Series comparison

-[PULL 0/9] target-arm queue
+[PULL 0/2] target-arm queue
-Arm queue; bugfixes only.
+Two bug fixes for 9.0...
-thanks
 -- PMM
-The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:
+The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:
-  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)
+  Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408
-for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:
+for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:
-  tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)
+  target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm:
- * hw/arm/virt: ARM_VIRT must select ARM_GIC
+ * Use correct SecuritySpace for AArch64 AT ops at EL3
- * exynos: Fix bad printf format specifiers
+ * Fix CNTPOFF_EL2 trap to missing EL3
  * hw/input/ps2.c: Remove remnants of printf debug
  * target/openrisc: Remove dead code attempting to check "is timer disabled"
  * register: Remove unnecessary NULL check
  * util/cutils: Fix Coverity array overrun in freq_to_str()
  * configure: Make "does libgio work" test pull in some actual functions
  * tmp105: reset the T_low and T_High registers
  * tmp105: Correct handling of temperature limit checks
 ----------------------------------------------------------------
-Alex Chen (1):
+Peter Maydell (1):
-      exynos: Fix bad printf format specifiers
+      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
-Alistair Francis (1):
+Pierre-Clément Tosi (1):
-      register: Remove unnecessary NULL check
+      target/arm: Fix CNTPOFF_EL2 trap to missing EL3
-Andrew Jones (1):
+ target/arm/helper.c | 10 +++++++---
-      hw/arm/virt: ARM_VIRT must select ARM_GIC
+file changed, 7 insertions(+), 3 deletions(-)
-Peter Maydell (5):
-      hw/input/ps2.c: Remove remnants of printf debug
-      target/openrisc: Remove dead code attempting to check "is timer disabled"
-      configure: Make "does libgio work" test pull in some actual functions
-      hw/misc/tmp105: reset the T_low and T_High registers
-      tmp105: Correct handling of temperature limit checks
-Philippe Mathieu-Daudé (1):
-      util/cutils: Fix Coverity array overrun in freq_to_str()
- configure                    | 11 +++++--
- hw/misc/tmp105.h             |  7 +++++
- hw/core/register.c           |  4 ---
- hw/input/ps2.c               |  9 ------
- hw/misc/tmp105.c             | 73 ++++++++++++++++++++++++++++++++++++++------
- hw/timer/exynos4210_mct.c    |  4 +--
- hw/timer/exynos4210_pwm.c    |  8 ++---
- target/openrisc/sys_helper.c |  3 --
- util/cutils.c                |  3 +-
- hw/arm/Kconfig               |  1 +
-files changed, 89 insertions(+), 34 deletions(-)

-[PULL 1/9] hw/arm/virt: ARM_VIRT must select ARM_GIC
+Deleted patch
-From: Andrew Jones <drjones@redhat.com>
-The removal of the selection of A15MPCORE from ARM_VIRT also
-removed what A15MPCORE selects, ARM_GIC. We still need ARM_GIC.
-Fixes: bec3c97e0cf9 ("hw/arm/virt: Remove dependency on Cortex-A15 MPCore peripherals")
-Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
-Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20201111143440.112763-1-drjones@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/Kconfig | 1 +
-file changed, 1 insertion(+)
-diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Kconfig
-+++ b/hw/arm/Kconfig
-@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
-     imply VFIO_PLATFORM
-     imply VFIO_XGMAC
-     imply TPM_TIS_SYSBUS
-+    select ARM_GIC
-     select ACPI
-     select ARM_SMMUV3
-     select GPIO_KEY
---
-.20.1

-[PULL 2/9] exynos: Fix bad printf format specifiers
+[PULL 1/2] target/arm: Fix CNTPOFF_EL2 trap to missing EL3
-From: Alex Chen <alex.chen@huawei.com>
+From: Pierre-Clément Tosi <ptosi@google.com>
-We should use printf format specifier "%u" instead of "%d" for
+EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
-argument of type "unsigned int".
+present, as described by the reference manual (for MRS):
-Reported-by: Euler Robot <euler.robot@huawei.com>
+  /* ... */
-Signed-off-by: Alex Chen <alex.chen@huawei.com>
+  elsif PSTATE.EL == EL2 then
-Message-id: 20201111073651.72804-1-alex.chen@huawei.com
+      if Halted() && HaveEL(EL3) && /*...*/ then
           UNDEFINED;
       elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
           /* ... */
       else
           X[t, 64] = CNTPOFF_EL2;
 However, the existing implementation of gt_cntpoff_access() always
 returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
 pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
 is always true, which is wrong. As a result, QEMU panics in
 access_check_cp_reg() when started without EL3 and running EL2 code
 accessing the register (e.g. any recent KVM booting a guest).
 Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().
 Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
 Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
 Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/exynos4210_mct.c | 4 ++--
+ target/arm/helper.c | 3 ++-
- hw/timer/exynos4210_pwm.c | 8 ++++----
+file changed, 2 insertions(+), 1 deletion(-)
 files changed, 6 insertions(+), 6 deletions(-)
-diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/exynos4210_mct.c
+--- a/target/arm/helper.c
-+++ b/hw/timer/exynos4210_mct.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
-     /* If CSTAT is pending and IRQ is enabled */
+                                         const ARMCPRegInfo *ri,
-     if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
+                                         bool isread)
-             (s->reg.int_enb & G_INT_ENABLE(id))) {
+ {
--        DPRINTF("gcmp timer[%d] IRQ\n", id);
+-    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
-+        DPRINTF("gcmp timer[%u] IRQ\n", id);
++    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
-         qemu_irq_raise(s->irq[id]);
++        !(env->cp15.scr_el3 & SCR_ECVEN)) {
          return CP_ACCESS_TRAP_EL3;
      }
- }
+     return CP_ACCESS_OK;
@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
                      MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
      if (freq != s->freq) {
 -        DPRINTF("freq=%dHz\n", s->freq);
 +        DPRINTF("freq=%uHz\n", s->freq);
          /* global timer */
          tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
 diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/timer/exynos4210_pwm.c
 +++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
      if (freq != s->timer[id].freq) {
          ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
 -        DPRINTF("freq=%dHz\n", s->timer[id].freq);
 +        DPRINTF("freq=%uHz\n", s->timer[id].freq);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
      uint32_t id = s->id;
      bool cmp;
 -    DPRINTF("timer %d tick\n", id);
 +    DPRINTF("timer %u tick\n", id);
      /* set irq status */
      p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
      /* raise IRQ */
      if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
 -        DPRINTF("timer %d IRQ\n", id);
 +        DPRINTF("timer %u IRQ\n", id);
          qemu_irq_raise(p->timer[id].irq);
      }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
      }
      if (cmp) {
 -        DPRINTF("auto reload timer %d count to %x\n", id,
 +        DPRINTF("auto reload timer %u count to %x\n", id,
                  p->timer[id].reg_tcntb);
          ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
          ptimer_run(p->timer[id].ptimer, 1);
 --
-.20.1
+.34.1

-[PULL 3/9] hw/input/ps2.c: Remove remnants of printf debug
+Deleted patch
-In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
-and mouse emulation. However we didn't remove all the debug-by-printf
-support. In fact there is only one printf() remaining, and it is
-redundant with the trace_ps2_write_mouse() event next to it.
-Remove the printf() and the now-unused DEBUG* macros.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
----
- hw/input/ps2.c | 9 ---------
-file changed, 9 deletions(-)
-diff --git a/hw/input/ps2.c b/hw/input/ps2.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/input/ps2.c
-+++ b/hw/input/ps2.c
-@@ -XXX,XX +XXX,XX @@
- #include "trace.h"
--/* debug PC keyboard */
--//#define DEBUG_KBD
--
--/* debug PC keyboard : only mouse */
--//#define DEBUG_MOUSE
--
- /* Keyboard Commands */
- #define KBD_CMD_SET_LEDS    0xED    /* Set keyboard leds */
- #define KBD_CMD_ECHO         0xEE
-@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
-     PS2MouseState *s = (PS2MouseState *)opaque;
-     trace_ps2_write_mouse(opaque, val);
--#ifdef DEBUG_MOUSE
--    printf("kbd: write mouse 0x%02x\n", val);
--#endif
-     switch(s->common.write_cmd) {
-     default:
-     case -1:
---
-.20.1

-[PULL 4/9] target/openrisc: Remove dead code attempting to check "is timer disabled"
+Deleted patch
-In the mtspr helper we attempt to check for "is the timer disabled"
-with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
-is zero and the condition is always false (Coverity complains about
-the dead code.)
-The correct check would be to test whether the TTMR_M field in the
-register is equal to TIMER_NONE instead.  However, the
-cpu_openrisc_timer_update() function checks whether the timer is
-enabled (it looks at cpu->env.is_counting, which is set to 0 via
-cpu_openrisc_count_stop() when the TTMR_M field is set to
-TIMER_NONE), so there's no need to check for "timer disabled" in the
-target/openrisc code.  Instead, simply remove the dead code.
-Fixes: Coverity CID 1005812
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Acked-by: Stafford Horne <shorne@gmail.com>
-Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
----
- target/openrisc/sys_helper.c | 3 ---
-file changed, 3 deletions(-)
-diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/openrisc/sys_helper.c
-+++ b/target/openrisc/sys_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
-     case TO_SPR(10, 1): /* TTCR */
-         cpu_openrisc_count_set(cpu, rb);
--        if (env->ttmr & TIMER_NONE) {
--            return;
--        }
-         cpu_openrisc_timer_update(cpu);
-         break;
- #endif
---
-.20.1

-[PULL 5/9] register: Remove unnecessary NULL check
+Deleted patch
-From: Alistair Francis <alistair.francis@wdc.com>
-This patch fixes CID 1432800 by removing an unnecessary check.
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/core/register.c | 4 ----
-file changed, 4 deletions(-)
-diff --git a/hw/core/register.c b/hw/core/register.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/register.c
-+++ b/hw/core/register.c
-@@ -XXX,XX +XXX,XX @@ static RegisterInfoArray *register_init_block(DeviceState *owner,
-         int index = rae[i].addr / data_size;
-         RegisterInfo *r = &ri[index];
--        if (data + data_size * index == 0 || !&rae[i]) {
--            continue;
--        }
--
-         /* Init the register, this will zero it. */
-         object_initialize((void *)r, sizeof(*r), TYPE_REGISTER);
---
-.20.1

-[PULL 6/9] util/cutils: Fix Coverity array overrun in freq_to_str()
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):
->>> Overrunning array "suffixes" of 7 8-byte elements at element
-    index 7 (byte offset 63) using index "idx" (which evaluates to 7).
-Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
-which is ~18.446 EHz, less than 1000 EHz.
-Reported-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
-Reviewed-by: Luc Michel <luc@lmichel.fr>
-Message-id: 20201101215755.2021421-1-f4bug@amsat.org
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- util/cutils.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/util/cutils.c b/util/cutils.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/cutils.c
-+++ b/util/cutils.c
-@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
-     double freq = freq_hz;
-     size_t idx = 0;
--    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
-+    while (freq >= 1000.0) {
-         freq /= 1000.0;
-         idx++;
-     }
-+    assert(idx < ARRAY_SIZE(suffixes));
-     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
- }
---
-.20.1

-[PULL 7/9] configure: Make "does libgio work" test pull in some actual functions
+Deleted patch
-In commit 76346b6264a9b01979 we tried to add a configure check that
-the libgio pkg-config data was correct, which builds an executable
-linked against it.  Unfortunately this doesn't catch the problem
-(missing static library dependency info), because a "do nothing" test
-source file doesn't have any symbol references that cause the linker
-to pull in .o files from libgio.a, and so we don't see the "missing
-symbols from libmount" error that a full QEMU link triggers.
-(The ineffective test went unnoticed because of a typo that
-effectively disabled libgio unconditionally, but after commit
-a5dfc11f2 fixed that, a static link of the system emulator on
-Ubuntu stopped working again.)
-Improve the gio test by having the test source fragment reference a
-g_dbus function (which is what is indirectly causing us to end up
-wanting functions from libmount).
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
----
- configure | 11 +++++++++--
-file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/configure b/configure
-index XXXXXXX..XXXXXXX 100755
---- a/configure
-+++ b/configure
-@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
-     # Check that the libraries actually work -- Ubuntu 18.04 ships
-     # with pkg-config --static --libs data for gio-2.0 that is missing
-     # -lblkid and will give a link error.
--    write_c_skeleton
--    if compile_prog "" "$gio_libs" ; then
-+    cat > $TMPC <<EOF
-+#include <gio/gio.h>
-+int main(void)
-+{
-+    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
-+    return 0;
-+}
-+EOF
-+    if compile_prog "$gio_cflags" "$gio_libs" ; then
-         gio=yes
-     else
-         gio=no
---
-.20.1

-[PULL 8/9] hw/misc/tmp105: reset the T_low and T_High registers
+Deleted patch
-The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
-power-up reset values for the T_low and T_high registers are 80 degrees C
-and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
-values are then shifted right by four bits to give the register reset
-values, since both registers store the 12 bits of temperature data in bits
-[15..4] of a 16 bit register.
-We were resetting these registers to zero, which is problematic for Linux
-guests which enable the alert interrupt and then immediately take an
-unexpected overtemperature alert because the current temperature is above
-freezing...
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
----
- hw/misc/tmp105.c | 3 +++
-file changed, 3 insertions(+)
-diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/tmp105.c
-+++ b/hw/misc/tmp105.c
-@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
-     s->faults = tmp105_faultq[(s->config >> 3) & 3];
-     s->alarm = 0;
-+    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
-+    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
-+
-     tmp105_interrupt_update(s);
- }
---
-.20.1

-[PULL 9/9] tmp105: Correct handling of temperature limit checks
+[PULL 2/2] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
-The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
+When we do an AT address translation operation, the page table walk
-signals an alert when the temperature equals or exceeds the T_high value and
+is supposed to be performed in the context of the EL we're doing the
-then remains high until a device register is read or the device responds to
+walk for, so for instance an AT S1E2R walk is done for EL2.  In the
-the SMBUS Alert Response address, or the device is put into Shutdown Mode.
+pseudocode an EL is passed to AArch64.AT(), which calls
-Thereafter the Alert pin will only be re-signalled when temperature falls
+SecurityStateAtEL() to find the security state that we should be
-below T_low; alert can then be cleared in the same set of ways, and the
+doing the walk with.
 device returns to its initial "alert when temperature goes above T_high"
 mode. (If this textual description is confusing, see figure 3 in the
 TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)
-We were misimplementing this as a simple "always alert if temperature is
+In ats_write64() we get this wrong, instead using the current
-above T_high or below T_low" condition, which gives a spurious alert on
+security space always.  This is fine for AT operations performed from
-startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
+EL1 and EL2, because there the current security state and the
-limit values.
+security state for the lower EL are the same.  But for AT operations
 performed from EL3, the current security state is always either
 Secure or Root, whereas we want to use the security state defined by
 SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
 FEAT_RME but also ones where EL3 is Secure state and the EL3 code
 is trying to do an AT for a NonSecure EL2 or EL1.
-Implement the correct (hysteresis) behaviour by tracking whether we
+Use arm_security_space_below_el3() to get the SecuritySpace to
-are currently looking for the temperature to rise over T_high or
+pass to do_ats_write() for all AT operations except the
-for it to fall below T_low. Our implementation of the comparator
+AT S1E3* operations.
 mode (TM==0) wasn't wrong, but rephrase it to match the way that
 interrupt mode is now handled for clarity.
+Cc: qemu-stable@nongnu.org
+Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
+Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
 ---
- hw/misc/tmp105.h |  7 +++++
+ target/arm/helper.c | 7 +++++--
- hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
+file changed, 5 insertions(+), 2 deletions(-)
 files changed, 68 insertions(+), 9 deletions(-)
-diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/tmp105.h
+--- a/target/arm/helper.c
-+++ b/hw/misc/tmp105.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ struct TMP105State {
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-     int16_t limit[2];
+     ARMMMUIdx mmu_idx;
-     int faults;
+     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-     uint8_t alarm;
+     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
-+    /*
++    bool for_el3 = false;
-+     * The TMP105 initially looks for a temperature rising above T_high;
++    ARMSecuritySpace ss;
-+     * once this is detected, the condition it looks for next is the
-+     * temperature falling below T_low. This flag is false when initially
+     switch (ri->opc2 & 6) {
-+     * looking for T_high, true when looking for T_low.
+     case 0:
-+     */
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-+    bool detect_falling;
+             break;
- };
+         case 6: /* AT S1E3R, AT S1E3W */
+             mmu_idx = ARMMMUIdx_E3;
- #endif
++            for_el3 = true;
-diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
+             break;
-index XXXXXXX..XXXXXXX 100644
+         default:
---- a/hw/misc/tmp105.c
+             g_assert_not_reached();
-+++ b/hw/misc/tmp105.c
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
+         g_assert_not_reached();
              return;
      }
--    if ((s->config >> 1) & 1) {                    /* TM */
+-    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
--        if (s->temperature >= s->limit[1])
+-                                       mmu_idx, arm_security_space(env));
--            s->alarm = 1;
++    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
--        else if (s->temperature < s->limit[0])
++    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
--            s->alarm = 1;
+ #else
-+    if (s->config >> 1 & 1) {
+     /* Handled by hardware accelerator. */
-+        /*
+     g_assert_not_reached();
 +         * TM == 1 : Interrupt mode. We signal Alert when the
 +         * temperature rises above T_high, and expect the guest to clear
 +         * it (eg by reading a device register).
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 1;
 +                s->detect_falling = false;
 +            }
 +        } else {
 +            if (s->temperature >= s->limit[1]) {
 +                s->alarm = 1;
 +                s->detect_falling = true;
 +            }
 +        }
      } else {
 -        if (s->temperature >= s->limit[1])
 -            s->alarm = 1;
 -        else if (s->temperature < s->limit[0])
 -            s->alarm = 0;
 +        /*
 +         * TM == 0 : Comparator mode. We signal Alert when the temperature
 +         * rises above T_high, and stop signalling it when the temperature
 +         * falls below T_low.
 +         */
 +        if (s->detect_falling) {
 +            if (s->temperature < s->limit[0]) {
 +                s->alarm = 0;
 +                s->detect_falling = false;
 +            }
 +        } else {
 +            if (s->temperature >= s->limit[1]) {
 +                s->alarm = 1;
 +                s->detect_falling = true;
 +            }
 +        }
      }
      tmp105_interrupt_update(s);
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
      return 0;
  }
 +static bool detect_falling_needed(void *opaque)
 +{
 +    TMP105State *s = opaque;
 +
 +    /*
 +     * We only need to migrate the detect_falling bool if it's set;
 +     * for migration from older machines we assume that it is false
 +     * (ie temperature is not out of range).
 +     */
 +    return s->detect_falling;
 +}
 +
 +static const VMStateDescription vmstate_tmp105_detect_falling = {
 +    .name = "TMP105/detect-falling",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = detect_falling_needed,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_BOOL(detect_falling, TMP105State),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
  static const VMStateDescription vmstate_tmp105 = {
      .name = "TMP105",
      .version_id = 0,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
          VMSTATE_UINT8(alarm, TMP105State),
          VMSTATE_I2C_SLAVE(i2c, TMP105State),
          VMSTATE_END_OF_LIST()
 +    },
 +    .subsections = (const VMStateDescription*[]) {
 +        &vmstate_tmp105_detect_falling,
 +        NULL
      }
  };
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
      s->config = 0;
      s->faults = tmp105_faultq[(s->config >> 3) & 3];
      s->alarm = 0;
 +    s->detect_falling = false;
      s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
      s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
 --
-.20.1
+.34.1

Arm queue; bugfixes only.

thanks
-- PMM

The following changes since commit 48aa8f0ac536db3550a35c295ff7de94e4c33739:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2020-11-16' into staging (2020-11-17 11:07:00 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201117

for you to fetch changes up to ab135622cf478585bdfcb68b85e4a817d74a0c42:

tmp105: Correct handling of temperature limit checks (2020-11-17 12:56:33 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: ARM_VIRT must select ARM_GIC
 * exynos: Fix bad printf format specifiers
 * hw/input/ps2.c: Remove remnants of printf debug
 * target/openrisc: Remove dead code attempting to check "is timer disabled"
 * register: Remove unnecessary NULL check
 * util/cutils: Fix Coverity array overrun in freq_to_str()
 * configure: Make "does libgio work" test pull in some actual functions
 * tmp105: reset the T_low and T_High registers
 * tmp105: Correct handling of temperature limit checks

----------------------------------------------------------------
Alex Chen (1):
      exynos: Fix bad printf format specifiers

Alistair Francis (1):
      register: Remove unnecessary NULL check

Andrew Jones (1):
      hw/arm/virt: ARM_VIRT must select ARM_GIC

Peter Maydell (5):
      hw/input/ps2.c: Remove remnants of printf debug
      target/openrisc: Remove dead code attempting to check "is timer disabled"
      configure: Make "does libgio work" test pull in some actual functions
      hw/misc/tmp105: reset the T_low and T_High registers
      tmp105: Correct handling of temperature limit checks

Philippe Mathieu-Daudé (1):
      util/cutils: Fix Coverity array overrun in freq_to_str()

From: Alex Chen <alex.chen@huawei.com>

We should use printf format specifier "%u" instead of "%d" for
argument of type "unsigned int".

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Message-id: 20201111073651.72804-1-alex.chen@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/exynos4210_mct.c | 4 ++--
 hw/timer/exynos4210_pwm.c | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_mct.c
+++ b/hw/timer/exynos4210_mct.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
     /* If CSTAT is pending and IRQ is enabled */
     if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
             (s->reg.int_enb & G_INT_ENABLE(id))) {
-        DPRINTF("gcmp timer[%d] IRQ\n", id);
+        DPRINTF("gcmp timer[%u] IRQ\n", id);
         qemu_irq_raise(s->irq[id]);
     }
 }
@@ -XXX,XX +XXX,XX @@ static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
                     MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
 
     if (freq != s->freq) {
-        DPRINTF("freq=%dHz\n", s->freq);
+        DPRINTF("freq=%uHz\n", s->freq);
 
         /* global timer */
         tx_ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_pwm.c
+++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
 
     if (freq != s->timer[id].freq) {
         ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
-        DPRINTF("freq=%dHz\n", s->timer[id].freq);
+        DPRINTF("freq=%uHz\n", s->timer[id].freq);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     uint32_t id = s->id;
     bool cmp;
 
-    DPRINTF("timer %d tick\n", id);
+    DPRINTF("timer %u tick\n", id);
 
     /* set irq status */
     p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
 
     /* raise IRQ */
     if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
-        DPRINTF("timer %d IRQ\n", id);
+        DPRINTF("timer %u IRQ\n", id);
         qemu_irq_raise(p->timer[id].irq);
     }
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_tick(void *opaque)
     }
 
     if (cmp) {
-        DPRINTF("auto reload timer %d count to %x\n", id,
+        DPRINTF("auto reload timer %u count to %x\n", id,
                 p->timer[id].reg_tcntb);
         ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
         ptimer_run(p->timer[id].ptimer, 1);
-- 
2.20.1

In commit 5edab03d4040 we added tracepoints to the ps2 keyboard
and mouse emulation. However we didn't remove all the debug-by-printf
support. In fact there is only one printf() remaining, and it is
redundant with the trace_ps2_write_mouse() event next to it.
Remove the printf() and the now-unused DEBUG* macros.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-id: 20201101133258.4240-1-peter.maydell@linaro.org
---
 hw/input/ps2.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -XXX,XX +XXX,XX @@
 
 #include "trace.h"
 
-/* debug PC keyboard */
-//#define DEBUG_KBD
-
-/* debug PC keyboard : only mouse */
-//#define DEBUG_MOUSE
-
 /* Keyboard Commands */
 #define KBD_CMD_SET_LEDS	0xED	/* Set keyboard leds */
 #define KBD_CMD_ECHO     	0xEE
@@ -XXX,XX +XXX,XX @@ void ps2_write_mouse(void *opaque, int val)
     PS2MouseState *s = (PS2MouseState *)opaque;
 
     trace_ps2_write_mouse(opaque, val);
-#ifdef DEBUG_MOUSE
-    printf("kbd: write mouse 0x%02x\n", val);
-#endif
     switch(s->common.write_cmd) {
     default:
     case -1:
-- 
2.20.1

In the mtspr helper we attempt to check for "is the timer disabled"
with "if (env->ttmr & TIMER_NONE)".  This is wrong because TIMER_NONE
is zero and the condition is always false (Coverity complains about
the dead code.)

The correct check would be to test whether the TTMR_M field in the
register is equal to TIMER_NONE instead.  However, the
cpu_openrisc_timer_update() function checks whether the timer is
enabled (it looks at cpu->env.is_counting, which is set to 0 via
cpu_openrisc_count_stop() when the TTMR_M field is set to
TIMER_NONE), so there's no need to check for "timer disabled" in the
target/openrisc code.  Instead, simply remove the dead code.

Fixes: Coverity CID 1005812
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201103114654.18540-1-peter.maydell@linaro.org
---
 target/openrisc/sys_helper.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/sys_helper.c
+++ b/target/openrisc/sys_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env, target_ulong spr, target_ulong rb)
 
     case TO_SPR(10, 1): /* TTCR */
         cpu_openrisc_count_set(cpu, rb);
-        if (env->ttmr & TIMER_NONE) {
-            return;
-        }
         cpu_openrisc_timer_update(cpu);
         break;
 #endif
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Fix Coverity CID 1435957:  Memory - illegal accesses (OVERRUN):

>>> Overrunning array "suffixes" of 7 8-byte elements at element
    index 7 (byte offset 63) using index "idx" (which evaluates to 7).

Note, the biggest input value freq_to_str() can accept is UINT64_MAX,
which is ~18.446 EHz, less than 1000 EHz.

Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Luc Michel <luc@lmichel.fr>
Message-id: 20201101215755.2021421-1-f4bug@amsat.org
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 util/cutils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/cutils.c b/util/cutils.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -XXX,XX +XXX,XX @@ char *freq_to_str(uint64_t freq_hz)
     double freq = freq_hz;
     size_t idx = 0;
 
-    while (freq >= 1000.0 && idx < ARRAY_SIZE(suffixes)) {
+    while (freq >= 1000.0) {
         freq /= 1000.0;
         idx++;
     }
+    assert(idx < ARRAY_SIZE(suffixes));
 
     return g_strdup_printf("%0.3g %sHz", freq, suffixes[idx]);
 }
-- 
2.20.1

In commit 76346b6264a9b01979 we tried to add a configure check that
the libgio pkg-config data was correct, which builds an executable
linked against it.  Unfortunately this doesn't catch the problem
(missing static library dependency info), because a "do nothing" test
source file doesn't have any symbol references that cause the linker
to pull in .o files from libgio.a, and so we don't see the "missing
symbols from libmount" error that a full QEMU link triggers.

(The ineffective test went unnoticed because of a typo that
effectively disabled libgio unconditionally, but after commit
3569a5dfc11f2 fixed that, a static link of the system emulator on
Ubuntu stopped working again.)

Improve the gio test by having the test source fragment reference a
g_dbus function (which is what is indirectly causing us to end up
wanting functions from libmount).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20201116104617.18333-1-peter.maydell@linaro.org
---
 configure | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index XXXXXXX..XXXXXXX 100755
--- a/configure
+++ b/configure
@@ -XXX,XX +XXX,XX @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
     # Check that the libraries actually work -- Ubuntu 18.04 ships
     # with pkg-config --static --libs data for gio-2.0 that is missing
     # -lblkid and will give a link error.
-    write_c_skeleton
-    if compile_prog "" "$gio_libs" ; then
+    cat > $TMPC <<EOF
+#include <gio/gio.h>
+int main(void)
+{
+    g_dbus_proxy_new_sync(0, 0, 0, 0, 0, 0, 0, 0);
+    return 0;
+}
+EOF
+    if compile_prog "$gio_cflags" "$gio_libs" ; then
         gio=yes
     else
         gio=no
-- 
2.20.1

The TMP105 datasheet (https://www.ti.com/lit/gpn/tmp105) says that the
power-up reset values for the T_low and T_high registers are 80 degrees C
and 75 degrees C, which are 0x500 and 0x4B0 hex according to table 5.  These
values are then shifted right by four bits to give the register reset
values, since both registers store the 12 bits of temperature data in bits
[15..4] of a 16 bit register.

We were resetting these registers to zero, which is problematic for Linux
guests which enable the alert interrupt and then immediately take an
unexpected overtemperature alert because the current temperature is above
freezing...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-2-peter.maydell@linaro.org
---
 hw/misc/tmp105.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
 
+    s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
+    s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
+
     tmp105_interrupt_update(s);
 }
 
-- 
2.20.1

The TMP105 datasheet says that in Interrupt Mode (when TM==1) the device
signals an alert when the temperature equals or exceeds the T_high value and
then remains high until a device register is read or the device responds to
the SMBUS Alert Response address, or the device is put into Shutdown Mode.
Thereafter the Alert pin will only be re-signalled when temperature falls
below T_low; alert can then be cleared in the same set of ways, and the
device returns to its initial "alert when temperature goes above T_high"
mode. (If this textual description is confusing, see figure 3 in the
TI datasheet at https://www.ti.com/lit/gpn/tmp105 .)

We were misimplementing this as a simple "always alert if temperature is
above T_high or below T_low" condition, which gives a spurious alert on
startup if using the "T_high = 80 degrees C, T_low = 75 degrees C" reset
limit values.

Implement the correct (hysteresis) behaviour by tracking whether we
are currently looking for the temperature to rise over T_high or
for it to fall below T_low. Our implementation of the comparator
mode (TM==0) wasn't wrong, but rephrase it to match the way that
interrupt mode is now handled for clarity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20201110150023.25533-3-peter.maydell@linaro.org
---
 hw/misc/tmp105.h |  7 +++++
 hw/misc/tmp105.c | 70 +++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 68 insertions(+), 9 deletions(-)

diff --git a/hw/misc/tmp105.h b/hw/misc/tmp105.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.h
+++ b/hw/misc/tmp105.h
@@ -XXX,XX +XXX,XX @@ struct TMP105State {
     int16_t limit[2];
     int faults;
     uint8_t alarm;
+    /*
+     * The TMP105 initially looks for a temperature rising above T_high;
+     * once this is detected, the condition it looks for next is the
+     * temperature falling below T_low. This flag is false when initially
+     * looking for T_high, true when looking for T_low.
+     */
+    bool detect_falling;
 };
 
 #endif
diff --git a/hw/misc/tmp105.c b/hw/misc/tmp105.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/tmp105.c
+++ b/hw/misc/tmp105.c
@@ -XXX,XX +XXX,XX @@ static void tmp105_alarm_update(TMP105State *s)
             return;
     }
 
-    if ((s->config >> 1) & 1) {					/* TM */
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 1;
+    if (s->config >> 1 & 1) {
+        /*
+         * TM == 1 : Interrupt mode. We signal Alert when the
+         * temperature rises above T_high, and expect the guest to clear
+         * it (eg by reading a device register).
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 1;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     } else {
-        if (s->temperature >= s->limit[1])
-            s->alarm = 1;
-        else if (s->temperature < s->limit[0])
-            s->alarm = 0;
+        /*
+         * TM == 0 : Comparator mode. We signal Alert when the temperature
+         * rises above T_high, and stop signalling it when the temperature
+         * falls below T_low.
+         */
+        if (s->detect_falling) {
+            if (s->temperature < s->limit[0]) {
+                s->alarm = 0;
+                s->detect_falling = false;
+            }
+        } else {
+            if (s->temperature >= s->limit[1]) {
+                s->alarm = 1;
+                s->detect_falling = true;
+            }
+        }
     }
 
     tmp105_interrupt_update(s);
@@ -XXX,XX +XXX,XX @@ static int tmp105_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool detect_falling_needed(void *opaque)
+{
+    TMP105State *s = opaque;
+
+    /*
+     * We only need to migrate the detect_falling bool if it's set;
+     * for migration from older machines we assume that it is false
+     * (ie temperature is not out of range).
+     */
+    return s->detect_falling;
+}
+
+static const VMStateDescription vmstate_tmp105_detect_falling = {
+    .name = "TMP105/detect-falling",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = detect_falling_needed,
+    .fields = (VMStateField[]) {
+        VMSTATE_BOOL(detect_falling, TMP105State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_tmp105 = {
     .name = "TMP105",
     .version_id = 0,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_tmp105 = {
         VMSTATE_UINT8(alarm, TMP105State),
         VMSTATE_I2C_SLAVE(i2c, TMP105State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_tmp105_detect_falling,
+        NULL
     }
 };
 
@@ -XXX,XX +XXX,XX @@ static void tmp105_reset(I2CSlave *i2c)
     s->config = 0;
     s->faults = tmp105_faultq[(s->config >> 3) & 3];
     s->alarm = 0;
+    s->detect_falling = false;
 
     s->limit[0] = 0x4b00; /* T_LOW, 75 degrees C */
     s->limit[1] = 0x5000; /* T_HIGH, 80 degrees C */
-- 
2.20.1

Two bug fixes for 9.0...

-- PMM

The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:

Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408

for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:

target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)

----------------------------------------------------------------
target-arm:
 * Use correct SecuritySpace for AArch64 AT ops at EL3
 * Fix CNTPOFF_EL2 trap to missing EL3

----------------------------------------------------------------
Peter Maydell (1):
      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3

Pierre-Clément Tosi (1):
      target/arm: Fix CNTPOFF_EL2 trap to missing EL3

target/arm/helper.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

From: Pierre-Clément Tosi <ptosi@google.com>

EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
present, as described by the reference manual (for MRS):

/* ... */
  elsif PSTATE.EL == EL2 then
      if Halted() && HaveEL(EL3) && /*...*/ then
          UNDEFINED;
      elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
          /* ... */
      else
          X[t, 64] = CNTPOFF_EL2;

However, the existing implementation of gt_cntpoff_access() always
returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
is always true, which is wrong. As a result, QEMU panics in
access_check_cp_reg() when started without EL3 and running EL2 code
accessing the register (e.g. any recent KVM booting a guest).

Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().

Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
                                         const ARMCPRegInfo *ri,
                                         bool isread)
 {
-    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
+    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
+        !(env->cp15.scr_el3 & SCR_ECVEN)) {
         return CP_ACCESS_TRAP_EL3;
     }
     return CP_ACCESS_OK;
-- 
2.34.1

When we do an AT address translation operation, the page table walk
is supposed to be performed in the context of the EL we're doing the
walk for, so for instance an AT S1E2R walk is done for EL2.  In the
pseudocode an EL is passed to AArch64.AT(), which calls
SecurityStateAtEL() to find the security state that we should be
doing the walk with.

In ats_write64() we get this wrong, instead using the current
security space always.  This is fine for AT operations performed from
EL1 and EL2, because there the current security state and the
security state for the lower EL are the same.  But for AT operations
performed from EL3, the current security state is always either
Secure or Root, whereas we want to use the security state defined by
SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
FEAT_RME but also ones where EL3 is Secure state and the EL3 code
is trying to do an AT for a NonSecure EL2 or EL1.

Use arm_security_space_below_el3() to get the SecuritySpace to
pass to do_ats_write() for all AT operations except the
AT S1E3* operations.

Cc: qemu-stable@nongnu.org
Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
     ARMMMUIdx mmu_idx;
     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
+    bool for_el3 = false;
+    ARMSecuritySpace ss;
 
     switch (ri->opc2 & 6) {
     case 0:
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
             break;
         case 6: /* AT S1E3R, AT S1E3W */
             mmu_idx = ARMMMUIdx_E3;
+            for_el3 = true;
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         g_assert_not_reached();
     }
 
-    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
-                                       mmu_idx, arm_security_space(env));
+    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
+    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
 #else
     /* Handled by hardware accelerator. */
     g_assert_not_reached();
-- 
2.34.1