Series comparison

-[PULL 00/21] target-arm queue
+[PULL 0/7] target-arm queue
-Mostly straightforward bugfixes. The new Xilinx devices are
+A last small test of bug fixes before rc1.
 arguably 'new feature', but they're fixing a regression where
 our changes to PSCI in commit 3f37979bf mean that EL3 guest
 code now needs to talk to a proper emulated power-controller
 device to turn on secondary CPUs; and it's not yet rc1 and
 they only affect the Xilinx board, so it seems OK to me.
 thanks
 -- PMM
-The following changes since commit 1d60bb4b14601e38ed17384277aa4c30c57925d3:
+The following changes since commit ed8ad9728a9c0eec34db9dff61dfa2f1dd625637:
-  Merge tag 'pull-request-2022-03-15v2' of https://gitlab.com/thuth/qemu into staging (2022-03-16 10:43:58 +0000)
+  Merge tag 'pull-tpm-2023-07-14-1' of https://github.com/stefanberger/qemu-tpm into staging (2023-07-15 14:54:04 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220318
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230717
-for you to fetch changes up to 79d54c9eac04c554e3c081589542f801ace71797:
+for you to fetch changes up to c2c1c4a35c7c2b1a4140b0942b9797c857e476a4:
-  util/osdep: Remove some early cruft (2022-03-18 11:32:13 +0000)
+  hw/nvram: Avoid unnecessary Xilinx eFuse backstore write (2023-07-17 11:05:52 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * Fix sve2 ldnt1 and stnt1
+ * hw/arm/sbsa-ref: set 'slots' property of xhci
- * Fix pauth_check_trap vs SEL2
+ * linux-user: Remove pointless NULL check in clock_adjtime handling
- * Fix handling of LPAE block descriptors
+ * ptw: Fix S1_ptw_translate() debug path
- * hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
+ * ptw: Account for FEAT_RME when applying {N}SW, SA bits
- * hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
+ * accel/tcg: Zero-pad PC in TCG CPU exec trace lines
- * nsis installer: List emulators in alphabetical order
+ * hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
  * nsis installer: Suppress "ANSI targets are deprecated" warning
  * nsis installer: Fix mouse-over descriptions for emulators
  * hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
  * Improve M-profile vector table access logging
  * Xilinx ZynqMP: model CRF and APU control
  * Fix compile issues on modern Solaris
 ----------------------------------------------------------------
-Andrew Deason (3):
+Peter Maydell (5):
-      util/osdep: Avoid madvise proto on modern Solaris
+      linux-user: Remove pointless NULL check in clock_adjtime handling
-      hw/i386/acpi-build: Avoid 'sun' identifier
+      target/arm/ptw.c: Add comments to S1Translate struct fields
-      util/osdep: Remove some early cruft
+      target/arm: Fix S1_ptw_translate() debug path
       target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits
       accel/tcg: Zero-pad PC in TCG CPU exec trace lines
-Edgar E. Iglesias (6):
+Tong Ho (1):
-      hw/arm/xlnx-zynqmp: Add an unimplemented SERDES area
+      hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
       target/arm: Make rvbar settable after realize
       hw/misc: Add a model of the Xilinx ZynqMP CRF
       hw/arm/xlnx-zynqmp: Connect the ZynqMP CRF
       hw/misc: Add a model of the Xilinx ZynqMP APU Control
       hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control
-Eric Auger (2):
+Yuquan Wang (1):
-      hw/intc: Rename CONFIG_ARM_GIC_TCG into CONFIG_ARM_GICV3_TCG
+      hw/arm/sbsa-ref: set 'slots' property of xhci
       hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
-Peter Maydell (8):
+ accel/tcg/cpu-exec.c      |  4 +--
-      target/arm: Fix handling of LPAE block descriptors
+ accel/tcg/translate-all.c |  2 +-
-      hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
+ hw/arm/sbsa-ref.c         |  1 +
-      hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
+ hw/nvram/xlnx-efuse.c     | 11 ++++--
-      nsis installer: List emulators in alphabetical order
+ linux-user/syscall.c      | 12 +++----
-      nsis installer: Suppress "ANSI targets are deprecated" warning
+ target/arm/ptw.c          | 90 +++++++++++++++++++++++++++++++++++++++++------
-      nsis installer: Fix mouse-over descriptions for emulators
+files changed, 98 insertions(+), 22 deletions(-)
       target/arm: Log M-profile vector table accesses
       target/arm: Log fault address for M-profile faults
 Richard Henderson (2):
       target/arm: Fix sve2 ldnt1 and stnt1
       target/arm: Fix pauth_check_trap vs SEL2
  meson.build                            |  23 ++-
  include/hw/arm/xlnx-zynqmp.h           |   4 +
  include/hw/misc/xlnx-zynqmp-apu-ctrl.h |  93 ++++++++++++
  include/hw/misc/xlnx-zynqmp-crf.h      | 211 ++++++++++++++++++++++++++
  include/qemu/osdep.h                   |   8 +
  target/arm/cpu.h                       |   3 +-
  target/arm/sve.decode                  |   5 +-
  hw/arm/virt.c                          |   7 +-
  hw/arm/xlnx-zynqmp.c                   |  46 +++++-
  hw/dma/xlnx_csu_dma.c                  |   1 +
  hw/i386/acpi-build.c                   |   4 +-
  hw/misc/npcm7xx_clk.c                  |   4 +-
  hw/misc/xlnx-zynqmp-apu-ctrl.c         | 253 +++++++++++++++++++++++++++++++
  hw/misc/xlnx-zynqmp-crf.c              | 266 +++++++++++++++++++++++++++++++++
  target/arm/cpu.c                       |  17 ++-
  target/arm/helper.c                    |  20 ++-
  target/arm/m_helper.c                  |  11 ++
  target/arm/pauth_helper.c              |   2 +-
  target/arm/translate-sve.c             |  51 ++++++-
  tests/tcg/aarch64/test-826.c           |  50 +++++++
  util/osdep.c                           |  10 --
  hw/intc/Kconfig                        |   2 +-
  hw/intc/meson.build                    |   4 +-
  hw/misc/meson.build                    |   2 +
  qemu.nsi                               |   8 +-
  scripts/nsis.py                        |  17 ++-
  tests/tcg/aarch64/Makefile.target      |   4 +
  tests/tcg/configure.sh                 |   4 +
 files changed, 1084 insertions(+), 46 deletions(-)
  create mode 100644 include/hw/misc/xlnx-zynqmp-apu-ctrl.h
  create mode 100644 include/hw/misc/xlnx-zynqmp-crf.h
  create mode 100644 hw/misc/xlnx-zynqmp-apu-ctrl.c
  create mode 100644 hw/misc/xlnx-zynqmp-crf.c
  create mode 100644 tests/tcg/aarch64/test-826.c

-[PULL 01/21] target/arm: Fix sve2 ldnt1 and stnt1
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-For both ldnt1 and stnt1, the meaning of the Rn and Rm are different
-from ld1 and st1: the vector and integer registers are reversed, and
-the integer register 31 refers to XZR instead of SP.
-Secondly, the 64-bit version of ldnt1 was being interpreted as
--bit unpacked unscaled offset instead of 64-bit unscaled offset,
-which discarded the upper 32 bits of the address coming from
-the vector argument.
-Thirdly, validate that the memory element size is in range for the
-vector element size for ldnt1.  For ld1, we do this via independent
-decode patterns, but for ldnt1 we need to do it manually.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/826
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20220308031655.240710-1-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sve.decode             |  5 ++-
- target/arm/translate-sve.c        | 51 +++++++++++++++++++++++++++++--
- tests/tcg/aarch64/test-826.c      | 50 ++++++++++++++++++++++++++++++
- tests/tcg/aarch64/Makefile.target |  4 +++
- tests/tcg/configure.sh            |  4 +++
-files changed, 109 insertions(+), 5 deletions(-)
- create mode 100644 tests/tcg/aarch64/test-826.c
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ USDOT_zzzz      01000100 .. 0 ..... 011 110 ..... .....  @rda_rn_rm
- ### SVE2 Memory Gather Load Group
--# SVE2 64-bit gather non-temporal load
--#   (scalar plus unpacked 32-bit unscaled offsets)
-+# SVE2 64-bit gather non-temporal load (scalar plus 64-bit unscaled offsets)
- LDNT1_zprz      1100010 msz:2 00 rm:5 1 u:1 0 pg:3 rn:5 rd:5 \
--                &rprr_gather_load xs=0 esz=3 scale=0 ff=0
-+                &rprr_gather_load xs=2 esz=3 scale=0 ff=0
- # SVE2 32-bit gather non-temporal load (scalar plus 32-bit unscaled offsets)
- LDNT1_zprz      1000010 msz:2 00 rm:5 10 u:1 pg:3 rn:5 rd:5 \
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
- static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
- {
-+    gen_helper_gvec_mem_scatter *fn = NULL;
-+    bool be = s->be_data == MO_BE;
-+    bool mte = s->mte_active[0];
-+
-+    if (a->esz < a->msz + !a->u) {
-+        return false;
-+    }
-     if (!dc_isar_feature(aa64_sve2, s)) {
-         return false;
-     }
--    return trans_LD1_zprz(s, a);
-+    if (!sve_access_check(s)) {
-+        return true;
-+    }
-+
-+    switch (a->esz) {
-+    case MO_32:
-+        fn = gather_load_fn32[mte][be][0][0][a->u][a->msz];
-+        break;
-+    case MO_64:
-+        fn = gather_load_fn64[mte][be][0][2][a->u][a->msz];
-+        break;
-+    }
-+    assert(fn != NULL);
-+
-+    do_mem_zpz(s, a->rd, a->pg, a->rn, 0,
-+               cpu_reg(s, a->rm), a->msz, false, fn);
-+    return true;
- }
- /* Indexed by [mte][be][xs][msz].  */
-@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
- static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
- {
-+    gen_helper_gvec_mem_scatter *fn;
-+    bool be = s->be_data == MO_BE;
-+    bool mte = s->mte_active[0];
-+
-+    if (a->esz < a->msz) {
-+        return false;
-+    }
-     if (!dc_isar_feature(aa64_sve2, s)) {
-         return false;
-     }
--    return trans_ST1_zprz(s, a);
-+    if (!sve_access_check(s)) {
-+        return true;
-+    }
-+
-+    switch (a->esz) {
-+    case MO_32:
-+        fn = scatter_store_fn32[mte][be][0][a->msz];
-+        break;
-+    case MO_64:
-+        fn = scatter_store_fn64[mte][be][2][a->msz];
-+        break;
-+    default:
-+        g_assert_not_reached();
-+    }
-+
-+    do_mem_zpz(s, a->rd, a->pg, a->rn, 0,
-+               cpu_reg(s, a->rm), a->msz, true, fn);
-+    return true;
- }
- /*
-diff --git a/tests/tcg/aarch64/test-826.c b/tests/tcg/aarch64/test-826.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/tests/tcg/aarch64/test-826.c
-@@ -XXX,XX +XXX,XX @@
-+#include <sys/mman.h>
-+#include <unistd.h>
-+#include <signal.h>
-+#include <stdlib.h>
-+#include <stdio.h>
-+#include <assert.h>
-+
-+static void *expected;
-+
-+void sigsegv(int sig, siginfo_t *info, void *vuc)
-+{
-+    ucontext_t *uc = vuc;
-+
-+    assert(info->si_addr == expected);
-+    uc->uc_mcontext.pc += 4;
-+}
-+
-+int main()
-+{
-+    struct sigaction sa = {
-+        .sa_sigaction = sigsegv,
-+        .sa_flags = SA_SIGINFO
-+    };
-+
-+    void *page;
-+    long ofs;
-+
-+    if (sigaction(SIGSEGV, &sa, NULL) < 0) {
-+        perror("sigaction");
-+        return EXIT_FAILURE;
-+    }
-+
-+    page = mmap(0, getpagesize(), PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
-+    if (page == MAP_FAILED) {
-+        perror("mmap");
-+        return EXIT_FAILURE;
-+    }
-+
-+    ofs = 0x124;
-+    expected = page + ofs;
-+
-+    asm("ptrue p0.d, vl1\n\t"
-+        "dup z0.d, %0\n\t"
-+        "ldnt1h {z1.d}, p0/z, [z0.d, %1]\n\t"
-+        "dup z1.d, %1\n\t"
-+        "ldnt1h {z0.d}, p0/z, [z1.d, %0]"
-+        : : "r"(page), "r"(ofs) : "v0", "v1");
-+
-+    return EXIT_SUCCESS;
-+}
-diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
-index XXXXXXX..XXXXXXX 100644
---- a/tests/tcg/aarch64/Makefile.target
-+++ b/tests/tcg/aarch64/Makefile.target
-@@ -XXX,XX +XXX,XX @@ run-gdbstub-sve-ioctls: sve-ioctls
- EXTRA_RUNS += run-gdbstub-sysregs run-gdbstub-sve-ioctls
- endif
-+endif
-+ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_SVE2),)
-+AARCH64_TESTS += test-826
-+test-826: CFLAGS+=-march=armv8.1-a+sve2
- endif
- TESTS += $(AARCH64_TESTS)
-diff --git a/tests/tcg/configure.sh b/tests/tcg/configure.sh
-index XXXXXXX..XXXXXXX 100755
---- a/tests/tcg/configure.sh
-+++ b/tests/tcg/configure.sh
-@@ -XXX,XX +XXX,XX @@ for target in $target_list; do
-                              -march=armv8.1-a+sve -o $TMPE $TMPC; then
-                   echo "CROSS_CC_HAS_SVE=y" >> $config_target_mak
-               fi
-+              if do_compiler "$target_compiler" $target_compiler_cflags \
-+                             -march=armv8.1-a+sve2 -o $TMPE $TMPC; then
-+                  echo "CROSS_CC_HAS_SVE2=y" >> $config_target_mak
-+              fi
-               if do_compiler "$target_compiler" $target_compiler_cflags \
-                              -march=armv8.3-a -o $TMPE $TMPC; then
-                   echo "CROSS_CC_HAS_ARMV8_3=y" >> $config_target_mak
---
-.25.1

-[PULL 21/21] util/osdep: Remove some early cruft
+[PULL 1/7] hw/arm/sbsa-ref: set 'slots' property of xhci
-From: Andrew Deason <adeason@sinenomine.net>
+From: Yuquan Wang <wangyuquan1236@phytium.com.cn>
-The include for statvfs.h has not been needed since all statvfs calls
+This extends the slots of xhci to 64, since the default xhci_sysbus
-were removed in commit 4a1418e07bdc ("Unbreak large mem support by
+just supports one slot.
 removing kqemu").
-The comment mentioning CONFIG_BSD hasn't made sense since an include
+Signed-off-by: Wang Yuquan <wangyuquan1236@phytium.com.cn>
-for config-host.h was removed in commit aafd75841001 ("util: Clean up
+Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn>
-includes").
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Remove this cruft.
+Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Message-id: 20230710063750.473510-2-wangyuquan1236@phytium.com.cn
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Andrew Deason <adeason@sinenomine.net>
 Message-id: 20220316035227.3702-4-adeason@sinenomine.net
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- util/osdep.c | 7 -------
+ hw/arm/sbsa-ref.c | 1 +
-file changed, 7 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/util/osdep.c b/util/osdep.c
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/util/osdep.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/util/osdep.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void create_xhci(const SBSAMachineState *sms)
-  */
+     hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;
- #include "qemu/osdep.h"
+     int irq = sbsa_ref_irqmap[SBSA_XHCI];
- #include "qapi/error.h"
+     DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);
--
++    qdev_prop_set_uint32(dev, "slots", XHCI_MAXSLOTS);
--/* Needed early for CONFIG_BSD etc. */
--
+     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
--#ifdef CONFIG_SOLARIS
+     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
 -#include <sys/statvfs.h>
 -#endif
 -
  #include "qemu-common.h"
  #include "qemu/cutils.h"
  #include "qemu/sockets.h"
 --
-.25.1
+.34.1

-[PULL 06/21] nsis installer: List emulators in alphabetical order
+[PULL 2/7] linux-user: Remove pointless NULL check in clock_adjtime handling
-We currently list the emulators in the Windows installer's dialog
+In the code for TARGET_NR_clock_adjtime, we set the pointer phtx to
-in an essentially random order (it's whatever glob.glob() returns
+the address of the local variable htx.  This means it can never be
-them to, which is filesystem-implementation-dependent). Add a
+NULL, but later in the code we check it for NULL anyway.  Coverity
-call to sorted() so they appear in alphabetical order.
+complains about this (CID 1507683) because the NULL check comes after
 a call to clock_adjtime() that assumes it is non-NULL.
 Since phtx is always &htx, and is used only in three places, it's not
 really necessary.  Remove it, bringing the code structure in to line
 with that for TARGET_NR_clock_adjtime64, which already uses a simple
 '&htx' when it wants a pointer to 'htx'.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Stefan Weil <sw@weilnetz.de>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 20230623144410.1837261-1-peter.maydell@linaro.org
 Message-id: 20220305105743.2384766-2-peter.maydell@linaro.org
 ---
- scripts/nsis.py | 4 ++--
+ linux-user/syscall.c | 12 +++++-------
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 5 insertions(+), 7 deletions(-)
-diff --git a/scripts/nsis.py b/scripts/nsis.py
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
---- a/scripts/nsis.py
+--- a/linux-user/syscall.c
-+++ b/scripts/nsis.py
++++ b/linux-user/syscall.c
-@@ -XXX,XX +XXX,XX @@ def main():
+@@ -XXX,XX +XXX,XX @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
-         with open(
+ #if defined(TARGET_NR_clock_adjtime) && defined(CONFIG_CLOCK_ADJTIME)
-             os.path.join(destdir + args.prefix, "system-emulations.nsh"), "w"
+     case TARGET_NR_clock_adjtime:
-         ) as nsh:
+         {
--            for exe in glob.glob(
+-            struct timex htx, *phtx = &htx;
-+            for exe in sorted(glob.glob(
++            struct timex htx;
-                 os.path.join(destdir + args.prefix, "qemu-system-*.exe")
--            ):
+-            if (target_to_host_timex(phtx, arg2) != 0) {
-+            )):
++            if (target_to_host_timex(&htx, arg2) != 0) {
-                 exe = os.path.basename(exe)
+                 return -TARGET_EFAULT;
-                 arch = exe[12:-4]
+             }
-                 nsh.write(
+-            ret = get_errno(clock_adjtime(arg1, phtx));
 -            if (!is_error(ret) && phtx) {
 -                if (host_to_target_timex(arg2, phtx) != 0) {
 -                    return -TARGET_EFAULT;
 -                }
 +            ret = get_errno(clock_adjtime(arg1, &htx));
 +            if (!is_error(ret) && host_to_target_timex(arg2, &htx)) {
 +                return -TARGET_EFAULT;
              }
          }
          return ret;
 --
-.25.1
+.34.1

-[PULL 19/21] util/osdep: Avoid madvise proto on modern Solaris
+[PULL 3/7] target/arm/ptw.c: Add comments to S1Translate struct fields
-From: Andrew Deason <adeason@sinenomine.net>
+Add comments to the in_* fields in the S1Translate struct
 that explain what they're doing.
-On older Solaris releases (before Solaris 11), we didn't get a
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-prototype for madvise, and so util/osdep.c provides its own prototype.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Some time between the public Solaris 11.4 release and Solaris 11.4.42
+Message-id: 20230710152130.3928330-2-peter.maydell@linaro.org
-CBE, we started getting an madvise prototype that looks like this:
+---
  target/arm/ptw.c | 40 ++++++++++++++++++++++++++++++++++++++++
 file changed, 40 insertions(+)
-    extern int madvise(void *, size_t, int);
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 which conflicts with the prototype in util/osdeps.c. Instead of always
 declaring this prototype, check if we're missing the madvise()
 prototype, and only declare it ourselves if the prototype is missing.
 Move the prototype to include/qemu/osdep.h, the normal place to handle
 platform-specific header quirks.
 The 'missing_madvise_proto' meson check contains an obviously wrong
 prototype for madvise. So if that code compiles and links, we must be
 missing the actual prototype for madvise.
 Signed-off-by: Andrew Deason <adeason@sinenomine.net>
 Message-id: 20220316035227.3702-2-adeason@sinenomine.net
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  meson.build          | 23 +++++++++++++++++++++--
  include/qemu/osdep.h |  8 ++++++++
  util/osdep.c         |  3 ---
 files changed, 29 insertions(+), 5 deletions(-)
 diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/meson.build
+--- a/target/arm/ptw.c
-+++ b/meson.build
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ config_host_data.set('CONFIG_FDATASYNC', cc.links(gnu_source_prefix + '''
+@@ -XXX,XX +XXX,XX @@
    #error Not supported
    #endif
    }'''))
 -config_host_data.set('CONFIG_MADVISE', cc.links(gnu_source_prefix + '''
 +
 +has_madvise = cc.links(gnu_source_prefix + '''
    #include <sys/types.h>
    #include <sys/mman.h>
    #include <stddef.h>
 -  int main(void) { return madvise(NULL, 0, MADV_DONTNEED); }'''))
 +  int main(void) { return madvise(NULL, 0, MADV_DONTNEED); }''')
 +missing_madvise_proto = false
 +if has_madvise
 +  # Some platforms (illumos and Solaris before Solaris 11) provide madvise()
 +  # but forget to prototype it. In this case, has_madvise will be true (the
 +  # test program links despite a compile warning). To detect the
 +  # missing-prototype case, we try again with a definitely-bogus prototype.
 +  # This will only compile if the system headers don't provide the prototype;
 +  # otherwise the conflicting prototypes will cause a compiler error.
 +  missing_madvise_proto = cc.links(gnu_source_prefix + '''
 +    #include <sys/types.h>
 +    #include <sys/mman.h>
 +    #include <stddef.h>
 +    extern int madvise(int);
 +    int main(void) { return madvise(0); }''')
 +endif
 +config_host_data.set('CONFIG_MADVISE', has_madvise)
 +config_host_data.set('HAVE_MADVISE_WITHOUT_PROTOTYPE', missing_madvise_proto)
 +
  config_host_data.set('CONFIG_MEMFD', cc.links(gnu_source_prefix + '''
    #include <sys/mman.h>
    int main(void) { return memfd_create("foo", MFD_ALLOW_SEALING); }'''))
 diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/qemu/osdep.h
 +++ b/include/qemu/osdep.h
@@ -XXX,XX +XXX,XX @@ void qemu_anon_ram_free(void *ptr, size_t size);
  #define SIGIO SIGPOLL
  #endif
-+#ifdef HAVE_MADVISE_WITHOUT_PROTOTYPE
+ typedef struct S1Translate {
-+/*
++    /*
-+ * See MySQL bug #7156 (http://bugs.mysql.com/bug.php?id=7156) for discussion
++     * in_mmu_idx : specifies which TTBR, TCR, etc to use for the walk.
-+ * about Solaris missing the madvise() prototype.
++     * Together with in_space, specifies the architectural translation regime.
-+ */
++     */
-+extern int madvise(char *, size_t, int);
+     ARMMMUIdx in_mmu_idx;
-+#endif
++    /*
-+
++     * in_ptw_idx: specifies which mmuidx to use for the actual
- #if defined(CONFIG_LINUX)
++     * page table descriptor load operations. This will be one of the
- #ifndef BUS_MCEERR_AR
++     * ARMMMUIdx_Stage2* or one of the ARMMMUIdx_Phys_* indexes.
- #define BUS_MCEERR_AR 4
++     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
-diff --git a/util/osdep.c b/util/osdep.c
++     * this field is updated accordingly.
-index XXXXXXX..XXXXXXX 100644
++     */
---- a/util/osdep.c
+     ARMMMUIdx in_ptw_idx;
-+++ b/util/osdep.c
++    /*
-@@ -XXX,XX +XXX,XX @@
++     * in_space: the security space for this walk. This plus
++     * the in_mmu_idx specify the architectural translation regime.
- #ifdef CONFIG_SOLARIS
++     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
- #include <sys/statvfs.h>
++     * this field is updated accordingly.
--/* See MySQL bug #7156 (http://bugs.mysql.com/bug.php?id=7156) for
++     *
--   discussion about Solaris header problems */
++     * Note that the security space for the in_ptw_idx may be different
--extern int madvise(char *, size_t, int);
++     * from that for the in_mmu_idx. We do not need to explicitly track
- #endif
++     * the in_ptw_idx security space because:
++     *  - if the in_ptw_idx is an ARMMMUIdx_Phys_* then the mmuidx
- #include "qemu-common.h"
++     *    itself specifies the security space
 +     *  - if the in_ptw_idx is an ARMMMUIdx_Stage2* then the security
 +     *    space used for ptw reads is the same as that of the security
 +     *    space of the stage 1 translation for all cases except where
 +     *    stage 1 is Secure; in that case the only possibilities for
 +     *    the ptw read are Secure and NonSecure, and the in_ptw_idx
 +     *    value being Stage2 vs Stage2_S distinguishes those.
 +     */
      ARMSecuritySpace in_space;
 +    /*
 +     * in_secure: whether the translation regime is a Secure one.
 +     * This is always equal to arm_space_is_secure(in_space).
 +     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
 +     * this field is updated accordingly.
 +     */
      bool in_secure;
 +    /*
 +     * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug
 +     * accesses will not update the guest page table access flags
 +     * and will not change the state of the softmmu TLBs.
 +     */
      bool in_debug;
      /*
       * If this is stage 2 of a stage 1+2 page table walk, then this must
 --
-.25.1
+.34.1

-[PULL 17/21] hw/misc: Add a model of the Xilinx ZynqMP APU Control
+[PULL 4/7] target/arm: Fix S1_ptw_translate() debug path
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+In commit fe4a5472ccd6 we rearranged the logic in S1_ptw_translate()
 so that the debug-access "call get_phys_addr_*" codepath is used both
 when S1 is doing ptw reads from stage 2 and when it is doing ptw
 reads from physical memory.  However, we didn't update the
 calculation of s2ptw->in_space and s2ptw->in_secure to account for
 the "ptw reads from physical memory" case.  This meant that debug
 accesses when in Secure state broke.
-Add a model of the Xilinx ZynqMP APU Control.
+Create a new function S2_security_space() which returns the
 correct security space to use for the ptw load, and use it to
 determine the correct .in_secure and .in_space fields for the
 stage 2 lookup for the ptw load.
-Reviewed-by: Luc Michel <luc@lmichel.fr>
+Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20220316164645.2303510-6-edgar.iglesias@gmail.com
+Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20230710152130.3928330-3-peter.maydell@linaro.org
 Fixes: fe4a5472ccd6 ("target/arm: Use get_phys_addr_with_struct in S1_ptw_translate")
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/misc/xlnx-zynqmp-apu-ctrl.h |  93 +++++++++
+ target/arm/ptw.c | 37 ++++++++++++++++++++++++++++++++-----
- hw/misc/xlnx-zynqmp-apu-ctrl.c         | 253 +++++++++++++++++++++++++
+file changed, 32 insertions(+), 5 deletions(-)
  hw/misc/meson.build                    |   1 +
 files changed, 347 insertions(+)
  create mode 100644 include/hw/misc/xlnx-zynqmp-apu-ctrl.h
  create mode 100644 hw/misc/xlnx-zynqmp-apu-ctrl.c
-diff --git a/include/hw/misc/xlnx-zynqmp-apu-ctrl.h b/include/hw/misc/xlnx-zynqmp-apu-ctrl.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/target/arm/ptw.c
---- /dev/null
++++ b/target/arm/ptw.c
-+++ b/include/hw/misc/xlnx-zynqmp-apu-ctrl.h
+@@ -XXX,XX +XXX,XX @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
-@@ -XXX,XX +XXX,XX @@
+     }
-+/*
+ }
-+ * QEMU model of ZynqMP APU Control.
-+ *
++static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space,
-+ * Copyright (c) 2013-2022 Xilinx Inc
++                                          ARMMMUIdx s2_mmu_idx)
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + *
 + * Written by Peter Crosthwaite <peter.crosthwaite@xilinx.com> and
 + * Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 + *
 + */
 +#ifndef HW_MISC_XLNX_ZYNQMP_APU_CTRL_H
 +#define HW_MISC_XLNX_ZYNQMP_APU_CTRL_H
 +
 +#include "hw/sysbus.h"
 +#include "hw/register.h"
 +#include "target/arm/cpu.h"
 +
 +#define TYPE_XLNX_ZYNQMP_APU_CTRL "xlnx.apu-ctrl"
 +OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPAPUCtrl, XLNX_ZYNQMP_APU_CTRL)
 +
 +REG32(APU_ERR_CTRL, 0x0)
 +    FIELD(APU_ERR_CTRL, PSLVERR, 0, 1)
 +REG32(ISR, 0x10)
 +    FIELD(ISR, INV_APB, 0, 1)
 +REG32(IMR, 0x14)
 +    FIELD(IMR, INV_APB, 0, 1)
 +REG32(IEN, 0x18)
 +    FIELD(IEN, INV_APB, 0, 1)
 +REG32(IDS, 0x1c)
 +    FIELD(IDS, INV_APB, 0, 1)
 +REG32(CONFIG_0, 0x20)
 +    FIELD(CONFIG_0, CFGTE, 24, 4)
 +    FIELD(CONFIG_0, CFGEND, 16, 4)
 +    FIELD(CONFIG_0, VINITHI, 8, 4)
 +    FIELD(CONFIG_0, AA64NAA32, 0, 4)
 +REG32(CONFIG_1, 0x24)
 +    FIELD(CONFIG_1, L2RSTDISABLE, 29, 1)
 +    FIELD(CONFIG_1, L1RSTDISABLE, 28, 1)
 +    FIELD(CONFIG_1, CP15DISABLE, 0, 4)
 +REG32(RVBARADDR0L, 0x40)
 +    FIELD(RVBARADDR0L, ADDR, 2, 30)
 +REG32(RVBARADDR0H, 0x44)
 +    FIELD(RVBARADDR0H, ADDR, 0, 8)
 +REG32(RVBARADDR1L, 0x48)
 +    FIELD(RVBARADDR1L, ADDR, 2, 30)
 +REG32(RVBARADDR1H, 0x4c)
 +    FIELD(RVBARADDR1H, ADDR, 0, 8)
 +REG32(RVBARADDR2L, 0x50)
 +    FIELD(RVBARADDR2L, ADDR, 2, 30)
 +REG32(RVBARADDR2H, 0x54)
 +    FIELD(RVBARADDR2H, ADDR, 0, 8)
 +REG32(RVBARADDR3L, 0x58)
 +    FIELD(RVBARADDR3L, ADDR, 2, 30)
 +REG32(RVBARADDR3H, 0x5c)
 +    FIELD(RVBARADDR3H, ADDR, 0, 8)
 +REG32(ACE_CTRL, 0x60)
 +    FIELD(ACE_CTRL, AWQOS, 16, 4)
 +    FIELD(ACE_CTRL, ARQOS, 0, 4)
 +REG32(SNOOP_CTRL, 0x80)
 +    FIELD(SNOOP_CTRL, ACE_INACT, 4, 1)
 +    FIELD(SNOOP_CTRL, ACP_INACT, 0, 1)
 +REG32(PWRCTL, 0x90)
 +    FIELD(PWRCTL, CLREXMONREQ, 17, 1)
 +    FIELD(PWRCTL, L2FLUSHREQ, 16, 1)
 +    FIELD(PWRCTL, CPUPWRDWNREQ, 0, 4)
 +REG32(PWRSTAT, 0x94)
 +    FIELD(PWRSTAT, CLREXMONACK, 17, 1)
 +    FIELD(PWRSTAT, L2FLUSHDONE, 16, 1)
 +    FIELD(PWRSTAT, DBGNOPWRDWN, 0, 4)
 +
 +#define APU_R_MAX ((R_PWRSTAT) + 1)
 +
 +#define APU_MAX_CPU    4
 +
 +struct XlnxZynqMPAPUCtrl {
 +    SysBusDevice busdev;
 +
 +    ARMCPU *cpus[APU_MAX_CPU];
 +    /* WFIs towards PMU. */
 +    qemu_irq wfi_out[4];
 +    /* CPU Power status towards INTC Redirect. */
 +    qemu_irq cpu_power_status[4];
 +    qemu_irq irq_imr;
 +
 +    uint8_t cpu_pwrdwn_req;
 +    uint8_t cpu_in_wfi;
 +
 +    RegisterInfoArray *reg_array;
 +    uint32_t regs[APU_R_MAX];
 +    RegisterInfo regs_info[APU_R_MAX];
 +};
 +
 +#endif
 diff --git a/hw/misc/xlnx-zynqmp-apu-ctrl.c b/hw/misc/xlnx-zynqmp-apu-ctrl.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/xlnx-zynqmp-apu-ctrl.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the ZynqMP APU Control.
 + *
 + * Copyright (c) 2013-2022 Xilinx Inc
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + *
 + * Written by Peter Crosthwaite <peter.crosthwaite@xilinx.com> and
 + * Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu/log.h"
 +#include "migration/vmstate.h"
 +#include "hw/qdev-properties.h"
 +#include "hw/sysbus.h"
 +#include "hw/irq.h"
 +#include "hw/register.h"
 +
 +#include "qemu/bitops.h"
 +#include "qapi/qmp/qerror.h"
 +
 +#include "hw/misc/xlnx-zynqmp-apu-ctrl.h"
 +
 +#ifndef XILINX_ZYNQMP_APU_ERR_DEBUG
 +#define XILINX_ZYNQMP_APU_ERR_DEBUG 0
 +#endif
 +
 +static void update_wfi_out(void *opaque)
 +{
-+    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(opaque);
++    /*
-+    unsigned int i, wfi_pending;
++     * Return the security space to use for stage 2 when doing
-+
++     * the S1 page table descriptor load.
-+    wfi_pending = s->cpu_pwrdwn_req & s->cpu_in_wfi;
++     */
-+    for (i = 0; i < APU_MAX_CPU; i++) {
++    if (regime_is_stage2(s2_mmu_idx)) {
-+        qemu_set_irq(s->wfi_out[i], !!(wfi_pending & (1 << i)));
++        /*
 +         * The security space for ptw reads is almost always the same
 +         * as that of the security space of the stage 1 translation.
 +         * The only exception is when stage 1 is Secure; in that case
 +         * the ptw read might be to the Secure or the NonSecure space
 +         * (but never Realm or Root), and the s2_mmu_idx tells us which.
 +         * Root translations are always single-stage.
 +         */
 +        if (s1_space == ARMSS_Secure) {
 +            return arm_secure_to_space(s2_mmu_idx == ARMMMUIdx_Stage2_S);
 +        } else {
 +            assert(s2_mmu_idx != ARMMMUIdx_Stage2_S);
 +            assert(s1_space != ARMSS_Root);
 +            return s1_space;
 +        }
 +    } else {
 +        /* ptw loads are from phys: the mmu idx itself says which space */
 +        return arm_phys_to_space(s2_mmu_idx);
 +    }
 +}
 +
-+static void zynqmp_apu_rvbar_post_write(RegisterInfo *reg, uint64_t val)
+ /* Translate a S1 pagetable walk through S2 if needed.  */
-+{
+ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-+    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(reg->opaque);
+                              hwaddr addr, ARMMMUFaultInfo *fi)
-+    int i;
+ {
-+
+-    ARMSecuritySpace space = ptw->in_space;
-+    for (i = 0; i < APU_MAX_CPU; ++i) {
+     bool is_secure = ptw->in_secure;
-+        uint64_t rvbar = s->regs[R_RVBARADDR0L + 2 * i] +
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-+                         ((uint64_t)s->regs[R_RVBARADDR0H + 2 * i] << 32);
+     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
-+        if (s->cpus[i]) {
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-+            object_property_set_int(OBJECT(s->cpus[i]), "rvbar", rvbar,
+          * From gdbstub, do not use softmmu so that we don't modify the
-+                                    &error_abort);
+          * state of the cpu at all, including softmmu tlb contents.
-+        }
+          */
-+    }
++        ARMSecuritySpace s2_space = S2_security_space(ptw->in_space, s2_mmu_idx);
-+}
+         S1Translate s2ptw = {
-+
+             .in_mmu_idx = s2_mmu_idx,
-+static void zynqmp_apu_pwrctl_post_write(RegisterInfo *reg, uint64_t val)
+             .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
-+{
+-            .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
-+    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(reg->opaque);
+-            .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
-+    unsigned int i, new;
+-                         : space == ARMSS_Realm ? ARMSS_Realm
-+
+-                         : ARMSS_NonSecure),
-+    for (i = 0; i < APU_MAX_CPU; i++) {
++            .in_secure = arm_space_is_secure(s2_space),
-+        new = val & (1 << i);
++            .in_space = s2_space,
-+        /* Check if CPU's CPUPWRDNREQ has changed. If yes, update GPIOs. */
+             .in_debug = true,
-+        if (new != (s->cpu_pwrdwn_req & (1 << i))) {
+         };
-+            qemu_set_irq(s->cpu_power_status[i], !!new);
+         GetPhysAddrResult s2 = { };
 +        }
 +        s->cpu_pwrdwn_req &= ~(1 << i);
 +        s->cpu_pwrdwn_req |= new;
 +    }
 +    update_wfi_out(s);
 +}
 +
 +static void imr_update_irq(XlnxZynqMPAPUCtrl *s)
 +{
 +    bool pending = s->regs[R_ISR] & ~s->regs[R_IMR];
 +    qemu_set_irq(s->irq_imr, pending);
 +}
 +
 +static void isr_postw(RegisterInfo *reg, uint64_t val64)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(reg->opaque);
 +    imr_update_irq(s);
 +}
 +
 +static uint64_t ien_prew(RegisterInfo *reg, uint64_t val64)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(reg->opaque);
 +    uint32_t val = val64;
 +
 +    s->regs[R_IMR] &= ~val;
 +    imr_update_irq(s);
 +    return 0;
 +}
 +
 +static uint64_t ids_prew(RegisterInfo *reg, uint64_t val64)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(reg->opaque);
 +    uint32_t val = val64;
 +
 +    s->regs[R_IMR] |= val;
 +    imr_update_irq(s);
 +    return 0;
 +}
 +
 +static const RegisterAccessInfo zynqmp_apu_regs_info[] = {
 +#define RVBAR_REGDEF(n) \
 +    {   .name = "RVBAR CPU " #n " Low",  .addr = A_RVBARADDR ## n ## L,    \
 +            .reset = 0xffff0000ul,                                         \
 +            .post_write = zynqmp_apu_rvbar_post_write,                     \
 +    },{ .name = "RVBAR CPU " #n " High", .addr = A_RVBARADDR ## n ## H,    \
 +            .post_write = zynqmp_apu_rvbar_post_write,                     \
 +    }
 +    {   .name = "ERR_CTRL",  .addr = A_APU_ERR_CTRL,
 +    },{ .name = "ISR",  .addr = A_ISR,
 +        .w1c = 0x1,
 +        .post_write = isr_postw,
 +    },{ .name = "IMR",  .addr = A_IMR,
 +        .reset = 0x1,
 +        .ro = 0x1,
 +    },{ .name = "IEN",  .addr = A_IEN,
 +        .pre_write = ien_prew,
 +    },{ .name = "IDS",  .addr = A_IDS,
 +        .pre_write = ids_prew,
 +    },{ .name = "CONFIG_0",  .addr = A_CONFIG_0,
 +        .reset = 0xf0f,
 +    },{ .name = "CONFIG_1",  .addr = A_CONFIG_1,
 +    },
 +    RVBAR_REGDEF(0),
 +    RVBAR_REGDEF(1),
 +    RVBAR_REGDEF(2),
 +    RVBAR_REGDEF(3),
 +    { .name = "ACE_CTRL",  .addr = A_ACE_CTRL,
 +        .reset = 0xf000f,
 +    },{ .name = "SNOOP_CTRL",  .addr = A_SNOOP_CTRL,
 +    },{ .name = "PWRCTL",  .addr = A_PWRCTL,
 +        .post_write = zynqmp_apu_pwrctl_post_write,
 +    },{ .name = "PWRSTAT",  .addr = A_PWRSTAT,
 +        .ro = 0x3000f,
 +    }
 +};
 +
 +static void zynqmp_apu_reset_enter(Object *obj, ResetType type)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(obj);
 +    int i;
 +
 +    for (i = 0; i < APU_R_MAX; ++i) {
 +        register_reset(&s->regs_info[i]);
 +    }
 +
 +    s->cpu_pwrdwn_req = 0;
 +    s->cpu_in_wfi = 0;
 +}
 +
 +static void zynqmp_apu_reset_hold(Object *obj)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(obj);
 +
 +    update_wfi_out(s);
 +    imr_update_irq(s);
 +}
 +
 +static const MemoryRegionOps zynqmp_apu_ops = {
 +    .read = register_read_memory,
 +    .write = register_write_memory,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +    }
 +};
 +
 +static void zynqmp_apu_handle_wfi(void *opaque, int irq, int level)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(opaque);
 +
 +    s->cpu_in_wfi = deposit32(s->cpu_in_wfi, irq, 1, level);
 +    update_wfi_out(s);
 +}
 +
 +static void zynqmp_apu_init(Object *obj)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(obj);
 +    int i;
 +
 +    s->reg_array =
 +        register_init_block32(DEVICE(obj), zynqmp_apu_regs_info,
 +                              ARRAY_SIZE(zynqmp_apu_regs_info),
 +                              s->regs_info, s->regs,
 +                              &zynqmp_apu_ops,
 +                              XILINX_ZYNQMP_APU_ERR_DEBUG,
 +                              APU_R_MAX * 4);
 +    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->reg_array->mem);
 +    sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq_imr);
 +
 +    for (i = 0; i < APU_MAX_CPU; ++i) {
 +        g_autofree gchar *prop_name = g_strdup_printf("cpu%d", i);
 +        object_property_add_link(obj, prop_name, TYPE_ARM_CPU,
 +                                 (Object **)&s->cpus[i],
 +                                 qdev_prop_allow_set_link_before_realize,
 +                                 OBJ_PROP_LINK_STRONG);
 +    }
 +
 +    /* wfi_out is used to connect to PMU GPIs. */
 +    qdev_init_gpio_out_named(DEVICE(obj), s->wfi_out, "wfi_out", 4);
 +    /* CPU_POWER_STATUS is used to connect to INTC redirect. */
 +    qdev_init_gpio_out_named(DEVICE(obj), s->cpu_power_status,
 +                             "CPU_POWER_STATUS", 4);
 +    /* wfi_in is used as input from CPUs as wfi request. */
 +    qdev_init_gpio_in_named(DEVICE(obj), zynqmp_apu_handle_wfi, "wfi_in", 4);
 +}
 +
 +static void zynqmp_apu_finalize(Object *obj)
 +{
 +    XlnxZynqMPAPUCtrl *s = XLNX_ZYNQMP_APU_CTRL(obj);
 +    register_finalize_block(s->reg_array);
 +}
 +
 +static const VMStateDescription vmstate_zynqmp_apu = {
 +    .name = TYPE_XLNX_ZYNQMP_APU_CTRL,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32_ARRAY(regs, XlnxZynqMPAPUCtrl, APU_R_MAX),
 +        VMSTATE_END_OF_LIST(),
 +    }
 +};
 +
 +static void zynqmp_apu_class_init(ObjectClass *klass, void *data)
 +{
 +    ResettableClass *rc = RESETTABLE_CLASS(klass);
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->vmsd = &vmstate_zynqmp_apu;
 +
 +    rc->phases.enter = zynqmp_apu_reset_enter;
 +    rc->phases.hold = zynqmp_apu_reset_hold;
 +}
 +
 +static const TypeInfo zynqmp_apu_info = {
 +    .name              = TYPE_XLNX_ZYNQMP_APU_CTRL,
 +    .parent            = TYPE_SYS_BUS_DEVICE,
 +    .instance_size     = sizeof(XlnxZynqMPAPUCtrl),
 +    .class_init        = zynqmp_apu_class_init,
 +    .instance_init     = zynqmp_apu_init,
 +    .instance_finalize = zynqmp_apu_finalize,
 +};
 +
 +static void zynqmp_apu_register_types(void)
 +{
 +    type_register_static(&zynqmp_apu_info);
 +}
 +
 +type_init(zynqmp_apu_register_types)
 diff --git a/hw/misc/meson.build b/hw/misc/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/meson.build
 +++ b/hw/misc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files(
  softmmu_ss.add(when: 'CONFIG_SLAVIO', if_true: files('slavio_misc.c'))
  softmmu_ss.add(when: 'CONFIG_ZYNQ', if_true: files('zynq_slcr.c'))
  specific_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zynqmp-crf.c'))
 +specific_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zynqmp-apu-ctrl.c'))
  softmmu_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files(
    'xlnx-versal-xramc.c',
    'xlnx-versal-pmc-iou-slcr.c',
 --
-.25.1
+.34.1

-[PULL 05/21] hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
+[PULL 5/7] target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits
-In npcm7xx_clk_sel_init() we allocate a string with g_strdup_printf().
+In get_phys_addr_twostage() the code that applies the effects of
-Use g_autofree so we free it rather than leaking it.
+VSTCR.{SA,SW} and VTCR.{NSA,NSW} only updates result->f.attrs.secure.
 Now we also have f.attrs.space for FEAT_RME, we need to keep the two
 in sync.
-(Detected with the clang leak sanitizer.)
+These bits only have an effect for Secure space translations, not
 for Root, so use the input in_space field to determine whether to
 apply them rather than the input is_secure. This doesn't actually
 make a difference because Root translations are never two-stage,
 but it's a little clearer.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20230710152130.3928330-4-peter.maydell@linaro.org
 Message-id: 20220308170302.2582820-1-peter.maydell@linaro.org
 ---
- hw/misc/npcm7xx_clk.c | 4 ++--
+ target/arm/ptw.c | 13 ++++++++-----
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 8 insertions(+), 5 deletions(-)
-diff --git a/hw/misc/npcm7xx_clk.c b/hw/misc/npcm7xx_clk.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/npcm7xx_clk.c
+--- a/target/arm/ptw.c
-+++ b/hw/misc/npcm7xx_clk.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void npcm7xx_clk_sel_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-     NPCM7xxClockSELState *sel = NPCM7XX_CLOCK_SEL(obj);
+     hwaddr ipa;
+     int s1_prot, s1_lgpgsz;
-     for (i = 0; i < NPCM7XX_CLK_SEL_MAX_INPUT; ++i) {
+     bool is_secure = ptw->in_secure;
--        sel->clock_in[i] = qdev_init_clock_in(DEVICE(sel),
++    ARMSecuritySpace in_space = ptw->in_space;
--                g_strdup_printf("clock-in[%d]", i),
+     bool ret, ipa_secure;
-+        g_autofree char *s = g_strdup_printf("clock-in[%d]", i);
+     ARMCacheAttrs cacheattrs1;
-+        sel->clock_in[i] = qdev_init_clock_in(DEVICE(sel), s,
+     ARMSecuritySpace ipa_space;
-                 npcm7xx_clk_update_sel_cb, sel, ClockUpdate);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-     }
+      * Check if IPA translates to secure or non-secure PA space.
-     sel->clock_out = qdev_init_clock_out(DEVICE(sel), "clock-out");
+      * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
       */
 -    result->f.attrs.secure =
 -        (is_secure
 -         && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
 -         && (ipa_secure
 -             || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
 +    if (in_space == ARMSS_Secure) {
 +        result->f.attrs.secure =
 +            !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
 +            && (ipa_secure
 +                || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW)));
 +        result->f.attrs.space = arm_secure_to_space(result->f.attrs.secure);
 +    }
      return false;
  }
 --
-.25.1
+.34.1

-[PULL 02/21] target/arm: Fix pauth_check_trap vs SEL2
+[PULL 6/7] accel/tcg: Zero-pad PC in TCG CPU exec trace lines
-From: Richard Henderson <richard.henderson@linaro.org>
+In commit f0a08b0913befbd we changed the type of the PC from
 target_ulong to vaddr.  In doing so we inadvertently dropped the
 zero-padding on the PC in trace lines (the second item inside the []
 in these lines).  They used to look like this on AArch64, for
 instance:
-When arm_is_el2_enabled was introduced, we missed
+Trace 0: 0x7f2260000100 [00000000/0000000040000000/00000061/ff200000]
 updating pauth_check_trap.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/788
+and now they look like this:
-Fixes: e6ef0169264b ("target/arm: use arm_is_el2_enabled() where applicable")
+Trace 0: 0x7f4f50000100 [00000000/40000000/00000061/ff200000]
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+and if the PC happens to be somewhere low like 0x5000
-Message-id: 20220315021205.342768-1-richard.henderson@linaro.org
+then the field is shown as /5000/.
 This is because TARGET_FMT_lx is a "%08x" or "%016x" specifier,
 depending on TARGET_LONG_SIZE, whereas VADDR_PRIx is just PRIx64
 with no width specifier.
 Restore the zero-padding by adding an 016 width specifier to
 this tracing and a couple of others that were similarly recently
 changed to use VADDR_PRIx without a width specifier.
 We can't unfortunately restore the "32-bit guests are padded to
 hex digits and 64-bit guests to 16 hex digits" behaviour so
 easily.
 Fixes: f0a08b0913befbd ("accel/tcg/cpu-exec.c: Widen pc to vaddr")
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Anton Johansson <anjo@rev.ng>
+Message-id: 20230711165434.4123674-1-peter.maydell@linaro.org
 ---
- target/arm/pauth_helper.c | 2 +-
+ accel/tcg/cpu-exec.c      | 4 ++--
-file changed, 1 insertion(+), 1 deletion(-)
+ accel/tcg/translate-all.c | 2 +-
 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/pauth_helper.c
+--- a/accel/tcg/cpu-exec.c
-+++ b/target/arm/pauth_helper.c
++++ b/accel/tcg/cpu-exec.c
-@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN pauth_trap(CPUARMState *env, int target_el,
+@@ -XXX,XX +XXX,XX @@ static void log_cpu_exec(vaddr pc, CPUState *cpu,
+     if (qemu_log_in_addr_range(pc)) {
- static void pauth_check_trap(CPUARMState *env, int el, uintptr_t ra)
+         qemu_log_mask(CPU_LOG_EXEC,
- {
+                       "Trace %d: %p [%08" PRIx64
--    if (el < 2 && arm_feature(env, ARM_FEATURE_EL2)) {
+-                      "/%" VADDR_PRIx "/%08x/%08x] %s\n",
-+    if (el < 2 && arm_is_el2_enabled(env)) {
++                      "/%016" VADDR_PRIx "/%08x/%08x] %s\n",
-         uint64_t hcr = arm_hcr_el2_eff(env);
+                       cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc,
-         bool trap = !(hcr & HCR_API);
+                       tb->flags, tb->cflags, lookup_symbol(pc));
-         if (el == 0) {
@@ -XXX,XX +XXX,XX @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
          if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
              vaddr pc = log_pc(cpu, last_tb);
              if (qemu_log_in_addr_range(pc)) {
 -                qemu_log("Stopped execution of TB chain before %p [%"
 +                qemu_log("Stopped execution of TB chain before %p [%016"
                           VADDR_PRIx "] %s\n",
                           last_tb->tc.ptr, pc, lookup_symbol(pc));
              }
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
      if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
          vaddr pc = log_pc(cpu, tb);
          if (qemu_log_in_addr_range(pc)) {
 -            qemu_log("cpu_io_recompile: rewound execution of TB to %"
 +            qemu_log("cpu_io_recompile: rewound execution of TB to %016"
                       VADDR_PRIx "\n", pc);
          }
      }
 --
-.25.1
+.34.1

-[PULL 03/21] target/arm: Fix handling of LPAE block descriptors
+Deleted patch
-LPAE descriptors come in three forms:
- * table descriptors, giving the address of the next level page table
- * page descriptors, which occur only at level 3 and describe the
-   mapping of one page (which might be 4K, 16K or 64K)
- * block descriptors, which occur at higher page table levels, and
-   describe the mapping of huge pages
-QEMU's page-table-walk code treats block and page entries
-identically, simply ORing in a number of bits from the input virtual
-address that depends on the level of the page table that we stopped
-at; we depend on the previous masking of descaddr with descaddrmask
-to have already cleared out the low bits of the descriptor word.
-This is not quite right: the address field in a block descriptor is
-smaller, and so there are bits which are valid address bits in a page
-descriptor or a table descriptor but which are not supposed to be
-part of the address in a block descriptor, and descaddrmask does not
-clear them.  We previously mostly got away with this because those
-descriptor bits are RES0; however with FEAT_BBM (part of Armv8.4)
-block descriptor bit 16 is defined to be the nT bit.  No emulated
-QEMU CPU has FEAT_BBM yet, but if the host CPU has it then we might
-see it when using KVM or hvf.
-Explicitly zero out all the descaddr bits we're about to OR vaddr
-bits into.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/790
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220304165628.2345765-1-peter.maydell@linaro.org
----
- target/arm/helper.c | 10 ++++++++--
-file changed, 8 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-             indexmask = indexmask_grainsize;
-             continue;
-         }
--        /* Block entry at level 1 or 2, or page entry at level 3.
-+        /*
-+         * Block entry at level 1 or 2, or page entry at level 3.
-          * These are basically the same thing, although the number
--         * of bits we pull in from the vaddr varies.
-+         * of bits we pull in from the vaddr varies. Note that although
-+         * descaddrmask masks enough of the low bits of the descriptor
-+         * to give a correct page or table address, the address field
-+         * in a block descriptor is smaller; so we need to explicitly
-+         * clear the lower bits here before ORing in the low vaddr bits.
-          */
-         page_size = (1ULL << ((stride * (4 - level)) + 3));
-+        descaddr &= ~(page_size - 1);
-         descaddr |= (address & (page_size - 1));
-         /* Extract attributes from the descriptor */
-         attrs = extract64(descriptor, 2, 10)
---
-.25.1

-[PULL 04/21] hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
+Deleted patch
-In commit 00f05c02f9e7342f we gave the TYPE_XLNX_CSU_DMA object its
-own class struct, but forgot to update the TypeInfo::class_size
-accordingly.  This meant that not enough memory was allocated for the
-class struct, and the initialization of xcdc->read in the class init
-function wrote off the end of the memory. Add the missing line.
-Found by running 'check-qtest-aarch64' with a clang
-address-sanitizer build, which complains:
-==2542634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000ab00 at pc 0x559a20aebc29 bp 0x7fff97df74d0 sp 0x7fff97df74c8
-WRITE of size 8 at 0x61000000ab00 thread T0
-    #0 0x559a20aebc28 in xlnx_csu_dma_class_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../hw/dma/xlnx_csu_dma.c:722:16
-    #1 0x559a21bf297c in type_initialize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:365:9
-    #2 0x559a21bf3442 in object_class_foreach_tramp /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1070:5
-    #3 0x7f09bcb641b7 in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x401b7)
-    #4 0x559a21bf3c27 in object_class_foreach /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1092:5
-    #5 0x559a21bf3c27 in object_class_get_list /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1149:5
-    #6 0x559a2081a2fd in select_machine /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:1661:24
-    #7 0x559a2081a2fd in qemu_create_machine /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:2146:35
-    #8 0x559a2081a2fd in qemu_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:3706:5
-    #9 0x559a20720ed5 in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/main.c:49:5
-    #10 0x7f09baec00b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
-    #11 0x559a2067673d in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/qemu-system-aarch64+0xf4b73d)
-x61000000ab00 is located 0 bytes to the right of 192-byte region [0x61000000aa40,0x61000000ab00)
-allocated by thread T0 here:
-    #0 0x559a206eeff2 in calloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/qemu-system-aarch64+0xfc3ff2)
-    #1 0x7f09bcb7bef0 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57ef0)
-    #2 0x559a21bf3442 in object_class_foreach_tramp /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1070:5
-Fixes: 00f05c02f9e7342f ("hw/dma/xlnx_csu_dma: Support starting a read transfer through a class method")
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 20220308150207.2546272-1-peter.maydell@linaro.org
----
- hw/dma/xlnx_csu_dma.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/hw/dma/xlnx_csu_dma.c b/hw/dma/xlnx_csu_dma.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx_csu_dma.c
-+++ b/hw/dma/xlnx_csu_dma.c
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo xlnx_csu_dma_info = {
-     .parent        = TYPE_SYS_BUS_DEVICE,
-     .instance_size = sizeof(XlnxCSUDMA),
-     .class_init    = xlnx_csu_dma_class_init,
-+    .class_size    = sizeof(XlnxCSUDMAClass),
-     .instance_init = xlnx_csu_dma_init,
-     .interfaces = (InterfaceInfo[]) {
-         { TYPE_STREAM_SINK },
---
-.25.1

-[PULL 07/21] nsis installer: Suppress "ANSI targets are deprecated" warning
+Deleted patch
-When we build our Windows installer, it emits the warning:
-   warning 7998: ANSI targets are deprecated
-Fix this by making our installer a Unicode installer instead.  These
-won't work on Win95/98/ME, but we already do not support those.
-See
-https://nsis.sourceforge.io/Docs/Chapter4.html#aunicodetarget
-for the documentation of the Unicode directive.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Stefan Weil <sw@weilnetz.de>
-Message-id: 20220305105743.2384766-3-peter.maydell@linaro.org
----
- qemu.nsi | 3 +++
-file changed, 3 insertions(+)
-diff --git a/qemu.nsi b/qemu.nsi
-index XXXXXXX..XXXXXXX 100644
---- a/qemu.nsi
-+++ b/qemu.nsi
-@@ -XXX,XX +XXX,XX @@
- !define OUTFILE "qemu-setup.exe"
- !endif
-+; Build a unicode installer
-+Unicode true
-+
- ; Use maximum compression.
- SetCompressor /SOLID lzma
---
-.25.1

-[PULL 08/21] nsis installer: Fix mouse-over descriptions for emulators
+Deleted patch
-We use the nsis.py script to write out an installer script Section
-for each emulator executable, so the exact set of Sections depends on
-which executables were built.  However the part of qemu.nsi which
-specifies mouse-over descriptions for each Section still has a
-hard-coded and very outdated list (with just i386 and alpha).  This
-causes two problems.  Firstly, if you build the installer for a
-configuration where you didn't build the i386 binaries you get
-warnings like this:
-  warning 6000: unknown variable/constant "{Section_i386}" detected, ignoring (macro:_==:1)
-  warning 6000: unknown variable/constant "{Section_i386w}" detected, ignoring (macro:_==:1)
-(this happens in our gitlab CI jobs, for instance).
-Secondly, most of the emulators in the generated installer don't have
-any mouseover text.
-Make nsis.py generate a second output file which has the necessary
-MUI_DESCRIPTION_TEXT lines for each Section it creates, so we can
-include that at the right point in qemu.nsi to set the mouse-over
-text.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Message-id: 20220305105743.2384766-4-peter.maydell@linaro.org
----
- qemu.nsi        |  5 +----
- scripts/nsis.py | 13 ++++++++++++-
-files changed, 13 insertions(+), 5 deletions(-)
-diff --git a/qemu.nsi b/qemu.nsi
-index XXXXXXX..XXXXXXX 100644
---- a/qemu.nsi
-+++ b/qemu.nsi
-@@ -XXX,XX +XXX,XX @@ SectionEnd
- ; Descriptions (mouse-over).
- !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
-     !insertmacro MUI_DESCRIPTION_TEXT ${SectionSystem}  "System emulation."
--    !insertmacro MUI_DESCRIPTION_TEXT ${Section_alpha}  "Alpha system emulation."
--    !insertmacro MUI_DESCRIPTION_TEXT ${Section_alphaw} "Alpha system emulation (GUI)."
--    !insertmacro MUI_DESCRIPTION_TEXT ${Section_i386}   "PC i386 system emulation."
--    !insertmacro MUI_DESCRIPTION_TEXT ${Section_i386w}  "PC i386 system emulation (GUI)."
-+!include "${BINDIR}\system-mui-text.nsh"
-     !insertmacro MUI_DESCRIPTION_TEXT ${SectionTools} "Tools."
- !ifdef DLLDIR
-     !insertmacro MUI_DESCRIPTION_TEXT ${SectionDll}   "Runtime Libraries (DLL)."
-diff --git a/scripts/nsis.py b/scripts/nsis.py
-index XXXXXXX..XXXXXXX 100644
---- a/scripts/nsis.py
-+++ b/scripts/nsis.py
-@@ -XXX,XX +XXX,XX @@ def main():
-         subprocess.run(["make", "install", "DESTDIR=" + destdir + os.path.sep])
-         with open(
-             os.path.join(destdir + args.prefix, "system-emulations.nsh"), "w"
--        ) as nsh:
-+        ) as nsh, open(
-+            os.path.join(destdir + args.prefix, "system-mui-text.nsh"), "w"
-+        ) as muinsh:
-             for exe in sorted(glob.glob(
-                 os.path.join(destdir + args.prefix, "qemu-system-*.exe")
-             )):
-@@ -XXX,XX +XXX,XX @@ def main():
-                         arch, exe
-                     )
-                 )
-+                if arch.endswith('w'):
-+                    desc = arch[:-1] + " emulation (GUI)."
-+                else:
-+                    desc = arch + " emulation."
-+
-+                muinsh.write(
-+                    """
-+                !insertmacro MUI_DESCRIPTION_TEXT ${{Section_{0}}} "{1}"
-+                """.format(arch, desc))
-         for exe in glob.glob(os.path.join(destdir + args.prefix, "*.exe")):
-             signcode(exe)
---
-.25.1

-[PULL 09/21] hw/intc: Rename CONFIG_ARM_GIC_TCG into CONFIG_ARM_GICV3_TCG
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-CONFIG_ARM_GIC_TCG actually guards the compilation of TCG GICv3
-specific files. So let's rename it into CONFIG_ARM_GICV3_TCG
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20220308182452.223473-2-eric.auger@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/Kconfig     | 2 +-
- hw/intc/meson.build | 4 ++--
-files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/Kconfig
-+++ b/hw/intc/Kconfig
-@@ -XXX,XX +XXX,XX @@ config APIC
-     select MSI_NONBROKEN
-     select I8259
--config ARM_GIC_TCG
-+config ARM_GICV3_TCG
-     bool
-     default y
-     depends on ARM_GIC && TCG
-diff --git a/hw/intc/meson.build b/hw/intc/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/meson.build
-+++ b/hw/intc/meson.build
-@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
-   'arm_gicv3_common.c',
-   'arm_gicv3_its_common.c',
- ))
--softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
-+softmmu_ss.add(when: 'CONFIG_ARM_GICV3_TCG', if_true: files(
-   'arm_gicv3.c',
-   'arm_gicv3_dist.c',
-   'arm_gicv3_its.c',
-@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
- specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
- specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
- specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
--specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
-+specific_ss.add(when: 'CONFIG_ARM_GICV3_TCG', if_true: files('arm_gicv3_cpuif.c'))
- specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
- specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
- specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
---
-.25.1

-[PULL 10/21] hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-In TCG mode, if gic-version=max we always select GICv3 even if
-CONFIG_ARM_GICV3_TCG is unset. We shall rather select GICv2.
-This also brings the benefit of fixing qos tests errors for tests
-using gic-version=max with CONFIG_ARM_GICV3_TCG unset.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20220308182452.223473-3-eric.auger@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt.c | 7 ++++++-
-file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
-         vms->gic_version = VIRT_GIC_VERSION_2;
-         break;
-     case VIRT_GIC_VERSION_MAX:
--        vms->gic_version = VIRT_GIC_VERSION_3;
-+        if (module_object_class_by_name("arm-gicv3")) {
-+            /* CONFIG_ARM_GICV3_TCG was set */
-+            vms->gic_version = VIRT_GIC_VERSION_3;
-+        } else {
-+            vms->gic_version = VIRT_GIC_VERSION_2;
-+        }
-         break;
-     case VIRT_GIC_VERSION_HOST:
-         error_report("gic-version=host requires KVM");
---
-.25.1

-[PULL 11/21] target/arm: Log M-profile vector table accesses
+Deleted patch
-Currently the CPU_LOG_INT logging misses some useful information
-about loads from the vector table.  Add logging where we load vector
-table entries.  This is particularly helpful for cases where the user
-has accidentally not put a vector table in their image at all, which
-can result in confusing guest crashes at startup.
-Here's an example of the new logging for a case where
-the vector table contains garbage:
-Loaded reset SP 0x0 PC 0x0 from vector table
-Loaded reset SP 0xd008f8df PC 0xf000bf00 from vector table
-Taking exception 3 [Prefetch Abort] on CPU 0
-...with CFSR.IACCVIOL
-...BusFault with BFSR.STKERR
-...taking pending nonsecure exception 3
-...loading from element 3 of non-secure vector table at 0xc
-...loaded new PC 0x20000558
-----------------
-IN:
-x20000558:  08000079  stmdaeq  r0, {r0, r3, r4, r5, r6}
-(The double reset logging is the result of our long-standing
-"CPUs all get reset twice" weirdness; it looks a bit ugly
-but it'll go away if we ever fix that :-))
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20220315204306.2797684-2-peter.maydell@linaro.org
----
- target/arm/cpu.c      | 5 +++++
- target/arm/m_helper.c | 5 +++++
-files changed, 10 insertions(+)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "qemu/qemu-print.h"
- #include "qemu/timer.h"
-+#include "qemu/log.h"
- #include "qemu-common.h"
- #include "target/arm/idau.h"
- #include "qemu/module.h"
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-             initial_pc = ldl_phys(s->as, vecbase + 4);
-         }
-+        qemu_log_mask(CPU_LOG_INT,
-+                      "Loaded reset SP 0x%x PC 0x%x from vector table\n",
-+                      initial_msp, initial_pc);
-+
-         env->regs[13] = initial_msp & 0xFFFFFFFC;
-         env->regs[15] = initial_pc & ~1;
-         env->thumb = initial_pc & 1;
-diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/m_helper.c
-+++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
-     ARMMMUIdx mmu_idx;
-     bool exc_secure;
-+    qemu_log_mask(CPU_LOG_INT,
-+                  "...loading from element %d of %s vector table at 0x%x\n",
-+                  exc, targets_secure ? "secure" : "non-secure", addr);
-+
-     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
-     /*
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
-         goto load_fail;
-     }
-     *pvec = vector_entry;
-+    qemu_log_mask(CPU_LOG_INT, "...loaded new PC 0x%x\n", *pvec);
-     return true;
- load_fail:
---
-.25.1

-[PULL 12/21] target/arm: Log fault address for M-profile faults
+Deleted patch
-For M-profile, the fault address is not always exposed to the guest
-in a fault register (for instance the BFAR bus fault address register
-is only updated for bus faults on data accesses, not instruction
-accesses).  Currently we log the address only if we're putting it
-into a particular guest-visible register.  Since we always have it,
-log it generically, to make logs of i-side faults a bit clearer.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20220315204306.2797684-3-peter.maydell@linaro.org
----
- target/arm/m_helper.c | 6 ++++++
-file changed, 6 insertions(+)
-diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/m_helper.c
-+++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
-          * Note that for M profile we don't have a guest facing FSR, but
-          * the env->exception.fsr will be populated by the code that
-          * raises the fault, in the A profile short-descriptor format.
-+         *
-+         * Log the exception.vaddress now regardless of subtype, because
-+         * logging below only logs it when it goes into a guest visible
-+         * register.
-          */
-+        qemu_log_mask(CPU_LOG_INT, "...at fault address 0x%x\n",
-+                      (uint32_t)env->exception.vaddress);
-         switch (env->exception.fsr & 0xf) {
-         case M_FAKE_FSR_NSC_EXEC:
-             /*
---
-.25.1

-[PULL 13/21] hw/arm/xlnx-zynqmp: Add an unimplemented SERDES area
+Deleted patch
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-Add an unimplemented SERDES (Serializer/Deserializer) area.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Message-id: 20220316164645.2303510-2-edgar.iglesias@gmail.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/xlnx-zynqmp.h | 2 +-
- hw/arm/xlnx-zynqmp.c         | 5 +++++
-files changed, 6 insertions(+), 1 deletion(-)
-diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-zynqmp.h
-+++ b/include/hw/arm/xlnx-zynqmp.h
-@@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
- /*
-  * Unimplemented mmio regions needed to boot some images.
-  */
--#define XLNX_ZYNQMP_NUM_UNIMP_AREAS 1
-+#define XLNX_ZYNQMP_NUM_UNIMP_AREAS 2
- struct XlnxZynqMPState {
-     /*< private >*/
-diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
-+++ b/hw/arm/xlnx-zynqmp.c
-@@ -XXX,XX +XXX,XX @@
- #define QSPI_DMA_ADDR       0xff0f0800
- #define NUM_QSPI_IRQ_LINES  2
-+/* Serializer/Deserializer.  */
-+#define SERDES_ADDR         0xfd400000
-+#define SERDES_SIZE         0x20000
-+
- #define DP_ADDR             0xfd4a0000
- #define DP_IRQ              113
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_unimp_mmio(XlnxZynqMPState *s)
-         hwaddr size;
-     } unimp_areas[ARRAY_SIZE(s->mr_unimp)] = {
-         { .name = "apu", APU_ADDR, APU_SIZE },
-+        { .name = "serdes", SERDES_ADDR, SERDES_SIZE },
-     };
-     unsigned int nr;
---
-.25.1

-[PULL 14/21] target/arm: Make rvbar settable after realize
+Deleted patch
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-Make the rvbar property settable after realize. This is done
-in preparation to model the ZynqMP's runtime configurable rvbar.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Message-id: 20220316164645.2303510-3-edgar.iglesias@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    |  3 ++-
- target/arm/cpu.c    | 12 +++++++-----
- target/arm/helper.c | 10 +++++++---
-files changed, 16 insertions(+), 9 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
-             uint64_t vbar_el[4];
-         };
-         uint32_t mvbar; /* (monitor) vector base address register */
-+        uint64_t rvbar; /* rvbar sampled from rvbar property at reset */
-         struct { /* FCSE PID. */
-             uint32_t fcseidr_ns;
-             uint32_t fcseidr_s;
-@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
-     /* DCZ blocksize, in log_2(words), ie low 4 bits of DCZID_EL0 */
-     uint32_t dcz_blocksize;
--    uint64_t rvbar;
-+    uint64_t rvbar_prop; /* Property/input signals.  */
-     /* Configurable aspects of GIC cpu interface (which is part of the CPU) */
-     int gic_num_lrs; /* number of list registers */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-         } else {
-             env->pstate = PSTATE_MODE_EL1h;
-         }
--        env->pc = cpu->rvbar;
-+
-+        /* Sample rvbar at reset.  */
-+        env->cp15.rvbar = cpu->rvbar_prop;
-+        env->pc = env->cp15.rvbar;
- #endif
-     } else {
- #if defined(CONFIG_USER_ONLY)
-@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_reset_cbar_property =
- static Property arm_cpu_reset_hivecs_property =
-             DEFINE_PROP_BOOL("reset-hivecs", ARMCPU, reset_hivecs, false);
--static Property arm_cpu_rvbar_property =
--            DEFINE_PROP_UINT64("rvbar", ARMCPU, rvbar, 0);
--
- #ifndef CONFIG_USER_ONLY
- static Property arm_cpu_has_el2_property =
-             DEFINE_PROP_BOOL("has_el2", ARMCPU, has_el2, true);
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
-     }
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
--        qdev_property_add_static(DEVICE(obj), &arm_cpu_rvbar_property);
-+        object_property_add_uint64_ptr(obj, "rvbar",
-+                                       &cpu->rvbar_prop,
-+                                       OBJ_PROP_FLAG_READWRITE);
-     }
- #ifndef CONFIG_USER_ONLY
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             ARMCPRegInfo rvbar = {
-                 .name = "RVBAR_EL1", .state = ARM_CP_STATE_AA64,
-                 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
--                .type = ARM_CP_CONST, .access = PL1_R, .resetvalue = cpu->rvbar
-+                .access = PL1_R,
-+                .fieldoffset = offsetof(CPUARMState, cp15.rvbar),
-             };
-             define_one_arm_cp_reg(cpu, &rvbar);
-         }
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             ARMCPRegInfo rvbar = {
-                 .name = "RVBAR_EL2", .state = ARM_CP_STATE_AA64,
-                 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 1,
--                .type = ARM_CP_CONST, .access = PL2_R, .resetvalue = cpu->rvbar
-+                .access = PL2_R,
-+                .fieldoffset = offsetof(CPUARMState, cp15.rvbar),
-             };
-             define_one_arm_cp_reg(cpu, &rvbar);
-         }
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         ARMCPRegInfo el3_regs[] = {
-             { .name = "RVBAR_EL3", .state = ARM_CP_STATE_AA64,
-               .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 1,
--              .type = ARM_CP_CONST, .access = PL3_R, .resetvalue = cpu->rvbar },
-+              .access = PL3_R,
-+              .fieldoffset = offsetof(CPUARMState, cp15.rvbar),
-+            },
-             { .name = "SCTLR_EL3", .state = ARM_CP_STATE_AA64,
-               .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 0,
-               .access = PL3_RW,
---
-.25.1

-[PULL 15/21] hw/misc: Add a model of the Xilinx ZynqMP CRF
+Deleted patch
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-Add a model of the Xilinx ZynqMP CRF. At the moment this
-is mostly a stub model.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Message-id: 20220316164645.2303510-4-edgar.iglesias@gmail.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/misc/xlnx-zynqmp-crf.h | 211 ++++++++++++++++++++++++
- hw/misc/xlnx-zynqmp-crf.c         | 266 ++++++++++++++++++++++++++++++
- hw/misc/meson.build               |   1 +
-files changed, 478 insertions(+)
- create mode 100644 include/hw/misc/xlnx-zynqmp-crf.h
- create mode 100644 hw/misc/xlnx-zynqmp-crf.c
-diff --git a/include/hw/misc/xlnx-zynqmp-crf.h b/include/hw/misc/xlnx-zynqmp-crf.h
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/include/hw/misc/xlnx-zynqmp-crf.h
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * QEMU model of the CRF - Clock Reset FPD.
-+ *
-+ * Copyright (c) 2022 Xilinx Inc.
-+ * SPDX-License-Identifier: GPL-2.0-or-later
-+ * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-+ */
-+#ifndef HW_MISC_XLNX_ZYNQMP_CRF_H
-+#define HW_MISC_XLNX_ZYNQMP_CRF_H
-+
-+#include "hw/sysbus.h"
-+#include "hw/register.h"
-+
-+#define TYPE_XLNX_ZYNQMP_CRF "xlnx.zynqmp_crf"
-+OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPCRF, XLNX_ZYNQMP_CRF)
-+
-+REG32(ERR_CTRL, 0x0)
-+    FIELD(ERR_CTRL, SLVERR_ENABLE, 0, 1)
-+REG32(IR_STATUS, 0x4)
-+    FIELD(IR_STATUS, ADDR_DECODE_ERR, 0, 1)
-+REG32(IR_MASK, 0x8)
-+    FIELD(IR_MASK, ADDR_DECODE_ERR, 0, 1)
-+REG32(IR_ENABLE, 0xc)
-+    FIELD(IR_ENABLE, ADDR_DECODE_ERR, 0, 1)
-+REG32(IR_DISABLE, 0x10)
-+    FIELD(IR_DISABLE, ADDR_DECODE_ERR, 0, 1)
-+REG32(CRF_WPROT, 0x1c)
-+    FIELD(CRF_WPROT, ACTIVE, 0, 1)
-+REG32(APLL_CTRL, 0x20)
-+    FIELD(APLL_CTRL, POST_SRC, 24, 3)
-+    FIELD(APLL_CTRL, PRE_SRC, 20, 3)
-+    FIELD(APLL_CTRL, CLKOUTDIV, 17, 1)
-+    FIELD(APLL_CTRL, DIV2, 16, 1)
-+    FIELD(APLL_CTRL, FBDIV, 8, 7)
-+    FIELD(APLL_CTRL, BYPASS, 3, 1)
-+    FIELD(APLL_CTRL, RESET, 0, 1)
-+REG32(APLL_CFG, 0x24)
-+    FIELD(APLL_CFG, LOCK_DLY, 25, 7)
-+    FIELD(APLL_CFG, LOCK_CNT, 13, 10)
-+    FIELD(APLL_CFG, LFHF, 10, 2)
-+    FIELD(APLL_CFG, CP, 5, 4)
-+    FIELD(APLL_CFG, RES, 0, 4)
-+REG32(APLL_FRAC_CFG, 0x28)
-+    FIELD(APLL_FRAC_CFG, ENABLED, 31, 1)
-+    FIELD(APLL_FRAC_CFG, SEED, 22, 3)
-+    FIELD(APLL_FRAC_CFG, ALGRTHM, 19, 1)
-+    FIELD(APLL_FRAC_CFG, ORDER, 18, 1)
-+    FIELD(APLL_FRAC_CFG, DATA, 0, 16)
-+REG32(DPLL_CTRL, 0x2c)
-+    FIELD(DPLL_CTRL, POST_SRC, 24, 3)
-+    FIELD(DPLL_CTRL, PRE_SRC, 20, 3)
-+    FIELD(DPLL_CTRL, CLKOUTDIV, 17, 1)
-+    FIELD(DPLL_CTRL, DIV2, 16, 1)
-+    FIELD(DPLL_CTRL, FBDIV, 8, 7)
-+    FIELD(DPLL_CTRL, BYPASS, 3, 1)
-+    FIELD(DPLL_CTRL, RESET, 0, 1)
-+REG32(DPLL_CFG, 0x30)
-+    FIELD(DPLL_CFG, LOCK_DLY, 25, 7)
-+    FIELD(DPLL_CFG, LOCK_CNT, 13, 10)
-+    FIELD(DPLL_CFG, LFHF, 10, 2)
-+    FIELD(DPLL_CFG, CP, 5, 4)
-+    FIELD(DPLL_CFG, RES, 0, 4)
-+REG32(DPLL_FRAC_CFG, 0x34)
-+    FIELD(DPLL_FRAC_CFG, ENABLED, 31, 1)
-+    FIELD(DPLL_FRAC_CFG, SEED, 22, 3)
-+    FIELD(DPLL_FRAC_CFG, ALGRTHM, 19, 1)
-+    FIELD(DPLL_FRAC_CFG, ORDER, 18, 1)
-+    FIELD(DPLL_FRAC_CFG, DATA, 0, 16)
-+REG32(VPLL_CTRL, 0x38)
-+    FIELD(VPLL_CTRL, POST_SRC, 24, 3)
-+    FIELD(VPLL_CTRL, PRE_SRC, 20, 3)
-+    FIELD(VPLL_CTRL, CLKOUTDIV, 17, 1)
-+    FIELD(VPLL_CTRL, DIV2, 16, 1)
-+    FIELD(VPLL_CTRL, FBDIV, 8, 7)
-+    FIELD(VPLL_CTRL, BYPASS, 3, 1)
-+    FIELD(VPLL_CTRL, RESET, 0, 1)
-+REG32(VPLL_CFG, 0x3c)
-+    FIELD(VPLL_CFG, LOCK_DLY, 25, 7)
-+    FIELD(VPLL_CFG, LOCK_CNT, 13, 10)
-+    FIELD(VPLL_CFG, LFHF, 10, 2)
-+    FIELD(VPLL_CFG, CP, 5, 4)
-+    FIELD(VPLL_CFG, RES, 0, 4)
-+REG32(VPLL_FRAC_CFG, 0x40)
-+    FIELD(VPLL_FRAC_CFG, ENABLED, 31, 1)
-+    FIELD(VPLL_FRAC_CFG, SEED, 22, 3)
-+    FIELD(VPLL_FRAC_CFG, ALGRTHM, 19, 1)
-+    FIELD(VPLL_FRAC_CFG, ORDER, 18, 1)
-+    FIELD(VPLL_FRAC_CFG, DATA, 0, 16)
-+REG32(PLL_STATUS, 0x44)
-+    FIELD(PLL_STATUS, VPLL_STABLE, 5, 1)
-+    FIELD(PLL_STATUS, DPLL_STABLE, 4, 1)
-+    FIELD(PLL_STATUS, APLL_STABLE, 3, 1)
-+    FIELD(PLL_STATUS, VPLL_LOCK, 2, 1)
-+    FIELD(PLL_STATUS, DPLL_LOCK, 1, 1)
-+    FIELD(PLL_STATUS, APLL_LOCK, 0, 1)
-+REG32(APLL_TO_LPD_CTRL, 0x48)
-+    FIELD(APLL_TO_LPD_CTRL, DIVISOR0, 8, 6)
-+REG32(DPLL_TO_LPD_CTRL, 0x4c)
-+    FIELD(DPLL_TO_LPD_CTRL, DIVISOR0, 8, 6)
-+REG32(VPLL_TO_LPD_CTRL, 0x50)
-+    FIELD(VPLL_TO_LPD_CTRL, DIVISOR0, 8, 6)
-+REG32(ACPU_CTRL, 0x60)
-+    FIELD(ACPU_CTRL, CLKACT_HALF, 25, 1)
-+    FIELD(ACPU_CTRL, CLKACT_FULL, 24, 1)
-+    FIELD(ACPU_CTRL, DIVISOR0, 8, 6)
-+    FIELD(ACPU_CTRL, SRCSEL, 0, 3)
-+REG32(DBG_TRACE_CTRL, 0x64)
-+    FIELD(DBG_TRACE_CTRL, CLKACT, 24, 1)
-+    FIELD(DBG_TRACE_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DBG_TRACE_CTRL, SRCSEL, 0, 3)
-+REG32(DBG_FPD_CTRL, 0x68)
-+    FIELD(DBG_FPD_CTRL, CLKACT, 24, 1)
-+    FIELD(DBG_FPD_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DBG_FPD_CTRL, SRCSEL, 0, 3)
-+REG32(DP_VIDEO_REF_CTRL, 0x70)
-+    FIELD(DP_VIDEO_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(DP_VIDEO_REF_CTRL, DIVISOR1, 16, 6)
-+    FIELD(DP_VIDEO_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DP_VIDEO_REF_CTRL, SRCSEL, 0, 3)
-+REG32(DP_AUDIO_REF_CTRL, 0x74)
-+    FIELD(DP_AUDIO_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(DP_AUDIO_REF_CTRL, DIVISOR1, 16, 6)
-+    FIELD(DP_AUDIO_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DP_AUDIO_REF_CTRL, SRCSEL, 0, 3)
-+REG32(DP_STC_REF_CTRL, 0x7c)
-+    FIELD(DP_STC_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(DP_STC_REF_CTRL, DIVISOR1, 16, 6)
-+    FIELD(DP_STC_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DP_STC_REF_CTRL, SRCSEL, 0, 3)
-+REG32(DDR_CTRL, 0x80)
-+    FIELD(DDR_CTRL, CLKACT, 24, 1)
-+    FIELD(DDR_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DDR_CTRL, SRCSEL, 0, 3)
-+REG32(GPU_REF_CTRL, 0x84)
-+    FIELD(GPU_REF_CTRL, PP1_CLKACT, 26, 1)
-+    FIELD(GPU_REF_CTRL, PP0_CLKACT, 25, 1)
-+    FIELD(GPU_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(GPU_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(GPU_REF_CTRL, SRCSEL, 0, 3)
-+REG32(SATA_REF_CTRL, 0xa0)
-+    FIELD(SATA_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(SATA_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(SATA_REF_CTRL, SRCSEL, 0, 3)
-+REG32(PCIE_REF_CTRL, 0xb4)
-+    FIELD(PCIE_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(PCIE_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(PCIE_REF_CTRL, SRCSEL, 0, 3)
-+REG32(GDMA_REF_CTRL, 0xb8)
-+    FIELD(GDMA_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(GDMA_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(GDMA_REF_CTRL, SRCSEL, 0, 3)
-+REG32(DPDMA_REF_CTRL, 0xbc)
-+    FIELD(DPDMA_REF_CTRL, CLKACT, 24, 1)
-+    FIELD(DPDMA_REF_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DPDMA_REF_CTRL, SRCSEL, 0, 3)
-+REG32(TOPSW_MAIN_CTRL, 0xc0)
-+    FIELD(TOPSW_MAIN_CTRL, CLKACT, 24, 1)
-+    FIELD(TOPSW_MAIN_CTRL, DIVISOR0, 8, 6)
-+    FIELD(TOPSW_MAIN_CTRL, SRCSEL, 0, 3)
-+REG32(TOPSW_LSBUS_CTRL, 0xc4)
-+    FIELD(TOPSW_LSBUS_CTRL, CLKACT, 24, 1)
-+    FIELD(TOPSW_LSBUS_CTRL, DIVISOR0, 8, 6)
-+    FIELD(TOPSW_LSBUS_CTRL, SRCSEL, 0, 3)
-+REG32(DBG_TSTMP_CTRL, 0xf8)
-+    FIELD(DBG_TSTMP_CTRL, DIVISOR0, 8, 6)
-+    FIELD(DBG_TSTMP_CTRL, SRCSEL, 0, 3)
-+REG32(RST_FPD_TOP, 0x100)
-+    FIELD(RST_FPD_TOP, PCIE_CFG_RESET, 19, 1)
-+    FIELD(RST_FPD_TOP, PCIE_BRIDGE_RESET, 18, 1)
-+    FIELD(RST_FPD_TOP, PCIE_CTRL_RESET, 17, 1)
-+    FIELD(RST_FPD_TOP, DP_RESET, 16, 1)
-+    FIELD(RST_FPD_TOP, SWDT_RESET, 15, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM5_RESET, 12, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM4_RESET, 11, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM3_RESET, 10, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM2_RESET, 9, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM1_RESET, 8, 1)
-+    FIELD(RST_FPD_TOP, AFI_FM0_RESET, 7, 1)
-+    FIELD(RST_FPD_TOP, GDMA_RESET, 6, 1)
-+    FIELD(RST_FPD_TOP, GPU_PP1_RESET, 5, 1)
-+    FIELD(RST_FPD_TOP, GPU_PP0_RESET, 4, 1)
-+    FIELD(RST_FPD_TOP, GPU_RESET, 3, 1)
-+    FIELD(RST_FPD_TOP, GT_RESET, 2, 1)
-+    FIELD(RST_FPD_TOP, SATA_RESET, 1, 1)
-+REG32(RST_FPD_APU, 0x104)
-+    FIELD(RST_FPD_APU, ACPU3_PWRON_RESET, 13, 1)
-+    FIELD(RST_FPD_APU, ACPU2_PWRON_RESET, 12, 1)
-+    FIELD(RST_FPD_APU, ACPU1_PWRON_RESET, 11, 1)
-+    FIELD(RST_FPD_APU, ACPU0_PWRON_RESET, 10, 1)
-+    FIELD(RST_FPD_APU, APU_L2_RESET, 8, 1)
-+    FIELD(RST_FPD_APU, ACPU3_RESET, 3, 1)
-+    FIELD(RST_FPD_APU, ACPU2_RESET, 2, 1)
-+    FIELD(RST_FPD_APU, ACPU1_RESET, 1, 1)
-+    FIELD(RST_FPD_APU, ACPU0_RESET, 0, 1)
-+REG32(RST_DDR_SS, 0x108)
-+    FIELD(RST_DDR_SS, DDR_RESET, 3, 1)
-+    FIELD(RST_DDR_SS, APM_RESET, 2, 1)
-+
-+#define CRF_R_MAX (R_RST_DDR_SS + 1)
-+
-+struct XlnxZynqMPCRF {
-+    SysBusDevice parent_obj;
-+    MemoryRegion iomem;
-+    qemu_irq irq_ir;
-+
-+    RegisterInfoArray *reg_array;
-+    uint32_t regs[CRF_R_MAX];
-+    RegisterInfo regs_info[CRF_R_MAX];
-+};
-+
-+#endif
-diff --git a/hw/misc/xlnx-zynqmp-crf.c b/hw/misc/xlnx-zynqmp-crf.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/hw/misc/xlnx-zynqmp-crf.c
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * QEMU model of the CRF - Clock Reset FPD.
-+ *
-+ * Copyright (c) 2022 Xilinx Inc.
-+ * SPDX-License-Identifier: GPL-2.0-or-later
-+ * Written by Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "hw/sysbus.h"
-+#include "hw/register.h"
-+#include "qemu/bitops.h"
-+#include "qemu/log.h"
-+#include "migration/vmstate.h"
-+#include "hw/irq.h"
-+#include "hw/misc/xlnx-zynqmp-crf.h"
-+#include "target/arm/arm-powerctl.h"
-+
-+#ifndef XLNX_ZYNQMP_CRF_ERR_DEBUG
-+#define XLNX_ZYNQMP_CRF_ERR_DEBUG 0
-+#endif
-+
-+#define CRF_MAX_CPU    4
-+
-+static void ir_update_irq(XlnxZynqMPCRF *s)
-+{
-+    bool pending = s->regs[R_IR_STATUS] & ~s->regs[R_IR_MASK];
-+    qemu_set_irq(s->irq_ir, pending);
-+}
-+
-+static void ir_status_postw(RegisterInfo *reg, uint64_t val64)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(reg->opaque);
-+    ir_update_irq(s);
-+}
-+
-+static uint64_t ir_enable_prew(RegisterInfo *reg, uint64_t val64)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(reg->opaque);
-+    uint32_t val = val64;
-+
-+    s->regs[R_IR_MASK] &= ~val;
-+    ir_update_irq(s);
-+    return 0;
-+}
-+
-+static uint64_t ir_disable_prew(RegisterInfo *reg, uint64_t val64)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(reg->opaque);
-+    uint32_t val = val64;
-+
-+    s->regs[R_IR_MASK] |= val;
-+    ir_update_irq(s);
-+    return 0;
-+}
-+
-+static uint64_t rst_fpd_apu_prew(RegisterInfo *reg, uint64_t val64)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(reg->opaque);
-+    uint32_t val = val64;
-+    uint32_t val_old = s->regs[R_RST_FPD_APU];
-+    unsigned int i;
-+
-+    for (i = 0; i < CRF_MAX_CPU; i++) {
-+        uint32_t mask = (1 << (R_RST_FPD_APU_ACPU0_RESET_SHIFT + i));
-+
-+        if ((val ^ val_old) & mask) {
-+            if (val & mask) {
-+                arm_set_cpu_off(i);
-+            } else {
-+                arm_set_cpu_on_and_reset(i);
-+            }
-+        }
-+    }
-+    return val64;
-+}
-+
-+static const RegisterAccessInfo crf_regs_info[] = {
-+    {   .name = "ERR_CTRL",  .addr = A_ERR_CTRL,
-+    },{ .name = "IR_STATUS",  .addr = A_IR_STATUS,
-+        .w1c = 0x1,
-+        .post_write = ir_status_postw,
-+    },{ .name = "IR_MASK",  .addr = A_IR_MASK,
-+        .reset = 0x1,
-+        .ro = 0x1,
-+    },{ .name = "IR_ENABLE",  .addr = A_IR_ENABLE,
-+        .pre_write = ir_enable_prew,
-+    },{ .name = "IR_DISABLE",  .addr = A_IR_DISABLE,
-+        .pre_write = ir_disable_prew,
-+    },{ .name = "CRF_WPROT",  .addr = A_CRF_WPROT,
-+    },{ .name = "APLL_CTRL",  .addr = A_APLL_CTRL,
-+        .reset = 0x12c09,
-+        .rsvd = 0xf88c80f6,
-+    },{ .name = "APLL_CFG",  .addr = A_APLL_CFG,
-+        .rsvd = 0x1801210,
-+    },{ .name = "APLL_FRAC_CFG",  .addr = A_APLL_FRAC_CFG,
-+        .rsvd = 0x7e330000,
-+    },{ .name = "DPLL_CTRL",  .addr = A_DPLL_CTRL,
-+        .reset = 0x2c09,
-+        .rsvd = 0xf88c80f6,
-+    },{ .name = "DPLL_CFG",  .addr = A_DPLL_CFG,
-+        .rsvd = 0x1801210,
-+    },{ .name = "DPLL_FRAC_CFG",  .addr = A_DPLL_FRAC_CFG,
-+        .rsvd = 0x7e330000,
-+    },{ .name = "VPLL_CTRL",  .addr = A_VPLL_CTRL,
-+        .reset = 0x12809,
-+        .rsvd = 0xf88c80f6,
-+    },{ .name = "VPLL_CFG",  .addr = A_VPLL_CFG,
-+        .rsvd = 0x1801210,
-+    },{ .name = "VPLL_FRAC_CFG",  .addr = A_VPLL_FRAC_CFG,
-+        .rsvd = 0x7e330000,
-+    },{ .name = "PLL_STATUS",  .addr = A_PLL_STATUS,
-+        .reset = 0x3f,
-+        .rsvd = 0xc0,
-+        .ro = 0x3f,
-+    },{ .name = "APLL_TO_LPD_CTRL",  .addr = A_APLL_TO_LPD_CTRL,
-+        .reset = 0x400,
-+        .rsvd = 0xc0ff,
-+    },{ .name = "DPLL_TO_LPD_CTRL",  .addr = A_DPLL_TO_LPD_CTRL,
-+        .reset = 0x400,
-+        .rsvd = 0xc0ff,
-+    },{ .name = "VPLL_TO_LPD_CTRL",  .addr = A_VPLL_TO_LPD_CTRL,
-+        .reset = 0x400,
-+        .rsvd = 0xc0ff,
-+    },{ .name = "ACPU_CTRL",  .addr = A_ACPU_CTRL,
-+        .reset = 0x3000400,
-+        .rsvd = 0xfcffc0f8,
-+    },{ .name = "DBG_TRACE_CTRL",  .addr = A_DBG_TRACE_CTRL,
-+        .reset = 0x2500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "DBG_FPD_CTRL",  .addr = A_DBG_FPD_CTRL,
-+        .reset = 0x1002500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "DP_VIDEO_REF_CTRL",  .addr = A_DP_VIDEO_REF_CTRL,
-+        .reset = 0x1002300,
-+        .rsvd = 0xfec0c0f8,
-+    },{ .name = "DP_AUDIO_REF_CTRL",  .addr = A_DP_AUDIO_REF_CTRL,
-+        .reset = 0x1032300,
-+        .rsvd = 0xfec0c0f8,
-+    },{ .name = "DP_STC_REF_CTRL",  .addr = A_DP_STC_REF_CTRL,
-+        .reset = 0x1203200,
-+        .rsvd = 0xfec0c0f8,
-+    },{ .name = "DDR_CTRL",  .addr = A_DDR_CTRL,
-+        .reset = 0x1000500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "GPU_REF_CTRL",  .addr = A_GPU_REF_CTRL,
-+        .reset = 0x1500,
-+        .rsvd = 0xf8ffc0f8,
-+    },{ .name = "SATA_REF_CTRL",  .addr = A_SATA_REF_CTRL,
-+        .reset = 0x1001600,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "PCIE_REF_CTRL",  .addr = A_PCIE_REF_CTRL,
-+        .reset = 0x1500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "GDMA_REF_CTRL",  .addr = A_GDMA_REF_CTRL,
-+        .reset = 0x1000500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "DPDMA_REF_CTRL",  .addr = A_DPDMA_REF_CTRL,
-+        .reset = 0x1000500,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "TOPSW_MAIN_CTRL",  .addr = A_TOPSW_MAIN_CTRL,
-+        .reset = 0x1000400,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "TOPSW_LSBUS_CTRL",  .addr = A_TOPSW_LSBUS_CTRL,
-+        .reset = 0x1000800,
-+        .rsvd = 0xfeffc0f8,
-+    },{ .name = "DBG_TSTMP_CTRL",  .addr = A_DBG_TSTMP_CTRL,
-+        .reset = 0xa00,
-+        .rsvd = 0xffffc0f8,
-+    },
-+    {   .name = "RST_FPD_TOP",  .addr = A_RST_FPD_TOP,
-+        .reset = 0xf9ffe,
-+        .rsvd = 0xf06001,
-+    },{ .name = "RST_FPD_APU",  .addr = A_RST_FPD_APU,
-+        .reset = 0x3d0f,
-+        .rsvd = 0xc2f0,
-+        .pre_write = rst_fpd_apu_prew,
-+    },{ .name = "RST_DDR_SS",  .addr = A_RST_DDR_SS,
-+        .reset = 0xf,
-+        .rsvd = 0xf3,
-+    }
-+};
-+
-+static void crf_reset_enter(Object *obj, ResetType type)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(obj);
-+    unsigned int i;
-+
-+    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
-+        register_reset(&s->regs_info[i]);
-+    }
-+}
-+
-+static void crf_reset_hold(Object *obj)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(obj);
-+    ir_update_irq(s);
-+}
-+
-+static const MemoryRegionOps crf_ops = {
-+    .read = register_read_memory,
-+    .write = register_write_memory,
-+    .endianness = DEVICE_LITTLE_ENDIAN,
-+    .valid = {
-+        .min_access_size = 4,
-+        .max_access_size = 4,
-+    },
-+};
-+
-+static void crf_init(Object *obj)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(obj);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
-+
-+    s->reg_array =
-+        register_init_block32(DEVICE(obj), crf_regs_info,
-+                              ARRAY_SIZE(crf_regs_info),
-+                              s->regs_info, s->regs,
-+                              &crf_ops,
-+                              XLNX_ZYNQMP_CRF_ERR_DEBUG,
-+                              CRF_R_MAX * 4);
-+    sysbus_init_mmio(sbd, &s->reg_array->mem);
-+    sysbus_init_irq(sbd, &s->irq_ir);
-+}
-+
-+static void crf_finalize(Object *obj)
-+{
-+    XlnxZynqMPCRF *s = XLNX_ZYNQMP_CRF(obj);
-+    register_finalize_block(s->reg_array);
-+}
-+
-+static const VMStateDescription vmstate_crf = {
-+    .name = TYPE_XLNX_ZYNQMP_CRF,
-+    .version_id = 1,
-+    .minimum_version_id = 1,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(regs, XlnxZynqMPCRF, CRF_R_MAX),
-+        VMSTATE_END_OF_LIST(),
-+    }
-+};
-+
-+static void crf_class_init(ObjectClass *klass, void *data)
-+{
-+    ResettableClass *rc = RESETTABLE_CLASS(klass);
-+    DeviceClass *dc = DEVICE_CLASS(klass);
-+
-+    dc->vmsd = &vmstate_crf;
-+    rc->phases.enter = crf_reset_enter;
-+    rc->phases.hold = crf_reset_hold;
-+}
-+
-+static const TypeInfo crf_info = {
-+    .name              = TYPE_XLNX_ZYNQMP_CRF,
-+    .parent            = TYPE_SYS_BUS_DEVICE,
-+    .instance_size     = sizeof(XlnxZynqMPCRF),
-+    .class_init        = crf_class_init,
-+    .instance_init     = crf_init,
-+    .instance_finalize = crf_finalize,
-+};
-+
-+static void crf_register_types(void)
-+{
-+    type_register_static(&crf_info);
-+}
-+
-+type_init(crf_register_types)
-diff --git a/hw/misc/meson.build b/hw/misc/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/meson.build
-+++ b/hw/misc/meson.build
-@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files(
- ))
- softmmu_ss.add(when: 'CONFIG_SLAVIO', if_true: files('slavio_misc.c'))
- softmmu_ss.add(when: 'CONFIG_ZYNQ', if_true: files('zynq_slcr.c'))
-+specific_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zynqmp-crf.c'))
- softmmu_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files(
-   'xlnx-versal-xramc.c',
-   'xlnx-versal-pmc-iou-slcr.c',
---
-.25.1

-[PULL 16/21] hw/arm/xlnx-zynqmp: Connect the ZynqMP CRF
+Deleted patch
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-Connect the ZynqMP CRF - Clock Reset FPD device.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
-Reviewed-by: Luc Michel <luc@lmichel.fr>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Message-id: 20220316164645.2303510-5-edgar.iglesias@gmail.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/xlnx-zynqmp.h |  2 ++
- hw/arm/xlnx-zynqmp.c         | 16 ++++++++++++++++
-files changed, 18 insertions(+)
-diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-zynqmp.h
-+++ b/include/hw/arm/xlnx-zynqmp.h
-@@ -XXX,XX +XXX,XX @@
- #include "hw/nvram/xlnx-bbram.h"
- #include "hw/nvram/xlnx-zynqmp-efuse.h"
- #include "hw/or-irq.h"
-+#include "hw/misc/xlnx-zynqmp-crf.h"
- #define TYPE_XLNX_ZYNQMP "xlnx-zynqmp"
- OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
-@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
-     XlnxZDMA adma[XLNX_ZYNQMP_NUM_ADMA_CH];
-     XlnxCSUDMA qspi_dma;
-     qemu_or_irq qspi_irq_orgate;
-+    XlnxZynqMPCRF crf;
-     char *boot_cpu;
-     ARMCPU *boot_cpu_ptr;
-diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
-+++ b/hw/arm/xlnx-zynqmp.c
-@@ -XXX,XX +XXX,XX @@
- #define QSPI_DMA_ADDR       0xff0f0800
- #define NUM_QSPI_IRQ_LINES  2
-+#define CRF_ADDR            0xfd1a0000
-+#define CRF_IRQ             120
-+
- /* Serializer/Deserializer.  */
- #define SERDES_ADDR         0xfd400000
- #define SERDES_SIZE         0x20000
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_efuse(XlnxZynqMPState *s, qemu_irq *gic)
-     sysbus_connect_irq(sbd, 0, gic[EFUSE_IRQ]);
- }
-+static void xlnx_zynqmp_create_crf(XlnxZynqMPState *s, qemu_irq *gic)
-+{
-+    SysBusDevice *sbd;
-+
-+    object_initialize_child(OBJECT(s), "crf", &s->crf, TYPE_XLNX_ZYNQMP_CRF);
-+    sbd = SYS_BUS_DEVICE(&s->crf);
-+
-+    sysbus_realize(sbd, &error_fatal);
-+    sysbus_mmio_map(sbd, 0, CRF_ADDR);
-+    sysbus_connect_irq(sbd, 0, gic[CRF_IRQ]);
-+}
-+
- static void xlnx_zynqmp_create_unimp_mmio(XlnxZynqMPState *s)
- {
-     static const struct UnimpInfo {
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
-     xlnx_zynqmp_create_bbram(s, gic_spi);
-     xlnx_zynqmp_create_efuse(s, gic_spi);
-+    xlnx_zynqmp_create_crf(s, gic_spi);
-     xlnx_zynqmp_create_unimp_mmio(s);
-     for (i = 0; i < XLNX_ZYNQMP_NUM_GDMA_CH; i++) {
---
-.25.1

-[PULL 18/21] hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control
+[PULL 7/7] hw/nvram: Avoid unnecessary Xilinx eFuse backstore write
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Tong Ho <tong.ho@amd.com>
-Connect the ZynqMP APU Control device.
+Add a check in the bit-set operation to write the backstore
 only if the affected bit is 0 before.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+With this in place, there will be no need for callers to
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+do the checking in order to avoid unnecessary writes.
-Reviewed-by: Luc Michel <luc@lmichel.fr>
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Tong Ho <tong.ho@amd.com>
-Message-id: 20220316164645.2303510-7-edgar.iglesias@gmail.com
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/xlnx-zynqmp.h |  4 +++-
+ hw/nvram/xlnx-efuse.c | 11 +++++++++--
- hw/arm/xlnx-zynqmp.c         | 25 +++++++++++++++++++++++--
+file changed, 9 insertions(+), 2 deletions(-)
 files changed, 26 insertions(+), 3 deletions(-)
-diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
+diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-zynqmp.h
+--- a/hw/nvram/xlnx-efuse.c
-+++ b/include/hw/arm/xlnx-zynqmp.h
++++ b/hw/nvram/xlnx-efuse.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool efuse_ro_bits_find(XlnxEFuse *s, uint32_t k)
- #include "hw/nvram/xlnx-bbram.h"
- #include "hw/nvram/xlnx-zynqmp-efuse.h"
+ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
- #include "hw/or-irq.h"
+ {
-+#include "hw/misc/xlnx-zynqmp-apu-ctrl.h"
++    uint32_t set, *row;
- #include "hw/misc/xlnx-zynqmp-crf.h"
++
+     if (efuse_ro_bits_find(s, bit)) {
- #define TYPE_XLNX_ZYNQMP "xlnx-zynqmp"
+         g_autofree char *path = object_get_canonical_path(OBJECT(s));
-@@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
- /*
+@@ -XXX,XX +XXX,XX @@ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
-  * Unimplemented mmio regions needed to boot some images.
+         return false;
-  */
+     }
--#define XLNX_ZYNQMP_NUM_UNIMP_AREAS 2
-+#define XLNX_ZYNQMP_NUM_UNIMP_AREAS 1
+-    s->fuse32[bit / 32] |= 1 << (bit % 32);
+-    efuse_bdrv_sync(s, bit);
- struct XlnxZynqMPState {
++    /* Avoid back-end write unless there is a real update */
-     /*< private >*/
++    row = &s->fuse32[bit / 32];
-@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
++    set = 1 << (bit % 32);
-     XlnxZDMA adma[XLNX_ZYNQMP_NUM_ADMA_CH];
++    if (!(set & *row)) {
-     XlnxCSUDMA qspi_dma;
++        *row |= set;
-     qemu_or_irq qspi_irq_orgate;
++        efuse_bdrv_sync(s, bit);
-+    XlnxZynqMPAPUCtrl apu_ctrl;
++    }
-     XlnxZynqMPCRF crf;
+     return true;
      char *boot_cpu;
 diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xlnx-zynqmp.c
 +++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@
  #define DPDMA_IRQ           116
  #define APU_ADDR            0xfd5c0000
 -#define APU_SIZE            0x100
 +#define APU_IRQ             153
  #define IPI_ADDR            0xFF300000
  #define IPI_IRQ             64
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_efuse(XlnxZynqMPState *s, qemu_irq *gic)
      sysbus_connect_irq(sbd, 0, gic[EFUSE_IRQ]);
  }
-+static void xlnx_zynqmp_create_apu_ctrl(XlnxZynqMPState *s, qemu_irq *gic)
-+{
-+    SysBusDevice *sbd;
-+    int i;
-+
-+    object_initialize_child(OBJECT(s), "apu-ctrl", &s->apu_ctrl,
-+                            TYPE_XLNX_ZYNQMP_APU_CTRL);
-+    sbd = SYS_BUS_DEVICE(&s->apu_ctrl);
-+
-+    for (i = 0; i < XLNX_ZYNQMP_NUM_APU_CPUS; i++) {
-+        g_autofree gchar *name = g_strdup_printf("cpu%d", i);
-+
-+        object_property_set_link(OBJECT(&s->apu_ctrl), name,
-+                                 OBJECT(&s->apu_cpu[i]), &error_abort);
-+    }
-+
-+    sysbus_realize(sbd, &error_fatal);
-+    sysbus_mmio_map(sbd, 0, APU_ADDR);
-+    sysbus_connect_irq(sbd, 0, gic[APU_IRQ]);
-+}
-+
- static void xlnx_zynqmp_create_crf(XlnxZynqMPState *s, qemu_irq *gic)
- {
-     SysBusDevice *sbd;
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_unimp_mmio(XlnxZynqMPState *s)
-         hwaddr base;
-         hwaddr size;
-     } unimp_areas[ARRAY_SIZE(s->mr_unimp)] = {
--        { .name = "apu", APU_ADDR, APU_SIZE },
-         { .name = "serdes", SERDES_ADDR, SERDES_SIZE },
-     };
-     unsigned int nr;
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
-     xlnx_zynqmp_create_bbram(s, gic_spi);
-     xlnx_zynqmp_create_efuse(s, gic_spi);
-+    xlnx_zynqmp_create_apu_ctrl(s, gic_spi);
-     xlnx_zynqmp_create_crf(s, gic_spi);
-     xlnx_zynqmp_create_unimp_mmio(s);
 --
-.25.1
+.34.1

-[PULL 20/21] hw/i386/acpi-build: Avoid 'sun' identifier
+Deleted patch
-From: Andrew Deason <adeason@sinenomine.net>
-On Solaris, 'sun' is #define'd to 1, which causes errors if a variable
-is named 'sun'. Slightly change the name of the var for the Slot User
-Number so we can build on Solaris.
-Reviewed-by: Ani Sinha <ani@anisinha.ca>
-Signed-off-by: Andrew Deason <adeason@sinenomine.net>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Message-id: 20220316035227.3702-3-adeason@sinenomine.net
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/i386/acpi-build.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/i386/acpi-build.c
-+++ b/hw/i386/acpi-build.c
-@@ -XXX,XX +XXX,XX @@ Aml *aml_pci_device_dsm(void)
-     Aml *bnum = aml_arg(4);
-     Aml *func = aml_arg(2);
-     Aml *rev = aml_arg(1);
--    Aml *sun = aml_arg(5);
-+    Aml *sunum = aml_arg(5);
-     method = aml_method("PDSM", 6, AML_SERIALIZED);
-@@ -XXX,XX +XXX,XX @@ Aml *aml_pci_device_dsm(void)
-     UUID = aml_touuid("E5C937D0-3553-4D7A-9117-EA4D19C3434D");
-     ifctx = aml_if(aml_equal(aml_arg(0), UUID));
-     {
--        aml_append(ifctx, aml_store(aml_call2("AIDX", bnum, sun), acpi_index));
-+        aml_append(ifctx, aml_store(aml_call2("AIDX", bnum, sunum), acpi_index));
-         ifctx1 = aml_if(aml_equal(func, zero));
-         {
-             uint8_t byte_list[1];
---
-.25.1

Mostly straightforward bugfixes. The new Xilinx devices are
arguably 'new feature', but they're fixing a regression where
our changes to PSCI in commit 3f37979bf mean that EL3 guest
code now needs to talk to a proper emulated power-controller
device to turn on secondary CPUs; and it's not yet rc1 and
they only affect the Xilinx board, so it seems OK to me.

thanks
-- PMM

The following changes since commit 1d60bb4b14601e38ed17384277aa4c30c57925d3:

Merge tag 'pull-request-2022-03-15v2' of https://gitlab.com/thuth/qemu into staging (2022-03-16 10:43:58 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220318

for you to fetch changes up to 79d54c9eac04c554e3c081589542f801ace71797:

util/osdep: Remove some early cruft (2022-03-18 11:32:13 +0000)

----------------------------------------------------------------
target-arm queue:
 * Fix sve2 ldnt1 and stnt1
 * Fix pauth_check_trap vs SEL2
 * Fix handling of LPAE block descriptors
 * hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
 * hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
 * nsis installer: List emulators in alphabetical order
 * nsis installer: Suppress "ANSI targets are deprecated" warning
 * nsis installer: Fix mouse-over descriptions for emulators
 * hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset
 * Improve M-profile vector table access logging
 * Xilinx ZynqMP: model CRF and APU control
 * Fix compile issues on modern Solaris

----------------------------------------------------------------
Andrew Deason (3):
      util/osdep: Avoid madvise proto on modern Solaris
      hw/i386/acpi-build: Avoid 'sun' identifier
      util/osdep: Remove some early cruft

Edgar E. Iglesias (6):
      hw/arm/xlnx-zynqmp: Add an unimplemented SERDES area
      target/arm: Make rvbar settable after realize
      hw/misc: Add a model of the Xilinx ZynqMP CRF
      hw/arm/xlnx-zynqmp: Connect the ZynqMP CRF
      hw/misc: Add a model of the Xilinx ZynqMP APU Control
      hw/arm/xlnx-zynqmp: Connect the ZynqMP APU Control

Eric Auger (2):
      hw/intc: Rename CONFIG_ARM_GIC_TCG into CONFIG_ARM_GICV3_TCG
      hw/arm/virt: Fix gic-version=max when CONFIG_ARM_GICV3_TCG is unset

Peter Maydell (8):
      target/arm: Fix handling of LPAE block descriptors
      hw/dma/xlnx_csu_dma: Set TYPE_XLNX_CSU_DMA class_size
      hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init()
      nsis installer: List emulators in alphabetical order
      nsis installer: Suppress "ANSI targets are deprecated" warning
      nsis installer: Fix mouse-over descriptions for emulators
      target/arm: Log M-profile vector table accesses
      target/arm: Log fault address for M-profile faults

Richard Henderson (2):
      target/arm: Fix sve2 ldnt1 and stnt1
      target/arm: Fix pauth_check_trap vs SEL2

meson.build                            |  23 ++-
 include/hw/arm/xlnx-zynqmp.h           |   4 +
 include/hw/misc/xlnx-zynqmp-apu-ctrl.h |  93 ++++++++++++
 include/hw/misc/xlnx-zynqmp-crf.h      | 211 ++++++++++++++++++++++++++
 include/qemu/osdep.h                   |   8 +
 target/arm/cpu.h                       |   3 +-
 target/arm/sve.decode                  |   5 +-
 hw/arm/virt.c                          |   7 +-
 hw/arm/xlnx-zynqmp.c                   |  46 +++++-
 hw/dma/xlnx_csu_dma.c                  |   1 +
 hw/i386/acpi-build.c                   |   4 +-
 hw/misc/npcm7xx_clk.c                  |   4 +-
 hw/misc/xlnx-zynqmp-apu-ctrl.c         | 253 +++++++++++++++++++++++++++++++
 hw/misc/xlnx-zynqmp-crf.c              | 266 +++++++++++++++++++++++++++++++++
 target/arm/cpu.c                       |  17 ++-
 target/arm/helper.c                    |  20 ++-
 target/arm/m_helper.c                  |  11 ++
 target/arm/pauth_helper.c              |   2 +-
 target/arm/translate-sve.c             |  51 ++++++-
 tests/tcg/aarch64/test-826.c           |  50 +++++++
 util/osdep.c                           |  10 --
 hw/intc/Kconfig                        |   2 +-
 hw/intc/meson.build                    |   4 +-
 hw/misc/meson.build                    |   2 +
 qemu.nsi                               |   8 +-
 scripts/nsis.py                        |  17 ++-
 tests/tcg/aarch64/Makefile.target      |   4 +
 tests/tcg/configure.sh                 |   4 +
 28 files changed, 1084 insertions(+), 46 deletions(-)
 create mode 100644 include/hw/misc/xlnx-zynqmp-apu-ctrl.h
 create mode 100644 include/hw/misc/xlnx-zynqmp-crf.h
 create mode 100644 hw/misc/xlnx-zynqmp-apu-ctrl.c
 create mode 100644 hw/misc/xlnx-zynqmp-crf.c
 create mode 100644 tests/tcg/aarch64/test-826.c

From: Richard Henderson <richard.henderson@linaro.org>

For both ldnt1 and stnt1, the meaning of the Rn and Rm are different
from ld1 and st1: the vector and integer registers are reversed, and
the integer register 31 refers to XZR instead of SP.

Secondly, the 64-bit version of ldnt1 was being interpreted as
32-bit unpacked unscaled offset instead of 64-bit unscaled offset,
which discarded the upper 32 bits of the address coming from
the vector argument.

Thirdly, validate that the memory element size is in range for the
vector element size for ldnt1.  For ld1, we do this via independent
decode patterns, but for ldnt1 we need to do it manually.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/826
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220308031655.240710-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve.decode             |  5 ++-
 target/arm/translate-sve.c        | 51 +++++++++++++++++++++++++++++--
 tests/tcg/aarch64/test-826.c      | 50 ++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  4 +++
 tests/tcg/configure.sh            |  4 +++
 5 files changed, 109 insertions(+), 5 deletions(-)
 create mode 100644 tests/tcg/aarch64/test-826.c

diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ USDOT_zzzz      01000100 .. 0 ..... 011 110 ..... .....  @rda_rn_rm
 
 ### SVE2 Memory Gather Load Group
 
-# SVE2 64-bit gather non-temporal load
-#   (scalar plus unpacked 32-bit unscaled offsets)
+# SVE2 64-bit gather non-temporal load (scalar plus 64-bit unscaled offsets)
 LDNT1_zprz      1100010 msz:2 00 rm:5 1 u:1 0 pg:3 rn:5 rd:5 \
-                &rprr_gather_load xs=0 esz=3 scale=0 ff=0
+                &rprr_gather_load xs=2 esz=3 scale=0 ff=0
 
 # SVE2 32-bit gather non-temporal load (scalar plus 32-bit unscaled offsets)
 LDNT1_zprz      1000010 msz:2 00 rm:5 10 u:1 pg:3 rn:5 rd:5 \
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
 
 static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
 {
+    gen_helper_gvec_mem_scatter *fn = NULL;
+    bool be = s->be_data == MO_BE;
+    bool mte = s->mte_active[0];
+
+    if (a->esz < a->msz + !a->u) {
+        return false;
+    }
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
-    return trans_LD1_zprz(s, a);
+    if (!sve_access_check(s)) {
+        return true;
+    }
+
+    switch (a->esz) {
+    case MO_32:
+        fn = gather_load_fn32[mte][be][0][0][a->u][a->msz];
+        break;
+    case MO_64:
+        fn = gather_load_fn64[mte][be][0][2][a->u][a->msz];
+        break;
+    }
+    assert(fn != NULL);
+
+    do_mem_zpz(s, a->rd, a->pg, a->rn, 0,
+               cpu_reg(s, a->rm), a->msz, false, fn);
+    return true;
 }
 
 /* Indexed by [mte][be][xs][msz].  */
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
 
 static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
 {
+    gen_helper_gvec_mem_scatter *fn;
+    bool be = s->be_data == MO_BE;
+    bool mte = s->mte_active[0];
+
+    if (a->esz < a->msz) {
+        return false;
+    }
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
-    return trans_ST1_zprz(s, a);
+    if (!sve_access_check(s)) {
+        return true;
+    }
+
+    switch (a->esz) {
+    case MO_32:
+        fn = scatter_store_fn32[mte][be][0][a->msz];
+        break;
+    case MO_64:
+        fn = scatter_store_fn64[mte][be][2][a->msz];
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    do_mem_zpz(s, a->rd, a->pg, a->rn, 0,
+               cpu_reg(s, a->rm), a->msz, true, fn);
+    return true;
 }
 
 /*
diff --git a/tests/tcg/aarch64/test-826.c b/tests/tcg/aarch64/test-826.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/test-826.c
@@ -XXX,XX +XXX,XX @@
+#include <sys/mman.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <assert.h>
+
+static void *expected;
+
+void sigsegv(int sig, siginfo_t *info, void *vuc)
+{
+    ucontext_t *uc = vuc;
+
+    assert(info->si_addr == expected);
+    uc->uc_mcontext.pc += 4;
+}
+
+int main()
+{
+    struct sigaction sa = {
+        .sa_sigaction = sigsegv,
+        .sa_flags = SA_SIGINFO
+    };
+
+    void *page;
+    long ofs;
+
+    if (sigaction(SIGSEGV, &sa, NULL) < 0) {
+        perror("sigaction");
+        return EXIT_FAILURE;
+    }
+
+    page = mmap(0, getpagesize(), PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
+    if (page == MAP_FAILED) {
+        perror("mmap");
+        return EXIT_FAILURE;
+    }
+
+    ofs = 0x124;
+    expected = page + ofs;
+
+    asm("ptrue p0.d, vl1\n\t"
+        "dup z0.d, %0\n\t"
+        "ldnt1h {z1.d}, p0/z, [z0.d, %1]\n\t"
+        "dup z1.d, %1\n\t"
+        "ldnt1h {z0.d}, p0/z, [z1.d, %0]"
+        : : "r"(page), "r"(ofs) : "v0", "v1");
+
+    return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ run-gdbstub-sve-ioctls: sve-ioctls
 
 EXTRA_RUNS += run-gdbstub-sysregs run-gdbstub-sve-ioctls
 endif
+endif
 
+ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_SVE2),)
+AARCH64_TESTS += test-826
+test-826: CFLAGS+=-march=armv8.1-a+sve2
 endif
 
 TESTS += $(AARCH64_TESTS)
diff --git a/tests/tcg/configure.sh b/tests/tcg/configure.sh
index XXXXXXX..XXXXXXX 100755
--- a/tests/tcg/configure.sh
+++ b/tests/tcg/configure.sh
@@ -XXX,XX +XXX,XX @@ for target in $target_list; do
                              -march=armv8.1-a+sve -o $TMPE $TMPC; then
                   echo "CROSS_CC_HAS_SVE=y" >> $config_target_mak
               fi
+              if do_compiler "$target_compiler" $target_compiler_cflags \
+                             -march=armv8.1-a+sve2 -o $TMPE $TMPC; then
+                  echo "CROSS_CC_HAS_SVE2=y" >> $config_target_mak
+              fi
               if do_compiler "$target_compiler" $target_compiler_cflags \
                              -march=armv8.3-a -o $TMPE $TMPC; then
                   echo "CROSS_CC_HAS_ARMV8_3=y" >> $config_target_mak
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

When arm_is_el2_enabled was introduced, we missed
updating pauth_check_trap.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/788
Fixes: e6ef0169264b ("target/arm: use arm_is_el2_enabled() where applicable")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20220315021205.342768-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/pauth_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN pauth_trap(CPUARMState *env, int target_el,
 
 static void pauth_check_trap(CPUARMState *env, int el, uintptr_t ra)
 {
-    if (el < 2 && arm_feature(env, ARM_FEATURE_EL2)) {
+    if (el < 2 && arm_is_el2_enabled(env)) {
         uint64_t hcr = arm_hcr_el2_eff(env);
         bool trap = !(hcr & HCR_API);
         if (el == 0) {
-- 
2.25.1

LPAE descriptors come in three forms:

* table descriptors, giving the address of the next level page table
 * page descriptors, which occur only at level 3 and describe the
   mapping of one page (which might be 4K, 16K or 64K)
 * block descriptors, which occur at higher page table levels, and
   describe the mapping of huge pages

QEMU's page-table-walk code treats block and page entries
identically, simply ORing in a number of bits from the input virtual
address that depends on the level of the page table that we stopped
at; we depend on the previous masking of descaddr with descaddrmask
to have already cleared out the low bits of the descriptor word.

This is not quite right: the address field in a block descriptor is
smaller, and so there are bits which are valid address bits in a page
descriptor or a table descriptor but which are not supposed to be
part of the address in a block descriptor, and descaddrmask does not
clear them.  We previously mostly got away with this because those
descriptor bits are RES0; however with FEAT_BBM (part of Armv8.4)
block descriptor bit 16 is defined to be the nT bit.  No emulated
QEMU CPU has FEAT_BBM yet, but if the host CPU has it then we might
see it when using KVM or hvf.

Explicitly zero out all the descaddr bits we're about to OR vaddr
bits into.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/790
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220304165628.2345765-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
             indexmask = indexmask_grainsize;
             continue;
         }
-        /* Block entry at level 1 or 2, or page entry at level 3.
+        /*
+         * Block entry at level 1 or 2, or page entry at level 3.
          * These are basically the same thing, although the number
-         * of bits we pull in from the vaddr varies.
+         * of bits we pull in from the vaddr varies. Note that although
+         * descaddrmask masks enough of the low bits of the descriptor
+         * to give a correct page or table address, the address field
+         * in a block descriptor is smaller; so we need to explicitly
+         * clear the lower bits here before ORing in the low vaddr bits.
          */
         page_size = (1ULL << ((stride * (4 - level)) + 3));
+        descaddr &= ~(page_size - 1);
         descaddr |= (address & (page_size - 1));
         /* Extract attributes from the descriptor */
         attrs = extract64(descriptor, 2, 10)
-- 
2.25.1

In commit 00f05c02f9e7342f we gave the TYPE_XLNX_CSU_DMA object its
own class struct, but forgot to update the TypeInfo::class_size
accordingly.  This meant that not enough memory was allocated for the
class struct, and the initialization of xcdc->read in the class init
function wrote off the end of the memory. Add the missing line.

Found by running 'check-qtest-aarch64' with a clang
address-sanitizer build, which complains:

==2542634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000ab00 at pc 0x559a20aebc29 bp 0x7fff97df74d0 sp 0x7fff97df74c8
WRITE of size 8 at 0x61000000ab00 thread T0
    #0 0x559a20aebc28 in xlnx_csu_dma_class_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../hw/dma/xlnx_csu_dma.c:722:16
    #1 0x559a21bf297c in type_initialize /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:365:9
    #2 0x559a21bf3442 in object_class_foreach_tramp /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1070:5
    #3 0x7f09bcb641b7 in g_hash_table_foreach (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x401b7)
    #4 0x559a21bf3c27 in object_class_foreach /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1092:5
    #5 0x559a21bf3c27 in object_class_get_list /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1149:5
    #6 0x559a2081a2fd in select_machine /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:1661:24
    #7 0x559a2081a2fd in qemu_create_machine /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:2146:35
    #8 0x559a2081a2fd in qemu_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/vl.c:3706:5
    #9 0x559a20720ed5 in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../softmmu/main.c:49:5
    #10 0x7f09baec00b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x559a2067673d in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/qemu-system-aarch64+0xf4b73d)

0x61000000ab00 is located 0 bytes to the right of 192-byte region [0x61000000aa40,0x61000000ab00)
allocated by thread T0 here:
    #0 0x559a206eeff2 in calloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/qemu-system-aarch64+0xfc3ff2)
    #1 0x7f09bcb7bef0 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57ef0)
    #2 0x559a21bf3442 in object_class_foreach_tramp /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/san/../../qom/object.c:1070:5

Fixes: 00f05c02f9e7342f ("hw/dma/xlnx_csu_dma: Support starting a read transfer through a class method")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20220308150207.2546272-1-peter.maydell@linaro.org
---
 hw/dma/xlnx_csu_dma.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/dma/xlnx_csu_dma.c b/hw/dma/xlnx_csu_dma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/xlnx_csu_dma.c
+++ b/hw/dma/xlnx_csu_dma.c
@@ -XXX,XX +XXX,XX @@ static const TypeInfo xlnx_csu_dma_info = {
     .parent        = TYPE_SYS_BUS_DEVICE,
     .instance_size = sizeof(XlnxCSUDMA),
     .class_init    = xlnx_csu_dma_class_init,
+    .class_size    = sizeof(XlnxCSUDMAClass),
     .instance_init = xlnx_csu_dma_init,
     .interfaces = (InterfaceInfo[]) {
         { TYPE_STREAM_SINK },
-- 
2.25.1

In npcm7xx_clk_sel_init() we allocate a string with g_strdup_printf().
Use g_autofree so we free it rather than leaking it.

(Detected with the clang leak sanitizer.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20220308170302.2582820-1-peter.maydell@linaro.org
---
 hw/misc/npcm7xx_clk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/misc/npcm7xx_clk.c b/hw/misc/npcm7xx_clk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/npcm7xx_clk.c
+++ b/hw/misc/npcm7xx_clk.c
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_clk_sel_init(Object *obj)
     NPCM7xxClockSELState *sel = NPCM7XX_CLOCK_SEL(obj);
 
     for (i = 0; i < NPCM7XX_CLK_SEL_MAX_INPUT; ++i) {
-        sel->clock_in[i] = qdev_init_clock_in(DEVICE(sel),
-                g_strdup_printf("clock-in[%d]", i),
+        g_autofree char *s = g_strdup_printf("clock-in[%d]", i);
+        sel->clock_in[i] = qdev_init_clock_in(DEVICE(sel), s,
                 npcm7xx_clk_update_sel_cb, sel, ClockUpdate);
     }
     sel->clock_out = qdev_init_clock_out(DEVICE(sel), "clock-out");
-- 
2.25.1

We currently list the emulators in the Windows installer's dialog
in an essentially random order (it's whatever glob.glob() returns
them to, which is filesystem-implementation-dependent). Add a
call to sorted() so they appear in alphabetical order.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 20220305105743.2384766-2-peter.maydell@linaro.org
---
 scripts/nsis.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/nsis.py b/scripts/nsis.py
index XXXXXXX..XXXXXXX 100644
--- a/scripts/nsis.py
+++ b/scripts/nsis.py
@@ -XXX,XX +XXX,XX @@ def main():
         with open(
             os.path.join(destdir + args.prefix, "system-emulations.nsh"), "w"
         ) as nsh:
-            for exe in glob.glob(
+            for exe in sorted(glob.glob(
                 os.path.join(destdir + args.prefix, "qemu-system-*.exe")
-            ):
+            )):
                 exe = os.path.basename(exe)
                 arch = exe[12:-4]
                 nsh.write(
-- 
2.25.1

We use the nsis.py script to write out an installer script Section
for each emulator executable, so the exact set of Sections depends on
which executables were built.  However the part of qemu.nsi which
specifies mouse-over descriptions for each Section still has a
hard-coded and very outdated list (with just i386 and alpha).  This
causes two problems.  Firstly, if you build the installer for a
configuration where you didn't build the i386 binaries you get
warnings like this:
  warning 6000: unknown variable/constant "{Section_i386}" detected, ignoring (macro:_==:1)
  warning 6000: unknown variable/constant "{Section_i386w}" detected, ignoring (macro:_==:1)
(this happens in our gitlab CI jobs, for instance).
Secondly, most of the emulators in the generated installer don't have
any mouseover text.

Make nsis.py generate a second output file which has the necessary
MUI_DESCRIPTION_TEXT lines for each Section it creates, so we can
include that at the right point in qemu.nsi to set the mouse-over
text.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: John Snow <jsnow@redhat.com>
Message-id: 20220305105743.2384766-4-peter.maydell@linaro.org
---
 qemu.nsi        |  5 +----
 scripts/nsis.py | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/qemu.nsi b/qemu.nsi
index XXXXXXX..XXXXXXX 100644
--- a/qemu.nsi
+++ b/qemu.nsi
@@ -XXX,XX +XXX,XX @@ SectionEnd
 ; Descriptions (mouse-over).
 !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
     !insertmacro MUI_DESCRIPTION_TEXT ${SectionSystem}  "System emulation."
-    !insertmacro MUI_DESCRIPTION_TEXT ${Section_alpha}  "Alpha system emulation."
-    !insertmacro MUI_DESCRIPTION_TEXT ${Section_alphaw} "Alpha system emulation (GUI)."
-    !insertmacro MUI_DESCRIPTION_TEXT ${Section_i386}   "PC i386 system emulation."
-    !insertmacro MUI_DESCRIPTION_TEXT ${Section_i386w}  "PC i386 system emulation (GUI)."
+!include "${BINDIR}\system-mui-text.nsh"
     !insertmacro MUI_DESCRIPTION_TEXT ${SectionTools} "Tools."
 !ifdef DLLDIR
     !insertmacro MUI_DESCRIPTION_TEXT ${SectionDll}   "Runtime Libraries (DLL)."
diff --git a/scripts/nsis.py b/scripts/nsis.py
index XXXXXXX..XXXXXXX 100644
--- a/scripts/nsis.py
+++ b/scripts/nsis.py
@@ -XXX,XX +XXX,XX @@ def main():
         subprocess.run(["make", "install", "DESTDIR=" + destdir + os.path.sep])
         with open(
             os.path.join(destdir + args.prefix, "system-emulations.nsh"), "w"
-        ) as nsh:
+        ) as nsh, open(
+            os.path.join(destdir + args.prefix, "system-mui-text.nsh"), "w"
+        ) as muinsh:
             for exe in sorted(glob.glob(
                 os.path.join(destdir + args.prefix, "qemu-system-*.exe")
             )):
@@ -XXX,XX +XXX,XX @@ def main():
                         arch, exe
                     )
                 )
+                if arch.endswith('w'):
+                    desc = arch[:-1] + " emulation (GUI)."
+                else:
+                    desc = arch + " emulation."
+
+                muinsh.write(
+                    """
+                !insertmacro MUI_DESCRIPTION_TEXT ${{Section_{0}}} "{1}"
+                """.format(arch, desc))
 
         for exe in glob.glob(os.path.join(destdir + args.prefix, "*.exe")):
             signcode(exe)
-- 
2.25.1

From: Eric Auger <eric.auger@redhat.com>

CONFIG_ARM_GIC_TCG actually guards the compilation of TCG GICv3
specific files. So let's rename it into CONFIG_ARM_GICV3_TCG

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20220308182452.223473-2-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/Kconfig     | 2 +-
 hw/intc/meson.build | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -XXX,XX +XXX,XX @@ config APIC
     select MSI_NONBROKEN
     select I8259
 
-config ARM_GIC_TCG
+config ARM_GICV3_TCG
     bool
     default y
     depends on ARM_GIC && TCG
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
   'arm_gicv3_common.c',
   'arm_gicv3_its_common.c',
 ))
-softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
+softmmu_ss.add(when: 'CONFIG_ARM_GICV3_TCG', if_true: files(
   'arm_gicv3.c',
   'arm_gicv3_dist.c',
   'arm_gicv3_its.c',
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
-specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
+specific_ss.add(when: 'CONFIG_ARM_GICV3_TCG', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
 specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
-- 
2.25.1

From: Eric Auger <eric.auger@redhat.com>

In TCG mode, if gic-version=max we always select GICv3 even if
CONFIG_ARM_GICV3_TCG is unset. We shall rather select GICv2.
This also brings the benefit of fixing qos tests errors for tests
using gic-version=max with CONFIG_ARM_GICV3_TCG unset.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20220308182452.223473-3-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
         vms->gic_version = VIRT_GIC_VERSION_2;
         break;
     case VIRT_GIC_VERSION_MAX:
-        vms->gic_version = VIRT_GIC_VERSION_3;
+        if (module_object_class_by_name("arm-gicv3")) {
+            /* CONFIG_ARM_GICV3_TCG was set */
+            vms->gic_version = VIRT_GIC_VERSION_3;
+        } else {
+            vms->gic_version = VIRT_GIC_VERSION_2;
+        }
         break;
     case VIRT_GIC_VERSION_HOST:
         error_report("gic-version=host requires KVM");
-- 
2.25.1

Currently the CPU_LOG_INT logging misses some useful information
about loads from the vector table.  Add logging where we load vector
table entries.  This is particularly helpful for cases where the user
has accidentally not put a vector table in their image at all, which
can result in confusing guest crashes at startup.

Here's an example of the new logging for a case where
the vector table contains garbage:

Loaded reset SP 0x0 PC 0x0 from vector table
Loaded reset SP 0xd008f8df PC 0xf000bf00 from vector table
Taking exception 3 [Prefetch Abort] on CPU 0
...with CFSR.IACCVIOL
...BusFault with BFSR.STKERR
...taking pending nonsecure exception 3
...loading from element 3 of non-secure vector table at 0xc
...loaded new PC 0x20000558
----------------
IN:
0x20000558:  08000079  stmdaeq  r0, {r0, r3, r4, r5, r6}

(The double reset logging is the result of our long-standing
"CPUs all get reset twice" weirdness; it looks a bit ugly
but it'll go away if we ever fix that :-))

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20220315204306.2797684-2-peter.maydell@linaro.org
---
 target/arm/cpu.c      | 5 +++++
 target/arm/m_helper.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qemu/qemu-print.h"
 #include "qemu/timer.h"
+#include "qemu/log.h"
 #include "qemu-common.h"
 #include "target/arm/idau.h"
 #include "qemu/module.h"
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
             initial_pc = ldl_phys(s->as, vecbase + 4);
         }
 
+        qemu_log_mask(CPU_LOG_INT,
+                      "Loaded reset SP 0x%x PC 0x%x from vector table\n",
+                      initial_msp, initial_pc);
+
         env->regs[13] = initial_msp & 0xFFFFFFFC;
         env->regs[15] = initial_pc & ~1;
         env->thumb = initial_pc & 1;
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     ARMMMUIdx mmu_idx;
     bool exc_secure;
 
+    qemu_log_mask(CPU_LOG_INT,
+                  "...loading from element %d of %s vector table at 0x%x\n",
+                  exc, targets_secure ? "secure" : "non-secure", addr);
+
     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
 
     /*
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
         goto load_fail;
     }
     *pvec = vector_entry;
+    qemu_log_mask(CPU_LOG_INT, "...loaded new PC 0x%x\n", *pvec);
     return true;
 
 load_fail:
-- 
2.25.1

For M-profile, the fault address is not always exposed to the guest
in a fault register (for instance the BFAR bus fault address register
is only updated for bus faults on data accesses, not instruction
accesses).  Currently we log the address only if we're putting it
into a particular guest-visible register.  Since we always have it,
log it generically, to make logs of i-side faults a bit clearer.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20220315204306.2797684-3-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
          * Note that for M profile we don't have a guest facing FSR, but
          * the env->exception.fsr will be populated by the code that
          * raises the fault, in the A profile short-descriptor format.
+         *
+         * Log the exception.vaddress now regardless of subtype, because
+         * logging below only logs it when it goes into a guest visible
+         * register.
          */
+        qemu_log_mask(CPU_LOG_INT, "...at fault address 0x%x\n",
+                      (uint32_t)env->exception.vaddress);
         switch (env->exception.fsr & 0xf) {
         case M_FAKE_FSR_NSC_EXEC:
             /*
-- 
2.25.1