Re: [RFC PATCH v8 09/21] vhost: Add svq copy desc mode

2022-06-09 Thread Jason Wang
On Thu, Jun 9, 2022 at 3:03 AM Eugenio Perez Martin  wrote:
>
> On Wed, Jun 8, 2022 at 6:14 AM Jason Wang  wrote:
> >
> >
> > On 2022/5/20 03:12, Eugenio Pérez wrote:
> > > Enable SVQ to not to forward the descriptor translating its address to
> > > qemu's IOVA but copying to a region outside of the guest.
> > >
> > > Virtio-net control VQ will use this mode, so we don't need to send all
> > > the guest's memory every time there is a change, but only on messages.
> > > Reversely, CVQ will only have access to control messages.  This lead to
> > > less messing with memory listeners.
> > >
> > > We could also try to send only the required translation by message, but
> > > this presents a problem when many control messages occupy the same
> > > guest's memory region.
> > >
> > > Lastly, this allows us to inject messages from QEMU to the device in a
> > > simple manner.  CVQ should be used rarely and with small messages, so all
> > > the drawbacks should be assumible.
> > >
> > > Signed-off-by: Eugenio Pérez 
> > > ---
> > >   hw/virtio/vhost-shadow-virtqueue.h |  10 ++
> > >   include/hw/virtio/vhost-vdpa.h |   1 +
> > >   hw/virtio/vhost-shadow-virtqueue.c | 174 +++--
> > >   hw/virtio/vhost-vdpa.c |   1 +
> > >   net/vhost-vdpa.c   |   1 +
> > >   5 files changed, 175 insertions(+), 12 deletions(-)
> > >
> > > diff --git a/hw/virtio/vhost-shadow-virtqueue.h 
> > > b/hw/virtio/vhost-shadow-virtqueue.h
> > > index e06ac52158..79cb2d301f 100644
> > > --- a/hw/virtio/vhost-shadow-virtqueue.h
> > > +++ b/hw/virtio/vhost-shadow-virtqueue.h
> > > @@ -17,6 +17,12 @@
> > >
> > >   typedef struct SVQElement {
> > >   VirtQueueElement elem;
> > > +
> > > +/* SVQ IOVA address of in buffer and out buffer if cloned */
> > > +hwaddr in_iova, out_iova;
> >
> >
> > It might worth to mention that we'd expect a single buffer here.
> >
>
> I'll do it. There is another comment like that in another place, I'll
> copy it here.
>
> >
> > > +
> > > +/* Length of in buffer */
> > > +size_t in_len;
> > >   } SVQElement;
> > >
> > >   typedef void (*VirtQueueElementCallback)(VirtIODevice *vdev,
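
Review bot: the comment on `in_iova, out_iova` in `SVQElement` says "if cloned", but the struct has no field that records whether the element was cloned, and only the in buffer gets a length (`in_len`). Document what the two addresses hold when the descriptor was not copied, and either add the out length or say where it is taken from when the buffer is unmapped.
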
> > > @@ -102,6 +108,9 @@ typedef struct VhostShadowVirtqueue {
> > >
> > >   /* Next head to consume from the device */
> > >   uint16_t last_used_idx;
> > > +
> > > +/* Copy each descriptor to QEMU iova */
> > > +bool copy_descs;
> > >   } VhostShadowVirtqueue;
> > >
> > >   bool vhost_svq_valid_features(uint64_t features, Error **errp);
> > > @@ -119,6 +128,7 @@ void vhost_svq_stop(VhostShadowVirtqueue *svq);
> > >
> > >   VhostShadowVirtqueue *vhost_svq_new(VhostIOVATree *iova_map,
> > >   const VhostShadowVirtqueueOps *ops,
> > > +bool copy_descs,
> > >   const VhostShadowVirtqueueMapOps 
> > > *map_ops,
> > >   void *map_ops_opaque);
> > >
> > > diff --git a/include/hw/virtio/vhost-vdpa.h 
> > > b/include/hw/virtio/vhost-vdpa.h
> > > index f1ba46a860..dc2884eea4 100644
> > > --- a/include/hw/virtio/vhost-vdpa.h
> > > +++ b/include/hw/virtio/vhost-vdpa.h
> > > @@ -33,6 +33,7 @@ typedef struct vhost_vdpa {
> > >   struct vhost_vdpa_iova_range iova_range;
> > >   uint64_t acked_features;
> > >   bool shadow_vqs_enabled;
> > > +bool svq_copy_descs;
> > >   /* IOVA mapping used by the Shadow Virtqueue */
> > >   VhostIOVATree *iova_tree;
> > >   GPtrArray *shadow_vqs;
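
Review bot: `svq_copy_descs` is added to `struct vhost_vdpa` without a comment, unlike `iova_tree` right below it, and it repeats the setting that `copy_descs` already carries in `VhostShadowVirtqueue`. Add a one-line comment saying which queues it applies to and which of the two fields is authoritative.
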
> > > diff --git a/hw/virtio/vhost-shadow-virtqueue.c 
> > > b/hw/virtio/vhost-shadow-virtqueue.c
> > > index 044005ba89..5a8feb1cbc 100644
> > > --- a/hw/virtio/vhost-shadow-virtqueue.c
> > > +++ b/hw/virtio/vhost-shadow-virtqueue.c
> > > @@ -16,6 +16,7 @@
> > >   #include "qemu/log.h"
> > >   #include "qemu/memalign.h"
> > >   #include "linux-headers/linux/vhost.h"
> > > +#include "qemu/iov.h"
> > >
> > >   /**
> > >* Validate the transport device features that both guests can use with 
> > > the SVQ
> > > @@ -70,6 +71,30 @@ static uint16_t vhost_svq_available_slots(const 
> > > VhostShadowVirtqueue *svq)
> > >   return svq->vring.num - (svq->shadow_avail_idx - 
> > > svq->shadow_used_idx);
> > >   }
> > >
> > > +static void vhost_svq_alloc_buffer(void **base, size_t *len,
> > > +   const struct iovec *iov, size_t num,
> > > +   bool write)
> > > +{
> > > +*len = iov_size(iov, num);
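
Review bot: `vhost_svq_alloc_buffer()` returns `void` and stores `iov_size(iov, num)` in `*len` unchecked, so it cannot refuse a request or report a failed allocation to its caller. Return `bool` or `int`, compare the size with a maximum before allocating, and let the caller drop the element when the check fails.
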
> >
> >
> > Since this behavior is trigger able by the guest, we need an upper limit
> > here.
> >
>
> Good point. What could be a good limit?
>

We probably need to inspect the class/command of the header in this case.

Actually, it's not an vDPA specific issue, we probably need a limit
even for Qemu backend.

The only annoying command is the VIRTIO_NET_CTRL_MAC_TABLE_SET which
accepts an variable macs array.

> As you propose later, maybe I can redesign SVQ so it eithe
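
One way to apply the limit discussed above: read the class/command header first and cap the copy length per command, with VIRTIO_NET_CTRL_MAC_TABLE_SET as the only variable-length case. This is an added example, not code from the patch or from QEMU; the function names and the three `CVQ_*` limits are assumptions, while the class/command numbers and the two-table layout follow the virtio-net specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Class/command numbers from the virtio-net specification. */
#define VIRTIO_NET_CTRL_MAC            1
#define VIRTIO_NET_CTRL_MAC_TABLE_SET  0
#define ETH_ALEN                       6

/* Assumed limits for this example; they are not QEMU constants. */
#define CVQ_HDR_LEN          2u   /* class byte + command byte */
#define CVQ_MAX_MAC_ENTRIES  64u  /* hypothetical cap per MAC table */
#define CVQ_FIXED_CMD_MAX    64u  /* hypothetical payload cap, other commands */

/* Sum the iovec lengths, failing instead of wrapping around. */
static bool iov_total(const struct iovec *iov, size_t num, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < num; i++) {
        if (iov[i].iov_len > SIZE_MAX - sum) {
            return false;
        }
        sum += iov[i].iov_len;
    }
    *total = sum;
    return true;
}

/* Gather the first len bytes; the header may straddle iovec entries. */
static void iov_prefix(const struct iovec *iov, size_t num,
                       uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < num && len > 0; i++) {
        size_t n = iov[i].iov_len < len ? iov[i].iov_len : len;
        if (n > 0) {
            memcpy(dst, iov[i].iov_base, n);
        }
        dst += n;
        len -= n;
    }
}

/* Largest out buffer, header included, accepted for a class/command pair. */
static size_t cvq_out_limit(uint8_t cls, uint8_t cmd)
{
    if (cls == VIRTIO_NET_CTRL_MAC && cmd == VIRTIO_NET_CTRL_MAC_TABLE_SET) {
        /* Unicast table + multicast table: le32 count, then count MACs. */
        return CVQ_HDR_LEN +
               2 * (sizeof(uint32_t) + CVQ_MAX_MAC_ENTRIES * ETH_ALEN);
    }
    return CVQ_HDR_LEN + CVQ_FIXED_CMD_MAX;
}

/* Accept or refuse the out buffers before anything is allocated or copied. */
bool cvq_out_len_ok(const struct iovec *iov, size_t num, size_t *len)
{
    uint8_t hdr[CVQ_HDR_LEN];
    size_t total;
    if (!iov_total(iov, num, &total) || total < CVQ_HDR_LEN) {
        return false;
    }
    iov_prefix(iov, num, hdr, sizeof(hdr));
    if (total > cvq_out_limit(hdr[0], hdr[1])) {
        return false;
    }
    *len = total;   /* number of bytes the caller may now allocate */
    return true;
}

/* Constructed sample: header split over two entries, then a zeroed payload. */
bool cvq_sample_ok(uint8_t cls, uint8_t cmd, size_t payload_len)
{
    static uint8_t payload[4096];
    size_t len = 0;
    struct iovec iov[3] = {
        { .iov_base = &cls, .iov_len = 1 },
        { .iov_base = &cmd, .iov_len = 1 },
        { .iov_base = payload, .iov_len = payload_len },
    };
    return payload_len <= sizeof(payload) && cvq_out_len_ok(iov, 3, &len);
}

/* Constructed sample: lengths whose sum wraps size_t must be refused. */
bool cvq_wrap_rejected(void)
{
    uint8_t hdr[2] = { VIRTIO_NET_CTRL_MAC, VIRTIO_NET_CTRL_MAC_TABLE_SET };
    size_t len = 0;
    struct iovec iov[2] = {
        { .iov_base = hdr, .iov_len = SIZE_MAX },
        { .iov_base = hdr, .iov_len = sizeof(hdr) },
    };
    return !cvq_out_len_ok(iov, 2, &len);
}

int main(void)
{
    return cvq_sample_ok(VIRTIO_NET_CTRL_MAC, 0, 776) && cvq_wrap_rejected() ? 0 : 1;
}
```

With the assumed cap of 64 entries per table, the largest accepted MAC_TABLE_SET request is 778 bytes: 2 header bytes plus two tables of 4 + 64 * 6 bytes.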

Re: [RFC PATCH v8 14/21] vhost: Make possible to check for device exclusive vq group

2022-06-09 Thread Jason Wang
On Thu, Jun 9, 2022 at 3:22 AM Eugenio Perez Martin  wrote:
>
> On Wed, Jun 8, 2022 at 6:25 AM Jason Wang  wrote:
> >
> >
> > On 2022/5/20 03:12, Eugenio Pérez wrote:
> > > CVQ needs to be in its own group, not shared with any data vq. Enable
> > > the checking of it here, before introducing address space id concepts.
> > >
> > > Signed-off-by: Eugenio Pérez 
> > > ---
> > >   include/hw/virtio/vhost.h |  2 +
> > >   hw/net/vhost_net.c|  4 +-
> > >   hw/virtio/vhost-vdpa.c| 79 ++-
> > >   hw/virtio/trace-events|  1 +
> > >   4 files changed, 84 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
> > > index b291fe4e24..cebec1d817 100644
> > > --- a/include/hw/virtio/vhost.h
> > > +++ b/include/hw/virtio/vhost.h
> > > @@ -84,6 +84,8 @@ struct vhost_dev {
> > >   int vq_index_end;
> > >   /* if non-zero, minimum required value for max_queues */
> > >   int num_queues;
> > > +/* Must be a vq group different than any other vhost dev */
> > > +bool independent_vq_group;
> >
> >
> > We probably need a better abstraction here.
> >
> > E.g having a parent vhost_dev_group structure.
> >
>
> I think there is room for improvement too, but to make this work we
> don't need the device model to know all the other devices at this
> moment. I'm open to implementing it if we decide that solution is more
> maintainable or whatever other reason though.

I see, so let's keep it as is and do the enhancement in the future.

>
> >
> > >   uint64_t features;
> > >   uint64_t acked_features;
> > >   uint64_t backend_features;
> > > diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
> > > index ccac5b7a64..1c2386c01c 100644
> > > --- a/hw/net/vhost_net.c
> > > +++ b/hw/net/vhost_net.c
> > > @@ -339,14 +339,16 @@ int vhost_net_start(VirtIODevice *dev, 
> > > NetClientState *ncs,
> > >   }
> > >
> > >   for (i = 0; i < nvhosts; i++) {
> > > +bool cvq_idx = i >= data_queue_pairs;
> > >
> > > -if (i < data_queue_pairs) {
> > > +if (!cvq_idx) {
> > >   peer = qemu_get_peer(ncs, i);
> > >   } else { /* Control Virtqueue */
> > >   peer = qemu_get_peer(ncs, n->max_queue_pairs);
> > >   }
> > >
> > >   net = get_vhost_net(peer);
> > > +net->dev.independent_vq_group = !!cvq_idx;
> > >   vhost_net_set_vq_index(net, i * 2, index_end);
> > >
> > >   /* Suppress the masking guest notifiers on vhost user
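
Review bot: `cvq_idx` in the `vhost_net_start()` loop is a `bool`, not an index, so the name misleads, and the `!!` in `net->dev.independent_vq_group = !!cvq_idx;` is redundant on a value that is already boolean. Something like `bool is_cvq = i >= data_queue_pairs;` with a plain assignment reads better.
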
> > > diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
> > > index eec6d544e9..52dd8baa8d 100644
> > > --- a/hw/virtio/vhost-vdpa.c
> > > +++ b/hw/virtio/vhost-vdpa.c
> > > @@ -685,7 +685,8 @@ static int vhost_vdpa_set_backend_cap(struct 
> > > vhost_dev *dev)
> > >   {
> > >   uint64_t features;
> > >   uint64_t f = 0x1ULL << VHOST_BACKEND_F_IOTLB_MSG_V2 |
> > > -0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH;
> > > +0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH |
> > > +0x1ULL << VHOST_BACKEND_F_IOTLB_ASID;
> > >   int r;
> > >
> > >   if (vhost_vdpa_call(dev, VHOST_GET_BACKEND_FEATURES, &features)) {
> > > @@ -1110,6 +,78 @@ static bool vhost_vdpa_svqs_stop(struct vhost_dev 
> > > *dev)
> > >   return true;
> > >   }
> > >
> > > +static int vhost_vdpa_get_vring_group(struct vhost_dev *dev,
> > > +  struct vhost_vring_state *state)
> > > +{
> > > +int ret = vhost_vdpa_call(dev, VHOST_VDPA_GET_VRING_GROUP, state);
> > > +trace_vhost_vdpa_get_vring_group(dev, state->index, state->num);
> > > +return ret;
> > > +}
> > > +
> > > +static bool vhost_dev_is_independent_group(struct vhost_dev *dev)
> > > +{
> > > +struct vhost_vdpa *v = dev->opaque;
> > > +struct vhost_vring_state this_vq_group = {
> > > +.index = dev->vq_index,
> > > +};
> > > +int ret;
> > > +
> > > +if (!(dev->backend_cap & VHOST_BACKEND_F_IOTLB_ASID)) {
> > > +return true;
> > > +}
> >
> >
> > This should be false?
> >
> >
> > > +
> > > +if (!v->shadow_vqs_enabled) {
> > > +return true;
> > > +}
> >
> >
> > And here?
> >
>
> They're true so it doesn't get in the middle if the device already
> knows there is no need to check vhost_dev for an independent group.

I'm not sure I understand this.

Without ASID but with MQ, we know all vhost_devs are not independent.

>
> With recent mq changes, I think I can delete these checks and move
> them to net/vhost-vdpa.
>
> >
> > > +
> > > +ret = vhost_vdpa_get_vring_group(dev, &this_vq_group);
> > > +if (unlikely(ret)) {
> > > +goto call_err;
> > > +}
> > > +
> > > +for (int i = 1; i < dev->nvqs; ++i) {
> > > +struct vhost_vring_state vq_group = {
> > > +.index = dev->vq_index + i,
> > > +};
> > > +
> > > +ret = vhost_vdpa_get_vring_group(dev, &vq_group);
> > > +if (unlikely(ret)) {
> > > +   
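
Review bot: `dev->backend_cap & VHOST_BACKEND_F_IOTLB_ASID` in `vhost_dev_is_independent_group()` uses the feature constant as a mask, while `vhost_vdpa_set_backend_cap()` in this same patch uses it as a bit number (`0x1ULL << VHOST_BACKEND_F_IOTLB_ASID`). The test should be `dev->backend_cap & (0x1ULL << VHOST_BACKEND_F_IOTLB_ASID)`, otherwise it checks unrelated low bits of `backend_cap`.
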

Re: [PATCH v4 08/53] semihosting: Split out guestfd.c

2022-06-09 Thread Alex Bennée


Richard Henderson  writes:

> In arm-compat-semi.c, we have more advanced treatment of
> guest file descriptors than we do in other implementations.
> Split out GuestFD and related functions to a new file so
> that they can be shared.
>
> Reviewed-by: Peter Maydell 
> Signed-off-by: Richard Henderson 
> ---
>  configs/targets/aarch64-linux-user.mak|   1 +
>  configs/targets/aarch64_be-linux-user.mak |   1 +
>  configs/targets/arm-linux-user.mak|   1 +
>  configs/targets/armeb-linux-user.mak  |   1 +
>  configs/targets/riscv32-linux-user.mak|   1 +
>  configs/targets/riscv64-linux-user.mak|   1 +
>  include/semihosting/guestfd.h |  83 +++
>  semihosting/arm-compat-semi.c | 164 +++---
>  semihosting/guestfd.c | 118 
>  semihosting/meson.build   |   4 +
>  10 files changed, 233 insertions(+), 142 deletions(-)
>  create mode 100644 include/semihosting/guestfd.h
>  create mode 100644 semihosting/guestfd.c
>
> diff --git a/configs/targets/aarch64-linux-user.mak 
> b/configs/targets/aarch64-linux-user.mak
> index d0c603c54e..db552f1839 100644
> --- a/configs/targets/aarch64-linux-user.mak
> +++ b/configs/targets/aarch64-linux-user.mak
> @@ -2,4 +2,5 @@ TARGET_ARCH=aarch64
>  TARGET_BASE_ARCH=arm
>  TARGET_XML_FILES= gdb-xml/aarch64-core.xml gdb-xml/aarch64-fpu.xml
>  TARGET_HAS_BFLT=y
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
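
Review bot: the `CONFIG_SEMIHOSTING=y` line added to `aarch64-linux-user.mak` here, and repeated in the five other linux-user target files of this patch, is not explained by the commit message, which only covers splitting out GuestFD. State why these targets need the symbol set explicitly next to `CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y`, or move the config change into its own patch.
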
> diff --git a/configs/targets/aarch64_be-linux-user.mak 
> b/configs/targets/aarch64_be-linux-user.mak
> index 7794424745..dc78044fb1 100644
> --- a/configs/targets/aarch64_be-linux-user.mak
> +++ b/configs/targets/aarch64_be-linux-user.mak
> @@ -3,4 +3,5 @@ TARGET_BASE_ARCH=arm
>  TARGET_BIG_ENDIAN=y
>  TARGET_XML_FILES= gdb-xml/aarch64-core.xml gdb-xml/aarch64-fpu.xml
>  TARGET_HAS_BFLT=y
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
> diff --git a/configs/targets/arm-linux-user.mak 
> b/configs/targets/arm-linux-user.mak
> index 3e10d6b15d..7f5d65794c 100644
> --- a/configs/targets/arm-linux-user.mak
> +++ b/configs/targets/arm-linux-user.mak
> @@ -3,4 +3,5 @@ TARGET_SYSTBL_ABI=common,oabi
>  TARGET_SYSTBL=syscall.tbl
>  TARGET_XML_FILES= gdb-xml/arm-core.xml gdb-xml/arm-vfp.xml 
> gdb-xml/arm-vfp3.xml gdb-xml/arm-vfp-sysregs.xml gdb-xml/arm-neon.xml 
> gdb-xml/arm-m-profile.xml gdb-xml/arm-m-profile-mve.xml
>  TARGET_HAS_BFLT=y
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
> diff --git a/configs/targets/armeb-linux-user.mak 
> b/configs/targets/armeb-linux-user.mak
> index a249cc2e29..943d0d87bf 100644
> --- a/configs/targets/armeb-linux-user.mak
> +++ b/configs/targets/armeb-linux-user.mak
> @@ -4,4 +4,5 @@ TARGET_SYSTBL=syscall.tbl
>  TARGET_BIG_ENDIAN=y
>  TARGET_XML_FILES= gdb-xml/arm-core.xml gdb-xml/arm-vfp.xml 
> gdb-xml/arm-vfp3.xml gdb-xml/arm-vfp-sysregs.xml gdb-xml/arm-neon.xml 
> gdb-xml/arm-m-profile.xml gdb-xml/arm-m-profile-mve.xml
>  TARGET_HAS_BFLT=y
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
> diff --git a/configs/targets/riscv32-linux-user.mak 
> b/configs/targets/riscv32-linux-user.mak
> index bd2f1fd497..9761618e67 100644
> --- a/configs/targets/riscv32-linux-user.mak
> +++ b/configs/targets/riscv32-linux-user.mak
> @@ -2,4 +2,5 @@ TARGET_ARCH=riscv32
>  TARGET_BASE_ARCH=riscv
>  TARGET_ABI_DIR=riscv
>  TARGET_XML_FILES= gdb-xml/riscv-32bit-cpu.xml gdb-xml/riscv-32bit-fpu.xml 
> gdb-xml/riscv-64bit-fpu.xml gdb-xml/riscv-32bit-virtual.xml
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
> diff --git a/configs/targets/riscv64-linux-user.mak 
> b/configs/targets/riscv64-linux-user.mak
> index 4aca7662ce..cfd1fd382f 100644
> --- a/configs/targets/riscv64-linux-user.mak
> +++ b/configs/targets/riscv64-linux-user.mak
> @@ -2,4 +2,5 @@ TARGET_ARCH=riscv64
>  TARGET_BASE_ARCH=riscv
>  TARGET_ABI_DIR=riscv
>  TARGET_XML_FILES= gdb-xml/riscv-64bit-cpu.xml gdb-xml/riscv-32bit-fpu.xml 
> gdb-xml/riscv-64bit-fpu.xml gdb-xml/riscv-64bit-virtual.xml
> +CONFIG_SEMIHOSTING=y
>  CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y

Why are these needed? The:

config ARM_COMPATIBLE_SEMIHOSTING
   bool
   select SEMIHOSTING

stanza should ensure we select SEMIHOSTING automatically.

Otherwise:

Reviewed-by: Alex Bennée 

-- 
Alex Bennée



Re: [PATCH] microvm: turn off io reservations for pcie root ports

2022-06-09 Thread Gerd Hoffmann
On Wed, Jun 08, 2022 at 12:06:17PM -0400, Michael S. Tsirkin wrote:
> On Fri, Jun 03, 2022 at 10:59:20AM +0200, Gerd Hoffmann wrote:
> > The pcie host bridge has no io window on microvm,
> > so io reservations will not work.
> > 
> > Signed-off-by: Gerd Hoffmann 
> 
> I don't much like overriding user like this. We end up users
> setting it to silly values and then if we do want to
> support this things just break. Thoughts?

Well, it just looked like the simplest way to tell the firmware that
io reservations are pointless.  Do you have a better idea?

take care,
  Gerd




Re: [RFC][PATCH] docs: note exception for PCIe IO port access

2022-06-09 Thread Laszlo Ersek
+Alex

On 06/09/22 04:00, Kevin Locke wrote:
> ioport access is required for VESA BIOS Extensions (VBE).  Since ioport
> access is not forwarded over PCI(e) bridges, graphics adapters must be
> attached directly to the Root Complex in order for the BIOS to provide
> VBE modes.  I'm very grateful to Gerd Hoffmann for explaining this on
> the SeaBIOS mailing list.[1]
>
> Update the PCI Express Guidelines to document this as an exception to
> the recommendation to "Place only legacy PCI devices on the Root
> Complex."
>
> [1]: 
> https://mail.coreboot.org/hyperkitty/list/seab...@seabios.org/thread/XG2RN3HKVRDEDTLA2PRELLIENIIH7II7/#XVP3I2KQVZHSTDA4SNVKOITWGRGSDU3F
>
> Signed-off-by: Kevin Locke 
> ---

I think we're discussing three separate things here:

(a) plugging a legacy PCI device into an Express slot
(b) the inverse: plugging an Express device into a legacy PCI slot
(c) plugging an Express device into a slot on the PCIe root complex

Telling these apart is not easy because:

> QEMU does not have a clear socket-device matching mechanism
> and allows any PCI/PCI Express device to be plugged into any
> PCI/PCI Express slot.

Now,

(a) your original (non-functional) use case:

qemu-system-x86_64 \
-no-user-config \
-nodefaults \
-machine q35,accel=kvm \
-m 1G \
-cdrom "$iso" \
-device pcie-root-port,id=pci.1,bus=pcie.0 \
-device VGA,bus=pci.1

violates the following part of "pcie.txt":

> Plugging a PCI device into a PCI Express slot might not always work and
> is weird anyway since it cannot be done for "bare metal".

AIUI, what Gerd explains in that SeaBIOS thread is why and how exactly
such an attempt breaks. The statement that it would break is already
spelled out in "pcie.txt".

So I think that, given strictly your original report on the SeaBIOS
list, no updates to "pcie.txt" are necessary.

Note that your original (functional) use case:

qemu-system-x86_64 \
-no-user-config \
-nodefaults \
-machine q35,accel=kvm \
-m 1G \
-cdrom "$iso" \
-device VGA

does not conflict with

> Place only the following kinds of devices directly on the Root Complex:
> (1) PCI Devices (e.g. network card, graphics card, IDE controller),
> not controllers. Place only legacy PCI devices on
> the Root Complex. These will be considered Integrated Endpoints.
> Note: Integrated Endpoints are not hot-pluggable.
>
> Although the PCI Express spec does not forbid PCI Express devices as
> Integrated Endpoints, existing hardware mostly integrates legacy PCI
> devices with the Root Complex. Guest OSes are suspected to behave
> strangely when PCI Express devices are integrated
> with the Root Complex.

because "-device VGA" is a legacy PCI device, not a PCI Express device.
So the second quoted paragraph does not apply to it at all, and the
first paragraph is in sync with your functional use case.

Then,

On 06/09/22 04:00, Kevin Locke wrote:
> This suggested documentation change is the result of my struggles to
> understand why I was seeing a very limited set of display modes in one
> of my virtual machines, as explained in the seabios ML post linked above
> and an earlier post to qemu-discuss.[2]  I hope it may help avoid some
> of these hassles for future users.

Per your original report, the misconfig on your side was not that you
placed a PCIe display controller on the root complex, but that you
placed a legacy PCI device into a PCIe root port (which is physically
impossible on a physical machine).

>
> I'm far from being an expert in PCI(e), BIOS/VBE, or virtualization in
> general, and would appreciate any suggestions on these docs changes.
> I'm also curious about whether graphics devices are the only exception

While VGA is quirky ("there was only ever intended to be one device" --
see
),
I maintain that it's sufficiently covered already (although not
specifically) by "pcie.txt"; see above. "-device VGA" is a legacy PCI
device, you can't plug it in an Express slot (root complex or port
alike).

In the blog post at
, Gerd
explains that (effectively) only "bochs-display" and "virtio-gpu-pci"
(from QEMU's emulated devices) may be placed in PCI Express slots (root
complex or separate port, alike).

*In theory*, scenario (b) applies to "bochs-display" and
"virtio-gpu-pci" when you plug them into a legacy PCI slot:

> Plugging a PCI Express device into a PCI slot will hide the Extended
> Configuration Space thus is also not recommended.

But this is fine, as these device models don't have extended
capabilities in practice. IOW, I'd imagine them (if they were physical
cards) as PCI Express devices without any use for their extended config
spaces. You could plug them into legacy PCI slots, but would see no
difference in behavior (apart from speed perhaps).

But, we might want to update "

Re: [RFC][PATCH] docs: note exception for PCIe IO port access

2022-06-09 Thread Laszlo Ersek
On 06/09/22 09:45, Laszlo Ersek wrote:
> +Alex
> 
> On 06/09/22 04:00, Kevin Locke wrote:

> *In theory*, scenario (b) applies to "bochs-display" and
> "virtio-gpu-pci" when you plug them into a legacy PCI slot:
> 
>> Plugging a PCI Express device into a PCI slot will hide the Extended
>> Configuration Space thus is also not recommended.
> 
> But this is fine, as these device models don't have extended
> capabilities in practice. IOW, I'd imagine them (if they were physical
> cards) as PCI Express devices without any use for their extended config
> spaces. You could plug them into legacy PCI slots, but would see no
> difference in behavior (apart from speed perhaps).

Ignore the part starting with "IOW", that seems like brain fart on my
part, apologies! :/




Re: [RFC PATCH v8 14/21] vhost: Make possible to check for device exclusive vq group

2022-06-09 Thread Eugenio Perez Martin
On Thu, Jun 9, 2022 at 9:13 AM Jason Wang  wrote:
>
> On Thu, Jun 9, 2022 at 3:22 AM Eugenio Perez Martin  
> wrote:
> >
> > On Wed, Jun 8, 2022 at 6:25 AM Jason Wang  wrote:
> > >
> > >
> > > On 2022/5/20 03:12, Eugenio Pérez wrote:
> > > > CVQ needs to be in its own group, not shared with any data vq. Enable
> > > > the checking of it here, before introducing address space id concepts.
> > > >
> > > > Signed-off-by: Eugenio Pérez 
> > > > ---
> > > >   include/hw/virtio/vhost.h |  2 +
> > > >   hw/net/vhost_net.c|  4 +-
> > > >   hw/virtio/vhost-vdpa.c| 79 ++-
> > > >   hw/virtio/trace-events|  1 +
> > > >   4 files changed, 84 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
> > > > index b291fe4e24..cebec1d817 100644
> > > > --- a/include/hw/virtio/vhost.h
> > > > +++ b/include/hw/virtio/vhost.h
> > > > @@ -84,6 +84,8 @@ struct vhost_dev {
> > > >   int vq_index_end;
> > > >   /* if non-zero, minimum required value for max_queues */
> > > >   int num_queues;
> > > > +/* Must be a vq group different than any other vhost dev */
> > > > +bool independent_vq_group;
> > >
> > >
> > > We probably need a better abstraction here.
> > >
> > > E.g having a parent vhost_dev_group structure.
> > >
> >
> > I think there is room for improvement too, but to make this work we
> > don't need the device model to know all the other devices at this
> > moment. I'm open to implementing it if we decide that solution is more
> > maintainable or whatever other reason though.
>
> I see, so let's keep it as is and do the enhancement in the future.
>
> >
> > >
> > > >   uint64_t features;
> > > >   uint64_t acked_features;
> > > >   uint64_t backend_features;
> > > > diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
> > > > index ccac5b7a64..1c2386c01c 100644
> > > > --- a/hw/net/vhost_net.c
> > > > +++ b/hw/net/vhost_net.c
> > > > @@ -339,14 +339,16 @@ int vhost_net_start(VirtIODevice *dev, 
> > > > NetClientState *ncs,
> > > >   }
> > > >
> > > >   for (i = 0; i < nvhosts; i++) {
> > > > +bool cvq_idx = i >= data_queue_pairs;
> > > >
> > > > -if (i < data_queue_pairs) {
> > > > +if (!cvq_idx) {
> > > >   peer = qemu_get_peer(ncs, i);
> > > >   } else { /* Control Virtqueue */
> > > >   peer = qemu_get_peer(ncs, n->max_queue_pairs);
> > > >   }
> > > >
> > > >   net = get_vhost_net(peer);
> > > > +net->dev.independent_vq_group = !!cvq_idx;
> > > >   vhost_net_set_vq_index(net, i * 2, index_end);
> > > >
> > > >   /* Suppress the masking guest notifiers on vhost user
> > > > diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
> > > > index eec6d544e9..52dd8baa8d 100644
> > > > --- a/hw/virtio/vhost-vdpa.c
> > > > +++ b/hw/virtio/vhost-vdpa.c
> > > > @@ -685,7 +685,8 @@ static int vhost_vdpa_set_backend_cap(struct 
> > > > vhost_dev *dev)
> > > >   {
> > > >   uint64_t features;
> > > >   uint64_t f = 0x1ULL << VHOST_BACKEND_F_IOTLB_MSG_V2 |
> > > > -0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH;
> > > > +0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH |
> > > > +0x1ULL << VHOST_BACKEND_F_IOTLB_ASID;
> > > >   int r;
> > > >
> > > >   if (vhost_vdpa_call(dev, VHOST_GET_BACKEND_FEATURES, &features)) {
> > > > @@ -1110,6 +,78 @@ static bool vhost_vdpa_svqs_stop(struct 
> > > > vhost_dev *dev)
> > > >   return true;
> > > >   }
> > > >
> > > > +static int vhost_vdpa_get_vring_group(struct vhost_dev *dev,
> > > > +  struct vhost_vring_state *state)
> > > > +{
> > > > +int ret = vhost_vdpa_call(dev, VHOST_VDPA_GET_VRING_GROUP, state);
> > > > +trace_vhost_vdpa_get_vring_group(dev, state->index, state->num);
> > > > +return ret;
> > > > +}
> > > > +
> > > > +static bool vhost_dev_is_independent_group(struct vhost_dev *dev)
> > > > +{
> > > > +struct vhost_vdpa *v = dev->opaque;
> > > > +struct vhost_vring_state this_vq_group = {
> > > > +.index = dev->vq_index,
> > > > +};
> > > > +int ret;
> > > > +
> > > > +if (!(dev->backend_cap & VHOST_BACKEND_F_IOTLB_ASID)) {
> > > > +return true;
> > > > +}
> > >
> > >
> > > This should be false?
> > >
> > >
> > > > +
> > > > +if (!v->shadow_vqs_enabled) {
> > > > +return true;
> > > > +}
> > >
> > >
> > > And here?
> > >
> >
> > They're true so it doesn't get in the middle if the device already
> > knows there is no need to check vhost_dev for an independent group.
>
> I'm not sure I understand this.
>
> Without ASID but with MQ, we know all vhost_devs are not independent.
>

I think we can move this discussion to another level: What is the
right action if the device exposes MQ but cannot set a different asid
for cvq for whatever reason?

a. To forbid migration (migration_blocker). This maintains retro
compat

Re: [PATCH v2 1/2] QIOChannelSocket: Reduce ifdefs to improve readability

2022-06-09 Thread Daniel P . Berrangé
On Wed, Jun 08, 2022 at 06:04:02PM -0300, Leonardo Bras wrote:
> During implementation of MSG_ZEROCOPY feature, a lot of #ifdefs were
> introduced, particularly at qio_channel_socket_writev().
> 
> Rewrite some of those changes so it's easier to read.
>   ...
> Signed-off-by: Leonardo Bras 
> ---
>  io/channel-socket.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/io/channel-socket.c b/io/channel-socket.c
> index dc9c165de1..ef7c7cfbac 100644
> --- a/io/channel-socket.c
> +++ b/io/channel-socket.c
> @@ -554,6 +554,7 @@ static ssize_t qio_channel_socket_writev(QIOChannel *ioc,
>  size_t fdsize = sizeof(int) * nfds;
>  struct cmsghdr *cmsg;
>  int sflags = 0;
> +bool zero_copy_enabled = false;
>  
>  memset(control, 0, CMSG_SPACE(sizeof(int) * SOCKET_MAX_FDS));
>  
> @@ -581,6 +582,7 @@ static ssize_t qio_channel_socket_writev(QIOChannel *ioc,
>  #ifdef QEMU_MSG_ZEROCOPY
>  if (flags & QIO_CHANNEL_WRITE_FLAG_ZERO_COPY) {
>  sflags = MSG_ZEROCOPY;
> +zero_copy_enabled = true;
>  }

There should be a

 #else
error_setg(errp, "Zero copy not supported on this platform");
return -1;
 #endif

>  #endif
>  
> @@ -592,15 +594,13 @@ static ssize_t qio_channel_socket_writev(QIOChannel 
> *ioc,
>  return QIO_CHANNEL_ERR_BLOCK;
>  case EINTR:
>  goto retry;
> -#ifdef QEMU_MSG_ZEROCOPY
>  case ENOBUFS:
> -if (sflags & MSG_ZEROCOPY) {
> +if (zero_copy_enabled) {

if (flags & QIO_CHANNEL_WRITE_FLAG_ZERO_COPY)

avoids the #ifdef without needing to add yet another
variable expressing what's already expressed in both
'flags' and 'sflags'.

>  error_setg_errno(errp, errno,
>   "Process can't lock enough memory for using 
> MSG_ZEROCOPY");
>  return -1;
>  }
>  break;
> -#endif
>  }
>  
>  error_setg_errno(errp, errno,
> -- 
> 2.36.1
> 

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




[PATCH v2 3/3] target/mips: implement Octeon-specific arithmetic instructions

2022-06-09 Thread Pavel Dovgalyuk
This patch implements several Octeon-specific instructions:
- BADDU
- DMUL
- EXTS/EXTS32
- CINS/CINS32
- POP/DPOP
- SEQ/SEQI
- SNE/SNEI

Signed-off-by: Pavel Dovgalyuk 

--

v2 changes:
   - Using existing tcg instructions for exts, cins, pop
 (suggested by Richard Henderson)
---
 target/mips/tcg/octeon.decode  |   26 ++
 target/mips/tcg/octeon_translate.c |  155 
 2 files changed, 181 insertions(+)

diff --git a/target/mips/tcg/octeon.decode b/target/mips/tcg/octeon.decode
index 8062715578..8929ad088e 100644
--- a/target/mips/tcg/octeon.decode
+++ b/target/mips/tcg/octeon.decode
@@ -13,3 +13,29 @@
 
 %bbit_p  28:1 16:5
 BBIT 11 set:1 . 10 rs:5 . offset:16 p=%bbit_p
+
+# Arithmetic
+# BADDU rd, rs, rt
+# DMUL rd, rs, rt
+# EXTS rt, rs, p, lenm1
+# EXTS32 rt, rs, p, lenm1
+# CINS rt, rs, p, lenm1
+# CINS32 rt, rs, p, lenm1
+# DPOP rd, rs
+# POP rd, rs
+# SEQ rd, rs, rt
+# SEQI rt, rs, immediate
+# SNE rd, rs, rt
+# SNEI rt, rs, immediate
+
+@r3  .. rs:5 rt:5 rd:5 . ..
+%bitfield_p  0:1 6:5
+@bitfield.. rs:5 rt:5 lenm1:5 . . . p=%bitfield_p
+
+BADDU011100 . . . 0 101000 @r3
+DMUL 011100 . . . 0 11 @r3
+EXTS 011100 . . . . 11101 . @bitfield
+CINS 011100 . . . . 11001 . @bitfield
+POP  011100 rs:5 0 rd:5 0 10110 dw:1
+SEQNE011100 rs:5 rt:5 rd:5 0 10101 ne:1
+SEQNEI   011100 rs:5 rt:5 imm:s10 10111 ne:1
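
Review bot: the comment block in `octeon.decode` lists EXTS32, CINS32, DPOP, SEQ, SEQI, SNE and SNEI, but no pattern carries those names; they appear to be folded into `EXTS`/`CINS` through `%bitfield_p`, into `POP` through `dw:1`, and into `SEQNE`/`SEQNEI` through `ne:1`. Note next to each pattern which field value selects which mnemonic, so a reader can map an instruction name to its decoder line.
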
diff --git a/target/mips/tcg/octeon_translate.c 
b/target/mips/tcg/octeon_translate.c
index 1558f74a8e..0470605e1e 100644
--- a/target/mips/tcg/octeon_translate.c
+++ b/target/mips/tcg/octeon_translate.c
@@ -44,3 +44,158 @@ static bool trans_BBIT(DisasContext *ctx, arg_BBIT *a)
 tcg_temp_free(t0);
 return true;
 }
+
+static bool trans_BADDU(DisasContext *ctx, arg_BADDU *a)
+{
+TCGv t0, t1;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+gen_load_gpr(t1, a->rt);
+
+tcg_gen_add_tl(t0, t0, t1);
+tcg_gen_andi_i64(cpu_gpr[a->rd], t0, 0xff);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_DMUL(DisasContext *ctx, arg_DMUL *a)
+{
+TCGv t0, t1;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+gen_load_gpr(t1, a->rt);
+
+tcg_gen_mul_i64(cpu_gpr[a->rd], t0, t1);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_EXTS(DisasContext *ctx, arg_EXTS *a)
+{
+TCGv t0;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+tcg_gen_sextract_tl(t0, t0, a->p, a->lenm1);
+gen_store_gpr(t0, a->rt);
+tcg_temp_free(t0);
+
+return true;
+}
+
+static bool trans_CINS(DisasContext *ctx, arg_CINS *a)
+{
+TCGv t0;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+tcg_gen_deposit_z_tl(t0, t0, a->p, a->lenm1);
+gen_store_gpr(t0, a->rt);
+tcg_temp_free(t0);
+
+return true;
+}
+
+static bool trans_POP(DisasContext *ctx, arg_POP *a)
+{
+TCGv t0;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+if (!a->dw) {
+tcg_gen_andi_i64(t0, t0, 0x);
+}
+tcg_gen_ctpop_tl(t0, t0);
+gen_store_gpr(t0, a->rd);
+tcg_temp_free(t0);
+
+return true;
+}
+
+static bool trans_SEQNE(DisasContext *ctx, arg_SEQNE *a)
+{
+TCGv t0, t1;
+
+if (a->rd == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+
+gen_load_gpr(t0, a->rs);
+gen_load_gpr(t1, a->rt);
+
+if (a->ne) {
+tcg_gen_setcond_tl(TCG_COND_NE, cpu_gpr[a->rd], t1, t0);
+} else {
+tcg_gen_setcond_tl(TCG_COND_EQ, cpu_gpr[a->rd], t1, t0);
+}
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+
+return true;
+}
+
+static bool trans_SEQNEI(DisasContext *ctx, arg_SEQNEI *a)
+{
+TCGv t0;
+
+if (a->rt == 0) {
+/* nop */
+return true;
+}
+
+t0 = tcg_temp_new();
+
+gen_load_gpr(t0, a->rs);
+
+/* Sign-extend to 64 bit value */
+target_ulong imm = a->imm;
+if (a->ne) {
+tcg_gen_setcondi_tl(TCG_COND_NE, cpu_gpr[a->rt], t0, imm);
+} else {
+tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_gpr[a->rt], t0, imm);
+}
+
+tcg_temp_free(t0);
+
+return true;
+}
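
Review bot: `trans_BADDU()` and `trans_DMUL()` return early when `a->rt == 0`, but both write their result to `cpu_gpr[a->rd]`, so the nop test should be on `a->rd`; as written, an encoding with `rd == 0` still writes `cpu_gpr[0]`, and one with `rt == 0` is dropped although it has a destination. In `trans_EXTS()` and `trans_CINS()` the field named `lenm1` is passed as the length argument of `tcg_gen_sextract_tl()` and `tcg_gen_deposit_z_tl()`; if it holds the length minus one, as the name says, pass `a->lenm1 + 1`.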




[PATCH v2 0/3] Cavium Octeon MIPS extensions

2022-06-09 Thread Pavel Dovgalyuk
The following series includes emulation of the platform-specific MIPS extension
for Cavium Octeon CPUs:
- basic Octeon vCPU model
- custom instruction decoder for Octeon
- implementation of arithmetic and logic instructions

v2 changes:
 - simplified instruction decoding and translation (suggested by Richard 
Henderson)

---

Pavel Dovgalyuk (3):
  target/mips: introduce Cavium Octeon CPU model
  target/mips: implement Octeon-specific BBIT instructions
  target/mips: implement Octeon-specific arithmetic instructions


 target/mips/tcg/meson.build|   2 +
 target/mips/tcg/octeon.decode  |  41 ++
 target/mips/tcg/octeon_translate.c | 201 +
 target/mips/tcg/translate.c|   5 +
 target/mips/tcg/translate.h|   1 +
 5 files changed, 250 insertions(+)
 create mode 100644 target/mips/tcg/octeon.decode
 create mode 100644 target/mips/tcg/octeon_translate.c

--
Pavel Dovgalyuk



[PATCH v2 1/3] target/mips: introduce Cavium Octeon CPU model

2022-06-09 Thread Pavel Dovgalyuk
This patch adds Cavium Octeon vCPU for providing
Octeon-specific instructions.

Signed-off-by: Pavel Dovgalyuk 

--
v2 changes:
 - vCPU name changed to Octeon68XX (suggested by Richard Henderson)
---
 target/mips/cpu-defs.c.inc |   28 
 target/mips/mips-defs.h|1 +
 2 files changed, 29 insertions(+)

diff --git a/target/mips/cpu-defs.c.inc b/target/mips/cpu-defs.c.inc
index 582f940070..7f53c94ec8 100644
--- a/target/mips/cpu-defs.c.inc
+++ b/target/mips/cpu-defs.c.inc
@@ -921,6 +921,34 @@ const mips_def_t mips_defs[] =
 .insn_flags = CPU_MIPS64R2 | ASE_DSP | ASE_DSP_R2,
 .mmu_type = MMU_TYPE_R4000,
 },
+{
+/*
+ * Octeon 68xx with MIPS64 Cavium Octeon features.
+ */
+.name = "Octeon68XX",
+.CP0_PRid = 0x000D9100,
+.CP0_Config0 = MIPS_CONFIG0 | (0x1 << CP0C0_AR) | (0x2 << CP0C0_AT) |
+   (MMU_TYPE_R4000 << CP0C0_MT),
+.CP0_Config1 = MIPS_CONFIG1 | (0x3F << CP0C1_MMU) |
+   (1 << CP0C1_IS) | (4 << CP0C1_IL) | (1 << CP0C1_IA) |
+   (1 << CP0C1_DS) | (4 << CP0C1_DL) | (1 << CP0C1_DA) |
+   (1 << CP0C1_PC) | (1 << CP0C1_WR) | (1 << CP0C1_EP),
+.CP0_Config2 = MIPS_CONFIG2,
+.CP0_Config3 = MIPS_CONFIG3 | (1 << CP0C3_LPA) | (1 << CP0C3_DSPP) ,
+.CP0_Config4 = MIPS_CONFIG4 | (1U << CP0C4_M) |
+   (0x3c << CP0C4_KScrExist) | (1U << CP0C4_MMUExtDef) |
+   (3U << CP0C4_MMUSizeExt),
+.CP0_LLAddr_rw_bitmask = 0,
+.CP0_LLAddr_shift = 4,
+.CP0_PageGrain = (1 << CP0PG_ELPA),
+.SYNCI_Step = 32,
+.CCRes = 2,
+.CP0_Status_rw_bitmask = 0x12F8,
+.SEGBITS = 42,
+.PABITS = 49,
+.insn_flags = CPU_MIPS64R2 | INSN_OCTEON | ASE_DSP,
+.mmu_type = MMU_TYPE_R4000,
+},
 
 #endif
 };
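Review bot: .CP0_Config4 is populated here (including its own M bit), but .CP0_Config3 does not OR in (1U << CP0C3_M) and no .CP0_Config5 is given; unless MIPS_CONFIG3 already carries the continuation bit, the guest has no way to discover Config4, so please check the M-bit chain for this entry. Smaller points: there is a stray space before the comma in `(1 << CP0C3_DSPP) ,`, and the comment could say which manual the PRid and cache/TLB values were taken from.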
diff --git a/target/mips/mips-defs.h b/target/mips/mips-defs.h
index 0a12d982a7..a6cebe0265 100644
--- a/target/mips/mips-defs.h
+++ b/target/mips/mips-defs.h
@@ -42,6 +42,7 @@
 #define INSN_LOONGSON2E   0x0400ULL
 #define INSN_LOONGSON2F   0x0800ULL
 #define INSN_LOONGSON3A   0x1000ULL
+#define INSN_OCTEON   0x2000ULL
 /*
  *   bits 52-63: vendor-specific ASEs
  */




[PATCH v2 2/3] target/mips: implement Octeon-specific BBIT instructions

2022-06-09 Thread Pavel Dovgalyuk
This patch introduces Octeon-specific decoder and implements
check-bit-and-jump instructions.

Signed-off-by: Pavel Dovgalyuk 

--

v2 changes:
 - Changed insn field description and simplified the jumps
   (suggested by Richard Henderson)
---
 target/mips/tcg/meson.build|2 ++
 target/mips/tcg/octeon.decode  |   15 
 target/mips/tcg/octeon_translate.c |   46 
 target/mips/tcg/translate.c|5 
 target/mips/tcg/translate.h|1 +
 5 files changed, 69 insertions(+)
 create mode 100644 target/mips/tcg/octeon.decode
 create mode 100644 target/mips/tcg/octeon_translate.c

diff --git a/target/mips/tcg/meson.build b/target/mips/tcg/meson.build
index 98003779ae..7ee969ec8f 100644
--- a/target/mips/tcg/meson.build
+++ b/target/mips/tcg/meson.build
@@ -3,6 +3,7 @@ gen = [
   decodetree.process('msa.decode', extra_args: '--decode=decode_ase_msa'),
   decodetree.process('tx79.decode', extra_args: '--static-decode=decode_tx79'),
   decodetree.process('vr54xx.decode', extra_args: 
'--decode=decode_ext_vr54xx'),
+  decodetree.process('octeon.decode', extra_args: 
'--decode=decode_ext_octeon'),
 ]
 
 mips_ss.add(gen)
@@ -24,6 +25,7 @@ mips_ss.add(files(
 ))
 mips_ss.add(when: 'TARGET_MIPS64', if_true: files(
   'tx79_translate.c',
+  'octeon_translate.c',
 ), if_false: files(
   'mxu_translate.c',
 ))
diff --git a/target/mips/tcg/octeon.decode b/target/mips/tcg/octeon.decode
new file mode 100644
index 00..8062715578
--- /dev/null
+++ b/target/mips/tcg/octeon.decode
@@ -0,0 +1,15 @@
+# Octeon Architecture Module instruction set
+#
+# Copyright (C) 2022 Pavel Dovgalyuk
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+
+# Branch on bit set or clear
+# BBIT0  110010 . . 
+# BBIT032110110 . . 
+# BBIT1  111010 . . 
+# BBIT13210 . . 
+
+%bbit_p  28:1 16:5
+BBIT 11 set:1 . 10 rs:5 . offset:16 p=%bbit_p
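Review bot: `offset:16` decodes the branch offset as an unsigned field, while trans_BBIT computes `ctx->base.pc_next + 4 + a->offset * 4`, so a backward BBIT would get a target far ahead of the branch instead of behind it. Declaring the field as `offset:s16` lets decodetree sign-extend it before the translator sees it.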
diff --git a/target/mips/tcg/octeon_translate.c 
b/target/mips/tcg/octeon_translate.c
new file mode 100644
index 00..1558f74a8e
--- /dev/null
+++ b/target/mips/tcg/octeon_translate.c
@@ -0,0 +1,46 @@
+/*
+ * Octeon-specific instructions translation routines
+ *
+ *  Copyright (c) 2022 Pavel Dovgalyuk
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "tcg/tcg-op.h"
+#include "tcg/tcg-op-gvec.h"
+#include "exec/helper-gen.h"
+#include "translate.h"
+
+/* Include the auto-generated decoder.  */
+#include "decode-octeon.c.inc"
+
+static bool trans_BBIT(DisasContext *ctx, arg_BBIT *a)
+{
+TCGv p;
+
+if (ctx->hflags & MIPS_HFLAG_BMASK) {
+LOG_DISAS("Branch in delay / forbidden slot at PC 0x"
+  TARGET_FMT_lx "\n", ctx->base.pc_next);
+generate_exception_end(ctx, EXCP_RI);
+return true;
+}
+
+/* Load needed operands */
+TCGv t0 = tcg_temp_new();
+gen_load_gpr(t0, a->rs);
+
+p = tcg_constant_tl(1ULL << a->p);
+if (a->set) {
+tcg_gen_and_tl(bcond, p, t0);
+} else {
+tcg_gen_andc_tl(bcond, p, t0);
+}
+
+ctx->hflags |= MIPS_HFLAG_BC;
+ctx->btarget = ctx->base.pc_next + 4 + a->offset * 4;
+ctx->hflags |= MIPS_HFLAG_BDS32;
+
+tcg_temp_free(t0);
+return true;
+}
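Review bot: `TCGv t0 = tcg_temp_new();` is declared in the middle of trans_BBIT, after the delay-slot check; QEMU style keeps declarations at the top of the block, so it belongs next to `TCGv p;`. Nothing in this file uses tcg/tcg-op-gvec.h or exec/helper-gen.h yet, so those two includes can be dropped until a later patch needs them.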
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index 6de5b66650..4f41a9b00a 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -15963,6 +15963,11 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 if (cpu_supports_isa(env, INSN_VR54XX) && decode_ext_vr54xx(ctx, 
ctx->opcode)) {
 return;
 }
+#if defined(TARGET_MIPS64)
+if (cpu_supports_isa(env, INSN_OCTEON) && decode_ext_octeon(ctx, 
ctx->opcode)) {
+return;
+}
+#endif
 
 /* ISA extensions */
 if (ase_msa_available(env) && decode_ase_msa(ctx, ctx->opcode)) {
diff --git a/target/mips/tcg/translate.h b/target/mips/tcg/translate.h
index 9997fe2f3c..55053226ae 100644
--- a/target/mips/tcg/translate.h
+++ b/target/mips/tcg/translate.h
@@ -215,6 +215,7 @@ bool decode_ase_msa(DisasContext *ctx, uint32_t insn);
 bool decode_ext_txx9(DisasContext *ctx, uint32_t insn);
 #if defined(TARGET_MIPS64)
 bool decode_ext_tx79(DisasContext *ctx, uint32_t insn);
+bool decode_ext_octeon(DisasContext *ctx, uint32_t insn);
 #endif
 bool decode_ext_vr54xx(DisasContext *ctx, uint32_t insn);
 




[PATCH 1/1] i386/monitor: Fix page table walking issue for LA57 enabled guest

2022-06-09 Thread Yuan Yao
Don't skip next level page table for pdpe/pde when the
PG_PRESENT_MASK is set.

This fixes the issue that no mapping information was
collected from "info mem" for guest with LA57 enabled.

Signed-off-by: Yuan Yao 
---
 target/i386/monitor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 8e4b4d600c..3339550bbe 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -489,7 +489,7 @@ static void mem_info_la57(Monitor *mon, CPUArchState *env)
 cpu_physical_memory_read(pdp_addr + l2 * 8, &pdpe, 8);
 pdpe = le64_to_cpu(pdpe);
 end = (l0 << 48) + (l1 << 39) + (l2 << 30);
-if (pdpe & PG_PRESENT_MASK) {
+if (!(pdpe & PG_PRESENT_MASK)) {
 prot = 0;
 mem_print(mon, env, &start, &last_prot, end, prot);
 continue;
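Review bot: please confirm that the levels above pdpe and the final pte level in mem_info_la57 already test `!(entry & PG_PRESENT_MASK)`; this hunk and the next one correct the same inverted test at the pdpe and pde levels, and the walk should be consistent across all of them. A Fixes: tag naming the commit that introduced the inverted checks would also help anyone backporting this.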
@@ -508,7 +508,7 @@ static void mem_info_la57(Monitor *mon, CPUArchState *env)
 cpu_physical_memory_read(pd_addr + l3 * 8, &pde, 8);
 pde = le64_to_cpu(pde);
 end = (l0 << 48) + (l1 << 39) + (l2 << 30) + (l3 << 21);
-if (pde & PG_PRESENT_MASK) {
+if (!(pde & PG_PRESENT_MASK)) {
 prot = 0;
 mem_print(mon, env, &start, &last_prot, end, prot);
 continue;

base-commit: 6d940eff4734bcb40b1a25f62d7cec5a396f994a
-- 
2.27.0




Re: [PATCH v6 resend 0/4] add generic vDPA device support

2022-06-09 Thread Stefan Hajnoczi
On Sat, May 14, 2022 at 12:11:03PM +0800, Longpeng(Mike) wrote:
> From: Longpeng 
> 
> Hi guys,
> 
> With the generic vDPA device, QEMU won't need to touch the device
> types any more, such like vfio.
> 
> We can use the generic vDPA device as follow:
>   -device vhost-vdpa-device-pci,vhostdev=/dev/vhost-vdpa-X
>   Or
>   -M microvm -m 512m -smp 2 -kernel ... -initrd ... -device \
>   vhost-vdpa-device,vhostdev=/dev/vhost-vdpa-x
> 
> I've done some simple tests on Huawei's offloading card (net, 0.95).

Please send a follow-up patch that adds documentation for this new
device type. Maybe in a new docs/system/devices/vhost-vdpa.rst file?

Stefan




Re: [RFC][PATCH] docs: note exception for PCIe IO port access

2022-06-09 Thread Gerd Hoffmann
  Hi,

> I find this too general; a PCI Express device is supposed to work
> without IO resources. Graphics cards with legacy VGA compatibility are
> the exception AIUI (see again Alex's blog about VGA arbitration), so we
> should spell that out.

Yes, it's an exception specifically for VGA ports.  Can be turned on and
off here ...

$ sudo lspci -vvs00:1b.0 | grep BridgeCtl
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16+ MAbort- >Reset- FastB2B-
                                ^^^

... and this is what vgaarb uses to route vga register access to devices
behind pci bridges.

take care,
  Gerd




Re: [PATCH] disas: Remove libvixl disassembler

2022-06-09 Thread Thomas Huth

On 08/06/2022 17.51, Paolo Bonzini wrote:
> On 6/3/22 19:35, Thomas Huth wrote:
> > On 03/06/2022 19.26, Claudio Fontana wrote:
> > > On 6/3/22 18:42, Thomas Huth wrote:
> > > > The disassembly via capstone should be superior to our old vixl
> > > > sources nowadays, so let's finally cut this old disassembler out
> > > > of the QEMU source tree.
> > > >
> > > > Signed-off-by: Thomas Huth 
> > >
> > > agreed, one thought: at the time I added this thing, I had to add C++
> > > compilation support,
> > > maybe something we can now drop if there are no more C++ users?
> >
> > I thought about that, too, but we still have disas/nanomips.cpp left and
> > the Windows-related files in qga/vss-win32/* .
>
> That is pure C++ so it does not need the extra complication of "detect
> whether the C and C++ compiler are ABI-compatible" (typically due to
> different libasan/libtsan implementation between gcc and clang).  So it's
> really just nanoMIPS that's left.


Ok, so the next theoretical question is: If we get rid of the nanomips.cpp 
file or convert it to plain C, would we then simplify the code in configure 
again (and forbid C++ for the main QEMU code), or would we rather keep the 
current settings in case we want to re-introduce more C++ code again in the 
future?


 Thomas




Re: [PATCH] disas: Remove libvixl disassembler

2022-06-09 Thread Daniel P . Berrangé
On Thu, Jun 09, 2022 at 10:47:24AM +0200, Thomas Huth wrote:
> On 08/06/2022 17.51, Paolo Bonzini wrote:
> > On 6/3/22 19:35, Thomas Huth wrote:
> > > On 03/06/2022 19.26, Claudio Fontana wrote:
> > > > On 6/3/22 18:42, Thomas Huth wrote:
> > > > > The disassembly via capstone should be superior to our old vixl
> > > > > sources nowadays, so let's finally cut this old disassembler out
> > > > > of the QEMU source tree.
> > > > > 
> > > > > Signed-off-by: Thomas Huth 
> > > > 
> > > > agreed, one thought: at the time I added this thing, I had to
> > > > add C++ compilation support,
> > > > maybe something we can now drop if there are no more C++ users?
> > > 
> > > I thought about that, too, but we still have disas/nanomips.cpp left
> > > and the Windows-related files in qga/vss-win32/* .
> > 
> > That is pure C++ so it does not need the extra complication of "detect
> > whether the C and C++ compiler are ABI-compatible" (typically due to
> > different libasan/libtsan implementation between gcc and clang).  So
> > it's really just nanoMIPS that's left.
> 
> Ok, so the next theoretical question is: If we get rid of the nanomips.cpp
> file or convert it to plain C, would we then simplify the code in configure
> again (and forbid C++ for the main QEMU code), or would we rather keep the
> current settings in case we want to re-introduce more C++ code again in the
> future?

It doesn't feel very compelling to have just 1 source file that's
C++ in QEMU. I'm curious how we ended up with this nanomips.cpp
file - perhaps it originated from another project that was C++
based ?

The code itself doesn't look like it especially needs to be using
C++. There's just 1 class there and every method is associated
with that class, and external entry point from the rest of QEMU
is just one boring method. Feels like it could easily have been
done in C.

Personally I'd prefer it to be converted to C, and if we want to
add any C++ in future it should be justified & debated on its
merits, rather than as an artifact of any historical artifacts
such as the code in configure happening to still exist.

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




[PULL 18/55] target/arm: Move v8m_security_lookup to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This function has one private helper, v8m_is_sau_exempt,
so move that at the same time.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-12-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 123 --
 target/arm/ptw.c| 126 
 2 files changed, 126 insertions(+), 123 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 62e48f0925c..d6a749ad0ed 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9,7 +9,6 @@
 #include "qemu/osdep.h"
 #include "qemu/units.h"
 #include "qemu/log.h"
-#include "target/arm/idau.h"
 #include "trace.h"
 #include "cpu.h"
 #include "internals.h"
@@ -11693,128 +11692,6 @@ bool m_is_system_region(CPUARMState *env, uint32_t 
address)
 return arm_feature(env, ARM_FEATURE_M) && extract32(address, 29, 3) == 0x7;
 }
 
-static bool v8m_is_sau_exempt(CPUARMState *env,
-  uint32_t address, MMUAccessType access_type)
-{
-/* The architecture specifies that certain address ranges are
- * exempt from v8M SAU/IDAU checks.
- */
-return
-(access_type == MMU_INST_FETCH && m_is_system_region(env, address)) ||
-(address >= 0xe000 && address <= 0xe0002fff) ||
-(address >= 0xe000e000 && address <= 0xe000efff) ||
-(address >= 0xe002e000 && address <= 0xe002efff) ||
-(address >= 0xe004 && address <= 0xe0041fff) ||
-(address >= 0xe00ff000 && address <= 0xe00f);
-}
-
-void v8m_security_lookup(CPUARMState *env, uint32_t address,
-MMUAccessType access_type, ARMMMUIdx mmu_idx,
-V8M_SAttributes *sattrs)
-{
-/* Look up the security attributes for this address. Compare the
- * pseudocode SecurityCheck() function.
- * We assume the caller has zero-initialized *sattrs.
- */
-ARMCPU *cpu = env_archcpu(env);
-int r;
-bool idau_exempt = false, idau_ns = true, idau_nsc = true;
-int idau_region = IREGION_NOTVALID;
-uint32_t addr_page_base = address & TARGET_PAGE_MASK;
-uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);
-
-if (cpu->idau) {
-IDAUInterfaceClass *iic = IDAU_INTERFACE_GET_CLASS(cpu->idau);
-IDAUInterface *ii = IDAU_INTERFACE(cpu->idau);
-
-iic->check(ii, address, &idau_region, &idau_exempt, &idau_ns,
-   &idau_nsc);
-}
-
-if (access_type == MMU_INST_FETCH && extract32(address, 28, 4) == 0xf) {
-/* 0xf000..0x is always S for insn fetches */
-return;
-}
-
-if (idau_exempt || v8m_is_sau_exempt(env, address, access_type)) {
-sattrs->ns = !regime_is_secure(env, mmu_idx);
-return;
-}
-
-if (idau_region != IREGION_NOTVALID) {
-sattrs->irvalid = true;
-sattrs->iregion = idau_region;
-}
-
-switch (env->sau.ctrl & 3) {
-case 0: /* SAU.ENABLE == 0, SAU.ALLNS == 0 */
-break;
-case 2: /* SAU.ENABLE == 0, SAU.ALLNS == 1 */
-sattrs->ns = true;
-break;
-default: /* SAU.ENABLE == 1 */
-for (r = 0; r < cpu->sau_sregion; r++) {
-if (env->sau.rlar[r] & 1) {
-uint32_t base = env->sau.rbar[r] & ~0x1f;
-uint32_t limit = env->sau.rlar[r] | 0x1f;
-
-if (base <= address && limit >= address) {
-if (base > addr_page_base || limit < addr_page_limit) {
-sattrs->subpage = true;
-}
-if (sattrs->srvalid) {
-/* If we hit in more than one region then we must 
report
- * as Secure, not NS-Callable, with no valid region
- * number info.
- */
-sattrs->ns = false;
-sattrs->nsc = false;
-sattrs->sregion = 0;
-sattrs->srvalid = false;
-break;
-} else {
-if (env->sau.rlar[r] & 2) {
-sattrs->nsc = true;
-} else {
-sattrs->ns = true;
-}
-sattrs->srvalid = true;
-sattrs->sregion = r;
-}
-} else {
-/*
- * Address not in this region. We must check whether the
- * region covers addresses in the same page as our address.
- * In that case we must not report a size that covers the
- * whole page for a subsequent hit against a different MPU
- * region or the background region, because it would result
- * in incorrect TLB 

[PULL 00/55] target-arm queue

2022-06-09 Thread Peter Maydell
The following changes since commit 6d940eff4734bcb40b1a25f62d7cec5a396f994a:

  Merge tag 'pull-tpm-2022-06-07-1' of https://github.com/stefanberger/qemu-tpm 
into staging (2022-06-07 19:22:18 -0700)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git 
tags/pull-target-arm-20220609

for you to fetch changes up to 414c54d515dba16bfaef643a8acec200c05f229a:

  target/arm: Add ID_AA64SMFR0_EL1 (2022-06-08 19:38:59 +0100)


target-arm queue:
 * target/arm: Declare support for FEAT_RASv1p1
 * target/arm: Implement FEAT_DoubleFault
 * Fix 'writeable' typos
 * xlnx_dp: Implement vblank interrupt
 * target/arm: Move page-table-walk code to ptw.c
 * target/arm: Preparatory patches for SME support


Frederic Konrad (2):
  xlnx_dp: fix the wrong register size
  xlnx-zynqmp: fix the irq mapping for the display port and its dma

Peter Maydell (3):
  target/arm: Declare support for FEAT_RASv1p1
  target/arm: Implement FEAT_DoubleFault
  Fix 'writeable' typos

Richard Henderson (48):
  target/arm: Move stage_1_mmu_idx decl to internals.h
  target/arm: Move get_phys_addr to ptw.c
  target/arm: Move get_phys_addr_v5 to ptw.c
  target/arm: Move get_phys_addr_v6 to ptw.c
  target/arm: Move get_phys_addr_pmsav5 to ptw.c
  target/arm: Move get_phys_addr_pmsav7_default to ptw.c
  target/arm: Move get_phys_addr_pmsav7 to ptw.c
  target/arm: Move get_phys_addr_pmsav8 to ptw.c
  target/arm: Move pmsav8_mpu_lookup to ptw.c
  target/arm: Move pmsav7_use_background_region to ptw.c
  target/arm: Move v8m_security_lookup to ptw.c
  target/arm: Move m_is_{ppb,system}_region to ptw.c
  target/arm: Move get_level1_table_address to ptw.c
  target/arm: Move combine_cacheattrs and subroutines to ptw.c
  target/arm: Move get_phys_addr_lpae to ptw.c
  target/arm: Move arm_{ldl,ldq}_ptw to ptw.c
  target/arm: Move {arm_s1_, }regime_using_lpae_format to tlb_helper.c
  target/arm: Move arm_pamax, pamax_map into ptw.c
  target/arm: Move get_S1prot, get_S2prot to ptw.c
  target/arm: Move check_s2_mmu_setup to ptw.c
  target/arm: Move aa32_va_parameters to ptw.c
  target/arm: Move ap_to_tw_prot etc to ptw.c
  target/arm: Move regime_is_user to ptw.c
  target/arm: Move regime_ttbr to ptw.c
  target/arm: Move regime_translation_disabled to ptw.c
  target/arm: Move arm_cpu_get_phys_page_attrs_debug to ptw.c
  target/arm: Move stage_1_mmu_idx, arm_stage1_mmu_idx to ptw.c
  target/arm: Pass CPUARMState to arm_ld[lq]_ptw
  target/arm: Rename TBFLAG_A64 ZCR_LEN to VL
  linux-user/aarch64: Introduce sve_vq
  target/arm: Remove route_to_el2 check from sve_exception_el
  target/arm: Remove fp checks from sve_exception_el
  target/arm: Add el_is_in_host
  target/arm: Use el_is_in_host for sve_zcr_len_for_el
  target/arm: Use el_is_in_host for sve_exception_el
  target/arm: Hoist arm_is_el2_enabled check in sve_exception_el
  target/arm: Do not use aarch64_sve_zcr_get_valid_len in reset
  target/arm: Merge aarch64_sve_zcr_get_valid_len into caller
  target/arm: Use uint32_t instead of bitmap for sve vq's
  target/arm: Rename sve_zcr_len_for_el to sve_vqm1_for_el
  target/arm: Split out load/store primitives to sve_ldst_internal.h
  target/arm: Export sve contiguous ldst support functions
  target/arm: Move expand_pred_b to vec_internal.h
  target/arm: Use expand_pred_b in mve_helper.c
  target/arm: Move expand_pred_h to vec_internal.h
  target/arm: Export bfdotadd from vec_helper.c
  target/arm: Add isar_feature_aa64_sme
  target/arm: Add ID_AA64SMFR0_EL1

Sai Pavan Boddu (2):
  xlnx_dp: Introduce a vblank signal
  xlnx_dp: Fix the interrupt disable logic

 docs/interop/vhost-user.rst   |2 +-
 docs/specs/vmgenid.txt|4 +-
 docs/system/arm/emulation.rst |2 +
 hw/scsi/mfi.h |2 +-
 include/hw/display/xlnx_dp.h  |   12 +-
 linux-user/aarch64/target_prctl.h |   20 +-
 target/arm/cpu.h  |   66 +-
 target/arm/internals.h|   45 +-
 target/arm/kvm_arm.h  |7 +-
 target/arm/sve_ldst_internal.h|  221 +++
 target/arm/translate-a64.h|2 +-
 target/arm/translate.h|2 +-
 target/arm/vec_internal.h |   28 +-
 target/i386/hvf/vmcs.h|2 +-
 target/i386/hvf/vmx.h |2 +-
 accel/hvf/hvf-accel-ops.c |4 +-
 accel/kvm/kvm-all.c   |4 +-
 accel/tcg/user-exec.c |6 +-
 hw/acpi/ghes.c|2 +-
 hw/arm/xlnx-zynqmp.c  |4 +-
 hw/display/xlnx_dp.c  |   49 +-
 hw/intc/arm_gicv3_cpuif.c |2 +-
 hw/intc/arm_

[PULL 02/55] target/arm: Implement FEAT_DoubleFault

2022-06-09 Thread Peter Maydell
The FEAT_DoubleFault extension adds the following:

 * All external aborts on instruction fetches and translation table
   walks for instruction fetches must be synchronous.  For QEMU this
   is already true.

 * SCR_EL3 has a new bit NMEA which disables the masking of SError
   interrupts by PSTATE.A when the SError interrupt is taken to EL3.
   For QEMU we only need to make the bit writable, because we have no
   sources of SError interrupts.

 * SCR_EL3 has a new bit EASE which causes synchronous external
   aborts taken to EL3 to be taken at the same entry point as SError.
   (Note that this does not mean that they are SErrors for purposes
   of PSTATE.A masking or that the syndrome register reports them as
   SErrors: it just means that the vector offset is different.)

 * The existing SCTLR_EL3.IESB has an effective value of 1 when
   SCR_EL3.NMEA is 1.  For QEMU this is a no-op because we don't need
   different behaviour based on IESB (we don't need to do anything to
   ensure that error exceptions are synchronized).

So for QEMU the things we need to change are:
 * Make SCR_EL3.{NMEA,EASE} writable
 * When taking a synchronous external abort at EL3, adjust the
   vector entry point if SCR_EL3.EASE is set
 * Advertise the feature in the ID registers

Signed-off-by: Peter Maydell 
Reviewed-by: Richard Henderson 
Message-id: 20220531151431.949322-1-peter.mayd...@linaro.org
---
 docs/system/arm/emulation.rst |  1 +
 target/arm/cpu.h  |  5 +
 target/arm/cpu64.c|  4 ++--
 target/arm/helper.c   | 36 +++
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index 81467f02ce9..83b44100659 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -23,6 +23,7 @@ the following architecture extensions:
 - FEAT_Debugv8p2 (Debug changes for v8.2)
 - FEAT_Debugv8p4 (Debug changes for v8.4)
 - FEAT_DotProd (Advanced SIMD dot product instructions)
+- FEAT_DoubleFault (Double Fault Extension)
 - FEAT_FCMA (Floating-point complex number instructions)
 - FEAT_FHM (Floating-point half-precision multiplication instructions)
 - FEAT_FP16 (Half-precision floating-point data processing)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index c1865ad5dad..0ee1705a4fa 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -3952,6 +3952,11 @@ static inline bool isar_feature_aa64_ras(const 
ARMISARegisters *id)
 return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RAS) != 0;
 }
 
+static inline bool isar_feature_aa64_doublefault(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RAS) >= 2;
+}
+
 static inline bool isar_feature_aa64_sve(const ARMISARegisters *id)
 {
 return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SVE) != 0;
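Review bot: isar_feature_aa64_doublefault() reads the same ID_AA64PFR0.RAS field as isar_feature_aa64_ras() just above it, with only the threshold changed and no comment explaining why `>= 2` is the right test. Since this series also moves the 'max' CPU from RAS=1/RAS_FRAC=1 to RAS=2/RAS_FRAC=0, a one-line comment stating that RASv1p1 advertised through RAS_FRAC alone does not satisfy this helper would save the next reader a trip to the architecture manual.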
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index bd1c62a3428..cce68dd82a2 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -899,7 +899,7 @@ static void aarch64_max_initfn(Object *obj)
 t = cpu->isar.id_aa64pfr0;
 t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);/* FEAT_FP16 */
 t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
-t = FIELD_DP64(t, ID_AA64PFR0, RAS, 1);   /* FEAT_RAS */
+t = FIELD_DP64(t, ID_AA64PFR0, RAS, 2);   /* FEAT_RASv1p1 + 
FEAT_DoubleFault */
 t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);  /* FEAT_SEL2 */
 t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);   /* FEAT_DIT */
@@ -916,7 +916,7 @@ static void aarch64_max_initfn(Object *obj)
  * we do for EL2 with the virtualization=on property.
  */
 t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);   /* FEAT_MTE3 */
-t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 1);  /* FEAT_RASv1p1 */
+t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + 
FEAT_DoubleFault */
 t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
 cpu->isar.id_aa64pfr1 = t;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 40da63913c9..7f2c14bea94 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -1776,6 +1776,9 @@ static void scr_write(CPUARMState *env, const 
ARMCPRegInfo *ri, uint64_t value)
 if (cpu_isar_feature(aa64_scxtnum, cpu)) {
 valid_mask |= SCR_ENSCXT;
 }
+if (cpu_isar_feature(aa64_doublefault, cpu)) {
+valid_mask |= SCR_EASE | SCR_NMEA;
+}
 } else {
 valid_mask &= ~(SCR_RW | SCR_ST);
 if (cpu_isar_feature(aa32_ras, cpu)) {
@@ -10113,6 +10116,31 @@ static uint32_t cpsr_read_for_spsr_elx(CPUARMState 
*env)
 return ret;
 }
 
+static bool syndrome_is_sync_extabt(uint32_t syndrome)
+{
+/* Return true if this syndrome value is a synchronous external abort */
+switch (syn_get_ec(syndrome)) {
+case EC_INSNABORT:
+case EC_INSNABORT_SAME_EL:
+case EC_DATAABORT:
+case EC_DATAABORT_SAME_EL:
+/* Look at 

[PULL 05/55] xlnx_dp: Introduce a vblank signal

2022-06-09 Thread Peter Maydell
From: Sai Pavan Boddu 

Add a periodic timer which raises vblank at a frequency of 30Hz.

Note that this is a migration compatibility break for the
xlnx-zcu102 board type.

Signed-off-by: Sai Pavan Boddu 
Signed-off-by: Edgar E. Iglesias 
Signed-off-by: Frederic Konrad 
Acked-by: Alistair Francis 
Message-id: 20220601172353.3220232-3-fkon...@xilinx.com
Changes by fkonrad:
  - Switched to transaction-based ptimer API.
  - Added the DP_INT_VBLNK_START macro.
Signed-off-by: Frederic Konrad 
[PMM: bump vmstate version, add commit message note about
 compat break]
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 include/hw/display/xlnx_dp.h |  3 +++
 hw/display/xlnx_dp.c | 30 ++
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/include/hw/display/xlnx_dp.h b/include/hw/display/xlnx_dp.h
index 1ef5a89ee74..e86a87f235e 100644
--- a/include/hw/display/xlnx_dp.h
+++ b/include/hw/display/xlnx_dp.h
@@ -35,6 +35,7 @@
 #include "hw/dma/xlnx_dpdma.h"
 #include "audio/audio.h"
 #include "qom/object.h"
+#include "hw/ptimer.h"
 
 #define AUD_CHBUF_MAX_DEPTH (32 * KiB)
 #define MAX_QEMU_BUFFER_SIZE(4 * KiB)
@@ -107,6 +108,8 @@ struct XlnxDPState {
  */
 DPCDState *dpcd;
 I2CDDCState *edid;
+
+ptimer_state *vblank;
 };
 
 #define TYPE_XLNX_DP "xlnx.v-dp"
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index 0378570459d..ed856b596da 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -114,6 +114,7 @@
 #define DP_TX_N_AUD (0x032C >> 2)
 #define DP_TX_AUDIO_EXT_DATA(n) ((0x0330 + 4 * n) >> 2)
 #define DP_INT_STATUS   (0x03A0 >> 2)
+#define DP_INT_VBLNK_START  (1 << 13)
 #define DP_INT_MASK (0x03A4 >> 2)
 #define DP_INT_EN   (0x03A8 >> 2)
 #define DP_INT_DS   (0x03AC >> 2)
@@ -260,7 +261,7 @@ typedef enum DPVideoFmt DPVideoFmt;
 
 static const VMStateDescription vmstate_dp = {
 .name = TYPE_XLNX_DP,
-.version_id = 1,
+.version_id = 2,
 .fields = (VMStateField[]){
 VMSTATE_UINT32_ARRAY(core_registers, XlnxDPState,
  DP_CORE_REG_ARRAY_SIZE),
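Review bot: `.version_id` is bumped to 2 for the new ptimer field, but the visible initializer goes straight from `.version_id` to `.fields` with no `.minimum_version_id`, so a version 1 stream is still accepted and will then be parsed against a field list it does not match. If the compatibility break described in the commit message is intended, set `.minimum_version_id = 2` as well so the old stream is rejected up front with a clear error.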
@@ -270,10 +271,15 @@ static const VMStateDescription vmstate_dp = {
  DP_VBLEND_REG_ARRAY_SIZE),
 VMSTATE_UINT32_ARRAY(audio_registers, XlnxDPState,
  DP_AUDIO_REG_ARRAY_SIZE),
+VMSTATE_PTIMER(vblank, XlnxDPState),
 VMSTATE_END_OF_LIST()
 }
 };
 
+#define DP_VBLANK_PTIMER_POLICY (PTIMER_POLICY_WRAP_AFTER_ONE_PERIOD | \
+ PTIMER_POLICY_CONTINUOUS_TRIGGER |\
+ PTIMER_POLICY_NO_IMMEDIATE_TRIGGER)
+
 static void xlnx_dp_update_irq(XlnxDPState *s);
 
 static uint64_t xlnx_dp_audio_read(void *opaque, hwaddr offset, unsigned size)
@@ -773,6 +779,13 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, 
uint64_t value,
 break;
 case DP_TRANSMITTER_ENABLE:
 s->core_registers[offset] = value & 0x01;
+ptimer_transaction_begin(s->vblank);
+if (value & 0x1) {
+ptimer_run(s->vblank, 0);
+} else {
+ptimer_stop(s->vblank);
+}
+ptimer_transaction_commit(s->vblank);
 break;
 case DP_FORCE_SCRAMBLER_RESET:
 /*
@@ -1177,9 +1190,6 @@ static void xlnx_dp_update_display(void *opaque)
 return;
 }
 
-s->core_registers[DP_INT_STATUS] |= (1 << 13);
-xlnx_dp_update_irq(s);
-
 xlnx_dpdma_trigger_vsync_irq(s->dpdma);
 
 /*
@@ -1275,6 +1285,14 @@ static void xlnx_dp_finalize(Object *obj)
 fifo8_destroy(&s->rx_fifo);
 }
 
+static void vblank_hit(void *opaque)
+{
+XlnxDPState *s = XLNX_DP(opaque);
+
+s->core_registers[DP_INT_STATUS] |= DP_INT_VBLNK_START;
+xlnx_dp_update_irq(s);
+}
+
 static void xlnx_dp_realize(DeviceState *dev, Error **errp)
 {
 XlnxDPState *s = XLNX_DP(dev);
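Review bot: xlnx_dp_finalize(), visible as context at the top of this hunk, still only tears down the FIFOs, and no hunk in this patch adds a ptimer_free() for the `vblank` timer that xlnx_dp_realize() now allocates. Please release the timer on the teardown path, and check that xlnx_dp_reset() stops it, since the only ptimer_stop() added is the guest-driven one in the DP_TRANSMITTER_ENABLE write handler.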
@@ -1309,6 +1327,10 @@ static void xlnx_dp_realize(DeviceState *dev, Error 
**errp)
&as);
 AUD_set_volume_out(s->amixer_output_stream, 0, 255, 255);
 xlnx_dp_audio_activate(s);
+s->vblank = ptimer_init(vblank_hit, s, DP_VBLANK_PTIMER_POLICY);
+ptimer_transaction_begin(s->vblank);
+ptimer_set_freq(s->vblank, 30);
+ptimer_transaction_commit(s->vblank);
 }
 
 static void xlnx_dp_reset(DeviceState *dev)
-- 
2.25.1




[PULL 01/55] target/arm: Declare support for FEAT_RASv1p1

2022-06-09 Thread Peter Maydell
The architectural feature RASv1p1 introduces the following new
features:
 * new registers ERXPFGCDN_EL1, ERXPFGCTL_EL1 and ERXPFGF_EL1
 * new bits in the fine-grained trap registers that control traps
   for these new registers
 * new trap bits HCR_EL2.FIEN and SCR_EL3.FIEN that control traps
   for ERXPFGCDN_EL1, ERXPFGCTL_EL1, ERXPFGP_EL1
 * a larger number of the ERXMISC_EL1 registers
 * the format of ERRSTATUS registers changes

The architecture permits that if ERRIDR_EL1.NUM is 0 (as it is for
QEMU) then all these new registers may UNDEF, and the HCR_EL2.FIEN
and SCR_EL3.FIEN bits may be RES0.  We don't have any ERRSTATUS
registers (again, because ERRIDR_EL1.NUM is 0).  QEMU does not yet
implement the fine-grained-trap extension.  So there is nothing we
need to implement to be compliant with the feature spec.  Make the
'max' CPU report the feature in its ID registers, and document it.

Signed-off-by: Peter Maydell 
Reviewed-by: Richard Henderson 
Message-id: 20220531114258.855804-1-peter.mayd...@linaro.org
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c| 1 +
 2 files changed, 2 insertions(+)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index 49cc3e8340e..81467f02ce9 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -52,6 +52,7 @@ the following architecture extensions:
 - FEAT_PMUv3p1 (PMU Extensions v3.1)
 - FEAT_PMUv3p4 (PMU Extensions v3.4)
 - FEAT_RAS (Reliability, availability, and serviceability)
+- FEAT_RASv1p1 (RAS Extension v1.1)
 - FEAT_RDM (Advanced SIMD rounding double multiply accumulate instructions)
 - FEAT_RNG (Random number generator)
 - FEAT_S2FWB (Stage 2 forced Write-Back)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index 3ff9219ca3b..bd1c62a3428 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -916,6 +916,7 @@ static void aarch64_max_initfn(Object *obj)
  * we do for EL2 with the virtualization=on property.
  */
 t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);   /* FEAT_MTE3 */
+t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 1);  /* FEAT_RASv1p1 */
 t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
 cpu->isar.id_aa64pfr1 = t;
 
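Review bot: the RAS_FRAC line in aarch64_max_initfn records only the feature name, while the reason no register or trap code accompanies it (ERRIDR_EL1.NUM is 0, so the new registers may UNDEF and the FIEN bits may be RES0) lives only in the commit message. A one-line comment next to the field saying that this advertisement depends on ERRIDR_EL1.NUM being 0 would flag the dependency to whoever later adds error records. The commit message also names ERXPFGF_EL1 in its first bullet and ERXPFGP_EL1 in its third; the two should agree.
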
-- 
2.25.1




[PULL 11/55] target/arm: Move get_phys_addr_v6 to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-5-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  11 +--
 target/arm/helper.c | 161 +---
 target/arm/ptw.c| 153 +
 3 files changed, 161 insertions(+), 164 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 2dbd97b8cbf..349b842d3ce 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -25,15 +25,18 @@ bool get_level1_table_address(CPUARMState *env, ARMMMUIdx 
mmu_idx,
   uint32_t *table, uint32_t address);
 int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
   int ap, int domain_prot);
+int simple_ap_to_rw_prot_is_user(int ap, bool is_user);
+
+static inline int
+simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
+{
+return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
+}
 
 bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, int *prot,
   ARMMMUFaultInfo *fi);
-bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-  target_ulong *page_size, ARMMMUFaultInfo *fi);
 bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, int *prot,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 321716914b1..4a588220250 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10631,7 +10631,7 @@ int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
int ap, int domain_prot)
  * @ap:  The 2-bit simple AP (AP[2:1])
  * @is_user: TRUE if accessing from PL0
  */
-static inline int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
+int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
 {
 switch (ap) {
 case 0:
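
Review bot: dropping static inline from simple_ap_to_rw_prot_is_user is a linkage change, not code movement, and the commit message has no body to explain it. A sentence saying that the function is exported because the simple_ap_to_rw_prot wrapper now lives in ptw.h, and that no functional change is intended, would let a reader skip re-verifying the roughly 160 moved lines.
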
@@ -10647,12 +10647,6 @@ static inline int simple_ap_to_rw_prot_is_user(int ap, 
bool is_user)
 }
 }
 
-static inline int
-simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
-{
-return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
-}
-
 /* Translate S2 section/page access permissions to protection flags
  *
  * @env: CPUARMState
@@ -10939,159 +10933,6 @@ uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool 
is_secure,
 return 0;
 }
 
-bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-  target_ulong *page_size, ARMMMUFaultInfo *fi)
-{
-CPUState *cs = env_cpu(env);
-ARMCPU *cpu = env_archcpu(env);
-int level = 1;
-uint32_t table;
-uint32_t desc;
-uint32_t xn;
-uint32_t pxn = 0;
-int type;
-int ap;
-int domain = 0;
-int domain_prot;
-hwaddr phys_addr;
-uint32_t dacr;
-bool ns;
-
-/* Pagetable walk.  */
-/* Lookup l1 descriptor.  */
-if (!get_level1_table_address(env, mmu_idx, &table, address)) {
-/* Section translation fault if page walk is disabled by PD0 or PD1 */
-fi->type = ARMFault_Translation;
-goto do_fault;
-}
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
-   mmu_idx, fi);
-if (fi->type != ARMFault_None) {
-goto do_fault;
-}
-type = (desc & 3);
-if (type == 0 || (type == 3 && !cpu_isar_feature(aa32_pxn, cpu))) {
-/* Section translation fault, or attempt to use the encoding
- * which is Reserved on implementations without PXN.
- */
-fi->type = ARMFault_Translation;
-goto do_fault;
-}
-if ((type == 1) || !(desc & (1 << 18))) {
-/* Page or Section.  */
-domain = (desc >> 5) & 0x0f;
-}
-if (regime_el(env, mmu_idx) == 1) {
-dacr = env->cp15.dacr_ns;
-} else {
-dacr = env->cp15.dacr_s;
-}
-if (type == 1) {
-level = 2;
-}
-domain_prot = (dacr >> (domain * 2)) & 3;
-if (domain_prot == 0 || domain_prot == 2) {
-/* Section or Page domain fault */
-fi->type = ARMFault_Domain;
-goto do_fault;
-}
-if (type != 1) {
-if (desc & (1 << 18)) {
-/* Supersection.  */
-phys_addr = (desc & 0xff00) | (address & 0x00ff);
-phys_addr |= (uint64_t)extract32(desc, 20, 4) << 32;
-phys_addr |= (uint64_t)extract32(desc, 5, 4) << 36;
-*page_size = 0x100;
-} else {
-/* Section.  */
-phys_addr = (desc & 0xfff

[PULL 04/55] xlnx_dp: fix the wrong register size

2022-06-09 Thread Peter Maydell
From: Frederic Konrad 

The core and the vblend register sizes are wrong; they should be 0x3B0 and
0x1E0 respectively, according to:
  https://www.xilinx.com/htmldocs/registers/ug1087/ug1087-zynq-ultrascale-registers.html

Let's fix that and use macros when creating the mmio region.

Fixes: 58ac482a66d ("introduce xlnx-dp")
Signed-off-by: Frederic Konrad 
Reviewed-by: Edgar E. Iglesias 
Acked-by: Alistair Francis 
Message-id: 20220601172353.3220232-2-fkon...@xilinx.com
Signed-off-by: Peter Maydell 
---
 include/hw/display/xlnx_dp.h |  9 +++--
 hw/display/xlnx_dp.c | 17 ++---
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/include/hw/display/xlnx_dp.h b/include/hw/display/xlnx_dp.h
index 8ab4733bb85..1ef5a89ee74 100644
--- a/include/hw/display/xlnx_dp.h
+++ b/include/hw/display/xlnx_dp.h
@@ -39,10 +39,15 @@
 #define AUD_CHBUF_MAX_DEPTH (32 * KiB)
 #define MAX_QEMU_BUFFER_SIZE(4 * KiB)
 
-#define DP_CORE_REG_ARRAY_SIZE  (0x3AF >> 2)
+#define DP_CORE_REG_OFFSET  (0x)
+#define DP_CORE_REG_ARRAY_SIZE  (0x3B0 >> 2)
+#define DP_AVBUF_REG_OFFSET (0xB000)
 #define DP_AVBUF_REG_ARRAY_SIZE (0x238 >> 2)
-#define DP_VBLEND_REG_ARRAY_SIZE(0x1DF >> 2)
+#define DP_VBLEND_REG_OFFSET(0xA000)
+#define DP_VBLEND_REG_ARRAY_SIZE(0x1E0 >> 2)
+#define DP_AUDIO_REG_OFFSET (0xC000)
 #define DP_AUDIO_REG_ARRAY_SIZE (0x50 >> 2)
+#define DP_CONTAINER_SIZE   (0xC050)
 
 struct PixmanPlane {
 pixman_format_code_t format;
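
Review bot: DP_CONTAINER_SIZE is a second literal that has to stay in step with the macros above it; 0xC050 is DP_AUDIO_REG_OFFSET (0xC000) plus the 0x50 bytes behind DP_AUDIO_REG_ARRAY_SIZE. Deriving it from those, or adding a comment that states the relationship, would prevent the kind of off-by-one this patch fixes (0x3AF, 0x1DF) from reappearing if the audio block grows. The *_ARRAY_SIZE macros also bake in 4-byte registers through >> 2, which deserves a one-line comment.
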
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index 9bb781e3125..0378570459d 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -1219,19 +1219,22 @@ static void xlnx_dp_init(Object *obj)
 SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 XlnxDPState *s = XLNX_DP(obj);
 
-memory_region_init(&s->container, obj, TYPE_XLNX_DP, 0xC050);
+memory_region_init(&s->container, obj, TYPE_XLNX_DP, DP_CONTAINER_SIZE);
 
 memory_region_init_io(&s->core_iomem, obj, &dp_ops, s, TYPE_XLNX_DP
-  ".core", 0x3AF);
-memory_region_add_subregion(&s->container, 0x, &s->core_iomem);
+  ".core", sizeof(s->core_registers));
+memory_region_add_subregion(&s->container, DP_CORE_REG_OFFSET,
+&s->core_iomem);
 
 memory_region_init_io(&s->vblend_iomem, obj, &vblend_ops, s, TYPE_XLNX_DP
-  ".v_blend", 0x1DF);
-memory_region_add_subregion(&s->container, 0xA000, &s->vblend_iomem);
+  ".v_blend", sizeof(s->vblend_registers));
+memory_region_add_subregion(&s->container, DP_VBLEND_REG_OFFSET,
+&s->vblend_iomem);
 
 memory_region_init_io(&s->avbufm_iomem, obj, &avbufm_ops, s, TYPE_XLNX_DP
-  ".av_buffer_manager", 0x238);
-memory_region_add_subregion(&s->container, 0xB000, &s->avbufm_iomem);
+  ".av_buffer_manager", sizeof(s->avbufm_registers));
+memory_region_add_subregion(&s->container, DP_AVBUF_REG_OFFSET,
+&s->avbufm_iomem);
 
 memory_region_init_io(&s->audio_iomem, obj, &audio_ops, s, TYPE_XLNX_DP
   ".audio", sizeof(s->audio_registers));
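
Review bot: the audio region is left out of the conversion. The hunk ends at the audio memory_region_init_io call, so the memory_region_add_subregion line that follows it is unchanged and cannot be using DP_AUDIO_REG_OFFSET, which this patch introduces. Convert it in the same patch so all four subregions are placed through the macros. The region sizes now come from sizeof(s->core_registers) and friends, which matches 0x3B0, 0x1E0 and 0x238 only if the arrays hold 4-byte elements sized by the *_REG_ARRAY_SIZE macros; the declarations are outside the hunk, so confirm that.
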
-- 
2.25.1




[PULL 03/55] Fix 'writeable' typos

2022-06-09 Thread Peter Maydell
We have about 30 instances of the typo/variant spelling 'writeable',
and over 500 of the more common 'writable'.  Standardize on the
latter.

Change produced with:

  sed -i -e 's/\([Ww][Rr][Ii][Tt]\)[Ee]\([Aa][Bb][Ll][Ee]\)/\1\2/g' $(git grep -il writeable)

and then hand-undoing the instance in linux-headers/linux/kvm.h.

Most of these changes are in comments or documentation; the
exceptions are:
 * a local variable in accel/hvf/hvf-accel-ops.c
 * a local variable in accel/kvm/kvm-all.c
 * the PMCR_WRITABLE_MASK macro in target/arm/internals.h
 * the EPT_VIOLATION_GPA_WRITABLE macro in target/i386/hvf/vmcs.h
   (which is never used anywhere)
 * the AR_TYPE_WRITABLE_MASK macro in target/i386/hvf/vmx.h
   (which is never used anywhere)

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Stefan Weil 
Message-id: 20220505095015.2714666-1-peter.mayd...@linaro.org
---
 docs/interop/vhost-user.rst| 2 +-
 docs/specs/vmgenid.txt | 4 ++--
 hw/scsi/mfi.h  | 2 +-
 target/arm/internals.h | 4 ++--
 target/i386/hvf/vmcs.h | 2 +-
 target/i386/hvf/vmx.h  | 2 +-
 accel/hvf/hvf-accel-ops.c  | 4 ++--
 accel/kvm/kvm-all.c| 4 ++--
 accel/tcg/user-exec.c  | 6 +++---
 hw/acpi/ghes.c | 2 +-
 hw/intc/arm_gicv3_cpuif.c  | 2 +-
 hw/intc/arm_gicv3_dist.c   | 2 +-
 hw/intc/arm_gicv3_redist.c | 4 ++--
 hw/intc/riscv_aclint.c | 2 +-
 hw/intc/riscv_aplic.c  | 2 +-
 hw/pci/shpc.c  | 2 +-
 hw/sparc64/sun4u_iommu.c   | 2 +-
 hw/timer/sse-timer.c   | 2 +-
 target/arm/gdbstub.c   | 2 +-
 target/arm/helper.c| 4 ++--
 target/arm/hvf/hvf.c   | 4 ++--
 target/i386/cpu-sysemu.c   | 2 +-
 target/s390x/ioinst.c  | 2 +-
 python/qemu/machine/machine.py | 2 +-
 tests/tcg/x86_64/system/boot.S | 2 +-
 25 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/docs/interop/vhost-user.rst b/docs/interop/vhost-user.rst
index a99ba4433ce..d7cf904f7fe 100644
--- a/docs/interop/vhost-user.rst
+++ b/docs/interop/vhost-user.rst
@@ -222,7 +222,7 @@ Virtio device config space
 :size: a 32-bit configuration space access size in bytes
 
 :flags: a 32-bit value:
-  - 0: Vhost front-end messages used for writeable fields
+  - 0: Vhost front-end messages used for writable fields
   - 1: Vhost front-end messages used for live migration
 
 :payload: Size bytes array holding the contents of the virtio
diff --git a/docs/specs/vmgenid.txt b/docs/specs/vmgenid.txt
index aa9f5186767..80ff69f31cc 100644
--- a/docs/specs/vmgenid.txt
+++ b/docs/specs/vmgenid.txt
@@ -153,7 +153,7 @@ change the contents of the memory at runtime, specifically 
when starting a
 backed-up or snapshotted image.  In order to do this, QEMU must know the
 address that has been allocated.
 
-The mechanism chosen for this memory sharing is writeable fw_cfg blobs.
+The mechanism chosen for this memory sharing is writable fw_cfg blobs.
 These are data object that are visible to both QEMU and guests, and are
 addressable as sequential files.
 
@@ -164,7 +164,7 @@ Two fw_cfg blobs are used in this case:
 /etc/vmgenid_guid - contains the actual VM Generation ID GUID
   - read-only to the guest
 /etc/vmgenid_addr - contains the address of the downloaded vmgenid blob
-  - writeable by the guest
+  - writable by the guest
 
 
 QEMU sends the following commands to the guest at startup:
diff --git a/hw/scsi/mfi.h b/hw/scsi/mfi.h
index e67a5c0b477..0b4ee53dfc0 100644
--- a/hw/scsi/mfi.h
+++ b/hw/scsi/mfi.h
@@ -633,7 +633,7 @@ struct mfi_ctrl_props {
   * metadata and user data
   * 1=5%, 2=10%, 3=15% and so on
   */
-uint8_t viewSpace;   /* snapshot writeable VIEWs
+uint8_t viewSpace;   /* snapshot writable VIEWs
   * capacity as a % of source LD
   * capacity. 0=READ only
   * 1=5%, 2=10%, 3=15% and so on
diff --git a/target/arm/internals.h b/target/arm/internals.h
index b654bee4682..1e4887b2dd3 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1280,10 +1280,10 @@ enum MVEECIState {
 #define PMCRP   0x2
 #define PMCRE   0x1
 /*
- * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
+ * Mask of PMCR bits writable by guest (not including WO bits like C, P,
  * which can be written as 1 to trigger behaviour but which stay RAZ).
  */
-#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
+#define PMCR_WRITABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
 
 #define PMXEVTYPER_P  0x8000
 #define PMXEVTYPER_U  0x4000
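
Review bot: the PMCR_WRITEABLE_MASK to PMCR_WRITABLE_MASK rename is an identifier change produced by a sed run aimed mostly at comments, so every user has to be renamed in this same commit for the tree to build at this point in the series. The diffstat shows 4 changed lines each in target/arm/helper.c and target/arm/hvf/hvf.c, which is presumably where the users are, but those hunks are cut off in this copy; a git grep for the old spelling after applying the patch is the quick check.
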
diff --git a/target/i386/hvf/vmcs.h b/target/i386/hvf/vmcs.h
index 42de7ebc3af..b4692f63f65 100644
--- a/target/i386/hvf/vmcs.h
+++ b/target/i386/hvf/vmcs.h
@@ -330,7 +330,7 @@
 #

[PULL 06/55] xlnx_dp: Fix the interrupt disable logic

2022-06-09 Thread Peter Maydell
From: Sai Pavan Boddu 

Fix interrupt disable logic. Mask value 1 indicates that interrupts are
disabled.

Signed-off-by: Sai Pavan Boddu 
Reviewed-by: Edgar E. Iglesias 
Signed-off-by: Frederic Konrad 
Acked-by: Alistair Francis 
Message-id: 20220601172353.3220232-4-fkon...@xilinx.com
Signed-off-by: Peter Maydell 
---
 hw/display/xlnx_dp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index ed856b596da..a071c818833 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -889,7 +889,7 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, 
uint64_t value,
 xlnx_dp_update_irq(s);
 break;
 case DP_INT_DS:
-s->core_registers[DP_INT_MASK] |= ~value;
+s->core_registers[DP_INT_MASK] |= value;
 xlnx_dp_update_irq(s);
 break;
 default:
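
Review bot: in the DP_INT_DS case value is OR-ed into DP_INT_MASK with no filtering, so unless xlnx_dp_write masks it before the switch (not visible in this hunk) a guest write can set mask bits that correspond to no interrupt source. If the register has reserved bits, AND value with the set of implemented interrupt bits before the OR. The enable case sits just above the hunk and is not shown; it should be the mirror image, clearing bits with &= ~value. Since this corrects earlier behaviour, a Fixes: tag like the one on 04/55 would help.
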
-- 
2.25.1




[PULL 12/55] target/arm: Move get_phys_addr_pmsav5 to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-6-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  4 ---
 target/arm/helper.c | 85 -
 target/arm/ptw.c| 85 +
 3 files changed, 85 insertions(+), 89 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 349b842d3ce..324a9dde140 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -33,10 +33,6 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
int ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
-bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  ARMMMUFaultInfo *fi);
 bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, int *prot,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 4a588220250..5d010190108 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12274,91 +12274,6 @@ bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t 
address,
 return ret;
 }
 
-bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  ARMMMUFaultInfo *fi)
-{
-int n;
-uint32_t mask;
-uint32_t base;
-bool is_user = regime_is_user(env, mmu_idx);
-
-if (regime_translation_disabled(env, mmu_idx)) {
-/* MPU disabled.  */
-*phys_ptr = address;
-*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-return false;
-}
-
-*phys_ptr = address;
-for (n = 7; n >= 0; n--) {
-base = env->cp15.c6_region[n];
-if ((base & 1) == 0) {
-continue;
-}
-mask = 1 << ((base >> 1) & 0x1f);
-/* Keep this shift separate from the above to avoid an
-   (undefined) << 32.  */
-mask = (mask << 1) - 1;
-if (((base ^ address) & ~mask) == 0) {
-break;
-}
-}
-if (n < 0) {
-fi->type = ARMFault_Background;
-return true;
-}
-
-if (access_type == MMU_INST_FETCH) {
-mask = env->cp15.pmsav5_insn_ap;
-} else {
-mask = env->cp15.pmsav5_data_ap;
-}
-mask = (mask >> (n * 4)) & 0xf;
-switch (mask) {
-case 0:
-fi->type = ARMFault_Permission;
-fi->level = 1;
-return true;
-case 1:
-if (is_user) {
-fi->type = ARMFault_Permission;
-fi->level = 1;
-return true;
-}
-*prot = PAGE_READ | PAGE_WRITE;
-break;
-case 2:
-*prot = PAGE_READ;
-if (!is_user) {
-*prot |= PAGE_WRITE;
-}
-break;
-case 3:
-*prot = PAGE_READ | PAGE_WRITE;
-break;
-case 5:
-if (is_user) {
-fi->type = ARMFault_Permission;
-fi->level = 1;
-return true;
-}
-*prot = PAGE_READ;
-break;
-case 6:
-*prot = PAGE_READ;
-break;
-default:
-/* Bad permission.  */
-fi->type = ARMFault_Permission;
-fi->level = 1;
-return true;
-}
-*prot |= PAGE_EXEC;
-return false;
-}
-
 /* Combine either inner or outer cacheability attributes for normal
  * memory, according to table D4-42 and pseudocode procedure
  * CombineS1S2AttrHints() of ARM DDI 0487B.b (the ARMv8 ARM).
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 6a1f4b549d8..5c32648a16a 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -289,6 +289,91 @@ do_fault:
 return true;
 }
 
+static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
+ MMUAccessType access_type, ARMMMUIdx mmu_idx,
+ hwaddr *phys_ptr, int *prot,
+ ARMMMUFaultInfo *fi)
+{
+int n;
+uint32_t mask;
+uint32_t base;
+bool is_user = regime_is_user(env, mmu_idx);
+
+if (regime_translation_disabled(env, mmu_idx)) {
+/* MPU disabled.  */
+*phys_ptr = address;
+*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+return false;
+}
+
+*phys_ptr = address;
+for (n = 7; n >= 0; n--) {
+base = env->cp15.c6_region[n];
+if ((base & 1) == 0) {
+continue;
+}
+mask = 1 << ((base >> 1) & 0x1f);
+/* Keep this shift separate from the above to avoid an
+   (undefined) << 32.  */
+mask = (mask << 1) - 1;
+if (((base ^ address) & ~mask) == 0) {
+break;
+}
+}
+if (n < 
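
Review bot: mask = 1 << ((base >> 1) & 0x1f) shifts a signed int literal by up to 31, which moves a 1 into the sign bit; the comment below it guards against << 32 but not against this. The line is carried over verbatim from helper.c, so leave it untouched here to keep the move mechanical, and change the literal to 1u in a follow-up since mask is uint32_t. The two-line comment also keeps the old block-comment layout on what are now added lines, so checkpatch will warn; note in the commit message that the warning is expected for moved code.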

[PULL 10/55] target/arm: Move get_phys_addr_v5 to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-4-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  15 +++--
 target/arm/helper.c | 137 +++-
 target/arm/ptw.c| 123 +++
 3 files changed, 140 insertions(+), 135 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index e2023ae7508..2dbd97b8cbf 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -11,16 +11,21 @@
 
 #ifndef CONFIG_USER_ONLY
 
+uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+ ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi);
+uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+ ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi);
+
 bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
  ARMCacheAttrs s1, ARMCacheAttrs s2);
 
-bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  target_ulong *page_size,
-  ARMMMUFaultInfo *fi);
+bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
+  uint32_t *table, uint32_t address);
+int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
+  int ap, int domain_prot);
+
 bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, int *prot,
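
Review bot: the four prototypes added to ptw.h (arm_ldl_ptw, arm_ldq_ptw, get_level1_table_address, ap_to_rw_prot) arrive without any comment, while their descriptions stay in helper.c, for example the @ap/@domain_prot block for ap_to_rw_prot and the "All loads done in the course of a page table walk go through here" line for arm_ldl_ptw. If the export only lasts until the callers have all moved into ptw.c, say so in the commit message; otherwise move the comments to the declarations, where users of the header will look.
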
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 3ffd122178d..321716914b1 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10578,8 +10578,7 @@ bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
  * @ap:  The 3-bit access permissions (AP[2:0])
  * @domain_prot: The 2-bit domain access permissions
  */
-static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
-int ap, int domain_prot)
+int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap, int domain_prot)
 {
 bool is_user = regime_is_user(env, mmu_idx);
 
@@ -10782,8 +10781,8 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx 
mmu_idx, bool is_aa64,
 return prot_rw | PAGE_EXEC;
 }
 
-static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
- uint32_t *table, uint32_t address)
+bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
+  uint32_t *table, uint32_t address)
 {
 /* Note that we can only get here for an AArch32 PL0/PL1 lookup */
 TCR *tcr = regime_tcr(env, mmu_idx);
@@ -10882,8 +10881,8 @@ static hwaddr S1_ptw_translate(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 }
 
 /* All loads done in the course of a page table walk go through here. */
-static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
-ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
+uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+ ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 {
 ARMCPU *cpu = ARM_CPU(cs);
 CPUARMState *env = &cpu->env;
@@ -10911,8 +10910,8 @@ static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, 
bool is_secure,
 return 0;
 }
 
-static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
-ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
+uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+ ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 {
 ARMCPU *cpu = ARM_CPU(cs);
 CPUARMState *env = &cpu->env;
@@ -10940,128 +10939,6 @@ static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr 
addr, bool is_secure,
 return 0;
 }
 
-bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  target_ulong *page_size,
-  ARMMMUFaultInfo *fi)
-{
-CPUState *cs = env_cpu(env);
-int level = 1;
-uint32_t table;
-uint32_t desc;
-int type;
-int ap;
-int domain = 0;
-int domain_prot;
-hwaddr phys_addr;
-uint32_t dacr;
-
-/* Pagetable walk.  */
-/* Lookup l1 descriptor.  */
-if (!get_level1_table_address(env, mmu_idx, &table, address)) {
-/* Section translation fault if page walk is disabled by PD0 or PD1 */
-fi->type = ARMFault_Translation;
-goto do_fault;
-}
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
-   mmu_idx, fi);
-if (fi->type != ARMFault_None) {
-goto do_fault;
-}
-type = (desc 

[PULL 28/55] target/arm: Move aa32_va_parameters to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-22-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  3 ---
 target/arm/helper.c | 64 -
 target/arm/ptw.c| 64 +
 3 files changed, 64 insertions(+), 67 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index a71161b01bd..9314fb4d23c 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -25,8 +25,5 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
-ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
-   ARMMMUIdx mmu_idx);
-
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 2526f4c6c4a..f61f1da61e4 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10771,70 +10771,6 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, 
uint64_t va,
 }
 
 #ifndef CONFIG_USER_ONLY
-ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
-   ARMMMUIdx mmu_idx)
-{
-uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
-uint32_t el = regime_el(env, mmu_idx);
-int select, tsz;
-bool epd, hpd;
-
-assert(mmu_idx != ARMMMUIdx_Stage2_S);
-
-if (mmu_idx == ARMMMUIdx_Stage2) {
-/* VTCR */
-bool sext = extract32(tcr, 4, 1);
-bool sign = extract32(tcr, 3, 1);
-
-/*
- * If the sign-extend bit is not the same as t0sz[3], the result
- * is unpredictable. Flag this as a guest error.
- */
-if (sign != sext) {
-qemu_log_mask(LOG_GUEST_ERROR,
-  "AArch32: VTCR.S / VTCR.T0SZ[3] mismatch\n");
-}
-tsz = sextract32(tcr, 0, 4) + 8;
-select = 0;
-hpd = false;
-epd = false;
-} else if (el == 2) {
-/* HTCR */
-tsz = extract32(tcr, 0, 3);
-select = 0;
-hpd = extract64(tcr, 24, 1);
-epd = false;
-} else {
-int t0sz = extract32(tcr, 0, 3);
-int t1sz = extract32(tcr, 16, 3);
-
-if (t1sz == 0) {
-select = va > (0xu >> t0sz);
-} else {
-/* Note that we will detect errors later.  */
-select = va >= ~(0xu >> t1sz);
-}
-if (!select) {
-tsz = t0sz;
-epd = extract32(tcr, 7, 1);
-hpd = extract64(tcr, 41, 1);
-} else {
-tsz = t1sz;
-epd = extract32(tcr, 23, 1);
-hpd = extract64(tcr, 42, 1);
-}
-/* For aarch32, hpd0 is not enabled without t2e as well.  */
-hpd &= extract32(tcr, 6, 1);
-}
-
-return (ARMVAParameters) {
-.tsz = tsz,
-.select = select,
-.epd = epd,
-.hpd = hpd,
-};
-}
-
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
  MemTxAttrs *attrs)
 {
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 525272e99af..427813ea563 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -615,6 +615,70 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
bool is_aa64,
 return prot_rw | PAGE_EXEC;
 }
 
+static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
+  ARMMMUIdx mmu_idx)
+{
+uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
+uint32_t el = regime_el(env, mmu_idx);
+int select, tsz;
+bool epd, hpd;
+
+assert(mmu_idx != ARMMMUIdx_Stage2_S);
+
+if (mmu_idx == ARMMMUIdx_Stage2) {
+/* VTCR */
+bool sext = extract32(tcr, 4, 1);
+bool sign = extract32(tcr, 3, 1);
+
+/*
+ * If the sign-extend bit is not the same as t0sz[3], the result
+ * is unpredictable. Flag this as a guest error.
+ */
+if (sign != sext) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "AArch32: VTCR.S / VTCR.T0SZ[3] mismatch\n");
+}
+tsz = sextract32(tcr, 0, 4) + 8;
+select = 0;
+hpd = false;
+epd = false;
+} else if (el == 2) {
+/* HTCR */
+tsz = extract32(tcr, 0, 3);
+select = 0;
+hpd = extract64(tcr, 24, 1);
+epd = false;
+} else {
+int t0sz = extract32(tcr, 0, 3);
+int t1sz = extract32(tcr, 16, 3);
+
+if (t1sz == 0) {
+select = va > (0xu >> t0sz);
+} else {
+/* Note that we will detect errors later.  */
+select = va >= ~(0xu >> t1sz);
+}
+if (!select) {
+tsz = t0sz;
+epd = extract32(tcr, 7, 1);
+hpd = extract64(tcr, 41, 1);
+} else {
+ts

[PULL 15/55] target/arm: Move get_phys_addr_pmsav8 to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-9-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  5 ---
 target/arm/helper.c | 75 ---
 target/arm/ptw.c| 77 +
 3 files changed, 77 insertions(+), 80 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index d24b7c263a8..d569507951f 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -41,11 +41,6 @@ void get_phys_addr_pmsav7_default(CPUARMState *env,
   int32_t address, int *prot);
 bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool 
is_user);
 
-bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, MemTxAttrs *txattrs,
-  int *prot, target_ulong *page_size,
-  ARMMMUFaultInfo *fi);
 bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 MMUAccessType access_type, ARMMMUIdx mmu_idx,
 bool s1_is_el0,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 2ebaf694075..44997fd179d 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11970,81 +11970,6 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t 
address,
 return !(*prot & (1 << access_type));
 }
 
-
-bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, MemTxAttrs *txattrs,
-  int *prot, target_ulong *page_size,
-  ARMMMUFaultInfo *fi)
-{
-uint32_t secure = regime_is_secure(env, mmu_idx);
-V8M_SAttributes sattrs = {};
-bool ret;
-bool mpu_is_subpage;
-
-if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-v8m_security_lookup(env, address, access_type, mmu_idx, &sattrs);
-if (access_type == MMU_INST_FETCH) {
-/* Instruction fetches always use the MMU bank and the
- * transaction attribute determined by the fetch address,
- * regardless of CPU state. This is painful for QEMU
- * to handle, because it would mean we need to encode
- * into the mmu_idx not just the (user, negpri) information
- * for the current security state but also that for the
- * other security state, which would balloon the number
- * of mmu_idx values needed alarmingly.
- * Fortunately we can avoid this because it's not actually
- * possible to arbitrarily execute code from memory with
- * the wrong security attribute: it will always generate
- * an exception of some kind or another, apart from the
- * special case of an NS CPU executing an SG instruction
- * in S&NSC memory. So we always just fail the translation
- * here and sort things out in the exception handler
- * (including possibly emulating an SG instruction).
- */
-if (sattrs.ns != !secure) {
-if (sattrs.nsc) {
-fi->type = ARMFault_QEMU_NSCExec;
-} else {
-fi->type = ARMFault_QEMU_SFault;
-}
-*page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
-*phys_ptr = address;
-*prot = 0;
-return true;
-}
-} else {
-/* For data accesses we always use the MMU bank indicated
- * by the current CPU state, but the security attributes
- * might downgrade a secure access to nonsecure.
- */
-if (sattrs.ns) {
-txattrs->secure = false;
-} else if (!secure) {
-/* NS access to S memory must fault.
- * Architecturally we should first check whether the
- * MPU information for this address indicates that we
- * are doing an unaligned access to Device memory, which
- * should generate a UsageFault instead. QEMU does not
- * currently check for that kind of unaligned access though.
- * If we added it we would need to do so as a special case
- * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt().
- */
-fi->type = ARMFault_QEMU_SFault;
-*page_size = sattrs.subpage ? 1 : TARGET_PAGE_SIZE;
-*phys_ptr = address;
-*prot = 0;
-return true;
-}
-}
-}
-
-ret = pmsav8_mpu_lookup(env, address, access_type, mmu_idx, phys_ptr,
-txattrs, prot, &mpu_is_subpage, fi, NUL

[PULL 13/55] target/arm: Move get_phys_addr_pmsav7_default to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-7-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  3 +++
 target/arm/helper.c | 41 -
 target/arm/ptw.c| 41 +
 3 files changed, 44 insertions(+), 41 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 324a9dde140..d6e3fee1523 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -33,6 +33,9 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
+void get_phys_addr_pmsav7_default(CPUARMState *env,
+  ARMMMUIdx mmu_idx,
+  int32_t address, int *prot);
 bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, int *prot,
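
Review bot: get_phys_addr_pmsav7_default is now declared in ptw.h with int32_t address, next to get_phys_addr_pmsav7 which takes uint32_t address. A signed address was easy to overlook while the function was static inline in helper.c; as a shared prototype it invites sign-extension mistakes at call sites and sits oddly with the case ranges in the body, which include Device and System ranges in the upper half of the address space. Keep the type as is in this patch so the move stays mechanical, and switch it to uint32_t in a follow-up.
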
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 5d010190108..d4f7c05625c 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11678,47 +11678,6 @@ do_fault:
 return true;
 }
 
-static inline void get_phys_addr_pmsav7_default(CPUARMState *env,
-ARMMMUIdx mmu_idx,
-int32_t address, int *prot)
-{
-if (!arm_feature(env, ARM_FEATURE_M)) {
-*prot = PAGE_READ | PAGE_WRITE;
-switch (address) {
-case 0xF000 ... 0x:
-if (regime_sctlr(env, mmu_idx) & SCTLR_V) {
-/* hivecs execing is ok */
-*prot |= PAGE_EXEC;
-}
-break;
-case 0x ... 0x7FFF:
-*prot |= PAGE_EXEC;
-break;
-}
-} else {
-/* Default system address map for M profile cores.
- * The architecture specifies which regions are execute-never;
- * at the MPU level no other checks are defined.
- */
-switch (address) {
-case 0x ... 0x1fff: /* ROM */
-case 0x2000 ... 0x3fff: /* SRAM */
-case 0x6000 ... 0x7fff: /* RAM */
-case 0x8000 ... 0x9fff: /* RAM */
-*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-break;
-case 0x4000 ... 0x5fff: /* Peripheral */
-case 0xa000 ... 0xbfff: /* Device */
-case 0xc000 ... 0xdfff: /* Device */
-case 0xe000 ... 0x: /* System */
-*prot = PAGE_READ | PAGE_WRITE;
-break;
-default:
-g_assert_not_reached();
-}
-}
-}
-
 static bool pmsav7_use_background_region(ARMCPU *cpu,
  ARMMMUIdx mmu_idx, bool is_user)
 {
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 5c32648a16a..74650c6c525 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -374,6 +374,47 @@ static bool get_phys_addr_pmsav5(CPUARMState *env, 
uint32_t address,
 return false;
 }
 
+void get_phys_addr_pmsav7_default(CPUARMState *env,
+  ARMMMUIdx mmu_idx,
+  int32_t address, int *prot)
+{
+if (!arm_feature(env, ARM_FEATURE_M)) {
+*prot = PAGE_READ | PAGE_WRITE;
+switch (address) {
+case 0xF000 ... 0x:
+if (regime_sctlr(env, mmu_idx) & SCTLR_V) {
+/* hivecs execing is ok */
+*prot |= PAGE_EXEC;
+}
+break;
+case 0x ... 0x7FFF:
+*prot |= PAGE_EXEC;
+break;
+}
+} else {
+/* Default system address map for M profile cores.
+ * The architecture specifies which regions are execute-never;
+ * at the MPU level no other checks are defined.
+ */
+switch (address) {
+case 0x ... 0x1fff: /* ROM */
+case 0x2000 ... 0x3fff: /* SRAM */
+case 0x6000 ... 0x7fff: /* RAM */
+case 0x8000 ... 0x9fff: /* RAM */
+*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+break;
+case 0x4000 ... 0x5fff: /* Peripheral */
+case 0xa000 ... 0xbfff: /* Device */
+case 0xc000 ... 0xdfff: /* Device */
+case 0xe000 ... 0x: /* System */
+*prot = PAGE_READ | PAGE_WRITE;
+break;
+default:
+g_assert_not_reached();
+}
+}
+}
+
 /**
  * get_phys_addr - get the physical address for this virtual address
  *
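Review bot: get_phys_addr_pmsav7_default loses "static inline" and becomes a global function here, but it still has no comment describing its contract. In particular, the non-M branch has no default case, so an address outside the two listed ranges silently keeps PAGE_READ | PAGE_WRITE without PAGE_EXEC, whereas the M-profile branch asserts on an unlisted address. A short header comment stating that *prot is always written and that the missing default in the first switch is intentional would help the next reader.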
-- 
2.25.1




[PULL 36/55] target/arm: Rename TBFLAG_A64 ZCR_LEN to VL

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

With SME, the vector length does not only come from ZCR_ELx.
Comment that this is either NVL or SVL, like the pseudocode.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-2-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.h   | 3 ++-
 target/arm/translate-a64.h | 2 +-
 target/arm/translate.h | 2 +-
 target/arm/helper.c| 2 +-
 target/arm/translate-a64.c | 2 +-
 target/arm/translate-sve.c | 2 +-
 6 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 0ee1705a4fa..e791ffdd6b6 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -3241,7 +3241,8 @@ FIELD(TBFLAG_M32, MVE_NO_PRED, 5, 1)/* Not 
cached. */
  */
 FIELD(TBFLAG_A64, TBII, 0, 2)
 FIELD(TBFLAG_A64, SVEEXC_EL, 2, 2)
-FIELD(TBFLAG_A64, ZCR_LEN, 4, 4)
+/* The current vector length, either NVL or SVL. */
+FIELD(TBFLAG_A64, VL, 4, 4)
 FIELD(TBFLAG_A64, PAUTH_ACTIVE, 8, 1)
 FIELD(TBFLAG_A64, BT, 9, 1)
 FIELD(TBFLAG_A64, BTYPE, 10, 2) /* Not cached. */
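Review bot: the added comment calls the 4-bit VL field "the current vector length", but the field holds an encoded value, not a length. aarch64_tr_init_disas_context in this same patch decodes it as (EX_TBFLAG_A64(tb_flags, VL) + 1) * 16 to obtain bytes. Please state the encoding in the comment so nobody reads the field as a byte or bit count.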
diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index f2e8ee0ee1f..dbc917ee65b 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -104,7 +104,7 @@ static inline TCGv_ptr vec_full_reg_ptr(DisasContext *s, 
int regno)
 /* Return the byte size of the "whole" vector register, VL / 8.  */
 static inline int vec_full_reg_size(DisasContext *s)
 {
-return s->sve_len;
+return s->vl;
 }
 
 bool disas_sve(DisasContext *, uint32_t);
diff --git a/target/arm/translate.h b/target/arm/translate.h
index 9f0bb270c5b..f473a21ed48 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -42,7 +42,7 @@ typedef struct DisasContext {
 bool ns;/* Use non-secure CPREG bank on access */
 int fp_excp_el; /* FP exception EL or 0 if enabled */
 int sve_excp_el; /* SVE exception EL or 0 if enabled */
-int sve_len; /* SVE vector length in bytes */
+int vl;  /* current vector length in bytes */
 /* Flag indicating that exceptions from secure mode are routed to EL3. */
 bool secure_routed_to_el3;
 bool vfp_enabled; /* FP enabled via FPSCR.EN */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 37cf9fa6aba..c228deca755 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11181,7 +11181,7 @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState 
*env, int el, int fp_el,
 zcr_len = sve_zcr_len_for_el(env, el);
 }
 DP_TBFLAG_A64(flags, SVEEXC_EL, sve_el);
-DP_TBFLAG_A64(flags, ZCR_LEN, zcr_len);
+DP_TBFLAG_A64(flags, VL, zcr_len);
 }
 
 sctlr = regime_sctlr(env, stage1);
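Review bot: "DP_TBFLAG_A64(flags, VL, zcr_len)" still feeds the renamed field from a local called zcr_len, which keeps the ZCR-only naming that the commit message says no longer covers every source of the vector length. Consider renaming the local in this patch as well, or note in a comment that the value is ZCR-derived at this point, so the rename is complete within this function.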
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 935e1929bb9..d438fb89e73 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -14608,7 +14608,7 @@ static void 
aarch64_tr_init_disas_context(DisasContextBase *dcbase,
 dc->align_mem = EX_TBFLAG_ANY(tb_flags, ALIGN_MEM);
 dc->pstate_il = EX_TBFLAG_ANY(tb_flags, PSTATE__IL);
 dc->sve_excp_el = EX_TBFLAG_A64(tb_flags, SVEEXC_EL);
-dc->sve_len = (EX_TBFLAG_A64(tb_flags, ZCR_LEN) + 1) * 16;
+dc->vl = (EX_TBFLAG_A64(tb_flags, VL) + 1) * 16;
 dc->pauth_active = EX_TBFLAG_A64(tb_flags, PAUTH_ACTIVE);
 dc->bt = EX_TBFLAG_A64(tb_flags, BT);
 dc->btype = EX_TBFLAG_A64(tb_flags, BTYPE);
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 836511d7191..67761bf2cc5 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -111,7 +111,7 @@ static inline int pred_full_reg_offset(DisasContext *s, int 
regno)
 /* Return the byte size of the whole predicate register, VL / 64.  */
 static inline int pred_full_reg_size(DisasContext *s)
 {
-return s->sve_len >> 3;
+return s->vl >> 3;
 }
 
 /* Round up the size of a register to a size allowed by
-- 
2.25.1




[PULL 08/55] target/arm: Move stage_1_mmu_idx decl to internals.h

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Move the decl from ptw.h to internals.h.  Provide an inline
version for user-only, just as we do for arm_stage1_mmu_idx.
Move an endif down to make the definition in helper.c be
system only.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-2-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/internals.h | 5 +
 target/arm/helper.c| 5 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 1e4887b2dd3..049edce946c 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -979,11 +979,16 @@ ARMMMUIdx arm_mmu_idx(CPUARMState *env);
  * Return the ARMMMUIdx for the stage1 traversal for the current regime.
  */
 #ifdef CONFIG_USER_ONLY
+static inline ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
+{
+return ARMMMUIdx_Stage1_E0;
+}
 static inline ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
 {
 return ARMMMUIdx_Stage1_E0;
 }
 #else
+ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx);
 ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env);
 #endif
 
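Review bot: the new stage_1_mmu_idx declarations are inserted between the existing comment ("Return the ARMMMUIdx for the stage1 traversal for the current regime") and arm_stage1_mmu_idx, so that comment now reads as if it documents stage_1_mmu_idx. The two functions do different things: the user-only stage_1_mmu_idx ignores its mmu_idx argument, and the helper.c comment describes it as converting a possible stage1+2 MMU index into the appropriate stage 1 index. Give stage_1_mmu_idx its own comment here, carried over from helper.c, and keep the existing one directly above arm_stage1_mmu_idx.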
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 5727ead5e4c..829b660db92 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10517,12 +10517,10 @@ static inline uint64_t regime_ttbr(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 }
 }
 
-#endif /* !CONFIG_USER_ONLY */
-
 /* Convert a possible stage1+2 MMU index into the appropriate
  * stage 1 MMU index
  */
-static inline ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
+ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
 {
 switch (mmu_idx) {
 case ARMMMUIdx_SE10_0:
@@ -10541,6 +10539,7 @@ static inline ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx 
mmu_idx)
 return mmu_idx;
 }
 }
+#endif /* !CONFIG_USER_ONLY */
 
 /* Return true if the translation regime is using LPAE format page tables */
 static inline bool regime_using_lpae_format(CPUARMState *env,
-- 
2.25.1




[PULL 07/55] xlnx-zynqmp: fix the irq mapping for the display port and its dma

2022-06-09 Thread Peter Maydell
From: Frederic Konrad 

When the display port was initially implemented, the device
driver wasn't using interrupts.  Now that the display port driver
waits for the vblank interrupt, it has been noticed that the irq mapping
is wrong.  So use the value from the Linux device tree and the
UltraScale+ reference manual.

Signed-off-by: Frederic Konrad 
Reviewed-by: Edgar E. Iglesias 
Acked-by: Alistair Francis 
Message-id: 20220601172353.3220232-5-fkon...@xilinx.com
[PMM: refold lines in commit message]
Signed-off-by: Peter Maydell 
---
 hw/arm/xlnx-zynqmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 375309e68eb..383e177a001 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -60,10 +60,10 @@
 #define SERDES_SIZE 0x2
 
 #define DP_ADDR 0xfd4a
-#define DP_IRQ  113
+#define DP_IRQ  0x77
 
 #define DPDMA_ADDR  0xfd4c
-#define DPDMA_IRQ   116
+#define DPDMA_IRQ   0x7a
 
 #define APU_ADDR0xfd5c
 #define APU_IRQ 153
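Review bot: DP_IRQ and DPDMA_IRQ are now written in hex (0x77 and 0x7a, that is 119 and 122), while APU_IRQ right below stays decimal at 153. Mixing radices in one block of interrupt numbers makes the table harder to check against the manual. Either keep decimal like the neighbouring defines, or add a one-line comment naming the source (device tree or reference manual) and the numbering it uses, so the values can be verified at a glance.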
-- 
2.25.1




[PULL 19/55] target/arm: Move m_is_{ppb,system}_region to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-13-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  3 ---
 target/arm/helper.c | 15 ---
 target/arm/ptw.c| 16 
 3 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index d2d27119082..6c47a575991 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -33,9 +33,6 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
-bool m_is_ppb_region(CPUARMState *env, uint32_t address);
-bool m_is_system_region(CPUARMState *env, uint32_t address);
-
 bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 MMUAccessType access_type, ARMMMUIdx mmu_idx,
 bool s1_is_el0,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index d6a749ad0ed..d2ef12346b6 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11677,21 +11677,6 @@ do_fault:
 return true;
 }
 
-bool m_is_ppb_region(CPUARMState *env, uint32_t address)
-{
-/* True if address is in the M profile PPB region 0xe000 - 0xe00f 
*/
-return arm_feature(env, ARM_FEATURE_M) &&
-extract32(address, 20, 12) == 0xe00;
-}
-
-bool m_is_system_region(CPUARMState *env, uint32_t address)
-{
-/* True if address is in the M profile system region
- * 0xe000 - 0x
- */
-return arm_feature(env, ARM_FEATURE_M) && extract32(address, 29, 3) == 0x7;
-}
-
 /* Combine either inner or outer cacheability attributes for normal
  * memory, according to table D4-42 and pseudocode procedure
  * CombineS1S2AttrHints() of ARM DDI 0487B.b (the ARMv8 ARM).
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index c15fba43c31..32ba2e5e8bf 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -416,6 +416,22 @@ static void get_phys_addr_pmsav7_default(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 }
 }
 
+static bool m_is_ppb_region(CPUARMState *env, uint32_t address)
+{
+/* True if address is in the M profile PPB region 0xe000 - 0xe00f 
*/
+return arm_feature(env, ARM_FEATURE_M) &&
+extract32(address, 20, 12) == 0xe00;
+}
+
+static bool m_is_system_region(CPUARMState *env, uint32_t address)
+{
+/*
+ * True if address is in the M profile system region
+ * 0xe000 - 0x
+ */
+return arm_feature(env, ARM_FEATURE_M) && extract32(address, 29, 3) == 0x7;
+}
+
 static bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx,
  bool is_user)
 {
-- 
2.25.1




[PULL 39/55] target/arm: Remove fp checks from sve_exception_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Instead of checking these bits in fp_exception_el and
also in sve_exception_el, document that we must compare
the results.  The only place where we have not already
checked that FP EL is zero is in rebuild_hflags_a64.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-5-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 58 +++--
 1 file changed, 19 insertions(+), 39 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 1bd77af7e50..4f4044c688d 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6129,11 +6129,15 @@ static const ARMCPRegInfo minimal_ras_reginfo[] = {
   .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vsesr_el2) },
 };
 
-/* Return the exception level to which exceptions should be taken
- * via SVEAccessTrap.  If an exception should be routed through
- * AArch64.AdvSIMDFPAccessTrap, return 0; fp_exception_el should
- * take care of raising that exception.
- * C.f. the ARM pseudocode function CheckSVEEnabled.
+/*
+ * Return the exception level to which exceptions should be taken
+ * via SVEAccessTrap.  This excludes the check for whether the exception
+ * should be routed through AArch64.AdvSIMDFPAccessTrap.  That can easily
+ * be found by testing 0 < fp_exception_el < sve_exception_el.
+ *
+ * C.f. the ARM pseudocode function CheckSVEEnabled.  Note that the
+ * pseudocode does *not* separate out the FP trap checks, but has them
+ * all in one function.
  */
 int sve_exception_el(CPUARMState *env, int el)
 {
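Review bot: the new comment gives the caller's test as "0 < fp_exception_el < sve_exception_el" but does not say what happens when the two values are equal and non-zero. rebuild_hflags_a64 later in this patch keeps sve_el in that case, since it only clears it when sve_el > fp_el. A sentence here stating which trap is expected on equality would save callers from having to infer it from the one updated call site.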
@@ -6151,18 +6155,6 @@ int sve_exception_el(CPUARMState *env, int el)
 case 2:
 return 1;
 }
-
-/* Check CPACR.FPEN.  */
-switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, FPEN)) {
-case 1:
-if (el != 0) {
-break;
-}
-/* fall through */
-case 0:
-case 2:
-return 0;
-}
 }
 
 /*
@@ -6180,24 +6172,10 @@ int sve_exception_el(CPUARMState *env, int el)
 case 2:
 return 2;
 }
-
-switch (FIELD_EX32(env->cp15.cptr_el[2], CPTR_EL2, FPEN)) {
-case 1:
-if (el == 2 || !(hcr_el2 & HCR_TGE)) {
-break;
-}
-/* fall through */
-case 0:
-case 2:
-return 0;
-}
 } else if (arm_is_el2_enabled(env)) {
 if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TZ)) {
 return 2;
 }
-if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TFP)) {
-return 0;
-}
 }
 }
 
@@ -11168,19 +11146,21 @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState 
*env, int el, int fp_el,
 
 if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 int sve_el = sve_exception_el(env, el);
-uint32_t zcr_len;
 
 /*
- * If SVE is disabled, but FP is enabled,
- * then the effective len is 0.
+ * If either FP or SVE are disabled, translator does not need len.
+ * If SVE EL > FP EL, FP exception has precedence, and translator
+ * does not need SVE EL.  Save potential re-translations by forcing
+ * the unneeded data to zero.
  */
-if (sve_el != 0 && fp_el == 0) {
-zcr_len = 0;
-} else {
-zcr_len = sve_zcr_len_for_el(env, el);
+if (fp_el != 0) {
+if (sve_el > fp_el) {
+sve_el = 0;
+}
+} else if (sve_el == 0) {
+DP_TBFLAG_A64(flags, VL, sve_zcr_len_for_el(env, el));
 }
 DP_TBFLAG_A64(flags, SVEEXC_EL, sve_el);
-DP_TBFLAG_A64(flags, VL, zcr_len);
 }
 
 sctlr = regime_sctlr(env, stage1);
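Review bot: after this change DP_TBFLAG_A64(flags, VL, ...) runs only on the path where fp_el == 0 and sve_el == 0, so every other path relies on the VL bits of flags already being zero. The hunk does not show how flags is initialised. Please confirm that VL is clear at this point, or deposit 0 explicitly on the other paths, so that the "forcing the unneeded data to zero" statement in the comment holds by construction rather than by assumption.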
-- 
2.25.1




[PULL 21/55] target/arm: Move combine_cacheattrs and subroutines to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

There are a handful of helpers for combine_cacheattrs
that we can move at the same time as the main entry point.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-15-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|   3 -
 target/arm/helper.c | 218 ---
 target/arm/ptw.c| 221 
 3 files changed, 221 insertions(+), 221 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index dd6fb93f336..b2dfe489bbe 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -20,9 +20,6 @@ bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
 
-ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
- ARMCacheAttrs s1, ARMCacheAttrs s2);
-
 int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
   int ap, int domain_prot);
 int simple_ap_to_rw_prot_is_user(int ap, bool is_user);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index a144cb26413..dab485e64ae 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10977,36 +10977,6 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool 
is_aa64, int level,
 }
 return true;
 }
-
-/* Translate from the 4-bit stage 2 representation of
- * memory attributes (without cache-allocation hints) to
- * the 8-bit representation of the stage 1 MAIR registers
- * (which includes allocation hints).
- *
- * ref: shared/translation/attrs/S2AttrDecode()
- *  .../S2ConvertAttrsHints()
- */
-static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
-{
-uint8_t hiattr = extract32(s2attrs, 2, 2);
-uint8_t loattr = extract32(s2attrs, 0, 2);
-uint8_t hihint = 0, lohint = 0;
-
-if (hiattr != 0) { /* normal memory */
-if (arm_hcr_el2_eff(env) & HCR_CD) { /* cache disabled */
-hiattr = loattr = 1; /* non-cacheable */
-} else {
-if (hiattr != 1) { /* Write-through or write-back */
-hihint = 3; /* RW allocate */
-}
-if (loattr != 1) { /* Write-through or write-back */
-lohint = 3; /* RW allocate */
-}
-}
-}
-
-return (hiattr << 6) | (hihint << 4) | (loattr << 2) | lohint;
-}
 #endif /* !CONFIG_USER_ONLY */
 
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
@@ -11653,194 +11623,6 @@ do_fault:
 return true;
 }
 
-/* Combine either inner or outer cacheability attributes for normal
- * memory, according to table D4-42 and pseudocode procedure
- * CombineS1S2AttrHints() of ARM DDI 0487B.b (the ARMv8 ARM).
- *
- * NB: only stage 1 includes allocation hints (RW bits), leading to
- * some asymmetry.
- */
-static uint8_t combine_cacheattr_nibble(uint8_t s1, uint8_t s2)
-{
-if (s1 == 4 || s2 == 4) {
-/* non-cacheable has precedence */
-return 4;
-} else if (extract32(s1, 2, 2) == 0 || extract32(s1, 2, 2) == 2) {
-/* stage 1 write-through takes precedence */
-return s1;
-} else if (extract32(s2, 2, 2) == 2) {
-/* stage 2 write-through takes precedence, but the allocation hint
- * is still taken from stage 1
- */
-return (2 << 2) | extract32(s1, 0, 2);
-} else { /* write-back */
-return s1;
-}
-}
-
-/*
- * Combine the memory type and cacheability attributes of
- * s1 and s2 for the HCR_EL2.FWB == 0 case, returning the
- * combined attributes in MAIR_EL1 format.
- */
-static uint8_t combined_attrs_nofwb(CPUARMState *env,
-ARMCacheAttrs s1, ARMCacheAttrs s2)
-{
-uint8_t s1lo, s2lo, s1hi, s2hi, s2_mair_attrs, ret_attrs;
-
-s2_mair_attrs = convert_stage2_attrs(env, s2.attrs);
-
-s1lo = extract32(s1.attrs, 0, 4);
-s2lo = extract32(s2_mair_attrs, 0, 4);
-s1hi = extract32(s1.attrs, 4, 4);
-s2hi = extract32(s2_mair_attrs, 4, 4);
-
-/* Combine memory type and cacheability attributes */
-if (s1hi == 0 || s2hi == 0) {
-/* Device has precedence over normal */
-if (s1lo == 0 || s2lo == 0) {
-/* nGnRnE has precedence over anything */
-ret_attrs = 0;
-} else if (s1lo == 4 || s2lo == 4) {
-/* non-Reordering has precedence over Reordering */
-ret_attrs = 4;  /* nGnRE */
-} else if (s1lo == 8 || s2lo == 8) {
-/* non-Gathering has precedence over Gathering */
-ret_attrs = 8;  /* nGRE */
-} else {
-ret_attrs = 0xc; /* GRE */
-}
-} else { /* Normal memory */
-/* Outer/inner cacheability combine independently */
-ret_attrs = combine_cacheattr_nibble(s1hi, s2hi) << 4
-  | combine_cacheattr_nibble(s1lo, s2lo);
-}
-retu

[PULL 22/55] target/arm: Move get_phys_addr_lpae to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-16-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  10 ++
 target/arm/helper.c | 416 +---
 target/arm/ptw.c| 411 +++
 3 files changed, 429 insertions(+), 408 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index b2dfe489bbe..31744df6646 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -11,6 +11,8 @@
 
 #ifndef CONFIG_USER_ONLY
 
+extern const uint8_t pamax_map[7];
+
 uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
  ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi);
 uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
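Review bot: "extern const uint8_t pamax_map[7];" fixes the array size in the header, while the definition that this patch makes non-static in helper.c is still "const uint8_t pamax_map[] = {", sized by its initialisers. The element count now lives in two places, and a later added entry would leave the declaration and definition disagreeing. Give the definition the same explicit size, or drop the size from the declaration and have users go through an accessor. The unprefixed global name pamax_map is also worth an arm_ prefix now that it has external linkage.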
@@ -30,6 +32,14 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
int ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
+ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
+   ARMMMUIdx mmu_idx);
+bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
+int inputsize, int stride, int outputsize);
+int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0);
+int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
+   int ap, int ns, int xn, int pxn);
+
 bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 MMUAccessType access_type, ARMMMUIdx mmu_idx,
 bool s1_is_el0,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index dab485e64ae..7de815fe986 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10652,7 +10652,7 @@ int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
  * @xn:  XN (execute-never) bits
  * @s1_is_el0: true if this is S2 of an S1+2 walk for EL0
  */
-static int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
+int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
 {
 int prot = 0;
 
@@ -10703,8 +10703,8 @@ static int get_S2prot(CPUARMState *env, int s2ap, int 
xn, bool s1_is_el0)
  * @xn:  XN (execute-never) bit
  * @pxn: PXN (privileged execute-never) bit
  */
-static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
-  int ap, int ns, int xn, int pxn)
+int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
+   int ap, int ns, int xn, int pxn)
 {
 bool is_user = regime_is_user(env, mmu_idx);
 int prot_rw, user_rw;
@@ -10919,8 +10919,8 @@ uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool 
is_secure,
  * Returns true if the suggested S2 translation parameters are OK and
  * false otherwise.
  */
-static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-   int inputsize, int stride, int outputsize)
+bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
+int inputsize, int stride, int outputsize)
 {
 const int grainsize = stride + 3;
 int startsizecheck;
@@ -10980,7 +10980,7 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool 
is_aa64, int level,
 #endif /* !CONFIG_USER_ONLY */
 
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
-static const uint8_t pamax_map[] = {
+const uint8_t pamax_map[] = {
 [0] = 32,
 [1] = 36,
 [2] = 40,
@@ -11159,8 +11159,8 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, 
uint64_t va,
 }
 
 #ifndef CONFIG_USER_ONLY
-static ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
-  ARMMMUIdx mmu_idx)
+ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
+   ARMMMUIdx mmu_idx)
 {
 uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
 uint32_t el = regime_el(env, mmu_idx);
@@ -11223,406 +11223,6 @@ static ARMVAParameters aa32_va_parameters(CPUARMState 
*env, uint32_t va,
 };
 }
 
-/**
- * get_phys_addr_lpae: perform one stage of page table walk, LPAE format
- *
- * Returns false if the translation was successful. Otherwise, phys_ptr, attrs,
- * prot and page_size may not be filled in, and the populated fsr value 
provides
- * information on why the translation aborted, in the format of a long-format
- * DFSR/IFSR fault register, with the following caveats:
- *  * the WnR bit is never set (the caller must do this).
- *
- * @env: CPUARMState
- * @address: virtual address to get physical address for
- * @access_type: MMU_DATA_LOAD, MMU_DATA_STORE or MMU_INST_FETCH
- * @mmu_idx: MMU index indicating required translation regime
- * @s1_is_el0: if @mmu_idx is ARMMMUIdx_Stage2 (so this is a stage 2 page table
- * walk), must be true if this is stage 2 of a stage 1+2 walk for 
an
- * EL0 access). If @mmu_idx is anything else, @s1_is_el0 is 
ignored.
- * @phys_ptr: set to the physic

[PULL 26/55] target/arm: Move get_S1prot, get_S2prot to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-20-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|   3 --
 target/arm/helper.c | 128 
 target/arm/ptw.c| 128 
 3 files changed, 128 insertions(+), 131 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index fba650d01ca..93147e0b065 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -29,9 +29,6 @@ ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t 
va,
ARMMMUIdx mmu_idx);
 bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
 int inputsize, int stride, int outputsize);
-int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0);
-int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
-   int ap, int ns, int xn, int pxn);
 
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 563e34ecded..148eb28ba8c 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10615,134 +10615,6 @@ int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
 }
 }
 
-/* Translate S2 section/page access permissions to protection flags
- *
- * @env: CPUARMState
- * @s2ap:The 2-bit stage2 access permissions (S2AP)
- * @xn:  XN (execute-never) bits
- * @s1_is_el0: true if this is S2 of an S1+2 walk for EL0
- */
-int get_S2prot(CPUARMState *env, int s2ap, int xn, bool s1_is_el0)
-{
-int prot = 0;
-
-if (s2ap & 1) {
-prot |= PAGE_READ;
-}
-if (s2ap & 2) {
-prot |= PAGE_WRITE;
-}
-
-if (cpu_isar_feature(any_tts2uxn, env_archcpu(env))) {
-switch (xn) {
-case 0:
-prot |= PAGE_EXEC;
-break;
-case 1:
-if (s1_is_el0) {
-prot |= PAGE_EXEC;
-}
-break;
-case 2:
-break;
-case 3:
-if (!s1_is_el0) {
-prot |= PAGE_EXEC;
-}
-break;
-default:
-g_assert_not_reached();
-}
-} else {
-if (!extract32(xn, 1, 1)) {
-if (arm_el_is_aa64(env, 2) || prot & PAGE_READ) {
-prot |= PAGE_EXEC;
-}
-}
-}
-return prot;
-}
-
-/* Translate section/page access permissions to protection flags
- *
- * @env: CPUARMState
- * @mmu_idx: MMU index indicating required translation regime
- * @is_aa64: TRUE if AArch64
- * @ap:  The 2-bit simple AP (AP[2:1])
- * @ns:  NS (non-secure) bit
- * @xn:  XN (execute-never) bit
- * @pxn: PXN (privileged execute-never) bit
- */
-int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
-   int ap, int ns, int xn, int pxn)
-{
-bool is_user = regime_is_user(env, mmu_idx);
-int prot_rw, user_rw;
-bool have_wxn;
-int wxn = 0;
-
-assert(mmu_idx != ARMMMUIdx_Stage2);
-assert(mmu_idx != ARMMMUIdx_Stage2_S);
-
-user_rw = simple_ap_to_rw_prot_is_user(ap, true);
-if (is_user) {
-prot_rw = user_rw;
-} else {
-if (user_rw && regime_is_pan(env, mmu_idx)) {
-/* PAN forbids data accesses but doesn't affect insn fetch */
-prot_rw = 0;
-} else {
-prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
-}
-}
-
-if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
-return prot_rw;
-}
-
-/* TODO have_wxn should be replaced with
- *   ARM_FEATURE_V8 || (ARM_FEATURE_V7 && ARM_FEATURE_EL2)
- * when ARM_FEATURE_EL2 starts getting set. For now we assume all LPAE
- * compatible processors have EL2, which is required for [U]WXN.
- */
-have_wxn = arm_feature(env, ARM_FEATURE_LPAE);
-
-if (have_wxn) {
-wxn = regime_sctlr(env, mmu_idx) & SCTLR_WXN;
-}
-
-if (is_aa64) {
-if (regime_has_2_ranges(mmu_idx) && !is_user) {
-xn = pxn || (user_rw & PAGE_WRITE);
-}
-} else if (arm_feature(env, ARM_FEATURE_V7)) {
-switch (regime_el(env, mmu_idx)) {
-case 1:
-case 3:
-if (is_user) {
-xn = xn || !(user_rw & PAGE_READ);
-} else {
-int uwxn = 0;
-if (have_wxn) {
-uwxn = regime_sctlr(env, mmu_idx) & SCTLR_UWXN;
-}
-xn = xn || !(prot_rw & PAGE_READ) || pxn ||
- (uwxn && (user_rw & PAGE_WRITE));
-}
-break;
-case 2:
-break;
-}
-} else {
-xn = wxn = 0;
-}
-
-if (xn || (wxn && (prot_rw & PAGE_WRITE))) {
-return prot_rw;
-}
-return prot_rw | PAGE_EXEC;
-}
-
 /*
  * check_s2_mmu_setup
  * @cpu:ARMCPU
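Review bot: in the get_S2prot body being moved, "if (arm_el_is_aa64(env, 2) || prot & PAGE_READ)" mixes || and & without parentheses. The precedence gives the intended result, but the bare form is easy to misread. Since the code is being re-added in ptw.c anyway, write it as (prot & PAGE_READ) there. The same move is also a chance to bring the two "/* Translate ..." block comments to the current comment style with the opening on its own line.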
diff --git a/target/a

[PULL 09/55] target/arm: Move get_phys_addr to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Begin moving all of the page table walking functions
out of helper.c, starting with get_phys_addr().

Create a temporary header file, "ptw.h", in which to
share declarations between the two C files while we
are moving functions.

Move a few declarations to "internals.h", which will
remain used by multiple C files.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-3-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/internals.h |  18 ++-
 target/arm/ptw.h   |  51 ++
 target/arm/helper.c| 344 +
 target/arm/ptw.c   | 267 
 target/arm/meson.build |   1 +
 5 files changed, 372 insertions(+), 309 deletions(-)
 create mode 100644 target/arm/ptw.h
 create mode 100644 target/arm/ptw.c

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 049edce946c..1d83146d565 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -613,8 +613,13 @@ ARMMMUIdx 
arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
 /* Return the MMU index for a v7M CPU in the specified security state */
 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate);
 
-/* Return true if the stage 1 translation regime is using LPAE format page
- * tables */
+/* Return true if the translation regime is using LPAE format page tables */
+bool regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
+
+/*
+ * Return true if the stage 1 translation regime is using LPAE
+ * format page tables
+ */
 bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
 
 /* Raise a data fault alignment exception for the specified virtual address */
@@ -777,6 +782,12 @@ static inline uint32_t regime_el(CPUARMState *env, 
ARMMMUIdx mmu_idx)
 }
 }
 
+/* Return the SCTLR value which controls this address translation regime */
+static inline uint64_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+return env->cp15.sctlr_el[regime_el(env, mmu_idx)];
+}
+
 /* Return the TCR controlling this translation regime */
 static inline TCR *regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
@@ -1095,6 +1106,9 @@ typedef struct ARMVAParameters {
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
ARMMMUIdx mmu_idx, bool data);
 
+int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx);
+int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx);
+
 static inline int exception_target_el(CPUARMState *env)
 {
 int target_el = MAX(1, arm_current_el(env));
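Review bot: aa64_va_parameter_tbi and aa64_va_parameter_tbid are added to internals.h with no comment, unlike regime_sctlr and regime_using_lpae_format earlier in this patch, which each get one. Both return a plain int for a given tcr and mmu_idx, so the header should say what that int encodes, since callers in other files will now rely on it.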
diff --git a/target/arm/ptw.h b/target/arm/ptw.h
new file mode 100644
index 000..e2023ae7508
--- /dev/null
+++ b/target/arm/ptw.h
@@ -0,0 +1,51 @@
+/*
+ * ARM page table walking.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef TARGET_ARM_PTW_H
+#define TARGET_ARM_PTW_H
+
+#ifndef CONFIG_USER_ONLY
+
+bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
+bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
+ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
+ ARMCacheAttrs s1, ARMCacheAttrs s2);
+
+bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
+  MMUAccessType access_type, ARMMMUIdx mmu_idx,
+  hwaddr *phys_ptr, int *prot,
+  target_ulong *page_size,
+  ARMMMUFaultInfo *fi);
+bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
+  MMUAccessType access_type, ARMMMUIdx mmu_idx,
+  hwaddr *phys_ptr, int *prot,
+  ARMMMUFaultInfo *fi);
+bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
+  MMUAccessType access_type, ARMMMUIdx mmu_idx,
+  hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
+  target_ulong *page_size, ARMMMUFaultInfo *fi);
+bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
+  MMUAccessType access_type, ARMMMUIdx mmu_idx,
+  hwaddr *phys_ptr, int *prot,
+  target_ulong *page_size,
+  ARMMMUFaultInfo *fi);
+bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
+  MMUAccessType access_type, ARMMMUIdx mmu_idx,
+  hwaddr *phys_ptr, MemTxAttrs *txattrs,
+  int *prot, target_ulong *page_size,
+  ARMMMUFaultInfo *fi);
+bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
+MMUAccessType access_type, ARMMMUIdx mmu_idx,
+bool s1_is_el0,
+hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
+target_ulong *page_size_ptr,
+ARMMM
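Review bot: the new ptw.h goes straight from its include guard and "#ifndef CONFIG_USER_ONLY" into prototypes that use CPUARMState, ARMMMUIdx, MMUAccessType, hwaddr, MemTxAttrs and ARMMMUFaultInfo, with no #include of its own in the visible part. That makes the header depend on include order in every file that uses it. Even for a temporary header, pulling in the headers that define these types, or stating in the file comment which header must precede it, would avoid build breakage as functions move between files in the rest of the series.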

[PULL 29/55] target/arm: Move ap_to_tw_prot etc to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-23-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h| 10 --
 target/arm/helper.c | 77 --
 target/arm/ptw.c| 81 +
 3 files changed, 81 insertions(+), 87 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 9314fb4d23c..85ad5767944 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -15,15 +15,5 @@ bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
 
-int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
-  int ap, int domain_prot);
-int simple_ap_to_rw_prot_is_user(int ap, bool is_user);
-
-static inline int
-simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
-{
-return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
-}
-
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
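Review bot: the three declarations dropped here are `ap_to_rw_prot`, `simple_ap_to_rw_prot_is_user` and the inline `simple_ap_to_rw_prot`, but the subject line spells the first one `ap_to_tw_prot`, which will not match a `git log --grep` for the real name. Please fix the subject and add a one-line body saying where the three end up, since the message has no description at all.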
diff --git a/target/arm/helper.c b/target/arm/helper.c
index f61f1da61e4..e894afcb491 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10537,83 +10537,6 @@ bool regime_is_user(CPUARMState *env, ARMMMUIdx 
mmu_idx)
 g_assert_not_reached();
 }
 }
-
-/* Translate section/page access permissions to page
- * R/W protection flags
- *
- * @env: CPUARMState
- * @mmu_idx: MMU index indicating required translation regime
- * @ap:  The 3-bit access permissions (AP[2:0])
- * @domain_prot: The 2-bit domain access permissions
- */
-int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap, int domain_prot)
-{
-bool is_user = regime_is_user(env, mmu_idx);
-
-if (domain_prot == 3) {
-return PAGE_READ | PAGE_WRITE;
-}
-
-switch (ap) {
-case 0:
-if (arm_feature(env, ARM_FEATURE_V7)) {
-return 0;
-}
-switch (regime_sctlr(env, mmu_idx) & (SCTLR_S | SCTLR_R)) {
-case SCTLR_S:
-return is_user ? 0 : PAGE_READ;
-case SCTLR_R:
-return PAGE_READ;
-default:
-return 0;
-}
-case 1:
-return is_user ? 0 : PAGE_READ | PAGE_WRITE;
-case 2:
-if (is_user) {
-return PAGE_READ;
-} else {
-return PAGE_READ | PAGE_WRITE;
-}
-case 3:
-return PAGE_READ | PAGE_WRITE;
-case 4: /* Reserved.  */
-return 0;
-case 5:
-return is_user ? 0 : PAGE_READ;
-case 6:
-return PAGE_READ;
-case 7:
-if (!arm_feature(env, ARM_FEATURE_V6K)) {
-return 0;
-}
-return PAGE_READ;
-default:
-g_assert_not_reached();
-}
-}
-
-/* Translate section/page access permissions to page
- * R/W protection flags.
- *
- * @ap:  The 2-bit simple AP (AP[2:1])
- * @is_user: TRUE if accessing from PL0
- */
-int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
-{
-switch (ap) {
-case 0:
-return is_user ? 0 : PAGE_READ | PAGE_WRITE;
-case 1:
-return PAGE_READ | PAGE_WRITE;
-case 2:
-return is_user ? 0 : PAGE_READ;
-case 3:
-return PAGE_READ;
-default:
-g_assert_not_reached();
-}
-}
 #endif /* !CONFIG_USER_ONLY */
 
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 427813ea563..9ab77c39980 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -211,6 +211,87 @@ static bool get_level1_table_address(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 return true;
 }
 
+/*
+ * Translate section/page access permissions to page R/W protection flags
+ * @env: CPUARMState
+ * @mmu_idx: MMU index indicating required translation regime
+ * @ap:  The 3-bit access permissions (AP[2:0])
+ * @domain_prot: The 2-bit domain access permissions
+ */
+static int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
+ int ap, int domain_prot)
+{
+bool is_user = regime_is_user(env, mmu_idx);
+
+if (domain_prot == 3) {
+return PAGE_READ | PAGE_WRITE;
+}
+
+switch (ap) {
+case 0:
+if (arm_feature(env, ARM_FEATURE_V7)) {
+return 0;
+}
+switch (regime_sctlr(env, mmu_idx) & (SCTLR_S | SCTLR_R)) {
+case SCTLR_S:
+return is_user ? 0 : PAGE_READ;
+case SCTLR_R:
+return PAGE_READ;
+default:
+return 0;
+}
+case 1:
+return is_user ? 0 : PAGE_READ | PAGE_WRITE;
+case 2:
+if (is_user) {
+return PAGE_READ;
+} else {
+return PAGE_READ | PAGE_WRITE;
+}
+case 3:
+return PAGE_READ | PAGE_WRITE;
+case 4: /* Reserved.  */
+return 0;
+case 5:
+return is
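Review bot: the added `ap_to_rw_prot` tests only `if (domain_prot == 3)` and treats every other domain value as a client domain, falling through to the `switch (ap)`. The doc comment describes `@domain_prot` as "the 2-bit domain access permissions" without saying that callers must already have faulted on the no-access and reserved encodings. Now that the function is static and its callers are all in ptw.c, add that precondition to the comment so a new caller does not hand it an unchecked value.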

[PULL 25/55] target/arm: Move arm_pamax, pamax_map into ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-19-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  2 --
 target/arm/helper.c | 25 -
 target/arm/ptw.c| 25 +
 3 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 28b8cb9fb89..fba650d01ca 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -11,8 +11,6 @@
 
 #ifndef CONFIG_USER_ONLY
 
-extern const uint8_t pamax_map[7];
-
 bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index d2b196ff3e5..563e34ecded 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10814,31 +10814,6 @@ bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int 
level,
 }
 #endif /* !CONFIG_USER_ONLY */
 
-/* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
-const uint8_t pamax_map[] = {
-[0] = 32,
-[1] = 36,
-[2] = 40,
-[3] = 42,
-[4] = 44,
-[5] = 48,
-[6] = 52,
-};
-
-/* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
-unsigned int arm_pamax(ARMCPU *cpu)
-{
-unsigned int parange =
-FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
-
-/*
- * id_aa64mmfr0 is a read-only register so values outside of the
- * supported mappings can be considered an implementation error.
- */
-assert(parange < ARRAY_SIZE(pamax_map));
-return pamax_map[parange];
-}
-
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
 if (regime_has_2_ranges(mmu_idx)) {
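Review bot: the block removed here sits after `#endif /* !CONFIG_USER_ONLY */`, so `arm_pamax` was built in every configuration, including user-only. The commit message should say whether ptw.c is compiled for user-only builds, or that no user-only code calls `arm_pamax`, because otherwise this move becomes a link failure there.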
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index e4b860d2aee..d754273fa16 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -23,6 +23,31 @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t 
address,
ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
 __attribute__((nonnull));
 
+/* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
+static const uint8_t pamax_map[] = {
+[0] = 32,
+[1] = 36,
+[2] = 40,
+[3] = 42,
+[4] = 44,
+[5] = 48,
+[6] = 52,
+};
+
+/* The cpu-specific constant value of PAMax; also used by hw/arm/virt. */
+unsigned int arm_pamax(ARMCPU *cpu)
+{
+unsigned int parange =
+FIELD_EX64(cpu->isar.id_aa64mmfr0, ID_AA64MMFR0, PARANGE);
+
+/*
+ * id_aa64mmfr0 is a read-only register so values outside of the
+ * supported mappings can be considered an implementation error.
+ */
+assert(parange < ARRAY_SIZE(pamax_map));
+return pamax_map[parange];
+}
+
 static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
 return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
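Review bot: with `pamax_map` now `static`, the `assert(parange < ARRAY_SIZE(pamax_map))` in `arm_pamax` is the only bounds check visible for the table, and it covers only the read-only ID register field. The comment above the table says the same mapping serves TCR_ELx.{I}PS, which the guest writes, so any lookup by that field elsewhere in ptw.c needs its own clamp to the 7 entries. A sentence in the table comment saying so would help.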
-- 
2.25.1




[PULL 44/55] target/arm: Do not use aarch64_sve_zcr_get_valid_len in reset

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

We don't need to constrain the value set in zcr_el[1],
because it will be done by sve_zcr_len_for_el.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-10-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index d2bd74c2ed4..06219441674 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -208,8 +208,7 @@ static void arm_cpu_reset(DeviceState *dev)
  CPACR_EL1, ZEN, 3);
 /* with reasonable vector length */
 if (cpu_isar_feature(aa64_sve, cpu)) {
-env->vfp.zcr_el[1] =
-aarch64_sve_zcr_get_valid_len(cpu, cpu->sve_default_vq - 1);
+env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
 }
 /*
  * Enable 48-bit address space (TODO: take reserved_va into account).
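Review bot: the context comment `/* with reasonable vector length */` no longer matches the new line `env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;`, which stores the raw default without checking it against the supported lengths. Update the comment to say the value is validated on use by sve_zcr_len_for_el, as the commit message explains, so nobody reads `zcr_el[1]` directly and assumes it already holds a supported length.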
-- 
2.25.1




[PULL 16/55] target/arm: Move pmsav8_mpu_lookup to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This is the final user of get_phys_addr_pmsav7_default
within helper.c, so make it static within ptw.c.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-10-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|   3 -
 target/arm/helper.c | 136 -
 target/arm/ptw.c| 146 +++-
 3 files changed, 143 insertions(+), 142 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index d569507951f..8d2e2397147 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -36,9 +36,6 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 bool m_is_ppb_region(CPUARMState *env, uint32_t address);
 bool m_is_system_region(CPUARMState *env, uint32_t address);
 
-void get_phys_addr_pmsav7_default(CPUARMState *env,
-  ARMMMUIdx mmu_idx,
-  int32_t address, int *prot);
 bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool 
is_user);
 
 bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
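Review bot: the prototype removed here takes `int32_t address`, signed, while `m_is_ppb_region` and `m_is_system_region` just above take `uint32_t address`. As the function becomes static in ptw.c with this patch, check that its definition there uses the unsigned type, and fix it in the same change if it does not.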
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 44997fd179d..cb23413d8e5 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11834,142 +11834,6 @@ void v8m_security_lookup(CPUARMState *env, uint32_t 
address,
 }
 }
 
-bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, MemTxAttrs *txattrs,
-  int *prot, bool *is_subpage,
-  ARMMMUFaultInfo *fi, uint32_t *mregion)
-{
-/* Perform a PMSAv8 MPU lookup (without also doing the SAU check
- * that a full phys-to-virt translation does).
- * mregion is (if not NULL) set to the region number which matched,
- * or -1 if no region number is returned (MPU off, address did not
- * hit a region, address hit in multiple regions).
- * We set is_subpage to true if the region hit doesn't cover the
- * entire TARGET_PAGE the address is within.
- */
-ARMCPU *cpu = env_archcpu(env);
-bool is_user = regime_is_user(env, mmu_idx);
-uint32_t secure = regime_is_secure(env, mmu_idx);
-int n;
-int matchregion = -1;
-bool hit = false;
-uint32_t addr_page_base = address & TARGET_PAGE_MASK;
-uint32_t addr_page_limit = addr_page_base + (TARGET_PAGE_SIZE - 1);
-
-*is_subpage = false;
-*phys_ptr = address;
-*prot = 0;
-if (mregion) {
-*mregion = -1;
-}
-
-/* Unlike the ARM ARM pseudocode, we don't need to check whether this
- * was an exception vector read from the vector table (which is always
- * done using the default system address map), because those accesses
- * are done in arm_v7m_load_vector(), which always does a direct
- * read using address_space_ldl(), rather than going via this function.
- */
-if (regime_translation_disabled(env, mmu_idx)) { /* MPU disabled */
-hit = true;
-} else if (m_is_ppb_region(env, address)) {
-hit = true;
-} else {
-if (pmsav7_use_background_region(cpu, mmu_idx, is_user)) {
-hit = true;
-}
-
-for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) {
-/* region search */
-/* Note that the base address is bits [31:5] from the register
- * with bits [4:0] all zeroes, but the limit address is bits
- * [31:5] from the register with bits [4:0] all ones.
- */
-uint32_t base = env->pmsav8.rbar[secure][n] & ~0x1f;
-uint32_t limit = env->pmsav8.rlar[secure][n] | 0x1f;
-
-if (!(env->pmsav8.rlar[secure][n] & 0x1)) {
-/* Region disabled */
-continue;
-}
-
-if (address < base || address > limit) {
-/*
- * Address not in this region. We must check whether the
- * region covers addresses in the same page as our address.
- * In that case we must not report a size that covers the
- * whole page for a subsequent hit against a different MPU
- * region or the background region, because it would result in
- * incorrect TLB hits for subsequent accesses to addresses that
- * are in this MPU region.
- */
-if (limit >= base &&
-ranges_overlap(base, limit - base + 1,
-   addr_page_base,
-   TARGET_PAGE_SIZE)) {
-*is_subpage = true;
-}
-continue;
-}
-
-if (base > addr_page_base || limit < addr_page_limit) {
-*is_subpage = true;
-}
-
-if (mat
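Review bot: the diffstat counts 136 lines leaving helper.c but 143 insertions, all of them in ptw.c, so `pmsav8_mpu_lookup` does not arrive unchanged. For an MPU region matcher, where the `is_subpage` and `ranges_overlap` logic decides what the TLB may cache, please list the non-motion changes in the commit message (comment restyling, the `static` on get_phys_addr_pmsav7_default) so the rest can be checked as a pure move.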

[PULL 33/55] target/arm: Move arm_cpu_get_phys_page_attrs_debug to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-27-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 26 --
 target/arm/ptw.c| 24 
 2 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 69b1c060c1f..fe1e426f883 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10606,32 +10606,6 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, 
uint64_t va,
 };
 }
 
-#ifndef CONFIG_USER_ONLY
-hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
- MemTxAttrs *attrs)
-{
-ARMCPU *cpu = ARM_CPU(cs);
-CPUARMState *env = &cpu->env;
-hwaddr phys_addr;
-target_ulong page_size;
-int prot;
-bool ret;
-ARMMMUFaultInfo fi = {};
-ARMMMUIdx mmu_idx = arm_mmu_idx(env);
-ARMCacheAttrs cacheattrs = {};
-
-*attrs = (MemTxAttrs) {};
-
-ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &phys_addr,
-attrs, &prot, &page_size, &fi, &cacheattrs);
-
-if (ret) {
-return -1;
-}
-return phys_addr;
-}
-#endif
-
 /* Note that signed overflow is undefined in C.  The following routines are
careful to use unsigned types where modulo arithmetic is required.
Failure to do so _will_ break on newer gcc.  */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index ec60afd9bff..e9f6870d0a6 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -2491,3 +2491,27 @@ bool get_phys_addr(CPUARMState *env, target_ulong 
address,
 phys_ptr, prot, page_size, fi);
 }
 }
+
+hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
+ MemTxAttrs *attrs)
+{
+ARMCPU *cpu = ARM_CPU(cs);
+CPUARMState *env = &cpu->env;
+hwaddr phys_addr;
+target_ulong page_size;
+int prot;
+bool ret;
+ARMMMUFaultInfo fi = {};
+ARMMMUIdx mmu_idx = arm_mmu_idx(env);
+ARMCacheAttrs cacheattrs = {};
+
+*attrs = (MemTxAttrs) {};
+
+ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &phys_addr,
+attrs, &prot, &page_size, &fi, &cacheattrs);
+
+if (ret) {
+return -1;
+}
+return phys_addr;
+}
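Review bot: the copy removed from helper.c was wrapped in `#ifndef CONFIG_USER_ONLY`, and the copy of `arm_cpu_get_phys_page_attrs_debug` added here has no guard of its own. If ptw.c is only ever built for system emulation, say so in the commit message; if not, the guard needs to move with the function.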
-- 
2.25.1




[PULL 27/55] target/arm: Move check_s2_mmu_setup to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-21-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  2 --
 target/arm/helper.c | 70 -
 target/arm/ptw.c| 70 +
 3 files changed, 70 insertions(+), 72 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 93147e0b065..a71161b01bd 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -27,8 +27,6 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 
 ARMVAParameters aa32_va_parameters(CPUARMState *env, uint32_t va,
ARMMMUIdx mmu_idx);
-bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-int inputsize, int stride, int outputsize);
 
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 148eb28ba8c..2526f4c6c4a 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10614,76 +10614,6 @@ int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
 g_assert_not_reached();
 }
 }
-
-/*
- * check_s2_mmu_setup
- * @cpu:ARMCPU
- * @is_aa64:True if the translation regime is in AArch64 state
- * @startlevel: Suggested starting level
- * @inputsize:  Bitsize of IPAs
- * @stride: Page-table stride (See the ARM ARM)
- *
- * Returns true if the suggested S2 translation parameters are OK and
- * false otherwise.
- */
-bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-int inputsize, int stride, int outputsize)
-{
-const int grainsize = stride + 3;
-int startsizecheck;
-
-/*
- * Negative levels are usually not allowed...
- * Except for FEAT_LPA2, 4k page table, 52-bit address space, which
- * begins with level -1.  Note that previous feature tests will have
- * eliminated this combination if it is not enabled.
- */
-if (level < (inputsize == 52 && stride == 9 ? -1 : 0)) {
-return false;
-}
-
-startsizecheck = inputsize - ((3 - level) * stride + grainsize);
-if (startsizecheck < 1 || startsizecheck > stride + 4) {
-return false;
-}
-
-if (is_aa64) {
-switch (stride) {
-case 13: /* 64KB Pages.  */
-if (level == 0 || (level == 1 && outputsize <= 42)) {
-return false;
-}
-break;
-case 11: /* 16KB Pages.  */
-if (level == 0 || (level == 1 && outputsize <= 40)) {
-return false;
-}
-break;
-case 9: /* 4KB Pages.  */
-if (level == 0 && outputsize <= 42) {
-return false;
-}
-break;
-default:
-g_assert_not_reached();
-}
-
-/* Inputsize checks.  */
-if (inputsize > outputsize &&
-(arm_el_is_aa64(&cpu->env, 1) || inputsize > 40)) {
-/* This is CONSTRAINED UNPREDICTABLE and we choose to fault.  */
-return false;
-}
-} else {
-/* AArch32 only supports 4KB pages. Assert on that.  */
-assert(stride == 9);
-
-if (level == 0) {
-return false;
-}
-}
-return true;
-}
 #endif /* !CONFIG_USER_ONLY */
 
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index af9ad420288..525272e99af 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -615,6 +615,76 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
bool is_aa64,
 return prot_rw | PAGE_EXEC;
 }
 
+/*
+ * check_s2_mmu_setup
+ * @cpu:ARMCPU
+ * @is_aa64:True if the translation regime is in AArch64 state
+ * @startlevel: Suggested starting level
+ * @inputsize:  Bitsize of IPAs
+ * @stride: Page-table stride (See the ARM ARM)
+ *
+ * Returns true if the suggested S2 translation parameters are OK and
+ * false otherwise.
+ */
+static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
+   int inputsize, int stride, int outputsize)
+{
+const int grainsize = stride + 3;
+int startsizecheck;
+
+/*
+ * Negative levels are usually not allowed...
+ * Except for FEAT_LPA2, 4k page table, 52-bit address space, which
+ * begins with level -1.  Note that previous feature tests will have
+ * eliminated this combination if it is not enabled.
+ */
+if (level < (inputsize == 52 && stride == 9 ? -1 : 0)) {
+return false;
+}
+
+startsizecheck = inputsize - ((3 - level) * stride + grainsize);
+if (startsizecheck < 1 || startsizecheck > stride + 4) {
+return false;
+}
+
+if (is_aa64) {
+switch (stride) {
+case 13: /* 64KB Pages.  */
+if (level == 0 || (level == 1 && outputsize <= 42)) {
+return fal
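Review bot: the doc block added above `check_s2_mmu_setup` documents `@startlevel`, but the parameter is named `level`, and `outputsize` has no entry at all. Since the comment is being re-added in ptw.c anyway, rename the entry to `@level` and add `@outputsize`, which the page-size checks compare against.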

[PULL 45/55] target/arm: Merge aarch64_sve_zcr_get_valid_len into caller

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This function is used only once, and will need modification
for Streaming SVE mode.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-11-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/internals.h | 11 ---
 target/arm/helper.c| 30 +++---
 2 files changed, 11 insertions(+), 30 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index ceaddcbfd6e..79eb4637538 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -189,17 +189,6 @@ void arm_translate_init(void);
 void arm_cpu_synchronize_from_tb(CPUState *cs, const TranslationBlock *tb);
 #endif /* CONFIG_TCG */
 
-/**
- * aarch64_sve_zcr_get_valid_len:
- * @cpu: cpu context
- * @start_len: maximum len to consider
- *
- * Return the maximum supported sve vector length <= @start_len.
- * Note that both @start_len and the return value are in units
- * of ZCR_ELx.LEN, so the vector bit length is (x + 1) * 128.
- */
-uint32_t aarch64_sve_zcr_get_valid_len(ARMCPU *cpu, uint32_t start_len);
-
 enum arm_fprounding {
 FPROUNDING_TIEEVEN,
 FPROUNDING_POSINF,
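Review bot: the kernel-doc removed here was the only place stating that the values are in units of ZCR_ELx.LEN, so that the vector bit length is (x + 1) * 128. Move that sentence to the comment on `sve_zcr_len_for_el`, which takes over the helper's job and currently says only that it returns the vector length for EL.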
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 61e8026d0e3..de159c644cd 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6212,39 +6212,31 @@ int sve_exception_el(CPUARMState *env, int el)
 return 0;
 }
 
-uint32_t aarch64_sve_zcr_get_valid_len(ARMCPU *cpu, uint32_t start_len)
-{
-uint32_t end_len;
-
-start_len = MIN(start_len, ARM_MAX_VQ - 1);
-end_len = start_len;
-
-if (!test_bit(start_len, cpu->sve_vq_map)) {
-end_len = find_last_bit(cpu->sve_vq_map, start_len);
-assert(end_len < start_len);
-}
-return end_len;
-}
-
 /*
  * Given that SVE is enabled, return the vector length for EL.
  */
 uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
 {
 ARMCPU *cpu = env_archcpu(env);
-uint32_t zcr_len = cpu->sve_max_vq - 1;
+uint32_t len = cpu->sve_max_vq - 1;
+uint32_t end_len;
 
 if (el <= 1 && !el_is_in_host(env, el)) {
-zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
+len = MIN(len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
 }
 if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
-zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]);
+len = MIN(len, 0xf & (uint32_t)env->vfp.zcr_el[2]);
 }
 if (arm_feature(env, ARM_FEATURE_EL3)) {
-zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]);
+len = MIN(len, 0xf & (uint32_t)env->vfp.zcr_el[3]);
 }
 
-return aarch64_sve_zcr_get_valid_len(cpu, zcr_len);
+end_len = len;
+if (!test_bit(len, cpu->sve_vq_map)) {
+end_len = find_last_bit(cpu->sve_vq_map, len);
+assert(end_len < len);
+}
+return end_len;
 }
 
 static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
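Review bot: the merged code drops the `start_len = MIN(start_len, ARM_MAX_VQ - 1);` clamp that the removed helper applied before `test_bit`. `len` is bounded by `cpu->sve_max_vq - 1` and the `0xf` masks, so this is safe only while `sve_max_vq <= ARM_MAX_VQ` holds. An `assert` or a comment stating that invariant next to `end_len = len;` would keep the `test_bit` and `find_last_bit` index provably inside `sve_vq_map`.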
-- 
2.25.1




[PULL 17/55] target/arm: Move pmsav7_use_background_region to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-11-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  2 --
 target/arm/helper.c | 19 ---
 target/arm/ptw.c| 21 +
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 8d2e2397147..d2d27119082 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -36,8 +36,6 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int 
ap)
 bool m_is_ppb_region(CPUARMState *env, uint32_t address);
 bool m_is_system_region(CPUARMState *env, uint32_t address);
 
-bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool 
is_user);
-
 bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 MMUAccessType access_type, ARMMMUIdx mmu_idx,
 bool s1_is_el0,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index cb23413d8e5..62e48f0925c 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11678,25 +11678,6 @@ do_fault:
 return true;
 }
 
-bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool is_user)
-{
-/* Return true if we should use the default memory map as a
- * "background" region if there are no hits against any MPU regions.
- */
-CPUARMState *env = &cpu->env;
-
-if (is_user) {
-return false;
-}
-
-if (arm_feature(env, ARM_FEATURE_M)) {
-return env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)]
-& R_V7M_MPU_CTRL_PRIVDEFENA_MASK;
-} else {
-return regime_sctlr(env, mmu_idx) & SCTLR_BR;
-}
-}
-
 bool m_is_ppb_region(CPUARMState *env, uint32_t address)
 {
 /* True if address is in the M profile PPB region 0xe000 - 0xe00f 
*/
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 989e783cce9..b82638b5a06 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -415,6 +415,27 @@ static void get_phys_addr_pmsav7_default(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 }
 }
 
+static bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+ bool is_user)
+{
+/*
+ * Return true if we should use the default memory map as a
+ * "background" region if there are no hits against any MPU regions.
+ */
+CPUARMState *env = &cpu->env;
+
+if (is_user) {
+return false;
+}
+
+if (arm_feature(env, ARM_FEATURE_M)) {
+return env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)]
+& R_V7M_MPU_CTRL_PRIVDEFENA_MASK;
+} else {
+return regime_sctlr(env, mmu_idx) & SCTLR_BR;
+}
+}
+
 static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
  MMUAccessType access_type, ARMMMUIdx mmu_idx,
  hwaddr *phys_ptr, int *prot,
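Review bot: both return statements in the added `pmsav7_use_background_region` hand a masked register value straight to a `bool` return (`... & R_V7M_MPU_CTRL_PRIVDEFENA_MASK` and `... & SCTLR_BR`). That works through the implicit conversion, but an explicit `!= 0` would make the intent clear and would survive a later change of the return type.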
-- 
2.25.1




[PULL 35/55] target/arm: Pass CPUARMState to arm_ld[lq]_ptw

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

The use of ARM_CPU to recover env from cs calls
object_class_dynamic_cast, which shows up on the profile.
This is pointless, because all callers already have env, and
the reverse operation, env_cpu, is only pointer arithmetic.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-29-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.c | 23 +--
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 49e9a1d108e..4d97a248084 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -241,11 +241,10 @@ static hwaddr S1_ptw_translate(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 }
 
 /* All loads done in the course of a page table walk go through here. */
-static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
 ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 {
-ARMCPU *cpu = ARM_CPU(cs);
-CPUARMState *env = &cpu->env;
+CPUState *cs = env_cpu(env);
 MemTxAttrs attrs = {};
 MemTxResult result = MEMTX_OK;
 AddressSpace *as;
@@ -270,11 +269,10 @@ static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, 
bool is_secure,
 return 0;
 }
 
-static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
+static uint64_t arm_ldq_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
 ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 {
-ARMCPU *cpu = ARM_CPU(cs);
-CPUARMState *env = &cpu->env;
+CPUState *cs = env_cpu(env);
 MemTxAttrs attrs = {};
 MemTxResult result = MEMTX_OK;
 AddressSpace *as;
@@ -409,7 +407,6 @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t 
address,
  target_ulong *page_size,
  ARMMMUFaultInfo *fi)
 {
-CPUState *cs = env_cpu(env);
 int level = 1;
 uint32_t table;
 uint32_t desc;
@@ -427,7 +424,7 @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t 
address,
 fi->type = ARMFault_Translation;
 goto do_fault;
 }
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
+desc = arm_ldl_ptw(env, table, regime_is_secure(env, mmu_idx),
mmu_idx, fi);
 if (fi->type != ARMFault_None) {
 goto do_fault;
@@ -466,7 +463,7 @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t 
address,
 /* Fine pagetable.  */
 table = (desc & 0xf000) | ((address >> 8) & 0xffc);
 }
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
+desc = arm_ldl_ptw(env, table, regime_is_secure(env, mmu_idx),
mmu_idx, fi);
 if (fi->type != ARMFault_None) {
 goto do_fault;
@@ -531,7 +528,6 @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t 
address,
  hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
  target_ulong *page_size, ARMMMUFaultInfo *fi)
 {
-CPUState *cs = env_cpu(env);
 ARMCPU *cpu = env_archcpu(env);
 int level = 1;
 uint32_t table;
@@ -553,7 +549,7 @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t 
address,
 fi->type = ARMFault_Translation;
 goto do_fault;
 }
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
+desc = arm_ldl_ptw(env, table, regime_is_secure(env, mmu_idx),
mmu_idx, fi);
 if (fi->type != ARMFault_None) {
 goto do_fault;
@@ -607,7 +603,7 @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t 
address,
 ns = extract32(desc, 3, 1);
 /* Lookup l2 entry.  */
 table = (desc & 0xfc00) | ((address >> 10) & 0x3fc);
-desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx),
+desc = arm_ldl_ptw(env, table, regime_is_secure(env, mmu_idx),
mmu_idx, fi);
 if (fi->type != ARMFault_None) {
 goto do_fault;
@@ -973,7 +969,6 @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t 
address,
ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
 {
 ARMCPU *cpu = env_archcpu(env);
-CPUState *cs = CPU(cpu);
 /* Read an LPAE long-descriptor translation table. */
 ARMFaultType fault_type = ARMFault_Translation;
 uint32_t level;
@@ -1196,7 +1191,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t 
address,
 descaddr |= (address >> (stride * (4 - level))) & indexmask;
 descaddr &= ~7ULL;
 nstable = extract32(tableattrs, 4, 1);
-descriptor = arm_ldq_ptw(cs, descaddr, !nstable, mmu_idx, fi);
+descriptor = arm_ldq_ptw(env, descaddr, !nstable, mmu_idx, fi);
 if (fi->type != ARMFault_None) {
 goto do_fault;
 }
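Review bot: at `arm_ldq_ptw(env, descaddr, !nstable, mmu_idx, fi)` the security state of the load comes from the table attributes, whereas the v5 and v6 callers pass `regime_is_secure(env, mmu_idx)`, computed from the very `env` and `mmu_idx` they now also pass. Add a one-line comment on `arm_ldl_ptw` and `arm_ldq_ptw` stating that `is_secure` is the security state of the walk access itself and not of the regime, so a later cleanup does not fold it into `env` and lose the `nstable` case.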
-- 
2.25.1




[PULL 38/55] target/arm: Remove route_to_el2 check from sve_exception_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

We handle this routing in raise_exception.  Promoting the value early
means that we can't directly compare FPEXC_EL and SVEEXC_EL.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-4-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index c228deca755..1bd77af7e50 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6149,8 +6149,7 @@ int sve_exception_el(CPUARMState *env, int el)
 /* fall through */
 case 0:
 case 2:
-/* route_to_el2 */
-return hcr_el2 & HCR_TGE ? 2 : 1;
+return 1;
 }
 
 /* Check CPACR.FPEN.  */
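Review bot: after this change `case 0` and `case 2` return 1 regardless of HCR_TGE, and the deleted `/* route_to_el2 */` comment was the only hint that routing matters at this point. Add a short comment at `return 1;` saying that promotion to EL2 now happens in raise_exception, and check whether `hcr_el2` is still used in the function so the build does not pick up an unused variable.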
-- 
2.25.1




[PULL 48/55] target/arm: Split out load/store primitives to sve_ldst_internal.h

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Begin creation of sve_ldst_internal.h by moving the primitives
that access host and tlb memory.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-14-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/sve_ldst_internal.h | 127 +
 target/arm/sve_helper.c| 107 +--
 2 files changed, 128 insertions(+), 106 deletions(-)
 create mode 100644 target/arm/sve_ldst_internal.h

diff --git a/target/arm/sve_ldst_internal.h b/target/arm/sve_ldst_internal.h
new file mode 100644
index 000..ef9117e84c1
--- /dev/null
+++ b/target/arm/sve_ldst_internal.h
@@ -0,0 +1,127 @@
+/*
+ * ARM SVE Load/Store Helpers
+ *
+ * Copyright (c) 2018-2022 Linaro
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#ifndef TARGET_ARM_SVE_LDST_INTERNAL_H
+#define TARGET_ARM_SVE_LDST_INTERNAL_H
+
+#include "exec/cpu_ldst.h"
+
+/*
+ * Load one element into @vd + @reg_off from @host.
+ * The controlling predicate is known to be true.
+ */
+typedef void sve_ldst1_host_fn(void *vd, intptr_t reg_off, void *host);
+
+/*
+ * Load one element into @vd + @reg_off from (@env, @vaddr, @ra).
+ * The controlling predicate is known to be true.
+ */
+typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
+  target_ulong vaddr, uintptr_t retaddr);
+
+/*
+ * Generate the above primitives.
+ */
+
+#define DO_LD_HOST(NAME, H, TYPEE, TYPEM, HOST)  \
+static inline void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host) \
+{ TYPEM val = HOST(host); *(TYPEE *)(vd + H(reg_off)) = val; }
+
+#define DO_ST_HOST(NAME, H, TYPEE, TYPEM, HOST)  \
+static inline void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host) \
+{ TYPEM val = *(TYPEE *)(vd + H(reg_off)); HOST(host, val); }
+
+#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB)  \
+static inline void sve_##NAME##_tlb(CPUARMState *env, void *vd,\
+intptr_t reg_off, target_ulong addr, uintptr_t ra) \
+{  \
+TYPEM val = TLB(env, useronly_clean_ptr(addr), ra);\
+*(TYPEE *)(vd + H(reg_off)) = val; \
+}
+
+#define DO_ST_TLB(NAME, H, TYPEE, TYPEM, TLB)  \
+static inline void sve_##NAME##_tlb(CPUARMState *env, void *vd,\
+intptr_t reg_off, target_ulong addr, uintptr_t ra) \
+{  \
+TYPEM val = *(TYPEE *)(vd + H(reg_off));   \
+TLB(env, useronly_clean_ptr(addr), val, ra);   \
+}
+
+#define DO_LD_PRIM_1(NAME, H, TE, TM)   \
+DO_LD_HOST(NAME, H, TE, TM, ldub_p) \
+DO_LD_TLB(NAME, H, TE, TM, cpu_ldub_data_ra)
+
+DO_LD_PRIM_1(ld1bb,  H1,   uint8_t,  uint8_t)
+DO_LD_PRIM_1(ld1bhu, H1_2, uint16_t, uint8_t)
+DO_LD_PRIM_1(ld1bhs, H1_2, uint16_t,  int8_t)
+DO_LD_PRIM_1(ld1bsu, H1_4, uint32_t, uint8_t)
+DO_LD_PRIM_1(ld1bss, H1_4, uint32_t,  int8_t)
+DO_LD_PRIM_1(ld1bdu, H1_8, uint64_t, uint8_t)
+DO_LD_PRIM_1(ld1bds, H1_8, uint64_t,  int8_t)
+
+#define DO_ST_PRIM_1(NAME, H, TE, TM)   \
+DO_ST_HOST(st1##NAME, H, TE, TM, stb_p) \
+DO_ST_TLB(st1##NAME, H, TE, TM, cpu_stb_data_ra)
+
+DO_ST_PRIM_1(bb,   H1,  uint8_t, uint8_t)
+DO_ST_PRIM_1(bh, H1_2, uint16_t, uint8_t)
+DO_ST_PRIM_1(bs, H1_4, uint32_t, uint8_t)
+DO_ST_PRIM_1(bd, H1_8, uint64_t, uint8_t)
+
+#define DO_LD_PRIM_2(NAME, H, TE, TM, LD) \
+DO_LD_HOST(ld1##NAME##_be, H, TE, TM, LD##_be_p)\
+DO_LD_HOST(ld1##NAME##_le, H, TE, TM, LD##_le_p)\
+DO_LD_TLB(ld1##NAME##_be, H, TE, TM, cpu_##LD##_be_data_ra) \
+DO_LD_TLB(ld1##NAME##_le, H, TE, TM, cpu_##LD##_le_data_ra)
+
+#define DO_ST_PRIM_2(NAME, H, TE, TM, ST) \
+DO_ST_HOST(st1##NAME##_be, H, TE, TM, ST##_be_p)\
+DO_ST_HOST(st1##NAME##_le, H, TE, TM, ST##_le_p)\
+DO_ST_TLB(st1##NAME##_be, H, TE, TM, cpu_##ST##_be_data_ra) \
+DO_ST_TLB(st1##NAME##_le, H, TE, TM, cpu_##ST##_le_data_ra)
+
+DO_LD_PRIM_2(hh,  H1_2, uint16_t, uint16_t,
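
Review bot: The DO_LD_PRIM_1 and DO_ST_PRIM_1 instantiations in this new header expand H1, H1_2, H1_4 and H1_8, but the only include is "exec/cpu_ldst.h", so the header compiles only if every includer has already pulled in the file that defines the H macros. Include that header here (the H macros sit in vec_internal.h) so that sve_ldst_internal.h is self-contained. The comments above sve_ldst1_host_fn and sve_ldst1_tlb_fn also say only "Load one element", although the same typedefs are used for the st1 primitives generated below; mention the store direction as well.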

[PULL 14/55] target/arm: Move get_phys_addr_pmsav7 to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-8-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  10 +--
 target/arm/helper.c | 194 +---
 target/arm/ptw.c| 190 +++
 3 files changed, 198 insertions(+), 196 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index d6e3fee1523..d24b7c263a8 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -33,14 +33,14 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
int ap)
 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
+bool m_is_ppb_region(CPUARMState *env, uint32_t address);
+bool m_is_system_region(CPUARMState *env, uint32_t address);
+
 void get_phys_addr_pmsav7_default(CPUARMState *env,
   ARMMMUIdx mmu_idx,
   int32_t address, int *prot);
-bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  target_ulong *page_size,
-  ARMMMUFaultInfo *fi);
+bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool 
is_user);
+
 bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
   MMUAccessType access_type, ARMMMUIdx mmu_idx,
   hwaddr *phys_ptr, MemTxAttrs *txattrs,
diff --git a/target/arm/helper.c b/target/arm/helper.c
index d4f7c05625c..2ebaf694075 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -11678,8 +11678,7 @@ do_fault:
 return true;
 }
 
-static bool pmsav7_use_background_region(ARMCPU *cpu,
- ARMMMUIdx mmu_idx, bool is_user)
+bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool is_user)
 {
 /* Return true if we should use the default memory map as a
  * "background" region if there are no hits against any MPU regions.
@@ -11698,14 +11697,14 @@ static bool pmsav7_use_background_region(ARMCPU *cpu,
 }
 }
 
-static inline bool m_is_ppb_region(CPUARMState *env, uint32_t address)
+bool m_is_ppb_region(CPUARMState *env, uint32_t address)
 {
 /* True if address is in the M profile PPB region 0xe000 - 0xe00f 
*/
 return arm_feature(env, ARM_FEATURE_M) &&
 extract32(address, 20, 12) == 0xe00;
 }
 
-static inline bool m_is_system_region(CPUARMState *env, uint32_t address)
+bool m_is_system_region(CPUARMState *env, uint32_t address)
 {
 /* True if address is in the M profile system region
  * 0xe000 - 0x
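
Review bot: m_is_ppb_region() and m_is_system_region() are single-expression predicates, and dropping "static inline" in this hunk turns every use from the other file into an out-of-line call on the address translation path. Consider moving both bodies into ptw.h as static inline functions instead of exporting prototypes, or say in the commit message that the export is a temporary step of the move.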
@@ -11713,193 +11712,6 @@ static inline bool m_is_system_region(CPUARMState 
*env, uint32_t address)
 return arm_feature(env, ARM_FEATURE_M) && extract32(address, 29, 3) == 0x7;
 }
 
-bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
-  MMUAccessType access_type, ARMMMUIdx mmu_idx,
-  hwaddr *phys_ptr, int *prot,
-  target_ulong *page_size,
-  ARMMMUFaultInfo *fi)
-{
-ARMCPU *cpu = env_archcpu(env);
-int n;
-bool is_user = regime_is_user(env, mmu_idx);
-
-*phys_ptr = address;
-*page_size = TARGET_PAGE_SIZE;
-*prot = 0;
-
-if (regime_translation_disabled(env, mmu_idx) ||
-m_is_ppb_region(env, address)) {
-/* MPU disabled or M profile PPB access: use default memory map.
- * The other case which uses the default memory map in the
- * v7M ARM ARM pseudocode is exception vector reads from the vector
- * table. In QEMU those accesses are done in arm_v7m_load_vector(),
- * which always does a direct read using address_space_ldl(), rather
- * than going via this function, so we don't need to check that here.
- */
-get_phys_addr_pmsav7_default(env, mmu_idx, address, prot);
-} else { /* MPU enabled */
-for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) {
-/* region search */
-uint32_t base = env->pmsav7.drbar[n];
-uint32_t rsize = extract32(env->pmsav7.drsr[n], 1, 5);
-uint32_t rmask;
-bool srdis = false;
-
-if (!(env->pmsav7.drsr[n] & 0x1)) {
-continue;
-}
-
-if (!rsize) {
-qemu_log_mask(LOG_GUEST_ERROR,
-  "DRSR[%d]: Rsize field cannot be 0\n", n);
-continue;
-}
-rsize++;
-rmask = (1ull << rsize) - 1;
-
-if (base & rmask) {
-qemu_log_mask(LOG_GUEST_ERROR,
-  "DRBAR[%d]: 0x%" PRIx32 " misaligned "
-  "to DRSR region size, mask = 0x%" PRIx32 "\n",
-  n, b

[PULL 43/55] target/arm: Hoist arm_is_el2_enabled check in sve_exception_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This check is buried within arm_hcr_el2_eff(), but since we
have to have the explicit check for CPTR_EL2.TZ, we might as
well just check it once at the beginning of the block.

Once this is done, we can test HCR_EL2.{E2H,TGE} directly,
rather than going through arm_hcr_el2_eff().

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-9-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 13 +
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 40b60b1eea2..61e8026d0e3 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6183,15 +6183,12 @@ int sve_exception_el(CPUARMState *env, int el)
 }
 }
 
-/*
- * CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE).
- */
-if (el <= 2) {
-uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-if (hcr_el2 & HCR_E2H) {
+if (el <= 2 && arm_is_el2_enabled(env)) {
+/* CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE). */
+if (env->cp15.hcr_el2 & HCR_E2H) {
 switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, ZEN)) {
 case 1:
-if (el != 0 || !(hcr_el2 & HCR_TGE)) {
+if (el != 0 || !(env->cp15.hcr_el2 & HCR_TGE)) {
 break;
 }
 /* fall through */
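
Review bot: The raw env->cp15.hcr_el2 reads for HCR_E2H and HCR_TGE are valid only because of the new arm_is_el2_enabled(env) guard on the enclosing "if (el <= 2 && ...)", and nothing at the read sites says so. Extend the comment inside the block to state that the raw register is used deliberately because EL2 is known to be enabled at this point, so that a later edit which moves or copies the E2H/TGE tests outside the guard does not silently change which exception level an SVE access traps to.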
@@ -6199,7 +6196,7 @@ int sve_exception_el(CPUARMState *env, int el)
 case 2:
 return 2;
 }
-} else if (arm_is_el2_enabled(env)) {
+} else {
 if (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, TZ)) {
 return 2;
 }
-- 
2.25.1




[PULL 50/55] target/arm: Move expand_pred_b to vec_internal.h

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Put the inline function near the array declaration.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-16-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/vec_internal.h | 8 +++-
 target/arm/sve_helper.c   | 9 -
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/target/arm/vec_internal.h b/target/arm/vec_internal.h
index 1d63402042f..d1a1ea4a668 100644
--- a/target/arm/vec_internal.h
+++ b/target/arm/vec_internal.h
@@ -50,8 +50,14 @@
 #define H8(x)   (x)
 #define H1_8(x) (x)
 
-/* Data for expanding active predicate bits to bytes, for byte elements. */
+/*
+ * Expand active predicate bits to bytes, for byte elements.
+ */
 extern const uint64_t expand_pred_b_data[256];
+static inline uint64_t expand_pred_b(uint8_t byte)
+{
+return expand_pred_b_data[byte];
+}
 
 static inline void clear_tail(void *vd, uintptr_t opr_sz, uintptr_t max_sz)
 {
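
Review bot: The rewritten comment above expand_pred_b_data drops the note that the table itself is defined in vec_helper.c because MVE also needs it, which is exactly what a reader of this header wants to know. Keep that sentence in the new comment, and add a blank line between the extern declaration and expand_pred_b() to match the spacing used for clear_tail() below.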
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 8cd371e3e37..e865c125273 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -103,15 +103,6 @@ uint32_t HELPER(sve_predtest)(void *vd, void *vg, uint32_t 
words)
 return flags;
 }
 
-/*
- * Expand active predicate bits to bytes, for byte elements.
- * (The data table itself is in vec_helper.c as MVE also needs it.)
- */
-static inline uint64_t expand_pred_b(uint8_t byte)
-{
-return expand_pred_b_data[byte];
-}
-
 /* Similarly for half-word elements.
  *  for (i = 0; i < 256; ++i) {
  *  unsigned long m = 0;
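
Review bot: After this removal the next comment in sve_helper.c still begins "Similarly for half-word elements", but the byte-element helper it refers back to is no longer in this file. Reword that comment so it stands on its own, for example by naming expand_pred_b() in vec_internal.h as the thing it is similar to.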
-- 
2.25.1




[PULL 46/55] target/arm: Use uint32_t instead of bitmap for sve vq's

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

The bitmap need only hold 15 bits; bitmap is over-complicated.
We can simplify operations quite a bit with plain logical ops.

The introduction of SVE_VQ_POW2_MAP eliminates the need for
looping in order to search for powers of two.  Simply perform
the logical ops and use count leading or trailing zeros as
required to find the result.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-12-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.h   |   6 +--
 target/arm/internals.h |   5 ++
 target/arm/kvm_arm.h   |   7 ++-
 target/arm/cpu64.c | 117 -
 target/arm/helper.c|   9 +---
 target/arm/kvm64.c |  36 +++--
 6 files changed, 75 insertions(+), 105 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index f5af88b686d..73f24a57603 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1041,9 +1041,9 @@ struct ArchCPU {
  * Bits set in sve_vq_supported represent valid vector lengths for
  * the CPU type.
  */
-DECLARE_BITMAP(sve_vq_map, ARM_MAX_VQ);
-DECLARE_BITMAP(sve_vq_init, ARM_MAX_VQ);
-DECLARE_BITMAP(sve_vq_supported, ARM_MAX_VQ);
+uint32_t sve_vq_map;
+uint32_t sve_vq_init;
+uint32_t sve_vq_supported;
 
 /* Generic timer counter frequency, in Hz */
 uint64_t gt_cntfrq_hz;
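
Review bot: With DECLARE_BITMAP(..., ARM_MAX_VQ) replaced by uint32_t for sve_vq_map, sve_vq_init and sve_vq_supported, nothing ties the width of these fields to ARM_MAX_VQ any more. Add a build-time check such as QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 32) alongside the code that uses them, and extend the existing comment to say that bit (vq - 1) represents vector length vq, since the bitmap helpers that made the indexing explicit are gone.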
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 79eb4637538..a1bae4588ae 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1340,4 +1340,9 @@ bool el_is_in_host(CPUARMState *env, int el);
 
 void aa32_max_features(ARMCPU *cpu);
 
+/* Powers of 2 for sve_vq_map et al. */
+#define SVE_VQ_POW2_MAP \
+((1 << (1 - 1)) | (1 << (2 - 1)) |  \
+ (1 << (4 - 1)) | (1 << (8 - 1)) | (1 << (16 - 1)))
+
 #endif
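
Review bot: SVE_VQ_POW2_MAP is built from signed int shifts such as (1 << (16 - 1)) but is meant to be combined with the uint32_t sve_vq_* fields; use 1u in each term so the macro has unsigned type. The comment should also say that bit (vq - 1) stands for vector length vq, because the "- 1" in every term is otherwise unexplained at the point of definition.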
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index b7f78b52154..99017b635ce 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -239,13 +239,12 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures 
*ahcf);
 /**
  * kvm_arm_sve_get_vls:
  * @cs: CPUState
- * @map: bitmap to fill in
  *
  * Get all the SVE vector lengths supported by the KVM host, setting
  * the bits corresponding to their length in quadwords minus one
- * (vq - 1) in @map up to ARM_MAX_VQ.
+ * (vq - 1) up to ARM_MAX_VQ.  Return the resulting map.
  */
-void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map);
+uint32_t kvm_arm_sve_get_vls(CPUState *cs);
 
 /**
  * kvm_arm_set_cpu_features_from_host:
@@ -439,7 +438,7 @@ static inline void kvm_arm_steal_time_finalize(ARMCPU *cpu, 
Error **errp)
 g_assert_not_reached();
 }
 
-static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
+static inline uint32_t kvm_arm_sve_get_vls(CPUState *cs)
 {
 g_assert_not_reached();
 }
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index cce68dd82a2..15665c962b2 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -355,8 +355,11 @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
  * any of the above.  Finally, if SVE is not disabled, then at least one
  * vector length must be enabled.
  */
-DECLARE_BITMAP(tmp, ARM_MAX_VQ);
-uint32_t vq, max_vq = 0;
+uint32_t vq_map = cpu->sve_vq_map;
+uint32_t vq_init = cpu->sve_vq_init;
+uint32_t vq_supported;
+uint32_t vq_mask = 0;
+uint32_t tmp, vq, max_vq = 0;
 
 /*
  * CPU models specify a set of supported vector lengths which are
@@ -364,10 +367,16 @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
  * in the supported bitmap results in an error.  When KVM is enabled we
  * fetch the supported bitmap from the host.
  */
-if (kvm_enabled() && kvm_arm_sve_supported()) {
-kvm_arm_sve_get_vls(CPU(cpu), cpu->sve_vq_supported);
-} else if (kvm_enabled()) {
-assert(!cpu_isar_feature(aa64_sve, cpu));
+if (kvm_enabled()) {
+if (kvm_arm_sve_supported()) {
+cpu->sve_vq_supported = kvm_arm_sve_get_vls(CPU(cpu));
+vq_supported = cpu->sve_vq_supported;
+} else {
+assert(!cpu_isar_feature(aa64_sve, cpu));
+vq_supported = 0;
+}
+} else {
+vq_supported = cpu->sve_vq_supported;
 }
 
 /*
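
Review bot: In the kvm_enabled() branch where kvm_arm_sve_supported() is false, the local vq_supported is set to 0 while cpu->sve_vq_supported keeps whatever value it had, so the local copy and the field can now disagree; the removed lines did not zero anything in this case. Either clear cpu->sve_vq_supported in that branch too, or add a comment saying why the rest of the function must see 0 while the field is left alone.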
@@ -375,8 +384,9 @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
  * From the properties, sve_vq_map implies sve_vq_init.
  * Check first for any sve enabled.
  */
-if (!bitmap_empty(cpu->sve_vq_map, ARM_MAX_VQ)) {
-max_vq = find_last_bit(cpu->sve_vq_map, ARM_MAX_VQ) + 1;
+if (vq_map != 0) {
+max_vq = 32 - clz32(vq_map);
+vq_mask = MAKE_64BIT_MASK(0, max_vq);
 
 if (cpu->sve_max_vq && max_vq > cpu->sve_max_vq) {
 error_setg(errp, "cannot enable sve%d", max_vq * 128);
@@ -392,15 +402,10 @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
  * For K

[PULL 20/55] target/arm: Move get_level1_table_address to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-14-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  4 ++--
 target/arm/helper.c | 26 +-
 target/arm/ptw.c| 23 +++
 3 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 6c47a575991..dd6fb93f336 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -18,11 +18,11 @@ uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool 
is_secure,
 
 bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
+uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
+
 ARMCacheAttrs combine_cacheattrs(CPUARMState *env,
  ARMCacheAttrs s1, ARMCacheAttrs s2);
 
-bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
-  uint32_t *table, uint32_t address);
 int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
   int ap, int domain_prot);
 int simple_ap_to_rw_prot_is_user(int ap, bool is_user);
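
Review bot: regime_ttbr() is added to ptw.h as a bare prototype, while its one-line description ("Return the TTBR associated with this translation regime") stays above the definition in helper.c. Carry the comment with the prototype and say what values of ttbrn are accepted, since callers in another file will now read the header rather than the definition.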
diff --git a/target/arm/helper.c b/target/arm/helper.c
index d2ef12346b6..a144cb26413 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10482,8 +10482,7 @@ static inline bool 
regime_translation_big_endian(CPUARMState *env,
 }
 
 /* Return the TTBR associated with this translation regime */
-static inline uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx,
-   int ttbrn)
+uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
 {
 if (mmu_idx == ARMMMUIdx_Stage2) {
 return env->cp15.vttbr_el2;
@@ -10774,29 +10773,6 @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx 
mmu_idx, bool is_aa64,
 return prot_rw | PAGE_EXEC;
 }
 
-bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
-  uint32_t *table, uint32_t address)
-{
-/* Note that we can only get here for an AArch32 PL0/PL1 lookup */
-TCR *tcr = regime_tcr(env, mmu_idx);
-
-if (address & tcr->mask) {
-if (tcr->raw_tcr & TTBCR_PD1) {
-/* Translation table walk disabled for TTBR1 */
-return false;
-}
-*table = regime_ttbr(env, mmu_idx, 1) & 0xc000;
-} else {
-if (tcr->raw_tcr & TTBCR_PD0) {
-/* Translation table walk disabled for TTBR0 */
-return false;
-}
-*table = regime_ttbr(env, mmu_idx, 0) & tcr->base_mask;
-}
-*table |= (address >> 18) & 0x3ffc;
-return true;
-}
-
 static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
 {
 /*
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 32ba2e5e8bf..5737a3976b8 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -15,6 +15,29 @@
 #include "ptw.h"
 
 
+static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
+ uint32_t *table, uint32_t address)
+{
+/* Note that we can only get here for an AArch32 PL0/PL1 lookup */
+TCR *tcr = regime_tcr(env, mmu_idx);
+
+if (address & tcr->mask) {
+if (tcr->raw_tcr & TTBCR_PD1) {
+/* Translation table walk disabled for TTBR1 */
+return false;
+}
+*table = regime_ttbr(env, mmu_idx, 1) & 0xc000;
+} else {
+if (tcr->raw_tcr & TTBCR_PD0) {
+/* Translation table walk disabled for TTBR0 */
+return false;
+}
+*table = regime_ttbr(env, mmu_idx, 0) & tcr->base_mask;
+}
+*table |= (address >> 18) & 0x3ffc;
+return true;
+}
+
 static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
  MMUAccessType access_type, ARMMMUIdx mmu_idx,
  hwaddr *phys_ptr, int *prot,
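
Review bot: get_level1_table_address() writes *table only on the paths that return true; when the walk is disabled through TTBCR_PD0 or TTBCR_PD1 it returns false and leaves *table untouched. A short function comment stating that contract, and that the caller must not use *table after a false return, would fit in this hunk now that the function is file-local and sits next to its caller.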
-- 
2.25.1




[PULL 47/55] target/arm: Rename sve_zcr_len_for_el to sve_vqm1_for_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This will be used for both Normal and Streaming SVE, and the value
does not necessarily come from ZCR_ELx.  While we're at it, emphasize
the units in which the value is returned.

Patch produced by
git grep -l sve_zcr_len_for_el | \
xargs -n1 sed -i 's/sve_zcr_len_for_el/sve_vqm1_for_el/g'

and then adding a function comment.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-13-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.h   | 11 ++-
 target/arm/arch_dump.c |  2 +-
 target/arm/cpu.c   |  2 +-
 target/arm/gdbstub64.c |  2 +-
 target/arm/helper.c| 12 ++--
 5 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 73f24a57603..e45b5cb7fe1 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1132,7 +1132,16 @@ void aarch64_sync_64_to_32(CPUARMState *env);
 
 int fp_exception_el(CPUARMState *env, int cur_el);
 int sve_exception_el(CPUARMState *env, int cur_el);
-uint32_t sve_zcr_len_for_el(CPUARMState *env, int el);
+
+/**
+ * sve_vqm1_for_el:
+ * @env: CPUARMState
+ * @el: exception level
+ *
+ * Compute the current SVE vector length for @el, in units of
+ * Quadwords Minus 1 -- the same scale used for ZCR_ELx.LEN.
+ */
+uint32_t sve_vqm1_for_el(CPUARMState *env, int el);
 
 static inline bool is_a64(CPUARMState *env)
 {
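
Review bot: The new doc comment for sve_vqm1_for_el() omits the precondition that the definition in helper.c states ("Given that SVE is enabled"). Add it here, because callers reading cpu.h cannot tell that the result is meaningful only after sve_exception_el() has reported that SVE is accessible at @el.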
diff --git a/target/arm/arch_dump.c b/target/arm/arch_dump.c
index 01848453109..b1f040e69f2 100644
--- a/target/arm/arch_dump.c
+++ b/target/arm/arch_dump.c
@@ -166,7 +166,7 @@ static off_t sve_fpcr_offset(uint32_t vq)
 
 static uint32_t sve_current_vq(CPUARMState *env)
 {
-return sve_zcr_len_for_el(env, arm_current_el(env)) + 1;
+return sve_vqm1_for_el(env, arm_current_el(env)) + 1;
 }
 
 static size_t sve_size_vq(uint32_t vq)
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 06219441674..1b5d5357880 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -925,7 +925,7 @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, 
int flags)
  vfp_get_fpcr(env), vfp_get_fpsr(env));
 
 if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
-int j, zcr_len = sve_zcr_len_for_el(env, el);
+int j, zcr_len = sve_vqm1_for_el(env, el);
 
 for (i = 0; i <= FFR_PRED_NUM; i++) {
 bool eol;
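
Review bot: The local in aarch64_cpu_dump_state() is still called zcr_len after the sed rename, although the commit message says the value does not necessarily come from ZCR_ELx. Rename it (for example to vqm1) in the same patch so that the variable keeps the units the new function name was chosen to emphasize; the same applies to the other locals that receive this return value.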
diff --git a/target/arm/gdbstub64.c b/target/arm/gdbstub64.c
index 596878666d7..07a6746944d 100644
--- a/target/arm/gdbstub64.c
+++ b/target/arm/gdbstub64.c
@@ -152,7 +152,7 @@ int arm_gdb_get_svereg(CPUARMState *env, GByteArray *buf, 
int reg)
  * We report in Vector Granules (VG) which is 64bit in a Z reg
  * while the ZCR works in Vector Quads (VQ) which is 128bit chunks.
  */
-int vq = sve_zcr_len_for_el(env, arm_current_el(env)) + 1;
+int vq = sve_vqm1_for_el(env, arm_current_el(env)) + 1;
 return gdb_get_reg64(buf, vq * 2);
 }
 default:
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 90aac6bc12d..400f7cd1dba 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6215,7 +6215,7 @@ int sve_exception_el(CPUARMState *env, int el)
 /*
  * Given that SVE is enabled, return the vector length for EL.
  */
-uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
+uint32_t sve_vqm1_for_el(CPUARMState *env, int el)
 {
 ARMCPU *cpu = env_archcpu(env);
 uint32_t len = cpu->sve_max_vq - 1;
@@ -6238,7 +6238,7 @@ static void zcr_write(CPUARMState *env, const 
ARMCPRegInfo *ri,
   uint64_t value)
 {
 int cur_el = arm_current_el(env);
-int old_len = sve_zcr_len_for_el(env, cur_el);
+int old_len = sve_vqm1_for_el(env, cur_el);
 int new_len;
 
 /* Bits other than [3:0] are RAZ/WI.  */
@@ -6249,7 +6249,7 @@ static void zcr_write(CPUARMState *env, const 
ARMCPRegInfo *ri,
  * Because we arrived here, we know both FP and SVE are enabled;
  * otherwise we would have trapped access to the ZCR_ELn register.
  */
-new_len = sve_zcr_len_for_el(env, cur_el);
+new_len = sve_vqm1_for_el(env, cur_el);
 if (new_len < old_len) {
 aarch64_sve_narrow_vq(env, new_len + 1);
 }
@@ -11168,7 +11168,7 @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState 
*env, int el, int fp_el,
 sve_el = 0;
 }
 } else if (sve_el == 0) {
-DP_TBFLAG_A64(flags, VL, sve_zcr_len_for_el(env, el));
+DP_TBFLAG_A64(flags, VL, sve_vqm1_for_el(env, el));
 }
 DP_TBFLAG_A64(flags, SVEEXC_EL, sve_el);
 }
@@ -11534,10 +11534,10 @@ void aarch64_sve_change_el(CPUARMState *env, int 
old_el,
  */
 old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
 old_len = (old_a64 && !sve_exception_el(env, old_el)
-   ? sve_zcr_len_for_el(env, old_el) : 0);
+   ? sve_vqm1_for_el(env, old_el) : 0);
 new_a64 = new_el ? arm_el_is_aa64(env, new_

[PULL 52/55] target/arm: Move expand_pred_h to vec_internal.h

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Move the data to vec_helper.c and the inline to vec_internal.h.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-18-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/vec_internal.h |  7 +++
 target/arm/sve_helper.c   | 29 -
 target/arm/vec_helper.c   | 26 ++
 3 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/target/arm/vec_internal.h b/target/arm/vec_internal.h
index d1a1ea4a668..1d527fadac1 100644
--- a/target/arm/vec_internal.h
+++ b/target/arm/vec_internal.h
@@ -59,6 +59,13 @@ static inline uint64_t expand_pred_b(uint8_t byte)
 return expand_pred_b_data[byte];
 }
 
+/* Similarly for half-word elements. */
+extern const uint64_t expand_pred_h_data[0x55 + 1];
+static inline uint64_t expand_pred_h(uint8_t byte)
+{
+return expand_pred_h_data[byte & 0x55];
+}
+
 static inline void clear_tail(void *vd, uintptr_t opr_sz, uintptr_t max_sz)
 {
 uint64_t *d = vd + opr_sz;
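
Review bot: The array bound in "expand_pred_h_data[0x55 + 1]" and the index mask in "expand_pred_h_data[byte & 0x55]" are two separate literals that must stay in step for the lookup to remain in bounds, and the header says nothing about why 0x55 is used. Add a sentence to the comment explaining that only the even predicate bits are significant for half-word elements and that the mask therefore bounds the index, or derive both from one named constant.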
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index e865c125273..1654c0bbf9e 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -103,35 +103,6 @@ uint32_t HELPER(sve_predtest)(void *vd, void *vg, uint32_t 
words)
 return flags;
 }
 
-/* Similarly for half-word elements.
- *  for (i = 0; i < 256; ++i) {
- *  unsigned long m = 0;
- *  if (i & 0xaa) {
- *  continue;
- *  }
- *  for (j = 0; j < 8; j += 2) {
- *  if ((i >> j) & 1) {
- *  m |= 0xul << (j << 3);
- *  }
- *  }
- *  printf("[0x%x] = 0x%016lx,\n", i, m);
- *  }
- */
-static inline uint64_t expand_pred_h(uint8_t byte)
-{
-static const uint64_t word[] = {
-[0x01] = 0x, [0x04] = 0x,
-[0x05] = 0x, [0x10] = 0x,
-[0x11] = 0x, [0x14] = 0x,
-[0x15] = 0x, [0x40] = 0x,
-[0x41] = 0x, [0x44] = 0x,
-[0x45] = 0x, [0x50] = 0x,
-[0x51] = 0x, [0x54] = 0x,
-[0x55] = 0x,
-};
-return word[byte & 0x55];
-}
-
 /* Similarly for single word elements.  */
 static inline uint64_t expand_pred_s(uint8_t byte)
 {
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index 17fb1583622..26c373e522f 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -127,6 +127,32 @@ const uint64_t expand_pred_b_data[256] = {
 0x,
 };
 
+/*
+ * Similarly for half-word elements.
+ *  for (i = 0; i < 256; ++i) {
+ *  unsigned long m = 0;
+ *  if (i & 0xaa) {
+ *  continue;
+ *  }
+ *  for (j = 0; j < 8; j += 2) {
+ *  if ((i >> j) & 1) {
+ *  m |= 0xul << (j << 3);
+ *  }
+ *  }
+ *  printf("[0x%x] = 0x%016lx,\n", i, m);
+ *  }
+ */
+const uint64_t expand_pred_h_data[0x55 + 1] = {
+[0x01] = 0x, [0x04] = 0x,
+[0x05] = 0x, [0x10] = 0x,
+[0x11] = 0x, [0x14] = 0x,
+[0x15] = 0x, [0x40] = 0x,
+[0x41] = 0x, [0x44] = 0x,
+[0x45] = 0x, [0x50] = 0x,
+[0x51] = 0x, [0x54] = 0x,
+[0x55] = 0x,
+};
+
 /* Signed saturating rounding doubling multiply-accumulate high half, 8-bit */
 int8_t do_sqrdmlah_b(int8_t src1, int8_t src2, int8_t src3,
  bool neg, bool round)
-- 
2.25.1




[PULL 23/55] target/arm: Move arm_{ldl,ldq}_ptw to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Move the ptw load functions, plus 3 common subroutines:
S1_ptw_translate, ptw_attrs_are_device, and regime_translation_big_endian.
This also allows get_phys_addr_lpae to become static again.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-17-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  13 
 target/arm/helper.c | 141 --
 target/arm/ptw.c| 160 ++--
 3 files changed, 154 insertions(+), 160 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 31744df6646..28b8cb9fb89 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -13,11 +13,6 @@
 
 extern const uint8_t pamax_map[7];
 
-uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
- ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi);
-uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure,
- ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi);
-
 bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
@@ -40,13 +35,5 @@ int get_S2prot(CPUARMState *env, int s2ap, int xn, bool 
s1_is_el0);
 int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
int ap, int ns, int xn, int pxn);
 
-bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-MMUAccessType access_type, ARMMMUIdx mmu_idx,
-bool s1_is_el0,
-hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
-target_ulong *page_size_ptr,
-ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
-__attribute__((nonnull));
-
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
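
Review bot: Removing the get_phys_addr_lpae() prototype from ptw.h also removes the only visible "__attribute__((nonnull))" annotation for it. Make sure the now-static definition or forward declaration in ptw.c carries the same attribute, so the compiler keeps checking that phys_ptr, txattrs, prot, page_size_ptr, fi and cacheattrs are never passed as NULL.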
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 7de815fe986..398bcd62ab9 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10475,12 +10475,6 @@ bool regime_translation_disabled(CPUARMState *env, 
ARMMMUIdx mmu_idx)
 return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 }
 
-static inline bool regime_translation_big_endian(CPUARMState *env,
- ARMMMUIdx mmu_idx)
-{
-return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
-}
-
 /* Return the TTBR associated with this translation regime */
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
 {
@@ -10773,141 +10767,6 @@ int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, 
bool is_aa64,
 return prot_rw | PAGE_EXEC;
 }
 
-static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
-{
-/*
- * For an S1 page table walk, the stage 1 attributes are always
- * some form of "this is Normal memory". The combined S1+S2
- * attributes are therefore only Device if stage 2 specifies Device.
- * With HCR_EL2.FWB == 0 this is when descriptor bits [5:4] are 0b00,
- * ie when cacheattrs.attrs bits [3:2] are 0b00.
- * With HCR_EL2.FWB == 1 this is when descriptor bit [4] is 0, ie
- * when cacheattrs.attrs bit [2] is 0.
- */
-assert(cacheattrs.is_s2_format);
-if (arm_hcr_el2_eff(env) & HCR_FWB) {
-return (cacheattrs.attrs & 0x4) == 0;
-} else {
-return (cacheattrs.attrs & 0xc) == 0;
-}
-}
-
-/* Translate a S1 pagetable walk through S2 if needed.  */
-static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-   hwaddr addr, bool *is_secure,
-   ARMMMUFaultInfo *fi)
-{
-if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
-!regime_translation_disabled(env, ARMMMUIdx_Stage2)) {
-target_ulong s2size;
-hwaddr s2pa;
-int s2prot;
-int ret;
-ARMMMUIdx s2_mmu_idx = *is_secure ? ARMMMUIdx_Stage2_S
-  : ARMMMUIdx_Stage2;
-ARMCacheAttrs cacheattrs = {};
-MemTxAttrs txattrs = {};
-
-ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx, false,
- &s2pa, &txattrs, &s2prot, &s2size, fi,
- &cacheattrs);
-if (ret) {
-assert(fi->type != ARMFault_None);
-fi->s2addr = addr;
-fi->stage2 = true;
-fi->s1ptw = true;
-fi->s1ns = !*is_secure;
-return ~0;
-}
-if ((arm_hcr_el2_eff(env) & HCR_PTW) &&
-ptw_attrs_are_device(env, cacheattrs)) {
-/*
- * PTW set and S1 walk touched S2 Device memory:
- * generate Permission fault.
- */
-fi->type = ARMFault_Permission;
-fi->s2addr = addr;
-fi->stage2 = true;
-fi->s1ptw = true;
-fi->s1ns = !*is_secure;
-return ~0;
-}

[PATCH 1/4] s390x: simplify virtio_ccw_reset_virtio

2022-06-09 Thread Paolo Bonzini
Call virtio_bus_reset instead of virtio_reset, so that the function
need not receive the VirtIODevice.

Signed-off-by: Paolo Bonzini 
---
 hw/s390x/virtio-ccw.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 15b458527e..066a387802 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -249,12 +249,12 @@ static int virtio_ccw_set_vqs(SubchDev *sch, VqInfoBlock 
*info,
 return 0;
 }
 
-static void virtio_ccw_reset_virtio(VirtioCcwDevice *dev, VirtIODevice *vdev)
+static void virtio_ccw_reset_virtio(VirtioCcwDevice *dev)
 {
 CcwDevice *ccw_dev = CCW_DEVICE(dev);
 
 virtio_ccw_stop_ioeventfd(dev);
-virtio_reset(vdev);
+virtio_bus_reset(&dev->bus);
 if (dev->indicators) {
 release_indicator(&dev->routes.adapter, dev->indicators);
 dev->indicators = NULL;
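
Review bot: Replacing virtio_reset(vdev) with virtio_bus_reset(&dev->bus) in virtio_ccw_reset_virtio() is presented as a pure simplification, but the commit message does not say whether virtio_bus_reset() does exactly the same work on the plugged device or how it behaves when no device is attached to the bus. State that equivalence in the commit message, since the old callers obtained vdev themselves and this function is reached from the guest-triggered CCW_CMD_VDEV_RESET path.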
@@ -359,7 +359,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 ret = virtio_ccw_handle_set_vq(sch, ccw, check_len, dev->revision < 1);
 break;
 case CCW_CMD_VDEV_RESET:
-virtio_ccw_reset_virtio(dev, vdev);
+virtio_ccw_reset_virtio(dev);
 ret = 0;
 break;
 case CCW_CMD_READ_FEAT:
@@ -536,7 +536,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 }
 if (virtio_set_status(vdev, status) == 0) {
 if (vdev->status == 0) {
-virtio_ccw_reset_virtio(dev, vdev);
+virtio_ccw_reset_virtio(dev);
 }
 if (status & VIRTIO_CONFIG_S_DRIVER_OK) {
 virtio_ccw_start_ioeventfd(dev);
@@ -921,10 +921,9 @@ static void virtio_ccw_notify(DeviceState *d, uint16_t 
vector)
 static void virtio_ccw_reset(DeviceState *d)
 {
 VirtioCcwDevice *dev = VIRTIO_CCW_DEVICE(d);
-VirtIODevice *vdev = virtio_bus_get_device(&dev->bus);
 VirtIOCCWDeviceClass *vdc = VIRTIO_CCW_DEVICE_GET_CLASS(dev);
 
-virtio_ccw_reset_virtio(dev, vdev);
+virtio_ccw_reset_virtio(dev);
 if (vdc->parent_reset) {
 vdc->parent_reset(d);
 }
-- 
2.36.1





[PULL 49/55] target/arm: Export sve contiguous ldst support functions

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Export all of the support functions for performing bulk
fault analysis on a set of elements at contiguous addresses
controlled by a predicate.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-15-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/sve_ldst_internal.h | 94 ++
 target/arm/sve_helper.c| 87 ++-
 2 files changed, 111 insertions(+), 70 deletions(-)

diff --git a/target/arm/sve_ldst_internal.h b/target/arm/sve_ldst_internal.h
index ef9117e84c1..b5c473fc48b 100644
--- a/target/arm/sve_ldst_internal.h
+++ b/target/arm/sve_ldst_internal.h
@@ -124,4 +124,98 @@ DO_ST_PRIM_2(dd, H1_8, uint64_t, uint64_t, stq)
 #undef DO_LD_PRIM_2
 #undef DO_ST_PRIM_2
 
+/*
+ * Resolve the guest virtual address to info->host and info->flags.
+ * If @nofault, return false if the page is invalid, otherwise
+ * exit via page fault exception.
+ */
+
+typedef struct {
+void *host;
+int flags;
+MemTxAttrs attrs;
+} SVEHostPage;
+
+bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
+target_ulong addr, int mem_off, MMUAccessType access_type,
+int mmu_idx, uintptr_t retaddr);
+
+/*
+ * Analyse contiguous data, protected by a governing predicate.
+ */
+
+typedef enum {
+FAULT_NO,
+FAULT_FIRST,
+FAULT_ALL,
+} SVEContFault;
+
+typedef struct {
+/*
+ * First and last element wholly contained within the two pages.
+ * mem_off_first[0] and reg_off_first[0] are always set >= 0.
+ * reg_off_last[0] may be < 0 if the first element crosses pages.
+ * All of mem_off_first[1], reg_off_first[1] and reg_off_last[1]
+ * are set >= 0 only if there are complete elements on a second page.
+ *
+ * The reg_off_* offsets are relative to the internal vector register.
+ * The mem_off_first offset is relative to the memory address; the
+ * two offsets are different when a load operation extends, a store
+ * operation truncates, or for multi-register operations.
+ */
+int16_t mem_off_first[2];
+int16_t reg_off_first[2];
+int16_t reg_off_last[2];
+
+/*
+ * One element that is misaligned and spans both pages,
+ * or -1 if there is no such active element.
+ */
+int16_t mem_off_split;
+int16_t reg_off_split;
+
+/*
+ * The byte offset at which the entire operation crosses a page boundary.
+ * Set >= 0 if and only if the entire operation spans two pages.
+ */
+int16_t page_split;
+
+/* TLB data for the two pages. */
+SVEHostPage page[2];
+} SVEContLdSt;
+
+/*
+ * Find first active element on each page, and a loose bound for the
+ * final element on each page.  Identify any single element that spans
+ * the page boundary.  Return true if there are any active elements.
+ */
+bool sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
+intptr_t reg_max, int esz, int msize);
+
+/*
+ * Resolve the guest virtual addresses to info->page[].
+ * Control the generation of page faults with @fault.  Return false if
+ * there is no work to do, which can only happen with @fault == FAULT_NO.
+ */
+bool sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault,
+ CPUARMState *env, target_ulong addr,
+ MMUAccessType access_type, uintptr_t retaddr);
+
+#ifdef CONFIG_USER_ONLY
+static inline void
+sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env, uint64_t *vg,
+  target_ulong addr, int esize, int msize,
+  int wp_access, uintptr_t retaddr)
+{ }
+#else
+void sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env,
+   uint64_t *vg, target_ulong addr,
+   int esize, int msize, int wp_access,
+   uintptr_t retaddr);
+#endif
+
+void sve_cont_ldst_mte_check(SVEContLdSt *info, CPUARMState *env, uint64_t *vg,
+ target_ulong addr, int esize, int msize,
+ uint32_t mtedesc, uintptr_t ra);
+
 #endif /* TARGET_ARM_SVE_LDST_INTERNAL_H */
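Review bot: in the new header the comment "Resolve the guest virtual address to info->host and info->flags" sits above the SVEHostPage typedef instead of above the sve_probe_page() prototype it describes, and sve_cont_ldst_watchpoints() and sve_cont_ldst_mte_check() are exported with no comment at all. These are now a cross-file interface, so move that comment down to the prototype, add a line for each of the two undocumented functions, and settle on one spelling for the parameters that differ between prototypes (esz vs esize, retaddr vs ra).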
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 0c6dde00aa6..8cd371e3e37 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -5341,16 +5341,9 @@ static intptr_t find_next_active(uint64_t *vg, intptr_t 
reg_off,
  * exit via page fault exception.
  */
 
-typedef struct {
-void *host;
-int flags;
-MemTxAttrs attrs;
-} SVEHostPage;
-
-static bool sve_probe_page(SVEHostPage *info, bool nofault,
-   CPUARMState *env, target_ulong addr,
-   int mem_off, MMUAccessType access_type,
-   int mmu_idx, uintptr_t retaddr)
+bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
+ 

[PULL 31/55] target/arm: Move regime_ttbr to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-25-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  1 -
 target/arm/helper.c | 16 
 target/arm/ptw.c| 16 
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 3d3061a4351..ed152ddaf4e 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -12,7 +12,6 @@
 #ifndef CONFIG_USER_ONLY
 
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
-uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
 
 #endif /* !CONFIG_USER_ONLY */
 #endif /* TARGET_ARM_PTW_H */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 8deb0fa94c1..fdda87e87e2 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10475,22 +10475,6 @@ bool regime_translation_disabled(CPUARMState *env, 
ARMMMUIdx mmu_idx)
 return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 }
 
-/* Return the TTBR associated with this translation regime */
-uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
-{
-if (mmu_idx == ARMMMUIdx_Stage2) {
-return env->cp15.vttbr_el2;
-}
-if (mmu_idx == ARMMMUIdx_Stage2_S) {
-return env->cp15.vsttbr_el2;
-}
-if (ttbrn == 0) {
-return env->cp15.ttbr0_el[regime_el(env, mmu_idx)];
-} else {
-return env->cp15.ttbr1_el[regime_el(env, mmu_idx)];
-}
-}
-
 /* Convert a possible stage1+2 MMU index into the appropriate
  * stage 1 MMU index
  */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 8db4b5edf1a..dc559e6bdfd 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -75,6 +75,22 @@ static bool regime_is_user(CPUARMState *env, ARMMMUIdx 
mmu_idx)
 }
 }
 
+/* Return the TTBR associated with this translation regime */
+static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
+{
+if (mmu_idx == ARMMMUIdx_Stage2) {
+return env->cp15.vttbr_el2;
+}
+if (mmu_idx == ARMMMUIdx_Stage2_S) {
+return env->cp15.vsttbr_el2;
+}
+if (ttbrn == 0) {
+return env->cp15.ttbr0_el[regime_el(env, mmu_idx)];
+} else {
+return env->cp15.ttbr1_el[regime_el(env, mmu_idx)];
+}
+}
+
 static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
 {
 /*
-- 
2.25.1




[PULL 53/55] target/arm: Export bfdotadd from vec_helper.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

We will need this over in sme_helper.c.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-19-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/vec_internal.h | 13 +
 target/arm/vec_helper.c   |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/target/arm/vec_internal.h b/target/arm/vec_internal.h
index 1d527fadac1..1f4ed80ff76 100644
--- a/target/arm/vec_internal.h
+++ b/target/arm/vec_internal.h
@@ -230,4 +230,17 @@ uint64_t pmull_h(uint64_t op1, uint64_t op2);
  */
 uint64_t pmull_w(uint64_t op1, uint64_t op2);
 
+/**
+ * bfdotadd:
+ * @sum: addend
+ * @e1, @e2: multiplicand vectors
+ *
+ * BFloat16 2-way dot product of @e1 & @e2, accumulating with @sum.
+ * The @e1 and @e2 operands correspond to the 32-bit source vector
+ * slots and contain two Bfloat16 values each.
+ *
+ * Corresponds to the ARM pseudocode function BFDotAdd.
+ */
+float32 bfdotadd(float32 sum, uint32_t e1, uint32_t e2);
+
 #endif /* TARGET_ARM_VEC_INTERNAL_H */
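Review bot: the new doc comment for bfdotadd() spells the type two ways ("BFloat16" and "Bfloat16") and says nothing about floating-point status. The vec_helper.c hunk below shows the body opening with "FPCR is ignored for BFDOT and BFMMLA"; a caller in sme_helper.c needs to learn that from the header, so add a sentence to the comment and pick one capitalisation.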
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index 26c373e522f..9a9c034e36f 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -2557,7 +2557,7 @@ DO_MMLA_B(gvec_usmmla_b, do_usmmla_b)
  * BFloat16 Dot Product
  */
 
-static float32 bfdotadd(float32 sum, uint32_t e1, uint32_t e2)
+float32 bfdotadd(float32 sum, uint32_t e1, uint32_t e2)
 {
 /* FPCR is ignored for BFDOT and BFMMLA. */
 float_status bf_status = {
-- 
2.25.1




[PULL 32/55] target/arm: Move regime_translation_disabled to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-26-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h| 17 
 target/arm/helper.c | 47 -
 target/arm/ptw.c| 47 -
 3 files changed, 46 insertions(+), 65 deletions(-)
 delete mode 100644 target/arm/ptw.h

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
deleted file mode 100644
index ed152ddaf4e..000
--- a/target/arm/ptw.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * ARM page table walking.
- *
- * This code is licensed under the GNU GPL v2 or later.
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#ifndef TARGET_ARM_PTW_H
-#define TARGET_ARM_PTW_H
-
-#ifndef CONFIG_USER_ONLY
-
-bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
-
-#endif /* !CONFIG_USER_ONLY */
-#endif /* TARGET_ARM_PTW_H */
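Review bot: the commit message is only the subject line and does not mention that target/arm/ptw.h is deleted here. Add a sentence saying the header goes away because its last remaining prototype, regime_translation_disabled(), becomes static in ptw.c, so that someone bisecting or grepping for ptw.h finds the reason.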
diff --git a/target/arm/helper.c b/target/arm/helper.c
index fdda87e87e2..69b1c060c1f 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -36,7 +36,6 @@
 #include "semihosting/common-semi.h"
 #endif
 #include "cpregs.h"
-#include "ptw.h"
 
 #define ARM_CPU_FREQ 10 /* FIXME: 1 GHz, should be configurable */
 
@@ -10429,52 +10428,6 @@ uint64_t arm_sctlr(CPUARMState *env, int el)
 }
 
 #ifndef CONFIG_USER_ONLY
-
-/* Return true if the specified stage of address translation is disabled */
-bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-uint64_t hcr_el2;
-
-if (arm_feature(env, ARM_FEATURE_M)) {
-switch (env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)] &
-(R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) {
-case R_V7M_MPU_CTRL_ENABLE_MASK:
-/* Enabled, but not for HardFault and NMI */
-return mmu_idx & ARM_MMU_IDX_M_NEGPRI;
-case R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK:
-/* Enabled for all cases */
-return false;
-case 0:
-default:
-/* HFNMIENA set and ENABLE clear is UNPREDICTABLE, but
- * we warned about that in armv7m_nvic.c when the guest set it.
- */
-return true;
-}
-}
-
-hcr_el2 = arm_hcr_el2_eff(env);
-
-if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
-/* HCR.DC means HCR.VM behaves as 1 */
-return (hcr_el2 & (HCR_DC | HCR_VM)) == 0;
-}
-
-if (hcr_el2 & HCR_TGE) {
-/* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
-if (!regime_is_secure(env, mmu_idx) && regime_el(env, mmu_idx) == 1) {
-return true;
-}
-}
-
-if ((hcr_el2 & HCR_DC) && arm_mmu_idx_is_stage1_of_2(mmu_idx)) {
-/* HCR.DC means SCTLR_EL1.M behaves as 0 */
-return true;
-}
-
-return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
-}
-
 /* Convert a possible stage1+2 MMU index into the appropriate
  * stage 1 MMU index
  */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index dc559e6bdfd..ec60afd9bff 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -12,7 +12,6 @@
 #include "cpu.h"
 #include "internals.h"
 #include "idau.h"
-#include "ptw.h"
 
 
 static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
@@ -91,6 +90,52 @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx 
mmu_idx, int ttbrn)
 }
 }
 
+/* Return true if the specified stage of address translation is disabled */
+static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+uint64_t hcr_el2;
+
+if (arm_feature(env, ARM_FEATURE_M)) {
+switch (env->v7m.mpu_ctrl[regime_is_secure(env, mmu_idx)] &
+(R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) {
+case R_V7M_MPU_CTRL_ENABLE_MASK:
+/* Enabled, but not for HardFault and NMI */
+return mmu_idx & ARM_MMU_IDX_M_NEGPRI;
+case R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK:
+/* Enabled for all cases */
+return false;
+case 0:
+default:
+/*
+ * HFNMIENA set and ENABLE clear is UNPREDICTABLE, but
+ * we warned about that in armv7m_nvic.c when the guest set it.
+ */
+return true;
+}
+}
+
+hcr_el2 = arm_hcr_el2_eff(env);
+
+if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
+/* HCR.DC means HCR.VM behaves as 1 */
+return (hcr_el2 & (HCR_DC | HCR_VM)) == 0;
+}
+
+if (hcr_el2 & HCR_TGE) {
+/* TGE means that NS EL0/1 act as if SCTLR_EL1.M is zero */
+if (!regime_is_secure(env, mmu_idx) && regime_el(env, mmu_idx) == 1) {
+return true;
+}
+}
+
+if ((hcr_el2 & HCR_DC) && arm_mmu_idx_is_stage1_of_2(mmu_idx)) {
+/* HCR.DC means SCTLR_EL1.M behaves as 0 */
+re

[PULL 40/55] target/arm: Add el_is_in_host

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This (newish) ARM pseudocode function is easier to work with
than open-coded tests for HCR_E2H etc.  Use of the function
will be staged into the code base in parts.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-6-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/internals.h |  2 ++
 target/arm/helper.c| 28 
 2 files changed, 30 insertions(+)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 1d83146d565..ceaddcbfd6e 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1347,6 +1347,8 @@ static inline void 
define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { }
 void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu);
 #endif
 
+bool el_is_in_host(CPUARMState *env, int el);
+
 void aa32_max_features(ARMCPU *cpu);
 
 #endif
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 4f4044c688d..322508170e3 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -5282,6 +5282,34 @@ uint64_t arm_hcr_el2_eff(CPUARMState *env)
 return ret;
 }
 
+/*
+ * Corresponds to ARM pseudocode function ELIsInHost().
+ */
+bool el_is_in_host(CPUARMState *env, int el)
+{
+uint64_t mask;
+
+/*
+ * Since we only care about E2H and TGE, we can skip arm_hcr_el2_eff().
+ * Perform the simplest bit tests first, and validate EL2 afterward.
+ */
+if (el & 1) {
+return false; /* EL1 or EL3 */
+}
+
+/*
+ * Note that hcr_write() checks isar_feature_aa64_vh(),
+ * aka HaveVirtHostExt(), in allowing HCR_E2H to be set.
+ */
+mask = el ? HCR_E2H : HCR_E2H | HCR_TGE;
+if ((env->cp15.hcr_el2 & mask) != mask) {
+return false;
+}
+
+/* TGE and/or E2H set: double check those bits are currently legal. */
+return arm_is_el2_enabled(env) && arm_el_is_aa64(env, 2);
+}
+
 static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri,
uint64_t value)
 {
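Review bot: el_is_in_host() never range-checks el. "if (el & 1)" treats every odd value as EL1 or EL3, and "mask = el ? HCR_E2H : HCR_E2H | HCR_TGE" treats every non-zero even value as EL2, so an out-of-range argument gets a plausible answer instead of a failure. Since this is meant to replace open-coded HCR_E2H tests across the code base, add an assert at the top that el is in 0..3. Two comment points as well: the last comment says "TGE and/or E2H set", but at that point every bit in mask is known to be set, and the first comment would be easier to audit if it named what arm_hcr_el2_eff() would have changed for E2H and TGE, so the reader can see that the final arm_is_el2_enabled(env) && arm_el_is_aa64(env, 2) test covers it.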
-- 
2.25.1




[PATCH 0/4] virtio: various cleanups to reset code

2022-06-09 Thread Paolo Bonzini
Patches 1, 3 and 4 are cleanups with no functional changes (intended, at
least).  Patch 2 is a small fix to legacy virtio-mmio reset, whose
behavior differed slightly compared to zeroing the status of the device.

Paolo

Paolo Bonzini (4):
  s390x: simplify virtio_ccw_reset_virtio
  virtio-mmio: stop ioeventfd on legacy reset
  virtio: stop ioeventfd on reset
  virtio-mmio: cleanup reset

 hw/s390x/virtio-ccw.c   | 12 +---
 hw/virtio/virtio-bus.c  |  1 +
 hw/virtio/virtio-mmio.c | 18 --
 hw/virtio/virtio-pci.c  |  1 -
 4 files changed, 14 insertions(+), 18 deletions(-)

-- 
2.36.1




Re: [PATCH] ui/cocoa: Fix poweroff request code

2022-06-09 Thread Gerd Hoffmann
On Sun, May 29, 2022 at 12:45:06PM +0200, Philippe Mathieu-Daudé wrote:
> On 29/5/22 10:25, Akihiko Odaki wrote:
> > Signed-off-by: Akihiko Odaki 
> > ---
> >   ui/cocoa.m | 6 +-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/ui/cocoa.m b/ui/cocoa.m
> > index 09a62817f2a..84c84e98fc5 100644
> > --- a/ui/cocoa.m
> > +++ b/ui/cocoa.m
> > @@ -35,6 +35,7 @@
> >   #include "ui/kbd-state.h"
> >   #include "sysemu/sysemu.h"
> >   #include "sysemu/runstate.h"
> > +#include "sysemu/runstate-action.h"
> >   #include "sysemu/cpu-throttle.h"
> >   #include "qapi/error.h"
> >   #include "qapi/qapi-commands-block.h"
> > @@ -1290,7 +1291,10 @@ - (void)applicationWillTerminate:(NSNotification 
> > *)aNotification
> >   {
> >   COCOA_DEBUG("QemuCocoaAppController: applicationWillTerminate\n");
> > -qemu_system_shutdown_request(SHUTDOWN_CAUSE_HOST_UI);
> > +with_iothread_lock(^{
> > +shutdown_action = SHUTDOWN_ACTION_POWEROFF;
> > +qemu_system_shutdown_request(SHUTDOWN_CAUSE_HOST_UI);
> > +});
> >   /*
> >* Sleep here, because returning will cause OSX to kill us
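Review bot: the assignment shutdown_action = SHUTDOWN_ACTION_POWEROFF in applicationWillTerminate overwrites the global unconditionally, and the commit message has no body to say why. Please describe in the commit message what went wrong with the bare qemu_system_shutdown_request(SHUTDOWN_CAUSE_HOST_UI) call, why forcing the action is right whatever value the global held before, and why the request now has to run inside with_iothread_lock.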
> 
> Reviewed-by: Philippe Mathieu-Daudé 

Added to queue.

thanks,
  Gerd




[PATCH 2/4] virtio-mmio: stop ioeventfd on legacy reset

2022-06-09 Thread Paolo Bonzini
If the queue PFN is set to zero on a virtio-mmio device, the device is reset.
In that case however the virtio_bus_stop_ioeventfd function was not
called; add it so that the behavior is similar to when status is set to 0.

Signed-off-by: Paolo Bonzini 
---
 hw/virtio/virtio-mmio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
index 688eccda94..41a35d31c8 100644
--- a/hw/virtio/virtio-mmio.c
+++ b/hw/virtio/virtio-mmio.c
@@ -376,6 +376,7 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, 
uint64_t value,
 return;
 }
 if (value == 0) {
+virtio_mmio_stop_ioeventfd(proxy);
 virtio_reset(vdev);
 } else {
 virtio_queue_set_addr(vdev, vdev->queue_sel,
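Review bot: the cover letter calls this patch a fix rather than a cleanup, but the commit message has no Fixes: tag and does not say what goes wrong when ioeventfd is left running across the queue-PFN reset. Please add both so the patch can be judged for backport. In the code, a short comment on the value == 0 branch saying that writing zero to the queue PFN is the legacy reset would explain why virtio_mmio_stop_ioeventfd(proxy) belongs there.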
-- 
2.36.1





Re: [PATCH v2 00/35] pc/q35: refactor ISA and SMBUS AML generation

2022-06-09 Thread Igor Mammedov
On Wed,  8 Jun 2022 09:53:05 -0400
Igor Mammedov  wrote:

> Changelog:
>   since v1:
> * add tis 2.0  clarification to commit message (Ani Sinha)
> * rebase on top of pci tree
> * pick up acks

tests fail due to new cxl testcase,
so I need to fixup whitelisting/blob updating patches and
then I'll resend series as v3

> 
> Series is excerpt from larger refactoring that does
> the same for PCI devices, but it's too large at this
> point, so I've split off a relatively self-contained
> ISA/SMBUS patches into a smaller separate series, and
> PCI refactoring will follow up on top of this series
> using the same AcpiDevAmlIf interface.
> 
> Series consolidates and unifies how pc/q35 machine
> generates AML for ISA and SMBUS devices. It adds
> a new more generic interface 'AcpiDevAmlIf' that
> replaces ISA specific ISADeviceClass::build_aml
> hook and should allow to use the same approach
> (i.e. ask a device to provide its own AML) but
> not limited to ISA bus.
> Series applies AcpiDevAmlIf interface to a few
> ISA devices that were already using
> ISADeviceClass::build_aml and to devices /tpm,
> applesmc,pvpanic,ipmi/ that were generated in
> custom way. The AML generation for the latter
> class is normalized to behave like any other
> ISA device that were using ISADeviceClass::build_aml
> and converted to interface 'AcpiDevAmlIf'.
> It simplifies process of building DSDT and
> eliminates custom probing/wiring for those devices
> as AML for them is generated at the time ISA/SMBUS
> is enumerated.
> 
> Changes to DSDT tables QEMU generates are mostly
> contextual where devices scattered across DSDT
> are consolidated under respective device that
> hosts bus they are attached to.
> 
> PS:
>  + series adds several ACPI tests for devices
>that were missing them.
> 
> Igor Mammedov (35):
>   acpi: add interface to build device specific AML
>   acpi: make isa_build_aml() support AcpiDevAmlIf interface
>   acpi: fdc-isa: replace ISADeviceClass::build_aml with
> AcpiDevAmlIfClass:build_dev_aml
>   acpi: parallel port: replace ISADeviceClass::build_aml with
> AcpiDevAmlIfClass:build_dev_aml
>   acpi: serial-is: replace ISADeviceClass::build_aml with
> AcpiDevAmlIfClass:build_dev_aml
>   acpi: mc146818rtc: replace ISADeviceClass::build_aml with
> AcpiDevAmlIfClass:build_dev_aml
>   acpi: pckbd: replace ISADeviceClass::build_aml with
> AcpiDevAmlIfClass:build_dev_aml
>   isa-bus: drop no longer used ISADeviceClass::build_aml
>   tests: acpi: add and whitelist DSDT.ipmismbus expected blob
>   tests: acpi: q35: add test for smbus-ipmi device
>   tests: acpi: update expected blob DSDT.ipmismbus
>   tests: acpi: whitelist DSDT.ipmismbus expected blob
>   ipmi: acpi: use relative path to resource source
>   tests: acpi: update expected DSDT.ipmismbus blob
>   acpi: ich9-smb: add support for AcpiDevAmlIf interface
>   acpi: ipmi: use AcpiDevAmlIf interface to build IPMI device
> descriptors
>   q35: acpi: drop not needed PCMachineClass::do_not_add_smb_acpi
>   tests: acpi: white-list to be re-factored pc/q35 DSDT
>   acpi: pc: isa bridge: use AcpiDevAmlIf interface to build ISA device
> descriptors
>   acpi: q35: isa bridge: use AcpiDevAmlIf interface to build ISA device
> descriptors
>   tests: acpi: update expected blobs
>   tests: acpi: add and white-list DSDT.applesmc expected blob
>   tests: acpi: add applesmc testcase
>   acpi: applesmc: use AcpiDevAmlIfClass:build_dev_aml to provide
> device's AML
>   tests: acpi: update expected blobs
>   tests: acpi: white-lists expected DSDT.pvpanic-isa blob
>   tests: acpi: add pvpanic-isa: testcase
>   acpi: pvpanic-isa: use AcpiDevAmlIfClass:build_dev_aml to provide
> device's AML
>   tests: acpi: update expected DSDT.pvpanic-isa blob
>   tests: acpi: white-list DSDT.tis.tpm2/DSDT.tis.tpm12 expected blobs
>   acpi: pc/q35: tpm-tis: fix TPM device scope
>   acpi: pc/q35: remove not needed 'if' condition on pci bus
>   acpi: tpm-tis: use AcpiDevAmlIfClass:build_dev_aml to provide device's
> AML
>   tests: acpi: update expected DSDT.tis.tpm2/DSDT.tis.tpm12 blobs
>   x86: acpi-build: do not include hw/isa/isa.h directly
> 
>  include/hw/acpi/acpi_aml_interface.h  |  40 ++
>  include/hw/acpi/ipmi.h|   9 +-
>  include/hw/i386/pc.h  |   1 -
>  include/hw/isa/isa.h  |  15 ---
>  include/hw/misc/pvpanic.h |   9 --
>  hw/acpi/acpi_interface.c  |   8 ++
>  hw/acpi/ipmi-stub.c   |   2 +-
>  hw/acpi/ipmi.c|  53 +++-
>  hw/acpi/meson.build   |   2 +-
>  hw/block/fdc-isa.c|  16 ++-
>  hw/char/parallel.c|  14 ++-
>  hw/char/serial-isa.c  |  14 ++-
>  hw/i2c/smbus_ich9.c   |  15 +++
>  hw/i386/acpi-build.c  | 171 ++
>  hw/i386/pc_piix.c |   1 -
>  hw/i386/pc_q35.c  

[PULL 30/55] target/arm: Move regime_is_user to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-24-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/ptw.h|  1 -
 target/arm/helper.c | 24 
 target/arm/ptw.c| 22 ++
 3 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/target/arm/ptw.h b/target/arm/ptw.h
index 85ad5767944..3d3061a4351 100644
--- a/target/arm/ptw.h
+++ b/target/arm/ptw.h
@@ -11,7 +11,6 @@
 
 #ifndef CONFIG_USER_ONLY
 
-bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx);
 bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx);
 uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn);
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index e894afcb491..8deb0fa94c1 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10515,30 +10515,6 @@ ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
 }
 #endif /* !CONFIG_USER_ONLY */
 
-#ifndef CONFIG_USER_ONLY
-bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-switch (mmu_idx) {
-case ARMMMUIdx_SE10_0:
-case ARMMMUIdx_E20_0:
-case ARMMMUIdx_SE20_0:
-case ARMMMUIdx_Stage1_E0:
-case ARMMMUIdx_Stage1_SE0:
-case ARMMMUIdx_MUser:
-case ARMMMUIdx_MSUser:
-case ARMMMUIdx_MUserNegPri:
-case ARMMMUIdx_MSUserNegPri:
-return true;
-default:
-return false;
-case ARMMMUIdx_E10_0:
-case ARMMMUIdx_E10_1:
-case ARMMMUIdx_E10_1_PAN:
-g_assert_not_reached();
-}
-}
-#endif /* !CONFIG_USER_ONLY */
-
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
 if (regime_has_2_ranges(mmu_idx)) {
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 9ab77c39980..8db4b5edf1a 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -53,6 +53,28 @@ static bool regime_translation_big_endian(CPUARMState *env, 
ARMMMUIdx mmu_idx)
 return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
 }
 
+static bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+switch (mmu_idx) {
+case ARMMMUIdx_SE10_0:
+case ARMMMUIdx_E20_0:
+case ARMMMUIdx_SE20_0:
+case ARMMMUIdx_Stage1_E0:
+case ARMMMUIdx_Stage1_SE0:
+case ARMMMUIdx_MUser:
+case ARMMMUIdx_MSUser:
+case ARMMMUIdx_MUserNegPri:
+case ARMMMUIdx_MSUserNegPri:
+return true;
+default:
+return false;
+case ARMMMUIdx_E10_0:
+case ARMMMUIdx_E10_1:
+case ARMMMUIdx_E10_1_PAN:
+g_assert_not_reached();
+}
+}
+
 static bool ptw_attrs_are_device(CPUARMState *env, ARMCacheAttrs cacheattrs)
 {
 /*
-- 
2.25.1




[PULL 54/55] target/arm: Add isar_feature_aa64_sme

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This will be used for implementing FEAT_SME.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-20-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.h | 5 +
 1 file changed, 5 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index e45b5cb7fe1..2e6153c5409 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -4048,6 +4048,11 @@ static inline bool isar_feature_aa64_mte(const 
ARMISARegisters *id)
 return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, MTE) >= 2;
 }
 
+static inline bool isar_feature_aa64_sme(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, SME) != 0;
+}
+
 static inline bool isar_feature_aa64_pmu_8_1(const ARMISARegisters *id)
 {
 return FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, PMUVER) >= 4 &&
-- 
2.25.1




[PULL 24/55] target/arm: Move {arm_s1_, }regime_using_lpae_format to tlb_helper.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

These functions are used for both page table walking and for
deciding what format in which to deliver exception results.
Since ptw.c is only present for system mode, put the functions
into tlb_helper.c.

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-18-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 24 
 target/arm/tlb_helper.c | 26 ++
 2 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 398bcd62ab9..d2b196ff3e5 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10515,30 +10515,6 @@ ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
 }
 #endif /* !CONFIG_USER_ONLY */
 
-/* Return true if the translation regime is using LPAE format page tables */
-bool regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-int el = regime_el(env, mmu_idx);
-if (el == 2 || arm_el_is_aa64(env, el)) {
-return true;
-}
-if (arm_feature(env, ARM_FEATURE_LPAE)
-&& (regime_tcr(env, mmu_idx)->raw_tcr & TTBCR_EAE)) {
-return true;
-}
-return false;
-}
-
-/* Returns true if the stage 1 translation regime is using LPAE format page
- * tables. Used when raising alignment exceptions, whose FSR changes depending
- * on whether the long or short descriptor format is in use. */
-bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-mmu_idx = stage_1_mmu_idx(mmu_idx);
-
-return regime_using_lpae_format(env, mmu_idx);
-}
-
 #ifndef CONFIG_USER_ONLY
 bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index 6421e16202e..7d8a86b3c45 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -11,6 +11,32 @@
 #include "exec/exec-all.h"
 #include "exec/helper-proto.h"
 
+
+/* Return true if the translation regime is using LPAE format page tables */
+bool regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+int el = regime_el(env, mmu_idx);
+if (el == 2 || arm_el_is_aa64(env, el)) {
+return true;
+}
+if (arm_feature(env, ARM_FEATURE_LPAE)
+&& (regime_tcr(env, mmu_idx)->raw_tcr & TTBCR_EAE)) {
+return true;
+}
+return false;
+}
+
+/*
+ * Returns true if the stage 1 translation regime is using LPAE format page
+ * tables. Used when raising alignment exceptions, whose FSR changes depending
+ * on whether the long or short descriptor format is in use.
+ */
+bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+mmu_idx = stage_1_mmu_idx(mmu_idx);
+return regime_using_lpae_format(env, mmu_idx);
+}
+
 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
 unsigned int target_el,
 bool same_el, bool ea,
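Review bot: the hunk opens with an added empty line directly after the existing blank line that follows the #include block, which leaves two blank lines before regime_using_lpae_format(); drop the extra "+" line. The reflowed block comment and the blank line removed inside arm_s1_regime_using_lpae_format() also mean this is not a byte-for-byte move, and saying so in the commit message helps anyone diffing the two copies.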
-- 
2.25.1




[PATCH 3/4] virtio: stop ioeventfd on reset

2022-06-09 Thread Paolo Bonzini
All calls to virtio_bus_reset are preceded by virtio_bus_stop_ioeventfd;
move the call into virtio_bus_reset: that makes sense and clarifies
that the vdc->reset function is called with ioeventfd already stopped.

Signed-off-by: Paolo Bonzini 
---
 hw/s390x/virtio-ccw.c   | 1 -
 hw/virtio/virtio-bus.c  | 1 +
 hw/virtio/virtio-mmio.c | 4 +---
 hw/virtio/virtio-pci.c  | 1 -
 4 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 066a387802..e33e5207ab 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -253,7 +253,6 @@ static void virtio_ccw_reset_virtio(VirtioCcwDevice *dev)
 {
 CcwDevice *ccw_dev = CCW_DEVICE(dev);
 
-virtio_ccw_stop_ioeventfd(dev);
 virtio_bus_reset(&dev->bus);
 if (dev->indicators) {
 release_indicator(&dev->routes.adapter, dev->indicators);
diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
index d7ec023adf..896feb37a1 100644
--- a/hw/virtio/virtio-bus.c
+++ b/hw/virtio/virtio-bus.c
@@ -104,6 +104,7 @@ void virtio_bus_reset(VirtioBusState *bus)
 VirtIODevice *vdev = virtio_bus_get_device(bus);
 
 DPRINTF("%s: reset device.\n", BUS(bus)->name);
+virtio_bus_stop_ioeventfd(bus);
 if (vdev != NULL) {
 virtio_reset(vdev);
 }
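Review bot: in virtio_bus_reset() the new virtio_bus_stop_ioeventfd(bus) call is placed before the "if (vdev != NULL)" guard, so it also runs when no device is plugged into the bus. Either state in the commit message that virtio_bus_stop_ioeventfd() is safe with no device, or move the call inside the guard. The commit message says vdc->reset is now called with ioeventfd already stopped; a one-line comment at this call stating that ordering would keep it from being reordered later.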
diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
index 41a35d31c8..6d81a26473 100644
--- a/hw/virtio/virtio-mmio.c
+++ b/hw/virtio/virtio-mmio.c
@@ -376,8 +376,7 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, 
uint64_t value,
 return;
 }
 if (value == 0) {
-virtio_mmio_stop_ioeventfd(proxy);
-virtio_reset(vdev);
+virtio_bus_reset(&vdev->bus);
 } else {
 virtio_queue_set_addr(vdev, vdev->queue_sel,
   value << proxy->guest_page_shift);
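Review bot: the replacement line in virtio_mmio_write() passes &vdev->bus, while virtio_mmio_reset() in the next hunk passes &proxy->bus. vdev is the VirtIODevice that is handed to virtio_reset(), and the removed virtio_mmio_stop_ioeventfd(proxy) line shows proxy is in scope here, so this should read virtio_bus_reset(&proxy->bus); please check that the hunk compiles as posted.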
@@ -628,7 +627,6 @@ static void virtio_mmio_reset(DeviceState *d)
 VirtIOMMIOProxy *proxy = VIRTIO_MMIO(d);
 int i;
 
-virtio_mmio_stop_ioeventfd(proxy);
 virtio_bus_reset(&proxy->bus);
 proxy->host_features_sel = 0;
 proxy->guest_features_sel = 0;
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 0566ad7d00..45327f0b31 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1945,7 +1945,6 @@ static void virtio_pci_reset(DeviceState *qdev)
 PCIDevice *dev = PCI_DEVICE(qdev);
 int i;
 
-virtio_pci_stop_ioeventfd(proxy);
 virtio_bus_reset(bus);
 msix_unuse_all_vectors(&proxy->pci_dev);
 
-- 
2.36.1





Re: [PATCH v6 05/18] job.h: add _locked duplicates for job API functions called with and without job_mutex

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:36:54AM -0400, Emanuele Giuseppe Esposito wrote:
> In preparation to the job_lock/unlock usage, create _locked
> duplicates of some functions, since they will be sometimes called with
> job_mutex held (mostly within job.c),
> and sometimes without (mostly from JobDrivers using the job API).
> 
> Therefore create a _locked version of such function, so that it
> can be used in both cases.
> 
> List of functions duplicated as _locked:
> job_is_ready (both versions are public)
> job_is_completed (both versions are public)
> job_is_cancelled (_locked version is public, needed by mirror.c)
> job_pause_point (_locked version is static, purely done to simplify the code)
> job_cancel_requested (_locked version is static)
> 
> Note: at this stage, job_{lock/unlock} and job lock guard macros
> are *nop*.
> 
> Signed-off-by: Emanuele Giuseppe Esposito 
> ---
>  include/qemu/job.h | 25 +---
>  job.c  | 48 --
>  2 files changed, 64 insertions(+), 9 deletions(-)

Reviewed-by: Stefan Hajnoczi 




[PULL 51/55] target/arm: Use expand_pred_b in mve_helper.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Use the function instead of the array directly.

Because the function performs its own masking, via the uint8_t
parameter, we need to do nothing extra within the users: the bits
above the first 2 (_uh) or 4 (_uw) will be discarded by assignment
to the local bmask variables, and of course _uq uses the entire
uint64_t result.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-17-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 846962bf4c5..403b345ea3b 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -726,7 +726,7 @@ static void mergemask_sb(int8_t *d, int8_t r, uint16_t mask)
 
 static void mergemask_uh(uint16_t *d, uint16_t r, uint16_t mask)
 {
-uint16_t bmask = expand_pred_b_data[mask & 3];
+uint16_t bmask = expand_pred_b(mask);
 *d = (*d & ~bmask) | (r & bmask);
 }
 
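Review bot: In mergemask_uh the narrowing is now entirely implicit: the uint16_t mask is cut down by the uint8_t parameter of expand_pred_b() and the result is cut again by the assignment to the uint16_t bmask, where the removed line spelled out `mask & 3`. A one-line comment at this assignment saying that only the low 2 predicate bits survive would keep a later reader from treating the missing mask as a bug, or from widening bmask without noticing the dependency.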
@@ -737,7 +737,7 @@ static void mergemask_sh(int16_t *d, int16_t r, uint16_t 
mask)
 
 static void mergemask_uw(uint32_t *d, uint32_t r, uint16_t mask)
 {
-uint32_t bmask = expand_pred_b_data[mask & 0xf];
+uint32_t bmask = expand_pred_b(mask);
 *d = (*d & ~bmask) | (r & bmask);
 }
 
@@ -748,7 +748,7 @@ static void mergemask_sw(int32_t *d, int32_t r, uint16_t 
mask)
 
 static void mergemask_uq(uint64_t *d, uint64_t r, uint16_t mask)
 {
-uint64_t bmask = expand_pred_b_data[mask & 0xff];
+uint64_t bmask = expand_pred_b(mask);
 *d = (*d & ~bmask) | (r & bmask);
 }
 
-- 
2.25.1




[PULL 34/55] target/arm: Move stage_1_mmu_idx, arm_stage1_mmu_idx to ptw.c

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Signed-off-by: Richard Henderson 
Message-id: 20220604040607.269301-28-richard.hender...@linaro.org
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 32 
 target/arm/ptw.c| 28 
 2 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index fe1e426f883..37cf9fa6aba 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10427,31 +10427,6 @@ uint64_t arm_sctlr(CPUARMState *env, int el)
 return env->cp15.sctlr_el[el];
 }
 
-#ifndef CONFIG_USER_ONLY
-/* Convert a possible stage1+2 MMU index into the appropriate
- * stage 1 MMU index
- */
-ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
-{
-switch (mmu_idx) {
-case ARMMMUIdx_SE10_0:
-return ARMMMUIdx_Stage1_SE0;
-case ARMMMUIdx_SE10_1:
-return ARMMMUIdx_Stage1_SE1;
-case ARMMMUIdx_SE10_1_PAN:
-return ARMMMUIdx_Stage1_SE1_PAN;
-case ARMMMUIdx_E10_0:
-return ARMMMUIdx_Stage1_E0;
-case ARMMMUIdx_E10_1:
-return ARMMMUIdx_Stage1_E1;
-case ARMMMUIdx_E10_1_PAN:
-return ARMMMUIdx_Stage1_E1_PAN;
-default:
-return mmu_idx;
-}
-}
-#endif /* !CONFIG_USER_ONLY */
-
 int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
 {
 if (regime_has_2_ranges(mmu_idx)) {
@@ -11081,13 +11056,6 @@ ARMMMUIdx arm_mmu_idx(CPUARMState *env)
 return arm_mmu_idx_el(env, arm_current_el(env));
 }
 
-#ifndef CONFIG_USER_ONLY
-ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
-{
-return stage_1_mmu_idx(arm_mmu_idx(env));
-}
-#endif
-
 static CPUARMTBFlags rebuild_hflags_common(CPUARMState *env, int fp_el,
ARMMMUIdx mmu_idx,
CPUARMTBFlags flags)
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index e9f6870d0a6..49e9a1d108e 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -47,6 +47,34 @@ unsigned int arm_pamax(ARMCPU *cpu)
 return pamax_map[parange];
 }
 
+/*
+ * Convert a possible stage1+2 MMU index into the appropriate stage 1 MMU index
+ */
+ARMMMUIdx stage_1_mmu_idx(ARMMMUIdx mmu_idx)
+{
+switch (mmu_idx) {
+case ARMMMUIdx_SE10_0:
+return ARMMMUIdx_Stage1_SE0;
+case ARMMMUIdx_SE10_1:
+return ARMMMUIdx_Stage1_SE1;
+case ARMMMUIdx_SE10_1_PAN:
+return ARMMMUIdx_Stage1_SE1_PAN;
+case ARMMMUIdx_E10_0:
+return ARMMMUIdx_Stage1_E0;
+case ARMMMUIdx_E10_1:
+return ARMMMUIdx_Stage1_E1;
+case ARMMMUIdx_E10_1_PAN:
+return ARMMMUIdx_Stage1_E1_PAN;
+default:
+return mmu_idx;
+}
+}
+
+ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env)
+{
+return stage_1_mmu_idx(arm_mmu_idx(env));
+}
+
 static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
 {
 return (regime_sctlr(env, mmu_idx) & SCTLR_EE) != 0;
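Review bot: The two functions added in this ptw.c hunk drop the `#ifndef CONFIG_USER_ONLY` guards that wrapped both of them in helper.c, and the commit message has no body to say why. If ptw.c is only built for system emulation, say so in the message; otherwise keep the guards so the user-only build does not gain two functions it did not have before.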
-- 
2.25.1




[PATCH 4/4] virtio-mmio: cleanup reset

2022-06-09 Thread Paolo Bonzini
Make virtio_mmio_soft_reset reset the virtio device, which is performed by
both the "soft" and the "hard" reset; and then call virtio_mmio_soft_reset
from virtio_mmio_reset to emphasize that the latter is a superset of the
former.

Signed-off-by: Paolo Bonzini 
---
 hw/virtio/virtio-mmio.c | 17 -
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
index 6d81a26473..d240efef97 100644
--- a/hw/virtio/virtio-mmio.c
+++ b/hw/virtio/virtio-mmio.c
@@ -72,12 +72,12 @@ static void virtio_mmio_soft_reset(VirtIOMMIOProxy *proxy)
 {
 int i;
 
-if (proxy->legacy) {
-return;
-}
+virtio_bus_reset(&proxy->bus);
 
-for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-proxy->vqs[i].enabled = 0;
+if (!proxy->legacy) {
+for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
+proxy->vqs[i].enabled = 0;
+}
 }
 }
 
@@ -376,7 +376,7 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, 
uint64_t value,
 return;
 }
 if (value == 0) {
-virtio_bus_reset(&vdev->bus);
+virtio_mmio_soft_reset(proxy);
 } else {
 virtio_queue_set_addr(vdev, vdev->queue_sel,
   value << proxy->guest_page_shift);
@@ -432,7 +432,6 @@ static void virtio_mmio_write(void *opaque, hwaddr offset, 
uint64_t value,
 }
 
 if (vdev->status == 0) {
-virtio_reset(vdev);
 virtio_mmio_soft_reset(proxy);
 }
 break;
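Review bot: On the `vdev->status == 0` path the direct `virtio_reset(vdev)` call is removed, so the device reset now happens only through `virtio_bus_reset(&proxy->bus)` inside virtio_mmio_soft_reset(). The commit message describes the consolidation but not this substitution; add a sentence confirming that the bus-level reset covers everything the direct call did on this path.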
@@ -627,7 +626,8 @@ static void virtio_mmio_reset(DeviceState *d)
 VirtIOMMIOProxy *proxy = VIRTIO_MMIO(d);
 int i;
 
-virtio_bus_reset(&proxy->bus);
+virtio_mmio_soft_reset(proxy);
+
 proxy->host_features_sel = 0;
 proxy->guest_features_sel = 0;
 proxy->guest_page_shift = 0;
@@ -636,7 +636,6 @@ static void virtio_mmio_reset(DeviceState *d)
 proxy->guest_features[0] = proxy->guest_features[1] = 0;
 
 for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-proxy->vqs[i].enabled = 0;
 proxy->vqs[i].num = 0;
 proxy->vqs[i].desc[0] = proxy->vqs[i].desc[1] = 0;
 proxy->vqs[i].avail[0] = proxy->vqs[i].avail[1] = 0;
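Review bot: Removing `proxy->vqs[i].enabled = 0;` from this loop changes the hard reset for legacy proxies: the only remaining clear is in virtio_mmio_soft_reset(), where it sits under `if (!proxy->legacy)`. If legacy devices never read `enabled` this is harmless, but the commit message should say so, or the clear should stay unconditional here.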
-- 
2.36.1




[PULL 37/55] linux-user/aarch64: Introduce sve_vq

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

Add an interface function to extract the digested vector length
rather than the raw zcr_el[1] value.  This fixes an incorrect
return from do_prctl_set_vl where we didn't take into account
the set of vector lengths supported by the cpu.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-3-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 linux-user/aarch64/target_prctl.h | 20 +---
 target/arm/cpu.h  | 11 +++
 linux-user/aarch64/signal.c   |  4 ++--
 3 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h 
b/linux-user/aarch64/target_prctl.h
index 3f5a5d3933a..1d440ffbea4 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -10,7 +10,7 @@ static abi_long do_prctl_get_vl(CPUArchState *env)
 {
 ARMCPU *cpu = env_archcpu(env);
 if (cpu_isar_feature(aa64_sve, cpu)) {
-return ((cpu->env.vfp.zcr_el[1] & 0xf) + 1) * 16;
+return sve_vq(env) * 16;
 }
 return -TARGET_EINVAL;
 }
@@ -25,18 +25,24 @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long 
arg2)
  */
 if (cpu_isar_feature(aa64_sve, env_archcpu(env))
 && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
-ARMCPU *cpu = env_archcpu(env);
 uint32_t vq, old_vq;
 
-old_vq = (env->vfp.zcr_el[1] & 0xf) + 1;
-vq = MAX(arg2 / 16, 1);
-vq = MIN(vq, cpu->sve_max_vq);
+old_vq = sve_vq(env);
 
+/*
+ * Bound the value of arg2, so that we know that it fits into
+ * the 4-bit field in ZCR_EL1.  Rely on the hflags rebuild to
+ * sort out the length supported by the cpu.
+ */
+vq = MAX(arg2 / 16, 1);
+vq = MIN(vq, ARM_MAX_VQ);
+env->vfp.zcr_el[1] = vq - 1;
+arm_rebuild_hflags(env);
+
+vq = sve_vq(env);
 if (vq < old_vq) {
 aarch64_sve_narrow_vq(env, vq);
 }
-env->vfp.zcr_el[1] = vq - 1;
-arm_rebuild_hflags(env);
 return vq * 16;
 }
 return -TARGET_EINVAL;
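Review bot: In do_prctl_set_vl, aarch64_sve_narrow_vq() now runs after `env->vfp.zcr_el[1]` has been written and arm_rebuild_hflags() has been called, where the removed lines narrowed first and updated the register afterwards. The new comment explains the bounding of arg2 but not this reordering; please confirm that the narrow step does not depend on the previous ZCR_EL1 or hflags state and say so in the comment or the commit message.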
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index e791ffdd6b6..f5af88b686d 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -3286,6 +3286,17 @@ static inline int cpu_mmu_index(CPUARMState *env, bool 
ifetch)
 return EX_TBFLAG_ANY(env->hflags, MMUIDX);
 }
 
+/**
+ * sve_vq
+ * @env: the cpu context
+ *
+ * Return the VL cached within env->hflags, in units of quadwords.
+ */
+static inline int sve_vq(CPUARMState *env)
+{
+return EX_TBFLAG_A64(env->hflags, VL) + 1;
+}
+
 static inline bool bswap_code(bool sctlr_b)
 {
 #ifdef CONFIG_USER_ONLY
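Review bot: The doc comment for sve_vq() says the value is the VL cached in env->hflags but not that it is only current once arm_rebuild_hflags() has run after a ZCR change, which do_prctl_set_vl in this same patch relies on. State that precondition in the comment. The helper also returns int while do_prctl_set_vl stores the result in `uint32_t vq, old_vq`; an unsigned return type would match.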
diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index 7de4c96eb9d..7da0e36c6d4 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -315,7 +315,7 @@ static int target_restore_sigframe(CPUARMState *env,
 
 case TARGET_SVE_MAGIC:
 if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-vq = (env->vfp.zcr_el[1] & 0xf) + 1;
+vq = sve_vq(env);
 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 if (!sve && size == sve_size) {
 sve = (struct target_sve_context *)ctx;
@@ -434,7 +434,7 @@ static void target_setup_frame(int usig, struct 
target_sigaction *ka,
 
 /* SVE state needs saving only if it exists.  */
 if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-vq = (env->vfp.zcr_el[1] & 0xf) + 1;
+vq = sve_vq(env);
 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 sve_ofs = alloc_sigframe_space(sve_size, &layout);
 }
-- 
2.25.1




Re: [PATCH v6 03/18] job.c: API functions not used outside should be static

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:36:52AM -0400, Emanuele Giuseppe Esposito wrote:
> job_event_* functions can all be static, as they are not used
> outside job.c.
> 
> Same applies for job_txn_add_job().
> 
> Signed-off-by: Emanuele Giuseppe Esposito 
> ---
>  include/qemu/job.h | 18 --
>  job.c  | 22 +++---
>  2 files changed, 19 insertions(+), 21 deletions(-)

Reviewed-by: Stefan Hajnoczi 




[PULL 41/55] target/arm: Use el_is_in_host for sve_zcr_len_for_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

The ARM pseudocode function NVL uses this predicate now,
and I think it's a bit clearer.  Simplify the pseudocode
condition by noting that IsInHost is always false for EL1.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-7-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 322508170e3..6b17c0f507f 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6238,8 +6238,7 @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
 ARMCPU *cpu = env_archcpu(env);
 uint32_t zcr_len = cpu->sve_max_vq - 1;
 
-if (el <= 1 &&
-(arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+if (el <= 1 && !el_is_in_host(env, el)) {
 zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
 }
 if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
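Review bot: The new condition `el <= 1 && !el_is_in_host(env, el)` is not a pure rewrite of the removed test: the old expression checked HCR_E2H and HCR_TGE for el 0 and el 1 alike, while the commit message says IsInHost is always false for EL1, so if el_is_in_host() follows that, the ZCR_EL1 clamp is now applied at el == 1 regardless of those bits. A short comment here naming the pseudocode function NVL and the EL1 case would make the intended difference visible at the call site.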
-- 
2.25.1




Re: [PATCH v6 13/18] job.h: define unlocked functions

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:37:02AM -0400, Emanuele Giuseppe Esposito wrote:
>  /**
>   * @job: The job to enter.
> + * Called with job_mutex *not* held.
>   *
>   * Continue the specified job by entering the coroutine.
> + * Called with job_mutex lock *not* held.

A similar comment was added just a few lines above.




Re: [PATCH 04/20] migration: rename rate limiting fields in QEMUFile

2022-06-09 Thread Dr. David Alan Gilbert
* Daniel P. Berrangé (berra...@redhat.com) wrote:
> This renames the following QEMUFile fields
> 
>  * bytes_xfer -> rate_limit_used
>  * xfer_limit -> rate_limit_max
> 
> The intent is to make it clear that 'bytes_xfer' is specifically related
> to rate limiting of data and applies to data queued, which need not have
> been transferred on the wire yet if a flush hasn't taken place.
> 
> Signed-off-by: Daniel P. Berrangé 

Reviewed-by: Dr. David Alan Gilbert 


> ---
>  migration/qemu-file.c | 30 +++---
>  1 file changed, 19 insertions(+), 11 deletions(-)
> 
> diff --git a/migration/qemu-file.c b/migration/qemu-file.c
> index 1479cddad9..03f0b13a55 100644
> --- a/migration/qemu-file.c
> +++ b/migration/qemu-file.c
> @@ -39,8 +39,16 @@ struct QEMUFile {
>  const QEMUFileHooks *hooks;
>  void *opaque;
>  
> -int64_t bytes_xfer;
> -int64_t xfer_limit;
> +/*
> + * Maximum amount of data in bytes to transfer during one
> + * rate limiting time window
> + */
> +int64_t rate_limit_max;
> +/*
> + * Total amount of data in bytes queued for transfer
> + * during this rate limiting time window
> + */
> +int64_t rate_limit_used;
>  
>  int64_t pos; /* start of buffer when writing, end of buffer
>  when reading */
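Review bot: The comment added for rate_limit_max does not say what a value of 0 or below means, although qemu_file_rate_limit() later in this patch only enforces the limit when `f->rate_limit_max > 0`. Add that non-positive values disable the limit so the field comment matches the check.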
> @@ -304,7 +312,7 @@ size_t ram_control_save_page(QEMUFile *f, ram_addr_t 
> block_offset,
>  int ret = f->hooks->save_page(f, f->opaque, block_offset,
>offset, size, bytes_sent);
>  if (ret != RAM_SAVE_CONTROL_NOT_SUPP) {
> -f->bytes_xfer += size;
> +f->rate_limit_used += size;
>  }
>  
>  if (ret != RAM_SAVE_CONTROL_DELAYED &&
> @@ -457,7 +465,7 @@ void qemu_put_buffer_async(QEMUFile *f, const uint8_t 
> *buf, size_t size,
>  return;
>  }
>  
> -f->bytes_xfer += size;
> +f->rate_limit_used += size;
>  add_to_iovec(f, buf, size, may_free);
>  }
>  
> @@ -475,7 +483,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, 
> size_t size)
>  l = size;
>  }
>  memcpy(f->buf + f->buf_index, buf, l);
> -f->bytes_xfer += l;
> +f->rate_limit_used += l;
>  add_buf_to_iovec(f, l);
>  if (qemu_file_get_error(f)) {
>  break;
> @@ -492,7 +500,7 @@ void qemu_put_byte(QEMUFile *f, int v)
>  }
>  
>  f->buf[f->buf_index] = v;
> -f->bytes_xfer++;
> +f->rate_limit_used++;
>  add_buf_to_iovec(f, 1);
>  }
>  
> @@ -674,7 +682,7 @@ int qemu_file_rate_limit(QEMUFile *f)
>  if (qemu_file_get_error(f)) {
>  return 1;
>  }
> -if (f->xfer_limit > 0 && f->bytes_xfer > f->xfer_limit) {
> +if (f->rate_limit_max > 0 && f->rate_limit_used > f->rate_limit_max) {
>  return 1;
>  }
>  return 0;
> @@ -682,22 +690,22 @@ int qemu_file_rate_limit(QEMUFile *f)
>  
>  int64_t qemu_file_get_rate_limit(QEMUFile *f)
>  {
> -return f->xfer_limit;
> +return f->rate_limit_max;
>  }
>  
>  void qemu_file_set_rate_limit(QEMUFile *f, int64_t limit)
>  {
> -f->xfer_limit = limit;
> +f->rate_limit_max = limit;
>  }
>  
>  void qemu_file_reset_rate_limit(QEMUFile *f)
>  {
> -f->bytes_xfer = 0;
> +f->rate_limit_used = 0;
>  }
>  
>  void qemu_file_update_transfer(QEMUFile *f, int64_t len)
>  {
> -f->bytes_xfer += len;
> +f->rate_limit_used += len;
>  }
>  
>  void qemu_put_be16(QEMUFile *f, unsigned int v)
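Review bot: qemu_file_update_transfer() keeps its old name while the field it increments becomes rate_limit_used, so the function name still suggests bytes transferred where the new field comment says bytes queued. Rename it in this patch, or mention in the commit message that the accessor names are handled separately.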
> -- 
> 2.36.1
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




[PULL 42/55] target/arm: Use el_is_in_host for sve_exception_el

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

The ARM pseudocode function CheckNormalSVEEnabled uses this
predicate now, and I think it's a bit clearer.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-8-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 6b17c0f507f..40b60b1eea2 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -6170,9 +6170,7 @@ static const ARMCPRegInfo minimal_ras_reginfo[] = {
 int sve_exception_el(CPUARMState *env, int el)
 {
 #ifndef CONFIG_USER_ONLY
-uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-
-if (el <= 1 && (hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+if (el <= 1 && !el_is_in_host(env, el)) {
 switch (FIELD_EX64(env->cp15.cpacr_el1, CPACR_EL1, ZEN)) {
 case 1:
 if (el != 0) {
@@ -6189,6 +6187,7 @@ int sve_exception_el(CPUARMState *env, int el)
  * CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE).
  */
 if (el <= 2) {
+uint64_t hcr_el2 = arm_hcr_el2_eff(env);
 if (hcr_el2 & HCR_E2H) {
 switch (FIELD_EX64(env->cp15.cptr_el[2], CPTR_EL2, ZEN)) {
 case 1:
-- 
2.25.1




Re: [PATCH v6 12/18] block_job: rename block_job functions called with job_mutex held

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:37:01AM -0400, Emanuele Giuseppe Esposito wrote:
> @@ -135,32 +137,37 @@ void block_job_remove_all_bdrv(BlockJob *job);
>  bool block_job_has_bdrv(BlockJob *job, BlockDriverState *bs);
>  
>  /**
> - * block_job_set_speed:
> + * block_job_set_speed_locked:
>   * @job: The job to set the speed for.
>   * @speed: The new value
>   * @errp: Error object.
>   *
>   * Set a rate-limiting parameter for the job; the actual meaning may
>   * vary depending on the job type.
> + *
> + * Called with job_mutex lock held. May temporarly release the lock.

s/temporarly/temporarily/




Re: [PATCH 0/2] Fixes for ui/gtk-gl-area

2022-06-09 Thread Gerd Hoffmann
On Sun, Jun 05, 2022 at 10:50:28AM +0200, Volker Rümelin wrote:
> The first patch fixes a GL context leak.
> 
> The second patch fixes a black guest screen on Wayland with OpenGL
> accelerated QEMU graphics devices. This bug doesn't seem to be related to
> issues #910, #865, #671 or #298.

Both queued up.

thanks,
  Gerd




[PULL 55/55] target/arm: Add ID_AA64SMFR0_EL1

2022-06-09 Thread Peter Maydell
From: Richard Henderson 

This register is allocated from the existing block of id registers,
so it is already RES0 for cpus that do not implement SME.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
Message-id: 20220607203306.657998-21-richard.hender...@linaro.org
Signed-off-by: Peter Maydell 
---
 target/arm/cpu.h| 25 +
 target/arm/helper.c |  4 ++--
 target/arm/kvm64.c  | 11 +++
 3 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 2e6153c5409..78dbcb5592c 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -966,6 +966,7 @@ struct ArchCPU {
 uint64_t id_aa64dfr0;
 uint64_t id_aa64dfr1;
 uint64_t id_aa64zfr0;
+uint64_t id_aa64smfr0;
 uint64_t reset_pmcr_el0;
 } isar;
 uint64_t midr;
@@ -2190,6 +2191,15 @@ FIELD(ID_AA64ZFR0, I8MM, 44, 4)
 FIELD(ID_AA64ZFR0, F32MM, 52, 4)
 FIELD(ID_AA64ZFR0, F64MM, 56, 4)
 
+FIELD(ID_AA64SMFR0, F32F32, 32, 1)
+FIELD(ID_AA64SMFR0, B16F32, 34, 1)
+FIELD(ID_AA64SMFR0, F16F32, 35, 1)
+FIELD(ID_AA64SMFR0, I8I32, 36, 4)
+FIELD(ID_AA64SMFR0, F64F64, 48, 1)
+FIELD(ID_AA64SMFR0, I16I64, 52, 4)
+FIELD(ID_AA64SMFR0, SMEVER, 56, 4)
+FIELD(ID_AA64SMFR0, FA64, 63, 1)
+
 FIELD(ID_DFR0, COPDBG, 0, 4)
 FIELD(ID_DFR0, COPSDBG, 4, 4)
 FIELD(ID_DFR0, MMAPDBG, 8, 4)
@@ -4195,6 +4205,21 @@ static inline bool isar_feature_aa64_sve_f64mm(const 
ARMISARegisters *id)
 return FIELD_EX64(id->id_aa64zfr0, ID_AA64ZFR0, F64MM) != 0;
 }
 
+static inline bool isar_feature_aa64_sme_f64f64(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64smfr0, ID_AA64SMFR0, F64F64);
+}
+
+static inline bool isar_feature_aa64_sme_i16i64(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64smfr0, ID_AA64SMFR0, I16I64) == 0xf;
+}
+
+static inline bool isar_feature_aa64_sme_fa64(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64smfr0, ID_AA64SMFR0, FA64);
+}
+
 /*
  * Feature tests for "does this exist in either 32-bit or 64-bit?"
  */
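Review bot: isar_feature_aa64_sme_f64f64() and isar_feature_aa64_sme_fa64() return the FIELD_EX64() value directly, while the neighbouring isar_feature_aa64_sve_f64mm() compares with `!= 0`; use the explicit comparison for consistency. isar_feature_aa64_sme_i16i64() tests for `== 0xf` on a 4-bit field without saying why only that encoding counts, so add a one-line comment with the reason.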
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 400f7cd1dba..ac9942d750d 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -7722,11 +7722,11 @@ void register_cp_regs_for_features(ARMCPU *cpu)
   .access = PL1_R, .type = ARM_CP_CONST,
   .accessfn = access_aa64_tid3,
   .resetvalue = cpu->isar.id_aa64zfr0 },
-{ .name = "ID_AA64PFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+{ .name = "ID_AA64SMFR0_EL1", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5,
   .access = PL1_R, .type = ARM_CP_CONST,
   .accessfn = access_aa64_tid3,
-  .resetvalue = 0 },
+  .resetvalue = cpu->isar.id_aa64smfr0 },
 { .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6,
   .access = PL1_R, .type = ARM_CP_CONST,
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index b3f635fc952..ff8f65da22f 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -574,6 +574,8 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 } else {
 err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64pfr1,
   ARM64_SYS_REG(3, 0, 0, 4, 1));
+err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64smfr0,
+  ARM64_SYS_REG(3, 0, 0, 4, 5));
 err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr0,
   ARM64_SYS_REG(3, 0, 0, 5, 0));
 err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64dfr1,
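Review bot: The new read of id_aa64smfr0 is added to the unconditional block and ORed into `err`, yet the comment rewritten further down in this patch describes kernels that do not always expose ID_AA64ZFR0_EL1 through the ONE_REG API, which is why that register is read separately. Please confirm that ARM64_SYS_REG(3, 0, 0, 4, 5) is readable on every kernel this path supports, since any failure here is folded into `err`.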
@@ -682,10 +684,11 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures 
*ahcf)
 ahcf->isar.id_aa64pfr0 = t;
 
 /*
- * Before v5.1, KVM did not support SVE and did not expose
- * ID_AA64ZFR0_EL1 even as RAZ.  After v5.1, KVM still does
- * not expose the register to "user" requests like this
- * unless the host supports SVE.
+ * There is a range of kernels between kernel commit 73433762fcae
+ * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
+ * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
+ * SVE support, so we only read it here, rather than together with all
+ * the other ID registers earlier.
  */
 err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
   ARM64_SYS_REG(3, 0, 0, 4, 4));
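Review bot: This hunk rewrites the comment about ID_AA64ZFR0_EL1, which the commit message (about adding ID_AA64SMFR0_EL1) does not mention. Either note the comment update in the message or split it out. The kernel commit ids 73433762fcae and f81cb2c3ad41 would also be easier to follow with their subject lines quoted next to them.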
-- 
2.25.1




Re: [PATCH 2/2] ui/gtk: a new array param monitor to specify the target displays

2022-06-09 Thread Daniel P . Berrangé
On Tue, May 31, 2022 at 01:23:27PM -0700, Dongwon Kim wrote:
> New integer array parameter, 'monitor' is for specifying the target
> displays where individual QEMU windows are placed upon launching.
> 
> The array contains a series of numbers representing the monitor where
> QEMU windows are placed.
> 
> Numbers in the array are mapped to QEMU windows like,
> 
> [1st detached window, 2nd detached window, Main window]
> 
> Usage example: -display gtk,monitor.0=0,monitor.1=1.
> 
> Cc: Daniel P. Berrangé 
> Cc: Markus Armbruster 
> Cc: Philippe Mathieu-Daudé 
> Cc: Paolo Bonzini 
> Cc: Gerd Hoffmann 
> Cc: Vivek Kasireddy 
> Signed-off-by: Dongwon Kim 
> ---
>  qapi/ui.json|  7 ++-
>  qemu-options.hx |  2 +-
>  ui/gtk.c| 32 +++-
>  3 files changed, 38 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé 


With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




Re: [PATCH] ui/console: allow display device to be labeled with given id

2022-06-09 Thread Gerd Hoffmann
On Thu, May 26, 2022 at 07:08:14AM +, Wen, Jianxian wrote:
> The update makes it easier to find and specify devices.
> They can only be found by device type name without the id field,
> for example, devices of the same type have the same label.
> The update also adds a head field,
> which is useful for devices that support multiple heads,
> such as virtio-gpu.

Can we make the head field conditional, so it's only done in case there
are actually multiple heads?  Both qxl and virtio-gpu have a max_outputs
property, so checking if that exists and is greater than 1 should work
for that.

take care,
  Gerd




Re: [PATCH v6 10/18] jobs: rename static functions called with job_mutex held

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:36:59AM -0400, Emanuele Giuseppe Esposito wrote:
> @@ -530,20 +540,24 @@ void job_enter(Job *job)
>  job_enter_cond(job, NULL);
>  }
>  
> -/* Yield, and schedule a timer to reenter the coroutine after @ns 
> nanoseconds.
> +/*
> + * Yield, and schedule a timer to reenter the coroutine after @ns 
> nanoseconds.
>   * Reentering the job coroutine with job_enter() before the timer has expired
>   * is allowed and cancels the timer.
>   *
>   * If @ns is (uint64_t) -1, no timer is scheduled and job_enter() must be
> - * called explicitly. */
> -static void coroutine_fn job_do_yield(Job *job, uint64_t ns)
> + * called explicitly.
> + *
> + * Called with job_mutex held, but releases it temporarly.

s/temporarly/temporarily/




Re: [PATCH v15 1/9] linux-user: Add LoongArch generic header files

2022-06-09 Thread WANG Xuerui



On 2022/6/9 10:42, Song Gao wrote:

This includes:
- sockbits.h
- target_errno_defs.h
- target_fcntl.h
- termbits.h
- target_resource.h
- target_structs.h

Signed-off-by: Song Gao 
Signed-off-by: Xiaojuan Yang 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
---
  linux-user/loongarch64/sockbits.h  | 11 +++
  linux-user/loongarch64/target_errno_defs.h | 12 
  linux-user/loongarch64/target_fcntl.h  | 11 +++
  linux-user/loongarch64/target_prctl.h  |  1 +
  linux-user/loongarch64/target_resource.h   | 11 +++
  linux-user/loongarch64/target_structs.h| 11 +++
  linux-user/loongarch64/termbits.h  | 11 +++
  7 files changed, 68 insertions(+)
  create mode 100644 linux-user/loongarch64/sockbits.h
  create mode 100644 linux-user/loongarch64/target_errno_defs.h
  create mode 100644 linux-user/loongarch64/target_fcntl.h
  create mode 100644 linux-user/loongarch64/target_prctl.h
  create mode 100644 linux-user/loongarch64/target_resource.h
  create mode 100644 linux-user/loongarch64/target_structs.h
  create mode 100644 linux-user/loongarch64/termbits.h


So this is all nicely generic.

Reviewed-by: WANG Xuerui 




Re: [PATCH v6 11/18] job.h: rename job API functions called with job_mutex held

2022-06-09 Thread Stefan Hajnoczi
On Mon, Mar 14, 2022 at 09:37:00AM -0400, Emanuele Giuseppe Esposito wrote:
>  /**
> - * Release a reference that was previously acquired with job_ref() or
> + * Release a reference that was previously acquired with job_ref_locked() or
>   * job_create(). If it's the last reference to the object, it will be freed.
> + *
> + * Called between job_lock and job_unlock, but might release it temporarly.
>   */
> -void job_unref(Job *job);
> +void job_unref_locked(Job *job);
>  
>  /**
>   * @job: The job that has made progress
> @@ -421,8 +427,10 @@ void job_progress_increase_remaining(Job *job, uint64_t 
> delta);
>   * Conditionally enter the job coroutine if the job is ready to run, not
>   * already busy and fn() returns true. fn() is called while under the 
> job_lock
>   * critical section.
> + *
> + * Called between job_lock and job_unlock, but might release it temporarly.

s/temporarly/temporarily/




Re: [PATCH v5 4/6] docs: Add CanoKey documentation

2022-06-09 Thread Gerd Hoffmann
On Thu, May 19, 2022 at 08:39:38PM +0800, Hongren (Zenithal) Zheng wrote:
> Signed-off-by: Hongren (Zenithal) Zheng 
> ---
>  docs/system/device-emulation.rst |   1 +
>  docs/system/devices/canokey.rst  | 168 +++
>  2 files changed, 169 insertions(+)
>  create mode 100644 docs/system/devices/canokey.rst
> 
> Note on the qemu-xhci issue:
> 
> For FIDO2 packets, they follow the pattern below
> 
>   Interrupt IN (size 64)
>   Interrupt OUT (size 128 with payload)
>   Interrupt OUT ACK (size 64)
>   Interrupt IN ACK (size 128 with payload)

> In qemu-xhci, it assumes a pattern like this
> 
>   Interrupt IN (size 64)
>-> usb_handle_packet
>   Interrupt IN ACK (size 128 with payload (not possible))
><- usb_handle_packet returns
>   Interrupt OUT (size 128 with payload)
>-> the next usb_handle_packet
>   Interrupt OUT ACK (size 64)
><- the next usb_handle_packet returns

> The code works for uhci/ehci in the following way
> 
>   Interrupt IN (size 64)
>-> usb_handle_packet
>   Interrupt IN NAK (size 64)
><- usb_handle_packet returns
>   ... there are many IN NAK here
>   ... uhci/ehci reschedule OUT before IN now
>   Interrupt OUT (size 128 with payload)
>-> the next usb_handle_packet
>   Interrupt OUT ACK (size 64)
><- the next usb_handle_packet returns
>   Interrupt IN (size 64)
>-> last usb_handle_packet
>   Interrupt IN ACK (size 128 with payload)
><- last usb_handle_packet returns

I think this is just a missing usb_wakeup() call somewhere.  If a
usb device got data it must notify the host adapter that way.

> I think qemu-xhci should retry/schedule the failed IN token after
> receiving NAK instead of failing immediately, because interrupt
> endpoint is async.

uhci/ehci keeps polling the device.  That is pretty much mandatory for
correct emulation due to the way the host adapter hardware is designed.
So things are typically working even without an explicit usb_wakeup()
call.

xhci doesn't poll (which is good because that reduces virtualization
overhead a lot) but requires an explicit usb_wakeup() call to make xhci
re-try NACK-ed transfers.

take care,
  Gerd
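
The polling versus wakeup behaviour described in the reply above, as a toy C model added here (not QEMU code and not from the thread). Every name in it (toy_dev, toy_wakeup, run_exchange) is hypothetical and only stands in for the host adapter and device roles.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: none of these names exist in QEMU. */
enum toy_status { TOY_ACK, TOY_NAK };

struct toy_dev {
    bool in_ready;        /* a reply is waiting on the interrupt IN endpoint */
    bool calls_wakeup;    /* device model notifies the host adapter */
    bool wakeup_pending;  /* notification not yet consumed by the host */
};

/* Stand-in for the notification the thread refers to as usb_wakeup(). */
static void toy_wakeup(struct toy_dev *d)
{
    d->wakeup_pending = true;
}

/* Interrupt IN: NAK while the device has nothing to return. */
static enum toy_status toy_handle_in(struct toy_dev *d)
{
    if (!d->in_ready) {
        return TOY_NAK;
    }
    d->in_ready = false;
    return TOY_ACK;
}

/* Interrupt OUT: the request is consumed and a reply becomes available. */
static enum toy_status toy_handle_out(struct toy_dev *d)
{
    d->in_ready = true;
    if (d->calls_wakeup) {
        toy_wakeup(d);
    }
    return TOY_ACK;
}

/*
 * Replay the exchange from the thread: IN is queued first and NAKed,
 * then OUT delivers the request, then IN has to be retried.
 *   host_polls = true   models uhci/ehci (retry the parked IN every frame)
 *   host_polls = false  models xhci (retry only after a wakeup)
 * Returns the frame in which IN was ACKed, or -1 if it never was.
 */
int run_exchange(bool host_polls, bool dev_calls_wakeup, int max_frames)
{
    struct toy_dev dev = { .calls_wakeup = dev_calls_wakeup };
    bool in_parked = false;   /* IN was NAKed and is waiting for a retry */
    bool out_sent = false;

    for (int frame = 0; frame < max_frames; frame++) {
        if (!in_parked) {
            /* First IN arrives before the device has anything to say. */
            if (toy_handle_in(&dev) == TOY_ACK) {
                return frame;
            }
            in_parked = true;
            continue;
        }
        if (!out_sent) {
            toy_handle_out(&dev);
            out_sent = true;
            continue;
        }
        /* Retry policy is the only difference between the two hosts. */
        if (host_polls || dev.wakeup_pending) {
            dev.wakeup_pending = false;
            if (toy_handle_in(&dev) == TOY_ACK) {
                return frame;
            }
        }
    }
    return -1;
}

int main(void)
{
    printf("polling host, no wakeup:   frame %d\n",
           run_exchange(true, false, 16));
    printf("wakeup-driven, no wakeup:  frame %d\n",
           run_exchange(false, false, 16));
    printf("wakeup-driven, with wakeup: frame %d\n",
           run_exchange(false, true, 16));
    return 0;
}
```

A result of -1 is the stall: the parked IN is never retried because the wakeup-driven host was never told the device has data.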




Re: [PATCH v15 4/9] linux-user: Add LoongArch syscall support

2022-06-09 Thread WANG Xuerui

On 2022/6/9 10:42, Song Gao wrote:

We should disable '__BITS_PER_LONG' at [1] before run gensyscalls.sh

  [1] arch/loongarch/include/uapi/asm/bitsperlong.h


I'm not sure why this is necessary, is this for building on 32-bit where 
__BITS_PER_LONG are (incorrectly) reflecting the host bitness?


If this is the case, arch/riscv uses the same trick (they are defining 
__BITS_PER_LONG as (__SIZEOF_POINTER__ * 8), which is essentially the 
same), so they should fail without the hack described here as well. I 
don't know if something else could be tweaked to get rid of this hack 
(currently unable to investigate deeper for you, taking a break 
reviewing this in the middle of my day job).




Signed-off-by: Song Gao 
Signed-off-by: Xiaojuan Yang 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
---
  linux-user/loongarch64/syscall_nr.h | 312 
  linux-user/loongarch64/target_syscall.h |  48 
  linux-user/syscall_defs.h   |  12 +-
  scripts/gensyscalls.sh  |   1 +
  4 files changed, 368 insertions(+), 5 deletions(-)
  create mode 100644 linux-user/loongarch64/syscall_nr.h
  create mode 100644 linux-user/loongarch64/target_syscall.h

[snip]

diff --git a/linux-user/loongarch64/target_syscall.h 
b/linux-user/loongarch64/target_syscall.h
new file mode 100644
index 00..8b5de52124
--- /dev/null
+++ b/linux-user/loongarch64/target_syscall.h
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2021 Loongson Technology Corporation Limited
+ */
+
+#ifndef LOONGARCH_TARGET_SYSCALL_H
+#define LOONGARCH_TARGET_SYSCALL_H
+
+#include "qemu/units.h"
+
+/*
+ * this struct defines the way the registers are stored on the
+ * stack during a system call.
+ */
+
+struct target_pt_regs {
+/* Saved main processor registers. */
+target_ulong regs[32];
+
+/* Saved special registers. */
+struct {
+target_ulong era;
+target_ulong badv;
+target_ulong crmd;
+target_ulong prmd;
+target_ulong euen;
+target_ulong ecfg;
+target_ulong estat;
+} csr;
+target_ulong orig_a0;
+target_ulong __last[0];
+};
+
+#define UNAME_MACHINE "loongarch64"
+#define UNAME_MINIMUM_RELEASE "5.19.0"
+
+#define TARGET_MCL_CURRENT 1
+#define TARGET_MCL_FUTURE  2
+#define TARGET_MCL_ONFAULT 4
+
+#define TARGET_FORCE_SHMLBA
+
+static inline abi_ulong target_shmlba(CPULoongArchState *env)
+{
+return 64 * KiB;
+}
+
+#endif
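Review bot: `target_ulong __last[0];` at the end of struct target_pt_regs is a zero-length array with no comment on what it is for, and the comment above the struct only describes the register layout. Add a line explaining the marker, or drop the member if nothing references it.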
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 4587b62ac9..b5b9a02816 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -74,7 +74,7 @@
  || defined(TARGET_M68K) || defined(TARGET_CRIS) \
  || defined(TARGET_S390X) || defined(TARGET_OPENRISC) \
  || defined(TARGET_NIOS2) || defined(TARGET_RISCV) \
-|| defined(TARGET_XTENSA)
+|| defined(TARGET_XTENSA) || defined(TARGET_LOONGARCH64)
  
  #define TARGET_IOC_SIZEBITS	14

  #define TARGET_IOC_DIRBITS2
@@ -2084,8 +2084,9 @@ struct target_stat64  {
  abi_ulong __unused5;
  };
  
-#elif defined(TARGET_OPENRISC) || defined(TARGET_NIOS2) \

-|| defined(TARGET_RISCV) || defined(TARGET_HEXAGON)
+#elif defined(TARGET_OPENRISC) || defined(TARGET_NIOS2) || \
+  defined(TARGET_RISCV) || defined(TARGET_HEXAGON) || \
+  defined(TARGET_LOONGARCH64)
  
  /* These are the asm-generic versions of the stat and stat64 structures */

The finalized LoongArch system call interface doesn't include stat,
fstat or newfstatat. So do we still have to pull in the definitions for
stat structures?
  
@@ -2113,7 +2114,7 @@ struct target_stat {

  unsigned int __unused5;
  };
  
-#if !defined(TARGET_RISCV64)

+#if !defined(TARGET_RISCV64) && !defined(TARGET_LOONGARCH64)
  #define TARGET_HAS_STRUCT_STAT64
  struct target_stat64 {
  uint64_t st_dev;

Similarly here.

@@ -2258,7 +2259,8 @@ struct target_statfs64 {
  };
  #elif (defined(TARGET_PPC64) || defined(TARGET_X86_64) || \
 defined(TARGET_SPARC64) || defined(TARGET_AARCH64) || \
-   defined(TARGET_RISCV)) && !defined(TARGET_ABI32)
+   defined(TARGET_RISCV) || defined(TARGET_LOONGARCH64)) && \
+   !defined(TARGET_ABI32)
  struct target_statfs {
abi_long f_type;
abi_long f_bsize;
diff --git a/scripts/gensyscalls.sh b/scripts/gensyscalls.sh
index 8fb450e3c9..b69e1938ab 100755
--- a/scripts/gensyscalls.sh
+++ b/scripts/gensyscalls.sh
@@ -99,4 +99,5 @@ generate_syscall_nr openrisc 32 
"$output/linux-user/openrisc/syscall_nr.h"
  generate_syscall_nr riscv 32 "$output/linux-user/riscv/syscall32_nr.h"
  generate_syscall_nr riscv 64 "$output/linux-user/riscv/syscall64_nr.h"
  generate_syscall_nr hexagon 32 "$output/linux-user/hexagon/syscall_nr.h"
+generate_syscall_nr loongarch 64 "$output/linux-user/loongarch64/syscall_nr.h"
  rm -fr "$TMP"




Re: [PATCH 05/20] migration: rename 'pos' field in QEMUFile to 'bytes_processed'

2022-06-09 Thread Dr. David Alan Gilbert
* Daniel P. Berrangé (berra...@redhat.com) wrote:
> This makes the field name align with the newly introduced method
> names in the previous commit.

I think that's the method in the following commits?

tbh I'm not sure about this; 'pos' is still passed to writev_buffer
and get_buffer to say where the data is - and that makes it a 'pos'
still rather than a simple stats counter.

Dave

> Signed-off-by: Daniel P. Berrangé 
> ---
>  migration/qemu-file.c | 19 ++-
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/migration/qemu-file.c b/migration/qemu-file.c
> index 03f0b13a55..b21da4c5bf 100644
> --- a/migration/qemu-file.c
> +++ b/migration/qemu-file.c
> @@ -50,8 +50,9 @@ struct QEMUFile {
>   */
>  int64_t rate_limit_used;
>  
> -int64_t pos; /* start of buffer when writing, end of buffer
> -when reading */
> +/* The sum of bytes transferred on the wire */
> +int64_t total_transferred;
> +
>  int buf_index;
>  int buf_size; /* 0 when writing */
>  uint8_t buf[IO_BUF_SIZE];
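Review bot: The new field is named total_transferred, but the subject of this patch says 'pos' is renamed to 'bytes_processed'; one of the two needs updating so the commit message matches the code. The replacement comment ("The sum of bytes transferred on the wire") also drops the old description of the value as the start of the buffer when writing and the end when reading, while the later hunks still pass the field to writev_buffer and get_buffer in the position argument.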
> @@ -241,14 +242,14 @@ void qemu_fflush(QEMUFile *f)
>  }
>  if (f->iovcnt > 0) {
>  expect = iov_size(f->iov, f->iovcnt);
> -ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, f->pos,
> +ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, 
> f->total_transferred,
>  &local_error);
>  
>  qemu_iovec_release_ram(f);
>  }
>  
>  if (ret >= 0) {
> -f->pos += ret;
> +f->total_transferred += ret;
>  }
>  /* We expect the QEMUFile write impl to send the full
>   * data set we requested, so sanity check that.
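Review bot: The added writev_buffer call line is long enough that it wrapped in the mail, leaving f->total_transferred on a line of its own. Break the argument list after f->iovcnt so the call stays within the line limit and the patch applies as sent.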
> @@ -357,11 +358,11 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
>  return 0;
>  }
>  
> -len = f->ops->get_buffer(f->opaque, f->buf + pending, f->pos,
> +len = f->ops->get_buffer(f->opaque, f->buf + pending, 
> f->total_transferred,
>   IO_BUF_SIZE - pending, &local_error);
>  if (len > 0) {
>  f->buf_size += len;
> -f->pos += len;
> +f->total_transferred += len;
>  } else if (len == 0) {
>  qemu_file_set_error_obj(f, -EIO, local_error);
>  } else if (len != -EAGAIN) {
> @@ -375,7 +376,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
>  
>  void qemu_update_position(QEMUFile *f, size_t size)
>  {
> -f->pos += size;
> +f->total_transferred += size;
>  }
>  
>  /** Closes the file
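Review bot: qemu_update_position() keeps its name while its body now increments total_transferred, so after this hunk the function name and the field it updates disagree. Rename the function in the same patch, or state in the commit message that a later patch in the series does.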
> @@ -658,7 +659,7 @@ int qemu_get_byte(QEMUFile *f)
>  
>  int64_t qemu_ftell_fast(QEMUFile *f)
>  {
> -int64_t ret = f->pos;
> +int64_t ret = f->total_transferred;
>  int i;
>  
>  for (i = 0; i < f->iovcnt; i++) {
> @@ -671,7 +672,7 @@ int64_t qemu_ftell_fast(QEMUFile *f)
>  int64_t qemu_ftell(QEMUFile *f)
>  {
>  qemu_fflush(f);
> -return f->pos;
> +return f->total_transferred;
>  }
>  
>  int qemu_file_rate_limit(QEMUFile *f)
> -- 
> 2.36.1
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




Re: [PATCH 2/2] ui/gtk: a new array param monitor to specify the target displays

2022-06-09 Thread Gerd Hoffmann
On Tue, May 31, 2022 at 01:23:27PM -0700, Dongwon Kim wrote:
> New integer array parameter, 'monitor' is for specifying the target
> displays where individual QEMU windows are placed upon launching.
> 
> The array contains a series of numbers representing the monitor where
> QEMU windows are placed.
> 
> Numbers in the array are mapped to QEMU windows like,
> 
> [1st detached window, 2nd detached window, Main window]
> 
> Usage example: -display gtk,monitor.0=0,monitor.1=1.

Both patches look good to me.  

> +# @monitor: Array of numbers, each of which represents physical
> +#   monitor where individual QEMU window is placed in case
> +#   there are multiple of them
> +#   since 7.1
>  #
>  # Since: 2.12
>  ##
>  { 'struct'  : 'DisplayGTK',
>'data': { '*grab-on-hover' : 'bool',
> -'*zoom-to-fit'   : 'bool'  } }
> +'*zoom-to-fit'   : 'bool',
> +'*monitor'   : ['uint16']  } }
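Review bot: The @monitor doc comment runs "since 7.1" into the description without punctuation and leaves out the window order given in the commit message ([1st detached window, 2nd detached window, Main window]). Put that order in the schema comment, mark the version as "(Since 7.1)", and say what happens when an entry names a monitor that is not present, since the type accepts any uint16.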

This is what we've agreed to, so I guess this is fine with the QAPI
maintainers too?  Can I have an ack then?

thanks,
  Gerd




Re: [PATCH] hw/usb/hcd-ehci.c: print diagnostics when cpage out of range

2022-06-09 Thread Arnout Engelen
On Thu, Jun 9, 2022, at 12:09, Gerd Hoffmann wrote:
>   Hi,
> 
> >  if (cpage > 4) {
> >  fprintf(stderr, "cpage out of range (%u)\n", cpage);
> > +bytes  = get_field(p->qtd.token, QTD_TOKEN_TBYTES);
> > +offset = p->qtd.bufptr[0] & ~QTD_BUFPTR_MASK;
> > +cpage  = get_field(p->qtd.token, QTD_TOKEN_CPAGE);
> > +fprintf(stderr, "reading %u bytes from offset %u at page %u\n",
> > +bytes, offset, cpage);
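Review bot: Inside the cpage > 4 branch the added lines assign cpage again from get_field(p->qtd.token, QTD_TOKEN_CPAGE) after it has already been range-checked and printed by the first fprintf. If the value is expected to be the same, drop the reassignment and print only bytes and offset; if it is expected to differ, add a comment saying why.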
> 
> I think we should either drop it (you've successfully debugged the
> problem meanwhile, thanks for that), or turn it into a tracepoint.
> Simply printing to stderr is deprecated.

Gotcha, I'm OK with dropping it. Thanks for the feedback & queue-ing the fix!


Kind regards,

Arnout

Re: [PATCH 05/20] migration: rename 'pos' field in QEMUFile to 'bytes_processed'

2022-06-09 Thread Dr. David Alan Gilbert
* Daniel P. Berrangé (berra...@redhat.com) wrote:
> On Thu, Jun 09, 2022 at 10:51:27AM +0100, Dr. David Alan Gilbert wrote:
> > * Daniel P. Berrangé (berra...@redhat.com) wrote:
> > > This makes the field name align with the newly introduced method
> > > names in the previous commit.
> > 
> > I think that's the method in the following commits?
> 
> Oops, yeah, I did re-arrange this series a few times to get the
> most attractive diffs.
> 
> > tbh I'm not sure about this; 'pos' is still passed to writev_buffer
> > and get_buffer to say where the data is - and that makes it a 'pos'
> > still rather than a simple stats counter.
> 
> Note every QIOChannel backed impl of QEMUFile is ignoring the
> 'pos' field.
> 
> The only QEMUFile impl using 'pos' during I/O is
> the block device vmstate. A later patch is introducing a
> QIOChannel impl for the vmstate, and to handle this it is
> tracking a file offset itself internally to the QIOChannel
> impl. So when we eliminate the QEMUFileOps callbacks later,
> this 'pos' goes away.

Ah! Put that description in the commit message and:


Reviewed-by: Dr. David Alan Gilbert 

> So I guess my description here is a little ahead of itself.
> 
> 
> > > Signed-off-by: Daniel P. Berrangé 
> > > ---
> > >  migration/qemu-file.c | 19 ++-
> > >  1 file changed, 10 insertions(+), 9 deletions(-)
> > > 
> > > diff --git a/migration/qemu-file.c b/migration/qemu-file.c
> > > index 03f0b13a55..b21da4c5bf 100644
> > > --- a/migration/qemu-file.c
> > > +++ b/migration/qemu-file.c
> > > @@ -50,8 +50,9 @@ struct QEMUFile {
> > >   */
> > >  int64_t rate_limit_used;
> > >  
> > > -int64_t pos; /* start of buffer when writing, end of buffer
> > > -when reading */
> > > +/* The sum of bytes transferred on the wire */
> > > +int64_t total_transferred;
> > > +
> > >  int buf_index;
> > >  int buf_size; /* 0 when writing */
> > >  uint8_t buf[IO_BUF_SIZE];
> > > @@ -241,14 +242,14 @@ void qemu_fflush(QEMUFile *f)
> > >  }
> > >  if (f->iovcnt > 0) {
> > >  expect = iov_size(f->iov, f->iovcnt);
> > > -ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, f->pos,
> > > +ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, 
> > > f->total_transferred,
> > >  &local_error);
> > >  
> > >  qemu_iovec_release_ram(f);
> > >  }
> > >  
> > >  if (ret >= 0) {
> > > -f->pos += ret;
> > > +f->total_transferred += ret;
> > >  }
> > >  /* We expect the QEMUFile write impl to send the full
> > >   * data set we requested, so sanity check that.
> > > @@ -357,11 +358,11 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
> > >  return 0;
> > >  }
> > >  
> > > -len = f->ops->get_buffer(f->opaque, f->buf + pending, f->pos,
> > > +len = f->ops->get_buffer(f->opaque, f->buf + pending, 
> > > f->total_transferred,
> > >   IO_BUF_SIZE - pending, &local_error);
> > >  if (len > 0) {
> > >  f->buf_size += len;
> > > -f->pos += len;
> > > +f->total_transferred += len;
> > >  } else if (len == 0) {
> > >  qemu_file_set_error_obj(f, -EIO, local_error);
> > >  } else if (len != -EAGAIN) {
> > > @@ -375,7 +376,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
> > >  
> > >  void qemu_update_position(QEMUFile *f, size_t size)
> > >  {
> > > -f->pos += size;
> > > +f->total_transferred += size;
> > >  }
> > >  
> > >  /** Closes the file
> > > @@ -658,7 +659,7 @@ int qemu_get_byte(QEMUFile *f)
> > >  
> > >  int64_t qemu_ftell_fast(QEMUFile *f)
> > >  {
> > > -int64_t ret = f->pos;
> > > +int64_t ret = f->total_transferred;
> > >  int i;
> > >  
> > >  for (i = 0; i < f->iovcnt; i++) {
> > > @@ -671,7 +672,7 @@ int64_t qemu_ftell_fast(QEMUFile *f)
> > >  int64_t qemu_ftell(QEMUFile *f)
> > >  {
> > >  qemu_fflush(f);
> > > -return f->pos;
> > > +return f->total_transferred;
> > >  }
> > >  
> > >  int qemu_file_rate_limit(QEMUFile *f)
> > > -- 
> > > 2.36.1
> > > 
> > -- 
> > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
> > 
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-https://fstop138.berrange.com :|
> |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




Re: [PATCH 05/20] migration: rename 'pos' field in QEMUFile to 'bytes_processed'

2022-06-09 Thread Daniel P . Berrangé
On Thu, Jun 09, 2022 at 10:51:27AM +0100, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berra...@redhat.com) wrote:
> > This makes the field name align with the newly introduced method
> > names in the previous commit.
> 
> I think that's the method in the following commits?

Oops, yeah, I did re-arrange this series a few times to get the
most attractive diffs.

> tbh I'm not sure about this; 'pos' is still passed to writev_buffer
> and get_buffer to say where the data is - and that makes it a 'pos'
> still rather than a simple stats counter.

Note every QIOChannel backed impl of QEMUFile is ignoring the
'pos' field.

The only QEMUFile impl using 'pos' during I/O is
the block device vmstate. A later patch is introducing a
QIOChannel impl for the vmstate, and to handle this it is
tracking a file offset itself internally to the QIOChannel
impl. So when we eliminate the QEMUFileOps callbacks later,
this 'pos' goes away.

So I guess my description here is a little ahead of itself.


> > Signed-off-by: Daniel P. Berrangé 
> > ---
> >  migration/qemu-file.c | 19 ++-
> >  1 file changed, 10 insertions(+), 9 deletions(-)
> > 
> > diff --git a/migration/qemu-file.c b/migration/qemu-file.c
> > index 03f0b13a55..b21da4c5bf 100644
> > --- a/migration/qemu-file.c
> > +++ b/migration/qemu-file.c
> > @@ -50,8 +50,9 @@ struct QEMUFile {
> >   */
> >  int64_t rate_limit_used;
> >  
> > -int64_t pos; /* start of buffer when writing, end of buffer
> > -when reading */
> > +/* The sum of bytes transferred on the wire */
> > +int64_t total_transferred;
> > +
> >  int buf_index;
> >  int buf_size; /* 0 when writing */
> >  uint8_t buf[IO_BUF_SIZE];
> > @@ -241,14 +242,14 @@ void qemu_fflush(QEMUFile *f)
> >  }
> >  if (f->iovcnt > 0) {
> >  expect = iov_size(f->iov, f->iovcnt);
> > -ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, f->pos,
> > +ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, 
> > f->total_transferred,
> >  &local_error);
> >  
> >  qemu_iovec_release_ram(f);
> >  }
> >  
> >  if (ret >= 0) {
> > -f->pos += ret;
> > +f->total_transferred += ret;
> >  }
> >  /* We expect the QEMUFile write impl to send the full
> >   * data set we requested, so sanity check that.
> > @@ -357,11 +358,11 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
> >  return 0;
> >  }
> >  
> > -len = f->ops->get_buffer(f->opaque, f->buf + pending, f->pos,
> > +len = f->ops->get_buffer(f->opaque, f->buf + pending, 
> > f->total_transferred,
> >   IO_BUF_SIZE - pending, &local_error);
> >  if (len > 0) {
> >  f->buf_size += len;
> > -f->pos += len;
> > +f->total_transferred += len;
> >  } else if (len == 0) {
> >  qemu_file_set_error_obj(f, -EIO, local_error);
> >  } else if (len != -EAGAIN) {
> > @@ -375,7 +376,7 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
> >  
> >  void qemu_update_position(QEMUFile *f, size_t size)
> >  {
> > -f->pos += size;
> > +f->total_transferred += size;
> >  }
> >  
> >  /** Closes the file
> > @@ -658,7 +659,7 @@ int qemu_get_byte(QEMUFile *f)
> >  
> >  int64_t qemu_ftell_fast(QEMUFile *f)
> >  {
> > -int64_t ret = f->pos;
> > +int64_t ret = f->total_transferred;
> >  int i;
> >  
> >  for (i = 0; i < f->iovcnt; i++) {
> > @@ -671,7 +672,7 @@ int64_t qemu_ftell_fast(QEMUFile *f)
> >  int64_t qemu_ftell(QEMUFile *f)
> >  {
> >  qemu_fflush(f);
> > -return f->pos;
> > +return f->total_transferred;
> >  }
> >  
> >  int qemu_file_rate_limit(QEMUFile *f)
> > -- 
> > 2.36.1
> > 
> -- 
> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
> 

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




Re: [PATCH 1/2] ui/gtk: detach VCS for additional guest displays

2022-06-09 Thread Daniel P . Berrangé
On Tue, May 31, 2022 at 01:23:26PM -0700, Dongwon Kim wrote:
> Detaching any additional guest displays in case there are multiple
> displays assigned to the guest OS (e.g. max_outputs=n) so that
> all of them are visible upon launching.
> 
> Cc: Daniel P. Berrangé 
> Cc: Markus Armbruster 
> Cc: Philippe Mathieu-Daudé 
> Cc: Paolo Bonzini 
> Cc: Gerd Hoffmann 
> Cc: Vivek Kasireddy 
> Signed-off-by: Dongwon Kim 
> ---
>  ui/gtk.c | 11 ++-
>  1 file changed, 10 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé 


With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




Re: [PATCH] hw/usb/hcd-ehci: fix writeback order

2022-06-09 Thread Gerd Hoffmann
On Sun, May 08, 2022 at 05:32:22PM +0200, Arnout Engelen wrote:
> The 'active' bit passes control over a qTD between the guest and the
> controller: set to 1 by guest to enable execution by the controller,
> and the controller sets it to '0' to hand back control to the guest.
> 
> ehci_state_writeback writes two dwords to main memory using DMA:
> the third dword of the qTD (containing dt, total bytes to transfer,
> cpage, cerr and status) and the fourth dword of the qTD (containing
> the offset).
> 
> This commit makes sure the fourth dword is written before the third,
> avoiding a race condition where a new offset written into the qTD
> by the guest after it observed the status going to '0' gets
> overwritten by a 'late' DMA writeback of the previous offset.
> 
> This race condition could lead to 'cpage out of range (5)' errors,
> and can be reproduced by:
> 
> ./qemu-system-x86_64 -enable-kvm -bios $SEABIOS/bios.bin -m 4096 -device 
> usb-ehci -blockdev 
> driver=file,read-only=on,filename=/home/aengelen/Downloads/openSUSE-Tumbleweed-DVD-i586-Snapshot20220428-Media.iso,node-name=iso
>  -device usb-storage,drive=iso,bootindex=0 -chardev 
> pipe,id=shell,path=/tmp/pipe -device virtio-serial -device 
> virtconsole,chardev=shell -device virtio-rng-pci -serial mon:stdio -nographic
> 
> (press a key, select 'Installation' (2), and accept the default
> values. On my machine the 'cpage out of range' is reproduced while
> loading the Linux Kernel about once per 7 attempts. With the fix in
> this commit it no longer fails)
> 
> This problem was previously reported as a seabios problem in
> https://mail.coreboot.org/hyperkitty/list/seab...@seabios.org/thread/OUTHT5ISSQJGXPNTUPY3O5E5EPZJCHM3/
> and as a nixos CI build failure in
> https://github.com/NixOS/nixpkgs/issues/170803
> 
> Signed-off-by: Arnout Engelen 

Patch queued up.

thanks,
  Gerd
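
The ordering argument from the quoted commit message, as a small deterministic model. This is an added example, not QEMU's code: the two-field struct, the QTD_ACTIVE bit position, guest_poll() and writeback() are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: only the two qTD dwords that the writeback touches. */
#define QTD_ACTIVE (1u << 7)  /* model's 'active' bit: 1 = controller owns */

struct qtd {
    uint32_t token;    /* third dword: holds the status with 'active' */
    uint32_t bufptr0;  /* fourth dword: holds the current offset */
};

enum wb_order { TOKEN_FIRST, BUFPTR_FIRST };

/* Hypothetical guest step: once it sees the qTD handed back, it writes the
 * offset for the next transfer and sets 'active' again. */
static void guest_poll(struct qtd *q, uint32_t next_offset)
{
    if (!(q->token & QTD_ACTIVE)) {
        q->bufptr0 = next_offset;
        q->token |= QTD_ACTIVE;
    }
}

/* Controller writeback of a finished qTD. The guest_poll() between the two
 * stores stands for the guest running between the two DMA writes. Returns
 * the offset left in guest memory after the guest has requeued the qTD. */
static uint32_t writeback(enum wb_order order, uint32_t done_offset,
                          uint32_t next_offset)
{
    struct qtd mem = { .token = QTD_ACTIVE, .bufptr0 = 0 };

    if (order == TOKEN_FIRST) {
        mem.token &= ~QTD_ACTIVE;       /* guest may now see active == 0 */
        guest_poll(&mem, next_offset);  /* guest requeues right away */
        mem.bufptr0 = done_offset;      /* late store clobbers its offset */
    } else {
        mem.bufptr0 = done_offset;      /* qTD is still controller-owned */
        guest_poll(&mem, next_offset);  /* active == 1: guest leaves it */
        mem.token &= ~QTD_ACTIVE;       /* hand-off is the final store */
    }
    guest_poll(&mem, next_offset);      /* guest runs after the writeback */
    return mem.bufptr0;
}

int main(void)
{
    /* Constructed offsets: 0xe00 finished by the controller, 0x200 next. */
    printf("token first:  0x%x\n", (unsigned)writeback(TOKEN_FIRST, 0xe00, 0x200));
    printf("bufptr first: 0x%x\n", (unsigned)writeback(BUFPTR_FIRST, 0xe00, 0x200));
    return 0;
}
```

With the token written first, the qTD ends up active again but carrying the controller's old offset; with the offset written first, the guest's new offset survives.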



