Re: [Qemu-devel] [PATCH v3 1/1] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread David Hildenbrand
On 21.06.2018 19:01, Christian Borntraeger wrote:
> kexec/kdump as well as the bootloader use a subcode of diagnose 308
> that is supposed to reset the subsystem but not comprise a full
> "reboot". With the latest refactoring this is now broken when
> -no-reboot is used. This for example breaks virt-install from
> iso images.
> 
> We need to mark these "soft" reboots as ok for rebooting.
> 
> Fixes: a30fb811cbe9 (s390x: refactor reset/reipl handling)
> Signed-off-by: Christian Borntraeger 
> ---
>  hw/s390x/ipl.c  | 8 +++-
>  include/sysemu/sysemu.h | 3 +++
>  vl.c| 4 ++--
>  3 files changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
> index 0d67349004..ade6896af6 100644
> --- a/hw/s390x/ipl.c
> +++ b/hw/s390x/ipl.c
> @@ -535,7 +535,13 @@ void s390_ipl_reset_request(CPUState *cs, enum 
> s390_reset reset_type)
>  ipl->iplb_valid = s390_gen_initial_iplb(ipl);
>  }
>  }
> -qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
> +if (reset_type == S390_RESET_MODIFIED_CLEAR ||
> +reset_type == S390_RESET_LOAD_NORMAL) {
> +/* ignore -no-reboot */
> +qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET_FORCE);
> +} else {
> +qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
> +}
>  /* as this is triggered by a CPU, make sure to exit the loop */
>  if (tcg_enabled()) {
>  cpu_loop_exit(cs);
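
Review bot: the `/* ignore -no-reboot */` comment in s390_ipl_reset_request() says what the new branch does but not why S390_RESET_MODIFIED_CLEAR and S390_RESET_LOAD_NORMAL are the two types that take it. Suggest extending the comment with the reason given in the commit message (subsystem resets used by kexec/kdump and the bootloader, not a full reboot), so that a reset type added later is not put in the wrong branch.
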
> diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
> index e893f72f3b..345369d924 100644
> --- a/include/sysemu/sysemu.h
> +++ b/include/sysemu/sysemu.h
> @@ -44,6 +44,9 @@ typedef enum ShutdownCause {
>   turns that into a shutdown */
>  SHUTDOWN_CAUSE_GUEST_PANIC,   /* Guest panicked, and command line turns
>   that into a shutdown */
> +SHUTDOWN_CAUSE_GUEST_RESET_FORCE,/* Guest reset that should ignore
> +--no-reboot. This is useful for reset
> +like actions as s390 kexec/kdump */
>  SHUTDOWN_CAUSE__MAX,
>  } ShutdownCause;
>  
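
Review bot: the comment on SHUTDOWN_CAUSE_GUEST_RESET_FORCE spells the option `--no-reboot`, while the commit message and the comment added in hw/s390x/ipl.c spell it `-no-reboot`; use one spelling throughout. The phrase "reset like actions as s390 kexec/kdump" would also read better as "reset-like actions such as s390 kexec/kdump".
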
> diff --git a/vl.c b/vl.c
> index b3426e03d0..44e65071bc 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -1628,7 +1628,7 @@ void qemu_system_reset(ShutdownCause reason)
>  } else {
>  qemu_devices_reset();
>  }
> -if (reason) {
> +if (reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE) {
>  qapi_event_send_reset(shutdown_caused_by_guest(reason),
>&error_abort);
>  }
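
Review bot: replacing `if (reason)` with `if (reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE)` in qemu_system_reset() drops the old zero check, so a reset requested with a zero reason, which used to skip qapi_event_send_reset(), now sends the event. If that is not intended, keep both conditions: `if (reason && reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE)`. The commit message also does not mention that the forced reset is hidden from event listeners; it should say so if that is the intent.
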
> @@ -1674,7 +1674,7 @@ void qemu_system_guest_panicked(GuestPanicInformation 
> *info)
>  
>  void qemu_system_reset_request(ShutdownCause reason)
>  {
> -if (no_reboot) {
> +if (no_reboot && reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE) {
>  shutdown_requested = reason;
>  } else {
>  reset_requested = reason;
> 

With whatever name you will end up using for the constant

Reviewed-by: David Hildenbrand 

-- 

Thanks,

David / dhildenb



Re: [Qemu-devel] [Questio] What the proper vfio NIC for emulation smmu?

2018-06-22 Thread Jia He
Hi Eric

On 6/22/2018 2:39 PM, Auger Eric Wrote:
> Hello Jia,
> 
> On 06/22/2018 03:44 AM, Jia He wrote:
>> Hi Eric
>> I want to test your smmu emulation patchset with vfio-pci ethernet device.
>> Could you kindly give me the NIC type information.
>> In my test, there is vf probe error for Mellanox connect 4 NIC and TX Unit
>> hang error for Intel X540 NIC. That's the reason why I ask this question.
>>
> virtual SMMUv3 is not integrated with VFIO and is not planned to be. It
> was tested with virtio-net-pci (without vhost-net).
> 
> With upstream code you should see the following warning:
> 
> "SMMUV3 does not support vhost/vfio integration yet: devices of those
> types will not function properly"
> 
> With "[PATCH v3 0/4] ARM SMMUv3: IOTLB Emulation and VHOST Support",
> vhost-net gets integrated. VFIO won't be integrated either. If vfio-pci
> devices are attempted to be used along with vsmmu, you will get
> "SMMUv3 does not support notification on MAP: device %s will not
> function properly"

Thanks for the information. Actually, I am using your vsmmu-optim-v3 branch.
I assumed vfio worked fine since you removed that warning in commit
("hw/arm/smmuv3: Add notifications on invalidation"). Seems I am wrong ;-)

> 
> My attempt to integrate the vsmmu with VFIO in the same manner as intel
> iommu (using a fake caching mode) was rejected by the kernel maintainer.
> So for VFIO use case, we need either 2 stage enablement (not implemented
> yet) or virtio-iommu. I will respin this latter against v0.7 spec
> probably next week.
Ok. got it, thanks
> 
> Thanks
> 
> Eric
> 

-- 
Cheers,
Jia



[Qemu-devel] [Bug 1778182] [NEW] qemu-system-aarch64 shows black framebuffer window on minimal bare metal example on SDL but not on VNC

2018-06-22 Thread Ciro Santilli 六四事件 法轮功
Public bug reported:

QEMU v2.12.0, Ubuntu 18.04 host.

Build QEMU and the bare metal image exactly as described at:
https://raspberrypi.stackexchange.com/revisions/85135/4 with:

Then cd into example 09_framebuffer.

Now if I do:

../../qemu/aarch64-softmmu/qemu-system-aarch64 -M raspi3 -kernel kernel8.img -serial stdio

the SDL window shows up black.

However, if I use VNC:

../../qemu/aarch64-softmmu/qemu-system-aarch64 -M raspi3 -kernel kernel8.img -serial stdio -vnc :1
vinagre :5901

an image of Homer Simpson appears as expected.

Therefore, I think this must be a QEMU / SDL bug instead of the
repository, since we get different behaviors with `-vnc` and with SDL.

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1778182




[Qemu-devel] [Bug 1778182] Re: qemu-system-aarch64 shows black framebuffer window on minimal bare metal example on SDL but not on VNC

2018-06-22 Thread Ciro Santilli 六四事件 法轮功
Things that work:

- https://github.com/cirosantilli/linux-kernel-module-cheat/tree/741f5215e9515c0d7179671f49fe1781f94e70e3#graphic-mode-arm
  which shows the Penguin with the Linux kernel, after hacking that repo up to
  use the exact same QEMU executable as reported here
- the UART examples on the image repo:
  https://github.com/bztsrc/raspi3-tutorial/tree/9e5611a624b3037788d5b29d951304938bff13ea/05_uart0




Re: [Qemu-devel] [PATCH v3 4/4] hw/arm/smmuv3: Add notifications on invalidation

2018-06-22 Thread Jia He
H

On 6/21/2018 7:16 PM, Eric Auger Wrote:
> On TLB invalidation commands, let's call registered
> IOMMU notifiers. Those can only be UNMAP notifiers.
> SMMUv3 does not support notification on MAP (VFIO).
> 
> This patch allows vhost use case where IOTLB API is notified
> on each guest IOTLB invalidation.
> 
> Signed-off-by: Eric Auger 
> Reviewed-by: Peter Maydell 
> 
> ---
> v2 -> v3:
> - added Peter's R-b
> ---
>  hw/arm/smmu-common.c | 34 +++
>  hw/arm/smmuv3.c  | 99 
> +++-
>  hw/arm/trace-events  |  5 +++
>  include/hw/arm/smmu-common.h |  6 +++
>  4 files changed, 142 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
> index f66e444..3098915 100644
> --- a/hw/arm/smmu-common.c
> +++ b/hw/arm/smmu-common.c
> @@ -385,6 +385,40 @@ static gboolean smmu_iotlb_key_equal(gconstpointer v1, 
> gconstpointer v2)
>  return (k1->asid == k2->asid) && (k1->iova == k2->iova);
>  }
>  
> +/* Unmap the whole notifier's range */
> +static void smmu_unmap_notifier_range(IOMMUNotifier *n)
> +{
> +IOMMUTLBEntry entry;
> +
> +entry.target_as = &address_space_memory;
> +entry.iova = n->start;
> +entry.perm = IOMMU_NONE;
> +entry.addr_mask = n->end - n->start;
> +
> +memory_region_notify_one(n, &entry);
> +}
> +
> +/* Unmap all notifiers attached to @mr */
> +inline void smmu_inv_notifiers_mr(IOMMUMemoryRegion *mr)
> +{
> +IOMMUNotifier *n;
> +
> +trace_smmu_inv_notifiers_mr(mr->parent_obj.name);
> +IOMMU_NOTIFIER_FOREACH(n, mr) {
> +smmu_unmap_notifier_range(n);
> +}
> +}
> +
> +/* Unmap all notifiers of all mr's */
> +void smmu_inv_notifiers_all(SMMUState *s)
> +{
> +SMMUNotifierNode *node;
> +
> +QLIST_FOREACH(node, &s->notifiers_list, next) {
> +smmu_inv_notifiers_mr(&node->sdev->iommu);
> +}
> +}
> +
>  static void smmu_base_realize(DeviceState *dev, Error **errp)
>  {
>  SMMUState *s = ARM_SMMU(dev);
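
Review bot: in smmu_unmap_notifier_range(), `IOMMUTLBEntry entry;` is declared without an initializer and only target_as, iova, perm and addr_mask are assigned, so any other member reaches memory_region_notify_one() with an indeterminate value. Zero-initialize it the same way smmuv3_notify_iova() in this patch initializes its event, for example `IOMMUTLBEntry entry = {};`.
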
> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
> index 853975a..c58e596 100644
> --- a/hw/arm/smmuv3.c
> +++ b/hw/arm/smmuv3.c
> @@ -780,6 +780,68 @@ epilogue:
>  return entry;
>  }
>  
> +/**
> + * smmuv3_notify_iova - call the notifier @n for a given
> + * @asid and @iova tuple.
> + *
> + * @mr: IOMMU mr region handle
> + * @n: notifier to be called
> + * @asid: address space ID or negative value if we don't care
> + * @iova: iova
> + */
> +static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
> +   IOMMUNotifier *n,
> +   int asid,
> +   dma_addr_t iova)
> +{
> +SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
> +SMMUEventInfo event = {};
> +SMMUTransTableInfo *tt;
> +SMMUTransCfg *cfg;
> +IOMMUTLBEntry entry;
> +
> +cfg = smmuv3_get_config(sdev, &event);
> +if (!cfg) {
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "%s error decoding the configuration for iommu 
> mr=%s\n",
> +  __func__, mr->parent_obj.name);
> +return;
> +}
> +
> +if (asid >= 0 && cfg->asid != asid) {
> +return;
> +}
> +
> +tt = select_tt(cfg, iova);
> +if (!tt) {
> +return;
> +}
> +
> +entry.target_as = &address_space_memory;
> +entry.iova = iova;
> +entry.addr_mask = (1 << tt->granule_sz) - 1;
> +entry.perm = IOMMU_NONE;
> +
> +memory_region_notify_one(n, &entry);
> +}
> +
> +/* invalidate an asid/iova tuple in all mr's */
> +static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, dma_addr_t 
> iova)
> +{
> +SMMUNotifierNode *node;
> +
> +QLIST_FOREACH(node, &s->notifiers_list, next) {
> +IOMMUMemoryRegion *mr = &node->sdev->iommu;
> +IOMMUNotifier *n;
> +
> +trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, iova);
> +
> +IOMMU_NOTIFIER_FOREACH(n, mr) {
> +smmuv3_notify_iova(mr, n, asid, iova);
> +}
> +}
> +}
> +
>  static int smmuv3_cmdq_consume(SMMUv3State *s)
>  {
>  SMMUState *bs = ARM_SMMU(s);
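
Review bot: in smmuv3_notify_iova(), `entry.addr_mask = (1 << tt->granule_sz) - 1;` does the shift in int before the result is widened; `(1ULL << tt->granule_sz) - 1` keeps the arithmetic in an unsigned 64-bit type. `entry.iova = iova` is also passed through unmasked, so an address that is not granule aligned yields an iova/addr_mask pair that straddles two granules; computing the mask first and then using `iova & ~entry.addr_mask` would avoid that.
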
> @@ -899,12 +961,14 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
>  uint16_t asid = CMD_ASID(&cmd);
>  
>  trace_smmuv3_cmdq_tlbi_nh_asid(asid);
> +smmu_inv_notifiers_all(&s->smmu_state);
>  smmu_iotlb_inv_asid(bs, asid);
>  break;
>  }
>  case SMMU_CMD_TLBI_NH_ALL:
>  case SMMU_CMD_TLBI_NSNH_ALL:
>  trace_smmuv3_cmdq_tlbi_nh();
> +smmu_inv_notifiers_all(&s->smmu_state);
>  smmu_iotlb_inv_all(bs);
>  break;
>  case SMMU_CMD_TLBI_NH_VAA:
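
Review bot: the two added calls in smmuv3_cmdq_consume() pass `&s->smmu_state` although `bs` is already in scope and is what the neighbouring smmu_iotlb_inv_asid(bs, asid) and smmu_iotlb_inv_all(bs) calls use; pass `bs` for consistency. In the ASID case the notifiers of every memory region are unmapped over their whole range while the IOTLB flush right after it is limited to `asid`; if that over-invalidation is deliberate, a one-line comment saying so would help.
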
> @@ -913,6 +977,7 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
>  uint16_t vmid = CMD_VMID(&cmd);
>  
>  trace_smmuv3_cmdq_tlbi_nh_vaa(vmid, addr);
> +smmuv3_inv_notifiers_iova(bs, -1, addr);
>  smmu_iotlb_inv_all(bs);

Re: [Qemu-devel] [PATCH v3 4/4] hw/arm/smmuv3: Add notifications on invalidation

2018-06-22 Thread Auger Eric
Hello Jia,

On 06/22/2018 09:15 AM, Jia He wrote:
> H
> 
> On 6/21/2018 7:16 PM, Eric Auger Wrote:
>> On TLB invalidation commands, let's call registered
>> IOMMU notifiers. Those can only be UNMAP notifiers.
>> SMMUv3 does not support notification on MAP (VFIO).
>>
>> This patch allows vhost use case where IOTLB API is notified
>> on each guest IOTLB invalidation.
>>
>> Signed-off-by: Eric Auger 
>> Reviewed-by: Peter Maydell 
>>
>> ---
>> v2 -> v3:
>> - added Peter's R-b
>> ---
>>  hw/arm/smmu-common.c | 34 +++
>>  hw/arm/smmuv3.c  | 99 
>> +++-
>>  hw/arm/trace-events  |  5 +++
>>  include/hw/arm/smmu-common.h |  6 +++
>>  4 files changed, 142 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
>> index f66e444..3098915 100644
>> --- a/hw/arm/smmu-common.c
>> +++ b/hw/arm/smmu-common.c
>> @@ -385,6 +385,40 @@ static gboolean smmu_iotlb_key_equal(gconstpointer v1, 
>> gconstpointer v2)
>>  return (k1->asid == k2->asid) && (k1->iova == k2->iova);
>>  }
>>  
>> +/* Unmap the whole notifier's range */
>> +static void smmu_unmap_notifier_range(IOMMUNotifier *n)
>> +{
>> +IOMMUTLBEntry entry;
>> +
>> +entry.target_as = &address_space_memory;
>> +entry.iova = n->start;
>> +entry.perm = IOMMU_NONE;
>> +entry.addr_mask = n->end - n->start;
>> +
>> +memory_region_notify_one(n, &entry);
>> +}
>> +
>> +/* Unmap all notifiers attached to @mr */
>> +inline void smmu_inv_notifiers_mr(IOMMUMemoryRegion *mr)
>> +{
>> +IOMMUNotifier *n;
>> +
>> +trace_smmu_inv_notifiers_mr(mr->parent_obj.name);
>> +IOMMU_NOTIFIER_FOREACH(n, mr) {
>> +smmu_unmap_notifier_range(n);
>> +}
>> +}
>> +
>> +/* Unmap all notifiers of all mr's */
>> +void smmu_inv_notifiers_all(SMMUState *s)
>> +{
>> +SMMUNotifierNode *node;
>> +
>> +QLIST_FOREACH(node, &s->notifiers_list, next) {
>> +smmu_inv_notifiers_mr(&node->sdev->iommu);
>> +}
>> +}
>> +
>>  static void smmu_base_realize(DeviceState *dev, Error **errp)
>>  {
>>  SMMUState *s = ARM_SMMU(dev);
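
Review bot: smmu_inv_notifiers_mr() is defined as `inline void` with external linkage in smmu-common.c. In C99 a plain `inline` definition does not by itself provide an external definition, so whether callers link depends on how the prototype in the header is written and on the compiler's inlining decisions. Drop `inline`, or make the function `static` if it is only called from this file.
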
>> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
>> index 853975a..c58e596 100644
>> --- a/hw/arm/smmuv3.c
>> +++ b/hw/arm/smmuv3.c
>> @@ -780,6 +780,68 @@ epilogue:
>>  return entry;
>>  }
>>  
>> +/**
>> + * smmuv3_notify_iova - call the notifier @n for a given
>> + * @asid and @iova tuple.
>> + *
>> + * @mr: IOMMU mr region handle
>> + * @n: notifier to be called
>> + * @asid: address space ID or negative value if we don't care
>> + * @iova: iova
>> + */
>> +static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
>> +   IOMMUNotifier *n,
>> +   int asid,
>> +   dma_addr_t iova)
>> +{
>> +SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
>> +SMMUEventInfo event = {};
>> +SMMUTransTableInfo *tt;
>> +SMMUTransCfg *cfg;
>> +IOMMUTLBEntry entry;
>> +
>> +cfg = smmuv3_get_config(sdev, &event);
>> +if (!cfg) {
>> +qemu_log_mask(LOG_GUEST_ERROR,
>> +  "%s error decoding the configuration for iommu 
>> mr=%s\n",
>> +  __func__, mr->parent_obj.name);
>> +return;
>> +}
>> +
>> +if (asid >= 0 && cfg->asid != asid) {
>> +return;
>> +}
>> +
>> +tt = select_tt(cfg, iova);
>> +if (!tt) {
>> +return;
>> +}
>> +
>> +entry.target_as = &address_space_memory;
>> +entry.iova = iova;
>> +entry.addr_mask = (1 << tt->granule_sz) - 1;
>> +entry.perm = IOMMU_NONE;
>> +
>> +memory_region_notify_one(n, &entry);
>> +}
>> +
>> +/* invalidate an asid/iova tuple in all mr's */
>> +static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, dma_addr_t 
>> iova)
>> +{
>> +SMMUNotifierNode *node;
>> +
>> +QLIST_FOREACH(node, &s->notifiers_list, next) {
>> +IOMMUMemoryRegion *mr = &node->sdev->iommu;
>> +IOMMUNotifier *n;
>> +
>> +trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, iova);
>> +
>> +IOMMU_NOTIFIER_FOREACH(n, mr) {
>> +smmuv3_notify_iova(mr, n, asid, iova);
>> +}
>> +}
>> +}
>> +
>>  static int smmuv3_cmdq_consume(SMMUv3State *s)
>>  {
>>  SMMUState *bs = ARM_SMMU(s);
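
Review bot: smmuv3_inv_notifiers_iova() calls smmuv3_notify_iova() once per notifier, and every call repeats smmuv3_get_config(), the asid comparison and select_tt(), none of which depend on the notifier `n`. Do that work once per memory region before IOMMU_NOTIFIER_FOREACH and hand the prepared entry to each notifier; this also stops the LOG_GUEST_ERROR message from being emitted once per notifier when the configuration cannot be decoded.
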
>> @@ -899,12 +961,14 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
>>  uint16_t asid = CMD_ASID(&cmd);
>>  
>>  trace_smmuv3_cmdq_tlbi_nh_asid(asid);
>> +smmu_inv_notifiers_all(&s->smmu_state);
>>  smmu_iotlb_inv_asid(bs, asid);
>>  break;
>>  }
>>  case SMMU_CMD_TLBI_NH_ALL:
>>  case SMMU_CMD_TLBI_NSNH_ALL:
>>  trace_smmuv3_cmdq_tlbi_nh();
>> +smmu_inv_notifiers_all(&s->smmu_state);
>>  smmu_iotlb_inv_all(bs);
>>  break;
>>  case SMMU_CMD_TLBI_NH_VAA:
>> @@ -913,6 +977,7 @@ static int smmuv3_cmdq_consume(SMMUv3Stat

[Qemu-devel] [Question] inconsistent memory amount statistics

2018-06-22 Thread David Hildenbrand
Starting qemu with and querying some outputs:

[...]
-m 4G,maxmem=20G,slots=2 \
-numa node,nodeid=0,cpus=0-1 -numa node,nodeid=1,cpus=2-3 \
[...]
-device virtio-balloon \
-object memory-backend-ram,id=mem0,size=8G \
-device pc-dimm,id=dimm0,memdev=mem0 \
-object memory-backend-ram,id=mem1,size=8G \
-device nvdimm,id=dimm1,memdev=mem1,node=1

(qemu) info numa
info numa
2 nodes
node 0 cpus: 0 1
node 0 size: 10240 MB
node 0 plugged: 0 MB
node 1 cpus: 2 3
node 1 size: 10240 MB
node 1 plugged: 0 MB


(qemu) info memory_size_summary
info memory_size_summary
base memory: 4294967296
plugged memory: 17179869184

(qemu) info memory-devices
info memory-devices
Memory device [dimm]: "dimm0"
  addr: 0x14000
  slot: 0
  node: 0
  size: 8589934592
  memdev: /objects/mem0
  hotplugged: false
  hotpluggable: true
Memory device [nvdimm]: "dimm1"
  addr: 0x34000
  slot: 1
  node: 1
  size: 8589934592
  memdev: /objects/mem1
  hotplugged: false
  hotpluggable: true


(qemu) info balloon
info balloon
balloon: actual=12288


1. "info numa"
- considers both, pc-dimm and nvdimm
- "-device ..." are considered as "!plugged" although it could be
  theoretically "unplugged"
- device_add devices are considered as "plugged"

2. "info memory_size_summary"
- considers both, pc-dimm and nvdimm
- "-device ..." are considered as "plugged"
- device_add devices are considered as "plugged"

3. "info balloon"
- does not consider nvdimm devices to calculate "actual"
-- actual = get_current_ram_size() - inflated
-- get_current_ram_size() does not consider nvdimm

So we have some inconsistency in regards of
1. What is considered memory and what not (pc-dimm vs nvdimm)
2. What is considered plugged memory (-device vs. device_add)


Is this what we expect? I think we should make up our mind

a) what "plugged" means
b) which stats should consider "nvdimm" and which not.

I would have guessed that "nvdimms" might be memory devices but should
never count towards memory statistics ("not actually ram" - they might
be OK).

Especially "info memory_size_summary" ... "plugged-memory - amount of
memory that was hot-plugged" - this seems to be wrong. And I wonder if
we should exclude nvdimm from that.

-- 

Thanks,

David / dhildenb



[Qemu-devel] [PATCH v4 0/4] ARM SMMUv3: IOTLB Emulation and VHOST Support

2018-06-22 Thread Eric Auger
This series brings translation configuration caching and IOTLB
emulation.  The last patch implements VHOST integration and
allows running VSMMUv3 along with VHOST emulated end points.

The first patch fixes the passthrough mode bug reported by Jia.
It reworks the translate function and this series needed to be
rebased on it.

Best Regards

Eric

This series can be found at:
https://github.com/eauger/qemu/tree/v2.12.0-vsmmu-optim-v4
Previous version at:
https://github.com/eauger/qemu/tree/v2.12.0-vsmmu-optim-v3

History:

v3 -> v4:
- (new == IOMMU_NOTIFIER_MAP) replaced by (new & IOMMU_NOTIFIER_MAP)
  in smmuv3_notify_flag_changed

v2 -> v3:
- collected Peter's R-b
- do not use float in trace points anymore

v1 -> v2:
- addition of the 1st patch (including addr_mask fix)
- addition of the per device mutex as on intel iommu

v1: [1] v12 last 3 patches resent in this series
[1] [PATCH v12 00/17] ARM SMMUv3 Emulation Support
https://lists.gnu.org/archive/html/qemu-devel/2018-04/msg04344.html

Eric Auger (3):
  hw/arm/smmuv3: Cache/invalidate config data
  hw/arm/smmuv3: IOTLB emulation
  hw/arm/smmuv3: Add notifications on invalidation

Jia He (1):
  hw/arm/smmuv3: Fix translate error handling

 hw/arm/smmu-common.c | 118 +++-
 hw/arm/smmuv3-internal.h |  12 +-
 hw/arm/smmuv3.c  | 420 +++
 hw/arm/trace-events  |  27 ++-
 include/hw/arm/smmu-common.h |  24 +++
 include/hw/arm/smmuv3.h  |   1 +
 6 files changed, 558 insertions(+), 44 deletions(-)

-- 
2.5.5




[Qemu-devel] [PATCH v4 1/4] hw/arm/smmuv3: Fix translate error handling

2018-06-22 Thread Eric Auger
From: Jia He 

In case the STE's config is "Bypass" we currently don't set the
IOMMUTLBEntry perm flags and the access does not succeed. Also
if the config is 0b0xx (Aborted/Reserved), decode_ste and
smmuv3_decode_config currently return -EINVAL and we don't enter
the expected code path: we record an event whereas we should not.

This patch fixes those bugs and simplifies the error handling.
decode_ste and smmuv3_decode_config now return 0 if aborted or
bypassed config was found. Only bad config info produces negative
error values. In smmuv3_translate we more clearly differentiate
errors, bypass/smmu disabled, aborted and success cases. Also
trace points are differentiated.

Fixes: 9bde7f0674fe ("hw/arm/smmuv3: Implement translate callback")
Reported-by: jia...@hxt-semitech.com
Signed-off-by: jia...@hxt-semitech.com
Signed-off-by: Eric Auger 
Reviewed-by: Peter Maydell 

---

v2 -> v3:
- added Peter's R-b

v1 -> v2:
- set addr_mask in case of bypass and disabled. Mandated for
  vhost use case since a411c84b561baa94b28165c52f21c33517ee8f59
  "exec: extract address_space_translate_iommu, fix page_mask
  corner case"
---
 hw/arm/smmuv3-internal.h | 12 +-
 hw/arm/smmuv3.c  | 96 +---
 hw/arm/trace-events  |  7 ++--
 3 files changed, 80 insertions(+), 35 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index a9d714b..bab25d6 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -23,6 +23,14 @@
 
 #include "hw/arm/smmu-common.h"
 
+typedef enum SMMUTranslationStatus {
+SMMU_TRANS_DISABLE,
+SMMU_TRANS_ABORT,
+SMMU_TRANS_BYPASS,
+SMMU_TRANS_ERROR,
+SMMU_TRANS_SUCCESS,
+} SMMUTranslationStatus;
+
 /* MMIO Registers */
 
 REG32(IDR0,0x0)
@@ -315,7 +323,7 @@ enum { /* Command completion notification */
 /* Events */
 
 typedef enum SMMUEventType {
-SMMU_EVT_OK = 0x00,
+SMMU_EVT_NONE   = 0x00,
 SMMU_EVT_F_UUT,
 SMMU_EVT_C_BAD_STREAMID   ,
 SMMU_EVT_F_STE_FETCH  ,
@@ -337,7 +345,7 @@ typedef enum SMMUEventType {
 } SMMUEventType;
 
 static const char *event_stringify[] = {
-[SMMU_EVT_OK]   = "SMMU_EVT_OK",
+[SMMU_EVT_NONE] = "no recorded event",
 [SMMU_EVT_F_UUT]= "SMMU_EVT_F_UUT",
 [SMMU_EVT_C_BAD_STREAMID]   = "SMMU_EVT_C_BAD_STREAMID",
 [SMMU_EVT_F_STE_FETCH]  = "SMMU_EVT_F_STE_FETCH",
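
Review bot: in event_stringify[], the renamed entry maps SMMU_EVT_NONE to "no recorded event" while every other visible entry maps to its own enumerator name ("SMMU_EVT_F_UUT", "SMMU_EVT_C_BAD_STREAMID", ...). If trace or log output is searched by enumerator name, keep the string as "SMMU_EVT_NONE"; otherwise add a short comment on why this entry differs.
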
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index 9783309..70b8f29 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -23,6 +23,7 @@
 #include "hw/qdev-core.h"
 #include "hw/pci/pci.h"
 #include "exec/address-spaces.h"
+#include "cpu.h"
 #include "trace.h"
 #include "qemu/log.h"
 #include "qemu/error-report.h"
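
Review bot: `#include "cpu.h"` is added to smmuv3.c, but neither the commit message nor the visible hunks show what needs it. If the reworked smmuv3_translate() depends on it, say so in the changelog; if not, drop the include.
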
@@ -154,7 +155,7 @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo 
*info)
 EVT_SET_SID(&evt, info->sid);
 
 switch (info->type) {
-case SMMU_EVT_OK:
+case SMMU_EVT_NONE:
 return;
 case SMMU_EVT_F_UUT:
 EVT_SET_SSID(&evt, info->u.f_uut.ssid);
@@ -312,12 +313,11 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t 
ssid,
 return 0;
 }
 
-/* Returns <0 if the caller has no need to continue the translation */
+/* Returns < 0 in case of invalid STE, 0 otherwise */
 static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
   STE *ste, SMMUEventInfo *event)
 {
 uint32_t config;
-int ret = -EINVAL;
 
 if (!STE_VALID(ste)) {
 goto bad_ste;
@@ -326,13 +326,13 @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
 config = STE_CONFIG(ste);
 
 if (STE_CFG_ABORT(config)) {
-cfg->aborted = true; /* abort but don't record any event */
-return ret;
+cfg->aborted = true;
+return 0;
 }
 
 if (STE_CFG_BYPASS(config)) {
 cfg->bypassed = true;
-return ret;
+return 0;
 }
 
 if (STE_CFG_S2_ENABLED(config)) {
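
Review bot: decode_ste() now returns 0 for both the `cfg->aborted` and the `cfg->bypassed` case, so a zero return no longer means the STE was fully decoded. The updated comment above the function ("Returns < 0 in case of invalid STE, 0 otherwise") should state that the caller has to test cfg->aborted and cfg->bypassed before relying on the remaining fields of cfg.
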
@@ -509,7 +509,7 @@ bad_cd:
  *   the different configuration decoding steps
  * @event: must be zero'ed by the caller
  *
- * return < 0 if the translation needs to be aborted (@event is filled
+ * return < 0 in case of config decoding error (@event is filled
  * accordingly). Return 0 otherwise.
  */
 static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
@@ -518,19 +518,26 @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, 
SMMUTransCfg *cfg,
 SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 uint32_t sid = smmu_get_sid(sdev);
 SMMUv3State *s = sdev->smmu;
-int ret = -EINVAL;
+int ret;
 STE ste;
 CD cd;
 
-if (smmu_find_ste(s, sid, &ste, event)) {
+ret = smmu_find_ste(s, sid, &ste, event);
+if (ret) {
 return ret;
 }
 
-if (decode_ste(s, cfg, &ste, event)) {
+ret = decode_ste(s, cfg, &ste, event);
+if (ret) {
 return ret;

[Qemu-devel] [PATCH v4 2/4] hw/arm/smmuv3: Cache/invalidate config data

2018-06-22 Thread Eric Auger
Let's cache config data to avoid fetching and parsing STE/CD
structures on each translation. We invalidate them on data structure
invalidation commands.

We put in place a per-smmu mutex to protect the config cache. This
will be useful too to protect the IOTLB cache. The caches can be
accessed without BQL, ie. in IO dataplane. The same kind of mutex was
put in place in the intel viommu.

Signed-off-by: Eric Auger 
Reviewed-by: Peter Maydell 

---
v2 -> v3:
- use uint32_t instead of float in cache hit rate traces
- change the format of the new traces
- added Peter's R-b

v1 -> v2:
- restore mutex

v1:
- only insert the new config if decode_cfg succeeds
- use smmu_get_sid for trace_* and store hits/misses in the SMMUDevice
- s/smmuv3_put_config/smmuv3_flush_config
- document smmuv3_get_config
- removing the mutex as BQL does the job
---
 hw/arm/smmu-common.c |  24 +++-
 hw/arm/smmuv3.c  | 135 +--
 hw/arm/trace-events  |   6 ++
 include/hw/arm/smmu-common.h |   5 ++
 include/hw/arm/smmuv3.h  |   1 +
 5 files changed, 164 insertions(+), 7 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index 3c5f724..db242c7 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -310,6 +310,24 @@ static AddressSpace *smmu_find_add_as(PCIBus *bus, void 
*opaque, int devfn)
 return &sdev->as;
 }
 
+IOMMUMemoryRegion *smmu_iommu_mr(SMMUState *s, uint32_t sid)
+{
+uint8_t bus_n, devfn;
+SMMUPciBus *smmu_bus;
+SMMUDevice *smmu;
+
+bus_n = PCI_BUS_NUM(sid);
+smmu_bus = smmu_find_smmu_pcibus(s, bus_n);
+if (smmu_bus) {
+devfn = sid & 0x7;
+smmu = smmu_bus->pbdev[devfn];
+if (smmu) {
+return &smmu->iommu;
+}
+}
+return NULL;
+}
+
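
Review bot: in smmu_iommu_mr(), `devfn = sid & 0x7;` keeps only the low three bits of the stream ID, which is the PCI function number, yet the result indexes `smmu_bus->pbdev[]` as a full devfn. With `bus_n = PCI_BUS_NUM(sid)` taking the bus number from the bits above, the devfn is the low eight bits, so this should be `sid & 0xff` (or a devfn helper macro). As written, any device in a non-zero slot resolves to the wrong pbdev entry or to NULL.
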
 static void smmu_base_realize(DeviceState *dev, Error **errp)
 {
 SMMUState *s = ARM_SMMU(dev);
@@ -321,7 +339,7 @@ static void smmu_base_realize(DeviceState *dev, Error 
**errp)
 error_propagate(errp, local_err);
 return;
 }
-
+s->configs = g_hash_table_new_full(NULL, NULL, NULL, g_free);
 s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
 
 if (s->primary_bus) {
@@ -333,7 +351,9 @@ static void smmu_base_realize(DeviceState *dev, Error 
**errp)
 
 static void smmu_base_reset(DeviceState *dev)
 {
-/* will be filled later on */
+SMMUState *s = ARM_SMMU(dev);
+
+g_hash_table_remove_all(s->configs);
 }
 
 static Property smmu_dev_properties[] = {
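
Review bot: smmu_base_reset() empties `s->configs` with g_hash_table_remove_all() without taking the per-smmu mutex that the commit message introduces to protect the config cache. Since the message also says the caches can be accessed without the BQL, either take the mutex here or add a comment explaining why reset cannot race with a translation.
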
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index 70b8f29..df704c2 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -544,6 +544,58 @@ static int smmuv3_decode_config(IOMMUMemoryRegion *mr, 
SMMUTransCfg *cfg,
 return decode_cd(cfg, &cd, event);
 }
 
+/**
+ * smmuv3_get_config - Look up for a cached copy of configuration data for
+ * @sdev and on cache miss performs a configuration structure decoding from
+ * guest RAM.
+ *
+ * @sdev: SMMUDevice handle
+ * @event: output event info
+ *
+ * The configuration cache contains data resulting from both STE and CD
+ * decoding under the form of an SMMUTransCfg struct. The hash table is indexed
+ * by the SMMUDevice handle.
+ */
+static SMMUTransCfg *smmuv3_get_config(SMMUDevice *sdev, SMMUEventInfo *event)
+{
+SMMUv3State *s = sdev->smmu;
+SMMUState *bc = &s->smmu_state;
+SMMUTransCfg *cfg;
+
+cfg = g_hash_table_lookup(bc->configs, sdev);
+if (cfg) {
+sdev->cfg_cache_hits++;
+trace_smmuv3_config_cache_hit(smmu_get_sid(sdev),
+sdev->cfg_cache_hits, sdev->cfg_cache_misses,
+100 * sdev->cfg_cache_hits /
+(sdev->cfg_cache_hits + sdev->cfg_cache_misses));
+} else {
+sdev->cfg_cache_misses++;
+trace_smmuv3_config_cache_miss(smmu_get_sid(sdev),
+sdev->cfg_cache_hits, sdev->cfg_cache_misses,
+100 * sdev->cfg_cache_hits /
+(sdev->cfg_cache_hits + sdev->cfg_cache_misses));
+cfg = g_new0(SMMUTransCfg, 1);
+
+if (!smmuv3_decode_config(&sdev->iommu, cfg, event)) {
+g_hash_table_insert(bc->configs, sdev, cfg);
+} else {
+g_free(cfg);
+cfg = NULL;
+}
+}
+return cfg;
+}
+
+static void smmuv3_flush_config(SMMUDevice *sdev)
+{
+SMMUv3State *s = sdev->smmu;
+SMMUState *bc = &s->smmu_state;
+
+trace_smmuv3_config_cache_inv(smmu_get_sid(sdev));
+g_hash_table_remove(bc->configs, sdev);
+}
+
 static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
   IOMMUAccessFlags flag, int iommu_idx)
 {
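
Review bot: smmuv3_get_config() spells out the hit-rate expression `100 * sdev->cfg_cache_hits / (sdev->cfg_cache_hits + sdev->cfg_cache_misses)` twice, once in each branch; compute it once in a small helper. If the counters are 32-bit, as the v2 -> v3 note about uint32_t suggests, `100 * sdev->cfg_cache_hits` wraps after roughly 43 million hits, so the helper should use a 64-bit intermediate. The kernel-doc block should also state whether the caller must hold the mutex mentioned in the commit message.
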
@@ -553,7 +605,7 @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion 
*mr, hwaddr addr,
 SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
 SMMUPTWEventInfo ptw_info = {};
 SMMUTranslationStatus status;
-SMMUTransCfg c

[Qemu-devel] [PATCH v4 4/4] hw/arm/smmuv3: Add notifications on invalidation

2018-06-22 Thread Eric Auger
On TLB invalidation commands, let's call registered
IOMMU notifiers. Those can only be UNMAP notifiers.
SMMUv3 does not support notification on MAP (VFIO).

This patch allows vhost use case where IOTLB API is notified
on each guest IOTLB invalidation.

Signed-off-by: Eric Auger 
Reviewed-by: Peter Maydell 

---
v3 -> v4:
- fixed smmuv3_notify_flag_changed
  (new == IOMMU_NOTIFIER_MAP) replaced by (new & IOMMU_NOTIFIER_MAP)

v2 -> v3:
- added Peter's R-b
---
 hw/arm/smmu-common.c | 34 +++
 hw/arm/smmuv3.c  | 99 +++-
 hw/arm/trace-events  |  5 +++
 include/hw/arm/smmu-common.h |  6 +++
 4 files changed, 142 insertions(+), 2 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index f66e444..3098915 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -385,6 +385,40 @@ static gboolean smmu_iotlb_key_equal(gconstpointer v1, 
gconstpointer v2)
 return (k1->asid == k2->asid) && (k1->iova == k2->iova);
 }
 
+/* Unmap the whole notifier's range */
+static void smmu_unmap_notifier_range(IOMMUNotifier *n)
+{
+IOMMUTLBEntry entry;
+
+entry.target_as = &address_space_memory;
+entry.iova = n->start;
+entry.perm = IOMMU_NONE;
+entry.addr_mask = n->end - n->start;
+
+memory_region_notify_one(n, &entry);
+}
+
+/* Unmap all notifiers attached to @mr */
+inline void smmu_inv_notifiers_mr(IOMMUMemoryRegion *mr)
+{
+IOMMUNotifier *n;
+
+trace_smmu_inv_notifiers_mr(mr->parent_obj.name);
+IOMMU_NOTIFIER_FOREACH(n, mr) {
+smmu_unmap_notifier_range(n);
+}
+}
+
+/* Unmap all notifiers of all mr's */
+void smmu_inv_notifiers_all(SMMUState *s)
+{
+SMMUNotifierNode *node;
+
+QLIST_FOREACH(node, &s->notifiers_list, next) {
+smmu_inv_notifiers_mr(&node->sdev->iommu);
+}
+}
+
 static void smmu_base_realize(DeviceState *dev, Error **errp)
 {
 SMMUState *s = ARM_SMMU(dev);
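
Review bot: in smmu_unmap_notifier_range() the IOMMUTLBEntry is declared without an initializer and only target_as, iova, perm and addr_mask are assigned, so translated_addr reaches memory_region_notify_one() with an indeterminate value. Declare it as "IOMMUTLBEntry entry = {};" or set the field explicitly. The addr_mask of n->end - n->start is only a valid mask when the notifier range is a power-of-two span minus one; a comment stating that assumption would help.
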
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index b6dc7ed..39fbcbf 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -780,6 +780,68 @@ epilogue:
 return entry;
 }
 
+/**
+ * smmuv3_notify_iova - call the notifier @n for a given
+ * @asid and @iova tuple.
+ *
+ * @mr: IOMMU mr region handle
+ * @n: notifier to be called
+ * @asid: address space ID or negative value if we don't care
+ * @iova: iova
+ */
+static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
+   IOMMUNotifier *n,
+   int asid,
+   dma_addr_t iova)
+{
+SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+SMMUEventInfo event = {};
+SMMUTransTableInfo *tt;
+SMMUTransCfg *cfg;
+IOMMUTLBEntry entry;
+
+cfg = smmuv3_get_config(sdev, &event);
+if (!cfg) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s error decoding the configuration for iommu mr=%s\n",
+  __func__, mr->parent_obj.name);
+return;
+}
+
+if (asid >= 0 && cfg->asid != asid) {
+return;
+}
+
+tt = select_tt(cfg, iova);
+if (!tt) {
+return;
+}
+
+entry.target_as = &address_space_memory;
+entry.iova = iova;
+entry.addr_mask = (1 << tt->granule_sz) - 1;
+entry.perm = IOMMU_NONE;
+
+memory_region_notify_one(n, &entry);
+}
+
+/* invalidate an asid/iova tuple in all mr's */
+static void smmuv3_inv_notifiers_iova(SMMUState *s, int asid, dma_addr_t iova)
+{
+SMMUNotifierNode *node;
+
+QLIST_FOREACH(node, &s->notifiers_list, next) {
+IOMMUMemoryRegion *mr = &node->sdev->iommu;
+IOMMUNotifier *n;
+
+trace_smmuv3_inv_notifiers_iova(mr->parent_obj.name, asid, iova);
+
+IOMMU_NOTIFIER_FOREACH(n, mr) {
+smmuv3_notify_iova(mr, n, asid, iova);
+}
+}
+}
+
 static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
 SMMUState *bs = ARM_SMMU(s);
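
Review bot: smmuv3_notify_iova() repeats smmuv3_get_config() and select_tt() for every notifier, although both results depend only on the memory region and the iova, and when the configuration cannot be decoded the LOG_GUEST_ERROR message is emitted once per notifier too. Doing the lookup once per mr in smmuv3_inv_notifiers_iova(), before IOMMU_NOTIFIER_FOREACH, and passing the granule down would avoid both. The entry is also left without an initializer here, so translated_addr is unset when the notifier runs.
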
@@ -899,12 +961,14 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
 uint16_t asid = CMD_ASID(&cmd);
 
 trace_smmuv3_cmdq_tlbi_nh_asid(asid);
+smmu_inv_notifiers_all(&s->smmu_state);
 smmu_iotlb_inv_asid(bs, asid);
 break;
 }
 case SMMU_CMD_TLBI_NH_ALL:
 case SMMU_CMD_TLBI_NSNH_ALL:
 trace_smmuv3_cmdq_tlbi_nh();
+smmu_inv_notifiers_all(&s->smmu_state);
 smmu_iotlb_inv_all(bs);
 break;
 case SMMU_CMD_TLBI_NH_VAA:
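
Review bot: for the per-ASID command the added smmu_inv_notifiers_all() call unmaps the full range of every notifier on every mr, while the IOTLB call right below it is scoped with smmu_iotlb_inv_asid(bs, asid). That errs on the safe side but is much wider than what the guest asked for; if it is intentional a short comment should say so, otherwise filter on the asid the way smmuv3_notify_iova() does. Both added calls also pass &s->smmu_state where the neighbouring lines use bs.
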
@@ -913,6 +977,7 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
 uint16_t vmid = CMD_VMID(&cmd);
 
 trace_smmuv3_cmdq_tlbi_nh_vaa(vmid, addr);
+smmuv3_inv_notifiers_iova(bs, -1, addr);
 smmu_iotlb_inv_all(bs);
 break;
 }
@@ -924,6 +989,7 @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
 bool leaf = CMD_LEAF(&cmd);
 
 trace_smmuv3_cmdq_tlbi_nh_va(vmid, asid, addr, leaf);
+smmuv3_inv_notifiers_iova(bs, asid, 

[Qemu-devel] [PATCH v4 3/4] hw/arm/smmuv3: IOTLB emulation

2018-06-22 Thread Eric Auger
We emulate a TLB cache of size SMMU_IOTLB_MAX_SIZE=256.
It is implemented as a hash table whose key is a combination
of the 16b asid and 48b IOVA (Jenkins hash).

Entries are invalidated on TLB invalidation commands, either
globally, or per asid, or per asid/iova.

Signed-off-by: Eric Auger 

---
v2 -> v3:
- use uint32_t instead of float when printing the iotlb hit rate
- use const local variables in smmu_iotlb_key_equal

v1 -> v2:
- add comment about Jenkins Hash
- remove init of iotlb_hits, misses

v1:
- Add new trace point when smmu is bypassed
- s/iotlb_miss/iotlb_misses, s/iotlb_hit/iotlb_hits
- use SMMUIOTLBKey as a key

Credit to Tomasz Nowicki who did the first implementation of
this IOTLB implementation, inspired by the intel_iommu implementation.
---
 hw/arm/smmu-common.c | 60 +++
 hw/arm/smmuv3.c  | 98 ++--
 hw/arm/trace-events  |  9 
 include/hw/arm/smmu-common.h | 13 ++
 4 files changed, 176 insertions(+), 4 deletions(-)

diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index db242c7..f66e444 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -24,11 +24,43 @@
 #include "qom/cpu.h"
 #include "hw/qdev-properties.h"
 #include "qapi/error.h"
+#include "qemu/jhash.h"
 
 #include "qemu/error-report.h"
 #include "hw/arm/smmu-common.h"
 #include "smmu-internal.h"
 
+/* IOTLB Management */
+
+inline void smmu_iotlb_inv_all(SMMUState *s)
+{
+trace_smmu_iotlb_inv_all();
+g_hash_table_remove_all(s->iotlb);
+}
+
+static gboolean smmu_hash_remove_by_asid(gpointer key, gpointer value,
+ gpointer user_data)
+{
+uint16_t asid = *(uint16_t *)user_data;
+SMMUIOTLBKey *iotlb_key = (SMMUIOTLBKey *)key;
+
+return iotlb_key->asid == asid;
+}
+
+inline void smmu_iotlb_inv_iova(SMMUState *s, uint16_t asid, dma_addr_t iova)
+{
+SMMUIOTLBKey key = {.asid = asid, .iova = iova};
+
+trace_smmu_iotlb_inv_iova(asid, iova);
+g_hash_table_remove(s->iotlb, &key);
+}
+
+inline void smmu_iotlb_inv_asid(SMMUState *s, uint16_t asid)
+{
+trace_smmu_iotlb_inv_asid(asid);
+g_hash_table_foreach_remove(s->iotlb, smmu_hash_remove_by_asid, &asid);
+}
+
 /* VMSAv8-64 Translation */
 
 /**
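
Review bot: smmu_iotlb_inv_iova() builds the lookup key from the caller's iova as-is, so it only removes an entry when the caller passes exactly the address that was used as the key at insert time; please document that the iova must be aligned the same way as on insertion, or align it here. Separately, the three smmu_iotlb_inv_*() functions are defined with a bare "inline" in a .c file although smmuv3.c calls them; the keyword adds nothing for functions with external linkage and can simply be dropped.
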
@@ -328,6 +360,31 @@ IOMMUMemoryRegion *smmu_iommu_mr(SMMUState *s, uint32_t 
sid)
 return NULL;
 }
 
+static guint smmu_iotlb_key_hash(gconstpointer v)
+{
+SMMUIOTLBKey *key = (SMMUIOTLBKey *)v;
+uint32_t a, b, c;
+
+/* Jenkins hash */
+a = b = c = JHASH_INITVAL + sizeof(*key);
+a += key->asid;
+b += extract64(key->iova, 0, 32);
+c += extract64(key->iova, 32, 32);
+
+__jhash_mix(a, b, c);
+__jhash_final(a, b, c);
+
+return c;
+}
+
+static gboolean smmu_iotlb_key_equal(gconstpointer v1, gconstpointer v2)
+{
+const SMMUIOTLBKey *k1 = v1;
+const SMMUIOTLBKey *k2 = v2;
+
+return (k1->asid == k2->asid) && (k1->iova == k2->iova);
+}
+
 static void smmu_base_realize(DeviceState *dev, Error **errp)
 {
 SMMUState *s = ARM_SMMU(dev);
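
Review bot: smmu_iotlb_key_hash() casts the const away with "SMMUIOTLBKey *key = (SMMUIOTLBKey *)v;" while smmu_iotlb_key_equal() just below uses const locals; "const SMMUIOTLBKey *key = v;" would be consistent and needs no cast. The seed adds sizeof(*key), which includes any struct padding, so a comment noting that only asid and iova feed the hash would make the function easier to check.
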
@@ -340,6 +397,8 @@ static void smmu_base_realize(DeviceState *dev, Error 
**errp)
 return;
 }
 s->configs = g_hash_table_new_full(NULL, NULL, NULL, g_free);
+s->iotlb = g_hash_table_new_full(smmu_iotlb_key_hash, smmu_iotlb_key_equal,
+ g_free, g_free);
 s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
 
 if (s->primary_bus) {
@@ -354,6 +413,7 @@ static void smmu_base_reset(DeviceState *dev)
 SMMUState *s = ARM_SMMU(dev);
 
 g_hash_table_remove_all(s->configs);
+g_hash_table_remove_all(s->iotlb);
 }
 
 static Property smmu_dev_properties[] = {
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index df704c2..b6dc7ed 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -605,6 +605,10 @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion 
*mr, hwaddr addr,
 SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
 SMMUPTWEventInfo ptw_info = {};
 SMMUTranslationStatus status;
+SMMUState *bs = ARM_SMMU(s);
+uint64_t page_mask, aligned_addr;
+IOMMUTLBEntry *cached_entry = NULL;
+SMMUTransTableInfo *tt;
 SMMUTransCfg *cfg = NULL;
 IOMMUTLBEntry entry = {
 .target_as = &address_space_memory,
@@ -613,6 +617,7 @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion 
*mr, hwaddr addr,
 .addr_mask = ~(hwaddr)0,
 .perm = IOMMU_NONE,
 };
+SMMUIOTLBKey key, *new_key;
 
 qemu_mutex_lock(&s->mutex);
 
@@ -637,7 +642,57 @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion 
*mr, hwaddr addr,
 goto epilogue;
 }
 
-if (smmu_ptw(cfg, addr, flag, &entry, &ptw_info)) {
+tt = select_tt(cfg, addr);
+if (!tt) {
+if (event.record_trans_faults) {
+event.type = SMMU_EVT_F_TRANSLATION;
+event.u.f_translation.addr = addr;
+event.u.f_translation.rnw = flag & 0x1;
+}
+ 
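
The cache and the three invalidation scopes described in the commit message above (global, per ASID, per ASID/IOVA), as an added C example that is not QEMU's code: a direct-mapped array stands in for the GHashTable and a simple index function for the Jenkins hash. All names and sample addresses are constructed for illustration.

```c
/* Added example, not QEMU code: every identifier below is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOTLB_SLOTS 256u   /* capacity quoted in the commit message */

typedef struct {
    bool     valid;
    uint16_t asid;
    uint64_t iova, pa;     /* page-aligned input and output addresses */
} TlbEntry;

typedef struct { TlbEntry slot[IOTLB_SLOTS]; } Iotlb;

/* Base of the page containing addr, for a granule of 2^gsz bytes. */
static uint64_t page_base(uint64_t addr, unsigned gsz) {
    return addr & ~((UINT64_C(1) << gsz) - 1);
}

/* Slot index: a simple stand-in for the Jenkins hash the patch uses. */
static unsigned slot_of(uint16_t asid, uint64_t base) {
    return (unsigned)(((base >> 12) + asid * 31u) % IOTLB_SLOTS);
}

/* Slot that (asid, addr) maps to, or NULL unless it holds exactly that key. */
static TlbEntry *find(Iotlb *t, uint16_t asid, uint64_t addr, unsigned gsz) {
    uint64_t base = page_base(addr, gsz);
    TlbEntry *e = &t->slot[slot_of(asid, base)];
    return (e->valid && e->asid == asid && e->iova == base) ? e : NULL;
}

/* Direct-mapped insert: whatever occupied the slot is evicted. */
static void iotlb_insert(Iotlb *t, uint16_t asid, uint64_t iova, uint64_t pa,
                         unsigned gsz) {
    uint64_t base = page_base(iova, gsz);
    t->slot[slot_of(asid, base)] = (TlbEntry){
        .valid = true, .asid = asid, .iova = base, .pa = page_base(pa, gsz) };
}

/* Returns true on a hit and stores the translated address in *out. */
static bool iotlb_lookup(Iotlb *t, uint16_t asid, uint64_t addr, unsigned gsz,
                         uint64_t *out) {
    TlbEntry *e = find(t, asid, addr, gsz);
    if (e) {
        *out = e->pa | (addr - e->iova);
    }
    return e != NULL;
}

/* Per-ASID/IOVA scope. find() aligns the address first: comparing a raw,
 * unaligned address against the stored key would leave the entry cached. */
static bool iotlb_inv_iova(Iotlb *t, uint16_t asid, uint64_t addr, unsigned gsz) {
    TlbEntry *e = find(t, asid, addr, gsz);
    if (e) {
        e->valid = false;
    }
    return e != NULL;
}

/* Per-ASID scope: drop every entry of one address space, return the count. */
static size_t iotlb_inv_asid(Iotlb *t, uint16_t asid) {
    size_t n = 0;
    for (size_t i = 0; i < IOTLB_SLOTS; i++) {
        if (t->slot[i].valid && t->slot[i].asid == asid) {
            t->slot[i].valid = false;
            n++;
        }
    }
    return n;
}

/* Global scope: every entry goes. */
static void iotlb_inv_all(Iotlb *t) { memset(t, 0, sizeof(*t)); }

/* Constructed scenario; each bit records one expected outcome (0x3f = all). */
int iotlb_scenario(void) {
    Iotlb t;
    uint64_t out = 0;
    int ok = 0;
    iotlb_inv_all(&t);
    iotlb_insert(&t, 1, 0x1000, 0x80001000, 12);
    iotlb_insert(&t, 1, 0x2000, 0x80002000, 12);
    iotlb_insert(&t, 2, 0x1000, 0x90001000, 12);
    ok |= (iotlb_lookup(&t, 1, 0x1234, 12, &out) && out == 0x80001234) << 0;
    ok |= (iotlb_inv_iova(&t, 2, 0x1abc, 12) &&
           !iotlb_lookup(&t, 2, 0x1000, 12, &out)) << 1;
    ok |= iotlb_lookup(&t, 1, 0x1000, 12, &out) << 2;  /* other ASID kept */
    ok |= (iotlb_inv_asid(&t, 1) == 2) << 3;
    ok |= !iotlb_lookup(&t, 1, 0x2000, 12, &out) << 4;
    iotlb_insert(&t, 2, 0x1000, 0x90001000, 12);
    iotlb_inv_all(&t);
    ok |= !iotlb_lookup(&t, 2, 0x1000, 12, &out) << 5;
    return ok;
}

int main(void) { return iotlb_scenario() == 0x3f ? 0 : 1; }
```

A stale entry that survives an invalidation keeps translating DMA to memory the guest has already reassigned, which is why the per-IOVA path aligns the address before comparing keys.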

Re: [Qemu-devel] [PATCH] ppc: Fix sam460ex devicetree when booting the Linux kernel

2018-06-22 Thread BALATON Zoltan

Hello,

Thanks for the feedback, really appreciated.

On Fri, 22 Jun 2018, David Gibson wrote:

On Thu, Jun 21, 2018 at 09:47:51PM -0700, Guenter Roeck wrote:

sam460ex (or at least this emulation) does not support the "ibm,cpm" power
management. As a result, Linux crashes when trying to access it. Remove
its devicetree node. Also, if/when we boot the Linux kernel directly,
u-boot will not fix up serial frequencies in the devicetree file, and
serial port initialization will fail. Add plausible frequency values to the
first serial port to be able to use it. Disable the second serial port
since it is not available on the board.  Also set valid values for the
other clock nodes otherwise set by u-boot.


Patching clock values when using -kernel instead of u-boot looks good. 
Although I've tested booting a Linux kernel and could see serial output 
while the kernel boots, it only went silent after it started user space. Is 
this the same as what you see, or do you not get serial output (with loglevel 
set to some higher value) even during kernel boot? Which kernel and image do 
you test with?


Does leaving second UART in device tree cause any problems? The fdt in 
kernel has these and I'm not sure u-boot would patch this out. Do we need 
to remove this? This did not seem to cause any problem with guests I've 
tried so far. Does real hardware have a different fdt than the stock 
kernel one (which is also what's downloadable from ACube's site).


The version of the Linux kernel I've tried (which is from the Linux CD on 
ACube's site) did not try to access the power management register, neither 
any guest OSes I've tested with. Looks like it may be specific to the 
kernel config you're using.


By the way, when I tried with a more recent Linux kernel (4.15.10) I 
noticed that the sm501 driver seemed to have endianness problems and 
thus did not find the chip, while it works with other older kernels made 
for sam460ex. I did not try to debug or bisect this yet. Do you know 
anything about that?


Regards,
BALATON Zoltan


Signed-off-by: Guenter Roeck 
---
 hw/ppc/sam460ex.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
index bdc53d2..045a255 100644
--- a/hw/ppc/sam460ex.c
+++ b/hw/ppc/sam460ex.c
@@ -308,6 +308,24 @@ static int sam460ex_load_device_tree(hwaddr addr,
 qemu_fdt_setprop_cell(fdt, "/cpus/cpu@0", "timebase-frequency",
   tb_freq);

+/* Remove cpm node (not emulated) */
+qemu_fdt_nop_node(fdt, "/cpm");
+/* set serial port clock and speed */
+qemu_fdt_setprop_cell(fdt, "/plb/opb/serial@ef600300", "clock-frequency",
+  5000);
+qemu_fdt_setprop_cell(fdt, "/plb/opb/serial@ef600300", "current-speed",
+  38400);
+/* disable second serial port */
+qemu_fdt_setprop_string(fdt, "/plb/opb/serial@ef600400", "status",
+  "disabled");
+/* some more clocks */
+qemu_fdt_setprop_cell(fdt, "/plb", "clock-frequency",
+  5000);
+qemu_fdt_setprop_cell(fdt, "/plb/opb", "clock-frequency",
+  5000);
+qemu_fdt_setprop_cell(fdt, "/plb/opb/ebc", "clock-frequency",
+  5000);
+
 rom_add_blob_fixed(BINARY_DEVICE_TREE_FILE, fdt, fdt_size, addr);
 g_free(fdt);
 ret = fdt_size;
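
Review bot: the new fix-ups in sam460ex_load_device_tree() are applied on every load with the node paths and clock values hard-coded inline, and nothing in the code says where the values come from; the commit message itself only calls them "plausible". Named constants plus a comment stating that these mirror what u-boot would otherwise patch in would make the block checkable against the board. The comment on the second serial port should also say why it is disabled.
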







[Qemu-devel] [PATCH v2 3/3] aspeed/timer: use the APB frequency from the SCU

2018-06-22 Thread Cédric Le Goater
The timer controller can be driven by either an external 1MHz clock or
by the APB clock. Today, the model makes the assumption that the APB
frequency is always set to 24MHz but this is incorrect.

The AST2400 SoC on the palmetto machines uses a 48MHz input clock
source and the APB can be set to 48MHz. The consequence is a general
system slowdown. The QEMU machines using the AST2500 SoC do not seem
impacted today because the APB frequency is still set to 24MHz.

We fix the timer frequency for all SoCs by linking the Timer model to
the SCU model. The APB frequency driving the timers is now the one
configured for the SoC.

Signed-off-by: Cédric Le Goater 
Reviewed-by: Joel Stanley 
---
 include/hw/timer/aspeed_timer.h |  4 
 hw/arm/aspeed_soc.c |  2 ++
 hw/timer/aspeed_timer.c | 19 +++
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/aspeed_timer.h b/include/hw/timer/aspeed_timer.h
index bd6c1a7f9609..040a08873432 100644
--- a/include/hw/timer/aspeed_timer.h
+++ b/include/hw/timer/aspeed_timer.h
@@ -24,6 +24,8 @@
 
 #include "qemu/timer.h"
 
+typedef struct AspeedSCUState AspeedSCUState;
+
 #define ASPEED_TIMER(obj) \
 OBJECT_CHECK(AspeedTimerCtrlState, (obj), TYPE_ASPEED_TIMER);
 #define TYPE_ASPEED_TIMER "aspeed.timer"
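
Review bot: the forward "typedef struct AspeedSCUState AspeedSCUState;" added here duplicates the typedef that hw/misc/aspeed_scu.h already provides, and hw/timer/aspeed_timer.c now includes both headers. Repeating a typedef is only valid from C11 on; either include hw/misc/aspeed_scu.h from this header or declare the field as "struct AspeedSCUState *scu;" so that no second typedef is needed.
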
@@ -55,6 +57,8 @@ typedef struct AspeedTimerCtrlState {
 uint32_t ctrl;
 uint32_t ctrl2;
 AspeedTimer timers[ASPEED_TIMER_NR_TIMERS];
+
+AspeedSCUState *scu;
 } AspeedTimerCtrlState;
 
 #endif /* ASPEED_TIMER_H */
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index 7cc05ee27ea4..e68911af0f90 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -127,6 +127,8 @@ static void aspeed_soc_init(Object *obj)
 
 object_initialize(&s->timerctrl, sizeof(s->timerctrl), TYPE_ASPEED_TIMER);
 object_property_add_child(obj, "timerctrl", OBJECT(&s->timerctrl), NULL);
+object_property_add_const_link(OBJECT(&s->timerctrl), "scu",
+   OBJECT(&s->scu), &error_abort);
 qdev_set_parent_bus(DEVICE(&s->timerctrl), sysbus_get_default());
 
 object_initialize(&s->i2c, sizeof(s->i2c), TYPE_ASPEED_I2C);
diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index 1e31e22b6f1f..5e3f51b66b43 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -10,8 +10,10 @@
  */
 
 #include "qemu/osdep.h"
+#include "qapi/error.h"
 #include "hw/sysbus.h"
 #include "hw/timer/aspeed_timer.h"
+#include "hw/misc/aspeed_scu.h"
 #include "qemu-common.h"
 #include "qemu/bitops.h"
 #include "qemu/timer.h"
@@ -26,7 +28,6 @@
 #define TIMER_CLOCK_USE_EXT true
 #define TIMER_CLOCK_EXT_HZ 100
 #define TIMER_CLOCK_USE_APB false
-#define TIMER_CLOCK_APB_HZ 2400
 
 #define TIMER_REG_STATUS 0
 #define TIMER_REG_RELOAD 1
@@ -80,11 +81,11 @@ static inline bool timer_external_clock(AspeedTimer *t)
 return timer_ctrl_status(t, op_external_clock);
 }
 
-static uint32_t clock_rates[] = { TIMER_CLOCK_APB_HZ, TIMER_CLOCK_EXT_HZ };
-
 static inline uint32_t calculate_rate(struct AspeedTimer *t)
 {
-return clock_rates[timer_external_clock(t)];
+AspeedTimerCtrlState *s = timer_to_ctrl(t);
+
+return timer_external_clock(t) ? TIMER_CLOCK_EXT_HZ : s->scu->apb_freq;
 }
 
 static inline uint32_t calculate_ticks(struct AspeedTimer *t, uint64_t now_ns)
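
Review bot: calculate_rate() now returns s->scu->apb_freq unchecked, so the timer rate is whatever the SCU model holds at the moment of the call, including 0 if the SCU has not computed it yet. A comment on when apb_freq is guaranteed to be set, or an assert that it is non-zero, would make the dependency on SCU initialisation order explicit; patch 2/3 moves the SCU first but nothing in this function says that it relies on it.
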
@@ -449,6 +450,16 @@ static void aspeed_timer_realize(DeviceState *dev, Error 
**errp)
 int i;
 SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 AspeedTimerCtrlState *s = ASPEED_TIMER(dev);
+Object *obj;
+Error *err = NULL;
+
+obj = object_property_get_link(OBJECT(dev), "scu", &err);
+if (!obj) {
+error_propagate(errp, err);
+error_prepend(errp, "required link 'scu' not found: ");
+return;
+}
+s->scu = ASPEED_SCU(obj);
 
 for (i = 0; i < ASPEED_TIMER_NR_TIMERS; i++) {
 aspeed_init_one_timer(s, i);
-- 
2.13.6




[Qemu-devel] [PATCH v2 0/3] aspeed: introduce the APB clock settings

2018-06-22 Thread Cédric Le Goater
Hello,

The Aspeed SoC clocks are driven by an input source clock which can
have different frequencies: 24MHz or 25MHz, and also, on the Aspeed
AST2400 SoC, 48MHz. The H-PLL (CPU) clock is defined from a calculation
using parameters in the H-PLL Parameter register or from a predefined
set of frequencies if the setting is strapped by hardware (Aspeed
AST2400 SoC). The other clocks of the SoC are then defined from the
H-PLL using dividers.

We first introduce the APB clock because it drives the timer model.
This fixes a slowdown issue on the palmetto machine (AST2400) when
running Linux. The latest Linux versions take into account more
precisely the SoC settings for the clocks and the APB freq is set to
48MHz but modeled at 24MHz by QEMU.

Thanks,

C.

Changes since v1:

- fixed AST2400 HPLL calculation when CLKIN is 25MHz 

Cédric Le Goater (3):
  aspeed/scu: introduce clock frequencies
  aspeed: initialize the SCU controller first
  aspeed/timer: use the APB frequency from the SCU

 include/hw/misc/aspeed_scu.h|  70 --
 include/hw/timer/aspeed_timer.h |   4 ++
 hw/arm/aspeed_soc.c |  42 
 hw/misc/aspeed_scu.c| 106 
 hw/timer/aspeed_timer.c |  19 +--
 5 files changed, 213 insertions(+), 28 deletions(-)

-- 
2.13.6




[Qemu-devel] [PATCH v2 1/3] aspeed/scu: introduce clock frequencies

2018-06-22 Thread Cédric Le Goater
All Aspeed SoC clocks are driven by an input source clock which can
have different frequencies: 24MHz or 25MHz, and also, on the Aspeed
AST2400 SoC, 48MHz. The H-PLL (CPU) clock is defined from a
calculation using parameters in the H-PLL Parameter register or from a
predefined set of frequencies if the setting is strapped by hardware
(Aspeed AST2400 SoC). The other clocks of the SoC are then defined
from the H-PLL using dividers.

We introduce first the APB clock because it should be used to drive
the Aspeed timer model.

Signed-off-by: Cédric Le Goater 
---
 include/hw/misc/aspeed_scu.h |  70 ++--
 hw/misc/aspeed_scu.c | 106 +++
 2 files changed, 172 insertions(+), 4 deletions(-)

diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h
index d70cc0aeca61..f662c38188f4 100644
--- a/include/hw/misc/aspeed_scu.h
+++ b/include/hw/misc/aspeed_scu.h
@@ -30,6 +30,10 @@ typedef struct AspeedSCUState {
 uint32_t hw_strap1;
 uint32_t hw_strap2;
 uint32_t hw_prot_key;
+
+uint32_t clkin;
+uint32_t hpll;
+uint32_t apb_freq;
 } AspeedSCUState;
 
 #define AST2400_A0_SILICON_REV   0x02000303U
@@ -58,7 +62,64 @@ extern bool is_supported_silicon_rev(uint32_t silicon_rev);
  *   1. 2012/12/29 Ryan Chen Create
  */
 
-/* Hardware Strapping Register definition (for Aspeed AST2400 SOC)
+/* SCU08   Clock Selection Register
+ *
+ *  31 Enable Video Engine clock dynamic slow down
+ *  30:28  Video Engine clock slow down setting
+ *  27 2D Engine GCLK clock source selection
+ *  26 2D Engine GCLK clock throttling enable
+ *  25:23  APB PCLK divider selection
+ *  22:20  LPC Host LHCLK divider selection
+ *  19 LPC Host LHCLK clock generation/output enable control
+ *  18:16  MAC AHB bus clock divider selection
+ *  15 SD/SDIO clock running enable
+ *  14:12  SD/SDIO divider selection
+ *  11 Reserved
+ *  10:8   Video port output clock delay control bit
+ *  7  ARM CPU/AHB clock slow down enable
+ *  6:4ARM CPU/AHB clock slow down setting
+ *  3:2ECLK clock source selection
+ *  1  CPU/AHB clock slow down idle timer
+ *  0  CPU/AHB clock dynamic slow down enable (defined in bit[6:4])
+ */
+#define SCU_CLK_GET_PCLK_DIV(x)(((x) >> 23) & 0x7)
+
+/* SCU24   H-PLL Parameter Register (for Aspeed AST2400 SOC)
+ *
+ *  18 H-PLL parameter selection
+ *   0: Select H-PLL by strapping resistors
+ *   1: Select H-PLL by the programmed registers (SCU24[17:0])
+ *  17 Enable H-PLL bypass mode
+ *  16 Turn off H-PLL
+ *  10:5   H-PLL Numerator
+ *  4  H-PLL Output Divider
+ *  3:0H-PLL Denumerator
+ *
+ *  (Output frequency) = 24MHz * (2-OD) * [(Numerator+2) / (Denumerator+1)]
+ */
+
+#define SCU_AST2400_H_PLL_PROGRAMMED   (0x1 << 18)
+#define SCU_AST2400_H_PLL_BYPASS_EN(0x1 << 17)
+#define SCU_AST2400_H_PLL_OFF  (0x1 << 16)
+
+/* SCU24   H-PLL Parameter Register (for Aspeed AST2500 SOC)
+ *
+ *  21 Enable H-PLL reset
+ *  20 Enable H-PLL bypass mode
+ *  19 Turn off H-PLL
+ *  18:13  H-PLL Post Divider
+ *  12:5   H-PLL Numerator (M)
+ *  4:0H-PLL Denumerator (N)
+ *
+ *  (Output frequency) = CLKIN(24MHz) * [(M+1) / (N+1)] / (P+1)
+ *
+ * The default frequency is 792Mhz when CLKIN = 24MHz
+ */
+
+#define SCU_H_PLL_BYPASS_EN(0x1 << 20)
+#define SCU_H_PLL_OFF  (0x1 << 19)
+
+/* SCU70  Hardware Strapping Register definition (for Aspeed AST2400 SOC)
  *
  * 31:29  Software defined strapping registers
  * 28:27  DRAM size setting (for VGA driver use)
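
Review bot: the AST2400 H-PLL comment hard-codes 24MHz in the output frequency formula, while the commit message says the input clock can be 24MHz, 25MHz or 48MHz and the AST2500 comment below already writes CLKIN; use CLKIN in both formulas. "Denumerator" should read "Denominator" in both register descriptions, and SCU_CLK_GET_PCLK_DIV() would benefit from a note on how the 3-bit field maps to the actual divider.
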
@@ -107,12 +168,13 @@ extern bool is_supported_silicon_rev(uint32_t 
silicon_rev);
 #define SCU_AST2400_HW_STRAP_GET_CLK_SOURCE(x) (x) >> 23) & 0x1) << 1) 
\
 | (((x) >> 18) & 0x1))
 #define SCU_AST2400_HW_STRAP_CLK_SOURCE_MASK   ((0x1 << 23) | (0x1 << 18))
-#define AST2400_CLK_25M_IN (0x1 << 23)
+#define SCU_HW_STRAP_CLK_25M_IN(0x1 << 23)
 #define AST2400_CLK_24M_IN 0
 #define AST2400_CLK_48M_IN 1
 #define AST2400_CLK_25M_IN_24M_USB_CKI 2
 #define AST2400_CLK_25M_IN_48M_USB_CKI 3
 
+#define SCU_HW_STRAP_CLK_48M_IN(0x1 << 18)
 #define SCU_HW_STRAP_2ND_BOOT_WDT  (0x1 << 17)
 #define SCU_HW_STRAP_SUPER_IO_CONFIG   (0x1 << 16)
 #define SCU_HW_STRAP_VGA_CLASS_CODE(0x1 << 15)
@@ -160,8 +222,8 @@ extern bool is_supported_silicon_rev(uint32_t silicon_rev);
 #define AST2400_DIS_BOOT   3
 
 /*
- * Hardware strapping register definition (for Aspeed AST2500 SoC and
- * higher)
+ * SCU70  Hardware strapping register definition (for Aspeed AST2500
+ *SoC and higher)
  *
  * 31 Enable SPI Fl

[Qemu-devel] [PATCH 1/2] mac_dbdma: only dump commands for debug enabled channels

2018-06-22 Thread Mark Cave-Ayland
This enables us to apply the same filter in DEBUG_DBDMA_CHANMASK to the
DBDMA command execution debug output.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/mac_dbdma.c | 21 +++--
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c
index 1b2a69b3ef..87ae246d37 100644
--- a/hw/misc/macio/mac_dbdma.c
+++ b/hw/misc/macio/mac_dbdma.c
@@ -71,18 +71,19 @@ static DBDMAState *dbdma_from_ch(DBDMA_channel *ch)
 }
 
 #if DEBUG_DBDMA
-static void dump_dbdma_cmd(dbdma_cmd *cmd)
+static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
 {
-printf("dbdma_cmd %p\n", cmd);
-printf("req_count 0x%04x\n", le16_to_cpu(cmd->req_count));
-printf("command 0x%04x\n", le16_to_cpu(cmd->command));
-printf("phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
-printf("cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
-printf("res_count 0x%04x\n", le16_to_cpu(cmd->res_count));
-printf("xfer_status 0x%04x\n", le16_to_cpu(cmd->xfer_status));
+DBDMA_DPRINTFCH(ch, "dbdma_cmd %p\n", cmd);
+DBDMA_DPRINTFCH(ch, "req_count 0x%04x\n", le16_to_cpu(cmd->req_count));
+DBDMA_DPRINTFCH(ch, "command 0x%04x\n", le16_to_cpu(cmd->command));
+DBDMA_DPRINTFCH(ch, "phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
+DBDMA_DPRINTFCH(ch, "cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
+DBDMA_DPRINTFCH(ch, "res_count 0x%04x\n", le16_to_cpu(cmd->res_count));
+DBDMA_DPRINTFCH(ch, "xfer_status 0x%04x\n",
+le16_to_cpu(cmd->xfer_status));
 }
 #else
-static void dump_dbdma_cmd(dbdma_cmd *cmd)
+static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
 {
 }
 #endif
@@ -448,7 +449,7 @@ static void channel_run(DBDMA_channel *ch)
 uint32_t phy_addr;
 
 DBDMA_DPRINTFCH(ch, "channel_run\n");
-dump_dbdma_cmd(current);
+dump_dbdma_cmd(ch, current);
 
 /* clear WAKE flag at command fetch */
 
-- 
2.11.0




[Qemu-devel] [PATCH 2/2] mac_newworld: always enable disable_direct_reg3_writes for ADB machines

2018-06-22 Thread Mark Cave-Ayland
Commit 84051eb400 "adb: add property to disable direct reg 3 writes" added a
workaround for MacOS 9 incorrectly setting the mouse address during boot of
PMU machines.

Further testing has shown that since fb6649f172 "adb: fix read reg 3 byte
ordering" this can still sometimes happen with the CUDA mac99 machine,
so let's enable this workaround for all New World machines using ADB for now.

Signed-off-by: Mark Cave-Ayland 
---
 hw/ppc/mac_newworld.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index ff715d..2b13fcdde5 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -407,11 +407,11 @@ static void ppc_core99_init(MachineState *machine)
 
 adb_bus = qdev_get_child_bus(dev, "adb.0");
 dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
-qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
+qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
 qdev_init_nofail(dev);
 
 dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
-qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
+qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
 qdev_init_nofail(dev);
 }
 
-- 
2.11.0




[Qemu-devel] [PATCH v2 2/3] aspeed: initialize the SCU controller first

2018-06-22 Thread Cédric Le Goater
The System Control Unit should be initialized first as it drives all
the configuration of the SoC and other device models.

Signed-off-by: Cédric Le Goater 
Reviewed-by: Joel Stanley 
---
 hw/arm/aspeed_soc.c | 40 
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index 1955a892f4a4..7cc05ee27ea4 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -109,18 +109,6 @@ static void aspeed_soc_init(Object *obj)
 object_initialize(&s->cpu, sizeof(s->cpu), sc->info->cpu_type);
 object_property_add_child(obj, "cpu", OBJECT(&s->cpu), NULL);
 
-object_initialize(&s->vic, sizeof(s->vic), TYPE_ASPEED_VIC);
-object_property_add_child(obj, "vic", OBJECT(&s->vic), NULL);
-qdev_set_parent_bus(DEVICE(&s->vic), sysbus_get_default());
-
-object_initialize(&s->timerctrl, sizeof(s->timerctrl), TYPE_ASPEED_TIMER);
-object_property_add_child(obj, "timerctrl", OBJECT(&s->timerctrl), NULL);
-qdev_set_parent_bus(DEVICE(&s->timerctrl), sysbus_get_default());
-
-object_initialize(&s->i2c, sizeof(s->i2c), TYPE_ASPEED_I2C);
-object_property_add_child(obj, "i2c", OBJECT(&s->i2c), NULL);
-qdev_set_parent_bus(DEVICE(&s->i2c), sysbus_get_default());
-
 object_initialize(&s->scu, sizeof(s->scu), TYPE_ASPEED_SCU);
 object_property_add_child(obj, "scu", OBJECT(&s->scu), NULL);
 qdev_set_parent_bus(DEVICE(&s->scu), sysbus_get_default());
@@ -133,6 +121,18 @@ static void aspeed_soc_init(Object *obj)
 object_property_add_alias(obj, "hw-prot-key", OBJECT(&s->scu),
   "hw-prot-key", &error_abort);
 
+object_initialize(&s->vic, sizeof(s->vic), TYPE_ASPEED_VIC);
+object_property_add_child(obj, "vic", OBJECT(&s->vic), NULL);
+qdev_set_parent_bus(DEVICE(&s->vic), sysbus_get_default());
+
+object_initialize(&s->timerctrl, sizeof(s->timerctrl), TYPE_ASPEED_TIMER);
+object_property_add_child(obj, "timerctrl", OBJECT(&s->timerctrl), NULL);
+qdev_set_parent_bus(DEVICE(&s->timerctrl), sysbus_get_default());
+
+object_initialize(&s->i2c, sizeof(s->i2c), TYPE_ASPEED_I2C);
+object_property_add_child(obj, "i2c", OBJECT(&s->i2c), NULL);
+qdev_set_parent_bus(DEVICE(&s->i2c), sysbus_get_default());
+
 object_initialize(&s->fmc, sizeof(s->fmc), sc->info->fmc_typename);
 object_property_add_child(obj, "fmc", OBJECT(&s->fmc), NULL);
 qdev_set_parent_bus(DEVICE(&s->fmc), sysbus_get_default());
@@ -195,6 +195,14 @@ static void aspeed_soc_realize(DeviceState *dev, Error 
**errp)
 memory_region_add_subregion(get_system_memory(), ASPEED_SOC_SRAM_BASE,
 &s->sram);
 
+/* SCU */
+object_property_set_bool(OBJECT(&s->scu), true, "realized", &err);
+if (err) {
+error_propagate(errp, err);
+return;
+}
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, ASPEED_SOC_SCU_BASE);
+
 /* VIC */
 object_property_set_bool(OBJECT(&s->vic), true, "realized", &err);
 if (err) {
@@ -219,14 +227,6 @@ static void aspeed_soc_realize(DeviceState *dev, Error 
**errp)
 sysbus_connect_irq(SYS_BUS_DEVICE(&s->timerctrl), i, irq);
 }
 
-/* SCU */
-object_property_set_bool(OBJECT(&s->scu), true, "realized", &err);
-if (err) {
-error_propagate(errp, err);
-return;
-}
-sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, ASPEED_SOC_SCU_BASE);
-
 /* UART - attach an 8250 to the IO space as our UART5 */
 if (serial_hd(0)) {
 qemu_irq uart5 = qdev_get_gpio_in(DEVICE(&s->vic), uart_irqs[4]);
-- 
2.13.6




[Qemu-devel] [PATCH v2 1/2] target/arm: Introduce ARM_FEATURE_M_MAIN

2018-06-22 Thread Julia Suvorova via Qemu-devel
This feature is intended to distinguish ARMv8-M variants: Baseline and
Mainline. ARMv7-M compatibility requires the Main Extension. ARMv6-M
compatibility is provided by all ARMv8-M implementations.

Signed-off-by: Julia Suvorova 
---
 target/arm/cpu.c | 3 +++
 target/arm/cpu.h | 1 +
 2 files changed, 4 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 73073c..c8bba94b06 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1248,6 +1248,7 @@ static void cortex_m3_initfn(Object *obj)
 ARMCPU *cpu = ARM_CPU(obj);
 set_feature(&cpu->env, ARM_FEATURE_V7);
 set_feature(&cpu->env, ARM_FEATURE_M);
+set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 cpu->midr = 0x410fc231;
 cpu->pmsav7_dregion = 8;
 cpu->id_pfr0 = 0x0030;
@@ -1272,6 +1273,7 @@ static void cortex_m4_initfn(Object *obj)
 
 set_feature(&cpu->env, ARM_FEATURE_V7);
 set_feature(&cpu->env, ARM_FEATURE_M);
+set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 cpu->midr = 0x410fc240; /* r0p0 */
 cpu->pmsav7_dregion = 8;
@@ -1297,6 +1299,7 @@ static void cortex_m33_initfn(Object *obj)
 
 set_feature(&cpu->env, ARM_FEATURE_V8);
 set_feature(&cpu->env, ARM_FEATURE_M);
+set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 set_feature(&cpu->env, ARM_FEATURE_M_SECURITY);
 set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 cpu->midr = 0x410fd213; /* r0p3 */
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 8488273c5b..a4507a2d6f 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1482,6 +1482,7 @@ enum arm_features {
 ARM_FEATURE_V8_RDM, /* implements v8.1 simd round multiply */
 ARM_FEATURE_V8_FP16, /* implements v8.2 half-precision float */
 ARM_FEATURE_V8_FCMA, /* has complex number part of v8.3 extensions.  */
+ARM_FEATURE_M_MAIN, /* M profile Main Extension */
 };
 
 static inline int arm_feature(CPUARMState *env, int feature)
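
Review bot: ARM_FEATURE_M_MAIN is opt-in, so any M-profile CPU init function that does not set it is treated as Baseline by code that tests the flag. The enum comment should spell out that polarity, for example "M profile Main Extension; absent on ARMv6-M and ARMv8-M Baseline", so that whoever adds the next M-profile model knows the flag has to be set explicitly.
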
-- 
2.17.0




[Qemu-devel] [PATCH 0/2] ppc: minor Mac fixes

2018-06-22 Thread Mark Cave-Ayland
Here are a couple of minor fixes for things discovered during further
testing of the recent Mac changes.

Signed-off-by: Mark Cave-Ayland 


Mark Cave-Ayland (2):
  mac_dbdma: only dump commands for debug enabled channels
  mac_newworld: always enable disable_direct_reg3_writes for ADB
machines

 hw/misc/macio/mac_dbdma.c | 21 +++--
 hw/ppc/mac_newworld.c |  4 ++--
 2 files changed, 13 insertions(+), 12 deletions(-)

-- 
2.11.0




[Qemu-devel] [PATCH v2 2/2] target/arm: Strict alignment for ARMv6-M and ARMv8-M Baseline

2018-06-22 Thread Julia Suvorova via Qemu-devel
Unlike ARMv7-M, ARMv6-M and ARMv8-M Baseline only support naturally
aligned memory accesses for load/store instructions.

Signed-off-by: Julia Suvorova 
---
 target/arm/translate.c | 18 --
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index b988d379e7..2a3e4f5d4c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -1100,7 +1100,14 @@ static inline TCGv gen_aa32_addr(DisasContext *s, 
TCGv_i32 a32, TCGMemOp op)
 static void gen_aa32_ld_i32(DisasContext *s, TCGv_i32 val, TCGv_i32 a32,
 int index, TCGMemOp opc)
 {
-TCGv addr = gen_aa32_addr(s, a32, opc);
+TCGv addr;
+
+if (arm_dc_feature(s, ARM_FEATURE_M) &&
+!arm_dc_feature(s, ARM_FEATURE_M_MAIN)) {
+opc |= MO_ALIGN;
+}
+
+addr = gen_aa32_addr(s, a32, opc);
 tcg_gen_qemu_ld_i32(val, addr, index, opc);
 tcg_temp_free(addr);
 }
@@ -1108,7 +1115,14 @@ static void gen_aa32_ld_i32(DisasContext *s, TCGv_i32 
val, TCGv_i32 a32,
 static void gen_aa32_st_i32(DisasContext *s, TCGv_i32 val, TCGv_i32 a32,
 int index, TCGMemOp opc)
 {
-TCGv addr = gen_aa32_addr(s, a32, opc);
+TCGv addr;
+
+if (arm_dc_feature(s, ARM_FEATURE_M) &&
+!arm_dc_feature(s, ARM_FEATURE_M_MAIN)) {
+opc |= MO_ALIGN;
+}
+
+addr = gen_aa32_addr(s, a32, opc);
 tcg_gen_qemu_st_i32(val, addr, index, opc);
 tcg_temp_free(addr);
 }
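
Review bot: the Baseline test and "opc |= MO_ALIGN;" are duplicated verbatim in gen_aa32_ld_i32() and gen_aa32_st_i32(); a small helper that returns the adjusted opc would keep the load and store paths from drifting apart. Only these two 32-bit generators are touched, so the commit message should say whether every other load/store path goes through them or needs the same flag.
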
-- 
2.17.0




Re: [Qemu-devel] [PATCH v4 02/11] ppc4xx_i2c: Implement directcntl register

2018-06-22 Thread BALATON Zoltan

On Fri, 22 Jun 2018, David Gibson wrote:

On Thu, Jun 21, 2018 at 09:17:11AM +0200, BALATON Zoltan wrote:

On Wed, 20 Jun 2018, David Gibson wrote:

On Tue, Jun 19, 2018 at 10:52:15AM +0200, BALATON Zoltan wrote:

As well as being able to generate its own i2c transactions, the ppc4xx
i2c controller has a DIRECTCNTL register which allows explicit control
of the i2c lines.

Using this register an OS can directly bitbang i2c operations. In
order to let emulated i2c devices respond to this, we need to wire up
the DIRECTCNTL register to qemu's bitbanged i2c handling code.

Signed-off-by: BALATON Zoltan 
---
v4: Updated commit message and use defined constant where
appropriate


I still don't quite understand your approach to the symbolic
constants here, but I don't care enough to hold this up any further.
So, applied to ppc-for-3.0.


Thanks, just to try to clear this up, I consider symbolic constants to be
the name of bits 0-3 in the directcntl register so while MSCL equals 1 it's
only appropriate to use the constant if I really mean (1 << 0) i.e. bit 0 of
directcntl reg.


Right..




diff --git a/hw/i2c/ppc4xx_i2c.c b/hw/i2c/ppc4xx_i2c.c
index 4e0aaae..fca80d6 100644
--- a/hw/i2c/ppc4xx_i2c.c
+++ b/hw/i2c/ppc4xx_i2c.c
@@ -30,6 +30,7 @@
 #include "cpu.h"
 #include "hw/hw.h"
 #include "hw/i2c/ppc4xx_i2c.h"
+#include "bitbang_i2c.h"

 #define PPC4xx_I2C_MEM_SIZE 18

@@ -46,6 +47,11 @@

 #define IIC_XTCNTLSS_SRST   (1 << 0)

+#define IIC_DIRECTCNTL_SDAC (1 << 3)
+#define IIC_DIRECTCNTL_SCLC (1 << 2)
+#define IIC_DIRECTCNTL_MSDA (1 << 1)
+#define IIC_DIRECTCNTL_MSCL (1 << 0)
+
 static void ppc4xx_i2c_reset(DeviceState *s)
 {
 PPC4xxI2CState *i2c = PPC4xx_I2C(s);
@@ -289,7 +295,12 @@ static void ppc4xx_i2c_writeb(void *opaque, hwaddr addr, 
uint64_t value,
 i2c->xtcntlss = value;
 break;
 case 16:
-i2c->directcntl = value & 0x7;
+i2c->directcntl = value & (IIC_DIRECTCNTL_SDAC & IIC_DIRECTCNTL_SCLC);
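Review bot: in the `case 16:` write, the mask `(IIC_DIRECTCNTL_SDAC & IIC_DIRECTCNTL_SCLC)` is `(1 << 3) & (1 << 2)`, which evaluates to 0, so this assignment always stores 0 in directcntl instead of keeping the two control bits. The two constants need to be combined with `|`, not `&`.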


This clears all bits but SDAC and SCLC so constants are OK here as they
refer to bits in the register. (Guest can set the S* bits to say what state
it wants the i2c lines to become.)


+i2c->directcntl |= (value & IIC_DIRECTCNTL_SCLC ? 1 : 0);


This is directcntl[MSCL] = directcntl[SCLC] that is, set MSCL bit the same as
SCLC, the 1 : 0 here are the value of the bit not the MSCL bit so constants
are not appropriate here.


This is what I don't get.  Regardless of the method of it, you *are*
setting bit 1 of the directcntl register, so why would the MSCL name
not be appropriate?


I'm setting bit 0 (MSCL) to either 1 or 0. I could probably use the MSCL 
constant in place of the 1 here but would that make it clearer? It would 
just be longer and less clear without looking up the constants so to me 
this looks more comprehensible this way.



+bitbang_i2c_set(i2c->bitbang, BITBANG_I2C_SCL,
+i2c->directcntl & IIC_DIRECTCNTL_MSCL);


This lets the bitbang_i2c emulation also know that MSCL is set to 1 or 0 so
constant here is OK, previously it was just 1 for brevity which may have
confused you.


+i2c->directcntl |= bitbang_i2c_set(i2c->bitbang, BITBANG_I2C_SDA,
+   (value & IIC_DIRECTCNTL_SDAC) != 0) << 1;


This sets MSDA bit of directcntl to the value returned by bitbang_i2c
emulation when sending it the bit in SDAC. So the
(value & IIC_DIRECTCNTL_SDAC) != 0)
tests what value the SDAC bit has so 0 means the value of the bit and
constant refers to the bit in the register. (Because SDAC is not the LSB and
we need 1 or 0 here hence the equality test to normalise the value, maybe
the !! construct could also be used, I'm not sure.) The << 1 at the end
makes sure we set the MSDA bit but that constant cannot be used here and
using MSCL instead is not correct because we mean the MSDA bit.


Right, I'm not suggesting you use MSCL here, I'm suggesting you use
MSDA.


But how? Third arg of bitbang_i2c_set is level, either 0 or 1. How could a 
constant with value 2 be used here? (Also to set bit 1 I have to shift 1 not 
2 so I don't see how the constant could be used there either.)


Regards,
BALATON Zoltan



Re: [Qemu-devel] [PATCH 01/11] hw/input/pckbd: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/input/pckbd.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/input/pckbd.c b/hw/input/pckbd.c
> index f33e3fc63d..1102d2a31b 100644
> --- a/hw/input/pckbd.c
> +++ b/hw/input/pckbd.c
> @@ -22,6 +22,7 @@
>   * THE SOFTWARE.
>   */
>  #include "qemu/osdep.h"
> +#include "qemu/log.h"
>  #include "hw/hw.h"
>  #include "hw/isa/isa.h"
>  #include "hw/i386/pc.h"
> @@ -308,7 +309,8 @@ static void kbd_write_command(void *opaque, hwaddr addr,
>  /* ignore that */
>  break;
>  default:
> -fprintf(stderr, "qemu: unsupported keyboard cmd=0x%02x\n", (int)val);
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "qemu: unsupported keyboard cmd=0x%02lx\n", val);
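Review bot: the new format string prints `val` with `%02lx` and drops the old `(int)` cast. That is only correct if `val` is an `unsigned long`; if it is a `uint64_t`, the call is wrong on hosts where long is 32 bits. Use `"0x%02" PRIx64` or keep a cast that matches the conversion.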

Please remove the "qemu:" prefix while you're at it.

 Thomas



Re: [Qemu-devel] [PATCH v3 15/49] qapi: do not define enumeration value explicitely

2018-06-22 Thread Markus Armbruster
Subject: explicitly

Marc-André Lureau  writes:

> The C standard has the initial value at 0 and the subsequent values
> incremented by 1. No need to set this explicitely.
>
> This will prevent from artificial "gaps" when compiling out some enum
> values and having unnecessarily large MAX values & enums arrays.
>
> Signed-off-by: Marc-André Lureau 
> ---
>  scripts/qapi/common.py | 7 ++-
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/scripts/qapi/common.py b/scripts/qapi/common.py
> index 60c1d0a783..68a567f53f 100644
> --- a/scripts/qapi/common.py
> +++ b/scripts/qapi/common.py
> @@ -2032,14 +2032,11 @@ typedef enum %(c_name)s {
>  ''',
>  c_name=c_name(name))
>  
> -i = 0
>  for value in enum_values:
>  ret += mcgen('''
> -%(c_enum)s = %(i)d,
> +%(c_enum)s,
>  ''',
> - c_enum=c_enum_const(name, value, prefix),
> - i=i)
> -i += 1
> + c_enum=c_enum_const(name, value, prefix))
>  
>  ret += mcgen('''
>  } %(c_name)s;
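Review bot: with `= %(i)d` dropped from the generated enumerator line, the emitted header no longer records the value each member is expected to have, so a member compiled out in one build silently renumbers every member after it. If the explicit values go, the generator should also emit a check that turns such a mismatch into a build failure, and the commit message should say what that check is.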

What exactly in your series depends on this?

What safeguards do you propose to ensure an enumeration with
conditionals is compiled only with the exact same conditionals within
the same program?

Example of the kind of deathtrap to guard against: compile

typedef enum Color {
COLOR_WHITE,
#if defined(NEED_CPU_H)
#if defined(TARGET_S390X)
COLOR_BLUE,
#endif /* defined(TARGET_S390X) */
#endif /* defined(NEED_CPU_H) */
COLOR_BLACK,
} Color;

in s390x-code (COLOR_BLACK = 2) and in target-independent code
(COLOR_BLACK = 1), then linking the two together.

Yes, I know a similar deathtrap will be set up for struct and union
types.  No excuse for ignoring either of the two.
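
The mismatch described in the message above, worked through as an added example (not code from the patch or from QEMU). The two views of the enum get distinct, hypothetical names so that one file can hold both; the third enum shows the explicit numbering the generator emitted before this patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical names: in the real failure both definitions are called
 * "Color" and live in different translation units. They are renamed here
 * so that both views can sit side by side in one file.
 */

/* Implicit numbering, target-independent view (COLOR_BLUE compiled out). */
typedef enum { GEN_WHITE, GEN_BLACK, GEN__MAX } ColorGeneric;

/* Implicit numbering, s390x view (COLOR_BLUE present). */
typedef enum { S390_WHITE, S390_BLUE, S390_BLACK, S390__MAX } ColorS390x;

/* Explicit numbering, target-independent view: the gap at 1 is kept. */
typedef enum { PIN_WHITE = 0, PIN_BLACK = 2, PIN__MAX } ColorPinned;

/* Name tables as target-independent code would build them. */
static const char *const gen_names[GEN__MAX] = {
    [GEN_WHITE] = "white",
    [GEN_BLACK] = "black",
};

static const char *const pin_names[PIN__MAX] = {
    [PIN_WHITE] = "white",
    [PIN_BLACK] = "black",      /* index 1 stays NULL: member not built */
};

/*
 * Lookups as target-independent code would do them on a value handed over
 * from s390x code. The bounds check is what stands between a mismatched
 * value and an out-of-bounds read of the table.
 */
const char *gen_color_name(int value)
{
    if (value < 0 || value >= GEN__MAX) {
        return NULL;
    }
    return gen_names[value];
}

const char *pin_color_name(int value)
{
    if (value < 0 || value >= PIN__MAX) {
        return NULL;
    }
    return pin_names[value];
}

static const char *show(const char *name)
{
    return name ? name : "(rejected)";
}

int main(void)
{
    static const struct { const char *label; int value; } sent[] = {
        { "COLOR_WHITE", S390_WHITE },
        { "COLOR_BLUE",  S390_BLUE  },
        { "COLOR_BLACK", S390_BLACK },
    };

    for (size_t i = 0; i < sizeof(sent) / sizeof(sent[0]); i++) {
        printf("s390x sends %-11s (%d): implicit -> %-10s explicit -> %s\n",
               sent[i].label, sent[i].value,
               show(gen_color_name(sent[i].value)),
               show(pin_color_name(sent[i].value)));
    }
    return 0;
}
```

With implicit numbering the s390x COLOR_BLUE is read as "black" and COLOR_BLACK indexes one past the end of the target-independent table; with explicit numbering COLOR_BLACK agrees in both views at the cost of a three-entry table with a hole.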



[Qemu-devel] [PATCH v2 0/2] Strict alignment for ARMv6-M and ARMv8-M Baseline

2018-06-22 Thread Julia Suvorova via Qemu-devel
v2:
* Added feature bit for the Main Extension
* Alignment patch is modified to use ARM_FEATURE_M_MAIN

Julia Suvorova (2):
  target/arm: Introduce ARM_FEATURE_M_MAIN
  target/arm: Strict alignment for ARMv6-M and ARMv8-M Baseline

 target/arm/cpu.c   |  3 +++
 target/arm/cpu.h   |  1 +
 target/arm/translate.c | 18 --
 3 files changed, 20 insertions(+), 2 deletions(-)

-- 
2.17.0




Re: [Qemu-devel] [PATCH 03/11] hw/dma/omap_dma: Use qemu_log_mask(UNIMP) instead of printf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/dma/omap_dma.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
> index abd18c67ea..ab3a1b0451 100644
> --- a/hw/dma/omap_dma.c
> +++ b/hw/dma/omap_dma.c
> @@ -18,6 +18,7 @@
>   * with this program; if not, see .
>   */
>  #include "qemu/osdep.h"
> +#include "qemu/log.h"
>  #include "qemu-common.h"
>  #include "qemu/timer.h"
>  #include "hw/arm/omap.h"
> @@ -1439,8 +1440,9 @@ static int omap_dma_sys_read(struct omap_dma_s *s, int 
> offset,
>  case 0x480:  /* DMA_PCh0_SR */
>  case 0x482:  /* DMA_PCh1_SR */
>  case 0x4c0:  /* DMA_PChD_SR_0 */
> -printf("%s: Physical Channel Status Registers not implemented.\n",
> -   __func__);
> +qemu_log_mask(LOG_UNIMP,
> +  "%s: Physical Channel Status Registers not 
> implemented\n",
> +  __func__);
>  *ret = 0xff;
>  break;
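Review bot: the three case labels 0x480, 0x482 and 0x4c0 share one message that does not say which register was read. Since `offset` is a parameter of omap_dma_sys_read, adding it to the format (for example `"%s: Physical Channel Status Register 0x%x not implemented\n", __func__, offset`) makes the log line usable on its own.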

Reviewed-by: Thomas Huth 



Re: [Qemu-devel] [PATCH 04/11] hw/dma/omap_dma: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/dma/omap_dma.c | 66 ++-
>  1 file changed, 42 insertions(+), 24 deletions(-)
[...]
>  case 0x78:   /* DMA4_GCR */
>  s->gcr = value & 0x00ff00ff;
> - if ((value & 0xff) == 0x00) /* MAX_CHANNEL_FIFO_DEPTH */
> -fprintf(stderr, "%s: wrong FIFO depth in GCR\n", __func__);
> +if ((value & 0xff) == 0x00) {
> +/* MAX_CHANNEL_FIFO_DEPTH */
> +qemu_log_mask(LOG_GUEST_ERROR, "%s: wrong FIFO depth in GCR\n",
> +  __func__);
> +}
>  return;
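Review bot: the guest-error message in the DMA4_GCR case says the FIFO depth is wrong but not what the guest wrote. `value` is in scope here, so printing it alongside `__func__` would let someone reading the log see the offending write without a debugger.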

Not sure, but doesn't that MAX_CHANNEL_FIFO_DEPTH comment rather belong
to the if-statement than to the print statement? If so, could you please
leave it at the end of the line?

 Thomas



Re: [Qemu-devel] [PATCH 06/11] hw/sd/omap_mmc: Use qemu_log_mask(UNIMP) instead of printf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/sd/omap_mmc.c | 13 +
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/sd/omap_mmc.c b/hw/sd/omap_mmc.c
> index 5b47cadf11..aa2a816f76 100644
> --- a/hw/sd/omap_mmc.c
> +++ b/hw/sd/omap_mmc.c
> @@ -17,6 +17,7 @@
>   * with this program; if not, see .
>   */
>  #include "qemu/osdep.h"
> +#include "qemu/log.h"
>  #include "hw/hw.h"
>  #include "hw/arm/omap.h"
>  #include "hw/sd/sd.h"
> @@ -449,10 +450,14 @@ static void omap_mmc_write(void *opaque, hwaddr offset,
>  s->enable = (value >> 11) & 1;
>  s->be = (value >> 10) & 1;
>  s->clkdiv = (value >> 0) & (s->rev >= 2 ? 0x3ff : 0xff);
> -if (s->mode != 0)
> -printf("SD mode %i unimplemented!\n", s->mode);
> -if (s->be != 0)
> -printf("SD FIFO byte sex unimplemented!\n");
> +if (s->mode != 0) {
> +qemu_log_mask(LOG_UNIMP,
> +  "omap_mmc_wr: mode #%i unimplemented\n", s->mode);
> +}
> +if (s->be != 0) {
> +qemu_log_mask(LOG_UNIMP,
> +  "omap_mmc_wr: Big Endian not implemented\n");
> +}
>  if (s->dw != 0 && s->lines < 4)
>  printf("4-bit SD bus enabled\n");
>  if (!s->enable)
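Review bot: the context line `printf("4-bit SD bus enabled\n");` right after the converted block is still a bare printf, so this function keeps writing to stdout after a patch whose subject is replacing printf. Either convert it in the same hunk or say in the commit message why it stays. The new messages also hardcode the prefix `omap_mmc_wr:` while the function is omap_mmc_write; `"%s: ..."` with `__func__` would match the other patches in the series.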

Reviewed-by: Thomas Huth 



Re: [Qemu-devel] [PATCH 07/11] hw/i2c/omap_i2c: Use qemu_log_mask(UNIMP) instead of fprintf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/i2c/omap_i2c.c | 23 +++
>  1 file changed, 15 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/i2c/omap_i2c.c b/hw/i2c/omap_i2c.c
> index 26e3e5ebf6..e6f34fe31f 100644
> --- a/hw/i2c/omap_i2c.c
> +++ b/hw/i2c/omap_i2c.c
> @@ -17,6 +17,7 @@
>   * with this program; if not, see .
>   */
>  #include "qemu/osdep.h"
> +#include "qemu/log.h"
>  #include "hw/hw.h"
>  #include "hw/i2c/i2c.h"
>  #include "hw/arm/omap.h"
> @@ -339,14 +340,17 @@ static void omap_i2c_write(void *opaque, hwaddr addr,
>  }
>  break;
>  }
> -if ((value & (1 << 15)) && !(value & (1 << 10))) {   /* MST */
> -fprintf(stderr, "%s: I^2C slave mode not supported\n",
> -__func__);
> +if ((value & (1 << 15)) && !(value & (1 << 10))) {
> +/* MST */
> +qemu_log_mask(LOG_UNIMP, "%s: I^2C slave mode not supported\n",
> +  __func__);
>  break;
>  }
> -if ((value & (1 << 15)) && value & (1 << 8)) {   /* XA */
> -fprintf(stderr, "%s: 10-bit addressing mode not supported\n",
> -__func__);
> +if ((value & (1 << 15)) && value & (1 << 8)) {
> +/* XA */
> +qemu_log_mask(LOG_UNIMP,
> +  "%s: 10-bit addressing mode not supported\n",
> +  __func__);
>  break;
>  }
>  if ((value & (1 << 15)) && value & (1 << 0)) {   /* STT 
> */
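Review bot: in the rewritten XA test, `if ((value & (1 << 15)) && value & (1 << 8)) {`, the second operand is left unparenthesized while the MST test just above wraps both operands. As the line is being rewritten anyway, write it as `(value & (1 << 15)) && (value & (1 << 8))` so the two conditions read the same way.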
> @@ -392,8 +396,11 @@ static void omap_i2c_write(void *opaque, hwaddr addr,
>  s->stat |= 0x3f;
>  omap_i2c_interrupts_update(s);
>  }
> -if (value & (1 << 15))   /* 
> ST_EN */
> -fprintf(stderr, "%s: System Test not supported\n", __func__);
> +if (value & (1 << 15)) {
> +/* ST_EN */
> +qemu_log_mask(LOG_UNIMP,
> +  "%s: System Test not supported\n", __func__);
> +}
>  break;
>  
>  default:

Could you please leave the comments at the end of the if-statement lines?

 Thomas




Re: [Qemu-devel] [PATCH v3 11/49] qapi/commands: add #if conditions to commands

2018-06-22 Thread Markus Armbruster
Marc-André Lureau  writes:

> Wrap generated code with #if/#endif using an 'ifcontext' on
> QAPIGenCSnippet objects.
>
> Signed-off-by: Marc-André Lureau 
> ---
>  scripts/qapi/commands.py | 19 ++-
>  tests/test-qmp-cmds.c|  4 ++--
>  2 files changed, 12 insertions(+), 11 deletions(-)
>
> diff --git a/scripts/qapi/commands.py b/scripts/qapi/commands.py
> index e2366b4801..40bb680b7c 100644
> --- a/scripts/qapi/commands.py
> +++ b/scripts/qapi/commands.py
> @@ -237,7 +237,7 @@ class 
> QAPISchemaGenCommandVisitor(QAPISchemaModularCVisitor):
>  QAPISchemaModularCVisitor.__init__(
>  self, prefix, 'qapi-commands',
>  ' * Schema-defined QAPI/QMP commands', __doc__)
> -self._regy = ''
> +self._regy = QAPIGenCSnippet()
>  self._visited_ret_types = {}
>  
>  def _begin_module(self, name):
> @@ -273,19 +273,20 @@ class 
> QAPISchemaGenCommandVisitor(QAPISchemaModularCVisitor):
>  void %(c_prefix)sqmp_init_marshal(QmpCommandList *cmds);
>  ''',
> c_prefix=c_name(self._prefix, protect=False)))
> -genc.add(gen_registry(self._regy, self._prefix))
> +genc.add(gen_registry(self._regy.get_content(), self._prefix))
>  
>  def visit_command(self, name, info, ifcond, arg_type, ret_type,
>gen, success_response, boxed, allow_oob):
>  if not gen:
>  return
> -self._genh.add(gen_command_decl(name, arg_type, boxed, ret_type))
> -if ret_type and ret_type not in self._visited_ret_types[self._genc]:
> -self._visited_ret_types[self._genc].add(ret_type)
> -self._genc.add(gen_marshal_output(ret_type))
> -self._genh.add(gen_marshal_decl(name))
> -self._genc.add(gen_marshal(name, arg_type, boxed, ret_type))
> -self._regy += gen_register_command(name, success_response, allow_oob)
> +with ifcontext(ifcond, self._genh, self._genc, self._regy):
> +self._genh.add(gen_command_decl(name, arg_type, boxed, ret_type))
> +if ret_type and ret_type not in 
> self._visited_ret_types[self._genc]:
> +self._visited_ret_types[self._genc].add(ret_type)
> +self._genc.add(gen_marshal_output(ret_type))

I'm afraid this falls apart when multiple commands with different
conditions share a return type.

That case needs test coverage.

Aside: the qmp_marshal_FOO() should be static.  I can see just two uses
preventing that:

monitor.c:1146: qmp_marshal_qmp_capabilities, 
QCO_NO_OPTIONS);
monitor.c:4312:qmp_marshal_query_version(NULL, &ver, NULL);

Would be nice to get rid of those.  Not necessarily in this series, of
course.

> +self._genh.add(gen_marshal_decl(name))
> +self._genc.add(gen_marshal(name, arg_type, boxed, ret_type))
> +self._regy.add(gen_register_command(name, success_response, 
> allow_oob))
>  
>  
>  def gen_commands(schema, output_dir, prefix):
> diff --git a/tests/test-qmp-cmds.c b/tests/test-qmp-cmds.c
> index c25fc2100a..e675722593 100644
> --- a/tests/test-qmp-cmds.c
> +++ b/tests/test-qmp-cmds.c
> @@ -12,11 +12,11 @@
>  
>  static QmpCommandList qmp_commands;
>  
> -/* #if defined(TEST_IF_STRUCT) && defined(TEST_IF_CMD) */
> +#if defined(TEST_IF_STRUCT) && defined(TEST_IF_CMD)
>  void qmp_TestIfCmd(TestIfStruct *foo, Error **errp)
>  {
>  }
> -/* #endif */
> +#endif
>  
>  void qmp_user_def_cmd(Error **errp)
>  {
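Review bot: turning the commented-out guard around qmp_TestIfCmd into a real `#if defined(TEST_IF_STRUCT) && defined(TEST_IF_CMD)` means the handler is built only when both macros are defined, and nothing in this hunk defines them. Either define both at the top of the test or state in the commit message where the build sets them; otherwise the conditional command path is compiled out and never exercised.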



Re: [Qemu-devel] [PATCH 08/11] hw/arm/omap: Use qemu_log_mask(GUEST_ERROR) instead of fprintf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  include/hw/arm/omap.h | 20 
>  1 file changed, 12 insertions(+), 8 deletions(-)
[...]
> @@ -997,14 +998,17 @@ enum {
>  
>  # ifdef TCMI_VERBOSE
>  #  define OMAP_8B_REG(paddr) \
> -fprintf(stderr, "%s: 8-bit register " OMAP_FMT_plx "\n", \
> -__func__, paddr)
> +qemu_log_mask(LOG_GUEST_ERROR, \
> +  "%s: 8-bit register " OMAP_FMT_plx "\n", \
> +  __func__, paddr)
>  #  define OMAP_16B_REG(paddr)\
> -fprintf(stderr, "%s: 16-bit register " OMAP_FMT_plx "\n",\
> -__func__, paddr)
> +qemu_log_mask(LOG_GUEST_ERROR, \
> +  "%s: 16-bit register " OMAP_FMT_plx "\n", \
> +  __func__, paddr)
>  #  define OMAP_32B_REG(paddr)\
> -fprintf(stderr, "%s: 32-bit register " OMAP_FMT_plx "\n",\
> -__func__, paddr)
> +qemu_log_mask(LOG_GUEST_ERROR, \
> +  "%s: 32-bit register " OMAP_FMT_plx "\n", \
> +  __func__, paddr)
>  # else
>  #  define OMAP_8B_REG(paddr)
>  #  define OMAP_16B_REG(paddr)
> 

Since the qemu_log_mask(LOG_GUEST_ERROR, ...) calls are not shown up by
default anymore, I think it would rather be better to get rid of this
#ifdef TCMI_VERBOSE ... #endif block now and put the qemu_log_mask()
statements directly into the omap_badwidth_* functions instead.

 Thomas



Re: [Qemu-devel] [PATCH 09/11] hw/arm/stellaris: Use qemu_log_mask(UNIMP) instead of fprintf

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/arm/stellaris.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
> index a8f1f6a912..d06e366402 100644
> --- a/hw/arm/stellaris.c
> +++ b/hw/arm/stellaris.c
> @@ -560,7 +560,7 @@ static void ssys_write(void *opaque, hwaddr offset,
>  case 0x040: /* SRCR0 */
>  case 0x044: /* SRCR1 */
>  case 0x048: /* SRCR2 */
> -fprintf(stderr, "Peripheral reset not implemented\n");
> +qemu_log_mask(LOG_UNIMP, "Peripheral reset not implemented\n");
>  break;
>  case 0x054: /* IMC */
>  s->int_mask = value & 0x7f;
> 
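Review bot: the SRCR0, SRCR1 and SRCR2 cases share one message with neither a function name nor a register offset, so a log reader cannot tell which reset register the guest wrote. `offset` and `value` are both in scope in ssys_write; something like `"%s: peripheral reset not implemented (0x%" HWADDR_PRIx ")\n"` with `__func__` and `offset` would carry that.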

Reviewed-by: Thomas Huth 



Re: [Qemu-devel] [PATCH v2 08/11] authz: add QAuthZList object type for an access control list

2018-06-22 Thread Daniel P . Berrangé
On Thu, Jun 21, 2018 at 06:36:19PM +0200, Markus Armbruster wrote:
> Daniel P. Berrangé  writes:
> 
> > On Thu, Jun 21, 2018 at 10:28:23AM -0500, Eric Blake wrote:
> >> On 06/15/2018 10:42 AM, Daniel P. Berrangé wrote:
> >> > From: "Daniel P. Berrange" 
> >> > 
> >> > Add a QAuthZList object type that implements the QAuthZ interface. This
> >> > built-in implementation maintains a trivial access control list with a
> >> > sequence of match rules and a final default policy. This replicates the
> >> > functionality currently provided by the qemu_acl module.
> >> > 
> >> 
> >> > 
> >> > It is not currently possible to create this via -object, since there is
> >> > no syntax supported to specify non-scalar properties for objects. This
> >> > is likely to be addressed by later support for using JSON with -object,
> >> > or an equivalent approach.
> >> 
> >> Is this statement slightly stale, since we have JSON support with --object
> >> already?
> >
> > That's news to me if we do. Markus did a PoC but AFAIK it was never
> > proposed for merge so far.
> 
> Correct.  Can finish the job if there's a need.
> 
> [...]

I'm not hugely bothered by it - this QAuthZList impl serves two core
purposes - a replacement for the HMP monitor commands I deprecated,
and an engine for the QAuthZListFile which stores QAuthZList objects in
external json files. The latter is what I think we'll use in practice,
as it lets us auto-refresh on the fly via inotify which is much more
convenient than having libvirt do object_add/object_del.

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [Qemu-devel] [PATCH 10/11] hw/net/stellaris_enet: Use qemu_log_mask(GUEST_ERROR) instead of hw_error

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> hw_error() finally calls abort(), but there is no need to abort here.

Additionally, hw_error() is also only meant for CPU errors (since it
dumps the CPU state). We should really rename that function to
"cpu_hw_error" one day to avoid that people use it in the wrong spots...

> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/net/stellaris_enet.c | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
> index 04bd10ada3..188adcbd15 100644
> --- a/hw/net/stellaris_enet.c
> +++ b/hw/net/stellaris_enet.c
> @@ -9,6 +9,7 @@
>  #include "qemu/osdep.h"
>  #include "hw/sysbus.h"
>  #include "net/net.h"
> +#include "qemu/log.h"
>  #include 
>  
>  //#define DEBUG_STELLARIS_ENET 1
> @@ -343,7 +344,9 @@ static uint64_t stellaris_enet_read(void *opaque, hwaddr 
> offset,
>  case 0x3c: /* Undocuented: Timestamp? */
>  return 0;
>  default:
> -hw_error("stellaris_enet_read: Bad offset %x\n", (int)offset);
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "stellaris_enet_rd%d: 0x%" HWADDR_PRIx "\n",
> +  size, offset);
>  return 0;
>  }
>  }
> @@ -442,7 +445,9 @@ static void stellaris_enet_write(void *opaque, hwaddr 
> offset,
>  /* Ignored.  */
>  break;
>  default:
> -hw_error("stellaris_enet_write: Bad offset %x\n", (int)offset);
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "stellaris_enet_wr%d: 0x%" HWADDR_PRIx " = 0x%lx\n",
> +  size, offset, value);
>  }
>  }
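Review bot: in the write handler the new format prints `value` with `0x%lx` while `offset` on the same line uses the portable `HWADDR_PRIx`. If `value` is a `uint64_t`, `%lx` is wrong on hosts where long is 32 bits; use `"0x%" PRIx64` for it.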

Could you please keep the "bad offset" or a similar error message, so
that the user knows that there is really something wrong here?

 Thomas



Re: [Qemu-devel] [PATCH 11/11] hw/net/smc91c111: Use qemu_log_mask(GUEST_ERROR) instead of hw_error

2018-06-22 Thread Thomas Huth
On 21.06.2018 20:02, Philippe Mathieu-Daudé wrote:
> hw_error() finally calls abort(), but there is no need to abort here.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/net/smc91c111.c | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
> index c8cc5379b7..705a034cb9 100644
> --- a/hw/net/smc91c111.c
> +++ b/hw/net/smc91c111.c
> @@ -11,6 +11,7 @@
>  #include "hw/sysbus.h"
>  #include "net/net.h"
>  #include "hw/devices.h"
> +#include "qemu/log.h"
>  /* For crc32 */
>  #include 
>  
> @@ -478,7 +479,9 @@ static void smc91c111_writeb(void *opaque, hwaddr offset,
>  }
>  break;
>  }
> -hw_error("smc91c111_write: Bad reg %d:%x\n", s->bank, (int)offset);
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "smc91c111_write(bank:%d) 0x%" HWADDR_PRIx " = 0x%x\n",
> +  s->bank, offset, value);
>  }
>  
>  static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
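Review bot: the new message hardcodes the prefix `smc91c111_write` although the hunk header shows the function is smc91c111_writeb. Using `"%s(bank:%d) ..."` with `__func__` keeps the log prefix tied to the real function name.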
> @@ -621,7 +624,9 @@ static uint32_t smc91c111_readb(void *opaque, hwaddr 
> offset)
>  }
>  break;
>  }
> -hw_error("smc91c111_read: Bad reg %d:%x\n", s->bank, (int)offset);
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "smc91c111_read(bank:%d) 0x%" HWADDR_PRIx "\n",
> +  s->bank, offset);
>  return 0;
>  }

Please keep "bad register" or a similar text in here.

 Thomas




[Qemu-devel] [Bug 1775555] Re: guest migration 100% cpu freeze bug

2018-06-22 Thread Frank Schreuder
We finally managed to reproduce this issue in our test environment. 2
out of 3 VMs froze within 12 hours of constant migrations.

All migrations took place between Skylake Gold => non-Skylake Gold and
non-Skylake Gold => Skylake Gold. Test environment hypervisors are
running Debian 9, Qemu 2.11 and Libvirt 4.0.0.

The test VMs are Debian 8 based with -encrypted filesystems- and a dd
loop running to generate io load. VMs without encrypted filesystem do
not freeze.


Title:
  guest migration 100% cpu freeze bug

Status in QEMU:
  New

Bug description:
  # Investigate migration cpu hog(100%) bug

  I have some issues when migrating from qemu 2.6.2 to qemu 2.11.1.
  The hypervisors are running kernel 4.9.92 on debian stretch with libvirt 
v4.0.0.
  Linux, libvirt and qemu are all custom compiled.

  I migrated around 21.000 vms from qemu 2.6.2 to qemu 2.11.1 and every
  once in a while a vm is stuck at 100% cpu after the migration from
  2.6.2 to 2.11.1. This happend with about 50-60 vms so far.

  I attached gdb to a vcpu thread of one stuck vm, and a bt showed the following info:
  #0  0x7f4f19949dd7 in ioctl () at ../sysdeps/unix/syscall-template.S:84
  #1  0x557c9edede47 in kvm_vcpu_ioctl (cpu=cpu@entry=0x557ca1058840, type=type@entry=0xae80) at /home/dbosschieter/src/qemu-pkg/src/accel/kvm/kvm-all.c:2050
  #2  0x557c9ededfb6 in kvm_cpu_exec (cpu=cpu@entry=0x557ca1058840) at /home/dbosschieter/src/qemu-pkg/src/accel/kvm/kvm-all.c:1887
  #3  0x557c9edcab44 in qemu_kvm_cpu_thread_fn (arg=0x557ca1058840) at /home/dbosschieter/src/qemu-pkg/src/cpus.c:1128
  #4  0x7f4f19c0f494 in start_thread (arg=0x7f4f053f3700) at pthread_create.c:333
  #5  0x7f4f19951acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

  The ioctl call is a ioctl(18, KVM_RUN and it looks like it is looping
  inside the vm itself.

  I saved the state of the VM (with `virsh save`) after I found it was hanging
  on its vcpu threads. Then I restored this vm on a test environment (running
  the same kernel, QEMU and libvirt version). After the restore the VM still
  was hanging at 100% cpu usage on all the vcpus.
  I tried to use the perf kvm guest option to trace the guest vm with a copy of
  the kernel, modules and kallsyms files from inside the guest vm and I got the
  following trace:

  $ perf kvm --guest --guestkallsyms=kallsyms --guestmodules=modules record -g -p 14471 -o perf.data
  $ perf kvm --guest --guestkallsyms=kallsyms --guestmodules=modules report -i perf.data --stdio > analyze

  # To display the perf.data header info, please use --header/--header-only options.
  #
  #
  # Total Lost Samples: 0
  #
  # Samples: 105K of event 'cycles'
  # Event count (approx.): 67588147605
  #
  # Children  Self    Command  Shared Object            Symbol                                    Parent symbol
  #
    28.79%    28.79%  :16028   [guest.kernel.kallsyms]  [g] ftrace... see rows below

Re: [Qemu-devel] [PATCH 0/5] Misc sm501 improvements

2018-06-22 Thread BALATON Zoltan

On Thu, 21 Jun 2018, Philippe Mathieu-Daudé wrote:

Hi Zoltan,

On 06/21/2018 05:08 AM, BALATON Zoltan wrote:

These are fixes to sm501 emulation that were found while testing with
AmigaOS 4.1FE (AmigaOS 4 is known to work on real hardware but we have
no way to verify it against hardware). While this is mainly to improve


Is it possible to fetch/use this image? (and add integration tests)


AmigaOS 4 is not freely available, it needs to be purchased so I'm not 
sure it could be used for tests. Also the current version available for 
Sam460 does not work too well with QEMU yet. To be able to use it 
according to Sebastian one needs at least updated ehci driver and maybe 
CLGD graphics driver which are not on this boot CD and editing the CD is 
not convenient or doable by most people. Therefore we are trying to fix 
QEMU with Sebastian to be usable with the current boot CD but maybe an 
updated CD with better drivers would be the way to go, although I don't 
know if the vendor wants to do that or not.


Regards,
BALATON Zoltan


Re: [Qemu-devel] bug in reopen arch

2018-06-22 Thread Kevin Wolf
(Berto, I'm CCing you just because this is about reopen, so you might
have thoughts about it. But it's not really related to what you're
currently working on.)

Am 21.06.2018 um 19:44 hat Vladimir Sementsov-Ogievskiy geschrieben:
> 21.06.2018 20:17, Kevin Wolf wrote:
> > Am 21.06.2018 um 17:55 hat Vladimir Sementsov-Ogievskiy geschrieben:
> > > 21.06.2018 17:25, Kevin Wolf wrote:
> > > > Am 15.06.2018 um 20:42 hat Vladimir Sementsov-Ogievskiy geschrieben:
> > > > > Now, I've found the following workaround, what do you think about 
> > > > > something
> > > > > like this as a temporary fix:
> > > > I honestly don't understand why this workaround makes any difference.
> > > with this patch, commit for children will be called earlier than for 
> > > parent,
> > > so, when reopening bitmaps rw (which is done in commit) bs->file will be
> > > already completely reopened rw, and all works.
> > .bdrv_reopen_commit() can't do any I/O because it must not fail.
> > Therefore the order in which nodes are committed should not matter.
> > 
> > Any I/O that needs to be done has to be in .bdrv_reopen_prepare() (and
> > possibly be kept in a temporary buffer) and .bdrv_reopen_commit() can
> > only apply what is already in memory.
> > 
> > I don't see the code for reopening bitmaps in master. Is this a pending
> > patch?
> 
> it is in block.c, in bdrv_reopen_commit()
> 
> ...
> if (!old_can_write && new_can_write && drv->bdrv_reopen_bitmaps_rw) {
>     Error *local_err = NULL;
>     if (drv->bdrv_reopen_bitmaps_rw(bs, &local_err) < 0) {

This is already an ugly hack, we shouldn't have a separate callback for
reopening bitmaps. :-(

If done properly, this code would only exist internally in qcow2 as part
of the .bdrv_reopen/commit implementation.

I'm also not convinced of the error handling. According to commit
cb9ff6c25, this is mostly about the IN_USE flag. The qcow2 spec says
"The bitmap was not saved correctly and may be inconsistent." for this
flag. So the fail-safe state is IN_USE being set.


What I think qcow2 should be doing is setting IN_USE in .prepare (for ro
-> rw) and clearing it in .commit (for rw -> ro).

For this to be possible, .prepare needs write access to an image that
was read-only before and is becoming writable; and .commit needs write
access to an image that was writable and is becoming read-only.

This is the problem to solve, and implementing a proper design that can
provide this will solve the bug for you, too.


I'm not completely sure how this can be achieved best. Allowing parents
to choose whether they want to access the old or the new state is
probably not going to work in the general case because that's
essentially an image opened twice.

Even if it feels like a hack, too, maybe we need to make file-posix
already switch to the "better" file descriptor in .prepare and store the
old one in the BDRVRawReopenState so it can be restored in .abort.

The "better" file descriptor is the one that allows more operations, i.e.
writable is better than read-only in this sense. Of course, if we have
two options like read-only that can prevent certain operations, it may
be unclear, which of the two file descriptors is the one we want.

And obviously, this still needs child-to-parent .prepare order. I
believe when I tried reversing the current order a while ago, I ran into
problems, so whether this is possible or how it needs to be done in
detail needs to be checked carefully.

Kevin



Re: [Qemu-devel] [PATCH] ahci: fix FIS I bit and PIO Setup FIS interrupt

2018-06-22 Thread Paolo Bonzini
On 21/06/2018 22:06, John Snow wrote:
> 
> On 06/20/2018 09:25 AM, Paolo Bonzini wrote:
>> +pio_fis_i = is_atapi ? ad->done_atapi_packet : !is_write;
> Per DPIOO1, does this go to false for the first DRQ block, or did I
> misunderstand? Currently my understanding:

DPIOO1 is the !is_atapi && is_write case, where I is currently always 0.
 When do we have more than one DRQ block, is it for multi-sector PIO
reads?  Then perhaps we need something like ad->command->done_first_pio.

Paolo

> - device->host
>   DPIOI1
>   Interrupt bit shall be set.
> - host->device:
>   DPIOO1:
>   0 for first block, 1 otherwise
> - ATAPI:
>   0 for packet itself
>   1 for all data otherwise.




Re: [Qemu-devel] [PATCH v3 2/2] block/file-posix: reconfigure aio on iothread start

2018-06-22 Thread Kevin Wolf
On 22.06.2018 at 04:25, Fam Zheng wrote:
> On Thu, 06/21 15:21, Nishanth Aravamudan wrote:
> > When the AioContext changes, we need to associate a LinuxAioState with
> > the new AioContext. Use the bdrv_attach_aio_context callback and call
> > the new aio_setup_linux_aio(), which will allocate a new AioContext if
> > needed, and return errors on failures. If it fails for any reason,
> > fallback to threaded AIO with an error message, as the device is already
> > in-use by the guest.
> > 
> > Signed-off-by: Nishanth Aravamudan 
> > ---
> > Note this patch didn't exist in v2, but is a result of feedback to that
> > posting.
> 
> This should be squashed into patch 1, no?

Yes, without it, patch 1 is incorrect. Specifically, at least the
assertion in aio_get_linux_aio() won't hold true without it.

Kevin



Re: [Qemu-devel] [PULL v2.5 00/19] tcg queued patches

2018-06-22 Thread Peter Maydell
On 21 June 2018 at 15:37, Richard Henderson
 wrote:
> Re-issuing the v2 pull request with the proper form.
>
>
> r~
>
>
> The following changes since commit 42747d6abb5035473e5585fa17620c1e8983a70b:
>
>   Merge remote-tracking branch 
> 'remotes/edgar/tags/edgar/xilinx-next-2018-06-15.for-upstream' into staging 
> (2018-06-15 17:28:37 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/rth7680/qemu.git tags/pull-tcg-20180615
>
> for you to fetch changes up to 9f754620651d3432114f4bb89c7f12cbea814b3e:
>
>   tcg: Reduce max TB opcode count (2018-06-15 09:39:53 -1000)
>
> 
> TCG patch queue:
>
> Workaround macos assembler lossage.
> Eliminate tb_lock.
> Fix TB code generation overflow.
>
Applied, thanks.

-- PMM



Re: [Qemu-devel] [PATCH v4 4/5] acpi: build TPM Physical Presence interface

2018-06-22 Thread Igor Mammedov
On Thu, 21 Jun 2018 16:11:16 -0400
Stefan Berger  wrote:

> On 06/21/2018 07:55 AM, Marc-André Lureau wrote:
> > From: Stefan Berger 
> >
> > The TPM Physical Presence interface consists of an ACPI part, a shared
> > memory part, and code in the firmware. Users can send messages to the
> > firmware by writing a code into the shared memory through invoking the
> > ACPI code. When a reboot happens, the firmware looks for the code and
> > acts on it by sending sequences of commands to the TPM.
> >
> > This patch adds the ACPI code. It is similar to the one in EDK2 but doesn't
> > assume that SMIs are necessary to use. It uses a similar datastructure for
> > the shared memory as EDK2 does so that EDK2 and SeaBIOS could both make use
> > of it. I extended the shared memory data structure with an array of 256
> > bytes, one for each code that could be implemented. The array contains
> > flags describing the individual codes. This decouples the ACPI 
> > implementation
> > from the firmware implementation.
> >
> > The underlying TCG specification is accessible from the following page.
> >
> > https://trustedcomputinggroup.org/tcg-physical-presence-interface-specification/
> >
> > This patch implements version 1.30.
> >
> > Signed-off-by: Stefan Berger 
> >
> > ---
> >
> > v5 (Marc-André):
> >   - /struct tpm_ppi/struct TPMPPIData
> >
> > v4 (Marc-André):
> >   - replace 'DerefOf (FUNC [N])' with a function, to fix Windows ACPI
> >  handling.
> >   - replace 'return Package (..) {} ' with scoped variables, to fix
> > Windows ACPI handling.
> >
> > v3:
> >   - add support for PPI to CRB
> >   - split up OperationRegion TPPI into two parts, one containing
> > the registers (TPP1) and the other one the flags (TPP2); switched
> > the order of the flags versus registers in the code
> >   - adapted ACPI code to small changes to the array of flags where
> > previous flag 0 was removed and now shifting right wasn't always
> > necessary anymore
> >
> > v2:
> >   - get rid of FAIL variable; function 5 was using it and always
> > returns 0; the value is related to the ACPI function call not
> > a possible failure of the TPM function call.
> >   - extend shared memory data structure with per-opcode entries
> > holding flags and use those flags to determine what to return
> > to caller
> >   - implement interface version 1.3
> > ---
> >   include/hw/acpi/tpm.h |  21 +++
> >   hw/i386/acpi-build.c  | 294 +-
> >   2 files changed, 314 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/hw/acpi/tpm.h b/include/hw/acpi/tpm.h
> > index f79d68a77a..430605a8e5 100644
> > --- a/include/hw/acpi/tpm.h
> > +++ b/include/hw/acpi/tpm.h
> > @@ -196,4 +196,25 @@ REG32(CRB_DATA_BUFFER, 0x80)
> >   #define TPM_PPI_VERSION_NONE0
> >   #define TPM_PPI_VERSION_1_301
> >
> > +struct TPMPPIData {
> > +uint8_t  func[256];  /* 0x000: per TPM function implementation 
> > flags;
> > +   set by BIOS */
> > +/* whether function is blocked by BIOS settings; bits 0, 1, 2 */
> > +#define TPM_PPI_FUNC_NOT_IMPLEMENTED (0 << 0)
> > +#define TPM_PPI_FUNC_BIOS_ONLY   (1 << 0)
> > +#define TPM_PPI_FUNC_BLOCKED (2 << 0)
> > +#define TPM_PPI_FUNC_ALLOWED_USR_REQ (3 << 0)
> > +#define TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ (4 << 0)
> > +#define TPM_PPI_FUNC_MASK(7 << 0)
> > +uint8_t ppin;/* 0x100 : set by BIOS */
> > +uint32_t ppip;   /* 0x101 : set by ACPI; not used */
> > +uint32_t pprp;   /* 0x105 : response from TPM; set by BIOS */
> > +uint32_t pprq;   /* 0x109 : opcode; set by ACPI */
> > +uint32_t pprm;   /* 0x10d : parameter for opcode; set by ACPI 
> > */
> > +uint32_t lppr;   /* 0x111 : last opcode; set by BIOS */
> > +uint32_t fret;   /* 0x115 : set by ACPI; not used */
> > +uint8_t res1[0x40];  /* 0x119 : reserved for future use */
> > +uint8_t next_step;   /* 0x159 : next step after reboot; set by 
> > BIOS */
> > +} QEMU_PACKED;
> > +
> >   #endif /* HW_ACPI_TPM_H */  
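
Review bot: the field offsets of struct TPMPPIData are asserted only in comments (0x100 for ppin through 0x159 for next_step), while the commit message says the layout is meant to be shared with EDK2 and SeaBIOS. A build-time check next to the struct, for example QEMU_BUILD_BUG_ON(offsetof(struct TPMPPIData, next_step) != 0x159), would catch a later field change that silently shifts everything after it. The TPM_PPI_FUNC_* values are also an enumeration 0..4 under a 3-bit mask rather than independent bits, so the "<< 0" shifts and the "bits 0, 1, 2" comment could say that directly.
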
> 
> Here's a description of this interface. The SMM related fields, ppin, 
> ppip and fret could be
> renamed to reserved fields since we are not supporting SMM.
> 
> diff --git a/docs/specs/tpm.txt b/docs/specs/tpm.txt
> index c230c4c93e..17d811f633 100644
> --- a/docs/specs/tpm.txt
> +++ b/docs/specs/tpm.txt
> @@ -42,6 +42,73 @@ URL:
> 
>   https://trustedcomputinggroup.org/tcg-acpi-specification/
> 
> +== ACPI PPI Interface ==
> +
> +QEMU supports the Physical Presence Interface (PPI) for TPM 1.2 and TPM 
> 2. This
> +interface requires ACPI and firmware support. The specification can be 
> found at
> +the following URL:
> +
> +https://trustedcomputinggroup.org/resource/tcg-physical-presence-interface-specification/
> +
> +PPI enables a system administrator (root) to request a modification to the
> +T
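
Review bot: the specification URL added to docs/specs/tpm.txt (https://trustedcomputinggroup.org/resource/tcg-physical-presence-interface-specification/) differs from the one given in the commit message of the patch under review (https://trustedcomputinggroup.org/tcg-physical-presence-interface-specification/). Use the same link in both places so the documentation and the commit history point at one source.
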

Re: [Qemu-devel] [PATCH v3 12/49] qapi/events: add #if conditions to events

2018-06-22 Thread Markus Armbruster
Marc-André Lureau  writes:

> Wrap generated code with #if/#endif using an 'ifcontext' on
> QAPIGenCSnippet objects.
>
> Signed-off-by: Marc-André Lureau 
> ---
>  scripts/qapi/events.py | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/qapi/events.py b/scripts/qapi/events.py
> index 26ae00f6f7..dae03e3d88 100644
> --- a/scripts/qapi/events.py
> +++ b/scripts/qapi/events.py
> @@ -185,8 +185,9 @@ class 
> QAPISchemaGenEventVisitor(QAPISchemaModularCVisitor):
>  genc.add(gen_enum_lookup(self._enum_name, self._event_names))
>  
>  def visit_event(self, name, info, ifcond, arg_type, boxed):
> -self._genh.add(gen_event_send_decl(name, arg_type, boxed))
> -self._genc.add(gen_event_send(name, arg_type, boxed, 
> self._enum_name))
> +with ifcontext(ifcond, self._genh, self._genc):
> +self._genh.add(gen_event_send_decl(name, arg_type, boxed))
> +self._genc.add(gen_event_send(name, arg_type, boxed, 
> self._enum_name))
>  self._event_names.append(name)
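
Review bot: self._event_names.append(name) stays outside the new "with ifcontext(...)" block, so a conditional event is still appended unconditionally and ends up in the table built by gen_enum_lookup(self._enum_name, self._event_names) shown in the context above. If that is deliberate for this step of the series, the commit message should say so; otherwise the enum member and its lookup entry need the same ifcond as the send function.
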

This makes a conditional event's qapi_event_send_FOO() compile-time
conditional, but its enum QAPIEvent member remains unconditional for
now.  I figure it'll get its #if in PATCH 29.  Please mention this in
your commit message.  You do in PATCH 22.



Re: [Qemu-devel] [PATCH] blogposts: add post about the new check-tcg infrastructure

2018-06-22 Thread Alex Bennée


Max Filippov  writes:

> On Thu, Jun 21, 2018 at 11:41 AM, Alex Bennée  wrote:
>> Signed-off-by: Alex Bennée 
>> ---
>>  _posts/2018-06-21-tcg-testing.md | 129 +++
>>  1 file changed, 129 insertions(+)
>>  create mode 100644 _posts/2018-06-21-tcg-testing.md
>>
>> diff --git a/_posts/2018-06-21-tcg-testing.md 
>> b/_posts/2018-06-21-tcg-testing.md
>
> [...]
>
>> +The `tests/tcg` directory still contains a number of source files we
>> +don't build. Notably the cris, lm32, mips, openrisc and xtensa targets have
>> +a set of tests that need a system emulator. Now we have the
>> +infrastructure for compiling I hope we can get support for system
>> +tests added fairly quickly. There will need to be some work to figure
>> +out a nice common way to pass results back to the build-system. For
>> +linux-user this is simple as all programs can simply return their exit
>> +code however for system emulation this is a little more involved.
>
> xtensa tests pass exit codes to the build system through semihosting calls.
> If any of them fails make check fails as well.

I've re-written that section as:

  The `tests/tcg` directory still contains a number of source files we
  don't build.

  The cris and openrisc directories contain user-space tests which just
  need the support of a toolchain and the relevant Makefile plumbing to
  be added.

  The lm32, mips and xtensa targets have a set of tests that need a
  system emulator. Aside from adding the compilers as docker images some
  additional work is needed to handle the differences between plain
  linux-user tests which can simply return an exit code to getting the
  results from a qemu-system emulation. Some architectures have
  semi-hosting support already for this while others report their test
  status over a simple serial link which will need to be parsed and
  handled in the `run-%:` test rule.

How is that?

Any chance you could look into what it would take to package up the
xtensa toolchain in a docker container? Are they simply tarballs of
binaries?

--
Alex Bennée



Re: [Qemu-devel] [PATCH v3 00/49] qapi: add #if pre-processor conditions to generated code

2018-06-22 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> On Thu, Jun 21, 2018 at 6:47 PM, Markus Armbruster  wrote:
>> I think we can bite off a digestible part of this series:
>> target-independent top-level conditionals.  I think that's PATCH
>> 01-14,31 and applicable parts of 35-37.  The idea is to merge that part
>> quickly, then deal with the (less daunting) remainder.  Marc-André, if
>> you agree with that plan, please respin just that part.  I can continue
>> review of the remainder without a rebase.
>>
>
> That's ok with me, I'll work on it.
> thanks

Please include the relevant part of PATCH 30 "docs: document schema
configuration".  Consider squashing it into PATCH 03.



Re: [Qemu-devel] [RFC PATCH] travis: Do not waste time cloning unused submodules

2018-06-22 Thread Alex Bennée


Philippe Mathieu-Daudé  writes:

> Builds only require:
> - dtc
> - keycodemapdb
> - capstone
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Some tests might require ROMs. Can they clone submodules only when required?
> ---
>  .travis.yml | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/.travis.yml b/.travis.yml
> index fabfe9ec34..415d703c91 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -67,7 +67,7 @@ before_install:
>- if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update ; fi
>- if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew install libffi gettext glib 
> pixman ; fi
>- wget -O - 
> http://people.linaro.org/~alex.bennee/qemu-submodule-git-seed.tar.xz | tar 
> -xvJ
> -  - git submodule update --init --recursive
> +  - git submodule update --init --recursive capstone dtc
> ui/keycodemapdb

Does that mean we could drop the wget hack? That's there mainly because
cloning all the submodules takes some time.

>  before_script:
>- ./configure ${CONFIG} || { cat config.log && exit 1; }
>  script:
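
Review bot: the submodule list on the changed line (capstone dtc ui/keycodemapdb) is now hard-coded in .travis.yml, so a build that later needs another submodule fails only once CI runs; a comment saying where the list comes from would help whoever has to extend it. The context line above it still pipes http://people.linaro.org/~alex.bennee/qemu-submodule-git-seed.tar.xz straight into tar over plain HTTP with no checksum, and with only three submodules left to clone that seed step looks like a candidate for removal in the same patch.
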


--
Alex Bennée



Re: [Qemu-devel] [RFC PATCH] travis: Do not waste time cloning unused submodules

2018-06-22 Thread Peter Maydell
On 22 June 2018 at 03:15, Philippe Mathieu-Daudé  wrote:
> Builds only require:
> - dtc
> - keycodemapdb
> - capstone
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Some tests might require ROMs. Can they clone submodules only when required?

In general the ROM blobs should be in the main git repo; the submodules
are only the source for recompiling the blobs, I think.

thanks
-- PMM



Re: [Qemu-devel] [PATCH 0/5] Misc sm501 improvements

2018-06-22 Thread Gerd Hoffmann
On Thu, Jun 21, 2018 at 10:37:10PM -0300, Philippe Mathieu-Daudé wrote:
> Cc'ing Gerd who maintains many hw/display/ files.
> 
> On 06/21/2018 09:51 PM, David Gibson wrote:
> > On Thu, Jun 21, 2018 at 10:08:21AM +0200, BALATON Zoltan wrote:
> >> These are fixes to sm501 emulation that were found while testing with
> >> AmigaOS 4.1FE (AmigaOS 4 is known to work on real hardware but we have
> >> no way to verify it against hardware). While this is mainly to improve
> >> sam460ex emulation this is now a separate series with the sm501
> >> specific patches because that's also used on SH emulation. I hope
> >> someone can review and merge this.
> [...]
> > hw/display/sm501.c | 166
> +++--
> > 
> > I'm not really familiar with the sm501 hardware, so I can't speak to
> > these technically, beyond the fact that there's nothing obviously
> > bogus.
> > 
> > I can say that BALATON Zoltan is the only person who's made
> > non-trivial changes to sm501 lately, and there don't seem to have been
> > any screams, so I'm pretty happy to assume he knows what he's doing.

Changes all look sane to me even without having sm501 specs at hand.

cheers,
  Gerd




Re: [Qemu-devel] [PATCH 01/23] ppc/pnv: introduce a new intc_create() operation to the chip model

2018-06-22 Thread Greg Kurz
Hi David,

I'm a bit confused by this massive post... it doesn't have any cover letter, but
it contains all the patches you recently pushed to ppc-for-3.0. Was it supposed
to be a pull request ?

Cheers,

--
Greg

On Fri, 22 Jun 2018 14:24:15 +1000
David Gibson  wrote:

> From: Cédric Le Goater 
> 
> On Power9, the thread interrupt presenter has a different type and is
> linked to the chip owning the cores.
> 
> Signed-off-by: Cédric Le Goater 
> Signed-off-by: David Gibson 
> ---
>  hw/ppc/pnv.c | 21 +++--
>  hw/ppc/pnv_core.c| 18 +-
>  include/hw/ppc/pnv.h |  1 +
>  3 files changed, 29 insertions(+), 11 deletions(-)
> 
> diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
> index 0d2b79f798..c7e127ae97 100644
> --- a/hw/ppc/pnv.c
> +++ b/hw/ppc/pnv.c
> @@ -671,6 +671,13 @@ static uint32_t pnv_chip_core_pir_p8(PnvChip *chip, 
> uint32_t core_id)
>  return (chip->chip_id << 7) | (core_id << 3);
>  }
>  
> +static Object *pnv_chip_power8_intc_create(PnvChip *chip, Object *child,
> +   Error **errp)
> +{
> +return icp_create(child, TYPE_PNV_ICP, XICS_FABRIC(qdev_get_machine()),
> +  errp);
> +}
> +
>  /*
>   *0:48  Reserved - Read as zeroes
>   *   49:52  Node ID
> @@ -686,6 +693,12 @@ static uint32_t pnv_chip_core_pir_p9(PnvChip *chip, 
> uint32_t core_id)
>  return (chip->chip_id << 8) | (core_id << 2);
>  }
>  
> +static Object *pnv_chip_power9_intc_create(PnvChip *chip, Object *child,
> +   Error **errp)
> +{
> +return NULL;
> +}
> +
>  /* Allowed core identifiers on a POWER8 Processor Chip :
>   *
>   * 
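
Review bot: pnv_chip_power9_intc_create() returns NULL without setting errp, so a caller cannot tell "POWER9 has no presenter yet" from a failed creation, and whatever stores the result ends up holding a NULL interrupt controller. Either call error_setg(errp, ...) until the POWER9 presenter exists, or add a comment stating that NULL is a valid result that callers must accept.
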
> @@ -721,6 +734,7 @@ static void pnv_chip_power8e_class_init(ObjectClass 
> *klass, void *data)
>  k->chip_cfam_id = 0x221ef0498000ull;  /* P8 Murano DD2.1 */
>  k->cores_mask = POWER8E_CORE_MASK;
>  k->core_pir = pnv_chip_core_pir_p8;
> +k->intc_create = pnv_chip_power8_intc_create;
>  k->xscom_base = 0x003fc00ull;
>  dc->desc = "PowerNV Chip POWER8E";
>  }
> @@ -734,6 +748,7 @@ static void pnv_chip_power8_class_init(ObjectClass 
> *klass, void *data)
>  k->chip_cfam_id = 0x220ea0498000ull; /* P8 Venice DD2.0 */
>  k->cores_mask = POWER8_CORE_MASK;
>  k->core_pir = pnv_chip_core_pir_p8;
> +k->intc_create = pnv_chip_power8_intc_create;
>  k->xscom_base = 0x003fc00ull;
>  dc->desc = "PowerNV Chip POWER8";
>  }
> @@ -747,6 +762,7 @@ static void pnv_chip_power8nvl_class_init(ObjectClass 
> *klass, void *data)
>  k->chip_cfam_id = 0x120d30498000ull;  /* P8 Naples DD1.0 */
>  k->cores_mask = POWER8_CORE_MASK;
>  k->core_pir = pnv_chip_core_pir_p8;
> +k->intc_create = pnv_chip_power8_intc_create;
>  k->xscom_base = 0x003fc00ull;
>  dc->desc = "PowerNV Chip POWER8NVL";
>  }
> @@ -760,6 +776,7 @@ static void pnv_chip_power9_class_init(ObjectClass 
> *klass, void *data)
>  k->chip_cfam_id = 0x220d10498000ull; /* P9 Nimbus DD2.0 */
>  k->cores_mask = POWER9_CORE_MASK;
>  k->core_pir = pnv_chip_core_pir_p9;
> +k->intc_create = pnv_chip_power9_intc_create;
>  k->xscom_base = 0x00603fcull;
>  dc->desc = "PowerNV Chip POWER9";
>  }
> @@ -892,8 +909,8 @@ static void pnv_chip_core_realize(PnvChip *chip, Error 
> **errp)
>  object_property_set_int(OBJECT(pnv_core),
>  pcc->core_pir(chip, core_hwid),
>  "pir", &error_fatal);
> -object_property_add_const_link(OBJECT(pnv_core), "xics",
> -   qdev_get_machine(), &error_fatal);
> +object_property_add_const_link(OBJECT(pnv_core), "chip",
> +   OBJECT(chip), &error_fatal);
>  object_property_set_bool(OBJECT(pnv_core), true, "realized",
>   &error_fatal);
>  object_unref(OBJECT(pnv_core));
> diff --git a/hw/ppc/pnv_core.c b/hw/ppc/pnv_core.c
> index f7cf33f547..a9f129fc2c 100644
> --- a/hw/ppc/pnv_core.c
> +++ b/hw/ppc/pnv_core.c
> @@ -99,13 +99,14 @@ static const MemoryRegionOps pnv_core_xscom_ops = {
>  .endianness = DEVICE_BIG_ENDIAN,
>  };
>  
> -static void pnv_realize_vcpu(PowerPCCPU *cpu, XICSFabric *xi, Error **errp)
> +static void pnv_realize_vcpu(PowerPCCPU *cpu, PnvChip *chip, Error **errp)
>  {
>  CPUPPCState *env = &cpu->env;
>  int core_pir;
>  int thread_index = 0; /* TODO: TCG supports only one thread */
>  ppc_spr_t *pir = &env->spr_cb[SPR_PIR];
>  Error *local_err = NULL;
> +PnvChipClass *pcc = PNV_CHIP_GET_CLASS(chip);
>  
>  object_property_set_bool(OBJECT(cpu), true, "realized", &local_err);
>  if (local_err) {
> @@ -113,7 +114,7 @@ static void pnv_realize_vcpu(PowerPCCPU *cpu, XICSFabric 
> *xi, Error **errp)
>  return;
>  }
>  
> -cpu->intc = icp_create(OBJECT(cpu), TYPE_PNV_ICP, xi, &local_err);
> +cpu-

Re: [Qemu-devel] [PATCH 5/5] sm501: Fix support for non-zero frame buffer start address

2018-06-22 Thread BALATON Zoltan

On Thu, 21 Jun 2018, BALATON Zoltan wrote:

Display updates and drawing hardware cursor did not work when frame
buffer address was non-zero. Fix this by taking the frame buffer
address into account in these cases. This fixes screen dragging on
AmigaOS. Based on patch by Sebastian Bauer.

Signed-off-by: Sebastian Bauer 
Signed-off-by: BALATON Zoltan 
---
hw/display/sm501.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)


I've just noticed this seems to break Linux framebuffer for some reason. I 
got this backtrace:


#0  raise () from /lib64/libc.so.6
#1  abort () from /lib64/libc.so.6
#2  qemu_get_ram_block (addr=2685665280) at exec.c:1296
#3  tlb_reset_dirty_range_all (start=2685665280, length=256000) at exec.c:1330
#4  cpu_physical_memory_snapshot_and_clear_dirty (start=2685665280, 
length=256000, client=0) at exec.c:1420
#5  memory_region_snapshot_and_clear_dirty (mr=0x56b42f20, addr=2147483648, 
size=256000, client=0)
at memory.c:2017
#6  sm501_update_display (opaque=0x56b42f00) at hw/display/sm501.c:1644
#7  graphic_hw_update (con=0x56c3e660) at ui/console.c:267
#8  sdl2_2d_refresh (dcl=0x57076120) at ui/sdl2-2d.c:128
#9  dpy_refresh (s=0x56c3e5f0) at ui/console.c:1658
#10 gui_update (opaque=0x56c3e5f0) at ui/console.c:205
#11 timerlist_run_timers (timer_list=0x5691a7e0) at util/qemu-timer.c:536
#12 qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at util/qemu-timer.c:674
#14 main_loop_wait (nonblocking=0) at util/main-loop.c:503
#15 main_loop () at vl.c:1848
#16 main (argc=17, argv=0x7fffdf68, envp=0x7fffdff8) at vl.c:4600

with this error:

Bad ram offset a014

after sm501 driver in Linux is set up. Any ideas? Maybe something is not 
initialised correctly?


Regards,
BALATON Zoltan


diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index e426d2f..acc26f6 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -578,6 +578,11 @@ static uint32_t get_local_mem_size_index(uint32_t size)
return index;
}

+static ram_addr_t get_fb_addr(SM501State *s, int crt)
+{
+return crt ? s->dc_crt_fb_addr : s->dc_panel_fb_addr;
+}
+
static inline int get_width(SM501State *s, int crt)
{
int width = crt ? s->dc_crt_h_total : s->dc_panel_h_total;
@@ -680,7 +685,8 @@ static inline void hwc_invalidate(SM501State *s, int crt)
start *= w * bpp;
end *= w * bpp;

-memory_region_set_dirty(&s->local_mem_region, start, end - start);
+memory_region_set_dirty(&s->local_mem_region,
+get_fb_addr(s, crt) + start, end - start);
}

static void sm501_2d_operation(SM501State *s)
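
Review bot: in hwc_invalidate(), get_fb_addr(s, crt) + start is handed to memory_region_set_dirty() with no check that the range still lies inside local_mem_region. The frame buffer address is device state set up by the guest driver, so validate it against the size of local memory before marking the range dirty.
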
@@ -1577,7 +1583,7 @@ static void sm501_update_display(void *opaque)
draw_hwc_line_func *draw_hwc_line = NULL;
int full_update = 0;
int y_start = -1;
-ram_addr_t offset = 0;
+ram_addr_t offset;
uint32_t *palette;
uint8_t hwc_palette[3 * 3];
uint8_t *hwc_src = NULL;
@@ -1634,9 +1640,10 @@ static void sm501_update_display(void *opaque)
}

/* draw each line according to conditions */
+offset = get_fb_addr(s, crt);
snap = memory_region_snapshot_and_clear_dirty(&s->local_mem_region,
  offset, width * height * src_bpp, DIRTY_MEMORY_VGA);
-for (y = 0, offset = 0; y < height; y++, offset += width * src_bpp) {
+for (y = 0; y < height; y++, offset += width * src_bpp) {
int update, update_hwc;

/* check if hardware cursor is enabled and we're within its range */
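
Review bot: offset = get_fb_addr(s, crt) is used as a raw offset into local_mem_region, but the backtrace earlier in this message shows memory_region_snapshot_and_clear_dirty() called with addr=2147483648 (0x80000000) and size=256000, ending in abort() in qemu_get_ram_block(). The stored value therefore cannot be used as it is: reduce it to an offset within local memory, and reject or clamp the update when offset + width * height * src_bpp exceeds the region size, before taking the snapshot.
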





[Qemu-devel] [PATCH v4] xilinx_spips: Make dma transactions as per dma_burst_size

2018-06-22 Thread Sai Pavan Boddu
From: Sai Pavan Boddu 

Qspi dma has a burst length of 64 bytes, so limit the transactions w.r.t
dma-burst-size property.

Signed-off-by: Sai Pavan Boddu 
Reviewed-by: Edgar E. Iglesias 
---
Changes for V2:
   Remove dynamic allocation of dma_buf and limit burst size to 2k 
Changes for V3:
   Instead of proceeding with max burst size, report user the error.
Changes for V4:
   move dma_buf to the bottom of XlnxZynqMPQSPIPS

 hw/ssi/xilinx_spips.c | 23 ---
 include/hw/ssi/xilinx_spips.h |  5 -
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 03f5fae..d6ca36e 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -851,12 +851,17 @@ static void xlnx_zynqmp_qspips_notify(void *opaque)
 {
 size_t ret;
 uint32_t num;
-const void *rxd = pop_buf(recv_fifo, 4, &num);
+const void *rxd;
+int len;
+
+len = recv_fifo->num >= rq->dma_burst_size ? rq->dma_burst_size :
+   recv_fifo->num;
+rxd = pop_buf(recv_fifo, len, &num);
 
 memcpy(rq->dma_buf, rxd, num);
 
-ret = stream_push(rq->dma, rq->dma_buf, 4);
-assert(ret == 4);
+ret = stream_push(rq->dma, rq->dma_buf, num);
+assert(ret == num);
 xlnx_zynqmp_qspips_check_flush(rq);
 }
 }
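
Review bot: len is declared int while rq->dma_burst_size is a uint32_t, and the ternary is an open-coded minimum; MIN(recv_fifo->num, rq->dma_burst_size) with an unsigned len reads more clearly. The memcpy() into rq->dma_buf is safe only because realize rejects burst sizes above QSPI_DMA_MAX_BURST_SIZE, so an assert(num <= sizeof(rq->dma_buf)) before the copy would keep that bound visible where it matters.
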
@@ -1333,6 +1338,12 @@ static void xlnx_zynqmp_qspips_realize(DeviceState *dev, 
Error **errp)
 XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(dev);
 XilinxSPIPSClass *xsc = XILINX_SPIPS_GET_CLASS(s);
 
+if (s->dma_burst_size > QSPI_DMA_MAX_BURST_SIZE) {
+error_setg(errp,
+   "qspi dma burst size %u exceeds maximum limit %d",
+   s->dma_burst_size, QSPI_DMA_MAX_BURST_SIZE);
+return;
+}
 xilinx_qspips_realize(dev, errp);
 fifo8_create(&s->rx_fifo_g, xsc->rx_fifo_size);
 fifo8_create(&s->tx_fifo_g, xsc->tx_fifo_size);
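
Review bot: the new check rejects only values above QSPI_DMA_MAX_BURST_SIZE, so dma-burst-size=0 is accepted; in xlnx_zynqmp_qspips_notify() that makes len 0, and pop_buf() and stream_push() are then called for zero bytes with nothing leaving the FIFO. Reject 0 in realize as well. The format string also prints the property with %u and the limit with %d, which works for 2048 but is better kept consistent.
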
@@ -1411,6 +1422,11 @@ static const VMStateDescription 
vmstate_xlnx_zynqmp_qspips = {
 }
 };
 
+static Property xilinx_zynqmp_qspips_properties[] = {
+DEFINE_PROP_UINT32("dma-burst-size", XlnxZynqMPQSPIPS, dma_burst_size, 64),
+DEFINE_PROP_END_OF_LIST(),
+};
+
 static Property xilinx_qspips_properties[] = {
 /* We had to turn this off for 2.10 as it is not compatible with migration.
  * It can be enabled but will prevent the device to be migrated.
@@ -1463,6 +1479,7 @@ static void xlnx_zynqmp_qspips_class_init(ObjectClass 
*klass, void * data)
 dc->realize = xlnx_zynqmp_qspips_realize;
 dc->reset = xlnx_zynqmp_qspips_reset;
 dc->vmsd = &vmstate_xlnx_zynqmp_qspips;
+dc->props = xilinx_zynqmp_qspips_properties;
 xsc->reg_ops = &xlnx_zynqmp_qspips_ops;
 xsc->rx_fifo_size = RXFF_A_Q;
 xsc->tx_fifo_size = TXFF_A_Q;
diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h
index d398a4e..a0a0ae7 100644
--- a/include/hw/ssi/xilinx_spips.h
+++ b/include/hw/ssi/xilinx_spips.h
@@ -37,6 +37,8 @@ typedef struct XilinxSPIPS XilinxSPIPS;
 /* Bite off 4k chunks at a time */
 #define LQSPI_CACHE_SIZE 1024
 
+#define QSPI_DMA_MAX_BURST_SIZE 2048
+
 typedef enum {
 READ = 0x3, READ_4 = 0x13,
 FAST_READ = 0xb,FAST_READ_4 = 0x0c,
@@ -95,7 +97,6 @@ typedef struct {
 XilinxQSPIPS parent_obj;
 
 StreamSlave *dma;
-uint8_t dma_buf[4];
 int gqspi_irqline;
 
 uint32_t regs[XLNX_ZYNQMP_SPIPS_R_MAX];
@@ -113,6 +114,8 @@ typedef struct {
 uint8_t rx_fifo_g_align;
 uint8_t tx_fifo_g_align;
 bool man_start_com_g;
+uint32_t dma_burst_size;
+uint8_t dma_buf[QSPI_DMA_MAX_BURST_SIZE];
 } XlnxZynqMPQSPIPS;
 
 typedef struct XilinxSPIPSClass {
-- 
2.7.4




Re: [Qemu-devel] [PATCH v3 1/1] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread Cornelia Huck
On Thu, 21 Jun 2018 22:34:49 +0200
Christian Borntraeger  wrote:

> On 06/21/2018 07:08 PM, Paolo Bonzini wrote:
> > On 21/06/2018 19:01, Christian Borntraeger wrote:  
> >> kexec/kdump as well as the bootloader use a subcode of diagnose 308
> >> that is supposed to reset the subsystem but not comprise a full
> >> "reboot". With the latest refactoring this is now broken when
> >> -no-reboot is used. This for example breaks virt-install from
> >> iso images.
> >>
> >> We need to mark these "soft" reboots as ok for rebooting.
> >>
> >> Fixes: a30fb811cbe9 (s390x: refactor reset/reipl handling)
> >> Signed-off-by: Christian Borntraeger   
> > 
> > Ok, then my suggestion made even more sense. :)  No other objections
> > apart from the name of the constant.
> > 
> > Paolo  
> 
> SHUTDOWN_CAUSE_S390_PARTIAL ?

Don't like that one much.

> 
> SHUTDOWN_CAUSE_S390_SUBSYS_RESET?

Either that, or drop the 'S390' (is it conceivable that other
architectures have something similar)?

> 
> 
> >   
> >> ---
> >>  hw/s390x/ipl.c  | 8 +++-
> >>  include/sysemu/sysemu.h | 3 +++
> >>  vl.c| 4 ++--
> >>  3 files changed, 12 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
> >> index 0d67349004..ade6896af6 100644
> >> --- a/hw/s390x/ipl.c
> >> +++ b/hw/s390x/ipl.c
> >> @@ -535,7 +535,13 @@ void s390_ipl_reset_request(CPUState *cs, enum 
> >> s390_reset reset_type)
> >>  ipl->iplb_valid = s390_gen_initial_iplb(ipl);
> >>  }
> >>  }
> >> -qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
> >> +if (reset_type == S390_RESET_MODIFIED_CLEAR ||
> >> +reset_type == S390_RESET_LOAD_NORMAL) {
> >> +/* ignore -no-reboot */
> >> +qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET_FORCE);
> >> +} else {
> >> +qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
> >> +}
> >>  /* as this is triggered by a CPU, make sure to exit the loop */
> >>  if (tcg_enabled()) {
> >>  cpu_loop_exit(cs);
> >> diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
> >> index e893f72f3b..345369d924 100644
> >> --- a/include/sysemu/sysemu.h
> >> +++ b/include/sysemu/sysemu.h
> >> @@ -44,6 +44,9 @@ typedef enum ShutdownCause {
> >>   turns that into a shutdown */
> >>  SHUTDOWN_CAUSE_GUEST_PANIC,   /* Guest panicked, and command line 
> >> turns
> >>   that into a shutdown */
> >> +SHUTDOWN_CAUSE_GUEST_RESET_FORCE,/* Guest reset that should ignore
> >> +--no-reboot. This is useful for 
> >> reset
> >> +like actions as s390 kexec/kdump 
> >> */
> >>  SHUTDOWN_CAUSE__MAX,
> >>  } ShutdownCause;
> >>  
> >> diff --git a/vl.c b/vl.c
> >> index b3426e03d0..44e65071bc 100644
> >> --- a/vl.c
> >> +++ b/vl.c
> >> @@ -1628,7 +1628,7 @@ void qemu_system_reset(ShutdownCause reason)
> >>  } else {
> >>  qemu_devices_reset();
> >>  }
> >> -if (reason) {
> >> +if (reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE) {
> >>  qapi_event_send_reset(shutdown_caused_by_guest(reason),
> >>&error_abort);
> >>  }
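
Review bot: replacing "if (reason)" with "if (reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE)" changes more than the new case. The old test skipped the reset event whenever reason was zero; the new one sends it for a zero reason as well. If the intent is only to silence the forced guest reset in addition, the condition needs both parts: reason && reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE.
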
> >> @@ -1674,7 +1674,7 @@ void 
> >> qemu_system_guest_panicked(GuestPanicInformation *info)
> >>  
> >>  void qemu_system_reset_request(ShutdownCause reason)
> >>  {
> >> -if (no_reboot) {
> >> +if (no_reboot && reason != SHUTDOWN_CAUSE_GUEST_RESET_FORCE) {
> >>  shutdown_requested = reason;
> >>  } else {
> >>  reset_requested = reason;
> >>  
> >   
> 

The patch looks sane to me.



Re: [Qemu-devel] [PULL v2 0/9] bitmap export over NBD

2018-06-22 Thread Peter Maydell
On 21 June 2018 at 15:57, Eric Blake  wrote:
> The following changes since commit 46012db666990ff2eed1d3dc199ab8006439a93b:
>
>   Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180619' into 
> staging (2018-06-20 09:51:30 +0100)
>
> are available in the Git repository at:
>
>   git://repo.or.cz/qemu/ericb.git tags/pull-nbd-2018-06-20-v2
>
> for you to fetch changes up to bc37b06a5cde24fb24c2a2cc44dd86756034ba9d:
>
>   nbd/server: introduce NBD_CMD_CACHE (2018-06-21 09:41:39 -0500)
>
> Only sending the new patches (2, 9) and the changed patch (6, was 5/7
> in v1)
>
> 
> nbd patches for 2018-06-20
>
> Add experimental x-nbd-server-add-bitmap to expose a disabled
> bitmap over NBD, in preparation for a pull model incremental
> backup scheme. Also fix a corner case protocol issue with
> NBD_CMD_BLOCK_STATUS, and add new NBD_CMD_CACHE.
>
> - Eric Blake: tests: Simplify .gitignore
> - Eric Blake: nbd/server: Reject 0-length block status request
> - Vladimir Sementsov-Ogievskiy: 0/6 NBD export bitmaps
> - Vladimir Sementsov-Ogievskiy: nbd/server: introduce NBD_CMD_CACHE
>
Applied, thanks.

-- PMM



Re: [Qemu-devel] [PATCH v3 1/1] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread Paolo Bonzini
On 22/06/2018 11:46, Cornelia Huck wrote:
>>> Ok, then my suggestion made even more sense. :)  No other objections
>>> apart from the name of the constant.
>>>
>>> Paolo  
>> SHUTDOWN_CAUSE_S390_PARTIAL ?
> Don't like that one much.
> 
>> SHUTDOWN_CAUSE_S390_SUBSYS_RESET?
> Either that, or drop the 'S390' (is it conceivable that other
> architectures have something similar)?
> 

I don't know exactly what is going on here, so I'm not very suited to
answer this.  The difference just from reading the C code seems to be
that it calls s390_cpu_load_normal instead of s390_ipl_prepare_cpu, and
that it calls subsystem_reset instead of qemu_devices_reset.

For a more generic name I'd go with SHUTDOWN_CAUSE_OS_BOOT (or
OS_BOOTING, or BOOT_OS), but an s390-specific name is of course fine as
well, especially if you have a specific moniker for the "thing that IPL
gives control to".

Paolo



Re: [Qemu-devel] [Qemu-arm] [PATCH v3 0/8] arm: implement TZ MPC

2018-06-22 Thread Peter Maydell
On 20 June 2018 at 14:20, Peter Maydell  wrote:
> Hi; this is v3 of my iommu patchset. All the IOMMU stuff is now
> in master, so the remaining part is just implementing and using
> the Trustzone Memory Protection Controller in the mps2-an505.
>
> Changes from v2 to v3 (all fairly minor):
>  * add new variable to clarify sense of LUT bits
>  * only autoinc the IDX register if CTRL.AUTOINC is set
>  * NS accesses should see IDregs only
>(The datasheet is unclear on the exact behaviour on an
>NS access to a non-ID register, so I've made a best guess
>and had them RAZ/WI. This behaviour is not reachable for
>the mps2-an505 anyway, so it doesn't really matter.)



Applied to target-arm.next, thanks.

-- PMM



Re: [Qemu-devel] [PATCH v3 1/1] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread Christian Borntraeger



On 06/22/2018 11:59 AM, Paolo Bonzini wrote:
> On 22/06/2018 11:46, Cornelia Huck wrote:
>>>> Ok, then my suggestion made even more sense. :)  No other objections
>>>> apart from the name of the constant.
>>>>
>>>> Paolo  
>>> SHUTDOWN_CAUSE_S390_PARTIAL ?
>> Don't like that one much.
>>
>>> SHUTDOWN_CAUSE_S390_SUBSYS_RESET?
>> Either that, or drop the 'S390' (is it conceivable that other
>> architectures have something similar)?
>>
> 
> I don't know exactly what is going on here, so I'm not very suited to
> answer this.  The difference just from reading the C code seems to be
> that it calls s390_cpu_load_normal instead of s390_ipl_prepare_cpu, and
> that it calls subsystem_reset instead of qemu_devices_reset.
> 
> For a more generic name I'd go with SHUTDOWN_CAUSE_OS_BOOT (or
> OS_BOOTING, or BOOT_OS), but an s390-specific name is of course fine as
> well, especially if you have a specific moniker for the "thing that IPL

It is not a BOOT, it is in fact a reset just to the devices.
Right now I favor

SHUTDOWN_CAUSE_SUBSYSTEM_RESET




Re: [Qemu-devel] [PATCH v2 0/2] Strict alignment for ARMv6-M and ARMv8-M Baseline

2018-06-22 Thread Peter Maydell
On 22 June 2018 at 09:01, Julia Suvorova  wrote:
> v2:
> * Added feature bit for the Main Extension
> * Alignment patch is modified to use ARM_FEATURE_M_MAIN
>
> Julia Suvorova (2):
>   target/arm: Introduce ARM_FEATURE_M_MAIN
>   target/arm: Strict alignment for ARMv6-M and ARMv8-M Baseline
>
>  target/arm/cpu.c   |  3 +++
>  target/arm/cpu.h   |  1 +
>  target/arm/translate.c | 18 --
>  3 files changed, 20 insertions(+), 2 deletions(-)



Applied to target-arm.next, thanks.

-- PMM



Re: [Qemu-devel] [PATCH v3 1/1] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread David Hildenbrand
On 22.06.2018 12:10, Christian Borntraeger wrote:
> 
> 
> On 06/22/2018 11:59 AM, Paolo Bonzini wrote:
>> On 22/06/2018 11:46, Cornelia Huck wrote:
>>>>> Ok, then my suggestion made even more sense. :)  No other objections
>>>>> apart from the name of the constant.
>>>>>
>>>>> Paolo
>>>> SHUTDOWN_CAUSE_S390_PARTIAL ?
>>> Don't like that one much.
>>>
>>>> SHUTDOWN_CAUSE_S390_SUBSYS_RESET?
>>> Either that, or drop the 'S390' (is it conceivable that other
>>> architectures have something similar)?
>>>
>>
>> I don't know exactly what is going on here, so I'm not very suited to
>> answer this.  The difference just from reading the C code seems to be
>> that it calls s390_cpu_load_normal instead of s390_ipl_prepare_cpu, and
>> that it calls subsystem_reset instead of qemu_devices_reset.
>>
>> For a more generic name I'd go with SHUTDOWN_CAUSE_OS_BOOT (or
>> OS_BOOTING, or BOOT_OS), but an s390-specific name is of course fine as
>> well, especially if you have a specific moniker for the "thing that IPL
> 
> It is not a BOOT, it is in fact a reset just to the devices.
> Right now I favor
> 
> SHUTDOWN_CAUSE_SUBSYSTEM_RESET
> 

+1

-- 

Thanks,

David / dhildenb



Re: [Qemu-devel] [PATCH v3 10/19] linux-user: Propagate goto unimplemented to default

2018-06-22 Thread Peter Maydell
On 12 June 2018 at 01:51, Richard Henderson
 wrote:
> There is no point in listing a syscall if you want the same effect as
> not listing it.  In one less trivial case, the goto was demonstrably
> not reachable.
>
> Signed-off-by: Richard Henderson 
> ---
>  linux-user/syscall.c | 144 +--
>  1 file changed, 1 insertion(+), 143 deletions(-)
>
Reviewed-by: Peter Maydell 

thanks
-- PMM



[Qemu-devel] [RFC 1/5] hw/arm/virt: Allocate device_memory

2018-06-22 Thread Eric Auger
We define a new hotpluggable RAM region (aka. device memory).
Its base is 2TB GPA. This obviously requires 42b IPA support
in KVM/ARM, FW and guest kernel. At the moment the device
memory region is max 2TB.

This is largely inspired by device memory initialization in
pc machine code.

Signed-off-by: Eric Auger 
Signed-off-by: Kwangwoo Lee 
---
 hw/arm/virt.c | 105 --
 include/hw/arm/arm.h  |   2 +
 include/hw/arm/virt.h |   1 +
 3 files changed, 80 insertions(+), 28 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 8c001c1..a251054 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -59,6 +59,7 @@
 #include "qapi/visitor.h"
 #include "standard-headers/linux/input.h"
 #include "hw/arm/smmuv3.h"
+#include "hw/acpi/acpi.h"
 
 #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
 static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -94,34 +95,25 @@
 
 #define PLATFORM_BUS_NUM_IRQS 64
 
-/* RAM limit in GB. Since VIRT_MEM starts at the 1GB mark, this means
- * RAM can go up to the 256GB mark, leaving 256GB of the physical
- * address space unallocated and free for future use between 256G and 512G.
- * If we need to provide more RAM to VMs in the future then we need to:
- *  * allocate a second bank of RAM starting at 2TB and working up
- *  * fix the DT and ACPI table generation code in QEMU to correctly
- *report two split lumps of RAM to the guest
- *  * fix KVM in the host kernel to allow guests with >40 bit address spaces
- * (We don't want to fill all the way up to 512GB with RAM because
- * we might want it for non-RAM purposes later. Conversely it seems
- * reasonable to assume that anybody configuring a VM with a quarter
- * of a terabyte of RAM will be doing it on a host with more than a
- * terabyte of physical address space.)
- */
-#define RAMLIMIT_GB 255
-#define RAMLIMIT_BYTES (RAMLIMIT_GB * 1024ULL * 1024 * 1024)
+#define SZ_64K 0x1
+#define SZ_1G (1024ULL * 1024 * 1024)
 
 /* Addresses and sizes of our components.
- * 0..128MB is space for a flash device so we can run bootrom code such as 
UEFI.
- * 128MB..256MB is used for miscellaneous device I/O.
- * 256MB..1GB is reserved for possible future PCI support (ie where the
- * PCI memory window will go if we add a PCI host controller).
- * 1GB and up is RAM (which may happily spill over into the
- * high memory region beyond 4GB).
- * This represents a compromise between how much RAM can be given to
- * a 32 bit VM and leaving space for expansion and in particular for PCI.
- * Note that devices should generally be placed at multiples of 0x1,
+ * 0..128MB is space for a flash device so we can run bootrom code such as 
UEFI,
+ * 128MB..256MB is used for miscellaneous device I/O,
+ * 256MB..1GB is used for PCI host controller,
+ * 1GB..256GB is RAM (not hotpluggable),
+ * 256GB..512GB: is left for device I/O (non RAM purpose),
+ * 512GB..1TB: high mem PCI MMIO region,
+ * 2TB..4TB is used for hot-pluggable DIMM (assumes 42b GPA is supported).
+ *
+ * Note that IO devices should generally be placed at multiples of 0x1,
  * to accommodate guests using 64K pages.
+ *
+ * Conversely it seems reasonable to assume that anybody configuring a VM
+ * with a quarter of a terabyte of RAM will be doing it on a host with more
+ * than a terabyte of physical address space.)
+ *
  */
 static const MemMapEntry a15memmap[] = {
 /* Space up to 0x800 is reserved for a boot ROM */
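Review bot: the rewritten layout comment ends with a sentence left over from the removed RAMLIMIT_GB comment: "Conversely it seems reasonable to assume ... physical address space.)" no longer has a preceding statement to contrast with, and it keeps a closing parenthesis whose opening one was deleted. Either drop it or reword it as a standalone rationale. The list also jumps from "512GB..1TB" to "2TB..4TB"; stating explicitly that 1TB..2TB is unused would make the map complete.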
@@ -148,9 +140,11 @@ static const MemMapEntry a15memmap[] = {
 [VIRT_PCIE_MMIO] =  { 0x1000, 0x2eff },
 [VIRT_PCIE_PIO] =   { 0x3eff, 0x0001 },
 [VIRT_PCIE_ECAM] =  { 0x3f00, 0x0100 },
-[VIRT_MEM] ={ 0x4000, RAMLIMIT_BYTES },
+/* 255GB RAM */
+[VIRT_MEM] ={ SZ_1G , 255 * SZ_1G },
 /* Second PCIe window, 512GB wide at the 512GB boundary */
-[VIRT_PCIE_MMIO_HIGH] =   { 0x80ULL, 0x80ULL },
+[VIRT_PCIE_MMIO_HIGH] = { 512 * SZ_1G, 512 * SZ_1G },
+[VIRT_HOTPLUG_MEM] ={ 2048 * SZ_1G, 2048 * SZ_1G },
 };
 
 static const int a15irqmap[] = {
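Review bot: the new VIRT_HOTPLUG_MEM entry is the only one touched in this hunk that has no comment, although it is the one with a precondition (the layout comment above says it assumes 42b GPA). A one-line comment on the entry, as VIRT_MEM and VIRT_PCIE_MMIO_HIGH have, would keep that requirement next to the value. Style nit: `{ SZ_1G , 255 * SZ_1G }` has a stray space before the comma.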
@@ -1166,6 +1160,58 @@ static void create_secure_ram(VirtMachineState *vms,
 g_free(nodename);
 }
 
+static void create_device_memory(VirtMachineState *vms, MemoryRegion *sysmem)
+{
+MachineState *ms = MACHINE(vms);
+uint64_t device_memory_size;
+uint64_t align = SZ_64K;
+
+/* always allocate the device memory information */
+ms->device_memory = g_malloc0(sizeof(*ms->device_memory));
+
+if (vms->max_vm_phys_shift < 42) {
+/* device memory starts at 2TB whereas this VM supports less than
+ * 2TB GPA */
+if (ms->maxram_size > ms->ram_size || ms->ram_slots) {
+MachineClass *mc = MACHINE_GET_CLASS(ms);
+
+error_report("\"-memory 'slots|maxmem'\" is not supported by %s "
+ "since KVM does not support more tha
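Review bot: the literal 42 in `vms->max_vm_phys_shift < 42` restates the 2TB..4TB placement of VIRT_HOTPLUG_MEM by hand, so moving or resizing that memmap entry would silently leave this check stale. Consider deriving the required shift from the entry's base and size, or at least using a named constant defined beside the memmap. The rest of this function is cut off in this copy of the mail, so the error path cannot be reviewed here.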

[Qemu-devel] [RFC 3/5] hw/arm/boot: introduce fdt_add_memory_node helper

2018-06-22 Thread Eric Auger
From: Shameer Kolothum 

We introduce a helper to create a memory node. Also we nop
existing /memory node in numa and non numa case.

Signed-off-by: Eric Auger 
Signed-off-by: Shameer Kolothum 

---

the nop related change should disappear if the following series
lands upstream:
[PATCH v2 0/3] ARM virt: Silence dtc warnings
---
 hw/arm/boot.c | 70 +--
 1 file changed, 39 insertions(+), 31 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 1e48166..cc425ce 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -413,6 +413,36 @@ static void set_kernel_args_old(const struct arm_boot_info 
*info,
 }
 }
 
+static int fdt_add_memory_node(void *fdt, uint32_t acells, hwaddr mem_base,
+   uint32_t scells, hwaddr mem_len,
+   int numa_node_id)
+{
+char *nodename = NULL;
+int ret;
+
+nodename = g_strdup_printf("/memory@%" PRIx64, mem_base);
+qemu_fdt_add_subnode(fdt, nodename);
+qemu_fdt_setprop_string(fdt, nodename, "device_type", "memory");
+ret = qemu_fdt_setprop_sized_cells(fdt, nodename, "reg", acells, mem_base,
+   scells, mem_len);
+if (ret < 0) {
+fprintf(stderr, "couldn't set %s/reg\n", nodename);
+goto out;
+}
+if (numa_node_id < 0) {
+goto out;
+}
+
+ret = qemu_fdt_setprop_cell(fdt, nodename, "numa-node-id", numa_node_id);
+if (ret < 0) {
+fprintf(stderr, "couldn't set %s/numa-node-id\n", nodename);
+}
+
+out:
+g_free(nodename);
+return ret;
+}
+
 static void fdt_add_psci_node(void *fdt)
 {
 uint32_t cpu_suspend_fn;
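Review bot: fdt_add_memory_node() gives numa_node_id < 0 a special meaning (skip the "numa-node-id" property), and the non-NUMA caller relies on it by passing -1, but nothing documents that. A short comment above the function stating the sentinel and the return convention (negative on failure) would help. Note also that a failure to set "numa-node-id" is now returned to the caller, whereas the code this helper replaces ignored the result of that call; if that is intended it deserves a word in the commit message.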
@@ -492,7 +522,6 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info 
*binfo,
 void *fdt = NULL;
 int size, rc;
 uint32_t acells, scells;
-char *nodename;
 unsigned int i;
 hwaddr mem_base, mem_len;
 
@@ -545,49 +574,28 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info 
*binfo,
 "RAM size > 4GB\n");
 goto fail;
 }
+/*
+ * Turn the /memory node created before into a NOP node, then create
+ * /memory@addr nodes.
+ */
+qemu_fdt_nop_node(fdt, "/memory");
 
 if (nb_numa_nodes > 0) {
-/*
- * Turn the /memory node created before into a NOP node, then create
- * /memory@addr nodes for all numa nodes respectively.
- */
-qemu_fdt_nop_node(fdt, "/memory");
 mem_base = binfo->loader_start;
 for (i = 0; i < nb_numa_nodes; i++) {
 mem_len = numa_info[i].node_mem;
-nodename = g_strdup_printf("/memory@%" PRIx64, mem_base);
-qemu_fdt_add_subnode(fdt, nodename);
-qemu_fdt_setprop_string(fdt, nodename, "device_type", "memory");
-rc = qemu_fdt_setprop_sized_cells(fdt, nodename, "reg",
-  acells, mem_base,
-  scells, mem_len);
+rc = fdt_add_memory_node(fdt, acells, mem_base,
+ scells, mem_len, i);
 if (rc < 0) {
-fprintf(stderr, "couldn't set %s/reg for node %d\n", nodename,
-i);
 goto fail;
 }
 
-qemu_fdt_setprop_cell(fdt, nodename, "numa-node-id", i);
 mem_base += mem_len;
-g_free(nodename);
 }
 } else {
-Error *err = NULL;
-
-rc = fdt_path_offset(fdt, "/memory");
+rc = fdt_add_memory_node(fdt, acells, binfo->loader_start,
+ scells, binfo->ram_size, -1);
 if (rc < 0) {
-qemu_fdt_add_subnode(fdt, "/memory");
-}
-
-if (!qemu_fdt_getprop(fdt, "/memory", "device_type", NULL, &err)) {
-qemu_fdt_setprop_string(fdt, "/memory", "device_type", "memory");
-}
-
-rc = qemu_fdt_setprop_sized_cells(fdt, "/memory", "reg",
-  acells, binfo->loader_start,
-  scells, binfo->ram_size);
-if (rc < 0) {
-fprintf(stderr, "couldn't set /memory/reg\n");
 goto fail;
 }
 }
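Review bot: qemu_fdt_nop_node(fdt, "/memory") now runs on the non-NUMA path too, where the removed code first called fdt_path_offset() and created /memory when it was missing, so that path was evidently expected to cope with a DTB that lacks the node. Please confirm that nopping a non-existent /memory is harmless, or keep the existence check. The change also renames the guest-visible node from /memory to /memory@<base> in the non-NUMA case, which is worth stating in the commit message.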
-- 
2.5.5




[Qemu-devel] [RFC 2/5] hw/arm/virt: Add pc-dimm mem hotplug framework

2018-06-22 Thread Eric Auger
From: Shameer Kolothum 

This patch adds the PC-DIMM hot-plug/hot-unplug infrastructure
in machvirt.

Signed-off-by: Eric Auger 
Signed-off-by: Shameer Kolothum 
Signed-off-by: Kwangwoo Lee 
---
 default-configs/arm-softmmu.mak |  2 ++
 hw/arm/virt.c   | 53 -
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index 7cf73d2..0840a56 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -151,3 +151,5 @@ CONFIG_PCI_DESIGNWARE=y
 CONFIG_STRONGARM=y
 CONFIG_HIGHBANK=y
 CONFIG_MUSICPAL=y
+CONFIG_MEM_HOTPLUG=y
+
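Review bot: this hunk ends by adding an empty line after CONFIG_MEM_HOTPLUG=y, which leaves a blank line at the end of the file. Drop the lone `+` line.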
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index a251054..a6e3b3d 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -60,6 +60,7 @@
 #include "standard-headers/linux/input.h"
 #include "hw/arm/smmuv3.h"
 #include "hw/acpi/acpi.h"
+#include "hw/mem/pc-dimm.h"
 
 #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
 static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -1723,6 +1724,40 @@ static const CPUArchIdList 
*virt_possible_cpu_arch_ids(MachineState *ms)
 return ms->possible_cpus;
 }
 
+static void virt_dimm_plug(HotplugHandler *hotplug_dev,
+   DeviceState *dev, Error **errp)
+{
+PCDIMMDevice *dimm = PC_DIMM(dev);
+PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
+Error *local_err = NULL;
+MemoryRegion *mr;
+uint64_t align;
+
+mr = ddc->get_memory_region(dimm, &local_err);
+if (local_err) {
+goto out;
+}
+
+if (memory_region_get_alignment(mr)) {
+align = memory_region_get_alignment(mr);
+} else {
+/* by default we align on 64KB page size */
+align = SZ_64K;
+}
+
+pc_dimm_memory_plug(dev, MACHINE(hotplug_dev), align, &local_err);
+
+out:
+error_propagate(errp, local_err);
+}
+
+static void virt_dimm_unplug(HotplugHandler *hotplug_dev,
+ DeviceState *dev, Error **errp)
+{
+pc_dimm_memory_unplug(dev, MACHINE(hotplug_dev));
+object_unparent(OBJECT(dev));
+}
+
 static void virt_machine_device_plug_cb(HotplugHandler *hotplug_dev,
 DeviceState *dev, Error **errp)
 {
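Review bot: virt_dimm_unplug() calls pc_dimm_memory_unplug() and object_unparent() immediately and never touches errp, so once it is wired up a DIMM can be removed with no coordination with a guest that may still be using the memory. The cover letter for this series says actual hot-unplug is not supported, so it would be safer for this callback to fail with error_setg(errp, ...) until a guest-visible removal mechanism exists.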
@@ -1734,12 +1769,27 @@ static void virt_machine_device_plug_cb(HotplugHandler 
*hotplug_dev,
  SYS_BUS_DEVICE(dev));
 }
 }
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+virt_dimm_plug(hotplug_dev, dev, errp);
+}
+}
+
+static void virt_machine_device_unplug_cb(HotplugHandler *hotplug_dev,
+  DeviceState *dev, Error **errp)
+{
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+virt_dimm_unplug(hotplug_dev, dev, errp);
+} else {
+error_setg(errp, "device unplug request for unsupported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
 DeviceState *dev)
 {
-if (object_dynamic_cast(OBJECT(dev), TYPE_SYS_BUS_DEVICE)) {
+if (object_dynamic_cast(OBJECT(dev), TYPE_SYS_BUS_DEVICE) ||
+   (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
 return HOTPLUG_HANDLER(machine);
 }
 
@@ -1800,6 +1850,7 @@ static void virt_machine_class_init(ObjectClass *oc, void 
*data)
 assert(!mc->get_hotplug_handler);
 mc->get_hotplug_handler = virt_machine_get_hotplug_handler;
 hc->plug = virt_machine_device_plug_cb;
+hc->unplug = virt_machine_device_unplug_cb;
 }
 
 static const TypeInfo virt_machine_info = {
-- 
2.5.5




[Qemu-devel] [RFC 0/5] ARM virt: Support PC-DIMM at 2TB

2018-06-22 Thread Eric Auger
This series aims at supporting PC-DIMM in machvirt. The device_memory
is set at 2TB. While its max capacity is currently limited to 2TB,
the actual size depends on the initial guest RAM size and maxmem
parameter. Using memory beyond 2TB is possible if KVM, the FW and the
guest supports up to 42 bit IPA/GPA.

Actual hot-plug and hot-unplug of PC-DIMM is not supported due to lack
of support of those features in baremetal.

This series reuses/rebases patches initially submitted by Shameer in [1]
and Kwangwoo in [2].

[1] [RFC v2 0/6] hw/arm: Add support for non-contiguous iova regions
http://patchwork.ozlabs.org/cover/914694/

[2] [RFC PATCH 0/3] add nvdimm support on AArch64 virt platform
https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg04599.html

It has the following dependencies:

[3] [RFC 0/6] KVM/ARM: Dynamic and larger GPA size
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg05759.htm
which itself depends on the kernel series [4]

[4] [PATCH v2 00/17] kvm: arm64: Dynamic & 52bit IPA support
https://lkml.org/lkml/2018/3/27/437
For testing, use my kernel branch:
https://github.com/eauger/linux/tree/4.16.0-rc3-Suzuki-52b-IPA-v2

Best Regards

Eric

This QEMU series can be found at:
https://github.com/eauger/qemu/tree/v2.12.0-pcdimm-2tb-rfc

Tests:
- On Cavium Gigabyte, a 48b VM was created and PC-DIMM slots were successfully
  added and recognized by the guest. EDK2 has a fixed limit at 40b PA so this
  was tested without FW. NUMA config has not been tested yet.

Eric Auger (1):
  hw/arm/virt: Allocate device_memory

Shameer Kolothum (4):
  hw/arm/virt: Add pc-dimm mem hotplug framework
  hw/arm/boot: introduce fdt_add_memory_node helper
  hw/arm/boot: Expose the PC-DIMM nodes in the DT
  hw/arm/virt-acpi-build: Add PC-DIMM in SRAT

 default-configs/arm-softmmu.mak |   2 +
 hw/arm/boot.c   | 110 
 hw/arm/virt-acpi-build.c|  34 +
 hw/arm/virt.c   | 158 
 include/hw/arm/arm.h|   2 +
 include/hw/arm/virt.h   |   1 +
 6 files changed, 247 insertions(+), 60 deletions(-)

-- 
2.5.5
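
An added example (not code from this series or from QEMU) that checks which regions of the memory layout described above are reachable under a given IPA width, and how much of the 2TB device memory window is usable. The `Region` type, the function names and the constructed table are assumptions of the example; the bases and sizes are taken from the layout comment in patch 1/5.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1024ULL * 1024 * 1024)

/* Hypothetical descriptor for this example; not QEMU's MemMapEntry. */
typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} Region;

/* Constructed table: the high regions named in the layout comment of 1/5. */
static const Region layout[] = {
    { "ram",            1 * GiB,    255 * GiB  },  /* 1GB..256GB */
    { "pcie-mmio-high", 512 * GiB,  512 * GiB  },  /* 512GB..1TB */
    { "device-memory",  2048 * GiB, 2048 * GiB },  /* 2TB..4TB   */
};
#define LAYOUT_LEN (sizeof(layout) / sizeof(layout[0]))

/* Smallest address width, in bits, that can address every byte of r.
 * Returns 0 for an empty region or one whose end wraps past 2^64. */
static unsigned region_addr_bits(const Region *r)
{
    uint64_t last;
    unsigned bits = 0;

    if (r->size == 0 || r->base + r->size - 1 < r->base) {
        return 0;
    }
    last = r->base + r->size - 1;
    while (bits < 64 && (last >> bits) != 0) {
        bits++;
    }
    return bits;
}

/* Index of the first region that does not fit in ipa_bits, or -1. */
static int first_unreachable(const Region *map, size_t n, unsigned ipa_bits)
{
    for (size_t i = 0; i < n; i++) {
        unsigned need = region_addr_bits(&map[i]);
        if (need == 0 || need > ipa_bits) {
            return (int)i;
        }
    }
    return -1;
}

/* Bytes of r that a guest with ipa_bits of address space can reach. */
static uint64_t usable_window(const Region *r, unsigned ipa_bits)
{
    uint64_t limit;

    if (region_addr_bits(r) == 0) {
        return 0;               /* malformed region */
    }
    if (ipa_bits >= 64) {
        return r->size;
    }
    limit = 1ULL << ipa_bits;
    if (r->base >= limit) {
        return 0;               /* window starts above the guest's limit */
    }
    return (limit - r->base < r->size) ? limit - r->base : r->size;
}

/* True if any two regions share an address (regions must not wrap). */
static bool any_overlap(const Region *map, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (map[i].base < map[j].base + map[j].size &&
                map[j].base < map[i].base + map[i].size) {
                return true;
            }
        }
    }
    return false;
}

int main(void)
{
    static const unsigned widths[] = { 40, 42, 48 };

    printf("overlap in layout: %s\n",
           any_overlap(layout, LAYOUT_LEN) ? "yes" : "no");
    for (size_t w = 0; w < sizeof(widths) / sizeof(widths[0]); w++) {
        int bad = first_unreachable(layout, LAYOUT_LEN, widths[w]);
        printf("%u-bit IPA: first unreachable region: %s, "
               "usable device memory: %llu GiB\n", widths[w],
               bad < 0 ? "none" : layout[bad].name,
               (unsigned long long)(usable_window(&layout[2], widths[w]) / GiB));
    }
    return 0;
}
```
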




[Qemu-devel] [RFC 4/5] hw/arm/boot: Expose the PC-DIMM nodes in the DT

2018-06-22 Thread Eric Auger
From: Shameer Kolothum 

This patch adds memory nodes corresponding to PC-DIMM
regions.

Signed-off-by: Shameer Kolothum 
Signed-off-by: Eric Auger 
---
 hw/arm/boot.c | 40 
 1 file changed, 40 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index cc425ce..81668bd 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -19,6 +19,7 @@
 #include "sysemu/numa.h"
 #include "hw/boards.h"
 #include "hw/loader.h"
+#include "hw/mem/memory-device.h"
 #include "elf.h"
 #include "sysemu/device_tree.h"
 #include "qemu/config-file.h"
@@ -516,6 +517,37 @@ static void fdt_add_psci_node(void *fdt)
 qemu_fdt_setprop_cell(fdt, "/psci", "migrate", migrate_fn);
 }
 
+static int fdt_add_hotpluggable_memory_nodes(void *fdt,
+ uint64_t base, uint64_t len,
+ uint32_t acells, uint32_t scells) 
{
+MemoryDeviceInfoList *info_list = qmp_memory_device_list();
+MemoryDeviceInfoList *info;
+uint64_t end, cur, size;
+MemoryDeviceInfo *mi;
+PCDIMMDeviceInfo *di;
+bool is_nvdimm;
+int ret;
+
+end = base + len;
+for (cur = base, info = info_list; cur < end;
+ cur += size, info = info->next) {
+if (!info) {
+break;
+}
+mi = info->value;
+is_nvdimm = (mi->type == MEMORY_DEVICE_INFO_KIND_NVDIMM);
+di = !is_nvdimm ? mi->u.dimm.data : mi->u.nvdimm.data;
+
+ret = fdt_add_memory_node(fdt, acells, di->addr,
+  scells, di->size, di->node);
+if (ret < 0) {
+return ret;
+}
+size = di->size;
+}
+return 0;
+}
+
 int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo,
  hwaddr addr_limit, AddressSpace *as)
 {
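Review bot: the list returned by qmp_memory_device_list() is never released in fdt_add_hotpluggable_memory_nodes(), neither on the early `return ret` nor on the final `return 0`. Free it with qapi_free_MemoryDeviceInfoList() on both paths (a single exit label would do). Separately, cur is advanced by di->size but di->addr is never compared against base or end, so the base/len arguments do not actually bound which devices get a node.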
@@ -600,6 +632,14 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info 
*binfo,
 }
 }
 
+rc = fdt_add_hotpluggable_memory_nodes(fdt, binfo->device_memory_start,
+   binfo->device_memory_size,
+   acells, scells);
+if (rc < 0) {
+fprintf(stderr, "couldn't add hotpluggable memory nodes\n");
+goto fail;
+}
+
 rc = fdt_path_offset(fdt, "/chosen");
 if (rc < 0) {
 qemu_fdt_add_subnode(fdt, "/chosen");
-- 
2.5.5




[Qemu-devel] [RFC 5/5] hw/arm/virt-acpi-build: Add PC-DIMM in SRAT

2018-06-22 Thread Eric Auger
From: Shameer Kolothum 

Generate Memory Affinity Structures for PC-DIMM ranges.

Signed-off-by: Shameer Kolothum 
Signed-off-by: Eric Auger 
---
 hw/arm/virt-acpi-build.c | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 74f5744..38a6886 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -43,6 +43,7 @@
 #include "hw/pci/pcie_host.h"
 #include "hw/pci/pci.h"
 #include "hw/arm/virt.h"
+#include "hw/mem/memory-device.h"
 #include "sysemu/numa.h"
 #include "kvm_arm.h"
 
@@ -532,6 +533,35 @@ build_spcr(GArray *table_data, BIOSLinker *linker, 
VirtMachineState *vms)
  "SPCR", table_data->len - spcr_start, 2, NULL, NULL);
 }
 
+static void build_srat_hotpluggable_memory(GArray *table_data, uint64_t base,
+  uint64_t len, int default_node)
+{
+MemoryDeviceInfoList *info_list = qmp_memory_device_list();
+AcpiSratMemoryAffinity *numamem;
+MemoryDeviceInfoList *info;
+MemoryDeviceInfo *mi;
+PCDIMMDeviceInfo *di;
+uint64_t end = base + len, cur, size;
+
+for (cur = base, info = info_list; cur < end;
+ cur += size, info = info->next) {
+bool is_nvdimm;
+
+if (!info) {
+break;
+}
+numamem = acpi_data_push(table_data, sizeof(*numamem));
+
+mi = info->value;
+is_nvdimm = (mi->type == MEMORY_DEVICE_INFO_KIND_NVDIMM);
+di = !is_nvdimm ? mi->u.dimm.data : mi->u.nvdimm.data;
+
+build_srat_memory(numamem, di->addr, di->size,
+  0, MEM_AFFINITY_ENABLED);
+size = di->size;
+}
+}
+
 static void
 build_srat(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 {
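Review bot: build_srat_memory() is called with a hard-coded node 0 in build_srat_hotpluggable_memory(), while the default_node parameter is unused and the DT side of this series (patch 4/5) passes di->node for the same devices. With NUMA configured, the SRAT and the device tree would then report different nodes for one DIMM; pass di->node here, or use default_node only as a fallback. The list from qmp_memory_device_list() is also never freed.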
@@ -564,6 +594,10 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
VirtMachineState *vms)
 mem_base += numa_info[i].node_mem;
 }
 
+build_srat_hotpluggable_memory(table_data,
+   vms->bootinfo.device_memory_start,
+   vms->bootinfo.device_memory_size , 0);
+
 build_header(linker, table_data, (void *)(table_data->data + srat_start),
  "SRAT", table_data->len - srat_start, 3, NULL, NULL);
 }
-- 
2.5.5




[Qemu-devel] [PATCH v4] s390/ipl: fix ipl with -no-reboot

2018-06-22 Thread Christian Borntraeger
kexec/kdump as well as the bootloader use a subcode of diagnose 308
that is supposed to reset the I/O subsystem but not comprise a full
"reboot". With the latest refactoring this is now broken when
-no-reboot is used or when libvirt acts on a reboot QMP event, for
example a virt-install from iso images.
We need to mark these "subsystem reset" as special.

Fixes: a30fb811cbe9 (s390x: refactor reset/reipl handling)
Signed-off-by: Christian Borntraeger 
Reviewed-by: David Hildenbrand 
---
v3->v4: - rename to SHUTDOWN_CAUSE_SUBSYSTEM_RESET
- modify comments and patch descriptions

 hw/s390x/ipl.c  | 8 +++-
 include/sysemu/sysemu.h | 4 
 vl.c| 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 0d67349004..f278036fa7 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -535,7 +535,13 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset 
reset_type)
 ipl->iplb_valid = s390_gen_initial_iplb(ipl);
 }
 }
-qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+if (reset_type == S390_RESET_MODIFIED_CLEAR ||
+reset_type == S390_RESET_LOAD_NORMAL) {
+/* ignore -no-reboot, send no event  */
+qemu_system_reset_request(SHUTDOWN_CAUSE_SUBSYSTEM_RESET);
+} else {
+qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+}
 /* as this is triggered by a CPU, make sure to exit the loop */
 if (tcg_enabled()) {
 cpu_loop_exit(cs);
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index e893f72f3b..9a621de02f 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -44,6 +44,10 @@ typedef enum ShutdownCause {
  turns that into a shutdown */
 SHUTDOWN_CAUSE_GUEST_PANIC,   /* Guest panicked, and command line turns
  that into a shutdown */
+SHUTDOWN_CAUSE_SUBSYSTEM_RESET,/* Partial guest reset that does not trigger
+  QMP events and ignores --no-reboot. This
+  is useful for sanitize hypercalls on s390
+  that are used during kexec/kdump/boot */
 SHUTDOWN_CAUSE__MAX,
 } ShutdownCause;
 
diff --git a/vl.c b/vl.c
index b3426e03d0..c196e39287 100644
--- a/vl.c
+++ b/vl.c
@@ -1628,7 +1628,7 @@ void qemu_system_reset(ShutdownCause reason)
 } else {
 qemu_devices_reset();
 }
-if (reason) {
+if (reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
 qapi_event_send_reset(shutdown_caused_by_guest(reason),
   &error_abort);
 }
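Review bot: replacing `if (reason)` with `if (reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET)` in qemu_system_reset() drops the old guard for a zero reason (SHUTDOWN_CAUSE_NONE), so a reset with no cause would now emit a RESET event where it was silent before. Unless that is intended, keep both conditions: `if (reason && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET)`.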
@@ -1674,7 +1674,7 @@ void qemu_system_guest_panicked(GuestPanicInformation 
*info)
 
 void qemu_system_reset_request(ShutdownCause reason)
 {
-if (no_reboot) {
+if (no_reboot && reason != SHUTDOWN_CAUSE_SUBSYSTEM_RESET) {
 shutdown_requested = reason;
 } else {
 reset_requested = reason;
-- 
2.17.0




Re: [Qemu-devel] [PATCH v3 12/19] linux-user: Setup split syscall infrastructure

2018-06-22 Thread Peter Maydell
On 12 June 2018 at 01:51, Richard Henderson
 wrote:
> Defines a unified structure for implementation and strace.
> Supplies a generator script to build the declarations and
> the lookup function.
>
> Signed-off-by: Richard Henderson 
> ---
>  linux-user/syscall.h   | 178 +++
>  linux-user/strace.c| 386 -
>  linux-user/syscall.c   | 113 --
>  linux-user/Makefile.objs   |  10 +
>  linux-user/gen_syscall_list.py |  82 +++
>  5 files changed, 595 insertions(+), 174 deletions(-)
>  create mode 100644 linux-user/syscall.h
>  create mode 100644 linux-user/gen_syscall_list.py
>
> diff --git a/linux-user/syscall.h b/linux-user/syscall.h
> new file mode 100644
> index 00..7eb078c3e5
> --- /dev/null
> +++ b/linux-user/syscall.h
> @@ -0,0 +1,178 @@
> +/*
> + *  Linux syscalls internals
> + *  Copyright (c) 2018 Linaro, Limited.
> + *
> + *  This program is free software; you can redistribute it and/or modify
> + *  it under the terms of the GNU General Public License as published by
> + *  the Free Software Foundation; either version 2 of the License, or
> + *  (at your option) any later version.
> + *
> + *  This program is distributed in the hope that it will be useful,
> + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *  GNU General Public License for more details.
> + *
> + *  You should have received a copy of the GNU General Public License
> + *  along with this program; if not, see .
> + */
> +
> +typedef struct SyscallDef SyscallDef;
> +
> +/* This hook extracts max 6 arguments from max 8 input registers.
> + * In the process, register pairs that store 64-bit arguments are merged.
> + * Finally, syscalls are demultipliexed; e.g. the hook for socketcall will

"demultiplexed"

> + * return the SyscallDef for bind, listen, etc.  In the process the hook
> + * may need to read from guest memory, or otherwise validate operands.
> + * On failure, set errno (to a host value) and return NULL;
> + * the (target adjusted) errno will be returned to the guest.
> + */
> +typedef const SyscallDef *SyscallArgsFn(const SyscallDef *, int64_t out[6],
> +abi_long in[8]);
> +
> +/* This hook implements the syscall.  */
> +typedef abi_long SyscallImplFn(CPUArchState *, int64_t, int64_t, int64_t,
> +   int64_t, int64_t, int64_t);
> +
> +/* This hook prints the arguments to the syscall for strace.  */
> +typedef void SyscallPrintFn(const SyscallDef *, int64_t arg[6]);
> +
> +/* This hook print the return value from the syscall for strace.  */
> +typedef void SyscallPrintRetFn(const SyscallDef *, abi_long);
> +
> +/* These flags describe the arguments for the generic fallback to
> + * SyscallPrintFn.  ARG_NONE indicates that the argument is not present.
> + */
> +typedef enum {
> +ARG_NONE = 0,
> +
> +/* These print as numbers of abi_long.  */
> +ARG_DEC,
> +ARG_HEX,
> +ARG_OCT,
> +
> +/* These print as sets of flags.  */
> +ARG_ATDIRFD,
> +ARG_MODEFLAG,
> +ARG_OPENFLAG,
> +
> +/* These are interpreted as pointers.  */
> +ARG_PTR,
> +ARG_STR,
> +ARG_BUF,
> +
> +/* For a 32-bit host, force printing as a 64-bit operand.  */
> +#if TARGET_ABI_BITS == 32
> +ARG_DEC64,
> +#else
> +ARG_DEC64 = ARG_DEC,
> +#endif
> +} SyscallArgType;
> +
> +struct SyscallDef {
> +const char *name;
> +SyscallArgsFn *args;
> +SyscallImplFn *impl;
> +SyscallPrintFn *print;
> +SyscallPrintRetFn *print_ret;

Are all these hook functions mandatory, or can a syscall
implementation leave some of them NULL for a default behaviour?

> +SyscallArgType arg_type[6];
> +};
> +
> +void print_syscall_def(const SyscallDef *def, int64_t args[6]);
> +void print_syscall_def_ret(const SyscallDef *def, abi_long ret);
> +void print_syscall_ptr_ret(const SyscallDef *def, abi_long ret);
> +
> +/* Emit the signature for a SyscallArgsFn.  */
> +#define SYSCALL_ARGS(NAME) \
> +static const SyscallDef *args_##NAME(const SyscallDef *def, \
> + int64_t out[6], abi_long in[8])
> +
> +/* Emit the signature for a SyscallImplFn.  */
> +#define SYSCALL_IMPL(NAME) \
> +static abi_long impl_##NAME(CPUArchState *cpu_env, int64_t arg1, \
> +int64_t arg2, int64_t arg3, int64_t arg4, \
> +int64_t arg5, int64_t arg6)
> +
> +/* Emit the definition for a "simple" syscall.  Such does not use
> + * SyscallArgsFn and only uses arg_type for strace.
> + */
> +#define SYSCALL_DEF(NAME, ...) \
> +const SyscallDef def_##NAME = { \
> +.name = #NAME, .impl = impl_##NAME, .arg_type = { __VA_ARGS__ } \
> +}
> +
> +/* Emit the definition for a syscall that also has an args hook,
> + * and uses arg_type for strace.
> + */

Re: [Qemu-devel] [PATCH 1/2] mac_dbdma: only dump commands for debug enabled channels

2018-06-22 Thread David Gibson
On Fri, Jun 22, 2018 at 09:00:08AM +0100, Mark Cave-Ayland wrote:
> This enables us to apply the same filter in DEBUG_DBDMA_CHANMASK to the
> DBDMA command execution debug output.
> 
> Signed-off-by: Mark Cave-Ayland 

Applied to ppc-for-3.0, thanks.

> ---
>  hw/misc/macio/mac_dbdma.c | 21 +++--
>  1 file changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c
> index 1b2a69b3ef..87ae246d37 100644
> --- a/hw/misc/macio/mac_dbdma.c
> +++ b/hw/misc/macio/mac_dbdma.c
> @@ -71,18 +71,19 @@ static DBDMAState *dbdma_from_ch(DBDMA_channel *ch)
>  }
>  
>  #if DEBUG_DBDMA
> -static void dump_dbdma_cmd(dbdma_cmd *cmd)
> +static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
>  {
> -printf("dbdma_cmd %p\n", cmd);
> -printf("req_count 0x%04x\n", le16_to_cpu(cmd->req_count));
> -printf("command 0x%04x\n", le16_to_cpu(cmd->command));
> -printf("phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
> -printf("cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
> -printf("res_count 0x%04x\n", le16_to_cpu(cmd->res_count));
> -printf("xfer_status 0x%04x\n", le16_to_cpu(cmd->xfer_status));
> +DBDMA_DPRINTFCH(ch, "dbdma_cmd %p\n", cmd);
> +DBDMA_DPRINTFCH(ch, "req_count 0x%04x\n", 
> le16_to_cpu(cmd->req_count));
> +DBDMA_DPRINTFCH(ch, "command 0x%04x\n", le16_to_cpu(cmd->command));
> +DBDMA_DPRINTFCH(ch, "phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
> +DBDMA_DPRINTFCH(ch, "cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
> +DBDMA_DPRINTFCH(ch, "res_count 0x%04x\n", 
> le16_to_cpu(cmd->res_count));
> +DBDMA_DPRINTFCH(ch, "xfer_status 0x%04x\n",
> +le16_to_cpu(cmd->xfer_status));
>  }
>  #else
> -static void dump_dbdma_cmd(dbdma_cmd *cmd)
> +static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
>  {
>  }
>  #endif
> @@ -448,7 +449,7 @@ static void channel_run(DBDMA_channel *ch)
>  uint32_t phy_addr;
>  
>  DBDMA_DPRINTFCH(ch, "channel_run\n");
> -dump_dbdma_cmd(current);
> +dump_dbdma_cmd(ch, current);
>  
>  /* clear WAKE flag at command fetch */
>  

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




[Qemu-devel] [PULL 00/25] ppc-for-3.0 queue 2018-06-22

2018-06-22 Thread David Gibson
The following changes since commit 46012db666990ff2eed1d3dc199ab8006439a93b:

  Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180619' into 
staging (2018-06-20 09:51:30 +0100)

are available in the Git repository at:

  git://github.com/dgibson/qemu.git tags/ppc-for-3.0-20180622

for you to fetch changes up to e5ca28ecab5c69b7578e22391a66c97c3979ffd8:

  spapr: Don't rewrite mmu capabilities in KVM mode (2018-06-22 14:19:07 +1000)


ppc patch queue 2018-06-22

Another assorted patch of patches for ppc and spapr.
* Rework of guest pagesize handling for ppc, which avoids guest
  visibly different behaviour between accelerators
* A number of Pnv cleanups, working towards more complete POWER9
  support
* Migration of VPA data, a significant bugfix


Alexey Kardashevskiy (1):
  pseries: Update SLOF firmware image to qemu-slof-20180621

BALATON Zoltan (3):
  ppc4xx_i2c: Remove unimplemented sdata and intr registers
  ppc4xx_i2c: Implement directcntl register
  target/ppc: Add missing opcode for icbt on PPC440

Cédric Le Goater (6):
  ppc/pnv: introduce a new intc_create() operation to the chip model
  ppc/pnv: introduce a new isa_create() operation to the chip model
  ppc/pnv: introduce Pnv8Chip and Pnv9Chip models
  ppc/pnv: consolidate the creation of the ISA bus device tree
  spapr: split the IRQ allocation sequence
  spapr: remove unused spapr_irq routines

David Gibson (9):
  target/ppc: Allow cpu compatiblity checks based on type, not instance
  spapr: Compute effective capability values earlier
  spapr: Add cpu_apply hook to capabilities
  target/ppc: Add kvmppc_hpt_needs_host_contiguous_pages() helper
  spapr: Maximum (HPT) pagesize property
  spapr: Use maximum page size capability to simplify memory backend checking
  target/ppc: Add ppc_hash64_filter_pagesizes()
  spapr: Limit available pagesizes to provide a consistent guest environment
  spapr: Don't rewrite mmu capabilities in KVM mode

Greg Kurz (2):
  spapr_cpu_core: migrate per-CPU data
  spapr_cpu_core: migrate VPA related state

John Arbuckle (1):
  fpu_helper.c: fix helper_fpscr_clrbit() function

Sebastian Bauer (1):
  sm501: Fix hardware cursor color conversion

 default-configs/ppc-softmmu.mak|   1 +
 default-configs/ppcemb-softmmu.mak |   1 +
 hw/display/sm501.c |   6 +-
 hw/i2c/ppc4xx_i2c.c|  30 ++-
 hw/ppc/pnv.c   | 383 +++--
 hw/ppc/pnv_core.c  |  18 +-
 hw/ppc/pnv_lpc.c   |  30 ++-
 hw/ppc/spapr.c | 122 ++--
 hw/ppc/spapr_caps.c| 158 +--
 hw/ppc/spapr_cpu_core.c|  91 -
 hw/ppc/spapr_events.c  |  18 +-
 hw/ppc/spapr_pci.c |  23 ++-
 hw/ppc/spapr_vio.c |  10 +-
 include/hw/i2c/ppc4xx_i2c.h|   8 +-
 include/hw/ppc/pnv.h   |  26 ++-
 include/hw/ppc/pnv_lpc.h   |   3 +-
 include/hw/ppc/spapr.h |  19 +-
 include/hw/ppc/spapr_cpu_core.h|   1 +
 pc-bios/README |   2 +-
 pc-bios/slof.bin   | Bin 913880 -> 924840 bytes
 roms/SLOF  |   2 +-
 target/ppc/compat.c|  27 ++-
 target/ppc/cpu.h   |   4 +
 target/ppc/fpu_helper.c|  28 +++
 target/ppc/kvm.c   | 146 +++---
 target/ppc/kvm_ppc.h   |  11 +-
 target/ppc/mmu-hash64.c|  59 ++
 target/ppc/mmu-hash64.h|   3 +
 target/ppc/translate.c |   2 +
 29 files changed, 865 insertions(+), 367 deletions(-)



[Qemu-devel] [PULL 08/25] spapr: Compute effective capability values earlier

2018-06-22 Thread David Gibson
Previously, the effective values of the various spapr capability flags
were only determined at machine reset time.  That was a lazy way of making
sure it was after cpu initialization so it could use the cpu object to
inform the defaults.

But we've now improved the compat checking code so that we don't need to
instantiate the cpus to use it.  That lets us move the resolution of the
capability defaults much earlier.

This is going to be necessary for some future capabilities.

Signed-off-by: David Gibson 
Reviewed-by: Greg Kurz 
Reviewed-by: Cédric Le Goater 
---
 hw/ppc/spapr.c | 6 --
 hw/ppc/spapr_caps.c| 9 ++---
 include/hw/ppc/spapr.h | 3 ++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index bc179f6f89..4a0b679166 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1612,7 +1612,7 @@ static void spapr_machine_reset(void)
 void *fdt;
 int rc;
 
-spapr_caps_reset(spapr);
+spapr_caps_apply(spapr);
 
 first_ppc_cpu = POWERPC_CPU(first_cpu);
 if (kvm_enabled() && kvmppc_has_cap_mmu_radix() &&
@@ -2526,7 +2526,9 @@ static void spapr_machine_init(MachineState *machine)
 QLIST_INIT(&spapr->phbs);
 QTAILQ_INIT(&spapr->pending_dimm_unplugs);
 
-/* Check HPT resizing availability */
+/* Determine capabilities to run with */
+spapr_caps_init(spapr);
+
 kvmppc_check_papr_resize_hpt(&resize_hpt_err);
 if (spapr->resize_hpt == SPAPR_RESIZE_HPT_DEFAULT) {
 /*
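Review bot: In spapr_machine_init() the new comment replaces "/* Check HPT resizing availability */" instead of being added next to it, so the kvmppc_check_papr_resize_hpt(&resize_hpt_err) call that follows is left without a comment. Keep the old comment directly above that call and put "/* Determine capabilities to run with */" above spapr_caps_init(spapr).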
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 469f38f0ef..dabed817d1 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -439,12 +439,12 @@ SPAPR_CAP_MIG_STATE(cfpc, SPAPR_CAP_CFPC);
 SPAPR_CAP_MIG_STATE(sbbc, SPAPR_CAP_SBBC);
 SPAPR_CAP_MIG_STATE(ibs, SPAPR_CAP_IBS);
 
-void spapr_caps_reset(sPAPRMachineState *spapr)
+void spapr_caps_init(sPAPRMachineState *spapr)
 {
 sPAPRCapabilities default_caps;
 int i;
 
-/* First compute the actual set of caps we're running with.. */
+/* Compute the actual set of caps we should run with */
 default_caps = default_caps_with_cpu(spapr, MACHINE(spapr)->cpu_type);
 
 for (i = 0; i < SPAPR_CAP_NUM; i++) {
@@ -455,8 +455,11 @@ void spapr_caps_reset(sPAPRMachineState *spapr)
 spapr->eff.caps[i] = default_caps.caps[i];
 }
 }
+}
 
-/* .. then apply those caps to the virtual hardware */
+void spapr_caps_apply(sPAPRMachineState *spapr)
+{
+int i;
 
 for (i = 0; i < SPAPR_CAP_NUM; i++) {
 sPAPRCapabilityInfo *info = &capability_table[i];
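Review bot: After the split, spapr_caps_apply() is left with only the loop over capability_table, so it is correct only if spapr_caps_init() has already filled spapr->eff; nothing in the code or comments states that ordering any more, because both halves of the old "First compute ... then apply" comment pair are dropped or reworded. A short comment on each function (init resolves the effective values once at machine init, apply pushes them to the virtual hardware at every reset) would keep the contract visible.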
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 3388750fc7..9dbd6010f5 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -798,7 +798,8 @@ static inline uint8_t spapr_get_cap(sPAPRMachineState 
*spapr, int cap)
 return spapr->eff.caps[cap];
 }
 
-void spapr_caps_reset(sPAPRMachineState *spapr);
+void spapr_caps_init(sPAPRMachineState *spapr);
+void spapr_caps_apply(sPAPRMachineState *spapr);
 void spapr_caps_add_properties(sPAPRMachineClass *smc, Error **errp);
 int spapr_caps_post_migration(sPAPRMachineState *spapr);
 
-- 
2.17.1




Re: [Qemu-devel] [PATCH 01/23] ppc/pnv: introduce a new intc_create() operation to the chip model

2018-06-22 Thread David Gibson
On Fri, Jun 22, 2018 at 11:44:39AM +0200, Greg Kurz wrote:
> Hi David,
> 
> I'm a bit confused by this massive post... it doesn't have any cover letter,
> but it contains all the patches you recently pushed to ppc-for-3.0. Was it
> supposed to be a pull request ?

Gah.  Yes, it was.  I'm not sure quite what went wrong there.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




[Qemu-devel] [PULL 09/25] spapr: Add cpu_apply hook to capabilities

2018-06-22 Thread David Gibson
spapr capabilities have an apply hook to actually activate (or deactivate)
the feature in the system at reset time.  However, a number of capabilities
affect the setup of cpus, and need to be applied to each of them -
including hotplugged cpus for extra complication.  To make this simpler,
add an optional cpu_apply hook that is called from spapr_cpu_reset().

Signed-off-by: David Gibson 
Reviewed-by: Greg Kurz 
Reviewed-by: Cédric Le Goater 
---
 hw/ppc/spapr_caps.c | 19 +++
 hw/ppc/spapr_cpu_core.c |  2 ++
 include/hw/ppc/spapr.h  |  1 +
 3 files changed, 22 insertions(+)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index dabed817d1..68a4243efc 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -59,6 +59,8 @@ typedef struct sPAPRCapabilityInfo {
 sPAPRCapPossible *possible;
 /* Make sure the virtual hardware can support this capability */
 void (*apply)(sPAPRMachineState *spapr, uint8_t val, Error **errp);
+void (*cpu_apply)(sPAPRMachineState *spapr, PowerPCCPU *cpu,
+  uint8_t val, Error **errp);
 } sPAPRCapabilityInfo;
 
 static void spapr_cap_get_bool(Object *obj, Visitor *v, const char *name,
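Review bot: The new cpu_apply member of sPAPRCapabilityInfo has no comment, while apply directly above it does. Document that the hook is optional, that it is called once per cpu at cpu reset rather than once per machine, and what it is expected to do with errp.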
@@ -472,6 +474,23 @@ void spapr_caps_apply(sPAPRMachineState *spapr)
 }
 }
 
+void spapr_caps_cpu_apply(sPAPRMachineState *spapr, PowerPCCPU *cpu)
+{
+int i;
+
+for (i = 0; i < SPAPR_CAP_NUM; i++) {
+sPAPRCapabilityInfo *info = &capability_table[i];
+
+/*
+ * If the apply function can't set the desired level and thinks it's
+ * fatal, it should cause that.
+ */
+if (info->cpu_apply) {
+info->cpu_apply(spapr, cpu, spapr->eff.caps[i], &error_fatal);
+}
+}
+}
+
 void spapr_caps_add_properties(sPAPRMachineClass *smc, Error **errp)
 {
 Error *local_err = NULL;
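Review bot: spapr_caps_cpu_apply() hands &error_fatal to every cpu_apply hook, and the commit message says the hook also runs for hotplugged cpus, so a hook that reports an error during hotplug terminates a running guest instead of failing only the hotplug. Either state in the comment that cpu_apply hooks may only fail for conditions already ruled out at machine init, or have the hook's preconditions checked earlier, for example in apply. The sentence "it should cause that" in the new comment is also hard to parse; something like "it should report the error through errp" reads more clearly.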
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 67f1596c57..bfb94f650c 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -76,6 +76,8 @@ static void spapr_cpu_reset(void *opaque)
 spapr_cpu->slb_shadow_size = 0;
 spapr_cpu->dtl_addr = 0;
 spapr_cpu->dtl_size = 0;
+
+spapr_caps_cpu_apply(SPAPR_MACHINE(qdev_get_machine()), cpu);
 }
 
 void spapr_cpu_set_entry_state(PowerPCCPU *cpu, target_ulong nip, target_ulong 
r3)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 9dbd6010f5..9dd46a72f6 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -800,6 +800,7 @@ static inline uint8_t spapr_get_cap(sPAPRMachineState 
*spapr, int cap)
 
 void spapr_caps_init(sPAPRMachineState *spapr);
 void spapr_caps_apply(sPAPRMachineState *spapr);
+void spapr_caps_cpu_apply(sPAPRMachineState *spapr, PowerPCCPU *cpu);
 void spapr_caps_add_properties(sPAPRMachineClass *smc, Error **errp);
 int spapr_caps_post_migration(sPAPRMachineState *spapr);
 
-- 
2.17.1




[Qemu-devel] [PULL 03/25] spapr_cpu_core: migrate per-CPU data

2018-06-22 Thread David Gibson
From: Greg Kurz 

A per-CPU machine data pointer was recently added to PowerPCCPU. The
motivation is to hide platform specific details from the core CPU
code. This per-CPU data can hold state which is relevant to the guest
though, eg, Virtual Processor Areas, and we should migrate this state.

This patch adds the plumbing so that we can migrate the per-CPU data
for PAPR guests. We only do this for newer machine types for the sake
of backward compatibility. No state is migrated for the moment: the
vmstate_spapr_cpu_state structure will be populated by subsequent
patches.

Signed-off-by: Greg Kurz 
[dwg: Fix some trivial spelling and spacing errors]
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c  |  7 ++-
 hw/ppc/spapr_cpu_core.c | 22 --
 include/hw/ppc/spapr_cpu_core.h |  1 +
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index db0fb385d4..3174468fc5 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4115,7 +4115,12 @@ DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
 HW_COMPAT_2_12 \
 {  \
 .driver = TYPE_POWERPC_CPU,\
-.property = "pre-3.0-migration",  \
+.property = "pre-3.0-migration",   \
+.value= "on",  \
+}, \
+{  \
+.driver = TYPE_SPAPR_CPU_CORE, \
+.property = "pre-3.0-migration",   \
 .value= "on",  \
 },
 
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index aef3be33a3..f129ac884e 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -129,6 +129,15 @@ static void spapr_cpu_core_unrealize(DeviceState *dev, 
Error **errp)
 g_free(sc->threads);
 }
 
+static const VMStateDescription vmstate_spapr_cpu_state = {
+.name = "spapr_cpu",
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_END_OF_LIST()
+},
+};
+
 static void spapr_realize_vcpu(PowerPCCPU *cpu, sPAPRMachineState *spapr,
Error **errp)
 {
@@ -194,6 +203,10 @@ static PowerPCCPU *spapr_create_vcpu(sPAPRCPUCore *sc, int 
i, Error **errp)
 }
 
 cpu->machine_data = g_new0(sPAPRCPUState, 1);
+if (!sc->pre_3_0_migration) {
+vmstate_register(NULL, cs->cpu_index, &vmstate_spapr_cpu_state,
+ cpu->machine_data);
+}
 
 object_unref(obj);
 return cpu;
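Review bot: The return value of vmstate_register() is ignored in spapr_create_vcpu(). If registration fails, the vcpu is still returned as if its per-CPU state were migratable, and spapr_delete_vcpu() will later call vmstate_unregister() for an entry that was never registered. Check the result and fail vcpu creation through errp.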
@@ -204,10 +217,13 @@ err:
 return NULL;
 }
 
-static void spapr_delete_vcpu(PowerPCCPU *cpu)
+static void spapr_delete_vcpu(PowerPCCPU *cpu, sPAPRCPUCore *sc)
 {
 sPAPRCPUState *spapr_cpu = spapr_cpu_state(cpu);
 
+if (!sc->pre_3_0_migration) {
+vmstate_unregister(NULL, &vmstate_spapr_cpu_state, cpu->machine_data);
+}
 cpu->machine_data = NULL;
 g_free(spapr_cpu);
 object_unparent(OBJECT(cpu));
@@ -253,7 +269,7 @@ err_unrealize:
 }
 err:
 while (--i >= 0) {
-spapr_delete_vcpu(sc->threads[i]);
+spapr_delete_vcpu(sc->threads[i], sc);
 }
 g_free(sc->threads);
 error_propagate(errp, local_err);
@@ -261,6 +277,8 @@ err:
 
 static Property spapr_cpu_core_properties[] = {
 DEFINE_PROP_INT32("node-id", sPAPRCPUCore, node_id, 
CPU_UNSET_NUMA_NODE_ID),
+DEFINE_PROP_BOOL("pre-3.0-migration", sPAPRCPUCore, pre_3_0_migration,
+ false),
 DEFINE_PROP_END_OF_LIST()
 };
 
diff --git a/include/hw/ppc/spapr_cpu_core.h b/include/hw/ppc/spapr_cpu_core.h
index 8ceea2973a..9e2821e4b3 100644
--- a/include/hw/ppc/spapr_cpu_core.h
+++ b/include/hw/ppc/spapr_cpu_core.h
@@ -31,6 +31,7 @@ typedef struct sPAPRCPUCore {
 /*< public >*/
 PowerPCCPU **threads;
 int node_id;
+bool pre_3_0_migration; /* older machine don't know about sPAPRCPUState */
 } sPAPRCPUCore;
 
 typedef struct sPAPRCPUCoreClass {
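Review bot: Grammar in the comment on the new pre_3_0_migration field: "older machine don't know about sPAPRCPUState" should read "older machines don't know about sPAPRCPUState". It would also help to mention that the field is set through the "pre-3.0-migration" property, since the name alone does not say who writes it.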
-- 
2.17.1




Re: [Qemu-devel] [PATCH 2/2] mac_newworld: always enable disable_direct_reg3_writes for ADB machines

2018-06-22 Thread David Gibson
On Fri, Jun 22, 2018 at 09:00:09AM +0100, Mark Cave-Ayland wrote:
> Commit 84051eb400 "adb: add property to disable direct reg 3 writes" added a
> workaround for MacOS 9 incorrectly setting the mouse address during boot of
> PMU machines.
> 
> Further testing has shown that since fb6649f172 "adb: fix read reg 3 byte
> ordering" this can still sometimes happen with the CUDA mac99 machine,
> so let's enable this workaround for all New World machines using ADB for now.
> 
> Signed-off-by: Mark Cave-Ayland 

Applied to ppc-for-3.0, thanks.

> ---
>  hw/ppc/mac_newworld.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
> index ff715d..2b13fcdde5 100644
> --- a/hw/ppc/mac_newworld.c
> +++ b/hw/ppc/mac_newworld.c
> @@ -407,11 +407,11 @@ static void ppc_core99_init(MachineState *machine)
>  
>  adb_bus = qdev_get_child_bus(dev, "adb.0");
>  dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
> -qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
> +qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
>  qdev_init_nofail(dev);
>  
>  dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
> -qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
> +qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
>  qdev_init_nofail(dev);
>  }
>  
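Review bot: Both qdev_prop_set_bit(dev, "disable-direct-reg3-writes", ...) calls in ppc_core99_init() now pass a bare true with no comment, although the commit message describes this as a workaround enabled "for now". Add a short comment at the two call sites naming the MacOS 9 mouse-address problem so the next reader knows why the property is unconditional and when it can be revisited. Also check whether has_pmu is still used elsewhere in the function, since these were its only uses in this hunk.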

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




[Qemu-devel] [PULL 01/25] ppc/pnv: introduce a new intc_create() operation to the chip model

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

On Power9, the thread interrupt presenter has a different type and is
linked to the chip owning the cores.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/pnv.c | 21 +++--
 hw/ppc/pnv_core.c| 18 +-
 include/hw/ppc/pnv.h |  1 +
 3 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index 0d2b79f798..c7e127ae97 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -671,6 +671,13 @@ static uint32_t pnv_chip_core_pir_p8(PnvChip *chip, 
uint32_t core_id)
 return (chip->chip_id << 7) | (core_id << 3);
 }
 
+static Object *pnv_chip_power8_intc_create(PnvChip *chip, Object *child,
+   Error **errp)
+{
+return icp_create(child, TYPE_PNV_ICP, XICS_FABRIC(qdev_get_machine()),
+  errp);
+}
+
 /*
  *0:48  Reserved - Read as zeroes
  *   49:52  Node ID
@@ -686,6 +693,12 @@ static uint32_t pnv_chip_core_pir_p9(PnvChip *chip, 
uint32_t core_id)
 return (chip->chip_id << 8) | (core_id << 2);
 }
 
+static Object *pnv_chip_power9_intc_create(PnvChip *chip, Object *child,
+   Error **errp)
+{
+return NULL;
+}
+
 /* Allowed core identifiers on a POWER8 Processor Chip :
  *
  * 
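Review bot: pnv_chip_power9_intc_create() returns NULL without setting errp, and the caller in pnv_realize_vcpu() only tests local_err after "cpu->intc = pcc->intc_create(chip, OBJECT(cpu), &local_err);", so on POWER9 the cpu is realized with cpu->intc == NULL and no diagnostic. If that is intentional until the POWER9 presenter exists, say so in a comment on the stub; otherwise set an error with error_setg() so the missing interrupt controller is reported instead of surfacing later as a NULL dereference.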
@@ -721,6 +734,7 @@ static void pnv_chip_power8e_class_init(ObjectClass *klass, 
void *data)
 k->chip_cfam_id = 0x221ef0498000ull;  /* P8 Murano DD2.1 */
 k->cores_mask = POWER8E_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
+k->intc_create = pnv_chip_power8_intc_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8E";
 }
@@ -734,6 +748,7 @@ static void pnv_chip_power8_class_init(ObjectClass *klass, 
void *data)
 k->chip_cfam_id = 0x220ea0498000ull; /* P8 Venice DD2.0 */
 k->cores_mask = POWER8_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
+k->intc_create = pnv_chip_power8_intc_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8";
 }
@@ -747,6 +762,7 @@ static void pnv_chip_power8nvl_class_init(ObjectClass 
*klass, void *data)
 k->chip_cfam_id = 0x120d30498000ull;  /* P8 Naples DD1.0 */
 k->cores_mask = POWER8_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
+k->intc_create = pnv_chip_power8_intc_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8NVL";
 }
@@ -760,6 +776,7 @@ static void pnv_chip_power9_class_init(ObjectClass *klass, 
void *data)
 k->chip_cfam_id = 0x220d10498000ull; /* P9 Nimbus DD2.0 */
 k->cores_mask = POWER9_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p9;
+k->intc_create = pnv_chip_power9_intc_create;
 k->xscom_base = 0x00603fcull;
 dc->desc = "PowerNV Chip POWER9";
 }
@@ -892,8 +909,8 @@ static void pnv_chip_core_realize(PnvChip *chip, Error 
**errp)
 object_property_set_int(OBJECT(pnv_core),
 pcc->core_pir(chip, core_hwid),
 "pir", &error_fatal);
-object_property_add_const_link(OBJECT(pnv_core), "xics",
-   qdev_get_machine(), &error_fatal);
+object_property_add_const_link(OBJECT(pnv_core), "chip",
+   OBJECT(chip), &error_fatal);
 object_property_set_bool(OBJECT(pnv_core), true, "realized",
  &error_fatal);
 object_unref(OBJECT(pnv_core));
diff --git a/hw/ppc/pnv_core.c b/hw/ppc/pnv_core.c
index f7cf33f547..a9f129fc2c 100644
--- a/hw/ppc/pnv_core.c
+++ b/hw/ppc/pnv_core.c
@@ -99,13 +99,14 @@ static const MemoryRegionOps pnv_core_xscom_ops = {
 .endianness = DEVICE_BIG_ENDIAN,
 };
 
-static void pnv_realize_vcpu(PowerPCCPU *cpu, XICSFabric *xi, Error **errp)
+static void pnv_realize_vcpu(PowerPCCPU *cpu, PnvChip *chip, Error **errp)
 {
 CPUPPCState *env = &cpu->env;
 int core_pir;
 int thread_index = 0; /* TODO: TCG supports only one thread */
 ppc_spr_t *pir = &env->spr_cb[SPR_PIR];
 Error *local_err = NULL;
+PnvChipClass *pcc = PNV_CHIP_GET_CLASS(chip);
 
 object_property_set_bool(OBJECT(cpu), true, "realized", &local_err);
 if (local_err) {
@@ -113,7 +114,7 @@ static void pnv_realize_vcpu(PowerPCCPU *cpu, XICSFabric 
*xi, Error **errp)
 return;
 }
 
-cpu->intc = icp_create(OBJECT(cpu), TYPE_PNV_ICP, xi, &local_err);
+cpu->intc = pcc->intc_create(chip, OBJECT(cpu), &local_err);
 if (local_err) {
 error_propagate(errp, local_err);
 return;
@@ -143,13 +144,12 @@ static void pnv_core_realize(DeviceState *dev, Error 
**errp)
 void *obj;
 int i, j;
 char name[32];
-Object *xi;
+Object *chip;
 
-xi = object_property_get_link(OBJECT(dev), "xics", &local_err);
-if (!xi) {
-error_setg(errp, "%s: required link 'xics' not found: %s",
-   __func__, error_get_pretty(l

[Qemu-devel] [PULL 13/25] fpu_helper.c: fix helper_fpscr_clrbit() function

2018-06-22 Thread David Gibson
From: John Arbuckle 

Fix the helper_fpscr_clrbit() function so it correctly sets the FEX
and VX bits.

Determining the value for the Floating Point Status and Control
Register's (FPSCR) FEX bit is supposed to be done like this:

FEX = (VX & VE) | (OX & OE) | (UX & UE) | (ZX & ZE) | (XX & XE)

It is described as "the logical OR of all the floating-point exception
bits masked by their respective enable bits". It was not implemented
correctly. The value of FEX would stay on even when all other bits
were set to off.

The VX bit is described as "the logical OR of all of the invalid
operation exceptions". This bit was also not implemented correctly. It
too would stay on when all the other bits were set to off.

My main source of information is an IBM document called:

PowerPC Microprocessor Family:
The Programming Environments for 32-Bit Microprocessors

Page 62 is where the FPSCR information is located.

This is an older copy than the one I use but it is still very useful:
https://www.pdfdrive.net/powerpc-microprocessor-family-the-programming-environments-for-32-e3087633.html

I use a G3 and G5 iMac to compare bit values with QEMU. This patch
fixed all the problems I was having with these bits.

Signed-off-by: John Arbuckle 
[dwg: Re-wrapped commit message]
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 28 
 1 file changed, 28 insertions(+)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index d31a933cbb..7714bfe0f9 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -325,6 +325,34 @@ void helper_fpscr_clrbit(CPUPPCState *env, uint32_t bit)
 case FPSCR_RN:
 fpscr_set_rounding_mode(env);
 break;
+case FPSCR_VXSNAN:
+case FPSCR_VXISI:
+case FPSCR_VXIDI:
+case FPSCR_VXZDZ:
+case FPSCR_VXIMZ:
+case FPSCR_VXVC:
+case FPSCR_VXSOFT:
+case FPSCR_VXSQRT:
+case FPSCR_VXCVI:
+if (!fpscr_ix) {
+/* Set VX bit to zero */
+env->fpscr &= ~(1 << FPSCR_VX);
+}
+break;
+case FPSCR_OX:
+case FPSCR_UX:
+case FPSCR_ZX:
+case FPSCR_XX:
+case FPSCR_VE:
+case FPSCR_OE:
+case FPSCR_UE:
+case FPSCR_ZE:
+case FPSCR_XE:
+if (!fpscr_eex) {
+/* Set the FEX bit */
+env->fpscr &= ~(1 << FPSCR_FEX);
+}
+break;
 default:
 break;
 }
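Review bot: In the FPSCR_VXSNAN ... FPSCR_VXCVI group only VX is updated after a cause bit is cleared, but by the formula in the commit message FEX includes (VX & VE), so clearing the last invalid-operation cause while VE is set can leave FEX stale. Re-run the !fpscr_eex check from the second group after VX has been cleared. Separately, the comment "/* Set the FEX bit */" sits above "env->fpscr &= ~(1 << FPSCR_FEX);", which clears the bit; reword it to match, as was done for "/* Set VX bit to zero */".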
-- 
2.17.1
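The FEX and VX rules quoted in the commit message above can be written as a recomputation of both summary bits after any bit is cleared. This is an added C example, not code from the patch or from QEMU; the function names and the LSB-0 bit positions in the enum are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* FPSCR bit positions, LSB-0 numbering. Assumed for this example: the
 * patch above uses the same names but does not show their values. */
enum {
    FPSCR_XE = 3, FPSCR_ZE = 4, FPSCR_UE = 5, FPSCR_OE = 6, FPSCR_VE = 7,
    FPSCR_VXCVI = 8, FPSCR_VXSQRT = 9, FPSCR_VXSOFT = 10,
    FPSCR_VXVC = 19, FPSCR_VXIMZ = 20, FPSCR_VXZDZ = 21,
    FPSCR_VXIDI = 22, FPSCR_VXISI = 23, FPSCR_VXSNAN = 24,
    FPSCR_XX = 25, FPSCR_ZX = 26, FPSCR_UX = 27, FPSCR_OX = 28,
    FPSCR_VX = 29, FPSCR_FEX = 30
};

#define BIT(n) (UINT32_C(1) << (n))

/* Every individual invalid-operation cause; VX is their logical OR. */
#define FPSCR_VX_CAUSES \
    (BIT(FPSCR_VXSNAN) | BIT(FPSCR_VXISI) | BIT(FPSCR_VXIDI) | \
     BIT(FPSCR_VXZDZ)  | BIT(FPSCR_VXIMZ) | BIT(FPSCR_VXVC)  | \
     BIT(FPSCR_VXSOFT) | BIT(FPSCR_VXSQRT) | BIT(FPSCR_VXCVI))

static unsigned get_bit(uint32_t fpscr, int n)
{
    return (fpscr >> n) & 1u;
}

/* Rebuild the two summary bits from the bits they summarise.
 * VX must be derived first because FEX depends on (VX & VE). */
uint32_t fpscr_update_summary(uint32_t fpscr)
{
    unsigned fex;

    fpscr &= ~(BIT(FPSCR_VX) | BIT(FPSCR_FEX));
    if (fpscr & FPSCR_VX_CAUSES) {
        fpscr |= BIT(FPSCR_VX);
    }

    /* FEX = (VX & VE) | (OX & OE) | (UX & UE) | (ZX & ZE) | (XX & XE) */
    fex = (get_bit(fpscr, FPSCR_VX) & get_bit(fpscr, FPSCR_VE)) |
          (get_bit(fpscr, FPSCR_OX) & get_bit(fpscr, FPSCR_OE)) |
          (get_bit(fpscr, FPSCR_UX) & get_bit(fpscr, FPSCR_UE)) |
          (get_bit(fpscr, FPSCR_ZX) & get_bit(fpscr, FPSCR_ZE)) |
          (get_bit(fpscr, FPSCR_XX) & get_bit(fpscr, FPSCR_XE));
    if (fex) {
        fpscr |= BIT(FPSCR_FEX);
    }
    return fpscr;
}

/* Clear one bit, then re-derive VX and FEX so neither can stay on
 * once everything feeding it is off (the failure the patch describes). */
uint32_t fpscr_clear_bit(uint32_t fpscr, int bit)
{
    return fpscr_update_summary(fpscr & ~BIT(bit));
}

int main(void)
{
    /* Constructed sample: one invalid-operation cause, enabled. */
    uint32_t before = BIT(FPSCR_VXSNAN) | BIT(FPSCR_VX) |
                      BIT(FPSCR_VE) | BIT(FPSCR_FEX);
    uint32_t after = fpscr_clear_bit(before, FPSCR_VXSNAN);

    printf("before=0x%08x VX=%u FEX=%u\n", (unsigned)before,
           get_bit(before, FPSCR_VX), get_bit(before, FPSCR_FEX));
    printf("after =0x%08x VX=%u FEX=%u\n", (unsigned)after,
           get_bit(after, FPSCR_VX), get_bit(after, FPSCR_FEX));
    return 0;
}
```

Deriving VX before FEX in one place covers the case where clearing the last invalid-operation cause must also drop FEX.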




[Qemu-devel] [PULL 04/25] spapr_cpu_core: migrate VPA related state

2018-06-22 Thread David Gibson
From: Greg Kurz 

QEMU implements the "Shared Processor LPAR" (SPLPAR) option, which allows
the hypervisor to time-slice a physical processor into multiple virtual
processors. The intent is to allow more guests to run, and to optimize
processor utilization.

The guest OS can cede idle VCPUs, so that their processing capacity may
be used by other VCPUs, with the H_CEDE hcall. The guest OS can also
optimize spinlocks, by conferring the time-slice of a spinning VCPU to the
spinlock holder if it's currently not running, with the H_CONFER hcall.

Both hcalls depend on a "Virtual Processor Area" (VPA) to be registered
by the guest OS, generally during early boot. Other per-VCPU areas can
be registered: the "SLB Shadow Buffer" which allows a more efficient
dispatching of VCPUs, and the "Dispatch Trace Log Buffer" (DTL) which
is used to compute time stolen by the hypervisor. Both DTL and SLB Shadow
areas depend on the VPA to be registered.

The VPA/SLB Shadow/DTL are state that QEMU should migrate, but this doesn't
happen, for no apparent reason other than it was just never coded. This
causes the features listed above to stop working after migration, and it
breaks the logic of the H_REGISTER_VPA hcall in the destination.

The VPA is set at the guest request, ie, we don't have to migrate
it before the guest has actually set it. This patch hence adds an
"spapr_cpu/vpa" subsection to the recently introduced per-CPU machine
data migration stream.

Since DTL and SLB Shadow are optional and both depend on VPA, they get
their own subsections "spapr_cpu/vpa/slb_shadow" and "spapr_cpu/vpa/dtl"
hanging from the "spapr_cpu/vpa" subsection.

Note that this won't break migration to older QEMUs. It is already handled
by only registering the vmstate handler for per-CPU data with newer machine
types.

Signed-off-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_cpu_core.c | 65 +
 1 file changed, 65 insertions(+)

diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index f129ac884e..67f1596c57 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -129,6 +129,67 @@ static void spapr_cpu_core_unrealize(DeviceState *dev, 
Error **errp)
 g_free(sc->threads);
 }
 
+static bool slb_shadow_needed(void *opaque)
+{
+sPAPRCPUState *spapr_cpu = opaque;
+
+return spapr_cpu->slb_shadow_addr != 0;
+}
+
+static const VMStateDescription vmstate_spapr_cpu_slb_shadow = {
+.name = "spapr_cpu/vpa/slb_shadow",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = slb_shadow_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(slb_shadow_addr, sPAPRCPUState),
+VMSTATE_UINT64(slb_shadow_size, sPAPRCPUState),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static bool dtl_needed(void *opaque)
+{
+sPAPRCPUState *spapr_cpu = opaque;
+
+return spapr_cpu->dtl_addr != 0;
+}
+
+static const VMStateDescription vmstate_spapr_cpu_dtl = {
+.name = "spapr_cpu/vpa/dtl",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = dtl_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(dtl_addr, sPAPRCPUState),
+VMSTATE_UINT64(dtl_size, sPAPRCPUState),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static bool vpa_needed(void *opaque)
+{
+sPAPRCPUState *spapr_cpu = opaque;
+
+return spapr_cpu->vpa_addr != 0;
+}
+
+static const VMStateDescription vmstate_spapr_cpu_vpa = {
+.name = "spapr_cpu/vpa",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = vpa_needed,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(vpa_addr, sPAPRCPUState),
+VMSTATE_END_OF_LIST()
+},
+.subsections = (const VMStateDescription * []) {
+&vmstate_spapr_cpu_slb_shadow,
+&vmstate_spapr_cpu_dtl,
+NULL
+}
+};
+
 static const VMStateDescription vmstate_spapr_cpu_state = {
 .name = "spapr_cpu",
 .version_id = 1,
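Review bot: vpa_addr, slb_shadow_addr/slb_shadow_size and dtl_addr/dtl_size are taken from the migration stream with no post_load check. The commit message states that DTL and SLB Shadow depend on a registered VPA, but the .needed callbacks enforce that only on the sending side; on load, a "spapr_cpu/vpa" subsection carrying vpa_addr == 0 together with a "spapr_cpu/vpa/dtl" or "spapr_cpu/vpa/slb_shadow" subsection would be accepted. Consider a post_load hook on vmstate_spapr_cpu_vpa that rejects that combination, so the destination never holds state the H_REGISTER_VPA logic could not have produced.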
@@ -136,6 +197,10 @@ static const VMStateDescription vmstate_spapr_cpu_state = {
 .fields = (VMStateField[]) {
 VMSTATE_END_OF_LIST()
 },
+.subsections = (const VMStateDescription * []) {
+&vmstate_spapr_cpu_vpa,
+NULL
+}
 };
 
 static void spapr_realize_vcpu(PowerPCCPU *cpu, sPAPRMachineState *spapr,
-- 
2.17.1




[Qemu-devel] [PULL 02/25] ppc/pnv: introduce a new isa_create() operation to the chip model

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

This moves the details of the ISA bus creation under the LPC model but
more important, the new PnvChip operation will let us choose the chip
class to use when we introduce the different chip classes for Power9
and Power8. It hides away the processor chip controllers from the
machine.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/pnv.c | 34 +++---
 hw/ppc/pnv_lpc.c | 30 +-
 include/hw/ppc/pnv.h |  1 +
 include/hw/ppc/pnv_lpc.h |  3 +--
 4 files changed, 46 insertions(+), 22 deletions(-)

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index c7e127ae97..ac828d1331 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -529,24 +529,24 @@ static void pnv_reset(void)
 cpu_physical_memory_write(PNV_FDT_ADDR, fdt, fdt_totalsize(fdt));
 }
 
-static ISABus *pnv_isa_create(PnvChip *chip)
+static ISABus *pnv_chip_power8_isa_create(PnvChip *chip, Error **errp)
 {
-PnvLpcController *lpc = &chip->lpc;
-ISABus *isa_bus;
-qemu_irq *irqs;
-PnvChipClass *pcc = PNV_CHIP_GET_CLASS(chip);
+return pnv_lpc_isa_create(&chip->lpc, true, errp);
+}
 
-/* let isa_bus_new() create its own bridge on SysBus otherwise
- * devices speficied on the command line won't find the bus and
- * will fail to create.
- */
-isa_bus = isa_bus_new(NULL, &lpc->isa_mem, &lpc->isa_io,
-  &error_fatal);
+static ISABus *pnv_chip_power8nvl_isa_create(PnvChip *chip, Error **errp)
+{
+return pnv_lpc_isa_create(&chip->lpc, false, errp);
+}
 
-irqs = pnv_lpc_isa_irq_create(lpc, pcc->chip_type, ISA_NUM_IRQS);
+static ISABus *pnv_chip_power9_isa_create(PnvChip *chip, Error **errp)
+{
+return NULL;
+}
 
-isa_bus_irqs(isa_bus, irqs);
-return isa_bus;
+static ISABus *pnv_isa_create(PnvChip *chip, Error **errp)
+{
+return PNV_CHIP_GET_CLASS(chip)->isa_create(chip, errp);
 }
 
 static void pnv_init(MachineState *machine)
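Review bot: pnv_chip_power9_isa_create() returns NULL without setting errp, so the &error_fatal passed by pnv_init() in the next hunk never fires and pnv->isa_bus is NULL when it reaches serial_hds_isa_init(pnv->isa_bus, 0, MAX_ISA_SERIAL_PORTS). Set an error with error_setg() in the POWER9 stub until the LPC model supports it, or have pnv_isa_create() treat a NULL bus as a failure. The bare true/false arguments to pnv_lpc_isa_create() would also read better with a comment naming the use_cpld parameter.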
@@ -646,7 +646,7 @@ static void pnv_init(MachineState *machine)
 g_free(chip_typename);
 
 /* Instantiate ISA bus on chip 0 */
-pnv->isa_bus = pnv_isa_create(pnv->chips[0]);
+pnv->isa_bus = pnv_isa_create(pnv->chips[0], &error_fatal);
 
 /* Create serial port */
 serial_hds_isa_init(pnv->isa_bus, 0, MAX_ISA_SERIAL_PORTS);
@@ -735,6 +735,7 @@ static void pnv_chip_power8e_class_init(ObjectClass *klass, 
void *data)
 k->cores_mask = POWER8E_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
 k->intc_create = pnv_chip_power8_intc_create;
+k->isa_create = pnv_chip_power8_isa_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8E";
 }
@@ -749,6 +750,7 @@ static void pnv_chip_power8_class_init(ObjectClass *klass, 
void *data)
 k->cores_mask = POWER8_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
 k->intc_create = pnv_chip_power8_intc_create;
+k->isa_create = pnv_chip_power8_isa_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8";
 }
@@ -763,6 +765,7 @@ static void pnv_chip_power8nvl_class_init(ObjectClass 
*klass, void *data)
 k->cores_mask = POWER8_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p8;
 k->intc_create = pnv_chip_power8_intc_create;
+k->isa_create = pnv_chip_power8nvl_isa_create;
 k->xscom_base = 0x003fc00ull;
 dc->desc = "PowerNV Chip POWER8NVL";
 }
@@ -777,6 +780,7 @@ static void pnv_chip_power9_class_init(ObjectClass *klass, 
void *data)
 k->cores_mask = POWER9_CORE_MASK;
 k->core_pir = pnv_chip_core_pir_p9;
 k->intc_create = pnv_chip_power9_intc_create;
+k->isa_create = pnv_chip_power9_isa_create;
 k->xscom_base = 0x00603fcull;
 dc->desc = "PowerNV Chip POWER9";
 }
diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
index 402c4fefa8..d7721320a2 100644
--- a/hw/ppc/pnv_lpc.c
+++ b/hw/ppc/pnv_lpc.c
@@ -22,6 +22,7 @@
 #include "target/ppc/cpu.h"
 #include "qapi/error.h"
 #include "qemu/log.h"
+#include "hw/isa/isa.h"
 
 #include "hw/ppc/pnv.h"
 #include "hw/ppc/pnv_lpc.h"
@@ -535,16 +536,35 @@ static void pnv_lpc_isa_irq_handler(void *opaque, int n, 
int level)
 }
 }
 
-qemu_irq *pnv_lpc_isa_irq_create(PnvLpcController *lpc, int chip_type,
- int nirqs)
+ISABus *pnv_lpc_isa_create(PnvLpcController *lpc, bool use_cpld, Error **errp)
 {
+Error *local_err = NULL;
+ISABus *isa_bus;
+qemu_irq *irqs;
+qemu_irq_handler handler;
+
+/* let isa_bus_new() create its own bridge on SysBus otherwise
+ * devices speficied on the command line won't find the bus and
+ * will fail to create.
+ */
+isa_bus = isa_bus_new(NULL, &lpc->isa_mem, &lpc->isa_io, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return NULL;
+}
+
 /* Not all variants have a working serial irq decoder. If not,
  * handling of LPC interrupts becomes a platform issue (some
  * platf

[Qemu-devel] [PULL 06/25] ppc/pnv: consolidate the creation of the ISA bus device tree

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

The device tree node of the ISA bus was being partially done in
different places. Move all the nodes creation under the same routine.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/pnv.c | 51 +++
 1 file changed, 23 insertions(+), 28 deletions(-)

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index a29ea996b4..7401ffe5b0 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -265,18 +265,6 @@ static void pnv_dt_icp(PnvChip *chip, void *fdt, uint32_t 
pir,
 g_free(reg);
 }
 
-static int pnv_chip_lpc_offset(PnvChip *chip, void *fdt)
-{
-char *name;
-int offset;
-
-name = g_strdup_printf("/xscom@%" PRIx64 "/isa@%x",
-   (uint64_t) PNV_XSCOM_BASE(chip), 
PNV_XSCOM_LPC_BASE);
-offset = fdt_path_offset(fdt, name);
-g_free(name);
-return offset;
-}
-
 static void pnv_dt_chip(PnvChip *chip, void *fdt)
 {
 const char *typename = pnv_chip_core_typename(chip);
@@ -285,16 +273,6 @@ static void pnv_dt_chip(PnvChip *chip, void *fdt)
 
 pnv_dt_xscom(chip, fdt, 0);
 
-/* The default LPC bus of a multichip system is on chip 0. It's
- * recognized by the firmware (skiboot) using a "primary"
- * property.
- */
-if (chip->chip_id == 0x0) {
-int lpc_offset = pnv_chip_lpc_offset(chip, fdt);
-
-_FDT((fdt_setprop(fdt, lpc_offset, "primary", NULL, 0)));
-}
-
 for (i = 0; i < chip->nr_cores; i++) {
 PnvCore *pnv_core = PNV_CORE(chip->cores + i * typesize);
 
@@ -418,16 +396,35 @@ static int pnv_dt_isa_device(DeviceState *dev, void 
*opaque)
 return 0;
 }
 
-static void pnv_dt_isa(ISABus *bus, void *fdt, int lpc_offset)
+static int pnv_chip_isa_offset(PnvChip *chip, void *fdt)
+{
+char *name;
+int offset;
+
+name = g_strdup_printf("/xscom@%" PRIx64 "/isa@%x",
+   (uint64_t) PNV_XSCOM_BASE(chip), 
PNV_XSCOM_LPC_BASE);
+offset = fdt_path_offset(fdt, name);
+g_free(name);
+return offset;
+}
+
+/* The default LPC bus of a multichip system is on chip 0. It's
+ * recognized by the firmware (skiboot) using a "primary" property.
+ */
+static void pnv_dt_isa(PnvMachineState *pnv, void *fdt)
 {
+int isa_offset = pnv_chip_isa_offset(pnv->chips[0], fdt);
 ForeachPopulateArgs args = {
 .fdt = fdt,
-.offset = lpc_offset,
+.offset = isa_offset,
 };
 
+_FDT((fdt_setprop(fdt, isa_offset, "primary", NULL, 0)));
+
 /* ISA devices are not necessarily parented to the ISA bus so we
  * can not use object_child_foreach() */
-qbus_walk_children(BUS(bus), pnv_dt_isa_device, NULL, NULL, NULL, &args);
+qbus_walk_children(BUS(pnv->isa_bus), pnv_dt_isa_device, NULL, NULL, NULL,
+   &args);
 }
 
 static void *pnv_dt_create(MachineState *machine)
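Review bot: isa_offset in pnv_dt_isa() is used without checking that the path lookup succeeded. pnv_chip_isa_offset() returns the raw fdt_path_offset() result, which is negative on failure, and that value is copied into args.offset for the qbus_walk_children() callbacks as well as passed to fdt_setprop(). Wrapping the lookup in _FDT() or testing for a negative offset right after the call would report the failure where the path is resolved rather than at the first property write. The comment about the "primary" property would also sit better next to the fdt_setprop() call than above the function.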
@@ -438,7 +435,6 @@ static void *pnv_dt_create(MachineState *machine)
 char *buf;
 int off;
 int i;
-int lpc_offset;
 
 fdt = g_malloc0(FDT_MAX_SIZE);
 _FDT((fdt_create_empty_tree(fdt, FDT_MAX_SIZE)));
@@ -480,8 +476,7 @@ static void *pnv_dt_create(MachineState *machine)
 }
 
 /* Populate ISA devices on chip 0 */
-lpc_offset = pnv_chip_lpc_offset(pnv->chips[0], fdt);
-pnv_dt_isa(pnv->isa_bus, fdt, lpc_offset);
+pnv_dt_isa(pnv, fdt);
 
 if (pnv->bmc) {
 pnv_dt_bmc_sensors(pnv->bmc, fdt);
-- 
2.17.1




[Qemu-devel] [PULL 07/25] target/ppc: Allow cpu compatibility checks based on type, not instance

2018-06-22 Thread David Gibson
ppc_check_compat() is used in a number of places to check if a cpu object
supports a certain compatibility mode, subject to various constraints.

It takes a PowerPCCPU *, however it really only depends on the cpu's class.
We have upcoming cases where it would be useful to make compatibility
checks before we fully instantiate the cpu objects.

ppc_type_check_compat() will now make an equivalent check, but based on a
CPU's QOM typename instead of an instantiated CPU object.

We make use of the new interface in several places in spapr, where we're
essentially making a global check, rather than one specific to a particular
cpu.  This avoids some ugly uses of first_cpu to grab a "representative"
instance.

Signed-off-by: David Gibson 
Reviewed-by: Greg Kurz 
Reviewed-by: Cédric Le Goater 
---
 hw/ppc/spapr.c  | 10 --
 hw/ppc/spapr_caps.c | 19 +--
 target/ppc/compat.c | 27 +--
 target/ppc/cpu.h|  4 
 4 files changed, 38 insertions(+), 22 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 3174468fc5..bc179f6f89 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1616,8 +1616,8 @@ static void spapr_machine_reset(void)
 
 first_ppc_cpu = POWERPC_CPU(first_cpu);
 if (kvm_enabled() && kvmppc_has_cap_mmu_radix() &&
-ppc_check_compat(first_ppc_cpu, CPU_POWERPC_LOGICAL_3_00, 0,
- spapr->max_compat_pvr)) {
+ppc_type_check_compat(machine->cpu_type, CPU_POWERPC_LOGICAL_3_00, 0,
+  spapr->max_compat_pvr)) {
 /* If using KVM with radix mode available, VCPUs can be started
  * without a HPT because KVM will start them in radix mode.
  * Set the GR bit in PATB so that we know there is no HPT. */
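Review bot: first_ppc_cpu is still assigned at the top of this hunk in spapr_machine_reset(), although the compat check no longer reads it. The spapr_machine_init() hunks below drop both the variable and its assignment, so confirm that something later in the reset path still uses it, or remove it here too.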
@@ -2520,7 +2520,6 @@ static void spapr_machine_init(MachineState *machine)
 long load_limit, fw_size;
 char *filename;
 Error *resize_hpt_err = NULL;
-PowerPCCPU *first_ppc_cpu;
 
 msi_nonbroken = true;
 
@@ -2618,10 +2617,9 @@ static void spapr_machine_init(MachineState *machine)
 /* init CPUs */
 spapr_init_cpus(spapr);
 
-first_ppc_cpu = POWERPC_CPU(first_cpu);
 if ((!kvm_enabled() || kvmppc_has_cap_mmu_radix()) &&
-ppc_check_compat(first_ppc_cpu, CPU_POWERPC_LOGICAL_3_00, 0,
- spapr->max_compat_pvr)) {
+ppc_type_check_compat(machine->cpu_type, CPU_POWERPC_LOGICAL_3_00, 0,
+  spapr->max_compat_pvr)) {
 /* KVM and TCG always allow GTSE with radix... */
 spapr_ovec_set(spapr->ov5, OV5_MMU_RADIX_GTSE);
 }
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 00e43a9ba7..469f38f0ef 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -327,27 +327,26 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 };
 
 static sPAPRCapabilities default_caps_with_cpu(sPAPRMachineState *spapr,
-   CPUState *cs)
+   const char *cputype)
 {
 sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
-PowerPCCPU *cpu = POWERPC_CPU(cs);
 sPAPRCapabilities caps;
 
 caps = smc->default_caps;
 
-if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_07,
-  0, spapr->max_compat_pvr)) {
+if (!ppc_type_check_compat(cputype, CPU_POWERPC_LOGICAL_2_07,
+   0, spapr->max_compat_pvr)) {
 caps.caps[SPAPR_CAP_HTM] = SPAPR_CAP_OFF;
 caps.caps[SPAPR_CAP_CFPC] = SPAPR_CAP_BROKEN;
 }
 
-if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_06_PLUS,
-  0, spapr->max_compat_pvr)) {
+if (!ppc_type_check_compat(cputype, CPU_POWERPC_LOGICAL_2_06_PLUS,
+   0, spapr->max_compat_pvr)) {
 caps.caps[SPAPR_CAP_SBBC] = SPAPR_CAP_BROKEN;
 }
 
-if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_06,
-  0, spapr->max_compat_pvr)) {
+if (!ppc_type_check_compat(cputype, CPU_POWERPC_LOGICAL_2_06,
+   0, spapr->max_compat_pvr)) {
 caps.caps[SPAPR_CAP_VSX] = SPAPR_CAP_OFF;
 caps.caps[SPAPR_CAP_DFP] = SPAPR_CAP_OFF;
 caps.caps[SPAPR_CAP_IBS] = SPAPR_CAP_BROKEN;
@@ -384,7 +383,7 @@ int spapr_caps_post_migration(sPAPRMachineState *spapr)
 sPAPRCapabilities dstcaps = spapr->eff;
 sPAPRCapabilities srccaps;
 
-srccaps = default_caps_with_cpu(spapr, first_cpu);
+srccaps = default_caps_with_cpu(spapr, MACHINE(spapr)->cpu_type);
 for (i = 0; i < SPAPR_CAP_NUM; i++) {
 /* If not default value then assume came in with the migration */
 if (spapr->mig.caps[i] != spapr->def.caps[i]) {
@@ -446,7 +445,7 @@ void spapr_caps_reset(sPAPRMachineState *spapr)
 int i;
 
 /* First compute the actual set of caps we're running with.. */
-default_caps = default_caps_with_cpu(spapr, first_cpu);
+default_caps = default_caps_with_cpu(

[Qemu-devel] [PULL 12/25] spapr: remove unused spapr_irq routines

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

spapr_irq_alloc_block and spapr_irq_alloc() are now deprecated.

Signed-off-by: Cédric Le Goater 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 80 +-
 include/hw/ppc/spapr.h |  4 ---
 2 files changed, 1 insertion(+), 83 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index b7705c3944..78186500e9 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3846,84 +3846,6 @@ int spapr_irq_find(sPAPRMachineState *spapr, int num, 
bool align, Error **errp)
 return first + ics->offset;
 }
 
-/*
- * Allocate the IRQ number and set the IRQ type, LSI or MSI
- */
-static void spapr_irq_set_lsi(sPAPRMachineState *spapr, int irq, bool lsi)
-{
-ics_set_irq_type(spapr->ics, irq - spapr->ics->offset, lsi);
-}
-
-int spapr_irq_alloc(sPAPRMachineState *spapr, int irq_hint, bool lsi,
-Error **errp)
-{
-ICSState *ics = spapr->ics;
-int irq;
-
-assert(ics);
-
-if (irq_hint) {
-if (!ICS_IRQ_FREE(ics, irq_hint - ics->offset)) {
-error_setg(errp, "can't allocate IRQ %d: already in use", 
irq_hint);
-return -1;
-}
-irq = irq_hint;
-} else {
-irq = ics_find_free_block(ics, 1, 1);
-if (irq < 0) {
-error_setg(errp, "can't allocate IRQ: no IRQ left");
-return -1;
-}
-irq += ics->offset;
-}
-
-spapr_irq_set_lsi(spapr, irq, lsi);
-trace_spapr_irq_alloc(irq);
-
-return irq;
-}
-
-/*
- * Allocate block of consecutive IRQs, and return the number of the first IRQ 
in
- * the block. If align==true, aligns the first IRQ number to num.
- */
-int spapr_irq_alloc_block(sPAPRMachineState *spapr, int num, bool lsi,
-  bool align, Error **errp)
-{
-ICSState *ics = spapr->ics;
-int i, first = -1;
-
-assert(ics);
-
-/*
- * MSIMesage::data is used for storing VIRQ so
- * it has to be aligned to num to support multiple
- * MSI vectors. MSI-X is not affected by this.
- * The hint is used for the first IRQ, the rest should
- * be allocated continuously.
- */
-if (align) {
-assert((num == 1) || (num == 2) || (num == 4) ||
-   (num == 8) || (num == 16) || (num == 32));
-first = ics_find_free_block(ics, num, num);
-} else {
-first = ics_find_free_block(ics, num, 1);
-}
-if (first < 0) {
-error_setg(errp, "can't find a free %d-IRQ block", num);
-return -1;
-}
-
-first += ics->offset;
-for (i = first; i < first + num; ++i) {
-spapr_irq_set_lsi(spapr, i, lsi);
-}
-
-trace_spapr_irq_alloc_block(first, num, lsi, align);
-
-return first;
-}
-
 int spapr_irq_claim(sPAPRMachineState *spapr, int irq, bool lsi, Error **errp)
 {
 ICSState *ics = spapr->ics;
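Review bot: the deleted spapr_irq_alloc() and spapr_irq_alloc_block() call trace_spapr_irq_alloc() and trace_spapr_irq_alloc_block(), but the diffstat lists only hw/ppc/spapr.c and include/hw/ppc/spapr.h. If these were the last users, the matching trace event definitions are left behind and should be removed in the same patch. The commit message says the routines are deprecated while the subject says unused; it would help to state plainly that no callers remain.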
@@ -3940,7 +3862,7 @@ int spapr_irq_claim(sPAPRMachineState *spapr, int irq, 
bool lsi, Error **errp)
 return -1;
 }
 
-spapr_irq_set_lsi(spapr, irq, lsi);
+ics_set_irq_type(ics, irq - ics->offset, lsi);
 return 0;
 }
 
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 6bfdf5a2fb..8a9142244f 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -772,10 +772,6 @@ int spapr_get_vcpu_id(PowerPCCPU *cpu);
 void spapr_set_vcpu_id(PowerPCCPU *cpu, int cpu_index, Error **errp);
 PowerPCCPU *spapr_find_cpu(int vcpu_id);
 
-int spapr_irq_alloc(sPAPRMachineState *spapr, int irq_hint, bool lsi,
-Error **errp);
-int spapr_irq_alloc_block(sPAPRMachineState *spapr, int num, bool lsi,
-  bool align, Error **errp);
 int spapr_irq_find(sPAPRMachineState *spapr, int num, bool align,
Error **errp);
 #define spapr_irq_findone(spapr, errp) spapr_irq_find(spapr, 1, false, errp)
-- 
2.17.1




[Qemu-devel] [PULL 17/25] target/ppc: Add missing opcode for icbt on PPC440

2018-06-22 Thread David Gibson
From: BALATON Zoltan 

According to the PPC440 User Manual, the PPC440 has multiple opcodes for the
icbt instruction: one for compatibility with older cores and two
440-specific opcodes, one of which is defined in BookE. QEMU only
implements two of these; add the missing one.

Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 target/ppc/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 5fe1ba6555..3a215a1dc6 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -6707,6 +6707,8 @@ GEN_HANDLER_E(mbar, 0x1F, 0x16, 0x1a, 0x001FF801,
 GEN_HANDLER(msync_4xx, 0x1F, 0x16, 0x12, 0x03FFF801, PPC_BOOKE),
 GEN_HANDLER2_E(icbt_440, "icbt", 0x1F, 0x16, 0x00, 0x03E1,
PPC_BOOKE, PPC2_BOOKE206),
+GEN_HANDLER2(icbt_440, "icbt", 0x1F, 0x06, 0x08, 0x03E1,
+   PPC_440_SPEC),
 GEN_HANDLER(lvsl, 0x1f, 0x06, 0x00, 0x0001, PPC_ALTIVEC),
 GEN_HANDLER(lvsr, 0x1f, 0x06, 0x01, 0x0001, PPC_ALTIVEC),
 GEN_HANDLER(mfvscr, 0x04, 0x2, 0x18, 0x001ff800, PPC_ALTIVEC),
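Review bot: the new GEN_HANDLER2 entry reuses the name icbt_440 with no comment saying which of the three encodings from the commit message it covers. A one-line comment above it would spare readers a trip to the manual. It is also gated on PPC_440_SPEC alone, while the existing entry uses PPC_BOOKE, PPC2_BOOKE206; a sentence in the commit message on why the flags differ would make the choice reviewable.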
-- 
2.17.1




[Qemu-devel] [PULL 14/25] sm501: Fix hardware cursor color conversion

2018-06-22 Thread David Gibson
From: Sebastian Bauer 

According to the sm501 specs the hardware cursor colors are to be given in
the rgb565 format, but the code currently interprets them as bgr565.

Therefore, the colors of the hardware cursors are wrong in the QEMU
display, e.g., the standard mouse pointer of AmigaOS appears blue instead
of red. This change fixes this issue by replacing the existing naive
bgr565 => rgb888 conversion with a standard rgb565 => rgb888 one that also
scales the color component values properly.

Signed-off-by: Sebastian Bauer 
Signed-off-by: David Gibson 
---
 hw/display/sm501.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index ca0840f6fa..8206ae81a1 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -652,9 +652,9 @@ static inline void get_hwc_palette(SM501State *state, int 
crt, uint8_t *palette)
 } else {
 rgb565 = color_reg & 0x;
 }
-palette[i * 3 + 0] = (rgb565 << 3) & 0xf8; /* red */
-palette[i * 3 + 1] = (rgb565 >> 3) & 0xfc; /* green */
-palette[i * 3 + 2] = (rgb565 >> 8) & 0xf8; /* blue */
+palette[i * 3 + 0] = ((rgb565 >> 11) * 527 + 23) >> 6; /* r */
+palette[i * 3 + 1] = (((rgb565 >> 5) & 0x3f) * 259 + 33) >> 6; /* g */
+palette[i * 3 + 2] = ((rgb565 & 0x1f) * 527 + 23) >> 6; /* b */
 }
 }
 
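Review bot: the red component in get_hwc_palette() is the only one of the three new expressions without a mask: (rgb565 >> 11) * 527 relies on rgb565 never carrying bits above bit 15, while green and blue are masked with 0x3f and 0x1f. Masking red with 0x1f as well keeps the result within 0..255 regardless of how rgb565 is declared or filled from color_reg. The scaling constants (527 and 23, 259 and 33, with a shift of 6) deserve a short comment saying they round 5-bit and 6-bit values to 8 bits.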
-- 
2.17.1




[Qemu-devel] [PULL 11/25] spapr: split the IRQ allocation sequence

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

Today, when a device requests an IRQ number in a sPAPR machine, the
spapr_irq_alloc() routine first scans the ICSState status array to
find an empty slot and then performs the assignment of the selected
numbers. Split this sequence in two distinct routines: spapr_irq_find()
for lookups and spapr_irq_claim() for claiming the IRQ numbers.

This will ease the introduction of a static layout of IRQ numbers.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 50 ++
 hw/ppc/spapr_events.c  | 18 +++
 hw/ppc/spapr_pci.c | 23 ---
 hw/ppc/spapr_vio.c | 10 -
 include/hw/ppc/spapr.h |  4 
 5 files changed, 97 insertions(+), 8 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 4a0b679166..b7705c3944 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3816,6 +3816,36 @@ static int ics_find_free_block(ICSState *ics, int num, 
int alignnum)
 return -1;
 }
 
+int spapr_irq_find(sPAPRMachineState *spapr, int num, bool align, Error **errp)
+{
+ICSState *ics = spapr->ics;
+int first = -1;
+
+assert(ics);
+
+/*
+ * MSIMesage::data is used for storing VIRQ so
+ * it has to be aligned to num to support multiple
+ * MSI vectors. MSI-X is not affected by this.
+ * The hint is used for the first IRQ, the rest should
+ * be allocated continuously.
+ */
+if (align) {
+assert((num == 1) || (num == 2) || (num == 4) ||
+   (num == 8) || (num == 16) || (num == 32));
+first = ics_find_free_block(ics, num, num);
+} else {
+first = ics_find_free_block(ics, num, 1);
+}
+
+if (first < 0) {
+error_setg(errp, "can't find a free %d-IRQ block", num);
+return -1;
+}
+
+return first + ics->offset;
+}
+
 /*
  * Allocate the IRQ number and set the IRQ type, LSI or MSI
  */
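Review bot: the alignment precondition in spapr_irq_find() is enforced only by assert(), and the copied comment still talks about a hint that this function does not take. The spapr_pci.c hunk calls it from rtas_ibm_change_msi() with req_num; unless that value is already limited to 1, 2, 4, 8, 16 or 32 before the call, a bad request aborts QEMU instead of failing the RTAS call. Since errp is available, report the unsupported count with error_setg() and return -1, and trim the comment to what the function actually does.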
@@ -3894,6 +3924,26 @@ int spapr_irq_alloc_block(sPAPRMachineState *spapr, int 
num, bool lsi,
 return first;
 }
 
+int spapr_irq_claim(sPAPRMachineState *spapr, int irq, bool lsi, Error **errp)
+{
+ICSState *ics = spapr->ics;
+
+assert(ics);
+
+if (!ics_valid_irq(ics, irq)) {
+error_setg(errp, "IRQ %d is invalid", irq);
+return -1;
+}
+
+if (!ICS_IRQ_FREE(ics, irq - ics->offset)) {
+error_setg(errp, "IRQ %d is not free", irq);
+return -1;
+}
+
+spapr_irq_set_lsi(spapr, irq, lsi);
+return 0;
+}
+
 void spapr_irq_free(sPAPRMachineState *spapr, int irq, int num)
 {
 ICSState *ics = spapr->ics;
diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
index 86836f0626..e4f5946a21 100644
--- a/hw/ppc/spapr_events.c
+++ b/hw/ppc/spapr_events.c
@@ -707,13 +707,18 @@ void spapr_clear_pending_events(sPAPRMachineState *spapr)
 
 void spapr_events_init(sPAPRMachineState *spapr)
 {
+int epow_irq;
+
+epow_irq = spapr_irq_findone(spapr, &error_fatal);
+
+spapr_irq_claim(spapr, epow_irq, false, &error_fatal);
+
 QTAILQ_INIT(&spapr->pending_events);
 
 spapr->event_sources = spapr_event_sources_new();
 
 spapr_event_sources_register(spapr->event_sources, EVENT_CLASS_EPOW,
- spapr_irq_alloc(spapr, 0, false,
-  &error_fatal));
+ epow_irq);
 
 /* NOTE: if machine supports modern/dedicated hotplug event source,
  * we add it to the device-tree unconditionally. This means we may
@@ -724,9 +729,14 @@ void spapr_events_init(sPAPRMachineState *spapr)
  * checking that it's enabled.
  */
 if (spapr->use_hotplug_event_source) {
+int hp_irq;
+
+hp_irq = spapr_irq_findone(spapr, &error_fatal);
+
+spapr_irq_claim(spapr, hp_irq, false, &error_fatal);
+
 spapr_event_sources_register(spapr->event_sources, 
EVENT_CLASS_HOT_PLUG,
- spapr_irq_alloc(spapr, 0, false,
-  &error_fatal));
+ hp_irq);
 }
 
 spapr->epow_notifier.notify = spapr_powerdown_req;
diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index f936ce63ef..497b896c7d 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -279,6 +279,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 spapr_pci_msi *msi;
 int *config_addr_key;
 Error *err = NULL;
+int i;
 
 /* Fins sPAPRPHBState */
 phb = spapr_pci_find_phb(spapr, buid);
@@ -371,8 +372,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 }
 
 /* Allocate MSIs */
-irq = spapr_irq_alloc_block(spapr, req_num, false,
-   ret_intr_type == RTAS_TYPE_MSI, &err);
+irq = spapr_irq_find(spapr, req_num, ret_intr_type == RTAS_TYPE_MSI, &err);
 if (err) {
 error_reportf_err(err, "Can't allocate MSIs for de

[Qemu-devel] [PULL 20/25] spapr: Use maximum page size capability to simplify memory backend checking

2018-06-22 Thread David Gibson
The way we used to handle KVM allowable guest pagesizes for PAPR guests
required some convoluted checking of memory attached to the guest.

The allowable pagesizes advertised to the guest cpus depended on the memory
which was attached at boot, but then we needed to ensure that any memory
later hotplugged didn't change which pagesizes were allowed.

Now that we have an explicit machine option to control the allowable
maximum pagesize we can simplify this.  We just check all memory backends
against that declared pagesize.  We check base and cold-plugged memory at
reset time, and hotplugged memory at pre_plug() time.

Signed-off-by: David Gibson 
Reviewed-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
---
 hw/ppc/spapr.c | 17 +++--
 hw/ppc/spapr_caps.c| 21 +
 include/hw/ppc/spapr.h |  3 +++
 target/ppc/kvm.c   | 14 --
 target/ppc/kvm_ppc.h   |  6 --
 5 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 70b150b098..0d032a1ad0 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3192,11 +3192,13 @@ static void spapr_memory_pre_plug(HotplugHandler 
*hotplug_dev, DeviceState *dev,
   Error **errp)
 {
 const sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(hotplug_dev);
+sPAPRMachineState *spapr = SPAPR_MACHINE(hotplug_dev);
 PCDIMMDevice *dimm = PC_DIMM(dev);
 PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
 MemoryRegion *mr;
 uint64_t size;
-char *mem_dev;
+Object *memdev;
+hwaddr pagesize;
 
 if (!smc->dr_lmb_enabled) {
 error_setg(errp, "Memory hotplug not supported for this machine");
@@ -3215,15 +3217,10 @@ static void spapr_memory_pre_plug(HotplugHandler 
*hotplug_dev, DeviceState *dev,
 return;
 }
 
-mem_dev = object_property_get_str(OBJECT(dimm), PC_DIMM_MEMDEV_PROP, NULL);
-if (mem_dev && !kvmppc_is_mem_backend_page_size_ok(mem_dev)) {
-error_setg(errp, "Memory backend has bad page size. "
-   "Use 'memory-backend-file' with correct mem-path.");
-goto out;
-}
-
-out:
-g_free(mem_dev);
+memdev = object_property_get_link(OBJECT(dimm), PC_DIMM_MEMDEV_PROP,
+  &error_abort);
+pagesize = host_memory_backend_pagesize(MEMORY_BACKEND(memdev));
+spapr_check_pagesize(spapr, pagesize, errp);
 }
 
 struct sPAPRDIMMState {
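Review bot: the NULL guard on the memory backend is lost in spapr_memory_pre_plug(). The removed code only ran the page-size check when mem_dev was non-NULL; the replacement passes the result of object_property_get_link() straight to MEMORY_BACKEND() and host_memory_backend_pagesize(). If a DIMM can reach pre_plug with the memdev link unset, memdev is NULL here. Either test memdev and set errp, or add a comment naming the earlier check that guarantees the link is populated.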
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 6cdc0c94e7..722b213d9a 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -26,6 +26,7 @@
 #include "qapi/error.h"
 #include "qapi/visitor.h"
 #include "sysemu/hw_accel.h"
+#include "exec/ram_addr.h"
 #include "target/ppc/cpu.h"
 #include "target/ppc/mmu-hash64.h"
 #include "cpu-models.h"
@@ -304,14 +305,34 @@ static void 
cap_safe_indirect_branch_apply(sPAPRMachineState *spapr,
 
 #define VALUE_DESC_TRISTATE " (broken, workaround, fixed)"
 
+void spapr_check_pagesize(sPAPRMachineState *spapr, hwaddr pagesize,
+  Error **errp)
+{
+hwaddr maxpagesize = (1ULL << spapr->eff.caps[SPAPR_CAP_HPT_MAXPAGESIZE]);
+
+if (!kvmppc_hpt_needs_host_contiguous_pages()) {
+return;
+}
+
+if (maxpagesize > pagesize) {
+error_setg(errp,
+   "Can't support %"HWADDR_PRIu" kiB guest pages with %"
+   HWADDR_PRIu" kiB host pages with this KVM implementation",
+   maxpagesize >> 10, pagesize >> 10);
+}
+}
+
 static void cap_hpt_maxpagesize_apply(sPAPRMachineState *spapr,
   uint8_t val, Error **errp)
 {
 if (val < 12) {
 error_setg(errp, "Require at least 4kiB hpt-max-page-size");
+return;
 } else if (val < 16) {
 warn_report("Many guests require at least 64kiB hpt-max-page-size");
 }
+
+spapr_check_pagesize(spapr, qemu_getrampagesize(), errp);
 }
 
 sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
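Review bot: the shift in spapr_check_pagesize(), 1ULL << spapr->eff.caps[SPAPR_CAP_HPT_MAXPAGESIZE], has no upper bound on the capability value. cap_hpt_maxpagesize_apply() rejects only val < 12, and val is a uint8_t, so a value of 64 or more reaches an undefined shift; reject such values in the apply hook before calling the check. Separately, the hook validates val while the helper reads spapr->eff.caps, which agree only if eff is already updated when apply runs; passing the shift in as a parameter would remove that dependency.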
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 4bc9dbff96..7e028164ba 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -806,4 +806,7 @@ void spapr_caps_cpu_apply(sPAPRMachineState *spapr, 
PowerPCCPU *cpu);
 void spapr_caps_add_properties(sPAPRMachineClass *smc, Error **errp);
 int spapr_caps_post_migration(sPAPRMachineState *spapr);
 
+void spapr_check_pagesize(sPAPRMachineState *spapr, hwaddr pagesize,
+  Error **errp);
+
 #endif /* HW_SPAPR_H */
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index 50b5d01432..9cfbd388ad 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -500,26 +500,12 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
 cpu->hash64_opts->flags &= ~PPC_HASH64_1TSEG;
 }
 }
-
-bool kvmppc_is_mem_backend_page_size_ok(const char *obj_path)
-{
-Object *mem_obj = object_resolve_path(obj_path, NULL);
-long pagesize = host_memory_backend_pagesize(MEMORY_BACKEND(mem_obj)

[Qemu-devel] [PULL 10/25] target/ppc: Add kvmppc_hpt_needs_host_contiguous_pages() helper

2018-06-22 Thread David Gibson
KVM HV has a restriction that for HPT mode guests, guest pages must be hpa
contiguous as well as gpa contiguous.  We have to account for that in
various places.  We determine whether we're subject to this restriction
from the SMMU information exposed by KVM.

Planned cleanups to the way we handle this will require knowing whether
this restriction is in play in wider parts of the code.  So, expose a
helper function which returns it.

This does mean some redundant calls to kvm_get_smmu_info(), but they'll go
away again with future cleanups.

Signed-off-by: David Gibson 
Reviewed-by: Greg Kurz 
Reviewed-by: Cédric Le Goater 
---
 target/ppc/kvm.c | 17 +++--
 target/ppc/kvm_ppc.h |  6 ++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index 5c0e313ca6..50b5d01432 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -406,9 +406,22 @@ target_ulong kvmppc_configure_v3_mmu(PowerPCCPU *cpu,
 }
 }
 
+bool kvmppc_hpt_needs_host_contiguous_pages(void)
+{
+PowerPCCPU *cpu = POWERPC_CPU(first_cpu);
+static struct kvm_ppc_smmu_info smmu_info;
+
+if (!kvm_enabled()) {
+return false;
+}
+
+kvm_get_smmu_info(cpu, &smmu_info);
+return !!(smmu_info.flags & KVM_PPC_PAGE_SIZES_REAL);
+}
+
 static bool kvm_valid_page_size(uint32_t flags, long rampgsize, uint32_t shift)
 {
-if (!(flags & KVM_PPC_PAGE_SIZES_REAL)) {
+if (!kvmppc_hpt_needs_host_contiguous_pages()) {
 return true;
 }
 
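Review bot: kvmppc_hpt_needs_host_contiguous_pages() evaluates POWERPC_CPU(first_cpu) before the kvm_enabled() test and declares smmu_info static, although nothing in the hunk needs the value to persist between calls. Move the cast below the early return, drop static, and document that the helper needs an instantiated CPU, since the commit message expects it to be called from wider parts of the code. In kvm_valid_page_size() the flags parameter is no longer read by this check; if nothing else in the function uses it, remove it from the signature.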
@@ -445,7 +458,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
 /* If we have HV KVM, we need to forbid CI large pages if our
  * host page size is smaller than 64K.
  */
-if (smmu_info.flags & KVM_PPC_PAGE_SIZES_REAL) {
+if (kvmppc_hpt_needs_host_contiguous_pages()) {
 if (getpagesize() >= 0x1) {
 cpu->hash64_opts->flags |= PPC_HASH64_CI_LARGEPAGE;
 } else {
diff --git a/target/ppc/kvm_ppc.h b/target/ppc/kvm_ppc.h
index e2840e1d33..a7ddb8a5d6 100644
--- a/target/ppc/kvm_ppc.h
+++ b/target/ppc/kvm_ppc.h
@@ -70,6 +70,7 @@ int kvmppc_resize_hpt_prepare(PowerPCCPU *cpu, target_ulong 
flags, int shift);
 int kvmppc_resize_hpt_commit(PowerPCCPU *cpu, target_ulong flags, int shift);
 bool kvmppc_pvr_workaround_required(PowerPCCPU *cpu);
 
+bool kvmppc_hpt_needs_host_contiguous_pages(void);
 bool kvmppc_is_mem_backend_page_size_ok(const char *obj_path);
 
 #else
@@ -222,6 +223,11 @@ static inline uint64_t kvmppc_rma_size(uint64_t 
current_size,
 return ram_size;
 }
 
+static inline bool kvmppc_hpt_needs_host_contiguous_pages(void)
+{
+return false;
+}
+
 static inline bool kvmppc_is_mem_backend_page_size_ok(const char *obj_path)
 {
 return true;
-- 
2.17.1




[Qemu-devel] [PULL 15/25] ppc4xx_i2c: Remove unimplemented sdata and intr registers

2018-06-22 Thread David Gibson
From: BALATON Zoltan 

We don't emulate slave mode so related registers are not needed.
[lh]sadr are only retained to avoid too many warnings and simplify
debugging but sdata is not even correct because the device has a 4 byte
FIFO instead, so just remove this unimplemented register for now.

The intr register is also not implemented correctly; it is for
diagnostics and normally not even visible on the device without explicitly
enabling it. As no guests are known to need this, remove it as well.

Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 hw/i2c/ppc4xx_i2c.c | 16 +---
 include/hw/i2c/ppc4xx_i2c.h |  4 +---
 2 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/hw/i2c/ppc4xx_i2c.c b/hw/i2c/ppc4xx_i2c.c
index d1936dbdca..4e0aaae1fc 100644
--- a/hw/i2c/ppc4xx_i2c.c
+++ b/hw/i2c/ppc4xx_i2c.c
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2007 Jocelyn Mayer
  * Copyright (c) 2012 François Revol
- * Copyright (c) 2016 BALATON Zoltan
+ * Copyright (c) 2016-2018 BALATON Zoltan
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to 
deal
@@ -63,7 +63,6 @@ static void ppc4xx_i2c_reset(DeviceState *s)
 i2c->mdcntl = 0;
 i2c->sts = 0;
 i2c->extsts = 0x8f;
-i2c->sdata = 0;
 i2c->lsadr = 0;
 i2c->hsadr = 0;
 i2c->clkdiv = 0;
@@ -71,7 +70,6 @@ static void ppc4xx_i2c_reset(DeviceState *s)
 i2c->xfrcnt = 0;
 i2c->xtcntlss = 0;
 i2c->directcntl = 0xf;
-i2c->intr = 0;
 }
 
 static inline bool ppc4xx_i2c_is_master(PPC4xxI2CState *i2c)
@@ -139,9 +137,6 @@ static uint64_t ppc4xx_i2c_readb(void *opaque, hwaddr addr, 
unsigned int size)
   TYPE_PPC4xx_I2C, __func__);
 }
 break;
-case 2:
-ret = i2c->sdata;
-break;
 case 4:
 ret = i2c->lmadr;
 break;
@@ -181,9 +176,6 @@ static uint64_t ppc4xx_i2c_readb(void *opaque, hwaddr addr, 
unsigned int size)
 case 16:
 ret = i2c->directcntl;
 break;
-case 17:
-ret = i2c->intr;
-break;
 default:
 if (addr < PPC4xx_I2C_MEM_SIZE) {
 qemu_log_mask(LOG_UNIMP, "%s: Unimplemented register 0x%"
@@ -229,9 +221,6 @@ static void ppc4xx_i2c_writeb(void *opaque, hwaddr addr, 
uint64_t value,
 }
 }
 break;
-case 2:
-i2c->sdata = value;
-break;
 case 4:
 i2c->lmadr = value;
 if (i2c_bus_busy(i2c->bus)) {
@@ -302,9 +291,6 @@ static void ppc4xx_i2c_writeb(void *opaque, hwaddr addr, 
uint64_t value,
 case 16:
 i2c->directcntl = value & 0x7;
 break;
-case 17:
-i2c->intr = value;
-break;
 default:
 if (addr < PPC4xx_I2C_MEM_SIZE) {
 qemu_log_mask(LOG_UNIMP, "%s: Unimplemented register 0x%"
diff --git a/include/hw/i2c/ppc4xx_i2c.h b/include/hw/i2c/ppc4xx_i2c.h
index 3c603071bd..e4b6ded855 100644
--- a/include/hw/i2c/ppc4xx_i2c.h
+++ b/include/hw/i2c/ppc4xx_i2c.h
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2007 Jocelyn Mayer
  * Copyright (c) 2012 François Revol
- * Copyright (c) 2016 BALATON Zoltan
+ * Copyright (c) 2016-2018 BALATON Zoltan
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to 
deal
@@ -49,7 +49,6 @@ typedef struct PPC4xxI2CState {
 uint8_t mdcntl;
 uint8_t sts;
 uint8_t extsts;
-uint8_t sdata;
 uint8_t lsadr;
 uint8_t hsadr;
 uint8_t clkdiv;
@@ -57,7 +56,6 @@ typedef struct PPC4xxI2CState {
 uint8_t xfrcnt;
 uint8_t xtcntlss;
 uint8_t directcntl;
-uint8_t intr;
 } PPC4xxI2CState;
 
 #endif /* PPC4XX_I2C_H */
-- 
2.17.1




[Qemu-devel] [PULL 24/25] mac_dbdma: only dump commands for debug enabled channels

2018-06-22 Thread David Gibson
From: Mark Cave-Ayland 

This enables us to apply the same filter in DEBUG_DBDMA_CHANMASK to the
DBDMA command execution debug output.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/misc/macio/mac_dbdma.c | 21 +++--
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c
index 1b2a69b3ef..87ae246d37 100644
--- a/hw/misc/macio/mac_dbdma.c
+++ b/hw/misc/macio/mac_dbdma.c
@@ -71,18 +71,19 @@ static DBDMAState *dbdma_from_ch(DBDMA_channel *ch)
 }
 
 #if DEBUG_DBDMA
-static void dump_dbdma_cmd(dbdma_cmd *cmd)
+static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
 {
-printf("dbdma_cmd %p\n", cmd);
-printf("req_count 0x%04x\n", le16_to_cpu(cmd->req_count));
-printf("command 0x%04x\n", le16_to_cpu(cmd->command));
-printf("phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
-printf("cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
-printf("res_count 0x%04x\n", le16_to_cpu(cmd->res_count));
-printf("xfer_status 0x%04x\n", le16_to_cpu(cmd->xfer_status));
+DBDMA_DPRINTFCH(ch, "dbdma_cmd %p\n", cmd);
+DBDMA_DPRINTFCH(ch, "req_count 0x%04x\n", le16_to_cpu(cmd->req_count));
+DBDMA_DPRINTFCH(ch, "command 0x%04x\n", le16_to_cpu(cmd->command));
+DBDMA_DPRINTFCH(ch, "phy_addr 0x%08x\n", le32_to_cpu(cmd->phy_addr));
+DBDMA_DPRINTFCH(ch, "cmd_dep 0x%08x\n", le32_to_cpu(cmd->cmd_dep));
+DBDMA_DPRINTFCH(ch, "res_count 0x%04x\n", le16_to_cpu(cmd->res_count));
+DBDMA_DPRINTFCH(ch, "xfer_status 0x%04x\n",
+le16_to_cpu(cmd->xfer_status));
 }
 #else
-static void dump_dbdma_cmd(dbdma_cmd *cmd)
+static void dump_dbdma_cmd(DBDMA_channel *ch, dbdma_cmd *cmd)
 {
 }
 #endif
@@ -448,7 +449,7 @@ static void channel_run(DBDMA_channel *ch)
 uint32_t phy_addr;
 
 DBDMA_DPRINTFCH(ch, "channel_run\n");
-dump_dbdma_cmd(current);
+dump_dbdma_cmd(ch, current);
 
 /* clear WAKE flag at command fetch */
 
-- 
2.17.1




[Qemu-devel] [PULL 16/25] ppc4xx_i2c: Implement directcntl register

2018-06-22 Thread David Gibson
From: BALATON Zoltan 

As well as being able to generate its own i2c transactions, the ppc4xx
i2c controller has a DIRECTCNTL register which allows explicit control
of the i2c lines.

Using this register an OS can directly bitbang i2c operations. In
order to let emulated i2c devices respond to this, we need to wire up
the DIRECTCNTL register to qemu's bitbanged i2c handling code.

Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 default-configs/ppc-softmmu.mak|  1 +
 default-configs/ppcemb-softmmu.mak |  1 +
 hw/i2c/ppc4xx_i2c.c| 14 +-
 include/hw/i2c/ppc4xx_i2c.h|  4 
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index abeeb0418a..851b4afc21 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -26,6 +26,7 @@ CONFIG_USB_EHCI_SYSBUS=y
 CONFIG_SM501=y
 CONFIG_IDE_SII3112=y
 CONFIG_I2C=y
+CONFIG_BITBANG_I2C=y
 
 # For Macs
 CONFIG_MAC=y
diff --git a/default-configs/ppcemb-softmmu.mak 
b/default-configs/ppcemb-softmmu.mak
index 67d18b2e0e..37af1930b3 100644
--- a/default-configs/ppcemb-softmmu.mak
+++ b/default-configs/ppcemb-softmmu.mak
@@ -19,3 +19,4 @@ CONFIG_USB_EHCI_SYSBUS=y
 CONFIG_SM501=y
 CONFIG_IDE_SII3112=y
 CONFIG_I2C=y
+CONFIG_BITBANG_I2C=y
diff --git a/hw/i2c/ppc4xx_i2c.c b/hw/i2c/ppc4xx_i2c.c
index 4e0aaae1fc..fca80d695a 100644
--- a/hw/i2c/ppc4xx_i2c.c
+++ b/hw/i2c/ppc4xx_i2c.c
@@ -30,6 +30,7 @@
 #include "cpu.h"
 #include "hw/hw.h"
 #include "hw/i2c/ppc4xx_i2c.h"
+#include "bitbang_i2c.h"
 
 #define PPC4xx_I2C_MEM_SIZE 18
 
@@ -46,6 +47,11 @@
 
 #define IIC_XTCNTLSS_SRST   (1 << 0)
 
+#define IIC_DIRECTCNTL_SDAC (1 << 3)
+#define IIC_DIRECTCNTL_SCLC (1 << 2)
+#define IIC_DIRECTCNTL_MSDA (1 << 1)
+#define IIC_DIRECTCNTL_MSCL (1 << 0)
+
 static void ppc4xx_i2c_reset(DeviceState *s)
 {
 PPC4xxI2CState *i2c = PPC4xx_I2C(s);
@@ -289,7 +295,12 @@ static void ppc4xx_i2c_writeb(void *opaque, hwaddr addr, 
uint64_t value,
 i2c->xtcntlss = value;
 break;
 case 16:
-i2c->directcntl = value & 0x7;
+i2c->directcntl = value & (IIC_DIRECTCNTL_SDAC & IIC_DIRECTCNTL_SCLC);
+i2c->directcntl |= (value & IIC_DIRECTCNTL_SCLC ? 1 : 0);
+bitbang_i2c_set(i2c->bitbang, BITBANG_I2C_SCL,
+i2c->directcntl & IIC_DIRECTCNTL_MSCL);
+i2c->directcntl |= bitbang_i2c_set(i2c->bitbang, BITBANG_I2C_SDA,
+   (value & IIC_DIRECTCNTL_SDAC) != 0) << 1;
 break;
 default:
 if (addr < PPC4xx_I2C_MEM_SIZE) {
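Review bot: the mask on the first added line of case 16 is built with & instead of |. IIC_DIRECTCNTL_SDAC is (1 << 3) and IIC_DIRECTCNTL_SCLC is (1 << 2), so their AND is 0 and the SDAC and SCLC bits written by the guest are never kept in i2c->directcntl; a later read of the register will not return them. Use (IIC_DIRECTCNTL_SDAC | IIC_DIRECTCNTL_SCLC). The following lines also use the literals 1 and << 1 for the MSCL and MSDA bits, where the new IIC_DIRECTCNTL_MSCL and IIC_DIRECTCNTL_MSDA defines would read better.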
@@ -322,6 +333,7 @@ static void ppc4xx_i2c_init(Object *o)
 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem);
 sysbus_init_irq(SYS_BUS_DEVICE(s), &s->irq);
 s->bus = i2c_init_bus(DEVICE(s), "i2c");
+s->bitbang = bitbang_i2c_init(s->bus);
 }
 
 static void ppc4xx_i2c_class_init(ObjectClass *klass, void *data)
diff --git a/include/hw/i2c/ppc4xx_i2c.h b/include/hw/i2c/ppc4xx_i2c.h
index e4b6ded855..ea6c8e1a58 100644
--- a/include/hw/i2c/ppc4xx_i2c.h
+++ b/include/hw/i2c/ppc4xx_i2c.h
@@ -31,6 +31,9 @@
 #include "hw/sysbus.h"
 #include "hw/i2c/i2c.h"
 
+/* from hw/i2c/bitbang_i2c.h */
+typedef struct bitbang_i2c_interface bitbang_i2c_interface;
+
 #define TYPE_PPC4xx_I2C "ppc4xx-i2c"
 #define PPC4xx_I2C(obj) OBJECT_CHECK(PPC4xxI2CState, (obj), TYPE_PPC4xx_I2C)
 
@@ -42,6 +45,7 @@ typedef struct PPC4xxI2CState {
 I2CBus *bus;
 qemu_irq irq;
 MemoryRegion iomem;
+bitbang_i2c_interface *bitbang;
 uint8_t mdata;
 uint8_t lmadr;
 uint8_t hmadr;
-- 
2.17.1




[Qemu-devel] [PULL 05/25] ppc/pnv: introduce Pnv8Chip and Pnv9Chip models

2018-06-22 Thread David Gibson
From: Cédric Le Goater 

It introduces a base PnvChip class from which the specific processor
chip classes, Pnv8Chip and Pnv9Chip, inherit. Each of them needs to
define an init and a realize routine which will create the controllers
of the target processor. For the moment, the base PnvChip class
handles the XSCOM bus and the cores.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/pnv.c | 281 +++
 include/hw/ppc/pnv.h |  24 +++-
 2 files changed, 202 insertions(+), 103 deletions(-)

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index ac828d1331..a29ea996b4 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -531,12 +531,14 @@ static void pnv_reset(void)
 
 static ISABus *pnv_chip_power8_isa_create(PnvChip *chip, Error **errp)
 {
-return pnv_lpc_isa_create(&chip->lpc, true, errp);
+Pnv8Chip *chip8 = PNV8_CHIP(chip);
+return pnv_lpc_isa_create(&chip8->lpc, true, errp);
 }
 
 static ISABus *pnv_chip_power8nvl_isa_create(PnvChip *chip, Error **errp)
 {
-return pnv_lpc_isa_create(&chip->lpc, false, errp);
+Pnv8Chip *chip8 = PNV8_CHIP(chip);
+return pnv_lpc_isa_create(&chip8->lpc, false, errp);
 }
 
 static ISABus *pnv_chip_power9_isa_create(PnvChip *chip, Error **errp)
@@ -725,6 +727,103 @@ static Object *pnv_chip_power9_intc_create(PnvChip *chip, 
Object *child,
  */
 #define POWER9_CORE_MASK   (0xffull)
 
+static void pnv_chip_power8_instance_init(Object *obj)
+{
+Pnv8Chip *chip8 = PNV8_CHIP(obj);
+
+object_initialize(&chip8->psi, sizeof(chip8->psi), TYPE_PNV_PSI);
+object_property_add_child(obj, "psi", OBJECT(&chip8->psi), NULL);
+object_property_add_const_link(OBJECT(&chip8->psi), "xics",
+   OBJECT(qdev_get_machine()), &error_abort);
+
+object_initialize(&chip8->lpc, sizeof(chip8->lpc), TYPE_PNV_LPC);
+object_property_add_child(obj, "lpc", OBJECT(&chip8->lpc), NULL);
+object_property_add_const_link(OBJECT(&chip8->lpc), "psi",
+   OBJECT(&chip8->psi), &error_abort);
+
+object_initialize(&chip8->occ, sizeof(chip8->occ), TYPE_PNV_OCC);
+object_property_add_child(obj, "occ", OBJECT(&chip8->occ), NULL);
+object_property_add_const_link(OBJECT(&chip8->occ), "psi",
+   OBJECT(&chip8->psi), &error_abort);
+}
+
+static void pnv_chip_icp_realize(Pnv8Chip *chip8, Error **errp)
+ {
+PnvChip *chip = PNV_CHIP(chip8);
+PnvChipClass *pcc = PNV_CHIP_GET_CLASS(chip);
+const char *typename = pnv_chip_core_typename(chip);
+size_t typesize = object_type_get_instance_size(typename);
+int i, j;
+char *name;
+XICSFabric *xi = XICS_FABRIC(qdev_get_machine());
+
+name = g_strdup_printf("icp-%x", chip->chip_id);
+memory_region_init(&chip8->icp_mmio, OBJECT(chip), name, PNV_ICP_SIZE);
+sysbus_init_mmio(SYS_BUS_DEVICE(chip), &chip8->icp_mmio);
+g_free(name);
+
+sysbus_mmio_map(SYS_BUS_DEVICE(chip), 1, PNV_ICP_BASE(chip));
+
+/* Map the ICP registers for each thread */
+for (i = 0; i < chip->nr_cores; i++) {
+PnvCore *pnv_core = PNV_CORE(chip->cores + i * typesize);
+int core_hwid = CPU_CORE(pnv_core)->core_id;
+
+for (j = 0; j < CPU_CORE(pnv_core)->nr_threads; j++) {
+uint32_t pir = pcc->core_pir(chip, core_hwid) + j;
+PnvICPState *icp = PNV_ICP(xics_icp_get(xi, pir));
+
+memory_region_add_subregion(&chip8->icp_mmio, pir << 12,
+&icp->mmio);
+}
+}
+}
+
+static void pnv_chip_power8_realize(DeviceState *dev, Error **errp)
+{
+PnvChipClass *pcc = PNV_CHIP_GET_CLASS(dev);
+PnvChip *chip = PNV_CHIP(dev);
+Pnv8Chip *chip8 = PNV8_CHIP(dev);
+Error *local_err = NULL;
+
+pcc->parent_realize(dev, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+/* Processor Service Interface (PSI) Host Bridge */
+object_property_set_int(OBJECT(&chip8->psi), PNV_PSIHB_BASE(chip),
+"bar", &error_fatal);
+object_property_set_bool(OBJECT(&chip8->psi), true, "realized", 
&local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+pnv_xscom_add_subregion(chip, PNV_XSCOM_PSIHB_BASE, 
&chip8->psi.xscom_regs);
+
+/* Create LPC controller */
+object_property_set_bool(OBJECT(&chip8->lpc), true, "realized",
+ &error_fatal);
+pnv_xscom_add_subregion(chip, PNV_XSCOM_LPC_BASE, &chip8->lpc.xscom_regs);
+
+/* Interrupt Management Area. This is the memory region holding
+ * all the Interrupt Control Presenter (ICP) registers */
+pnv_chip_icp_realize(chip8, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+/* Create the simplified OCC model */
+object_property_set_bool(OBJECT(&chip8->occ), true, "realized", 
&lo
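Review bot: `pnv_chip_power8_realize()` mixes two error-handling styles: the PSI "bar" property and the LPC "realized" property are set with `&error_fatal`, while the PSI realize call in the same function goes through `local_err` and `error_propagate(errp, ...)`. Since this is a realize routine that receives `errp`, the "bar" and LPC failures should be propagated the same way instead of exiting. Related: `pnv_chip_icp_realize()` takes `Error **errp` but never sets it in the visible body, so the `if (local_err)` check after the call cannot fire; either drop the parameter or report failures through it. The opening brace of that function is also indented by one extra space (`+ {`).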

[Qemu-devel] [PATCH] hw/arm/virt: fix psci conduit in acpi when el3 enabled

2018-06-22 Thread Hongbo Zhang
When QEMU_PSCI_CONDUIT_DISABLED is set, it doesn't mean all the PSCI
conduits are totally disabled, it only means the QEMU built-in PSCI
support is disabled, in such a case, e.g. EL3 is enabled and external
firmware (it is usually Arm Trusted Firmware) is loaded, SMC should be
used for the guest to trigger PSCI functions.

Signed-off-by: Hongbo Zhang 
---
 hw/arm/virt-acpi-build.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 74f5744..e5b4947 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -715,7 +715,11 @@ static void build_fadt_rev5(GArray *table_data, BIOSLinker 
*linker,
 
 switch (vms->psci_conduit) {
 case QEMU_PSCI_CONDUIT_DISABLED:
-fadt.arm_boot_arch = 0;
+/* This case means QEMU's internal EL3 implementation is disabled,
+ * but when firmware is loaded, the guest can still use SMC as PSCI
+ * conduit to call external firmware PSCI services
+ */ 
+fadt.arm_boot_arch = ACPI_FADT_ARM_PSCI_COMPLIANT;
 break;
 case QEMU_PSCI_CONDUIT_HVC:
 fadt.arm_boot_arch = ACPI_FADT_ARM_PSCI_COMPLIANT |
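Review bot: The `QEMU_PSCI_CONDUIT_DISABLED` case now sets `ACPI_FADT_ARM_PSCI_COMPLIANT` unconditionally, but the new comment says the guest can use SMC "when firmware is loaded"; nothing in this hunk checks that EL3 is enabled or that firmware is present, so a guest with neither would still be told PSCI is available. Either gate the flag on the condition the comment describes or state in the comment why DISABLED always implies external firmware. Style: the closing `*/` line carries trailing whitespace.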
-- 
2.7.4




[Qemu-devel] [PULL 25/25] mac_newworld: always enable disable_direct_reg3_writes for ADB machines

2018-06-22 Thread David Gibson
From: Mark Cave-Ayland 

Commit 84051eb400 "adb: add property to disable direct reg 3 writes" added a
workaround for MacOS 9 incorrectly setting the mouse address during boot of
PMU machines.

Further testing has shown that since fb6649f172 "adb: fix read reg 3 byte
ordering" this can still sometimes happen with the CUDA mac99 machine,
so let's enable this workaround for all New World machines using ADB for now.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/ppc/mac_newworld.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index ff715d..2b13fcdde5 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -407,11 +407,11 @@ static void ppc_core99_init(MachineState *machine)
 
 adb_bus = qdev_get_child_bus(dev, "adb.0");
 dev = qdev_create(adb_bus, TYPE_ADB_KEYBOARD);
-qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
+qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
 qdev_init_nofail(dev);
 
 dev = qdev_create(adb_bus, TYPE_ADB_MOUSE);
-qdev_prop_set_bit(dev, "disable-direct-reg3-writes", has_pmu);
+qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true);
 qdev_init_nofail(dev);
 }
 
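Review bot: Both `qdev_prop_set_bit(dev, "disable-direct-reg3-writes", true)` calls in `ppc_core99_init()` hard-code the workaround without a comment, while the commit message describes it as enabled "for now". A short comment at the call sites naming the MacOS 9 mouse-address problem would tell a later reader when the literal can go back to a per-machine condition. Please also check that `has_pmu` still has other users in this function after the change, so it does not become an unused variable.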
-- 
2.17.1




[Qemu-devel] [PULL 19/25] spapr: Maximum (HPT) pagesize property

2018-06-22 Thread David Gibson
The way the POWER Hash Page Table (HPT) MMU is virtualized by KVM HV means
that every page that the guest puts in the pagetables must be truly
physically contiguous, not just GPA-contiguous.  In effect this means that
an HPT guest can't use any pagesizes greater than the host page size used
to back its memory.

At present we handle this by changing what we advertise to the guest based
on the backing pagesizes.  This is pretty bad, because it means the guest
sees a different environment depending on what should be host configuration
details.

As a start on fixing this, we add a new capability parameter to the
pseries machine type which gives the maximum allowed pagesizes for an
HPT guest.  For now we just create and validate the parameter without
making it do anything.

For backwards compatibility, on older machine types we set it to the max
available page size for the host.  For the 3.0 machine type, we fix it to
16, the intention being to only allow HPT pagesizes up to 64kiB by default
in future.

Signed-off-by: David Gibson 
Reviewed-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
---
 hw/ppc/spapr.c | 12 +
 hw/ppc/spapr_caps.c| 56 ++
 include/hw/ppc/spapr.h |  4 ++-
 3 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 78186500e9..70b150b098 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -63,6 +63,7 @@
 #include "hw/virtio/vhost-scsi-common.h"
 
 #include "exec/address-spaces.h"
+#include "exec/ram_addr.h"
 #include "hw/usb.h"
 #include "qemu/config-file.h"
 #include "qemu/error-report.h"
@@ -4015,6 +4016,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 smc->default_caps.caps[SPAPR_CAP_CFPC] = SPAPR_CAP_BROKEN;
 smc->default_caps.caps[SPAPR_CAP_SBBC] = SPAPR_CAP_BROKEN;
 smc->default_caps.caps[SPAPR_CAP_IBS] = SPAPR_CAP_BROKEN;
+smc->default_caps.caps[SPAPR_CAP_HPT_MAXPAGESIZE] = 16; /* 64kiB */
 spapr_caps_add_properties(smc, &error_abort);
 }
 
@@ -4103,8 +4105,18 @@ static void 
spapr_machine_2_12_instance_options(MachineState *machine)
 
 static void spapr_machine_2_12_class_options(MachineClass *mc)
 {
+sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
+uint8_t mps;
+
 spapr_machine_3_0_class_options(mc);
 SET_MACHINE_COMPAT(mc, SPAPR_COMPAT_2_12);
+
+if (kvmppc_hpt_needs_host_contiguous_pages()) {
+mps = ctz64(qemu_getrampagesize());
+} else {
+mps = 34; /* allow everything up to 16GiB, i.e. everything */
+}
+smc->default_caps.caps[SPAPR_CAP_HPT_MAXPAGESIZE] = mps;
 }
 
 DEFINE_SPAPR_MACHINE(2_12, "2.12", false);
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 68a4243efc..6cdc0c94e7 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -27,6 +27,7 @@
 #include "qapi/visitor.h"
 #include "sysemu/hw_accel.h"
 #include "target/ppc/cpu.h"
+#include "target/ppc/mmu-hash64.h"
 #include "cpu-models.h"
 #include "kvm_ppc.h"
 
@@ -144,6 +145,42 @@ out:
 g_free(val);
 }
 
+static void spapr_cap_get_pagesize(Object *obj, Visitor *v, const char *name,
+   void *opaque, Error **errp)
+{
+sPAPRCapabilityInfo *cap = opaque;
+sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+uint8_t val = spapr_get_cap(spapr, cap->index);
+uint64_t pagesize = (1ULL << val);
+
+visit_type_size(v, name, &pagesize, errp);
+}
+
+static void spapr_cap_set_pagesize(Object *obj, Visitor *v, const char *name,
+   void *opaque, Error **errp)
+{
+sPAPRCapabilityInfo *cap = opaque;
+sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+uint64_t pagesize;
+uint8_t val;
+Error *local_err = NULL;
+
+visit_type_size(v, name, &pagesize, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+if (!is_power_of_2(pagesize)) {
+error_setg(errp, "cap-%s must be a power of 2", cap->name);
+return;
+}
+
+val = ctz64(pagesize);
+spapr->cmd_line_caps[cap->index] = true;
+spapr->eff.caps[cap->index] = val;
+}
+
 static void cap_htm_apply(sPAPRMachineState *spapr, uint8_t val, Error **errp)
 {
 if (!val) {
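Review bot: In `spapr_cap_get_pagesize()` the expression `1ULL << val` is undefined for `val >= 64`, and `val` is read back from the capability as a `uint8_t` with no bound checked in this hunk. The setter only produces values up to 63 through `ctz64()`, but the getter does not rely on having been preceded by the setter; an `assert(val < 64)` in the getter, or a range check in the apply hook, would make the invariant explicit.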
@@ -267,6 +304,16 @@ static void 
cap_safe_indirect_branch_apply(sPAPRMachineState *spapr,
 
 #define VALUE_DESC_TRISTATE " (broken, workaround, fixed)"
 
+static void cap_hpt_maxpagesize_apply(sPAPRMachineState *spapr,
+  uint8_t val, Error **errp)
+{
+if (val < 12) {
+error_setg(errp, "Require at least 4kiB hpt-max-page-size");
+} else if (val < 16) {
+warn_report("Many guests require at least 64kiB hpt-max-page-size");
+}
+}
+
 sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 [SPAPR_CAP_HTM] = {
 .name = "htm",
@@ -326,6 +373,15 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 .possible = &cap_ibs_possible,
 .apply = cap_safe_ind

[Qemu-devel] [PULL 22/25] spapr: Limit available pagesizes to provide a consistent guest environment

2018-06-22 Thread David Gibson
KVM HV has some limitations (deriving from the hardware) that mean not all
host-cpu supported pagesizes may be usable in the guest.  At present this
means that KVM guests and TCG guests may see different available page sizes
even if they notionally have the same vcpu model.  This is confusing and
also prevents migration between TCG and KVM.

This patch makes the environment consistent by always allowing the same set
of pagesizes.  Since we can't remove the KVM limitations, we do this by
always applying the same limitations it has, even to TCG guests.

Signed-off-by: David Gibson 
Reviewed-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
---
 hw/ppc/spapr_caps.c | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 722b213d9a..62663ebdf5 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -335,6 +335,39 @@ static void cap_hpt_maxpagesize_apply(sPAPRMachineState 
*spapr,
 spapr_check_pagesize(spapr, qemu_getrampagesize(), errp);
 }
 
+static bool spapr_pagesize_cb(void *opaque, uint32_t seg_pshift,
+  uint32_t pshift)
+{
+unsigned maxshift = *((unsigned *)opaque);
+
+assert(pshift >= seg_pshift);
+
+/* Don't allow the guest to use pages bigger than the configured
+ * maximum size */
+if (pshift > maxshift) {
+return false;
+}
+
+/* For whatever reason, KVM doesn't allow multiple pagesizes
+ * within a segment, *except* for the case of 16M pages in a 4k or
+ * 64k segment.  Always exclude other cases, so that TCG and KVM
+ * guests see a consistent environment */
+if ((pshift != seg_pshift) && (pshift != 24)) {
+return false;
+}
+
+return true;
+}
+
+static void cap_hpt_maxpagesize_cpu_apply(sPAPRMachineState *spapr,
+  PowerPCCPU *cpu,
+  uint8_t val, Error **errp)
+{
+unsigned maxshift = val;
+
+ppc_hash64_filter_pagesizes(cpu, spapr_pagesize_cb, &maxshift);
+}
+
 sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 [SPAPR_CAP_HTM] = {
 .name = "htm",
@@ -402,6 +435,7 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 .set = spapr_cap_set_pagesize,
 .type = "int",
 .apply = cap_hpt_maxpagesize_apply,
+.cpu_apply = cap_hpt_maxpagesize_cpu_apply,
 },
 };
 
-- 
2.17.1




Re: [Qemu-devel] [PATCH v3 13/19] linux-user: Split out close, open, openat, read, write

2018-06-22 Thread Peter Maydell
On 12 June 2018 at 01:51, Richard Henderson
 wrote:
> Signed-off-by: Richard Henderson 
> ---
>  linux-user/syscall.h   |  51 
>  linux-user/strace.c|  35 ---
>  linux-user/syscall.c   | 402 +--
>  linux-user/syscall_file.c  | 423 +
>  linux-user/Makefile.objs   |   3 +-
>  linux-user/gen_syscall_list.py |   5 +
>  linux-user/strace.list |  15 --
>  7 files changed, 484 insertions(+), 450 deletions(-)
>  create mode 100644 linux-user/syscall_file.c

Reviewed-by: Peter Maydell 

> +SYSCALL_IMPL(close)
> +{
> +fd_trans_unregister(arg1);
> +return get_errno(close(arg1));
> +}
> +SYSCALL_DEF(close, ARG_DEC);

If in future we wanted to extend the set of information
we had for each syscall in the SyscallDef struct, I guess
we'd add parameters to the SYSCALL_DEF macro (or have
more variant macros)? I can't offhand think of something I'd
want to use that for, so it's a bit of an abstract question
for the moment.

thanks
-- PMM



[Qemu-devel] [PULL 23/25] spapr: Don't rewrite mmu capabilities in KVM mode

2018-06-22 Thread David Gibson
Currently during KVM initialization on POWER, kvm_fixup_page_sizes()
rewrites a bunch of information in the cpu state to reflect the
capabilities of the host MMU and KVM.  This overwrites the information
that's already there reflecting how the TCG implementation of the MMU will
operate.

This means that we can get guest-visibly different behaviour between KVM
and TCG (and between different KVM implementations).  That's bad.  It also
prevents migration between KVM and TCG.

The pseries machine type now has filtering of the pagesizes it allows the
guest to use which means it can present a consistent model of the MMU
across all accelerators.

So, we can now replace kvm_fixup_page_sizes() with kvm_check_mmu() which
merely verifies that the expected cpu model can be faithfully handled by
KVM, rather than updating the cpu model to match KVM.

We call kvm_check_mmu() from the spapr cpu reset code.  This is a hack:
conceptually it makes more sense where fixup_page_sizes() was - in the KVM
cpu init path.  However, doing that would require moving the platform's
pagesize filtering much earlier, which would require a lot of work making
further adjustments.  There wouldn't be a lot of concrete point to doing
that, since the only KVM implementation which has the awkward MMU
restrictions is KVM HV, which can only work with an spapr guest anyway.

Signed-off-by: David Gibson 
Reviewed-by: Cédric Le Goater 
---
 hw/ppc/spapr_cpu_core.c |   2 +
 target/ppc/kvm.c| 133 
 target/ppc/kvm_ppc.h|   5 ++
 3 files changed, 72 insertions(+), 68 deletions(-)

diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index bfb94f650c..993759db47 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -78,6 +78,8 @@ static void spapr_cpu_reset(void *opaque)
 spapr_cpu->dtl_size = 0;
 
 spapr_caps_cpu_apply(SPAPR_MACHINE(qdev_get_machine()), cpu);
+
+kvm_check_mmu(cpu, &error_fatal);
 }
 
 void spapr_cpu_set_entry_state(PowerPCCPU *cpu, target_ulong nip, target_ulong 
r3)
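Review bot: The `kvm_check_mmu(cpu, &error_fatal)` call added to `spapr_cpu_reset()` has no comment, although the commit message itself calls this placement a hack and says the check conceptually belongs in the KVM cpu init path. Please carry that explanation into a code comment here, and note there that with `&error_fatal` a failed check terminates QEMU from the reset handler rather than being reported to a caller.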
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index 9cfbd388ad..4df4ff6cbf 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -419,93 +419,93 @@ bool kvmppc_hpt_needs_host_contiguous_pages(void)
 return !!(smmu_info.flags & KVM_PPC_PAGE_SIZES_REAL);
 }
 
-static bool kvm_valid_page_size(uint32_t flags, long rampgsize, uint32_t shift)
+void kvm_check_mmu(PowerPCCPU *cpu, Error **errp)
 {
-if (!kvmppc_hpt_needs_host_contiguous_pages()) {
-return true;
-}
-
-return (1ul << shift) <= rampgsize;
-}
-
-static long max_cpu_page_size;
-
-static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
-{
-static struct kvm_ppc_smmu_info smmu_info;
-static bool has_smmu_info;
-CPUPPCState *env = &cpu->env;
+struct kvm_ppc_smmu_info smmu_info;
 int iq, ik, jq, jk;
 
-/* We only handle page sizes for 64-bit server guests for now */
-if (!(env->mmu_model & POWERPC_MMU_64)) {
+/* For now, we only have anything to check on hash64 MMUs */
+if (!cpu->hash64_opts || !kvm_enabled()) {
 return;
 }
 
-/* Collect MMU info from kernel if not already */
-if (!has_smmu_info) {
-kvm_get_smmu_info(cpu, &smmu_info);
-has_smmu_info = true;
-}
+kvm_get_smmu_info(cpu, &smmu_info);
 
-if (!max_cpu_page_size) {
-max_cpu_page_size = qemu_getrampagesize();
+if (ppc_hash64_has(cpu, PPC_HASH64_1TSEG)
+&& !(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
+error_setg(errp,
+   "KVM does not support 1TiB segments which guest expects");
+return;
 }
 
-/* Convert to QEMU form */
-memset(cpu->hash64_opts->sps, 0, sizeof(*cpu->hash64_opts->sps));
-
-/* If we have HV KVM, we need to forbid CI large pages if our
- * host page size is smaller than 64K.
- */
-if (kvmppc_hpt_needs_host_contiguous_pages()) {
-if (getpagesize() >= 0x1) {
-cpu->hash64_opts->flags |= PPC_HASH64_CI_LARGEPAGE;
-} else {
-cpu->hash64_opts->flags &= ~PPC_HASH64_CI_LARGEPAGE;
-}
+if (smmu_info.slb_size < cpu->hash64_opts->slb_size) {
+error_setg(errp, "KVM only supports %u SLB entries, but guest needs 
%u",
+   smmu_info.slb_size, cpu->hash64_opts->slb_size);
+return;
 }
 
 /*
- * XXX This loop should be an entry wide AND of the capabilities that
- * the selected CPU has with the capabilities that KVM supports.
+ * Verify that every pagesize supported by the cpu model is
+ * supported by KVM with the same encodings
  */
-for (ik = iq = 0; ik < KVM_PPC_PAGE_SIZES_MAX_SZ; ik++) {
+for (iq = 0; iq < ARRAY_SIZE(cpu->hash64_opts->sps); iq++) {
 PPCHash64SegmentPageSizes *qsps = &cpu->hash64_opts->sps[iq];
-struct kvm_ppc_one_seg_page_size *ksps = &smmu_info.sps[ik];
+struct kvm_ppc_one_seg_page_size *ksps;
 
-if (!kvm_valid_page_size(sm

[Qemu-devel] [PULL 21/25] target/ppc: Add ppc_hash64_filter_pagesizes()

2018-06-22 Thread David Gibson
The paravirtualized PAPR platform sometimes needs to restrict the guest to
using only some of the page sizes actually supported by the host's MMU.
At the moment this is handled in KVM specific code, but for consistency we
want to apply the same limitations to all accelerators.

This makes a start on this by providing a helper function in the cpu code
to allow platform code to remove some of the cpu's page size definitions
via a caller supplied callback.

Signed-off-by: David Gibson 
Reviewed-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
---
 target/ppc/mmu-hash64.c | 59 +
 target/ppc/mmu-hash64.h |  3 +++
 2 files changed, 62 insertions(+)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index aa200cba4c..276d9015e7 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -1166,3 +1166,62 @@ const PPCHash64Options ppc_hash64_opts_POWER7 = {
 },
 }
 };
+
+void ppc_hash64_filter_pagesizes(PowerPCCPU *cpu,
+ bool (*cb)(void *, uint32_t, uint32_t),
+ void *opaque)
+{
+PPCHash64Options *opts = cpu->hash64_opts;
+int i;
+int n = 0;
+bool ci_largepage = false;
+
+assert(opts);
+
+n = 0;
+for (i = 0; i < ARRAY_SIZE(opts->sps); i++) {
+PPCHash64SegmentPageSizes *sps = &opts->sps[i];
+int j;
+int m = 0;
+
+assert(n <= i);
+
+if (!sps->page_shift) {
+break;
+}
+
+for (j = 0; j < ARRAY_SIZE(sps->enc); j++) {
+PPCHash64PageSize *ps = &sps->enc[j];
+
+assert(m <= j);
+if (!ps->page_shift) {
+break;
+}
+
+if (cb(opaque, sps->page_shift, ps->page_shift)) {
+if (ps->page_shift >= 16) {
+ci_largepage = true;
+}
+sps->enc[m++] = *ps;
+}
+}
+
+/* Clear rest of the row */
+for (j = m; j < ARRAY_SIZE(sps->enc); j++) {
+memset(&sps->enc[j], 0, sizeof(sps->enc[j]));
+}
+
+if (m) {
+n++;
+}
+}
+
+/* Clear the rest of the table */
+for (i = n; i < ARRAY_SIZE(opts->sps); i++) {
+memset(&opts->sps[i], 0, sizeof(opts->sps[i]));
+}
+
+if (!ci_largepage) {
+opts->flags &= ~PPC_HASH64_CI_LARGEPAGE;
+}
+}
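Review bot: `ppc_hash64_filter_pagesizes()` counts surviving rows in `n` but never moves them: a row with `m > 0` stays at `opts->sps[i]` and only `n++` runs. If the callback empties an earlier row while a later one survives, the final `for (i = n; ...)` memset clears a surviving row, and the emptied row (its `page_shift` still set, its encodings zeroed) stays in the table. Either copy the row down when `m` is non-zero (`opts->sps[n++] = *sps`) or document that callbacks may only empty trailing rows. Minor: `n` is initialised in its declaration and then assigned 0 again before the loop.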
diff --git a/target/ppc/mmu-hash64.h b/target/ppc/mmu-hash64.h
index 53dcec5b93..f11efc9cbc 100644
--- a/target/ppc/mmu-hash64.h
+++ b/target/ppc/mmu-hash64.h
@@ -20,6 +20,9 @@ unsigned ppc_hash64_hpte_page_shift_noslb(PowerPCCPU *cpu,
 void ppc_store_lpcr(PowerPCCPU *cpu, target_ulong val);
 void ppc_hash64_init(PowerPCCPU *cpu);
 void ppc_hash64_finalize(PowerPCCPU *cpu);
+void ppc_hash64_filter_pagesizes(PowerPCCPU *cpu,
+ bool (*cb)(void *, uint32_t, uint32_t),
+ void *opaque);
 #endif
 
 /*
-- 
2.17.1




Re: [Qemu-devel] [PATCH v3 00/19] linux-user: Split do_syscall

2018-06-22 Thread Peter Maydell
On 12 June 2018 at 01:51, Richard Henderson
 wrote:
> Version 3 does not attempt the whole thing in one go,
> and does attempt to incorporate strace into the reorg.
>
> Thoughts?

This approach works for me. I won't bother to review the
rest of the patchset for the moment, until Laurent weighs
in on whether he likes the structure or not...

thanks
-- PMM



Re: [Qemu-devel] [PATCH] hw/arm/virt: fix psci conduit in acpi when el3 enabled

2018-06-22 Thread Peter Maydell
On 22 June 2018 at 11:37, Hongbo Zhang  wrote:
> When QEMU_PSCI_CONDUIT_DISABLED is set, it doesn't mean all the PSCI
> conduits are totally disabled, it only means the QEMU built-in PSCI
> support is disabled, in such a case, e.g. EL3 is enabled and external
> firmware (it is usually Arm Trusted Firmware) is loaded, SMC should be
> used for the guest to trigger PSCI functions.
>
> Signed-off-by: Hongbo Zhang 
> ---
>  hw/arm/virt-acpi-build.c | 6 +-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
> index 74f5744..e5b4947 100644
> --- a/hw/arm/virt-acpi-build.c
> +++ b/hw/arm/virt-acpi-build.c
> @@ -715,7 +715,11 @@ static void build_fadt_rev5(GArray *table_data, 
> BIOSLinker *linker,
>
>  switch (vms->psci_conduit) {
>  case QEMU_PSCI_CONDUIT_DISABLED:
> -fadt.arm_boot_arch = 0;
> +/* This case means QEMU's internal EL3 implementation is disabled,
> + * but when firmware is loaded, the guest can still use SMC as PSCI
> + * conduit to call external firmware PSCI services
> + */
> +fadt.arm_boot_arch = ACPI_FADT_ARM_PSCI_COMPLIANT;
>  break;
>  case QEMU_PSCI_CONDUIT_HVC:
>  fadt.arm_boot_arch = ACPI_FADT_ARM_PSCI_COMPLIANT |

I think this means we end up reporting different things for ACPI
and DT in this case, doesn't it?

I think that if QEMU isn't providing the PSCI implementation it
shouldn't advertise it in the ACPI tables. It would seem more
logical that the firmware itself does that (QEMU can't know if
it really does provide PSCI, after all...)

thanks
-- PMM


