Series comparison

-[PULL 00/17] target-arm queue
+[PULL 00/39] target-arm queue
-Arm changes for before softfreeze: mostly my PL061/GPIO patches,
+The following changes since commit 55ef0b702bc2c90c3c4ed97f97676d8f139e5ca1:
 but also a new M-profile board and various other things.
-thanks
+  Merge remote-tracking branch 'remotes/lvivier-gitlab/tags/linux-user-for-7.0-pull-request' into staging (2022-02-07 10:48:25 +0000)
 -- PMM
 The following changes since commit 05de778b5b8ab0b402996769117b88c7ea5c7c61:
   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2021-07-09 14:30:01 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210709
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220208
-for you to fetch changes up to 05449abb1d4c5f0c69ceb3d8d03cbc75de39b646:
+for you to fetch changes up to 4fd1ebb10593087d45d2f56f7f3d13447d24802c:
-  hw/intc: Improve formatting of MEMTX_ERROR guest error message (2021-07-09 16:09:12 +0100)
+  hw/sensor: Add lsm303dlhc magnetometer device (2022-02-08 10:56:29 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * New machine type: stm32vldiscovery
+ * Fix handling of SVE ZCR_LEN when using VHE
- * hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write
+ * xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
- * hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers
+ * Don't ever enable PSCI when booting guest in EL3
- * virt: Fix implementation of GPIO-based powerdown/shutdown mechanism
+ * Adhere to SMCCC 1.3 section 5.2
- * Correct the encoding of MDCCSR_EL0 and DBGDSCRint
+ * highbank: Fix issues with booting SMP
- * hw/intc: Improve formatting of MEMTX_ERROR guest error message
+ * midway: Fix issues booting at all
  * boot: Drop existing dtb /psci node rather than retaining it
  * versal-virt: Always call arm_load_kernel()
  * force flag recalculation when messing with DAIF
  * hw/timer/armv7m_systick: Update clock source before enabling timer
  * hw/arm/smmuv3: Fix device reset
  * hw/intc/arm_gicv3_its: refactorings and minor bug fixes
  * hw/sensor: Add lsm303dlhc magnetometer device
 ----------------------------------------------------------------
-Alexandre Iooss (4):
+Alex Bennée (1):
-      stm32f100: Add the stm32f100 SoC
+      arm: force flag recalculation when messing with DAIF
       stm32vldiscovery: Add the STM32VLDISCOVERY Machine
       docs/system: arm: Add stm32 boards description
       tests/boot-serial-test: Add STM32VLDISCOVERY board testcase
-Peter Maydell (10):
+Edgar E. Iglesias (1):
-      hw/gpio/pl061: Convert DPRINTF to tracepoints
+      hw/arm: versal-virt: Always call arm_load_kernel()
       hw/gpio/pl061: Clean up read/write offset handling logic
       hw/gpio/pl061: Add tracepoints for register read and write
       hw/gpio/pl061: Document the interface of this device
       hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers
       hw/gpio/pl061: Make pullup/pulldown of outputs configurable
       hw/arm/virt: Make PL061 GPIO lines pulled low, not high
       hw/gpio/pl061: Convert to 3-phase reset and assert GPIO lines correctly on reset
       hw/gpio/pl061: Document a shortcoming in our implementation
       hw/arm/stellaris: Expand comment about handling of OLED chipselect
-Rebecca Cran (1):
+Eric Auger (1):
-      hw/intc: Improve formatting of MEMTX_ERROR guest error message
+      hw/arm/smmuv3: Fix device reset
-Ricardo Koller (1):
+Francisco Iglesias (1):
-      hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write
+      hw/arm/xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
-hnick@vmware.com (1):
+Kevin Townsend (1):
-      target/arm: Correct the encoding of MDCCSR_EL0 and DBGDSCRint
+      hw/sensor: Add lsm303dlhc magnetometer device
- docs/system/arm/stm32.rst               |  66 +++++++
+Peter Maydell (29):
- docs/system/target-arm.rst              |   1 +
+      target/arm: make psci-conduit settable after realize
- default-configs/devices/arm-softmmu.mak |   1 +
+      cpu.c: Make start-powered-off settable after realize
- include/hw/arm/stm32f100_soc.h          |  57 ++++++
+      hw/arm/boot: Support setting psci-conduit based on guest EL
- hw/arm/stellaris.c                      |  56 +++++-
+      hw/arm: imx: Don't enable PSCI conduit when booting guest in EL3
- hw/arm/stm32f100_soc.c                  | 182 +++++++++++++++++
+      hw/arm: allwinner: Don't enable PSCI conduit when booting guest in EL3
- hw/arm/stm32vldiscovery.c               |  66 +++++++
+      hw/arm/xlnx-zcu102: Don't enable PSCI conduit when booting guest in EL3
- hw/arm/virt.c                           |   3 +
+      hw/arm/versal: Let boot.c handle PSCI enablement
- hw/gpio/pl061.c                         | 341 +++++++++++++++++++++++++-------
+      hw/arm/virt: Let boot.c handle PSCI enablement
- hw/intc/arm_gicv3_cpuif.c               |   4 +-
+      hw/arm: highbank: For EL3 guests, don't enable PSCI, start all cores
- hw/intc/arm_gicv3_redist.c              |   4 +-
+      arm: tcg: Adhere to SMCCC 1.3 section 5.2
- target/arm/helper.c                     |  16 +-
+      hw/arm/highbank: Drop use of secure_board_setup
- tests/qtest/boot-serial-test.c          |  37 ++++
+      hw/arm/boot: Prevent setting both psci_conduit and secure_board_setup
- MAINTAINERS                             |  13 ++
+      hw/arm/boot: Don't write secondary boot stub if using PSCI
- hw/arm/Kconfig                          |  10 +
+      hw/arm/highbank: Drop unused secondary boot stub code
- hw/arm/meson.build                      |   2 +
+      hw/arm/boot: Drop nb_cpus field from arm_boot_info
- hw/gpio/trace-events                    |   9 +
+      hw/arm/boot: Drop existing dtb /psci node rather than retaining it
-files changed, 790 insertions(+), 78 deletions(-)
+      hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packets
- create mode 100644 docs/system/arm/stm32.rst
+      hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_t
- create mode 100644 include/hw/arm/stm32f100_soc.h
+      hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()
- create mode 100644 hw/arm/stm32f100_soc.c
+      hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_t
- create mode 100644 hw/arm/stm32vldiscovery.c
+      hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()
       hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()
       hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()
       hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a struct
       hw/intc/arm_gicv3_its: Make update_ite() use ITEntry
       hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fields
       hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field
       hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTI
       hw/intc/arm_gicv3_its: Split error checks
+Richard Henderson (4):
+      target/arm: Fix sve_zcr_len_for_el for VHE mode running
+      target/arm: Tidy sve_exception_el for CPACR_EL1 access
+      target/arm: Fix {fp, sve}_exception_el for VHE mode running
+      target/arm: Use CPTR_TFP with CPTR_EL3 in fp_exception_el
+Richard Petri (1):
+      hw/timer/armv7m_systick: Update clock source before enabling timer
+ hw/intc/gicv3_internal.h               |  23 +-
+ include/hw/arm/boot.h                  |  14 +-
+ include/hw/arm/xlnx-versal.h           |   1 -
+ include/hw/arm/xlnx-zynqmp.h           |   2 +
+ include/hw/intc/arm_gicv3_its_common.h |   2 -
+ cpu.c                                  |  22 +-
+ hw/arm/allwinner-h3.c                  |   9 +-
+ hw/arm/aspeed.c                        |   1 -
+ hw/arm/boot.c                          | 107 ++++-
+ hw/arm/exynos4_boards.c                |   1 -
+ hw/arm/fsl-imx6ul.c                    |   2 -
+ hw/arm/fsl-imx7.c                      |   8 +-
+ hw/arm/highbank.c                      |  72 +---
+ hw/arm/imx25_pdk.c                     |   3 +-
+ hw/arm/kzm.c                           |   1 -
+ hw/arm/mcimx6ul-evk.c                  |   2 +-
+ hw/arm/mcimx7d-sabre.c                 |   2 +-
+ hw/arm/npcm7xx.c                       |   3 -
+ hw/arm/orangepi.c                      |   5 +-
+ hw/arm/raspi.c                         |   1 -
+ hw/arm/realview.c                      |   1 -
+ hw/arm/sabrelite.c                     |   1 -
+ hw/arm/sbsa-ref.c                      |   1 -
+ hw/arm/smmuv3.c                        |   6 +
+ hw/arm/vexpress.c                      |   1 -
+ hw/arm/virt.c                          |  13 +-
+ hw/arm/xilinx_zynq.c                   |   1 -
+ hw/arm/xlnx-versal-virt.c              |  17 +-
+ hw/arm/xlnx-versal.c                   |   5 +-
+ hw/arm/xlnx-zcu102.c                   |   1 +
+ hw/arm/xlnx-zynqmp.c                   |  25 +-
+ hw/intc/arm_gicv3_its.c                | 696 +++++++++++++++------------------
+ hw/sensor/lsm303dlhc_mag.c             | 556 ++++++++++++++++++++++++++
+ hw/timer/armv7m_systick.c              |   8 +-
+ target/arm/cpu.c                       |   6 +-
+ target/arm/helper-a64.c                |   2 +
+ target/arm/helper.c                    | 118 ++++--
+ target/arm/psci.c                      |  35 +-
+ tests/qtest/lsm303dlhc-mag-test.c      | 148 +++++++
+ hw/sensor/Kconfig                      |   4 +
+ hw/sensor/meson.build                  |   1 +
+ tests/qtest/meson.build                |   1 +
+files changed, 1308 insertions(+), 620 deletions(-)
+ create mode 100644 hw/sensor/lsm303dlhc_mag.c
+ create mode 100644 tests/qtest/lsm303dlhc-mag-test.c

-New patch
+[PULL 01/39] target/arm: Fix sve_zcr_len_for_el for VHE mode running
+From: Richard Henderson <richard.henderson@linaro.org>
+When HCR_EL2.{E2H,TGE} == '11', ZCR_EL1 is unused.
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-2-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
+     ARMCPU *cpu = env_archcpu(env);
+     uint32_t zcr_len = cpu->sve_max_vq - 1;
+-    if (el <= 1) {
++    if (el <= 1 &&
++        (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+         zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
+     }
+     if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
+--
+.25.1

-New patch
+[PULL 02/39] target/arm: Tidy sve_exception_el for CPACR_EL1 access
+From: Richard Henderson <richard.henderson@linaro.org>
+Extract entire fields for ZEN and FPEN, rather than testing specific bits.
+This makes it easier to follow the code versus the ARM spec.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-3-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 36 +++++++++++++++++-------------------
+file changed, 17 insertions(+), 19 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
+     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
+     if (el <= 1 && (hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+-        bool disabled = false;
+-
+-        /* The CPACR.ZEN controls traps to EL1:
+-         * 0, 2 : trap EL0 and EL1 accesses
+-         * 1    : trap only EL0 accesses
+-         * 3    : trap no accesses
+-         */
+-        if (!extract32(env->cp15.cpacr_el1, 16, 1)) {
+-            disabled = true;
+-        } else if (!extract32(env->cp15.cpacr_el1, 17, 1)) {
+-            disabled = el == 0;
+-        }
+-        if (disabled) {
++        /* Check CPACR.ZEN.  */
++        switch (extract32(env->cp15.cpacr_el1, 16, 2)) {
++        case 1:
++            if (el != 0) {
++                break;
++            }
++            /* fall through */
++        case 0:
++        case 2:
+             /* route_to_el2 */
+             return hcr_el2 & HCR_TGE ? 2 : 1;
+         }
+         /* Check CPACR.FPEN.  */
+-        if (!extract32(env->cp15.cpacr_el1, 20, 1)) {
+-            disabled = true;
+-        } else if (!extract32(env->cp15.cpacr_el1, 21, 1)) {
+-            disabled = el == 0;
+-        }
+-        if (disabled) {
++        switch (extract32(env->cp15.cpacr_el1, 20, 2)) {
++        case 1:
++            if (el != 0) {
++                break;
++            }
++            /* fall through */
++        case 0:
++        case 2:
+             return 0;
+         }
+     }
+--
+.25.1

-New patch
+[PULL 03/39] target/arm: Fix {fp, sve}_exception_el for VHE mode running
+From: Richard Henderson <richard.henderson@linaro.org>
+When HCR_EL2.E2H is set, the format of CPTR_EL2 changes to
+look more like CPACR_EL1, with ZEN and FPEN fields instead
+of TZ and TFP fields.
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220127063428.30212-4-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 77 +++++++++++++++++++++++++++++++++++----------
+file changed, 60 insertions(+), 17 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
+         }
+     }
+-    /* CPTR_EL2.  Since TZ and TFP are positive,
+-     * they will be zero when EL2 is not present.
++    /*
++     * CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE).
+      */
+-    if (el <= 2 && arm_is_el2_enabled(env)) {
+-        if (env->cp15.cptr_el[2] & CPTR_TZ) {
+-            return 2;
+-        }
+-        if (env->cp15.cptr_el[2] & CPTR_TFP) {
+-            return 0;
++    if (el <= 2) {
++        if (hcr_el2 & HCR_E2H) {
++            /* Check CPTR_EL2.ZEN.  */
++            switch (extract32(env->cp15.cptr_el[2], 16, 2)) {
++            case 1:
++                if (el != 0 || !(hcr_el2 & HCR_TGE)) {
++                    break;
++                }
++                /* fall through */
++            case 0:
++            case 2:
++                return 2;
++            }
++
++            /* Check CPTR_EL2.FPEN.  */
++            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
++            case 1:
++                if (el == 2 || !(hcr_el2 & HCR_TGE)) {
++                    break;
++                }
++                /* fall through */
++            case 0:
++            case 2:
++                return 0;
++            }
++        } else if (arm_is_el2_enabled(env)) {
++            if (env->cp15.cptr_el[2] & CPTR_TZ) {
++                return 2;
++            }
++            if (env->cp15.cptr_el[2] & CPTR_TFP) {
++                return 0;
++            }
+         }
+     }
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
+ int fp_exception_el(CPUARMState *env, int cur_el)
+ {
+ #ifndef CONFIG_USER_ONLY
++    uint64_t hcr_el2;
++
+     /* CPACR and the CPTR registers don't exist before v6, so FP is
+      * always accessible
+      */
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
+         return 0;
+     }
++    hcr_el2 = arm_hcr_el2_eff(env);
++
+     /* The CPACR controls traps to EL1, or PL1 if we're 32 bit:
+      * 0, 2 : trap EL0 and EL1/PL1 accesses
+      * 1    : trap only EL0 accesses
+      * 3    : trap no accesses
+      * This register is ignored if E2H+TGE are both set.
+      */
+-    if ((arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
++    if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+         int fpen = extract32(env->cp15.cpacr_el1, 20, 2);
+         switch (fpen) {
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
+         }
+     }
+-    /* For the CPTR registers we don't need to guard with an ARM_FEATURE
+-     * check because zero bits in the registers mean "don't trap".
++    /*
++     * CPTR_EL2 is present in v7VE or v8, and changes format
++     * with HCR_EL2.E2H (regardless of TGE).
+      */
+-
+-    /* CPTR_EL2 : present in v7VE or v8 */
+-    if (cur_el <= 2 && extract32(env->cp15.cptr_el[2], 10, 1)
+-        && arm_is_el2_enabled(env)) {
+-        /* Trap FP ops at EL2, NS-EL1 or NS-EL0 to EL2 */
+-        return 2;
++    if (cur_el <= 2) {
++        if (hcr_el2 & HCR_E2H) {
++            /* Check CPTR_EL2.FPEN.  */
++            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
++            case 1:
++                if (cur_el != 0 || !(hcr_el2 & HCR_TGE)) {
++                    break;
++                }
++                /* fall through */
++            case 0:
++            case 2:
++                return 2;
++            }
++        } else if (arm_is_el2_enabled(env)) {
++            if (env->cp15.cptr_el[2] & CPTR_TFP) {
++                return 2;
++            }
++        }
+     }
+     /* CPTR_EL3 : present in v8 */
+--
+.25.1

-[PULL 16/17] target/arm: Correct the encoding of MDCCSR_EL0 and DBGDSCRint
+[PULL 04/39] target/arm: Use CPTR_TFP with CPTR_EL3 in fp_exception_el
-From: "hnick@vmware.com" <hnick@vmware.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Nick Hudson <hnick@vmware.com>
+Use the named bit rather than a bare extract32.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 16 +++++++++++++---
+ target/arm/helper.c | 2 +-
-file changed, 13 insertions(+), 3 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
-       .access = PL1_RW, .accessfn = access_tda,
+     }
-       .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
-       .resetvalue = 0 },
+     /* CPTR_EL3 : present in v8 */
--    /* MDCCSR_EL0, aka DBGDSCRint. This is a read-only mirror of MDSCR_EL1.
+-    if (extract32(env->cp15.cptr_el[3], 10, 1)) {
-+    /*
++    if (env->cp15.cptr_el[3] & CPTR_TFP) {
-+     * MDCCSR_EL0[30:29] map to EDSCR[30:29].  Simply RAZ as the external
+         /* Trap all FP ops to EL3 */
-+     * Debug Communication Channel is not implemented.
+         return 3;
-+     */
+     }
 +    { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 1, .opc2 = 0,
 +      .access = PL0_R, .accessfn = access_tda,
 +      .type = ARM_CP_CONST, .resetvalue = 0 },
 +    /*
 +     * DBGDSCRint[15,12,5:2] map to MDSCR_EL1[15,12,5:2].  Map all bits as
 +     * it is unlikely a guest will care.
       * We don't implement the configurable EL0 access.
       */
 -    { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_BOTH,
 -      .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
 +    { .name = "DBGDSCRint", .state = ARM_CP_STATE_AA32,
 +      .cp = 14, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
        .type = ARM_CP_ALIAS,
        .access = PL1_R, .accessfn = access_tda,
        .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), },
 --
-.20.1
+.25.1

-New patch
+[PULL 05/39] hw/arm/xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
+From: Francisco Iglesias <francisco.iglesias@xilinx.com>
+'Or' the IRQs coming from the QSPI and QSPI DMA models. This is done for
+avoiding the situation where one of the models incorrectly deasserts an
+interrupt asserted from the other model (which will result in that the IRQ
+is lost and will not reach guest SW).
+Signed-off-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Luc Michel <luc@lmichel.fr>
+Message-id: 20220203151742.1457-1-francisco.iglesias@xilinx.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/arm/xlnx-zynqmp.h |  2 ++
+ hw/arm/xlnx-zynqmp.c         | 14 ++++++++++++--
+files changed, 14 insertions(+), 2 deletions(-)
+diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-zynqmp.h
++++ b/include/hw/arm/xlnx-zynqmp.h
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/dma/xlnx_csu_dma.h"
+ #include "hw/nvram/xlnx-bbram.h"
+ #include "hw/nvram/xlnx-zynqmp-efuse.h"
++#include "hw/or-irq.h"
+ #define TYPE_XLNX_ZYNQMP "xlnx-zynqmp"
+ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
+@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
+     XlnxZDMA gdma[XLNX_ZYNQMP_NUM_GDMA_CH];
+     XlnxZDMA adma[XLNX_ZYNQMP_NUM_ADMA_CH];
+     XlnxCSUDMA qspi_dma;
++    qemu_or_irq qspi_irq_orgate;
+     char *boot_cpu;
+     ARMCPU *boot_cpu_ptr;
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-zynqmp.c
++++ b/hw/arm/xlnx-zynqmp.c
+@@ -XXX,XX +XXX,XX @@
+ #define LQSPI_ADDR          0xc0000000
+ #define QSPI_IRQ            15
+ #define QSPI_DMA_ADDR       0xff0f0800
++#define NUM_QSPI_IRQ_LINES  2
+ #define DP_ADDR             0xfd4a0000
+ #define DP_IRQ              113
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
+     }
+     object_initialize_child(obj, "qspi-dma", &s->qspi_dma, TYPE_XLNX_CSU_DMA);
++    object_initialize_child(obj, "qspi-irq-orgate",
++                            &s->qspi_irq_orgate, TYPE_OR_IRQ);
+ }
+ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+                            gic_spi[adma_ch_intr[i]]);
+     }
++    object_property_set_int(OBJECT(&s->qspi_irq_orgate),
++                            "num-lines", NUM_QSPI_IRQ_LINES, &error_fatal);
++    qdev_realize(DEVICE(&s->qspi_irq_orgate), NULL, &error_fatal);
++    qdev_connect_gpio_out(DEVICE(&s->qspi_irq_orgate), 0, gic_spi[QSPI_IRQ]);
++
+     if (!object_property_set_link(OBJECT(&s->qspi_dma), "dma",
+                                   OBJECT(system_memory), errp)) {
+         return;
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     }
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi_dma), 0, QSPI_DMA_ADDR);
+-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0, gic_spi[QSPI_IRQ]);
++    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0,
++                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 0));
+     if (!object_property_set_link(OBJECT(&s->qspi), "stream-connected-dma",
+                                   OBJECT(&s->qspi_dma), errp)) {
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     }
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR);
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR);
+-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]);
++    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0,
++                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 1));
+     for (i = 0; i < XLNX_ZYNQMP_NUM_QSPI_BUS; i++) {
+         g_autofree gchar *bus_name = g_strdup_printf("qspi%d", i);
+--
+.25.1

-New patch
+[PULL 06/39] target/arm: make psci-conduit settable after realize
+We want to allow the psci-conduit property to be set after realize,
+because the parts of the code which are best placed to decide if it's
+OK to enable QEMU's builtin PSCI emulation (the board code and the
+arm_load_kernel() function are distant from the code which creates
+and realizes CPUs (typically inside an SoC object's init and realize
+method) and run afterwards.
+Since the DEFINE_PROP_* macros don't have support for creating
+properties which can be changed after realize, change the property to
+be created with object_property_add_uint32_ptr(), which is what we
+already use in this function for creating settable-after-realize
+properties like init-svtor and init-nsvtor.
+Note that it doesn't conceptually make sense to change the setting of
+the property after the machine has been completely initialized,
+beacuse this would mean that the behaviour of the machine when first
+started would differ from its behaviour when the system is
+subsequently reset.  (It would also require the underlying state to
+be migrated, which we don't do.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20220127154639.2090164-2-peter.maydell@linaro.org
+---
+ target/arm/cpu.c | 6 +++++-
+file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.c
++++ b/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
+                                        OBJ_PROP_FLAG_READWRITE);
+     }
++    /* Not DEFINE_PROP_UINT32: we want this to be settable after realize */
++    object_property_add_uint32_ptr(obj, "psci-conduit",
++                                   &cpu->psci_conduit,
++                                   OBJ_PROP_FLAG_READWRITE);
++
+     qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property);
+     if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
+@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
+ }
+ static Property arm_cpu_properties[] = {
+-    DEFINE_PROP_UINT32("psci-conduit", ARMCPU, psci_conduit, 0),
+     DEFINE_PROP_UINT64("midr", ARMCPU, midr, 0),
+     DEFINE_PROP_UINT64("mp-affinity", ARMCPU,
+                         mp_affinity, ARM64_AFFINITY_INVALID),
+--
+.25.1

-[PULL 10/17] hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers
+[PULL 07/39] cpu.c: Make start-powered-off settable after realize
-The Luminary variant of the PL061 has registers GPIOPUR and GPIOPDR
+The CPU object's start-powered-off property is currently only
-which lets the guest configure whether the GPIO lines are pull-up,
+settable before the CPU object is realized.  For arm machines this is
-pull-down, or truly floating. Instead of assuming all lines are pulled
+awkward, because we would like to decide whether the CPU should be
-high, honour the PUR and PDR registers.
+powered-off based on how we are booting the guest code, which is
 something done in the machine model code and in common code called by
 the machine model, which runs much later and in completely different
 parts of the codebase from the SoC object code that is responsible
 for creating and realizing the CPU objects.
-For the plain PL061, continue to assume that lines have an external
+Allow start-powered-off to be set after realize.  Since this isn't
-pull-up resistor, as we did before.
+something that's supported by the DEFINE_PROP_* macros, we have to
 switch the property definition to use the
 object_class_property_add_bool() function.
-The stellaris board actually relies on this behaviour -- the CD line
+Note that it doesn't conceptually make sense to change the setting of
-of the ssd0323 display device is connected to GPIO output C7, and it
+the property after the machine has been completely initialized,
-is only because of a different bug which we're about to fix that we
+beacuse this would mean that the behaviour of the machine when first
-weren't incorrectly driving this line high on reset and putting the
+started would differ from its behaviour when the system is
-ssd0323 into data mode.
+subsequently reset.  (It would also require the underlying state to
 be migrated, which we don't do.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20220127154639.2090164-3-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c      | 58 +++++++++++++++++++++++++++++++++++++++++---
+ cpu.c | 22 +++++++++++++++++++++-
- hw/gpio/trace-events |  2 +-
+file changed, 21 insertions(+), 1 deletion(-)
 files changed, 55 insertions(+), 5 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/cpu.c b/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/cpu.c
-+++ b/hw/gpio/pl061.c
++++ b/cpu.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl061 = {
+@@ -XXX,XX +XXX,XX @@ static Property cpu_common_props[] = {
-     }
+     DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
                       MemoryRegion *),
  #endif
 -    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
      DEFINE_PROP_END_OF_LIST(),
  };
-+static uint8_t pl061_floating(PL061State *s)
++static bool cpu_get_start_powered_off(Object *obj, Error **errp)
 +{
-+    /*
++    CPUState *cpu = CPU(obj);
-+     * Return mask of bits which correspond to pins configured as inputs
++    return cpu->start_powered_off;
 +     * and which are floating (neither pulled up to 1 nor down to 0).
 +     */
 +    uint8_t floating;
 +
 +    if (s->id == pl061_id_luminary) {
 +        /*
 +         * If both PUR and PDR bits are clear, there is neither a pullup
 +         * nor a pulldown in place, and the output truly floats.
 +         */
 +        floating = ~(s->pur | s->pdr);
 +    } else {
 +        /* Assume outputs are pulled high. FIXME: this is board dependent. */
 +        floating = 0;
 +    }
 +    return floating & ~s->dir;
 +}
 +
-+static uint8_t pl061_pullups(PL061State *s)
++static void cpu_set_start_powered_off(Object *obj, bool value, Error **errp)
 +{
-+    /*
++    CPUState *cpu = CPU(obj);
-+     * Return mask of bits which correspond to pins configured as inputs
++    cpu->start_powered_off = value;
 +     * and which are pulled up to 1.
 +     */
 +    uint8_t pullups;
 +
 +    if (s->id == pl061_id_luminary) {
 +        /*
 +         * The Luminary variant of the PL061 has an extra registers which
 +         * the guest can use to configure whether lines should be pullup
 +         * or pulldown.
 +         */
 +        pullups = s->pur;
 +    } else {
 +        /* Assume outputs are pulled high. FIXME: this is board dependent. */
 +        pullups = 0xff;
 +    }
 +    return pullups & ~s->dir;
 +}
 +
- static void pl061_update(PL061State *s)
+ void cpu_class_init_props(DeviceClass *dc)
  {
-     uint8_t changed;
++    ObjectClass *oc = OBJECT_CLASS(dc);
-     uint8_t mask;
++
-     uint8_t out;
+     device_class_set_props(dc, cpu_common_props);
      int i;
 +    uint8_t pullups = pl061_pullups(s);
 +    uint8_t floating = pl061_floating(s);
 -    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data);
 +    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data,
 +                       pullups, floating);
 -    /* Outputs float high.  */
 -    /* FIXME: This is board dependent.  */
 -    out = (s->data & s->dir) | ~s->dir;
 +    /*
-+     * Pins configured as output are driven from the data register;
++     * We can't use DEFINE_PROP_BOOL in the Property array for this
-+     * otherwise if they're pulled up they're 1, and if they're floating
++     * property, because we want this to be settable after realize.
 +     * then we give them the same value they had previously, so we don't
 +     * report any change to the other end.
 +     */
-+    out = (s->data & s->dir) | pullups | (s->old_out_data & floating);
++    object_class_property_add_bool(oc, "start-powered-off",
-     changed = s->old_out_data ^ out;
++                                   cpu_get_start_powered_off,
-     if (changed) {
++                                   cpu_set_start_powered_off);
-         s->old_out_data = out;
+ }
-diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
-index XXXXXXX..XXXXXXX 100644
+ void cpu_exec_initfn(CPUState *cpu)
 --- a/hw/gpio/trace-events
 +++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ nrf51_gpio_set(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
  nrf51_gpio_update_output_irq(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
  # pl061.c
 -pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIODATA 0x%x"
 +pl061_update(const char *id, uint32_t dir, uint32_t data, uint32_t pullups, uint32_t floating) "%s GPIODIR 0x%x GPIODATA 0x%x pullups 0x%x floating 0x%x"
  pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
  pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
  pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
 --
-.20.1
+.25.1

-[PULL 14/17] hw/gpio/pl061: Document a shortcoming in our implementation
+[PULL 08/39] hw/arm/boot: Support setting psci-conduit based on guest EL
-The Luminary PL061s in the Stellaris LM3S9695 don't all have the same
+Currently we expect board code to set the psci-conduit property on
-reset value for GPIOPUR.  We can get away with not letting the board
+CPUs and ensure that secondary CPUs are created with the
-configure the PUR reset value because we don't actually wire anything
+start-powered-off property set to false, if the board wishes to use
-up to the lines which should reset to pull-up.  Add a comment noting
+QEMU's builtin PSCI emulation.  This worked OK for the virt board
-this omission.
+where we first wanted to use it, because the virt board directly
 creates its CPUs and is in a reasonable position to set those
 properties.  For other boards which model real hardware and use a
 separate SoC object, however, it is more awkward.  Most PSCI-using
 boards just set the psci-conduit board unconditionally.
 This was never strictly speaking correct (because you would not be
 able to run EL3 guest firmware that itself provided the PSCI
 interface, as the QEMU implementation would overrule it), but mostly
 worked in practice because for non-PSCI SMC calls QEMU would emulate
 the SMC instruction as normal (by trapping to guest EL3).  However,
 we would like to make our PSCI emulation follow the part of the SMCC
 specification that mandates that SMC calls with unknown function
 identifiers return a failure code, which means that all SMC calls
 will be handled by the PSCI code and the "emulate as normal" path
 will no longer be taken.
 We tried to implement that in commit 9fcd15b9193e81
 ("arm: tcg: Adhere to SMCCC 1.3 section 5.2"), but this
 regressed attempts to run EL3 guest code on the affected boards:
  * mcimx6ul-evk, mcimx7d-sabre, orangepi, xlnx-zcu102
  * for the case only of EL3 code loaded via -kernel (and
    not via -bios or -pflash), virt and xlnx-versal-virt
 so for the 7.0 release we reverted it (in commit 4825eaae4fdd56f).
 This commit provides a mechanism that boards can use to arrange that
 psci-conduit is set if running guest code at a low enough EL but not
 if it would be running at the same EL that the conduit implies that
 the QEMU PSCI implementation is using.  (Later commits will convert
 individual board models to use this mechanism.)
 We do this by moving the setting of the psci-conduit and
 start-powered-off properties to arm_load_kernel().  Boards which want
 to potentially use emulated PSCI must set a psci_conduit field in the
 arm_boot_info struct to the type of conduit they want to use (SMC or
 HVC); arm_load_kernel() will then set the CPUs up accordingly if it
 is not going to start the guest code at the same or higher EL as the
 fake QEMU firmware would be at.
 Board/SoC code which uses this mechanism should no longer set the CPU
 psci-conduit property directly.  It should only set the
 start-powered-off property for secondaries if EL3 guest firmware
 running bare metal expects that rather than the alternative "all CPUs
 start executing the firmware at once".
 Note that when calculating whether we are going to run guest
 code at EL3, we ignore the setting of arm_boot_info::secure_board_setup,
 which might cause us to run a stub bit of guest code at EL3 which
 does some board-specific setup before dropping to EL2 or EL1 to
 run the guest kernel. This is OK because only one board that
 enables PSCI sets secure_board_setup (the highbank board), and
 the stub code it writes will behave the same way whether the
 one SMC call it makes is handled by "emulate the SMC" or by
 "PSCI default returns an error code". So we can leave that stub
 code in place until after we've changed the PSCI default behaviour;
 at that point we will remove it.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Tested-by: Cédric Le Goater <clg@kaod.org>
 Message-id: 20220127154639.2090164-4-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c | 9 +++++++++
+ include/hw/arm/boot.h | 10 +++++++++
-file changed, 9 insertions(+)
+ hw/arm/boot.c         | 50 +++++++++++++++++++++++++++++++++++++++++++
 files changed, 60 insertions(+)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/include/hw/arm/boot.h
-+++ b/hw/gpio/pl061.c
++++ b/include/hw/arm/boot.h
-@@ -XXX,XX +XXX,XX @@ static void pl061_enter_reset(Object *obj, ResetType type)
+@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
-     trace_pl061_reset(DEVICE(s)->canonical_path);
+      * the user it should implement this hook.
+      */
-     /* reset values from PL061 TRM, Stellaris LM3S5P31 & LM3S8962 Data Sheet */
+     void (*modify_dtb)(const struct arm_boot_info *info, void *fdt);
 +    /*
 +     * If a board wants to use the QEMU emulated-firmware PSCI support,
 +     * it should set this to QEMU_PSCI_CONDUIT_HVC or QEMU_PSCI_CONDUIT_SMC
 +     * as appropriate. arm_load_kernel() will set the psci-conduit and
 +     * start-powered-off properties on the CPUs accordingly.
 +     * Note that if the guest image is started at the same exception level
 +     * as the conduit specifies calls should go to (eg guest firmware booted
 +     * to EL3) then PSCI will not be enabled.
 +     */
 +    int psci_conduit;
      /* Used internally by arm_boot.c */
      int is_linux;
      hwaddr initrd_start;
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
  {
      CPUState *cs;
      AddressSpace *as = arm_boot_address_space(cpu, info);
 +    int boot_el;
 +    CPUARMState *env = &cpu->env;
      /*
       * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
          arm_setup_direct_kernel_boot(cpu, info);
      }
 +    /*
 +     * Disable the PSCI conduit if it is set up to target the same
 +     * or a lower EL than the one we're going to start the guest code in.
 +     * This logic needs to agree with the code in do_cpu_reset() which
 +     * decides whether we're going to boot the guest in the highest
 +     * supported exception level or in a lower one.
 +     */
 +
 +    /* Boot into highest supported EL ... */
 +    if (arm_feature(env, ARM_FEATURE_EL3)) {
 +        boot_el = 3;
 +    } else if (arm_feature(env, ARM_FEATURE_EL2)) {
 +        boot_el = 2;
 +    } else {
 +        boot_el = 1;
 +    }
 +    /* ...except that if we're booting Linux we adjust the EL we boot into */
 +    if (info->is_linux && !info->secure_boot) {
 +        boot_el = arm_feature(env, ARM_FEATURE_EL2) ? 2 : 1;
 +    }
 +
 +    if ((info->psci_conduit == QEMU_PSCI_CONDUIT_HVC && boot_el >= 2) ||
 +        (info->psci_conduit == QEMU_PSCI_CONDUIT_SMC && boot_el == 3)) {
 +        info->psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
 +    }
 +
 +    if (info->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
 +        for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
 +            Object *cpuobj = OBJECT(cs);
 +
 +            object_property_set_int(cpuobj, "psci-conduit", info->psci_conduit,
 +                                    &error_abort);
 +            /*
 +             * Secondary CPUs start in PSCI powered-down state. Like the
 +             * code in do_cpu_reset(), we assume first_cpu is the primary
 +             * CPU.
 +             */
 +            if (cs != first_cpu) {
 +                object_property_set_bool(cpuobj, "start-powered-off", true,
 +                                         &error_abort);
 +            }
 +        }
 +    }
 +
 +    /*
-+     * FIXME: For the LM3S6965, not all of the PL061 instances have the
++     * arm_load_dtb() may add a PSCI node so it must be called after we have
-+     * same reset values for GPIOPUR, GPIOAFSEL and GPIODEN, so in theory
++     * decided whether to enable PSCI and set the psci-conduit CPU properties.
 +     * we should allow the board to configure these via properties.
 +     * In practice, we don't wire anything up to the affected GPIO lines
 +     * (PB7, PC0, PC1, PC2, PC3 -- they're used for JTAG), so we can
 +     * get away with this inaccuracy.
 +     */
-     s->data = 0;
+     if (!info->skip_dtb_autoload && have_dtb(info)) {
-     s->old_in_data = 0;
+         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as, ms) < 0) {
-     s->dir = 0;
+             exit(1);
 --
-.20.1
+.25.1

-New patch
+[PULL 09/39] hw/arm: imx: Don't enable PSCI conduit when booting guest in EL3
+Change the iMX-SoC based boards to use the new boot.c functionality
+to allow us to enable psci-conduit only if the guest is being booted
+in EL1 or EL2, so that if the user runs guest EL3 firmware code our
+PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit property on the CPU
+objects in the SoC code, and instead set the psci_conduit field in
+the arm_boot_info struct to tell the common boot loader code that
+we'd like PSCI if the guest is starting at an EL that it makes
+sense with.
+This affects the mcimx6ul-evk and mcimx7d-sabre boards.
+Note that for the mcimx7d board, this means that when running guest
+code at EL3 there is currently no way to power on the secondary CPUs,
+because we do not currently have a model of the system reset
+controller module which should be used to do that for the imx7 SoC,
+only for the imx6 SoC.  (Previously EL3 code which knew it was
+running on QEMU could use a PSCI call to do this.) This doesn't
+affect the imx6ul-evk board because it is uniprocessor.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220127154639.2090164-5-peter.maydell@linaro.org
+---
+ hw/arm/fsl-imx6ul.c    | 2 --
+ hw/arm/fsl-imx7.c      | 8 ++++----
+ hw/arm/mcimx6ul-evk.c  | 1 +
+ hw/arm/mcimx7d-sabre.c | 1 +
+files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx6ul.c
++++ b/hw/arm/fsl-imx6ul.c
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
+         return;
+     }
+-    object_property_set_int(OBJECT(&s->cpu), "psci-conduit",
+-                            QEMU_PSCI_CONDUIT_SMC, &error_abort);
+     qdev_realize(DEVICE(&s->cpu), NULL, &error_abort);
+     /*
+diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx7.c
++++ b/hw/arm/fsl-imx7.c
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < smp_cpus; i++) {
+         o = OBJECT(&s->cpu[i]);
+-        object_property_set_int(o, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
+-                                &error_abort);
+-
+         /* On uniprocessor, the CBAR is set to 0 */
+         if (smp_cpus > 1) {
+             object_property_set_int(o, "reset-cbar", FSL_IMX7_A7MPCORE_ADDR,
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
+         }
+         if (i) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /*
++             * Secondary CPUs start in powered-down state (and can be
++             * powered up via the SRC system reset controller)
++             */
+             object_property_set_bool(o, "start-powered-off", true,
+                                      &error_abort);
+         }
+diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mcimx6ul-evk.c
++++ b/hw/arm/mcimx6ul-evk.c
+@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
+         .board_id = -1,
+         .ram_size = machine->ram_size,
+         .nb_cpus = machine->smp.cpus,
++        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
+     };
+     s = FSL_IMX6UL(object_new(TYPE_FSL_IMX6UL));
+diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mcimx7d-sabre.c
++++ b/hw/arm/mcimx7d-sabre.c
+@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
+         .board_id = -1,
+         .ram_size = machine->ram_size,
+         .nb_cpus = machine->smp.cpus,
++        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
+     };
+     s = FSL_IMX7(object_new(TYPE_FSL_IMX7));
+--
+.25.1

-New patch
+[PULL 10/39] hw/arm: allwinner: Don't enable PSCI conduit when booting guest in EL3
+Change the allwinner-h3 based board to use the new boot.c
+functionality to allow us to enable psci-conduit only if the guest is
+being booted in EL1 or EL2, so that if the user runs guest EL3
+firmware code our PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit property on the CPU
+objects in the SoC code, and instead set the psci_conduit field in
+the arm_boot_info struct to tell the common boot loader code that
+we'd like PSCI if the guest is starting at an EL that it makes sense
+with.
+This affects the orangepi-pc board.
+This commit leaves the secondary CPUs in the powered-down state if
+the guest is booting at EL3, which is the same behaviour as before
+this commit.  The secondaries can no longer be started by that EL3
+code making a PSCI call but can still be started via the CPU
+Configuration Module registers (which we model in
+hw/misc/allwinner-cpucfg.c).
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-6-peter.maydell@linaro.org
+---
+ hw/arm/allwinner-h3.c | 9 ++++-----
+ hw/arm/orangepi.c     | 1 +
+files changed, 5 insertions(+), 5 deletions(-)
+diff --git a/hw/arm/allwinner-h3.c b/hw/arm/allwinner-h3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/allwinner-h3.c
++++ b/hw/arm/allwinner-h3.c
+@@ -XXX,XX +XXX,XX @@ static void allwinner_h3_realize(DeviceState *dev, Error **errp)
+     /* CPUs */
+     for (i = 0; i < AW_H3_NUM_CPUS; i++) {
+-        /* Provide Power State Coordination Interface */
+-        qdev_prop_set_int32(DEVICE(&s->cpus[i]), "psci-conduit",
+-                            QEMU_PSCI_CONDUIT_SMC);
+-
+-        /* Disable secondary CPUs */
++        /*
++         * Disable secondary CPUs. Guest EL3 firmware will start
++         * them via CPU reset control registers.
++         */
+         qdev_prop_set_bit(DEVICE(&s->cpus[i]), "start-powered-off",
+                           i > 0);
+diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/orangepi.c
++++ b/hw/arm/orangepi.c
+@@ -XXX,XX +XXX,XX @@ static void orangepi_init(MachineState *machine)
+     }
+     orangepi_binfo.loader_start = h3->memmap[AW_H3_DEV_SDRAM];
+     orangepi_binfo.ram_size = machine->ram_size;
++    orangepi_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &orangepi_binfo);
+ }
+--
+.25.1

-[PULL 08/17] hw/gpio/pl061: Add tracepoints for register read and write
+[PULL 11/39] hw/arm/xlnx-zcu102: Don't enable PSCI conduit when booting guest in EL3
-Add tracepoints for reads and writes to the PL061 registers. This requires
+Change the Xilinx ZynqMP-based board xlnx-zcu102 to use the new
-restructuring pl061_read() to only return after the tracepoint, rather
+boot.c functionality to allow us to enable psci-conduit only if
-than having lots of early-returns.
+the guest is being booted in EL1 or EL2, so that if the user runs
 guest EL3 firmware code our PSCI emulation doesn't get in its
 way.
 To do this we stop setting the psci-conduit property on the CPU
 objects in the SoC code, and instead set the psci_conduit field in
 the arm_boot_info struct to tell the common boot loader code that
 we'd like PSCI if the guest is starting at an EL that it makes
 sense with.
 Note that this means that EL3 guest code will have no way
 to power on secondary cores, because we don't model any
 kind of power controller that does that on this SoC.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220127154639.2090164-7-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c      | 70 ++++++++++++++++++++++++++++++--------------
+ hw/arm/xlnx-zcu102.c |  1 +
- hw/gpio/trace-events |  2 ++
+ hw/arm/xlnx-zynqmp.c | 11 ++++++-----
-files changed, 50 insertions(+), 22 deletions(-)
+files changed, 7 insertions(+), 5 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/arm/xlnx-zcu102.c b/hw/arm/xlnx-zcu102.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/arm/xlnx-zcu102.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/arm/xlnx-zcu102.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zcu102_init(MachineState *machine)
-                            unsigned size)
+     s->binfo.ram_size = ram_size;
- {
+     s->binfo.loader_start = 0;
-     PL061State *s = (PL061State *)opaque;
+     s->binfo.modify_dtb = zcu102_modify_dtb;
-+    uint64_t r = 0;
++    s->binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(s->soc.boot_cpu_ptr, machine, &s->binfo);
      switch (offset) {
      case 0x0 ... 0x3ff: /* Data */
 -        return s->data & (offset >> 2);
 +        r = s->data & (offset >> 2);
 +        break;
      case 0x400: /* Direction */
 -        return s->dir;
 +        r = s->dir;
 +        break;
      case 0x404: /* Interrupt sense */
 -        return s->isense;
 +        r = s->isense;
 +        break;
      case 0x408: /* Interrupt both edges */
 -        return s->ibe;
 +        r = s->ibe;
 +        break;
      case 0x40c: /* Interrupt event */
 -        return s->iev;
 +        r = s->iev;
 +        break;
      case 0x410: /* Interrupt mask */
 -        return s->im;
 +        r = s->im;
 +        break;
      case 0x414: /* Raw interrupt status */
 -        return s->istate;
 +        r = s->istate;
 +        break;
      case 0x418: /* Masked interrupt status */
 -        return s->istate & s->im;
 +        r = s->istate & s->im;
 +        break;
      case 0x420: /* Alternate function select */
 -        return s->afsel;
 +        r = s->afsel;
 +        break;
      case 0x500: /* 2mA drive */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->dr2r;
 +        r = s->dr2r;
 +        break;
      case 0x504: /* 4mA drive */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->dr4r;
 +        r = s->dr4r;
 +        break;
      case 0x508: /* 8mA drive */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->dr8r;
 +        r = s->dr8r;
 +        break;
      case 0x50c: /* Open drain */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->odr;
 +        r = s->odr;
 +        break;
      case 0x510: /* Pull-up */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->pur;
 +        r = s->pur;
 +        break;
      case 0x514: /* Pull-down */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->pdr;
 +        r = s->pdr;
 +        break;
      case 0x518: /* Slew rate control */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->slr;
 +        r = s->slr;
 +        break;
      case 0x51c: /* Digital enable */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->den;
 +        r = s->den;
 +        break;
      case 0x520: /* Lock */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->locked;
 +        r = s->locked;
 +        break;
      case 0x524: /* Commit */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->cr;
 +        r = s->cr;
 +        break;
      case 0x528: /* Analog mode select */
          if (s->id != pl061_id_luminary) {
              goto bad_offset;
          }
 -        return s->amsel;
 +        r = s->amsel;
 +        break;
      case 0xfd0 ... 0xfff: /* ID registers */
 -        return s->id[(offset - 0xfd0) >> 2];
 +        r = s->id[(offset - 0xfd0) >> 2];
 +        break;
      default:
      bad_offset:
          qemu_log_mask(LOG_GUEST_ERROR,
                        "pl061_read: Bad offset %x\n", (int)offset);
          break;
      }
 -    return 0;
 +
 +    trace_pl061_read(DEVICE(s)->canonical_path, offset, r);
 +    return r;
  }
- static void pl061_write(void *opaque, hwaddr offset,
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
      PL061State *s = (PL061State *)opaque;
      uint8_t mask;
 +    trace_pl061_write(DEVICE(s)->canonical_path, offset, value);
 +
      switch (offset) {
      case 0 ... 0x3ff:
          mask = (offset >> 2) & s->dir;
 diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/trace-events
+--- a/hw/arm/xlnx-zynqmp.c
-+++ b/hw/gpio/trace-events
++++ b/hw/arm/xlnx-zynqmp.c
-@@ -XXX,XX +XXX,XX @@ pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIOD
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
- pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
- pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
+         name = object_get_canonical_path_component(OBJECT(&s->rpu_cpu[i]));
- pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
+         if (strcmp(name, boot_cpu)) {
-+pl061_read(const char *id, uint64_t offset, uint64_t r) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
+-            /* Secondary CPUs start in PSCI powered-down state */
-+pl061_write(const char *id, uint64_t offset, uint64_t value) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
++            /*
++             * Secondary CPUs start in powered-down state.
- # sifive_gpio.c
++             */
- sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
+             object_property_set_bool(OBJECT(&s->rpu_cpu[i]),
                                       "start-powered-off", true, &error_abort);
          } else {
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
      for (i = 0; i < num_apus; i++) {
          const char *name;
 -        object_property_set_int(OBJECT(&s->apu_cpu[i]), "psci-conduit",
 -                                QEMU_PSCI_CONDUIT_SMC, &error_abort);
 -
          name = object_get_canonical_path_component(OBJECT(&s->apu_cpu[i]));
          if (strcmp(name, boot_cpu)) {
 -            /* Secondary CPUs start in PSCI powered-down state */
 +            /*
 +             * Secondary CPUs start in powered-down state.
 +             */
              object_property_set_bool(OBJECT(&s->apu_cpu[i]),
                                       "start-powered-off", true, &error_abort);
          } else {
 --
-.20.1
+.25.1

-New patch
+[PULL 12/39] hw/arm/versal: Let boot.c handle PSCI enablement
+Instead of setting the CPU psci-conduit and start-powered-off
+properties in the xlnx-versal-virt board code, set the arm_boot_info
+psci_conduit field so that the boot.c code can do it.
+This will fix a corner case where we were incorrectly enabling PSCI
+emulation when booting guest code into EL3 because it was an ELF file
+passed to -kernel.  (EL3 guest code started via -bios, -pflash, or
+the generic loader was already being run with PSCI emulation
+disabled.)
+Note that EL3 guest code has no way to turn on the secondary CPUs
+because there's no emulated power controller, but this was already
+true for EL3 guest code run via -bios, -pflash, or the generic
+loader.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-8-peter.maydell@linaro.org
+---
+ include/hw/arm/xlnx-versal.h | 1 -
+ hw/arm/xlnx-versal-virt.c    | 6 ++++--
+ hw/arm/xlnx-versal.c         | 5 +----
+files changed, 5 insertions(+), 7 deletions(-)
+diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-versal.h
++++ b/include/hw/arm/xlnx-versal.h
+@@ -XXX,XX +XXX,XX @@ struct Versal {
+     struct {
+         MemoryRegion *mr_ddr;
+-        uint32_t psci_conduit;
+     } cfg;
+ };
+diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal-virt.c
++++ b/hw/arm/xlnx-versal-virt.c
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+      * When loading an OS, we turn on QEMU's PSCI implementation with SMC
+      * as the PSCI conduit. When there's no -kernel, we assume the user
+      * provides EL3 firmware to handle PSCI.
++     *
++     * Even if the user provides a kernel filename, arm_load_kernel()
++     * may suppress PSCI if it's going to boot that guest code at EL3.
+      */
+     if (machine->kernel_filename) {
+         psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+                             TYPE_XLNX_VERSAL);
+     object_property_set_link(OBJECT(&s->soc), "ddr", OBJECT(machine->ram),
+                              &error_abort);
+-    object_property_set_int(OBJECT(&s->soc), "psci-conduit", psci_conduit,
+-                            &error_abort);
+     sysbus_realize(SYS_BUS_DEVICE(&s->soc), &error_fatal);
+     fdt_create(s);
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+     s->binfo.loader_start = 0x0;
+     s->binfo.get_dtb = versal_virt_get_dtb;
+     s->binfo.modify_dtb = versal_virt_modify_dtb;
++    s->binfo.psci_conduit = psci_conduit;
+     if (machine->kernel_filename) {
+         arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
+     } else {
+diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal.c
++++ b/hw/arm/xlnx-versal.c
+@@ -XXX,XX +XXX,XX @@ static void versal_create_apu_cpus(Versal *s)
+         object_initialize_child(OBJECT(s), "apu-cpu[*]", &s->fpd.apu.cpu[i],
+                                 XLNX_VERSAL_ACPU_TYPE);
+         obj = OBJECT(&s->fpd.apu.cpu[i]);
+-        object_property_set_int(obj, "psci-conduit", s->cfg.psci_conduit,
+-                                &error_abort);
+         if (i) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /* Secondary CPUs start in powered-down state */
+             object_property_set_bool(obj, "start-powered-off", true,
+                                      &error_abort);
+         }
+@@ -XXX,XX +XXX,XX @@ static void versal_init(Object *obj)
+ static Property versal_properties[] = {
+     DEFINE_PROP_LINK("ddr", Versal, cfg.mr_ddr, TYPE_MEMORY_REGION,
+                      MemoryRegion *),
+-    DEFINE_PROP_UINT32("psci-conduit", Versal, cfg.psci_conduit, 0),
+     DEFINE_PROP_END_OF_LIST()
+ };
+--
+.25.1

-[PULL 12/17] hw/arm/virt: Make PL061 GPIO lines pulled low, not high
+[PULL 13/39] hw/arm/virt: Let boot.c handle PSCI enablement
-For the virt board we have two PL061 devices -- one for NonSecure which
+Instead of setting the CPU psci-conduit and start-powered-off
-is inputs only, and one for Secure which is outputs only. For the former,
+properties in the virt board code, set the arm_boot_info psci_conduit
-we don't care whether its outputs are pulled low or high when the line is
+field so that the boot.c code can do it.
 configured as an input, because we don't connect them. For the latter,
 we do care, because we wire the lines up to the gpio-pwr device, which
 assumes that level 1 means "do the action" and 1 means "do nothing".
 For consistency in case we add more outputs in future, configure both
 PL061s to pull GPIO lines down to 0.
-Reported-by: Maxim Uvarov <maxim.uvarov@linaro.org>
+This will fix a corner case where we were incorrectly enabling PSCI
 emulation when booting guest code into EL3 because it was an ELF file
 passed to -kernel or to the generic loader.  (EL3 guest code started
 via -bios or -pflash was already being run with PSCI emulation
 disabled.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-9-peter.maydell@linaro.org
 ---
- hw/arm/virt.c | 3 +++
+ hw/arm/virt.c | 12 +-----------
-file changed, 3 insertions(+)
+file changed, 1 insertion(+), 11 deletions(-)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void create_gpio_devices(const VirtMachineState *vms, int gpio,
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
-     MachineState *ms = MACHINE(vms);
+             object_property_set_bool(cpuobj, "has_el2", false, NULL);
+         }
-     pl061_dev = qdev_new("pl061");
-+    /* Pull lines down to 0 if not driven by the PL061 */
+-        if (vms->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
-+    qdev_prop_set_uint32(pl061_dev, "pullups", 0);
+-            object_property_set_int(cpuobj, "psci-conduit", vms->psci_conduit,
-+    qdev_prop_set_uint32(pl061_dev, "pulldowns", 0xff);
+-                                    NULL);
-     s = SYS_BUS_DEVICE(pl061_dev);
+-
-     sysbus_realize_and_unref(s, &error_fatal);
+-            /* Secondary CPUs start in PSCI powered-down state */
-     memory_region_add_subregion(mem, base, sysbus_mmio_get_region(s, 0));
+-            if (n > 0) {
 -                object_property_set_bool(cpuobj, "start-powered-off", true,
 -                                         NULL);
 -            }
 -        }
 -
          if (vmc->kvm_no_adjvtime &&
              object_property_find(cpuobj, "kvm-no-adjvtime")) {
              object_property_set_bool(cpuobj, "kvm-no-adjvtime", true, NULL);
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
      vms->bootinfo.get_dtb = machvirt_dtb;
      vms->bootinfo.skip_dtb_autoload = true;
      vms->bootinfo.firmware_loaded = firmware_loaded;
 +    vms->bootinfo.psci_conduit = vms->psci_conduit;
      arm_load_kernel(ARM_CPU(first_cpu), machine, &vms->bootinfo);
      vms->machine_done.notify = virt_machine_done;
 --
-.20.1
+.25.1

-New patch
+[PULL 14/39] hw/arm: highbank: For EL3 guests, don't enable PSCI, start all cores
+Change the highbank/midway boards to use the new boot.c functionality
+to allow us to enable psci-conduit only if the guest is being booted
+in EL1 or EL2, so that if the user runs guest EL3 firmware code our
+PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit and start-powered-off
+properties on the CPU objects in the board code, and instead set the
+psci_conduit field in the arm_boot_info struct to tell the common
+boot loader code that we'd like PSCI if the guest is starting at an
+EL that it makes sense with (in which case it will set these
+properties).
+This means that when running guest code at EL3, all the cores
+will start execution at once on poweron. This matches the
+real hardware behaviour. (A brief description of the hardware
+boot process is in the u-boot documentation for these boards:
+https://u-boot.readthedocs.io/en/latest/board/highbank/highbank.html#boot-process
+ -- in theory one might run the 'a9boot'/'a15boot' secure monitor
+code in QEMU, though we probably don't emulate enough for that.)
+This affects the highbank and midway boards.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-10-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 7 +------
+file changed, 1 insertion(+), 6 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+         object_property_set_int(cpuobj, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
+                                 &error_abort);
+-        if (n) {
+-            /* Secondary CPUs start in PSCI powered-down state */
+-            object_property_set_bool(cpuobj, "start-powered-off", true,
+-                                     &error_abort);
+-        }
+-
+         if (object_property_find(cpuobj, "reset-cbar")) {
+             object_property_set_int(cpuobj, "reset-cbar", MPCORE_PERIPHBASE,
+                                     &error_abort);
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+     highbank_binfo.write_board_setup = hb_write_board_setup;
+     highbank_binfo.secure_board_setup = true;
++    highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
+ }
+--
+.25.1

-[PULL 04/17] tests/boot-serial-test: Add STM32VLDISCOVERY board testcase
+[PULL 15/39] arm: tcg: Adhere to SMCCC 1.3 section 5.2
-From: Alexandre Iooss <erdnaxe@crans.org>
+The SMCCC 1.3 spec section 5.2 says
-New mini-kernel test for STM32VLDISCOVERY USART1.
+  The Unknown SMC Function Identifier is a sign-extended value of (-1)
   that is returned in the R0, W0 or X0 registers. An implementation must
   return this error code when it receives:
-Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
+    * An SMC or HVC call with an unknown Function Identifier
-Acked-by: Thomas Huth <thuth@redhat.com>
+    * An SMC or HVC call for a removed Function Identifier
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
+    * An SMC64/HVC64 call from AArch32 state
-Message-id: 20210617165647.2575955-5-erdnaxe@crans.org
 To comply with these statements, let's always return -1 when we encounter
 an unknown HVC or SMC call.
 [PMM:
  This is a reinstatement of commit 9fcd15b9193e819b, previously
  reverted in commit 4825eaae4fdd56fba0f; we can do this now that we
  have arranged for all the affected board models to not enable the
  PSCI emulation if they are running guest code at EL3. This avoids
  the regressions that caused us to revert the change for 7.0.]
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Tested-by: Cédric Le Goater <clg@kaod.org>
 Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/qtest/boot-serial-test.c | 37 ++++++++++++++++++++++++++++++++++
+ target/arm/psci.c | 35 ++++++-----------------------------
-file changed, 37 insertions(+)
+file changed, 6 insertions(+), 29 deletions(-)
-diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
+diff --git a/target/arm/psci.c b/target/arm/psci.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/boot-serial-test.c
+--- a/target/arm/psci.c
-+++ b/tests/qtest/boot-serial-test.c
++++ b/target/arm/psci.c
-@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_nrf51[] = {
+@@ -XXX,XX +XXX,XX @@
-x1c, 0x25, 0x00, 0x40                  /* 0x4000251c = UART TXD */
- };
+ bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
+ {
-+static const uint8_t kernel_stm32vldiscovery[] = {
+-    /* Return true if the r0/x0 value indicates a PSCI call and
-+    0x00, 0x00, 0x00, 0x00,                 /* Stack top address */
+-     * the exception type matches the configured PSCI conduit. This is
-+    0x1d, 0x00, 0x00, 0x00,                 /* Reset handler address */
+-     * called before the SMC/HVC instruction is executed, to decide whether
-+    0x00, 0x00, 0x00, 0x00,                 /* NMI */
+-     * we should treat it as a PSCI call or with the architecturally
-+    0x00, 0x00, 0x00, 0x00,                 /* Hard fault */
++    /*
-+    0x00, 0x00, 0x00, 0x00,                 /* Memory management fault */
++     * Return true if the exception type matches the configured PSCI conduit.
-+    0x00, 0x00, 0x00, 0x00,                 /* Bus fault */
++     * This is called before the SMC/HVC instruction is executed, to decide
-+    0x00, 0x00, 0x00, 0x00,                 /* Usage fault */
++     * whether we should treat it as a PSCI call or with the architecturally
-+    0x0b, 0x4b,                             /* ldr  r3, [pc, #44] Get RCC */
+      * defined behaviour for an SMC or HVC (which might be UNDEF or trap
-+    0x44, 0xf2, 0x04, 0x02,                 /* movw r2, #16388 */
+      * to EL2 or to EL3).
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+      */
-+    0x0a, 0x4b,                             /* ldr  r3, [pc, #40] Get GPIOA */
+-    CPUARMState *env = &cpu->env;
-+    0x1a, 0x68,                             /* ldr  r2, [r3] */
+-    uint64_t param = is_a64(env) ? env->xregs[0] : env->regs[0];
-+    0x22, 0xf0, 0xf0, 0x02,                 /* bic  r2, r2, #240 */
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+     switch (excp_type) {
-+    0x1a, 0x68,                             /* ldr  r2, [r3] */
+     case EXCP_HVC:
-+    0x42, 0xf0, 0xb0, 0x02,                 /* orr  r2, r2, #176 */
+@@ -XXX,XX +XXX,XX @@ bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+         return false;
-+    0x07, 0x4b,                             /* ldr  r3, [pc, #26] Get BAUD */
+     }
-+    0x45, 0x22,                             /* movs r2, #69 */
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+-    switch (param) {
-+    0x06, 0x4b,                             /* ldr  r3, [pc, #24] Get ENABLE */
+-    case QEMU_PSCI_0_2_FN_PSCI_VERSION:
-+    0x42, 0xf2, 0x08, 0x02,                 /* movw r2, #8200 */
+-    case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+-    case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
-+    0x05, 0x4b,                             /* ldr  r3, [pc, #20] Get TXD */
+-    case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
-+    0x54, 0x22,                             /* movs r2, 'T' */
+-    case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
-+    0x1a, 0x60,                             /* str  r2, [r3] */
+-    case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
-+    0xfe, 0xe7,                             /* b    . */
+-    case QEMU_PSCI_0_1_FN_CPU_ON:
-+    0x18, 0x10, 0x02, 0x40,                 /* 0x40021018 = RCC */
+-    case QEMU_PSCI_0_2_FN_CPU_ON:
-+    0x04, 0x08, 0x01, 0x40,                 /* 0x40010804 = GPIOA */
+-    case QEMU_PSCI_0_2_FN64_CPU_ON:
-+    0x08, 0x38, 0x01, 0x40,                 /* 0x40013808 = USART1 BAUD */
+-    case QEMU_PSCI_0_1_FN_CPU_OFF:
-+    0x0c, 0x38, 0x01, 0x40,                 /* 0x4001380c = USART1 ENABLE */
+-    case QEMU_PSCI_0_2_FN_CPU_OFF:
-+    0x04, 0x38, 0x01, 0x40                  /* 0x40013804 = USART1 TXD */
+-    case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
-+};
+-    case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
-+
+-    case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
- typedef struct testdef {
+-    case QEMU_PSCI_0_1_FN_MIGRATE:
-     const char *arch;       /* Target architecture */
+-    case QEMU_PSCI_0_2_FN_MIGRATE:
-     const char *machine;    /* Name of the machine */
+-        return true;
-@@ -XXX,XX +XXX,XX @@ static testdef_t tests[] = {
+-    default:
-     { "aarch64", "virt", "-cpu max", "TT", sizeof(kernel_aarch64),
+-        return false;
-       kernel_aarch64 },
+-    }
-     { "arm", "microbit", "", "T", sizeof(kernel_nrf51), kernel_nrf51 },
++    return true;
-+    { "arm", "stm32vldiscovery", "", "T",
+ }
-+      sizeof(kernel_stm32vldiscovery), kernel_stm32vldiscovery },
+ void arm_handle_psci_call(ARMCPU *cpu)
-     { NULL }
+@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
- };
+         break;
      case QEMU_PSCI_0_1_FN_MIGRATE:
      case QEMU_PSCI_0_2_FN_MIGRATE:
 +    default:
          ret = QEMU_PSCI_RET_NOT_SUPPORTED;
          break;
 -    default:
 -        g_assert_not_reached();
      }
  err:
 --
-.20.1
+.25.1

-New patch
+[PULL 16/39] hw/arm/highbank: Drop use of secure_board_setup
+Guest code on highbank may make non-PSCI SMC calls in order to
+enable/disable the L2x0 cache controller (see the Linux kernel's
+arch/arm/mach-highbank/highbank.c highbank_l2c310_write_sec()
+function).  The ABI for this is documented in kernel commit
+e56130dcb as being borrowed from the OMAP44xx ROM.  The OMAP44xx TRM
+documents this function ID as having no return value and potentially
+trashing all guest registers except SP and PC. For QEMU's purposes
+(where our L2x0 model is a stub and enabling or disabling it doesn't
+affect the guest behaviour) a simple "do nothing" SMC is fine.
+We currently implement this NOP behaviour using a little bit of
+Secure code we run before jumping to the guest kernel, which is
+written by arm_write_secure_board_setup_dummy_smc().  The code sets
+up a set of Secure vectors where the SMC entry point returns without
+doing anything.
+Now that the PSCI SMC emulation handles all SMC calls (setting r0 to
+an error code if the input r0 function identifier is not recognized),
+we can use that default behaviour as sufficient for the highbank
+cache controller call.  (Because the guest code assumes r0 has no
+interesting value on exit it doesn't matter that we set it to the
+error code).  We can therefore delete the highbank board code that
+sets secure_board_setup to true and writes the secure-code bootstub.
+(Note that because the OMAP44xx ABI puts function-identifiers in
+r12 and PSCI uses r0, we only avoid a clash because Linux's code
+happens to put the function-identifier in both registers. But this
+is true also when the kernel is running on real firmware that
+implements both ABIs as far as I can see.)
+This change fixes in passing booting on the 'midway' board model,
+which has been completely broken since we added support for Hyp
+mode to the Cortex-A15 CPU. When we did that boot.c was made to
+start running the guest code in Hyp mode; this includes the
+board_setup hook, which instantly UNDEFs because the NSACR is
+not accessible from Hyp. (Put another way, we never made the
+secure_board_setup hook support cope with Hyp mode.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-12-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 8 --------
+file changed, 8 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@
+ /* Board init.  */
+-static void hb_write_board_setup(ARMCPU *cpu,
+-                                 const struct arm_boot_info *info)
+-{
+-    arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR);
+-}
+-
+ static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+ {
+     int n;
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.write_secondary_boot = hb_write_secondary;
+     highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+-    highbank_binfo.write_board_setup = hb_write_board_setup;
+-    highbank_binfo.secure_board_setup = true;
+     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
+--
+.25.1

-New patch
+[PULL 17/39] hw/arm/boot: Prevent setting both psci_conduit and secure_board_setup
+Now that we have dealt with the one special case (highbank) that needed
+to set both psci_conduit and secure_board_setup, we don't need to
+allow that combination any more. It doesn't make sense in general,
+so use an assertion to ensure we don't add new boards that do it
+by accident without thinking through the consequences.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-13-peter.maydell@linaro.org
+---
+ hw/arm/boot.c | 10 ++++++++++
+file changed, 10 insertions(+)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
+      * supported exception level or in a lower one.
+      */
++    /*
++     * If PSCI is enabled, then SMC calls all go to the PSCI handler and
++     * are never emulated to trap into guest code. It therefore does not
++     * make sense for the board to have a setup code fragment that runs
++     * in Secure, because this will probably need to itself issue an SMC of some
++     * kind as part of its operation.
++     */
++    assert(info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED ||
++           !info->secure_board_setup);
++
+     /* Boot into highest supported EL ... */
+     if (arm_feature(env, ARM_FEATURE_EL3)) {
+         boot_el = 3;
+--
+.25.1

-New patch
+[PULL 18/39] hw/arm/boot: Don't write secondary boot stub if using PSCI
+If we're using PSCI emulation to start secondary CPUs, there is no
+point in writing the "secondary boot" stub code, because it will
+never be used -- secondary CPUs start powered-off, and when powered
+on are set to begin execution at the address specified by the guest's
+power-on PSCI call, not at the stub.
+Move the call to the hook that writes the secondary boot stub code so
+that we can do it only if we're starting a Linux kernel and not using
+PSCI.
+(None of the users of the hook care about the ordering of its call
+relative to anything else: they only use it to write a rom blob to
+guest memory.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-14-peter.maydell@linaro.org
+---
+ include/hw/arm/boot.h |  3 +++
+ hw/arm/boot.c         | 35 ++++++++++++++++++++++++-----------
+files changed, 27 insertions(+), 11 deletions(-)
+diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/boot.h
++++ b/include/hw/arm/boot.h
+@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
+      * boot loader/boot ROM code, and secondary_cpu_reset_hook() should
+      * perform any necessary CPU reset handling and set the PC for the
+      * secondary CPUs to point at this boot blob.
++     *
++     * These hooks won't be called if secondary CPUs are booting via
++     * emulated PSCI (see psci_conduit below).
+      */
+     void (*write_secondary_boot)(ARMCPU *cpu,
+                                  const struct arm_boot_info *info);
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+                         set_kernel_args(info, as);
+                     }
+                 }
+-            } else {
++            } else if (info->secondary_cpu_reset_hook) {
+                 info->secondary_cpu_reset_hook(cpu, info);
+             }
+         }
+@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
+         elf_machine = EM_ARM;
+     }
+-    if (!info->secondary_cpu_reset_hook) {
+-        info->secondary_cpu_reset_hook = default_reset_secondary;
+-    }
+-    if (!info->write_secondary_boot) {
+-        info->write_secondary_boot = default_write_secondary;
+-    }
+-
+     if (info->nb_cpus == 0)
+         info->nb_cpus = 1;
+@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
+         write_bootloader("bootloader", info->loader_start,
+                          primary_loader, fixupcontext, as);
+-        if (info->nb_cpus > 1) {
+-            info->write_secondary_boot(cpu, info);
+-        }
+         if (info->write_board_setup) {
+             info->write_board_setup(cpu, info);
+         }
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
+         }
+     }
++    if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
++        info->is_linux && info->nb_cpus > 1) {
++        /*
++         * We're booting Linux but not using PSCI, so for SMP we need
++         * to write a custom secondary CPU boot loader stub, and arrange
++         * for the secondary CPU reset to make the accompanying initialization.
++         */
++        if (!info->secondary_cpu_reset_hook) {
++            info->secondary_cpu_reset_hook = default_reset_secondary;
++        }
++        if (!info->write_secondary_boot) {
++            info->write_secondary_boot = default_write_secondary;
++        }
++        info->write_secondary_boot(cpu, info);
++    } else {
++        /*
++         * No secondary boot stub; don't use the reset hook that would
++         * have set the CPU up to call it
++         */
++        info->write_secondary_boot = NULL;
++        info->secondary_cpu_reset_hook = NULL;
++    }
++
+     /*
+      * arm_load_dtb() may add a PSCI node so it must be called after we have
+      * decided whether to enable PSCI and set the psci-conduit CPU properties.
+--
+.25.1

-New patch
+[PULL 19/39] hw/arm/highbank: Drop unused secondary boot stub code
+The highbank and midway board code includes boot-stub code for
+handling secondary CPU boot which keeps the secondaries in a pen
+until the primary writes to a known location with the address they
+should jump to.
+This code is never used, because the boards enable QEMU's PSCI
+emulation, so secondary CPUs are kept powered off until the PSCI call
+which turns them on, and then start execution from the address given
+by the guest in that PSCI call.  Delete the unreachable code.
+(The code was wrong for midway in any case -- on the Cortex-A15 the
+GIC CPU interface registers are at a different offset from PERIPHBASE
+compared to the Cortex-A9, and the code baked-in the offsets for
+highbank's A9.)
+Note that this commit implicitly depends on the preceding "Don't
+write secondary boot stub if using PSCI" commit -- the default
+secondary-boot stub code overlaps with one of the highbank-specific
+bootcode rom blobs, so we must suppress the secondary-boot
+stub code entirely, not merely replace the highbank-specific
+version with the default.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-15-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 56 -----------------------------------------------
+file changed, 56 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@
+ /* Board init.  */
+-static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+-{
+-    int n;
+-    uint32_t smpboot[] = {
+-        0xee100fb0, /* mrc p15, 0, r0, c0, c0, 5 - read current core id */
+-        0xe210000f, /* ands r0, r0, #0x0f */
+-        0xe3a03040, /* mov r3, #0x40 - jump address is 0x40 + 0x10 * core id */
+-        0xe0830200, /* add r0, r3, r0, lsl #4 */
+-        0xe59f2024, /* ldr r2, privbase */
+-        0xe3a01001, /* mov r1, #1 */
+-        0xe5821100, /* str r1, [r2, #256] - set GICC_CTLR.Enable */
+-        0xe3a010ff, /* mov r1, #0xff */
+-        0xe5821104, /* str r1, [r2, #260] - set GICC_PMR.Priority to 0xff */
+-        0xf57ff04f, /* dsb */
+-        0xe320f003, /* wfi */
+-        0xe5901000, /* ldr     r1, [r0] */
+-        0xe1110001, /* tst     r1, r1 */
+-        0x0afffffb, /* beq     <wfi> */
+-        0xe12fff11, /* bx      r1 */
+-        MPCORE_PERIPHBASE   /* privbase: MPCore peripheral base address.  */
+-    };
+-    for (n = 0; n < ARRAY_SIZE(smpboot); n++) {
+-        smpboot[n] = tswap32(smpboot[n]);
+-    }
+-    rom_add_blob_fixed_as("smpboot", smpboot, sizeof(smpboot), SMP_BOOT_ADDR,
+-                          arm_boot_address_space(cpu, info));
+-}
+-
+-static void hb_reset_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+-{
+-    CPUARMState *env = &cpu->env;
+-
+-    switch (info->nb_cpus) {
+-    case 4:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x30, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        /* fallthrough */
+-    case 3:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x20, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        /* fallthrough */
+-    case 2:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x10, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        env->regs[15] = SMP_BOOT_ADDR;
+-        break;
+-    default:
+-        break;
+-    }
+-}
+-
+ #define NUM_REGS      0x200
+ static void hb_regs_write(void *opaque, hwaddr offset,
+                           uint64_t value, unsigned size)
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.board_id = -1;
+     highbank_binfo.nb_cpus = smp_cpus;
+     highbank_binfo.loader_start = 0;
+-    highbank_binfo.write_secondary_boot = hb_write_secondary;
+-    highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+--
+.25.1

-New patch
+[PULL 20/39] hw/arm/boot: Drop nb_cpus field from arm_boot_info
+We use the arm_boot_info::nb_cpus field in only one place, and that
 place can easily get the number of CPUs locally rather than relying
 on the board code to have set the field correctly.  (At least one
 board, xlnx-versal-virt, does not set the field despite having more
 than one CPU.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Tested-by: Cédric Le Goater <clg@kaod.org>
 Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Message-id: 20220127154639.2090164-16-peter.maydell@linaro.org
 ---
  include/hw/arm/boot.h   | 1 -
  hw/arm/aspeed.c         | 1 -
  hw/arm/boot.c           | 7 +++----
  hw/arm/exynos4_boards.c | 1 -
  hw/arm/highbank.c       | 1 -
  hw/arm/imx25_pdk.c      | 3 +--
  hw/arm/kzm.c            | 1 -
  hw/arm/mcimx6ul-evk.c   | 1 -
  hw/arm/mcimx7d-sabre.c  | 1 -
  hw/arm/npcm7xx.c        | 3 ---
  hw/arm/orangepi.c       | 4 +---
  hw/arm/raspi.c          | 1 -
  hw/arm/realview.c       | 1 -
  hw/arm/sabrelite.c      | 1 -
  hw/arm/sbsa-ref.c       | 1 -
  hw/arm/vexpress.c       | 1 -
  hw/arm/virt.c           | 1 -
  hw/arm/xilinx_zynq.c    | 1 -
 files changed, 5 insertions(+), 26 deletions(-)
 diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/boot.h
 +++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
      hwaddr smp_loader_start;
      hwaddr smp_bootreg_addr;
      hwaddr gic_cpu_if_addr;
 -    int nb_cpus;
      int board_id;
      /* ARM machines that support the ARM Security Extensions use this field to
       * control whether Linux is booted as secure(true) or non-secure(false).
 diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/aspeed.c
 +++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_init(MachineState *machine)
      aspeed_board_binfo.ram_size = machine->ram_size;
      aspeed_board_binfo.loader_start = sc->memmap[ASPEED_DEV_SDRAM];
 -    aspeed_board_binfo.nb_cpus = sc->num_cpus;
      if (amc->i2c_init) {
          amc->i2c_init(bmc);
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
          elf_machine = EM_ARM;
      }
 -    if (info->nb_cpus == 0)
 -        info->nb_cpus = 1;
 -
      /* Assume that raw images are linux kernels, and ELF images are not.  */
      kernel_size = arm_load_elf(info, &elf_entry, &image_low_addr,
                                 &image_high_addr, elf_machine, as);
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      AddressSpace *as = arm_boot_address_space(cpu, info);
      int boot_el;
      CPUARMState *env = &cpu->env;
 +    int nb_cpus = 0;
      /*
       * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
       */
      for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
          qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
 +        nb_cpus++;
      }
      /*
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      }
      if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
 -        info->is_linux && info->nb_cpus > 1) {
 +        info->is_linux && nb_cpus > 1) {
          /*
           * We're booting Linux but not using PSCI, so for SMP we need
           * to write a custom secondary CPU boot loader stub, and arrange
 diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4_boards.c
 +++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@ static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
  static struct arm_boot_info exynos4_board_binfo = {
      .loader_start     = EXYNOS4210_BASE_BOOT_ADDR,
      .smp_loader_start = EXYNOS4210_SMP_BOOT_ADDR,
 -    .nb_cpus          = EXYNOS4210_NCPUS,
      .write_secondary_boot = exynos4210_write_secondary,
  };
 diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/highbank.c
 +++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
       * clear that the value is meaningless.
       */
      highbank_binfo.board_id = -1;
 -    highbank_binfo.nb_cpus = smp_cpus;
      highbank_binfo.loader_start = 0;
      highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
      highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 diff --git a/hw/arm/imx25_pdk.c b/hw/arm/imx25_pdk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/imx25_pdk.c
 +++ b/hw/arm/imx25_pdk.c
@@ -XXX,XX +XXX,XX @@ static void imx25_pdk_init(MachineState *machine)
      imx25_pdk_binfo.ram_size = machine->ram_size;
      imx25_pdk_binfo.loader_start = FSL_IMX25_SDRAM0_ADDR;
 -    imx25_pdk_binfo.board_id = 1771,
 -    imx25_pdk_binfo.nb_cpus = 1;
 +    imx25_pdk_binfo.board_id = 1771;
      for (i = 0; i < FSL_IMX25_NUM_ESDHCS; i++) {
          BusState *bus;
 diff --git a/hw/arm/kzm.c b/hw/arm/kzm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/kzm.c
 +++ b/hw/arm/kzm.c
@@ -XXX,XX +XXX,XX @@ static void kzm_init(MachineState *machine)
      }
      kzm_binfo.ram_size = machine->ram_size;
 -    kzm_binfo.nb_cpus = 1;
      if (!qtest_enabled()) {
          arm_load_kernel(&s->soc.cpu, machine, &kzm_binfo);
 diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mcimx6ul-evk.c
 +++ b/hw/arm/mcimx6ul-evk.c
@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
          .loader_start = FSL_IMX6UL_MMDC_ADDR,
          .board_id = -1,
          .ram_size = machine->ram_size,
 -        .nb_cpus = machine->smp.cpus,
          .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
      };
 diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mcimx7d-sabre.c
 +++ b/hw/arm/mcimx7d-sabre.c
@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
          .loader_start = FSL_IMX7_MMDC_ADDR,
          .board_id = -1,
          .ram_size = machine->ram_size,
 -        .nb_cpus = machine->smp.cpus,
          .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
      };
 diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/npcm7xx.c
 +++ b/hw/arm/npcm7xx.c
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info npcm7xx_binfo = {
  void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc)
  {
 -    NPCM7xxClass *sc = NPCM7XX_GET_CLASS(soc);
 -
      npcm7xx_binfo.ram_size = machine->ram_size;
 -    npcm7xx_binfo.nb_cpus = sc->num_cpus;
      arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo);
  }
 diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/orangepi.c
 +++ b/hw/arm/orangepi.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/qdev-properties.h"
  #include "hw/arm/allwinner-h3.h"
 -static struct arm_boot_info orangepi_binfo = {
 -    .nb_cpus = AW_H3_NUM_CPUS,
 -};
 +static struct arm_boot_info orangepi_binfo;
  static void orangepi_init(MachineState *machine)
  {
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, RaspiProcessorId processor_id,
      s->binfo.board_id = MACH_TYPE_BCM2708;
      s->binfo.ram_size = ram_size;
 -    s->binfo.nb_cpus = machine->smp.cpus;
      if (processor_id <= PROCESSOR_ID_BCM2836) {
          /*
 diff --git a/hw/arm/realview.c b/hw/arm/realview.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/realview.c
 +++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@ static void realview_init(MachineState *machine,
      memory_region_add_subregion(sysmem, SMP_BOOT_ADDR, ram_hack);
      realview_binfo.ram_size = ram_size;
 -    realview_binfo.nb_cpus = smp_cpus;
      realview_binfo.board_id = realview_board_id[board_type];
      realview_binfo.loader_start = (board_type == BOARD_PB_A8 ? 0x70000000 : 0);
      arm_load_kernel(ARM_CPU(first_cpu), machine, &realview_binfo);
 diff --git a/hw/arm/sabrelite.c b/hw/arm/sabrelite.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sabrelite.c
 +++ b/hw/arm/sabrelite.c
@@ -XXX,XX +XXX,XX @@ static void sabrelite_init(MachineState *machine)
      }
      sabrelite_binfo.ram_size = machine->ram_size;
 -    sabrelite_binfo.nb_cpus = machine->smp.cpus;
      sabrelite_binfo.secure_boot = true;
      sabrelite_binfo.write_secondary_boot = sabrelite_write_secondary;
      sabrelite_binfo.secondary_cpu_reset_hook = sabrelite_reset_secondary;
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sbsa-ref.c
 +++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
      create_secure_ec(secure_sysmem);
      sms->bootinfo.ram_size = machine->ram_size;
 -    sms->bootinfo.nb_cpus = smp_cpus;
      sms->bootinfo.board_id = -1;
      sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
      sms->bootinfo.get_dtb = sbsa_ref_dtb;
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      }
      daughterboard->bootinfo.ram_size = machine->ram_size;
 -    daughterboard->bootinfo.nb_cpus = machine->smp.cpus;
      daughterboard->bootinfo.board_id = VEXPRESS_BOARD_ID;
      daughterboard->bootinfo.loader_start = daughterboard->loader_start;
      daughterboard->bootinfo.smp_loader_start = map[VE_SRAM];
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
      }
      vms->bootinfo.ram_size = machine->ram_size;
 -    vms->bootinfo.nb_cpus = smp_cpus;
      vms->bootinfo.board_id = -1;
      vms->bootinfo.loader_start = vms->memmap[VIRT_MEM].base;
      vms->bootinfo.get_dtb = machvirt_dtb;
 diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xilinx_zynq.c
 +++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)
      sysbus_mmio_map(busdev, 0, 0xF8007000);
      zynq_binfo.ram_size = machine->ram_size;
 -    zynq_binfo.nb_cpus = 1;
      zynq_binfo.board_id = 0xd32;
      zynq_binfo.loader_start = 0;
      zynq_binfo.board_setup_addr = BOARD_SETUP_ADDR;
 --
 .25.1

-New patch
+[PULL 21/39] hw/arm/boot: Drop existing dtb /psci node rather than retaining it
+If we're using PSCI emulation, we add a /psci node to the device tree
+we pass to the guest.  At the moment, if the dtb already has a /psci
+node in it, we retain it, rather than replacing it. (This behaviour
+was added in commit c39770cd637765 in 2018.)
+This is a problem if the existing node doesn't match our PSCI
+emulation.  In particular, it might specify the wrong method (HVC vs
+SMC), or wrong function IDs for cpu_suspend/cpu_off/etc, in which
+case the guest will not get the behaviour it wants when it makes PSCI
+calls.
+An example of this is trying to boot the highbank or midway board
+models using the device tree supplied in the kernel sources: this
+device tree includes a /psci node that specifies function IDs that
+don't match the (PSCI 0.2 compliant) IDs that QEMU uses.  The dtb
+cpu_suspend function ID happens to match the PSCI 0.2 cpu_off ID, so
+the guest hangs after booting when the kernel tries to idle the CPU
+and instead it gets turned off.
+Instead of retaining an existing /psci node, delete it entirely
+and replace it with a node whose properties match QEMU's PSCI
+emulation behaviour. This matches the way we handle /memory nodes,
+where we also delete any existing nodes and write in ones that
+match the way QEMU is going to behave.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-17-peter.maydell@linaro.org
+---
+ hw/arm/boot.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
+     }
+     /*
+-     * If /psci node is present in provided DTB, assume that no fixup
+-     * is necessary and all PSCI configuration should be taken as-is
++     * A pre-existing /psci node might specify function ID values
++     * that don't match QEMU's PSCI implementation. Delete the whole
++     * node and put our own in instead.
+      */
+     rc = fdt_path_offset(fdt, "/psci");
+     if (rc >= 0) {
+-        return;
++        qemu_fdt_nop_node(fdt, "/psci");
+     }
+     qemu_fdt_add_subnode(fdt, "/psci");
+--
+.25.1

-[PULL 17/17] hw/intc: Improve formatting of MEMTX_ERROR guest error message
+[PULL 22/39] hw/arm: versal-virt: Always call arm_load_kernel()
-From: Rebecca Cran <rebecca@nuviainc.com>
+From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-Add a space in the message printed when gicr_read*/gicr_write* returns
+Always call arm_load_kernel() regardless of kernel_filename being
-MEMTX_ERROR in arm_gicv3_redist.c.
+set. This is needed because arm_load_kernel() sets up reset for
 the CPUs.
-Signed-off-by: Rebecca Cran <rebecca@nuviainc.com>
+Fixes: 6f16da53ff (hw/arm: versal: Add a virtual Xilinx Versal board)
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20210706211432.31902-1-rebecca@nuviainc.com
+Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Message-id: 20220130110313.4045351-2-edgar.iglesias@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_redist.c | 4 ++--
+ hw/arm/xlnx-versal-virt.c | 11 ++---------
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 2 insertions(+), 9 deletions(-)
-diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_redist.c
+--- a/hw/arm/xlnx-versal-virt.c
-+++ b/hw/intc/arm_gicv3_redist.c
++++ b/hw/arm/xlnx-versal-virt.c
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
-     if (r == MEMTX_ERROR) {
+     s->binfo.get_dtb = versal_virt_get_dtb;
-         qemu_log_mask(LOG_GUEST_ERROR,
+     s->binfo.modify_dtb = versal_virt_modify_dtb;
-                       "%s: invalid guest read at offset " TARGET_FMT_plx
+     s->binfo.psci_conduit = psci_conduit;
--                      "size %u\n", __func__, offset, size);
+-    if (machine->kernel_filename) {
-+                      " size %u\n", __func__, offset, size);
+-        arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
-         trace_gicv3_redist_badread(gicv3_redist_affid(cs), offset,
+-    } else {
-                                    size, attrs.secure);
+-        AddressSpace *as = arm_boot_address_space(&s->soc.fpd.apu.cpu[0],
-         /* The spec requires that reserved registers are RAZ/WI;
+-                                                  &s->binfo);
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
++    if (!machine->kernel_filename) {
-     if (r == MEMTX_ERROR) {
+         /* Some boot-loaders (e.g u-boot) don't like blobs at address 0 (NULL).
-         qemu_log_mask(LOG_GUEST_ERROR,
+          * Offset things by 4K.  */
-                       "%s: invalid guest write at offset " TARGET_FMT_plx
+         s->binfo.loader_start = 0x1000;
--                      "size %u\n", __func__, offset, size);
+         s->binfo.dtb_limit = 0x1000000;
-+                      " size %u\n", __func__, offset, size);
+-        if (arm_load_dtb(s->binfo.loader_start,
-         trace_gicv3_redist_badwrite(gicv3_redist_affid(cs), offset, data,
+-                         &s->binfo, s->binfo.dtb_limit, as, machine) < 0) {
-                                     size, attrs.secure);
+-            exit(EXIT_FAILURE);
-         /* The spec requires that reserved registers are RAZ/WI;
+-        }
      }
 +    arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
      for (i = 0; i < XLNX_VERSAL_NUM_OSPI_FLASH; i++) {
          BusState *spi_bus;
 --
-.20.1
+.25.1

-[PULL 03/17] docs/system: arm: Add stm32 boards description
+[PULL 23/39] arm: force flag recalculation when messing with DAIF
-From: Alexandre Iooss <erdnaxe@crans.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-This adds the target guide for Netduino 2, Netduino Plus 2 and STM32VLDISCOVERY.
+The recently introduced debug tests in kvm-unit-tests exposed an error
 in our handling of singlestep cause by stale hflags. This is caught by
 --enable-debug-tcg when running the tests.
-Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reported-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20210617165647.2575955-4-erdnaxe@crans.org
+Tested-by: Andrew Jones <drjones@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220202122353.457084-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/stm32.rst  | 66 ++++++++++++++++++++++++++++++++++++++
+ target/arm/helper-a64.c | 2 ++
- docs/system/target-arm.rst |  1 +
+file changed, 2 insertions(+)
  MAINTAINERS                |  1 +
 files changed, 68 insertions(+)
  create mode 100644 docs/system/arm/stm32.rst
-diff --git a/docs/system/arm/stm32.rst b/docs/system/arm/stm32.rst
+diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/docs/system/arm/stm32.rst
@@ -XXX,XX +XXX,XX @@
 +STMicroelectronics STM32 boards (``netduino2``, ``netduinoplus2``, ``stm32vldiscovery``)
 +========================================================================================
 +
 +The `STM32`_ chips are a family of 32-bit ARM-based microcontroller by
 +STMicroelectronics.
 +
 +.. _STM32: https://www.st.com/en/microcontrollers-microprocessors/stm32-32-bit-arm-cortex-mcus.html
 +
 +The STM32F1 series is based on ARM Cortex-M3 core. The following machines are
 +based on this chip :
 +
 +- ``stm32vldiscovery``  STM32VLDISCOVERY board with STM32F100RBT6 microcontroller
 +
 +The STM32F2 series is based on ARM Cortex-M3 core. The following machines are
 +based on this chip :
 +
 +- ``netduino2``         Netduino 2 board with STM32F205RFT6 microcontroller
 +
 +The STM32F4 series is based on ARM Cortex-M4F core. This series is pin-to-pin
 +compatible with STM32F2 series. The following machines are based on this chip :
 +
 +- ``netduinoplus2``     Netduino Plus 2 board with STM32F405RGT6 microcontroller
 +
 +There are many other STM32 series that are currently not supported by QEMU.
 +
 +Supported devices
 +-----------------
 +
 + * ARM Cortex-M3, Cortex M4F
 + * Analog to Digital Converter (ADC)
 + * EXTI interrupt
 + * Serial ports (USART)
 + * SPI controller
 + * System configuration (SYSCFG)
 + * Timer controller (TIMER)
 +
 +Missing devices
 +---------------
 +
 + * Camera interface (DCMI)
 + * Controller Area Network (CAN)
 + * Cycle Redundancy Check (CRC) calculation unit
 + * Digital to Analog Converter (DAC)
 + * DMA controller
 + * Ethernet controller
 + * Flash Interface Unit
 + * GPIO controller
 + * I2C controller
 + * Inter-Integrated Sound (I2S) controller
 + * Power supply configuration (PWR)
 + * Random Number Generator (RNG)
 + * Real-Time Clock (RTC) controller
 + * Reset and Clock Controller (RCC)
 + * Secure Digital Input/Output (SDIO) interface
 + * USB OTG
 + * Watchdog controller (IWDG, WWDG)
 +
 +Boot options
 +------------
 +
 +The STM32 machines can be started using the ``-kernel`` option to load a
 +firmware. Example:
 +
 +.. code-block:: bash
 +
 +  $ qemu-system-arm -M stm32vldiscovery -kernel firmware.bin
 diff --git a/docs/system/target-arm.rst b/docs/system/target-arm.rst
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/target-arm.rst
+--- a/target/arm/helper-a64.c
-+++ b/docs/system/target-arm.rst
++++ b/target/arm/helper-a64.c
-@@ -XXX,XX +XXX,XX @@ undocumented; you can get a complete list by running
+@@ -XXX,XX +XXX,XX @@ void HELPER(msr_i_daifset)(CPUARMState *env, uint32_t imm)
-    arm/collie
+ {
-    arm/sx1
+     daif_check(env, 0x1e, imm, GETPC());
-    arm/stellaris
+     env->daif |= (imm << 6) & PSTATE_DAIF;
-+   arm/stm32
++    arm_rebuild_hflags(env);
-    arm/virt
+ }
-    arm/xlnx-versal-virt
+ void HELPER(msr_i_daifclear)(CPUARMState *env, uint32_t imm)
-diff --git a/MAINTAINERS b/MAINTAINERS
+ {
-index XXXXXXX..XXXXXXX 100644
+     daif_check(env, 0x1f, imm, GETPC());
---- a/MAINTAINERS
+     env->daif &= ~((imm << 6) & PSTATE_DAIF);
-+++ b/MAINTAINERS
++    arm_rebuild_hflags(env);
-@@ -XXX,XX +XXX,XX @@ M: Alexandre Iooss <erdnaxe@crans.org>
+ }
- L: qemu-arm@nongnu.org
- S: Maintained
+ /* Convert a softfloat float_relation_ (as returned by
  F: hw/arm/stm32vldiscovery.c
 +F: docs/system/arm/stm32.rst
  Versatile Express
  M: Peter Maydell <peter.maydell@linaro.org>
 --
-.20.1
+.25.1

-[PULL 05/17] hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write
+[PULL 24/39] hw/timer/armv7m_systick: Update clock source before enabling timer
-From: Ricardo Koller <ricarkol@google.com>
+From: Richard Petri <git@rpls.de>
-icv_eoir_write() and icv_dir_write() ignore invalid virtual IRQ numbers
+Starting the SysTick timer and changing the clock source a the same time
-(like LPIs).  The issue is that these functions check against the number
+will result in an error, if the previous clock period was zero. For exmaple,
-of implemented IRQs (QEMU's default is num_irq=288) which can be lower
+on the mps2-tz platforms, no refclk is present. Right after reset, the
-than the maximum virtual IRQ number (1020 - 1).  The consequence is that
+configured ptimer period is zero, and trying to enabling it will turn it off
-if a hypervisor creates an LR for an IRQ between 288 and 1020, then the
+right away. E.g., code running on the platform setting
 guest is unable to deactivate the resulting IRQ. Note that other
 functions that deal with large IRQ numbers, like icv_iar_read, check
 against 1020 and not against num_irq.
-Fix the checks by using GICV3_MAXIRQ (1020) instead of the number of
+    SysTick->CTRL  = SysTick_CTRL_CLKSOURCE_Msk | SysTick_CTRL_ENABLE_Msk;
 implemented IRQs.
-Signed-off-by: Ricardo Koller <ricarkol@google.com>
+should change the clock source and enable the timer on real hardware, but
-Message-id: 20210702233701.3369-1-ricarkol@google.com
+resulted in an error in qemu.
 Signed-off-by: Richard Petri <git@rpls.de>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220201192650.289584-1-git@rpls.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_cpuif.c | 4 ++--
+ hw/timer/armv7m_systick.c | 8 ++++----
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+diff --git a/hw/timer/armv7m_systick.c b/hw/timer/armv7m_systick.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/hw/timer/armv7m_systick.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/hw/timer/armv7m_systick.c
-@@ -XXX,XX +XXX,XX @@ static void icv_dir_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
+         s->control &= 0xfffffff8;
-     trace_gicv3_icv_dir_write(gicv3_redist_affid(cs), value);
+         s->control |= value & 7;
--    if (irq >= cs->gic->num_irq) {
++        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
-+    if (irq >= GICV3_MAXIRQ) {
++            systick_set_period_from_clock(s);
-         /* Also catches special interrupt numbers and LPIs */
++        }
-         return;
++
-     }
+         if ((oldval ^ value) & SYSTICK_ENABLE) {
-@@ -XXX,XX +XXX,XX @@ static void icv_eoir_write(CPUARMState *env, const ARMCPRegInfo *ri,
+             if (value & SYSTICK_ENABLE) {
-     trace_gicv3_icv_eoir_write(ri->crm == 8 ? 0 : 1,
+                 ptimer_run(s->ptimer, 0);
-                                gicv3_redist_affid(cs), value);
+@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
+                 ptimer_stop(s->ptimer);
--    if (irq >= cs->gic->num_irq) {
+             }
-+    if (irq >= GICV3_MAXIRQ) {
+         }
-         /* Also catches special interrupt numbers and LPIs */
+-
-         return;
+-        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
 -            systick_set_period_from_clock(s);
 -        }
          ptimer_transaction_commit(s->ptimer);
          break;
      }
 --
-.20.1
+.25.1

-[PULL 02/17] stm32vldiscovery: Add the STM32VLDISCOVERY Machine
+[PULL 25/39] hw/arm/smmuv3: Fix device reset
-From: Alexandre Iooss <erdnaxe@crans.org>
+From: Eric Auger <eric.auger@redhat.com>
-This is a Cortex-M3 based machine. Information can be found at:
+We currently miss a bunch of register resets in the device reset
-https://www.st.com/en/evaluation-tools/stm32vldiscovery.html
+function. This sometimes prevents the guest from rebooting after
 a system_reset (with virtio-blk-pci). For instance, we may get
 the following errors:
-Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
+invalid STE
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
-Message-id: 20210617165647.2575955-3-erdnaxe@crans.org
+Invalid read at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
 invalid STE
 smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
 Invalid write at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
 invalid STE
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 20220202111602.627429-1-eric.auger@redhat.com
 Fixes: 10a83cb988 ("hw/arm/smmuv3: Skeleton")
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- default-configs/devices/arm-softmmu.mak |  1 +
+ hw/arm/smmuv3.c | 6 ++++++
- hw/arm/stm32vldiscovery.c               | 66 +++++++++++++++++++++++++
+file changed, 6 insertions(+)
  MAINTAINERS                             |  6 +++
  hw/arm/Kconfig                          |  4 ++
  hw/arm/meson.build                      |  1 +
 files changed, 78 insertions(+)
  create mode 100644 hw/arm/stm32vldiscovery.c
-diff --git a/default-configs/devices/arm-softmmu.mak b/default-configs/devices/arm-softmmu.mak
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/default-configs/devices/arm-softmmu.mak
+--- a/hw/arm/smmuv3.c
-+++ b/default-configs/devices/arm-softmmu.mak
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ CONFIG_CHEETAH=y
+@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
- CONFIG_SX1=y
+     s->features = 0;
- CONFIG_NSERIES=y
+     s->sid_split = 0;
- CONFIG_STELLARIS=y
+     s->aidr = 0x1;
-+CONFIG_STM32VLDISCOVERY=y
++    s->cr[0] = 0;
- CONFIG_REALVIEW=y
++    s->cr0ack = 0;
- CONFIG_VERSATILE=y
++    s->irq_ctrl = 0;
- CONFIG_VEXPRESS=y
++    s->gerror = 0;
-diff --git a/hw/arm/stm32vldiscovery.c b/hw/arm/stm32vldiscovery.c
++    s->gerrorn = 0;
-new file mode 100644
++    s->statusr = 0;
-index XXXXXXX..XXXXXXX
+ }
---- /dev/null
-+++ b/hw/arm/stm32vldiscovery.c
+ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
@@ -XXX,XX +XXX,XX @@
 +/*
 + * ST STM32VLDISCOVERY machine
 + *
 + * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
 + * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "hw/boards.h"
 +#include "hw/qdev-properties.h"
 +#include "qemu/error-report.h"
 +#include "hw/arm/stm32f100_soc.h"
 +#include "hw/arm/boot.h"
 +
 +/* stm32vldiscovery implementation is derived from netduinoplus2 */
 +
 +/* Main SYSCLK frequency in Hz (24MHz) */
 +#define SYSCLK_FRQ 24000000ULL
 +
 +static void stm32vldiscovery_init(MachineState *machine)
 +{
 +    DeviceState *dev;
 +
 +    /*
 +     * TODO: ideally we would model the SoC RCC and let it handle
 +     * system_clock_scale, including its ability to define different
 +     * possible SYSCLK sources.
 +     */
 +    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
 +
 +    dev = qdev_new(TYPE_STM32F100_SOC);
 +    qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m3"));
 +    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
 +
 +    armv7m_load_kernel(ARM_CPU(first_cpu),
 +                       machine->kernel_filename,
 +                       FLASH_SIZE);
 +}
 +
 +static void stm32vldiscovery_machine_init(MachineClass *mc)
 +{
 +    mc->desc = "ST STM32VLDISCOVERY (Cortex-M3)";
 +    mc->init = stm32vldiscovery_init;
 +}
 +
 +DEFINE_MACHINE("stm32vldiscovery", stm32vldiscovery_machine_init)
 +
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/*/stellaris*
  F: include/hw/input/gamepad.h
  F: docs/system/arm/stellaris.rst
 +STM32VLDISCOVERY
 +M: Alexandre Iooss <erdnaxe@crans.org>
 +L: qemu-arm@nongnu.org
 +S: Maintained
 +F: hw/arm/stm32vldiscovery.c
 +
  Versatile Express
  M: Peter Maydell <peter.maydell@linaro.org>
  L: qemu-arm@nongnu.org
 diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/Kconfig
 +++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config STELLARIS
      select STELLARIS_ENET # ethernet
      select UNIMP
 +config STM32VLDISCOVERY
 +    bool
 +    select STM32F100_SOC
 +
  config STRONGARM
      bool
      select PXA2XX
 diff --git a/hw/arm/meson.build b/hw/arm/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/meson.build
 +++ b/hw/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_Z2', if_true: files('z2.c'))
  arm_ss.add(when: 'CONFIG_REALVIEW', if_true: files('realview.c'))
  arm_ss.add(when: 'CONFIG_SBSA_REF', if_true: files('sbsa-ref.c'))
  arm_ss.add(when: 'CONFIG_STELLARIS', if_true: files('stellaris.c'))
 +arm_ss.add(when: 'CONFIG_STM32VLDISCOVERY', if_true: files('stm32vldiscovery.c'))
  arm_ss.add(when: 'CONFIG_COLLIE', if_true: files('collie.c'))
  arm_ss.add(when: 'CONFIG_VERSATILE', if_true: files('versatilepb.c'))
  arm_ss.add(when: 'CONFIG_VEXPRESS', if_true: files('vexpress.c'))
 --
-.20.1
+.25.1

-New patch
+[PULL 26/39] hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packets
+Currently the ITS accesses each 8-byte doubleword in a 4-doubleword
 command packet with a separate address_space_ldq_le() call.  This is
 awkward because the individual command processing functions have
 ended up with code to handle "load more doublewords out of the
 packet", which is both unwieldy and also a potential source of bugs
 because it's not obvious when looking at a line that pulls a field
 out of the 'value' variable which of the 4 doublewords that variable
 currently holds.
 Switch to using address_space_map() to map the whole command packet
 at once and fish the four doublewords out of it.  Then each process_*
 function can start with a few lines of code that extract the fields
 it cares about.
 This requires us to split out the guts of process_its_cmd() into a
 new do_process_its_cmd(), because we were previously overloading the
 value and offset arguments as a backdoor way to directly pass the
 devid and eventid from a write to GITS_TRANSLATER.  The new
 do_process_its_cmd() takes those arguments directly, and
 process_its_cmd() is just a wrapper that does the "read fields from
 command packet" part.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-2-peter.maydell@linaro.org
 ---
  hw/intc/gicv3_internal.h |   4 +-
  hw/intc/arm_gicv3_its.c  | 208 +++++++++++----------------------------
 files changed, 62 insertions(+), 150 deletions(-)
 diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/gicv3_internal.h
 +++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ FIELD(GITS_TYPER, CIL, 36, 1)
  #define LPI_CTE_ENABLED          TABLE_ENTRY_VALID_MASK
  #define LPI_PRIORITY_MASK         0xfc
 -#define GITS_CMDQ_ENTRY_SIZE               32
 -#define NUM_BYTES_IN_DW                     8
 +#define GITS_CMDQ_ENTRY_WORDS 4
 +#define GITS_CMDQ_ENTRY_SIZE  (GITS_CMDQ_ENTRY_WORDS * sizeof(uint64_t))
  #define CMD_MASK                  0xff
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
   * 3. handling of ITS CLEAR command
   * 4. handling of ITS DISCARD command
   */
 -static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
 -                                    uint32_t offset, ItsCmdType cmd)
 +static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
 +                                       uint32_t eventid, ItsCmdType cmd)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
 -    uint32_t devid, eventid;
      MemTxResult res = MEMTX_OK;
      bool dte_valid;
      uint64_t dte = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
      bool cte_valid = false;
      uint64_t rdbase;
 -    if (cmd == NONE) {
 -        devid = offset;
 -    } else {
 -        devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -
 -        offset += NUM_BYTES_IN_DW;
 -        value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                     MEMTXATTRS_UNSPECIFIED, &res);
 -    }
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    eventid = (value & EVENTID_MASK);
 -
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: devid %d>=%d",
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
      }
      return CMD_CONTINUE;
  }
 -
 -static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
 -                                  uint32_t offset, bool ignore_pInt)
 +static ItsCmdResult process_its_cmd(GICv3ITSState *s, const uint64_t *cmdpkt,
 +                                    ItsCmdType cmd)
 +{
 +    uint32_t devid, eventid;
 +
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    eventid = cmdpkt[1] & EVENTID_MASK;
 +    return do_process_its_cmd(s, devid, eventid, cmd);
 +}
 +
 +static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
 +                                  bool ignore_pInt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint32_t devid, eventid;
      uint32_t pIntid = 0;
      uint64_t num_eventids;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
      uint64_t dte = 0;
      IteEntry ite = {};
 -    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    eventid = (value & EVENTID_MASK);
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    eventid = cmdpkt[1] & EVENTID_MASK;
      if (ignore_pInt) {
          pIntid = eventid;
      } else {
 -        pIntid = ((value & pINTID_MASK) >> pINTID_SHIFT);
 +        pIntid = (cmdpkt[1] & pINTID_MASK) >> pINTID_SHIFT;
      }
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    icid = value & ICID_MASK;
 +    icid = cmdpkt[2] & ICID_MASK;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
      return res == MEMTX_OK;
  }
 -static ItsCmdResult process_mapc(GICv3ITSState *s, uint32_t offset)
 +static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint16_t icid;
      uint64_t rdbase;
      bool valid;
 -    MemTxResult res = MEMTX_OK;
 -    uint64_t value;
 -    offset += NUM_BYTES_IN_DW;
 -    offset += NUM_BYTES_IN_DW;
 +    icid = cmdpkt[2] & ICID_MASK;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    icid = value & ICID_MASK;
 -
 -    rdbase = (value & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
 +    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
      rdbase &= RDBASE_PROCNUM_MASK;
 -    valid = (value & CMD_FIELD_VALID_MASK);
 +    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
      return res == MEMTX_OK;
  }
 -static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
 -                                 uint32_t offset)
 +static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint32_t devid;
      uint8_t size;
      uint64_t itt_addr;
      bool valid;
 -    MemTxResult res = MEMTX_OK;
 -    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    size = (value & SIZE_MASK);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    itt_addr = (value & ITTADDR_MASK) >> ITTADDR_SHIFT;
 -
 -    valid = (value & CMD_FIELD_VALID_MASK);
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    size = cmdpkt[1] & SIZE_MASK;
 +    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
 +    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((devid >= s->dt.num_entries) ||
          (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
      return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
  }
 -static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
 -                                   uint32_t offset)
 +static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
 -    MemTxResult res = MEMTX_OK;
      uint64_t rd1, rd2;
 -    /* No fields in dwords 0 or 1 */
 -    offset += NUM_BYTES_IN_DW;
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 +    rd1 = FIELD_EX64(cmdpkt[2], MOVALL_2, RDBASE1);
 +    rd2 = FIELD_EX64(cmdpkt[3], MOVALL_3, RDBASE2);
 -    rd1 = FIELD_EX64(value, MOVALL_2, RDBASE1);
      if (rd1 >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: RDBASE1 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
                        __func__, rd1, s->gicv3->num_cpu);
          return CMD_CONTINUE;
      }
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    rd2 = FIELD_EX64(value, MOVALL_3, RDBASE2);
      if (rd2 >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: RDBASE2 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
      return CMD_CONTINUE;
  }
 -static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
 -                                 uint32_t offset)
 +static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      MemTxResult res = MEMTX_OK;
      uint32_t devid, eventid, intid;
      uint16_t old_icid, new_icid;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
      uint64_t num_eventids;
      IteEntry ite = {};
 -    devid = FIELD_EX64(value, MOVI_0, DEVICEID);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -    eventid = FIELD_EX64(value, MOVI_1, EVENTID);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -    new_icid = FIELD_EX64(value, MOVI_2, ICID);
 +    devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
 +    eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
 +    new_icid = FIELD_EX64(cmdpkt[2], MOVI_2, ICID);
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
      uint32_t wr_offset = 0;
      uint32_t rd_offset = 0;
      uint32_t cq_offset = 0;
 -    uint64_t data;
      AddressSpace *as = &s->gicv3->dma_as;
 -    MemTxResult res = MEMTX_OK;
      uint8_t cmd;
      int i;
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
      while (wr_offset != rd_offset) {
          ItsCmdResult result = CMD_CONTINUE;
 +        void *hostmem;
 +        hwaddr buflen;
 +        uint64_t cmdpkt[GITS_CMDQ_ENTRY_WORDS];
          cq_offset = (rd_offset * GITS_CMDQ_ENTRY_SIZE);
 -        data = address_space_ldq_le(as, s->cq.base_addr + cq_offset,
 -                                    MEMTXATTRS_UNSPECIFIED, &res);
 -        if (res != MEMTX_OK) {
 +
 +        buflen = GITS_CMDQ_ENTRY_SIZE;
 +        hostmem = address_space_map(as, s->cq.base_addr + cq_offset,
 +                                    &buflen, false, MEMTXATTRS_UNSPECIFIED);
 +        if (!hostmem || buflen != GITS_CMDQ_ENTRY_SIZE) {
 +            if (hostmem) {
 +                address_space_unmap(as, hostmem, buflen, false, 0);
 +            }
              s->creadr = FIELD_DP64(s->creadr, GITS_CREADR, STALLED, 1);
              qemu_log_mask(LOG_GUEST_ERROR,
                            "%s: could not read command at 0x%" PRIx64 "\n",
                            __func__, s->cq.base_addr + cq_offset);
              break;
          }
 +        for (i = 0; i < ARRAY_SIZE(cmdpkt); i++) {
 +            cmdpkt[i] = ldq_le_p(hostmem + i * sizeof(uint64_t));
 +        }
 +        address_space_unmap(as, hostmem, buflen, false, 0);
 -        cmd = (data & CMD_MASK);
 +        cmd = cmdpkt[0] & CMD_MASK;
          trace_gicv3_its_process_command(rd_offset, cmd);
          switch (cmd) {
          case GITS_CMD_INT:
 -            result = process_its_cmd(s, data, cq_offset, INTERRUPT);
 +            result = process_its_cmd(s, cmdpkt, INTERRUPT);
              break;
          case GITS_CMD_CLEAR:
 -            result = process_its_cmd(s, data, cq_offset, CLEAR);
 +            result = process_its_cmd(s, cmdpkt, CLEAR);
              break;
          case GITS_CMD_SYNC:
              /*
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
               */
              break;
          case GITS_CMD_MAPD:
 -            result = process_mapd(s, data, cq_offset);
 +            result = process_mapd(s, cmdpkt);
              break;
          case GITS_CMD_MAPC:
 -            result = process_mapc(s, cq_offset);
 +            result = process_mapc(s, cmdpkt);
              break;
          case GITS_CMD_MAPTI:
 -            result = process_mapti(s, data, cq_offset, false);
 +            result = process_mapti(s, cmdpkt, false);
              break;
          case GITS_CMD_MAPI:
 -            result = process_mapti(s, data, cq_offset, true);
 +            result = process_mapti(s, cmdpkt, true);
              break;
          case GITS_CMD_DISCARD:
 -            result = process_its_cmd(s, data, cq_offset, DISCARD);
 +            result = process_its_cmd(s, cmdpkt, DISCARD);
              break;
          case GITS_CMD_INV:
          case GITS_CMD_INVALL:
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
              }
              break;
          case GITS_CMD_MOVI:
 -            result = process_movi(s, data, cq_offset);
 +            result = process_movi(s, cmdpkt);
              break;
          case GITS_CMD_MOVALL:
 -            result = process_movall(s, data, cq_offset);
 +            result = process_movall(s, cmdpkt);
              break;
          default:
              break;
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_translation_write(void *opaque, hwaddr offset,
  {
      GICv3ITSState *s = (GICv3ITSState *)opaque;
      bool result = true;
 -    uint32_t devid = 0;
      trace_gicv3_its_translation_write(offset, data, size, attrs.requester_id);
      switch (offset) {
      case GITS_TRANSLATER:
          if (s->ctlr & R_GITS_CTLR_ENABLED_MASK) {
 -            devid = attrs.requester_id;
 -            result = process_its_cmd(s, data, devid, NONE);
 +            result = do_process_its_cmd(s, attrs.requester_id, data, NONE);
          }
          break;
      default:
 --
 .25.1

-New patch
+[PULL 27/39] hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_t
+In the ITS, a DTE is an entry in the device table, which contains
 multiple fields. Currently the function get_dte() which reads one
 entry from the device table returns it as a raw 64-bit integer,
 which we then pass around in that form, only extracting fields
 from it as we need them.
 Create a real C struct with the same fields as the DTE, and
 populate it in get_dte(), so that that function and update_dte()
 are the only ones that need to care about the in-guest-memory
 format of the DTE.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-3-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 111 ++++++++++++++++++++--------------------
 file changed, 56 insertions(+), 55 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint64_t itel;
  } IteEntry;
 +typedef struct DTEntry {
 +    bool valid;
 +    unsigned size;
 +    uint64_t ittaddr;
 +} DTEntry;
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool get_cte(GICv3ITSState *s, uint16_t icid, uint64_t *cte,
      return FIELD_EX64(*cte, CTE, VALID);
  }
 -static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
 +static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                         IteEntry ite)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t itt_addr;
      MemTxResult res = MEMTX_OK;
 -    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
 -    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
 -
 -    address_space_stq_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
 +    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                           sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
                           &res);
      if (res == MEMTX_OK) {
 -        address_space_stl_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
 +        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                               sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
                               MEMTXATTRS_UNSPECIFIED, &res);
      }
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
      }
  }
 -static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
 +static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                      uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t itt_addr;
      bool status = false;
      IteEntry ite = {};
 -    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
 -    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
 -
 -    ite.itel = address_space_ldq_le(as, itt_addr +
 +    ite.itel = address_space_ldq_le(as, dte->ittaddr +
                                      (eventid * (sizeof(uint64_t) +
                                      sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
                                      res);
      if (*res == MEMTX_OK) {
 -        ite.iteh = address_space_ldl_le(as, itt_addr +
 +        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
                                          (eventid * (sizeof(uint64_t) +
                                          sizeof(uint32_t))) + sizeof(uint32_t),
                                          MEMTXATTRS_UNSPECIFIED, res);
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
      return status;
  }
 -static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
 +/*
 + * Read the Device Table entry at index @devid. On success (including
 + * successfully determining that there is no valid DTE for this index),
 + * we return MEMTX_OK and populate the DTEntry struct accordingly.
 + * If there is an error reading memory then we return the error code.
 + */
 +static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
  {
 +    MemTxResult res = MEMTX_OK;
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, res);
 +    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, &res);
 +    uint64_t dteval;
      if (entry_addr == -1) {
 -        return 0; /* a DTE entry with the Valid bit clear */
 +        /* No L2 table entry, i.e. no valid DTE, or a memory error */
 +        dte->valid = false;
 +        return res;
      }
 -    return address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, res);
 +    dteval = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
 +    }
 +    dte->valid = FIELD_EX64(dteval, DTE, VALID);
 +    dte->size = FIELD_EX64(dteval, DTE, SIZE);
 +    /* DTE word field stores bits [51:8] of the ITT address */
 +    dte->ittaddr = FIELD_EX64(dteval, DTE, ITTADDR) << ITTADDR_SHIFT;
 +    return MEMTX_OK;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                         uint32_t eventid, ItsCmdType cmd)
  {
      MemTxResult res = MEMTX_OK;
 -    bool dte_valid;
 -    uint64_t dte = 0;
      uint64_t num_eventids;
      uint16_t icid = 0;
      uint32_t pIntid = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      uint64_t cte = 0;
      bool cte_valid = false;
      uint64_t rdbase;
 +    DTEntry dte;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -
 -    if (!dte_valid) {
 +    if (!dte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid dte: %"PRIx64" for %d\n",
 -                      __func__, dte, devid);
 +                      "invalid dte for %d\n", __func__, devid);
          return CMD_CONTINUE;
      }
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 -
 +    num_eventids = 1ULL << (dte.size + 1);
      if (eventid >= num_eventids) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, dte, &icid, &pIntid, &res);
 +    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
      if (res != MEMTX_OK) {
          return CMD_STALL;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      if (cmd == DISCARD) {
          IteEntry ite = {};
          /* remove mapping from interrupt translation table */
 -        return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      uint32_t pIntid = 0;
      uint64_t num_eventids;
      uint32_t num_intids;
 -    bool dte_valid;
 -    MemTxResult res = MEMTX_OK;
      uint16_t icid = 0;
 -    uint64_t dte = 0;
      IteEntry ite = {};
 +    DTEntry dte;
      devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
      eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 +    num_eventids = 1ULL << (dte.size + 1);
      num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
      if ((icid >= s->ct.num_entries)
 -            || !dte_valid || (eventid >= num_eventids) ||
 +            || !dte.valid || (eventid >= num_eventids) ||
              (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
               (pIntid != INTID_SPURIOUS))) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes "
                        "icid %d or eventid %d or pIntid %d or"
                        "unmapped dte %d\n", __func__, icid, eventid,
 -                      pIntid, dte_valid);
 +                      pIntid, dte.valid);
          /*
           * in this implementation, in case of error
           * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      }
      /* add ite entry to interrupt translation table */
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, dte_valid);
 +    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
 -    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
  }
  static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      uint16_t old_icid, new_icid;
      uint64_t old_cte, new_cte;
      uint64_t old_rdbase, new_rdbase;
 -    uint64_t dte;
 -    bool dte_valid, ite_valid, cte_valid;
 +    bool ite_valid, cte_valid;
      uint64_t num_eventids;
      IteEntry ite = {};
 +    DTEntry dte;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
                        __func__, devid, s->dt.num_entries);
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -    if (!dte_valid) {
 +    if (!dte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid dte: %"PRIx64" for %d\n",
 -                      __func__, dte, devid);
 +                      "invalid dte for %d\n", __func__, devid);
          return CMD_CONTINUE;
      }
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 +    num_eventids = 1ULL << (dte.size + 1);
      if (eventid >= num_eventids) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, dte, &old_icid, &intid, &res);
 +    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
      if (res != MEMTX_OK) {
          return CMD_STALL;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
 -    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
  }
  /*
 --
 .25.1

-[PULL 13/17] hw/gpio/pl061: Convert to 3-phase reset and assert GPIO lines correctly on reset
+[PULL 28/39] hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()
-The PL061 comes out of reset with all its lines configured as input,
+Make update_dte() take a DTEntry struct rather than all the fields of
-which means they might need to be pulled to 0 or 1 depending on the
+the new DTE as separate arguments.
 'pullups' and 'pulldowns' properties.  Currently we do not assert
 these lines on reset; they will only be set whenever the guest first
 touches a register that triggers a call to pl061_update().
 Convert the device to three-phase reset so we have a place where we
 can safely call qemu_set_irq() to set the floating lines to their
 correct values.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-4-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c      | 29 +++++++++++++++++++++++++----
+ hw/intc/arm_gicv3_its.c | 35 ++++++++++++++++++-----------------
- hw/gpio/trace-events |  1 +
+file changed, 18 insertions(+), 17 deletions(-)
 files changed, 26 insertions(+), 4 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
-     return;
+     return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
  }
--static void pl061_reset(DeviceState *dev)
+-static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
-+static void pl061_enter_reset(Object *obj, ResetType type)
+-                       uint8_t size, uint64_t itt_addr)
 +/*
 + * Update the Device Table entry for @devid to @dte. Returns true
 + * on success, false if there was a memory access error.
 + */
 +static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
  {
--    PL061State *s = PL061(dev);
+     AddressSpace *as = &s->gicv3->dma_as;
-+    PL061State *s = PL061(obj);
+     uint64_t entry_addr;
-+
+-    uint64_t dte = 0;
-+    trace_pl061_reset(DEVICE(s)->canonical_path);
++    uint64_t dteval = 0;
+     MemTxResult res = MEMTX_OK;
-     /* reset values from PL061 TRM, Stellaris LM3S5P31 & LM3S8962 Data Sheet */
-     s->data = 0;
+     if (s->dt.valid) {
--    s->old_out_data = 0;
+-        if (valid) {
-     s->old_in_data = 0;
++        if (dte->valid) {
-     s->dir = 0;
+             /* add mapping entry to device table */
-     s->isense = 0;
+-            dte = FIELD_DP64(dte, DTE, VALID, 1);
-@@ -XXX,XX +XXX,XX @@ static void pl061_reset(DeviceState *dev)
+-            dte = FIELD_DP64(dte, DTE, SIZE, size);
-     s->amsel = 0;
+-            dte = FIELD_DP64(dte, DTE, ITTADDR, itt_addr);
 +            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
 +            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
 +            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
          }
      } else {
          return true;
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
          /* No L2 table for this index: discard write and continue */
          return true;
      }
 -    address_space_stq_le(as, entry_addr, dte, MEMTXATTRS_UNSPECIFIED, &res);
 +    address_space_stq_le(as, entry_addr, dteval, MEMTXATTRS_UNSPECIFIED, &res);
      return res == MEMTX_OK;
  }
-+static void pl061_hold_reset(Object *obj)
+ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
 +{
 +    PL061State *s = PL061(obj);
 +    int i, level;
 +    uint8_t floating = pl061_floating(s);
 +    uint8_t pullups = pl061_pullups(s);
 +
 +    for (i = 0; i < N_GPIOS; i++) {
 +        if (extract32(floating, i, 1)) {
 +            continue;
 +        }
 +        level = extract32(pullups, i, 1);
 +        trace_pl061_set_output(DEVICE(s)->canonical_path, i, level);
 +        qemu_set_irq(s->out[i], level);
 +    }
 +    s->old_out_data = pullups;
 +}
 +
  static void pl061_set_irq(void * opaque, int irq, int level)
  {
-     PL061State *s = (PL061State *)opaque;
+     uint32_t devid;
-@@ -XXX,XX +XXX,XX @@ static Property pl061_props[] = {
+-    uint8_t size;
- static void pl061_class_init(ObjectClass *klass, void *data)
+-    uint64_t itt_addr;
- {
+-    bool valid;
-     DeviceClass *dc = DEVICE_CLASS(klass);
++    DTEntry dte;
-+    ResettableClass *rc = RESETTABLE_CLASS(klass);
+     devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
-     dc->vmsd = &vmstate_pl061;
+-    size = cmdpkt[1] & SIZE_MASK;
--    dc->reset = &pl061_reset;
+-    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
-     dc->realize = pl061_realize;
+-    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
-     device_class_set_props(dc, pl061_props);
++    dte.size = cmdpkt[1] & SIZE_MASK;
-+    rc->phases.enter = pl061_enter_reset;
++    dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
-+    rc->phases.hold = pl061_hold_reset;
++    dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((devid >= s->dt.num_entries) ||
 -        (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
 +        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "ITS MAPD: invalid device table attributes "
 -                      "devid %d or size %d\n", devid, size);
 +                      "devid %d or size %d\n", devid, dte.size);
          /*
           * in this implementation, in case of error
           * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
 +    return update_dte(s, devid, &dte) ? CMD_CONTINUE : CMD_STALL;
  }
- static const TypeInfo pl061_info = {
+ static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
 diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/gpio/trace-events
 +++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to
  pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
  pl061_read(const char *id, uint64_t offset, uint64_t r) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
  pl061_write(const char *id, uint64_t offset, uint64_t value) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
 +pl061_reset(const char *id) "%s reset"
  # sifive_gpio.c
  sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
 --
-.20.1
+.25.1

-New patch
+[PULL 29/39] hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_t
+In the ITS, a CTE is an entry in the collection table, which contains
 multiple fields. Currently the function get_cte() which reads one
 entry from the device table returns a success/failure boolean and
 passes back the raw 64-bit integer CTE value via a pointer argument.
 We then extract fields from the CTE as we need them.
 Create a real C struct with the same fields as the CTE, and
 populate it in get_cte(), so that that function and update_cte()
 are the only ones which need to care about the in-guest-memory
 format of the CTE.
 This brings get_cte()'s API into line with get_dte().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-5-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 96 ++++++++++++++++++++++-------------------
 file changed, 52 insertions(+), 44 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct DTEntry {
      uint64_t ittaddr;
  } DTEntry;
 +typedef struct CTEntry {
 +    bool valid;
 +    uint32_t rdbase;
 +} CTEntry;
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static uint64_t table_entry_addr(GICv3ITSState *s, TableDesc *td,
      return (l2 & ((1ULL << 51) - 1)) + (idx % num_l2_entries) * td->entry_sz;
  }
 -static bool get_cte(GICv3ITSState *s, uint16_t icid, uint64_t *cte,
 -                    MemTxResult *res)
 +/*
 + * Read the Collection Table entry at index @icid. On success (including
 + * successfully determining that there is no valid CTE for this index),
 + * we return MEMTX_OK and populate the CTEntry struct @cte accordingly.
 + * If there is an error reading memory then we return the error code.
 + */
 +static MemTxResult get_cte(GICv3ITSState *s, uint16_t icid, CTEntry *cte)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t entry_addr = table_entry_addr(s, &s->ct, icid, res);
 +    MemTxResult res = MEMTX_OK;
 +    uint64_t entry_addr = table_entry_addr(s, &s->ct, icid, &res);
 +    uint64_t cteval;
      if (entry_addr == -1) {
 -        return false; /* not valid */
 +        /* No L2 table entry, i.e. no valid CTE, or a memory error */
 +        cte->valid = false;
 +        return res;
      }
 -    *cte = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, res);
 -    return FIELD_EX64(*cte, CTE, VALID);
 +    cteval = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
 +    }
 +    cte->valid = FIELD_EX64(cteval, CTE, VALID);
 +    cte->rdbase = FIELD_EX64(cteval, CTE, RDBASE);
 +    return MEMTX_OK;
  }
  static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      uint16_t icid = 0;
      uint32_t pIntid = 0;
      bool ite_valid = false;
 -    uint64_t cte = 0;
 -    bool cte_valid = false;
 -    uint64_t rdbase;
      DTEntry dte;
 +    CTEntry cte;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, icid, &cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, icid, &cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, cte);
 +                      "%s: invalid command attributes: invalid CTE\n",
 +                      __func__);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
       * Current implementation only supports rdbase == procnum
       * Hence rdbase physical address is ignored
       */
 -    rdbase = FIELD_EX64(cte, CTE, RDBASE);
 -
 -    if (rdbase >= s->gicv3->num_cpu) {
 +    if (cte.rdbase >= s->gicv3->num_cpu) {
          return CMD_CONTINUE;
      }
      if ((cmd == CLEAR) || (cmd == DISCARD)) {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[rdbase], pIntid, 0);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 0);
      } else {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[rdbase], pIntid, 1);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 1);
      }
      if (cmd == DISCARD) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      MemTxResult res = MEMTX_OK;
      uint32_t devid, eventid, intid;
      uint16_t old_icid, new_icid;
 -    uint64_t old_cte, new_cte;
 -    uint64_t old_rdbase, new_rdbase;
 -    bool ite_valid, cte_valid;
 +    bool ite_valid;
      uint64_t num_eventids;
      IteEntry ite = {};
      DTEntry dte;
 +    CTEntry old_cte, new_cte;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, old_icid, &old_cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, old_icid, &old_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!old_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, old_cte);
 +                      "invalid CTE for old ICID 0x%x\n",
 +                      __func__, old_icid);
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, new_icid, &new_cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, new_icid, &new_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!new_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, new_cte);
 +                      "invalid CTE for new ICID 0x%x\n",
 +                      __func__, new_icid);
          return CMD_CONTINUE;
      }
 -    old_rdbase = FIELD_EX64(old_cte, CTE, RDBASE);
 -    if (old_rdbase >= s->gicv3->num_cpu) {
 +    if (old_cte.rdbase >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: CTE has invalid rdbase 0x%"PRIx64"\n",
 -                      __func__, old_rdbase);
 +                      "%s: CTE has invalid rdbase 0x%x\n",
 +                      __func__, old_cte.rdbase);
          return CMD_CONTINUE;
      }
 -    new_rdbase = FIELD_EX64(new_cte, CTE, RDBASE);
 -    if (new_rdbase >= s->gicv3->num_cpu) {
 +    if (new_cte.rdbase >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: CTE has invalid rdbase 0x%"PRIx64"\n",
 -                      __func__, new_rdbase);
 +                      "%s: CTE has invalid rdbase 0x%x\n",
 +                      __func__, new_cte.rdbase);
          return CMD_CONTINUE;
      }
 -    if (old_rdbase != new_rdbase) {
 +    if (old_cte.rdbase != new_cte.rdbase) {
          /* Move the LPI from the old redistributor to the new one */
 -        gicv3_redist_mov_lpi(&s->gicv3->cpu[old_rdbase],
 -                             &s->gicv3->cpu[new_rdbase],
 +        gicv3_redist_mov_lpi(&s->gicv3->cpu[old_cte.rdbase],
 +                             &s->gicv3->cpu[new_cte.rdbase],
                               intid);
      }
 --
 .25.1

-[PULL 07/17] hw/gpio/pl061: Clean up read/write offset handling logic
+[PULL 30/39] hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()
-Currently the pl061_read() and pl061_write() functions handle offsets
+Make update_cte() take a CTEntry struct rather than all the fields
-using a combination of three if() statements and a switch().  Clean
+of the new CTE as separate arguments.
 this up to use just a switch, using case ranges.
-This requires that instead of catching accesses to the luminary-only
+This brings it into line with the update_dte() API.
 registers on a stock PL061 via a check on s->rsvd_start we use
 an "is this luminary?" check in the cases for each luminary-only
 register.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-6-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c | 104 ++++++++++++++++++++++++++++++++++++------------
+ hw/intc/arm_gicv3_its.c | 32 +++++++++++++++++---------------
-file changed, 79 insertions(+), 25 deletions(-)
+file changed, 17 insertions(+), 15 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ struct PL061State {
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
-     qemu_irq irq;
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
-     qemu_irq out[N_GPIOS];
+ }
-     const unsigned char *id;
--    uint32_t rsvd_start; /* reserved area: [rsvd_start, 0xfcc] */
+-static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
- };
+-                       uint64_t rdbase)
++/*
- static const VMStateDescription vmstate_pl061 = {
++ * Update the Collection Table entry for @icid to @cte. Returns true
-@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
++ * on success, false if there was a memory access error.
 + */
 +static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
  {
-     PL061State *s = (PL061State *)opaque;
+     AddressSpace *as = &s->gicv3->dma_as;
+     uint64_t entry_addr;
--    if (offset < 0x400) {
+-    uint64_t cte = 0;
--        return s->data & (offset >> 2);
++    uint64_t cteval = 0;
--    }
+     MemTxResult res = MEMTX_OK;
--    if (offset >= s->rsvd_start && offset <= 0xfcc) {
--        goto err_out;
+     if (!s->ct.valid) {
--    }
+         return true;
 -    if (offset >= 0xfd0 && offset < 0x1000) {
 -        return s->id[(offset - 0xfd0) >> 2];
 -    }
      switch (offset) {
 +    case 0x0 ... 0x3ff: /* Data */
 +        return s->data & (offset >> 2);
      case 0x400: /* Direction */
          return s->dir;
      case 0x404: /* Interrupt sense */
@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
      case 0x420: /* Alternate function select */
          return s->afsel;
      case 0x500: /* 2mA drive */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->dr2r;
      case 0x504: /* 4mA drive */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->dr4r;
      case 0x508: /* 8mA drive */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->dr8r;
      case 0x50c: /* Open drain */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->odr;
      case 0x510: /* Pull-up */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->pur;
      case 0x514: /* Pull-down */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->pdr;
      case 0x518: /* Slew rate control */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->slr;
      case 0x51c: /* Digital enable */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->den;
      case 0x520: /* Lock */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->locked;
      case 0x524: /* Commit */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->cr;
      case 0x528: /* Analog mode select */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          return s->amsel;
 +    case 0xfd0 ... 0xfff: /* ID registers */
 +        return s->id[(offset - 0xfd0) >> 2];
      default:
 +    bad_offset:
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "pl061_read: Bad offset %x\n", (int)offset);
          break;
      }
--err_out:
--    qemu_log_mask(LOG_GUEST_ERROR,
+-    if (valid) {
--                  "pl061_read: Bad offset %x\n", (int)offset);
++    if (cte->valid) {
-     return 0;
+         /* add mapping entry to collection table */
 -        cte = FIELD_DP64(cte, CTE, VALID, 1);
 -        cte = FIELD_DP64(cte, CTE, RDBASE, rdbase);
 +        cteval = FIELD_DP64(cteval, CTE, VALID, 1);
 +        cteval = FIELD_DP64(cteval, CTE, RDBASE, cte->rdbase);
      }
      entry_addr = table_entry_addr(s, &s->ct, icid, &res);
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
          return true;
      }
 -    address_space_stq_le(as, entry_addr, cte, MEMTXATTRS_UNSPECIFIED, &res);
 +    address_space_stq_le(as, entry_addr, cteval, MEMTXATTRS_UNSPECIFIED, &res);
      return res == MEMTX_OK;
  }
-@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
+ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
-     PL061State *s = (PL061State *)opaque;
+ {
-     uint8_t mask;
+     uint16_t icid;
+-    uint64_t rdbase;
--    if (offset < 0x400) {
+-    bool valid;
-+    switch (offset) {
++    CTEntry cte;
-+    case 0 ... 0x3ff:
-         mask = (offset >> 2) & s->dir;
+     icid = cmdpkt[2] & ICID_MASK;
-         s->data = (s->data & ~mask) | (value & mask);
-         pl061_update(s);
+-    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
-         return;
+-    rdbase &= RDBASE_PROCNUM_MASK;
--    }
++    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
--    if (offset >= s->rsvd_start) {
++    cte.rdbase &= RDBASE_PROCNUM_MASK;
--        goto err_out;
--    }
+-    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
--    switch (offset) {
++    cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
-     case 0x400: /* Direction */
-         s->dir = value & 0xff;
+-    if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
-         break;
++    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
-@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
+         qemu_log_mask(LOG_GUEST_ERROR,
-         s->afsel = (s->afsel & ~mask) | (value & mask);
+                       "ITS MAPC: invalid collection table attributes "
-         break;
+-                      "icid %d rdbase %" PRIu64 "\n",  icid, rdbase);
-     case 0x500: /* 2mA drive */
++                      "icid %d rdbase %u\n",  icid, cte.rdbase);
-+        if (s->id != pl061_id_luminary) {
+         /*
-+            goto bad_offset;
+          * in this implementation, in case of error
-+        }
+          * we ignore this command and move onto the next
-         s->dr2r = value & 0xff;
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
-         break;
+         return CMD_CONTINUE;
      case 0x504: /* 4mA drive */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->dr4r = value & 0xff;
          break;
      case 0x508: /* 8mA drive */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->dr8r = value & 0xff;
          break;
      case 0x50c: /* Open drain */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->odr = value & 0xff;
          break;
      case 0x510: /* Pull-up */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->pur = value & 0xff;
          break;
      case 0x514: /* Pull-down */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->pdr = value & 0xff;
          break;
      case 0x518: /* Slew rate control */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->slr = value & 0xff;
          break;
      case 0x51c: /* Digital enable */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->den = value & 0xff;
          break;
      case 0x520: /* Lock */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->locked = (value != 0xacce551);
          break;
      case 0x524: /* Commit */
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          if (!s->locked)
              s->cr = value & 0xff;
          break;
      case 0x528:
 +        if (s->id != pl061_id_luminary) {
 +            goto bad_offset;
 +        }
          s->amsel = value & 0xff;
          break;
      default:
 -        goto err_out;
 +    bad_offset:
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "pl061_write: Bad offset %x\n", (int)offset);
 +        return;
      }
-     pl061_update(s);
-     return;
+-    return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
--err_out:
++    return update_cte(s, icid, &cte) ? CMD_CONTINUE : CMD_STALL;
 -    qemu_log_mask(LOG_GUEST_ERROR,
 -                  "pl061_write: Bad offset %x\n", (int)offset);
  }
- static void pl061_reset(DeviceState *dev)
+ /*
@@ -XXX,XX +XXX,XX @@ static void pl061_luminary_init(Object *obj)
      PL061State *s = PL061(obj);
      s->id = pl061_id_luminary;
 -    s->rsvd_start = 0x52c;
  }
  static void pl061_init(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void pl061_init(Object *obj)
      SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
      s->id = pl061_id;
 -    s->rsvd_start = 0x424;
      memory_region_init_io(&s->iomem, obj, &pl061_ops, s, "pl061", 0x1000);
      sysbus_init_mmio(sbd, &s->iomem);
 --
-.20.1
+.25.1

-New patch
+[PULL 31/39] hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()
+In get_ite() and update_ite() we work with a 12-byte in-guest-memory
+table entry, which we intend to handle as an 8-byte value followed by
+a 4-byte value.  Unfortunately the calculation of the address of the
+-byte value is wrong, because we write it as:
+ table_base_address + (index * entrysize) + 4
+(obfuscated by the way the expression has been written)
+when it should be + 8.  This bug meant that we overwrote the top
+bytes of the 8-byte value with the 4-byte value.  There are no
+guest-visible effects because the top half of the 8-byte value
+contains only the doorbell interrupt field, which is used only in
+GICv4, and the two bugs in the "write ITE" and "read ITE" codepaths
+cancel each other out.
+We can't simply change the calculation, because this would break
+migration of a (TCG) guest from the old version of QEMU which had
+in-guest-memory interrupt tables written using the buggy version of
+update_ite().  We must also at the same time change the layout of the
+fields within the ITE_L and ITE_H values so that the in-memory
+locations of the fields we care about (VALID, INTTYPE, INTID and
+ICID) stay the same.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-7-peter.maydell@linaro.org
+---
+ hw/intc/gicv3_internal.h | 19 ++++++++++---------
+ hw/intc/arm_gicv3_its.c  | 28 +++++++++++-----------------
+files changed, 21 insertions(+), 26 deletions(-)
+diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/gicv3_internal.h
++++ b/hw/intc/gicv3_internal.h
+@@ -XXX,XX +XXX,XX @@ FIELD(MOVI_2, ICID, 0, 16)
+  * 12 bytes Interrupt translation Table Entry size
+  * as per Table 5.3 in GICv3 spec
+  * ITE Lower 8 Bytes
+- *   Bits:    | 49 ... 26 | 25 ... 2 |   1     |   0    |
+- *   Values:  |  Doorbell |  IntNum  | IntType |  Valid |
++ *   Bits:    | 63 ... 48 | 47 ... 32 | 31 ... 26 | 25 ... 2 |   1     |  0    |
++ *   Values:  | vPEID     | ICID      | unused    |  IntNum  | IntType | Valid |
+  * ITE Higher 4 Bytes
+- *   Bits:    | 31 ... 16 | 15 ...0 |
+- *   Values:  |  vPEID    |  ICID   |
+- * (When Doorbell is unused, as it always is in GICv3, it is 1023)
++ *   Bits:    | 31 ... 25 | 24 ... 0 |
++ *   Values:  | unused    | Doorbell |
++ * (When Doorbell is unused, as it always is for INTYPE_PHYSICAL,
++ * the value of that field in memory cannot be relied upon -- older
++ * versions of QEMU did not correctly write to that memory.)
+  */
+ #define ITS_ITT_ENTRY_SIZE            0xC
+ FIELD(ITE_L, VALID, 0, 1)
+ FIELD(ITE_L, INTTYPE, 1, 1)
+ FIELD(ITE_L, INTID, 2, 24)
+-FIELD(ITE_L, DOORBELL, 26, 24)
+-
+-FIELD(ITE_H, ICID, 0, 16)
+-FIELD(ITE_H, VPEID, 16, 16)
++FIELD(ITE_L, ICID, 32, 16)
++FIELD(ITE_L, VPEID, 48, 16)
++FIELD(ITE_H, DOORBELL, 0, 24)
+ /* Possible values for ITE_L INTTYPE */
+ #define ITE_INTTYPE_VIRTUAL 0
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+ {
+     AddressSpace *as = &s->gicv3->dma_as;
+     MemTxResult res = MEMTX_OK;
++    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+-    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
+-                         sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
+-                         &res);
++    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
+     if (res == MEMTX_OK) {
+-        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
+-                             sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
++        address_space_stl_le(as, iteaddr + 8, ite.iteh,
+                              MEMTXATTRS_UNSPECIFIED, &res);
+     }
+     if (res != MEMTX_OK) {
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+     AddressSpace *as = &s->gicv3->dma_as;
+     bool status = false;
+     IteEntry ite = {};
++    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+-    ite.itel = address_space_ldq_le(as, dte->ittaddr +
+-                                    (eventid * (sizeof(uint64_t) +
+-                                    sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
+-                                    res);
++    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
+     if (*res == MEMTX_OK) {
+-        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
+-                                        (eventid * (sizeof(uint64_t) +
+-                                        sizeof(uint32_t))) + sizeof(uint32_t),
++        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
+                                         MEMTXATTRS_UNSPECIFIED, res);
+         if (*res == MEMTX_OK) {
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+                 int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
+                 if (inttype == ITE_INTTYPE_PHYSICAL) {
+                     *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
+-                    *icid = FIELD_EX32(ite.iteh, ITE_H, ICID);
++                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
+                     status = true;
+                 }
+             }
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
++    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
++    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+ }
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
++    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
++    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+ }
+--
+.25.1

-[PULL 06/17] hw/gpio/pl061: Convert DPRINTF to tracepoints
+[PULL 32/39] hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()
-Convert the use of the DPRINTF debug macro in the PL061 model to
+The get_ite() code has some awkward nested if statements; clean
-use tracepoints.
+them up by returning early if the memory accesses fail.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-8-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c      | 27 +++++++++------------------
+ hw/intc/arm_gicv3_its.c | 26 ++++++++++++++------------
- hw/gpio/trace-events |  6 ++++++
+file changed, 14 insertions(+), 12 deletions(-)
 files changed, 15 insertions(+), 18 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
- #include "qemu/log.h"
+     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
- #include "qemu/module.h"
- #include "qom/object.h"
+     ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
--
++    if (*res != MEMTX_OK) {
--//#define DEBUG_PL061 1
++        return false;
--
++    }
--#ifdef DEBUG_PL061
--#define DPRINTF(fmt, ...) \
+-    if (*res == MEMTX_OK) {
--do { printf("pl061: " fmt , ## __VA_ARGS__); } while (0)
+-        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
--#define BADF(fmt, ...) \
+-                                        MEMTXATTRS_UNSPECIFIED, res);
--do { fprintf(stderr, "pl061: error: " fmt , ## __VA_ARGS__); exit(1);} while (0)
++    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
--#else
++                                    MEMTXATTRS_UNSPECIFIED, res);
--#define DPRINTF(fmt, ...) do {} while(0)
++    if (*res != MEMTX_OK) {
--#define BADF(fmt, ...) \
++        return false;
--do { fprintf(stderr, "pl061: error: " fmt , ## __VA_ARGS__);} while (0)
++    }
--#endif
-+#include "trace.h"
+-        if (*res == MEMTX_OK) {
+-            if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
- static const uint8_t pl061_id[12] =
+-                int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
-   { 0x00, 0x00, 0x00, 0x00, 0x61, 0x10, 0x04, 0x00, 0x0d, 0xf0, 0x05, 0xb1 };
+-                if (inttype == ITE_INTTYPE_PHYSICAL) {
-@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
+-                    *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
-     uint8_t out;
+-                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
-     int i;
+-                    status = true;
+-                }
--    DPRINTF("dir = %d, data = %d\n", s->dir, s->data);
+-            }
-+    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data);
++    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
++        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
-     /* Outputs float high.  */
++        if (inttype == ITE_INTTYPE_PHYSICAL) {
-     /* FIXME: This is board dependent.  */
++            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
-@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
++            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
-         for (i = 0; i < N_GPIOS; i++) {
++            status = true;
              mask = 1 << i;
              if (changed & mask) {
 -                DPRINTF("Set output %d = %d\n", i, (out & mask) != 0);
 -                qemu_set_irq(s->out[i], (out & mask) != 0);
 +                int level = (out & mask) != 0;
 +                trace_pl061_set_output(DEVICE(s)->canonical_path, i, level);
 +                qemu_set_irq(s->out[i], level);
              }
          }
      }
-@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
+     return status;
          for (i = 0; i < N_GPIOS; i++) {
              mask = 1 << i;
              if (changed & mask) {
 -                DPRINTF("Changed input %d = %d\n", i, (s->data & mask) != 0);
 +                trace_pl061_input_change(DEVICE(s)->canonical_path, i,
 +                                         (s->data & mask) != 0);
                  if (!(s->isense & mask)) {
                      /* Edge interrupt */
@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
      /* Level interrupt */
      s->istate |= ~(s->data ^ s->iev) & s->isense;
 -    DPRINTF("istate = %02X\n", s->istate);
 +    trace_pl061_update_istate(DEVICE(s)->canonical_path,
 +                              s->istate, s->im, (s->istate & s->im) != 0);
      qemu_set_irq(s->irq, (s->istate & s->im) != 0);
  }
 diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/gpio/trace-events
 +++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ nrf51_gpio_write(uint64_t offset, uint64_t value) "offset 0x%" PRIx64 " value 0x
  nrf51_gpio_set(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
  nrf51_gpio_update_output_irq(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
 +# pl061.c
 +pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIODATA 0x%x"
 +pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
 +pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
 +pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
 +
  # sifive_gpio.c
  sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
  sifive_gpio_write(uint64_t offset, uint64_t value) "offset 0x%" PRIx64 " value 0x%" PRIx64
 --
-.20.1
+.25.1

-New patch
+[PULL 33/39] hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a struct
+In get_ite() we currently return the caller some of the fields of an
 Interrupt Table Entry via a set of pointer arguments, and validate
 some of them internally (interrupt type and valid bit) to return a
 simple true/false 'valid' indication. Define a new ITEntry struct
 which has all the fields that the in-memory ITE has, and bring the
 get_ite() function in to line with get_dte() and get_cte().
 This paves the way for handling virtual interrupts, which will want
 a different subset of the fields in the ITE. Handling them under
 the old "lots of pointer arguments" scheme would have meant a
 confusingly large set of arguments for this function.
 The new struct ITEntry is obviously confusably similar to the
 existing IteEntry struct, whose fields are the raw 12 bytes
 of the in-memory ITE. In the next commit we will make update_ite()
 use ITEntry instead of IteEntry, which will allow us to delete
 the IteEntry struct and remove the confusion.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-9-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 102 ++++++++++++++++++++++------------------
 file changed, 55 insertions(+), 47 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct CTEntry {
      uint32_t rdbase;
  } CTEntry;
 +typedef struct ITEntry {
 +    bool valid;
 +    int inttype;
 +    uint32_t intid;
 +    uint32_t doorbell;
 +    uint32_t icid;
 +    uint32_t vpeid;
 +} ITEntry;
 +
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
      }
  }
 -static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
 -                    uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
 +/*
 + * Read the Interrupt Table entry at index @eventid from the table specified
 + * by the DTE @dte. On success, we return MEMTX_OK and populate the ITEntry
 + * struct @ite accordingly. If there is an error reading memory then we return
 + * the error code.
 + */
 +static MemTxResult get_ite(GICv3ITSState *s, uint32_t eventid,
 +                           const DTEntry *dte, ITEntry *ite)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    bool status = false;
 -    IteEntry ite = {};
 +    MemTxResult res = MEMTX_OK;
 +    uint64_t itel;
 +    uint32_t iteh;
      hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 -    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
 -    if (*res != MEMTX_OK) {
 -        return false;
 +    itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
      }
 -    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
 -                                    MEMTXATTRS_UNSPECIFIED, res);
 -    if (*res != MEMTX_OK) {
 -        return false;
 +    iteh = address_space_ldl_le(as, iteaddr + 8, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
      }
 -    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
 -        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
 -        if (inttype == ITE_INTTYPE_PHYSICAL) {
 -            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
 -            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
 -            status = true;
 -        }
 -    }
 -    return status;
 +    ite->valid = FIELD_EX64(itel, ITE_L, VALID);
 +    ite->inttype = FIELD_EX64(itel, ITE_L, INTTYPE);
 +    ite->intid = FIELD_EX64(itel, ITE_L, INTID);
 +    ite->icid = FIELD_EX64(itel, ITE_L, ICID);
 +    ite->vpeid = FIELD_EX64(itel, ITE_L, VPEID);
 +    ite->doorbell = FIELD_EX64(iteh, ITE_H, DOORBELL);
 +    return MEMTX_OK;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
  static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                         uint32_t eventid, ItsCmdType cmd)
  {
 -    MemTxResult res = MEMTX_OK;
      uint64_t num_eventids;
 -    uint16_t icid = 0;
 -    uint32_t pIntid = 0;
 -    bool ite_valid = false;
      DTEntry dte;
      CTEntry cte;
 +    ITEntry ite;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_ite(s, eventid, &dte, &ite) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!ite_valid) {
 +    if (!ite.valid || ite.inttype != ITE_INTTYPE_PHYSICAL) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: invalid ITE\n",
                        __func__);
          return CMD_CONTINUE;
      }
 -    if (icid >= s->ct.num_entries) {
 +    if (ite.icid >= s->ct.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
 -                      __func__, icid);
 +                      __func__, ite.icid);
          return CMD_CONTINUE;
      }
 -    if (get_cte(s, icid, &cte) != MEMTX_OK) {
 +    if (get_cte(s, ite.icid, &cte) != MEMTX_OK) {
          return CMD_STALL;
      }
      if (!cte.valid) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      }
      if ((cmd == CLEAR) || (cmd == DISCARD)) {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 0);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 0);
      } else {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 1);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 1);
      }
      if (cmd == DISCARD) {
 -        IteEntry ite = {};
 +        IteEntry itee = {};
          /* remove mapping from interrupt translation table */
 -        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
  static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    MemTxResult res = MEMTX_OK;
 -    uint32_t devid, eventid, intid;
 -    uint16_t old_icid, new_icid;
 -    bool ite_valid;
 +    uint32_t devid, eventid;
 +    uint16_t new_icid;
      uint64_t num_eventids;
      IteEntry ite = {};
      DTEntry dte;
      CTEntry old_cte, new_cte;
 +    ITEntry old_ite;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_ite(s, eventid, &dte, &old_ite) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!ite_valid) {
 +    if (!old_ite.valid || old_ite.inttype != ITE_INTTYPE_PHYSICAL) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: invalid ITE\n",
                        __func__);
          return CMD_CONTINUE;
      }
 -    if (old_icid >= s->ct.num_entries) {
 +    if (old_ite.icid >= s->ct.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
 -                      __func__, old_icid);
 +                      __func__, old_ite.icid);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    if (get_cte(s, old_icid, &old_cte) != MEMTX_OK) {
 +    if (get_cte(s, old_ite.icid, &old_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
      if (!old_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
                        "invalid CTE for old ICID 0x%x\n",
 -                      __func__, old_icid);
 +                      __func__, old_ite.icid);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          /* Move the LPI from the old redistributor to the new one */
          gicv3_redist_mov_lpi(&s->gicv3->cpu[old_cte.rdbase],
                               &s->gicv3->cpu[new_cte.rdbase],
 -                             intid);
 +                             old_ite.intid);
      }
      /* Update the ICID field in the interrupt translation table entry */
      ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
 +    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
      return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 --
 .25.1

-[PULL 11/17] hw/gpio/pl061: Make pullup/pulldown of outputs configurable
+[PULL 34/39] hw/intc/arm_gicv3_its: Make update_ite() use ITEntry
-The PL061 GPIO does not itself include pullup or pulldown resistors
+Make the update_ite() struct use the new ITEntry struct, so that
-to set the value of a GPIO line treated as an output when it is
+callers don't need to assemble the in-memory ITE data themselves, and
-configured as an input (ie when the PL061 itself is not driving it).
+only get_ite() and update_ite() need to care about that in-memory
-In real hardware it is up to the board to add suitable pullups or
+layout.  We can then drop the no-longer-used IteEntry struct
-pulldowns.  Currently our implementation hardwires this to "outputs
+definition.
 pulled high", which is correct for some boards (eg the realview ones:
 see figure 3-29 in the "RealView Platform Baseboard for ARM926EJ-S
 User Guide" DUI0224I), but wrong for others.
 In particular, the wiring in the 'virt' board and the gpio-pwr device
 assumes that wires should be pulled low, because otherwise the
 pull-to-high will trigger a shutdown or reset action.  (The only
 reason this doesn't happen immediately on startup is due to another
 bug in the PL061, where we don't assert the GPIOs to the correct
 value on reset, but will do so as soon as the guest touches a
 register and pl061_update() gets called.)
 Add properties to the pl061 so the board can configure whether it
 wants GPIO lines to have pullup, pulldown, or neither.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-10-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c | 51 +++++++++++++++++++++++++++++++++++++++++++++----
+ hw/intc/arm_gicv3_its.c | 62 +++++++++++++++++++++--------------------
-file changed, 47 insertions(+), 4 deletions(-)
+file changed, 32 insertions(+), 30 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ typedef enum ItsCmdType {
-  *  + unnamed GPIO inputs 0..7: inputs to connect to the emulated GPIO lines
+     INTERRUPT = 3,
-  *  + unnamed GPIO outputs 0..7: the emulated GPIO lines, considered as
+ } ItsCmdType;
-  *    outputs
-+ *  + QOM property "pullups": an integer defining whether non-floating lines
+-typedef struct {
-+ *    configured as inputs should be pulled up to logical 1 (ie whether in
+-    uint32_t iteh;
-+ *    real hardware they have a pullup resistor on the line out of the PL061).
+-    uint64_t itel;
-+ *    This should be an 8-bit value, where bit 0 is 1 if GPIO line 0 should
+-} IteEntry;
-+ *    be pulled high, bit 1 configures line 1, and so on. The default is 0xff,
+-
-+ *    indicating that all GPIO lines are pulled up to logical 1.
+ typedef struct DTEntry {
-+ *  + QOM property "pulldowns": an integer defining whether non-floating lines
+     bool valid;
-+ *    configured as inputs should be pulled down to logical 0 (ie whether in
+     unsigned size;
-+ *    real hardware they have a pulldown resistor on the line out of the PL061).
+@@ -XXX,XX +XXX,XX @@ static MemTxResult get_cte(GICv3ITSState *s, uint16_t icid, CTEntry *cte)
-+ *    This should be an 8-bit value, where bit 0 is 1 if GPIO line 0 should
+     return MEMTX_OK;
-+ *    be pulled low, bit 1 configures line 1, and so on. The default is 0x0.
+ }
-+ *    It is an error to set a bit in both "pullups" and "pulldowns". If a bit
-+ *    is 0 in both, then the line is considered to be floating, and it will
++/*
-+ *    not have qemu_set_irq() called on it when it is configured as an input.
++ * Update the Interrupt Table entry at index @evinted in the table specified
-  */
++ * by the dte @dte. Returns true on success, false if there was a memory
++ * access error.
- #include "qemu/osdep.h"
++ */
- #include "hw/irq.h"
+ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
- #include "hw/sysbus.h"
+-                       IteEntry ite)
-+#include "hw/qdev-properties.h"
++                       const ITEntry *ite)
- #include "migration/vmstate.h"
+ {
-+#include "qapi/error.h"
+     AddressSpace *as = &s->gicv3->dma_as;
- #include "qemu/log.h"
+     MemTxResult res = MEMTX_OK;
- #include "qemu/module.h"
+     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
- #include "qom/object.h"
++    uint64_t itel = 0;
-@@ -XXX,XX +XXX,XX @@ struct PL061State {
++    uint32_t iteh = 0;
-     qemu_irq irq;
-     qemu_irq out[N_GPIOS];
+-    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
-     const unsigned char *id;
+-
-+    /* Properties, for non-Luminary PL061 */
+-    if (res == MEMTX_OK) {
-+    uint32_t pullups;
+-        address_space_stl_le(as, iteaddr + 8, ite.iteh,
-+    uint32_t pulldowns;
+-                             MEMTXATTRS_UNSPECIFIED, &res);
- };
++    if (ite->valid) {
++        itel = FIELD_DP64(itel, ITE_L, VALID, 1);
- static const VMStateDescription vmstate_pl061 = {
++        itel = FIELD_DP64(itel, ITE_L, INTTYPE, ite->inttype);
-@@ -XXX,XX +XXX,XX @@ static uint8_t pl061_floating(PL061State *s)
++        itel = FIELD_DP64(itel, ITE_L, INTID, ite->intid);
-          */
++        itel = FIELD_DP64(itel, ITE_L, ICID, ite->icid);
-         floating = ~(s->pur | s->pdr);
++        itel = FIELD_DP64(itel, ITE_L, VPEID, ite->vpeid);
-     } else {
++        iteh = FIELD_DP32(iteh, ITE_H, DOORBELL, ite->doorbell);
 -        /* Assume outputs are pulled high. FIXME: this is board dependent. */
 -        floating = 0;
 +        floating = ~(s->pullups | s->pulldowns);
      }
-     return floating & ~s->dir;
++
 +    address_space_stq_le(as, iteaddr, itel, MEMTXATTRS_UNSPECIFIED, &res);
      if (res != MEMTX_OK) {
          return false;
 -    } else {
 -        return true;
      }
 +    address_space_stl_le(as, iteaddr + 8, iteh, MEMTXATTRS_UNSPECIFIED, &res);
 +    return res == MEMTX_OK;
  }
-@@ -XXX,XX +XXX,XX @@ static uint8_t pl061_pullups(PL061State *s)
-          */
+ /*
-         pullups = s->pur;
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      } else {
 -        /* Assume outputs are pulled high. FIXME: this is board dependent. */
 -        pullups = 0xff;
 +        pullups = s->pullups;
      }
-     return pullups & ~s->dir;
      if (cmd == DISCARD) {
 -        IteEntry itee = {};
 +        ITEntry ite = {};
          /* remove mapping from interrupt translation table */
 -        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
 +        ite.valid = false;
 +        return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
-@@ -XXX,XX +XXX,XX @@ static void pl061_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
-     qdev_init_gpio_out(dev, s->out, N_GPIOS);
+     uint64_t num_eventids;
      uint32_t num_intids;
      uint16_t icid = 0;
 -    IteEntry ite = {};
      DTEntry dte;
 +    ITEntry ite;
      devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
      eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      }
      /* add ite entry to interrupt translation table */
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
 -    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
 -
 -    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +    ite.valid = true;
 +    ite.inttype = ITE_INTTYPE_PHYSICAL;
 +    ite.intid = pIntid;
 +    ite.icid = icid;
 +    ite.doorbell = INTID_SPURIOUS;
 +    ite.vpeid = 0;
 +    return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
  }
-+static void pl061_realize(DeviceState *dev, Error **errp)
+ /*
-+{
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
-+    PL061State *s = PL061(dev);
+     uint32_t devid, eventid;
-+
+     uint16_t new_icid;
-+    if (s->pullups > 0xff) {
+     uint64_t num_eventids;
-+        error_setg(errp, "pullups property must be between 0 and 0xff");
+-    IteEntry ite = {};
-+        return;
+     DTEntry dte;
-+    }
+     CTEntry old_cte, new_cte;
-+    if (s->pulldowns > 0xff) {
+     ITEntry old_ite;
-+        error_setg(errp, "pulldowns property must be between 0 and 0xff");
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
-+        return;
+     }
-+    }
-+    if (s->pullups & s->pulldowns) {
+     /* Update the ICID field in the interrupt translation table entry */
-+        error_setg(errp, "no bit may be set both in pullups and pulldowns");
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
-+        return;
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
-+    }
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
-+}
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
-+
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
-+static Property pl061_props[] = {
+-    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
-+    DEFINE_PROP_UINT32("pullups", PL061State, pullups, 0xff),
++    old_ite.icid = new_icid;
-+    DEFINE_PROP_UINT32("pulldowns", PL061State, pulldowns, 0x0),
++    return update_ite(s, eventid, &dte, &old_ite) ? CMD_CONTINUE : CMD_STALL;
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
  static void pl061_class_init(ObjectClass *klass, void *data)
  {
      DeviceClass *dc = DEVICE_CLASS(klass);
      dc->vmsd = &vmstate_pl061;
      dc->reset = &pl061_reset;
 +    dc->realize = pl061_realize;
 +    device_class_set_props(dc, pl061_props);
  }
- static const TypeInfo pl061_info = {
+ /*
 --
-.20.1
+.25.1

-New patch
+[PULL 35/39] hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fields
+Currently we track in the TableDesc and CmdQDesc structs the state of
+the GITS_BASER<n> and GITS_CBASER Valid bits.  However we aren't very
+consistent abut checking the valid field: we test it in update_cte()
+and update_dte(), but not anywhere else we look things up in tables.
+The GIC specification says that it is UNPREDICTABLE if a guest fails
+to set any of these Valid bits before enabling the ITS via
+GITS_CTLR.Enabled.  So we can choose to handle Valid == 0 as
+equivalent to a zero-length table.  This is in fact how we're already
+catching this case in most of the table-access paths: when Valid is 0
+we leave the num_entries fields in TableDesc or CmdQDesc set to zero,
+and then the out-of-bounds check "index >= num_entries" that we have
+to do anyway before doing any of these table lookups will always be
+true, catching the no-valid-table case without any extra code.
+So we can remove the checks on the valid field from update_cte()
+and update_dte(): since these happen after the bounds check there
+was never any case when the test could fail. That means the valid
+fields would be entirely unused, so just remove them.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-11-peter.maydell@linaro.org
+---
+ include/hw/intc/arm_gicv3_its_common.h |  2 --
+ hw/intc/arm_gicv3_its.c                | 31 ++++++++++++--------------
+files changed, 14 insertions(+), 19 deletions(-)
+diff --git a/include/hw/intc/arm_gicv3_its_common.h b/include/hw/intc/arm_gicv3_its_common.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/intc/arm_gicv3_its_common.h
++++ b/include/hw/intc/arm_gicv3_its_common.h
+@@ -XXX,XX +XXX,XX @@
+ #define GITS_TRANSLATER  0x0040
+ typedef struct {
+-    bool valid;
+     bool indirect;
+     uint16_t entry_sz;
+     uint32_t page_sz;
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ } TableDesc;
+ typedef struct {
+-    bool valid;
+     uint32_t num_entries;
+     uint64_t base_addr;
+ } CmdQDesc;
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
+     uint64_t cteval = 0;
+     MemTxResult res = MEMTX_OK;
+-    if (!s->ct.valid) {
+-        return true;
+-    }
+-
+     if (cte->valid) {
+         /* add mapping entry to collection table */
+         cteval = FIELD_DP64(cteval, CTE, VALID, 1);
+@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
+     uint64_t dteval = 0;
+     MemTxResult res = MEMTX_OK;
+-    if (s->dt.valid) {
+-        if (dte->valid) {
+-            /* add mapping entry to device table */
+-            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
+-            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
+-            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
+-        }
+-    } else {
+-        return true;
++    if (dte->valid) {
++        /* add mapping entry to device table */
++        dteval = FIELD_DP64(dteval, DTE, VALID, 1);
++        dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
++        dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
+     }
+     entry_addr = table_entry_addr(s, &s->dt, devid, &res);
+@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
+         }
+         memset(td, 0, sizeof(*td));
+-        td->valid = FIELD_EX64(value, GITS_BASER, VALID);
+         /*
+          * If GITS_BASER<n>.Valid is 0 for any <n> then we will not process
+          * interrupts. (GITS_TYPER.HCC is 0 for this implementation, so we
+@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
+          * for the register corresponding to the Collection table but we
+          * still have to process interrupts using non-memory-backed
+          * Collection table entries.)
++         * The specification makes it UNPREDICTABLE to enable the ITS without
++         * marking each BASER<n> as valid. We choose to handle these as if
++         * the table was zero-sized, so commands using the table will fail
++         * and interrupts requested via GITS_TRANSLATER writes will be ignored.
++         * This happens automatically by leaving the num_entries field at
++         * zero, which will be caught by the bounds checks we have before
++         * every table lookup anyway.
+          */
+-        if (!td->valid) {
++        if (!FIELD_EX64(value, GITS_BASER, VALID)) {
+             continue;
+         }
+         td->page_sz = page_sz;
+@@ -XXX,XX +XXX,XX @@ static void extract_cmdq_params(GICv3ITSState *s)
+     num_pages = FIELD_EX64(value, GITS_CBASER, SIZE) + 1;
+     memset(&s->cq, 0 , sizeof(s->cq));
+-    s->cq.valid = FIELD_EX64(value, GITS_CBASER, VALID);
+-    if (s->cq.valid) {
++    if (FIELD_EX64(value, GITS_CBASER, VALID)) {
+         s->cq.num_entries = (num_pages * GITS_PAGE_SIZE_4K) /
+                              GITS_CMDQ_ENTRY_SIZE;
+         s->cq.base_addr = FIELD_EX64(value, GITS_CBASER, PHYADDR);
+--
+.25.1

-New patch
+[PULL 36/39] hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field
+In the MAPC command, if V=0 this is a request to delete a collection
+table entry and the rdbase field of the command packet will not be
+used.  In particular, the specification says that the "UNPREDICTABLE
+if rdbase is not valid" only applies for V=1.
+We were doing a check-and-log-guest-error on rdbase regardless of
+whether the V bit was set, and also (harmlessly but confusingly)
+storing the contents of the rdbase field into the updated collection
+table entry.  Update the code so that if V=0 we don't check or use
+the rdbase field value.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-12-peter.maydell@linaro.org
+---
+ hw/intc/arm_gicv3_its.c | 24 ++++++++++++------------
+file changed, 12 insertions(+), 12 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
+     CTEntry cte;
+     icid = cmdpkt[2] & ICID_MASK;
+-
+-    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
+-    cte.rdbase &= RDBASE_PROCNUM_MASK;
+-
+     cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
++    if (cte.valid) {
++        cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
++        cte.rdbase &= RDBASE_PROCNUM_MASK;
++    } else {
++        cte.rdbase = 0;
++    }
+-    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
++    if (icid >= s->ct.num_entries) {
++        qemu_log_mask(LOG_GUEST_ERROR, "ITS MAPC: invalid ICID 0x%d", icid);
++        return CMD_CONTINUE;
++    }
++    if (cte.valid && cte.rdbase >= s->gicv3->num_cpu) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+-                      "ITS MAPC: invalid collection table attributes "
+-                      "icid %d rdbase %u\n",  icid, cte.rdbase);
+-        /*
+-         * in this implementation, in case of error
+-         * we ignore this command and move onto the next
+-         * command in the queue
+-         */
++                      "ITS MAPC: invalid RDBASE %u ", cte.rdbase);
+         return CMD_CONTINUE;
+     }
+--
+.25.1

-[PULL 09/17] hw/gpio/pl061: Document the interface of this device
+[PULL 37/39] hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTI
-Add a comment documenting the "QEMU interface" of this device:
+When handling MAPI/MAPTI, we allow the supplied interrupt ID to be
-which MMIO regions, IRQ lines, GPIO lines, etc it exposes.
+either 1023 or something in the valid LPI range.  This is a mistake:
 only a real valid LPI is allowed.  (The general behaviour of the ITS
 is that most interrupt ID fields require a value in the LPI range;
 the exception is that fields specifying a doorbell value, which are
 all in GICv4 commands, allow also 1023 to mean "no doorbell".)
 Remove the condition that incorrectly allows 1023 here.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-13-peter.maydell@linaro.org
 ---
- hw/gpio/pl061.c | 7 +++++++
+ hw/intc/arm_gicv3_its.c | 3 +--
-file changed, 7 insertions(+)
+file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/pl061.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/gpio/pl061.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
-  * Written by Paul Brook
-  *
+     if ((icid >= s->ct.num_entries)
-  * This code is licensed under the GPL.
+             || !dte.valid || (eventid >= num_eventids) ||
-+ *
+-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
-+ * QEMU interface:
+-             (pIntid != INTID_SPURIOUS))) {
-+ *  + sysbus MMIO region 0: the device registers
++            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
-+ *  + sysbus IRQ: the GPIOINTR interrupt line
+         qemu_log_mask(LOG_GUEST_ERROR,
-+ *  + unnamed GPIO inputs 0..7: inputs to connect to the emulated GPIO lines
+                       "%s: invalid command attributes "
-+ *  + unnamed GPIO outputs 0..7: the emulated GPIO lines, considered as
+                       "icid %d or eventid %d or pIntid %d or"
 + *    outputs
   */
  #include "qemu/osdep.h"
 --
-.20.1
+.25.1

-[PULL 15/17] hw/arm/stellaris: Expand comment about handling of OLED chipselect
+[PULL 38/39] hw/intc/arm_gicv3_its: Split error checks
-The stellaris board doesn't emulate the handling of the OLED
+In most of the ITS command processing, we check different error
-chipselect line correctly.  Expand the comment describing this,
+possibilities one at a time and log them appropriately. In
-including a sketch of the theoretical correct way to do it.
+process_mapti() and process_mapd() we have code which checks
 multiple error cases at once, which means the logging is less
 specific than it could be. Split those cases up.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-14-peter.maydell@linaro.org
 ---
- hw/arm/stellaris.c | 56 +++++++++++++++++++++++++++++++++++++++++++++-
+ hw/intc/arm_gicv3_its.c | 52 ++++++++++++++++++++++++-----------------
-file changed, 55 insertions(+), 1 deletion(-)
+file changed, 31 insertions(+), 21 deletions(-)
-diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/stellaris.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/arm/stellaris.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
-             DeviceState *sddev;
+     num_eventids = 1ULL << (dte.size + 1);
-             DeviceState *ssddev;
+     num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
--            /* Some boards have both an OLED controller and SD card connected to
+-    if ((icid >= s->ct.num_entries)
-+            /*
+-            || !dte.valid || (eventid >= num_eventids) ||
-+             * Some boards have both an OLED controller and SD card connected to
+-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
-              * the same SSI port, with the SD card chip select connected to a
++    if (icid >= s->ct.num_entries) {
-              * GPIO pin.  Technically the OLED chip select is connected to the
+         qemu_log_mask(LOG_GUEST_ERROR,
-              * SSI Fss pin.  We do not bother emulating that as both devices
+-                      "%s: invalid command attributes "
-              * should never be selected simultaneously, and our OLED controller
+-                      "icid %d or eventid %d or pIntid %d or"
-              * ignores stray 0xff commands that occur when deselecting the SD
+-                      "unmapped dte %d\n", __func__, icid, eventid,
-              * card.
+-                      pIntid, dte.valid);
-+             *
+-        /*
-+             * The h/w wiring is:
+-         * in this implementation, in case of error
-+             *  - GPIO pin D0 is wired to the active-low SD card chip select
+-         * we ignore this command and move onto the next
-+             *  - GPIO pin A3 is wired to the active-low OLED chip select
+-         * command in the queue
-+             *  - The SoC wiring of the PL061 "auxiliary function" for A3 is
+-         */
-+             *    SSI0Fss ("frame signal"), which is an output from the SoC's
++                      "%s: invalid ICID 0x%x >= 0x%x\n",
-+             *    SSI controller. The SSI controller takes SSI0Fss low when it
++                      __func__, icid, s->ct.num_entries);
-+             *    transmits a frame, so it can work as a chip-select signal.
++        return CMD_CONTINUE;
-+             *  - GPIO A4 is aux-function SSI0Rx, and wired to the SD card Tx
++    }
-+             *    (the OLED never sends data to the CPU, so no wiring needed)
++
-+             *  - GPIO A5 is aux-function SSI0Tx, and wired to the SD card Rx
++    if (!dte.valid) {
-+             *    and the OLED display-data-in
++        qemu_log_mask(LOG_GUEST_ERROR,
-+             *  - GPIO A2 is aux-function SSI0Clk, wired to SD card and OLED
++                      "%s: no valid DTE for devid 0x%x\n", __func__, devid);
-+             *    serial-clock input
++        return CMD_CONTINUE;
-+             * So a guest that wants to use the OLED can configure the PL061
++    }
-+             * to make pins A2, A3, A5 aux-function, so they are connected
++
-+             * directly to the SSI controller. When the SSI controller sends
++    if (eventid >= num_eventids) {
-+             * data it asserts SSI0Fss which selects the OLED.
++        qemu_log_mask(LOG_GUEST_ERROR,
-+             * A guest that wants to use the SD card configures A2, A4 and A5
++                      "%s: invalid event ID 0x%x >= 0x%" PRIx64 "\n",
-+             * as aux-function, but leaves A3 as a software-controlled GPIO
++                      __func__, eventid, num_eventids);
-+             * line. It asserts the SD card chip-select by using the PL061
++        return CMD_CONTINUE;
-+             * to control pin D0, and lets the SSI controller handle Clk, Tx
++    }
-+             * and Rx. (The SSI controller asserts Fss during tx cycles as
++
-+             * usual, but because A3 is not set to aux-function this is not
++    if (pIntid < GICV3_LPI_INTID_START || pIntid >= num_intids) {
-+             * forwarded to the OLED, and so the OLED stays unselected.)
++        qemu_log_mask(LOG_GUEST_ERROR,
-+             *
++                      "%s: invalid interrupt ID 0x%x\n", __func__, pIntid);
-+             * The QEMU implementation instead is:
+         return CMD_CONTINUE;
-+             *  - GPIO pin D0 is wired to the active-low SD card chip select,
+     }
-+             *    and also to the OLED chip-select which is implemented
-+             *    as *active-high*
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
-+             *  - SSI controller signals go to the devices regardless of
+     dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
-+             *    whether the guest programs A2, A4, A5 as aux-function or not
+     dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
-+             *
-+             * The problem with this implementation is if the guest doesn't
+-    if ((devid >= s->dt.num_entries) ||
-+             * care about the SD card and only uses the OLED. In that case it
+-        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
-+             * may choose never to do anything with D0 (leaving it in its
++    if (devid >= s->dt.num_entries) {
-+             * default floating state, which reliably leaves the card disabled
+         qemu_log_mask(LOG_GUEST_ERROR,
-+             * because an SD card has a pullup on CS within the card itself),
+-                      "ITS MAPD: invalid device table attributes "
-+             * and only set up A2, A3, A5. This for us would mean the OLED
+-                      "devid %d or size %d\n", devid, dte.size);
-+             * never gets the chip-select assert it needs. We work around
+-        /*
-+             * this with a manual raise of D0 here (despite board creation
+-         * in this implementation, in case of error
-+             * code being the wrong place to raise IRQ lines) to put the OLED
+-         * we ignore this command and move onto the next
-+             * into an initially selected state.
+-         * command in the queue
-+             *
+-         */
-+             * In theory the right way to model this would be:
++                      "ITS MAPD: invalid device ID field 0x%x >= 0x%x\n",
-+             *  - Implement aux-function support in the PL061, with an
++                      devid, s->dt.num_entries);
-+             *    extra set of AFIN and AFOUT GPIO lines (set up so that
++        return CMD_CONTINUE;
-+             *    if a GPIO line is in auxfn mode the main GPIO in and out
++    }
-+             *    track the AFIN and AFOUT lines)
++
-+             *  - Wire the AFOUT for D0 up to either a line from the
++    if (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS)) {
-+             *    SSI controller that's pulled low around every transmit,
++        qemu_log_mask(LOG_GUEST_ERROR,
-+             *    or at least to an always-0 line here on the board
++                      "ITS MAPD: invalid size %d\n", dte.size);
-+             *  - Make the ssd0323 OLED controller chipselect active-low
+         return CMD_CONTINUE;
-              */
+     }
              bus = qdev_get_child_bus(dev, "ssi");
 --
-.20.1
+.25.1

-[PULL 01/17] stm32f100: Add the stm32f100 SoC
+[PULL 39/39] hw/sensor: Add lsm303dlhc magnetometer device
-From: Alexandre Iooss <erdnaxe@crans.org>
+From: Kevin Townsend <kevin.townsend@linaro.org>
-This SoC is similar to stm32f205 SoC.
+This commit adds emulation of the magnetometer on the LSM303DLHC.
-This will be used by the STM32VLDISCOVERY to create a machine.
+It allows the magnetometer's X, Y and Z outputs to be set via the
 mag-x, mag-y and mag-z properties, as well as the 12-bit
 temperature output via the temperature property. Sensor can be
 enabled with 'CONFIG_LSM303DLHC_MAG=y'.
-Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
+Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20220130095032.35392-1-kevin.townsend@linaro.org
-Message-id: 20210617165647.2575955-2-erdnaxe@crans.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/stm32f100_soc.h |  57 +++++++++++
+ hw/sensor/lsm303dlhc_mag.c        | 556 ++++++++++++++++++++++++++++++
- hw/arm/stm32f100_soc.c         | 182 +++++++++++++++++++++++++++++++++
+ tests/qtest/lsm303dlhc-mag-test.c | 148 ++++++++
- MAINTAINERS                    |   6 ++
+ hw/sensor/Kconfig                 |   4 +
- hw/arm/Kconfig                 |   6 ++
+ hw/sensor/meson.build             |   1 +
- hw/arm/meson.build             |   1 +
+ tests/qtest/meson.build           |   1 +
-files changed, 252 insertions(+)
+files changed, 710 insertions(+)
- create mode 100644 include/hw/arm/stm32f100_soc.h
+ create mode 100644 hw/sensor/lsm303dlhc_mag.c
- create mode 100644 hw/arm/stm32f100_soc.c
+ create mode 100644 tests/qtest/lsm303dlhc-mag-test.c
-diff --git a/include/hw/arm/stm32f100_soc.h b/include/hw/arm/stm32f100_soc.h
+diff --git a/hw/sensor/lsm303dlhc_mag.c b/hw/sensor/lsm303dlhc_mag.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/include/hw/arm/stm32f100_soc.h
++++ b/hw/sensor/lsm303dlhc_mag.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * STM32F100 SoC
++ * LSM303DLHC I2C magnetometer.
 + *
-+ * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
++ * Copyright (C) 2021 Linaro Ltd.
 + * Written by Kevin Townsend <kevin.townsend@linaro.org>
 + *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
-+ * The above copyright notice and this permission notice shall be included in
++ * SPDX-License-Identifier: GPL-2.0-or-later
-+ * all copies or substantial portions of the Software.
++ */
 +
 +/*
 + * The I2C address associated with this device is set on the command-line when
 + * initialising the machine, but the following address is standard: 0x1E.
 + *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * Get and set functions for 'mag-x', 'mag-y' and 'mag-z' assume that
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * 1 = 0.001 uT. (NOTE the 1 gauss = 100 uT, so setting a value of 100,000
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * would be equal to 1 gauss or 100 uT.)
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ *
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * Get and set functions for 'temperature' assume that 1 = 0.001 C, so 23.6 C
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * would be equal to 23600.
-+ * THE SOFTWARE.
++ */
-+ */
++
-+
++#include "qemu/osdep.h"
-+#ifndef HW_ARM_STM32F100_SOC_H
++#include "hw/i2c/i2c.h"
-+#define HW_ARM_STM32F100_SOC_H
++#include "migration/vmstate.h"
-+
++#include "qapi/error.h"
-+#include "hw/char/stm32f2xx_usart.h"
++#include "qapi/visitor.h"
-+#include "hw/ssi/stm32f2xx_spi.h"
++#include "qemu/module.h"
-+#include "hw/arm/armv7m.h"
++#include "qemu/log.h"
-+#include "qom/object.h"
++#include "qemu/bswap.h"
 +
-+#define TYPE_STM32F100_SOC "stm32f100-soc"
++enum LSM303DLHCMagReg {
-+OBJECT_DECLARE_SIMPLE_TYPE(STM32F100State, STM32F100_SOC)
++    LSM303DLHC_MAG_REG_CRA          = 0x00,
-+
++    LSM303DLHC_MAG_REG_CRB          = 0x01,
-+#define STM_NUM_USARTS 3
++    LSM303DLHC_MAG_REG_MR           = 0x02,
-+#define STM_NUM_SPIS 2
++    LSM303DLHC_MAG_REG_OUT_X_H      = 0x03,
-+
++    LSM303DLHC_MAG_REG_OUT_X_L      = 0x04,
-+#define FLASH_BASE_ADDRESS 0x08000000
++    LSM303DLHC_MAG_REG_OUT_Z_H      = 0x05,
-+#define FLASH_SIZE (128 * 1024)
++    LSM303DLHC_MAG_REG_OUT_Z_L      = 0x06,
-+#define SRAM_BASE_ADDRESS 0x20000000
++    LSM303DLHC_MAG_REG_OUT_Y_H      = 0x07,
-+#define SRAM_SIZE (8 * 1024)
++    LSM303DLHC_MAG_REG_OUT_Y_L      = 0x08,
-+
++    LSM303DLHC_MAG_REG_SR           = 0x09,
-+struct STM32F100State {
++    LSM303DLHC_MAG_REG_IRA          = 0x0A,
-+    /*< private >*/
++    LSM303DLHC_MAG_REG_IRB          = 0x0B,
-+    SysBusDevice parent_obj;
++    LSM303DLHC_MAG_REG_IRC          = 0x0C,
-+
++    LSM303DLHC_MAG_REG_TEMP_OUT_H   = 0x31,
-+    /*< public >*/
++    LSM303DLHC_MAG_REG_TEMP_OUT_L   = 0x32
 +    char *cpu_type;
 +
 +    ARMv7MState armv7m;
 +
 +    STM32F2XXUsartState usart[STM_NUM_USARTS];
 +    STM32F2XXSPIState spi[STM_NUM_SPIS];
 +};
 +
-+#endif
++typedef struct LSM303DLHCMagState {
-diff --git a/hw/arm/stm32f100_soc.c b/hw/arm/stm32f100_soc.c
++    I2CSlave parent_obj;
 +    uint8_t cra;
 +    uint8_t crb;
 +    uint8_t mr;
 +    int16_t x;
 +    int16_t z;
 +    int16_t y;
 +    int16_t x_lock;
 +    int16_t z_lock;
 +    int16_t y_lock;
 +    uint8_t sr;
 +    uint8_t ira;
 +    uint8_t irb;
 +    uint8_t irc;
 +    int16_t temperature;
 +    int16_t temperature_lock;
 +    uint8_t len;
 +    uint8_t buf;
 +    uint8_t pointer;
 +} LSM303DLHCMagState;
 +
 +#define TYPE_LSM303DLHC_MAG "lsm303dlhc_mag"
 +OBJECT_DECLARE_SIMPLE_TYPE(LSM303DLHCMagState, LSM303DLHC_MAG)
 +
 +/*
 + * Conversion factor from Gauss to sensor values for each GN gain setting,
 + * in units "lsb per Gauss" (see data sheet table 3). There is no documented
 + * behaviour if the GN setting in CRB is incorrectly set to 0b000;
 + * we arbitrarily make it the same as 0b001.
 + */
 +uint32_t xy_gain[] = { 1100, 1100, 855, 670, 450, 400, 330, 230 };
 +uint32_t z_gain[] = { 980, 980, 760, 600, 400, 355, 295, 205 };
 +
 +static void lsm303dlhc_mag_get_x(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->x, 100000, xy_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_get_y(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->y, 100000, xy_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_get_z(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->z, 100000, z_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_set_x(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, xy_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->x = (int16_t)reg;
 +}
 +
 +static void lsm303dlhc_mag_set_y(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, xy_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->y = (int16_t)reg;
 +}
 +
 +static void lsm303dlhc_mag_set_z(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, z_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->z = (int16_t)reg;
 +}
 +
 +/*
 + * Get handler for the temperature property.
 + */
 +static void lsm303dlhc_mag_get_temperature(Object *obj, Visitor *v,
 +                                           const char *name, void *opaque,
 +                                           Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +
 +    /* Convert to 1 lsb = 0.125 C to 1 = 0.001 C for 'temperature' property. */
 +    value = s->temperature * 125;
 +
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +/*
 + * Set handler for the temperature property.
 + */
 +static void lsm303dlhc_mag_set_temperature(Object *obj, Visitor *v,
 +                                           const char *name, void *opaque,
 +                                           Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    /* Input temperature is in 0.001 C units. Convert to 1 lsb = 0.125 C. */
 +    value /= 125;
 +
 +    if (value > 2047 || value < -2048) {
 +        error_setg(errp, "value %" PRId64 " lsb is out of range", value);
 +        return;
 +    }
 +
 +    s->temperature = (int16_t)value;
 +}
 +
 +/*
 + * Callback handler whenever a 'I2C_START_RECV' (read) event is received.
 + */
 +static void lsm303dlhc_mag_read(LSM303DLHCMagState *s)
 +{
 +    /*
 +     * Set the LOCK bit whenever a new read attempt is made. This will be
 +     * cleared in I2C_FINISH. Note that DRDY is always set to 1 in this driver.
 +     */
 +    s->sr = 0x3;
 +
 +    /*
 +     * Copy the current X/Y/Z and temp. values into the locked registers so
 +     * that 'mag-x', 'mag-y', 'mag-z' and 'temperature' can continue to be
 +     * updated via QOM, etc., without corrupting the current read event.
 +     */
 +    s->x_lock = s->x;
 +    s->z_lock = s->z;
 +    s->y_lock = s->y;
 +    s->temperature_lock = s->temperature;
 +}
 +
 +/*
 + * Callback handler whenever a 'I2C_FINISH' event is received.
 + */
 +static void lsm303dlhc_mag_finish(LSM303DLHCMagState *s)
 +{
 +    /*
 +     * Clear the LOCK bit when the read attempt terminates.
 +     * This bit is initially set in the I2C_START_RECV handler.
 +     */
 +    s->sr = 0x1;
 +}
 +
 +/*
 + * Callback handler when a device attempts to write to a register.
 + */
 +static void lsm303dlhc_mag_write(LSM303DLHCMagState *s)
 +{
 +    switch (s->pointer) {
 +    case LSM303DLHC_MAG_REG_CRA:
 +        s->cra = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_CRB:
 +        /* Make sure gain is at least 1, falling back to 1 on an error. */
 +        if (s->buf >> 5 == 0) {
 +            s->buf = 1 << 5;
 +        }
 +        s->crb = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_MR:
 +        s->mr = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_SR:
 +        s->sr = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRA:
 +        s->ira = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRB:
 +        s->irb = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRC:
 +        s->irc = s->buf;
 +        break;
 +    default:
 +        qemu_log_mask(LOG_GUEST_ERROR, "reg is read-only: 0x%02X", s->buf);
 +        break;
 +    }
 +}
 +
 +/*
 + * Low-level master-to-slave transaction handler.
 + */
 +static int lsm303dlhc_mag_send(I2CSlave *i2c, uint8_t data)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    if (s->len == 0) {
 +        /* First byte is the reg pointer */
 +        s->pointer = data;
 +        s->len++;
 +    } else if (s->len == 1) {
 +        /* Second byte is the new register value. */
 +        s->buf = data;
 +        lsm303dlhc_mag_write(s);
 +    } else {
 +        g_assert_not_reached();
 +    }
 +
 +    return 0;
 +}
 +
 +/*
 + * Low-level slave-to-master transaction handler (read attempts).
 + */
 +static uint8_t lsm303dlhc_mag_recv(I2CSlave *i2c)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +    uint8_t resp;
 +
 +    switch (s->pointer) {
 +    case LSM303DLHC_MAG_REG_CRA:
 +        resp = s->cra;
 +        break;
 +    case LSM303DLHC_MAG_REG_CRB:
 +        resp = s->crb;
 +        break;
 +    case LSM303DLHC_MAG_REG_MR:
 +        resp = s->mr;
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_X_H:
 +        resp = (uint8_t)(s->x_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_X_L:
 +        resp = (uint8_t)(s->x_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Z_H:
 +        resp = (uint8_t)(s->z_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Z_L:
 +        resp = (uint8_t)(s->z_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Y_H:
 +        resp = (uint8_t)(s->y_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Y_L:
 +        resp = (uint8_t)(s->y_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_SR:
 +        resp = s->sr;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRA:
 +        resp = s->ira;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRB:
 +        resp = s->irb;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRC:
 +        resp = s->irc;
 +        break;
 +    case LSM303DLHC_MAG_REG_TEMP_OUT_H:
 +        /* Check if the temperature sensor is enabled or not (CRA & 0x80). */
 +        if (s->cra & 0x80) {
 +            resp = (uint8_t)(s->temperature_lock >> 8);
 +        } else {
 +            resp = 0;
 +        }
 +        break;
 +    case LSM303DLHC_MAG_REG_TEMP_OUT_L:
 +        if (s->cra & 0x80) {
 +            resp = (uint8_t)(s->temperature_lock & 0xff);
 +        } else {
 +            resp = 0;
 +        }
 +        break;
 +    default:
 +        resp = 0;
 +        break;
 +    }
 +
 +    /*
 +     * The address pointer on the LSM303DLHC auto-increments whenever a byte
 +     * is read, without the master device having to request the next address.
 +     *
 +     * The auto-increment process has the following logic:
 +     *
 +     *   - if (s->pointer == 8) then s->pointer = 3
 +     *   - else: if (s->pointer == 12) then s->pointer = 0
 +     *   - else: s->pointer += 1
 +     *
 +     * Reading an invalid address return 0.
 +     */
 +    if (s->pointer == LSM303DLHC_MAG_REG_OUT_Y_L) {
 +        s->pointer = LSM303DLHC_MAG_REG_OUT_X_H;
 +    } else if (s->pointer == LSM303DLHC_MAG_REG_IRC) {
 +        s->pointer = LSM303DLHC_MAG_REG_CRA;
 +    } else {
 +        s->pointer++;
 +    }
 +
 +    return resp;
 +}
 +
 +/*
 + * Bus state change handler.
 + */
 +static int lsm303dlhc_mag_event(I2CSlave *i2c, enum i2c_event event)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    switch (event) {
 +    case I2C_START_SEND:
 +        break;
 +    case I2C_START_RECV:
 +        lsm303dlhc_mag_read(s);
 +        break;
 +    case I2C_FINISH:
 +        lsm303dlhc_mag_finish(s);
 +        break;
 +    case I2C_NACK:
 +        break;
 +    }
 +
 +    s->len = 0;
 +    return 0;
 +}
 +
 +/*
 + * Device data description using VMSTATE macros.
 + */
 +static const VMStateDescription vmstate_lsm303dlhc_mag = {
 +    .name = "LSM303DLHC_MAG",
 +    .version_id = 0,
 +    .minimum_version_id = 0,
 +    .fields = (VMStateField[]) {
 +
 +        VMSTATE_I2C_SLAVE(parent_obj, LSM303DLHCMagState),
 +        VMSTATE_UINT8(len, LSM303DLHCMagState),
 +        VMSTATE_UINT8(buf, LSM303DLHCMagState),
 +        VMSTATE_UINT8(pointer, LSM303DLHCMagState),
 +        VMSTATE_UINT8(cra, LSM303DLHCMagState),
 +        VMSTATE_UINT8(crb, LSM303DLHCMagState),
 +        VMSTATE_UINT8(mr, LSM303DLHCMagState),
 +        VMSTATE_INT16(x, LSM303DLHCMagState),
 +        VMSTATE_INT16(z, LSM303DLHCMagState),
 +        VMSTATE_INT16(y, LSM303DLHCMagState),
 +        VMSTATE_INT16(x_lock, LSM303DLHCMagState),
 +        VMSTATE_INT16(z_lock, LSM303DLHCMagState),
 +        VMSTATE_INT16(y_lock, LSM303DLHCMagState),
 +        VMSTATE_UINT8(sr, LSM303DLHCMagState),
 +        VMSTATE_UINT8(ira, LSM303DLHCMagState),
 +        VMSTATE_UINT8(irb, LSM303DLHCMagState),
 +        VMSTATE_UINT8(irc, LSM303DLHCMagState),
 +        VMSTATE_INT16(temperature, LSM303DLHCMagState),
 +        VMSTATE_INT16(temperature_lock, LSM303DLHCMagState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +/*
 + * Put the device into post-reset default state.
 + */
 +static void lsm303dlhc_mag_default_cfg(LSM303DLHCMagState *s)
 +{
 +    /* Set the device into is default reset state. */
 +    s->len = 0;
 +    s->pointer = 0;         /* Current register. */
 +    s->buf = 0;             /* Shared buffer. */
 +    s->cra = 0x10;          /* Temp Enabled = 0, Data Rate = 15.0 Hz. */
 +    s->crb = 0x20;          /* Gain = +/- 1.3 Gauss. */
 +    s->mr = 0x3;            /* Operating Mode = Sleep. */
 +    s->x = 0;
 +    s->z = 0;
 +    s->y = 0;
 +    s->x_lock = 0;
 +    s->z_lock = 0;
 +    s->y_lock = 0;
 +    s->sr = 0x1;            /* DRDY = 1. */
 +    s->ira = 0x48;
 +    s->irb = 0x34;
 +    s->irc = 0x33;
 +    s->temperature = 0;     /* Default to 0 degrees C (0/8 lsb = 0 C). */
 +    s->temperature_lock = 0;
 +}
 +
 +/*
 + * Callback handler when DeviceState 'reset' is set to true.
 + */
 +static void lsm303dlhc_mag_reset(DeviceState *dev)
 +{
 +    I2CSlave *i2c = I2C_SLAVE(dev);
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    /* Set the device into its default reset state. */
 +    lsm303dlhc_mag_default_cfg(s);
 +}
 +
 +/*
 + * Initialisation of any public properties.
 + */
 +static void lsm303dlhc_mag_initfn(Object *obj)
 +{
 +    object_property_add(obj, "mag-x", "int",
 +                lsm303dlhc_mag_get_x,
 +                lsm303dlhc_mag_set_x, NULL, NULL);
 +
 +    object_property_add(obj, "mag-y", "int",
 +                lsm303dlhc_mag_get_y,
 +                lsm303dlhc_mag_set_y, NULL, NULL);
 +
 +    object_property_add(obj, "mag-z", "int",
 +                lsm303dlhc_mag_get_z,
 +                lsm303dlhc_mag_set_z, NULL, NULL);
 +
 +    object_property_add(obj, "temperature", "int",
 +                lsm303dlhc_mag_get_temperature,
 +                lsm303dlhc_mag_set_temperature, NULL, NULL);
 +}
 +
 +/*
 + * Set the virtual method pointers (bus state change, tx/rx, etc.).
 + */
 +static void lsm303dlhc_mag_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    I2CSlaveClass *k = I2C_SLAVE_CLASS(klass);
 +
 +    dc->reset = lsm303dlhc_mag_reset;
 +    dc->vmsd = &vmstate_lsm303dlhc_mag;
 +    k->event = lsm303dlhc_mag_event;
 +    k->recv = lsm303dlhc_mag_recv;
 +    k->send = lsm303dlhc_mag_send;
 +}
 +
 +static const TypeInfo lsm303dlhc_mag_info = {
 +    .name = TYPE_LSM303DLHC_MAG,
 +    .parent = TYPE_I2C_SLAVE,
 +    .instance_size = sizeof(LSM303DLHCMagState),
 +    .instance_init = lsm303dlhc_mag_initfn,
 +    .class_init = lsm303dlhc_mag_class_init,
 +};
 +
 +static void lsm303dlhc_mag_register_types(void)
 +{
 +    type_register_static(&lsm303dlhc_mag_info);
 +}
 +
 +type_init(lsm303dlhc_mag_register_types)
 diff --git a/tests/qtest/lsm303dlhc-mag-test.c b/tests/qtest/lsm303dlhc-mag-test.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/hw/arm/stm32f100_soc.c
++++ b/tests/qtest/lsm303dlhc-mag-test.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * STM32F100 SoC
++ * QTest testcase for the LSM303DLHC I2C magnetometer
 + *
-+ * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
++ * Copyright (C) 2021 Linaro Ltd.
-+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
++ * Written by Kevin Townsend <kevin.townsend@linaro.org>
 + *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
-+ * The above copyright notice and this permission notice shall be included in
++ * SPDX-License-Identifier: GPL-2.0-or-later
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
-+#include "qapi/error.h"
++#include "libqtest-single.h"
-+#include "qemu/module.h"
++#include "libqos/qgraph.h"
-+#include "hw/arm/boot.h"
++#include "libqos/i2c.h"
-+#include "exec/address-spaces.h"
++#include "qapi/qmp/qdict.h"
-+#include "hw/arm/stm32f100_soc.h"
++
-+#include "hw/qdev-properties.h"
++#define LSM303DLHC_MAG_TEST_ID        "lsm303dlhc_mag-test"
-+#include "hw/misc/unimp.h"
++#define LSM303DLHC_MAG_REG_CRA        0x00
-+#include "sysemu/sysemu.h"
++#define LSM303DLHC_MAG_REG_CRB        0x01
-+
++#define LSM303DLHC_MAG_REG_OUT_X_H    0x03
-+/* stm32f100_soc implementation is derived from stm32f205_soc */
++#define LSM303DLHC_MAG_REG_OUT_Z_H    0x05
-+
++#define LSM303DLHC_MAG_REG_OUT_Y_H    0x07
-+static const uint32_t usart_addr[STM_NUM_USARTS] = { 0x40013800, 0x40004400,
++#define LSM303DLHC_MAG_REG_IRC        0x0C
-+    0x40004800 };
++#define LSM303DLHC_MAG_REG_TEMP_OUT_H 0x31
-+static const uint32_t spi_addr[STM_NUM_SPIS] = { 0x40013000, 0x40003800 };
++
-+
++static int qmp_lsm303dlhc_mag_get_property(const char *id, const char *prop)
-+static const int usart_irq[STM_NUM_USARTS] = {37, 38, 39};
++{
-+static const int spi_irq[STM_NUM_SPIS] = {35, 36};
++    QDict *response;
-+
++    int ret;
-+static void stm32f100_soc_initfn(Object *obj)
++
-+{
++    response = qmp("{ 'execute': 'qom-get', 'arguments': { 'path': %s, "
-+    STM32F100State *s = STM32F100_SOC(obj);
++                   "'property': %s } }", id, prop);
-+    int i;
++    g_assert(qdict_haskey(response, "return"));
-+
++    ret = qdict_get_int(response, "return");
-+    object_initialize_child(obj, "armv7m", &s->armv7m, TYPE_ARMV7M);
++    qobject_unref(response);
-+
++    return ret;
-+    for (i = 0; i < STM_NUM_USARTS; i++) {
++}
-+        object_initialize_child(obj, "usart[*]", &s->usart[i],
++
-+                                TYPE_STM32F2XX_USART);
++static void qmp_lsm303dlhc_mag_set_property(const char *id, const char *prop,
-+    }
++                                            int value)
-+
++{
-+    for (i = 0; i < STM_NUM_SPIS; i++) {
++    QDict *response;
-+        object_initialize_child(obj, "spi[*]", &s->spi[i], TYPE_STM32F2XX_SPI);
++
-+    }
++    response = qmp("{ 'execute': 'qom-set', 'arguments': { 'path': %s, "
-+}
++                   "'property': %s, 'value': %d } }", id, prop, value);
-+
++    g_assert(qdict_haskey(response, "return"));
-+static void stm32f100_soc_realize(DeviceState *dev_soc, Error **errp)
++    qobject_unref(response);
-+{
++}
-+    STM32F100State *s = STM32F100_SOC(dev_soc);
++
-+    DeviceState *dev, *armv7m;
++static void send_and_receive(void *obj, void *data, QGuestAllocator *alloc)
-+    SysBusDevice *busdev;
++{
-+    int i;
++    int64_t value;
-+
++    QI2CDevice *i2cdev = (QI2CDevice *)obj;
-+    MemoryRegion *system_memory = get_system_memory();
++
-+    MemoryRegion *sram = g_new(MemoryRegion, 1);
++    /* Check default value for CRB */
-+    MemoryRegion *flash = g_new(MemoryRegion, 1);
++    g_assert_cmphex(i2c_get8(i2cdev, LSM303DLHC_MAG_REG_CRB), ==, 0x20);
-+    MemoryRegion *flash_alias = g_new(MemoryRegion, 1);
++
-+
++    /* Set x to 1.0 gauss and verify the value */
-+    /*
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
-+     * Init flash region
++    value = qmp_lsm303dlhc_mag_get_property(
-+     * Flash starts at 0x08000000 and then is aliased to boot memory at 0x0
++        LSM303DLHC_MAG_TEST_ID, "mag-x");
-+     */
++    g_assert_cmpint(value, ==, 100000);
-+    memory_region_init_rom(flash, OBJECT(dev_soc), "STM32F100.flash",
++
-+                           FLASH_SIZE, &error_fatal);
++    /* Set y to 1.5 gauss and verify the value */
-+    memory_region_init_alias(flash_alias, OBJECT(dev_soc),
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
-+                             "STM32F100.flash.alias", flash, 0, FLASH_SIZE);
++    value = qmp_lsm303dlhc_mag_get_property(
-+    memory_region_add_subregion(system_memory, FLASH_BASE_ADDRESS, flash);
++        LSM303DLHC_MAG_TEST_ID, "mag-y");
-+    memory_region_add_subregion(system_memory, 0, flash_alias);
++    g_assert_cmpint(value, ==, 150000);
 +
-+    /* Init SRAM region */
++    /* Set z to 0.5 gauss and verify the value */
-+    memory_region_init_ram(sram, NULL, "STM32F100.sram", SRAM_SIZE,
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-z", 50000);
-+                           &error_fatal);
++    value = qmp_lsm303dlhc_mag_get_property(
-+    memory_region_add_subregion(system_memory, SRAM_BASE_ADDRESS, sram);
++        LSM303DLHC_MAG_TEST_ID, "mag-z");
-+
++    g_assert_cmpint(value, ==, 50000);
-+    /* Init ARMv7m */
++
-+    armv7m = DEVICE(&s->armv7m);
++    /* Set temperature to 23.6 C and verify the value */
-+    qdev_prop_set_uint32(armv7m, "num-irq", 61);
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID,
-+    qdev_prop_set_string(armv7m, "cpu-type", s->cpu_type);
++        "temperature", 23600);
-+    qdev_prop_set_bit(armv7m, "enable-bitband", true);
++    value = qmp_lsm303dlhc_mag_get_property(
-+    object_property_set_link(OBJECT(&s->armv7m), "memory",
++        LSM303DLHC_MAG_TEST_ID, "temperature");
-+                             OBJECT(get_system_memory()), &error_abort);
++    /* Should return 23.5 C due to 0.125°C steps. */
-+    if (!sysbus_realize(SYS_BUS_DEVICE(&s->armv7m), errp)) {
++    g_assert_cmpint(value, ==, 23500);
-+        return;
++
-+    }
++    /* Read raw x axis registers (1 gauss = 1100 at +/-1.3 g gain) */
-+
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_X_H);
-+    /* Attach UART (uses USART registers) and USART controllers */
++    g_assert_cmphex(value, ==, 1100);
-+    for (i = 0; i < STM_NUM_USARTS; i++) {
++
-+        dev = DEVICE(&(s->usart[i]));
++    /* Read raw y axis registers (1.5 gauss = 1650 at +/- 1.3 g gain = ) */
-+        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H);
-+        if (!sysbus_realize(SYS_BUS_DEVICE(&s->usart[i]), errp)) {
++    g_assert_cmphex(value, ==, 1650);
-+            return;
++
-+        }
++    /* Read raw z axis registers (0.5 gauss = 490 at +/- 1.3 g gain = ) */
-+        busdev = SYS_BUS_DEVICE(dev);
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Z_H);
-+        sysbus_mmio_map(busdev, 0, usart_addr[i]);
++    g_assert_cmphex(value, ==, 490);
-+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, usart_irq[i]));
++
-+    }
++    /* Read raw temperature registers with temp disabled (CRA = 0x10) */
-+
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
-+    /* SPI 1 and 2 */
++    g_assert_cmphex(value, ==, 0);
-+    for (i = 0; i < STM_NUM_SPIS; i++) {
++
-+        dev = DEVICE(&(s->spi[i]));
++    /* Enable temperature reads (CRA = 0x90) */
-+        if (!sysbus_realize(SYS_BUS_DEVICE(&s->spi[i]), errp)) {
++    i2c_set8(i2cdev, LSM303DLHC_MAG_REG_CRA, 0x90);
-+            return;
++
-+        }
++    /* Read raw temp registers (23.5 C = 188 at 1 lsb = 0.125 C) */
-+        busdev = SYS_BUS_DEVICE(dev);
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
-+        sysbus_mmio_map(busdev, 0, spi_addr[i]);
++    g_assert_cmphex(value, ==, 188);
-+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, spi_irq[i]));
++}
-+    }
++
-+
++static void reg_wraparound(void *obj, void *data, QGuestAllocator *alloc)
-+    create_unimplemented_device("timer[2]",  0x40000000, 0x400);
++{
-+    create_unimplemented_device("timer[3]",  0x40000400, 0x400);
++    uint8_t value[4];
-+    create_unimplemented_device("timer[4]",  0x40000800, 0x400);
++    QI2CDevice *i2cdev = (QI2CDevice *)obj;
-+    create_unimplemented_device("timer[6]",  0x40001000, 0x400);
++
-+    create_unimplemented_device("timer[7]",  0x40001400, 0x400);
++    /* Set x to 1.0 gauss, and y to 1.5 gauss for known test values */
-+    create_unimplemented_device("RTC",       0x40002800, 0x400);
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
-+    create_unimplemented_device("WWDG",      0x40002C00, 0x400);
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
-+    create_unimplemented_device("IWDG",      0x40003000, 0x400);
++
-+    create_unimplemented_device("I2C1",      0x40005400, 0x400);
++    /* Check that requesting 4 bytes starting at Y_H wraps around to X_L */
-+    create_unimplemented_device("I2C2",      0x40005800, 0x400);
++    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H, value, 4);
-+    create_unimplemented_device("BKP",       0x40006C00, 0x400);
++    /* 1.5 gauss = 1650 lsb = 0x672 */
-+    create_unimplemented_device("PWR",       0x40007000, 0x400);
++    g_assert_cmphex(value[0], ==, 0x06);
-+    create_unimplemented_device("DAC",       0x40007400, 0x400);
++    g_assert_cmphex(value[1], ==, 0x72);
-+    create_unimplemented_device("CEC",       0x40007800, 0x400);
++    /* 1.0 gauss = 1100 lsb = 0x44C */
-+    create_unimplemented_device("AFIO",      0x40010000, 0x400);
++    g_assert_cmphex(value[2], ==, 0x04);
-+    create_unimplemented_device("EXTI",      0x40010400, 0x400);
++    g_assert_cmphex(value[3], ==, 0x4C);
-+    create_unimplemented_device("GPIOA",     0x40010800, 0x400);
++
-+    create_unimplemented_device("GPIOB",     0x40010C00, 0x400);
++    /* Check that requesting LSM303DLHC_MAG_REG_IRC wraps around to CRA */
-+    create_unimplemented_device("GPIOC",     0x40011000, 0x400);
++    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_IRC, value, 2);
-+    create_unimplemented_device("GPIOD",     0x40011400, 0x400);
++    /* Default value for IRC = 0x33 */
-+    create_unimplemented_device("GPIOE",     0x40011800, 0x400);
++    g_assert_cmphex(value[0], ==, 0x33);
-+    create_unimplemented_device("ADC1",      0x40012400, 0x400);
++    /* Default value for CRA = 0x10 */
-+    create_unimplemented_device("timer[1]",  0x40012C00, 0x400);
++    g_assert_cmphex(value[1], ==, 0x10);
-+    create_unimplemented_device("timer[15]", 0x40014000, 0x400);
++}
-+    create_unimplemented_device("timer[16]", 0x40014400, 0x400);
++
-+    create_unimplemented_device("timer[17]", 0x40014800, 0x400);
++static void lsm303dlhc_mag_register_nodes(void)
-+    create_unimplemented_device("DMA",       0x40020000, 0x400);
++{
-+    create_unimplemented_device("RCC",       0x40021000, 0x400);
++    QOSGraphEdgeOptions opts = {
-+    create_unimplemented_device("Flash Int", 0x40022000, 0x400);
++        .extra_device_opts = "id=" LSM303DLHC_MAG_TEST_ID ",address=0x1e"
-+    create_unimplemented_device("CRC",       0x40023000, 0x400);
++    };
-+}
++    add_qi2c_address(&opts, &(QI2CAddress) { 0x1E });
 +
-+static Property stm32f100_soc_properties[] = {
++    qos_node_create_driver("lsm303dlhc_mag", i2c_device_create);
-+    DEFINE_PROP_STRING("cpu-type", STM32F100State, cpu_type),
++    qos_node_consumes("lsm303dlhc_mag", "i2c-bus", &opts);
-+    DEFINE_PROP_END_OF_LIST(),
++
-+};
++    qos_add_test("tx-rx", "lsm303dlhc_mag", send_and_receive, NULL);
-+
++    qos_add_test("regwrap", "lsm303dlhc_mag", reg_wraparound, NULL);
-+static void stm32f100_soc_class_init(ObjectClass *klass, void *data)
++}
-+{
++libqos_init(lsm303dlhc_mag_register_nodes);
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+diff --git a/hw/sensor/Kconfig b/hw/sensor/Kconfig
 +
 +    dc->realize = stm32f100_soc_realize;
 +    device_class_set_props(dc, stm32f100_soc_properties);
 +}
 +
 +static const TypeInfo stm32f100_soc_info = {
 +    .name          = TYPE_STM32F100_SOC,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(STM32F100State),
 +    .instance_init = stm32f100_soc_initfn,
 +    .class_init    = stm32f100_soc_class_init,
 +};
 +
 +static void stm32f100_soc_types(void)
 +{
 +    type_register_static(&stm32f100_soc_info);
 +}
 +
 +type_init(stm32f100_soc_types)
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
+--- a/hw/sensor/Kconfig
-+++ b/MAINTAINERS
++++ b/hw/sensor/Kconfig
-@@ -XXX,XX +XXX,XX @@ L: qemu-arm@nongnu.org
+@@ -XXX,XX +XXX,XX @@ config ADM1272
- S: Maintained
+ config MAX34451
- F: hw/arm/virt-acpi-build.c
+     bool
+     depends on I2C
-+STM32F100
++
-+M: Alexandre Iooss <erdnaxe@crans.org>
++config LSM303DLHC_MAG
-+L: qemu-arm@nongnu.org
++    bool
-+S: Maintained
++    depends on I2C
-+F: hw/arm/stm32f100_soc.c
+diff --git a/hw/sensor/meson.build b/hw/sensor/meson.build
 +
  STM32F205
  M: Alistair Francis <alistair@alistair23.me>
  M: Peter Maydell <peter.maydell@linaro.org>
 diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Kconfig
+--- a/hw/sensor/meson.build
-+++ b/hw/arm/Kconfig
++++ b/hw/sensor/meson.build
-@@ -XXX,XX +XXX,XX @@ config RASPI
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_DPS310', if_true: files('dps310.c'))
-     select SDHCI
+ softmmu_ss.add(when: 'CONFIG_EMC141X', if_true: files('emc141x.c'))
-     select USB_DWC2
+ softmmu_ss.add(when: 'CONFIG_ADM1272', if_true: files('adm1272.c'))
+ softmmu_ss.add(when: 'CONFIG_MAX34451', if_true: files('max34451.c'))
-+config STM32F100_SOC
++softmmu_ss.add(when: 'CONFIG_LSM303DLHC_MAG', if_true: files('lsm303dlhc_mag.c'))
-+    bool
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
 +    select ARM_V7M
 +    select STM32F2XX_USART
 +    select STM32F2XX_SPI
 +
  config STM32F205_SOC
      bool
      select ARM_V7M
 diff --git a/hw/arm/meson.build b/hw/arm/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/meson.build
+--- a/tests/qtest/meson.build
-+++ b/hw/arm/meson.build
++++ b/tests/qtest/meson.build
-@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_STRONGARM', if_true: files('strongarm.c'))
+@@ -XXX,XX +XXX,XX @@ qos_test_ss.add(
- arm_ss.add(when: 'CONFIG_ALLWINNER_A10', if_true: files('allwinner-a10.c', 'cubieboard.c'))
+   'eepro100-test.c',
- arm_ss.add(when: 'CONFIG_ALLWINNER_H3', if_true: files('allwinner-h3.c', 'orangepi.c'))
+   'es1370-test.c',
- arm_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_peripherals.c', 'bcm2836.c', 'raspi.c'))
+   'ipoctal232-test.c',
-+arm_ss.add(when: 'CONFIG_STM32F100_SOC', if_true: files('stm32f100_soc.c'))
++  'lsm303dlhc-mag-test.c',
- arm_ss.add(when: 'CONFIG_STM32F205_SOC', if_true: files('stm32f205_soc.c'))
+   'max34451-test.c',
- arm_ss.add(when: 'CONFIG_STM32F405_SOC', if_true: files('stm32f405_soc.c'))
+   'megasas-test.c',
- arm_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zynqmp.c', 'xlnx-zcu102.c'))
+   'ne2000-test.c',
 --
-.20.1
+.25.1

Arm changes for before softfreeze: mostly my PL061/GPIO patches,
but also a new M-profile board and various other things.

thanks
-- PMM

The following changes since commit 05de778b5b8ab0b402996769117b88c7ea5c7c61:

Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2021-07-09 14:30:01 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210709

for you to fetch changes up to 05449abb1d4c5f0c69ceb3d8d03cbc75de39b646:

hw/intc: Improve formatting of MEMTX_ERROR guest error message (2021-07-09 16:09:12 +0100)

----------------------------------------------------------------
target-arm queue:
 * New machine type: stm32vldiscovery
 * hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write
 * hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers
 * virt: Fix implementation of GPIO-based powerdown/shutdown mechanism
 * Correct the encoding of MDCCSR_EL0 and DBGDSCRint
 * hw/intc: Improve formatting of MEMTX_ERROR guest error message

----------------------------------------------------------------
Alexandre Iooss (4):
      stm32f100: Add the stm32f100 SoC
      stm32vldiscovery: Add the STM32VLDISCOVERY Machine
      docs/system: arm: Add stm32 boards description
      tests/boot-serial-test: Add STM32VLDISCOVERY board testcase

Peter Maydell (10):
      hw/gpio/pl061: Convert DPRINTF to tracepoints
      hw/gpio/pl061: Clean up read/write offset handling logic
      hw/gpio/pl061: Add tracepoints for register read and write
      hw/gpio/pl061: Document the interface of this device
      hw/gpio/pl061: Honour Luminary PL061 PUR and PDR registers
      hw/gpio/pl061: Make pullup/pulldown of outputs configurable
      hw/arm/virt: Make PL061 GPIO lines pulled low, not high
      hw/gpio/pl061: Convert to 3-phase reset and assert GPIO lines correctly on reset
      hw/gpio/pl061: Document a shortcoming in our implementation
      hw/arm/stellaris: Expand comment about handling of OLED chipselect

Rebecca Cran (1):
      hw/intc: Improve formatting of MEMTX_ERROR guest error message

Ricardo Koller (1):
      hw/intc/arm_gicv3_cpuif: Fix virtual irq number check in icv_[dir|eoir]_write

hnick@vmware.com (1):
      target/arm: Correct the encoding of MDCCSR_EL0 and DBGDSCRint

docs/system/arm/stm32.rst               |  66 +++++++
 docs/system/target-arm.rst              |   1 +
 default-configs/devices/arm-softmmu.mak |   1 +
 include/hw/arm/stm32f100_soc.h          |  57 ++++++
 hw/arm/stellaris.c                      |  56 +++++-
 hw/arm/stm32f100_soc.c                  | 182 +++++++++++++++++
 hw/arm/stm32vldiscovery.c               |  66 +++++++
 hw/arm/virt.c                           |   3 +
 hw/gpio/pl061.c                         | 341 +++++++++++++++++++++++++-------
 hw/intc/arm_gicv3_cpuif.c               |   4 +-
 hw/intc/arm_gicv3_redist.c              |   4 +-
 target/arm/helper.c                     |  16 +-
 tests/qtest/boot-serial-test.c          |  37 ++++
 MAINTAINERS                             |  13 ++
 hw/arm/Kconfig                          |  10 +
 hw/arm/meson.build                      |   2 +
 hw/gpio/trace-events                    |   9 +
 17 files changed, 790 insertions(+), 78 deletions(-)
 create mode 100644 docs/system/arm/stm32.rst
 create mode 100644 include/hw/arm/stm32f100_soc.h
 create mode 100644 hw/arm/stm32f100_soc.c
 create mode 100644 hw/arm/stm32vldiscovery.c

From: Alexandre Iooss <erdnaxe@crans.org>

This SoC is similar to stm32f205 SoC.
This will be used by the STM32VLDISCOVERY to create a machine.

Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210617165647.2575955-2-erdnaxe@crans.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/stm32f100_soc.h |  57 +++++++++++
 hw/arm/stm32f100_soc.c         | 182 +++++++++++++++++++++++++++++++++
 MAINTAINERS                    |   6 ++
 hw/arm/Kconfig                 |   6 ++
 hw/arm/meson.build             |   1 +
 5 files changed, 252 insertions(+)
 create mode 100644 include/hw/arm/stm32f100_soc.h
 create mode 100644 hw/arm/stm32f100_soc.c

diff --git a/include/hw/arm/stm32f100_soc.h b/include/hw/arm/stm32f100_soc.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/stm32f100_soc.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F100 SoC
+ *
+ * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_ARM_STM32F100_SOC_H
+#define HW_ARM_STM32F100_SOC_H
+
+#include "hw/char/stm32f2xx_usart.h"
+#include "hw/ssi/stm32f2xx_spi.h"
+#include "hw/arm/armv7m.h"
+#include "qom/object.h"
+
+#define TYPE_STM32F100_SOC "stm32f100-soc"
+OBJECT_DECLARE_SIMPLE_TYPE(STM32F100State, STM32F100_SOC)
+
+#define STM_NUM_USARTS 3
+#define STM_NUM_SPIS 2
+
+#define FLASH_BASE_ADDRESS 0x08000000
+#define FLASH_SIZE (128 * 1024)
+#define SRAM_BASE_ADDRESS 0x20000000
+#define SRAM_SIZE (8 * 1024)
+
+struct STM32F100State {
+    /*< private >*/
+    SysBusDevice parent_obj;
+
+    /*< public >*/
+    char *cpu_type;
+
+    ARMv7MState armv7m;
+
+    STM32F2XXUsartState usart[STM_NUM_USARTS];
+    STM32F2XXSPIState spi[STM_NUM_SPIS];
+};
+
+#endif
diff --git a/hw/arm/stm32f100_soc.c b/hw/arm/stm32f100_soc.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/stm32f100_soc.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F100 SoC
+ *
+ * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/module.h"
+#include "hw/arm/boot.h"
+#include "exec/address-spaces.h"
+#include "hw/arm/stm32f100_soc.h"
+#include "hw/qdev-properties.h"
+#include "hw/misc/unimp.h"
+#include "sysemu/sysemu.h"
+
+/* stm32f100_soc implementation is derived from stm32f205_soc */
+
+static const uint32_t usart_addr[STM_NUM_USARTS] = { 0x40013800, 0x40004400,
+    0x40004800 };
+static const uint32_t spi_addr[STM_NUM_SPIS] = { 0x40013000, 0x40003800 };
+
+static const int usart_irq[STM_NUM_USARTS] = {37, 38, 39};
+static const int spi_irq[STM_NUM_SPIS] = {35, 36};
+
+static void stm32f100_soc_initfn(Object *obj)
+{
+    STM32F100State *s = STM32F100_SOC(obj);
+    int i;
+
+    object_initialize_child(obj, "armv7m", &s->armv7m, TYPE_ARMV7M);
+
+    for (i = 0; i < STM_NUM_USARTS; i++) {
+        object_initialize_child(obj, "usart[*]", &s->usart[i],
+                                TYPE_STM32F2XX_USART);
+    }
+
+    for (i = 0; i < STM_NUM_SPIS; i++) {
+        object_initialize_child(obj, "spi[*]", &s->spi[i], TYPE_STM32F2XX_SPI);
+    }
+}
+
+static void stm32f100_soc_realize(DeviceState *dev_soc, Error **errp)
+{
+    STM32F100State *s = STM32F100_SOC(dev_soc);
+    DeviceState *dev, *armv7m;
+    SysBusDevice *busdev;
+    int i;
+
+    MemoryRegion *system_memory = get_system_memory();
+    MemoryRegion *sram = g_new(MemoryRegion, 1);
+    MemoryRegion *flash = g_new(MemoryRegion, 1);
+    MemoryRegion *flash_alias = g_new(MemoryRegion, 1);
+
+    /*
+     * Init flash region
+     * Flash starts at 0x08000000 and then is aliased to boot memory at 0x0
+     */
+    memory_region_init_rom(flash, OBJECT(dev_soc), "STM32F100.flash",
+                           FLASH_SIZE, &error_fatal);
+    memory_region_init_alias(flash_alias, OBJECT(dev_soc),
+                             "STM32F100.flash.alias", flash, 0, FLASH_SIZE);
+    memory_region_add_subregion(system_memory, FLASH_BASE_ADDRESS, flash);
+    memory_region_add_subregion(system_memory, 0, flash_alias);
+
+    /* Init SRAM region */
+    memory_region_init_ram(sram, NULL, "STM32F100.sram", SRAM_SIZE,
+                           &error_fatal);
+    memory_region_add_subregion(system_memory, SRAM_BASE_ADDRESS, sram);
+
+    /* Init ARMv7m */
+    armv7m = DEVICE(&s->armv7m);
+    qdev_prop_set_uint32(armv7m, "num-irq", 61);
+    qdev_prop_set_string(armv7m, "cpu-type", s->cpu_type);
+    qdev_prop_set_bit(armv7m, "enable-bitband", true);
+    object_property_set_link(OBJECT(&s->armv7m), "memory",
+                             OBJECT(get_system_memory()), &error_abort);
+    if (!sysbus_realize(SYS_BUS_DEVICE(&s->armv7m), errp)) {
+        return;
+    }
+
+    /* Attach UART (uses USART registers) and USART controllers */
+    for (i = 0; i < STM_NUM_USARTS; i++) {
+        dev = DEVICE(&(s->usart[i]));
+        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
+        if (!sysbus_realize(SYS_BUS_DEVICE(&s->usart[i]), errp)) {
+            return;
+        }
+        busdev = SYS_BUS_DEVICE(dev);
+        sysbus_mmio_map(busdev, 0, usart_addr[i]);
+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, usart_irq[i]));
+    }
+
+    /* SPI 1 and 2 */
+    for (i = 0; i < STM_NUM_SPIS; i++) {
+        dev = DEVICE(&(s->spi[i]));
+        if (!sysbus_realize(SYS_BUS_DEVICE(&s->spi[i]), errp)) {
+            return;
+        }
+        busdev = SYS_BUS_DEVICE(dev);
+        sysbus_mmio_map(busdev, 0, spi_addr[i]);
+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, spi_irq[i]));
+    }
+
+    create_unimplemented_device("timer[2]",  0x40000000, 0x400);
+    create_unimplemented_device("timer[3]",  0x40000400, 0x400);
+    create_unimplemented_device("timer[4]",  0x40000800, 0x400);
+    create_unimplemented_device("timer[6]",  0x40001000, 0x400);
+    create_unimplemented_device("timer[7]",  0x40001400, 0x400);
+    create_unimplemented_device("RTC",       0x40002800, 0x400);
+    create_unimplemented_device("WWDG",      0x40002C00, 0x400);
+    create_unimplemented_device("IWDG",      0x40003000, 0x400);
+    create_unimplemented_device("I2C1",      0x40005400, 0x400);
+    create_unimplemented_device("I2C2",      0x40005800, 0x400);
+    create_unimplemented_device("BKP",       0x40006C00, 0x400);
+    create_unimplemented_device("PWR",       0x40007000, 0x400);
+    create_unimplemented_device("DAC",       0x40007400, 0x400);
+    create_unimplemented_device("CEC",       0x40007800, 0x400);
+    create_unimplemented_device("AFIO",      0x40010000, 0x400);
+    create_unimplemented_device("EXTI",      0x40010400, 0x400);
+    create_unimplemented_device("GPIOA",     0x40010800, 0x400);
+    create_unimplemented_device("GPIOB",     0x40010C00, 0x400);
+    create_unimplemented_device("GPIOC",     0x40011000, 0x400);
+    create_unimplemented_device("GPIOD",     0x40011400, 0x400);
+    create_unimplemented_device("GPIOE",     0x40011800, 0x400);
+    create_unimplemented_device("ADC1",      0x40012400, 0x400);
+    create_unimplemented_device("timer[1]",  0x40012C00, 0x400);
+    create_unimplemented_device("timer[15]", 0x40014000, 0x400);
+    create_unimplemented_device("timer[16]", 0x40014400, 0x400);
+    create_unimplemented_device("timer[17]", 0x40014800, 0x400);
+    create_unimplemented_device("DMA",       0x40020000, 0x400);
+    create_unimplemented_device("RCC",       0x40021000, 0x400);
+    create_unimplemented_device("Flash Int", 0x40022000, 0x400);
+    create_unimplemented_device("CRC",       0x40023000, 0x400);
+}
+
+static Property stm32f100_soc_properties[] = {
+    DEFINE_PROP_STRING("cpu-type", STM32F100State, cpu_type),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void stm32f100_soc_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = stm32f100_soc_realize;
+    device_class_set_props(dc, stm32f100_soc_properties);
+}
+
+static const TypeInfo stm32f100_soc_info = {
+    .name          = TYPE_STM32F100_SOC,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(STM32F100State),
+    .instance_init = stm32f100_soc_initfn,
+    .class_init    = stm32f100_soc_class_init,
+};
+
+static void stm32f100_soc_types(void)
+{
+    type_register_static(&stm32f100_soc_info);
+}
+
+type_init(stm32f100_soc_types)
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/virt-acpi-build.c
 
+STM32F100
+M: Alexandre Iooss <erdnaxe@crans.org>
+L: qemu-arm@nongnu.org
+S: Maintained
+F: hw/arm/stm32f100_soc.c
+
 STM32F205
 M: Alistair Francis <alistair@alistair23.me>
 M: Peter Maydell <peter.maydell@linaro.org>
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config RASPI
     select SDHCI
     select USB_DWC2
 
+config STM32F100_SOC
+    bool
+    select ARM_V7M
+    select STM32F2XX_USART
+    select STM32F2XX_SPI
+
 config STM32F205_SOC
     bool
     select ARM_V7M
diff --git a/hw/arm/meson.build b/hw/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/meson.build
+++ b/hw/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_STRONGARM', if_true: files('strongarm.c'))
 arm_ss.add(when: 'CONFIG_ALLWINNER_A10', if_true: files('allwinner-a10.c', 'cubieboard.c'))
 arm_ss.add(when: 'CONFIG_ALLWINNER_H3', if_true: files('allwinner-h3.c', 'orangepi.c'))
 arm_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_peripherals.c', 'bcm2836.c', 'raspi.c'))
+arm_ss.add(when: 'CONFIG_STM32F100_SOC', if_true: files('stm32f100_soc.c'))
 arm_ss.add(when: 'CONFIG_STM32F205_SOC', if_true: files('stm32f205_soc.c'))
 arm_ss.add(when: 'CONFIG_STM32F405_SOC', if_true: files('stm32f405_soc.c'))
 arm_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zynqmp.c', 'xlnx-zcu102.c'))
-- 
2.20.1

From: Alexandre Iooss <erdnaxe@crans.org>

This is a Cortex-M3 based machine. Information can be found at:
https://www.st.com/en/evaluation-tools/stm32vldiscovery.html

Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210617165647.2575955-3-erdnaxe@crans.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 default-configs/devices/arm-softmmu.mak |  1 +
 hw/arm/stm32vldiscovery.c               | 66 +++++++++++++++++++++++++
 MAINTAINERS                             |  6 +++
 hw/arm/Kconfig                          |  4 ++
 hw/arm/meson.build                      |  1 +
 5 files changed, 78 insertions(+)
 create mode 100644 hw/arm/stm32vldiscovery.c

diff --git a/default-configs/devices/arm-softmmu.mak b/default-configs/devices/arm-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/devices/arm-softmmu.mak
+++ b/default-configs/devices/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_CHEETAH=y
 CONFIG_SX1=y
 CONFIG_NSERIES=y
 CONFIG_STELLARIS=y
+CONFIG_STM32VLDISCOVERY=y
 CONFIG_REALVIEW=y
 CONFIG_VERSATILE=y
 CONFIG_VEXPRESS=y
diff --git a/hw/arm/stm32vldiscovery.c b/hw/arm/stm32vldiscovery.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/stm32vldiscovery.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ST STM32VLDISCOVERY machine
+ *
+ * Copyright (c) 2021 Alexandre Iooss <erdnaxe@crans.org>
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "hw/boards.h"
+#include "hw/qdev-properties.h"
+#include "qemu/error-report.h"
+#include "hw/arm/stm32f100_soc.h"
+#include "hw/arm/boot.h"
+
+/* stm32vldiscovery implementation is derived from netduinoplus2 */
+
+/* Main SYSCLK frequency in Hz (24MHz) */
+#define SYSCLK_FRQ 24000000ULL
+
+static void stm32vldiscovery_init(MachineState *machine)
+{
+    DeviceState *dev;
+
+    /*
+     * TODO: ideally we would model the SoC RCC and let it handle
+     * system_clock_scale, including its ability to define different
+     * possible SYSCLK sources.
+     */
+    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
+
+    dev = qdev_new(TYPE_STM32F100_SOC);
+    qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m3"));
+    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
+
+    armv7m_load_kernel(ARM_CPU(first_cpu),
+                       machine->kernel_filename,
+                       FLASH_SIZE);
+}
+
+static void stm32vldiscovery_machine_init(MachineClass *mc)
+{
+    mc->desc = "ST STM32VLDISCOVERY (Cortex-M3)";
+    mc->init = stm32vldiscovery_init;
+}
+
+DEFINE_MACHINE("stm32vldiscovery", stm32vldiscovery_machine_init)
+
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/*/stellaris*
 F: include/hw/input/gamepad.h
 F: docs/system/arm/stellaris.rst
 
+STM32VLDISCOVERY
+M: Alexandre Iooss <erdnaxe@crans.org>
+L: qemu-arm@nongnu.org
+S: Maintained
+F: hw/arm/stm32vldiscovery.c
+
 Versatile Express
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config STELLARIS
     select STELLARIS_ENET # ethernet
     select UNIMP
 
+config STM32VLDISCOVERY
+    bool
+    select STM32F100_SOC
+
 config STRONGARM
     bool
     select PXA2XX
diff --git a/hw/arm/meson.build b/hw/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/meson.build
+++ b/hw/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'CONFIG_Z2', if_true: files('z2.c'))
 arm_ss.add(when: 'CONFIG_REALVIEW', if_true: files('realview.c'))
 arm_ss.add(when: 'CONFIG_SBSA_REF', if_true: files('sbsa-ref.c'))
 arm_ss.add(when: 'CONFIG_STELLARIS', if_true: files('stellaris.c'))
+arm_ss.add(when: 'CONFIG_STM32VLDISCOVERY', if_true: files('stm32vldiscovery.c'))
 arm_ss.add(when: 'CONFIG_COLLIE', if_true: files('collie.c'))
 arm_ss.add(when: 'CONFIG_VERSATILE', if_true: files('versatilepb.c'))
 arm_ss.add(when: 'CONFIG_VEXPRESS', if_true: files('vexpress.c'))
-- 
2.20.1

From: Alexandre Iooss <erdnaxe@crans.org>

This adds the target guide for Netduino 2, Netduino Plus 2 and STM32VLDISCOVERY.

Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210617165647.2575955-4-erdnaxe@crans.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/stm32.rst  | 66 ++++++++++++++++++++++++++++++++++++++
 docs/system/target-arm.rst |  1 +
 MAINTAINERS                |  1 +
 3 files changed, 68 insertions(+)
 create mode 100644 docs/system/arm/stm32.rst

diff --git a/docs/system/arm/stm32.rst b/docs/system/arm/stm32.rst
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/docs/system/arm/stm32.rst
@@ -XXX,XX +XXX,XX @@
+STMicroelectronics STM32 boards (``netduino2``, ``netduinoplus2``, ``stm32vldiscovery``)
+========================================================================================
+
+The `STM32`_ chips are a family of 32-bit ARM-based microcontroller by
+STMicroelectronics.
+
+.. _STM32: https://www.st.com/en/microcontrollers-microprocessors/stm32-32-bit-arm-cortex-mcus.html
+
+The STM32F1 series is based on ARM Cortex-M3 core. The following machines are
+based on this chip :
+
+- ``stm32vldiscovery``  STM32VLDISCOVERY board with STM32F100RBT6 microcontroller
+
+The STM32F2 series is based on ARM Cortex-M3 core. The following machines are
+based on this chip :
+
+- ``netduino2``         Netduino 2 board with STM32F205RFT6 microcontroller
+
+The STM32F4 series is based on ARM Cortex-M4F core. This series is pin-to-pin
+compatible with STM32F2 series. The following machines are based on this chip :
+
+- ``netduinoplus2``     Netduino Plus 2 board with STM32F405RGT6 microcontroller
+
+There are many other STM32 series that are currently not supported by QEMU.
+
+Supported devices
+-----------------
+
+ * ARM Cortex-M3, Cortex M4F
+ * Analog to Digital Converter (ADC)
+ * EXTI interrupt
+ * Serial ports (USART)
+ * SPI controller
+ * System configuration (SYSCFG)
+ * Timer controller (TIMER)
+
+Missing devices
+---------------
+
+ * Camera interface (DCMI)
+ * Controller Area Network (CAN)
+ * Cycle Redundancy Check (CRC) calculation unit
+ * Digital to Analog Converter (DAC)
+ * DMA controller
+ * Ethernet controller
+ * Flash Interface Unit
+ * GPIO controller
+ * I2C controller
+ * Inter-Integrated Sound (I2S) controller
+ * Power supply configuration (PWR)
+ * Random Number Generator (RNG)
+ * Real-Time Clock (RTC) controller
+ * Reset and Clock Controller (RCC)
+ * Secure Digital Input/Output (SDIO) interface
+ * USB OTG
+ * Watchdog controller (IWDG, WWDG)
+
+Boot options
+------------
+
+The STM32 machines can be started using the ``-kernel`` option to load a
+firmware. Example:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M stm32vldiscovery -kernel firmware.bin
diff --git a/docs/system/target-arm.rst b/docs/system/target-arm.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/target-arm.rst
+++ b/docs/system/target-arm.rst
@@ -XXX,XX +XXX,XX @@ undocumented; you can get a complete list by running
    arm/collie
    arm/sx1
    arm/stellaris
+   arm/stm32
    arm/virt
    arm/xlnx-versal-virt
 
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Alexandre Iooss <erdnaxe@crans.org>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/stm32vldiscovery.c
+F: docs/system/arm/stm32.rst
 
 Versatile Express
 M: Peter Maydell <peter.maydell@linaro.org>
-- 
2.20.1

From: Alexandre Iooss <erdnaxe@crans.org>

New mini-kernel test for STM32VLDISCOVERY USART1.

Signed-off-by: Alexandre Iooss <erdnaxe@crans.org>
Acked-by: Thomas Huth <thuth@redhat.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210617165647.2575955-5-erdnaxe@crans.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/boot-serial-test.c | 37 ++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/boot-serial-test.c
+++ b/tests/qtest/boot-serial-test.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_nrf51[] = {
     0x1c, 0x25, 0x00, 0x40                  /* 0x4000251c = UART TXD */
 };
 
+static const uint8_t kernel_stm32vldiscovery[] = {
+    0x00, 0x00, 0x00, 0x00,                 /* Stack top address */
+    0x1d, 0x00, 0x00, 0x00,                 /* Reset handler address */
+    0x00, 0x00, 0x00, 0x00,                 /* NMI */
+    0x00, 0x00, 0x00, 0x00,                 /* Hard fault */
+    0x00, 0x00, 0x00, 0x00,                 /* Memory management fault */
+    0x00, 0x00, 0x00, 0x00,                 /* Bus fault */
+    0x00, 0x00, 0x00, 0x00,                 /* Usage fault */
+    0x0b, 0x4b,                             /* ldr  r3, [pc, #44] Get RCC */
+    0x44, 0xf2, 0x04, 0x02,                 /* movw r2, #16388 */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0x0a, 0x4b,                             /* ldr  r3, [pc, #40] Get GPIOA */
+    0x1a, 0x68,                             /* ldr  r2, [r3] */
+    0x22, 0xf0, 0xf0, 0x02,                 /* bic  r2, r2, #240 */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0x1a, 0x68,                             /* ldr  r2, [r3] */
+    0x42, 0xf0, 0xb0, 0x02,                 /* orr  r2, r2, #176 */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0x07, 0x4b,                             /* ldr  r3, [pc, #26] Get BAUD */
+    0x45, 0x22,                             /* movs r2, #69 */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0x06, 0x4b,                             /* ldr  r3, [pc, #24] Get ENABLE */
+    0x42, 0xf2, 0x08, 0x02,                 /* movw r2, #8200 */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0x05, 0x4b,                             /* ldr  r3, [pc, #20] Get TXD */
+    0x54, 0x22,                             /* movs r2, 'T' */
+    0x1a, 0x60,                             /* str  r2, [r3] */
+    0xfe, 0xe7,                             /* b    . */
+    0x18, 0x10, 0x02, 0x40,                 /* 0x40021018 = RCC */
+    0x04, 0x08, 0x01, 0x40,                 /* 0x40010804 = GPIOA */
+    0x08, 0x38, 0x01, 0x40,                 /* 0x40013808 = USART1 BAUD */
+    0x0c, 0x38, 0x01, 0x40,                 /* 0x4001380c = USART1 ENABLE */
+    0x04, 0x38, 0x01, 0x40                  /* 0x40013804 = USART1 TXD */
+};
+
 typedef struct testdef {
     const char *arch;       /* Target architecture */
     const char *machine;    /* Name of the machine */
@@ -XXX,XX +XXX,XX @@ static testdef_t tests[] = {
     { "aarch64", "virt", "-cpu max", "TT", sizeof(kernel_aarch64),
       kernel_aarch64 },
     { "arm", "microbit", "", "T", sizeof(kernel_nrf51), kernel_nrf51 },
+    { "arm", "stm32vldiscovery", "", "T",
+      sizeof(kernel_stm32vldiscovery), kernel_stm32vldiscovery },
 
     { NULL }
 };
-- 
2.20.1

From: Ricardo Koller <ricarkol@google.com>

icv_eoir_write() and icv_dir_write() ignore invalid virtual IRQ numbers
(like LPIs).  The issue is that these functions check against the number
of implemented IRQs (QEMU's default is num_irq=288) which can be lower
than the maximum virtual IRQ number (1020 - 1).  The consequence is that
if a hypervisor creates an LR for an IRQ between 288 and 1020, then the
guest is unable to deactivate the resulting IRQ. Note that other
functions that deal with large IRQ numbers, like icv_iar_read, check
against 1020 and not against num_irq.

Fix the checks by using GICV3_MAXIRQ (1020) instead of the number of
implemented IRQs.

Signed-off-by: Ricardo Koller <ricarkol@google.com>
Message-id: 20210702233701.3369-1-ricarkol@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static void icv_dir_write(CPUARMState *env, const ARMCPRegInfo *ri,
 
     trace_gicv3_icv_dir_write(gicv3_redist_affid(cs), value);
 
-    if (irq >= cs->gic->num_irq) {
+    if (irq >= GICV3_MAXIRQ) {
         /* Also catches special interrupt numbers and LPIs */
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void icv_eoir_write(CPUARMState *env, const ARMCPRegInfo *ri,
     trace_gicv3_icv_eoir_write(ri->crm == 8 ? 0 : 1,
                                gicv3_redist_affid(cs), value);
 
-    if (irq >= cs->gic->num_irq) {
+    if (irq >= GICV3_MAXIRQ) {
         /* Also catches special interrupt numbers and LPIs */
         return;
     }
-- 
2.20.1

Convert the use of the DPRINTF debug macro in the PL061 model to
use tracepoints.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c      | 27 +++++++++------------------
 hw/gpio/trace-events |  6 ++++++
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/log.h"
 #include "qemu/module.h"
 #include "qom/object.h"
-
-//#define DEBUG_PL061 1
-
-#ifdef DEBUG_PL061
-#define DPRINTF(fmt, ...) \
-do { printf("pl061: " fmt , ## __VA_ARGS__); } while (0)
-#define BADF(fmt, ...) \
-do { fprintf(stderr, "pl061: error: " fmt , ## __VA_ARGS__); exit(1);} while (0)
-#else
-#define DPRINTF(fmt, ...) do {} while(0)
-#define BADF(fmt, ...) \
-do { fprintf(stderr, "pl061: error: " fmt , ## __VA_ARGS__);} while (0)
-#endif
+#include "trace.h"
 
 static const uint8_t pl061_id[12] =
   { 0x00, 0x00, 0x00, 0x00, 0x61, 0x10, 0x04, 0x00, 0x0d, 0xf0, 0x05, 0xb1 };
@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
     uint8_t out;
     int i;
 
-    DPRINTF("dir = %d, data = %d\n", s->dir, s->data);
+    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data);
 
     /* Outputs float high.  */
     /* FIXME: This is board dependent.  */
@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
         for (i = 0; i < N_GPIOS; i++) {
             mask = 1 << i;
             if (changed & mask) {
-                DPRINTF("Set output %d = %d\n", i, (out & mask) != 0);
-                qemu_set_irq(s->out[i], (out & mask) != 0);
+                int level = (out & mask) != 0;
+                trace_pl061_set_output(DEVICE(s)->canonical_path, i, level);
+                qemu_set_irq(s->out[i], level);
             }
         }
     }
@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
         for (i = 0; i < N_GPIOS; i++) {
             mask = 1 << i;
             if (changed & mask) {
-                DPRINTF("Changed input %d = %d\n", i, (s->data & mask) != 0);
+                trace_pl061_input_change(DEVICE(s)->canonical_path, i,
+                                         (s->data & mask) != 0);
 
                 if (!(s->isense & mask)) {
                     /* Edge interrupt */
@@ -XXX,XX +XXX,XX @@ static void pl061_update(PL061State *s)
     /* Level interrupt */
     s->istate |= ~(s->data ^ s->iev) & s->isense;
 
-    DPRINTF("istate = %02X\n", s->istate);
+    trace_pl061_update_istate(DEVICE(s)->canonical_path,
+                              s->istate, s->im, (s->istate & s->im) != 0);
 
     qemu_set_irq(s->irq, (s->istate & s->im) != 0);
 }
diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/trace-events
+++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ nrf51_gpio_write(uint64_t offset, uint64_t value) "offset 0x%" PRIx64 " value 0x
 nrf51_gpio_set(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
 nrf51_gpio_update_output_irq(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
 
+# pl061.c
+pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIODATA 0x%x"
+pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
+pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
+pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
+
 # sifive_gpio.c
 sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
 sifive_gpio_write(uint64_t offset, uint64_t value) "offset 0x%" PRIx64 " value 0x%" PRIx64
-- 
2.20.1

Currently the pl061_read() and pl061_write() functions handle offsets
using a combination of three if() statements and a switch().  Clean
this up to use just a switch, using case ranges.

This requires that instead of catching accesses to the luminary-only
registers on a stock PL061 via a check on s->rsvd_start we use
an "is this luminary?" check in the cases for each luminary-only
register.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c | 104 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 79 insertions(+), 25 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@ struct PL061State {
     qemu_irq irq;
     qemu_irq out[N_GPIOS];
     const unsigned char *id;
-    uint32_t rsvd_start; /* reserved area: [rsvd_start, 0xfcc] */
 };
 
 static const VMStateDescription vmstate_pl061 = {
@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
 {
     PL061State *s = (PL061State *)opaque;
 
-    if (offset < 0x400) {
-        return s->data & (offset >> 2);
-    }
-    if (offset >= s->rsvd_start && offset <= 0xfcc) {
-        goto err_out;
-    }
-    if (offset >= 0xfd0 && offset < 0x1000) {
-        return s->id[(offset - 0xfd0) >> 2];
-    }
     switch (offset) {
+    case 0x0 ... 0x3ff: /* Data */
+        return s->data & (offset >> 2);
     case 0x400: /* Direction */
         return s->dir;
     case 0x404: /* Interrupt sense */
@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
     case 0x420: /* Alternate function select */
         return s->afsel;
     case 0x500: /* 2mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->dr2r;
     case 0x504: /* 4mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->dr4r;
     case 0x508: /* 8mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->dr8r;
     case 0x50c: /* Open drain */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->odr;
     case 0x510: /* Pull-up */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->pur;
     case 0x514: /* Pull-down */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->pdr;
     case 0x518: /* Slew rate control */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->slr;
     case 0x51c: /* Digital enable */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->den;
     case 0x520: /* Lock */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->locked;
     case 0x524: /* Commit */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->cr;
     case 0x528: /* Analog mode select */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         return s->amsel;
+    case 0xfd0 ... 0xfff: /* ID registers */
+        return s->id[(offset - 0xfd0) >> 2];
     default:
+    bad_offset:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "pl061_read: Bad offset %x\n", (int)offset);
         break;
     }
-err_out:
-    qemu_log_mask(LOG_GUEST_ERROR,
-                  "pl061_read: Bad offset %x\n", (int)offset);
     return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
     PL061State *s = (PL061State *)opaque;
     uint8_t mask;
 
-    if (offset < 0x400) {
+    switch (offset) {
+    case 0 ... 0x3ff:
         mask = (offset >> 2) & s->dir;
         s->data = (s->data & ~mask) | (value & mask);
         pl061_update(s);
         return;
-    }
-    if (offset >= s->rsvd_start) {
-        goto err_out;
-    }
-    switch (offset) {
     case 0x400: /* Direction */
         s->dir = value & 0xff;
         break;
@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
         s->afsel = (s->afsel & ~mask) | (value & mask);
         break;
     case 0x500: /* 2mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->dr2r = value & 0xff;
         break;
     case 0x504: /* 4mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->dr4r = value & 0xff;
         break;
     case 0x508: /* 8mA drive */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->dr8r = value & 0xff;
         break;
     case 0x50c: /* Open drain */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->odr = value & 0xff;
         break;
     case 0x510: /* Pull-up */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->pur = value & 0xff;
         break;
     case 0x514: /* Pull-down */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->pdr = value & 0xff;
         break;
     case 0x518: /* Slew rate control */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->slr = value & 0xff;
         break;
     case 0x51c: /* Digital enable */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->den = value & 0xff;
         break;
     case 0x520: /* Lock */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->locked = (value != 0xacce551);
         break;
     case 0x524: /* Commit */
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         if (!s->locked)
             s->cr = value & 0xff;
         break;
     case 0x528:
+        if (s->id != pl061_id_luminary) {
+            goto bad_offset;
+        }
         s->amsel = value & 0xff;
         break;
     default:
-        goto err_out;
+    bad_offset:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "pl061_write: Bad offset %x\n", (int)offset);
+        return;
     }
     pl061_update(s);
     return;
-err_out:
-    qemu_log_mask(LOG_GUEST_ERROR,
-                  "pl061_write: Bad offset %x\n", (int)offset);
 }
 
 static void pl061_reset(DeviceState *dev)
@@ -XXX,XX +XXX,XX @@ static void pl061_luminary_init(Object *obj)
     PL061State *s = PL061(obj);
 
     s->id = pl061_id_luminary;
-    s->rsvd_start = 0x52c;
 }
 
 static void pl061_init(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void pl061_init(Object *obj)
     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 
     s->id = pl061_id;
-    s->rsvd_start = 0x424;
 
     memory_region_init_io(&s->iomem, obj, &pl061_ops, s, "pl061", 0x1000);
     sysbus_init_mmio(sbd, &s->iomem);
-- 
2.20.1

Add tracepoints for reads and writes to the PL061 registers. This requires
restructuring pl061_read() to only return after the tracepoint, rather
than having lots of early-returns.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c      | 70 ++++++++++++++++++++++++++++++--------------
 hw/gpio/trace-events |  2 ++
 2 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
                            unsigned size)
 {
     PL061State *s = (PL061State *)opaque;
+    uint64_t r = 0;
 
     switch (offset) {
     case 0x0 ... 0x3ff: /* Data */
-        return s->data & (offset >> 2);
+        r = s->data & (offset >> 2);
+        break;
     case 0x400: /* Direction */
-        return s->dir;
+        r = s->dir;
+        break;
     case 0x404: /* Interrupt sense */
-        return s->isense;
+        r = s->isense;
+        break;
     case 0x408: /* Interrupt both edges */
-        return s->ibe;
+        r = s->ibe;
+        break;
     case 0x40c: /* Interrupt event */
-        return s->iev;
+        r = s->iev;
+        break;
     case 0x410: /* Interrupt mask */
-        return s->im;
+        r = s->im;
+        break;
     case 0x414: /* Raw interrupt status */
-        return s->istate;
+        r = s->istate;
+        break;
     case 0x418: /* Masked interrupt status */
-        return s->istate & s->im;
+        r = s->istate & s->im;
+        break;
     case 0x420: /* Alternate function select */
-        return s->afsel;
+        r = s->afsel;
+        break;
     case 0x500: /* 2mA drive */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->dr2r;
+        r = s->dr2r;
+        break;
     case 0x504: /* 4mA drive */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->dr4r;
+        r = s->dr4r;
+        break;
     case 0x508: /* 8mA drive */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->dr8r;
+        r = s->dr8r;
+        break;
     case 0x50c: /* Open drain */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->odr;
+        r = s->odr;
+        break;
     case 0x510: /* Pull-up */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->pur;
+        r = s->pur;
+        break;
     case 0x514: /* Pull-down */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->pdr;
+        r = s->pdr;
+        break;
     case 0x518: /* Slew rate control */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->slr;
+        r = s->slr;
+        break;
     case 0x51c: /* Digital enable */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->den;
+        r = s->den;
+        break;
     case 0x520: /* Lock */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->locked;
+        r = s->locked;
+        break;
     case 0x524: /* Commit */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->cr;
+        r = s->cr;
+        break;
     case 0x528: /* Analog mode select */
         if (s->id != pl061_id_luminary) {
             goto bad_offset;
         }
-        return s->amsel;
+        r = s->amsel;
+        break;
     case 0xfd0 ... 0xfff: /* ID registers */
-        return s->id[(offset - 0xfd0) >> 2];
+        r = s->id[(offset - 0xfd0) >> 2];
+        break;
     default:
     bad_offset:
         qemu_log_mask(LOG_GUEST_ERROR,
                       "pl061_read: Bad offset %x\n", (int)offset);
         break;
     }
-    return 0;
+
+    trace_pl061_read(DEVICE(s)->canonical_path, offset, r);
+    return r;
 }
 
 static void pl061_write(void *opaque, hwaddr offset,
@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
     PL061State *s = (PL061State *)opaque;
     uint8_t mask;
 
+    trace_pl061_write(DEVICE(s)->canonical_path, offset, value);
+
     switch (offset) {
     case 0 ... 0x3ff:
         mask = (offset >> 2) & s->dir;
diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/trace-events
+++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIOD
 pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
 pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
 pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
+pl061_read(const char *id, uint64_t offset, uint64_t r) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
+pl061_write(const char *id, uint64_t offset, uint64_t value) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
 
 # sifive_gpio.c
 sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
-- 
2.20.1

The Luminary variant of the PL061 has registers GPIOPUR and GPIOPDR
which lets the guest configure whether the GPIO lines are pull-up,
pull-down, or truly floating. Instead of assuming all lines are pulled
high, honour the PUR and PDR registers.

For the plain PL061, continue to assume that lines have an external
pull-up resistor, as we did before.

The stellaris board actually relies on this behaviour -- the CD line
of the ssd0323 display device is connected to GPIO output C7, and it
is only because of a different bug which we're about to fix that we
weren't incorrectly driving this line high on reset and putting the
ssd0323 into data mode.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c      | 58 +++++++++++++++++++++++++++++++++++++++++---
 hw/gpio/trace-events |  2 +-
 2 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl061 = {
     }
 };
 
+static uint8_t pl061_floating(PL061State *s)
+{
+    /*
+     * Return mask of bits which correspond to pins configured as inputs
+     * and which are floating (neither pulled up to 1 nor down to 0).
+     */
+    uint8_t floating;
+
+    if (s->id == pl061_id_luminary) {
+        /*
+         * If both PUR and PDR bits are clear, there is neither a pullup
+         * nor a pulldown in place, and the output truly floats.
+         */
+        floating = ~(s->pur | s->pdr);
+    } else {
+        /* Assume outputs are pulled high. FIXME: this is board dependent. */
+        floating = 0;
+    }
+    return floating & ~s->dir;
+}
+
+static uint8_t pl061_pullups(PL061State *s)
+{
+    /*
+     * Return mask of bits which correspond to pins configured as inputs
+     * and which are pulled up to 1.
+     */
+    uint8_t pullups;
+
+    if (s->id == pl061_id_luminary) {
+        /*
+         * The Luminary variant of the PL061 has an extra registers which
+         * the guest can use to configure whether lines should be pullup
+         * or pulldown.
+         */
+        pullups = s->pur;
+    } else {
+        /* Assume outputs are pulled high. FIXME: this is board dependent. */
+        pullups = 0xff;
+    }
+    return pullups & ~s->dir;
+}
+
 static void pl061_update(PL061State *s)
 {
     uint8_t changed;
     uint8_t mask;
     uint8_t out;
     int i;
+    uint8_t pullups = pl061_pullups(s);
+    uint8_t floating = pl061_floating(s);
 
-    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data);
+    trace_pl061_update(DEVICE(s)->canonical_path, s->dir, s->data,
+                       pullups, floating);
 
-    /* Outputs float high.  */
-    /* FIXME: This is board dependent.  */
-    out = (s->data & s->dir) | ~s->dir;
+    /*
+     * Pins configured as output are driven from the data register;
+     * otherwise if they're pulled up they're 1, and if they're floating
+     * then we give them the same value they had previously, so we don't
+     * report any change to the other end.
+     */
+    out = (s->data & s->dir) | pullups | (s->old_out_data & floating);
     changed = s->old_out_data ^ out;
     if (changed) {
         s->old_out_data = out;
diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/trace-events
+++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ nrf51_gpio_set(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
 nrf51_gpio_update_output_irq(int64_t line, int64_t value) "line %" PRIi64 " value %" PRIi64
 
 # pl061.c
-pl061_update(const char *id, uint32_t dir, uint32_t data) "%s GPIODIR 0x%x GPIODATA 0x%x"
+pl061_update(const char *id, uint32_t dir, uint32_t data, uint32_t pullups, uint32_t floating) "%s GPIODIR 0x%x GPIODATA 0x%x pullups 0x%x floating 0x%x"
 pl061_set_output(const char *id, int gpio, int level) "%s setting output %d to %d"
 pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to %d"
 pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
-- 
2.20.1

The PL061 GPIO does not itself include pullup or pulldown resistors
to set the value of a GPIO line treated as an output when it is
configured as an input (ie when the PL061 itself is not driving it).
In real hardware it is up to the board to add suitable pullups or
pulldowns.  Currently our implementation hardwires this to "outputs
pulled high", which is correct for some boards (eg the realview ones:
see figure 3-29 in the "RealView Platform Baseboard for ARM926EJ-S
User Guide" DUI0224I), but wrong for others.

In particular, the wiring in the 'virt' board and the gpio-pwr device
assumes that wires should be pulled low, because otherwise the
pull-to-high will trigger a shutdown or reset action.  (The only
reason this doesn't happen immediately on startup is due to another
bug in the PL061, where we don't assert the GPIOs to the correct
value on reset, but will do so as soon as the guest touches a
register and pl061_update() gets called.)

Add properties to the pl061 so the board can configure whether it
wants GPIO lines to have pullup, pulldown, or neither.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c | 51 +++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 47 insertions(+), 4 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@
  *  + unnamed GPIO inputs 0..7: inputs to connect to the emulated GPIO lines
  *  + unnamed GPIO outputs 0..7: the emulated GPIO lines, considered as
  *    outputs
+ *  + QOM property "pullups": an integer defining whether non-floating lines
+ *    configured as inputs should be pulled up to logical 1 (ie whether in
+ *    real hardware they have a pullup resistor on the line out of the PL061).
+ *    This should be an 8-bit value, where bit 0 is 1 if GPIO line 0 should
+ *    be pulled high, bit 1 configures line 1, and so on. The default is 0xff,
+ *    indicating that all GPIO lines are pulled up to logical 1.
+ *  + QOM property "pulldowns": an integer defining whether non-floating lines
+ *    configured as inputs should be pulled down to logical 0 (ie whether in
+ *    real hardware they have a pulldown resistor on the line out of the PL061).
+ *    This should be an 8-bit value, where bit 0 is 1 if GPIO line 0 should
+ *    be pulled low, bit 1 configures line 1, and so on. The default is 0x0.
+ *    It is an error to set a bit in both "pullups" and "pulldowns". If a bit
+ *    is 0 in both, then the line is considered to be floating, and it will
+ *    not have qemu_set_irq() called on it when it is configured as an input.
  */
 
 #include "qemu/osdep.h"
 #include "hw/irq.h"
 #include "hw/sysbus.h"
+#include "hw/qdev-properties.h"
 #include "migration/vmstate.h"
+#include "qapi/error.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
 #include "qom/object.h"
@@ -XXX,XX +XXX,XX @@ struct PL061State {
     qemu_irq irq;
     qemu_irq out[N_GPIOS];
     const unsigned char *id;
+    /* Properties, for non-Luminary PL061 */
+    uint32_t pullups;
+    uint32_t pulldowns;
 };
 
 static const VMStateDescription vmstate_pl061 = {
@@ -XXX,XX +XXX,XX @@ static uint8_t pl061_floating(PL061State *s)
          */
         floating = ~(s->pur | s->pdr);
     } else {
-        /* Assume outputs are pulled high. FIXME: this is board dependent. */
-        floating = 0;
+        floating = ~(s->pullups | s->pulldowns);
     }
     return floating & ~s->dir;
 }
@@ -XXX,XX +XXX,XX @@ static uint8_t pl061_pullups(PL061State *s)
          */
         pullups = s->pur;
     } else {
-        /* Assume outputs are pulled high. FIXME: this is board dependent. */
-        pullups = 0xff;
+        pullups = s->pullups;
     }
     return pullups & ~s->dir;
 }
@@ -XXX,XX +XXX,XX @@ static void pl061_init(Object *obj)
     qdev_init_gpio_out(dev, s->out, N_GPIOS);
 }
 
+static void pl061_realize(DeviceState *dev, Error **errp)
+{
+    PL061State *s = PL061(dev);
+
+    if (s->pullups > 0xff) {
+        error_setg(errp, "pullups property must be between 0 and 0xff");
+        return;
+    }
+    if (s->pulldowns > 0xff) {
+        error_setg(errp, "pulldowns property must be between 0 and 0xff");
+        return;
+    }
+    if (s->pullups & s->pulldowns) {
+        error_setg(errp, "no bit may be set both in pullups and pulldowns");
+        return;
+    }
+}
+
+static Property pl061_props[] = {
+    DEFINE_PROP_UINT32("pullups", PL061State, pullups, 0xff),
+    DEFINE_PROP_UINT32("pulldowns", PL061State, pulldowns, 0x0),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void pl061_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl061;
     dc->reset = &pl061_reset;
+    dc->realize = pl061_realize;
+    device_class_set_props(dc, pl061_props);
 }
 
 static const TypeInfo pl061_info = {
-- 
2.20.1

For the virt board we have two PL061 devices -- one for NonSecure which
is inputs only, and one for Secure which is outputs only. For the former,
we don't care whether its outputs are pulled low or high when the line is
configured as an input, because we don't connect them. For the latter,
we do care, because we wire the lines up to the gpio-pwr device, which
assumes that level 1 means "do the action" and 1 means "do nothing".
For consistency in case we add more outputs in future, configure both
PL061s to pull GPIO lines down to 0.

Reported-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/arm/virt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_gpio_devices(const VirtMachineState *vms, int gpio,
     MachineState *ms = MACHINE(vms);
 
     pl061_dev = qdev_new("pl061");
+    /* Pull lines down to 0 if not driven by the PL061 */
+    qdev_prop_set_uint32(pl061_dev, "pullups", 0);
+    qdev_prop_set_uint32(pl061_dev, "pulldowns", 0xff);
     s = SYS_BUS_DEVICE(pl061_dev);
     sysbus_realize_and_unref(s, &error_fatal);
     memory_region_add_subregion(mem, base, sysbus_mmio_get_region(s, 0));
-- 
2.20.1

The PL061 comes out of reset with all its lines configured as input,
which means they might need to be pulled to 0 or 1 depending on the
'pullups' and 'pulldowns' properties.  Currently we do not assert
these lines on reset; they will only be set whenever the guest first
touches a register that triggers a call to pl061_update().

Convert the device to three-phase reset so we have a place where we
can safely call qemu_set_irq() to set the floating lines to their
correct values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 hw/gpio/pl061.c      | 29 +++++++++++++++++++++++++----
 hw/gpio/trace-events |  1 +
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@ static void pl061_write(void *opaque, hwaddr offset,
     return;
 }
 
-static void pl061_reset(DeviceState *dev)
+static void pl061_enter_reset(Object *obj, ResetType type)
 {
-    PL061State *s = PL061(dev);
+    PL061State *s = PL061(obj);
+
+    trace_pl061_reset(DEVICE(s)->canonical_path);
 
     /* reset values from PL061 TRM, Stellaris LM3S5P31 & LM3S8962 Data Sheet */
     s->data = 0;
-    s->old_out_data = 0;
     s->old_in_data = 0;
     s->dir = 0;
     s->isense = 0;
@@ -XXX,XX +XXX,XX @@ static void pl061_reset(DeviceState *dev)
     s->amsel = 0;
 }
 
+static void pl061_hold_reset(Object *obj)
+{
+    PL061State *s = PL061(obj);
+    int i, level;
+    uint8_t floating = pl061_floating(s);
+    uint8_t pullups = pl061_pullups(s);
+
+    for (i = 0; i < N_GPIOS; i++) {
+        if (extract32(floating, i, 1)) {
+            continue;
+        }
+        level = extract32(pullups, i, 1);
+        trace_pl061_set_output(DEVICE(s)->canonical_path, i, level);
+        qemu_set_irq(s->out[i], level);
+    }
+    s->old_out_data = pullups;
+}
+
 static void pl061_set_irq(void * opaque, int irq, int level)
 {
     PL061State *s = (PL061State *)opaque;
@@ -XXX,XX +XXX,XX @@ static Property pl061_props[] = {
 static void pl061_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl061;
-    dc->reset = &pl061_reset;
     dc->realize = pl061_realize;
     device_class_set_props(dc, pl061_props);
+    rc->phases.enter = pl061_enter_reset;
+    rc->phases.hold = pl061_hold_reset;
 }
 
 static const TypeInfo pl061_info = {
diff --git a/hw/gpio/trace-events b/hw/gpio/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/trace-events
+++ b/hw/gpio/trace-events
@@ -XXX,XX +XXX,XX @@ pl061_input_change(const char *id, int gpio, int level) "%s input %d changed to
 pl061_update_istate(const char *id, uint32_t istate, uint32_t im, int level) "%s GPIORIS 0x%x GPIOIE 0x%x interrupt level %d"
 pl061_read(const char *id, uint64_t offset, uint64_t r) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
 pl061_write(const char *id, uint64_t offset, uint64_t value) "%s offset 0x%" PRIx64 " value 0x%" PRIx64
+pl061_reset(const char *id) "%s reset"
 
 # sifive_gpio.c
 sifive_gpio_read(uint64_t offset, uint64_t r) "offset 0x%" PRIx64 " value 0x%" PRIx64
-- 
2.20.1

The Luminary PL061s in the Stellaris LM3S9695 don't all have the same
reset value for GPIOPUR.  We can get away with not letting the board
configure the PUR reset value because we don't actually wire anything
up to the lines which should reset to pull-up.  Add a comment noting
this omission.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 hw/gpio/pl061.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -XXX,XX +XXX,XX @@ static void pl061_enter_reset(Object *obj, ResetType type)
     trace_pl061_reset(DEVICE(s)->canonical_path);
 
     /* reset values from PL061 TRM, Stellaris LM3S5P31 & LM3S8962 Data Sheet */
+
+    /*
+     * FIXME: For the LM3S6965, not all of the PL061 instances have the
+     * same reset values for GPIOPUR, GPIOAFSEL and GPIODEN, so in theory
+     * we should allow the board to configure these via properties.
+     * In practice, we don't wire anything up to the affected GPIO lines
+     * (PB7, PC0, PC1, PC2, PC3 -- they're used for JTAG), so we can
+     * get away with this inaccuracy.
+     */
     s->data = 0;
     s->old_in_data = 0;
     s->dir = 0;
-- 
2.20.1

The stellaris board doesn't emulate the handling of the OLED
chipselect line correctly.  Expand the comment describing this,
including a sketch of the theoretical correct way to do it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/stellaris.c | 56 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
             DeviceState *sddev;
             DeviceState *ssddev;
 
-            /* Some boards have both an OLED controller and SD card connected to
+            /*
+             * Some boards have both an OLED controller and SD card connected to
              * the same SSI port, with the SD card chip select connected to a
              * GPIO pin.  Technically the OLED chip select is connected to the
              * SSI Fss pin.  We do not bother emulating that as both devices
              * should never be selected simultaneously, and our OLED controller
              * ignores stray 0xff commands that occur when deselecting the SD
              * card.
+             *
+             * The h/w wiring is:
+             *  - GPIO pin D0 is wired to the active-low SD card chip select
+             *  - GPIO pin A3 is wired to the active-low OLED chip select
+             *  - The SoC wiring of the PL061 "auxiliary function" for A3 is
+             *    SSI0Fss ("frame signal"), which is an output from the SoC's
+             *    SSI controller. The SSI controller takes SSI0Fss low when it
+             *    transmits a frame, so it can work as a chip-select signal.
+             *  - GPIO A4 is aux-function SSI0Rx, and wired to the SD card Tx
+             *    (the OLED never sends data to the CPU, so no wiring needed)
+             *  - GPIO A5 is aux-function SSI0Tx, and wired to the SD card Rx
+             *    and the OLED display-data-in
+             *  - GPIO A2 is aux-function SSI0Clk, wired to SD card and OLED
+             *    serial-clock input
+             * So a guest that wants to use the OLED can configure the PL061
+             * to make pins A2, A3, A5 aux-function, so they are connected
+             * directly to the SSI controller. When the SSI controller sends
+             * data it asserts SSI0Fss which selects the OLED.
+             * A guest that wants to use the SD card configures A2, A4 and A5
+             * as aux-function, but leaves A3 as a software-controlled GPIO
+             * line. It asserts the SD card chip-select by using the PL061
+             * to control pin D0, and lets the SSI controller handle Clk, Tx
+             * and Rx. (The SSI controller asserts Fss during tx cycles as
+             * usual, but because A3 is not set to aux-function this is not
+             * forwarded to the OLED, and so the OLED stays unselected.)
+             *
+             * The QEMU implementation instead is:
+             *  - GPIO pin D0 is wired to the active-low SD card chip select,
+             *    and also to the OLED chip-select which is implemented
+             *    as *active-high*
+             *  - SSI controller signals go to the devices regardless of
+             *    whether the guest programs A2, A4, A5 as aux-function or not
+             *
+             * The problem with this implementation is if the guest doesn't
+             * care about the SD card and only uses the OLED. In that case it
+             * may choose never to do anything with D0 (leaving it in its
+             * default floating state, which reliably leaves the card disabled
+             * because an SD card has a pullup on CS within the card itself),
+             * and only set up A2, A3, A5. This for us would mean the OLED
+             * never gets the chip-select assert it needs. We work around
+             * this with a manual raise of D0 here (despite board creation
+             * code being the wrong place to raise IRQ lines) to put the OLED
+             * into an initially selected state.
+             *
+             * In theory the right way to model this would be:
+             *  - Implement aux-function support in the PL061, with an
+             *    extra set of AFIN and AFOUT GPIO lines (set up so that
+             *    if a GPIO line is in auxfn mode the main GPIO in and out
+             *    track the AFIN and AFOUT lines)
+             *  - Wire the AFOUT for D0 up to either a line from the
+             *    SSI controller that's pulled low around every transmit,
+             *    or at least to an always-0 line here on the board
+             *  - Make the ssd0323 OLED controller chipselect active-low
              */
             bus = qdev_get_child_bus(dev, "ssi");
 
-- 
2.20.1

From: "hnick@vmware.com" <hnick@vmware.com>

Signed-off-by: Nick Hudson <hnick@vmware.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .access = PL1_RW, .accessfn = access_tda,
       .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
       .resetvalue = 0 },
-    /* MDCCSR_EL0, aka DBGDSCRint. This is a read-only mirror of MDSCR_EL1.
+    /*
+     * MDCCSR_EL0[30:29] map to EDSCR[30:29].  Simply RAZ as the external
+     * Debug Communication Channel is not implemented.
+     */
+    { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 1, .opc2 = 0,
+      .access = PL0_R, .accessfn = access_tda,
+      .type = ARM_CP_CONST, .resetvalue = 0 },
+    /*
+     * DBGDSCRint[15,12,5:2] map to MDSCR_EL1[15,12,5:2].  Map all bits as
+     * it is unlikely a guest will care.
      * We don't implement the configurable EL0 access.
      */
-    { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_BOTH,
-      .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
+    { .name = "DBGDSCRint", .state = ARM_CP_STATE_AA32,
+      .cp = 14, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
       .type = ARM_CP_ALIAS,
       .access = PL1_R, .accessfn = access_tda,
       .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), },
-- 
2.20.1

From: Rebecca Cran <rebecca@nuviainc.com>

Add a space in the message printed when gicr_read*/gicr_write* returns
MEMTX_ERROR in arm_gicv3_redist.c.

Signed-off-by: Rebecca Cran <rebecca@nuviainc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210706211432.31902-1-rebecca@nuviainc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_redist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_redist.c
+++ b/hw/intc/arm_gicv3_redist.c
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
     if (r == MEMTX_ERROR) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid guest read at offset " TARGET_FMT_plx
-                      "size %u\n", __func__, offset, size);
+                      " size %u\n", __func__, offset, size);
         trace_gicv3_redist_badread(gicv3_redist_affid(cs), offset,
                                    size, attrs.secure);
         /* The spec requires that reserved registers are RAZ/WI;
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
     if (r == MEMTX_ERROR) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid guest write at offset " TARGET_FMT_plx
-                      "size %u\n", __func__, offset, size);
+                      " size %u\n", __func__, offset, size);
         trace_gicv3_redist_badwrite(gicv3_redist_affid(cs), offset, data,
                                     size, attrs.secure);
         /* The spec requires that reserved registers are RAZ/WI;
-- 
2.20.1

The following changes since commit 55ef0b702bc2c90c3c4ed97f97676d8f139e5ca1:

Merge remote-tracking branch 'remotes/lvivier-gitlab/tags/linux-user-for-7.0-pull-request' into staging (2022-02-07 10:48:25 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220208

for you to fetch changes up to 4fd1ebb10593087d45d2f56f7f3d13447d24802c:

hw/sensor: Add lsm303dlhc magnetometer device (2022-02-08 10:56:29 +0000)

----------------------------------------------------------------
target-arm queue:
 * Fix handling of SVE ZCR_LEN when using VHE
 * xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
 * Don't ever enable PSCI when booting guest in EL3
 * Adhere to SMCCC 1.3 section 5.2
 * highbank: Fix issues with booting SMP
 * midway: Fix issues booting at all
 * boot: Drop existing dtb /psci node rather than retaining it
 * versal-virt: Always call arm_load_kernel()
 * force flag recalculation when messing with DAIF
 * hw/timer/armv7m_systick: Update clock source before enabling timer
 * hw/arm/smmuv3: Fix device reset
 * hw/intc/arm_gicv3_its: refactorings and minor bug fixes
 * hw/sensor: Add lsm303dlhc magnetometer device

----------------------------------------------------------------
Alex Bennée (1):
      arm: force flag recalculation when messing with DAIF

Edgar E. Iglesias (1):
      hw/arm: versal-virt: Always call arm_load_kernel()

Eric Auger (1):
      hw/arm/smmuv3: Fix device reset

Francisco Iglesias (1):
      hw/arm/xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs

Kevin Townsend (1):
      hw/sensor: Add lsm303dlhc magnetometer device

Peter Maydell (29):
      target/arm: make psci-conduit settable after realize
      cpu.c: Make start-powered-off settable after realize
      hw/arm/boot: Support setting psci-conduit based on guest EL
      hw/arm: imx: Don't enable PSCI conduit when booting guest in EL3
      hw/arm: allwinner: Don't enable PSCI conduit when booting guest in EL3
      hw/arm/xlnx-zcu102: Don't enable PSCI conduit when booting guest in EL3
      hw/arm/versal: Let boot.c handle PSCI enablement
      hw/arm/virt: Let boot.c handle PSCI enablement
      hw/arm: highbank: For EL3 guests, don't enable PSCI, start all cores
      arm: tcg: Adhere to SMCCC 1.3 section 5.2
      hw/arm/highbank: Drop use of secure_board_setup
      hw/arm/boot: Prevent setting both psci_conduit and secure_board_setup
      hw/arm/boot: Don't write secondary boot stub if using PSCI
      hw/arm/highbank: Drop unused secondary boot stub code
      hw/arm/boot: Drop nb_cpus field from arm_boot_info
      hw/arm/boot: Drop existing dtb /psci node rather than retaining it
      hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packets
      hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_t
      hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()
      hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_t
      hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()
      hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()
      hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()
      hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a struct
      hw/intc/arm_gicv3_its: Make update_ite() use ITEntry
      hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fields
      hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field
      hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTI
      hw/intc/arm_gicv3_its: Split error checks

Richard Henderson (4):
      target/arm: Fix sve_zcr_len_for_el for VHE mode running
      target/arm: Tidy sve_exception_el for CPACR_EL1 access
      target/arm: Fix {fp, sve}_exception_el for VHE mode running
      target/arm: Use CPTR_TFP with CPTR_EL3 in fp_exception_el

Richard Petri (1):
      hw/timer/armv7m_systick: Update clock source before enabling timer

From: Richard Henderson <richard.henderson@linaro.org>

When HCR_EL2.{E2H,TGE} == '11', ZCR_EL1 is unused.

Reported-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Message-id: 20220127063428.30212-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
     ARMCPU *cpu = env_archcpu(env);
     uint32_t zcr_len = cpu->sve_max_vq - 1;
 
-    if (el <= 1) {
+    if (el <= 1 &&
+        (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
         zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
     }
     if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Extract entire fields for ZEN and FPEN, rather than testing specific bits.
This makes it easier to follow the code versus the ARM spec.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Message-id: 20220127063428.30212-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
 
     if (el <= 1 && (hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
-        bool disabled = false;
-
-        /* The CPACR.ZEN controls traps to EL1:
-         * 0, 2 : trap EL0 and EL1 accesses
-         * 1    : trap only EL0 accesses
-         * 3    : trap no accesses
-         */
-        if (!extract32(env->cp15.cpacr_el1, 16, 1)) {
-            disabled = true;
-        } else if (!extract32(env->cp15.cpacr_el1, 17, 1)) {
-            disabled = el == 0;
-        }
-        if (disabled) {
+        /* Check CPACR.ZEN.  */
+        switch (extract32(env->cp15.cpacr_el1, 16, 2)) {
+        case 1:
+            if (el != 0) {
+                break;
+            }
+            /* fall through */
+        case 0:
+        case 2:
             /* route_to_el2 */
             return hcr_el2 & HCR_TGE ? 2 : 1;
         }
 
         /* Check CPACR.FPEN.  */
-        if (!extract32(env->cp15.cpacr_el1, 20, 1)) {
-            disabled = true;
-        } else if (!extract32(env->cp15.cpacr_el1, 21, 1)) {
-            disabled = el == 0;
-        }
-        if (disabled) {
+        switch (extract32(env->cp15.cpacr_el1, 20, 2)) {
+        case 1:
+            if (el != 0) {
+                break;
+            }
+            /* fall through */
+        case 0:
+        case 2:
             return 0;
         }
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

When HCR_EL2.E2H is set, the format of CPTR_EL2 changes to
look more like CPACR_EL1, with ZEN and FPEN fields instead
of TZ and TFP fields.

Reported-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220127063428.30212-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 77 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 60 insertions(+), 17 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
         }
     }
 
-    /* CPTR_EL2.  Since TZ and TFP are positive,
-     * they will be zero when EL2 is not present.
+    /*
+     * CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE).
      */
-    if (el <= 2 && arm_is_el2_enabled(env)) {
-        if (env->cp15.cptr_el[2] & CPTR_TZ) {
-            return 2;
-        }
-        if (env->cp15.cptr_el[2] & CPTR_TFP) {
-            return 0;
+    if (el <= 2) {
+        if (hcr_el2 & HCR_E2H) {
+            /* Check CPTR_EL2.ZEN.  */
+            switch (extract32(env->cp15.cptr_el[2], 16, 2)) {
+            case 1:
+                if (el != 0 || !(hcr_el2 & HCR_TGE)) {
+                    break;
+                }
+                /* fall through */
+            case 0:
+            case 2:
+                return 2;
+            }
+
+            /* Check CPTR_EL2.FPEN.  */
+            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
+            case 1:
+                if (el == 2 || !(hcr_el2 & HCR_TGE)) {
+                    break;
+                }
+                /* fall through */
+            case 0:
+            case 2:
+                return 0;
+            }
+        } else if (arm_is_el2_enabled(env)) {
+            if (env->cp15.cptr_el[2] & CPTR_TZ) {
+                return 2;
+            }
+            if (env->cp15.cptr_el[2] & CPTR_TFP) {
+                return 0;
+            }
         }
     }
 
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
 int fp_exception_el(CPUARMState *env, int cur_el)
 {
 #ifndef CONFIG_USER_ONLY
+    uint64_t hcr_el2;
+
     /* CPACR and the CPTR registers don't exist before v6, so FP is
      * always accessible
      */
@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
         return 0;
     }
 
+    hcr_el2 = arm_hcr_el2_eff(env);
+
     /* The CPACR controls traps to EL1, or PL1 if we're 32 bit:
      * 0, 2 : trap EL0 and EL1/PL1 accesses
      * 1    : trap only EL0 accesses
      * 3    : trap no accesses
      * This register is ignored if E2H+TGE are both set.
      */
-    if ((arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+    if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
         int fpen = extract32(env->cp15.cpacr_el1, 20, 2);
 
         switch (fpen) {
@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
         }
     }
 
-    /* For the CPTR registers we don't need to guard with an ARM_FEATURE
-     * check because zero bits in the registers mean "don't trap".
+    /*
+     * CPTR_EL2 is present in v7VE or v8, and changes format
+     * with HCR_EL2.E2H (regardless of TGE).
      */
-
-    /* CPTR_EL2 : present in v7VE or v8 */
-    if (cur_el <= 2 && extract32(env->cp15.cptr_el[2], 10, 1)
-        && arm_is_el2_enabled(env)) {
-        /* Trap FP ops at EL2, NS-EL1 or NS-EL0 to EL2 */
-        return 2;
+    if (cur_el <= 2) {
+        if (hcr_el2 & HCR_E2H) {
+            /* Check CPTR_EL2.FPEN.  */
+            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
+            case 1:
+                if (cur_el != 0 || !(hcr_el2 & HCR_TGE)) {
+                    break;
+                }
+                /* fall through */
+            case 0:
+            case 2:
+                return 2;
+            }
+        } else if (arm_is_el2_enabled(env)) {
+            if (env->cp15.cptr_el[2] & CPTR_TFP) {
+                return 2;
+            }
+        }
     }
 
     /* CPTR_EL3 : present in v8 */
-- 
2.25.1

From: Francisco Iglesias <francisco.iglesias@xilinx.com>

'Or' the IRQs coming from the QSPI and QSPI DMA models. This is done for
avoiding the situation where one of the models incorrectly deasserts an
interrupt asserted from the other model (which will result in that the IRQ
is lost and will not reach guest SW).

Signed-off-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Luc Michel <luc@lmichel.fr>
Message-id: 20220203151742.1457-1-francisco.iglesias@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/xlnx-zynqmp.h |  2 ++
 hw/arm/xlnx-zynqmp.c         | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-zynqmp.h
+++ b/include/hw/arm/xlnx-zynqmp.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/dma/xlnx_csu_dma.h"
 #include "hw/nvram/xlnx-bbram.h"
 #include "hw/nvram/xlnx-zynqmp-efuse.h"
+#include "hw/or-irq.h"
 
 #define TYPE_XLNX_ZYNQMP "xlnx-zynqmp"
 OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
     XlnxZDMA gdma[XLNX_ZYNQMP_NUM_GDMA_CH];
     XlnxZDMA adma[XLNX_ZYNQMP_NUM_ADMA_CH];
     XlnxCSUDMA qspi_dma;
+    qemu_or_irq qspi_irq_orgate;
 
     char *boot_cpu;
     ARMCPU *boot_cpu_ptr;
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@
 #define LQSPI_ADDR          0xc0000000
 #define QSPI_IRQ            15
 #define QSPI_DMA_ADDR       0xff0f0800
+#define NUM_QSPI_IRQ_LINES  2
 
 #define DP_ADDR             0xfd4a0000
 #define DP_IRQ              113
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
     }
 
     object_initialize_child(obj, "qspi-dma", &s->qspi_dma, TYPE_XLNX_CSU_DMA);
+    object_initialize_child(obj, "qspi-irq-orgate",
+                            &s->qspi_irq_orgate, TYPE_OR_IRQ);
 }
 
 static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
                            gic_spi[adma_ch_intr[i]]);
     }
 
+    object_property_set_int(OBJECT(&s->qspi_irq_orgate),
+                            "num-lines", NUM_QSPI_IRQ_LINES, &error_fatal);
+    qdev_realize(DEVICE(&s->qspi_irq_orgate), NULL, &error_fatal);
+    qdev_connect_gpio_out(DEVICE(&s->qspi_irq_orgate), 0, gic_spi[QSPI_IRQ]);
+
     if (!object_property_set_link(OBJECT(&s->qspi_dma), "dma",
                                   OBJECT(system_memory), errp)) {
         return;
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
     }
 
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi_dma), 0, QSPI_DMA_ADDR);
-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0, gic_spi[QSPI_IRQ]);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0,
+                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 0));
 
     if (!object_property_set_link(OBJECT(&s->qspi), "stream-connected-dma",
                                   OBJECT(&s->qspi_dma), errp)) {
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
     }
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR);
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR);
-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0,
+                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 1));
 
     for (i = 0; i < XLNX_ZYNQMP_NUM_QSPI_BUS; i++) {
         g_autofree gchar *bus_name = g_strdup_printf("qspi%d", i);
-- 
2.25.1

We want to allow the psci-conduit property to be set after realize,
because the parts of the code which are best placed to decide if it's
OK to enable QEMU's builtin PSCI emulation (the board code and the
arm_load_kernel() function are distant from the code which creates
and realizes CPUs (typically inside an SoC object's init and realize
method) and run afterwards.

Since the DEFINE_PROP_* macros don't have support for creating
properties which can be changed after realize, change the property to
be created with object_property_add_uint32_ptr(), which is what we
already use in this function for creating settable-after-realize
properties like init-svtor and init-nsvtor.

Note that it doesn't conceptually make sense to change the setting of
the property after the machine has been completely initialized,
beacuse this would mean that the behaviour of the machine when first
started would differ from its behaviour when the system is
subsequently reset.  (It would also require the underlying state to
be migrated, which we don't do.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20220127154639.2090164-2-peter.maydell@linaro.org
---
 target/arm/cpu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
                                        OBJ_PROP_FLAG_READWRITE);
     }
 
+    /* Not DEFINE_PROP_UINT32: we want this to be settable after realize */
+    object_property_add_uint32_ptr(obj, "psci-conduit",
+                                   &cpu->psci_conduit,
+                                   OBJ_PROP_FLAG_READWRITE);
+
     qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property);
 
     if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
 }
 
 static Property arm_cpu_properties[] = {
-    DEFINE_PROP_UINT32("psci-conduit", ARMCPU, psci_conduit, 0),
     DEFINE_PROP_UINT64("midr", ARMCPU, midr, 0),
     DEFINE_PROP_UINT64("mp-affinity", ARMCPU,
                         mp_affinity, ARM64_AFFINITY_INVALID),
-- 
2.25.1

The CPU object's start-powered-off property is currently only
settable before the CPU object is realized.  For arm machines this is
awkward, because we would like to decide whether the CPU should be
powered-off based on how we are booting the guest code, which is
something done in the machine model code and in common code called by
the machine model, which runs much later and in completely different
parts of the codebase from the SoC object code that is responsible
for creating and realizing the CPU objects.

Allow start-powered-off to be set after realize.  Since this isn't
something that's supported by the DEFINE_PROP_* macros, we have to
switch the property definition to use the
object_class_property_add_bool() function.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20220127154639.2090164-3-peter.maydell@linaro.org
---
 cpu.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/cpu.c b/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/cpu.c
+++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ static Property cpu_common_props[] = {
     DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
                      MemoryRegion *),
 #endif
-    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
     DEFINE_PROP_END_OF_LIST(),
 };
 
+static bool cpu_get_start_powered_off(Object *obj, Error **errp)
+{
+    CPUState *cpu = CPU(obj);
+    return cpu->start_powered_off;
+}
+
+static void cpu_set_start_powered_off(Object *obj, bool value, Error **errp)
+{
+    CPUState *cpu = CPU(obj);
+    cpu->start_powered_off = value;
+}
+
 void cpu_class_init_props(DeviceClass *dc)
 {
+    ObjectClass *oc = OBJECT_CLASS(dc);
+
     device_class_set_props(dc, cpu_common_props);
+    /*
+     * We can't use DEFINE_PROP_BOOL in the Property array for this
+     * property, because we want this to be settable after realize.
+     */
+    object_class_property_add_bool(oc, "start-powered-off",
+                                   cpu_get_start_powered_off,
+                                   cpu_set_start_powered_off);
 }
 
 void cpu_exec_initfn(CPUState *cpu)
-- 
2.25.1

Currently we expect board code to set the psci-conduit property on
CPUs and ensure that secondary CPUs are created with the
start-powered-off property set to false, if the board wishes to use
QEMU's builtin PSCI emulation.  This worked OK for the virt board
where we first wanted to use it, because the virt board directly
creates its CPUs and is in a reasonable position to set those
properties.  For other boards which model real hardware and use a
separate SoC object, however, it is more awkward.  Most PSCI-using
boards just set the psci-conduit board unconditionally.

This was never strictly speaking correct (because you would not be
able to run EL3 guest firmware that itself provided the PSCI
interface, as the QEMU implementation would overrule it), but mostly
worked in practice because for non-PSCI SMC calls QEMU would emulate
the SMC instruction as normal (by trapping to guest EL3).  However,
we would like to make our PSCI emulation follow the part of the SMCC
specification that mandates that SMC calls with unknown function
identifiers return a failure code, which means that all SMC calls
will be handled by the PSCI code and the "emulate as normal" path
will no longer be taken.

We tried to implement that in commit 9fcd15b9193e81
("arm: tcg: Adhere to SMCCC 1.3 section 5.2"), but this
regressed attempts to run EL3 guest code on the affected boards:
 * mcimx6ul-evk, mcimx7d-sabre, orangepi, xlnx-zcu102
 * for the case only of EL3 code loaded via -kernel (and
   not via -bios or -pflash), virt and xlnx-versal-virt
so for the 7.0 release we reverted it (in commit 4825eaae4fdd56f).

This commit provides a mechanism that boards can use to arrange that
psci-conduit is set if running guest code at a low enough EL but not
if it would be running at the same EL that the conduit implies that
the QEMU PSCI implementation is using.  (Later commits will convert
individual board models to use this mechanism.)

We do this by moving the setting of the psci-conduit and
start-powered-off properties to arm_load_kernel().  Boards which want
to potentially use emulated PSCI must set a psci_conduit field in the
arm_boot_info struct to the type of conduit they want to use (SMC or
HVC); arm_load_kernel() will then set the CPUs up accordingly if it
is not going to start the guest code at the same or higher EL as the
fake QEMU firmware would be at.

Board/SoC code which uses this mechanism should no longer set the CPU
psci-conduit property directly.  It should only set the
start-powered-off property for secondaries if EL3 guest firmware
running bare metal expects that rather than the alternative "all CPUs
start executing the firmware at once".

Note that when calculating whether we are going to run guest
code at EL3, we ignore the setting of arm_boot_info::secure_board_setup,
which might cause us to run a stub bit of guest code at EL3 which
does some board-specific setup before dropping to EL2 or EL1 to
run the guest kernel. This is OK because only one board that
enables PSCI sets secure_board_setup (the highbank board), and
the stub code it writes will behave the same way whether the
one SMC call it makes is handled by "emulate the SMC" or by
"PSCI default returns an error code". So we can leave that stub
code in place until after we've changed the PSCI default behaviour;
at that point we will remove it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20220127154639.2090164-4-peter.maydell@linaro.org
---
 include/hw/arm/boot.h | 10 +++++++++
 hw/arm/boot.c         | 50 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/boot.h
+++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
      * the user it should implement this hook.
      */
     void (*modify_dtb)(const struct arm_boot_info *info, void *fdt);
+    /*
+     * If a board wants to use the QEMU emulated-firmware PSCI support,
+     * it should set this to QEMU_PSCI_CONDUIT_HVC or QEMU_PSCI_CONDUIT_SMC
+     * as appropriate. arm_load_kernel() will set the psci-conduit and
+     * start-powered-off properties on the CPUs accordingly.
+     * Note that if the guest image is started at the same exception level
+     * as the conduit specifies calls should go to (eg guest firmware booted
+     * to EL3) then PSCI will not be enabled.
+     */
+    int psci_conduit;
     /* Used internally by arm_boot.c */
     int is_linux;
     hwaddr initrd_start;
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
 {
     CPUState *cs;
     AddressSpace *as = arm_boot_address_space(cpu, info);
+    int boot_el;
+    CPUARMState *env = &cpu->env;
 
     /*
      * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
         arm_setup_direct_kernel_boot(cpu, info);
     }
 
+    /*
+     * Disable the PSCI conduit if it is set up to target the same
+     * or a lower EL than the one we're going to start the guest code in.
+     * This logic needs to agree with the code in do_cpu_reset() which
+     * decides whether we're going to boot the guest in the highest
+     * supported exception level or in a lower one.
+     */
+
+    /* Boot into highest supported EL ... */
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        boot_el = 3;
+    } else if (arm_feature(env, ARM_FEATURE_EL2)) {
+        boot_el = 2;
+    } else {
+        boot_el = 1;
+    }
+    /* ...except that if we're booting Linux we adjust the EL we boot into */
+    if (info->is_linux && !info->secure_boot) {
+        boot_el = arm_feature(env, ARM_FEATURE_EL2) ? 2 : 1;
+    }
+
+    if ((info->psci_conduit == QEMU_PSCI_CONDUIT_HVC && boot_el >= 2) ||
+        (info->psci_conduit == QEMU_PSCI_CONDUIT_SMC && boot_el == 3)) {
+        info->psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
+    }
+
+    if (info->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
+        for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+            Object *cpuobj = OBJECT(cs);
+
+            object_property_set_int(cpuobj, "psci-conduit", info->psci_conduit,
+                                    &error_abort);
+            /*
+             * Secondary CPUs start in PSCI powered-down state. Like the
+             * code in do_cpu_reset(), we assume first_cpu is the primary
+             * CPU.
+             */
+            if (cs != first_cpu) {
+                object_property_set_bool(cpuobj, "start-powered-off", true,
+                                         &error_abort);
+            }
+        }
+    }
+
+    /*
+     * arm_load_dtb() may add a PSCI node so it must be called after we have
+     * decided whether to enable PSCI and set the psci-conduit CPU properties.
+     */
     if (!info->skip_dtb_autoload && have_dtb(info)) {
         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as, ms) < 0) {
             exit(1);
-- 
2.25.1

Change the iMX-SoC based boards to use the new boot.c functionality
to allow us to enable psci-conduit only if the guest is being booted
in EL1 or EL2, so that if the user runs guest EL3 firmware code our
PSCI emulation doesn't get in its way.

To do this we stop setting the psci-conduit property on the CPU
objects in the SoC code, and instead set the psci_conduit field in
the arm_boot_info struct to tell the common boot loader code that
we'd like PSCI if the guest is starting at an EL that it makes
sense with.

This affects the mcimx6ul-evk and mcimx7d-sabre boards.

Note that for the mcimx7d board, this means that when running guest
code at EL3 there is currently no way to power on the secondary CPUs,
because we do not currently have a model of the system reset
controller module which should be used to do that for the imx7 SoC,
only for the imx6 SoC.  (Previously EL3 code which knew it was
running on QEMU could use a PSCI call to do this.) This doesn't
affect the imx6ul-evk board because it is uniprocessor.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220127154639.2090164-5-peter.maydell@linaro.org
---
 hw/arm/fsl-imx6ul.c    | 2 --
 hw/arm/fsl-imx7.c      | 8 ++++----
 hw/arm/mcimx6ul-evk.c  | 1 +
 hw/arm/mcimx7d-sabre.c | 1 +
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx6ul.c
+++ b/hw/arm/fsl-imx6ul.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
         return;
     }
 
-    object_property_set_int(OBJECT(&s->cpu), "psci-conduit",
-                            QEMU_PSCI_CONDUIT_SMC, &error_abort);
     qdev_realize(DEVICE(&s->cpu), NULL, &error_abort);
 
     /*
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx7.c
+++ b/hw/arm/fsl-imx7.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
     for (i = 0; i < smp_cpus; i++) {
         o = OBJECT(&s->cpu[i]);
 
-        object_property_set_int(o, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
-                                &error_abort);
-
         /* On uniprocessor, the CBAR is set to 0 */
         if (smp_cpus > 1) {
             object_property_set_int(o, "reset-cbar", FSL_IMX7_A7MPCORE_ADDR,
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
         }
 
         if (i) {
-            /* Secondary CPUs start in PSCI powered-down state */
+            /*
+             * Secondary CPUs start in powered-down state (and can be
+             * powered up via the SRC system reset controller)
+             */
             object_property_set_bool(o, "start-powered-off", true,
                                      &error_abort);
         }
diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mcimx6ul-evk.c
+++ b/hw/arm/mcimx6ul-evk.c
@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
         .board_id = -1,
         .ram_size = machine->ram_size,
         .nb_cpus = machine->smp.cpus,
+        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
     };
 
     s = FSL_IMX6UL(object_new(TYPE_FSL_IMX6UL));
diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mcimx7d-sabre.c
+++ b/hw/arm/mcimx7d-sabre.c
@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
         .board_id = -1,
         .ram_size = machine->ram_size,
         .nb_cpus = machine->smp.cpus,
+        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
     };
 
     s = FSL_IMX7(object_new(TYPE_FSL_IMX7));
-- 
2.25.1

Change the allwinner-h3 based board to use the new boot.c
functionality to allow us to enable psci-conduit only if the guest is
being booted in EL1 or EL2, so that if the user runs guest EL3
firmware code our PSCI emulation doesn't get in its way.

This affects the orangepi-pc board.

This commit leaves the secondary CPUs in the powered-down state if
the guest is booting at EL3, which is the same behaviour as before
this commit.  The secondaries can no longer be started by that EL3
code making a PSCI call but can still be started via the CPU
Configuration Module registers (which we model in
hw/misc/allwinner-cpucfg.c).

diff --git a/hw/arm/allwinner-h3.c b/hw/arm/allwinner-h3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-h3.c
+++ b/hw/arm/allwinner-h3.c
@@ -XXX,XX +XXX,XX @@ static void allwinner_h3_realize(DeviceState *dev, Error **errp)
     /* CPUs */
     for (i = 0; i < AW_H3_NUM_CPUS; i++) {
 
-        /* Provide Power State Coordination Interface */
-        qdev_prop_set_int32(DEVICE(&s->cpus[i]), "psci-conduit",
-                            QEMU_PSCI_CONDUIT_SMC);
-
-        /* Disable secondary CPUs */
+        /*
+         * Disable secondary CPUs. Guest EL3 firmware will start
+         * them via CPU reset control registers.
+         */
         qdev_prop_set_bit(DEVICE(&s->cpus[i]), "start-powered-off",
                           i > 0);
 
diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/orangepi.c
+++ b/hw/arm/orangepi.c
@@ -XXX,XX +XXX,XX @@ static void orangepi_init(MachineState *machine)
     }
     orangepi_binfo.loader_start = h3->memmap[AW_H3_DEV_SDRAM];
     orangepi_binfo.ram_size = machine->ram_size;
+    orangepi_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
     arm_load_kernel(ARM_CPU(first_cpu), machine, &orangepi_binfo);
 }
 
-- 
2.25.1

Change the Xilinx ZynqMP-based board xlnx-zcu102 to use the new
boot.c functionality to allow us to enable psci-conduit only if
the guest is being booted in EL1 or EL2, so that if the user runs
guest EL3 firmware code our PSCI emulation doesn't get in its
way.

Note that this means that EL3 guest code will have no way
to power on secondary cores, because we don't model any
kind of power controller that does that on this SoC.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220127154639.2090164-7-peter.maydell@linaro.org
---
 hw/arm/xlnx-zcu102.c |  1 +
 hw/arm/xlnx-zynqmp.c | 11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/hw/arm/xlnx-zcu102.c b/hw/arm/xlnx-zcu102.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zcu102.c
+++ b/hw/arm/xlnx-zcu102.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zcu102_init(MachineState *machine)
     s->binfo.ram_size = ram_size;
     s->binfo.loader_start = 0;
     s->binfo.modify_dtb = zcu102_modify_dtb;
+    s->binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
     arm_load_kernel(s->soc.boot_cpu_ptr, machine, &s->binfo);
 }
 
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
 
         name = object_get_canonical_path_component(OBJECT(&s->rpu_cpu[i]));
         if (strcmp(name, boot_cpu)) {
-            /* Secondary CPUs start in PSCI powered-down state */
+            /*
+             * Secondary CPUs start in powered-down state.
+             */
             object_property_set_bool(OBJECT(&s->rpu_cpu[i]),
                                      "start-powered-off", true, &error_abort);
         } else {
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
     for (i = 0; i < num_apus; i++) {
         const char *name;
 
-        object_property_set_int(OBJECT(&s->apu_cpu[i]), "psci-conduit",
-                                QEMU_PSCI_CONDUIT_SMC, &error_abort);
-
         name = object_get_canonical_path_component(OBJECT(&s->apu_cpu[i]));
         if (strcmp(name, boot_cpu)) {
-            /* Secondary CPUs start in PSCI powered-down state */
+            /*
+             * Secondary CPUs start in powered-down state.
+             */
             object_property_set_bool(OBJECT(&s->apu_cpu[i]),
                                      "start-powered-off", true, &error_abort);
         } else {
-- 
2.25.1

Instead of setting the CPU psci-conduit and start-powered-off
properties in the xlnx-versal-virt board code, set the arm_boot_info
psci_conduit field so that the boot.c code can do it.

This will fix a corner case where we were incorrectly enabling PSCI
emulation when booting guest code into EL3 because it was an ELF file
passed to -kernel.  (EL3 guest code started via -bios, -pflash, or
the generic loader was already being run with PSCI emulation
disabled.)

Note that EL3 guest code has no way to turn on the secondary CPUs
because there's no emulated power controller, but this was already
true for EL3 guest code run via -bios, -pflash, or the generic
loader.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20220127154639.2090164-8-peter.maydell@linaro.org
---
 include/hw/arm/xlnx-versal.h | 1 -
 hw/arm/xlnx-versal-virt.c    | 6 ++++--
 hw/arm/xlnx-versal.c         | 5 +----
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@ struct Versal {
 
     struct {
         MemoryRegion *mr_ddr;
-        uint32_t psci_conduit;
     } cfg;
 };
 
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
      * When loading an OS, we turn on QEMU's PSCI implementation with SMC
      * as the PSCI conduit. When there's no -kernel, we assume the user
      * provides EL3 firmware to handle PSCI.
+     *
+     * Even if the user provides a kernel filename, arm_load_kernel()
+     * may suppress PSCI if it's going to boot that guest code at EL3.
      */
     if (machine->kernel_filename) {
         psci_conduit = QEMU_PSCI_CONDUIT_SMC;
@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
                             TYPE_XLNX_VERSAL);
     object_property_set_link(OBJECT(&s->soc), "ddr", OBJECT(machine->ram),
                              &error_abort);
-    object_property_set_int(OBJECT(&s->soc), "psci-conduit", psci_conduit,
-                            &error_abort);
     sysbus_realize(SYS_BUS_DEVICE(&s->soc), &error_fatal);
 
     fdt_create(s);
@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
     s->binfo.loader_start = 0x0;
     s->binfo.get_dtb = versal_virt_get_dtb;
     s->binfo.modify_dtb = versal_virt_modify_dtb;
+    s->binfo.psci_conduit = psci_conduit;
     if (machine->kernel_filename) {
         arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
     } else {
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@ static void versal_create_apu_cpus(Versal *s)
         object_initialize_child(OBJECT(s), "apu-cpu[*]", &s->fpd.apu.cpu[i],
                                 XLNX_VERSAL_ACPU_TYPE);
         obj = OBJECT(&s->fpd.apu.cpu[i]);
-        object_property_set_int(obj, "psci-conduit", s->cfg.psci_conduit,
-                                &error_abort);
         if (i) {
-            /* Secondary CPUs start in PSCI powered-down state */
+            /* Secondary CPUs start in powered-down state */
             object_property_set_bool(obj, "start-powered-off", true,
                                      &error_abort);
         }
@@ -XXX,XX +XXX,XX @@ static void versal_init(Object *obj)
 static Property versal_properties[] = {
     DEFINE_PROP_LINK("ddr", Versal, cfg.mr_ddr, TYPE_MEMORY_REGION,
                      MemoryRegion *),
-    DEFINE_PROP_UINT32("psci-conduit", Versal, cfg.psci_conduit, 0),
     DEFINE_PROP_END_OF_LIST()
 };
 
-- 
2.25.1

Instead of setting the CPU psci-conduit and start-powered-off
properties in the virt board code, set the arm_boot_info psci_conduit
field so that the boot.c code can do it.

This will fix a corner case where we were incorrectly enabling PSCI
emulation when booting guest code into EL3 because it was an ELF file
passed to -kernel or to the generic loader.  (EL3 guest code started
via -bios or -pflash was already being run with PSCI emulation
disabled.)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
             object_property_set_bool(cpuobj, "has_el2", false, NULL);
         }
 
-        if (vms->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
-            object_property_set_int(cpuobj, "psci-conduit", vms->psci_conduit,
-                                    NULL);
-
-            /* Secondary CPUs start in PSCI powered-down state */
-            if (n > 0) {
-                object_property_set_bool(cpuobj, "start-powered-off", true,
-                                         NULL);
-            }
-        }
-
         if (vmc->kvm_no_adjvtime &&
             object_property_find(cpuobj, "kvm-no-adjvtime")) {
             object_property_set_bool(cpuobj, "kvm-no-adjvtime", true, NULL);
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
     vms->bootinfo.get_dtb = machvirt_dtb;
     vms->bootinfo.skip_dtb_autoload = true;
     vms->bootinfo.firmware_loaded = firmware_loaded;
+    vms->bootinfo.psci_conduit = vms->psci_conduit;
     arm_load_kernel(ARM_CPU(first_cpu), machine, &vms->bootinfo);
 
     vms->machine_done.notify = virt_machine_done;
-- 
2.25.1

Change the highbank/midway boards to use the new boot.c functionality
to allow us to enable psci-conduit only if the guest is being booted
in EL1 or EL2, so that if the user runs guest EL3 firmware code our
PSCI emulation doesn't get in its way.

To do this we stop setting the psci-conduit and start-powered-off
properties on the CPU objects in the board code, and instead set the
psci_conduit field in the arm_boot_info struct to tell the common
boot loader code that we'd like PSCI if the guest is starting at an
EL that it makes sense with (in which case it will set these
properties).

This means that when running guest code at EL3, all the cores
will start execution at once on poweron. This matches the
real hardware behaviour. (A brief description of the hardware
boot process is in the u-boot documentation for these boards:
https://u-boot.readthedocs.io/en/latest/board/highbank/highbank.html#boot-process
 -- in theory one might run the 'a9boot'/'a15boot' secure monitor
code in QEMU, though we probably don't emulate enough for that.)

This affects the highbank and midway boards.

diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
         object_property_set_int(cpuobj, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
                                 &error_abort);
 
-        if (n) {
-            /* Secondary CPUs start in PSCI powered-down state */
-            object_property_set_bool(cpuobj, "start-powered-off", true,
-                                     &error_abort);
-        }
-
         if (object_property_find(cpuobj, "reset-cbar")) {
             object_property_set_int(cpuobj, "reset-cbar", MPCORE_PERIPHBASE,
                                     &error_abort);
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
     highbank_binfo.write_board_setup = hb_write_board_setup;
     highbank_binfo.secure_board_setup = true;
+    highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 
     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
 }
-- 
2.25.1

The SMCCC 1.3 spec section 5.2 says

The Unknown SMC Function Identifier is a sign-extended value of (-1)
  that is returned in the R0, W0 or X0 registers. An implementation must
  return this error code when it receives:

* An SMC or HVC call with an unknown Function Identifier
    * An SMC or HVC call for a removed Function Identifier
    * An SMC64/HVC64 call from AArch32 state

To comply with these statements, let's always return -1 when we encounter
an unknown HVC or SMC call.

[PMM:
 This is a reinstatement of commit 9fcd15b9193e819b, previously
 reverted in commit 4825eaae4fdd56fba0f; we can do this now that we
 have arranged for all the affected board models to not enable the
 PSCI emulation if they are running guest code at EL3. This avoids
 the regressions that caused us to revert the change for 7.0.]

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/psci.c | 35 ++++++-----------------------------
 1 file changed, 6 insertions(+), 29 deletions(-)

diff --git a/target/arm/psci.c b/target/arm/psci.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/psci.c
+++ b/target/arm/psci.c
@@ -XXX,XX +XXX,XX @@
 
 bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
 {
-    /* Return true if the r0/x0 value indicates a PSCI call and
-     * the exception type matches the configured PSCI conduit. This is
-     * called before the SMC/HVC instruction is executed, to decide whether
-     * we should treat it as a PSCI call or with the architecturally
+    /*
+     * Return true if the exception type matches the configured PSCI conduit.
+     * This is called before the SMC/HVC instruction is executed, to decide
+     * whether we should treat it as a PSCI call or with the architecturally
      * defined behaviour for an SMC or HVC (which might be UNDEF or trap
      * to EL2 or to EL3).
      */
-    CPUARMState *env = &cpu->env;
-    uint64_t param = is_a64(env) ? env->xregs[0] : env->regs[0];
 
     switch (excp_type) {
     case EXCP_HVC:
@@ -XXX,XX +XXX,XX @@ bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
         return false;
     }
 
-    switch (param) {
-    case QEMU_PSCI_0_2_FN_PSCI_VERSION:
-    case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
-    case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
-    case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
-    case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
-    case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
-    case QEMU_PSCI_0_1_FN_CPU_ON:
-    case QEMU_PSCI_0_2_FN_CPU_ON:
-    case QEMU_PSCI_0_2_FN64_CPU_ON:
-    case QEMU_PSCI_0_1_FN_CPU_OFF:
-    case QEMU_PSCI_0_2_FN_CPU_OFF:
-    case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
-    case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
-    case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
-    case QEMU_PSCI_0_1_FN_MIGRATE:
-    case QEMU_PSCI_0_2_FN_MIGRATE:
-        return true;
-    default:
-        return false;
-    }
+    return true;
 }
 
 void arm_handle_psci_call(ARMCPU *cpu)
@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
         break;
     case QEMU_PSCI_0_1_FN_MIGRATE:
     case QEMU_PSCI_0_2_FN_MIGRATE:
+    default:
         ret = QEMU_PSCI_RET_NOT_SUPPORTED;
         break;
-    default:
-        g_assert_not_reached();
     }
 
 err:
-- 
2.25.1

Guest code on highbank may make non-PSCI SMC calls in order to
enable/disable the L2x0 cache controller (see the Linux kernel's
arch/arm/mach-highbank/highbank.c highbank_l2c310_write_sec()
function).  The ABI for this is documented in kernel commit
8e56130dcb as being borrowed from the OMAP44xx ROM.  The OMAP44xx TRM
documents this function ID as having no return value and potentially
trashing all guest registers except SP and PC. For QEMU's purposes
(where our L2x0 model is a stub and enabling or disabling it doesn't
affect the guest behaviour) a simple "do nothing" SMC is fine.

We currently implement this NOP behaviour using a little bit of
Secure code we run before jumping to the guest kernel, which is
written by arm_write_secure_board_setup_dummy_smc().  The code sets
up a set of Secure vectors where the SMC entry point returns without
doing anything.

Now that the PSCI SMC emulation handles all SMC calls (setting r0 to
an error code if the input r0 function identifier is not recognized),
we can use that default behaviour as sufficient for the highbank
cache controller call.  (Because the guest code assumes r0 has no
interesting value on exit it doesn't matter that we set it to the
error code).  We can therefore delete the highbank board code that
sets secure_board_setup to true and writes the secure-code bootstub.

(Note that because the OMAP44xx ABI puts function-identifiers in
r12 and PSCI uses r0, we only avoid a clash because Linux's code
happens to put the function-identifier in both registers. But this
is true also when the kernel is running on real firmware that
implements both ABIs as far as I can see.)

This change fixes in passing booting on the 'midway' board model,
which has been completely broken since we added support for Hyp
mode to the Cortex-A15 CPU. When we did that boot.c was made to
start running the guest code in Hyp mode; this includes the
board_setup hook, which instantly UNDEFs because the NSACR is
not accessible from Hyp. (Put another way, we never made the
secure_board_setup hook support cope with Hyp mode.)

diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
 
 /* Board init.  */
 
-static void hb_write_board_setup(ARMCPU *cpu,
-                                 const struct arm_boot_info *info)
-{
-    arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR);
-}
-
 static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
 {
     int n;
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
     highbank_binfo.write_secondary_boot = hb_write_secondary;
     highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
-    highbank_binfo.write_board_setup = hb_write_board_setup;
-    highbank_binfo.secure_board_setup = true;
     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 
     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
-- 
2.25.1

Now that we have dealt with the one special case (highbank) that needed
to set both psci_conduit and secure_board_setup, we don't need to
allow that combination any more. It doesn't make sense in general,
so use an assertion to ensure we don't add new boards that do it
by accident without thinking through the consequences.

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      * supported exception level or in a lower one.
      */
 
+    /*
+     * If PSCI is enabled, then SMC calls all go to the PSCI handler and
+     * are never emulated to trap into guest code. It therefore does not
+     * make sense for the board to have a setup code fragment that runs
+     * in Secure, because this will probably need to itself issue an SMC of some
+     * kind as part of its operation.
+     */
+    assert(info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED ||
+           !info->secure_board_setup);
+
     /* Boot into highest supported EL ... */
     if (arm_feature(env, ARM_FEATURE_EL3)) {
         boot_el = 3;
-- 
2.25.1

If we're using PSCI emulation to start secondary CPUs, there is no
point in writing the "secondary boot" stub code, because it will
never be used -- secondary CPUs start powered-off, and when powered
on are set to begin execution at the address specified by the guest's
power-on PSCI call, not at the stub.

Move the call to the hook that writes the secondary boot stub code so
that we can do it only if we're starting a Linux kernel and not using
PSCI.

(None of the users of the hook care about the ordering of its call
relative to anything else: they only use it to write a rom blob to
guest memory.)

diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/boot.h
+++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
      * boot loader/boot ROM code, and secondary_cpu_reset_hook() should
      * perform any necessary CPU reset handling and set the PC for the
      * secondary CPUs to point at this boot blob.
+     *
+     * These hooks won't be called if secondary CPUs are booting via
+     * emulated PSCI (see psci_conduit below).
      */
     void (*write_secondary_boot)(ARMCPU *cpu,
                                  const struct arm_boot_info *info);
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                         set_kernel_args(info, as);
                     }
                 }
-            } else {
+            } else if (info->secondary_cpu_reset_hook) {
                 info->secondary_cpu_reset_hook(cpu, info);
             }
         }
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
         elf_machine = EM_ARM;
     }
 
-    if (!info->secondary_cpu_reset_hook) {
-        info->secondary_cpu_reset_hook = default_reset_secondary;
-    }
-    if (!info->write_secondary_boot) {
-        info->write_secondary_boot = default_write_secondary;
-    }
-
     if (info->nb_cpus == 0)
         info->nb_cpus = 1;
 
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
         write_bootloader("bootloader", info->loader_start,
                          primary_loader, fixupcontext, as);
 
-        if (info->nb_cpus > 1) {
-            info->write_secondary_boot(cpu, info);
-        }
         if (info->write_board_setup) {
             info->write_board_setup(cpu, info);
         }
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
         }
     }
 
+    if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
+        info->is_linux && info->nb_cpus > 1) {
+        /*
+         * We're booting Linux but not using PSCI, so for SMP we need
+         * to write a custom secondary CPU boot loader stub, and arrange
+         * for the secondary CPU reset to make the accompanying initialization.
+         */
+        if (!info->secondary_cpu_reset_hook) {
+            info->secondary_cpu_reset_hook = default_reset_secondary;
+        }
+        if (!info->write_secondary_boot) {
+            info->write_secondary_boot = default_write_secondary;
+        }
+        info->write_secondary_boot(cpu, info);
+    } else {
+        /*
+         * No secondary boot stub; don't use the reset hook that would
+         * have set the CPU up to call it
+         */
+        info->write_secondary_boot = NULL;
+        info->secondary_cpu_reset_hook = NULL;
+    }
+
     /*
      * arm_load_dtb() may add a PSCI node so it must be called after we have
      * decided whether to enable PSCI and set the psci-conduit CPU properties.
-- 
2.25.1

The highbank and midway board code includes boot-stub code for
handling secondary CPU boot which keeps the secondaries in a pen
until the primary writes to a known location with the address they
should jump to.

This code is never used, because the boards enable QEMU's PSCI
emulation, so secondary CPUs are kept powered off until the PSCI call
which turns them on, and then start execution from the address given
by the guest in that PSCI call.  Delete the unreachable code.

(The code was wrong for midway in any case -- on the Cortex-A15 the
GIC CPU interface registers are at a different offset from PERIPHBASE
compared to the Cortex-A9, and the code baked-in the offsets for
highbank's A9.)

Note that this commit implicitly depends on the preceding "Don't
write secondary boot stub if using PSCI" commit -- the default
secondary-boot stub code overlaps with one of the highbank-specific
bootcode rom blobs, so we must suppress the secondary-boot
stub code entirely, not merely replace the highbank-specific
version with the default.

diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
 
 /* Board init.  */
 
-static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
-{
-    int n;
-    uint32_t smpboot[] = {
-        0xee100fb0, /* mrc p15, 0, r0, c0, c0, 5 - read current core id */
-        0xe210000f, /* ands r0, r0, #0x0f */
-        0xe3a03040, /* mov r3, #0x40 - jump address is 0x40 + 0x10 * core id */
-        0xe0830200, /* add r0, r3, r0, lsl #4 */
-        0xe59f2024, /* ldr r2, privbase */
-        0xe3a01001, /* mov r1, #1 */
-        0xe5821100, /* str r1, [r2, #256] - set GICC_CTLR.Enable */
-        0xe3a010ff, /* mov r1, #0xff */
-        0xe5821104, /* str r1, [r2, #260] - set GICC_PMR.Priority to 0xff */
-        0xf57ff04f, /* dsb */
-        0xe320f003, /* wfi */
-        0xe5901000, /* ldr     r1, [r0] */
-        0xe1110001, /* tst     r1, r1 */
-        0x0afffffb, /* beq     <wfi> */
-        0xe12fff11, /* bx      r1 */
-        MPCORE_PERIPHBASE   /* privbase: MPCore peripheral base address.  */
-    };
-    for (n = 0; n < ARRAY_SIZE(smpboot); n++) {
-        smpboot[n] = tswap32(smpboot[n]);
-    }
-    rom_add_blob_fixed_as("smpboot", smpboot, sizeof(smpboot), SMP_BOOT_ADDR,
-                          arm_boot_address_space(cpu, info));
-}
-
-static void hb_reset_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
-{
-    CPUARMState *env = &cpu->env;
-
-    switch (info->nb_cpus) {
-    case 4:
-        address_space_stl_notdirty(&address_space_memory,
-                                   SMP_BOOT_REG + 0x30, 0,
-                                   MEMTXATTRS_UNSPECIFIED, NULL);
-        /* fallthrough */
-    case 3:
-        address_space_stl_notdirty(&address_space_memory,
-                                   SMP_BOOT_REG + 0x20, 0,
-                                   MEMTXATTRS_UNSPECIFIED, NULL);
-        /* fallthrough */
-    case 2:
-        address_space_stl_notdirty(&address_space_memory,
-                                   SMP_BOOT_REG + 0x10, 0,
-                                   MEMTXATTRS_UNSPECIFIED, NULL);
-        env->regs[15] = SMP_BOOT_ADDR;
-        break;
-    default:
-        break;
-    }
-}
-
 #define NUM_REGS      0x200
 static void hb_regs_write(void *opaque, hwaddr offset,
                           uint64_t value, unsigned size)
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
     highbank_binfo.board_id = -1;
     highbank_binfo.nb_cpus = smp_cpus;
     highbank_binfo.loader_start = 0;
-    highbank_binfo.write_secondary_boot = hb_write_secondary;
-    highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 
-- 
2.25.1

We use the arm_boot_info::nb_cpus field in only one place, and that
place can easily get the number of CPUs locally rather than relying
on the board code to have set the field correctly.  (At least one
board, xlnx-versal-virt, does not set the field despite having more
than one CPU.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20220127154639.2090164-16-peter.maydell@linaro.org
---
 include/hw/arm/boot.h   | 1 -
 hw/arm/aspeed.c         | 1 -
 hw/arm/boot.c           | 7 +++----
 hw/arm/exynos4_boards.c | 1 -
 hw/arm/highbank.c       | 1 -
 hw/arm/imx25_pdk.c      | 3 +--
 hw/arm/kzm.c            | 1 -
 hw/arm/mcimx6ul-evk.c   | 1 -
 hw/arm/mcimx7d-sabre.c  | 1 -
 hw/arm/npcm7xx.c        | 3 ---
 hw/arm/orangepi.c       | 4 +---
 hw/arm/raspi.c          | 1 -
 hw/arm/realview.c       | 1 -
 hw/arm/sabrelite.c      | 1 -
 hw/arm/sbsa-ref.c       | 1 -
 hw/arm/vexpress.c       | 1 -
 hw/arm/virt.c           | 1 -
 hw/arm/xilinx_zynq.c    | 1 -
 18 files changed, 5 insertions(+), 26 deletions(-)

diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/boot.h
+++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
     hwaddr smp_loader_start;
     hwaddr smp_bootreg_addr;
     hwaddr gic_cpu_if_addr;
-    int nb_cpus;
     int board_id;
     /* ARM machines that support the ARM Security Extensions use this field to
      * control whether Linux is booted as secure(true) or non-secure(false).
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_init(MachineState *machine)
 
     aspeed_board_binfo.ram_size = machine->ram_size;
     aspeed_board_binfo.loader_start = sc->memmap[ASPEED_DEV_SDRAM];
-    aspeed_board_binfo.nb_cpus = sc->num_cpus;
 
     if (amc->i2c_init) {
         amc->i2c_init(bmc);
diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
         elf_machine = EM_ARM;
     }
 
-    if (info->nb_cpus == 0)
-        info->nb_cpus = 1;
-
     /* Assume that raw images are linux kernels, and ELF images are not.  */
     kernel_size = arm_load_elf(info, &elf_entry, &image_low_addr,
                                &image_high_addr, elf_machine, as);
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
     AddressSpace *as = arm_boot_address_space(cpu, info);
     int boot_el;
     CPUARMState *env = &cpu->env;
+    int nb_cpus = 0;
 
     /*
      * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      */
     for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
         qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
+        nb_cpus++;
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
     }
 
     if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
-        info->is_linux && info->nb_cpus > 1) {
+        info->is_linux && nb_cpus > 1) {
         /*
          * We're booting Linux but not using PSCI, so for SMP we need
          * to write a custom secondary CPU boot loader stub, and arrange
diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@ static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
 static struct arm_boot_info exynos4_board_binfo = {
     .loader_start     = EXYNOS4210_BASE_BOOT_ADDR,
     .smp_loader_start = EXYNOS4210_SMP_BOOT_ADDR,
-    .nb_cpus          = EXYNOS4210_NCPUS,
     .write_secondary_boot = exynos4210_write_secondary,
 };
 
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
      * clear that the value is meaningless.
      */
     highbank_binfo.board_id = -1;
-    highbank_binfo.nb_cpus = smp_cpus;
     highbank_binfo.loader_start = 0;
     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
diff --git a/hw/arm/imx25_pdk.c b/hw/arm/imx25_pdk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/imx25_pdk.c
+++ b/hw/arm/imx25_pdk.c
@@ -XXX,XX +XXX,XX @@ static void imx25_pdk_init(MachineState *machine)
 
     imx25_pdk_binfo.ram_size = machine->ram_size;
     imx25_pdk_binfo.loader_start = FSL_IMX25_SDRAM0_ADDR;
-    imx25_pdk_binfo.board_id = 1771,
-    imx25_pdk_binfo.nb_cpus = 1;
+    imx25_pdk_binfo.board_id = 1771;
 
     for (i = 0; i < FSL_IMX25_NUM_ESDHCS; i++) {
         BusState *bus;
diff --git a/hw/arm/kzm.c b/hw/arm/kzm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/kzm.c
+++ b/hw/arm/kzm.c
@@ -XXX,XX +XXX,XX @@ static void kzm_init(MachineState *machine)
     }
 
     kzm_binfo.ram_size = machine->ram_size;
-    kzm_binfo.nb_cpus = 1;
 
     if (!qtest_enabled()) {
         arm_load_kernel(&s->soc.cpu, machine, &kzm_binfo);
diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mcimx6ul-evk.c
+++ b/hw/arm/mcimx6ul-evk.c
@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
         .loader_start = FSL_IMX6UL_MMDC_ADDR,
         .board_id = -1,
         .ram_size = machine->ram_size,
-        .nb_cpus = machine->smp.cpus,
         .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
     };
 
diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mcimx7d-sabre.c
+++ b/hw/arm/mcimx7d-sabre.c
@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
         .loader_start = FSL_IMX7_MMDC_ADDR,
         .board_id = -1,
         .ram_size = machine->ram_size,
-        .nb_cpus = machine->smp.cpus,
         .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
     };
 
diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/npcm7xx.c
+++ b/hw/arm/npcm7xx.c
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info npcm7xx_binfo = {
 
 void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc)
 {
-    NPCM7xxClass *sc = NPCM7XX_GET_CLASS(soc);
-
     npcm7xx_binfo.ram_size = machine->ram_size;
-    npcm7xx_binfo.nb_cpus = sc->num_cpus;
 
     arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo);
 }
diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/orangepi.c
+++ b/hw/arm/orangepi.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/qdev-properties.h"
 #include "hw/arm/allwinner-h3.h"
 
-static struct arm_boot_info orangepi_binfo = {
-    .nb_cpus = AW_H3_NUM_CPUS,
-};
+static struct arm_boot_info orangepi_binfo;
 
 static void orangepi_init(MachineState *machine)
 {
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, RaspiProcessorId processor_id,
 
     s->binfo.board_id = MACH_TYPE_BCM2708;
     s->binfo.ram_size = ram_size;
-    s->binfo.nb_cpus = machine->smp.cpus;
 
     if (processor_id <= PROCESSOR_ID_BCM2836) {
         /*
diff --git a/hw/arm/realview.c b/hw/arm/realview.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/realview.c
+++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@ static void realview_init(MachineState *machine,
     memory_region_add_subregion(sysmem, SMP_BOOT_ADDR, ram_hack);
 
     realview_binfo.ram_size = ram_size;
-    realview_binfo.nb_cpus = smp_cpus;
     realview_binfo.board_id = realview_board_id[board_type];
     realview_binfo.loader_start = (board_type == BOARD_PB_A8 ? 0x70000000 : 0);
     arm_load_kernel(ARM_CPU(first_cpu), machine, &realview_binfo);
diff --git a/hw/arm/sabrelite.c b/hw/arm/sabrelite.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sabrelite.c
+++ b/hw/arm/sabrelite.c
@@ -XXX,XX +XXX,XX @@ static void sabrelite_init(MachineState *machine)
     }
 
     sabrelite_binfo.ram_size = machine->ram_size;
-    sabrelite_binfo.nb_cpus = machine->smp.cpus;
     sabrelite_binfo.secure_boot = true;
     sabrelite_binfo.write_secondary_boot = sabrelite_write_secondary;
     sabrelite_binfo.secondary_cpu_reset_hook = sabrelite_reset_secondary;
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
     create_secure_ec(secure_sysmem);
 
     sms->bootinfo.ram_size = machine->ram_size;
-    sms->bootinfo.nb_cpus = smp_cpus;
     sms->bootinfo.board_id = -1;
     sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
     sms->bootinfo.get_dtb = sbsa_ref_dtb;
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
     }
 
     daughterboard->bootinfo.ram_size = machine->ram_size;
-    daughterboard->bootinfo.nb_cpus = machine->smp.cpus;
     daughterboard->bootinfo.board_id = VEXPRESS_BOARD_ID;
     daughterboard->bootinfo.loader_start = daughterboard->loader_start;
     daughterboard->bootinfo.smp_loader_start = map[VE_SRAM];
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
     }
 
     vms->bootinfo.ram_size = machine->ram_size;
-    vms->bootinfo.nb_cpus = smp_cpus;
     vms->bootinfo.board_id = -1;
     vms->bootinfo.loader_start = vms->memmap[VIRT_MEM].base;
     vms->bootinfo.get_dtb = machvirt_dtb;
diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xilinx_zynq.c
+++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)
     sysbus_mmio_map(busdev, 0, 0xF8007000);
 
     zynq_binfo.ram_size = machine->ram_size;
-    zynq_binfo.nb_cpus = 1;
     zynq_binfo.board_id = 0xd32;
     zynq_binfo.loader_start = 0;
     zynq_binfo.board_setup_addr = BOARD_SETUP_ADDR;
-- 
2.25.1

If we're using PSCI emulation, we add a /psci node to the device tree
we pass to the guest.  At the moment, if the dtb already has a /psci
node in it, we retain it, rather than replacing it. (This behaviour
was added in commit c39770cd637765 in 2018.)

This is a problem if the existing node doesn't match our PSCI
emulation.  In particular, it might specify the wrong method (HVC vs
SMC), or wrong function IDs for cpu_suspend/cpu_off/etc, in which
case the guest will not get the behaviour it wants when it makes PSCI
calls.

An example of this is trying to boot the highbank or midway board
models using the device tree supplied in the kernel sources: this
device tree includes a /psci node that specifies function IDs that
don't match the (PSCI 0.2 compliant) IDs that QEMU uses.  The dtb
cpu_suspend function ID happens to match the PSCI 0.2 cpu_off ID, so
the guest hangs after booting when the kernel tries to idle the CPU
and instead it gets turned off.

Instead of retaining an existing /psci node, delete it entirely
and replace it with a node whose properties match QEMU's PSCI
emulation behaviour. This matches the way we handle /memory nodes,
where we also delete any existing nodes and write in ones that
match the way QEMU is going to behave.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20220127154639.2090164-17-peter.maydell@linaro.org
---
 hw/arm/boot.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
     }
 
     /*
-     * If /psci node is present in provided DTB, assume that no fixup
-     * is necessary and all PSCI configuration should be taken as-is
+     * A pre-existing /psci node might specify function ID values
+     * that don't match QEMU's PSCI implementation. Delete the whole
+     * node and put our own in instead.
      */
     rc = fdt_path_offset(fdt, "/psci");
     if (rc >= 0) {
-        return;
+        qemu_fdt_nop_node(fdt, "/psci");
     }
 
     qemu_fdt_add_subnode(fdt, "/psci");
-- 
2.25.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Always call arm_load_kernel() regardless of kernel_filename being
set. This is needed because arm_load_kernel() sets up reset for
the CPUs.

Fixes: 6f16da53ff (hw/arm: versal: Add a virtual Xilinx Versal board)
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20220130110313.4045351-2-edgar.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/xlnx-versal-virt.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
     s->binfo.get_dtb = versal_virt_get_dtb;
     s->binfo.modify_dtb = versal_virt_modify_dtb;
     s->binfo.psci_conduit = psci_conduit;
-    if (machine->kernel_filename) {
-        arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
-    } else {
-        AddressSpace *as = arm_boot_address_space(&s->soc.fpd.apu.cpu[0],
-                                                  &s->binfo);
+    if (!machine->kernel_filename) {
         /* Some boot-loaders (e.g u-boot) don't like blobs at address 0 (NULL).
          * Offset things by 4K.  */
         s->binfo.loader_start = 0x1000;
         s->binfo.dtb_limit = 0x1000000;
-        if (arm_load_dtb(s->binfo.loader_start,
-                         &s->binfo, s->binfo.dtb_limit, as, machine) < 0) {
-            exit(EXIT_FAILURE);
-        }
     }
+    arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
 
     for (i = 0; i < XLNX_VERSAL_NUM_OSPI_FLASH; i++) {
         BusState *spi_bus;
-- 
2.25.1

From: Alex Bennée <alex.bennee@linaro.org>

The recently introduced debug tests in kvm-unit-tests exposed an error
in our handling of singlestep cause by stale hflags. This is caught by
--enable-debug-tcg when running the tests.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reported-by: Andrew Jones <drjones@redhat.com>
Tested-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220202122353.457084-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-a64.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ void HELPER(msr_i_daifset)(CPUARMState *env, uint32_t imm)
 {
     daif_check(env, 0x1e, imm, GETPC());
     env->daif |= (imm << 6) & PSTATE_DAIF;
+    arm_rebuild_hflags(env);
 }
 
 void HELPER(msr_i_daifclear)(CPUARMState *env, uint32_t imm)
 {
     daif_check(env, 0x1f, imm, GETPC());
     env->daif &= ~((imm << 6) & PSTATE_DAIF);
+    arm_rebuild_hflags(env);
 }
 
 /* Convert a softfloat float_relation_ (as returned by
-- 
2.25.1

From: Richard Petri <git@rpls.de>

Starting the SysTick timer and changing the clock source a the same time
will result in an error, if the previous clock period was zero. For exmaple,
on the mps2-tz platforms, no refclk is present. Right after reset, the
configured ptimer period is zero, and trying to enabling it will turn it off
right away. E.g., code running on the platform setting

SysTick->CTRL  = SysTick_CTRL_CLKSOURCE_Msk | SysTick_CTRL_ENABLE_Msk;

should change the clock source and enable the timer on real hardware, but
resulted in an error in qemu.

Signed-off-by: Richard Petri <git@rpls.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220201192650.289584-1-git@rpls.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/armv7m_systick.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/timer/armv7m_systick.c b/hw/timer/armv7m_systick.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/armv7m_systick.c
+++ b/hw/timer/armv7m_systick.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
         s->control &= 0xfffffff8;
         s->control |= value & 7;
 
+        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
+            systick_set_period_from_clock(s);
+        }
+
         if ((oldval ^ value) & SYSTICK_ENABLE) {
             if (value & SYSTICK_ENABLE) {
                 ptimer_run(s->ptimer, 0);
@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
                 ptimer_stop(s->ptimer);
             }
         }
-
-        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
-            systick_set_period_from_clock(s);
-        }
         ptimer_transaction_commit(s->ptimer);
         break;
     }
-- 
2.25.1

From: Eric Auger <eric.auger@redhat.com>

We currently miss a bunch of register resets in the device reset
function. This sometimes prevents the guest from rebooting after
a system_reset (with virtio-blk-pci). For instance, we may get
the following errors:

invalid STE
smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
Invalid read at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
invalid STE
smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
Invalid write at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
invalid STE

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20220202111602.627429-1-eric.auger@redhat.com
Fixes: 10a83cb988 ("hw/arm/smmuv3: Skeleton")
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->features = 0;
     s->sid_split = 0;
     s->aidr = 0x1;
+    s->cr[0] = 0;
+    s->cr0ack = 0;
+    s->irq_ctrl = 0;
+    s->gerror = 0;
+    s->gerrorn = 0;
+    s->statusr = 0;
 }
 
 static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
-- 
2.25.1

Currently the ITS accesses each 8-byte doubleword in a 4-doubleword
command packet with a separate address_space_ldq_le() call.  This is
awkward because the individual command processing functions have
ended up with code to handle "load more doublewords out of the
packet", which is both unwieldy and also a potential source of bugs
because it's not obvious when looking at a line that pulls a field
out of the 'value' variable which of the 4 doublewords that variable
currently holds.

Switch to using address_space_map() to map the whole command packet
at once and fish the four doublewords out of it.  Then each process_*
function can start with a few lines of code that extract the fields
it cares about.

This requires us to split out the guts of process_its_cmd() into a
new do_process_its_cmd(), because we were previously overloading the
value and offset arguments as a backdoor way to directly pass the
devid and eventid from a write to GITS_TRANSLATER.  The new
do_process_its_cmd() takes those arguments directly, and
process_its_cmd() is just a wrapper that does the "read fields from
command packet" part.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-2-peter.maydell@linaro.org
---
 hw/intc/gicv3_internal.h |   4 +-
 hw/intc/arm_gicv3_its.c  | 208 +++++++++++----------------------------
 2 files changed, 62 insertions(+), 150 deletions(-)

diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/gicv3_internal.h
+++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ FIELD(GITS_TYPER, CIL, 36, 1)
 #define LPI_CTE_ENABLED          TABLE_ENTRY_VALID_MASK
 #define LPI_PRIORITY_MASK         0xfc
 
-#define GITS_CMDQ_ENTRY_SIZE               32
-#define NUM_BYTES_IN_DW                     8
+#define GITS_CMDQ_ENTRY_WORDS 4
+#define GITS_CMDQ_ENTRY_SIZE  (GITS_CMDQ_ENTRY_WORDS * sizeof(uint64_t))
 
 #define CMD_MASK                  0xff
 
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
  * 3. handling of ITS CLEAR command
  * 4. handling of ITS DISCARD command
  */
-static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
-                                    uint32_t offset, ItsCmdType cmd)
+static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
+                                       uint32_t eventid, ItsCmdType cmd)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
-    uint32_t devid, eventid;
     MemTxResult res = MEMTX_OK;
     bool dte_valid;
     uint64_t dte = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
     bool cte_valid = false;
     uint64_t rdbase;
 
-    if (cmd == NONE) {
-        devid = offset;
-    } else {
-        devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
-
-        offset += NUM_BYTES_IN_DW;
-        value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                     MEMTXATTRS_UNSPECIFIED, &res);
-    }
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    eventid = (value & EVENTID_MASK);
-
     if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: devid %d>=%d",
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
     }
     return CMD_CONTINUE;
 }
-
-static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
-                                  uint32_t offset, bool ignore_pInt)
+static ItsCmdResult process_its_cmd(GICv3ITSState *s, const uint64_t *cmdpkt,
+                                    ItsCmdType cmd)
+{
+    uint32_t devid, eventid;
+
+    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
+    eventid = cmdpkt[1] & EVENTID_MASK;
+    return do_process_its_cmd(s, devid, eventid, cmd);
+}
+
+static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
+                                  bool ignore_pInt)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
     uint32_t devid, eventid;
     uint32_t pIntid = 0;
     uint64_t num_eventids;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
     uint64_t dte = 0;
     IteEntry ite = {};
 
-    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    eventid = (value & EVENTID_MASK);
+    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
+    eventid = cmdpkt[1] & EVENTID_MASK;
 
     if (ignore_pInt) {
         pIntid = eventid;
     } else {
-        pIntid = ((value & pINTID_MASK) >> pINTID_SHIFT);
+        pIntid = (cmdpkt[1] & pINTID_MASK) >> pINTID_SHIFT;
     }
 
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    icid = value & ICID_MASK;
+    icid = cmdpkt[2] & ICID_MASK;
 
     if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
     return res == MEMTX_OK;
 }
 
-static ItsCmdResult process_mapc(GICv3ITSState *s, uint32_t offset)
+static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
     uint16_t icid;
     uint64_t rdbase;
     bool valid;
-    MemTxResult res = MEMTX_OK;
-    uint64_t value;
 
-    offset += NUM_BYTES_IN_DW;
-    offset += NUM_BYTES_IN_DW;
+    icid = cmdpkt[2] & ICID_MASK;
 
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    icid = value & ICID_MASK;
-
-    rdbase = (value & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
+    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
     rdbase &= RDBASE_PROCNUM_MASK;
 
-    valid = (value & CMD_FIELD_VALID_MASK);
+    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 
     if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
         qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
     return res == MEMTX_OK;
 }
 
-static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
-                                 uint32_t offset)
+static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
     uint32_t devid;
     uint8_t size;
     uint64_t itt_addr;
     bool valid;
-    MemTxResult res = MEMTX_OK;
 
-    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
-
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    size = (value & SIZE_MASK);
-
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    itt_addr = (value & ITTADDR_MASK) >> ITTADDR_SHIFT;
-
-    valid = (value & CMD_FIELD_VALID_MASK);
+    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
+    size = cmdpkt[1] & SIZE_MASK;
+    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
+    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 
     if ((devid >= s->dt.num_entries) ||
         (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
     return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
 }
 
-static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
-                                   uint32_t offset)
+static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
-    MemTxResult res = MEMTX_OK;
     uint64_t rd1, rd2;
 
-    /* No fields in dwords 0 or 1 */
-    offset += NUM_BYTES_IN_DW;
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
+    rd1 = FIELD_EX64(cmdpkt[2], MOVALL_2, RDBASE1);
+    rd2 = FIELD_EX64(cmdpkt[3], MOVALL_3, RDBASE2);
 
-    rd1 = FIELD_EX64(value, MOVALL_2, RDBASE1);
     if (rd1 >= s->gicv3->num_cpu) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: RDBASE1 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
                       __func__, rd1, s->gicv3->num_cpu);
         return CMD_CONTINUE;
     }
-
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-
-    rd2 = FIELD_EX64(value, MOVALL_3, RDBASE2);
     if (rd2 >= s->gicv3->num_cpu) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: RDBASE2 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
     return CMD_CONTINUE;
 }
 
-static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
-                                 uint32_t offset)
+static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
-    AddressSpace *as = &s->gicv3->dma_as;
     MemTxResult res = MEMTX_OK;
     uint32_t devid, eventid, intid;
     uint16_t old_icid, new_icid;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
     uint64_t num_eventids;
     IteEntry ite = {};
 
-    devid = FIELD_EX64(value, MOVI_0, DEVICEID);
-
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-    eventid = FIELD_EX64(value, MOVI_1, EVENTID);
-
-    offset += NUM_BYTES_IN_DW;
-    value = address_space_ldq_le(as, s->cq.base_addr + offset,
-                                 MEMTXATTRS_UNSPECIFIED, &res);
-    if (res != MEMTX_OK) {
-        return CMD_STALL;
-    }
-    new_icid = FIELD_EX64(value, MOVI_2, ICID);
+    devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
+    eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
+    new_icid = FIELD_EX64(cmdpkt[2], MOVI_2, ICID);
 
     if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
     uint32_t wr_offset = 0;
     uint32_t rd_offset = 0;
     uint32_t cq_offset = 0;
-    uint64_t data;
     AddressSpace *as = &s->gicv3->dma_as;
-    MemTxResult res = MEMTX_OK;
     uint8_t cmd;
     int i;
 
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
 
     while (wr_offset != rd_offset) {
         ItsCmdResult result = CMD_CONTINUE;
+        void *hostmem;
+        hwaddr buflen;
+        uint64_t cmdpkt[GITS_CMDQ_ENTRY_WORDS];
 
         cq_offset = (rd_offset * GITS_CMDQ_ENTRY_SIZE);
-        data = address_space_ldq_le(as, s->cq.base_addr + cq_offset,
-                                    MEMTXATTRS_UNSPECIFIED, &res);
-        if (res != MEMTX_OK) {
+
+        buflen = GITS_CMDQ_ENTRY_SIZE;
+        hostmem = address_space_map(as, s->cq.base_addr + cq_offset,
+                                    &buflen, false, MEMTXATTRS_UNSPECIFIED);
+        if (!hostmem || buflen != GITS_CMDQ_ENTRY_SIZE) {
+            if (hostmem) {
+                address_space_unmap(as, hostmem, buflen, false, 0);
+            }
             s->creadr = FIELD_DP64(s->creadr, GITS_CREADR, STALLED, 1);
             qemu_log_mask(LOG_GUEST_ERROR,
                           "%s: could not read command at 0x%" PRIx64 "\n",
                           __func__, s->cq.base_addr + cq_offset);
             break;
         }
+        for (i = 0; i < ARRAY_SIZE(cmdpkt); i++) {
+            cmdpkt[i] = ldq_le_p(hostmem + i * sizeof(uint64_t));
+        }
+        address_space_unmap(as, hostmem, buflen, false, 0);
 
-        cmd = (data & CMD_MASK);
+        cmd = cmdpkt[0] & CMD_MASK;
 
         trace_gicv3_its_process_command(rd_offset, cmd);
 
         switch (cmd) {
         case GITS_CMD_INT:
-            result = process_its_cmd(s, data, cq_offset, INTERRUPT);
+            result = process_its_cmd(s, cmdpkt, INTERRUPT);
             break;
         case GITS_CMD_CLEAR:
-            result = process_its_cmd(s, data, cq_offset, CLEAR);
+            result = process_its_cmd(s, cmdpkt, CLEAR);
             break;
         case GITS_CMD_SYNC:
             /*
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
              */
             break;
         case GITS_CMD_MAPD:
-            result = process_mapd(s, data, cq_offset);
+            result = process_mapd(s, cmdpkt);
             break;
         case GITS_CMD_MAPC:
-            result = process_mapc(s, cq_offset);
+            result = process_mapc(s, cmdpkt);
             break;
         case GITS_CMD_MAPTI:
-            result = process_mapti(s, data, cq_offset, false);
+            result = process_mapti(s, cmdpkt, false);
             break;
         case GITS_CMD_MAPI:
-            result = process_mapti(s, data, cq_offset, true);
+            result = process_mapti(s, cmdpkt, true);
             break;
         case GITS_CMD_DISCARD:
-            result = process_its_cmd(s, data, cq_offset, DISCARD);
+            result = process_its_cmd(s, cmdpkt, DISCARD);
             break;
         case GITS_CMD_INV:
         case GITS_CMD_INVALL:
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
             }
             break;
         case GITS_CMD_MOVI:
-            result = process_movi(s, data, cq_offset);
+            result = process_movi(s, cmdpkt);
             break;
         case GITS_CMD_MOVALL:
-            result = process_movall(s, data, cq_offset);
+            result = process_movall(s, cmdpkt);
             break;
         default:
             break;
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_translation_write(void *opaque, hwaddr offset,
 {
     GICv3ITSState *s = (GICv3ITSState *)opaque;
     bool result = true;
-    uint32_t devid = 0;
 
     trace_gicv3_its_translation_write(offset, data, size, attrs.requester_id);
 
     switch (offset) {
     case GITS_TRANSLATER:
         if (s->ctlr & R_GITS_CTLR_ENABLED_MASK) {
-            devid = attrs.requester_id;
-            result = process_its_cmd(s, data, devid, NONE);
+            result = do_process_its_cmd(s, attrs.requester_id, data, NONE);
         }
         break;
     default:
-- 
2.25.1

In the ITS, a DTE is an entry in the device table, which contains
multiple fields. Currently the function get_dte() which reads one
entry from the device table returns it as a raw 64-bit integer,
which we then pass around in that form, only extracting fields
from it as we need them.

Create a real C struct with the same fields as the DTE, and
populate it in get_dte(), so that that function and update_dte()
are the only ones that need to care about the in-guest-memory
format of the DTE.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-3-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 111 ++++++++++++++++++++--------------------
 1 file changed, 56 insertions(+), 55 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint64_t itel;
 } IteEntry;
 
+typedef struct DTEntry {
+    bool valid;
+    unsigned size;
+    uint64_t ittaddr;
+} DTEntry;
+
 /*
  * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
  * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool get_cte(GICv3ITSState *s, uint16_t icid, uint64_t *cte,
     return FIELD_EX64(*cte, CTE, VALID);
 }
 
-static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
+static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                        IteEntry ite)
 {
     AddressSpace *as = &s->gicv3->dma_as;
-    uint64_t itt_addr;
     MemTxResult res = MEMTX_OK;
 
-    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
-    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
-
-    address_space_stq_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
+    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                          sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
                          &res);
 
     if (res == MEMTX_OK) {
-        address_space_stl_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
+        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                              sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
                              MEMTXATTRS_UNSPECIFIED, &res);
     }
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
     }
 }
 
-static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
+static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                     uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
 {
     AddressSpace *as = &s->gicv3->dma_as;
-    uint64_t itt_addr;
     bool status = false;
     IteEntry ite = {};
 
-    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
-    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
-
-    ite.itel = address_space_ldq_le(as, itt_addr +
+    ite.itel = address_space_ldq_le(as, dte->ittaddr +
                                     (eventid * (sizeof(uint64_t) +
                                     sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
                                     res);
 
     if (*res == MEMTX_OK) {
-        ite.iteh = address_space_ldl_le(as, itt_addr +
+        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
                                         (eventid * (sizeof(uint64_t) +
                                         sizeof(uint32_t))) + sizeof(uint32_t),
                                         MEMTXATTRS_UNSPECIFIED, res);
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
     return status;
 }
 
-static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
+/*
+ * Read the Device Table entry at index @devid. On success (including
+ * successfully determining that there is no valid DTE for this index),
+ * we return MEMTX_OK and populate the DTEntry struct accordingly.
+ * If there is an error reading memory then we return the error code.
+ */
+static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
 {
+    MemTxResult res = MEMTX_OK;
     AddressSpace *as = &s->gicv3->dma_as;
-    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, res);
+    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, &res);
+    uint64_t dteval;
 
     if (entry_addr == -1) {
-        return 0; /* a DTE entry with the Valid bit clear */
+        /* No L2 table entry, i.e. no valid DTE, or a memory error */
+        dte->valid = false;
+        return res;
     }
-    return address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, res);
+    dteval = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, &res);
+    if (res != MEMTX_OK) {
+        return res;
+    }
+    dte->valid = FIELD_EX64(dteval, DTE, VALID);
+    dte->size = FIELD_EX64(dteval, DTE, SIZE);
+    /* DTE word field stores bits [51:8] of the ITT address */
+    dte->ittaddr = FIELD_EX64(dteval, DTE, ITTADDR) << ITTADDR_SHIFT;
+    return MEMTX_OK;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                        uint32_t eventid, ItsCmdType cmd)
 {
     MemTxResult res = MEMTX_OK;
-    bool dte_valid;
-    uint64_t dte = 0;
     uint64_t num_eventids;
     uint16_t icid = 0;
     uint32_t pIntid = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
     uint64_t cte = 0;
     bool cte_valid = false;
     uint64_t rdbase;
+    DTEntry dte;
 
     if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
         return CMD_CONTINUE;
     }
 
-    dte = get_dte(s, devid, &res);
-
-    if (res != MEMTX_OK) {
+    if (get_dte(s, devid, &dte) != MEMTX_OK) {
         return CMD_STALL;
     }
-    dte_valid = FIELD_EX64(dte, DTE, VALID);
-
-    if (!dte_valid) {
+    if (!dte.valid) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: "
-                      "invalid dte: %"PRIx64" for %d\n",
-                      __func__, dte, devid);
+                      "invalid dte for %d\n", __func__, devid);
         return CMD_CONTINUE;
     }
 
-    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
-
+    num_eventids = 1ULL << (dte.size + 1);
     if (eventid >= num_eventids) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
         return CMD_CONTINUE;
     }
 
-    ite_valid = get_ite(s, eventid, dte, &icid, &pIntid, &res);
+    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
     if (res != MEMTX_OK) {
         return CMD_STALL;
     }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
     if (cmd == DISCARD) {
         IteEntry ite = {};
         /* remove mapping from interrupt translation table */
-        return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
+        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
     }
     return CMD_CONTINUE;
 }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     uint32_t pIntid = 0;
     uint64_t num_eventids;
     uint32_t num_intids;
-    bool dte_valid;
-    MemTxResult res = MEMTX_OK;
     uint16_t icid = 0;
-    uint64_t dte = 0;
     IteEntry ite = {};
+    DTEntry dte;
 
     devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
     eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
         return CMD_CONTINUE;
     }
 
-    dte = get_dte(s, devid, &res);
-
-    if (res != MEMTX_OK) {
+    if (get_dte(s, devid, &dte) != MEMTX_OK) {
         return CMD_STALL;
     }
-    dte_valid = FIELD_EX64(dte, DTE, VALID);
-    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
+    num_eventids = 1ULL << (dte.size + 1);
     num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
 
     if ((icid >= s->ct.num_entries)
-            || !dte_valid || (eventid >= num_eventids) ||
+            || !dte.valid || (eventid >= num_eventids) ||
             (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
              (pIntid != INTID_SPURIOUS))) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes "
                       "icid %d or eventid %d or pIntid %d or"
                       "unmapped dte %d\n", __func__, icid, eventid,
-                      pIntid, dte_valid);
+                      pIntid, dte.valid);
         /*
          * in this implementation, in case of error
          * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     }
 
     /* add ite entry to interrupt translation table */
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, dte_valid);
+    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
     ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
 
-    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
+    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
 static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
     uint16_t old_icid, new_icid;
     uint64_t old_cte, new_cte;
     uint64_t old_rdbase, new_rdbase;
-    uint64_t dte;
-    bool dte_valid, ite_valid, cte_valid;
+    bool ite_valid, cte_valid;
     uint64_t num_eventids;
     IteEntry ite = {};
+    DTEntry dte;
 
     devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
     eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
                       __func__, devid, s->dt.num_entries);
         return CMD_CONTINUE;
     }
-    dte = get_dte(s, devid, &res);
-    if (res != MEMTX_OK) {
+    if (get_dte(s, devid, &dte) != MEMTX_OK) {
         return CMD_STALL;
     }
 
-    dte_valid = FIELD_EX64(dte, DTE, VALID);
-    if (!dte_valid) {
+    if (!dte.valid) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: "
-                      "invalid dte: %"PRIx64" for %d\n",
-                      __func__, dte, devid);
+                      "invalid dte for %d\n", __func__, devid);
         return CMD_CONTINUE;
     }
 
-    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
+    num_eventids = 1ULL << (dte.size + 1);
     if (eventid >= num_eventids) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
         return CMD_CONTINUE;
     }
 
-    ite_valid = get_ite(s, eventid, dte, &old_icid, &intid, &res);
+    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
     if (res != MEMTX_OK) {
         return CMD_STALL;
     }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
     ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
-    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
+    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
 /*
-- 
2.25.1

Make update_dte() take a DTEntry struct rather than all the fields of
the new DTE as separate arguments.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-4-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
     return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
 }
 
-static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
-                       uint8_t size, uint64_t itt_addr)
+/*
+ * Update the Device Table entry for @devid to @dte. Returns true
+ * on success, false if there was a memory access error.
+ */
+static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
 {
     AddressSpace *as = &s->gicv3->dma_as;
     uint64_t entry_addr;
-    uint64_t dte = 0;
+    uint64_t dteval = 0;
     MemTxResult res = MEMTX_OK;
 
     if (s->dt.valid) {
-        if (valid) {
+        if (dte->valid) {
             /* add mapping entry to device table */
-            dte = FIELD_DP64(dte, DTE, VALID, 1);
-            dte = FIELD_DP64(dte, DTE, SIZE, size);
-            dte = FIELD_DP64(dte, DTE, ITTADDR, itt_addr);
+            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
+            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
+            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
         }
     } else {
         return true;
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
         /* No L2 table for this index: discard write and continue */
         return true;
     }
-    address_space_stq_le(as, entry_addr, dte, MEMTXATTRS_UNSPECIFIED, &res);
+    address_space_stq_le(as, entry_addr, dteval, MEMTXATTRS_UNSPECIFIED, &res);
     return res == MEMTX_OK;
 }
 
 static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
     uint32_t devid;
-    uint8_t size;
-    uint64_t itt_addr;
-    bool valid;
+    DTEntry dte;
 
     devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
-    size = cmdpkt[1] & SIZE_MASK;
-    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
-    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
+    dte.size = cmdpkt[1] & SIZE_MASK;
+    dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
+    dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 
     if ((devid >= s->dt.num_entries) ||
-        (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
+        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "ITS MAPD: invalid device table attributes "
-                      "devid %d or size %d\n", devid, size);
+                      "devid %d or size %d\n", devid, dte.size);
         /*
          * in this implementation, in case of error
          * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
         return CMD_CONTINUE;
     }
 
-    return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
+    return update_dte(s, devid, &dte) ? CMD_CONTINUE : CMD_STALL;
 }
 
 static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
-- 
2.25.1

In the ITS, a CTE is an entry in the collection table, which contains
multiple fields. Currently the function get_cte() which reads one
entry from the device table returns a success/failure boolean and
passes back the raw 64-bit integer CTE value via a pointer argument.
We then extract fields from the CTE as we need them.

Create a real C struct with the same fields as the CTE, and
populate it in get_cte(), so that that function and update_cte()
are the only ones which need to care about the in-guest-memory
format of the CTE.

This brings get_cte()'s API into line with get_dte().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-5-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 96 ++++++++++++++++++++++-------------------
 1 file changed, 52 insertions(+), 44 deletions(-)

Make update_cte() take a CTEntry struct rather than all the fields
of the new CTE as separate arguments.

This brings it into line with the update_dte() API.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-6-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
-static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
-                       uint64_t rdbase)
+/*
+ * Update the Collection Table entry for @icid to @cte. Returns true
+ * on success, false if there was a memory access error.
+ */
+static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
 {
     AddressSpace *as = &s->gicv3->dma_as;
     uint64_t entry_addr;
-    uint64_t cte = 0;
+    uint64_t cteval = 0;
     MemTxResult res = MEMTX_OK;
 
     if (!s->ct.valid) {
         return true;
     }
 
-    if (valid) {
+    if (cte->valid) {
         /* add mapping entry to collection table */
-        cte = FIELD_DP64(cte, CTE, VALID, 1);
-        cte = FIELD_DP64(cte, CTE, RDBASE, rdbase);
+        cteval = FIELD_DP64(cteval, CTE, VALID, 1);
+        cteval = FIELD_DP64(cteval, CTE, RDBASE, cte->rdbase);
     }
 
     entry_addr = table_entry_addr(s, &s->ct, icid, &res);
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
         return true;
     }
 
-    address_space_stq_le(as, entry_addr, cte, MEMTXATTRS_UNSPECIFIED, &res);
+    address_space_stq_le(as, entry_addr, cteval, MEMTXATTRS_UNSPECIFIED, &res);
     return res == MEMTX_OK;
 }
 
 static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
     uint16_t icid;
-    uint64_t rdbase;
-    bool valid;
+    CTEntry cte;
 
     icid = cmdpkt[2] & ICID_MASK;
 
-    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
-    rdbase &= RDBASE_PROCNUM_MASK;
+    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
+    cte.rdbase &= RDBASE_PROCNUM_MASK;
 
-    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
+    cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 
-    if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
+    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "ITS MAPC: invalid collection table attributes "
-                      "icid %d rdbase %" PRIu64 "\n",  icid, rdbase);
+                      "icid %d rdbase %u\n",  icid, cte.rdbase);
         /*
          * in this implementation, in case of error
          * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
         return CMD_CONTINUE;
     }
 
-    return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
+    return update_cte(s, icid, &cte) ? CMD_CONTINUE : CMD_STALL;
 }
 
 /*
-- 
2.25.1

In get_ite() and update_ite() we work with a 12-byte in-guest-memory
table entry, which we intend to handle as an 8-byte value followed by
a 4-byte value.  Unfortunately the calculation of the address of the
4-byte value is wrong, because we write it as:

table_base_address + (index * entrysize) + 4
(obfuscated by the way the expression has been written)

when it should be + 8.  This bug meant that we overwrote the top
bytes of the 8-byte value with the 4-byte value.  There are no
guest-visible effects because the top half of the 8-byte value
contains only the doorbell interrupt field, which is used only in
GICv4, and the two bugs in the "write ITE" and "read ITE" codepaths
cancel each other out.

We can't simply change the calculation, because this would break
migration of a (TCG) guest from the old version of QEMU which had
in-guest-memory interrupt tables written using the buggy version of
update_ite().  We must also at the same time change the layout of the
fields within the ITE_L and ITE_H values so that the in-memory
locations of the fields we care about (VALID, INTTYPE, INTID and
ICID) stay the same.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-7-peter.maydell@linaro.org
---
 hw/intc/gicv3_internal.h | 19 ++++++++++---------
 hw/intc/arm_gicv3_its.c  | 28 +++++++++++-----------------
 2 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/gicv3_internal.h
+++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ FIELD(MOVI_2, ICID, 0, 16)
  * 12 bytes Interrupt translation Table Entry size
  * as per Table 5.3 in GICv3 spec
  * ITE Lower 8 Bytes
- *   Bits:    | 49 ... 26 | 25 ... 2 |   1     |   0    |
- *   Values:  |  Doorbell |  IntNum  | IntType |  Valid |
+ *   Bits:    | 63 ... 48 | 47 ... 32 | 31 ... 26 | 25 ... 2 |   1     |  0    |
+ *   Values:  | vPEID     | ICID      | unused    |  IntNum  | IntType | Valid |
  * ITE Higher 4 Bytes
- *   Bits:    | 31 ... 16 | 15 ...0 |
- *   Values:  |  vPEID    |  ICID   |
- * (When Doorbell is unused, as it always is in GICv3, it is 1023)
+ *   Bits:    | 31 ... 25 | 24 ... 0 |
+ *   Values:  | unused    | Doorbell |
+ * (When Doorbell is unused, as it always is for INTYPE_PHYSICAL,
+ * the value of that field in memory cannot be relied upon -- older
+ * versions of QEMU did not correctly write to that memory.)
  */
 #define ITS_ITT_ENTRY_SIZE            0xC
 
 FIELD(ITE_L, VALID, 0, 1)
 FIELD(ITE_L, INTTYPE, 1, 1)
 FIELD(ITE_L, INTID, 2, 24)
-FIELD(ITE_L, DOORBELL, 26, 24)
-
-FIELD(ITE_H, ICID, 0, 16)
-FIELD(ITE_H, VPEID, 16, 16)
+FIELD(ITE_L, ICID, 32, 16)
+FIELD(ITE_L, VPEID, 48, 16)
+FIELD(ITE_H, DOORBELL, 0, 24)
 
 /* Possible values for ITE_L INTTYPE */
 #define ITE_INTTYPE_VIRTUAL 0
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
 {
     AddressSpace *as = &s->gicv3->dma_as;
     MemTxResult res = MEMTX_OK;
+    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 
-    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
-                         sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
-                         &res);
+    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
 
     if (res == MEMTX_OK) {
-        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
-                             sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
+        address_space_stl_le(as, iteaddr + 8, ite.iteh,
                              MEMTXATTRS_UNSPECIFIED, &res);
     }
     if (res != MEMTX_OK) {
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
     AddressSpace *as = &s->gicv3->dma_as;
     bool status = false;
     IteEntry ite = {};
+    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 
-    ite.itel = address_space_ldq_le(as, dte->ittaddr +
-                                    (eventid * (sizeof(uint64_t) +
-                                    sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
-                                    res);
+    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
 
     if (*res == MEMTX_OK) {
-        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
-                                        (eventid * (sizeof(uint64_t) +
-                                        sizeof(uint32_t))) + sizeof(uint32_t),
+        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
                                         MEMTXATTRS_UNSPECIFIED, res);
 
         if (*res == MEMTX_OK) {
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                 int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
                 if (inttype == ITE_INTTYPE_PHYSICAL) {
                     *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
-                    *icid = FIELD_EX32(ite.iteh, ITE_H, ICID);
+                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
                     status = true;
                 }
             }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
+    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
+    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
 
     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
+    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
+    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
-- 
2.25.1

The get_ite() code has some awkward nested if statements; clean
them up by returning early if the memory accesses fail.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-8-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 
     ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
+    if (*res != MEMTX_OK) {
+        return false;
+    }
 
-    if (*res == MEMTX_OK) {
-        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
-                                        MEMTXATTRS_UNSPECIFIED, res);
+    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
+                                    MEMTXATTRS_UNSPECIFIED, res);
+    if (*res != MEMTX_OK) {
+        return false;
+    }
 
-        if (*res == MEMTX_OK) {
-            if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
-                int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
-                if (inttype == ITE_INTTYPE_PHYSICAL) {
-                    *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
-                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
-                    status = true;
-                }
-            }
+    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
+        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
+        if (inttype == ITE_INTTYPE_PHYSICAL) {
+            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
+            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
+            status = true;
         }
     }
     return status;
-- 
2.25.1

In get_ite() we currently return the caller some of the fields of an
Interrupt Table Entry via a set of pointer arguments, and validate
some of them internally (interrupt type and valid bit) to return a
simple true/false 'valid' indication. Define a new ITEntry struct
which has all the fields that the in-memory ITE has, and bring the
get_ite() function in to line with get_dte() and get_cte().

This paves the way for handling virtual interrupts, which will want
a different subset of the fields in the ITE. Handling them under
the old "lots of pointer arguments" scheme would have meant a
confusingly large set of arguments for this function.

The new struct ITEntry is obviously confusably similar to the
existing IteEntry struct, whose fields are the raw 12 bytes
of the in-memory ITE. In the next commit we will make update_ite()
use ITEntry instead of IteEntry, which will allow us to delete
the IteEntry struct and remove the confusion.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-9-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 102 ++++++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 47 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct CTEntry {
     uint32_t rdbase;
 } CTEntry;
 
+typedef struct ITEntry {
+    bool valid;
+    int inttype;
+    uint32_t intid;
+    uint32_t doorbell;
+    uint32_t icid;
+    uint32_t vpeid;
+} ITEntry;
+
+
 /*
  * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
  * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
     }
 }
 
-static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
-                    uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
+/*
+ * Read the Interrupt Table entry at index @eventid from the table specified
+ * by the DTE @dte. On success, we return MEMTX_OK and populate the ITEntry
+ * struct @ite accordingly. If there is an error reading memory then we return
+ * the error code.
+ */
+static MemTxResult get_ite(GICv3ITSState *s, uint32_t eventid,
+                           const DTEntry *dte, ITEntry *ite)
 {
     AddressSpace *as = &s->gicv3->dma_as;
-    bool status = false;
-    IteEntry ite = {};
+    MemTxResult res = MEMTX_OK;
+    uint64_t itel;
+    uint32_t iteh;
     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 
-    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
-    if (*res != MEMTX_OK) {
-        return false;
+    itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, &res);
+    if (res != MEMTX_OK) {
+        return res;
     }
 
-    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
-                                    MEMTXATTRS_UNSPECIFIED, res);
-    if (*res != MEMTX_OK) {
-        return false;
+    iteh = address_space_ldl_le(as, iteaddr + 8, MEMTXATTRS_UNSPECIFIED, &res);
+    if (res != MEMTX_OK) {
+        return res;
     }
 
-    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
-        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
-        if (inttype == ITE_INTTYPE_PHYSICAL) {
-            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
-            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
-            status = true;
-        }
-    }
-    return status;
+    ite->valid = FIELD_EX64(itel, ITE_L, VALID);
+    ite->inttype = FIELD_EX64(itel, ITE_L, INTTYPE);
+    ite->intid = FIELD_EX64(itel, ITE_L, INTID);
+    ite->icid = FIELD_EX64(itel, ITE_L, ICID);
+    ite->vpeid = FIELD_EX64(itel, ITE_L, VPEID);
+    ite->doorbell = FIELD_EX64(iteh, ITE_H, DOORBELL);
+    return MEMTX_OK;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
 static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                        uint32_t eventid, ItsCmdType cmd)
 {
-    MemTxResult res = MEMTX_OK;
     uint64_t num_eventids;
-    uint16_t icid = 0;
-    uint32_t pIntid = 0;
-    bool ite_valid = false;
     DTEntry dte;
     CTEntry cte;
+    ITEntry ite;
 
     if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
         return CMD_CONTINUE;
     }
 
-    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
-    if (res != MEMTX_OK) {
+    if (get_ite(s, eventid, &dte, &ite) != MEMTX_OK) {
         return CMD_STALL;
     }
 
-    if (!ite_valid) {
+    if (!ite.valid || ite.inttype != ITE_INTTYPE_PHYSICAL) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: invalid ITE\n",
                       __func__);
         return CMD_CONTINUE;
     }
 
-    if (icid >= s->ct.num_entries) {
+    if (ite.icid >= s->ct.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
-                      __func__, icid);
+                      __func__, ite.icid);
         return CMD_CONTINUE;
     }
 
-    if (get_cte(s, icid, &cte) != MEMTX_OK) {
+    if (get_cte(s, ite.icid, &cte) != MEMTX_OK) {
         return CMD_STALL;
     }
     if (!cte.valid) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
     }
 
     if ((cmd == CLEAR) || (cmd == DISCARD)) {
-        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 0);
+        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 0);
     } else {
-        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 1);
+        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 1);
     }
 
     if (cmd == DISCARD) {
-        IteEntry ite = {};
+        IteEntry itee = {};
         /* remove mapping from interrupt translation table */
-        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
     }
     return CMD_CONTINUE;
 }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
 
 static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
 {
-    MemTxResult res = MEMTX_OK;
-    uint32_t devid, eventid, intid;
-    uint16_t old_icid, new_icid;
-    bool ite_valid;
+    uint32_t devid, eventid;
+    uint16_t new_icid;
     uint64_t num_eventids;
     IteEntry ite = {};
     DTEntry dte;
     CTEntry old_cte, new_cte;
+    ITEntry old_ite;
 
     devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
     eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
         return CMD_CONTINUE;
     }
 
-    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
-    if (res != MEMTX_OK) {
+    if (get_ite(s, eventid, &dte, &old_ite) != MEMTX_OK) {
         return CMD_STALL;
     }
 
-    if (!ite_valid) {
+    if (!old_ite.valid || old_ite.inttype != ITE_INTTYPE_PHYSICAL) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: invalid ITE\n",
                       __func__);
         return CMD_CONTINUE;
     }
 
-    if (old_icid >= s->ct.num_entries) {
+    if (old_ite.icid >= s->ct.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
-                      __func__, old_icid);
+                      __func__, old_ite.icid);
         return CMD_CONTINUE;
     }
 
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
         return CMD_CONTINUE;
     }
 
-    if (get_cte(s, old_icid, &old_cte) != MEMTX_OK) {
+    if (get_cte(s, old_ite.icid, &old_cte) != MEMTX_OK) {
         return CMD_STALL;
     }
     if (!old_cte.valid) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes: "
                       "invalid CTE for old ICID 0x%x\n",
-                      __func__, old_icid);
+                      __func__, old_ite.icid);
         return CMD_CONTINUE;
     }
 
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
         /* Move the LPI from the old redistributor to the new one */
         gicv3_redist_mov_lpi(&s->gicv3->cpu[old_cte.rdbase],
                              &s->gicv3->cpu[new_cte.rdbase],
-                             intid);
+                             old_ite.intid);
     }
 
     /* Update the ICID field in the interrupt translation table entry */
     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
+    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
     ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
     ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
-- 
2.25.1

Make the update_ite() struct use the new ITEntry struct, so that
callers don't need to assemble the in-memory ITE data themselves, and
only get_ite() and update_ite() need to care about that in-memory
layout.  We can then drop the no-longer-used IteEntry struct
definition.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-10-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 62 +++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 30 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef enum ItsCmdType {
     INTERRUPT = 3,
 } ItsCmdType;
 
-typedef struct {
-    uint32_t iteh;
-    uint64_t itel;
-} IteEntry;
-
 typedef struct DTEntry {
     bool valid;
     unsigned size;
@@ -XXX,XX +XXX,XX @@ static MemTxResult get_cte(GICv3ITSState *s, uint16_t icid, CTEntry *cte)
     return MEMTX_OK;
 }
 
+/*
+ * Update the Interrupt Table entry at index @evinted in the table specified
+ * by the dte @dte. Returns true on success, false if there was a memory
+ * access error.
+ */
 static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
-                       IteEntry ite)
+                       const ITEntry *ite)
 {
     AddressSpace *as = &s->gicv3->dma_as;
     MemTxResult res = MEMTX_OK;
     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+    uint64_t itel = 0;
+    uint32_t iteh = 0;
 
-    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
-
-    if (res == MEMTX_OK) {
-        address_space_stl_le(as, iteaddr + 8, ite.iteh,
-                             MEMTXATTRS_UNSPECIFIED, &res);
+    if (ite->valid) {
+        itel = FIELD_DP64(itel, ITE_L, VALID, 1);
+        itel = FIELD_DP64(itel, ITE_L, INTTYPE, ite->inttype);
+        itel = FIELD_DP64(itel, ITE_L, INTID, ite->intid);
+        itel = FIELD_DP64(itel, ITE_L, ICID, ite->icid);
+        itel = FIELD_DP64(itel, ITE_L, VPEID, ite->vpeid);
+        iteh = FIELD_DP32(iteh, ITE_H, DOORBELL, ite->doorbell);
     }
+
+    address_space_stq_le(as, iteaddr, itel, MEMTXATTRS_UNSPECIFIED, &res);
     if (res != MEMTX_OK) {
         return false;
-    } else {
-        return true;
     }
+    address_space_stl_le(as, iteaddr + 8, iteh, MEMTXATTRS_UNSPECIFIED, &res);
+    return res == MEMTX_OK;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
     }
 
     if (cmd == DISCARD) {
-        IteEntry itee = {};
+        ITEntry ite = {};
         /* remove mapping from interrupt translation table */
-        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
+        ite.valid = false;
+        return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
     }
     return CMD_CONTINUE;
 }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     uint64_t num_eventids;
     uint32_t num_intids;
     uint16_t icid = 0;
-    IteEntry ite = {};
     DTEntry dte;
+    ITEntry ite;
 
     devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
     eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     }
 
     /* add ite entry to interrupt translation table */
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
-
-    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+    ite.valid = true;
+    ite.inttype = ITE_INTTYPE_PHYSICAL;
+    ite.intid = pIntid;
+    ite.icid = icid;
+    ite.doorbell = INTID_SPURIOUS;
+    ite.vpeid = 0;
+    return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
     uint32_t devid, eventid;
     uint16_t new_icid;
     uint64_t num_eventids;
-    IteEntry ite = {};
     DTEntry dte;
     CTEntry old_cte, new_cte;
     ITEntry old_ite;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
     }
 
     /* Update the ICID field in the interrupt translation table entry */
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
-    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
-    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+    old_ite.icid = new_icid;
+    return update_ite(s, eventid, &dte, &old_ite) ? CMD_CONTINUE : CMD_STALL;
 }
 
 /*
-- 
2.25.1

Currently we track in the TableDesc and CmdQDesc structs the state of
the GITS_BASER<n> and GITS_CBASER Valid bits.  However we aren't very
consistent abut checking the valid field: we test it in update_cte()
and update_dte(), but not anywhere else we look things up in tables.

The GIC specification says that it is UNPREDICTABLE if a guest fails
to set any of these Valid bits before enabling the ITS via
GITS_CTLR.Enabled.  So we can choose to handle Valid == 0 as
equivalent to a zero-length table.  This is in fact how we're already
catching this case in most of the table-access paths: when Valid is 0
we leave the num_entries fields in TableDesc or CmdQDesc set to zero,
and then the out-of-bounds check "index >= num_entries" that we have
to do anyway before doing any of these table lookups will always be
true, catching the no-valid-table case without any extra code.

So we can remove the checks on the valid field from update_cte()
and update_dte(): since these happen after the bounds check there
was never any case when the test could fail. That means the valid
fields would be entirely unused, so just remove them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-11-peter.maydell@linaro.org
---
 include/hw/intc/arm_gicv3_its_common.h |  2 --
 hw/intc/arm_gicv3_its.c                | 31 ++++++++++++--------------
 2 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/include/hw/intc/arm_gicv3_its_common.h b/include/hw/intc/arm_gicv3_its_common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/arm_gicv3_its_common.h
+++ b/include/hw/intc/arm_gicv3_its_common.h
@@ -XXX,XX +XXX,XX @@
 #define GITS_TRANSLATER  0x0040
 
 typedef struct {
-    bool valid;
     bool indirect;
     uint16_t entry_sz;
     uint32_t page_sz;
@@ -XXX,XX +XXX,XX @@ typedef struct {
 } TableDesc;
 
 typedef struct {
-    bool valid;
     uint32_t num_entries;
     uint64_t base_addr;
 } CmdQDesc;
diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
     uint64_t cteval = 0;
     MemTxResult res = MEMTX_OK;
 
-    if (!s->ct.valid) {
-        return true;
-    }
-
     if (cte->valid) {
         /* add mapping entry to collection table */
         cteval = FIELD_DP64(cteval, CTE, VALID, 1);
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
     uint64_t dteval = 0;
     MemTxResult res = MEMTX_OK;
 
-    if (s->dt.valid) {
-        if (dte->valid) {
-            /* add mapping entry to device table */
-            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
-            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
-            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
-        }
-    } else {
-        return true;
+    if (dte->valid) {
+        /* add mapping entry to device table */
+        dteval = FIELD_DP64(dteval, DTE, VALID, 1);
+        dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
+        dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
     }
 
     entry_addr = table_entry_addr(s, &s->dt, devid, &res);
@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
         }
 
         memset(td, 0, sizeof(*td));
-        td->valid = FIELD_EX64(value, GITS_BASER, VALID);
         /*
          * If GITS_BASER<n>.Valid is 0 for any <n> then we will not process
          * interrupts. (GITS_TYPER.HCC is 0 for this implementation, so we
@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
          * for the register corresponding to the Collection table but we
          * still have to process interrupts using non-memory-backed
          * Collection table entries.)
+         * The specification makes it UNPREDICTABLE to enable the ITS without
+         * marking each BASER<n> as valid. We choose to handle these as if
+         * the table was zero-sized, so commands using the table will fail
+         * and interrupts requested via GITS_TRANSLATER writes will be ignored.
+         * This happens automatically by leaving the num_entries field at
+         * zero, which will be caught by the bounds checks we have before
+         * every table lookup anyway.
          */
-        if (!td->valid) {
+        if (!FIELD_EX64(value, GITS_BASER, VALID)) {
             continue;
         }
         td->page_sz = page_sz;
@@ -XXX,XX +XXX,XX @@ static void extract_cmdq_params(GICv3ITSState *s)
     num_pages = FIELD_EX64(value, GITS_CBASER, SIZE) + 1;
 
     memset(&s->cq, 0 , sizeof(s->cq));
-    s->cq.valid = FIELD_EX64(value, GITS_CBASER, VALID);
 
-    if (s->cq.valid) {
+    if (FIELD_EX64(value, GITS_CBASER, VALID)) {
         s->cq.num_entries = (num_pages * GITS_PAGE_SIZE_4K) /
                              GITS_CMDQ_ENTRY_SIZE;
         s->cq.base_addr = FIELD_EX64(value, GITS_CBASER, PHYADDR);
-- 
2.25.1

In the MAPC command, if V=0 this is a request to delete a collection
table entry and the rdbase field of the command packet will not be
used.  In particular, the specification says that the "UNPREDICTABLE
if rdbase is not valid" only applies for V=1.

We were doing a check-and-log-guest-error on rdbase regardless of
whether the V bit was set, and also (harmlessly but confusingly)
storing the contents of the rdbase field into the updated collection
table entry.  Update the code so that if V=0 we don't check or use
the rdbase field value.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-12-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
     CTEntry cte;
 
     icid = cmdpkt[2] & ICID_MASK;
-
-    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
-    cte.rdbase &= RDBASE_PROCNUM_MASK;
-
     cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
+    if (cte.valid) {
+        cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
+        cte.rdbase &= RDBASE_PROCNUM_MASK;
+    } else {
+        cte.rdbase = 0;
+    }
 
-    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
+    if (icid >= s->ct.num_entries) {
+        qemu_log_mask(LOG_GUEST_ERROR, "ITS MAPC: invalid ICID 0x%d", icid);
+        return CMD_CONTINUE;
+    }
+    if (cte.valid && cte.rdbase >= s->gicv3->num_cpu) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "ITS MAPC: invalid collection table attributes "
-                      "icid %d rdbase %u\n",  icid, cte.rdbase);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "ITS MAPC: invalid RDBASE %u ", cte.rdbase);
         return CMD_CONTINUE;
     }
 
-- 
2.25.1

When handling MAPI/MAPTI, we allow the supplied interrupt ID to be
either 1023 or something in the valid LPI range.  This is a mistake:
only a real valid LPI is allowed.  (The general behaviour of the ITS
is that most interrupt ID fields require a value in the LPI range;
the exception is that fields specifying a doorbell value, which are
all in GICv4 commands, allow also 1023 to mean "no doorbell".)
Remove the condition that incorrectly allows 1023 here.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-13-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
 
     if ((icid >= s->ct.num_entries)
             || !dte.valid || (eventid >= num_eventids) ||
-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
-             (pIntid != INTID_SPURIOUS))) {
+            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid command attributes "
                       "icid %d or eventid %d or pIntid %d or"
-- 
2.25.1

In most of the ITS command processing, we check different error
possibilities one at a time and log them appropriately. In
process_mapti() and process_mapd() we have code which checks
multiple error cases at once, which means the logging is less
specific than it could be. Split those cases up.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220201193207.2771604-14-peter.maydell@linaro.org
---
 hw/intc/arm_gicv3_its.c | 52 ++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
     num_eventids = 1ULL << (dte.size + 1);
     num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
 
-    if ((icid >= s->ct.num_entries)
-            || !dte.valid || (eventid >= num_eventids) ||
-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
+    if (icid >= s->ct.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s: invalid command attributes "
-                      "icid %d or eventid %d or pIntid %d or"
-                      "unmapped dte %d\n", __func__, icid, eventid,
-                      pIntid, dte.valid);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "%s: invalid ICID 0x%x >= 0x%x\n",
+                      __func__, icid, s->ct.num_entries);
+        return CMD_CONTINUE;
+    }
+
+    if (!dte.valid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: no valid DTE for devid 0x%x\n", __func__, devid);
+        return CMD_CONTINUE;
+    }
+
+    if (eventid >= num_eventids) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid event ID 0x%x >= 0x%" PRIx64 "\n",
+                      __func__, eventid, num_eventids);
+        return CMD_CONTINUE;
+    }
+
+    if (pIntid < GICV3_LPI_INTID_START || pIntid >= num_intids) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid interrupt ID 0x%x\n", __func__, pIntid);
         return CMD_CONTINUE;
     }
 
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
     dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
     dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 
-    if ((devid >= s->dt.num_entries) ||
-        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
+    if (devid >= s->dt.num_entries) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "ITS MAPD: invalid device table attributes "
-                      "devid %d or size %d\n", devid, dte.size);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "ITS MAPD: invalid device ID field 0x%x >= 0x%x\n",
+                      devid, s->dt.num_entries);
+        return CMD_CONTINUE;
+    }
+
+    if (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "ITS MAPD: invalid size %d\n", dte.size);
         return CMD_CONTINUE;
     }
 
-- 
2.25.1

From: Kevin Townsend <kevin.townsend@linaro.org>

This commit adds emulation of the magnetometer on the LSM303DLHC.
It allows the magnetometer's X, Y and Z outputs to be set via the
mag-x, mag-y and mag-z properties, as well as the 12-bit
temperature output via the temperature property. Sensor can be
enabled with 'CONFIG_LSM303DLHC_MAG=y'.

Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Message-id: 20220130095032.35392-1-kevin.townsend@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sensor/lsm303dlhc_mag.c        | 556 ++++++++++++++++++++++++++++++
 tests/qtest/lsm303dlhc-mag-test.c | 148 ++++++++
 hw/sensor/Kconfig                 |   4 +
 hw/sensor/meson.build             |   1 +
 tests/qtest/meson.build           |   1 +
 5 files changed, 710 insertions(+)
 create mode 100644 hw/sensor/lsm303dlhc_mag.c
 create mode 100644 tests/qtest/lsm303dlhc-mag-test.c

diff --git a/hw/sensor/lsm303dlhc_mag.c b/hw/sensor/lsm303dlhc_mag.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/sensor/lsm303dlhc_mag.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * LSM303DLHC I2C magnetometer.
+ *
+ * Copyright (C) 2021 Linaro Ltd.
+ * Written by Kevin Townsend <kevin.townsend@linaro.org>
+ *
+ * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+/*
+ * The I2C address associated with this device is set on the command-line when
+ * initialising the machine, but the following address is standard: 0x1E.
+ *
+ * Get and set functions for 'mag-x', 'mag-y' and 'mag-z' assume that
+ * 1 = 0.001 uT. (NOTE the 1 gauss = 100 uT, so setting a value of 100,000
+ * would be equal to 1 gauss or 100 uT.)
+ *
+ * Get and set functions for 'temperature' assume that 1 = 0.001 C, so 23.6 C
+ * would be equal to 23600.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/i2c/i2c.h"
+#include "migration/vmstate.h"
+#include "qapi/error.h"
+#include "qapi/visitor.h"
+#include "qemu/module.h"
+#include "qemu/log.h"
+#include "qemu/bswap.h"
+
+enum LSM303DLHCMagReg {
+    LSM303DLHC_MAG_REG_CRA          = 0x00,
+    LSM303DLHC_MAG_REG_CRB          = 0x01,
+    LSM303DLHC_MAG_REG_MR           = 0x02,
+    LSM303DLHC_MAG_REG_OUT_X_H      = 0x03,
+    LSM303DLHC_MAG_REG_OUT_X_L      = 0x04,
+    LSM303DLHC_MAG_REG_OUT_Z_H      = 0x05,
+    LSM303DLHC_MAG_REG_OUT_Z_L      = 0x06,
+    LSM303DLHC_MAG_REG_OUT_Y_H      = 0x07,
+    LSM303DLHC_MAG_REG_OUT_Y_L      = 0x08,
+    LSM303DLHC_MAG_REG_SR           = 0x09,
+    LSM303DLHC_MAG_REG_IRA          = 0x0A,
+    LSM303DLHC_MAG_REG_IRB          = 0x0B,
+    LSM303DLHC_MAG_REG_IRC          = 0x0C,
+    LSM303DLHC_MAG_REG_TEMP_OUT_H   = 0x31,
+    LSM303DLHC_MAG_REG_TEMP_OUT_L   = 0x32
+};
+
+typedef struct LSM303DLHCMagState {
+    I2CSlave parent_obj;
+    uint8_t cra;
+    uint8_t crb;
+    uint8_t mr;
+    int16_t x;
+    int16_t z;
+    int16_t y;
+    int16_t x_lock;
+    int16_t z_lock;
+    int16_t y_lock;
+    uint8_t sr;
+    uint8_t ira;
+    uint8_t irb;
+    uint8_t irc;
+    int16_t temperature;
+    int16_t temperature_lock;
+    uint8_t len;
+    uint8_t buf;
+    uint8_t pointer;
+} LSM303DLHCMagState;
+
+#define TYPE_LSM303DLHC_MAG "lsm303dlhc_mag"
+OBJECT_DECLARE_SIMPLE_TYPE(LSM303DLHCMagState, LSM303DLHC_MAG)
+
+/*
+ * Conversion factor from Gauss to sensor values for each GN gain setting,
+ * in units "lsb per Gauss" (see data sheet table 3). There is no documented
+ * behaviour if the GN setting in CRB is incorrectly set to 0b000;
+ * we arbitrarily make it the same as 0b001.
+ */
+uint32_t xy_gain[] = { 1100, 1100, 855, 670, 450, 400, 330, 230 };
+uint32_t z_gain[] = { 980, 980, 760, 600, 400, 355, 295, 205 };
+
+static void lsm303dlhc_mag_get_x(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int gm = extract32(s->crb, 5, 3);
+
+    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
+    int64_t value = muldiv64(s->x, 100000, xy_gain[gm]);
+    visit_type_int(v, name, &value, errp);
+}
+
+static void lsm303dlhc_mag_get_y(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int gm = extract32(s->crb, 5, 3);
+
+    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
+    int64_t value = muldiv64(s->y, 100000, xy_gain[gm]);
+    visit_type_int(v, name, &value, errp);
+}
+
+static void lsm303dlhc_mag_get_z(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int gm = extract32(s->crb, 5, 3);
+
+    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
+    int64_t value = muldiv64(s->z, 100000, z_gain[gm]);
+    visit_type_int(v, name, &value, errp);
+}
+
+static void lsm303dlhc_mag_set_x(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int64_t value;
+    int64_t reg;
+    int gm = extract32(s->crb, 5, 3);
+
+    if (!visit_type_int(v, name, &value, errp)) {
+        return;
+    }
+
+    reg = muldiv64(value, xy_gain[gm], 100000);
+
+    /* Make sure we are within a 12-bit limit. */
+    if (reg > 2047 || reg < -2048) {
+        error_setg(errp, "value %" PRId64 " out of register's range", value);
+        return;
+    }
+
+    s->x = (int16_t)reg;
+}
+
+static void lsm303dlhc_mag_set_y(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int64_t value;
+    int64_t reg;
+    int gm = extract32(s->crb, 5, 3);
+
+    if (!visit_type_int(v, name, &value, errp)) {
+        return;
+    }
+
+    reg = muldiv64(value, xy_gain[gm], 100000);
+
+    /* Make sure we are within a 12-bit limit. */
+    if (reg > 2047 || reg < -2048) {
+        error_setg(errp, "value %" PRId64 " out of register's range", value);
+        return;
+    }
+
+    s->y = (int16_t)reg;
+}
+
+static void lsm303dlhc_mag_set_z(Object *obj, Visitor *v, const char *name,
+                                 void *opaque, Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int64_t value;
+    int64_t reg;
+    int gm = extract32(s->crb, 5, 3);
+
+    if (!visit_type_int(v, name, &value, errp)) {
+        return;
+    }
+
+    reg = muldiv64(value, z_gain[gm], 100000);
+
+    /* Make sure we are within a 12-bit limit. */
+    if (reg > 2047 || reg < -2048) {
+        error_setg(errp, "value %" PRId64 " out of register's range", value);
+        return;
+    }
+
+    s->z = (int16_t)reg;
+}
+
+/*
+ * Get handler for the temperature property.
+ */
+static void lsm303dlhc_mag_get_temperature(Object *obj, Visitor *v,
+                                           const char *name, void *opaque,
+                                           Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int64_t value;
+
+    /* Convert to 1 lsb = 0.125 C to 1 = 0.001 C for 'temperature' property. */
+    value = s->temperature * 125;
+
+    visit_type_int(v, name, &value, errp);
+}
+
+/*
+ * Set handler for the temperature property.
+ */
+static void lsm303dlhc_mag_set_temperature(Object *obj, Visitor *v,
+                                           const char *name, void *opaque,
+                                           Error **errp)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
+    int64_t value;
+
+    if (!visit_type_int(v, name, &value, errp)) {
+        return;
+    }
+
+    /* Input temperature is in 0.001 C units. Convert to 1 lsb = 0.125 C. */
+    value /= 125;
+
+    if (value > 2047 || value < -2048) {
+        error_setg(errp, "value %" PRId64 " lsb is out of range", value);
+        return;
+    }
+
+    s->temperature = (int16_t)value;
+}
+
+/*
+ * Callback handler whenever a 'I2C_START_RECV' (read) event is received.
+ */
+static void lsm303dlhc_mag_read(LSM303DLHCMagState *s)
+{
+    /*
+     * Set the LOCK bit whenever a new read attempt is made. This will be
+     * cleared in I2C_FINISH. Note that DRDY is always set to 1 in this driver.
+     */
+    s->sr = 0x3;
+
+    /*
+     * Copy the current X/Y/Z and temp. values into the locked registers so
+     * that 'mag-x', 'mag-y', 'mag-z' and 'temperature' can continue to be
+     * updated via QOM, etc., without corrupting the current read event.
+     */
+    s->x_lock = s->x;
+    s->z_lock = s->z;
+    s->y_lock = s->y;
+    s->temperature_lock = s->temperature;
+}
+
+/*
+ * Callback handler whenever a 'I2C_FINISH' event is received.
+ */
+static void lsm303dlhc_mag_finish(LSM303DLHCMagState *s)
+{
+    /*
+     * Clear the LOCK bit when the read attempt terminates.
+     * This bit is initially set in the I2C_START_RECV handler.
+     */
+    s->sr = 0x1;
+}
+
+/*
+ * Callback handler when a device attempts to write to a register.
+ */
+static void lsm303dlhc_mag_write(LSM303DLHCMagState *s)
+{
+    switch (s->pointer) {
+    case LSM303DLHC_MAG_REG_CRA:
+        s->cra = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_CRB:
+        /* Make sure gain is at least 1, falling back to 1 on an error. */
+        if (s->buf >> 5 == 0) {
+            s->buf = 1 << 5;
+        }
+        s->crb = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_MR:
+        s->mr = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_SR:
+        s->sr = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_IRA:
+        s->ira = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_IRB:
+        s->irb = s->buf;
+        break;
+    case LSM303DLHC_MAG_REG_IRC:
+        s->irc = s->buf;
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR, "reg is read-only: 0x%02X", s->buf);
+        break;
+    }
+}
+
+/*
+ * Low-level master-to-slave transaction handler.
+ */
+static int lsm303dlhc_mag_send(I2CSlave *i2c, uint8_t data)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
+
+    if (s->len == 0) {
+        /* First byte is the reg pointer */
+        s->pointer = data;
+        s->len++;
+    } else if (s->len == 1) {
+        /* Second byte is the new register value. */
+        s->buf = data;
+        lsm303dlhc_mag_write(s);
+    } else {
+        g_assert_not_reached();
+    }
+
+    return 0;
+}
+
+/*
+ * Low-level slave-to-master transaction handler (read attempts).
+ */
+static uint8_t lsm303dlhc_mag_recv(I2CSlave *i2c)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
+    uint8_t resp;
+
+    switch (s->pointer) {
+    case LSM303DLHC_MAG_REG_CRA:
+        resp = s->cra;
+        break;
+    case LSM303DLHC_MAG_REG_CRB:
+        resp = s->crb;
+        break;
+    case LSM303DLHC_MAG_REG_MR:
+        resp = s->mr;
+        break;
+    case LSM303DLHC_MAG_REG_OUT_X_H:
+        resp = (uint8_t)(s->x_lock >> 8);
+        break;
+    case LSM303DLHC_MAG_REG_OUT_X_L:
+        resp = (uint8_t)(s->x_lock);
+        break;
+    case LSM303DLHC_MAG_REG_OUT_Z_H:
+        resp = (uint8_t)(s->z_lock >> 8);
+        break;
+    case LSM303DLHC_MAG_REG_OUT_Z_L:
+        resp = (uint8_t)(s->z_lock);
+        break;
+    case LSM303DLHC_MAG_REG_OUT_Y_H:
+        resp = (uint8_t)(s->y_lock >> 8);
+        break;
+    case LSM303DLHC_MAG_REG_OUT_Y_L:
+        resp = (uint8_t)(s->y_lock);
+        break;
+    case LSM303DLHC_MAG_REG_SR:
+        resp = s->sr;
+        break;
+    case LSM303DLHC_MAG_REG_IRA:
+        resp = s->ira;
+        break;
+    case LSM303DLHC_MAG_REG_IRB:
+        resp = s->irb;
+        break;
+    case LSM303DLHC_MAG_REG_IRC:
+        resp = s->irc;
+        break;
+    case LSM303DLHC_MAG_REG_TEMP_OUT_H:
+        /* Check if the temperature sensor is enabled or not (CRA & 0x80). */
+        if (s->cra & 0x80) {
+            resp = (uint8_t)(s->temperature_lock >> 8);
+        } else {
+            resp = 0;
+        }
+        break;
+    case LSM303DLHC_MAG_REG_TEMP_OUT_L:
+        if (s->cra & 0x80) {
+            resp = (uint8_t)(s->temperature_lock & 0xff);
+        } else {
+            resp = 0;
+        }
+        break;
+    default:
+        resp = 0;
+        break;
+    }
+
+    /*
+     * The address pointer on the LSM303DLHC auto-increments whenever a byte
+     * is read, without the master device having to request the next address.
+     *
+     * The auto-increment process has the following logic:
+     *
+     *   - if (s->pointer == 8) then s->pointer = 3
+     *   - else: if (s->pointer == 12) then s->pointer = 0
+     *   - else: s->pointer += 1
+     *
+     * Reading an invalid address return 0.
+     */
+    if (s->pointer == LSM303DLHC_MAG_REG_OUT_Y_L) {
+        s->pointer = LSM303DLHC_MAG_REG_OUT_X_H;
+    } else if (s->pointer == LSM303DLHC_MAG_REG_IRC) {
+        s->pointer = LSM303DLHC_MAG_REG_CRA;
+    } else {
+        s->pointer++;
+    }
+
+    return resp;
+}
+
+/*
+ * Bus state change handler.
+ */
+static int lsm303dlhc_mag_event(I2CSlave *i2c, enum i2c_event event)
+{
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
+
+    switch (event) {
+    case I2C_START_SEND:
+        break;
+    case I2C_START_RECV:
+        lsm303dlhc_mag_read(s);
+        break;
+    case I2C_FINISH:
+        lsm303dlhc_mag_finish(s);
+        break;
+    case I2C_NACK:
+        break;
+    }
+
+    s->len = 0;
+    return 0;
+}
+
+/*
+ * Device data description using VMSTATE macros.
+ */
+static const VMStateDescription vmstate_lsm303dlhc_mag = {
+    .name = "LSM303DLHC_MAG",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .fields = (VMStateField[]) {
+
+        VMSTATE_I2C_SLAVE(parent_obj, LSM303DLHCMagState),
+        VMSTATE_UINT8(len, LSM303DLHCMagState),
+        VMSTATE_UINT8(buf, LSM303DLHCMagState),
+        VMSTATE_UINT8(pointer, LSM303DLHCMagState),
+        VMSTATE_UINT8(cra, LSM303DLHCMagState),
+        VMSTATE_UINT8(crb, LSM303DLHCMagState),
+        VMSTATE_UINT8(mr, LSM303DLHCMagState),
+        VMSTATE_INT16(x, LSM303DLHCMagState),
+        VMSTATE_INT16(z, LSM303DLHCMagState),
+        VMSTATE_INT16(y, LSM303DLHCMagState),
+        VMSTATE_INT16(x_lock, LSM303DLHCMagState),
+        VMSTATE_INT16(z_lock, LSM303DLHCMagState),
+        VMSTATE_INT16(y_lock, LSM303DLHCMagState),
+        VMSTATE_UINT8(sr, LSM303DLHCMagState),
+        VMSTATE_UINT8(ira, LSM303DLHCMagState),
+        VMSTATE_UINT8(irb, LSM303DLHCMagState),
+        VMSTATE_UINT8(irc, LSM303DLHCMagState),
+        VMSTATE_INT16(temperature, LSM303DLHCMagState),
+        VMSTATE_INT16(temperature_lock, LSM303DLHCMagState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/*
+ * Put the device into post-reset default state.
+ */
+static void lsm303dlhc_mag_default_cfg(LSM303DLHCMagState *s)
+{
+    /* Set the device into is default reset state. */
+    s->len = 0;
+    s->pointer = 0;         /* Current register. */
+    s->buf = 0;             /* Shared buffer. */
+    s->cra = 0x10;          /* Temp Enabled = 0, Data Rate = 15.0 Hz. */
+    s->crb = 0x20;          /* Gain = +/- 1.3 Gauss. */
+    s->mr = 0x3;            /* Operating Mode = Sleep. */
+    s->x = 0;
+    s->z = 0;
+    s->y = 0;
+    s->x_lock = 0;
+    s->z_lock = 0;
+    s->y_lock = 0;
+    s->sr = 0x1;            /* DRDY = 1. */
+    s->ira = 0x48;
+    s->irb = 0x34;
+    s->irc = 0x33;
+    s->temperature = 0;     /* Default to 0 degrees C (0/8 lsb = 0 C). */
+    s->temperature_lock = 0;
+}
+
+/*
+ * Callback handler when DeviceState 'reset' is set to true.
+ */
+static void lsm303dlhc_mag_reset(DeviceState *dev)
+{
+    I2CSlave *i2c = I2C_SLAVE(dev);
+    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
+
+    /* Set the device into its default reset state. */
+    lsm303dlhc_mag_default_cfg(s);
+}
+
+/*
+ * Initialisation of any public properties.
+ */
+static void lsm303dlhc_mag_initfn(Object *obj)
+{
+    object_property_add(obj, "mag-x", "int",
+                lsm303dlhc_mag_get_x,
+                lsm303dlhc_mag_set_x, NULL, NULL);
+
+    object_property_add(obj, "mag-y", "int",
+                lsm303dlhc_mag_get_y,
+                lsm303dlhc_mag_set_y, NULL, NULL);
+
+    object_property_add(obj, "mag-z", "int",
+                lsm303dlhc_mag_get_z,
+                lsm303dlhc_mag_set_z, NULL, NULL);
+
+    object_property_add(obj, "temperature", "int",
+                lsm303dlhc_mag_get_temperature,
+                lsm303dlhc_mag_set_temperature, NULL, NULL);
+}
+
+/*
+ * Set the virtual method pointers (bus state change, tx/rx, etc.).
+ */
+static void lsm303dlhc_mag_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    I2CSlaveClass *k = I2C_SLAVE_CLASS(klass);
+
+    dc->reset = lsm303dlhc_mag_reset;
+    dc->vmsd = &vmstate_lsm303dlhc_mag;
+    k->event = lsm303dlhc_mag_event;
+    k->recv = lsm303dlhc_mag_recv;
+    k->send = lsm303dlhc_mag_send;
+}
+
+static const TypeInfo lsm303dlhc_mag_info = {
+    .name = TYPE_LSM303DLHC_MAG,
+    .parent = TYPE_I2C_SLAVE,
+    .instance_size = sizeof(LSM303DLHCMagState),
+    .instance_init = lsm303dlhc_mag_initfn,
+    .class_init = lsm303dlhc_mag_class_init,
+};
+
+static void lsm303dlhc_mag_register_types(void)
+{
+    type_register_static(&lsm303dlhc_mag_info);
+}
+
+type_init(lsm303dlhc_mag_register_types)
diff --git a/tests/qtest/lsm303dlhc-mag-test.c b/tests/qtest/lsm303dlhc-mag-test.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/qtest/lsm303dlhc-mag-test.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QTest testcase for the LSM303DLHC I2C magnetometer
+ *
+ * Copyright (C) 2021 Linaro Ltd.
+ * Written by Kevin Townsend <kevin.townsend@linaro.org>
+ *
+ * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "libqtest-single.h"
+#include "libqos/qgraph.h"
+#include "libqos/i2c.h"
+#include "qapi/qmp/qdict.h"
+
+#define LSM303DLHC_MAG_TEST_ID        "lsm303dlhc_mag-test"
+#define LSM303DLHC_MAG_REG_CRA        0x00
+#define LSM303DLHC_MAG_REG_CRB        0x01
+#define LSM303DLHC_MAG_REG_OUT_X_H    0x03
+#define LSM303DLHC_MAG_REG_OUT_Z_H    0x05
+#define LSM303DLHC_MAG_REG_OUT_Y_H    0x07
+#define LSM303DLHC_MAG_REG_IRC        0x0C
+#define LSM303DLHC_MAG_REG_TEMP_OUT_H 0x31
+
+static int qmp_lsm303dlhc_mag_get_property(const char *id, const char *prop)
+{
+    QDict *response;
+    int ret;
+
+    response = qmp("{ 'execute': 'qom-get', 'arguments': { 'path': %s, "
+                   "'property': %s } }", id, prop);
+    g_assert(qdict_haskey(response, "return"));
+    ret = qdict_get_int(response, "return");
+    qobject_unref(response);
+    return ret;
+}
+
+static void qmp_lsm303dlhc_mag_set_property(const char *id, const char *prop,
+                                            int value)
+{
+    QDict *response;
+
+    response = qmp("{ 'execute': 'qom-set', 'arguments': { 'path': %s, "
+                   "'property': %s, 'value': %d } }", id, prop, value);
+    g_assert(qdict_haskey(response, "return"));
+    qobject_unref(response);
+}
+
+static void send_and_receive(void *obj, void *data, QGuestAllocator *alloc)
+{
+    int64_t value;
+    QI2CDevice *i2cdev = (QI2CDevice *)obj;
+
+    /* Check default value for CRB */
+    g_assert_cmphex(i2c_get8(i2cdev, LSM303DLHC_MAG_REG_CRB), ==, 0x20);
+
+    /* Set x to 1.0 gauss and verify the value */
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
+    value = qmp_lsm303dlhc_mag_get_property(
+        LSM303DLHC_MAG_TEST_ID, "mag-x");
+    g_assert_cmpint(value, ==, 100000);
+
+    /* Set y to 1.5 gauss and verify the value */
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
+    value = qmp_lsm303dlhc_mag_get_property(
+        LSM303DLHC_MAG_TEST_ID, "mag-y");
+    g_assert_cmpint(value, ==, 150000);
+
+    /* Set z to 0.5 gauss and verify the value */
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-z", 50000);
+    value = qmp_lsm303dlhc_mag_get_property(
+        LSM303DLHC_MAG_TEST_ID, "mag-z");
+    g_assert_cmpint(value, ==, 50000);
+
+    /* Set temperature to 23.6 C and verify the value */
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID,
+        "temperature", 23600);
+    value = qmp_lsm303dlhc_mag_get_property(
+        LSM303DLHC_MAG_TEST_ID, "temperature");
+    /* Should return 23.5 C due to 0.125°C steps. */
+    g_assert_cmpint(value, ==, 23500);
+
+    /* Read raw x axis registers (1 gauss = 1100 at +/-1.3 g gain) */
+    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_X_H);
+    g_assert_cmphex(value, ==, 1100);
+
+    /* Read raw y axis registers (1.5 gauss = 1650 at +/- 1.3 g gain = ) */
+    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H);
+    g_assert_cmphex(value, ==, 1650);
+
+    /* Read raw z axis registers (0.5 gauss = 490 at +/- 1.3 g gain = ) */
+    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Z_H);
+    g_assert_cmphex(value, ==, 490);
+
+    /* Read raw temperature registers with temp disabled (CRA = 0x10) */
+    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
+    g_assert_cmphex(value, ==, 0);
+
+    /* Enable temperature reads (CRA = 0x90) */
+    i2c_set8(i2cdev, LSM303DLHC_MAG_REG_CRA, 0x90);
+
+    /* Read raw temp registers (23.5 C = 188 at 1 lsb = 0.125 C) */
+    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
+    g_assert_cmphex(value, ==, 188);
+}
+
+static void reg_wraparound(void *obj, void *data, QGuestAllocator *alloc)
+{
+    uint8_t value[4];
+    QI2CDevice *i2cdev = (QI2CDevice *)obj;
+
+    /* Set x to 1.0 gauss, and y to 1.5 gauss for known test values */
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
+    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
+
+    /* Check that requesting 4 bytes starting at Y_H wraps around to X_L */
+    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H, value, 4);
+    /* 1.5 gauss = 1650 lsb = 0x672 */
+    g_assert_cmphex(value[0], ==, 0x06);
+    g_assert_cmphex(value[1], ==, 0x72);
+    /* 1.0 gauss = 1100 lsb = 0x44C */
+    g_assert_cmphex(value[2], ==, 0x04);
+    g_assert_cmphex(value[3], ==, 0x4C);
+
+    /* Check that requesting LSM303DLHC_MAG_REG_IRC wraps around to CRA */
+    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_IRC, value, 2);
+    /* Default value for IRC = 0x33 */
+    g_assert_cmphex(value[0], ==, 0x33);
+    /* Default value for CRA = 0x10 */
+    g_assert_cmphex(value[1], ==, 0x10);
+}
+
+static void lsm303dlhc_mag_register_nodes(void)
+{
+    QOSGraphEdgeOptions opts = {
+        .extra_device_opts = "id=" LSM303DLHC_MAG_TEST_ID ",address=0x1e"
+    };
+    add_qi2c_address(&opts, &(QI2CAddress) { 0x1E });
+
+    qos_node_create_driver("lsm303dlhc_mag", i2c_device_create);
+    qos_node_consumes("lsm303dlhc_mag", "i2c-bus", &opts);
+
+    qos_add_test("tx-rx", "lsm303dlhc_mag", send_and_receive, NULL);
+    qos_add_test("regwrap", "lsm303dlhc_mag", reg_wraparound, NULL);
+}
+libqos_init(lsm303dlhc_mag_register_nodes);
diff --git a/hw/sensor/Kconfig b/hw/sensor/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/sensor/Kconfig
+++ b/hw/sensor/Kconfig
@@ -XXX,XX +XXX,XX @@ config ADM1272
 config MAX34451
     bool
     depends on I2C
+
+config LSM303DLHC_MAG
+    bool
+    depends on I2C
diff --git a/hw/sensor/meson.build b/hw/sensor/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/sensor/meson.build
+++ b/hw/sensor/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_DPS310', if_true: files('dps310.c'))
 softmmu_ss.add(when: 'CONFIG_EMC141X', if_true: files('emc141x.c'))
 softmmu_ss.add(when: 'CONFIG_ADM1272', if_true: files('adm1272.c'))
 softmmu_ss.add(when: 'CONFIG_MAX34451', if_true: files('max34451.c'))
+softmmu_ss.add(when: 'CONFIG_LSM303DLHC_MAG', if_true: files('lsm303dlhc_mag.c'))
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qos_test_ss.add(
   'eepro100-test.c',
   'es1370-test.c',
   'ipoctal232-test.c',
+  'lsm303dlhc-mag-test.c',
   'max34451-test.c',
   'megasas-test.c',
   'ne2000-test.c',
-- 
2.25.1