Re: [Qemu-devel] [PATCH] migration: calculate expected_downtime with ram_bytes_remaining()

[Peter Xu]

On Sun, Apr 01, 2018 at 12:25:36AM +0530, Balamuruhan S wrote:
> expected_downtime value is not accurate with dirty_pages_rate * page_size,
> using ram_bytes_remaining would yeild it correct.
> 
> Signed-off-by: Balamuruhan S 
> ---
>  migration/migration.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/migration/migration.c b/migration/migration.c
> index 58bd382730..4e43dc4f92 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -2245,8 +2245,7 @@ static void migration_update_counters(MigrationState *s,
>   * recalculate. 1 is a small enough number for our purposes
>   */
>  if (ram_counters.dirty_pages_rate && transferred > 1) {
> -s->expected_downtime = ram_counters.dirty_pages_rate *
> -qemu_target_page_size() / bandwidth;
> +s->expected_downtime = ram_bytes_remaining() / bandwidth;

This field was removed in e4ed1541ac ("savevm: New save live migration
method: pending", 2012-12-20), in which remaing RAM was used.

And it was added back in 90f8ae724a ("migration: calculate
expected_downtime", 2013-02-22), in which dirty rate was used.

However I didn't find a clue on why we changed from using remaining
RAM to using dirty rate...  So I'll leave this question to Juan.

Besides, I'm a bit confused on when we'll want such a value.  AFAIU
precopy is mostly used by setting up the target downtime before hand,
so we should already know the downtime before hand.  Then why we want
to observe such a thing?

Thanks,

-- 
Peter Xu

Re: [Qemu-devel] [Qemu-ppc] [PATCH for-2.13] Add host_memory_backend_pagesize() helper

[David Gibson]

On Thu, Mar 29, 2018 at 08:37:48AM +0200, Greg Kurz wrote:
> On Thu, 29 Mar 2018 16:25:37 +1100
> David Gibson  wrote:
> 
> > There are a couple places (one generic, one target specific) where we need
> > to get the host page size associated with a particular memory backend.  I
> > have some upcoming code which will add another place which wants this.  So,
> > for convenience, add a helper function to calculate this.
> > 
> > host_memory_backend_pagesize() returns the host pagesize for a given
> > HostMemoryBackend object, or for the default backend (-mem-path) if passed
> > NULL.
> > 
> > Signed-off-by: David Gibson 
> > ---
> 
> The idea is good but there's a small issue. See below.
> 
> >  backends/hostmem.c   | 20 
> >  exec.c   | 21 +
> >  include/sysemu/hostmem.h |  2 ++
> >  target/ppc/kvm.c | 10 +-
> >  4 files changed, 28 insertions(+), 25 deletions(-)
> > 
> > diff --git a/backends/hostmem.c b/backends/hostmem.c
> > index f61093654e..b6a60cfc5d 100644
> > --- a/backends/hostmem.c
> > +++ b/backends/hostmem.c
> > @@ -18,6 +18,7 @@
> >  #include "qapi/visitor.h"
> >  #include "qemu/config-file.h"
> >  #include "qom/object_interfaces.h"
> > +#include "qemu/mmap-alloc.h"
> >  
> >  #ifdef CONFIG_NUMA
> >  #include 
> > @@ -262,6 +263,25 @@ bool host_memory_backend_is_mapped(HostMemoryBackend 
> > *backend)
> >  return backend->is_mapped;
> >  }
> >  
> > +long host_memory_backend_pagesize(HostMemoryBackend *memdev)
> > +{
> > +const char *path = NULL;
> > +
> > +#ifdef __linux__
> > +if (memdev) {
> > +path = object_property_get_str(OBJECT(memdev), "mem-path", NULL);
> 
> object_property_get_str() returns an allocated string. It should be freed
> before returning.

Ah, nice catch, I'll correct that.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [Qemu-devel] [PATCH for-2.13] Add host_memory_backend_pagesize() helper

[David Gibson]

On Mon, Apr 02, 2018 at 11:22:06PM -0300, Eduardo Habkost wrote:
> On Thu, Mar 29, 2018 at 04:25:37PM +1100, David Gibson wrote:
> > There are a couple places (one generic, one target specific) where we need
> > to get the host page size associated with a particular memory backend.  I
> > have some upcoming code which will add another place which wants this.  So,
> > for convenience, add a helper function to calculate this.
> > 
> > host_memory_backend_pagesize() returns the host pagesize for a given
> > HostMemoryBackend object, or for the default backend (-mem-path) if passed
> > NULL.
> > 
> > Signed-off-by: David Gibson 
> > ---
> >  backends/hostmem.c   | 20 
> >  exec.c   | 21 +
> >  include/sysemu/hostmem.h |  2 ++
> >  target/ppc/kvm.c | 10 +-
> >  4 files changed, 28 insertions(+), 25 deletions(-)
> > 
> > diff --git a/backends/hostmem.c b/backends/hostmem.c
> > index f61093654e..b6a60cfc5d 100644
> > --- a/backends/hostmem.c
> > +++ b/backends/hostmem.c
> > @@ -18,6 +18,7 @@
> >  #include "qapi/visitor.h"
> >  #include "qemu/config-file.h"
> >  #include "qom/object_interfaces.h"
> > +#include "qemu/mmap-alloc.h"
> >  
> >  #ifdef CONFIG_NUMA
> >  #include 
> > @@ -262,6 +263,25 @@ bool host_memory_backend_is_mapped(HostMemoryBackend 
> > *backend)
> >  return backend->is_mapped;
> >  }
> >  
> > +long host_memory_backend_pagesize(HostMemoryBackend *memdev)
> 
> qemu_mempath_getpagesize() returns size_t.  Why are you using
> long here?

Because qemu_getrampagesize() returns long.  But size_t is better, so
I've changed it.

> > +{
> > +const char *path = NULL;
> > +
> > +#ifdef __linux__
> > +if (memdev) {
> > +path = object_property_get_str(OBJECT(memdev), "mem-path", NULL);
> > +} else {
> > +path = mem_path;
> > +}
> > +#endif
> > +
> > +if (path) {
> > +return qemu_mempath_getpagesize(path);
> > +} else {
> > +return getpagesize();
> 
> Isn't it simpler to make qemu_mempath_getpagesize() handle
> path==NULL?

Uh.. possibly not, but things you bring up later kind of make it moot.

> > +}
> > +}
> > +
> >  static void
> >  host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
> >  {
> > diff --git a/exec.c b/exec.c
> > index c09bd93df3..04856c2402 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -1488,18 +1488,13 @@ void ram_block_dump(Monitor *mon)
> >   */
> >  static int find_max_supported_pagesize(Object *obj, void *opaque)
> >  {
> > -char *mem_path;
> >  long *hpsize_min = opaque;
> >  
> >  if (object_dynamic_cast(obj, TYPE_MEMORY_BACKEND)) {
> > -mem_path = object_property_get_str(obj, "mem-path", NULL);
> > -if (mem_path) {
> > -long hpsize = qemu_mempath_getpagesize(mem_path);
> > -if (hpsize < *hpsize_min) {
> > -*hpsize_min = hpsize;
> > -}
> > -} else {
> > -*hpsize_min = getpagesize();
> > +long hpsize = host_memory_backend_pagesize(MEMORY_BACKEND(obj));
> 
> So in this caller, `backend` is always non-NULL...
> 
> > +
> > +if (hpsize < *hpsize_min) {
> > +*hpsize_min = hpsize;
> >  }
> >  }
> >  
> > @@ -1509,15 +1504,9 @@ static int find_max_supported_pagesize(Object *obj, 
> > void *opaque)
> >  long qemu_getrampagesize(void)
> >  {
> >  long hpsize = LONG_MAX;
> > -long mainrampagesize;
> > +long mainrampagesize = host_memory_backend_pagesize(NULL);
> 
> ...on this caller `backend` is always NULL...
> 
> 
> >  Object *memdev_root;
> >  
> > -if (mem_path) {
> > -mainrampagesize = qemu_mempath_getpagesize(mem_path);
> > -} else {
> > -mainrampagesize = getpagesize();
> > -}
> > -
> >  /* it's possible we have memory-backend objects with
> >   * hugepage-backed RAM. these may get mapped into system
> >   * address space via -numa parameters or memory hotplug
> [...]
> > diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> > index b329cd8173..0adcf18c9f 100644
> > --- a/target/ppc/kvm.c
> > +++ b/target/ppc/kvm.c
> > @@ -493,15 +493,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
> >  bool kvmppc_is_mem_backend_page_size_ok(const char *obj_path)
> >  {
> >  Object *mem_obj = object_resolve_path(obj_path, NULL);
> > -char *mempath = object_property_get_str(mem_obj, "mem-path", NULL);
> > -long pagesize;
> > -
> > -if (mempath) {
> > -pagesize = qemu_mempath_getpagesize(mempath);
> > -g_free(mempath);
> > -} else {
> > -pagesize = getpagesize();
> > -}
> > +long pagesize = host_memory_backend_pagesize(MEMORY_BACKEND(mem_obj));
> >  
> 
> ...and here `backend` is always non-NULL.
> 
> If there's no caller that relies on both code paths, why overload
> a single function for two different operations?

Good point.  

> I would simply make qemu_mempath_getpagesize() work if path is
> NULL, 

[Qemu-devel] [PATCH for-2.12] monitor: bind dispatch bh to iohandler context

[Peter Xu]

Eric Auger reported the problem days ago that OOB broke ARM when running
with libvirt:

http://lists.gnu.org/archive/html/qemu-devel/2018-03/msg06231.html

This patch fixes the problem.

It's not really needed now since we have turned OOB off now, but it's
still a bug fix, and it'll start to work when we turn OOB on for ARM.

The problem was that the monitor dispatcher bottom half was bound to
qemu_aio_context, but that context seems to be for block only.  For the
rest of the QEMU world we should be using iohandler context.  So
assigning monitor dispatcher bottom half to that context.

If without this change, QMP dispatcher might be run even before reaching
main loop in block IO path, for example, in a stack like:

#0  qmp_cont ()
#1  0x006bd210 in qmp_marshal_cont ()
#2  0x00ac05c4 in do_qmp_dispatch ()
#3  0x00ac07a0 in qmp_dispatch ()
#4  0x00472d60 in monitor_qmp_dispatch_one ()
#5  0x0047302c in monitor_qmp_bh_dispatcher ()
#6  0x00acf374 in aio_bh_call ()
#7  0x00acf428 in aio_bh_poll ()
#8  0x00ad5110 in aio_poll ()
#9  0x00a08ab8 in blk_prw ()
#10 0x00a091c4 in blk_pread ()
#11 0x00734f94 in pflash_cfi01_realize ()
#12 0x0075a3a4 in device_set_realized ()
#13 0x009a26cc in property_set_bool ()
#14 0x009a0a40 in object_property_set ()
#15 0x009a3a08 in object_property_set_qobject ()
#16 0x009a0c8c in object_property_set_bool ()
#17 0x00758f94 in qdev_init_nofail ()
#18 0x0058e190 in create_one_flash ()
#19 0x0058e2f4 in create_flash ()
#20 0x005902f0 in machvirt_init ()
#21 0x007635cc in machine_run_board_init ()
#22 0x006b135c in main ()

This can cause ARM to crash when used with both OOB capability enabled
and libvirt as upper layer, since libvirt will start QEMU with "-S" and
the first "cont" command will arrive very early if the context is not
correct (which is what above stack shows).  Then, the vcpu threads will
start to run right after the qmp_cont() call, even when GICs have not
been setup correctly yet (which is done in kvm_arm_machine_init_done()).

My sincere thanks to Eric Auger who offered great help during both
debugging and verifying the problem.  The ARM test was carried out by
applying this patch upon QEMU 2.12.0-rc0 and problem is gone after the
patch.

A quick test of mine shows that after this patch applied we can pass all
raw iotests even with OOB on by default.

CC: Eric Blake 
CC: Markus Armbruster 
CC: Stefan Hajnoczi 
CC: Fam Zheng 
Reported-by: Eric Auger 
Tested-by: Eric Auger 
Signed-off-by: Peter Xu 
---

This patch will fix all known OOB breakages I know so far, but I think
for better safety I'll still keep OOB off, and I'll send another patch
to turn default OOB on after 2.12 release.
---
 monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor.c b/monitor.c
index 51f4cf480f..39f8ee17ba 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4467,7 +4467,7 @@ static void monitor_iothread_init(void)
  * have assumption to be run on main loop thread.  It would be
  * nice that one day we can remove this assumption in the future.
  */
-mon_global.qmp_dispatcher_bh = aio_bh_new(qemu_get_aio_context(),
+mon_global.qmp_dispatcher_bh = aio_bh_new(iohandler_get_aio_context(),
   monitor_qmp_bh_dispatcher,
   NULL);
 
-- 
2.14.3

[Qemu-devel] [PATCH for-2.12] block: handle invalid lseek returns gracefully

[Jeff Cody]

In commit 223a23c198787328ae75bc65d84edf5fde33c0b6, we implemented a
workaround in the gluster driver to handle invalid values returned for
SEEK_DATA or SEEK_HOLE.

In some instances, these same invalid values can be seen in the posix
file handler as well - for example, it has been reported on FUSE gluster
mounts.

Calling assert() for these invalid values is overly harsh; we can safely
return -EIO and allow this case to be treated as a "learned nothing"
case (e.g., D4 / H4, as commented in the code).

This patch does the same thing that 223a23c198787 did for gluster.c,
except in file-posix.c

Signed-off-by: Jeff Cody 
---
 block/file-posix.c | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index d7fb772c14..a2f6d8a8c8 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -2114,7 +2114,12 @@ static int find_allocation(BlockDriverState *bs, off_t 
start,
 if (offs < 0) {
 return -errno;  /* D3 or D4 */
 }
-assert(offs >= start);
+
+if (offs < start) {
+/* This is not a valid return by lseek().  We are safe to just return
+ * -EIO in this case, and we'll treat it like D4. */
+return -EIO;
+}
 
 if (offs > start) {
 /* D2: in hole, next data at offs */
@@ -2146,7 +2151,12 @@ static int find_allocation(BlockDriverState *bs, off_t 
start,
 if (offs < 0) {
 return -errno;  /* D1 and (H3 or H4) */
 }
-assert(offs >= start);
+
+if (offs < start) {
+/* This is not a valid return by lseek().  We are safe to just return
+ * -EIO in this case, and we'll treat it like H4. */
+return -EIO;
+}
 
 if (offs > start) {
 /*
-- 
2.13.6

Re: [Qemu-devel] [PATCH qemu] vfio: Print address space address when cannot map MMIO for DMA

[Alexey Kardashevskiy]

On 29/3/18 9:14 pm, Auger Eric wrote:
> Hi Alexey,
> On 29/03/18 03:55, Alexey Kardashevskiy wrote:
>> On 29/3/18 8:03 am, Auger Eric wrote:
>>> Hi Alexey, Alex,
>>> On 22/03/18 09:18, Alexey Kardashevskiy wrote:
 The 567b5b309abe ("vfio/pci: Relax DMA map errors for MMIO regions") added
 an error message if a passed memory section address or size is not aligned
 to the minimal IOMMU page size. However although it checks
 offset_within_address_space for the alignment, offset_within_region is
 printed instead which makes it harder to find out what device caused
 the message so this replaces offset_within_region with
 offset_within_address_space.

 While we are here, this replaces '..' with 'size=' (as the second number
 is a size, not an end offset) and adds a memory region name.

 Fixes: 567b5b309abe "vfio/pci: Relax DMA map errors for MMIO regions"
 Signed-off-by: Alexey Kardashevskiy 
>>> The patch indeed fixes the reported format issues.
>>>
>>> However I have some other concerns with the info that is reported to the
>>> end-user. See below.
>>>
>>> Assigning an e1000e device with a 64kB host, here are the traces I get:
>>>
>>> Region XXX is not aligned to 0x1 and cannot be mapped for DMA
>>>
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a0050 size=0x3fb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a0050 size=0xffb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a0050 size=0x3fb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a0050 size=0xffb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a0050 size=0x3fb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100a4808 size=0xb7f8
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100e0050 size=0x3fb0
>>> "0004:01:00.0 BAR 3 mmaps[0]" 0x100e4808 size=0xb7f8
>>>
>>> It took me some time to understand what happens but here is now my
>>> understanding:
>>>
>>> 1) When looking at vfio_pci_write_config() pdev->io_regions[bar].addr =
>>> bar_addr in vfio_sub_page_bar_update_mapping() I see the following values:
>>>
>>> UNMAPPED -> 0x0 ->UNMAPPED -> 0x100a -> UNMAPPED -> 0x100a ->
>>> UNMAPPED -> 0x100e
>>>
>>> vfio_sub_page_bar_update_mapping() create mrs with base bar at
>>> 0x100a and 0x100e successively, hence the
>>> vfio_listener_region_add on 0x100a. Indeed, 0x0-0x50 msix-table mmio
>>> region induces some memory section at 0x100a0050 and 0x100e50 successively.
>>>
>>> However this is confusing for the end-user who only has access to the
>>> final mapping (0x100e) through lspi [1].
>>
>>
>> The trace shows that at least at some point the BAR actually was
>> 0x100a, I find this info rather useful than confusing as it might
>> expose a bug of some sort, for example.
>>
>> The user also has access to the MR name which is the host PCI address + BAR
>> index, how is that confusing?
> 
> To me it is confusing since it does not match the final location of bar3
> as output by lspci. I couldn't understanding how 0x100a related to bar3.


PCI resource reallocation is not that rate on PPC, at least, so I am kinda
used to it...



>>> 2) The changes in the size (0x3fb0 <-> 0xffb0) relate to the extension
>>> of the 16kB bar to 64kB in vfio_sub_page_bar_update_mapping
 3) Also it happens that I have a virtio-scsi-pci device that is put just
>>> after the BAR3 at 0x100a4000 and 0x100e4000 successively. The device has
>>
>> e1000e gets aligned to 64k but this one avoids the alignment for some reason?
> 
> Yes I will enquire about the allocation policy
>>
>>
>>> its own msi-table and pba mmio regions[2]. As mmaps[0] is extended to
>>> 64kB (with prio 0), we have those MMIO regions which result in new
>>> memory sections, which cause vfio_listener_region_add calls. This
>>> typically explains why we get a warning on 0x100e4808 (0xb7f8). By the
>>> way I don't get why we don't have a trace for "0004:01:00.0 BAR 3
>>> mmaps[0]" 0x100e4040 size=0x7c0, ie. mmaps[0] space between
>>> virtio-scsi-pci msic-table and pba.
>>
>>
>> "info mtree -f" might give a hint how MRs got resolved, could it end up
>> being emulated (==skipped by the vfio listener)?
> 
> Actually that's what is strange as I can see it in info mtree -f output. See 
> at the end of the mail.

Hm. Looks strange. Would be nice to know why...


>>> So at the end of the day, my fear is all those info become really
>>> frightening and confusing for the end-user and even not relevant
>>> (0x100a stuff). So I would rather simply remove the trace in 2.12
>>> until we find a place where we could generate a clear hint for the
>>> end-user, suggesting to relocate the msix bar.
>>>
>>> Thoughts?
>>
>> Please post complete "lspci -v" output for both pci devices and "info mtree
>> -f" (in addition to "info mtree", not instead).
> 
> see at the end
>>
>> In general, the error_report() could be removed as we did not have any
>> indication of not mapping before so we do not have to start now, I am just
>> missing the point here - the message exposes potentially not-working P2P
>> which is useful 

Re: [Qemu-devel] Loadable block drivers?

[Fam Zheng]

On Tue, 04/03 13:17, Lindsay Mathieson wrote:
> On 3 April 2018 at 13:11, Fam Zheng  wrote:
> 
> > On Tue, 04/03 12:59, Lindsay Mathieson wrote:
> > > Hi all, was looking at developing a block driver for qemu - have examined
> > > the drivers at:
> > >
> > >   https://github.com/qemu/qemu/tree/master/block
> > >
> > > And it seems straightforward enough.
> > >
> > > One thing that is unclear - all the drivers appear to be compiled
> > directly
> > > into qemu. Is there no way to load them dynamically as .so modules?
> >
> > './configure --enable-modules' will enable building block drivers as .so
> > objects, and they are loaded dynamically. These are in-tree .so modules;
> > out-of-tree modules like in Linux kernel are intentionally forbidden.
> >
> > Fam
> >
> 
> 
> 
> Rats, I take it that means I can't develop a testing block module and load
> it with an pre-existing qemu install.

No, that's not possible.

Fam

Re: [Qemu-devel] Loadable block drivers?

[Lindsay Mathieson]

On 3 April 2018 at 13:11, Fam Zheng  wrote:

> On Tue, 04/03 12:59, Lindsay Mathieson wrote:
> > Hi all, was looking at developing a block driver for qemu - have examined
> > the drivers at:
> >
> >   https://github.com/qemu/qemu/tree/master/block
> >
> > And it seems straightforward enough.
> >
> > One thing that is unclear - all the drivers appear to be compiled
> directly
> > into qemu. Is there no way to load them dynamically as .so modules?
>
> './configure --enable-modules' will enable building block drivers as .so
> objects, and they are loaded dynamically. These are in-tree .so modules;
> out-of-tree modules like in Linux kernel are intentionally forbidden.
>
> Fam
>



Rats, I take it that means I can't develop a testing block module and load
it with an pre-existing qemu install.

thanks.

-- 
Lindsay

Re: [Qemu-devel] Loadable block drivers?

[Fam Zheng]

On Tue, 04/03 12:59, Lindsay Mathieson wrote:
> Hi all, was looking at developing a block driver for qemu - have examined
> the drivers at:
> 
>   https://github.com/qemu/qemu/tree/master/block
> 
> And it seems straightforward enough.
> 
> One thing that is unclear - all the drivers appear to be compiled directly
> into qemu. Is there no way to load them dynamically as .so modules?

'./configure --enable-modules' will enable building block drivers as .so
objects, and they are loaded dynamically. These are in-tree .so modules;
out-of-tree modules like in Linux kernel are intentionally forbidden.

Fam

[Qemu-devel] Loadable block drivers?

[Lindsay Mathieson]

Hi all, was looking at developing a block driver for qemu - have examined
the drivers at:

  https://github.com/qemu/qemu/tree/master/block

And it seems straightforward enough.

One thing that is unclear - all the drivers appear to be compiled directly
into qemu. Is there no way to load them dynamically as .so modules?

Thanks,

-- 
Lindsay

Re: [Qemu-devel] [PULL 0/1] RISC-V: Critical fixes for QEMU 2.12

[Michael Clark]

On Sun, Apr 1, 2018 at 11:49 AM, Richard W.M. Jones 
wrote:

> On Fri, Mar 30, 2018 at 10:08:23AM -0700, Michael Clark wrote:
> > Hi Peter,
> >
> > I had tested Richard's proper fix but we didn't have a PR or the required
> > Reviewed-by and Signed-off-by so I made the PR for the conservative fix,
>
> "Richard" is me or Richard Henderson?  Anyway if you meant Stefan
> O'Rear's fix (https://github.com/rwmjones/fedora-riscv-bootstrap/blob/
> master/stage1-riscv-qemu/force-float-save.patch)
> then it is my understanding that this is also just a workaround.


Apologies for not being precise. Richard Henderson has a comprehensive fix
that correctly marks mstatus.FS dirty inside of FP arithmetic and FP loads.
This logic is missing in the current QEMU, hence the bug. i.e. QEMU
currently only has logic to throw exceptions if mstatus.FS state is set of
off, but FP arithmetic and FP loads do not cause state change to dirty.

I submitted the pull request for your's/Stefan's workaround so that QEMU
2.12 has working FP context switching under Linux (always returning dirty
or off is valid implementation choice according to the specification),
given Richard Henderson had not made a PR for his more comprehensive fix,
with the rationale that we could implement the comprehensive fix for QEMU
2.13.

At this point, I think neither of the fixes have gone in due to timing i.e.
the Easter Holidays, so vendors will need either your's/Stefan's workaround
or Richard Henderson's 2 patch series which he sent to the mailing list.

- https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg07034.html

Re: [Qemu-devel] [PATCH v2] i386: add KnightsMill cpu model

[Eduardo Habkost]

On Mon, Apr 02, 2018 at 01:14:30PM +0800, Boqun Feng wrote:
> Ping ;-)

It missed soft feature freeze (March 13th), so I will queue this
for 2.13.  Thanks!

> 
> Regards,
> Boqun
> 
> On Tue, Mar 20, 2018 at 08:08:15AM +0800, Boqun Feng wrote:
> > A new cpu model called "KnightsMill" is added to model Knights Mill
> > processors.  Compared to "Skylake-Server" cpu model, the following
> > features are added:
> > 
> > avx512_4vnniw avx512_4fmaps avx512pf avx512er avx512_vpopcntdq
> > 
> > and the following features are removed:
> > 
> > pcid invpcid clflushopt avx512dq avx512bw clwb smap rtm mpx
> > xsavec xgetbv1 hle
> > 
> > Signed-off-by: Boqun Feng 
> > ---
> > v1 --> v2:
> > 
> > *   Change the model name to "KnightsMill" as per Daniel's
> > suggestion.
> > 
> >  target/i386/cpu.c | 42 ++
> >  1 file changed, 42 insertions(+)
> > 
> > diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> > index 2c04645ceac9..c484afdb7023 100644
> > --- a/target/i386/cpu.c
> > +++ b/target/i386/cpu.c
> > @@ -1795,6 +1795,48 @@ static X86CPUDefinition builtin_x86_defs[] = {
> >  .xlevel = 0x8008,
> >  .model_id = "Intel Xeon Processor (Skylake, IBRS)",
> >  },
> > +{
> > +.name = "KnightsMill",
> > +.level = 0xd,
> > +.vendor = CPUID_VENDOR_INTEL,
> > +.family = 6,
> > +.model = 133,
> > +.stepping = 0,
> > +.features[FEAT_1_EDX] =
> > +CPUID_VME | CPUID_SS | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR |
> > +CPUID_MMX | CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | 
> > CPUID_CMOV |
> > +CPUID_MCA | CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC |
> > +CPUID_CX8 | CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC |
> > +CPUID_PSE | CPUID_DE | CPUID_FP87,
> > +.features[FEAT_1_ECX] =
> > +CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
> > +CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
> > +CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
> > +CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
> > +CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE 
> > |
> > +CPUID_EXT_F16C | CPUID_EXT_RDRAND,
> > +.features[FEAT_8000_0001_EDX] =
> > +CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP |
> > +CPUID_EXT2_NX | CPUID_EXT2_SYSCALL,
> > +.features[FEAT_8000_0001_ECX] =
> > +CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
> > +.features[FEAT_7_0_EBX] =
> > +CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | 
> > CPUID_7_0_EBX_AVX2 |
> > +CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS |
> > +CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | 
> > CPUID_7_0_EBX_AVX512F |
> > +CPUID_7_0_EBX_AVX512CD | CPUID_7_0_EBX_AVX512PF |
> > +CPUID_7_0_EBX_AVX512ER,
> > +.features[FEAT_7_0_ECX] =
> > +CPUID_7_0_ECX_AVX512_VPOPCNTDQ,
> > +.features[FEAT_7_0_EDX] =
> > +CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS,
> > +.features[FEAT_XSAVE] =
> > +CPUID_XSAVE_XSAVEOPT,
> > +.features[FEAT_6_EAX] =
> > +CPUID_6_EAX_ARAT,
> > +.xlevel = 0x8008,
> > +.model_id = "Intel Xeon Phi Processor (Knights Mill)",
> > +},
> >  {
> >  .name = "Opteron_G1",
> >  .level = 5,
> > -- 
> > 2.16.1
> > 

-- 
Eduardo

Re: [Qemu-devel] [PATCH for-2.13] Add host_memory_backend_pagesize() helper

[Eduardo Habkost]

On Thu, Mar 29, 2018 at 04:25:37PM +1100, David Gibson wrote:
> There are a couple places (one generic, one target specific) where we need
> to get the host page size associated with a particular memory backend.  I
> have some upcoming code which will add another place which wants this.  So,
> for convenience, add a helper function to calculate this.
> 
> host_memory_backend_pagesize() returns the host pagesize for a given
> HostMemoryBackend object, or for the default backend (-mem-path) if passed
> NULL.
> 
> Signed-off-by: David Gibson 
> ---
>  backends/hostmem.c   | 20 
>  exec.c   | 21 +
>  include/sysemu/hostmem.h |  2 ++
>  target/ppc/kvm.c | 10 +-
>  4 files changed, 28 insertions(+), 25 deletions(-)
> 
> diff --git a/backends/hostmem.c b/backends/hostmem.c
> index f61093654e..b6a60cfc5d 100644
> --- a/backends/hostmem.c
> +++ b/backends/hostmem.c
> @@ -18,6 +18,7 @@
>  #include "qapi/visitor.h"
>  #include "qemu/config-file.h"
>  #include "qom/object_interfaces.h"
> +#include "qemu/mmap-alloc.h"
>  
>  #ifdef CONFIG_NUMA
>  #include 
> @@ -262,6 +263,25 @@ bool host_memory_backend_is_mapped(HostMemoryBackend 
> *backend)
>  return backend->is_mapped;
>  }
>  
> +long host_memory_backend_pagesize(HostMemoryBackend *memdev)

qemu_mempath_getpagesize() returns size_t.  Why are you using
long here?

> +{
> +const char *path = NULL;
> +
> +#ifdef __linux__
> +if (memdev) {
> +path = object_property_get_str(OBJECT(memdev), "mem-path", NULL);
> +} else {
> +path = mem_path;
> +}
> +#endif
> +
> +if (path) {
> +return qemu_mempath_getpagesize(path);
> +} else {
> +return getpagesize();

Isn't it simpler to make qemu_mempath_getpagesize() handle
path==NULL?


> +}
> +}
> +
>  static void
>  host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
>  {
> diff --git a/exec.c b/exec.c
> index c09bd93df3..04856c2402 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1488,18 +1488,13 @@ void ram_block_dump(Monitor *mon)
>   */
>  static int find_max_supported_pagesize(Object *obj, void *opaque)
>  {
> -char *mem_path;
>  long *hpsize_min = opaque;
>  
>  if (object_dynamic_cast(obj, TYPE_MEMORY_BACKEND)) {
> -mem_path = object_property_get_str(obj, "mem-path", NULL);
> -if (mem_path) {
> -long hpsize = qemu_mempath_getpagesize(mem_path);
> -if (hpsize < *hpsize_min) {
> -*hpsize_min = hpsize;
> -}
> -} else {
> -*hpsize_min = getpagesize();
> +long hpsize = host_memory_backend_pagesize(MEMORY_BACKEND(obj));

So in this caller, `backend` is always non-NULL...

> +
> +if (hpsize < *hpsize_min) {
> +*hpsize_min = hpsize;
>  }
>  }
>  
> @@ -1509,15 +1504,9 @@ static int find_max_supported_pagesize(Object *obj, 
> void *opaque)
>  long qemu_getrampagesize(void)
>  {
>  long hpsize = LONG_MAX;
> -long mainrampagesize;
> +long mainrampagesize = host_memory_backend_pagesize(NULL);

...on this caller `backend` is always NULL...


>  Object *memdev_root;
>  
> -if (mem_path) {
> -mainrampagesize = qemu_mempath_getpagesize(mem_path);
> -} else {
> -mainrampagesize = getpagesize();
> -}
> -
>  /* it's possible we have memory-backend objects with
>   * hugepage-backed RAM. these may get mapped into system
>   * address space via -numa parameters or memory hotplug
[...]
> diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
> index b329cd8173..0adcf18c9f 100644
> --- a/target/ppc/kvm.c
> +++ b/target/ppc/kvm.c
> @@ -493,15 +493,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
>  bool kvmppc_is_mem_backend_page_size_ok(const char *obj_path)
>  {
>  Object *mem_obj = object_resolve_path(obj_path, NULL);
> -char *mempath = object_property_get_str(mem_obj, "mem-path", NULL);
> -long pagesize;
> -
> -if (mempath) {
> -pagesize = qemu_mempath_getpagesize(mempath);
> -g_free(mempath);
> -} else {
> -pagesize = getpagesize();
> -}
> +long pagesize = host_memory_backend_pagesize(MEMORY_BACKEND(mem_obj));
>  

...and here `backend` is always non-NULL.

If there's no caller that relies on both code paths, why overload
a single function for two different operations?

I would simply make qemu_mempath_getpagesize() work if path is
NULL, use qemu_mempath_getpagesize(mem_path) at
qemu_getrampagesize(), and make host_memory_backend_pagesize()
assume require a non-NULL `memdev`.



> +long host_memory_backend_pagesize(HostMemoryBackend *memdev)

Why is the code duplicated in target/ppc/kvm.c?


> +{
> +const char *path = NULL;
> +
> +#ifdef __linux__
> +if (memdev) {
> +path = object_property_get_str(OBJECT(memdev), "mem-path", NULL);
> +} else {
> +path = mem_path;
> +}
> +#endif
> +
> +if (path) {
> +return q

Re: [Qemu-devel] [PULL 0/2] Ide patches

[Fam Zheng]

On Mon, 04/02 12:34, John Snow wrote:
> 
> 
> On 03/31/2018 03:08 AM, no-re...@patchew.org wrote:
> > Hi,
> > 
> > This series failed docker-build@min-glib build test. Please find the 
> > testing commands and
> > their output below. If you have Docker installed, you can probably 
> > reproduce it
> > locally.
> > 
> > Type: series
> > Message-id: 20180327045646.21112-1-js...@redhat.com
> > Subject: [Qemu-devel] [PULL 0/2] Ide patches
> > 
> > === TEST SCRIPT BEGIN ===
> > #!/bin/bash
> > set -e
> > git submodule update --init dtc
> > # Let docker tests dump environment info
> > export SHOW_ENV=1
> > export J=8
> > time make docker-test-build@min-glib
> > === TEST SCRIPT END ===
> > 
> > Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
> > Switched to a new branch 'test'
> > 49a0f26939 Merge remote-tracking branch 
> > 'remotes/rth/tags/pull-tcg-20180328' into staging
> > a60769352d tcg: Mark muluh_i64 and mulsh_i64 as 64-bit ops
> > 
> > === OUTPUT BEGIN ===
> > Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 
> > 'dtc'
> > Cloning into '/var/tmp/patchew-tester-tmp-vi1_8690/src/dtc'...
> > Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
> >   BUILD   min-glib
> > make[1]: Entering directory '/var/tmp/patchew-tester-tmp-vi1_8690/src'
> >   GEN 
> > /var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar
> > Cloning into 
> > '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot'...
> > done.
> > Your branch is up-to-date with 'origin/test'.
> > Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 
> > 'dtc'
> > Cloning into 
> > '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot/dtc'...
> > Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
> > Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) 
> > registered for path 'ui/keycodemapdb'
> > Cloning into 
> > '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot/ui/keycodemapdb'...
> > Submodule path 'ui/keycodemapdb': checked out 
> > '6b3d716e2b6472eb7189d3220552280ef3d832ce'
> > tar: 
> > /var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar:
> >  Wrote only 2048 of 10240 bytes
> > tar: Error is not recoverable: exiting now
> > failed to create tar file
> >   COPYRUNNER
> > RUN test-build in qemu:min-glib 
> > tar: Unexpected EOF in archive
> > tar: Unexpected EOF in archive
> > tar: Error is not recoverable: exiting now
> > /var/tmp/qemu/run: line 32: prep_fail: command not found
> > Environment variables:
> > HOSTNAME=d3de5b81f6a8
> > MAKEFLAGS= -j8
> > J=8
> > CCACHE_DIR=/var/tmp/ccache
> > EXTRA_CONFIGURE_OPTS=
> > V=
> > SHOW_ENV=1
> > PATH=/usr/lib/ccache:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> > PWD=/
> > TARGET_LIST=
> > SHLVL=1
> > HOME=/root
> > TEST_DIR=/tmp/qemu-test
> > FEATURES= dtc
> > DEBUG=
> > _=/usr/bin/env
> > 
> > Configure options:
> > --enable-werror --target-list=x86_64-softmmu,aarch64-softmmu 
> > --prefix=/tmp/qemu-test/install
> > 
> > ERROR: DTC (libfdt) version >= 1.4.2 not present.
> >Please install the DTC (libfdt) devel package
> > 
> 
> Environment problems?
> 
> > Traceback (most recent call last):
> >   File "./tests/docker/docker.py", line 407, in 
> > sys.exit(main())
> >   File "./tests/docker/docker.py", line 404, in main
> > return args.cmdobj.run(args, argv)
> >   File "./tests/docker/docker.py", line 261, in run
> > return Docker().run(argv, args.keep, quiet=args.quiet)
> >   File "./tests/docker/docker.py", line 229, in run
> > quiet=quiet)
> >   File "./tests/docker/docker.py", line 147, in _do_check
> > return subprocess.check_call(self._command + cmd, **kwargs)
> >   File "/usr/lib64/python2.7/subprocess.py", line 186, in check_call
> > raise CalledProcessError(retcode, cmd)
> > subprocess.CalledProcessError: Command '['docker', 'run', '--label', 
> > 'com.qemu.instance.uuid=3f76e41234b211e8813a52540069c830', '-u', '0', 
> > '--security-opt', 'seccomp=unconfined', '--rm', '--net=none', '-e', 
> > 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=8', 
> > '-e', 'DEBUG=', '-e', 'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', 
> > '-v', '/root/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
> > '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023:/var/tmp/qemu:z,ro',
> >  'qemu:min-glib', '/var/tmp/qemu/run', 'test-build']' returned non-zero 
> > exit status 1
> > make[1]: *** [tests/docker/Makefile.include:129: docker-run] Error 1
> > make[1]: Leaving directory '/var/tmp/patchew-tester-tmp-vi1_8690/src'
> > make: *** [tests/docker/Makefile.include:163: 
> > docker-run-test-build@min-glib] Error 2
> > 
> > real0m51.988s
> > user0m9.352s
> > sys 0m6.949s
> > === OUTP

Re: [Qemu-devel] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Eduardo Habkost]

On Thu, Mar 29, 2018 at 11:10:21AM +0200, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: d8575c6c0242b
> Signed-off-by: Greg Kurz 

Queued, thanks.

-- 
Eduardo

Re: [Qemu-devel] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Eduardo Habkost]

On Thu, Mar 29, 2018 at 11:09:46AM +0200, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Signed-off-by: Greg Kurz 

Queued, thanks.

-- 
Eduardo

Re: [Qemu-devel] [PATCH] WHPX fixes an issue with CPUID 1 not returning CPUID_EXT_HYPERVISOR

[Eduardo Habkost]

On Wed, Mar 28, 2018 at 08:48:54PM +, Justin Terry (VM) wrote:
> Hey Eduardo
> 
> Responses inline. Thanks!
> 
> > -Original Message-
> > From: Eduardo Habkost 
> > Sent: Wednesday, March 28, 2018 10:51 AM
> > To: Justin Terry (VM) 
> > Cc: qemu-devel@nongnu.org; pbonz...@redhat.com; r...@twiddle.net
> > Subject: Re: [PATCH] WHPX fixes an issue with CPUID 1 not returning
> > CPUID_EXT_HYPERVISOR
> > 
> > On Mon, Mar 26, 2018 at 10:06:58AM -0700, Justin Terry (VM) wrote:
> > > Implements the CPUID trap for CPUID 1 to include the
> > > CPUID_EXT_HYPERVISOR flag in the ECX results. This was preventing some
> > > older linux kernels from booting when trying to access MSR's that dont
> > > make sense when virtualized.
> > >
> > > Signed-off-by: Justin Terry (VM) 
> > > ---
> > >  target/i386/whpx-all.c | 79
> > > +-
> > >  1 file changed, 78 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/target/i386/whpx-all.c b/target/i386/whpx-all.c index
> > > bf33d320bf..58435178a4 100644
> > > --- a/target/i386/whpx-all.c
> > > +++ b/target/i386/whpx-all.c
> > > @@ -911,12 +911,62 @@ static int whpx_vcpu_run(CPUState *cpu)
> > >  ret = 1;
> > >  break;
> > >
> > > +case WHvRunVpExitReasonX64Cpuid: {
> > > +WHV_REGISTER_VALUE reg_values[5] = {0};
> > > +WHV_REGISTER_NAME reg_names[5];
> > > +UINT32 reg_count = 5;
> > > +UINT64 rip, rax, rcx, rdx, rbx;
> > > +
> > > +rip = vcpu->exit_ctx.VpContext.Rip +
> > > +  vcpu->exit_ctx.VpContext.InstructionLength;
> > > +switch (vcpu->exit_ctx.CpuidAccess.Rax) {
> > > +case 1:
> > > +rax = vcpu->exit_ctx.CpuidAccess.DefaultResultRax;
> > > +/* Advertise that we are running on a hypervisor */
> > > +rcx =
> > > +vcpu->exit_ctx.CpuidAccess.DefaultResultRcx |
> > > +CPUID_EXT_HYPERVISOR;
> > > +
> > > +rdx = vcpu->exit_ctx.CpuidAccess.DefaultResultRdx;
> > > +rbx = vcpu->exit_ctx.CpuidAccess.DefaultResultRbx;
> > > +break;
> > > +default:
> > > +rax = vcpu->exit_ctx.CpuidAccess.DefaultResultRax;
> > > +rcx = vcpu->exit_ctx.CpuidAccess.DefaultResultRcx;
> > > +rdx = vcpu->exit_ctx.CpuidAccess.DefaultResultRdx;
> > > +rbx = vcpu->exit_ctx.CpuidAccess.DefaultResultRbx;
> > 
> > Interesting, so the WHPX API already tries to provide default values for the
> > CPUID leaves.  Would it make sense to try and use the values returned by
> > cpu_x86_cpuid() in the future?
> > 
> > Is there a way to get the default CPUID results from the WHPX API without
> > calling WHvRunVirtualProcessor(), so QEMU can be aware of what exactly
> > the guest is seeing on CPUID?
> 
> The platform now has two ways to interact with CPUID.
> 
> 1. (As the code is doing now). At partition creation time you
> can register for specific CPUID exits and then respond to the
> CPUID with your custom answer or with the Hypervisor defaults
> that were forwarded to you. Unfortunately, QEMU has no way to
> know the Hypervisor default ahead of time but QEMU can make at
> least make a runtime decision about how to respond.
> 2. At partition creation time the platform allows QEMU to
> inject (set) the default responses for specific CPUID exits.
> This can now be done by setting the  `WHV_X64_CPUID_RESULT` in
> the `CpuidResultList` of `WHV_PARTITION_PROPERTY` to the exit
> values QEMU wants. So effectively you can know the answers
> ahead of time for any that you set but the answers are not
> dynamic.
> 
> The only issues/questions I have there are:
> 
> If we use [1] (like the code is now) I don't see any way to
> keep the exits in cpu_x86_cpuid() matched up with the
> registered exits to WHPX. This means that WHPX would not be
> called in these cases and would instead get the Hypervisor
> default rather than the answer from cpu_x86_cpuid().

I assume you could call cpu_x86_cpuid() on every CPUID exit and
override the hypervisor default completely.  Not a very efficient
solution, but seems simple to implement.

But I'm still not sure if you really want to override the
hypervisor defaults completely (see below).

> 
> If we use [2] to inject the answers at creation time WHPX needs
> access to the CPUX86State at accel init which also doesn't seem
> to be possible in QEMU today. WHPX could basically just call
> cpu_x86_cpuid() for each CPUID QEMU cares about and plumb the
> answer before start. This has the best performance as we avoid
> the additional exits but has an issue in that the results must
> be known ahead of time.

You already have a hook into CPU initialization at
whpx_init_vcpu(), wouldn't it work for you?

> 
> And, we could obviously use a hybrid of the two for cases we
> know. Do you have any ideas that I could try o

Re: [Qemu-devel] [PULL 0/2] M68k for 2.12 patches

[Rob Landley]

On 04/02/2018 02:05 PM, Laurent Vivier wrote:
> Le 02/04/2018 à 20:13, Rob Landley a écrit :
>>> The branch to use is q800-dev
...
>> It booted Linux to a shell prompt, I could wget a file from the internet, and
>> /home had the 2 gigabyte ext3 mount from the virtual block device.
>>
>> I.E. it works for me. Why is it still out of tree?
...
> I have to submit some enhancements in the FPU emulation...
> I have to add some specific m68k hardware emulation...
> but via support should be rewritten...
> I have to update some existing hardware emulation...
...
> So, this only needs some work and time.
10 years ago:

https://lists.gnu.org/archive/html/qemu-devel/2007-10/msg00248.html

6 years ago:

https://lists.gnu.org/archive/html/qemu-devel/2011-08/msg02123.html

> I hope q800 will be available in QEMU 2.13.

Good luck,

Rob

[Qemu-devel] [PATCH] hw/arm: Allow manually specified /psci node

[Andrey Smirnov]

Change the code to avoid exiting QEMU if user provided DTB contains
manually specified /psci node and skip any /psci related fixups
instead.

Fixes: 4cbca7d9b4 ("hw/arm: Move virt's PSCI DT fixup code to
arm/boot.c")

Cc: Peter Maydell 
Cc: Marc Zyngier 
Cc: qemu-devel@nongnu.org
Cc: qemu-...@nongnu.org
Signed-off-by: Andrey Smirnov 
---

Mark:

Sorry about the inconvenience, here's the fix (hopefully) to the
prolem you reported in [1]. Let me know if skipping all PSCI related
DTB fixup if /psic node is present is not the behaviour you had in
mind for your suggested fix.

Thanks,
Andrey Smirnov

[1] http://lists.gnu.org/archive/html/qemu-devel/2018-03/msg06914.html

 hw/arm/boot.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 6d0c92ab88..d9f9375cdb 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -422,6 +422,7 @@ static void fdt_add_psci_node(void *fdt)
 ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
 const char *psci_method;
 int64_t psci_conduit;
+int rc;
 
 psci_conduit = object_property_get_int(OBJECT(armcpu),
"psci-conduit",
@@ -439,6 +440,15 @@ static void fdt_add_psci_node(void *fdt)
 g_assert_not_reached();
 }
 
+/*
+ * If /psci node is present in provided DTB, assume that no fixup
+ * is necessary and all PSCI configuration should be taken as-is
+ */
+rc = fdt_path_offset(fdt, "/psci");
+if (rc >= 0) {
+return;
+}
+
 qemu_fdt_add_subnode(fdt, "/psci");
 if (armcpu->psci_version == 2) {
 const char comp[] = "arm,psci-0.2\0arm,psci";
-- 
2.14.3

Re: [Qemu-devel] [PATCH v2 0/3] Add new CD-ROM related qtests

[Thomas Huth]

On 02.04.2018 21:34, John Snow wrote:
> 
> 
> On 04/02/2018 02:39 PM, Thomas Huth wrote:
>> On 29.03.2018 20:28, John Snow wrote:
>>>
>>>
>>> On 03/16/2018 01:39 AM, Thomas Huth wrote:
 With one of my clean-up patches (see commit 1454509726719e0933c800), I
 recently accidentially broke the "-cdrom" parameter (more precisely
 "-drive if=scsi") on a couple of boards, since there was no error
 detected during the "make check" regression testing. This is clearly an
 indication that we are lacking tests in this area.
 So this small patch series now introduces some tests for CD-ROM drives:
 The first two patches introduce the possibility to check that booting
 from CD-ROM drives still works fine for x86 and s390x, and the third
 patch adds a test that certain machines can at least still be started
 with the "-cdrom" parameter (i.e. that test would have catched the
 mistake that I did with my SCSI cleanup patch).

 v2:
  - Use g_spawn_sync() instead of execlp() to run genisoimage
  - The "-cdrom" parameter test is now run on all architectures (with
machine "none" for the machines that are not explicitly checked)
  - Some rewordings and improved comments here and there

 Thomas Huth (3):
   tests/boot-sector: Add magic bytes to s390x boot code header
   tests/cdrom-test: Test booting from CD-ROM ISO image file
   tests/cdrom-test: Test that -cdrom parameter is working

  tests/Makefile.include |   2 +
  tests/boot-sector.c|   9 +-
  tests/cdrom-test.c | 222 
 +
  3 files changed, 230 insertions(+), 3 deletions(-)
  create mode 100644 tests/cdrom-test.c

>>>
>>> New file, but no edit to MAINTAINERS.
>>
>> Which section do you suggest? It tests IDE CD-ROMs, SCSI CD-ROMs, and
>> even virtio-block (on s390x) ... so I have a hard time to decide where
>> this should belong to...
>>
>>  Thomas
>>
> 
> I was hoping you'd figure it out, but fine :D
> 
> You can stick it under my section if you want, but I'll probably defer
> to you if the s390x parts break.

Ok, thanks. But in the long run, we might even need a generic "QTESTS"
section in the MAINTAINERS file, since most of the qtests are currently
not listed there.
And while we're at it, we should maybe also move the qtests to a
separate folder tests/qtests/ or so, so that it is clearer which of the
tests is a qtest and which are something different.
I'll try to come up with some patches once the hard freeze is over...

 Thomas

Re: [Qemu-devel] [PATCH v2 0/3] Add new CD-ROM related qtests

[John Snow]

On 04/02/2018 02:39 PM, Thomas Huth wrote:
> On 29.03.2018 20:28, John Snow wrote:
>>
>>
>> On 03/16/2018 01:39 AM, Thomas Huth wrote:
>>> With one of my clean-up patches (see commit 1454509726719e0933c800), I
>>> recently accidentially broke the "-cdrom" parameter (more precisely
>>> "-drive if=scsi") on a couple of boards, since there was no error
>>> detected during the "make check" regression testing. This is clearly an
>>> indication that we are lacking tests in this area.
>>> So this small patch series now introduces some tests for CD-ROM drives:
>>> The first two patches introduce the possibility to check that booting
>>> from CD-ROM drives still works fine for x86 and s390x, and the third
>>> patch adds a test that certain machines can at least still be started
>>> with the "-cdrom" parameter (i.e. that test would have catched the
>>> mistake that I did with my SCSI cleanup patch).
>>>
>>> v2:
>>>  - Use g_spawn_sync() instead of execlp() to run genisoimage
>>>  - The "-cdrom" parameter test is now run on all architectures (with
>>>machine "none" for the machines that are not explicitly checked)
>>>  - Some rewordings and improved comments here and there
>>>
>>> Thomas Huth (3):
>>>   tests/boot-sector: Add magic bytes to s390x boot code header
>>>   tests/cdrom-test: Test booting from CD-ROM ISO image file
>>>   tests/cdrom-test: Test that -cdrom parameter is working
>>>
>>>  tests/Makefile.include |   2 +
>>>  tests/boot-sector.c|   9 +-
>>>  tests/cdrom-test.c | 222 
>>> +
>>>  3 files changed, 230 insertions(+), 3 deletions(-)
>>>  create mode 100644 tests/cdrom-test.c
>>>
>>
>> New file, but no edit to MAINTAINERS.
> 
> Which section do you suggest? It tests IDE CD-ROMs, SCSI CD-ROMs, and
> even virtio-block (on s390x) ... so I have a hard time to decide where
> this should belong to...
> 
>  Thomas
> 

I was hoping you'd figure it out, but fine :D

You can stick it under my section if you want, but I'll probably defer
to you if the s390x parts break.

--js

Re: [Qemu-devel] [PULL 0/2] M68k for 2.12 patches

[Laurent Vivier]

Le 02/04/2018 à 20:13, Rob Landley a écrit :
> On 03/30/2018 12:00 PM, Laurent Vivier wrote:
>> Le 30/03/2018 à 18:54, Rob Landley a écrit :
>>> On 03/20/2018 04:08 AM, Laurent Vivier wrote:> This series of patches is 
>>> needed
>>> to fix a problem
 in the m68k translator that can crash QEMU when translation
 cache has too many instructions:

   qemu-m68k: tcg/tcg.c:883: tcg_temp_alloc: Assertion `n < 512' failed.
   qemu: uncaught target signal 11 (Segmentation fault) - core dumped

 I have reproduced it in linux user mode, with "ghc", and in
 system mode with the debian-installer for unstable distro
 from debian-ports.
>>>
>>> If someone wanted to follow along with your "boot linux on qemu-system-m68k"
>>> work on https://github.com/vivier/qemu-m68k, which of the 51 branches should
>>> qemu-system-m68k with like -M q800 or whatever you had working be built 
>>> from?
>>
>> The branch to use is q800-dev
> 
> There isn't any m68k support in musl-libc yet, so I grabbed my old
> https://github.com/landley/aboriginal project, did a "./build.sh m68k", built
> your q800-dev branch, added the m68k-softmmu from that to the start of the
> $PATH, and ran "more/dev-environment-from-build.sh m68k".
> 
> It booted Linux to a shell prompt, I could wget a file from the internet, and
> /home had the 2 gigabyte ext3 mount from the virtual block device.
> 
> I.E. it works for me. Why is it still out of tree?

Remaining patches need some cleanup before being submitted.

I have to submit some enhancements in the FPU emulation, but as they
modify fpu/softfloat.c, I don't want to put them as is in an m68k pull-req:

target/m68k: manage FPU exceptions
softfloat: define floatx80_is_any_nan for m68k
softfloat: disable floatx80_invalid_encoding() for m68k

I have to add some specific m68k hardware emulation:

m68k: add via support
m68k: add video card
q800: Apple Sound Chip (ASC) emulation
q800: add Nubus support
q800: add a dummy SWIM floppy controller
m68k: define Macintosh Quadra 800

but via support should be rewritten as Mark has introduced a new generic
mos6522 VIA device.

I have to update some existing hardware emulation:

ESP: add pseudo-DMA as used by Macintosh
escc: introduce a selector for the register bit
dp8393x: fix receiving buffer exhaustion
dp8393x: put DMA temp buffer in the state, not in the stack
dp8393x: manage big endian bus
dp8393x: fix dp8393x_receive

So, this only needs some work and time. I hope q800 will be available in
QEMU 2.13.

Thanks,
Laurent

Re: [Qemu-devel] [PATCH v2 0/3] Add new CD-ROM related qtests

[Thomas Huth]

On 29.03.2018 20:28, John Snow wrote:
> 
> 
> On 03/16/2018 01:39 AM, Thomas Huth wrote:
>> With one of my clean-up patches (see commit 1454509726719e0933c800), I
>> recently accidentially broke the "-cdrom" parameter (more precisely
>> "-drive if=scsi") on a couple of boards, since there was no error
>> detected during the "make check" regression testing. This is clearly an
>> indication that we are lacking tests in this area.
>> So this small patch series now introduces some tests for CD-ROM drives:
>> The first two patches introduce the possibility to check that booting
>> from CD-ROM drives still works fine for x86 and s390x, and the third
>> patch adds a test that certain machines can at least still be started
>> with the "-cdrom" parameter (i.e. that test would have catched the
>> mistake that I did with my SCSI cleanup patch).
>>
>> v2:
>>  - Use g_spawn_sync() instead of execlp() to run genisoimage
>>  - The "-cdrom" parameter test is now run on all architectures (with
>>machine "none" for the machines that are not explicitly checked)
>>  - Some rewordings and improved comments here and there
>>
>> Thomas Huth (3):
>>   tests/boot-sector: Add magic bytes to s390x boot code header
>>   tests/cdrom-test: Test booting from CD-ROM ISO image file
>>   tests/cdrom-test: Test that -cdrom parameter is working
>>
>>  tests/Makefile.include |   2 +
>>  tests/boot-sector.c|   9 +-
>>  tests/cdrom-test.c | 222 
>> +
>>  3 files changed, 230 insertions(+), 3 deletions(-)
>>  create mode 100644 tests/cdrom-test.c
>>
> 
> New file, but no edit to MAINTAINERS.

Which section do you suggest? It tests IDE CD-ROMs, SCSI CD-ROMs, and
even virtio-block (on s390x) ... so I have a hard time to decide where
this should belong to...

 Thomas

Re: [Qemu-devel] [PATCH v3 4/7] s390x/kvm: interface to interpret AP instructions

[Tony Krowiak]

On 03/26/2018 04:38 AM, David Hildenbrand wrote:

On 16.03.2018 00:24, Tony Krowiak wrote:

The VFIO AP device exploits interpretive execution of AP
instructions (APIE). APIE is enabled by setting a device attribute
via the KVM_SET_DEVICE_ATTR ioctl.

Signed-off-by: Tony Krowiak 
---
  target/s390x/kvm.c   |   16 
  target/s390x/kvm_s390x.h |2 ++
  2 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index 33e5ec3..2812e28 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -277,6 +277,22 @@ static void kvm_s390_init_dea_kw(void)
  }
  }
  
+int kvm_s390_set_interpret_ap(uint8_t enable)

+{
+struct kvm_device_attr attribute = {
+.group = KVM_S390_VM_CRYPTO,
+.attr  = KVM_S390_VM_CRYPTO_INTERPRET_AP,
+.addr = 1,
+};
+
+if (!kvm_vm_check_attr(kvm_state, KVM_S390_VM_CRYPTO,
+   KVM_S390_VM_CRYPTO_INTERPRET_AP)) {
+return -EOPNOTSUPP;
+}
+
+return kvm_vm_ioctl(kvm_state, KVM_SET_DEVICE_ATTR, &attribute);
+}
+
  void kvm_s390_crypto_reset(void)
  {
  if (s390_has_feat(S390_FEAT_MSA_EXT_3)) {
diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
index 34ee7e7..0d6c6e7 100644
--- a/target/s390x/kvm_s390x.h
+++ b/target/s390x/kvm_s390x.h
@@ -40,4 +40,6 @@ void kvm_s390_crypto_reset(void);
  void kvm_s390_restart_interrupt(S390CPU *cpu);
  void kvm_s390_stop_interrupt(S390CPU *cpu);
  
+int kvm_s390_set_interpret_ap(uint8_t enable);

+
  #endif /* KVM_S390X_H */


Wonder if a capability - like we use e.g. for SIGP user space
interpretation - would be a better fit.

We can provide the AP feature to the guest in case:
- KVM_S390_VM_CPU_FEAT_AP ("interpretation support") is available
- KVM_S390_VM_CRYPTO_INTERPRET_AP ("interception support") is available

I don't think we need this. I have found a way to set ECA_APIE from the
vfio_ap device driver, so there is no need to do it from the guest. Stay
tuned to this station for v4 of the patch series.


I am missing the second check in your code. (for now you only rely on
KVM_S390_VM_CPU_FEAT_AP)

For what else are you suggesting we need to check?


I think you have to change the order of the patches so they work also
properly when bisectin.

I'll take a look at it.

Re: [Qemu-devel] [PULL 0/2] M68k for 2.12 patches

[Rob Landley]

On 03/30/2018 12:00 PM, Laurent Vivier wrote:
> Le 30/03/2018 à 18:54, Rob Landley a écrit :
>> On 03/20/2018 04:08 AM, Laurent Vivier wrote:> This series of patches is 
>> needed
>> to fix a problem
>>> in the m68k translator that can crash QEMU when translation
>>> cache has too many instructions:
>>>
>>>   qemu-m68k: tcg/tcg.c:883: tcg_temp_alloc: Assertion `n < 512' failed.
>>>   qemu: uncaught target signal 11 (Segmentation fault) - core dumped
>>>
>>> I have reproduced it in linux user mode, with "ghc", and in
>>> system mode with the debian-installer for unstable distro
>>> from debian-ports.
>>
>> If someone wanted to follow along with your "boot linux on qemu-system-m68k"
>> work on https://github.com/vivier/qemu-m68k, which of the 51 branches should
>> qemu-system-m68k with like -M q800 or whatever you had working be built from?
> 
> The branch to use is q800-dev

There isn't any m68k support in musl-libc yet, so I grabbed my old
https://github.com/landley/aboriginal project, did a "./build.sh m68k", built
your q800-dev branch, added the m68k-softmmu from that to the start of the
$PATH, and ran "more/dev-environment-from-build.sh m68k".

It booted Linux to a shell prompt, I could wget a file from the internet, and
/home had the 2 gigabyte ext3 mount from the virtual block device.

I.E. it works for me. Why is it still out of tree?

Rob

[Qemu-devel] [PULL 8/8] target/xtensa: linux-user: fix fadvise64 call

[Max Filippov]

fadvise64_64 on xtensa passes advice as the second argument and so must
be handled similar to PPC.

This fixes glibc testsuite tests posix/tst-posix_fadvise and
posix/tst-posix_fadvise64.

Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 924fd68efcdd..5ef517613577 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11509,7 +11509,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
arg1,
 
 #ifdef TARGET_NR_fadvise64_64
 case TARGET_NR_fadvise64_64:
-#if defined(TARGET_PPC)
+#if defined(TARGET_PPC) || defined(TARGET_XTENSA)
 /* 6 args: fd, advice, offset (high, low), len (high, low) */
 ret = arg2;
 arg2 = arg3;
-- 
2.11.0

[Qemu-devel] [PULL 4/8] linux-user: fix mq_getsetattr implementation

[Max Filippov]

mq_getsetattr implementation does not set errno correctly in case of
error. Also in the presence of both 2nd and 3rd arguments it calls both
mq_getattr and mq_setattr, whereas only the latter call would suffice.

Don't call mq_getattr in the presence of the 2nd argument. Don't copy
output back to user in case of error. Use get_errno to set errno value.

This fixes test rt/tst-mqueue2 from the glibc testsuite.

Cc: Lionel Landwerlin 
Cc: Kirill A. Shutemov 
Cc: Riku Voipio 
Cc: Aurelien Jarno 
Cc: Laurent Vivier 
Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/syscall.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 18ea79140f16..d51e2a00ee31 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -12092,15 +12092,16 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
arg1,
 {
 struct mq_attr posix_mq_attr_in, posix_mq_attr_out;
 ret = 0;
-if (arg3 != 0) {
-ret = mq_getattr(arg1, &posix_mq_attr_out);
-copy_to_user_mq_attr(arg3, &posix_mq_attr_out);
-}
 if (arg2 != 0) {
 copy_from_user_mq_attr(&posix_mq_attr_in, arg2);
-ret |= mq_setattr(arg1, &posix_mq_attr_in, &posix_mq_attr_out);
+ret = get_errno(mq_setattr(arg1, &posix_mq_attr_in,
+   &posix_mq_attr_out));
+} else if (arg3 != 0) {
+ret = get_errno(mq_getattr(arg1, &posix_mq_attr_out));
+}
+if (ret == 0 && arg3 != 0) {
+copy_to_user_mq_attr(arg3, &posix_mq_attr_out);
 }
-
 }
 break;
 #endif
-- 
2.11.0

[Qemu-devel] [PULL 7/8] linux-user: implement clock_settime

[Max Filippov]

This fixes glibc testsuite test rt/tst-clock2.

Signed-off-by: Max Filippov 
---
 linux-user/syscall.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 52e2f9c16479..924fd68efcdd 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11878,6 +11878,18 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
arg1,
 goto unimplemented_nowarn;
 #endif
 
+#ifdef TARGET_NR_clock_settime
+case TARGET_NR_clock_settime:
+{
+struct timespec ts;
+
+ret = target_to_host_timespec(&ts, arg2);
+if (!is_error(ret)) {
+ret = get_errno(clock_settime(arg1, &ts));
+}
+break;
+}
+#endif
 #ifdef TARGET_NR_clock_gettime
 case TARGET_NR_clock_gettime:
 {
-- 
2.11.0

[Qemu-devel] [PULL 2/8] target/xtensa: linux-user: rewind pc for restarted syscall

[Max Filippov]

In case of syscall restart request set pc back to the syscall
instruction.

Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux-user/main.c b/linux-user/main.c
index ba09b7d0c873..8907a8411411 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -4006,6 +4006,9 @@ void cpu_loop(CPUXtensaState *env)
 break;
 
 case -TARGET_ERESTARTSYS:
+env->pc -= 3;
+break;
+
 case -TARGET_QEMU_ESIGRETURN:
 break;
 }
-- 
2.11.0

[Qemu-devel] [PULL 5/8] target/xtensa: linux-user: fix sysv IPC structures

[Max Filippov]

- make target_ipc_perm fields match kernel definitions for xtensa;
- add target_semid64_ds with proper order of times and reserved fields
  for little/big endian specific for xtensa;
- add missing reserved fields after time fields to the target_shmid_ds;
- fix types of shm_cpid, shm_lpid and shm_nattch fields of
  target_shmid_ds to match kernel definitions for xtensa.

These changes fix guest ipcs output and fix glibc testsuite tests
sysvipc/test-sysvsem and sysvipc/test-sysvshm.

Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/xtensa/target_structs.h | 37 ++---
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/linux-user/xtensa/target_structs.h 
b/linux-user/xtensa/target_structs.h
index 020e20e242fc..1b3d9ca314ff 100644
--- a/linux-user/xtensa/target_structs.h
+++ b/linux-user/xtensa/target_structs.h
@@ -8,21 +8,44 @@ struct target_ipc_perm {
 abi_uint cuid;  /* Creator's user ID.  */
 abi_uint cgid;  /* Creator's group ID.  */
 abi_uint mode;  /* Read/write permission.  */
-abi_ushort __seq;   /* Sequence number.  */
+abi_ulong __seq;/* Sequence number.  */
+abi_ulong __unused1;
+abi_ulong __unused2;
+};
+
+struct target_semid64_ds {
+  struct target_ipc_perm sem_perm;
+#ifdef TARGET_WORDS_BIGENDIAN
+  abi_ulong __unused1;
+  abi_ulong sem_otime;
+  abi_ulong __unused2;
+  abi_ulong sem_ctime;
+#else
+  abi_ulong sem_otime;
+  abi_ulong __unused1;
+  abi_ulong sem_ctime;
+  abi_ulong __unused2;
+#endif
+  abi_ulong sem_nsems;
+  abi_ulong __unused3;
+  abi_ulong __unused4;
 };
+#define TARGET_SEMID64_DS
 
 struct target_shmid_ds {
 struct target_ipc_perm shm_perm;/* operation permission struct */
-abi_int shm_segsz;  /* size of segment in bytes */
+abi_long shm_segsz; /* size of segment in bytes */
 abi_long shm_atime; /* time of last shmat() */
+abi_ulong __unused1;
 abi_long shm_dtime; /* time of last shmdt() */
-abi_long shm_ctime; /* time of last change by shmctl() */
-abi_ushort shm_cpid;/* pid of creator */
-abi_ushort shm_lpid;/* pid of last shmop */
-abi_ushort shm_nattch;  /* number of current attaches */
-abi_ushort shm_unused;  /* compatibility */
 abi_ulong __unused2;
+abi_long shm_ctime; /* time of last change by shmctl() */
 abi_ulong __unused3;
+abi_uint shm_cpid;  /* pid of creator */
+abi_uint shm_lpid;  /* pid of last shmop */
+abi_ulong shm_nattch;   /* number of current attaches */
+abi_ulong __unused4;
+abi_ulong __unused5;
 };
 
 #endif
-- 
2.11.0

[Qemu-devel] [PULL 1/8] target/xtensa: fix flush_window_regs

[Max Filippov]

flush_window_regs uses wrong stack frame to save overflow registers in
call8 and call12 frames, which results in wrong register values in
callers of a function that received a signal.
Reimplement flush_window_regs closely following window overflow
sequence.

Signed-off-by: Max Filippov 
---
 linux-user/signal.c | 55 +++--
 1 file changed, 24 insertions(+), 31 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 2ea3e0321f4d..33d5ced30c98 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -7094,52 +7094,45 @@ static abi_ulong get_sigframe(struct target_sigaction 
*sa,
 
 static int flush_window_regs(CPUXtensaState *env)
 {
-const uint32_t nareg_mask = env->config->nareg - 1;
 uint32_t wb = env->sregs[WINDOW_BASE];
-uint32_t ws = (xtensa_replicate_windowstart(env) >> (wb + 1)) &
-((1 << env->config->nareg / 4) - 1);
-uint32_t d = ctz32(ws) + 1;
-uint32_t sp;
-abi_long ret = 0;
-
-wb += d;
-ws >>= d;
+uint32_t ws = xtensa_replicate_windowstart(env) >> (wb + 1);
+unsigned d = ctz32(ws) + 1;
+unsigned i;
+int ret = 0;
 
-xtensa_sync_phys_from_window(env);
-sp = env->phys_regs[(wb * 4 + 1) & nareg_mask];
+for (i = d; i < env->config->nareg / 4; i += d) {
+uint32_t ssp, osp;
+unsigned j;
 
-while (ws && ret == 0) {
-int d;
-int i;
-int idx;
+ws >>= d;
+xtensa_rotate_window(env, d);
 
 if (ws & 0x1) {
-ws >>= 1;
+ssp = env->regs[5];
 d = 1;
 } else if (ws & 0x2) {
-ws >>= 2;
+ssp = env->regs[9];
+ret |= get_user_ual(osp, env->regs[1] - 12);
+osp -= 32;
 d = 2;
-for (i = 0; i < 4; ++i) {
-idx = (wb * 4 + 4 + i) & nareg_mask;
-ret |= put_user_ual(env->phys_regs[idx], sp + (i - 12) * 4);
-}
 } else if (ws & 0x4) {
-ws >>= 3;
+ssp = env->regs[13];
+ret |= get_user_ual(osp, env->regs[1] - 12);
+osp -= 48;
 d = 3;
-for (i = 0; i < 8; ++i) {
-idx = (wb * 4 + 4 + i) & nareg_mask;
-ret |= put_user_ual(env->phys_regs[idx], sp + (i - 16) * 4);
-}
 } else {
 g_assert_not_reached();
 }
-sp = env->phys_regs[((wb + d) * 4 + 1) & nareg_mask];
-for (i = 0; i < 4; ++i) {
-idx = (wb * 4 + i) & nareg_mask;
-ret |= put_user_ual(env->phys_regs[idx], sp + (i - 4) * 4);
+
+for (j = 0; j < 4; ++j) {
+ret |= put_user_ual(env->regs[j], ssp - 16 + j * 4);
+}
+for (j = 4; j < d * 4; ++j) {
+ret |= put_user_ual(env->regs[j], osp - 16 + j * 4);
 }
-wb += d;
 }
+xtensa_rotate_window(env, d);
+g_assert(env->sregs[WINDOW_BASE] == wb);
 return ret == 0;
 }
 
-- 
2.11.0

[Qemu-devel] [PULL 0/8] xtensa-specific and generic fixes for linux-user

[Max Filippov]

Hi Peter,

please pull the following batch of linux-user fixes for 2.12.

The following changes since commit dfe732fb68ef9195517f4f380a477d58a054edc1:

  Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging (2018-03-27 16:25:12 +0100)

are available in the git repository at:

  git://github.com/OSLL/qemu-xtensa.git tags/20180402-xtensa

for you to fetch changes up to 64a563dd8dd6ca2661d96a2e4b69f0a5465cab94:

  target/xtensa: linux-user: fix fadvise64 call (2018-04-02 04:15:35 -0700)


xtensa-specific fixes for linux-user:

- fix flushing registers for signal processing in call8 and call12 frames;
- fix PC value for restarted syscalls;
- fix sysv IPC structures;
- fix fadvise64 syscall;

generic fixes for linux-user:

- fix QEMU assertion in multithreaded application by calling cpu_copy
  under clone_lock;
- fix mq_getsetattr implementation;
- fix error propagation in clock_gettime;
- implement clock_settime.


Max Filippov (8):
  target/xtensa: fix flush_window_regs
  target/xtensa: linux-user: rewind pc for restarted syscall
  linux-user: call cpu_copy under clone_lock
  linux-user: fix mq_getsetattr implementation
  target/xtensa: linux-user: fix sysv IPC structures
  linux-user: fix error propagation in clock_gettime
  linux-user: implement clock_settime
  target/xtensa: linux-user: fix fadvise64 call

 linux-user/main.c  |  3 +++
 linux-user/signal.c| 55 +-
 linux-user/syscall.c   | 36 +
 linux-user/xtensa/target_structs.h | 37 -
 4 files changed, 82 insertions(+), 49 deletions(-)

-- 
Thanks.
-- Max

[Qemu-devel] [PULL 6/8] linux-user: fix error propagation in clock_gettime

[Max Filippov]

host_to_target_timespec may return error if target address could not be
locked, but it is ignored.
Propagate return value of host_to_target_timespec to the caller of
clock_gettime.

Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index d51e2a00ee31..52e2f9c16479 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11884,7 +11884,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
arg1,
 struct timespec ts;
 ret = get_errno(clock_gettime(arg1, &ts));
 if (!is_error(ret)) {
-host_to_target_timespec(arg2, &ts);
+ret = host_to_target_timespec(arg2, &ts);
 }
 break;
 }
-- 
2.11.0

[Qemu-devel] [PULL 3/8] linux-user: call cpu_copy under clone_lock

[Max Filippov]

cpu_copy adds newly created CPU object to container/machine/unattached,
but does it w/o proper locking. As a result when multiple threads create
threads rapidly QEMU may abort with the following message:

  GLib-CRITICAL **: g_hash_table_iter_next: assertion
  'ri->version == ri->hash_table->version' failed

  ERROR:qemu/qom/object.c:1663:object_get_canonical_path_component:
  code should not be reached

E.g. this issue is observed when running glibc test nptl/tst-eintr1.
Move cpu_copy invocation under clone_lock to fix that.

Reviewed-by: Laurent Vivier 
Signed-off-by: Max Filippov 
---
 linux-user/syscall.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 889abbda1e65..18ea79140f16 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6346,6 +6346,10 @@ static int do_fork(CPUArchState *env, unsigned int 
flags, abi_ulong newsp,
 
 ts = g_new0(TaskState, 1);
 init_task_state(ts);
+
+/* Grab a mutex so that thread setup appears atomic.  */
+pthread_mutex_lock(&clone_lock);
+
 /* we create a new CPU instance. */
 new_env = cpu_copy(env);
 /* Init regs that differ from the parent.  */
@@ -6364,9 +6368,6 @@ static int do_fork(CPUArchState *env, unsigned int flags, 
abi_ulong newsp,
 cpu_set_tls (new_env, newtls);
 }
 
-/* Grab a mutex so that thread setup appears atomic.  */
-pthread_mutex_lock(&clone_lock);
-
 memset(&info, 0, sizeof(info));
 pthread_mutex_init(&info.mutex, NULL);
 pthread_mutex_lock(&info.mutex);
-- 
2.11.0

Re: [Qemu-devel] [PATCH v3 5/7] s390x/vfio: ap: Introduce VFIO AP device

[Tony Krowiak]

On 03/27/2018 08:02 AM, Cornelia Huck wrote:

On Fri, 16 Mar 2018 14:22:52 +0100
Halil Pasic  wrote:


On 03/16/2018 11:42 AM, Pierre Morel wrote:

On 16/03/2018 00:24, Tony Krowiak wrote:

Introduces a VFIO based AP device. The device is defined via
the QEMU command line by specifying:

  -device vfio-ap,sysfsdev=

The mediated matrix device is created by the VFIO AP device
driver by writing a UUID to a sysfs attribute file (see
docs/vfio-ap.txt). The mediated matrix device will be named
after the UUID. Symbolic links to the $uuid are created in
many places, so the path to the mediated matrix device $uuid
can be specified in any of the following ways:

/sys/devices/vfio_ap/matrix/$uuid
/sys/devices/vfio_ap/matrix/mdev_supported_types/vfio_ap-passthrough/devices/$uuid
/sys/bus/mdev/devices/$uuid
/sys/bus/mdev/drivers/vfio_mdev/$uuid

When the vfio-ap device is realized, it acquires and opens the
VFIO iommu group to which the mediated matrix device is
bound. This causes a VFIO group notification event to be
signaled. The vfio_ap device driver's group notification
handler will get called at which time the device driver
will configure the the AP devices to which the guest will
be granted access.

Signed-off-by: Tony Krowiak 
---

[..]

+static void vfio_ap_realize(DeviceState *dev, Error **errp)
+{
+VFIODevice *vbasedev;
+VFIOGroup *vfio_group;
+APDevice *apdev = DO_UPCAST(APDevice, parent_obj, dev);
+VFIOAPDevice *vapdev = DO_UPCAST(VFIOAPDevice, apdev, apdev);
+char *mdevid;
+Error *local_err = NULL;
+int ret;
+
+if (!s390_has_feat(S390_FEAT_AP)) {
+error_setg(&local_err, "AP support not enabled");
+goto out_err;
+}
+
+ret = kvm_s390_set_interpret_ap(1);

If we have several devices, this is called once per device.

I don't think having several of these in a single vm makes
any sense. Or does it? IMHO we should make sure there is at
most one device taking care of the crypto pass-through.

Yes, I think we should fence off adding a second device in the realize
function (probably by checking a global variable?)

I agree, will do.

Re: [Qemu-devel] [PATCH v3 7/7] s390: doc: detailed specifications for AP virtualization

[Tony Krowiak]

On 03/16/2018 06:03 AM, Pierre Morel wrote:

On 16/03/2018 00:25, Tony Krowiak wrote:

This patch provides documentation describing the AP architecture and
design concepts behind the virtualization of AP devices. It also
includes an example of how to configure AP devices for exclusive
use of KVM guests.

Signed-off-by: Tony Krowiak 
---
  docs/vfio-ap.txt |  624 
++

  1 files changed, 624 insertions(+), 0 deletions(-)
  create mode 100644 docs/vfio-ap.txt

diff --git a/docs/vfio-ap.txt b/docs/vfio-ap.txt
new file mode 100644
index 000..54e7523
--- /dev/null
+++ b/docs/vfio-ap.txt
@@ -0,0 +1,624 @@
+Adjunct Processor (AP) Device
+=
+
+Contents:
+=
+* Introduction
+* AP Architectural Overview
+* Start Interpretive Execution (SIE) Instruction
+* AP Matrix Configuration on Linux Host
+* AP Matrix Configuration for a Linux Guest
+* Starting a Linux Guest Configured with an AP Matrix
+* Example: Configure AP Matrices for Two Linux Guests
+
+Introduction:
+
+The IBM Adjunct Processor (AP) Cryptographic Facility is comprised
+of three AP instructions and from 1 to 256 PCIe cryptographic 
adapter cards.
+These AP devices provide cryptographic functions to all CPUs 
assigned to a

+linux system running in an IBM Z system LPAR.
+
+On s390x, AP adapter cards are exposed via the AP bus. This document
+describes how those cards may be made available to KVM guests using the
+VFIO mediated device framework.
+
+AP Architectural Overview:
+=
+In order understand the terminology used in the rest of this 
document, let's

+start with some definitions:
+
+* AP adapter
+
+  An AP adapter is an IBM Z adapter card that can perform cryptographic
+  functions. There can be from 0 to 256 adapters assigned to an 
LPAR. Adapters
+  assigned to the LPAR in which a linux host is running will be 
available to
+  the linux host. Each adapter is identified by a number from 0 to 
255. When
+  installed, an AP adapter is accessed by AP instructions executed 
by any CPU.

+
+* AP domain
+
+  An adapter is partitioned into domains. Each domain can be thought 
of as
+  a set of hardware registers for processing AP instructions. An 
adapter can
+  hold up to 256 domains. Each domain is identified by a number from 
0 to 255.

+  Domains can be further classified into two types:
+
+* Usage domains are domains that can be accessed directly to 
process AP

+  commands
+
+* Control domains are domains that are accessed indirectly by AP
+  commands sent to a usage domain to control or change the 
domain, for

+  example; to set a secure private key for the domain.
+
+* AP Queue
+
+  An AP queue is the means by which an AP command-request message is 
sent to an
+  AP usage domain inside a specific AP. An AP queue is identified by 
a tuple
+  comprised of an AP adapter ID (APID) and an AP queue index (APQI). 
The
+  APQI corresponds to a given usage domain number within the 
adapter. This tuple

+  forms an AP Queue Number (APQN) uniquely identifying an AP queue. AP
+  instructions include a field containing the APQN to identify the 
AP queue to

+  which the AP command-request message is to be sent for processing.
+
+* AP Instructions:
+
+  There are three AP instructions:
+
+  * NQAP: to enqueue an AP command-request message to a queue
+  * DQAP: to dequeue an AP command-reply message from a queue
+  * PQAP: to administer the queues
+
+Start Interpretive Execution (SIE) Instruction
+==
+A KVM guest is started by executing the Start Interpretive Execution 
(SIE)
+instruction. The SIE state description is a control block that 
contains the

+state information for a KVM guest and is supplied as input to the SIE
+instruction. The SIE state description contains a field that references
+a Crypto Control Block (CRYCB). The CRYCB contains three fields to 
identify the

+adapters, usage domains and control domains assigned to the KVM guest:
+
+* The AP Mask (APM) field is a bit mask that identifies the AP 
adapters assigned
+  to the KVM guest. Each bit in the mask, from most significant to 
least
+  significant bit, corresponds to an APID from 0-255. If a bit is 
set, the

+  corresponding adapter is valid for use by the KVM guest.
+
+* The AP Queue Mask (AQM) field is a bit mask identifying the AP 
queues assigned
+  to the KVM guest. Each bit in the mask, from most significant to 
least
+  significant bit, corresponds to an AP queue index (APQI) from 
0-255. If a bit

+  is set, the corresponding queue is valid for use by the KVM guest.
+
+* The AP Domain Mask field is a bit mask that identifies the AP 
control domains
+  assigned to the KVM guest. The ADM bit mask controls which domains 
can be
+  changed by an AP command-request message sent to a usage domain 
from the
+  guest. Each bit in the mask, from least significant to most 
significant bit,
+  corresponds t

Re: [Qemu-devel] [PATCH v3 6/7] s390x/kvm: handle AP instruction interception

[Tony Krowiak]

On 03/26/2018 08:01 AM, Halil Pasic wrote:


On 03/26/2018 11:03 AM, Pierre Morel wrote:

+int ap_device_handle_pqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+int fc = 4 & (env->regs[0] >> 24);
+
+/*
+ * The Query Configuration Information (QCI) function (fc == 4) does not
+ * set a response code in reg 1, so check for that along with the
+ * AP feature.
+ */
+if ((fc != 4) && s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}

This would imply an operation exception in case fc==4, which sounds very
wrong.

Yes, operation exception is a wrong response under the condition
(fc == 4) && s390_has_feat(S390_FEAT_AP).

See my response to Pierre:
Message ID: <0b957a5c-1a87-7952-292d-f65052bb6...@linux.vnet.ibm.com>


@David:
FYI Tony is likely to respond after Wednesday as he is on vacation right
now.


It depends but I think that the S390_FEAT_AP_QUERY_CONFIG_INFO must be tested
to know what to answer.
If the feature is there, QCI must be answered correctly.

there are also some error situations to handle in all three functions.


I agree.

Regards,
Halil

Re: [Qemu-devel] [PATCH v3 6/7] s390x/kvm: handle AP instruction interception

[Tony Krowiak]

On 03/26/2018 05:03 AM, Pierre Morel wrote:

On 26/03/2018 10:32, David Hildenbrand wrote:

On 16.03.2018 00:24, Tony Krowiak wrote:

If the CPU model indicates that AP facility is installed on
the guest (i.e., -cpu ,ap=on), then the expectation is that
the AP bus running in the guest will initialize; however, if the
AP instructions are not being interpreted by the firmware, then
they will be intercepted and routed back to QEMU for handling.
If a handler is not defined to process the intercepted instruciton,
t

...snip...



+int ap_device_handle_nqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+
+if (s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}
+
+return -EOPNOTSUPP;
+}
+
+int ap_device_handle_dqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+
+if (s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}
+
+return -EOPNOTSUPP;
+}
+
+int ap_device_handle_pqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+int fc = 4 & (env->regs[0] >> 24);
+
+/*
+ * The Query Configuration Information (QCI) function (fc == 4) 
does not

+ * set a response code in reg 1, so check for that along with the
+ * AP feature.
+ */
+if ((fc != 4) && s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}

This would imply an operation exception in case fc==4, which sounds very
wrong.


It depends but I think that the S390_FEAT_AP_QUERY_CONFIG_INFO must be 
tested

to know what to answer.
If the feature is there, QCI must be answered correctly.
This is an interesting proposition which raises several issues that will 
need to
be addressed. The only time the PQAP(QCI) instruction is intercepted is 
when:
* A vfio-ap device is NOT defined for the guest because the vfio_ap 
device driver

  will set ECA.28 and the PQAP(QCI) instruction will be interpreted
* STFLE.12 is set for the guest

You say that the QCI must be answered correctly, but what is the correct 
response?
If we return the matrix - i.e., APM, ADM and AQM - configured via the 
mediated
matrix device's sysfs attributes files, then if any APQNs are defined in 
the matrix,
we will have to handle *ALL* AP instructions by executing them on behalf 
of the
guest. I suppose we could return an empty matrix in which case the AP 
bus will come
up without any devices on the guest, but what is the expectation of an 
admin who
deliberately configures the mediated matrix device? Should we forego 
handling interception
of AP instructions and consider a guest configuration that turns on 
S390_FEAT_AP but
does not define a vfio-ap device to be erroneous and terminate starting 
of the guest?

Anybody have any thoughts?



there are also some error situations to handle in all three functions.

To what error situations are you referring?






Hard to review without access to documentation. (hard to understand why
such stuff is to be kept confidential for decades)


+
+return -EOPNOTSUPP;
+}
+
  static Property vfio_ap_properties[] = {
  DEFINE_PROP_STRING("sysfsdev", VFIOAPDevice, vdev.sysfsdev),
  DEFINE_PROP_END_OF_LIST(),
diff --git a/include/hw/s390x/ap-device.h 
b/include/hw/s390x/ap-device.h

index 693df90..d45ae38 100644
--- a/include/hw/s390x/ap-device.h
+++ b/include/hw/s390x/ap-device.h
@@ -11,6 +11,8 @@
  #ifndef HW_S390X_AP_DEVICE_H
  #define HW_S390X_AP_DEVICE_H

Re: [Qemu-devel] [PULL 0/2] Ide patches

[John Snow]

On 03/31/2018 03:08 AM, no-re...@patchew.org wrote:
> Hi,
> 
> This series failed docker-build@min-glib build test. Please find the testing 
> commands and
> their output below. If you have Docker installed, you can probably reproduce 
> it
> locally.
> 
> Type: series
> Message-id: 20180327045646.21112-1-js...@redhat.com
> Subject: [Qemu-devel] [PULL 0/2] Ide patches
> 
> === TEST SCRIPT BEGIN ===
> #!/bin/bash
> set -e
> git submodule update --init dtc
> # Let docker tests dump environment info
> export SHOW_ENV=1
> export J=8
> time make docker-test-build@min-glib
> === TEST SCRIPT END ===
> 
> Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
> Switched to a new branch 'test'
> 49a0f26939 Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20180328' 
> into staging
> a60769352d tcg: Mark muluh_i64 and mulsh_i64 as 64-bit ops
> 
> === OUTPUT BEGIN ===
> Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
> Cloning into '/var/tmp/patchew-tester-tmp-vi1_8690/src/dtc'...
> Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
>   BUILD   min-glib
> make[1]: Entering directory '/var/tmp/patchew-tester-tmp-vi1_8690/src'
>   GEN 
> /var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar
> Cloning into 
> '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot'...
> done.
> Your branch is up-to-date with 'origin/test'.
> Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
> Cloning into 
> '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot/dtc'...
> Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
> Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
> for path 'ui/keycodemapdb'
> Cloning into 
> '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar.vroot/ui/keycodemapdb'...
> Submodule path 'ui/keycodemapdb': checked out 
> '6b3d716e2b6472eb7189d3220552280ef3d832ce'
> tar: 
> /var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023/qemu.tar:
>  Wrote only 2048 of 10240 bytes
> tar: Error is not recoverable: exiting now
> failed to create tar file
>   COPYRUNNER
> RUN test-build in qemu:min-glib 
> tar: Unexpected EOF in archive
> tar: Unexpected EOF in archive
> tar: Error is not recoverable: exiting now
> /var/tmp/qemu/run: line 32: prep_fail: command not found
> Environment variables:
> HOSTNAME=d3de5b81f6a8
> MAKEFLAGS= -j8
> J=8
> CCACHE_DIR=/var/tmp/ccache
> EXTRA_CONFIGURE_OPTS=
> V=
> SHOW_ENV=1
> PATH=/usr/lib/ccache:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> PWD=/
> TARGET_LIST=
> SHLVL=1
> HOME=/root
> TEST_DIR=/tmp/qemu-test
> FEATURES= dtc
> DEBUG=
> _=/usr/bin/env
> 
> Configure options:
> --enable-werror --target-list=x86_64-softmmu,aarch64-softmmu 
> --prefix=/tmp/qemu-test/install
> 
> ERROR: DTC (libfdt) version >= 1.4.2 not present.
>Please install the DTC (libfdt) devel package
> 

Environment problems?

> Traceback (most recent call last):
>   File "./tests/docker/docker.py", line 407, in 
> sys.exit(main())
>   File "./tests/docker/docker.py", line 404, in main
> return args.cmdobj.run(args, argv)
>   File "./tests/docker/docker.py", line 261, in run
> return Docker().run(argv, args.keep, quiet=args.quiet)
>   File "./tests/docker/docker.py", line 229, in run
> quiet=quiet)
>   File "./tests/docker/docker.py", line 147, in _do_check
> return subprocess.check_call(self._command + cmd, **kwargs)
>   File "/usr/lib64/python2.7/subprocess.py", line 186, in check_call
> raise CalledProcessError(retcode, cmd)
> subprocess.CalledProcessError: Command '['docker', 'run', '--label', 
> 'com.qemu.instance.uuid=3f76e41234b211e8813a52540069c830', '-u', '0', 
> '--security-opt', 'seccomp=unconfined', '--rm', '--net=none', '-e', 
> 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=8', '-e', 
> 'DEBUG=', '-e', 'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
> '/root/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
> '/var/tmp/patchew-tester-tmp-vi1_8690/src/docker-src.2018-03-31-03.07.40.30023:/var/tmp/qemu:z,ro',
>  'qemu:min-glib', '/var/tmp/qemu/run', 'test-build']' returned non-zero exit 
> status 1
> make[1]: *** [tests/docker/Makefile.include:129: docker-run] Error 1
> make[1]: Leaving directory '/var/tmp/patchew-tester-tmp-vi1_8690/src'
> make: *** [tests/docker/Makefile.include:163: docker-run-test-build@min-glib] 
> Error 2
> 
> real  0m51.988s
> user  0m9.352s
> sys   0m6.949s
> === OUTPUT END ===
> 
> Test command exited with code: 2
> 
> 
> ---
> Email generated automatically by Patchew [http://patchew.org/].
> Please send your feedback to patchew-de...@redhat.com
> 

Unrelated to the patch as far as I can tell.

--js

Re: [Qemu-devel] [PATCH v3 6/7] s390x/kvm: handle AP instruction interception

[Tony Krowiak]

On 03/26/2018 04:32 AM, David Hildenbrand wrote:

On 16.03.2018 00:24, Tony Krowiak wrote:

If the CPU model indicates that AP facility is installed on
the guest (i.e., -cpu ,ap=on), then the expectation is that
the AP bus running in the guest will initialize; however, if the
AP instructions are not being interpreted by the firmware, then
they will be intercepted and routed back to QEMU for handling.
If a handler is not defined to process the intercepted instruciton,
then an operation exception will be injected into the
guest, in which case the AP bus will not initialize.

There are two situations where AP instructions will not be
interpreted:

1. The guest is not configured with a vfio-ap device (i.e.,
-device vfio-ap,sysfsdev=$path-to-mdev). The realize function for
the vfio-ap device enables interpretive execution of AP
instructions.

2. The guest is a second level guest but the first level guest has
not enabled interpretive execution.

This patch introduces AP instruction handlers to ensure the AP bus
module initializes on the guest when the AP facility is installed
on the guest but AP instructions are not being interpreted. The logic
incorporated is:

* If the CPU model indicates AP instructions are
   installed

   * Set the status response code for the instruction to indicate that
 the APQN contained in the instruction is not valid. This is
 a valid response because there will be no devices configured for
 the guest in any of the above scenarios.

* Else return an error from the handler. This will result in an
   operation being injected into the guest and the AP bus will not

s/operation/operation exception/

thanks



   initialize on the guest. That is commensurate with how things work
   today.

Signed-off-by: Tony Krowiak 
---
  hw/vfio/ap.c |   45 ++
  include/hw/s390x/ap-device.h |6 +
  target/s390x/kvm.c   |   14 +
  3 files changed, 65 insertions(+), 0 deletions(-)

diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
index b397bb1..88e744d 100644
--- a/hw/vfio/ap.c
+++ b/hw/vfio/ap.c
@@ -148,6 +148,51 @@ static void vfio_ap_unrealize(DeviceState *dev, Error 
**errp)
  kvm_s390_set_interpret_ap(0);
  }
  

I think you are missing cpu_synchronize_state(CPU(cpu)) in all of these
functions.

I see you negated this in your next response.



+int ap_device_handle_nqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+
+if (s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}
+
+return -EOPNOTSUPP;
+}
+
+int ap_device_handle_dqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+
+if (s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}
+
+return -EOPNOTSUPP;
+}
+
+int ap_device_handle_pqap(S390CPU *cpu)
+{
+CPUS390XState *env = &cpu->env;
+int fc = 4 & (env->regs[0] >> 24);
+
+/*
+ * The Query Configuration Information (QCI) function (fc == 4) does not
+ * set a response code in reg 1, so check for that along with the
+ * AP feature.
+ */
+if ((fc != 4) && s390_has_feat(S390_FEAT_AP)) {
+env->regs[1] = 0x1;
+
+return 0;
+}

This would imply an operation exception in case fc==4, which sounds very
wrong.

Take a look at my response to Pierre for an answer to this one.


Hard to review without access to documentation. (hard to understand why
such stuff is to be kept confidential for decades)

You'll have to talk to the powers that be at IBM about that one :)



+
+return -EOPNOTSUPP;
+}
+
  static Property vfio_ap_properties[] = {
  DEFINE_PROP_STRING("sysfsdev", VFIOAPDevice, vdev.sysfsdev),
  DEFINE_PROP_END_OF_LIST(),
diff --git a/include/hw/s390x/ap-device.h b/include/hw/s390x/ap-device.h
index 693df90..d45ae38 100644
--- a/include/hw/s390x/ap-device.h
+++ b/include/hw/s390x/ap-device.h
@@ -11,6 +11,8 @@
  #ifndef HW_S390X_AP_DEVICE_H
  #define HW_S390X_AP_DEVICE_H
  

[Qemu-devel] [PATCH] roms/u-boot-sam460ex: Change to qemu git mirror and update

[BALATON Zoltan]

Now that we have a mirror of this repo on git.qemu.org change the
submodule to use that and also update it to latest HEAD which has a
commit to fix a dangling symlink.

Signed-off-by: BALATON Zoltan 
---
 .gitmodules  | 2 +-
 roms/u-boot-sam460ex | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitmodules b/.gitmodules
index c613722..49e9c2e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -45,4 +45,4 @@
url = git://github.com/hdeller/seabios-hppa.git
 [submodule "roms/u-boot-sam460ex"]
path = roms/u-boot-sam460ex
-   url = git://github.com/zbalaton/u-boot-sam460ex
+   url = git://git.qemu.org/u-boot-sam460ex.git
diff --git a/roms/u-boot-sam460ex b/roms/u-boot-sam460ex
index 119aa27..930735b 16
--- a/roms/u-boot-sam460ex
+++ b/roms/u-boot-sam460ex
@@ -1 +1 @@
-Subproject commit 119aa277f74a4a2d3f7ab6c9471292308eba14e4
+Subproject commit 930735bdd6edbb0588d6a54882feb58ab3cb2d08
-- 
2.7.6

Re: [Qemu-devel] some ROMs questions

[BALATON Zoltan]

On Mon, 2 Apr 2018, Michael Tokarev wrote:

roms/u-boot-sam460ex/tools/updater/stubs.c -
it is some strange symlink pointing to a strange place, probably should be 
removed?


This does not seem to matter for building the rom image but this can be 
fixed by converting it to a relative path. I've done that and will send a 
patch to update the submodule as well to use the QEMU repo now that we 
have a mirror there. Thanks for finding this.



When making u-boot-am460ex image, in roms/Makefile, we do a plain copy, while 5
lines above, u-boot image is being stripped on copy. Should we perform strip for
u-boot-am460ex image too, if not only to be consistent?


No, this is correct. These use different images. For e500 the u-boot ELF 
image is used after stripping it while for sam460ex the u-boot.bin is 
needed which is another build target and does not contain symbols to be 
stripped so a plain copy is enough.



BTW, can't u-boot-am460ex image be made from regular u-boot sources, maybe with 
an
additional board added? :)


No. This was discussed before several times. Look up those threads for 
more info or if you don't beleive it just compare the two u-boot versions. 
I don't intend to take up the task of supporting this board in latest 
u-boot versions which even removed support for the CPU type it needs. Also 
we aim to be as compatible to real hardware as possible because of 
assumptions of closed source guests.


Regards,
BALATON Zoltan

[Qemu-devel] [PULL 1/3] nbd: Fix 32-bit compilation on BLOCK_STATUS

[Eric Blake]

iotests 123 and 209 fail on 32-bit platforms.  The culprit:
sizeof(extent) is wrong; we want sizeof(*extent).  But since
the struct is 8 bytes, it happened to work on 64-bit platforms
where the pointer is also 8 bytes (nasty).

Fixes: 78a33ab58
Reported-by: Max Reitz 
Signed-off-by: Eric Blake 
Message-Id: <20180327210517.1804242-1-ebl...@redhat.com>
Reviewed-by: Paolo Bonzini 
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 block/nbd-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/nbd-client.c b/block/nbd-client.c
index e64e346d690..e7caf49fbb4 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -239,7 +239,7 @@ static int nbd_parse_blockstatus_payload(NBDClientSession 
*client,
 {
 uint32_t context_id;

-if (chunk->length != sizeof(context_id) + sizeof(extent)) {
+if (chunk->length != sizeof(context_id) + sizeof(*extent)) {
 error_setg(errp, "Protocol error: invalid payload for "
  "NBD_REPLY_TYPE_BLOCK_STATUS");
 return -EINVAL;
-- 
2.14.3

[Qemu-devel] [PULL 2/3] nbd/client: Correctly handle bad server REP_META_CONTEXT

[Eric Blake]

It's never a good idea to blindly read for size bytes as
returned by the server without first validating that the size
is within bounds; a malicious or buggy server could cause us
to hang or get out of sync from reading further messages.

It may be smarter to try and teach the client to cope with
unexpected context ids by silently ignoring them instead of
hanging up on the server, but for now, if the server doesn't
reply with exactly the one context we expect, it's easier to
just give up - however, if we give up for any reason other
than an I/O failure, we might as well try to politely tell
the server we are quitting rather than continuing.

Fix some typos in the process.

Signed-off-by: Eric Blake 
Message-Id: <20180329231837.1914680-1-ebl...@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 nbd/client.c | 28 +---
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/nbd/client.c b/nbd/client.c
index 9b9b7f0ea29..dd0174b036e 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -599,8 +599,8 @@ static QIOChannel *nbd_receive_starttls(QIOChannel *ioc,
  * Set one meta context. Simple means that reply must contain zero (not
  * negotiated) or one (negotiated) contexts. More contexts would be considered
  * as a protocol error. It's also implied that meta-data query equals queried
- * context name, so, if server replies with something different then @context,
- * it considered as error too.
+ * context name, so, if server replies with something different than @context,
+ * it is considered an error too.
  * return 1 for successful negotiation, context_id is set
  *0 if operation is unsupported,
  *-1 with errp set for any other error
@@ -649,25 +649,33 @@ static int nbd_negotiate_simple_meta_context(QIOChannel 
*ioc,

 if (reply.type == NBD_REP_META_CONTEXT) {
 char *name;
-size_t len;
+
+if (reply.length != sizeof(received_id) + context_len) {
+error_setg(errp, "Failed to negotiate meta context '%s', server "
+   "answered with unexpected length %" PRIu32, context,
+   reply.length);
+nbd_send_opt_abort(ioc);
+return -1;
+}

 if (nbd_read(ioc, &received_id, sizeof(received_id), errp) < 0) {
 return -1;
 }
 be32_to_cpus(&received_id);

-len = reply.length - sizeof(received_id);
-name = g_malloc(len + 1);
-if (nbd_read(ioc, name, len, errp) < 0) {
+reply.length -= sizeof(received_id);
+name = g_malloc(reply.length + 1);
+if (nbd_read(ioc, name, reply.length, errp) < 0) {
 g_free(name);
 return -1;
 }
-name[len] = '\0';
+name[reply.length] = '\0';
 if (strcmp(context, name)) {
 error_setg(errp, "Failed to negotiate meta context '%s', server "
"answered with different context '%s'", context,
name);
 g_free(name);
+nbd_send_opt_abort(ioc);
 return -1;
 }
 g_free(name);
@@ -690,6 +698,12 @@ static int nbd_negotiate_simple_meta_context(QIOChannel 
*ioc,
 if (reply.type != NBD_REP_ACK) {
 error_setg(errp, "Unexpected reply type %" PRIx32 " expected %x",
reply.type, NBD_REP_ACK);
+nbd_send_opt_abort(ioc);
+return -1;
+}
+if (reply.length) {
+error_setg(errp, "Unexpected length to ACK response");
+nbd_send_opt_abort(ioc);
 return -1;
 }

-- 
2.14.3

[Qemu-devel] [PULL 3/3] nbd: trace meta context negotiation

[Eric Blake]

Having a more detailed log of the interaction between client and
server is invaluable in debugging how meta context negotiation
actually works.

Signed-off-by: Eric Blake 
Message-Id: <20180330130950.1931229-1-ebl...@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy 
---
 nbd/client.c | 2 ++
 nbd/server.c | 8 
 nbd/trace-events | 6 ++
 3 files changed, 16 insertions(+)

diff --git a/nbd/client.c b/nbd/client.c
index dd0174b036e..b9e175d1c27 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -623,6 +623,7 @@ static int nbd_negotiate_simple_meta_context(QIOChannel 
*ioc,
 char *data = g_malloc(data_len);
 char *p = data;

+trace_nbd_opt_meta_request(context, export);
 stl_be_p(p, export_len);
 memcpy(p += sizeof(export_len), export, export_len);
 stl_be_p(p += export_len, 1);
@@ -680,6 +681,7 @@ static int nbd_negotiate_simple_meta_context(QIOChannel 
*ioc,
 }
 g_free(name);

+trace_nbd_opt_meta_reply(context, received_id);
 received = true;

 /* receive NBD_REP_ACK */
diff --git a/nbd/server.c b/nbd/server.c
index cea158913ba..9e1f2271784 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -726,6 +726,7 @@ static int nbd_negotiate_send_meta_context(NBDClient 
*client,
 context_id = 0;
 }

+trace_nbd_negotiate_meta_query_reply(context, context_id);
 set_be_option_rep(&opt.h, client->opt, NBD_REP_META_CONTEXT,
   sizeof(opt) - sizeof(opt.h) + iov[1].iov_len);
 stl_be_p(&opt.context_id, context_id);
@@ -752,10 +753,12 @@ static int nbd_meta_base_query(NBDClient *client, 
NBDExportMetaContexts *meta,
 if (client->opt == NBD_OPT_LIST_META_CONTEXT) {
 meta->base_allocation = true;
 }
+trace_nbd_negotiate_meta_query_parse("base:");
 return 1;
 }

 if (len != alen) {
+trace_nbd_negotiate_meta_query_skip("not base:allocation");
 return nbd_opt_skip(client, len, errp);
 }

@@ -768,6 +771,7 @@ static int nbd_meta_base_query(NBDClient *client, 
NBDExportMetaContexts *meta,
 meta->base_allocation = true;
 }

+trace_nbd_negotiate_meta_query_parse("base:allocation");
 return 1;
 }

@@ -800,6 +804,7 @@ static int nbd_negotiate_meta_query(NBDClient *client,
 /* The only supported namespace for now is 'base'. So query should start
  * with 'base:'. Otherwise, we can ignore it and skip the remainder. */
 if (len < baselen) {
+trace_nbd_negotiate_meta_query_skip("length too short");
 return nbd_opt_skip(client, len, errp);
 }

@@ -809,6 +814,7 @@ static int nbd_negotiate_meta_query(NBDClient *client,
 return ret;
 }
 if (strncmp(query, "base:", baselen) != 0) {
+trace_nbd_negotiate_meta_query_skip("not for base: namespace");
 return nbd_opt_skip(client, len, errp);
 }

@@ -858,6 +864,8 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
 return ret;
 }
 cpu_to_be32s(&nb_queries);
+trace_nbd_negotiate_meta_context(nbd_opt_lookup(client->opt),
+ meta->export_name, nb_queries);

 if (client->opt == NBD_OPT_LIST_META_CONTEXT && !nb_queries) {
 /* enable all known contexts */
diff --git a/nbd/trace-events b/nbd/trace-events
index 0d03edc967d..dee081e7758 100644
--- a/nbd/trace-events
+++ b/nbd/trace-events
@@ -10,6 +10,8 @@ nbd_receive_query_exports_start(const char *wantname) 
"Querying export list for
 nbd_receive_query_exports_success(const char *wantname) "Found desired export 
name '%s'"
 nbd_receive_starttls_new_client(void) "Setting up TLS"
 nbd_receive_starttls_tls_handshake(void) "Starting TLS handshake"
+nbd_opt_meta_request(const char *context, const char *export) "Requesting to 
set meta context %s for export %s"
+nbd_opt_meta_reply(const char *context, uint32_t id) "Received mapping of 
context %s to id %" PRIu32
 nbd_receive_negotiate(void *tlscreds, const char *hostname) "Receiving 
negotiation tlscreds=%p hostname=%s"
 nbd_receive_negotiate_magic(uint64_t magic) "Magic is 0x%" PRIx64
 nbd_receive_negotiate_server_flags(uint32_t globalflags) "Global flags are 
0x%" PRIx32
@@ -44,6 +46,10 @@ nbd_negotiate_handle_info_request(int request, const char 
*name) "Client request
 nbd_negotiate_handle_info_block_size(uint32_t minimum, uint32_t preferred, 
uint32_t maximum) "advertising minimum 0x%" PRIx32 ", preferred 0x%" PRIx32 ", 
maximum 0x%" PRIx32
 nbd_negotiate_handle_starttls(void) "Setting up TLS"
 nbd_negotiate_handle_starttls_handshake(void) "Starting TLS handshake"
+nbd_negotiate_meta_context(const char *optname, const char *export, uint32_t 
queries) "Client requested %s for export %s, with %" PRIu32 " queries"
+nbd_negotiate_meta_query_skip(const char *reason) "Skipping meta query: %s"
+nbd_negotiate_meta_query_parse(const char *query) "Parsed meta query '%s'"
+nbd_negotiate_meta_query_reply(const char *context, uint32_t id) "Replying 
with meta context '%s'

[Qemu-devel] [PULL 0/3] NBD patches for 2.12-rc2

[Eric Blake]

The following changes since commit f184de7553272223d6af731d7d623a7cebf710b5:

  Merge remote-tracking branch 
'remotes/riscv/tags/riscv-qemu-2.12-critical-fixes' into staging (2018-03-31 
09:42:33 +0100)

are available in the Git repository at:

  git://repo.or.cz/qemu/ericb.git tags/pull-nbd-2018-04-02

for you to fetch changes up to 2b53af2523f6a3387f71372f59d3717f1f7d5fd9:

  nbd: trace meta context negotiation (2018-04-02 09:10:49 -0500)


nbd patches for 2018-04-02

- Eric Blake: nbd: Fix 32-bit compilation on BLOCK_STATUS
- Eric Blake: nbd/client: Correctly handle bad server REP_META_CONTEXT
- Eric Blake: nbd: trace meta context negotiation


Eric Blake (3):
  nbd: Fix 32-bit compilation on BLOCK_STATUS
  nbd/client: Correctly handle bad server REP_META_CONTEXT
  nbd: trace meta context negotiation

 block/nbd-client.c |  2 +-
 nbd/client.c   | 30 +++---
 nbd/server.c   |  8 
 nbd/trace-events   |  6 ++
 4 files changed, 38 insertions(+), 8 deletions(-)

-- 
2.14.3

Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions for MacPorts

[Programmingkid]

> On Apr 2, 2018, at 10:07 AM, qemu-devel-requ...@nongnu.org wrote:
> 
> Message: 2
> Date: Mon, 2 Apr 2018 04:22:52 +0200
> From: Paolo Bonzini 
> To: Rainer M?ller , qemu-devel@nongnu.org
> Subject: Re: [Qemu-devel] [qemu-web PATCH] download: Add instructions
>   for MacPorts
> Message-ID: <357029f4-71c0-a9f9-7bda-a5a44f609...@redhat.com>
> Content-Type: text/plain; charset=utf-8
> 
> On 01/04/2018 18:22, Rainer M?ller wrote:
>> Signed-off-by: Rainer M?ller 
>> ---
>> _download/macos.md | 6 +-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>> 
>> diff --git a/_download/macos.md b/_download/macos.md
>> index dbb312c..06aa811 100644
>> --- a/_download/macos.md
>> +++ b/_download/macos.md
>> @@ -1,6 +1,10 @@
>> -QEMU can be installed from Homebrew:
>> +QEMU can be installed from Homebrew:
>> 
>> brew install qemu
>> 
>> +QEMU can be installed from MacPorts:
>> +
>> +sudo port install qemu
>> +
>> QEMU requires Mac OS X 10.5 or later, but it is recommended
>> to use Mac OS X 10.7 or later.
>> 
> 
> Thanks for the patch!  I'm travelling but I will apply it as soon as I can.
> 
> Paolo

I was wondering if a link to the Mac OS X host wiki page could be added to this 
page.
It does have prebuilt binaries ready for use.

https://wiki.qemu.org/Hosts/Mac

Re: [Qemu-devel] [PATCH for-2.12] nbd: trace meta context negotiation

[Eric Blake]

On 03/30/2018 11:32 AM, Vladimir Sementsov-Ogievskiy wrote:
> 30.03.2018 16:09, Eric Blake wrote:
>> Having a more detailed log of the interaction between client and
>> server is invaluable in debugging how meta context negotiation
>> actually works.
>>
>> Signed-off-by: Eric Blake 
>> ---
>>   nbd/client.c | 2 ++
>>   nbd/server.c | 8 
>>   nbd/trace-events | 6 ++
>>   3 files changed, 16 insertions(+)
>>

>> @@ -800,6 +804,7 @@ static int nbd_negotiate_meta_query(NBDClient
>> *client,
>>   /* The only supported namespace for now is 'base'. So query
>> should start
>>    * with 'base:'. Otherwise, we can ignore it and skip the
>> remainder. */
>>   if (len < baselen) {
>> +    trace_nbd_negotiate_meta_query_skip("length too short");
>>   return nbd_opt_skip(client, len, errp);
>>   }
>>
>> @@ -809,6 +814,7 @@ static int nbd_negotiate_meta_query(NBDClient
>> *client,
>>   return ret;
>>   }
>>   if (strncmp(query, "base:", baselen) != 0) {
>> +    trace_nbd_negotiate_meta_query_skip("not for base: namespace");
> 
> Hmm, reasonable example of using same trace-point in several places in
> the code. Is it a precedent?

Yes, trace points have been reused before; as long as the parameters are
the same and the message is reasonable, the only reason to NOT share a
trace is if you ever see yourself needing to select between the two
trace points individually. But for both of these points, it seems to me
that you'd either be tracing everything nbd_* or nothing, rather than
trying to catch just one of these points.

>> +++ b/nbd/trace-events
>> @@ -10,6 +10,8 @@ nbd_receive_query_exports_start(const char
>> *wantname) "Querying export list for
>>   nbd_receive_query_exports_success(const char *wantname) "Found
>> desired export name '%s'"
>>   nbd_receive_starttls_new_client(void) "Setting up TLS"
>>   nbd_receive_starttls_tls_handshake(void) "Starting TLS handshake"
>> +nbd_opt_meta_request(const char *context, const char *export)
>> "Requesting to set meta context %s for export %s"
>> +nbd_opt_meta_reply(const char *context, int id) "Received mapping of
>> context %s to id %d"
> 
> actual type is uint32_t, I'd prefer to reflect it here.
> 

It doesn't make a difference on 'unsigned int' vs. 'uint32_t' in
trace-events.  We guarantee that int is 32 bits on all platforms qemu
compiles on, and "%u" is a lot less typing than "%"PRIu32.  But you are
right that id is unsigned, and printing a negative value for an id could
be confusing, so I'll at least tweak it for that.

> 
> Must-have trace-points, anyway:
> Reviewed-by: Vladimir Sementsov-Ogievskiy 

Thanks; I'll make those trace-events tweaks, and queue in my NBD tree
for a pull request today.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH for-2.12] nbd/client: Correctly handle bad server REP_META_CONTEXT

[Eric Blake]

On 03/30/2018 11:59 AM, Vladimir Sementsov-Ogievskiy wrote:
> 30.03.2018 02:18, Eric Blake wrote:
>> It's never a good idea to blindly read for size bytes as
>> returned by the server without first validating that the size
>> is within bounds; a malicious or buggy server could cause us
>> to hang or get out of sync from reading further messages.
>>
>> It may be smarter to try and teach the client to cope with
>> unexpected context ids by silently ignoring them instead of
>> hanging up on the server, but for now, if the server doesn't
>> reply with exactly the one context we expect, it's easier to
>> just give up - however, if we give up for any reason other
>> than an I/O failure, we might as well try to politely tell
>> the server we are quitting rather than continuing.

>> @@ -651,6 +651,14 @@ static int
>> nbd_negotiate_simple_meta_context(QIOChannel *ioc,
>>   char *name;
>>   size_t len;
>>
>> +    if (reply.length != sizeof(received_id) + context_len) {
>> +    error_setg(errp, "Failed to negotiate meta context '%s',
>> server "
>> +   "answered with unexpected length %u", context,
> 
> uint32_t, is it worth PRIu32 ? Or %u is absolutely portable in this case?

For trace-events, casting uint32_t to unsigned int is always safe, at
which point using %u is less typing (because the trace goes through a
function prototype conversion).  But when directly printing a uint32_t,
you are correct that some oddball 32-bit platforms might have uint32_t
be long, which would then trigger needless warnings if we don't use
PRIu32.  So I'll fix that.

> 
>> +   reply.length);
>> +    nbd_send_opt_abort(ioc);
>> +    return -1;
>> +    }
> 
> hmm, after this check, len variable is not actually needed, we can use
> context_len
> 

Okay, I'm squashing this in:

diff --git i/nbd/client.c w/nbd/client.c
index 4ee1d9a4a2c..dd0174b036e 100644
--- i/nbd/client.c
+++ w/nbd/client.c
@@ -649,11 +649,10 @@ static int
nbd_negotiate_simple_meta_context(QIOChannel *ioc,

 if (reply.type == NBD_REP_META_CONTEXT) {
 char *name;
-size_t len;

 if (reply.length != sizeof(received_id) + context_len) {
 error_setg(errp, "Failed to negotiate meta context '%s',
server "
-   "answered with unexpected length %u", context,
+   "answered with unexpected length %" PRIu32, context,
reply.length);
 nbd_send_opt_abort(ioc);
 return -1;
@@ -664,13 +663,13 @@ static int
nbd_negotiate_simple_meta_context(QIOChannel *ioc,
 }
 be32_to_cpus(&received_id);

-len = reply.length - sizeof(received_id);
-name = g_malloc(len + 1);
-if (nbd_read(ioc, name, len, errp) < 0) {
+reply.length -= sizeof(received_id);
+name = g_malloc(reply.length + 1);
+if (nbd_read(ioc, name, reply.length, errp) < 0) {
 g_free(name);
 return -1;
 }
-name[len] = '\0';
+name[reply.length] = '\0';
 if (strcmp(context, name)) {
 error_setg(errp, "Failed to negotiate meta context '%s',
server "
"answered with different context '%s'", context,


>> @@ -690,6 +699,12 @@ static int
>> nbd_negotiate_simple_meta_context(QIOChannel *ioc,
>>   if (reply.type != NBD_REP_ACK) {
>>   error_setg(errp, "Unexpected reply type %" PRIx32 " expected
>> %x",
>>  reply.type, NBD_REP_ACK);
>> +    nbd_send_opt_abort(ioc);
>> +    return -1;
>> +    }
>> +    if (reply.length) {
> 
> this check is very common for REP_ACK, it may be better to move it to
> nbd_handle_reply_err... (and rename this function? and  combine it
> somehow with _option_request() and _option_reply()?)
> 
>> +    error_setg(errp, "Unexpected length to ACK response");
>> +    nbd_send_opt_abort(ioc);
> 
> hmm, looks like we want nbd_send_opt_abort() before most of return -1.
> Looks like it lacks some generalization, may be want to send it at some
> common point..
> 
>>   return -1;
>>   }
>>
> 
> mostly, just ideas for future refactoring, so:

Indeed, any refactoring we do in that area belongs in 2.13 patches.

> Reviewed-by: Vladimir Sementsov-Ogievskiy 

Thanks; I'm including this in my NBD pull request today.


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH v4 2/2] tpm: extend TPM TIS with state migration support

[Stefan Berger]

On 03/29/2018 01:07 PM, Marc-André Lureau wrote:

Hi

On Thu, Mar 29, 2018 at 1:56 AM, Stefan Berger
 wrote:

On 03/28/2018 11:41 AM, Marc-André Lureau wrote:

Hi

On Thu, Mar 1, 2018 at 8:59 PM, Stefan Berger
 wrote:

+
+static const VMStateDescription vmstate_locty = {
+.name = "loc",
+.version_id = 1,
+.minimum_version_id = 0,
+.minimum_version_id_old = 0,

I don't understand the problem there is leaving all the version fields
to 0, just like CRB.


+.fields  = (VMStateField[]) {
+VMSTATE_UINT32(state, TPMLocality),
+VMSTATE_UINT32(inte, TPMLocality),
+VMSTATE_UINT32(ints, TPMLocality),
+VMSTATE_UINT8(access, TPMLocality),
+VMSTATE_UINT32(sts, TPMLocality),
+VMSTATE_UINT32(iface_id, TPMLocality),
+VMSTATE_END_OF_LIST(),
+}
+};
+
   static const VMStateDescription vmstate_tpm_tis = {
   .name = "tpm",
-.unmigratable = 1,
+.version_id = 1,
+.minimum_version_id = 0,
+.minimum_version_id_old = 0,

same

If you remove the version fields: Reviewed-by: Marc-André Lureau



This is the error I got when setting .version_id = 0 (on both) and doing a
localhost migration

qemu-system-x86_64: Missing section footer for tpm-tis
qemu-system-x86_64: load of migration failed: Invalid argument

It's clearly not the most friendly error message, but I debugged it,
you just have to specify the right version for VMSTATE_STRUCT_ARRAY:
0.
 VMSTATE_STRUCT_ARRAY(loc, TPMState, TPM_TIS_NUM_LOCALITIES, 0,
  vmstate_locty, TPMLocality),

Then it all works with version 0 (or default value)

thanks

Thanks.

[Qemu-devel] [Bug 1639983] Re: e1000 EEPROM have bad checksum

[Jason Wagner]

I'm also seeing this issue with version 2.11. Currently Intel's oldest
available is 18.4 and this version reports an invalid checksum. The
E1000.dos file when loaded doesn't recognize the emulated NIC.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1639983

Title:
  e1000 EEPROM have bad checksum

Status in QEMU:
  New

Bug description:
  I am using qemu-system-i386 to emulate FreeDOS with e1000 nic card.

  I am using Intel PRODOS v.19.0 (latest version with E1000ODI.COM file).
  E1000ODI.COM v.5.07 (140116)

  http://pclosmag.com/html/issues/201208/page11.html
  Suggest that v.4.75 (120212) was/is working.
  Oldest PRODOS available version seems now 18.5 (June 2013) which I have not 
tested yet.

  When running it, it detect: Slot 18, IRQ 11, Port C000.

  But complains:
  EEPROM checksum was incorrect.

  Contact your services network supplier for a replacement.

  paul@paul89473:~$ qemu-system-i386 --version
  QEMU emulator version 2.6.1 (Debian 1:2.6.1+dfsg-0ubuntu5), Copyright (c) 
2003-2008 Fabrice Bellard
  paul@paul89473:~$

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1639983/+subscriptions

[Qemu-devel] [PATCH 1/2] linux-user: define TARGET_ARCH_HAS_KA_RESTORER

[Laurent Vivier]

Sparc as an extended sigaction structure containing
the field ka_restorer used in place of sa_restorer.

Define TARGET_ARCH_HAS_KA_RESTORER and use it
with sparc.

Signed-off-by: Laurent Vivier 
---
 linux-user/signal.c   | 4 ++--
 linux-user/syscall.c  | 7 +--
 linux-user/syscall_defs.h | 4 
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 2ea3e0321f..2b9752b40b 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -2920,8 +2920,8 @@ static void setup_frame(int sig, struct target_sigaction 
*ka,
 env->pc = ka->_sa_handler;
 env->npc = (env->pc + 4);
 /* 5. return to kernel instructions */
-if (ka->sa_restorer) {
-env->regwptr[UREG_I7] = ka->sa_restorer;
+if (ka->ka_restorer) {
+env->regwptr[UREG_I7] = ka->ka_restorer;
 } else {
 uint32_t val32;
 
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 889abbda1e..b8353d8f13 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8699,6 +8699,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
 target_siginitset(&act.sa_mask, old_act->sa_mask);
 act.sa_flags = old_act->sa_flags;
 act.sa_restorer = old_act->sa_restorer;
+#ifdef TARGET_ARCH_HAS_KA_RESTORER
+act.ka_restorer = 0;
+#endif
 unlock_user_struct(old_act, arg2, 0);
 pact = &act;
 } else {
@@ -8773,8 +8776,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
 if (!lock_user_struct(VERIFY_READ, act, arg2, 1)) {
 goto efault;
 }
-#ifdef TARGET_SPARC
-act->sa_restorer = restorer;
+#ifdef TARGET_ARCH_HAS_KA_RESTORER
+act->ka_restorer = restorer;
 #endif
 } else {
 act = NULL;
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 13fe840239..7473be518b 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -435,6 +435,7 @@ int do_sigaction(int sig, const struct target_sigaction 
*act,
 #define TARGET_SA_NODEFER  0x20u
 #define TARGET_SA_RESETHAND4u
 #define TARGET_ARCH_HAS_SA_RESTORER 1
+#define TARGET_ARCH_HAS_KA_RESTORER 1
 #elif defined(TARGET_MIPS)
 #define TARGET_SA_NOCLDSTOP0x0001
 #define TARGET_SA_NOCLDWAIT0x0001
@@ -742,6 +743,9 @@ struct target_sigaction {
 abi_ulong sa_restorer;
 #endif
 target_sigset_t sa_mask;
+#ifdef TARGET_ARCH_HAS_KA_RESTORER
+abi_ulong ka_restorer;
+#endif
 };
 #endif
 
-- 
2.14.3

[Qemu-devel] [PATCH 2/2] linux-user: fix TARGET___O_TMPFILE for sparc

[Laurent Vivier]

Signed-off-by: Laurent Vivier 
---
 linux-user/syscall_defs.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 7473be518b..23f5bccf0e 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2565,6 +2565,7 @@ struct target_statfs64 {
 #define TARGET_O_CLOEXEC  0x40
 #define TARGET___O_SYNC   0x80
 #define TARGET_O_PATH0x100
+#define TARGET___O_TMPFILE   0x200
 #endif
 
 /*  values follow.  */
-- 
2.14.3

[Qemu-devel] [PATCH 0/2] linux-user: fix sparc32plus emulation

[Laurent Vivier]

The sparc signal emulation is broken:
sparc has a special field called ka_restorer and to be used
in place of sa_restorer. Without it, the signal handler
exits and executes unexpected instructions.
(sparc64 has the same kind of problem but this change
doesn't fix it)

Once this problem is fixed, we can chroot in a shell and
execute "ls". And "ls" fails to read directory content
because flags of open() are not translated correctly.
To fix that, the second patch defines the good sparc
value for TARGET___O_TMPFILE.

Laurent Vivier (2):
  linux-user: define TARGET_ARCH_HAS_KA_RESTORER
  linux-user: fix TARGET___O_TMPFILE for sparc

 linux-user/signal.c   | 4 ++--
 linux-user/syscall.c  | 7 +--
 linux-user/syscall_defs.h | 5 +
 3 files changed, 12 insertions(+), 4 deletions(-)

-- 
2.14.3

Re: [Qemu-devel] [PATCH] target/xtensa: linux-user: fix fadvise64 call

[Laurent Vivier]

Le 02/04/2018 à 00:12, Max Filippov a écrit :
> fadvise64_64 on xtensa passes advice as the second argument and so must
> be handled similar to PPC.
> 
> This fixes glibc testsuite tests posix/tst-posix_fadvise and
> posix/tst-posix_fadvise64.
> 
> Signed-off-by: Max Filippov 
> ---
>  linux-user/syscall.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 924fd68efcdd..5ef517613577 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -11509,7 +11509,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
> arg1,
>  
>  #ifdef TARGET_NR_fadvise64_64
>  case TARGET_NR_fadvise64_64:
> -#if defined(TARGET_PPC)
> +#if defined(TARGET_PPC) || defined(TARGET_XTENSA)
>  /* 6 args: fd, advice, offset (high, low), len (high, low) */
>  ret = arg2;
>  arg2 = arg3;
> 

Reviewed-by: Laurent Vivier 

Re: [Qemu-devel] [RFC 00/18] QEMU validator: A method to specify QEMU crash-test cases

[Fam Zheng]

On Mon, Apr 2, 2018 at 7:10 AM, Philippe Mathieu-Daudé  wrote:
> [/var]/tmp full due to some jobs not cleaning well their workspaces?

Somehow our "make check" now keeps hanging in the container,
preventing it from being cleaned up correctly...

Will try to find time for it this week.

Fam

>
> On 03/31/2018 06:04 AM, no-re...@patchew.org wrote:
>> Hi,
>>
>> This series failed docker-build@min-glib build test. Please find the testing 
>> commands and
>> their output below. If you have Docker installed, you can probably reproduce 
>> it
>> locally.
>>
>> N/A. Internal error while reading log file
>>
>>
>>
>> ---
>> Email generated automatically by Patchew [http://patchew.org/].
>> Please send your feedback to patchew-de...@redhat.com
>>

Re: [Qemu-devel] qemu testing image link not work

[Jidong Xiao]

On Mon, Apr 2, 2018 at 2:24 AM, Fam Zheng  wrote:
> On Mon, 04/02 01:52, Jidong Xiao wrote:
>> Hi,
>>
>> A huge amount of documents has referenced this testing image:
>>
>> http://wiki.qemu.org/download/linux-0.2.img.bz2
>>
>> However, the image is no longer there. Is the image still available
>> somewhere? Thanks.
>
> According to the edit history of https://wiki.qemu.org/System_Images these
> images are no longer provided by qemu.org. So we should fix the documents. 
> Where
> are they?
>
> Fam


When I was saying documents, I meant all kinds of online documents,
whenever people talk about qemu test images, they refer to the above
link. For example, that link was included in the native kvm tool
readme file.

Whatever, I just found one available mirror:

http://lassauge.free.fr/qemu/release/

At least, we can download those testing images here.

-Jidong

Re: [Qemu-devel] [RFC 00/18] QEMU validator: A method to specify QEMU crash-test cases

[no-reply]

Hi,

This series failed docker-quick@centos6 build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 20180329213857.15499-1-ehabk...@redhat.com
Subject: [Qemu-devel] [RFC 00/18] QEMU validator: A method to specify QEMU 
crash-test cases

=== TEST SCRIPT BEGIN ===
#!/bin/bash
set -e
git submodule update --init dtc
# Let docker tests dump environment info
export SHOW_ENV=1
export J=8
time make docker-test-quick@centos6
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
0fdb1a2f05 Collection of validator.py test cases
962c7b9a45 validator.py script
11125125d8 qemu.py: is_launched() method
e7b9360fc7 qemu.py: qmp_obj() method
04f1d03e56 qemu.py: Don't try to quit cleanly on exceptions
b504207869 qemu.py: 'force' parameter on shutdown()
9cfedb7337 qemu.py: Only wait for process if it's still running
8c7e843d6e qemu.py: Log crashes inside _post_shutdown()
992c1b6bb2 qemu.py: Set _launched = False on _post_shutdown
9e4bcb4215 qemu.py: Make monitor optional
4d78dabfe2 qemu.py: Close _qmp inside _post_shutdown()
3937ce28e2 qemu.py: Use wait() logic inside shutdown()
c2b5140e3d qemu.py: Move _load_io_log() call to _post_shutdown()
a20254c9e0 qemu.py: Split _base_args()
bb5e609a6b qemu.py: Make _vm_monitor a method
a571feea0c qmp.py: Cleanly handle unexpectedly closed socket
9a92759c0c qmp.py: Fix error handling for Python 3
1f8f56095d qmp.py: Make it safe to call close() any time

=== OUTPUT BEGIN ===
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into '/var/tmp/patchew-tester-tmp-_gt5exqw/src/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
  BUILD   centos6
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-_gt5exqw/src'
  GEN 
/var/tmp/patchew-tester-tmp-_gt5exqw/src/docker-src.2018-03-31-04.37.05.10200/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-_gt5exqw/src/docker-src.2018-03-31-04.37.05.10200/qemu.tar.vroot'...
done.
Checking out files:  44% (2693/6074)   
Checking out files:  45% (2734/6074)   
Checking out files:  46% (2795/6074)   
Checking out files:  47% (2855/6074)   
Checking out files:  47% (2882/6074)   
Checking out files:  48% (2916/6074)   
Checking out files:  49% (2977/6074)   
Checking out files:  50% (3037/6074)   
Checking out files:  51% (3098/6074)   
Checking out files:  52% (3159/6074)   
Checking out files:  53% (3220/6074)   
Checking out files:  54% (3280/6074)   
Checking out files:  55% (3341/6074)   
Checking out files:  56% (3402/6074)   
Checking out files:  57% (3463/6074)   
Checking out files:  58% (3523/6074)   
Checking out files:  59% (3584/6074)   
Checking out files:  60% (3645/6074)   
Checking out files:  61% (3706/6074)   
Checking out files:  62% (3766/6074)   
Checking out files:  63% (3827/6074)   
Checking out files:  64% (3888/6074)   
Checking out files:  65% (3949/6074)   
Checking out files:  66% (4009/6074)   
Checking out files:  67% (4070/6074)   
Checking out files:  68% (4131/6074)   
Checking out files:  69% (4192/6074)   
Checking out files:  70% (4252/6074)   
Checking out files:  71% (4313/6074)   
Checking out files:  72% (4374/6074)   
Checking out files:  73% (4435/6074)   
Checking out files:  74% (4495/6074)   
Checking out files:  75% (4556/6074)   
Checking out files:  76% (4617/6074)   
Checking out files:  77% (4677/6074)   
Checking out files:  78% (4738/6074)   
Checking out files:  79% (4799/6074)   
Checking out files:  80% (4860/6074)   
Checking out files:  81% (4920/6074)   
Checking out files:  82% (4981/6074)   
Checking out files:  83% (5042/6074)   
Checking out files:  84% (5103/6074)   
Checking out files:  85% (5163/6074)   
Checking out files:  86% (5224/6074)   
Checking out files:  86% (5278/6074)   
Checking out files:  87% (5285/6074)   
Checking out files:  88% (5346/6074)   
Checking out files:  89% (5406/6074)   
Checking out files:  90% (5467/6074)   
Checking out files:  91% (5528/6074)   
Checking out files:  92% (5589/6074)   
Checking out files:  93% (5649/6074)   
Checking out files:  94% (5710/6074)   
Checking out files:  95% (5771/6074)   
Checking out files:  96% (5832/6074)   
Checking out files:  97% (5892/6074)   
Checking out files:  98% (5953/6074)   
Checking out files:  99% (6014/6074)   
Checking out files: 100% (6074/6074)   
Checking out files: 100% (6074/6074), done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-_gt5exqw/src/docker-src.2018-03-31-04.37.05.10200/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-_gt5exqw/src/docker-src.2

Re: [Qemu-devel] qemu testing image link not work

[Fam Zheng]

On Mon, 04/02 01:52, Jidong Xiao wrote:
> Hi,
> 
> A huge amount of documents has referenced this testing image:
> 
> http://wiki.qemu.org/download/linux-0.2.img.bz2
> 
> However, the image is no longer there. Is the image still available
> somewhere? Thanks.

According to the edit history of https://wiki.qemu.org/System_Images these
images are no longer provided by qemu.org. So we should fix the documents. Where
are they?

Fam

[Qemu-devel] qemu testing image link not work

[Jidong Xiao]

Hi,

A huge amount of documents has referenced this testing image:

http://wiki.qemu.org/download/linux-0.2.img.bz2

However, the image is no longer there. Is the image still available
somewhere? Thanks.

-Jidong