Series comparison

-[PULL 00/26] target-arm queue
+[PULL 00/11] target-arm queue
-Hi; hopefully this is the last arm pullreq before softfreeze.
+The following changes since commit 3214bec13d8d4c40f707d21d8350d04e4123ae97:
 There's a handful of miscellaneous bug fixes here, but the
 bulk of the pullreq is Mostafa's implementation of 2-stage
 translation in the SMMUv3.
-thanks
+  Merge tag 'migration-20250110-pull-request' of https://gitlab.com/farosas/qemu into staging (2025-01-10 13:39:19 -0500)
 -- PMM
 The following changes since commit d74ec4d7dda6322bcc51d1b13ccbd993d3574795:
   Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging (2024-07-18 10:07:23 +1000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240718
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250113
-for you to fetch changes up to 30a1690f2402e6c1582d5b3ebcf7940bfe2fad4b:
+for you to fetch changes up to 435d260e7ec5ff9c79e3e62f1d66ec82d2d691ae:
-  hvf: arm: Do not advance PC when raising an exception (2024-07-18 13:49:30 +0100)
+  docs/system/arm/virt: mention specific migration information (2025-01-13 12:35:35 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * Fix handling of LDAPR/STLR with negative offset
+ * hw/arm_sysctl: fix extracting 31th bit of val
- * LDAPR should honour SCTLR_ELx.nAA
+ * hw/misc: cast rpm to uint64_t
- * Use float_status copy in sme_fmopa_s
+ * tests/qtest/boot-serial-test: Improve ASM
- * hw/display/bcm2835_fb: fix fb_use_offsets condition
+ * target/arm: Move minor arithmetic helpers out of helper.c
- * hw/arm/smmuv3: Support and advertise nesting
+ * target/arm: change default pauth algorithm to impdef
  * Use FPST_F16 for SME FMOPA (widening)
  * tests/arm-cpu-features: Do not assume PMU availability
  * hvf: arm: Do not advance PC when raising an exception
 ----------------------------------------------------------------
-Akihiko Odaki (2):
+Anastasia Belova (1):
-      tests/arm-cpu-features: Do not assume PMU availability
+      hw/arm_sysctl: fix extracting 31th bit of val
       hvf: arm: Do not advance PC when raising an exception
 Daniyal Khan (2):
       target/arm: Use float_status copy in sme_fmopa_s
       tests/tcg/aarch64: Add test cases for SME FMOPA (widening)
 Mostafa Saleh (18):
       hw/arm/smmu-common: Add missing size check for stage-1
       hw/arm/smmu: Fix IPA for stage-2 events
       hw/arm/smmuv3: Fix encoding of CLASS in events
       hw/arm/smmu: Use enum for SMMU stage
       hw/arm/smmu: Split smmuv3_translate()
       hw/arm/smmu: Consolidate ASID and VMID types
       hw/arm/smmu: Introduce CACHED_ENTRY_TO_ADDR
       hw/arm/smmuv3: Translate CD and TT using stage-2 table
       hw/arm/smmu-common: Rework TLB lookup for nesting
       hw/arm/smmu-common: Add support for nested TLB
       hw/arm/smmu-common: Support nested translation
       hw/arm/smmu: Support nesting in smmuv3_range_inval()
       hw/arm/smmu: Introduce smmu_iotlb_inv_asid_vmid
       hw/arm/smmu: Support nesting in the rest of commands
       hw/arm/smmuv3: Support nested SMMUs in smmuv3_notify_iova()
       hw/arm/smmuv3: Handle translation faults according to SMMUPTWEventInfo
       hw/arm/smmuv3: Support and advertise nesting
       hw/arm/smmu: Refactor SMMU OAS
 Peter Maydell (2):
-      target/arm: Fix handling of LDAPR/STLR with negative offset
+      target/arm: Move minor arithmetic helpers out of helper.c
-      target/arm: LDAPR should honour SCTLR_ELx.nAA
+      tests/tcg/aarch64: force qarma5 for pauth-3 test
-Richard Henderson (1):
+Philippe Mathieu-Daudé (4):
-      target/arm: Use FPST_F16 for SME FMOPA (widening)
+      tests/qtest/boot-serial-test: Improve ASM comments of PL011 tests
       tests/qtest/boot-serial-test: Reduce for() loop in PL011 tests
       tests/qtest/boot-serial-test: Reorder pair of instructions in PL011 test
       tests/qtest/boot-serial-test: Initialize PL011 Control register
-SamJakob (1):
+Pierrick Bouvier (3):
-      hw/display/bcm2835_fb: fix fb_use_offsets condition
+      target/arm: add new property to select pauth-qarma5
       target/arm: change default pauth algorithm to impdef
       docs/system/arm/virt: mention specific migration information
- hw/arm/smmuv3-internal.h          |  19 +-
+Tigran Sogomonian (1):
- include/hw/arm/smmu-common.h      |  46 +++-
+      hw/misc: cast rpm to uint64_t
- target/arm/tcg/a64.decode         |   2 +-
- hw/arm/smmu-common.c              | 312 ++++++++++++++++++++++---
+ docs/system/arm/cpu-features.rst                |   7 +-
- hw/arm/smmuv3.c                   | 467 +++++++++++++++++++++++++-------------
+ docs/system/arm/virt.rst                        |   4 +
- hw/display/bcm2835_fb.c           |   2 +-
+ docs/system/introduction.rst                    |   2 +-
- target/arm/hvf/hvf.c              |   1 +
+ target/arm/cpu.h                                |   4 +
- target/arm/tcg/sme_helper.c       |   2 +-
+ hw/core/machine.c                               |   4 +-
- target/arm/tcg/translate-a64.c    |   2 +-
+ hw/misc/arm_sysctl.c                            |   2 +-
- target/arm/tcg/translate-sme.c    |  12 +-
+ hw/misc/npcm7xx_mft.c                           |   5 +-
- tests/qtest/arm-cpu-features.c    |  13 +-
+ target/arm/arm-qmp-cmds.c                       |   2 +-
- tests/tcg/aarch64/sme-fmopa-1.c   |  63 +++++
+ target/arm/cpu.c                                |   2 +
- tests/tcg/aarch64/sme-fmopa-2.c   |  56 +++++
+ target/arm/cpu64.c                              |  38 ++-
- tests/tcg/aarch64/sme-fmopa-3.c   |  63 +++++
+ target/arm/helper.c                             | 285 -----------------------
- hw/arm/trace-events               |  26 ++-
+ target/arm/tcg/arith_helper.c                   | 296 ++++++++++++++++++++++++
- tests/tcg/aarch64/Makefile.target |   5 +-
+ tests/qtest/arm-cpu-features.c                  |  15 +-
-files changed, 846 insertions(+), 245 deletions(-)
+ tests/qtest/boot-serial-test.c                  |  23 +-
- create mode 100644 tests/tcg/aarch64/sme-fmopa-1.c
+ target/arm/{op_addsub.h => tcg/op_addsub.c.inc} |   0
- create mode 100644 tests/tcg/aarch64/sme-fmopa-2.c
+ target/arm/tcg/meson.build                      |   1 +
- create mode 100644 tests/tcg/aarch64/sme-fmopa-3.c
+ tests/tcg/aarch64/Makefile.softmmu-target       |   3 +
 files changed, 377 insertions(+), 316 deletions(-)
  create mode 100644 target/arm/tcg/arith_helper.c
  rename target/arm/{op_addsub.h => tcg/op_addsub.c.inc} (100%)

-[PULL 01/26] target/arm: Fix handling of LDAPR/STLR with negative offset
+Deleted patch
-When we converted the LDAPR/STLR instructions to decodetree we
-accidentally introduced a regression where the offset is negative.
-The 9-bit immediate field is signed, and the old hand decoder
-correctly used sextract32() to get it out of the insn word,
-but the ldapr_stlr_i pattern in the decode file used "imm:9"
-instead of "imm:s9", so it treated the field as unsigned.
-Fix the pattern to treat the field as a signed immediate.
-Cc: qemu-stable@nongnu.org
-Fixes: 2521b6073b7 ("target/arm: Convert LDAPR/STLR (imm) to decodetree")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2419
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20240709134504.3500007-2-peter.maydell@linaro.org
----
- target/arm/tcg/a64.decode | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/a64.decode
-+++ b/target/arm/tcg/a64.decode
-@@ -XXX,XX +XXX,XX @@ LDAPR           sz:2 111 0 00 1 0 1 11111 1100 00 rn:5 rt:5
- LDRA            11 111 0 00 m:1 . 1 ......... w:1 1 rn:5 rt:5 imm=%ldra_imm
- &ldapr_stlr_i   rn rt imm sz sign ext
--@ldapr_stlr_i   .. ...... .. . imm:9 .. rn:5 rt:5 &ldapr_stlr_i
-+@ldapr_stlr_i   .. ...... .. . imm:s9 .. rn:5 rt:5 &ldapr_stlr_i
- STLR_i          sz:2 011001 00 0 ......... 00 ..... ..... @ldapr_stlr_i sign=0 ext=0
- LDAPR_i         sz:2 011001 01 0 ......... 00 ..... ..... @ldapr_stlr_i sign=0 ext=0
- LDAPR_i         00 011001 10 0 ......... 00 ..... ..... @ldapr_stlr_i sign=1 ext=0 sz=0
---
-.34.1

-[PULL 02/26] target/arm: LDAPR should honour SCTLR_ELx.nAA
+Deleted patch
-In commit c1a1f80518d360b when we added the FEAT_LSE2 relaxations to
-the alignment requirements for atomic and ordered loads and stores,
-we didn't quite get it right for LDAPR/LDAPRH/LDAPRB with no
-immediate offset.  These instructions were handled in the old decoder
-as part of disas_ldst_atomic(), but unlike all the other insns that
-function decoded (LDADD, LDCLR, etc) these insns are "ordered", not
-"atomic", so they should be using check_ordered_align() rather than
-check_atomic_align().  Commit c1a1f80518d360b used
-check_atomic_align() regardless for everything in
-disas_ldst_atomic().  We then carried that incorrect check over in
-the decodetree conversion, where LDAPR/LDAPRH/LDAPRB are now handled
-by trans_LDAPR().
-The effect is that when FEAT_LSE2 is implemented, these instructions
-don't honour the SCTLR_ELx.nAA bit and will generate alignment
-faults when they should not.
-(The LDAPR insns with an immediate offset were in disas_ldst_ldapr_stlr()
-and then in trans_LDAPR_i() and trans_STLR_i(), and have always used
-the correct check_ordered_align().)
-Use check_ordered_align() in trans_LDAPR().
-Cc: qemu-stable@nongnu.org
-Fixes: c1a1f80518d360b ("target/arm: Relax ordered/atomic alignment checks for LSE2")
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20240709134504.3500007-3-peter.maydell@linaro.org
----
- target/arm/tcg/translate-a64.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-a64.c
-+++ b/target/arm/tcg/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDAPR(DisasContext *s, arg_LDAPR *a)
-     if (a->rn == 31) {
-         gen_check_sp_alignment(s);
-     }
--    mop = check_atomic_align(s, a->rn, a->sz);
-+    mop = check_ordered_align(s, a->rn, 0, false, a->sz);
-     clean_addr = gen_mte_check1(s, cpu_reg_sp(s, a->rn), false,
-                                 a->rn != 31, mop);
-     /*
---
-.34.1

-[PULL 22/26] target/arm: Use float_status copy in sme_fmopa_s
+[PULL 01/11] hw/arm_sysctl: fix extracting 31th bit of val
-From: Daniyal Khan <danikhan632@gmail.com>
+From: Anastasia Belova <abelova@astralinux.ru>
-We made a copy above because the fp exception flags
+<< 31 is casted to uint64_t while bitwise and with val.
-are not propagated back to the FPST register, but
+So this value may become 0xffffffff80000000 but only
-then failed to use the copy.
+th "start" bit is required.
-Cc: qemu-stable@nongnu.org
+This is not possible in practice because the MemoryRegionOps
-Fixes: 558e956c719 ("target/arm: Implement FMOPA, FMOPS (non-widening)")
+uses the default max access size of 4 bytes and so none
-Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
+of the upper bytes of val will be set, but the bitfield
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+extract API is clearer anyway.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Use the bitfield extract() API instead.
-Message-id: 20240717060149.204788-2-richard.henderson@linaro.org
-[rth: Split from a larger patch]
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20241220125429.7552-1-abelova@astralinux.ru
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 [PMM: add clarification to commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/sme_helper.c | 2 +-
+ hw/misc/arm_sysctl.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
+diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/sme_helper.c
+--- a/hw/misc/arm_sysctl.c
-+++ b/target/arm/tcg/sme_helper.c
++++ b/hw/misc/arm_sysctl.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
+@@ -XXX,XX +XXX,XX @@ static void arm_sysctl_write(void *opaque, hwaddr offset,
-                         if (pb & 1) {
+          * as zero.
-                             uint32_t *a = vza_row + H1_4(col);
+          */
-                             uint32_t *m = vzm + H1_4(col);
+         s->sys_cfgctrl = val & ~((3 << 18) | (1 << 31));
--                            *a = float32_muladd(n, *m, *a, 0, vst);
+-        if (val & (1 << 31)) {
-+                            *a = float32_muladd(n, *m, *a, 0, &fpst);
++        if (extract64(val, 31, 1)) {
-                         }
+             /* Start bit set -- actually do something */
-                         col += 4;
+             unsigned int dcc = extract32(s->sys_cfgctrl, 26, 4);
-                         pb >>= 4;
+             unsigned int function = extract32(s->sys_cfgctrl, 20, 6);
 --
 .34.1

-[PULL 05/26] hw/arm/smmu: Fix IPA for stage-2 events
+[PULL 02/11] hw/misc: cast rpm to uint64_t
-From: Mostafa Saleh <smostafa@google.com>
+From: Tigran Sogomonian <tsogomonian@astralinux.ru>
-For the following events (ARM IHI 0070 F.b - 7.3 Event records):
+The value of an arithmetic expression
-- F_TRANSLATION
+'rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION' is a subject
-- F_ACCESS
+to overflow because its operands are not cast to
-- F_PERMISSION
+a larger data type before performing arithmetic. Thus, need
-- F_ADDR_SIZE
+to cast rpm to uint64_t.
-If fault occurs at stage 2, S2 == 1 and:
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
   - If translating an IPA for a transaction (whether by input to
     stage 2-only configuration, or after successful stage 1 translation),
     CLASS == IN, and IPA is provided.
-At the moment only CLASS == IN is used which indicates input
+Signed-off-by: Tigran Sogomonian <tsogomonian@astralinux.ru>
-translation.
+Reviewed-by: Patrick Leis <venture@google.com>
+Reviewed-by: Hao Wu <wuhaotsh@google.com>
-However, this was not implemented correctly, as for stage 2, the code
+Message-id: 20241226130311.1349-1-tsogomonian@astralinux.ru
 only sets the  S2 bit but not the IPA.
 This field has the same bits as FetchAddr in F_WALK_EABT which is
 populated correctly, so we don’t change that.
 The setting of this field should be done from the walker as the IPA address
 wouldn't be known in case of nesting.
 For stage 1, the spec says:
   If fault occurs at stage 1, S2 == 0 and:
   CLASS == IN, IPA is UNKNOWN.
 So, no need to set it to for stage 1, as ptw_info is initialised by zero in
 smmuv3_translate().
 Fixes: e703f7076a “hw/arm/smmuv3: Add page table walk for stage-2”
 Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Mostafa Saleh <smostafa@google.com>
 Message-id: 20240715084519.1189624-3-smostafa@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmu-common.c | 10 ++++++----
+ hw/misc/npcm7xx_mft.c | 5 +++--
- hw/arm/smmuv3.c      |  4 ++++
+file changed, 3 insertions(+), 2 deletions(-)
 files changed, 10 insertions(+), 4 deletions(-)
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
+diff --git a/hw/misc/npcm7xx_mft.c b/hw/misc/npcm7xx_mft.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
+--- a/hw/misc/npcm7xx_mft.c
-+++ b/hw/arm/smmu-common.c
++++ b/hw/misc/npcm7xx_mft.c
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
+@@ -XXX,XX +XXX,XX @@ static NPCM7xxMFTCaptureState npcm7xx_mft_compute_cnt(
-      */
+          * RPM = revolution/min. The time for one revlution (in ns) is
-     if (ipa >= (1ULL << inputsize)) {
+          * MINUTE_TO_NANOSECOND / RPM.
-         info->type = SMMU_PTW_ERR_TRANSLATION;
+          */
--        goto error;
+-        count = clock_ns_to_ticks(clock, (60 * NANOSECONDS_PER_SECOND) /
-+        goto error_ipa;
+-            (rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION));
 +        count = clock_ns_to_ticks(clock,
 +            (uint64_t)(60 * NANOSECONDS_PER_SECOND) /
 +            ((uint64_t)rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION));
      }
-     while (level < VMSA_LEVELS) {
+     if (count > NPCM7XX_MFT_MAX_CNT) {
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
           */
          if (!PTE_AF(pte) && !cfg->s2cfg.affd) {
              info->type = SMMU_PTW_ERR_ACCESS;
 -            goto error;
 +            goto error_ipa;
          }
          s2ap = PTE_AP(pte);
          if (is_permission_fault_s2(s2ap, perm)) {
              info->type = SMMU_PTW_ERR_PERMISSION;
 -            goto error;
 +            goto error_ipa;
          }
          /*
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
           */
          if (gpa >= (1ULL << cfg->s2cfg.eff_ps)) {
              info->type = SMMU_PTW_ERR_ADDR_SIZE;
 -            goto error;
 +            goto error_ipa;
          }
          tlbe->entry.translated_addr = gpa;
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
      }
      info->type = SMMU_PTW_ERR_TRANSLATION;
 +error_ipa:
 +    info->addr = ipa;
  error:
      info->stage = 2;
      tlbe->entry.perm = IOMMU_NONE;
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
              if (PTW_RECORD_FAULT(cfg)) {
                  event.type = SMMU_EVT_F_TRANSLATION;
                  event.u.f_translation.addr = addr;
 +                event.u.f_translation.addr2 = ptw_info.addr;
                  event.u.f_translation.rnw = flag & 0x1;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
              if (PTW_RECORD_FAULT(cfg)) {
                  event.type = SMMU_EVT_F_ADDR_SIZE;
                  event.u.f_addr_size.addr = addr;
 +                event.u.f_addr_size.addr2 = ptw_info.addr;
                  event.u.f_addr_size.rnw = flag & 0x1;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
              if (PTW_RECORD_FAULT(cfg)) {
                  event.type = SMMU_EVT_F_ACCESS;
                  event.u.f_access.addr = addr;
 +                event.u.f_access.addr2 = ptw_info.addr;
                  event.u.f_access.rnw = flag & 0x1;
              }
              break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
              if (PTW_RECORD_FAULT(cfg)) {
                  event.type = SMMU_EVT_F_PERMISSION;
                  event.u.f_permission.addr = addr;
 +                event.u.f_permission.addr2 = ptw_info.addr;
                  event.u.f_permission.rnw = flag & 0x1;
              }
              break;
 --
 .34.1

-[PULL 23/26] target/arm: Use FPST_F16 for SME FMOPA (widening)
+[PULL 03/11] tests/qtest/boot-serial-test: Improve ASM comments of PL011 tests
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-This operation has float16 inputs and thus must use
+Re-indent ASM comments adding the 'loop:' label.
 the FZ16 control not the FZ control.
-Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)")
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reported-by: Daniyal Khan <danikhan632@gmail.com>
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: 20240717060149.204788-3-richard.henderson@linaro.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2374
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/tcg/translate-sme.c | 12 ++++++++----
+ tests/qtest/boot-serial-test.c | 18 +++++++++---------
-file changed, 8 insertions(+), 4 deletions(-)
+file changed, 9 insertions(+), 9 deletions(-)
-diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
+diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/tcg/translate-sme.c
+--- a/tests/qtest/boot-serial-test.c
-+++ b/target/arm/tcg/translate-sme.c
++++ b/tests/qtest/boot-serial-test.c
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
+@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
- }
+ };
- static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+ static const uint8_t bios_raspi2[] = {
-+                            ARMFPStatusFlavour e_fpst,
+-    0x08, 0x30, 0x9f, 0xe5,                 /* ldr   r3,[pc,#8]    Get base */
-                             gen_helper_gvec_5_ptr *fn)
+-    0x54, 0x20, 0xa0, 0xe3,                 /* mov     r2,#'T' */
- {
+-    0x00, 0x20, 0xc3, 0xe5,                 /* strb    r2,[r3] */
-     int svl = streaming_vec_reg_size(s);
+-    0xfb, 0xff, 0xff, 0xea,                 /* b       loop */
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+-    0x00, 0x10, 0x20, 0x3f,                 /* 0x3f201000 = UART0 base addr */
-     zm = vec_full_reg_ptr(s, a->zm);
++    0x08, 0x30, 0x9f, 0xe5,                 /* loop:  ldr     r3, [pc, #8]   Get &UART0 */
-     pn = pred_full_reg_ptr(s, a->pn);
++    0x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
-     pm = pred_full_reg_ptr(s, a->pm);
++    0x00, 0x20, 0xc3, 0xe5,                 /*        strb    r2, [r3]       *TXDAT = 'T' */
--    fpst = fpstatus_ptr(FPST_FPCR);
++    0xfb, 0xff, 0xff, 0xea,                 /*        b       -12            (loop) */
-+    fpst = fpstatus_ptr(e_fpst);
++    0x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
+ };
-     fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
-     return true;
+ static const uint8_t kernel_aarch64[] = {
- }
+-    0x81, 0x0a, 0x80, 0x52,                 /* mov     w1, #0x54 */
+-    0x02, 0x20, 0xa1, 0xd2,                 /* mov     x2, #0x9000000 */
--TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
+-    0x41, 0x00, 0x00, 0x39,                 /* strb    w1, [x2] */
--TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
+-    0xfd, 0xff, 0xff, 0x17,                 /* b       -12 (loop) */
--TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
++    0x81, 0x0a, 0x80, 0x52,                 /* loop:  mov    w1, #'T' */
-+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
++    0x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
-+           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
++    0x41, 0x00, 0x00, 0x39,                 /*        strb   w1, [x2]        *TXDAT = 'T' */
-+TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
++    0xfd, 0xff, 0xff, 0x17,                 /*        b      -12             (loop) */
-+           MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
+ };
-+TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,
-+           MO_64, FPST_FPCR, gen_helper_sme_fmopa_d)
+ static const uint8_t kernel_nrf51[] = {
  /* TODO: FEAT_EBF16 */
  TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
 --
 .34.1

-[PULL 20/26] hw/arm/smmuv3: Support and advertise nesting
+[PULL 04/11] tests/qtest/boot-serial-test: Reduce for() loop in PL011 tests
-From: Mostafa Saleh <smostafa@google.com>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Everything is in place, consolidate parsing of STE cfg and setting
+Since registers are not modified, we don't need
-translation stage.
+to refill their values. Directly jump to the previous
 store instruction to keep filling the TXDAT register.
-Advertise nesting if stage requested is "nested".
+The equivalent C code remains:
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+  while (true) {
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+      *UART_DATA = 'T';
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
+  }
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-18-smostafa@google.com
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Fabiano Rosas <farosas@suse.de>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3.c | 35 ++++++++++++++++++++++++++---------
+ tests/qtest/boot-serial-test.c | 12 ++++++------
-file changed, 26 insertions(+), 9 deletions(-)
+file changed, 6 insertions(+), 6 deletions(-)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/tests/qtest/boot-serial-test.c
-+++ b/hw/arm/smmuv3.c
++++ b/tests/qtest/boot-serial-test.c
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
+@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
-     /* Based on sys property, the stages supported in smmu will be advertised.*/
+ };
-     if (s->stage && !strcmp("2", s->stage)) {
-         s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1);
+ static const uint8_t bios_raspi2[] = {
-+    } else if (s->stage && !strcmp("nested", s->stage)) {
+-    0x08, 0x30, 0x9f, 0xe5,                 /* loop:  ldr     r3, [pc, #8]   Get &UART0 */
-+        s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1);
++    0x08, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #8]   Get &UART0 */
-+        s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1);
+x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
-     } else {
+-    0x00, 0x20, 0xc3, 0xe5,                 /*        strb    r2, [r3]       *TXDAT = 'T' */
-         s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1);
+-    0xfb, 0xff, 0xff, 0xea,                 /*        b       -12            (loop) */
-     }
++    0x00, 0x20, 0xc3, 0xe5,                 /* loop:  strb    r2, [r3]       *TXDAT = 'T' */
-@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
++    0xff, 0xff, 0xff, 0xea,                 /*        b       -4             (loop) */
+x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
- static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
+ };
- {
--    cfg->stage = SMMU_STAGE_2;
+ static const uint8_t kernel_aarch64[] = {
--
+-    0x81, 0x0a, 0x80, 0x52,                 /* loop:  mov    w1, #'T' */
-     if (STE_S2AA64(ste) == 0x0) {
++    0x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
-         qemu_log_mask(LOG_UNIMP,
+x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
-                       "SMMUv3 AArch32 tables not supported\n");
+-    0x41, 0x00, 0x00, 0x39,                 /*        strb   w1, [x2]        *TXDAT = 'T' */
-@@ -XXX,XX +XXX,XX @@ bad_ste:
+-    0xfd, 0xff, 0xff, 0x17,                 /*        b      -12             (loop) */
-     return -EINVAL;
++    0x41, 0x00, 0x00, 0x39,                 /* loop:  strb   w1, [x2]        *TXDAT = 'T' */
- }
++    0xff, 0xff, 0xff, 0x17,                 /*        b      -4              (loop) */
+ };
-+static void decode_ste_config(SMMUTransCfg *cfg, uint32_t config)
-+{
+ static const uint8_t kernel_nrf51[] = {
 +
 +    if (STE_CFG_ABORT(config)) {
 +        cfg->aborted = true;
 +        return;
 +    }
 +    if (STE_CFG_BYPASS(config)) {
 +        cfg->bypassed = true;
 +        return;
 +    }
 +
 +    if (STE_CFG_S1_ENABLED(config)) {
 +        cfg->stage = SMMU_STAGE_1;
 +    }
 +
 +    if (STE_CFG_S2_ENABLED(config)) {
 +        cfg->stage |= SMMU_STAGE_2;
 +    }
 +}
 +
  /* Returns < 0 in case of invalid STE, 0 otherwise */
  static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
                        STE *ste, SMMUEventInfo *event)
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
      config = STE_CONFIG(ste);
 -    if (STE_CFG_ABORT(config)) {
 -        cfg->aborted = true;
 -        return 0;
 -    }
 +    decode_ste_config(cfg, config);
 -    if (STE_CFG_BYPASS(config)) {
 -        cfg->bypassed = true;
 +    if (cfg->aborted || cfg->bypassed) {
          return 0;
      }
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
      /* we support only those at the moment */
      cfg->aa64 = true;
 -    cfg->stage = SMMU_STAGE_1;
      cfg->oas = oas2bits(CD_IPS(cd));
      cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
 --
 .34.1

-[PULL 03/26] hw/display/bcm2835_fb: fix fb_use_offsets condition
+[PULL 05/11] tests/qtest/boot-serial-test: Reorder pair of instructions in PL011 test
-From: SamJakob <me@samjakob.com>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-It is common practice when implementing double-buffering on VideoCore
+In the next commit we are going to use a different value
-to do so by multiplying the height of the virtual buffer by the
+for the $w1 register, maintaining the same $x2 value. In
-number of virtual screens desired (i.e., two - in the case of
+order to keep the next commit trivial to review, set $x2
-double-bufferring).
+before $w1.
-At present, this won't work in QEMU because the logic in
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-fb_use_offsets require that both the virtual width and height exceed
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-their physical counterparts.
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
 This appears to be unintentional/a typo and indeed the comment
 states; "Experimentally, the hardware seems to do this only if the
 viewport size is larger than the physical screen".  The
 viewport/virtual size would be larger than the physical size if
 either virtual dimension were larger than their physical counterparts
 and not necessarily both.
 Signed-off-by: SamJakob <me@samjakob.com>
 Message-id: 20240713160353.62410-1-me@samjakob.com
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/display/bcm2835_fb.c | 2 +-
+ tests/qtest/boot-serial-test.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
+diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/display/bcm2835_fb.c
+--- a/tests/qtest/boot-serial-test.c
-+++ b/hw/display/bcm2835_fb.c
++++ b/tests/qtest/boot-serial-test.c
-@@ -XXX,XX +XXX,XX @@ static bool fb_use_offsets(BCM2835FBConfig *config)
+@@ -XXX,XX +XXX,XX @@ static const uint8_t bios_raspi2[] = {
-      * viewport size is larger than the physical screen. (It doesn't
+ };
-      * prevent the guest setting this silly viewport setting, though...)
-      */
+ static const uint8_t kernel_aarch64[] = {
--    return config->xres_virtual > config->xres &&
+-    0x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
-+    return config->xres_virtual > config->xres ||
+x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
-         config->yres_virtual > config->yres;
++    0x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
- }
+x41, 0x00, 0x00, 0x39,                 /* loop:  strb   w1, [x2]        *TXDAT = 'T' */
+xff, 0xff, 0xff, 0x17,                 /*        b      -4              (loop) */
  };
 --
 .34.1

-[PULL 19/26] hw/arm/smmuv3: Handle translation faults according to SMMUPTWEventInfo
+[PULL 06/11] tests/qtest/boot-serial-test: Initialize PL011 Control register
-From: Mostafa Saleh <smostafa@google.com>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Previously, to check if faults are enabled, it was sufficient to check
+The tests using the PL011 UART of the virt and raspi machines
-the current stage of translation and check the corresponding
+weren't properly enabling the UART and its transmitter previous
-record_faults flag.
+to sending characters. Follow the PL011 manual initialization
 recommendation by setting the proper bits of the control register.
-However, with nesting, it is possible for stage-1 (nested) translation
+Update the ASM code prefixing:
 to trigger a stage-2 fault, so we check SMMUPTWEventInfo as it would
 have the correct stage set from the page table walk.
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
+  *UART_CTRL = UART_ENABLE | TX_ENABLE;
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+to:
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-17-smostafa@google.com
+  while (true) {
       *UART_DATA = 'T';
   }
 Note, since commit 51b61dd4d56 ("hw/char/pl011: Warn when using
 disabled transmitter") incomplete PL011 initialization can be
 logged using the '-d guest_errors' command line option.
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3.c | 15 ++++++++-------
+ tests/qtest/boot-serial-test.c | 7 ++++++-
-file changed, 8 insertions(+), 7 deletions(-)
+file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/tests/qtest/boot-serial-test.c
-+++ b/hw/arm/smmuv3.c
++++ b/tests/qtest/boot-serial-test.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
- #include "smmuv3-internal.h"
+ };
- #include "smmu-internal.h"
+ static const uint8_t bios_raspi2[] = {
--#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == SMMU_STAGE_1) ? \
+-    0x08, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #8]   Get &UART0 */
--                                 (cfg)->record_faults : \
++    0x10, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #16]  Get &UART0 */
--                                 (cfg)->s2cfg.record_faults)
++    0x10, 0x20, 0x9f, 0xe5,                 /*        ldr     r2, [pc, #16]  Get &CR */
-+#define PTW_RECORD_FAULT(ptw_info, cfg) (((ptw_info).stage == SMMU_STAGE_1 && \
++    0xb0, 0x23, 0xc3, 0xe1,                 /*        strh    r2, [r3, #48]  Set CR */
-+                                        (cfg)->record_faults) || \
+x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
-+                                        ((ptw_info).stage == SMMU_STAGE_2 && \
+x00, 0x20, 0xc3, 0xe5,                 /* loop:  strb    r2, [r3]       *TXDAT = 'T' */
-+                                        (cfg)->s2cfg.record_faults))
+xff, 0xff, 0xff, 0xea,                 /*        b       -4             (loop) */
+x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
- /**
++    0x01, 0x01, 0x00, 0x00,                 /* CR:    0x101 = UARTEN|TXE */
-  * smmuv3_trigger_irq - pulse @irq if enabled and update
+ };
-@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-             event->u.f_walk_eabt.addr2 = ptw_info.addr;
+ static const uint8_t kernel_aarch64[] = {
-             break;
+x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
-         case SMMU_PTW_ERR_TRANSLATION:
++    0x21, 0x20, 0x80, 0x52,                 /*        mov    w1, 0x101       CR = UARTEN|TXE */
--            if (PTW_RECORD_FAULT(cfg)) {
++    0x41, 0x60, 0x00, 0x79,                 /*        strh   w1, [x2, #48]   Set CR */
-+            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
+x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
-                 event->type = SMMU_EVT_F_TRANSLATION;
+x41, 0x00, 0x00, 0x39,                 /* loop:  strb   w1, [x2]        *TXDAT = 'T' */
-                 event->u.f_translation.addr2 = ptw_info.addr;
+xff, 0xff, 0xff, 0x17,                 /*        b      -4              (loop) */
                  event->u.f_translation.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
              }
              break;
          case SMMU_PTW_ERR_ADDR_SIZE:
 -            if (PTW_RECORD_FAULT(cfg)) {
 +            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                  event->type = SMMU_EVT_F_ADDR_SIZE;
                  event->u.f_addr_size.addr2 = ptw_info.addr;
                  event->u.f_addr_size.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
              }
              break;
          case SMMU_PTW_ERR_ACCESS:
 -            if (PTW_RECORD_FAULT(cfg)) {
 +            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                  event->type = SMMU_EVT_F_ACCESS;
                  event->u.f_access.addr2 = ptw_info.addr;
                  event->u.f_access.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
              }
              break;
          case SMMU_PTW_ERR_PERMISSION:
 -            if (PTW_RECORD_FAULT(cfg)) {
 +            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                  event->type = SMMU_EVT_F_PERMISSION;
                  event->u.f_permission.addr2 = ptw_info.addr;
                  event->u.f_permission.class = class;
 --
 .34.1

-[PULL 24/26] tests/tcg/aarch64: Add test cases for SME FMOPA (widening)
+[PULL 07/11] target/arm: Move minor arithmetic helpers out of helper.c
-From: Daniyal Khan <danikhan632@gmail.com>
+helper.c includes some small TCG helper functions used for mostly
 arithmetic instructions.  These are TCG only and there's no need for
 them to be in the large and unwieldy helper.c.  Move them out to
 their own source file in the tcg/ subdirectory, together with the
 op_addsub.h multiply-included template header that they use.
-Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
+Since we are moving op_addsub.h, we take the opportunity to
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+give it a name which matches our convention for files which
 are not true header files but which are #included from other
 C files: op_addsub.c.inc.
 (Ironically, this means that helper.c no longer contains
 any TCG helper function definitions at all.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20250110131211.2546314-1-peter.maydell@linaro.org
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240717060149.204788-4-richard.henderson@linaro.org
-Message-Id: 172090222034.13953.16888708708822922098-1@git.sr.ht
-[rth: Split test from a larger patch, tidy assembly]
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/tcg/aarch64/sme-fmopa-1.c   | 63 +++++++++++++++++++++++++++++++
+ target/arm/helper.c                           | 285 -----------------
- tests/tcg/aarch64/sme-fmopa-2.c   | 56 +++++++++++++++++++++++++++
+ target/arm/tcg/arith_helper.c                 | 296 ++++++++++++++++++
- tests/tcg/aarch64/sme-fmopa-3.c   | 63 +++++++++++++++++++++++++++++++
+ .../arm/{op_addsub.h => tcg/op_addsub.c.inc}  |   0
- tests/tcg/aarch64/Makefile.target |  5 ++-
+ target/arm/tcg/meson.build                    |   1 +
-files changed, 185 insertions(+), 2 deletions(-)
+files changed, 297 insertions(+), 285 deletions(-)
- create mode 100644 tests/tcg/aarch64/sme-fmopa-1.c
+ create mode 100644 target/arm/tcg/arith_helper.c
- create mode 100644 tests/tcg/aarch64/sme-fmopa-2.c
+ rename target/arm/{op_addsub.h => tcg/op_addsub.c.inc} (100%)
  create mode 100644 tests/tcg/aarch64/sme-fmopa-3.c
-diff --git a/tests/tcg/aarch64/sme-fmopa-1.c b/tests/tcg/aarch64/sme-fmopa-1.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/main-loop.h"
  #include "qemu/timer.h"
  #include "qemu/bitops.h"
 -#include "qemu/crc32c.h"
  #include "qemu/qemu-print.h"
  #include "exec/exec-all.h"
  #include "exec/translation-block.h"
 -#include <zlib.h> /* for crc32 */
  #include "hw/irq.h"
  #include "system/cpu-timers.h"
  #include "system/kvm.h"
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
      };
  }
 -/*
 - * Note that signed overflow is undefined in C.  The following routines are
 - * careful to use unsigned types where modulo arithmetic is required.
 - * Failure to do so _will_ break on newer gcc.
 - */
 -
 -/* Signed saturating arithmetic.  */
 -
 -/* Perform 16-bit signed saturating addition.  */
 -static inline uint16_t add16_sat(uint16_t a, uint16_t b)
 -{
 -    uint16_t res;
 -
 -    res = a + b;
 -    if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
 -        if (a & 0x8000) {
 -            res = 0x8000;
 -        } else {
 -            res = 0x7fff;
 -        }
 -    }
 -    return res;
 -}
 -
 -/* Perform 8-bit signed saturating addition.  */
 -static inline uint8_t add8_sat(uint8_t a, uint8_t b)
 -{
 -    uint8_t res;
 -
 -    res = a + b;
 -    if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
 -        if (a & 0x80) {
 -            res = 0x80;
 -        } else {
 -            res = 0x7f;
 -        }
 -    }
 -    return res;
 -}
 -
 -/* Perform 16-bit signed saturating subtraction.  */
 -static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
 -{
 -    uint16_t res;
 -
 -    res = a - b;
 -    if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
 -        if (a & 0x8000) {
 -            res = 0x8000;
 -        } else {
 -            res = 0x7fff;
 -        }
 -    }
 -    return res;
 -}
 -
 -/* Perform 8-bit signed saturating subtraction.  */
 -static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
 -{
 -    uint8_t res;
 -
 -    res = a - b;
 -    if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
 -        if (a & 0x80) {
 -            res = 0x80;
 -        } else {
 -            res = 0x7f;
 -        }
 -    }
 -    return res;
 -}
 -
 -#define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
 -#define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
 -#define ADD8(a, b, n)  RESULT(add8_sat(a, b), n, 8);
 -#define SUB8(a, b, n)  RESULT(sub8_sat(a, b), n, 8);
 -#define PFX q
 -
 -#include "op_addsub.h"
 -
 -/* Unsigned saturating arithmetic.  */
 -static inline uint16_t add16_usat(uint16_t a, uint16_t b)
 -{
 -    uint16_t res;
 -    res = a + b;
 -    if (res < a) {
 -        res = 0xffff;
 -    }
 -    return res;
 -}
 -
 -static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
 -{
 -    if (a > b) {
 -        return a - b;
 -    } else {
 -        return 0;
 -    }
 -}
 -
 -static inline uint8_t add8_usat(uint8_t a, uint8_t b)
 -{
 -    uint8_t res;
 -    res = a + b;
 -    if (res < a) {
 -        res = 0xff;
 -    }
 -    return res;
 -}
 -
 -static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
 -{
 -    if (a > b) {
 -        return a - b;
 -    } else {
 -        return 0;
 -    }
 -}
 -
 -#define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
 -#define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
 -#define ADD8(a, b, n)  RESULT(add8_usat(a, b), n, 8);
 -#define SUB8(a, b, n)  RESULT(sub8_usat(a, b), n, 8);
 -#define PFX uq
 -
 -#include "op_addsub.h"
 -
 -/* Signed modulo arithmetic.  */
 -#define SARITH16(a, b, n, op) do { \
 -    int32_t sum; \
 -    sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
 -    RESULT(sum, n, 16); \
 -    if (sum >= 0) \
 -        ge |= 3 << (n * 2); \
 -    } while (0)
 -
 -#define SARITH8(a, b, n, op) do { \
 -    int32_t sum; \
 -    sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
 -    RESULT(sum, n, 8); \
 -    if (sum >= 0) \
 -        ge |= 1 << n; \
 -    } while (0)
 -
 -
 -#define ADD16(a, b, n) SARITH16(a, b, n, +)
 -#define SUB16(a, b, n) SARITH16(a, b, n, -)
 -#define ADD8(a, b, n)  SARITH8(a, b, n, +)
 -#define SUB8(a, b, n)  SARITH8(a, b, n, -)
 -#define PFX s
 -#define ARITH_GE
 -
 -#include "op_addsub.h"
 -
 -/* Unsigned modulo arithmetic.  */
 -#define ADD16(a, b, n) do { \
 -    uint32_t sum; \
 -    sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
 -    RESULT(sum, n, 16); \
 -    if ((sum >> 16) == 1) \
 -        ge |= 3 << (n * 2); \
 -    } while (0)
 -
 -#define ADD8(a, b, n) do { \
 -    uint32_t sum; \
 -    sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
 -    RESULT(sum, n, 8); \
 -    if ((sum >> 8) == 1) \
 -        ge |= 1 << n; \
 -    } while (0)
 -
 -#define SUB16(a, b, n) do { \
 -    uint32_t sum; \
 -    sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
 -    RESULT(sum, n, 16); \
 -    if ((sum >> 16) == 0) \
 -        ge |= 3 << (n * 2); \
 -    } while (0)
 -
 -#define SUB8(a, b, n) do { \
 -    uint32_t sum; \
 -    sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
 -    RESULT(sum, n, 8); \
 -    if ((sum >> 8) == 0) \
 -        ge |= 1 << n; \
 -    } while (0)
 -
 -#define PFX u
 -#define ARITH_GE
 -
 -#include "op_addsub.h"
 -
 -/* Halved signed arithmetic.  */
 -#define ADD16(a, b, n) \
 -  RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
 -#define SUB16(a, b, n) \
 -  RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
 -#define ADD8(a, b, n) \
 -  RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
 -#define SUB8(a, b, n) \
 -  RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
 -#define PFX sh
 -
 -#include "op_addsub.h"
 -
 -/* Halved unsigned arithmetic.  */
 -#define ADD16(a, b, n) \
 -  RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
 -#define SUB16(a, b, n) \
 -  RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
 -#define ADD8(a, b, n) \
 -  RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
 -#define SUB8(a, b, n) \
 -  RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
 -#define PFX uh
 -
 -#include "op_addsub.h"
 -
 -static inline uint8_t do_usad(uint8_t a, uint8_t b)
 -{
 -    if (a > b) {
 -        return a - b;
 -    } else {
 -        return b - a;
 -    }
 -}
 -
 -/* Unsigned sum of absolute byte differences.  */
 -uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
 -{
 -    uint32_t sum;
 -    sum = do_usad(a, b);
 -    sum += do_usad(a >> 8, b >> 8);
 -    sum += do_usad(a >> 16, b >> 16);
 -    sum += do_usad(a >> 24, b >> 24);
 -    return sum;
 -}
 -
 -/* For ARMv6 SEL instruction.  */
 -uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
 -{
 -    uint32_t mask;
 -
 -    mask = 0;
 -    if (flags & 1) {
 -        mask |= 0xff;
 -    }
 -    if (flags & 2) {
 -        mask |= 0xff00;
 -    }
 -    if (flags & 4) {
 -        mask |= 0xff0000;
 -    }
 -    if (flags & 8) {
 -        mask |= 0xff000000;
 -    }
 -    return (a & mask) | (b & ~mask);
 -}
 -
 -/*
 - * CRC helpers.
 - * The upper bytes of val (above the number specified by 'bytes') must have
 - * been zeroed out by the caller.
 - */
 -uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
 -{
 -    uint8_t buf[4];
 -
 -    stl_le_p(buf, val);
 -
 -    /* zlib crc32 converts the accumulator and output to one's complement.  */
 -    return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
 -}
 -
 -uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
 -{
 -    uint8_t buf[4];
 -
 -    stl_le_p(buf, val);
 -
 -    /* Linux crc32c converts the output to one's complement.  */
 -    return crc32c(acc, buf, bytes) ^ 0xffffffff;
 -}
  /*
   * Return the exception level to which FP-disabled exceptions should
 diff --git a/target/arm/tcg/arith_helper.c b/target/arm/tcg/arith_helper.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/tcg/aarch64/sme-fmopa-1.c
++++ b/target/arm/tcg/arith_helper.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * SME outer product, 1 x 1.
++ * ARM generic helpers for various arithmetical operations.
 + *
 + * This code is licensed under the GNU GPL v2 or later.
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
-+
++#include "qemu/osdep.h"
-+#include <stdio.h>
++#include "cpu.h"
-+
++#include "exec/helper-proto.h"
-+static void foo(float *dst)
++#include "qemu/crc32c.h"
-+{
++#include <zlib.h> /* for crc32 */
-+    asm(".arch_extension sme\n\t"
++
-+        "smstart\n\t"
++/*
-+        "ptrue p0.s, vl4\n\t"
++ * Note that signed overflow is undefined in C.  The following routines are
-+        "fmov z0.s, #1.0\n\t"
++ * careful to use unsigned types where modulo arithmetic is required.
-+        /*
++ * Failure to do so _will_ break on newer gcc.
-+         * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.
++ */
-+         * Note that we are using tile 1 here (za1.s) rather than tile 0.
++
-+         */
++/* Signed saturating arithmetic.  */
-+        "zero {za}\n\t"
++
-+        "fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n\t"
++/* Perform 16-bit signed saturating addition.  */
-+        /*
++static inline uint16_t add16_sat(uint16_t a, uint16_t b)
-+         * Read the first 4x4 sub-matrix of elements from tile 1:
++{
-+         * Note that za1h should be interchangeable here.
++    uint16_t res;
-+         */
++
-+        "mov w12, #0\n\t"
++    res = a + b;
-+        "mova z0.s, p0/m, za1v.s[w12, #0]\n\t"
++    if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
-+        "mova z1.s, p0/m, za1v.s[w12, #1]\n\t"
++        if (a & 0x8000) {
-+        "mova z2.s, p0/m, za1v.s[w12, #2]\n\t"
++            res = 0x8000;
-+        "mova z3.s, p0/m, za1v.s[w12, #3]\n\t"
++        } else {
-+        /*
++            res = 0x7fff;
 +         * And store them to the input pointer (dst in the C code):
 +         */
 +        "st1w {z0.s}, p0, [%0]\n\t"
 +        "add x0, x0, #16\n\t"
 +        "st1w {z1.s}, p0, [x0]\n\t"
 +        "add x0, x0, #16\n\t"
 +        "st1w {z2.s}, p0, [x0]\n\t"
 +        "add x0, x0, #16\n\t"
 +        "st1w {z3.s}, p0, [x0]\n\t"
 +        "smstop"
 +        : : "r"(dst)
 +        : "x12", "d0", "d1", "d2", "d3", "memory");
 +}
 +
 +int main()
 +{
 +    float dst[16] = { };
 +
 +    foo(dst);
 +
 +    for (int i = 0; i < 16; i++) {
 +        if (dst[i] != 1.0f) {
 +            goto failure;
 +        }
 +    }
-+    /* success */
++    return res;
-+    return 0;
++}
 +
-+ failure:
++/* Perform 8-bit signed saturating addition.  */
-+    for (int i = 0; i < 16; i++) {
++static inline uint8_t add8_sat(uint8_t a, uint8_t b)
-+        printf("%f%c", dst[i], i % 4 == 3 ? '\n' : ' ');
++{
-+    }
++    uint8_t res;
-+    return 1;
++
-+}
++    res = a + b;
-diff --git a/tests/tcg/aarch64/sme-fmopa-2.c b/tests/tcg/aarch64/sme-fmopa-2.c
++    if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
-new file mode 100644
++        if (a & 0x80) {
-index XXXXXXX..XXXXXXX
++            res = 0x80;
---- /dev/null
++        } else {
-+++ b/tests/tcg/aarch64/sme-fmopa-2.c
++            res = 0x7f;
-@@ -XXX,XX +XXX,XX @@
++        }
 +    }
 +    return res;
 +}
 +
 +/* Perform 16-bit signed saturating subtraction.  */
 +static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
 +{
 +    uint16_t res;
 +
 +    res = a - b;
 +    if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
 +        if (a & 0x8000) {
 +            res = 0x8000;
 +        } else {
 +            res = 0x7fff;
 +        }
 +    }
 +    return res;
 +}
 +
 +/* Perform 8-bit signed saturating subtraction.  */
 +static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
 +{
 +    uint8_t res;
 +
 +    res = a - b;
 +    if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
 +        if (a & 0x80) {
 +            res = 0x80;
 +        } else {
 +            res = 0x7f;
 +        }
 +    }
 +    return res;
 +}
 +
 +#define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
 +#define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
 +#define ADD8(a, b, n)  RESULT(add8_sat(a, b), n, 8);
 +#define SUB8(a, b, n)  RESULT(sub8_sat(a, b), n, 8);
 +#define PFX q
 +
 +#include "op_addsub.c.inc"
 +
 +/* Unsigned saturating arithmetic.  */
 +static inline uint16_t add16_usat(uint16_t a, uint16_t b)
 +{
 +    uint16_t res;
 +    res = a + b;
 +    if (res < a) {
 +        res = 0xffff;
 +    }
 +    return res;
 +}
 +
 +static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
 +{
 +    if (a > b) {
 +        return a - b;
 +    } else {
 +        return 0;
 +    }
 +}
 +
 +static inline uint8_t add8_usat(uint8_t a, uint8_t b)
 +{
 +    uint8_t res;
 +    res = a + b;
 +    if (res < a) {
 +        res = 0xff;
 +    }
 +    return res;
 +}
 +
 +static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
 +{
 +    if (a > b) {
 +        return a - b;
 +    } else {
 +        return 0;
 +    }
 +}
 +
 +#define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
 +#define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
 +#define ADD8(a, b, n)  RESULT(add8_usat(a, b), n, 8);
 +#define SUB8(a, b, n)  RESULT(sub8_usat(a, b), n, 8);
 +#define PFX uq
 +
 +#include "op_addsub.c.inc"
 +
 +/* Signed modulo arithmetic.  */
 +#define SARITH16(a, b, n, op) do { \
 +    int32_t sum; \
 +    sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
 +    RESULT(sum, n, 16); \
 +    if (sum >= 0) \
 +        ge |= 3 << (n * 2); \
 +    } while (0)
 +
 +#define SARITH8(a, b, n, op) do { \
 +    int32_t sum; \
 +    sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
 +    RESULT(sum, n, 8); \
 +    if (sum >= 0) \
 +        ge |= 1 << n; \
 +    } while (0)
 +
 +
 +#define ADD16(a, b, n) SARITH16(a, b, n, +)
 +#define SUB16(a, b, n) SARITH16(a, b, n, -)
 +#define ADD8(a, b, n)  SARITH8(a, b, n, +)
 +#define SUB8(a, b, n)  SARITH8(a, b, n, -)
 +#define PFX s
 +#define ARITH_GE
 +
 +#include "op_addsub.c.inc"
 +
 +/* Unsigned modulo arithmetic.  */
 +#define ADD16(a, b, n) do { \
 +    uint32_t sum; \
 +    sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
 +    RESULT(sum, n, 16); \
 +    if ((sum >> 16) == 1) \
 +        ge |= 3 << (n * 2); \
 +    } while (0)
 +
 +#define ADD8(a, b, n) do { \
 +    uint32_t sum; \
 +    sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
 +    RESULT(sum, n, 8); \
 +    if ((sum >> 8) == 1) \
 +        ge |= 1 << n; \
 +    } while (0)
 +
 +#define SUB16(a, b, n) do { \
 +    uint32_t sum; \
 +    sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
 +    RESULT(sum, n, 16); \
 +    if ((sum >> 16) == 0) \
 +        ge |= 3 << (n * 2); \
 +    } while (0)
 +
 +#define SUB8(a, b, n) do { \
 +    uint32_t sum; \
 +    sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
 +    RESULT(sum, n, 8); \
 +    if ((sum >> 8) == 0) \
 +        ge |= 1 << n; \
 +    } while (0)
 +
 +#define PFX u
 +#define ARITH_GE
 +
 +#include "op_addsub.c.inc"
 +
 +/* Halved signed arithmetic.  */
 +#define ADD16(a, b, n) \
 +  RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
 +#define SUB16(a, b, n) \
 +  RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
 +#define ADD8(a, b, n) \
 +  RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
 +#define SUB8(a, b, n) \
 +  RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
 +#define PFX sh
 +
 +#include "op_addsub.c.inc"
 +
 +/* Halved unsigned arithmetic.  */
 +#define ADD16(a, b, n) \
 +  RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
 +#define SUB16(a, b, n) \
 +  RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
 +#define ADD8(a, b, n) \
 +  RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
 +#define SUB8(a, b, n) \
 +  RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
 +#define PFX uh
 +
 +#include "op_addsub.c.inc"
 +
 +static inline uint8_t do_usad(uint8_t a, uint8_t b)
 +{
 +    if (a > b) {
 +        return a - b;
 +    } else {
 +        return b - a;
 +    }
 +}
 +
 +/* Unsigned sum of absolute byte differences.  */
 +uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
 +{
 +    uint32_t sum;
 +    sum = do_usad(a, b);
 +    sum += do_usad(a >> 8, b >> 8);
 +    sum += do_usad(a >> 16, b >> 16);
 +    sum += do_usad(a >> 24, b >> 24);
 +    return sum;
 +}
 +
 +/* For ARMv6 SEL instruction.  */
 +uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
 +{
 +    uint32_t mask;
 +
 +    mask = 0;
 +    if (flags & 1) {
 +        mask |= 0xff;
 +    }
 +    if (flags & 2) {
 +        mask |= 0xff00;
 +    }
 +    if (flags & 4) {
 +        mask |= 0xff0000;
 +    }
 +    if (flags & 8) {
 +        mask |= 0xff000000;
 +    }
 +    return (a & mask) | (b & ~mask);
 +}
 +
 +/*
-+ * SME outer product, FZ vs FZ16
++ * CRC helpers.
-+ * SPDX-License-Identifier: GPL-2.0-or-later
++ * The upper bytes of val (above the number specified by 'bytes') must have
 + * been zeroed out by the caller.
 + */
-+
++uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
-+#include <stdint.h>
++{
-+#include <stdio.h>
++    uint8_t buf[4];
 +
-+static void test_fmopa(uint32_t *result)
++    stl_le_p(buf, val);
-+{
++
-+    asm(".arch_extension sme\n\t"
++    /* zlib crc32 converts the accumulator and output to one's complement.  */
-+        "smstart\n\t"               /* Z*, P* and ZArray cleared */
++    return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
-+        "ptrue p2.b, vl16\n\t"      /* Limit vector length to 16 */
++}
-+        "ptrue p5.b, vl16\n\t"
++
-+        "movi d0, #0x00ff\n\t"      /* fp16 denormal */
++uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
-+        "movi d16, #0x00ff\n\t"
++{
-+        "mov w15, #0x0001000000\n\t" /* FZ=1, FZ16=0 */
++    uint8_t buf[4];
-+        "msr fpcr, x15\n\t"
++
-+        "fmopa za3.s, p2/m, p5/m, z16.h, z0.h\n\t"
++    stl_le_p(buf, val);
-+        "mov w15, #0\n\t"
++
-+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
++    /* Linux crc32c converts the output to one's complement.  */
-+        "add %0, %0, #16\n\t"
++    return crc32c(acc, buf, bytes) ^ 0xffffffff;
-+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
++}
-+        "mov w15, #2\n\t"
+diff --git a/target/arm/op_addsub.h b/target/arm/tcg/op_addsub.c.inc
-+        "add %0, %0, #16\n\t"
+similarity index 100%
-+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
+rename from target/arm/op_addsub.h
-+        "add %0, %0, #16\n\t"
+rename to target/arm/tcg/op_addsub.c.inc
-+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
+diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
 +        "smstop"
 +        : "+r"(result) :
 +        : "x15", "x16", "p2", "p5", "d0", "d16", "memory");
 +}
 +
 +int main(void)
 +{
 +    uint32_t result[4 * 4] = { };
 +
 +    test_fmopa(result);
 +
 +    if (result[0] != 0x2f7e0100) {
 +        printf("Test failed: Incorrect output in first 4 bytes\n"
 +               "Expected: %08x\n"
 +               "Got:      %08x\n",
 +               0x2f7e0100, result[0]);
 +        return 1;
 +    }
 +
 +    for (int i = 1; i < 16; ++i) {
 +        if (result[i] != 0) {
 +            printf("Test failed: Non-zero word at position %d\n", i);
 +            return 1;
 +        }
 +    }
 +
 +    return 0;
 +}
 diff --git a/tests/tcg/aarch64/sme-fmopa-3.c b/tests/tcg/aarch64/sme-fmopa-3.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/aarch64/sme-fmopa-3.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * SME outer product, [ 1 2 3 4 ] squared
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include <stdio.h>
 +#include <stdint.h>
 +#include <string.h>
 +#include <math.h>
 +
 +static const float i_1234[4] = {
 +    1.0f, 2.0f, 3.0f, 4.0f
 +};
 +
 +static const float expected[4] = {
 +    4.515625f, 5.750000f, 6.984375f, 8.218750f
 +};
 +
 +static void test_fmopa(float *result)
 +{
 +    asm(".arch_extension sme\n\t"
 +        "smstart\n\t"               /* ZArray cleared */
 +        "ptrue p2.b, vl16\n\t"      /* Limit vector length to 16 */
 +        "ld1w {z0.s}, p2/z, [%1]\n\t"
 +        "mov w15, #0\n\t"
 +        "mov za3h.s[w15, 0], p2/m, z0.s\n\t"
 +        "mov za3h.s[w15, 1], p2/m, z0.s\n\t"
 +        "mov w15, #2\n\t"
 +        "mov za3h.s[w15, 0], p2/m, z0.s\n\t"
 +        "mov za3h.s[w15, 1], p2/m, z0.s\n\t"
 +        "msr fpcr, xzr\n\t"
 +        "fmopa za3.s, p2/m, p2/m, z0.h, z0.h\n\t"
 +        "mov w15, #0\n\t"
 +        "st1w {za3h.s[w15, 0]}, p2, [%0]\n"
 +        "add %0, %0, #16\n\t"
 +        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
 +        "mov w15, #2\n\t"
 +        "add %0, %0, #16\n\t"
 +        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
 +        "add %0, %0, #16\n\t"
 +        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
 +        "smstop"
 +        : "+r"(result) : "r"(i_1234)
 +        : "x15", "x16", "p2", "d0", "memory");
 +}
 +
 +int main(void)
 +{
 +    float result[4 * 4] = { };
 +    int ret = 0;
 +
 +    test_fmopa(result);
 +
 +    for (int i = 0; i < 4; i++) {
 +        float actual = result[i];
 +        if (fabsf(actual - expected[i]) > 0.001f) {
 +            printf("Test failed at element %d: Expected %f, got %f\n",
 +                   i, expected[i], actual);
 +            ret = 1;
 +        }
 +    }
 +    return ret;
 +}
 diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
---- a/tests/tcg/aarch64/Makefile.target
+--- a/target/arm/tcg/meson.build
-+++ b/tests/tcg/aarch64/Makefile.target
++++ b/target/arm/tcg/meson.build
-@@ -XXX,XX +XXX,XX @@ endif
+@@ -XXX,XX +XXX,XX @@ arm_ss.add(files(
+   'tlb_helper.c',
- # SME Tests
+   'vec_helper.c',
- ifneq ($(CROSS_AS_HAS_ARMV9_SME),)
+   'tlb-insns.c',
--AARCH64_TESTS += sme-outprod1 sme-smopa-1 sme-smopa-2
++  'arith_helper.c',
--sme-outprod1 sme-smopa-1 sme-smopa-2: CFLAGS += $(CROSS_AS_HAS_ARMV9_SME)
+ ))
-+SME_TESTS = sme-outprod1 sme-smopa-1 sme-smopa-2 sme-fmopa-1 sme-fmopa-2 sme-fmopa-3
-+AARCH64_TESTS += $(SME_TESTS)
+ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
 +$(SME_TESTS): CFLAGS += $(CROSS_AS_HAS_ARMV9_SME)
  endif
  # System Registers Tests
 --
 .34.1

-[PULL 25/26] tests/arm-cpu-features: Do not assume PMU availability
+[PULL 08/11] target/arm: add new property to select pauth-qarma5
-From: Akihiko Odaki <akihiko.odaki@daynix.com>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-Asahi Linux supports KVM but lacks PMU support.
+Before changing default pauth algorithm, we need to make sure current
 default one (QARMA5) can still be selected.
-Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+$ qemu-system-aarch64 -cpu max,pauth-qarma5=on ...
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Message-id: 20240716-pmu-v3-1-8c7c1858a227@daynix.com
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20241219183211.3493974-2-pierrick.bouvier@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/qtest/arm-cpu-features.c | 13 ++++++++-----
+ docs/system/arm/cpu-features.rst |  5 ++++-
-file changed, 8 insertions(+), 5 deletions(-)
+ target/arm/cpu.h                 |  1 +
  target/arm/arm-qmp-cmds.c        |  2 +-
  target/arm/cpu64.c               | 20 ++++++++++++++------
  tests/qtest/arm-cpu-features.c   | 15 +++++++++++----
 files changed, 31 insertions(+), 12 deletions(-)
+diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/cpu-features.rst
++++ b/docs/system/arm/cpu-features.rst
+@@ -XXX,XX +XXX,XX @@ Below is the list of TCG VCPU features and their descriptions.
+ ``pauth-qarma3``
+   When ``pauth`` is enabled, select the architected QARMA3 algorithm.
+-Without either ``pauth-impdef`` or ``pauth-qarma3`` enabled,
++``pauth-qarma5``
++  When ``pauth`` is enabled, select the architected QARMA5 algorithm.
++
++Without ``pauth-impdef``, ``pauth-qarma3`` or ``pauth-qarma5`` enabled,
+ the architected QARMA5 algorithm is used.  The architected QARMA5
+ and QARMA3 algorithms have good cryptographic properties, but can
+ be quite slow to emulate.  The impdef algorithm used by QEMU is
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
+     bool prop_pauth;
+     bool prop_pauth_impdef;
+     bool prop_pauth_qarma3;
++    bool prop_pauth_qarma5;
+     bool prop_lpa2;
+     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
+diff --git a/target/arm/arm-qmp-cmds.c b/target/arm/arm-qmp-cmds.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/arm-qmp-cmds.c
++++ b/target/arm/arm-qmp-cmds.c
+@@ -XXX,XX +XXX,XX @@ static const char *cpu_model_advertised_features[] = {
+     "sve640", "sve768", "sve896", "sve1024", "sve1152", "sve1280",
+     "sve1408", "sve1536", "sve1664", "sve1792", "sve1920", "sve2048",
+     "kvm-no-adjvtime", "kvm-steal-time",
+-    "pauth", "pauth-impdef", "pauth-qarma3",
++    "pauth", "pauth-impdef", "pauth-qarma3", "pauth-qarma5",
+     NULL
+ };
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu64.c
++++ b/target/arm/cpu64.c
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp)
+         }
+         if (cpu->prop_pauth) {
+-            if (cpu->prop_pauth_impdef && cpu->prop_pauth_qarma3) {
++            if ((cpu->prop_pauth_impdef && cpu->prop_pauth_qarma3) ||
++                (cpu->prop_pauth_impdef && cpu->prop_pauth_qarma5) ||
++                (cpu->prop_pauth_qarma3 && cpu->prop_pauth_qarma5)) {
+                 error_setg(errp,
+-                           "cannot enable both pauth-impdef and pauth-qarma3");
++                           "cannot enable pauth-impdef, pauth-qarma3 and "
++                           "pauth-qarma5 at the same time");
+                 return;
+             }
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp)
+             } else if (cpu->prop_pauth_qarma3) {
+                 isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, APA3, features);
+                 isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, GPA3, 1);
+-            } else {
++            } else { /* default is pauth-qarma5 */
+                 isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, APA, features);
+                 isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPA, 1);
+             }
+-        } else if (cpu->prop_pauth_impdef || cpu->prop_pauth_qarma3) {
+-            error_setg(errp, "cannot enable pauth-impdef or "
+-                       "pauth-qarma3 without pauth");
++        } else if (cpu->prop_pauth_impdef ||
++                   cpu->prop_pauth_qarma3 ||
++                   cpu->prop_pauth_qarma5) {
++            error_setg(errp, "cannot enable pauth-impdef, pauth-qarma3 or "
++                       "pauth-qarma5 without pauth");
+             error_append_hint(errp, "Add pauth=on to the CPU property list.\n");
+         }
+     }
+@@ -XXX,XX +XXX,XX @@ static const Property arm_cpu_pauth_impdef_property =
+     DEFINE_PROP_BOOL("pauth-impdef", ARMCPU, prop_pauth_impdef, false);
+ static const Property arm_cpu_pauth_qarma3_property =
+     DEFINE_PROP_BOOL("pauth-qarma3", ARMCPU, prop_pauth_qarma3, false);
++static Property arm_cpu_pauth_qarma5_property =
++    DEFINE_PROP_BOOL("pauth-qarma5", ARMCPU, prop_pauth_qarma5, false);
+ void aarch64_add_pauth_properties(Object *obj)
+ {
+@@ -XXX,XX +XXX,XX @@ void aarch64_add_pauth_properties(Object *obj)
+     } else {
+         qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_impdef_property);
+         qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_qarma3_property);
++        qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_qarma5_property);
+     }
+ }
 diff --git a/tests/qtest/arm-cpu-features.c b/tests/qtest/arm-cpu-features.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/arm-cpu-features.c
 +++ b/tests/qtest/arm-cpu-features.c
-@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
+@@ -XXX,XX +XXX,XX @@ static void pauth_tests_default(QTestState *qts, const char *cpu_type)
-     assert_set_feature(qts, "host", "kvm-no-adjvtime", false);
+     assert_has_feature_enabled(qts, cpu_type, "pauth");
+     assert_has_feature_disabled(qts, cpu_type, "pauth-impdef");
-     if (g_str_equal(qtest_get_arch(), "aarch64")) {
+     assert_has_feature_disabled(qts, cpu_type, "pauth-qarma3");
-+        bool kvm_supports_pmu;
++    assert_has_feature_disabled(qts, cpu_type, "pauth-qarma5");
-         bool kvm_supports_steal_time;
+     assert_set_feature(qts, cpu_type, "pauth", false);
-         bool kvm_supports_sve;
+     assert_set_feature(qts, cpu_type, "pauth", true);
-         char max_name[8], name[8];
+     assert_set_feature(qts, cpu_type, "pauth-impdef", true);
-@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
+     assert_set_feature(qts, cpu_type, "pauth-impdef", false);
+     assert_set_feature(qts, cpu_type, "pauth-qarma3", true);
-         assert_has_feature_enabled(qts, "host", "aarch64");
+     assert_set_feature(qts, cpu_type, "pauth-qarma3", false);
++    assert_set_feature(qts, cpu_type, "pauth-qarma5", true);
--        /* Enabling and disabling pmu should always work. */
++    assert_set_feature(qts, cpu_type, "pauth-qarma5", false);
--        assert_has_feature_enabled(qts, "host", "pmu");
+     assert_error(qts, cpu_type,
--        assert_set_feature(qts, "host", "pmu", false);
+-                 "cannot enable pauth-impdef or pauth-qarma3 without pauth",
--        assert_set_feature(qts, "host", "pmu", true);
++                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
--
+                  "{ 'pauth': false, 'pauth-impdef': true }");
-         /*
+     assert_error(qts, cpu_type,
-          * Some features would be enabled by default, but they're disabled
+-                 "cannot enable pauth-impdef or pauth-qarma3 without pauth",
-          * because this instance of KVM doesn't support them. Test that the
++                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
-@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
+                  "{ 'pauth': false, 'pauth-qarma3': true }");
-         assert_has_feature(qts, "host", "sve");
+     assert_error(qts, cpu_type,
+-                 "cannot enable both pauth-impdef and pauth-qarma3",
-         resp = do_query_no_props(qts, "host");
+-                 "{ 'pauth': true, 'pauth-impdef': true, 'pauth-qarma3': true }");
-+        kvm_supports_pmu = resp_get_feature(resp, "pmu");
++                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
-         kvm_supports_steal_time = resp_get_feature(resp, "kvm-steal-time");
++                 "{ 'pauth': false, 'pauth-qarma5': true }");
-         kvm_supports_sve = resp_get_feature(resp, "sve");
++    assert_error(qts, cpu_type,
-         vls = resp_get_sve_vls(resp);
++                 "cannot enable pauth-impdef, pauth-qarma3 and pauth-qarma5 at the same time",
-         qobject_unref(resp);
++                 "{ 'pauth': true, 'pauth-impdef': true, 'pauth-qarma3': true,"
++                 "  'pauth-qarma5': true }");
-+        if (kvm_supports_pmu) {
+ }
-+            /* If we have pmu then we should be able to toggle it. */
-+            assert_set_feature(qts, "host", "pmu", false);
+ static void test_query_cpu_model_expansion(const void *data)
 +            assert_set_feature(qts, "host", "pmu", true);
 +        }
 +
          if (kvm_supports_steal_time) {
              /* If we have steal-time then we should be able to toggle it. */
              assert_set_feature(qts, "host", "kvm-steal-time", false);
 --
 .34.1

-[PULL 04/26] hw/arm/smmu-common: Add missing size check for stage-1
+[PULL 09/11] tests/tcg/aarch64: force qarma5 for pauth-3 test
-From: Mostafa Saleh <smostafa@google.com>
+The pauth-3 test explicitly tests that a computation of the
 pointer-authentication produces the expected result.  This means that
 it must be run with the QARMA5 algorithm.
-According to the SMMU architecture specification (ARM IHI 0070 F.b),
+Explicitly set the pauth algorithm when running this test, so that it
-in “3.4 Address sizes”
+doesn't break when we change the default algorithm the 'max' CPU
-    The address output from the translation causes a stage 1 Address Size
+uses.
     fault if it exceeds the range of the effective IPA size for the given CD.
-However, this check was missing.
-There is already a similar check for stage-2 against effective PA.
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Message-id: 20240715084519.1189624-2-smostafa@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmu-common.c | 10 ++++++++++
+ tests/tcg/aarch64/Makefile.softmmu-target | 3 +++
-file changed, 10 insertions(+)
+file changed, 3 insertions(+)
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
+diff --git a/tests/tcg/aarch64/Makefile.softmmu-target b/tests/tcg/aarch64/Makefile.softmmu-target
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
+--- a/tests/tcg/aarch64/Makefile.softmmu-target
-+++ b/hw/arm/smmu-common.c
++++ b/tests/tcg/aarch64/Makefile.softmmu-target
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
+@@ -XXX,XX +XXX,XX @@ EXTRA_RUNS+=run-memory-replay
-             goto error;
-         }
+ ifneq ($(CROSS_CC_HAS_ARMV8_3),)
+ pauth-3: CFLAGS += $(CROSS_CC_HAS_ARMV8_3)
-+        /*
++# This test explicitly checks the output of the pauth operation so we
-+         * The address output from the translation causes a stage 1 Address
++# must force the use of the QARMA5 algorithm for it.
-+         * Size fault if it exceeds the range of the effective IPA size for
++run-pauth-3: QEMU_BASE_MACHINE=-M virt -cpu max,pauth-qarma5=on -display none
-+         * the given CD.
+ else
-+         */
+ pauth-3:
-+        if (gpa >= (1ULL << cfg->oas)) {
+     $(call skip-test, "BUILD of $@", "missing compiler support")
 +            info->type = SMMU_PTW_ERR_ADDR_SIZE;
 +            goto error;
 +        }
 +
          tlbe->entry.translated_addr = gpa;
          tlbe->entry.iova = iova & ~mask;
          tlbe->entry.addr_mask = mask;
 --
 .34.1

-[PULL 06/26] hw/arm/smmuv3: Fix encoding of CLASS in events
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-The SMMUv3 spec (ARM IHI 0070 F.b - 7.3 Event records) defines the
-class of events faults as:
-CLASS: The class of the operation that caused the fault:
-- 0b00: CD, CD fetch.
-- 0b01: TTD, Stage 1 translation table fetch.
-- 0b10: IN, Input address
-However, this value was not set and left as 0 which means CD and not
-IN (0b10).
-Another problem was that stage-2 class is considered IN not TT for
-EABT, according to the spec:
-    Translation of an IPA after successful stage 1 translation (or,
-    in stage 2-only configuration, an input IPA)
-    - S2 == 1 (stage 2), CLASS == IN (Input to stage)
-This would change soon when nested translations are supported.
-While at it, add an enum for class as it would be used for nesting.
-However, at the moment stage-1 and stage-2 use the same class values,
-except for EABT.
-Fixes: 9bde7f0674 “hw/arm/smmuv3: Implement translate callback”
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20240715084519.1189624-4-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmuv3-internal.h | 6 ++++++
- hw/arm/smmuv3.c          | 8 +++++++-
-files changed, 13 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
-+++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ typedef enum SMMUTranslationStatus {
-     SMMU_TRANS_SUCCESS,
- } SMMUTranslationStatus;
-+typedef enum SMMUTranslationClass {
-+    SMMU_CLASS_CD,
-+    SMMU_CLASS_TT,
-+    SMMU_CLASS_IN,
-+} SMMUTranslationClass;
-+
- /* MMIO Registers */
- REG32(IDR0,                0x0)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-             event.type = SMMU_EVT_F_WALK_EABT;
-             event.u.f_walk_eabt.addr = addr;
-             event.u.f_walk_eabt.rnw = flag & 0x1;
--            event.u.f_walk_eabt.class = 0x1;
-+            /* Stage-2 (only) is class IN while stage-1 is class TT */
-+            event.u.f_walk_eabt.class = (ptw_info.stage == 2) ?
-+                                         SMMU_CLASS_IN : SMMU_CLASS_TT;
-             event.u.f_walk_eabt.addr2 = ptw_info.addr;
-             break;
-         case SMMU_PTW_ERR_TRANSLATION:
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                 event.type = SMMU_EVT_F_TRANSLATION;
-                 event.u.f_translation.addr = addr;
-                 event.u.f_translation.addr2 = ptw_info.addr;
-+                event.u.f_translation.class = SMMU_CLASS_IN;
-                 event.u.f_translation.rnw = flag & 0x1;
-             }
-             break;
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                 event.type = SMMU_EVT_F_ADDR_SIZE;
-                 event.u.f_addr_size.addr = addr;
-                 event.u.f_addr_size.addr2 = ptw_info.addr;
-+                event.u.f_translation.class = SMMU_CLASS_IN;
-                 event.u.f_addr_size.rnw = flag & 0x1;
-             }
-             break;
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                 event.type = SMMU_EVT_F_ACCESS;
-                 event.u.f_access.addr = addr;
-                 event.u.f_access.addr2 = ptw_info.addr;
-+                event.u.f_translation.class = SMMU_CLASS_IN;
-                 event.u.f_access.rnw = flag & 0x1;
-             }
-             break;
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                 event.type = SMMU_EVT_F_PERMISSION;
-                 event.u.f_permission.addr = addr;
-                 event.u.f_permission.addr2 = ptw_info.addr;
-+                event.u.f_translation.class = SMMU_CLASS_IN;
-                 event.u.f_permission.rnw = flag & 0x1;
-             }
-             break;
---
-.34.1

-[PULL 07/26] hw/arm/smmu: Use enum for SMMU stage
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-Currently, translation stage is represented as an int, where 1 is stage-1 and
-is stage-2, when nested is added, 3 would be confusing to represent nesting,
-so we use an enum instead.
-While keeping the same values, this is useful for:
- - Doing tricks with bit masks, where BIT(0) is stage-1 and BIT(1) is
-   stage-2 and both is nested.
- - Tracing, as stage is printed as int.
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Message-id: 20240715084519.1189624-5-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h | 11 +++++++++--
- hw/arm/smmu-common.c         | 14 +++++++-------
- hw/arm/smmuv3.c              | 17 +++++++++--------
-files changed, 25 insertions(+), 17 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ typedef enum {
-     SMMU_PTW_ERR_PERMISSION,  /* Permission fault */
- } SMMUPTWEventType;
-+/* SMMU Stage */
-+typedef enum {
-+    SMMU_STAGE_1 = 1,
-+    SMMU_STAGE_2,
-+    SMMU_NESTED,
-+} SMMUStage;
-+
- typedef struct SMMUPTWEventInfo {
--    int stage;
-+    SMMUStage stage;
-     SMMUPTWEventType type;
-     dma_addr_t addr; /* fetched address that induced an abort, if any */
- } SMMUPTWEventInfo;
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUS2Cfg {
-  */
- typedef struct SMMUTransCfg {
-     /* Shared fields between stage-1 and stage-2. */
--    int stage;                 /* translation stage */
-+    SMMUStage stage;           /* translation stage */
-     bool disabled;             /* smmu is disabled */
-     bool bypassed;             /* translation is bypassed */
-     bool aborted;              /* translation is aborted */
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
-                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
- {
-     dma_addr_t baseaddr, indexmask;
--    int stage = cfg->stage;
-+    SMMUStage stage = cfg->stage;
-     SMMUTransTableInfo *tt = select_tt(cfg, iova);
-     uint8_t level, granule_sz, inputsize, stride;
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
-     info->type = SMMU_PTW_ERR_TRANSLATION;
- error:
--    info->stage = 1;
-+    info->stage = SMMU_STAGE_1;
-     tlbe->entry.perm = IOMMU_NONE;
-     return -EINVAL;
- }
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
-                           dma_addr_t ipa, IOMMUAccessFlags perm,
-                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
- {
--    const int stage = 2;
-+    const SMMUStage stage = SMMU_STAGE_2;
-     int granule_sz = cfg->s2cfg.granule_sz;
-     /* ARM DDI0487I.a: Table D8-7. */
-     int inputsize = 64 - cfg->s2cfg.tsz;
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
- error_ipa:
-     info->addr = ipa;
- error:
--    info->stage = 2;
-+    info->stage = SMMU_STAGE_2;
-     tlbe->entry.perm = IOMMU_NONE;
-     return -EINVAL;
- }
-@@ -XXX,XX +XXX,XX @@ error:
- int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-              SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
- {
--    if (cfg->stage == 1) {
-+    if (cfg->stage == SMMU_STAGE_1) {
-         return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);
--    } else if (cfg->stage == 2) {
-+    } else if (cfg->stage == SMMU_STAGE_2) {
-         /*
-          * If bypassing stage 1(or unimplemented), the input address is passed
-          * directly to stage 2 as IPA. If the input address of a transaction
-@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-          */
-         if (iova >= (1ULL << cfg->oas)) {
-             info->type = SMMU_PTW_ERR_ADDR_SIZE;
--            info->stage = 1;
-+            info->stage = SMMU_STAGE_1;
-             tlbe->entry.perm = IOMMU_NONE;
-             return -EINVAL;
-         }
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@
- #include "smmuv3-internal.h"
- #include "smmu-internal.h"
--#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == 1) ? (cfg)->record_faults : \
-+#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == SMMU_STAGE_1) ? \
-+                                 (cfg)->record_faults : \
-                                  (cfg)->s2cfg.record_faults)
- /**
-@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
- static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
- {
--    cfg->stage = 2;
-+    cfg->stage = SMMU_STAGE_2;
-     if (STE_S2AA64(ste) == 0x0) {
-         qemu_log_mask(LOG_UNIMP,
-@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
-     /* we support only those at the moment */
-     cfg->aa64 = true;
--    cfg->stage = 1;
-+    cfg->stage = SMMU_STAGE_1;
-     cfg->oas = oas2bits(CD_IPS(cd));
-     cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
-         return ret;
-     }
--    if (cfg->aborted || cfg->bypassed || (cfg->stage == 2)) {
-+    if (cfg->aborted || cfg->bypassed || (cfg->stage == SMMU_STAGE_2)) {
-         return 0;
-     }
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-         goto epilogue;
-     }
--    if (cfg->stage == 1) {
-+    if (cfg->stage == SMMU_STAGE_1) {
-         /* Select stage1 translation table. */
-         tt = select_tt(cfg, addr);
-         if (!tt) {
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-              * nesting is not supported. So it is sufficient to check the
-              * translation stage to know the TLB stage for now.
-              */
--            event.u.f_walk_eabt.s2 = (cfg->stage == 2);
-+            event.u.f_walk_eabt.s2 = (cfg->stage == SMMU_STAGE_2);
-             if (PTW_RECORD_FAULT(cfg)) {
-                 event.type = SMMU_EVT_F_PERMISSION;
-                 event.u.f_permission.addr = addr;
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-     if (smmu_ptw(cfg, aligned_addr, flag, cached_entry, &ptw_info)) {
-         /* All faults from PTW has S2 field. */
--        event.u.f_walk_eabt.s2 = (ptw_info.stage == 2);
-+        event.u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
-         g_free(cached_entry);
-         switch (ptw_info.type) {
-         case SMMU_PTW_ERR_WALK_EABT:
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-             event.u.f_walk_eabt.addr = addr;
-             event.u.f_walk_eabt.rnw = flag & 0x1;
-             /* Stage-2 (only) is class IN while stage-1 is class TT */
--            event.u.f_walk_eabt.class = (ptw_info.stage == 2) ?
-+            event.u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
-                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
-             event.u.f_walk_eabt.addr2 = ptw_info.addr;
-             break;
---
-.34.1

-[PULL 08/26] hw/arm/smmu: Split smmuv3_translate()
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-smmuv3_translate() does everything from STE/CD parsing to TLB lookup
-and PTW.
-Soon, when nesting is supported, stage-1 data (tt, CD) needs to be
-translated using stage-2.
-Split smmuv3_translate() to 3 functions:
-- smmu_translate(): in smmu-common.c, which does the TLB lookup, PTW,
-  TLB insertion, all the functions are already there, this just puts
-  them together.
-  This also simplifies the code as it consolidates event generation
-  in case of TLB lookup permission failure or in TT selection.
-- smmuv3_do_translate(): in smmuv3.c, Calls smmu_translate() and does
-  the event population in case of errors.
-- smmuv3_translate(), now calls smmuv3_do_translate() for
-  translation while the rest is the same.
-Also, add stage in trace_smmuv3_translate_success()
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-6-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |   8 ++
- hw/arm/smmu-common.c         |  59 +++++++++++
- hw/arm/smmuv3.c              | 194 +++++++++++++----------------------
- hw/arm/trace-events          |   2 +-
-files changed, 142 insertions(+), 121 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
- int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-              SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
-+
-+/*
-+ * smmu_translate - Look for a translation in TLB, if not, do a PTW.
-+ * Returns NULL on PTW error or incase of TLB permission errors.
-+ */
-+SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-+                             IOMMUAccessFlags flag, SMMUPTWEventInfo *info);
-+
- /**
-  * select_tt - compute which translation table shall be used according to
-  * the input iova and translation config and return the TT specific info
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-     g_assert_not_reached();
- }
-+SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-+                             IOMMUAccessFlags flag, SMMUPTWEventInfo *info)
-+{
-+    uint64_t page_mask, aligned_addr;
-+    SMMUTLBEntry *cached_entry = NULL;
-+    SMMUTransTableInfo *tt;
-+    int status;
-+
-+    /*
-+     * Combined attributes used for TLB lookup, as only one stage is supported,
-+     * it will hold attributes based on the enabled stage.
-+     */
-+    SMMUTransTableInfo tt_combined;
-+
-+    if (cfg->stage == SMMU_STAGE_1) {
-+        /* Select stage1 translation table. */
-+        tt = select_tt(cfg, addr);
-+        if (!tt) {
-+            info->type = SMMU_PTW_ERR_TRANSLATION;
-+            info->stage = SMMU_STAGE_1;
-+            return NULL;
-+        }
-+        tt_combined.granule_sz = tt->granule_sz;
-+        tt_combined.tsz = tt->tsz;
-+
-+    } else {
-+        /* Stage2. */
-+        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
-+        tt_combined.tsz = cfg->s2cfg.tsz;
-+    }
-+
-+    /*
-+     * TLB lookup looks for granule and input size for a translation stage,
-+     * as only one stage is supported right now, choose the right values
-+     * from the configuration.
-+     */
-+    page_mask = (1ULL << tt_combined.granule_sz) - 1;
-+    aligned_addr = addr & ~page_mask;
-+
-+    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
-+    if (cached_entry) {
-+        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
-+            info->type = SMMU_PTW_ERR_PERMISSION;
-+            info->stage = cfg->stage;
-+            return NULL;
-+        }
-+        return cached_entry;
-+    }
-+
-+    cached_entry = g_new0(SMMUTLBEntry, 1);
-+    status = smmu_ptw(cfg, aligned_addr, flag, cached_entry, info);
-+    if (status) {
-+            g_free(cached_entry);
-+            return NULL;
-+    }
-+    smmu_iotlb_insert(bs, cfg, cached_entry);
-+    return cached_entry;
-+}
-+
- /**
-  * The bus number is used for lookup when SID based invalidation occurs.
-  * In that case we lazily populate the SMMUPciBus array from the bus hash
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_flush_config(SMMUDevice *sdev)
-     g_hash_table_remove(bc->configs, sdev);
- }
-+/* Do translation with TLB lookup. */
-+static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-+                                                 SMMUTransCfg *cfg,
-+                                                 SMMUEventInfo *event,
-+                                                 IOMMUAccessFlags flag,
-+                                                 SMMUTLBEntry **out_entry)
-+{
-+    SMMUPTWEventInfo ptw_info = {};
-+    SMMUState *bs = ARM_SMMU(s);
-+    SMMUTLBEntry *cached_entry = NULL;
-+
-+    cached_entry = smmu_translate(bs, cfg, addr, flag, &ptw_info);
-+    if (!cached_entry) {
-+        /* All faults from PTW has S2 field. */
-+        event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
-+        switch (ptw_info.type) {
-+        case SMMU_PTW_ERR_WALK_EABT:
-+            event->type = SMMU_EVT_F_WALK_EABT;
-+            event->u.f_walk_eabt.addr = addr;
-+            event->u.f_walk_eabt.rnw = flag & 0x1;
-+            event->u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
-+                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
-+            event->u.f_walk_eabt.addr2 = ptw_info.addr;
-+            break;
-+        case SMMU_PTW_ERR_TRANSLATION:
-+            if (PTW_RECORD_FAULT(cfg)) {
-+                event->type = SMMU_EVT_F_TRANSLATION;
-+                event->u.f_translation.addr = addr;
-+                event->u.f_translation.addr2 = ptw_info.addr;
-+                event->u.f_translation.class = SMMU_CLASS_IN;
-+                event->u.f_translation.rnw = flag & 0x1;
-+            }
-+            break;
-+        case SMMU_PTW_ERR_ADDR_SIZE:
-+            if (PTW_RECORD_FAULT(cfg)) {
-+                event->type = SMMU_EVT_F_ADDR_SIZE;
-+                event->u.f_addr_size.addr = addr;
-+                event->u.f_addr_size.addr2 = ptw_info.addr;
-+                event->u.f_addr_size.class = SMMU_CLASS_IN;
-+                event->u.f_addr_size.rnw = flag & 0x1;
-+            }
-+            break;
-+        case SMMU_PTW_ERR_ACCESS:
-+            if (PTW_RECORD_FAULT(cfg)) {
-+                event->type = SMMU_EVT_F_ACCESS;
-+                event->u.f_access.addr = addr;
-+                event->u.f_access.addr2 = ptw_info.addr;
-+                event->u.f_access.class = SMMU_CLASS_IN;
-+                event->u.f_access.rnw = flag & 0x1;
-+            }
-+            break;
-+        case SMMU_PTW_ERR_PERMISSION:
-+            if (PTW_RECORD_FAULT(cfg)) {
-+                event->type = SMMU_EVT_F_PERMISSION;
-+                event->u.f_permission.addr = addr;
-+                event->u.f_permission.addr2 = ptw_info.addr;
-+                event->u.f_permission.class = SMMU_CLASS_IN;
-+                event->u.f_permission.rnw = flag & 0x1;
-+            }
-+            break;
-+        default:
-+            g_assert_not_reached();
-+        }
-+        return SMMU_TRANS_ERROR;
-+    }
-+    *out_entry = cached_entry;
-+    return SMMU_TRANS_SUCCESS;
-+}
-+
-+/* Entry point to SMMU, does everything. */
- static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                                       IOMMUAccessFlags flag, int iommu_idx)
- {
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-     SMMUEventInfo event = {.type = SMMU_EVT_NONE,
-                            .sid = sid,
-                            .inval_ste_allowed = false};
--    SMMUPTWEventInfo ptw_info = {};
-     SMMUTranslationStatus status;
--    SMMUState *bs = ARM_SMMU(s);
--    uint64_t page_mask, aligned_addr;
--    SMMUTLBEntry *cached_entry = NULL;
--    SMMUTransTableInfo *tt;
-     SMMUTransCfg *cfg = NULL;
-     IOMMUTLBEntry entry = {
-         .target_as = &address_space_memory,
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-         .addr_mask = ~(hwaddr)0,
-         .perm = IOMMU_NONE,
-     };
--    /*
--     * Combined attributes used for TLB lookup, as only one stage is supported,
--     * it will hold attributes based on the enabled stage.
--     */
--    SMMUTransTableInfo tt_combined;
-+    SMMUTLBEntry *cached_entry = NULL;
-     qemu_mutex_lock(&s->mutex);
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-         goto epilogue;
-     }
--    if (cfg->stage == SMMU_STAGE_1) {
--        /* Select stage1 translation table. */
--        tt = select_tt(cfg, addr);
--        if (!tt) {
--            if (cfg->record_faults) {
--                event.type = SMMU_EVT_F_TRANSLATION;
--                event.u.f_translation.addr = addr;
--                event.u.f_translation.rnw = flag & 0x1;
--            }
--            status = SMMU_TRANS_ERROR;
--            goto epilogue;
--        }
--        tt_combined.granule_sz = tt->granule_sz;
--        tt_combined.tsz = tt->tsz;
--
--    } else {
--        /* Stage2. */
--        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
--        tt_combined.tsz = cfg->s2cfg.tsz;
--    }
--    /*
--     * TLB lookup looks for granule and input size for a translation stage,
--     * as only one stage is supported right now, choose the right values
--     * from the configuration.
--     */
--    page_mask = (1ULL << tt_combined.granule_sz) - 1;
--    aligned_addr = addr & ~page_mask;
--
--    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
--    if (cached_entry) {
--        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
--            status = SMMU_TRANS_ERROR;
--            /*
--             * We know that the TLB only contains either stage-1 or stage-2 as
--             * nesting is not supported. So it is sufficient to check the
--             * translation stage to know the TLB stage for now.
--             */
--            event.u.f_walk_eabt.s2 = (cfg->stage == SMMU_STAGE_2);
--            if (PTW_RECORD_FAULT(cfg)) {
--                event.type = SMMU_EVT_F_PERMISSION;
--                event.u.f_permission.addr = addr;
--                event.u.f_permission.rnw = flag & 0x1;
--            }
--        } else {
--            status = SMMU_TRANS_SUCCESS;
--        }
--        goto epilogue;
--    }
--
--    cached_entry = g_new0(SMMUTLBEntry, 1);
--
--    if (smmu_ptw(cfg, aligned_addr, flag, cached_entry, &ptw_info)) {
--        /* All faults from PTW has S2 field. */
--        event.u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
--        g_free(cached_entry);
--        switch (ptw_info.type) {
--        case SMMU_PTW_ERR_WALK_EABT:
--            event.type = SMMU_EVT_F_WALK_EABT;
--            event.u.f_walk_eabt.addr = addr;
--            event.u.f_walk_eabt.rnw = flag & 0x1;
--            /* Stage-2 (only) is class IN while stage-1 is class TT */
--            event.u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
--                                         SMMU_CLASS_IN : SMMU_CLASS_TT;
--            event.u.f_walk_eabt.addr2 = ptw_info.addr;
--            break;
--        case SMMU_PTW_ERR_TRANSLATION:
--            if (PTW_RECORD_FAULT(cfg)) {
--                event.type = SMMU_EVT_F_TRANSLATION;
--                event.u.f_translation.addr = addr;
--                event.u.f_translation.addr2 = ptw_info.addr;
--                event.u.f_translation.class = SMMU_CLASS_IN;
--                event.u.f_translation.rnw = flag & 0x1;
--            }
--            break;
--        case SMMU_PTW_ERR_ADDR_SIZE:
--            if (PTW_RECORD_FAULT(cfg)) {
--                event.type = SMMU_EVT_F_ADDR_SIZE;
--                event.u.f_addr_size.addr = addr;
--                event.u.f_addr_size.addr2 = ptw_info.addr;
--                event.u.f_translation.class = SMMU_CLASS_IN;
--                event.u.f_addr_size.rnw = flag & 0x1;
--            }
--            break;
--        case SMMU_PTW_ERR_ACCESS:
--            if (PTW_RECORD_FAULT(cfg)) {
--                event.type = SMMU_EVT_F_ACCESS;
--                event.u.f_access.addr = addr;
--                event.u.f_access.addr2 = ptw_info.addr;
--                event.u.f_translation.class = SMMU_CLASS_IN;
--                event.u.f_access.rnw = flag & 0x1;
--            }
--            break;
--        case SMMU_PTW_ERR_PERMISSION:
--            if (PTW_RECORD_FAULT(cfg)) {
--                event.type = SMMU_EVT_F_PERMISSION;
--                event.u.f_permission.addr = addr;
--                event.u.f_permission.addr2 = ptw_info.addr;
--                event.u.f_translation.class = SMMU_CLASS_IN;
--                event.u.f_permission.rnw = flag & 0x1;
--            }
--            break;
--        default:
--            g_assert_not_reached();
--        }
--        status = SMMU_TRANS_ERROR;
--    } else {
--        smmu_iotlb_insert(bs, cfg, cached_entry);
--        status = SMMU_TRANS_SUCCESS;
--    }
-+    status = smmuv3_do_translate(s, addr, cfg, &event, flag, &cached_entry);
- epilogue:
-     qemu_mutex_unlock(&s->mutex);
-@@ -XXX,XX +XXX,XX @@ epilogue:
-                                     (addr & cached_entry->entry.addr_mask);
-         entry.addr_mask = cached_entry->entry.addr_mask;
-         trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr,
--                                       entry.translated_addr, entry.perm);
-+                                       entry.translated_addr, entry.perm,
-+                                       cfg->stage);
-         break;
-     case SMMU_TRANS_DISABLE:
-         entry.perm = flag;
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
- smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
- smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x STE bypass iova:0x%"PRIx64" is_write=%d"
- smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x abort on iova:0x%"PRIx64" is_write=%d"
--smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
-+smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm, int stage) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x stage=%d"
- smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
- smmuv3_decode_cd(uint32_t oas) "oas=%d"
- smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz, bool had) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d had:%d"
---
-.34.1

-[PULL 09/26] hw/arm/smmu: Consolidate ASID and VMID types
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-ASID and VMID used to be uint16_t in the translation config, however,
-in other contexts they can be int as -1 in case of TLB invalidation,
-to represent all (don’t care).
-When stage-2 was added asid was set to -1 in stage-2 and vmid to -1
-in stage-1 configs. However, that meant they were set as (65536),
-this was not an issue as nesting was not supported and no
-commands/lookup uses both.
-With nesting, it’s critical to get this right as translation must be
-tagged correctly with ASID/VMID, and with ASID=-1 meaning stage-2.
-Represent ASID/VMID everywhere as int.
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-7-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h | 14 +++++++-------
- hw/arm/smmu-common.c         | 10 +++++-----
- hw/arm/smmuv3.c              |  4 ++--
- hw/arm/trace-events          | 18 +++++++++---------
-files changed, 23 insertions(+), 23 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUS2Cfg {
-     bool record_faults;     /* Record fault events (S2R) */
-     uint8_t granule_sz;     /* Granule page shift (based on S2TG) */
-     uint8_t eff_ps;         /* Effective PA output range (based on S2PS) */
--    uint16_t vmid;          /* Virtual Machine ID (S2VMID) */
-+    int vmid;               /* Virtual Machine ID (S2VMID) */
-     uint64_t vttb;          /* Address of translation table base (S2TTB) */
- } SMMUS2Cfg;
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
-     uint64_t ttb;              /* TT base address */
-     uint8_t oas;               /* output address width */
-     uint8_t tbi;               /* Top Byte Ignore */
--    uint16_t asid;
-+    int asid;
-     SMMUTransTableInfo tt[2];
-     /* Used by stage-2 only. */
-     struct SMMUS2Cfg s2cfg;
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUPciBus {
- typedef struct SMMUIOTLBKey {
-     uint64_t iova;
--    uint16_t asid;
--    uint16_t vmid;
-+    int asid;
-+    int vmid;
-     uint8_t tg;
-     uint8_t level;
- } SMMUIOTLBKey;
-@@ -XXX,XX +XXX,XX @@ SMMUDevice *smmu_find_sdev(SMMUState *s, uint32_t sid);
- SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
-                                 SMMUTransTableInfo *tt, hwaddr iova);
- void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *entry);
--SMMUIOTLBKey smmu_get_iotlb_key(uint16_t asid, uint16_t vmid, uint64_t iova,
-+SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
-                                 uint8_t tg, uint8_t level);
- void smmu_iotlb_inv_all(SMMUState *s);
--void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid);
--void smmu_iotlb_inv_vmid(SMMUState *s, uint16_t vmid);
-+void smmu_iotlb_inv_asid(SMMUState *s, int asid);
-+void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
- void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static gboolean smmu_iotlb_key_equal(gconstpointer v1, gconstpointer v2)
-            (k1->vmid == k2->vmid);
- }
--SMMUIOTLBKey smmu_get_iotlb_key(uint16_t asid, uint16_t vmid, uint64_t iova,
-+SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
-                                 uint8_t tg, uint8_t level)
- {
-     SMMUIOTLBKey key = {.asid = asid, .vmid = vmid, .iova = iova,
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_all(SMMUState *s)
- static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
-                                          gpointer user_data)
- {
--    uint16_t asid = *(uint16_t *)user_data;
-+    int asid = *(int *)user_data;
-     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
-     return SMMU_IOTLB_ASID(*iotlb_key) == asid;
-@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
- static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
-                                          gpointer user_data)
- {
--    uint16_t vmid = *(uint16_t *)user_data;
-+    int vmid = *(int *)user_data;
-     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
-     return SMMU_IOTLB_VMID(*iotlb_key) == vmid;
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                                 &info);
- }
--void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid)
-+void smmu_iotlb_inv_asid(SMMUState *s, int asid)
- {
-     trace_smmu_iotlb_inv_asid(asid);
-     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid, &asid);
- }
--void smmu_iotlb_inv_vmid(SMMUState *s, uint16_t vmid)
-+void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
- {
-     trace_smmu_iotlb_inv_vmid(vmid);
-     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid);
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-         }
-         case SMMU_CMD_TLBI_NH_ASID:
-         {
--            uint16_t asid = CMD_ASID(&cmd);
-+            int asid = CMD_ASID(&cmd);
-             if (!STAGE1_SUPPORTED(s)) {
-                 cmd_error = SMMU_CERROR_ILL;
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-             break;
-         case SMMU_CMD_TLBI_S12_VMALL:
-         {
--            uint16_t vmid = CMD_VMID(&cmd);
-+            int vmid = CMD_VMID(&cmd);
-             if (!STAGE2_SUPPORTED(s)) {
-                 cmd_error = SMMU_CERROR_ILL;
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint6
- smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
- smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
- smmu_iotlb_inv_all(void) "IOTLB invalidate all"
--smmu_iotlb_inv_asid(uint16_t asid) "IOTLB invalidate asid=%d"
--smmu_iotlb_inv_vmid(uint16_t vmid) "IOTLB invalidate vmid=%d"
--smmu_iotlb_inv_iova(uint16_t asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
-+smmu_iotlb_inv_asid(int asid) "IOTLB invalidate asid=%d"
-+smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
-+smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
- smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
--smmu_iotlb_lookup_hit(uint16_t asid, uint16_t vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
--smmu_iotlb_lookup_miss(uint16_t asid, uint16_t vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
--smmu_iotlb_insert(uint16_t asid, uint16_t vmid, uint64_t addr, uint8_t tg, uint8_t level) "IOTLB ++ asid=%d vmid=%d addr=0x%"PRIx64" tg=%d level=%d"
-+smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
-+smmu_iotlb_lookup_miss(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
-+smmu_iotlb_insert(int asid, int vmid, uint64_t addr, uint8_t tg, uint8_t level) "IOTLB ++ asid=%d vmid=%d addr=0x%"PRIx64" tg=%d level=%d"
- # smmuv3.c
- smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
-@@ -XXX,XX +XXX,XX @@ smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t p
- smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
- smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
- smmuv3_cmdq_tlbi_nh(void) ""
--smmuv3_cmdq_tlbi_nh_asid(uint16_t asid) "asid=%d"
--smmuv3_cmdq_tlbi_s12_vmid(uint16_t vmid) "vmid=%d"
-+smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
-+smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
- smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
- smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
- smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
--smmuv3_inv_notifiers_iova(const char *name, uint16_t asid, uint16_t vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
-+smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
- # strongarm.c
- strongarm_uart_update_parameters(const char *label, int speed, char parity, int data_bits, int stop_bits) "%s speed=%d parity=%c data=%d stop=%d"
---
-.34.1

-[PULL 10/26] hw/arm/smmu: Introduce CACHED_ENTRY_TO_ADDR
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-Soon, smmuv3_do_translate() will be used to translate the CD and the
-TTBx, instead of re-writting the same logic to convert the returned
-cached entry to an address, add a new macro CACHED_ENTRY_TO_ADDR.
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-8-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h | 3 +++
- hw/arm/smmuv3.c              | 3 +--
-files changed, 4 insertions(+), 2 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@
- #define VMSA_IDXMSK(isz, strd, lvl)         ((1ULL << \
-                                              VMSA_BIT_LVL(isz, strd, lvl)) - 1)
-+#define CACHED_ENTRY_TO_ADDR(ent, addr)      ((ent)->entry.translated_addr + \
-+                                             ((addr) & (ent)->entry.addr_mask))
-+
- /*
-  * Page table walk error types
-  */
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ epilogue:
-     switch (status) {
-     case SMMU_TRANS_SUCCESS:
-         entry.perm = cached_entry->entry.perm;
--        entry.translated_addr = cached_entry->entry.translated_addr +
--                                    (addr & cached_entry->entry.addr_mask);
-+        entry.translated_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr);
-         entry.addr_mask = cached_entry->entry.addr_mask;
-         trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr,
-                                        entry.translated_addr, entry.perm,
---
-.34.1

-[PULL 11/26] hw/arm/smmuv3: Translate CD and TT using stage-2 table
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-According to ARM SMMU architecture specification (ARM IHI 0070 F.b),
-In "5.2 Stream Table Entry":
- [51:6] S1ContextPtr
- If Config[1] == 1 (stage 2 enabled), this pointer is an IPA translated by
- stage 2 and the programmed value must be within the range of the IAS.
-In "5.4.1 CD notes":
- The translation table walks performed from TTB0 or TTB1 are always performed
- in IPA space if stage 2 translations are enabled.
-This patch implements translation of the S1 context descriptor pointer and
-TTBx base addresses through the S2 stage (IPA -> PA)
-smmuv3_do_translate() is updated to have one arg which is translation
-class, this is useful to:
- - Decide wether a translation is stage-2 only or use the STE config.
- - Populate the class in case of faults, WALK_EABT is left unchanged
-   for stage-1 as it is always IN, while stage-2 would match the
-   used class (TT, IN, CD), this will change slightly when the ptw
-   supports nested translation as it can also issue TT event with
-   class IN.
-In case for stage-2 only translation, used in the context of nested
-translation, the stage and asid are saved and restored before and
-after calling smmu_translate().
-Translating CD or TTBx can fail for the following reasons:
-) Large address size: This is described in
-   (3.4.3 Address sizes of SMMU-originated accesses)
-   - For CD ptr larger than IAS, for SMMUv3.1, it can trigger either
-     C_BAD_STE or Translation fault, we implement the latter as it
-     requires no extra code.
-   - For TTBx, if larger than the effective stage 1 output address size, it
-     triggers C_BAD_CD.
-) Faults from PTWs (7.3 Event records)
-   - F_ADDR_SIZE: large address size after first level causes stage 2 Address
-     Size fault (Also in 3.4.3 Address sizes of SMMU-originated accesses)
-   - F_PERMISSION: Same as an address translation. However, when
-     CLASS == CD, the access is implicitly Data and a read.
-   - F_ACCESS: Same as an address translation.
-   - F_TRANSLATION: Same as an address translation.
-   - F_WALK_EABT: Same as an address translation.
-  These are already implemented in the PTW logic, so no extra handling
-  required.
-As in CD and TTBx translation context, the iova is not known, setting
-the InputAddr was removed from "smmuv3_do_translate" and set after
-from "smmuv3_translate" with the new function "smmuv3_fixup_event"
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-9-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmuv3.c | 120 +++++++++++++++++++++++++++++++++++++++++-------
-file changed, 103 insertions(+), 17 deletions(-)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
- }
-+static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-+                                                 SMMUTransCfg *cfg,
-+                                                 SMMUEventInfo *event,
-+                                                 IOMMUAccessFlags flag,
-+                                                 SMMUTLBEntry **out_entry,
-+                                                 SMMUTranslationClass class);
- /* @ssid > 0 not supported yet */
--static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
--                       CD *buf, SMMUEventInfo *event)
-+static int smmu_get_cd(SMMUv3State *s, STE *ste, SMMUTransCfg *cfg,
-+                       uint32_t ssid, CD *buf, SMMUEventInfo *event)
- {
-     dma_addr_t addr = STE_CTXPTR(ste);
-     int ret, i;
-+    SMMUTranslationStatus status;
-+    SMMUTLBEntry *entry;
-     trace_smmuv3_get_cd(addr);
-+
-+    if (cfg->stage == SMMU_NESTED) {
-+        status = smmuv3_do_translate(s, addr, cfg, event,
-+                                     IOMMU_RO, &entry, SMMU_CLASS_CD);
-+
-+        /* Same PTW faults are reported but with CLASS = CD. */
-+        if (status != SMMU_TRANS_SUCCESS) {
-+            return -EINVAL;
-+        }
-+
-+        addr = CACHED_ENTRY_TO_ADDR(entry, addr);
-+    }
-+
-     /* TODO: guarantee 64-bit single-copy atomicity */
-     ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
-                           MEMTXATTRS_UNSPECIFIED);
-@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
-     return 0;
- }
--static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
-+static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
-+                     CD *cd, SMMUEventInfo *event)
- {
-     int ret = -EINVAL;
-     int i;
-+    SMMUTranslationStatus status;
-+    SMMUTLBEntry *entry;
-     if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
-         goto bad_cd;
-@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
-         tt->tsz = tsz;
-         tt->ttb = CD_TTB(cd, i);
-+
-         if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
-             goto bad_cd;
-         }
-+
-+        /* Translate the TTBx, from IPA to PA if nesting is enabled. */
-+        if (cfg->stage == SMMU_NESTED) {
-+            status = smmuv3_do_translate(s, tt->ttb, cfg, event, IOMMU_RO,
-+                                         &entry, SMMU_CLASS_TT);
-+            /*
-+             * Same PTW faults are reported but with CLASS = TT.
-+             * If TTBx is larger than the effective stage 1 output addres
-+             * size, it reports C_BAD_CD, which is handled by the above case.
-+             */
-+            if (status != SMMU_TRANS_SUCCESS) {
-+                return -EINVAL;
-+            }
-+            tt->ttb = CACHED_ENTRY_TO_ADDR(entry, tt->ttb);
-+        }
-+
-         tt->had = CD_HAD(cd, i);
-         trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz, tt->had);
-     }
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
-         return 0;
-     }
--    ret = smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event);
-+    ret = smmu_get_cd(s, &ste, cfg, 0 /* ssid */, &cd, event);
-     if (ret) {
-         return ret;
-     }
--    return decode_cd(cfg, &cd, event);
-+    return decode_cd(s, cfg, &cd, event);
- }
- /**
-@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-                                                  SMMUTransCfg *cfg,
-                                                  SMMUEventInfo *event,
-                                                  IOMMUAccessFlags flag,
--                                                 SMMUTLBEntry **out_entry)
-+                                                 SMMUTLBEntry **out_entry,
-+                                                 SMMUTranslationClass class)
- {
-     SMMUPTWEventInfo ptw_info = {};
-     SMMUState *bs = ARM_SMMU(s);
-     SMMUTLBEntry *cached_entry = NULL;
-+    int asid, stage;
-+    bool desc_s2_translation = class != SMMU_CLASS_IN;
-+
-+    /*
-+     * The function uses the argument class to identify which stage is used:
-+     * - CLASS = IN: Means an input translation, determine the stage from STE.
-+     * - CLASS = CD: Means the addr is an IPA of the CD, and it would be
-+     *   translated using the stage-2.
-+     * - CLASS = TT: Means the addr is an IPA of the stage-1 translation table
-+     *   and it would be translated using the stage-2.
-+     * For the last 2 cases instead of having intrusive changes in the common
-+     * logic, we modify the cfg to be a stage-2 translation only in case of
-+     * nested, and then restore it after.
-+     */
-+    if (desc_s2_translation) {
-+        asid = cfg->asid;
-+        stage = cfg->stage;
-+        cfg->asid = -1;
-+        cfg->stage = SMMU_STAGE_2;
-+    }
-     cached_entry = smmu_translate(bs, cfg, addr, flag, &ptw_info);
-+
-+    if (desc_s2_translation) {
-+        cfg->asid = asid;
-+        cfg->stage = stage;
-+    }
-+
-     if (!cached_entry) {
-         /* All faults from PTW has S2 field. */
-         event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
-         switch (ptw_info.type) {
-         case SMMU_PTW_ERR_WALK_EABT:
-             event->type = SMMU_EVT_F_WALK_EABT;
--            event->u.f_walk_eabt.addr = addr;
-             event->u.f_walk_eabt.rnw = flag & 0x1;
-             event->u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
--                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
-+                                          class : SMMU_CLASS_TT;
-             event->u.f_walk_eabt.addr2 = ptw_info.addr;
-             break;
-         case SMMU_PTW_ERR_TRANSLATION:
-             if (PTW_RECORD_FAULT(cfg)) {
-                 event->type = SMMU_EVT_F_TRANSLATION;
--                event->u.f_translation.addr = addr;
-                 event->u.f_translation.addr2 = ptw_info.addr;
--                event->u.f_translation.class = SMMU_CLASS_IN;
-+                event->u.f_translation.class = class;
-                 event->u.f_translation.rnw = flag & 0x1;
-             }
-             break;
-         case SMMU_PTW_ERR_ADDR_SIZE:
-             if (PTW_RECORD_FAULT(cfg)) {
-                 event->type = SMMU_EVT_F_ADDR_SIZE;
--                event->u.f_addr_size.addr = addr;
-                 event->u.f_addr_size.addr2 = ptw_info.addr;
--                event->u.f_addr_size.class = SMMU_CLASS_IN;
-+                event->u.f_addr_size.class = class;
-                 event->u.f_addr_size.rnw = flag & 0x1;
-             }
-             break;
-         case SMMU_PTW_ERR_ACCESS:
-             if (PTW_RECORD_FAULT(cfg)) {
-                 event->type = SMMU_EVT_F_ACCESS;
--                event->u.f_access.addr = addr;
-                 event->u.f_access.addr2 = ptw_info.addr;
--                event->u.f_access.class = SMMU_CLASS_IN;
-+                event->u.f_access.class = class;
-                 event->u.f_access.rnw = flag & 0x1;
-             }
-             break;
-         case SMMU_PTW_ERR_PERMISSION:
-             if (PTW_RECORD_FAULT(cfg)) {
-                 event->type = SMMU_EVT_F_PERMISSION;
--                event->u.f_permission.addr = addr;
-                 event->u.f_permission.addr2 = ptw_info.addr;
--                event->u.f_permission.class = SMMU_CLASS_IN;
-+                event->u.f_permission.class = class;
-                 event->u.f_permission.rnw = flag & 0x1;
-             }
-             break;
-@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-     return SMMU_TRANS_SUCCESS;
- }
-+/*
-+ * Sets the InputAddr for an SMMU_TRANS_ERROR, as it can't be
-+ * set from all contexts, as smmuv3_get_config() can return
-+ * translation faults in case of nested translation (for CD
-+ * and TTBx). But in that case the iova is not known.
-+ */
-+static void smmuv3_fixup_event(SMMUEventInfo *event, hwaddr iova)
-+{
-+    switch (event->type) {
-+    case SMMU_EVT_F_WALK_EABT:
-+    case SMMU_EVT_F_TRANSLATION:
-+    case SMMU_EVT_F_ADDR_SIZE:
-+    case SMMU_EVT_F_ACCESS:
-+    case SMMU_EVT_F_PERMISSION:
-+        event->u.f_walk_eabt.addr = iova;
-+        break;
-+    default:
-+        break;
-+    }
-+}
-+
- /* Entry point to SMMU, does everything. */
- static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-                                       IOMMUAccessFlags flag, int iommu_idx)
-@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
-         goto epilogue;
-     }
--    status = smmuv3_do_translate(s, addr, cfg, &event, flag, &cached_entry);
-+    status = smmuv3_do_translate(s, addr, cfg, &event, flag,
-+                                 &cached_entry, SMMU_CLASS_IN);
- epilogue:
-     qemu_mutex_unlock(&s->mutex);
-@@ -XXX,XX +XXX,XX @@ epilogue:
-                                      entry.perm);
-         break;
-     case SMMU_TRANS_ERROR:
-+        smmuv3_fixup_event(&event, addr);
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s translation failed for iova=0x%"PRIx64" (%s)\n",
-                       mr->parent_obj.name, addr, smmu_event_string(event.type));
---
-.34.1

-[PULL 12/26] hw/arm/smmu-common: Rework TLB lookup for nesting
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-In the next patch, combine_tlb() will be added which combines 2 TLB
-entries into one for nested translations, which chooses the granule
-and level from the smallest entry.
-This means that with nested translation, an entry can be cached with
-the granule of stage-2 and not stage-1.
-However, currently, the lookup for an IOVA is done with input stage
-granule, which is stage-1 for nested configuration, which will not
-work with the above logic.
-This patch reworks lookup in that case, so it falls back to stage-2
-granule if no entry is found using stage-1 granule.
-Also, drop aligning the iova to avoid over-aligning in case the iova
-is cached with a smaller granule, the TLB lookup will align the iova
-anyway for each granule and level, and the page table walker doesn't
-consider the page offset bits.
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-10-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmu-common.c | 64 +++++++++++++++++++++++++++++---------------
-file changed, 43 insertions(+), 21 deletions(-)
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
-     return key;
- }
--SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
--                                SMMUTransTableInfo *tt, hwaddr iova)
-+static SMMUTLBEntry *smmu_iotlb_lookup_all_levels(SMMUState *bs,
-+                                                  SMMUTransCfg *cfg,
-+                                                  SMMUTransTableInfo *tt,
-+                                                  hwaddr iova)
- {
-     uint8_t tg = (tt->granule_sz - 10) / 2;
-     uint8_t inputsize = 64 - tt->tsz;
-@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
-         }
-         level++;
-     }
-+    return entry;
-+}
-+
-+/**
-+ * smmu_iotlb_lookup - Look up for a TLB entry.
-+ * @bs: SMMU state which includes the TLB instance
-+ * @cfg: Configuration of the translation
-+ * @tt: Translation table info (granule and tsz)
-+ * @iova: IOVA address to lookup
-+ *
-+ * returns a valid entry on success, otherwise NULL.
-+ * In case of nested translation, tt can be updated to include
-+ * the granule of the found entry as it might different from
-+ * the IOVA granule.
-+ */
-+SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
-+                                SMMUTransTableInfo *tt, hwaddr iova)
-+{
-+    SMMUTLBEntry *entry = NULL;
-+
-+    entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
-+    /*
-+     * For nested translation also try the s2 granule, as the TLB will insert
-+     * it if the size of s2 tlb entry was smaller.
-+     */
-+    if (!entry && (cfg->stage == SMMU_NESTED) &&
-+        (cfg->s2cfg.granule_sz != tt->granule_sz)) {
-+        tt->granule_sz = cfg->s2cfg.granule_sz;
-+        entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
-+    }
-     if (entry) {
-         cfg->iotlb_hits++;
-@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
- SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-                              IOMMUAccessFlags flag, SMMUPTWEventInfo *info)
- {
--    uint64_t page_mask, aligned_addr;
-     SMMUTLBEntry *cached_entry = NULL;
-     SMMUTransTableInfo *tt;
-     int status;
-     /*
--     * Combined attributes used for TLB lookup, as only one stage is supported,
--     * it will hold attributes based on the enabled stage.
-+     * Combined attributes used for TLB lookup, holds the attributes for
-+     * the input stage.
-      */
-     SMMUTransTableInfo tt_combined;
--    if (cfg->stage == SMMU_STAGE_1) {
-+    if (cfg->stage == SMMU_STAGE_2) {
-+        /* Stage2. */
-+        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
-+        tt_combined.tsz = cfg->s2cfg.tsz;
-+    } else {
-         /* Select stage1 translation table. */
-         tt = select_tt(cfg, addr);
-         if (!tt) {
-@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-         }
-         tt_combined.granule_sz = tt->granule_sz;
-         tt_combined.tsz = tt->tsz;
--
--    } else {
--        /* Stage2. */
--        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
--        tt_combined.tsz = cfg->s2cfg.tsz;
-     }
--    /*
--     * TLB lookup looks for granule and input size for a translation stage,
--     * as only one stage is supported right now, choose the right values
--     * from the configuration.
--     */
--    page_mask = (1ULL << tt_combined.granule_sz) - 1;
--    aligned_addr = addr & ~page_mask;
--
--    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
-+    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr);
-     if (cached_entry) {
-         if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
-             info->type = SMMU_PTW_ERR_PERMISSION;
-@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-     }
-     cached_entry = g_new0(SMMUTLBEntry, 1);
--    status = smmu_ptw(cfg, aligned_addr, flag, cached_entry, info);
-+    status = smmu_ptw(cfg, addr, flag, cached_entry, info);
-     if (status) {
-             g_free(cached_entry);
-             return NULL;
---
-.34.1

-[PULL 13/26] hw/arm/smmu-common: Add support for nested TLB
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-This patch adds support for nested (combined) TLB entries.
-The main function combine_tlb() is not used here but in the next
-patches, but to simplify the patches it is introduced first.
-Main changes:
-) New field added in the SMMUTLBEntry struct: parent_perm, for
-   nested TLB, holds the stage-2 permission, this can be used to know
-   the origin of a permission fault from a cached entry as caching
-   the “and” of the permissions loses this information.
-   SMMUPTWEventInfo is used to hold information about PTW faults so
-   the event can be populated, the value of stage used to be set
-   based on the current stage for TLB permission faults, however
-   with the parent_perm, it is now set based on which perm has
-   the missing permission
-   When nesting is not enabled it has the same value as perm which
-   doesn't change the logic.
-) As combined TLB implementation is used, the combination logic
-   chooses:
-   - tg and level from the entry which has the smallest addr_mask.
-   - Based on that the iova that would be cached is recalculated.
-   - Translated_addr is chosen from stage-2.
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-11-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |  1 +
- hw/arm/smmu-common.c         | 37 ++++++++++++++++++++++++++++++++----
-files changed, 34 insertions(+), 4 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTLBEntry {
-     IOMMUTLBEntry entry;
-     uint8_t level;
-     uint8_t granule;
-+    IOMMUAccessFlags parent_perm;
- } SMMUTLBEntry;
- /* Stage-2 configuration. */
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
-         tlbe->entry.translated_addr = gpa;
-         tlbe->entry.iova = iova & ~mask;
-         tlbe->entry.addr_mask = mask;
--        tlbe->entry.perm = PTE_AP_TO_PERM(ap);
-+        tlbe->parent_perm = PTE_AP_TO_PERM(ap);
-+        tlbe->entry.perm = tlbe->parent_perm;
-         tlbe->level = level;
-         tlbe->granule = granule_sz;
-         return 0;
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
-         tlbe->entry.translated_addr = gpa;
-         tlbe->entry.iova = ipa & ~mask;
-         tlbe->entry.addr_mask = mask;
--        tlbe->entry.perm = s2ap;
-+        tlbe->parent_perm = s2ap;
-+        tlbe->entry.perm = tlbe->parent_perm;
-         tlbe->level = level;
-         tlbe->granule = granule_sz;
-         return 0;
-@@ -XXX,XX +XXX,XX @@ error:
-     return -EINVAL;
- }
-+/*
-+ * combine S1 and S2 TLB entries into a single entry.
-+ * As a result the S1 entry is overriden with combined data.
-+ */
-+static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
-+                                                SMMUTLBEntry *tlbe_s2,
-+                                                dma_addr_t iova,
-+                                                SMMUTransCfg *cfg)
-+{
-+    if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) {
-+        tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask;
-+        tlbe->granule = tlbe_s2->granule;
-+        tlbe->level = tlbe_s2->level;
-+    }
-+
-+    tlbe->entry.translated_addr = CACHED_ENTRY_TO_ADDR(tlbe_s2,
-+                                    tlbe->entry.translated_addr);
-+
-+    tlbe->entry.iova = iova & ~tlbe->entry.addr_mask;
-+    /* parent_perm has s2 perm while perm keeps s1 perm. */
-+    tlbe->parent_perm = tlbe_s2->entry.perm;
-+    return;
-+}
-+
- /**
-  * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
-  *
-@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-     cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr);
-     if (cached_entry) {
--        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
-+        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm &
-+            cached_entry->parent_perm & IOMMU_WO)) {
-             info->type = SMMU_PTW_ERR_PERMISSION;
--            info->stage = cfg->stage;
-+            info->stage = !(cached_entry->entry.perm & IOMMU_WO) ?
-+                          SMMU_STAGE_1 :
-+                          SMMU_STAGE_2;
-             return NULL;
-         }
-         return cached_entry;
---
-.34.1

-[PULL 14/26] hw/arm/smmu-common: Support nested translation
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-When nested translation is requested, do the following:
-- Translate stage-1 table address IPA into PA through stage-2.
-- Translate stage-1 table walk output (IPA) through stage-2.
-- Create a single TLB entry from stage-1 and stage-2 translations
-  using logic introduced before.
-smmu_ptw() has a new argument SMMUState which include the TLB as
-stage-1 table address can be cached in there.
-Also in smmu_ptw(), a separate path used for nesting to simplify the
-code, although some logic can be combined.
-With nested translation class of translation fault can be different,
-from the class of the translation, as faults from translating stage-1
-tables are considered as CLASS_TT and not CLASS_IN, a new member
-"is_ipa_descriptor" added to "SMMUPTWEventInfo" to differ faults
-from walking stage 1 translation table and faults from translating
-an IPA for a transaction.
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-12-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |  7 ++--
- hw/arm/smmu-common.c         | 74 +++++++++++++++++++++++++++++++-----
- hw/arm/smmuv3.c              | 14 +++++++
-files changed, 82 insertions(+), 13 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUPTWEventInfo {
-     SMMUStage stage;
-     SMMUPTWEventType type;
-     dma_addr_t addr; /* fetched address that induced an abort, if any */
-+    bool is_ipa_descriptor; /* src for fault in nested translation. */
- } SMMUPTWEventInfo;
- typedef struct SMMUTransTableInfo {
-@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
-  * smmu_ptw - Perform the page table walk for a given iova / access flags
-  * pair, according to @cfg translation config
-  */
--int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
--             SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
--
-+int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova,
-+             IOMMUAccessFlags perm, SMMUTLBEntry *tlbe,
-+             SMMUPTWEventInfo *info);
- /*
-  * smmu_translate - Look for a translation in TLB, if not, do a PTW.
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
-     return NULL;
- }
-+/* Translate stage-1 table address using stage-2 page table. */
-+static inline int translate_table_addr_ipa(SMMUState *bs,
-+                                           dma_addr_t *table_addr,
-+                                           SMMUTransCfg *cfg,
-+                                           SMMUPTWEventInfo *info)
-+{
-+    dma_addr_t addr = *table_addr;
-+    SMMUTLBEntry *cached_entry;
-+    int asid;
-+
-+    /*
-+     * The translation table walks performed from TTB0 or TTB1 are always
-+     * performed in IPA space if stage 2 translations are enabled.
-+     */
-+    asid = cfg->asid;
-+    cfg->stage = SMMU_STAGE_2;
-+    cfg->asid = -1;
-+    cached_entry = smmu_translate(bs, cfg, addr, IOMMU_RO, info);
-+    cfg->asid = asid;
-+    cfg->stage = SMMU_NESTED;
-+
-+    if (cached_entry) {
-+        *table_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr);
-+        return 0;
-+    }
-+
-+    info->stage = SMMU_STAGE_2;
-+    info->addr = addr;
-+    info->is_ipa_descriptor = true;
-+    return -EINVAL;
-+}
-+
- /**
-  * smmu_ptw_64_s1 - VMSAv8-64 Walk of the page tables for a given IOVA
-+ * @bs: smmu state which includes TLB instance
-  * @cfg: translation config
-  * @iova: iova to translate
-  * @perm: access type
-@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
-  * Upon success, @tlbe is filled with translated_addr and entry
-  * permission rights.
-  */
--static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
-+static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg,
-                           dma_addr_t iova, IOMMUAccessFlags perm,
-                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
- {
-@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
-                 goto error;
-             }
-             baseaddr = get_table_pte_address(pte, granule_sz);
-+            if (cfg->stage == SMMU_NESTED) {
-+                if (translate_table_addr_ipa(bs, &baseaddr, cfg, info)) {
-+                    goto error;
-+                }
-+            }
-             level++;
-             continue;
-         } else if (is_page_pte(pte, level)) {
-@@ -XXX,XX +XXX,XX @@ error:
-  * combine S1 and S2 TLB entries into a single entry.
-  * As a result the S1 entry is overriden with combined data.
-  */
--static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
--                                                SMMUTLBEntry *tlbe_s2,
--                                                dma_addr_t iova,
--                                                SMMUTransCfg *cfg)
-+static void combine_tlb(SMMUTLBEntry *tlbe, SMMUTLBEntry *tlbe_s2,
-+                        dma_addr_t iova, SMMUTransCfg *cfg)
- {
-     if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) {
-         tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask;
-@@ -XXX,XX +XXX,XX @@ static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
- /**
-  * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
-  *
-+ * @bs: smmu state which includes TLB instance
-  * @cfg: translation configuration
-  * @iova: iova to translate
-  * @perm: tentative access type
-@@ -XXX,XX +XXX,XX @@ static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
-  *
-  * return 0 on success
-  */
--int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
--             SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
-+int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova,
-+             IOMMUAccessFlags perm, SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
- {
-+    int ret;
-+    SMMUTLBEntry tlbe_s2;
-+    dma_addr_t ipa;
-+
-     if (cfg->stage == SMMU_STAGE_1) {
--        return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);
-+        return smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
-     } else if (cfg->stage == SMMU_STAGE_2) {
-         /*
-          * If bypassing stage 1(or unimplemented), the input address is passed
-@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-         return smmu_ptw_64_s2(cfg, iova, perm, tlbe, info);
-     }
--    g_assert_not_reached();
-+    /* SMMU_NESTED. */
-+    ret = smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
-+    if (ret) {
-+        return ret;
-+    }
-+
-+    ipa = CACHED_ENTRY_TO_ADDR(tlbe, iova);
-+    ret = smmu_ptw_64_s2(cfg, ipa, perm, &tlbe_s2, info);
-+    if (ret) {
-+        return ret;
-+    }
-+
-+    combine_tlb(tlbe, &tlbe_s2, iova, cfg);
-+    return 0;
- }
- SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
-     }
-     cached_entry = g_new0(SMMUTLBEntry, 1);
--    status = smmu_ptw(cfg, addr, flag, cached_entry, info);
-+    status = smmu_ptw(bs, cfg, addr, flag, cached_entry, info);
-     if (status) {
-             g_free(cached_entry);
-             return NULL;
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
-     if (!cached_entry) {
-         /* All faults from PTW has S2 field. */
-         event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
-+        /*
-+         * Fault class is set as follows based on "class" input to
-+         * the function and to "ptw_info" from "smmu_translate()"
-+         * For stage-1:
-+         *   - EABT => CLASS_TT (hardcoded)
-+         *   - other events => CLASS_IN (input to function)
-+         * For stage-2 => CLASS_IN (input to function)
-+         * For nested, for all events:
-+         *  - CD fetch => CLASS_CD (input to function)
-+         *  - walking stage 1 translation table  => CLASS_TT (from
-+         *    is_ipa_descriptor or input in case of TTBx)
-+         *  - s2 translation => CLASS_IN (input to function)
-+         */
-+        class = ptw_info.is_ipa_descriptor ? SMMU_CLASS_TT : class;
-         switch (ptw_info.type) {
-         case SMMU_PTW_ERR_WALK_EABT:
-             event->type = SMMU_EVT_F_WALK_EABT;
---
-.34.1

-[PULL 15/26] hw/arm/smmu: Support nesting in smmuv3_range_inval()
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-With nesting, we would need to invalidate IPAs without
-over-invalidating stage-1 IOVAs. This can be done by
-distinguishing IPAs in the TLBs by having ASID=-1.
-To achieve that, rework the invalidation for IPAs to have a
-separate function, while for IOVA invalidation ASID=-1 means
-invalidate for all ASIDs.
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-13-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |  3 ++-
- hw/arm/smmu-common.c         | 47 ++++++++++++++++++++++++++++++++++++
- hw/arm/smmuv3.c              | 23 ++++++++++++------
- hw/arm/trace-events          |  2 +-
-files changed, 66 insertions(+), 9 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_asid(SMMUState *s, int asid);
- void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
- void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
--
-+void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
-+                        uint64_t num_pages, uint8_t ttl);
- /* Unmap the range of all the notifiers registered to any IOMMU mr */
- void smmu_inv_notifiers_all(SMMUState *s);
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value,
-            ((entry->iova & ~info->mask) == info->iova);
- }
-+static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value,
-+                                             gpointer user_data)
-+{
-+    SMMUTLBEntry *iter = (SMMUTLBEntry *)value;
-+    IOMMUTLBEntry *entry = &iter->entry;
-+    SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
-+    SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key;
-+
-+    if (SMMU_IOTLB_ASID(iotlb_key) >= 0) {
-+        /* This is a stage-1 address. */
-+        return false;
-+    }
-+    if (info->vmid != SMMU_IOTLB_VMID(iotlb_key)) {
-+        return false;
-+    }
-+    return ((info->iova & ~entry->addr_mask) == entry->iova) ||
-+           ((entry->iova & ~info->mask) == info->iova);
-+}
-+
- void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                          uint8_t tg, uint64_t num_pages, uint8_t ttl)
- {
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                                 &info);
- }
-+/*
-+ * Similar to smmu_iotlb_inv_iova(), but for Stage-2, ASID is always -1,
-+ * in Stage-1 invalidation ASID = -1, means don't care.
-+ */
-+void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
-+                        uint64_t num_pages, uint8_t ttl)
-+{
-+    uint8_t granule = tg ? tg * 2 + 10 : 12;
-+    int asid = -1;
-+
-+   if (ttl && (num_pages == 1)) {
-+        SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, ipa, tg, ttl);
-+
-+        if (g_hash_table_remove(s->iotlb, &key)) {
-+            return;
-+        }
-+    }
-+
-+    SMMUIOTLBPageInvInfo info = {
-+        .iova = ipa,
-+        .vmid = vmid,
-+        .mask = (num_pages << granule) - 1};
-+
-+    g_hash_table_foreach_remove(s->iotlb,
-+                                smmu_hash_remove_by_vmid_ipa,
-+                                &info);
-+}
-+
- void smmu_iotlb_inv_asid(SMMUState *s, int asid)
- {
-     trace_smmu_iotlb_inv_asid(asid);
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
-     }
- }
--static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
-+static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
- {
-     dma_addr_t end, addr = CMD_ADDR(cmd);
-     uint8_t type = CMD_TYPE(cmd);
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
-     }
-     if (!tg) {
--        trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf);
-+        trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf, stage);
-         smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1);
--        smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
-+        if (stage == SMMU_STAGE_1) {
-+            smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
-+        } else {
-+            smmu_iotlb_inv_ipa(s, vmid, addr, tg, 1, ttl);
-+        }
-         return;
-     }
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
-         uint64_t mask = dma_aligned_pow2_mask(addr, end, 64);
-         num_pages = (mask + 1) >> granule;
--        trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages, ttl, leaf);
-+        trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages,
-+                                 ttl, leaf, stage);
-         smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages);
--        smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
-+        if (stage == SMMU_STAGE_1) {
-+            smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
-+        } else {
-+            smmu_iotlb_inv_ipa(s, vmid, addr, tg, num_pages, ttl);
-+        }
-         addr += mask + 1;
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-                 cmd_error = SMMU_CERROR_ILL;
-                 break;
-             }
--            smmuv3_range_inval(bs, &cmd);
-+            smmuv3_range_inval(bs, &cmd, SMMU_STAGE_1);
-             break;
-         case SMMU_CMD_TLBI_S12_VMALL:
-         {
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-              * As currently only either s1 or s2 are supported
-              * we can reuse same function for s2.
-              */
--            smmuv3_range_inval(bs, &cmd);
-+            smmuv3_range_inval(bs, &cmd, SMMU_STAGE_2);
-             break;
-         case SMMU_CMD_TLBI_EL3_ALL:
-         case SMMU_CMD_TLBI_EL3_VA:
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_cfgi_ste_range(int start, int end) "start=0x%x - end=0x%x"
- smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
- smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
- smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
--smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
-+smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf, int stage) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d stage=%d"
- smmuv3_cmdq_tlbi_nh(void) ""
- smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
- smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
---
-.34.1

-[PULL 16/26] hw/arm/smmu: Introduce smmu_iotlb_inv_asid_vmid
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-Soon, Instead of doing TLB invalidation by ASID only, VMID will be
-also required.
-Add smmu_iotlb_inv_asid_vmid() which invalidates by both ASID and VMID.
-However, at the moment this function is only used in SMMU_CMD_TLBI_NH_ASID
-which is a stage-1 command, so passing VMID = -1 keeps the original
-behaviour.
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-14-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |  2 +-
- hw/arm/smmu-common.c         | 20 +++++++++++++-------
- hw/arm/smmuv3.c              |  2 +-
- hw/arm/trace-events          |  2 +-
-files changed, 16 insertions(+), 10 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *entry);
- SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
-                                 uint8_t tg, uint8_t level);
- void smmu_iotlb_inv_all(SMMUState *s);
--void smmu_iotlb_inv_asid(SMMUState *s, int asid);
-+void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid);
- void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
- void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_all(SMMUState *s)
-     g_hash_table_remove_all(s->iotlb);
- }
--static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
--                                         gpointer user_data)
-+static gboolean smmu_hash_remove_by_asid_vmid(gpointer key, gpointer value,
-+                                              gpointer user_data)
- {
--    int asid = *(int *)user_data;
-+    SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
-     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
--    return SMMU_IOTLB_ASID(*iotlb_key) == asid;
-+    return (SMMU_IOTLB_ASID(*iotlb_key) == info->asid) &&
-+           (SMMU_IOTLB_VMID(*iotlb_key) == info->vmid);
- }
- static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
-                                 &info);
- }
--void smmu_iotlb_inv_asid(SMMUState *s, int asid)
-+void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid)
- {
--    trace_smmu_iotlb_inv_asid(asid);
--    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid, &asid);
-+    SMMUIOTLBPageInvInfo info = {
-+        .asid = asid,
-+        .vmid = vmid,
-+    };
-+
-+    trace_smmu_iotlb_inv_asid_vmid(asid, vmid);
-+    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid_vmid, &info);
- }
- void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-             trace_smmuv3_cmdq_tlbi_nh_asid(asid);
-             smmu_inv_notifiers_all(&s->smmu_state);
--            smmu_iotlb_inv_asid(bs, asid);
-+            smmu_iotlb_inv_asid_vmid(bs, asid, -1);
-             break;
-         }
-         case SMMU_CMD_TLBI_NH_ALL:
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint6
- smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
- smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
- smmu_iotlb_inv_all(void) "IOTLB invalidate all"
--smmu_iotlb_inv_asid(int asid) "IOTLB invalidate asid=%d"
-+smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
- smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
- smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
- smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
---
-.34.1

-[PULL 17/26] hw/arm/smmu: Support nesting in the rest of commands
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-Some commands need rework for nesting, as they used to assume S1
-and S2 are mutually exclusive:
-- CMD_TLBI_NH_ASID: Consider VMID if stage-2 is supported
-- CMD_TLBI_NH_ALL: Consider VMID if stage-2 is supported, otherwise
-  invalidate everything, this required a new vmid invalidation
-  function for stage-1 only (ASID >= 0)
-Also, rework trace events to reflect the new implementation.
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-15-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/smmu-common.h |  1 +
- hw/arm/smmu-common.c         | 16 ++++++++++++++++
- hw/arm/smmuv3.c              | 28 ++++++++++++++++++++++++++--
- hw/arm/trace-events          |  4 +++-
-files changed, 46 insertions(+), 3 deletions(-)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
-+++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
- void smmu_iotlb_inv_all(SMMUState *s);
- void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid);
- void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
-+void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid);
- void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
- void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
-+++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
-     return SMMU_IOTLB_VMID(*iotlb_key) == vmid;
- }
-+static gboolean smmu_hash_remove_by_vmid_s1(gpointer key, gpointer value,
-+                                            gpointer user_data)
-+{
-+    int vmid = *(int *)user_data;
-+    SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
-+
-+    return (SMMU_IOTLB_VMID(*iotlb_key) == vmid) &&
-+           (SMMU_IOTLB_ASID(*iotlb_key) >= 0);
-+}
-+
- static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value,
-                                               gpointer user_data)
- {
-@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
-     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid);
- }
-+inline void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid)
-+{
-+    trace_smmu_iotlb_inv_vmid_s1(vmid);
-+    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid_s1, &vmid);
-+}
-+
- /* VMSAv8-64 Translation */
- /**
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
-         case SMMU_CMD_TLBI_NH_ASID:
-         {
-             int asid = CMD_ASID(&cmd);
-+            int vmid = -1;
-             if (!STAGE1_SUPPORTED(s)) {
-                 cmd_error = SMMU_CERROR_ILL;
-                 break;
-             }
-+            /*
-+             * VMID is only matched when stage 2 is supported, otherwise set it
-+             * to -1 as the value used for stage-1 only VMIDs.
-+             */
-+            if (STAGE2_SUPPORTED(s)) {
-+                vmid = CMD_VMID(&cmd);
-+            }
-+
-             trace_smmuv3_cmdq_tlbi_nh_asid(asid);
-             smmu_inv_notifiers_all(&s->smmu_state);
--            smmu_iotlb_inv_asid_vmid(bs, asid, -1);
-+            smmu_iotlb_inv_asid_vmid(bs, asid, vmid);
-             break;
-         }
-         case SMMU_CMD_TLBI_NH_ALL:
-+        {
-+            int vmid = -1;
-+
-             if (!STAGE1_SUPPORTED(s)) {
-                 cmd_error = SMMU_CERROR_ILL;
-                 break;
-             }
-+
-+            /*
-+             * If stage-2 is supported, invalidate for this VMID only, otherwise
-+             * invalidate the whole thing.
-+             */
-+            if (STAGE2_SUPPORTED(s)) {
-+                vmid = CMD_VMID(&cmd);
-+                trace_smmuv3_cmdq_tlbi_nh(vmid);
-+                smmu_iotlb_inv_vmid_s1(bs, vmid);
-+                break;
-+            }
-             QEMU_FALLTHROUGH;
-+        }
-         case SMMU_CMD_TLBI_NSNH_ALL:
--            trace_smmuv3_cmdq_tlbi_nh();
-+            trace_smmuv3_cmdq_tlbi_nsnh();
-             smmu_inv_notifiers_all(&s->smmu_state);
-             smmu_iotlb_inv_all(bs);
-             break;
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
- smmu_iotlb_inv_all(void) "IOTLB invalidate all"
- smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
- smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
-+smmu_iotlb_inv_vmid_s1(int vmid) "IOTLB invalidate vmid=%d"
- smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
- smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
- smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
-@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
- smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
- smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
- smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf, int stage) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d stage=%d"
--smmuv3_cmdq_tlbi_nh(void) ""
-+smmuv3_cmdq_tlbi_nh(int vmid) "vmid=%d"
-+smmuv3_cmdq_tlbi_nsnh(void) ""
- smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
- smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
- smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
---
-.34.1

-[PULL 18/26] hw/arm/smmuv3: Support nested SMMUs in smmuv3_notify_iova()
+Deleted patch
-From: Mostafa Saleh <smostafa@google.com>
-IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2
-SMMU instances we consider the input address as the IOVA, but when
-nesting is used, we can't mix stage-1 and stage-2 addresses, so for
-nesting only stage-1 is considered the IOVA and would be notified.
-Signed-off-by: Mostafa Saleh <smostafa@google.com>
-Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20240715084519.1189624-16-smostafa@google.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmuv3.c     | 39 +++++++++++++++++++++++++--------------
- hw/arm/trace-events |  2 +-
-files changed, 26 insertions(+), 15 deletions(-)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
-+++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ epilogue:
-  * @iova: iova
-  * @tg: translation granule (if communicated through range invalidation)
-  * @num_pages: number of @granule sized pages (if tg != 0), otherwise 1
-+ * @stage: Which stage(1 or 2) is used
-  */
- static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
-                                IOMMUNotifier *n,
-                                int asid, int vmid,
-                                dma_addr_t iova, uint8_t tg,
--                               uint64_t num_pages)
-+                               uint64_t num_pages, int stage)
- {
-     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
-+    SMMUEventInfo eventinfo = {.inval_ste_allowed = true};
-+    SMMUTransCfg *cfg = smmuv3_get_config(sdev, &eventinfo);
-     IOMMUTLBEvent event;
-     uint8_t granule;
--    SMMUv3State *s = sdev->smmu;
-+
-+    if (!cfg) {
-+        return;
-+    }
-+
-+    /*
-+     * stage is passed from TLB invalidation commands which can be either
-+     * stage-1 or stage-2.
-+     * However, IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2
-+     * SMMU instances we consider the input address as the IOVA, but when
-+     * nesting is used, we can't mix stage-1 and stage-2 addresses, so for
-+     * nesting only stage-1 is considered the IOVA and would be notified.
-+     */
-+    if ((stage == SMMU_STAGE_2) && (cfg->stage == SMMU_NESTED))
-+        return;
-     if (!tg) {
--        SMMUEventInfo eventinfo = {.inval_ste_allowed = true};
--        SMMUTransCfg *cfg = smmuv3_get_config(sdev, &eventinfo);
-         SMMUTransTableInfo *tt;
--        if (!cfg) {
--            return;
--        }
--
-         if (asid >= 0 && cfg->asid != asid) {
-             return;
-         }
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
-             return;
-         }
--        if (STAGE1_SUPPORTED(s)) {
-+        if (stage == SMMU_STAGE_1) {
-             tt = select_tt(cfg, iova);
-             if (!tt) {
-                 return;
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
- /* invalidate an asid/vmid/iova range tuple in all mr's */
- static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
-                                       dma_addr_t iova, uint8_t tg,
--                                      uint64_t num_pages)
-+                                      uint64_t num_pages, int stage)
- {
-     SMMUDevice *sdev;
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
-         IOMMUNotifier *n;
-         trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, vmid,
--                                        iova, tg, num_pages);
-+                                        iova, tg, num_pages, stage);
-         IOMMU_NOTIFIER_FOREACH(n, mr) {
--            smmuv3_notify_iova(mr, n, asid, vmid, iova, tg, num_pages);
-+            smmuv3_notify_iova(mr, n, asid, vmid, iova, tg, num_pages, stage);
-         }
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
-     if (!tg) {
-         trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf, stage);
--        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1);
-+        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1, stage);
-         if (stage == SMMU_STAGE_1) {
-             smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
-         } else {
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
-         num_pages = (mask + 1) >> granule;
-         trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages,
-                                  ttl, leaf, stage);
--        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages);
-+        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages, stage);
-         if (stage == SMMU_STAGE_1) {
-             smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
-         } else {
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
- smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
- smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
- smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
--smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
-+smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages, int stage) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" stage=%d"
- # strongarm.c
- strongarm_uart_update_parameters(const char *label, int speed, char parity, int data_bits, int stop_bits) "%s speed=%d parity=%c data=%d stop=%d"
---
-.34.1

-[PULL 26/26] hvf: arm: Do not advance PC when raising an exception
+[PULL 10/11] target/arm: change default pauth algorithm to impdef
-From: Akihiko Odaki <akihiko.odaki@daynix.com>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-hvf did not advance PC when raising an exception for most unhandled
+Pointer authentication on aarch64 is pretty expensive (up to 50% of
-system registers, but it mistakenly advanced PC when raising an
+execution time) when running a virtual machine with tcg and -cpu max
-exception for GICv3 registers.
+(which enables pauth=on).
-Cc: qemu-stable@nongnu.org
+The advice is always: use pauth-impdef=on.
-Fixes: a2260983c655 ("hvf: arm: Add support for GICv3")
+Our documentation even mentions it "by default" in
-Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+docs/system/introduction.rst.
-Message-id: 20240716-pmu-v3-4-8c7c1858a227@daynix.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Thus, we change the default to use impdef by default. This does not
 affect kvm or hvf acceleration, since pauth algorithm used is the one
 from host cpu.
 This change is retro compatible, in terms of cli, with previous
 versions, as the semantic of using -cpu max,pauth-impdef=on, and -cpu
 max,pauth-qarma3=on is preserved.
 The new option introduced in previous patch and matching old default is
 -cpu max,pauth-qarma5=on.
 It is retro compatible with migration as well, by defining a backcompat
 property, that will use qarma5 by default for virt machine <= 9.2.
 Tested by saving and restoring a vm from qemu 9.2.0 into qemu-master
 (10.0) for cpus neoverse-n2 and max.
 Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20241219183211.3493974-3-pierrick.bouvier@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/hvf/hvf.c | 1 +
+ docs/system/arm/cpu-features.rst |  2 +-
-file changed, 1 insertion(+)
+ docs/system/introduction.rst     |  2 +-
  target/arm/cpu.h                 |  3 +++
  hw/core/machine.c                |  4 +++-
  target/arm/cpu.c                 |  2 ++
  target/arm/cpu64.c               | 22 ++++++++++++++++------
 files changed, 26 insertions(+), 9 deletions(-)
-diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
+diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/hvf/hvf.c
+--- a/docs/system/arm/cpu-features.rst
-+++ b/target/arm/hvf/hvf.c
++++ b/docs/system/arm/cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
+@@ -XXX,XX +XXX,XX @@ Below is the list of TCG VCPU features and their descriptions.
-         /* Call the TCG sysreg handler. This is only safe for GICv3 regs. */
+   When ``pauth`` is enabled, select the architected QARMA5 algorithm.
-         if (!hvf_sysreg_read_cp(cpu, reg, &val)) {
-             hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+ Without ``pauth-impdef``, ``pauth-qarma3`` or ``pauth-qarma5`` enabled,
-+            return 1;
+-the architected QARMA5 algorithm is used.  The architected QARMA5
-         }
++the QEMU impdef algorithm is used.  The architected QARMA5
-         break;
+ and QARMA3 algorithms have good cryptographic properties, but can
-     case SYSREG_DBGBVR0_EL1:
+ be quite slow to emulate.  The impdef algorithm used by QEMU is
  non-cryptographic but significantly faster.
 diff --git a/docs/system/introduction.rst b/docs/system/introduction.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/system/introduction.rst
 +++ b/docs/system/introduction.rst
@@ -XXX,XX +XXX,XX @@ would default to it anyway.
  .. code::
 - -cpu max,pauth-impdef=on \
 + -cpu max \
   -smp 4 \
   -accel tcg \
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
      /* QOM property to indicate we should use the back-compat CNTFRQ default */
      bool backcompat_cntfrq;
 +    /* QOM property to indicate we should use the back-compat QARMA5 default */
 +    bool backcompat_pauth_default_use_qarma5;
 +
      /* Specify the number of cores in this CPU cluster. Used for the L2CTLR
       * register.
       */
 diff --git a/hw/core/machine.c b/hw/core/machine.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/core/machine.c
 +++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/virtio/virtio-iommu.h"
  #include "audio/audio.h"
 -GlobalProperty hw_compat_9_2[] = {};
 +GlobalProperty hw_compat_9_2[] = {
 +    {"arm-cpu", "backcompat-pauth-default-use-qarma5", "true"},
 +};
  const size_t hw_compat_9_2_len = G_N_ELEMENTS(hw_compat_9_2);
  GlobalProperty hw_compat_9_1[] = {
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static const Property arm_cpu_properties[] = {
      DEFINE_PROP_INT32("core-count", ARMCPU, core_count, -1),
      /* True to default to the backward-compat old CNTFRQ rather than 1Ghz */
      DEFINE_PROP_BOOL("backcompat-cntfrq", ARMCPU, backcompat_cntfrq, false),
 +    DEFINE_PROP_BOOL("backcompat-pauth-default-use-qarma5", ARMCPU,
 +                      backcompat_pauth_default_use_qarma5, false),
  };
  static const gchar *arm_gdb_arch_name(CPUState *cs)
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp)
                  return;
              }
 -            if (cpu->prop_pauth_impdef) {
 -                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, API, features);
 -                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPI, 1);
 +            bool use_default = !cpu->prop_pauth_qarma5 &&
 +                               !cpu->prop_pauth_qarma3 &&
 +                               !cpu->prop_pauth_impdef;
 +
 +            if (cpu->prop_pauth_qarma5 ||
 +                (use_default &&
 +                 cpu->backcompat_pauth_default_use_qarma5)) {
 +                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, APA, features);
 +                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPA, 1);
              } else if (cpu->prop_pauth_qarma3) {
                  isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, APA3, features);
                  isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, GPA3, 1);
 -            } else { /* default is pauth-qarma5 */
 -                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, APA, features);
 -                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPA, 1);
 +            } else if (cpu->prop_pauth_impdef ||
 +                       (use_default &&
 +                        !cpu->backcompat_pauth_default_use_qarma5)) {
 +                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, API, features);
 +                isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPI, 1);
 +            } else {
 +                g_assert_not_reached();
              }
          } else if (cpu->prop_pauth_impdef ||
                     cpu->prop_pauth_qarma3 ||
 --
 .34.1

-[PULL 21/26] hw/arm/smmu: Refactor SMMU OAS
+[PULL 11/11] docs/system/arm/virt: mention specific migration information
-From: Mostafa Saleh <smostafa@google.com>
+From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-SMMUv3 OAS is currently hardcoded in the code to 44 bits, for nested
+Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
-configurations that can be a problem, as stage-2 might be shared with
+Message-id: 20241219183211.3493974-4-pierrick.bouvier@linaro.org
-the CPU which might have different PARANGE, and according to SMMU manual
+[PMM: Removed a paragraph about using non-versioned models.]
 ARM IHI 0070F.b:
 .3.6 SMMU_IDR5, OAS must match the system physical address size.
 This patch doesn't change the SMMU OAS, but refactors the code to
 make it easier to do that:
 - Rely everywhere on IDR5 for reading OAS instead of using the
   SMMU_IDR5_OAS macro, so, it is easier just to change IDR5 and
   it propagages correctly.
 - Add additional checks when OAS is greater than 48bits.
 - Remove unused functions/macros: pa_range/MAX_PA.
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Mostafa Saleh <smostafa@google.com>
 Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: 20240715084519.1189624-19-smostafa@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 13 -------------
+ docs/system/arm/virt.rst | 4 ++++
- hw/arm/smmu-common.c     |  7 ++++---
+file changed, 4 insertions(+)
  hw/arm/smmuv3.c          | 35 ++++++++++++++++++++++++++++-------
 files changed, 32 insertions(+), 23 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/docs/system/arm/virt.rst
-+++ b/hw/arm/smmuv3-internal.h
++++ b/docs/system/arm/virt.rst
-@@ -XXX,XX +XXX,XX @@ static inline int oas2bits(int oas_field)
+@@ -XXX,XX +XXX,XX @@ of the 5.0 release and ``virt-5.0`` of the 5.1 release. Migration
-     return -1;
+ is not guaranteed to work between different QEMU releases for
- }
+ the non-versioned ``virt`` machine type.
--static inline int pa_range(STE *ste)
++VM migration is not guaranteed when using ``-cpu max``, as features
--{
++supported may change between QEMU versions.  To ensure your VM can be
--    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
++migrated, it is recommended to use another cpu model instead.
 -
 -    if (!STE_S2AA64(ste)) {
 -        return 40;
 -    }
 -
 -    return oas2bits(oas_field);
 -}
 -
 -#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
 -
  /* CD fields */
  #define CD_VALID(x)   extract32((x)->word[0], 31, 1)
 diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmu-common.c
 +++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg,
      inputsize = 64 - tt->tsz;
      level = 4 - (inputsize - 4) / stride;
      indexmask = VMSA_IDXMSK(inputsize, stride, level);
 -    baseaddr = extract64(tt->ttb, 0, 48);
 +
-+    baseaddr = extract64(tt->ttb, 0, cfg->oas);
+ Supported devices
-     baseaddr &= ~indexmask;
+ """""""""""""""""
      while (level < VMSA_LEVELS) {
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
       * Get the ttb from concatenated structure.
       * The offset is the idx * size of each ttb(number of ptes * (sizeof(pte))
       */
 -    uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, 48) + (1 << stride) *
 -                                  idx * sizeof(uint64_t);
 +    uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, cfg->s2cfg.eff_ps) +
 +                                  (1 << stride) * idx * sizeof(uint64_t);
      dma_addr_t indexmask = VMSA_IDXMSK(inputsize, stride, level);
      baseaddr &= ~indexmask;
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static bool s2t0sz_valid(SMMUTransCfg *cfg)
      }
      if (cfg->s2cfg.granule_sz == 16) {
 -        return (cfg->s2cfg.tsz >= 64 - oas2bits(SMMU_IDR5_OAS));
 +        return (cfg->s2cfg.tsz >= 64 - cfg->s2cfg.eff_ps);
      }
 -    return (cfg->s2cfg.tsz >= MAX(64 - oas2bits(SMMU_IDR5_OAS), 16));
 +    return (cfg->s2cfg.tsz >= MAX(64 - cfg->s2cfg.eff_ps, 16));
  }
  /*
@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
      return nr_concat <= VMSA_MAX_S2_CONCAT;
  }
 -static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
 +static int decode_ste_s2_cfg(SMMUv3State *s, SMMUTransCfg *cfg,
 +                             STE *ste)
  {
 +    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
 +
      if (STE_S2AA64(ste) == 0x0) {
          qemu_log_mask(LOG_UNIMP,
                        "SMMUv3 AArch32 tables not supported\n");
@@ -XXX,XX +XXX,XX @@ static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
      }
      /* For AA64, The effective S2PS size is capped to the OAS. */
 -    cfg->s2cfg.eff_ps = oas2bits(MIN(STE_S2PS(ste), SMMU_IDR5_OAS));
 +    cfg->s2cfg.eff_ps = oas2bits(MIN(STE_S2PS(ste), oas));
 +    /*
 +     * For SMMUv3.1 and later, when OAS == IAS == 52, the stage 2 input
 +     * range is further limited to 48 bits unless STE.S2TG indicates a
 +     * 64KB granule.
 +     */
 +    if (cfg->s2cfg.granule_sz != 16) {
 +        cfg->s2cfg.eff_ps = MIN(cfg->s2cfg.eff_ps, 48);
 +    }
      /*
       * It is ILLEGAL for the address in S2TTB to be outside the range
       * described by the effective S2PS value.
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
                        STE *ste, SMMUEventInfo *event)
  {
      uint32_t config;
 +    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
      int ret;
      if (!STE_VALID(ste)) {
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
           * Stage-1 OAS defaults to OAS even if not enabled as it would be used
           * in input address check for stage-2.
           */
 -        cfg->oas = oas2bits(SMMU_IDR5_OAS);
 -        ret = decode_ste_s2_cfg(cfg, ste);
 +        cfg->oas = oas2bits(oas);
 +        ret = decode_ste_s2_cfg(s, cfg, ste);
          if (ret) {
              goto bad_ste;
          }
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
      int i;
      SMMUTranslationStatus status;
      SMMUTLBEntry *entry;
 +    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
      if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
          goto bad_cd;
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
      cfg->aa64 = true;
      cfg->oas = oas2bits(CD_IPS(cd));
 -    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
 +    cfg->oas = MIN(oas2bits(oas), cfg->oas);
      cfg->tbi = CD_TBI(cd);
      cfg->asid = CD_ASID(cd);
      cfg->affd = CD_AFFD(cd);
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
              goto bad_cd;
          }
 +        /*
 +         * An address greater than 48 bits in size can only be output from a
 +         * TTD when, in SMMUv3.1 and later, the effective IPS is 52 and a 64KB
 +         * granule is in use for that translation table
 +         */
 +        if (tt->granule_sz != 16) {
 +            cfg->oas = MIN(cfg->oas, 48);
 +        }
          tt->tsz = tsz;
          tt->ttb = CD_TTB(cd, i);
 --
 .34.1

Hi; hopefully this is the last arm pullreq before softfreeze.
There's a handful of miscellaneous bug fixes here, but the
bulk of the pullreq is Mostafa's implementation of 2-stage
translation in the SMMUv3.

thanks
-- PMM

The following changes since commit d74ec4d7dda6322bcc51d1b13ccbd993d3574795:

Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging (2024-07-18 10:07:23 +1000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240718

for you to fetch changes up to 30a1690f2402e6c1582d5b3ebcf7940bfe2fad4b:

hvf: arm: Do not advance PC when raising an exception (2024-07-18 13:49:30 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix handling of LDAPR/STLR with negative offset
 * LDAPR should honour SCTLR_ELx.nAA
 * Use float_status copy in sme_fmopa_s
 * hw/display/bcm2835_fb: fix fb_use_offsets condition
 * hw/arm/smmuv3: Support and advertise nesting
 * Use FPST_F16 for SME FMOPA (widening)
 * tests/arm-cpu-features: Do not assume PMU availability
 * hvf: arm: Do not advance PC when raising an exception

----------------------------------------------------------------
Akihiko Odaki (2):
      tests/arm-cpu-features: Do not assume PMU availability
      hvf: arm: Do not advance PC when raising an exception

Daniyal Khan (2):
      target/arm: Use float_status copy in sme_fmopa_s
      tests/tcg/aarch64: Add test cases for SME FMOPA (widening)

Mostafa Saleh (18):
      hw/arm/smmu-common: Add missing size check for stage-1
      hw/arm/smmu: Fix IPA for stage-2 events
      hw/arm/smmuv3: Fix encoding of CLASS in events
      hw/arm/smmu: Use enum for SMMU stage
      hw/arm/smmu: Split smmuv3_translate()
      hw/arm/smmu: Consolidate ASID and VMID types
      hw/arm/smmu: Introduce CACHED_ENTRY_TO_ADDR
      hw/arm/smmuv3: Translate CD and TT using stage-2 table
      hw/arm/smmu-common: Rework TLB lookup for nesting
      hw/arm/smmu-common: Add support for nested TLB
      hw/arm/smmu-common: Support nested translation
      hw/arm/smmu: Support nesting in smmuv3_range_inval()
      hw/arm/smmu: Introduce smmu_iotlb_inv_asid_vmid
      hw/arm/smmu: Support nesting in the rest of commands
      hw/arm/smmuv3: Support nested SMMUs in smmuv3_notify_iova()
      hw/arm/smmuv3: Handle translation faults according to SMMUPTWEventInfo
      hw/arm/smmuv3: Support and advertise nesting
      hw/arm/smmu: Refactor SMMU OAS

Peter Maydell (2):
      target/arm: Fix handling of LDAPR/STLR with negative offset
      target/arm: LDAPR should honour SCTLR_ELx.nAA

Richard Henderson (1):
      target/arm: Use FPST_F16 for SME FMOPA (widening)

SamJakob (1):
      hw/display/bcm2835_fb: fix fb_use_offsets condition

hw/arm/smmuv3-internal.h          |  19 +-
 include/hw/arm/smmu-common.h      |  46 +++-
 target/arm/tcg/a64.decode         |   2 +-
 hw/arm/smmu-common.c              | 312 ++++++++++++++++++++++---
 hw/arm/smmuv3.c                   | 467 +++++++++++++++++++++++++-------------
 hw/display/bcm2835_fb.c           |   2 +-
 target/arm/hvf/hvf.c              |   1 +
 target/arm/tcg/sme_helper.c       |   2 +-
 target/arm/tcg/translate-a64.c    |   2 +-
 target/arm/tcg/translate-sme.c    |  12 +-
 tests/qtest/arm-cpu-features.c    |  13 +-
 tests/tcg/aarch64/sme-fmopa-1.c   |  63 +++++
 tests/tcg/aarch64/sme-fmopa-2.c   |  56 +++++
 tests/tcg/aarch64/sme-fmopa-3.c   |  63 +++++
 hw/arm/trace-events               |  26 ++-
 tests/tcg/aarch64/Makefile.target |   5 +-
 16 files changed, 846 insertions(+), 245 deletions(-)
 create mode 100644 tests/tcg/aarch64/sme-fmopa-1.c
 create mode 100644 tests/tcg/aarch64/sme-fmopa-2.c
 create mode 100644 tests/tcg/aarch64/sme-fmopa-3.c

When we converted the LDAPR/STLR instructions to decodetree we
accidentally introduced a regression where the offset is negative.
The 9-bit immediate field is signed, and the old hand decoder
correctly used sextract32() to get it out of the insn word,
but the ldapr_stlr_i pattern in the decode file used "imm:9"
instead of "imm:s9", so it treated the field as unsigned.

Fix the pattern to treat the field as a signed immediate.

Cc: qemu-stable@nongnu.org
Fixes: 2521b6073b7 ("target/arm: Convert LDAPR/STLR (imm) to decodetree")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2419
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240709134504.3500007-2-peter.maydell@linaro.org
---
 target/arm/tcg/a64.decode | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ LDAPR           sz:2 111 0 00 1 0 1 11111 1100 00 rn:5 rt:5
 LDRA            11 111 0 00 m:1 . 1 ......... w:1 1 rn:5 rt:5 imm=%ldra_imm
 
 &ldapr_stlr_i   rn rt imm sz sign ext
-@ldapr_stlr_i   .. ...... .. . imm:9 .. rn:5 rt:5 &ldapr_stlr_i
+@ldapr_stlr_i   .. ...... .. . imm:s9 .. rn:5 rt:5 &ldapr_stlr_i
 STLR_i          sz:2 011001 00 0 ......... 00 ..... ..... @ldapr_stlr_i sign=0 ext=0
 LDAPR_i         sz:2 011001 01 0 ......... 00 ..... ..... @ldapr_stlr_i sign=0 ext=0
 LDAPR_i         00 011001 10 0 ......... 00 ..... ..... @ldapr_stlr_i sign=1 ext=0 sz=0
-- 
2.34.1

In commit c1a1f80518d360b when we added the FEAT_LSE2 relaxations to
the alignment requirements for atomic and ordered loads and stores,
we didn't quite get it right for LDAPR/LDAPRH/LDAPRB with no
immediate offset.  These instructions were handled in the old decoder
as part of disas_ldst_atomic(), but unlike all the other insns that
function decoded (LDADD, LDCLR, etc) these insns are "ordered", not
"atomic", so they should be using check_ordered_align() rather than
check_atomic_align().  Commit c1a1f80518d360b used
check_atomic_align() regardless for everything in
disas_ldst_atomic().  We then carried that incorrect check over in
the decodetree conversion, where LDAPR/LDAPRH/LDAPRB are now handled
by trans_LDAPR().

The effect is that when FEAT_LSE2 is implemented, these instructions
don't honour the SCTLR_ELx.nAA bit and will generate alignment
faults when they should not.

(The LDAPR insns with an immediate offset were in disas_ldst_ldapr_stlr()
and then in trans_LDAPR_i() and trans_STLR_i(), and have always used
the correct check_ordered_align().)

Use check_ordered_align() in trans_LDAPR().

Cc: qemu-stable@nongnu.org
Fixes: c1a1f80518d360b ("target/arm: Relax ordered/atomic alignment checks for LSE2")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240709134504.3500007-3-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDAPR(DisasContext *s, arg_LDAPR *a)
     if (a->rn == 31) {
         gen_check_sp_alignment(s);
     }
-    mop = check_atomic_align(s, a->rn, a->sz);
+    mop = check_ordered_align(s, a->rn, 0, false, a->sz);
     clean_addr = gen_mte_check1(s, cpu_reg_sp(s, a->rn), false,
                                 a->rn != 31, mop);
     /*
-- 
2.34.1

From: SamJakob <me@samjakob.com>

It is common practice when implementing double-buffering on VideoCore
to do so by multiplying the height of the virtual buffer by the
number of virtual screens desired (i.e., two - in the case of
double-bufferring).

At present, this won't work in QEMU because the logic in
fb_use_offsets require that both the virtual width and height exceed
their physical counterparts.

This appears to be unintentional/a typo and indeed the comment
states; "Experimentally, the hardware seems to do this only if the
viewport size is larger than the physical screen".  The
viewport/virtual size would be larger than the physical size if
either virtual dimension were larger than their physical counterparts
and not necessarily both.

Signed-off-by: SamJakob <me@samjakob.com>
Message-id: 20240713160353.62410-1-me@samjakob.com
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/bcm2835_fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -XXX,XX +XXX,XX @@ static bool fb_use_offsets(BCM2835FBConfig *config)
      * viewport size is larger than the physical screen. (It doesn't
      * prevent the guest setting this silly viewport setting, though...)
      */
-    return config->xres_virtual > config->xres &&
+    return config->xres_virtual > config->xres ||
         config->yres_virtual > config->yres;
 }
 
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

According to the SMMU architecture specification (ARM IHI 0070 F.b),
in “3.4 Address sizes”
    The address output from the translation causes a stage 1 Address Size
    fault if it exceeds the range of the effective IPA size for the given CD.

However, this check was missing.

There is already a similar check for stage-2 against effective PA.

Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Message-id: 20240715084519.1189624-2-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-common.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
             goto error;
         }
 
+        /*
+         * The address output from the translation causes a stage 1 Address
+         * Size fault if it exceeds the range of the effective IPA size for
+         * the given CD.
+         */
+        if (gpa >= (1ULL << cfg->oas)) {
+            info->type = SMMU_PTW_ERR_ADDR_SIZE;
+            goto error;
+        }
+
         tlbe->entry.translated_addr = gpa;
         tlbe->entry.iova = iova & ~mask;
         tlbe->entry.addr_mask = mask;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

For the following events (ARM IHI 0070 F.b - 7.3 Event records):
- F_TRANSLATION
- F_ACCESS
- F_PERMISSION
- F_ADDR_SIZE

If fault occurs at stage 2, S2 == 1 and:
  - If translating an IPA for a transaction (whether by input to
    stage 2-only configuration, or after successful stage 1 translation),
    CLASS == IN, and IPA is provided.

At the moment only CLASS == IN is used which indicates input
translation.

However, this was not implemented correctly, as for stage 2, the code
only sets the  S2 bit but not the IPA.

This field has the same bits as FetchAddr in F_WALK_EABT which is
populated correctly, so we don’t change that.
The setting of this field should be done from the walker as the IPA address
wouldn't be known in case of nesting.

For stage 1, the spec says:
  If fault occurs at stage 1, S2 == 0 and:
  CLASS == IN, IPA is UNKNOWN.

So, no need to set it to for stage 1, as ptw_info is initialised by zero in
smmuv3_translate().

Fixes: e703f7076a “hw/arm/smmuv3: Add page table walk for stage-2”
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Message-id: 20240715084519.1189624-3-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-common.c | 10 ++++++----
 hw/arm/smmuv3.c      |  4 ++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
      */
     if (ipa >= (1ULL << inputsize)) {
         info->type = SMMU_PTW_ERR_TRANSLATION;
-        goto error;
+        goto error_ipa;
     }
 
     while (level < VMSA_LEVELS) {
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
          */
         if (!PTE_AF(pte) && !cfg->s2cfg.affd) {
             info->type = SMMU_PTW_ERR_ACCESS;
-            goto error;
+            goto error_ipa;
         }
 
         s2ap = PTE_AP(pte);
         if (is_permission_fault_s2(s2ap, perm)) {
             info->type = SMMU_PTW_ERR_PERMISSION;
-            goto error;
+            goto error_ipa;
         }
 
         /*
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
          */
         if (gpa >= (1ULL << cfg->s2cfg.eff_ps)) {
             info->type = SMMU_PTW_ERR_ADDR_SIZE;
-            goto error;
+            goto error_ipa;
         }
 
         tlbe->entry.translated_addr = gpa;
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
     }
     info->type = SMMU_PTW_ERR_TRANSLATION;
 
+error_ipa:
+    info->addr = ipa;
 error:
     info->stage = 2;
     tlbe->entry.perm = IOMMU_NONE;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             if (PTW_RECORD_FAULT(cfg)) {
                 event.type = SMMU_EVT_F_TRANSLATION;
                 event.u.f_translation.addr = addr;
+                event.u.f_translation.addr2 = ptw_info.addr;
                 event.u.f_translation.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             if (PTW_RECORD_FAULT(cfg)) {
                 event.type = SMMU_EVT_F_ADDR_SIZE;
                 event.u.f_addr_size.addr = addr;
+                event.u.f_addr_size.addr2 = ptw_info.addr;
                 event.u.f_addr_size.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             if (PTW_RECORD_FAULT(cfg)) {
                 event.type = SMMU_EVT_F_ACCESS;
                 event.u.f_access.addr = addr;
+                event.u.f_access.addr2 = ptw_info.addr;
                 event.u.f_access.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             if (PTW_RECORD_FAULT(cfg)) {
                 event.type = SMMU_EVT_F_PERMISSION;
                 event.u.f_permission.addr = addr;
+                event.u.f_permission.addr2 = ptw_info.addr;
                 event.u.f_permission.rnw = flag & 0x1;
             }
             break;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

The SMMUv3 spec (ARM IHI 0070 F.b - 7.3 Event records) defines the
class of events faults as:

CLASS: The class of the operation that caused the fault:
- 0b00: CD, CD fetch.
- 0b01: TTD, Stage 1 translation table fetch.
- 0b10: IN, Input address

However, this value was not set and left as 0 which means CD and not
IN (0b10).

Another problem was that stage-2 class is considered IN not TT for
EABT, according to the spec:
    Translation of an IPA after successful stage 1 translation (or,
    in stage 2-only configuration, an input IPA)
    - S2 == 1 (stage 2), CLASS == IN (Input to stage)

This would change soon when nested translations are supported.

While at it, add an enum for class as it would be used for nesting.
However, at the moment stage-1 and stage-2 use the same class values,
except for EABT.

Fixes: 9bde7f0674 “hw/arm/smmuv3: Implement translate callback”
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20240715084519.1189624-4-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 6 ++++++
 hw/arm/smmuv3.c          | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef enum SMMUTranslationStatus {
     SMMU_TRANS_SUCCESS,
 } SMMUTranslationStatus;
 
+typedef enum SMMUTranslationClass {
+    SMMU_CLASS_CD,
+    SMMU_CLASS_TT,
+    SMMU_CLASS_IN,
+} SMMUTranslationClass;
+
 /* MMIO Registers */
 
 REG32(IDR0,                0x0)
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             event.type = SMMU_EVT_F_WALK_EABT;
             event.u.f_walk_eabt.addr = addr;
             event.u.f_walk_eabt.rnw = flag & 0x1;
-            event.u.f_walk_eabt.class = 0x1;
+            /* Stage-2 (only) is class IN while stage-1 is class TT */
+            event.u.f_walk_eabt.class = (ptw_info.stage == 2) ?
+                                         SMMU_CLASS_IN : SMMU_CLASS_TT;
             event.u.f_walk_eabt.addr2 = ptw_info.addr;
             break;
         case SMMU_PTW_ERR_TRANSLATION:
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                 event.type = SMMU_EVT_F_TRANSLATION;
                 event.u.f_translation.addr = addr;
                 event.u.f_translation.addr2 = ptw_info.addr;
+                event.u.f_translation.class = SMMU_CLASS_IN;
                 event.u.f_translation.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                 event.type = SMMU_EVT_F_ADDR_SIZE;
                 event.u.f_addr_size.addr = addr;
                 event.u.f_addr_size.addr2 = ptw_info.addr;
+                event.u.f_translation.class = SMMU_CLASS_IN;
                 event.u.f_addr_size.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                 event.type = SMMU_EVT_F_ACCESS;
                 event.u.f_access.addr = addr;
                 event.u.f_access.addr2 = ptw_info.addr;
+                event.u.f_translation.class = SMMU_CLASS_IN;
                 event.u.f_access.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                 event.type = SMMU_EVT_F_PERMISSION;
                 event.u.f_permission.addr = addr;
                 event.u.f_permission.addr2 = ptw_info.addr;
+                event.u.f_translation.class = SMMU_CLASS_IN;
                 event.u.f_permission.rnw = flag & 0x1;
             }
             break;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Currently, translation stage is represented as an int, where 1 is stage-1 and
2 is stage-2, when nested is added, 3 would be confusing to represent nesting,
so we use an enum instead.

While keeping the same values, this is useful for:
 - Doing tricks with bit masks, where BIT(0) is stage-1 and BIT(1) is
   stage-2 and both is nested.
 - Tracing, as stage is printed as int.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20240715084519.1189624-5-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h | 11 +++++++++--
 hw/arm/smmu-common.c         | 14 +++++++-------
 hw/arm/smmuv3.c              | 17 +++++++++--------
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef enum {
     SMMU_PTW_ERR_PERMISSION,  /* Permission fault */
 } SMMUPTWEventType;
 
+/* SMMU Stage */
+typedef enum {
+    SMMU_STAGE_1 = 1,
+    SMMU_STAGE_2,
+    SMMU_NESTED,
+} SMMUStage;
+
 typedef struct SMMUPTWEventInfo {
-    int stage;
+    SMMUStage stage;
     SMMUPTWEventType type;
     dma_addr_t addr; /* fetched address that induced an abort, if any */
 } SMMUPTWEventInfo;
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUS2Cfg {
  */
 typedef struct SMMUTransCfg {
     /* Shared fields between stage-1 and stage-2. */
-    int stage;                 /* translation stage */
+    SMMUStage stage;           /* translation stage */
     bool disabled;             /* smmu is disabled */
     bool bypassed;             /* translation is bypassed */
     bool aborted;              /* translation is aborted */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 {
     dma_addr_t baseaddr, indexmask;
-    int stage = cfg->stage;
+    SMMUStage stage = cfg->stage;
     SMMUTransTableInfo *tt = select_tt(cfg, iova);
     uint8_t level, granule_sz, inputsize, stride;
 
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
     info->type = SMMU_PTW_ERR_TRANSLATION;
 
 error:
-    info->stage = 1;
+    info->stage = SMMU_STAGE_1;
     tlbe->entry.perm = IOMMU_NONE;
     return -EINVAL;
 }
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
                           dma_addr_t ipa, IOMMUAccessFlags perm,
                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 {
-    const int stage = 2;
+    const SMMUStage stage = SMMU_STAGE_2;
     int granule_sz = cfg->s2cfg.granule_sz;
     /* ARM DDI0487I.a: Table D8-7. */
     int inputsize = 64 - cfg->s2cfg.tsz;
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
 error_ipa:
     info->addr = ipa;
 error:
-    info->stage = 2;
+    info->stage = SMMU_STAGE_2;
     tlbe->entry.perm = IOMMU_NONE;
     return -EINVAL;
 }
@@ -XXX,XX +XXX,XX @@ error:
 int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
              SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 {
-    if (cfg->stage == 1) {
+    if (cfg->stage == SMMU_STAGE_1) {
         return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);
-    } else if (cfg->stage == 2) {
+    } else if (cfg->stage == SMMU_STAGE_2) {
         /*
          * If bypassing stage 1(or unimplemented), the input address is passed
          * directly to stage 2 as IPA. If the input address of a transaction
@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
          */
         if (iova >= (1ULL << cfg->oas)) {
             info->type = SMMU_PTW_ERR_ADDR_SIZE;
-            info->stage = 1;
+            info->stage = SMMU_STAGE_1;
             tlbe->entry.perm = IOMMU_NONE;
             return -EINVAL;
         }
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 #include "smmuv3-internal.h"
 #include "smmu-internal.h"
 
-#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == 1) ? (cfg)->record_faults : \
+#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == SMMU_STAGE_1) ? \
+                                 (cfg)->record_faults : \
                                  (cfg)->s2cfg.record_faults)
 
 /**
@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
 
 static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
 {
-    cfg->stage = 2;
+    cfg->stage = SMMU_STAGE_2;
 
     if (STE_S2AA64(ste) == 0x0) {
         qemu_log_mask(LOG_UNIMP,
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
 
     /* we support only those at the moment */
     cfg->aa64 = true;
-    cfg->stage = 1;
+    cfg->stage = SMMU_STAGE_1;
 
     cfg->oas = oas2bits(CD_IPS(cd));
     cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
         return ret;
     }
 
-    if (cfg->aborted || cfg->bypassed || (cfg->stage == 2)) {
+    if (cfg->aborted || cfg->bypassed || (cfg->stage == SMMU_STAGE_2)) {
         return 0;
     }
 
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
         goto epilogue;
     }
 
-    if (cfg->stage == 1) {
+    if (cfg->stage == SMMU_STAGE_1) {
         /* Select stage1 translation table. */
         tt = select_tt(cfg, addr);
         if (!tt) {
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
              * nesting is not supported. So it is sufficient to check the
              * translation stage to know the TLB stage for now.
              */
-            event.u.f_walk_eabt.s2 = (cfg->stage == 2);
+            event.u.f_walk_eabt.s2 = (cfg->stage == SMMU_STAGE_2);
             if (PTW_RECORD_FAULT(cfg)) {
                 event.type = SMMU_EVT_F_PERMISSION;
                 event.u.f_permission.addr = addr;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
 
     if (smmu_ptw(cfg, aligned_addr, flag, cached_entry, &ptw_info)) {
         /* All faults from PTW has S2 field. */
-        event.u.f_walk_eabt.s2 = (ptw_info.stage == 2);
+        event.u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
         g_free(cached_entry);
         switch (ptw_info.type) {
         case SMMU_PTW_ERR_WALK_EABT:
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
             event.u.f_walk_eabt.addr = addr;
             event.u.f_walk_eabt.rnw = flag & 0x1;
             /* Stage-2 (only) is class IN while stage-1 is class TT */
-            event.u.f_walk_eabt.class = (ptw_info.stage == 2) ?
+            event.u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
             event.u.f_walk_eabt.addr2 = ptw_info.addr;
             break;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

smmuv3_translate() does everything from STE/CD parsing to TLB lookup
and PTW.

Soon, when nesting is supported, stage-1 data (tt, CD) needs to be
translated using stage-2.

Split smmuv3_translate() to 3 functions:

- smmu_translate(): in smmu-common.c, which does the TLB lookup, PTW,
  TLB insertion, all the functions are already there, this just puts
  them together.
  This also simplifies the code as it consolidates event generation
  in case of TLB lookup permission failure or in TT selection.

- smmuv3_do_translate(): in smmuv3.c, Calls smmu_translate() and does
  the event population in case of errors.

- smmuv3_translate(), now calls smmuv3_do_translate() for
  translation while the rest is the same.

Also, add stage in trace_smmuv3_translate_success()

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-6-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |   8 ++
 hw/arm/smmu-common.c         |  59 +++++++++++
 hw/arm/smmuv3.c              | 194 +++++++++++++----------------------
 hw/arm/trace-events          |   2 +-
 4 files changed, 142 insertions(+), 121 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
 int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
              SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
 
+
+/*
+ * smmu_translate - Look for a translation in TLB, if not, do a PTW.
+ * Returns NULL on PTW error or incase of TLB permission errors.
+ */
+SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
+                             IOMMUAccessFlags flag, SMMUPTWEventInfo *info);
+
 /**
  * select_tt - compute which translation table shall be used according to
  * the input iova and translation config and return the TT specific info
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
     g_assert_not_reached();
 }
 
+SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
+                             IOMMUAccessFlags flag, SMMUPTWEventInfo *info)
+{
+    uint64_t page_mask, aligned_addr;
+    SMMUTLBEntry *cached_entry = NULL;
+    SMMUTransTableInfo *tt;
+    int status;
+
+    /*
+     * Combined attributes used for TLB lookup, as only one stage is supported,
+     * it will hold attributes based on the enabled stage.
+     */
+    SMMUTransTableInfo tt_combined;
+
+    if (cfg->stage == SMMU_STAGE_1) {
+        /* Select stage1 translation table. */
+        tt = select_tt(cfg, addr);
+        if (!tt) {
+            info->type = SMMU_PTW_ERR_TRANSLATION;
+            info->stage = SMMU_STAGE_1;
+            return NULL;
+        }
+        tt_combined.granule_sz = tt->granule_sz;
+        tt_combined.tsz = tt->tsz;
+
+    } else {
+        /* Stage2. */
+        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
+        tt_combined.tsz = cfg->s2cfg.tsz;
+    }
+
+    /*
+     * TLB lookup looks for granule and input size for a translation stage,
+     * as only one stage is supported right now, choose the right values
+     * from the configuration.
+     */
+    page_mask = (1ULL << tt_combined.granule_sz) - 1;
+    aligned_addr = addr & ~page_mask;
+
+    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
+    if (cached_entry) {
+        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
+            info->type = SMMU_PTW_ERR_PERMISSION;
+            info->stage = cfg->stage;
+            return NULL;
+        }
+        return cached_entry;
+    }
+
+    cached_entry = g_new0(SMMUTLBEntry, 1);
+    status = smmu_ptw(cfg, aligned_addr, flag, cached_entry, info);
+    if (status) {
+            g_free(cached_entry);
+            return NULL;
+    }
+    smmu_iotlb_insert(bs, cfg, cached_entry);
+    return cached_entry;
+}
+
 /**
  * The bus number is used for lookup when SID based invalidation occurs.
  * In that case we lazily populate the SMMUPciBus array from the bus hash
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_flush_config(SMMUDevice *sdev)
     g_hash_table_remove(bc->configs, sdev);
 }
 
+/* Do translation with TLB lookup. */
+static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
+                                                 SMMUTransCfg *cfg,
+                                                 SMMUEventInfo *event,
+                                                 IOMMUAccessFlags flag,
+                                                 SMMUTLBEntry **out_entry)
+{
+    SMMUPTWEventInfo ptw_info = {};
+    SMMUState *bs = ARM_SMMU(s);
+    SMMUTLBEntry *cached_entry = NULL;
+
+    cached_entry = smmu_translate(bs, cfg, addr, flag, &ptw_info);
+    if (!cached_entry) {
+        /* All faults from PTW has S2 field. */
+        event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
+        switch (ptw_info.type) {
+        case SMMU_PTW_ERR_WALK_EABT:
+            event->type = SMMU_EVT_F_WALK_EABT;
+            event->u.f_walk_eabt.addr = addr;
+            event->u.f_walk_eabt.rnw = flag & 0x1;
+            event->u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
+                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
+            event->u.f_walk_eabt.addr2 = ptw_info.addr;
+            break;
+        case SMMU_PTW_ERR_TRANSLATION:
+            if (PTW_RECORD_FAULT(cfg)) {
+                event->type = SMMU_EVT_F_TRANSLATION;
+                event->u.f_translation.addr = addr;
+                event->u.f_translation.addr2 = ptw_info.addr;
+                event->u.f_translation.class = SMMU_CLASS_IN;
+                event->u.f_translation.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ADDR_SIZE:
+            if (PTW_RECORD_FAULT(cfg)) {
+                event->type = SMMU_EVT_F_ADDR_SIZE;
+                event->u.f_addr_size.addr = addr;
+                event->u.f_addr_size.addr2 = ptw_info.addr;
+                event->u.f_addr_size.class = SMMU_CLASS_IN;
+                event->u.f_addr_size.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ACCESS:
+            if (PTW_RECORD_FAULT(cfg)) {
+                event->type = SMMU_EVT_F_ACCESS;
+                event->u.f_access.addr = addr;
+                event->u.f_access.addr2 = ptw_info.addr;
+                event->u.f_access.class = SMMU_CLASS_IN;
+                event->u.f_access.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_PERMISSION:
+            if (PTW_RECORD_FAULT(cfg)) {
+                event->type = SMMU_EVT_F_PERMISSION;
+                event->u.f_permission.addr = addr;
+                event->u.f_permission.addr2 = ptw_info.addr;
+                event->u.f_permission.class = SMMU_CLASS_IN;
+                event->u.f_permission.rnw = flag & 0x1;
+            }
+            break;
+        default:
+            g_assert_not_reached();
+        }
+        return SMMU_TRANS_ERROR;
+    }
+    *out_entry = cached_entry;
+    return SMMU_TRANS_SUCCESS;
+}
+
+/* Entry point to SMMU, does everything. */
 static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                                       IOMMUAccessFlags flag, int iommu_idx)
 {
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
     SMMUEventInfo event = {.type = SMMU_EVT_NONE,
                            .sid = sid,
                            .inval_ste_allowed = false};
-    SMMUPTWEventInfo ptw_info = {};
     SMMUTranslationStatus status;
-    SMMUState *bs = ARM_SMMU(s);
-    uint64_t page_mask, aligned_addr;
-    SMMUTLBEntry *cached_entry = NULL;
-    SMMUTransTableInfo *tt;
     SMMUTransCfg *cfg = NULL;
     IOMMUTLBEntry entry = {
         .target_as = &address_space_memory,
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
         .addr_mask = ~(hwaddr)0,
         .perm = IOMMU_NONE,
     };
-    /*
-     * Combined attributes used for TLB lookup, as only one stage is supported,
-     * it will hold attributes based on the enabled stage.
-     */
-    SMMUTransTableInfo tt_combined;
+    SMMUTLBEntry *cached_entry = NULL;
 
     qemu_mutex_lock(&s->mutex);
 
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
         goto epilogue;
     }
 
-    if (cfg->stage == SMMU_STAGE_1) {
-        /* Select stage1 translation table. */
-        tt = select_tt(cfg, addr);
-        if (!tt) {
-            if (cfg->record_faults) {
-                event.type = SMMU_EVT_F_TRANSLATION;
-                event.u.f_translation.addr = addr;
-                event.u.f_translation.rnw = flag & 0x1;
-            }
-            status = SMMU_TRANS_ERROR;
-            goto epilogue;
-        }
-        tt_combined.granule_sz = tt->granule_sz;
-        tt_combined.tsz = tt->tsz;
-
-    } else {
-        /* Stage2. */
-        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
-        tt_combined.tsz = cfg->s2cfg.tsz;
-    }
-    /*
-     * TLB lookup looks for granule and input size for a translation stage,
-     * as only one stage is supported right now, choose the right values
-     * from the configuration.
-     */
-    page_mask = (1ULL << tt_combined.granule_sz) - 1;
-    aligned_addr = addr & ~page_mask;
-
-    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
-    if (cached_entry) {
-        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
-            status = SMMU_TRANS_ERROR;
-            /*
-             * We know that the TLB only contains either stage-1 or stage-2 as
-             * nesting is not supported. So it is sufficient to check the
-             * translation stage to know the TLB stage for now.
-             */
-            event.u.f_walk_eabt.s2 = (cfg->stage == SMMU_STAGE_2);
-            if (PTW_RECORD_FAULT(cfg)) {
-                event.type = SMMU_EVT_F_PERMISSION;
-                event.u.f_permission.addr = addr;
-                event.u.f_permission.rnw = flag & 0x1;
-            }
-        } else {
-            status = SMMU_TRANS_SUCCESS;
-        }
-        goto epilogue;
-    }
-
-    cached_entry = g_new0(SMMUTLBEntry, 1);
-
-    if (smmu_ptw(cfg, aligned_addr, flag, cached_entry, &ptw_info)) {
-        /* All faults from PTW has S2 field. */
-        event.u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
-        g_free(cached_entry);
-        switch (ptw_info.type) {
-        case SMMU_PTW_ERR_WALK_EABT:
-            event.type = SMMU_EVT_F_WALK_EABT;
-            event.u.f_walk_eabt.addr = addr;
-            event.u.f_walk_eabt.rnw = flag & 0x1;
-            /* Stage-2 (only) is class IN while stage-1 is class TT */
-            event.u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
-                                         SMMU_CLASS_IN : SMMU_CLASS_TT;
-            event.u.f_walk_eabt.addr2 = ptw_info.addr;
-            break;
-        case SMMU_PTW_ERR_TRANSLATION:
-            if (PTW_RECORD_FAULT(cfg)) {
-                event.type = SMMU_EVT_F_TRANSLATION;
-                event.u.f_translation.addr = addr;
-                event.u.f_translation.addr2 = ptw_info.addr;
-                event.u.f_translation.class = SMMU_CLASS_IN;
-                event.u.f_translation.rnw = flag & 0x1;
-            }
-            break;
-        case SMMU_PTW_ERR_ADDR_SIZE:
-            if (PTW_RECORD_FAULT(cfg)) {
-                event.type = SMMU_EVT_F_ADDR_SIZE;
-                event.u.f_addr_size.addr = addr;
-                event.u.f_addr_size.addr2 = ptw_info.addr;
-                event.u.f_translation.class = SMMU_CLASS_IN;
-                event.u.f_addr_size.rnw = flag & 0x1;
-            }
-            break;
-        case SMMU_PTW_ERR_ACCESS:
-            if (PTW_RECORD_FAULT(cfg)) {
-                event.type = SMMU_EVT_F_ACCESS;
-                event.u.f_access.addr = addr;
-                event.u.f_access.addr2 = ptw_info.addr;
-                event.u.f_translation.class = SMMU_CLASS_IN;
-                event.u.f_access.rnw = flag & 0x1;
-            }
-            break;
-        case SMMU_PTW_ERR_PERMISSION:
-            if (PTW_RECORD_FAULT(cfg)) {
-                event.type = SMMU_EVT_F_PERMISSION;
-                event.u.f_permission.addr = addr;
-                event.u.f_permission.addr2 = ptw_info.addr;
-                event.u.f_translation.class = SMMU_CLASS_IN;
-                event.u.f_permission.rnw = flag & 0x1;
-            }
-            break;
-        default:
-            g_assert_not_reached();
-        }
-        status = SMMU_TRANS_ERROR;
-    } else {
-        smmu_iotlb_insert(bs, cfg, cached_entry);
-        status = SMMU_TRANS_SUCCESS;
-    }
+    status = smmuv3_do_translate(s, addr, cfg, &event, flag, &cached_entry);
 
 epilogue:
     qemu_mutex_unlock(&s->mutex);
@@ -XXX,XX +XXX,XX @@ epilogue:
                                     (addr & cached_entry->entry.addr_mask);
         entry.addr_mask = cached_entry->entry.addr_mask;
         trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr,
-                                       entry.translated_addr, entry.perm);
+                                       entry.translated_addr, entry.perm,
+                                       cfg->stage);
         break;
     case SMMU_TRANS_DISABLE:
         entry.perm = flag;
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
 smmuv3_translate_disable(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x bypass (smmu disabled) iova:0x%"PRIx64" is_write=%d"
 smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x STE bypass iova:0x%"PRIx64" is_write=%d"
 smmuv3_translate_abort(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=0x%x abort on iova:0x%"PRIx64" is_write=%d"
-smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
+smmuv3_translate_success(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm, int stage) "%s sid=0x%x iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x stage=%d"
 smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
 smmuv3_decode_cd(uint32_t oas) "oas=%d"
 smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz, bool had) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d had:%d"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

ASID and VMID used to be uint16_t in the translation config, however,
in other contexts they can be int as -1 in case of TLB invalidation,
to represent all (don’t care).
When stage-2 was added asid was set to -1 in stage-2 and vmid to -1
in stage-1 configs. However, that meant they were set as (65536),
this was not an issue as nesting was not supported and no
commands/lookup uses both.

With nesting, it’s critical to get this right as translation must be
tagged correctly with ASID/VMID, and with ASID=-1 meaning stage-2.
Represent ASID/VMID everywhere as int.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-7-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h | 14 +++++++-------
 hw/arm/smmu-common.c         | 10 +++++-----
 hw/arm/smmuv3.c              |  4 ++--
 hw/arm/trace-events          | 18 +++++++++---------
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUS2Cfg {
     bool record_faults;     /* Record fault events (S2R) */
     uint8_t granule_sz;     /* Granule page shift (based on S2TG) */
     uint8_t eff_ps;         /* Effective PA output range (based on S2PS) */
-    uint16_t vmid;          /* Virtual Machine ID (S2VMID) */
+    int vmid;               /* Virtual Machine ID (S2VMID) */
     uint64_t vttb;          /* Address of translation table base (S2TTB) */
 } SMMUS2Cfg;
 
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
     uint64_t ttb;              /* TT base address */
     uint8_t oas;               /* output address width */
     uint8_t tbi;               /* Top Byte Ignore */
-    uint16_t asid;
+    int asid;
     SMMUTransTableInfo tt[2];
     /* Used by stage-2 only. */
     struct SMMUS2Cfg s2cfg;
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUPciBus {
 
 typedef struct SMMUIOTLBKey {
     uint64_t iova;
-    uint16_t asid;
-    uint16_t vmid;
+    int asid;
+    int vmid;
     uint8_t tg;
     uint8_t level;
 } SMMUIOTLBKey;
@@ -XXX,XX +XXX,XX @@ SMMUDevice *smmu_find_sdev(SMMUState *s, uint32_t sid);
 SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
                                 SMMUTransTableInfo *tt, hwaddr iova);
 void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *entry);
-SMMUIOTLBKey smmu_get_iotlb_key(uint16_t asid, uint16_t vmid, uint64_t iova,
+SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
                                 uint8_t tg, uint8_t level);
 void smmu_iotlb_inv_all(SMMUState *s);
-void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid);
-void smmu_iotlb_inv_vmid(SMMUState *s, uint16_t vmid);
+void smmu_iotlb_inv_asid(SMMUState *s, int asid);
+void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
 
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static gboolean smmu_iotlb_key_equal(gconstpointer v1, gconstpointer v2)
            (k1->vmid == k2->vmid);
 }
 
-SMMUIOTLBKey smmu_get_iotlb_key(uint16_t asid, uint16_t vmid, uint64_t iova,
+SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
                                 uint8_t tg, uint8_t level)
 {
     SMMUIOTLBKey key = {.asid = asid, .vmid = vmid, .iova = iova,
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_all(SMMUState *s)
 static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
                                          gpointer user_data)
 {
-    uint16_t asid = *(uint16_t *)user_data;
+    int asid = *(int *)user_data;
     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
 
     return SMMU_IOTLB_ASID(*iotlb_key) == asid;
@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
 static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
                                          gpointer user_data)
 {
-    uint16_t vmid = *(uint16_t *)user_data;
+    int vmid = *(int *)user_data;
     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
 
     return SMMU_IOTLB_VMID(*iotlb_key) == vmid;
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                                 &info);
 }
 
-void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid)
+void smmu_iotlb_inv_asid(SMMUState *s, int asid)
 {
     trace_smmu_iotlb_inv_asid(asid);
     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid, &asid);
 }
 
-void smmu_iotlb_inv_vmid(SMMUState *s, uint16_t vmid)
+void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
 {
     trace_smmu_iotlb_inv_vmid(vmid);
     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid);
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
         }
         case SMMU_CMD_TLBI_NH_ASID:
         {
-            uint16_t asid = CMD_ASID(&cmd);
+            int asid = CMD_ASID(&cmd);
 
             if (!STAGE1_SUPPORTED(s)) {
                 cmd_error = SMMU_CERROR_ILL;
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
             break;
         case SMMU_CMD_TLBI_S12_VMALL:
         {
-            uint16_t vmid = CMD_VMID(&cmd);
+            int vmid = CMD_VMID(&cmd);
 
             if (!STAGE2_SUPPORTED(s)) {
                 cmd_error = SMMU_CERROR_ILL;
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint6
 smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
 smmu_iotlb_inv_all(void) "IOTLB invalidate all"
-smmu_iotlb_inv_asid(uint16_t asid) "IOTLB invalidate asid=%d"
-smmu_iotlb_inv_vmid(uint16_t vmid) "IOTLB invalidate vmid=%d"
-smmu_iotlb_inv_iova(uint16_t asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
+smmu_iotlb_inv_asid(int asid) "IOTLB invalidate asid=%d"
+smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
+smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
 smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
-smmu_iotlb_lookup_hit(uint16_t asid, uint16_t vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
-smmu_iotlb_lookup_miss(uint16_t asid, uint16_t vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
-smmu_iotlb_insert(uint16_t asid, uint16_t vmid, uint64_t addr, uint8_t tg, uint8_t level) "IOTLB ++ asid=%d vmid=%d addr=0x%"PRIx64" tg=%d level=%d"
+smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
+smmu_iotlb_lookup_miss(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
+smmu_iotlb_insert(int asid, int vmid, uint64_t addr, uint8_t tg, uint8_t level) "IOTLB ++ asid=%d vmid=%d addr=0x%"PRIx64" tg=%d level=%d"
 
 # smmuv3.c
 smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
@@ -XXX,XX +XXX,XX @@ smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t p
 smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
 smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
 smmuv3_cmdq_tlbi_nh(void) ""
-smmuv3_cmdq_tlbi_nh_asid(uint16_t asid) "asid=%d"
-smmuv3_cmdq_tlbi_s12_vmid(uint16_t vmid) "vmid=%d"
+smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
+smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
 smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
 smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
 smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
-smmuv3_inv_notifiers_iova(const char *name, uint16_t asid, uint16_t vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
+smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
 
 # strongarm.c
 strongarm_uart_update_parameters(const char *label, int speed, char parity, int data_bits, int stop_bits) "%s speed=%d parity=%c data=%d stop=%d"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Soon, smmuv3_do_translate() will be used to translate the CD and the
TTBx, instead of re-writting the same logic to convert the returned
cached entry to an address, add a new macro CACHED_ENTRY_TO_ADDR.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-8-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h | 3 +++
 hw/arm/smmuv3.c              | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@
 #define VMSA_IDXMSK(isz, strd, lvl)         ((1ULL << \
                                              VMSA_BIT_LVL(isz, strd, lvl)) - 1)
 
+#define CACHED_ENTRY_TO_ADDR(ent, addr)      ((ent)->entry.translated_addr + \
+                                             ((addr) & (ent)->entry.addr_mask))
+
 /*
  * Page table walk error types
  */
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ epilogue:
     switch (status) {
     case SMMU_TRANS_SUCCESS:
         entry.perm = cached_entry->entry.perm;
-        entry.translated_addr = cached_entry->entry.translated_addr +
-                                    (addr & cached_entry->entry.addr_mask);
+        entry.translated_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr);
         entry.addr_mask = cached_entry->entry.addr_mask;
         trace_smmuv3_translate_success(mr->parent_obj.name, sid, addr,
                                        entry.translated_addr, entry.perm,
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

According to ARM SMMU architecture specification (ARM IHI 0070 F.b),
In "5.2 Stream Table Entry":
 [51:6] S1ContextPtr
 If Config[1] == 1 (stage 2 enabled), this pointer is an IPA translated by
 stage 2 and the programmed value must be within the range of the IAS.

In "5.4.1 CD notes":
 The translation table walks performed from TTB0 or TTB1 are always performed
 in IPA space if stage 2 translations are enabled.

This patch implements translation of the S1 context descriptor pointer and
TTBx base addresses through the S2 stage (IPA -> PA)

smmuv3_do_translate() is updated to have one arg which is translation
class, this is useful to:
 - Decide wether a translation is stage-2 only or use the STE config.
 - Populate the class in case of faults, WALK_EABT is left unchanged
   for stage-1 as it is always IN, while stage-2 would match the
   used class (TT, IN, CD), this will change slightly when the ptw
   supports nested translation as it can also issue TT event with
   class IN.

In case for stage-2 only translation, used in the context of nested
translation, the stage and asid are saved and restored before and
after calling smmu_translate().

Translating CD or TTBx can fail for the following reasons:
1) Large address size: This is described in
   (3.4.3 Address sizes of SMMU-originated accesses)
   - For CD ptr larger than IAS, for SMMUv3.1, it can trigger either
     C_BAD_STE or Translation fault, we implement the latter as it
     requires no extra code.
   - For TTBx, if larger than the effective stage 1 output address size, it
     triggers C_BAD_CD.

2) Faults from PTWs (7.3 Event records)
   - F_ADDR_SIZE: large address size after first level causes stage 2 Address
     Size fault (Also in 3.4.3 Address sizes of SMMU-originated accesses)
   - F_PERMISSION: Same as an address translation. However, when
     CLASS == CD, the access is implicitly Data and a read.
   - F_ACCESS: Same as an address translation.
   - F_TRANSLATION: Same as an address translation.
   - F_WALK_EABT: Same as an address translation.
  These are already implemented in the PTW logic, so no extra handling
  required.

As in CD and TTBx translation context, the iova is not known, setting
the InputAddr was removed from "smmuv3_do_translate" and set after
from "smmuv3_translate" with the new function "smmuv3_fixup_event"

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-9-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 120 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 103 insertions(+), 17 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
 
 }
 
+static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
+                                                 SMMUTransCfg *cfg,
+                                                 SMMUEventInfo *event,
+                                                 IOMMUAccessFlags flag,
+                                                 SMMUTLBEntry **out_entry,
+                                                 SMMUTranslationClass class);
 /* @ssid > 0 not supported yet */
-static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
-                       CD *buf, SMMUEventInfo *event)
+static int smmu_get_cd(SMMUv3State *s, STE *ste, SMMUTransCfg *cfg,
+                       uint32_t ssid, CD *buf, SMMUEventInfo *event)
 {
     dma_addr_t addr = STE_CTXPTR(ste);
     int ret, i;
+    SMMUTranslationStatus status;
+    SMMUTLBEntry *entry;
 
     trace_smmuv3_get_cd(addr);
+
+    if (cfg->stage == SMMU_NESTED) {
+        status = smmuv3_do_translate(s, addr, cfg, event,
+                                     IOMMU_RO, &entry, SMMU_CLASS_CD);
+
+        /* Same PTW faults are reported but with CLASS = CD. */
+        if (status != SMMU_TRANS_SUCCESS) {
+            return -EINVAL;
+        }
+
+        addr = CACHED_ENTRY_TO_ADDR(entry, addr);
+    }
+
     /* TODO: guarantee 64-bit single-copy atomicity */
     ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
                           MEMTXATTRS_UNSPECIFIED);
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
     return 0;
 }
 
-static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
+static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
+                     CD *cd, SMMUEventInfo *event)
 {
     int ret = -EINVAL;
     int i;
+    SMMUTranslationStatus status;
+    SMMUTLBEntry *entry;
 
     if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
         goto bad_cd;
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
 
         tt->tsz = tsz;
         tt->ttb = CD_TTB(cd, i);
+
         if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
             goto bad_cd;
         }
+
+        /* Translate the TTBx, from IPA to PA if nesting is enabled. */
+        if (cfg->stage == SMMU_NESTED) {
+            status = smmuv3_do_translate(s, tt->ttb, cfg, event, IOMMU_RO,
+                                         &entry, SMMU_CLASS_TT);
+            /*
+             * Same PTW faults are reported but with CLASS = TT.
+             * If TTBx is larger than the effective stage 1 output addres
+             * size, it reports C_BAD_CD, which is handled by the above case.
+             */
+            if (status != SMMU_TRANS_SUCCESS) {
+                return -EINVAL;
+            }
+            tt->ttb = CACHED_ENTRY_TO_ADDR(entry, tt->ttb);
+        }
+
         tt->had = CD_HAD(cd, i);
         trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz, tt->had);
     }
@@ -XXX,XX +XXX,XX @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
         return 0;
     }
 
-    ret = smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event);
+    ret = smmu_get_cd(s, &ste, cfg, 0 /* ssid */, &cd, event);
     if (ret) {
         return ret;
     }
 
-    return decode_cd(cfg, &cd, event);
+    return decode_cd(s, cfg, &cd, event);
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
                                                  SMMUTransCfg *cfg,
                                                  SMMUEventInfo *event,
                                                  IOMMUAccessFlags flag,
-                                                 SMMUTLBEntry **out_entry)
+                                                 SMMUTLBEntry **out_entry,
+                                                 SMMUTranslationClass class)
 {
     SMMUPTWEventInfo ptw_info = {};
     SMMUState *bs = ARM_SMMU(s);
     SMMUTLBEntry *cached_entry = NULL;
+    int asid, stage;
+    bool desc_s2_translation = class != SMMU_CLASS_IN;
+
+    /*
+     * The function uses the argument class to identify which stage is used:
+     * - CLASS = IN: Means an input translation, determine the stage from STE.
+     * - CLASS = CD: Means the addr is an IPA of the CD, and it would be
+     *   translated using the stage-2.
+     * - CLASS = TT: Means the addr is an IPA of the stage-1 translation table
+     *   and it would be translated using the stage-2.
+     * For the last 2 cases instead of having intrusive changes in the common
+     * logic, we modify the cfg to be a stage-2 translation only in case of
+     * nested, and then restore it after.
+     */
+    if (desc_s2_translation) {
+        asid = cfg->asid;
+        stage = cfg->stage;
+        cfg->asid = -1;
+        cfg->stage = SMMU_STAGE_2;
+    }
 
     cached_entry = smmu_translate(bs, cfg, addr, flag, &ptw_info);
+
+    if (desc_s2_translation) {
+        cfg->asid = asid;
+        cfg->stage = stage;
+    }
+
     if (!cached_entry) {
         /* All faults from PTW has S2 field. */
         event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
         switch (ptw_info.type) {
         case SMMU_PTW_ERR_WALK_EABT:
             event->type = SMMU_EVT_F_WALK_EABT;
-            event->u.f_walk_eabt.addr = addr;
             event->u.f_walk_eabt.rnw = flag & 0x1;
             event->u.f_walk_eabt.class = (ptw_info.stage == SMMU_STAGE_2) ?
-                                          SMMU_CLASS_IN : SMMU_CLASS_TT;
+                                          class : SMMU_CLASS_TT;
             event->u.f_walk_eabt.addr2 = ptw_info.addr;
             break;
         case SMMU_PTW_ERR_TRANSLATION:
             if (PTW_RECORD_FAULT(cfg)) {
                 event->type = SMMU_EVT_F_TRANSLATION;
-                event->u.f_translation.addr = addr;
                 event->u.f_translation.addr2 = ptw_info.addr;
-                event->u.f_translation.class = SMMU_CLASS_IN;
+                event->u.f_translation.class = class;
                 event->u.f_translation.rnw = flag & 0x1;
             }
             break;
         case SMMU_PTW_ERR_ADDR_SIZE:
             if (PTW_RECORD_FAULT(cfg)) {
                 event->type = SMMU_EVT_F_ADDR_SIZE;
-                event->u.f_addr_size.addr = addr;
                 event->u.f_addr_size.addr2 = ptw_info.addr;
-                event->u.f_addr_size.class = SMMU_CLASS_IN;
+                event->u.f_addr_size.class = class;
                 event->u.f_addr_size.rnw = flag & 0x1;
             }
             break;
         case SMMU_PTW_ERR_ACCESS:
             if (PTW_RECORD_FAULT(cfg)) {
                 event->type = SMMU_EVT_F_ACCESS;
-                event->u.f_access.addr = addr;
                 event->u.f_access.addr2 = ptw_info.addr;
-                event->u.f_access.class = SMMU_CLASS_IN;
+                event->u.f_access.class = class;
                 event->u.f_access.rnw = flag & 0x1;
             }
             break;
         case SMMU_PTW_ERR_PERMISSION:
             if (PTW_RECORD_FAULT(cfg)) {
                 event->type = SMMU_EVT_F_PERMISSION;
-                event->u.f_permission.addr = addr;
                 event->u.f_permission.addr2 = ptw_info.addr;
-                event->u.f_permission.class = SMMU_CLASS_IN;
+                event->u.f_permission.class = class;
                 event->u.f_permission.rnw = flag & 0x1;
             }
             break;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
     return SMMU_TRANS_SUCCESS;
 }
 
+/*
+ * Sets the InputAddr for an SMMU_TRANS_ERROR, as it can't be
+ * set from all contexts, as smmuv3_get_config() can return
+ * translation faults in case of nested translation (for CD
+ * and TTBx). But in that case the iova is not known.
+ */
+static void smmuv3_fixup_event(SMMUEventInfo *event, hwaddr iova)
+{
+    switch (event->type) {
+    case SMMU_EVT_F_WALK_EABT:
+    case SMMU_EVT_F_TRANSLATION:
+    case SMMU_EVT_F_ADDR_SIZE:
+    case SMMU_EVT_F_ACCESS:
+    case SMMU_EVT_F_PERMISSION:
+        event->u.f_walk_eabt.addr = iova;
+        break;
+    default:
+        break;
+    }
+}
+
 /* Entry point to SMMU, does everything. */
 static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
                                       IOMMUAccessFlags flag, int iommu_idx)
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
         goto epilogue;
     }
 
-    status = smmuv3_do_translate(s, addr, cfg, &event, flag, &cached_entry);
+    status = smmuv3_do_translate(s, addr, cfg, &event, flag,
+                                 &cached_entry, SMMU_CLASS_IN);
 
 epilogue:
     qemu_mutex_unlock(&s->mutex);
@@ -XXX,XX +XXX,XX @@ epilogue:
                                      entry.perm);
         break;
     case SMMU_TRANS_ERROR:
+        smmuv3_fixup_event(&event, addr);
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s translation failed for iova=0x%"PRIx64" (%s)\n",
                       mr->parent_obj.name, addr, smmu_event_string(event.type));
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

In the next patch, combine_tlb() will be added which combines 2 TLB
entries into one for nested translations, which chooses the granule
and level from the smallest entry.

This means that with nested translation, an entry can be cached with
the granule of stage-2 and not stage-1.

However, currently, the lookup for an IOVA is done with input stage
granule, which is stage-1 for nested configuration, which will not
work with the above logic.
This patch reworks lookup in that case, so it falls back to stage-2
granule if no entry is found using stage-1 granule.

Also, drop aligning the iova to avoid over-aligning in case the iova
is cached with a smaller granule, the TLB lookup will align the iova
anyway for each granule and level, and the page table walker doesn't
consider the page offset bits.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-10-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-common.c | 64 +++++++++++++++++++++++++++++---------------
 1 file changed, 43 insertions(+), 21 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
     return key;
 }
 
-SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
-                                SMMUTransTableInfo *tt, hwaddr iova)
+static SMMUTLBEntry *smmu_iotlb_lookup_all_levels(SMMUState *bs,
+                                                  SMMUTransCfg *cfg,
+                                                  SMMUTransTableInfo *tt,
+                                                  hwaddr iova)
 {
     uint8_t tg = (tt->granule_sz - 10) / 2;
     uint8_t inputsize = 64 - tt->tsz;
@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
         }
         level++;
     }
+    return entry;
+}
+
+/**
+ * smmu_iotlb_lookup - Look up for a TLB entry.
+ * @bs: SMMU state which includes the TLB instance
+ * @cfg: Configuration of the translation
+ * @tt: Translation table info (granule and tsz)
+ * @iova: IOVA address to lookup
+ *
+ * returns a valid entry on success, otherwise NULL.
+ * In case of nested translation, tt can be updated to include
+ * the granule of the found entry as it might different from
+ * the IOVA granule.
+ */
+SMMUTLBEntry *smmu_iotlb_lookup(SMMUState *bs, SMMUTransCfg *cfg,
+                                SMMUTransTableInfo *tt, hwaddr iova)
+{
+    SMMUTLBEntry *entry = NULL;
+
+    entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
+    /*
+     * For nested translation also try the s2 granule, as the TLB will insert
+     * it if the size of s2 tlb entry was smaller.
+     */
+    if (!entry && (cfg->stage == SMMU_NESTED) &&
+        (cfg->s2cfg.granule_sz != tt->granule_sz)) {
+        tt->granule_sz = cfg->s2cfg.granule_sz;
+        entry = smmu_iotlb_lookup_all_levels(bs, cfg, tt, iova);
+    }
 
     if (entry) {
         cfg->iotlb_hits++;
@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
 SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
                              IOMMUAccessFlags flag, SMMUPTWEventInfo *info)
 {
-    uint64_t page_mask, aligned_addr;
     SMMUTLBEntry *cached_entry = NULL;
     SMMUTransTableInfo *tt;
     int status;
 
     /*
-     * Combined attributes used for TLB lookup, as only one stage is supported,
-     * it will hold attributes based on the enabled stage.
+     * Combined attributes used for TLB lookup, holds the attributes for
+     * the input stage.
      */
     SMMUTransTableInfo tt_combined;
 
-    if (cfg->stage == SMMU_STAGE_1) {
+    if (cfg->stage == SMMU_STAGE_2) {
+        /* Stage2. */
+        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
+        tt_combined.tsz = cfg->s2cfg.tsz;
+    } else {
         /* Select stage1 translation table. */
         tt = select_tt(cfg, addr);
         if (!tt) {
@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
         }
         tt_combined.granule_sz = tt->granule_sz;
         tt_combined.tsz = tt->tsz;
-
-    } else {
-        /* Stage2. */
-        tt_combined.granule_sz = cfg->s2cfg.granule_sz;
-        tt_combined.tsz = cfg->s2cfg.tsz;
     }
 
-    /*
-     * TLB lookup looks for granule and input size for a translation stage,
-     * as only one stage is supported right now, choose the right values
-     * from the configuration.
-     */
-    page_mask = (1ULL << tt_combined.granule_sz) - 1;
-    aligned_addr = addr & ~page_mask;
-
-    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, aligned_addr);
+    cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr);
     if (cached_entry) {
         if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
             info->type = SMMU_PTW_ERR_PERMISSION;
@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
     }
 
     cached_entry = g_new0(SMMUTLBEntry, 1);
-    status = smmu_ptw(cfg, aligned_addr, flag, cached_entry, info);
+    status = smmu_ptw(cfg, addr, flag, cached_entry, info);
     if (status) {
             g_free(cached_entry);
             return NULL;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

This patch adds support for nested (combined) TLB entries.
The main function combine_tlb() is not used here but in the next
patches, but to simplify the patches it is introduced first.

Main changes:
1) New field added in the SMMUTLBEntry struct: parent_perm, for
   nested TLB, holds the stage-2 permission, this can be used to know
   the origin of a permission fault from a cached entry as caching
   the “and” of the permissions loses this information.

SMMUPTWEventInfo is used to hold information about PTW faults so
   the event can be populated, the value of stage used to be set
   based on the current stage for TLB permission faults, however
   with the parent_perm, it is now set based on which perm has
   the missing permission

When nesting is not enabled it has the same value as perm which
   doesn't change the logic.

2) As combined TLB implementation is used, the combination logic
   chooses:
   - tg and level from the entry which has the smallest addr_mask.
   - Based on that the iova that would be cached is recalculated.
   - Translated_addr is chosen from stage-2.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-11-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  1 +
 hw/arm/smmu-common.c         | 37 ++++++++++++++++++++++++++++++++----
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTLBEntry {
     IOMMUTLBEntry entry;
     uint8_t level;
     uint8_t granule;
+    IOMMUAccessFlags parent_perm;
 } SMMUTLBEntry;
 
 /* Stage-2 configuration. */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
         tlbe->entry.translated_addr = gpa;
         tlbe->entry.iova = iova & ~mask;
         tlbe->entry.addr_mask = mask;
-        tlbe->entry.perm = PTE_AP_TO_PERM(ap);
+        tlbe->parent_perm = PTE_AP_TO_PERM(ap);
+        tlbe->entry.perm = tlbe->parent_perm;
         tlbe->level = level;
         tlbe->granule = granule_sz;
         return 0;
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
         tlbe->entry.translated_addr = gpa;
         tlbe->entry.iova = ipa & ~mask;
         tlbe->entry.addr_mask = mask;
-        tlbe->entry.perm = s2ap;
+        tlbe->parent_perm = s2ap;
+        tlbe->entry.perm = tlbe->parent_perm;
         tlbe->level = level;
         tlbe->granule = granule_sz;
         return 0;
@@ -XXX,XX +XXX,XX @@ error:
     return -EINVAL;
 }
 
+/*
+ * combine S1 and S2 TLB entries into a single entry.
+ * As a result the S1 entry is overriden with combined data.
+ */
+static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
+                                                SMMUTLBEntry *tlbe_s2,
+                                                dma_addr_t iova,
+                                                SMMUTransCfg *cfg)
+{
+    if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) {
+        tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask;
+        tlbe->granule = tlbe_s2->granule;
+        tlbe->level = tlbe_s2->level;
+    }
+
+    tlbe->entry.translated_addr = CACHED_ENTRY_TO_ADDR(tlbe_s2,
+                                    tlbe->entry.translated_addr);
+
+    tlbe->entry.iova = iova & ~tlbe->entry.addr_mask;
+    /* parent_perm has s2 perm while perm keeps s1 perm. */
+    tlbe->parent_perm = tlbe_s2->entry.perm;
+    return;
+}
+
 /**
  * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
  *
@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
 
     cached_entry = smmu_iotlb_lookup(bs, cfg, &tt_combined, addr);
     if (cached_entry) {
-        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm & IOMMU_WO)) {
+        if ((flag & IOMMU_WO) && !(cached_entry->entry.perm &
+            cached_entry->parent_perm & IOMMU_WO)) {
             info->type = SMMU_PTW_ERR_PERMISSION;
-            info->stage = cfg->stage;
+            info->stage = !(cached_entry->entry.perm & IOMMU_WO) ?
+                          SMMU_STAGE_1 :
+                          SMMU_STAGE_2;
             return NULL;
         }
         return cached_entry;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

When nested translation is requested, do the following:
- Translate stage-1 table address IPA into PA through stage-2.
- Translate stage-1 table walk output (IPA) through stage-2.
- Create a single TLB entry from stage-1 and stage-2 translations
  using logic introduced before.

smmu_ptw() has a new argument SMMUState which include the TLB as
stage-1 table address can be cached in there.

Also in smmu_ptw(), a separate path used for nesting to simplify the
code, although some logic can be combined.

With nested translation class of translation fault can be different,
from the class of the translation, as faults from translating stage-1
tables are considered as CLASS_TT and not CLASS_IN, a new member
"is_ipa_descriptor" added to "SMMUPTWEventInfo" to differ faults
from walking stage 1 translation table and faults from translating
an IPA for a transaction.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-12-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  7 ++--
 hw/arm/smmu-common.c         | 74 +++++++++++++++++++++++++++++++-----
 hw/arm/smmuv3.c              | 14 +++++++
 3 files changed, 82 insertions(+), 13 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUPTWEventInfo {
     SMMUStage stage;
     SMMUPTWEventType type;
     dma_addr_t addr; /* fetched address that induced an abort, if any */
+    bool is_ipa_descriptor; /* src for fault in nested translation. */
 } SMMUPTWEventInfo;
 
 typedef struct SMMUTransTableInfo {
@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
  * smmu_ptw - Perform the page table walk for a given iova / access flags
  * pair, according to @cfg translation config
  */
-int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-             SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
-
+int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova,
+             IOMMUAccessFlags perm, SMMUTLBEntry *tlbe,
+             SMMUPTWEventInfo *info);
 
 /*
  * smmu_translate - Look for a translation in TLB, if not, do a PTW.
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
     return NULL;
 }
 
+/* Translate stage-1 table address using stage-2 page table. */
+static inline int translate_table_addr_ipa(SMMUState *bs,
+                                           dma_addr_t *table_addr,
+                                           SMMUTransCfg *cfg,
+                                           SMMUPTWEventInfo *info)
+{
+    dma_addr_t addr = *table_addr;
+    SMMUTLBEntry *cached_entry;
+    int asid;
+
+    /*
+     * The translation table walks performed from TTB0 or TTB1 are always
+     * performed in IPA space if stage 2 translations are enabled.
+     */
+    asid = cfg->asid;
+    cfg->stage = SMMU_STAGE_2;
+    cfg->asid = -1;
+    cached_entry = smmu_translate(bs, cfg, addr, IOMMU_RO, info);
+    cfg->asid = asid;
+    cfg->stage = SMMU_NESTED;
+
+    if (cached_entry) {
+        *table_addr = CACHED_ENTRY_TO_ADDR(cached_entry, addr);
+        return 0;
+    }
+
+    info->stage = SMMU_STAGE_2;
+    info->addr = addr;
+    info->is_ipa_descriptor = true;
+    return -EINVAL;
+}
+
 /**
  * smmu_ptw_64_s1 - VMSAv8-64 Walk of the page tables for a given IOVA
+ * @bs: smmu state which includes TLB instance
  * @cfg: translation config
  * @iova: iova to translate
  * @perm: access type
@@ -XXX,XX +XXX,XX @@ SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
  * Upon success, @tlbe is filled with translated_addr and entry
  * permission rights.
  */
-static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
+static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg,
                           dma_addr_t iova, IOMMUAccessFlags perm,
                           SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 {
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUTransCfg *cfg,
                 goto error;
             }
             baseaddr = get_table_pte_address(pte, granule_sz);
+            if (cfg->stage == SMMU_NESTED) {
+                if (translate_table_addr_ipa(bs, &baseaddr, cfg, info)) {
+                    goto error;
+                }
+            }
             level++;
             continue;
         } else if (is_page_pte(pte, level)) {
@@ -XXX,XX +XXX,XX @@ error:
  * combine S1 and S2 TLB entries into a single entry.
  * As a result the S1 entry is overriden with combined data.
  */
-static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
-                                                SMMUTLBEntry *tlbe_s2,
-                                                dma_addr_t iova,
-                                                SMMUTransCfg *cfg)
+static void combine_tlb(SMMUTLBEntry *tlbe, SMMUTLBEntry *tlbe_s2,
+                        dma_addr_t iova, SMMUTransCfg *cfg)
 {
     if (tlbe_s2->entry.addr_mask < tlbe->entry.addr_mask) {
         tlbe->entry.addr_mask = tlbe_s2->entry.addr_mask;
@@ -XXX,XX +XXX,XX @@ static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
 /**
  * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
  *
+ * @bs: smmu state which includes TLB instance
  * @cfg: translation configuration
  * @iova: iova to translate
  * @perm: tentative access type
@@ -XXX,XX +XXX,XX @@ static void __attribute__((unused)) combine_tlb(SMMUTLBEntry *tlbe,
  *
  * return 0 on success
  */
-int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
-             SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
+int smmu_ptw(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t iova,
+             IOMMUAccessFlags perm, SMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 {
+    int ret;
+    SMMUTLBEntry tlbe_s2;
+    dma_addr_t ipa;
+
     if (cfg->stage == SMMU_STAGE_1) {
-        return smmu_ptw_64_s1(cfg, iova, perm, tlbe, info);
+        return smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
     } else if (cfg->stage == SMMU_STAGE_2) {
         /*
          * If bypassing stage 1(or unimplemented), the input address is passed
@@ -XXX,XX +XXX,XX @@ int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
         return smmu_ptw_64_s2(cfg, iova, perm, tlbe, info);
     }
 
-    g_assert_not_reached();
+    /* SMMU_NESTED. */
+    ret = smmu_ptw_64_s1(bs, cfg, iova, perm, tlbe, info);
+    if (ret) {
+        return ret;
+    }
+
+    ipa = CACHED_ENTRY_TO_ADDR(tlbe, iova);
+    ret = smmu_ptw_64_s2(cfg, ipa, perm, &tlbe_s2, info);
+    if (ret) {
+        return ret;
+    }
+
+    combine_tlb(tlbe, &tlbe_s2, iova, cfg);
+    return 0;
 }
 
 SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
@@ -XXX,XX +XXX,XX @@ SMMUTLBEntry *smmu_translate(SMMUState *bs, SMMUTransCfg *cfg, dma_addr_t addr,
     }
 
     cached_entry = g_new0(SMMUTLBEntry, 1);
-    status = smmu_ptw(cfg, addr, flag, cached_entry, info);
+    status = smmu_ptw(bs, cfg, addr, flag, cached_entry, info);
     if (status) {
             g_free(cached_entry);
             return NULL;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
     if (!cached_entry) {
         /* All faults from PTW has S2 field. */
         event->u.f_walk_eabt.s2 = (ptw_info.stage == SMMU_STAGE_2);
+        /*
+         * Fault class is set as follows based on "class" input to
+         * the function and to "ptw_info" from "smmu_translate()"
+         * For stage-1:
+         *   - EABT => CLASS_TT (hardcoded)
+         *   - other events => CLASS_IN (input to function)
+         * For stage-2 => CLASS_IN (input to function)
+         * For nested, for all events:
+         *  - CD fetch => CLASS_CD (input to function)
+         *  - walking stage 1 translation table  => CLASS_TT (from
+         *    is_ipa_descriptor or input in case of TTBx)
+         *  - s2 translation => CLASS_IN (input to function)
+         */
+        class = ptw_info.is_ipa_descriptor ? SMMU_CLASS_TT : class;
         switch (ptw_info.type) {
         case SMMU_PTW_ERR_WALK_EABT:
             event->type = SMMU_EVT_F_WALK_EABT;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

With nesting, we would need to invalidate IPAs without
over-invalidating stage-1 IOVAs. This can be done by
distinguishing IPAs in the TLBs by having ASID=-1.
To achieve that, rework the invalidation for IPAs to have a
separate function, while for IOVA invalidation ASID=-1 means
invalidate for all ASIDs.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-13-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  3 ++-
 hw/arm/smmu-common.c         | 47 ++++++++++++++++++++++++++++++++++++
 hw/arm/smmuv3.c              | 23 ++++++++++++------
 hw/arm/trace-events          |  2 +-
 4 files changed, 66 insertions(+), 9 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_asid(SMMUState *s, int asid);
 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
-
+void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
+                        uint64_t num_pages, uint8_t ttl);
 /* Unmap the range of all the notifiers registered to any IOMMU mr */
 void smmu_inv_notifiers_all(SMMUState *s);
 
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value,
            ((entry->iova & ~info->mask) == info->iova);
 }
 
+static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value,
+                                             gpointer user_data)
+{
+    SMMUTLBEntry *iter = (SMMUTLBEntry *)value;
+    IOMMUTLBEntry *entry = &iter->entry;
+    SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
+    SMMUIOTLBKey iotlb_key = *(SMMUIOTLBKey *)key;
+
+    if (SMMU_IOTLB_ASID(iotlb_key) >= 0) {
+        /* This is a stage-1 address. */
+        return false;
+    }
+    if (info->vmid != SMMU_IOTLB_VMID(iotlb_key)) {
+        return false;
+    }
+    return ((info->iova & ~entry->addr_mask) == entry->iova) ||
+           ((entry->iova & ~info->mask) == info->iova);
+}
+
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl)
 {
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                                 &info);
 }
 
+/*
+ * Similar to smmu_iotlb_inv_iova(), but for Stage-2, ASID is always -1,
+ * in Stage-1 invalidation ASID = -1, means don't care.
+ */
+void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
+                        uint64_t num_pages, uint8_t ttl)
+{
+    uint8_t granule = tg ? tg * 2 + 10 : 12;
+    int asid = -1;
+
+   if (ttl && (num_pages == 1)) {
+        SMMUIOTLBKey key = smmu_get_iotlb_key(asid, vmid, ipa, tg, ttl);
+
+        if (g_hash_table_remove(s->iotlb, &key)) {
+            return;
+        }
+    }
+
+    SMMUIOTLBPageInvInfo info = {
+        .iova = ipa,
+        .vmid = vmid,
+        .mask = (num_pages << granule) - 1};
+
+    g_hash_table_foreach_remove(s->iotlb,
+                                smmu_hash_remove_by_vmid_ipa,
+                                &info);
+}
+
 void smmu_iotlb_inv_asid(SMMUState *s, int asid)
 {
     trace_smmu_iotlb_inv_asid(asid);
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
     }
 }
 
-static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
+static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
 {
     dma_addr_t end, addr = CMD_ADDR(cmd);
     uint8_t type = CMD_TYPE(cmd);
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
     }
 
     if (!tg) {
-        trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf);
+        trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf, stage);
         smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1);
-        smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
+        if (stage == SMMU_STAGE_1) {
+            smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
+        } else {
+            smmu_iotlb_inv_ipa(s, vmid, addr, tg, 1, ttl);
+        }
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd)
         uint64_t mask = dma_aligned_pow2_mask(addr, end, 64);
 
         num_pages = (mask + 1) >> granule;
-        trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages, ttl, leaf);
+        trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages,
+                                 ttl, leaf, stage);
         smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages);
-        smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
+        if (stage == SMMU_STAGE_1) {
+            smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
+        } else {
+            smmu_iotlb_inv_ipa(s, vmid, addr, tg, num_pages, ttl);
+        }
         addr += mask + 1;
     }
 }
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
                 cmd_error = SMMU_CERROR_ILL;
                 break;
             }
-            smmuv3_range_inval(bs, &cmd);
+            smmuv3_range_inval(bs, &cmd, SMMU_STAGE_1);
             break;
         case SMMU_CMD_TLBI_S12_VMALL:
         {
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
              * As currently only either s1 or s2 are supported
              * we can reuse same function for s2.
              */
-            smmuv3_range_inval(bs, &cmd);
+            smmuv3_range_inval(bs, &cmd, SMMU_STAGE_2);
             break;
         case SMMU_CMD_TLBI_EL3_ALL:
         case SMMU_CMD_TLBI_EL3_VA:
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_cfgi_ste_range(int start, int end) "start=0x%x - end=0x%x"
 smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
 smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
 smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
-smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d"
+smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf, int stage) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d stage=%d"
 smmuv3_cmdq_tlbi_nh(void) ""
 smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
 smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Soon, Instead of doing TLB invalidation by ASID only, VMID will be
also required.
Add smmu_iotlb_inv_asid_vmid() which invalidates by both ASID and VMID.

However, at the moment this function is only used in SMMU_CMD_TLBI_NH_ASID
which is a stage-1 command, so passing VMID = -1 keeps the original
behaviour.

Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-14-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  2 +-
 hw/arm/smmu-common.c         | 20 +++++++++++++-------
 hw/arm/smmuv3.c              |  2 +-
 hw/arm/trace-events          |  2 +-
 4 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_insert(SMMUState *bs, SMMUTransCfg *cfg, SMMUTLBEntry *entry);
 SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
                                 uint8_t tg, uint8_t level);
 void smmu_iotlb_inv_all(SMMUState *s);
-void smmu_iotlb_inv_asid(SMMUState *s, int asid);
+void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid);
 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_all(SMMUState *s)
     g_hash_table_remove_all(s->iotlb);
 }
 
-static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
-                                         gpointer user_data)
+static gboolean smmu_hash_remove_by_asid_vmid(gpointer key, gpointer value,
+                                              gpointer user_data)
 {
-    int asid = *(int *)user_data;
+    SMMUIOTLBPageInvInfo *info = (SMMUIOTLBPageInvInfo *)user_data;
     SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
 
-    return SMMU_IOTLB_ASID(*iotlb_key) == asid;
+    return (SMMU_IOTLB_ASID(*iotlb_key) == info->asid) &&
+           (SMMU_IOTLB_VMID(*iotlb_key) == info->vmid);
 }
 
 static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
                                 &info);
 }
 
-void smmu_iotlb_inv_asid(SMMUState *s, int asid)
+void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid)
 {
-    trace_smmu_iotlb_inv_asid(asid);
-    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid, &asid);
+    SMMUIOTLBPageInvInfo info = {
+        .asid = asid,
+        .vmid = vmid,
+    };
+
+    trace_smmu_iotlb_inv_asid_vmid(asid, vmid);
+    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid_vmid, &info);
 }
 
 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
 
             trace_smmuv3_cmdq_tlbi_nh_asid(asid);
             smmu_inv_notifiers_all(&s->smmu_state);
-            smmu_iotlb_inv_asid(bs, asid);
+            smmu_iotlb_inv_asid_vmid(bs, asid, -1);
             break;
         }
         case SMMU_CMD_TLBI_NH_ALL:
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint6
 smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
 smmu_iotlb_inv_all(void) "IOTLB invalidate all"
-smmu_iotlb_inv_asid(int asid) "IOTLB invalidate asid=%d"
+smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
 smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
 smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
 smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Some commands need rework for nesting, as they used to assume S1
and S2 are mutually exclusive:

- CMD_TLBI_NH_ASID: Consider VMID if stage-2 is supported
- CMD_TLBI_NH_ALL: Consider VMID if stage-2 is supported, otherwise
  invalidate everything, this required a new vmid invalidation
  function for stage-1 only (ASID >= 0)

Also, rework trace events to reflect the new implementation.

Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-15-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  1 +
 hw/arm/smmu-common.c         | 16 ++++++++++++++++
 hw/arm/smmuv3.c              | 28 ++++++++++++++++++++++++++--
 hw/arm/trace-events          |  4 +++-
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ SMMUIOTLBKey smmu_get_iotlb_key(int asid, int vmid, uint64_t iova,
 void smmu_iotlb_inv_all(SMMUState *s);
 void smmu_iotlb_inv_asid_vmid(SMMUState *s, int asid, int vmid);
 void smmu_iotlb_inv_vmid(SMMUState *s, int vmid);
+void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid);
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
 void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_vmid(gpointer key, gpointer value,
     return SMMU_IOTLB_VMID(*iotlb_key) == vmid;
 }
 
+static gboolean smmu_hash_remove_by_vmid_s1(gpointer key, gpointer value,
+                                            gpointer user_data)
+{
+    int vmid = *(int *)user_data;
+    SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
+
+    return (SMMU_IOTLB_VMID(*iotlb_key) == vmid) &&
+           (SMMU_IOTLB_ASID(*iotlb_key) >= 0);
+}
+
 static gboolean smmu_hash_remove_by_asid_vmid_iova(gpointer key, gpointer value,
                                               gpointer user_data)
 {
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_vmid(SMMUState *s, int vmid)
     g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid, &vmid);
 }
 
+inline void smmu_iotlb_inv_vmid_s1(SMMUState *s, int vmid)
+{
+    trace_smmu_iotlb_inv_vmid_s1(vmid);
+    g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_vmid_s1, &vmid);
+}
+
 /* VMSAv8-64 Translation */
 
 /**
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
         case SMMU_CMD_TLBI_NH_ASID:
         {
             int asid = CMD_ASID(&cmd);
+            int vmid = -1;
 
             if (!STAGE1_SUPPORTED(s)) {
                 cmd_error = SMMU_CERROR_ILL;
                 break;
             }
 
+            /*
+             * VMID is only matched when stage 2 is supported, otherwise set it
+             * to -1 as the value used for stage-1 only VMIDs.
+             */
+            if (STAGE2_SUPPORTED(s)) {
+                vmid = CMD_VMID(&cmd);
+            }
+
             trace_smmuv3_cmdq_tlbi_nh_asid(asid);
             smmu_inv_notifiers_all(&s->smmu_state);
-            smmu_iotlb_inv_asid_vmid(bs, asid, -1);
+            smmu_iotlb_inv_asid_vmid(bs, asid, vmid);
             break;
         }
         case SMMU_CMD_TLBI_NH_ALL:
+        {
+            int vmid = -1;
+
             if (!STAGE1_SUPPORTED(s)) {
                 cmd_error = SMMU_CERROR_ILL;
                 break;
             }
+
+            /*
+             * If stage-2 is supported, invalidate for this VMID only, otherwise
+             * invalidate the whole thing.
+             */
+            if (STAGE2_SUPPORTED(s)) {
+                vmid = CMD_VMID(&cmd);
+                trace_smmuv3_cmdq_tlbi_nh(vmid);
+                smmu_iotlb_inv_vmid_s1(bs, vmid);
+                break;
+            }
             QEMU_FALLTHROUGH;
+        }
         case SMMU_CMD_TLBI_NSNH_ALL:
-            trace_smmuv3_cmdq_tlbi_nh();
+            trace_smmuv3_cmdq_tlbi_nsnh();
             smmu_inv_notifiers_all(&s->smmu_state);
             smmu_iotlb_inv_all(bs);
             break;
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
 smmu_iotlb_inv_all(void) "IOTLB invalidate all"
 smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
 smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
+smmu_iotlb_inv_vmid_s1(int vmid) "IOTLB invalidate vmid=%d"
 smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
 smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
 smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_cfgi_cd(uint32_t sid) "sid=0x%x"
 smmuv3_config_cache_hit(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache HIT for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
 smmuv3_config_cache_miss(uint32_t sid, uint32_t hits, uint32_t misses, uint32_t perc) "Config cache MISS for sid=0x%x (hits=%d, misses=%d, hit rate=%d)"
 smmuv3_range_inval(int vmid, int asid, uint64_t addr, uint8_t tg, uint64_t num_pages, uint8_t ttl, bool leaf, int stage) "vmid=%d asid=%d addr=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" ttl=%d leaf=%d stage=%d"
-smmuv3_cmdq_tlbi_nh(void) ""
+smmuv3_cmdq_tlbi_nh(int vmid) "vmid=%d"
+smmuv3_cmdq_tlbi_nsnh(void) ""
 smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
 smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
 smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2
SMMU instances we consider the input address as the IOVA, but when
nesting is used, we can't mix stage-1 and stage-2 addresses, so for
nesting only stage-1 is considered the IOVA and would be notified.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-16-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c     | 39 +++++++++++++++++++++++++--------------
 hw/arm/trace-events |  2 +-
 2 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ epilogue:
  * @iova: iova
  * @tg: translation granule (if communicated through range invalidation)
  * @num_pages: number of @granule sized pages (if tg != 0), otherwise 1
+ * @stage: Which stage(1 or 2) is used
  */
 static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
                                IOMMUNotifier *n,
                                int asid, int vmid,
                                dma_addr_t iova, uint8_t tg,
-                               uint64_t num_pages)
+                               uint64_t num_pages, int stage)
 {
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+    SMMUEventInfo eventinfo = {.inval_ste_allowed = true};
+    SMMUTransCfg *cfg = smmuv3_get_config(sdev, &eventinfo);
     IOMMUTLBEvent event;
     uint8_t granule;
-    SMMUv3State *s = sdev->smmu;
+
+    if (!cfg) {
+        return;
+    }
+
+    /*
+     * stage is passed from TLB invalidation commands which can be either
+     * stage-1 or stage-2.
+     * However, IOMMUTLBEvent only understands IOVA, for stage-1 or stage-2
+     * SMMU instances we consider the input address as the IOVA, but when
+     * nesting is used, we can't mix stage-1 and stage-2 addresses, so for
+     * nesting only stage-1 is considered the IOVA and would be notified.
+     */
+    if ((stage == SMMU_STAGE_2) && (cfg->stage == SMMU_NESTED))
+        return;
 
     if (!tg) {
-        SMMUEventInfo eventinfo = {.inval_ste_allowed = true};
-        SMMUTransCfg *cfg = smmuv3_get_config(sdev, &eventinfo);
         SMMUTransTableInfo *tt;
 
-        if (!cfg) {
-            return;
-        }
-
         if (asid >= 0 && cfg->asid != asid) {
             return;
         }
@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
             return;
         }
 
-        if (STAGE1_SUPPORTED(s)) {
+        if (stage == SMMU_STAGE_1) {
             tt = select_tt(cfg, iova);
             if (!tt) {
                 return;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
 /* invalidate an asid/vmid/iova range tuple in all mr's */
 static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
                                       dma_addr_t iova, uint8_t tg,
-                                      uint64_t num_pages)
+                                      uint64_t num_pages, int stage)
 {
     SMMUDevice *sdev;
 
@@ -XXX,XX +XXX,XX @@ static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, int vmid,
         IOMMUNotifier *n;
 
         trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, vmid,
-                                        iova, tg, num_pages);
+                                        iova, tg, num_pages, stage);
 
         IOMMU_NOTIFIER_FOREACH(n, mr) {
-            smmuv3_notify_iova(mr, n, asid, vmid, iova, tg, num_pages);
+            smmuv3_notify_iova(mr, n, asid, vmid, iova, tg, num_pages, stage);
         }
     }
 }
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
 
     if (!tg) {
         trace_smmuv3_range_inval(vmid, asid, addr, tg, 1, ttl, leaf, stage);
-        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1);
+        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, 1, stage);
         if (stage == SMMU_STAGE_1) {
             smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, 1, ttl);
         } else {
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
         num_pages = (mask + 1) >> granule;
         trace_smmuv3_range_inval(vmid, asid, addr, tg, num_pages,
                                  ttl, leaf, stage);
-        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages);
+        smmuv3_inv_notifiers_iova(s, asid, vmid, addr, tg, num_pages, stage);
         if (stage == SMMU_STAGE_1) {
             smmu_iotlb_inv_iova(s, asid, vmid, addr, tg, num_pages, ttl);
         } else {
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
 smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
 smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
 smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
-smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64
+smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages, int stage) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" stage=%d"
 
 # strongarm.c
 strongarm_uart_update_parameters(const char *label, int speed, char parity, int data_bits, int stop_bits) "%s speed=%d parity=%c data=%d stop=%d"
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Previously, to check if faults are enabled, it was sufficient to check
the current stage of translation and check the corresponding
record_faults flag.

However, with nesting, it is possible for stage-1 (nested) translation
to trigger a stage-2 fault, so we check SMMUPTWEventInfo as it would
have the correct stage set from the page table walk.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-17-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 #include "smmuv3-internal.h"
 #include "smmu-internal.h"
 
-#define PTW_RECORD_FAULT(cfg)   (((cfg)->stage == SMMU_STAGE_1) ? \
-                                 (cfg)->record_faults : \
-                                 (cfg)->s2cfg.record_faults)
+#define PTW_RECORD_FAULT(ptw_info, cfg) (((ptw_info).stage == SMMU_STAGE_1 && \
+                                        (cfg)->record_faults) || \
+                                        ((ptw_info).stage == SMMU_STAGE_2 && \
+                                        (cfg)->s2cfg.record_faults))
 
 /**
  * smmuv3_trigger_irq - pulse @irq if enabled and update
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
             event->u.f_walk_eabt.addr2 = ptw_info.addr;
             break;
         case SMMU_PTW_ERR_TRANSLATION:
-            if (PTW_RECORD_FAULT(cfg)) {
+            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                 event->type = SMMU_EVT_F_TRANSLATION;
                 event->u.f_translation.addr2 = ptw_info.addr;
                 event->u.f_translation.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
             }
             break;
         case SMMU_PTW_ERR_ADDR_SIZE:
-            if (PTW_RECORD_FAULT(cfg)) {
+            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                 event->type = SMMU_EVT_F_ADDR_SIZE;
                 event->u.f_addr_size.addr2 = ptw_info.addr;
                 event->u.f_addr_size.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
             }
             break;
         case SMMU_PTW_ERR_ACCESS:
-            if (PTW_RECORD_FAULT(cfg)) {
+            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                 event->type = SMMU_EVT_F_ACCESS;
                 event->u.f_access.addr2 = ptw_info.addr;
                 event->u.f_access.class = class;
@@ -XXX,XX +XXX,XX @@ static SMMUTranslationStatus smmuv3_do_translate(SMMUv3State *s, hwaddr addr,
             }
             break;
         case SMMU_PTW_ERR_PERMISSION:
-            if (PTW_RECORD_FAULT(cfg)) {
+            if (PTW_RECORD_FAULT(ptw_info, cfg)) {
                 event->type = SMMU_EVT_F_PERMISSION;
                 event->u.f_permission.addr2 = ptw_info.addr;
                 event->u.f_permission.class = class;
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

Everything is in place, consolidate parsing of STE cfg and setting
translation stage.

Advertise nesting if stage requested is "nested".

Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-18-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     /* Based on sys property, the stages supported in smmu will be advertised.*/
     if (s->stage && !strcmp("2", s->stage)) {
         s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1);
+    } else if (s->stage && !strcmp("nested", s->stage)) {
+        s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1);
+        s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S2P, 1);
     } else {
         s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1);
     }
@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
 
 static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
 {
-    cfg->stage = SMMU_STAGE_2;
-
     if (STE_S2AA64(ste) == 0x0) {
         qemu_log_mask(LOG_UNIMP,
                       "SMMUv3 AArch32 tables not supported\n");
@@ -XXX,XX +XXX,XX @@ bad_ste:
     return -EINVAL;
 }
 
+static void decode_ste_config(SMMUTransCfg *cfg, uint32_t config)
+{
+
+    if (STE_CFG_ABORT(config)) {
+        cfg->aborted = true;
+        return;
+    }
+    if (STE_CFG_BYPASS(config)) {
+        cfg->bypassed = true;
+        return;
+    }
+
+    if (STE_CFG_S1_ENABLED(config)) {
+        cfg->stage = SMMU_STAGE_1;
+    }
+
+    if (STE_CFG_S2_ENABLED(config)) {
+        cfg->stage |= SMMU_STAGE_2;
+    }
+}
+
 /* Returns < 0 in case of invalid STE, 0 otherwise */
 static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
                       STE *ste, SMMUEventInfo *event)
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
 
     config = STE_CONFIG(ste);
 
-    if (STE_CFG_ABORT(config)) {
-        cfg->aborted = true;
-        return 0;
-    }
+    decode_ste_config(cfg, config);
 
-    if (STE_CFG_BYPASS(config)) {
-        cfg->bypassed = true;
+    if (cfg->aborted || cfg->bypassed) {
         return 0;
     }
 
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
 
     /* we support only those at the moment */
     cfg->aa64 = true;
-    cfg->stage = SMMU_STAGE_1;
 
     cfg->oas = oas2bits(CD_IPS(cd));
     cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
-- 
2.34.1

From: Mostafa Saleh <smostafa@google.com>

SMMUv3 OAS is currently hardcoded in the code to 44 bits, for nested
configurations that can be a problem, as stage-2 might be shared with
the CPU which might have different PARANGE, and according to SMMU manual
ARM IHI 0070F.b:
    6.3.6 SMMU_IDR5, OAS must match the system physical address size.

This patch doesn't change the SMMU OAS, but refactors the code to
make it easier to do that:
- Rely everywhere on IDR5 for reading OAS instead of using the
  SMMU_IDR5_OAS macro, so, it is easier just to change IDR5 and
  it propagages correctly.
- Add additional checks when OAS is greater than 48bits.
- Remove unused functions/macros: pa_range/MAX_PA.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240715084519.1189624-19-smostafa@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 13 -------------
 hw/arm/smmu-common.c     |  7 ++++---
 hw/arm/smmuv3.c          | 35 ++++++++++++++++++++++++++++-------
 3 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline int oas2bits(int oas_field)
     return -1;
 }
 
-static inline int pa_range(STE *ste)
-{
-    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
-
-    if (!STE_S2AA64(ste)) {
-        return 40;
-    }
-
-    return oas2bits(oas_field);
-}
-
-#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
-
 /* CD fields */
 
 #define CD_VALID(x)   extract32((x)->word[0], 31, 1)
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s1(SMMUState *bs, SMMUTransCfg *cfg,
     inputsize = 64 - tt->tsz;
     level = 4 - (inputsize - 4) / stride;
     indexmask = VMSA_IDXMSK(inputsize, stride, level);
-    baseaddr = extract64(tt->ttb, 0, 48);
+
+    baseaddr = extract64(tt->ttb, 0, cfg->oas);
     baseaddr &= ~indexmask;
 
     while (level < VMSA_LEVELS) {
@@ -XXX,XX +XXX,XX @@ static int smmu_ptw_64_s2(SMMUTransCfg *cfg,
      * Get the ttb from concatenated structure.
      * The offset is the idx * size of each ttb(number of ptes * (sizeof(pte))
      */
-    uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, 48) + (1 << stride) *
-                                  idx * sizeof(uint64_t);
+    uint64_t baseaddr = extract64(cfg->s2cfg.vttb, 0, cfg->s2cfg.eff_ps) +
+                                  (1 << stride) * idx * sizeof(uint64_t);
     dma_addr_t indexmask = VMSA_IDXMSK(inputsize, stride, level);
 
     baseaddr &= ~indexmask;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static bool s2t0sz_valid(SMMUTransCfg *cfg)
     }
 
     if (cfg->s2cfg.granule_sz == 16) {
-        return (cfg->s2cfg.tsz >= 64 - oas2bits(SMMU_IDR5_OAS));
+        return (cfg->s2cfg.tsz >= 64 - cfg->s2cfg.eff_ps);
     }
 
-    return (cfg->s2cfg.tsz >= MAX(64 - oas2bits(SMMU_IDR5_OAS), 16));
+    return (cfg->s2cfg.tsz >= MAX(64 - cfg->s2cfg.eff_ps, 16));
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static bool s2_pgtable_config_valid(uint8_t sl0, uint8_t t0sz, uint8_t gran)
     return nr_concat <= VMSA_MAX_S2_CONCAT;
 }
 
-static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
+static int decode_ste_s2_cfg(SMMUv3State *s, SMMUTransCfg *cfg,
+                             STE *ste)
 {
+    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
+
     if (STE_S2AA64(ste) == 0x0) {
         qemu_log_mask(LOG_UNIMP,
                       "SMMUv3 AArch32 tables not supported\n");
@@ -XXX,XX +XXX,XX @@ static int decode_ste_s2_cfg(SMMUTransCfg *cfg, STE *ste)
     }
 
     /* For AA64, The effective S2PS size is capped to the OAS. */
-    cfg->s2cfg.eff_ps = oas2bits(MIN(STE_S2PS(ste), SMMU_IDR5_OAS));
+    cfg->s2cfg.eff_ps = oas2bits(MIN(STE_S2PS(ste), oas));
+    /*
+     * For SMMUv3.1 and later, when OAS == IAS == 52, the stage 2 input
+     * range is further limited to 48 bits unless STE.S2TG indicates a
+     * 64KB granule.
+     */
+    if (cfg->s2cfg.granule_sz != 16) {
+        cfg->s2cfg.eff_ps = MIN(cfg->s2cfg.eff_ps, 48);
+    }
     /*
      * It is ILLEGAL for the address in S2TTB to be outside the range
      * described by the effective S2PS value.
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
                       STE *ste, SMMUEventInfo *event)
 {
     uint32_t config;
+    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
     int ret;
 
     if (!STE_VALID(ste)) {
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
          * Stage-1 OAS defaults to OAS even if not enabled as it would be used
          * in input address check for stage-2.
          */
-        cfg->oas = oas2bits(SMMU_IDR5_OAS);
-        ret = decode_ste_s2_cfg(cfg, ste);
+        cfg->oas = oas2bits(oas);
+        ret = decode_ste_s2_cfg(s, cfg, ste);
         if (ret) {
             goto bad_ste;
         }
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
     int i;
     SMMUTranslationStatus status;
     SMMUTLBEntry *entry;
+    uint8_t oas = FIELD_EX32(s->idr[5], IDR5, OAS);
 
     if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
         goto bad_cd;
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
     cfg->aa64 = true;
 
     cfg->oas = oas2bits(CD_IPS(cd));
-    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
+    cfg->oas = MIN(oas2bits(oas), cfg->oas);
     cfg->tbi = CD_TBI(cd);
     cfg->asid = CD_ASID(cd);
     cfg->affd = CD_AFFD(cd);
@@ -XXX,XX +XXX,XX @@ static int decode_cd(SMMUv3State *s, SMMUTransCfg *cfg,
             goto bad_cd;
         }
 
+        /*
+         * An address greater than 48 bits in size can only be output from a
+         * TTD when, in SMMUv3.1 and later, the effective IPS is 52 and a 64KB
+         * granule is in use for that translation table
+         */
+        if (tt->granule_sz != 16) {
+            cfg->oas = MIN(cfg->oas, 48);
+        }
         tt->tsz = tsz;
         tt->ttb = CD_TTB(cd, i);
 
-- 
2.34.1

From: Daniyal Khan <danikhan632@gmail.com>

We made a copy above because the fp exception flags
are not propagated back to the FPST register, but
then failed to use the copy.

Cc: qemu-stable@nongnu.org
Fixes: 558e956c719 ("target/arm: Implement FMOPA, FMOPS (non-widening)")
Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240717060149.204788-2-richard.henderson@linaro.org
[rth: Split from a larger patch]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/sme_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/sme_helper.c
+++ b/target/arm/tcg/sme_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
                         if (pb & 1) {
                             uint32_t *a = vza_row + H1_4(col);
                             uint32_t *m = vzm + H1_4(col);
-                            *a = float32_muladd(n, *m, *a, 0, vst);
+                            *a = float32_muladd(n, *m, *a, 0, &fpst);
                         }
                         col += 4;
                         pb >>= 4;
-- 
2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

This operation has float16 inputs and thus must use
the FZ16 control not the FZ control.

Cc: qemu-stable@nongnu.org
Fixes: 3916841ac75 ("target/arm: Implement FMOPA, FMOPS (widening)")
Reported-by: Daniyal Khan <danikhan632@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240717060149.204788-3-richard.henderson@linaro.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2374
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tcg/translate-sme.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-sme.c
+++ b/target/arm/tcg/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
 }
 
 static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+                            ARMFPStatusFlavour e_fpst,
                             gen_helper_gvec_5_ptr *fn)
 {
     int svl = streaming_vec_reg_size(s);
@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
     zm = vec_full_reg_ptr(s, a->zm);
     pn = pred_full_reg_ptr(s, a->pn);
     pm = pred_full_reg_ptr(s, a->pm);
-    fpst = fpstatus_ptr(FPST_FPCR);
+    fpst = fpstatus_ptr(e_fpst);
 
     fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
     return true;
 }
 
-TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
-TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
-TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a,
+           MO_32, FPST_FPCR_F16, gen_helper_sme_fmopa_h)
+TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a,
+           MO_32, FPST_FPCR, gen_helper_sme_fmopa_s)
+TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a,
+           MO_64, FPST_FPCR, gen_helper_sme_fmopa_d)
 
 /* TODO: FEAT_EBF16 */
 TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
-- 
2.34.1

From: Daniyal Khan <danikhan632@gmail.com>

Signed-off-by: Daniyal Khan <danikhan632@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20240717060149.204788-4-richard.henderson@linaro.org
Message-Id: 172090222034.13953.16888708708822922098-1@git.sr.ht
[rth: Split test from a larger patch, tidy assembly]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/tcg/aarch64/sme-fmopa-1.c   | 63 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/sme-fmopa-2.c   | 56 +++++++++++++++++++++++++++
 tests/tcg/aarch64/sme-fmopa-3.c   | 63 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  5 ++-
 4 files changed, 185 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/sme-fmopa-1.c
 create mode 100644 tests/tcg/aarch64/sme-fmopa-2.c
 create mode 100644 tests/tcg/aarch64/sme-fmopa-3.c

diff --git a/tests/tcg/aarch64/sme-fmopa-1.c b/tests/tcg/aarch64/sme-fmopa-1.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/sme-fmopa-1.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * SME outer product, 1 x 1.
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+
+static void foo(float *dst)
+{
+    asm(".arch_extension sme\n\t"
+        "smstart\n\t"
+        "ptrue p0.s, vl4\n\t"
+        "fmov z0.s, #1.0\n\t"
+        /*
+         * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.
+         * Note that we are using tile 1 here (za1.s) rather than tile 0.
+         */
+        "zero {za}\n\t"
+        "fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n\t"
+        /*
+         * Read the first 4x4 sub-matrix of elements from tile 1:
+         * Note that za1h should be interchangeable here.
+         */
+        "mov w12, #0\n\t"
+        "mova z0.s, p0/m, za1v.s[w12, #0]\n\t"
+        "mova z1.s, p0/m, za1v.s[w12, #1]\n\t"
+        "mova z2.s, p0/m, za1v.s[w12, #2]\n\t"
+        "mova z3.s, p0/m, za1v.s[w12, #3]\n\t"
+        /*
+         * And store them to the input pointer (dst in the C code):
+         */
+        "st1w {z0.s}, p0, [%0]\n\t"
+        "add x0, x0, #16\n\t"
+        "st1w {z1.s}, p0, [x0]\n\t"
+        "add x0, x0, #16\n\t"
+        "st1w {z2.s}, p0, [x0]\n\t"
+        "add x0, x0, #16\n\t"
+        "st1w {z3.s}, p0, [x0]\n\t"
+        "smstop"
+        : : "r"(dst)
+        : "x12", "d0", "d1", "d2", "d3", "memory");
+}
+
+int main()
+{
+    float dst[16] = { };
+
+    foo(dst);
+
+    for (int i = 0; i < 16; i++) {
+        if (dst[i] != 1.0f) {
+            goto failure;
+        }
+    }
+    /* success */
+    return 0;
+
+ failure:
+    for (int i = 0; i < 16; i++) {
+        printf("%f%c", dst[i], i % 4 == 3 ? '\n' : ' ');
+    }
+    return 1;
+}
diff --git a/tests/tcg/aarch64/sme-fmopa-2.c b/tests/tcg/aarch64/sme-fmopa-2.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/sme-fmopa-2.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * SME outer product, FZ vs FZ16
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include <stdint.h>
+#include <stdio.h>
+
+static void test_fmopa(uint32_t *result)
+{
+    asm(".arch_extension sme\n\t"
+        "smstart\n\t"               /* Z*, P* and ZArray cleared */
+        "ptrue p2.b, vl16\n\t"      /* Limit vector length to 16 */
+        "ptrue p5.b, vl16\n\t"
+        "movi d0, #0x00ff\n\t"      /* fp16 denormal */
+        "movi d16, #0x00ff\n\t"
+        "mov w15, #0x0001000000\n\t" /* FZ=1, FZ16=0 */
+        "msr fpcr, x15\n\t"
+        "fmopa za3.s, p2/m, p5/m, z16.h, z0.h\n\t"
+        "mov w15, #0\n\t"
+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
+        "mov w15, #2\n\t"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
+        "smstop"
+        : "+r"(result) :
+        : "x15", "x16", "p2", "p5", "d0", "d16", "memory");
+}
+
+int main(void)
+{
+    uint32_t result[4 * 4] = { };
+
+    test_fmopa(result);
+
+    if (result[0] != 0x2f7e0100) {
+        printf("Test failed: Incorrect output in first 4 bytes\n"
+               "Expected: %08x\n"
+               "Got:      %08x\n",
+               0x2f7e0100, result[0]);
+        return 1;
+    }
+
+    for (int i = 1; i < 16; ++i) {
+        if (result[i] != 0) {
+            printf("Test failed: Non-zero word at position %d\n", i);
+            return 1;
+        }
+    }
+
+    return 0;
+}
diff --git a/tests/tcg/aarch64/sme-fmopa-3.c b/tests/tcg/aarch64/sme-fmopa-3.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/sme-fmopa-3.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * SME outer product, [ 1 2 3 4 ] squared
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <math.h>
+
+static const float i_1234[4] = {
+    1.0f, 2.0f, 3.0f, 4.0f
+};
+
+static const float expected[4] = {
+    4.515625f, 5.750000f, 6.984375f, 8.218750f
+};
+
+static void test_fmopa(float *result)
+{
+    asm(".arch_extension sme\n\t"
+        "smstart\n\t"               /* ZArray cleared */
+        "ptrue p2.b, vl16\n\t"      /* Limit vector length to 16 */
+        "ld1w {z0.s}, p2/z, [%1]\n\t"
+        "mov w15, #0\n\t"
+        "mov za3h.s[w15, 0], p2/m, z0.s\n\t"
+        "mov za3h.s[w15, 1], p2/m, z0.s\n\t"
+        "mov w15, #2\n\t"
+        "mov za3h.s[w15, 0], p2/m, z0.s\n\t"
+        "mov za3h.s[w15, 1], p2/m, z0.s\n\t"
+        "msr fpcr, xzr\n\t"
+        "fmopa za3.s, p2/m, p2/m, z0.h, z0.h\n\t"
+        "mov w15, #0\n\t"
+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
+        "mov w15, #2\n\t"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 0]}, p2, [%0]\n\t"
+        "add %0, %0, #16\n\t"
+        "st1w {za3h.s[w15, 1]}, p2, [%0]\n\t"
+        "smstop"
+        : "+r"(result) : "r"(i_1234)
+        : "x15", "x16", "p2", "d0", "memory");
+}
+
+int main(void)
+{
+    float result[4 * 4] = { };
+    int ret = 0;
+
+    test_fmopa(result);
+
+    for (int i = 0; i < 4; i++) {
+        float actual = result[i];
+        if (fabsf(actual - expected[i]) > 0.001f) {
+            printf("Test failed at element %d: Expected %f, got %f\n",
+                   i, expected[i], actual);
+            ret = 1;
+        }
+    }
+    return ret;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ endif
 
 # SME Tests
 ifneq ($(CROSS_AS_HAS_ARMV9_SME),)
-AARCH64_TESTS += sme-outprod1 sme-smopa-1 sme-smopa-2
-sme-outprod1 sme-smopa-1 sme-smopa-2: CFLAGS += $(CROSS_AS_HAS_ARMV9_SME)
+SME_TESTS = sme-outprod1 sme-smopa-1 sme-smopa-2 sme-fmopa-1 sme-fmopa-2 sme-fmopa-3
+AARCH64_TESTS += $(SME_TESTS)
+$(SME_TESTS): CFLAGS += $(CROSS_AS_HAS_ARMV9_SME)
 endif
 
 # System Registers Tests
-- 
2.34.1

From: Akihiko Odaki <akihiko.odaki@daynix.com>

Asahi Linux supports KVM but lacks PMU support.

Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240716-pmu-v3-1-8c7c1858a227@daynix.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/arm-cpu-features.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/tests/qtest/arm-cpu-features.c b/tests/qtest/arm-cpu-features.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/arm-cpu-features.c
+++ b/tests/qtest/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
     assert_set_feature(qts, "host", "kvm-no-adjvtime", false);
 
     if (g_str_equal(qtest_get_arch(), "aarch64")) {
+        bool kvm_supports_pmu;
         bool kvm_supports_steal_time;
         bool kvm_supports_sve;
         char max_name[8], name[8];
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
 
         assert_has_feature_enabled(qts, "host", "aarch64");
 
-        /* Enabling and disabling pmu should always work. */
-        assert_has_feature_enabled(qts, "host", "pmu");
-        assert_set_feature(qts, "host", "pmu", false);
-        assert_set_feature(qts, "host", "pmu", true);
-
         /*
          * Some features would be enabled by default, but they're disabled
          * because this instance of KVM doesn't support them. Test that the
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
         assert_has_feature(qts, "host", "sve");
 
         resp = do_query_no_props(qts, "host");
+        kvm_supports_pmu = resp_get_feature(resp, "pmu");
         kvm_supports_steal_time = resp_get_feature(resp, "kvm-steal-time");
         kvm_supports_sve = resp_get_feature(resp, "sve");
         vls = resp_get_sve_vls(resp);
         qobject_unref(resp);
 
+        if (kvm_supports_pmu) {
+            /* If we have pmu then we should be able to toggle it. */
+            assert_set_feature(qts, "host", "pmu", false);
+            assert_set_feature(qts, "host", "pmu", true);
+        }
+
         if (kvm_supports_steal_time) {
             /* If we have steal-time then we should be able to toggle it. */
             assert_set_feature(qts, "host", "kvm-steal-time", false);
-- 
2.34.1

From: Akihiko Odaki <akihiko.odaki@daynix.com>

hvf did not advance PC when raising an exception for most unhandled
system registers, but it mistakenly advanced PC when raising an
exception for GICv3 registers.

Cc: qemu-stable@nongnu.org
Fixes: a2260983c655 ("hvf: arm: Add support for GICv3")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-id: 20240716-pmu-v3-4-8c7c1858a227@daynix.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/hvf/hvf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
         /* Call the TCG sysreg handler. This is only safe for GICv3 regs. */
         if (!hvf_sysreg_read_cp(cpu, reg, &val)) {
             hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+            return 1;
         }
         break;
     case SYSREG_DBGBVR0_EL1:
-- 
2.34.1

The following changes since commit 3214bec13d8d4c40f707d21d8350d04e4123ae97:

Merge tag 'migration-20250110-pull-request' of https://gitlab.com/farosas/qemu into staging (2025-01-10 13:39:19 -0500)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250113

for you to fetch changes up to 435d260e7ec5ff9c79e3e62f1d66ec82d2d691ae:

docs/system/arm/virt: mention specific migration information (2025-01-13 12:35:35 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm_sysctl: fix extracting 31th bit of val
 * hw/misc: cast rpm to uint64_t
 * tests/qtest/boot-serial-test: Improve ASM
 * target/arm: Move minor arithmetic helpers out of helper.c
 * target/arm: change default pauth algorithm to impdef

----------------------------------------------------------------
Anastasia Belova (1):
      hw/arm_sysctl: fix extracting 31th bit of val

Peter Maydell (2):
      target/arm: Move minor arithmetic helpers out of helper.c
      tests/tcg/aarch64: force qarma5 for pauth-3 test

Philippe Mathieu-Daudé (4):
      tests/qtest/boot-serial-test: Improve ASM comments of PL011 tests
      tests/qtest/boot-serial-test: Reduce for() loop in PL011 tests
      tests/qtest/boot-serial-test: Reorder pair of instructions in PL011 test
      tests/qtest/boot-serial-test: Initialize PL011 Control register

Pierrick Bouvier (3):
      target/arm: add new property to select pauth-qarma5
      target/arm: change default pauth algorithm to impdef
      docs/system/arm/virt: mention specific migration information

Tigran Sogomonian (1):
      hw/misc: cast rpm to uint64_t

docs/system/arm/cpu-features.rst                |   7 +-
 docs/system/arm/virt.rst                        |   4 +
 docs/system/introduction.rst                    |   2 +-
 target/arm/cpu.h                                |   4 +
 hw/core/machine.c                               |   4 +-
 hw/misc/arm_sysctl.c                            |   2 +-
 hw/misc/npcm7xx_mft.c                           |   5 +-
 target/arm/arm-qmp-cmds.c                       |   2 +-
 target/arm/cpu.c                                |   2 +
 target/arm/cpu64.c                              |  38 ++-
 target/arm/helper.c                             | 285 -----------------------
 target/arm/tcg/arith_helper.c                   | 296 ++++++++++++++++++++++++
 tests/qtest/arm-cpu-features.c                  |  15 +-
 tests/qtest/boot-serial-test.c                  |  23 +-
 target/arm/{op_addsub.h => tcg/op_addsub.c.inc} |   0
 target/arm/tcg/meson.build                      |   1 +
 tests/tcg/aarch64/Makefile.softmmu-target       |   3 +
 17 files changed, 377 insertions(+), 316 deletions(-)
 create mode 100644 target/arm/tcg/arith_helper.c
 rename target/arm/{op_addsub.h => tcg/op_addsub.c.inc} (100%)

From: Anastasia Belova <abelova@astralinux.ru>

1 << 31 is casted to uint64_t while bitwise and with val.
So this value may become 0xffffffff80000000 but only
31th "start" bit is required.

This is not possible in practice because the MemoryRegionOps
uses the default max access size of 4 bytes and so none
of the upper bytes of val will be set, but the bitfield
extract API is clearer anyway.

Use the bitfield extract() API instead.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Message-id: 20241220125429.7552-1-abelova@astralinux.ru
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: add clarification to commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/arm_sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/misc/arm_sysctl.c b/hw/misc/arm_sysctl.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/arm_sysctl.c
+++ b/hw/misc/arm_sysctl.c
@@ -XXX,XX +XXX,XX @@ static void arm_sysctl_write(void *opaque, hwaddr offset,
          * as zero.
          */
         s->sys_cfgctrl = val & ~((3 << 18) | (1 << 31));
-        if (val & (1 << 31)) {
+        if (extract64(val, 31, 1)) {
             /* Start bit set -- actually do something */
             unsigned int dcc = extract32(s->sys_cfgctrl, 26, 4);
             unsigned int function = extract32(s->sys_cfgctrl, 20, 6);
-- 
2.34.1

From: Tigran Sogomonian <tsogomonian@astralinux.ru>

The value of an arithmetic expression
'rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION' is a subject
to overflow because its operands are not cast to
a larger data type before performing arithmetic. Thus, need
to cast rpm to uint64_t.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Tigran Sogomonian <tsogomonian@astralinux.ru>
Reviewed-by: Patrick Leis <venture@google.com>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Message-id: 20241226130311.1349-1-tsogomonian@astralinux.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/npcm7xx_mft.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/misc/npcm7xx_mft.c b/hw/misc/npcm7xx_mft.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/npcm7xx_mft.c
+++ b/hw/misc/npcm7xx_mft.c
@@ -XXX,XX +XXX,XX @@ static NPCM7xxMFTCaptureState npcm7xx_mft_compute_cnt(
          * RPM = revolution/min. The time for one revlution (in ns) is
          * MINUTE_TO_NANOSECOND / RPM.
          */
-        count = clock_ns_to_ticks(clock, (60 * NANOSECONDS_PER_SECOND) /
-            (rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION));
+        count = clock_ns_to_ticks(clock,
+            (uint64_t)(60 * NANOSECONDS_PER_SECOND) /
+            ((uint64_t)rpm * NPCM7XX_MFT_PULSE_PER_REVOLUTION));
     }
 
     if (count > NPCM7XX_MFT_MAX_CNT) {
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Re-indent ASM comments adding the 'loop:' label.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/boot-serial-test.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/boot-serial-test.c
+++ b/tests/qtest/boot-serial-test.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
 };
 
 static const uint8_t bios_raspi2[] = {
-    0x08, 0x30, 0x9f, 0xe5,                 /* ldr   r3,[pc,#8]    Get base */
-    0x54, 0x20, 0xa0, 0xe3,                 /* mov     r2,#'T' */
-    0x00, 0x20, 0xc3, 0xe5,                 /* strb    r2,[r3] */
-    0xfb, 0xff, 0xff, 0xea,                 /* b       loop */
-    0x00, 0x10, 0x20, 0x3f,                 /* 0x3f201000 = UART0 base addr */
+    0x08, 0x30, 0x9f, 0xe5,                 /* loop:  ldr     r3, [pc, #8]   Get &UART0 */
+    0x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
+    0x00, 0x20, 0xc3, 0xe5,                 /*        strb    r2, [r3]       *TXDAT = 'T' */
+    0xfb, 0xff, 0xff, 0xea,                 /*        b       -12            (loop) */
+    0x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
 };
 
 static const uint8_t kernel_aarch64[] = {
-    0x81, 0x0a, 0x80, 0x52,                 /* mov     w1, #0x54 */
-    0x02, 0x20, 0xa1, 0xd2,                 /* mov     x2, #0x9000000 */
-    0x41, 0x00, 0x00, 0x39,                 /* strb    w1, [x2] */
-    0xfd, 0xff, 0xff, 0x17,                 /* b       -12 (loop) */
+    0x81, 0x0a, 0x80, 0x52,                 /* loop:  mov    w1, #'T' */
+    0x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
+    0x41, 0x00, 0x00, 0x39,                 /*        strb   w1, [x2]        *TXDAT = 'T' */
+    0xfd, 0xff, 0xff, 0x17,                 /*        b      -12             (loop) */
 };
 
 static const uint8_t kernel_nrf51[] = {
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Since registers are not modified, we don't need
to refill their values. Directly jump to the previous
store instruction to keep filling the TXDAT register.

The equivalent C code remains:

while (true) {
      *UART_DATA = 'T';
  }

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/boot-serial-test.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/boot-serial-test.c
+++ b/tests/qtest/boot-serial-test.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
 };
 
 static const uint8_t bios_raspi2[] = {
-    0x08, 0x30, 0x9f, 0xe5,                 /* loop:  ldr     r3, [pc, #8]   Get &UART0 */
+    0x08, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #8]   Get &UART0 */
     0x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
-    0x00, 0x20, 0xc3, 0xe5,                 /*        strb    r2, [r3]       *TXDAT = 'T' */
-    0xfb, 0xff, 0xff, 0xea,                 /*        b       -12            (loop) */
+    0x00, 0x20, 0xc3, 0xe5,                 /* loop:  strb    r2, [r3]       *TXDAT = 'T' */
+    0xff, 0xff, 0xff, 0xea,                 /*        b       -4             (loop) */
     0x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
 };
 
 static const uint8_t kernel_aarch64[] = {
-    0x81, 0x0a, 0x80, 0x52,                 /* loop:  mov    w1, #'T' */
+    0x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
     0x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
-    0x41, 0x00, 0x00, 0x39,                 /*        strb   w1, [x2]        *TXDAT = 'T' */
-    0xfd, 0xff, 0xff, 0x17,                 /*        b      -12             (loop) */
+    0x41, 0x00, 0x00, 0x39,                 /* loop:  strb   w1, [x2]        *TXDAT = 'T' */
+    0xff, 0xff, 0xff, 0x17,                 /*        b      -4              (loop) */
 };
 
 static const uint8_t kernel_nrf51[] = {
-- 
2.34.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

In the next commit we are going to use a different value
for the $w1 register, maintaining the same $x2 value. In
order to keep the next commit trivial to review, set $x2
before $w1.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/boot-serial-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From: Philippe Mathieu-Daudé <philmd@linaro.org>

The tests using the PL011 UART of the virt and raspi machines
weren't properly enabling the UART and its transmitter previous
to sending characters. Follow the PL011 manual initialization
recommendation by setting the proper bits of the control register.

Update the ASM code prefixing:

*UART_CTRL = UART_ENABLE | TX_ENABLE;

to:

while (true) {
      *UART_DATA = 'T';
  }

Note, since commit 51b61dd4d56 ("hw/char/pl011: Warn when using
disabled transmitter") incomplete PL011 initialization can be
logged using the '-d guest_errors' command line option.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/boot-serial-test.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/boot-serial-test.c b/tests/qtest/boot-serial-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/boot-serial-test.c
+++ b/tests/qtest/boot-serial-test.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_plml605[] = {
 };
 
 static const uint8_t bios_raspi2[] = {
-    0x08, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #8]   Get &UART0 */
+    0x10, 0x30, 0x9f, 0xe5,                 /*        ldr     r3, [pc, #16]  Get &UART0 */
+    0x10, 0x20, 0x9f, 0xe5,                 /*        ldr     r2, [pc, #16]  Get &CR */
+    0xb0, 0x23, 0xc3, 0xe1,                 /*        strh    r2, [r3, #48]  Set CR */
     0x54, 0x20, 0xa0, 0xe3,                 /*        mov     r2, #'T' */
     0x00, 0x20, 0xc3, 0xe5,                 /* loop:  strb    r2, [r3]       *TXDAT = 'T' */
     0xff, 0xff, 0xff, 0xea,                 /*        b       -4             (loop) */
     0x00, 0x10, 0x20, 0x3f,                 /* UART0: 0x3f201000 */
+    0x01, 0x01, 0x00, 0x00,                 /* CR:    0x101 = UARTEN|TXE */
 };
 
 static const uint8_t kernel_aarch64[] = {
     0x02, 0x20, 0xa1, 0xd2,                 /*        mov    x2, #0x9000000  Load UART0 */
+    0x21, 0x20, 0x80, 0x52,                 /*        mov    w1, 0x101       CR = UARTEN|TXE */
+    0x41, 0x60, 0x00, 0x79,                 /*        strh   w1, [x2, #48]   Set CR */
     0x81, 0x0a, 0x80, 0x52,                 /*        mov    w1, #'T' */
     0x41, 0x00, 0x00, 0x39,                 /* loop:  strb   w1, [x2]        *TXDAT = 'T' */
     0xff, 0xff, 0xff, 0x17,                 /*        b      -4              (loop) */
-- 
2.34.1

helper.c includes some small TCG helper functions used for mostly
arithmetic instructions.  These are TCG only and there's no need for
them to be in the large and unwieldy helper.c.  Move them out to
their own source file in the tcg/ subdirectory, together with the
op_addsub.h multiply-included template header that they use.

Since we are moving op_addsub.h, we take the opportunity to
give it a name which matches our convention for files which
are not true header files but which are #included from other
C files: op_addsub.c.inc.

(Ironically, this means that helper.c no longer contains
any TCG helper function definitions at all.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250110131211.2546314-1-peter.maydell@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
---
 target/arm/helper.c                           | 285 -----------------
 target/arm/tcg/arith_helper.c                 | 296 ++++++++++++++++++
 .../arm/{op_addsub.h => tcg/op_addsub.c.inc}  |   0
 target/arm/tcg/meson.build                    |   1 +
 4 files changed, 297 insertions(+), 285 deletions(-)
 create mode 100644 target/arm/tcg/arith_helper.c
 rename target/arm/{op_addsub.h => tcg/op_addsub.c.inc} (100%)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/main-loop.h"
 #include "qemu/timer.h"
 #include "qemu/bitops.h"
-#include "qemu/crc32c.h"
 #include "qemu/qemu-print.h"
 #include "exec/exec-all.h"
 #include "exec/translation-block.h"
-#include <zlib.h> /* for crc32 */
 #include "hw/irq.h"
 #include "system/cpu-timers.h"
 #include "system/kvm.h"
@@ -XXX,XX +XXX,XX @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
     };
 }
 
-/*
- * Note that signed overflow is undefined in C.  The following routines are
- * careful to use unsigned types where modulo arithmetic is required.
- * Failure to do so _will_ break on newer gcc.
- */
-
-/* Signed saturating arithmetic.  */
-
-/* Perform 16-bit signed saturating addition.  */
-static inline uint16_t add16_sat(uint16_t a, uint16_t b)
-{
-    uint16_t res;
-
-    res = a + b;
-    if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
-        if (a & 0x8000) {
-            res = 0x8000;
-        } else {
-            res = 0x7fff;
-        }
-    }
-    return res;
-}
-
-/* Perform 8-bit signed saturating addition.  */
-static inline uint8_t add8_sat(uint8_t a, uint8_t b)
-{
-    uint8_t res;
-
-    res = a + b;
-    if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
-        if (a & 0x80) {
-            res = 0x80;
-        } else {
-            res = 0x7f;
-        }
-    }
-    return res;
-}
-
-/* Perform 16-bit signed saturating subtraction.  */
-static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
-{
-    uint16_t res;
-
-    res = a - b;
-    if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
-        if (a & 0x8000) {
-            res = 0x8000;
-        } else {
-            res = 0x7fff;
-        }
-    }
-    return res;
-}
-
-/* Perform 8-bit signed saturating subtraction.  */
-static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
-{
-    uint8_t res;
-
-    res = a - b;
-    if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
-        if (a & 0x80) {
-            res = 0x80;
-        } else {
-            res = 0x7f;
-        }
-    }
-    return res;
-}
-
-#define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
-#define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
-#define ADD8(a, b, n)  RESULT(add8_sat(a, b), n, 8);
-#define SUB8(a, b, n)  RESULT(sub8_sat(a, b), n, 8);
-#define PFX q
-
-#include "op_addsub.h"
-
-/* Unsigned saturating arithmetic.  */
-static inline uint16_t add16_usat(uint16_t a, uint16_t b)
-{
-    uint16_t res;
-    res = a + b;
-    if (res < a) {
-        res = 0xffff;
-    }
-    return res;
-}
-
-static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
-{
-    if (a > b) {
-        return a - b;
-    } else {
-        return 0;
-    }
-}
-
-static inline uint8_t add8_usat(uint8_t a, uint8_t b)
-{
-    uint8_t res;
-    res = a + b;
-    if (res < a) {
-        res = 0xff;
-    }
-    return res;
-}
-
-static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
-{
-    if (a > b) {
-        return a - b;
-    } else {
-        return 0;
-    }
-}
-
-#define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
-#define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
-#define ADD8(a, b, n)  RESULT(add8_usat(a, b), n, 8);
-#define SUB8(a, b, n)  RESULT(sub8_usat(a, b), n, 8);
-#define PFX uq
-
-#include "op_addsub.h"
-
-/* Signed modulo arithmetic.  */
-#define SARITH16(a, b, n, op) do { \
-    int32_t sum; \
-    sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
-    RESULT(sum, n, 16); \
-    if (sum >= 0) \
-        ge |= 3 << (n * 2); \
-    } while (0)
-
-#define SARITH8(a, b, n, op) do { \
-    int32_t sum; \
-    sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
-    RESULT(sum, n, 8); \
-    if (sum >= 0) \
-        ge |= 1 << n; \
-    } while (0)
-
-
-#define ADD16(a, b, n) SARITH16(a, b, n, +)
-#define SUB16(a, b, n) SARITH16(a, b, n, -)
-#define ADD8(a, b, n)  SARITH8(a, b, n, +)
-#define SUB8(a, b, n)  SARITH8(a, b, n, -)
-#define PFX s
-#define ARITH_GE
-
-#include "op_addsub.h"
-
-/* Unsigned modulo arithmetic.  */
-#define ADD16(a, b, n) do { \
-    uint32_t sum; \
-    sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
-    RESULT(sum, n, 16); \
-    if ((sum >> 16) == 1) \
-        ge |= 3 << (n * 2); \
-    } while (0)
-
-#define ADD8(a, b, n) do { \
-    uint32_t sum; \
-    sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
-    RESULT(sum, n, 8); \
-    if ((sum >> 8) == 1) \
-        ge |= 1 << n; \
-    } while (0)
-
-#define SUB16(a, b, n) do { \
-    uint32_t sum; \
-    sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
-    RESULT(sum, n, 16); \
-    if ((sum >> 16) == 0) \
-        ge |= 3 << (n * 2); \
-    } while (0)
-
-#define SUB8(a, b, n) do { \
-    uint32_t sum; \
-    sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
-    RESULT(sum, n, 8); \
-    if ((sum >> 8) == 0) \
-        ge |= 1 << n; \
-    } while (0)
-
-#define PFX u
-#define ARITH_GE
-
-#include "op_addsub.h"
-
-/* Halved signed arithmetic.  */
-#define ADD16(a, b, n) \
-  RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
-#define SUB16(a, b, n) \
-  RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
-#define ADD8(a, b, n) \
-  RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
-#define SUB8(a, b, n) \
-  RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
-#define PFX sh
-
-#include "op_addsub.h"
-
-/* Halved unsigned arithmetic.  */
-#define ADD16(a, b, n) \
-  RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
-#define SUB16(a, b, n) \
-  RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
-#define ADD8(a, b, n) \
-  RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
-#define SUB8(a, b, n) \
-  RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
-#define PFX uh
-
-#include "op_addsub.h"
-
-static inline uint8_t do_usad(uint8_t a, uint8_t b)
-{
-    if (a > b) {
-        return a - b;
-    } else {
-        return b - a;
-    }
-}
-
-/* Unsigned sum of absolute byte differences.  */
-uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
-{
-    uint32_t sum;
-    sum = do_usad(a, b);
-    sum += do_usad(a >> 8, b >> 8);
-    sum += do_usad(a >> 16, b >> 16);
-    sum += do_usad(a >> 24, b >> 24);
-    return sum;
-}
-
-/* For ARMv6 SEL instruction.  */
-uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
-{
-    uint32_t mask;
-
-    mask = 0;
-    if (flags & 1) {
-        mask |= 0xff;
-    }
-    if (flags & 2) {
-        mask |= 0xff00;
-    }
-    if (flags & 4) {
-        mask |= 0xff0000;
-    }
-    if (flags & 8) {
-        mask |= 0xff000000;
-    }
-    return (a & mask) | (b & ~mask);
-}
-
-/*
- * CRC helpers.
- * The upper bytes of val (above the number specified by 'bytes') must have
- * been zeroed out by the caller.
- */
-uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
-{
-    uint8_t buf[4];
-
-    stl_le_p(buf, val);
-
-    /* zlib crc32 converts the accumulator and output to one's complement.  */
-    return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
-}
-
-uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
-{
-    uint8_t buf[4];
-
-    stl_le_p(buf, val);
-
-    /* Linux crc32c converts the output to one's complement.  */
-    return crc32c(acc, buf, bytes) ^ 0xffffffff;
-}
 
 /*
  * Return the exception level to which FP-disabled exceptions should
diff --git a/target/arm/tcg/arith_helper.c b/target/arm/tcg/arith_helper.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/tcg/arith_helper.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM generic helpers for various arithmetical operations.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "exec/helper-proto.h"
+#include "qemu/crc32c.h"
+#include <zlib.h> /* for crc32 */
+
+/*
+ * Note that signed overflow is undefined in C.  The following routines are
+ * careful to use unsigned types where modulo arithmetic is required.
+ * Failure to do so _will_ break on newer gcc.
+ */
+
+/* Signed saturating arithmetic.  */
+
+/* Perform 16-bit signed saturating addition.  */
+static inline uint16_t add16_sat(uint16_t a, uint16_t b)
+{
+    uint16_t res;
+
+    res = a + b;
+    if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
+        if (a & 0x8000) {
+            res = 0x8000;
+        } else {
+            res = 0x7fff;
+        }
+    }
+    return res;
+}
+
+/* Perform 8-bit signed saturating addition.  */
+static inline uint8_t add8_sat(uint8_t a, uint8_t b)
+{
+    uint8_t res;
+
+    res = a + b;
+    if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
+        if (a & 0x80) {
+            res = 0x80;
+        } else {
+            res = 0x7f;
+        }
+    }
+    return res;
+}
+
+/* Perform 16-bit signed saturating subtraction.  */
+static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
+{
+    uint16_t res;
+
+    res = a - b;
+    if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
+        if (a & 0x8000) {
+            res = 0x8000;
+        } else {
+            res = 0x7fff;
+        }
+    }
+    return res;
+}
+
+/* Perform 8-bit signed saturating subtraction.  */
+static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
+{
+    uint8_t res;
+
+    res = a - b;
+    if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
+        if (a & 0x80) {
+            res = 0x80;
+        } else {
+            res = 0x7f;
+        }
+    }
+    return res;
+}
+
+#define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
+#define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
+#define ADD8(a, b, n)  RESULT(add8_sat(a, b), n, 8);
+#define SUB8(a, b, n)  RESULT(sub8_sat(a, b), n, 8);
+#define PFX q
+
+#include "op_addsub.c.inc"
+
+/* Unsigned saturating arithmetic.  */
+static inline uint16_t add16_usat(uint16_t a, uint16_t b)
+{
+    uint16_t res;
+    res = a + b;
+    if (res < a) {
+        res = 0xffff;
+    }
+    return res;
+}
+
+static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
+{
+    if (a > b) {
+        return a - b;
+    } else {
+        return 0;
+    }
+}
+
+static inline uint8_t add8_usat(uint8_t a, uint8_t b)
+{
+    uint8_t res;
+    res = a + b;
+    if (res < a) {
+        res = 0xff;
+    }
+    return res;
+}
+
+static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
+{
+    if (a > b) {
+        return a - b;
+    } else {
+        return 0;
+    }
+}
+
+#define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
+#define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
+#define ADD8(a, b, n)  RESULT(add8_usat(a, b), n, 8);
+#define SUB8(a, b, n)  RESULT(sub8_usat(a, b), n, 8);
+#define PFX uq
+
+#include "op_addsub.c.inc"
+
+/* Signed modulo arithmetic.  */
+#define SARITH16(a, b, n, op) do { \
+    int32_t sum; \
+    sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
+    RESULT(sum, n, 16); \
+    if (sum >= 0) \
+        ge |= 3 << (n * 2); \
+    } while (0)
+
+#define SARITH8(a, b, n, op) do { \
+    int32_t sum; \
+    sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
+    RESULT(sum, n, 8); \
+    if (sum >= 0) \
+        ge |= 1 << n; \
+    } while (0)
+
+
+#define ADD16(a, b, n) SARITH16(a, b, n, +)
+#define SUB16(a, b, n) SARITH16(a, b, n, -)
+#define ADD8(a, b, n)  SARITH8(a, b, n, +)
+#define SUB8(a, b, n)  SARITH8(a, b, n, -)
+#define PFX s
+#define ARITH_GE
+
+#include "op_addsub.c.inc"
+
+/* Unsigned modulo arithmetic.  */
+#define ADD16(a, b, n) do { \
+    uint32_t sum; \
+    sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
+    RESULT(sum, n, 16); \
+    if ((sum >> 16) == 1) \
+        ge |= 3 << (n * 2); \
+    } while (0)
+
+#define ADD8(a, b, n) do { \
+    uint32_t sum; \
+    sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
+    RESULT(sum, n, 8); \
+    if ((sum >> 8) == 1) \
+        ge |= 1 << n; \
+    } while (0)
+
+#define SUB16(a, b, n) do { \
+    uint32_t sum; \
+    sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
+    RESULT(sum, n, 16); \
+    if ((sum >> 16) == 0) \
+        ge |= 3 << (n * 2); \
+    } while (0)
+
+#define SUB8(a, b, n) do { \
+    uint32_t sum; \
+    sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
+    RESULT(sum, n, 8); \
+    if ((sum >> 8) == 0) \
+        ge |= 1 << n; \
+    } while (0)
+
+#define PFX u
+#define ARITH_GE
+
+#include "op_addsub.c.inc"
+
+/* Halved signed arithmetic.  */
+#define ADD16(a, b, n) \
+  RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
+#define SUB16(a, b, n) \
+  RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
+#define ADD8(a, b, n) \
+  RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
+#define SUB8(a, b, n) \
+  RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
+#define PFX sh
+
+#include "op_addsub.c.inc"
+
+/* Halved unsigned arithmetic.  */
+#define ADD16(a, b, n) \
+  RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
+#define SUB16(a, b, n) \
+  RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
+#define ADD8(a, b, n) \
+  RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
+#define SUB8(a, b, n) \
+  RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
+#define PFX uh
+
+#include "op_addsub.c.inc"
+
+static inline uint8_t do_usad(uint8_t a, uint8_t b)
+{
+    if (a > b) {
+        return a - b;
+    } else {
+        return b - a;
+    }
+}
+
+/* Unsigned sum of absolute byte differences.  */
+uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
+{
+    uint32_t sum;
+    sum = do_usad(a, b);
+    sum += do_usad(a >> 8, b >> 8);
+    sum += do_usad(a >> 16, b >> 16);
+    sum += do_usad(a >> 24, b >> 24);
+    return sum;
+}
+
+/* For ARMv6 SEL instruction.  */
+uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
+{
+    uint32_t mask;
+
+    mask = 0;
+    if (flags & 1) {
+        mask |= 0xff;
+    }
+    if (flags & 2) {
+        mask |= 0xff00;
+    }
+    if (flags & 4) {
+        mask |= 0xff0000;
+    }
+    if (flags & 8) {
+        mask |= 0xff000000;
+    }
+    return (a & mask) | (b & ~mask);
+}
+
+/*
+ * CRC helpers.
+ * The upper bytes of val (above the number specified by 'bytes') must have
+ * been zeroed out by the caller.
+ */
+uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
+{
+    uint8_t buf[4];
+
+    stl_le_p(buf, val);
+
+    /* zlib crc32 converts the accumulator and output to one's complement.  */
+    return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
+}
+
+uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
+{
+    uint8_t buf[4];
+
+    stl_le_p(buf, val);
+
+    /* Linux crc32c converts the output to one's complement.  */
+    return crc32c(acc, buf, bytes) ^ 0xffffffff;
+}
diff --git a/target/arm/op_addsub.h b/target/arm/tcg/op_addsub.c.inc
similarity index 100%
rename from target/arm/op_addsub.h
rename to target/arm/tcg/op_addsub.c.inc
diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/meson.build
+++ b/target/arm/tcg/meson.build
@@ -XXX,XX +XXX,XX @@ arm_ss.add(files(
   'tlb_helper.c',
   'vec_helper.c',
   'tlb-insns.c',
+  'arith_helper.c',
 ))
 
 arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
-- 
2.34.1

From: Pierrick Bouvier <pierrick.bouvier@linaro.org>

Before changing default pauth algorithm, we need to make sure current
default one (QARMA5) can still be selected.

$ qemu-system-aarch64 -cpu max,pauth-qarma5=on ...

Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20241219183211.3493974-2-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/cpu-features.rst |  5 ++++-
 target/arm/cpu.h                 |  1 +
 target/arm/arm-qmp-cmds.c        |  2 +-
 target/arm/cpu64.c               | 20 ++++++++++++++------
 tests/qtest/arm-cpu-features.c   | 15 +++++++++++----
 5 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/cpu-features.rst
+++ b/docs/system/arm/cpu-features.rst
@@ -XXX,XX +XXX,XX @@ Below is the list of TCG VCPU features and their descriptions.
 ``pauth-qarma3``
   When ``pauth`` is enabled, select the architected QARMA3 algorithm.
 
-Without either ``pauth-impdef`` or ``pauth-qarma3`` enabled,
+``pauth-qarma5``
+  When ``pauth`` is enabled, select the architected QARMA5 algorithm.
+
+Without ``pauth-impdef``, ``pauth-qarma3`` or ``pauth-qarma5`` enabled,
 the architected QARMA5 algorithm is used.  The architected QARMA5
 and QARMA3 algorithms have good cryptographic properties, but can
 be quite slow to emulate.  The impdef algorithm used by QEMU is
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
     bool prop_pauth;
     bool prop_pauth_impdef;
     bool prop_pauth_qarma3;
+    bool prop_pauth_qarma5;
     bool prop_lpa2;
 
     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
diff --git a/target/arm/arm-qmp-cmds.c b/target/arm/arm-qmp-cmds.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arm-qmp-cmds.c
+++ b/target/arm/arm-qmp-cmds.c
@@ -XXX,XX +XXX,XX @@ static const char *cpu_model_advertised_features[] = {
     "sve640", "sve768", "sve896", "sve1024", "sve1152", "sve1280",
     "sve1408", "sve1536", "sve1664", "sve1792", "sve1920", "sve2048",
     "kvm-no-adjvtime", "kvm-steal-time",
-    "pauth", "pauth-impdef", "pauth-qarma3",
+    "pauth", "pauth-impdef", "pauth-qarma3", "pauth-qarma5",
     NULL
 };
 
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp)
         }
 
         if (cpu->prop_pauth) {
-            if (cpu->prop_pauth_impdef && cpu->prop_pauth_qarma3) {
+            if ((cpu->prop_pauth_impdef && cpu->prop_pauth_qarma3) ||
+                (cpu->prop_pauth_impdef && cpu->prop_pauth_qarma5) ||
+                (cpu->prop_pauth_qarma3 && cpu->prop_pauth_qarma5)) {
                 error_setg(errp,
-                           "cannot enable both pauth-impdef and pauth-qarma3");
+                           "cannot enable pauth-impdef, pauth-qarma3 and "
+                           "pauth-qarma5 at the same time");
                 return;
             }
 
@@ -XXX,XX +XXX,XX @@ void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp)
             } else if (cpu->prop_pauth_qarma3) {
                 isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, APA3, features);
                 isar2 = FIELD_DP64(isar2, ID_AA64ISAR2, GPA3, 1);
-            } else {
+            } else { /* default is pauth-qarma5 */
                 isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, APA, features);
                 isar1 = FIELD_DP64(isar1, ID_AA64ISAR1, GPA, 1);
             }
-        } else if (cpu->prop_pauth_impdef || cpu->prop_pauth_qarma3) {
-            error_setg(errp, "cannot enable pauth-impdef or "
-                       "pauth-qarma3 without pauth");
+        } else if (cpu->prop_pauth_impdef ||
+                   cpu->prop_pauth_qarma3 ||
+                   cpu->prop_pauth_qarma5) {
+            error_setg(errp, "cannot enable pauth-impdef, pauth-qarma3 or "
+                       "pauth-qarma5 without pauth");
             error_append_hint(errp, "Add pauth=on to the CPU property list.\n");
         }
     }
@@ -XXX,XX +XXX,XX @@ static const Property arm_cpu_pauth_impdef_property =
     DEFINE_PROP_BOOL("pauth-impdef", ARMCPU, prop_pauth_impdef, false);
 static const Property arm_cpu_pauth_qarma3_property =
     DEFINE_PROP_BOOL("pauth-qarma3", ARMCPU, prop_pauth_qarma3, false);
+static Property arm_cpu_pauth_qarma5_property =
+    DEFINE_PROP_BOOL("pauth-qarma5", ARMCPU, prop_pauth_qarma5, false);
 
 void aarch64_add_pauth_properties(Object *obj)
 {
@@ -XXX,XX +XXX,XX @@ void aarch64_add_pauth_properties(Object *obj)
     } else {
         qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_impdef_property);
         qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_qarma3_property);
+        qdev_property_add_static(DEVICE(obj), &arm_cpu_pauth_qarma5_property);
     }
 }
 
diff --git a/tests/qtest/arm-cpu-features.c b/tests/qtest/arm-cpu-features.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/arm-cpu-features.c
+++ b/tests/qtest/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void pauth_tests_default(QTestState *qts, const char *cpu_type)
     assert_has_feature_enabled(qts, cpu_type, "pauth");
     assert_has_feature_disabled(qts, cpu_type, "pauth-impdef");
     assert_has_feature_disabled(qts, cpu_type, "pauth-qarma3");
+    assert_has_feature_disabled(qts, cpu_type, "pauth-qarma5");
     assert_set_feature(qts, cpu_type, "pauth", false);
     assert_set_feature(qts, cpu_type, "pauth", true);
     assert_set_feature(qts, cpu_type, "pauth-impdef", true);
     assert_set_feature(qts, cpu_type, "pauth-impdef", false);
     assert_set_feature(qts, cpu_type, "pauth-qarma3", true);
     assert_set_feature(qts, cpu_type, "pauth-qarma3", false);
+    assert_set_feature(qts, cpu_type, "pauth-qarma5", true);
+    assert_set_feature(qts, cpu_type, "pauth-qarma5", false);
     assert_error(qts, cpu_type,
-                 "cannot enable pauth-impdef or pauth-qarma3 without pauth",
+                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
                  "{ 'pauth': false, 'pauth-impdef': true }");
     assert_error(qts, cpu_type,
-                 "cannot enable pauth-impdef or pauth-qarma3 without pauth",
+                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
                  "{ 'pauth': false, 'pauth-qarma3': true }");
     assert_error(qts, cpu_type,
-                 "cannot enable both pauth-impdef and pauth-qarma3",
-                 "{ 'pauth': true, 'pauth-impdef': true, 'pauth-qarma3': true }");
+                 "cannot enable pauth-impdef, pauth-qarma3 or pauth-qarma5 without pauth",
+                 "{ 'pauth': false, 'pauth-qarma5': true }");
+    assert_error(qts, cpu_type,
+                 "cannot enable pauth-impdef, pauth-qarma3 and pauth-qarma5 at the same time",
+                 "{ 'pauth': true, 'pauth-impdef': true, 'pauth-qarma3': true,"
+                 "  'pauth-qarma5': true }");
 }
 
 static void test_query_cpu_model_expansion(const void *data)
-- 
2.34.1

The pauth-3 test explicitly tests that a computation of the
pointer-authentication produces the expected result.  This means that
it must be run with the QARMA5 algorithm.

Explicitly set the pauth algorithm when running this test, so that it
doesn't break when we change the default algorithm the 'max' CPU
uses.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/tcg/aarch64/Makefile.softmmu-target | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/tcg/aarch64/Makefile.softmmu-target b/tests/tcg/aarch64/Makefile.softmmu-target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.softmmu-target
+++ b/tests/tcg/aarch64/Makefile.softmmu-target
@@ -XXX,XX +XXX,XX @@ EXTRA_RUNS+=run-memory-replay
 
 ifneq ($(CROSS_CC_HAS_ARMV8_3),)
 pauth-3: CFLAGS += $(CROSS_CC_HAS_ARMV8_3)
+# This test explicitly checks the output of the pauth operation so we
+# must force the use of the QARMA5 algorithm for it.
+run-pauth-3: QEMU_BASE_MACHINE=-M virt -cpu max,pauth-qarma5=on -display none
 else
 pauth-3:
 	$(call skip-test, "BUILD of $@", "missing compiler support")
-- 
2.34.1

From: Pierrick Bouvier <pierrick.bouvier@linaro.org>

Pointer authentication on aarch64 is pretty expensive (up to 50% of
execution time) when running a virtual machine with tcg and -cpu max
(which enables pauth=on).

The advice is always: use pauth-impdef=on.
Our documentation even mentions it "by default" in
docs/system/introduction.rst.

Thus, we change the default to use impdef by default. This does not
affect kvm or hvf acceleration, since pauth algorithm used is the one
from host cpu.

This change is retro compatible, in terms of cli, with previous
versions, as the semantic of using -cpu max,pauth-impdef=on, and -cpu
max,pauth-qarma3=on is preserved.
The new option introduced in previous patch and matching old default is
-cpu max,pauth-qarma5=on.
It is retro compatible with migration as well, by defining a backcompat
property, that will use qarma5 by default for virt machine <= 9.2.
Tested by saving and restoring a vm from qemu 9.2.0 into qemu-master
(10.0) for cpus neoverse-n2 and max.

Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20241219183211.3493974-3-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/cpu-features.rst |  2 +-
 docs/system/introduction.rst     |  2 +-
 target/arm/cpu.h                 |  3 +++
 hw/core/machine.c                |  4 +++-
 target/arm/cpu.c                 |  2 ++
 target/arm/cpu64.c               | 22 ++++++++++++++++------
 6 files changed, 26 insertions(+), 9 deletions(-)