Series comparison

-[PULL 0/6] target-arm queue
+[PULL 0/9] target-arm queue
-A handful of bugfixes before rc1 tomorrow...
+Arm queue; bugfixes only.
 thanks
 -- PMM
-The following changes since commit f9fe8450fa7cdc6268e05c93fa258f583f4514b7:
+The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:
-  Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-5.0-pull-request' into staging (2020-03-30 11:32:01 +0100)
+  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200330
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117
-for you to fetch changes up to 88828bf133b64b7a860c166af3423ef1a47c5d3b:
+for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:
-  target/arm: fix incorrect current EL bug in aarch32 exception emulation (2020-03-30 13:55:32 +0100)
+  tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
+ * hw/arm/virt: ARM_VIRT must select ARM_GIC
- * hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
+ * exynos: Fix bad printf format specifiers
- * docs/conf.py: Raise ConfigError for bad Sphinx Python version
+ * hw/input/ps2.c: Remove remnants of printf debug
- * hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
+ * target/openrisc: Remove dead code attempting to check "is timer disabled"
- * hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
+ * register: Remove unnecessary NULL check
- * target/arm: fix incorrect current EL bug in aarch32 exception emulation
+ * util/cutils: Fix Coverity array overrun in freq_to_str()
  * configure: Make "does libgio work" test pull in some actual functions
  * tmp105: reset the T_low and T_High registers
  * tmp105: Correct handling of temperature limit checks
 ----------------------------------------------------------------
-Changbin Du (1):
+Alex Chen (1):
-      target/arm: fix incorrect current EL bug in aarch32 exception emulation
+      exynos: Fix bad printf format specifiers
-Niek Linnenbank (2):
+Alistair Francis (1):
-      hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
+      register: Remove unnecessary NULL check
       hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
-Peter Maydell (3):
+Andrew Jones (1):
-      docs/conf.py: Raise ConfigError for bad Sphinx Python version
+      hw/arm/virt: ARM_VIRT must select ARM_GIC
       hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
       hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
- hw/arm/orangepi.c            |  2 +-
+Peter Maydell (5):
- hw/arm/xlnx-zynqmp.c         | 27 ++++++++++++++++++++++++++-
+      hw/input/ps2.c: Remove remnants of printf debug
- hw/misc/allwinner-h3-dramc.c |  4 ++--
+      target/openrisc: Remove dead code attempting to check "is timer disabled"
- target/arm/helper.c          |  5 ++++-
+      configure: Make "does libgio work" test pull in some actual functions
- docs/conf.py                 |  9 +++++----
+      hw/misc/tmp105: reset the T_low and T_High registers
-files changed, 38 insertions(+), 9 deletions(-)
+      tmp105: Correct handling of temperature limit checks
+Philippe Mathieu-Daudé (1):
+      util/cutils: Fix Coverity array overrun in freq_to_str()
+ configure                    | 11 +++++--
+ hw/misc/tmp105.h             |  7 +++++
+ hw/core/register.c           |  4 ---
+ hw/input/ps2.c               |  9 ------
+ hw/misc/tmp105.c             | 73 ++++++++++++++++++++++++++++++++++++++------
+ hw/timer/exynos4210_mct.c    |  4 +--
+ hw/timer/exynos4210_pwm.c    |  8 ++---
+ target/openrisc/sys_helper.c |  3 --
+ util/cutils.c                |  3 +-
+ hw/arm/Kconfig               |  1 +
+files changed, 89 insertions(+), 34 deletions(-)

-[PULL 6/6] target/arm: fix incorrect current EL bug in aarch32 exception emulation
+[PULL 1/9] hw/arm/virt: ARM_VIRT must select ARM_GIC
-From: Changbin Du <changbin.du@gmail.com>
+From: Andrew Jones <drjones@redhat.com>
-The arm_current_el() should be invoked after mode switching. Otherwise, we
+The removal of the selection of A15MPCORE from ARM_VIRT also
-get a wrong current EL value, since current EL is also determined by
+removed what A15MPCORE selects, ARM_GIC. We still need ARM_GIC.
 current mode.
-Fixes: 4a2696c0d4 ("target/arm: Set PAN bit as required on exception entry")
+Fixes: bec3c97e0cf9 ("hw/arm/virt: Remove dependency on Cortex-A15 MPCore peripherals")
-Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20200328140232.17278-1-changbin.du@gmail.com
+Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20201111143440.112763-1-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 5 ++++-
+ hw/arm/Kconfig | 1 +
-file changed, 4 insertions(+), 1 deletion(-)
+file changed, 1 insertion(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/hw/arm/Kconfig
-+++ b/target/arm/helper.c
++++ b/hw/arm/Kconfig
-@@ -XXX,XX +XXX,XX @@ static void take_aarch32_exception(CPUARMState *env, int new_mode,
+@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
+     imply VFIO_PLATFORM
-     /* Change the CPU state so as to actually take the exception. */
+     imply VFIO_XGMAC
-     switch_mode(env, new_mode);
+     imply TPM_TIS_SYSBUS
--    new_el = arm_current_el(env);
++    select ARM_GIC
+     select ACPI
-     /*
+     select ARM_SMMUV3
-      * For exceptions taken to AArch32 we must clear the SS bit in both
+     select GPIO_KEY
@@ -XXX,XX +XXX,XX @@ static void take_aarch32_exception(CPUARMState *env, int new_mode,
      env->condexec_bits = 0;
      /* Switch to the new mode, and to the correct instruction set.  */
      env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
 +
 +    /* This must be after mode switching. */
 +    new_el = arm_current_el(env);
 +
      /* Set new mode endianness */
      env->uncached_cpsr &= ~CPSR_E;
      if (env->cp15.sctlr_el[new_el] & SCTLR_EE) {
 --
 .20.1

-[PULL 2/6] hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
+[PULL 2/9] exynos: Fix bad printf format specifiers
-From: Niek Linnenbank <nieklinnenbank@gmail.com>
+From: Alex Chen <alex.chen@huawei.com>
-The allwinner_h3_dramc_map_rows function simulates row addressing behavior
+We should use printf format specifier "%u" instead of "%d" for
-when bootloader software attempts to detect the amount of available SDRAM.
+argument of type "unsigned int".
-Currently the line that calculates the 64-bit address of the mirrored row
+Reported-by: Euler Robot <euler.robot@huawei.com>
-uses a signed 32-bit multiply operation that in theory could result in the
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
-upper 32-bit be all 1s. This commit ensures that the row mirror address
+Message-id: 20201111073651.72804-1-alex.chen@huawei.com
 is calculated using only 64-bit operations.
 Reported-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Message-id: 20200323192944.5967-1-nieklinnenbank@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/allwinner-h3-dramc.c | 4 ++--
+ hw/timer/exynos4210_mct.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
+ hw/timer/exynos4210_pwm.c | 8 ++++----
 files changed, 6 insertions(+), 6 deletions(-)
-diff --git a/hw/misc/allwinner-h3-dramc.c b/hw/misc/allwinner-h3-dramc.c
+diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/allwinner-h3-dramc.c
+--- a/hw/timer/exynos4210_mct.c
-+++ b/hw/misc/allwinner-h3-dramc.c
++++ b/hw/timer/exynos4210_mct.c
-@@ -XXX,XX +XXX,XX @@ static void allwinner_h3_dramc_map_rows(AwH3DramCtlState *s, uint8_t row_bits,
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
+     /* If CSTAT is pending and IRQ is enabled */
-     } else if (row_bits_actual) {
+     if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
-         /* Row bits not matching ram_size, install the rows mirror */
+             (s->reg.int_enb & G_INT_ENABLE(id))) {
--        hwaddr row_mirror = s->ram_addr + ((1 << (row_bits_actual +
+-        DPRINTF("gcmp timer[%d] IRQ\n", id);
--                                                  bank_bits)) * page_size);
++        DPRINTF("gcmp timer[%u] IRQ\n", id);
-+        hwaddr row_mirror = s->ram_addr + ((1ULL << (row_bits_actual +
+         qemu_irq_raise(s->irq[id]);
-+                                                     bank_bits)) * page_size);
+     }
+ }
-         memory_region_set_enabled(&s->row_mirror_alias, true);
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
-         memory_region_set_address(&s->row_mirror_alias, row_mirror);
+                     MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
      if (freq != s->freq) {
 -        DPRINTF("freq=%dHz\n", s->freq);
 +        DPRINTF("freq=%uHz\n", s->freq);
          /* global timer */
          tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
 diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/timer/exynos4210_pwm.c
 +++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
      if (freq != s->timer[id].freq) {
          ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
 -        DPRINTF("freq=%dHz\n", s->timer[id].freq);
 +        DPRINTF("freq=%uHz\n", s->timer[id].freq);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
      uint32_t id = s->id;
      bool cmp;
 -    DPRINTF("timer %d tick\n", id);
 +    DPRINTF("timer %u tick\n", id);
      /* set irq status */
      p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
      /* raise IRQ */
      if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
 -        DPRINTF("timer %d IRQ\n", id);
 +        DPRINTF("timer %u IRQ\n", id);
          qemu_irq_raise(p->timer[id].irq);
      }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
      }
      if (cmp) {
 -        DPRINTF("auto reload timer %d count to %x\n", id,
 +        DPRINTF("auto reload timer %u count to %x\n", id,
                  p->timer[id].reg_tcntb);
          ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
          ptimer_run(p->timer[id].ptimer, 1);
 --
 .20.1

-New patch
+[PULL 3/9] hw/input/ps2.c: Remove remnants of printf debug
+In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
+and mouse emulation. However we didn't remove all the debug-by-printf
+support. In fact there is only one printf() remaining, and it is
+redundant with the trace_ps2_write_mouse() event next to it.
+Remove the printf() and the now-unused DEBUG* macros.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
+---
+ hw/input/ps2.c | 9 ---------
+file changed, 9 deletions(-)
+diff --git a/hw/input/ps2.c b/hw/input/ps2.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/input/ps2.c
++++ b/hw/input/ps2.c
+@@ -XXX,XX +XXX,XX @@
+ #include "trace.h"
+-/* debug PC keyboard */
+-//#define DEBUG_KBD
+-
+-/* debug PC keyboard : only mouse */
+-//#define DEBUG_MOUSE
+-
+ /* Keyboard Commands */
+ #define KBD_CMD_SET_LEDS    0xED    /* Set keyboard leds */
+ #define KBD_CMD_ECHO         0xEE
+@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
+     PS2MouseState *s = (PS2MouseState *)opaque;
+     trace_ps2_write_mouse(opaque, val);
+-#ifdef DEBUG_MOUSE
+-    printf("kbd: write mouse 0x%02x\n", val);
+-#endif
+     switch(s->common.write_cmd) {
+     default:
+     case -1:
+--
+.20.1

-New patch
+[PULL 4/9] target/openrisc: Remove dead code attempting to check "is timer disabled"
+In the mtspr helper we attempt to check for "is the timer disabled"
+with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
+is zero and the condition is always false (Coverity complains about
+the dead code.)
+The correct check would be to test whether the TTMR_M field in the
+register is equal to TIMER_NONE instead.  However, the
+cpu_openrisc_timer_update() function checks whether the timer is
+enabled (it looks at cpu->env.is_counting, which is set to 0 via
+cpu_openrisc_count_stop() when the TTMR_M field is set to
+TIMER_NONE), so there's no need to check for "timer disabled" in the
+target/openrisc code.  Instead, simply remove the dead code.
+Fixes: Coverity CID 1005812
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Stafford Horne <shorne@gmail.com>
+Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
+---
+ target/openrisc/sys_helper.c | 3 ---
+file changed, 3 deletions(-)
+diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/openrisc/sys_helper.c
++++ b/target/openrisc/sys_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
+     case TO_SPR(10, 1): /* TTCR */
+         cpu_openrisc_count_set(cpu, rb);
+-        if (env->ttmr & TIMER_NONE) {
+-            return;
+-        }
+         cpu_openrisc_timer_update(cpu);
+         break;
+ #endif
+--
+.20.1

-[PULL 1/6] hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
+[PULL 5/9] register: Remove unnecessary NULL check
-From: Niek Linnenbank <nieklinnenbank@gmail.com>
+From: Alistair Francis <alistair.francis@wdc.com>
-The Orange Pi PC initialization function needs to verify that the SD card
+This patch fixes CID 1432800 by removing an unnecessary check.
 block backend is usable before calling the Boot ROM setup routine. When
 calling blk_is_available() the input parameter should not be NULL.
 This commit ensures that blk_is_available is only called with non-NULL input.
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Message-id: 20200322205439.15231-1-nieklinnenbank@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/orangepi.c | 2 +-
+ hw/core/register.c | 4 ----
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 4 deletions(-)
-diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
+diff --git a/hw/core/register.c b/hw/core/register.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/orangepi.c
+--- a/hw/core/register.c
-+++ b/hw/arm/orangepi.c
++++ b/hw/core/register.c
-@@ -XXX,XX +XXX,XX @@ static void orangepi_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static RegisterInfoArray *register_init_block(DeviceState *owner,
-                                 machine->ram);
+         int index = rae[i].addr / data_size;
+         RegisterInfo *r = &ri[index];
-     /* Load target kernel or start using BootROM */
--    if (!machine->kernel_filename && blk_is_available(blk)) {
+-        if (data + data_size * index == 0 || !&rae[i]) {
-+    if (!machine->kernel_filename && blk && blk_is_available(blk)) {
+-            continue;
-         /* Use Boot ROM to copy data from SD card to SRAM */
+-        }
-         allwinner_h3_bootrom_setup(h3, blk);
+-
-     }
+         /* Init the register, this will zero it. */
          object_initialize((void *)r, sizeof(*r), TYPE_REGISTER);
 --
 .20.1

-[PULL 4/6] hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
+[PULL 6/9] util/cutils: Fix Coverity array overrun in freq_to_str()
-In xlnx_zynqmp_realize() if the attempt to realize the SD
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
 controller object fails then the error-return path will leak
 the 'bus_name' string. Fix this by deferring the allocation
 until after the realize has succeeded.
-Fixes: Coverity CID 1421911
+Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):
 >>> Overrunning array "suffixes" of 7 8-byte elements at element
     index 7 (byte offset 63) using index "idx" (which evaluates to 7).
 Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
 which is ~18.446 EHz, less than 1000 EHz.
 Reported-by: Eduardo Habkost <ehabkost@redhat.com>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
 Reviewed-by: Luc Michel <luc@lmichel.fr>
 Message-id: 20201101215755.2021421-1-f4bug@amsat.org
 Suggested-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20200324134947.15384-2-peter.maydell@linaro.org
 ---
- hw/arm/xlnx-zynqmp.c | 3 ++-
+ util/cutils.c | 3 ++-
 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+diff --git a/util/cutils.c b/util/cutils.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
+--- a/util/cutils.c
-+++ b/hw/arm/xlnx-zynqmp.c
++++ b/util/cutils.c
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, gic_spi[SATA_INTR]);
+     double freq = freq_hz;
+     size_t idx = 0;
-     for (i = 0; i < XLNX_ZYNQMP_NUM_SDHCI; i++) {
--        char *bus_name = g_strdup_printf("sd-bus%d", i);
+-    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
-+        char *bus_name;
++    while (freq >= 1000.0) {
-         SysBusDevice *sbd = SYS_BUS_DEVICE(&s->sdhci[i]);
+         freq /= 1000.0;
-         Object *sdhci = OBJECT(&s->sdhci[i]);
+         idx++;
+     }
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
++    assert(idx < ARRAY_SIZE(suffixes));
-         sysbus_connect_irq(sbd, 0, gic_spi[sdhci_intr[i]]);
+     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
-         /* Alias controller SD bus to the SoC itself */
+ }
 +        bus_name = g_strdup_printf("sd-bus%d", i);
          object_property_add_alias(OBJECT(s), bus_name, sdhci, "sd-bus",
                                    &error_abort);
          g_free(bus_name);
 --
 .20.1

-New patch
+[PULL 7/9] configure: Make "does libgio work" test pull in some actual functions
+In commit 76346b6264a9b01979 we tried to add a configure check that
+the libgio pkg-config data was correct, which builds an executable
+linked against it.  Unfortunately this doesn't catch the problem
+(missing static library dependency info), because a "do nothing" test
+source file doesn't have any symbol references that cause the linker
+to pull in .o files from libgio.a, and so we don't see the "missing
+symbols from libmount" error that a full QEMU link triggers.
+(The ineffective test went unnoticed because of a typo that
+effectively disabled libgio unconditionally, but after commit
+a5dfc11f2 fixed that, a static link of the system emulator on
+Ubuntu stopped working again.)
+Improve the gio test by having the test source fragment reference a
+g_dbus function (which is what is indirectly causing us to end up
+wanting functions from libmount).
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
+---
+ configure | 11 +++++++++--
+file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/configure b/configure
+index XXXXXXX..XXXXXXX 100755
+--- a/configure
++++ b/configure
+@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
+     # Check that the libraries actually work -- Ubuntu 18.04 ships
+     # with pkg-config --static --libs data for gio-2.0 that is missing
+     # -lblkid and will give a link error.
+-    write_c_skeleton
+-    if compile_prog "" "$gio_libs" ; then
++    cat > $TMPC <<EOF
++#include <gio/gio.h>
++int main(void)
++{
++    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
++    return 0;
++}
++EOF
++    if compile_prog "$gio_cflags" "$gio_libs" ; then
+         gio=yes
+     else
+         gio=no
+--
+.20.1

-[PULL 3/6] docs/conf.py: Raise ConfigError for bad Sphinx Python version
+[PULL 8/9] hw/misc/tmp105: reset the T_low and T_High registers
-Raise ConfigError rather than VersionRequirementError when we detect
+The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
-that the Python being used by Sphinx is too old.
+power-up reset values for the T_low and T_high registers are 80 degrees C
 and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
 values are then shifted right by four bits to give the register reset
 values, since both registers store the 12 bits of temperature data in bits
 [15..4] of a 16 bit register.
-Currently the way we flag the Python version problem up to the user
+We were resetting these registers to zero, which is problematic for Linux
-causes Sphinx to print an unnecessary Python stack trace as well as
+guests which enable the alert interrupt and then immediately take an
-the information about the problem; in most versions of Sphinx this is
+unexpected overtemperature alert because the current temperature is above
-unavoidable.
+freezing...
 The upstream Sphinx developers kindly added a feature to allow
 conf.py to report errors to the user without the backtrace:
   https://github.com/sphinx-doc/sphinx/commit/be608ca2313fc08eb842f3dc19d0f5d2d8227d08
 but the exception type they chose for this was ConfigError.
 Switch to ConfigError, which won't make any difference with currently
 deployed Sphinx versions, but will be prettier one day when the user
 is using a Sphinx version with the new feature.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20200313163616.30674-1-peter.maydell@linaro.org
+Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
 ---
- docs/conf.py | 9 +++++----
+ hw/misc/tmp105.c | 3 +++
-file changed, 5 insertions(+), 4 deletions(-)
+file changed, 3 insertions(+)
-diff --git a/docs/conf.py b/docs/conf.py
+diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/conf.py
+--- a/hw/misc/tmp105.c
-+++ b/docs/conf.py
++++ b/hw/misc/tmp105.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
- import os
+     s->faults = tmp105_faultq[(s->config >> 3) & 3];
- import sys
+     s->alarm = 0;
- import sphinx
--from sphinx.errors import VersionRequirementError
++    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
-+from sphinx.errors import ConfigError
++    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
++
- # Make Sphinx fail cleanly if using an old Python, rather than obscurely
+     tmp105_interrupt_update(s);
- # failing because some code in one of our extensions doesn't work there.
+ }
--# Unfortunately this doesn't display very neatly (there's an unavoidable
 -# Python backtrace) but at least the information gets printed...
 +# In newer versions of Sphinx this will display nicely; in older versions
 +# Sphinx will also produce a Python backtrace but at least the information
 +# gets printed...
  if sys.version_info < (3,5):
 -    raise VersionRequirementError(
 +    raise ConfigError(
          "QEMU requires a Sphinx that uses Python 3.5 or better\n")
  # The per-manual conf.py will set qemu_docdir for a single-manual build;
 --
 .20.1

-[PULL 5/6] hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
+[PULL 9/9] tmp105: Correct handling of temperature limit checks
-In some places in xlnx_zynqmp_realize() we were putting an
+The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
-error into our local Error*, but forgetting to check for
+signals an alert when the temperature equals or exceeds the T_high value and
-failure and pass it back to the caller. Add the missing code.
+then remains high until a device register is read or the device responds to
 the SMBUS Alert Response address, or the device is put into Shutdown Mode.
 Thereafter the Alert pin will only be re-signalled when temperature falls
 below T_low; alert can then be cleared in the same set of ways, and the
 device returns to its initial "alert when temperature goes above T_high"
 mode. (If this textual description is confusing, see figure 3 in the
 TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)
 We were misimplementing this as a simple "always alert if temperature is
 above T_high or below T_low" condition, which gives a spurious alert on
 startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
 limit values.
 Implement the correct (hysteresis) behaviour by tracking whether we
 are currently looking for the temperature to rise over T_high or
 for it to fall below T_low. Our implementation of the comparator
 mode (TM==0) wasn't wrong, but rephrase it to match the way that
 interrupt mode is now handled for clarity.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200324134947.15384-3-peter.maydell@linaro.org
 ---
- hw/arm/xlnx-zynqmp.c | 24 ++++++++++++++++++++++++
+ hw/misc/tmp105.h |  7 +++++
-file changed, 24 insertions(+)
+ hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
 files changed, 68 insertions(+), 9 deletions(-)
-diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
+--- a/hw/misc/tmp105.h
-+++ b/hw/arm/xlnx-zynqmp.c
++++ b/hw/misc/tmp105.h
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ struct TMP105State {
-          * - eMMC Specification Version 4.51
+     int16_t limit[2];
-          */
+     int faults;
-         object_property_set_uint(sdhci, 3, "sd-spec-version", &err);
+     uint8_t alarm;
-+        if (err) {
++    /*
-+            error_propagate(errp, err);
++     * The TMP105 initially looks for a temperature rising above T_high;
-+            return;
++     * once this is detected, the condition it looks for next is the
 +     * temperature falling below T_low. This flag is false when initially
 +     * looking for T_high, true when looking for T_low.
 +     */
 +    bool detect_falling;
  };
  #endif
 diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/tmp105.c
 +++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
              return;
      }
 -    if ((s->config >> 1) & 1) {                    /* TM */
 -        if (s->temperature >= s->limit[1])
 -            s->alarm = 1;
 -        else if (s->temperature < s->limit[0])
 -            s->alarm = 1;
 +    if (s->config >> 1 & 1) {
 +        /*
 +         * TM == 1 : Interrupt mode. We signal Alert when the
 +         * temperature rises above T_high, and expect the guest to clear
 +         * it (eg by reading a device register).
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 1;
 +                s->detect_falling = false;
 +            }
 +        } else {
 +            if (s->temperature >= s->limit[1]) {
 +                s->alarm = 1;
 +                s->detect_falling = true;
 +            }
 +        }
-         object_property_set_uint(sdhci, SDHCI_CAPABILITIES, "capareg", &err);
+     } else {
-+        if (err) {
+-        if (s->temperature >= s->limit[1])
-+            error_propagate(errp, err);
+-            s->alarm = 1;
-+            return;
+-        else if (s->temperature < s->limit[0])
 -            s->alarm = 0;
 +        /*
 +         * TM == 0 : Comparator mode. We signal Alert when the temperature
 +         * rises above T_high, and stop signalling it when the temperature
 +         * falls below T_low.
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 0;
 +                s->detect_falling = false;
 +            }
 +        } else {
 +            if (s->temperature >= s->limit[1]) {
 +                s->alarm = 1;
 +                s->detect_falling = true;
 +            }
 +        }
-         object_property_set_uint(sdhci, UHS_I, "uhs", &err);
-+        if (err) {
-+            error_propagate(errp, err);
-+            return;
-+        }
-         object_property_set_bool(sdhci, true, "realized", &err);
-         if (err) {
-             error_propagate(errp, err);
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
-         gchar *bus_name;
-         object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err);
-+        if (err) {
-+            error_propagate(errp, err);
-+            return;
-+        }
-         sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, spi_addr[i]);
-         sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0,
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
      }
-     object_property_set_bool(OBJECT(&s->qspi), true, "realized", &err);
+     tmp105_interrupt_update(s);
-+    if (err) {
+@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
-+        error_propagate(errp, err);
+     return 0;
-+        return;
+ }
 +static bool detect_falling_needed(void *opaque)
 +{
 +    TMP105State *s = opaque;
 +
 +    /*
 +     * We only need to migrate the detect_falling bool if it's set;
 +     * for migration from older machines we assume that it is false
 +     * (ie temperature is not out of range).
 +     */
 +    return s->detect_falling;
 +}
 +
 +static const VMStateDescription vmstate_tmp105_detect_falling = {
 +    .name = "TMP105/detect-falling",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = detect_falling_needed,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_BOOL(detect_falling, TMP105State),
 +        VMSTATE_END_OF_LIST()
 +    }
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR);
++};
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR);
++
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]);
+ static const VMStateDescription vmstate_tmp105 = {
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     .name = "TMP105",
+     .version_id = 0,
-     for (i = 0; i < XLNX_ZYNQMP_NUM_GDMA_CH; i++) {
+@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
-         object_property_set_uint(OBJECT(&s->gdma[i]), 128, "bus-width", &err);
+         VMSTATE_UINT8(alarm, TMP105State),
-+        if (err) {
+         VMSTATE_I2C_SLAVE(i2c, TMP105State),
-+            error_propagate(errp, err);
+         VMSTATE_END_OF_LIST()
-+            return;
++    },
-+        }
++    .subsections = (const VMStateDescription*[]) {
-         object_property_set_bool(OBJECT(&s->gdma[i]), true, "realized", &err);
++        &vmstate_tmp105_detect_falling,
-         if (err) {
++        NULL
-             error_propagate(errp, err);
+     }
  };
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
      s->config = 0;
      s->faults = tmp105_faultq[(s->config >> 3) & 3];
      s->alarm = 0;
 +    s->detect_falling = false;
      s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
      s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
 --
 .20.1

A handful of bugfixes before rc1 tomorrow...

thanks
-- PMM

The following changes since commit f9fe8450fa7cdc6268e05c93fa258f583f4514b7:

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-5.0-pull-request' into staging (2020-03-30 11:32:01 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200330

for you to fetch changes up to 88828bf133b64b7a860c166af3423ef1a47c5d3b:

target/arm: fix incorrect current EL bug in aarch32 exception emulation (2020-03-30 13:55:32 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
 * hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address
 * docs/conf.py: Raise ConfigError for bad Sphinx Python version
 * hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
 * hw/arm/xlnx-zynqmp.c: Add missing error-propagation code
 * target/arm: fix incorrect current EL bug in aarch32 exception emulation

----------------------------------------------------------------
Changbin Du (1):
      target/arm: fix incorrect current EL bug in aarch32 exception emulation

Niek Linnenbank (2):
      hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available
      hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address

Peter Maydell (3):
      docs/conf.py: Raise ConfigError for bad Sphinx Python version
      hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path
      hw/arm/xlnx-zynqmp.c: Add missing error-propagation code

From: Niek Linnenbank <nieklinnenbank@gmail.com>

The Orange Pi PC initialization function needs to verify that the SD card
block backend is usable before calling the Boot ROM setup routine. When
calling blk_is_available() the input parameter should not be NULL.
This commit ensures that blk_is_available is only called with non-NULL input.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200322205439.15231-1-nieklinnenbank@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/orangepi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/orangepi.c
+++ b/hw/arm/orangepi.c
@@ -XXX,XX +XXX,XX @@ static void orangepi_init(MachineState *machine)
                                 machine->ram);
 
     /* Load target kernel or start using BootROM */
-    if (!machine->kernel_filename && blk_is_available(blk)) {
+    if (!machine->kernel_filename && blk && blk_is_available(blk)) {
         /* Use Boot ROM to copy data from SD card to SRAM */
         allwinner_h3_bootrom_setup(h3, blk);
     }
-- 
2.20.1

From: Niek Linnenbank <nieklinnenbank@gmail.com>

The allwinner_h3_dramc_map_rows function simulates row addressing behavior
when bootloader software attempts to detect the amount of available SDRAM.

Currently the line that calculates the 64-bit address of the mirrored row
uses a signed 32-bit multiply operation that in theory could result in the
upper 32-bit be all 1s. This commit ensures that the row mirror address
is calculated using only 64-bit operations.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-id: 20200323192944.5967-1-nieklinnenbank@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/allwinner-h3-dramc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/misc/allwinner-h3-dramc.c b/hw/misc/allwinner-h3-dramc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/allwinner-h3-dramc.c
+++ b/hw/misc/allwinner-h3-dramc.c
@@ -XXX,XX +XXX,XX @@ static void allwinner_h3_dramc_map_rows(AwH3DramCtlState *s, uint8_t row_bits,
 
     } else if (row_bits_actual) {
         /* Row bits not matching ram_size, install the rows mirror */
-        hwaddr row_mirror = s->ram_addr + ((1 << (row_bits_actual +
-                                                  bank_bits)) * page_size);
+        hwaddr row_mirror = s->ram_addr + ((1ULL << (row_bits_actual +
+                                                     bank_bits)) * page_size);
 
         memory_region_set_enabled(&s->row_mirror_alias, true);
         memory_region_set_address(&s->row_mirror_alias, row_mirror);
-- 
2.20.1

Raise ConfigError rather than VersionRequirementError when we detect
that the Python being used by Sphinx is too old.

Currently the way we flag the Python version problem up to the user
causes Sphinx to print an unnecessary Python stack trace as well as
the information about the problem; in most versions of Sphinx this is
unavoidable.

The upstream Sphinx developers kindly added a feature to allow
conf.py to report errors to the user without the backtrace:
  https://github.com/sphinx-doc/sphinx/commit/be608ca2313fc08eb842f3dc19d0f5d2d8227d08
but the exception type they chose for this was ConfigError.

Switch to ConfigError, which won't make any difference with currently
deployed Sphinx versions, but will be prettier one day when the user
is using a Sphinx version with the new feature.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 20200313163616.30674-1-peter.maydell@linaro.org
---
 docs/conf.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/conf.py b/docs/conf.py
index XXXXXXX..XXXXXXX 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -XXX,XX +XXX,XX @@
 import os
 import sys
 import sphinx
-from sphinx.errors import VersionRequirementError
+from sphinx.errors import ConfigError
 
 # Make Sphinx fail cleanly if using an old Python, rather than obscurely
 # failing because some code in one of our extensions doesn't work there.
-# Unfortunately this doesn't display very neatly (there's an unavoidable
-# Python backtrace) but at least the information gets printed...
+# In newer versions of Sphinx this will display nicely; in older versions
+# Sphinx will also produce a Python backtrace but at least the information
+# gets printed...
 if sys.version_info < (3,5):
-    raise VersionRequirementError(
+    raise ConfigError(
         "QEMU requires a Sphinx that uses Python 3.5 or better\n")
 
 # The per-manual conf.py will set qemu_docdir for a single-manual build;
-- 
2.20.1

In xlnx_zynqmp_realize() if the attempt to realize the SD
controller object fails then the error-return path will leak
the 'bus_name' string. Fix this by deferring the allocation
until after the realize has succeeded.

Fixes: Coverity CID 1421911
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200324134947.15384-2-peter.maydell@linaro.org
---
 hw/arm/xlnx-zynqmp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, gic_spi[SATA_INTR]);
 
     for (i = 0; i < XLNX_ZYNQMP_NUM_SDHCI; i++) {
-        char *bus_name = g_strdup_printf("sd-bus%d", i);
+        char *bus_name;
         SysBusDevice *sbd = SYS_BUS_DEVICE(&s->sdhci[i]);
         Object *sdhci = OBJECT(&s->sdhci[i]);
 
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
         sysbus_connect_irq(sbd, 0, gic_spi[sdhci_intr[i]]);
 
         /* Alias controller SD bus to the SoC itself */
+        bus_name = g_strdup_printf("sd-bus%d", i);
         object_property_add_alias(OBJECT(s), bus_name, sdhci, "sd-bus",
                                   &error_abort);
         g_free(bus_name);
-- 
2.20.1

In some places in xlnx_zynqmp_realize() we were putting an
error into our local Error*, but forgetting to check for
failure and pass it back to the caller. Add the missing code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200324134947.15384-3-peter.maydell@linaro.org
---
 hw/arm/xlnx-zynqmp.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
          * - eMMC Specification Version 4.51
          */
         object_property_set_uint(sdhci, 3, "sd-spec-version", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_uint(sdhci, SDHCI_CAPABILITIES, "capareg", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_uint(sdhci, UHS_I, "uhs", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_bool(sdhci, true, "realized", &err);
         if (err) {
             error_propagate(errp, err);
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
         gchar *bus_name;
 
         object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
 
         sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, spi_addr[i]);
         sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0,
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
     }
 
     object_property_set_bool(OBJECT(&s->qspi), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR);
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR);
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]);
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
 
     for (i = 0; i < XLNX_ZYNQMP_NUM_GDMA_CH; i++) {
         object_property_set_uint(OBJECT(&s->gdma[i]), 128, "bus-width", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_bool(OBJECT(&s->gdma[i]), true, "realized", &err);
         if (err) {
             error_propagate(errp, err);
-- 
2.20.1

From: Changbin Du <changbin.du@gmail.com>

The arm_current_el() should be invoked after mode switching. Otherwise, we
get a wrong current EL value, since current EL is also determined by
current mode.

Fixes: 4a2696c0d4 ("target/arm: Set PAN bit as required on exception entry")
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200328140232.17278-1-changbin.du@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void take_aarch32_exception(CPUARMState *env, int new_mode,
 
     /* Change the CPU state so as to actually take the exception. */
     switch_mode(env, new_mode);
-    new_el = arm_current_el(env);
 
     /*
      * For exceptions taken to AArch32 we must clear the SS bit in both
@@ -XXX,XX +XXX,XX @@ static void take_aarch32_exception(CPUARMState *env, int new_mode,
     env->condexec_bits = 0;
     /* Switch to the new mode, and to the correct instruction set.  */
     env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
+
+    /* This must be after mode switching. */
+    new_el = arm_current_el(env);
+
     /* Set new mode endianness */
     env->uncached_cpsr &= ~CPSR_E;
     if (env->cp15.sctlr_el[new_el] & SCTLR_EE) {
-- 
2.20.1

Arm queue; bugfixes only.

thanks
-- PMM

The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117

for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:

tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: ARM_VIRT must select ARM_GIC
 * exynos: Fix bad printf format specifiers
 * hw/input/ps2.c: Remove remnants of printf debug
 * target/openrisc: Remove dead code attempting to check "is timer disabled"
 * register: Remove unnecessary NULL check
 * util/cutils: Fix Coverity array overrun in freq_to_str()
 * configure: Make "does libgio work" test pull in some actual functions
 * tmp105: reset the T_low and T_High registers
 * tmp105: Correct handling of temperature limit checks

----------------------------------------------------------------
Alex Chen (1):
      exynos: Fix bad printf format specifiers

Alistair Francis (1):
      register: Remove unnecessary NULL check

Andrew Jones (1):
      hw/arm/virt: ARM_VIRT must select ARM_GIC

Peter Maydell (5):
      hw/input/ps2.c: Remove remnants of printf debug
      target/openrisc: Remove dead code attempting to check "is timer disabled"
      configure: Make "does libgio work" test pull in some actual functions
      hw/misc/tmp105: reset the T_low and T_High registers
      tmp105: Correct handling of temperature limit checks

Philippe Mathieu-Daudé (1):
      util/cutils: Fix Coverity array overrun in freq_to_str()

From: Alex Chen <alex.chen@huawei.com>

We should use printf format specifier "%u" instead of "%d" for
argument of type "unsigned int".

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Message-id: 20201111073651.72804-1-alex.chen@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/exynos4210_mct.c | 4 ++--
 hw/timer/exynos4210_pwm.c | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_mct.c
+++ b/hw/timer/exynos4210_mct.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
     /* If CSTAT is pending and IRQ is enabled */
     if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
             (s->reg.int_enb & G_INT_ENABLE(id))) {
-        DPRINTF("gcmp timer[%d] IRQ\n", id);
+        DPRINTF("gcmp timer[%u] IRQ\n", id);
         qemu_irq_raise(s->irq[id]);
     }
 }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
                     MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
 
     if (freq != s->freq) {
-        DPRINTF("freq=%dHz\n", s->freq);
+        DPRINTF("freq=%uHz\n", s->freq);
 
         /* global timer */
         tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_pwm.c
+++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
 
     if (freq != s->timer[id].freq) {
         ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
-        DPRINTF("freq=%dHz\n", s->timer[id].freq);
+        DPRINTF("freq=%uHz\n", s->timer[id].freq);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     uint32_t id = s->id;
     bool cmp;
 
-    DPRINTF("timer %d tick\n", id);
+    DPRINTF("timer %u tick\n", id);
 
     /* set irq status */
     p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
 
     /* raise IRQ */
     if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
-        DPRINTF("timer %d IRQ\n", id);
+        DPRINTF("timer %u IRQ\n", id);
         qemu_irq_raise(p->timer[id].irq);
     }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     }
 
     if (cmp) {
-        DPRINTF("auto reload timer %d count to %x\n", id,
+        DPRINTF("auto reload timer %u count to %x\n", id,
                 p->timer[id].reg_tcntb);
         ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
         ptimer_run(p->timer[id].ptimer, 1);
-- 
2.20.1

In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
and mouse emulation. However we didn't remove all the debug-by-printf
support. In fact there is only one printf() remaining, and it is
redundant with the trace_ps2_write_mouse() event next to it.
Remove the printf() and the now-unused DEBUG* macros.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
---
 hw/input/ps2.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -XXX,XX +XXX,XX @@
 
 #include "trace.h"
 
-/* debug PC keyboard */
-//#define DEBUG_KBD
-
-/* debug PC keyboard : only mouse */
-//#define DEBUG_MOUSE
-
 /* Keyboard Commands */
 #define KBD_CMD_SET_LEDS	0xED	/* Set keyboard leds */
 #define KBD_CMD_ECHO     	0xEE
@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
     PS2MouseState *s = (PS2MouseState *)opaque;
 
     trace_ps2_write_mouse(opaque, val);
-#ifdef DEBUG_MOUSE
-    printf("kbd: write mouse 0x%02x\n", val);
-#endif
     switch(s->common.write_cmd) {
     default:
     case -1:
-- 
2.20.1

In the mtspr helper we attempt to check for "is the timer disabled"
with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
is zero and the condition is always false (Coverity complains about
the dead code.)

The correct check would be to test whether the TTMR_M field in the
register is equal to TIMER_NONE instead.  However, the
cpu_openrisc_timer_update() function checks whether the timer is
enabled (it looks at cpu->env.is_counting, which is set to 0 via
cpu_openrisc_count_stop() when the TTMR_M field is set to
TIMER_NONE), so there's no need to check for "timer disabled" in the
target/openrisc code.  Instead, simply remove the dead code.

Fixes: Coverity CID 1005812
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
---
 target/openrisc/sys_helper.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/sys_helper.c
+++ b/target/openrisc/sys_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
 
     case TO_SPR(10, 1): /* TTCR */
         cpu_openrisc_count_set(cpu, rb);
-        if (env->ttmr & TIMER_NONE) {
-            return;
-        }
         cpu_openrisc_timer_update(cpu);
         break;
 #endif
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):

>>> Overrunning array "suffixes" of 7 8-byte elements at element
    index 7 (byte offset 63) using index "idx" (which evaluates to 7).

Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
which is ~18.446 EHz, less than 1000 EHz.

Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Luc Michel <luc@lmichel.fr>
Message-id: 20201101215755.2021421-1-f4bug@amsat.org
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 util/cutils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/cutils.c b/util/cutils.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
     double freq = freq_hz;
     size_t idx = 0;
 
-    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
+    while (freq >= 1000.0) {
         freq /= 1000.0;
         idx++;
     }
+    assert(idx < ARRAY_SIZE(suffixes));
 
     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
 }
-- 
2.20.1

In commit 76346b6264a9b01979 we tried to add a configure check that
the libgio pkg-config data was correct, which builds an executable
linked against it.  Unfortunately this doesn't catch the problem
(missing static library dependency info), because a "do nothing" test
source file doesn't have any symbol references that cause the linker
to pull in .o files from libgio.a, and so we don't see the "missing
symbols from libmount" error that a full QEMU link triggers.

(The ineffective test went unnoticed because of a typo that
effectively disabled libgio unconditionally, but after commit
3569a5dfc11f2 fixed that, a static link of the system emulator on
Ubuntu stopped working again.)

Improve the gio test by having the test source fragment reference a
g_dbus function (which is what is indirectly causing us to end up
wanting functions from libmount).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
---
 configure | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index XXXXXXX..XXXXXXX 100755
--- a/configure
+++ b/configure
@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
     # Check that the libraries actually work -- Ubuntu 18.04 ships
     # with pkg-config --static --libs data for gio-2.0 that is missing
     # -lblkid and will give a link error.
-    write_c_skeleton
-    if compile_prog "" "$gio_libs" ; then
+    cat > $TMPC <<EOF
+#include <gio/gio.h>
+int main(void)
+{
+    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
+    return 0;
+}
+EOF
+    if compile_prog "$gio_cflags" "$gio_libs" ; then
         gio=yes
     else
         gio=no
-- 
2.20.1

The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
power-up reset values for the T_low and T_high registers are 80 degrees C
and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
values are then shifted right by four bits to give the register reset
values, since both registers store the 12 bits of temperature data in bits
[15..4] of a 16 bit register.

We were resetting these registers to zero, which is problematic for Linux
guests which enable the alert interrupt and then immediately take an
unexpected overtemperature alert because the current temperature is above
freezing...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
---
 hw/misc/tmp105.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
 
+    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
+    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
+
     tmp105_interrupt_update(s);
 }
 
-- 
2.20.1

The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
signals an alert when the temperature equals or exceeds the T_high value and
then remains high until a device register is read or the device responds to
the SMBUS Alert Response address, or the device is put into Shutdown Mode.
Thereafter the Alert pin will only be re-signalled when temperature falls
below T_low; alert can then be cleared in the same set of ways, and the
device returns to its initial "alert when temperature goes above T_high"
mode. (If this textual description is confusing, see figure 3 in the
TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)

We were misimplementing this as a simple "always alert if temperature is
above T_high or below T_low" condition, which gives a spurious alert on
startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
limit values.

Implement the correct (hysteresis) behaviour by tracking whether we
are currently looking for the temperature to rise over T_high or
for it to fall below T_low. Our implementation of the comparator
mode (TM==0) wasn't wrong, but rephrase it to match the way that
interrupt mode is now handled for clarity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
---
 hw/misc/tmp105.h |  7 +++++
 hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.h
+++ b/hw/misc/tmp105.h
@@ -XXX,XX +XXX,XX @@ struct TMP105State {
     int16_t limit[2];
     int faults;
     uint8_t alarm;
+    /*
+     * The TMP105 initially looks for a temperature rising above T_high;
+     * once this is detected, the condition it looks for next is the
+     * temperature falling below T_low. This flag is false when initially
+     * looking for T_high, true when looking for T_low.
+     */
+    bool detect_falling;
 };
 
 #endif
diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
             return;
     }
 
-    if ((s->config >> 1) & 1) {					/* TM */
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 1;
+    if (s->config >> 1 & 1) {
+        /*
+         * TM == 1 : Interrupt mode. We signal Alert when the
+         * temperature rises above T_high, and expect the guest to clear
+         * it (eg by reading a device register).
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 1;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     } else {
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 0;
+        /*
+         * TM == 0 : Comparator mode. We signal Alert when the temperature
+         * rises above T_high, and stop signalling it when the temperature
+         * falls below T_low.
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 0;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     }
 
     tmp105_interrupt_update(s);
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool detect_falling_needed(void *opaque)
+{
+    TMP105State *s = opaque;
+
+    /*
+     * We only need to migrate the detect_falling bool if it's set;
+     * for migration from older machines we assume that it is false
+     * (ie temperature is not out of range).
+     */
+    return s->detect_falling;
+}
+
+static const VMStateDescription vmstate_tmp105_detect_falling = {
+    .name = "TMP105/detect-falling",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = detect_falling_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_BOOL(detect_falling, TMP105State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_tmp105 = {
     .name = "TMP105",
     .version_id = 0,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
         VMSTATE_UINT8(alarm, TMP105State),
         VMSTATE_I2C_SLAVE(i2c, TMP105State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_tmp105_detect_falling,
+        NULL
     }
 };
 
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->config = 0;
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
+    s->detect_falling = false;
 
     s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
     s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
-- 
2.20.1