Series comparison

-[PULL 0/2] target-arm queue
+[PULL v2 00/39] target-arm queue
-Two bug fixes for 9.0...
+v2: fix format-string issue in a test case.
 -- PMM
-The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:
+The following changes since commit 6f34661b6c97a37a5efc27d31c037ddeda4547e2:
-  Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)
+  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-03-11 18:55:27 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210314
-for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:
+for you to fetch changes up to 6500ac13ff8e5c64ca69f5ef5d456028cfda6139:
-  target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)
+  hw/display/pxa2xx: Inline template header (2021-03-14 13:14:56 +0000)
 ----------------------------------------------------------------
-target-arm:
+target-arm queue:
- * Use correct SecuritySpace for AArch64 AT ops at EL3
+ * versal: Support XRAMs and XRAM controller
- * Fix CNTPOFF_EL2 trap to missing EL3
+ * smmu: Various minor bug fixes
  * SVE emulation: fix bugs handling odd vector lengths
  * allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
  * tests/acceptance: fix orangepi-pc acceptance tests
  * hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
  * hw/arm/virt: KVM: The IPA lower bound is 32
  * npcm7xx: support MFT module
  * pl110, pxa2xx_lcd: tidy up template headers
 ----------------------------------------------------------------
-Peter Maydell (1):
+Andrew Jones (2):
-      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
+      accel: kvm: Fix kvm_type invocation
       hw/arm/virt: KVM: The IPA lower bound is 32
-Pierre-Clément Tosi (1):
+Edgar E. Iglesias (2):
-      target/arm: Fix CNTPOFF_EL2 trap to missing EL3
+      hw/misc: versal: Add a model of the XRAM controller
       hw/arm: versal: Add support for the XRAMs
- target/arm/helper.c | 10 +++++++---
+Eric Auger (7):
-file changed, 7 insertions(+), 3 deletions(-)
+      intel_iommu: Fix mask may be uninitialized in vtd_context_device_invalidate
       dma: Introduce dma_aligned_pow2_mask()
       virtio-iommu: Handle non power of 2 range invalidations
       hw/arm/smmu-common: Fix smmu_iotlb_inv_iova when asid is not set
       hw/arm/smmuv3: Enforce invalidation on a power of two range
       hw/arm/smmuv3: Fix SMMU_CMD_CFGI_STE_RANGE handling
       hw/arm/smmuv3: Uniformize sid traces
+Hao Wu (5):
+      hw/misc: Add GPIOs for duty in NPCM7xx PWM
+      hw/misc: Add NPCM7XX MFT Module
+      hw/arm: Add MFT device to NPCM7xx Soc
+      hw/arm: Connect PWM fans in NPCM7XX boards
+      tests/qtest: Test PWM fan RPM using MFT in PWM test
+Niek Linnenbank (5):
+      hw/net/allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
+      tests/acceptance/boot_linux_console: remove Armbian 19.11.3 bionic test for orangepi-pc machine
+      tests/acceptance/boot_linux_console: change URL for test_arm_orangepi_bionic_20_08
+      tests/acceptance: update sunxi kernel from armbian to 5.10.16
+      tests/acceptance: drop ARMBIAN_ARTIFACTS_CACHED condition for orangepi-pc, cubieboard tests
+Peter Maydell (9):
+      hw/display/pl110: Remove dead code for non-32-bpp surfaces
+      hw/display/pl110: Pull included-once parts of template header into pl110.c
+      hw/display/pl110: Remove use of BITS from pl110_template.h
+      hw/display/pxa2xx_lcd: Remove dead code for non-32-bpp surfaces
+      hw/display/pxa2xx_lcd: Remove dest_width state field
+      hw/display/pxa2xx: Remove use of BITS in pxa2xx_template.h
+      hw/display/pxa2xx: Apply brace-related coding style fixes to template header
+      hw/display/pxa2xx: Apply whitespace-only coding style fixes to template header
+      hw/display/pxa2xx: Inline template header
+Philippe Mathieu-Daudé (1):
+      hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
+Richard Henderson (8):
+      target/arm: Fix sve_uzp_p vs odd vector lengths
+      target/arm: Fix sve_zip_p vs odd vector lengths
+      target/arm: Fix sve_punpk_p vs odd vector lengths
+      target/arm: Update find_last_active for PREDDESC
+      target/arm: Update BRKA, BRKB, BRKN for PREDDESC
+      target/arm: Update CNTP for PREDDESC
+      target/arm: Update WHILE for PREDDESC
+      target/arm: Update sve reduction vs simd_desc
+ docs/system/arm/nuvoton.rst            |   2 +-
+ docs/system/arm/xlnx-versal-virt.rst   |   1 +
+ hw/arm/smmu-internal.h                 |   5 +
+ hw/display/pl110_template.h            | 120 +-------
+ hw/display/pxa2xx_template.h           | 447 ---------------------------
+ include/hw/arm/npcm7xx.h               |  13 +-
+ include/hw/arm/xlnx-versal.h           |  13 +
+ include/hw/boards.h                    |   1 +
+ include/hw/misc/npcm7xx_mft.h          |  70 +++++
+ include/hw/misc/npcm7xx_pwm.h          |   4 +-
+ include/hw/misc/xlnx-versal-xramc.h    |  97 ++++++
+ include/sysemu/dma.h                   |  12 +
+ target/arm/kvm_arm.h                   |   6 +-
+ accel/kvm/kvm-all.c                    |   2 +
+ hw/arm/npcm7xx.c                       |  45 ++-
+ hw/arm/npcm7xx_boards.c                |  99 ++++++
+ hw/arm/smmu-common.c                   |  32 +-
+ hw/arm/smmuv3.c                        |  58 ++--
+ hw/arm/virt.c                          |  23 +-
+ hw/arm/xlnx-versal.c                   |  36 +++
+ hw/display/pl110.c                     | 123 +++++---
+ hw/display/pxa2xx_lcd.c                | 520 ++++++++++++++++++++++++++-----
+ hw/i386/intel_iommu.c                  |  32 +-
+ hw/misc/npcm7xx_mft.c                  | 540 +++++++++++++++++++++++++++++++++
+ hw/misc/npcm7xx_pwm.c                  |   4 +
+ hw/misc/xlnx-versal-xramc.c            | 253 +++++++++++++++
+ hw/net/allwinner-sun8i-emac.c          |  62 ++--
+ hw/timer/sse-timer.c                   |   1 +
+ hw/virtio/virtio-iommu.c               |  19 +-
+ softmmu/dma-helpers.c                  |  26 ++
+ target/arm/kvm.c                       |   4 +-
+ target/arm/sve_helper.c                | 107 ++++---
+ target/arm/translate-sve.c             |  26 +-
+ tests/qtest/npcm7xx_pwm-test.c         | 205 ++++++++++++-
+ hw/arm/trace-events                    |  24 +-
+ hw/misc/meson.build                    |   2 +
+ hw/misc/trace-events                   |   8 +
+ tests/acceptance/boot_linux_console.py | 120 +++-----
+ tests/acceptance/replay_kernel.py      |  10 +-
+files changed, 2235 insertions(+), 937 deletions(-)
+ delete mode 100644 hw/display/pxa2xx_template.h
+ create mode 100644 include/hw/misc/npcm7xx_mft.h
+ create mode 100644 include/hw/misc/xlnx-versal-xramc.h
+ create mode 100644 hw/misc/npcm7xx_mft.c
+ create mode 100644 hw/misc/xlnx-versal-xramc.c

-[PULL 1/2] target/arm: Fix CNTPOFF_EL2 trap to missing EL3
+Deleted patch
-From: Pierre-Clément Tosi <ptosi@google.com>
-EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
-present, as described by the reference manual (for MRS):
-  /* ... */
-  elsif PSTATE.EL == EL2 then
-      if Halted() && HaveEL(EL3) && /*...*/ then
-          UNDEFINED;
-      elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
-          /* ... */
-      else
-          X[t, 64] = CNTPOFF_EL2;
-However, the existing implementation of gt_cntpoff_access() always
-returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
-pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
-is always true, which is wrong. As a result, QEMU panics in
-access_check_cp_reg() when started without EL3 and running EL2 code
-accessing the register (e.g. any recent KVM booting a guest).
-Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().
-Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
-Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
-Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
-                                         const ARMCPRegInfo *ri,
-                                         bool isread)
- {
--    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
-+    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
-+        !(env->cp15.scr_el3 & SCR_ECVEN)) {
-         return CP_ACCESS_TRAP_EL3;
-     }
-     return CP_ACCESS_OK;
---
-.34.1

-[PULL 2/2] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
+Deleted patch
-When we do an AT address translation operation, the page table walk
-is supposed to be performed in the context of the EL we're doing the
-walk for, so for instance an AT S1E2R walk is done for EL2.  In the
-pseudocode an EL is passed to AArch64.AT(), which calls
-SecurityStateAtEL() to find the security state that we should be
-doing the walk with.
-In ats_write64() we get this wrong, instead using the current
-security space always.  This is fine for AT operations performed from
-EL1 and EL2, because there the current security state and the
-security state for the lower EL are the same.  But for AT operations
-performed from EL3, the current security state is always either
-Secure or Root, whereas we want to use the security state defined by
-SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
-FEAT_RME but also ones where EL3 is Secure state and the EL3 code
-is trying to do an AT for a NonSecure EL2 or EL1.
-Use arm_security_space_below_el3() to get the SecuritySpace to
-pass to do_ats_write() for all AT operations except the
-AT S1E3* operations.
-Cc: qemu-stable@nongnu.org
-Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
----
- target/arm/helper.c | 7 +++++--
-file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-     ARMMMUIdx mmu_idx;
-     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
-+    bool for_el3 = false;
-+    ARMSecuritySpace ss;
-     switch (ri->opc2 & 6) {
-     case 0:
-@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-             break;
-         case 6: /* AT S1E3R, AT S1E3W */
-             mmu_idx = ARMMMUIdx_E3;
-+            for_el3 = true;
-             break;
-         default:
-             g_assert_not_reached();
-@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-         g_assert_not_reached();
-     }
--    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
--                                       mmu_idx, arm_security_space(env));
-+    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
-+    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
- #else
-     /* Handled by hardware accelerator. */
-     g_assert_not_reached();
---
-.34.1

Two bug fixes for 9.0...

-- PMM

The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:

Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408

for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:

target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)

----------------------------------------------------------------
target-arm:
 * Use correct SecuritySpace for AArch64 AT ops at EL3
 * Fix CNTPOFF_EL2 trap to missing EL3

----------------------------------------------------------------
Peter Maydell (1):
      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3

Pierre-Clément Tosi (1):
      target/arm: Fix CNTPOFF_EL2 trap to missing EL3

target/arm/helper.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

From: Pierre-Clément Tosi <ptosi@google.com>

EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
present, as described by the reference manual (for MRS):

/* ... */
  elsif PSTATE.EL == EL2 then
      if Halted() && HaveEL(EL3) && /*...*/ then
          UNDEFINED;
      elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
          /* ... */
      else
          X[t, 64] = CNTPOFF_EL2;

However, the existing implementation of gt_cntpoff_access() always
returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
is always true, which is wrong. As a result, QEMU panics in
access_check_cp_reg() when started without EL3 and running EL2 code
accessing the register (e.g. any recent KVM booting a guest).

Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().

Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
                                         const ARMCPRegInfo *ri,
                                         bool isread)
 {
-    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
+    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
+        !(env->cp15.scr_el3 & SCR_ECVEN)) {
         return CP_ACCESS_TRAP_EL3;
     }
     return CP_ACCESS_OK;
-- 
2.34.1

When we do an AT address translation operation, the page table walk
is supposed to be performed in the context of the EL we're doing the
walk for, so for instance an AT S1E2R walk is done for EL2.  In the
pseudocode an EL is passed to AArch64.AT(), which calls
SecurityStateAtEL() to find the security state that we should be
doing the walk with.

In ats_write64() we get this wrong, instead using the current
security space always.  This is fine for AT operations performed from
EL1 and EL2, because there the current security state and the
security state for the lower EL are the same.  But for AT operations
performed from EL3, the current security state is always either
Secure or Root, whereas we want to use the security state defined by
SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
FEAT_RME but also ones where EL3 is Secure state and the EL3 code
is trying to do an AT for a NonSecure EL2 or EL1.

Use arm_security_space_below_el3() to get the SecuritySpace to
pass to do_ats_write() for all AT operations except the
AT S1E3* operations.

Cc: qemu-stable@nongnu.org
Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
     ARMMMUIdx mmu_idx;
     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
+    bool for_el3 = false;
+    ARMSecuritySpace ss;
 
     switch (ri->opc2 & 6) {
     case 0:
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
             break;
         case 6: /* AT S1E3R, AT S1E3W */
             mmu_idx = ARMMMUIdx_E3;
+            for_el3 = true;
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         g_assert_not_reached();
     }
 
-    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
-                                       mmu_idx, arm_security_space(env));
+    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
+    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
 #else
     /* Handled by hardware accelerator. */
     g_assert_not_reached();
-- 
2.34.1

v2: fix format-string issue in a test case.

-- PMM

The following changes since commit 6f34661b6c97a37a5efc27d31c037ddeda4547e2:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-03-11 18:55:27 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210314

for you to fetch changes up to 6500ac13ff8e5c64ca69f5ef5d456028cfda6139:

hw/display/pxa2xx: Inline template header (2021-03-14 13:14:56 +0000)

----------------------------------------------------------------
target-arm queue:
 * versal: Support XRAMs and XRAM controller
 * smmu: Various minor bug fixes
 * SVE emulation: fix bugs handling odd vector lengths
 * allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
 * tests/acceptance: fix orangepi-pc acceptance tests
 * hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()
 * hw/arm/virt: KVM: The IPA lower bound is 32
 * npcm7xx: support MFT module
 * pl110, pxa2xx_lcd: tidy up template headers

----------------------------------------------------------------
Andrew Jones (2):
      accel: kvm: Fix kvm_type invocation
      hw/arm/virt: KVM: The IPA lower bound is 32

Edgar E. Iglesias (2):
      hw/misc: versal: Add a model of the XRAM controller
      hw/arm: versal: Add support for the XRAMs

Eric Auger (7):
      intel_iommu: Fix mask may be uninitialized in vtd_context_device_invalidate
      dma: Introduce dma_aligned_pow2_mask()
      virtio-iommu: Handle non power of 2 range invalidations
      hw/arm/smmu-common: Fix smmu_iotlb_inv_iova when asid is not set
      hw/arm/smmuv3: Enforce invalidation on a power of two range
      hw/arm/smmuv3: Fix SMMU_CMD_CFGI_STE_RANGE handling
      hw/arm/smmuv3: Uniformize sid traces

Hao Wu (5):
      hw/misc: Add GPIOs for duty in NPCM7xx PWM
      hw/misc: Add NPCM7XX MFT Module
      hw/arm: Add MFT device to NPCM7xx Soc
      hw/arm: Connect PWM fans in NPCM7XX boards
      tests/qtest: Test PWM fan RPM using MFT in PWM test

Niek Linnenbank (5):
      hw/net/allwinner-sun8i-emac: traverse transmit queue using TX_CUR_DESC register value
      tests/acceptance/boot_linux_console: remove Armbian 19.11.3 bionic test for orangepi-pc machine
      tests/acceptance/boot_linux_console: change URL for test_arm_orangepi_bionic_20_08
      tests/acceptance: update sunxi kernel from armbian to 5.10.16
      tests/acceptance: drop ARMBIAN_ARTIFACTS_CACHED condition for orangepi-pc, cubieboard tests

Peter Maydell (9):
      hw/display/pl110: Remove dead code for non-32-bpp surfaces
      hw/display/pl110: Pull included-once parts of template header into pl110.c
      hw/display/pl110: Remove use of BITS from pl110_template.h
      hw/display/pxa2xx_lcd: Remove dead code for non-32-bpp surfaces
      hw/display/pxa2xx_lcd: Remove dest_width state field
      hw/display/pxa2xx: Remove use of BITS in pxa2xx_template.h
      hw/display/pxa2xx: Apply brace-related coding style fixes to template header
      hw/display/pxa2xx: Apply whitespace-only coding style fixes to template header
      hw/display/pxa2xx: Inline template header

Philippe Mathieu-Daudé (1):
      hw/timer/sse-timer: Propagate eventual error in sse_timer_realize()

Richard Henderson (8):
      target/arm: Fix sve_uzp_p vs odd vector lengths
      target/arm: Fix sve_zip_p vs odd vector lengths
      target/arm: Fix sve_punpk_p vs odd vector lengths
      target/arm: Update find_last_active for PREDDESC
      target/arm: Update BRKA, BRKB, BRKN for PREDDESC
      target/arm: Update CNTP for PREDDESC
      target/arm: Update WHILE for PREDDESC
      target/arm: Update sve reduction vs simd_desc