Series comparison

-[PULL 00/11] target-arm queue
+[PULL 0/9] target-arm queue
-A collection of bug fixes for rc2...
+Arm queue; bugfixes only.
-The following changes since commit 146aa0f104bb3bf88e43c4082a0bfc4bbda4fbd8:
+thanks
 -- PMM
-  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2020-04-03 15:30:11 +0100)
+The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:
   Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200406
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117
-for you to fetch changes up to 8893790966d9c964557ad01be4a68ef50696ace8:
+for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:
-  dma/xlnx-zdma: Reorg to fix CUR_DSCR (2020-04-06 10:59:56 +0100)
+  tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * don't expose "ieee_half" via gdbstub (prevents gdb crashes or errors
+ * hw/arm/virt: ARM_VIRT must select ARM_GIC
-   with older GDB versions)
+ * exynos: Fix bad printf format specifiers
- * hw/arm/collie: Put StrongARMState* into a CollieMachineState struct
+ * hw/input/ps2.c: Remove remnants of printf debug
- * PSTATE.PAN should not clear exec bits
+ * target/openrisc: Remove dead code attempting to check "is timer disabled"
- * hw/gpio/aspeed_gpio.c: Don't directly include assert.h
+ * register: Remove unnecessary NULL check
-   (fixes compilation on some Windows build scenarios)
+ * util/cutils: Fix Coverity array overrun in freq_to_str()
- * dump: Fix writing of ELF section
+ * configure: Make "does libgio work" test pull in some actual functions
- * dma/xlnx-zdma: various bug fixes
+ * tmp105: reset the T_low and T_High registers
- * target/arm/helperc. delete obsolete TODO comment
+ * tmp105: Correct handling of temperature limit checks
 ----------------------------------------------------------------
-Alex Bennée (1):
+Alex Chen (1):
-      target/arm: don't expose "ieee_half" via gdbstub
+      exynos: Fix bad printf format specifiers
-Edgar E. Iglesias (5):
+Alistair Francis (1):
-      dma/xlnx-zdma: Remove comment
+      register: Remove unnecessary NULL check
-      dma/xlnx-zdma: Populate DBG0.CMN_BUF_FREE
-      dma/xlnx-zdma: Clear DMA_DONE when halting
+Andrew Jones (1):
-      dma/xlnx-zdma: Advance the descriptor address when stopping
+      hw/arm/virt: ARM_VIRT must select ARM_GIC
       dma/xlnx-zdma: Reorg to fix CUR_DSCR
 Peter Maydell (5):
-      hw/arm/collie: Put StrongARMState* into a CollieMachineState struct
+      hw/input/ps2.c: Remove remnants of printf debug
-      target/arm: PSTATE.PAN should not clear exec bits
+      target/openrisc: Remove dead code attempting to check "is timer disabled"
-      target/arm: Remove obsolete TODO note from get_phys_addr_lpae()
+      configure: Make "does libgio work" test pull in some actual functions
-      hw/gpio/aspeed_gpio.c: Don't directly include assert.h
+      hw/misc/tmp105: reset the T_low and T_High registers
-      dump: Fix writing of ELF section
+      tmp105: Correct handling of temperature limit checks
- dump/dump.c           |  2 +-
+Philippe Mathieu-Daudé (1):
- hw/arm/collie.c       | 33 +++++++++++++++++++++++++-----
+      util/cutils: Fix Coverity array overrun in freq_to_str()
  hw/dma/xlnx-zdma.c    | 56 ++++++++++++++++++++++++++-------------------------
  hw/gpio/aspeed_gpio.c |  2 --
  target/arm/gdbstub.c  |  7 ++++++-
  target/arm/helper.c   | 13 +++++-------
 files changed, 69 insertions(+), 44 deletions(-)
+ configure                    | 11 +++++--
+ hw/misc/tmp105.h             |  7 +++++
+ hw/core/register.c           |  4 ---
+ hw/input/ps2.c               |  9 ------
+ hw/misc/tmp105.c             | 73 ++++++++++++++++++++++++++++++++++++++------
+ hw/timer/exynos4210_mct.c    |  4 +--
+ hw/timer/exynos4210_pwm.c    |  8 ++---
+ target/openrisc/sys_helper.c |  3 --
+ util/cutils.c                |  3 +-
+ hw/arm/Kconfig               |  1 +
+files changed, 89 insertions(+), 34 deletions(-)

-[PULL 01/11] target/arm: don't expose "ieee_half" via gdbstub
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-While support for parsing ieee_half in the XML description was added
-to gdb in 2019 (a6d0f249) there is no easy way for the gdbstub to know
-if the gdb end will understand it. Disable it for now and allow older
-gdbs to successfully connect to the default -cpu max SVE enabled
-QEMUs.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200402143913.24005-1-alex.bennee@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/gdbstub.c | 7 ++++++-
-file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/gdbstub.c
-+++ b/target/arm/gdbstub.c
-@@ -XXX,XX +XXX,XX @@ static const struct TypeSize vec_lanes[] = {
-     /* 16 bit */
-     { "uint16", 16, 'h', 'u' },
-     { "int16", 16, 'h', 's' },
--    { "ieee_half", 16, 'h', 'f' },
-+    /*
-+     * TODO: currently there is no reliable way of telling
-+     * if the remote gdb actually understands ieee_half so
-+     * we don't expose it in the target description for now.
-+     * { "ieee_half", 16, 'h', 'f' },
-+     */
-     /* bytes */
-     { "uint8", 8, 'b', 'u' },
-     { "int8", 8, 'b', 's' },
---
-.20.1

-[PULL 09/11] dma/xlnx-zdma: Clear DMA_DONE when halting
+[PULL 1/9] hw/arm/virt: ARM_VIRT must select ARM_GIC
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Andrew Jones <drjones@redhat.com>
-Clear DMA_DONE when halting the DMA channel.
+The removal of the selection of A15MPCORE from ARM_VIRT also
 removed what A15MPCORE selects, ARM_GIC. We still need ARM_GIC.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Fixes: bec3c97e0cf9 ("hw/arm/virt: Remove dependency on Cortex-A15 MPCore peripherals")
-Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20200402134721.27863-4-edgar.iglesias@gmail.com
+Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20201111143440.112763-1-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 1 +
+ hw/arm/Kconfig | 1 +
 file changed, 1 insertion(+)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/hw/arm/Kconfig
-+++ b/hw/dma/xlnx-zdma.c
++++ b/hw/arm/Kconfig
-@@ -XXX,XX +XXX,XX @@ static void zdma_process_descr(XlnxZDMA *s)
+@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
-     if (src_cmd == CMD_HALT) {
+     imply VFIO_PLATFORM
-         zdma_set_state(s, PAUSED);
+     imply VFIO_XGMAC
-         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, DMA_PAUSE, 1);
+     imply TPM_TIS_SYSBUS
-+        ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, DMA_DONE, false);
++    select ARM_GIC
-         zdma_ch_imr_update_irq(s);
+     select ACPI
-         return;
+     select ARM_SMMUV3
-     }
+     select GPIO_KEY
 --
 .20.1

-[PULL 11/11] dma/xlnx-zdma: Reorg to fix CUR_DSCR
+[PULL 2/9] exynos: Fix bad printf format specifiers
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Alex Chen <alex.chen@huawei.com>
-Reorganize the descriptor handling so that CUR_DSCR always
+We should use printf format specifier "%u" instead of "%d" for
-points to the next descriptor to be processed.
+argument of type "unsigned int".
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reported-by: Euler Robot <euler.robot@huawei.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
-Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Message-id: 20201111073651.72804-1-alex.chen@huawei.com
-Message-id: 20200402134721.27863-6-edgar.iglesias@gmail.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 47 ++++++++++++++++++++++------------------------
+ hw/timer/exynos4210_mct.c | 4 ++--
-file changed, 22 insertions(+), 25 deletions(-)
+ hw/timer/exynos4210_pwm.c | 8 ++++----
 files changed, 6 insertions(+), 6 deletions(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/hw/timer/exynos4210_mct.c
-+++ b/hw/dma/xlnx-zdma.c
++++ b/hw/timer/exynos4210_mct.c
-@@ -XXX,XX +XXX,XX @@ static void zdma_load_src_descriptor(XlnxZDMA *s)
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
      /* If CSTAT is pending and IRQ is enabled */
      if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
              (s->reg.int_enb & G_INT_ENABLE(id))) {
 -        DPRINTF("gcmp timer[%d] IRQ\n", id);
 +        DPRINTF("gcmp timer[%u] IRQ\n", id);
          qemu_irq_raise(s->irq[id]);
      }
  }
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
-+static void zdma_update_descr_addr(XlnxZDMA *s, bool type,
+                     MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
-+                                   unsigned int basereg)
-+{
+     if (freq != s->freq) {
-+    uint64_t addr, next;
+-        DPRINTF("freq=%dHz\n", s->freq);
-+
++        DPRINTF("freq=%uHz\n", s->freq);
-+    if (type == DTYPE_LINEAR) {
-+        addr = zdma_get_regaddr64(s, basereg);
+         /* global timer */
-+        next = addr + sizeof(s->dsc_dst);
+         tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
-+    } else {
+diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
-+        addr = zdma_get_regaddr64(s, basereg);
+index XXXXXXX..XXXXXXX 100644
-+        addr += sizeof(s->dsc_dst);
+--- a/hw/timer/exynos4210_pwm.c
-+        address_space_read(s->dma_as, addr, s->attr, (void *) &next, 8);
++++ b/hw/timer/exynos4210_pwm.c
-+    }
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
-+
-+    zdma_put_regaddr64(s, basereg, next);
+     if (freq != s->timer[id].freq) {
-+}
+         ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
-+
+-        DPRINTF("freq=%dHz\n", s->timer[id].freq);
- static void zdma_load_dst_descriptor(XlnxZDMA *s)
++        DPRINTF("freq=%uHz\n", s->timer[id].freq);
  {
      uint64_t dst_addr;
      unsigned int ptype = ARRAY_FIELD_EX32(s->regs, ZDMA_CH_CTRL0, POINT_TYPE);
 +    bool dst_type;
      if (ptype == PT_REG) {
          memcpy(&s->dsc_dst, &s->regs[R_ZDMA_CH_DST_DSCR_WORD0],
@@ -XXX,XX +XXX,XX @@ static void zdma_load_dst_descriptor(XlnxZDMA *s)
      if (!zdma_load_descriptor(s, dst_addr, &s->dsc_dst)) {
          ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, AXI_RD_DST_DSCR, true);
      }
--}
--static uint64_t zdma_update_descr_addr(XlnxZDMA *s, bool type,
--                                       unsigned int basereg)
--{
--    uint64_t addr, next;
--
--    if (type == DTYPE_LINEAR) {
--        next = zdma_get_regaddr64(s, basereg);
--        next += sizeof(s->dsc_dst);
--        zdma_put_regaddr64(s, basereg, next);
--    } else {
--        addr = zdma_get_regaddr64(s, basereg);
--        addr += sizeof(s->dsc_dst);
--        address_space_read(s->dma_as, addr, s->attr, &next, 8);
--        zdma_put_regaddr64(s, basereg, next);
--    }
--    return next;
-+    /* Advance the descriptor pointer.  */
-+    dst_type = FIELD_EX32(s->dsc_dst.words[3], ZDMA_CH_DST_DSCR_WORD3, TYPE);
-+    zdma_update_descr_addr(s, dst_type, R_ZDMA_CH_DST_CUR_DSCR_LSB);
  }
- static void zdma_write_dst(XlnxZDMA *s, uint8_t *buf, uint32_t len)
+@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
-@@ -XXX,XX +XXX,XX @@ static void zdma_write_dst(XlnxZDMA *s, uint8_t *buf, uint32_t len)
+     uint32_t id = s->id;
-         dst_size = FIELD_EX32(s->dsc_dst.words[2], ZDMA_CH_DST_DSCR_WORD2,
+     bool cmp;
-                               SIZE);
-         if (dst_size == 0 && ptype == PT_MEM) {
+-    DPRINTF("timer %d tick\n", id);
--            uint64_t next;
++    DPRINTF("timer %u tick\n", id);
--            bool dst_type = FIELD_EX32(s->dsc_dst.words[3],
--                                       ZDMA_CH_DST_DSCR_WORD3,
+     /* set irq status */
--                                       TYPE);
+     p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
--
--            next = zdma_update_descr_addr(s, dst_type,
+     /* raise IRQ */
--                                          R_ZDMA_CH_DST_CUR_DSCR_LSB);
+     if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
--            zdma_load_descriptor(s, next, &s->dsc_dst);
+-        DPRINTF("timer %d IRQ\n", id);
-+            zdma_load_dst_descriptor(s);
++        DPRINTF("timer %u IRQ\n", id);
-             dst_size = FIELD_EX32(s->dsc_dst.words[2], ZDMA_CH_DST_DSCR_WORD2,
+         qemu_irq_raise(p->timer[id].irq);
-                                   SIZE);
+     }
-         }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
      }
      if (cmp) {
 -        DPRINTF("auto reload timer %d count to %x\n", id,
 +        DPRINTF("auto reload timer %u count to %x\n", id,
                  p->timer[id].reg_tcntb);
          ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
          ptimer_run(p->timer[id].ptimer, 1);
 --
 .20.1

-[PULL 05/11] hw/gpio/aspeed_gpio.c: Don't directly include assert.h
+[PULL 3/9] hw/input/ps2.c: Remove remnants of printf debug
-Remove a direct include of assert.h -- this is already
+In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
-provided by qemu/osdep.h, and it breaks our rule that the
+and mouse emulation. However we didn't remove all the debug-by-printf
-first include must always be osdep.h.
+support. In fact there is only one printf() remaining, and it is
+redundant with the trace_ps2_write_mouse() event next to it.
-In particular we must get the assert() macro via osdep.h
+Remove the printf() and the now-unused DEBUG* macros.
 to avoid compile failures on mingw (see the comment in
 osdep.h where we redefine assert() for that platform).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Message-id: 20200403124712.24826-1-peter.maydell@linaro.org
+Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
 ---
- hw/gpio/aspeed_gpio.c | 2 --
+ hw/input/ps2.c | 9 ---------
-file changed, 2 deletions(-)
+file changed, 9 deletions(-)
-diff --git a/hw/gpio/aspeed_gpio.c b/hw/gpio/aspeed_gpio.c
+diff --git a/hw/input/ps2.c b/hw/input/ps2.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/gpio/aspeed_gpio.c
+--- a/hw/input/ps2.c
-+++ b/hw/gpio/aspeed_gpio.c
++++ b/hw/input/ps2.c
 @@ -XXX,XX +XXX,XX @@
-  * SPDX-License-Identifier: GPL-2.0-or-later
-  */
+ #include "trace.h"
--#include <assert.h>
+-/* debug PC keyboard */
 -//#define DEBUG_KBD
 -
- #include "qemu/osdep.h"
+-/* debug PC keyboard : only mouse */
- #include "qemu/host-utils.h"
+-//#define DEBUG_MOUSE
- #include "qemu/log.h"
+-
  /* Keyboard Commands */
  #define KBD_CMD_SET_LEDS    0xED    /* Set keyboard leds */
  #define KBD_CMD_ECHO         0xEE
@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
      PS2MouseState *s = (PS2MouseState *)opaque;
      trace_ps2_write_mouse(opaque, val);
 -#ifdef DEBUG_MOUSE
 -    printf("kbd: write mouse 0x%02x\n", val);
 -#endif
      switch(s->common.write_cmd) {
      default:
      case -1:
 --
 .20.1

-[PULL 10/11] dma/xlnx-zdma: Advance the descriptor address when stopping
+[PULL 4/9] target/openrisc: Remove dead code attempting to check "is timer disabled"
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+In the mtspr helper we attempt to check for "is the timer disabled"
 with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
 is zero and the condition is always false (Coverity complains about
 the dead code.)
-Advance the descriptor address when stopping the channel.
+The correct check would be to test whether the TTMR_M field in the
 register is equal to TIMER_NONE instead.  However, the
 cpu_openrisc_timer_update() function checks whether the timer is
 enabled (it looks at cpu->env.is_counting, which is set to 0 via
 cpu_openrisc_count_stop() when the TTMR_M field is set to
 TIMER_NONE), so there's no need to check for "timer disabled" in the
 target/openrisc code.  Instead, simply remove the dead code.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Fixes: Coverity CID 1005812
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Acked-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200402134721.27863-5-edgar.iglesias@gmail.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Stafford Horne <shorne@gmail.com>
+Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
 ---
- hw/dma/xlnx-zdma.c | 1 -
+ target/openrisc/sys_helper.c | 3 ---
-file changed, 1 deletion(-)
+file changed, 3 deletions(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/target/openrisc/sys_helper.c
-+++ b/hw/dma/xlnx-zdma.c
++++ b/target/openrisc/sys_helper.c
-@@ -XXX,XX +XXX,XX @@ static void zdma_process_descr(XlnxZDMA *s)
+@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
-     if (ptype == PT_REG || src_cmd == CMD_STOP) {
-         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_CTRL2, EN, 0);
+     case TO_SPR(10, 1): /* TTCR */
-         zdma_set_state(s, DISABLED);
+         cpu_openrisc_count_set(cpu, rb);
--        return;
+-        if (env->ttmr & TIMER_NONE) {
-     }
+-            return;
+-        }
-     if (src_cmd == CMD_HALT) {
+         cpu_openrisc_timer_update(cpu);
          break;
  #endif
 --
 .20.1

-[PULL 08/11] dma/xlnx-zdma: Populate DBG0.CMN_BUF_FREE
+[PULL 5/9] register: Remove unnecessary NULL check
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Alistair Francis <alistair.francis@wdc.com>
-Populate DBG0.CMN_BUF_FREE so that SW can see some free space.
+This patch fixes CID 1432800 by removing an unnecessary check.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Message-id: 20200402134721.27863-3-edgar.iglesias@gmail.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 6 ++++++
+ hw/core/register.c | 4 ----
-file changed, 6 insertions(+)
+file changed, 4 deletions(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/hw/core/register.c b/hw/core/register.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/hw/core/register.c
-+++ b/hw/dma/xlnx-zdma.c
++++ b/hw/core/register.c
-@@ -XXX,XX +XXX,XX @@ static RegisterAccessInfo zdma_regs_info[] = {
+@@ -XXX,XX +XXX,XX @@ static RegisterInfoArray *register_init_block(DeviceState *owner,
-     },{ .name = "ZDMA_CH_DBG0",  .addr = A_ZDMA_CH_DBG0,
+         int index = rae[i].addr / data_size;
-         .rsvd = 0xfffffe00,
+         RegisterInfo *r = &ri[index];
-         .ro = 0x1ff,
-+
+-        if (data + data_size * index == 0 || !&rae[i]) {
-+        /*
+-            continue;
-+         * There's SW out there that will check the debug regs for free space.
+-        }
-+         * Claim that we always have 0x100 free.
+-
-+         */
+         /* Init the register, this will zero it. */
-+        .reset = 0x100
+         object_initialize((void *)r, sizeof(*r), TYPE_REGISTER);
-     },{ .name = "ZDMA_CH_DBG1",  .addr = A_ZDMA_CH_DBG1,
          .rsvd = 0xfffffe00,
          .ro = 0x1ff,
 --
 .20.1

-[PULL 07/11] dma/xlnx-zdma: Remove comment
+[PULL 6/9] util/cutils: Fix Coverity array overrun in freq_to_str()
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Remove comment.
+Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+>>> Overrunning array "suffixes" of 7 8-byte elements at element
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+    index 7 (byte offset 63) using index "idx" (which evaluates to 7).
-Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
-Message-id: 20200402134721.27863-2-edgar.iglesias@gmail.com
+Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
 which is ~18.446 EHz, less than 1000 EHz.
 Reported-by: Eduardo Habkost <ehabkost@redhat.com>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
 Reviewed-by: Luc Michel <luc@lmichel.fr>
 Message-id: 20201101215755.2021421-1-f4bug@amsat.org
 Suggested-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 1 -
+ util/cutils.c | 3 ++-
-file changed, 1 deletion(-)
+file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/util/cutils.c b/util/cutils.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/util/cutils.c
-+++ b/hw/dma/xlnx-zdma.c
++++ b/util/cutils.c
-@@ -XXX,XX +XXX,XX @@ static void zdma_process_descr(XlnxZDMA *s)
+@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
-         zdma_src_done(s);
+     double freq = freq_hz;
      size_t idx = 0;
 -    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
 +    while (freq >= 1000.0) {
          freq /= 1000.0;
          idx++;
      }
++    assert(idx < ARRAY_SIZE(suffixes));
--    /* Load next descriptor.  */
-     if (ptype == PT_REG || src_cmd == CMD_STOP) {
+     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
-         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_CTRL2, EN, 0);
+ }
          zdma_set_state(s, DISABLED);
 --
 .20.1

-[PULL 04/11] target/arm: Remove obsolete TODO note from get_phys_addr_lpae()
+[PULL 7/9] configure: Make "does libgio work" test pull in some actual functions
-An old comment in get_phys_addr_lpae() claims that the code does not
+In commit 76346b6264a9b01979 we tried to add a configure check that
-support the different format TCR for VTCR_EL2.  This used to be true
+the libgio pkg-config data was correct, which builds an executable
-but it is not true now (in particular the aa64_va_parameters() and
+linked against it.  Unfortunately this doesn't catch the problem
-aa32_va_parameters() functions correctly handle the different
+(missing static library dependency info), because a "do nothing" test
-register format by checking whether the mmu_idx is Stage2).
+source file doesn't have any symbol references that cause the linker
-Remove the out of date parts of the comment.
+to pull in .o files from libgio.a, and so we don't see the "missing
 symbols from libmount" error that a full QEMU link triggers.
 (The ineffective test went unnoticed because of a typo that
 effectively disabled libgio unconditionally, but after commit
 a5dfc11f2 fixed that, a static link of the system emulator on
 Ubuntu stopped working again.)
 Improve the gio test by having the test source fragment reference a
 g_dbus function (which is what is indirectly causing us to end up
 wanting functions from libmount).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20200331143407.3186-1-peter.maydell@linaro.org
+Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 7 +------
+ configure | 11 +++++++++--
-file changed, 1 insertion(+), 6 deletions(-)
+file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/configure b/configure
-index XXXXXXX..XXXXXXX 100644
+index XXXXXXX..XXXXXXX 100755
---- a/target/arm/helper.c
+--- a/configure
-+++ b/target/arm/helper.c
++++ b/configure
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
+@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
-     bool aarch64 = arm_el_is_aa64(env, el);
+     # Check that the libraries actually work -- Ubuntu 18.04 ships
-     bool guarded = false;
+     # with pkg-config --static --libs data for gio-2.0 that is missing
+     # -lblkid and will give a link error.
--    /* TODO:
+-    write_c_skeleton
--     * This code does not handle the different format TCR for VTCR_EL2.
+-    if compile_prog "" "$gio_libs" ; then
--     * This code also does not support shareability levels.
++    cat > $TMPC <<EOF
--     * Attribute and permission bit handling should also be checked when adding
++#include <gio/gio.h>
--     * support for those page table walks.
++int main(void)
--     */
++{
-+    /* TODO: This code does not support shareability levels. */
++    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
-     if (aarch64) {
++    return 0;
-         param = aa64_va_parameters(env, address, mmu_idx,
++}
-                                    access_type != MMU_INST_FETCH);
++EOF
 +    if compile_prog "$gio_cflags" "$gio_libs" ; then
          gio=yes
      else
          gio=no
 --
 .20.1

-[PULL 02/11] hw/arm/collie: Put StrongARMState* into a CollieMachineState struct
+[PULL 8/9] hw/misc/tmp105: reset the T_low and T_High registers
-Coverity complains that the collie_init() function leaks the memory
+The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
-allocated in sa1110_init().  This is true but not significant since
+power-up reset values for the T_low and T_high registers are 80 degrees C
-the function is called only once on machine init and the memory must
+and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
-remain in existence until QEMU exits anyway.
+values are then shifted right by four bits to give the register reset
 values, since both registers store the 12 bits of temperature data in bits
 [15..4] of a 16 bit register.
-Still, we can avoid the technical memory leak by keeping the pointer
+We were resetting these registers to zero, which is problematic for Linux
-to the StrongARMState inside the machine state struct.  Switch from
+guests which enable the alert interrupt and then immediately take an
-the simple DEFINE_MACHINE() style to defining a subclass of
+unexpected overtemperature alert because the current temperature is above
-TYPE_MACHINE which extends the MachineState struct, and keep the
+freezing...
 pointer there.
-Fixes: CID 1421921
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
 Message-id: 20200326204919.22006-1-peter.maydell@linaro.org
 ---
- hw/arm/collie.c | 33 ++++++++++++++++++++++++++++-----
+ hw/misc/tmp105.c | 3 +++
-file changed, 28 insertions(+), 5 deletions(-)
+file changed, 3 insertions(+)
-diff --git a/hw/arm/collie.c b/hw/arm/collie.c
+diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/collie.c
+--- a/hw/misc/tmp105.c
-+++ b/hw/arm/collie.c
++++ b/hw/misc/tmp105.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
- #include "exec/address-spaces.h"
+     s->faults = tmp105_faultq[(s->config >> 3) & 3];
- #include "cpu.h"
+     s->alarm = 0;
-+typedef struct {
++    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
-+    MachineState parent;
++    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
 +
-+    StrongARMState *sa1110;
+     tmp105_interrupt_update(s);
 +} CollieMachineState;
 +
 +#define TYPE_COLLIE_MACHINE MACHINE_TYPE_NAME("collie")
 +#define COLLIE_MACHINE(obj) \
 +    OBJECT_CHECK(CollieMachineState, obj, TYPE_COLLIE_MACHINE)
 +
  static struct arm_boot_info collie_binfo = {
      .loader_start = SA_SDCS0,
      .ram_size = 0x20000000,
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info collie_binfo = {
  static void collie_init(MachineState *machine)
  {
 -    StrongARMState *s;
      DriveInfo *dinfo;
      MachineClass *mc = MACHINE_GET_CLASS(machine);
 +    CollieMachineState *cms = COLLIE_MACHINE(machine);
      if (machine->ram_size != mc->default_ram_size) {
          char *sz = size_to_str(mc->default_ram_size);
@@ -XXX,XX +XXX,XX @@ static void collie_init(MachineState *machine)
          exit(EXIT_FAILURE);
      }
 -    s = sa1110_init(machine->cpu_type);
 +    cms->sa1110 = sa1110_init(machine->cpu_type);
      memory_region_add_subregion(get_system_memory(), SA_SDCS0, machine->ram);
@@ -XXX,XX +XXX,XX @@ static void collie_init(MachineState *machine)
      sysbus_create_simple("scoop", 0x40800000, NULL);
      collie_binfo.board_id = 0x208;
 -    arm_load_kernel(s->cpu, machine, &collie_binfo);
 +    arm_load_kernel(cms->sa1110->cpu, machine, &collie_binfo);
  }
--static void collie_machine_init(MachineClass *mc)
-+static void collie_machine_class_init(ObjectClass *oc, void *data)
- {
-+    MachineClass *mc = MACHINE_CLASS(oc);
-+
-     mc->desc = "Sharp SL-5500 (Collie) PDA (SA-1110)";
-     mc->init = collie_init;
-     mc->ignore_memory_transaction_failures = true;
-@@ -XXX,XX +XXX,XX @@ static void collie_machine_init(MachineClass *mc)
-     mc->default_ram_id = "strongarm.sdram";
- }
--DEFINE_MACHINE("collie", collie_machine_init)
-+static const TypeInfo collie_machine_typeinfo = {
-+    .name = TYPE_COLLIE_MACHINE,
-+    .parent = TYPE_MACHINE,
-+    .class_init = collie_machine_class_init,
-+    .instance_size = sizeof(CollieMachineState),
-+};
-+
-+static void collie_machine_register_types(void)
-+{
-+    type_register_static(&collie_machine_typeinfo);
-+}
-+type_init(collie_machine_register_types);
 --
 .20.1

-[PULL 03/11] target/arm: PSTATE.PAN should not clear exec bits
+[PULL 9/9] tmp105: Correct handling of temperature limit checks
-Our implementation of the PSTATE.PAN bit incorrectly cleared all
+The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
-access permission bits for privileged access to memory which is
+signals an alert when the temperature equals or exceeds the T_high value and
-user-accessible.  It should only affect the privileged read and write
+then remains high until a device register is read or the device responds to
-permissions; execute permission is dealt with via XN/PXN instead.
+the SMBUS Alert Response address, or the device is put into Shutdown Mode.
 Thereafter the Alert pin will only be re-signalled when temperature falls
 below T_low; alert can then be cleared in the same set of ways, and the
 device returns to its initial "alert when temperature goes above T_high"
 mode. (If this textual description is confusing, see figure 3 in the
 TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)
-Fixes: 81636b70c226dc27d7ebc8d
+We were misimplementing this as a simple "always alert if temperature is
 above T_high or below T_low" condition, which gives a spurious alert on
 startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
 limit values.
 Implement the correct (hysteresis) behaviour by tracking whether we
 are currently looking for the temperature to rise over T_high or
 for it to fall below T_low. Our implementation of the comparator
 mode (TM==0) wasn't wrong, but rephrase it to match the way that
 interrupt mode is now handled for clarity.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20200330170651.20901-1-peter.maydell@linaro.org
+Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 6 ++++--
+ hw/misc/tmp105.h |  7 +++++
-file changed, 4 insertions(+), 2 deletions(-)
+ hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
 files changed, 68 insertions(+), 9 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/hw/misc/tmp105.h
-+++ b/target/arm/helper.c
++++ b/hw/misc/tmp105.h
-@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
+@@ -XXX,XX +XXX,XX @@ struct TMP105State {
-         prot_rw = user_rw;
+     int16_t limit[2];
      int faults;
      uint8_t alarm;
 +    /*
 +     * The TMP105 initially looks for a temperature rising above T_high;
 +     * once this is detected, the condition it looks for next is the
 +     * temperature falling below T_low. This flag is false when initially
 +     * looking for T_high, true when looking for T_low.
 +     */
 +    bool detect_falling;
  };
  #endif
 diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/tmp105.c
 +++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
              return;
      }
 -    if ((s->config >> 1) & 1) {                    /* TM */
 -        if (s->temperature >= s->limit[1])
 -            s->alarm = 1;
 -        else if (s->temperature < s->limit[0])
 -            s->alarm = 1;
 +    if (s->config >> 1 & 1) {
 +        /*
 +         * TM == 1 : Interrupt mode. We signal Alert when the
 +         * temperature rises above T_high, and expect the guest to clear
 +         * it (eg by reading a device register).
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 1;
 +                s->detect_falling = false;
 +            }
 +        } else {
 +            if (s->temperature >= s->limit[1]) {
 +                s->alarm = 1;
 +                s->detect_falling = true;
 +            }
 +        }
      } else {
-         if (user_rw && regime_is_pan(env, mmu_idx)) {
+-        if (s->temperature >= s->limit[1])
--            return 0;
+-            s->alarm = 1;
-+            /* PAN forbids data accesses but doesn't affect insn fetch */
+-        else if (s->temperature < s->limit[0])
-+            prot_rw = 0;
+-            s->alarm = 0;
 +        /*
 +         * TM == 0 : Comparator mode. We signal Alert when the temperature
 +         * rises above T_high, and stop signalling it when the temperature
 +         * falls below T_low.
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 0;
 +                s->detect_falling = false;
 +            }
 +        } else {
-+            prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
++            if (s->temperature >= s->limit[1]) {
-         }
++                s->alarm = 1;
--        prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
++                s->detect_falling = true;
 +            }
 +        }
      }
-     if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
+     tmp105_interrupt_update(s);
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
      return 0;
  }
 +static bool detect_falling_needed(void *opaque)
 +{
 +    TMP105State *s = opaque;
 +
 +    /*
 +     * We only need to migrate the detect_falling bool if it's set;
 +     * for migration from older machines we assume that it is false
 +     * (ie temperature is not out of range).
 +     */
 +    return s->detect_falling;
 +}
 +
 +static const VMStateDescription vmstate_tmp105_detect_falling = {
 +    .name = "TMP105/detect-falling",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = detect_falling_needed,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_BOOL(detect_falling, TMP105State),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
  static const VMStateDescription vmstate_tmp105 = {
      .name = "TMP105",
      .version_id = 0,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
          VMSTATE_UINT8(alarm, TMP105State),
          VMSTATE_I2C_SLAVE(i2c, TMP105State),
          VMSTATE_END_OF_LIST()
 +    },
 +    .subsections = (const VMStateDescription*[]) {
 +        &vmstate_tmp105_detect_falling,
 +        NULL
      }
  };
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
      s->config = 0;
      s->faults = tmp105_faultq[(s->config >> 3) & 3];
      s->alarm = 0;
 +    s->detect_falling = false;
      s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
      s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
 --
 .20.1

-[PULL 06/11] dump: Fix writing of ELF section
+Deleted patch
-In write_elf_section() we set the 'shdr' pointer to point to local
-structures shdr32 or shdr64, which we fill in to be written out to
-the ELF dump.  Unfortunately the address we pass to fd_write_vmcore()
-has a spurious '&' operator, so instead of writing out the section
-header we write out the literal pointer value followed by whatever is
-on the stack after the 'shdr' local variable.
-Pass the correct address into fd_write_vmcore().
-Spotted by Coverity: CID 1421970.
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200324173630.12221-1-peter.maydell@linaro.org
----
- dump/dump.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/dump/dump.c b/dump/dump.c
-index XXXXXXX..XXXXXXX 100644
---- a/dump/dump.c
-+++ b/dump/dump.c
-@@ -XXX,XX +XXX,XX @@ static void write_elf_section(DumpState *s, int type, Error **errp)
-         shdr = &shdr64;
-     }
--    ret = fd_write_vmcore(&shdr, shdr_size, s);
-+    ret = fd_write_vmcore(shdr, shdr_size, s);
-     if (ret < 0) {
-         error_setg_errno(errp, -ret,
-                          "dump: failed to write section header table");
---
-.20.1

A collection of bug fixes for rc2...

The following changes since commit 146aa0f104bb3bf88e43c4082a0bfc4bbda4fbd8:

Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2020-04-03 15:30:11 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200406

for you to fetch changes up to 8893790966d9c964557ad01be4a68ef50696ace8:

dma/xlnx-zdma: Reorg to fix CUR_DSCR (2020-04-06 10:59:56 +0100)

----------------------------------------------------------------
target-arm queue:
 * don't expose "ieee_half" via gdbstub (prevents gdb crashes or errors
   with older GDB versions)
 * hw/arm/collie: Put StrongARMState* into a CollieMachineState struct
 * PSTATE.PAN should not clear exec bits
 * hw/gpio/aspeed_gpio.c: Don't directly include assert.h
   (fixes compilation on some Windows build scenarios)
 * dump: Fix writing of ELF section
 * dma/xlnx-zdma: various bug fixes
 * target/arm/helperc. delete obsolete TODO comment

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: don't expose "ieee_half" via gdbstub

Edgar E. Iglesias (5):
      dma/xlnx-zdma: Remove comment
      dma/xlnx-zdma: Populate DBG0.CMN_BUF_FREE
      dma/xlnx-zdma: Clear DMA_DONE when halting
      dma/xlnx-zdma: Advance the descriptor address when stopping
      dma/xlnx-zdma: Reorg to fix CUR_DSCR

Peter Maydell (5):
      hw/arm/collie: Put StrongARMState* into a CollieMachineState struct
      target/arm: PSTATE.PAN should not clear exec bits
      target/arm: Remove obsolete TODO note from get_phys_addr_lpae()
      hw/gpio/aspeed_gpio.c: Don't directly include assert.h
      dump: Fix writing of ELF section

From: Alex Bennée <alex.bennee@linaro.org>

While support for parsing ieee_half in the XML description was added
to gdb in 2019 (a6d0f249) there is no easy way for the gdbstub to know
if the gdb end will understand it. Disable it for now and allow older
gdbs to successfully connect to the default -cpu max SVE enabled
QEMUs.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200402143913.24005-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ static const struct TypeSize vec_lanes[] = {
     /* 16 bit */
     { "uint16", 16, 'h', 'u' },
     { "int16", 16, 'h', 's' },
-    { "ieee_half", 16, 'h', 'f' },
+    /*
+     * TODO: currently there is no reliable way of telling
+     * if the remote gdb actually understands ieee_half so
+     * we don't expose it in the target description for now.
+     * { "ieee_half", 16, 'h', 'f' },
+     */
     /* bytes */
     { "uint8", 8, 'b', 'u' },
     { "int8", 8, 'b', 's' },
-- 
2.20.1

Coverity complains that the collie_init() function leaks the memory
allocated in sa1110_init().  This is true but not significant since
the function is called only once on machine init and the memory must
remain in existence until QEMU exits anyway.

Still, we can avoid the technical memory leak by keeping the pointer
to the StrongARMState inside the machine state struct.  Switch from
the simple DEFINE_MACHINE() style to defining a subclass of
TYPE_MACHINE which extends the MachineState struct, and keep the
pointer there.

Fixes: CID 1421921
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200326204919.22006-1-peter.maydell@linaro.org
---
 hw/arm/collie.c | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/hw/arm/collie.c b/hw/arm/collie.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/collie.c
+++ b/hw/arm/collie.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/address-spaces.h"
 #include "cpu.h"
 
+typedef struct {
+    MachineState parent;
+
+    StrongARMState *sa1110;
+} CollieMachineState;
+
+#define TYPE_COLLIE_MACHINE MACHINE_TYPE_NAME("collie")
+#define COLLIE_MACHINE(obj) \
+    OBJECT_CHECK(CollieMachineState, obj, TYPE_COLLIE_MACHINE)
+
 static struct arm_boot_info collie_binfo = {
     .loader_start = SA_SDCS0,
     .ram_size = 0x20000000,
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info collie_binfo = {
 
 static void collie_init(MachineState *machine)
 {
-    StrongARMState *s;
     DriveInfo *dinfo;
     MachineClass *mc = MACHINE_GET_CLASS(machine);
+    CollieMachineState *cms = COLLIE_MACHINE(machine);
 
     if (machine->ram_size != mc->default_ram_size) {
         char *sz = size_to_str(mc->default_ram_size);
@@ -XXX,XX +XXX,XX @@ static void collie_init(MachineState *machine)
         exit(EXIT_FAILURE);
     }
 
-    s = sa1110_init(machine->cpu_type);
+    cms->sa1110 = sa1110_init(machine->cpu_type);
 
     memory_region_add_subregion(get_system_memory(), SA_SDCS0, machine->ram);
 
@@ -XXX,XX +XXX,XX @@ static void collie_init(MachineState *machine)
     sysbus_create_simple("scoop", 0x40800000, NULL);
 
     collie_binfo.board_id = 0x208;
-    arm_load_kernel(s->cpu, machine, &collie_binfo);
+    arm_load_kernel(cms->sa1110->cpu, machine, &collie_binfo);
 }
 
-static void collie_machine_init(MachineClass *mc)
+static void collie_machine_class_init(ObjectClass *oc, void *data)
 {
+    MachineClass *mc = MACHINE_CLASS(oc);
+
     mc->desc = "Sharp SL-5500 (Collie) PDA (SA-1110)";
     mc->init = collie_init;
     mc->ignore_memory_transaction_failures = true;
@@ -XXX,XX +XXX,XX @@ static void collie_machine_init(MachineClass *mc)
     mc->default_ram_id = "strongarm.sdram";
 }
 
-DEFINE_MACHINE("collie", collie_machine_init)
+static const TypeInfo collie_machine_typeinfo = {
+    .name = TYPE_COLLIE_MACHINE,
+    .parent = TYPE_MACHINE,
+    .class_init = collie_machine_class_init,
+    .instance_size = sizeof(CollieMachineState),
+};
+
+static void collie_machine_register_types(void)
+{
+    type_register_static(&collie_machine_typeinfo);
+}
+type_init(collie_machine_register_types);
-- 
2.20.1

Our implementation of the PSTATE.PAN bit incorrectly cleared all
access permission bits for privileged access to memory which is
user-accessible.  It should only affect the privileged read and write
permissions; execute permission is dealt with via XN/PXN instead.

Fixes: 81636b70c226dc27d7ebc8d
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200330170651.20901-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
         prot_rw = user_rw;
     } else {
         if (user_rw && regime_is_pan(env, mmu_idx)) {
-            return 0;
+            /* PAN forbids data accesses but doesn't affect insn fetch */
+            prot_rw = 0;
+        } else {
+            prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
         }
-        prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
     }
 
     if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
-- 
2.20.1

An old comment in get_phys_addr_lpae() claims that the code does not
support the different format TCR for VTCR_EL2.  This used to be true
but it is not true now (in particular the aa64_va_parameters() and
aa32_va_parameters() functions correctly handle the different
register format by checking whether the mmu_idx is Stage2).
Remove the out of date parts of the comment.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200331143407.3186-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
     bool aarch64 = arm_el_is_aa64(env, el);
     bool guarded = false;
 
-    /* TODO:
-     * This code does not handle the different format TCR for VTCR_EL2.
-     * This code also does not support shareability levels.
-     * Attribute and permission bit handling should also be checked when adding
-     * support for those page table walks.
-     */
+    /* TODO: This code does not support shareability levels. */
     if (aarch64) {
         param = aa64_va_parameters(env, address, mmu_idx,
                                    access_type != MMU_INST_FETCH);
-- 
2.20.1

In write_elf_section() we set the 'shdr' pointer to point to local
structures shdr32 or shdr64, which we fill in to be written out to
the ELF dump.  Unfortunately the address we pass to fd_write_vmcore()
has a spurious '&' operator, so instead of writing out the section
header we write out the literal pointer value followed by whatever is
on the stack after the 'shdr' local variable.

Pass the correct address into fd_write_vmcore().

Spotted by Coverity: CID 1421970.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200324173630.12221-1-peter.maydell@linaro.org
---
 dump/dump.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dump/dump.c b/dump/dump.c
index XXXXXXX..XXXXXXX 100644
--- a/dump/dump.c
+++ b/dump/dump.c
@@ -XXX,XX +XXX,XX @@ static void write_elf_section(DumpState *s, int type, Error **errp)
         shdr = &shdr64;
     }
 
-    ret = fd_write_vmcore(&shdr, shdr_size, s);
+    ret = fd_write_vmcore(shdr, shdr_size, s);
     if (ret < 0) {
         error_setg_errno(errp, -ret,
                          "dump: failed to write section header table");
-- 
2.20.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Populate DBG0.CMN_BUF_FREE so that SW can see some free space.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20200402134721.27863-3-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/dma/xlnx-zdma.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/xlnx-zdma.c
+++ b/hw/dma/xlnx-zdma.c
@@ -XXX,XX +XXX,XX @@ static RegisterAccessInfo zdma_regs_info[] = {
     },{ .name = "ZDMA_CH_DBG0",  .addr = A_ZDMA_CH_DBG0,
         .rsvd = 0xfffffe00,
         .ro = 0x1ff,
+
+        /*
+         * There's SW out there that will check the debug regs for free space.
+         * Claim that we always have 0x100 free.
+         */
+        .reset = 0x100
     },{ .name = "ZDMA_CH_DBG1",  .addr = A_ZDMA_CH_DBG1,
         .rsvd = 0xfffffe00,
         .ro = 0x1ff,
-- 
2.20.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Reorganize the descriptor handling so that CUR_DSCR always
points to the next descriptor to be processed.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20200402134721.27863-6-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/dma/xlnx-zdma.c | 47 ++++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/xlnx-zdma.c
+++ b/hw/dma/xlnx-zdma.c
@@ -XXX,XX +XXX,XX @@ static void zdma_load_src_descriptor(XlnxZDMA *s)
     }
 }
 
+static void zdma_update_descr_addr(XlnxZDMA *s, bool type,
+                                   unsigned int basereg)
+{
+    uint64_t addr, next;
+
+    if (type == DTYPE_LINEAR) {
+        addr = zdma_get_regaddr64(s, basereg);
+        next = addr + sizeof(s->dsc_dst);
+    } else {
+        addr = zdma_get_regaddr64(s, basereg);
+        addr += sizeof(s->dsc_dst);
+        address_space_read(s->dma_as, addr, s->attr, (void *) &next, 8);
+    }
+
+    zdma_put_regaddr64(s, basereg, next);
+}
+
 static void zdma_load_dst_descriptor(XlnxZDMA *s)
 {
     uint64_t dst_addr;
     unsigned int ptype = ARRAY_FIELD_EX32(s->regs, ZDMA_CH_CTRL0, POINT_TYPE);
+    bool dst_type;
 
     if (ptype == PT_REG) {
         memcpy(&s->dsc_dst, &s->regs[R_ZDMA_CH_DST_DSCR_WORD0],
@@ -XXX,XX +XXX,XX @@ static void zdma_load_dst_descriptor(XlnxZDMA *s)
     if (!zdma_load_descriptor(s, dst_addr, &s->dsc_dst)) {
         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, AXI_RD_DST_DSCR, true);
     }
-}
 
-static uint64_t zdma_update_descr_addr(XlnxZDMA *s, bool type,
-                                       unsigned int basereg)
-{
-    uint64_t addr, next;
-
-    if (type == DTYPE_LINEAR) {
-        next = zdma_get_regaddr64(s, basereg);
-        next += sizeof(s->dsc_dst);
-        zdma_put_regaddr64(s, basereg, next);
-    } else {
-        addr = zdma_get_regaddr64(s, basereg);
-        addr += sizeof(s->dsc_dst);
-        address_space_read(s->dma_as, addr, s->attr, &next, 8);
-        zdma_put_regaddr64(s, basereg, next);
-    }
-    return next;
+    /* Advance the descriptor pointer.  */
+    dst_type = FIELD_EX32(s->dsc_dst.words[3], ZDMA_CH_DST_DSCR_WORD3, TYPE);
+    zdma_update_descr_addr(s, dst_type, R_ZDMA_CH_DST_CUR_DSCR_LSB);
 }
 
 static void zdma_write_dst(XlnxZDMA *s, uint8_t *buf, uint32_t len)
@@ -XXX,XX +XXX,XX @@ static void zdma_write_dst(XlnxZDMA *s, uint8_t *buf, uint32_t len)
         dst_size = FIELD_EX32(s->dsc_dst.words[2], ZDMA_CH_DST_DSCR_WORD2,
                               SIZE);
         if (dst_size == 0 && ptype == PT_MEM) {
-            uint64_t next;
-            bool dst_type = FIELD_EX32(s->dsc_dst.words[3],
-                                       ZDMA_CH_DST_DSCR_WORD3,
-                                       TYPE);
-
-            next = zdma_update_descr_addr(s, dst_type,
-                                          R_ZDMA_CH_DST_CUR_DSCR_LSB);
-            zdma_load_descriptor(s, next, &s->dsc_dst);
+            zdma_load_dst_descriptor(s);
             dst_size = FIELD_EX32(s->dsc_dst.words[2], ZDMA_CH_DST_DSCR_WORD2,
                                   SIZE);
         }
-- 
2.20.1

Arm queue; bugfixes only.

thanks
-- PMM

The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117

for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:

tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: ARM_VIRT must select ARM_GIC
 * exynos: Fix bad printf format specifiers
 * hw/input/ps2.c: Remove remnants of printf debug
 * target/openrisc: Remove dead code attempting to check "is timer disabled"
 * register: Remove unnecessary NULL check
 * util/cutils: Fix Coverity array overrun in freq_to_str()
 * configure: Make "does libgio work" test pull in some actual functions
 * tmp105: reset the T_low and T_High registers
 * tmp105: Correct handling of temperature limit checks

----------------------------------------------------------------
Alex Chen (1):
      exynos: Fix bad printf format specifiers

Alistair Francis (1):
      register: Remove unnecessary NULL check

Andrew Jones (1):
      hw/arm/virt: ARM_VIRT must select ARM_GIC

Peter Maydell (5):
      hw/input/ps2.c: Remove remnants of printf debug
      target/openrisc: Remove dead code attempting to check "is timer disabled"
      configure: Make "does libgio work" test pull in some actual functions
      hw/misc/tmp105: reset the T_low and T_High registers
      tmp105: Correct handling of temperature limit checks

Philippe Mathieu-Daudé (1):
      util/cutils: Fix Coverity array overrun in freq_to_str()

From: Alex Chen <alex.chen@huawei.com>

We should use printf format specifier "%u" instead of "%d" for
argument of type "unsigned int".

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Message-id: 20201111073651.72804-1-alex.chen@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/exynos4210_mct.c | 4 ++--
 hw/timer/exynos4210_pwm.c | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_mct.c
+++ b/hw/timer/exynos4210_mct.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
     /* If CSTAT is pending and IRQ is enabled */
     if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
             (s->reg.int_enb & G_INT_ENABLE(id))) {
-        DPRINTF("gcmp timer[%d] IRQ\n", id);
+        DPRINTF("gcmp timer[%u] IRQ\n", id);
         qemu_irq_raise(s->irq[id]);
     }
 }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
                     MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
 
     if (freq != s->freq) {
-        DPRINTF("freq=%dHz\n", s->freq);
+        DPRINTF("freq=%uHz\n", s->freq);
 
         /* global timer */
         tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_pwm.c
+++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
 
     if (freq != s->timer[id].freq) {
         ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
-        DPRINTF("freq=%dHz\n", s->timer[id].freq);
+        DPRINTF("freq=%uHz\n", s->timer[id].freq);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     uint32_t id = s->id;
     bool cmp;
 
-    DPRINTF("timer %d tick\n", id);
+    DPRINTF("timer %u tick\n", id);
 
     /* set irq status */
     p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
 
     /* raise IRQ */
     if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
-        DPRINTF("timer %d IRQ\n", id);
+        DPRINTF("timer %u IRQ\n", id);
         qemu_irq_raise(p->timer[id].irq);
     }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     }
 
     if (cmp) {
-        DPRINTF("auto reload timer %d count to %x\n", id,
+        DPRINTF("auto reload timer %u count to %x\n", id,
                 p->timer[id].reg_tcntb);
         ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
         ptimer_run(p->timer[id].ptimer, 1);
-- 
2.20.1

In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
and mouse emulation. However we didn't remove all the debug-by-printf
support. In fact there is only one printf() remaining, and it is
redundant with the trace_ps2_write_mouse() event next to it.
Remove the printf() and the now-unused DEBUG* macros.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
---
 hw/input/ps2.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -XXX,XX +XXX,XX @@
 
 #include "trace.h"
 
-/* debug PC keyboard */
-//#define DEBUG_KBD
-
-/* debug PC keyboard : only mouse */
-//#define DEBUG_MOUSE
-
 /* Keyboard Commands */
 #define KBD_CMD_SET_LEDS	0xED	/* Set keyboard leds */
 #define KBD_CMD_ECHO     	0xEE
@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
     PS2MouseState *s = (PS2MouseState *)opaque;
 
     trace_ps2_write_mouse(opaque, val);
-#ifdef DEBUG_MOUSE
-    printf("kbd: write mouse 0x%02x\n", val);
-#endif
     switch(s->common.write_cmd) {
     default:
     case -1:
-- 
2.20.1

In the mtspr helper we attempt to check for "is the timer disabled"
with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
is zero and the condition is always false (Coverity complains about
the dead code.)

The correct check would be to test whether the TTMR_M field in the
register is equal to TIMER_NONE instead.  However, the
cpu_openrisc_timer_update() function checks whether the timer is
enabled (it looks at cpu->env.is_counting, which is set to 0 via
cpu_openrisc_count_stop() when the TTMR_M field is set to
TIMER_NONE), so there's no need to check for "timer disabled" in the
target/openrisc code.  Instead, simply remove the dead code.

Fixes: Coverity CID 1005812
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
---
 target/openrisc/sys_helper.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/sys_helper.c
+++ b/target/openrisc/sys_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
 
     case TO_SPR(10, 1): /* TTCR */
         cpu_openrisc_count_set(cpu, rb);
-        if (env->ttmr & TIMER_NONE) {
-            return;
-        }
         cpu_openrisc_timer_update(cpu);
         break;
 #endif
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):

>>> Overrunning array "suffixes" of 7 8-byte elements at element
    index 7 (byte offset 63) using index "idx" (which evaluates to 7).

Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
which is ~18.446 EHz, less than 1000 EHz.

Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Luc Michel <luc@lmichel.fr>
Message-id: 20201101215755.2021421-1-f4bug@amsat.org
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 util/cutils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/cutils.c b/util/cutils.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
     double freq = freq_hz;
     size_t idx = 0;
 
-    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
+    while (freq >= 1000.0) {
         freq /= 1000.0;
         idx++;
     }
+    assert(idx < ARRAY_SIZE(suffixes));
 
     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
 }
-- 
2.20.1

In commit 76346b6264a9b01979 we tried to add a configure check that
the libgio pkg-config data was correct, which builds an executable
linked against it.  Unfortunately this doesn't catch the problem
(missing static library dependency info), because a "do nothing" test
source file doesn't have any symbol references that cause the linker
to pull in .o files from libgio.a, and so we don't see the "missing
symbols from libmount" error that a full QEMU link triggers.

(The ineffective test went unnoticed because of a typo that
effectively disabled libgio unconditionally, but after commit
3569a5dfc11f2 fixed that, a static link of the system emulator on
Ubuntu stopped working again.)

Improve the gio test by having the test source fragment reference a
g_dbus function (which is what is indirectly causing us to end up
wanting functions from libmount).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
---
 configure | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index XXXXXXX..XXXXXXX 100755
--- a/configure
+++ b/configure
@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
     # Check that the libraries actually work -- Ubuntu 18.04 ships
     # with pkg-config --static --libs data for gio-2.0 that is missing
     # -lblkid and will give a link error.
-    write_c_skeleton
-    if compile_prog "" "$gio_libs" ; then
+    cat > $TMPC <<EOF
+#include <gio/gio.h>
+int main(void)
+{
+    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
+    return 0;
+}
+EOF
+    if compile_prog "$gio_cflags" "$gio_libs" ; then
         gio=yes
     else
         gio=no
-- 
2.20.1

The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
power-up reset values for the T_low and T_high registers are 80 degrees C
and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
values are then shifted right by four bits to give the register reset
values, since both registers store the 12 bits of temperature data in bits
[15..4] of a 16 bit register.

We were resetting these registers to zero, which is problematic for Linux
guests which enable the alert interrupt and then immediately take an
unexpected overtemperature alert because the current temperature is above
freezing...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
---
 hw/misc/tmp105.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
 
+    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
+    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
+
     tmp105_interrupt_update(s);
 }
 
-- 
2.20.1

The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
signals an alert when the temperature equals or exceeds the T_high value and
then remains high until a device register is read or the device responds to
the SMBUS Alert Response address, or the device is put into Shutdown Mode.
Thereafter the Alert pin will only be re-signalled when temperature falls
below T_low; alert can then be cleared in the same set of ways, and the
device returns to its initial "alert when temperature goes above T_high"
mode. (If this textual description is confusing, see figure 3 in the
TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)

We were misimplementing this as a simple "always alert if temperature is
above T_high or below T_low" condition, which gives a spurious alert on
startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
limit values.

Implement the correct (hysteresis) behaviour by tracking whether we
are currently looking for the temperature to rise over T_high or
for it to fall below T_low. Our implementation of the comparator
mode (TM==0) wasn't wrong, but rephrase it to match the way that
interrupt mode is now handled for clarity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
---
 hw/misc/tmp105.h |  7 +++++
 hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.h
+++ b/hw/misc/tmp105.h
@@ -XXX,XX +XXX,XX @@ struct TMP105State {
     int16_t limit[2];
     int faults;
     uint8_t alarm;
+    /*
+     * The TMP105 initially looks for a temperature rising above T_high;
+     * once this is detected, the condition it looks for next is the
+     * temperature falling below T_low. This flag is false when initially
+     * looking for T_high, true when looking for T_low.
+     */
+    bool detect_falling;
 };
 
 #endif
diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
             return;
     }
 
-    if ((s->config >> 1) & 1) {					/* TM */
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 1;
+    if (s->config >> 1 & 1) {
+        /*
+         * TM == 1 : Interrupt mode. We signal Alert when the
+         * temperature rises above T_high, and expect the guest to clear
+         * it (eg by reading a device register).
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 1;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     } else {
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 0;
+        /*
+         * TM == 0 : Comparator mode. We signal Alert when the temperature
+         * rises above T_high, and stop signalling it when the temperature
+         * falls below T_low.
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 0;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     }
 
     tmp105_interrupt_update(s);
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool detect_falling_needed(void *opaque)
+{
+    TMP105State *s = opaque;
+
+    /*
+     * We only need to migrate the detect_falling bool if it's set;
+     * for migration from older machines we assume that it is false
+     * (ie temperature is not out of range).
+     */
+    return s->detect_falling;
+}
+
+static const VMStateDescription vmstate_tmp105_detect_falling = {
+    .name = "TMP105/detect-falling",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = detect_falling_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_BOOL(detect_falling, TMP105State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_tmp105 = {
     .name = "TMP105",
     .version_id = 0,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
         VMSTATE_UINT8(alarm, TMP105State),
         VMSTATE_I2C_SLAVE(i2c, TMP105State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_tmp105_detect_falling,
+        NULL
     }
 };
 
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->config = 0;
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
+    s->detect_falling = false;
 
     s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
     s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
-- 
2.20.1