* [PULL 00/21] target-arm queue
@ 2024-07-30 9:39 Peter Maydell
From: Peter Maydell @ 2024-07-30 9:39 UTC
To: qemu-devel
Arm pullreq: these are all bugfixes. I've included a handful
of my fixes for various non-arm minor Coverity issues too.
thanks
-- PMM
The following changes since commit 93b799fafd9170da3a79a533ea6f73a18de82e22:
Merge tag 'pull-ppc-for-9.1-2-20240726-1' of https://gitlab.com/npiggin/qemu into staging (2024-07-26 15:10:45 +1000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240730
for you to fetch changes up to 73188068d7ba40c8a37b4763db38bb1ce24ca07d:
system/physmem: Where we assume we have a RAM MR, assert it (2024-07-29 17:03:35 +0100)
----------------------------------------------------------------
target-arm queue:
* hw/char/bcm2835_aux: Fix assert when receive FIFO fills up
* hw/arm/smmuv3: Assert input to oas2bits() is valid
* target/arm/kvm: Set PMU for host only when available
* target/arm/kvm: Do not silently remove PMU
* hvf: arm: Properly disable PMU
* hvf: arm: Do not advance PC when raising an exception
* hw/misc/bcm2835_property: several minor bugfixes
* target/arm: Don't assert for 128-bit tile accesses when SVL is 128
* target/arm: Fix UMOPA/UMOPS of 16-bit values
* target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled
* system/physmem: Where we assume we have a RAM MR, assert it
* sh4, i386, m68k, xtensa, tricore, arm: fix minor Coverity issues
----------------------------------------------------------------
Akihiko Odaki (5):
target/arm/kvm: Set PMU for host only when available
target/arm/kvm: Do not silently remove PMU
hvf: arm: Raise an exception for sysreg by default
hvf: arm: Properly disable PMU
hvf: arm: Do not advance PC when raising an exception
Frederik van Hövell (1):
hw/char/bcm2835_aux: Fix assert when receive FIFO fills up
Mostafa Saleh (1):
hw/arm/smmuv3: Assert input to oas2bits() is valid
Peter Maydell (14):
hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE
hw/misc/bcm2835_property: Avoid overflow in OTP access properties
hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row
hw/misc/bcm2835_property: Reduce scope of variables in mbox push function
target/arm: Don't assert for 128-bit tile accesses when SVL is 128
target/arm: Fix UMOPA/UMOPS of 16-bit values
target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl()
target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled
target/tricore: Use unsigned types for bitops in helper_eq_b()
target/xtensa: Make use of 'segment' in pptlb helper less confusing
target/m68k: avoid shift into sign bit in dump_address_map()
target/i386: Remove dead assignment to ss in do_interrupt64()
target/sh4: Avoid shift into sign bit in update_itlb_use()
system/physmem: Where we assume we have a RAM MR, assert it
hw/arm/smmuv3-internal.h | 3 +-
hw/char/bcm2835_aux.c | 2 +-
hw/misc/bcm2835_property.c | 91 +++++++------
system/physmem.c | 18 ++-
target/arm/helper.c | 2 +-
target/arm/hvf/hvf.c | 302 +++++++++++++++++++++--------------------
target/arm/kvm.c | 7 +-
target/arm/tcg/sme_helper.c | 8 +-
target/arm/tcg/translate-sme.c | 10 +-
target/arm/tcg/translate-sve.c | 18 ++-
target/i386/tcg/seg_helper.c | 5 +-
target/m68k/helper.c | 7 +-
target/sh4/helper.c | 2 +-
target/tricore/op_helper.c | 4 +-
target/xtensa/mmu_helper.c | 4 +-
15 files changed, 262 insertions(+), 221 deletions(-)
^ permalink raw reply [flat|nested] 45+ messages in thread* [PULL 01/21] hw/char/bcm2835_aux: Fix assert when receive FIFO fills up 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 02/21] hw/arm/smmuv3: Assert input to oas2bits() is valid Peter Maydell ` (20 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Frederik van Hövell <frederik@fvhovell.nl> When a bare-metal application on the raspi3 board reads the AUX_MU_STAT_REG MMIO register while the device's buffer is at full receive FIFO capacity (i.e. `s->read_count == BCM2835_AUX_RX_FIFO_LEN`) the assertion `assert(s->read_count < BCM2835_AUX_RX_FIFO_LEN)` fails. Reported-by: Cryptjar <cryptjar@junk.studio> Suggested-by: Cryptjar <cryptjar@junk.studio> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/459 Signed-off-by: Frederik van Hövell <frederik@fvhovell.nl> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> [PMM: commit message tweaks] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/char/bcm2835_aux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c index 83990e20f76..fca2f27a553 100644 --- a/hw/char/bcm2835_aux.c +++ b/hw/char/bcm2835_aux.c @@ -138,7 +138,7 @@ static uint64_t bcm2835_aux_read(void *opaque, hwaddr offset, unsigned size) res = 0x30e; /* space in the output buffer, empty tx fifo, idle tx/rx */ if (s->read_count > 0) { res |= 0x1; /* data in input buffer */ - assert(s->read_count < BCM2835_AUX_RX_FIFO_LEN); + assert(s->read_count <= BCM2835_AUX_RX_FIFO_LEN); res |= ((uint32_t)s->read_count) << 16; /* rx fifo fill level */ } return res; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
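Review bot: The relaxed `assert(s->read_count <= BCM2835_AUX_RX_FIFO_LEN)` in bcm2835_aux_read() still sits on a path the guest reaches with a plain MMIO read of the status register, so if read_count could ever exceed the FIFO length by some other route, QEMU would again abort on guest input. The bound is best enforced where read_count is incremented (not shown in this hunk), and a short comment here saying that a completely full FIFO is a legal state would make the off-by-one less likely to return. It is also worth confirming that the fill-level field written by `((uint32_t)s->read_count) << 16` is wide enough to hold the value BCM2835_AUX_RX_FIFO_LEN itself, since that value was previously excluded. A qtest that fills the receive FIFO and then reads AUX_MU_STAT_REG would pin the behaviour down.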
* [PULL 02/21] hw/arm/smmuv3: Assert input to oas2bits() is valid 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell 2024-07-30 9:40 ` [PULL 01/21] hw/char/bcm2835_aux: Fix assert when receive FIFO fills up Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 03/21] target/arm/kvm: Set PMU for host only when available Peter Maydell ` (19 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Mostafa Saleh <smostafa@google.com> Coverity has spotted a possible problem with the OAS handling (CID 1558464), where the error return of oas2bits() -1 is not checked, which can cause an overflow in oas value. oas2bits() is only called with valid inputs, harden the function to assert that. Reported-By: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Mostafa Saleh <smostafa@google.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Eric Auger <eric.auger@redhat.com> Message-id: 20240722103531.2377348-1-smostafa@google.com Link: https://lore.kernel.org/qemu-devel/CAFEAcA-H=n-3mHC+eL6YjfL1m+x+b+Fk3mkgZbN74WNxifFVow@mail.gmail.com/ Signed-off-by: Mostafa Saleh <smostafa@google.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/smmuv3-internal.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h index 0ebf2eebcff..b6b7399347f 100644 --- a/hw/arm/smmuv3-internal.h +++ b/hw/arm/smmuv3-internal.h @@ -599,7 +599,8 @@ static inline int oas2bits(int oas_field) case 5: return 48; } - return -1; + + g_assert_not_reached(); } /* CD fields */ -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
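Review bot: Replacing `return -1;` with `g_assert_not_reached();` at the end of oas2bits() turns any out-of-range oas_field into a QEMU abort, and the hunk gives no way to check the commit message's claim that every caller passes a valid value. If any caller derives oas_field from a guest-written structure without clamping it first, this becomes a guest-triggerable abort rather than a hardening. A comment above the function naming where the field is validated would help, and putting the assertion in a `default:` case inside the switch would keep it next to the values it covers instead of after the closing brace.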
* [PULL 03/21] target/arm/kvm: Set PMU for host only when available 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell 2024-07-30 9:40 ` [PULL 01/21] hw/char/bcm2835_aux: Fix assert when receive FIFO fills up Peter Maydell 2024-07-30 9:40 ` [PULL 02/21] hw/arm/smmuv3: Assert input to oas2bits() is valid Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 04/21] target/arm/kvm: Do not silently remove PMU Peter Maydell ` (18 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Akihiko Odaki <akihiko.odaki@daynix.com> target/arm/kvm.c checked PMU availability but unconditionally set the PMU feature flag for the host CPU model, which is confusing. Set the feature flag only when available. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/kvm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/kvm.c b/target/arm/kvm.c index 70f79eda33c..b20a35052f4 100644 --- a/target/arm/kvm.c +++ b/target/arm/kvm.c @@ -280,6 +280,7 @@ static bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf) if (kvm_arm_pmu_supported()) { init.features[0] |= 1 << KVM_ARM_VCPU_PMU_V3; pmu_supported = true; + features |= 1ULL << ARM_FEATURE_PMU; } if (!kvm_arm_create_scratch_host_vcpu(cpus_to_try, fdarray, &init)) { @@ -448,7 +449,6 @@ static bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf) features |= 1ULL << ARM_FEATURE_V8; features |= 1ULL << ARM_FEATURE_NEON; features |= 1ULL << ARM_FEATURE_AARCH64; - features |= 1ULL << ARM_FEATURE_PMU; features |= 1ULL << ARM_FEATURE_GENERIC_TIMER; ahcf->features = features; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
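Review bot: In the first hunk of kvm_arm_get_host_cpu_features(), `features |= 1ULL << ARM_FEATURE_PMU;` now sits roughly 170 lines ahead of the block that sets the other ARM_FEATURE_* bits, so it only survives if nothing in between assigns `features` (that code is not visible in the diff). The function already records the probe result in `pmu_supported`; setting the bit at the second hunk's location as `if (pmu_supported) { features |= 1ULL << ARM_FEATURE_PMU; }` would keep every feature bit in one place and remove the ordering dependency.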
* [PULL 04/21] target/arm/kvm: Do not silently remove PMU 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (2 preceding siblings ...) 2024-07-30 9:40 ` [PULL 03/21] target/arm/kvm: Set PMU for host only when available Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 05/21] hvf: arm: Raise an exception for sysreg by default Peter Maydell ` (17 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Akihiko Odaki <akihiko.odaki@daynix.com> kvm_arch_init_vcpu() used to remove PMU when it is not available even if the CPU model needs one. It is semantically incorrect, and may continue execution on a misbehaving host that advertises a CPU model while lacking its PMU. Keep the PMU when the CPU model needs one, and let kvm_arm_vcpu_init() fail if the KVM implementation mismatches with our expectation. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/kvm.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/target/arm/kvm.c b/target/arm/kvm.c index b20a35052f4..849e2e21b30 100644 --- a/target/arm/kvm.c +++ b/target/arm/kvm.c @@ -1888,13 +1888,8 @@ int kvm_arch_init_vcpu(CPUState *cs) if (!arm_feature(env, ARM_FEATURE_AARCH64)) { cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_EL1_32BIT; } - if (!kvm_check_extension(cs->kvm_state, KVM_CAP_ARM_PMU_V3)) { - cpu->has_pmu = false; - } if (cpu->has_pmu) { cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PMU_V3; - } else { - env->features &= ~(1ULL << ARM_FEATURE_PMU); } if (cpu_isar_feature(aa64_sve, cpu)) { assert(kvm_arm_sve_supported()); -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
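Review bot: Dropping the `else` branch in kvm_arch_init_vcpu() means `env->features &= ~(1ULL << ARM_FEATURE_PMU);` no longer runs when cpu->has_pmu is false, so a CPU whose PMU was turned off keeps the feature bit unless it is cleared elsewhere (not visible in this hunk); please confirm where that now happens. Separately, with the `kvm_check_extension(cs->kvm_state, KVM_CAP_ARM_PMU_V3)` test gone, a host without PMU support is reported only through whatever error kvm_arm_vcpu_init() produces, as the commit message intends. An explicit error message naming the missing PMU capability at this point would make that failure much easier to diagnose.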
* [PULL 05/21] hvf: arm: Raise an exception for sysreg by default 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (3 preceding siblings ...) 2024-07-30 9:40 ` [PULL 04/21] target/arm/kvm: Do not silently remove PMU Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-08-02 7:51 ` Richard Henderson 2024-07-30 9:40 ` [PULL 06/21] hvf: arm: Properly disable PMU Peter Maydell ` (16 subsequent siblings) 21 siblings, 1 reply; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Akihiko Odaki <akihiko.odaki@daynix.com> Any sysreg access results in an exception unless defined otherwise so we should raise an exception by default. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/hvf/hvf.c | 174 +++++++++++++++++++++---------------------- 1 file changed, 85 insertions(+), 89 deletions(-) diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c index eb090e67a2f..1a749534fb0 100644 --- a/target/arm/hvf/hvf.c +++ b/target/arm/hvf/hvf.c 
@@ -1199,57 +1199,56 @@ static bool hvf_sysreg_read_cp(CPUState *cpu, uint32_t reg, uint64_t *val) return false; } -static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) +static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint64_t *val) { ARMCPU *arm_cpu = ARM_CPU(cpu); CPUARMState *env = &arm_cpu->env; - uint64_t val = 0; switch (reg) { case SYSREG_CNTPCT_EL0: - val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / + *val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(arm_cpu); - break; + return 0; case SYSREG_PMCR_EL0: - val = env->cp15.c9_pmcr; - break; + *val = env->cp15.c9_pmcr; + return 0; case SYSREG_PMCCNTR_EL0: pmu_op_start(env); - val = env->cp15.c15_ccnt; + *val = env->cp15.c15_ccnt; pmu_op_finish(env); - break; + return 0; case SYSREG_PMCNTENCLR_EL0: - val = env->cp15.c9_pmcnten; - break; + *val = env->cp15.c9_pmcnten; + return 0; case SYSREG_PMOVSCLR_EL0: - val = env->cp15.c9_pmovsr; - break; + *val = env->cp15.c9_pmovsr; + return 0; case SYSREG_PMSELR_EL0: - val = env->cp15.c9_pmselr; - break; + *val = env->cp15.c9_pmselr; + return 0; case SYSREG_PMINTENCLR_EL1: - val = env->cp15.c9_pminten; - break; + *val = env->cp15.c9_pminten; + return 0; case SYSREG_PMCCFILTR_EL0: - val = env->cp15.pmccfiltr_el0; - break; + *val = env->cp15.pmccfiltr_el0; + return 0; case SYSREG_PMCNTENSET_EL0: - val = env->cp15.c9_pmcnten; - break; + *val = env->cp15.c9_pmcnten; + return 0; case SYSREG_PMUSERENR_EL0: - val = env->cp15.c9_pmuserenr; - break; + *val = env->cp15.c9_pmuserenr; + return 0; case SYSREG_PMCEID0_EL0: case SYSREG_PMCEID1_EL0: /* We can't really count anything yet, declare all events invalid */ - val = 0; - break; + *val = 0; + return 0; case SYSREG_OSLSR_EL1: - val = env->cp15.oslsr_el1; - break; + *val = env->cp15.oslsr_el1; + return 0; case SYSREG_OSDLR_EL1: /* Dummy register */ - break; + return 0; case SYSREG_ICC_AP0R0_EL1: case SYSREG_ICC_AP0R1_EL1: case SYSREG_ICC_AP0R2_EL1: 
@@ -1276,9 +1275,8 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) case SYSREG_ICC_SRE_EL1: case SYSREG_ICC_CTLR_EL1: /* Call the TCG sysreg handler. This is only safe for GICv3 regs. */ - if (!hvf_sysreg_read_cp(cpu, reg, &val)) { - hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); - return 1; + if (hvf_sysreg_read_cp(cpu, reg, &val)) { + return 0; } break; case SYSREG_DBGBVR0_EL1: @@ -1297,8 +1295,8 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) case SYSREG_DBGBVR13_EL1: case SYSREG_DBGBVR14_EL1: case SYSREG_DBGBVR15_EL1: - val = env->cp15.dbgbvr[SYSREG_CRM(reg)]; - break; + *val = env->cp15.dbgbvr[SYSREG_CRM(reg)]; + return 0; case SYSREG_DBGBCR0_EL1: case SYSREG_DBGBCR1_EL1: case SYSREG_DBGBCR2_EL1: @@ -1315,8 +1313,8 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) case SYSREG_DBGBCR13_EL1: case SYSREG_DBGBCR14_EL1: case SYSREG_DBGBCR15_EL1: - val = env->cp15.dbgbcr[SYSREG_CRM(reg)]; - break; + *val = env->cp15.dbgbcr[SYSREG_CRM(reg)]; + return 0; case SYSREG_DBGWVR0_EL1: case SYSREG_DBGWVR1_EL1: case SYSREG_DBGWVR2_EL1: @@ -1333,8 +1331,8 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) case SYSREG_DBGWVR13_EL1: case SYSREG_DBGWVR14_EL1: case SYSREG_DBGWVR15_EL1: - val = env->cp15.dbgwvr[SYSREG_CRM(reg)]; - break; + *val = env->cp15.dbgwvr[SYSREG_CRM(reg)]; + return 0; case SYSREG_DBGWCR0_EL1: case SYSREG_DBGWCR1_EL1: case SYSREG_DBGWCR2_EL1: 
@@ -1351,35 +1349,25 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt) case SYSREG_DBGWCR13_EL1: case SYSREG_DBGWCR14_EL1: case SYSREG_DBGWCR15_EL1: - val = env->cp15.dbgwcr[SYSREG_CRM(reg)]; - break; + *val = env->cp15.dbgwcr[SYSREG_CRM(reg)]; + return 0; default: if (is_id_sysreg(reg)) { /* ID system registers read as RES0 */ - val = 0; - break; + *val = 0; + return 0; } - cpu_synchronize_state(cpu); - trace_hvf_unhandled_sysreg_read(env->pc, reg, - SYSREG_OP0(reg), - SYSREG_OP1(reg), - SYSREG_CRN(reg), - SYSREG_CRM(reg), - SYSREG_OP2(reg)); - hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); - return 1; } - trace_hvf_sysreg_read(reg, - SYSREG_OP0(reg), - SYSREG_OP1(reg), - SYSREG_CRN(reg), - SYSREG_CRM(reg), - SYSREG_OP2(reg), - val); - hvf_set_reg(cpu, rt, val); - - return 0; + cpu_synchronize_state(cpu); + trace_hvf_unhandled_sysreg_read(env->pc, reg, + SYSREG_OP0(reg), + SYSREG_OP1(reg), + SYSREG_CRN(reg), + SYSREG_CRM(reg), + SYSREG_OP2(reg)); + hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); + return 1; } static void pmu_update_irq(CPUARMState *env) @@ -1503,7 +1491,7 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) pmu_op_start(env); env->cp15.c15_ccnt = val; pmu_op_finish(env); - break; + return 0; case SYSREG_PMCR_EL0: pmu_op_start(env); 
@@ -1523,45 +1511,45 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) env->cp15.c9_pmcr |= (val & PMCR_WRITABLE_MASK); pmu_op_finish(env); - break; + return 0; case SYSREG_PMUSERENR_EL0: env->cp15.c9_pmuserenr = val & 0xf; - break; + return 0; case SYSREG_PMCNTENSET_EL0: env->cp15.c9_pmcnten |= (val & pmu_counter_mask(env)); - break; + return 0; case SYSREG_PMCNTENCLR_EL0: env->cp15.c9_pmcnten &= ~(val & pmu_counter_mask(env)); - break; + return 0; case SYSREG_PMINTENCLR_EL1: pmu_op_start(env); env->cp15.c9_pminten |= val; pmu_op_finish(env); - break; + return 0; case SYSREG_PMOVSCLR_EL0: pmu_op_start(env); env->cp15.c9_pmovsr &= ~val; pmu_op_finish(env); - break; + return 0; case SYSREG_PMSWINC_EL0: pmu_op_start(env); pmswinc_write(env, val); pmu_op_finish(env); - break; + return 0; case SYSREG_PMSELR_EL0: env->cp15.c9_pmselr = val & 0x1f; - break; + return 0; case SYSREG_PMCCFILTR_EL0: pmu_op_start(env); env->cp15.pmccfiltr_el0 = val & PMCCFILTR_EL0; pmu_op_finish(env); - break; + return 0; case SYSREG_OSLAR_EL1: env->cp15.oslsr_el1 = val & 1; - break; + return 0; case SYSREG_OSDLR_EL1: /* Dummy register */ - break; + return 0; case SYSREG_ICC_AP0R0_EL1: case SYSREG_ICC_AP0R1_EL1: case SYSREG_ICC_AP0R2_EL1: @@ -1591,10 +1579,10 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) if (!hvf_sysreg_write_cp(cpu, reg, val)) { hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); } - break; + return 0; case SYSREG_MDSCR_EL1: env->cp15.mdscr_el1 = val; - break; + return 0; case SYSREG_DBGBVR0_EL1: case SYSREG_DBGBVR1_EL1: case SYSREG_DBGBVR2_EL1: @@ -1612,7 +1600,7 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) case SYSREG_DBGBVR14_EL1: case SYSREG_DBGBVR15_EL1: env->cp15.dbgbvr[SYSREG_CRM(reg)] = val; - break; + return 0; case SYSREG_DBGBCR0_EL1: case SYSREG_DBGBCR1_EL1: case SYSREG_DBGBCR2_EL1: 
@@ -1630,7 +1618,7 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) case SYSREG_DBGBCR14_EL1: case SYSREG_DBGBCR15_EL1: env->cp15.dbgbcr[SYSREG_CRM(reg)] = val; - break; + return 0; case SYSREG_DBGWVR0_EL1: case SYSREG_DBGWVR1_EL1: case SYSREG_DBGWVR2_EL1: @@ -1648,7 +1636,7 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) case SYSREG_DBGWVR14_EL1: case SYSREG_DBGWVR15_EL1: env->cp15.dbgwvr[SYSREG_CRM(reg)] = val; - break; + return 0; case SYSREG_DBGWCR0_EL1: case SYSREG_DBGWCR1_EL1: case SYSREG_DBGWCR2_EL1: @@ -1666,20 +1654,18 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) case SYSREG_DBGWCR14_EL1: case SYSREG_DBGWCR15_EL1: env->cp15.dbgwcr[SYSREG_CRM(reg)] = val; - break; - default: - cpu_synchronize_state(cpu); - trace_hvf_unhandled_sysreg_write(env->pc, reg, - SYSREG_OP0(reg), - SYSREG_OP1(reg), - SYSREG_CRN(reg), - SYSREG_CRM(reg), - SYSREG_OP2(reg)); - hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); - return 1; + return 0; } - return 0; + cpu_synchronize_state(cpu); + trace_hvf_unhandled_sysreg_write(env->pc, reg, + SYSREG_OP0(reg), + SYSREG_OP1(reg), + SYSREG_CRN(reg), + SYSREG_CRM(reg), + SYSREG_OP2(reg)); + hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); + return 1; } static int hvf_inject_interrupts(CPUState *cpu) @@ -1944,7 +1930,17 @@ int hvf_vcpu_exec(CPUState *cpu) int sysreg_ret = 0; if (isread) { - sysreg_ret = hvf_sysreg_read(cpu, reg, rt); + sysreg_ret = hvf_sysreg_read(cpu, reg, &val); + if (!sysreg_ret) { + trace_hvf_sysreg_read(reg, + SYSREG_OP0(reg), + SYSREG_OP1(reg), + SYSREG_CRN(reg), + SYSREG_CRM(reg), + SYSREG_OP2(reg), + val); + hvf_set_reg(cpu, rt, val); + } } else { val = hvf_get_reg(cpu, rt); sysreg_ret = hvf_sysreg_write(cpu, reg, val); -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
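Review bot: In the ICC_* case of hvf_sysreg_read(), `hvf_sysreg_read_cp(cpu, reg, &val)` passes a `uint64_t **` now that `val` is the `uint64_t *` out-parameter; it needs to be `hvf_sysreg_read_cp(cpu, reg, val)` to build. Also in hvf_sysreg_read(), the SYSREG_OSDLR_EL1 "Dummy register" case now does `return 0;` without storing to `*val`, where the old code relied on the local `uint64_t val = 0;`. The caller in hvf_vcpu_exec() then passes its own `val` to `hvf_set_reg(cpu, rt, val)`, so unless that variable is initialised at its declaration (not visible in the hunk) the guest register receives an indeterminate host value; writing `*val = 0;` in that case closes the gap.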
* Re: [PULL 05/21] hvf: arm: Raise an exception for sysreg by default
From: Richard Henderson @ 2024-08-02 7:51 UTC
To: Peter Maydell, qemu-devel, Akihiko Odaki

On 7/30/24 19:40, Peter Maydell wrote:
> From: Akihiko Odaki <akihiko.odaki@daynix.com>
>
> Any sysreg access results in an exception unless defined otherwise so
> we should raise an exception by default.
>
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> target/arm/hvf/hvf.c | 174 +++++++++++++++++++++----------------------
> 1 file changed, 85 insertions(+), 89 deletions(-)

This patch fails to compile:

https://gitlab.com/qemu-project/qemu/-/jobs/7489527235

../target/arm/hvf/hvf.c:1283:42: error: incompatible pointer types passing 'uint64_t **' (aka 'unsigned long long **') to parameter of type 'uint64_t *' (aka 'unsigned long long *'); remove & [-Werror,-Wincompatible-pointer-types]
        if (hvf_sysreg_read_cp(cpu, reg, &val)) {
                                         ^~~~
../target/arm/hvf/hvf.c:1175:71: note: passing argument to parameter 'val' here
static bool hvf_sysreg_read_cp(CPUState *cpu, uint32_t reg, uint64_t *val)
                                                                      ^
1 error generated.

This snuck in while our Cirrus build minutes were exhausted, but it suggests that the patch was never tested at all.

r~

* Re: [PULL 05/21] hvf: arm: Raise an exception for sysreg by default
From: Akihiko Odaki @ 2024-08-02 8:41 UTC
To: Richard Henderson, Peter Maydell, qemu-devel

On 2024/08/02 16:51, Richard Henderson wrote:
> On 7/30/24 19:40, Peter Maydell wrote:
>> From: Akihiko Odaki <akihiko.odaki@daynix.com>
>>
>> Any sysreg access results in an exception unless defined otherwise so
>> we should raise an exception by default.
>>
>> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
>> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
>> ---
>> target/arm/hvf/hvf.c | 174 +++++++++++++++++++++----------------------
>> 1 file changed, 85 insertions(+), 89 deletions(-)
>
>
> This patch fails to compile:
>
> https://gitlab.com/qemu-project/qemu/-/jobs/7489527235
>
> ../target/arm/hvf/hvf.c:1283:42: error: incompatible pointer types
> passing 'uint64_t **' (aka 'unsigned long long **') to parameter of type
> 'uint64_t *' (aka 'unsigned long long *'); remove &
> [-Werror,-Wincompatible-pointer-types]
>         if (hvf_sysreg_read_cp(cpu, reg, &val)) {
>                                          ^~~~
> ../target/arm/hvf/hvf.c:1175:71: note: passing argument to parameter
> 'val' here
> static bool hvf_sysreg_read_cp(CPUState *cpu, uint32_t reg, uint64_t *val)
>                                                                       ^
> 1 error generated.
>
> This snuck in while our Cirrus build minutes were exhausted, but it
> suggests that the patch was never tested at all.

I have just submitted a fix. I'm sorry for causing a mess.

This is a problem in my workflow. I wrote the code on Linux, tested and fixed it on macOS. However I forgot to synchronize the code between macOS and Linux before sending it on Linux.

Regards,
Akihiko Odaki
* [PULL 06/21] hvf: arm: Properly disable PMU 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (4 preceding siblings ...) 2024-07-30 9:40 ` [PULL 05/21] hvf: arm: Raise an exception for sysreg by default Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 07/21] hvf: arm: Do not advance PC when raising an exception Peter Maydell ` (15 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Akihiko Odaki <akihiko.odaki@daynix.com> Setting pmu property used to have no effect for hvf so fix it. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/hvf/hvf.c | 186 +++++++++++++++++++++++-------------------- 1 file changed, 98 insertions(+), 88 deletions(-) diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c index 1a749534fb0..adcdfae0b17 100644 --- a/target/arm/hvf/hvf.c +++ b/target/arm/hvf/hvf.c 
@@ -1204,45 +1204,50 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint64_t *val) ARMCPU *arm_cpu = ARM_CPU(cpu); CPUARMState *env = &arm_cpu->env; + if (arm_feature(env, ARM_FEATURE_PMU)) { + switch (reg) { + case SYSREG_PMCR_EL0: + *val = env->cp15.c9_pmcr; + return 0; + case SYSREG_PMCCNTR_EL0: + pmu_op_start(env); + *val = env->cp15.c15_ccnt; + pmu_op_finish(env); + return 0; + case SYSREG_PMCNTENCLR_EL0: + *val = env->cp15.c9_pmcnten; + return 0; + case SYSREG_PMOVSCLR_EL0: + *val = env->cp15.c9_pmovsr; + return 0; + case SYSREG_PMSELR_EL0: + *val = env->cp15.c9_pmselr; + return 0; + case SYSREG_PMINTENCLR_EL1: + *val = env->cp15.c9_pminten; + return 0; + case SYSREG_PMCCFILTR_EL0: + *val = env->cp15.pmccfiltr_el0; + return 0; + case SYSREG_PMCNTENSET_EL0: + *val = env->cp15.c9_pmcnten; + return 0; + case SYSREG_PMUSERENR_EL0: + *val = env->cp15.c9_pmuserenr; + return 0; + case SYSREG_PMCEID0_EL0: + case SYSREG_PMCEID1_EL0: + /* We can't really count anything yet, declare all events invalid */ + *val = 0; + return 0; + } + } + switch (reg) { case SYSREG_CNTPCT_EL0: *val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(arm_cpu); return 0; - case SYSREG_PMCR_EL0: - *val = env->cp15.c9_pmcr; - return 0; - case SYSREG_PMCCNTR_EL0: - pmu_op_start(env); - *val = env->cp15.c15_ccnt; - pmu_op_finish(env); - return 0; - case SYSREG_PMCNTENCLR_EL0: - *val = env->cp15.c9_pmcnten; - return 0; - case SYSREG_PMOVSCLR_EL0: - *val = env->cp15.c9_pmovsr; - return 0; - case SYSREG_PMSELR_EL0: - *val = env->cp15.c9_pmselr; - return 0; - case SYSREG_PMINTENCLR_EL1: - *val = env->cp15.c9_pminten; - return 0; - case SYSREG_PMCCFILTR_EL0: - *val = env->cp15.pmccfiltr_el0; - return 0; - case SYSREG_PMCNTENSET_EL0: - *val = env->cp15.c9_pmcnten; - return 0; - case SYSREG_PMUSERENR_EL0: - *val = env->cp15.c9_pmuserenr; - return 0; - case SYSREG_PMCEID0_EL0: - case SYSREG_PMCEID1_EL0: - /* We can't really count anything yet, declare all events invalid */ - *val 
= 0; - return 0; case SYSREG_OSLSR_EL1: *val = env->cp15.oslsr_el1; return 0; 
@@ -1486,64 +1491,69 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) SYSREG_OP2(reg), val); - switch (reg) { - case SYSREG_PMCCNTR_EL0: - pmu_op_start(env); - env->cp15.c15_ccnt = val; - pmu_op_finish(env); - return 0; - case SYSREG_PMCR_EL0: - pmu_op_start(env); + if (arm_feature(env, ARM_FEATURE_PMU)) { + switch (reg) { + case SYSREG_PMCCNTR_EL0: + pmu_op_start(env); + env->cp15.c15_ccnt = val; + pmu_op_finish(env); + return 0; + case SYSREG_PMCR_EL0: + pmu_op_start(env); - if (val & PMCRC) { - /* The counter has been reset */ - env->cp15.c15_ccnt = 0; - } - - if (val & PMCRP) { - unsigned int i; - for (i = 0; i < pmu_num_counters(env); i++) { - env->cp15.c14_pmevcntr[i] = 0; + if (val & PMCRC) { + /* The counter has been reset */ + env->cp15.c15_ccnt = 0; } + + if (val & PMCRP) { + unsigned int i; + for (i = 0; i < pmu_num_counters(env); i++) { + env->cp15.c14_pmevcntr[i] = 0; + } + } + + env->cp15.c9_pmcr &= ~PMCR_WRITABLE_MASK; + env->cp15.c9_pmcr |= (val & PMCR_WRITABLE_MASK); + + pmu_op_finish(env); + return 0; + case SYSREG_PMUSERENR_EL0: + env->cp15.c9_pmuserenr = val & 0xf; + return 0; + case SYSREG_PMCNTENSET_EL0: + env->cp15.c9_pmcnten |= (val & pmu_counter_mask(env)); + return 0; + case SYSREG_PMCNTENCLR_EL0: + env->cp15.c9_pmcnten &= ~(val & pmu_counter_mask(env)); + return 0; + case SYSREG_PMINTENCLR_EL1: + pmu_op_start(env); + env->cp15.c9_pminten |= val; + pmu_op_finish(env); + return 0; + case SYSREG_PMOVSCLR_EL0: + pmu_op_start(env); + env->cp15.c9_pmovsr &= ~val; + pmu_op_finish(env); + return 0; + case SYSREG_PMSWINC_EL0: + pmu_op_start(env); + pmswinc_write(env, val); + pmu_op_finish(env); + return 0; + case SYSREG_PMSELR_EL0: + env->cp15.c9_pmselr = val & 0x1f; + return 0; + case SYSREG_PMCCFILTR_EL0: + pmu_op_start(env); + env->cp15.pmccfiltr_el0 = val & PMCCFILTR_EL0; + pmu_op_finish(env); + return 0; } + } - env->cp15.c9_pmcr &= ~PMCR_WRITABLE_MASK; - env->cp15.c9_pmcr |= (val & PMCR_WRITABLE_MASK); - - 
pmu_op_finish(env); - return 0; - case SYSREG_PMUSERENR_EL0: - env->cp15.c9_pmuserenr = val & 0xf; - return 0; - case SYSREG_PMCNTENSET_EL0: - env->cp15.c9_pmcnten |= (val & pmu_counter_mask(env)); - return 0; - case SYSREG_PMCNTENCLR_EL0: - env->cp15.c9_pmcnten &= ~(val & pmu_counter_mask(env)); - return 0; - case SYSREG_PMINTENCLR_EL1: - pmu_op_start(env); - env->cp15.c9_pminten |= val; - pmu_op_finish(env); - return 0; - case SYSREG_PMOVSCLR_EL0: - pmu_op_start(env); - env->cp15.c9_pmovsr &= ~val; - pmu_op_finish(env); - return 0; - case SYSREG_PMSWINC_EL0: - pmu_op_start(env); - pmswinc_write(env, val); - pmu_op_finish(env); - return 0; - case SYSREG_PMSELR_EL0: - env->cp15.c9_pmselr = val & 0x1f; - return 0; - case SYSREG_PMCCFILTR_EL0: - pmu_op_start(env); - env->cp15.pmccfiltr_el0 = val & PMCCFILTR_EL0; - pmu_op_finish(env); - return 0; + switch (reg) { case SYSREG_OSLAR_EL1: env->cp15.oslsr_el1 = val & 1; return 0; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
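Review bot: In the PMU block of hvf_sysreg_write(), the SYSREG_PMINTENCLR_EL1 case is moved unchanged as `env->cp15.c9_pminten |= val;`, which sets enable bits on a write to the clear register; PMINTENCLR_EL1 is write-one-to-clear, so this looks like it should be `&= ~val`, matching the PMCNTENCLR_EL0 and PMOVSCLR_EL0 cases beside it. That predates this patch, but it is worth fixing in a separate commit while the code is being touched. On the change itself, the commit message does not say what a guest now sees when the pmu property is off: from the structure, PMU register accesses fall through to the second switch and on to the unhandled-sysreg path, and stating that in the message would help. Most of the 186 changed lines are re-indentation, so moving the PMU cases into helper functions would make the diff much easier to review.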
* [PULL 07/21] hvf: arm: Do not advance PC when raising an exception 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (5 preceding siblings ...) 2024-07-30 9:40 ` [PULL 06/21] hvf: arm: Properly disable PMU Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 08/21] hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE Peter Maydell ` (14 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel From: Akihiko Odaki <akihiko.odaki@daynix.com> This is identical with commit 30a1690f2402 ("hvf: arm: Do not advance PC when raising an exception") but for writes instead of reads. Fixes: a2260983c655 ("hvf: arm: Add support for GICv3") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/hvf/hvf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c index adcdfae0b17..c1496ad5be9 100644 --- a/target/arm/hvf/hvf.c +++ b/target/arm/hvf/hvf.c @@ -1586,10 +1586,10 @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val) case SYSREG_ICC_SGI1R_EL1: case SYSREG_ICC_SRE_EL1: /* Call the TCG sysreg handler. This is only safe for GICv3 regs. */ - if (!hvf_sysreg_write_cp(cpu, reg, val)) { - hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized()); + if (hvf_sysreg_write_cp(cpu, reg, val)) { + return 0; } - return 0; + break; case SYSREG_MDSCR_EL1: env->cp15.mdscr_el1 = val; return 0; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
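Review bot: The new `break;` in the GICv3 case of hvf_sysreg_write() only raises the exception because [PULL 05/21] in this series moved the unhandled-register code (trace, `hvf_raise_exception()`, `return 1;`) to after the switch. On a tree without that patch the switch is followed by `return 0;`, so a rejected write would be silently ignored. Since this commit carries a Fixes: tag and may be picked up on its own, the commit message should name that dependency. The subject line is also identical to the commit it cites, 30a1690f2402; mentioning writes in the subject would keep the two distinguishable in the log.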
* [PULL 08/21] hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (6 preceding siblings ...) 2024-07-30 9:40 ` [PULL 07/21] hvf: arm: Do not advance PC when raising an exception Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 09/21] hw/misc/bcm2835_property: Avoid overflow in OTP access properties Peter Maydell ` (13 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel The documentation of the "Set palette" mailbox property at https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface#set-palette says it has the form: Length: 24..1032 Value: u32: offset: first palette index to set (0-255) u32: length: number of palette entries to set (1-256) u32...: RGBA palette values (offset to offset+length-1) We get this wrong in a couple of ways: * we aren't checking the offset and length are in range, so the guest can make us spin for a long time by providing a large length * the bounds check on our loop is wrong: we should iterate through 'length' palette entries, not 'length - offset' entries Fix the loop to implement the bounds checks and get the loop condition right. In the process, make the variables local to this switch case, rather than function-global, so it's clearer what type they are when reading the code. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723131029.1159908-2-peter.maydell@linaro.org --- hw/misc/bcm2835_property.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c index 63de3db6215..e28fdca9846 100644 --- a/hw/misc/bcm2835_property.c +++ b/hw/misc/bcm2835_property.c 
@@ -31,7 +31,6 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) size_t resplen; uint32_t tmp; int n; - uint32_t offset, length, color; uint32_t start_num, number, otp_row; /* @@ -274,19 +273,25 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) resplen = 16; break; case RPI_FWREQ_FRAMEBUFFER_SET_PALETTE: - offset = ldl_le_phys(&s->dma_as, value + 12); - length = ldl_le_phys(&s->dma_as, value + 16); - n = 0; - while (n < length - offset) { - color = ldl_le_phys(&s->dma_as, value + 20 + (n << 2)); - stl_le_phys(&s->dma_as, - s->fbdev->vcram_base + ((offset + n) << 2), color); - n++; + { + uint32_t offset = ldl_le_phys(&s->dma_as, value + 12); + uint32_t length = ldl_le_phys(&s->dma_as, value + 16); + int resp; + + if (offset > 255 || length < 1 || length > 256) { + resp = 1; /* invalid request */ + } else { + for (uint32_t e = 0; e < length; e++) { + uint32_t color = ldl_le_phys(&s->dma_as, value + 20 + (e << 2)); + stl_le_phys(&s->dma_as, + s->fbdev->vcram_base + ((offset + e) << 2), color); + } + resp = 0; } - stl_le_phys(&s->dma_as, value + 12, 0); + stl_le_phys(&s->dma_as, value + 12, resp); resplen = 4; break; - + } case RPI_FWREQ_FRAMEBUFFER_GET_NUM_DISPLAYS: stl_le_phys(&s->dma_as, value + 12, 1); resplen = 4; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
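Review bot: The new range check in the RPI_FWREQ_FRAMEBUFFER_SET_PALETTE case tests `offset > 255` and `length > 256` separately but never their sum, so a request with offset 255 and length 256 still passes and the loop stores to `vcram_base + ((offset + e) << 2)` for indices well past 255. The documented form is "offset to offset+length-1" within a 256-entry palette, so add `offset + length > 256` to the rejection condition. The loads at `value + 20 + (e << 2)` are also not compared against the tag's buffer size anywhere in this hunk; worth a follow-up if that is not validated elsewhere.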
* [PULL 09/21] hw/misc/bcm2835_property: Avoid overflow in OTP access properties 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (7 preceding siblings ...) 2024-07-30 9:40 ` [PULL 08/21] hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 10/21] hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row Peter Maydell ` (12 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel Coverity points out that in our handling of the property RPI_FWREQ_SET_CUSTOMER_OTP we have a potential overflow. This happens because we read start_num and number from the guest as unsigned 32 bit integers, but then the variable 'n' we use as a loop counter as we iterate from start_num to start_num + number is only an "int". That means that if the guest passes us a very large start_num we will interpret it as negative. This will result in an assertion failure inside bcm2835_otp_set_row(), which checks that we didn't pass it an invalid row number. A similar issue applies to all the properties for accessing OTP rows where we are iterating through with a start and length read from the guest. Use uint32_t for the loop counter to avoid this problem. Because in all cases 'n' is only used as a loop counter, we can do this as part of the for(), restricting its scope to exactly where we need it. Resolves: Coverity CID 1549401 Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723131029.1159908-3-peter.maydell@linaro.org --- hw/misc/bcm2835_property.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c index e28fdca9846..7eb623b4e90 100644 --- a/hw/misc/bcm2835_property.c +++ b/hw/misc/bcm2835_property.c 
@@ -30,7 +30,6 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) uint32_t tot_len; size_t resplen; uint32_t tmp; - int n; uint32_t start_num, number, otp_row; /* @@ -337,7 +336,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) resplen = 8 + 4 * number; - for (n = start_num; n < start_num + number && + for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { otp_row = bcm2835_otp_get_row(s->otp, BCM2835_OTP_CUSTOMER_OTP + n); @@ -366,7 +365,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) break; } - for (n = start_num; n < start_num + number && + for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { otp_row = ldl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2)); @@ -383,7 +382,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) resplen = 8 + 4 * number; - for (n = start_num; n < start_num + number && + for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { otp_row = bcm2835_otp_get_row(s->otp, BCM2835_OTP_PRIVATE_KEY + n); @@ -403,7 +402,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) break; } - for (n = start_num; n < start_num + number && + for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { otp_row = ldl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2)); -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
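Review bot: In all four OTP loops `start_num + number` is still a 32-bit sum of two guest-supplied values, so it can wrap, and in the two GET cases the context line `resplen = 8 + 4 * number` is computed from the unclamped `number`. Changing `n` to uint32_t removes the negative-index assertion, but clamping `number` once against the row count (BCM2835_OTP_CUSTOMER_OTP_LEN or BCM2835_OTP_PRIVATE_KEY_LEN, minus `start_num`) before computing `resplen` and entering the loop would remove the wrap and let the loop condition drop its second bound.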
* [PULL 10/21] hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (8 preceding siblings ...) 2024-07-30 9:40 ` [PULL 09/21] hw/misc/bcm2835_property: Avoid overflow in OTP access properties Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 11/21] hw/misc/bcm2835_property: Reduce scope of variables in mbox push function Peter Maydell ` (11 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel In the long function bcm2835_property_mbox_push(), the variables start_num, number and otp_row are used only in the four cases which access OTP data, and their uses don't overlap with each other. Make these variables have scope restricted to the cases where they're used, so it's easier to read each individual case without having to cross-refer up to the variable declaration at the top of the function and check whether the variable is also used later in the loop. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723131029.1159908-4-peter.maydell@linaro.org --- hw/misc/bcm2835_property.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c index 7eb623b4e90..443d42a1824 100644 --- a/hw/misc/bcm2835_property.c +++ b/hw/misc/bcm2835_property.c @@ -30,7 +30,6 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) uint32_t tot_len; size_t resplen; uint32_t tmp; - uint32_t start_num, number, otp_row; /* * Copy the current state of the framebuffer config; we will update 
@@ -331,22 +330,25 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) /* Customer OTP */ case RPI_FWREQ_GET_CUSTOMER_OTP: - start_num = ldl_le_phys(&s->dma_as, value + 12); - number = ldl_le_phys(&s->dma_as, value + 16); + { + uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); + uint32_t number = ldl_le_phys(&s->dma_as, value + 16); resplen = 8 + 4 * number; for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { - otp_row = bcm2835_otp_get_row(s->otp, + uint32_t otp_row = bcm2835_otp_get_row(s->otp, BCM2835_OTP_CUSTOMER_OTP + n); stl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2), otp_row); } break; + } case RPI_FWREQ_SET_CUSTOMER_OTP: - start_num = ldl_le_phys(&s->dma_as, value + 12); - number = ldl_le_phys(&s->dma_as, value + 16); + { + uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); + uint32_t number = ldl_le_phys(&s->dma_as, value + 16); resplen = 4; 
@@ -367,32 +369,35 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_CUSTOMER_OTP_LEN; n++) { - otp_row = ldl_le_phys(&s->dma_as, + uint32_t otp_row = ldl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2)); bcm2835_otp_set_row(s->otp, BCM2835_OTP_CUSTOMER_OTP + n, otp_row); } break; + } /* Device-specific private key */ - case RPI_FWREQ_GET_PRIVATE_KEY: - start_num = ldl_le_phys(&s->dma_as, value + 12); - number = ldl_le_phys(&s->dma_as, value + 16); + { + uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); + uint32_t number = ldl_le_phys(&s->dma_as, value + 16); resplen = 8 + 4 * number; for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { - otp_row = bcm2835_otp_get_row(s->otp, + uint32_t otp_row = bcm2835_otp_get_row(s->otp, BCM2835_OTP_PRIVATE_KEY + n); stl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2), otp_row); } break; + } case RPI_FWREQ_SET_PRIVATE_KEY: - start_num = ldl_le_phys(&s->dma_as, value + 12); - number = ldl_le_phys(&s->dma_as, value + 16); + { + uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12); + uint32_t number = ldl_le_phys(&s->dma_as, value + 16); resplen = 4; @@ -404,12 +409,13 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) for (uint32_t n = start_num; n < start_num + number && n < BCM2835_OTP_PRIVATE_KEY_LEN; n++) { - otp_row = ldl_le_phys(&s->dma_as, + uint32_t otp_row = ldl_le_phys(&s->dma_as, value + 20 + ((n - start_num) << 2)); bcm2835_otp_set_row(s->otp, BCM2835_OTP_PRIVATE_KEY + n, otp_row); } break; + } default: qemu_log_mask(LOG_UNIMP, "bcm2835_property: unhandled tag 0x%08x\n", tag); -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
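Review bot: Style point on the four OTP cases: each new block repeats the same two loads, `uint32_t start_num = ldl_le_phys(&s->dma_as, value + 12)` and `uint32_t number = ldl_le_phys(&s->dma_as, value + 16)`, followed by the same loop skeleton with only the base and length constants changing. Now that the variables are block-local, a small static helper taking the OTP base and row count (one for get, one for set) would remove the duplication and give a single place for any range check on `start_num` and `number`.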
* [PULL 11/21] hw/misc/bcm2835_property: Reduce scope of variables in mbox push function 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (9 preceding siblings ...) 2024-07-30 9:40 ` [PULL 10/21] hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 12/21] target/arm: Don't assert for 128-bit tile accesses when SVL is 128 Peter Maydell ` (10 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel In bcm2835_property_mbox_push(), some variables are defined at function scope but used only in a smaller scope of the function: * tag, bufsize, resplen are used only in the body of the while() loop * tmp is used only for RPI_FWREQ_SET_POWER_STATE (and is badly named) Declare these variables in the scope where they're needed, so the code is easier to read. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723131029.1159908-5-peter.maydell@linaro.org --- hw/misc/bcm2835_property.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c index 443d42a1824..8ca3128f29b 100644 --- a/hw/misc/bcm2835_property.c +++ b/hw/misc/bcm2835_property.c @@ -25,11 +25,7 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) { - uint32_t tag; - uint32_t bufsize; uint32_t tot_len; - size_t resplen; - uint32_t tmp; /* * Copy the current state of the framebuffer config; we will update 
@@ -48,10 +44,10 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) /* @(addr + 4) : Buffer response code */ value = s->addr + 8; while (value + 8 <= s->addr + tot_len) { - tag = ldl_le_phys(&s->dma_as, value); - bufsize = ldl_le_phys(&s->dma_as, value + 4); + uint32_t tag = ldl_le_phys(&s->dma_as, value); + uint32_t bufsize = ldl_le_phys(&s->dma_as, value + 4); /* @(value + 8) : Request/response indicator */ - resplen = 0; + size_t resplen = 0; switch (tag) { case RPI_FWREQ_PROPERTY_END: break; @@ -95,13 +91,16 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) resplen = 8; break; case RPI_FWREQ_SET_POWER_STATE: - /* Assume that whatever device they asked for exists, - * and we'll just claim we set it to the desired state + { + /* + * Assume that whatever device they asked for exists, + * and we'll just claim we set it to the desired state. */ - tmp = ldl_le_phys(&s->dma_as, value + 16); - stl_le_phys(&s->dma_as, value + 16, (tmp & 1)); + uint32_t state = ldl_le_phys(&s->dma_as, value + 16); + stl_le_phys(&s->dma_as, value + 16, (state & 1)); resplen = 8; break; + } /* Clocks */ -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
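Review bot: The context lines show the function parameter `value` being reassigned with `value = s->addr + 8` and then used as the cursor in `while (value + 8 <= s->addr + tot_len)`, which works against the readability goal of this patch. While narrowing the other variables, give the cursor its own local so the parameter keeps one meaning. `tag` and `bufsize` are never reassigned in the visible lines and could be declared const.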
* [PULL 12/21] target/arm: Don't assert for 128-bit tile accesses when SVL is 128 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (10 preceding siblings ...) 2024-07-30 9:40 ` [PULL 11/21] hw/misc/bcm2835_property: Reduce scope of variables in mbox push function Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 13/21] target/arm: Fix UMOPA/UMOPS of 16-bit values Peter Maydell ` (9 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel For an instruction which accesses a 128-bit element tile when the SVL is also 128 (for example MOV z0.Q, p0/M, ZA0H.Q[w0,0]), we will assert in get_tile_rowcol(): qemu-system-aarch64: ../../tcg/tcg-op.c:926: tcg_gen_deposit_z_i32: Assertion `len > 0' failed. This happens because we calculate len = ctz32(streaming_vec_reg_size(s)) - esz; but if the SVL and the element size are the same len is 0, and the deposit operation asserts. In this case the ZA storage contains exactly one 128 bit element ZA tile, and the horizontal or vertical slice is just that tile. This means that regardless of the index value in the Ws register, we always access that tile. (In pseudocode terms, we calculate (index + offset) MOD 1, which is 0.) Special case the len == 0 case to avoid hitting the assertion in tcg_gen_deposit_z_i32(). Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240722172957.1041231-2-peter.maydell@linaro.org --- target/arm/tcg/translate-sme.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c index 185a8a917b0..a50a419af27 100644 --- a/target/arm/tcg/translate-sme.c +++ b/target/arm/tcg/translate-sme.c 
@@ -49,7 +49,15 @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs, /* Prepare a power-of-two modulo via extraction of @len bits. */ len = ctz32(streaming_vec_reg_size(s)) - esz; - if (vertical) { + if (!len) { + /* + * SVL is 128 and the element size is 128. There is exactly + * one 128x128 tile in the ZA storage, and so we calculate + * (Rs + imm) MOD 1, which is always 0. We need to special case + * this because TCG doesn't allow deposit ops with len 0. + */ + tcg_gen_movi_i32(tmp, 0); + } else if (vertical) { /* * Compute the byte offset of the index within the tile: * (index % (svl / size)) * size -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
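Review bot: The new `if (!len)` branch in get_tile_rowcol() comes without a regression test, although the commit message gives an exact reproducer (MOV z0.Q, p0/M, ZA0H.Q[w0,0] with SVL 128). Please add that as a test case so the assertion cannot come back unnoticed. Since `len` is a bit count rather than a flag, `if (len == 0)` would read more clearly, and an `assert(len >= 0)` ahead of it would document that esz never exceeds ctz32(streaming_vec_reg_size(s)).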
* [PULL 13/21] target/arm: Fix UMOPA/UMOPS of 16-bit values 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (11 preceding siblings ...) 2024-07-30 9:40 ` [PULL 12/21] target/arm: Don't assert for 128-bit tile accesses when SVL is 128 Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 14/21] target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl() Peter Maydell ` (8 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel The UMOPA/UMOPS instructions are supposed to multiply unsigned 8 or 16 bit elements and accumulate the products into a 64-bit element. In the Arm ARM pseudocode, this is done with the usual infinite-precision signed arithmetic. However our implementation doesn't quite get it right, because in the DEF_IMOP_64() macro we do: sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0); where NTYPE and MTYPE are uint16_t or int16_t. In the uint16_t case, the C usual arithmetic conversions mean the values are converted to "int" type and the multiply is done as a 32-bit multiply. This means that if the inputs are, for example, 0xffff and 0xffff then the result is 0xFFFE0001 as an int, which is then promoted to uint64_t for the accumulation into sum; this promotion incorrectly sign extends the multiply. Avoid the incorrect sign extension by casting to int64_t before the multiply, so we do the multiply as 64-bit signed arithmetic, which is a type large enough that the multiply can never overflow into the sign bit. (The equivalent 8-bit operations in DEF_IMOP_32() are fine, because the 8-bit multiplies can never overflow into the sign bit of a 32-bit integer.) Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2372 
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240722172957.1041231-3-peter.maydell@linaro.org --- target/arm/tcg/sme_helper.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c index 50bb088d048..3ba826a6ceb 100644 --- a/target/arm/tcg/sme_helper.c +++ b/target/arm/tcg/sme_helper.c @@ -1162,10 +1162,10 @@ static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \ uint64_t sum = 0; \ /* Apply P to N as a mask, making the inactive elements 0. */ \ n &= expand_pred_h(p); \ - sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0); \ - sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16); \ - sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32); \ - sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48); \ + sum += (int64_t)(NTYPE)(n >> 0) * (MTYPE)(m >> 0); \ + sum += (int64_t)(NTYPE)(n >> 16) * (MTYPE)(m >> 16); \ + sum += (int64_t)(NTYPE)(n >> 32) * (MTYPE)(m >> 32); \ + sum += (int64_t)(NTYPE)(n >> 48) * (MTYPE)(m >> 48); \ return neg ? a - sum : a + sum; \ } -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
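Review bot: In DEF_IMOP_64() the reason for the new `(int64_t)` cast on each `sum +=` line is recorded only in the commit message, and the cast looks redundant to anyone who does not have the promotion rules in mind. Add a short comment above the four lines saying that 16-bit operands would otherwise be multiplied as int and sign-extended into `sum`, so the cast is not "simplified" away later. A test with both inputs 0xffff in every lane, the case the commit message walks through, would lock the behaviour in.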
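The promotion problem described in the commit message above, as an added example that is not code from the patch or from QEMU: it models the pre-fix lane product (multiply as int with -fwrapv wrapping, then sign-extend into a 64-bit sum) next to the post-fix int64_t multiply. The function names are hypothetical, the inputs are constructed, and the predicate mask and the `neg` handling of DEF_IMOP_64() are left out.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Pre-fix lane product for NTYPE = MTYPE = uint16_t (hypothetical name).
 * In the original expression both operands promote to int, the product
 * wraps under -fwrapv, and the int result is sign-extended when it is
 * added to a uint64_t. The wrapped bits are computed here in uint32_t so
 * the demonstration itself contains no signed overflow.
 */
static uint64_t lane_product_as_int(uint16_t n, uint16_t m)
{
    uint32_t bits = (uint32_t)n * (uint32_t)m; /* same bit pattern as the int product */
    return (uint64_t)(int64_t)(int32_t)bits;   /* sign extension into 64 bits */
}

/*
 * Post-fix lane product (hypothetical name): one operand is widened to
 * int64_t first, so the multiply is done in 64 bits and a product of two
 * 16-bit values can never reach the sign bit.
 */
static uint64_t lane_product_as_int64(uint16_t n, uint16_t m)
{
    return (uint64_t)((int64_t)n * m);
}

typedef uint64_t (*lane_fn)(uint16_t, uint16_t);

/* Sum the four 16-bit lane products of two 64-bit inputs, as the macro does. */
static uint64_t sum_four_lanes(uint64_t n, uint64_t m, lane_fn product)
{
    uint64_t sum = 0;

    for (int shift = 0; shift < 64; shift += 16) {
        sum += product((uint16_t)(n >> shift), (uint16_t)(m >> shift));
    }
    return sum;
}

int main(void)
{
    /* Constructed inputs: every lane holds 0xffff, the case from the commit message. */
    uint64_t n = UINT64_MAX, m = UINT64_MAX;

    printf("one lane, int multiply:     %016llx\n",
           (unsigned long long)lane_product_as_int(0xffff, 0xffff));
    printf("one lane, int64_t multiply: %016llx\n",
           (unsigned long long)lane_product_as_int64(0xffff, 0xffff));
    printf("four lanes, int multiply:     %016llx\n",
           (unsigned long long)sum_four_lanes(n, m, lane_product_as_int));
    printf("four lanes, int64_t multiply: %016llx\n",
           (unsigned long long)sum_four_lanes(n, m, lane_product_as_int64));
    return 0;
}
```

The two versions agree whenever the product is below 2^31 (for example 0x8000 * 0xffff) and diverge from the first product that sets bit 31 (0x8001 * 0xffff).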
* [PULL 14/21] target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl() 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (12 preceding siblings ...) 2024-07-30 9:40 ` [PULL 13/21] target/arm: Fix UMOPA/UMOPS of 16-bit values Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 15/21] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled Peter Maydell ` (7 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel The function tszimm_esz() returns a shift amount, or possibly -1 in certain cases that correspond to unallocated encodings in the instruction set. We catch these later in the trans_ functions (generally with an "a-esz < 0" check), but before we do the decodetree-generated code will also call tszimm_shr() or tszimm_shl(), which will use the tszimm_esz() return value as a shift count without checking that it is not negative, which is undefined behaviour. Avoid the UB by checking the return value in tszimm_shr() and tszimm_shl(). Cc: qemu-stable@nongnu.org Resolves: Coverity CID 1547617, 1547694 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240722172957.1041231-4-peter.maydell@linaro.org --- target/arm/tcg/translate-sve.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c index 798ab2bfb13..a72c2620960 100644 --- a/target/arm/tcg/translate-sve.c +++ b/target/arm/tcg/translate-sve.c 
@@ -50,13 +50,27 @@ static int tszimm_esz(DisasContext *s, int x) static int tszimm_shr(DisasContext *s, int x) { - return (16 << tszimm_esz(s, x)) - x; + /* + * We won't use the tszimm_shr() value if tszimm_esz() returns -1 (the + * trans function will check for esz < 0), so we can return any + * value we like from here in that case as long as we avoid UB. + */ + int esz = tszimm_esz(s, x); + if (esz < 0) { + return esz; + } + return (16 << esz) - x; } /* See e.g. LSL (immediate, predicated). */ static int tszimm_shl(DisasContext *s, int x) { - return x - (8 << tszimm_esz(s, x)); + /* As with tszimm_shr(), value will be unused if esz < 0 */ + int esz = tszimm_esz(s, x); + if (esz < 0) { + return esz; + } + return x - (8 << esz); } /* The SH bit is in bit 8. Extract the low 8 and shift. */ -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
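Review bot: Both tszimm_shr() and tszimm_shl() now return the negative `esz` unchanged on the strength of the comment's claim that the trans function "will check for esz < 0", but nothing in these helpers enforces that contract. If a new trans_ function forgets the check, -1 flows on as a shift immediate with no diagnostic. Consider naming the sentinel and pointing to it from the tszimm_esz() comment so the requirement is visible where new users of these helpers get added, and spell the tszimm_shl() comment out as fully as the tszimm_shr() one since readers may land on either.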
* [PULL 15/21] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (13 preceding siblings ...) 2024-07-30 9:40 ` [PULL 14/21] target/arm: Avoid shifts by -1 in tszimm_shr() and tszimm_shl() Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 16/21] target/tricore: Use unsigned types for bitops in helper_eq_b() Peter Maydell ` (6 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel When determining the current vector length, the SMCR_EL2.LEN and SVCR_EL2.LEN settings should only be considered if EL2 is enabled (compare the pseudocode CurrentSVL and CurrentNSVL which call EL2Enabled()). We were checking against ARM_FEATURE_EL2 rather than calling arm_is_el2_enabled(), which meant that we would look at SMCR_EL2/SVCR_EL2 when in Secure EL1 or Secure EL0 even if Secure EL2 was not enabled. Use the correct check in sve_vqm1_for_el_sm(). Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240722172957.1041231-5-peter.maydell@linaro.org --- target/arm/helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index ce319572354..8fb4b474e83 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -7232,7 +7232,7 @@ uint32_t sve_vqm1_for_el_sm(CPUARMState *env, int el, bool sm) if (el <= 1 && !el_is_in_host(env, el)) { len = MIN(len, 0xf & (uint32_t)cr[1]); } - if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) { + if (el <= 2 && arm_is_el2_enabled(env)) { len = MIN(len, 0xf & (uint32_t)cr[2]); } if (arm_feature(env, ARM_FEATURE_EL3)) { -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
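Review bot: The replaced condition now reads `el <= 2 && arm_is_el2_enabled(env)`, which takes only `env`, while sve_vqm1_for_el_sm() itself is parameterised on `el`. A short comment stating that the EL2-enabled test is evaluated for the current security state, and that this is what callers passing an `el` other than the current one want, would make the intent clear. A test that runs at Secure EL1 with Secure EL2 disabled and a restrictive SMCR_EL2.LEN would pin the fix down.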
* [PULL 16/21] target/tricore: Use unsigned types for bitops in helper_eq_b() 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (14 preceding siblings ...) 2024-07-30 9:40 ` [PULL 15/21] target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 17/21] target/xtensa: Make use of 'segment' in pptlb helper less confusing Peter Maydell ` (5 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel Coverity points out that in helper_eq_b() we have an int32_t 'msk' and we end up shifting into its sign bit. This is OK for QEMU because we use -fwrapv to give this well defined semantics, but when you look at what this function is doing it's doing bit operations, so we should be using an unsigned variable anyway. This also matches the return type of the function. Make 'ret' and 'msk' uint32_t. Resolves: Coverity CID 1547758 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240723151042.1396610-1-peter.maydell@linaro.org --- target/tricore/op_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c index ba9c4444b39..a0d5a0da1df 100644 --- a/target/tricore/op_helper.c +++ b/target/tricore/op_helper.c @@ -1505,8 +1505,8 @@ uint32_t helper_sub_h(CPUTriCoreState *env, target_ulong r1, target_ulong r2) uint32_t helper_eq_b(target_ulong r1, target_ulong r2) { - int32_t ret; - int32_t i, msk; + uint32_t ret, msk; + int32_t i; ret = 0; msk = 0xff; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
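Review bot: In helper_eq_b() the declarations become `uint32_t ret, msk;` while the context lines below still assign `ret = 0;` and `msk = 0xff;` as separate statements. Initialising at the declaration (`uint32_t ret = 0, msk = 0xff;`) would be tidier. If `i` is only a loop counter it could be declared in its for() as the m68k patch in this series does for its counters, rather than staying a function-scope int32_t.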
* [PULL 17/21] target/xtensa: Make use of 'segment' in pptlb helper less confusing 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (15 preceding siblings ...) 2024-07-30 9:40 ` [PULL 16/21] target/tricore: Use unsigned types for bitops in helper_eq_b() Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 18/21] target/m68k: avoid shift into sign bit in dump_address_map() Peter Maydell ` (4 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel Coverity gets confused about the use of the 'segment' variable in the pptlb helper function: it thinks that we can take a code path where we first initialize it: unsigned segment = XTENSA_MPU_PROBE_B; // 0x40000000 and then use that value as a shift count: } else if (nhits == 1 && (env->sregs[MPUENB] & (1u << segment))) { In fact this isn't possible, because xtensa_mpu_lookup() is passed '&segment', and it uses that as an output value, which it will always set if it returns nonzero. But the way the code is currently written is confusing to a human reader as well as to Coverity. Instead of initializing 'segment' at the top of the function with a value that's only used in the "nhits == 0" code path, use the constant value directly in that code path, and don't initialize segment. This matches the way we use xtensa_mpu_lookup() in its other callsites in get_physical_addr_mpu(). Resolves: Coverity CID 1547589 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Max Filippov <jcmvbkbc@gmail.com> Message-id: 20240723151454.1396826-1-peter.maydell@linaro.org --- target/xtensa/mmu_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/xtensa/mmu_helper.c b/target/xtensa/mmu_helper.c index 997b21d3890..29b84d5dbf6 100644 --- a/target/xtensa/mmu_helper.c +++ b/target/xtensa/mmu_helper.c 
@@ -991,7 +991,7 @@ uint32_t HELPER(rptlb1)(CPUXtensaState *env, uint32_t s) uint32_t HELPER(pptlb)(CPUXtensaState *env, uint32_t v) { unsigned nhits; - unsigned segment = XTENSA_MPU_PROBE_B; + unsigned segment; unsigned bg_segment; nhits = xtensa_mpu_lookup(env->mpu_fg, env->config->n_mpu_fg_segments, @@ -1005,7 +1005,7 @@ uint32_t HELPER(pptlb)(CPUXtensaState *env, uint32_t v) xtensa_mpu_lookup(env->config->mpu_bg, env->config->n_mpu_bg_segments, v, &bg_segment); - return env->config->mpu_bg[bg_segment].attr | segment; + return env->config->mpu_bg[bg_segment].attr | XTENSA_MPU_PROBE_B; } } -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
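Review bot: With `unsigned segment;` now uninitialised, correctness rests on xtensa_mpu_lookup() always writing its output argument when it returns nonzero, and that contract is stated only in the commit message. Document it in a comment on xtensa_mpu_lookup() so the next static-analysis report can be checked against the code. The second hunk has the same exposure: the background lookup's return value is discarded and `bg_segment` is used to index `env->config->mpu_bg[]` straight away, so either assert that the lookup returned a hit or note why the background map always matches.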
* [PULL 18/21] target/m68k: avoid shift into sign bit in dump_address_map() 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (16 preceding siblings ...) 2024-07-30 9:40 ` [PULL 17/21] target/xtensa: Make use of 'segment' in pptlb helper less confusing Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 19/21] target/i386: Remove dead assignment to ss in do_interrupt64() Peter Maydell ` (3 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel Coverity complains (CID 1547592) that in dump_address_map() we take a value stored in a signed integer variable 'i' and shift it by enough to shift into the sign bit when we construct the value 'logical'. This isn't a bug for QEMU because we use -fwrapv semantics, but we can make Coverity happy by using an unsigned type for the loop variables i, j, k in this function. While we're changing the declaration of the variables, put them in the for() loops so their scope is the minimum required (a style now permitted by our coding style guide). Resolves: Coverity CID 1547592 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723154207.1483665-1-peter.maydell@linaro.org --- target/m68k/helper.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/target/m68k/helper.c b/target/m68k/helper.c index 7967ad13cbf..4c85badd5d3 100644 --- a/target/m68k/helper.c +++ b/target/m68k/helper.c @@ -479,7 +479,6 @@ static void print_address_zone(uint32_t logical, uint32_t physical, static void dump_address_map(CPUM68KState *env, uint32_t root_pointer) { - int i, j, k; int tic_size, tic_shift; uint32_t tib_mask; uint32_t tia, tib, tic; 
@@ -502,19 +501,19 @@ static void dump_address_map(CPUM68KState *env, uint32_t root_pointer) tic_shift = 12; tib_mask = M68K_4K_PAGE_MASK; } - for (i = 0; i < M68K_ROOT_POINTER_ENTRIES; i++) { + for (unsigned i = 0; i < M68K_ROOT_POINTER_ENTRIES; i++) { tia = address_space_ldl(cs->as, M68K_POINTER_BASE(root_pointer) + i * 4, MEMTXATTRS_UNSPECIFIED, &txres); if (txres != MEMTX_OK || !M68K_UDT_VALID(tia)) { continue; } - for (j = 0; j < M68K_ROOT_POINTER_ENTRIES; j++) { + for (unsigned j = 0; j < M68K_ROOT_POINTER_ENTRIES; j++) { tib = address_space_ldl(cs->as, M68K_POINTER_BASE(tia) + j * 4, MEMTXATTRS_UNSPECIFIED, &txres); if (txres != MEMTX_OK || !M68K_UDT_VALID(tib)) { continue; } - for (k = 0; k < tic_size; k++) { + for (unsigned k = 0; k < tic_size; k++) { tic = address_space_ldl(cs->as, (tib & tib_mask) + k * 4, MEMTXATTRS_UNSPECIFIED, &txres); if (txres != MEMTX_OK || !M68K_PDT_VALID(tic)) { -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
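Review bot: In the innermost loop the counter is now `unsigned k` but the bound `tic_size` is still declared `int tic_size, tic_shift;` in the first hunk's context, so `k < tic_size` becomes a mixed signed/unsigned comparison. The values assigned to tic_size are small and positive so behaviour is unchanged, but this swaps one class of analyser warning for another (-Wsign-compare). Make `tic_size` unsigned in the same patch so the loop is consistently typed.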
* [PULL 19/21] target/i386: Remove dead assignment to ss in do_interrupt64() 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (17 preceding siblings ...) 2024-07-30 9:40 ` [PULL 18/21] target/m68k: avoid shift into sign bit in dump_address_map() Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 20/21] target/sh4: Avoid shift into sign bit in update_itlb_use() Peter Maydell ` (2 subsequent siblings) 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel Coverity points out that in do_interrupt64() in the "to inner privilege" codepath we set "ss = 0", but because we also set "new_stack = 1" there, later in the function we will always override that value of ss with "ss = 0 | dpl". Remove the unnecessary initialization of ss, which allows us to reduce the scope of the variable to only where it is used. Borrow a comment from helper_lcall_protected() that explains what "0 | dpl" means here. Resolves: Coverity CID 1527395 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-id: 20240723162525.1585743-1-peter.maydell@linaro.org --- target/i386/tcg/seg_helper.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c index aac092a356b..bab552cd535 100644 --- a/target/i386/tcg/seg_helper.c +++ b/target/i386/tcg/seg_helper.c @@ -926,7 +926,7 @@ static void do_interrupt64(CPUX86State *env, int intno, int is_int, target_ulong ptr; int type, dpl, selector, cpl, ist; int has_error_code, new_stack; - uint32_t e1, e2, e3, ss, eflags; + uint32_t e1, e2, e3, eflags; target_ulong old_eip, offset; bool set_rf; StackAccess sa; 
@@ -1007,7 +1007,6 @@ static void do_interrupt64(CPUX86State *env, int intno, int is_int, /* to inner privilege */ new_stack = 1; sa.sp = get_rsp_from_tss(env, ist != 0 ? ist + 3 : dpl); - ss = 0; } else { /* to same privilege */ if (env->eflags & VM_MASK) { @@ -1040,7 +1039,7 @@ static void do_interrupt64(CPUX86State *env, int intno, int is_int, env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK); if (new_stack) { - ss = 0 | dpl; + uint32_t ss = 0 | dpl; /* SS = NULL selector with RPL = new CPL */ cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT); } env->regs[R_ESP] = sa.sp; -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
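Review bot: in the last hunk, "uint32_t ss = 0 | dpl;" is numerically just dpl, so the expression only carries meaning together with the borrowed comment "SS = NULL selector with RPL = new CPL". Please keep that comment on the line directly above the declaration, so a later cleanup does not reduce it to "ss = dpl" and lose the reason the selector part is zero. With the "ss = 0;" removal in the "to inner privilege" branch, ss is now scoped to the "if (new_stack)" block, which matches its only use in the cpu_x86_load_seg_cache() call.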
* [PULL 20/21] target/sh4: Avoid shift into sign bit in update_itlb_use() 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (18 preceding siblings ...) 2024-07-30 9:40 ` [PULL 19/21] target/i386: Remove dead assignment to ss in do_interrupt64() Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-30 9:40 ` [PULL 21/21] system/physmem: Where we assume we have a RAM MR, assert it Peter Maydell 2024-07-31 1:18 ` [PULL 00/21] target-arm queue Richard Henderson 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel In update_itlb_use() the variables or_mask and and_mask are uint8_t, which means that in expressions like "and_mask << 24" the usual C arithmetic conversions will result in the shift being done as a signed int type, and so we will shift into the sign bit. For QEMU this isn't undefined behaviour because we use -fwrapv; but we can avoid it anyway by using uint32_t types for or_mask and and_mask. Resolves: Coverity CID 1547628 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp> Message-id: 20240723172431.1757296-1-peter.maydell@linaro.org --- target/sh4/helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/sh4/helper.c b/target/sh4/helper.c index 67029106277..9659c695504 100644 --- a/target/sh4/helper.c +++ b/target/sh4/helper.c @@ -187,7 +187,7 @@ void superh_cpu_do_interrupt(CPUState *cs) static void update_itlb_use(CPUSH4State * env, int itlbnb) { - uint8_t or_mask = 0, and_mask = (uint8_t) - 1; + uint32_t or_mask = 0, and_mask = 0xff; switch (itlbnb) { case 0: -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
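Review bot: the new declaration "uint32_t or_mask = 0, and_mask = 0xff;" in update_itlb_use() holds 8-bit values in 32-bit variables, and nothing at the declaration says why. A one-line comment there (the masks are shifted by up to 24 bits, so they must not be a type that promotes to signed int) would stop a future tidy-up from narrowing them back to uint8_t and reintroducing the Coverity report. The change from "(uint8_t) - 1" to the literal 0xff keeps the same initial value and is easier to read.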
* [PULL 21/21] system/physmem: Where we assume we have a RAM MR, assert it 2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell ` (19 preceding siblings ...) 2024-07-30 9:40 ` [PULL 20/21] target/sh4: Avoid shift into sign bit in update_itlb_use() Peter Maydell @ 2024-07-30 9:40 ` Peter Maydell 2024-07-31 1:18 ` [PULL 00/21] target-arm queue Richard Henderson 21 siblings, 0 replies; 45+ messages in thread From: Peter Maydell @ 2024-07-30 9:40 UTC (permalink / raw) To: qemu-devel In the functions invalidate_and_set_dirty() and cpu_physical_memory_snapshot_and_clear_dirty(), we assume that we are dealing with RAM memory regions. In this case we know that memory_region_get_ram_addr() will succeed. Assert this before we use the returned ram_addr_t in arithmetic. This makes Coverity happier about these functions: it otherwise complains that we might have an arithmetic overflow that stems from the possible -1 return from memory_region_get_ram_addr(). Resolves: Coverity CID 1547629, 1547715 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Xu <peterx@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> Message-id: 20240723170513.1676453-1-peter.maydell@linaro.org --- system/physmem.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/system/physmem.c b/system/physmem.c index 0e19186e1b4..94600a33ec3 100644 --- a/system/physmem.c +++ b/system/physmem.c 
@@ -923,13 +923,19 @@ DirtyBitmapSnapshot *cpu_physical_memory_snapshot_and_clear_dirty (MemoryRegion *mr, hwaddr offset, hwaddr length, unsigned client) { DirtyMemoryBlocks *blocks; - ram_addr_t start = memory_region_get_ram_addr(mr) + offset; + ram_addr_t start, first, last; unsigned long align = 1UL << (TARGET_PAGE_BITS + BITS_PER_LEVEL); - ram_addr_t first = QEMU_ALIGN_DOWN(start, align); - ram_addr_t last = QEMU_ALIGN_UP(start + length, align); DirtyBitmapSnapshot *snap; unsigned long page, end, dest; + start = memory_region_get_ram_addr(mr); + /* We know we're only called for RAM MemoryRegions */ + assert(start != RAM_ADDR_INVALID); + start += offset; + + first = QEMU_ALIGN_DOWN(start, align); + last = QEMU_ALIGN_UP(start + length, align); + snap = g_malloc0(sizeof(*snap) + ((last - first) >> (TARGET_PAGE_BITS + 3))); snap->start = first; @@ -2659,7 +2665,11 @@ static void invalidate_and_set_dirty(MemoryRegion *mr, hwaddr addr, hwaddr length) { uint8_t dirty_log_mask = memory_region_get_dirty_log_mask(mr); - addr += memory_region_get_ram_addr(mr); + ram_addr_t ramaddr = memory_region_get_ram_addr(mr); + + /* We know we're only called for RAM MemoryRegions */ + assert(ramaddr != RAM_ADDR_INVALID); + addr += ramaddr; /* No early return if dirty_log_mask is or becomes 0, because * cpu_physical_memory_set_dirty_range will still call -- 2.34.1 ^ permalink raw reply related [flat|nested] 45+ messages in thread
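Review bot: both hunks repeat the same sequence (call memory_region_get_ram_addr(), assert the result is not RAM_ADDR_INVALID, then add the offset), each with an identical comment, once in cpu_physical_memory_snapshot_and_clear_dirty() and once in invalidate_and_set_dirty(). A small static helper that performs the call and the assert and returns the ram_addr_t would keep the two sites from drifting apart, and would give any other caller that assumes a RAM MemoryRegion one place to get the same check. In the first hunk, also note that "last = QEMU_ALIGN_UP(start + length, align)" is still computed after the assert with no bound on length, so the comment should make clear the assert covers only the invalid-address case.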
* Re: [PULL 00/21] target-arm queue
2024-07-30 9:39 [PULL 00/21] target-arm queue Peter Maydell
` (20 preceding siblings ...)
2024-07-30 9:40 ` [PULL 21/21] system/physmem: Where we assume we have a RAM MR, assert it Peter Maydell
@ 2024-07-31 1:18 ` Richard Henderson
21 siblings, 0 replies; 45+ messages in thread
From: Richard Henderson @ 2024-07-31 1:18 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
On 7/30/24 19:39, Peter Maydell wrote:
> Arm pullreq: these are all bugfixes. I've included a handful
> of my fixes for various non-arm minor Coverity issues too.
>
> thanks
> -- PMM
>
> The following changes since commit 93b799fafd9170da3a79a533ea6f73a18de82e22:
>
> Merge tag 'pull-ppc-for-9.1-2-20240726-1' of https://gitlab.com/npiggin/qemu into staging (2024-07-26 15:10:45 +1000)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240730
>
> for you to fetch changes up to 73188068d7ba40c8a37b4763db38bb1ce24ca07d:
>
> system/physmem: Where we assume we have a RAM MR, assert it (2024-07-29 17:03:35 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
> * hw/char/bcm2835_aux: Fix assert when receive FIFO fills up
> * hw/arm/smmuv3: Assert input to oas2bits() is valid
> * target/arm/kvm: Set PMU for host only when available
> * target/arm/kvm: Do not silently remove PMU
> * hvf: arm: Properly disable PMU
> * hvf: arm: Do not advance PC when raising an exception
> * hw/misc/bcm2835_property: several minor bugfixes
> * target/arm: Don't assert for 128-bit tile accesses when SVL is 128
> * target/arm: Fix UMOPA/UMOPS of 16-bit values
> * target/arm: Ignore SMCR_EL2.LEN and SVCR_EL2.LEN if EL2 is not enabled
> * system/physmem: Where we assume we have a RAM MR, assert it
> * sh4, i386, m68k, xtensa, tricore, arm: fix minor Coverity issues
Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.
r~
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2025-03-07 15:06 Peter Maydell
2025-03-09 0:41 ` Stefan Hajnoczi
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2025-03-07 15:06 UTC (permalink / raw)
To: qemu-devel
Hi; here's a target-arm pullreq to go in before softfreeze.
This is actually pretty much entirely bugfixes (since the
SEL2 timers we implement here are a missing part of a feature
we claim to already implement).
thanks
-- PMM
The following changes since commit 98c7362b1efe651327385a25874a73e008c6549e:
Merge tag 'accel-cpus-20250306' of https://github.com/philmd/qemu into staging (2025-03-07 07:39:49 +0800)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250307
for you to fetch changes up to 0ce0739d46983e5e88fa9c149cb305689c9d8c6f:
target/rx: Remove TCG_CALL_NO_WG from helpers which write env (2025-03-07 15:03:20 +0000)
----------------------------------------------------------------
target-arm queue:
* hw/arm/smmu-common: Remove the repeated ttb field
* hw/gpio: npcm7xx: fixup out-of-bounds access
* tests/functional/test_arm_sx1: Check whether the serial console is working
* target/arm: Fix minor bugs in generic timer register handling
* target/arm: Implement SEL2 physical and virtual timers
* target/arm: Correct STRD, LDRD atomicity and fault behaviour
* target/arm: Make dummy debug registers RAZ, not NOP
* util/qemu-timer.c: Don't warp timer from timerlist_rearm()
* include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
* hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
* target/rx: Set exception vector base to 0xffffff80
* target/rx: Remove TCG_CALL_NO_WG from helpers which write env
----------------------------------------------------------------
Alex Bennée (4):
target/arm: Implement SEL2 physical and virtual timers
target/arm: Document the architectural names of our GTIMERs
hw/arm: enable secure EL2 timers for virt machine
hw/arm: enable secure EL2 timers for sbsa machine
JianChunfu (2):
hw/arm/smmu-common: Remove the repeated ttb field
hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
Keith Packard (2):
target/rx: Set exception vector base to 0xffffff80
target/rx: Remove TCG_CALL_NO_WG from helpers which write env
Patrick Venture (1):
hw/gpio: npcm7xx: fixup out-of-bounds access
Peter Maydell (11):
target/arm: Apply correct timer offset when calculating deadlines
target/arm: Don't apply CNTVOFF_EL2 for EL2_VIRT timer
target/arm: Make CNTPS_* UNDEF from Secure EL1 when Secure EL2 is enabled
target/arm: Always apply CNTVOFF_EL2 for CNTV_TVAL_EL02 accesses
target/arm: Refactor handling of timer offset for direct register accesses
target/arm: Correct LDRD atomicity and fault behaviour
target/arm: Correct STRD atomicity
target/arm: Drop unused address_offset from op_addr_{rr, ri}_post()
target/arm: Make dummy debug registers RAZ, not NOP
util/qemu-timer.c: Don't warp timer from timerlist_rearm()
include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
Thomas Huth (1):
tests/functional/test_arm_sx1: Check whether the serial console is working
MAINTAINERS | 1 +
hw/arm/smmu-internal.h | 5 -
include/exec/memop.h | 8 +-
include/hw/arm/bsa.h | 2 +
include/hw/arm/smmu-common.h | 7 +-
target/arm/cpu.h | 2 +
target/arm/gtimer.h | 14 +-
target/arm/internals.h | 5 +-
target/rx/helper.h | 34 ++--
hw/arm/sbsa-ref.c | 2 +
hw/arm/smmu-common.c | 21 +++
hw/arm/smmuv3.c | 19 +--
hw/arm/virt.c | 2 +
hw/gpio/npcm7xx_gpio.c | 3 +-
target/arm/cpu.c | 4 +
target/arm/debug_helper.c | 7 +-
target/arm/helper.c | 324 ++++++++++++++++++++++++++++++++-------
target/arm/tcg/op_helper.c | 8 +-
target/arm/tcg/translate.c | 147 +++++++++++-------
target/rx/helper.c | 2 +-
util/qemu-timer.c | 4 -
hw/arm/trace-events | 3 +-
tests/functional/test_arm_sx1.py | 7 +-
23 files changed, 455 insertions(+), 176 deletions(-)
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2025-03-07 15:06 Peter Maydell
@ 2025-03-09 0:41 ` Stefan Hajnoczi
0 siblings, 0 replies; 45+ messages in thread
From: Stefan Hajnoczi @ 2025-03-09 0:41 UTC (permalink / raw)
To: Peter Maydell; +Cc: qemu-devel
[-- Attachment #1: Type: text/plain, Size: 116 bytes --]
Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/10.0 for any user-visible changes.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2024-04-30 16:48 Peter Maydell
2024-04-30 23:01 ` Richard Henderson
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2024-04-30 16:48 UTC (permalink / raw)
To: qemu-devel
Here's another arm pullreq; nothing too exciting in here I think.
thanks
-- PMM
The following changes since commit 5fee33d97a7f2e95716417bd164f2f5264acd976:
Merge tag 'samuel-thibault' of https://people.debian.org/~sthibault/qemu into staging (2024-04-29 14:34:25 -0700)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240430
for you to fetch changes up to a0c325c4b05cf7815739d6a84e567b95c8c5be7e:
tests/qtest : Add testcase for DM163 (2024-04-30 16:05:08 +0100)
----------------------------------------------------------------
target-arm queue:
* hw/core/clock: allow clock_propagate on child clocks
* hvf: arm: Remove unused PL1_WRITE_MASK define
* target/arm: Restrict translation disabled alignment check to VMSA
* docs/system/arm/emulation.rst: Add missing implemented features
* target/arm: Enable FEAT_CSV2_3, FEAT_ETS2, FEAT_Spec_FPACC for 'max'
* tests/avocado: update sunxi kernel from armbian to 6.6.16
* target/arm: Make new CPUs default to 1GHz generic timer
* hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields
* hw/char/stm32l4x5_usart: Fix memory corruption by adding correct class_size
* hw/arm/npcm7xx: Store derivative OTP fuse key in little endian
* hw/arm: Add DM163 display to B-L475E-IOT01A board
----------------------------------------------------------------
Alexandra Diupina (1):
hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields
Inès Varhol (5):
hw/display : Add device DM163
hw/arm : Pass STM32L4x5 SYSCFG gpios to STM32L4x5 SoC
hw/arm : Create Bl475eMachineState
hw/arm : Connect DM163 to B-L475E-IOT01A
tests/qtest : Add testcase for DM163
Peter Maydell (10):
docs/system/arm/emulation.rst: Add missing implemented features
target/arm: Enable FEAT_CSV2_3 for -cpu max
target/arm: Enable FEAT_ETS2 for -cpu max
target/arm: Implement ID_AA64MMFR3_EL1
target/arm: Enable FEAT_Spec_FPACC for -cpu max
tests/avocado: update sunxi kernel from armbian to 6.6.16
target/arm: Refactor default generic timer frequency handling
hw/arm/sbsa-ref: Force CPU generic timer to 62.5MHz
hw/watchdog/sbsa_gwdt: Make watchdog timer frequency a QOM property
target/arm: Default to 1GHz cntfrq for 'max' and new CPUs
Philippe Mathieu-Daudé (1):
hw/arm/npcm7xx: Store derivative OTP fuse key in little endian
Raphael Poggi (1):
hw/core/clock: allow clock_propagate on child clocks
Richard Henderson (1):
target/arm: Restrict translation disabled alignment check to VMSA
Thomas Huth (1):
hw/char/stm32l4x5_usart: Fix memory corruption by adding correct class_size
Zenghui Yu (1):
hvf: arm: Remove PL1_WRITE_MASK
docs/system/arm/b-l475e-iot01a.rst | 3 +-
docs/system/arm/emulation.rst | 42 ++++-
include/hw/display/dm163.h | 59 ++++++
include/hw/watchdog/sbsa_gwdt.h | 3 +-
target/arm/cpu.h | 28 +++
target/arm/internals.h | 15 +-
hw/arm/b-l475e-iot01a.c | 105 +++++++++--
hw/arm/npcm7xx.c | 3 +-
hw/arm/sbsa-ref.c | 16 ++
hw/arm/stm32l4x5_soc.c | 6 +-
hw/char/stm32l4x5_usart.c | 1 +
hw/core/clock.c | 1 -
hw/core/machine.c | 4 +-
hw/display/dm163.c | 349 ++++++++++++++++++++++++++++++++++++
hw/dma/xlnx_dpdma.c | 20 +--
hw/watchdog/sbsa_gwdt.c | 15 +-
target/arm/cpu.c | 42 +++--
target/arm/cpu64.c | 2 +
target/arm/helper.c | 22 +--
target/arm/hvf/hvf.c | 3 +-
target/arm/kvm.c | 2 +
target/arm/tcg/cpu32.c | 6 +-
target/arm/tcg/cpu64.c | 28 ++-
target/arm/tcg/hflags.c | 12 +-
tests/qtest/dm163-test.c | 194 ++++++++++++++++++++
tests/qtest/stm32l4x5_gpio-test.c | 13 +-
tests/qtest/stm32l4x5_syscfg-test.c | 17 +-
hw/arm/Kconfig | 1 +
hw/display/Kconfig | 3 +
hw/display/meson.build | 1 +
hw/display/trace-events | 14 ++
tests/avocado/boot_linux_console.py | 70 ++++----
tests/avocado/replay_kernel.py | 8 +-
tests/qtest/meson.build | 2 +
34 files changed, 987 insertions(+), 123 deletions(-)
create mode 100644 include/hw/display/dm163.h
create mode 100644 hw/display/dm163.c
create mode 100644 tests/qtest/dm163-test.c
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2024-04-30 16:48 Peter Maydell
@ 2024-04-30 23:01 ` Richard Henderson
0 siblings, 0 replies; 45+ messages in thread
From: Richard Henderson @ 2024-04-30 23:01 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
On 4/30/24 09:48, Peter Maydell wrote:
> Here's another arm pullreq; nothing too exciting in here I think.
>
> thanks
> -- PMM
>
> The following changes since commit 5fee33d97a7f2e95716417bd164f2f5264acd976:
>
> Merge tag 'samuel-thibault' of https://people.debian.org/~sthibault/qemu into staging (2024-04-29 14:34:25 -0700)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240430
>
> for you to fetch changes up to a0c325c4b05cf7815739d6a84e567b95c8c5be7e:
>
> tests/qtest : Add testcase for DM163 (2024-04-30 16:05:08 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
> * hw/core/clock: allow clock_propagate on child clocks
> * hvf: arm: Remove unused PL1_WRITE_MASK define
> * target/arm: Restrict translation disabled alignment check to VMSA
> * docs/system/arm/emulation.rst: Add missing implemented features
> * target/arm: Enable FEAT_CSV2_3, FEAT_ETS2, FEAT_Spec_FPACC for 'max'
> * tests/avocado: update sunxi kernel from armbian to 6.6.16
> * target/arm: Make new CPUs default to 1GHz generic timer
> * hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields
> * hw/char/stm32l4x5_usart: Fix memory corruption by adding correct class_size
> * hw/arm/npcm7xx: Store derivative OTP fuse key in little endian
> * hw/arm: Add DM163 display to B-L475E-IOT01A board
Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.
r~
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2024-01-16 15:12 Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2024-01-16 15:12 UTC (permalink / raw)
To: qemu-devel
The following changes since commit 977542ded7e6b28d2bc077bcda24568c716e393c:
Merge tag 'pull-testing-updates-120124-2' of https://gitlab.com/stsquad/qemu into staging (2024-01-12 14:02:53 +0000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240116
for you to fetch changes up to 7ec39730a9cc443c752d4cad2bf1c00467551ef5:
load_elf: fix iterator's type for elf file processing (2024-01-15 17:14:22 +0000)
----------------------------------------------------------------
target-arm queue:
* docs/devel/docs: Document .hx file syntax
* arm_pamax() no longer needs to do feature propagation
* docs/system/arm/virt.rst: Improve 'highmem' option docs
* STM32L4x5 Implement SYSCFG and EXTI devices
* Nuvoton: Implement PCI Mailbox module
* Nuvoton: Implement GMAC module
* hw/timer: fix systick trace message
* hw/arm/virt: Consolidate valid CPU types
* load_elf: fix iterator's type for elf file processing
----------------------------------------------------------------
Anastasia Belova (1):
load_elf: fix iterator's type for elf file processing
Gavin Shan (1):
hw/arm/virt: Consolidate valid CPU types
Hao Wu (3):
hw/misc: Add Nuvoton's PCI Mailbox Module
hw/misc: Add qtest for NPCM7xx PCI Mailbox
hw/arm: Add GMAC devices to NPCM7XX SoC
Inès Varhol (6):
hw/misc: Implement STM32L4x5 EXTI
hw/arm: Connect STM32L4x5 EXTI to STM32L4x5 SoC
tests/qtest: Add STM32L4x5 EXTI QTest testcase
hw/misc: Implement STM32L4x5 SYSCFG
hw/arm: Connect STM32L4x5 SYSCFG to STM32L4x5 SoC
tests/qtest: Add STM32L4x5 SYSCFG QTest testcase
Nabih Estefan Diaz (4):
tests/qtest: Creating qtest for GMAC Module
hw/net: GMAC Rx Implementation
hw/net: GMAC Tx Implementation
tests/qtest: Adding PCS Module test to GMAC Qtest
Peter Maydell (5):
docs/devel/docs: Document .hx file syntax
target/arm: arm_pamax() no longer needs to do feature propagation
docs/system/arm/virt.rst: Improve 'highmem' option docs
hw/arm: Add PCI mailbox module to Nuvoton SoC
hw/net: Add NPCMXXX GMAC device
Samuel Tardieu (1):
hw/timer: fix systick trace message
MAINTAINERS | 1 +
docs/devel/docs.rst | 60 +++
docs/devel/index-build.rst | 1 +
docs/system/arm/b-l475e-iot01a.rst | 7 +-
docs/system/arm/nuvoton.rst | 2 +
docs/system/arm/virt.rst | 8 +-
include/hw/arm/npcm7xx.h | 4 +
include/hw/arm/stm32l4x5_soc.h | 5 +
include/hw/elf_ops.h | 2 +-
include/hw/misc/npcm7xx_pci_mbox.h | 81 ++++
include/hw/misc/stm32l4x5_exti.h | 51 ++
include/hw/misc/stm32l4x5_syscfg.h | 54 +++
include/hw/net/npcm_gmac.h | 340 +++++++++++++
hw/arm/npcm7xx.c | 53 +-
hw/arm/stm32l4x5_soc.c | 73 ++-
hw/arm/virt.c | 8 +-
hw/misc/npcm7xx_pci_mbox.c | 324 +++++++++++++
hw/misc/stm32l4x5_exti.c | 290 +++++++++++
hw/misc/stm32l4x5_syscfg.c | 266 ++++++++++
hw/net/npcm_gmac.c | 939 ++++++++++++++++++++++++++++++++++++
target/arm/ptw.c | 14 +-
tests/qtest/npcm7xx_pci_mbox-test.c | 238 +++++++++
tests/qtest/npcm_gmac-test.c | 341 +++++++++++++
tests/qtest/stm32l4x5_exti-test.c | 524 ++++++++++++++++++++
tests/qtest/stm32l4x5_syscfg-test.c | 331 +++++++++++++
hmp-commands-info.hx | 10 +-
hmp-commands.hx | 10 +-
hw/arm/Kconfig | 2 +
hw/misc/Kconfig | 6 +
hw/misc/meson.build | 3 +
hw/misc/trace-events | 16 +
hw/net/meson.build | 2 +-
hw/net/trace-events | 19 +
hw/timer/trace-events | 2 +-
qemu-img-cmds.hx | 2 +
qemu-options.hx | 2 +
tests/qtest/meson.build | 8 +
37 files changed, 4066 insertions(+), 33 deletions(-)
create mode 100644 docs/devel/docs.rst
create mode 100644 include/hw/misc/npcm7xx_pci_mbox.h
create mode 100644 include/hw/misc/stm32l4x5_exti.h
create mode 100644 include/hw/misc/stm32l4x5_syscfg.h
create mode 100644 include/hw/net/npcm_gmac.h
create mode 100644 hw/misc/npcm7xx_pci_mbox.c
create mode 100644 hw/misc/stm32l4x5_exti.c
create mode 100644 hw/misc/stm32l4x5_syscfg.c
create mode 100644 hw/net/npcm_gmac.c
create mode 100644 tests/qtest/npcm7xx_pci_mbox-test.c
create mode 100644 tests/qtest/npcm_gmac-test.c
create mode 100644 tests/qtest/stm32l4x5_exti-test.c
create mode 100644 tests/qtest/stm32l4x5_syscfg-test.c
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2023-05-30 13:25 Peter Maydell
2023-05-30 14:13 ` Richard Henderson
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2023-05-30 13:25 UTC (permalink / raw)
To: qemu-devel
Hi; here's the latest batch of arm changes. The big thing
in here is the SMMUv3 changes to add stage-2 translation support.
thanks
-- PMM
The following changes since commit aa9bbd865502ed517624ab6fe7d4b5d89ca95e43:
Merge tag 'pull-ppc-20230528' of https://gitlab.com/danielhb/qemu into staging (2023-05-29 14:31:52 -0700)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230530
for you to fetch changes up to b03d0d4f531a8b867e0aac1fab0b876903015680:
docs: sbsa: correct graphics card name (2023-05-30 13:32:46 +0100)
----------------------------------------------------------------
target-arm queue:
* fsl-imx6: Add SNVS support for i.MX6 boards
* smmuv3: Add support for stage 2 translations
* hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop
* hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
* cleanups for recent Kconfig changes
* target/arm: Explicitly select short-format FSR for M-profile
* tests/qtest: Run arm-specific tests only if the required machine is available
* hw/arm/sbsa-ref: add GIC node into DT
* docs: sbsa: correct graphics card name
* Update copyright dates to 2023
----------------------------------------------------------------
Clément Chigot (1):
hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
Enze Li (1):
Update copyright dates to 2023
Fabiano Rosas (3):
target/arm: Explain why we need to select ARM_V7M
arm/Kconfig: Keep Kconfig default entries in default.mak as documentation
arm/Kconfig: Make TCG dependence explicit
Marcin Juszkiewicz (2):
hw/arm/sbsa-ref: add GIC node into DT
docs: sbsa: correct graphics card name
Mostafa Saleh (10):
hw/arm/smmuv3: Add missing fields for IDR0
hw/arm/smmuv3: Update translation config to hold stage-2
hw/arm/smmuv3: Refactor stage-1 PTW
hw/arm/smmuv3: Add page table walk for stage-2
hw/arm/smmuv3: Parse STE config for stage-2
hw/arm/smmuv3: Make TLB lookup work for stage-2
hw/arm/smmuv3: Add VMID to TLB tagging
hw/arm/smmuv3: Add CMDs related to stage-2
hw/arm/smmuv3: Add stage-2 support in iova notifier
hw/arm/smmuv3: Add knob to choose translation stage and enable stage-2
Peter Maydell (1):
target/arm: Explicitly select short-format FSR for M-profile
Thomas Huth (1):
tests/qtest: Run arm-specific tests only if the required machine is available
Tommy Wu (1):
hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop.
Vitaly Cheptsov (1):
fsl-imx6: Add SNVS support for i.MX6 boards
docs/conf.py | 2 +-
docs/system/arm/sbsa.rst | 2 +-
configs/devices/aarch64-softmmu/default.mak | 6 +
configs/devices/arm-softmmu/default.mak | 40 ++++
hw/arm/smmu-internal.h | 37 +++
hw/arm/smmuv3-internal.h | 12 +-
include/hw/arm/fsl-imx6.h | 2 +
include/hw/arm/smmu-common.h | 45 +++-
include/hw/arm/smmuv3.h | 4 +
include/qemu/help-texts.h | 2 +-
hw/arm/fsl-imx6.c | 8 +
hw/arm/sbsa-ref.c | 19 +-
hw/arm/smmu-common.c | 209 ++++++++++++++--
hw/arm/smmuv3.c | 357 ++++++++++++++++++++++++----
hw/arm/xlnx-zynqmp.c | 2 +-
hw/dma/xilinx_axidma.c | 11 +-
target/arm/tcg/tlb_helper.c | 13 +-
hw/arm/Kconfig | 123 ++++++----
hw/arm/trace-events | 14 +-
target/arm/Kconfig | 3 +
tests/qtest/meson.build | 7 +-
21 files changed, 773 insertions(+), 145 deletions(-)
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2023-05-30 13:25 Peter Maydell
@ 2023-05-30 14:13 ` Richard Henderson
0 siblings, 0 replies; 45+ messages in thread
From: Richard Henderson @ 2023-05-30 14:13 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
On 5/30/23 06:25, Peter Maydell wrote:
> Hi; here's the latest batch of arm changes. The big thing
> in here is the SMMUv3 changes to add stage-2 translation support.
>
> thanks
> -- PMM
>
> The following changes since commit aa9bbd865502ed517624ab6fe7d4b5d89ca95e43:
>
> Merge tag 'pull-ppc-20230528' of https://gitlab.com/danielhb/qemu into staging (2023-05-29 14:31:52 -0700)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230530
>
> for you to fetch changes up to b03d0d4f531a8b867e0aac1fab0b876903015680:
>
> docs: sbsa: correct graphics card name (2023-05-30 13:32:46 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
> * fsl-imx6: Add SNVS support for i.MX6 boards
> * smmuv3: Add support for stage 2 translations
> * hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop
> * hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
> * cleanups for recent Kconfig changes
> * target/arm: Explicitly select short-format FSR for M-profile
> * tests/qtest: Run arm-specific tests only if the required machine is available
> * hw/arm/sbsa-ref: add GIC node into DT
> * docs: sbsa: correct graphics card name
> * Update copyright dates to 2023
Printf failure on aarch64-macos and cross-mipsel:
https://gitlab.com/qemu-project/qemu/-/jobs/4374716505#L3662
https://gitlab.com/qemu-project/qemu/-/jobs/4374716612#L4963
../hw/arm/smmuv3.c:423:23: error: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long') [-Werror,-Wformat]
cfg->s2cfg.vttb, cfg->s2cfg.eff_ps);
^~~~~~~~~~~~~~~
/private/var/folders/76/zy5ktkns50v6gt5g8r0sf6sc0000gn/T/cirrus-ci-build/include/qemu/log.h:54:30: note: expanded from macro 'qemu_log_mask'
qemu_log(FMT, ## __VA_ARGS__); \
~~~ ^~~~~~~~~~~
r~
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2023-04-20 10:04 Peter Maydell
2023-04-21 10:49 ` Richard Henderson
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2023-04-20 10:04 UTC (permalink / raw)
To: qemu-devel
Hi; here's the first target-arm pullreq for the 8.1 cycle.
Nothing particularly huge in here, just the various things
that had accumulated during the freeze.
thanks
-- PMM
The following changes since commit 2d82c32b2ceaca3dc3da5e36e10976f34bfcb598:
Open 8.1 development tree (2023-04-20 10:05:25 +0100)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230420
for you to fetch changes up to 1ed1f338520cda0574b7e04f5e8e85e049740548:
arm/mcimx7d-sabre: Set fec2-phy-connected property to false (2023-04-20 10:46:43 +0100)
----------------------------------------------------------------
target-arm queue:
* hw/arm: Fix some typos in comments (most found by codespell)
* exynos: Fix out-of-bounds access in exynos4210_gcomp_find debug printf
* Orangepi-PC, Cubieboard: add Allwinner WDT watchdog emulation
* tests/avocado: Add reboot tests to Cubieboard
* hw/timer/imx_epit: Fix bugs in timer limit checking
* target/arm: Remove KVM AArch32 CPU definitions
* hw/arm/virt: Restrict Cortex-A7 check to TCG
* target/arm: Initialize debug capabilities only once
* target/arm: Implement FEAT_PAN3
* docs/devel/kconfig.rst: Fix incorrect markup
* target/arm: Report pauth information to gdb as 'pauth_v2'
* mcimxd7-sabre, mcimx6ul-evk: Correctly model the way the PHY
on the second ethernet device must be configured via the
first one
----------------------------------------------------------------
Akihiko Odaki (1):
target/arm: Initialize debug capabilities only once
Axel Heider (2):
hw/timer/imx_epit: don't shadow variable
hw/timer/imx_epit: fix limit check
Feng Jiang (1):
exynos: Fix out-of-bounds access in exynos4210_gcomp_find debug printf
Guenter Roeck (5):
hw/net/imx_fec: Support two Ethernet interfaces connected to single MDIO bus
fsl-imx6ul: Add fec[12]-phy-connected properties
arm/mcimx6ul-evk: Set fec1-phy-connected property to false
fsl-imx7: Add fec[12]-phy-connected properties
arm/mcimx7d-sabre: Set fec2-phy-connected property to false
Peter Maydell (5):
target/arm: Pass ARMMMUFaultInfo to merge_syn_data_abort()
target/arm: Don't set ISV when reporting stage 1 faults in ESR_EL2
target/arm: Implement FEAT_PAN3
docs/devel/kconfig.rst: Fix incorrect markup
target/arm: Report pauth information to gdb as 'pauth_v2'
Philippe Mathieu-Daudé (2):
target/arm: Remove KVM AArch32 CPU definitions
hw/arm/virt: Restrict Cortex-A7 check to TCG
Stefan Weil (1):
hw/arm: Fix some typos in comments (most found by codespell)
Strahinja Jankovic (4):
hw/watchdog: Allwinner WDT emulation for system reset
hw/arm: Add WDT to Allwinner-A10 and Cubieboard
hw/arm: Add WDT to Allwinner-H3 and Orangepi-PC
tests/avocado: Add reboot tests to Cubieboard
docs/devel/kconfig.rst | 2 +-
docs/system/arm/cubieboard.rst | 1 +
docs/system/arm/emulation.rst | 1 +
docs/system/arm/orangepi.rst | 1 +
include/hw/arm/allwinner-a10.h | 2 +
include/hw/arm/allwinner-h3.h | 5 +-
include/hw/arm/fsl-imx6ul.h | 1 +
include/hw/arm/fsl-imx7.h | 1 +
include/hw/net/imx_fec.h | 2 +
include/hw/watchdog/allwinner-wdt.h | 123 +++++++++++
target/arm/cpu.h | 5 +
target/arm/kvm-consts.h | 9 +-
target/arm/kvm_arm.h | 8 +
hw/arm/allwinner-a10.c | 7 +
hw/arm/allwinner-h3.c | 8 +
hw/arm/exynos4210.c | 4 +-
hw/arm/fsl-imx6ul.c | 20 ++
hw/arm/fsl-imx7.c | 20 ++
hw/arm/mcimx6ul-evk.c | 2 +
hw/arm/mcimx7d-sabre.c | 2 +
hw/arm/musicpal.c | 2 +-
hw/arm/omap1.c | 2 +-
hw/arm/omap2.c | 2 +-
hw/arm/virt-acpi-build.c | 2 +-
hw/arm/virt.c | 4 +-
hw/arm/xlnx-versal-virt.c | 2 +-
hw/net/imx_fec.c | 27 ++-
hw/timer/exynos4210_mct.c | 13 +-
hw/timer/imx_epit.c | 2 +-
hw/watchdog/allwinner-wdt.c | 416 ++++++++++++++++++++++++++++++++++++
target/arm/cpu64.c | 2 +-
target/arm/cpu_tcg.c | 2 -
target/arm/gdbstub.c | 9 +-
target/arm/kvm.c | 2 +
target/arm/kvm64.c | 18 +-
target/arm/ptw.c | 14 +-
target/arm/tcg/tlb_helper.c | 26 ++-
gdb-xml/aarch64-pauth.xml | 2 +-
hw/arm/Kconfig | 4 +-
hw/watchdog/Kconfig | 4 +
hw/watchdog/meson.build | 1 +
hw/watchdog/trace-events | 7 +
tests/avocado/boot_linux_console.py | 15 +-
43 files changed, 738 insertions(+), 64 deletions(-)
create mode 100644 include/hw/watchdog/allwinner-wdt.h
create mode 100644 hw/watchdog/allwinner-wdt.c
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2023-04-20 10:04 Peter Maydell
@ 2023-04-21 10:49 ` Richard Henderson
2023-04-21 11:54 ` Peter Maydell
0 siblings, 1 reply; 45+ messages in thread
From: Richard Henderson @ 2023-04-21 10:49 UTC (permalink / raw)
To: Peter Maydell, qemu-devel
On 4/20/23 11:04, Peter Maydell wrote:
> Hi; here's the first target-arm pullreq for the 8.1 cycle.
> Nothing particularly huge in here, just the various things
> that had accumulated during the freeze.
>
> thanks
> -- PMM
>
> The following changes since commit 2d82c32b2ceaca3dc3da5e36e10976f34bfcb598:
>
> Open 8.1 development tree (2023-04-20 10:05:25 +0100)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230420
>
> for you to fetch changes up to 1ed1f338520cda0574b7e04f5e8e85e049740548:
>
> arm/mcimx7d-sabre: Set fec2-phy-connected property to false (2023-04-20 10:46:43 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
> * hw/arm: Fix some typos in comments (most found by codespell)
> * exynos: Fix out-of-bounds access in exynos4210_gcomp_find debug printf
> * Orangepi-PC, Cubieboard: add Allwinner WDT watchdog emulation
> * tests/avocado: Add reboot tests to Cubieboard
> * hw/timer/imx_epit: Fix bugs in timer limit checking
> * target/arm: Remove KVM AArch32 CPU definitions
> * hw/arm/virt: Restrict Cortex-A7 check to TCG
> * target/arm: Initialize debug capabilities only once
> * target/arm: Implement FEAT_PAN3
> * docs/devel/kconfig.rst: Fix incorrect markup
> * target/arm: Report pauth information to gdb as 'pauth_v2'
> * mcimxd7-sabre, mcimx6ul-evk: Correctly model the way the PHY
> on the second ethernet device must be configured via the
> first one
Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/7.1 as appropriate.
r~
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2023-04-21 10:49 ` Richard Henderson
@ 2023-04-21 11:54 ` Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2023-04-21 11:54 UTC (permalink / raw)
To: Richard Henderson; +Cc: qemu-devel
On Fri, 21 Apr 2023 at 11:49, Richard Henderson <richard.henderson@linaro.org> wrote:
> Applied, thanks. Please update https://wiki.qemu.org/ChangeLog/7.1 as appropriate.
8.1 :-) (I created the 8.1 page yesterday.)
-- PMM
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2023-03-06 15:34 Peter Maydell
2023-03-07 12:42 ` Peter Maydell
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2023-03-06 15:34 UTC (permalink / raw)
To: qemu-devel
The following changes since commit f003dd8d81f7d88f4b1f8802309eaa76f6eb223a:
Merge tag 'pull-tcg-20230305' of https://gitlab.com/rth7680/qemu into staging (2023-03-06 10:20:04 +0000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230306
for you to fetch changes up to 2ddc45954f97cd1d7ee5cbca0def05e980d1da9f:
hw: arm: allwinner-h3: Fix and complete H3 i2c devices (2023-03-06 15:31:24 +0000)
----------------------------------------------------------------
target-arm queue:
* allwinner-h3: Fix I2C controller model for Sun6i SoCs
* allwinner-h3: Add missing i2c controllers
* Expose M-profile system registers to gdbstub
* Expose pauth information to gdbstub
* Support direct boot for Linux/arm64 EFI zboot images
* Fix incorrect stage 2 MMU setup validation
----------------------------------------------------------------
Ard Biesheuvel (1):
hw: arm: Support direct boot for Linux/arm64 EFI zboot images
David Reiss (2):
target/arm: Export arm_v7m_mrs_control
target/arm: Export arm_v7m_get_sp_ptr
Richard Henderson (16):
target/arm: Normalize aarch64 gdbstub get/set function names
target/arm: Unexport arm_gen_dynamic_sysreg_xml
target/arm: Move arm_gen_dynamic_svereg_xml to gdbstub64.c
target/arm: Split out output_vector_union_type
target/arm: Simplify register counting in arm_gen_dynamic_svereg_xml
target/arm: Hoist pred_width in arm_gen_dynamic_svereg_xml
target/arm: Fix svep width in arm_gen_dynamic_svereg_xml
target/arm: Add name argument to output_vector_union_type
target/arm: Simplify iteration over bit widths
target/arm: Create pauth_ptr_mask
target/arm: Implement gdbstub pauth extension
target/arm: Implement gdbstub m-profile systemreg and secext
target/arm: Handle m-profile in arm_is_secure
target/arm: Stub arm_hcr_el2_eff for m-profile
target/arm: Diagnose incorrect usage of arm_is_secure subroutines
target/arm: Rewrite check_s2_mmu_setup
qianfan Zhao (2):
hw: allwinner-i2c: Fix TWI_CNTR_INT_FLAG on SUN6i SoCs
hw: arm: allwinner-h3: Fix and complete H3 i2c devices
configs/targets/aarch64-linux-user.mak | 2 +-
configs/targets/aarch64-softmmu.mak | 2 +-
configs/targets/aarch64_be-linux-user.mak | 2 +-
include/hw/arm/allwinner-h3.h | 6 +
include/hw/i2c/allwinner-i2c.h | 6 +
include/hw/loader.h | 19 ++
target/arm/cpu.h | 17 +-
target/arm/internals.h | 34 +++-
hw/arm/allwinner-h3.c | 29 +++-
hw/arm/boot.c | 6 +
hw/core/loader.c | 91 ++++++++++
hw/i2c/allwinner-i2c.c | 26 ++-
target/arm/gdbstub.c | 278 ++++++++++++++++++------------
target/arm/gdbstub64.c | 175 ++++++++++++++++++-
target/arm/helper.c | 3 +
target/arm/ptw.c | 173 +++++++++++--------
target/arm/tcg/m_helper.c | 90 +++++-----
target/arm/tcg/pauth_helper.c | 26 ++-
gdb-xml/aarch64-pauth.xml | 15 ++
19 files changed, 742 insertions(+), 258 deletions(-)
create mode 100644 gdb-xml/aarch64-pauth.xml
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2023-03-06 15:34 Peter Maydell
@ 2023-03-07 12:42 ` Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2023-03-07 12:42 UTC (permalink / raw)
To: qemu-devel
On Mon, 6 Mar 2023 at 15:34, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> The following changes since commit f003dd8d81f7d88f4b1f8802309eaa76f6eb223a:
>
> Merge tag 'pull-tcg-20230305' of https://gitlab.com/rth7680/qemu into staging (2023-03-06 10:20:04 +0000)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230306
>
> for you to fetch changes up to 2ddc45954f97cd1d7ee5cbca0def05e980d1da9f:
>
> hw: arm: allwinner-h3: Fix and complete H3 i2c devices (2023-03-06 15:31:24 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
> * allwinner-h3: Fix I2C controller model for Sun6i SoCs
> * allwinner-h3: Add missing i2c controllers
> * Expose M-profile system registers to gdbstub
> * Expose pauth information to gdbstub
> * Support direct boot for Linux/arm64 EFI zboot images
> * Fix incorrect stage 2 MMU setup validation
>
> ----------------------------------------------------------------
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0 for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2022-03-18 13:22 Peter Maydell
2022-03-19 10:09 ` Peter Maydell
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2022-03-18 13:22 UTC (permalink / raw)
To: qemu-devel
Mostly straightforward bugfixes. The new Xilinx devices are
arguably 'new feature', but they're fixing a regression where
our changes to PSCI in commit 3f37979bf mean that EL3 guest
code now needs to talk to a proper emulated power-controller
device to turn on secondary CPUs; and it's not yet rc1 and
they only affect the Xilinx board, so it seems OK to me.
thanks
-- PMM
The following changes since commit 1d60bb4b14601e38ed17384277aa4c30c57925d3:
Merge tag 'pull-request-2022-03-15v2' of https://gitlab.com/thuth/qemu into staging (2022-03-16 10:43:58 +0000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220318
for you to fetch changes up to 79d54c9eac04c554e3c081589542f801ace71797:
util/osdep: Remove some early cruft (2022-03-18 11:32:13 +0000)
----------------------------------------------------------------
target-arm queue:
* Fix sve2 ldnt1 and stnt1
* Fix pauth_check_trap vs SEL2
* Fix handling of LPAE block descriptors
* hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
* hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
* nsis installer: List emulators in alphabetical order
* nsis installer: Suppress "ANSI targets are deprecated" warning
* nsis installer: Fix mouse-over descriptions for emulators
* hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
* Improve M-profile vector table access logging
* Xilinx ZynqMP: model CRF and APU control
* Fix compile issues on modern Solaris
----------------------------------------------------------------
Andrew Deason (3):
util/osdep: Avoid madvise proto on modern Solaris
hw/i386/acpi-build: Avoid 'sun' identifier
util/osdep: Remove some early cruft
Edgar E. Iglesias (6):
hw/arm/xlnx-zynqmp: Add an unimplemented SERDES area
target/arm: Make rvbar settable after realize
hw/misc: Add a model of the Xilinx ZynqMP CRF
hw/arm/xlnx-zynqmp: Connect the ZynqMP CRF
hw/misc: Add a model of the Xilinx ZynqMP APU Control
hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control
Eric Auger (2):
hw/intc: Rename CONFIG_ARM_GIC_TCG into CONFIG_ARM_GICV3_TCG
hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
Peter Maydell (8):
target/arm: Fix handling of LPAE block descriptors
hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
nsis installer: List emulators in alphabetical order
nsis installer: Suppress "ANSI targets are deprecated" warning
nsis installer: Fix mouse-over descriptions for emulators
target/arm: Log M-profile vector table accesses
target/arm: Log fault address for M-profile faults
Richard Henderson (2):
target/arm: Fix sve2 ldnt1 and stnt1
target/arm: Fix pauth_check_trap vs SEL2
meson.build | 23 ++-
include/hw/arm/xlnx-zynqmp.h | 4 +
include/hw/misc/xlnx-zynqmp-apu-ctrl.h | 93 ++++++++++++
include/hw/misc/xlnx-zynqmp-crf.h | 211 ++++++++++++++++++++++++++
include/qemu/osdep.h | 8 +
target/arm/cpu.h | 3 +-
target/arm/sve.decode | 5 +-
hw/arm/virt.c | 7 +-
hw/arm/xlnx-zynqmp.c | 46 +++++-
hw/dma/xlnx_csu_dma.c | 1 +
hw/i386/acpi-build.c | 4 +-
hw/misc/npcm7xx_clk.c | 4 +-
hw/misc/xlnx-zynqmp-apu-ctrl.c | 253 +++++++++++++++++++++++++++++++
hw/misc/xlnx-zynqmp-crf.c | 266 +++++++++++++++++++++++++++++++++
target/arm/cpu.c | 17 ++-
target/arm/helper.c | 20 ++-
target/arm/m_helper.c | 11 ++
target/arm/pauth_helper.c | 2 +-
target/arm/translate-sve.c | 51 ++++++-
tests/tcg/aarch64/test-826.c | 50 +++++++
util/osdep.c | 10 --
hw/intc/Kconfig | 2 +-
hw/intc/meson.build | 4 +-
hw/misc/meson.build | 2 +
qemu.nsi | 8 +-
scripts/nsis.py | 17 ++-
tests/tcg/aarch64/Makefile.target | 4 +
tests/tcg/configure.sh | 4 +
28 files changed, 1084 insertions(+), 46 deletions(-)
create mode 100644 include/hw/misc/xlnx-zynqmp-apu-ctrl.h
create mode 100644 include/hw/misc/xlnx-zynqmp-crf.h
create mode 100644 hw/misc/xlnx-zynqmp-apu-ctrl.c
create mode 100644 hw/misc/xlnx-zynqmp-crf.c
create mode 100644 tests/tcg/aarch64/test-826.c
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2022-03-18 13:22 Peter Maydell
@ 2022-03-19 10:09 ` Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2022-03-19 10:09 UTC (permalink / raw)
To: qemu-devel
On Fri, 18 Mar 2022 at 13:23, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Mostly straightforward bugfixes. The new Xilinx devices are
> arguably 'new feature', but they're fixing a regression where
> our changes to PSCI in commit 3f37979bf mean that EL3 guest
> code now needs to talk to a proper emulated power-controller
> device to turn on secondary CPUs; and it's not yet rc1 and
> they only affect the Xilinx board, so it seems OK to me.
>
> thanks
> -- PMM
>
> The following changes since commit 1d60bb4b14601e38ed17384277aa4c30c57925d3:
>
> Merge tag 'pull-request-2022-03-15v2' of https://gitlab.com/thuth/qemu into staging (2022-03-16 10:43:58 +0000)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220318
>
> for you to fetch changes up to 79d54c9eac04c554e3c081589542f801ace71797:
>
> util/osdep: Remove some early cruft (2022-03-18 11:32:13 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
> * Fix sve2 ldnt1 and stnt1
> * Fix pauth_check_trap vs SEL2
> * Fix handling of LPAE block descriptors
> * hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
> * hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
> * nsis installer: List emulators in alphabetical order
> * nsis installer: Suppress "ANSI targets are deprecated" warning
> * nsis installer: Fix mouse-over descriptions for emulators
> * hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
> * Improve M-profile vector table access logging
> * Xilinx ZynqMP: model CRF and APU control
> * Fix compile issues on modern Solaris
>
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/7.0 for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2021-08-02 11:57 Peter Maydell
2021-08-02 13:51 ` Peter Maydell
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2021-08-02 11:57 UTC (permalink / raw)
To: qemu-devel
A largish pullreq but it's almost all docs fixes.
-- PMM
The following changes since commit 10a3c4a4b3e14208cfed274514d1911e5230935f:
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-08-02 09:47:07 +0100)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210802
for you to fetch changes up to 4a64939db76b10d8d41d2af3c6aad8142da55450:
docs: Move user-facing barrier docs into system manual (2021-08-02 12:55:51 +0100)
----------------------------------------------------------------
target-arm queue:
* Add documentation of Arm 'mainstone', 'kzm', 'imx25-pdk' boards
* MAINTAINERS: Don't list Andrzej Zaborowski for various components
* docs: Remove stale TODO comments about license and version
* docs: Move licence/copyright from HTML output to rST comments
* docs: Format literal text correctly
* hw/arm/boot: Report error if there is no fw_cfg device in the machine
* docs: rSTify barrier.txt and bootindex.txt
----------------------------------------------------------------
Peter Maydell (21):
docs: Add documentation of Arm 'mainstone' board
docs: Add documentation of Arm 'kzm' board
docs: Add documentation of Arm 'imx25-pdk' board
MAINTAINERS: Don't list Andrzej Zaborowski for various components
docs: Remove stale TODO comments about license and version
docs: Move licence/copyright from HTML output to rST comments
docs/devel/build-system.rst: Format literals correctly
docs/devel/build-system.rst: Correct typo in example code
docs/devel/ebpf_rss.rst: Format literals correctly
docs/devel/migration.rst: Format literals correctly
docs/devel: Format literals correctly
docs/system/s390x/protvirt.rst: Format literals correctly
docs/system/arm/cpu-features.rst: Format literals correctly
docs: Format literals correctly
docs/about/removed-features: Fix markup error
docs/tools/virtiofsd.rst: Delete stray backtick
hw/arm/boot: Report error if there is no fw_cfg device in the machine
docs: Move bootindex.txt into system section and rstify
docs: Move the protocol part of barrier.txt into interop
ui/input-barrier: Move TODOs from barrier.txt to a comment
docs: Move user-facing barrier docs into system manual
docs/about/index.rst | 2 +-
docs/about/removed-features.rst | 2 +-
docs/barrier.txt | 370 -----------------------
docs/bootindex.txt | 52 ----
docs/devel/build-system.rst | 160 +++++-----
docs/devel/ebpf_rss.rst | 18 +-
docs/devel/migration.rst | 36 +--
docs/devel/qgraph.rst | 8 +-
docs/devel/tcg-plugins.rst | 14 +-
docs/devel/testing.rst | 8 +-
docs/interop/barrier.rst | 426 +++++++++++++++++++++++++++
docs/interop/index.rst | 1 +
docs/interop/live-block-operations.rst | 2 +-
docs/interop/qemu-ga-ref.rst | 9 -
docs/interop/qemu-qmp-ref.rst | 9 -
docs/interop/qemu-storage-daemon-qmp-ref.rst | 9 -
docs/interop/vhost-user-gpu.rst | 7 +-
docs/interop/vhost-user.rst | 12 +-
docs/system/arm/cpu-features.rst | 116 ++++----
docs/system/arm/imx25-pdk.rst | 19 ++
docs/system/arm/kzm.rst | 18 ++
docs/system/arm/mainstone.rst | 25 ++
docs/system/arm/nuvoton.rst | 2 +-
docs/system/arm/sbsa.rst | 4 +-
docs/system/arm/virt.rst | 2 +-
docs/system/barrier.rst | 44 +++
docs/system/bootindex.rst | 76 +++++
docs/system/cpu-hotplug.rst | 2 +-
docs/system/generic-loader.rst | 4 +-
docs/system/guest-loader.rst | 6 +-
docs/system/index.rst | 2 +
docs/system/ppc/powernv.rst | 8 +-
docs/system/riscv/microchip-icicle-kit.rst | 2 +-
docs/system/riscv/virt.rst | 2 +-
docs/system/s390x/protvirt.rst | 12 +-
docs/system/target-arm.rst | 3 +
docs/tools/virtiofsd.rst | 2 +-
hw/arm/boot.c | 9 +
hw/arm/sbsa-ref.c | 7 -
ui/input-barrier.c | 5 +
MAINTAINERS | 8 +-
41 files changed, 849 insertions(+), 674 deletions(-)
delete mode 100644 docs/barrier.txt
delete mode 100644 docs/bootindex.txt
create mode 100644 docs/interop/barrier.rst
create mode 100644 docs/system/arm/imx25-pdk.rst
create mode 100644 docs/system/arm/kzm.rst
create mode 100644 docs/system/arm/mainstone.rst
create mode 100644 docs/system/barrier.rst
create mode 100644 docs/system/bootindex.rst
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2021-08-02 11:57 Peter Maydell
@ 2021-08-02 13:51 ` Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2021-08-02 13:51 UTC (permalink / raw)
To: QEMU Developers
On Mon, 2 Aug 2021 at 12:58, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> A largish pullreq but it's almost all docs fixes.
>
> -- PMM
>
> The following changes since commit 10a3c4a4b3e14208cfed274514d1911e5230935f:
>
> Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-08-02 09:47:07 +0100)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210802
>
> for you to fetch changes up to 4a64939db76b10d8d41d2af3c6aad8142da55450:
>
> docs: Move user-facing barrier docs into system manual (2021-08-02 12:55:51 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
> * Add documentation of Arm 'mainstone', 'kzm', 'imx25-pdk' boards
> * MAINTAINERS: Don't list Andrzej Zaborowski for various components
> * docs: Remove stale TODO comments about license and version
> * docs: Move licence/copyright from HTML output to rST comments
> * docs: Format literal text correctly
> * hw/arm/boot: Report error if there is no fw_cfg device in the machine
> * docs: rSTify barrier.txt and bootindex.txt
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1 for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2021-02-02 17:54 Peter Maydell
2021-02-03 9:22 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 45+ messages in thread
From: Peter Maydell @ 2021-02-02 17:54 UTC (permalink / raw)
To: qemu-devel
Mostly just bug fixes. The important one here is
hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
which fixes a buffer overrun that's a security issue if you're running
KVM on Arm with kernel-irqchip=off (which hopefully nobody is doing in
a security context, because kernel-irqchip=on is the default and the
sensible choice for performance).
-- PMM
The following changes since commit cf7ca7d5b9faca13f1f8e3ea92cfb2f741eb0c0e:
Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging (2021-02-01 16:28:00 +0000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210202-1
for you to fetch changes up to 14657850c9cc10948551fbb884c30eb5a3a7370a:
hw/arm: Display CPU type in machine description (2021-02-02 17:53:44 +0000)
----------------------------------------------------------------
target-arm queue:
* hw/intc/arm_gic: Allow to use QTest without crashing
* hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
* hw/char/exynos4210_uart: Fix missing call to report ready for input
* hw/arm/smmuv3: Fix addr_mask for range-based invalidation
* hw/ssi/imx_spi: Fix various minor bugs
* hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
* hw/arm: Add missing Kconfig dependencies
* hw/arm: Display CPU type in machine description
----------------------------------------------------------------
Bin Meng (5):
hw/ssi: imx_spi: Use a macro for number of chip selects supported
hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset()
hw/ssi: imx_spi: Round up the burst length to be multiple of 8
hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic
hw/ssi: imx_spi: Correct tx and rx fifo endianness
Iris Johnson (2):
hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
hw/char/exynos4210_uart: Fix missing call to report ready for input
Philippe Mathieu-Daudé (12):
hw/intc/arm_gic: Allow to use QTest without crashing
hw/ssi: imx_spi: Remove pointless variable initialization
hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value
hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled
hw/ssi: imx_spi: Rework imx_spi_write() to handle block disabled
hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ
hw/arm/exynos4210: Add missing dependency on OR_IRQ
hw/arm/xlnx-versal: Versal SoC requires ZDMA
hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals
hw/net/can: ZynqMP CAN device requires PTIMER
hw/arm: Display CPU type in machine description
Xuzhou Cheng (1):
hw/ssi: imx_spi: Disable chip selects when controller is disabled
Zenghui Yu (1):
hw/arm/smmuv3: Fix addr_mask for range-based invalidation
include/hw/ssi/imx_spi.h | 5 +-
hw/arm/digic_boards.c | 2 +-
hw/arm/microbit.c | 2 +-
hw/arm/netduino2.c | 2 +-
hw/arm/netduinoplus2.c | 2 +-
hw/arm/orangepi.c | 2 +-
hw/arm/smmuv3.c | 4 +-
hw/arm/stellaris.c | 4 +-
hw/char/exynos4210_uart.c | 7 ++-
hw/intc/arm_gic.c | 5 +-
hw/ssi/imx_spi.c | 153 +++++++++++++++++++++++++++++-----------------
hw/Kconfig | 1 +
hw/arm/Kconfig | 5 ++
hw/dma/Kconfig | 3 +
hw/dma/meson.build | 2 +-
15 files changed, 130 insertions(+), 69 deletions(-)
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2021-02-02 17:54 Peter Maydell
@ 2021-02-03 9:22 ` Philippe Mathieu-Daudé
2021-02-03 10:12 ` P J P
0 siblings, 1 reply; 45+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-02-03 9:22 UTC (permalink / raw)
To: Peter Maydell, Prasad J Pandit; +Cc: Prasad J Pandit, qemu-devel
Hi Peter,
On 2/2/21 6:54 PM, Peter Maydell wrote:
> Mostly just bug fixes. The important one here is
> hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
> which fixes a buffer overrun that's a security issue if you're running
> KVM on Arm with kernel-irqchip=off (which hopefully nobody is doing in
> a security context, because kernel-irqchip=on is the default and the
> sensible choice for performance).
FYI Prasad mentioned a CVE was requested:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg778659.html
As you said it is an odd configuration, I am not sure it is worth
to wait for the CVE number to add it to the commit (which helps
downstream distributions tracking these).
[updating]
Just got detail from Prasad on IRC, it usually takes ~1 day to get
the CVE number assigned, so maybe worth postponing this until tomorrow.
Prasad, can you reply to this message ASAP once you get the number?
Thanks,
Phil.
> -- PMM
>
> The following changes since commit cf7ca7d5b9faca13f1f8e3ea92cfb2f741eb0c0e:
>
> Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging (2021-02-01 16:28:00 +0000)
>
> are available in the Git repository at:
>
> https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210202-1
>
> for you to fetch changes up to 14657850c9cc10948551fbb884c30eb5a3a7370a:
>
> hw/arm: Display CPU type in machine description (2021-02-02 17:53:44 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
> * hw/intc/arm_gic: Allow to use QTest without crashing
> * hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
> * hw/char/exynos4210_uart: Fix missing call to report ready for input
> * hw/arm/smmuv3: Fix addr_mask for range-based invalidation
> * hw/ssi/imx_spi: Fix various minor bugs
> * hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
> * hw/arm: Add missing Kconfig dependencies
> * hw/arm: Display CPU type in machine description
>
> ----------------------------------------------------------------
> Bin Meng (5):
> hw/ssi: imx_spi: Use a macro for number of chip selects supported
> hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset()
> hw/ssi: imx_spi: Round up the burst length to be multiple of 8
> hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic
> hw/ssi: imx_spi: Correct tx and rx fifo endianness
>
> Iris Johnson (2):
> hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
> hw/char/exynos4210_uart: Fix missing call to report ready for input
>
> Philippe Mathieu-Daudé (12):
> hw/intc/arm_gic: Allow to use QTest without crashing
> hw/ssi: imx_spi: Remove pointless variable initialization
> hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value
> hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled
> hw/ssi: imx_spi: Rework imx_spi_write() to handle block disabled
> hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
> hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ
> hw/arm/exynos4210: Add missing dependency on OR_IRQ
> hw/arm/xlnx-versal: Versal SoC requires ZDMA
> hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals
> hw/net/can: ZynqMP CAN device requires PTIMER
> hw/arm: Display CPU type in machine description
>
> Xuzhou Cheng (1):
> hw/ssi: imx_spi: Disable chip selects when controller is disabled
>
> Zenghui Yu (1):
> hw/arm/smmuv3: Fix addr_mask for range-based invalidation
>
> include/hw/ssi/imx_spi.h | 5 +-
> hw/arm/digic_boards.c | 2 +-
> hw/arm/microbit.c | 2 +-
> hw/arm/netduino2.c | 2 +-
> hw/arm/netduinoplus2.c | 2 +-
> hw/arm/orangepi.c | 2 +-
> hw/arm/smmuv3.c | 4 +-
> hw/arm/stellaris.c | 4 +-
> hw/char/exynos4210_uart.c | 7 ++-
> hw/intc/arm_gic.c | 5 +-
> hw/ssi/imx_spi.c | 153 +++++++++++++++++++++++++++++-----------------
> hw/Kconfig | 1 +
> hw/arm/Kconfig | 5 ++
> hw/dma/Kconfig | 3 +
> hw/dma/meson.build | 2 +-
> 15 files changed, 130 insertions(+), 69 deletions(-)
>
^ permalink raw reply [flat|nested] 45+ messages in thread
* Re: [PULL 00/21] target-arm queue
2021-02-03 9:22 ` Philippe Mathieu-Daudé
@ 2021-02-03 10:12 ` P J P
0 siblings, 0 replies; 45+ messages in thread
From: P J P @ 2021-02-03 10:12 UTC (permalink / raw)
To: Philippe Mathieu-Daudé; +Cc: Peter Maydell, qemu-devel
[-- Attachment #1: Type: text/plain, Size: 802 bytes --]
+-- On Wed, 3 Feb 2021, Philippe Mathieu-Daudé wrote --+
| FYI Prasad mentioned a CVE was requested:
| https://www.mail-archive.com/qemu-devel@nongnu.org/msg778659.html
|
| As you said it is an odd configuration, I am not sure it is worth
| to wait for the CVE number to add it to the commit (which helps
| downstream distributions tracking these).
|
| [updating]
|
| Just got detail from Prasad on IRC, it usually takes ~1 day to get
| the CVE number assigned, so maybe worth postponing this until tomorrow.
|
| Prasad, can you reply to this message ASAP once you get the number?
'CVE-2021-20221' assigned by Red Hat Inc.
-> https://bugs.launchpad.net/qemu/+bug/1914353/comments/3
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
^ permalink raw reply [flat|nested] 45+ messages in thread
* [PULL 00/21] target-arm queue
@ 2021-01-12 16:57 Peter Maydell
0 siblings, 0 replies; 45+ messages in thread
From: Peter Maydell @ 2021-01-12 16:57 UTC (permalink / raw)
To: qemu-devel
Arm queue; not huge but I figured I might as well send it out since
I've been doing code review today and there's no queue of unprocessed
pullreqs...
thanks
-- PMM
The following changes since commit b3f846c59d8405bb87c551187721fc92ff2f1b92:
Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2021-01-11v2' into staging (2021-01-11 15:15:35 +0000)
are available in the Git repository at:
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210112
for you to fetch changes up to 19d131395ccaf503db21dadd8257e6dc9fc1d7de:
ui/cocoa: Fix openFile: deprecation on Big Sur (2021-01-12 11:38:37 +0000)
----------------------------------------------------------------
target-arm queue:
* arm: Support emulation of ARMv8.4-TTST extension
* arm: Update cpu.h ID register field definitions
* arm: Fix breakage of XScale instruction emulation
* hw/net/lan9118: Fix RX Status FIFO PEEK value
* npcm7xx: Add ADC and PWM emulation
* ui/cocoa: Make "open docs" help menu entry work again when binary
is run from the build tree
* ui/cocoa: Fix openFile: deprecation on Big Sur
* docs: Add qemu-storage-daemon(1) manpage to meson.build
* docs: Build and install all the docs in a single manual
----------------------------------------------------------------
Hao Wu (6):
hw/misc: Add clock converter in NPCM7XX CLK module
hw/timer: Refactor NPCM7XX Timer to use CLK clock
hw/adc: Add an ADC module for NPCM7XX
hw/misc: Add a PWM module for NPCM7XX
hw/misc: Add QTest for NPCM7XX PWM Module
hw/*: Use type casting for SysBusDevice in NPCM7XX
Leif Lindholm (6):
target/arm: fix typo in cpu.h ID_AA64PFR1 field name
target/arm: make ARMCPU.clidr 64-bit
target/arm: make ARMCPU.ctr 64-bit
target/arm: add descriptions of CLIDR_EL1, CCSIDR_EL1, CTR_EL0 to cpu.h
target/arm: add aarch64 ID register fields to cpu.h
target/arm: add aarch32 ID register fields to cpu.h
Peter Maydell (5):
docs: Add qemu-storage-daemon(1) manpage to meson.build
docs: Build and install all the docs in a single manual
target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
hw/net/lan9118: Fix RX Status FIFO PEEK value
hw/net/lan9118: Add symbolic constants for register offsets
Roman Bolshakov (2):
ui/cocoa: Update path to docs in build tree
ui/cocoa: Fix openFile: deprecation on Big Sur
Rémi Denis-Courmont (2):
target/arm: ARMv8.4-TTST extension
target/arm: enable Small Translation tables in max CPU
docs/conf.py | 46 ++-
docs/devel/conf.py | 15 -
docs/index.html.in | 17 -
docs/interop/conf.py | 28 --
docs/meson.build | 65 ++--
docs/specs/conf.py | 16 -
docs/system/arm/nuvoton.rst | 4 +-
docs/system/conf.py | 28 --
docs/tools/conf.py | 37 --
docs/user/conf.py | 15 -
meson.build | 1 +
hw/adc/trace.h | 1 +
include/hw/adc/npcm7xx_adc.h | 69 ++++
include/hw/arm/npcm7xx.h | 4 +
include/hw/misc/npcm7xx_clk.h | 146 ++++++-
include/hw/misc/npcm7xx_pwm.h | 105 +++++
include/hw/timer/npcm7xx_timer.h | 1 +
target/arm/cpu.h | 85 ++++-
hw/adc/npcm7xx_adc.c | 301 +++++++++++++++
hw/arm/npcm7xx.c | 55 ++-
hw/arm/npcm7xx_boards.c | 2 +-
hw/mem/npcm7xx_mc.c | 2 +-
hw/misc/npcm7xx_clk.c | 807 ++++++++++++++++++++++++++++++++++++++-
hw/misc/npcm7xx_gcr.c | 2 +-
hw/misc/npcm7xx_pwm.c | 550 ++++++++++++++++++++++++++
hw/misc/npcm7xx_rng.c | 2 +-
hw/net/lan9118.c | 26 +-
hw/nvram/npcm7xx_otp.c | 2 +-
hw/ssi/npcm7xx_fiu.c | 2 +-
hw/timer/npcm7xx_timer.c | 39 +-
target/arm/cpu64.c | 1 +
target/arm/helper.c | 15 +-
target/arm/translate.c | 7 +
tests/qtest/npcm7xx_adc-test.c | 377 ++++++++++++++++++
tests/qtest/npcm7xx_pwm-test.c | 490 ++++++++++++++++++++++++
hw/adc/meson.build | 1 +
hw/adc/trace-events | 5 +
hw/misc/meson.build | 1 +
hw/misc/trace-events | 6 +
tests/qtest/meson.build | 4 +-
ui/cocoa.m | 7 +-
41 files changed, 3124 insertions(+), 263 deletions(-)
delete mode 100644 docs/devel/conf.py
delete mode 100644 docs/index.html.in
delete mode 100644 docs/interop/conf.py
delete mode 100644 docs/specs/conf.py
delete mode 100644 docs/system/conf.py
delete mode 100644 docs/tools/conf.py
delete mode 100644 docs/user/conf.py
create mode 100644 hw/adc/trace.h
create mode 100644 include/hw/adc/npcm7xx_adc.h
create mode 100644 include/hw/misc/npcm7xx_pwm.h
create mode 100644 hw/adc/npcm7xx_adc.c
create mode 100644 hw/misc/npcm7xx_pwm.c
create mode 100644 tests/qtest/npcm7xx_adc-test.c
create mode 100644 tests/qtest/npcm7xx_pwm-test.c
create mode 100644 hw/adc/trace-events