Series comparison

-[PULL 00/30] target-arm queue
+[PULL 00/12] target-arm queue
-Hi; this is the latest target-arm queue. Most of the patches
+Hi; here's a relatively small target-arm queue, pretty much all
-here are RTH's FEAT_HAFDBS finally landing. I've also included
+bug fixes. (There are a few non-arm patches that I've thrown in
-the RNG-seed randomization patches from Jason, as well as a few
+there too for my convenience :-))
 more minor things. The patches include a couple of regression
 fixes:
  * the resettable patch fixes a SCSI reset regression
  * the 'do not re-randomize on snapshot load' patches fix
    record-and-replay regressions
 thanks
 -- PMM
-The following changes since commit e750a7ace492f0b450653d4ad368a77d6f660fb8:
+The following changes since commit 278238505d28d292927bff7683f39fb4fbca7fd1:
-  Merge tag 'pull-9p-20221024' of https://github.com/cschoenebeck/qemu into staging (2022-10-24 14:27:12 -0400)
+  Merge tag 'pull-tcg-20230511-2' of https://gitlab.com/rth7680/qemu into staging (2023-05-11 11:44:23 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221025
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230512
-for you to fetch changes up to e2114f701c78f76246e4b1872639dad94a6bdd21:
+for you to fetch changes up to 478dccbb99db0bf8f00537dd0b4d0de88d5cb537:
-  rx: re-randomize rng-seed on reboot (2022-10-25 17:32:24 +0100)
+  target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check (2023-05-12 16:01:25 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * Implement FEAT_E0PD
+ * More refactoring of files into tcg/
- * Implement FEAT_HAFDBS
+ * Don't allow stage 2 page table walks to downgrade to NS
- * honor HCR_E2H and HCR_TGE in arm_excp_unmasked()
+ * Fix handling of SW and NSW bits for stage 2 walks
- * hw/arm/virt: Fix devicetree warnings about the virtio-iommu node
+ * MAINTAINERS: Update Akihiko Odaki's email address
- * hw/core/resettable: fix reset level counting
+ * ui: Fix pixel colour channel order for PNG screenshots
- * hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()
+ * docs: Remove unused weirdly-named cross-reference targets
- * imx: reload cmp timer outside of the reload ptimer transaction
+ * hw/mips/malta: Fix minor dead code issue
- * x86: do not re-randomize RNG seed on snapshot load
+ * Fixes for the "allow CONFIG_TCG=n" changes
- * m68k/virt: do not re-randomize RNG seed on snapshot load
+ * tests/qtest: Don't run cdrom boot tests if no accelerator is present
- * m68k/q800: do not re-randomize RNG seed on snapshot load
+ * target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check
  * arm: re-randomize rng-seed on reboot
  * riscv: re-randomize rng-seed on reboot
  * mips/boston: re-randomize rng-seed on reboot
  * openrisc: re-randomize rng-seed on reboot
  * rx: re-randomize rng-seed on reboot
 ----------------------------------------------------------------
-Ake Koomsin (1):
+Akihiko Odaki (1):
-      target/arm: honor HCR_E2H and HCR_TGE in arm_excp_unmasked()
+      MAINTAINERS: Update Akihiko Odaki's email address
-Axel Heider (1):
+Fabiano Rosas (3):
-      target/imx: reload cmp timer outside of the reload ptimer transaction
+      target/arm: Select SEMIHOSTING when using TCG
       target/arm: Select CONFIG_ARM_V7M when TCG is enabled
       tests/qtest: Don't run cdrom boot tests if no accelerator is present
-Damien Hedde (1):
+Peter Maydell (6):
-      hw/core/resettable: fix reset level counting
+      target/arm: Don't allow stage 2 page table walks to downgrade to NS
       target/arm: Fix handling of SW and NSW bits for stage 2 walks
       ui: Fix pixel colour channel order for PNG screenshots
       docs: Remove unused weirdly-named cross-reference targets
       hw/mips/malta: Fix minor dead code issue
       target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check
-Jason A. Donenfeld (10):
+Richard Henderson (2):
-      reset: allow registering handlers that aren't called by snapshot loading
+      target/arm: Move translate-a32.h, arm_ldst.h, sve_ldst_internal.h to tcg/
-      device-tree: add re-randomization helper function
+      target/arm: Move helper-{a64,mve,sme,sve}.h to tcg/
       x86: do not re-randomize RNG seed on snapshot load
       arm: re-randomize rng-seed on reboot
       riscv: re-randomize rng-seed on reboot
       m68k/virt: do not re-randomize RNG seed on snapshot load
       m68k/q800: do not re-randomize RNG seed on snapshot load
       mips/boston: re-randomize rng-seed on reboot
       openrisc: re-randomize rng-seed on reboot
       rx: re-randomize rng-seed on reboot
-Jean-Philippe Brucker (1):
+ MAINTAINERS                              |  4 +-
-      hw/arm/virt: Fix devicetree warnings about the virtio-iommu node
+ docs/system/devices/igb.rst              |  2 +-
+ docs/system/devices/ivshmem.rst          |  2 -
-Peter Maydell (2):
+ docs/system/devices/net.rst              |  2 +-
-      target/arm: Implement FEAT_E0PD
+ docs/system/devices/usb.rst              |  2 -
-      hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()
+ docs/system/keys.rst                     |  2 +-
+ docs/system/linuxboot.rst                |  2 +-
-Richard Henderson (14):
+ docs/system/target-i386.rst              |  4 --
-      target/arm: Introduce regime_is_stage2
+ target/arm/helper.h                      |  8 +--
-      target/arm: Add ptw_idx to S1Translate
+ target/arm/internals.h                   | 12 +++-
-      target/arm: Add isar predicates for FEAT_HAFDBS
+ target/arm/{ => tcg}/arm_ldst.h          |  0
-      target/arm: Extract HA and HD in aa64_va_parameters
+ target/arm/{ => tcg}/helper-a64.h        |  0
-      target/arm: Move S1_ptw_translate outside arm_ld[lq]_ptw
+ target/arm/{ => tcg}/helper-mve.h        |  0
-      target/arm: Add ARMFault_UnsuppAtomicUpdate
+ target/arm/{ => tcg}/helper-sme.h        |  0
-      target/arm: Remove loop from get_phys_addr_lpae
+ target/arm/{ => tcg}/helper-sve.h        |  0
-      target/arm: Fix fault reporting in get_phys_addr_lpae
+ target/arm/{ => tcg}/sve_ldst_internal.h |  0
-      target/arm: Don't shift attrs in get_phys_addr_lpae
+ target/arm/{ => tcg}/translate-a32.h     |  0
-      target/arm: Consider GP an attribute in get_phys_addr_lpae
+ hw/mips/malta.c                          |  5 +-
-      target/arm: Tidy merging of attributes from descriptor and table
+ target/arm/gdbstub64.c                   |  2 +-
-      target/arm: Implement FEAT_HAFDBS, access flag portion
+ target/arm/helper.c                      | 15 ++++-
-      target/arm: Implement FEAT_HAFDBS, dirty bit portion
+ target/arm/ptw.c                         | 95 +++++++++++++++++++-------------
-      target/arm: Use the max page size in a 2-stage ptw
+ target/arm/tcg/pauth_helper.c            |  6 +-
+ tests/qtest/cdrom-test.c                 | 10 ++++
- docs/devel/reset.rst          |   8 +-
+ ui/console.c                             |  4 +-
- docs/system/arm/emulation.rst |   2 +
+ target/arm/Kconfig                       |  9 +--
- qapi/run-state.json           |   6 +-
+files changed, 109 insertions(+), 77 deletions(-)
- include/hw/boards.h           |   2 +-
+ rename target/arm/{ => tcg}/arm_ldst.h (100%)
- include/sysemu/device_tree.h  |   9 +
+ rename target/arm/{ => tcg}/helper-a64.h (100%)
- include/sysemu/reset.h        |   5 +-
+ rename target/arm/{ => tcg}/helper-mve.h (100%)
- target/arm/cpu.h              |  15 ++
+ rename target/arm/{ => tcg}/helper-sme.h (100%)
- target/arm/internals.h        |  30 +++
+ rename target/arm/{ => tcg}/helper-sve.h (100%)
- hw/arm/aspeed.c               |   4 +-
+ rename target/arm/{ => tcg}/sve_ldst_internal.h (100%)
- hw/arm/boot.c                 |   2 +
+ rename target/arm/{ => tcg}/translate-a32.h (100%)
  hw/arm/mps2-tz.c              |   4 +-
  hw/arm/virt.c                 |   5 +-
  hw/core/reset.c               |  17 +-
  hw/core/resettable.c          |   3 +-
  hw/hppa/machine.c             |   4 +-
  hw/hyperv/hyperv.c            |   2 +-
  hw/i386/microvm.c             |   4 +-
  hw/i386/pc.c                  |   6 +-
  hw/i386/x86.c                 |   2 +-
  hw/m68k/q800.c                |  33 ++-
  hw/m68k/virt.c                |  20 +-
  hw/mips/boston.c              |   3 +
  hw/openrisc/boot.c            |   3 +
  hw/ppc/pegasos2.c             |   4 +-
  hw/ppc/pnv.c                  |   4 +-
  hw/ppc/spapr.c                |   4 +-
  hw/riscv/boot.c               |   3 +
  hw/rx/rx-gdbsim.c             |   3 +
  hw/s390x/s390-virtio-ccw.c    |   4 +-
  hw/timer/imx_epit.c           |   9 +-
  migration/savevm.c            |   2 +-
  softmmu/device_tree.c         |  21 ++
  softmmu/runstate.c            |  11 +-
  target/arm/cpu.c              |  24 +-
  target/arm/cpu64.c            |   2 +
  target/arm/helper.c           |  31 ++-
  target/arm/ptw.c              | 524 +++++++++++++++++++++++++++---------------
 files changed, 572 insertions(+), 263 deletions(-)

-[PULL 01/30] target/arm: Implement FEAT_E0PD
+Deleted patch
-FEAT_E0PD adds new bits E0PD0 and E0PD1 to TCR_EL1, which allow the
-OS to forbid EL0 access to half of the address space.  Since this is
-an EL0-specific variation on the existing TCR_ELx.{EPD0,EPD1}, we can
-implement it entirely in aa64_va_parameters().
-This requires moving the existing regime_is_user() to internals.h
-so that the code in helper.c can get at it.
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20221021160131.3531787-1-peter.maydell@linaro.org
----
- docs/system/arm/emulation.rst |  1 +
- target/arm/cpu.h              |  5 +++++
- target/arm/internals.h        | 19 +++++++++++++++++++
- target/arm/cpu64.c            |  1 +
- target/arm/helper.c           |  9 +++++++++
- target/arm/ptw.c              | 19 -------------------
-files changed, 35 insertions(+), 19 deletions(-)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_Debugv8p4 (Debug changes for v8.4)
- - FEAT_DotProd (Advanced SIMD dot product instructions)
- - FEAT_DoubleFault (Double Fault Extension)
-+- FEAT_E0PD (Preventing EL0 access to halves of address maps)
- - FEAT_ETS (Enhanced Translation Synchronization)
- - FEAT_FCMA (Floating-point complex number instructions)
- - FEAT_FHM (Floating-point half-precision multiplication instructions)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_lva(const ARMISARegisters *id)
-     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, VARANGE) != 0;
- }
-+static inline bool isar_feature_aa64_e0pd(const ARMISARegisters *id)
-+{
-+    return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, E0PD) != 0;
-+}
-+
- static inline bool isar_feature_aa64_tts2uxn(const ARMISARegisters *id)
- {
-     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, XNX) != 0;
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
-     }
- }
-+static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
-+{
-+    switch (mmu_idx) {
-+    case ARMMMUIdx_E20_0:
-+    case ARMMMUIdx_Stage1_E0:
-+    case ARMMMUIdx_MUser:
-+    case ARMMMUIdx_MSUser:
-+    case ARMMMUIdx_MUserNegPri:
-+    case ARMMMUIdx_MSUserNegPri:
-+        return true;
-+    default:
-+        return false;
-+    case ARMMMUIdx_E10_0:
-+    case ARMMMUIdx_E10_1:
-+    case ARMMMUIdx_E10_1_PAN:
-+        g_assert_not_reached();
-+    }
-+}
-+
- /* Return the SCTLR value which controls this address translation regime */
- static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)
- {
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     t = FIELD_DP64(t, ID_AA64MMFR2, FWB, 1);      /* FEAT_S2FWB */
-     t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1);      /* FEAT_TTL */
-     t = FIELD_DP64(t, ID_AA64MMFR2, BBM, 2);      /* FEAT_BBM at level 2 */
-+    t = FIELD_DP64(t, ID_AA64MMFR2, E0PD, 1);     /* FEAT_E0PD */
-     cpu->isar.id_aa64mmfr2 = t;
-     t = cpu->isar.id_aa64zfr0;
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-         ps = extract32(tcr, 16, 3);
-         ds = extract64(tcr, 32, 1);
-     } else {
-+        bool e0pd;
-+
-         /*
-          * Bit 55 is always between the two regions, and is canonical for
-          * determining if address tagging is enabled.
-@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-             epd = extract32(tcr, 7, 1);
-             sh = extract32(tcr, 12, 2);
-             hpd = extract64(tcr, 41, 1);
-+            e0pd = extract64(tcr, 55, 1);
-         } else {
-             tsz = extract32(tcr, 16, 6);
-             gran = tg1_to_gran_size(extract32(tcr, 30, 2));
-             epd = extract32(tcr, 23, 1);
-             sh = extract32(tcr, 28, 2);
-             hpd = extract64(tcr, 42, 1);
-+            e0pd = extract64(tcr, 56, 1);
-         }
-         ps = extract64(tcr, 32, 3);
-         ds = extract64(tcr, 59, 1);
-+
-+        if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) &&
-+            regime_is_user(env, mmu_idx)) {
-+            epd = true;
-+        }
-     }
-     gran = sanitize_gran_size(cpu, gran, stage2);
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
-     return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
- }
--static bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
--{
--    switch (mmu_idx) {
--    case ARMMMUIdx_E20_0:
--    case ARMMMUIdx_Stage1_E0:
--    case ARMMMUIdx_MUser:
--    case ARMMMUIdx_MSUser:
--    case ARMMMUIdx_MUserNegPri:
--    case ARMMMUIdx_MSUserNegPri:
--        return true;
--    default:
--        return false;
--    case ARMMMUIdx_E10_0:
--    case ARMMMUIdx_E10_1:
--    case ARMMMUIdx_E10_1_PAN:
--        g_assert_not_reached();
--    }
--}
--
- /* Return the TTBR associated with this translation regime */
- static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
- {
---
-.25.1

-[PULL 02/30] hw/arm/virt: Fix devicetree warnings about the virtio-iommu node
+Deleted patch
-From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-The "PCI Bus Binding to: IEEE Std 1275-1994" defines the compatible
-string for a PCIe bus or endpoint as "pci<vendorid>,<deviceid>" or
-similar. Since the initial binding for PCI virtio-iommu didn't follow
-this rule, it was modified to accept both strings and ensure backward
-compatibility. Also, the unit-name for the node should be
-"device,function".
-Fix corresponding dt-validate and dtc warnings:
-  pcie@10000000: virtio_iommu@16:compatible: ['virtio,pci-iommu'] does not contain items matching the given schema
-  pcie@10000000: Unevaluated properties are not allowed (... 'virtio_iommu@16' were unexpected)
-  From schema: linux/Documentation/devicetree/bindings/pci/host-generic-pci.yaml
-  virtio_iommu@16: compatible: 'oneOf' conditional failed, one must be fixed:
-        ['virtio,pci-iommu'] is too short
-        'pci1af4,1057' was expected
-  From schema: dtschema/schemas/pci/pci-bus.yaml
-  Warning (pci_device_reg): /pcie@10000000/virtio_iommu@16: PCI unit address format error, expected "2,0"
-Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt.c | 5 +++--
-file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void create_smmu(const VirtMachineState *vms,
- static void create_virtio_iommu_dt_bindings(VirtMachineState *vms)
- {
--    const char compat[] = "virtio,pci-iommu";
-+    const char compat[] = "virtio,pci-iommu\0pci1af4,1057";
-     uint16_t bdf = vms->virtio_iommu_bdf;
-     MachineState *ms = MACHINE(vms);
-     char *node;
-     vms->iommu_phandle = qemu_fdt_alloc_phandle(ms->fdt);
--    node = g_strdup_printf("%s/virtio_iommu@%d", vms->pciehb_nodename, bdf);
-+    node = g_strdup_printf("%s/virtio_iommu@%x,%x", vms->pciehb_nodename,
-+                           PCI_SLOT(bdf), PCI_FUNC(bdf));
-     qemu_fdt_add_subnode(ms->fdt, node);
-     qemu_fdt_setprop(ms->fdt, node, "compatible", compat, sizeof(compat));
-     qemu_fdt_setprop_sized_cells(ms->fdt, node, "reg",
---
-.25.1

-[PULL 03/30] target/arm: honor HCR_E2H and HCR_TGE in arm_excp_unmasked()
+Deleted patch
-From: Ake Koomsin <ake@igel.co.jp>
-An exception targeting EL2 from lower EL is actually maskable when
-HCR_E2H and HCR_TGE are both set. This applies to both secure and
-non-secure Security state.
-We can remove the conditions that try to suppress masking of
-interrupts when we are Secure and the exception targets EL2 and
-Secure EL2 is disabled.  This is OK because in that situation
-arm_phys_excp_target_el() will never return 2 as the target EL.  The
-'not if secure' check in this function was originally written before
-arm_hcr_el2_eff(), and back then the target EL returned by
-arm_phys_excp_target_el() could be 2 even if we were in Secure
-EL0/EL1; but it is no longer needed.
-Signed-off-by: Ake Koomsin <ake@igel.co.jp>
-Message-id: 20221017092432.546881-1-ake@igel.co.jp
-[PMM: Add commit message paragraph explaining why it's OK to
- remove the checks on secure and SCR_EEL2]
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.c | 24 +++++++++++++++++-------
-file changed, 17 insertions(+), 7 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
-     if ((target_el > cur_el) && (target_el != 1)) {
-         /* Exceptions targeting a higher EL may not be maskable */
-         if (arm_feature(env, ARM_FEATURE_AARCH64)) {
--            /*
--             * 64-bit masking rules are simple: exceptions to EL3
--             * can't be masked, and exceptions to EL2 can only be
--             * masked from Secure state. The HCR and SCR settings
--             * don't affect the masking logic, only the interrupt routing.
--             */
--            if (target_el == 3 || !secure || (env->cp15.scr_el3 & SCR_EEL2)) {
-+            switch (target_el) {
-+            case 2:
-+                /*
-+                 * According to ARM DDI 0487H.a, an interrupt can be masked
-+                 * when HCR_E2H and HCR_TGE are both set regardless of the
-+                 * current Security state. Note that we need to revisit this
-+                 * part again once we need to support NMI.
-+                 */
-+                if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
-+                        unmasked = true;
-+                }
-+                break;
-+            case 3:
-+                /* Interrupt cannot be masked when the target EL is 3 */
-                 unmasked = true;
-+                break;
-+            default:
-+                g_assert_not_reached();
-             }
-         } else {
-             /*
---
-.25.1

-[PULL 12/30] target/arm: Add ARMFault_UnsuppAtomicUpdate
+[PULL 01/12] target/arm: Move translate-a32.h, arm_ldst.h, sve_ldst_internal.h to tcg/
 From: Richard Henderson <richard.henderson@linaro.org>
-This fault type is to be used with FEAT_HAFDBS when
+These files got missed when populating tcg/.
-the guest enables hw updates, but places the tables
+Because they are included with "", no change to the users required.
 in memory where atomic updates are unsupported.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
-Message-id: 20221024051851.3074715-7-richard.henderson@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20230504110412.1892411-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h | 4 ++++
+ target/arm/{ => tcg}/arm_ldst.h          | 0
-file changed, 4 insertions(+)
+ target/arm/{ => tcg}/sve_ldst_internal.h | 0
  target/arm/{ => tcg}/translate-a32.h     | 0
 files changed, 0 insertions(+), 0 deletions(-)
  rename target/arm/{ => tcg}/arm_ldst.h (100%)
  rename target/arm/{ => tcg}/sve_ldst_internal.h (100%)
  rename target/arm/{ => tcg}/translate-a32.h (100%)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/target/arm/arm_ldst.h b/target/arm/tcg/arm_ldst.h
-index XXXXXXX..XXXXXXX 100644
+similarity index 100%
---- a/target/arm/internals.h
+rename from target/arm/arm_ldst.h
-+++ b/target/arm/internals.h
+rename to target/arm/tcg/arm_ldst.h
-@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
+diff --git a/target/arm/sve_ldst_internal.h b/target/arm/tcg/sve_ldst_internal.h
-     ARMFault_AsyncExternal,
+similarity index 100%
-     ARMFault_Debug,
+rename from target/arm/sve_ldst_internal.h
-     ARMFault_TLBConflict,
+rename to target/arm/tcg/sve_ldst_internal.h
-+    ARMFault_UnsuppAtomicUpdate,
+diff --git a/target/arm/translate-a32.h b/target/arm/tcg/translate-a32.h
-     ARMFault_Lockdown,
+similarity index 100%
-     ARMFault_Exclusive,
+rename from target/arm/translate-a32.h
-     ARMFault_ICacheMaint,
+rename to target/arm/tcg/translate-a32.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
      case ARMFault_TLBConflict:
          fsc = 0x30;
          break;
 +    case ARMFault_UnsuppAtomicUpdate:
 +        fsc = 0x31;
 +        break;
      case ARMFault_Lockdown:
          fsc = 0x34;
          break;
 --
-.25.1
+.34.1

-[PULL 17/30] target/arm: Tidy merging of attributes from descriptor and table
+[PULL 02/12] target/arm: Move helper-{a64,mve,sme,sve}.h to tcg/
 From: Richard Henderson <richard.henderson@linaro.org>
-Replace some gotos with some nested if statements.
+While we cannot move the main "helper.h" out of target/arm/,
 due to usage by generic code, we can move the sub-includes.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
-Message-id: 20221024051851.3074715-12-richard.henderson@linaro.org
+Message-id: 20230504110412.1892411-3-richard.henderson@linaro.org
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/ptw.c | 34 ++++++++++++++++------------------
+ target/arm/helper.h               | 8 ++++----
-file changed, 16 insertions(+), 18 deletions(-)
+ target/arm/{ => tcg}/helper-a64.h | 0
  target/arm/{ => tcg}/helper-mve.h | 0
  target/arm/{ => tcg}/helper-sme.h | 0
  target/arm/{ => tcg}/helper-sve.h | 0
 files changed, 4 insertions(+), 4 deletions(-)
  rename target/arm/{ => tcg}/helper-a64.h (100%)
  rename target/arm/{ => tcg}/helper-mve.h (100%)
  rename target/arm/{ => tcg}/helper-sme.h (100%)
  rename target/arm/{ => tcg}/helper-sve.h (100%)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
+--- a/target/arm/helper.h
-+++ b/target/arm/ptw.c
++++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
-     page_size = (1ULL << ((stride * (4 - level)) + 3));
+                    void, ptr, ptr, ptr, ptr, i32)
-     descaddr &= ~(hwaddr)(page_size - 1);
-     descaddr |= (address & (page_size - 1));
+ #ifdef TARGET_AARCH64
--    /* Extract attributes from the descriptor */
+-#include "helper-a64.h"
--    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
+-#include "helper-sve.h"
+-#include "helper-sme.h"
--    if (regime_is_stage2(mmu_idx)) {
++#include "tcg/helper-a64.h"
--        /* Stage 2 table descriptors do not include any attribute fields */
++#include "tcg/helper-sve.h"
--        goto skip_attrs;
++#include "tcg/helper-sme.h"
--    }
+ #endif
--    /* Merge in attributes from table descriptors */
--    attrs |= nstable << 5; /* NS */
+-#include "helper-mve.h"
--    if (param.hpd) {
++#include "tcg/helper-mve.h"
--        /* HPD disables all the table attributes except NSTable.  */
+diff --git a/target/arm/helper-a64.h b/target/arm/tcg/helper-a64.h
--        goto skip_attrs;
+similarity index 100%
--    }
+rename from target/arm/helper-a64.h
--    attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
+rename to target/arm/tcg/helper-a64.h
-     /*
+diff --git a/target/arm/helper-mve.h b/target/arm/tcg/helper-mve.h
--     * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
+similarity index 100%
--     * means "force PL1 access only", which means forcing AP[1] to 0.
+rename from target/arm/helper-mve.h
-+     * Extract attributes from the descriptor, and apply table descriptors.
+rename to target/arm/tcg/helper-mve.h
-+     * Stage 2 table descriptors do not include any attribute fields.
+diff --git a/target/arm/helper-sme.h b/target/arm/tcg/helper-sme.h
-+     * HPD disables all the table attributes except NSTable.
+similarity index 100%
-      */
+rename from target/arm/helper-sme.h
--    attrs &= ~(extract64(tableattrs, 2, 1) << 6);   /* !APT[0] => AP[1] */
+rename to target/arm/tcg/helper-sme.h
--    attrs |= extract32(tableattrs, 3, 1) << 7;      /* APT[1] => AP[2] */
+diff --git a/target/arm/helper-sve.h b/target/arm/tcg/helper-sve.h
-- skip_attrs:
+similarity index 100%
-+    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
+rename from target/arm/helper-sve.h
-+    if (!regime_is_stage2(mmu_idx)) {
+rename to target/arm/tcg/helper-sve.h
 +        attrs |= nstable << 5; /* NS */
 +        if (!param.hpd) {
 +            attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
 +            /*
 +             * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
 +             * means "force PL1 access only", which means forcing AP[1] to 0.
 +             */
 +            attrs &= ~(extract64(tableattrs, 2, 1) << 6); /* !APT[0] => AP[1] */
 +            attrs |= extract32(tableattrs, 3, 1) << 7;    /* APT[1] => AP[2] */
 +        }
 +    }
      /*
       * Here descaddr is the final physical address, and attributes
 --
-.25.1
+.34.1

-[PULL 14/30] target/arm: Fix fault reporting in get_phys_addr_lpae
+[PULL 03/12] target/arm: Don't allow stage 2 page table walks to downgrade to NS
-From: Richard Henderson <richard.henderson@linaro.org>
+Bit 63 in a Table descriptor is only the NSTable bit for stage 1
 translations; in stage 2 it is RES0.  We were incorrectly looking at
 it all the time.
-Always overriding fi->type was incorrect, as we would not properly
+This causes problems if:
-propagate the fault type from S1_ptw_translate, or arm_ldq_ptw.
+ * the stage 2 table descriptor was incorrectly setting the RES0 bit
-Simplify things by providing a new label for a translation fault.
+ * we are doing a stage 2 translation in Secure address space for
-For other faults, store into fi directly.
+   a NonSecure stage 1 regime -- in this case we would incorrectly
    do an immediate downgrade to NonSecure
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+A bug elsewhere in the code currently prevents us from getting
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+to the second situation, but when we fix that it will be possible.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20221024051851.3074715-9-richard.henderson@linaro.org
+Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20230504135425.2748672-2-peter.maydell@linaro.org
 ---
- target/arm/ptw.c | 31 +++++++++++++------------------
+ target/arm/ptw.c | 5 +++--
-file changed, 13 insertions(+), 18 deletions(-)
+file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     ARMCPU *cpu = env_archcpu(env);
+     descaddrmask &= ~indexmask_grainsize;
-     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-     bool is_secure = ptw->in_secure;
+     /*
--    /* Read an LPAE long-descriptor translation table. */
+-     * Secure accesses start with the page table in secure memory and
--    ARMFaultType fault_type = ARMFault_Translation;
++     * Secure stage 1 accesses start with the page table in secure memory and
-     uint32_t level;
+      * can be downgraded to non-secure at any step. Non-secure accesses
-     ARMVAParameters param;
+      * remain non-secure. We implement this by just ORing in the NSTable/NS
-     uint64_t ttbr;
+      * bits at each step.
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
++     * Stage 2 never gets this kind of downgrade.
           * so our choice is to always raise the fault.
           */
          if (param.tsz_oob) {
 -            fault_type = ARMFault_Translation;
 -            goto do_fault;
 +            goto do_translation_fault;
          }
          addrsize = 64 - 8 * param.tbi;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                             addrsize - inputsize);
          if (-top_bits != param.select) {
              /* The gap between the two regions is a Translation fault */
 -            fault_type = ARMFault_Translation;
 -            goto do_fault;
 +            goto do_translation_fault;
          }
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
           * Translation table walk disabled => Translation fault on TLB miss
           * Note: This is always 0 on 64-bit EL2 and EL3.
           */
 -        goto do_fault;
 +        goto do_translation_fault;
      }
      if (!regime_is_stage2(mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          if (param.ds && stride == 9 && sl2) {
              if (sl0 != 0) {
                  level = 0;
 -                fault_type = ARMFault_Translation;
 -                goto do_fault;
 +                goto do_translation_fault;
              }
              startlevel = -1;
          } else if (!aarch64 || stride == 9) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          ok = check_s2_mmu_setup(cpu, aarch64, startlevel,
                                  inputsize, stride, outputsize);
          if (!ok) {
 -            fault_type = ARMFault_Translation;
 -            goto do_fault;
 +            goto do_translation_fault;
          }
          level = startlevel;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          descaddr |= extract64(ttbr, 2, 4) << 48;
      } else if (descaddr >> outputsize) {
          level = 0;
 -        fault_type = ARMFault_AddressSize;
 +        fi->type = ARMFault_AddressSize;
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
          /* Invalid, or the Reserved level 3 encoding */
 -        goto do_fault;
 +        goto do_translation_fault;
      }
      descaddr = descriptor & descaddrmask;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
              descaddr |= extract64(descriptor, 12, 4) << 48;
          }
      } else if (descaddr >> outputsize) {
 -        fault_type = ARMFault_AddressSize;
 +        fi->type = ARMFault_AddressSize;
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
       * Here descaddr is the final physical address, and attributes
       * are all in attrs.
       */
--    fault_type = ARMFault_AccessFlag;
+     tableattrs = is_secure ? 0 : (1 << 4);
-     if ((attrs & (1 << 8)) == 0) {
-         /* Access flag */
+  next_level:
-+        fi->type = ARMFault_AccessFlag;
+     descaddr |= (address >> (stride * (4 - level))) & indexmask;
-         goto do_fault;
+     descaddr &= ~7ULL;
-     }
+-    nstable = extract32(tableattrs, 4, 1);
++    nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     if (nstable) {
-         result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
+         /*
-     }
+          * Stage2_S -> Stage2 or Phys_S -> Phys_NS
 -    fault_type = ARMFault_Permission;
      if (!(result->f.prot & (1 << access_type))) {
 +        fi->type = ARMFault_Permission;
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      result->f.lg_page_size = ctz64(page_size);
      return false;
 -do_fault:
 -    fi->type = fault_type;
 + do_translation_fault:
 +    fi->type = ARMFault_Translation;
 + do_fault:
      fi->level = level;
      /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
      fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
 --
-.25.1
+.34.1

-[PULL 08/30] target/arm: Add ptw_idx to S1Translate
+[PULL 04/12] target/arm: Fix handling of SW and NSW bits for stage 2 walks
-From: Richard Henderson <richard.henderson@linaro.org>
+We currently don't correctly handle the VSTCR_EL2.SW and VTCR_EL2.NSW
 configuration bits.  These allow configuration of whether the stage 2
 page table walks for Secure IPA and NonSecure IPA should do their
 descriptor reads from Secure or NonSecure physical addresses. (This
 is separate from how the translation table base address and other
 parameters are set: an NS IPA always uses VTTBR_EL2 and VTCR_EL2
 for its base address and walk parameters, regardless of the NSW bit,
 and similarly for Secure.)
-Hoist the computation of the mmu_idx for the ptw up to
+Provide a new function ptw_idx_for_stage_2() which returns the
-get_phys_addr_with_struct and get_phys_addr_twostage.
+MMU index to use for descriptor reads, and use it to set up
-This removes the duplicate check for stage2 disabled
+the .in_ptw_idx wherever we call get_phys_addr_lpae().
 from the middle of the walk, performing it only once.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+For a stage 2 walk, wherever we call get_phys_addr_lpae():
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+ * .in_ptw_idx should be ptw_idx_for_stage_2() of the .in_mmu_idx
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
+ * .in_secure should be true if .in_mmu_idx is Stage2_S
-Message-id: 20221024051851.3074715-3-richard.henderson@linaro.org
 This allows us to correct S1_ptw_translate() so that it consistently
 always sets its (out_secure, out_phys) to the result it gets from the
 S2 walk (either by calling get_phys_addr_lpae() or by TLB lookup).
 This makes better conceptual sense because the S2 walk should return
 us an (address space, address) tuple, not an address that we then
 randomly assign to S or NS.
 Our previous handling of SW and NSW was broken, so guest code
 trying to use these bits to put the s2 page tables in the "other"
 address space wouldn't work correctly.
 Cc: qemu-stable@nongnu.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1600
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230504135425.2748672-3-peter.maydell@linaro.org
 ---
- target/arm/ptw.c | 71 ++++++++++++++++++++++++++++++++++++------------
+ target/arm/ptw.c | 76 ++++++++++++++++++++++++++++++++----------------
-file changed, 54 insertions(+), 17 deletions(-)
+file changed, 51 insertions(+), 25 deletions(-)
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
+     return stage_1_mmu_idx(arm_mmu_idx(env));
- typedef struct S1Translate {
+ }
-     ARMMMUIdx in_mmu_idx;
-+    ARMMMUIdx in_ptw_idx;
++/*
-     bool in_secure;
++ * Return where we should do ptw loads from for a stage 2 walk.
-     bool in_debug;
++ * This depends on whether the address we are looking up is a
-     bool out_secure;
++ * Secure IPA or a NonSecure IPA, which we know from whether this is
 + * Stage2 or Stage2_S.
 + * If this is the Secure EL1&0 regime we need to check the NSW and SW bits.
 + */
 +static ARMMMUIdx ptw_idx_for_stage_2(CPUARMState *env, ARMMMUIdx stage2idx)
 +{
 +    bool s2walk_secure;
 +
 +    /*
 +     * We're OK to check the current state of the CPU here because
 +     * (1) we always invalidate all TLBs when the SCR_EL3.NS bit changes
 +     * (2) there's no way to do a lookup that cares about Stage 2 for a
 +     * different security state to the current one for AArch64, and AArch32
 +     * never has a secure EL2. (AArch32 ATS12NSO[UP][RW] allow EL3 to do
 +     * an NS stage 1+2 lookup while the NS bit is 0.)
 +     */
 +    if (!arm_is_secure_below_el3(env) || !arm_el_is_aa64(env, 3)) {
 +        return ARMMMUIdx_Phys_NS;
 +    }
 +    if (stage2idx == ARMMMUIdx_Stage2_S) {
 +        s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
 +    } else {
 +        s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
 +    }
 +    return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
 +
 +}
 +
  static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
  {
      return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
 @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
- {
-     bool is_secure = ptw->in_secure;
      ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
--    ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
 -    bool s2_phys = false;
 +    ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
      uint8_t pte_attrs;
-     bool pte_secure;
+-    bool pte_secure;
--    if (!arm_mmu_idx_is_stage1_of_2(mmu_idx)
+     ptw->out_virt = addr;
--        || regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
--        s2_mmu_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
--        s2_phys = true;
+         if (regime_is_stage2(s2_mmu_idx)) {
 -    }
 -
      if (unlikely(ptw->in_debug)) {
          /*
           * From gdbstub, do not use softmmu so that we don't modify the
           * state of the cpu at all, including softmmu tlb contents.
           */
 -        if (s2_phys) {
 -            ptw->out_phys = addr;
 -            pte_attrs = 0;
 -            pte_secure = is_secure;
 -        } else {
 +        if (regime_is_stage2(s2_mmu_idx)) {
              S1Translate s2ptw = {
                  .in_mmu_idx = s2_mmu_idx,
-+                .in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS,
+-                .in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS,
-                 .in_secure = is_secure,
+-                .in_secure = is_secure,
 +                .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
 +                .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
                  .in_debug = true,
              };
              GetPhysAddrResult s2 = { };
-+
-             if (!get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
-                                     false, &s2, fi)) {
-                 goto fail;
 @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+             }
              ptw->out_phys = s2.f.phys_addr;
              pte_attrs = s2.cacheattrs.attrs;
-             pte_secure = s2.f.attrs.secure;
+-            pte_secure = s2.f.attrs.secure;
-+        } else {
++            ptw->out_secure = s2.f.attrs.secure;
-+            /* Regime is physical. */
+         } else {
-+            ptw->out_phys = addr;
+             /* Regime is physical. */
-+            pte_attrs = 0;
+             ptw->out_phys = addr;
-+            pte_secure = is_secure;
+             pte_attrs = 0;
 -            pte_secure = is_secure;
 +            ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
          }
          ptw->out_host = NULL;
-     } else {
+         ptw->out_rw = false;
 @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-         pte_secure = full->attrs.secure;
+         ptw->out_phys = full->phys_addr | (addr & ~TARGET_PAGE_MASK);
          ptw->out_rw = full->prot & PAGE_WRITE;
          pte_attrs = full->pte_attrs;
 -        pte_secure = full->attrs.secure;
 +        ptw->out_secure = full->attrs.secure;
  #else
          g_assert_not_reached();
  #endif
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          }
      }
--    if (!s2_phys) {
+-    /* Check if page table walk is to secure or non-secure PA space. */
-+    if (regime_is_stage2(s2_mmu_idx)) {
+-    ptw->out_secure = (is_secure
-         uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
+-                       && !(pte_secure
+-                            ? env->cp15.vstcr_el2 & VSTCR_SW
-         if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) {
+-                            : env->cp15.vtcr_el2 & VTCR_NSW));
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     ptw->out_be = regime_translation_big_endian(env, mmu_idx);
-         descaddr |= (address >> (stride * (4 - level))) & indexmask;
+     return true;
-         descaddr &= ~7ULL;
          nstable = extract32(tableattrs, 4, 1);
 -        ptw->in_secure = !nstable;
 +        if (!nstable) {
 +            /*
 +             * Stage2_S -> Stage2 or Phys_S -> Phys_NS
 +             * Assert that the non-secure idx are even, and relative order.
 +             */
 +            QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
 +            QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
 +            QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
 +            QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
 +            ptw->in_ptw_idx &= ~1;
 +            ptw->in_secure = false;
 +        }
          descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
          if (fi->type != ARMFault_None) {
              goto do_fault;
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     hwaddr ipa;
+     int s1_prot, s1_lgpgsz;
+     bool is_secure = ptw->in_secure;
+-    bool ret, ipa_secure, s2walk_secure;
++    bool ret, ipa_secure;
+     ARMCacheAttrs cacheattrs1;
+     bool is_el0;
+     uint64_t hcr;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     ipa = result->f.phys_addr;
+     ipa_secure = result->f.attrs.secure;
+-    if (is_secure) {
+-        /* Select TCR based on the NS bit from the S1 walk. */
+-        s2walk_secure = !(ipa_secure
+-                          ? env->cp15.vstcr_el2 & VSTCR_SW
+-                          : env->cp15.vtcr_el2 & VTCR_NSW);
+-    } else {
+-        assert(!ipa_secure);
+-        s2walk_secure = false;
+-    }
      is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
-     ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+-    ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-+    ptw->in_ptw_idx = s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+-    ptw->in_ptw_idx = s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-     ptw->in_secure = s2walk_secure;
+-    ptw->in_secure = s2walk_secure;
 +    ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +    ptw->in_secure = ipa_secure;
 +    ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx);
      /*
+      * S1 is done, now do S2 translation.
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-                                       ARMMMUFaultInfo *fi)
+         ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
- {
+         break;
-     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
--    ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
++    case ARMMMUIdx_Stage2:
-     bool is_secure = ptw->in_secure;
++    case ARMMMUIdx_Stage2_S:
-+    ARMMMUIdx s1_mmu_idx;
++        /*
++         * Second stage lookup uses physical for ptw; whether this is S or
--    if (mmu_idx != s1_mmu_idx) {
++         * NS may depend on the SW/NSW bits if this is a stage 2 lookup for
-+    switch (mmu_idx) {
++         * the Secure EL2&0 regime.
-+    case ARMMMUIdx_Phys_S:
++         */
-+    case ARMMMUIdx_Phys_NS:
++        ptw->in_ptw_idx = ptw_idx_for_stage_2(env, mmu_idx);
 +        /* Checking Phys early avoids special casing later vs regime_el. */
 +        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
 +                                      is_secure, result, fi);
 +
 +    case ARMMMUIdx_Stage1_E0:
 +    case ARMMMUIdx_Stage1_E1:
 +    case ARMMMUIdx_Stage1_E1_PAN:
 +        /* First stage lookup uses second stage for ptw. */
 +        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +        break;
 +
-+    case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_E10_0:
-+        s1_mmu_idx = ARMMMUIdx_Stage1_E0;
+         s1_mmu_idx = ARMMMUIdx_Stage1_E0;
-+        goto do_twostage;
+         goto do_twostage;
 +    case ARMMMUIdx_E10_1:
 +        s1_mmu_idx = ARMMMUIdx_Stage1_E1;
 +        goto do_twostage;
 +    case ARMMMUIdx_E10_1_PAN:
 +        s1_mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
 +    do_twostage:
          /*
           * Call ourselves recursively to do the stage 1 and then stage 2
           * translations if mmu_idx is a two-stage regime, and EL2 present.
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-             return get_phys_addr_twostage(env, ptw, address, access_type,
+         /* fall through */
-                                           result, fi);
-         }
+     default:
-+        /* fall through */
+-        /* Single stage and second stage uses physical for ptw. */
-+
++        /* Single stage uses physical for ptw. */
-+    default:
+         ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-+        /* Single stage and second stage uses physical for ptw. */
+         break;
 +        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
 +        break;
      }
-     /*
 --
-.25.1
+.34.1

-[PULL 28/30] mips/boston: re-randomize rng-seed on reboot
+[PULL 05/12] MAINTAINERS: Update Akihiko Odaki's email address
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+From: Akihiko Odaki <akihiko.odaki@gmail.com>
-When the system reboots, the rng-seed that the FDT has should be
+I am now employed by Daynix. Although my role as a reviewer of
-re-randomized, so that the new boot gets a new seed. Since the FDT is in
+macOS-related change is not very relevant to the employment, I decided
-the ROM region at this point, we add a hook right after the ROM has been
+to use the company email address to avoid confusions from different
-added, so that we have a pointer to that copy of the FDT.
+addresses.
-Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-Cc: Paul Burton <paulburton@kernel.org>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Message-id: 20230506072333.32510-1-akihiko.odaki@daynix.com
 Message-id: 20221025004327.568476-9-Jason@zx2c4.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/mips/boston.c | 3 +++
+ MAINTAINERS | 4 ++--
-file changed, 3 insertions(+)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/mips/boston.c b/hw/mips/boston.c
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
---- a/hw/mips/boston.c
+--- a/MAINTAINERS
-+++ b/hw/mips/boston.c
++++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ Core Audio framework backend
- #include "sysemu/sysemu.h"
+ M: Gerd Hoffmann <kraxel@redhat.com>
- #include "sysemu/qtest.h"
+ M: Philippe Mathieu-Daudé <philmd@linaro.org>
- #include "sysemu/runstate.h"
+ R: Christian Schoenebeck <qemu_oss@crudebyte.com>
-+#include "sysemu/reset.h"
+-R: Akihiko Odaki <akihiko.odaki@gmail.com>
++R: Akihiko Odaki <akihiko.odaki@daynix.com>
- #include <libfdt.h>
+ S: Odd Fixes
- #include "qom/object.h"
+ F: audio/coreaudio.c
-@@ -XXX,XX +XXX,XX @@ static void boston_mach_init(MachineState *machine)
-             /* Calculate real fdt size after filter */
+@@ -XXX,XX +XXX,XX @@ F: docs/devel/ui.rst
-             dt_size = fdt_totalsize(dtb_load_data);
+ Cocoa graphics
-             rom_add_blob_fixed("dtb", dtb_load_data, dt_size, dtb_paddr);
+ M: Peter Maydell <peter.maydell@linaro.org>
-+            qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+ M: Philippe Mathieu-Daudé <philmd@linaro.org>
-+                                rom_ptr(dtb_paddr, dt_size));
+-R: Akihiko Odaki <akihiko.odaki@gmail.com>
-         } else {
++R: Akihiko Odaki <akihiko.odaki@daynix.com>
-             /* Try to load file as FIT */
+ S: Odd Fixes
-             fit_err = load_fit(&boston_fit_loader, machine->kernel_filename, s);
+ F: ui/cocoa.m
 --
-.25.1
+.34.1

-[PULL 10/30] target/arm: Extract HA and HD in aa64_va_parameters
+[PULL 06/12] ui: Fix pixel colour channel order for PNG screenshots
-From: Richard Henderson <richard.henderson@linaro.org>
+When we take a PNG screenshot the ordering of the colour channels in
 the data is not correct, resulting in the image having weird
 colouring compared to the actual display.  (Specifically, on a
 little-endian host the blue and red channels are swapped; on
 big-endian everything is wrong.)
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+This happens because the pixman idea of the pixel data and the libpng
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+idea differ.  PIXMAN_a8r8g8b8 defines that pixels are 32-bit values,
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+with A in bits 24-31, R in bits 16-23, G in bits 8-15 and B in bits
-Message-id: 20221024051851.3074715-5-richard.henderson@linaro.org
+-7.  This means that on little-endian systems the bytes in memory
 are
    B G R A
 and on big-endian systems they are
    A R G B
 libpng, on the other hand, thinks of pixels as being a series of
 values for each channel, so its format PNG_COLOR_TYPE_RGB_ALPHA
 always wants bytes in the order
    R G B A
 This isn't the same as the pixman order for either big or little
 endian hosts.
 The alpha channel is also unnecessary bulk in the output PNG file,
 because there is no alpha information in a screenshot.
 To handle the endianness issue, we already define in ui/qemu-pixman.h
 various PIXMAN_BE_* and PIXMAN_LE_* values that give consistent
 byte-order pixel channel formats.  So we can use PIXMAN_BE_r8g8b8 and
 PNG_COLOR_TYPE_RGB, which both have an in-memory byte order of
     R G B
 and 3 bytes per pixel.
 (PPM format screenshots get this right; they already use the
 PIXMAN_BE_r8g8b8 format.)
 Cc: qemu-stable@nongnu.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1622
 Fixes: 9a0a119a382867 ("Added parameter to take screenshot with screendump as PNG")
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 20230502135548.2451309-1-peter.maydell@linaro.org
 ---
- target/arm/internals.h | 2 ++
+ ui/console.c | 4 ++--
- target/arm/helper.c    | 8 +++++++-
+file changed, 2 insertions(+), 2 deletions(-)
 files changed, 9 insertions(+), 1 deletion(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/ui/console.c b/ui/console.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/ui/console.c
-+++ b/target/arm/internals.h
++++ b/ui/console.c
-@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
+@@ -XXX,XX +XXX,XX @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
-     bool hpd        : 1;
+     png_struct *png_ptr;
-     bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
+     png_info *info_ptr;
-     bool ds         : 1;
+     g_autoptr(pixman_image_t) linebuf =
-+    bool ha         : 1;
+-                            qemu_pixman_linebuf_create(PIXMAN_a8r8g8b8, width);
-+    bool hd         : 1;
++        qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, width);
-     ARMGranuleSize gran : 2;
+     uint8_t *buf = (uint8_t *)pixman_image_get_data(linebuf);
- } ARMVAParameters;
+     FILE *f = fdopen(fd, "wb");
+     int y;
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
-index XXXXXXX..XXXXXXX 100644
+     png_init_io(png_ptr, f);
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
+     png_set_IHDR(png_ptr, info_ptr, width, height, 8,
-@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+-                 PNG_COLOR_TYPE_RGB_ALPHA, PNG_INTERLACE_NONE,
-                                    ARMMMUIdx mmu_idx, bool data)
++                 PNG_COLOR_TYPE_RGB, PNG_INTERLACE_NONE,
- {
+                  PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
-     uint64_t tcr = regime_tcr(env, mmu_idx);
--    bool epd, hpd, tsz_oob, ds;
+     png_write_info(png_ptr, info_ptr);
 +    bool epd, hpd, tsz_oob, ds, ha, hd;
      int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
      ARMGranuleSize gran;
      ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
          epd = false;
          sh = extract32(tcr, 12, 2);
          ps = extract32(tcr, 16, 3);
 +        ha = extract32(tcr, 21, 1) && cpu_isar_feature(aa64_hafs, cpu);
 +        hd = extract32(tcr, 22, 1) && cpu_isar_feature(aa64_hdbs, cpu);
          ds = extract64(tcr, 32, 1);
      } else {
          bool e0pd;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
              e0pd = extract64(tcr, 56, 1);
          }
          ps = extract64(tcr, 32, 3);
 +        ha = extract64(tcr, 39, 1) && cpu_isar_feature(aa64_hafs, cpu);
 +        hd = extract64(tcr, 40, 1) && cpu_isar_feature(aa64_hdbs, cpu);
          ds = extract64(tcr, 59, 1);
          if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) &&
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
          .hpd = hpd,
          .tsz_oob = tsz_oob,
          .ds = ds,
 +        .ha = ha,
 +        .hd = ha && hd,
          .gran = gran,
      };
  }
 --
-.25.1
+.34.1

-[PULL 05/30] hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()
+[PULL 07/12] docs: Remove unused weirdly-named cross-reference targets
-The semantic difference between the deprecated device_legacy_reset()
+In the doc sources, we have a few cross-reference targets with odd
-function and the newer device_cold_reset() function is that the new
+names "pcsys_005fxyz".  These are the legacy of the semi-automated
-function resets both the device itself and any qbuses it owns,
+conversion of the old info docs to rST (the '005f' is because ASCII
-whereas the legacy function resets just the device itself and nothing
+x5f is '_' and the old info link names had underscores in them).
-else.  In hyperv_synic_reset() we reset a SynICState, which has no
-qbuses, so for this purpose the two functions behave identically and
+Remove the targets which nothing links to, and rename the two targets
-we can stop using the deprecated one.
+which are used to something a bit more descriptive.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+Message-id: 20230421163642.1151904-1-peter.maydell@linaro.org
-Message-id: 20221013171817.1447562-1-peter.maydell@linaro.org
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
 ---
- hw/hyperv/hyperv.c | 2 +-
+ docs/system/devices/igb.rst     | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
+ docs/system/devices/ivshmem.rst | 2 --
  docs/system/devices/net.rst     | 2 +-
  docs/system/devices/usb.rst     | 2 --
  docs/system/keys.rst            | 2 +-
  docs/system/linuxboot.rst       | 2 +-
  docs/system/target-i386.rst     | 4 ----
 files changed, 4 insertions(+), 12 deletions(-)
-diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
+diff --git a/docs/system/devices/igb.rst b/docs/system/devices/igb.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/hyperv/hyperv.c
+--- a/docs/system/devices/igb.rst
-+++ b/hw/hyperv/hyperv.c
++++ b/docs/system/devices/igb.rst
-@@ -XXX,XX +XXX,XX @@ void hyperv_synic_reset(CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ Using igb
-     SynICState *synic = get_synic(cs);
+ =========
-     if (synic) {
+ Using igb should be nothing different from using another network device. See
--        device_legacy_reset(DEVICE(synic));
+-:ref:`pcsys_005fnetwork` in general.
-+        device_cold_reset(DEVICE(synic));
++:ref:`Network_emulation` in general.
-     }
- }
+ However, you may also need to perform additional steps to activate SR-IOV
  feature on your guest. For Linux, refer to [4]_.
 diff --git a/docs/system/devices/ivshmem.rst b/docs/system/devices/ivshmem.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/devices/ivshmem.rst
 +++ b/docs/system/devices/ivshmem.rst
@@ -XXX,XX +XXX,XX @@
 -.. _pcsys_005fivshmem:
 -
  Inter-VM Shared Memory device
  -----------------------------
 diff --git a/docs/system/devices/net.rst b/docs/system/devices/net.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/devices/net.rst
 +++ b/docs/system/devices/net.rst
@@ -XXX,XX +XXX,XX @@
 -.. _pcsys_005fnetwork:
 +.. _Network_Emulation:
  Network emulation
  -----------------
 diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/devices/usb.rst
 +++ b/docs/system/devices/usb.rst
@@ -XXX,XX +XXX,XX @@
 -.. _pcsys_005fusb:
 -
  USB emulation
  -------------
 diff --git a/docs/system/keys.rst b/docs/system/keys.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/keys.rst
 +++ b/docs/system/keys.rst
@@ -XXX,XX +XXX,XX @@
 -.. _pcsys_005fkeys:
 +.. _GUI_keys:
  Keys in the graphical frontends
  -------------------------------
 diff --git a/docs/system/linuxboot.rst b/docs/system/linuxboot.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/linuxboot.rst
 +++ b/docs/system/linuxboot.rst
@@ -XXX,XX +XXX,XX @@ virtual serial port and the QEMU monitor to the console with the
                      -append "root=/dev/hda console=ttyS0" -nographic
  Use Ctrl-a c to switch between the serial console and the monitor (see
 -:ref:`pcsys_005fkeys`).
 +:ref:`GUI_keys`).
 diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/target-i386.rst
 +++ b/docs/system/target-i386.rst
@@ -XXX,XX +XXX,XX @@
  x86 System emulator
  -------------------
 -.. _pcsys_005fdevices:
 -
  Board-specific documentation
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ Architectural features
     i386/sgx
     i386/amd-memory-encryption
 -.. _pcsys_005freq:
 -
  OS requirements
  ~~~~~~~~~~~~~~~
 --
-.25.1
+.34.1

-[PULL 04/30] hw/core/resettable: fix reset level counting
+[PULL 08/12] hw/mips/malta: Fix minor dead code issue
-From: Damien Hedde <damien.hedde@greensocs.com>
+Coverity points out (in CID 1508390) that write_bootloader has
 some dead code, where we assign to 'p' and then in the following
 line assign to it again. This happened as a result of the
 refactoring in commit cd5066f8618b.
-The code for handling the reset level count in the Resettable code
+Fix the dead code by removing the 'void *v' variable entirely and
-has two issues:
+instead adding a cast when calling bl_setup_gt64120_jump_kernel(), as
 we do at its other callsite in write_bootloader_nanomips().
-The reset count is only decremented for the 1->0 case.  This means
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-that if there's ever a nested reset that takes the count to 2 then it
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-will never again be decremented.  Eventually the count will exceed
+---
-the '50' limit in resettable_phase_enter() and QEMU will trip over
+ hw/mips/malta.c | 5 +----
-the assertion failure.  The repro case in issue 1266 is an example of
+file changed, 1 insertion(+), 4 deletions(-)
 this that happens now the SCSI subsystem uses three-phase reset.
-Secondly, the count is decremented only after the exit phase handler
+diff --git a/hw/mips/malta.c b/hw/mips/malta.c
 is called.  Moving the reset count decrement from "just after" to
 "just before" calling the exit phase handler allows
 resettable_is_in_reset() to return false during the handler
 execution.
 This simplifies reset handling in resettable devices.  Typically, a
 function that updates the device state will just need to read the
 current reset state and not anymore treat the "in a reset-exit
 transition" as a special case.
 Note that the semantics change to the *_is_in_reset() functions
 will have no effect on the current codebase, because only two
 devices (hw/char/cadence_uart.c and hw/misc/zynq_sclr.c) currently
 call those functions, and in neither case do they do it from the
 device's exit phase methed.
 Fixes: 4a5fc890 ("scsi: Use device_cold_reset() and bus_cold_reset()")
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1266
 Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reported-by: Michael Peter <michael.peter@hensoldt-cyber.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20221020142749.3357951-1-peter.maydell@linaro.org
 Buglink: https://bugs.launchpad.net/qemu/+bug/1905297
 Reported-by: Michael Peter <michael.peter@hensoldt-cyber.com>
 [PMM: adjust the docs paragraph changed to get the name of the
  'enter' phase right and to clarify exactly when the count is
  adjusted; rewrite the commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  docs/devel/reset.rst | 8 +++++---
  hw/core/resettable.c | 3 +--
 files changed, 6 insertions(+), 5 deletions(-)
 diff --git a/docs/devel/reset.rst b/docs/devel/reset.rst
 index XXXXXXX..XXXXXXX 100644
---- a/docs/devel/reset.rst
+--- a/hw/mips/malta.c
-+++ b/docs/devel/reset.rst
++++ b/hw/mips/malta.c
-@@ -XXX,XX +XXX,XX @@ Polling the reset state
+@@ -XXX,XX +XXX,XX @@ static void write_bootloader(uint8_t *base, uint64_t run_addr,
- Resettable interface provides the ``resettable_is_in_reset()`` function.
+                              uint64_t kernel_entry)
- This function returns true if the object parameter is currently under reset.
+ {
+     uint32_t *p;
--An object is under reset from the beginning of the *init* phase to the end of
+-    void *v;
--the *exit* phase. During all three phases, the function will return that the
--object is in reset.
+     /* Small bootloader */
-+An object is under reset from the beginning of the *enter* phase (before
+     p = (uint32_t *)base;
-+either its children or its own enter method is called) to the *exit*
+@@ -XXX,XX +XXX,XX @@ static void write_bootloader(uint8_t *base, uint64_t run_addr,
-+phase. During *enter* and *hold* phase only, the function will return that the
+      *
-+object is in reset. The state is changed after the *exit* is propagated to
+      */
-+its children and just before calling the object's own *exit* method.
+-    v = p;
- This function may be used if the object behavior has to be adapted
+-    bl_setup_gt64120_jump_kernel(&v, run_addr, kernel_entry);
- while in reset state. For example if a device has an irq input,
+-    p = v;
-diff --git a/hw/core/resettable.c b/hw/core/resettable.c
++    bl_setup_gt64120_jump_kernel((void **)&p, run_addr, kernel_entry);
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/resettable.c
+     /* YAMON subroutines */
-+++ b/hw/core/resettable.c
+     p = (uint32_t *) (base + 0x800);
@@ -XXX,XX +XXX,XX @@ static void resettable_phase_exit(Object *obj, void *opaque, ResetType type)
      resettable_child_foreach(rc, obj, resettable_phase_exit, NULL, type);
      assert(s->count > 0);
 -    if (s->count == 1) {
 +    if (--s->count == 0) {
          trace_resettable_phase_exit_exec(obj, obj_typename, !!rc->phases.exit);
          if (rc->phases.exit && !resettable_get_tr_func(rc, obj)) {
              rc->phases.exit(obj);
          }
 -        s->count = 0;
      }
      s->exit_phase_in_progress = false;
      trace_resettable_phase_exit_end(obj, obj_typename, s->count);
 --
-.25.1
+.34.1

-[PULL 06/30] target/imx: reload cmp timer outside of the reload ptimer transaction
+Deleted patch
-From: Axel Heider <axel.heider@hensoldt.net>
-When running seL4 tests (https://docs.sel4.systems/projects/sel4test)
-on the sabrelight platform, the timer tests fail. The arm/imx6 EPIT
-timer interrupt does not fire properly, instead of a e.g. second in
-can take up to a minute to finally see the interrupt.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1263
-Signed-off-by: Axel Heider <axel.heider@hensoldt.net>
-Message-id: 166663118138.13362.1229967229046092876-0@git.sr.ht
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/imx_epit.c | 9 +++++++--
-file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/imx_epit.c
-+++ b/hw/timer/imx_epit.c
-@@ -XXX,XX +XXX,XX @@ static void imx_epit_write(void *opaque, hwaddr offset, uint64_t value,
-             /* If IOVW bit is set then set the timer value */
-             ptimer_set_count(s->timer_reload, s->lr);
-         }
--
-+        /*
-+         * Commit the change to s->timer_reload, so it can propagate. Otherwise
-+         * the timer interrupt may not fire properly. The commit must happen
-+         * before calling imx_epit_reload_compare_timer(), which reads
-+         * s->timer_reload internally again.
-+         */
-+        ptimer_transaction_commit(s->timer_reload);
-         imx_epit_reload_compare_timer(s);
-         ptimer_transaction_commit(s->timer_cmp);
--        ptimer_transaction_commit(s->timer_reload);
-         break;
-     case 3: /* CMP */
---
-.25.1

-[PULL 30/30] rx: re-randomize rng-seed on reboot
+[PULL 09/12] target/arm: Select SEMIHOSTING when using TCG
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+From: Fabiano Rosas <farosas@suse.de>
-When the system reboots, the rng-seed that the FDT has should be
+Semihosting has been made a 'default y' entry in Kconfig, which does
-re-randomized, so that the new boot gets a new seed. Since the FDT is in
+not work because when building --without-default-devices, the
-the ROM region at this point, we add a hook right after the ROM has been
+semihosting code would not be available.
 added, so that we have a pointer to that copy of the FDT.
-Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Make semihosting unconditional when TCG is present.
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-12-Jason@zx2c4.com
+Fixes: 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a KVM-only build")
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Fabiano Rosas <farosas@suse.de>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230508181611.2621-2-farosas@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/rx/rx-gdbsim.c | 3 +++
+ target/arm/Kconfig | 8 +-------
-file changed, 3 insertions(+)
+file changed, 1 insertion(+), 7 deletions(-)
-diff --git a/hw/rx/rx-gdbsim.c b/hw/rx/rx-gdbsim.c
+diff --git a/target/arm/Kconfig b/target/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
---- a/hw/rx/rx-gdbsim.c
+--- a/target/arm/Kconfig
-+++ b/hw/rx/rx-gdbsim.c
++++ b/target/arm/Kconfig
 @@ -XXX,XX +XXX,XX @@
- #include "hw/rx/rx62n.h"
+ config ARM
- #include "sysemu/qtest.h"
+     bool
- #include "sysemu/device_tree.h"
++    select ARM_COMPATIBLE_SEMIHOSTING if TCG
-+#include "sysemu/reset.h"
- #include "hw/boards.h"
+ config AARCH64
- #include "qom/object.h"
+     bool
+     select ARM
-@@ -XXX,XX +XXX,XX @@ static void rx_gdbsim_init(MachineState *machine)
+-
-             dtb_offset = ROUND_DOWN(machine->ram_size - dtb_size, 16);
+-# This config exists just so we can make SEMIHOSTING default when TCG
-             rom_add_blob_fixed("dtb", dtb, dtb_size,
+-# is selected without also changing it for other architectures.
-                                SDRAM_BASE + dtb_offset);
+-config ARM_SEMIHOSTING
-+            qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+-    bool
-+                                rom_ptr(SDRAM_BASE + dtb_offset, dtb_size));
+-    default y if TCG && ARM
-             /* Set dtb address to R1 */
+-    select ARM_COMPATIBLE_SEMIHOSTING
              RX_CPU(first_cpu)->env.regs[1] = SDRAM_BASE + dtb_offset;
          }
 --
-.25.1
+.34.1

-[PULL 29/30] openrisc: re-randomize rng-seed on reboot
+[PULL 10/12] target/arm: Select CONFIG_ARM_V7M when TCG is enabled
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+From: Fabiano Rosas <farosas@suse.de>
-When the system reboots, the rng-seed that the FDT has should be
+We cannot allow this config to be disabled at the moment as not all of
-re-randomized, so that the new boot gets a new seed. Since the FDT is in
+the relevant code is protected by it.
 the ROM region at this point, we add a hook right after the ROM has been
 added, so that we have a pointer to that copy of the FDT.
-Cc: Stafford Horne <shorne@gmail.com>
+Commit 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+KVM-only build") moved the CONFIGs of several boards to Kconfig, so it
-Message-id: 20221025004327.568476-11-Jason@zx2c4.com
+is now possible that nothing selects ARM_V7M (e.g. when doing a
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+--without-default-devices build).
 Return the CONFIG_ARM_V7M entry to a state where it is always selected
 whenever TCG is available.
 Fixes: 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a KVM-only build")
 Signed-off-by: Fabiano Rosas <farosas@suse.de>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230508181611.2621-3-farosas@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/openrisc/boot.c | 3 +++
+ target/arm/Kconfig | 1 +
-file changed, 3 insertions(+)
+file changed, 1 insertion(+)
-diff --git a/hw/openrisc/boot.c b/hw/openrisc/boot.c
+diff --git a/target/arm/Kconfig b/target/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
---- a/hw/openrisc/boot.c
+--- a/target/arm/Kconfig
-+++ b/hw/openrisc/boot.c
++++ b/target/arm/Kconfig
 @@ -XXX,XX +XXX,XX @@
- #include "hw/openrisc/boot.h"
+ config ARM
- #include "sysemu/device_tree.h"
+     bool
- #include "sysemu/qtest.h"
+     select ARM_COMPATIBLE_SEMIHOSTING if TCG
-+#include "sysemu/reset.h"
++    select ARM_V7M if TCG
- #include <libfdt.h>
+ config AARCH64
+     bool
@@ -XXX,XX +XXX,XX @@ uint32_t openrisc_load_fdt(void *fdt, hwaddr load_start,
      rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
                            &address_space_memory);
 +    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
 +                        rom_ptr_for_as(&address_space_memory, fdt_addr, fdtsize));
      return fdt_addr;
  }
 --
-.25.1
+.34.1

-[PULL 13/30] target/arm: Remove loop from get_phys_addr_lpae
+[PULL 11/12] tests/qtest: Don't run cdrom boot tests if no accelerator is present
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Fabiano Rosas <farosas@suse.de>
-The unconditional loop was used both to iterate over levels
+On a build configured with: --disable-tcg --enable-xen it is possible
-and to control parsing of attributes.  Use an explicit goto
+to produce a QEMU binary with no TCG nor KVM support. Skip the cdrom
-in both cases.
+boot tests if that's the case.
-While this appears less clean for iterating over levels, we
+Fixes: 0c1ae3ff9d ("tests/qtest: Fix tests when no KVM or TCG are present")
-will need to jump back into the middle of this loop for
+Signed-off-by: Fabiano Rosas <farosas@suse.de>
-atomic updates, which is even uglier.
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-id: 20230508181611.2621-4-farosas@suse.de
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20221024051851.3074715-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/ptw.c | 192 +++++++++++++++++++++++------------------------
+ tests/qtest/cdrom-test.c | 10 ++++++++++
-file changed, 96 insertions(+), 96 deletions(-)
+file changed, 10 insertions(+)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+diff --git a/tests/qtest/cdrom-test.c b/tests/qtest/cdrom-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
+--- a/tests/qtest/cdrom-test.c
-+++ b/target/arm/ptw.c
++++ b/tests/qtest/cdrom-test.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+@@ -XXX,XX +XXX,XX @@ static void test_cdboot(gconstpointer data)
-     uint64_t descaddrmask;
-     bool aarch64 = arm_el_is_aa64(env, el);
+ static void add_x86_tests(void)
-     bool guarded = false;
+ {
-+    uint64_t descriptor;
++    if (!qtest_has_accel("tcg") && !qtest_has_accel("kvm")) {
-+    bool nstable;
++        g_test_skip("No KVM or TCG accelerator available, skipping boot tests");
++        return;
      /* TODO: This code does not support shareability levels. */
      if (aarch64) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
       * bits at each step.
       */
      tableattrs = is_secure ? 0 : (1 << 4);
 -    for (;;) {
 -        uint64_t descriptor;
 -        bool nstable;
 -
 -        descaddr |= (address >> (stride * (4 - level))) & indexmask;
 -        descaddr &= ~7ULL;
 -        nstable = extract32(tableattrs, 4, 1);
 -        if (!nstable) {
 -            /*
 -             * Stage2_S -> Stage2 or Phys_S -> Phys_NS
 -             * Assert that the non-secure idx are even, and relative order.
 -             */
 -            QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
 -            QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
 -            QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
 -            QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
 -            ptw->in_ptw_idx &= ~1;
 -            ptw->in_secure = false;
 -        }
 -        if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
 -            goto do_fault;
 -        }
 -        descriptor = arm_ldq_ptw(env, ptw, fi);
 -        if (fi->type != ARMFault_None) {
 -            goto do_fault;
 -        }
 -
 -        if (!(descriptor & 1) ||
 -            (!(descriptor & 2) && (level == 3))) {
 -            /* Invalid, or the Reserved level 3 encoding */
 -            goto do_fault;
 -        }
 -
 -        descaddr = descriptor & descaddrmask;
 + next_level:
 +    descaddr |= (address >> (stride * (4 - level))) & indexmask;
 +    descaddr &= ~7ULL;
 +    nstable = extract32(tableattrs, 4, 1);
 +    if (!nstable) {
          /*
 -         * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
 -         * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
 -         * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
 -         * raise AddressSizeFault.
 +         * Stage2_S -> Stage2 or Phys_S -> Phys_NS
 +         * Assert that the non-secure idx are even, and relative order.
           */
 -        if (outputsize > 48) {
 -            if (param.ds) {
 -                descaddr |= extract64(descriptor, 8, 2) << 50;
 -            } else {
 -                descaddr |= extract64(descriptor, 12, 4) << 48;
 -            }
 -        } else if (descaddr >> outputsize) {
 -            fault_type = ARMFault_AddressSize;
 -            goto do_fault;
 -        }
 -
 -        if ((descriptor & 2) && (level < 3)) {
 -            /*
 -             * Table entry. The top five bits are attributes which may
 -             * propagate down through lower levels of the table (and
 -             * which are all arranged so that 0 means "no effect", so
 -             * we can gather them up by ORing in the bits at each level).
 -             */
 -            tableattrs |= extract64(descriptor, 59, 5);
 -            level++;
 -            indexmask = indexmask_grainsize;
 -            continue;
 -        }
 -        /*
 -         * Block entry at level 1 or 2, or page entry at level 3.
 -         * These are basically the same thing, although the number
 -         * of bits we pull in from the vaddr varies. Note that although
 -         * descaddrmask masks enough of the low bits of the descriptor
 -         * to give a correct page or table address, the address field
 -         * in a block descriptor is smaller; so we need to explicitly
 -         * clear the lower bits here before ORing in the low vaddr bits.
 -         */
 -        page_size = (1ULL << ((stride * (4 - level)) + 3));
 -        descaddr &= ~(hwaddr)(page_size - 1);
 -        descaddr |= (address & (page_size - 1));
 -        /* Extract attributes from the descriptor */
 -        attrs = extract64(descriptor, 2, 10)
 -            | (extract64(descriptor, 52, 12) << 10);
 -
 -        if (regime_is_stage2(mmu_idx)) {
 -            /* Stage 2 table descriptors do not include any attribute fields */
 -            break;
 -        }
 -        /* Merge in attributes from table descriptors */
 -        attrs |= nstable << 3; /* NS */
 -        guarded = extract64(descriptor, 50, 1);  /* GP */
 -        if (param.hpd) {
 -            /* HPD disables all the table attributes except NSTable.  */
 -            break;
 -        }
 -        attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
 -        /*
 -         * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
 -         * means "force PL1 access only", which means forcing AP[1] to 0.
 -         */
 -        attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
 -        attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
 -        break;
 +        QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
 +        QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
 +        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
 +        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
 +        ptw->in_ptw_idx &= ~1;
 +        ptw->in_secure = false;
      }
 +    if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
 +        goto do_fault;
 +    }
 +    descriptor = arm_ldq_ptw(env, ptw, fi);
 +    if (fi->type != ARMFault_None) {
 +        goto do_fault;
 +    }
 +
-+    if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
+     qtest_add_data_func("cdrom/boot/default", "-cdrom ", test_cdboot);
-+        /* Invalid, or the Reserved level 3 encoding */
+     qtest_add_data_func("cdrom/boot/virtio-scsi",
-+        goto do_fault;
+                         "-device virtio-scsi -device scsi-cd,drive=cdr "
@@ -XXX,XX +XXX,XX @@ static void add_x86_tests(void)
  static void add_s390x_tests(void)
  {
 +    if (!qtest_has_accel("tcg") && !qtest_has_accel("kvm")) {
 +        g_test_skip("No KVM or TCG accelerator available, skipping boot tests");
 +        return;
 +    }
 +
-+    descaddr = descriptor & descaddrmask;
+     qtest_add_data_func("cdrom/boot/default", "-cdrom ", test_cdboot);
-+
+     qtest_add_data_func("cdrom/boot/virtio-scsi",
-+    /*
+                         "-device virtio-scsi -device scsi-cd,drive=cdr "
 +     * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
 +     * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
 +     * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
 +     * raise AddressSizeFault.
 +     */
 +    if (outputsize > 48) {
 +        if (param.ds) {
 +            descaddr |= extract64(descriptor, 8, 2) << 50;
 +        } else {
 +            descaddr |= extract64(descriptor, 12, 4) << 48;
 +        }
 +    } else if (descaddr >> outputsize) {
 +        fault_type = ARMFault_AddressSize;
 +        goto do_fault;
 +    }
 +
 +    if ((descriptor & 2) && (level < 3)) {
 +        /*
 +         * Table entry. The top five bits are attributes which may
 +         * propagate down through lower levels of the table (and
 +         * which are all arranged so that 0 means "no effect", so
 +         * we can gather them up by ORing in the bits at each level).
 +         */
 +        tableattrs |= extract64(descriptor, 59, 5);
 +        level++;
 +        indexmask = indexmask_grainsize;
 +        goto next_level;
 +    }
 +
 +    /*
 +     * Block entry at level 1 or 2, or page entry at level 3.
 +     * These are basically the same thing, although the number
 +     * of bits we pull in from the vaddr varies. Note that although
 +     * descaddrmask masks enough of the low bits of the descriptor
 +     * to give a correct page or table address, the address field
 +     * in a block descriptor is smaller; so we need to explicitly
 +     * clear the lower bits here before ORing in the low vaddr bits.
 +     */
 +    page_size = (1ULL << ((stride * (4 - level)) + 3));
 +    descaddr &= ~(hwaddr)(page_size - 1);
 +    descaddr |= (address & (page_size - 1));
 +    /* Extract attributes from the descriptor */
 +    attrs = extract64(descriptor, 2, 10)
 +        | (extract64(descriptor, 52, 12) << 10);
 +
 +    if (regime_is_stage2(mmu_idx)) {
 +        /* Stage 2 table descriptors do not include any attribute fields */
 +        goto skip_attrs;
 +    }
 +    /* Merge in attributes from table descriptors */
 +    attrs |= nstable << 3; /* NS */
 +    guarded = extract64(descriptor, 50, 1);  /* GP */
 +    if (param.hpd) {
 +        /* HPD disables all the table attributes except NSTable.  */
 +        goto skip_attrs;
 +    }
 +    attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
 +    /*
 +     * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
 +     * means "force PL1 access only", which means forcing AP[1] to 0.
 +     */
 +    attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
 +    attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
 + skip_attrs:
 +
      /*
       * Here descaddr is the final physical address, and attributes
       * are all in attrs.
 --
-.25.1
+.34.1

-[PULL 07/30] target/arm: Introduce regime_is_stage2
+[PULL 12/12] target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check
-From: Richard Henderson <richard.henderson@linaro.org>
+In check_s2_mmu_setup() we have a check that is attempting to
 implement the part of AArch64.S2MinTxSZ that is specific to when EL1
 is AArch32:
-Reduce the amount of typing required for this check.
+    if !s1aarch64 then
         // EL1 is AArch32
         min_txsz = Min(min_txsz, 24);
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Unfortunately we got this wrong in two ways:
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+(1) The minimum txsz corresponds to a maximum inputsize, but we got
-Message-id: 20221024051851.3074715-2-richard.henderson@linaro.org
+the sense of the comparison wrong and were faulting for all
 inputsizes less than 40 bits
 (2) We try to implement this as an extra check that happens after
 we've done the same txsz checks we would do for an AArch64 EL1, but
 in fact the pseudocode is *loosening* the requirements, so that txsz
 values that would fault for an AArch64 EL1 do not fault for AArch32
 EL1, because it does Min(old_min, 24), not Max(old_min, 24).
 You can see this also in the text of the Arm ARM in table D8-8, which
 shows that where the implemented PA size is less than 40 bits an
 AArch32 EL1 is still OK with a configured stage2 T0SZ for a 40 bit
 IPA, whereas if EL1 is AArch64 then the T0SZ must be big enough to
 constrain the IPA to the implemented PA size.
 Because of part (2), we can't do this as a separate check, but
 have to integrate it into aa64_va_parameters(). Add a new argument
 to that function to indicate that EL1 is 32-bit. All the existing
 callsites except the one in get_phys_addr_lpae() can pass 'false',
 because they are either doing a lookup for a stage 1 regime or
 else they don't care about the tsz/tsz_oob fields.
 Cc: qemu-stable@nongnu.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1627
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230509092059.3176487-1-peter.maydell@linaro.org
 ---
- target/arm/internals.h |  5 +++++
+ target/arm/internals.h        | 12 +++++++++++-
- target/arm/helper.c    | 14 +++++---------
+ target/arm/gdbstub64.c        |  2 +-
- target/arm/ptw.c       | 14 ++++++--------
+ target/arm/helper.c           | 15 +++++++++++++--
-files changed, 16 insertions(+), 17 deletions(-)
+ target/arm/ptw.c              | 14 ++------------
  target/arm/tcg/pauth_helper.c |  6 +++---
 files changed, 30 insertions(+), 19 deletions(-)
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
-     }
+     ARMGranuleSize gran : 2;
- }
+ } ARMVAParameters;
-+static inline bool regime_is_stage2(ARMMMUIdx mmu_idx)
++/**
-+{
++ * aa64_va_parameters: Return parameters for an AArch64 virtual address
-+    return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
++ * @env: CPU
-+}
++ * @va: virtual address to look up
-+
++ * @mmu_idx: determines translation regime to use
- /* Return the exception level which controls this address translation regime */
++ * @data: true if this is a data access
- static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
++ * @el1_is_aa32: true if we are asking about stage 2 when EL1 is AArch32
- {
++ *  (ignored if @mmu_idx is for a stage 1 regime; only affects tsz/tsz_oob)
 + */
  ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 -                                   ARMMMUIdx mmu_idx, bool data);
 +                                   ARMMMUIdx mmu_idx, bool data,
 +                                   bool el1_is_aa32);
  int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx);
  int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx);
 diff --git a/target/arm/gdbstub64.c b/target/arm/gdbstub64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/gdbstub64.c
 +++ b/target/arm/gdbstub64.c
@@ -XXX,XX +XXX,XX @@ int aarch64_gdb_get_pauth_reg(CPUARMState *env, GByteArray *buf, int reg)
              ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
              ARMVAParameters param;
 -            param = aa64_va_parameters(env, -is_high, mmu_idx, is_data);
 +            param = aa64_va_parameters(env, -is_high, mmu_idx, is_data, false);
              return gdb_get_reg64(buf, pauth_ptr_mask(param));
          }
      default:
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
      unsigned int page_size_granule, page_shift, num, scale, exponent;
      /* Extract one bit to represent the va selector in use. */
      uint64_t select = sextract64(value, 36, 1);
 -    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
 +    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true, false);
      TLBIRange ret = { };
      ARMGranuleSize gran;
@@ -XXX,XX +XXX,XX @@ static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran,
  }
  ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
 -                                   ARMMMUIdx mmu_idx, bool data)
 +                                   ARMMMUIdx mmu_idx, bool data,
 +                                   bool el1_is_aa32)
  {
-     if (regime_has_2_ranges(mmu_idx)) {
+     uint64_t tcr = regime_tcr(env, mmu_idx);
-         return extract64(tcr, 37, 2);
+     bool epd, hpd, tsz_oob, ds, ha, hd;
 -    } else if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
 +    } else if (regime_is_stage2(mmu_idx)) {
          return 0; /* VTCR_EL2 */
      } else {
          /* Replicate the single TBI bit so we always have 2 bits.  */
@@ -XXX,XX +XXX,XX @@ int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
  {
      if (regime_has_2_ranges(mmu_idx)) {
          return extract64(tcr, 51, 2);
 -    } else if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
 +    } else if (regime_is_stage2(mmu_idx)) {
          return 0; /* VTCR_EL2 */
      } else {
          /* Replicate the single TBID bit so we always have 2 bits.  */
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
      int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
      ARMGranuleSize gran;
      ARMCPU *cpu = env_archcpu(env);
 -    bool stage2 = mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
 +    bool stage2 = regime_is_stage2(mmu_idx);
      if (!regime_has_2_ranges(mmu_idx)) {
          select = 0;
 @@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
          }
-         ds = false;
+     }
-     } else if (ds) {
--        switch (mmu_idx) {
++    if (stage2 && el1_is_aa32) {
--        case ARMMMUIdx_Stage2:
++        /*
--        case ARMMMUIdx_Stage2_S:
++         * For AArch32 EL1 the min txsz (and thus max IPA size) requirements
-+        if (regime_is_stage2(mmu_idx)) {
++         * are loosened: a configured IPA of 40 bits is permitted even if
-             if (gran == Gran16K) {
++         * the implemented PA is less than that (and so a 40 bit IPA would
-                 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
++         * fault for an AArch64 EL1). See R_DTLMN.
-             } else {
++         */
-                 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
++        min_tsz = MIN(min_tsz, 24);
-             }
++    }
--            break;
++
--        default:
+     if (tsz > max_tsz) {
-+        } else {
+         tsz = max_tsz;
-             if (gran == Gran16K) {
+         tsz_oob = true;
                  ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
              } else {
                  ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
              }
 -            break;
          }
          if (ds) {
              min_tsz = 12;
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
+@@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr,
-     bool have_wxn;
-     int wxn = 0;
+     sl0 = extract32(tcr, 6, 2);
+     if (is_aa64) {
--    assert(mmu_idx != ARMMMUIdx_Stage2);
+-        /*
--    assert(mmu_idx != ARMMMUIdx_Stage2_S);
+-         * AArch64.S2InvalidTxSZ: While we checked tsz_oob near the top of
-+    assert(!regime_is_stage2(mmu_idx));
+-         * get_phys_addr_lpae, that used aa64_va_parameters which apply
+-         * to aarch64.  If Stage1 is aarch32, the min_txsz is larger.
-     user_rw = simple_ap_to_rw_prot_is_user(ap, true);
+-         * See AArch64.S2MinTxSZ, where min_tsz is 24, translated to
-     if (is_user) {
+-         * inputsize is 64 - 24 = 40.
 -         */
 -        if (iasize < 40 && !arm_el_is_aa64(&cpu->env, 1)) {
 -            goto fail;
 -        }
 -
          /*
           * AArch64.S2InvalidSL: Interpretation of SL depends on the page size,
           * so interleave AArch64.S2StartLevel.
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         goto do_fault;
+         int ps;
-     }
+         param = aa64_va_parameters(env, address, mmu_idx,
--    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
+-                                   access_type != MMU_INST_FETCH);
-+    if (!regime_is_stage2(mmu_idx)) {
++                                   access_type != MMU_INST_FETCH,
 +                                   !arm_el_is_aa64(env, 1));
          level = 0;
          /*
-          * The starting level depends on the virtual address size (which can
+diff --git a/target/arm/tcg/pauth_helper.c b/target/arm/tcg/pauth_helper.c
-          * be up to 48 bits) and the translation granule size. It indicates
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+--- a/target/arm/tcg/pauth_helper.c
-         attrs = extract64(descriptor, 2, 10)
++++ b/target/arm/tcg/pauth_helper.c
-             | (extract64(descriptor, 52, 12) << 10);
+@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
+                              ARMPACKey *key, bool data)
--        if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+ {
-+        if (regime_is_stage2(mmu_idx)) {
+     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-             /* Stage 2 table descriptors do not include any attribute fields */
+-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
-             break;
++    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
-         }
+     uint64_t pac, ext_ptr, ext, test;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     int bot_bit, top_bit;
-     ap = extract32(attrs, 4, 2);
+@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_auth(CPUARMState *env, uint64_t ptr, uint64_t modifier,
+                            ARMPACKey *key, bool data, int keynumber)
--    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+ {
-+    if (regime_is_stage2(mmu_idx)) {
+     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-         ns = mmu_idx == ARMMMUIdx_Stage2;
+-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
-         xn = extract32(attrs, 11, 2);
++    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
-         result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
+     int bot_bit, top_bit;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     uint64_t pac, orig_ptr, test;
-         result->f.guarded = guarded;
-     }
+@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_auth(CPUARMState *env, uint64_t ptr, uint64_t modifier,
+ static uint64_t pauth_strip(CPUARMState *env, uint64_t ptr, bool data)
--    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+ {
-+    if (regime_is_stage2(mmu_idx)) {
+     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-         result->cacheattrs.is_s2_format = true;
+-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
-         result->cacheattrs.attrs = extract32(attrs, 0, 4);
++    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
-     } else {
-@@ -XXX,XX +XXX,XX @@ do_fault:
+     return pauth_original_ptr(ptr, param);
      fi->type = fault_type;
      fi->level = level;
      /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
 -    fi->stage2 = fi->s1ptw || (mmu_idx == ARMMMUIdx_Stage2 ||
 -                               mmu_idx == ARMMMUIdx_Stage2_S);
 +    fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
      fi->s1ns = mmu_idx == ARMMMUIdx_Stage2;
      return true;
  }
 --
-.25.1
+.34.1

-[PULL 09/30] target/arm: Add isar predicates for FEAT_HAFDBS
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-The MMFR1 field may indicate support for hardware update of
-access flag alone, or access flag and dirty bit.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20221024051851.3074715-4-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h | 10 ++++++++++
-file changed, 10 insertions(+)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_e0pd(const ARMISARegisters *id)
-     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, E0PD) != 0;
- }
-+static inline bool isar_feature_aa64_hafs(const ARMISARegisters *id)
-+{
-+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, HAFDBS) != 0;
-+}
-+
-+static inline bool isar_feature_aa64_hdbs(const ARMISARegisters *id)
-+{
-+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, HAFDBS) >= 2;
-+}
-+
- static inline bool isar_feature_aa64_tts2uxn(const ARMISARegisters *id)
- {
-     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, XNX) != 0;
---
-.25.1

-[PULL 11/30] target/arm: Move S1_ptw_translate outside arm_ld[lq]_ptw
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Separate S1 translation from the actual lookup.
-Will enable lpae hardware updates.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20221024051851.3074715-6-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/ptw.c | 41 ++++++++++++++++++++++-------------------
-file changed, 22 insertions(+), 19 deletions(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
- }
- /* All loads done in the course of a page table walk go through here. */
--static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
-+static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
-                             ARMMMUFaultInfo *fi)
- {
-     CPUState *cs = env_cpu(env);
-     uint32_t data;
--    if (!S1_ptw_translate(env, ptw, addr, fi)) {
--        /* Failure. */
--        assert(fi->s1ptw);
--        return 0;
--    }
--
-     if (likely(ptw->out_host)) {
-         /* Page tables are in RAM, and we have the host address. */
-         if (ptw->out_be) {
-@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
-     return data;
- }
--static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
-+static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
-                             ARMMMUFaultInfo *fi)
- {
-     CPUState *cs = env_cpu(env);
-     uint64_t data;
--    if (!S1_ptw_translate(env, ptw, addr, fi)) {
--        /* Failure. */
--        assert(fi->s1ptw);
--        return 0;
--    }
--
-     if (likely(ptw->out_host)) {
-         /* Page tables are in RAM, and we have the host address. */
-         if (ptw->out_be) {
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
-         fi->type = ARMFault_Translation;
-         goto do_fault;
-     }
--    desc = arm_ldl_ptw(env, ptw, table, fi);
-+    if (!S1_ptw_translate(env, ptw, table, fi)) {
-+        goto do_fault;
-+    }
-+    desc = arm_ldl_ptw(env, ptw, fi);
-     if (fi->type != ARMFault_None) {
-         goto do_fault;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
-             /* Fine pagetable.  */
-             table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
-         }
--        desc = arm_ldl_ptw(env, ptw, table, fi);
-+        if (!S1_ptw_translate(env, ptw, table, fi)) {
-+            goto do_fault;
-+        }
-+        desc = arm_ldl_ptw(env, ptw, fi);
-         if (fi->type != ARMFault_None) {
-             goto do_fault;
-         }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
-         fi->type = ARMFault_Translation;
-         goto do_fault;
-     }
--    desc = arm_ldl_ptw(env, ptw, table, fi);
-+    if (!S1_ptw_translate(env, ptw, table, fi)) {
-+        goto do_fault;
-+    }
-+    desc = arm_ldl_ptw(env, ptw, fi);
-     if (fi->type != ARMFault_None) {
-         goto do_fault;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
-         ns = extract32(desc, 3, 1);
-         /* Lookup l2 entry.  */
-         table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
--        desc = arm_ldl_ptw(env, ptw, table, fi);
-+        if (!S1_ptw_translate(env, ptw, table, fi)) {
-+            goto do_fault;
-+        }
-+        desc = arm_ldl_ptw(env, ptw, fi);
-         if (fi->type != ARMFault_None) {
-             goto do_fault;
-         }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-             ptw->in_ptw_idx &= ~1;
-             ptw->in_secure = false;
-         }
--        descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
-+        if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
-+            goto do_fault;
-+        }
-+        descriptor = arm_ldq_ptw(env, ptw, fi);
-         if (fi->type != ARMFault_None) {
-             goto do_fault;
-         }
---
-.25.1

-[PULL 15/30] target/arm: Don't shift attrs in get_phys_addr_lpae
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Leave the upper and lower attributes in the place they originate
-from in the descriptor.  Shifting them around is confusing, since
-one cannot read the bit numbers out of the manual.  Also, new
-attributes have been added which would alter the shifts.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20221024051851.3074715-10-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/ptw.c | 31 +++++++++++++++----------------
-file changed, 15 insertions(+), 16 deletions(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     hwaddr descaddr, indexmask, indexmask_grainsize;
-     uint32_t tableattrs;
-     target_ulong page_size;
--    uint32_t attrs;
-+    uint64_t attrs;
-     int32_t stride;
-     int addrsize, inputsize, outputsize;
-     uint64_t tcr = regime_tcr(env, mmu_idx);
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     descaddr &= ~(hwaddr)(page_size - 1);
-     descaddr |= (address & (page_size - 1));
-     /* Extract attributes from the descriptor */
--    attrs = extract64(descriptor, 2, 10)
--        | (extract64(descriptor, 52, 12) << 10);
-+    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(52, 12));
-     if (regime_is_stage2(mmu_idx)) {
-         /* Stage 2 table descriptors do not include any attribute fields */
-         goto skip_attrs;
-     }
-     /* Merge in attributes from table descriptors */
--    attrs |= nstable << 3; /* NS */
-+    attrs |= nstable << 5; /* NS */
-     guarded = extract64(descriptor, 50, 1);  /* GP */
-     if (param.hpd) {
-         /* HPD disables all the table attributes except NSTable.  */
-         goto skip_attrs;
-     }
--    attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
-+    attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
-     /*
-      * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
-      * means "force PL1 access only", which means forcing AP[1] to 0.
-      */
--    attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
--    attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
-+    attrs &= ~(extract64(tableattrs, 2, 1) << 6);   /* !APT[0] => AP[1] */
-+    attrs |= extract32(tableattrs, 3, 1) << 7;      /* APT[1] => AP[2] */
-  skip_attrs:
-     /*
-      * Here descaddr is the final physical address, and attributes
-      * are all in attrs.
-      */
--    if ((attrs & (1 << 8)) == 0) {
-+    if ((attrs & (1 << 10)) == 0) {
-         /* Access flag */
-         fi->type = ARMFault_AccessFlag;
-         goto do_fault;
-     }
--    ap = extract32(attrs, 4, 2);
-+    ap = extract32(attrs, 6, 2);
-     if (regime_is_stage2(mmu_idx)) {
-         ns = mmu_idx == ARMMMUIdx_Stage2;
--        xn = extract32(attrs, 11, 2);
-+        xn = extract64(attrs, 53, 2);
-         result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
-     } else {
--        ns = extract32(attrs, 3, 1);
--        xn = extract32(attrs, 12, 1);
--        pxn = extract32(attrs, 11, 1);
-+        ns = extract32(attrs, 5, 1);
-+        xn = extract64(attrs, 54, 1);
-+        pxn = extract64(attrs, 53, 1);
-         result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
-     }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     if (regime_is_stage2(mmu_idx)) {
-         result->cacheattrs.is_s2_format = true;
--        result->cacheattrs.attrs = extract32(attrs, 0, 4);
-+        result->cacheattrs.attrs = extract32(attrs, 2, 4);
-     } else {
-         /* Index into MAIR registers for cache attributes */
--        uint8_t attrindx = extract32(attrs, 0, 3);
-+        uint8_t attrindx = extract32(attrs, 2, 3);
-         uint64_t mair = env->cp15.mair_el[regime_el(env, mmu_idx)];
-         assert(attrindx <= 7);
-         result->cacheattrs.is_s2_format = false;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     if (param.ds) {
-         result->cacheattrs.shareability = param.sh;
-     } else {
--        result->cacheattrs.shareability = extract32(attrs, 6, 2);
-+        result->cacheattrs.shareability = extract32(attrs, 8, 2);
-     }
-     result->f.phys_addr = descaddr;
---
-.25.1

-[PULL 16/30] target/arm: Consider GP an attribute in get_phys_addr_lpae
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Both GP and DBM are in the upper attribute block.
-Extend the computation of attrs to include them,
-then simplify the setting of guarded.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20221024051851.3074715-11-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/ptw.c | 6 ++----
-file changed, 2 insertions(+), 4 deletions(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     uint32_t el = regime_el(env, mmu_idx);
-     uint64_t descaddrmask;
-     bool aarch64 = arm_el_is_aa64(env, el);
--    bool guarded = false;
-     uint64_t descriptor;
-     bool nstable;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     descaddr &= ~(hwaddr)(page_size - 1);
-     descaddr |= (address & (page_size - 1));
-     /* Extract attributes from the descriptor */
--    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(52, 12));
-+    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
-     if (regime_is_stage2(mmu_idx)) {
-         /* Stage 2 table descriptors do not include any attribute fields */
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     }
-     /* Merge in attributes from table descriptors */
-     attrs |= nstable << 5; /* NS */
--    guarded = extract64(descriptor, 50, 1);  /* GP */
-     if (param.hpd) {
-         /* HPD disables all the table attributes except NSTable.  */
-         goto skip_attrs;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
-     if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
--        result->f.guarded = guarded;
-+        result->f.guarded = extract64(attrs, 50, 1); /* GP */
-     }
-     if (regime_is_stage2(mmu_idx)) {
---
-.25.1

-[PULL 18/30] target/arm: Implement FEAT_HAFDBS, access flag portion
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Perform the atomic update for hardware management of the access flag.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20221024051851.3074715-13-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- docs/system/arm/emulation.rst |   1 +
- target/arm/cpu64.c            |   1 +
- target/arm/ptw.c              | 176 +++++++++++++++++++++++++++++-----
-files changed, 156 insertions(+), 22 deletions(-)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_FlagM (Flag manipulation instructions v2)
- - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
- - FEAT_GTG (Guest translation granule size)
-+- FEAT_HAFDBS (Hardware management of the access flag and dirty bit state)
- - FEAT_HCX (Support for the HCRX_EL2 register)
- - FEAT_HPDS (Hierarchical permission disables)
- - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     cpu->isar.id_aa64mmfr0 = t;
-     t = cpu->isar.id_aa64mmfr1;
-+    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 1);   /* FEAT_HAFDBS, AF only */
-     t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
-     t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
-     t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-     bool in_secure;
-     bool in_debug;
-     bool out_secure;
-+    bool out_rw;
-     bool out_be;
-+    hwaddr out_virt;
-     hwaddr out_phys;
-     void *out_host;
- } S1Translate;
-@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-     uint8_t pte_attrs;
-     bool pte_secure;
-+    ptw->out_virt = addr;
-+
-     if (unlikely(ptw->in_debug)) {
-         /*
-          * From gdbstub, do not use softmmu so that we don't modify the
-@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-             pte_secure = is_secure;
-         }
-         ptw->out_host = NULL;
-+        ptw->out_rw = false;
-     } else {
-         CPUTLBEntryFull *full;
-         int flags;
-@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-             goto fail;
-         }
-         ptw->out_phys = full->phys_addr;
-+        ptw->out_rw = full->prot & PROT_WRITE;
-         pte_attrs = full->pte_attrs;
-         pte_secure = full->attrs.secure;
-     }
-@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
-                             ARMMMUFaultInfo *fi)
- {
-     CPUState *cs = env_cpu(env);
-+    void *host = ptw->out_host;
-     uint32_t data;
--    if (likely(ptw->out_host)) {
-+    if (likely(host)) {
-         /* Page tables are in RAM, and we have the host address. */
-+        data = qatomic_read((uint32_t *)host);
-         if (ptw->out_be) {
--            data = ldl_be_p(ptw->out_host);
-+            data = be32_to_cpu(data);
-         } else {
--            data = ldl_le_p(ptw->out_host);
-+            data = le32_to_cpu(data);
-         }
-     } else {
-         /* Page tables are in MMIO. */
-@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
-                             ARMMMUFaultInfo *fi)
- {
-     CPUState *cs = env_cpu(env);
-+    void *host = ptw->out_host;
-     uint64_t data;
--    if (likely(ptw->out_host)) {
-+    if (likely(host)) {
-         /* Page tables are in RAM, and we have the host address. */
-+#ifdef CONFIG_ATOMIC64
-+        data = qatomic_read__nocheck((uint64_t *)host);
-         if (ptw->out_be) {
--            data = ldq_be_p(ptw->out_host);
-+            data = be64_to_cpu(data);
-         } else {
--            data = ldq_le_p(ptw->out_host);
-+            data = le64_to_cpu(data);
-         }
-+#else
-+        if (ptw->out_be) {
-+            data = ldq_be_p(host);
-+        } else {
-+            data = ldq_le_p(host);
-+        }
-+#endif
-     } else {
-         /* Page tables are in MMIO. */
-         MemTxAttrs attrs = { .secure = ptw->out_secure };
-@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
-     return data;
- }
-+static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val,
-+                             uint64_t new_val, S1Translate *ptw,
-+                             ARMMMUFaultInfo *fi)
-+{
-+    uint64_t cur_val;
-+    void *host = ptw->out_host;
-+
-+    if (unlikely(!host)) {
-+        fi->type = ARMFault_UnsuppAtomicUpdate;
-+        fi->s1ptw = true;
-+        return 0;
-+    }
-+
-+    /*
-+     * Raising a stage2 Protection fault for an atomic update to a read-only
-+     * page is delayed until it is certain that there is a change to make.
-+     */
-+    if (unlikely(!ptw->out_rw)) {
-+        int flags;
-+        void *discard;
-+
-+        env->tlb_fi = fi;
-+        flags = probe_access_flags(env, ptw->out_virt, MMU_DATA_STORE,
-+                                   arm_to_core_mmu_idx(ptw->in_ptw_idx),
-+                                   true, &discard, 0);
-+        env->tlb_fi = NULL;
-+
-+        if (unlikely(flags & TLB_INVALID_MASK)) {
-+            assert(fi->type != ARMFault_None);
-+            fi->s2addr = ptw->out_virt;
-+            fi->stage2 = true;
-+            fi->s1ptw = true;
-+            fi->s1ns = !ptw->in_secure;
-+            return 0;
-+        }
-+
-+        /* In case CAS mismatches and we loop, remember writability. */
-+        ptw->out_rw = true;
-+    }
-+
-+#ifdef CONFIG_ATOMIC64
-+    if (ptw->out_be) {
-+        old_val = cpu_to_be64(old_val);
-+        new_val = cpu_to_be64(new_val);
-+        cur_val = qatomic_cmpxchg__nocheck((uint64_t *)host, old_val, new_val);
-+        cur_val = be64_to_cpu(cur_val);
-+    } else {
-+        old_val = cpu_to_le64(old_val);
-+        new_val = cpu_to_le64(new_val);
-+        cur_val = qatomic_cmpxchg__nocheck((uint64_t *)host, old_val, new_val);
-+        cur_val = le64_to_cpu(cur_val);
-+    }
-+#else
-+    /*
-+     * We can't support the full 64-bit atomic cmpxchg on the host.
-+     * Because this is only used for FEAT_HAFDBS, which is only for AA64,
-+     * we know that TCG_OVERSIZED_GUEST is set, which means that we are
-+     * running in round-robin mode and could only race with dma i/o.
-+     */
-+#ifndef TCG_OVERSIZED_GUEST
-+# error "Unexpected configuration"
-+#endif
-+    bool locked = qemu_mutex_iothread_locked();
-+    if (!locked) {
-+       qemu_mutex_lock_iothread();
-+    }
-+    if (ptw->out_be) {
-+        cur_val = ldq_be_p(host);
-+        if (cur_val == old_val) {
-+            stq_be_p(host, new_val);
-+        }
-+    } else {
-+        cur_val = ldq_le_p(host);
-+        if (cur_val == old_val) {
-+            stq_le_p(host, new_val);
-+        }
-+    }
-+    if (!locked) {
-+        qemu_mutex_unlock_iothread();
-+    }
-+#endif
-+
-+    return cur_val;
-+}
-+
- static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
-                                      uint32_t *table, uint32_t address)
- {
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     uint32_t el = regime_el(env, mmu_idx);
-     uint64_t descaddrmask;
-     bool aarch64 = arm_el_is_aa64(env, el);
--    uint64_t descriptor;
-+    uint64_t descriptor, new_descriptor;
-     bool nstable;
-     /* TODO: This code does not support shareability levels. */
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     if (fi->type != ARMFault_None) {
-         goto do_fault;
-     }
-+    new_descriptor = descriptor;
-+ restart_atomic_update:
-     if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
-         /* Invalid, or the Reserved level 3 encoding */
-         goto do_translation_fault;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-      * to give a correct page or table address, the address field
-      * in a block descriptor is smaller; so we need to explicitly
-      * clear the lower bits here before ORing in the low vaddr bits.
-+     *
-+     * Afterward, descaddr is the final physical address.
-      */
-     page_size = (1ULL << ((stride * (4 - level)) + 3));
-     descaddr &= ~(hwaddr)(page_size - 1);
-     descaddr |= (address & (page_size - 1));
-+    if (likely(!ptw->in_debug)) {
-+        /*
-+         * Access flag.
-+         * If HA is enabled, prepare to update the descriptor below.
-+         * Otherwise, pass the access fault on to software.
-+         */
-+        if (!(descriptor & (1 << 10))) {
-+            if (param.ha) {
-+                new_descriptor |= 1 << 10; /* AF */
-+            } else {
-+                fi->type = ARMFault_AccessFlag;
-+                goto do_fault;
-+            }
-+        }
-+    }
-+
-     /*
--     * Extract attributes from the descriptor, and apply table descriptors.
--     * Stage 2 table descriptors do not include any attribute fields.
--     * HPD disables all the table attributes except NSTable.
-+     * Extract attributes from the (modified) descriptor, and apply
-+     * table descriptors. Stage 2 table descriptors do not include
-+     * any attribute fields. HPD disables all the table attributes
-+     * except NSTable.
-      */
--    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
-+    attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
-     if (!regime_is_stage2(mmu_idx)) {
-         attrs |= nstable << 5; /* NS */
-         if (!param.hpd) {
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         }
-     }
--    /*
--     * Here descaddr is the final physical address, and attributes
--     * are all in attrs.
--     */
--    if ((attrs & (1 << 10)) == 0) {
--        /* Access flag */
--        fi->type = ARMFault_AccessFlag;
--        goto do_fault;
--    }
--
-     ap = extract32(attrs, 6, 2);
--
-     if (regime_is_stage2(mmu_idx)) {
-         ns = mmu_idx == ARMMMUIdx_Stage2;
-         xn = extract64(attrs, 53, 2);
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         goto do_fault;
-     }
-+    /* If FEAT_HAFDBS has made changes, update the PTE. */
-+    if (new_descriptor != descriptor) {
-+        new_descriptor = arm_casq_ptw(env, descriptor, new_descriptor, ptw, fi);
-+        if (fi->type != ARMFault_None) {
-+            goto do_fault;
-+        }
-+        /*
-+         * I_YZSVV says that if the in-memory descriptor has changed,
-+         * then we must use the information in that new value
-+         * (which might include a different output address, different
-+         * attributes, or generate a fault).
-+         * Restart the handling of the descriptor value from scratch.
-+         */
-+        if (new_descriptor != descriptor) {
-+            descriptor = new_descriptor;
-+            goto restart_atomic_update;
-+        }
-+    }
-+
-     if (ns) {
-         /*
-          * The NS bit will (as required by the architecture) have no effect if
---
-.25.1

-[PULL 19/30] target/arm: Implement FEAT_HAFDBS, dirty bit portion
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Perform the atomic update for hardware management of the dirty bit.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20221024051851.3074715-14-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu64.c |  2 +-
- target/arm/ptw.c   | 16 ++++++++++++++++
-files changed, 17 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     cpu->isar.id_aa64mmfr0 = t;
-     t = cpu->isar.id_aa64mmfr1;
--    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 1);   /* FEAT_HAFDBS, AF only */
-+    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 2);   /* FEAT_HAFDBS */
-     t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
-     t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
-     t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-                 goto do_fault;
-             }
-         }
-+
-+        /*
-+         * Dirty Bit.
-+         * If HD is enabled, pre-emptively set/clear the appropriate AP/S2AP
-+         * bit for writeback. The actual write protection test may still be
-+         * overridden by tableattrs, to be merged below.
-+         */
-+        if (param.hd
-+            && extract64(descriptor, 51, 1)  /* DBM */
-+            && access_type == MMU_DATA_STORE) {
-+            if (regime_is_stage2(mmu_idx)) {
-+                new_descriptor |= 1ull << 7;    /* set S2AP[1] */
-+            } else {
-+                new_descriptor &= ~(1ull << 7); /* clear AP[2] */
-+            }
-+        }
-     }
-     /*
---
-.25.1

-[PULL 20/30] target/arm: Use the max page size in a 2-stage ptw
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-We had only been reporting the stage2 page size.  This causes
-problems if stage1 is using a larger page size (16k, 2M, etc),
-but stage2 is using a smaller page size, because cputlb does
-not set large_page_{addr,mask} properly.
-Fix by using the max of the two page sizes.
-Reported-by: Marc Zyngier <maz@kernel.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20221024051851.3074715-15-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/ptw.c | 11 ++++++++++-
-file changed, 10 insertions(+), 1 deletion(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-                                    ARMMMUFaultInfo *fi)
- {
-     hwaddr ipa;
--    int s1_prot;
-+    int s1_prot, s1_lgpgsz;
-     bool is_secure = ptw->in_secure;
-     bool ret, ipa_secure, s2walk_secure;
-     ARMCacheAttrs cacheattrs1;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-      * Save the stage1 results so that we may merge prot and cacheattrs later.
-      */
-     s1_prot = result->f.prot;
-+    s1_lgpgsz = result->f.lg_page_size;
-     cacheattrs1 = result->cacheattrs;
-     memset(result, 0, sizeof(*result));
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-         return ret;
-     }
-+    /*
-+     * Use the maximum of the S1 & S2 page size, so that invalidation
-+     * of pages > TARGET_PAGE_SIZE works correctly.
-+     */
-+    if (result->f.lg_page_size < s1_lgpgsz) {
-+        result->f.lg_page_size = s1_lgpgsz;
-+    }
-+
-     /* Combine the S1 and S2 cache attributes. */
-     hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-     if (hcr & HCR_DC) {
---
-.25.1

-[PULL 21/30] reset: allow registering handlers that aren't called by snapshot loading
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Snapshot loading only expects to call deterministic handlers, not
-non-deterministic ones. So introduce a way of registering handlers that
-won't be called when reseting for snapshots.
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-2-Jason@zx2c4.com
-[PMM: updated json doc comment with Markus' text; fixed
- checkpatch style nit]
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- qapi/run-state.json        |  6 +++++-
- include/hw/boards.h        |  2 +-
- include/sysemu/reset.h     |  5 ++++-
- hw/arm/aspeed.c            |  4 ++--
- hw/arm/mps2-tz.c           |  4 ++--
- hw/core/reset.c            | 17 ++++++++++++++++-
- hw/hppa/machine.c          |  4 ++--
- hw/i386/microvm.c          |  4 ++--
- hw/i386/pc.c               |  6 +++---
- hw/ppc/pegasos2.c          |  4 ++--
- hw/ppc/pnv.c               |  4 ++--
- hw/ppc/spapr.c             |  4 ++--
- hw/s390x/s390-virtio-ccw.c |  4 ++--
- migration/savevm.c         |  2 +-
- softmmu/runstate.c         | 11 ++++++++---
-files changed, 54 insertions(+), 27 deletions(-)
-diff --git a/qapi/run-state.json b/qapi/run-state.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/run-state.json
-+++ b/qapi/run-state.json
-@@ -XXX,XX +XXX,XX @@
- #                   ignores --no-reboot. This is useful for sanitizing
- #                   hypercalls on s390 that are used during kexec/kdump/boot
- #
-+# @snapshot-load: A snapshot is being loaded by the record & replay
-+#                 subsystem. This value is used only within QEMU.  It
-+#                 doesn't occur in QMP. (since 7.2)
-+#
- ##
- { 'enum': 'ShutdownCause',
-   # Beware, shutdown_caused_by_guest() depends on enumeration order
-   'data': [ 'none', 'host-error', 'host-qmp-quit', 'host-qmp-system-reset',
-             'host-signal', 'host-ui', 'guest-shutdown', 'guest-reset',
--            'guest-panic', 'subsystem-reset'] }
-+            'guest-panic', 'subsystem-reset', 'snapshot-load'] }
- ##
- # @StatusInfo:
-diff --git a/include/hw/boards.h b/include/hw/boards.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/boards.h
-+++ b/include/hw/boards.h
-@@ -XXX,XX +XXX,XX @@ struct MachineClass {
-     const char *deprecation_reason;
-     void (*init)(MachineState *state);
--    void (*reset)(MachineState *state);
-+    void (*reset)(MachineState *state, ShutdownCause reason);
-     void (*wakeup)(MachineState *state);
-     int (*kvm_type)(MachineState *machine, const char *arg);
-diff --git a/include/sysemu/reset.h b/include/sysemu/reset.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/reset.h
-+++ b/include/sysemu/reset.h
-@@ -XXX,XX +XXX,XX @@
- #ifndef QEMU_SYSEMU_RESET_H
- #define QEMU_SYSEMU_RESET_H
-+#include "qapi/qapi-events-run-state.h"
-+
- typedef void QEMUResetHandler(void *opaque);
- void qemu_register_reset(QEMUResetHandler *func, void *opaque);
-+void qemu_register_reset_nosnapshotload(QEMUResetHandler *func, void *opaque);
- void qemu_unregister_reset(QEMUResetHandler *func, void *opaque);
--void qemu_devices_reset(void);
-+void qemu_devices_reset(ShutdownCause reason);
- #endif
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_bletchley_class_init(ObjectClass *oc, void *data)
-         aspeed_soc_num_cpus(amc->soc_name);
- }
--static void fby35_reset(MachineState *state)
-+static void fby35_reset(MachineState *state, ShutdownCause reason)
- {
-     AspeedMachineState *bmc = ASPEED_MACHINE(state);
-     AspeedGPIOState *gpio = &bmc->soc.gpio;
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     /* Board ID: 7 (Class-1, 4 slots) */
-     object_property_set_bool(OBJECT(gpio), "gpioV4", true, &error_fatal);
-diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/mps2-tz.c
-+++ b/hw/arm/mps2-tz.c
-@@ -XXX,XX +XXX,XX @@ static void mps2_set_remap(Object *obj, const char *value, Error **errp)
-     }
- }
--static void mps2_machine_reset(MachineState *machine)
-+static void mps2_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     MPS2TZMachineState *mms = MPS2TZ_MACHINE(machine);
-@@ -XXX,XX +XXX,XX @@ static void mps2_machine_reset(MachineState *machine)
-      * reset see the correct mapping.
-      */
-     remap_memory(mms, mms->remap);
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
- }
- static void mps2tz_class_init(ObjectClass *oc, void *data)
-diff --git a/hw/core/reset.c b/hw/core/reset.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/reset.c
-+++ b/hw/core/reset.c
-@@ -XXX,XX +XXX,XX @@ typedef struct QEMUResetEntry {
-     QTAILQ_ENTRY(QEMUResetEntry) entry;
-     QEMUResetHandler *func;
-     void *opaque;
-+    bool skip_on_snapshot_load;
- } QEMUResetEntry;
- static QTAILQ_HEAD(, QEMUResetEntry) reset_handlers =
-@@ -XXX,XX +XXX,XX @@ void qemu_register_reset(QEMUResetHandler *func, void *opaque)
-     QTAILQ_INSERT_TAIL(&reset_handlers, re, entry);
- }
-+void qemu_register_reset_nosnapshotload(QEMUResetHandler *func, void *opaque)
-+{
-+    QEMUResetEntry *re = g_new0(QEMUResetEntry, 1);
-+
-+    re->func = func;
-+    re->opaque = opaque;
-+    re->skip_on_snapshot_load = true;
-+    QTAILQ_INSERT_TAIL(&reset_handlers, re, entry);
-+}
-+
- void qemu_unregister_reset(QEMUResetHandler *func, void *opaque)
- {
-     QEMUResetEntry *re;
-@@ -XXX,XX +XXX,XX @@ void qemu_unregister_reset(QEMUResetHandler *func, void *opaque)
-     }
- }
--void qemu_devices_reset(void)
-+void qemu_devices_reset(ShutdownCause reason)
- {
-     QEMUResetEntry *re, *nre;
-     /* reset all devices */
-     QTAILQ_FOREACH_SAFE(re, &reset_handlers, entry, nre) {
-+        if (reason == SHUTDOWN_CAUSE_SNAPSHOT_LOAD &&
-+            re->skip_on_snapshot_load) {
-+            continue;
-+        }
-         re->func(re->opaque);
-     }
- }
-diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/hppa/machine.c
-+++ b/hw/hppa/machine.c
-@@ -XXX,XX +XXX,XX @@ static void machine_hppa_init(MachineState *machine)
-     cpu[0]->env.gr[19] = FW_CFG_IO_BASE;
- }
--static void hppa_machine_reset(MachineState *ms)
-+static void hppa_machine_reset(MachineState *ms, ShutdownCause reason)
- {
-     unsigned int smp_cpus = ms->smp.cpus;
-     int i;
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     /* Start all CPUs at the firmware entry point.
-      *  Monarch CPU will initialize firmware, secondary CPUs
-diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/i386/microvm.c
-+++ b/hw/i386/microvm.c
-@@ -XXX,XX +XXX,XX @@ static void microvm_machine_state_init(MachineState *machine)
-     microvm_devices_init(mms);
- }
--static void microvm_machine_reset(MachineState *machine)
-+static void microvm_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     MicrovmMachineState *mms = MICROVM_MACHINE(machine);
-     CPUState *cs;
-@@ -XXX,XX +XXX,XX @@ static void microvm_machine_reset(MachineState *machine)
-         mms->kernel_cmdline_fixed = true;
-     }
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     CPU_FOREACH(cs) {
-         cpu = X86_CPU(cs);
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -XXX,XX +XXX,XX @@ static void pc_machine_initfn(Object *obj)
-     cxl_machine_init(obj, &pcms->cxl_devices_state);
- }
--static void pc_machine_reset(MachineState *machine)
-+static void pc_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     CPUState *cs;
-     X86CPU *cpu;
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     /* Reset APIC after devices have been reset to cancel
-      * any changes that qemu_devices_reset() might have done.
-@@ -XXX,XX +XXX,XX @@ static void pc_machine_reset(MachineState *machine)
- static void pc_machine_wakeup(MachineState *machine)
- {
-     cpu_synchronize_all_states();
--    pc_machine_reset(machine);
-+    pc_machine_reset(machine, SHUTDOWN_CAUSE_NONE);
-     cpu_synchronize_all_post_reset();
- }
-diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ppc/pegasos2.c
-+++ b/hw/ppc/pegasos2.c
-@@ -XXX,XX +XXX,XX @@ static void pegasos2_pci_config_write(Pegasos2MachineState *pm, int bus,
-     pegasos2_mv_reg_write(pm, pcicfg + 4, len, val);
- }
--static void pegasos2_machine_reset(MachineState *machine)
-+static void pegasos2_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     Pegasos2MachineState *pm = PEGASOS2_MACHINE(machine);
-     void *fdt;
-     uint64_t d[2];
-     int sz;
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     if (!pm->vof) {
-         return; /* Firmware should set up machine so nothing to do */
-     }
-diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ppc/pnv.c
-+++ b/hw/ppc/pnv.c
-@@ -XXX,XX +XXX,XX @@ static void pnv_powerdown_notify(Notifier *n, void *opaque)
-     }
- }
--static void pnv_reset(MachineState *machine)
-+static void pnv_reset(MachineState *machine, ShutdownCause reason)
- {
-     PnvMachineState *pnv = PNV_MACHINE(machine);
-     IPMIBmc *bmc;
-     void *fdt;
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     /*
-      * The machine should provide by default an internal BMC simulator.
-diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ppc/spapr.c
-+++ b/hw/ppc/spapr.c
-@@ -XXX,XX +XXX,XX @@ void spapr_check_mmu_mode(bool guest_radix)
-     }
- }
--static void spapr_machine_reset(MachineState *machine)
-+static void spapr_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     SpaprMachineState *spapr = SPAPR_MACHINE(machine);
-     PowerPCCPU *first_ppc_cpu;
-@@ -XXX,XX +XXX,XX @@ static void spapr_machine_reset(MachineState *machine)
-         spapr_setup_hpt(spapr);
-     }
--    qemu_devices_reset();
-+    qemu_devices_reset(reason);
-     spapr_ovec_cleanup(spapr->ov5_cas);
-     spapr->ov5_cas = spapr_ovec_new();
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -XXX,XX +XXX,XX @@ static void s390_pv_prepare_reset(S390CcwMachineState *ms)
-     s390_pv_prep_reset();
- }
--static void s390_machine_reset(MachineState *machine)
-+static void s390_machine_reset(MachineState *machine, ShutdownCause reason)
- {
-     S390CcwMachineState *ms = S390_CCW_MACHINE(machine);
-     enum s390_reset reset_type;
-@@ -XXX,XX +XXX,XX @@ static void s390_machine_reset(MachineState *machine)
-             s390_machine_unprotect(ms);
-         }
--        qemu_devices_reset();
-+        qemu_devices_reset(reason);
-         s390_crypto_reset();
-         /* configure and start the ipl CPU only */
-diff --git a/migration/savevm.c b/migration/savevm.c
-index XXXXXXX..XXXXXXX 100644
---- a/migration/savevm.c
-+++ b/migration/savevm.c
-@@ -XXX,XX +XXX,XX @@ bool load_snapshot(const char *name, const char *vmstate,
-         goto err_drain;
-     }
--    qemu_system_reset(SHUTDOWN_CAUSE_NONE);
-+    qemu_system_reset(SHUTDOWN_CAUSE_SNAPSHOT_LOAD);
-     mis->from_src_file = f;
-     if (!yank_register_instance(MIGRATION_YANK_INSTANCE, errp)) {
-diff --git a/softmmu/runstate.c b/softmmu/runstate.c
-index XXXXXXX..XXXXXXX 100644
---- a/softmmu/runstate.c
-+++ b/softmmu/runstate.c
-@@ -XXX,XX +XXX,XX @@ void qemu_system_reset(ShutdownCause reason)
-     cpu_synchronize_all_states();
-     if (mc && mc->reset) {
--        mc->reset(current_machine);
-+        mc->reset(current_machine, reason);
-     } else {
--        qemu_devices_reset();
-+        qemu_devices_reset(reason);
-     }
--    if (reason && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
-+    switch (reason) {
-+    case SHUTDOWN_CAUSE_NONE:
-+    case SHUTDOWN_CAUSE_SUBSYSTEM_RESET:
-+    case SHUTDOWN_CAUSE_SNAPSHOT_LOAD:
-+        break;
-+    default:
-         qapi_event_send_reset(shutdown_caused_by_guest(reason), reason);
-     }
-     cpu_synchronize_all_post_reset();
---
-.25.1

-[PULL 22/30] device-tree: add re-randomization helper function
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-When the system reboots, the rng-seed that the FDT has should be
-re-randomized, so that the new boot gets a new seed. Several
-architectures require this functionality, so export a function for
-injecting a new seed into the given FDT.
-Cc: Alistair Francis <alistair.francis@wdc.com>
-Cc: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20221025004327.568476-3-Jason@zx2c4.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/sysemu/device_tree.h |  9 +++++++++
- softmmu/device_tree.c        | 21 +++++++++++++++++++++
-files changed, 30 insertions(+)
-diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/device_tree.h
-+++ b/include/sysemu/device_tree.h
-@@ -XXX,XX +XXX,XX @@ int qemu_fdt_setprop_sized_cells_from_array(void *fdt,
-                                                 qdt_tmp);                 \
-     })
-+
-+/**
-+ * qemu_fdt_randomize_seeds:
-+ * @fdt: device tree blob
-+ *
-+ * Re-randomize all "rng-seed" properties with new seeds.
-+ */
-+void qemu_fdt_randomize_seeds(void *fdt);
-+
- #define FDT_PCI_RANGE_RELOCATABLE          0x80000000
- #define FDT_PCI_RANGE_PREFETCHABLE         0x40000000
- #define FDT_PCI_RANGE_ALIASED              0x20000000
-diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
-index XXXXXXX..XXXXXXX 100644
---- a/softmmu/device_tree.c
-+++ b/softmmu/device_tree.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/option.h"
- #include "qemu/bswap.h"
- #include "qemu/cutils.h"
-+#include "qemu/guest-random.h"
- #include "sysemu/device_tree.h"
- #include "hw/loader.h"
- #include "hw/boards.h"
-@@ -XXX,XX +XXX,XX @@ void hmp_dumpdtb(Monitor *mon, const QDict *qdict)
-     info_report("dtb dumped to %s", filename);
- }
-+
-+void qemu_fdt_randomize_seeds(void *fdt)
-+{
-+    int noffset, poffset, len;
-+    const char *name;
-+    uint8_t *data;
-+
-+    for (noffset = fdt_next_node(fdt, 0, NULL);
-+         noffset >= 0;
-+         noffset = fdt_next_node(fdt, noffset, NULL)) {
-+        for (poffset = fdt_first_property_offset(fdt, noffset);
-+             poffset >= 0;
-+             poffset = fdt_next_property_offset(fdt, poffset)) {
-+            data = (uint8_t *)fdt_getprop_by_offset(fdt, poffset, &name, &len);
-+            if (!data || strcmp(name, "rng-seed"))
-+                continue;
-+            qemu_guest_getrandom_nofail(data, len);
-+        }
-+    }
-+}
---
-.25.1

-[PULL 23/30] x86: do not re-randomize RNG seed on snapshot load
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Snapshot loading is supposed to be deterministic, so we shouldn't
-re-randomize the various seeds used.
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-4-Jason@zx2c4.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/i386/x86.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/i386/x86.c b/hw/i386/x86.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/i386/x86.c
-+++ b/hw/i386/x86.c
-@@ -XXX,XX +XXX,XX @@ void x86_load_linux(X86MachineState *x86ms,
-         setup_data->type = cpu_to_le32(SETUP_RNG_SEED);
-         setup_data->len = cpu_to_le32(RNG_SEED_LENGTH);
-         qemu_guest_getrandom_nofail(setup_data->data, RNG_SEED_LENGTH);
--        qemu_register_reset(reset_rng_seed, setup_data);
-+        qemu_register_reset_nosnapshotload(reset_rng_seed, setup_data);
-         fw_cfg_add_bytes_callback(fw_cfg, FW_CFG_KERNEL_DATA, reset_rng_seed, NULL,
-                                   setup_data, kernel, kernel_size, true);
-     } else {
---
-.25.1

-[PULL 24/30] arm: re-randomize rng-seed on reboot
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-When the system reboots, the rng-seed that the FDT has should be
-re-randomized, so that the new boot gets a new seed. Since the FDT is in
-the ROM region at this point, we add a hook right after the ROM has been
-added, so that we have a pointer to that copy of the FDT.
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: qemu-arm@nongnu.org
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-5-Jason@zx2c4.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/boot.c | 2 ++
-file changed, 2 insertions(+)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo,
-      * the DTB is copied again upon reset, even if addr points into RAM.
-      */
-     rom_add_blob_fixed_as("dtb", fdt, size, addr, as);
-+    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
-+                                       rom_ptr_for_as(as, addr, size));
-     g_free(fdt);
---
-.25.1

-[PULL 25/30] riscv: re-randomize rng-seed on reboot
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-When the system reboots, the rng-seed that the FDT has should be
-re-randomized, so that the new boot gets a new seed. Since the FDT is in
-the ROM region at this point, we add a hook right after the ROM has been
-added, so that we have a pointer to that copy of the FDT.
-Cc: Palmer Dabbelt <palmer@dabbelt.com>
-Cc: Alistair Francis <alistair.francis@wdc.com>
-Cc: Bin Meng <bin.meng@windriver.com>
-Cc: qemu-riscv@nongnu.org
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20221025004327.568476-6-Jason@zx2c4.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/riscv/boot.c | 3 +++
-file changed, 3 insertions(+)
-diff --git a/hw/riscv/boot.c b/hw/riscv/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/riscv/boot.c
-+++ b/hw/riscv/boot.c
-@@ -XXX,XX +XXX,XX @@
- #include "sysemu/device_tree.h"
- #include "sysemu/qtest.h"
- #include "sysemu/kvm.h"
-+#include "sysemu/reset.h"
- #include <libfdt.h>
-@@ -XXX,XX +XXX,XX @@ uint64_t riscv_load_fdt(hwaddr dram_base, uint64_t mem_size, void *fdt)
-     rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
-                           &address_space_memory);
-+    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
-+                        rom_ptr_for_as(&address_space_memory, fdt_addr, fdtsize));
-     return fdt_addr;
- }
---
-.25.1

-[PULL 26/30] m68k/virt: do not re-randomize RNG seed on snapshot load
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Snapshot loading is supposed to be deterministic, so we shouldn't
-re-randomize the various seeds used.
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-7-Jason@zx2c4.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/m68k/virt.c | 20 +++++++++++---------
-file changed, 11 insertions(+), 9 deletions(-)
-diff --git a/hw/m68k/virt.c b/hw/m68k/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/m68k/virt.c
-+++ b/hw/m68k/virt.c
-@@ -XXX,XX +XXX,XX @@ typedef struct {
-     M68kCPU *cpu;
-     hwaddr initial_pc;
-     hwaddr initial_stack;
--    struct bi_record *rng_seed;
- } ResetInfo;
- static void main_cpu_reset(void *opaque)
-@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
-     M68kCPU *cpu = reset_info->cpu;
-     CPUState *cs = CPU(cpu);
--    if (reset_info->rng_seed) {
--        qemu_guest_getrandom_nofail((void *)reset_info->rng_seed->data + 2,
--            be16_to_cpu(*(uint16_t *)reset_info->rng_seed->data));
--    }
--
-     cpu_reset(cs);
-     cpu->env.aregs[7] = reset_info->initial_stack;
-     cpu->env.pc = reset_info->initial_pc;
- }
-+static void rerandomize_rng_seed(void *opaque)
-+{
-+    struct bi_record *rng_seed = opaque;
-+    qemu_guest_getrandom_nofail((void *)rng_seed->data + 2,
-+                                be16_to_cpu(*(uint16_t *)rng_seed->data));
-+}
-+
- static void virt_init(MachineState *machine)
- {
-     M68kCPU *cpu = NULL;
-@@ -XXX,XX +XXX,XX @@ static void virt_init(MachineState *machine)
-         BOOTINFO0(param_ptr, BI_LAST);
-         rom_add_blob_fixed_as("bootinfo", param_blob, param_ptr - param_blob,
-                               parameters_base, cs->as);
--        reset_info->rng_seed = rom_ptr_for_as(cs->as, parameters_base,
--                                              param_ptr - param_blob) +
--                               (param_rng_seed - param_blob);
-+        qemu_register_reset_nosnapshotload(rerandomize_rng_seed,
-+                            rom_ptr_for_as(cs->as, parameters_base,
-+                                           param_ptr - param_blob) +
-+                            (param_rng_seed - param_blob));
-         g_free(param_blob);
-     }
- }
---
-.25.1

-[PULL 27/30] m68k/q800: do not re-randomize RNG seed on snapshot load
+Deleted patch
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Snapshot loading is supposed to be deterministic, so we shouldn't
-re-randomize the various seeds used.
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Message-id: 20221025004327.568476-8-Jason@zx2c4.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/m68k/q800.c | 33 +++++++++++++--------------------
-file changed, 13 insertions(+), 20 deletions(-)
-diff --git a/hw/m68k/q800.c b/hw/m68k/q800.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/m68k/q800.c
-+++ b/hw/m68k/q800.c
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo glue_info = {
-     },
- };
--typedef struct {
--    M68kCPU *cpu;
--    struct bi_record *rng_seed;
--} ResetInfo;
--
- static void main_cpu_reset(void *opaque)
- {
--    ResetInfo *reset_info = opaque;
--    M68kCPU *cpu = reset_info->cpu;
-+    M68kCPU *cpu = opaque;
-     CPUState *cs = CPU(cpu);
--    if (reset_info->rng_seed) {
--        qemu_guest_getrandom_nofail((void *)reset_info->rng_seed->data + 2,
--            be16_to_cpu(*(uint16_t *)reset_info->rng_seed->data));
--    }
--
-     cpu_reset(cs);
-     cpu->env.aregs[7] = ldl_phys(cs->as, 0);
-     cpu->env.pc = ldl_phys(cs->as, 4);
- }
-+static void rerandomize_rng_seed(void *opaque)
-+{
-+    struct bi_record *rng_seed = opaque;
-+    qemu_guest_getrandom_nofail((void *)rng_seed->data + 2,
-+                                be16_to_cpu(*(uint16_t *)rng_seed->data));
-+}
-+
- static uint8_t fake_mac_rom[] = {
-, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
-     NubusBus *nubus;
-     DeviceState *glue;
-     DriveInfo *dinfo;
--    ResetInfo *reset_info;
-     uint8_t rng_seed[32];
-     linux_boot = (kernel_filename != NULL);
-@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
-         exit(1);
-     }
--    reset_info = g_new0(ResetInfo, 1);
--
-     /* init CPUs */
-     cpu = M68K_CPU(cpu_create(machine->cpu_type));
--    reset_info->cpu = cpu;
--    qemu_register_reset(main_cpu_reset, reset_info);
-+    qemu_register_reset(main_cpu_reset, cpu);
-     /* RAM */
-     memory_region_add_subregion(get_system_memory(), 0, machine->ram);
-@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
-         BOOTINFO0(param_ptr, BI_LAST);
-         rom_add_blob_fixed_as("bootinfo", param_blob, param_ptr - param_blob,
-                               parameters_base, cs->as);
--        reset_info->rng_seed = rom_ptr_for_as(cs->as, parameters_base,
--                                              param_ptr - param_blob) +
--                               (param_rng_seed - param_blob);
-+        qemu_register_reset_nosnapshotload(rerandomize_rng_seed,
-+                            rom_ptr_for_as(cs->as, parameters_base,
-+                                           param_ptr - param_blob) +
-+                            (param_rng_seed - param_blob));
-         g_free(param_blob);
-     } else {
-         uint8_t *ptr;
---
-.25.1

Hi; this is the latest target-arm queue. Most of the patches
here are RTH's FEAT_HAFDBS finally landing. I've also included
the RNG-seed randomization patches from Jason, as well as a few
more minor things. The patches include a couple of regression
fixes:
 * the resettable patch fixes a SCSI reset regression
 * the 'do not re-randomize on snapshot load' patches fix
   record-and-replay regressions

thanks
-- PMM

The following changes since commit e750a7ace492f0b450653d4ad368a77d6f660fb8:

Merge tag 'pull-9p-20221024' of https://github.com/cschoenebeck/qemu into staging (2022-10-24 14:27:12 -0400)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221025

for you to fetch changes up to e2114f701c78f76246e4b1872639dad94a6bdd21:

rx: re-randomize rng-seed on reboot (2022-10-25 17:32:24 +0100)

----------------------------------------------------------------
target-arm queue:
 * Implement FEAT_E0PD
 * Implement FEAT_HAFDBS
 * honor HCR_E2H and HCR_TGE in arm_excp_unmasked()
 * hw/arm/virt: Fix devicetree warnings about the virtio-iommu node
 * hw/core/resettable: fix reset level counting
 * hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()
 * imx: reload cmp timer outside of the reload ptimer transaction
 * x86: do not re-randomize RNG seed on snapshot load
 * m68k/virt: do not re-randomize RNG seed on snapshot load
 * m68k/q800: do not re-randomize RNG seed on snapshot load
 * arm: re-randomize rng-seed on reboot
 * riscv: re-randomize rng-seed on reboot
 * mips/boston: re-randomize rng-seed on reboot
 * openrisc: re-randomize rng-seed on reboot
 * rx: re-randomize rng-seed on reboot

----------------------------------------------------------------
Ake Koomsin (1):
      target/arm: honor HCR_E2H and HCR_TGE in arm_excp_unmasked()

Axel Heider (1):
      target/imx: reload cmp timer outside of the reload ptimer transaction

Damien Hedde (1):
      hw/core/resettable: fix reset level counting

Jason A. Donenfeld (10):
      reset: allow registering handlers that aren't called by snapshot loading
      device-tree: add re-randomization helper function
      x86: do not re-randomize RNG seed on snapshot load
      arm: re-randomize rng-seed on reboot
      riscv: re-randomize rng-seed on reboot
      m68k/virt: do not re-randomize RNG seed on snapshot load
      m68k/q800: do not re-randomize RNG seed on snapshot load
      mips/boston: re-randomize rng-seed on reboot
      openrisc: re-randomize rng-seed on reboot
      rx: re-randomize rng-seed on reboot

Jean-Philippe Brucker (1):
      hw/arm/virt: Fix devicetree warnings about the virtio-iommu node

Peter Maydell (2):
      target/arm: Implement FEAT_E0PD
      hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset()

Richard Henderson (14):
      target/arm: Introduce regime_is_stage2
      target/arm: Add ptw_idx to S1Translate
      target/arm: Add isar predicates for FEAT_HAFDBS
      target/arm: Extract HA and HD in aa64_va_parameters
      target/arm: Move S1_ptw_translate outside arm_ld[lq]_ptw
      target/arm: Add ARMFault_UnsuppAtomicUpdate
      target/arm: Remove loop from get_phys_addr_lpae
      target/arm: Fix fault reporting in get_phys_addr_lpae
      target/arm: Don't shift attrs in get_phys_addr_lpae
      target/arm: Consider GP an attribute in get_phys_addr_lpae
      target/arm: Tidy merging of attributes from descriptor and table
      target/arm: Implement FEAT_HAFDBS, access flag portion
      target/arm: Implement FEAT_HAFDBS, dirty bit portion
      target/arm: Use the max page size in a 2-stage ptw

FEAT_E0PD adds new bits E0PD0 and E0PD1 to TCR_EL1, which allow the
OS to forbid EL0 access to half of the address space.  Since this is
an EL0-specific variation on the existing TCR_ELx.{EPD0,EPD1}, we can
implement it entirely in aa64_va_parameters().

This requires moving the existing regime_is_user() to internals.h
so that the code in helper.c can get at it.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221021160131.3531787-1-peter.maydell@linaro.org
---
 docs/system/arm/emulation.rst |  1 +
 target/arm/cpu.h              |  5 +++++
 target/arm/internals.h        | 19 +++++++++++++++++++
 target/arm/cpu64.c            |  1 +
 target/arm/helper.c           |  9 +++++++++
 target/arm/ptw.c              | 19 -------------------
 6 files changed, 35 insertions(+), 19 deletions(-)

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

The "PCI Bus Binding to: IEEE Std 1275-1994" defines the compatible
string for a PCIe bus or endpoint as "pci<vendorid>,<deviceid>" or
similar. Since the initial binding for PCI virtio-iommu didn't follow
this rule, it was modified to accept both strings and ensure backward
compatibility. Also, the unit-name for the node should be
"device,function".

Fix corresponding dt-validate and dtc warnings:

pcie@10000000: virtio_iommu@16:compatible: ['virtio,pci-iommu'] does not contain items matching the given schema
  pcie@10000000: Unevaluated properties are not allowed (... 'virtio_iommu@16' were unexpected)
  From schema: linux/Documentation/devicetree/bindings/pci/host-generic-pci.yaml
  virtio_iommu@16: compatible: 'oneOf' conditional failed, one must be fixed:
        ['virtio,pci-iommu'] is too short
        'pci1af4,1057' was expected
  From schema: dtschema/schemas/pci/pci-bus.yaml

Warning (pci_device_reg): /pcie@10000000/virtio_iommu@16: PCI unit address format error, expected "2,0"

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_smmu(const VirtMachineState *vms,
 
 static void create_virtio_iommu_dt_bindings(VirtMachineState *vms)
 {
-    const char compat[] = "virtio,pci-iommu";
+    const char compat[] = "virtio,pci-iommu\0pci1af4,1057";
     uint16_t bdf = vms->virtio_iommu_bdf;
     MachineState *ms = MACHINE(vms);
     char *node;
 
     vms->iommu_phandle = qemu_fdt_alloc_phandle(ms->fdt);
 
-    node = g_strdup_printf("%s/virtio_iommu@%d", vms->pciehb_nodename, bdf);
+    node = g_strdup_printf("%s/virtio_iommu@%x,%x", vms->pciehb_nodename,
+                           PCI_SLOT(bdf), PCI_FUNC(bdf));
     qemu_fdt_add_subnode(ms->fdt, node);
     qemu_fdt_setprop(ms->fdt, node, "compatible", compat, sizeof(compat));
     qemu_fdt_setprop_sized_cells(ms->fdt, node, "reg",
-- 
2.25.1

From: Ake Koomsin <ake@igel.co.jp>

An exception targeting EL2 from lower EL is actually maskable when
HCR_E2H and HCR_TGE are both set. This applies to both secure and
non-secure Security state.

We can remove the conditions that try to suppress masking of
interrupts when we are Secure and the exception targets EL2 and
Secure EL2 is disabled.  This is OK because in that situation
arm_phys_excp_target_el() will never return 2 as the target EL.  The
'not if secure' check in this function was originally written before
arm_hcr_el2_eff(), and back then the target EL returned by
arm_phys_excp_target_el() could be 2 even if we were in Secure
EL0/EL1; but it is no longer needed.

Signed-off-by: Ake Koomsin <ake@igel.co.jp>
Message-id: 20221017092432.546881-1-ake@igel.co.jp
[PMM: Add commit message paragraph explaining why it's OK to
 remove the checks on secure and SCR_EEL2]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
     if ((target_el > cur_el) && (target_el != 1)) {
         /* Exceptions targeting a higher EL may not be maskable */
         if (arm_feature(env, ARM_FEATURE_AARCH64)) {
-            /*
-             * 64-bit masking rules are simple: exceptions to EL3
-             * can't be masked, and exceptions to EL2 can only be
-             * masked from Secure state. The HCR and SCR settings
-             * don't affect the masking logic, only the interrupt routing.
-             */
-            if (target_el == 3 || !secure || (env->cp15.scr_el3 & SCR_EEL2)) {
+            switch (target_el) {
+            case 2:
+                /*
+                 * According to ARM DDI 0487H.a, an interrupt can be masked
+                 * when HCR_E2H and HCR_TGE are both set regardless of the
+                 * current Security state. Note that we need to revisit this
+                 * part again once we need to support NMI.
+                 */
+                if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+                        unmasked = true;
+                }
+                break;
+            case 3:
+                /* Interrupt cannot be masked when the target EL is 3 */
                 unmasked = true;
+                break;
+            default:
+                g_assert_not_reached();
             }
         } else {
             /*
-- 
2.25.1

From: Damien Hedde <damien.hedde@greensocs.com>

The code for handling the reset level count in the Resettable code
has two issues:

The reset count is only decremented for the 1->0 case.  This means
that if there's ever a nested reset that takes the count to 2 then it
will never again be decremented.  Eventually the count will exceed
the '50' limit in resettable_phase_enter() and QEMU will trip over
the assertion failure.  The repro case in issue 1266 is an example of
this that happens now the SCSI subsystem uses three-phase reset.

Secondly, the count is decremented only after the exit phase handler
is called.  Moving the reset count decrement from "just after" to
"just before" calling the exit phase handler allows
resettable_is_in_reset() to return false during the handler
execution.

This simplifies reset handling in resettable devices.  Typically, a
function that updates the device state will just need to read the
current reset state and not anymore treat the "in a reset-exit
transition" as a special case.

Note that the semantics change to the *_is_in_reset() functions
will have no effect on the current codebase, because only two
devices (hw/char/cadence_uart.c and hw/misc/zynq_sclr.c) currently
call those functions, and in neither case do they do it from the
device's exit phase methed.

Fixes: 4a5fc890 ("scsi: Use device_cold_reset() and bus_cold_reset()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1266
Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reported-by: Michael Peter <michael.peter@hensoldt-cyber.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20221020142749.3357951-1-peter.maydell@linaro.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1905297
Reported-by: Michael Peter <michael.peter@hensoldt-cyber.com>
[PMM: adjust the docs paragraph changed to get the name of the
 'enter' phase right and to clarify exactly when the count is
 adjusted; rewrite the commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/devel/reset.rst | 8 +++++---
 hw/core/resettable.c | 3 +--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/devel/reset.rst b/docs/devel/reset.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/devel/reset.rst
+++ b/docs/devel/reset.rst
@@ -XXX,XX +XXX,XX @@ Polling the reset state
 Resettable interface provides the ``resettable_is_in_reset()`` function.
 This function returns true if the object parameter is currently under reset.
 
-An object is under reset from the beginning of the *init* phase to the end of
-the *exit* phase. During all three phases, the function will return that the
-object is in reset.
+An object is under reset from the beginning of the *enter* phase (before
+either its children or its own enter method is called) to the *exit*
+phase. During *enter* and *hold* phase only, the function will return that the
+object is in reset. The state is changed after the *exit* is propagated to
+its children and just before calling the object's own *exit* method.
 
 This function may be used if the object behavior has to be adapted
 while in reset state. For example if a device has an irq input,
diff --git a/hw/core/resettable.c b/hw/core/resettable.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/resettable.c
+++ b/hw/core/resettable.c
@@ -XXX,XX +XXX,XX @@ static void resettable_phase_exit(Object *obj, void *opaque, ResetType type)
     resettable_child_foreach(rc, obj, resettable_phase_exit, NULL, type);
 
     assert(s->count > 0);
-    if (s->count == 1) {
+    if (--s->count == 0) {
         trace_resettable_phase_exit_exec(obj, obj_typename, !!rc->phases.exit);
         if (rc->phases.exit && !resettable_get_tr_func(rc, obj)) {
             rc->phases.exit(obj);
         }
-        s->count = 0;
     }
     s->exit_phase_in_progress = false;
     trace_resettable_phase_exit_end(obj, obj_typename, s->count);
-- 
2.25.1

The semantic difference between the deprecated device_legacy_reset()
function and the newer device_cold_reset() function is that the new
function resets both the device itself and any qbuses it owns,
whereas the legacy function resets just the device itself and nothing
else.  In hyperv_synic_reset() we reset a SynICState, which has no
qbuses, so for this purpose the two functions behave identically and
we can stop using the deprecated one.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Message-id: 20221013171817.1447562-1-peter.maydell@linaro.org
---
 hw/hyperv/hyperv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/hyperv/hyperv.c
+++ b/hw/hyperv/hyperv.c
@@ -XXX,XX +XXX,XX @@ void hyperv_synic_reset(CPUState *cs)
     SynICState *synic = get_synic(cs);
 
     if (synic) {
-        device_legacy_reset(DEVICE(synic));
+        device_cold_reset(DEVICE(synic));
     }
 }
 
-- 
2.25.1

From: Axel Heider <axel.heider@hensoldt.net>

When running seL4 tests (https://docs.sel4.systems/projects/sel4test)
on the sabrelight platform, the timer tests fail. The arm/imx6 EPIT
timer interrupt does not fire properly, instead of a e.g. second in
can take up to a minute to finally see the interrupt.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1263

Signed-off-by: Axel Heider <axel.heider@hensoldt.net>
Message-id: 166663118138.13362.1229967229046092876-0@git.sr.ht
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/imx_epit.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/imx_epit.c
+++ b/hw/timer/imx_epit.c
@@ -XXX,XX +XXX,XX @@ static void imx_epit_write(void *opaque, hwaddr offset, uint64_t value,
             /* If IOVW bit is set then set the timer value */
             ptimer_set_count(s->timer_reload, s->lr);
         }
-
+        /*
+         * Commit the change to s->timer_reload, so it can propagate. Otherwise
+         * the timer interrupt may not fire properly. The commit must happen
+         * before calling imx_epit_reload_compare_timer(), which reads
+         * s->timer_reload internally again.
+         */
+        ptimer_transaction_commit(s->timer_reload);
         imx_epit_reload_compare_timer(s);
         ptimer_transaction_commit(s->timer_cmp);
-        ptimer_transaction_commit(s->timer_reload);
         break;
 
     case 3: /* CMP */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reduce the amount of typing required for this check.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  5 +++++
 target/arm/helper.c    | 14 +++++---------
 target/arm/ptw.c       | 14 ++++++--------
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline bool regime_is_pan(CPUARMState *env, ARMMMUIdx mmu_idx)
     }
 }
 
+static inline bool regime_is_stage2(ARMMMUIdx mmu_idx)
+{
+    return mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
+}
+
 /* Return the exception level which controls this address translation regime */
 static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
     if (regime_has_2_ranges(mmu_idx)) {
         return extract64(tcr, 37, 2);
-    } else if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+    } else if (regime_is_stage2(mmu_idx)) {
         return 0; /* VTCR_EL2 */
     } else {
         /* Replicate the single TBI bit so we always have 2 bits.  */
@@ -XXX,XX +XXX,XX @@ int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
     if (regime_has_2_ranges(mmu_idx)) {
         return extract64(tcr, 51, 2);
-    } else if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+    } else if (regime_is_stage2(mmu_idx)) {
         return 0; /* VTCR_EL2 */
     } else {
         /* Replicate the single TBID bit so we always have 2 bits.  */
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
     ARMGranuleSize gran;
     ARMCPU *cpu = env_archcpu(env);
-    bool stage2 = mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S;
+    bool stage2 = regime_is_stage2(mmu_idx);
 
     if (!regime_has_2_ranges(mmu_idx)) {
         select = 0;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         }
         ds = false;
     } else if (ds) {
-        switch (mmu_idx) {
-        case ARMMMUIdx_Stage2:
-        case ARMMMUIdx_Stage2_S:
+        if (regime_is_stage2(mmu_idx)) {
             if (gran == Gran16K) {
                 ds = cpu_isar_feature(aa64_tgran16_2_lpa2, cpu);
             } else {
                 ds = cpu_isar_feature(aa64_tgran4_2_lpa2, cpu);
             }
-            break;
-        default:
+        } else {
             if (gran == Gran16K) {
                 ds = cpu_isar_feature(aa64_tgran16_lpa2, cpu);
             } else {
                 ds = cpu_isar_feature(aa64_tgran4_lpa2, cpu);
             }
-            break;
         }
         if (ds) {
             min_tsz = 12;
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
     bool have_wxn;
     int wxn = 0;
 
-    assert(mmu_idx != ARMMMUIdx_Stage2);
-    assert(mmu_idx != ARMMMUIdx_Stage2_S);
+    assert(!regime_is_stage2(mmu_idx));
 
     user_rw = simple_ap_to_rw_prot_is_user(ap, true);
     if (is_user) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         goto do_fault;
     }
 
-    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
+    if (!regime_is_stage2(mmu_idx)) {
         /*
          * The starting level depends on the virtual address size (which can
          * be up to 48 bits) and the translation granule size. It indicates
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         attrs = extract64(descriptor, 2, 10)
             | (extract64(descriptor, 52, 12) << 10);
 
-        if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+        if (regime_is_stage2(mmu_idx)) {
             /* Stage 2 table descriptors do not include any attribute fields */
             break;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 
     ap = extract32(attrs, 4, 2);
 
-    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+    if (regime_is_stage2(mmu_idx)) {
         ns = mmu_idx == ARMMMUIdx_Stage2;
         xn = extract32(attrs, 11, 2);
         result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         result->f.guarded = guarded;
     }
 
-    if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+    if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
         result->cacheattrs.attrs = extract32(attrs, 0, 4);
     } else {
@@ -XXX,XX +XXX,XX @@ do_fault:
     fi->type = fault_type;
     fi->level = level;
     /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
-    fi->stage2 = fi->s1ptw || (mmu_idx == ARMMMUIdx_Stage2 ||
-                               mmu_idx == ARMMMUIdx_Stage2_S);
+    fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
     fi->s1ns = mmu_idx == ARMMMUIdx_Stage2;
     return true;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Hoist the computation of the mmu_idx for the ptw up to
get_phys_addr_with_struct and get_phys_addr_twostage.
This removes the duplicate check for stage2 disabled
from the middle of the walk, performing it only once.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 71 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 54 insertions(+), 17 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 
 typedef struct S1Translate {
     ARMMMUIdx in_mmu_idx;
+    ARMMMUIdx in_ptw_idx;
     bool in_secure;
     bool in_debug;
     bool out_secure;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
 {
     bool is_secure = ptw->in_secure;
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-    ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-    bool s2_phys = false;
+    ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
     uint8_t pte_attrs;
     bool pte_secure;
 
-    if (!arm_mmu_idx_is_stage1_of_2(mmu_idx)
-        || regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
-        s2_mmu_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-        s2_phys = true;
-    }
-
     if (unlikely(ptw->in_debug)) {
         /*
          * From gdbstub, do not use softmmu so that we don't modify the
          * state of the cpu at all, including softmmu tlb contents.
          */
-        if (s2_phys) {
-            ptw->out_phys = addr;
-            pte_attrs = 0;
-            pte_secure = is_secure;
-        } else {
+        if (regime_is_stage2(s2_mmu_idx)) {
             S1Translate s2ptw = {
                 .in_mmu_idx = s2_mmu_idx,
+                .in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS,
                 .in_secure = is_secure,
                 .in_debug = true,
             };
             GetPhysAddrResult s2 = { };
+
             if (!get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
                                     false, &s2, fi)) {
                 goto fail;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             ptw->out_phys = s2.f.phys_addr;
             pte_attrs = s2.cacheattrs.attrs;
             pte_secure = s2.f.attrs.secure;
+        } else {
+            /* Regime is physical. */
+            ptw->out_phys = addr;
+            pte_attrs = 0;
+            pte_secure = is_secure;
         }
         ptw->out_host = NULL;
     } else {
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         pte_secure = full->attrs.secure;
     }
 
-    if (!s2_phys) {
+    if (regime_is_stage2(s2_mmu_idx)) {
         uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 
         if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         descaddr |= (address >> (stride * (4 - level))) & indexmask;
         descaddr &= ~7ULL;
         nstable = extract32(tableattrs, 4, 1);
-        ptw->in_secure = !nstable;
+        if (!nstable) {
+            /*
+             * Stage2_S -> Stage2 or Phys_S -> Phys_NS
+             * Assert that the non-secure idx are even, and relative order.
+             */
+            QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
+            QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
+            QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
+            QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
+            ptw->in_ptw_idx &= ~1;
+            ptw->in_secure = false;
+        }
         descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 
     is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
     ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+    ptw->in_ptw_idx = s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
     ptw->in_secure = s2walk_secure;
 
     /*
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
                                       ARMMMUFaultInfo *fi)
 {
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-    ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
     bool is_secure = ptw->in_secure;
+    ARMMMUIdx s1_mmu_idx;
 
-    if (mmu_idx != s1_mmu_idx) {
+    switch (mmu_idx) {
+    case ARMMMUIdx_Phys_S:
+    case ARMMMUIdx_Phys_NS:
+        /* Checking Phys early avoids special casing later vs regime_el. */
+        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
+                                      is_secure, result, fi);
+
+    case ARMMMUIdx_Stage1_E0:
+    case ARMMMUIdx_Stage1_E1:
+    case ARMMMUIdx_Stage1_E1_PAN:
+        /* First stage lookup uses second stage for ptw. */
+        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+        break;
+
+    case ARMMMUIdx_E10_0:
+        s1_mmu_idx = ARMMMUIdx_Stage1_E0;
+        goto do_twostage;
+    case ARMMMUIdx_E10_1:
+        s1_mmu_idx = ARMMMUIdx_Stage1_E1;
+        goto do_twostage;
+    case ARMMMUIdx_E10_1_PAN:
+        s1_mmu_idx = ARMMMUIdx_Stage1_E1_PAN;
+    do_twostage:
         /*
          * Call ourselves recursively to do the stage 1 and then stage 2
          * translations if mmu_idx is a two-stage regime, and EL2 present.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
             return get_phys_addr_twostage(env, ptw, address, access_type,
                                           result, fi);
         }
+        /* fall through */
+
+    default:
+        /* Single stage and second stage uses physical for ptw. */
+        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+        break;
     }
 
     /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The MMFR1 field may indicate support for hardware update of
access flag alone, or access flag and dirty bit.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_e0pd(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64mmfr2, ID_AA64MMFR2, E0PD) != 0;
 }
 
+static inline bool isar_feature_aa64_hafs(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, HAFDBS) != 0;
+}
+
+static inline bool isar_feature_aa64_hdbs(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, HAFDBS) >= 2;
+}
+
 static inline bool isar_feature_aa64_tts2uxn(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64mmfr1, ID_AA64MMFR1, XNX) != 0;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 2 ++
 target/arm/helper.c    | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     bool hpd        : 1;
     bool tsz_oob    : 1;  /* tsz has been clamped to legal range */
     bool ds         : 1;
+    bool ha         : 1;
+    bool hd         : 1;
     ARMGranuleSize gran : 2;
 } ARMVAParameters;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
                                    ARMMMUIdx mmu_idx, bool data)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx);
-    bool epd, hpd, tsz_oob, ds;
+    bool epd, hpd, tsz_oob, ds, ha, hd;
     int select, tsz, tbi, max_tsz, min_tsz, ps, sh;
     ARMGranuleSize gran;
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         epd = false;
         sh = extract32(tcr, 12, 2);
         ps = extract32(tcr, 16, 3);
+        ha = extract32(tcr, 21, 1) && cpu_isar_feature(aa64_hafs, cpu);
+        hd = extract32(tcr, 22, 1) && cpu_isar_feature(aa64_hdbs, cpu);
         ds = extract64(tcr, 32, 1);
     } else {
         bool e0pd;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
             e0pd = extract64(tcr, 56, 1);
         }
         ps = extract64(tcr, 32, 3);
+        ha = extract64(tcr, 39, 1) && cpu_isar_feature(aa64_hafs, cpu);
+        hd = extract64(tcr, 40, 1) && cpu_isar_feature(aa64_hdbs, cpu);
         ds = extract64(tcr, 59, 1);
 
         if (e0pd && cpu_isar_feature(aa64_e0pd, cpu) &&
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         .hpd = hpd,
         .tsz_oob = tsz_oob,
         .ds = ds,
+        .ha = ha,
+        .hd = ha && hd,
         .gran = gran,
     };
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Separate S1 translation from the actual lookup.
Will enable lpae hardware updates.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
 }
 
 /* All loads done in the course of a page table walk go through here. */
-static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
+static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
     uint32_t data;
 
-    if (!S1_ptw_translate(env, ptw, addr, fi)) {
-        /* Failure. */
-        assert(fi->s1ptw);
-        return 0;
-    }
-
     if (likely(ptw->out_host)) {
         /* Page tables are in RAM, and we have the host address. */
         if (ptw->out_be) {
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
     return data;
 }
 
-static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
+static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
     uint64_t data;
 
-    if (!S1_ptw_translate(env, ptw, addr, fi)) {
-        /* Failure. */
-        assert(fi->s1ptw);
-        return 0;
-    }
-
     if (likely(ptw->out_host)) {
         /* Page tables are in RAM, and we have the host address. */
         if (ptw->out_be) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
         fi->type = ARMFault_Translation;
         goto do_fault;
     }
-    desc = arm_ldl_ptw(env, ptw, table, fi);
+    if (!S1_ptw_translate(env, ptw, table, fi)) {
+        goto do_fault;
+    }
+    desc = arm_ldl_ptw(env, ptw, fi);
     if (fi->type != ARMFault_None) {
         goto do_fault;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
             /* Fine pagetable.  */
             table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
         }
-        desc = arm_ldl_ptw(env, ptw, table, fi);
+        if (!S1_ptw_translate(env, ptw, table, fi)) {
+            goto do_fault;
+        }
+        desc = arm_ldl_ptw(env, ptw, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
         fi->type = ARMFault_Translation;
         goto do_fault;
     }
-    desc = arm_ldl_ptw(env, ptw, table, fi);
+    if (!S1_ptw_translate(env, ptw, table, fi)) {
+        goto do_fault;
+    }
+    desc = arm_ldl_ptw(env, ptw, fi);
     if (fi->type != ARMFault_None) {
         goto do_fault;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
         ns = extract32(desc, 3, 1);
         /* Lookup l2 entry.  */
         table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
-        desc = arm_ldl_ptw(env, ptw, table, fi);
+        if (!S1_ptw_translate(env, ptw, table, fi)) {
+            goto do_fault;
+        }
+        desc = arm_ldl_ptw(env, ptw, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
             ptw->in_ptw_idx &= ~1;
             ptw->in_secure = false;
         }
-        descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
+        if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
+            goto do_fault;
+        }
+        descriptor = arm_ldq_ptw(env, ptw, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This fault type is to be used with FEAT_HAFDBS when
the guest enables hw updates, but places the tables
in memory where atomic updates are unsupported.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef enum ARMFaultType {
     ARMFault_AsyncExternal,
     ARMFault_Debug,
     ARMFault_TLBConflict,
+    ARMFault_UnsuppAtomicUpdate,
     ARMFault_Lockdown,
     ARMFault_Exclusive,
     ARMFault_ICacheMaint,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi)
     case ARMFault_TLBConflict:
         fsc = 0x30;
         break;
+    case ARMFault_UnsuppAtomicUpdate:
+        fsc = 0x31;
+        break;
     case ARMFault_Lockdown:
         fsc = 0x34;
         break;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The unconditional loop was used both to iterate over levels
and to control parsing of attributes.  Use an explicit goto
in both cases.

While this appears less clean for iterating over levels, we
will need to jump back into the middle of this loop for
atomic updates, which is even uglier.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 192 +++++++++++++++++++++++------------------------
 1 file changed, 96 insertions(+), 96 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
     bool guarded = false;
+    uint64_t descriptor;
+    bool nstable;
 
     /* TODO: This code does not support shareability levels. */
     if (aarch64) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      * bits at each step.
      */
     tableattrs = is_secure ? 0 : (1 << 4);
-    for (;;) {
-        uint64_t descriptor;
-        bool nstable;
-
-        descaddr |= (address >> (stride * (4 - level))) & indexmask;
-        descaddr &= ~7ULL;
-        nstable = extract32(tableattrs, 4, 1);
-        if (!nstable) {
-            /*
-             * Stage2_S -> Stage2 or Phys_S -> Phys_NS
-             * Assert that the non-secure idx are even, and relative order.
-             */
-            QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
-            QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
-            QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
-            QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
-            ptw->in_ptw_idx &= ~1;
-            ptw->in_secure = false;
-        }
-        if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
-            goto do_fault;
-        }
-        descriptor = arm_ldq_ptw(env, ptw, fi);
-        if (fi->type != ARMFault_None) {
-            goto do_fault;
-        }
-
-        if (!(descriptor & 1) ||
-            (!(descriptor & 2) && (level == 3))) {
-            /* Invalid, or the Reserved level 3 encoding */
-            goto do_fault;
-        }
-
-        descaddr = descriptor & descaddrmask;
 
+ next_level:
+    descaddr |= (address >> (stride * (4 - level))) & indexmask;
+    descaddr &= ~7ULL;
+    nstable = extract32(tableattrs, 4, 1);
+    if (!nstable) {
         /*
-         * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
-         * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
-         * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
-         * raise AddressSizeFault.
+         * Stage2_S -> Stage2 or Phys_S -> Phys_NS
+         * Assert that the non-secure idx are even, and relative order.
          */
-        if (outputsize > 48) {
-            if (param.ds) {
-                descaddr |= extract64(descriptor, 8, 2) << 50;
-            } else {
-                descaddr |= extract64(descriptor, 12, 4) << 48;
-            }
-        } else if (descaddr >> outputsize) {
-            fault_type = ARMFault_AddressSize;
-            goto do_fault;
-        }
-
-        if ((descriptor & 2) && (level < 3)) {
-            /*
-             * Table entry. The top five bits are attributes which may
-             * propagate down through lower levels of the table (and
-             * which are all arranged so that 0 means "no effect", so
-             * we can gather them up by ORing in the bits at each level).
-             */
-            tableattrs |= extract64(descriptor, 59, 5);
-            level++;
-            indexmask = indexmask_grainsize;
-            continue;
-        }
-        /*
-         * Block entry at level 1 or 2, or page entry at level 3.
-         * These are basically the same thing, although the number
-         * of bits we pull in from the vaddr varies. Note that although
-         * descaddrmask masks enough of the low bits of the descriptor
-         * to give a correct page or table address, the address field
-         * in a block descriptor is smaller; so we need to explicitly
-         * clear the lower bits here before ORing in the low vaddr bits.
-         */
-        page_size = (1ULL << ((stride * (4 - level)) + 3));
-        descaddr &= ~(hwaddr)(page_size - 1);
-        descaddr |= (address & (page_size - 1));
-        /* Extract attributes from the descriptor */
-        attrs = extract64(descriptor, 2, 10)
-            | (extract64(descriptor, 52, 12) << 10);
-
-        if (regime_is_stage2(mmu_idx)) {
-            /* Stage 2 table descriptors do not include any attribute fields */
-            break;
-        }
-        /* Merge in attributes from table descriptors */
-        attrs |= nstable << 3; /* NS */
-        guarded = extract64(descriptor, 50, 1);  /* GP */
-        if (param.hpd) {
-            /* HPD disables all the table attributes except NSTable.  */
-            break;
-        }
-        attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
-        /*
-         * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
-         * means "force PL1 access only", which means forcing AP[1] to 0.
-         */
-        attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
-        attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
-        break;
+        QEMU_BUILD_BUG_ON((ARMMMUIdx_Phys_NS & 1) != 0);
+        QEMU_BUILD_BUG_ON((ARMMMUIdx_Stage2 & 1) != 0);
+        QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_NS + 1 != ARMMMUIdx_Phys_S);
+        QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2 + 1 != ARMMMUIdx_Stage2_S);
+        ptw->in_ptw_idx &= ~1;
+        ptw->in_secure = false;
     }
+    if (!S1_ptw_translate(env, ptw, descaddr, fi)) {
+        goto do_fault;
+    }
+    descriptor = arm_ldq_ptw(env, ptw, fi);
+    if (fi->type != ARMFault_None) {
+        goto do_fault;
+    }
+
+    if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
+        /* Invalid, or the Reserved level 3 encoding */
+        goto do_fault;
+    }
+
+    descaddr = descriptor & descaddrmask;
+
+    /*
+     * For FEAT_LPA and PS=6, bits [51:48] of descaddr are in [15:12]
+     * of descriptor.  For FEAT_LPA2 and effective DS, bits [51:50] of
+     * descaddr are in [9:8].  Otherwise, if descaddr is out of range,
+     * raise AddressSizeFault.
+     */
+    if (outputsize > 48) {
+        if (param.ds) {
+            descaddr |= extract64(descriptor, 8, 2) << 50;
+        } else {
+            descaddr |= extract64(descriptor, 12, 4) << 48;
+        }
+    } else if (descaddr >> outputsize) {
+        fault_type = ARMFault_AddressSize;
+        goto do_fault;
+    }
+
+    if ((descriptor & 2) && (level < 3)) {
+        /*
+         * Table entry. The top five bits are attributes which may
+         * propagate down through lower levels of the table (and
+         * which are all arranged so that 0 means "no effect", so
+         * we can gather them up by ORing in the bits at each level).
+         */
+        tableattrs |= extract64(descriptor, 59, 5);
+        level++;
+        indexmask = indexmask_grainsize;
+        goto next_level;
+    }
+
+    /*
+     * Block entry at level 1 or 2, or page entry at level 3.
+     * These are basically the same thing, although the number
+     * of bits we pull in from the vaddr varies. Note that although
+     * descaddrmask masks enough of the low bits of the descriptor
+     * to give a correct page or table address, the address field
+     * in a block descriptor is smaller; so we need to explicitly
+     * clear the lower bits here before ORing in the low vaddr bits.
+     */
+    page_size = (1ULL << ((stride * (4 - level)) + 3));
+    descaddr &= ~(hwaddr)(page_size - 1);
+    descaddr |= (address & (page_size - 1));
+    /* Extract attributes from the descriptor */
+    attrs = extract64(descriptor, 2, 10)
+        | (extract64(descriptor, 52, 12) << 10);
+
+    if (regime_is_stage2(mmu_idx)) {
+        /* Stage 2 table descriptors do not include any attribute fields */
+        goto skip_attrs;
+    }
+    /* Merge in attributes from table descriptors */
+    attrs |= nstable << 3; /* NS */
+    guarded = extract64(descriptor, 50, 1);  /* GP */
+    if (param.hpd) {
+        /* HPD disables all the table attributes except NSTable.  */
+        goto skip_attrs;
+    }
+    attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
+    /*
+     * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
+     * means "force PL1 access only", which means forcing AP[1] to 0.
+     */
+    attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
+    attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
+ skip_attrs:
+
     /*
      * Here descaddr is the final physical address, and attributes
      * are all in attrs.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Always overriding fi->type was incorrect, as we would not properly
propagate the fault type from S1_ptw_translate, or arm_ldq_ptw.
Simplify things by providing a new label for a translation fault.
For other faults, store into fi directly.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 31 +++++++++++++------------------
 1 file changed, 13 insertions(+), 18 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     ARMCPU *cpu = env_archcpu(env);
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     bool is_secure = ptw->in_secure;
-    /* Read an LPAE long-descriptor translation table. */
-    ARMFaultType fault_type = ARMFault_Translation;
     uint32_t level;
     ARMVAParameters param;
     uint64_t ttbr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          * so our choice is to always raise the fault.
          */
         if (param.tsz_oob) {
-            fault_type = ARMFault_Translation;
-            goto do_fault;
+            goto do_translation_fault;
         }
 
         addrsize = 64 - 8 * param.tbi;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                            addrsize - inputsize);
         if (-top_bits != param.select) {
             /* The gap between the two regions is a Translation fault */
-            fault_type = ARMFault_Translation;
-            goto do_fault;
+            goto do_translation_fault;
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          * Translation table walk disabled => Translation fault on TLB miss
          * Note: This is always 0 on 64-bit EL2 and EL3.
          */
-        goto do_fault;
+        goto do_translation_fault;
     }
 
     if (!regime_is_stage2(mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         if (param.ds && stride == 9 && sl2) {
             if (sl0 != 0) {
                 level = 0;
-                fault_type = ARMFault_Translation;
-                goto do_fault;
+                goto do_translation_fault;
             }
             startlevel = -1;
         } else if (!aarch64 || stride == 9) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         ok = check_s2_mmu_setup(cpu, aarch64, startlevel,
                                 inputsize, stride, outputsize);
         if (!ok) {
-            fault_type = ARMFault_Translation;
-            goto do_fault;
+            goto do_translation_fault;
         }
         level = startlevel;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         descaddr |= extract64(ttbr, 2, 4) << 48;
     } else if (descaddr >> outputsize) {
         level = 0;
-        fault_type = ARMFault_AddressSize;
+        fi->type = ARMFault_AddressSize;
         goto do_fault;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 
     if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
         /* Invalid, or the Reserved level 3 encoding */
-        goto do_fault;
+        goto do_translation_fault;
     }
 
     descaddr = descriptor & descaddrmask;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
             descaddr |= extract64(descriptor, 12, 4) << 48;
         }
     } else if (descaddr >> outputsize) {
-        fault_type = ARMFault_AddressSize;
+        fi->type = ARMFault_AddressSize;
         goto do_fault;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      * Here descaddr is the final physical address, and attributes
      * are all in attrs.
      */
-    fault_type = ARMFault_AccessFlag;
     if ((attrs & (1 << 8)) == 0) {
         /* Access flag */
+        fi->type = ARMFault_AccessFlag;
         goto do_fault;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
     }
 
-    fault_type = ARMFault_Permission;
     if (!(result->f.prot & (1 << access_type))) {
+        fi->type = ARMFault_Permission;
         goto do_fault;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     result->f.lg_page_size = ctz64(page_size);
     return false;
 
-do_fault:
-    fi->type = fault_type;
+ do_translation_fault:
+    fi->type = ARMFault_Translation;
+ do_fault:
     fi->level = level;
     /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
     fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Leave the upper and lower attributes in the place they originate
from in the descriptor.  Shifting them around is confusing, since
one cannot read the bit numbers out of the manual.  Also, new
attributes have been added which would alter the shifts.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20221024051851.3074715-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     hwaddr descaddr, indexmask, indexmask_grainsize;
     uint32_t tableattrs;
     target_ulong page_size;
-    uint32_t attrs;
+    uint64_t attrs;
     int32_t stride;
     int addrsize, inputsize, outputsize;
     uint64_t tcr = regime_tcr(env, mmu_idx);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     descaddr &= ~(hwaddr)(page_size - 1);
     descaddr |= (address & (page_size - 1));
     /* Extract attributes from the descriptor */
-    attrs = extract64(descriptor, 2, 10)
-        | (extract64(descriptor, 52, 12) << 10);
+    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(52, 12));
 
     if (regime_is_stage2(mmu_idx)) {
         /* Stage 2 table descriptors do not include any attribute fields */
         goto skip_attrs;
     }
     /* Merge in attributes from table descriptors */
-    attrs |= nstable << 3; /* NS */
+    attrs |= nstable << 5; /* NS */
     guarded = extract64(descriptor, 50, 1);  /* GP */
     if (param.hpd) {
         /* HPD disables all the table attributes except NSTable.  */
         goto skip_attrs;
     }
-    attrs |= extract32(tableattrs, 0, 2) << 11;     /* XN, PXN */
+    attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
     /*
      * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
      * means "force PL1 access only", which means forcing AP[1] to 0.
      */
-    attrs &= ~(extract32(tableattrs, 2, 1) << 4);   /* !APT[0] => AP[1] */
-    attrs |= extract32(tableattrs, 3, 1) << 5;      /* APT[1] => AP[2] */
+    attrs &= ~(extract64(tableattrs, 2, 1) << 6);   /* !APT[0] => AP[1] */
+    attrs |= extract32(tableattrs, 3, 1) << 7;      /* APT[1] => AP[2] */
  skip_attrs:
 
     /*
      * Here descaddr is the final physical address, and attributes
      * are all in attrs.
      */
-    if ((attrs & (1 << 8)) == 0) {
+    if ((attrs & (1 << 10)) == 0) {
         /* Access flag */
         fi->type = ARMFault_AccessFlag;
         goto do_fault;
     }
 
-    ap = extract32(attrs, 4, 2);
+    ap = extract32(attrs, 6, 2);
 
     if (regime_is_stage2(mmu_idx)) {
         ns = mmu_idx == ARMMMUIdx_Stage2;
-        xn = extract32(attrs, 11, 2);
+        xn = extract64(attrs, 53, 2);
         result->f.prot = get_S2prot(env, ap, xn, s1_is_el0);
     } else {
-        ns = extract32(attrs, 3, 1);
-        xn = extract32(attrs, 12, 1);
-        pxn = extract32(attrs, 11, 1);
+        ns = extract32(attrs, 5, 1);
+        xn = extract64(attrs, 54, 1);
+        pxn = extract64(attrs, 53, 1);
         result->f.prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn);
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 
     if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
-        result->cacheattrs.attrs = extract32(attrs, 0, 4);
+        result->cacheattrs.attrs = extract32(attrs, 2, 4);
     } else {
         /* Index into MAIR registers for cache attributes */
-        uint8_t attrindx = extract32(attrs, 0, 3);
+        uint8_t attrindx = extract32(attrs, 2, 3);
         uint64_t mair = env->cp15.mair_el[regime_el(env, mmu_idx)];
         assert(attrindx <= 7);
         result->cacheattrs.is_s2_format = false;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     if (param.ds) {
         result->cacheattrs.shareability = param.sh;
     } else {
-        result->cacheattrs.shareability = extract32(attrs, 6, 2);
+        result->cacheattrs.shareability = extract32(attrs, 8, 2);
     }
 
     result->f.phys_addr = descaddr;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Both GP and DBM are in the upper attribute block.
Extend the computation of attrs to include them,
then simplify the setting of guarded.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Replace some gotos with some nested if statements.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20221024051851.3074715-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     page_size = (1ULL << ((stride * (4 - level)) + 3));
     descaddr &= ~(hwaddr)(page_size - 1);
     descaddr |= (address & (page_size - 1));
-    /* Extract attributes from the descriptor */
-    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
 
-    if (regime_is_stage2(mmu_idx)) {
-        /* Stage 2 table descriptors do not include any attribute fields */
-        goto skip_attrs;
-    }
-    /* Merge in attributes from table descriptors */
-    attrs |= nstable << 5; /* NS */
-    if (param.hpd) {
-        /* HPD disables all the table attributes except NSTable.  */
-        goto skip_attrs;
-    }
-    attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
     /*
-     * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
-     * means "force PL1 access only", which means forcing AP[1] to 0.
+     * Extract attributes from the descriptor, and apply table descriptors.
+     * Stage 2 table descriptors do not include any attribute fields.
+     * HPD disables all the table attributes except NSTable.
      */
-    attrs &= ~(extract64(tableattrs, 2, 1) << 6);   /* !APT[0] => AP[1] */
-    attrs |= extract32(tableattrs, 3, 1) << 7;      /* APT[1] => AP[2] */
- skip_attrs:
+    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
+    if (!regime_is_stage2(mmu_idx)) {
+        attrs |= nstable << 5; /* NS */
+        if (!param.hpd) {
+            attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
+            /*
+             * The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
+             * means "force PL1 access only", which means forcing AP[1] to 0.
+             */
+            attrs &= ~(extract64(tableattrs, 2, 1) << 6); /* !APT[0] => AP[1] */
+            attrs |= extract32(tableattrs, 3, 1) << 7;    /* APT[1] => AP[2] */
+        }
+    }
 
     /*
      * Here descaddr is the final physical address, and attributes
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Perform the atomic update for hardware management of the access flag.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |   1 +
 target/arm/cpu64.c            |   1 +
 target/arm/ptw.c              | 176 +++++++++++++++++++++++++++++-----
 3 files changed, 156 insertions(+), 22 deletions(-)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_FlagM (Flag manipulation instructions v2)
 - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
 - FEAT_GTG (Guest translation granule size)
+- FEAT_HAFDBS (Hardware management of the access flag and dirty bit state)
 - FEAT_HCX (Support for the HCRX_EL2 register)
 - FEAT_HPDS (Hierarchical permission disables)
 - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     cpu->isar.id_aa64mmfr0 = t;
 
     t = cpu->isar.id_aa64mmfr1;
+    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 1);   /* FEAT_HAFDBS, AF only */
     t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
     t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
     t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
     bool in_secure;
     bool in_debug;
     bool out_secure;
+    bool out_rw;
     bool out_be;
+    hwaddr out_virt;
     hwaddr out_phys;
     void *out_host;
 } S1Translate;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
     uint8_t pte_attrs;
     bool pte_secure;
 
+    ptw->out_virt = addr;
+
     if (unlikely(ptw->in_debug)) {
         /*
          * From gdbstub, do not use softmmu so that we don't modify the
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             pte_secure = is_secure;
         }
         ptw->out_host = NULL;
+        ptw->out_rw = false;
     } else {
         CPUTLBEntryFull *full;
         int flags;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             goto fail;
         }
         ptw->out_phys = full->phys_addr;
+        ptw->out_rw = full->prot & PROT_WRITE;
         pte_attrs = full->pte_attrs;
         pte_secure = full->attrs.secure;
     }
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
+    void *host = ptw->out_host;
     uint32_t data;
 
-    if (likely(ptw->out_host)) {
+    if (likely(host)) {
         /* Page tables are in RAM, and we have the host address. */
+        data = qatomic_read((uint32_t *)host);
         if (ptw->out_be) {
-            data = ldl_be_p(ptw->out_host);
+            data = be32_to_cpu(data);
         } else {
-            data = ldl_le_p(ptw->out_host);
+            data = le32_to_cpu(data);
         }
     } else {
         /* Page tables are in MMIO. */
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
+    void *host = ptw->out_host;
     uint64_t data;
 
-    if (likely(ptw->out_host)) {
+    if (likely(host)) {
         /* Page tables are in RAM, and we have the host address. */
+#ifdef CONFIG_ATOMIC64
+        data = qatomic_read__nocheck((uint64_t *)host);
         if (ptw->out_be) {
-            data = ldq_be_p(ptw->out_host);
+            data = be64_to_cpu(data);
         } else {
-            data = ldq_le_p(ptw->out_host);
+            data = le64_to_cpu(data);
         }
+#else
+        if (ptw->out_be) {
+            data = ldq_be_p(host);
+        } else {
+            data = ldq_le_p(host);
+        }
+#endif
     } else {
         /* Page tables are in MMIO. */
         MemTxAttrs attrs = { .secure = ptw->out_secure };
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
     return data;
 }
 
+static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val,
+                             uint64_t new_val, S1Translate *ptw,
+                             ARMMMUFaultInfo *fi)
+{
+    uint64_t cur_val;
+    void *host = ptw->out_host;
+
+    if (unlikely(!host)) {
+        fi->type = ARMFault_UnsuppAtomicUpdate;
+        fi->s1ptw = true;
+        return 0;
+    }
+
+    /*
+     * Raising a stage2 Protection fault for an atomic update to a read-only
+     * page is delayed until it is certain that there is a change to make.
+     */
+    if (unlikely(!ptw->out_rw)) {
+        int flags;
+        void *discard;
+
+        env->tlb_fi = fi;
+        flags = probe_access_flags(env, ptw->out_virt, MMU_DATA_STORE,
+                                   arm_to_core_mmu_idx(ptw->in_ptw_idx),
+                                   true, &discard, 0);
+        env->tlb_fi = NULL;
+
+        if (unlikely(flags & TLB_INVALID_MASK)) {
+            assert(fi->type != ARMFault_None);
+            fi->s2addr = ptw->out_virt;
+            fi->stage2 = true;
+            fi->s1ptw = true;
+            fi->s1ns = !ptw->in_secure;
+            return 0;
+        }
+
+        /* In case CAS mismatches and we loop, remember writability. */
+        ptw->out_rw = true;
+    }
+
+#ifdef CONFIG_ATOMIC64
+    if (ptw->out_be) {
+        old_val = cpu_to_be64(old_val);
+        new_val = cpu_to_be64(new_val);
+        cur_val = qatomic_cmpxchg__nocheck((uint64_t *)host, old_val, new_val);
+        cur_val = be64_to_cpu(cur_val);
+    } else {
+        old_val = cpu_to_le64(old_val);
+        new_val = cpu_to_le64(new_val);
+        cur_val = qatomic_cmpxchg__nocheck((uint64_t *)host, old_val, new_val);
+        cur_val = le64_to_cpu(cur_val);
+    }
+#else
+    /*
+     * We can't support the full 64-bit atomic cmpxchg on the host.
+     * Because this is only used for FEAT_HAFDBS, which is only for AA64,
+     * we know that TCG_OVERSIZED_GUEST is set, which means that we are
+     * running in round-robin mode and could only race with dma i/o.
+     */
+#ifndef TCG_OVERSIZED_GUEST
+# error "Unexpected configuration"
+#endif
+    bool locked = qemu_mutex_iothread_locked();
+    if (!locked) {
+       qemu_mutex_lock_iothread();
+    }
+    if (ptw->out_be) {
+        cur_val = ldq_be_p(host);
+        if (cur_val == old_val) {
+            stq_be_p(host, new_val);
+        }
+    } else {
+        cur_val = ldq_le_p(host);
+        if (cur_val == old_val) {
+            stq_le_p(host, new_val);
+        }
+    }
+    if (!locked) {
+        qemu_mutex_unlock_iothread();
+    }
+#endif
+
+    return cur_val;
+}
+
 static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
                                      uint32_t *table, uint32_t address)
 {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     uint32_t el = regime_el(env, mmu_idx);
     uint64_t descaddrmask;
     bool aarch64 = arm_el_is_aa64(env, el);
-    uint64_t descriptor;
+    uint64_t descriptor, new_descriptor;
     bool nstable;
 
     /* TODO: This code does not support shareability levels. */
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     if (fi->type != ARMFault_None) {
         goto do_fault;
     }
+    new_descriptor = descriptor;
 
+ restart_atomic_update:
     if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
         /* Invalid, or the Reserved level 3 encoding */
         goto do_translation_fault;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      * to give a correct page or table address, the address field
      * in a block descriptor is smaller; so we need to explicitly
      * clear the lower bits here before ORing in the low vaddr bits.
+     *
+     * Afterward, descaddr is the final physical address.
      */
     page_size = (1ULL << ((stride * (4 - level)) + 3));
     descaddr &= ~(hwaddr)(page_size - 1);
     descaddr |= (address & (page_size - 1));
 
+    if (likely(!ptw->in_debug)) {
+        /*
+         * Access flag.
+         * If HA is enabled, prepare to update the descriptor below.
+         * Otherwise, pass the access fault on to software.
+         */
+        if (!(descriptor & (1 << 10))) {
+            if (param.ha) {
+                new_descriptor |= 1 << 10; /* AF */
+            } else {
+                fi->type = ARMFault_AccessFlag;
+                goto do_fault;
+            }
+        }
+    }
+
     /*
-     * Extract attributes from the descriptor, and apply table descriptors.
-     * Stage 2 table descriptors do not include any attribute fields.
-     * HPD disables all the table attributes except NSTable.
+     * Extract attributes from the (modified) descriptor, and apply
+     * table descriptors. Stage 2 table descriptors do not include
+     * any attribute fields. HPD disables all the table attributes
+     * except NSTable.
      */
-    attrs = descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
+    attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
     if (!regime_is_stage2(mmu_idx)) {
         attrs |= nstable << 5; /* NS */
         if (!param.hpd) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         }
     }
 
-    /*
-     * Here descaddr is the final physical address, and attributes
-     * are all in attrs.
-     */
-    if ((attrs & (1 << 10)) == 0) {
-        /* Access flag */
-        fi->type = ARMFault_AccessFlag;
-        goto do_fault;
-    }
-
     ap = extract32(attrs, 6, 2);
-
     if (regime_is_stage2(mmu_idx)) {
         ns = mmu_idx == ARMMMUIdx_Stage2;
         xn = extract64(attrs, 53, 2);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         goto do_fault;
     }
 
+    /* If FEAT_HAFDBS has made changes, update the PTE. */
+    if (new_descriptor != descriptor) {
+        new_descriptor = arm_casq_ptw(env, descriptor, new_descriptor, ptw, fi);
+        if (fi->type != ARMFault_None) {
+            goto do_fault;
+        }
+        /*
+         * I_YZSVV says that if the in-memory descriptor has changed,
+         * then we must use the information in that new value
+         * (which might include a different output address, different
+         * attributes, or generate a fault).
+         * Restart the handling of the descriptor value from scratch.
+         */
+        if (new_descriptor != descriptor) {
+            descriptor = new_descriptor;
+            goto restart_atomic_update;
+        }
+    }
+
     if (ns) {
         /*
          * The NS bit will (as required by the architecture) have no effect if
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Perform the atomic update for hardware management of the dirty bit.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu64.c |  2 +-
 target/arm/ptw.c   | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     cpu->isar.id_aa64mmfr0 = t;
 
     t = cpu->isar.id_aa64mmfr1;
-    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 1);   /* FEAT_HAFDBS, AF only */
+    t = FIELD_DP64(t, ID_AA64MMFR1, HAFDBS, 2);   /* FEAT_HAFDBS */
     t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
     t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
     t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                 goto do_fault;
             }
         }
+
+        /*
+         * Dirty Bit.
+         * If HD is enabled, pre-emptively set/clear the appropriate AP/S2AP
+         * bit for writeback. The actual write protection test may still be
+         * overridden by tableattrs, to be merged below.
+         */
+        if (param.hd
+            && extract64(descriptor, 51, 1)  /* DBM */
+            && access_type == MMU_DATA_STORE) {
+            if (regime_is_stage2(mmu_idx)) {
+                new_descriptor |= 1ull << 7;    /* set S2AP[1] */
+            } else {
+                new_descriptor &= ~(1ull << 7); /* clear AP[2] */
+            }
+        }
     }
 
     /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We had only been reporting the stage2 page size.  This causes
problems if stage1 is using a larger page size (16k, 2M, etc),
but stage2 is using a smaller page size, because cputlb does
not set large_page_{addr,mask} properly.

Fix by using the max of the two page sizes.

Reported-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221024051851.3074715-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
                                    ARMMMUFaultInfo *fi)
 {
     hwaddr ipa;
-    int s1_prot;
+    int s1_prot, s1_lgpgsz;
     bool is_secure = ptw->in_secure;
     bool ret, ipa_secure, s2walk_secure;
     ARMCacheAttrs cacheattrs1;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      * Save the stage1 results so that we may merge prot and cacheattrs later.
      */
     s1_prot = result->f.prot;
+    s1_lgpgsz = result->f.lg_page_size;
     cacheattrs1 = result->cacheattrs;
     memset(result, 0, sizeof(*result));
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
         return ret;
     }
 
+    /*
+     * Use the maximum of the S1 & S2 page size, so that invalidation
+     * of pages > TARGET_PAGE_SIZE works correctly.
+     */
+    if (result->f.lg_page_size < s1_lgpgsz) {
+        result->f.lg_page_size = s1_lgpgsz;
+    }
+
     /* Combine the S1 and S2 cache attributes. */
     hcr = arm_hcr_el2_eff_secstate(env, is_secure);
     if (hcr & HCR_DC) {
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Snapshot loading only expects to call deterministic handlers, not
non-deterministic ones. So introduce a way of registering handlers that
won't be called when reseting for snapshots.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-2-Jason@zx2c4.com
[PMM: updated json doc comment with Markus' text; fixed
 checkpatch style nit]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 qapi/run-state.json        |  6 +++++-
 include/hw/boards.h        |  2 +-
 include/sysemu/reset.h     |  5 ++++-
 hw/arm/aspeed.c            |  4 ++--
 hw/arm/mps2-tz.c           |  4 ++--
 hw/core/reset.c            | 17 ++++++++++++++++-
 hw/hppa/machine.c          |  4 ++--
 hw/i386/microvm.c          |  4 ++--
 hw/i386/pc.c               |  6 +++---
 hw/ppc/pegasos2.c          |  4 ++--
 hw/ppc/pnv.c               |  4 ++--
 hw/ppc/spapr.c             |  4 ++--
 hw/s390x/s390-virtio-ccw.c |  4 ++--
 migration/savevm.c         |  2 +-
 softmmu/runstate.c         | 11 ++++++++---
 15 files changed, 54 insertions(+), 27 deletions(-)

diff --git a/qapi/run-state.json b/qapi/run-state.json
index XXXXXXX..XXXXXXX 100644
--- a/qapi/run-state.json
+++ b/qapi/run-state.json
@@ -XXX,XX +XXX,XX @@
 #                   ignores --no-reboot. This is useful for sanitizing
 #                   hypercalls on s390 that are used during kexec/kdump/boot
 #
+# @snapshot-load: A snapshot is being loaded by the record & replay
+#                 subsystem. This value is used only within QEMU.  It
+#                 doesn't occur in QMP. (since 7.2)
+#
 ##
 { 'enum': 'ShutdownCause',
   # Beware, shutdown_caused_by_guest() depends on enumeration order
   'data': [ 'none', 'host-error', 'host-qmp-quit', 'host-qmp-system-reset',
             'host-signal', 'host-ui', 'guest-shutdown', 'guest-reset',
-            'guest-panic', 'subsystem-reset'] }
+            'guest-panic', 'subsystem-reset', 'snapshot-load'] }
 
 ##
 # @StatusInfo:
diff --git a/include/hw/boards.h b/include/hw/boards.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -XXX,XX +XXX,XX @@ struct MachineClass {
     const char *deprecation_reason;
 
     void (*init)(MachineState *state);
-    void (*reset)(MachineState *state);
+    void (*reset)(MachineState *state, ShutdownCause reason);
     void (*wakeup)(MachineState *state);
     int (*kvm_type)(MachineState *machine, const char *arg);
 
diff --git a/include/sysemu/reset.h b/include/sysemu/reset.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/reset.h
+++ b/include/sysemu/reset.h
@@ -XXX,XX +XXX,XX @@
 #ifndef QEMU_SYSEMU_RESET_H
 #define QEMU_SYSEMU_RESET_H
 
+#include "qapi/qapi-events-run-state.h"
+
 typedef void QEMUResetHandler(void *opaque);
 
 void qemu_register_reset(QEMUResetHandler *func, void *opaque);
+void qemu_register_reset_nosnapshotload(QEMUResetHandler *func, void *opaque);
 void qemu_unregister_reset(QEMUResetHandler *func, void *opaque);
-void qemu_devices_reset(void);
+void qemu_devices_reset(ShutdownCause reason);
 
 #endif
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_bletchley_class_init(ObjectClass *oc, void *data)
         aspeed_soc_num_cpus(amc->soc_name);
 }
 
-static void fby35_reset(MachineState *state)
+static void fby35_reset(MachineState *state, ShutdownCause reason)
 {
     AspeedMachineState *bmc = ASPEED_MACHINE(state);
     AspeedGPIOState *gpio = &bmc->soc.gpio;
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     /* Board ID: 7 (Class-1, 4 slots) */
     object_property_set_bool(OBJECT(gpio), "gpioV4", true, &error_fatal);
diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mps2-tz.c
+++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@ static void mps2_set_remap(Object *obj, const char *value, Error **errp)
     }
 }
 
-static void mps2_machine_reset(MachineState *machine)
+static void mps2_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     MPS2TZMachineState *mms = MPS2TZ_MACHINE(machine);
 
@@ -XXX,XX +XXX,XX @@ static void mps2_machine_reset(MachineState *machine)
      * reset see the correct mapping.
      */
     remap_memory(mms, mms->remap);
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 }
 
 static void mps2tz_class_init(ObjectClass *oc, void *data)
diff --git a/hw/core/reset.c b/hw/core/reset.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/reset.c
+++ b/hw/core/reset.c
@@ -XXX,XX +XXX,XX @@ typedef struct QEMUResetEntry {
     QTAILQ_ENTRY(QEMUResetEntry) entry;
     QEMUResetHandler *func;
     void *opaque;
+    bool skip_on_snapshot_load;
 } QEMUResetEntry;
 
 static QTAILQ_HEAD(, QEMUResetEntry) reset_handlers =
@@ -XXX,XX +XXX,XX @@ void qemu_register_reset(QEMUResetHandler *func, void *opaque)
     QTAILQ_INSERT_TAIL(&reset_handlers, re, entry);
 }
 
+void qemu_register_reset_nosnapshotload(QEMUResetHandler *func, void *opaque)
+{
+    QEMUResetEntry *re = g_new0(QEMUResetEntry, 1);
+
+    re->func = func;
+    re->opaque = opaque;
+    re->skip_on_snapshot_load = true;
+    QTAILQ_INSERT_TAIL(&reset_handlers, re, entry);
+}
+
 void qemu_unregister_reset(QEMUResetHandler *func, void *opaque)
 {
     QEMUResetEntry *re;
@@ -XXX,XX +XXX,XX @@ void qemu_unregister_reset(QEMUResetHandler *func, void *opaque)
     }
 }
 
-void qemu_devices_reset(void)
+void qemu_devices_reset(ShutdownCause reason)
 {
     QEMUResetEntry *re, *nre;
 
     /* reset all devices */
     QTAILQ_FOREACH_SAFE(re, &reset_handlers, entry, nre) {
+        if (reason == SHUTDOWN_CAUSE_SNAPSHOT_LOAD &&
+            re->skip_on_snapshot_load) {
+            continue;
+        }
         re->func(re->opaque);
     }
 }
diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/hppa/machine.c
+++ b/hw/hppa/machine.c
@@ -XXX,XX +XXX,XX @@ static void machine_hppa_init(MachineState *machine)
     cpu[0]->env.gr[19] = FW_CFG_IO_BASE;
 }
 
-static void hppa_machine_reset(MachineState *ms)
+static void hppa_machine_reset(MachineState *ms, ShutdownCause reason)
 {
     unsigned int smp_cpus = ms->smp.cpus;
     int i;
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     /* Start all CPUs at the firmware entry point.
      *  Monarch CPU will initialize firmware, secondary CPUs
diff --git a/hw/i386/microvm.c b/hw/i386/microvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i386/microvm.c
+++ b/hw/i386/microvm.c
@@ -XXX,XX +XXX,XX @@ static void microvm_machine_state_init(MachineState *machine)
     microvm_devices_init(mms);
 }
 
-static void microvm_machine_reset(MachineState *machine)
+static void microvm_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     MicrovmMachineState *mms = MICROVM_MACHINE(machine);
     CPUState *cs;
@@ -XXX,XX +XXX,XX @@ static void microvm_machine_reset(MachineState *machine)
         mms->kernel_cmdline_fixed = true;
     }
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     CPU_FOREACH(cs) {
         cpu = X86_CPU(cs);
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -XXX,XX +XXX,XX @@ static void pc_machine_initfn(Object *obj)
     cxl_machine_init(obj, &pcms->cxl_devices_state);
 }
 
-static void pc_machine_reset(MachineState *machine)
+static void pc_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     CPUState *cs;
     X86CPU *cpu;
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     /* Reset APIC after devices have been reset to cancel
      * any changes that qemu_devices_reset() might have done.
@@ -XXX,XX +XXX,XX @@ static void pc_machine_reset(MachineState *machine)
 static void pc_machine_wakeup(MachineState *machine)
 {
     cpu_synchronize_all_states();
-    pc_machine_reset(machine);
+    pc_machine_reset(machine, SHUTDOWN_CAUSE_NONE);
     cpu_synchronize_all_post_reset();
 }
 
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -XXX,XX +XXX,XX @@ static void pegasos2_pci_config_write(Pegasos2MachineState *pm, int bus,
     pegasos2_mv_reg_write(pm, pcicfg + 4, len, val);
 }
 
-static void pegasos2_machine_reset(MachineState *machine)
+static void pegasos2_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     Pegasos2MachineState *pm = PEGASOS2_MACHINE(machine);
     void *fdt;
     uint64_t d[2];
     int sz;
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
     if (!pm->vof) {
         return; /* Firmware should set up machine so nothing to do */
     }
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -XXX,XX +XXX,XX @@ static void pnv_powerdown_notify(Notifier *n, void *opaque)
     }
 }
 
-static void pnv_reset(MachineState *machine)
+static void pnv_reset(MachineState *machine, ShutdownCause reason)
 {
     PnvMachineState *pnv = PNV_MACHINE(machine);
     IPMIBmc *bmc;
     void *fdt;
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     /*
      * The machine should provide by default an internal BMC simulator.
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -XXX,XX +XXX,XX @@ void spapr_check_mmu_mode(bool guest_radix)
     }
 }
 
-static void spapr_machine_reset(MachineState *machine)
+static void spapr_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     SpaprMachineState *spapr = SPAPR_MACHINE(machine);
     PowerPCCPU *first_ppc_cpu;
@@ -XXX,XX +XXX,XX @@ static void spapr_machine_reset(MachineState *machine)
         spapr_setup_hpt(spapr);
     }
 
-    qemu_devices_reset();
+    qemu_devices_reset(reason);
 
     spapr_ovec_cleanup(spapr->ov5_cas);
     spapr->ov5_cas = spapr_ovec_new();
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -XXX,XX +XXX,XX @@ static void s390_pv_prepare_reset(S390CcwMachineState *ms)
     s390_pv_prep_reset();
 }
 
-static void s390_machine_reset(MachineState *machine)
+static void s390_machine_reset(MachineState *machine, ShutdownCause reason)
 {
     S390CcwMachineState *ms = S390_CCW_MACHINE(machine);
     enum s390_reset reset_type;
@@ -XXX,XX +XXX,XX @@ static void s390_machine_reset(MachineState *machine)
             s390_machine_unprotect(ms);
         }
 
-        qemu_devices_reset();
+        qemu_devices_reset(reason);
         s390_crypto_reset();
 
         /* configure and start the ipl CPU only */
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ bool load_snapshot(const char *name, const char *vmstate,
         goto err_drain;
     }
 
-    qemu_system_reset(SHUTDOWN_CAUSE_NONE);
+    qemu_system_reset(SHUTDOWN_CAUSE_SNAPSHOT_LOAD);
     mis->from_src_file = f;
 
     if (!yank_register_instance(MIGRATION_YANK_INSTANCE, errp)) {
diff --git a/softmmu/runstate.c b/softmmu/runstate.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/runstate.c
+++ b/softmmu/runstate.c
@@ -XXX,XX +XXX,XX @@ void qemu_system_reset(ShutdownCause reason)
     cpu_synchronize_all_states();
 
     if (mc && mc->reset) {
-        mc->reset(current_machine);
+        mc->reset(current_machine, reason);
     } else {
-        qemu_devices_reset();
+        qemu_devices_reset(reason);
     }
-    if (reason && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
+    switch (reason) {
+    case SHUTDOWN_CAUSE_NONE:
+    case SHUTDOWN_CAUSE_SUBSYSTEM_RESET:
+    case SHUTDOWN_CAUSE_SNAPSHOT_LOAD:
+        break;
+    default:
         qapi_event_send_reset(shutdown_caused_by_guest(reason), reason);
     }
     cpu_synchronize_all_post_reset();
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

When the system reboots, the rng-seed that the FDT has should be
re-randomized, so that the new boot gets a new seed. Several
architectures require this functionality, so export a function for
injecting a new seed into the given FDT.

Cc: Alistair Francis <alistair.francis@wdc.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20221025004327.568476-3-Jason@zx2c4.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/sysemu/device_tree.h |  9 +++++++++
 softmmu/device_tree.c        | 21 +++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/device_tree.h
+++ b/include/sysemu/device_tree.h
@@ -XXX,XX +XXX,XX @@ int qemu_fdt_setprop_sized_cells_from_array(void *fdt,
                                                 qdt_tmp);                 \
     })
 
+
+/**
+ * qemu_fdt_randomize_seeds:
+ * @fdt: device tree blob
+ *
+ * Re-randomize all "rng-seed" properties with new seeds.
+ */
+void qemu_fdt_randomize_seeds(void *fdt);
+
 #define FDT_PCI_RANGE_RELOCATABLE          0x80000000
 #define FDT_PCI_RANGE_PREFETCHABLE         0x40000000
 #define FDT_PCI_RANGE_ALIASED              0x20000000
diff --git a/softmmu/device_tree.c b/softmmu/device_tree.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/device_tree.c
+++ b/softmmu/device_tree.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/option.h"
 #include "qemu/bswap.h"
 #include "qemu/cutils.h"
+#include "qemu/guest-random.h"
 #include "sysemu/device_tree.h"
 #include "hw/loader.h"
 #include "hw/boards.h"
@@ -XXX,XX +XXX,XX @@ void hmp_dumpdtb(Monitor *mon, const QDict *qdict)
 
     info_report("dtb dumped to %s", filename);
 }
+
+void qemu_fdt_randomize_seeds(void *fdt)
+{
+    int noffset, poffset, len;
+    const char *name;
+    uint8_t *data;
+
+    for (noffset = fdt_next_node(fdt, 0, NULL);
+         noffset >= 0;
+         noffset = fdt_next_node(fdt, noffset, NULL)) {
+        for (poffset = fdt_first_property_offset(fdt, noffset);
+             poffset >= 0;
+             poffset = fdt_next_property_offset(fdt, poffset)) {
+            data = (uint8_t *)fdt_getprop_by_offset(fdt, poffset, &name, &len);
+            if (!data || strcmp(name, "rng-seed"))
+                continue;
+            qemu_guest_getrandom_nofail(data, len);
+        }
+    }
+}
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Snapshot loading is supposed to be deterministic, so we shouldn't
re-randomize the various seeds used.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-4-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/i386/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/x86.c b/hw/i386/x86.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i386/x86.c
+++ b/hw/i386/x86.c
@@ -XXX,XX +XXX,XX @@ void x86_load_linux(X86MachineState *x86ms,
         setup_data->type = cpu_to_le32(SETUP_RNG_SEED);
         setup_data->len = cpu_to_le32(RNG_SEED_LENGTH);
         qemu_guest_getrandom_nofail(setup_data->data, RNG_SEED_LENGTH);
-        qemu_register_reset(reset_rng_seed, setup_data);
+        qemu_register_reset_nosnapshotload(reset_rng_seed, setup_data);
         fw_cfg_add_bytes_callback(fw_cfg, FW_CFG_KERNEL_DATA, reset_rng_seed, NULL,
                                   setup_data, kernel, kernel_size, true);
     } else {
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

When the system reboots, the rng-seed that the FDT has should be
re-randomized, so that the new boot gets a new seed. Since the FDT is in
the ROM region at this point, we add a hook right after the ROM has been
added, so that we have a pointer to that copy of the FDT.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-arm@nongnu.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-5-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo,
      * the DTB is copied again upon reset, even if addr points into RAM.
      */
     rom_add_blob_fixed_as("dtb", fdt, size, addr, as);
+    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+                                       rom_ptr_for_as(as, addr, size));
 
     g_free(fdt);
 
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alistair Francis <alistair.francis@wdc.com>
Cc: Bin Meng <bin.meng@windriver.com>
Cc: qemu-riscv@nongnu.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20221025004327.568476-6-Jason@zx2c4.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/riscv/boot.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/riscv/boot.c b/hw/riscv/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/riscv/boot.c
+++ b/hw/riscv/boot.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/device_tree.h"
 #include "sysemu/qtest.h"
 #include "sysemu/kvm.h"
+#include "sysemu/reset.h"
 
 #include <libfdt.h>
 
@@ -XXX,XX +XXX,XX @@ uint64_t riscv_load_fdt(hwaddr dram_base, uint64_t mem_size, void *fdt)
 
     rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
                           &address_space_memory);
+    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+                        rom_ptr_for_as(&address_space_memory, fdt_addr, fdtsize));
 
     return fdt_addr;
 }
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Snapshot loading is supposed to be deterministic, so we shouldn't
re-randomize the various seeds used.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-7-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/m68k/virt.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/hw/m68k/virt.c b/hw/m68k/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/m68k/virt.c
+++ b/hw/m68k/virt.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     M68kCPU *cpu;
     hwaddr initial_pc;
     hwaddr initial_stack;
-    struct bi_record *rng_seed;
 } ResetInfo;
 
 static void main_cpu_reset(void *opaque)
@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
     M68kCPU *cpu = reset_info->cpu;
     CPUState *cs = CPU(cpu);
 
-    if (reset_info->rng_seed) {
-        qemu_guest_getrandom_nofail((void *)reset_info->rng_seed->data + 2,
-            be16_to_cpu(*(uint16_t *)reset_info->rng_seed->data));
-    }
-
     cpu_reset(cs);
     cpu->env.aregs[7] = reset_info->initial_stack;
     cpu->env.pc = reset_info->initial_pc;
 }
 
+static void rerandomize_rng_seed(void *opaque)
+{
+    struct bi_record *rng_seed = opaque;
+    qemu_guest_getrandom_nofail((void *)rng_seed->data + 2,
+                                be16_to_cpu(*(uint16_t *)rng_seed->data));
+}
+
 static void virt_init(MachineState *machine)
 {
     M68kCPU *cpu = NULL;
@@ -XXX,XX +XXX,XX @@ static void virt_init(MachineState *machine)
         BOOTINFO0(param_ptr, BI_LAST);
         rom_add_blob_fixed_as("bootinfo", param_blob, param_ptr - param_blob,
                               parameters_base, cs->as);
-        reset_info->rng_seed = rom_ptr_for_as(cs->as, parameters_base,
-                                              param_ptr - param_blob) +
-                               (param_rng_seed - param_blob);
+        qemu_register_reset_nosnapshotload(rerandomize_rng_seed,
+                            rom_ptr_for_as(cs->as, parameters_base,
+                                           param_ptr - param_blob) +
+                            (param_rng_seed - param_blob));
         g_free(param_blob);
     }
 }
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Snapshot loading is supposed to be deterministic, so we shouldn't
re-randomize the various seeds used.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-8-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/m68k/q800.c | 33 +++++++++++++--------------------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/hw/m68k/q800.c b/hw/m68k/q800.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/m68k/q800.c
+++ b/hw/m68k/q800.c
@@ -XXX,XX +XXX,XX @@ static const TypeInfo glue_info = {
     },
 };
 
-typedef struct {
-    M68kCPU *cpu;
-    struct bi_record *rng_seed;
-} ResetInfo;
-
 static void main_cpu_reset(void *opaque)
 {
-    ResetInfo *reset_info = opaque;
-    M68kCPU *cpu = reset_info->cpu;
+    M68kCPU *cpu = opaque;
     CPUState *cs = CPU(cpu);
 
-    if (reset_info->rng_seed) {
-        qemu_guest_getrandom_nofail((void *)reset_info->rng_seed->data + 2,
-            be16_to_cpu(*(uint16_t *)reset_info->rng_seed->data));
-    }
-
     cpu_reset(cs);
     cpu->env.aregs[7] = ldl_phys(cs->as, 0);
     cpu->env.pc = ldl_phys(cs->as, 4);
 }
 
+static void rerandomize_rng_seed(void *opaque)
+{
+    struct bi_record *rng_seed = opaque;
+    qemu_guest_getrandom_nofail((void *)rng_seed->data + 2,
+                                be16_to_cpu(*(uint16_t *)rng_seed->data));
+}
+
 static uint8_t fake_mac_rom[] = {
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
 
@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
     NubusBus *nubus;
     DeviceState *glue;
     DriveInfo *dinfo;
-    ResetInfo *reset_info;
     uint8_t rng_seed[32];
 
     linux_boot = (kernel_filename != NULL);
@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
         exit(1);
     }
 
-    reset_info = g_new0(ResetInfo, 1);
-
     /* init CPUs */
     cpu = M68K_CPU(cpu_create(machine->cpu_type));
-    reset_info->cpu = cpu;
-    qemu_register_reset(main_cpu_reset, reset_info);
+    qemu_register_reset(main_cpu_reset, cpu);
 
     /* RAM */
     memory_region_add_subregion(get_system_memory(), 0, machine->ram);
@@ -XXX,XX +XXX,XX @@ static void q800_init(MachineState *machine)
         BOOTINFO0(param_ptr, BI_LAST);
         rom_add_blob_fixed_as("bootinfo", param_blob, param_ptr - param_blob,
                               parameters_base, cs->as);
-        reset_info->rng_seed = rom_ptr_for_as(cs->as, parameters_base,
-                                              param_ptr - param_blob) +
-                               (param_rng_seed - param_blob);
+        qemu_register_reset_nosnapshotload(rerandomize_rng_seed,
+                            rom_ptr_for_as(cs->as, parameters_base,
+                                           param_ptr - param_blob) +
+                            (param_rng_seed - param_blob));
         g_free(param_blob);
     } else {
         uint8_t *ptr;
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Cc: Aleksandar Rikalo <aleksandar.rikalo@syrmia.com>
Cc: Paul Burton <paulburton@kernel.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-9-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/mips/boston.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/mips/boston.c b/hw/mips/boston.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/mips/boston.c
+++ b/hw/mips/boston.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "sysemu/qtest.h"
 #include "sysemu/runstate.h"
+#include "sysemu/reset.h"
 
 #include <libfdt.h>
 #include "qom/object.h"
@@ -XXX,XX +XXX,XX @@ static void boston_mach_init(MachineState *machine)
             /* Calculate real fdt size after filter */
             dt_size = fdt_totalsize(dtb_load_data);
             rom_add_blob_fixed("dtb", dtb_load_data, dt_size, dtb_paddr);
+            qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+                                rom_ptr(dtb_paddr, dt_size));
         } else {
             /* Try to load file as FIT */
             fit_err = load_fit(&boston_fit_loader, machine->kernel_filename, s);
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Cc: Stafford Horne <shorne@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-11-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/openrisc/boot.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/openrisc/boot.c b/hw/openrisc/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/boot.c
+++ b/hw/openrisc/boot.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/openrisc/boot.h"
 #include "sysemu/device_tree.h"
 #include "sysemu/qtest.h"
+#include "sysemu/reset.h"
 
 #include <libfdt.h>
 
@@ -XXX,XX +XXX,XX @@ uint32_t openrisc_load_fdt(void *fdt, hwaddr load_start,
 
     rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
                           &address_space_memory);
+    qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+                        rom_ptr_for_as(&address_space_memory, fdt_addr, fdtsize));
 
     return fdt_addr;
 }
-- 
2.25.1

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Message-id: 20221025004327.568476-12-Jason@zx2c4.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/rx/rx-gdbsim.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/rx/rx-gdbsim.c b/hw/rx/rx-gdbsim.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/rx/rx-gdbsim.c
+++ b/hw/rx/rx-gdbsim.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/rx/rx62n.h"
 #include "sysemu/qtest.h"
 #include "sysemu/device_tree.h"
+#include "sysemu/reset.h"
 #include "hw/boards.h"
 #include "qom/object.h"
 
@@ -XXX,XX +XXX,XX @@ static void rx_gdbsim_init(MachineState *machine)
             dtb_offset = ROUND_DOWN(machine->ram_size - dtb_size, 16);
             rom_add_blob_fixed("dtb", dtb, dtb_size,
                                SDRAM_BASE + dtb_offset);
+            qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+                                rom_ptr(SDRAM_BASE + dtb_offset, dtb_size));
             /* Set dtb address to R1 */
             RX_CPU(first_cpu)->env.regs[1] = SDRAM_BASE + dtb_offset;
         }
-- 
2.25.1

Hi; here's a relatively small target-arm queue, pretty much all
bug fixes. (There are a few non-arm patches that I've thrown in
there too for my convenience :-))

thanks
-- PMM

The following changes since commit 278238505d28d292927bff7683f39fb4fbca7fd1:

Merge tag 'pull-tcg-20230511-2' of https://gitlab.com/rth7680/qemu into staging (2023-05-11 11:44:23 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230512

for you to fetch changes up to 478dccbb99db0bf8f00537dd0b4d0de88d5cb537:

target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check (2023-05-12 16:01:25 +0100)

----------------------------------------------------------------
target-arm queue:
 * More refactoring of files into tcg/
 * Don't allow stage 2 page table walks to downgrade to NS
 * Fix handling of SW and NSW bits for stage 2 walks
 * MAINTAINERS: Update Akihiko Odaki's email address
 * ui: Fix pixel colour channel order for PNG screenshots
 * docs: Remove unused weirdly-named cross-reference targets
 * hw/mips/malta: Fix minor dead code issue
 * Fixes for the "allow CONFIG_TCG=n" changes
 * tests/qtest: Don't run cdrom boot tests if no accelerator is present
 * target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check

----------------------------------------------------------------
Akihiko Odaki (1):
      MAINTAINERS: Update Akihiko Odaki's email address

Fabiano Rosas (3):
      target/arm: Select SEMIHOSTING when using TCG
      target/arm: Select CONFIG_ARM_V7M when TCG is enabled
      tests/qtest: Don't run cdrom boot tests if no accelerator is present

Peter Maydell (6):
      target/arm: Don't allow stage 2 page table walks to downgrade to NS
      target/arm: Fix handling of SW and NSW bits for stage 2 walks
      ui: Fix pixel colour channel order for PNG screenshots
      docs: Remove unused weirdly-named cross-reference targets
      hw/mips/malta: Fix minor dead code issue
      target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check

Richard Henderson (2):
      target/arm: Move translate-a32.h, arm_ldst.h, sve_ldst_internal.h to tcg/
      target/arm: Move helper-{a64,mve,sme,sve}.h to tcg/

MAINTAINERS                              |  4 +-
 docs/system/devices/igb.rst              |  2 +-
 docs/system/devices/ivshmem.rst          |  2 -
 docs/system/devices/net.rst              |  2 +-
 docs/system/devices/usb.rst              |  2 -
 docs/system/keys.rst                     |  2 +-
 docs/system/linuxboot.rst                |  2 +-
 docs/system/target-i386.rst              |  4 --
 target/arm/helper.h                      |  8 +--
 target/arm/internals.h                   | 12 +++-
 target/arm/{ => tcg}/arm_ldst.h          |  0
 target/arm/{ => tcg}/helper-a64.h        |  0
 target/arm/{ => tcg}/helper-mve.h        |  0
 target/arm/{ => tcg}/helper-sme.h        |  0
 target/arm/{ => tcg}/helper-sve.h        |  0
 target/arm/{ => tcg}/sve_ldst_internal.h |  0
 target/arm/{ => tcg}/translate-a32.h     |  0
 hw/mips/malta.c                          |  5 +-
 target/arm/gdbstub64.c                   |  2 +-
 target/arm/helper.c                      | 15 ++++-
 target/arm/ptw.c                         | 95 +++++++++++++++++++-------------
 target/arm/tcg/pauth_helper.c            |  6 +-
 tests/qtest/cdrom-test.c                 | 10 ++++
 ui/console.c                             |  4 +-
 target/arm/Kconfig                       |  9 +--
 25 files changed, 109 insertions(+), 77 deletions(-)
 rename target/arm/{ => tcg}/arm_ldst.h (100%)
 rename target/arm/{ => tcg}/helper-a64.h (100%)
 rename target/arm/{ => tcg}/helper-mve.h (100%)
 rename target/arm/{ => tcg}/helper-sme.h (100%)
 rename target/arm/{ => tcg}/helper-sve.h (100%)
 rename target/arm/{ => tcg}/sve_ldst_internal.h (100%)
 rename target/arm/{ => tcg}/translate-a32.h (100%)

From: Richard Henderson <richard.henderson@linaro.org>

These files got missed when populating tcg/.
Because they are included with "", no change to the users required.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230504110412.1892411-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/{ => tcg}/arm_ldst.h          | 0
 target/arm/{ => tcg}/sve_ldst_internal.h | 0
 target/arm/{ => tcg}/translate-a32.h     | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename target/arm/{ => tcg}/arm_ldst.h (100%)
 rename target/arm/{ => tcg}/sve_ldst_internal.h (100%)
 rename target/arm/{ => tcg}/translate-a32.h (100%)

diff --git a/target/arm/arm_ldst.h b/target/arm/tcg/arm_ldst.h
similarity index 100%
rename from target/arm/arm_ldst.h
rename to target/arm/tcg/arm_ldst.h
diff --git a/target/arm/sve_ldst_internal.h b/target/arm/tcg/sve_ldst_internal.h
similarity index 100%
rename from target/arm/sve_ldst_internal.h
rename to target/arm/tcg/sve_ldst_internal.h
diff --git a/target/arm/translate-a32.h b/target/arm/tcg/translate-a32.h
similarity index 100%
rename from target/arm/translate-a32.h
rename to target/arm/tcg/translate-a32.h
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

While we cannot move the main "helper.h" out of target/arm/,
due to usage by generic code, we can move the sub-includes.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Message-id: 20230504110412.1892411-3-richard.henderson@linaro.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h               | 8 ++++----
 target/arm/{ => tcg}/helper-a64.h | 0
 target/arm/{ => tcg}/helper-mve.h | 0
 target/arm/{ => tcg}/helper-sme.h | 0
 target/arm/{ => tcg}/helper-sve.h | 0
 5 files changed, 4 insertions(+), 4 deletions(-)
 rename target/arm/{ => tcg}/helper-a64.h (100%)
 rename target/arm/{ => tcg}/helper-mve.h (100%)
 rename target/arm/{ => tcg}/helper-sme.h (100%)
 rename target/arm/{ => tcg}/helper-sve.h (100%)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, i32)
 
 #ifdef TARGET_AARCH64
-#include "helper-a64.h"
-#include "helper-sve.h"
-#include "helper-sme.h"
+#include "tcg/helper-a64.h"
+#include "tcg/helper-sve.h"
+#include "tcg/helper-sme.h"
 #endif
 
-#include "helper-mve.h"
+#include "tcg/helper-mve.h"
diff --git a/target/arm/helper-a64.h b/target/arm/tcg/helper-a64.h
similarity index 100%
rename from target/arm/helper-a64.h
rename to target/arm/tcg/helper-a64.h
diff --git a/target/arm/helper-mve.h b/target/arm/tcg/helper-mve.h
similarity index 100%
rename from target/arm/helper-mve.h
rename to target/arm/tcg/helper-mve.h
diff --git a/target/arm/helper-sme.h b/target/arm/tcg/helper-sme.h
similarity index 100%
rename from target/arm/helper-sme.h
rename to target/arm/tcg/helper-sme.h
diff --git a/target/arm/helper-sve.h b/target/arm/tcg/helper-sve.h
similarity index 100%
rename from target/arm/helper-sve.h
rename to target/arm/tcg/helper-sve.h
-- 
2.34.1

Bit 63 in a Table descriptor is only the NSTable bit for stage 1
translations; in stage 2 it is RES0.  We were incorrectly looking at
it all the time.

This causes problems if:
 * the stage 2 table descriptor was incorrectly setting the RES0 bit
 * we are doing a stage 2 translation in Secure address space for
   a NonSecure stage 1 regime -- in this case we would incorrectly
   do an immediate downgrade to NonSecure

A bug elsewhere in the code currently prevents us from getting
to the second situation, but when we fix that it will be possible.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230504135425.2748672-2-peter.maydell@linaro.org
---
 target/arm/ptw.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     descaddrmask &= ~indexmask_grainsize;
 
     /*
-     * Secure accesses start with the page table in secure memory and
+     * Secure stage 1 accesses start with the page table in secure memory and
      * can be downgraded to non-secure at any step. Non-secure accesses
      * remain non-secure. We implement this by just ORing in the NSTable/NS
      * bits at each step.
+     * Stage 2 never gets this kind of downgrade.
      */
     tableattrs = is_secure ? 0 : (1 << 4);
 
  next_level:
     descaddr |= (address >> (stride * (4 - level))) & indexmask;
     descaddr &= ~7ULL;
-    nstable = extract32(tableattrs, 4, 1);
+    nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
     if (nstable) {
         /*
          * Stage2_S -> Stage2 or Phys_S -> Phys_NS
-- 
2.34.1

We currently don't correctly handle the VSTCR_EL2.SW and VTCR_EL2.NSW
configuration bits.  These allow configuration of whether the stage 2
page table walks for Secure IPA and NonSecure IPA should do their
descriptor reads from Secure or NonSecure physical addresses. (This
is separate from how the translation table base address and other
parameters are set: an NS IPA always uses VTTBR_EL2 and VTCR_EL2
for its base address and walk parameters, regardless of the NSW bit,
and similarly for Secure.)

Provide a new function ptw_idx_for_stage_2() which returns the
MMU index to use for descriptor reads, and use it to set up
the .in_ptw_idx wherever we call get_phys_addr_lpae().

For a stage 2 walk, wherever we call get_phys_addr_lpae():
 * .in_ptw_idx should be ptw_idx_for_stage_2() of the .in_mmu_idx
 * .in_secure should be true if .in_mmu_idx is Stage2_S

This allows us to correct S1_ptw_translate() so that it consistently
always sets its (out_secure, out_phys) to the result it gets from the
S2 walk (either by calling get_phys_addr_lpae() or by TLB lookup).
This makes better conceptual sense because the S2 walk should return
us an (address space, address) tuple, not an address that we then
randomly assign to S or NS.

Our previous handling of SW and NSW was broken, so guest code
trying to use these bits to put the s2 page tables in the "other"
address space wouldn't work correctly.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1600
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230504135425.2748672-3-peter.maydell@linaro.org
---
 target/arm/ptw.c | 76 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 51 insertions(+), 25 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
     return stage_1_mmu_idx(arm_mmu_idx(env));
 }
 
+/*
+ * Return where we should do ptw loads from for a stage 2 walk.
+ * This depends on whether the address we are looking up is a
+ * Secure IPA or a NonSecure IPA, which we know from whether this is
+ * Stage2 or Stage2_S.
+ * If this is the Secure EL1&0 regime we need to check the NSW and SW bits.
+ */
+static ARMMMUIdx ptw_idx_for_stage_2(CPUARMState *env, ARMMMUIdx stage2idx)
+{
+    bool s2walk_secure;
+
+    /*
+     * We're OK to check the current state of the CPU here because
+     * (1) we always invalidate all TLBs when the SCR_EL3.NS bit changes
+     * (2) there's no way to do a lookup that cares about Stage 2 for a
+     * different security state to the current one for AArch64, and AArch32
+     * never has a secure EL2. (AArch32 ATS12NSO[UP][RW] allow EL3 to do
+     * an NS stage 1+2 lookup while the NS bit is 0.)
+     */
+    if (!arm_is_secure_below_el3(env) || !arm_el_is_aa64(env, 3)) {
+        return ARMMMUIdx_Phys_NS;
+    }
+    if (stage2idx == ARMMMUIdx_Stage2_S) {
+        s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
+    } else {
+        s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
+    }
+    return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+
+}
+
 static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
     return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
     uint8_t pte_attrs;
-    bool pte_secure;
 
     ptw->out_virt = addr;
 
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         if (regime_is_stage2(s2_mmu_idx)) {
             S1Translate s2ptw = {
                 .in_mmu_idx = s2_mmu_idx,
-                .in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS,
-                .in_secure = is_secure,
+                .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
+                .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
                 .in_debug = true,
             };
             GetPhysAddrResult s2 = { };
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             }
             ptw->out_phys = s2.f.phys_addr;
             pte_attrs = s2.cacheattrs.attrs;
-            pte_secure = s2.f.attrs.secure;
+            ptw->out_secure = s2.f.attrs.secure;
         } else {
             /* Regime is physical. */
             ptw->out_phys = addr;
             pte_attrs = 0;
-            pte_secure = is_secure;
+            ptw->out_secure = s2_mmu_idx == ARMMMUIdx_Phys_S;
         }
         ptw->out_host = NULL;
         ptw->out_rw = false;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         ptw->out_phys = full->phys_addr | (addr & ~TARGET_PAGE_MASK);
         ptw->out_rw = full->prot & PAGE_WRITE;
         pte_attrs = full->pte_attrs;
-        pte_secure = full->attrs.secure;
+        ptw->out_secure = full->attrs.secure;
 #else
         g_assert_not_reached();
 #endif
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         }
     }
 
-    /* Check if page table walk is to secure or non-secure PA space. */
-    ptw->out_secure = (is_secure
-                       && !(pte_secure
-                            ? env->cp15.vstcr_el2 & VSTCR_SW
-                            : env->cp15.vtcr_el2 & VTCR_NSW));
     ptw->out_be = regime_translation_big_endian(env, mmu_idx);
     return true;
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     hwaddr ipa;
     int s1_prot, s1_lgpgsz;
     bool is_secure = ptw->in_secure;
-    bool ret, ipa_secure, s2walk_secure;
+    bool ret, ipa_secure;
     ARMCacheAttrs cacheattrs1;
     bool is_el0;
     uint64_t hcr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 
     ipa = result->f.phys_addr;
     ipa_secure = result->f.attrs.secure;
-    if (is_secure) {
-        /* Select TCR based on the NS bit from the S1 walk. */
-        s2walk_secure = !(ipa_secure
-                          ? env->cp15.vstcr_el2 & VSTCR_SW
-                          : env->cp15.vtcr_el2 & VTCR_NSW);
-    } else {
-        assert(!ipa_secure);
-        s2walk_secure = false;
-    }
 
     is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
-    ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-    ptw->in_ptw_idx = s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-    ptw->in_secure = s2walk_secure;
+    ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+    ptw->in_secure = ipa_secure;
+    ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx);
 
     /*
      * S1 is done, now do S2 translation.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
         ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
         break;
 
+    case ARMMMUIdx_Stage2:
+    case ARMMMUIdx_Stage2_S:
+        /*
+         * Second stage lookup uses physical for ptw; whether this is S or
+         * NS may depend on the SW/NSW bits if this is a stage 2 lookup for
+         * the Secure EL2&0 regime.
+         */
+        ptw->in_ptw_idx = ptw_idx_for_stage_2(env, mmu_idx);
+        break;
+
     case ARMMMUIdx_E10_0:
         s1_mmu_idx = ARMMMUIdx_Stage1_E0;
         goto do_twostage;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
         /* fall through */
 
     default:
-        /* Single stage and second stage uses physical for ptw. */
+        /* Single stage uses physical for ptw. */
         ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
         break;
     }
-- 
2.34.1

From: Akihiko Odaki <akihiko.odaki@gmail.com>

I am now employed by Daynix. Although my role as a reviewer of
macOS-related change is not very relevant to the employment, I decided
to use the company email address to avoid confusions from different
addresses.

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20230506072333.32510-1-akihiko.odaki@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 MAINTAINERS | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ Core Audio framework backend
 M: Gerd Hoffmann <kraxel@redhat.com>
 M: Philippe Mathieu-Daudé <philmd@linaro.org>
 R: Christian Schoenebeck <qemu_oss@crudebyte.com>
-R: Akihiko Odaki <akihiko.odaki@gmail.com>
+R: Akihiko Odaki <akihiko.odaki@daynix.com>
 S: Odd Fixes
 F: audio/coreaudio.c
 
@@ -XXX,XX +XXX,XX @@ F: docs/devel/ui.rst
 Cocoa graphics
 M: Peter Maydell <peter.maydell@linaro.org>
 M: Philippe Mathieu-Daudé <philmd@linaro.org>
-R: Akihiko Odaki <akihiko.odaki@gmail.com>
+R: Akihiko Odaki <akihiko.odaki@daynix.com>
 S: Odd Fixes
 F: ui/cocoa.m
 
-- 
2.34.1

When we take a PNG screenshot the ordering of the colour channels in
the data is not correct, resulting in the image having weird
colouring compared to the actual display.  (Specifically, on a
little-endian host the blue and red channels are swapped; on
big-endian everything is wrong.)

This happens because the pixman idea of the pixel data and the libpng
idea differ.  PIXMAN_a8r8g8b8 defines that pixels are 32-bit values,
with A in bits 24-31, R in bits 16-23, G in bits 8-15 and B in bits
0-7.  This means that on little-endian systems the bytes in memory
are
   B G R A
and on big-endian systems they are
   A R G B

libpng, on the other hand, thinks of pixels as being a series of
values for each channel, so its format PNG_COLOR_TYPE_RGB_ALPHA
always wants bytes in the order
   R G B A

This isn't the same as the pixman order for either big or little
endian hosts.

The alpha channel is also unnecessary bulk in the output PNG file,
because there is no alpha information in a screenshot.

To handle the endianness issue, we already define in ui/qemu-pixman.h
various PIXMAN_BE_* and PIXMAN_LE_* values that give consistent
byte-order pixel channel formats.  So we can use PIXMAN_BE_r8g8b8 and
PNG_COLOR_TYPE_RGB, which both have an in-memory byte order of
    R G B
and 3 bytes per pixel.

(PPM format screenshots get this right; they already use the
PIXMAN_BE_r8g8b8 format.)

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1622
Fixes: 9a0a119a382867 ("Added parameter to take screenshot with screendump as PNG")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20230502135548.2451309-1-peter.maydell@linaro.org
---
 ui/console.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ui/console.c b/ui/console.c
index XXXXXXX..XXXXXXX 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -XXX,XX +XXX,XX @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
     png_struct *png_ptr;
     png_info *info_ptr;
     g_autoptr(pixman_image_t) linebuf =
-                            qemu_pixman_linebuf_create(PIXMAN_a8r8g8b8, width);
+        qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, width);
     uint8_t *buf = (uint8_t *)pixman_image_get_data(linebuf);
     FILE *f = fdopen(fd, "wb");
     int y;
@@ -XXX,XX +XXX,XX @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
     png_init_io(png_ptr, f);
 
     png_set_IHDR(png_ptr, info_ptr, width, height, 8,
-                 PNG_COLOR_TYPE_RGB_ALPHA, PNG_INTERLACE_NONE,
+                 PNG_COLOR_TYPE_RGB, PNG_INTERLACE_NONE,
                  PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
 
     png_write_info(png_ptr, info_ptr);
-- 
2.34.1

In the doc sources, we have a few cross-reference targets with odd
names "pcsys_005fxyz".  These are the legacy of the semi-automated
conversion of the old info docs to rST (the '005f' is because ASCII
0x5f is '_' and the old info link names had underscores in them).

Remove the targets which nothing links to, and rename the two targets
which are used to something a bit more descriptive.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230421163642.1151904-1-peter.maydell@linaro.org
Reviewed-by: Markus Armbruster <armbru@redhat.com>
---
 docs/system/devices/igb.rst     | 2 +-
 docs/system/devices/ivshmem.rst | 2 --
 docs/system/devices/net.rst     | 2 +-
 docs/system/devices/usb.rst     | 2 --
 docs/system/keys.rst            | 2 +-
 docs/system/linuxboot.rst       | 2 +-
 docs/system/target-i386.rst     | 4 ----
 7 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/docs/system/devices/igb.rst b/docs/system/devices/igb.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/igb.rst
+++ b/docs/system/devices/igb.rst
@@ -XXX,XX +XXX,XX @@ Using igb
 =========
 
 Using igb should be nothing different from using another network device. See
-:ref:`pcsys_005fnetwork` in general.
+:ref:`Network_emulation` in general.
 
 However, you may also need to perform additional steps to activate SR-IOV
 feature on your guest. For Linux, refer to [4]_.
diff --git a/docs/system/devices/ivshmem.rst b/docs/system/devices/ivshmem.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/ivshmem.rst
+++ b/docs/system/devices/ivshmem.rst
@@ -XXX,XX +XXX,XX @@
-.. _pcsys_005fivshmem:
-
 Inter-VM Shared Memory device
 -----------------------------
 
diff --git a/docs/system/devices/net.rst b/docs/system/devices/net.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/net.rst
+++ b/docs/system/devices/net.rst
@@ -XXX,XX +XXX,XX @@
-.. _pcsys_005fnetwork:
+.. _Network_Emulation:
 
 Network emulation
 -----------------
diff --git a/docs/system/devices/usb.rst b/docs/system/devices/usb.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/devices/usb.rst
+++ b/docs/system/devices/usb.rst
@@ -XXX,XX +XXX,XX @@
-.. _pcsys_005fusb:
-
 USB emulation
 -------------
 
diff --git a/docs/system/keys.rst b/docs/system/keys.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/keys.rst
+++ b/docs/system/keys.rst
@@ -XXX,XX +XXX,XX @@
-.. _pcsys_005fkeys:
+.. _GUI_keys:
 
 Keys in the graphical frontends
 -------------------------------
diff --git a/docs/system/linuxboot.rst b/docs/system/linuxboot.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/linuxboot.rst
+++ b/docs/system/linuxboot.rst
@@ -XXX,XX +XXX,XX @@ virtual serial port and the QEMU monitor to the console with the
                     -append "root=/dev/hda console=ttyS0" -nographic
 
 Use Ctrl-a c to switch between the serial console and the monitor (see
-:ref:`pcsys_005fkeys`).
+:ref:`GUI_keys`).
diff --git a/docs/system/target-i386.rst b/docs/system/target-i386.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/target-i386.rst
+++ b/docs/system/target-i386.rst
@@ -XXX,XX +XXX,XX @@
 x86 System emulator
 -------------------
 
-.. _pcsys_005fdevices:
-
 Board-specific documentation
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -XXX,XX +XXX,XX @@ Architectural features
    i386/sgx
    i386/amd-memory-encryption
 
-.. _pcsys_005freq:
-
 OS requirements
 ~~~~~~~~~~~~~~~
 
-- 
2.34.1

Coverity points out (in CID 1508390) that write_bootloader has
some dead code, where we assign to 'p' and then in the following
line assign to it again. This happened as a result of the
refactoring in commit cd5066f8618b.

Fix the dead code by removing the 'void *v' variable entirely and
instead adding a cast when calling bl_setup_gt64120_jump_kernel(), as
we do at its other callsite in write_bootloader_nanomips().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/mips/malta.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/hw/mips/malta.c b/hw/mips/malta.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/mips/malta.c
+++ b/hw/mips/malta.c
@@ -XXX,XX +XXX,XX @@ static void write_bootloader(uint8_t *base, uint64_t run_addr,
                              uint64_t kernel_entry)
 {
     uint32_t *p;
-    void *v;
 
     /* Small bootloader */
     p = (uint32_t *)base;
@@ -XXX,XX +XXX,XX @@ static void write_bootloader(uint8_t *base, uint64_t run_addr,
      *
      */
 
-    v = p;
-    bl_setup_gt64120_jump_kernel(&v, run_addr, kernel_entry);
-    p = v;
+    bl_setup_gt64120_jump_kernel((void **)&p, run_addr, kernel_entry);
 
     /* YAMON subroutines */
     p = (uint32_t *) (base + 0x800);
-- 
2.34.1

From: Fabiano Rosas <farosas@suse.de>

Semihosting has been made a 'default y' entry in Kconfig, which does
not work because when building --without-default-devices, the
semihosting code would not be available.

Make semihosting unconditional when TCG is present.

Fixes: 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a KVM-only build")
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230508181611.2621-2-farosas@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Kconfig | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/target/arm/Kconfig b/target/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Kconfig
+++ b/target/arm/Kconfig
@@ -XXX,XX +XXX,XX @@
 config ARM
     bool
+    select ARM_COMPATIBLE_SEMIHOSTING if TCG
 
 config AARCH64
     bool
     select ARM
-
-# This config exists just so we can make SEMIHOSTING default when TCG
-# is selected without also changing it for other architectures.
-config ARM_SEMIHOSTING
-    bool
-    default y if TCG && ARM
-    select ARM_COMPATIBLE_SEMIHOSTING
-- 
2.34.1

From: Fabiano Rosas <farosas@suse.de>

We cannot allow this config to be disabled at the moment as not all of
the relevant code is protected by it.

Commit 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a
KVM-only build") moved the CONFIGs of several boards to Kconfig, so it
is now possible that nothing selects ARM_V7M (e.g. when doing a
--without-default-devices build).

Return the CONFIG_ARM_V7M entry to a state where it is always selected
whenever TCG is available.

Fixes: 29d9efca16 ("arm/Kconfig: Do not build TCG-only boards on a KVM-only build")
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230508181611.2621-3-farosas@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

From: Fabiano Rosas <farosas@suse.de>

On a build configured with: --disable-tcg --enable-xen it is possible
to produce a QEMU binary with no TCG nor KVM support. Skip the cdrom
boot tests if that's the case.

Fixes: 0c1ae3ff9d ("tests/qtest: Fix tests when no KVM or TCG are present")
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20230508181611.2621-4-farosas@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/cdrom-test.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/qtest/cdrom-test.c b/tests/qtest/cdrom-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/cdrom-test.c
+++ b/tests/qtest/cdrom-test.c
@@ -XXX,XX +XXX,XX @@ static void test_cdboot(gconstpointer data)
 
 static void add_x86_tests(void)
 {
+    if (!qtest_has_accel("tcg") && !qtest_has_accel("kvm")) {
+        g_test_skip("No KVM or TCG accelerator available, skipping boot tests");
+        return;
+    }
+
     qtest_add_data_func("cdrom/boot/default", "-cdrom ", test_cdboot);
     qtest_add_data_func("cdrom/boot/virtio-scsi",
                         "-device virtio-scsi -device scsi-cd,drive=cdr "
@@ -XXX,XX +XXX,XX @@ static void add_x86_tests(void)
 
 static void add_s390x_tests(void)
 {
+    if (!qtest_has_accel("tcg") && !qtest_has_accel("kvm")) {
+        g_test_skip("No KVM or TCG accelerator available, skipping boot tests");
+        return;
+    }
+
     qtest_add_data_func("cdrom/boot/default", "-cdrom ", test_cdboot);
     qtest_add_data_func("cdrom/boot/virtio-scsi",
                         "-device virtio-scsi -device scsi-cd,drive=cdr "
-- 
2.34.1

In check_s2_mmu_setup() we have a check that is attempting to
implement the part of AArch64.S2MinTxSZ that is specific to when EL1
is AArch32:

if !s1aarch64 then
        // EL1 is AArch32
        min_txsz = Min(min_txsz, 24);

Unfortunately we got this wrong in two ways:

(1) The minimum txsz corresponds to a maximum inputsize, but we got
the sense of the comparison wrong and were faulting for all
inputsizes less than 40 bits

(2) We try to implement this as an extra check that happens after
we've done the same txsz checks we would do for an AArch64 EL1, but
in fact the pseudocode is *loosening* the requirements, so that txsz
values that would fault for an AArch64 EL1 do not fault for AArch32
EL1, because it does Min(old_min, 24), not Max(old_min, 24).

You can see this also in the text of the Arm ARM in table D8-8, which
shows that where the implemented PA size is less than 40 bits an
AArch32 EL1 is still OK with a configured stage2 T0SZ for a 40 bit
IPA, whereas if EL1 is AArch64 then the T0SZ must be big enough to
constrain the IPA to the implemented PA size.

Because of part (2), we can't do this as a separate check, but
have to integrate it into aa64_va_parameters(). Add a new argument
to that function to indicate that EL1 is 32-bit. All the existing
callsites except the one in get_phys_addr_lpae() can pass 'false',
because they are either doing a lookup for a stage 1 regime or
else they don't care about the tsz/tsz_oob fields.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1627
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230509092059.3176487-1-peter.maydell@linaro.org
---
 target/arm/internals.h        | 12 +++++++++++-
 target/arm/gdbstub64.c        |  2 +-
 target/arm/helper.c           | 15 +++++++++++++--
 target/arm/ptw.c              | 14 ++------------
 target/arm/tcg/pauth_helper.c |  6 +++---
 5 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMVAParameters {
     ARMGranuleSize gran : 2;
 } ARMVAParameters;
 
+/**
+ * aa64_va_parameters: Return parameters for an AArch64 virtual address
+ * @env: CPU
+ * @va: virtual address to look up
+ * @mmu_idx: determines translation regime to use
+ * @data: true if this is a data access
+ * @el1_is_aa32: true if we are asking about stage 2 when EL1 is AArch32
+ *  (ignored if @mmu_idx is for a stage 1 regime; only affects tsz/tsz_oob)
+ */
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-                                   ARMMMUIdx mmu_idx, bool data);
+                                   ARMMMUIdx mmu_idx, bool data,
+                                   bool el1_is_aa32);
 
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx);
 int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx);
diff --git a/target/arm/gdbstub64.c b/target/arm/gdbstub64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub64.c
+++ b/target/arm/gdbstub64.c
@@ -XXX,XX +XXX,XX @@ int aarch64_gdb_get_pauth_reg(CPUARMState *env, GByteArray *buf, int reg)
             ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
             ARMVAParameters param;
 
-            param = aa64_va_parameters(env, -is_high, mmu_idx, is_data);
+            param = aa64_va_parameters(env, -is_high, mmu_idx, is_data, false);
             return gdb_get_reg64(buf, pauth_ptr_mask(param));
         }
     default:
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static TLBIRange tlbi_aa64_get_range(CPUARMState *env, ARMMMUIdx mmuidx,
     unsigned int page_size_granule, page_shift, num, scale, exponent;
     /* Extract one bit to represent the va selector in use. */
     uint64_t select = sextract64(value, 36, 1);
-    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true);
+    ARMVAParameters param = aa64_va_parameters(env, select, mmuidx, true, false);
     TLBIRange ret = { };
     ARMGranuleSize gran;
 
@@ -XXX,XX +XXX,XX @@ static ARMGranuleSize sanitize_gran_size(ARMCPU *cpu, ARMGranuleSize gran,
 }
 
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-                                   ARMMMUIdx mmu_idx, bool data)
+                                   ARMMMUIdx mmu_idx, bool data,
+                                   bool el1_is_aa32)
 {
     uint64_t tcr = regime_tcr(env, mmu_idx);
     bool epd, hpd, tsz_oob, ds, ha, hd;
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
         }
     }
 
+    if (stage2 && el1_is_aa32) {
+        /*
+         * For AArch32 EL1 the min txsz (and thus max IPA size) requirements
+         * are loosened: a configured IPA of 40 bits is permitted even if
+         * the implemented PA is less than that (and so a 40 bit IPA would
+         * fault for an AArch64 EL1). See R_DTLMN.
+         */
+        min_tsz = MIN(min_tsz, 24);
+    }
+
     if (tsz > max_tsz) {
         tsz = max_tsz;
         tsz_oob = true;
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr,
 
     sl0 = extract32(tcr, 6, 2);
     if (is_aa64) {
-        /*
-         * AArch64.S2InvalidTxSZ: While we checked tsz_oob near the top of
-         * get_phys_addr_lpae, that used aa64_va_parameters which apply
-         * to aarch64.  If Stage1 is aarch32, the min_txsz is larger.
-         * See AArch64.S2MinTxSZ, where min_tsz is 24, translated to
-         * inputsize is 64 - 24 = 40.
-         */
-        if (iasize < 40 && !arm_el_is_aa64(&cpu->env, 1)) {
-            goto fail;
-        }
-
         /*
          * AArch64.S2InvalidSL: Interpretation of SL depends on the page size,
          * so interleave AArch64.S2StartLevel.
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         int ps;
 
         param = aa64_va_parameters(env, address, mmu_idx,
-                                   access_type != MMU_INST_FETCH);
+                                   access_type != MMU_INST_FETCH,
+                                   !arm_el_is_aa64(env, 1));
         level = 0;
 
         /*
diff --git a/target/arm/tcg/pauth_helper.c b/target/arm/tcg/pauth_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/pauth_helper.c
+++ b/target/arm/tcg/pauth_helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
                              ARMPACKey *key, bool data)
 {
     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
+    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
     uint64_t pac, ext_ptr, ext, test;
     int bot_bit, top_bit;
 
@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_auth(CPUARMState *env, uint64_t ptr, uint64_t modifier,
                            ARMPACKey *key, bool data, int keynumber)
 {
     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
+    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
     int bot_bit, top_bit;
     uint64_t pac, orig_ptr, test;
 
@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_auth(CPUARMState *env, uint64_t ptr, uint64_t modifier,
 static uint64_t pauth_strip(CPUARMState *env, uint64_t ptr, bool data)
 {
     ARMMMUIdx mmu_idx = arm_stage1_mmu_idx(env);
-    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data);
+    ARMVAParameters param = aa64_va_parameters(env, ptr, mmu_idx, data, false);
 
     return pauth_original_ptr(ptr, param);
 }
-- 
2.34.1