Series comparison

-[PULL 0/5] target-arm queue
+[PULL 0/1] target-arm queue
-The following changes since commit 7993b0f83fe5c3f8555e79781d5d098f99751a94:
+The following changes since commit e3debd5e7d0ce031356024878a0a18b9d109354a:
-  Merge remote-tracking branch 'remotes/nvme/tags/nvme-fixes-for-6.0-pull-request' into staging (2021-03-29 18:45:12 +0100)
+  Merge tag 'pull-request-2023-03-24' of https://gitlab.com/thuth/qemu into staging (2023-03-24 16:08:46 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git pull-target-arm-20210330
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230328
-for you to fetch changes up to b9e3f1579a4b06fc63dfa8cdb68df1c58eeb0cf1:
+for you to fetch changes up to 46e3b237c52e0c48bfd81bce020b51fbe300b23a:
-  hw/timer/renesas_tmr: Add default-case asserts in read_tcnt() (2021-03-30 14:05:34 +0100)
+  target/arm/gdbstub: Only advertise M-profile features if TCG available (2023-03-28 10:53:40 +0100)
 ----------------------------------------------------------------
- * net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set
+target-arm queue:
- * hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize()
+ * fix part of the "TCG-disabled builds are broken" issue
  * hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid()
  * target/arm: Make number of counters in PMCR follow the CPU
  * hw/timer/renesas_tmr: Add default-case asserts in read_tcnt()
 ----------------------------------------------------------------
-Doug Evans (1):
+Philippe Mathieu-Daudé (1):
-      net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set
+      target/arm/gdbstub: Only advertise M-profile features if TCG available
-Peter Maydell (2):
+ target/arm/gdbstub.c | 5 +++--
-      target/arm: Make number of counters in PMCR follow the CPU
+file changed, 3 insertions(+), 2 deletions(-)
       hw/timer/renesas_tmr: Add default-case asserts in read_tcnt()
-Philippe Mathieu-Daudé (1):
-      hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize()
-Zenghui Yu (1):
-      hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid()
- hw/arm/smmuv3-internal.h       |  7 -------
- target/arm/cpu.h               |  1 +
- hw/display/xlnx_dp.c           |  9 +++++++++
- hw/net/npcm7xx_emc.c           |  4 +++-
- hw/timer/renesas_tmr.c         |  4 ++++
- target/arm/cpu64.c             |  3 +++
- target/arm/cpu_tcg.c           |  5 +++++
- target/arm/helper.c            | 29 +++++++++++++++++------------
- target/arm/kvm64.c             |  2 ++
- tests/qtest/npcm7xx_emc-test.c | 30 +++++++++++++++++++++---------
-files changed, 65 insertions(+), 29 deletions(-)

-[PULL 1/5] net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set
+[PULL 1/1] target/arm/gdbstub: Only advertise M-profile features if TCG available
-From: Doug Evans <dje@google.com>
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Turning REG_MCMDR_RXON is enough to start receiving packets.
+Cortex-M profile is only emulable from TCG accelerator. Restrict
 the GDBstub features to its availability in order to avoid a link
 error when TCG is not enabled:
-Signed-off-by: Doug Evans <dje@google.com>
+  Undefined symbols for architecture arm64:
-Message-id: 20210319195044.741821-1-dje@google.com
+    "_arm_v7m_get_sp_ptr", referenced from:
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+        _m_sysreg_get in target_arm_gdbstub.c.o
     "_arm_v7m_mrs_control", referenced from:
         _arm_gdb_get_m_systemreg in target_arm_gdbstub.c.o
   ld: symbol(s) not found for architecture arm64
   clang: error: linker command failed with exit code 1 (use -v to see invocation)
 Fixes: 7d8b28b8b5 ("target/arm: Implement gdbstub m-profile systemreg and secext")
 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: 20230322142902.69511-3-philmd@linaro.org
 [PMM: add #include since I cherry-picked this patch from the series]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/npcm7xx_emc.c           |  4 +++-
+ target/arm/gdbstub.c | 5 +++--
- tests/qtest/npcm7xx_emc-test.c | 30 +++++++++++++++++++++---------
+file changed, 3 insertions(+), 2 deletions(-)
 files changed, 24 insertions(+), 10 deletions(-)
-diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/npcm7xx_emc.c
+--- a/target/arm/gdbstub.c
-+++ b/hw/net/npcm7xx_emc.c
++++ b/target/arm/gdbstub.c
-@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
+@@ -XXX,XX +XXX,XX @@
-                    !(value & REG_MCMDR_RXON)) {
+ #include "cpu.h"
-             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
+ #include "exec/gdbstub.h"
  #include "gdbstub/helpers.h"
 +#include "sysemu/tcg.h"
  #include "internals.h"
  #include "cpregs.h"
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
 , "arm-vfp-sysregs.xml", 0);
          }
--        if (!(value & REG_MCMDR_RXON)) {
-+        if (value & REG_MCMDR_RXON) {
-+            emc->rx_active = true;
-+        } else {
-             emc_halt_rx(emc, 0);
-         }
-         break;
-diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/npcm7xx_emc-test.c
-+++ b/tests/qtest/npcm7xx_emc-test.c
-@@ -XXX,XX +XXX,XX @@ static void enable_tx(QTestState *qts, const EMCModule *mod,
-         mcmdr |= REG_MCMDR_TXON;
-         emc_write(qts, mod, REG_MCMDR, mcmdr);
      }
--
+-    if (cpu_isar_feature(aa32_mve, cpu)) {
--    /* Prod the device to send the packet. */
++    if (cpu_isar_feature(aa32_mve, cpu) && tcg_enabled()) {
--    emc_write(qts, mod, REG_TSDR, 1);
+         gdb_register_coprocessor(cs, mve_gdb_get_reg, mve_gdb_set_reg,
- }
+, "arm-m-profile-mve.xml", 0);
  static void emc_send_verify1(QTestState *qts, const EMCModule *mod, int fd,
@@ -XXX,XX +XXX,XX @@ static void emc_send_verify(QTestState *qts, const EMCModule *mod, int fd,
      enable_tx(qts, mod, &desc[0], NUM_TX_DESCRIPTORS, desc_addr,
                with_irq ? REG_MIEN_ENTXINTR : 0);
 +    /* Prod the device to send the packet. */
 +    emc_write(qts, mod, REG_TSDR, 1);
 +
      /*
       * It's problematic to observe the interrupt for each packet.
       * Instead just wait until all the packets go out.
@@ -XXX,XX +XXX,XX @@ static void enable_rx(QTestState *qts, const EMCModule *mod,
          mcmdr |= REG_MCMDR_RXON | mcmdr_flags;
          emc_write(qts, mod, REG_MCMDR, mcmdr);
      }
--
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
--    /* Prod the device to accept a packet. */
+                              arm_gen_dynamic_sysreg_xml(cs, cs->gdb_num_regs),
--    emc_write(qts, mod, REG_RSDR, 1);
+                              "system-registers.xml", 0);
- }
+-    if (arm_feature(env, ARM_FEATURE_M)) {
- static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd,
++    if (arm_feature(env, ARM_FEATURE_M) && tcg_enabled()) {
--                            bool with_irq)
+         gdb_register_coprocessor(cs,
-+                            bool with_irq, bool pump_rsdr)
+             arm_gdb_get_m_systemreg, arm_gdb_set_m_systemreg,
- {
+             arm_gen_dynamic_m_systemreg_xml(cs, cs->gdb_num_regs),
      NPCM7xxEMCRxDesc desc[NUM_RX_DESCRIPTORS];
      uint32_t desc_addr = DESC_ADDR;
@@ -XXX,XX +XXX,XX @@ static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd,
      enable_rx(qts, mod, &desc[0], NUM_RX_DESCRIPTORS, desc_addr,
                with_irq ? REG_MIEN_ENRXINTR : 0, 0);
 +    /*
 +     * If requested, prod the device to accept a packet.
 +     * This isn't necessary, the linux driver doesn't do this.
 +     * Test doing/not-doing this for robustness.
 +     */
 +    if (pump_rsdr) {
 +        emc_write(qts, mod, REG_RSDR, 1);
 +    }
 +
      /* Send test packet to device's socket. */
      ret = iov_send(fd, iov, 2, 0, sizeof(len) + sizeof(test));
      g_assert_cmpint(ret, == , sizeof(test) + sizeof(len));
@@ -XXX,XX +XXX,XX @@ static void test_rx(gconstpointer test_data)
      qtest_irq_intercept_in(qts, "/machine/soc/a9mpcore/gic");
 -    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false);
 -    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true);
 +    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false,
 +                    /*pump_rsdr=*/false);
 +    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false,
 +                    /*pump_rsdr=*/true);
 +    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true,
 +                    /*pump_rsdr=*/false);
 +    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true,
 +                    /*pump_rsdr=*/true);
      emc_test_ptle(qts, td->module, test_sockets[0]);
      qtest_quit(qts);
 --
-.20.1
+.34.1

-[PULL 2/5] hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize()
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-When building with --enable-sanitizers we get:
-  Direct leak of 16 byte(s) in 1 object(s) allocated from:
-      #0 0x5618479ec7cf in malloc (qemu-system-aarch64+0x233b7cf)
-      #1 0x7f675745f958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
-      #2 0x561847c2dcc9 in xlnx_dp_init hw/display/xlnx_dp.c:1259:5
-      #3 0x56184a5bdab8 in object_init_with_type qom/object.c:375:9
-      #4 0x56184a5a2bda in object_initialize_with_type qom/object.c:517:5
-      #5 0x56184a5a24d5 in object_initialize qom/object.c:536:5
-      #6 0x56184a5a2f6c in object_initialize_child_with_propsv qom/object.c:566:5
-      #7 0x56184a5a2e60 in object_initialize_child_with_props qom/object.c:549:10
-      #8 0x56184a5a3a1e in object_initialize_child_internal qom/object.c:603:5
-      #9 0x5618495aa431 in xlnx_zynqmp_init hw/arm/xlnx-zynqmp.c:273:5
-The RX/TX FIFOs are created in xlnx_dp_init(), add xlnx_dp_finalize()
-to destroy them.
-Fixes: 58ac482a66d ("introduce xlnx-dp")
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20210323182958.277654-1-f4bug@amsat.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/display/xlnx_dp.c | 9 +++++++++
-file changed, 9 insertions(+)
-diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/display/xlnx_dp.c
-+++ b/hw/display/xlnx_dp.c
-@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_init(Object *obj)
-     fifo8_create(&s->tx_fifo, 16);
- }
-+static void xlnx_dp_finalize(Object *obj)
-+{
-+    XlnxDPState *s = XLNX_DP(obj);
-+
-+    fifo8_destroy(&s->tx_fifo);
-+    fifo8_destroy(&s->rx_fifo);
-+}
-+
- static void xlnx_dp_realize(DeviceState *dev, Error **errp)
- {
-     XlnxDPState *s = XLNX_DP(dev);
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo xlnx_dp_info = {
-     .parent        = TYPE_SYS_BUS_DEVICE,
-     .instance_size = sizeof(XlnxDPState),
-     .instance_init = xlnx_dp_init,
-+    .instance_finalize = xlnx_dp_finalize,
-     .class_init    = xlnx_dp_class_init,
- };
---
-.20.1

-[PULL 3/5] hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid()
+Deleted patch
-From: Zenghui Yu <yuzenghui@huawei.com>
-They were introduced in commit 9bde7f0674fe ("hw/arm/smmuv3: Implement
-translate callback") but never actually used. Drop them.
-Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
-Acked-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20210325142702.790-1-yuzenghui@huawei.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/smmuv3-internal.h | 7 -------
-file changed, 7 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
-+++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ static inline int pa_range(STE *ste)
- #define CD_A(x)          extract32((x)->word[1], 14, 1)
- #define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
--#define CDM_VALID(x)    ((x)->word[0] & 0x1)
--
--static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
--{
--    return CD_VALID(cd);
--}
--
- /**
-  * tg2granule - Decodes the CD translation granule size field according
-  * to the ttbr in use
---
-.20.1

-[PULL 4/5] target/arm: Make number of counters in PMCR follow the CPU
+Deleted patch
-Currently we give all the v7-and-up CPUs a PMU with 4 counters.  This
-means that we don't provide the 6 counters that are required by the
-Arm BSA (Base System Architecture) specification if the CPU supports
-the Virtualization extensions.
-Instead of having a single PMCR_NUM_COUNTERS, make each CPU type
-specify the PMCR reset value (obtained from the appropriate TRM), and
-use the 'N' field of that value to define the number of counters
-provided.
-This means that we now supply 6 counters for Cortex-A53, A57, A72,
-A15 and A9 as well as '-cpu max'; Cortex-A7 and A8 stay at 4; and
-Cortex-R5 goes down to 3.
-Note that because we now use the PMCR reset value of the specific
-implementation, we no longer set the LC bit out of reset.  This has
-an UNKNOWN value out of reset for all cores with any AArch32 support,
-so guest software should be setting it anyway if it wants it.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Message-id: 20210311165947.27470-1-peter.maydell@linaro.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
----
- target/arm/cpu.h     |  1 +
- target/arm/cpu64.c   |  3 +++
- target/arm/cpu_tcg.c |  5 +++++
- target/arm/helper.c  | 29 +++++++++++++++++------------
- target/arm/kvm64.c   |  2 ++
-files changed, 28 insertions(+), 12 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-         uint64_t id_aa64mmfr2;
-         uint64_t id_aa64dfr0;
-         uint64_t id_aa64dfr1;
-+        uint64_t reset_pmcr_el0;
-     } isar;
-     uint64_t midr;
-     uint32_t revidr;
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
-     cpu->gic_num_lrs = 4;
-     cpu->gic_vpribits = 5;
-     cpu->gic_vprebits = 5;
-+    cpu->isar.reset_pmcr_el0 = 0x41013000;
-     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
- }
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
-     cpu->gic_num_lrs = 4;
-     cpu->gic_vpribits = 5;
-     cpu->gic_vprebits = 5;
-+    cpu->isar.reset_pmcr_el0 = 0x41033000;
-     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
- }
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
-     cpu->gic_num_lrs = 4;
-     cpu->gic_vpribits = 5;
-     cpu->gic_vprebits = 5;
-+    cpu->isar.reset_pmcr_el0 = 0x41023000;
-     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
- }
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu_tcg.c
-+++ b/target/arm/cpu_tcg.c
-@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
-     cpu->ccsidr[1] = 0x2007e01a; /* 16k L1 icache. */
-     cpu->ccsidr[2] = 0xf0000000; /* No L2 icache. */
-     cpu->reset_auxcr = 2;
-+    cpu->isar.reset_pmcr_el0 = 0x41002000;
-     define_arm_cp_regs(cpu, cortexa8_cp_reginfo);
- }
-@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
-     cpu->clidr = (1 << 27) | (1 << 24) | 3;
-     cpu->ccsidr[0] = 0xe00fe019; /* 16k L1 dcache. */
-     cpu->ccsidr[1] = 0x200fe019; /* 16k L1 icache. */
-+    cpu->isar.reset_pmcr_el0 = 0x41093000;
-     define_arm_cp_regs(cpu, cortexa9_cp_reginfo);
- }
-@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
-     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
-     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
-     cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */
-+    cpu->isar.reset_pmcr_el0 = 0x41072000;
-     define_arm_cp_regs(cpu, cortexa15_cp_reginfo); /* Same as A15 */
- }
-@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
-     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
-     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
-     cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */
-+    cpu->isar.reset_pmcr_el0 = 0x410F3000;
-     define_arm_cp_regs(cpu, cortexa15_cp_reginfo);
- }
-@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
-     cpu->isar.id_isar6 = 0x0;
-     cpu->mp_is_up = true;
-     cpu->pmsav7_dregion = 16;
-+    cpu->isar.reset_pmcr_el0 = 0x41151800;
-     define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
- }
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
- #endif
- #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
--#define PMCR_NUM_COUNTERS 4 /* QEMU IMPDEF choice */
- #ifndef CONFIG_USER_ONLY
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
- static inline uint32_t pmu_num_counters(CPUARMState *env)
- {
--  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
-+    ARMCPU *cpu = env_archcpu(env);
-+
-+    return (cpu->isar.reset_pmcr_el0 & PMCRN_MASK) >> PMCRN_SHIFT;
- }
- /* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
-       .resetvalue = 0,
-       .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write },
- #endif
--    /* The only field of MDCR_EL2 that has a defined architectural reset value
--     * is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N.
--     */
--    { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
--      .access = PL2_RW, .resetvalue = PMCR_NUM_COUNTERS,
--      .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), },
-     { .name = "HPFAR", .state = ARM_CP_STATE_AA32,
-       .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
-       .access = PL2_RW, .accessfn = access_el3_aa32ns,
-@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
-      * field as main ID register, and we implement four counters in
-      * addition to the cycle count register.
-      */
--    unsigned int i, pmcrn = PMCR_NUM_COUNTERS;
-+    unsigned int i, pmcrn = pmu_num_counters(&cpu->env);
-     ARMCPRegInfo pmcr = {
-         .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
-         .access = PL0_RW,
-@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
-         .access = PL0_RW, .accessfn = pmreg_access,
-         .type = ARM_CP_IO,
-         .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
--        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT) |
--                      PMCRLC,
-+        .resetvalue = cpu->isar.reset_pmcr_el0,
-         .writefn = pmcr_write, .raw_writefn = raw_write,
-     };
-+
-     define_one_arm_cp_reg(cpu, &pmcr);
-     define_one_arm_cp_reg(cpu, &pmcr64);
-     for (i = 0; i < pmcrn; i++) {
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-               .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
-             REGINFO_SENTINEL
-         };
-+        /*
-+         * The only field of MDCR_EL2 that has a defined architectural reset
-+         * value is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N.
-+         */
-+        ARMCPRegInfo mdcr_el2 = {
-+            .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
-+            .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
-+            .access = PL2_RW, .resetvalue = pmu_num_counters(env),
-+            .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2),
-+        };
-+        define_one_arm_cp_reg(cpu, &mdcr_el2);
-         define_arm_cp_regs(cpu, vpidr_regs);
-         define_arm_cp_regs(cpu, el2_cp_reginfo);
-         if (arm_feature(env, ARM_FEATURE_V8)) {
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-                               ARM64_SYS_REG(3, 0, 0, 7, 1));
-         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr2,
-                               ARM64_SYS_REG(3, 0, 0, 7, 2));
-+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
-+                              ARM64_SYS_REG(3, 3, 9, 12, 0));
-         /*
-          * Note that if AArch32 support is not present in the host,
---
-.20.1

-[PULL 5/5] hw/timer/renesas_tmr: Add default-case asserts in read_tcnt()
+Deleted patch
-In commit 81b3ddaf8772ec we fixed a use of uninitialized data
-in read_tcnt(). However this change wasn't enough to placate
-Coverity, which is not smart enough to see that if we read a
-bit field and then handle cases 0, 1, 2 and 3 then there cannot
-be a flow of execution through the switch default. Add explicit
-default cases which assert that they can't be reached, which
-should help silence Coverity.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20210319162458.13760-1-peter.maydell@linaro.org
----
- hw/timer/renesas_tmr.c | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/hw/timer/renesas_tmr.c b/hw/timer/renesas_tmr.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/renesas_tmr.c
-+++ b/hw/timer/renesas_tmr.c
-@@ -XXX,XX +XXX,XX @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch)
-         case CSS_CASCADING:
-             tcnt[1] = tmr->tcnt[1];
-             break;
-+        default:
-+            g_assert_not_reached();
-         }
-         switch (FIELD_EX8(tmr->tccr[0], TCCR, CSS)) {
-         case CSS_INTERNAL:
-@@ -XXX,XX +XXX,XX @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch)
-         case CSS_EXTERNAL: /* QEMU doesn't implement this */
-             tcnt[0] = tmr->tcnt[0];
-             break;
-+        default:
-+            g_assert_not_reached();
-         }
-     } else {
-         tcnt[0] = tmr->tcnt[0];
---
-.20.1

The following changes since commit 7993b0f83fe5c3f8555e79781d5d098f99751a94:

Merge remote-tracking branch 'remotes/nvme/tags/nvme-fixes-for-6.0-pull-request' into staging (2021-03-29 18:45:12 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git pull-target-arm-20210330

for you to fetch changes up to b9e3f1579a4b06fc63dfa8cdb68df1c58eeb0cf1:

hw/timer/renesas_tmr: Add default-case asserts in read_tcnt() (2021-03-30 14:05:34 +0100)

----------------------------------------------------------------
 * net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set
 * hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize()
 * hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid()
 * target/arm: Make number of counters in PMCR follow the CPU
 * hw/timer/renesas_tmr: Add default-case asserts in read_tcnt()

----------------------------------------------------------------
Doug Evans (1):
      net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set

Peter Maydell (2):
      target/arm: Make number of counters in PMCR follow the CPU
      hw/timer/renesas_tmr: Add default-case asserts in read_tcnt()

Philippe Mathieu-Daudé (1):
      hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize()

Zenghui Yu (1):
      hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid()

From: Doug Evans <dje@google.com>

Turning REG_MCMDR_RXON is enough to start receiving packets.

Signed-off-by: Doug Evans <dje@google.com>
Message-id: 20210319195044.741821-1-dje@google.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/npcm7xx_emc.c           |  4 +++-
 tests/qtest/npcm7xx_emc-test.c | 30 +++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
                    !(value & REG_MCMDR_RXON)) {
             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
         }
-        if (!(value & REG_MCMDR_RXON)) {
+        if (value & REG_MCMDR_RXON) {
+            emc->rx_active = true;
+        } else {
             emc_halt_rx(emc, 0);
         }
         break;
diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/npcm7xx_emc-test.c
+++ b/tests/qtest/npcm7xx_emc-test.c
@@ -XXX,XX +XXX,XX @@ static void enable_tx(QTestState *qts, const EMCModule *mod,
         mcmdr |= REG_MCMDR_TXON;
         emc_write(qts, mod, REG_MCMDR, mcmdr);
     }
-
-    /* Prod the device to send the packet. */
-    emc_write(qts, mod, REG_TSDR, 1);
 }
 
 static void emc_send_verify1(QTestState *qts, const EMCModule *mod, int fd,
@@ -XXX,XX +XXX,XX @@ static void emc_send_verify(QTestState *qts, const EMCModule *mod, int fd,
     enable_tx(qts, mod, &desc[0], NUM_TX_DESCRIPTORS, desc_addr,
               with_irq ? REG_MIEN_ENTXINTR : 0);
 
+    /* Prod the device to send the packet. */
+    emc_write(qts, mod, REG_TSDR, 1);
+
     /*
      * It's problematic to observe the interrupt for each packet.
      * Instead just wait until all the packets go out.
@@ -XXX,XX +XXX,XX @@ static void enable_rx(QTestState *qts, const EMCModule *mod,
         mcmdr |= REG_MCMDR_RXON | mcmdr_flags;
         emc_write(qts, mod, REG_MCMDR, mcmdr);
     }
-
-    /* Prod the device to accept a packet. */
-    emc_write(qts, mod, REG_RSDR, 1);
 }
 
 static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd,
-                            bool with_irq)
+                            bool with_irq, bool pump_rsdr)
 {
     NPCM7xxEMCRxDesc desc[NUM_RX_DESCRIPTORS];
     uint32_t desc_addr = DESC_ADDR;
@@ -XXX,XX +XXX,XX @@ static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd,
     enable_rx(qts, mod, &desc[0], NUM_RX_DESCRIPTORS, desc_addr,
               with_irq ? REG_MIEN_ENRXINTR : 0, 0);
 
+    /*
+     * If requested, prod the device to accept a packet.
+     * This isn't necessary, the linux driver doesn't do this.
+     * Test doing/not-doing this for robustness.
+     */
+    if (pump_rsdr) {
+        emc_write(qts, mod, REG_RSDR, 1);
+    }
+
     /* Send test packet to device's socket. */
     ret = iov_send(fd, iov, 2, 0, sizeof(len) + sizeof(test));
     g_assert_cmpint(ret, == , sizeof(test) + sizeof(len));
@@ -XXX,XX +XXX,XX @@ static void test_rx(gconstpointer test_data)
 
     qtest_irq_intercept_in(qts, "/machine/soc/a9mpcore/gic");
 
-    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false);
-    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true);
+    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false,
+                    /*pump_rsdr=*/false);
+    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false,
+                    /*pump_rsdr=*/true);
+    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true,
+                    /*pump_rsdr=*/false);
+    emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true,
+                    /*pump_rsdr=*/true);
     emc_test_ptle(qts, td->module, test_sockets[0]);
 
     qtest_quit(qts);
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When building with --enable-sanitizers we get:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
      #0 0x5618479ec7cf in malloc (qemu-system-aarch64+0x233b7cf)
      #1 0x7f675745f958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958)
      #2 0x561847c2dcc9 in xlnx_dp_init hw/display/xlnx_dp.c:1259:5
      #3 0x56184a5bdab8 in object_init_with_type qom/object.c:375:9
      #4 0x56184a5a2bda in object_initialize_with_type qom/object.c:517:5
      #5 0x56184a5a24d5 in object_initialize qom/object.c:536:5
      #6 0x56184a5a2f6c in object_initialize_child_with_propsv qom/object.c:566:5
      #7 0x56184a5a2e60 in object_initialize_child_with_props qom/object.c:549:10
      #8 0x56184a5a3a1e in object_initialize_child_internal qom/object.c:603:5
      #9 0x5618495aa431 in xlnx_zynqmp_init hw/arm/xlnx-zynqmp.c:273:5

The RX/TX FIFOs are created in xlnx_dp_init(), add xlnx_dp_finalize()
to destroy them.

Fixes: 58ac482a66d ("introduce xlnx-dp")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210323182958.277654-1-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/xlnx_dp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_init(Object *obj)
     fifo8_create(&s->tx_fifo, 16);
 }
 
+static void xlnx_dp_finalize(Object *obj)
+{
+    XlnxDPState *s = XLNX_DP(obj);
+
+    fifo8_destroy(&s->tx_fifo);
+    fifo8_destroy(&s->rx_fifo);
+}
+
 static void xlnx_dp_realize(DeviceState *dev, Error **errp)
 {
     XlnxDPState *s = XLNX_DP(dev);
@@ -XXX,XX +XXX,XX @@ static const TypeInfo xlnx_dp_info = {
     .parent        = TYPE_SYS_BUS_DEVICE,
     .instance_size = sizeof(XlnxDPState),
     .instance_init = xlnx_dp_init,
+    .instance_finalize = xlnx_dp_finalize,
     .class_init    = xlnx_dp_class_init,
 };
 
-- 
2.20.1

From: Zenghui Yu <yuzenghui@huawei.com>

They were introduced in commit 9bde7f0674fe ("hw/arm/smmuv3: Implement
translate callback") but never actually used. Drop them.

Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210325142702.790-1-yuzenghui@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline int pa_range(STE *ste)
 #define CD_A(x)          extract32((x)->word[1], 14, 1)
 #define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
 
-#define CDM_VALID(x)    ((x)->word[0] & 0x1)
-
-static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
-{
-    return CD_VALID(cd);
-}
-
 /**
  * tg2granule - Decodes the CD translation granule size field according
  * to the ttbr in use
-- 
2.20.1

Currently we give all the v7-and-up CPUs a PMU with 4 counters.  This
means that we don't provide the 6 counters that are required by the
Arm BSA (Base System Architecture) specification if the CPU supports
the Virtualization extensions.

Instead of having a single PMCR_NUM_COUNTERS, make each CPU type
specify the PMCR reset value (obtained from the appropriate TRM), and
use the 'N' field of that value to define the number of counters
provided.

This means that we now supply 6 counters for Cortex-A53, A57, A72,
A15 and A9 as well as '-cpu max'; Cortex-A7 and A8 stay at 4; and
Cortex-R5 goes down to 3.

Note that because we now use the PMCR reset value of the specific
implementation, we no longer set the LC bit out of reset.  This has
an UNKNOWN value out of reset for all cores with any AArch32 support,
so guest software should be setting it anyway if it wants it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Message-id: 20210311165947.27470-1-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/cpu.h     |  1 +
 target/arm/cpu64.c   |  3 +++
 target/arm/cpu_tcg.c |  5 +++++
 target/arm/helper.c  | 29 +++++++++++++++++------------
 target/arm/kvm64.c   |  2 ++
 5 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
         uint64_t id_aa64mmfr2;
         uint64_t id_aa64dfr0;
         uint64_t id_aa64dfr1;
+        uint64_t reset_pmcr_el0;
     } isar;
     uint64_t midr;
     uint32_t revidr;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
+    cpu->isar.reset_pmcr_el0 = 0x41013000;
     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
+    cpu->isar.reset_pmcr_el0 = 0x41033000;
     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
+    cpu->isar.reset_pmcr_el0 = 0x41023000;
     define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 }
 
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static void cortex_a8_initfn(Object *obj)
     cpu->ccsidr[1] = 0x2007e01a; /* 16k L1 icache. */
     cpu->ccsidr[2] = 0xf0000000; /* No L2 icache. */
     cpu->reset_auxcr = 2;
+    cpu->isar.reset_pmcr_el0 = 0x41002000;
     define_arm_cp_regs(cpu, cortexa8_cp_reginfo);
 }
 
@@ -XXX,XX +XXX,XX @@ static void cortex_a9_initfn(Object *obj)
     cpu->clidr = (1 << 27) | (1 << 24) | 3;
     cpu->ccsidr[0] = 0xe00fe019; /* 16k L1 dcache. */
     cpu->ccsidr[1] = 0x200fe019; /* 16k L1 icache. */
+    cpu->isar.reset_pmcr_el0 = 0x41093000;
     define_arm_cp_regs(cpu, cortexa9_cp_reginfo);
 }
 
@@ -XXX,XX +XXX,XX @@ static void cortex_a7_initfn(Object *obj)
     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
     cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */
+    cpu->isar.reset_pmcr_el0 = 0x41072000;
     define_arm_cp_regs(cpu, cortexa15_cp_reginfo); /* Same as A15 */
 }
 
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
     cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */
     cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */
     cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */
+    cpu->isar.reset_pmcr_el0 = 0x410F3000;
     define_arm_cp_regs(cpu, cortexa15_cp_reginfo);
 }
 
@@ -XXX,XX +XXX,XX @@ static void cortex_r5_initfn(Object *obj)
     cpu->isar.id_isar6 = 0x0;
     cpu->mp_is_up = true;
     cpu->pmsav7_dregion = 16;
+    cpu->isar.reset_pmcr_el0 = 0x41151800;
     define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
 }
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #endif
 
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
-#define PMCR_NUM_COUNTERS 4 /* QEMU IMPDEF choice */
 
 #ifndef CONFIG_USER_ONLY
 
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
 
 static inline uint32_t pmu_num_counters(CPUARMState *env)
 {
-  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
+    ARMCPU *cpu = env_archcpu(env);
+
+    return (cpu->isar.reset_pmcr_el0 & PMCRN_MASK) >> PMCRN_SHIFT;
 }
 
 /* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       .resetvalue = 0,
       .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write },
 #endif
-    /* The only field of MDCR_EL2 that has a defined architectural reset value
-     * is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N.
-     */
-    { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
-      .access = PL2_RW, .resetvalue = PMCR_NUM_COUNTERS,
-      .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), },
     { .name = "HPFAR", .state = ARM_CP_STATE_AA32,
       .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
       .access = PL2_RW, .accessfn = access_el3_aa32ns,
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
      * field as main ID register, and we implement four counters in
      * addition to the cycle count register.
      */
-    unsigned int i, pmcrn = PMCR_NUM_COUNTERS;
+    unsigned int i, pmcrn = pmu_num_counters(&cpu->env);
     ARMCPRegInfo pmcr = {
         .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
         .access = PL0_RW,
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
         .access = PL0_RW, .accessfn = pmreg_access,
         .type = ARM_CP_IO,
         .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
-        .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT) |
-                      PMCRLC,
+        .resetvalue = cpu->isar.reset_pmcr_el0,
         .writefn = pmcr_write, .raw_writefn = raw_write,
     };
+
     define_one_arm_cp_reg(cpu, &pmcr);
     define_one_arm_cp_reg(cpu, &pmcr64);
     for (i = 0; i < pmcrn; i++) {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
             REGINFO_SENTINEL
         };
+        /*
+         * The only field of MDCR_EL2 that has a defined architectural reset
+         * value is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N.
+         */
+        ARMCPRegInfo mdcr_el2 = {
+            .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
+            .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
+            .access = PL2_RW, .resetvalue = pmu_num_counters(env),
+            .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2),
+        };
+        define_one_arm_cp_reg(cpu, &mdcr_el2);
         define_arm_cp_regs(cpu, vpidr_regs);
         define_arm_cp_regs(cpu, el2_cp_reginfo);
         if (arm_feature(env, ARM_FEATURE_V8)) {
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                               ARM64_SYS_REG(3, 0, 0, 7, 1));
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr2,
                               ARM64_SYS_REG(3, 0, 0, 7, 2));
+        err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
+                              ARM64_SYS_REG(3, 3, 9, 12, 0));
 
         /*
          * Note that if AArch32 support is not present in the host,
-- 
2.20.1

In commit 81b3ddaf8772ec we fixed a use of uninitialized data
in read_tcnt(). However this change wasn't enough to placate
Coverity, which is not smart enough to see that if we read a
2 bit field and then handle cases 0, 1, 2 and 3 then there cannot
be a flow of execution through the switch default. Add explicit
default cases which assert that they can't be reached, which
should help silence Coverity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210319162458.13760-1-peter.maydell@linaro.org
---
 hw/timer/renesas_tmr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/timer/renesas_tmr.c b/hw/timer/renesas_tmr.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/renesas_tmr.c
+++ b/hw/timer/renesas_tmr.c
@@ -XXX,XX +XXX,XX @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch)
         case CSS_CASCADING:
             tcnt[1] = tmr->tcnt[1];
             break;
+        default:
+            g_assert_not_reached();
         }
         switch (FIELD_EX8(tmr->tccr[0], TCCR, CSS)) {
         case CSS_INTERNAL:
@@ -XXX,XX +XXX,XX @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch)
         case CSS_EXTERNAL: /* QEMU doesn't implement this */
             tcnt[0] = tmr->tcnt[0];
             break;
+        default:
+            g_assert_not_reached();
         }
     } else {
         tcnt[0] = tmr->tcnt[0];
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@linaro.org>

Cortex-M profile is only emulable from TCG accelerator. Restrict
the GDBstub features to its availability in order to avoid a link
error when TCG is not enabled:

Undefined symbols for architecture arm64:
    "_arm_v7m_get_sp_ptr", referenced from:
        _m_sysreg_get in target_arm_gdbstub.c.o
    "_arm_v7m_mrs_control", referenced from:
        _arm_gdb_get_m_systemreg in target_arm_gdbstub.c.o
  ld: symbol(s) not found for architecture arm64
  clang: error: linker command failed with exit code 1 (use -v to see invocation)

Fixes: 7d8b28b8b5 ("target/arm: Implement gdbstub m-profile systemreg and secext")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20230322142902.69511-3-philmd@linaro.org
[PMM: add #include since I cherry-picked this patch from the series]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "exec/gdbstub.h"
 #include "gdbstub/helpers.h"
+#include "sysemu/tcg.h"
 #include "internals.h"
 #include "cpregs.h"
 
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
                                      2, "arm-vfp-sysregs.xml", 0);
         }
     }
-    if (cpu_isar_feature(aa32_mve, cpu)) {
+    if (cpu_isar_feature(aa32_mve, cpu) && tcg_enabled()) {
         gdb_register_coprocessor(cs, mve_gdb_get_reg, mve_gdb_set_reg,
                                  1, "arm-m-profile-mve.xml", 0);
     }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
                              arm_gen_dynamic_sysreg_xml(cs, cs->gdb_num_regs),
                              "system-registers.xml", 0);
 
-    if (arm_feature(env, ARM_FEATURE_M)) {
+    if (arm_feature(env, ARM_FEATURE_M) && tcg_enabled()) {
         gdb_register_coprocessor(cs,
             arm_gdb_get_m_systemreg, arm_gdb_set_m_systemreg,
             arm_gen_dynamic_m_systemreg_xml(cs, cs->gdb_num_regs),
-- 
2.34.1