Series comparison

-[Qemu-devel] [PULL 0/5] target-arm queue
+[PULL 0/2] target-arm queue
-A last arm pullreq before rc0. This is mostly bug fixes,
+This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
-though you could call adding the missing local timer
+we were using uninitialized data for the guarded bit when
-support to bcm2836_control a new feature I suppose --
+combining stage 1 and stage 2 attrs.
 in any case it's a small and localised change.
 thanks
 -- PMM
-The following changes since commit 7074ab12c81a1b2b1e0e1c40983f56b2c5ccc494:
+The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:
-  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-03-14 16:19:37 +0000)
+  Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190315
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410
-for you to fetch changes up to 5de56742a3c91de3d646326bec43a989bba83ca4:
+for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:
-  target/arm: Check access permission to ADDVL/ADDPL/RDVL (2019-03-15 11:12:29 +0000)
+  target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm: Fix bug where we weren't initializing
- * Add missing SVE-enabled check to ADDVL/ADDPL/RDVL
+            guarded bit state when combining S1/S2 attrs
  * virt-acpi-build: use PCIE_MMCFG_BUS to retrieve end_bus_number
  * virt-acpi-build: Fix SMMUv3 GSIV values
  * Allow EL0 to write to arch timer registers, not just read them
  * bcm2836_control: Implement local timer
 ----------------------------------------------------------------
-Amir Charif (1):
+Richard Henderson (2):
-      target/arm: Check access permission to ADDVL/ADDPL/RDVL
+      target/arm: PTE bit GP only applies to stage1
       target/arm: Copy guarded bit in combine_cacheattrs
-Dongjiu Geng (1):
+ target/arm/ptw.c | 11 ++++++-----
-      target/arm: change arch timer registers access permission
+file changed, 6 insertions(+), 5 deletions(-)
 Eric Auger (1):
       hw/arm/virt-acpi-build: Fix SMMUv3 GSIV values
 Wei Yang (1):
       hw/arm/virt-acpi-build: use PCIE_MMCFG_BUS to retrieve end_bus_number
 Zoltán Baldaszti (1):
       hw/intc/bcm2836_control: Implement local timer
  include/hw/intc/bcm2836_control.h |   9 ++++
  hw/arm/virt-acpi-build.c          |   6 +--
  hw/intc/bcm2836_control.c         | 101 +++++++++++++++++++++++++++++++++++++-
  target/arm/helper.c               |  30 +++++------
  target/arm/translate-sve.c        |  22 ++++++---
 files changed, 140 insertions(+), 28 deletions(-)

-[Qemu-devel] [PULL 1/5] hw/intc/bcm2836_control: Implement local timer
+[PULL 1/2] target/arm: PTE bit GP only applies to stage1
-From: Zoltán Baldaszti <bztemail@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The BCM2836 control logic module includes a simple
+Only perform the extract of GP during the stage1 walk.
 "local timer" which is a programmable down-counter that
 can generates an interrupt. Implement this functionality.
-Signed-off-by: Zoltán Baldaszti <bztemail@gmail.com>
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: wrote commit message; wrapped long line; tweaked
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
  some comments to match the final version of the code]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/intc/bcm2836_control.h |   9 +++
+ target/arm/ptw.c | 10 +++++-----
- hw/intc/bcm2836_control.c         | 101 +++++++++++++++++++++++++++++-
+file changed, 5 insertions(+), 5 deletions(-)
 files changed, 108 insertions(+), 2 deletions(-)
-diff --git a/include/hw/intc/bcm2836_control.h b/include/hw/intc/bcm2836_control.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/intc/bcm2836_control.h
+--- a/target/arm/ptw.c
-+++ b/include/hw/intc/bcm2836_control.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
+         result->f.attrs.secure = false;
-  * Written by Andrew Baumann
+     }
-  *
-+ * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
+-    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
-+ * Added basic IRQ_TIMER interrupt support
+-    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-+ *
+-        result->f.guarded = extract64(attrs, 50, 1); /* GP */
-  * This code is licensed under the GNU GPLv2 and later.
+-    }
-  */
+-
+     if (regime_is_stage2(mmu_idx)) {
-@@ -XXX,XX +XXX,XX @@
+         result->cacheattrs.is_s2_format = true;
- #define BCM2836_CONTROL_H
+         result->cacheattrs.attrs = extract32(attrs, 2, 4);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
- #include "hw/sysbus.h"
+         assert(attrindx <= 7);
-+#include "qemu/timer.h"
+         result->cacheattrs.is_s2_format = false;
+         result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
  /* 4 mailboxes per core, for 16 total */
  #define BCM2836_NCORES 4
@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836ControlState {
      bool gpu_irq, gpu_fiq;
      uint8_t timerirqs[BCM2836_NCORES];
 +    /* local timer */
 +    QEMUTimer timer;
 +    uint32_t local_timer_control;
 +    uint8_t route_localtimer;
 +
-     /* interrupt source registers, post-routing (also input-derived; visible) */
++        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
-     uint32_t irqsrc[BCM2836_NCORES];
++        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-     uint32_t fiqsrc[BCM2836_NCORES];
++            result->f.guarded = extract64(attrs, 50, 1); /* GP */
-diff --git a/hw/intc/bcm2836_control.c b/hw/intc/bcm2836_control.c
++        }
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/bcm2836_control.c
 +++ b/hw/intc/bcm2836_control.c
@@ -XXX,XX +XXX,XX @@
   * This code is licensed under the GNU GPLv2 and later.
   *
   * At present, only implements interrupt routing, and mailboxes (i.e.,
 - * not local timer, PMU interrupt, or AXI counters).
 + * not PMU interrupt, or AXI counters).
 + *
 + * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
   *
   * Ref:
   * https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf
@@ -XXX,XX +XXX,XX @@
  #include "qemu/log.h"
  #define REG_GPU_ROUTE           0x0c
 +#define REG_LOCALTIMERROUTING   0x24
 +#define REG_LOCALTIMERCONTROL   0x34
 +#define REG_LOCALTIMERACK       0x38
  #define REG_TIMERCONTROL        0x40
  #define REG_MBOXCONTROL         0x50
  #define REG_IRQSRC              0x60
@@ -XXX,XX +XXX,XX @@
  #define IRQ_TIMER       11
  #define IRQ_MAX         IRQ_TIMER
 +#define LOCALTIMER_FREQ      38400000
 +#define LOCALTIMER_INTFLAG   (1 << 31)
 +#define LOCALTIMER_RELOAD    (1 << 30)
 +#define LOCALTIMER_INTENABLE (1 << 29)
 +#define LOCALTIMER_ENABLE    (1 << 28)
 +#define LOCALTIMER_VALUE(x)  ((x) & 0xfffffff)
 +
  static void deliver_local(BCM2836ControlState *s, uint8_t core, uint8_t irq,
                            uint32_t controlreg, uint8_t controlidx)
  {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_update(BCM2836ControlState *s)
          s->fiqsrc[s->route_gpu_fiq] |= (uint32_t)1 << IRQ_GPU;
      }
-+    /*
+     /*
 +     * handle the control module 'local timer' interrupt for one of the
 +     * cores' IRQ/FIQ;  this is distinct from the per-CPU timer
 +     * interrupts handled below.
 +     */
 +    if ((s->local_timer_control & LOCALTIMER_INTENABLE) &&
 +        (s->local_timer_control & LOCALTIMER_INTFLAG)) {
 +        if (s->route_localtimer & 4) {
 +            s->fiqsrc[(s->route_localtimer & 3)] |= (uint32_t)1 << IRQ_TIMER;
 +        } else {
 +            s->irqsrc[(s->route_localtimer & 3)] |= (uint32_t)1 << IRQ_TIMER;
 +        }
 +    }
 +
      for (i = 0; i < BCM2836_NCORES; i++) {
          /* handle local timer interrupts for this core */
          if (s->timerirqs[i]) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_set_gpu_fiq(void *opaque, int irq, int level)
      bcm2836_control_update(s);
  }
 +static void bcm2836_control_local_timer_set_next(void *opaque)
 +{
 +    BCM2836ControlState *s = opaque;
 +    uint64_t next_event;
 +
 +    assert(LOCALTIMER_VALUE(s->local_timer_control) > 0);
 +
 +    next_event = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
 +        muldiv64(LOCALTIMER_VALUE(s->local_timer_control),
 +            NANOSECONDS_PER_SECOND, LOCALTIMER_FREQ);
 +    timer_mod(&s->timer, next_event);
 +}
 +
 +static void bcm2836_control_local_timer_tick(void *opaque)
 +{
 +    BCM2836ControlState *s = opaque;
 +
 +    bcm2836_control_local_timer_set_next(s);
 +
 +    s->local_timer_control |= LOCALTIMER_INTFLAG;
 +    bcm2836_control_update(s);
 +}
 +
 +static void bcm2836_control_local_timer_control(void *opaque, uint32_t val)
 +{
 +    BCM2836ControlState *s = opaque;
 +
 +    s->local_timer_control = val;
 +    if (val & LOCALTIMER_ENABLE) {
 +        bcm2836_control_local_timer_set_next(s);
 +    } else {
 +        timer_del(&s->timer);
 +    }
 +}
 +
 +static void bcm2836_control_local_timer_ack(void *opaque, uint32_t val)
 +{
 +    BCM2836ControlState *s = opaque;
 +
 +    if (val & LOCALTIMER_INTFLAG) {
 +        s->local_timer_control &= ~LOCALTIMER_INTFLAG;
 +    }
 +    if ((val & LOCALTIMER_RELOAD) &&
 +        (s->local_timer_control & LOCALTIMER_ENABLE)) {
 +            bcm2836_control_local_timer_set_next(s);
 +    }
 +}
 +
  static uint64_t bcm2836_control_read(void *opaque, hwaddr offset, unsigned size)
  {
      BCM2836ControlState *s = opaque;
@@ -XXX,XX +XXX,XX @@ static uint64_t bcm2836_control_read(void *opaque, hwaddr offset, unsigned size)
          assert(s->route_gpu_fiq < BCM2836_NCORES
                 && s->route_gpu_irq < BCM2836_NCORES);
          return ((uint32_t)s->route_gpu_fiq << 2) | s->route_gpu_irq;
 +    } else if (offset == REG_LOCALTIMERROUTING) {
 +        return s->route_localtimer;
 +    } else if (offset == REG_LOCALTIMERCONTROL) {
 +        return s->local_timer_control;
 +    } else if (offset == REG_LOCALTIMERACK) {
 +        return 0;
      } else if (offset >= REG_TIMERCONTROL && offset < REG_MBOXCONTROL) {
          return s->timercontrol[(offset - REG_TIMERCONTROL) >> 2];
      } else if (offset >= REG_MBOXCONTROL && offset < REG_IRQSRC) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_write(void *opaque, hwaddr offset,
      if (offset == REG_GPU_ROUTE) {
          s->route_gpu_irq = val & 0x3;
          s->route_gpu_fiq = (val >> 2) & 0x3;
 +    } else if (offset == REG_LOCALTIMERROUTING) {
 +        s->route_localtimer = val & 7;
 +    } else if (offset == REG_LOCALTIMERCONTROL) {
 +        bcm2836_control_local_timer_control(s, val);
 +    } else if (offset == REG_LOCALTIMERACK) {
 +        bcm2836_control_local_timer_ack(s, val);
      } else if (offset >= REG_TIMERCONTROL && offset < REG_MBOXCONTROL) {
          s->timercontrol[(offset - REG_TIMERCONTROL) >> 2] = val & 0xff;
      } else if (offset >= REG_MBOXCONTROL && offset < REG_IRQSRC) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_reset(DeviceState *d)
      s->route_gpu_irq = s->route_gpu_fiq = 0;
 +    timer_del(&s->timer);
 +    s->route_localtimer = 0;
 +    s->local_timer_control = 0;
 +
      for (i = 0; i < BCM2836_NCORES; i++) {
          s->timercontrol[i] = 0;
          s->mailboxcontrol[i] = 0;
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_init(Object *obj)
      /* outputs to CPU cores */
      qdev_init_gpio_out_named(dev, s->irq, "irq", BCM2836_NCORES);
      qdev_init_gpio_out_named(dev, s->fiq, "fiq", BCM2836_NCORES);
 +
 +    /* create a qemu virtual timer */
 +    timer_init_ns(&s->timer, QEMU_CLOCK_VIRTUAL,
 +                  bcm2836_control_local_timer_tick, s);
  }
  static const VMStateDescription vmstate_bcm2836_control = {
      .name = TYPE_BCM2836_CONTROL,
 -    .version_id = 1,
 +    .version_id = 2,
      .minimum_version_id = 1,
      .fields = (VMStateField[]) {
          VMSTATE_UINT32_ARRAY(mailboxes, BCM2836ControlState,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_bcm2836_control = {
          VMSTATE_UINT32_ARRAY(timercontrol, BCM2836ControlState, BCM2836_NCORES),
          VMSTATE_UINT32_ARRAY(mailboxcontrol, BCM2836ControlState,
                               BCM2836_NCORES),
 +        VMSTATE_TIMER_V(timer, BCM2836ControlState, 2),
 +        VMSTATE_UINT32_V(local_timer_control, BCM2836ControlState, 2),
 +        VMSTATE_UINT8_V(route_localtimer, BCM2836ControlState, 2),
          VMSTATE_END_OF_LIST()
      }
  };
 --
-.20.1
+.34.1

-[Qemu-devel] [PULL 2/5] hw/arm/virt-acpi-build: Fix SMMUv3 GSIV values
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-The GSIV numbers of the SPI based interrupts is not correct as
-ARM_SPI_BASE was not added to the irqmap[VIRT_SMMU] value. So
-this may collide with VIRTIO_MMIO irq window.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20190312091031.5185-1-eric.auger@redhat.com
-Reviewed-by: Shannon Zhao <shannon.zhaosl@gmail.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt-acpi-build.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
-+++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-     its->identifiers[0] = 0; /* MADT translation_id */
-     if (vms->iommu == VIRT_IOMMU_SMMUV3) {
--        int irq =  vms->irqmap[VIRT_SMMU];
-+        int irq =  vms->irqmap[VIRT_SMMU] + ARM_SPI_BASE;
-         /* SMMUv3 node */
-         smmu_offset = iort_node_offset + node_size;
---
-.20.1

-[Qemu-devel] [PULL 3/5] target/arm: change arch timer registers access permission
+Deleted patch
-From: Dongjiu Geng <gengdongjiu@huawei.com>
-Some generic arch timer registers are Config-RW in the EL0,
-which means the EL0 exception level can have write permission
-if it is appropriately configured.
-When VM access registers, QEMU firstly checks whether they have RW
-permission, then check whether it is appropriately configured.
-If they are defined to read only in EL0, even though they have been
-appropriately configured, they still do not have write permission.
-So need to add the write permission according to ARMV8 spec when
-define it.
-Signed-off-by: Dongjiu Geng <gengdongjiu@huawei.com>
-Message-id: 1552395177-12608-1-git-send-email-gengdongjiu@huawei.com
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 30 +++++++++++++++---------------
-file changed, 15 insertions(+), 15 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     /* per-timer control */
-     { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
-       .secure = ARM_CP_SECSTATE_NS,
--      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
-       .accessfn = gt_ptimer_access,
-       .fieldoffset = offsetoflow32(CPUARMState,
-                                    cp15.c14_timer[GTIMER_PHYS].ctl),
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     { .name = "CNTP_CTL_S",
-       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
-       .secure = ARM_CP_SECSTATE_S,
--      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
-       .accessfn = gt_ptimer_access,
-       .fieldoffset = offsetoflow32(CPUARMState,
-                                    cp15.c14_timer[GTIMER_SEC].ctl),
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     },
-     { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
--      .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_ptimer_access,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
-       .resetvalue = 0,
-       .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
-     },
-     { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
--      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
-       .accessfn = gt_vtimer_access,
-       .fieldoffset = offsetoflow32(CPUARMState,
-                                    cp15.c14_timer[GTIMER_VIRT].ctl),
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     },
-     { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
--      .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_vtimer_access,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
-       .resetvalue = 0,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     /* TimerValue views: a 32 bit downcounting view of the underlying state */
-     { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
-       .secure = ARM_CP_SECSTATE_NS,
--      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_ptimer_access,
-       .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
-     },
-     { .name = "CNTP_TVAL_S",
-       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
-       .secure = ARM_CP_SECSTATE_S,
--      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_ptimer_access,
-       .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write,
-     },
-     { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
--      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset,
-       .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
-     },
-     { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
--      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_vtimer_access,
-       .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
-     },
-     { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
--      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
-+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
-       .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset,
-       .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
-     },
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     /* Comparison value, indicating when the timer goes off */
-     { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
-       .secure = ARM_CP_SECSTATE_NS,
--      .access = PL1_RW | PL0_R,
-+      .access = PL0_RW,
-       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
-       .accessfn = gt_ptimer_access,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     },
-     { .name = "CNTP_CVAL_S", .cp = 15, .crm = 14, .opc1 = 2,
-       .secure = ARM_CP_SECSTATE_S,
--      .access = PL1_RW | PL0_R,
-+      .access = PL0_RW,
-       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
-       .accessfn = gt_ptimer_access,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     },
-     { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
--      .access = PL1_RW | PL0_R,
-+      .access = PL0_RW,
-       .type = ARM_CP_IO,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
-       .resetvalue = 0, .accessfn = gt_ptimer_access,
-       .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
-     },
-     { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
--      .access = PL1_RW | PL0_R,
-+      .access = PL0_RW,
-       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
-       .accessfn = gt_vtimer_access,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-     },
-     { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
--      .access = PL1_RW | PL0_R,
-+      .access = PL0_RW,
-       .type = ARM_CP_IO,
-       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
-       .resetvalue = 0, .accessfn = gt_vtimer_access,
---
-.20.1

-[Qemu-devel] [PULL 4/5] hw/arm/virt-acpi-build: use PCIE_MMCFG_BUS to retrieve end_bus_number
+Deleted patch
-From: Wei Yang <richardw.yang@linux.intel.com>
-This is more proper to use PCIE_MMCFG_BUS to retrieve end_bus_number.
-Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20190312074953.16671-1-richardw.yang@linux.intel.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt-acpi-build.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
-+++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-     /* Only a single allocation so no need to play with segments */
-     mcfg->allocation[0].pci_segment = cpu_to_le16(0);
-     mcfg->allocation[0].start_bus_number = 0;
--    mcfg->allocation[0].end_bus_number = (memmap[ecam_id].size
--                                          / PCIE_MMCFG_SIZE_MIN) - 1;
-+    mcfg->allocation[0].end_bus_number =
-+        PCIE_MMCFG_BUS(memmap[ecam_id].size - 1);
-     build_header(linker, table_data, (void *)(table_data->data + mcfg_start),
-                  "MCFG", table_data->len - mcfg_start, 1, NULL, NULL);
---
-.20.1

-[Qemu-devel] [PULL 5/5] target/arm: Check access permission to ADDVL/ADDPL/RDVL
+[PULL 2/2] target/arm: Copy guarded bit in combine_cacheattrs
-From: Amir Charif <amir.charif@cea.fr>
+From: Richard Henderson <richard.henderson@linaro.org>
-These instructions do not trap when SVE is disabled in EL0,
+The guarded bit comes from the stage1 walk.
 causing them to be executed with wrong size information.
-Signed-off-by: Amir Charif <amir.charif@cea.fr>
+Fixes: Coverity CID 1507929
-Message-id: 1552579248-31025-1-git-send-email-amir.charif@cea.fr
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: added 'target/arm' prefix to subject]
+Message-id: 20230407185149.3253946-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-sve.c | 22 ++++++++++++++--------
+ target/arm/ptw.c | 1 +
-file changed, 14 insertions(+), 8 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/translate-sve.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_INDEX_rr(DisasContext *s, arg_INDEX_rr *a)
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
- static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
+     assert(!s1.is_s2_format);
- {
+     ret.is_s2_format = false;
--    TCGv_i64 rd = cpu_reg_sp(s, a->rd);
++    ret.guarded = s1.guarded;
--    TCGv_i64 rn = cpu_reg_sp(s, a->rn);
--    tcg_gen_addi_i64(rd, rn, a->imm * vec_full_reg_size(s));
+     if (s1.attrs == 0xf0) {
-+    if (sve_access_check(s)) {
+         tagged = true;
 +        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
 +        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
 +        tcg_gen_addi_i64(rd, rn, a->imm * vec_full_reg_size(s));
 +    }
      return true;
  }
  static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
  {
 -    TCGv_i64 rd = cpu_reg_sp(s, a->rd);
 -    TCGv_i64 rn = cpu_reg_sp(s, a->rn);
 -    tcg_gen_addi_i64(rd, rn, a->imm * pred_full_reg_size(s));
 +    if (sve_access_check(s)) {
 +        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
 +        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
 +        tcg_gen_addi_i64(rd, rn, a->imm * pred_full_reg_size(s));
 +    }
      return true;
  }
  static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
  {
 -    TCGv_i64 reg = cpu_reg(s, a->rd);
 -    tcg_gen_movi_i64(reg, a->imm * vec_full_reg_size(s));
 +    if (sve_access_check(s)) {
 +        TCGv_i64 reg = cpu_reg(s, a->rd);
 +        tcg_gen_movi_i64(reg, a->imm * vec_full_reg_size(s));
 +    }
      return true;
  }
 --
-.20.1
+.34.1

A last arm pullreq before rc0. This is mostly bug fixes,
though you could call adding the missing local timer
support to bcm2836_control a new feature I suppose --
in any case it's a small and localised change.

thanks
-- PMM

The following changes since commit 7074ab12c81a1b2b1e0e1c40983f56b2c5ccc494:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-03-14 16:19:37 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190315

for you to fetch changes up to 5de56742a3c91de3d646326bec43a989bba83ca4:

target/arm: Check access permission to ADDVL/ADDPL/RDVL (2019-03-15 11:12:29 +0000)

----------------------------------------------------------------
target-arm queue:
 * Add missing SVE-enabled check to ADDVL/ADDPL/RDVL
 * virt-acpi-build: use PCIE_MMCFG_BUS to retrieve end_bus_number
 * virt-acpi-build: Fix SMMUv3 GSIV values
 * Allow EL0 to write to arch timer registers, not just read them
 * bcm2836_control: Implement local timer

----------------------------------------------------------------
Amir Charif (1):
      target/arm: Check access permission to ADDVL/ADDPL/RDVL

Dongjiu Geng (1):
      target/arm: change arch timer registers access permission

Eric Auger (1):
      hw/arm/virt-acpi-build: Fix SMMUv3 GSIV values

Wei Yang (1):
      hw/arm/virt-acpi-build: use PCIE_MMCFG_BUS to retrieve end_bus_number

Zoltán Baldaszti (1):
      hw/intc/bcm2836_control: Implement local timer

include/hw/intc/bcm2836_control.h |   9 ++++
 hw/arm/virt-acpi-build.c          |   6 +--
 hw/intc/bcm2836_control.c         | 101 +++++++++++++++++++++++++++++++++++++-
 target/arm/helper.c               |  30 +++++------
 target/arm/translate-sve.c        |  22 ++++++---
 5 files changed, 140 insertions(+), 28 deletions(-)

From: Zoltán Baldaszti <bztemail@gmail.com>

The BCM2836 control logic module includes a simple
"local timer" which is a programmable down-counter that
can generates an interrupt. Implement this functionality.

Signed-off-by: Zoltán Baldaszti <bztemail@gmail.com>
[PMM: wrote commit message; wrapped long line; tweaked
 some comments to match the final version of the code]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/intc/bcm2836_control.h |   9 +++
 hw/intc/bcm2836_control.c         | 101 +++++++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 2 deletions(-)

diff --git a/include/hw/intc/bcm2836_control.h b/include/hw/intc/bcm2836_control.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/intc/bcm2836_control.h
+++ b/include/hw/intc/bcm2836_control.h
@@ -XXX,XX +XXX,XX @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
+ * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
+ * Added basic IRQ_TIMER interrupt support
+ *
  * This code is licensed under the GNU GPLv2 and later.
  */
 
@@ -XXX,XX +XXX,XX @@
 #define BCM2836_CONTROL_H
 
 #include "hw/sysbus.h"
+#include "qemu/timer.h"
 
 /* 4 mailboxes per core, for 16 total */
 #define BCM2836_NCORES 4
@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836ControlState {
     bool gpu_irq, gpu_fiq;
     uint8_t timerirqs[BCM2836_NCORES];
 
+    /* local timer */
+    QEMUTimer timer;
+    uint32_t local_timer_control;
+    uint8_t route_localtimer;
+
     /* interrupt source registers, post-routing (also input-derived; visible) */
     uint32_t irqsrc[BCM2836_NCORES];
     uint32_t fiqsrc[BCM2836_NCORES];
diff --git a/hw/intc/bcm2836_control.c b/hw/intc/bcm2836_control.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/bcm2836_control.c
+++ b/hw/intc/bcm2836_control.c
@@ -XXX,XX +XXX,XX @@
  * This code is licensed under the GNU GPLv2 and later.
  *
  * At present, only implements interrupt routing, and mailboxes (i.e.,
- * not local timer, PMU interrupt, or AXI counters).
+ * not PMU interrupt, or AXI counters).
+ *
+ * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
  *
  * Ref:
  * https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf
@@ -XXX,XX +XXX,XX @@
 #include "qemu/log.h"
 
 #define REG_GPU_ROUTE           0x0c
+#define REG_LOCALTIMERROUTING   0x24
+#define REG_LOCALTIMERCONTROL   0x34
+#define REG_LOCALTIMERACK       0x38
 #define REG_TIMERCONTROL        0x40
 #define REG_MBOXCONTROL         0x50
 #define REG_IRQSRC              0x60
@@ -XXX,XX +XXX,XX @@
 #define IRQ_TIMER       11
 #define IRQ_MAX         IRQ_TIMER
 
+#define LOCALTIMER_FREQ      38400000
+#define LOCALTIMER_INTFLAG   (1 << 31)
+#define LOCALTIMER_RELOAD    (1 << 30)
+#define LOCALTIMER_INTENABLE (1 << 29)
+#define LOCALTIMER_ENABLE    (1 << 28)
+#define LOCALTIMER_VALUE(x)  ((x) & 0xfffffff)
+
 static void deliver_local(BCM2836ControlState *s, uint8_t core, uint8_t irq,
                           uint32_t controlreg, uint8_t controlidx)
 {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_update(BCM2836ControlState *s)
         s->fiqsrc[s->route_gpu_fiq] |= (uint32_t)1 << IRQ_GPU;
     }
 
+    /*
+     * handle the control module 'local timer' interrupt for one of the
+     * cores' IRQ/FIQ;  this is distinct from the per-CPU timer
+     * interrupts handled below.
+     */
+    if ((s->local_timer_control & LOCALTIMER_INTENABLE) &&
+        (s->local_timer_control & LOCALTIMER_INTFLAG)) {
+        if (s->route_localtimer & 4) {
+            s->fiqsrc[(s->route_localtimer & 3)] |= (uint32_t)1 << IRQ_TIMER;
+        } else {
+            s->irqsrc[(s->route_localtimer & 3)] |= (uint32_t)1 << IRQ_TIMER;
+        }
+    }
+
     for (i = 0; i < BCM2836_NCORES; i++) {
         /* handle local timer interrupts for this core */
         if (s->timerirqs[i]) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_set_gpu_fiq(void *opaque, int irq, int level)
     bcm2836_control_update(s);
 }
 
+static void bcm2836_control_local_timer_set_next(void *opaque)
+{
+    BCM2836ControlState *s = opaque;
+    uint64_t next_event;
+
+    assert(LOCALTIMER_VALUE(s->local_timer_control) > 0);
+
+    next_event = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
+        muldiv64(LOCALTIMER_VALUE(s->local_timer_control),
+            NANOSECONDS_PER_SECOND, LOCALTIMER_FREQ);
+    timer_mod(&s->timer, next_event);
+}
+
+static void bcm2836_control_local_timer_tick(void *opaque)
+{
+    BCM2836ControlState *s = opaque;
+
+    bcm2836_control_local_timer_set_next(s);
+
+    s->local_timer_control |= LOCALTIMER_INTFLAG;
+    bcm2836_control_update(s);
+}
+
+static void bcm2836_control_local_timer_control(void *opaque, uint32_t val)
+{
+    BCM2836ControlState *s = opaque;
+
+    s->local_timer_control = val;
+    if (val & LOCALTIMER_ENABLE) {
+        bcm2836_control_local_timer_set_next(s);
+    } else {
+        timer_del(&s->timer);
+    }
+}
+
+static void bcm2836_control_local_timer_ack(void *opaque, uint32_t val)
+{
+    BCM2836ControlState *s = opaque;
+
+    if (val & LOCALTIMER_INTFLAG) {
+        s->local_timer_control &= ~LOCALTIMER_INTFLAG;
+    }
+    if ((val & LOCALTIMER_RELOAD) &&
+        (s->local_timer_control & LOCALTIMER_ENABLE)) {
+            bcm2836_control_local_timer_set_next(s);
+    }
+}
+
 static uint64_t bcm2836_control_read(void *opaque, hwaddr offset, unsigned size)
 {
     BCM2836ControlState *s = opaque;
@@ -XXX,XX +XXX,XX @@ static uint64_t bcm2836_control_read(void *opaque, hwaddr offset, unsigned size)
         assert(s->route_gpu_fiq < BCM2836_NCORES
                && s->route_gpu_irq < BCM2836_NCORES);
         return ((uint32_t)s->route_gpu_fiq << 2) | s->route_gpu_irq;
+    } else if (offset == REG_LOCALTIMERROUTING) {
+        return s->route_localtimer;
+    } else if (offset == REG_LOCALTIMERCONTROL) {
+        return s->local_timer_control;
+    } else if (offset == REG_LOCALTIMERACK) {
+        return 0;
     } else if (offset >= REG_TIMERCONTROL && offset < REG_MBOXCONTROL) {
         return s->timercontrol[(offset - REG_TIMERCONTROL) >> 2];
     } else if (offset >= REG_MBOXCONTROL && offset < REG_IRQSRC) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_write(void *opaque, hwaddr offset,
     if (offset == REG_GPU_ROUTE) {
         s->route_gpu_irq = val & 0x3;
         s->route_gpu_fiq = (val >> 2) & 0x3;
+    } else if (offset == REG_LOCALTIMERROUTING) {
+        s->route_localtimer = val & 7;
+    } else if (offset == REG_LOCALTIMERCONTROL) {
+        bcm2836_control_local_timer_control(s, val);
+    } else if (offset == REG_LOCALTIMERACK) {
+        bcm2836_control_local_timer_ack(s, val);
     } else if (offset >= REG_TIMERCONTROL && offset < REG_MBOXCONTROL) {
         s->timercontrol[(offset - REG_TIMERCONTROL) >> 2] = val & 0xff;
     } else if (offset >= REG_MBOXCONTROL && offset < REG_IRQSRC) {
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_reset(DeviceState *d)
 
     s->route_gpu_irq = s->route_gpu_fiq = 0;
 
+    timer_del(&s->timer);
+    s->route_localtimer = 0;
+    s->local_timer_control = 0;
+
     for (i = 0; i < BCM2836_NCORES; i++) {
         s->timercontrol[i] = 0;
         s->mailboxcontrol[i] = 0;
@@ -XXX,XX +XXX,XX @@ static void bcm2836_control_init(Object *obj)
     /* outputs to CPU cores */
     qdev_init_gpio_out_named(dev, s->irq, "irq", BCM2836_NCORES);
     qdev_init_gpio_out_named(dev, s->fiq, "fiq", BCM2836_NCORES);
+
+    /* create a qemu virtual timer */
+    timer_init_ns(&s->timer, QEMU_CLOCK_VIRTUAL,
+                  bcm2836_control_local_timer_tick, s);
 }
 
 static const VMStateDescription vmstate_bcm2836_control = {
     .name = TYPE_BCM2836_CONTROL,
-    .version_id = 1,
+    .version_id = 2,
     .minimum_version_id = 1,
     .fields = (VMStateField[]) {
         VMSTATE_UINT32_ARRAY(mailboxes, BCM2836ControlState,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_bcm2836_control = {
         VMSTATE_UINT32_ARRAY(timercontrol, BCM2836ControlState, BCM2836_NCORES),
         VMSTATE_UINT32_ARRAY(mailboxcontrol, BCM2836ControlState,
                              BCM2836_NCORES),
+        VMSTATE_TIMER_V(timer, BCM2836ControlState, 2),
+        VMSTATE_UINT32_V(local_timer_control, BCM2836ControlState, 2),
+        VMSTATE_UINT8_V(route_localtimer, BCM2836ControlState, 2),
         VMSTATE_END_OF_LIST()
     }
 };
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

The GSIV numbers of the SPI based interrupts is not correct as
ARM_SPI_BASE was not added to the irqmap[VIRT_SMMU] value. So
this may collide with VIRTIO_MMIO irq window.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20190312091031.5185-1-eric.auger@redhat.com
Reviewed-by: Shannon Zhao <shannon.zhaosl@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

From: Dongjiu Geng <gengdongjiu@huawei.com>

Some generic arch timer registers are Config-RW in the EL0,
which means the EL0 exception level can have write permission
if it is appropriately configured.

When VM access registers, QEMU firstly checks whether they have RW
permission, then check whether it is appropriately configured.
If they are defined to read only in EL0, even though they have been
appropriately configured, they still do not have write permission.
So need to add the write permission according to ARMV8 spec when
define it.

Signed-off-by: Dongjiu Geng <gengdongjiu@huawei.com>
Message-id: 1552395177-12608-1-git-send-email-gengdongjiu@huawei.com
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     /* per-timer control */
     { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
       .secure = ARM_CP_SECSTATE_NS,
-      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
       .accessfn = gt_ptimer_access,
       .fieldoffset = offsetoflow32(CPUARMState,
                                    cp15.c14_timer[GTIMER_PHYS].ctl),
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     { .name = "CNTP_CTL_S",
       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
       .secure = ARM_CP_SECSTATE_S,
-      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
       .accessfn = gt_ptimer_access,
       .fieldoffset = offsetoflow32(CPUARMState,
                                    cp15.c14_timer[GTIMER_SEC].ctl),
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     },
     { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
-      .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_ptimer_access,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
       .resetvalue = 0,
       .writefn = gt_phys_ctl_write, .raw_writefn = raw_write,
     },
     { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
-      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL0_RW,
       .accessfn = gt_vtimer_access,
       .fieldoffset = offsetoflow32(CPUARMState,
                                    cp15.c14_timer[GTIMER_VIRT].ctl),
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     },
     { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
-      .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_vtimer_access,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
       .resetvalue = 0,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     /* TimerValue views: a 32 bit downcounting view of the underlying state */
     { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
       .secure = ARM_CP_SECSTATE_NS,
-      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_ptimer_access,
       .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
     },
     { .name = "CNTP_TVAL_S",
       .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
       .secure = ARM_CP_SECSTATE_S,
-      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_ptimer_access,
       .readfn = gt_sec_tval_read, .writefn = gt_sec_tval_write,
     },
     { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
-      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_ptimer_access, .resetfn = gt_phys_timer_reset,
       .readfn = gt_phys_tval_read, .writefn = gt_phys_tval_write,
     },
     { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
-      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_vtimer_access,
       .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
     },
     { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
-      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL0_RW,
       .accessfn = gt_vtimer_access, .resetfn = gt_virt_timer_reset,
       .readfn = gt_virt_tval_read, .writefn = gt_virt_tval_write,
     },
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     /* Comparison value, indicating when the timer goes off */
     { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
       .secure = ARM_CP_SECSTATE_NS,
-      .access = PL1_RW | PL0_R,
+      .access = PL0_RW,
       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
       .accessfn = gt_ptimer_access,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     },
     { .name = "CNTP_CVAL_S", .cp = 15, .crm = 14, .opc1 = 2,
       .secure = ARM_CP_SECSTATE_S,
-      .access = PL1_RW | PL0_R,
+      .access = PL0_RW,
       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
       .accessfn = gt_ptimer_access,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     },
     { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
-      .access = PL1_RW | PL0_R,
+      .access = PL0_RW,
       .type = ARM_CP_IO,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
       .resetvalue = 0, .accessfn = gt_ptimer_access,
       .writefn = gt_phys_cval_write, .raw_writefn = raw_write,
     },
     { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
-      .access = PL1_RW | PL0_R,
+      .access = PL0_RW,
       .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
       .accessfn = gt_vtimer_access,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     },
     { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
-      .access = PL1_RW | PL0_R,
+      .access = PL0_RW,
       .type = ARM_CP_IO,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
       .resetvalue = 0, .accessfn = gt_vtimer_access,
-- 
2.20.1

From: Wei Yang <richardw.yang@linux.intel.com>

This is more proper to use PCIE_MMCFG_BUS to retrieve end_bus_number.

Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-id: 20190312074953.16671-1-richardw.yang@linux.intel.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     /* Only a single allocation so no need to play with segments */
     mcfg->allocation[0].pci_segment = cpu_to_le16(0);
     mcfg->allocation[0].start_bus_number = 0;
-    mcfg->allocation[0].end_bus_number = (memmap[ecam_id].size
-                                          / PCIE_MMCFG_SIZE_MIN) - 1;
+    mcfg->allocation[0].end_bus_number =
+        PCIE_MMCFG_BUS(memmap[ecam_id].size - 1);
 
     build_header(linker, table_data, (void *)(table_data->data + mcfg_start),
                  "MCFG", table_data->len - mcfg_start, 1, NULL, NULL);
-- 
2.20.1

From: Amir Charif <amir.charif@cea.fr>

These instructions do not trap when SVE is disabled in EL0,
causing them to be executed with wrong size information.

Signed-off-by: Amir Charif <amir.charif@cea.fr>
Message-id: 1552579248-31025-1-git-send-email-amir.charif@cea.fr
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added 'target/arm' prefix to subject]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-sve.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_INDEX_rr(DisasContext *s, arg_INDEX_rr *a)
 
 static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
 {
-    TCGv_i64 rd = cpu_reg_sp(s, a->rd);
-    TCGv_i64 rn = cpu_reg_sp(s, a->rn);
-    tcg_gen_addi_i64(rd, rn, a->imm * vec_full_reg_size(s));
+    if (sve_access_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * vec_full_reg_size(s));
+    }
     return true;
 }
 
 static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
 {
-    TCGv_i64 rd = cpu_reg_sp(s, a->rd);
-    TCGv_i64 rn = cpu_reg_sp(s, a->rn);
-    tcg_gen_addi_i64(rd, rn, a->imm * pred_full_reg_size(s));
+    if (sve_access_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * pred_full_reg_size(s));
+    }
     return true;
 }
 
 static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
 {
-    TCGv_i64 reg = cpu_reg(s, a->rd);
-    tcg_gen_movi_i64(reg, a->imm * vec_full_reg_size(s));
+    if (sve_access_check(s)) {
+        TCGv_i64 reg = cpu_reg(s, a->rd);
+        tcg_gen_movi_i64(reg, a->imm * vec_full_reg_size(s));
+    }
     return true;
 }
 
-- 
2.20.1

This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
we were using uninitialized data for the guarded bit when
combining stage 1 and stage 2 attrs.

thanks
-- PMM

The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:

Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410

for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:

target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)

----------------------------------------------------------------
target-arm: Fix bug where we weren't initializing
            guarded bit state when combining S1/S2 attrs

----------------------------------------------------------------
Richard Henderson (2):
      target/arm: PTE bit GP only applies to stage1
      target/arm: Copy guarded bit in combine_cacheattrs

target/arm/ptw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Only perform the extract of GP during the stage1 walk.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         result->f.attrs.secure = false;
     }
 
-    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
-    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-        result->f.guarded = extract64(attrs, 50, 1); /* GP */
-    }
-
     if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
         result->cacheattrs.attrs = extract32(attrs, 2, 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         assert(attrindx <= 7);
         result->cacheattrs.is_s2_format = false;
         result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
+
+        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
+        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
+            result->f.guarded = extract64(attrs, 50, 1); /* GP */
+        }
     }
 
     /*
-- 
2.34.1