qemu-devel.nongnu.org archive mirror
* [PULL 00/12] target-arm queue
@ 2019-12-20 14:26 Peter Maydell
  2020-01-06 10:32 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2019-12-20 14:26 UTC (permalink / raw)
  To: qemu-devel

One last arm pullreq before I stop work for the end of the year...

-- PMM

The following changes since commit 8e5943260a8f765216674ee87ce8588cc4e7463e:

  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-12-20 12:46:10 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191220

for you to fetch changes up to c8fa6079eb35888587f1be27c1590da4edcc5098:

  arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on() (2019-12-20 14:03:00 +0000)

----------------------------------------------------------------
target-arm queue:
 * Support emulating the generic timers at frequencies other than 62.5MHz
 * Various fixes for SMMUv3 emulation bugs
 * Improve assert error message for hflags mismatches
 * arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()

----------------------------------------------------------------
Andrew Jeffery (4):
      target/arm: Remove redundant scaling of nexttick
      target/arm: Abstract the generic timer frequency
      target/arm: Prepare generic timer for per-platform CNTFRQ
      ast2600: Configure CNTFRQ at 1125MHz

Niek Linnenbank (1):
      arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()

Philippe Mathieu-Daudé (1):
      target/arm: Display helpful message when hflags mismatch

Simon Veith (6):
      hw/arm/smmuv3: Apply address mask to linear strtab base address
      hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
      hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
      hw/arm/smmuv3: Align stream table base address to table size
      hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro
      hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position

 hw/arm/smmuv3-internal.h  |  6 ++---
 target/arm/cpu.h          |  5 ++++
 hw/arm/aspeed_ast2600.c   |  3 +++
 hw/arm/smmuv3.c           | 28 +++++++++++++++-----
 target/arm/arm-powerctl.c |  3 +++
 target/arm/cpu.c          | 65 +++++++++++++++++++++++++++++++++++++++++------
 target/arm/helper.c       | 42 +++++++++++++++++++++++-------
 7 files changed, 125 insertions(+), 27 deletions(-)



* Re: [PULL 00/12] target-arm queue
  2019-12-20 14:26 Peter Maydell
@ 2020-01-06 10:32 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2020-01-06 10:32 UTC (permalink / raw)
  To: QEMU Developers

On Fri, 20 Dec 2019 at 14:26, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> One last arm pullreq before I stop work for the end of the year...
>
> -- PMM
>
> The following changes since commit 8e5943260a8f765216674ee87ce8588cc4e7463e:
>
>   Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-12-20 12:46:10 +0000)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191220
>
> for you to fetch changes up to c8fa6079eb35888587f1be27c1590da4edcc5098:
>
>   arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on() (2019-12-20 14:03:00 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * Support emulating the generic timers at frequencies other than 62.5MHz
>  * Various fixes for SMMUv3 emulation bugs
>  * Improve assert error message for hflags mismatches
>  * arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.0
for any user-visible changes.

-- PMM



* [PULL 00/12] target-arm queue
@ 2020-04-14 16:26 Peter Maydell
  2020-04-14 19:09 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2020-04-14 16:26 UTC (permalink / raw)
  To: qemu-devel

Almost nothing in here is arm-related, but the target-arm
queue was convenient for these last minute bits and pieces
for 5.0...

thanks
-- PMM

The following changes since commit 14e5526b51910efd62cd31cd95b49baca975c83f:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2020-04-13 15:42:51 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200414

for you to fetch changes up to 84f82ddcbb4ac4ed04c8675e85155329f23184f0:

  Deprecate KVM support for AArch32 (2020-04-14 17:20:22 +0100)

----------------------------------------------------------------
patch queue:
 * Fix some problems that trip up Coverity's scanner
 * run-coverity-scan: New script automating the scan-and-upload process
 * docs: Improve our gdbstub documentation
 * configure: Honour --disable-werror for Sphinx
 * docs: Fix errors produced when building with Sphinx 3.0
 * docs: Require Sphinx 1.6 or better
 * Add deprecation notice for KVM support on AArch32 hosts

----------------------------------------------------------------
Peter Maydell (12):
      osdep.h: Drop no-longer-needed Coverity workarounds
      thread.h: Fix Coverity version of qemu_cond_timedwait()
      thread.h: Remove trailing semicolons from Coverity qemu_mutex_lock() etc
      linux-user/flatload.c: Use "" for include of QEMU header target_flat.h
      scripts/run-coverity-scan: Script to run Coverity Scan build
      scripts/coverity-scan: Add Docker support
      docs: Improve our gdbstub documentation
      configure: Honour --disable-werror for Sphinx
      scripts/kernel-doc: Add missing close-paren in c:function directives
      kernel-doc: Use c:struct for Sphinx 3.0 and later
      docs: Require Sphinx 1.6 or better
      Deprecate KVM support for AArch32

 configure                                  |   9 +-
 Makefile                                   |   2 +-
 include/qemu/osdep.h                       |  14 -
 include/qemu/thread.h                      |  12 +-
 linux-user/flatload.c                      |   2 +-
 MAINTAINERS                                |   5 +
 docs/conf.py                               |   6 +-
 docs/sphinx/kerneldoc.py                   |   1 +
 docs/system/deprecated.rst                 |   8 +
 docs/system/gdb.rst                        |  22 +-
 qemu-options.hx                            |  24 +-
 scripts/coverity-scan/coverity-scan.docker | 131 ++++++++++
 scripts/coverity-scan/run-coverity-scan    | 401 +++++++++++++++++++++++++++++
 scripts/kernel-doc                         |  18 +-
 14 files changed, 615 insertions(+), 40 deletions(-)
 create mode 100644 scripts/coverity-scan/coverity-scan.docker
 create mode 100755 scripts/coverity-scan/run-coverity-scan



* Re: [PULL 00/12] target-arm queue
  2020-04-14 16:26 Peter Maydell
@ 2020-04-14 19:09 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2020-04-14 19:09 UTC (permalink / raw)
  To: QEMU Developers

On Tue, 14 Apr 2020 at 17:26, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Almost nothing in here is arm-related, but the target-arm
> queue was convenient for these last minute bits and pieces
> for 5.0...
>
> thanks
> -- PMM
>
> The following changes since commit 14e5526b51910efd62cd31cd95b49baca975c83f:
>
>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2020-04-13 15:42:51 +0100)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200414
>
> for you to fetch changes up to 84f82ddcbb4ac4ed04c8675e85155329f23184f0:
>
>   Deprecate KVM support for AArch32 (2020-04-14 17:20:22 +0100)
>
> ----------------------------------------------------------------
> patch queue:
>  * Fix some problems that trip up Coverity's scanner
>  * run-coverity-scan: New script automating the scan-and-upload process
>  * docs: Improve our gdbstub documentation
>  * configure: Honour --disable-werror for Sphinx
>  * docs: Fix errors produced when building with Sphinx 3.0
>  * docs: Require Sphinx 1.6 or better
>  * Add deprecation notice for KVM support on AArch32 hosts
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.0
for any user-visible changes.

-- PMM



* [PULL 00/12] target-arm queue
@ 2020-07-20 12:56 Peter Maydell
  2020-07-20 21:24 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2020-07-20 12:56 UTC (permalink / raw)
  To: qemu-devel

Not much here, mostly documentation, but a few bug fixes.

thanks
-- PMM

The following changes since commit 873ec69aeb12e24eec7fb317fd0cd8494e8489dd:

  Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-i2c-5' into staging (2020-07-20 11:03:09 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200720

for you to fetch changes up to 6a0b7505f1fd6769c3f1558fda76464d51e4118a:

  docs/system: Document the arm virt board (2020-07-20 11:35:17 +0100)

----------------------------------------------------------------
target-arm queue:
 * virt: Don't enable MTE emulation by default
 * virt: Diagnose attempts to use MTE with memory-hotplug or KVM
   (rather than silently not working correctly)
 * util: Implement qemu_get_thread_id() for OpenBSD
 * qdev: Add doc comments for qdev_unrealize and GPIO functions,
   and standardize on doc-comments-in-header-file
 * hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
 * docs/system: Document canon-a1100, collie, gumstix, virt boards

----------------------------------------------------------------
David CARLIER (1):
      util: Implement qemu_get_thread_id() for OpenBSD

Peter Maydell (8):
      qdev: Move doc comments from qdev.c to qdev-core.h
      qdev: Document qdev_unrealize()
      qdev: Document GPIO related functions
      hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
      docs/system: Briefly document canon-a1100 board
      docs/system: Briefly document collie board
      docs/system: Briefly document gumstix boards
      docs/system: Document the arm virt board

Richard Henderson (3):
      hw/arm/virt: Enable MTE via a machine property
      hw/arm/virt: Error for MTE enabled with KVM
      hw/arm/virt: Disable memory hotplug when MTE is enabled

 docs/system/arm/collie.rst   |  16 +++
 docs/system/arm/digic.rst    |  11 ++
 docs/system/arm/gumstix.rst  |  21 ++++
 docs/system/arm/virt.rst     | 161 ++++++++++++++++++++++++++
 docs/system/target-arm.rst   |   4 +
 include/hw/arm/virt.h        |   1 +
 include/hw/qdev-core.h       | 267 ++++++++++++++++++++++++++++++++++++++++++-
 include/hw/qdev-properties.h |  13 +++
 hw/arm/armsse.c              |   2 +
 hw/arm/virt.c                |  50 +++++++-
 hw/core/qdev.c               |  33 ------
 target/arm/cpu.c             |  19 +--
 target/arm/cpu64.c           |   5 +-
 util/oslib-posix.c           |   2 +
 MAINTAINERS                  |   4 +
 15 files changed, 559 insertions(+), 50 deletions(-)
 create mode 100644 docs/system/arm/collie.rst
 create mode 100644 docs/system/arm/digic.rst
 create mode 100644 docs/system/arm/gumstix.rst
 create mode 100644 docs/system/arm/virt.rst



* Re: [PULL 00/12] target-arm queue
  2020-07-20 12:56 Peter Maydell
@ 2020-07-20 21:24 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2020-07-20 21:24 UTC (permalink / raw)
  To: QEMU Developers

On Mon, 20 Jul 2020 at 13:56, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Not much here, mostly documentation, but a few bug fixes.
>
> thanks
> -- PMM
>
> The following changes since commit 873ec69aeb12e24eec7fb317fd0cd8494e8489dd:
>
>   Merge remote-tracking branch 'remotes/cminyard/tags/for-qemu-i2c-5' into staging (2020-07-20 11:03:09 +0100)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200720
>
> for you to fetch changes up to 6a0b7505f1fd6769c3f1558fda76464d51e4118a:
>
>   docs/system: Document the arm virt board (2020-07-20 11:35:17 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * virt: Don't enable MTE emulation by default
>  * virt: Diagnose attempts to use MTE with memory-hotplug or KVM
>    (rather than silently not working correctly)
>  * util: Implement qemu_get_thread_id() for OpenBSD
>  * qdev: Add doc comments for qdev_unrealize and GPIO functions,
>    and standardize on doc-comments-in-header-file
>  * hw/arm/armsse: Assert info->num_cpus is in-bounds in armsse_realize()
>  * docs/system: Document canon-a1100, collie, gumstix, virt boards


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM



* [PULL 00/12] target-arm queue
@ 2020-10-08 14:25 Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2020-10-08 14:25 UTC (permalink / raw)
  To: qemu-devel


The following changes since commit 6eeea6725a70e6fcb5abba0764496bdab07ddfb3:

  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-10-06' into staging (2020-10-06 21:13:34 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201008

for you to fetch changes up to ba118c26e16a97e6ff6de8184057d3420ce16a23:

  target/arm: Make '-cpu max' have a 48-bit PA (2020-10-08 15:24:32 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
 * hw/arm/fsl-imx25: Fix a typo
 * hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
 * hw/arm/sbsa-ref : allocate IRQs for SMMUv3
 * hw/char/bcm2835_aux: Allow less than 32-bit accesses
 * hw/arm/virt: Implement kvm-steal-time
 * target/arm: Make '-cpu max' have a 48-bit PA

----------------------------------------------------------------
Andrew Jones (6):
      linux headers: sync to 5.9-rc7
      target/arm/kvm: Make uncalled stubs explicitly unreachable
      hw/arm/virt: Move post cpu realize check into its own function
      hw/arm/virt: Move kvm pmu setup to virt_cpu_post_init
      tests/qtest: Restore aarch64 arm-cpu-features test
      hw/arm/virt: Implement kvm-steal-time

Graeme Gregory (2):
      hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
      hw/arm/sbsa-ref : allocate IRQs for SMMUv3

Peter Maydell (1):
      target/arm: Make '-cpu max' have a 48-bit PA

Philippe Mathieu-Daudé (3):
      hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
      hw/arm/fsl-imx25: Fix a typo
      hw/char/bcm2835_aux: Allow less than 32-bit accesses

 docs/system/arm/cpu-features.rst |  11 ++++
 include/hw/arm/fsl-imx25.h       |   2 +-
 include/hw/arm/virt.h            |   5 ++
 linux-headers/linux/kvm.h        |   6 ++-
 target/arm/cpu.h                 |   4 ++
 target/arm/kvm_arm.h             |  94 ++++++++++++++++++++++++++-------
 hw/arm/sbsa-ref.c                |   3 +-
 hw/arm/virt.c                    | 110 ++++++++++++++++++++++++++++-----------
 hw/char/bcm2835_aux.c            |   4 +-
 hw/ssi/npcm7xx_fiu.c             |  12 ++---
 target/arm/cpu.c                 |   8 +++
 target/arm/cpu64.c               |   4 ++
 target/arm/kvm.c                 |  16 ++++++
 target/arm/kvm64.c               |  64 +++++++++++++++++++++--
 target/arm/monitor.c             |   2 +-
 tests/qtest/arm-cpu-features.c   |  25 +++++++--
 hw/ssi/trace-events              |   2 +-
 tests/qtest/meson.build          |   3 +-
 18 files changed, 303 insertions(+), 72 deletions(-)



* [PULL 00/12] target-arm queue
@ 2021-07-18 12:46 Peter Maydell
  2021-07-18 16:35 ` Peter Maydell
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2021-07-18 12:46 UTC (permalink / raw)
  To: qemu-devel

Last few changes before rc0: a few bug fixes, but mostly
docs stuff.

-- PMM

The following changes since commit a97fca4ceb9d9b10aa8b582e817a5ee6c42ffbaf:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream3' into staging (2021-07-16 16:34:42 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210718

for you to fetch changes up to 8fe612a183dec4c63afdc57537079bc742d024ca:

  target/arm: Remove duplicate 'plus1' function from Neon and SVE decode (2021-07-18 10:59:47 +0100)

----------------------------------------------------------------
target-arm queue:
 * Remove duplicate 'plus1' function from Neon and SVE decode
 * Fix offsets for TTBCR for big-endian hosts
 * docs: fix copyright date
 * docs: add license/version info to HTML footers
 * docs: add an About section
 * docs: document some more arm boards

----------------------------------------------------------------
Peter Maydell (11):
      docs: Fix documentation Copyright date
      docs: Stop calling the top level subsections of our manual 'manuals'
      docs: Remove "Contents:" lines from top-level subsections
      docs: Move deprecation, build and license info out of system/
      docs: Add some actual About text to about/index.rst
      docs: Add license note to the HTML page footer
      docs: Add QEMU version information to HTML footer
      docs: Add skeletal documentation of cubieboard
      docs: Add skeletal documentation of the emcraft-sf2
      docs: Add skeletal documentation of highbank and midway
      target/arm: Remove duplicate 'plus1' function from Neon and SVE decode

Richard Henderson (1):
      target/arm: Fix offsets for TTBCR

 docs/_templates/footer.html                 | 14 ++++++++++++++
 docs/{system => about}/build-platforms.rst  |  0
 docs/{system => about}/deprecated.rst       |  0
 docs/about/index.rst                        | 27 +++++++++++++++++++++++++++
 docs/{system => about}/license.rst          |  0
 docs/{system => about}/removed-features.rst |  0
 docs/conf.py                                |  2 +-
 docs/devel/index.rst                        |  7 +------
 docs/index.rst                              |  1 +
 docs/interop/index.rst                      |  9 ++-------
 docs/meson.build                            |  3 ++-
 docs/specs/index.rst                        |  7 ++-----
 docs/system/arm/cubieboard.rst              | 16 ++++++++++++++++
 docs/system/arm/emcraft-sf2.rst             | 15 +++++++++++++++
 docs/system/arm/highbank.rst                | 19 +++++++++++++++++++
 docs/system/index.rst                       | 11 +----------
 docs/system/target-arm.rst                  |  3 +++
 docs/tools/index.rst                        |  7 ++-----
 docs/user/index.rst                         |  7 +------
 target/arm/neon-ls.decode                   |  4 ++--
 target/arm/neon-shared.decode               |  2 +-
 target/arm/sve.decode                       |  2 +-
 target/arm/helper.c                         | 11 +++++++----
 target/arm/translate-neon.c                 |  5 -----
 target/arm/translate-sve.c                  |  5 -----
 MAINTAINERS                                 |  4 ++++
 26 files changed, 122 insertions(+), 59 deletions(-)
 create mode 100644 docs/_templates/footer.html
 rename docs/{system => about}/build-platforms.rst (100%)
 rename docs/{system => about}/deprecated.rst (100%)
 create mode 100644 docs/about/index.rst
 rename docs/{system => about}/license.rst (100%)
 rename docs/{system => about}/removed-features.rst (100%)
 create mode 100644 docs/system/arm/cubieboard.rst
 create mode 100644 docs/system/arm/emcraft-sf2.rst
 create mode 100644 docs/system/arm/highbank.rst



* Re: [PULL 00/12] target-arm queue
  2021-07-18 12:46 Peter Maydell
@ 2021-07-18 16:35 ` Peter Maydell
  0 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2021-07-18 16:35 UTC (permalink / raw)
  To: QEMU Developers

On Sun, 18 Jul 2021 at 13:46, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Last few changes before rc0: a few bug fixes, but mostly
> docs stuff.
>
> -- PMM
>
> The following changes since commit a97fca4ceb9d9b10aa8b582e817a5ee6c42ffbaf:
>
>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream3' into staging (2021-07-16 16:34:42 +0100)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210718
>
> for you to fetch changes up to 8fe612a183dec4c63afdc57537079bc742d024ca:
>
>   target/arm: Remove duplicate 'plus1' function from Neon and SVE decode (2021-07-18 10:59:47 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * Remove duplicate 'plus1' function from Neon and SVE decode
>  * Fix offsets for TTBCR for big-endian hosts
>  * docs: fix copyright date
>  * docs: add license/version info to HTML footers
>  * docs: add an About section
>  * docs: document some more arm boards
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



* [PULL 00/12] target-arm queue
@ 2023-05-12 15:34 Peter Maydell
  2023-05-13  8:36 ` Richard Henderson
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2023-05-12 15:34 UTC (permalink / raw)
  To: qemu-devel

Hi; here's a relatively small target-arm queue, pretty much all
bug fixes. (There are a few non-arm patches that I've thrown in
there too for my convenience :-))

thanks
-- PMM

The following changes since commit 278238505d28d292927bff7683f39fb4fbca7fd1:

  Merge tag 'pull-tcg-20230511-2' of https://gitlab.com/rth7680/qemu into staging (2023-05-11 11:44:23 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230512

for you to fetch changes up to 478dccbb99db0bf8f00537dd0b4d0de88d5cb537:

  target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check (2023-05-12 16:01:25 +0100)

----------------------------------------------------------------
target-arm queue:
 * More refactoring of files into tcg/
 * Don't allow stage 2 page table walks to downgrade to NS
 * Fix handling of SW and NSW bits for stage 2 walks
 * MAINTAINERS: Update Akihiko Odaki's email address
 * ui: Fix pixel colour channel order for PNG screenshots
 * docs: Remove unused weirdly-named cross-reference targets
 * hw/mips/malta: Fix minor dead code issue
 * Fixes for the "allow CONFIG_TCG=n" changes
 * tests/qtest: Don't run cdrom boot tests if no accelerator is present
 * target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check

----------------------------------------------------------------
Akihiko Odaki (1):
      MAINTAINERS: Update Akihiko Odaki's email address

Fabiano Rosas (3):
      target/arm: Select SEMIHOSTING when using TCG
      target/arm: Select CONFIG_ARM_V7M when TCG is enabled
      tests/qtest: Don't run cdrom boot tests if no accelerator is present

Peter Maydell (6):
      target/arm: Don't allow stage 2 page table walks to downgrade to NS
      target/arm: Fix handling of SW and NSW bits for stage 2 walks
      ui: Fix pixel colour channel order for PNG screenshots
      docs: Remove unused weirdly-named cross-reference targets
      hw/mips/malta: Fix minor dead code issue
      target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check

Richard Henderson (2):
      target/arm: Move translate-a32.h, arm_ldst.h, sve_ldst_internal.h to tcg/
      target/arm: Move helper-{a64,mve,sme,sve}.h to tcg/

 MAINTAINERS                              |  4 +-
 docs/system/devices/igb.rst              |  2 +-
 docs/system/devices/ivshmem.rst          |  2 -
 docs/system/devices/net.rst              |  2 +-
 docs/system/devices/usb.rst              |  2 -
 docs/system/keys.rst                     |  2 +-
 docs/system/linuxboot.rst                |  2 +-
 docs/system/target-i386.rst              |  4 --
 target/arm/helper.h                      |  8 +--
 target/arm/internals.h                   | 12 +++-
 target/arm/{ => tcg}/arm_ldst.h          |  0
 target/arm/{ => tcg}/helper-a64.h        |  0
 target/arm/{ => tcg}/helper-mve.h        |  0
 target/arm/{ => tcg}/helper-sme.h        |  0
 target/arm/{ => tcg}/helper-sve.h        |  0
 target/arm/{ => tcg}/sve_ldst_internal.h |  0
 target/arm/{ => tcg}/translate-a32.h     |  0
 hw/mips/malta.c                          |  5 +-
 target/arm/gdbstub64.c                   |  2 +-
 target/arm/helper.c                      | 15 ++++-
 target/arm/ptw.c                         | 95 +++++++++++++++++++-------------
 target/arm/tcg/pauth_helper.c            |  6 +-
 tests/qtest/cdrom-test.c                 | 10 ++++
 ui/console.c                             |  4 +-
 target/arm/Kconfig                       |  9 +--
 25 files changed, 109 insertions(+), 77 deletions(-)
 rename target/arm/{ => tcg}/arm_ldst.h (100%)
 rename target/arm/{ => tcg}/helper-a64.h (100%)
 rename target/arm/{ => tcg}/helper-mve.h (100%)
 rename target/arm/{ => tcg}/helper-sme.h (100%)
 rename target/arm/{ => tcg}/helper-sve.h (100%)
 rename target/arm/{ => tcg}/sve_ldst_internal.h (100%)
 rename target/arm/{ => tcg}/translate-a32.h (100%)



* Re: [PULL 00/12] target-arm queue
  2023-05-12 15:34 Peter Maydell
@ 2023-05-13  8:36 ` Richard Henderson
  0 siblings, 0 replies; 27+ messages in thread
From: Richard Henderson @ 2023-05-13  8:36 UTC (permalink / raw)
  To: Peter Maydell, qemu-devel

On 5/12/23 16:34, Peter Maydell wrote:
> Hi; here's a relatively small target-arm queue, pretty much all
> bug fixes. (There are a few non-arm patches that I've thrown in
> there too for my convenience :-))
> 
> thanks
> -- PMM
> 
> The following changes since commit 278238505d28d292927bff7683f39fb4fbca7fd1:
> 
>    Merge tag 'pull-tcg-20230511-2' of https://gitlab.com/rth7680/qemu into staging (2023-05-11 11:44:23 +0100)
> 
> are available in the Git repository at:
> 
>    https://git.linaro.org/people/pmaydell/qemu-arm.git  tags/pull-target-arm-20230512
> 
> for you to fetch changes up to 478dccbb99db0bf8f00537dd0b4d0de88d5cb537:
> 
>    target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check (2023-05-12 16:01:25 +0100)
> 
> ----------------------------------------------------------------
> target-arm queue:
>   * More refactoring of files into tcg/
>   * Don't allow stage 2 page table walks to downgrade to NS
>   * Fix handling of SW and NSW bits for stage 2 walks
>   * MAINTAINERS: Update Akihiko Odaki's email address
>   * ui: Fix pixel colour channel order for PNG screenshots
>   * docs: Remove unused weirdly-named cross-reference targets
>   * hw/mips/malta: Fix minor dead code issue
>   * Fixes for the "allow CONFIG_TCG=n" changes
>   * tests/qtest: Don't run cdrom boot tests if no accelerator is present
>   * target/arm: Correct AArch64.S2MinTxSZ 32-bit EL1 input size check

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/8.1 as appropriate.


r~




* [PULL 00/12] target-arm queue
@ 2023-11-06 15:32 Peter Maydell
  2023-11-06 15:32 ` [PULL 01/12] hw/arm/virt: fix PMU IRQ registration Peter Maydell
                   ` (12 more replies)
  0 siblings, 13 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

Hi; here's another arm pullreq. These changes are all bug fixes
(including some Coverity issue fixes), so are OK for applying
either before or after softfreeze.

thanks
-- PMM

The following changes since commit 3e01f1147a16ca566694b97eafc941d62fa1e8d8:

  Merge tag 'pull-sp-20231105' of https://gitlab.com/rth7680/qemu into staging (2023-11-06 09:34:22 +0800)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20231106

for you to fetch changes up to 5722fc471296d5f042df4b005a851cc8008df0c9:

  target/arm: Fix A64 LDRA immediate decode (2023-11-06 15:00:29 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: fix PMU IRQ registration
 * hw/arm/virt: Report correct register sizes in ACPI DBG2/SPCR tables
 * hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow
 * util/filemonitor-inotify: qemu_file_monitor_watch(): assert no overflow
 * mc146818rtc: rtc_set_time(): initialize tm to zeroes
 * block/nvme: nvme_process_completion() fix bound for cid
 * hw/core/loader: gunzip(): initialize z_stream
 * io/channel-socket: qio_channel_socket_flush(): improve msg validation
 * hw/arm/vexpress-a9: Remove useless mapping of RAM at address 0
 * target/arm: Fix A64 LDRA immediate decode

----------------------------------------------------------------
Peter Maydell (4):
      tests/qtest/bios-tables-test: Allow changes to virt SPCR and DBG2
      tests/qtest/bios-tables-test: Update virt SPCR and DBG2 golden references
      hw/arm/vexpress-a9: Remove useless mapping of RAM at address 0
      target/arm: Fix A64 LDRA immediate decode

Sebastian Ott (1):
      hw/arm/virt: fix PMU IRQ registration

Udo Steinberg (1):
      hw/arm/virt: Report correct register sizes in ACPI DBG2/SPCR tables.

Vladimir Sementsov-Ogievskiy (6):
      hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow
      util/filemonitor-inotify: qemu_file_monitor_watch(): assert no overflow
      mc146818rtc: rtc_set_time(): initialize tm to zeroes
      block/nvme: nvme_process_completion() fix bound for cid
      hw/core/loader: gunzip(): initialize z_stream
      io/channel-socket: qio_channel_socket_flush(): improve msg validation

 docs/system/arm/vexpress.rst |   3 +++
 target/arm/tcg/translate.h   |   5 +++++
 target/arm/tcg/a64.decode    |   2 +-
 block/nvme.c                 |   7 ++++---
 hw/arm/vexpress.c            |  14 +++-----------
 hw/arm/virt-acpi-build.c     |   4 ++--
 hw/arm/virt.c                |   3 ++-
 hw/core/loader.c             |   2 +-
 hw/i386/intel_iommu.c        |  23 ++++++++++++++++++++---
 hw/rtc/mc146818rtc.c         |   2 +-
 io/channel-socket.c          |   5 +++++
 util/filemonitor-inotify.c   |  25 +++++++++++++++++--------
 tests/data/acpi/virt/DBG2    | Bin 87 -> 87 bytes
 tests/data/acpi/virt/SPCR    | Bin 80 -> 80 bytes
 14 files changed, 64 insertions(+), 31 deletions(-)



* [PULL 01/12] hw/arm/virt: fix PMU IRQ registration
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 02/12] tests/qtest/bios-tables-test: Allow changes to virt SPCR and DBG2 Peter Maydell
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Sebastian Ott <sebott@redhat.com>

Since commit 9036e917f8 ("{include/}hw/arm: refactor virt PPI logic")
PMU IRQ registration fails for arm64 guests:

[    0.563689] hw perfevents: unable to request IRQ14 for ARM PMU counters
[    0.565160] armv8-pmu: probe of pmu failed with error -22

That commit re-defined VIRTUAL_PMU_IRQ to be an INTID but missed a case
where the PMU IRQ is actually referred to by its PPI index. Fix that by using
INTID_TO_PPI() in that case.

Fixes: 9036e917f8 ("{include/}hw/arm: refactor virt PPI logic")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1960
Signed-off-by: Sebastian Ott <sebott@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 475d918d-ab0e-f717-7206-57a5beb28c7b@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 92085d2d8fb..0a16ab30958 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -631,7 +631,8 @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
         qemu_fdt_setprop(ms->fdt, "/pmu", "compatible",
                          compat, sizeof(compat));
         qemu_fdt_setprop_cells(ms->fdt, "/pmu", "interrupts",
-                               GIC_FDT_IRQ_TYPE_PPI, VIRTUAL_PMU_IRQ, irqflags);
+                               GIC_FDT_IRQ_TYPE_PPI,
+                               INTID_TO_PPI(VIRTUAL_PMU_IRQ), irqflags);
     }
 }
 
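
Review bot: the new argument INTID_TO_PPI(VIRTUAL_PMU_IRQ) is only correct
because the cell that follows GIC_FDT_IRQ_TYPE_PPI takes a PPI index and not
an INTID, and nothing at the call site says so. A one-line comment above
qemu_fdt_setprop_cells() stating that the "interrupts" cell is PPI-relative
would make it harder for a later refactor of the IRQ defines to bring back
the "unable to request IRQ14" failure quoted in the commit message.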
-- 
2.34.1




* [PULL 02/12] tests/qtest/bios-tables-test: Allow changes to virt SPCR and DBG2
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
  2023-11-06 15:32 ` [PULL 01/12] hw/arm/virt: fix PMU IRQ registration Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 03/12] hw/arm/virt: Report correct register sizes in ACPI DBG2/SPCR tables Peter Maydell
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

Allow changes to the virt board SPCR and DBG2 -- we are going to fix
an error in the UART descriptions there.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index dfb8523c8bf..6673e2c4c13 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,3 @@
 /* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/virt/SPCR",
+"tests/data/acpi/virt/DBG2",
-- 
2.34.1




* [PULL 03/12] hw/arm/virt: Report correct register sizes in ACPI DBG2/SPCR tables.
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
  2023-11-06 15:32 ` [PULL 01/12] hw/arm/virt: fix PMU IRQ registration Peter Maydell
  2023-11-06 15:32 ` [PULL 02/12] tests/qtest/bios-tables-test: Allow changes to virt SPCR and DBG2 Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 04/12] tests/qtest/bios-tables-test: Update virt SPCR and DBG2 golden references Peter Maydell
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Udo Steinberg <udo@hypervisor.org>

Documentation for using the GAS in ACPI tables to report debug UART addresses at
https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/acpi-debug-port-table
states the following:

- The Register Bit Width field contains the register stride and must be a
  power of 2 that is at least as large as the access size.  On 32-bit
  platforms this value cannot exceed 32.  On 64-bit platforms this value
  cannot exceed 64.
- The Access Size field is used to determine whether byte, WORD, DWORD, or
  QWORD accesses are to be used.  QWORD accesses are only valid on 64-bit
  architectures.

Documentation for the ARM PL011 at
https://developer.arm.com/documentation/ddi0183/latest/
states that the registers are:

- spaced 4 bytes apart (see Table 3-2), so register stride must be 32.
- 16 bits in size in some cases (see individual registers), so access
  size must be at least 2.

Linux doesn't seem to care about this error in the table, but it does
affect at least the NOVA microhypervisor.

In theory we therefore have a choice between reporting the access
size as 2 (16 bit accesses) or 3 (32-bit accesses).  In practice,
Linux does not correctly handle the case where the table reports the
access size as 2: as of kernel commit 750b95887e5678, the code in
acpi_parse_spcr() tries to tell the serial driver to use 16 bit
accesses by passing "mmio16" in the option string, but the PL011
driver code in pl011_console_match() only recognizes "mmio" or
"mmio32". The result is that unless the user has enabled 'earlycon'
there is no console output from the guest kernel.

We therefore choose to report the access size as 32 bits; this works
for NOVA and also for Linux.  It is also what the UEFI firmware on a
Raspberry Pi 4 reports, so we're in line with existing real-world
practice.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1938
Signed-off-by: Udo Steinberg <udo@hypervisor.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: minor commit message tweaks; use 32 bit accesses]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 9ce136cd88c..8bc35a483c9 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -482,7 +482,7 @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     build_append_int_noprefix(table_data, 3, 1); /* ARM PL011 UART */
     build_append_int_noprefix(table_data, 0, 3); /* Reserved */
     /* Base Address */
-    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1,
+    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 3,
                      vms->memmap[VIRT_UART].base);
     /* Interrupt Type */
     build_append_int_noprefix(table_data,
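
Review bot: the new build_append_gas() arguments in build_spcr() are bare
literals (32, 0, 3) whose meaning can only be recovered from the commit
message. A short comment at the call saying that 32 is the PL011 register
stride in bits and that 3 selects DWORD access would keep the reasoning
next to the code.
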
@@ -673,7 +673,7 @@ build_dbg2(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     build_append_int_noprefix(table_data, 34, 2);
 
     /* BaseAddressRegister[] */
-    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 8, 0, 1,
+    build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 32, 0, 3,
                      vms->memmap[VIRT_UART].base);
 
     /* AddressSize[] */
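
Review bot: build_dbg2() repeats the same 32, 0, 3 literals as build_spcr(),
so the two tables can drift apart again if only one call is edited later.
Consider emitting the UART GAS through one shared helper, or through a pair
of named constants used by both calls.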
-- 
2.34.1




* [PULL 04/12] tests/qtest/bios-tables-test: Update virt SPCR and DBG2 golden references
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (2 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 03/12] hw/arm/virt: Report correct register sizes in ACPI DBG2/SPCR tables Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 05/12] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow Peter Maydell
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

Update the virt SPCR and DBG2 golden reference files to have the
fix for the description of the UART.

Diffs from iasl:

@@ -1,57 +1,57 @@
 /*
  * Intel ACPI Component Architecture
  * AML/ASL+ Disassembler version 20200925 (64-bit version)
  * Copyright (c) 2000 - 2020 Intel Corporation
  *
- * Disassembly of tests/data/acpi/virt/SPCR, Fri Nov  3 14:12:06 2023
+ * Disassembly of /tmp/aml-E6YUD2, Fri Nov  3 14:12:06 2023
  *
  * ACPI Data Table [SPCR]
  *
  * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
  */

 [000h 0000   4]                    Signature : "SPCR"    [Serial Port Console Redirection table]
 [004h 0004   4]                 Table Length : 00000050
 [008h 0008   1]                     Revision : 02
-[009h 0009   1]                     Checksum : CB
+[009h 0009   1]                     Checksum : B1
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001

 [024h 0036   1]               Interface Type : 03
 [025h 0037   3]                     Reserved : 000000

 [028h 0040  12]         Serial Port Register : [Generic Address Structure]
 [028h 0040   1]                     Space ID : 00 [SystemMemory]
-[029h 0041   1]                    Bit Width : 08
+[029h 0041   1]                    Bit Width : 20
 [02Ah 0042   1]                   Bit Offset : 00
-[02Bh 0043   1]         Encoded Access Width : 01 [Byte Access:8]
+[02Bh 0043   1]         Encoded Access Width : 03 [DWord Access:32]
 [02Ch 0044   8]                      Address : 0000000009000000

 [034h 0052   1]               Interrupt Type : 08
 [035h 0053   1]          PCAT-compatible IRQ : 00
 [036h 0054   4]                    Interrupt : 00000021
 [03Ah 0058   1]                    Baud Rate : 03
 [03Bh 0059   1]                       Parity : 00
 [03Ch 0060   1]                    Stop Bits : 01
 [03Dh 0061   1]                 Flow Control : 02
 [03Eh 0062   1]                Terminal Type : 00
 [04Ch 0076   1]                     Reserved : 00
 [040h 0064   2]                PCI Device ID : FFFF
 [042h 0066   2]                PCI Vendor ID : FFFF
 [044h 0068   1]                      PCI Bus : 00
 [045h 0069   1]                   PCI Device : 00
 [046h 0070   1]                 PCI Function : 00
 [047h 0071   4]                    PCI Flags : 00000000
 [04Bh 0075   1]                  PCI Segment : 00
 [04Ch 0076   4]                     Reserved : 00000000

 Raw Table Data: Length 80 (0x50)

-    0000: 53 50 43 52 50 00 00 00 02 CB 42 4F 43 48 53 20  // SPCRP.....BOCHS
+    0000: 53 50 43 52 50 00 00 00 02 B1 42 4F 43 48 53 20  // SPCRP.....BOCHS
     0010: 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
-    0020: 01 00 00 00 03 00 00 00 00 08 00 01 00 00 00 09  // ................
+    0020: 01 00 00 00 03 00 00 00 00 20 00 03 00 00 00 09  // ......... ......
     0030: 00 00 00 00 08 00 21 00 00 00 03 00 01 02 00 00  // ......!.........
     0040: FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00  // ................

@@ -1,57 +1,57 @@
 /*
  * Intel ACPI Component Architecture
  * AML/ASL+ Disassembler version 20200925 (64-bit version)
  * Copyright (c) 2000 - 2020 Intel Corporation
  *
- * Disassembly of tests/data/acpi/virt/DBG2, Fri Nov  3 14:12:06 2023
+ * Disassembly of /tmp/aml-V1YUD2, Fri Nov  3 14:12:06 2023
  *
  * ACPI Data Table [DBG2]
  *
  * Format: [HexOffset DecimalOffset ByteLength]  FieldName : FieldValue
  */

 [000h 0000   4]                    Signature : "DBG2"    [Debug Port table type 2]
 [004h 0004   4]                 Table Length : 00000057
 [008h 0008   1]                     Revision : 00
-[009h 0009   1]                     Checksum : CF
+[009h 0009   1]                     Checksum : B5
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001

 [024h 0036   4]                  Info Offset : 0000002C
 [028h 0040   4]                   Info Count : 00000001

 [02Ch 0044   1]                     Revision : 00
 [02Dh 0045   2]                       Length : 002B
 [02Fh 0047   1]               Register Count : 01
 [030h 0048   2]              Namepath Length : 0005
 [032h 0050   2]              Namepath Offset : 0026
 [034h 0052   2]              OEM Data Length : 0000 [Optional field not present]
 [036h 0054   2]              OEM Data Offset : 0000 [Optional field not present]
 [038h 0056   2]                    Port Type : 8000
 [03Ah 0058   2]                 Port Subtype : 0003
 [03Ch 0060   2]                     Reserved : 0000
 [03Eh 0062   2]          Base Address Offset : 0016
 [040h 0064   2]          Address Size Offset : 0022

 [042h 0066  12]        Base Address Register : [Generic Address Structure]
 [042h 0066   1]                     Space ID : 00 [SystemMemory]
-[043h 0067   1]                    Bit Width : 08
+[043h 0067   1]                    Bit Width : 20
 [044h 0068   1]                   Bit Offset : 00
-[045h 0069   1]         Encoded Access Width : 01 [Byte Access:8]
+[045h 0069   1]         Encoded Access Width : 03 [DWord Access:32]
 [046h 0070   8]                      Address : 0000000009000000

 [04Eh 0078   4]                 Address Size : 00001000

 [052h 0082   5]                     Namepath : "COM0"

 Raw Table Data: Length 87 (0x57)

-    0000: 44 42 47 32 57 00 00 00 00 CF 42 4F 43 48 53 20  // DBG2W.....BOCHS
+    0000: 44 42 47 32 57 00 00 00 00 B5 42 4F 43 48 53 20  // DBG2W.....BOCHS
     0010: 42 58 50 43 20 20 20 20 01 00 00 00 42 58 50 43  // BXPC    ....BXPC
     0020: 01 00 00 00 2C 00 00 00 01 00 00 00 00 2B 00 01  // ....,........+..
     0030: 05 00 26 00 00 00 00 00 00 80 03 00 00 00 16 00  // ..&.............
-    0040: 22 00 00 08 00 01 00 00 00 09 00 00 00 00 00 10  // "...............
+    0040: 22 00 00 20 00 03 00 00 00 09 00 00 00 00 00 10  // ".. ............
     0050: 00 00 43 4F 4D 30 00                             // ..COM0.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 tests/data/acpi/virt/DBG2                   | Bin 87 -> 87 bytes
 tests/data/acpi/virt/SPCR                   | Bin 80 -> 80 bytes
 3 files changed, 2 deletions(-)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index 6673e2c4c13..dfb8523c8bf 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1,3 +1 @@
 /* List of comma-separated changed AML files to ignore */
-"tests/data/acpi/virt/SPCR",
-"tests/data/acpi/virt/DBG2",
diff --git a/tests/data/acpi/virt/DBG2 b/tests/data/acpi/virt/DBG2
index 86e6314f7b0235ef8ed3e0221e09f996c41f5e98..0a05e1a47f9c303c6a6c9ca8414c62ec4ac90f98 100644
GIT binary patch
delta 37
ncmWF!=W=m!HwtF}f~^y|EJYL;n1M`A5T8MSfx+3|*MI>4b2kL{

delta 37
ncmWF!=W=m!HwtF}g7Xu(EJZjN7=cVq5T8MSfx+3|*MI>4bG-!j

diff --git a/tests/data/acpi/virt/SPCR b/tests/data/acpi/virt/SPCR
index 24e0a579e7d73f432a614380e29aa95113344186..cf0f2b75226515097c08d2e2016a83a4f08812ba 100644
GIT binary patch
delta 23
ecmWFt;0g|K4hmpkU|`xfkxQOgfq{9VjtT%gOa!L@

delta 23
ecmWFt;0g|K4hmpkU|>2ukxQPLgMo3PjtT%g(gddf

-- 
2.34.1
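
The GAS rules quoted in the 03/12 commit message, applied to the SPCR bytes
from the iasl dump in 04/12 (an added example, not code from QEMU or from the
patch authors). The struct, enum and function names are made up for this
example, and refusing access size 0 is the example's own choice.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPCR_LEN        80
#define SPCR_GAS_OFFSET 0x28

/* ACPI Generic Address Structure; access_size 1..4 = byte/WORD/DWORD/QWORD. */
struct gas {
    uint8_t space_id, bit_width, bit_offset, access_size;
    uint64_t address;
};

enum gas_verdict {
    GAS_OK,
    GAS_BAD_ACCESS_SIZE,    /* not 1..4 (0 refused: this example's choice) */
    GAS_BAD_BIT_WIDTH,      /* not a power of 2, < access size, or too wide */
    GAS_STRIDE_MISMATCH,    /* differs from the device's register spacing */
    GAS_ACCESS_TOO_NARROW,  /* narrower than the device's widest register */
    GAS_MALFORMED_TABLE,    /* bad checksum, or GAS outside the table */
};

/* SPCR after the fix: the "+" side of the Raw Table Data dump in 04/12. */
static const uint8_t spcr_fixed[SPCR_LEN] = {
    0x53,0x50,0x43,0x52,0x50,0x00,0x00,0x00,0x02,0xB1,0x42,0x4F,0x43,0x48,0x53,0x20,
    0x42,0x58,0x50,0x43,0x20,0x20,0x20,0x20,0x01,0x00,0x00,0x00,0x42,0x58,0x50,0x43,
    0x01,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x20,0x00,0x03,0x00,0x00,0x00,0x09,
    0x00,0x00,0x00,0x00,0x08,0x00,0x21,0x00,0x00,0x00,0x03,0x00,0x01,0x02,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};

/* An ACPI table is intact when all of its bytes sum to 0 modulo 256. */
bool acpi_checksum_ok(const uint8_t *table, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (uint8_t)(sum + table[i]);
    }
    return sum == 0;
}

/* Decode the GAS at 'off'; refuse offsets that would read past the table. */
bool gas_parse(const uint8_t *table, size_t len, size_t off, struct gas *out)
{
    if (off > len || len - off < 12) {
        return false;
    }
    *out = (struct gas){ table[off], table[off + 1], table[off + 2],
                         table[off + 3], 0 };
    for (int i = 7; i >= 0; i--) {  /* little-endian 64-bit address */
        out->address = (out->address << 8) | table[off + 4 + i];
    }
    return true;
}

/* Generic debug-port GAS rules first, then the device's own constraints. */
enum gas_verdict gas_check(const struct gas *g, unsigned platform_bits,
                           unsigned dev_stride_bits, unsigned dev_min_access)
{
    unsigned max_access = platform_bits >= 64 ? 4 : 3; /* QWORD needs 64-bit */
    if (g->access_size < 1 || g->access_size > max_access) {
        return GAS_BAD_ACCESS_SIZE;
    }
    unsigned access_bits = 8u << (g->access_size - 1);
    if ((g->bit_width & (g->bit_width - 1)) != 0 ||
        g->bit_width < access_bits || g->bit_width > platform_bits) {
        return GAS_BAD_BIT_WIDTH;
    }
    if (g->bit_width != dev_stride_bits) {
        return GAS_STRIDE_MISMATCH;
    }
    return access_bits < dev_min_access ? GAS_ACCESS_TOO_NARROW : GAS_OK;
}

/* PL011 on a 64-bit platform: registers 4 bytes apart, some 16 bits wide. */
enum gas_verdict spcr_check_pl011(const uint8_t *table, size_t len)
{
    struct gas g;
    if (!acpi_checksum_ok(table, len) ||
        !gas_parse(table, len, SPCR_GAS_OFFSET, &g)) {
        return GAS_MALFORMED_TABLE;
    }
    return gas_check(&g, 64, 32, 16);
}

int main(void)
{
    uint8_t old[SPCR_LEN];
    memcpy(old, spcr_fixed, SPCR_LEN);
    old[0x09] = 0xCB;   /* pre-fix Checksum */
    old[0x29] = 0x08;   /* pre-fix Bit Width */
    old[0x2B] = 0x01;   /* pre-fix Encoded Access Width */
    printf("before fix: verdict %d\n", spcr_check_pl011(old, SPCR_LEN));
    printf("after fix:  verdict %d\n", spcr_check_pl011(spcr_fixed, SPCR_LEN));
    return 0;
}
```

Access size 2 with a 32-bit stride also passes gas_check(), which matches the
"in theory" choice between 2 and 3 described in the 03/12 commit message.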




* [PULL 05/12] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (3 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 04/12] tests/qtest/bios-tables-test: Update virt SPCR and DBG2 golden references Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 06/12] util/filemonitor-inotify: qemu_file_monitor_watch(): " Peter Maydell
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

We support only 3- and 4-level page-tables, which is first checked in
vtd_decide_config(), then set up in vtd_init(). Then the level fields are
checked by vtd_is_level_supported().

So here we can't have a level outside the 1..4 inclusive range. Let's assert
it. That also explains to Coverity that we are not going to overflow the
array.

CID: 1487158, 1487186
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-2-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/i386/intel_iommu.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 1c6c18622fd..1a44ef696c3 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -1045,18 +1045,35 @@ static dma_addr_t vtd_get_iova_pgtbl_base(IntelIOMMUState *s,
  * Rsvd field masks for spte:
  *     vtd_spte_rsvd 4k pages
  *     vtd_spte_rsvd_large large pages
+ *
+ * We support only 3-level and 4-level page tables (see vtd_init() which
+ * sets only VTD_CAP_SAGAW_39bit and maybe VTD_CAP_SAGAW_48bit bits in s->cap).
  */
-static uint64_t vtd_spte_rsvd[5];
-static uint64_t vtd_spte_rsvd_large[5];
+#define VTD_SPTE_RSVD_LEN 5
+static uint64_t vtd_spte_rsvd[VTD_SPTE_RSVD_LEN];
+static uint64_t vtd_spte_rsvd_large[VTD_SPTE_RSVD_LEN];
 
 static bool vtd_slpte_nonzero_rsvd(uint64_t slpte, uint32_t level)
 {
-    uint64_t rsvd_mask = vtd_spte_rsvd[level];
+    uint64_t rsvd_mask;
+
+    /*
+     * We should have caught a guest-mis-programmed level earlier,
+     * via vtd_is_level_supported.
+     */
+    assert(level < VTD_SPTE_RSVD_LEN);
+    /*
+     * Zero level doesn't exist. The smallest level is VTD_SL_PT_LEVEL=1 and
+     * checked by vtd_is_last_slpte().
+     */
+    assert(level);
 
     if ((level == VTD_SL_PD_LEVEL || level == VTD_SL_PDP_LEVEL) &&
         (slpte & VTD_SL_PT_PAGE_SIZE_MASK)) {
         /* large page */
         rsvd_mask = vtd_spte_rsvd_large[level];
+    } else {
+        rsvd_mask = vtd_spte_rsvd[level];
     }
 
     return slpte & rsvd_mask;
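
Review bot: the two new assertions in vtd_slpte_nonzero_rsvd() guard an array
index that, per the added comment, originates from guest programming, so a
gap in the earlier vtd_is_level_supported() check now aborts the process
instead of reading past vtd_spte_rsvd[]. That is the better failure of the
two, but the comment should say that the assert is a backstop and not the
validation itself. Minor: assert(level) could be written as
assert(level >= VTD_SL_PT_LEVEL), so the lower bound names the constant the
comment refers to.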
-- 
2.34.1




* [PULL 06/12] util/filemonitor-inotify: qemu_file_monitor_watch(): assert no overflow
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (4 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 05/12] hw/i386/intel_iommu: vtd_slpte_nonzero_rsvd(): assert no overflow Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 07/12] mc146818rtc: rtc_set_time(): initialize tm to zeroes Peter Maydell
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Prefer clear assertions instead of [im]possible array overflow.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-3-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 util/filemonitor-inotify.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/util/filemonitor-inotify.c b/util/filemonitor-inotify.c
index 2c45f7f1764..2121111f38b 100644
--- a/util/filemonitor-inotify.c
+++ b/util/filemonitor-inotify.c
@@ -81,16 +81,25 @@ static void qemu_file_monitor_watch(void *arg)
 
     /* Loop over all events in the buffer */
     while (used < len) {
-        struct inotify_event *ev =
-            (struct inotify_event *)(buf + used);
-        const char *name = ev->len ? ev->name : "";
-        QFileMonitorDir *dir = g_hash_table_lookup(mon->idmap,
-                                                   GINT_TO_POINTER(ev->wd));
-        uint32_t iev = ev->mask &
-            (IN_CREATE | IN_MODIFY | IN_DELETE | IN_IGNORED |
-             IN_MOVED_TO | IN_MOVED_FROM | IN_ATTRIB);
+        const char *name;
+        QFileMonitorDir *dir;
+        uint32_t iev;
         int qev;
         gsize i;
+        struct inotify_event *ev = (struct inotify_event *)(buf + used);
+
+        /*
+         * We trust the kenel to provide valid buffer with complete event
+         * records.
+         */
+        assert(len - used >= sizeof(struct inotify_event));
+        assert(len - used - sizeof(struct inotify_event) >= ev->len);
+
+        name = ev->len ? ev->name : "";
+        dir = g_hash_table_lookup(mon->idmap, GINT_TO_POINTER(ev->wd));
+        iev = ev->mask &
+            (IN_CREATE | IN_MODIFY | IN_DELETE | IN_IGNORED |
+             IN_MOVED_TO | IN_MOVED_FROM | IN_ATTRIB);
 
         used += sizeof(struct inotify_event) + ev->len;
 
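
Review bot: the comment added above the assertions misspells "kernel" as
"kenel". Separately, both assertions compute len - used and rely on the loop
condition used < len to keep that subtraction from wrapping; saying so in
the comment would make the second assert(), which subtracts
sizeof(struct inotify_event) again before comparing with ev->len, easier to
audit.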
-- 
2.34.1




* [PULL 07/12] mc146818rtc: rtc_set_time(): initialize tm to zeroes
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (5 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 06/12] util/filemonitor-inotify: qemu_file_monitor_watch(): " Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 08/12] block/nvme: nvme_process_completion() fix bound for cid Peter Maydell
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

The set_time() function doesn't set all the fields, so it's better to
initialize the tm structure. And Coverity will be happier about it.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-4-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/rtc/mc146818rtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rtc/mc146818rtc.c b/hw/rtc/mc146818rtc.c
index c27c362db9e..2d391a83969 100644
--- a/hw/rtc/mc146818rtc.c
+++ b/hw/rtc/mc146818rtc.c
@@ -599,7 +599,7 @@ static void rtc_get_time(MC146818RtcState *s, struct tm *tm)
 
 static void rtc_set_time(MC146818RtcState *s)
 {
-    struct tm tm;
+    struct tm tm = {};
     g_autofree const char *qom_path = object_get_canonical_path(OBJECT(s));
 
     rtc_get_time(s, &tm);
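
Review bot: the commit message says set_time() does not set all the fields,
but in this hunk the zero-initialized struct is handed to
rtc_get_time(s, &tm) to be filled in, so the message should name that
function. A brief comment at the initializer explaining that the callee
leaves some struct tm fields untouched would also stop the "= {}" from
being removed later as redundant.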
-- 
2.34.1




* [PULL 08/12] block/nvme: nvme_process_completion() fix bound for cid
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (6 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 07/12] mc146818rtc: rtc_set_time(): initialize tm to zeroes Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 09/12] hw/core/loader: gunzip(): initialize z_stream Peter Maydell
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

NVMeQueuePair::reqs has length NVME_NUM_REQS, which is less than
NVME_QUEUE_SIZE by 1.

Fixes: 1086e95da17050 ("block/nvme: switch to a NVMeRequest freelist")
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-5-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 block/nvme.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/block/nvme.c b/block/nvme.c
index 96b3f8f2fa1..0a0a0a6b36c 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -417,9 +417,10 @@ static bool nvme_process_completion(NVMeQueuePair *q)
             q->cq_phase = !q->cq_phase;
         }
         cid = le16_to_cpu(c->cid);
-        if (cid == 0 || cid > NVME_QUEUE_SIZE) {
-            warn_report("NVMe: Unexpected CID in completion queue: %"PRIu32", "
-                        "queue size: %u", cid, NVME_QUEUE_SIZE);
+        if (cid == 0 || cid > NVME_NUM_REQS) {
+            warn_report("NVMe: Unexpected CID in completion queue: %" PRIu32
+                        ", should be within: 1..%u inclusively", cid,
+                        NVME_NUM_REQS);
             continue;
         }
         trace_nvme_complete_command(s, q->index, cid);
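
Review bot: the bound in the cid check is still a constant kept separately
from the array it protects. The commit message says NVMeQueuePair::reqs has
length NVME_NUM_REQS; testing against ARRAY_SIZE(q->reqs) instead would keep
the check from drifting away from the array size a second time, which
matters because cid is read from the completion queue entry (c->cid) and is
therefore supplied by the device.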
-- 
2.34.1




* [PULL 09/12] hw/core/loader: gunzip(): initialize z_stream
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (7 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 08/12] block/nvme: nvme_process_completion() fix bound for cid Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 10/12] io/channel-socket: qio_channel_socket_flush(): improve msg validation Peter Maydell
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Coverity signals that variable as being used uninitialized. And really,
when working with external APIs it's better to zero out the structure
where we set some fields by hand.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-6-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/core/loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index 4dd5a71fb79..b7bb44b7f7c 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -558,7 +558,7 @@ static void zfree(void *x, void *addr)
 
 ssize_t gunzip(void *dst, size_t dstlen, uint8_t *src, size_t srclen)
 {
-    z_stream s;
+    z_stream s = {};
     ssize_t dstbytes;
     int r, i, flags;
 
-- 
2.34.1




* [PULL 10/12] io/channel-socket: qio_channel_socket_flush(): improve msg validation
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (8 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 09/12] hw/core/loader: gunzip(): initialize z_stream Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 11/12] hw/arm/vexpress-a9: Remove useless mapping of RAM at address 0 Peter Maydell
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

For SO_EE_ORIGIN_ZEROCOPY the 32-bit notification range is encoded
as [ee_info, ee_data] inclusively, so ee_info should be less than or
equal to ee_data.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Maksim Davydov <davydov-max@yandex-team.ru>
Message-id: 20231017125941.810461-7-vsementsov@yandex-team.ru
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 io/channel-socket.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/io/channel-socket.c b/io/channel-socket.c
index 02ffb51e995..3a899b06085 100644
--- a/io/channel-socket.c
+++ b/io/channel-socket.c
@@ -782,6 +782,11 @@ static int qio_channel_socket_flush(QIOChannel *ioc,
                              "Error not from zero copy");
             return -1;
         }
+        if (serr->ee_data < serr->ee_info) {
+            error_setg_errno(errp, serr->ee_origin,
+                             "Wrong notification bounds");
+            return -1;
+        }
 
         /* No errors, count successfully finished sendmsg()*/
         sioc->zero_copy_sent += serr->ee_data - serr->ee_info + 1;
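
Review bot: the new error path passes serr->ee_origin as the second argument
of error_setg_errno(), which is the errno slot, but ee_origin is an origin
code (the commit message names SO_EE_ORIGIN_ZEROCOPY) and not an errno
value, so the error string appended to "Wrong notification bounds" will be
unrelated to the failure. Use error_setg() here, and include ee_info and
ee_data in the message so the rejected range is visible in logs.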
-- 
2.34.1




* [PULL 11/12] hw/arm/vexpress-a9: Remove useless mapping of RAM at address 0
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (9 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 10/12] io/channel-socket: qio_channel_socket_flush(): improve msg validation Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-06 15:32 ` [PULL 12/12] target/arm: Fix A64 LDRA immediate decode Peter Maydell
  2023-11-07  3:02 ` [PULL 00/12] target-arm queue Stefan Hajnoczi
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

On the vexpress-a9 board we try to map both RAM and flash to address 0,
as seen in "info mtree":

address-space: memory
  0000000000000000-ffffffffffffffff (prio 0, i/o): system
    0000000000000000-0000000003ffffff (prio 0, romd): alias vexpress.flashalias @vexpress.flash0 0000000000000000-0000000003ffffff
    0000000000000000-0000000003ffffff (prio 0, ram): alias vexpress.lowmem @vexpress.highmem 0000000000000000-0000000003ffffff
    0000000010000000-0000000010000fff (prio 0, i/o): arm-sysctl
    0000000010004000-0000000010004fff (prio 0, i/o): pl041
(etc)

The flash "wins" and the RAM mapping is useless (but also harmless).

This happened as a result of commit 6ec1588e in 2014, which changed
"we always map the RAM to the low addresses for vexpress-a9" to "we
always map flash in the low addresses", but forgot to stop mapping
the RAM.

In real hardware, this low part of memory is remappable, both at
runtime by the guest writing to a control register, and configurably
as to what you get out of reset -- you can have the first flash
device, or the second, or the DDR2 RAM, or the external AXI bus
(which for QEMU means "nothing there").  In an ideal world we would
support that remapping both at runtime and via a machine property to
select the out-of-reset behaviour.

Pending anybody caring enough to implement the full remapping
behaviour:
 * remove the useless mapped-but-inaccessible lowram MR
 * document that QEMU doesn't support remapping of low memory

Fixes: 6ec1588e ("hw/arm/vexpress: Alias NOR flash at 0 for vexpress-a9")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1761
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20231103185602.875849-1-peter.maydell@linaro.org
---
 docs/system/arm/vexpress.rst |  3 +++
 hw/arm/vexpress.c            | 14 +++-----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/docs/system/arm/vexpress.rst b/docs/system/arm/vexpress.rst
index 3e3839e9231..38f29c73e71 100644
--- a/docs/system/arm/vexpress.rst
+++ b/docs/system/arm/vexpress.rst
@@ -58,6 +58,9 @@ Other differences between the hardware and the QEMU model:
   ``vexpress-a15``, and have IRQs from 40 upwards. If a dtb is
   provided on the command line then QEMU will edit it to include
   suitable entries describing these transports for the guest.
+- QEMU does not currently support either dynamic or static remapping
+  of the area of memory at address 0: it is always mapped to alias
+  the first flash bank
 
 Booting a Linux kernel
 ----------------------
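
Review bot: the bullet added to vexpress.rst ends without a full stop
("the first flash bank"), while the bullet before it ends with one
("for the guest."). Add the period for consistency.
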
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index 8ff37f52ca1..c08ea34e924 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -177,7 +177,6 @@ struct VexpressMachineState {
     MemoryRegion vram;
     MemoryRegion sram;
     MemoryRegion flashalias;
-    MemoryRegion lowram;
     MemoryRegion a15sram;
     bool secure;
     bool virt;
@@ -276,7 +275,6 @@ static void a9_daughterboard_init(VexpressMachineState *vms,
 {
     MachineState *machine = MACHINE(vms);
     MemoryRegion *sysmem = get_system_memory();
-    ram_addr_t low_ram_size;
 
     if (ram_size > 0x40000000) {
         /* 1GB is the maximum the address space permits */
@@ -284,17 +282,11 @@ static void a9_daughterboard_init(VexpressMachineState *vms,
         exit(1);
     }
 
-    low_ram_size = ram_size;
-    if (low_ram_size > 0x4000000) {
-        low_ram_size = 0x4000000;
-    }
-    /* RAM is from 0x60000000 upwards. The bottom 64MB of the
+    /*
+     * RAM is from 0x60000000 upwards. The bottom 64MB of the
      * address space should in theory be remappable to various
-     * things including ROM or RAM; we always map the RAM there.
+     * things including ROM or RAM; we always map the flash there.
      */
-    memory_region_init_alias(&vms->lowram, NULL, "vexpress.lowmem",
-                             machine->ram, 0, low_ram_size);
-    memory_region_add_subregion(sysmem, 0x0, &vms->lowram);
     memory_region_add_subregion(sysmem, 0x60000000, machine->ram);
 
     /* 0x1e000000 A9MPCore (SCU) private memory region */
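Review bot: the reworded comment now ends "we always map the flash there", but the only statement left under it maps machine->ram at 0x60000000, and nothing in the visible lines of this function maps anything at address 0. Keep the "RAM is from 0x60000000 upwards" sentence with the add_subregion call and move the address-0 sentence next to wherever flashalias is mapped, or say in the comment where that mapping is done.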
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PULL 12/12] target/arm: Fix A64 LDRA immediate decode
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (10 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 11/12] hw/arm/vexpress-a9: Remove useless mapping of RAM at address 0 Peter Maydell
@ 2023-11-06 15:32 ` Peter Maydell
  2023-11-07  3:02 ` [PULL 00/12] target-arm queue Stefan Hajnoczi
  12 siblings, 0 replies; 27+ messages in thread
From: Peter Maydell @ 2023-11-06 15:32 UTC (permalink / raw)
  To: qemu-devel

In commit be23a049 in the conversion to decodetree we broke the
decoding of the immediate value in the LDRA instruction.  This should
be a 10 bit signed value that is scaled by 8, but in the conversion
we incorrectly ended up scaling it only by 2.  Fix the scaling
factor.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1970
Fixes: be23a049 ("target/arm: Convert load (pointer auth) insns to decodetree")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20231106113445.1163063-1-peter.maydell@linaro.org
---
 target/arm/tcg/translate.h | 5 +++++
 target/arm/tcg/a64.decode  | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index 9efe00cf6ca..3c3bb3431ad 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -205,6 +205,11 @@ static inline int times_4(DisasContext *s, int x)
     return x * 4;
 }
 
+static inline int times_8(DisasContext *s, int x)
+{
+    return x * 8;
+}
+
 static inline int times_2_plus_1(DisasContext *s, int x)
 {
     return x * 2 + 1;
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index 0cf11470741..8a20dce3c8f 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -462,7 +462,7 @@ LDAPR           sz:2 111 0 00 1 0 1 11111 1100 00 rn:5 rt:5
 # Load/store register (pointer authentication)
 
 # LDRA immediate is 10 bits signed and scaled, but the bits aren't all contiguous
-%ldra_imm       22:s1 12:9 !function=times_2
+%ldra_imm       22:s1 12:9 !function=times_8
 
 LDRA            11 111 0 00 m:1 . 1 ......... w:1 1 rn:5 rt:5 imm=%ldra_imm
 
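Review bot: the comment above %ldra_imm still says only "10 bits signed and scaled" and does not give the factor, which is exactly the detail that regressed. Say "scaled by 8" there so the next conversion has something to check against. The diffstat also shows no test change; a tcg test that executes an LDRA with a non-zero immediate would cover the scale.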
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 27+ messages in thread
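The immediate decode described in the commit message above, worked through as an added example (not part of the patch or of QEMU's code). The helper names and the sample encodings are constructed for illustration; the field positions and fixed bits are read off the %ldra_imm and LDRA pattern lines in the hunk.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsigned field: 'len' bits of 'insn' starting at bit 'pos' (len < 32). */
static uint32_t field_u(uint32_t insn, int pos, int len)
{
    return (insn >> pos) & ((1u << len) - 1);
}

/* Same field, sign-extended from its top bit. */
static int32_t field_s(uint32_t insn, int pos, int len)
{
    int32_t v = (int32_t)field_u(insn, pos, len);
    int32_t sign = (int32_t)1 << (len - 1);
    return (v ^ sign) - sign;
}

/* "22:s1 12:9": signed bit 22 concatenated above the 9 bits at 20:12. */
static int ldra_imm_raw(uint32_t insn)
{
    return field_s(insn, 22, 1) * 512 + (int)field_u(insn, 12, 9);
}

/* Byte offset for a given scale: 8 is the fix, 2 the regressed value. */
static int ldra_offset(uint32_t insn, int scale)
{
    return ldra_imm_raw(insn) * scale;
}

/* Constructed encoder for sample words, following the LDRA pattern line:
 * fixed bits 0xF8200400, m=23, S=22, imm9=20:12, w=11, rn=9:5, rt=4:0. */
static uint32_t ldra_encode(int m, int s, uint32_t imm9, int w, int rn, int rt)
{
    return 0xF8200400u | ((uint32_t)m << 23) | ((uint32_t)s << 22) |
           ((imm9 & 0x1FF) << 12) | ((uint32_t)w << 11) |
           ((uint32_t)rn << 5) | (uint32_t)rt;
}

int main(void)
{
    /* Constructed samples: {S, imm9} pairs covering both signs and extremes. */
    static const int samples[][2] = { {0, 1}, {0, 511}, {1, 511}, {1, 0} };
    for (int i = 0; i < 4; i++) {
        uint32_t insn = ldra_encode(0, samples[i][0], (uint32_t)samples[i][1], 0, 1, 0);
        printf("0x%08x raw=%5d x8=%6d x2=%6d\n", (unsigned)insn,
               ldra_imm_raw(insn), ldra_offset(insn, 8), ldra_offset(insn, 2));
    }
    return 0;
}
```

With the regressed scale every offset is a quarter of the intended one, so a guest load reads from the wrong address without faulting in the decoder.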

* Re: [PULL 00/12] target-arm queue
  2023-11-06 15:32 [PULL 00/12] target-arm queue Peter Maydell
                   ` (11 preceding siblings ...)
  2023-11-06 15:32 ` [PULL 12/12] target/arm: Fix A64 LDRA immediate decode Peter Maydell
@ 2023-11-07  3:02 ` Stefan Hajnoczi
  12 siblings, 0 replies; 27+ messages in thread
From: Stefan Hajnoczi @ 2023-11-07  3:02 UTC (permalink / raw)
  To: Peter Maydell; +Cc: qemu-devel

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.2 for any user-visible changes.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* [PULL 00/12] target-arm queue
@ 2025-02-10 15:49 Peter Maydell
  2025-02-11  2:37 ` Stefan Hajnoczi
  0 siblings, 1 reply; 27+ messages in thread
From: Peter Maydell @ 2025-02-10 15:49 UTC (permalink / raw)
  To: qemu-devel

The following changes since commit 131c58469f6fb68c89b38fee6aba8bbb20c7f4bf:

  rust: add --rust-target option for bindgen (2025-02-06 13:51:46 -0500)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250210

for you to fetch changes up to 27a8d899c7a100fd5aa040a8b993bb257687c393:

  linux-user: Do not define struct sched_attr if libc headers do (2025-02-07 16:09:20 +0000)

----------------------------------------------------------------
target-arm queue:
 * Deprecate pxa2xx CPUs, iwMMXt emulation, -old-param option
 * Drop unused AArch64DecodeTable typedefs
 * Minor code cleanups
 * hw/net/cadence_gem:  Fix the mask/compare/disable-mask logic
 * linux-user: Do not define struct sched_attr if libc headers do

----------------------------------------------------------------
Andrew Yuan (1):
      hw/net/cadence_gem:  Fix the mask/compare/disable-mask logic

Khem Raj (1):
      linux-user: Do not define struct sched_attr if libc headers do

Peter Maydell (4):
      target/arm: deprecate the pxa2xx CPUs and iwMMXt emulation
      tests/tcg/arm: Remove test-arm-iwmmxt test
      target/arm: Drop unused AArch64DecodeTable typedefs
      qemu-options: Deprecate -old-param command line option

Philippe Mathieu-Daudé (6):
      hw/arm/boot: Propagate vCPU to arm_load_dtb()
      hw/arm/fsl-imx6: Add local 'mpcore/gic' variables
      hw/arm/fsl-imx6ul: Add local 'mpcore/gic' variables
      hw/arm/fsl-imx7: Add local 'mpcore/gic' variables
      hw/cpu/arm: Alias 'num-cpu' property on TYPE_REALVIEW_MPCORE
      hw/cpu/arm: Declare CPU QOM types using DEFINE_TYPES() macro

 docs/about/deprecated.rst       | 34 ++++++++++++++++++++++
 include/hw/arm/boot.h           |  4 ++-
 target/arm/cpu.h                |  1 +
 hw/arm/boot.c                   | 11 +++----
 hw/arm/fsl-imx6.c               | 52 ++++++++++++++-------------------
 hw/arm/fsl-imx6ul.c             | 64 +++++++++++++++++------------------------
 hw/arm/fsl-imx7.c               | 52 +++++++++++++++------------------
 hw/arm/virt.c                   |  2 +-
 hw/cpu/a15mpcore.c              | 21 ++++++--------
 hw/cpu/a9mpcore.c               | 21 ++++++--------
 hw/cpu/arm11mpcore.c            | 21 ++++++--------
 hw/cpu/realview_mpcore.c        | 29 +++++++------------
 hw/net/cadence_gem.c            | 26 +++++++++++++----
 linux-user/syscall.c            |  4 ++-
 system/vl.c                     |  1 +
 target/arm/cpu.c                |  3 ++
 target/arm/tcg/cpu32.c          | 36 +++++++++++++++--------
 target/arm/tcg/translate-a64.c  | 11 -------
 tests/tcg/arm/Makefile.target   |  7 -----
 tests/tcg/arm/README            |  5 ----
 tests/tcg/arm/test-arm-iwmmxt.S | 49 -------------------------------
 21 files changed, 205 insertions(+), 249 deletions(-)
 delete mode 100644 tests/tcg/arm/test-arm-iwmmxt.S


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PULL 00/12] target-arm queue
  2025-02-10 15:49 Peter Maydell
@ 2025-02-11  2:37 ` Stefan Hajnoczi
  0 siblings, 0 replies; 27+ messages in thread
From: Stefan Hajnoczi @ 2025-02-11  2:37 UTC (permalink / raw)
  To: Peter Maydell; +Cc: qemu-devel

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/10.0 for any user-visible changes.

^ permalink raw reply	[flat|nested] 27+ messages in thread
