Re: [Qemu-devel] [PATCH 0/2] vnc: remove deprecated TLS related features

2018-08-20 Thread Gerd Hoffmann
  Hi,

>   doc: switch to modern syntax for VNC TLS setup
>   vnc: remove support for deprecated tls, x509, x509verify options

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] [RFC/RFT PATCH 0/2] spice-display locking fixes (cursors)?

2018-08-20 Thread Gerd Hoffmann
On Fri, Jul 20, 2018 at 08:31:07AM +0200, Paolo Bonzini wrote:
> The first issue was found by Coverity and should be trivial.  The second
> however made me wonder how to test the code and whether it has ever
> worked, because in theory it should be an instant deadlock whenever
> qemu_spice_cursor_refresh_bh is called.

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] [PATCH] sdl2: redraw correctly when scanout_mode enabled.

2018-08-20 Thread Gerd Hoffmann
On Thu, Jul 26, 2018 at 03:59:00PM -0700, Tao Wu wrote:
> When scanout_mode is enabled, the surface is out of sync with the actual screen.
> In that case, we just call sdl2_gl_scanout_flush to do the redraw. This
> fixes the bug reported in
> https://lists.freedesktop.org/archives/virglrenderer-devel/2018-July/001330.html

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] [PATCH] editorconfig: set emacs mode

2018-08-20 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> On Mon, Aug 20, 2018 at 9:55 PM Eric Blake  wrote:
>>
>> On 08/20/2018 01:00 PM, Peter Maydell wrote:
>> > On 20 August 2018 at 18:43, Marc-André Lureau
>> >  wrote:
>> >> Some time ago, I proposed to use an (eval) in .dir-locals.el to set
>> >> the mode for all json files and Makefile. Unfortunately, this isn't
>> >> safe, and emacs will prompt the user, which isn't very friendly.
>> >>
>> >> Fortunately, editorconfig provides a special config key which does
>> >> allow to set the emacs mode. Set the emacs mode for JSON, GLSL and
>> >> extra makefiles that are not yet covered. Drop modeline from JSON
>> >> files.
>> >
>> > Does emacs apply info from the editorconfig file by default, though?
>>
>> Per https://editorconfig.org/, no, you have to first install an emacs
>> plugin to get editorconfig files to have any effect.  So this patch is a
>> non-starter unless distros start patching emacs to install that plugin
>> by default.
>
> But .editorconfig is already present in the qemu source tree (and fwiw,
> it's installed by default with some starter kits, like prelude).
>
> What's the issue adding the emacs mode in the config file?
>
> Let's keep the modeline in existing files if you prefer, but it's
> still very limited (a majority of files are not covered). And I would
> rather see it gone, than having editor-specific lines in our source
> files.

I'm fine with adding stuff to .editorconfig that helps users.

Replacing Emacs file local variables by .editorconfig hurts Emacs users
that don't have the plugin set up.

I suggest you respin with the deletions dropped, and the additions to
.editorconfig limited to ones that still make a difference.



Re: [Qemu-devel] [PATCH] ui: use enum to string helpers

2018-08-20 Thread Gerd Hoffmann
On Wed, Aug 01, 2018 at 11:25:08AM +0200, Marc-André Lureau wrote:
> Minor code simplification.

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] Bugs when cross-compiling qemu for Windows with mingw 8.1, executable doesn't run

2018-08-20 Thread Stefan Weil
On 20.08.2018 at 22:39, Howard Spoelstra wrote:
> Confirmed, adding --disable-stack-protector to configure results in a
> working binary.
> 
> Great, thanks,
> Howard

There is already a bug report for gcc:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86832

It looks like not only Windows but also MacOS is affected.

Cheers
Stefan



Re: [Qemu-devel] [PATCH for-3.1] ui/sdl2: Remove the obsolete SDL_INIT_NOPARACHUTE flag

2018-08-20 Thread Gerd Hoffmann
On Wed, Aug 08, 2018 at 11:46:42AM +0200, Thomas Huth wrote:
> SDL_INIT_NOPARACHUTE is not used in SDL2 anymore, and the define is just
> a dummy (see https://wiki.libsdl.org/MigrationGuide#Some_general_truths
> for example). So we can remove it and get rid of the "flags" variable
> nowadays.

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] [PATCH] vnc: fix memleak of the "vnc-worker-output" name

2018-08-20 Thread Gerd Hoffmann
On Wed, Aug 08, 2018 at 12:18:30AM +0200, Peter Wu wrote:
> Fixes repeated memory leaks of 18 bytes when using VNC:
> 
> Direct leak of 831024 byte(s) in 46168 object(s) allocated from:
> ...
> #4 0x7f6d2f919bdd in g_strdup_vprintf glib/gstrfuncs.c:514
> #5 0x56085cdcf660 in buffer_init util/buffer.c:59
> #6 0x56085ca6a7ec in vnc_async_encoding_start ui/vnc-jobs.c:177
> #7 0x56085ca6b815 in vnc_worker_thread_loop ui/vnc-jobs.c:240
> 
> Fixes: 543b95801f98 ("vnc: attach names to buffers")
> Cc: Gerd Hoffmann 
> CC: qemu-sta...@nongnu.org
> Signed-off-by: Peter Wu 

Added to ui queue.

thanks,
  Gerd




Re: [Qemu-devel] [PATCH v2 41/60] json: Nicer recovery from invalid leading zero

2018-08-20 Thread Markus Armbruster
Eric Blake  writes:

> On 08/20/2018 06:39 AM, Markus Armbruster wrote:
>
>> In review of v1, we discussed whether to try matching non-integer
>> numbers with redundant leading zero.  Doing that tightly in the lexer
>> requires duplicating six states.  A simpler alternative is to have the
>> lexer eat "digit salad" after redundant leading zero: 0[0-9.eE+-]+.
>> Your suggestion for hexadecimal numbers is digit salad with different
>> digits: [0-9a-fA-FxX].  Another option is their union: [0-9a-fA-FxX+-].
>> Even more radical would be eating anything but whitespace and structural
>> characters: [^][}{:, \t\n\r].  That idea pushed to the limit results in
>> a two-stage lexer: first stage finds token strings, where a token string
>> is a structural character or a sequence of non-structural,
>> non-whitespace characters, second stage rejects invalid token strings.
>>
>> Hmm, we could try to recover from lexical errors more smartly in
>> general: instead of ending the JSON error token after the first
>> offending character, end it before the first whitespace or structural
>> character following the offending character.
>>
>> I can try that, but I'd prefer to try it in a follow-up patch.
>
> Indeed, that sounds like a valid approach. So, for this patch, I'm
> fine with just accepting ['0' ... '9'], then seeing if the later
> smarter-lexing change makes back-to-back non-structural tokens give
> saner error messages in general.

I think I'll drop this patch for now.  It's not useful enough to apply
it now, then revert it when we have the more general error recovery
improvement.
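
An added illustration, not code from the QEMU series or from either participant: a small Python sketch of the two-stage lexer Markus outlines, using the most radical cut (a token string is one structural character or a maximal run of non-whitespace, non-structural characters, with quoted strings scanned as a unit) and a second stage that accepts or rejects each whole token string, beside a model of the older recover-after-the-first-offending-character policy. The sample input and the token kind names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Structural characters and whitespace as in RFC 8259; anything else is a
# "non-structural" character and can belong to only one token string.
STRUCTURAL = set("[]{}:,")
WHITESPACE = set(" \t\n\r")

# Stage-2 validators: a token string is accepted only if it matches whole.
NUMBER_RE = re.compile(r"-?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?\Z")
KEYWORD_RE = re.compile(r"(true|false|null)\Z")
STRING_RE = re.compile(r'"(\\.|[^"\\])*"\Z')


@dataclass
class Token:
    kind: str  # "structural", "number", "keyword", "string" or "error"
    text: str
    pos: int   # offset of the first character in the input


def split_token_strings(src):
    """Stage 1: cut the input into token strings without validating them.

    A token string is one structural character, a quoted string (scanned as
    a unit, since it may contain whitespace and structural characters), or a
    maximal run of characters that are neither whitespace nor structural.
    """
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in WHITESPACE:
            i += 1
        elif c in STRUCTURAL:
            out.append((c, i))
            i += 1
        elif c == '"':
            j = i + 1
            while j < n and src[j] != '"':
                j += 2 if src[j] == "\\" else 1  # step over an escaped char
            j = min(j + 1, n)                     # include the closing quote
            out.append((src[i:j], i))
            i = j
        else:
            j = i
            while j < n and src[j] not in WHITESPACE and src[j] not in STRUCTURAL:
                j += 1
            out.append((src[i:j], i))
            i = j
    return out


def classify(text):
    """Stage 2: accept or reject one complete token string."""
    if text in STRUCTURAL:
        return "structural"
    if NUMBER_RE.match(text):
        return "number"
    if KEYWORD_RE.match(text):
        return "keyword"
    if STRING_RE.match(text):
        return "string"
    return "error"


def lex(src):
    """Two-stage lexer: exactly one error token per malformed token string."""
    return [Token(classify(t), t, p) for t, p in split_token_strings(src)]


def per_char_recovery(text):
    """Model of the older policy, applied to one token string: the error
    token ends right after the first offending character (longest valid
    prefix plus one) and lexing resumes from the character after it."""
    out = []
    while text:
        best = 0
        for k in range(1, len(text) + 1):
            if classify(text[:k]) != "error":
                best = k
        if best == len(text):
            out.append((classify(text), text))
            break
        out.append(("error", text[:best + 1]))
        text = text[best + 1:]
    return out


if __name__ == "__main__":
    sample = '[0123, 0x1f, 1.5e3, true, "a b"]'  # constructed input
    for tok in lex(sample):
        print(f"{tok.pos:2d} {tok.kind:10s} {tok.text}")
    for bad in ("0123", "0x1f"):
        print(bad, "->", per_char_recovery(bad))
```

With the two-stage cut, `0123` and `0x1f` each become a single error token; the per-character policy splits `0123` into an error `01` followed by a valid `23`, which is the cascade of confusing follow-on tokens the thread is about.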



Re: [Qemu-devel] [PATCH] monitor: avoid potential dead-lock when cleaning up

2018-08-20 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> On Mon, Aug 20, 2018 at 8:57 AM Markus Armbruster  wrote:
>>
>> Marc-André Lureau  writes:
>>
>> > Hi
>> > On Wed, Aug 1, 2018 at 5:09 PM Markus Armbruster  wrote:
>> >>
>> >> Marc-André Lureau  writes:
>> >>
>> >> > Hi
>> >> >
>> >> > On Wed, Aug 1, 2018 at 3:19 PM, Markus Armbruster  
>> >> > wrote:
>> >> >> Marc-André Lureau  writes:
>> >> >>
>> >> >>> When a monitor is connected to a Spice chardev, the monitor cleanup
>> >> >>> can dead-lock:
>> >> >>>
>> >> >>>  #0  0x7f43446637fd in __lll_lock_wait () at 
>> >> >>> /lib64/libpthread.so.0
>> >> >>>  #1  0x7f434465ccf4 in pthread_mutex_lock () at 
>> >> >>> /lib64/libpthread.so.0
>> >> >>>  #2  0x556dd79f22ba in qemu_mutex_lock_impl (mutex=0x556dd81c9220 
>> >> >>> , file=0x556dd7ae3648 "/home/elmarco/src/qq/monitor.c", 
>> >> >>> line=645) at /home/elmarco/src/qq/util/qemu-thread-posix.c:66
>> >> >>>  #3  0x556dd7431bd5 in monitor_qapi_event_queue 
>> >> >>> (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x556dd9abc850, 
>> >> >>> errp=0x7fffb7bbddd8) at /home/elmarco/src/qq/monitor.c:645
>> >> >>>  #4  0x556dd79d476b in qapi_event_send_spice_disconnected 
>> >> >>> (server=0x556dd98ee760, client=0x556ddaaa8560, errp=0x556dd82180d0 
>> >> >>> ) at qapi/qapi-events-ui.c:149
>> >> >>>  #5  0x556dd7870fc1 in channel_event (event=3, 
>> >> >>> info=0x556ddad1b590) at /home/elmarco/src/qq/ui/spice-core.c:235
>> >> >>>  #6  0x7f434560a6bb in reds_handle_channel_event (reds=<optimized out>, event=3, info=0x556ddad1b590) at reds.c:316
>> >> >>>  #7  0x7f43455f393b in main_dispatcher_self_handle_channel_event 
>> >> >>> (info=0x556ddad1b590, event=3, self=0x556dd9a7d8c0) at 
>> >> >>> main-dispatcher.c:197
>> >> >>>  #8  0x7f43455f393b in main_dispatcher_channel_event 
>> >> >>> (self=0x556dd9a7d8c0, event=event@entry=3, info=0x556ddad1b590) at 
>> >> >>> main-dispatcher.c:197
>> >> >>>  #9  0x7f4345612833 in red_stream_push_channel_event 
>> >> >>> (s=s@entry=0x556ddae2ef40, event=event@entry=3) at red-stream.c:414
>> >> >>>  #10 0x7f434561286b in red_stream_free (s=0x556ddae2ef40) at 
>> >> >>> red-stream.c:388
>> >> >>>  #11 0x7f43455f9ddc in red_channel_client_finalize 
>> >> >>> (object=0x556dd9bb21a0) at red-channel-client.c:347
>> >> >>>  #12 0x7f434b5f9fb9 in g_object_unref () at 
>> >> >>> /lib64/libgobject-2.0.so.0
>> >> >>>  #13 0x7f43455fc212 in red_channel_client_push 
>> >> >>> (rcc=0x556dd9bb21a0) at red-channel-client.c:1341
>> >> >>>  #14 0x556dd76081ba in spice_port_set_fe_open 
>> >> >>> (chr=0x556dd9925e20, fe_open=0) at 
>> >> >>> /home/elmarco/src/qq/chardev/spice.c:241
>> >> >>>  #15 0x556dd796d74a in qemu_chr_fe_set_open (be=0x556dd9a37c00, 
>> >> >>> fe_open=0) at /home/elmarco/src/qq/chardev/char-fe.c:340
>> >> >>>  #16 0x556dd796d4d9 in qemu_chr_fe_set_handlers 
>> >> >>> (b=0x556dd9a37c00, fd_can_read=0x0, fd_read=0x0, fd_event=0x0, 
>> >> >>> be_change=0x0, opaque=0x0, context=0x0, set_open=true) at 
>> >> >>> /home/elmarco/src/qq/chardev/char-fe.c:280
>> >> >>>  #17 0x556dd796d359 in qemu_chr_fe_deinit (b=0x556dd9a37c00, 
>> >> >>> del=false) at /home/elmarco/src/qq/chardev/char-fe.c:233
>> >> >>>  #18 0x556dd7432240 in monitor_data_destroy (mon=0x556dd9a37c00) 
>> >> >>> at /home/elmarco/src/qq/monitor.c:786
>> >> >>>  #19 0x556dd743b968 in monitor_cleanup () at 
>> >> >>> /home/elmarco/src/qq/monitor.c:4683
>> >> >>>  #20 0x556dd75ce776 in main (argc=3, argv=0x7fffb7bbe458, 
>> >> >>> envp=0x7fffb7bbe478) at /home/elmarco/src/qq/vl.c:4660
>> >> >>>
>> >> >>> Because spice code tries to emit a "disconnected" signal on the
>> >> >>> monitors. Fix this situation by tightening the monitor lock time to
>> >> >>> the monitor list removal.
>> >> >>>
>> >> >>> Signed-off-by: Marc-André Lureau 
>> >> >>
>> >> >> Do you think this should go into 3.0?
>> >> >>
>> >> >>> ---
>> >> >>>  monitor.c | 22 +++---
>> >> >>>  1 file changed, 15 insertions(+), 7 deletions(-)
>> >> >>>
>> >> >>> diff --git a/monitor.c b/monitor.c
>> >> >>> index 0fa0910a2a..a16a6c5311 100644
>> >> >>> --- a/monitor.c
>> >> >>> +++ b/monitor.c
>> >> >>> @@ -4702,8 +4702,6 @@ void monitor_init(Chardev *chr, int flags)
>> >> >>>
>> >> >>>  void monitor_cleanup(void)
>> >> >>>  {
>> >> >>> -Monitor *mon, *next;
>> >> >>> -
>> >> >>>  /*
>> >> >>>   * We need to explicitly stop the I/O thread (but not destroy 
>> >> >>> it),
>> >> >>>   * clean up the monitor resources, then destroy the I/O thread 
>> >> >>> since
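
Review bot: dropping the function-scope `Monitor *mon, *next;` pair is a consequence of the locking change, not cosmetic cleanup, and the commit message should say so: once the monitor lock is released inside the loop, a successor pointer cached by `QTAILQ_FOREACH_SAFE` could be stale by the time it is used, so the replacement loop has to re-read the list head under the lock on every iteration rather than iterate with a saved `next`.
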
>> >> >>> @@ -4719,14 +4717,24 @@ void monitor_cleanup(void)
>> >> >>>  monitor_qmp_bh_responder(NULL);
>> >> >>>
>> >> >>>  /* Flush output buffers and destroy monitors */
>> >> >>> -qemu_mutex_lock(_lock);
>> >> >>> -QTAILQ_FOREACH_SAFE(mon, _list, entry, next) {
>> >> >>> -QTAILQ_REMOVE(_list, mon, entry);
>> >> >>> +do {
>> >> >>
>> >> >> for (;;), please.
>> >> >>
>> >> >>> +

[Qemu-devel] [PULL 15/26] spapr: introduce a fixed IRQ number space

2018-08-20 Thread David Gibson
From: Cédric Le Goater 

This proposal introduces a new IRQ number space layout using static
numbers for all devices, depending on a device index, and a bitmap
allocator for the MSI IRQ numbers which are negotiated by the guest at
runtime.

As the VIO device model does not have a device index but a "reg"
property, we introduce a formula to compute an IRQ number from a "reg"
value. It should minimize most of the collisions.

The previous layout is kept in pre-3.1 machines raising the
'legacy_irq_allocation' machine class flag.

Signed-off-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/Makefile.objs   |  2 +-
 hw/ppc/spapr.c | 32 ++
 hw/ppc/spapr_events.c  | 12 ---
 hw/ppc/spapr_irq.c | 56 
 hw/ppc/spapr_pci.c | 29 +
 hw/ppc/spapr_vio.c | 66 ++
 include/hw/ppc/spapr.h |  5 +++
 include/hw/ppc/spapr_irq.h | 32 ++
 8 files changed, 216 insertions(+), 18 deletions(-)
 create mode 100644 hw/ppc/spapr_irq.c
 create mode 100644 include/hw/ppc/spapr_irq.h

diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index bcab6323b7..4ab5564672 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -4,7 +4,7 @@ obj-y += ppc.o ppc_booke.o fdt.o
 obj-$(CONFIG_PSERIES) += spapr.o spapr_caps.o spapr_vio.o spapr_events.o
 obj-$(CONFIG_PSERIES) += spapr_hcall.o spapr_iommu.o spapr_rtas.o
 obj-$(CONFIG_PSERIES) += spapr_pci.o spapr_rtc.o spapr_drc.o spapr_rng.o
-obj-$(CONFIG_PSERIES) += spapr_cpu_core.o spapr_ovec.o
+obj-$(CONFIG_PSERIES) += spapr_cpu_core.o spapr_ovec.o spapr_irq.o
 # IBM PowerNV
 obj-$(CONFIG_POWERNV) += pnv.o pnv_xscom.o pnv_core.o pnv_lpc.o pnv_psi.o 
pnv_occ.o pnv_bmc.o
 ifeq ($(CONFIG_PCI)$(CONFIG_PSERIES)$(CONFIG_LINUX), yyy)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a732f59205..6a78ceb708 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -189,6 +189,11 @@ static void xics_system_init(MachineState *machine, int 
nr_irqs, Error **errp)
 sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
 Error *local_err = NULL;
 
+/* Initialize the MSI IRQ allocator. */
+if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+spapr_irq_msi_init(spapr, XICS_IRQ_BASE + nr_irqs - SPAPR_IRQ_MSI);
+}
+
 if (kvm_enabled()) {
 if (machine_kernel_irqchip_allowed(machine) &&
 !xics_kvm_init(spapr, _err)) {
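
Review bot: the size passed to `spapr_irq_msi_init()`, `XICS_IRQ_BASE + nr_irqs - SPAPR_IRQ_MSI`, is a count (the IRQs from `SPAPR_IRQ_MSI` up to the top of the XICS range) but reads like an address; a named local such as `nr_msis` with a one-line comment would make that clear, and an assertion that the value is positive would catch a future reshuffle that moves `SPAPR_IRQ_MSI` past the end of the range. The allocator is also created before the ICS itself, so if ICS creation fails the map stays allocated; harmless, but worth a word.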
@@ -1636,6 +1641,10 @@ static void spapr_machine_reset(void)
 ppc_set_compat(first_ppc_cpu, spapr->max_compat_pvr, _fatal);
 }
 
+if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+spapr_irq_msi_reset(spapr);
+}
+
 qemu_devices_reset();
 
 /* DRC reset may cause a device to be unplugged. This will cause troubles
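
Review bot: `spapr_irq_msi_reset()` runs before `qemu_devices_reset()`, which is the right order (a device reset handler that re-claims MSIs then sees a cleared map), but that ordering dependency deserves a comment so a later reshuffle of `spapr_machine_reset()` does not move it below the device reset.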
@@ -1910,6 +1919,24 @@ static const VMStateDescription vmstate_spapr_patb_entry 
= {
 },
 };
 
+static bool spapr_irq_map_needed(void *opaque)
+{
+sPAPRMachineState *spapr = opaque;
+
+return spapr->irq_map && !bitmap_empty(spapr->irq_map, spapr->irq_map_nr);
+}
+
+static const VMStateDescription vmstate_spapr_irq_map = {
+.name = "spapr_irq_map",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = spapr_irq_map_needed,
+.fields = (VMStateField[]) {
+VMSTATE_BITMAP(irq_map, sPAPRMachineState, 0, irq_map_nr),
+VMSTATE_END_OF_LIST()
+},
+};
+
 static const VMStateDescription vmstate_spapr = {
 .name = "spapr",
 .version_id = 3,
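
Review bot: `spapr_irq_map_needed()` returns false both when `irq_map` is NULL (the `legacy_irq_allocation` machines) and when the bitmap is empty, so the subsection is absent from the stream in both cases and older machine types keep their pre-patch migration format; that is the intent and the commit message should state it. One thing to check: `VMSTATE_BITMAP(irq_map, sPAPRMachineState, 0, irq_map_nr)` relies on `irq_map_nr` being identical on source and destination, and nothing here validates it, so a mismatch would be silently misinterpreted rather than rejected.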
@@ -1937,6 +1964,7 @@ static const VMStateDescription vmstate_spapr = {
 _spapr_cap_cfpc,
 _spapr_cap_sbbc,
 _spapr_cap_ibs,
+_spapr_irq_map,
 NULL
 }
 };
@@ -4086,8 +4114,12 @@ static void 
spapr_machine_3_0_instance_options(MachineState *machine)
 
 static void spapr_machine_3_0_class_options(MachineClass *mc)
 {
+sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
+
 spapr_machine_3_1_class_options(mc);
 SET_MACHINE_COMPAT(mc, SPAPR_COMPAT_3_0);
+
+smc->legacy_irq_allocation = true;
 }
 
 DEFINE_SPAPR_MACHINE(3_0, "3.0", false);
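
Review bot: setting `smc->legacy_irq_allocation = true` after the call to `spapr_machine_3_1_class_options(mc)` correctly makes 3.1 the first machine type with the static layout, and pre-3.0 classes inherit the flag only as long as each older `*_class_options()` chains through `spapr_machine_3_0_class_options()`; a quick check of that chain is all this hunk needs.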
diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c
index e4f5946a21..32719a1b72 100644
--- a/hw/ppc/spapr_events.c
+++ b/hw/ppc/spapr_events.c
@@ -707,9 +707,11 @@ void spapr_clear_pending_events(sPAPRMachineState *spapr)
 
 void spapr_events_init(sPAPRMachineState *spapr)
 {
-int epow_irq;
+int epow_irq = SPAPR_IRQ_EPOW;
 
-epow_irq = spapr_irq_findone(spapr, _fatal);
+if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+epow_irq = spapr_irq_findone(spapr, _fatal);
+}
 
 spapr_irq_claim(spapr, epow_irq, false, _fatal);
 
@@ -729,9 +731,11 @@ void spapr_events_init(sPAPRMachineState *spapr)
  * checking that it's enabled.
  */
 if (spapr->use_hotplug_event_source) {
-int hp_irq;
+int hp_irq = SPAPR_IRQ_HOTPLUG;
 
-hp_irq = 

[Qemu-devel] [PULL 16/26] hw/ppc/prep: Remove ifdeffed-out stub of XCSR code

2018-08-20 Thread David Gibson
From: Peter Maydell 

The prep machine has some code which is stubs of accessors
for XCSR registers. This has been disabled via #if 0
since commit b6b8bd1819ff in 2004, and doesn't have any
actual interesting content. It also uses the deprecated
old_mmio accessor functions. Remove it entirely.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Hervé Poussineau 
Signed-off-by: David Gibson 
---
 hw/ppc/prep.c | 97 +++
 1 file changed, 4 insertions(+), 93 deletions(-)

diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
index 3401570d98..b26138e5c4 100644
--- a/hw/ppc/prep.c
+++ b/hw/ppc/prep.c
@@ -78,94 +78,6 @@ static int ne2000_irq[NE2000_NB_MAX] = { 9, 10, 11, 3, 4, 5 
};
 /* ISA IO ports bridge */
 #define PPC_IO_BASE 0x8000
 
-/* PowerPC control and status registers */
-#if 0 // Not used
-static struct {
-/* IDs */
-uint32_t veni_devi;
-uint32_t revi;
-/* Control and status */
-uint32_t gcsr;
-uint32_t xcfr;
-uint32_t ct32;
-uint32_t mcsr;
-/* General purpose registers */
-uint32_t gprg[6];
-/* Exceptions */
-uint32_t feen;
-uint32_t fest;
-uint32_t fema;
-uint32_t fecl;
-uint32_t eeen;
-uint32_t eest;
-uint32_t eecl;
-uint32_t eeint;
-uint32_t eemck0;
-uint32_t eemck1;
-/* Error diagnostic */
-} XCSR;
-
-static void PPC_XCSR_writeb (void *opaque,
- hwaddr addr, uint32_t value)
-{
-printf("%s: 0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", __func__, addr,
-   value);
-}
-
-static void PPC_XCSR_writew (void *opaque,
- hwaddr addr, uint32_t value)
-{
-printf("%s: 0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", __func__, addr,
-   value);
-}
-
-static void PPC_XCSR_writel (void *opaque,
- hwaddr addr, uint32_t value)
-{
-printf("%s: 0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", __func__, addr,
-   value);
-}
-
-static uint32_t PPC_XCSR_readb (void *opaque, hwaddr addr)
-{
-uint32_t retval = 0;
-
-printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
-   retval);
-
-return retval;
-}
-
-static uint32_t PPC_XCSR_readw (void *opaque, hwaddr addr)
-{
-uint32_t retval = 0;
-
-printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
-   retval);
-
-return retval;
-}
-
-static uint32_t PPC_XCSR_readl (void *opaque, hwaddr addr)
-{
-uint32_t retval = 0;
-
-printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
-   retval);
-
-return retval;
-}
-
-static const MemoryRegionOps PPC_XCSR_ops = {
-.old_mmio = {
-.read = { PPC_XCSR_readb, PPC_XCSR_readw, PPC_XCSR_readl, },
-.write = { PPC_XCSR_writeb, PPC_XCSR_writew, PPC_XCSR_writel, },
-},
-.endianness = DEVICE_LITTLE_ENDIAN,
-};
-
-#endif
-
 /* Fake super-io ports for PREP platform (Intel 82378ZB) */
 typedef struct sysctrl_t {
 qemu_irq reset_irq;
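
Review bot: nothing to object to in deleting the `#if 0` block; the commit message should just mention that `PPC_XCSR_ops` and the `XCSR` struct have no users outside this region, since the `ppc-xcsr` memory region was never mapped, and that their only other reference is the equally disabled `memory_region_init_io()` call removed in the next hunk.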
@@ -648,11 +560,10 @@ static void ppc_prep_init(MachineState *machine)
 portio_list_init(_port_list, NULL, prep_portio_list, sysctrl, "prep");
 portio_list_add(_port_list, isa_address_space_io(isa), 0x0);
 
-/* PowerPC control and status register group */
-#if 0
-memory_region_init_io(xcsr, NULL, _XCSR_ops, NULL, "ppc-xcsr", 0x1000);
-memory_region_add_subregion(sysmem, 0xFEFF, xcsr);
-#endif
+/*
+ * PowerPC control and status register group: unimplemented,
+ * would be at address 0xFEFF.
+ */
 
 if (machine_usb(machine)) {
 pci_create_simple(pci_bus, -1, "pci-ohci");
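
Review bot: keeping the address in the replacement comment (`would be at address 0xFEFF`) preserves the information, good. The removed `memory_region_init_io(xcsr, ...)` line referenced an `xcsr` variable; if `ppc_prep_init()` still declares `MemoryRegion *xcsr`, it is now unused and should go in the same patch.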
-- 
2.17.1




[Qemu-devel] [PULL 19/26] spapr: introduce a IRQ controller backend to the machine

2018-08-20 Thread David Gibson
From: Cédric Le Goater 

This proposal moves all the related IRQ routines of the sPAPR machine
behind a sPAPR IRQ backend interface 'spapr_irq' to prepare for future
changes. The first of these will be to increase the size of the IRQ number
space; a new backend for the POWER9 XIVE IRQ controller will follow.

Signed-off-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 180 +
 hw/ppc/spapr_cpu_core.c|   1 +
 hw/ppc/spapr_irq.c | 230 +
 include/hw/ppc/spapr.h |  11 +-
 include/hw/ppc/spapr_irq.h |  22 
 5 files changed, 259 insertions(+), 185 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 6a78ceb708..ddd4478a34 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -54,7 +54,6 @@
 #include "hw/ppc/spapr.h"
 #include "hw/ppc/spapr_vio.h"
 #include "hw/pci-host/spapr.h"
-#include "hw/ppc/xics.h"
 #include "hw/pci/msi.h"
 
 #include "hw/pci/pci.h"
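
Review bot: dropping `#include "hw/ppc/xics.h"` from spapr.c looks premature: `spapr_icp_get()` further down in this file still uses the `ICP()` cast (context line `return cpu ? ICP(cpu->intc) : NULL;`). This only compiles if `hw/ppc/spapr_irq.h` or spapr.h pulls xics.h in transitively; if so, an explicit include here is cheaper than a hidden dependency.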
@@ -117,33 +116,6 @@ static bool spapr_is_thread0_in_vcore(sPAPRMachineState 
*spapr,
 return spapr_get_vcpu_id(cpu) % spapr->vsmt == 0;
 }
 
-static ICSState *spapr_ics_create(sPAPRMachineState *spapr,
-  const char *type_ics,
-  int nr_irqs, Error **errp)
-{
-Error *local_err = NULL;
-Object *obj;
-
-obj = object_new(type_ics);
-object_property_add_child(OBJECT(spapr), "ics", obj, _abort);
-object_property_add_const_link(obj, ICS_PROP_XICS, OBJECT(spapr),
-   _abort);
-object_property_set_int(obj, nr_irqs, "nr-irqs", _err);
-if (local_err) {
-goto error;
-}
-object_property_set_bool(obj, true, "realized", _err);
-if (local_err) {
-goto error;
-}
-
-return ICS_BASE(obj);
-
-error:
-error_propagate(errp, local_err);
-return NULL;
-}
-
 static bool pre_2_10_vmstate_dummy_icp_needed(void *opaque)
 {
 /* Dummy entries correspond to unused ICPState objects in older QEMUs,
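
Review bot: the removal of `spapr_ics_create()` should be a pure move into hw/ppc/spapr_irq.c; the behaviour worth preserving is the `error:` label path, which propagates `local_err` and returns NULL so the caller can fall back from `TYPE_ICS_KVM` to `TYPE_ICS_SIMPLE`.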
@@ -184,43 +156,6 @@ static int xics_max_server_number(sPAPRMachineState *spapr)
 return DIV_ROUND_UP(max_cpus * spapr->vsmt, smp_threads);
 }
 
-static void xics_system_init(MachineState *machine, int nr_irqs, Error **errp)
-{
-sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
-Error *local_err = NULL;
-
-/* Initialize the MSI IRQ allocator. */
-if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
-spapr_irq_msi_init(spapr, XICS_IRQ_BASE + nr_irqs - SPAPR_IRQ_MSI);
-}
-
-if (kvm_enabled()) {
-if (machine_kernel_irqchip_allowed(machine) &&
-!xics_kvm_init(spapr, _err)) {
-spapr->icp_type = TYPE_KVM_ICP;
-spapr->ics = spapr_ics_create(spapr, TYPE_ICS_KVM, nr_irqs,
-  _err);
-}
-if (machine_kernel_irqchip_required(machine) && !spapr->ics) {
-error_prepend(_err,
-  "kernel_irqchip requested but unavailable: ");
-goto error;
-}
-error_free(local_err);
-local_err = NULL;
-}
-
-if (!spapr->ics) {
-xics_spapr_init(spapr);
-spapr->icp_type = TYPE_ICP;
-spapr->ics = spapr_ics_create(spapr, TYPE_ICS_SIMPLE, nr_irqs,
-  _err);
-}
-
-error:
-error_propagate(errp, local_err);
-}
-
 static int spapr_fixup_cpu_smt_dt(void *fdt, int offset, PowerPCCPU *cpu,
   int smt_threads)
 {
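
Review bot: `xics_system_init()` contains a deliberate silent fallback that is easy to lose in a move: when `xics_kvm_init()` fails and `machine_kernel_irqchip_required()` is false, `local_err` is freed and reset to NULL and userspace XICS is used. Whatever lands in the new backend's `init` must keep that sequence, and a run with `kernel_irqchip=off` and one with `kernel_irqchip=on` would cover both branches.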
@@ -2618,7 +2553,7 @@ static void spapr_machine_init(MachineState *machine)
 load_limit = MIN(spapr->rma_size, RTAS_MAX_ADDR) - FW_OVERHEAD;
 
 /* Set up Interrupt Controller before we create the VCPUs */
-xics_system_init(machine, XICS_IRQS_SPAPR, _fatal);
+smc->irq->init(spapr, _fatal);
 
 /* Set up containers for ibm,client-architecture-support negotiated options
  */
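
Review bot: `smc->irq->init(spapr, ...)` dereferences `smc->irq` with no check; every sPAPR machine class must now set `smc->irq`, and a forgotten assignment would surface as a NULL-pointer crash at machine init rather than a clear message, so an assertion before the call is cheap. `XICS_IRQS_SPAPR` is also no longer passed here, which means the IRQ count is now owned by the backend; the commit message could say so explicitly.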
@@ -3810,121 +3745,13 @@ static ICPState *spapr_icp_get(XICSFabric *xi, int 
vcpu_id)
 return cpu ? ICP(cpu->intc) : NULL;
 }
 
-#define ICS_IRQ_FREE(ics, srcno)   \
-(!((ics)->irqs[(srcno)].flags & (XICS_FLAGS_IRQ_MASK)))
-
-static int ics_find_free_block(ICSState *ics, int num, int alignnum)
-{
-int first, i;
-
-for (first = 0; first < ics->nr_irqs; first += alignnum) {
-if (num > (ics->nr_irqs - first)) {
-return -1;
-}
-for (i = first; i < first + num; ++i) {
-if (!ICS_IRQ_FREE(ics, i)) {
-break;
-}
-}
-if (i == (first + num)) {
-return first;
-}
-}
-
-return -1;
-}
-
-int spapr_irq_find(sPAPRMachineState *spapr, int num, bool align, Error **errp)
-{
-ICSState *ics = spapr->ics;
-int first = -1;
-
-assert(ics);
-
-/*
- * MSIMesage::data is used for storing VIRQ so
- * it has to be aligned to num to support multiple
- * MSI vectors. MSI-X 
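
Review bot: while `spapr_irq_find()` is being moved, fix the typo in its comment (`MSIMesage::data` -> `MSIMessage::data`). Note also that `ics_find_free_block()` steps `first` by `alignnum` from index 0 of the ICS, so an aligned block is aligned relative to the ICS base, not to an absolute IRQ number; that assumption should hold in the new home too. The hunk is truncated in this copy, so the rest cannot be reviewed here.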

[Qemu-devel] [PULL 17/26] hw/ppc/ppc_boards: Don't use old_mmio for ref405ep_fpga

2018-08-20 Thread David Gibson
From: Peter Maydell 

Switch the ref405ep_fpga device away from using the old_mmio
MemoryRegion accessors.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: David Gibson 
---
 hw/ppc/ppc405_boards.c | 60 +++---
 1 file changed, 10 insertions(+), 50 deletions(-)

diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 70111075b3..f5a9c24b6c 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -66,7 +66,7 @@ struct ref405ep_fpga_t {
 uint8_t reg1;
 };
 
-static uint32_t ref405ep_fpga_readb (void *opaque, hwaddr addr)
+static uint64_t ref405ep_fpga_readb(void *opaque, hwaddr addr, unsigned size)
 {
 ref405ep_fpga_t *fpga;
 uint32_t ret;
@@ -87,8 +87,8 @@ static uint32_t ref405ep_fpga_readb (void *opaque, hwaddr 
addr)
 return ret;
 }
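
Review bot: the new `ref405ep_fpga_readb(void *opaque, hwaddr addr, unsigned size)` ignores `size`, which is correct only because the ops later set `.impl.max_access_size = 1`; a short comment on the function saying that the core splits wider accesses into byte accesses would stop someone from adding a `size` switch here later.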
 
-static void ref405ep_fpga_writeb (void *opaque,
-  hwaddr addr, uint32_t value)
+static void ref405ep_fpga_writeb(void *opaque, hwaddr addr, uint64_t value,
+ unsigned size)
 {
 ref405ep_fpga_t *fpga;
 
@@ -105,54 +105,14 @@ static void ref405ep_fpga_writeb (void *opaque,
 }
 }
 
-static uint32_t ref405ep_fpga_readw (void *opaque, hwaddr addr)
-{
-uint32_t ret;
-
-ret = ref405ep_fpga_readb(opaque, addr) << 8;
-ret |= ref405ep_fpga_readb(opaque, addr + 1);
-
-return ret;
-}
-
-static void ref405ep_fpga_writew (void *opaque,
-  hwaddr addr, uint32_t value)
-{
-ref405ep_fpga_writeb(opaque, addr, (value >> 8) & 0xFF);
-ref405ep_fpga_writeb(opaque, addr + 1, value & 0xFF);
-}
-
-static uint32_t ref405ep_fpga_readl (void *opaque, hwaddr addr)
-{
-uint32_t ret;
-
-ret = ref405ep_fpga_readb(opaque, addr) << 24;
-ret |= ref405ep_fpga_readb(opaque, addr + 1) << 16;
-ret |= ref405ep_fpga_readb(opaque, addr + 2) << 8;
-ret |= ref405ep_fpga_readb(opaque, addr + 3);
-
-return ret;
-}
-
-static void ref405ep_fpga_writel (void *opaque,
-  hwaddr addr, uint32_t value)
-{
-ref405ep_fpga_writeb(opaque, addr, (value >> 24) & 0xFF);
-ref405ep_fpga_writeb(opaque, addr + 1, (value >> 16) & 0xFF);
-ref405ep_fpga_writeb(opaque, addr + 2, (value >> 8) & 0xFF);
-ref405ep_fpga_writeb(opaque, addr + 3, value & 0xFF);
-}
-
 static const MemoryRegionOps ref405ep_fpga_ops = {
-.old_mmio = {
-.read = {
-ref405ep_fpga_readb, ref405ep_fpga_readw, ref405ep_fpga_readl,
-},
-.write = {
-ref405ep_fpga_writeb, ref405ep_fpga_writew, ref405ep_fpga_writel,
-},
-},
-.endianness = DEVICE_NATIVE_ENDIAN,
+.read = ref405ep_fpga_readb,
+.write = ref405ep_fpga_writeb,
+.impl.min_access_size = 1,
+.impl.max_access_size = 1,
+.valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.endianness = DEVICE_BIG_ENDIAN,
 };
 
 static void ref405ep_fpga_reset (void *opaque)
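
Review bot: the declared endianness changes from `DEVICE_NATIVE_ENDIAN` to `DEVICE_BIG_ENDIAN`, and that is correct rather than incidental: the removed `ref405ep_fpga_readw()`/`readl()` assembled the byte at `addr` as the most significant one, so the device was always big-endian and merely declared native. The commit message should state this so the change in the declared endianness is not mistaken for a behaviour change; `.valid.max_access_size = 4` keeps 16- and 32-bit accesses accepted as before.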
-- 
2.17.1




[Qemu-devel] [PULL 21/26] qemu-doc: mark ppc/prep machine as deprecated

2018-08-20 Thread David Gibson
From: Hervé Poussineau 

The 40p machine type should be used instead.

Signed-off-by: Hervé Poussineau 
Acked-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 qemu-deprecated.texi | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 67b721156f..87212b62f2 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -195,6 +195,12 @@ support page sizes < 4096 any longer.
 These machine types are very old and likely can not be used for live migration
 from old QEMU versions anymore. A newer machine type should be used instead.
 
+@subsection prep (PowerPC) (since 3.1)
+
+This machine type uses an unmaintained firmware, broken in lots of ways,
+and unable to start post-2004 operating systems. 40p machine type should be
+used instead.
+
 @section Device options
 
 @subsection Block device options
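
Review bot: in the new @subsection, `40p machine type should be used instead` reads better as `The 40p machine type should be used instead`, and `broken in lots of ways` is vague for a deprecation notice; listing the concrete limitations given in the companion `hw/ppc: deprecate the machine type 'prep'` commit (IDE-only boot, 2004-era OS loaders, -kernel hang after PS/2 mouse detection) would let users judge whether they are affected.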
-- 
2.17.1




[Qemu-devel] [PULL 22/26] 40p: don't use legacy fw_cfg_init_mem() function

2018-08-20 Thread David Gibson
From: Mark Cave-Ayland 

Instead, initialise the device via qdev to allow us to set device properties
directly as required.

Signed-off-by: Mark Cave-Ayland 
Acked-by: Hervé Poussineau 
Signed-off-by: David Gibson 
---
 hw/ppc/prep.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
index 83083e4f1b..47146ba12a 100644
--- a/hw/ppc/prep.c
+++ b/hw/ppc/prep.c
@@ -618,7 +618,7 @@ static void ibm_40p_init(MachineState *machine)
 uint16_t cmos_checksum;
 PowerPCCPU *cpu;
 DeviceState *dev;
-SysBusDevice *pcihost;
+SysBusDevice *pcihost, *s;
 Nvram *m48t59 = NULL;
 PCIBus *pci_bus;
 ISABus *isa_bus;
@@ -711,7 +711,16 @@ static void ibm_40p_init(MachineState *machine)
 }
 
 /* Prepare firmware configuration for OpenBIOS */
-fw_cfg = fw_cfg_init_mem(CFG_ADDR, CFG_ADDR + 2);
+dev = qdev_create(NULL, TYPE_FW_CFG_MEM);
+fw_cfg = FW_CFG(dev);
+qdev_prop_set_uint32(dev, "data_width", 1);
+qdev_prop_set_bit(dev, "dma_enabled", false);
+object_property_add_child(OBJECT(qdev_get_machine()), TYPE_FW_CFG,
+  OBJECT(fw_cfg), NULL);
+qdev_init_nofail(dev);
+s = SYS_BUS_DEVICE(dev);
+sysbus_mmio_map(s, 0, CFG_ADDR);
+sysbus_mmio_map(s, 1, CFG_ADDR + 2);
 
 if (machine->kernel_filename) {
 /* load kernel */
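
Review bot: the ten-line qdev sequence (`qdev_create`, `data_width` = 1, `dma_enabled` = false, add child, `qdev_init_nofail`, two `sysbus_mmio_map` calls) is duplicated verbatim in the mac_oldworld patch of this same series; a helper in fw_cfg taking the base address and the property values would keep the two copies from drifting apart. `object_property_add_child(..., NULL)` also discards any error, where passing `&error_abort` would match the `qdev_init_nofail()` on the next line. Finally, the commit message should confirm that `data_width=1` and `dma_enabled=false` reproduce what `fw_cfg_init_mem()` set up, so the change is a no-op for guests.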
-- 
2.17.1




[Qemu-devel] [PULL 20/26] hw/ppc: deprecate the machine type 'prep', replaced by '40p'

2018-08-20 Thread David Gibson
From: Hervé Poussineau 

- prep machine is a fictional machine, so has no specifications. Which
  devices can be changed/added/removed without impact? Are interrupts
  correctly mapped?
- prep firmware (OHW) has support only for IDE drives (no SCSI).
  Booting from IDE has been broken for approximately 3 years, and nobody
  complained.
- OHW is limited on IDE boot to a specific set of OS loaders.
  These operating systems are of the 2004 time frame.
- OHW can use -kernel. Linux kernel freezes a long time after PS/2 mouse
  detection, and then screen becomes garbage. This was already broken in
  QEMU v2.7, 2 years ago, and nobody complained.

On the other side:
- 40p is a real machine, so emulation can be checked against
  hardware specifications
- OpenBIOS has support for SCSI block devices, including 40p LSI adapter
- OpenBIOS can start almost all Linux kernels (including recent ones)
  and recent operating systems (like NetBSD 7.1.2)

Signed-off-by: Hervé Poussineau 
[dwg: Drop prep from boot-serial test to avoid deprecation warnings]
Signed-off-by: David Gibson 
---
 hw/ppc/prep.c| 1 +
 tests/boot-serial-test.c | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
index b26138e5c4..83083e4f1b 100644
--- a/hw/ppc/prep.c
+++ b/hw/ppc/prep.c
@@ -587,6 +587,7 @@ static void ppc_prep_init(MachineState *machine)
 
 static void prep_machine_init(MachineClass *mc)
 {
+mc->deprecation_reason = "use 40p machine type instead";
 mc->desc = "PowerPC PREP platform";
 mc->init = ppc_prep_init;
 mc->block_default_type = IF_IDE;
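
Review bot: `mc->deprecation_reason = "use 40p machine type instead"` is the text users will see at startup, so it is worth matching the wording of the qemu-deprecated.texi entry added in the companion patch of this series.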
diff --git a/tests/boot-serial-test.c b/tests/boot-serial-test.c
index fca5f2f5da..f123b15e3e 100644
--- a/tests/boot-serial-test.c
+++ b/tests/boot-serial-test.c
@@ -75,13 +75,11 @@ typedef struct testdef {
 static testdef_t tests[] = {
 { "alpha", "clipper", "", "PCI:" },
 { "ppc", "ppce500", "", "U-Boot" },
-{ "ppc", "prep", "-m 96", "Memory size: 96 MB" },
 { "ppc", "40p", "-boot d", "Booting from device d" },
 { "ppc", "g3beige", "", "PowerPC,750" },
 { "ppc", "mac99", "", "PowerPC,G4" },
 { "ppc", "sam460ex", "-m 256", "DRAM:  256 MiB" },
 { "ppc64", "ppce500", "", "U-Boot" },
-{ "ppc64", "prep", "-boot e", "Booting from device e" },
 { "ppc64", "40p", "-m 192", "Memory size: 192 MB" },
 { "ppc64", "mac99", "", "PowerPC,970FX" },
 { "ppc64", "pseries", "", "Open Firmware" },
-- 
2.17.1




[Qemu-devel] [PULL 23/26] mac_oldworld: don't use legacy fw_cfg_init_mem() function

2018-08-20 Thread David Gibson
From: Mark Cave-Ayland 

Instead, initialise the device via qdev to allow us to set device properties
directly as required.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/ppc/mac_oldworld.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 064d7eb30a..80b5525775 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -309,7 +309,17 @@ static void ppc_heathrow_init(MachineState *machine)
 
 /* No PCI init: the BIOS will do it */
 
-fw_cfg = fw_cfg_init_mem(CFG_ADDR, CFG_ADDR + 2);
+dev = qdev_create(NULL, TYPE_FW_CFG_MEM);
+fw_cfg = FW_CFG(dev);
+qdev_prop_set_uint32(dev, "data_width", 1);
+qdev_prop_set_bit(dev, "dma_enabled", false);
+object_property_add_child(OBJECT(qdev_get_machine()), TYPE_FW_CFG,
+  OBJECT(fw_cfg), NULL);
+qdev_init_nofail(dev);
+s = SYS_BUS_DEVICE(dev);
+sysbus_mmio_map(s, 0, CFG_ADDR);
+sysbus_mmio_map(s, 1, CFG_ADDR + 2);
+
 fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)smp_cpus);
 fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
 fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
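Review bot: `dev` and `s` are reused here without being declared in the hunk, so the block relies on earlier locals of ppc_heathrow_init() that also serve other devices; a dedicated local, or better a small shared helper, would avoid the three near-identical copies this series creates (this file, mac_newworld.c, and 40p per the cover letter) drifting apart. The commit message should also state that data_width 1 and dma_enabled false reproduce what fw_cfg_init_mem(CFG_ADDR, CFG_ADDR + 2) configured, so it is clear no guest-visible change is intended.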
-- 
2.17.1




[Qemu-devel] [PULL 18/26] hw/ppc/ppc405_uc: Convert away from old_mmio

2018-08-20 Thread David Gibson
From: Peter Maydell 

Convert the devices in ppc405_uc away from using the old_mmio
MemoryRegion accessors:

 * opba's 32-bit and 16-bit accessors were just calling the
   8-bit accessors and assembling a big-endian order number,
   which we can do by setting the .impl.max_access_size to 1
   and the endianness to DEVICE_BIG_ENDIAN, and letting the
   core memory code do the assembly
 * ppc405_gpio's accessors were all just stubs
 * ppc4xx_gpt's 8-bit and 16-bit accessors were treating the
   access as invalid, which we can do by setting the
   .valid.min_access_size and .valid.max_access_size fields

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: David Gibson 
---
 hw/ppc/ppc405_uc.c | 173 +++--
 1 file changed, 25 insertions(+), 148 deletions(-)

diff --git a/hw/ppc/ppc405_uc.c b/hw/ppc/ppc405_uc.c
index 4bd9fbcc1e..5c58415cf1 100644
--- a/hw/ppc/ppc405_uc.c
+++ b/hw/ppc/ppc405_uc.c
@@ -283,7 +283,7 @@ struct ppc4xx_opba_t {
 uint8_t pr;
 };
 
-static uint32_t opba_readb (void *opaque, hwaddr addr)
+static uint64_t opba_readb(void *opaque, hwaddr addr, unsigned size)
 {
 ppc4xx_opba_t *opba;
 uint32_t ret;
@@ -307,8 +307,8 @@ static uint32_t opba_readb (void *opaque, hwaddr addr)
 return ret;
 }
 
-static void opba_writeb (void *opaque,
- hwaddr addr, uint32_t value)
+static void opba_writeb(void *opaque, hwaddr addr, uint64_t value,
+unsigned size)
 {
 ppc4xx_opba_t *opba;
 
@@ -328,61 +328,14 @@ static void opba_writeb (void *opaque,
 break;
 }
 }
-
-static uint32_t opba_readw (void *opaque, hwaddr addr)
-{
-uint32_t ret;
-
-#ifdef DEBUG_OPBA
-printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
-#endif
-ret = opba_readb(opaque, addr) << 8;
-ret |= opba_readb(opaque, addr + 1);
-
-return ret;
-}
-
-static void opba_writew (void *opaque,
- hwaddr addr, uint32_t value)
-{
-#ifdef DEBUG_OPBA
-printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
-   value);
-#endif
-opba_writeb(opaque, addr, value >> 8);
-opba_writeb(opaque, addr + 1, value);
-}
-
-static uint32_t opba_readl (void *opaque, hwaddr addr)
-{
-uint32_t ret;
-
-#ifdef DEBUG_OPBA
-printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
-#endif
-ret = opba_readb(opaque, addr) << 24;
-ret |= opba_readb(opaque, addr + 1) << 16;
-
-return ret;
-}
-
-static void opba_writel (void *opaque,
- hwaddr addr, uint32_t value)
-{
-#ifdef DEBUG_OPBA
-printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
-   value);
-#endif
-opba_writeb(opaque, addr, value >> 24);
-opba_writeb(opaque, addr + 1, value >> 16);
-}
-
 static const MemoryRegionOps opba_ops = {
-.old_mmio = {
-.read = { opba_readb, opba_readw, opba_readl, },
-.write = { opba_writeb, opba_writew, opba_writel, },
-},
-.endianness = DEVICE_NATIVE_ENDIAN,
+.read = opba_readb,
+.write = opba_writeb,
+.impl.min_access_size = 1,
+.impl.max_access_size = 1,
+.valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.endianness = DEVICE_BIG_ENDIAN,
 };
 
 static void ppc4xx_opba_reset (void *opaque)
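Review bot: the removed opba_readl()/opba_writel() only touched bytes addr and addr + 1 (shifts of 24 and 16), whereas with .impl.max_access_size = 1 and .valid.max_access_size = 4 the core will now also issue byte accesses at addr + 2 and addr + 3 for a 32-bit access. That is only equivalent if opba_readb() returns 0 and opba_writeb() ignores those offsets (the switch default cases are not in the hunk), and the commit message's "just calling the 8-bit accessors and assembling a big-endian order number" glosses over it; please confirm and mention it.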
@@ -750,65 +703,27 @@ struct ppc405_gpio_t {
 uint32_t isr1l;
 };
 
-static uint32_t ppc405_gpio_readb (void *opaque, hwaddr addr)
+static uint64_t ppc405_gpio_read(void *opaque, hwaddr addr, unsigned size)
 {
 #ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
+printf("%s: addr " TARGET_FMT_plx " size %d\n", __func__, addr, size);
 #endif
 
 return 0;
 }
 
-static void ppc405_gpio_writeb (void *opaque,
-hwaddr addr, uint32_t value)
-{
-#ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
-   value);
-#endif
-}
-
-static uint32_t ppc405_gpio_readw (void *opaque, hwaddr addr)
+static void ppc405_gpio_write(void *opaque, hwaddr addr, uint64_t value,
+  unsigned size)
 {
 #ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
-#endif
-
-return 0;
-}
-
-static void ppc405_gpio_writew (void *opaque,
-hwaddr addr, uint32_t value)
-{
-#ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
-   value);
-#endif
-}
-
-static uint32_t ppc405_gpio_readl (void *opaque, hwaddr addr)
-{
-#ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
-#endif
-
-return 0;
-}
-
-static void ppc405_gpio_writel (void *opaque,
-hwaddr addr, uint32_t value)
-{
-#ifdef DEBUG_GPIO
-printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
-   value);
+printf("%s: addr " TARGET_FMT_plx " size %d val %08" PRIx32 "\n",
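Review bot: the DEBUG_GPIO printf formats do not match the new prototypes: `size` is `unsigned` but printed with %d in both ppc405_gpio_read() and ppc405_gpio_write(), and the write path still uses PRIx32 although `value` is now uint64_t, which is a format mismatch (and a -Wformat warning when DEBUG_GPIO is defined) if `value` is passed directly; use %u and PRIx64, or cast.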

[Qemu-devel] [PULL 26/26] ppc: add DBCR based debugging

2018-08-20 Thread David Gibson
From: Roman Kapl 

Add support for DBCR (debug control register) based debugging as used on
BookE ppc. So far supports only branch and single-step events, but these are
the important ones. GDB in a Linux guest can now do single-stepping.

Signed-off-by: Roman Kapl 
Signed-off-by: David Gibson 
---
 target/ppc/cpu.h|   5 ++
 target/ppc/excp_helper.c|  11 ++--
 target/ppc/translate.c  | 107 
 target/ppc/translate_init.inc.c |  17 +
 4 files changed, 107 insertions(+), 33 deletions(-)

diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index 4edcf62cf7..ec149349e2 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -481,6 +481,11 @@ struct ppc_slb_t {
 #define msr_ts   ((env->msr >> MSR_TS1)  & 3)
 #define msr_tm   ((env->msr >> MSR_TM)   & 1)
 
+#define DBCR0_ICMP (1 << 27)
+#define DBCR0_BRT (1 << 26)
+#define DBSR_ICMP (1 << 27)
+#define DBSR_BRT (1 << 26)
+
 /* Hypervisor bit is more specific */
 #if defined(TARGET_PPC64)
 #define MSR_HVB (1ULL << MSR_SHV)
diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index d6e97a90e0..0ec7ae1ad4 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -348,19 +348,16 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int 
excp_model, int excp)
 case POWERPC_EXCP_ITLB:  /* Instruction TLB error*/
 break;
 case POWERPC_EXCP_DEBUG: /* Debug interrupt  */
-switch (excp_model) {
-case POWERPC_EXCP_BOOKE:
+if (env->flags & POWERPC_FLAG_DE) {
 /* FIXME: choose one or the other based on CPU type */
 srr0 = SPR_BOOKE_DSRR0;
 srr1 = SPR_BOOKE_DSRR1;
 asrr0 = SPR_BOOKE_CSRR0;
 asrr1 = SPR_BOOKE_CSRR1;
-break;
-default:
-break;
+/* DBSR already modified by caller */
+} else {
+cpu_abort(cs, "Debug exception triggered on unsupported model\n");
 }
-/* XXX: TODO */
-cpu_abort(cs, "Debug exception is not implemented yet !\n");
 break;
 case POWERPC_EXCP_SPEU:  /* SPE/embedded floating-point unavailable  */
 env->spr[SPR_BOOKE_ESR] = ESR_SPV;
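Review bot: the pre-existing FIXME about choosing DSRR0/1 versus CSRR0/1 now sits on a live path (previously every model ended in cpu_abort), so this patch makes that choice observable to BookE guests that enable DE; a comment on which cores the DSRR selection is known to be correct for would help, and the cpu_abort message should not carry a trailing "\n" if cpu_abort already terminates the line as the other call sites suggest.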
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 9eaa10b421..881743571b 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -211,6 +211,7 @@ struct DisasContext {
 bool gtse;
 ppc_spr_t *spr_cb; /* Needed to check rights for mfspr/mtspr */
 int singlestep_enabled;
+uint32_t flags;
 uint64_t insns_flags;
 uint64_t insns_flags2;
 };
@@ -251,6 +252,17 @@ struct opc_handler_t {
 #endif
 };
 
+/* SPR load/store helpers */
+static inline void gen_load_spr(TCGv t, int reg)
+{
+tcg_gen_ld_tl(t, cpu_env, offsetof(CPUPPCState, spr[reg]));
+}
+
+static inline void gen_store_spr(int reg, TCGv t)
+{
+tcg_gen_st_tl(t, cpu_env, offsetof(CPUPPCState, spr[reg]));
+}
+
 static inline void gen_set_access_type(DisasContext *ctx, int access_type)
 {
 if (ctx->need_access_type && ctx->access_type != access_type) {
@@ -313,6 +325,38 @@ static void gen_exception_nip(DisasContext *ctx, uint32_t 
excp,
 ctx->exception = (excp);
 }
 
+/* Translates the EXCP_TRACE/BRANCH exceptions used on most PowerPCs to
+ * EXCP_DEBUG, if we are running on cores using the debug enable bit (e.g.
+ * BookE).
+ */
+static uint32_t gen_prep_dbgex(DisasContext *ctx, uint32_t excp)
+{
+if ((ctx->singlestep_enabled & CPU_SINGLE_STEP)
+&& (excp == POWERPC_EXCP_BRANCH)) {
+/* Trace excpt. has priority */
+excp = POWERPC_EXCP_TRACE;
+}
+if (ctx->flags & POWERPC_FLAG_DE) {
+target_ulong dbsr = 0;
+switch (excp) {
+case POWERPC_EXCP_TRACE:
+dbsr = DBCR0_ICMP;
+break;
+case POWERPC_EXCP_BRANCH:
+dbsr = DBCR0_BRT;
+break;
+}
+TCGv t0 = tcg_temp_new();
+gen_load_spr(t0, SPR_BOOKE_DBSR);
+tcg_gen_ori_tl(t0, t0, dbsr);
+gen_store_spr(SPR_BOOKE_DBSR, t0);
+tcg_temp_free(t0);
+return POWERPC_EXCP_DEBUG;
+} else {
+return excp;
+}
+}
+
 static void gen_debug_exception(DisasContext *ctx)
 {
 TCGv_i32 t0;
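Review bot: gen_prep_dbgex() ORs DBCR0_ICMP / DBCR0_BRT into SPR_BOOKE_DBSR, while the DBSR_ICMP / DBSR_BRT constants added to cpu.h in this same patch are never used; use the DBSR_* names for the status register (same values today, but the two registers need not stay bit-compatible). The switch also has no default, so any other excp value reaches the DE path with dbsr == 0 and is turned into POWERPC_EXCP_DEBUG without setting a status bit; an explicit default (return excp unchanged, or g_assert_not_reached()) would make the intent clear.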
@@ -575,17 +619,6 @@ typedef struct opcode_t {
 }
 #endif
 
-/* SPR load/store helpers */
-static inline void gen_load_spr(TCGv t, int reg)
-{
-tcg_gen_ld_tl(t, cpu_env, offsetof(CPUPPCState, spr[reg]));
-}
-
-static inline void gen_store_spr(int reg, TCGv t)
-{
-tcg_gen_st_tl(t, cpu_env, offsetof(CPUPPCState, spr[reg]));
-}
-
 /* Invalid instruction */
 static void gen_invalid(DisasContext *ctx)
 {
@@ -3602,6 +3635,24 @@ static inline bool use_goto_tb(DisasContext *ctx, 
target_ulong dest)
 #endif
 }
 
+static void gen_lookup_and_goto_ptr(DisasContext *ctx)
+{
+int sse = ctx->singlestep_enabled;
+if (unlikely(sse)) {
+if (sse & GDBSTUB_SINGLE_STEP) {
+

[Qemu-devel] [PULL 09/26] target/ppc: Use non-arithmetic conversions for fp load/store

2018-08-20 Thread David Gibson
From: Richard Henderson 

Memory operations have no side effects on fp state.
The use of "real" conversions between float64 and float32
would raise exceptions for SNaN and out-of-range inputs.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c| 61 --
 target/ppc/helper.h|  4 +-
 target/ppc/translate/fp-impl.inc.c | 26 +
 3 files changed, 61 insertions(+), 30 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index 5af5241ab0..b9bb1b856e 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -47,24 +47,61 @@ static inline bool fp_exceptions_enabled(CPUPPCState *env)
 
 /*/
 /* Floating point operations helpers */
-uint64_t helper_float32_to_float64(CPUPPCState *env, uint32_t arg)
+
+/*
+ * This is the non-arithmatic conversion that happens e.g. on loads.
+ * In the Power ISA pseudocode, this is called DOUBLE.
+ */
+uint64_t helper_todouble(uint32_t arg)
 {
-CPU_FloatU f;
-CPU_DoubleU d;
+uint32_t abs_arg = arg & 0x7fff;
+uint64_t ret;
 
-f.l = arg;
-d.d = float32_to_float64(f.f, >fp_status);
-return d.ll;
+if (likely(abs_arg >= 0x0080)) {
+/* Normalized operand, or Inf, or NaN.  */
+ret  = (uint64_t)extract32(arg, 30, 2) << 62;
+ret |= ((extract32(arg, 30, 1) ^ 1) * (uint64_t)7) << 59;
+ret |= (uint64_t)extract32(arg, 0, 30) << 29;
+} else {
+/* Zero or Denormalized operand.  */
+ret = (uint64_t)extract32(arg, 31, 1) << 63;
+if (unlikely(abs_arg != 0)) {
+/* Denormalized operand.  */
+int shift = clz32(abs_arg) - 9;
+int exp = -126 - shift + 1023;
+ret |= (uint64_t)exp << 52;
+ret |= abs_arg << (shift + 29);
+}
+}
+return ret;
 }
 
-uint32_t helper_float64_to_float32(CPUPPCState *env, uint64_t arg)
+/*
+ * This is the non-arithmatic conversion that happens e.g. on stores.
+ * In the Power ISA pseudocode, this is called SINGLE.
+ */
+uint32_t helper_tosingle(uint64_t arg)
 {
-CPU_FloatU f;
-CPU_DoubleU d;
+int exp = extract64(arg, 52, 11);
+uint32_t ret;
 
-d.ll = arg;
-f.f = float64_to_float32(d.d, >fp_status);
-return f.l;
+if (likely(exp > 896)) {
+/* No denormalization required (includes Inf, NaN).  */
+ret  = extract64(arg, 62, 2) << 30;
+ret |= extract64(arg, 29, 30);
+} else {
+/* Zero or Denormal result.  If the exponent is in bounds for
+ * a single-precision denormal result, extract the proper bits.
+ * If the input is not zero, and the exponent is out of bounds,
+ * then the result is undefined; this underflows to zero.
+ */
+ret = extract64(arg, 63, 1) << 31;
+if (unlikely(exp >= 874)) {
+/* Denormal result.  */
+ret |= ((1ULL << 52) | extract64(arg, 0, 52)) >> (896 + 30 - exp);
+}
+}
+return ret;
 }
 
 static inline int ppc_float32_get_unbiased_exp(float32 f)
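Review bot: helper_todouble() has three problems visible in the hunk. (1) The "Normalized operand, or Inf, or NaN" branch does not handle Inf/NaN: a float32 exponent of 0xff becomes 0xff + 896 = 1151 in the double, not 2047, so +Inf (0x7f800000) converts to 2^128 and NaNs become finite; Inf/NaN need their own branch setting a 0x7ff exponent. (2) In the denormal branch `abs_arg << (shift + 29)` shifts a uint32_t by 29..51 bits (abs_arg == 1 gives clz32 == 31, shift == 22), undefined for counts >= 32 and truncating otherwise, and the leading 1 is kept as the top explicit mantissa bit rather than becoming the implicit bit: for abs_arg == 0x400000 (2^-127) shift is 0, exp is -126 + 1023, and bit 22 lands at bit 51, giving 1.5 * 2^-126. helper_tosingle() below is the inverse and maps biased exponent 896 to bit 22 with a right shift of 30, so the forward path should be shift = clz32(abs_arg) - 8 with `ret |= ((uint64_t)abs_arg << (shift + 29)) & ((1ULL << 52) - 1);`, which yields exp 896 and a zero mantissa for 0x400000 and exp 874 for abs_arg == 1. (3) The masks as shown, 0x7fff and 0x0080, are not the 32-bit values 0x7fffffff and 0x00800000 the sign strip and normal/denormal split need; if that is an archive rendering artefact, fine, otherwise it needs fixing too. Nit: "arithmatic" -> "arithmetic" in both comments.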
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index 7ed72c2337..ef64248bc4 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -61,8 +61,8 @@ DEF_HELPER_2(compute_fprf_float64, void, env, i64)
 DEF_HELPER_3(store_fpscr, void, env, i64, i32)
 DEF_HELPER_2(fpscr_clrbit, void, env, i32)
 DEF_HELPER_2(fpscr_setbit, void, env, i32)
-DEF_HELPER_2(float64_to_float32, i32, env, i64)
-DEF_HELPER_2(float32_to_float64, i64, env, i32)
+DEF_HELPER_FLAGS_1(todouble, TCG_CALL_NO_RWG_SE, i64, i32)
+DEF_HELPER_FLAGS_1(tosingle, TCG_CALL_NO_RWG_SE, i32, i64)
 
 DEF_HELPER_4(fcmpo, void, env, i64, i64, i32)
 DEF_HELPER_4(fcmpu, void, env, i64, i64, i32)
diff --git a/target/ppc/translate/fp-impl.inc.c 
b/target/ppc/translate/fp-impl.inc.c
index 2fbd4d4f38..a6f522b85c 100644
--- a/target/ppc/translate/fp-impl.inc.c
+++ b/target/ppc/translate/fp-impl.inc.c
@@ -660,15 +660,12 @@ GEN_LDUF(name, ldop, op | 0x21, type);
\
 GEN_LDUXF(name, ldop, op | 0x01, type);   \
 GEN_LDXF(name, ldop, 0x17, op | 0x00, type)
 
-static inline void gen_qemu_ld32fs(DisasContext *ctx, TCGv_i64 arg1, TCGv arg2)
+static void gen_qemu_ld32fs(DisasContext *ctx, TCGv_i64 dest, TCGv addr)
 {
-TCGv t0 = tcg_temp_new();
-TCGv_i32 t1 = tcg_temp_new_i32();
-gen_qemu_ld32u(ctx, t0, arg2);
-tcg_gen_trunc_tl_i32(t1, t0);
-tcg_temp_free(t0);
-gen_helper_float32_to_float64(arg1, cpu_env, t1);
-tcg_temp_free_i32(t1);
+TCGv_i32 tmp = tcg_temp_new_i32();
+tcg_gen_qemu_ld_i32(tmp, addr, ctx->mem_idx, DEF_MEMOP(MO_UL));
+gen_helper_todouble(dest, tmp);
+tcg_temp_free_i32(tmp);
 }
 
  /* lfd lfdu lfdux lfdx */
@@ -836,15 +833,12 @@ GEN_STUF(name, stop, op | 0x21, type);
\
 

[Qemu-devel] [PULL 25/26] spapr_pci: factorize the use of SPAPR_MACHINE_GET_CLASS()

2018-08-20 Thread David Gibson
From: Cédric Le Goater 

It should save us some CPU cycles as these routines perform a lot of
checks.

Signed-off-by: Cédric Le Goater 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_pci.c | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index 3791ced6c5..5cd676e443 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -267,6 +267,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 target_ulong args, uint32_t nret,
 target_ulong rets)
 {
+sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
 uint32_t config_addr = rtas_ld(args, 0);
 uint64_t buid = rtas_ldq(args, 1);
 unsigned int func = rtas_ld(args, 3);
@@ -334,7 +335,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 return;
 }
 
-if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+if (!smc->legacy_irq_allocation) {
 spapr_irq_msi_free(spapr, msi->first_irq, msi->num);
 }
 spapr_irq_free(spapr, msi->first_irq, msi->num);
@@ -375,7 +376,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 }
 
 /* Allocate MSIs */
-if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+if (smc->legacy_irq_allocation) {
 irq = spapr_irq_find(spapr, req_num, ret_intr_type == RTAS_TYPE_MSI,
  );
 } else {
@@ -401,7 +402,7 @@ static void rtas_ibm_change_msi(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 
 /* Release previous MSIs */
 if (msi) {
-if (!SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+if (!smc->legacy_irq_allocation) {
 spapr_irq_msi_free(spapr, msi->first_irq, msi->num);
 }
 spapr_irq_free(spapr, msi->first_irq, msi->num);
@@ -1558,6 +1559,7 @@ static void spapr_phb_realize(DeviceState *dev, Error 
**errp)
 sPAPRMachineState *spapr =
 (sPAPRMachineState *) object_dynamic_cast(qdev_get_machine(),
   TYPE_SPAPR_MACHINE);
+sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
 SysBusDevice *s = SYS_BUS_DEVICE(dev);
 sPAPRPHBState *sphb = SPAPR_PCI_HOST_BRIDGE(s);
 PCIHostState *phb = PCI_HOST_BRIDGE(s);
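Review bot: `smc` is now initialised at its declaration, i.e. before whatever check follows the object_dynamic_cast() that produces `spapr`; if `spapr` can be NULL there (the dynamic cast suggests that case is guarded just below), SPAPR_MACHINE_GET_CLASS(NULL) dereferences it before the guard runs. Either assign `smc` after the NULL check, as the removed declaration inside the `sphb->index` block effectively did, or assert spapr != NULL first.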
@@ -1575,7 +1577,6 @@ static void spapr_phb_realize(DeviceState *dev, Error 
**errp)
 }
 
 if (sphb->index != (uint32_t)-1) {
-sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
 Error *local_err = NULL;
 
 smc->phb_placement(spapr, sphb->index,
@@ -1720,7 +1721,7 @@ static void spapr_phb_realize(DeviceState *dev, Error 
**errp)
 uint32_t irq = SPAPR_IRQ_PCI_LSI + sphb->index * PCI_NUM_PINS + i;
 Error *local_err = NULL;
 
-if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+if (smc->legacy_irq_allocation) {
 irq = spapr_irq_findone(spapr, _err);
 if (local_err) {
 error_propagate(errp, local_err);
-- 
2.17.1




[Qemu-devel] [PULL 05/26] target/ppc: Tidy helper_fmul

2018-08-20 Thread David Gibson
From: Richard Henderson 

Tidy the invalid exception checking so that we rely on softfloat for
initial argument validation, and select the kind of invalid operand
exception only when we know we must.  Pass and return float64 values
directly rather than bounce through the CPU_DoubleU union.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 25 +++--
 target/ppc/helper.h |  2 +-
 2 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index c20b9ae672..b9ee46eb5f 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -635,27 +635,24 @@ uint64_t helper_fsub(CPUPPCState *env, uint64_t arg1, 
uint64_t arg2)
 }
 
 /* fmul - fmul. */
-uint64_t helper_fmul(CPUPPCState *env, uint64_t arg1, uint64_t arg2)
+float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2)
 {
-CPU_DoubleU farg1, farg2;
-
-farg1.ll = arg1;
-farg2.ll = arg2;
+float64 ret = float64_mul(arg1, arg2, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
- (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d {
-/* Multiplication of zero by infinity */
-farg1.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXIMZ, 1);
-} else {
-if (unlikely(float64_is_signaling_nan(farg1.d, >fp_status) ||
- float64_is_signaling_nan(farg2.d, >fp_status))) {
+if (unlikely(status & float_flag_invalid)) {
+if ((float64_is_infinity(arg1) && float64_is_zero(arg2)) ||
+(float64_is_zero(arg1) && float64_is_infinity(arg2))) {
+/* Multiplication of zero by infinity */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXIMZ, 1);
+} else if (float64_is_signaling_nan(arg1, >fp_status) ||
+   float64_is_signaling_nan(arg2, >fp_status)) {
 /* sNaN multiplication */
 float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
 }
-farg1.d = float64_mul(farg1.d, farg2.d, >fp_status);
 }
 
-return farg1.ll;
+return ret;
 }
 
 /* fdiv - fdiv. */
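Review bot: the return value of float_invalid_op_excp() is now discarded and `ret` from float64_mul() is returned in the inf * 0 case, whereas before `farg1.ll` took the helper's return value; if the two can differ (for instance when the invalid-operation exception is enabled and the destination is meant to stay unchanged), this is a behaviour change rather than a tidy-up, so either state in the commit message that they are always equal or keep assigning the helper's result.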
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index 1c453fa0f7..e4f7c55db9 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -87,7 +87,7 @@ DEF_HELPER_2(frim, i64, env, i64)
 
 DEF_HELPER_3(fadd, i64, env, i64, i64)
 DEF_HELPER_3(fsub, i64, env, i64, i64)
-DEF_HELPER_3(fmul, i64, env, i64, i64)
+DEF_HELPER_3(fmul, f64, env, f64, f64)
 DEF_HELPER_3(fdiv, f64, env, f64, f64)
 DEF_HELPER_4(fmadd, i64, env, i64, i64, i64)
 DEF_HELPER_4(fmsub, i64, env, i64, i64, i64)
-- 
2.17.1




[Qemu-devel] [PULL 14/26] spapr: Add a pseries-3.1 machine type

2018-08-20 Thread David Gibson
From: Cédric Le Goater 

Signed-off-by: Cédric Le Goater 
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index e5d825374e..a732f59205 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4059,19 +4059,38 @@ static const TypeInfo spapr_machine_info = {
 }\
 type_init(spapr_machine_register_##suffix)
 
+ /*
+ * pseries-3.1
+ */
+static void spapr_machine_3_1_instance_options(MachineState *machine)
+{
+}
+
+static void spapr_machine_3_1_class_options(MachineClass *mc)
+{
+/* Defaults for the latest behaviour inherited from the base class */
+}
+
+DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
+
 /*
  * pseries-3.0
  */
+#define SPAPR_COMPAT_3_0  \
+HW_COMPAT_3_0
+
 static void spapr_machine_3_0_instance_options(MachineState *machine)
 {
+spapr_machine_3_1_instance_options(machine);
 }
 
 static void spapr_machine_3_0_class_options(MachineClass *mc)
 {
-/* Defaults for the latest behaviour inherited from the base class */
+spapr_machine_3_1_class_options(mc);
+SET_MACHINE_COMPAT(mc, SPAPR_COMPAT_3_0);
 }
 
-DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
+DEFINE_SPAPR_MACHINE(3_0, "3.0", false);
 
 /*
  * pseries-2.12
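Review bot: the comment opening the new pseries-3.1 block is indented by one space (" /*"), unlike the pseries-3.0 block that follows; align it. Since SPAPR_COMPAT_3_0 currently expands to HW_COMPAT_3_0 only, it would help to say in the commit message that no spapr-specific compat property is needed to keep pseries-3.0 behaviour, so that a later reader does not assume an entry was forgotten.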
-- 
2.17.1




[Qemu-devel] [PULL 06/26] target/ppc: Tidy helper_fadd, helper_fsub

2018-08-20 Thread David Gibson
From: Richard Henderson 

Tidy the invalid exception checking so that we rely on softfloat for
initial argument validation, and select the kind of invalid operand
exception only when we know we must.  Pass and return float64 values
directly rather than bounce through the CPU_DoubleU union.

Note that because we know float_flag_invalid was set, we do not have
to re-check the signs of the infinities.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 50 +
 target/ppc/helper.h |  4 ++--
 2 files changed, 23 insertions(+), 31 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index b9ee46eb5f..7758372ecd 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -587,51 +587,43 @@ void helper_reset_fpstatus(CPUPPCState *env)
 }
 
 /* fadd - fadd. */
-uint64_t helper_fadd(CPUPPCState *env, uint64_t arg1, uint64_t arg2)
+float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2)
 {
-CPU_DoubleU farg1, farg2;
-
-farg1.ll = arg1;
-farg2.ll = arg2;
+float64 ret = float64_add(arg1, arg2, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) 
&&
- float64_is_neg(farg1.d) != float64_is_neg(farg2.d))) {
-/* Magnitude subtraction of infinities */
-farg1.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXISI, 1);
-} else {
-if (unlikely(float64_is_signaling_nan(farg1.d, >fp_status) ||
- float64_is_signaling_nan(farg2.d, >fp_status))) {
+if (unlikely(status & float_flag_invalid)) {
+if (float64_is_infinity(arg1) && float64_is_infinity(arg2)) {
+/* Magnitude subtraction of infinities */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXISI, 1);
+} else if (float64_is_signaling_nan(arg1, >fp_status) ||
+   float64_is_signaling_nan(arg2, >fp_status)) {
 /* sNaN addition */
 float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
 }
-farg1.d = float64_add(farg1.d, farg2.d, >fp_status);
 }
 
-return farg1.ll;
+return ret;
 }
 
 /* fsub - fsub. */
-uint64_t helper_fsub(CPUPPCState *env, uint64_t arg1, uint64_t arg2)
+float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2)
 {
-CPU_DoubleU farg1, farg2;
-
-farg1.ll = arg1;
-farg2.ll = arg2;
+float64 ret = float64_sub(arg1, arg2, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) 
&&
- float64_is_neg(farg1.d) == float64_is_neg(farg2.d))) {
-/* Magnitude subtraction of infinities */
-farg1.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXISI, 1);
-} else {
-if (unlikely(float64_is_signaling_nan(farg1.d, >fp_status) ||
- float64_is_signaling_nan(farg2.d, >fp_status))) {
-/* sNaN subtraction */
+if (unlikely(status & float_flag_invalid)) {
+if (float64_is_infinity(arg1) && float64_is_infinity(arg2)) {
+/* Magnitude subtraction of infinities */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXISI, 1);
+} else if (float64_is_signaling_nan(arg1, >fp_status) ||
+   float64_is_signaling_nan(arg2, >fp_status)) {
+/* sNaN addition */
 float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
 }
-farg1.d = float64_sub(farg1.d, farg2.d, >fp_status);
 }
 
-return farg1.ll;
+return ret;
 }
 
 /* fmul - fmul. */
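Review bot: in helper_fsub() the comment on the sNaN branch regresses from "/* sNaN subtraction */" (removed line) to "/* sNaN addition */"; restore "subtraction". The reliance on float_flag_invalid to drop the sign comparison is otherwise sound: two infinities only make add/sub invalid when their magnitudes are being subtracted, so the sign check in the removed code was redundant once softfloat has flagged the operation.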
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index e4f7c55db9..d81806dd2c 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -85,8 +85,8 @@ DEF_HELPER_2(friz, i64, env, i64)
 DEF_HELPER_2(frip, i64, env, i64)
 DEF_HELPER_2(frim, i64, env, i64)
 
-DEF_HELPER_3(fadd, i64, env, i64, i64)
-DEF_HELPER_3(fsub, i64, env, i64, i64)
+DEF_HELPER_3(fadd, f64, env, f64, f64)
+DEF_HELPER_3(fsub, f64, env, f64, f64)
 DEF_HELPER_3(fmul, f64, env, f64, f64)
 DEF_HELPER_3(fdiv, f64, env, f64, f64)
 DEF_HELPER_4(fmadd, i64, env, i64, i64, i64)
-- 
2.17.1




[Qemu-devel] [PULL 24/26] mac_newworld: don't use legacy fw_cfg_init_mem() function

2018-08-20 Thread David Gibson
From: Mark Cave-Ayland 

Instead initialise the device via qdev to allow us to set device properties
directly as required.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/ppc/mac_newworld.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 2ca294664b..a6b95f024c 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -454,7 +454,17 @@ static void ppc_core99_init(MachineState *machine)
 pmac_format_nvram_partition(nvr, 0x2000);
 /* No PCI init: the BIOS will do it */
 
-fw_cfg = fw_cfg_init_mem(CFG_ADDR, CFG_ADDR + 2);
+dev = qdev_create(NULL, TYPE_FW_CFG_MEM);
+fw_cfg = FW_CFG(dev);
+qdev_prop_set_uint32(dev, "data_width", 1);
+qdev_prop_set_bit(dev, "dma_enabled", false);
+object_property_add_child(OBJECT(qdev_get_machine()), TYPE_FW_CFG,
+  OBJECT(fw_cfg), NULL);
+qdev_init_nofail(dev);
+s = SYS_BUS_DEVICE(dev);
+sysbus_mmio_map(s, 0, CFG_ADDR);
+sysbus_mmio_map(s, 1, CFG_ADDR + 2);
+
 fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)smp_cpus);
 fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
 fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
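Review bot: object_property_add_child(..., NULL) discards any error the call may report, so a failure to attach the TYPE_FW_CFG child to the machine object would go unnoticed at realize time; since such a failure would be a programming error rather than a user-triggerable one, passing &error_abort would surface it immediately. The same applies to the identical block in mac_oldworld.c in this series.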
-- 
2.17.1




[Qemu-devel] [PULL 13/26] target/ppc: simplify bcdadd/sub functions

2018-08-20 Thread David Gibson
From: Yasmin Beatriz 

After solving a corner case in bcdsub, this patch simplifies the logic
of both bcdadd/sub instructions by removing some unnecessary local flags.
This commit also rearranges some if-else conditions in bcdadd to make it
easier to read.

Signed-off-by: Yasmin Beatriz 
Signed-off-by: David Gibson 
---
 target/ppc/int_helper.c | 49 +++--
 1 file changed, 18 insertions(+), 31 deletions(-)

diff --git a/target/ppc/int_helper.c b/target/ppc/int_helper.c
index ac7f92d7ae..fcac90a4a9 100644
--- a/target/ppc/int_helper.c
+++ b/target/ppc/int_helper.c
@@ -2671,16 +2671,14 @@ static int bcd_cmp_mag(ppc_avr_t *a, ppc_avr_t *b)
 return 0;
 }
 
-static int bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
+static void bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
int *overflow)
 {
 int carry = 0;
 int i;
-int is_zero = 1;
 for (i = 1; i <= 31; i++) {
 uint8_t digit = bcd_get_digit(a, i, invalid) +
 bcd_get_digit(b, i, invalid) + carry;
-is_zero &= (digit == 0);
 if (digit > 9) {
 carry = 1;
 digit -= 10;
@@ -2689,26 +2687,20 @@ static int bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, 
ppc_avr_t *b, int *invalid,
 }
 
 bcd_put_digit(t, digit, i);
-
-if (unlikely(*invalid)) {
-return -1;
-}
 }
 
 *overflow = carry;
-return is_zero;
 }
 
-static int bcd_sub_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
+static void bcd_sub_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
int *overflow)
 {
 int carry = 0;
 int i;
-int is_zero = 1;
+
 for (i = 1; i <= 31; i++) {
 uint8_t digit = bcd_get_digit(a, i, invalid) -
 bcd_get_digit(b, i, invalid) + carry;
-is_zero &= (digit == 0);
 if (digit & 0x80) {
 carry = -1;
 digit += 10;
@@ -2717,14 +2709,9 @@ static int bcd_sub_mag(ppc_avr_t *t, ppc_avr_t *a, 
ppc_avr_t *b, int *invalid,
 }
 
 bcd_put_digit(t, digit, i);
-
-if (unlikely(*invalid)) {
-return -1;
-}
 }
 
 *overflow = carry;
-return is_zero;
 }
 
 uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, ppc_avr_t *b, uint32_t ps)
@@ -2734,26 +2721,28 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 int sgnb = bcd_get_sgn(b);
 int invalid = (sgna == 0) || (sgnb == 0);
 int overflow = 0;
-int zero = 0;
 uint32_t cr = 0;
 ppc_avr_t result = { .u64 = { 0, 0 } };
 
 if (!invalid) {
 if (sgna == sgnb) {
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
-zero = bcd_add_mag(, a, b, , );
-cr = (sgna > 0) ? CRF_GT : CRF_LT;
-} else if (bcd_cmp_mag(a, b) > 0) {
-result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
-zero = bcd_sub_mag(, a, b, , );
-cr = (sgna > 0) ? CRF_GT : CRF_LT;
-} else if (bcd_cmp_mag(a, b) == 0) {
-result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(0, ps);
-zero = bcd_sub_mag(, b, a, , );
+bcd_add_mag(, a, b, , );
+cr = bcd_cmp_zero();
 } else {
-result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgnb, ps);
-zero = bcd_sub_mag(, b, a, , );
-cr = (sgnb > 0) ? CRF_GT : CRF_LT;
+int magnitude = bcd_cmp_mag(a, b);
+if (magnitude > 0) {
+result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
+bcd_sub_mag(, a, b, , );
+cr = (sgna > 0) ? CRF_GT : CRF_LT;
+} else if (magnitude < 0) {
+result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgnb, ps);
+bcd_sub_mag(, b, a, , );
+cr = (sgnb > 0) ? CRF_GT : CRF_LT;
+} else {
+result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(0, ps);
+cr = CRF_EQ;
+}
 }
 }
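Review bot: the `magnitude == 0` branch no longer calls bcd_sub_mag(), so the per-digit validity check that bcd_get_digit(..., invalid) performs inside the _mag helpers is skipped for equal-magnitude operands; unless bcd_cmp_mag() also sets `invalid`, two operands carrying the same invalid digit in the same position now yield a zero result with CRF_EQ instead of CRF_SO. A test for that case, or a comment saying why it cannot happen, would settle it.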
 
@@ -2762,8 +2751,6 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 cr = CRF_SO;
 } else if (overflow) {
 cr |= CRF_SO;
-} else if (zero) {
-cr = CRF_EQ;
 }
 
 *r = result;
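Review bot: CR6 changes for an addition that overflows to zero: previously `else if (zero)` sat behind `else if (overflow)`, so an overflowing result kept its GT/LT bit, whereas now bcd_cmp_zero() returns CRF_EQ in the same-sign path before `cr |= CRF_SO` is applied (999...9 + 1 now gives EQ|SO instead of GT|SO). If that matches the ISA definition of the EQ bit under overflow it should be called out in the commit message; otherwise the zero test has to remain conditional on !overflow.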
-- 
2.17.1




[Qemu-devel] [PULL 00/26] ppc-for-3.1 queue 20180821

2018-08-20 Thread David Gibson
The following changes since commit d0092d90eb546a8bbe9e9120426c189474123797:

  Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180820' into 
staging (2018-08-20 17:41:18 +0100)

are available in the Git repository at:

  git://github.com/dgibson/qemu.git tags/ppc-for-3.1-20180821

for you to fetch changes up to 0e3bf4890906fa7066a5deafd6ab033934b8d100:

  ppc: add DBCR based debugging (2018-08-21 14:28:45 +1000)


ppc patch queue 2018-08-21

Here's my first ppc & spapr pull request for qemu-3.1.  This contains
a bunch of things that have accumulated while 3.0 was in freeze.
Highlights are:
* SLOF firmware update
* A number of floating point cleanups from Richard Henderson and
  Yasmin Beatriz
* A new model for assigning irq numbers on spapr, this is an
  important preliminary step towards implementing the POWER9
  "XIVE" interrupt controller


Alexey Kardashevskiy (2):
  pseries: Update SLOF firmware image
  vfio/spapr: Allow backing bigger guest IOMMU pages with smaller physical 
pages

Bharata B Rao (1):
  spapr_cpu_core: vmstate_[un]register per-CPU data from (un)realizefn

Cédric Le Goater (4):
  spapr: Add a pseries-3.1 machine type
  spapr: introduce a fixed IRQ number space
  spapr: introduce a IRQ controller backend to the machine
  spapr_pci: factorize the use of SPAPR_MACHINE_GET_CLASS()

Greg Kurz (1):
  xics: don't include "target/ppc/cpu-qom.h" in "hw/ppc/xics.h"

Hervé Poussineau (2):
  hw/ppc: deprecate the machine type 'prep', replaced by '40p'
  qemu-doc: mark ppc/prep machine as deprecated

Mark Cave-Ayland (3):
  40p: don't use legacy fw_cfg_init_mem() function
  mac_oldworld: don't use legacy fw_cfg_init_mem() function
  mac_newworld: don't use legacy fw_cfg_init_mem() function

Peter Maydell (3):
  hw/ppc/prep: Remove ifdeffed-out stub of XCSR code
  hw/ppc/ppc_boards: Don't use old_mmio for ref405ep_fpga
  hw/ppc/ppc405_uc: Convert away from old_mmio

Richard Henderson (7):
  target/ppc: Enable fp exceptions for user-only
  target/ppc: Honor fpscr_ze semantics and tidy fdiv
  target/ppc: Tidy helper_fmul
  target/ppc: Tidy helper_fadd, helper_fsub
  target/ppc: Tidy helper_fsqrt
  target/ppc: Honor fpscr_ze semantics and tidy fre, fresqrt
  target/ppc: Use non-arithmetic conversions for fp load/store

Roman Kapl (1):
  ppc: add DBCR based debugging

Yasmin Beatriz (2):
  target/ppc: bcdsub fix sign when result is zero
  target/ppc: simplify bcdadd/sub functions

 hw/ppc/Makefile.objs   |   2 +-
 hw/ppc/mac_newworld.c  |  12 +-
 hw/ppc/mac_oldworld.c  |  12 +-
 hw/ppc/ppc405_boards.c |  60 ++--
 hw/ppc/ppc405_uc.c | 173 --
 hw/ppc/prep.c  | 111 ++
 hw/ppc/spapr.c | 225 +++-
 hw/ppc/spapr_cpu_core.c|  63 
 hw/ppc/spapr_events.c  |  12 +-
 hw/ppc/spapr_irq.c | 286 
 hw/ppc/spapr_pci.c |  32 +++-
 hw/ppc/spapr_vio.c |  66 -
 hw/vfio/common.c   |   3 +
 hw/vfio/spapr.c|  21 ++-
 include/hw/ppc/spapr.h |  16 +-
 include/hw/ppc/spapr_irq.h |  54 +++
 include/hw/ppc/xics.h  |   1 -
 include/hw/vfio/vfio-common.h  |   1 +
 pc-bios/README |   2 +-
 pc-bios/slof.bin   | Bin 924840 -> 974544 bytes
 qemu-deprecated.texi   |   6 +
 roms/SLOF  |   2 +-
 target/ppc/cpu.h   |   5 +
 target/ppc/excp_helper.c   |  11 +-
 target/ppc/fpu_helper.c| 292 ++---
 target/ppc/helper.h|  14 +-
 target/ppc/int_helper.c|  46 +++---
 target/ppc/translate.c | 107 ++
 target/ppc/translate/fp-impl.inc.c |  26 ++--
 target/ppc/translate_init.inc.c|  19 +++
 tests/boot-serial-test.c   |   2 -
 31 files changed, 946 insertions(+), 736 deletions(-)
 create mode 100644 hw/ppc/spapr_irq.c
 create mode 100644 include/hw/ppc/spapr_irq.h



[Qemu-devel] [PULL 08/26] target/ppc: Honor fpscr_ze semantics and tidy fre, fresqrt

2018-08-20 Thread David Gibson
From: Richard Henderson 

Divide by zero, exception taken, leaves the destination register
unmodified.  Therefore we must raise the exception before returning
from the respective helpers.

From helper_fre, divide by zero exception not taken, return the
documented +/- 0.5.

At the same time, tidy the invalid exception checking so that we
rely on softfloat for initial argument validation, and select the
kind of invalid operand exception only when we know we must.

At the same time, pass and return float64 values directly rather
than bounce through the CPU_DoubleU union.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 62 -
 1 file changed, 37 insertions(+), 25 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index 44f3fed17d..5af5241ab0 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -879,18 +879,27 @@ float64 helper_fsqrt(CPUPPCState *env, float64 arg)
 }
 
 /* fre - fre. */
-uint64_t helper_fre(CPUPPCState *env, uint64_t arg)
+float64 helper_fre(CPUPPCState *env, float64 arg)
 {
-CPU_DoubleU farg;
-
-farg.ll = arg;
+/* "Estimate" the reciprocal with actual division.  */
+float64 ret = float64_div(float64_one, arg, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_signaling_nan(farg.d, >fp_status))) {
-/* sNaN reciprocal */
-float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+if (unlikely(status)) {
+if (status & float_flag_invalid) {
+if (float64_is_signaling_nan(arg, >fp_status)) {
+/* sNaN reciprocal */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+}
+}
+if (status & float_flag_divbyzero) {
+float_zero_divide_excp(env, GETPC());
+/* For FPSCR.ZE == 0, the result is 1/2.  */
+ret = float64_set_sign(float64_half, float64_is_neg(arg));
+}
 }
-farg.d = float64_div(float64_one, farg.d, >fp_status);
-return farg.d;
+
+return ret;
 }
 
 /* fres - fres. */
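Review bot: the ±0.5 assignment on the divbyzero path (`ret = float64_set_sign(float64_half, float64_is_neg(arg));`) is only reached when float_zero_divide_excp() returns, i.e. when FPSCR.ZE == 0; when ZE is set the call does not return and the destination stays unmodified, which is exactly what the description asks for. A one-line comment above the call saying it may not return would make that dependency explicit, because swapping the two statements later would silently change the trapping result.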
@@ -913,27 +922,30 @@ uint64_t helper_fres(CPUPPCState *env, uint64_t arg)
 }
 
 /* frsqrte  - frsqrte. */
-uint64_t helper_frsqrte(CPUPPCState *env, uint64_t arg)
+float64 helper_frsqrte(CPUPPCState *env, float64 arg)
 {
-CPU_DoubleU farg;
-
-farg.ll = arg;
+/* "Estimate" the reciprocal with actual division.  */
+float64 rets = float64_sqrt(arg, >fp_status);
+float64 retd = float64_div(float64_one, rets, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_any_nan(farg.d))) {
-if (unlikely(float64_is_signaling_nan(farg.d, >fp_status))) {
-/* sNaN reciprocal square root */
-float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
-farg.ll = float64_snan_to_qnan(farg.ll);
+if (unlikely(status)) {
+if (status & float_flag_invalid) {
+if (float64_is_signaling_nan(arg, >fp_status)) {
+/* sNaN reciprocal */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+} else {
+/* Square root of a negative nonzero number */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSQRT, 1);
+}
+}
+if (status & float_flag_divbyzero) {
+/* Reciprocal of (square root of) zero.  */
+float_zero_divide_excp(env, GETPC());
 }
-} else if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
-/* Reciprocal square root of a negative nonzero number */
-farg.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSQRT, 1);
-} else {
-farg.d = float64_sqrt(farg.d, >fp_status);
-farg.d = float64_div(float64_one, farg.d, >fp_status);
 }
 
-return farg.ll;
+return retd;
 }
 
 /* fsel - fsel. */
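Review bot: two comments in the new helper_frsqrte body are misleading: `/* "Estimate" the reciprocal with actual division.  */` now precedes a square root followed by a division, and `/* sNaN reciprocal */` replaces the old, more accurate `sNaN reciprocal square root`; suggest restoring the wording. The `else` branch also assumes that any invalid flag not caused by an sNaN comes from the square root of a negative number; that holds because 1/sqrt(x) cannot itself raise invalid once the sqrt succeeded, but a short comment stating the assumption would help the next reader.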
-- 
2.17.1




[Qemu-devel] [PULL 12/26] xics: don't include "target/ppc/cpu-qom.h" in "hw/ppc/xics.h"

2018-08-20 Thread David Gibson
From: Greg Kurz 

The last user of the PowerPCCPU typedef in "hw/ppc/xics.h" vanished with
commit b1fd36c363d73969841468146ebfb9fd84a5ee52. It isn't necessary to
include "target/ppc/cpu-qom.h" there anymore.

Signed-off-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 include/hw/ppc/xics.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/hw/ppc/xics.h b/include/hw/ppc/xics.h
index 6ac8a9392d..9c2916c9b2 100644
--- a/include/hw/ppc/xics.h
+++ b/include/hw/ppc/xics.h
@@ -29,7 +29,6 @@
 #define XICS_H
 
 #include "hw/qdev.h"
-#include "target/ppc/cpu-qom.h"
 
 #define XICS_IPI0x2
 #define XICS_BUID   0x1
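Review bot: dropping an include from a widely included header can break translation units that relied on it transitively; this is fine only if every file that includes hw/ppc/xics.h and uses PowerPCCPU already includes target/ppc/cpu-qom.h (or cpu.h) itself. A full build of the ppc and ppc64 softmmu targets, which the commit message does not mention, should confirm that.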
-- 
2.17.1




[Qemu-devel] [PULL 10/26] target/ppc: bcdsub fix sign when result is zero

2018-08-20 Thread David Gibson
From: Yasmin Beatriz 

When the result of bcdsub is equal to zero, the result sign may be
set to negative in some cases, and this does not follow the Power ISA
specifications as to decimal integer arithmetic instructions.

Signed-off-by: Yasmin Beatriz 
Signed-off-by: David Gibson 
---
 target/ppc/int_helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/ppc/int_helper.c b/target/ppc/int_helper.c
index d52338ed71..ac7f92d7ae 100644
--- a/target/ppc/int_helper.c
+++ b/target/ppc/int_helper.c
@@ -2747,6 +2747,9 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
 zero = bcd_sub_mag(, a, b, , );
 cr = (sgna > 0) ? CRF_GT : CRF_LT;
+} else if (bcd_cmp_mag(a, b) == 0) {
+result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(0, ps);
+zero = bcd_sub_mag(, b, a, , );
 } else {
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgnb, ps);
 zero = bcd_sub_mag(, b, a, , );
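Review bot: the new `bcd_cmp_mag(a, b) == 0` branch duplicates the `bcd_sub_mag(..., b, a, ...)` call of the `else` branch that follows, and bcd_cmp_mag() is now evaluated twice on the same operands. Simpler: compute `int cmp = bcd_cmp_mag(a, b);` once, keep a single subtraction branch for `cmp <= 0`, and pick the sign with `bcd_preferred_sgn(cmp == 0 ? 0 : sgnb, ps)`. Note also that this branch does not assign `cr` as its two siblings do; that is correct only if the zero-result path after this block sets `cr = CRF_EQ`, which is outside the hunk and worth stating in the commit message.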
-- 
2.17.1




[Qemu-devel] [PULL 11/26] vfio/spapr: Allow backing bigger guest IOMMU pages with smaller physical pages

2018-08-20 Thread David Gibson
From: Alexey Kardashevskiy 

At the moment the PPC64/pseries guest only supports 4K/64K/16M IOMMU
pages and the POWER8 CPU supports the exact same set of page sizes, so
so far things have worked fine.

However POWER9 supports a different set of sizes - 4K/64K/2M/1G - and
the last two - 2M and 1G - are not even allowed in the paravirt interface
(RTAS DDW), so we always end up using 64K IOMMU pages, although we could
back the guest's 16MB IOMMU pages with 2MB pages on the host.

This stores the supported host IOMMU page sizes in VFIOContainer and uses
this later when creating a new DMA window. This uses the system page size
(64k normally, 2M/16M/1G if hugepages used) as the upper limit of
the IOMMU pagesize.

This changes the type of @pagesize to uint64_t as this is what
memory_region_iommu_get_min_page_size() returns and clz64() takes.

There should be no behavioral changes on platforms other than pseries.
The guest will keep using the IOMMU page size selected by the PHB pagesize
property as this only changes the underlying hardware TCE table
granularity.

Signed-off-by: Alexey Kardashevskiy 
Signed-off-by: David Gibson 
---
 hw/vfio/common.c  |  3 +++
 hw/vfio/spapr.c   | 21 -
 include/hw/vfio/vfio-common.h |  1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index cd1f4af18a..3f31f80b12 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -1136,6 +1136,7 @@ static int vfio_connect_container(VFIOGroup *group, 
AddressSpace *as,
 info.iova_pgsizes = 4096;
 }
 vfio_host_win_add(container, 0, (hwaddr)-1, info.iova_pgsizes);
+container->pgsizes = info.iova_pgsizes;
 } else if (ioctl(fd, VFIO_CHECK_EXTENSION, VFIO_SPAPR_TCE_IOMMU) ||
ioctl(fd, VFIO_CHECK_EXTENSION, VFIO_SPAPR_TCE_v2_IOMMU)) {
 struct vfio_iommu_spapr_tce_info info;
@@ -1200,6 +1201,7 @@ static int vfio_connect_container(VFIOGroup *group, 
AddressSpace *as,
 }
 
 if (v2) {
+container->pgsizes = info.ddw.pgsizes;
 /*
  * There is a default window in just created container.
  * To make region_add/del simpler, we better remove this
@@ -1214,6 +1216,7 @@ static int vfio_connect_container(VFIOGroup *group, 
AddressSpace *as,
 }
 } else {
 /* The default table uses 4K pages */
+container->pgsizes = 0x1000;
 vfio_host_win_add(container, info.dma32_window_start,
   info.dma32_window_start +
   info.dma32_window_size - 1,
diff --git a/hw/vfio/spapr.c b/hw/vfio/spapr.c
index 259397c002..becf71a3fc 100644
--- a/hw/vfio/spapr.c
+++ b/hw/vfio/spapr.c
@@ -15,6 +15,7 @@
 
 #include "hw/vfio/vfio-common.h"
 #include "hw/hw.h"
+#include "exec/ram_addr.h"
 #include "qemu/error-report.h"
 #include "trace.h"
 
@@ -144,9 +145,27 @@ int vfio_spapr_create_window(VFIOContainer *container,
 {
 int ret;
 IOMMUMemoryRegion *iommu_mr = IOMMU_MEMORY_REGION(section->mr);
-unsigned pagesize = memory_region_iommu_get_min_page_size(iommu_mr);
+uint64_t pagesize = memory_region_iommu_get_min_page_size(iommu_mr);
 unsigned entries, pages;
 struct vfio_iommu_spapr_tce_create create = { .argsz = sizeof(create) };
+long systempagesize = qemu_getrampagesize();
+
+/*
+ * The host might not support the guest supported IOMMU page size,
+ * so we will use smaller physical IOMMU pages to back them.
+ */
+if (pagesize > systempagesize) {
+pagesize = systempagesize;
+}
+pagesize = 1ULL << (63 - clz64(container->pgsizes &
+   (pagesize | (pagesize - 1;
+if (!pagesize) {
+error_report("Host doesn't support page size 0x%"PRIx64
+ ", the supported mask is 0x%lx",
+ memory_region_iommu_get_min_page_size(iommu_mr),
+ container->pgsizes);
+return -EINVAL;
+}
 
 /*
  * FIXME: For VFIO iommu types which have KVM acceleration to
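Review bot: the `1ULL << (63 - clz64(...))` computation runs before the `if (!pagesize)` check, but when `container->pgsizes` has no bit at or below the limit the masked value is 0, clz64(0) returns 64, and the shift amount becomes -1, which is undefined behaviour in C and on x86 typically yields 1 << 63 rather than 0, so the error path would never fire. Test the masked value for zero first, e.g. `uint64_t pgsizes = container->pgsizes & (pagesize | (pagesize - 1));` followed by `if (!pgsizes) { error_report(...); return -EINVAL; }`, and shift only afterwards. Two smaller points: `systempagesize` is `long` while `pagesize` is `uint64_t`, so `pagesize > systempagesize` is a signed/unsigned comparison; and the error message prints `container->pgsizes` with `0x%lx`, which ties that field to `unsigned long` (see the header hunk).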
diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
index 15ea6c26fd..821def0565 100644
--- a/include/hw/vfio/vfio-common.h
+++ b/include/hw/vfio/vfio-common.h
@@ -73,6 +73,7 @@ typedef struct VFIOContainer {
 unsigned iommu_type;
 int error;
 bool initialized;
+unsigned long pgsizes;
 /*
  * This assumes the host IOMMU can support only a single
  * contiguous IOVA window.  We may need to generalize that in
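Review bot: `unsigned long pgsizes` receives `info.iova_pgsizes` and `info.ddw.pgsizes`, which the VFIO uapi declares as `__u64`; on a 32-bit host `unsigned long` silently truncates the mask. `uint64_t` here, with `PRIx64` in the error_report in spapr.c, would match the source type and the commit message's own choice of uint64_t for @pagesize. A one-line comment saying the field is a bitmask of host-supported IOMMU page sizes, one bit per power-of-two size, would also help, since the field directly below it is documented and this one is not.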
-- 
2.17.1
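The page-size selection the patch above describes (the largest host IOMMU page size that the host supports and that is no larger than either the guest IOMMU page size or the host RAM page size), as an added worked example. This is not QEMU's code: the function name pick_iommu_pagesize and the SZ_* constants are my own, and the scenarios are constructed from the sizes named in the commit message. Unlike the patch's one-liner, it tests the masked bitmask for zero before extracting the highest bit, so an unsupported size is reported as 0 instead of relying on the result of a shift computed from clz(0).

```c
#include <stdint.h>
#include <stdio.h>

/* Page sizes used in the constructed scenarios below (all powers of two). */
#define SZ_4K   (1ULL << 12)
#define SZ_64K  (1ULL << 16)
#define SZ_2M   (1ULL << 21)
#define SZ_16M  (1ULL << 24)
#define SZ_1G   (1ULL << 30)

/*
 * Hypothetical helper (not QEMU code): choose the largest host IOMMU page
 * size that the host supports and that is no larger than both the guest's
 * minimum IOMMU page size and the host system (RAM) page size.
 *
 * host_pgsizes    - bitmask of supported host IOMMU page sizes, one bit per
 *                   power-of-two size (the shape VFIO reports in iova_pgsizes)
 * guest_pagesize  - minimum page size of the guest IOMMU region
 * system_pagesize - host RAM page size (64K normally, larger with hugepages)
 *
 * Returns 0 when no host page size qualifies; the caller must treat that as
 * an error rather than create a DMA window with it.
 */
static uint64_t pick_iommu_pagesize(uint64_t host_pgsizes,
                                    uint64_t guest_pagesize,
                                    uint64_t system_pagesize)
{
    uint64_t limit, candidates;

    /* A zero limit would turn the mask below into "everything"; reject it. */
    if (guest_pagesize == 0 || system_pagesize == 0) {
        return 0;
    }

    /* Never use host pages larger than the guest IOMMU page or the RAM page. */
    limit = guest_pagesize < system_pagesize ? guest_pagesize : system_pagesize;

    /* limit | (limit - 1) sets every bit at or below limit's highest bit. */
    candidates = host_pgsizes & (limit | (limit - 1));

    /* Check for "no candidate" before any bit trick: avoids the clz(0) case. */
    if (candidates == 0) {
        return 0;
    }

    /* Clear low bits until one remains: the highest supported size <= limit. */
    while (candidates & (candidates - 1)) {
        candidates &= candidates - 1;
    }
    return candidates;
}

int main(void)
{
    /* Constructed scenarios following the commit message. */
    uint64_t p8 = SZ_4K | SZ_64K | SZ_16M;          /* POWER8-style host */
    uint64_t p9 = SZ_4K | SZ_64K | SZ_2M | SZ_1G;   /* POWER9-style host */

    printf("POWER8, guest 16M, RAM 64K -> 0x%llx\n",
           (unsigned long long)pick_iommu_pagesize(p8, SZ_16M, SZ_64K));
    printf("POWER9, guest 16M, RAM 2M  -> 0x%llx\n",
           (unsigned long long)pick_iommu_pagesize(p9, SZ_16M, SZ_2M));
    printf("POWER9, guest 16M, RAM 64K -> 0x%llx\n",
           (unsigned long long)pick_iommu_pagesize(p9, SZ_16M, SZ_64K));
    printf("1G-only host, guest 4K     -> 0x%llx (error)\n",
           (unsigned long long)pick_iommu_pagesize(SZ_1G, SZ_4K, SZ_64K));
    return 0;
}
```

The POWER9 case with hugepage-backed RAM is the one the patch is about: the guest's 16M IOMMU page is backed by 2M host pages, while with 64K RAM pages the selection falls back to 64K as before.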




[Qemu-devel] [PULL 04/26] target/ppc: Honor fpscr_ze semantics and tidy fdiv

2018-08-20 Thread David Gibson
From: Richard Henderson 

Divide by zero, exception taken, leaves the destination register
unmodified.  Therefore we must raise the exception before returning
from helper_fdiv.  Move the check from do_float_check_status into
helper_fdiv.

At the same time, tidy the invalid exception checking so that we
rely on softfloat for initial argument validation, and select the
kind of invalid operand exception only when we know we must.

At the same time, pass and return float64 values directly rather
than bounce through the CPU_DoubleU union.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 50 +++--
 target/ppc/helper.h |  2 +-
 2 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index 9b39c4b3e5..c20b9ae672 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -545,9 +545,7 @@ static void do_float_check_status(CPUPPCState *env, 
uintptr_t raddr)
 int status = get_float_exception_flags(>fp_status);
 bool inexact_happened = false;
 
-if (status & float_flag_divbyzero) {
-float_zero_divide_excp(env, raddr);
-} else if (status & float_flag_overflow) {
+if (status & float_flag_overflow) {
 float_overflow_excp(env);
 } else if (status & float_flag_underflow) {
 float_underflow_excp(env);
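Review bot: removing the `float_flag_divbyzero` case from do_float_check_status() shifts responsibility for the ZX exception to each caller. This patch adds the check to helper_fdiv, the VSX divide macro and helper_xsdivqp, but any other helper that routes through do_float_check_status() and can set divbyzero loses its zero-divide exception from this commit onward until it gets its own check; the commit message should list those helpers (or state that there are none) so the series stays bisectable.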
@@ -661,30 +659,32 @@ uint64_t helper_fmul(CPUPPCState *env, uint64_t arg1, 
uint64_t arg2)
 }
 
 /* fdiv - fdiv. */
-uint64_t helper_fdiv(CPUPPCState *env, uint64_t arg1, uint64_t arg2)
+float64 helper_fdiv(CPUPPCState *env, float64 arg1, float64 arg2)
 {
-CPU_DoubleU farg1, farg2;
-
-farg1.ll = arg1;
-farg2.ll = arg2;
+float64 ret = float64_div(arg1, arg2, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_infinity(farg1.d) &&
- float64_is_infinity(farg2.d))) {
-/* Division of infinity by infinity */
-farg1.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXIDI, 1);
-} else if (unlikely(float64_is_zero(farg1.d) && float64_is_zero(farg2.d))) 
{
-/* Division of zero by zero */
-farg1.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXZDZ, 1);
-} else {
-if (unlikely(float64_is_signaling_nan(farg1.d, >fp_status) ||
- float64_is_signaling_nan(farg2.d, >fp_status))) {
-/* sNaN division */
-float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+if (unlikely(status)) {
+if (status & float_flag_invalid) {
+/* Determine what kind of invalid operation was seen.  */
+if (float64_is_infinity(arg1) && float64_is_infinity(arg2)) {
+/* Division of infinity by infinity */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXIDI, 1);
+} else if (float64_is_zero(arg1) && float64_is_zero(arg2)) {
+/* Division of zero by zero */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXZDZ, 1);
+} else if (float64_is_signaling_nan(arg1, >fp_status) ||
+   float64_is_signaling_nan(arg2, >fp_status)) {
+/* sNaN division */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+}
+}
+if (status & float_flag_divbyzero) {
+float_zero_divide_excp(env, GETPC());
 }
-farg1.d = float64_div(farg1.d, farg2.d, >fp_status);
 }
 
-return farg1.ll;
+return ret;
 }
 
 
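Review bot: the invalid-operation result changes source in helper_fdiv: the old code returned the value of float_invalid_op_excp() for inf/inf and 0/0, the new code returns whatever float64_div() produced (softfloat's default NaN for this target). That is only equivalent if the two NaN encodings agree, and the description mentions just the divide-by-zero ordering, so a sentence confirming it would help. The classification order (inf/inf, then 0/0, then sNaN) is sound, since neither of the first two cases can involve an sNaN operand.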
@@ -1928,6 +1928,9 @@ void helper_##op(CPUPPCState *env, uint32_t opcode)   
\
 tp##_is_signaling_nan(xb.fld, )) {  \
 float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, sfprf);\
 } \
+} \
+if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) {   \
+float_zero_divide_excp(env, GETPC()); \
 } \
   \
 if (r2sp) {   \
@@ -1978,6 +1981,9 @@ void helper_xsdivqp(CPUPPCState *env, uint32_t opcode)
 float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
 }
 }
+if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) {
+float_zero_divide_excp(env, GETPC());
+}
 
 helper_compute_fprf_float128(env, xt.f128);
 putVSR(rD(opcode) + 32, , env);
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index 5706c2497f..1c453fa0f7 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -88,7 +88,7 @@ DEF_HELPER_2(frim, i64, env, i64)
 DEF_HELPER_3(fadd, i64, 

[Qemu-devel] [PULL 03/26] target/ppc: Enable fp exceptions for user-only

2018-08-20 Thread David Gibson
From: Richard Henderson 

While just setting the MSR bits is sufficient, we can tidy
the helper code by extracting the MSR test to a helper and
then forcing it true for user-only.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 15 ---
 target/ppc/translate_init.inc.c |  2 ++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index 8675d931b6..9b39c4b3e5 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -36,6 +36,15 @@ static inline float128 float128_snan_to_qnan(float128 x)
 #define float32_snan_to_qnan(x) ((x) | 0x0040)
 #define float16_snan_to_qnan(x) ((x) | 0x0200)
 
+static inline bool fp_exceptions_enabled(CPUPPCState *env)
+{
+#ifdef CONFIG_USER_ONLY
+return true;
+#else
+return (env->msr & ((1U << MSR_FE0) | (1U << MSR_FE1))) != 0;
+#endif
+}
+
 /*/
 /* Floating point operations helpers */
 uint64_t helper_float32_to_float64(CPUPPCState *env, uint32_t arg)
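Review bot: fp_exceptions_enabled() deserves a comment explaining why the user-only branch returns true unconditionally: the reset code in this same patch sets MSR_FE0 and MSR_FE1 under CONFIG_USER_ONLY and user code cannot change the MSR, so the test is statically true there. Without that note the #ifdef reads as if exceptions were being forced on even when the MSR would say otherwise.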
@@ -207,7 +216,7 @@ uint64_t float_invalid_op_excp(CPUPPCState *env, int op, 
int set_fpcc)
 if (ve != 0) {
 /* Update the floating-point enabled exception summary */
 env->fpscr |= 1 << FPSCR_FEX;
-if (msr_fe0 != 0 || msr_fe1 != 0) {
+if (fp_exceptions_enabled(env)) {
 /* GETPC() works here because this is inline */
 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
POWERPC_EXCP_FP | op, GETPC());
@@ -225,7 +234,7 @@ static inline void float_zero_divide_excp(CPUPPCState *env, 
uintptr_t raddr)
 if (fpscr_ze != 0) {
 /* Update the floating-point enabled exception summary */
 env->fpscr |= 1 << FPSCR_FEX;
-if (msr_fe0 != 0 || msr_fe1 != 0) {
+if (fp_exceptions_enabled(env)) {
 raise_exception_err_ra(env, POWERPC_EXCP_PROGRAM,
POWERPC_EXCP_FP | POWERPC_EXCP_FP_ZX,
raddr);
@@ -555,7 +564,7 @@ static void do_float_check_status(CPUPPCState *env, 
uintptr_t raddr)
 if (cs->exception_index == POWERPC_EXCP_PROGRAM &&
 (env->error_code & POWERPC_EXCP_FP)) {
 /* Differred floating-point exception after target FPR update */
-if (msr_fe0 != 0 || msr_fe1 != 0) {
+if (fp_exceptions_enabled(env)) {
 raise_exception_err_ra(env, cs->exception_index,
env->error_code, raddr);
 }
diff --git a/target/ppc/translate_init.inc.c b/target/ppc/translate_init.inc.c
index 7813b1b004..fe0cb98e6d 100644
--- a/target/ppc/translate_init.inc.c
+++ b/target/ppc/translate_init.inc.c
@@ -10278,6 +10278,8 @@ static void ppc_cpu_reset(CPUState *s)
 #endif
 #if defined(CONFIG_USER_ONLY)
 msr |= (target_ulong)1 << MSR_FP; /* Allow floating point usage */
+msr |= (target_ulong)1 << MSR_FE0; /* Allow floating point exceptions */
+msr |= (target_ulong)1 << MSR_FE1;
 msr |= (target_ulong)1 << MSR_VR; /* Allow altivec usage */
 msr |= (target_ulong)1 << MSR_VSX; /* Allow VSX usage */
 msr |= (target_ulong)1 << MSR_SPE; /* Allow SPE usage */
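Review bot: minor style point: the comment `/* Allow floating point exceptions */` sits on the MSR_FE0 line while the MSR_FE1 line has none; since both bits set together select precise floating-point exception mode, one comment covering the pair (e.g. `/* Precise FP exception mode (FE0|FE1) */`) would read better than the half-annotated pair.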
-- 
2.17.1




[Qemu-devel] [PULL 01/26] spapr_cpu_core: vmstate_[un]register per-CPU data from (un)realizefn

2018-08-20 Thread David Gibson
From: Bharata B Rao 

VMStateDescription vmstate_spapr_cpu_state was added by commit
b94020268e0b6 (spapr_cpu_core: migrate per-CPU data) to migrate per-CPU
data with the required vmstate registration and unregistration calls.
However, the unregistration is being done only from the vcpu creation error
path and not from the CPU delete path.

This causes migration to fail with the following error if migration is
attempted after a CPU unplug:
Unknown savevm section or instance 'spapr_cpu' 16
Additionally, this leaves the source VM unresponsive after the migration failure.

Fix this by ensuring the vmstate_unregister happens during CPU removal.
Fixing this becomes easier when vmstate (un)registration calls are moved to
vcpu (un)realize functions which is what this patch does.

Fixes: https://bugs.launchpad.net/qemu/+bug/1785972
Reported-by: Satheesh Rajendran 
Signed-off-by: Bharata B Rao 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_cpu_core.c | 62 +
 1 file changed, 32 insertions(+), 30 deletions(-)

diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 993759db47..bb88a3ce4e 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -113,26 +113,6 @@ const char *spapr_get_cpu_core_type(const char *cpu_type)
 return object_class_get_name(oc);
 }
 
-static void spapr_unrealize_vcpu(PowerPCCPU *cpu)
-{
-qemu_unregister_reset(spapr_cpu_reset, cpu);
-object_unparent(cpu->intc);
-cpu_remove_sync(CPU(cpu));
-object_unparent(OBJECT(cpu));
-}
-
-static void spapr_cpu_core_unrealize(DeviceState *dev, Error **errp)
-{
-sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
-CPUCore *cc = CPU_CORE(dev);
-int i;
-
-for (i = 0; i < cc->nr_threads; i++) {
-spapr_unrealize_vcpu(sc->threads[i]);
-}
-g_free(sc->threads);
-}
-
 static bool slb_shadow_needed(void *opaque)
 {
 sPAPRCPUState *spapr_cpu = opaque;
@@ -207,10 +187,34 @@ static const VMStateDescription vmstate_spapr_cpu_state = 
{
 }
 };
 
+static void spapr_unrealize_vcpu(PowerPCCPU *cpu, sPAPRCPUCore *sc)
+{
+if (!sc->pre_3_0_migration) {
+vmstate_unregister(NULL, _spapr_cpu_state, cpu->machine_data);
+}
+qemu_unregister_reset(spapr_cpu_reset, cpu);
+object_unparent(cpu->intc);
+cpu_remove_sync(CPU(cpu));
+object_unparent(OBJECT(cpu));
+}
+
+static void spapr_cpu_core_unrealize(DeviceState *dev, Error **errp)
+{
+sPAPRCPUCore *sc = SPAPR_CPU_CORE(OBJECT(dev));
+CPUCore *cc = CPU_CORE(dev);
+int i;
+
+for (i = 0; i < cc->nr_threads; i++) {
+spapr_unrealize_vcpu(sc->threads[i], sc);
+}
+g_free(sc->threads);
+}
+
 static void spapr_realize_vcpu(PowerPCCPU *cpu, sPAPRMachineState *spapr,
-   Error **errp)
+   sPAPRCPUCore *sc, Error **errp)
 {
 CPUPPCState *env = >env;
+CPUState *cs = CPU(cpu);
 Error *local_err = NULL;
 
 object_property_set_bool(OBJECT(cpu), true, "realized", _err);
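Review bot: the reason spapr_unrealize_vcpu() and spapr_cpu_core_unrealize() move down the file is that they now reference vmstate_spapr_cpu_state, which is defined between the old and new positions; the commit message does not say so, and the move doubles the diff, making the one functional change (the added vmstate_unregister call) easy to miss. A forward declaration, or a sentence in the commit message, would help. The ordering inside the new spapr_unrealize_vcpu() is right: the vmstate is unregistered before the CPU object is unparented.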
@@ -233,6 +237,11 @@ static void spapr_realize_vcpu(PowerPCCPU *cpu, 
sPAPRMachineState *spapr,
 goto error_unregister;
 }
 
+if (!sc->pre_3_0_migration) {
+vmstate_register(NULL, cs->cpu_index, _spapr_cpu_state,
+ cpu->machine_data);
+}
+
 return;
 
 error_unregister:
@@ -272,10 +281,6 @@ static PowerPCCPU *spapr_create_vcpu(sPAPRCPUCore *sc, int 
i, Error **errp)
 }
 
 cpu->machine_data = g_new0(sPAPRCPUState, 1);
-if (!sc->pre_3_0_migration) {
-vmstate_register(NULL, cs->cpu_index, _spapr_cpu_state,
- cpu->machine_data);
-}
 
 object_unref(obj);
 return cpu;
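Review bot: with the vmstate_register() call gone from spapr_create_vcpu(), `cs` (used only as `cs->cpu_index` in the removed lines) may now be an unused local in this function; if so, remove it to avoid the compiler warning.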
@@ -290,9 +295,6 @@ static void spapr_delete_vcpu(PowerPCCPU *cpu, sPAPRCPUCore 
*sc)
 {
 sPAPRCPUState *spapr_cpu = spapr_cpu_state(cpu);
 
-if (!sc->pre_3_0_migration) {
-vmstate_unregister(NULL, _spapr_cpu_state, cpu->machine_data);
-}
 cpu->machine_data = NULL;
 g_free(spapr_cpu);
 object_unparent(OBJECT(cpu));
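Review bot: after removing the vmstate_unregister() block, `sc` is no longer used in spapr_delete_vcpu(), yet the signature `spapr_delete_vcpu(PowerPCCPU *cpu, sPAPRCPUCore *sc)` still carries it; drop the parameter and adjust its caller rather than leaving an unused argument behind.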
@@ -325,7 +327,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error 
**errp)
 }
 
 for (j = 0; j < cc->nr_threads; j++) {
-spapr_realize_vcpu(sc->threads[j], spapr, _err);
+spapr_realize_vcpu(sc->threads[j], spapr, sc, _err);
 if (local_err) {
 goto err_unrealize;
 }
@@ -334,7 +336,7 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error 
**errp)
 
 err_unrealize:
 while (--j >= 0) {
-spapr_unrealize_vcpu(sc->threads[j]);
+spapr_unrealize_vcpu(sc->threads[j], sc);
 }
 err:
 while (--i >= 0) {
-- 
2.17.1




[Qemu-devel] [PULL 07/26] target/ppc: Tidy helper_fsqrt

2018-08-20 Thread David Gibson
From: Richard Henderson 

Tidy the invalid exception checking so that we rely on softfloat for
initial argument validation, and select the kind of invalid operand
exception only when we know we must.  Pass and return float64 values
directly rather than bounce through the CPU_DoubleU union.

Signed-off-by: Richard Henderson 
Signed-off-by: David Gibson 
---
 target/ppc/fpu_helper.c | 29 ++---
 target/ppc/helper.h |  2 +-
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c
index 7758372ecd..44f3fed17d 100644
--- a/target/ppc/fpu_helper.c
+++ b/target/ppc/fpu_helper.c
@@ -858,25 +858,24 @@ uint64_t helper_frsp(CPUPPCState *env, uint64_t arg)
 }
 
 /* fsqrt - fsqrt. */
-uint64_t helper_fsqrt(CPUPPCState *env, uint64_t arg)
+float64 helper_fsqrt(CPUPPCState *env, float64 arg)
 {
-CPU_DoubleU farg;
-
-farg.ll = arg;
+float64 ret = float64_sqrt(arg, >fp_status);
+int status = get_float_exception_flags(>fp_status);
 
-if (unlikely(float64_is_any_nan(farg.d))) {
-if (unlikely(float64_is_signaling_nan(farg.d, >fp_status))) {
-/* sNaN reciprocal square root */
-float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
-farg.ll = float64_snan_to_qnan(farg.ll);
+if (unlikely(status & float_flag_invalid)) {
+if (unlikely(float64_is_any_nan(arg))) {
+if (unlikely(float64_is_signaling_nan(arg, >fp_status))) {
+/* sNaN square root */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSNAN, 1);
+}
+} else {
+/* Square root of a negative nonzero number */
+float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSQRT, 1);
 }
-} else if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
-/* Square root of a negative nonzero number */
-farg.ll = float_invalid_op_excp(env, POWERPC_EXCP_FP_VXSQRT, 1);
-} else {
-farg.d = float64_sqrt(farg.d, >fp_status);
 }
-return farg.ll;
+
+return ret;
 }
 
 /* fre - fre. */
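Review bot: inside the `status & float_flag_invalid` branch a NaN argument can only be an sNaN (a qNaN input never raises invalid), so the nested `float64_is_any_nan(arg)` / `float64_is_signaling_nan(arg, ...)` pair collapses to a single `float64_is_signaling_nan()` test with the negative-input case in the `else`, which is the shape helper_fre takes. As with fdiv, the returned NaN now comes from float64_sqrt() rather than from float_invalid_op_excp()'s return value; worth a sentence in the commit message confirming the encodings match.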
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index d81806dd2c..7ed72c2337 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -93,7 +93,7 @@ DEF_HELPER_4(fmadd, i64, env, i64, i64, i64)
 DEF_HELPER_4(fmsub, i64, env, i64, i64, i64)
 DEF_HELPER_4(fnmadd, i64, env, i64, i64, i64)
 DEF_HELPER_4(fnmsub, i64, env, i64, i64, i64)
-DEF_HELPER_2(fsqrt, i64, env, i64)
+DEF_HELPER_2(fsqrt, f64, env, f64)
 DEF_HELPER_2(fre, i64, env, i64)
 DEF_HELPER_2(fres, i64, env, i64)
 DEF_HELPER_2(frsqrte, i64, env, i64)
-- 
2.17.1




[Qemu-devel] [Bug 1470720] Re: high IRQ-TLB generates network interruptions

2018-08-20 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1470720

Title:
  high IRQ-TLB generates network interruptions

Status in QEMU:
  Expired

Bug description:
  We are having a problem in our hosts: all the VMs running on them
  suddenly, and for some seconds, lose network connectivity.

  The root cause appears to be the increase of irq-tlb from low values
  (less than 20) to more than 100k; that spike only lasts for some
  seconds, then everything goes back to normal.

  I've uploaded a screenshot of collectd for one hypervisor here:
  http://zumbi.com.ar/tmp/irq-tlb.png

  We have hosts running precise (qemu 1.5, ovs 2.0.2, libvirt 1.2.2 and kernel
  3.13) where the issue is frequent. We also have a small % of our fleet running
  trusty (qemu 2.0.0, ovs 2.0.2, libvirt 1.2.2 and kernel 3.16) where the problem
  seemed to be nonexistent until today.

  The issue seems to be isolated to < 10% of our hypervisors; some hypervisors had
  this problem every few days, others only once or twice. Our VMs are a black box
  to us: we don't know what users run on them, but mostly CPU- and network-bound
  workloads.
  Most of our guests run CentOS 6.5 (kernel 2.6.32).

  VMs are bridged to a linuxbridge, then veth wired to an OVS switch
  (neutron openvswitch agent setup).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1470720/+subscriptions



[Qemu-devel] [Bug 1471583] Re: QCA988X Wifi Card Not PCI Passing Through

2018-08-20 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1471583

Title:
  QCA988X Wifi Card Not PCI Passing Through

Status in QEMU:
  Expired

Bug description:
  CPU:  Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz
  KVM:  qemu-kvm-1.5.3-86.el7_1.2.x86_64
  Kernel:  4.1.1-1.el7.elrepo.x86_64, and kernel-3.10.0-229.7.2.el7.x86_64
  Host & Guest: CentOS 7.1
  Using virt-manager-1.1.0-12.el7.noarch to create, configure, and start guest

  I am trying to do a PCI passthrough of a QCA988X wifi card.  It's a Doodle 
Labs military-grade 802.11ac miniPCI card, which uses the ath10k kernel driver. 
 This card configures nicely on the host, and seems to pass through to the 
guest, but early in the boot of the guest it says "Unknown header type" at the 
wifi's bus address.  And sure enough, lspci -vv on the host then shows:
  !!! Unknown header type 7f
  Kernel driver in use: vfio-pci

  When the guest has booted, of course it shows as an Unclassified
  device.  Host and guest must run at least kernel 4.0 so the wifi
  card's current firmware will load, and so that its driver comes with
  the kernel.  I have both host and guest set up for the wifi card.  I
  tried running kernel 3.10 in the host and passing through the PCI
  device, but same behavior.

  I am passing through to the guest an Intel i350 ethernet card just
  fine, in fact I'm passing through two of its SR-IOV virt interfaces to
  the guest, so that works.

  On the host, before I start the guest, the wifi card looks like this
  (lspci -vv):

  0a:00.0 Network controller: Qualcomm Atheros QCA988x 802.11ac Wireless 
Network Adapter
  Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- 
Stepping- SERR- FastB2B- DisINTx+
  Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- 
SERR- https://bugs.launchpad.net/qemu/+bug/1471583/+subscriptions



[Qemu-devel] [Bug 1314293] Re: screendump with qxl + spice shows stale data

2018-08-20 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1314293

Title:
  screendump with qxl + spice shows stale data

Status in QEMU:
  Expired

Bug description:
  The monitor 'screendump' command returns stale data for VMs using qxl
  + spice. If you perform multiple screendumps, screendump #N will show
  roughly the display from the time screendump #N-1 was taken. This
  affects 'virsh screenshot' and libvirt screenshot APIs by association.

  Gerd explains that new monitor commands/infrastructure is likely
  required to handle this correctly:

  https://lists.gnu.org/archive/html/qemu-devel/2014-04/msg03840.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1314293/+subscriptions



[Qemu-devel] [Bug 1472083] Re: Qemu 2.1.2 hang when stop command

2018-08-20 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1472083

Title:
  Qemu 2.1.2 hang when stop command

Status in QEMU:
  Expired

Bug description:
  Qemu 2.1.2, Linux kernel 3.13.6, this is the stack.

  #0  in ppoll () from /lib/x86_64-linux-gnu/libc.so.6
  #1  in qemu_poll_ns (fds=0x7fa82a8de380, nfds=1, timeout=-1) at qemu-timer.c:314
  #2  in aio_poll (ctx=0x7fa82a8b5000, blocking=true) at aio-posix.c:250
  #3  in bdrv_drain_all () at block.c:1924
  #4  in do_vm_stop (state=RUN_STATE_PAUSED) at /qemu-2.1.2/cpus.c:544
  #5  in vm_stop (state=RUN_STATE_PAUSED) at /qemu-2.1.2/cpus.c:1227
  #6  in qmp_stop (errp=0x7b6dcaf8) at qmp.c:98
  #7  in qmp_marshal_input_stop (mon=0x7fa82a8e0970, qdict=0x7fa830295020, ret=0x7b6dcb48) at qmp-marshal.c:2806
  #8  in qmp_call_cmd (mon=0x7fa82a8e0970, cmd=0x7fa8290558a0, params=0x7fa830295020) at /qemu-2.1.2/monitor.c:5038
  #9  in handle_qmp_command (parser=0x7fa82a8e0a28, tokens=0x7fa82a8d9b50) at /qemu-2.1.2/monitor.c:5104
  #10 in json_message_process_token (lexer=0x7fa82a8e0a30, token=0x7fa830122b60, type=JSON_OPERATOR, x=39, y=17865) at qobject/json-streamer.c:87
  #11 in json_lexer_feed_char (lexer=0x7fa82a8e0a30, ch=125 '}', flush=false) at qobject/json-lexer.c:303
  #12 in json_lexer_feed (lexer=0x7fa82a8e0a30, buffer=0x7b6dcdb0 "}\315m\373\377\177", size=1) at qobject/json-lexer.c:356
  #13 in json_message_parser_feed (parser=0x7fa82a8e0a28, buffer=0x7b6dcdb0 "}\315m\373\377\177", size=1) at qobject/json-streamer.c:111
  #14 in monitor_control_read (opaque=0x7fa82a8e0970, buf=0x7b6dcdb0 "}\315m\373\377\177", size=1) at /qemu-2.1.2/monitor.c:5125
  #15 in qemu_chr_be_write (s=0x7fa82a8c2020, buf=0x7b6dcdb0 "}\315m\373\377\177", len=1) at qemu-char.c:213
  #16 in tcp_chr_read (chan=0x7fa82a8c4ba0, cond=G_IO_IN, opaque=0x7fa82a8c2020) at qemu-char.c:2729
  #17 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
  #18 in glib_pollfds_poll () at main-loop.c:190
  #19 in os_host_main_loop_wait (timeout=2400) at main-loop.c:235
  #20 in main_loop_wait (nonblocking=0) at main-loop.c:484
  #21 in main_loop () at vl.c:2034
  #22 in main (argc=55, argv=0x7b6de338, envp=0x7b6de4f8) at vl.c:4583

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1472083/+subscriptions



Re: [Qemu-devel] [PATCH V11 17/20] filter-rewriter: handle checkpoint and failover event

2018-08-20 Thread Jason Wang




On 2018-08-12 04:59, Zhang Chen wrote:

After one round of checkpoint, the states between PVM and SVM
become consistent, so it is unnecessary to adjust the sequence
of net packets for old connections; besides, when failover
happens, filter-rewriter will go into failover mode, in which it
needn't handle new TCP connections.

Signed-off-by: zhanghailiang 
Signed-off-by: Zhang Chen 
Signed-off-by: Zhang Chen 
---
  net/colo-compare.c| 12 -
  net/colo.c|  8 ++
  net/colo.h|  2 ++
  net/filter-rewriter.c | 57 +++
  4 files changed, 73 insertions(+), 6 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index b8c0240725..462e822be6 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -116,6 +116,12 @@ enum {
  SECONDARY_IN,
  };
  
+static void colo_compare_inconsistency_notify(void)

+{
+notifier_list_notify(_compare_notifiers,
+migrate_get_current());
+}
+
  static int compare_chr_send(CompareState *s,
  const uint8_t *buf,
  uint32_t size,
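Review bot: this hunk and the one right after it only move colo_compare_inconsistency_notify() up the file with an identical body; unless a caller between the two positions needs it (none is visible in this patch), drop the move, or add a forward declaration instead, so the functional change in net/filter-rewriter.c is not buried under code motion.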
@@ -562,12 +568,6 @@ static int colo_old_packet_check_one(Packet *pkt, int64_t 
*check_time)
  }
  }
  
-static void colo_compare_inconsistency_notify(void)

-{
-notifier_list_notify(_compare_notifiers,
-migrate_get_current());
-}
-


This part of the changes seems unnecessary?


  void colo_compare_register_notifier(Notifier *notify)
  {
  notifier_list_add(_compare_notifiers, notify);
diff --git a/net/colo.c b/net/colo.c
index 97c8fc928f..49176bf07b 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -221,3 +221,11 @@ Connection *connection_get(GHashTable 
*connection_track_table,
  
  return conn;

  }
+
+bool connection_has_tracked(GHashTable *connection_track_table,
+ConnectionKey *key)
+{
+Connection *conn = g_hash_table_lookup(connection_track_table, key);
+
+return conn ? true : false;
+}
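Review bot: `return conn ? true : false;` is a roundabout `return conn != NULL;`. Since connection_get() in the same file can hand back a freshly created entry while this helper is a pure lookup, a one-line comment on connection_has_tracked() saying that it never inserts would save readers a trip through net/colo.c.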
diff --git a/net/colo.h b/net/colo.h
index 0277e0e9ba..11c5226488 100644
--- a/net/colo.h
+++ b/net/colo.h
@@ -98,6 +98,8 @@ void connection_destroy(void *opaque);
  Connection *connection_get(GHashTable *connection_track_table,
 ConnectionKey *key,
 GQueue *conn_list);
+bool connection_has_tracked(GHashTable *connection_track_table,
+ConnectionKey *key);
  void connection_hashtable_reset(GHashTable *connection_track_table);
  Packet *packet_new(const void *data, int size, int vnet_hdr_len);
  void packet_destroy(void *opaque, void *user_data);
diff --git a/net/filter-rewriter.c b/net/filter-rewriter.c
index f18a71bf2e..c463a0c1d0 100644
--- a/net/filter-rewriter.c
+++ b/net/filter-rewriter.c
@@ -20,11 +20,15 @@
  #include "qemu/main-loop.h"
  #include "qemu/iov.h"
  #include "net/checksum.h"
+#include "net/colo.h"
+#include "migration/colo.h"
  
  #define FILTER_COLO_REWRITER(obj) \

  OBJECT_CHECK(RewriterState, (obj), TYPE_FILTER_REWRITER)
  
  #define TYPE_FILTER_REWRITER "filter-rewriter"

+#define FAILOVER_MODE_ON  true
+#define FAILOVER_MODE_OFF false
  
  typedef struct RewriterState {

  NetFilterState parent_obj;
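Review bot: FAILOVER_MODE_ON/FAILOVER_MODE_OFF are just spellings of true/false for a bool field, and FAILOVER_MODE_OFF is not used anywhere in this patch; assigning `true` directly is clearer, or, if the mode really is a state that a later checkpoint should leave again, make it an enum and reset it there.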
@@ -32,8 +36,14 @@ typedef struct RewriterState {
  /* hashtable to save connection */
  GHashTable *connection_track_table;
  bool vnet_hdr;
+bool failover_mode;
  } RewriterState;
  
+static void filter_rewriter_failover_mode(RewriterState *s)

+{
+s->failover_mode = FAILOVER_MODE_ON;
+}
+
  static void filter_rewriter_flush(NetFilterState *nf)
  {
  RewriterState *s = FILTER_COLO_REWRITER(nf);
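Review bot: nothing in this hunk initialises `failover_mode` or ever clears it, so it relies on the zeroed allocation and stays set for the lifetime of the filter; say so in a comment or reset it explicitly in the filter's setup. The setter's name also reads like a getter (filter_rewriter_failover_mode()); a verb, e.g. filter_rewriter_enter_failover(), would make the call sites self-explanatory.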
@@ -269,6 +279,13 @@ static ssize_t colo_rewriter_receive_iov(NetFilterState 
*nf,
   */
  reverse_connection_key();
  }
+
+/* After failover we needn't change new TCP packet */
+if (s->failover_mode &&
+connection_has_tracked(s->connection_track_table, )) {


I think you mean !connection_has_tracked() here?


+goto out;
+}
+
  conn = connection_get(s->connection_track_table,
,
NULL);
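Review bot: the new comment `/* After failover we needn't change new TCP packet */` and the commit message both say that packets of new connections are skipped in failover mode, but `s->failover_mode && connection_has_tracked(...)` skips the old, tracked ones instead (as already raised above). Once the `!` is added, keep the early exit ahead of the connection_get() call that follows, because that call is what registers an unknown key in the tracking table and would otherwise turn every new connection into a 'tracked' one on its next packet.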
@@ -302,11 +319,49 @@ static ssize_t colo_rewriter_receive_iov(NetFilterState 
*nf,
  }
  }
  
+out:

  packet_destroy(pkt, NULL);
  pkt = NULL;
  return 0;
  }
  
+static void reset_seq_offset(gpointer key, gpointer value, gpointer user_data)

+{
+Connection *conn = (Connection *)value;
+
+conn->offset = 0;
+}
+
+static gboolean offset_is_nonzero(gpointer key,
+  gpointer value,
+  gpointer user_data)
+{
+Connection *conn = (Connection *)value;
+
+return conn->offset ? true : false;
+}
+
+static void colo_rewriter_handle_event(NetFilterState *nf, int event,
+   Error **errp)
+{
+RewriterState *rs = FILTER_COLO_REWRITER(nf);
+
+switch (event) {
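Review bot: the rest of colo_rewriter_handle_event() is cut off in this archived copy, so only the helpers can be reviewed here: `return conn->offset ? true : false;` in offset_is_nonzero() should be `return conn->offset != 0;`; the unused key/user_data parameters of reset_seq_offset() and offset_is_nonzero() are fine, since the GHFunc/GHRFunc signatures require them, but each helper deserves a one-line comment naming the event it serves and what "offset" refers to (the TCP sequence offset of the tracked connection).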
+

Re: [Qemu-devel] [PATCH V11 15/20] net/net.c: Add net client type check function for COLO

2018-08-20 Thread Jason Wang




On 2018-08-12 04:59, Zhang Chen wrote:

From: Zhang Chen 

We add is_colo_support_client_type() to check the net client type for
COLO-compare. Currently we just support TAP.
Suggested by Jason.

Signed-off-by: Zhang Chen 
Signed-off-by: Zhang Chen 
---


This needs more work:

- Forbid vhost
- Deal with hotplug

This doesn't look like a must for this series, so to speed up the process, you may do it on top.


Thanks


  include/net/net.h  |  1 +
  net/colo-compare.c |  5 +
  net/net.c  | 14 ++
  3 files changed, 20 insertions(+)

diff --git a/include/net/net.h b/include/net/net.h
index 1425960f76..dcbc7ba9c0 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -212,6 +212,7 @@ void hmp_host_net_add(Monitor *mon, const QDict *qdict);
  void hmp_host_net_remove(Monitor *mon, const QDict *qdict);
  void netdev_add(QemuOpts *opts, Error **errp);
  void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp);
+bool is_colo_support_client_type(void);
  
  int net_hub_id_for_client(NetClientState *nc, int *id);

  NetClientState *net_hub_port_find(int hub_id);
diff --git a/net/colo-compare.c b/net/colo-compare.c
index 426eab5973..b8c0240725 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -996,6 +996,11 @@ static void colo_compare_complete(UserCreatable *uc, Error 
**errp)
  return;
  }
  
+if (!is_colo_support_client_type()) {

+error_setg(errp, "COLO-compare: Net client type is not supported");
+return;
+}
+
  net_socket_rs_init(>pri_rs, compare_pri_rs_finalize, s->vnet_hdr);
  net_socket_rs_init(>sec_rs, compare_sec_rs_finalize, s->vnet_hdr);
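Review bot: the check runs once, in colo_compare_complete(), so a net client that is hot-added after the compare object exists is never validated (the "deal with hotplug" item above); also, the error message would be far more useful if it named the offending client (nc->name) and its type, since a bare "not supported" is hard to diagnose from the command line.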
  
diff --git a/net/net.c b/net/net.c

index 2a3133990c..a77ea88fff 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1733,3 +1733,17 @@ int net_fill_rstate(SocketReadState *rs, const uint8_t 
*buf, int size)
  assert(size == 0);
  return 0;
  }
+
+/* Currently, COLO just support TAP */
+bool is_colo_support_client_type(void)
+{
+NetClientState *nc;
+
+QTAILQ_FOREACH(nc, _clients, next) {
+if (nc->info->type != NET_CLIENT_DRIVER_TAP) {
+return false;
+}
+}
+
+return true;
+}
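Review bot: is_colo_support_client_type() walks the whole net_clients list, which holds the NIC frontends (NET_CLIENT_DRIVER_NIC) and every backend in the VM, not only the ones COLO is attached to; with the `!= NET_CLIENT_DRIVER_TAP` test, a guest with any NIC model, or with a second, unrelated user/socket netdev, fails the check. Restrict the test to the net clients the COLO filters are actually attached to, and, as noted at the top, a TAP backed by vhost needs rejecting too, which the type alone cannot tell. The comment should read "COLO currently only supports TAP".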





Re: [Qemu-devel] [PATCH V11 16/20] filter: Add handle_event method for NetFilterClass

2018-08-20 Thread Jason Wang




On 2018-08-12 04:59, Zhang Chen wrote:

Filters need to process the checkpoint/failover event or other
events passed by the COLO frame.

Signed-off-by: zhanghailiang 
---
  include/net/filter.h |  5 +
  net/filter.c | 17 +
  net/net.c| 28 
  3 files changed, 50 insertions(+)

diff --git a/include/net/filter.h b/include/net/filter.h
index 435acd6f82..49da666ac0 100644
--- a/include/net/filter.h
+++ b/include/net/filter.h
@@ -38,6 +38,8 @@ typedef ssize_t (FilterReceiveIOV)(NetFilterState *nc,
  
  typedef void (FilterStatusChanged) (NetFilterState *nf, Error **errp);
  
+typedef void (FilterHandleEvent) (NetFilterState *nf, int event, Error **errp);

+
  typedef struct NetFilterClass {
  ObjectClass parent_class;
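Review bot: `int event` in FilterHandleEvent is untyped, while the only consumer in this series (dummy_handle_event() in net/filter.c below) switches on COLO_EVENT_CHECKPOINT/COLO_EVENT_FAILOVER; document in this header which values a filter may receive and what setting *errp means for the caller, otherwise every implementer has to guess the contract.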
  
@@ -45,6 +47,7 @@ typedef struct NetFilterClass {

  FilterSetup *setup;
  FilterCleanup *cleanup;
  FilterStatusChanged *status_changed;
+FilterHandleEvent *handle_event;
  /* mandatory */
  FilterReceiveIOV *receive_iov;
  } NetFilterClass;
@@ -77,4 +80,6 @@ ssize_t qemu_netfilter_pass_to_next(NetClientState *sender,
  int iovcnt,
  void *opaque);
  
+void colo_notify_filters_event(int event, Error **errp);

+
  #endif /* QEMU_NET_FILTER_H */
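Review bot: colo_notify_filters_event() is COLO-specific, but its prototype lands in the generic include/net/filter.h; a generically named helper (for example a qemu_netfilter_notify_event(int event, Error **errp)) or a declaration in a COLO header keeps the filter API free of COLO names, in line with the remark below about the default handler.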
diff --git a/net/filter.c b/net/filter.c
index 2fd7d7d663..0f17eba143 100644
--- a/net/filter.c
+++ b/net/filter.c
@@ -17,6 +17,8 @@
  #include "net/vhost_net.h"
  #include "qom/object_interfaces.h"
  #include "qemu/iov.h"
+#include "net/colo.h"
+#include "migration/colo.h"
  
  static inline bool qemu_can_skip_netfilter(NetFilterState *nf)

  {
@@ -245,11 +247,26 @@ static void netfilter_finalize(Object *obj)
  g_free(nf->netdev_id);
  }
  
+static void dummy_handle_event(NetFilterState *nf, int event, Error **errp)

+{


It's in fact not a "dummy" handler. Maybe it's better to rename it to 
"default".



+switch (event) {
+case COLO_EVENT_CHECKPOINT:
+break;
+case COLO_EVENT_FAILOVER:
+object_property_set_str(OBJECT(nf), "off", "status", errp);


I think the filter is generic infrastructure, so it's better not to have 
COLO-specific things like this. You can either add a generic name or have a 
dedicated helper to just disable all net filters.



+break;
+default:
+break;
+}
+}
+
  static void netfilter_class_init(ObjectClass *oc, void *data)
  {
  UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+NetFilterClass *nfc = NETFILTER_CLASS(oc);
  
  ucc->complete = netfilter_complete;

+nfc->handle_event = dummy_handle_event;
  }
  
  static const TypeInfo netfilter_info = {
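Review bot: because the default handler is installed on the base class in netfilter_class_init(), every filter type inherits it (so the NULL check in net/net.c further down is indeed dead), but a filter that overrides handle_event, as filter-rewriter does in patch 17/20, silently loses the "set status to off on failover" behaviour unless it reimplements it; factor that into a helper the overriding filters can call, or have the core disable filters on failover and only pass the event down, so the two paths cannot diverge.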

diff --git a/net/net.c b/net/net.c
index a77ea88fff..b4f6a2efb2 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1331,6 +1331,34 @@ void hmp_info_network(Monitor *mon, const QDict *qdict)
  }
  }
  
+void colo_notify_filters_event(int event, Error **errp)

+{
+NetClientState *nc, *peer;
+NetClientDriver type;
+NetFilterState *nf;
+NetFilterClass *nfc = NULL;
+Error *local_err = NULL;
+
+QTAILQ_FOREACH(nc, _clients, next) {
+peer = nc->peer;
+type = nc->info->type;
+if (!peer || type != NET_CLIENT_DRIVER_TAP) {
+continue;
+}


The check for TAP is redundant with the previous patch.


+QTAILQ_FOREACH(nf, >filters, next) {
+nfc =  NETFILTER_GET_CLASS(OBJECT(nf));
+if (!nfc->handle_event) {


Looks like this won't happen.

Thanks


+continue;
+}
+nfc->handle_event(nf, event, _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+}
+}
+}
+
  void qmp_set_link(const char *name, bool up, Error **errp)
  {
  NetClientState *ncs[MAX_QUEUE_NUM];
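Review bot: on the first handle_event() failure the function propagates the error and returns, so the remaining filters never see the event; for COLO_EVENT_FAILOVER that can leave some filters enabled after others were switched off. Either keep iterating and report the first error at the end, or document that a partial notification is acceptable. `peer` is only used for the NULL test, so `if (!nc->peer || ...)` without the local reads simpler (and, as said above, the TAP test duplicates patch 15/20).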





[Qemu-devel] [PATCH v3 2/2] hw/pci: add PCI resource reserve capability to legacy PCI bridge

2018-08-20 Thread Jing Liu
Add a hint to firmware (e.g. SeaBIOS) to reserve additional
BUS/IO/MEM/PREF resources for the legacy pci-pci bridge. Add the
resource reserve capability deletion in pci_bridge_dev_exitfn.

Signed-off-by: Jing Liu 
---
 hw/pci-bridge/pci_bridge_dev.c | 24 
 1 file changed, 24 insertions(+)

diff --git a/hw/pci-bridge/pci_bridge_dev.c b/hw/pci-bridge/pci_bridge_dev.c
index b2d861d..97a8e8b 100644
--- a/hw/pci-bridge/pci_bridge_dev.c
+++ b/hw/pci-bridge/pci_bridge_dev.c
@@ -46,6 +46,9 @@ struct PCIBridgeDev {
 uint32_t flags;
 
 OnOffAuto msi;
+
+/* additional resources to reserve */
+PCIResReserve res_reserve;
 };
 typedef struct PCIBridgeDev PCIBridgeDev;
 
@@ -95,6 +98,12 @@ static void pci_bridge_dev_realize(PCIDevice *dev, Error 
**errp)
 error_free(local_err);
 }
 
+err = pci_bridge_qemu_reserve_cap_init(dev, 0,
+ bridge_dev->res_reserve, errp);
+if (err) {
+goto cap_error;
+}
+
 if (shpc_present(dev)) {
 /* TODO: spec recommends using 64 bit prefetcheable BAR.
  * Check whether that works well. */
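Review bot: `err` is reused from the earlier capability calls and pci_bridge_qemu_reserve_cap_init() returns a negative errno (see `return -EINVAL;` in the hw/pci/pci_bridge.c hunk of patch 1/2), so `if (err < 0)` would match gen_rp_realize() and make the contract explicit; the call also passes the caller's errp straight in, which is fine, but then the `goto cap_error` path must not set errp again on the way out.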
@@ -103,6 +112,8 @@ static void pci_bridge_dev_realize(PCIDevice *dev, Error 
**errp)
 }
 return;
 
+cap_error:
+msi_uninit(dev);
 msi_error:
 slotid_cap_cleanup(dev);
 slotid_error:
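Review bot: `cap_error:` calls msi_uninit(dev) unconditionally, whereas pci_bridge_dev_exitfn() (next hunk) guards the same call with msi_present(); MSI may have been disabled via the `msi` property or failed with -ENOTSUP on the path just above. Either guard the unwind the same way, or, if msi_uninit() tolerates a device without MSI, drop the guard in exitfn; the two paths should at least agree.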
@@ -116,6 +127,8 @@ shpc_error:
 static void pci_bridge_dev_exitfn(PCIDevice *dev)
 {
 PCIBridgeDev *bridge_dev = PCI_BRIDGE_DEV(dev);
+
+pci_del_capability(dev, PCI_CAP_ID_VNDR, sizeof(PCIBridgeQemuCap));
 if (msi_present(dev)) {
 msi_uninit(dev);
 }
@@ -162,6 +175,17 @@ static Property pci_bridge_dev_properties[] = {
 ON_OFF_AUTO_AUTO),
 DEFINE_PROP_BIT(PCI_BRIDGE_DEV_PROP_SHPC, PCIBridgeDev, flags,
 PCI_BRIDGE_DEV_F_SHPC_REQ, true),
+DEFINE_PROP_UINT32("bus-reserve", PCIBridgeDev,
+   res_reserve.bus, -1),
+DEFINE_PROP_SIZE("io-reserve", PCIBridgeDev,
+ res_reserve.io, -1),
+DEFINE_PROP_SIZE("mem-reserve", PCIBridgeDev,
+ res_reserve.mem_non_pref, -1),
+DEFINE_PROP_SIZE("pref32-reserve", PCIBridgeDev,
+ res_reserve.mem_pref_32, -1),
+DEFINE_PROP_SIZE("pref64-reserve", PCIBridgeDev,
+ res_reserve.mem_pref_64, -1),
+
 DEFINE_PROP_END_OF_LIST(),
 };
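Review bot: the five new pci-bridge properties mirror gen_pcie_root_port's names (as the cover letter says), but there is no documentation change in the diffstat; a short note on what the -1 default means (no reservation hint) and that the values are hints consumed by firmware rather than enforced by QEMU belongs in the docs, or at least in a comment next to the DEFINE_PROP lines.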
 
-- 
1.8.3.1




[Qemu-devel] [PATCH v3 0/2] hw/pci: PCI resource reserve capability

2018-08-20 Thread Jing Liu
This patch series is about the PCI resource reserve capability.

The first patch refactors the resource reserve fields in the GenPCIERootPort
structure out to another new structure, called "PCIResReserve", and modifies
the parameter list of pci_bridge_qemu_reserve_cap_init().

The second patch enables the resource reserve capability for the legacy PCI bridge
so that firmware can reserve additional resources for this bridge.

Change Logs:
v3 -> v2
* remove the teardown patch because only pci_del_capability is needed
* keep the names to be consistent with firmware counterpart
* some minor fixes

v2 -> v1
* add refactoring patch
* add teardown function
* some other fixes

Jing Liu (2):
  hw/pci: factor PCI reserve resources to a separate structure
  hw/pci: add PCI resource reserve capability to legacy PCI bridge

 hw/pci-bridge/gen_pcie_root_port.c | 33 +
 hw/pci-bridge/pci_bridge_dev.c | 24 
 hw/pci/pci_bridge.c| 38 +-
 include/hw/pci/pci_bridge.h| 18 +-
 4 files changed, 71 insertions(+), 42 deletions(-)

-- 
1.8.3.1




[Qemu-devel] [PATCH v3 1/2] hw/pci: factor PCI reserve resources to a separate structure

2018-08-20 Thread Jing Liu
Factor the "bus_reserve", "io_reserve", "mem_reserve", "pref32_reserve"
and "pref64_reserve" fields of the "GenPCIERootPort" structure out
to a "PCIResReserve" structure, so that other PCI bridges can
reuse it to add the resource reserve capability.

Signed-off-by: Jing Liu 
---
 hw/pci-bridge/gen_pcie_root_port.c | 33 +
 hw/pci/pci_bridge.c| 38 +-
 include/hw/pci/pci_bridge.h| 18 +-
 3 files changed, 47 insertions(+), 42 deletions(-)

diff --git a/hw/pci-bridge/gen_pcie_root_port.c 
b/hw/pci-bridge/gen_pcie_root_port.c
index d117e20..299de42 100644
--- a/hw/pci-bridge/gen_pcie_root_port.c
+++ b/hw/pci-bridge/gen_pcie_root_port.c
@@ -29,12 +29,8 @@ typedef struct GenPCIERootPort {
 
 bool migrate_msix;
 
-/* additional resources to reserve on firmware init */
-uint32_t bus_reserve;
-uint64_t io_reserve;
-uint64_t mem_reserve;
-uint64_t pref32_reserve;
-uint64_t pref64_reserve;
+/* additional resources to reserve */
+PCIResReserve res_reserve;
 } GenPCIERootPort;
 
 static uint8_t gen_rp_aer_vector(const PCIDevice *d)
@@ -82,16 +78,15 @@ static void gen_rp_realize(DeviceState *dev, Error **errp)
 return;
 }
 
-int rc = pci_bridge_qemu_reserve_cap_init(d, 0, grp->bus_reserve,
-grp->io_reserve, grp->mem_reserve, grp->pref32_reserve,
-grp->pref64_reserve, errp);
+int rc = pci_bridge_qemu_reserve_cap_init(d, 0,
+  grp->res_reserve, errp);
 
 if (rc < 0) {
 rpc->parent_class.exit(d);
 return;
 }
 
-if (!grp->io_reserve) {
+if (!grp->res_reserve.io) {
 pci_word_test_and_clear_mask(d->wmask + PCI_COMMAND,
  PCI_COMMAND_IO);
 d->wmask[PCI_IO_BASE] = 0;
@@ -117,12 +112,18 @@ static const VMStateDescription vmstate_rp_dev = {
 };
 
 static Property gen_rp_props[] = {
-DEFINE_PROP_BOOL("x-migrate-msix", GenPCIERootPort, migrate_msix, true),
-DEFINE_PROP_UINT32("bus-reserve", GenPCIERootPort, bus_reserve, -1),
-DEFINE_PROP_SIZE("io-reserve", GenPCIERootPort, io_reserve, -1),
-DEFINE_PROP_SIZE("mem-reserve", GenPCIERootPort, mem_reserve, -1),
-DEFINE_PROP_SIZE("pref32-reserve", GenPCIERootPort, pref32_reserve, -1),
-DEFINE_PROP_SIZE("pref64-reserve", GenPCIERootPort, pref64_reserve, -1),
+DEFINE_PROP_BOOL("x-migrate-msix", GenPCIERootPort,
+ migrate_msix, true),
+DEFINE_PROP_UINT32("bus-reserve", GenPCIERootPort,
+   res_reserve.bus, -1),
+DEFINE_PROP_SIZE("io-reserve", GenPCIERootPort,
+ res_reserve.io, -1),
+DEFINE_PROP_SIZE("mem-reserve", GenPCIERootPort,
+ res_reserve.mem_non_pref, -1),
+DEFINE_PROP_SIZE("pref32-reserve", GenPCIERootPort,
+ res_reserve.mem_pref_32, -1),
+DEFINE_PROP_SIZE("pref64-reserve", GenPCIERootPort,
+ res_reserve.mem_pref_64, -1),
 DEFINE_PROP_END_OF_LIST()
 };
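Review bot: the `DEFINE_PROP_BOOL("x-migrate-msix", ...)` line is only re-wrapped onto two lines with no change in content; leaving untouched lines alone keeps the diff down to the refactoring it advertises and makes the five real renames easier to verify.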
 
diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 40a39f5..08b7e44 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -411,38 +411,34 @@ void pci_bridge_map_irq(PCIBridge *br, const char* 
bus_name,
 
 
 int pci_bridge_qemu_reserve_cap_init(PCIDevice *dev, int cap_offset,
- uint32_t bus_reserve, uint64_t io_reserve,
- uint64_t mem_non_pref_reserve,
- uint64_t mem_pref_32_reserve,
- uint64_t mem_pref_64_reserve,
- Error **errp)
+ PCIResReserve res_reserve, Error **errp)
 {
-if (mem_pref_32_reserve != (uint64_t)-1 &&
-mem_pref_64_reserve != (uint64_t)-1) {
+if (res_reserve.mem_pref_32 != (uint64_t)-1 &&
+res_reserve.mem_pref_64 != (uint64_t)-1) {
 error_setg(errp,
"PCI resource reserve cap: PREF32 and PREF64 conflict");
 return -EINVAL;
 }
 
-if (mem_non_pref_reserve != (uint64_t)-1 &&
-mem_non_pref_reserve >= (1ULL << 32)) {
+if (res_reserve.mem_non_pref != (uint64_t)-1 &&
+res_reserve.mem_non_pref >= (1ULL << 32)) {
 error_setg(errp,
"PCI resource reserve cap: mem-reserve must be less than 
4G");
 return -EINVAL;
 }
 
-if (mem_pref_32_reserve != (uint64_t)-1 &&
-mem_pref_32_reserve >= (1ULL << 32)) {
+if (res_reserve.mem_pref_32 != (uint64_t)-1 &&
+res_reserve.mem_pref_32 >= (1ULL << 32)) {
 error_setg(errp,
"PCI resource reserve cap: pref32-reserve  must be less 
than 4G");
 return -EINVAL;
 }
 
-if (bus_reserve == (uint32_t)-1 &&
-io_reserve == (uint64_t)-1 &&
-mem_non_pref_reserve == (uint64_t)-1 &&
-
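Review bot: pci_bridge_qemu_reserve_cap_init() now takes PCIResReserve by value, and both callers (gen_rp_realize() and pci_bridge_dev_realize()) copy the whole struct of five 32/64-bit fields on every call; a `const PCIResReserve *res_reserve` parameter avoids the copy and is the usual style for passing a struct around in QEMU. The rest of the hunk is cut off in this copy, so the remaining field renames could not be checked here.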

Re: [Qemu-devel] [PATCH V11 00/20] COLO: integrate colo frame with block replication and COLO proxy

2018-08-20 Thread Zhang Chen
Hi Jason and Markus,

Ping...
Do you have time to review this series?

Thanks
Zhang Chen

On Sun, Aug 12, 2018 at 4:59 AM Zhang Chen  wrote:

> Hi~ All~
>
> COLO Frame, block replication and COLO proxy (colo-compare, filter-mirror,
> filter-redirector, filter-rewriter) have existed in qemu for a long time;
> it's time to integrate these three parts to make COLO really work.
>
> In this series, we have some optimizations for the COLO frame, including
> separating the process of saving ram and device state, and using a
> COLO_EXIT event to notify users that the VM exits COLO. Most of these
> parts were reviewed a long time ago in an old version, but since this
> series has just been rebased on upstream, which had merged a new
> migration series, parts of the patches in this series deserve review
> again.
>
> We use a notifier/callback method for COLO compare to notify the COLO
> frame about the net packets inconsistent event, and add a handle_event
> method for NetFilterClass to help the COLO frame notify filters and
> colo-compare about the checkpoint/failover event; it is flexible.
>
> For the newest version, please refer to:
> https://github.com/zhangckid/qemu/tree/qemu-colo-18aug12
>
> Please review, thanks.
>
> V11:
>  - Rebased on upstream.
>  - Used "RAMBLOCK_FOREACH_MIGRATABLE()" to replace "QLIST_FOREACH_RCU()"
> in patch 08/20.
>  - Fixed COLO related qapi command's since version in patch 10/20.
>
> V10:
>  - Rebased on upstream.
>  - Removed the "active" in COLOState.
>  - Fixed some comments.
>
> V9:
>  - Rebased on upstream codes.
>  - Addressed Jason's comments: add TCP state machine tracking in
>    filter-rewriter.
>  - Fix some bugs in colo-compare.
>  - Fix typo.
>  - Add filter-rewriter failover handle.
>  - Add net client type check in colo-compare.
>  - Add COLO state diagram.
>  - Addressed Markus and Daive's comments.
>
>
> V8:
>  - Rebased on upstream codes.
>  - Addressed Markus's comments in patch 10/17.
>  - Addressed Markus's comments in patch 11/17.
>  - Removed some comments in patch 4/17.
>  - Moved the "migration_bitmap_clear_dirty()" to suitable position in
>patch 9/17.
>  - Rewrote the patch 07/17 to address Davie's comments.
>  - Moved the "qemu_savevm_live_state" out of the
>qemu_mutex_lock_iothread.
>  - Fixed the bug that in some status COLO vm crash with segmentation fault.
>
> V7:
>  - Addressed Markus's comments in 11/17.
>  - Rebased on upstream.
>
> V6:
>  - Addressed Eric Blake's comments, use the enum to feedback in patch
> 11/17.
>  - Fixed QAPI command separator problem in patch 11/17.
>
>
>
> Zhang Chen (16):
>   filter-rewriter: Add TCP state machine and fix memory leak in
> connection_track_table
>   colo-compare: implement the process of checkpoint
>   colo-compare: use notifier to notify packets comparing result
>   COLO: integrate colo compare with colo frame
>   COLO: Add block replication into colo process
>   COLO: Remove colo_state migration struct
>   COLO: Load dirty pages into SVM's RAM cache firstly
>   ram/COLO: Record the dirty pages that SVM received
>   COLO: Flush memory data from ram cache
>   qapi/migration.json: Rename COLO unknown mode to none mode.
>   qapi: Add new command to query colo status
>   savevm: split the process of different stages for loadvm/savevm
>   net/net.c: Add net client type check function for COLO
>   filter: Add handle_event method for NetFilterClass
>   filter-rewriter: handle checkpoint and failover event
>   docs: Add COLO status diagram to COLO-FT.txt
>
> zhanghailiang (4):
>   qmp event: Add COLO_EXIT event to notify users while exited COLO
>   COLO: flush host dirty ram from cache
>   COLO: notify net filters about checkpoint/failover event
>   COLO: quick failover process by kick COLO thread
>
>  docs/COLO-FT.txt  |  34 ++
>  include/exec/ram_addr.h   |   1 +
>  include/migration/colo.h  |  11 +-
>  include/net/filter.h  |   5 +
>  include/net/net.h |   1 +
>  migration/Makefile.objs   |   2 +-
>  migration/colo-comm.c |  76 --
>  migration/colo-failover.c |   2 +-
>  migration/colo.c  | 212 --
>  migration/migration.c |  44 +++-
>  migration/ram.c   | 166 -
>  migration/ram.h   |   4 +
>  migration/savevm.c|  53 --
>  migration/savevm.h|   5 +
>  migration/trace-events|   3 +
>  net/colo-compare.c| 120 +++--
>  net/colo-compare.h|  24 +
>  net/colo.c|  10 +-
>  net/colo.h|  11 +-
>  net/filter-rewriter.c | 162 +++--
>  net/filter.c  |  17 +++
>  net/net.c |  42 
>  qapi/migration.json   |  80 +-
>  vl.c  |   2 -
>  24 files changed, 948 insertions(+), 139 deletions(-)
>  delete mode 100644 migration/colo-comm.c
>  create mode 100644 net/colo-compare.h
>
> --
> 2.17.GIT
>
>


[Qemu-devel] [PATCH 6/7] target/s390x: fix PACK reading 1 byte less and writing 1 byte more

2018-08-20 Thread Pavel Zbitskiy
PACK fails on the test from the Principles of Operation: F1F2F3F4
becomes 234C instead of 0001234C due to an off-by-one error.
Furthermore, it overwrites one extra byte to the left of F1.

If len_dest is 0, then we only want to flip the 1st byte and never loop
over the rest. Therefore, the loop condition should be > and not >=.

If len_src is 1, then we should flip the 1st byte and pack the 2nd.
Since len_src is already decremented before the loop, the first
condition should be >=, and not >.

Likewise for len_src == 2 and the second condition.

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/mem_helper.c   |  6 +++---
 tests/tcg/s390x/Makefile.target |  1 +
 tests/tcg/s390x/pack.c  | 21 +
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 tests/tcg/s390x/pack.c

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index 704d0193b5..bacae4f503 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -1019,15 +1019,15 @@ void HELPER(pack)(CPUS390XState *env, uint32_t len, 
uint64_t dest, uint64_t src)
 len_src--;
 
 /* now pack every value */
-while (len_dest >= 0) {
+while (len_dest > 0) {
 b = 0;
 
-if (len_src > 0) {
+if (len_src >= 0) {
 b = cpu_ldub_data_ra(env, src, ra) & 0x0f;
 src--;
 len_src--;
 }
-if (len_src > 0) {
+if (len_src >= 0) {
 b |= cpu_ldub_data_ra(env, src, ra) << 4;
 src--;
 len_src--;
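Review bot: the reasoning for the `>= 0` (len_src has already been decremented once for the special rightmost byte, so zero still means one byte left) lives only in the commit message; put a one-line comment above the loop saying so, otherwise the next reader will see a `>= 0` next to a `> 0` and "fix" it back.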
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index 7de4376f52..151dc075aa 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -5,3 +5,4 @@ TESTS+=csst
 TESTS+=ipm
 TESTS+=exrl-trt
 TESTS+=exrl-trtr
+TESTS+=pack
diff --git a/tests/tcg/s390x/pack.c b/tests/tcg/s390x/pack.c
new file mode 100644
index 00..4be36f29a7
--- /dev/null
+++ b/tests/tcg/s390x/pack.c
@@ -0,0 +1,21 @@
+#include 
+
+int main(void)
+{
+char data[] = {0xaa, 0xaa, 0xf1, 0xf2, 0xf3, 0xc4, 0xaa, 0xaa};
+char exp[] = {0xaa, 0xaa, 0x00, 0x01, 0x23, 0x4c, 0xaa, 0xaa};
+int i;
+
+asm volatile(
+"pack 2(4,%[data]),2(4,%[data])\n"
+:
+: [data] "r" ([0])
+: "memory");
+for (i = 0; i < 8; i++) {
+if (data[i] != exp[i]) {
+write(1, "bad data\n", 9);
+return 1;
+}
+}
+return 0;
+}
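Review bot: the test only covers the case where both operands are 4 bytes; a second vector where the source is shorter than the destination (high-order zero fill) and one where it is longer (leftmost digits dropped) would pin down exactly the two loop boundaries the commit message argues about. Also, `data` and `exp` are plain `char` initialised with values above 0x7f; that works because char is unsigned on s390x, but `uint8_t` says so explicitly and avoids sign-conversion warnings if the file is ever built elsewhere.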
-- 
2.18.0
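The commit message's argument about the two loop bounds, as an added example that is not part of the patch or of QEMU's code: a host-side model of the corrected HELPER(pack) loop, run over the vector from tests/tcg/s390x/pack.c plus two constructed vectors for a shorter and a longer source. model_pack() and the pack_*_case() functions are names of this example only; the length byte is encoded as the instruction encodes it (the test's `pack 2(4,..),2(4,..)` is 0x33).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Host-side model of the corrected HELPER(pack) loop (added example, not
 * QEMU code), working on a byte array instead of guest memory. `len` is
 * the instruction's length byte: high nibble L1-1 (destination), low
 * nibble L2-1 (source). dest/src point at the leftmost byte of each field;
 * len_dest/len_src double as the index that the helper's moving dest/src
 * pointers would address.
 */
static void model_pack(uint32_t len, uint8_t *dest, const uint8_t *src)
{
    int len_dest = len >> 4;
    int len_src = len & 0xf;
    uint8_t b;

    /* last byte is special, it only flips the nibbles */
    b = src[len_src];
    dest[len_dest] = (uint8_t)((b << 4) | (b >> 4));
    len_src--;

    /* Runs len_dest times, storing to dest-1 .. dest-len_dest: with the
     * byte above that is exactly L1 bytes. The old ">= 0" ran once more
     * and clobbered the byte to the left of the field. */
    while (len_dest > 0) {
        b = 0;

        /* len_src was already decremented for the sign byte, so ">= 0"
         * means "one source byte remains"; the old "> 0" dropped it,
         * turning F1F2F3C4 into 234C instead of 0001234C. */
        if (len_src >= 0) {
            b = src[len_src--] & 0x0f;
        }
        if (len_src >= 0) {
            b |= (uint8_t)(src[len_src--] << 4);
        }

        len_dest--;
        dest[len_dest] = b;
    }
}

/* Pack src into a 0xEE-filled scratch buffer and compare n_dest bytes. */
static bool pack_case_matches(uint32_t len, const uint8_t *src,
                              const uint8_t *expect, size_t n_dest)
{
    uint8_t dest[8];

    memset(dest, 0xee, sizeof(dest));
    model_pack(len, dest, src);
    return memcmp(dest, expect, n_dest) == 0;
}

/* The in-place vector from tests/tcg/s390x/pack.c: F1 F2 F3 C4 packed over
 * itself becomes 00 01 23 4C and both 0xAA guard bytes survive (the old
 * loop overwrote the one on the left). */
static bool pack_inplace_case(void)
{
    uint8_t data[8] = {0xaa, 0xaa, 0xf1, 0xf2, 0xf3, 0xc4, 0xaa, 0xaa};
    static const uint8_t exp[8] = {0xaa, 0xaa, 0x00, 0x01, 0x23, 0x4c, 0xaa, 0xaa};

    model_pack(0x33, &data[2], &data[2]);             /* L1 = L2 = 4 */
    return memcmp(data, exp, sizeof(exp)) == 0;
}

/* Constructed: destination shorter than source, leftmost digits dropped. */
static bool pack_truncation_case(void)
{
    static const uint8_t src[4] = {0xf1, 0xf2, 0xf3, 0xc4};
    static const uint8_t exp[2] = {0x23, 0x4c};

    return pack_case_matches(0x13, src, exp, sizeof(exp));  /* L1 = 2, L2 = 4 */
}

/* Constructed: destination longer than source, high-order zeros supplied. */
static bool pack_padding_case(void)
{
    static const uint8_t src[2] = {0xf1, 0xc2};
    static const uint8_t exp[4] = {0x00, 0x00, 0x01, 0x2c};

    return pack_case_matches(0x31, src, exp, sizeof(exp));  /* L1 = 4, L2 = 2 */
}

int main(void)
{
    printf("in-place %d, truncation %d, padding %d\n", pack_inplace_case(),
           pack_truncation_case(), pack_padding_case());
    return 0;
}
```

Flipping either comparison back to its pre-patch form makes pack_inplace_case() fail on the guard byte (the extra store) or on the 0x01 (the dropped source byte), which is the quickest way to see that the two bounds are independent.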




[Qemu-devel] [PATCH 4/7] target/s390x: fix IPM polluting irrelevant bits

2018-08-20 Thread Pavel Zbitskiy
Suppose psw.mask=0x8000, cc=2, r1=0 and we do "ipm 1".
This command must touch only bits 32-39, so the expected output
is r1=0x2000. However, currently qemu yields r1=0x20008000,
because irrelevant parts of PSW leak into r1 during program mask
transfer.

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/translate.c| 17 +++--
 tests/tcg/s390x/Makefile.target |  1 +
 tests/tcg/s390x/ipm.c   | 22 ++
 3 files changed, 30 insertions(+), 10 deletions(-)
 create mode 100644 tests/tcg/s390x/ipm.c

diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 929fc2db28..f58b36b789 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -2445,20 +2445,17 @@ static DisasJumpType op_insi(DisasContext *s, DisasOps 
*o)
 
 static DisasJumpType op_ipm(DisasContext *s, DisasOps *o)
 {
-TCGv_i64 t1;
+TCGv_i64 t1, t2;
 
 gen_op_calc_cc(s);
-tcg_gen_andi_i64(o->out, o->out, ~0xff00ull);
-
 t1 = tcg_temp_new_i64();
-tcg_gen_shli_i64(t1, psw_mask, 20);
-tcg_gen_shri_i64(t1, t1, 36);
-tcg_gen_or_i64(o->out, o->out, t1);
-
-tcg_gen_extu_i32_i64(t1, cc_op);
-tcg_gen_shli_i64(t1, t1, 28);
-tcg_gen_or_i64(o->out, o->out, t1);
+tcg_gen_extract_i64(t1, psw_mask, 40, 4);
+t2 = tcg_temp_new_i64();
+tcg_gen_extu_i32_i64(t2, cc_op);
+tcg_gen_deposit_i64(t1, t1, t2, 4, 60);
+tcg_gen_deposit_i64(o->out, o->out, t1, 24, 8);
 tcg_temp_free_i64(t1);
+tcg_temp_free_i64(t2);
 return DISAS_NEXT;
 }
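Review bot: `tcg_gen_deposit_i64(t1, t1, t2, 4, 60)` deposits 60 bits of a value that is at most 3 (the zero-extended cc), so a length of 2 states the intent; a comment mapping the two magic offsets to the architecture's numbering (extract at 40..43 = PSW bits 20-23, the program mask; deposit at 24..31 = bits 32-39 of the register) would also help, since TCG counts from the LSB and the Principles of Operation count from the MSB.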
 
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index f62f950d8e..c800a582e5 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -2,3 +2,4 @@ VPATH+=$(SRC_PATH)/tests/tcg/s390x
 CFLAGS+=-march=zEC12 -m64
 TESTS+=hello-s390x
 TESTS+=csst
+TESTS+=ipm
diff --git a/tests/tcg/s390x/ipm.c b/tests/tcg/s390x/ipm.c
new file mode 100644
index 00..742f3a18c5
--- /dev/null
+++ b/tests/tcg/s390x/ipm.c
@@ -0,0 +1,22 @@
+#include 
+#include 
+
+int main(void)
+{
+uint32_t op1 = 0x;
+uint32_t op2 = 0x;
+uint64_t cc = 0xull;
+
+asm volatile(
+"clc 0(4,%[op1]),0(%[op2])\n"
+"ipm %[cc]\n"
+: [cc] "+r" (cc)
+: [op1] "r" (),
+  [op2] "r" ()
+: "cc");
+if (cc != 0x20ffull) {
+write(1, "bad cc\n", 7);
+return 1;
+}
+return 0;
+}
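Review bot: the test drives only the condition-code half of IPM (cc from CLC) and never sets the program mask, which is zero in user mode unless the test loads one with SPM first; adding an SPM with a non-zero mask before the IPM would also cover the bits-36-39 path that this patch changes, and a non-zero initial value in the register would show that bits outside 32-39 are preserved.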
-- 
2.18.0
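The bit leak described in the commit message, as an added example that is not part of the patch or of QEMU: C models of the pre-patch and patched IPM sequences on top of plain-integer versions of TCG's extract/deposit. ipm_old(), ipm_new(), extract64() and deposit64() are this example's own names, and the 0x80000000 "stray bit" input is constructed (the constants in the archived message are incomplete).

```c
#include <stdint.h>
#include <stdio.h>

/*
 * C models of the IPM code sequences before and after this patch (added
 * example, not QEMU code), built on plain-integer versions of TCG's
 * extract/deposit. Bit positions count from the LSB, as TCG does; the
 * Principles of Operation count from the MSB, so PSW bits 20-23 (the
 * program mask) are bits 40..43 here and register bits 32-39 are 24..31.
 */
static uint64_t extract64(uint64_t value, unsigned start, unsigned length)
{
    return (value >> start) & (~0ULL >> (64 - length));
}

static uint64_t deposit64(uint64_t value, unsigned start, unsigned length,
                          uint64_t fieldval)
{
    uint64_t mask = (~0ULL >> (64 - length)) << start;

    return (value & ~mask) | ((fieldval << start) & mask);
}

/*
 * Pre-patch sequence (modelled from the removed lines): clear the target
 * byte, OR in (psw_mask << 20) >> 36, then OR in cc << 28. The shift pair
 * carries PSW bits 16..43 into r1 bits 0..27, so any PSW bit set in
 * 16..39 lands in r1 below the byte IPM is allowed to touch.
 */
static uint64_t ipm_old(uint64_t r1, uint64_t psw_mask, uint32_t cc)
{
    uint64_t out = r1 & ~0xff000000ull;

    out |= (psw_mask << 20) >> 36;
    out |= (uint64_t)cc << 28;
    return out;
}

/*
 * Patched sequence: extract only the 4 program-mask bits, put cc above
 * them, and deposit the byte into r1 bits 24..31; deposit64() leaves
 * every other bit of r1 untouched.
 */
static uint64_t ipm_new(uint64_t r1, uint64_t psw_mask, uint32_t cc)
{
    uint64_t t1 = extract64(psw_mask, 40, 4);

    t1 = deposit64(t1, 4, 60, cc);          /* (cc << 4) | program mask */
    return deposit64(r1, 24, 8, t1);
}

int main(void)
{
    /* Constructed input: a PSW mask bit outside the program-mask field
     * (the message's own constants are incomplete in this copy), cc = 2. */
    uint64_t stray = 0x80000000ull;

    printf("old: %#llx  new: %#llx\n",
           (unsigned long long)ipm_old(0, stray, 2),
           (unsigned long long)ipm_new(0, stray, 2));
    return 0;
}
```

With only program-mask bits set in the PSW the two sequences agree, which is why the bug went unnoticed; the stray bit at position 31 is what turns 0x20000000 into 0x20008000 in the old sequence.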




[Qemu-devel] [PATCH 7/7] target/s390x: implement CVB, CVBY and CVBG

2018-08-20 Thread Pavel Zbitskiy
Convert to Binary - counterparts of the already implemented Convert
to Decimal (CVD*) instructions.
Example from the Principles of Operation: 25594C becomes 63FA.

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/helper.h   |  1 +
 target/s390x/insn-data.def  |  4 +++
 target/s390x/int_helper.c   | 50 +
 target/s390x/translate.c| 10 +++
 tests/tcg/s390x/Makefile.target |  1 +
 tests/tcg/s390x/cvb.c   | 18 
 6 files changed, 84 insertions(+)
 create mode 100644 tests/tcg/s390x/cvb.c

diff --git a/target/s390x/helper.h b/target/s390x/helper.h
index 97c60ca7bc..46baaee0ab 100644
--- a/target/s390x/helper.h
+++ b/target/s390x/helper.h
@@ -88,6 +88,7 @@ DEF_HELPER_FLAGS_4(tcxb, TCG_CALL_NO_RWG_SE, i32, env, i64, 
i64, i64)
 DEF_HELPER_FLAGS_2(sqeb, TCG_CALL_NO_WG, i64, env, i64)
 DEF_HELPER_FLAGS_2(sqdb, TCG_CALL_NO_WG, i64, env, i64)
 DEF_HELPER_FLAGS_3(sqxb, TCG_CALL_NO_WG, i64, env, i64, i64)
+DEF_HELPER_FLAGS_3(cvb, TCG_CALL_NO_WG, i64, env, i64, i32)
 DEF_HELPER_FLAGS_1(cvd, TCG_CALL_NO_RWG_SE, i64, s32)
 DEF_HELPER_FLAGS_4(pack, TCG_CALL_NO_WG, void, env, i32, i64, i64)
 DEF_HELPER_FLAGS_4(pka, TCG_CALL_NO_WG, void, env, i64, i64, i32)
diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
index 9c7b434fca..1b29a5e044 100644
--- a/target/s390x/insn-data.def
+++ b/target/s390x/insn-data.def
@@ -284,6 +284,10 @@
 D(0xec73, CLFIT,   RIE_a, GIE, r1_32u, i2_32u, 0, 0, ct, 0, 1)
 D(0xec71, CLGIT,   RIE_a, GIE, r1_o, i2_32u, 0, 0, ct, 0, 1)
 
+/* CONVERT TO BINARY */
+C(0x4f00, CVB, RX_a,  Z,   0, a2, new, r1_32, cvb, 0)
+C(0xe306, CVBY,RXY_a, LD,  0, a2, new, r1_32, cvb, 0)
+C(0xe30e, CVBG,RXY_a, Z,   0, a2, r1, 0, cvb, 0)
 /* CONVERT TO DECIMAL */
 C(0x4e00, CVD, RX_a,  Z,   r1_o, a2, 0, 0, cvd, 0)
 C(0xe326, CVDY,RXY_a, LD,  r1_o, a2, 0, 0, cvd, 0)
diff --git a/target/s390x/int_helper.c b/target/s390x/int_helper.c
index abf77a94e6..66c6dc8b3a 100644
--- a/target/s390x/int_helper.c
+++ b/target/s390x/int_helper.c
@@ -24,6 +24,7 @@
 #include "exec/exec-all.h"
 #include "qemu/host-utils.h"
 #include "exec/helper-proto.h"
+#include "exec/cpu_ldst.h"
 
 /* #define DEBUG_HELPER */
 #ifdef DEBUG_HELPER
@@ -118,6 +119,55 @@ uint64_t HELPER(divu64)(CPUS390XState *env, uint64_t ah, 
uint64_t al,
 return ret;
 }
 
+static void general_operand_exception(CPUS390XState *env, uintptr_t ra)
+{
+#ifndef CONFIG_USER_ONLY
+LowCore *lowcore;
+
+lowcore = cpu_map_lowcore(env);
+lowcore->data_exc_code = 0;
+cpu_unmap_lowcore(lowcore);
+#endif
+s390_program_interrupt(env, PGM_DATA, ILEN_AUTO, ra);
+}
+
+uint64_t HELPER(cvb)(CPUS390XState *env, uint64_t src, uint32_t n)
+{
+int i, j;
+uintptr_t ra = GETPC();
+int64_t dec, sign = 0, digit, val = 0, pow10 = 0;
+
+for (i = 0; i < n; i++) {
+dec = cpu_ldq_data_ra(env, src + (n - i - 1) * 8, ra);
+for (j = 0; j < 16; j++, dec >>= 4) {
+if (i == 0 && j == 0) {
+sign = dec & 0xf;
+if (sign < 0xa) {
+general_operand_exception(env, ra);
+}
+continue;
+}
+digit = dec & 0xf;
+if (digit > 0x9) {
+general_operand_exception(env, ra);
+}
+if (i == 0 && j == 1) {
+if (sign == 0xb || sign == 0xd) {
+val = -digit;
+pow10 = -10;
+} else {
+val = digit;
+pow10 = 10;
+}
+} else {
+val += digit * pow10;
+pow10 *= 10;
+}
+}
+}
+return val;
+}
+
 uint64_t HELPER(cvd)(int32_t reg)
 {
 /* positive 0 */
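Review bot: there is no range check: CVB/CVBY store through r1_32 (see the insn-data.def hunk), so a value that needs more than 31 bits plus sign is silently truncated, and for CVBG 31 digits do not fit in int64_t, so `val += digit * pow10;` and `pow10 *= 10;` overflow (signed overflow is undefined behaviour in C) instead of raising the fixed-point-divide exception the Principles of Operation require for an out-of-range result. Detect the overflow (for example with the __builtin_*_overflow helpers, or by bounding the number of significant digits) and raise the exception; `pow10` also needs care, since it keeps growing past 10^18 even when the remaining digits are zeros.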
diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index f58b36b789..b3cbfead5d 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -2115,6 +2115,16 @@ static DisasJumpType op_csp(DisasContext *s, DisasOps *o)
 }
 #endif
 
+static DisasJumpType op_cvb(DisasContext *s, DisasOps *o)
+{
+uint64_t n = ((s->fields->op == 0xE3) && (s->fields->op2 == 0x0E)) ?
+/* CVBG */  2 :
+/* CVB, CVBY */ 1;
+
+gen_helper_cvb(o->out, cpu_env, o->in2, tcg_const_i32(n));
+return DISAS_NEXT;
+}
+
 static DisasJumpType op_cvd(DisasContext *s, DisasOps *o)
 {
 TCGv_i64 t1 = tcg_temp_new_i64();
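Review bot: `tcg_const_i32(n)` allocates a TCG temporary that is never freed; keep it in a TCGv_i32 and tcg_temp_free_i32() it after gen_helper_cvb(). Deciding CVBG from `op == 0xE3 && op2 == 0x0E` also ties the translator to opcode bytes; a separate op_cvbg(), or distinguishing the width through the insn-data.def entry, would be more in keeping with the rest of the file.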
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index 151dc075aa..990dfb26ff 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -6,3 +6,4 @@ TESTS+=ipm
 TESTS+=exrl-trt
 TESTS+=exrl-trtr
 TESTS+=pack
+TESTS+=cvb
diff --git a/tests/tcg/s390x/cvb.c b/tests/tcg/s390x/cvb.c
new file mode 100644
index 00..3a72e132aa
--- /dev/null
+++ b/tests/tcg/s390x/cvb.c
@@ -0,0 +1,18 @@
+#include 
+#include 
+
+int main(void)
+{
+uint64_t data = 

[Qemu-devel] [PATCH 3/7] target/s390x: fix CSST decoding and runtime alignment check

2018-08-20 Thread Pavel Zbitskiy
CSST is defined as:

C(0xc802, CSST,SSF,   CASS, la1, a2, 0, 0, csst, 0)

It means that the first parameter is handled by in1_la1().
in1_la1() fills addr1 field, and not in1.

Furthermore, when extract32() is used for the alignment check, the
third parameter should specify the number of trailing bits that must
be 0. For FC these numbers are:

FC=0 (word, 4 bytes):        2
FC=1 (double word, 8 bytes): 3
FC=2 (quad word, 16 bytes):  4

For SC these numbers correspond to the size:

SC=0: 0
SC=1: 1
SC=2: 2
SC=3: 3
SC=4: 4

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/mem_helper.c   |  2 +-
 target/s390x/translate.c|  4 +--
 tests/tcg/s390x/Makefile.target |  1 +
 tests/tcg/s390x/csst.c  | 43 +
 4 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 tests/tcg/s390x/csst.c

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index e21a47fb4d..c94dbf3fcb 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -1442,7 +1442,7 @@ static uint32_t do_csst(CPUS390XState *env, uint32_t r3, 
uint64_t a1,
 }
 
 /* Sanity check the alignments.  */
-if (extract32(a1, 0, 4 << fc) || extract32(a2, 0, 1 << sc)) {
+if (extract32(a1, 0, fc + 2) || extract32(a2, 0, sc)) {
 goto spec_exception;
 }
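Review bot: `extract32(a2, 0, sc)` is called with a zero length when SC = 0, the 1-byte store case listed in the commit message, and extract32() in include/qemu/bitops.h asserts `length > 0`, so this trades a wrong alignment check for an assertion failure on a legal operand (the removed `1 << sc` never produced a zero length). Test the low bits with a mask instead, e.g. `(a2 & ((1 << sc) - 1))`, or skip the a2 test when sc == 0.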
 
diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 111d575c41..929fc2db28 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -2059,9 +2059,9 @@ static DisasJumpType op_csst(DisasContext *s, DisasOps *o)
 TCGv_i32 t_r3 = tcg_const_i32(r3);
 
 if (tb_cflags(s->base.tb) & CF_PARALLEL) {
-gen_helper_csst_parallel(cc_op, cpu_env, t_r3, o->in1, o->in2);
+gen_helper_csst_parallel(cc_op, cpu_env, t_r3, o->addr1, o->in2);
 } else {
-gen_helper_csst(cc_op, cpu_env, t_r3, o->in1, o->in2);
+gen_helper_csst(cc_op, cpu_env, t_r3, o->addr1, o->in2);
 }
 tcg_temp_free_i32(t_r3);
 
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index 9f4076901f..f62f950d8e 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -1,3 +1,4 @@
 VPATH+=$(SRC_PATH)/tests/tcg/s390x
 CFLAGS+=-march=zEC12 -m64
 TESTS+=hello-s390x
+TESTS+=csst
diff --git a/tests/tcg/s390x/csst.c b/tests/tcg/s390x/csst.c
new file mode 100644
index 00..1dae9071fb
--- /dev/null
+++ b/tests/tcg/s390x/csst.c
@@ -0,0 +1,43 @@
+#include 
+#include 
+
+int main(void)
+{
+uint64_t parmlist[] = {
+0xfedcba9876543210ull,
+0,
+0xull,
+0,
+};
+uint64_t op1 = 0x0123456789abcdefull;
+uint64_t op2 = 0;
+uint64_t op3 = op1;
+uint64_t cc;
+
+asm volatile(
+"lghi %%r0,%[flags]\n"
+"la %%r1,%[parmlist]\n"
+"csst %[op1],%[op2],%[op3]\n"
+"ipm %[cc]\n"
+: [op1] "+m" (op1),
+  [op2] "+m" (op2),
+  [op3] "+r" (op3),
+  [cc] "=r" (cc)
+: [flags] "K" (0x0301),
+  [parmlist] "m" (parmlist)
+: "r0", "r1", "cc", "memory");
+cc = (cc >> 28) & 3;
+if (cc) {
+write(1, "bad cc\n", 7);
+return 1;
+}
+if (op1 != parmlist[0]) {
+write(1, "bad op1\n", 8);
+return 1;
+}
+if (op2 != parmlist[2]) {
+write(1, "bad op2\n", 8);
+return 1;
+}
+return 0;
+}
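Review bot: the test exercises only the success path: r0 = 0x0301 selects a single FC/SC pair, and with op1 == op3 the compare always matches, so cc is 0 and the store is performed. Neither the cc = 1 mismatch path nor the alignment check this patch corrects (a misaligned op1 or op2 must raise a specification exception, an SC = 0 store must not) is covered, so a regression in the extract32 lengths would still pass. A mismatch case and, with a signal handler, a misaligned case would cover the change being made.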
-- 
2.18.0
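The alignment rule from the commit message above, worked through in plain C as an added example (my code, not QEMU's): `csst_aligned` applies the corrected bit counts (fc + 2 for the first operand, sc for the second), `csst_aligned_old` reproduces the lengths the removed line used so the two can be compared on the same addresses, and the mask helper turns the SC = 0 case (a 1-byte store needs no alignment) into an empty mask instead of a zero-length field extraction. Function names and the sample addresses are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code: the CSST alignment rule from the commit message.
 * fc selects the compare-and-swap width (0: word, 1: doubleword, 2: quadword),
 * sc the store width (2^sc bytes, 0..4). Each operand must be aligned to its own
 * width, i.e. the low fc+2 (for a1) and sc (for a2) address bits must be zero. */

/* Low-bit mask for a 2^bits-byte alignment. bits == 0 (SC=0, a 1-byte store)
 * yields an empty mask, so no zero-length field extraction is ever attempted. */
static uint64_t align_mask(int bits)
{
    return bits <= 0 ? 0 : (UINT64_C(1) << bits) - 1;
}

/* Corrected check: true when both operands meet the architected alignment;
 * out-of-range codes are rejected, as a specification exception would. */
static bool csst_aligned(uint64_t a1, uint64_t a2, unsigned fc, unsigned sc)
{
    if (fc > 2 || sc > 4) {
        return false;
    }
    return (a1 & align_mask((int)fc + 2)) == 0 && (a2 & align_mask((int)sc)) == 0;
}

/* The pre-patch check tested 4 << fc low bits of a1 and 1 << sc low bits of a2,
 * i.e. it demanded 16/256/65536-byte alignment for a1 and 2/4/16/256/65536-byte
 * alignment for a2. Reproduced here in mask form so the two can be compared. */
static bool csst_aligned_old(uint64_t a1, uint64_t a2, unsigned fc, unsigned sc)
{
    if (fc > 2 || sc > 4) {
        return false;
    }
    return (a1 & align_mask(4 << fc)) == 0 && (a2 & align_mask(1 << sc)) == 0;
}

int main(void)
{
    /* Constructed operand addresses: 0x1008 is 8-byte aligned, 0x2001 is odd. */
    struct { uint64_t a1, a2; unsigned fc, sc; } cases[] = {
        { 0x1008, 0x2001, 1, 0 },   /* doubleword CAS, 1-byte store: legal */
        { 0x1004, 0x2000, 0, 0 },   /* word CAS at a 4-byte address: legal */
        { 0x1010, 0x2010, 2, 4 },   /* quadword CAS, 16-byte store: legal */
        { 0x1004, 0x2000, 1, 0 },   /* doubleword CAS at a 4-byte address: no */
        { 0x1008, 0x2001, 1, 1 },   /* 2-byte store at an odd address: no */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("a1=%#llx a2=%#llx fc=%u sc=%u: new=%d old=%d\n",
               (unsigned long long)cases[i].a1, (unsigned long long)cases[i].a2,
               cases[i].fc, cases[i].sc,
               csst_aligned(cases[i].a1, cases[i].a2, cases[i].fc, cases[i].sc),
               csst_aligned_old(cases[i].a1, cases[i].a2, cases[i].fc, cases[i].sc));
    }
    return 0;
}
```

The first three rows are legal under the corrected rule and rejected by the old one: for FC = 1 the old check inspected the low 8 bits of a1, so 0x1008 failed even though it is 8-byte aligned, and for FC = 2 / SC = 4 it demanded 64 KiB alignment of both operands.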




[Qemu-devel] [PATCH 2/7] target/s390x: add BAL and BALR instructions

2018-08-20 Thread Pavel Zbitskiy
These instructions are provided for compatibility purposes and are
used only by old software; in new code BAS and BASR are preferred.
The difference between the old and new instructions exists only in
24-bit mode.

In addition, fix BAS polluting high 32 bits of the first operand in
24- and 31-bit addressing modes.

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/insn-data.def |  3 +++
 target/s390x/translate.c   | 55 +-
 2 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/target/s390x/insn-data.def b/target/s390x/insn-data.def
index 5c6f33ed9c..9c7b434fca 100644
--- a/target/s390x/insn-data.def
+++ b/target/s390x/insn-data.def
@@ -102,6 +102,9 @@
 D(0x9400, NI,  SI,Z,   la1, i2_8u, new, 0, ni, nz64, MO_UB)
 D(0xeb54, NIY, SIY,   LD,  la1, i2_8u, new, 0, ni, nz64, MO_UB)
 
+/* BRANCH AND LINK */
+C(0x0500, BALR,RR_a,  Z,   0, r2_nz, r1, 0, bal, 0)
+C(0x4500, BAL, RX_a,  Z,   0, a2, r1, 0, bal, 0)
 /* BRANCH AND SAVE */
 C(0x0d00, BASR,RR_a,  Z,   0, r2_nz, r1, 0, bas, 0)
 C(0x4d00, BAS, RX_a,  Z,   0, a2, r1, 0, bas, 0)
diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 57c03cbf58..111d575c41 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -84,14 +84,22 @@ static uint64_t inline_branch_hit[CC_OP_MAX];
 static uint64_t inline_branch_miss[CC_OP_MAX];
 #endif
 
-static uint64_t pc_to_link_info(DisasContext *s, uint64_t pc)
+static void pc_to_link_info(TCGv_i64 out, DisasContext *s, uint64_t pc)
 {
-if (!(s->base.tb->flags & FLAG_MASK_64)) {
-if (s->base.tb->flags & FLAG_MASK_32) {
-return pc | 0x8000;
+TCGv_i64 tmp;
+
+if (s->base.tb->flags & FLAG_MASK_32) {
+if (s->base.tb->flags & FLAG_MASK_64) {
+tcg_gen_movi_i64(out, pc);
+return;
 }
+pc |= 0x8000;
 }
-return pc;
+assert(!(s->base.tb->flags & FLAG_MASK_64));
+tmp = tcg_temp_new_i64();
+tcg_gen_movi_i64(tmp, pc);
+tcg_gen_deposit_i64(out, out, tmp, 0, 32);
+tcg_temp_free_i64(tmp);
 }
 
 static TCGv_i64 psw_addr;
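Review bot: pc_to_link_info now reads `out` before writing it (`tcg_gen_deposit_i64(out, out, tmp, 0, 32)` keeps the upper 32 bits in 24- and 31-bit mode), so it silently depends on every caller passing a destination already loaded with the current r1 value rather than a fresh temporary; a comment stating that precondition would save the next reader a trip to the insn-data.def rows. The `assert(!(s->base.tb->flags & FLAG_MASK_64))` likewise encodes the assumption that the 64-bit flag is never set without the 32-bit flag (EA without BA is an invalid PSW), which belongs in the same comment.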
@@ -1453,7 +1461,40 @@ static DisasJumpType op_ni(DisasContext *s, DisasOps *o)
 
 static DisasJumpType op_bas(DisasContext *s, DisasOps *o)
 {
-tcg_gen_movi_i64(o->out, pc_to_link_info(s, s->pc_tmp));
+pc_to_link_info(o->out, s, s->pc_tmp);
+if (o->in2) {
+tcg_gen_mov_i64(psw_addr, o->in2);
+per_branch(s, false);
+return DISAS_PC_UPDATED;
+} else {
+return DISAS_NEXT;
+}
+}
+
+static void save_link_info(DisasContext *s, DisasOps *o)
+{
+TCGv_i64 t;
+
+if (s->base.tb->flags & (FLAG_MASK_32 | FLAG_MASK_64)) {
+pc_to_link_info(o->out, s, s->pc_tmp);
+return;
+}
+gen_op_calc_cc(s);
+tcg_gen_andi_i64(o->out, o->out, 0xull);
+tcg_gen_ori_i64(o->out, o->out, ((s->ilen / 2) << 30) | s->pc_tmp);
+t = tcg_temp_new_i64();
+tcg_gen_shri_i64(t, psw_mask, 16);
+tcg_gen_andi_i64(t, t, 0x0f00);
+tcg_gen_or_i64(o->out, o->out, t);
+tcg_gen_extu_i32_i64(t, cc_op);
+tcg_gen_shli_i64(t, t, 28);
+tcg_gen_or_i64(o->out, o->out, t);
+tcg_temp_free_i64(t);
+}
+
+static DisasJumpType op_bal(DisasContext *s, DisasOps *o)
+{
+save_link_info(s, o);
 if (o->in2) {
 tcg_gen_mov_i64(psw_addr, o->in2);
 per_branch(s, false);
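Review bot: the 24-bit path of save_link_info builds the BAL link word from bare shifts and masks (`(s->ilen / 2) << 30` for the ILC, `<< 28` for the condition code, `psw_mask >> 16` masked for the program mask) and nothing names the fields; a comment giving the layout (bits 0-1 ILC, 2-3 CC, 4-7 program mask, 8-31 address) would document why BAL differs from BAS only in this mode, as the commit message says. The `gen_op_calc_cc(s)` call must also stay ahead of the `tcg_gen_extu_i32_i64(t, cc_op)` read or cc_op may be stale; the order is right here but worth a one-line note, since the two lines are separated by the address computation.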
@@ -1465,7 +1506,7 @@ static DisasJumpType op_bas(DisasContext *s, DisasOps *o)
 
 static DisasJumpType op_basi(DisasContext *s, DisasOps *o)
 {
-tcg_gen_movi_i64(o->out, pc_to_link_info(s, s->pc_tmp));
+pc_to_link_info(o->out, s, s->pc_tmp);
 return help_goto_direct(s, s->base.pc_next + 2 * get_field(s->fields, i2));
 }
 
-- 
2.18.0




[Qemu-devel] [PATCH 0/7] Some improvements in z/Arch instructions support

2018-08-20 Thread Pavel Zbitskiy
Found while attempting to run an old tool in qemu.

* BAL and BALR:    Added.
* CSST:            Qemu crashed after an accidental jump to garbage.
* IPM:             A tool produced an incorrect output.
* EX TRT/TRTR:     A tool ran quite slow.
* PACK:            A tool produced an incorrect output.
* CVB, CVBY, CVBG: Added.

Changes since v2:
* Updated MAINTAINERS.
* Updated BAL and BAS not to overwrite high 32 bits
  in 24- and 31- bit modes.

Changes since v1:
* Tests.
* Call pc_to_link_info() instead of op_bas().
* Clarified CSST commit message.
* Rewrote IPM using extract/deposit.
* Clarified PACK commit message.
* Do not use LowCore for CONFIG_USER_ONLY.
* Reduce duplication in CVB code.

Pavel Zbitskiy (7):
  tests/tcg: add a simple s390x test
  target/s390x: add BAL and BALR instructions
  target/s390x: fix CSST decoding and runtime alignment check
  target/s390x: fix IPM polluting irrelevant bits
  target/s390x: add EX support for TRT and TRTR
  target/s390x: fix PACK reading 1 byte less and writing 1 byte more
  target/s390x: implement CVB, CVBY and CVBG

 MAINTAINERS |  1 +
 target/s390x/helper.h   |  1 +
 target/s390x/insn-data.def  |  7 +++
 target/s390x/int_helper.c   | 50 +++
 target/s390x/mem_helper.c   | 24 +++--
 target/s390x/translate.c| 86 +
 tests/tcg/s390x/Makefile.target |  9 
 tests/tcg/s390x/csst.c  | 43 +
 tests/tcg/s390x/cvb.c   | 18 +++
 tests/tcg/s390x/exrl-trt.c  | 48 ++
 tests/tcg/s390x/exrl-trtr.c | 48 ++
 tests/tcg/s390x/hello-s390x.c   |  7 +++
 tests/tcg/s390x/ipm.c   | 22 +
 tests/tcg/s390x/pack.c  | 21 
 14 files changed, 362 insertions(+), 23 deletions(-)
 create mode 100644 tests/tcg/s390x/Makefile.target
 create mode 100644 tests/tcg/s390x/csst.c
 create mode 100644 tests/tcg/s390x/cvb.c
 create mode 100644 tests/tcg/s390x/exrl-trt.c
 create mode 100644 tests/tcg/s390x/exrl-trtr.c
 create mode 100644 tests/tcg/s390x/hello-s390x.c
 create mode 100644 tests/tcg/s390x/ipm.c
 create mode 100644 tests/tcg/s390x/pack.c

-- 
2.18.0




[Qemu-devel] [PATCH 5/7] target/s390x: add EX support for TRT and TRTR

2018-08-20 Thread Pavel Zbitskiy
Improves "b213c9f5: target/s390x: Implement TRTR" by introducing
intermediate functions that are compatible with the dx_helper type.

Signed-off-by: Pavel Zbitskiy 
---
 target/s390x/mem_helper.c   | 16 +++
 tests/tcg/s390x/Makefile.target |  2 ++
 tests/tcg/s390x/exrl-trt.c  | 48 +
 tests/tcg/s390x/exrl-trtr.c | 48 +
 4 files changed, 114 insertions(+)
 create mode 100644 tests/tcg/s390x/exrl-trt.c
 create mode 100644 tests/tcg/s390x/exrl-trtr.c

diff --git a/target/s390x/mem_helper.c b/target/s390x/mem_helper.c
index c94dbf3fcb..704d0193b5 100644
--- a/target/s390x/mem_helper.c
+++ b/target/s390x/mem_helper.c
@@ -1299,12 +1299,26 @@ static inline uint32_t do_helper_trt(CPUS390XState 
*env, int len,
 return 0;
 }
 
+static uint32_t do_helper_trt_fwd(CPUS390XState *env, uint32_t len,
+  uint64_t array, uint64_t trans,
+  uintptr_t ra)
+{
+return do_helper_trt(env, len, array, trans, 1, ra);
+}
+
 uint32_t HELPER(trt)(CPUS390XState *env, uint32_t len, uint64_t array,
  uint64_t trans)
 {
 return do_helper_trt(env, len, array, trans, 1, GETPC());
 }
 
+static uint32_t do_helper_trt_bkwd(CPUS390XState *env, uint32_t len,
+   uint64_t array, uint64_t trans,
+   uintptr_t ra)
+{
+return do_helper_trt(env, len, array, trans, -1, ra);
+}
+
 uint32_t HELPER(trtr)(CPUS390XState *env, uint32_t len, uint64_t array,
   uint64_t trans)
 {
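Review bot: HELPER(trt) and HELPER(trtr) now duplicate the direction argument that do_helper_trt_fwd and do_helper_trt_bkwd encode; having the HELPERs call the new wrappers with GETPC() (`return do_helper_trt_fwd(env, len, array, trans, GETPC());`) keeps the +1/-1 step in exactly one place per direction, which is the point of the patch. Also, do_helper_trt takes `int len` while the wrappers and the dx_helper type use `uint32_t`; the implicit conversion is harmless for the 1..256 lengths EX can produce but deserves a one-line comment at the wrapper.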
@@ -2193,12 +2207,14 @@ void HELPER(ex)(CPUS390XState *env, uint32_t ilen, 
uint64_t r1, uint64_t addr)
 typedef uint32_t (*dx_helper)(CPUS390XState *, uint32_t, uint64_t,
   uint64_t, uintptr_t);
 static const dx_helper dx[16] = {
+[0x0] = do_helper_trt_bkwd,
 [0x2] = do_helper_mvc,
 [0x4] = do_helper_nc,
 [0x5] = do_helper_clc,
 [0x6] = do_helper_oc,
 [0x7] = do_helper_xc,
 [0xc] = do_helper_tr,
+[0xd] = do_helper_trt_fwd,
 };
 dx_helper helper = dx[opc & 0xf];
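Review bot: the table is indexed by the low nibble of the executed opcode, so the two new entries are correct only because TRTR is 0xD0 and TRT is 0xDD, and neither they nor the neighbouring entries say which instruction they stand for. A comment per entry (`[0x0] = do_helper_trt_bkwd, /* TRTR */`, `[0xd] = do_helper_trt_fwd, /* TRT */`) would make the mapping reviewable without the opcode table open.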
 
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index c800a582e5..7de4376f52 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -3,3 +3,5 @@ CFLAGS+=-march=zEC12 -m64
 TESTS+=hello-s390x
 TESTS+=csst
 TESTS+=ipm
+TESTS+=exrl-trt
+TESTS+=exrl-trtr
diff --git a/tests/tcg/s390x/exrl-trt.c b/tests/tcg/s390x/exrl-trt.c
new file mode 100644
index 00..3c5323aecb
--- /dev/null
+++ b/tests/tcg/s390x/exrl-trt.c
@@ -0,0 +1,48 @@
+#include 
+#include 
+
+int main(void)
+{
+char op1[] = "hello";
+char op2[256];
+uint64_t r1 = 0xull;
+uint64_t r2 = 0xull;
+uint64_t cc;
+int i;
+
+for (i = 0; i < 256; i++) {
+if (i == 0) {
+op2[i] = 0xaa;
+} else {
+op2[i] = 0;
+}
+}
+asm volatile(
+"j 2f\n"
+"1:  trt 0(1,%[op1]),0(%[op2])\n"
+"2:  exrl %[op1_len],1b\n"
+"lgr %[r1],%%r1\n"
+"lgr %[r2],%%r2\n"
+"ipm %[cc]\n"
+: [r1] "+r" (r1),
+  [r2] "+r" (r2),
+  [cc] "=r" (cc)
+: [op1] "r" (),
+  [op1_len] "r" (5),
+  [op2] "r" ()
+: "r1", "r2", "cc");
+cc = (cc >> 28) & 3;
+if (cc != 2) {
+write(1, "bad cc\n", 7);
+return 1;
+}
+if ((char *)r1 != [5]) {
+write(1, "bad r1\n", 7);
+return 1;
+}
+if (r2 != 0xffaaull) {
+write(1, "bad r2\n", 7);
+return 1;
+}
+return 0;
+}
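Review bot: the test checks only the cc = 2 outcome (the non-zero function byte is hit at the last of the six bytes scanned, the NUL terminator of "hello"); the cc = 0 case (nothing found, r1 and r2 must stay untouched) and the cc = 1 case (found before the end) are not exercised, and those are what separate a correct TRT from one that stops early or always reports the end. A second function table with a non-zero entry for 'e' would cover cc = 1 cheaply, and an all-zero table covers cc = 0.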
diff --git a/tests/tcg/s390x/exrl-trtr.c b/tests/tcg/s390x/exrl-trtr.c
new file mode 100644
index 00..c33153ad7e
--- /dev/null
+++ b/tests/tcg/s390x/exrl-trtr.c
@@ -0,0 +1,48 @@
+#include 
+#include 
+
+int main(void)
+{
+char op1[] = {0, 1, 2, 3};
+char op2[256];
+uint64_t r1 = 0xull;
+uint64_t r2 = 0xull;
+uint64_t cc;
+int i;
+
+for (i = 0; i < 256; i++) {
+if (i == 1) {
+op2[i] = 0xbb;
+} else {
+op2[i] = 0;
+}
+}
+asm volatile(
+"j 2f\n"
+"1:  trtr 3(1,%[op1]),0(%[op2])\n"
+"2:  exrl %[op1_len],1b\n"
+"lgr %[r1],%%r1\n"
+"lgr %[r2],%%r2\n"
+"ipm %[cc]\n"
+: [r1] "+r" (r1),
+  [r2] "+r" (r2),
+  [cc] "=r" (cc)
+: [op1] "r" (),
+  [op1_len] "r" (3),
+  [op2] "r" ()
+: "r1", "r2", "cc");
+cc = (cc >> 28) & 3;
+if (cc != 1) {
+write(1, "bad cc\n", 7);
+return 1;
+}
+if ((char *)r1 != [1]) {
+write(1, "bad r1\n", 7);
+return 1;
+}
+if (r2 != 0xffbbull) {
+  

[Qemu-devel] [PATCH 1/7] tests/tcg: add a simple s390x test

2018-08-20 Thread Pavel Zbitskiy
Copied from alpha.

Signed-off-by: Pavel Zbitskiy 
---
 MAINTAINERS | 1 +
 tests/tcg/s390x/Makefile.target | 3 +++
 tests/tcg/s390x/hello-s390x.c   | 7 +++
 3 files changed, 11 insertions(+)
 create mode 100644 tests/tcg/s390x/Makefile.target
 create mode 100644 tests/tcg/s390x/hello-s390x.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 6902a568f4..27af17caa7 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -253,6 +253,7 @@ S: Maintained
 F: target/s390x/
 F: hw/s390x/
 F: disas/s390.c
+F: tests/tcg/s390x/
 L: qemu-s3...@nongnu.org
 
 SH4
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
new file mode 100644
index 00..9f4076901f
--- /dev/null
+++ b/tests/tcg/s390x/Makefile.target
@@ -0,0 +1,3 @@
+VPATH+=$(SRC_PATH)/tests/tcg/s390x
+CFLAGS+=-march=zEC12 -m64
+TESTS+=hello-s390x
diff --git a/tests/tcg/s390x/hello-s390x.c b/tests/tcg/s390x/hello-s390x.c
new file mode 100644
index 00..3dc0a05f2b
--- /dev/null
+++ b/tests/tcg/s390x/hello-s390x.c
@@ -0,0 +1,7 @@
+#include 
+
+int main(void)
+{
+write(1, "hello\n", 6);
+return 0;
+}
-- 
2.18.0




Re: [Qemu-devel] [PATCH v2 2/3] hw/pci: add teardown function for PCI resource reserve capability

2018-08-20 Thread Liu, Jing2



Hi Marcel,

On 8/20/2018 9:38 PM, Marcel Apfelbaum wrote:

Hi Jing,

On 08/20/2018 05:58 AM, Liu, Jing2 wrote:

Hi Marcel,

On 8/18/2018 12:10 AM, Marcel Apfelbaum wrote:

Hi Jing,

On 08/16/2018 12:28 PM, Jing Liu wrote:

Clean up the PCI config space of resource reserve capability.

Signed-off-by: Jing Liu 
---
  hw/pci/pci_bridge.c | 9 +
  include/hw/pci/pci_bridge.h | 1 +
  2 files changed, 10 insertions(+)

diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 15b055e..dbcee90 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -465,6 +465,15 @@ int pci_bridge_qemu_reserve_cap_init(PCIDevice 
*dev, int cap_offset,

  return 0;
  }
+void pci_bridge_qemu_reserve_cap_uninit(PCIDevice *dev)
+{
+    uint8_t pos = pci_find_capability(dev, PCI_CAP_ID_VNDR);
+
+    pci_del_capability(dev, PCI_CAP_ID_VNDR, 
sizeof(PCIBridgeQemuCap));


I think that you only need to call pci_del_capability,


+    memset(dev->config + pos + PCI_CAP_FLAGS, 0,
+   sizeof(PCIBridgeQemuCap) - PCI_CAP_FLAGS);
+}
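Review bot: independently of whether the memset is needed at all, `pos` is used without being checked: pci_find_capability() returns 0 when the capability is absent, and the memset would then overwrite `dev->config` from offset PCI_CAP_FLAGS of the standard header instead of the (non-existent) capability. If the function is kept, bail out on `pos == 0` before touching config space; if the memset goes, the lookup can go with it.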


... no need for the above line. The reason is pci_del_capability
will "unlink" the capability, and even if the data remains in
the configuration space array, it will not be used.


I think I got it: pci_del_capability "unlinks" by setting the tag
pdev->config[PCI_STATUS] &= ~PCI_STATUS_CAP_LIST;
so that pdev->config will not be used, right?


If it is the last capability in the list, yes.
Otherwise it will simply link 'prev' with 'next' using config array 
offsets.

I got it! Thanks very much for the details!

Jing



Thanks,
Marcel




Do you agree? If yes, just call pci_del_capability and you don't need
this patch.


Yup, I agree with you. And let me remove this patch in the next version.

Thanks,
Jing



Thanks,
Marcel



[...]






Re: [Qemu-devel] [PATCH v3 0/3] file-posix: Simplifications on image locking

2018-08-20 Thread Fam Zheng
On Fri, 08/17 17:35, no-re...@patchew.org wrote:
> ERROR:/tmp/qemu-test/src/tests/test-image-locking.c:69:check_locked_bytes: 
> assertion failed (perm_expected == !!qemu_lock_fd_test(fd, 100 + i, 1, 
> true)): (1 == 0)

This image doesn't have OFD locking support in its glibc. Will add a check in
the test code and skip.

Fam



[Qemu-devel] [PATCH v4 0/3] file-posix: Simplifications on image locking

2018-08-20 Thread Fam Zheng
v4: Fix test on systems without OFD. [Patchew]

The first patch reduces chances of QEMU crash in unusual (but not unlikely)
cases especially when used by Libvirt (see commit message).

The second patch halves the number of fds used for images.

The third adds some more tests for patch one (would have caught the regression
caused by v2).

Fam Zheng (3):
  file-posix: Skip effectiveless OFD lock operations
  file-posix: Drop s->lock_fd
  tests: Add unit tests for image locking

 block/file-posix.c |  83 
 tests/Makefile.include |   2 +
 tests/test-image-locking.c | 154 +
 3 files changed, 209 insertions(+), 30 deletions(-)
 create mode 100644 tests/test-image-locking.c

-- 
2.17.1




[Qemu-devel] [PATCH v4 1/3] file-posix: Skip effectiveless OFD lock operations

2018-08-20 Thread Fam Zheng
If we know we've already locked the bytes, don't do it again; similarly
don't unlock a byte if we haven't locked it. This doesn't change the
behavior, but fixes a corner case explained below.

Libvirt had an error handling bug where an image could get its (ownership,
file mode, SELinux) permissions changed (RHBZ 1584982) by mistake behind
QEMU's back. Specifically, an image in use by a Libvirt VM has:

$ ls -lhZ b.img
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c600,c690 b.img

Trying to attach it a second time won't work because of image locking.
And after the error, it becomes:

$ ls -lhZ b.img
-rw-r--r--. root root system_u:object_r:virt_image_t:s0 b.img

Then, we won't be able to do OFD lock operations with the existing fd.
In other words, the code such as in blk_detach_dev:

blk_set_perm(blk, 0, BLK_PERM_ALL, _abort);

can abort() QEMU because of environmental changes.

This patch is an easy fix for this, and the change is reasonable
regardless, so do it.

Signed-off-by: Fam Zheng 

---

v3: Don't misuse s->perm and s->shared_perm.
v2: For s == NULL, unlock all bits. [Kevin]
---
 block/file-posix.c | 54 +-
 1 file changed, 44 insertions(+), 10 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index fe83cbf0eb..f062e477e9 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -152,6 +152,11 @@ typedef struct BDRVRawState {
 uint64_t perm;
 uint64_t shared_perm;
 
+/* The perms bits whose corresponding bytes are already locked in
+ * s->lock_fd. */
+uint64_t locked_perm;
+uint64_t locked_shared_perm;
+
 #ifdef CONFIG_XFS
 bool is_xfs:1;
 #endif
@@ -680,43 +685,72 @@ typedef enum {
  * file; if @unlock == true, also unlock the unneeded bytes.
  * @shared_perm_lock_bits is the mask of all permissions that are NOT shared.
  */
-static int raw_apply_lock_bytes(int fd,
+static int raw_apply_lock_bytes(BDRVRawState *s, int fd,
 uint64_t perm_lock_bits,
 uint64_t shared_perm_lock_bits,
 bool unlock, Error **errp)
 {
 int ret;
 int i;
+uint64_t locked_perm, locked_shared_perm;
+
+if (s) {
+locked_perm = s->locked_perm;
+locked_shared_perm = s->locked_shared_perm;
+} else {
+/*
+ * We don't have the previous bits, just lock/unlock for each of the
+ * requested bits.
+ */
+if (unlock) {
+locked_perm = BLK_PERM_ALL;
+locked_shared_perm = BLK_PERM_ALL;
+} else {
+locked_perm = 0;
+locked_shared_perm = 0;
+}
+}
 
 PERM_FOREACH(i) {
 int off = RAW_LOCK_PERM_BASE + i;
-if (perm_lock_bits & (1ULL << i)) {
+uint64_t bit = (1ULL << i);
+if ((perm_lock_bits & bit) && !(locked_perm & bit)) {
 ret = qemu_lock_fd(fd, off, 1, false);
 if (ret) {
 error_setg(errp, "Failed to lock byte %d", off);
 return ret;
+} else if (s) {
+s->locked_perm |= bit;
 }
-} else if (unlock) {
+} else if (unlock && (locked_perm & bit) && !(perm_lock_bits & bit)) {
 ret = qemu_unlock_fd(fd, off, 1);
 if (ret) {
 error_setg(errp, "Failed to unlock byte %d", off);
 return ret;
+} else if (s) {
+s->locked_perm &= ~bit;
 }
 }
 }
 PERM_FOREACH(i) {
 int off = RAW_LOCK_SHARED_BASE + i;
-if (shared_perm_lock_bits & (1ULL << i)) {
+uint64_t bit = (1ULL << i);
+if ((shared_perm_lock_bits & bit) && !(locked_shared_perm & bit)) {
 ret = qemu_lock_fd(fd, off, 1, false);
 if (ret) {
 error_setg(errp, "Failed to lock byte %d", off);
 return ret;
+} else if (s) {
+s->locked_shared_perm |= bit;
 }
-} else if (unlock) {
+} else if (unlock && (locked_shared_perm & bit) &&
+   !(shared_perm_lock_bits & bit)) {
 ret = qemu_unlock_fd(fd, off, 1);
 if (ret) {
 error_setg(errp, "Failed to unlock byte %d", off);
 return ret;
+} else if (s) {
+s->locked_shared_perm &= ~bit;
 }
 }
 }
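Review bot: when `s == NULL` and `unlock == true`, locked_perm and locked_shared_perm are seeded with BLK_PERM_ALL, so the `!(locked_perm & bit)` guard is never true and the function cannot lock anything in that mode; it only unlocks the bits absent from perm_lock_bits, which is the opposite of the `s != NULL` semantics where one call both locks and unlocks. No caller in this series passes that combination (raw_reopen_commit in patch 2 uses NULL with unlock == false), so either `assert(s || !unlock)` or state in the comment block above that the stateless mode is lock-only or unlock-only; otherwise a future caller gets silently incomplete locking.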
@@ -788,7 +822,7 @@ static int raw_handle_perm_lock(BlockDriverState *bs,
 
 switch (op) {
 case RAW_PL_PREPARE:
-ret = raw_apply_lock_bytes(s->lock_fd, s->perm | new_perm,
+ret = raw_apply_lock_bytes(s, s->lock_fd, s->perm | new_perm,
~s->shared_perm | ~new_shared,
false, errp);
 if (!ret) {
@@ -800,7 +834,7 @@ static int raw_handle_perm_lock(BlockDriverState *bs,
 op = RAW_PL_ABORT;
 /* fall through to unlock 
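The per-permission byte locks this commit message describes, exercised on a real file as an added example (my code, not QEMU's): `apply_lock_bytes` keeps a held-bits record and issues fcntl(F_OFD_SETLK) only where that record and the requested masks differ, which is the "skip effectless operations" rule, and `check_conflicts` probes the bytes from a second open file description the way a second opener (or the unit test later in this series) has to. The offsets 100 and 200, the three permission bits, the function names and the scratch-file path are constructed for the example; OFD locks are Linux-specific, and the F_OFD_* fallback values are the Linux ones.

```c
#define _GNU_SOURCE                 /* exposes F_OFD_* in glibc's <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef F_OFD_SETLK                 /* Linux values, for headers that hide them */
#define F_OFD_GETLK 36
#define F_OFD_SETLK 37
#endif
/* Added example, not QEMU code. Permission bit i maps to two image bytes:
 * PERM_BASE + i is locked by an opener holding permission i, SHARED_BASE + i by
 * one refusing to share it. OFD locks belong to the open file description, so a
 * second open() of the file sees them as foreign. All names are constructed. */
enum { PERM_BASE = 100, SHARED_BASE = 200, PERM_BITS = 3 };
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_RESIZE = 4, PERM_ALL = 7 };

/* Lock (F_WRLCK) or unlock (F_UNLCK) one byte; l_pid must stay 0 for OFD locks. */
static int byte_lock(int fd, int off, short type)
{
    struct flock fl = { .l_type = type, .l_whence = SEEK_SET, .l_start = off, .l_len = 1 };
    return fcntl(fd, F_OFD_SETLK, &fl) == 0 ? 0 : -errno;
}

/* True if a *different* open file description holds a lock on this byte. */
static bool byte_locked_elsewhere(int fd, int off)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = off, .l_len = 1 };
    return fcntl(fd, F_OFD_GETLK, &fl) != 0 || fl.l_type != F_UNLCK;
}

/* Bring bytes base+i in line with `want`, calling fcntl only where the recorded
 * `held` state differs (the patch's rule); unlock == false never drops a bit. */
static int sync_bytes(int fd, int base, uint64_t want, uint64_t *held,
                      bool unlock, int *syscalls)
{
    for (int i = 0; i < PERM_BITS; i++) {
        uint64_t bit = UINT64_C(1) << i;
        bool have = (*held & bit) != 0, need = (want & bit) != 0;
        if (need != have && (need || unlock)) {
            (*syscalls)++;
            int ret = byte_lock(fd, base + i, need ? F_WRLCK : F_UNLCK);
            if (ret) {
                return ret;
            }
            *held = need ? (*held | bit) : (*held & ~bit);
        }
    }
    return 0;
}

/* perm: bits we hold; shared_perm: bits others may hold (complement is locked). */
static int apply_lock_bytes(int fd, uint64_t held[2], uint64_t perm,
                            uint64_t shared_perm, bool unlock, int *syscalls)
{
    int ret = sync_bytes(fd, PERM_BASE, perm & PERM_ALL, &held[0], unlock, syscalls);
    return ret ? ret : sync_bytes(fd, SHARED_BASE, ~shared_perm & PERM_ALL,
                                  &held[1], unlock, syscalls);
}

/* Bits on which a prospective opener (perm, shared_perm) clashes with current
 * holders: wanting a bit someone refuses to share, or refusing to share a bit someone holds. */
static uint64_t check_conflicts(int fd, uint64_t perm, uint64_t shared_perm)
{
    uint64_t clash = 0;
    for (int i = 0; i < PERM_BITS; i++) {
        uint64_t bit = UINT64_C(1) << i;
        if (((perm & bit) && byte_locked_elsewhere(fd, SHARED_BASE + i)) ||
            (!(shared_perm & bit) && byte_locked_elsewhere(fd, PERM_BASE + i))) {
            clash |= bit;
        }
    }
    return clash;
}

/* Scenario on a scratch file: 0 when every expectation holds, -errno on a syscall
 * failure, else the number of the failed expectation. n counts F_OFD_SETLK calls. */
static int run_scenario(void)
{
    char path[] = "/tmp/lockdemo.XXXXXX";
    int fd_a = mkstemp(path), fd_b = fd_a < 0 ? -1 : open(path, O_RDWR);
    int n = 0, ret = (fd_a < 0 || fd_b < 0) ? -errno : 0;
    uint64_t held[2] = { 0, 0 };                /* opener A's bookkeeping */
    if (fd_a >= 0) unlink(path);
    /* 1: A takes READ|WRITE sharing everything (two lock calls); applying the
     * same masks again must not add a single syscall */
    if (!ret) ret = apply_lock_bytes(fd_a, held, PERM_READ | PERM_WRITE, PERM_ALL, false, &n);
    if (!ret) ret = apply_lock_bytes(fd_a, held, PERM_READ | PERM_WRITE, PERM_ALL, false, &n);
    if (!ret && n != 2) ret = 1;
    /* 2: seen from fd_b, wanting WRITE is fine; refusing to share WRITE clashes */
    if (!ret && (check_conflicts(fd_b, PERM_WRITE, PERM_ALL) != 0 ||
                 check_conflicts(fd_b, PERM_READ, PERM_ALL & ~PERM_WRITE) != PERM_WRITE)) ret = 2;
    /* 3: dropping WRITE is one unlock, after which fd_b no longer sees it held */
    if (!ret) ret = apply_lock_bytes(fd_a, held, PERM_READ, PERM_ALL, true, &n);
    if (!ret && (n != 3 || byte_locked_elsewhere(fd_b, PERM_BASE + 1))) ret = 3;
    if (fd_b >= 0) close(fd_b);
    if (fd_a >= 0) close(fd_a);
    return ret;
}
```

`run_scenario()` is the entry point and returns 0 when all three observations hold. Step 2 is the probe a second QEMU instance makes before opening the image: whether anyone forbids sharing a permission it wants, and whether anyone holds a permission it wants exclusively; because F_OFD_GETLK never reports locks held by the querying description itself, the probe has to come from a separate open() of the file, which is also why copying locks to a new fd on reopen is necessary at all.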

[Qemu-devel] [PATCH v4 2/3] file-posix: Drop s->lock_fd

2018-08-20 Thread Fam Zheng
The lock_fd field is not strictly necessary because transferring locked
bytes from old fd to the new one shouldn't fail anyway. This spares the
user one fd per image.

Signed-off-by: Fam Zheng 
---
 block/file-posix.c | 37 +
 1 file changed, 13 insertions(+), 24 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index f062e477e9..26d4e487d2 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -142,7 +142,6 @@ do { \
 
 typedef struct BDRVRawState {
 int fd;
-int lock_fd;
 bool use_lock;
 int type;
 int open_flags;
@@ -153,7 +152,7 @@ typedef struct BDRVRawState {
 uint64_t shared_perm;
 
 /* The perms bits whose corresponding bytes are already locked in
- * s->lock_fd. */
+ * s->fd. */
 uint64_t locked_perm;
 uint64_t locked_shared_perm;
 
@@ -542,18 +541,6 @@ static int raw_open_common(BlockDriverState *bs, QDict 
*options,
 }
 s->fd = fd;
 
-s->lock_fd = -1;
-if (s->use_lock) {
-fd = qemu_open(filename, s->open_flags);
-if (fd < 0) {
-ret = -errno;
-error_setg_errno(errp, errno, "Could not open '%s' for locking",
- filename);
-qemu_close(s->fd);
-goto fail;
-}
-s->lock_fd = fd;
-}
 s->perm = 0;
 s->shared_perm = BLK_PERM_ALL;
 
@@ -818,15 +805,13 @@ static int raw_handle_perm_lock(BlockDriverState *bs,
 return 0;
 }
 
-assert(s->lock_fd > 0);
-
 switch (op) {
 case RAW_PL_PREPARE:
-ret = raw_apply_lock_bytes(s, s->lock_fd, s->perm | new_perm,
+ret = raw_apply_lock_bytes(s, s->fd, s->perm | new_perm,
~s->shared_perm | ~new_shared,
false, errp);
 if (!ret) {
-ret = raw_check_lock_bytes(s->lock_fd, new_perm, new_shared, errp);
+ret = raw_check_lock_bytes(s->fd, new_perm, new_shared, errp);
 if (!ret) {
 return 0;
 }
@@ -834,7 +819,7 @@ static int raw_handle_perm_lock(BlockDriverState *bs,
 op = RAW_PL_ABORT;
 /* fall through to unlock bytes. */
 case RAW_PL_ABORT:
-raw_apply_lock_bytes(s, s->lock_fd, s->perm, ~s->shared_perm,
+raw_apply_lock_bytes(s, s->fd, s->perm, ~s->shared_perm,
  true, _err);
 if (local_err) {
 /* Theoretically the above call only unlocks bytes and it cannot
@@ -844,7 +829,7 @@ static int raw_handle_perm_lock(BlockDriverState *bs,
 }
 break;
 case RAW_PL_COMMIT:
-raw_apply_lock_bytes(s, s->lock_fd, new_perm, ~new_shared,
+raw_apply_lock_bytes(s, s->fd, new_perm, ~new_shared,
  true, _err);
 if (local_err) {
 /* Theoretically the above call only unlocks bytes and it cannot
@@ -956,10 +941,18 @@ static void raw_reopen_commit(BDRVReopenState *state)
 {
 BDRVRawReopenState *rs = state->opaque;
 BDRVRawState *s = state->bs->opaque;
+Error *local_err = NULL;
 
 s->check_cache_dropped = rs->check_cache_dropped;
 s->open_flags = rs->open_flags;
 
+/* Copy locks to the new fd before closing the old one. */
+raw_apply_lock_bytes(NULL, rs->fd, s->locked_perm,
+ ~s->locked_shared_perm, false, _err);
+if (local_err) {
+/* shouldn't fail in a sane host, but report it just in case. */
+error_report_err(local_err);
+}
 qemu_close(s->fd);
 s->fd = rs->fd;
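Review bot: if the `raw_apply_lock_bytes(NULL, rs->fd, ...)` copy fails part-way, the error is only printed while s->locked_perm and s->locked_shared_perm still claim every byte is held on the new fd, so later RAW_PL_PREPARE calls skip re-locking bytes that are in fact free and another process can take them; and since `qemu_close(s->fd)` on the next line drops the old description, the original locks are gone for good. Either move the copy into raw_reopen_prepare, where a failure can still abort the reopen, or recompute the locked_* masks from what actually succeeded rather than inheriting them wholesale.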
 
@@ -1952,10 +1945,6 @@ static void raw_close(BlockDriverState *bs)
 qemu_close(s->fd);
 s->fd = -1;
 }
-if (s->lock_fd >= 0) {
-qemu_close(s->lock_fd);
-s->lock_fd = -1;
-}
 }
 
 /**
-- 
2.17.1




Re: [Qemu-devel] [PATCH 0/4] docker: Sort packages

2018-08-20 Thread Fam Zheng
On Fri, 08/17 22:53, Philippe Mathieu-Daudé wrote:
> Trivial cleanup patches.
> 
> Per the Docker recommendation, "this helps to avoid duplication of
> packages and make the list much easier to update. This also makes PRs
> a lot easier to read and review."
> 
> Regards,
> 
> Phil.
> 
> Philippe Mathieu-Daudé (4):
>   docker: Sort Fedora packages
>   docker: Sort Fedora packages (i386-cross)
>   docker: Sort Ubuntu packages
>   docker: Sort CentOS packages
> 
>  tests/docker/dockerfiles/centos7.docker   |   2 +-
>  .../dockerfiles/fedora-i386-cross.docker  |   9 +-
>  tests/docker/dockerfiles/fedora.docker| 102 ++
>  tests/docker/dockerfiles/ubuntu.docker|  61 +--
>  4 files changed, 141 insertions(+), 33 deletions(-)
> 
> -- 
> 2.18.0
> 

Queued, thanks.

Fam



Re: [Qemu-devel] [PATCH] docker: Clean dangling tarball files

2018-08-20 Thread Fam Zheng
On Sat, 08/18 00:03, Philippe Mathieu-Daudé wrote:
> When a container fails, it leaves a dangling tarball whose name is
> based on a timestamp. Further uses of make won't clean those files,
> nor does calling the 'docker-clean' target.
> 
> Use the .DELETE_ON_ERROR built-in target to let make remove those
> temporary tarballs in case of failure.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  tests/docker/Makefile.include | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
> index d3101afecd..6e03235ab9 100644
> --- a/tests/docker/Makefile.include
> +++ b/tests/docker/Makefile.include
> @@ -25,6 +25,7 @@ IMAGES ?= %
>  CUR_TIME := $(shell date +%Y-%m-%d-%H.%M.%S.)
>  DOCKER_SRC_COPY := $(BUILD_DIR)/docker-src.$(CUR_TIME)
>  
> +.DELETE_ON_ERROR: $(DOCKER_SRC_COPY)
>  $(DOCKER_SRC_COPY):
>   @mkdir $@
>   $(if $(SRC_ARCHIVE), \
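Review bot: .DELETE_ON_ERROR is a global special target in GNU make; once it is mentioned anywhere it applies to every rule in the build, and the prerequisite `$(DOCKER_SRC_COPY)` written after it is ignored rather than scoping the effect to this rule, so the line should either drop the prerequisite or carry a comment saying the behaviour is now makefile-wide. Also worth checking: make only deletes a failed target that is a regular file whose timestamp changed, and `$(DOCKER_SRC_COPY)` is a directory created by `@mkdir $@`, so the directory and the tarball inside it may well survive an error exactly as before; an explicit `rm -rf $@` on the recipe's failure path would be certain.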
> -- 
> 2.18.0
> 

Queued, thanks.

Fam



[Qemu-devel] [PATCH v4 3/3] tests: Add unit tests for image locking

2018-08-20 Thread Fam Zheng
Signed-off-by: Fam Zheng 
---
 tests/Makefile.include |   2 +
 tests/test-image-locking.c | 154 +
 2 files changed, 156 insertions(+)
 create mode 100644 tests/test-image-locking.c

diff --git a/tests/Makefile.include b/tests/Makefile.include
index 760a0f18b6..8cc0595b39 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -95,6 +95,7 @@ check-unit-y += tests/test-bdrv-drain$(EXESUF)
 check-unit-y += tests/test-blockjob$(EXESUF)
 check-unit-y += tests/test-blockjob-txn$(EXESUF)
 check-unit-y += tests/test-block-backend$(EXESUF)
+check-unit-y += tests/test-image-locking$(EXESUF)
 check-unit-y += tests/test-x86-cpuid$(EXESUF)
 # all code tested by test-x86-cpuid is inside topology.h
 gcov-files-test-x86-cpuid-y =
@@ -640,6 +641,7 @@ tests/test-bdrv-drain$(EXESUF): tests/test-bdrv-drain.o 
$(test-block-obj-y) $(te
 tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) 
$(test-util-obj-y)
 tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o 
$(test-block-obj-y) $(test-util-obj-y)
 tests/test-block-backend$(EXESUF): tests/test-block-backend.o 
$(test-block-obj-y) $(test-util-obj-y)
+tests/test-image-locking$(EXESUF): tests/test-image-locking.o 
$(test-block-obj-y) $(test-util-obj-y)
 tests/test-thread-pool$(EXESUF): tests/test-thread-pool.o $(test-block-obj-y)
 tests/test-iov$(EXESUF): tests/test-iov.o $(test-util-obj-y)
 tests/test-hbitmap$(EXESUF): tests/test-hbitmap.o $(test-util-obj-y) 
$(test-crypto-obj-y)
diff --git a/tests/test-image-locking.c b/tests/test-image-locking.c
new file mode 100644
index 00..ac1a5fd4ca
--- /dev/null
+++ b/tests/test-image-locking.c
@@ -0,0 +1,154 @@
+/*
+ * Image locking tests
+ *
+ * Copyright (c) 2018 Red Hat Inc.
+ *
+ * Author: Fam Zheng 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "block/block.h"
+#include "sysemu/block-backend.h"
+#include "qapi/error.h"
+#include "qapi/qmp/qdict.h"
+
+static BlockBackend *open_image(const char *path,
+uint64_t perm, uint64_t shared_perm,
+Error **errp)
+{
+Error *local_err = NULL;
+BlockBackend *blk;
+QDict *options = qdict_new();
+
+qdict_put_str(options, "driver", "raw");
+blk = blk_new_open(path, NULL, options, BDRV_O_RDWR, _err);
+if (blk) {
+g_assert_null(local_err);
+if (blk_set_perm(blk, perm, shared_perm, errp)) {
+blk_unref(blk);
+blk = NULL;
+}
+} else {
+error_propagate(errp, local_err);
+}
+return blk;
+}
+
+static void check_locked_bytes(int fd, uint64_t perm_locks,
+   uint64_t shared_perm_locks)
+{
+int i;
+
+if (!perm_locks && !shared_perm_locks) {
+g_assert(!qemu_lock_fd_test(fd, 0, 0, true));
+return;
+}
+for (i = 0; (1ULL << i) <= BLK_PERM_ALL; i++) {
+uint64_t bit = (1ULL << i);
+bool perm_expected = !!(bit & perm_locks);
+bool shared_perm_expected = !!(bit & shared_perm_locks);
+g_assert_cmpint(perm_expected, ==,
+!!qemu_lock_fd_test(fd, 100 + i, 1, true));
+g_assert_cmpint(shared_perm_expected, ==,
+!!qemu_lock_fd_test(fd, 200 + i, 1, true));
+}
+}
+
+static void test_image_locking_basic(void)
+{
+BlockBackend *blk1, *blk2, *blk3;
+char img_path[] = "/tmp/qtest.XX";
+uint64_t perm, shared_perm;
+
+int fd = mkstemp(img_path);
+assert(fd >= 0);
+
+perm = BLK_PERM_WRITE | BLK_PERM_CONSISTENT_READ;
+shared_perm = BLK_PERM_ALL;
+blk1 = open_image(img_path, perm, shared_perm, _abort);
+g_assert(blk1);
+
+check_locked_bytes(fd, perm, ~shared_perm);
+
+/* compatible perm between blk1 and blk2 */
+blk2 = open_image(img_path, perm | BLK_PERM_RESIZE, shared_perm, NULL);
+g_assert(blk2);
+
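Review bot: check_locked_bytes hard-codes the byte offsets `100 + i` and `200 + i`; file-posix.c names them RAW_LOCK_PERM_BASE and RAW_LOCK_SHARED_BASE (see patch 1/3), so if those constants ever move the test keeps passing while probing the wrong bytes. Either expose the two constants to the test or tie the literals to them in a comment. Minor: `assert(fd >= 0)` mixes plain assert with the g_assert family used elsewhere in the file, and `qemu_lock_fd_test(fd, 0, 0, true)` in the no-locks branch relies on a zero fcntl length meaning "to end of file", which deserves a comment.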

Re: [Qemu-devel] [PULL 0/7] Linux user for 3.1 patches

2018-08-20 Thread no-reply
Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20180820202604.14218-1-laur...@vivier.eu
Subject: [Qemu-devel] [PULL 0/7] Linux user for 3.1 patches

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
4526b6d422 linux-user: add QEMU_IFLA_INFO_KIND nested type for tun
3e38cd31f6 linux-user: update netlink route types
f497361d67 linux-user: introduce QEMU_RTA_* to use with rtattr_type_t
ccb71001f9 linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
7f1171c163 sh4: fix use_icount with linux-user
1b749aea90 linux-user: fix 32bit g2h()/h2g()
28fe264aa2 qemu-binfmt-conf.sh: add x86_64 target

=== OUTPUT BEGIN ===
Checking PATCH 1/7: qemu-binfmt-conf.sh: add x86_64 target...
WARNING: line over 80 characters
#29: FILE: scripts/qemu-binfmt-conf.sh:17:
+x86_64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'

ERROR: line over 90 characters
#30: FILE: scripts/qemu-binfmt-conf.sh:18:
+x86_64_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'

total: 1 errors, 1 warnings, 18 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Checking PATCH 2/7: linux-user: fix 32bit g2h()/h2g()...
Checking PATCH 3/7: sh4: fix use_icount with linux-user...
Checking PATCH 4/7: linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC...
Checking PATCH 5/7: linux-user: introduce QEMU_RTA_* to use with rtattr_type_t...
Checking PATCH 6/7: linux-user: update netlink route types...
Checking PATCH 7/7: linux-user: add QEMU_IFLA_INFO_KIND nested type for tun...
=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

Re: [Qemu-devel] [PATCH 2/7] jobs: canonize Error object

2018-08-20 Thread John Snow



On 08/17/2018 03:04 PM, John Snow wrote:
> +error_setg_errno(>err, -job->ret, "job failed");

Kevin specifically asked for me to change this, and I lost it in the
shuffle. I'll send a v3 now, since there are enough nits to warrant it,
and I think I want to adjust a few things to set up the "part II"
portion of this changeset a little more nicely.

--js



Re: [Qemu-devel] [PATCH v3 4/6] hw/riscv/virt: Connect a VGA PCIe device

2018-08-20 Thread Alistair Francis
On Thu, Aug 16, 2018 at 11:36 PM, Gerd Hoffmann  wrote:
>   Hi,
>
>> +pci_bus = PCI_HOST_BRIDGE(dev)->bus;
>> +
>> +pci_vga_init(pci_bus);
>
> I'd suggest to use "-device bochs-display" instead, unless you need all
> the legacy vga cruft (text mode, ...).  The bochs-drm kms driver can
> handle this one just fine too, it is much smaller (in terms of code
> lines and attack surface), and it has pcie support.

I gave this a quick try and the kernel didn't see the device with the
bochs-drm driver enabled.

I'll dig in a little more.

Alistair

>
> cheers,
>   Gerd
>



Re: [Qemu-devel] [PATCH v2 2/2] block: iotest to catch abort on forced blockjob cancel

2018-08-20 Thread John Snow



On 08/16/2018 02:46 PM, Jeff Cody wrote:
> Signed-off-by: Jeff Cody 
> ---
>  tests/qemu-iotests/229 | 95 ++
>  tests/qemu-iotests/229.out | 23 +
>  tests/qemu-iotests/group   |  1 +
>  3 files changed, 119 insertions(+)
>  create mode 100755 tests/qemu-iotests/229
>  create mode 100644 tests/qemu-iotests/229.out
> 
> diff --git a/tests/qemu-iotests/229 b/tests/qemu-iotests/229
> new file mode 100755
> index 00..2af04c8028
> --- /dev/null
> +++ b/tests/qemu-iotests/229
> @@ -0,0 +1,95 @@
> +#!/bin/bash
> +#
> +# Test for force canceling a running blockjob that is paused in
> +# an error state.
> +#
> +# Copyright (C) 2018 Red Hat, Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program.  If not, see .
> +#
> +
> +# creator
> +owner=jc...@redhat.com
> +
> +seq="$(basename $0)"
> +echo "QA output created by $seq"
> +
> +here="$PWD"
> +status=1 # failure is the default!
> +
> +_cleanup()
> +{
> +_cleanup_qemu
> +_cleanup_test_img
> +rm -f "$TEST_IMG" "$DEST_IMG"
> +}
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +# get standard environment, filters and checks
> +. ./common.rc
> +. ./common.filter
> +. ./common.qemu
> +
> +# Needs backing file and backing format support
> +_supported_fmt qcow2 qed
> +_supported_proto file
> +_supported_os Linux
> +
> +
> +DEST_IMG="$TEST_DIR/d.$IMGFMT"
> +TEST_IMG="$TEST_DIR/b.$IMGFMT"
> +
> +_make_test_img 2M
> +
> +# destination for mirror will be too small, causing error
> +TEST_IMG=$DEST_IMG _make_test_img 1M
> +
> +$QEMU_IO -c 'write 0 2M' "$TEST_IMG" | _filter_qemu_io
> +
> +_launch_qemu -drive id=testdisk,file="$TEST_IMG",format="$IMGFMT"
> +
> +_send_qemu_cmd $QEMU_HANDLE \
> +"{'execute': 'qmp_capabilities'}" \
> +'return'
> +
> +echo
> +echo '=== Starting drive-mirror, causing error & stop  ==='
> +echo
> +
> +_send_qemu_cmd $QEMU_HANDLE \
> +"{'execute': 'drive-mirror',
> + 'arguments': {'device': 'testdisk',
> +   'mode':   'absolute-paths',
> +   'format': 'qcow2',
> +   'target': '$DEST_IMG',
> +   'sync':   'full',
> +   'mode':   'existing',
> +   'on-source-error': 'stop',
> +   'on-target-error': 'stop' }}"\
> + "BLOCK_JOB_ERROR"
> +
> +echo
> +echo '=== Force cancel job paused in error state  ==='
> +echo
> +
> +success_or_failure="y" _send_qemu_cmd $QEMU_HANDLE \
> +"{'execute': 'block-job-cancel',
> + 'arguments': { 'device': 'testdisk',
> +'force': true}}" \
> + "BLOCK_JOB_CANCELLED" "Assertion"
> +
> +# success, all done
> +echo "*** done"
> +rm -f $seq.full
> +status=0
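Review bot: the drive-mirror arguments carry the 'mode' key twice ('absolute-paths' first, then 'existing'), so which value takes effect depends on how the QMP JSON parser treats duplicate keys; drop the first one so the intended 'existing' mode is unambiguous. In the same block the target 'format' is hard-coded to 'qcow2' while `_supported_fmt qcow2 qed` allows qed runs; use '$IMGFMT' there, as the image creation lines already do.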
> diff --git a/tests/qemu-iotests/229.out b/tests/qemu-iotests/229.out
> new file mode 100644
> index 00..d5dea5cdd2
> --- /dev/null
> +++ b/tests/qemu-iotests/229.out
> @@ -0,0 +1,23 @@
> +QA output created by 229
> +Formatting 'TEST_DIR/b.IMGFMT', fmt=IMGFMT size=2097152
> +Formatting 'TEST_DIR/d.IMGFMT', fmt=IMGFMT size=1048576
> +wrote 2097152/2097152 bytes at offset 0
> +2 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
> +{"return": {}}
> +
> +=== Starting drive-mirror, causing error & stop  ===
> +
> +{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": 
> "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "testdisk"}}
> +{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": 
> "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "testdisk"}}
> +{"return": {}}
> +{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": 
> "BLOCK_JOB_ERROR", "data": {"device": "testdisk", "operation": "write", 
> "action": "stop"}}
> +
> +=== Force cancel job paused in error state  ===
> +
> +{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": 
> "JOB_STATUS_CHANGE", "data": {"status": "paused", "id": "testdisk"}}

Is this a race? I imagine the job pauses itself as a result of the error
it just signaled, so the pause event generally occurs before we start
attempting to force cancel, and then:

> +{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": 
> "JOB_STATUS_CHANGE", "data": {"status": "running", "id": 

Re: [Qemu-devel] [PATCH 3/7] jobs: add exit shim

2018-08-20 Thread Eric Blake

On 08/17/2018 02:04 PM, John Snow wrote:

All jobs do the same thing when they leave their running loop:
- Store the return code in a structure
- wait to receive this structure in the main thread
- signal job completion via job_completed

Few jobs do anything beyond exactly this. Consolidate this exit
logic for a net reduction in SLOC.

More seriously, when we utilize job_defer_to_main_loop_bh to call
a function that calls job_completed, job_finalize_single will run
in a context where it has recursively taken the aio_context lock,
which can cause hangs if it puts down a reference that causes a flush.

You can observe this in practice by looking at mirror_exit's careful
placement of job_completed and bdrv_unref calls.

If we centralize job exiting, we can signal job completion from outside
of the aio_context, which should allow for job cleanup code to run with
only one lock, which makes cleanup callbacks less tricky to write.

Signed-off-by: John Snow 
---
  include/qemu/job.h |  7 +++
  job.c  | 19 +++
  2 files changed, 26 insertions(+)



Reviewed-by: Eric Blake 

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] Simulating a composite machine

2018-08-20 Thread Martin Schroeder via Qemu-devel
Is it that I need to add emulation for CP10 and CP11?
On Mon, Aug 20, 2018 at 8:29 PM Martin Schroeder
 wrote:
>
> Sent it off as reply instead of reply all.. my bad.
>
> I was also surprised that it was mid into an instruction. The code
> works fine on STM32 but if FPU is not enabled on the STM32 then I
> believe the code will fault in much the same way. I have had this
> problem before and it was also hard faulting inside libc snprintf. It
> has definitely something to do with FPU and snprintf faults when fpu
> is not enabled on F4. When FPU is enabled everything works. Why I
> don't know.
>
> It seems the HardFault is preceded by two UsageFaults:
> Taking exception 17 [v7M NOCP UsageFault]
> ...taking pending nonsecure exception 3
> Taking exception 17 [v7M NOCP UsageFault]
> qemu: fatal: Lockup: can't escalate 3 to HardFault (current priority -1)
>
> Ok so FPU support is not there. What would it take for me to add it? I
> would very much like to add it if I get some guidance as to what needs
> to be done and where I can find information on how to do it. I see
> there is some code in fpu/softfloat.c but I guess it is not enough?
> On Mon, Aug 20, 2018 at 8:12 PM Peter Maydell  
> wrote:
> >
> > On 20 August 2018 at 19:03, Martin Schroeder
> >  wrote:
> > > Peter, perhaps a slightly off-topic question,
> >
> > Could you keep traffic on the mailing lists, please? That
> > way everybody can read the answer and reply if they have a view.
> >
> > (I append the rest because I'd typed it all out before I noticed
> > that this was a private email.)
> >
> > > but how do I enable FPU
> > > support for armv7m M4 emulation? Is it supported? FPU instructions
> > > currently make the armv7m core go into hard fault on master.
> >
> > It's not supported, because FPU support requires changes to
> > the M profile exception handling (stacking FPU regs on exception
> > entry, handling the lazy-stacking feature, etc). This is on my
> > todo list, so there is a reasonable chance it'll get done either
> > for QEMU 3.1 or more likely for 3.2, if nobody else gets to it first.
> >
> > > If I disable FPU in firmware build and use -mfloat-abi=soft then I get
> > > a hard fault even sooner with following warning: "warning: TCG
> > > temporary leaks before 0805875a"
> >
> > The warning is harmless -- I think the only remaining
> > encodings that can cause it to be produced are all ones
> > where the instruction in question generates an exception
> > (it's caused because we generate a bit of code before
> > realising the insn is going to fault, and then the TCG
> > temp is not cleaned up by the per-insn translation code.
> > The temp is cleaned up at the end of the TB, so it's not
> > a permanent leak -- the warning is there because per-insn
> > leaks let the guest run us out of temps by having a TB with
> > a lot of the same insn in it.)
> >
> > > (gdb) disas 0x0805875a
> > > Dump of assembler code for function snprintf:
> > >0x08058750 <+0>: push{r2, r3}
> > >0x08058754 <+4>: push{r4, r5, r6, lr}
> > >0x08058758 <+8>: ldr r3, [pc, #136]  ; 0x80587e8 
> > >0x0805875c <+12>:subsr4, r1, #0
> > >0x08058760 <+16>:ldr r5, [r3]
> > >0x08058764 <+20>:movlt   r3, #139; 0x8b
> > >0x08058768 <+24>:sub sp, sp, #112; 0x70
> > >0x0805876c <+28>:strlt   r3, [r5]
> > >0x08058770 <+32>:mvnlt   r0, #0
> > >0x08058774 <+36>:blt 0x80587d8 
> > >0x08058778 <+40>:add r12, sp, #132   ; 0x84
> > >0x0805877c <+44>:mov r3, #520; 0x208
> > >0x08058780 <+48>:subne   lr, r4, #1
> > >0x08058784 <+52>:moveq   lr, r4
> > >0x08058788 <+56>:ldr r2, [sp, #128]  ; 0x80
> >
> > Not clear from that why you're getting a hard fault, but it
> > seems a bit suspicious that the quoted PC is midway through an
> > insn -- suggests that maybe the code being executed is not
> > what your disassembly says it is?
> >
> > You might find that the -d debug logs are helpful in indicating
> > what's happened.
> >
> > thanks
> > -- PMM



[Qemu-devel] [PATCH v2] ipmi: Use proper struct reference for BT vmstate

2018-08-20 Thread minyard
From: Corey Minyard 

The vmstate for isa_ipmi_bt was referencing into the bt structure,
instead create a bt structure separate and use that.

The version 1 of the BT transfer was fairly broken, if a migration
occurred during an IPMI operation, it is likely the migration would
be corrupted because I misunderstood the VMSTATE_VBUFFER_UINT32()
handling, I thought it handled transferring the length field,
too.  So I just remove support for that.  I doubt anyone is using
it at this point.

This also removes the transfer of use_irq, since that should come
from configuration.

Signed-off-by: Corey Minyard 
Reviewed-by: Dr. David Alan Gilbert 
---
 hw/ipmi/isa_ipmi_bt.c | 68 +--
 1 file changed, 55 insertions(+), 13 deletions(-)

This is a matching patch for the IPMI BT code that matches the previous
IPMI KCS change recently done.

diff --git a/hw/ipmi/isa_ipmi_bt.c b/hw/ipmi/isa_ipmi_bt.c
index e946030..8bbb1fa 100644
--- a/hw/ipmi/isa_ipmi_bt.c
+++ b/hw/ipmi/isa_ipmi_bt.c
@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "qapi/error.h"
 #include "hw/hw.h"
 #include "hw/ipmi/ipmi.h"
@@ -450,22 +451,63 @@ static void isa_ipmi_bt_realize(DeviceState *dev, Error 
**errp)
 isa_register_ioport(isadev, >bt.io, iib->bt.io_base);
 }
 
-static const VMStateDescription vmstate_ISAIPMIBTDevice = {
-.name = TYPE_IPMI_INTERFACE,
+static int ipmi_bt_vmstate_post_load(void *opaque, int version)
+{
+IPMIBT *ib = opaque;
+
+/* Make sure all the values are sane. */
+if (ib->outpos >= MAX_IPMI_MSG_SIZE || ib->outlen >= MAX_IPMI_MSG_SIZE ||
+ib->outpos >= ib->outlen) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "ipmi:bt: vmstate transfer received bad out values: %d 
%d\n",
+  ib->outpos, ib->outlen);
+ib->outpos = 0;
+ib->outlen = 0;
+}
+
+if (ib->inlen >= MAX_IPMI_MSG_SIZE) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "ipmi:bt: vmstate transfer received bad in value: %d\n",
+  ib->inlen);
+ib->inlen = 0;
+}
+
+return 0;
+}
+
+const VMStateDescription vmstate_IPMIBT = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "bt",
 .version_id = 1,
 .minimum_version_id = 1,
+.post_load = ipmi_bt_vmstate_post_load,
+.fields  = (VMStateField[]) {
+VMSTATE_BOOL(obf_irq_set, IPMIBT),
+VMSTATE_BOOL(atn_irq_set, IPMIBT),
+VMSTATE_BOOL(irqs_enabled, IPMIBT),
+VMSTATE_UINT32(outpos, IPMIBT),
+VMSTATE_UINT32(outlen, IPMIBT),
+VMSTATE_UINT8_ARRAY(outmsg, IPMIBT, MAX_IPMI_MSG_SIZE),
+VMSTATE_UINT32(inlen, IPMIBT),
+VMSTATE_UINT8_ARRAY(inmsg, IPMIBT, MAX_IPMI_MSG_SIZE),
+VMSTATE_UINT8(control_reg, IPMIBT),
+VMSTATE_UINT8(mask_reg, IPMIBT),
+VMSTATE_UINT8(waiting_rsp, IPMIBT),
+VMSTATE_UINT8(waiting_seq, IPMIBT),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const VMStateDescription vmstate_ISAIPMIBTDevice = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "isa-bt",
+.version_id = 2,
+.minimum_version_id = 2,
+/*
+ * Version 1 had messed up the array transfer, it's not even usable
+ * because it used VMSTATE_VBUFFER_UINT32, but it did not transfer
+ * the buffer length, so random things would happen.
+ */
 .fields  = (VMStateField[]) {
-VMSTATE_BOOL(bt.obf_irq_set, ISAIPMIBTDevice),
-VMSTATE_BOOL(bt.atn_irq_set, ISAIPMIBTDevice),
-VMSTATE_BOOL(bt.use_irq, ISAIPMIBTDevice),
-VMSTATE_BOOL(bt.irqs_enabled, ISAIPMIBTDevice),
-VMSTATE_UINT32(bt.outpos, ISAIPMIBTDevice),
-VMSTATE_VBUFFER_UINT32(bt.outmsg, ISAIPMIBTDevice, 1, NULL, bt.outlen),
-VMSTATE_VBUFFER_UINT32(bt.inmsg, ISAIPMIBTDevice, 1, NULL, bt.inlen),
-VMSTATE_UINT8(bt.control_reg, ISAIPMIBTDevice),
-VMSTATE_UINT8(bt.mask_reg, ISAIPMIBTDevice),
-VMSTATE_UINT8(bt.waiting_rsp, ISAIPMIBTDevice),
-VMSTATE_UINT8(bt.waiting_seq, ISAIPMIBTDevice),
+VMSTATE_STRUCT(bt, ISAIPMIBTDevice, 1, vmstate_IPMIBT, IPMIBT),
 VMSTATE_END_OF_LIST()
 }
 };
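Review bot: in ipmi_bt_vmstate_post_load the test `ib->outpos >= ib->outlen` is also true for the idle state outpos == outlen == 0, so every migration of a device with nothing queued logs a LOG_GUEST_ERROR "bad out values: 0 0" and needlessly resets the fields. Compare with `>` (or guard the check with `ib->outlen &&`) and keep the `>= MAX_IPMI_MSG_SIZE` checks unchanged, since those are what stop a corrupted stream from indexing past outmsg/inmsg.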
-- 
2.7.4




Re: [Qemu-devel] [PATCH] editorconfig: set emacs mode

2018-08-20 Thread Marc-André Lureau
Hi

On Mon, Aug 20, 2018 at 9:55 PM Eric Blake  wrote:
>
> On 08/20/2018 01:00 PM, Peter Maydell wrote:
> > On 20 August 2018 at 18:43, Marc-André Lureau
> >  wrote:
> >> Some time ago, I proposed to use an (eval) in .dir-locals.el to set
> >> the mode for all json files and Makefile. Unfortunately, this isn't
> >> safe, and emacs will prompt the user, which isn't very friendly.
> >>
> >> Fortunately, editorconfig provides a special config key which does
> >> allow to set the emacs mode. Set the emacs mode for JSON, GLSL and
> >> extra makefiles that are not yet covered. Drop modeline from JSON
> >> files.
> >
> > Does emacs apply info from the the editorconfig file by default, though?
>
> Per https://editorconfig.org/, no, you have to first install an emacs
> plugin to get editorconfig files to have any effect.  So this patch is a
> non-starter unless distros start patching emacs to install that plugin
> by default.

But .editorconfig is already present in qemu source tree. (and fwiw,
it's installed by default with some starter kits, like prelude).

What's the issue adding the emacs mode in the config file?

Let's keep the modeline in existing files if you prefer, but it's
still very limited (a majority of files are not covered). And I would
rather see it gone, than having editor-specific lines in our source
files.

thanks



[Qemu-devel] [PATCH v2 07/10] Don't delay host status register busy bit when interrupts are enabled

2018-08-20 Thread minyard
From: Corey Minyard 

Change 880b1ffe6ec2f0ae "smbus: do not immediately complete commands"
changed pm_smbus to delay setting the host busy bit until the status
register was read, to work around a bug in AMIBIOS.  Unfortunately,
when interrupts are enabled, the status register will never get read
and the processing will never happen.

Modify the code to only delay setting the host busy bit if interrupts
are not enabled.

Signed-off-by: Corey Minyard 
Cc: Hervé Poussineau 
Cc: Philippe Mathieu-Daudé 
---
 hw/i2c/pm_smbus.c | 19 +--
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 664a6b1..10ba208 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -80,9 +80,6 @@ static void smb_transaction(PMSMBus *s)
 I2CBus *bus = s->smbus;
 int ret;
 
-assert(s->smb_stat & STS_HOST_BUSY);
-s->smb_stat &= ~STS_HOST_BUSY;
-
 SMBUS_DPRINTF("SMBus trans addr=0x%02x prot=0x%02x\n", addr, prot);
 /* Transaction isn't exec if STS_DEV_ERR bit set */
 if ((s->smb_stat & STS_DEV_ERR) != 0)  {
@@ -209,9 +206,18 @@ error:
 
 static void smb_transaction_start(PMSMBus *s)
 {
-/* Do not execute immediately the command ; it will be
- * executed when guest will read SMB_STAT register */
-s->smb_stat |= STS_HOST_BUSY;
+if (s->smb_ctl & CTL_INTREN) {
+smb_transaction(s);
+} else {
+/* Do not execute immediately the command; it will be
+ * executed when guest will read SMB_STAT register.  This
+ * is to work around a bug in AMIBIOS (that is working
+ * around another bug in some specific hardware) where
+ * it waits for STS_HOST_BUSY to be set before waiting
+ * checking for status.  If STS_HOST_BUSY doesn't get
+ * set, it gets stuck. */
+s->smb_stat |= STS_HOST_BUSY;
+}
 }
 
 static bool
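Review bot: smb_transaction_start samples CTL_INTREN only when the transaction starts, so a transaction deferred while interrupts were disabled still waits for an SMB_STAT read if the guest enables CTL_INTREN afterwards, and the "never read" stall described in the commit message persists for that ordering; consider also running a pending STS_HOST_BUSY transaction when INTREN becomes set in the control register write path. Within this hunk, the comment's "before waiting checking for status" has a leftover word.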
@@ -330,6 +336,7 @@ static uint64_t smb_ioport_readb(void *opaque, hwaddr addr, 
unsigned width)
 val = s->smb_stat;
 if (s->smb_stat & STS_HOST_BUSY) {
 /* execute command now */
+s->smb_stat &= ~STS_HOST_BUSY;
 smb_transaction(s);
 }
 break;
-- 
2.7.4




[Qemu-devel] [PULL 4/7] linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC

2018-08-20 Thread Laurent Vivier
If recvmsg()/recvfrom() are used with the MSG_TRUNC flag, they return the
real length even if it was longer than the passed buffer.
So when we translate the buffer we must check we don't go beyond the
end of the buffer.

Bug: https://github.com/vivier/qemu-m68k/issues/33
Reported-by: John Paul Adrian Glaubitz 
Signed-off-by: Laurent Vivier 
Reviewed-by: Peter Maydell 
Message-Id: <20180820171557.7734-2-laur...@vivier.eu>
---
 linux-user/syscall.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1806b33b02..e66faf1c62 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3892,7 +3892,7 @@ static abi_long do_sendrecvmsg_locked(int fd, struct 
target_msghdr *msgp,
 len = ret;
 if (fd_trans_host_to_target_data(fd)) {
 ret = fd_trans_host_to_target_data(fd)(msg.msg_iov->iov_base,
-   len);
+   MIN(msg.msg_iov->iov_len, len));
 } else {
 ret = host_to_target_cmsg(msgp, );
 }
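Review bot: this hunk stores the translator's return value straight into `ret`, whereas the recvfrom hunk below keeps `ret` (the real length reported with MSG_TRUNC) and checks a separate `trans` for errors; please confirm the code following this hunk restores the saved `len` before returning to the guest, and consider the same `trans`/is_error pattern here for symmetry. Only msg_iov[0] is bounded and translated, which deserves a comment stating that assumption.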
@@ -4169,7 +4169,12 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, 
size_t len, int flags,
 }
 if (!is_error(ret)) {
 if (fd_trans_host_to_target_data(fd)) {
-ret = fd_trans_host_to_target_data(fd)(host_msg, ret);
+abi_long trans;
+trans = fd_trans_host_to_target_data(fd)(host_msg, MIN(ret, len));
+if (is_error(trans)) {
+ret = trans;
+goto fail;
+}
 }
 if (target_addr) {
 host_to_target_sockaddr(target_addr, addr, addrlen);
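Review bot: a one-line comment above the MIN() would help future readers: with MSG_TRUNC `ret` is the full datagram length while `len` is the size of host_msg, and the translator must not walk past host_msg; without it the MIN reads like an arbitrary clamp. Failing the syscall when the translation returns an error, instead of silently overwriting `ret`, is the right change.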
-- 
2.17.1
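The length mismatch the commit message describes, as an added example (not part of this patch or of QEMU): a constructed 64-byte datagram is received into a 16-byte buffer with MSG_TRUNC, recv() reports 64, and `bounded_translate_len` applies the same MIN() the fix uses so a translator never walks past the buffer. It assumes Linux MSG_TRUNC semantics on an AF_UNIX datagram socketpair; the function and struct names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* What one MSG_TRUNC receive looked like from the caller's side. */
struct trunc_result {
    ssize_t reported;  /* recv() return value: the full datagram length */
    size_t buffered;   /* bytes that actually landed in the caller's buffer */
    size_t safe_len;   /* MIN(reported, buffer size): the bound a translator must honour */
};

/* Mirrors the fix: the number of bytes a host-to-target translator may
 * touch is the smaller of the reported length and the buffer it was given. */
size_t bounded_translate_len(ssize_t ret, size_t buf_len)
{
    if (ret < 0) {
        return 0;  /* syscall error: nothing to translate */
    }
    return MIN((size_t)ret, buf_len);
}

/* Sends a constructed msg_len-byte datagram over an AF_UNIX socketpair and
 * receives it into a buf_len-byte buffer with MSG_TRUNC (Linux semantics
 * assumed). Returns 0 on success, -1 on syscall failure. */
int recv_truncated(size_t msg_len, size_t buf_len, struct trunc_result *out)
{
    char payload[256];
    char buf[256];
    int sv[2];
    ssize_t ret;
    size_t i;

    if (msg_len > sizeof(payload) || buf_len > sizeof(buf)) {
        return -1;
    }
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
        return -1;
    }
    memset(payload, 'A', msg_len);  /* constructed sample datagram */
    memset(buf, 0, sizeof(buf));    /* zeroed so we can count what arrived */

    if (send(sv[0], payload, msg_len, 0) != (ssize_t)msg_len) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    /* The kernel copies at most buf_len bytes but reports the real length. */
    ret = recv(sv[1], buf, buf_len, MSG_TRUNC);
    close(sv[0]);
    close(sv[1]);
    if (ret < 0) {
        return -1;
    }

    /* Count payload bytes that really reached buf: never more than buf_len. */
    for (i = 0; i < sizeof(buf) && buf[i] == 'A'; i++) {
    }
    out->reported = ret;
    out->buffered = i;
    out->safe_len = bounded_translate_len(ret, buf_len);
    return 0;
}

int main(void)
{
    struct trunc_result r;

    if (recv_truncated(64, 16, &r) < 0) {
        perror("recv_truncated");
        return 1;
    }
    printf("recv returned %zd, buffer holds %zu bytes, translator may touch %zu\n",
           r.reported, r.buffered, r.safe_len);
    return 0;
}
```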




[Qemu-devel] [PULL 5/7] linux-user: introduce QEMU_RTA_* to use with rtattr_type_t

2018-08-20 Thread Laurent Vivier
The following commit will introduce RTA_PREF, which appears only with
kernel v4.1. To avoid managing a specific case for it, this patch
introduces the full list of rtattr_type_t prefixed with QEMU_ (as we
did for IFLA values).

Signed-off-by: Laurent Vivier 
Reviewed-by: Peter Maydell 
Message-Id: <20180820171557.7734-3-laur...@vivier.eu>
[lv: added more RTA_* from linux v4.18]
---
 linux-user/syscall.c | 56 +++-
 1 file changed, 45 insertions(+), 11 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e66faf1c62..9effbb316a 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -539,6 +539,40 @@ enum {
 QEMU___IFLA_XDP_MAX,
 };
 
+enum {
+QEMU_RTA_UNSPEC,
+QEMU_RTA_DST,
+QEMU_RTA_SRC,
+QEMU_RTA_IIF,
+QEMU_RTA_OIF,
+QEMU_RTA_GATEWAY,
+QEMU_RTA_PRIORITY,
+QEMU_RTA_PREFSRC,
+QEMU_RTA_METRICS,
+QEMU_RTA_MULTIPATH,
+QEMU_RTA_PROTOINFO, /* no longer used */
+QEMU_RTA_FLOW,
+QEMU_RTA_CACHEINFO,
+QEMU_RTA_SESSION, /* no longer used */
+QEMU_RTA_MP_ALGO, /* no longer used */
+QEMU_RTA_TABLE,
+QEMU_RTA_MARK,
+QEMU_RTA_MFC_STATS,
+QEMU_RTA_VIA,
+QEMU_RTA_NEWDST,
+QEMU_RTA_PREF,
+QEMU_RTA_ENCAP_TYPE,
+QEMU_RTA_ENCAP,
+QEMU_RTA_EXPIRES,
+QEMU_RTA_PAD,
+QEMU_RTA_UID,
+QEMU_RTA_TTL_PROPAGATE,
+QEMU_RTA_IP_PROTO,
+QEMU_RTA_SPORT,
+QEMU_RTA_DPORT,
+QEMU___RTA_MAX
+};
+
 typedef abi_long (*TargetFdDataFunc)(void *, size_t);
 typedef abi_long (*TargetFdAddrFunc)(void *, abi_ulong, socklen_t);
 typedef struct TargetFdTrans {
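Review bot: the QEMU_RTA_* enumerators are used as the numeric wire values of rtattr_type_t, so their order must track the kernel's enum exactly, including the three "no longer used" placeholders; add a comment above the enum naming the kernel version the list was taken from (the changelog says v4.18) and stating that new entries must be appended in kernel order. A trailing comma after QEMU___RTA_MAX would also match the QEMU___IFLA_XDP_MAX enum just above.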
@@ -2661,14 +2695,14 @@ static abi_long host_to_target_data_route_rtattr(struct 
rtattr *rtattr)
 uint32_t *u32;
 switch (rtattr->rta_type) {
 /* binary: depends on family type */
-case RTA_GATEWAY:
-case RTA_DST:
-case RTA_PREFSRC:
+case QEMU_RTA_GATEWAY:
+case QEMU_RTA_DST:
+case QEMU_RTA_PREFSRC:
 break;
 /* u32 */
-case RTA_PRIORITY:
-case RTA_TABLE:
-case RTA_OIF:
+case QEMU_RTA_PRIORITY:
+case QEMU_RTA_TABLE:
+case QEMU_RTA_OIF:
 u32 = RTA_DATA(rtattr);
 *u32 = tswap32(*u32);
 break;
@@ -2808,13 +2842,13 @@ static abi_long target_to_host_data_route_rtattr(struct 
rtattr *rtattr)
 uint32_t *u32;
 switch (rtattr->rta_type) {
 /* binary: depends on family type */
-case RTA_DST:
-case RTA_SRC:
-case RTA_GATEWAY:
+case QEMU_RTA_DST:
+case QEMU_RTA_SRC:
+case QEMU_RTA_GATEWAY:
 break;
 /* u32 */
-case RTA_PRIORITY:
-case RTA_OIF:
+case QEMU_RTA_PRIORITY:
+case QEMU_RTA_OIF:
 u32 = RTA_DATA(rtattr);
 *u32 = tswap32(*u32);
 break;
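Review bot: the target_to_host switch handles QEMU_RTA_DST/SRC/GATEWAY and byte-swaps only PRIORITY/OIF, while the host_to_target side above also swaps QEMU_RTA_TABLE and passes QEMU_RTA_PREFSRC through; the asymmetry predates this rename but is now easy to see side by side, so either add the missing cases or leave a comment on why guest-originated routes never carry them.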
-- 
2.17.1




Re: [Qemu-devel] [PATCH 3/5] target/s390x: Convert to HAVE_CMPXCHG128 and HAVE_ATOMIC128

2018-08-20 Thread Richard Henderson
On 08/17/2018 10:03 AM, Emilio G. Cota wrote:
>> -if (((4 << fc) | (1 << sc)) & mask) {
>> +if ((HAVE_CMPXCHG128 ? 0 : fsize > max) ||
>> +(HAVE_ATOMIC128  ? 0 : ssize > max)) {
> I don't know what fsize/ssize are, so this is hard to review
> for me--just opened the PoO for the first time ever, and I'm
> even more confused :-)

I've renamed the variables to swap_size and store_size;
hopefully that makes this clearer.


r~



[Qemu-devel] [PULL 3/7] sh4: fix use_icount with linux-user

2018-08-20 Thread Laurent Vivier
This fixes java in a linux-user chroot:
  $ java --version
  qemu-sh4: .../accel/tcg/cpu-exec.c:634: cpu_loop_exec_tb: Assertion 
`use_icount' failed.
  qemu: uncaught target signal 6 (Aborted) - core dumped
  Aborted (core dumped)

In gen_conditional_jump() in the GUSA_EXCLUSIVE part, we must reset
base.is_jmp to DISAS_NEXT after the gen_goto_tb() as it is done in
gen_delayed_conditional_jump() after the gen_jump().

Bug: https://bugs.launchpad.net/qemu/+bug/1768246
Fixes: 4834871bc95b67343248100e2a75ae0d287bc08b
   ("target/sh4: Convert to DisasJumpType")
Reported-by: John Paul Adrian Glaubitz 
Signed-off-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Reviewed-by: Aurelien Jarno 
Message-Id: <20180811082328.11268-1-laur...@vivier.eu>
---
 target/sh4/translate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index 1b9a201d6d..ab254b0e8d 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -293,6 +293,7 @@ static void gen_conditional_jump(DisasContext *ctx, 
target_ulong dest,
disallow it in use_goto_tb, but it handles exit + singlestep.  */
 gen_goto_tb(ctx, 0, dest);
 gen_set_label(l1);
+ctx->base.is_jmp = DISAS_NEXT;
 return;
 }
 
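Review bot: a short comment on the new `ctx->base.is_jmp = DISAS_NEXT;` would save the next reader a trip to the changelog: gen_goto_tb marks the block as ended, but in the GUSA_EXCLUSIVE case translation continues at label l1, so the state has to be reset just as gen_delayed_conditional_jump does after gen_jump().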
-- 
2.17.1




[Qemu-devel] [PATCH v2 05/10] i2c:pm_smbus: Fix state transfer

2018-08-20 Thread minyard
From: Corey Minyard 

Transfer the state information for the SMBus registers and
internal data so it will work on a VM transfer.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
Cc: Dr. David Alan Gilbert 
---
 hw/acpi/piix4.c   |  3 ++-
 hw/i2c/pm_smbus.c | 20 
 hw/i2c/smbus_ich9.c   |  5 +++--
 include/hw/i2c/pm_smbus.h |  2 ++
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 6404af5..f8d8d2e 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -309,7 +309,7 @@ static const VMStateDescription vmstate_cpuhp_state = {
  */
 static const VMStateDescription vmstate_acpi = {
 .name = "piix4_pm",
-.version_id = 3,
+.version_id = 4,
 .minimum_version_id = 3,
 .minimum_version_id_old = 1,
 .load_state_old = acpi_load_old,
@@ -320,6 +320,7 @@ static const VMStateDescription vmstate_acpi = {
 VMSTATE_UINT16(ar.pm1.evt.en, PIIX4PMState),
 VMSTATE_UINT16(ar.pm1.cnt.cnt, PIIX4PMState),
 VMSTATE_STRUCT(apm, PIIX4PMState, 0, vmstate_apm, APMState),
+VMSTATE_STRUCT(smb, PIIX4PMState, 4, pmsmb_vmstate, PMSMBus),
 VMSTATE_TIMER_PTR(ar.tmr.timer, PIIX4PMState),
 VMSTATE_INT64(ar.tmr.overflow_time, PIIX4PMState),
 VMSTATE_STRUCT(ar.gpe, PIIX4PMState, 2, vmstate_gpe, ACPIGPE),
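Review bot: minimum_version_id stays at 3 while the new smb field is versioned 4, so a version-3 stream loads without any SMBus state and the device keeps its reset-time PMSMBus values; that is a reasonable compatibility choice, but it deserves a comment next to the VMSTATE_STRUCT line, since the version bump alone suggests the field is required.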
diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 32132be..9e11d47 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -383,6 +383,26 @@ static const MemoryRegionOps pm_smbus_ops = {
 .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
+const VMStateDescription pmsmb_vmstate = {
+.name = "pmsmb",
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_UINT8(smb_stat, PMSMBus),
+VMSTATE_UINT8(smb_ctl, PMSMBus),
+VMSTATE_UINT8(smb_cmd, PMSMBus),
+VMSTATE_UINT8(smb_addr, PMSMBus),
+VMSTATE_UINT8(smb_data0, PMSMBus),
+VMSTATE_UINT8(smb_data1, PMSMBus),
+VMSTATE_UINT32(smb_index, PMSMBus),
+VMSTATE_UINT8_ARRAY(smb_data, PMSMBus, PM_SMBUS_MAX_MSG_SIZE),
+VMSTATE_UINT8(smb_auxctl, PMSMBus),
+VMSTATE_BOOL(i2c_enable, PMSMBus),
+VMSTATE_BOOL(op_done, PMSMBus),
+VMSTATE_END_OF_LIST()
+}
+};
+
 void pm_smbus_init(DeviceState *parent, PMSMBus *smb)
 {
 smb->op_done = true;
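Review bot: smb_index arrives from the migration stream as an arbitrary uint32 and, if it is used to index smb_data (PM_SMBUS_MAX_MSG_SIZE bytes), a corrupted or hostile stream can set it out of range; add a post_load hook to pmsmb_vmstate that rejects or resets smb_index when it is not below PM_SMBUS_MAX_MSG_SIZE, in the same way the isa_ipmi_bt vmstate patch on the list validates outpos/outlen.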
diff --git a/hw/i2c/smbus_ich9.c b/hw/i2c/smbus_ich9.c
index a66a114..c8b8413 100644
--- a/hw/i2c/smbus_ich9.c
+++ b/hw/i2c/smbus_ich9.c
@@ -45,10 +45,11 @@ typedef struct ICH9SMBState {
 
 static const VMStateDescription vmstate_ich9_smbus = {
 .name = "ich9_smb",
-.version_id = 1,
+.version_id = 2,
 .minimum_version_id = 1,
 .fields = (VMStateField[]) {
-VMSTATE_PCI_DEVICE(dev, struct ICH9SMBState),
+VMSTATE_PCI_DEVICE(dev, ICH9SMBState),
+VMSTATE_STRUCT(smb, ICH9SMBState, 2, pmsmb_vmstate, PMSMBus),
 VMSTATE_END_OF_LIST()
 }
 };
diff --git a/include/hw/i2c/pm_smbus.h b/include/hw/i2c/pm_smbus.h
index 99d5489..b1e1970 100644
--- a/include/hw/i2c/pm_smbus.h
+++ b/include/hw/i2c/pm_smbus.h
@@ -33,4 +33,6 @@ typedef struct PMSMBus {
 
 void pm_smbus_init(DeviceState *parent, PMSMBus *smb);
 
+extern const VMStateDescription pmsmb_vmstate;
+
 #endif /* PM_SMBUS_H */
-- 
2.7.4




[Qemu-devel] [PULL 0/7] Linux user for 3.1 patches

2018-08-20 Thread Laurent Vivier
The following changes since commit 0abaa41d936becd914a16ee1fe2a981d96d19428:

  Merge remote-tracking branch 'remotes/ehabkost/tags/x86-next-pull-request' into staging (2018-08-17 09:46:00 +0100)

are available in the Git repository at:

  git://github.com/vivier/qemu.git tags/linux-user-for-3.1-pull-request

for you to fetch changes up to 70c61d4f78cc8475b597f1ef26faf232302b81d1:

  linux-user: add QEMU_IFLA_INFO_KIND nested type for tun (2018-08-20 22:07:40 +0200)


linux-user fixes:
- netlink fixes (add missing types, fix MSG_TRUNC)
- sh4 fix (tcg state)
- sparc32plus fix (truncate address space to 32bit)
- add x86_64 binfmt data



Laurent Vivier (7):
  qemu-binfmt-conf.sh: add x86_64 target
  linux-user: fix 32bit g2h()/h2g()
  sh4: fix use_icount with linux-user
  linux-user: fix recvmsg()/recvfrom() with netlink and MSG_TRUNC
  linux-user: introduce QEMU_RTA_* to use with rtattr_type_t
  linux-user: update netlink route types
  linux-user: add QEMU_IFLA_INFO_KIND nested type for tun

 include/exec/cpu_ldst.h   |  23 +++-
 include/exec/cpu_ldst_useronly_template.h |  12 +-
 linux-user/syscall.c  | 134 +++---
 scripts/qemu-binfmt-conf.sh   |   6 +-
 target/sh4/translate.c|   1 +
 5 files changed, 150 insertions(+), 26 deletions(-)

-- 
2.17.1




[Qemu-devel] [PATCH v2 03/10] i2c:pm_smbus: Make the I2C block read command read-only

2018-08-20 Thread minyard
From: Corey Minyard 

It did have write capability, but the manual says the behavior
with write enabled is undefined.  So just set an error in this
case.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/i2c/pm_smbus.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index f1fe889..dc61f2c 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -55,7 +55,7 @@
 #define PROT_WORD_DATA  3
 #define PROT_PROC_CALL  4
 #define PROT_BLOCK_DATA 5
-#define PROT_I2C_BLOCK_DATA 6
+#define PROT_I2C_BLOCK_READ 6
 
 /*#define DEBUG*/
 
@@ -115,7 +115,7 @@ static void smb_transaction(PMSMBus *s)
 goto done;
 }
 break;
-case PROT_I2C_BLOCK_DATA:
+case PROT_I2C_BLOCK_READ:
 if (read) {
 int xfersize = s->smb_data0;
 if (xfersize > sizeof(s->smb_data)) {
@@ -125,9 +125,8 @@ static void smb_transaction(PMSMBus *s)
xfersize, false, true);
 goto data8;
 } else {
-ret = smbus_write_block(bus, addr, cmd, s->smb_data, s->smb_data0,
-false);
-goto done;
+/* The manual says the behavior is undefined, just set DEV_ERR. */
+goto error;
 }
 break;
 default:
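Review bot: the `error` label this branch now jumps to is outside the hunk; please confirm that path sets DEV_ERR in `smb_stat` and still finishes the transaction the way `done` did (clears HOST_BUSY, leaves no partial state), since the write side no longer assigns `ret` at all. Turning a guest-selected operation whose behaviour the datasheet leaves undefined into a deterministic error is the right call; a one-line comment naming the manual section would help the next reader.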
-- 
2.7.4




Re: [Qemu-devel] Bugs when cross-compiling qemu for Windows with mingw 8.1, executable doesn't run

2018-08-20 Thread Howard Spoelstra
On Mon, Aug 20, 2018 at 9:47 PM, Stefan Weil  wrote:
> Am 20.08.2018 um 21:41 schrieb Stefan Weil:
>> That's a problem triggered by gcc 8 for Mingw-w64 with compiler options
>> -fstack-protector-all and -fstack-protector-strong. With any of those
>> options this simple test program also fails with SIGSEGV:
>>
>> #include <windows.h>
>> int main(void) {
>>   SYSTEM_INFO system_info;
>>   GetSystemInfo(&system_info);
>>   return system_info.dwPageSize;
>> }
>>
>> With configure option --disable-stack-protector, the resulting binary
>> should work.
>
>
> I could confirm that now. The following build works for me:
>
> ./configure --cross-prefix=x86_64-w64-mingw32- --enable-debug \
>   --disable-stack-protector --target-list=ppc-softmmu && make
>
> Stefan

Confirmed, adding --disable-stack-protector to configure results in a
working binary.

Great, thanks,
Howard



[Qemu-devel] [PULL 7/7] linux-user: add QEMU_IFLA_INFO_KIND nested type for tun

2018-08-20 Thread Laurent Vivier
Signed-off-by: Laurent Vivier 
Reviewed-by: Peter Maydell 
Message-Id: <20180820171557.7734-5-laur...@vivier.eu>
---
 linux-user/syscall.c | 48 
 1 file changed, 48 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index c0840107c9..202aa777ad 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -501,6 +501,20 @@ enum {
 QEMU___IFLA_BRPORT_MAX
 };
 
+enum {
+QEMU_IFLA_TUN_UNSPEC,
+QEMU_IFLA_TUN_OWNER,
+QEMU_IFLA_TUN_GROUP,
+QEMU_IFLA_TUN_TYPE,
+QEMU_IFLA_TUN_PI,
+QEMU_IFLA_TUN_VNET_HDR,
+QEMU_IFLA_TUN_PERSIST,
+QEMU_IFLA_TUN_MULTI_QUEUE,
+QEMU_IFLA_TUN_NUM_QUEUES,
+QEMU_IFLA_TUN_NUM_DISABLED_QUEUES,
+QEMU___IFLA_TUN_MAX,
+};
+
 enum {
 QEMU_IFLA_INFO_UNSPEC,
 QEMU_IFLA_INFO_KIND,
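Review bot: the QEMU_IFLA_TUN_* enumerators are compared against `nla_type` values produced by the host kernel, so their order has to mirror the kernel's IFLA_TUN_* enum exactly; a comment naming the header they were copied from (linux/if_link.h) and the kernel version would make future additions safer.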
@@ -2349,6 +2363,34 @@ static abi_long 
host_to_target_slave_data_bridge_nlattr(struct nlattr *nlattr,
 return 0;
 }
 
+static abi_long host_to_target_data_tun_nlattr(struct nlattr *nlattr,
+  void *context)
+{
+uint32_t *u32;
+
+switch (nlattr->nla_type) {
+/* uint8_t */
+case QEMU_IFLA_TUN_TYPE:
+case QEMU_IFLA_TUN_PI:
+case QEMU_IFLA_TUN_VNET_HDR:
+case QEMU_IFLA_TUN_PERSIST:
+case QEMU_IFLA_TUN_MULTI_QUEUE:
+break;
+/* uint32_t */
+case QEMU_IFLA_TUN_NUM_QUEUES:
+case QEMU_IFLA_TUN_NUM_DISABLED_QUEUES:
+case QEMU_IFLA_TUN_OWNER:
+case QEMU_IFLA_TUN_GROUP:
+u32 = NLA_DATA(nlattr);
+*u32 = tswap32(*u32);
+break;
+default:
+gemu_log("Unknown QEMU_IFLA_TUN type %d\n", nlattr->nla_type);
+break;
+}
+return 0;
+}
+
 struct linkinfo_context {
 int len;
 char *name;
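Review bot: in `host_to_target_data_tun_nlattr` the uint32_t cases do `*u32 = tswap32(*u32)` without checking that `nlattr->nla_len` actually covers four bytes of payload, so an attribute shorter than that would be read and rewritten past its end. Suggest a length guard before the swap (log and `break` when `nlattr->nla_len < NLA_HDRLEN + sizeof(uint32_t)`), mirroring what the `default` arm does for unknown types.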
@@ -2383,6 +2425,12 @@ static abi_long 
host_to_target_data_linkinfo_nlattr(struct nlattr *nlattr,
   nlattr->nla_len,
   NULL,
  
host_to_target_data_bridge_nlattr);
+} else if (strncmp(li_context->name, "tun",
+li_context->len) == 0) {
+return host_to_target_for_each_nlattr(NLA_DATA(nlattr),
+  nlattr->nla_len,
+  NULL,
+
host_to_target_data_tun_nlattr);
 } else {
 gemu_log("Unknown QEMU_IFLA_INFO_KIND %s\n", li_context->name);
 }
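Review bot: `strncmp(li_context->name, "tun", li_context->len) == 0` also succeeds when `name` is a proper prefix of "tun" (a kind string of "t" or "tu" with `len` 1 or 2), because the comparison stops after `len` characters. If `len` includes the terminating NUL this is harmless; otherwise also require `li_context->len == strlen("tun")` so only an exact kind name selects the tun attribute handler.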
-- 
2.17.1




[Qemu-devel] [PATCH v2 06/10] i2c:pm_smbus: Add interrupt handling

2018-08-20 Thread minyard
From: Corey Minyard 

Add the necessary code so that interrupts actually work from
the pm_smbus device.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/i2c/pm_smbus.c | 14 +-
 hw/i2c/smbus_ich9.c   | 19 ++-
 include/hw/i2c/pm_smbus.h |  2 ++
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 9e11d47..664a6b1 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -214,6 +214,12 @@ static void smb_transaction_start(PMSMBus *s)
 s->smb_stat |= STS_HOST_BUSY;
 }
 
+static bool
+smb_irq_value(PMSMBus *s)
+{
+return ((s->smb_stat & ~STS_HOST_BUSY) != 0) && (s->smb_ctl & CTL_INTREN);
+}
+
 static void smb_ioport_writeb(void *opaque, hwaddr addr, uint64_t val,
   unsigned width)
 {
@@ -309,7 +315,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, 
uint64_t val,
 }
 
  out:
-return;
+if (s->set_irq) {
+s->set_irq(s, smb_irq_value(s));
+}
 }
 
 static uint64_t smb_ioport_readb(void *opaque, hwaddr addr, unsigned width)
@@ -365,6 +373,10 @@ static uint64_t smb_ioport_readb(void *opaque, hwaddr 
addr, unsigned width)
 SMBUS_DPRINTF("SMB readb port=0x%04" HWADDR_PRIx " val=0x%02x\n",
   addr, val);
 
+if (s->set_irq) {
+s->set_irq(s, smb_irq_value(s));
+}
+
 return val;
 }
 
diff --git a/hw/i2c/smbus_ich9.c b/hw/i2c/smbus_ich9.c
index c8b8413..316c2a4 100644
--- a/hw/i2c/smbus_ich9.c
+++ b/hw/i2c/smbus_ich9.c
@@ -40,15 +40,18 @@
 typedef struct ICH9SMBState {
 PCIDevice dev;
 
+bool irq_enabled;
+
 PMSMBus smb;
 } ICH9SMBState;
 
 static const VMStateDescription vmstate_ich9_smbus = {
 .name = "ich9_smb",
-.version_id = 2,
+.version_id = 3,
 .minimum_version_id = 1,
 .fields = (VMStateField[]) {
 VMSTATE_PCI_DEVICE(dev, ICH9SMBState),
+VMSTATE_BOOL_V(irq_enabled, ICH9SMBState, 3),
 VMSTATE_STRUCT(smb, ICH9SMBState, 2, pmsmb_vmstate, PMSMBus),
 VMSTATE_END_OF_LIST()
 }
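Review bot: with `irq_enabled` added at version 3 while `minimum_version_id` stays 1, a stream from an older QEMU loads with `irq_enabled == false` regardless of the line level on the source, and `ich9_smb_set_irq` only calls `pci_set_irq` on a change. Consider a post_load that recomputes the level from `smb_stat`/`smb_ctl` (`smb_irq_value`) and calls `set_irq` unconditionally, so the destination cannot end up with a stuck or missed interrupt after migration.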
@@ -110,11 +113,25 @@ static void ich9_smb_class_init(ObjectClass *klass, void 
*data)
 dc->user_creatable = false;
 }
 
+static void ich9_smb_set_irq(PMSMBus *pmsmb, bool enabled)
+{
+ICH9SMBState *s = pmsmb->opaque;
+
+if (enabled == s->irq_enabled) {
+return;
+}
+
+s->irq_enabled = enabled;
+pci_set_irq(>dev, enabled);
+}
+
 I2CBus *ich9_smb_init(PCIBus *bus, int devfn, uint32_t smb_io_base)
 {
 PCIDevice *d =
 pci_create_simple_multifunction(bus, devfn, true, 
TYPE_ICH9_SMB_DEVICE);
 ICH9SMBState *s = ICH9_SMB_DEVICE(d);
+s->smb.set_irq = ich9_smb_set_irq;
+s->smb.opaque = s;
 return s->smb.smbus;
 }
 
diff --git a/include/hw/i2c/pm_smbus.h b/include/hw/i2c/pm_smbus.h
index b1e1970..cfe596f 100644
--- a/include/hw/i2c/pm_smbus.h
+++ b/include/hw/i2c/pm_smbus.h
@@ -23,6 +23,8 @@ typedef struct PMSMBus {
 
 /* Set by the user. */
 bool i2c_enable;
+void (*set_irq)(struct PMSMBus *s, bool enabled);
+void *opaque;
 
 /* Internally used by pm_smbus. */
 
-- 
2.7.4




[Qemu-devel] [PULL 2/7] linux-user: fix 32bit g2h()/h2g()

2018-08-20 Thread Laurent Vivier
sparc32plus has 64bit long type but only 32bit virtual address space.

For instance, "apt-get upgrade" failed because of a mmap()/msync()
sequence.

mmap() returned 0xff252000 but msync() used g2h(0xff252000)
to find the host address. The "(target_ulong)" in g2h() doesn't fix the
address because it is 64bit long.

This patch introduces an "abi_ptr" that is set to uint32_t
if the virtual address space is addressed using 32bit in the linux-user
case. It stays set to target_ulong with softmmu case.

Signed-off-by: Laurent Vivier 
Message-Id: <20180814171217.14680-1-laur...@vivier.eu>
Reviewed-by: Richard Henderson 
[lv: added "%" in TARGET_ABI_FMT_ptr "%"PRIx64]
---
 include/exec/cpu_ldst.h   | 23 ++-
 include/exec/cpu_ldst_useronly_template.h | 12 ++--
 linux-user/syscall.c  |  2 +-
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index 0f2cb717b1..41ed0526e2 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -48,8 +48,19 @@
 #define CPU_LDST_H
 
 #if defined(CONFIG_USER_ONLY)
+/* sparc32plus has 64bit long but 32bit space address
+ * this can make bad result with g2h() and h2g()
+ */
+#if TARGET_VIRT_ADDR_SPACE_BITS <= 32
+typedef uint32_t abi_ptr;
+#define TARGET_ABI_FMT_ptr "%x"
+#else
+typedef uint64_t abi_ptr;
+#define TARGET_ABI_FMT_ptr "%"PRIx64
+#endif
+
 /* All direct uses of g2h and h2g need to go away for usermode softmmu.  */
-#define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base))
+#define g2h(x) ((void *)((unsigned long)(abi_ptr)(x) + guest_base))
 
 #define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
 #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
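Review bot: the new comment reads awkwardly ("32bit space address", "can make bad result"); suggest `/* sparc32plus has a 64-bit long but only a 32-bit address space; casting through abi_ptr in g2h()/h2g() truncates to the guest address width. */`. For symmetry with the 64-bit branch, `TARGET_ABI_FMT_ptr` could be `"%" PRIx32` rather than `"%x"`.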
@@ -61,7 +72,7 @@ static inline int guest_range_valid(unsigned long start, 
unsigned long len)
 
 #define h2g_nocheck(x) ({ \
 unsigned long __ret = (unsigned long)(x) - guest_base; \
-(abi_ulong)__ret; \
+(abi_ptr)__ret; \
 })
 
 #define h2g(x) ({ \
@@ -69,7 +80,9 @@ static inline int guest_range_valid(unsigned long start, 
unsigned long len)
 assert(h2g_valid(x)); \
 h2g_nocheck(x); \
 })
-
+#else
+typedef target_ulong abi_ptr;
+#define TARGET_ABI_FMT_ptr TARGET_ABI_FMT_lx
 #endif
 
 #if defined(CONFIG_USER_ONLY)
@@ -397,7 +410,7 @@ extern __thread uintptr_t helper_retaddr;
  * This is the equivalent of the initial fast-path code used by
  * TCG backends for guest load and store accesses.
  */
-static inline void *tlb_vaddr_to_host(CPUArchState *env, target_ulong addr,
+static inline void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
   int access_type, int mmu_idx)
 {
 #if defined(CONFIG_USER_ONLY)
@@ -405,7 +418,7 @@ static inline void *tlb_vaddr_to_host(CPUArchState *env, 
target_ulong addr,
 #else
 int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
 CPUTLBEntry *tlbentry = >tlb_table[mmu_idx][index];
-target_ulong tlb_addr;
+abi_ptr tlb_addr;
 uintptr_t haddr;
 
 switch (access_type) {
diff --git a/include/exec/cpu_ldst_useronly_template.h 
b/include/exec/cpu_ldst_useronly_template.h
index e30e58ed4a..0fd6019af0 100644
--- a/include/exec/cpu_ldst_useronly_template.h
+++ b/include/exec/cpu_ldst_useronly_template.h
@@ -62,7 +62,7 @@
 #endif
 
 static inline RES_TYPE
-glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, target_ulong ptr)
+glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
 {
 #if !defined(CODE_ACCESS)
 trace_guest_mem_before_exec(
@@ -74,7 +74,7 @@ glue(glue(cpu_ld, USUFFIX), MEMSUFFIX)(CPUArchState *env, 
target_ulong ptr)
 
 static inline RES_TYPE
 glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
-  target_ulong ptr,
+  abi_ptr ptr,
   uintptr_t retaddr)
 {
 RES_TYPE ret;
@@ -86,7 +86,7 @@ glue(glue(glue(cpu_ld, USUFFIX), MEMSUFFIX), 
_ra)(CPUArchState *env,
 
 #if DATA_SIZE <= 2
 static inline int
-glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, target_ulong ptr)
+glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, abi_ptr ptr)
 {
 #if !defined(CODE_ACCESS)
 trace_guest_mem_before_exec(
@@ -98,7 +98,7 @@ glue(glue(cpu_lds, SUFFIX), MEMSUFFIX)(CPUArchState *env, 
target_ulong ptr)
 
 static inline int
 glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), _ra)(CPUArchState *env,
-  target_ulong ptr,
+  abi_ptr ptr,
   uintptr_t retaddr)
 {
 int ret;
@@ -111,7 +111,7 @@ glue(glue(glue(cpu_lds, SUFFIX), MEMSUFFIX), 
_ra)(CPUArchState *env,
 
 #ifndef CODE_ACCESS
 static inline void
-glue(glue(cpu_st, SUFFIX), MEMSUFFIX)(CPUArchState *env, target_ulong ptr,
+glue(glue(cpu_st, SUFFIX), 

[Qemu-devel] [PATCH v2 02/10] i2c:pm_smbus: Fix the semantics of block I2C transfers

2018-08-20 Thread minyard
From: Corey Minyard 

The I2C block transfer command was not implemented correctly; it
read a length byte and such like it was an smbus transfer.

So fix the smbus_read_block() and smbus_write_block() functions
so they can properly handle I2C transfers, and normal SMBus
transfers (for upcoming changes).  Pass in a transfer size and
a bool to know whether to use the size byte (like SMBus) or use
the length given (like I2C).

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/i2c/pm_smbus.c  | 10 --
 hw/i2c/smbus.c | 37 -
 include/hw/i2c/smbus.h | 17 +++--
 3 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 83c2377..f1fe889 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -117,10 +117,16 @@ static void smb_transaction(PMSMBus *s)
 break;
 case PROT_I2C_BLOCK_DATA:
 if (read) {
-ret = smbus_read_block(bus, addr, cmd, s->smb_data);
+int xfersize = s->smb_data0;
+if (xfersize > sizeof(s->smb_data)) {
+xfersize = sizeof(s->smb_data);
+}
+ret = smbus_read_block(bus, addr, s->smb_data1, s->smb_data,
+   xfersize, false, true);
 goto data8;
 } else {
-ret = smbus_write_block(bus, addr, cmd, s->smb_data, s->smb_data0);
+ret = smbus_write_block(bus, addr, cmd, s->smb_data, s->smb_data0,
+false);
 goto done;
 }
 break;
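Review bot: the read branch clamps `xfersize` to `sizeof(s->smb_data)`, but the write branch still hands the guest-written `s->smb_data0` straight to `smbus_write_block`, whose loop `for (i = 0; i < len; i++) i2c_send(bus, data[i]);` (see the smbus.c hunk below) reads past `s->smb_data` for any length larger than the buffer. Apply the same clamp here; patch 03/10 of this series turns this branch into an error, but the tree should be safe at every step of the series.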
diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c
index 587ce1a..6ff77c5 100644
--- a/hw/i2c/smbus.c
+++ b/hw/i2c/smbus.c
@@ -293,33 +293,42 @@ int smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t 
command, uint16_t data)
 return 0;
 }
 
-int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data)
+int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
+ int len, bool recv_len, bool send_cmd)
 {
-int len;
+int rlen;
 int i;
 
-if (i2c_start_transfer(bus, addr, 0)) {
-return -1;
+if (send_cmd) {
+if (i2c_start_transfer(bus, addr, 0)) {
+return -1;
+}
+i2c_send(bus, command);
 }
-i2c_send(bus, command);
 if (i2c_start_transfer(bus, addr, 1)) {
-i2c_end_transfer(bus);
+if (send_cmd) {
+i2c_end_transfer(bus);
+}
 return -1;
 }
-len = i2c_recv(bus);
-if (len > 32) {
-len = 0;
+if (recv_len) {
+rlen = i2c_recv(bus);
+} else {
+rlen = len;
 }
-for (i = 0; i < len; i++) {
+if (rlen > len) {
+rlen = 0;
+}
+for (i = 0; i < rlen; i++) {
 data[i] = i2c_recv(bus);
 }
 i2c_nack(bus);
 i2c_end_transfer(bus);
-return len;
+return rlen;
 }
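Review bot: when `recv_len` is set and the device's length byte exceeds `len`, `rlen` is forced to 0 and the function returns 0, which a caller cannot tell apart from a genuine empty block; returning -1 after the nack/end_transfer would let pm_smbus report an error instead of silently succeeding. The old hard limit of 32 is gone, so the header comment should also say that `len` is the caller's buffer size.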
 
 int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t 
*data,
-  int len)
+  int len, bool send_len)
 {
 int i;
 
@@ -330,7 +339,9 @@ int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t 
command, uint8_t *data,
 return -1;
 }
 i2c_send(bus, command);
-i2c_send(bus, len);
+if (send_len) {
+i2c_send(bus, len);
+}
 for (i = 0; i < len; i++) {
 i2c_send(bus, data[i]);
 }
diff --git a/include/hw/i2c/smbus.h b/include/hw/i2c/smbus.h
index 4fdba02..d8b1b9e 100644
--- a/include/hw/i2c/smbus.h
+++ b/include/hw/i2c/smbus.h
@@ -72,9 +72,22 @@ int smbus_read_byte(I2CBus *bus, uint8_t addr, uint8_t 
command);
 int smbus_write_byte(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t data);
 int smbus_read_word(I2CBus *bus, uint8_t addr, uint8_t command);
 int smbus_write_word(I2CBus *bus, uint8_t addr, uint8_t command, uint16_t 
data);
-int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t 
*data);
+
+/*
+ * Do a block transfer from an I2C device.  If recv_len is set, then the
+ * first received byte is a length field and is used to know how much data
+ * to receive.  Otherwise receive "len" bytes.  If send_cmd is set, send
+ * the command byte first before receiving the data.
+ */
+int smbus_read_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t *data,
+ int len, bool recv_len, bool send_cmd);
+
+/*
+ * Do a block transfer to an I2C device.  If send_len is set, send the
+ * "len" value before the data.
+ */
 int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t command, uint8_t 
*data,
-  int len);
+  int len, bool send_len);
 
 void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, uint8_t 
*eeprom_buf);
 void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
-- 
2.7.4




[Qemu-devel] [PULL 1/7] qemu-binfmt-conf.sh: add x86_64 target

2018-08-20 Thread Laurent Vivier
Signed-off-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Reviewed-by: Thomas Huth 
Message-Id: <20180801102944.23457-1-laur...@vivier.eu>
---
 scripts/qemu-binfmt-conf.sh | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index b0dc8a714a..b5a16742a1 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -4,7 +4,7 @@
 qemu_target_list="i386 i486 alpha arm armeb sparc32plus ppc ppc64 ppc64le m68k 
\
 mips mipsel mipsn32 mipsn32el mips64 mips64el \
 sh4 sh4eb s390x aarch64 aarch64_be hppa riscv32 riscv64 xtensa xtensaeb \
-microblaze microblazeel or1k"
+microblaze microblazeel or1k x86_64"
 
 
i386_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00'
 
i386_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
@@ -14,6 +14,10 @@ 
i486_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\
 
i486_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
 i486_family=i386
 
+x86_64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'
+x86_64_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
+x86_64_family=i386
+
 
alpha_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90'
 
alpha_mask='\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
 alpha_family=alpha
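Review bot: `x86_64_family=i386` groups the new target with the 32-bit x86 entries; if the family is what the script uses to avoid registering the host's own architecture, that is the intended effect, but a short comment saying so would stop someone "fixing" it later. The magic/mask pair is consistent with a 64-bit little-endian ELF with e_machine 0x3e.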
-- 
2.17.1




[Qemu-devel] [PULL 6/7] linux-user: update netlink route types

2018-08-20 Thread Laurent Vivier
Add RTA_PREF and RTA_CACHEINFO.

Fix following errors when we start gedit:

  Unknown host RTA type: 12
  Unknown host RTA type: 20

Signed-off-by: Laurent Vivier 
Reviewed-by: Peter Maydell 
Message-Id: <20180820171557.7734-4-laur...@vivier.eu>
---
 linux-user/syscall.c | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9effbb316a..c0840107c9 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2693,12 +2693,17 @@ static abi_long host_to_target_data_addr_rtattr(struct 
rtattr *rtattr)
 static abi_long host_to_target_data_route_rtattr(struct rtattr *rtattr)
 {
 uint32_t *u32;
+struct rta_cacheinfo *ci;
+
 switch (rtattr->rta_type) {
 /* binary: depends on family type */
 case QEMU_RTA_GATEWAY:
 case QEMU_RTA_DST:
 case QEMU_RTA_PREFSRC:
 break;
+/* u8 */
+case QEMU_RTA_PREF:
+break;
 /* u32 */
 case QEMU_RTA_PRIORITY:
 case QEMU_RTA_TABLE:
@@ -2706,6 +2711,20 @@ static abi_long host_to_target_data_route_rtattr(struct 
rtattr *rtattr)
 u32 = RTA_DATA(rtattr);
 *u32 = tswap32(*u32);
 break;
+/* struct rta_cacheinfo */
+case QEMU_RTA_CACHEINFO:
+ci = RTA_DATA(rtattr);
+ci->rta_clntref = tswap32(ci->rta_clntref);
+ci->rta_lastuse = tswap32(ci->rta_lastuse);
+ci->rta_expires = tswap32(ci->rta_expires);
+ci->rta_error = tswap32(ci->rta_error);
+ci->rta_used = tswap32(ci->rta_used);
+#if defined(RTNETLINK_HAVE_PEERINFO)
+ci->rta_id = tswap32(ci->rta_id);
+ci->rta_ts = tswap32(ci->rta_ts);
+ci->rta_tsage = tswap32(ci->rta_tsage);
+#endif
+break;
 default:
 gemu_log("Unknown host RTA type: %d\n", rtattr->rta_type);
 break;
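Review bot: `ci = RTA_DATA(rtattr)` is byte-swapped field by field without first checking that `RTA_PAYLOAD(rtattr) >= sizeof(struct rta_cacheinfo)`, so a short attribute would be rewritten past its end; suggest a length check before the swap (the u32 cases above carry the same exposure). A comment noting that `RTNETLINK_HAVE_PEERINFO` tracks the host header's layout of the struct would also help.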
-- 
2.17.1




[Qemu-devel] [PATCH v2 0/8] Make the pm_smbus code more correct

2018-08-20 Thread minyard
These changes make the pm_smbus device work more like the real thing,
adding block transfers, I2C block transfers, and interrupts.

It also adds vmstate transfer for the smbus device in patch 5.
That patch could probably be left out if that is not desirable.

Patch 7 works around a change made to work around an AMIBIOS bug and
is necessary for interrupts to work.

Patches 9 and 10 add vmstate transfer for SMBus EEPROMs, and obviously
require patch 5 to work properly.  These could also be left out.




[Qemu-devel] [PULL 4/7] hostmem-file: add the 'pmem' option

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

When QEMU emulates vNVDIMM labels and migrates vNVDIMM devices, it
needs to know whether the backend storage is a real persistent memory,
in order to decide whether special operations should be performed to
ensure the data persistence.

This boolean option 'pmem' allows users to specify whether the backend
storage of memory-backend-file is a real persistent memory. If
'pmem=on', QEMU will set the flag RAM_PMEM in the RAM block of the
corresponding memory region. If 'pmem' is set while libpmem support is
lacking, an error is generated.

Signed-off-by: Junyan He 
Signed-off-by: Haozhong Zhang 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Richard Henderson 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 docs/nvdimm.txt | 22 +
 include/exec/memory.h   |  4 
 include/exec/ram_addr.h |  3 +++
 backends/hostmem-file.c | 43 +++--
 exec.c  |  8 
 qemu-options.hx |  7 +++
 6 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/docs/nvdimm.txt b/docs/nvdimm.txt
index 24b443b655..5f158a6170 100644
--- a/docs/nvdimm.txt
+++ b/docs/nvdimm.txt
@@ -173,3 +173,25 @@ There are currently two valid values for this option:
  the NVDIMMs in the event of power loss.  This implies that the
  platform also supports flushing dirty data through the memory
  controller on power loss.
+
+If the vNVDIMM backend is in host persistent memory that can be accessed in
+SNIA NVM Programming Model [1] (e.g., Intel NVDIMM), it's suggested to set
+the 'pmem' option of memory-backend-file to 'on'. When 'pmem' is 'on' and QEMU
+is built with libpmem [2] support (configured with --enable-libpmem), QEMU
+will take necessary operations to guarantee the persistence of its own writes
+to the vNVDIMM backend(e.g., in vNVDIMM label emulation and live migration).
+If 'pmem' is 'on' while there is no libpmem support, qemu will exit and report
+a "lack of libpmem support" message to ensure the persistence is available.
+For example, if we want to ensure the persistence for some backend file,
+use the QEMU command line:
+
+-object memory-backend-file,id=nv_mem,mem-path=/XXX/yyy,size=4G,pmem=on
+
+References
+--
+
+[1] NVM Programming Model (NPM)
+   Version 1.2
+
https://www.snia.org/sites/default/files/technical_work/final/NVMProgrammingModel_v1.2.pdf
+[2] Persistent Memory Development Kit (PMDK), formerly known as NVML project, 
home page:
+http://pmem.io/pmdk/
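Review bot: minor wording in the new paragraph: "vNVDIMM backend(e.g., ..." needs a space before the parenthesis, "qemu will exit" should be "QEMU will exit" as elsewhere in this file, and "to ensure the persistence is available" reads better as "rather than run without persistence guarantees". Refusing to start, instead of silently degrading, is the right behaviour for a setting the user relies on for durability, so it is worth stating plainly.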
diff --git a/include/exec/memory.h b/include/exec/memory.h
index 30e7166dd1..cd62029a7d 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -123,6 +123,9 @@ typedef struct IOMMUNotifier IOMMUNotifier;
 /* RAM can be migrated */
 #define RAM_MIGRATABLE (1 << 4)
 
+/* RAM is a persistent kind memory */
+#define RAM_PMEM (1 << 5)
+
 static inline void iommu_notifier_init(IOMMUNotifier *n, IOMMUNotify fn,
IOMMUNotifierFlag flags,
hwaddr start, hwaddr end,
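Review bot: comment wording for the new flag: "RAM is a persistent kind memory" should read "RAM is backed by persistent memory".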
@@ -654,6 +657,7 @@ void memory_region_init_resizeable_ram(MemoryRegion *mr,
  * (getpagesize()) will be used.
  * @ram_flags: Memory region features:
  * - RAM_SHARED: memory must be mmaped with the MAP_SHARED flag
+ * - RAM_PMEM: the memory is persistent memory
  * Other bits are ignored now.
  * @path: the path in which to allocate the RAM.
  * @errp: pointer to Error*, to store an error if it happens.
diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h
index 8a4a9bc614..3abb639056 100644
--- a/include/exec/ram_addr.h
+++ b/include/exec/ram_addr.h
@@ -70,6 +70,8 @@ static inline unsigned long int 
ramblock_recv_bitmap_offset(void *host_addr,
 return host_addr_offset >> TARGET_PAGE_BITS;
 }
 
+bool ramblock_is_pmem(RAMBlock *rb);
+
 long qemu_getrampagesize(void);
 
 /**
@@ -83,6 +85,7 @@ long qemu_getrampagesize(void);
  *  @ram_flags: specify the properties of the ram block, which can be one
  *  or bit-or of following values
  *  - RAM_SHARED: mmap the backing file or device with MAP_SHARED
+ *  - RAM_PMEM: the backend @mem_path or @fd is persistent memory
  *  Other bits are ignored.
  *  @mem_path or @fd: specify the backing file or device
  *  @errp: pointer to Error*, to store an error if it happens
diff --git a/backends/hostmem-file.c b/backends/hostmem-file.c
index 34c68bb081..2476dcb435 100644
--- a/backends/hostmem-file.c
+++ b/backends/hostmem-file.c
@@ -12,6 +12,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu-common.h"
+#include "qemu/error-report.h"
 #include "sysemu/hostmem.h"
 #include "sysemu/sysemu.h"
 #include "qom/object_interfaces.h"
@@ -31,9 +32,10 @@ typedef struct HostMemoryBackendFile HostMemoryBackendFile;
 struct HostMemoryBackendFile {
 HostMemoryBackend 

[Qemu-devel] [PATCH v2 08/10] i2c:pm_smbus: Add the ability to force block transfer enable

2018-08-20 Thread minyard
From: Corey Minyard 

The PIIX4 hardware has the block transfer buffer always enabled in
the hardware, but the i801 does not.  Add a parameter to pm_smbus_init
to force on the block transfer so the PIIX4 handler can enable this
by default, as it was disabled by default before.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/acpi/piix4.c   | 2 +-
 hw/i2c/pm_smbus.c | 5 -
 hw/i2c/smbus_ich9.c   | 2 +-
 hw/isa/vt82c686.c | 2 +-
 include/hw/i2c/pm_smbus.h | 2 +-
 5 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index f8d8d2e..313305f 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -513,7 +513,7 @@ static void piix4_pm_realize(PCIDevice *dev, Error **errp)
 pci_conf[0x90] = s->smb_io_base | 1;
 pci_conf[0x91] = s->smb_io_base >> 8;
 pci_conf[0xd2] = 0x09;
-pm_smbus_init(DEVICE(dev), >smb);
+pm_smbus_init(DEVICE(dev), >smb, true);
 memory_region_set_enabled(>smb.io, pci_conf[0xd2] & 1);
 memory_region_add_subregion(pci_address_space_io(dev),
 s->smb_io_base, >smb.io);
diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 10ba208..4d021bb 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -422,11 +422,14 @@ const VMStateDescription pmsmb_vmstate = {
 }
 };
 
-void pm_smbus_init(DeviceState *parent, PMSMBus *smb)
+void pm_smbus_init(DeviceState *parent, PMSMBus *smb, bool force_aux_blk)
 {
 smb->op_done = true;
 smb->reset = pm_smbus_reset;
 smb->smbus = i2c_init_bus(parent, "i2c");
+if (force_aux_blk) {
+smb->smb_auxctl |= AUX_BLK;
+}
 memory_region_init_io(>io, OBJECT(parent), _smbus_ops, smb,
   "pm-smbus", 64);
 }
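Review bot: setting `smb_auxctl |= AUX_BLK` once in `pm_smbus_init` only holds until something clears it: `smb->reset = pm_smbus_reset` is assigned right above, and if that reset handler reinitialises `smb_auxctl` (not visible here) the forced bit is lost on the first reset; likewise if the guest can clear AUX_BLK through the aux control register, the "always enabled" PIIX4 behaviour is not actually enforced. Consider keeping `force_aux_blk` in PMSMBus and applying it in reset and in the auxctl write path.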
diff --git a/hw/i2c/smbus_ich9.c b/hw/i2c/smbus_ich9.c
index 316c2a4..5860fc9 100644
--- a/hw/i2c/smbus_ich9.c
+++ b/hw/i2c/smbus_ich9.c
@@ -88,7 +88,7 @@ static void ich9_smbus_realize(PCIDevice *d, Error **errp)
 pci_set_byte(d->config + ICH9_SMB_HOSTC, 0);
 /* TODO bar0, bar1: 64bit BAR support*/
 
-pm_smbus_init(>qdev, >smb);
+pm_smbus_init(>qdev, >smb, false);
 pci_register_bar(d, ICH9_SMB_SMB_BASE_BAR, PCI_BASE_ADDRESS_SPACE_IO,
  >smb.io);
 }
diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index cff1946..7302f6d 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -370,7 +370,7 @@ static void vt82c686b_pm_realize(PCIDevice *dev, Error 
**errp)
 pci_conf[0x90] = s->smb_io_base | 1;
 pci_conf[0x91] = s->smb_io_base >> 8;
 pci_conf[0xd2] = 0x90;
-pm_smbus_init(>dev.qdev, >smb);
+pm_smbus_init(>dev.qdev, >smb, false);
 memory_region_add_subregion(get_system_io(), s->smb_io_base, >smb.io);
 
 apm_init(dev, >apm, NULL, s);
diff --git a/include/hw/i2c/pm_smbus.h b/include/hw/i2c/pm_smbus.h
index cfe596f..471345e 100644
--- a/include/hw/i2c/pm_smbus.h
+++ b/include/hw/i2c/pm_smbus.h
@@ -33,7 +33,7 @@ typedef struct PMSMBus {
 bool op_done;
 } PMSMBus;
 
-void pm_smbus_init(DeviceState *parent, PMSMBus *smb);
+void pm_smbus_init(DeviceState *parent, PMSMBus *smb, bool force_aux_blk);
 
 extern const VMStateDescription pmsmb_vmstate;
 
-- 
2.7.4




[Qemu-devel] [PATCH v2 10/10] i2c: Add vmstate handling to the smbus eeprom

2018-08-20 Thread minyard
From: Corey Minyard 

Signed-off-by: Corey Minyard 
Cc: Paolo Bonzini 
Cc: "Michael S . Tsirkin" 
Cc: Dr. David Alan Gilbert 
---
 hw/i2c/smbus_eeprom.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
index f18aa3d..d4430b0 100644
--- a/hw/i2c/smbus_eeprom.c
+++ b/hw/i2c/smbus_eeprom.c
@@ -29,6 +29,8 @@
 
 //#define DEBUG
 
+#define TYPE_SMBUS_EEPROM_DEVICE "smbus-eeprom"
+
 typedef struct SMBusEEPROMDevice {
 SMBusDevice smbusdev;
 void *data;
@@ -97,6 +99,17 @@ static uint8_t eeprom_read_data(SMBusDevice *dev, uint8_t 
cmd, int n)
 return eeprom_receive_byte(dev);
 }
 
+static const VMStateDescription vmstate_smbus_eeprom = {
+.name = TYPE_SMBUS_EEPROM_DEVICE,
+.version_id = 1,
+.minimum_version_id = 1,
+.fields  = (VMStateField[]) {
+VMSTATE_SMBUS_DEVICE(smbusdev, SMBusEEPROMDevice),
+VMSTATE_UINT8(offset, SMBusEEPROMDevice),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static void smbus_eeprom_realize(DeviceState *dev, Error **errp)
 {
 SMBusEEPROMDevice *eeprom = (SMBusEEPROMDevice *)dev;
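Review bot: the new VMStateDescription migrates `offset` but not the EEPROM contents behind `void *data`; if the guest can write the EEPROM, those writes are lost across migration unless both sides share identical backing data, so either migrate the buffer (its size is known at realize) or document the assumption. Also `.fields  =` has a doubled space.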
@@ -121,12 +134,13 @@ static void smbus_eeprom_class_initfn(ObjectClass *klass, 
void *data)
 sc->write_data = eeprom_write_data;
 sc->read_data = eeprom_read_data;
 dc->props = smbus_eeprom_properties;
+dc->vmsd = _smbus_eeprom;
 /* Reason: pointer property "data" */
 dc->user_creatable = false;
 }
 
 static const TypeInfo smbus_eeprom_info = {
-.name  = "smbus-eeprom",
+.name  = TYPE_SMBUS_EEPROM_DEVICE,
 .parent= TYPE_SMBUS_DEVICE,
 .instance_size = sizeof(SMBusEEPROMDevice),
 .class_init= smbus_eeprom_class_initfn,
-- 
2.7.4




[Qemu-devel] [PULL 7/7] migration/ram: ensure write persistence on loading all data to PMEM.

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

Because we need to make sure the pmem kind memory data is synced
after migration, we choose to call pmem_persist() when the migration
finishes. This will make sure the data of pmem is safe and will not
be lost if power is off.

Signed-off-by: Junyan He 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/qemu/pmem.h | 6 ++
 migration/ram.c | 8 
 2 files changed, 14 insertions(+)

diff --git a/include/qemu/pmem.h b/include/qemu/pmem.h
index ebdb070210..dfb6d0da62 100644
--- a/include/qemu/pmem.h
+++ b/include/qemu/pmem.h
@@ -25,6 +25,12 @@ pmem_memcpy_persist(void *pmemdest, const void *src, size_t 
len)
 return NULL;
 }
 
+static inline void
+pmem_persist(const void *addr, size_t len)
+{
+g_assert_not_reached();
+}
+
 #endif /* CONFIG_LIBPMEM */
 
 #endif /* !QEMU_PMEM_H */
diff --git a/migration/ram.c b/migration/ram.c
index 5beefae7f5..fa79d0a5b9 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -33,6 +33,7 @@
 #include "qemu/bitops.h"
 #include "qemu/bitmap.h"
 #include "qemu/main-loop.h"
+#include "qemu/pmem.h"
 #include "xbzrle.h"
 #include "ram.h"
 #include "migration.h"
@@ -3547,6 +3548,13 @@ static int ram_load_setup(QEMUFile *f, void *opaque)
 static int ram_load_cleanup(void *opaque)
 {
 RAMBlock *rb;
+
+RAMBLOCK_FOREACH_MIGRATABLE(rb) {
+if (ramblock_is_pmem(rb)) {
+pmem_persist(rb->host, rb->used_length);
+}
+}
+
 xbzrle_load_cleanup();
 compress_threads_load_cleanup();
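Review bot: `pmem_persist` is called for every migratable block flagged pmem, and the `!CONFIG_LIBPMEM` stub added above is `g_assert_not_reached()`, so this path aborts QEMU if a pmem block ever exists in a build without libpmem. That is only safe because hostmem-file rejects `pmem=on` when libpmem is absent (PULL 4/7); a comment here, or a `ramblock_is_pmem()` that cannot return true in such builds, would make the invariant explicit.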
 
-- 
MST




[Qemu-devel] [PATCH v2 09/10] i2c: Add an SMBus vmstate structure

2018-08-20 Thread minyard
From: Corey Minyard 

Signed-off-by: Corey Minyard 
Cc: Paolo Bonzini 
Cc: "Michael S . Tsirkin" 
Cc: Dr. David Alan Gilbert 
---
 hw/i2c/smbus.c | 14 ++
 include/hw/i2c/smbus.h | 18 +++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/hw/i2c/smbus.c b/hw/i2c/smbus.c
index 6ff77c5..b0774d7 100644
--- a/hw/i2c/smbus.c
+++ b/hw/i2c/smbus.c
@@ -349,6 +349,20 @@ int smbus_write_block(I2CBus *bus, uint8_t addr, uint8_t 
command, uint8_t *data,
 return 0;
 }
 
+const VMStateDescription vmstate_smbus_device = {
+.name = TYPE_SMBUS_DEVICE,
+.version_id = 1,
+.minimum_version_id = 1,
+.fields  = (VMStateField[]) {
+VMSTATE_I2C_SLAVE(i2c, SMBusDevice),
+VMSTATE_INT32(mode, SMBusDevice),
+VMSTATE_INT32(data_len, SMBusDevice),
+VMSTATE_UINT8_ARRAY(data_buf, SMBusDevice, SMBUS_DATA_MAX_LEN),
+VMSTATE_UINT8(command, SMBusDevice),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static void smbus_device_class_init(ObjectClass *klass, void *data)
 {
 I2CSlaveClass *sc = I2C_SLAVE_CLASS(klass);
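Review bot: `data_len` is restored from the stream as an int32 and later used as an index into `data_buf[SMBUS_DATA_MAX_LEN]`, but nothing here validates it; a post_load that rejects values outside `0..SMBUS_DATA_MAX_LEN` (and `mode` outside its expected range) would keep a corrupt or hostile migration stream from driving out-of-bounds accesses. Changing `mode`/`data_len` to int32_t to match VMSTATE_INT32 is correct.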
diff --git a/include/hw/i2c/smbus.h b/include/hw/i2c/smbus.h
index d8b1b9e..7b52020 100644
--- a/include/hw/i2c/smbus.h
+++ b/include/hw/i2c/smbus.h
@@ -53,14 +53,16 @@ typedef struct SMBusDeviceClass
 uint8_t (*read_data)(SMBusDevice *dev, uint8_t cmd, int n);
 } SMBusDeviceClass;
 
+#define SMBUS_DATA_MAX_LEN 34  /* command + len + 32 bytes of data.  */
+
 struct SMBusDevice {
 /* The SMBus protocol is implemented on top of I2C.  */
 I2CSlave i2c;
 
 /* Remaining fields for internal use only.  */
-int mode;
-int data_len;
-uint8_t data_buf[34]; /* command + len + 32 bytes of data.  */
+int32_t mode;
+int32_t data_len;
+uint8_t data_buf[SMBUS_DATA_MAX_LEN];
 uint8_t command;
 };
 
@@ -93,4 +95,14 @@ void smbus_eeprom_init_one(I2CBus *smbus, uint8_t address, 
uint8_t *eeprom_buf);
 void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
const uint8_t *eeprom_spd, int size);
 
+extern const VMStateDescription vmstate_smbus_device;
+
+#define VMSTATE_SMBUS_DEVICE(_field, _state) {   \
+.name   = (stringify(_field)),   \
+.size   = sizeof(SMBusDevice),   \
+.vmsd   = _smbus_device, \
+.flags  = VMS_STRUCT,\
+.offset = vmstate_offset_value(_state, _field, SMBusDevice), \
+}
+
 #endif
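Review bot: the `.vmsd` initializer in VMSTATE_SMBUS_DEVICE reads `.vmsd = _smbus_device,` as rendered here, which names nothing declared in this header; the declaration two lines above is `vmstate_smbus_device`, so the intended value is presumably `&vmstate_smbus_device` (the archive seems to have dropped the text around the ampersand). Worth re-checking the line as applied, since a wrong symbol here is only caught at link time.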
-- 
2.7.4




[Qemu-devel] [PULL 2/7] memory, exec: switch file ram allocation functions to 'flags' parameters

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

As more flag parameters besides the existing 'share' are going to be
added to the following functions
memory_region_init_ram_from_file
qemu_ram_alloc_from_fd
qemu_ram_alloc_from_file
let's switch them to use the 'flags' parameters so as to ease future
flag additions.

The existing 'share' flag is converted to the RAM_SHARED bit in ram_flags,
and other flag bits are ignored by the above functions right now.

Signed-off-by: Junyan He 
Signed-off-by: Haozhong Zhang 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Richard Henderson 
---
 include/exec/memory.h   |  7 +--
 include/exec/ram_addr.h | 25 +++--
 backends/hostmem-file.c |  3 ++-
 exec.c  | 10 +-
 memory.c|  8 +---
 numa.c  |  2 +-
 6 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 6d0af29155..30e7166dd1 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -640,6 +640,7 @@ void memory_region_init_resizeable_ram(MemoryRegion *mr,
void *host),
Error **errp);
 #ifdef __linux__
+
 /**
  * memory_region_init_ram_from_file:  Initialize RAM memory region with a
  *mmap-ed backend.
@@ -651,7 +652,9 @@ void memory_region_init_resizeable_ram(MemoryRegion *mr,
  * @size: size of the region.
  * @align: alignment of the region base address; if 0, the default alignment
  * (getpagesize()) will be used.
- * @share: %true if memory must be mmaped with the MAP_SHARED flag
+ * @ram_flags: Memory region features:
+ * - RAM_SHARED: memory must be mmaped with the MAP_SHARED flag
+ * Other bits are ignored now.
  * @path: the path in which to allocate the RAM.
  * @errp: pointer to Error*, to store an error if it happens.
  *
@@ -663,7 +666,7 @@ void memory_region_init_ram_from_file(MemoryRegion *mr,
   const char *name,
   uint64_t size,
   uint64_t align,
-  bool share,
+  uint32_t ram_flags,
   const char *path,
   Error **errp);
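Review bot: because `bool` converts implicitly to `uint32_t`, any caller of memory_region_init_ram_from_file() that this series misses (one still passing `true` for the old `share` argument) keeps compiling but now sets bit 0, which is RAM_PREALLOC rather than RAM_SHARED. Please confirm every caller is converted in this same patch (the diffstat lists backends/hostmem-file.c, memory.c and numa.c), and consider replacing the documented "Other bits are ignored now" with an assertion that rejects bits other than RAM_SHARED, so a stale caller fails loudly instead of silently losing MAP_SHARED.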
 
diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h
index cf4ce06248..8a4a9bc614 100644
--- a/include/exec/ram_addr.h
+++ b/include/exec/ram_addr.h
@@ -71,12 +71,33 @@ static inline unsigned long int 
ramblock_recv_bitmap_offset(void *host_addr,
 }
 
 long qemu_getrampagesize(void);
+
+/**
+ * qemu_ram_alloc_from_file,
+ * qemu_ram_alloc_from_fd:  Allocate a ram block from the specified backing
+ *  file or device
+ *
+ * Parameters:
+ *  @size: the size in bytes of the ram block
+ *  @mr: the memory region where the ram block is
+ *  @ram_flags: specify the properties of the ram block, which can be one
+ *  or bit-or of following values
+ *  - RAM_SHARED: mmap the backing file or device with MAP_SHARED
+ *  Other bits are ignored.
+ *  @mem_path or @fd: specify the backing file or device
+ *  @errp: pointer to Error*, to store an error if it happens
+ *
+ * Return:
+ *  On success, return a pointer to the ram block.
+ *  On failure, return NULL.
+ */
 RAMBlock *qemu_ram_alloc_from_file(ram_addr_t size, MemoryRegion *mr,
-   bool share, const char *mem_path,
+   uint32_t ram_flags, const char *mem_path,
Error **errp);
 RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
- bool share, int fd,
+ uint32_t ram_flags, int fd,
  Error **errp);
+
 RAMBlock *qemu_ram_alloc_from_ptr(ram_addr_t size, void *host,
   MemoryRegion *mr, Error **errp);
 RAMBlock *qemu_ram_alloc(ram_addr_t size, bool share, MemoryRegion *mr,
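Review bot: qemu_ram_alloc() in the trailing context still takes `bool share` while its two file-backed siblings directly above now take `uint32_t ram_flags`; either convert it in the same series or state in the commit message why it is left out, since mixed signatures in one header invite exactly the bool-to-flags confusion the new parameter is meant to avoid. The new doc block also says the flags "can be one or bit-or of following values" but lists only RAM_SHARED; naming the other accepted bits as they are added will keep that comment accurate.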
diff --git a/backends/hostmem-file.c b/backends/hostmem-file.c
index 134b08d63a..34c68bb081 100644
--- a/backends/hostmem-file.c
+++ b/backends/hostmem-file.c
@@ -58,7 +58,8 @@ file_backend_memory_alloc(HostMemoryBackend *backend, Error 
**errp)
 path = object_get_canonical_path(OBJECT(backend));
 memory_region_init_ram_from_file(>mr, OBJECT(backend),
  path,
- backend->size, fb->align, backend->share,
+ backend->size, fb->align,
+ backend->share ? RAM_SHARED : 0,
  fb->mem_path, errp);
 g_free(path);
 }
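Review bot: the first argument to memory_region_init_ram_from_file() is rendered here as `>mr`, which is not valid C; the intended expression is presumably `&backend->mr` (the archive appears to have dropped the `&backend-` portion around the ampersand). Nothing else in the hunk changes that line, so this is only a rendering issue to be aware of when reading the patch from the list.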
diff --git a/exec.c b/exec.c
index cc042dcefd..3b8f91448d 100644
--- 

[Qemu-devel] [PATCH v2 01/10] i2c:pm_smbus: Clean up some style issues

2018-08-20 Thread minyard
From: Corey Minyard 

Fix some spacing issues, remove extraneous comments, add some
defines instead of hard-coding numbers.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/i2c/pm_smbus.c | 58 ---
 1 file changed, 38 insertions(+), 20 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index 0d26e0f..83c2377 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -22,8 +22,6 @@
 #include "hw/i2c/pm_smbus.h"
 #include "hw/i2c/smbus.h"
 
-/* no save/load? */
-
 #define SMBHSTSTS   0x00
 #define SMBHSTCNT   0x02
 #define SMBHSTCMD   0x03
@@ -32,19 +30,34 @@
 #define SMBHSTDAT1  0x06
 #define SMBBLKDAT   0x07
 
-#define STS_HOST_BUSY   (1)
-#define STS_INTR(1<<1)
-#define STS_DEV_ERR (1<<2)
-#define STS_BUS_ERR (1<<3)
-#define STS_FAILED  (1<<4)
-#define STS_SMBALERT(1<<5)
-#define STS_INUSE_STS   (1<<6)
-#define STS_BYTE_DONE   (1<<7)
+#define STS_HOST_BUSY   (1 << 0)
+#define STS_INTR(1 << 1)
+#define STS_DEV_ERR (1 << 2)
+#define STS_BUS_ERR (1 << 3)
+#define STS_FAILED  (1 << 4)
+#define STS_SMBALERT(1 << 5)
+#define STS_INUSE_STS   (1 << 6)
+#define STS_BYTE_DONE   (1 << 7)
 /* Signs of successfully transaction end :
 *  ByteDoneStatus = 1 (STS_BYTE_DONE) and INTR = 1 (STS_INTR )
 */
 
-//#define DEBUG
+#define CTL_INTREN  (1 << 0)
+#define CTL_KILL(1 << 1)
+#define CTL_LAST_BYTE   (1 << 5)
+#define CTL_START   (1 << 6)
+#define CTL_PEC_EN  (1 << 7)
+#define CTL_RETURN_MASK 0x1f
+
+#define PROT_QUICK  0
+#define PROT_BYTE   1
+#define PROT_BYTE_DATA  2
+#define PROT_WORD_DATA  3
+#define PROT_PROC_CALL  4
+#define PROT_BLOCK_DATA 5
+#define PROT_I2C_BLOCK_DATA 6
+
+/*#define DEBUG*/
 
 #ifdef DEBUG
 # define SMBUS_DPRINTF(format, ...) printf(format, ## __VA_ARGS__)
@@ -70,11 +83,12 @@ static void smb_transaction(PMSMBus *s)
 if ((s->smb_stat & STS_DEV_ERR) != 0)  {
 goto error;
 }
+
 switch(prot) {
-case 0x0:
+case PROT_QUICK:
 ret = smbus_quick_command(bus, addr, read);
 goto done;
-case 0x1:
+case PROT_BYTE:
 if (read) {
 ret = smbus_receive_byte(bus, addr);
 goto data8;
@@ -82,7 +96,7 @@ static void smb_transaction(PMSMBus *s)
 ret = smbus_send_byte(bus, addr, cmd);
 goto done;
 }
-case 0x2:
+case PROT_BYTE_DATA:
 if (read) {
 ret = smbus_read_byte(bus, addr, cmd);
 goto data8;
@@ -91,16 +105,17 @@ static void smb_transaction(PMSMBus *s)
 goto done;
 }
 break;
-case 0x3:
+case PROT_WORD_DATA:
 if (read) {
 ret = smbus_read_word(bus, addr, cmd);
 goto data16;
 } else {
-ret = smbus_write_word(bus, addr, cmd, (s->smb_data1 << 8) | 
s->smb_data0);
+ret = smbus_write_word(bus, addr, cmd,
+   (s->smb_data1 << 8) | s->smb_data0);
 goto done;
 }
 break;
-case 0x5:
+case PROT_I2C_BLOCK_DATA:
 if (read) {
 ret = smbus_read_block(bus, addr, cmd, s->smb_data);
 goto data8;
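Review bot: `case 0x5:` is replaced by `case PROT_I2C_BLOCK_DATA:`, but this same patch defines PROT_I2C_BLOCK_DATA as 6 and PROT_BLOCK_DATA as 5, so the block-read path now matches a different protocol value than before. In a patch described as a pure style cleanup the case label should be PROT_BLOCK_DATA (value 5) to preserve behaviour; if the change to 6 is deliberate, it belongs in a separate patch with a commit message that explains it.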
@@ -158,8 +173,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, 
uint64_t val,
 break;
 case SMBHSTCNT:
 s->smb_ctl = val;
-if (val & 0x40)
+if (s->smb_ctl & CTL_START) {
 smb_transaction_start(s);
+}
 break;
 case SMBHSTCMD:
 s->smb_cmd = val;
@@ -198,7 +214,7 @@ static uint64_t smb_ioport_readb(void *opaque, hwaddr addr, 
unsigned width)
 break;
 case SMBHSTCNT:
 s->smb_index = 0;
-val = s->smb_ctl & 0x1f;
+val = s->smb_ctl & CTL_RETURN_MASK;
 break;
 case SMBHSTCMD:
 val = s->smb_cmd;
@@ -221,7 +237,9 @@ static uint64_t smb_ioport_readb(void *opaque, hwaddr addr, 
unsigned width)
 val = 0;
 break;
 }
-SMBUS_DPRINTF("SMB readb port=0x%04" HWADDR_PRIx " val=0x%02x\n", addr, 
val);
+SMBUS_DPRINTF("SMB readb port=0x%04" HWADDR_PRIx " val=0x%02x\n",
+  addr, val);
+
 return val;
 }
 
-- 
2.7.4




[Qemu-devel] [PULL 6/7] migration/ram: Add check and info message to nvdimm post copy.

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

The nvdimm kind memory does not support post copy now.
We disable post copy if we have nvdimm memory and print some
log hint to user.

Signed-off-by: Junyan He 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 migration/ram.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/migration/ram.c b/migration/ram.c
index 24dea2730c..5beefae7f5 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -3906,6 +3906,15 @@ static int ram_load(QEMUFile *f, void *opaque, int 
version_id)
 
 static bool ram_has_postcopy(void *opaque)
 {
+RAMBlock *rb;
+RAMBLOCK_FOREACH_MIGRATABLE(rb) {
+if (ramblock_is_pmem(rb)) {
+info_report("Block: %s, host: %p is a nvdimm memory, postcopy"
+ "is not supported now!", rb->idstr, rb->host);
+return false;
+}
+}
+
 return migrate_postcopy_ram();
 }
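Review bot: the two string literals passed to info_report() are concatenated without a separating space, so the message prints as "postcopyis not supported now!"; add a trailing space to the first literal. Also, ram_has_postcopy() is a capability query that can be evaluated more than once and the message includes rb->host, a host virtual address; reporting once and without the pointer would keep the log useful and avoid writing host addresses into logs.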
 
-- 
MST




[Qemu-devel] [PULL 1/7] memory, exec: Expose all memory block related flags.

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

We need to use these flags in other files rather than just in exec.c.
For example, RAM_SHARED should be used when creating a ram block from a file.
We expose them in exec/memory.h

Signed-off-by: Junyan He 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Richard Henderson 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/exec/memory.h | 20 
 exec.c| 20 
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 448d41a752..6d0af29155 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -103,6 +103,26 @@ struct IOMMUNotifier {
 };
 typedef struct IOMMUNotifier IOMMUNotifier;
 
+/* RAM is pre-allocated and passed into qemu_ram_alloc_from_ptr */
+#define RAM_PREALLOC   (1 << 0)
+
+/* RAM is mmap-ed with MAP_SHARED */
+#define RAM_SHARED (1 << 1)
+
+/* Only a portion of RAM (used_length) is actually used, and migrated.
+ * This used_length size can change across reboots.
+ */
+#define RAM_RESIZEABLE (1 << 2)
+
+/* UFFDIO_ZEROPAGE is available on this RAMBlock to atomically
+ * zero the page and wake waiting processes.
+ * (Set during postcopy)
+ */
+#define RAM_UF_ZEROPAGE (1 << 3)
+
+/* RAM can be migrated */
+#define RAM_MIGRATABLE (1 << 4)
+
 static inline void iommu_notifier_init(IOMMUNotifier *n, IOMMUNotify fn,
IOMMUNotifierFlag flags,
hwaddr start, hwaddr end,
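Review bot: moving all five RAM_* bits into a public header makes RAM_PREALLOC, RAM_RESIZEABLE, RAM_UF_ZEROPAGE and RAM_MIGRATABLE visible to every caller, although only RAM_SHARED is meant to be passed in by users of the allocation functions and the others describe internal RAMBlock state (RAM_UF_ZEROPAGE is even set during postcopy). A one-line comment stating which bits callers may set, or grouping the internal ones separately, would prevent them being passed as "ram_flags" by mistake. In exec.c the defines sat inside a conditional block (the removal ends just before `#endif`), so also confirm nothing in user-mode builds defines conflicting names.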
diff --git a/exec.c b/exec.c
index 4f5df07b6a..cc042dcefd 100644
--- a/exec.c
+++ b/exec.c
@@ -87,26 +87,6 @@ AddressSpace address_space_memory;
 
 MemoryRegion io_mem_rom, io_mem_notdirty;
 static MemoryRegion io_mem_unassigned;
-
-/* RAM is pre-allocated and passed into qemu_ram_alloc_from_ptr */
-#define RAM_PREALLOC   (1 << 0)
-
-/* RAM is mmap-ed with MAP_SHARED */
-#define RAM_SHARED (1 << 1)
-
-/* Only a portion of RAM (used_length) is actually used, and migrated.
- * This used_length size can change across reboots.
- */
-#define RAM_RESIZEABLE (1 << 2)
-
-/* UFFDIO_ZEROPAGE is available on this RAMBlock to atomically
- * zero the page and wake waiting processes.
- * (Set during postcopy)
- */
-#define RAM_UF_ZEROPAGE (1 << 3)
-
-/* RAM can be migrated */
-#define RAM_MIGRATABLE (1 << 4)
 #endif
 
 #ifdef TARGET_PAGE_BITS_VARY
-- 
MST




[Qemu-devel] [PATCH v2 04/10] i2c:pm_smbus: Add block transfer capability

2018-08-20 Thread minyard
From: Corey Minyard 

There was no block transfer code in pm_smbus.c, and it is needed
for some devices.  So add it.

This adds both byte-by-byte block transfers and buffered block
transfers.

Signed-off-by: Corey Minyard 
Cc: Michael S. Tsirkin 
Cc: Paolo Bonzini 
---
 hw/i2c/pm_smbus.c | 151 ++
 hw/i2c/smbus_ich9.c   |   8 ++-
 include/hw/i2c/pm_smbus.h |  20 +-
 3 files changed, 164 insertions(+), 15 deletions(-)

diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c
index dc61f2c..32132be 100644
--- a/hw/i2c/pm_smbus.c
+++ b/hw/i2c/pm_smbus.c
@@ -29,6 +29,7 @@
 #define SMBHSTDAT0  0x05
 #define SMBHSTDAT1  0x06
 #define SMBBLKDAT   0x07
+#define SMBAUXCTL   0x0d
 
 #define STS_HOST_BUSY   (1 << 0)
 #define STS_INTR(1 << 1)
@@ -57,6 +58,10 @@
 #define PROT_BLOCK_DATA 5
 #define PROT_I2C_BLOCK_READ 6
 
+#define AUX_PEC   (1 << 0)
+#define AUX_BLK   (1 << 1)
+#define AUX_MASK  0x3
+
 /*#define DEBUG*/
 
 #ifdef DEBUG
@@ -129,6 +134,51 @@ static void smb_transaction(PMSMBus *s)
 goto error;
 }
 break;
+case PROT_BLOCK_DATA:
+if (read) {
+ret = smbus_read_block(bus, addr, cmd, s->smb_data,
+   sizeof(s->smb_data), !s->i2c_enable,
+   !s->i2c_enable);
+if (ret < 0) {
+goto error;
+}
+s->smb_index = 0;
+s->op_done = false;
+if (s->smb_auxctl & AUX_BLK) {
+s->smb_stat |= STS_INTR;
+} else {
+s->smb_blkdata = s->smb_data[0];
+s->smb_stat |= STS_HOST_BUSY | STS_BYTE_DONE;
+}
+s->smb_data0 = ret;
+goto out;
+} else {
+if (s->smb_auxctl & AUX_BLK) {
+if (s->smb_index != s->smb_data0) {
+s->smb_index = 0;
+goto error;
+}
+/* Data is already all written to the queue, just do
+   the operation. */
+s->smb_index = 0;
+ret = smbus_write_block(bus, addr, cmd, s->smb_data,
+s->smb_data0, !s->i2c_enable);
+if (ret < 0) {
+goto error;
+}
+s->op_done = true;
+s->smb_stat |= STS_INTR;
+s->smb_stat &= ~STS_HOST_BUSY;
+} else {
+s->op_done = false;
+s->smb_stat |= STS_HOST_BUSY | STS_BYTE_DONE;
+s->smb_data[0] = s->smb_blkdata;
+s->smb_index = 0;
+ret = 0;
+}
+goto out;
+}
+break;
 default:
 goto error;
 }
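Review bot: in the buffered (AUX_BLK) write branch, smbus_write_block() is passed s->smb_data0 as the length, but smb_data0 is a guest-written register and nothing here checks it against sizeof(s->smb_data) before the call, so a length above the buffer size makes smbus_write_block() read past smb_data; bound it the same way the read branch does by passing sizeof(s->smb_data). The same guest-controlled length is also what the `s->smb_index != s->smb_data0` check compares against, so the clamp should happen before that comparison.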
@@ -148,13 +198,13 @@ done:
 if (ret < 0) {
 goto error;
 }
-s->smb_stat |= STS_BYTE_DONE | STS_INTR;
+s->smb_stat |= STS_INTR;
+out:
 return;
 
 error:
 s->smb_stat |= STS_DEV_ERR;
 return;
-
 }
 
 static void smb_transaction_start(PMSMBus *s)
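Review bot: the shared `done:` path no longer sets STS_BYTE_DONE (only STS_INTR), which changes the status observed after every quick, byte, byte-data and word-data transaction, not just block transfers, yet the commit message only mentions adding block transfer capability; either state this behavioural change and why it is correct for the non-block protocols, or keep STS_BYTE_DONE for them and clear it only in the new block paths.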
@@ -173,14 +223,61 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, 
uint64_t val,
   " val=0x%02" PRIx64 "\n", addr, val);
 switch(addr) {
 case SMBHSTSTS:
-s->smb_stat = (~(val & 0xff)) & s->smb_stat;
-s->smb_index = 0;
+s->smb_stat &= ~(val & ~STS_HOST_BUSY);
+if (!s->op_done && !(s->smb_auxctl & AUX_BLK)) {
+uint8_t read = s->smb_addr & 0x01;
+
+s->smb_index++;
+if (!read && s->smb_index == s->smb_data0) {
+uint8_t prot = (s->smb_ctl >> 2) & 0x07;
+uint8_t cmd = s->smb_cmd;
+uint8_t addr = s->smb_addr >> 1;
+int ret;
+
+if (prot == PROT_I2C_BLOCK_READ) {
+s->smb_stat |= STS_DEV_ERR;
+goto out;
+}
+
+ret = smbus_write_block(s->smbus, addr, cmd, s->smb_data,
+s->smb_data0, !s->i2c_enable);
+if (ret < 0) {
+s->smb_stat |= STS_DEV_ERR;
+goto out;
+}
+s->op_done = true;
+s->smb_stat |= STS_INTR;
+s->smb_stat &= ~STS_HOST_BUSY;
+} else if (!read) {
+s->smb_data[s->smb_index] = s->smb_blkdata;
+s->smb_stat |= STS_BYTE_DONE;
+} else if (s->smb_ctl & CTL_LAST_BYTE) {
+s->op_done = true;
+s->smb_blkdata = s->smb_data[s->smb_index];
+s->smb_index = 0;
+s->smb_stat |= STS_INTR;
+s->smb_stat &= ~STS_HOST_BUSY;
+} else {
+s->smb_blkdata = s->smb_data[s->smb_index];
+s->smb_stat |= STS_BYTE_DONE;
+}
+}
 break;
 case SMBHSTCNT:
-

[Qemu-devel] [PULL 0/7] pc: fixes

2018-08-20 Thread Michael S. Tsirkin
The following changes since commit f7502360397d291be04bc040e9f96c92ff2d8030:

  Update version for v3.0.0-rc3 release (2018-07-31 19:30:17 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git tags/for_upstream

for you to fetch changes up to 56eb90af39abf66c0e80588a9f50c31e7df7320b:

  migration/ram: ensure write persistence on loading all data to PMEM. 
(2018-08-10 13:29:39 +0300)


pc: fixes

This includes nvdimm persistence fixes queued before the release.

Signed-off-by: Michael S. Tsirkin 


Junyan He (7):
  memory, exec: Expose all memory block related flags.
  memory, exec: switch file ram allocation functions to 'flags' parameters
  configure: add libpmem support
  hostmem-file: add the 'pmem' option
  mem/nvdimm: ensure write persistence to PMEM in label emulation
  migration/ram: Add check and info message to nvdimm post copy.
  migration/ram: ensure write persistence on loading all data to PMEM.

 docs/nvdimm.txt | 22 ++
 configure   | 29 +
 include/exec/memory.h   | 31 +--
 include/exec/ram_addr.h | 28 ++--
 include/qemu/pmem.h | 36 
 backends/hostmem-file.c | 44 ++--
 exec.c  | 38 +-
 hw/mem/nvdimm.c |  9 -
 memory.c|  8 +---
 migration/ram.c | 17 +
 numa.c  |  2 +-
 qemu-options.hx |  7 +++
 12 files changed, 235 insertions(+), 36 deletions(-)
 create mode 100644 include/qemu/pmem.h




[Qemu-devel] [PULL 5/7] mem/nvdimm: ensure write persistence to PMEM in label emulation

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

Guest writes to vNVDIMM labels are intercepted and performed on the
backend by QEMU. When the backend is a real persistent memory, QEMU
needs to take proper operations to ensure its write persistence on the
persistent memory. Otherwise, a host power failure may result in the
loss of guest label configurations.

Signed-off-by: Haozhong Zhang 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Richard Henderson 
---
 include/qemu/pmem.h | 30 ++
 hw/mem/nvdimm.c |  9 -
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 include/qemu/pmem.h

diff --git a/include/qemu/pmem.h b/include/qemu/pmem.h
new file mode 100644
index 00..ebdb070210
--- /dev/null
+++ b/include/qemu/pmem.h
@@ -0,0 +1,30 @@
+/*
+ * QEMU header file for libpmem.
+ *
+ * Copyright (c) 2018 Intel Corporation.
+ *
+ * Author: Haozhong Zhang 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef QEMU_PMEM_H
+#define QEMU_PMEM_H
+
+#ifdef CONFIG_LIBPMEM
+#include 
+#else  /* !CONFIG_LIBPMEM */
+
+static inline void *
+pmem_memcpy_persist(void *pmemdest, const void *src, size_t len)
+{
+/* If 'pmem' option is 'on', we should always have libpmem support,
+   or qemu will report a error and exit, never come here. */
+g_assert_not_reached();
+return NULL;
+}
+
+#endif /* CONFIG_LIBPMEM */
+
+#endif /* !QEMU_PMEM_H */
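Review bot: the !CONFIG_LIBPMEM stub uses g_assert_not_reached() and size_t without including anything, so the header only compiles when qemu/osdep.h has been included first; either include "qemu/osdep.h" here or document that dependency, as other qemu/*.h headers do. The stub's comment also reads "qemu will report a error and exit, never come here"; "report an error and exit, so this is never reached" is clearer. The `#include` line for libpmem is blank as rendered in the archive; it should name the libpmem header.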
diff --git a/hw/mem/nvdimm.c b/hw/mem/nvdimm.c
index 021d1c3997..1c6674c4ed 100644
--- a/hw/mem/nvdimm.c
+++ b/hw/mem/nvdimm.c
@@ -23,6 +23,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/pmem.h"
 #include "qapi/error.h"
 #include "qapi/visitor.h"
 #include "hw/mem/nvdimm.h"
@@ -164,11 +165,17 @@ static void nvdimm_write_label_data(NVDIMMDevice *nvdimm, 
const void *buf,
 {
 MemoryRegion *mr;
 PCDIMMDevice *dimm = PC_DIMM(nvdimm);
+bool is_pmem = object_property_get_bool(OBJECT(dimm->hostmem),
+"pmem", NULL);
 uint64_t backend_offset;
 
 nvdimm_validate_rw_label_data(nvdimm, size, offset);
 
-memcpy(nvdimm->label_data + offset, buf, size);
+if (!is_pmem) {
+memcpy(nvdimm->label_data + offset, buf, size);
+} else {
+pmem_memcpy_persist(nvdimm->label_data + offset, buf, size);
+}
 
 mr = host_memory_backend_get_memory(dimm->hostmem);
 backend_offset = memory_region_size(mr) - nvdimm->label_size + offset;
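Review bot: object_property_get_bool() is called with a NULL errp, so on a host memory backend that has no "pmem" property (any backend other than the file backend gaining the option in this series) the lookup fails silently and is_pmem becomes false, which then selects the plain memcpy path; that is the right fallback, but a short comment saying the NULL errp is intentional for non-file backends would save the next reader from treating it as an ignored error. The label write also relies on the property being queried on every call; caching the result at realize time would avoid repeated QOM lookups on the hot path.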
-- 
MST




[Qemu-devel] [PULL 3/7] configure: add libpmem support

2018-08-20 Thread Michael S. Tsirkin
From: Junyan He 

Add a pair of configure options --{enable,disable}-libpmem to control
whether QEMU is compiled with PMDK libpmem [1].

QEMU may write to the host persistent memory (e.g. in vNVDIMM label
emulation and live migration), so it must take the proper operations
to ensure the persistence of its own writes. Depending on the CPU
models and available instructions, the optimal operation can vary [2].
PMDK libpmem have already implemented those operations on multiple CPU
models (x86 and ARM) and the logic to select the optimal ones, so QEMU
can just use libpmem rather than re-implement them.

Libpmem is a part of the PMDK project (formerly known as NVML).
The project's home page is: http://pmem.io/pmdk/
And the project's repository is: https://github.com/pmem/pmdk/

For more information about libpmem APIs, you can refer to the comments
in source code of: pmdk/src/libpmem/pmem.c, begin at line 33.

Signed-off-by: Junyan He 
Signed-off-by: Haozhong Zhang 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Igor Mammedov 
Reviewed-by: Richard Henderson 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 configure | 29 +
 1 file changed, 29 insertions(+)

diff --git a/configure b/configure
index 2a7796ea80..1c9288b17b 100755
--- a/configure
+++ b/configure
@@ -475,6 +475,7 @@ vxhs=""
 libxml2=""
 docker="no"
 debug_mutex="no"
+libpmem=""
 
 # cross compilers defaults, can be overridden with --cross-cc-ARCH
 cross_cc_aarch64="aarch64-linux-gnu-gcc"
@@ -1435,6 +1436,10 @@ for opt do
   ;;
   --disable-debug-mutex) debug_mutex=no
   ;;
+  --enable-libpmem) libpmem=yes
+  ;;
+  --disable-libpmem) libpmem=no
+  ;;
   *)
   echo "ERROR: unknown option $opt"
   echo "Try '$0 --help' for more information"
@@ -1710,6 +1715,7 @@ disabled with --disable-FEATURE, default is enabled if 
available:
   vhost-user  vhost-user support
   capstonecapstone disassembler support
   debug-mutex mutex debugging support
+  libpmem libpmem support
 
 NOTE: The object files are built at the place where configure is launched
 EOF
@@ -5545,6 +5551,24 @@ if has "docker"; then
 docker=$($python $source_path/tests/docker/docker.py probe)
 fi
 
+##
+# check for libpmem
+
+if test "$libpmem" != "no"; then
+   if $pkg_config --exists "libpmem"; then
+   libpmem="yes"
+   libpmem_libs=$($pkg_config --libs libpmem)
+   libpmem_cflags=$($pkg_config --cflags libpmem)
+   libs_softmmu="$libs_softmmu $libpmem_libs"
+   QEMU_CFLAGS="$QEMU_CFLAGS $libpmem_cflags"
+   else
+   if test "$libpmem" = "yes" ; then
+   feature_not_found "libpmem" "Install nvml or pmdk"
+   fi
+   libpmem="no"
+   fi
+fi
+
 ##
 # End of CC checks
 # After here, no more $cc or $ld runs
@@ -6010,6 +6034,7 @@ echo "replication support $replication"
 echo "VxHS block device $vxhs"
 echo "capstone  $capstone"
 echo "docker$docker"
+echo "libpmem support   $libpmem"
 
 if test "$sdl_too_old" = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -6763,6 +6788,10 @@ if test "$vxhs" = "yes" ; then
   echo "VXHS_LIBS=$vxhs_libs" >> $config_host_mak
 fi
 
+if test "$libpmem" = "yes" ; then
+  echo "CONFIG_LIBPMEM=y" >> $config_host_mak
+fi
+
 if test "$tcg_interpreter" = "yes"; then
   QEMU_INCLUDES="-iquote \$(SRC_PATH)/tcg/tci $QEMU_INCLUDES"
 elif test "$ARCH" = "sparc64" ; then
-- 
MST



