[PATCH v20 5/5] target-arm: kvm64: handle SIGBUS signal from kernel or KVM

2019-10-25 Thread Xiang Zheng
From: Dongjiu Geng 

Add a SIGBUS signal handler. In this handler, it checks the SIGBUS type,
translates the host VA delivered by host to guest PA, then fills this PA
to guest APEI GHES memory, then notifies guest according to the SIGBUS
type.

When guest accesses the poisoned memory, it will generate a Synchronous
External Abort(SEA). Then host kernel gets an APEI notification and calls
memory_failure() to unmap the affected page in stage 2, finally
returns to guest.

Guest continues to access the PG_hwpoison page, it will trap to KVM as
stage2 fault, then a SIGBUS_MCEERR_AR synchronous signal is delivered to
Qemu, Qemu records this error address into guest APEI GHES memory and
notifies guest using Synchronous-External-Abort(SEA).

In order to inject a vSEA, we introduce the kvm_inject_arm_sea() function
in which we can setup the type of exception and the syndrome information.
When switching to guest, the target vcpu will jump to the synchronous
external abort vector table entry.

The ESR_ELx.DFSC is set to synchronous external abort(0x10), and the
ESR_ELx.FnV is set to not valid(0x1), which will tell guest that FAR is
not valid and hold an UNKNOWN value. These values will be set to KVM
register structures through KVM_SET_ONE_REG IOCTL.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 hw/acpi/acpi_ghes.c | 259 
 include/hw/acpi/acpi_ghes.h |  42 ++
 include/sysemu/kvm.h|   3 +-
 target/arm/cpu.h|   4 +
 target/arm/helper.c |   2 +-
 target/arm/internals.h  |   5 +-
 target/arm/kvm64.c  |  64 +
 target/arm/tlb_helper.c |   2 +-
 target/i386/cpu.h   |   2 +
 9 files changed, 377 insertions(+), 6 deletions(-)

diff --git a/hw/acpi/acpi_ghes.c b/hw/acpi/acpi_ghes.c
index 23f8a9928c..00e5410c37 100644
--- a/hw/acpi/acpi_ghes.c
+++ b/hw/acpi/acpi_ghes.c
@@ -27,6 +27,174 @@
 #include "sysemu/sysemu.h"
 #include "qemu/error-report.h"
 
+/*
+ * Total size for Generic Error Status Block
+ * ACPI 6.2: 18.3.2.7.1 Generic Error Data,
+ * Table 18-380 Generic Error Status Block
+ */
+#define ACPI_GHES_GESB_SIZE 20
+/* The offset of Data Length in Generic Error Status Block */
+#define ACPI_GHES_GESB_DATA_LENGTH_OFFSET   12
+
+/*
+ * Record the value of data length for each error status block to avoid getting
+ * this value from guest.
+ */
+static uint32_t acpi_ghes_data_length[ACPI_GHES_ERROR_SOURCE_COUNT];
+
+/*
+ * Generic Error Data Entry
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_data(GArray *table, QemuUUID section_type,
+uint32_t error_severity, uint16_t revision,
+uint8_t validation_bits, uint8_t flags,
+uint32_t error_data_length, QemuUUID fru_id,
+uint8_t *fru_text, uint64_t time_stamp)
+{
+QemuUUID uuid_le;
+
+/* Section Type */
+uuid_le = qemu_uuid_bswap(section_type);
+g_array_append_vals(table, uuid_le.data, ARRAY_SIZE(uuid_le.data));
+
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+/* Revision */
+build_append_int_noprefix(table, revision, 2);
+/* Validation Bits */
+build_append_int_noprefix(table, validation_bits, 1);
+/* Flags */
+build_append_int_noprefix(table, flags, 1);
+/* Error Data Length */
+build_append_int_noprefix(table, error_data_length, 4);
+
+/* FRU Id */
+uuid_le = qemu_uuid_bswap(fru_id);
+g_array_append_vals(table, uuid_le.data, ARRAY_SIZE(uuid_le.data));
+
+/* FRU Text */
+g_array_append_vals(table, fru_text, 20);
+/* Timestamp */
+build_append_int_noprefix(table, time_stamp, 8);
+}
+
+/*
+ * Generic Error Status Block
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_status(GArray *table, uint32_t 
block_status,
+uint32_t raw_data_offset, uint32_t raw_data_length,
+uint32_t data_length, uint32_t error_severity)
+{
+/* Block Status */
+build_append_int_noprefix(table, block_status, 4);
+/* Raw Data Offset */
+build_append_int_noprefix(table, raw_data_offset, 4);
+/* Raw Data Length */
+build_append_int_noprefix(table, raw_data_length, 4);
+/* Data Length */
+build_append_int_noprefix(table, data_length, 4);
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+}
+
+/* UEFI 2.6: N.2.5 Memory Error Section */
+static void acpi_ghes_build_append_mem_cper(GArray *table,
+uint64_t error_physical_addr)
+{
+/*
+ * Memory Error Record
+ */
+
+/* Validation Bits */
+build_append_int_noprefix(table,
+  (1UL << 14) | /* Type Valid */
+  (1UL << 1) /* Physical Address Valid */,
+  8);
+/* Error Status */
+build_append_int_noprefix(table, 0, 8);
+/* Physic
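Review bot: acpi_ghes_generic_error_data() copies a fixed 20 bytes from fru_text with `g_array_append_vals(table, fru_text, 20);`, with no length argument and no NULL check, so a caller that passes a shorter buffer makes this read past it. Give the 20 a named constant and either document that fru_text must point to at least that many bytes or zero-fill the field when the caller has no FRU text. The comments also cite ACPI 6.2 for the status block size and ACPI 6.1 for the two builder functions; citing one revision throughout would make the field layout easier to check.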

[PATCH v20 3/5] ACPI: Add APEI GHES table generation support

2019-10-25 Thread Xiang Zheng
From: Dongjiu Geng 

This patch implements APEI GHES Table generation via fw_cfg blobs. Now
it only supports ARMv8 SEA, a type of GHESv2 error source. Afterwards,
we can extend the supported types if needed. For the CPER section,
currently it is memory section because kernel mainly wants userspace to
handle the memory errors.

This patch follows the spec ACPI 6.2 to build the Hardware Error Source
table. For more detailed information, please refer to document:
docs/specs/acpi_hest_ghes.rst

Suggested-by: Laszlo Ersek 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 default-configs/arm-softmmu.mak |   1 +
 hw/acpi/Kconfig |   4 +
 hw/acpi/Makefile.objs   |   1 +
 hw/acpi/acpi_ghes.c | 217 
 hw/acpi/aml-build.c |   2 +
 hw/arm/virt-acpi-build.c|  12 ++
 include/hw/acpi/acpi_ghes.h | 106 
 include/hw/acpi/aml-build.h |   1 +
 8 files changed, 344 insertions(+)
 create mode 100644 hw/acpi/acpi_ghes.c
 create mode 100644 include/hw/acpi/acpi_ghes.h

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index 1f2e0e7fde..5722f3130e 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -40,3 +40,4 @@ CONFIG_FSL_IMX25=y
 CONFIG_FSL_IMX7=y
 CONFIG_FSL_IMX6UL=y
 CONFIG_SEMIHOSTING=y
+CONFIG_ACPI_APEI=y
diff --git a/hw/acpi/Kconfig b/hw/acpi/Kconfig
index 12e3f1e86e..ed8c34d238 100644
--- a/hw/acpi/Kconfig
+++ b/hw/acpi/Kconfig
@@ -23,6 +23,10 @@ config ACPI_NVDIMM
 bool
 depends on ACPI
 
+config ACPI_APEI
+bool
+depends on ACPI
+
 config ACPI_PCI
 bool
 depends on ACPI && PCI
diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
index 655a9c1973..84474b0ca8 100644
--- a/hw/acpi/Makefile.objs
+++ b/hw/acpi/Makefile.objs
@@ -5,6 +5,7 @@ common-obj-$(CONFIG_ACPI_CPU_HOTPLUG) += cpu_hotplug.o
 common-obj-$(CONFIG_ACPI_MEMORY_HOTPLUG) += memory_hotplug.o
 common-obj-$(CONFIG_ACPI_CPU_HOTPLUG) += cpu.o
 common-obj-$(CONFIG_ACPI_NVDIMM) += nvdimm.o
+common-obj-$(CONFIG_ACPI_APEI) += acpi_ghes.o
 common-obj-$(CONFIG_ACPI_VMGENID) += vmgenid.o
 common-obj-$(CONFIG_ACPI_HW_REDUCED) += generic_event_device.o
 common-obj-$(call lnot,$(CONFIG_ACPI_X86)) += acpi-stub.o
diff --git a/hw/acpi/acpi_ghes.c b/hw/acpi/acpi_ghes.c
new file mode 100644
index 00..23f8a9928c
--- /dev/null
+++ b/hw/acpi/acpi_ghes.c
@@ -0,0 +1,217 @@
+/*
+ * Support for generating APEI tables and recording CPER for Guests
+ *
+ * Copyright (c) 2019 HUAWEI TECHNOLOGIES CO., LTD.
+ *
+ * Author: Dongjiu Geng 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "hw/acpi/acpi.h"
+#include "hw/acpi/aml-build.h"
+#include "hw/acpi/acpi_ghes.h"
+#include "hw/nvram/fw_cfg.h"
+#include "sysemu/sysemu.h"
+#include "qemu/error-report.h"
+
+/*
+ * Hardware Error Notification
+ * ACPI 4.0: 17.3.2.7 Hardware Error Notification
+ */
+static void acpi_ghes_build_notify(GArray *table, const uint8_t type)
+{
+/* Type */
+build_append_int_noprefix(table, type, 1);
+/*
+ * Length:
+ * Total length of the structure in bytes
+ */
+build_append_int_noprefix(table, 28, 1);
+/* Configuration Write Enable */
+build_append_int_noprefix(table, 0, 2);
+/* Poll Interval */
+build_append_int_noprefix(table, 0, 4);
+/* Vector */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+}
+
+/* Build table for the hardware error fw_cfg blob */
+void acpi_ghes_build_error_table(GArray *hardware_errors, BIOSLinker *linker)
+{
+int i, error_status_block_offset;
+
+/*
+ * | +--+
+ * | |error_block_address   |
+ * | |  ..  |
+ * | +--+
+ * | |read_ack_register |
+ * | | ...  |
+ * | +--+
+ * | |  Error Status Data Block |
+ * | |  
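Review bot: in acpi_ghes_build_notify() the Length field is the bare literal 28 (`build_append_int_noprefix(table, 28, 1);`). It equals the sum of the widths appended in this function (1 + 1 + 2 + 6 * 4), so a named constant, or a comment saying that, would keep it from drifting if a field is added or resized. The license header at the top of the new file also has two lines that are only `+` inside the block comment, missing the leading ` *`.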

[PATCH v20 4/5] KVM: Move hwpoison page related functions into kvm-all.c

2019-10-25 Thread Xiang Zheng
From: Dongjiu Geng 

kvm_hwpoison_page_add() and kvm_unpoison_all() will both be used by X86
and ARM platforms, so moving them into "accel/kvm/kvm-all.c" to avoid
duplicate code.

For architectures that don't use the poison-list functionality the
reset handler will harmlessly do nothing, so let's register the
kvm_unpoison_all() function in the generic kvm_init() function.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 accel/kvm/kvm-all.c  | 36 
 include/sysemu/kvm_int.h | 12 
 target/i386/kvm.c| 36 
 3 files changed, 48 insertions(+), 36 deletions(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index d2d96d73e8..6af7ac7ef5 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -41,6 +41,7 @@
 #include "hw/irq.h"
 #include "sysemu/sev.h"
 #include "sysemu/balloon.h"
+#include "sysemu/reset.h"
 
 #include "hw/boards.h"
 
@@ -856,6 +857,39 @@ int kvm_vm_check_extension(KVMState *s, unsigned int 
extension)
 return ret;
 }
 
+typedef struct HWPoisonPage {
+ram_addr_t ram_addr;
+QLIST_ENTRY(HWPoisonPage) list;
+} HWPoisonPage;
+
+static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
+QLIST_HEAD_INITIALIZER(hwpoison_page_list);
+
+static void kvm_unpoison_all(void *param)
+{
+HWPoisonPage *page, *next_page;
+
+QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
+QLIST_REMOVE(page, list);
+qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
+g_free(page);
+}
+}
+
+void kvm_hwpoison_page_add(ram_addr_t ram_addr)
+{
+HWPoisonPage *page;
+
+QLIST_FOREACH(page, &hwpoison_page_list, list) {
+if (page->ram_addr == ram_addr) {
+return;
+}
+}
+page = g_new(HWPoisonPage, 1);
+page->ram_addr = ram_addr;
+QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
+}
+
 static uint32_t adjust_ioeventfd_endianness(uint32_t val, uint32_t size)
 {
 #if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
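Review bot: kvm_unpoison_all() remaps each entry with `qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);`, and now that this code is shared beyond x86 the length deserves a second look: is the target page size still the right granule when the host page is larger than the target page, or should this use the host page size? A short comment above the call stating the assumption would settle it for the next reader.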
@@ -2031,6 +2065,8 @@ static int kvm_init(MachineState *ms)
 goto err;
 }
 
+qemu_register_reset(kvm_unpoison_all, NULL);
+
 if (machine_kernel_irqchip_allowed(ms)) {
 kvm_irqchip_create(ms, s);
 }
diff --git a/include/sysemu/kvm_int.h b/include/sysemu/kvm_int.h
index ac2d1f8b56..c660a70c51 100644
--- a/include/sysemu/kvm_int.h
+++ b/include/sysemu/kvm_int.h
@@ -42,4 +42,16 @@ void kvm_memory_listener_register(KVMState *s, 
KVMMemoryListener *kml,
   AddressSpace *as, int as_id);
 
 void kvm_set_max_memslot_size(hwaddr max_slot_size);
+
+/**
+ * kvm_hwpoison_page_add:
+ *
+ * Parameters:
+ *  @ram_addr: the address in the RAM for the poisoned page
+ *
+ * Add a poisoned page to the list
+ *
+ * Return: None.
+ */
+void kvm_hwpoison_page_add(ram_addr_t ram_addr);
 #endif
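Review bot: the doc comment for kvm_hwpoison_page_add() should say that adding an address already on the list is a no-op and which lock or thread context the caller must hold, since the function loses its `static` here and the list it walks has no locking of its own in the moved code. `Return: None.` can be dropped for a void function.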
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 8c73438c67..6100135364 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -24,7 +24,6 @@
 #include "sysemu/sysemu.h"
 #include "sysemu/hw_accel.h"
 #include "sysemu/kvm_int.h"
-#include "sysemu/reset.h"
 #include "sysemu/runstate.h"
 #include "kvm_i386.h"
 #include "hyperv.h"
@@ -514,40 +513,6 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, 
uint32_t index)
 }
 }
 
-
-typedef struct HWPoisonPage {
-ram_addr_t ram_addr;
-QLIST_ENTRY(HWPoisonPage) list;
-} HWPoisonPage;
-
-static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
-QLIST_HEAD_INITIALIZER(hwpoison_page_list);
-
-static void kvm_unpoison_all(void *param)
-{
-HWPoisonPage *page, *next_page;
-
-QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
-QLIST_REMOVE(page, list);
-qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
-g_free(page);
-}
-}
-
-static void kvm_hwpoison_page_add(ram_addr_t ram_addr)
-{
-HWPoisonPage *page;
-
-QLIST_FOREACH(page, &hwpoison_page_list, list) {
-if (page->ram_addr == ram_addr) {
-return;
-}
-}
-page = g_new(HWPoisonPage, 1);
-page->ram_addr = ram_addr;
-QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
-}
-
 static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
  int *max_banks)
 {
@@ -2102,7 +2067,6 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 fprintf(stderr, "e820_add_entry() table is full\n");
 return ret;
 }
-qemu_register_reset(kvm_unpoison_all, NULL);
 
 shadow_mem = machine_kvm_shadow_mem(ms);
 if (shadow_mem != -1) {
-- 
2.19.1





[PATCH v20 1/5] hw/arm/virt: Introduce a RAS machine option

2019-10-25 Thread Xiang Zheng
From: Dongjiu Geng 

RAS Virtualization feature is not supported now, so add a RAS machine
option and disable it by default.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 hw/arm/virt.c | 23 +++
 include/hw/arm/virt.h |  1 +
 2 files changed, 24 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index d4bedc2607..ea0fbf82be 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1819,6 +1819,20 @@ static void virt_set_its(Object *obj, bool value, Error 
**errp)
 vms->its = value;
 }
 
+static bool virt_get_ras(Object *obj, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+return vms->ras;
+}
+
+static void virt_set_ras(Object *obj, bool value, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+vms->ras = value;
+}
+
 static char *virt_get_gic_version(Object *obj, Error **errp)
 {
 VirtMachineState *vms = VIRT_MACHINE(obj);
@@ -2122,6 +2136,15 @@ static void virt_instance_init(Object *obj)
 "Valid values are none and smmuv3",
 NULL);
 
+/* Default disallows RAS instantiation */
+vms->ras = false;
+object_property_add_bool(obj, "ras", virt_get_ras,
+ virt_set_ras, NULL);
+object_property_set_description(obj, "ras",
+"Set on/off to enable/disable "
+"RAS instantiation",
+NULL);
+
 vms->irqmap = a15irqmap;
 
 virt_flash_create(vms);
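Review bot: the property description "Set on/off to enable/disable RAS instantiation" does not say what RAS covers or what the guest sees when it is on; spell out the acronym and name the feature it gates. virt_set_ras() stores the value unconditionally and nothing else in this patch consumes `vms->ras`, so the commit message should say that the option has no effect until the later patches in the series.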
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 0b41083e9d..989785f2f7 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -122,6 +122,7 @@ typedef struct {
 bool highmem_ecam;
 bool its;
 bool virt;
+bool ras;
 int32_t gic_version;
 VirtIOMMUType iommu;
 struct arm_boot_info bootinfo;
-- 
2.19.1





[PATCH v20 2/5] docs: APEI GHES generation and CPER record description

2019-10-25 Thread Xiang Zheng
From: Dongjiu Geng 

Add APEI/GHES detailed design document

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 docs/specs/acpi_hest_ghes.rst | 95 +++
 docs/specs/index.rst  |  1 +
 2 files changed, 96 insertions(+)
 create mode 100644 docs/specs/acpi_hest_ghes.rst

diff --git a/docs/specs/acpi_hest_ghes.rst b/docs/specs/acpi_hest_ghes.rst
new file mode 100644
index 00..348825f9d3
--- /dev/null
+++ b/docs/specs/acpi_hest_ghes.rst
@@ -0,0 +1,95 @@
+APEI tables generating and CPER record
+==
+
+..
+   Copyright (c) 2019 HUAWEI TECHNOLOGIES CO., LTD.
+
+   This work is licensed under the terms of the GNU GPL, version 2 or later.
+   See the COPYING file in the top-level directory.
+
+Design Details
+--
+
+::
+
+ etc/acpi/tables etc/hardware_errors
+    
==
+  + +--++---+
+  | | HEST ||address|  
  +--+
+  | +--+|registers  |  
  | Error Status |
+  | | GHES1|| +-+  
  | Data Block 1 |
+  | +--+ +->| |error_block_address1 
|--->| ++
+  | | .| |  | +-+  
  | |  CPER  |
+  | | error_status_address-+-+ +--->| |error_block_address2 |+ 
  | |  CPER  |
+  | | .|   || +-+| 
  | |    |
+  | | read_ack_register+-+ || |..   || 
  | |  CPER  |
+  | | read_ack_preserve| | |+---+| 
  | ++
+  | | read_ack_write   | | | +->| |error_block_addressN |--+ | 
  | Error Status |
+  + +--+ | | |  | +-+  | | 
  | Data Block 2 |
+  | | GHES2| +-+-+->| |read_ack_register1   |  | 
+-->| ++
+  + +--+   | |  | +-+  |   
  | |  CPER  |
+  | | .|   | | +--->| |read_ack_register2   |  |   
  | |  CPER  |
+  | | error_status_address-+---+ | || +-+  |   
  | |    |
+  | | .| | || |  .  |  |   
  | |  CPER  |
+  | | read_ack_register+-+-+| +-+  |   
  +-++
+  | | read_ack_preserve| |   +->| |read_ack_registerN   |  |   
  | |..  |
+  | | read_ack_write   | |   |  | +-+  |   
  | ++
+  + +--| |   | |   
  | Error Status |
+  | | ...  | |   | |   
  | Data Block N |
+  + +--+ |   | 
+>| ++
+  | | GHESN| |   | 
  | |  CPER  |
+  + +--+ |   | 
  | |  CPER  |
+  | | .| |   | 
  | |    |
+  | | error_status_address-+-+   | 
  | |  CPER  |
+  | | .| | 
  +-++
+  | | read_ack_register+-+
+  | | read_ack_preserve|
+  | | read_ack_write   |
+  + +--+
+
+(1) QEMU generates the ACPI HEST table. This table goes in the current
+"etc/acpi/tables" fw_cfg blob. Each error source has different
+notification types.
+
+(2) A new fw_cfg blob called "etc/hardware_errors" is introduced. QEMU
+also needs to populate this blob. The "etc/hardware_errors" fw_cfg blob
+contains an address registers table and an Error Status Data Block table.
+
+(3) The address registers table contains N Error Block Address entries
+and N Read Ack Register entries. The size for each entry is 8-byte.
+The Error Status Data Block table contains N Error Status Data Block
+entries. The size for each entry is 4096(0x1000) bytes. The total size
+for the "etc/hardware_errors" fw_cfg blob is (N * 8 * 2 + N * 4096) bytes.
+N is the number of the kinds of hardware error sources.
+
+(4) QEMU generates the ACPI linker/loader script for the firmware. The
+firmware pre-allocates memory for "etc/acpi/tables", "etc/hardware_errors"
+and copies blob contents there.
+
+(5) QEMU generates N ADD_POINTER commands, which patch add
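Review bot: step (3) gives the sizes only as literals (8 bytes per entry, 4096 bytes per block) and does not say what QEMU does when a record would not fit in its block; point to the constants the code uses for these sizes and state the overflow behaviour. In the same step, "The size for each entry is 8-byte" should read "8 bytes", and "N is the number of the kinds of hardware error sources" is hard to parse.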

[PATCH v20 0/5] Add ARMv8 RAS virtualization support in QEMU

2019-10-25 Thread Xiang Zheng
In the ARMv8 platform, the CPU error types are synchronous external abort(SEA)
and SError Interrupt (SEI). If exception happens in guest, sometimes it's better
for guest to perform the recovery, because host does not know the detailed
information of guest. For example, if an exception happens in a user-space
application within guest, host does not know which application encounters
errors.

For the ARMv8 SEA/SEI, KVM or host kernel delivers SIGBUS to notify userspace.
After user space gets the notification, it will record the CPER into guest GHES
buffer and inject an exception or IRQ into guest.

In the current implementation, if the type of SIGBUS is BUS_MCEERR_AR, we will
treat it as a synchronous exception, and notify guest with ARMv8 SEA
notification type after recording CPER into guest.

This series of patches are based on Qemu 4.1, which include two parts:
1. Generate APEI/GHES table.
2. Handle the SIGBUS signal, record the CPER in runtime and fill it into guest
   memory, then notify guest according to the type of SIGBUS.

The whole solution was suggested by James(james.mo...@arm.com); The solution of
APEI section was suggested by Laszlo(ler...@redhat.com).
Show some discussions in [1].

This series of patches have already been tested on ARM64 platform with RAS
feature enabled:
Show the APEI part verification result in [2].
Show the BUS_MCEERR_AR SIGBUS handling verification result in [3].

---
Change since v19:
1. Fix clang compile error
2. Fix sphinx build error

Change since v18:
1. Fix some code-style and typo/grammar problems.
2. Remove no_ras in the VirtMachineClass struct.
3. Convert documentation to rst format.
4. Simplify the code and add comments for some magic value.
5. Move kvm_inject_arm_sea() function into the patch where it's used.
6. Register the reset handler(kvm_unpoison_all()) in the kvm_init() function.

Change since v17:
1. Improve some commit messages and comments.
2. Fix some code-style problems.
3. Add a *ras* machine option.
4. Move HEST/GHES related structures and macros into "hw/acpi/acpi_ghes.*".
5. Move HWPoison page functions into "include/sysemu/kvm_int.h".
6. Fix some bugs.
7. Improve the design document.

Change since v16:
1. check whether ACPI table is enabled when handling the memory error in the 
SIGBUS handler.

Change since v15:
1. Add a doc-comment in the proper format for 'include/exec/ram_addr.h'
2. Remove write_part_cpustate_to_list() because there is another bug fix patch
   has been merged "arm: Allow system registers for KVM guests to be changed by 
QEMU code"
3. Add some comments for kvm_inject_arm_sea() in 'target/arm/kvm64.c'
4. Compare the arm_current_el() return value to 0,1,2,3, not to PSTATE_MODE_* 
constants.
5. Change the RAS support wasn't introduced before 4.1 QEMU version.
6. Move the no_ras flag  patch to begin in this series

Change since v14:
1. Remove the BUS_MCEERR_AO handling logic because this asynchronous signal was 
masked by main thread
2. Address some Igor Mammedov's comments(ACPI part)
   1) change the comments for the enum AcpiHestNotifyType definition and remove 
ditto in patch 1
   2) change some patch commit messages and separate "APEI GHES table 
generation" patch to more patches.
3. Address some Peter's comments(arm64 Synchronous External Abort injection)
   1) change some code notes
   2) using arm_current_el() for current EL
   3) use the helper functions for those (syn_data_abort_*).

Change since v13:
1. Move the patches that set guest ESR and inject virtual SError out of this 
series
2. Clean and optimize the APEI part patches
3. Update the commit messages and add some comments for the code

Change since v12:
1. Address Paolo's comments to move HWPoisonPage definition to 
accel/kvm/kvm-all.c
2. Only call kvm_cpu_synchronize_state() when get the BUS_MCEERR_AR signal
3. Only add and enable GPIO-Signal and ARMv8 SEA two hardware error sources
4. Address Michael's comments to not sync SPDX from Linux kernel header file

Change since v11:
Address James's comments(james.mo...@arm.com)
1. Check whether KVM has the capability to set ESR instead of detecting host CPU RAS capability
2. For SIGBUS_MCEERR_AR SIGBUS, use Synchronous-External-Abort(SEA) 
notification type
   for SIGBUS_MCEERR_AO SIGBUS, use GPIO-Signal notification


Address Shannon's comments(for ACPI part):
1. Unify hest_ghes.c and hest_ghes.h license declaration
2. Remove unnecessary including "qmp-commands.h" in hest_ghes.c
3. Unconditionally add guest APEI table based on James's 
comments(james.mo...@arm.com)
4. Add an option to virt machine for migration compatibility. On new virt machine it's on
   by default while off for old ones, we enabled it since 2.12
5. Refer to the ACPI spec version which introduces Hardware Error Notification 
first time
6. Add ACPI_HEST_NOTIFY_RESERVED notification type

Address Igor's comments(for ACPI part):
1. Add doc patch first which will describe how it's supposed to work between 
QEMU/firmware/guest
   OS with expected flows
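
The `etc/hardware_errors` layout described in patch 2/5, with the status block and Generic Error Data fields visible in patches 3/5 and 5/5, worked through as an added C example (not code from the series). The function names are hypothetical, the section type bytes and payload are constructed, and fields the example does not need are written as zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the patches: 8-byte table entries, 4096-byte blocks, a 20-byte
 * status block header, and a Generic Error Data entry whose appended fields
 * add up to 72 bytes (16+4+2+1+1+4+16+20+8). */
#define ADDR_ENTRY_SIZE 8u
#define BLOCK_SIZE      4096u
#define GESB_SIZE       20u
#define GED_SIZE        72u
#define BAD_OFFSET      UINT64_MAX

/* Total blob size for n error sources: N * 8 * 2 + N * 4096. */
uint64_t ghes_blob_size(uint32_t n)
{
    return (uint64_t)n * ADDR_ENTRY_SIZE * 2 + (uint64_t)n * BLOCK_SIZE;
}

/* error_block_address[i]: the address table starts the blob. */
uint64_t ghes_error_block_address_off(uint32_t n, uint32_t i)
{
    return i < n ? (uint64_t)i * ADDR_ENTRY_SIZE : BAD_OFFSET;
}

/* read_ack_register[i]: follows the n address entries. */
uint64_t ghes_read_ack_off(uint32_t n, uint32_t i)
{
    return i < n ? ((uint64_t)n + i) * ADDR_ENTRY_SIZE : BAD_OFFSET;
}

/* Error Status Data Block i: follows both register arrays. */
uint64_t ghes_status_block_off(uint32_t n, uint32_t i)
{
    return i < n ? (uint64_t)n * ADDR_ENTRY_SIZE * 2 + (uint64_t)i * BLOCK_SIZE
                 : BAD_OFFSET;
}

/* Store the low `size` bytes of v little-endian at p[off]; return new offset. */
static size_t put_le(uint8_t *p, size_t off, uint64_t v, size_t size)
{
    for (size_t k = 0; k < size; k++) {
        p[off + k] = (uint8_t)(v >> (8 * k));
    }
    return off + size;
}

/* Write a status block header, one Generic Error Data entry and its payload
 * into block i. Every length comes from the arguments, never from bytes
 * already in the guest-visible block. Returns bytes written, or -1 when the
 * source index, blob size or payload length is out of range. */
int64_t ghes_write_record(uint8_t *blob, uint64_t blob_len, uint32_t n,
                          uint32_t i, const uint8_t section_type[16],
                          uint32_t block_status, uint32_t severity,
                          const uint8_t *payload, uint32_t payload_len)
{
    uint64_t base = ghes_status_block_off(n, i);
    size_t o = 0;
    uint8_t *b;
    if (!blob || !section_type || (!payload && payload_len) ||
        base == BAD_OFFSET || blob_len < ghes_blob_size(n) ||
        payload_len > BLOCK_SIZE - GESB_SIZE - GED_SIZE) {
        return -1;
    }
    b = blob + base;
    /* Generic Error Status Block */
    o = put_le(b, o, block_status, 4);            /* Block Status */
    o = put_le(b, o, 0, 4);                       /* Raw Data Offset */
    o = put_le(b, o, 0, 4);                       /* Raw Data Length */
    o = put_le(b, o, GED_SIZE + payload_len, 4);  /* Data Length */
    o = put_le(b, o, severity, 4);                /* Error Severity */
    /* Generic Error Data entry */
    memcpy(b + o, section_type, 16);              /* Section Type */
    o += 16;
    o = put_le(b, o, severity, 4);                /* Error Severity */
    o = put_le(b, o, 0, 2);                       /* Revision (zero here) */
    o = put_le(b, o, 0, 1);                       /* Validation Bits */
    o = put_le(b, o, 0, 1);                       /* Flags */
    o = put_le(b, o, payload_len, 4);             /* Error Data Length */
    memset(b + o, 0, 16 + 20);                    /* FRU Id, FRU Text */
    o += 16 + 20;
    o = put_le(b, o, 0, 8);                       /* Timestamp */
    if (payload_len) {
        memcpy(b + o, payload, payload_len);
    }
    return (int64_t)(o + payload_len);
}

int main(void)
{
    static uint8_t blob[2 * 8 * 2 + 2 * 4096];    /* n = 2 sources */
    const uint8_t type[16] = { 0xAA };            /* constructed, not a real GUID */
    uint8_t cper[80] = { 0 };                     /* constructed payload */
    long long w = ghes_write_record(blob, sizeof(blob), 2, 1, type, 1, 0,
                                    cper, sizeof(cper));
    printf("wrote %lld bytes into the block at offset %llu\n", w,
           (unsigned long long)ghes_status_block_off(2, 1));
    return 0;
}
```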

[PATCH v2 4/6] migration/multifd: used must not be 0 for a pending job

2019-10-25 Thread Wei Yang
After thread synchronization request is handled in another case, this
means we only get pending_job when there are used pages.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 62072b7a35..12c270e86d 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1132,12 +1132,11 @@ static void *multifd_send_thread(void *opaque)
 break;
 }
 
-if (used) {
-ret = qio_channel_writev_all(p->c, p->pages->iov,
- used, &local_err);
-if (ret != 0) {
-break;
-}
+assert(used);
+ret = qio_channel_writev_all(p->c, p->pages->iov,
+ used, &local_err);
+if (ret != 0) {
+break;
 }
 
 qemu_mutex_lock(&p->mutex);
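Review bot: `assert(used);` turns what used to be a skipped write into an abort of the sending QEMU, and the reason `used` cannot be 0 at this point is stated only in the commit message. Add a comment at the assert naming the invariant (the sync request is handled on a separate path), or report the condition through the existing `break` error path instead of asserting.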
-- 
2.17.1




[PATCH v2 1/6] migration/multifd: move Params update and pages cleanup into multifd_send_fill_packet()

2019-10-25 Thread Wei Yang
Fill data and update/cleanup related field in one place. Also make the
code a little cleaner.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 20 +++-
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 5876054195..35f147388b 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -789,15 +789,16 @@ static void multifd_pages_clear(MultiFDPages_t *pages)
 g_free(pages);
 }
 
-static void multifd_send_fill_packet(MultiFDSendParams *p)
+static void multifd_send_fill_packet(MultiFDSendParams *p, uint32_t used)
 {
 MultiFDPacket_t *packet = p->packet;
+uint32_t next_packet_size = used * qemu_target_page_size();
 int i;
 
 packet->flags = cpu_to_be32(p->flags);
 packet->pages_alloc = cpu_to_be32(p->pages->allocated);
 packet->pages_used = cpu_to_be32(p->pages->used);
-packet->next_packet_size = cpu_to_be32(p->next_packet_size);
+packet->next_packet_size = cpu_to_be32(next_packet_size);
 packet->packet_num = cpu_to_be64(p->packet_num);
 
 if (p->pages->block) {
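Review bot: the new `used` parameter duplicates `p->pages->used`, which this function still reads for `packet->pages_used` and for the offset loop, so the two counts can disagree without anything noticing. Drop the parameter and take the count from `p->pages->used`, or assert at the top that they are equal. `used * qemu_target_page_size()` is also stored into a uint32_t with no check that the product fits.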
@@ -807,6 +808,13 @@ static void multifd_send_fill_packet(MultiFDSendParams *p)
 for (i = 0; i < p->pages->used; i++) {
 packet->offset[i] = cpu_to_be64(p->pages->offset[i]);
 }
+
+p->next_packet_size = next_packet_size;
+p->flags = 0;
+p->num_packets++;
+p->num_pages += used;
+p->pages->used = 0;
+p->pages->block = NULL;
 }
 
 static int multifd_recv_unfill_packet(MultiFDRecvParams *p, Error **errp)
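Review bot: with the lines added at the tail, multifd_send_fill_packet() no longer only fills the packet: it also bumps `p->num_packets` and `p->num_pages` and clears `p->pages->used` and `p->pages->block`. Rename the function or add a comment above it listing these side effects, since any caller that reads `p->pages->used` after the call now sees 0.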
@@ -1109,13 +1117,7 @@ static void *multifd_send_thread(void *opaque)
 uint64_t packet_num = p->packet_num;
 flags = p->flags;
 
-p->next_packet_size = used * qemu_target_page_size();
-multifd_send_fill_packet(p);
-p->flags = 0;
-p->num_packets++;
-p->num_pages += used;
-p->pages->used = 0;
-p->pages->block = NULL;
+multifd_send_fill_packet(p, used);
 qemu_mutex_unlock(&p->mutex);
 
 trace_multifd_send(p->id, packet_num, used, flags,
-- 
2.17.1




[PATCH v2 0/6] migration/multifd: a new mechanism for send thread sync

2019-10-25 Thread Wei Yang
Current send thread could work while the sync mechanism has some problem:

  * has spurious wakeups
  * number of channels_ready will *overflow* the number of real channels

The reason is:

  * if MULTIFD_FLAG_SYNC is set in the middle of send thread running, there
is one more spurious wakeup
  * if MULTIFD_FLAG_SYNC is set when send thread is not running, there is one
more channels_ready triggered

To solve this situation, one new mechanism is introduced to synchronize send
threads. The idea is simple, a new field *sync* is introduced to indicate a
synchronization is required.

---
v2: rebase on latest code

Wei Yang (6):
  migration/multifd: move Params update and pages cleanup into
multifd_send_fill_packet()
  migration/multifd: notify channels_ready when send thread starts
  migration/multifd: use sync field to synchronize send threads
  migration/multifd: used must not be 0 for a pending job
  migration/multifd: use boolean for pending_job is enough
  migration/multifd: there is no spurious wakeup now

 migration/ram.c | 74 +++--
 1 file changed, 47 insertions(+), 27 deletions(-)

-- 
2.17.1




Re: [RFC 0/3] block/file-posix: Work around XFS bug

2019-10-25 Thread no-reply
Patchew URL: https://patchew.org/QEMU/20191025095849.25283-1-mre...@redhat.com/



Hi,

This series failed the docker-quick@centos7 build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC  block/sheepdog.o
  CC  block/accounting.o
/tmp/qemu-test/src/block/file-posix.c: In function 'raw_open_common':
/tmp/qemu-test/src/block/file-posix.c:671:5: error: implicit declaration of 
function 'platform_test_xfs_fd' [-Werror=implicit-function-declaration]
 if (platform_test_xfs_fd(s->fd)) {
 ^
/tmp/qemu-test/src/block/file-posix.c:671:5: error: nested extern declaration 
of 'platform_test_xfs_fd' [-Werror=nested-externs]
cc1: all warnings being treated as errors
make: *** [block/file-posix.o] Error 1
make: *** Waiting for unfinished jobs
Traceback (most recent call last):
  File "./tests/docker/docker.py", line 662, in 
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=c74d47e9bfb24107b6e94885fa8a2151', '-u', 
'1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-ytazf4e4/src/docker-src.2019-10-25-20.11.53.7609:/var/tmp/qemu:z,ro',
 'qemu:centos7', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=c74d47e9bfb24107b6e94885fa8a2151
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-ytazf4e4/src'
make: *** [docker-run-test-quick@centos7] Error 2

real2m32.235s
user0m8.092s


The full log is available at
http://patchew.org/logs/20191025095849.25283-1-mre...@redhat.com/testing.docker-quick@centos7/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

[PATCH v2 6/6] migration/multifd: there is no spurious wakeup now

2019-10-25 Thread Wei Yang
The spurious wakeup is gone.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index fccdbfabc5..73ace40b1b 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1168,8 +1168,8 @@ static void *multifd_send_thread(void *opaque)
 qemu_mutex_unlock(&p->mutex);
 break;
 } else {
-qemu_mutex_unlock(&p->mutex);
-/* sometimes there are spurious wakeups */
+/* no other case should trigger me */
+g_assert_not_reached();
 }
 }
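Review bot: the else branch now ends in `g_assert_not_reached();`, so a wakeup that matches none of the earlier branches aborts the whole QEMU process where it used to unlock and loop again. The comment "no other case should trigger me" does not say which cases those are; name the conditions handled above in the comment, and consider reporting an error and leaving the loop rather than aborting.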
 
-- 
2.17.1




Re: [PATCH 0/4] SCSI COMPARE_AND_WRITE support

2019-10-25 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/1571996163-27688-1-git-send-email-baiyao...@cmss.chinamobile.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH 0/4] SCSI COMPARE_AND_WRITE support
Type: series
Message-id: 1571996163-27688-1-git-send-email-baiyao...@cmss.chinamobile.com

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Switched to a new branch 'test'
9dec556 scsi-disk: add FUA support for COMPARE_AND_WRITE
8ee0b25 hw/scsi: add SCSI COMPARE_AND_WRITE support
6c2bd51 block/rbd: implement bdrv_aio_compare_and_write interface
f2cafca block: add SCSI COMPARE_AND_WRITE support

=== OUTPUT BEGIN ===
1/4 Checking commit f2cafca98400 (block: add SCSI COMPARE_AND_WRITE support)
2/4 Checking commit 6c2bd51ede14 (block/rbd: implement 
bdrv_aio_compare_and_write interface)
ERROR: braces {} are necessary for all arms of this statement
#59: FILE: block/rbd.c:808:
+if (LIBRBD_HAVE_COMPARE_AND_WRITE)
[...]

ERROR: line over 90 characters
#87: FILE: block/rbd.c:1015:
+r = rbd_aio_compare_and_write(s->image, off, size/2, rcb->buf, 
(rcb->buf + size/2), c, 0, 0);

ERROR: spaces required around that '/' (ctx:VxV)
#87: FILE: block/rbd.c:1015:
+r = rbd_aio_compare_and_write(s->image, off, size/2, rcb->buf, 
(rcb->buf + size/2), c, 0, 0);
  ^

ERROR: spaces required around that '/' (ctx:VxV)
#87: FILE: block/rbd.c:1015:
+r = rbd_aio_compare_and_write(s->image, off, size/2, rcb->buf, 
(rcb->buf + size/2), c, 0, 0);

^

WARNING: line over 80 characters
#98: FILE: block/rbd.c:1082:
+  uint64_t offset, uint64_t 
bytes,

total: 4 errors, 1 warnings, 90 lines checked

Patch 2/4 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

3/4 Checking commit 8ee0b25d3d83 (hw/scsi: add SCSI COMPARE_AND_WRITE support)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#219: 
new file mode 100644

total: 0 errors, 1 warnings, 190 lines checked

Patch 3/4 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
4/4 Checking commit 9dec556b752c (scsi-disk: add FUA support for 
COMPARE_AND_WRITE)
=== OUTPUT END ===

Test command exited with code: 1


The full log is available at
http://patchew.org/logs/1571996163-27688-1-git-send-email-baiyao...@cmss.chinamobile.com/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

[PATCH v2 5/6] migration/multifd: use boolean for pending_job is enough

2019-10-25 Thread Wei Yang
After the synchronization request is handled in another case, there can be
at most one pending_job per send thread.

It is fine to use a boolean to represent this behavior.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 12c270e86d..fccdbfabc5 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -646,7 +646,7 @@ typedef struct {
 /* should this thread finish */
 bool quit;
 /* thread has work to do */
-int pending_job;
+bool pending_job;
 /* array of pages to sent */
 MultiFDPages_t *pages;
 /* packet allocated len */
@@ -933,7 +933,7 @@ static int multifd_send_pages(RAMState *rs)
 return -1;
 }
 if (!p->pending_job) {
-p->pending_job++;
+p->pending_job = true;
 next_channel = (i + 1) % migrate_multifd_channels();
 break;
 }
@@ -1140,7 +1140,7 @@ static void *multifd_send_thread(void *opaque)
 }
 
 qemu_mutex_lock(&p->mutex);
-p->pending_job--;
+p->pending_job = false;
 qemu_mutex_unlock(&p->mutex);
 
 qemu_sem_post(&multifd_send_state->channels_ready);
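
Review bot: With pending_job now a bool, `p->pending_job = false` silently drops the information the old `p->pending_job--` carried: if a job were ever queued twice before the send thread got here, the counter would have stayed non-zero, while the flag simply clears. The commit message relies on there being at most one pending job per thread, so add a check such as assert(p->pending_job) before clearing it, under the same lock, so that a violation of that assumption is caught at this point.
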
@@ -1238,8 +1238,7 @@ int multifd_save_setup(void)
 qemu_mutex_init(&p->mutex);
 qemu_sem_init(&p->sem, 0);
 qemu_sem_init(&p->sem_sync, 0);
-p->quit = p->sync = false;
-p->pending_job = 0;
+p->quit = p->sync = p->pending_job = false;
 p->id = i;
 p->pages = multifd_pages_init(page_count);
 p->packet_len = sizeof(MultiFDPacket_t)
-- 
2.17.1




[PATCH v2 16/27] riscv: plic: Always set sip.SEIP bit for HS

2019-10-25 Thread Alistair Francis
When the PLIC generates an interrupt ensure we always set it for the SIP
CSR that corresponds to the HS (V=0) register.

Signed-off-by: Alistair Francis 
---
 hw/riscv/sifive_plic.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/riscv/sifive_plic.c b/hw/riscv/sifive_plic.c
index 98e4304b66..8309e96f64 100644
--- a/hw/riscv/sifive_plic.c
+++ b/hw/riscv/sifive_plic.c
@@ -150,7 +150,17 @@ static void sifive_plic_update(SiFivePLICState *plic)
 riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_MEIP, 
BOOL_TO_MASK(level));
 break;
 case PLICMode_S:
-riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_SEIP, 
BOOL_TO_MASK(level));
+if (riscv_cpu_virt_enabled(env)) {
+if (level) {
+atomic_or(&env->mip_novirt, MIP_SEIP);
+g_assert(riscv_cpu_virt_enabled(env));
+} else {
+atomic_and(&env->mip_novirt, ~MIP_SEIP);
+g_assert(riscv_cpu_virt_enabled(env));
+}
+} else {
+riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_SEIP, 
BOOL_TO_MASK(level));
+}
 break;
 default:
 break;
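
Review bot: In the PLICMode_S arm, both g_assert(riscv_cpu_virt_enabled(env)) calls sit inside an if that already tested riscv_cpu_virt_enabled(env), so they can only fire if V changes between the test and the atomic update; if that race is real the assert does not prevent it, and if it is not the asserts should go. The V=1 path also writes env->mip_novirt directly with atomic_or()/atomic_and() instead of going through riscv_cpu_update_mip() like the other arms; please add a comment saying why whatever else that helper does is not needed here.
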
-- 
2.23.0




[PATCH v2 2/6] migration/multifd: notify channels_ready when send thread starts

2019-10-25 Thread Wei Yang
multifd_send_state->channels_ready is initialized to 0. It is proper to
let the main thread know we are ready when the thread starts running.

The current implementation works since ram_save_setup() calls
multifd_send_sync_main(), which wakes up the send thread and posts
channels_ready. This behavior will introduce some unpredictable
situations and disturb the semaphore value.

This is a preparation patch to use another mechanism to do send thread
synchronization to avoid posting channels_ready in this case. So this patch
posts channels_ready when send threads start running.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/migration/ram.c b/migration/ram.c
index 35f147388b..25d477796e 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1107,6 +1107,8 @@ static void *multifd_send_thread(void *opaque)
 }
 /* initial packet */
 p->num_packets = 1;
+/* let main thread know we are ready */
+qemu_sem_post(&multifd_send_state->channels_ready);
 
 while (true) {
 qemu_sem_wait(&p->sem);
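
Review bot: Per the commit message, ram_save_setup() still reaches multifd_send_sync_main() and that path still posts channels_ready, so with this patch applied on its own the added qemu_sem_post() gives each send thread two posts at start-up until a later patch removes the other one. Either reorder the series so the semaphore count is right at every step, or state the temporary imbalance in the commit message so that a bisect landing here is not misread.
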
-- 
2.17.1




[PATCH v2 3/6] migration/multifd: use sync field to synchronize send threads

2019-10-25 Thread Wei Yang
Add a field in MultiFDSendParams to indicate there is a request to
synchronize send threads.

By doing so, send_thread will just post sem_sync on synchronization
request and channels_ready will not *overflow*.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 30 --
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 25d477796e..62072b7a35 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -641,6 +641,8 @@ typedef struct {
 QemuMutex mutex;
 /* is this channel thread running */
 bool running;
+/* should sync this channel */
+bool sync;
 /* should this thread finish */
 bool quit;
 /* thread has work to do */
@@ -1074,8 +1076,7 @@ static void multifd_send_sync_main(RAMState *rs)
 }
 
 p->packet_num = multifd_send_state->packet_num++;
-p->flags |= MULTIFD_FLAG_SYNC;
-p->pending_job++;
+p->sync = true;
 qemu_file_update_transfer(rs->f, p->packet_len);
 ram_counters.multifd_bytes += p->packet_len;
 ram_counters.transferred += p->packet_len;
@@ -1143,10 +1144,27 @@ static void *multifd_send_thread(void *opaque)
 p->pending_job--;
 qemu_mutex_unlock(&p->mutex);
 
-if (flags & MULTIFD_FLAG_SYNC) {
-qemu_sem_post(&p->sem_sync);
-}
 qemu_sem_post(&multifd_send_state->channels_ready);
+} else if (p->sync) {
+uint64_t packet_num = p->packet_num;
+uint32_t flags = p->flags;
+assert(!p->pages->used);
+
+p->flags |= MULTIFD_FLAG_SYNC;
+multifd_send_fill_packet(p, 0);
+p->sync = false;
+qemu_mutex_unlock(&p->mutex);
+
+trace_multifd_send(p->id, packet_num, 0, flags | MULTIFD_FLAG_SYNC,
+   p->next_packet_size);
+
+ret = qio_channel_write_all(p->c, (void *)p->packet,
+p->packet_len, &local_err);
+if (ret != 0) {
+break;
+}
+
+qemu_sem_post(&p->sem_sync);
 } else if (p->quit) {
 qemu_mutex_unlock(&p->mutex);
 break;
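
Review bot: In the new `else if (p->sync)` arm, the `if (ret != 0) { break; }` after qio_channel_write_all() leaves the loop before qemu_sem_post(&p->sem_sync), so whoever waits on sem_sync for this channel is never woken when the write fails; post the semaphore on the error path as well, or make the waiter check for a failed channel. Two smaller points in the same arm: p->flags gets MULTIFD_FLAG_SYNC OR-ed in and nothing here clears it again, so confirm the next data packet cannot inherit the flag, and p->next_packet_size is read for the trace after p->mutex has been dropped, while packet_num and flags were copied to locals first.
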
@@ -1221,7 +1239,7 @@ int multifd_save_setup(void)
 qemu_mutex_init(&p->mutex);
 qemu_sem_init(&p->sem, 0);
 qemu_sem_init(&p->sem_sync, 0);
-p->quit = false;
+p->quit = p->sync = false;
 p->pending_job = 0;
 p->id = i;
 p->pages = multifd_pages_init(page_count);
-- 
2.17.1




[PATCH v2 14/27] target/ricsv: Flush the TLB on virtulisation mode changes

2019-10-25 Thread Alistair Francis
To ensure our TLB isn't out-of-date we flush it on all virt mode
changes. Unlike priv mode this isn't saved in the mmu_idx as all
guests share V=1. The easiest option is just to flush on all changes.

Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu_helper.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index bb4557df16..637e05996a 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -200,6 +200,11 @@ void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool 
enable)
 return;
 }
 
+/* Flush the TLB on all virt mode changes. */
+if (get_field(env->virt, VIRT_ONOFF) != enable) {
+tlb_flush(env_cpu(env));
+}
+
 env->virt = set_field(env->virt, VIRT_ONOFF, enable);
 }
 
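
Review bot: The flush condition open-codes `get_field(env->virt, VIRT_ONOFF) != enable`; the series already has riscv_cpu_virt_enabled(env) for reading this bit, and using it here keeps a single accessor for V and avoids comparing a raw field value against a bool. Since the commit message says the full flush was chosen as the easiest option, extend the code comment to say that V is not encoded in the mmu_idx, so a later reader knows what has to change before the flush can be narrowed.
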
-- 
2.23.0




[PATCH v2 19/27] target/riscv: Add hfence instructions

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/insn32.decode| 23 ++-
 .../riscv/insn_trans/trans_privileged.inc.c   | 40 +++
 2 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 77f794ed70..cfd9ca6d2b 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -63,20 +63,25 @@
 @r2_rm   ...   . . ... . ... %rs1 %rm %rd
 @r2  ...   . . ... . ... %rs1 %rd
 
+@hfence_gvma ... . .   ... . ... %rs2 %rs1
+@hfence_bvma ... . .   ... . ... %rs2 %rs1
+
 @sfence_vma ... . .   ... . ... %rs2 %rs1
 @sfence_vm  ... . .   ... . ... %rs1
 
 
 # *** Privileged Instructions ***
-ecall   0 000 0 1110011
-ebreak 0001 0 000 0 1110011
-uret   00000010 0 000 0 1110011
-sret   000100000010 0 000 0 1110011
-hret   00100010 0 000 0 1110011
-mret   001100000010 0 000 0 1110011
-wfi000100000101 0 000 0 1110011
-sfence_vma 0001001. . 000 0 1110011 @sfence_vma
-sfence_vm  000100000100 . 000 0 1110011 @sfence_vm
+ecall    0 000 0 1110011
+ebreak  0001 0 000 0 1110011
+uret00000010 0 000 0 1110011
+sret000100000010 0 000 0 1110011
+hret00100010 0 000 0 1110011
+mret001100000010 0 000 0 1110011
+wfi 000100000101 0 000 0 1110011
+hfence_gvma 0110001. . 000 0 1110011 @hfence_gvma
+hfence_bvma 0010001. . 000 0 1110011 @hfence_bvma
+sfence_vma  0001001. . 000 0 1110011 @sfence_vma
+sfence_vm   000100000100 . 000 0 1110011 @sfence_vm
 
 # *** RV32I Base Instruction Set ***
 lui     . 0110111 @u
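
Review bot: Only hfence_gvma and hfence_bvma (plus their two format lines) are new in this table, but every existing privileged instruction line is removed and re-added to widen the name column, which hides the real change and will conflict with anything else touching these entries. Please keep the existing alignment or split the re-indent into its own patch, and add a commit message body, since this patch has none.
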
diff --git a/target/riscv/insn_trans/trans_privileged.inc.c 
b/target/riscv/insn_trans/trans_privileged.inc.c
index c5e4b3e49a..b9b5a89b52 100644
--- a/target/riscv/insn_trans/trans_privileged.inc.c
+++ b/target/riscv/insn_trans/trans_privileged.inc.c
@@ -108,3 +108,43 @@ static bool trans_sfence_vm(DisasContext *ctx, 
arg_sfence_vm *a)
 #endif
 return false;
 }
+
+static bool trans_hfence_gvma(DisasContext *ctx, arg_sfence_vma *a)
+{
+#ifndef CONFIG_USER_ONLY
+if (ctx->priv_ver >= PRIV_VERSION_1_10_0 &&
+has_ext(ctx, RVH)) {
+/* Hpervisor extensions exist */
+/*
+ * if (env->priv == PRV_M ||
+ *   (env->priv == PRV_S &&
+ *!riscv_cpu_virt_enabled(env) &&
+ *get_field(ctx->mstatus_fs, MSTATUS_TVM))) {
+ */
+gen_helper_tlb_flush(cpu_env);
+return true;
+/* } */
+}
+#endif
+return false;
+}
+
+static bool trans_hfence_bvma(DisasContext *ctx, arg_sfence_vma *a)
+{
+#ifndef CONFIG_USER_ONLY
+if (ctx->priv_ver >= PRIV_VERSION_1_10_0 &&
+has_ext(ctx, RVH)) {
+/* Hpervisor extensions exist */
+/*
+ * if (env->priv == PRV_M ||
+ *   (env->priv == PRV_S &&
+ *!riscv_cpu_virt_enabled(env) &&
+ *get_field(ctx->mstatus_fs, MSTATUS_TVM))) {
+ */
+gen_helper_tlb_flush(cpu_env);
+return true;
+/* } */
+}
+#endif
+return false;
+}
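
Review bot: In both trans_hfence_gvma() and trans_hfence_bvma() the privilege test is left commented out, so once RVH is present the instruction reaches gen_helper_tlb_flush() from any privilege level and any virtualisation state, guest included, instead of being rejected. The commented-out condition (PRV_M, or PRV_S with V=0, plus the TVM test) refers to env, which these functions do not receive, so it most likely has to be enforced in a helper; either way it needs to be in place before this is merged. The two function bodies are identical and could share one implementation, and 'Hpervisor' in the comments should read 'Hypervisor'.
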
-- 
2.23.0




[PATCH v2 08/27] target/riscv: Dump Hypervisor registers if enabled

2019-10-25 Thread Alistair Francis
Dump the Hypervisor registers and the current Hypervisor state.

While we are editing this code let's also dump stvec and scause.

Signed-off-by: Alistair Francis 
Signed-off-by: Atish Patra 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu.c | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index e521ebe2e1..e66fd300fd 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -220,17 +220,51 @@ static void riscv_cpu_dump_state(CPUState *cs, FILE *f, 
int flags)
 CPURISCVState *env = &cpu->env;
 int i;
 
+#if !defined(CONFIG_USER_ONLY)
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s %d\n", "V  =  ", riscv_cpu_virt_enabled(env));
+}
+#endif
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "pc  ", env->pc);
 #ifndef CONFIG_USER_ONLY
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mhartid ", env->mhartid);
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mstatus ", env->mstatus);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "hstatus ", env->hstatus);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "bstatus ", env->vsstatus);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mip ", env->mip);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vsip",
+ (target_ulong)atomic_read(&env->vsip));
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mie ", env->mie);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vsie", env->vsie);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mideleg ", env->mideleg);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "hideleg ", env->hideleg);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "medeleg ", env->medeleg);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "hedeleg ", env->hedeleg);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mtvec   ", env->mtvec);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "stvec   ", env->stvec);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vstvec  ", env->vstvec);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mepc", env->mepc);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "sepc", env->sepc);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vsepc   ", env->vsepc);
+}
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mcause  ", env->mcause);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "scause  ", env->scause);
+if (riscv_has_ext(env, RVH)) {
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vscause ", env->vscause);
+}
 #endif
 
 for (i = 0; i < 32; i++) {
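
Review bot: The line printing env->vsstatus uses the label "bstatus ", which matches neither the field name nor the other vs* labels added in this hunk (vsip, vsie, vstvec, vsepc, vscause); it should read "vsstatus". The hunk also adds sepc, which the commit message does not mention alongside stvec and scause, and the first new block spells its guard `#if !defined(CONFIG_USER_ONLY)` directly above an existing `#ifndef CONFIG_USER_ONLY`; use one spelling.
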
-- 
2.23.0




[PATCH v2 05/27] target/riscv: Fix CSR perm checking for HS mode

2019-10-25 Thread Alistair Francis
Update the CSR permission checking to work correctly when we are in
HS-mode.

Signed-off-by: Alistair Francis 
---
 target/riscv/csr.c | 18 ++
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index da02f9f0b1..08956aa557 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -799,12 +799,22 @@ int riscv_csrrw(CPURISCVState *env, int csrno, 
target_ulong *ret_value,
 
 /* check privileges and return -1 if check fails */
 #if !defined(CONFIG_USER_ONLY)
-int csr_priv = get_field(csrno, 0x300);
+int effective_priv = env->priv;
 int read_only = get_field(csrno, 0xC00) == 3;
-if ((!env->debugger) && (env->priv < csr_priv)) {
-return -1;
+
+if (riscv_has_ext(env, RVH) &&
+env->priv == PRV_S &&
+!riscv_cpu_virt_enabled(env)) {
+/*
+ * We are in S mode without virtualisation, therefore we are in HS 
Mode.
+ * Add 1 to the effective privledge level to allow us to access the
+ * Hypervisor CSRs.
+ */
+effective_priv++;
 }
-if (write_mask && read_only) {
+
+if ((write_mask && read_only) ||
+(!env->debugger && (effective_priv < get_field(csrno, 0x300 {
 return -1;
 }
 #endif
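
Review bot: `effective_priv++` works only because the hypervisor CSRs are encoded one privilege level above PRV_S in the 0x300 bits of csrno; that assumption is implicit, so assign a named level instead of incrementing, and fix 'privledge' in the comment. Please also state in the commit message, or cover with a test, that S-mode with V=1 still fails the check for these CSRs, since that is the case this function has to keep rejecting.
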
-- 
2.23.0




[PATCH v2 04/27] target/riscv: Add the force HS exception mode

2019-10-25 Thread Alistair Francis
Add a FORCE_HS_EXCEP mode to the RISC-V virtualisation status. This bit
specifies if an exception should be taken to HS mode no matter the
current delegation status. This is used when an exception must be taken
to HS mode, such as when a second level page fault occurs.

Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h|  2 ++
 target/riscv/cpu_bits.h   |  6 ++
 target/riscv/cpu_helper.c | 18 ++
 3 files changed, 26 insertions(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 469dcbd1c0..bb7a0e27a7 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -252,6 +252,8 @@ bool riscv_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request);
 bool riscv_cpu_fp_enabled(CPURISCVState *env);
 bool riscv_cpu_virt_enabled(CPURISCVState *env);
 void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable);
+bool riscv_cpu_force_hs_excep_enabled(CPURISCVState *env);
+void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable);
 int riscv_cpu_mmu_index(CPURISCVState *env, bool ifetch);
 hwaddr riscv_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 void  riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index b4119cc002..162d42f211 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -424,6 +424,12 @@
 
 /* Virtulisation Register Fields */
 #define VIRT_ONOFF  1
+/* This is used to save state for when we take an exception. If this is set
+ * that means that we want to force a HS level exception (no matter what the
+ * delegation is set to). This will occur for things such as a second level
+ * page table fault.
+ */
+#define FORCE_HS_EXCEP  2
 
 /* RV32 satp CSR field masks */
 #define SATP32_MODE 0x8000
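
Review bot: The new block comment above FORCE_HS_EXCEP starts its text on the same line as the opening `/*`; QEMU's coding style wants the opening `/*` on a line of its own for multi-line comments, and checkpatch will flag this. The comment also says the bit saves state "for when we take an exception" without saying who sets it and who clears it; one sentence on that lifetime belongs here.
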
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 0306f3181d..1464f73bee 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -100,6 +100,24 @@ void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool 
enable)
 env->virt = set_field(env->virt, VIRT_ONOFF, enable);
 }
 
+bool riscv_cpu_force_hs_excep_enabled(CPURISCVState *env)
+{
+if (!riscv_has_ext(env, RVH)) {
+return false;
+}
+
+return get_field(env->virt, FORCE_HS_EXCEP);
+}
+
+void riscv_cpu_set_force_hs_excep(CPURISCVState *env, bool enable)
+{
+if (!riscv_has_ext(env, RVH)) {
+return;
+}
+
+env->virt = set_field(env->virt, FORCE_HS_EXCEP, enable);
+}
+
 int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts)
 {
 CPURISCVState *env = &cpu->env;
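
Review bot: riscv_cpu_set_force_hs_excep() stores a flag in env->virt that stays set until someone calls it again with false, and nothing in this patch shows a caller or a clearing point. Document at the helper which code path is expected to reset it once the exception has been taken, otherwise a stale flag would route a later, unrelated exception to HS mode regardless of delegation. Both helpers also return quietly when RVH is absent; for the setter called with enable == true that hides a caller bug, so consider asserting there.
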
-- 
2.23.0




[PATCH v2 00/27] Add RISC-V Hypervisor Extension v0.4

2019-10-25 Thread Alistair Francis


This patch series adds the RISC-V Hypervisor extension v0.4. This is the
latest draft spec of the Hypervisor extension.

The Hypervisor extension is disabled by default, so this series should
result in no changes to anyone using QEMU unless they enable the
extension. The extension can be enabled with the -cpu property (see
below).

At the moment the spec does not include information about the mstatush
register, although this information has since been merged into the
master spec. As it is only adding support for 32-bit I have added this
register to this series.

Testing of this implementation has been done by using the baremetal
Xvisor Hypervisor. We are able to run two Linux guests (that's all I
have tried) as guests in 64-bit. In 32-bit so far I can only run
baremetal guests, but I think this is a baremetal boot loader issue and
not an issue in QEMU.

The RISC-V KVM implementation was also written using these patches. The
KVM implementation is currently under review.

These patches result in a reproducible race when booting a SMP Linux
guest inside a SMP Linux KVM host. This will need to be fixed.

At the moment this spec is in a draft state and is subject to change. As
QEMU is extremely useful in early bring up I think it makes sense for
QEMU to support non-frozen extensions.

Thanks to Anup for doing the initial port of Xvisor. The port is available here:
https://github.com/avpatel/xvisor-next and will run on QEMU.

Also thanks to Atish for implementing the SBI call support in Xvisor and
for lots of help debugging.

To run this yourself:
 1. Apply this patch series to QEMU. The latest branch can be found here:
  https://github.com/alistair23/qemu/tree/mainline/alistair/riscv-hyp-ext-v0.4.next
 2. Get the version of OpenSBI that supports the H extension. This can
be found here:
  https://github.com/riscv/opensbi/tree/hyp_ext_changes_v1
 3. Build the next release of Xvisor. It is available here:
  https://github.com/avpatel/xvisor-next
 4. Make sure you build the Xvisor tests, see here for details:
  https://github.com/avpatel/xvisor-next/tree/master/tests/riscv/virt64/linux
 5. Run QEMU:
 ./riscv64-softmmu/qemu-system-riscv64 -nographic \
   -machine virt -cpu rv64,x-h=true \
   -serial mon:stdio -serial null -m 4G \
   -device loader,file=vmm.bin,addr=0x8020 \
   -kernel fw_jump.elf \
   -initrd vmm-disk-linux.img \
   -append "vmm.console=uart@1000 vmm.bootcmd=\"vfs mount initrd /;vfs run /boot.xscript;vfs cat /system/banner.txt\""

   Once you get to the prompt you can start the guest by running:
 guest kick guest0
   You can then bind to the serial port using:
 vserial bind guest0/uart0
   Then you can start Linux using:
 autoexec

 This was all tested with the mainline 5.2/5.3 kernels.

There is very early work on a Xen port as well which is available here:
https://github.com/alistair23/xen/tree/alistair/riscv-port

ToDo/Issues
 - Get 32-bit fully working

This series is based on Palmer's for-master branch:
https://github.com/palmer-dabbelt/qemu/commits/for-master

v2:
 - Rebase on for-master
 - Consolidate patches requested by Palmer
 - Other updates based on feedback


Alistair Francis (27):
  target/riscv: Don't set write permissions on dirty PTEs
  target/riscv: Add the Hypervisor extension
  target/riscv: Add the virtulisation mode
  target/riscv: Add the force HS exception mode
  target/riscv: Fix CSR perm checking for HS mode
  target/riscv: Add the Hypervisor CSRs to CPUState
  target/riscv: Print priv and virt in disas log
  target/riscv: Dump Hypervisor registers if enabled
  target/riscv: Add Hypervisor CSR access functions
  target/riscv: Add Hypervisor virtual CSRs accesses
  target/riscv: Convert mie and mstatus to pointers
  target/riscv: Add virtual register swapping function
  target/riscv: Add support for virtual interrupt setting
  target/ricsv: Flush the TLB on virtulisation mode changes
  target/riscv: Generate illegal instruction on WFI when V=1
  riscv: plic: Always set sip.SEIP bit for HS
  target/riscv: Add hypvervisor trap support
  target/riscv: Add Hypervisor trap return support
  target/riscv: Add hfence instructions
  target/riscv: Disable guest FP support based on virtual status
  target/riscv: Mark both sstatus and vsstatus as dirty
  target/riscv: Respect MPRV and SPRV for floating point ops
  target/riscv: Allow specifying MMU stage
  target/riscv: Implement second stage MMU
  target/riscv: Add support for the 32-bit MSTATUSH CSR
  target/riscv: Add the MSTATUS_MPV_ISSET helper macro
  target/riscv: Allow enabling the Hypervisor extension

 hw/riscv/sifive_plic.c|  12 +-
 target/riscv/cpu.c|  61 ++-
 target/riscv/cpu.h|  55 +-
 target/riscv/cpu_bits.h   |  45 +-
 target/riscv/cpu_helper.c | 481 --
 target/riscv/csr.c| 262 +-

[PATCH v2 01/27] target/riscv: Don't set write permissions on dirty PTEs

2019-10-25 Thread Alistair Francis
Setting write permission on dirty PTEs results in userspace inside a
Hypervisor guest (VU) becoming corrupted. This appears to be because it
ends up with write permission in the second stage translation in cases
where we aren't doing a store.

Signed-off-by: Alistair Francis 
Reviewed-by: Bin Meng 
---
 target/riscv/cpu_helper.c | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 0e1a4d91fc..31f553efb9 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -344,10 +344,8 @@ restart:
 if ((pte & PTE_X)) {
 *prot |= PAGE_EXEC;
 }
-/* add write permission on stores or if the page is already dirty,
-   so that we TLB miss on later writes to update the dirty bit */
-if ((pte & PTE_W) &&
-(access_type == MMU_DATA_STORE || (pte & PTE_D))) {
+/* add write permission on stores */
+if ((pte & PTE_W) && (access_type == MMU_DATA_STORE)) {
 *prot |= PAGE_WRITE;
 }
 return TRANSLATE_SUCCESS;
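
Review bot: Dropping the `(pte & PTE_D)` case changes the permission computation for every translation, not only for guests under the Hypervisor extension, and the commit message itself says the cause only "appears to be" related to second stage translation. With this change a non-store access to an already-dirty writable page no longer installs PAGE_WRITE, so the first store afterwards needs another fill; either restrict the new behaviour to the two-stage case or state in the commit message that this cost is accepted for all configurations. The parentheses around `access_type == MMU_DATA_STORE` are redundant.
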
-- 
2.23.0




[PATCH v1 1/1] opensbi: Upgrade from v0.4 to v0.5

2019-10-25 Thread Alistair Francis
This release has:
Lot of critical fixes
Hypervisor extension support
SBI v0.2 base extension support
Debug prints support
Handle traps when doing unpriv load/store
Allow compiling without FP support
Use git describe to generate boot-time banner
Andes AE350 platform support

Signed-off-by: Alistair Francis 
---
You can get the branch from here if the binaries are causing issues:
https://github.com/alistair23/qemu/tree/mainline/alistair/opensbi.next

 pc-bios/opensbi-riscv32-virt-fw_jump.bin | Bin 36888 -> 40984 bytes
 pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin | Bin 45064 -> 49160 bytes
 pc-bios/opensbi-riscv64-virt-fw_jump.bin | Bin 40968 -> 45064 bytes
 roms/opensbi |   2 +-
 4 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pc-bios/opensbi-riscv32-virt-fw_jump.bin 
b/pc-bios/opensbi-riscv32-virt-fw_jump.bin
index 
f5bcaa56954c860d09acc0cb337c1666d88b6efb..6c5b7b89f676392b687d9835ac9fbdc34f3052cd
 100644
GIT binary patch
delta 14873

[PATCH 1/2] migration/multifd: clean pages after filling packet

2019-10-25 Thread Wei Yang
This is a preparation for the next patch:

not use multifd during postcopy.

Without enabling postcopy, everything looks good. However, after enabling
postcopy, migration may fail even when multifd is not used during postcopy.
The reason is that the pages are not properly cleared and the *old* target
page will continue to be transferred.

After cleaning the pages, migration succeeds.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 80dd2d55f9..7087bb73ed 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -929,10 +929,10 @@ static int multifd_send_pages(RAMState *rs)
 }
 qemu_mutex_unlock(&p->mutex);
 }
-p->pages->used = 0;
+assert(!p->pages->used);
+assert(!p->pages->block);
 
 p->packet_num = multifd_send_state->packet_num++;
-p->pages->block = NULL;
 multifd_send_state->pages = p->pages;
 p->pages = pages;
 transferred = ((uint64_t) pages->used) * TARGET_PAGE_SIZE + p->packet_len;
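
Review bot: The two new asserts read p->pages->used and p->pages->block after the qemu_mutex_unlock(&p->mutex) two lines above them, while the second hunk clears the same fields in the send thread under that mutex; move the checks inside the locked region so they cannot observe a half-updated state. They also replace an unconditional reset with a process abort, so a channel handed back without being cleaned now takes the guest down instead of being repaired; if the invariant is only expected to hold, keep the reset and report the violation.
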
@@ -1114,6 +1114,8 @@ static void *multifd_send_thread(void *opaque)
 p->flags = 0;
 p->num_packets++;
 p->num_pages += used;
+p->pages->used = 0;
+p->pages->block = NULL;
 qemu_mutex_unlock(&p->mutex);
 
 trace_multifd_send(p->id, packet_num, used, flags,
-- 
2.17.1




[PATCH 0/2] not use multifd during postcopy

2019-10-25 Thread Wei Yang
We don't support multifd during postcopy, but the user could still enable
both multifd and postcopy. This leads to migration failure.

Patch 1 does proper cleanup, otherwise we may have data corruption.
Patch 2 does the main job.

BTW, current multifd synchronization method needs a cleanup. Will send another
patch set.

Wei Yang (2):
  migration/multifd: clean pages after filling packet
  migration/multifd: not use multifd during postcopy

 migration/ram.c | 15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

-- 
2.17.1




[PATCH v2 15/27] target/riscv: Generate illegal instruction on WFI when V=1

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index d150551bc9..beb34e705b 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -130,9 +130,10 @@ void helper_wfi(CPURISCVState *env)
 {
 CPUState *cs = env_cpu(env);
 
-if (env->priv == PRV_S &&
+if ((env->priv == PRV_S &&
 env->priv_ver >= PRIV_VERSION_1_10_0 &&
-get_field(*env->mstatus, MSTATUS_TW)) {
+get_field(*env->mstatus, MSTATUS_TW)) ||
+riscv_cpu_virt_enabled(env)) {
 riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 } else {
 cs->halted = 1;
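
Review bot: The added `|| riscv_cpu_virt_enabled(env)` makes every WFI executed with V=1 raise RISCV_EXCP_ILLEGAL_INST, independent of the privilege level, priv_ver and MSTATUS_TW tests that gate the existing case. The patch has no commit message body, so say there whether trapping unconditionally is what the draft spec requires or a simplification, and add a comment at the condition saying the same.
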
-- 
2.23.0




[PATCH v2 20/27] target/riscv: Disable guest FP support based on virtual status

2019-10-25 Thread Alistair Francis
When the Hypervisor extension is in use we only enable floating point
support when both status and vsstatus have enabled floating point
support.

Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu_helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 41cd314f64..79966ac6e6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -91,6 +91,9 @@ bool riscv_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 bool riscv_cpu_fp_enabled(CPURISCVState *env)
 {
 if (*env->mstatus & MSTATUS_FS) {
+if (riscv_cpu_virt_enabled(env) && !(env->vsstatus & MSTATUS_FS)) {
+return false;
+}
 return true;
 }
 
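Review bot: the new inner check in `riscv_cpu_fp_enabled()` tests `env->vsstatus`, but the outer test reads `*env->mstatus`, and the register swapping function in this series points `env->mstatus` at `&env->vsstatus` while V=1 and keeps MSTATUS_FS in its `mstatus_mask`. If that holds here, both tests look at the same FS field when virtualisation is on and the hypervisor's own FS field in `mstatus_novirt` is never consulted, which is not what the commit message describes. Consider testing `env->mstatus_novirt & MSTATUS_FS` in the inner check, or explain why vsstatus is the right register.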
-- 
2.23.0




[PATCH v2 27/27] target/riscv: Allow enabling the Hypervisor extension

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu.c | 5 +
 target/riscv/cpu.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 03622825f3..6d02e61e8a 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -446,6 +446,9 @@ static void riscv_cpu_realize(DeviceState *dev, Error 
**errp)
 if (cpu->cfg.ext_u) {
 target_misa |= RVU;
 }
+if (cpu->cfg.ext_h) {
+target_misa |= RVH;
+}
 
 set_misa(env, RVXLEN | target_misa);
 }
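Review bot: `riscv_cpu_realize()` ORs RVH into `target_misa` whenever `cpu->cfg.ext_h` is set, without looking at the other extension flags, so x-h=true combined with s=false would advertise H without S. Since the function already takes `Error **errp`, please reject that combination here with an error instead of building an inconsistent misa.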
@@ -492,6 +495,8 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("c", RISCVCPU, cfg.ext_c, true),
 DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
+/* This is experimental so mark with 'x-' */
+DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
 DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
 DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index b8b731df43..ed1f139369 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -258,6 +258,7 @@ typedef struct RISCVCPU {
 bool ext_c;
 bool ext_s;
 bool ext_u;
+bool ext_h;
 bool ext_counters;
 bool ext_ifencei;
 bool ext_icsr;
-- 
2.23.0




[PATCH v2 18/27] target/riscv: Add Hypervisor trap return support

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 66 
 1 file changed, 54 insertions(+), 12 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index beb34e705b..e5128570e6 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -73,6 +73,8 @@ target_ulong helper_csrrc(CPURISCVState *env, target_ulong 
src,
 
 target_ulong helper_sret(CPURISCVState *env, target_ulong cpu_pc_deb)
 {
+target_ulong prev_priv, prev_virt, mstatus;
+
 if (!(env->priv >= PRV_S)) {
 riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 }
@@ -87,16 +89,46 @@ target_ulong helper_sret(CPURISCVState *env, target_ulong 
cpu_pc_deb)
 riscv_raise_exception(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
 }
 
-target_ulong mstatus = *env->mstatus;
-target_ulong prev_priv = get_field(mstatus, MSTATUS_SPP);
-mstatus = set_field(mstatus,
-env->priv_ver >= PRIV_VERSION_1_10_0 ?
-MSTATUS_SIE : MSTATUS_UIE << prev_priv,
-get_field(mstatus, MSTATUS_SPIE));
-mstatus = set_field(mstatus, MSTATUS_SPIE, 0);
-mstatus = set_field(mstatus, MSTATUS_SPP, PRV_U);
+mstatus = *env->mstatus;
+
+if (riscv_has_ext(env, RVH) && !riscv_cpu_virt_enabled(env)) {
+/* We support Hypervisor extensions and virtulisation is disabled */
+target_ulong hstatus = env->hstatus;
+
+prev_priv = get_field(mstatus, MSTATUS_SPP);
+prev_virt = get_field(hstatus, HSTATUS_SPV);
+
+hstatus = set_field(hstatus, HSTATUS_SPV,
+ get_field(hstatus, HSTATUS_SP2V));
+mstatus = set_field(mstatus, MSTATUS_SPP,
+get_field(hstatus, HSTATUS_SP2P));
+hstatus = set_field(hstatus, HSTATUS_SP2V, 0);
+hstatus = set_field(hstatus, HSTATUS_SP2P, 0);
+mstatus = set_field(mstatus, SSTATUS_SIE,
+get_field(mstatus, SSTATUS_SPIE));
+mstatus = set_field(mstatus, SSTATUS_SPIE, 1);
+
+*env->mstatus = mstatus;
+env->hstatus = hstatus;
+
+if (prev_virt) {
+riscv_cpu_swap_hypervisor_regs(env);
+}
+
+riscv_cpu_set_virt_enabled(env, prev_virt);
+} else {
+prev_priv = get_field(mstatus, MSTATUS_SPP);
+
+mstatus = set_field(mstatus,
+env->priv_ver >= PRIV_VERSION_1_10_0 ?
+MSTATUS_SIE : MSTATUS_UIE << prev_priv,
+get_field(mstatus, MSTATUS_SPIE));
+mstatus = set_field(mstatus, MSTATUS_SPIE, 0);
+mstatus = set_field(mstatus, MSTATUS_SPP, PRV_U);
+*env->mstatus = mstatus;
+}
+
 riscv_cpu_set_mode(env, prev_priv);
-*env->mstatus = mstatus;
 
 return retpc;
 }
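Review bot: the two branches of `helper_sret()` now disagree on what SRET does to SPIE. The new RVH branch writes `set_field(mstatus, SSTATUS_SPIE, 1)`, while the else branch still writes `set_field(mstatus, MSTATUS_SPIE, 0)`. Please make the value the same in both paths or explain the difference. The RVH branch also drops the `env->priv_ver >= PRIV_VERSION_1_10_0` selection between SIE and `MSTATUS_UIE << prev_priv` that the else branch keeps, so either handle or explicitly rule out older privilege versions there. The new branch mixes SSTATUS_* and MSTATUS_* names on the same `mstatus` value, and its comment has a typo ("virtulisation").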
@@ -114,14 +146,24 @@ target_ulong helper_mret(CPURISCVState *env, target_ulong 
cpu_pc_deb)
 
 target_ulong mstatus = *env->mstatus;
 target_ulong prev_priv = get_field(mstatus, MSTATUS_MPP);
+target_ulong prev_virt = get_field(mstatus, MSTATUS_MPV);
 mstatus = set_field(mstatus,
 env->priv_ver >= PRIV_VERSION_1_10_0 ?
 MSTATUS_MIE : MSTATUS_UIE << prev_priv,
 get_field(mstatus, MSTATUS_MPIE));
-mstatus = set_field(mstatus, MSTATUS_MPIE, 0);
-mstatus = set_field(mstatus, MSTATUS_MPP, PRV_U);
-riscv_cpu_set_mode(env, prev_priv);
+mstatus = set_field(mstatus, MSTATUS_MPIE, 1);
+mstatus = set_field(mstatus, MSTATUS_MPP, 0);
+mstatus = set_field(mstatus, MSTATUS_MPV, 0);
 *env->mstatus = mstatus;
+riscv_cpu_set_mode(env, prev_priv);
+
+if (riscv_has_ext(env, RVH)) {
+if (prev_virt) {
+riscv_cpu_swap_hypervisor_regs(env);
+}
+
+riscv_cpu_set_virt_enabled(env, prev_virt);
+}
 
 return retpc;
 }
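Review bot: the MPIE update in `helper_mret()` goes from 0 to 1, which is a behaviour change for CPUs without RVH as well, and the commit message has no body that mentions it. It should be split into its own patch or called out explicitly. `set_field(mstatus, MSTATUS_MPV, 0)` is likewise applied outside the `riscv_has_ext(env, RVH)` guard that protects the rest of the new code. Consider guarding it too so non-H configurations are untouched.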
-- 
2.23.0




[PATCH v2 26/27] target/riscv: Add the MSTATUS_MPV_ISSET helper macro

2019-10-25 Thread Alistair Francis
Add a helper macro MSTATUS_MPV_ISSET() which will determine if the
MSTATUS_MPV bit is set for both 32-bit and 64-bit RISC-V.

Signed-off-by: Alistair Francis 
---
 target/riscv/cpu_bits.h   | 11 +++
 target/riscv/cpu_helper.c |  4 ++--
 target/riscv/op_helper.c  |  2 +-
 target/riscv/translate.c  |  2 +-
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index a2358c4956..f9389b071d 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -365,8 +365,19 @@
 #define MSTATUS_TVM 0x0010 /* since: priv-1.10 */
 #define MSTATUS_TW  0x2000 /* since: priv-1.10 */
 #define MSTATUS_TSR 0x4000 /* since: priv-1.10 */
+#if defined(TARGET_RISCV64)
 #define MSTATUS_MTL 0x40ULL
 #define MSTATUS_MPV 0x80ULL
+#elif defined(TARGET_RISCV32)
+#define MSTATUS_MTL 0x0040
+#define MSTATUS_MPV 0x0080
+#endif
+
+#ifdef TARGET_RISCV32
+# define MSTATUS_MPV_ISSET(env)  get_field(*env->mstatush, MSTATUS_MPV)
+#else
+# define MSTATUS_MPV_ISSET(env)  get_field(*env->mstatus, MSTATUS_MPV)
+#endif
 
 #define MSTATUS64_UXL   0x0003ULL
 #define MSTATUS64_SXL   0x000CULL
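Review bot: `MSTATUS_MPV_ISSET(env)` expands its argument unparenthesised in `*env->mstatush` and `*env->mstatus`; write `*(env)->mstatush` and `*(env)->mstatus` so the macro is safe with any argument expression. The MTL/MPV definitions above use `#if defined(TARGET_RISCV64) ... #elif defined(TARGET_RISCV32)` with no `#else`, while the macro uses `#ifdef TARGET_RISCV32 ... #else`. Folding the macro into the first conditional would keep the per-width definitions together and in one style. A one-line comment saying that on RV32 the MPV bit is read from mstatush would also help readers of the call sites.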
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 79b2f30876..dedca3eea8 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -331,7 +331,7 @@ static int get_physical_address(CPURISCVState *env, hwaddr 
*physical,
 mode = get_field(*env->mstatus, MSTATUS_MPP);
 
 if (riscv_has_ext(env, RVH) &&
-get_field(*env->mstatus, MSTATUS_MPV)) {
+MSTATUS_MPV_ISSET(env)) {
 use_background = true;
 }
 }
@@ -718,7 +718,7 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int 
size,
 m_mode_two_stage = env->priv == PRV_M &&
access_type != MMU_INST_FETCH &&
get_field(*env->mstatus, MSTATUS_MPRV) &&
-   get_field(*env->mstatus, MSTATUS_MPV);
+   MSTATUS_MPV_ISSET(env);
 
 hs_mode_two_stage = env->priv == PRV_S &&
 !riscv_cpu_virt_enabled(env) &&
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index a0a631d722..b0b9890a15 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -146,7 +146,7 @@ target_ulong helper_mret(CPURISCVState *env, target_ulong 
cpu_pc_deb)
 
 target_ulong mstatus = *env->mstatus;
 target_ulong prev_priv = get_field(mstatus, MSTATUS_MPP);
-target_ulong prev_virt = get_field(mstatus, MSTATUS_MPV);
+target_ulong prev_virt = MSTATUS_MPV_ISSET(env);
 mstatus = set_field(mstatus,
 env->priv_ver >= PRIV_VERSION_1_10_0 ?
 MSTATUS_MIE : MSTATUS_UIE << prev_priv,
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index ea19ba9c5d..f0d9860429 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -754,7 +754,7 @@ static void riscv_tr_init_disas_context(DisasContextBase 
*dcbase, CPUState *cs)
 ctx->virt_enabled = riscv_cpu_virt_enabled(env);
 if (env->priv_ver == PRV_M &&
 get_field(*env->mstatus, MSTATUS_MPRV) &&
-get_field(*env->mstatus, MSTATUS_MPV)) {
+MSTATUS_MPV_ISSET(env)) {
 ctx->virt_enabled = true;
 } else if (env->priv == PRV_S &&
!riscv_cpu_virt_enabled(env) &&
-- 
2.23.0




[PATCH v2 22/27] target/riscv: Respect MPRV and SPRV for floating point ops

2019-10-25 Thread Alistair Francis
mark_fs_dirty() is the only place in translate.c that uses the
virt_enabled bool. Let's respect the contents of MSTATUS.MPRV and
HSTATUS.SPRV when setting the bool as this is used for performing
floating point operations when V=0.

Signed-off-by: Alistair Francis 
---
 target/riscv/translate.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 19771904f4..ea19ba9c5d 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -750,7 +750,21 @@ static void riscv_tr_init_disas_context(DisasContextBase 
*dcbase, CPUState *cs)
 ctx->mstatus_fs = ctx->base.tb->flags & TB_FLAGS_MSTATUS_FS;
 ctx->priv_ver = env->priv_ver;
 #if !defined(CONFIG_USER_ONLY)
-ctx->virt_enabled = riscv_cpu_virt_enabled(env);
+if (riscv_has_ext(env, RVH)) {
+ctx->virt_enabled = riscv_cpu_virt_enabled(env);
+if (env->priv_ver == PRV_M &&
+get_field(*env->mstatus, MSTATUS_MPRV) &&
+get_field(*env->mstatus, MSTATUS_MPV)) {
+ctx->virt_enabled = true;
+} else if (env->priv == PRV_S &&
+   !riscv_cpu_virt_enabled(env) &&
+   get_field(env->hstatus, HSTATUS_SPRV) &&
+   get_field(env->hstatus, HSTATUS_SPV)) {
+ctx->virt_enabled = true;
+}
+} else {
+ctx->virt_enabled = false;
+}
 #else
 ctx->virt_enabled = false;
 #endif
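Review bot: the first added condition compares `env->priv_ver` with `PRV_M`, which mixes the privileged spec version field with a privilege level constant. The `else if` directly below tests `env->priv == PRV_S`, so `env->priv == PRV_M` looks like what was meant. As written, the MPRV/MPV case depends on the numeric value of the spec version rather than on executing in M-mode. Separately, `ctx->virt_enabled` is now derived from mstatus and hstatus bits at translation time. Please confirm those bits are reflected in the TB flags, since only `TB_FLAGS_MSTATUS_FS` is visible in this function.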
-- 
2.23.0




[PATCH v2 17/27] target/riscv: Add hypvervisor trap support

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu_bits.h   |  4 +--
 target/riscv/cpu_helper.c | 71 +--
 target/riscv/csr.c|  4 +--
 3 files changed, 65 insertions(+), 14 deletions(-)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index d66a29bdb1..17d168852c 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -510,8 +510,8 @@
 #define RISCV_EXCP_STORE_AMO_ADDR_MIS  0x6
 #define RISCV_EXCP_STORE_AMO_ACCESS_FAULT  0x7
 #define RISCV_EXCP_U_ECALL 0x8
-#define RISCV_EXCP_S_ECALL 0x9
-#define RISCV_EXCP_H_ECALL 0xa
+#define RISCV_EXCP_HS_ECALL0x9
+#define RISCV_EXCP_VS_ECALL0xa
 #define RISCV_EXCP_M_ECALL 0xb
 #define RISCV_EXCP_INST_PAGE_FAULT 0xc /* since: priv-1.10.0 */
 #define RISCV_EXCP_LOAD_PAGE_FAULT 0xd /* since: priv-1.10.0 */
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 637e05996a..41cd314f64 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -669,6 +669,7 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 
 RISCVCPU *cpu = RISCV_CPU(cs);
 CPURISCVState *env = &cpu->env;
+target_ulong s;
 
 /* cs->exception is 32-bits wide unlike mcause which is XLEN-bits wide
  * so we mask off the MSB and separate into trap type and cause.
@@ -678,13 +679,6 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 target_ulong deleg = async ? env->mideleg : env->medeleg;
 target_ulong tval = 0;
 
-static const int ecall_cause_map[] = {
-[PRV_U] = RISCV_EXCP_U_ECALL,
-[PRV_S] = RISCV_EXCP_S_ECALL,
-[PRV_H] = RISCV_EXCP_H_ECALL,
-[PRV_M] = RISCV_EXCP_M_ECALL
-};
-
 if (!async) {
 /* set tval to badaddr for traps with address information */
 switch (cause) {
@@ -705,7 +699,16 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 /* ecall is dispatched as one cause so translate based on mode */
 if (cause == RISCV_EXCP_U_ECALL) {
 assert(env->priv <= 3);
-cause = ecall_cause_map[env->priv];
+
+if (env->priv == PRV_M) {
+cause = RISCV_EXCP_M_ECALL;
+} else if (env->priv == PRV_S && riscv_cpu_virt_enabled(env)) {
+cause = RISCV_EXCP_VS_ECALL;
+} else if (env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) {
+cause = RISCV_EXCP_HS_ECALL;
+} else if (env->priv == PRV_U) {
+cause = RISCV_EXCP_U_ECALL;
+}
 }
 }
 
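Review bot: the if/else chain that replaces `ecall_cause_map[]` has no final `else`, so for the privilege value that used to map to the removed `[PRV_H]` entry, which `assert(env->priv <= 3)` still permits, the cause silently stays RISCV_EXCP_U_ECALL. Add a terminating `else { g_assert_not_reached(); }` or tighten the assert. The two PRV_S arms can also share one `env->priv == PRV_S` test with `riscv_cpu_virt_enabled(env)` evaluated once.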
@@ -715,7 +718,42 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 if (env->priv <= PRV_S &&
 cause < TARGET_LONG_BITS && ((deleg >> cause) & 1)) {
 /* handle the trap in S-mode */
-target_ulong s = *env->mstatus;
+if (riscv_has_ext(env, RVH)) {
+target_ulong hdeleg = async ? env->hideleg : env->hedeleg;
+
+if (riscv_cpu_virt_enabled(env) && ((hdeleg >> cause) & 1) &&
+!riscv_cpu_force_hs_excep_enabled(env)) {
+/* Trap to VS mode */
+} else if (riscv_cpu_virt_enabled(env)) {
+/* Trap into HS mode, from virt */
+riscv_cpu_swap_hypervisor_regs(env);
+env->hstatus = set_field(env->hstatus, HSTATUS_SP2V,
+ get_field(env->hstatus, HSTATUS_SPV));
+env->hstatus = set_field(env->hstatus, HSTATUS_SP2P,
+ get_field(*env->mstatus, 
SSTATUS_SPP));
+env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
+ riscv_cpu_virt_enabled(env));
+
+if (riscv_cpu_force_hs_excep_enabled(env)) {
+env->hstatus = set_field(env->hstatus, HSTATUS_STL, 1);
+} else {
+env->hstatus = set_field(env->hstatus, HSTATUS_STL, 0);
+}
+
+riscv_cpu_set_virt_enabled(env, 0);
+riscv_cpu_set_force_hs_excep(env, 0);
+} else {
+/* Trap into HS mode */
+env->hstatus = set_field(env->hstatus, HSTATUS_SP2V,
+ get_field(env->hstatus, HSTATUS_SPV));
+env->hstatus = set_field(env->hstatus, HSTATUS_SP2P,
+ get_field(*env->mstatus, 
SSTATUS_SPP));
+env->hstatus = set_field(env->hstatus, HSTATUS_SPV,
+ riscv_cpu_virt_enabled(env));
+}
+}
+
+s = *env->mstatus;
 s = set_field(s, MSTATUS_SPIE, env->priv_ver >= PRIV_VERSION_1_10_0 ?
 get_field(s, MSTATUS_SIE) : get_field(s, MSTATUS_UIE << 
env->priv));
 s = set_field(s, MSTATUS_SPP, env->priv);
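Review bot: the two "Trap into HS mode" branches repeat the same three `set_field()` updates of `env->hstatus` (SP2V, SP2P, SPV), and the "Trap to VS mode" branch is an empty body holding only a comment. Invert the first condition and hoist the shared updates into one block so the duplicated code cannot drift apart. In the from-virt branch `riscv_cpu_swap_hypervisor_regs(env)` runs before `get_field(*env->mstatus, SSTATUS_SPP)`, so SP2P is taken from the register `env->mstatus` points at after the swap; please add a comment confirming that ordering is intended. The STL if/else can be the single call `set_field(env->hstatus, HSTATUS_STL, riscv_cpu_force_hs_excep_enabled(env))`.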
@@ -729,7 +767,20 @@ void riscv_cpu_do_interrupt(CPUState *cs

[PATCH v2 25/27] target/riscv: Add support for the 32-bit MSTATUSH CSR

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.c|  6 ++
 target/riscv/cpu.h|  7 +++
 target/riscv/cpu_bits.h   |  3 +++
 target/riscv/cpu_helper.c |  7 +++
 target/riscv/csr.c| 25 +
 target/riscv/op_helper.c  |  4 
 6 files changed, 52 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index f75c709e35..03622825f3 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -229,6 +229,9 @@ static void riscv_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 #ifndef CONFIG_USER_ONLY
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mhartid ", env->mhartid);
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mstatus ", *env->mstatus);
+#ifdef TARGET_RISCV32
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mstatush ", *env->mstatush);
+#endif
 if (riscv_has_ext(env, RVH)) {
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "hstatus ", env->hstatus);
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "bstatus ", env->vsstatus);
@@ -467,6 +470,9 @@ static void riscv_cpu_init(Object *obj)
 #ifndef CONFIG_USER_ONLY
 env->mie = &env->mie_novirt;
 env->mstatus = &env->mstatus_novirt;
+# ifdef TARGET_RISCV32
+env->mstatush = &env->mstatush_novirt;
+# endif
 #endif
 }
 
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 0ea56f9059..b8b731df43 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -127,6 +127,10 @@ struct CPURISCVState {
 target_ulong mip;
 target_ulong mip_novirt;
 
+#ifdef TARGET_RISCV32
+target_ulong *mstatush;
+#endif
+
 uint32_t miclaim;
 
 target_ulong *mie;
@@ -154,6 +158,9 @@ struct CPURISCVState {
  */
 target_ulong mie_novirt;
 target_ulong mstatus_novirt;
+#ifdef TARGET_RISCV32
+target_ulong mstatush_novirt;
+#endif
 
 /* Hypervisor CSRs */
 target_ulong hstatus;
diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index 17d168852c..a2358c4956 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -135,6 +135,9 @@
 #define CSR_MTVEC   0x305
 #define CSR_MCOUNTEREN  0x306
 
+/* 32-bit only */
+#define CSR_MSTATUSH0x310
+
 /* Legacy Counter Setup (priv v1.9.1) */
 /* Update to #define CSR_MCOUNTINHIBIT 0x320 for 1.11.0 */
 #define CSR_MUCOUNTEREN 0x320
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index b3ce345f81..79b2f30876 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -950,10 +950,17 @@ void riscv_cpu_do_interrupt(CPUState *cs)
 if (riscv_cpu_virt_enabled(env)) {
 riscv_cpu_swap_hypervisor_regs(env);
 }
+#ifdef TARGET_RISCV32
+*env->mstatush = set_field(*env->mstatush, MSTATUS_MPV,
+   riscv_cpu_virt_enabled(env));
+*env->mstatush = set_field(*env->mstatush, MSTATUS_MTL,
+   riscv_cpu_force_hs_excep_enabled(env));
+#else
 *env->mstatus = set_field(*env->mstatus, MSTATUS_MPV,
   riscv_cpu_virt_enabled(env));
 *env->mstatus = set_field(*env->mstatus, MSTATUS_MTL,
   riscv_cpu_force_hs_excep_enabled(env));
+#endif
 
 /* Trapping to M mode, virt is disabled */
 riscv_cpu_set_virt_enabled(env, 0);
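Review bot: the `#ifdef TARGET_RISCV32` block in `riscv_cpu_do_interrupt()` duplicates both `set_field()` calls only to switch between `*env->mstatush` and `*env->mstatus`. A small helper or macro that yields the register holding MPV and MTL for the current target would leave one copy of the logic and could be reused by the other MPV accesses in the series.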
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index a795a02968..8a093abdb2 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -364,6 +364,27 @@ static int write_mstatus(CPURISCVState *env, int csrno, 
target_ulong val)
 return 0;
 }
 
+#ifdef TARGET_RISCV32
+static int read_mstatush(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = *env->mstatush;
+return 0;
+}
+
+static int write_mstatush(CPURISCVState *env, int csrno, target_ulong val)
+{
+if ((val ^ *env->mstatush) & (MSTATUS_MPV)) {
+tlb_flush(env_cpu(env));
+}
+
+val &= MSTATUS_MPV | MSTATUS_MTL;
+
+*env->mstatush = val;
+
+return 0;
+}
+#endif
+
 static int read_misa(CPURISCVState *env, int csrno, target_ulong *val)
 {
 *val = env->misa;
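Review bot: `write_mstatush()` stores MSTATUS_MPV and MSTATUS_MTL from the written value without checking `riscv_has_ext(env, RVH)`, so on an RV32 CPU without the Hypervisor extension software can still set both bits and trigger the `tlb_flush()`. Please make the writable mask empty when RVH is absent. The flush test runs on the unmasked `val`; that is harmless because it is ANDed with MSTATUS_MPV, but applying `val &= MSTATUS_MPV | MSTATUS_MTL` first would read more clearly.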
@@ -1102,6 +1123,10 @@ static riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
 [CSR_MTVEC] =   { any,  read_mtvec,   write_mtvec   },
 [CSR_MCOUNTEREN] =  { any,  read_mcounteren,  write_mcounteren  },
 
+#if defined(TARGET_RISCV32)
+[CSR_MSTATUSH] ={ any,  read_mstatush,write_mstatush},
+#endif
+
 /* Legacy Counter Setup (priv v1.9.1) */
 [CSR_MUCOUNTEREN] = { any,  read_mucounteren, write_mucounteren },
 [CSR_MSCOUNTEREN] = { any,  read_mscounteren, write_mscounteren },
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index e5128570e6..a0a631d722 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -153,7 +153,11 @@ target_ulong helper_mret(CPURISCVState *env, target_ulong 
cpu_pc_deb)
 get_field(mstatus,

[PATCH v2 12/27] target/riscv: Add virtual register swapping function

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h| 13 +-
 target/riscv/cpu_bits.h   |  7 
 target/riscv/cpu_helper.c | 88 +++
 3 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 5b71ee416f..0ea56f9059 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -125,6 +125,8 @@ struct CPURISCVState {
 target_ulong *mstatus;
 
 target_ulong mip;
+target_ulong mip_novirt;
+
 uint32_t miclaim;
 
 target_ulong *mie;
@@ -161,7 +163,7 @@ struct CPURISCVState {
 
 /* Virtual CSRs */
 target_ulong vsstatus;
-uint32_t vsip;
+target_ulong vsip;
 target_ulong vsie;
 target_ulong vstvec;
 target_ulong vsscratch;
@@ -170,6 +172,14 @@ struct CPURISCVState {
 target_ulong vstval;
 target_ulong vsatp;
 
+/* HS Backup CSRs */
+target_ulong stvec_hs;
+target_ulong sscratch_hs;
+target_ulong sepc_hs;
+target_ulong scause_hs;
+target_ulong stval_hs;
+target_ulong satp_hs;
+
 target_ulong scounteren;
 target_ulong mcounteren;
 
@@ -300,6 +310,7 @@ void riscv_cpu_list(void);
 #define cpu_mmu_index riscv_cpu_mmu_index
 
 #ifndef CONFIG_USER_ONLY
+void riscv_cpu_swap_hypervisor_regs(CPURISCVState *env);
 int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts);
 uint32_t riscv_cpu_update_mip(RISCVCPU *cpu, uint32_t mask, uint32_t value);
 #define BOOL_TO_MASK(x) (-!!(x)) /* helper for riscv_cpu_update_mip value */
diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index 95909f159a..d66a29bdb1 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -553,4 +553,11 @@
 #define SIP_STIP   MIP_STIP
 #define SIP_SEIP   MIP_SEIP
 
+/* MIE masks */
+#define MIE_SEIE   (1 << IRQ_S_EXT)
+#define MIE_UEIE   (1 << IRQ_U_EXT)
+#define MIE_STIE   (1 << IRQ_S_TIMER)
+#define MIE_UTIE   (1 << IRQ_U_TIMER)
+#define MIE_SSIE   (1 << IRQ_S_SOFT)
+#define MIE_USIE   (1 << IRQ_U_SOFT)
 #endif
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 21d049cdce..12a10e8679 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -82,6 +82,94 @@ bool riscv_cpu_fp_enabled(CPURISCVState *env)
 return false;
 }
 
+void riscv_cpu_swap_hypervisor_regs(CPURISCVState *env)
+{
+RISCVCPU *cpu = RISCV_CPU(env_cpu(env));
+uint32_t tmp;
+target_ulong mstatus_mask = MSTATUS_MXR | MSTATUS_SUM | MSTATUS_FS |
+MSTATUS_SPP | MSTATUS_SPIE | MSTATUS_SIE;
+target_ulong sie_mask = MIE_SEIE | MIE_STIE | MIE_SSIE |
+MIE_UEIE | MIE_UTIE | MIE_USIE;
+target_ulong mip_mask = MIP_SSIP | MIP_STIP | MIP_SEIP;
+bool current_virt = riscv_cpu_virt_enabled(env);
+
+g_assert(riscv_has_ext(env, RVH));
+
+#if defined(TARGET_RISCV64)
+mstatus_mask |= MSTATUS64_UXL;
+#endif
+
+if (current_virt) {
+/* Current V=1 and we are about to change to V=0 */
+env->mstatus = &env->mstatus_novirt;
+*env->mstatus &= mstatus_mask;
+*env->mstatus |= env->vsstatus & ~mstatus_mask;
+/* Ensure that vsstatus only holds the correct bits */
+env->vsstatus &= mstatus_mask;
+
+env->mie = &env->mie_novirt;
+*env->mie &= sie_mask;
+*env->mie |= env->vsie & ~sie_mask;
+/* Ensure that vsie only holds the correct bits */
+env->vsie &= sie_mask;
+
+env->vstvec = env->stvec;
+env->stvec = env->stvec_hs;
+
+env->vsscratch = env->sscratch;
+env->sscratch = env->sscratch_hs;
+
+env->vsepc = env->sepc;
+env->sepc = env->sepc_hs;
+
+env->vscause = env->scause;
+env->scause = env->scause_hs;
+
+env->vstval = env->sbadaddr;
+env->sbadaddr = env->stval_hs;
+
+env->vsatp = env->satp;
+env->satp = env->satp_hs;
+
+tmp = env->mip_novirt;
+tmp = riscv_cpu_update_mip(cpu, mip_mask, tmp);
+tmp &= mip_mask;
+env->vsip = tmp;
+} else {
+/* Current V=0 and we are about to change to V=1 */
+env->mstatus = &env->vsstatus;
+*env->mstatus &= mstatus_mask;
+*env->mstatus |= env->mstatus_novirt & ~mstatus_mask;
+
+env->mie = &env->vsie;
+*env->mie &= sie_mask;
+*env->mie |= env->mie_novirt & ~sie_mask;
+
+env->stvec_hs = env->stvec;
+env->stvec = env->vstvec;
+
+env->sscratch_hs = env->sscratch;
+env->sscratch = env->vsscratch;
+
+env->sepc_hs = env->sepc;
+env->sepc = env->vsepc;
+
+env->scause_hs = env->scause;
+env->scause = env->vscause;
+
+env->stval_hs = env->sbadaddr;
+env->sbadaddr = env->vstval;
+
+env->satp_hs = env-
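Review bot: `riscv_cpu_swap_hypervisor_regs()` has no comment describing its contract, and the commit message has no body. The function picks its direction from `riscv_cpu_virt_enabled(env)`, so callers must invoke it before they change the virt flag. Please document that ordering requirement above the function, together with which bits `mstatus_mask` and `sie_mask` keep in the per-mode copy and which are carried across. The six S-mode CSR copies are written out by hand in each direction, which makes an omission in one direction easy to miss; a small table or macro pairing each CSR with its `_hs` and `vs` backup would help. Also `tmp` is `uint32_t` while `env->vsip` becomes `target_ulong` in this same patch, so a matching type or a comment would avoid confusion.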

[PATCH v2 24/27] target/riscv: Implement second stage MMU

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu_helper.c | 193 ++
 1 file changed, 174 insertions(+), 19 deletions(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 275b6c2a67..b3ce345f81 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -304,11 +304,12 @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong 
newpriv)
  * @mmu_idx: Indicates current privilege level
  * @first_stage: Are we in first stage translation?
  *   Second stage is used for hypervisor guest translation
+ * @two_stage: Are we going to perform two stage translation
  */
 static int get_physical_address(CPURISCVState *env, hwaddr *physical,
 int *prot, target_ulong addr,
 int access_type, int mmu_idx,
-bool first_stage)
+bool first_stage, bool two_stage)
 {
 /* NOTE: the env->pc value visible here will not be
  * correct, but the value visible to the exception handler
@@ -316,13 +317,40 @@ static int get_physical_address(CPURISCVState *env, 
hwaddr *physical,
 MemTxResult res;
 MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
 int mode = mmu_idx;
+bool use_background = false;
 
+/*
+ * Check if we should use the background registers for the two
+ * stage translation. We don't need to check if we actually need
+ * two stage translation as that happened before this function
+ * was called. Background registers will be used if the guest has
+ * forced a two stage translation to be on (in HS or M mode).
+ */
 if (mode == PRV_M && access_type != MMU_INST_FETCH) {
 if (get_field(*env->mstatus, MSTATUS_MPRV)) {
 mode = get_field(*env->mstatus, MSTATUS_MPP);
+
+if (riscv_has_ext(env, RVH) &&
+get_field(*env->mstatus, MSTATUS_MPV)) {
+use_background = true;
+}
+}
+}
+
+if (mode == PRV_S && access_type != MMU_INST_FETCH &&
+riscv_has_ext(env, RVH) && !riscv_cpu_virt_enabled(env)) {
+if (get_field(env->hstatus, HSTATUS_SPRV)) {
+mode = get_field(*env->mstatus, SSTATUS_SPP);
+use_background = true;
 }
 }
 
+if (first_stage == false) {
+/* We are in stage 2 translation, this is similar to stage 1. */
+/* Stage 2 is always taken as U-mode */
+mode = PRV_U;
+}
+
 if (mode == PRV_M || !riscv_feature(env, RISCV_FEATURE_MMU)) {
 *physical = addr;
 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
@@ -332,13 +360,30 @@ static int get_physical_address(CPURISCVState *env, 
hwaddr *physical,
 *prot = 0;
 
 hwaddr base;
-int levels, ptidxbits, ptesize, vm, sum;
-int mxr = get_field(*env->mstatus, MSTATUS_MXR);
+int levels, ptidxbits, ptesize, vm, sum, mxr, widened;
+
+if (first_stage == true) {
+mxr = get_field(*env->mstatus, MSTATUS_MXR);
+} else {
+mxr = get_field(env->vsstatus, MSTATUS_MXR);
+}
 
 if (env->priv_ver >= PRIV_VERSION_1_10_0) {
-base = (hwaddr)get_field(env->satp, SATP_PPN) << PGSHIFT;
+if (first_stage == true) {
+if (use_background) {
+base = (hwaddr)get_field(env->vsatp, SATP_PPN) << PGSHIFT;
+vm = get_field(env->vsatp, SATP_MODE);
+} else {
+base = (hwaddr)get_field(env->satp, SATP_PPN) << PGSHIFT;
+vm = get_field(env->satp, SATP_MODE);
+}
+widened = 0;
+} else {
+base = (hwaddr)get_field(env->hgatp, HGATP_PPN) << PGSHIFT;
+vm = get_field(env->hgatp, HGATP_MODE);
+widened = 2;
+}
 sum = get_field(*env->mstatus, MSTATUS_SUM);
-vm = get_field(env->satp, SATP_MODE);
 switch (vm) {
 case VM_1_10_SV32:
   levels = 2; ptidxbits = 10; ptesize = 4; break;
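Review bot: when `use_background` is set the first-stage walk takes `base` and `vm` from `env->vsatp`, but `mxr` and `sum` are still read from `*env->mstatus`. Should MXR and SUM come from the guest's vsstatus in that case, since the access is being translated as the guest? The second stage, in turn, takes `mxr` from `env->vsstatus`. A comment explaining why each stage uses the register it does would make this reviewable. Minor style point: prefer `if (first_stage)` over `if (first_stage == true)`.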
@@ -356,6 +401,7 @@ static int get_physical_address(CPURISCVState *env, hwaddr 
*physical,
   g_assert_not_reached();
 }
 } else {
+widened = 0;
 base = (hwaddr)(env->sptbr) << PGSHIFT;
 sum = !get_field(*env->mstatus, MSTATUS_PUM);
 vm = get_field(*env->mstatus, MSTATUS_VM);
@@ -376,9 +422,16 @@ static int get_physical_address(CPURISCVState *env, hwaddr 
*physical,
 }
 
 CPUState *cs = env_cpu(env);
-int va_bits = PGSHIFT + levels * ptidxbits;
-target_ulong mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
-target_ulong masked_msbs = (addr >> (va_bits - 1)) & mask;
+int va_bits = PGSHIFT + levels * ptidxbits + widened;
+target_ulong mask, masked_msbs;
+
+if (TARGET_LONG_BITS > (va_bits - 1)) {
+mask = (1L << (TARGET_LONG_BITS - (va_bits - 1))) - 1;
+} else {
+mask = 0;
+}
+masked_msbs = (addr >> (va_bits - 1)) & mask;
+
 if (masked_msbs != 0

[PATCH v2 11/27] target/riscv: Convert mie and mstatus to pointers

2019-10-25 Thread Alistair Francis
To handle the new Hypervisor CSR register aliasing let's use pointers.

We only need to convert the MIE and MSTATUS CSRs. With the exception of
MIP all of the other CSRs that swap with virtualisation changes are S-Mode
only, so we can just do a lazy switch. This becomes more challenging for
the M-Mode registers so it ends up being easier to use pointers.

As the MIP CSR is always accessed atomically the pointer swap doesn't work
so we leave that as is.

Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu.c| 16 
 target/riscv/cpu.h| 12 ++--
 target/riscv/cpu_helper.c | 32 
 target/riscv/csr.c| 28 ++--
 target/riscv/op_helper.c  | 14 +++---
 5 files changed, 59 insertions(+), 43 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index e66fd300fd..f75c709e35 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -228,7 +228,7 @@ static void riscv_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "pc  ", env->pc);
 #ifndef CONFIG_USER_ONLY
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mhartid ", env->mhartid);
-qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mstatus ", env->mstatus);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mstatus ", *env->mstatus);
 if (riscv_has_ext(env, RVH)) {
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "hstatus ", env->hstatus);
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "bstatus ", env->vsstatus);
@@ -238,7 +238,7 @@ static void riscv_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vsip",
  (target_ulong)atomic_read(&env->vsip));
 }
-qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mie ", env->mie);
+qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "mie ", *env->mie);
 if (riscv_has_ext(env, RVH)) {
 qemu_fprintf(f, " %s " TARGET_FMT_lx "\n", "vsie", env->vsie);
 }
@@ -308,7 +308,7 @@ static bool riscv_cpu_has_work(CPUState *cs)
  * Definition of the WFI instruction requires it to ignore the privilege
  * mode and delegation registers, but respect individual enables
  */
-return (env->mip & env->mie) != 0;
+return (env->mip & *env->mie) != 0;
 #else
 return true;
 #endif
@@ -329,7 +329,7 @@ static void riscv_cpu_reset(CPUState *cs)
 mcc->parent_reset(cs);
 #ifndef CONFIG_USER_ONLY
 env->priv = PRV_M;
-env->mstatus &= ~(MSTATUS_MIE | MSTATUS_MPRV);
+*env->mstatus &= ~(MSTATUS_MIE | MSTATUS_MPRV);
 env->mcause = 0;
 env->pc = env->resetvec;
 #endif
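Review bot: `riscv_cpu_reset()` now clears MIE and MPRV through `*env->mstatus`, but in this patch the pointer is assigned only in `riscv_cpu_init()`. Once `env->mstatus` can be re-pointed for virtualisation, a reset would clear the bits in whichever register the pointer currently targets. Consider setting `env->mstatus = &env->mstatus_novirt` and `env->mie = &env->mie_novirt` in reset before the masked write.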
@@ -458,8 +458,16 @@ static void riscv_cpu_realize(DeviceState *dev, Error 
**errp)
 static void riscv_cpu_init(Object *obj)
 {
 RISCVCPU *cpu = RISCV_CPU(obj);
+#ifndef CONFIG_USER_ONLY
+CPURISCVState *env = &cpu->env;
+#endif
 
 cpu_set_cpustate_pointers(cpu);
+
+#ifndef CONFIG_USER_ONLY
+env->mie = &env->mie_novirt;
+env->mstatus = &env->mstatus_novirt;
+#endif
 }
 
 static const VMStateDescription vmstate_riscv_cpu = {
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index a1625e8af0..5b71ee416f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -122,12 +122,12 @@ struct CPURISCVState {
 target_ulong resetvec;
 
 target_ulong mhartid;
-target_ulong mstatus;
+target_ulong *mstatus;
 
 target_ulong mip;
 uint32_t miclaim;
 
-target_ulong mie;
+target_ulong *mie;
 target_ulong mideleg;
 
 target_ulong sptbr;  /* until: priv-1.9.1 */
@@ -145,6 +145,14 @@ struct CPURISCVState {
 target_ulong mcause;
 target_ulong mtval;  /* since: priv-1.10.0 */
 
+/* The following registers are the "real" versions that the pointer
+ * versions point to. These should never be used unless you know what you
+ * are doing. To access these use the pointer versions instead. This is
+ * required to handle the Hypervisor register swapping.
+ */
+target_ulong mie_novirt;
+target_ulong mstatus_novirt;
+
 /* Hypervisor CSRs */
 target_ulong hstatus;
 target_ulong hedeleg;
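Review bot: the comment on `mie_novirt` and `mstatus_novirt` says they "should never be used unless you know what you are doing", which does not tell a reader when direct access is correct. Please state the rule instead: what the `_novirt` fields hold, and which code paths are expected to touch them directly rather than going through `env->mie` and `env->mstatus`.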
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 1464f73bee..21d049cdce 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -37,9 +37,9 @@ int riscv_cpu_mmu_index(CPURISCVState *env, bool ifetch)
 #ifndef CONFIG_USER_ONLY
 static int riscv_cpu_local_irq_pending(CPURISCVState *env)
 {
-target_ulong mstatus_mie = get_field(env->mstatus, MSTATUS_MIE);
-target_ulong mstatus_sie = get_field(env->mstatus, MSTATUS_SIE);
-target_ulong pending = env->mip & env->mie;
+target_ulong mstatus_mie = get_field(*env->mstatus, MSTATUS_MIE);
+target_ulong mstatus_sie = get_field(*env->mstatus, MSTATUS_SIE);
+target_ulong pending = env->mip & *env->mie;
 target_ulong mie = env->priv < PRV_M || (env->priv == PRV_M && 
mstatus_mie);
 tar

[PATCH v2 13/27] target/riscv: Add support for virtual interrupt setting

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu_helper.c | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 12a10e8679..bb4557df16 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -39,12 +39,27 @@ static int riscv_cpu_local_irq_pending(CPURISCVState *env)
 {
 target_ulong mstatus_mie = get_field(*env->mstatus, MSTATUS_MIE);
 target_ulong mstatus_sie = get_field(*env->mstatus, MSTATUS_SIE);
+target_ulong vsstatus_sie = get_field(env->mstatus_novirt, MSTATUS_SIE);
+
 target_ulong pending = env->mip & *env->mie;
-target_ulong mie = env->priv < PRV_M || (env->priv == PRV_M && 
mstatus_mie);
-target_ulong sie = env->priv < PRV_S || (env->priv == PRV_S && 
mstatus_sie);
+target_ulong hspending = env->mip_novirt & env->mie_novirt;
+
+target_ulong mie  = env->priv < PRV_M || (env->priv == PRV_M && 
mstatus_mie);
+target_ulong sie  = env->priv < PRV_S || (env->priv == PRV_S && 
mstatus_sie);
+target_ulong vsie = env->priv < PRV_S || (env->priv == PRV_S && 
vsstatus_sie);
+
 target_ulong irqs = (pending & ~env->mideleg & -mie) |
 (pending &  env->mideleg & -sie);
 
+if (riscv_cpu_virt_enabled(env)) {
+target_ulong pending_hs_irq = hspending & -vsie;
+
+if (pending_hs_irq) {
+riscv_cpu_set_force_hs_excep(env, FORCE_HS_EXCEP);
+return ctz64(pending_hs_irq);
+}
+}
+
 if (irqs) {
 return ctz64(irqs); /* since non-zero */
 } else {
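Review bot: vsstatus_sie is read from env->mstatus_novirt, and it, hspending and vsie are computed on every call although they are only used inside the riscv_cpu_virt_enabled() branch. Moving those declarations into the branch, and naming the first one after the register it is really read from, would make the intent readable. The function is a pending-interrupt query, yet the new branch also calls riscv_cpu_set_force_hs_excep(); that side effect deserves a comment, and since the commit message has no body nothing explains why pending_hs_irq is returned ahead of irqs.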
-- 
2.23.0




[PATCH v2 07/27] target/riscv: Print priv and virt in disas log

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/translate.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index adeddb85f6..8ac72c6470 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -810,7 +810,15 @@ static void riscv_tr_tb_stop(DisasContextBase *dcbase, 
CPUState *cpu)
 
 static void riscv_tr_disas_log(const DisasContextBase *dcbase, CPUState *cpu)
 {
+#ifndef CONFIG_USER_ONLY
+RISCVCPU *rvcpu = RISCV_CPU(cpu);
+CPURISCVState *env = &rvcpu->env;
+#endif
+
 qemu_log("IN: %s\n", lookup_symbol(dcbase->pc_first));
+#ifndef CONFIG_USER_ONLY
+qemu_log("Priv: "TARGET_FMT_ld"; Virt: "TARGET_FMT_ld"\n", env->priv, 
env->virt);
+#endif
 log_target_disas(cpu, dcbase->pc_first, dcbase->tb->size);
 }
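Review bot: env->priv and env->virt are target_ulong fields, but the new qemu_log() call formats them with TARGET_FMT_ld, the signed format; an unsigned format would match the type. The line also prints the raw env->virt word rather than riscv_cpu_virt_enabled(env), so the "Virt:" value changes meaning as soon as more bits are packed into that field. The two #ifndef CONFIG_USER_ONLY blocks could be one if the declarations sat next to their only use.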
 
-- 
2.23.0




[PATCH v2 23/27] target/riscv: Allow specifying MMU stage

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu_helper.c | 39 ++-
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 79966ac6e6..275b6c2a67 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -296,10 +296,19 @@ void riscv_cpu_set_mode(CPURISCVState *env, target_ulong 
newpriv)
  *
  * Adapted from Spike's mmu_t::translate and mmu_t::walk
  *
+ * @env: CPURISCVState
+ * @physical: This will be set to the calculated physical address
+ * @prot: The returned protection attributes
+ * @addr: The virtual address to be translated
+ * @access_type: The type of MMU access
+ * @mmu_idx: Indicates current privilege level
+ * @first_stage: Are we in first stage translation?
+ *   Second stage is used for hypervisor guest translation
  */
 static int get_physical_address(CPURISCVState *env, hwaddr *physical,
 int *prot, target_ulong addr,
-int access_type, int mmu_idx)
+int access_type, int mmu_idx,
+bool first_stage)
 {
 /* NOTE: the env->pc value visible here will not be
  * correct, but the value visible to the exception handler
@@ -502,13 +511,23 @@ restart:
 }
 
 static void raise_mmu_exception(CPURISCVState *env, target_ulong address,
-MMUAccessType access_type, bool pmp_violation)
+MMUAccessType access_type, bool pmp_violation,
+bool first_stage)
 {
 CPUState *cs = env_cpu(env);
-int page_fault_exceptions =
-(env->priv_ver >= PRIV_VERSION_1_10_0) &&
-get_field(env->satp, SATP_MODE) != VM_1_10_MBARE &&
-!pmp_violation;
+int page_fault_exceptions;
+if (first_stage) {
+page_fault_exceptions =
+(env->priv_ver >= PRIV_VERSION_1_10_0) &&
+get_field(env->satp, SATP_MODE) != VM_1_10_MBARE &&
+!pmp_violation;
+riscv_cpu_set_force_hs_excep(env, 0);
+} else {
+page_fault_exceptions =
+get_field(env->hgatp, HGATP_MODE) != VM_1_10_MBARE &&
+!pmp_violation;
+riscv_cpu_set_force_hs_excep(env, 1);
+}
 switch (access_type) {
 case MMU_INST_FETCH:
 cs->exception_index = page_fault_exceptions ?
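Review bot: in the new else branch the second-stage case drops the env->priv_ver >= PRIV_VERSION_1_10_0 test that the first-stage case keeps; if that is deliberate, a comment saying why would help. The two riscv_cpu_set_force_hs_excep() calls pass bare 0 and 1, while the interrupt path elsewhere in this series passes FORCE_HS_EXCEP; using named values in both places keeps the flag greppable.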
@@ -535,7 +554,8 @@ hwaddr riscv_cpu_get_phys_page_debug(CPUState *cs, vaddr 
addr)
 int prot;
 int mmu_idx = cpu_mmu_index(&cpu->env, false);
 
-if (get_physical_address(&cpu->env, &phys_addr, &prot, addr, 0, mmu_idx)) {
+if (get_physical_address(&cpu->env, &phys_addr, &prot, addr, 0, mmu_idx,
+ true)) {
 return -1;
 }
 return phys_addr;
@@ -601,7 +621,8 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int 
size,
 qemu_log_mask(CPU_LOG_MMU, "%s ad %" VADDR_PRIx " rw %d mmu_idx %d\n",
   __func__, address, access_type, mmu_idx);
 
-ret = get_physical_address(env, &pa, &prot, address, access_type, mmu_idx);
+ret = get_physical_address(env, &pa, &prot, address, access_type, mmu_idx,
+   true);
 
 if (mode == PRV_M && access_type != MMU_INST_FETCH) {
 if (get_field(*env->mstatus, MSTATUS_MPRV)) {
@@ -638,7 +659,7 @@ bool riscv_cpu_tlb_fill(CPUState *cs, vaddr address, int 
size,
 } else if (probe) {
 return false;
 } else {
-raise_mmu_exception(env, address, access_type, pmp_violation);
+raise_mmu_exception(env, address, access_type, pmp_violation, true);
 riscv_raise_exception(env, cs->exception_index, retaddr);
 }
 #else
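Review bot: every call site touched in this patch passes true for first_stage (riscv_cpu_get_phys_page_debug(), riscv_cpu_tlb_fill(), and the raise_mmu_exception() call in this hunk), so the second-stage branch added above cannot run yet. The commit message has no body; one line saying that the false case is wired up by a later patch would tell a reviewer or someone bisecting that the new branch is unexercised at this point in the series.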
-- 
2.23.0




[PATCH v2 21/27] target/riscv: Mark both sstatus and vsstatus as dirty

2019-10-25 Thread Alistair Francis
Mark both sstatus and vsstatus as dirty (3).

Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/translate.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 8ac72c6470..19771904f4 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -44,6 +44,7 @@ typedef struct DisasContext {
 /* pc_succ_insn points to the instruction following base.pc_next */
 target_ulong pc_succ_insn;
 target_ulong priv_ver;
+bool virt_enabled;
 uint32_t opcode;
 uint32_t mstatus_fs;
 uint32_t misa;
@@ -398,6 +399,12 @@ static void mark_fs_dirty(DisasContext *ctx)
 tcg_gen_ld_tl(tmp, cpu_env, offsetof(CPURISCVState, mstatus));
 tcg_gen_ori_tl(tmp, tmp, MSTATUS_FS);
 tcg_gen_st_tl(tmp, cpu_env, offsetof(CPURISCVState, mstatus));
+
+if (ctx->virt_enabled) {
+tcg_gen_ld_tl(tmp, cpu_env, offsetof(CPURISCVState, vsstatus));
+tcg_gen_ori_tl(tmp, tmp, MSTATUS_FS);
+tcg_gen_st_tl(tmp, cpu_env, offsetof(CPURISCVState, vsstatus));
+}
 tcg_temp_free(tmp);
 }
 #else
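Review bot: the added block reads and writes vsstatus through offsetof(CPURISCVState, vsstatus), mirroring the context lines that do the same for offsetof(CPURISCVState, mstatus). Elsewhere in this series mstatus is declared as target_ulong *mstatus and accessed as *env->mstatus; if that is the state of the tree here, tcg_gen_ld_tl() at that offset loads the pointer, and the OR with MSTATUS_FS modifies an address rather than the register. Please confirm which field holds the live value at this point in the series and have both sequences load from that one.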
@@ -742,6 +749,11 @@ static void riscv_tr_init_disas_context(DisasContextBase 
*dcbase, CPUState *cs)
 ctx->mem_idx = ctx->base.tb->flags & TB_FLAGS_MMU_MASK;
 ctx->mstatus_fs = ctx->base.tb->flags & TB_FLAGS_MSTATUS_FS;
 ctx->priv_ver = env->priv_ver;
+#if !defined(CONFIG_USER_ONLY)
+ctx->virt_enabled = riscv_cpu_virt_enabled(env);
+#else
+ctx->virt_enabled = false;
+#endif
 ctx->misa = env->misa;
 ctx->frm = -1;  /* unknown rounding mode */
 ctx->ext_ifencei = cpu->cfg.ext_ifencei;
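Review bot: ctx->virt_enabled is taken from env at translation time, whereas the neighbouring mem_idx and mstatus_fs come from ctx->base.tb->flags. The code emitted by mark_fs_dirty() now depends on virt_enabled, so unless the virtualisation state is also part of the TB flags, a block translated with it on can be executed with it off (or the reverse) and dirty the wrong status register. Deriving the field from tb->flags like its neighbours would close that gap.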
-- 
2.23.0




[PATCH v2 03/27] target/riscv: Add the virtulisation mode

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h|  4 
 target/riscv/cpu_bits.h   |  3 +++
 target/riscv/cpu_helper.c | 18 ++
 3 files changed, 25 insertions(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 91e1c56fc4..469dcbd1c0 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -117,6 +117,8 @@ struct CPURISCVState {
 
 #ifndef CONFIG_USER_ONLY
 target_ulong priv;
+/* This contains QEMU specific information about the virt state. */
+target_ulong virt;
 target_ulong resetvec;
 
 target_ulong mhartid;
@@ -248,6 +250,8 @@ int riscv_cpu_gdb_read_register(CPUState *cpu, uint8_t 
*buf, int reg);
 int riscv_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
 bool riscv_cpu_exec_interrupt(CPUState *cs, int interrupt_request);
 bool riscv_cpu_fp_enabled(CPURISCVState *env);
+bool riscv_cpu_virt_enabled(CPURISCVState *env);
+void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable);
 int riscv_cpu_mmu_index(CPURISCVState *env, bool ifetch);
 hwaddr riscv_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 void  riscv_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index e99834856c..b4119cc002 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -422,6 +422,9 @@
 #define PRV_H 2 /* Reserved */
 #define PRV_M 3
 
+/* Virtulisation Register Fields */
+#define VIRT_ONOFF  1
+
 /* RV32 satp CSR field masks */
 #define SATP32_MODE 0x8000
 #define SATP32_ASID 0x7fc0
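Review bot: "Virtulisation" in the new comment is a typo for "Virtualisation" (the subject line has the same spelling). VIRT_ONOFF is passed to get_field()/set_field() as a mask in cpu_helper.c, so a short comment saying it is the bit of env->virt that holds the on/off state, not an enable value, would stop it being read as a boolean constant.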
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 31f553efb9..0306f3181d 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -82,6 +82,24 @@ bool riscv_cpu_fp_enabled(CPURISCVState *env)
 return false;
 }
 
+bool riscv_cpu_virt_enabled(CPURISCVState *env)
+{
+if (!riscv_has_ext(env, RVH)) {
+return false;
+}
+
+return get_field(env->virt, VIRT_ONOFF);
+}
+
+void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable)
+{
+if (!riscv_has_ext(env, RVH)) {
+return;
+}
+
+env->virt = set_field(env->virt, VIRT_ONOFF, enable);
+}
+
 int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts)
 {
 CPURISCVState *env = &cpu->env;
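Review bot: riscv_cpu_set_virt_enabled() returns silently when the H extension is absent, so a caller that asks for enable=true gets no indication that the request was dropped. If that can only be a programming error, an assertion would document the contract; if it is expected, a comment on the prototype in cpu.h should say that the call is a no-op without RVH.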
-- 
2.23.0




[PATCH v2 09/27] target/riscv: Add Hypervisor CSR access functions

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/csr.c | 68 ++
 1 file changed, 68 insertions(+)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 08956aa557..edfafca06f 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -98,6 +98,20 @@ static int smode(CPURISCVState *env, int csrno)
 return -!riscv_has_ext(env, RVS);
 }
 
+static int hmode(CPURISCVState *env, int csrno)
+{
+if (riscv_has_ext(env, RVS) &&
+riscv_has_ext(env, RVH)) {
+/* Hypervisor extension is supported */
+if ((env->priv == PRV_S && !riscv_cpu_virt_enabled(env)) ||
+env->priv == PRV_M) {
+return 0;
+}
+}
+
+return -1;
+}
+
 static int pmp(CPURISCVState *env, int csrno)
 {
 return -!riscv_feature(env, RISCV_FEATURE_PMP);
@@ -754,6 +768,55 @@ static int write_satp(CPURISCVState *env, int csrno, 
target_ulong val)
 return 0;
 }
 
+/* Hypervisor Extensions */
+static int read_hstatus(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->hstatus;
+return 0;
+}
+
+static int write_hstatus(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->hstatus = val;
+return 0;
+}
+
+static int read_hedeleg(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->hedeleg;
+return 0;
+}
+
+static int write_hedeleg(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->hedeleg = val;
+return 0;
+}
+
+static int read_hideleg(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->hideleg;
+return 0;
+}
+
+static int write_hideleg(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->hideleg = val;
+return 0;
+}
+
+static int read_hgatp(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->hgatp;
+return 0;
+}
+
+static int write_hgatp(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->hgatp = val;
+return 0;
+}
+
 /* Physical Memory Protection */
 static int read_pmpcfg(CPURISCVState *env, int csrno, target_ulong *val)
 {
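Review bot: write_hstatus(), write_hedeleg(), write_hideleg() and write_hgatp() each store val unmodified (for example "env->hstatus = val;"), so software can set any bit, including ones the register does not implement. Per-register masks of the writable fields, or at least a TODO naming the fields still to be restricted, would keep reserved bits out of later reads and out of the code that consumes hedeleg, hideleg and hgatp.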
@@ -957,6 +1020,11 @@ static riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
 /* Supervisor Protection and Translation */
 [CSR_SATP] ={ smode, read_satp,write_satp},
 
+[CSR_HSTATUS] = { hmode,   read_hstatus, write_hstatus
},
+[CSR_HEDELEG] = { hmode,   read_hedeleg, write_hedeleg
},
+[CSR_HIDELEG] = { hmode,   read_hideleg, write_hideleg
},
+[CSR_HGATP] =   { hmode,   read_hgatp,   write_hgatp  
},
+
 /* Physical Memory Protection */
 [CSR_PMPCFG0  ... CSR_PMPADDR9] =  { pmp,   read_pmpcfg,  write_pmpcfg   },
 [CSR_PMPADDR0 ... CSR_PMPADDR15] = { pmp,   read_pmpaddr, write_pmpaddr  },
-- 
2.23.0




[PATCH v2 02/27] target/riscv: Add the Hypervisor extension

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Chih-Min Chao 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index f889427869..91e1c56fc4 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -67,6 +67,7 @@
 #define RVC RV('C')
 #define RVS RV('S')
 #define RVU RV('U')
+#define RVH RV('H')
 
 /* S extension denotes that Supervisor mode exists, however it is possible
to have a core that support S mode but does not have an MMU and there
-- 
2.23.0




[PATCH v2 10/27] target/riscv: Add Hypervisor virtual CSRs accesses

2019-10-25 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu_bits.h |  11 
 target/riscv/csr.c  | 119 
 2 files changed, 130 insertions(+)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index 162d42f211..95909f159a 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -191,6 +191,17 @@
 #define HGATP_PPNSATP64_PPN
 #endif
 
+/* Virtual CSRs */
+#define CSR_VSSTATUS0x200
+#define CSR_VSIE0x204
+#define CSR_VSTVEC  0x205
+#define CSR_VSSCRATCH   0x240
+#define CSR_VSEPC   0x241
+#define CSR_VSCAUSE 0x242
+#define CSR_VSTVAL  0x243
+#define CSR_VSIP0x244
+#define CSR_VSATP   0x280
+
 /* Physical Memory Protection */
 #define CSR_PMPCFG0 0x3a0
 #define CSR_PMPCFG1 0x3a1
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index edfafca06f..a1eb15f507 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -817,6 +817,115 @@ static int write_hgatp(CPURISCVState *env, int csrno, 
target_ulong val)
 return 0;
 }
 
+/* Virtual CSR Registers */
+static int read_vsstatus(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vsstatus;
+return 0;
+}
+
+static int write_vsstatus(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vsstatus = val;
+return 0;
+}
+
+static int read_vsie(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vsie;
+return 0;
+}
+
+static int write_vsie(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vsie = val;
+return 0;
+}
+
+static int read_vstvec(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vstvec;
+return 0;
+}
+
+static int write_vstvec(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vstvec = val;
+return 0;
+}
+
+static int read_vsscratch(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vsscratch;
+return 0;
+}
+
+static int write_vsscratch(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vsscratch = val;
+return 0;
+}
+
+static int read_vsepc(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vsepc;
+return 0;
+}
+
+static int write_vsepc(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vsepc = val;
+return 0;
+}
+
+static int read_vscause(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vscause;
+return 0;
+}
+
+static int write_vscause(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vscause = val;
+return 0;
+}
+
+static int read_vstval(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vstval;
+return 0;
+}
+
+static int write_vstval(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vstval = val;
+return 0;
+}
+
+static int read_vsip(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = (target_ulong)atomic_read(&env->vsip);
+return 0;
+}
+
+static int write_vsip(CPURISCVState *env, int csrno, target_ulong val)
+{
+atomic_set(&env->vsip, val);
+return 0;
+}
+
+static int read_vsatp(CPURISCVState *env, int csrno, target_ulong *val)
+{
+*val = env->vsatp;
+return 0;
+}
+
+static int write_vsatp(CPURISCVState *env, int csrno, target_ulong val)
+{
+env->vsatp = val;
+return 0;
+}
+
 /* Physical Memory Protection */
 static int read_pmpcfg(CPURISCVState *env, int csrno, target_ulong *val)
 {
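Review bot: write_vsip() passes the full target_ulong val to atomic_set(&env->vsip, val), while vsip is declared uint32_t in CPURISCVState, so on a 64-bit target the upper half is discarded without comment, and no mask limits which pending bits a write may change. An explicit cast plus a mask of the writable interrupt bits would make both decisions visible. The remaining write_vs*() helpers store val unmasked as well; if that is a placeholder, say so in the commit message, which currently has no body.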
@@ -1025,6 +1134,16 @@ static riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
 [CSR_HIDELEG] = { hmode,   read_hideleg, write_hideleg
},
 [CSR_HGATP] =   { hmode,   read_hgatp,   write_hgatp  
},
 
+[CSR_VSSTATUS] ={ hmode,   read_vsstatus,write_vsstatus   
},
+[CSR_VSIE] ={ hmode,   read_vsie,write_vsie   
},
+[CSR_VSTVEC] =  { hmode,   read_vstvec,  write_vstvec 
},
+[CSR_VSSCRATCH] =   { hmode,   read_vsscratch,   write_vsscratch  
},
+[CSR_VSEPC] =   { hmode,   read_vsepc,   write_vsepc  
},
+[CSR_VSCAUSE] = { hmode,   read_vscause, write_vscause
},
+[CSR_VSTVAL] =  { hmode,   read_vstval,  write_vstval 
},
+[CSR_VSIP] ={ hmode,   read_vsip,write_vsip   
},
+[CSR_VSATP] =   { hmode,   read_vsatp,   write_vsatp  
},
+
 /* Physical Memory Protection */
 [CSR_PMPCFG0  ... CSR_PMPADDR9] =  { pmp,   read_pmpcfg,  write_pmpcfg   },
 [CSR_PMPADDR0 ... CSR_PMPADDR15] = { pmp,   read_pmpaddr, write_pmpaddr  },
-- 
2.23.0




[PATCH v2 06/27] target/riscv: Add the Hypervisor CSRs to CPUState

2019-10-25 Thread Alistair Francis
As the MIP CSR is 32-bits to allow atomic_read on 32-bit hosts the vsip
is 32-bit as well.

Signed-off-by: Alistair Francis 
Reviewed-by: Chih-Min Chao 
Reviewed-by: Palmer Dabbelt 
---
 target/riscv/cpu.h | 17 +
 1 file changed, 17 insertions(+)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index bb7a0e27a7..a1625e8af0 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -145,6 +145,23 @@ struct CPURISCVState {
 target_ulong mcause;
 target_ulong mtval;  /* since: priv-1.10.0 */
 
+/* Hypervisor CSRs */
+target_ulong hstatus;
+target_ulong hedeleg;
+target_ulong hideleg;
+target_ulong hgatp;
+
+/* Virtual CSRs */
+target_ulong vsstatus;
+uint32_t vsip;
+target_ulong vsie;
+target_ulong vstvec;
+target_ulong vsscratch;
+target_ulong vsepc;
+target_ulong vscause;
+target_ulong vstval;
+target_ulong vsatp;
+
 target_ulong scounteren;
 target_ulong mcounteren;
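Review bot: vsip is the only uint32_t among the new virtual CSR fields, and the reason (matching the 32-bit MIP so that atomic_read works on 32-bit hosts) is given only in the commit message. A one-line comment beside "uint32_t vsip;" would keep that rationale with the code, where someone tempted to widen the field will see it.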
 
-- 
2.23.0




Re: [PATCH] buildfix: update texinfo menu

2019-10-25 Thread Laszlo Ersek
On 10/23/19 12:19, Gerd Hoffmann wrote:
> Build error message:
> qemu-doc.texi:34: node `Top' lacks menu item for `Recently removed features' 
> despite being its Up target
> 
> Fixes: 3264ffced3d0 ("dirty-bitmaps: remove deprecated autoload parameter")
> Signed-off-by: Gerd Hoffmann 
> ---
>  qemu-doc.texi | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/qemu-doc.texi b/qemu-doc.texi
> index 3c5022050f0f..3ddf5c0a6865 100644
> --- a/qemu-doc.texi
> +++ b/qemu-doc.texi
> @@ -44,6 +44,7 @@
>  * Security::
>  * Implementation notes::
>  * Deprecated features::
> +* Recently removed features::
>  * Supported build platforms::
>  * License::
>  * Index::
> 

Tested-by: Laszlo Ersek 

(Applied it on top of ee70fc26a561, and now the tree builds.)

Thanks!
Laszlo




[PATCH 2/2] migration/multifd: not use multifd during postcopy

2019-10-25 Thread Wei Yang
We don't support multifd during postcopy, but a user could still enable
both multifd and postcopy. This leads to migration failure.

Skip multifd during postcopy.

Signed-off-by: Wei Yang 
---
 migration/ram.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 7087bb73ed..5876054195 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -2547,10 +2547,13 @@ static int ram_save_target_page(RAMState *rs, 
PageSearchStatus *pss,
 }
 
 /*
- * do not use multifd for compression as the first page in the new
- * block should be posted out before sending the compressed page
+ * Do not use multifd for:
+ * 1. Compression as the first page in the new block should be posted out
+ *before sending the compressed page
+ * 2. In postcopy as one whole host page should be placed
  */
-if (!save_page_use_compression(rs) && migrate_use_multifd()) {
+if (!save_page_use_compression(rs) && migrate_use_multifd()
+&& !migration_in_postcopy()) {
 return ram_save_multifd_page(rs, block, offset);
 }
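Review bot: item 2 of the new comment ("In postcopy as one whole host page should be placed") states the rule but not what breaks; the commit message says the combination makes migration fail, and a few words to that effect would let the comment stand on its own. The check also only sidesteps the problem at page-send time: the commit message notes that a user can still enable both, so rejecting or warning about the combination where it is configured would give a diagnostic instead of a silent fallback to the non-multifd path.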
 
-- 
2.17.1




Re: [PATCH] Semihost SYS_READC implementation (v4)

2019-10-25 Thread Keith Packard
Peter Maydell  writes:

> I'm going to push for somebody actually writing out a
> document and putting it somewhere that we can point to
> and say "that's the authoritative spec", please...
> it doesn't have to be a big formal thing, but I do
> think you want it written down, because the whole point
> is for multiple implementations and users to interoperate.

I can work within the RISC-V foundation to get an 'official' document
written. Having a handful of existing inter-operable implementations
will make that really easy to do :-)

> Yeah, the mux works fine for this kind of thing. There's
> no inherent reason why semihosting ought to "win" as
> the initially selected thing on the mux, though --
> typically that would be expected to be the UART/serial
> console.

That would just require moving the call to qemu_semihosting_console_init
up in the function. Doesn't really matter to me; I suspect that most
users will either use serial or semihosting, but probably not both
(except when debugging the serial driver).

This does the trick (on top of the latest patch). Let me know if this is
what you want. To get semihosting to be first, you have to disable the
serial driver if the hardware has a serial port:

qemu -chardev stdio,mux=on,id=stdio0 \
 -serial null \
 -semihosting-config enable=on,chardev=stdio0 \
 -mon chardev=stdio0,mode=readline

diff --git a/vl.c b/vl.c
index ac584d97ea..7ea8a907fd 100644
--- a/vl.c
+++ b/vl.c
@@ -4284,6 +4284,9 @@ int main(int argc, char **argv, char **envp)
 qemu_opts_foreach(qemu_find_opts("mon"),
   mon_init_func, NULL, &error_fatal);
 
+/* connect semihosting console input if requested */
+qemu_semihosting_console_init();
+
 if (foreach_device_config(DEV_SERIAL, serial_parse) < 0)
 exit(1);
 if (foreach_device_config(DEV_PARALLEL, parallel_parse) < 0)
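Review bot: the moved call keeps its old comment ("connect semihosting console input if requested"), which no longer explains why it sits here. Its position relative to the DEV_SERIAL parse is the whole point of the change, so the comment should say that the ordering against serial_parse is deliberate and what it decides on a shared mux; otherwise a later cleanup can move the call back without anyone noticing.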
@@ -4381,9 +4384,6 @@ int main(int argc, char **argv, char **envp)
 ds = init_displaystate();
 qemu_display_init(ds, &dpy);
 
-/* connect semihosting console input if requested */
-qemu_semihosting_console_init();
-
 /* must be after terminal init, SDL library changes signal handlers */
 os_setup_signal_handling();
 
-- 
-keith




Re: [PATCH] ptimer: Remove old ptimer_init_with_bh() API

2019-10-25 Thread Richard Henderson
On 10/25/19 10:24 AM, Peter Maydell wrote:
> Now all the users of ptimers have converted to the transaction-based
> API, we can remove ptimer_init_with_bh() and all the code paths
> that are used only by bottom-half based ptimers, and tidy up the
> documentation comments to consider the transaction-based API the
> only possibility.
> 
> The code changes result from:
>  * s->bh no longer exists
>  * s->callback is now always non-NULL
> 
> Signed-off-by: Peter Maydell 
> ---
>  include/hw/ptimer.h | 45 +++---
>  hw/core/ptimer.c| 91 -
>  2 files changed, 36 insertions(+), 100 deletions(-)

Reviewed-by: Richard Henderson 


r~



Re: [PATCH] fw_cfg: Allow reboot-timeout=-1 again

2019-10-25 Thread Laszlo Ersek
On 10/25/19 18:57, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" 
>
> Commit ee5d0f89de3e53cdb0dc added range checking on reboot-timeout
> to only allow the range 0..65535; however both qemu and libvirt document
> the special value -1  to mean don't reboot.
> Allow it again.
>
> Fixes: ee5d0f89de3e53cdb0dc ("fw_cfg: Fix -boot reboot-timeout error 
> checking")
> RH bz: https://bugzilla.redhat.com/show_bug.cgi?id=1765443
> Signed-off-by: Dr. David Alan Gilbert 
> ---
>  hw/nvram/fw_cfg.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
> index 7dc3ac378e..1a9ec44232 100644
> --- a/hw/nvram/fw_cfg.c
> +++ b/hw/nvram/fw_cfg.c
> @@ -247,10 +247,11 @@ static void fw_cfg_reboot(FWCfgState *s)
>
>  if (reboot_timeout) {
>  rt_val = qemu_opt_get_number(opts, "reboot-timeout", -1);
> +
>  /* validate the input */
> -if (rt_val < 0 || rt_val > 0x) {
> +if (rt_val < -1 || rt_val > 0x) {
>  error_report("reboot timeout is invalid,"
> - "it should be a value between 0 and 65535");
> + "it should be a value between -1 and 65535");
>  exit(1);
>  }
>  }
>

Ouch.

Here's the prototype of qemu_opt_get_number():

> uint64_t qemu_opt_get_number(QemuOpts *opts, const char *name, uint64_t 
> defval);

So, when we call it, here's what we actually do:

rt_val = (int64_t)qemu_opt_get_number(opts, "reboot-timeout", 
(uint64_t)-1);
 ^^^

The conversion to uint64_t is fine.

The conversion to int64_t is not great:

> Otherwise, the new type is signed and the value cannot be represented
> in it; either the result is implementation-defined or an
> implementation-defined signal is raised.

I guess we're exploiting two's complement, as the implementation-defined
result. Not great. :)

Here's what I'd prefer:

> diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
> index 7dc3ac378ee0..16413550a1da 100644
> --- a/hw/nvram/fw_cfg.c
> +++ b/hw/nvram/fw_cfg.c
> @@ -237,7 +237,7 @@ static void fw_cfg_bootsplash(FWCfgState *s)
>  static void fw_cfg_reboot(FWCfgState *s)
>  {
>  const char *reboot_timeout = NULL;
> -int64_t rt_val = -1;
> +uint64_t rt_val = -1;
>  uint32_t rt_le32;
>
>  /* get user configuration */
> @@ -248,9 +248,9 @@ static void fw_cfg_reboot(FWCfgState *s)
>  if (reboot_timeout) {
>  rt_val = qemu_opt_get_number(opts, "reboot-timeout", -1);
>  /* validate the input */
> -if (rt_val < 0 || rt_val > 0x) {
> +if (rt_val > 0x && rt_val != (uint64_t)-1) {
>  error_report("reboot timeout is invalid,"
> - "it should be a value between 0 and 65535");
> + "it should be a value between -1 and 65535");
>  exit(1);
>  }
>  }

(

The trick is that strtoull(), in

  qemu_opt_get_number()
qemu_opt_get_number_helper()
  parse_option_number()
qemu_strtou64()
  strtoull()

turns "-1" into (uint64_t)-1, which counts as a valid conversion, per
spec:

> If the subject sequence has the expected form and the value of /base/
> is zero, the sequence of characters starting with the first digit is
> interpreted as an integer constant according to the rules of 6.4.4.1.
> If the subject sequence has the expected form and the value of /base/
> is between 2 and 36, it is used as the base for conversion, ascribing
> to each letter its value as given above. If the subject sequence
> begins with a minus sign, the value resulting from the conversion is
> negated (in the return type). A pointer to the final string is stored
> in the object pointed to by /endptr/, provided that /endptr/ is not a
> null pointer.

)

I don't insist though; if Phil is OK with the posted patch, I won't try
to block it.

Thanks
Laszlo
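
The unsigned check discussed in this message, written out as an added example (not code from QEMU or from the thread). It calls strtoull() directly; parse_reboot_timeout(), RT_MAX and RT_NEVER are hypothetical names, the inputs are constructed, and a 64-bit unsigned long long is assumed.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; the limits are the ones quoted in the thread. */
#define RT_MAX    UINT64_C(0xffff)    /* largest ordinary timeout: 65535 */
#define RT_NEVER  UINT64_MAX          /* what the string "-1" parses to */

/*
 * Parse and validate a reboot-timeout string without using a signed type.
 * Returns 0 and stores the value in *out, or a negative errno value.
 * Assumes unsigned long long is 64 bits wide.
 */
static int parse_reboot_timeout(const char *s, uint64_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s == '\0') {
        return -EINVAL;
    }

    errno = 0;
    v = strtoull(s, &end, 0);
    if (end == s || *end != '\0') {
        return -EINVAL;               /* no digits, or trailing junk */
    }
    if (errno == ERANGE) {
        /*
         * Overflow saturates to ULLONG_MAX, which has the same bits as
         * RT_NEVER. Without this test an oversized number would be
         * accepted as "-1".
         */
        return -ERANGE;
    }
    if (v > RT_MAX && v != RT_NEVER) {
        return -ERANGE;               /* e.g. "65536" or "-2" */
    }

    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs covering the sentinel, the bounds and overflow. */
    const char *samples[] = {
        "0", "65535", "-1", "-2", "65536", "18446744073709551616", "12abc",
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t v = 0;
        int rc = parse_reboot_timeout(samples[i], &v);

        if (rc == 0) {
            printf("%-22s accepted, value 0x%" PRIx64 "\n", samples[i], v);
        } else {
            printf("%-22s rejected (%d)\n", samples[i], rc);
        }
    }
    return 0;
}
```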




Re: [PATCH v2 4/7] exec: Use const alias for TARGET_PAGE_BITS_VARY

2019-10-25 Thread Richard Henderson
On 10/25/19 5:01 PM, Peter Maydell wrote:
> On Fri, 25 Oct 2019 at 21:43, Richard Henderson
>  wrote:
>>
>> On 10/25/19 10:51 AM, Peter Maydell wrote:
 + * We want to declare the "target_page" variable as const, which tells
 + * the compiler that it can cache any value that it reads across calls.
 + * This avoids multiple assertions and multiple reads within any one user.
 + *
 + * This works because we initialize the target_page data very early, in a
 + * location far removed from the functions that require the final results.
>>>
>>> I have to say that this feels like a worryingly large amount
>>> of magic. Is this actually guaranteed to work by the compiler?
>>
>> Yes.
> 
> I'm curious to know how the compiler engineers define
> "very early" and "far removed" -- in my experience they
> usually prefer to be more precise than that :-)

I remembered putting more precise language in there, but I don't see it now.
Perhaps I just dreamt it.

The last write to the non-const variable happens before the first time we
access the const variable.  At the first access to the const variable, we
assert that it has been initialized.

There's no specific barrier to prevent that first read of the const variable
from being hoisted by the compiler before the last store of the non-const variable,
except for being in a separate function, in a separate compilation unit, and
thus "far away".

We could, perhaps, put a barrier() at the end of finalize_target_page_bits(),
documenting this fact against some future date when compilation with -flto is
viable.  I will say, though, that I've tried that recently and quite some work
is required before one could enable -flto.  In the meantime, the barrier()
would compile away to nothing.


r~



Re: [PATCH] fw_cfg: Allow reboot-timeout=-1 again

2019-10-25 Thread Markus Armbruster
"Dr. David Alan Gilbert (git)"  writes:

> From: "Dr. David Alan Gilbert" 
>
> Commit ee5d0f89de3e53cdb0dc added range checking on reboot-timeout
> to only allow the range 0..65535; however both qemu and libvirt document
> the special value -1  to mean don't reboot.
> Allow it again.
>
> Fixes: ee5d0f89de3e53cdb0dc ("fw_cfg: Fix -boot reboot-timeout error 
> checking")
> RH bz: https://bugzilla.redhat.com/show_bug.cgi?id=1765443
> Signed-off-by: Dr. David Alan Gilbert 
> ---
>  hw/nvram/fw_cfg.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
> index 7dc3ac378e..1a9ec44232 100644
> --- a/hw/nvram/fw_cfg.c
> +++ b/hw/nvram/fw_cfg.c
> @@ -247,10 +247,11 @@ static void fw_cfg_reboot(FWCfgState *s)
>  
>  if (reboot_timeout) {
>  rt_val = qemu_opt_get_number(opts, "reboot-timeout", -1);
> +
>  /* validate the input */
> -if (rt_val < 0 || rt_val > 0x) {
> +if (rt_val < -1 || rt_val > 0x) {
>  error_report("reboot timeout is invalid,"
> - "it should be a value between 0 and 65535");
> + "it should be a value between -1 and 65535");
>  exit(1);
>  }
>  }

Semantic conflict with "[PATCH] qemu-options.hx: Update for
reboot-timeout parameter", Message-Id:
<20191015151451.727323-1-h...@redhat.com>.

I'm too tired right now to risk an opinion on which one we want.




[Bug 1849894] Re: hw/scsi/scsi-disk.c line 2554 allocation overflow

2019-10-25 Thread Witold Baryluk
FYI. Adding if (len <= 0) return; in the scsi_disk_new_request_dump
solved the compilation issue for me.

So indeed gcc thinks len == -1

I am pretty sure the build qemu is functional, as this path is only
taken if the trace_event_get_state_backends(TRACE_SCSI_DISK_NEW_REQUEST)
is true, which by default it is not.

BTW. Also, aarch64-softmmu/qemu-system-aarch64 takes a very long time to
link compared to other targets, so I recommend using -flto=16 to
increase parallelism, and reduce lto link time to about 4 minutes. (But
64GB of memory recommended).

I also tested with --disable-slirp configure flag. Still same issue.

https://bugs.launchpad.net/bugs/1849894

Title:
  hw/scsi/scsi-disk.c line 2554 allocation overflow

Status in QEMU:
  New




Re: [PATCH v2 4/7] exec: Use const alias for TARGET_PAGE_BITS_VARY

2019-10-25 Thread Peter Maydell
On Fri, 25 Oct 2019 at 21:43, Richard Henderson
 wrote:
>
> On 10/25/19 10:51 AM, Peter Maydell wrote:
> >> + * We want to declare the "target_page" variable as const, which tells
> >> + * the compiler that it can cache any value that it reads across calls.
> >> + * This avoids multiple assertions and multiple reads within any one user.
> >> + *
> >> + * This works because we initialize the target_page data very early, in a
> >> + * location far removed from the functions that require the final results.
> >
> > I have to say that this feels like a worryingly large amount
> > of magic. Is this actually guaranteed to work by the compiler?
>
> Yes.

I'm curious to know how the compiler engineers define
"very early" and "far removed" -- in my experience they
usually prefer to be more precise than that :-)

thanks
-- PMM



Re: [PULL 00/20] MIPS queue for October 24th, 2019 - v2

2019-10-25 Thread Peter Maydell
On Fri, 25 Oct 2019 at 17:44, Aleksandar Markovic
 wrote:
>
> From: Aleksandar Markovic 
>
> The following changes since commit 03bf012e523ecdf047ac56b2057950247256064d:
>
>   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging 
> (2019-10-25 14:59:53 +0100)
>
> are available in the git repository at:
>
>   https://github.com/AMarkovic/qemu tags/mips-queue-oct-24-2019-v2
>
> for you to fetch changes up to 220ad858d3baf8b772cfddb8b657f9c799e98ddd:
>
>   tests/ssh_linux_malta: Fix 64-bit target tests (2019-10-25 18:37:01 +0200)
>
> 
>
> MIPS queue for October 24th, 2019 - v2
>
>   - update of MIPS-specific acceptance tests
>   - other mostly cosmetic changes
>   - in v2, an offending patch (causing clang build error) is removed
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/4.2
for any user-visible changes.

-- PMM



Re: [PULL 00/12] tcg patch queue

2019-10-25 Thread Richard Henderson
On 10/25/19 12:12 PM, Peter Maydell wrote:
> Compile failure, win32:
...
> /usr/lib/mxe/usr/x86_64-w64-mingw32.shared/include/glib-2.0/glib/gmacros.h:337:23:
> error: expected expression before 'do'
>  #define G_STMT_START  do
>^
> /usr/lib/mxe/usr/x86_64-w64-mingw32.shared/include/glib-2.0/glib/gtestutils.h:115:41:
> note: in expansion of macro 'G_STMT_START'
>  #define g_assert(expr)  G_STMT_START { \
>  ^
> /home/petmay01/qemu-for-merges/include/qemu/osdep.h:152:20: note: in
> expansion of macro 'g_assert'
>  #define assert(x)  g_assert(x)

Ho hum.   This...

> ^
> /home/petmay01/qemu-for-merges/include/exec/cpu-all.h:225:29: note: in
> expansion of macro 'assert'
>  #  define TARGET_PAGE_MASK (assert(target_page.decided), target_page.mask)

... must be the reason why we used to use ({ ... }) here.

Why oh why does g_assert use a do/while(0) statement instead of using an
expression like the C assert is required to do?

> Also
> /home/petmay01/qemu-for-merges/exec.c: In function 'iotlb_to_section':
> /home/petmay01/qemu-for-merges/exec.c:2871:1: error: control reaches
> end of non-void function [-Werror=return-type]
>  }
...
> Not sure if that's just follow-on errors from the earlier
> ones, though.

These are all follow-on, as you say.


r~



Re: [PATCH v2 0/4] tcg/LICENSE: Remove no-longer-true statement that TCG is BSD-licensed

2019-10-25 Thread Richard Henderson
On 10/25/19 11:58 AM, Peter Maydell wrote:
> Since 2008 the tcg/LICENSE file has not changed: it claims that
> everything under tcg/ is BSD-licensed.
> 
> This is not true and hasn't been true for years: in 2013 we
> accepted the tcg/aarch64 target code under a GPLv2-or-later
> license statement. We also have generic vector optimisation
> code under the LGPL2.1-or-later, and the TCI backend is
> GPLv2-or-later. Further, many of the files are not BSD
> licensed but MIT licensed.
> 
> We don't really consider the tcg subdirectory to be a distinct
> part of QEMU anyway.
> 
> This patchset adds explicit licensing/copyright comments to
> the three files which were missing them, removes the
> inaccurate tcg/LICENSE file, and updates the top-level
> LICENSE file to be more accurate about the current state
> of the licenses used in the code in tcg/.
> 
> If we want a policy that tcg/ code has a restricted
> permitted set of licenses, then we really need to have
> this enforced by checkpatch -- history demonstrates that
> just writing it in tcg/LICENSE does not prevent code under
> other licenses getting in. In the v1 email thread nobody
> seemed to be very strongly arguing for this, though, and
> at this point we would need to make an active effort to
> track down contributors and get relicensing statements.
> If anybody wants to push that effort now would be a good
> time to volunteer :-)
> 
> Note on the licensing for the tcg-target.opc.h files:
>  * I've used the same license as the rest of the relevant
>backend, which is to say GPL2-or-later for tcg/aarch64
>and MIT for tcg/i386 and tcg/ppc.
>  * In all 3 cases, the only people who've made contributions
>to the files are Richard Henderson and (for aarch64) Alex Bennée
> 
> Richard, Alex -- an acked-by for the relevant patches would
> be nice (or if you intended a different license for the
> contributions than I have assumed please say so!)

No, I had no intention to put things under a different license.

Reviewed-by: Richard Henderson 

for the lot.  Since I'm having to re-spin the last tcg pull for a win32
failure, I'll include this as well.


r~



Re: [PATCH] Semihost SYS_READC implementation (v4)

2019-10-25 Thread Peter Maydell
On Fri, 25 Oct 2019 at 20:15, Keith Packard  wrote:
>
> Peter Maydell  writes:
>
> > Is there a specification for RISC-V semihosting? This is
> > likely to be my first question when the support comes
> > round for review, so you can have it early :-)  We'd
> > prefer to implement specified interfaces, not random
> > ad-hoc "this seems to be what newlib wants to see,
> > which in turn got hacked together by copying some other
> > architecture's code".
>
> There seems to be convergence on a pretty simple interface which uses
> ebreak surrounded by a couple of specific no-ops:
>
>   slli x0, x0, 0x1f
>   ebreak
>   srai x0, x0, 0x7
>
> There are implementations in rust and openocd, and I've got one for
> picolibc.

I'm going to push for somebody actually writing out a
document and putting it somewhere that we can point to
and say "that's the authoritative spec", please...
it doesn't have to be a big formal thing, but I do
think you want it written down, because the whole point
is for multiple implementations and users to interoperate.


> > Isn't the answer to this "don't use a command line that tries
> > to connect stdio to multiple things" ?
>
> Uh, we do that all the time? The mux device is designed to handle this
> so that you can use stdio for both monitor commands and application
> I/O. It's very convenient, the only issue is that the last device that
> hooks to the mux ends up getting input first (you use ^Ac to rotate
> among the selected devices).

Yeah, the mux works fine for this kind of thing. There's
no inherent reason why semihosting ought to "win" as
the initially selected thing on the mux, though --
typically that would be expected to be the UART/serial
console.

thanks
-- PMM



Re: [PATCH v2 0/4] tcg/LICENSE: Remove no-longer-true statement that TCG is BSD-licensed

2019-10-25 Thread Alexander Graf
On 25.10.19 17:58, Peter Maydell wrote:
> Since 2008 the tcg/LICENSE file has not changed: it claims that
> everything under tcg/ is BSD-licensed.
>
> This is not true and hasn't been true for years: in 2013 we
> accepted the tcg/aarch64 target code under a GPLv2-or-later
> license statement. We also have generic vector optimisation
> code under the LGPL2.1-or-later, and the TCI backend is
> GPLv2-or-later. Further, many of the files are not BSD
> licensed but MIT licensed.
>
> We don't really consider the tcg subdirectory to be a distinct
> part of QEMU anyway.
>
> This patchset adds explicit licensing/copyright comments to
> the three files which were missing them, removes the
> inaccurate tcg/LICENSE file, and updates the top-level
> LICENSE file to be more accurate about the current state
> of the licenses used in the code in tcg/.
>
> If we want a policy that tcg/ code has a restricted
> permitted set of licenses, then we really need to have
> this enforced by checkpatch -- history demonstrates that
> just writing it in tcg/LICENSE does not prevent code under
> other licenses getting in. In the v1 email thread nobody
> seemed to be very strongly arguing for this, though, and
> at this point we would need to make an active effort to
> track down contributors and get relicensing statements.
> If anybody wants to push that effort now would be a good
> time to volunteer :-)
>
> Note on the licensing for the tcg-target.opc.h files:
>  * I've used the same license as the rest of the relevant
>    backend, which is to say GPL2-or-later for tcg/aarch64
>    and MIT for tcg/i386 and tcg/ppc.
>  * In all 3 cases, the only people who've made contributions
>    to the files are Richard Henderson and (for aarch64) Alex Bennée
>
> Richard, Alex -- an acked-by for the relevant patches would
> be nice (or if you intended a different license for the
> contributions than I have assumed please say so!)

Thanks for cleaning up the license mess :)

Reviewed-by: Alexander Graf 

Alex





Re: [PATCH v13 06/12] numa: Extend CLI to provide memory latency and bandwidth information

2019-10-25 Thread Eduardo Habkost
On Fri, Oct 25, 2019 at 09:44:50PM +0200, Markus Armbruster wrote:
> Igor Mammedov  writes:
> 
> > On Fri, 25 Oct 2019 14:33:53 +0800
> > Tao Xu  wrote:
> >
> >> On 10/23/2019 11:28 PM, Igor Mammedov wrote:
> >> > On Sun, 20 Oct 2019 19:11:19 +0800
> >> > Tao Xu  wrote:  
> >> [...]
> >> >> +#
> >> >> +# @access-bandwidth: access bandwidth (MB/s)
> >> >> +#
> >> >> +# @read-bandwidth: read bandwidth (MB/s)
> >> >> +#
> >> >> +# @write-bandwidth: write bandwidth (MB/s)  
> >> > I think units here are not appropriate, values stored in fields are
> >> > minimal base units only and nothing else (i.e. ps and B/s)
> >> >   
> >> Eric suggest me to drop picoseconds. So here I can use ns. For 
> >> bandwidth, if we use B/s here, does it let user or developer to 
> >> misunderstand that the smallest unit is B/s ?
> >
> > It's not nanoseconds or MB/s stored in these fields, isn't it?
> > I'd specify units in which value is stored or drop units altogether.
> >
> > Maybe Eric and Markus can suggest a better way to describe fields.
> 
> This isn't review (yet), just an attempt to advise more quickly on
> general QAPI/QMP conventions.
> 
> Unit prefixes like Mebi- are nice for humans, because 1MiB is clearer
> than 1048576B.
> 
> QMP is for machines.  We eschew unit prefixes and unit symbols there.
> The unit is implied.  Unit prefixes only complicate things.  Machines
> can deal with 1048576 easily.  Also dealing with 1024Ki and 1Mi is additional
> work.  We therefore use JSON numbers for byte counts, not strings with
> units.
> 
> The general rule is "always use the plainest implied unit that would
> do."  There are exceptions, mostly due to review failure.
> 
> Byte rates should be in bytes per second.
> 
> For time, we've made a godawful mess.  The plainest unit is clearly the
> second.  We commonly need sub-second granularity, though.
> Floating-point seconds are unpopular for some reason :)  Instead we use
> milli-, micro-, and nanoseconds, and even (seconds, microseconds) pairs.
> 
> QAPI schema documentation describes both the generated C and the QMP
> wire protocol.  It must be written with the implied unit.  If you send a
> byte rate in bytes per second via QMP, that's what you document.  Even
> if a human interface lets you specify the byte rate in MiB/s.
> 
> Does this make sense?

This makes sense for the bandwidth fields.  We still need to
decide how to represent the latency field, though.

Seconds would be the obvious choice, if only it didn't risk
silently losing precision when converting numbers to floats.

-- 
Eduardo




[PULL 0/1] Require Python >= 3.5 to build QEMU

2019-10-25 Thread Eduardo Habkost
The following changes since commit 03bf012e523ecdf047ac56b2057950247256064d:

  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging 
(2019-10-25 14:59:53 +0100)

are available in the Git repository at:

  git://github.com/ehabkost/qemu.git tags/python-next-pull-request

for you to fetch changes up to d24e417866f85229de1b75bc5c0a1d942451a842:

  configure: Require Python >= 3.5 (2019-10-25 16:34:57 -0300)


Require Python >= 3.5 to build QEMU



Eduardo Habkost (1):
  configure: Require Python >= 3.5

 configure  | 18 --
 tests/Makefile.include |  5 -
 2 files changed, 4 insertions(+), 19 deletions(-)

-- 
2.21.0




Re: [PATCH v2 4/7] exec: Use const alias for TARGET_PAGE_BITS_VARY

2019-10-25 Thread Richard Henderson
On 10/25/19 10:51 AM, Peter Maydell wrote:
>> + * We want to declare the "target_page" variable as const, which tells
>> + * the compiler that it can cache any value that it reads across calls.
>> + * This avoids multiple assertions and multiple reads within any one user.
>> + *
>> + * This works because we initialize the target_page data very early, in a
>> + * location far removed from the functions that require the final results.
> 
> I have to say that this feels like a worryingly large amount
> of magic. Is this actually guaranteed to work by the compiler?

Yes.


r~



Re: [PATCH v5] ssi: xilinx_spips: Skip spi bus update for a few register writes

2019-10-25 Thread Alistair Francis
On Thu, Oct 24, 2019 at 10:31 PM Sai Pavan Boddu
 wrote:
>
> A few configuration register writes need not update the spi bus state, so just
> return after register write.
>
> Signed-off-by: Sai Pavan Boddu 

Reviewed-by: Alistair Francis 

Alistair

> ---
>
> Changes for V2:
> Just skip update of spips cs and fifos
> Update commit message accordingly
> Changes for V4:
> Avoid checking for zynqmp qspi
> Skip spi bus update for few of the registers Changes for V4:
> Move the register list to existing switch case above.
> Change for V5:
> Fixed Commit message.
>
>  hw/ssi/xilinx_spips.c | 22 ++
>  1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index a309c71..0d6c2e1 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -109,6 +109,7 @@
>  #define R_GPIO  (0x30 / 4)
>  #define R_LPBK_DLY_ADJ  (0x38 / 4)
>  #define R_LPBK_DLY_ADJ_RESET (0x33)
> +#define R_IOU_TAPDLY_BYPASS (0x3C / 4)
>  #define R_TXD1  (0x80 / 4)
>  #define R_TXD2  (0x84 / 4)
>  #define R_TXD3  (0x88 / 4)
> @@ -139,6 +140,8 @@
>  #define R_LQSPI_STS (0xA4 / 4)
>  #define LQSPI_STS_WR_RECVD  (1 << 1)
>
> +#define R_DUMMY_CYCLE_EN(0xC8 / 4)
> +#define R_ECO   (0xF8 / 4)
>  #define R_MOD_ID(0xFC / 4)
>
>  #define R_GQSPI_SELECT  (0x144 / 4)
> @@ -970,6 +973,7 @@ static void xilinx_spips_write(void *opaque, hwaddr addr,
>  {
>  int mask = ~0;
>  XilinxSPIPS *s = opaque;
> +bool try_flush = true;
>
>  DB_PRINT_L(0, "addr=" TARGET_FMT_plx " = %x\n", addr, (unsigned)value);
>  addr >>= 2;
> @@ -1019,13 +1023,23 @@ static void xilinx_spips_write(void *opaque, hwaddr 
> addr,
>  tx_data_bytes(&s->tx_fifo, (uint32_t)value, 3,
>s->regs[R_CONFIG] & R_CONFIG_ENDIAN);
>  goto no_reg_update;
> +/* Skip SPI bus update for below registers writes */
> +case R_GPIO:
> +case R_LPBK_DLY_ADJ:
> +case R_IOU_TAPDLY_BYPASS:
> +case R_DUMMY_CYCLE_EN:
> +case R_ECO:
> +try_flush = false;
> +break;
>  }
>  s->regs[addr] = (s->regs[addr] & ~mask) | (value & mask);
>  no_reg_update:
> -xilinx_spips_update_cs_lines(s);
> -xilinx_spips_check_flush(s);
> -xilinx_spips_update_cs_lines(s);
> -xilinx_spips_update_ixr(s);
> +if (try_flush) {
> +xilinx_spips_update_cs_lines(s);
> +xilinx_spips_check_flush(s);
> +xilinx_spips_update_cs_lines(s);
> +xilinx_spips_update_ixr(s);
> +}
>  }
>
>  static const MemoryRegionOps spips_ops = {
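Review bot: In the last hunk, the new "if (try_flush)" block after no_reg_update: also skips xilinx_spips_update_ixr(s), while the commit message and the V2 changelog only mention skipping the SPI bus update (cs lines and fifos). If leaving the interrupt status untouched for writes to R_GPIO, R_LPBK_DLY_ADJ, R_IOU_TAPDLY_BYPASS, R_DUMMY_CYCLE_EN and R_ECO is intended, please say so in the commit message; otherwise keep the xilinx_spips_update_ixr(s) call outside the if. The name try_flush also undersells what the flag gates (both cs-line updates and the ixr update, not only the flush), and the new comment would read better as "Skip SPI bus update for writes to the registers below".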
> --
> 2.7.4
>
>



Re: [Qemu-devel] [Qemu-riscv] [PATCH v1 10/28] target/riscv: Convert mie and mstatus to pointers

2019-10-25 Thread Alistair Francis
On Thu, Sep 19, 2019 at 9:59 AM Jonathan Behrens  wrote:
>
> On Thu, Sep 19, 2019 at 10:50 AM Richard Henderson
>  wrote:
> >
> > On 9/18/19 4:47 PM, Alistair Francis wrote:
> > > I'm not a fan of the pointer method that I'm using, but to me it seems
> > > the least worst in terms of handling future code, keeping everything
> > > consistent and avoiding complex access rules.
> >
> > FWIW, I prefer the "banked" register method used by ARM.
> >
> > enum {
> > M_REG_NS = 0,/* non-secure mode */
> > M_REG_S = 1, /* secure mode */
> > M_REG_NUM_BANKS = 2,
> > };
> >
> > ...
> >
> > uint32_t vecbase[M_REG_NUM_BANKS];
> > uint32_t basepri[M_REG_NUM_BANKS];
> > uint32_t control[M_REG_NUM_BANKS];
> >
> > The major difference that I see is that a pointer can only represent a single
> > state at a single time.  With an index, different parts of the code can ask
> > different questions that may have different states.  E.g. "are we currently in
> > secure mode" vs "will the exception return to secure mode".
>
> This makes a lot of sense to me. It means that any individual control register
> has an unambiguous name that doesn't change based on context. They aren't quite
> the same names as used in the architecture specification (mie & vsie
> vs. mie[NOVIRT] & mie[VIRT]), but they are reasonably close. It also means other
> parts of the code can't ignore that there are two different versions of the
> registers in play. Perhaps the biggest benefit though is that you can sidestep
> swapping on mode changes *and* avoid needing any super fancy logic in the access
> functions:
>
> int read_mstatus(...) {
> target_ulong novirt_mask = ...;
> *val = env->mstatus[NOVIRT] & novirt_mask | env->mstatus[virt_mode()];
> }
>
> int read_vsstatus(...) {
> *val = env->mstatus[VIRT];
> }
>
> int write_mstatus(...) {
> ...
> target_ulong novirt_mask = ...;
> env->mstatus[NOVIRT] = (env->mstatus[NOVIRT] & ~novirt_mask) |
>(newval & novirt_mask);
> env->mstatus[virt_mode()] = (env->mstatus[virt_mode()] & novirt_mask) |
> (newval & ~novirt_mask);

The part I don't like about this is that it then requires all of the
RISC-V implementation to be affected by the Hypervisor extension. The
current way means that if you aren't interested in the extension you
can just ignore it and not worry about breaking anything. For ARM this
isn't as big of an issue, but RISC-V is much more modular (there will
be lots of platforms without the H extension) so I don't want people
to have to worry about it.

PS: Sorry for the delay here, I have been looking into some other ways
of doing this, but I still think the current way is the least bad.

Alistair

> }



[PULL 1/1] configure: Require Python >= 3.5

2019-10-25 Thread Eduardo Habkost
Python 3.5 is the oldest Python version available on our
supported build platforms, and Python 2 end of life will be 3
weeks after the planned release date of QEMU 4.2.0.  Drop Python
2 support from configure completely, and require Python 3.5 or
newer.

Signed-off-by: Eduardo Habkost 
Message-Id: <20191016224237.26180-1-ehabk...@redhat.com>
Reviewed-by: John Snow 
Signed-off-by: Eduardo Habkost 
---
 configure  | 18 --
 tests/Makefile.include |  5 -
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/configure b/configure
index 145fcabbb3..bfc2b1a9d8 100755
--- a/configure
+++ b/configure
@@ -896,9 +896,9 @@ fi
 : ${install=${INSTALL-install}}
 # We prefer python 3.x. A bare 'python' is traditionally
 # python 2.x, but some distros have it as python 3.x, so
-# we check that before python2
+# we check that too
 python=
-for binary in "${PYTHON-python3}" python python2
+for binary in "${PYTHON-python3}" python
 do
 if has "$binary"
 then
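Review bot: In the interpreter-selection loop, a candidate is still accepted on presence alone (has "$binary"), so with python2 dropped from the list a bare 'python' that happens to be 2.x is picked here and only rejected by the later sys.version_info < (3,5) check. The reworded comment ("we check that too") no longer explains why a bare 'python' is worth trying at all; suggest saying that it is tried because some distros ship it as 3.x, and that the version check further down rejects a 2.x one.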
@@ -1829,8 +1829,8 @@ fi
 
 # Note that if the Python conditional here evaluates True we will exit
 # with status 1 which is a shell 'false' value.
-if ! $python -c 'import sys; sys.exit(sys.version_info < (2,7))'; then
-  error_exit "Cannot use '$python', Python 2 >= 2.7 or Python 3 is required." \
+if ! $python -c 'import sys; sys.exit(sys.version_info < (3,5))'; then
+  error_exit "Cannot use '$python', Python >= 3.5 is required." \
   "Use --python=/path/to/python to specify a supported Python."
 fi
 
@@ -6466,15 +6466,6 @@ if test "$supported_os" = "no"; then
 echo "us upstream at qemu-devel@nongnu.org."
 fi
 
-# Note that if the Python conditional here evaluates True we will exit
-# with status 1 which is a shell 'false' value.
-if ! $python -c 'import sys; sys.exit(sys.version_info < (3,0))'; then
-  echo
-  echo "warning: Python 2 support is deprecated" >&2
-  echo "warning: Python 3 will be required for building future versions of 
QEMU" >&2
-  python2="y"
-fi
-
 config_host_mak="config-host.mak"
 
 echo "# Automatically generated by configure - do not modify" 
>config-all-disas.mak
@@ -7295,7 +7286,6 @@ echo "INSTALL_DATA=$install -c -m 0644" >> 
$config_host_mak
 echo "INSTALL_PROG=$install -c -m 0755" >> $config_host_mak
 echo "INSTALL_LIB=$install -c -m 0644" >> $config_host_mak
 echo "PYTHON=$python" >> $config_host_mak
-echo "PYTHON2=$python2" >> $config_host_mak
 echo "CC=$cc" >> $config_host_mak
 if $iasl -h > /dev/null 2>&1; then
   echo "IASL=$iasl" >> $config_host_mak
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 09e5b410dc..c4e656001e 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -1139,7 +1139,6 @@ TESTS_RESULTS_DIR=$(BUILD_DIR)/tests/results
 AVOCADO_SHOW=app
 AVOCADO_TAGS=$(patsubst %-softmmu,-t arch:%, $(filter 
%-softmmu,$(TARGET_DIRS)))
 
-ifneq ($(PYTHON2),y)
 $(TESTS_VENV_DIR): $(TESTS_VENV_REQ)
$(call quiet-command, \
 $(PYTHON) -m venv --system-site-packages $@, \
@@ -1148,10 +1147,6 @@ $(TESTS_VENV_DIR): $(TESTS_VENV_REQ)
 $(TESTS_VENV_DIR)/bin/python -m pip -q install -r 
$(TESTS_VENV_REQ), \
 PIP, $(TESTS_VENV_REQ))
$(call quiet-command, touch $@)
-else
-$(TESTS_VENV_DIR):
-   $(error "venv directory for tests requires Python 3")
-endif
 
 $(TESTS_RESULTS_DIR):
$(call quiet-command, mkdir -p $@, \
-- 
2.21.0




[Bug 1849894] [NEW] hw/scsi/scsi-disk.c line 2554 allocation overflow

2019-10-25 Thread Witold Baryluk
Public bug reported:

When compiling qemu from git master (at commit
03bf012e523ecdf047ac56b2057950247256064d) on Linux amd64, with gcc-9
9.2.1, and using `-march=native -flto`, during linking of most target
binaries, the compiler detects an issue with allocation in
scsi_disk_new_request_dump and aborts compilation.


make[1]: Entering directory '/home/user/qemu/slirp'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/user/qemu/slirp'
nm: stats64.o: no symbols
  LINK    aarch64-softmmu/qemu-system-aarch64
In function ‘scsi_disk_new_request_dump’,
    inlined from ‘scsi_new_request’ at hw/scsi/scsi-disk.c:2580:9,
    inlined from ‘scsi_new_request’ at hw/scsi/scsi-disk.c:2564:21:
hw/scsi/scsi-disk.c:2554:19: error: argument 1 value ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
hw/scsi/scsi-disk.c: In function ‘scsi_new_request’:
/usr/include/glib-2.0/glib/gmem.h:78:10: note: in a call to allocation function ‘g_malloc’ declared here
   78 | gpointer g_malloc (gsize  n_bytes) G_GNUC_MALLOC G_GNUC_ALLOC_SIZE(1);
  |  ^
lto1: all warnings being treated as errors
lto-wrapper: fatal error: c++ returned 1 exit status
compilation terminated.
/usr/bin/ld: error: lto-wrapper failed
collect2: error: ld returned 1 exit status


same happens for most other targets: alpha-softmmu/qemu-system-alpha
arm-softmmu/qemu-system-arm hppa-softmmu/qemu-system-hppa i386-softmmu
/qemu-system-i386 lm32-softmmu/qemu-system-lm32 mips-softmmu/qemu-
system-mips mips64-softmmu/qemu-system-mips64 mips64el-softmmu/qemu-
system-mips64el mipsel-softmmu/qemu-system-mipsel ppc-softmmu/qemu-
system-ppc ppc64-softmmu/qemu-system-ppc64 riscv32-softmmu/qemu-system-
riscv32 riscv64-softmmu/qemu-system-riscv64 s390x-softmmu/qemu-system-
s390x sh4-softmmu/qemu-system-sh4 sh4eb-softmmu/qemu-system-sh4eb sparc-
softmmu/qemu-system-sparc sparc64-softmmu/qemu-system-sparc64
x86_64-softmmu/qemu-system-x86_64 xtensa-softmmu/qemu-system-xtensa
xtensaeb-softmmu/qemu-system-xtensaeb

Notice -softmmu being a common factor here.


The size of the allocation for the temporary buffer for dumping using
snprintf is determined based on the size of the buffer via call to
scsi_cdb_length. I believe the heavy inlining and constant propagation
makes scsi_cdb_length return -1, so len = -1. Then allocation size is
5*len + 1, or -4. Which overflows to 2^64 - 4 or so.

The case of len==-1 from scsi_cdb_length happens if the (buf[0] >> 5) is
not 0, 1, 2, 4 or 5.

However, I can't find out how gcc figures out that buf[0] is not one of
these variables. To me looking at this function, compiler should not
know anything about buf[0].

I tried following the chain of calls back, including devirtualize
alloc_req, and I found scsi_device_alloc_req calling these alloc_req
callbacks, but it is itself called from scsi_req_new, which is called in
get_scsi_requests, just after buf is filled from QEMUFile using
qemu_get_buffer, which ultimately goes even further into read paths,
which there might be many AFAIK.


glib2 version 2.62.1-1

** Affects: qemu
 Importance: Undecided
 Status: New

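The size computation described in the bug report above, as an added example that is not part of the report or of QEMU's source: it models the CDB length rule the report quotes, shows how 5*len + 1 with len == -1 turns into the 18446744073709551612 from the compiler error once it is converted to an unsigned size, and gives a checked variant. The function names and the two sample CDBs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample CDBs: a READ(10) (opcode 0x28, group 1) and an opcode
 * from group 7 (0xE0), one of the groups the report says yields -1. */
static const uint8_t CDB_READ10[16] = { 0x28, 0, 0, 0, 0, 0x10, 0, 0, 0x08, 0 };
static const uint8_t CDB_GROUP7[16] = { 0xE0 };

/* Model of the length rule quoted in the report: the top three bits of the
 * opcode select the group; groups other than 0, 1, 2, 4 and 5 give -1.
 * Hypothetical name, not QEMU's function. */
static int model_cdb_length(const uint8_t *buf)
{
    switch (buf[0] >> 5) {
    case 0:
        return 6;
    case 1:
    case 2:
        return 10;
    case 4:
        return 16;
    case 5:
        return 12;
    default:
        return -1;
    }
}

/* Unchecked sizing as the report describes it: " 0x%02x" is 5 characters per
 * byte plus a terminator, so the size is 5*len + 1. With len == -1 the int
 * result is -4, and converting that to size_t gives SIZE_MAX - 3. */
static size_t dump_size_unchecked(const uint8_t *buf)
{
    int len = model_cdb_length(buf);
    return (size_t)(5 * len + 1);
}

/* Checked variant: reject the error return before it reaches any arithmetic
 * or allocator. Returns a malloc'd string the caller frees, or NULL. */
static char *dump_cdb_checked(const uint8_t *buf)
{
    int len = model_cdb_length(buf);
    if (len < 0) {
        return NULL;                      /* unknown group: nothing to dump */
    }

    size_t size = (size_t)len * 5 + 1;    /* len is known non-negative here */
    char *line = malloc(size);
    if (line == NULL) {
        return NULL;
    }

    char *p = line;
    line[0] = '\0';
    for (int i = 0; i < len; i++) {
        /* Bound every write by the space that is actually left. */
        p += snprintf(p, size - (size_t)(p - line), " 0x%02x", buf[i]);
    }
    return line;
}

int main(void)
{
    printf("READ(10): len=%d size=%zu\n",
           model_cdb_length(CDB_READ10), dump_size_unchecked(CDB_READ10));
    printf("group 7 : len=%d size=%zu\n",
           model_cdb_length(CDB_GROUP7), dump_size_unchecked(CDB_GROUP7));

    char *line = dump_cdb_checked(CDB_READ10);
    if (line != NULL) {
        printf("checked dump:%s\n", line);
        free(line);
    }
    printf("checked dump of group 7 opcode: %s\n",
           dump_cdb_checked(CDB_GROUP7) == NULL ? "rejected" : "accepted");
    return 0;
}
```

On a 64-bit build the group 7 line prints size=18446744073709551612, the same value gcc reports for argument 1 of g_malloc.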

Re: [PULL v2 00/73] tcg plugins and testing updates

2019-10-25 Thread Markus Armbruster
Alex Bennée  writes:

> Markus Armbruster  writes:
>
>> I hate to interfere with the merging of working code for non-technical
>> reasons
>>
>> This is a plugin interface.  As I wrote in reply to v4, I'd like to see
>> a pragmatic argument why abuse of the plugin interface to circumvent the
>> GPL is not practical.  This might include "not a stable interface", "you
>> have to link with a truckload of gpl code", "the set of things you can
>> do is deliberately extremely limited".
>
> I included a link to the description in lead patch of the following two
> revisions posted after v4 for this purpose. To repeat myself:

If you had cc'ed me, I might have even read it :)

>   QEMU TCG plugins provide a way for users to run experiments taking
>   advantage of the total system control emulation can have over a guest.
>   It provides a mechanism for plugins to subscribe to events during
>   translation and execution and optionally callback into the plugin
>   during these events. TCG plugins are unable to change the system state
>   only monitor it passively. However they can do this down to an
>   individual instruction granularity including potentially subscribing
>   to all load and store operations.
>
> So to summarise it is a deliberately limited set of passive observations
> that can be made by the plugins. You cannot implement a new device using
> this interface.
>
>> Perhaps such an argument is made somewhere in these 73 patches already.
>> I admit to not having read them all :)  In the TCG plugin design document
>> perhaps?  Assuming it exists...
>
> Indeed there is - docs/devel/plugins.rst

In 21/73.  I'll read it as soon as I can.

File contents is about *TCG* plugins, file name advertises plugins
without a qualifier.  We can rename when it bothers us.

> A high level tour of the design decisions and approaches is the subject
> of my talk on Friday morning.

Good move.

>> I proposed discussing the project's requirements for external interfaces
>> on GPL circumvention deterrence at the QEMU Summit next week.
>
> That should certainly be an agenda item for the summit. I don't think
> this provides a mechanism for GPL circumnavigation though.
>
>> If merging this could be delayed until the licensing ramifications have
>> become a bit more clear, I'd be obliged.
>
> I'd rather not unless we can make an exception for late merging of the
> PR. I've worked quite hard to make sure everything is ready for the 4.2
> window and I'd rather not miss a whole release cycle on a
> misunderstanding of what these plugins allow.

I think there are multiple ways to avoid the nuclear outcome.

Coming to a conclusion before the soft freeze is the nicest one.

Making an exception for late merging is another one, but Peter may
prefer not to.

Yet another one is merging the pull request before the soft freeze with
the understanding that it'll be reverted unless we come to a positive
conclusion before say -rc0 (Nov 5).  I'm confident we can work it out in
Lyon.




[PULL v3 13/15] travis.yml: --enable-debug-tcg to check-tcg

2019-10-25 Thread Alex Bennée
This adds a whole bunch of asserts which will catch bugs you might
introduce into the TCG code.

Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 

diff --git a/.travis.yml b/.travis.yml
index c43597f1331..ba3a8d4cfc9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -334,14 +334,14 @@ matrix:
 
 # Run check-tcg against linux-user
 - env:
-- CONFIG="--disable-system"
+- CONFIG="--disable-system --enable-debug-tcg"
 - TEST_CMD="make -j3 check-tcg V=1"
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default"
 
 
 # Run check-tcg against softmmu targets
 - env:
-- 
CONFIG="--target-list=xtensa-softmmu,arm-softmmu,aarch64-softmmu,alpha-softmmu"
+- CONFIG="--enable-debug-tcg 
--target-list=xtensa-softmmu,arm-softmmu,aarch64-softmmu,alpha-softmmu"
 - TEST_CMD="make -j3 check-tcg V=1"
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default"
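Review bot: both check-tcg entries keep CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default" after gaining --enable-debug-tcg, so objects built with the extra asserts land in the cache named for default-configuration builds. Consider a dedicated name such as "${TRAVIS_BRANCH}-linux-gcc-debug-tcg" for these two jobs. The flag is also appended in the linux-user CONFIG but prepended in the softmmu one; using the same position in both makes the entries easier to compare.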
 
-- 
2.20.1




[PULL v3 06/15] travis.yml: Test the release tarball

2019-10-25 Thread Alex Bennée
From: Philippe Mathieu-Daudé 

Add a job to generate the release tarball and build/install a few
QEMU targets from it.

Ideally we should build the 'efi' target from the 'roms' directory,
but it is too time consuming.

This job is only triggered when a tag starting with 'v' is pushed,
which is the case with release candidate tags.

Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20191007160450.3619-1-phi...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/.travis.yml b/.travis.yml
index 7e0d4ad2b31..f2b679fe701 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -343,3 +343,26 @@ matrix:
 - 
CONFIG="--target-list=xtensa-softmmu,arm-softmmu,aarch64-softmmu,alpha-softmmu"
 - TEST_CMD="make -j3 check-tcg V=1"
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default"
+
+
+# Release builds
+# The make-release script expect a QEMU version, so our tag must start 
with a 'v'.
+# This is the case when release candidate tags are created.
+- if: tag IS present AND tag =~ /^v\d+\.\d+(\.\d+)?(-\S*)?$/
+  env:
+# We want to build from the release tarball
+- BUILD_DIR="release/build/dir" SRC_DIR="../../.."
+- BASE_CONFIG="--prefix=$PWD/dist"
+- 
CONFIG="--target-list=x86_64-softmmu,aarch64-softmmu,armeb-linux-user,ppc-linux-user"
+- TEST_CMD="make install -j3"
+- QEMU_VERSION="${TRAVIS_TAG:1}"
+- CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default"
+  before_script:
+- command -v ccache && ccache --zero-stats
+- mkdir -p ${BUILD_DIR} && cd ${BUILD_DIR}
+  script:
+- make -C ${SRC_DIR} qemu-${QEMU_VERSION}.tar.bz2
+- ls -l ${SRC_DIR}/qemu-${QEMU_VERSION}.tar.bz2
+- tar -xf ${SRC_DIR}/qemu-${QEMU_VERSION}.tar.bz2 && cd 
qemu-${QEMU_VERSION}
+- ./configure ${BASE_CONFIG} ${CONFIG} || { cat config.log && exit 1; }
+- make install
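Review bot: the new job's before_script uses `command -v ccache && ccache --zero-stats`, which ends with a non-zero status when ccache is not installed and fails the step; `if command -v ccache ; then ccache --zero-stats ; fi` does not have that problem. The env block also defines TEST_CMD="make install -j3", but the script section runs a plain `make install`, so either call ${TEST_CMD} there or drop the variable. In the added comment, "The make-release script expect" should read "expects".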
-- 
2.20.1




[PULL 1/2] virtio-blk: Add blk_drain() to virtio_blk_device_unrealize()

2019-10-25 Thread Stefan Hajnoczi
From: Julia Suvorova 

QEMU does not wait for completed I/O requests, assuming that the guest
driver will reset the device before calling unrealize(). This does not
happen on Windows, and QEMU crashes in virtio_notify(), getting the
result of a completed I/O request on hot-unplugged device.

Signed-off-by: Julia Suvorova 
Message-Id: <20191018142856.31870-1-jus...@redhat.com>
Signed-off-by: Stefan Hajnoczi 
---
 hw/block/virtio-blk.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index ed2ddebd2b..14e9f85b8b 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1207,6 +1207,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev, 
Error **errp)
 VirtIODevice *vdev = VIRTIO_DEVICE(dev);
 VirtIOBlock *s = VIRTIO_BLK(dev);
 
+blk_drain(s->blk);
 virtio_blk_data_plane_destroy(s->dataplane);
 s->dataplane = NULL;
 qemu_del_vm_change_state_handler(s->change);
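Review bot: the added blk_drain(s->blk) at the top of virtio_blk_device_unrealize() has no comment, so the reason for it (the guest driver may not reset the device before unrealize, and a completed I/O request then reaches virtio_notify() on a hot-unplugged device) lives only in the commit message. A one-line comment above the call would keep a later cleanup from dropping it. It would also help to state in the commit message whether new requests can still be submitted between the drain and virtio_blk_data_plane_destroy().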
-- 
2.21.0




[PULL v3 12/15] gitlab-ci.yml: Use libvdeplug-dev to compile-test the VDE network backend

2019-10-25 Thread Alex Bennée
From: Thomas Huth 

The libvdeplug-dev package is required to compile-test net/vde.c.

Signed-off-by: Thomas Huth 
Message-Id: <20191016131002.29663-1-th...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ed8067f5cf9..be57c6a454a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,7 +5,7 @@ before_script:
 build-system1:
  script:
  - apt-get install -y -qq libgtk-3-dev libvte-dev nettle-dev libcacard-dev
-  libusb-dev libvde-dev libspice-protocol-dev libgl1-mesa-dev
+  libusb-dev libvde-dev libspice-protocol-dev libgl1-mesa-dev 
libvdeplug-dev
  - ./configure --enable-werror --target-list="aarch64-softmmu alpha-softmmu
   cris-softmmu hppa-softmmu lm32-softmmu moxie-softmmu microblazeel-softmmu
   mips64el-softmmu m68k-softmmu ppc-softmmu riscv64-softmmu sparc-softmmu"
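Review bot: libvdeplug-dev is appended to the apt-get line while libvde-dev stays in the list. The commit message says libvdeplug-dev is what net/vde.c needs, so please say whether libvde-dev is still required for this job or drop it in the same change.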
-- 
2.20.1




Re: [PATCH v2 02/15] qapi/block-core: add option for io_uring

2019-10-25 Thread Markus Armbruster
Stefan Hajnoczi  writes:

> From: Aarushi Mehta 
>
> Only enumerates option for devices that support it.

I'm not sure I get this sentence.

> Since QAPI schema
> supports io_uring, which is the actual name of the Linux API, it is
> preferred over io-uring.

I guess this one means something like "Since io_uring is the actual name
of the Linux API, we use it as enum value even though the QAPI schema
conventions would prefer io-uring."

> Signed-off-by: Aarushi Mehta 
> Signed-off-by: Stefan Hajnoczi 
> ---
>  qapi/block-core.json | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index b274aef713..3196f40178 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -2851,11 +2851,13 @@
>  #
>  # @threads: Use qemu's thread pool
>  # @native:  Use native AIO backend (only Linux and Windows)
> +# @io_uring:Use linux io_uring (since 4.2)
>  #
>  # Since: 2.9
>  ##
>  { 'enum': 'BlockdevAioOptions',
> -  'data': [ 'threads', 'native' ] }
> +  'data': [ 'threads', 'native',
> +{ 'name': 'io_uring', 'if': 'defined(CONFIG_LINUX_IO_URING)' } ] 
> }
>  
>  ##
>  # @BlockdevCacheOptions:
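Review bot: the new doc line for @io_uring does not say that the value exists only when CONFIG_LINUX_IO_URING is defined, whereas the @native line just above spells out its limits ("only Linux and Windows"). Suggest wording along the lines of "Use Linux io_uring (only if built with CONFIG_LINUX_IO_URING; since 4.2)", with "Linux" capitalised and a space after the colon so the entry lines up with @threads and @native.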

I encourage you to polish the commit message some.

Acked-by: Markus Armbruster 




[PULL v3 15/15] tests/docker: update Travis image to a more current version

2019-10-25 Thread Alex Bennée
This isn't the latest one available on hub.docker.com but it does
match the ID reported by the Xenial builds running on Travis:

  instance: ... travis-ci-sardonyx-xenial-1553530528-f909ac5

Signed-off-by: Alex Bennée 

diff --git a/tests/docker/dockerfiles/travis.docker 
b/tests/docker/dockerfiles/travis.docker
index ea14da29d97..e8eb48dccfd 100644
--- a/tests/docker/dockerfiles/travis.docker
+++ b/tests/docker/dockerfiles/travis.docker
@@ -1,4 +1,8 @@
-FROM travisci/ci-sardonyx:packer-1546978056-2c98a19
+#
+# Travis Image - this is broadly the same image that we run our CI
+# tests on.
+#
+FROM travisci/ci-sardonyx:packer-1552557266-f909ac5
 ENV DEBIAN_FRONTEND noninteractive
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
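Review bot: the FROM line pins the base image by tag only (packer-1552557266-f909ac5); a tag can be re-pushed, so the image the tests run on can change without this file changing. Consider pinning by digest, e.g. `FROM travisci/ci-sardonyx@sha256:<digest>`, and keeping the tag in the comment for readability. The commit message quotes the Travis instance as ending in xenial-1553530528-f909ac5 while the tag carries 1552557266; the new comment block is a good place to record why the two are treated as the same image.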
-- 
2.20.1




[PULL v3 14/15] tests/docker: set HOST_ARCH if we don't have ARCH

2019-10-25 Thread Alex Bennée
As the docker rules want to be able to be run on a virgin unconfigured
checkout add a fallback and use it if we need to.

Signed-off-by: Alex Bennée 

diff --git a/.shippable.yml b/.shippable.yml
index bbc6f88510f..f74a3de3ffd 100644
--- a/.shippable.yml
+++ b/.shippable.yml
@@ -27,8 +27,6 @@ env:
   TARGET_LIST=ppc64-softmmu,ppc64-linux-user,ppc64abi32-linux-user
 build:
   pre_ci:
-# usually host ARCH is set by configure
-- echo "ARCH=$(uname -m)" > config-host.mak
 - make docker-image-${IMAGE} V=1
   pre_ci_boot:
 image_name: qemu
diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
index 89c56a3a88c..19dbe261699 100644
--- a/tests/docker/Makefile.include
+++ b/tests/docker/Makefile.include
@@ -2,6 +2,8 @@
 
 .PHONY: docker docker-test docker-clean docker-image docker-qemu-src
 
+HOST_ARCH = $(if $(ARCH),$(ARCH),$(shell uname -m))
+
 DOCKER_SUFFIX := .docker
 DOCKER_FILES_DIR := $(SRC_PATH)/tests/docker/dockerfiles
 # we don't run tests on intermediate images (used as base by another image)
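Review bot: HOST_ARCH is defined with a recursive `=`, so whenever ARCH is unset each expansion of $(HOST_ARCH) runs `uname -m` again. If ARCH is guaranteed to be set (or not) by the time this file is read, `HOST_ARCH := ...` evaluates the fallback once. A short comment above the definition saying that ARCH normally comes from configure, which is what the lines removed from .shippable.yml used to explain, would also help the next reader.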
@@ -88,7 +90,7 @@ endif
 
 # Enforce dependencies for composite images
 docker-image-debian9-mxe: docker-image-debian9
-ifeq ($(ARCH),x86_64)
+ifeq ($(HOST_ARCH),x86_64)
 docker-image-debian-amd64: docker-image-debian9
 DOCKER_PARTIAL_IMAGES += debian-amd64-cross
 else
@@ -106,7 +108,7 @@ docker-image-debian-win32-cross: docker-image-debian9-mxe
 docker-image-debian-win64-cross: docker-image-debian9-mxe
 
 # For non-x86 hosts not all cross-compilers have been packaged
-ifneq ($(ARCH),x86_64)
+ifneq ($(HOST_ARCH),x86_64)
 DOCKER_PARTIAL_IMAGES += debian-mips-cross debian-mipsel-cross 
debian-mips64el-cross
 DOCKER_PARTIAL_IMAGES += debian-ppc64el-cross
 DOCKER_PARTIAL_IMAGES += debian-s390x-cross
-- 
2.20.1




[PULL v3 02/15] travis.yml: Add libvdeplug-dev to compile-test net/vde.c

2019-10-25 Thread Alex Bennée
From: Thomas Huth 

This library is needed to compile the VDE network backend.

Signed-off-by: Thomas Huth 
Message-Id: <20191009170701.14756-2-th...@redhat.com>
Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 

diff --git a/.travis.yml b/.travis.yml
index 7d90b87540f..7be2a9949f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -46,6 +46,7 @@ addons:
   - libssh-dev
   - liburcu-dev
   - libusb-1.0-0-dev
+  - libvdeplug-dev
   - libvte-2.91-dev
   - sparse
   - uuid-dev
-- 
2.20.1




Re: [RFC v4 PATCH 48/49] multi-process: add the concept description to docs/devel/qemu-multiprocess

2019-10-25 Thread Elena Ufimtseva
On Thu, Oct 24, 2019 at 05:09:29AM -0400, Jagannathan Raman wrote:
> From: John G Johnson 
> 
> Signed-off-by: John G Johnson 
> Signed-off-by: Elena Ufimtseva 
> Signed-off-by: Jagannathan Raman 
> ---
>  v2 -> v3:
>- Updated with latest design of this project
> 
>  v3 -> v4:
>   - Updated document to RST format
>

Hi,

The warning was reported in regard to this patch because the index for the
multi-process document is incorrect, as pointed out by the automated tests.

"/tmp/qemu-test/src/docs/devel/index.rst:13:toctree contains reference to nonexisting document 'multi-process'".

The correct version of this patch is available. Should that be sent in the next
series, or can the correct version be attached here?

Thank you!

Elena, Jag and JJ.  
>  docs/devel/index.rst |1 +
>  docs/devel/qemu-multiprocess.rst | 1102 
> ++
>  2 files changed, 1103 insertions(+)
>  create mode 100644 docs/devel/qemu-multiprocess.rst
> 
> diff --git a/docs/devel/index.rst b/docs/devel/index.rst
> index 1ec61fc..edd3fe3 100644
> --- a/docs/devel/index.rst
> +++ b/docs/devel/index.rst
> @@ -22,3 +22,4 @@ Contents:
> decodetree
> secure-coding-practices
> tcg
> +   multi-process
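Review bot: the toctree entry added here is `multi-process`, but the document this patch creates is docs/devel/qemu-multiprocess.rst, so the reference cannot resolve. The entry should be `qemu-multiprocess`, or the new file should be renamed to match.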
> diff --git a/docs/devel/qemu-multiprocess.rst 
> b/docs/devel/qemu-multiprocess.rst
> new file mode 100644
> index 000..2c42c6e
> --- /dev/null
> +++ b/docs/devel/qemu-multiprocess.rst
> @@ -0,0 +1,1102 @@
> +Disaggregating QEMU
> +===
> +
> +QEMU is often used as the hypervisor for virtual machines running in the
> +Oracle cloud. Since one of the advantages of cloud computing is the
> +ability to run many VMs from different tenants in the same cloud
> +infrastructure, a guest that compromised its hypervisor could
> +potentially use the hypervisor's access privileges to access data it is
> +not authorized for.
> +
> +QEMU can be susceptible to security attack because it is a large,
> +monolithic program that provides many features to the VMs it services.
> +Many of these feature can be configured out of QEMU, but even a reduced
> +configuration QEMU has a large amount of code a guest can potentially
> +attack in order to gain additional privileges.
> +
> +QEMU services
> +-
> +
> +QEMU can be broadly described as providing three main services. One is a
> +VM control point, where VMs can be created, migrated, re-configured, and
> +destroyed. A second is to emulate the CPU instructions within the VM,
> +often accelerated by HW virtualization features such as Intel's VT
> +extensions. Finally, it provides IO services to the VM by emulating HW
> +IO devices, such as disk and network devices.
> +
> +A disaggregated QEMU
> +
> +
> +A disaggregated QEMU involves separating QEMU services into separate
> +host processes. Each of these processes can be given only the privileges
> +it needs to provide its service, e.g., a disk service could be given
> +access only the the disk images it provides, and not be allowed to
> +access other files, or any network devices. An attacker who compromised
> +this service would not be able to use this exploit to access files or
> +devices beyond what the disk service was given access to.
> +
> +A QEMU control process would remain, but in disaggregated mode, it would
> +be a control point that executes the processes needed to support the VM
> +being created, but have no direct interfaces to the VM. During VM
> +execution, it would still provide the user interface to hot-plug devices
> +or live migrate the VM.
> +
> +A first step in creating a disaggregated QEMU is to separate IO services
> +from the main QEMU program, which would continue to provide CPU
> +emulation. i.e., the control process would also be the CPU emulation
> +process. In a later phase, CPU emulation could be separated from the
> +control process.
> +
> +Disaggregating IO services
> +--
> +
> +Disaggregating IO services is a good place to begin QEMU disaggregating
> +for a couple of reasons. One is the sheer number of IO devices QEMU can
> +emulate provides a large surface of interfaces which could potentially
> +be exploited, and, indeed, have been a source of exploits in the past.
> +Another is the modular nature of QEMU device emulation code provides
> +interface points where the QEMU functions that perform device emulation
> +can be separated from the QEMU functions that manage the emulation of
> +guest CPU instructions.
> +
> +QEMU device emulation
> +~
> +
> +QEMU uses a object oriented SW architecture for device emulation code.
> +Configured objects are all compiled into the QEMU binary, then objects
> +are instantiated by name when used by the guest VM. For example, the
> +code to emulate a device named "foo" is always present in QEMU, but its
> +instantiation code is only run when the device is included in the target
> +VM. (e.g., via the QEMU command line as *-device foo*)
> +
> +The object model 
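Review bot: a few wording slips in the new document text need fixing before merge: "access only the the disk images" (doubled "the"; "access only to the disk images"), "Many of these feature can be configured out" ("features"), and "QEMU uses a object oriented SW architecture" ("an object-oriented"). The sentence starting "emulation. i.e., the control process" should either start with a capital letter or be joined to the previous one.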

[PULL v3 07/15] travis.yml: bump Xcode 10 to latest dot release

2019-10-25 Thread Alex Bennée
According to:

  https://docs.travis-ci.com/user/reference/osx/#macos-version

we have 10.3 available so let's use it. I don't know what Apple's
deprecation policy is for Xcode because it requires an AppleID to find
out.

Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 

diff --git a/.travis.yml b/.travis.yml
index f2b679fe701..da6a2063fca 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -247,7 +247,7 @@ matrix:
 - env:
 - 
CONFIG="--target-list=i386-softmmu,ppc-softmmu,ppc64-softmmu,m68k-softmmu,x86_64-softmmu"
   os: osx
-  osx_image: xcode10.2
+  osx_image: xcode10.3
   compiler: clang
 
 
-- 
2.20.1




[PULL v3 10/15] tests/vm/netbsd: Disable IPv6

2019-10-25 Thread Alex Bennée
From: Eduardo Habkost 

Workaround for issues when the host has no IPv6 connectivity.

Signed-off-by: Eduardo Habkost 
Reviewed-by: Thomas Huth 
Message-Id: <20191018181705.17957-4-ehabk...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/tests/vm/netbsd b/tests/vm/netbsd
index ee9eaeab504..18aa56ae826 100755
--- a/tests/vm/netbsd
+++ b/tests/vm/netbsd
@@ -28,6 +28,13 @@ class NetBSDVM(basevm.BaseVM):
 gmake --output-sync -j{jobs} {target} {verbose};
 """
 
+# Workaround for NetBSD + IPv6 + slirp issues.
+# NetBSD seems to ignore the ICMPv6 Destination Unreachable
+# messages generated by slirp.  When the host has no IPv6
+# connectivity, this causes every connection to ftp.NetBSD.org
+# take more than a minute to be established.
+ipv6 = False
+
 def build_image(self, img):
 cimg = 
self._download_with_cache("http://download.patchew.org/netbsd-7.1-amd64.img.xz";,
  
sha256sum='b633d565b0eac3d02015cd0c81440bd8a7a8df8512615ac1ee05d318be015732')
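Review bot: `ipv6 = False` is set unconditionally on NetBSDVM, so IPv6 is switched off for this image on every host, although the comment describes the slowdown only for hosts without IPv6 connectivity. If that trade-off is intended as a workaround, say so in the comment and note under what condition it can be removed. The comment text "causes every connection to ftp.NetBSD.org take more than a minute" is also missing a "to" before "take".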
-- 
2.20.1




Re: [PULL v2 00/73] tcg plugins and testing updates

2019-10-25 Thread Alex Bennée


Peter Maydell  writes:

> On Fri, 25 Oct 2019 at 07:37, Alex Bennée  wrote:
>>
>> The following changes since commit 81c1f71eeb874c4cbbb9c5c4d1a1dc0ba7391dff:
>>
>>   Merge remote-tracking branch 
>> 'remotes/ehabkost/tags/machine-next-pull-request' into staging (2019-10-24 
>> 10:43:20 +0100)
>>
>> are available in the Git repository at:
>>
>>   https://github.com/stsquad/qemu.git tags/pull-testing-and-plugins-241019-2
>>
>> for you to fetch changes up to 18900c2d7901680457b51b3ad3f684ef9cba8b64:
>>
>>   travis.yml: enable linux-gcc-debug-tcg cache (2019-10-24 22:31:29 +0100)
>>
>> 
>> Core TCG plugin support and testing updates
>>
>>   - TCG plugin support
>>   - netbsd VM autoinstall
>>   - various Travis dependency updates
>>   - enable tcg debug for check-tcg
>>   - additional Xcode build for Cirrus
>>   - dependency tweak for gitlab
>>
>
> This makes the vm-build-netbsd target stop working:
> looking at the log file it seems to try to do an install,
> but there's a pkg_add command failure and then it
> times out because it expects a menu with an 'Enable sshd'
> option and it isn't there:

OK I've dropped this (again) and re-sent a testing only PR. I'll resend
the remaining plugin stuff on Monday.

>
> con recv: >a: Host  ftp.NetBSD.org
> con recv: b: Base directorypub/pkgsrc/packages/NetBSD
> con recv:  c: Package directory/amd64/8.1/All
> con recv:  d: Userftp
> con recv:  e: Password
> con recv:  f: Proxy
> con recv:  g: Additional packages
> con recv:  h: Configure network
> con recv:  i: Quit installing binary pkgs
> con recv:  x: Install pkgin
> con send: x
> con recv:  and update package summary a: Host
> ftp.NetBSD.org>x: Install pkgin and update package summary
> con recv: Status: RunningCommand: pkg_add
> http://ftp.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.1/All/pkgin
> con recv: 
> pkg_add:
> Can't process 
> http://ftp.NetBSD.org:80/pub/pkgsrc/packages/NetBSD/amd64/8.1/All/pkgin*:
> Not Found
> con recv: pkg_add: no pkg found for
> 'http://ftp.NetBSD.org/pub/pkgsrc/packages/NetBSD/amd64/8.1/All/pkgin',
> sorry.
> con recv: pkg_add: 1 package addition failed
> con recv: Command failedHit enter to continue
> con send: 
> con recv: Enabling binary packages with pkgin requires setting up the
> repository.  The
> con recv:  following are the host, directory, user, and password that
> will be used.  If
> con recv:  "user" is "ftp", then the password is not needed.
> con recv:
> con recv: >a: Host  ftp.NetBSD.org
> con recv: b: Base directorypub/pkgsrc/packages/NetBSD
> con recv:  c: Package directory/amd64/8.1/All
> con recv:  d: Userftp
> con recv:  e: Password
> con recv:  f: Proxy
> con recv:  g: Additional packages
> con recv:  h: Configure network
> con recv:  i: Quit installing binary pkgs
> console: *** read timeout ***
> console: waiting for: 'g: Enable sshd'
> console: line buffer:
>
> con recv:  x: Install pkgin and update package summary
>
> Failed to prepare guest environment
> Traceback (most recent call last):
>   File "/home/peter.maydell/qemu-netbsd/tests/vm/basevm.py", line 362, in main
> return vm.build_image(args.image)
>   File "/home/peter.maydell/qemu-netbsd/tests/vm/netbsd", line 173, in
> build_image
> self.console_wait_send("g: Enable sshd",   "g\n")
>   File "/home/peter.maydell/qemu-netbsd/tests/vm/basevm.py", line 262,
> in console_wait_send
> self.console_wait(wait)
>   File "/home/peter.maydell/qemu-netbsd/tests/vm/basevm.py", line 224,
> in console_wait
> chars = vm.console_socket.recv(1)
> socket.timeout: timed out
>
>
> I tried a couple of times and it failed the same way both times.
>
>
> thanks
> -- PMM


--
Alex Bennée



[PULL v3 04/15] travis.yml: Use newer version of libgnutls and libpng

2019-10-25 Thread Alex Bennée
From: Thomas Huth 

libgnutls-dev and libpng12-dev are not available in newer versions
of Ubuntu anymore, so installing these packages fails e.g. in the
new arm64 containers on Travis. Let's use newer versions of these
packages by default instead. (The old versions still get tested in
the "gcc-9" build).

Signed-off-by: Thomas Huth 
Message-Id: <20191009170701.14756-4-th...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/.travis.yml b/.travis.yml
index b446e04e8ae..e65e53f3d7e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -29,7 +29,7 @@ addons:
   - libcap-dev
   - libcap-ng-dev
   - libgcc-4.8-dev
-  - libgnutls-dev
+  - libgnutls28-dev
   - libgtk-3-dev
   - libiscsi-dev
   - liblttng-ust-dev
@@ -37,7 +37,7 @@ addons:
   - libnfs-dev
   - libnss3-dev
   - libpixman-1-dev
-  - libpng12-dev
+  - libpng-dev
   - librados-dev
   - libsdl2-dev
   - libsdl2-image-dev
-- 
2.20.1




[PULL v3 11/15] travis.yml: cache the clang sanitizer build

2019-10-25 Thread Alex Bennée
Hopefully we'll see the same benefits as the other builds.

Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 

diff --git a/.travis.yml b/.travis.yml
index da6a2063fca..c43597f1331 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -189,6 +189,7 @@ matrix:
 
 - env:
 - CONFIG="--target-list=${MAIN_SOFTMMU_TARGETS} "
+- CACHE_NAME="${TRAVIS_BRANCH}-linux-clang-sanitize"
   compiler: clang
   before_script:
 - ./configure ${CONFIG} --extra-cflags="-fsanitize=undefined -Werror" 
|| { cat config.log && exit 1; }
-- 
2.20.1




[PULL v3 03/15] travis.yml: Use libsdl2 instead of libsdl1.2, and install libsdl2-image

2019-10-25 Thread Alex Bennée
From: Thomas Huth 

We've removed support for SDL 1.2 quite a while ago already, so let's
use SDL 2 now in Travis to get test coverage for SDL again.
And while we're at it, also add libsdl2-image-dev which can be used
by QEMU nowadays, too.

Signed-off-by: Thomas Huth 
Message-Id: <20191009170701.14756-3-th...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/.travis.yml b/.travis.yml
index 7be2a9949f5..b446e04e8ae 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,7 +39,8 @@ addons:
   - libpixman-1-dev
   - libpng12-dev
   - librados-dev
-  - libsdl1.2-dev
+  - libsdl2-dev
+  - libsdl2-image-dev
   - libseccomp-dev
   - libspice-protocol-dev
   - libspice-server-dev
@@ -309,7 +310,8 @@ matrix:
 - libpixman-1-dev
 - libpng12-dev
 - librados-dev
-- libsdl1.2-dev
+- libsdl2-dev
+- libsdl2-image-dev
 - libseccomp-dev
 - libspice-protocol-dev
 - libspice-server-dev
-- 
2.20.1




[PULL v3 01/15] travis.yml: reduce scope of the --enable-debug build

2019-10-25 Thread Alex Bennée
Adding debug makes things run a bit slower so let's not hammer all the
targets.

Signed-off-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 

diff --git a/.travis.yml b/.travis.yml
index d0b9e099b9c..7d90b87540f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -124,12 +124,13 @@ matrix:
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-default"
 
 
+# --enable-debug implies --enable-debug-tcg, also runs quite a bit slower
 - env:
-- CONFIG="--enable-debug --enable-debug-tcg --disable-user"
+- CONFIG="--enable-debug --target-list=${MAIN_SOFTMMU_TARGETS}"
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-debug"
 
 
-# TCG debug can be run just on it's own and is mostly agnostic to 
user/softmmu distinctions
+# TCG debug can be run just on its own and is mostly agnostic to 
user/softmmu distinctions
 - env:
 - CONFIG="--enable-debug-tcg --disable-system"
 - CACHE_NAME="${TRAVIS_BRANCH}-linux-gcc-debug"
-- 
2.20.1




[PULL v3 00/15] testing updates

2019-10-25 Thread Alex Bennée
The following changes since commit 03bf012e523ecdf047ac56b2057950247256064d:

  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging 
(2019-10-25 14:59:53 +0100)

are available in the Git repository at:

  https://github.com/stsquad/qemu.git tags/pull-testing-next-251019-3

for you to fetch changes up to 8ce2f68fc90e36d8cd57585f7f4bc75e5038f0b1:

  tests/docker: update Travis image to a more current version (2019-10-25 
19:24:21 +0100)


Testing updates (split from mega PR)

  - various Travis dependency updates
  - enable tcg debug for check-tcg
  - additional Xcode build for Cirrus
  - dependency tweak for gitlab


Alex Bennée (7):
  travis.yml: reduce scope of the --enable-debug build
  travis.yml: bump Xcode 10 to latest dot release
  cirrus.yml: add latest Xcode build target
  travis.yml: cache the clang sanitizer build
  travis.yml: --enable-debug-tcg to check-tcg
  tests/docker: set HOST_ARCH if we don't have ARCH
  tests/docker: update Travis image to a more current version

Eduardo Habkost (2):
  tests/vm: Let subclasses disable IPv6
  tests/vm/netbsd: Disable IPv6

Philippe Mathieu-Daudé (1):
  travis.yml: Test the release tarball

Thomas Huth (5):
  travis.yml: Add libvdeplug-dev to compile-test net/vde.c
  travis.yml: Use libsdl2 instead of libsdl1.2, and install libsdl2-image
  travis.yml: Use newer version of libgnutls and libpng
  travis.yml: Fix the ccache lines
  gitlab-ci.yml: Use libvdeplug-dev to compile-test the VDE network backend

 .cirrus.yml| 11 
 .gitlab-ci.yml |  2 +-
 .shippable.yml |  2 --
 .travis.yml| 50 ++
 tests/docker/Makefile.include  |  6 ++--
 tests/docker/dockerfiles/travis.docker |  6 +++-
 tests/vm/basevm.py |  5 +++-
 tests/vm/netbsd|  7 +
 8 files changed, 71 insertions(+), 18 deletions(-)

-- 
2.20.1




[PULL v3 09/15] tests/vm: Let subclasses disable IPv6

2019-10-25 Thread Alex Bennée
From: Eduardo Habkost 

The mechanism will be used to work around issues related to IPv6
on the netbsd image builder.

Signed-off-by: Eduardo Habkost 
Reviewed-by: Thomas Huth 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20191018181705.17957-3-ehabk...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/tests/vm/basevm.py b/tests/vm/basevm.py
index b5d1479bee9..2929de23aa7 100755
--- a/tests/vm/basevm.py
+++ b/tests/vm/basevm.py
@@ -57,6 +57,8 @@ class BaseVM(object):
 arch = "#arch"
 # command to halt the guest, can be overridden by subclasses
 poweroff = "poweroff"
+# enable IPv6 networking
+ipv6 = True
 def __init__(self, debug=False, vcpus=None):
 self._guest = None
 self._tmpdir = os.path.realpath(tempfile.mkdtemp(prefix="vm-test-",
@@ -81,7 +83,8 @@ class BaseVM(object):
 self._args = [ \
 "-nodefaults", "-m", "4G",
 "-cpu", "max",
-"-netdev", "user,id=vnet,hostfwd=:127.0.0.1:0-:22",
+"-netdev", "user,id=vnet,hostfwd=:127.0.0.1:0-:22" +
+   (",ipv6=no" if not self.ipv6 else ""),
 "-device", "virtio-net-pci,netdev=vnet",
 "-vnc", "127.0.0.1:0,to=20"]
 if vcpus and vcpus > 1:
-- 
2.20.1




[PULL v3 08/15] cirrus.yml: add latest Xcode build target

2019-10-25 Thread Alex Bennée
CirrusCI provides a mojave-xcode alias for the latest Xcode available.
Let's use it to make sure we track the latest releases.

Signed-off-by: Alex Bennée 

diff --git a/.cirrus.yml b/.cirrus.yml
index 8326a3a4b16..27efc48619b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -25,3 +25,14 @@ macos_task:
 - ./configure --python=/usr/local/bin/python3 || { cat config.log; exit 1; 
}
 - gmake -j$(sysctl -n hw.ncpu)
 - gmake check -j$(sysctl -n hw.ncpu)
+
+macos_xcode_task:
+  osx_instance:
+# this is an alias for the latest Xcode
+image: mojave-xcode
+  install_script:
+- brew install pkg-config gnu-sed glib pixman make sdl2
+  script:
+- ./configure --cc=clang || { cat config.log; exit 1; }
+- gmake -j$(sysctl -n hw.ncpu)
+- gmake check -j$(sysctl -n hw.ncpu)
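Review bot: the new macos_xcode_task runs `./configure --cc=clang` without the `--python=/usr/local/bin/python3` option that the existing macos_task passes, and its install_script does not install a Python. If the mojave-xcode image is known to provide a suitable default Python, a comment saying so would help; otherwise pass the same --python option so both tasks configure the same way.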
-- 
2.20.1




[PULL v3 05/15] travis.yml: Fix the ccache lines

2019-10-25 Thread Alex Bennée
From: Thomas Huth 

The "command -v ccache && ccache ..." likely were supposed to test
the availability of ccache before running the program. But this
shell construct causes Travis to abort if ccache is not available.
Use an if-statement instead to fix this problem.

Signed-off-by: Thomas Huth 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 
Message-Id: <20191009170701.14756-5-th...@redhat.com>
Signed-off-by: Alex Bennée 

diff --git a/.travis.yml b/.travis.yml
index e65e53f3d7e..7e0d4ad2b31 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -91,13 +91,13 @@ git:
 
 before_script:
   - if [ "$TRAVIS_OS_NAME" == "osx" ] ; then export 
PATH="/usr/local/opt/ccache/libexec:$PATH" ; fi
-  - command -v ccache && ccache --zero-stats
+  - if command -v ccache ; then ccache --zero-stats ; fi
   - mkdir -p ${BUILD_DIR} && cd ${BUILD_DIR}
   - ${SRC_DIR}/configure ${BASE_CONFIG} ${CONFIG} || { cat config.log && exit 
1; }
 script:
   - make -j3 && travis_retry ${TEST_CMD}
 after_script:
-  - command -v ccache && ccache --show-stats
+  - if command -v ccache ; then ccache --show-stats ; fi
 
 
 matrix:
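Review bot: in both rewritten lines `command -v ccache` still writes the resolved path to the job log each time it succeeds. Redirecting it, as in `if command -v ccache >/dev/null ; then ccache --zero-stats ; fi`, keeps the log limited to the ccache statistics themselves.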
-- 
2.20.1
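
The failure mode described in the commit message above, shown as an added example that is not part of the patch or of QEMU's CI files. It compares the exit status of the two guard forms when the tool is absent and includes a small lint that flags the old form in CI script lines; MISSING_TOOL, SAMPLE_CI and all function names are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration: why `command -v TOOL && TOOL ...` fails a CI step
# when TOOL is absent, and how to find that pattern in a CI file.

# Constructed name, assumed not to exist on PATH.
MISSING_TOOL="ccache-not-installed-example"

# Old form. If the tool is missing, `command -v` returns non-zero and the
# whole AND-list ends with that status. A CI runner that treats any
# non-zero script line as a failure aborts the job here.
guard_with_and() {
    command -v "$1" >/dev/null 2>&1 && "$1" --version >/dev/null 2>&1
}

# Form used by the patch. An `if` whose condition is false and which has
# no `else` branch returns status 0, so the step is skipped, not failed.
guard_with_if() {
    if command -v "$1" >/dev/null 2>&1; then
        "$1" --version >/dev/null 2>&1
    fi
}

# Lint: read CI YAML on stdin and print "LINENO:TEXT" for every list item
# that starts with `command -v X &&`.
find_unguarded() {
    grep -nE '^[[:space:]]*-[[:space:]]+command[[:space:]]+-v[[:space:]]+[^[:space:]]+[[:space:]]+&&'
}

# Constructed sample: one line in the old form, one in the fixed form,
# and one unrelated `&&` that must not be reported.
SAMPLE_CI='before_script:
  - command -v ccache && ccache --zero-stats
  - mkdir -p ${BUILD_DIR} && cd ${BUILD_DIR}
after_script:
  - if command -v ccache ; then ccache --show-stats ; fi'

# Number of flagged lines in the text passed as $1.
count_unguarded() {
    printf '%s\n' "$1" | find_unguarded | wc -l | tr -d ' '
}

# Demonstration when the file is run directly.
rc=0; guard_with_and "$MISSING_TOOL" || rc=$?
echo "AND-list form exit status: $rc"
rc=0; guard_with_if "$MISSING_TOOL" || rc=$?
echo "if form exit status: $rc"
echo "flagged lines in sample:"
printf '%s\n' "$SAMPLE_CI" | find_unguarded
```

Feeding a real CI file to `find_unguarded` on stdin lists any remaining script lines that still use the old construct.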




Re: [PATCH v13 06/12] numa: Extend CLI to provide memory latency and bandwidth information

2019-10-25 Thread Markus Armbruster
Igor Mammedov  writes:

> On Fri, 25 Oct 2019 14:33:53 +0800
> Tao Xu  wrote:
>
>> On 10/23/2019 11:28 PM, Igor Mammedov wrote:
>> > On Sun, 20 Oct 2019 19:11:19 +0800
>> > Tao Xu  wrote:  
>> [...]
>> >> +#
>> >> +# @access-bandwidth: access bandwidth (MB/s)
>> >> +#
>> >> +# @read-bandwidth: read bandwidth (MB/s)
>> >> +#
>> >> +# @write-bandwidth: write bandwidth (MB/s)  
>> > I think units here are not appropriate, values stored in fields are
>> > minimal base units only and nothing else (i.e. ps and B/s)
>> >   
>> Eric suggest me to drop picoseconds. So here I can use ns. For 
>> bandwidth, if we use B/s here, does it let user or developer to 
>> misunderstand that the smallest unit is B/s ?
>
> It's not nanoseconds or MB/s stored in these fields, isn't it?
> I'd specify units in which value is stored or drop units altogether.
>
> Maybe Eric and Markus can suggest a better way to describe fields.

This isn't review (yet), just an attempt to advise more quickly on
general QAPI/QMP conventions.

Unit prefixes like Mebi- are nice for humans, because 1MiB is clearer
than 1048576B.

QMP is for machines.  We eschew unit prefixes and unit symbols there.
The unit is implied.  Unit prefixes only complicate things.  Machines
can deal with 1048576 easily.  Also dealing with 1024Ki and 1Mi is additional
work.  We therefore use JSON numbers for byte counts, not strings with
units.

The general rule is "always use the plainest implied unit that would
do."  There are exceptions, mostly due to review failure.

Byte rates should be in bytes per second.

For time, we've made a godawful mess.  The plainest unit is clearly the
second.  We commonly need sub-second granularity, though.
Floating-point seconds are unpopular for some reason :)  Instead we use
milli-, micro-, and nanoseconds, and even (seconds, microseconds) pairs.

QAPI schema documentation describes both the generated C and the QMP
wire protocol.  It must be written with the implied unit.  If you send a
byte rate in bytes per second via QMP, that's what you document.  Even
if a human interface lets you specify the byte rate in MiB/s.

Does this make sense?

>> >>   @item -numa 
>> >> node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
>> >>   @itemx -numa 
>> >> node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
>> >>   @itemx -numa 
>> >> dist,src=@var{source},dst=@var{destination},val=@var{distance}
>> >>   @itemx -numa 
>> >> cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}]
>> >> +@itemx -numa 
>> >> hmat-lb,initiator=@var{node},target=@var{node},hierarchy=@var{str},data-type=@var{str}[,latency=@var{lat}][,bandwidth=@var{bw}]
>> >>   
>> >
>> > ^^^ ^^^
>> > Using the same 'str' for 2 different enums is confusing.
>> > Suggest for 1st use 'level' and for the second just 'type'
>> >   
>> Ok
>> 
>> >>   @findex -numa
>> >>   Define a NUMA node and assign RAM and VCPUs to it.
>> >>   Set the NUMA distance from a source node to a destination node.
>> >> +Set the ACPI Heterogeneous Memory Attributes for the given nodes.
>> >>   
>> >>   Legacy VCPU assignment uses @samp{cpus} option where
>> >>   @var{firstcpu} and @var{lastcpu} are CPU indexes. Each
>> >> @@ -256,6 +259,50 @@ specified resources, it just assigns existing 
>> >> resources to NUMA
>> >>   nodes. This means that one still has to use the @option{-m},
>> >>   @option{-smp} options to allocate RAM and VCPUs respectively.
>> >>   
>> >> +Use @samp{hmat-lb} to set System Locality Latency and Bandwidth 
>> >> Information
>> >> +between initiator and target NUMA nodes in ACPI Heterogeneous Attribute 
>> >> Memory Table (HMAT).
>> >> +Initiator NUMA node can create memory requests, usually including one or 
>> >> more processors.  
>> > s/including/it has/
>> >   
>> >> +Target NUMA node contains addressable memory.
>> >> +
>> >> +In @samp{hmat-lb} option, @var{node} are NUMA node IDs. @var{str} of 
>> >> 'hierarchy'
>> >> +is the memory hierarchy of the target NUMA node: if @var{str} is 
>> >> 'memory', the structure
>> >> +represents the memory performance; if @var{str} is 
>> >> 'first-level|second-level|third-level',
>> >> +this structure represents aggregated performance of memory side caches 
>> >> for each domain.
>> >> +@var{str} of 'data-type' is type of data represented by this structure 
>> >> instance:
>> >> +if 'hierarchy' is 'memory', 'data-type' is 'access|read|write' 
>> >> latency(nanoseconds)  
>> > is nanoseconds is right here? Looking at previous patches default value of 
>> > suffix-less
>> > should be picoseconds. I'd just drop '(nanoseconds)'. User will use 
>> > appropriate suffix.
>> >   
>> OK, I will drop it.
>> >> +or 'access|read|write' bandwidth(MB/s) of the target memory; if 
>> >> 'hierarchy' is  
>> > ditto (MB/s), probably should be By
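
Review bot: the text added in the second hunk expands HMAT as "ACPI Heterogeneous Attribute Memory Table", while the line added under @findex says "ACPI Heterogeneous Memory Attributes". The table's name is Heterogeneous Memory Attribute Table; use that wording in both places so the option text and the acronym agree. In the same paragraph, "'first-level|second-level|third-level'" and "'access|read|write'" read as literal values; write them as lists of alternatives ("one of 'first-level', 'second-level' or 'third-level'") so a user does not pass the whole string.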

[PULL 2/2] yield_until_fd_readable: make it work with any AioContect

2019-10-25 Thread Stefan Hajnoczi
From: Dietmar Maurer 

Simply use qemu_get_current_aio_context().

Signed-off-by: Dietmar Maurer 
Message-Id: <20191024045610.9071-1-diet...@proxmox.com>
Signed-off-by: Stefan Hajnoczi 
---
 util/qemu-coroutine-io.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/util/qemu-coroutine-io.c b/util/qemu-coroutine-io.c
index 44a8969a69..5b80bb416f 100644
--- a/util/qemu-coroutine-io.c
+++ b/util/qemu-coroutine-io.c
@@ -67,6 +67,7 @@ qemu_co_send_recv(int sockfd, void *buf, size_t bytes, bool 
do_send)
 }
 
 typedef struct {
+AioContext *ctx;
 Coroutine *co;
 int fd;
 } FDYieldUntilData;
@@ -74,7 +75,7 @@ typedef struct {
 static void fd_coroutine_enter(void *opaque)
 {
 FDYieldUntilData *data = opaque;
-qemu_set_fd_handler(data->fd, NULL, NULL, NULL);
+aio_set_fd_handler(data->ctx, data->fd, false, NULL, NULL, NULL, NULL);
 qemu_coroutine_enter(data->co);
 }
 
@@ -83,8 +84,10 @@ void coroutine_fn yield_until_fd_readable(int fd)
 FDYieldUntilData data;
 
 assert(qemu_in_coroutine());
+data.ctx = qemu_get_current_aio_context();
 data.co = qemu_coroutine_self();
 data.fd = fd;
-qemu_set_fd_handler(fd, fd_coroutine_enter, NULL, &data);
+aio_set_fd_handler(
+data.ctx, fd, false, fd_coroutine_enter, NULL, NULL, &data);
 qemu_coroutine_yield();
 }
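
Review bot: in yield_until_fd_readable(), `data` lives on the coroutine stack and `&data` is handed to aio_set_fd_handler() as the opaque pointer, so the handler must be removed from the same context before the coroutine can return. That holds only because fd_coroutine_enter() deregisters through `data->ctx` before calling qemu_coroutine_enter(); a short comment at the `data.ctx = qemu_get_current_aio_context();` line saying the context is captured for that reason would keep a later change from re-querying the current context in the handler. The commit message ("Simply use qemu_get_current_aio_context()") should also state what went wrong with qemu_set_fd_handler() for callers outside the main loop, and the bare `false` argument deserves a named meaning in a comment.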
-- 
2.21.0




[PULL 0/2] Block patches

2019-10-25 Thread Stefan Hajnoczi
The following changes since commit 58560ad254fbda71d4daa6622d71683190070ee2:

  Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-4.2-20191024' into 
staging (2019-10-24 16:22:58 +0100)

are available in the Git repository at:

  https://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to d154ef37ff885918fa3e512fd7a8e42870291667:

  yield_until_fd_readable: make it work with any AioContect (2019-10-25 
14:38:29 +0200)


Pull request



Dietmar Maurer (1):
  yield_until_fd_readable: make it work with any AioContect

Julia Suvorova (1):
  virtio-blk: Add blk_drain() to virtio_blk_device_unrealize()

 hw/block/virtio-blk.c| 1 +
 util/qemu-coroutine-io.c | 7 +--
 2 files changed, 6 insertions(+), 2 deletions(-)

-- 
2.21.0




Re: [PATCH] Semihost SYS_READC implementation (v4)

2019-10-25 Thread Keith Packard
Peter Maydell  writes:

> Is there a specification for RISC-V semihosting? This is
> likely to be my first question when the support comes
> round for review, so you can have it early :-)  We'd
> prefer to implement specified interfaces, not random
> ad-hoc "this seems to be what newlib wants to see,
> which in turn got hacked together by copying some other
> architecture's code".

There seems to be convergence on a pretty simple interface which uses
ebreak surrounded by a couple of specific no-ops:

  slli x0, x0, 0x1f
  ebreak
  srai x0, x0, 0x7

There are implementations in rust and openocd, and I've got one for
picolibc. The risc-v semihosting code is sitting on a branch in my repo
on github:

https://github.com/keith-packard/qemu/tree/riscv-semihost

> (describing a mechanism to avoid stopping the emulator)
> This feels to me like it's a bit overcomplicated unless it turns out
> we actually require it though.

Would also be nice for multi-core setups. I'd like to start with the
simple plan for now.

> Isn't the answer to this "don't use a command line that tries
> to connect stdio to multiple things" ?

Uh, we do that all the time? The mux device is designed to handle this
so that you can use stdio for both monitor commands and application
I/O. It's very convenient, the only issue is that the last device that
hooks to the mux ends up getting input first (you use ^Ac to rotate
among the selected devices).

-- 
-keith
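
The framing described in the message above, as an added example that is not part of the original message or of QEMU: a C check that an `ebreak` at a given byte offset sits between `slli x0, x0, 0x1f` and `srai x0, x0, 0x7`, so a plain breakpoint is not mistaken for a semihosting call. The function names and the sample buffer are constructed for illustration; the encodings are built from the standard RISC-V I-type layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RV_OPC_OP_IMM 0x13u        /* opcode shared by slli and srai */
#define RV_EBREAK     0x00100073u  /* ebreak has one fixed encoding */

/* Assemble an I-type word: imm[11:0] | rs1 | funct3 | rd | opcode. */
static uint32_t rv_itype(uint32_t imm12, uint32_t rs1, uint32_t funct3,
                         uint32_t rd, uint32_t opcode)
{
    return ((imm12 & 0xfffu) << 20) | ((rs1 & 0x1fu) << 15) |
           ((funct3 & 0x7u) << 12) | ((rd & 0x1fu) << 7) | (opcode & 0x7fu);
}

/* slli x0, x0, 0x1f: funct3 = 001, shift amount in imm[4:0]. */
uint32_t semihost_prefix(void)
{
    return rv_itype(0x01f, 0, 1, 0, RV_OPC_OP_IMM);
}

/* srai x0, x0, 0x7: funct3 = 101, imm[10] selects the arithmetic shift. */
uint32_t semihost_suffix(void)
{
    return rv_itype(0x400 | 0x7, 0, 5, 0, RV_OPC_OP_IMM);
}

/* RISC-V instruction words are stored little-endian. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * True when the word at byte offset `off` is an ebreak framed by both
 * markers. The bounds check refuses an ebreak that is the first or last
 * word of the buffer, because one of its neighbours cannot be read.
 */
bool is_semihost_call(const uint8_t *code, size_t len, size_t off)
{
    if (off < 4 || len < 8 || off > len - 8) {
        return false;
    }
    return load_le32(code + off - 4) == semihost_prefix() &&
           load_le32(code + off) == RV_EBREAK &&
           load_le32(code + off + 4) == semihost_suffix();
}

/* Assumption: the buffer holds only 32-bit (uncompressed) instructions. */
size_t count_semihost_calls(const uint8_t *code, size_t len)
{
    size_t off, n = 0;

    for (off = 4; len >= 8 && off <= len - 8; off += 4) {
        n += is_semihost_call(code, len, off);
    }
    return n;
}

/* Constructed sample: nop, slli, ebreak, srai, plain ebreak, nop. */
const uint8_t sample_code[24] = {
    0x13, 0x00, 0x00, 0x00,   /* addi x0, x0, 0 (nop)       */
    0x13, 0x10, 0xf0, 0x01,   /* slli x0, x0, 0x1f          */
    0x73, 0x00, 0x10, 0x00,   /* ebreak (semihosting call)  */
    0x13, 0x50, 0x70, 0x40,   /* srai x0, x0, 0x7           */
    0x73, 0x00, 0x10, 0x00,   /* ebreak (plain breakpoint)  */
    0x13, 0x00, 0x00, 0x00,   /* addi x0, x0, 0 (nop)       */
};

int main(void)
{
    printf("prefix=0x%08x suffix=0x%08x calls=%zu\n",
           (unsigned)semihost_prefix(), (unsigned)semihost_suffix(),
           count_semihost_calls(sample_code, sizeof(sample_code)));
    return 0;
}
```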




Re: [PATCH 0/7] i386: Add `machine` parameter to query-cpu-definitions

2019-10-25 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20191025022553.25298-1-ehabk...@redhat.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH 0/7] i386: Add `machine` parameter to query-cpu-definitions
Type: series
Message-id: 20191025022553.25298-1-ehabk...@redhat.com

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
80774f3 cpu: Add `machine` parameter to query-cpu-definitions
a94469e i386: Don't use default_cpu_version() inside query-cpu-definitions
9c82004 i386: Remove x86_cpu_set_default_version() function
c529624 machine: machine_find_class() function
f79edfc i386: Don't use default_cpu_version at "-cpu help"
0106983 i386: Add default_version parameter to CPU version functions
d6a172b i386: Use g_autofree at x86_cpu_list_entry()

=== OUTPUT BEGIN ===
1/7 Checking commit d6a172b05619 (i386: Use g_autofree at x86_cpu_list_entry())
2/7 Checking commit 0106983c7b3c (i386: Add default_version parameter to CPU 
version functions)
WARNING: line over 80 characters
#28: FILE: target/i386/cpu.c:3191:
+   X86CPUVersion 
default_version)

WARNING: line over 80 characters
#60: FILE: target/i386/cpu.c:3983:
+g_autofree char *alias_of = x86_cpu_class_get_alias_of(cc, 
default_cpu_version);

WARNING: line over 80 characters
#78: FILE: target/i386/cpu.c:4121:
+X86CPUVersion version = x86_cpu_model_resolve_version(model, 
default_cpu_version);

total: 0 errors, 3 warnings, 55 lines checked

Patch 2/7 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
3/7 Checking commit f79edfcd6195 (i386: Don't use default_cpu_version at "-cpu 
help")
4/7 Checking commit c529624d287b (machine: machine_find_class() function)
5/7 Checking commit 9c820045c733 (i386: Remove x86_cpu_set_default_version() 
function)
WARNING: line over 80 characters
#81: FILE: target/i386/cpu.c:3178:
+(PCMachineClass *)object_class_dynamic_cast(OBJECT_CLASS(mc), 
TYPE_PC_MACHINE);

WARNING: line over 80 characters
#87: FILE: target/i386/cpu.c:3184:
+return 
default_cpu_version_for_machine(MACHINE_GET_CLASS(qdev_get_machine()));

WARNING: line over 80 characters
#110: FILE: target/i386/cpu.c:4134:
+X86CPUVersion version = x86_cpu_model_resolve_version(model, 
default_cpu_version());

total: 0 errors, 3 warnings, 88 lines checked

Patch 5/7 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/7 Checking commit a94469ea9b83 (i386: Don't use default_cpu_version() inside 
query-cpu-definitions)
7/7 Checking commit 80774f3866be (cpu: Add `machine` parameter to 
query-cpu-definitions)
WARNING: line over 80 characters
#147: FILE: tests/acceptance/x86_cpu_model_versions.py:238:
+"""Check if unversioned CPU model is an alias pointing to right 
version"""

ERROR: line over 90 characters
#152: FILE: tests/acceptance/x86_cpu_model_versions.py:243:
+cpus1 = dict((m['name'], m.get('alias-of')) for m in 
vm1.command('query-cpu-definitions', machine='none'))

ERROR: line over 90 characters
#159: FILE: tests/acceptance/x86_cpu_model_versions.py:250:
+cpus2 = dict((m['name'], m.get('alias-of')) for m in 
vm2.command('query-cpu-definitions'))

WARNING: line over 80 characters
#165: FILE: tests/acceptance/x86_cpu_model_versions.py:256:
+"""Check if unversioned CPU model is an alias pointing to right 
version"""

ERROR: line over 90 characters
#170: FILE: tests/acceptance/x86_cpu_model_versions.py:261:
+cpus1 = dict((m['name'], m.get('alias-of')) for m in 
vm1.command('query-cpu-definitions', machine='pc-i440fx-4.1'))

ERROR: line over 90 characters
#177: FILE: tests/acceptance/x86_cpu_model_versions.py:268:
+cpus2 = dict((m['name'], m.get('alias-of')) for m in 
vm2.command('query-cpu-definitions'))

total: 4 errors, 2 warnings, 141 lines checked

Patch 7/7 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


The full log is available at
http://patchew.org/logs/20191025022553.25298-1-ehabk...@redhat.com/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

[PATCH] Semihost SYS_READC implementation (v5)

2019-10-25 Thread Keith Packard
Provides a blocking call to read a character from the console using
semihosting.chardev, if specified. This takes some careful command
line options to use stdio successfully as the serial ports, monitor
and semihost all want to use stdio. Here's a sample set of command
line options which share stdio between semihost, monitor and serial
ports:

qemu \
-chardev stdio,mux=on,id=stdio0 \
-serial chardev:stdio0 \
-semihosting-config enable=on,chardev=stdio0 \
-mon chardev=stdio0,mode=readline

This creates a chardev hooked to stdio and then connects all of the
subsystems to it. A shorter mechanism would be good to hear about.

Signed-off-by: Keith Packard 
---

v2:
Add implementation in linux-user/arm/semihost.c

v3:  (thanks to Paolo Bonzini )
Replace hand-rolled fifo with fifo8
Avoid mixing code and declarations
Remove spurious (void) cast of function parameters
Define qemu_semihosting_console_init when CONFIG_USER_ONLY

v4:
Add qemu_semihosting_console_init to stubs/semihost.c for
hosts that don't support semihosting

v5:
Move #include statements to the top of the file.
Actually include the stubs/semihost.c patch that was
supposed to be in v4

 hw/semihosting/console.c  | 72 +++
 include/hw/semihosting/console.h  | 12 ++
 include/hw/semihosting/semihost.h |  4 ++
 linux-user/arm/semihost.c | 23 ++
 stubs/semihost.c  |  4 ++
 target/arm/arm-semi.c |  3 +-
 vl.c  |  3 ++
 7 files changed, 119 insertions(+), 2 deletions(-)

diff --git a/hw/semihosting/console.c b/hw/semihosting/console.c
index b4b17c8afb..4db68d6227 100644
--- a/hw/semihosting/console.c
+++ b/hw/semihosting/console.c
@@ -22,6 +22,12 @@
 #include "exec/gdbstub.h"
 #include "qemu/log.h"
 #include "chardev/char.h"
+#include 
+#include "chardev/char-fe.h"
+#include "sysemu/sysemu.h"
+#include "qemu/main-loop.h"
+#include "qapi/error.h"
+#include "qemu/fifo8.h"
 
 int qemu_semihosting_log_out(const char *s, int len)
 {
@@ -98,3 +104,69 @@ void qemu_semihosting_console_outc(CPUArchState *env, 
target_ulong addr)
   __func__, addr);
 }
 }
+
+#define FIFO_SIZE   1024
+
+typedef struct SemihostingConsole {
+CharBackend backend;
+pthread_mutex_t mutex;
+pthread_cond_t  cond;
+boolgot;
+Fifo8   fifo;
+} SemihostingConsole;
+
+static SemihostingConsole console = {
+.mutex = PTHREAD_MUTEX_INITIALIZER,
+.cond = PTHREAD_COND_INITIALIZER
+};
+
+static int console_can_read(void *opaque)
+{
+SemihostingConsole *c = opaque;
+int ret;
+pthread_mutex_lock(&c->mutex);
+ret = (int) fifo8_num_free(&c->fifo);
+pthread_mutex_unlock(&c->mutex);
+return ret;
+}
+
+static void console_read(void *opaque, const uint8_t *buf, int size)
+{
+SemihostingConsole *c = opaque;
+pthread_mutex_lock(&c->mutex);
+while (size-- && !fifo8_is_full(&c->fifo)) {
+fifo8_push(&c->fifo, *buf++);
+}
+pthread_cond_broadcast(&c->cond);
+pthread_mutex_unlock(&c->mutex);
+}
+
+target_ulong qemu_semihosting_console_inc(CPUArchState *env)
+{
+uint8_t ch;
+SemihostingConsole *c = &console;
+qemu_mutex_unlock_iothread();
+pthread_mutex_lock(&c->mutex);
+while (fifo8_is_empty(&c->fifo)) {
+pthread_cond_wait(&c->cond, &c->mutex);
+}
+ch = fifo8_pop(&c->fifo);
+pthread_mutex_unlock(&c->mutex);
+qemu_mutex_lock_iothread();
+return (target_ulong) ch;
+}
+
+void qemu_semihosting_console_init(void)
+{
+Chardev *chr = semihosting_get_chardev();
+
+if  (chr) {
+fifo8_create(&console.fifo, FIFO_SIZE);
+qemu_chr_fe_init(&console.backend, chr, &error_abort);
+qemu_chr_fe_set_handlers(&console.backend,
+ console_can_read,
+ console_read,
+ NULL, NULL, &console,
+ NULL, true);
+}
+}
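
Review bot: qemu_semihosting_console_inc() has no way out of its wait loop. When semihosting_get_chardev() returns NULL, qemu_semihosting_console_init() registers no handlers, so nothing ever pushes into the fifo and the calling vCPU thread sleeps in pthread_cond_wait() for good; the same happens if the backend closes, since no event callback is passed to qemu_chr_fe_set_handlers(). Record whether the console was initialised and return an error when it was not, and wake the waiter on close. Two smaller points in the same hunk: the `got` member of SemihostingConsole is never read or written, and the raw pthread_mutex_t/pthread_cond_t sit next to qemu_mutex_unlock_iothread(), so QemuMutex/QemuCond would be the consistent choice.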
diff --git a/include/hw/semihosting/console.h b/include/hw/semihosting/console.h
index 9be9754bcd..f7d5905b41 100644
--- a/include/hw/semihosting/console.h
+++ b/include/hw/semihosting/console.h
@@ -37,6 +37,18 @@ int qemu_semihosting_console_outs(CPUArchState *env, 
target_ulong s);
  */
 void qemu_semihosting_console_outc(CPUArchState *env, target_ulong c);
 
+/**
+ * qemu_semihosting_console_inc:
+ * @env: CPUArchState
+ *
+ * Receive single character from debug console. This
+ * may be the remote gdb session if a softmmu guest is currently being
+ * debugged.
+ *
+ * Returns: character read or -1 on error
+ */
+target_ulong qemu_semihosting_console_inc(CPUArchState *env);
+
 /**
  * qemu_semihosting_log_out:
  * @s: pointer to string
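
Review bot: the doc comment for qemu_semihosting_console_inc() promises "-1 on error", but the declared return type is target_ulong and the implementation in console.c only ever returns the popped byte, so a caller cannot see an error. Either give the function a signed return type and an error path, or drop the "-1" wording. The sentence about "the remote gdb session" also does not match the implementation in this patch, which reads only from the semihosting chardev fifo.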
diff --git a/include/hw/semihosting/semihost.h 
b/include/hw/semihosting/semihost.h
index 60fc42d851..b8ce5117ae 10064

Re: [PATCH] Semihost SYS_READC implementation (v4)

2019-10-25 Thread no-reply
Patchew URL: https://patchew.org/QEMU/20191024224622.12371-1-kei...@keithp.com/



Hi,

This series failed the docker-mingw@fedora build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#! /bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC  aarch64-softmmu/target/arm/translate-sve.o
../vl.o: In function `qemu_main':
/tmp/qemu-test/src/vl.c:4385: undefined reference to 
`qemu_semihosting_console_init'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:206: qemu-system-x86_64w.exe] Error 1
make: *** [Makefile:482: x86_64-softmmu/all] Error 2
make: *** Waiting for unfinished jobs
  LINKaarch64-softmmu/qemu-system-aarch64w.exe
  GEN aarch64-softmmu/qemu-system-aarch64.exe
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=c8023af7d17f49c389a9dbb7c2292a6e', '-u', 
'1001', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-wurz4hht/src/docker-src.2019-10-25-14.17.51.2074:/var/tmp/qemu:z,ro',
 'qemu:fedora', '/var/tmp/qemu/run', 'test-mingw']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=c8023af7d17f49c389a9dbb7c2292a6e
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-wurz4hht/src'
make: *** [docker-run-test-mingw@fedora] Error 2

real2m52.599s
user0m8.472s


The full log is available at
http://patchew.org/logs/20191024224622.12371-1-kei...@keithp.com/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

Re: [PATCH] Semihost SYS_READC implementation (v4)

2019-10-25 Thread no-reply
Patchew URL: https://patchew.org/QEMU/20191024224622.12371-1-kei...@keithp.com/



Hi,

This series failed the docker-quick@centos7 build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC  aarch64-softmmu/trace/generated-helpers.o
../vl.o: In function `main':
/tmp/qemu-test/src/vl.c:4385: undefined reference to 
`qemu_semihosting_console_init'
collect2: error: ld returned 1 exit status
make[1]: *** [qemu-system-x86_64] Error 1
make: *** [x86_64-softmmu/all] Error 2
make: *** Waiting for unfinished jobs
  LINKaarch64-softmmu/qemu-system-aarch64
Traceback (most recent call last):
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=56d753bff38f4c6794bd90f9a5f3e2df', '-u', 
'1001', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-kcdksyw0/src/docker-src.2019-10-25-14.14.31.23494:/var/tmp/qemu:z,ro',
 'qemu:centos7', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=56d753bff38f4c6794bd90f9a5f3e2df
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-kcdksyw0/src'
make: *** [docker-run-test-quick@centos7] Error 2

real2m45.581s
user0m8.220s


The full log is available at
http://patchew.org/logs/20191024224622.12371-1-kei...@keithp.com/testing.docker-quick@centos7/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

[Bug 1849879] [NEW] qemu-arm should accept vmrs apsr_nzcv, fpscr on M-profile

2019-10-25 Thread Christophe Lyon
Public bug reported:

I've noticed that qemu-arm for cortex-M considers
vmrs apsr_nzcv, fpscr
as an illegal instruction.

In this case, rt==15 means APSR, and the instruction should be accepted
and executed like for A-profile.

I posted a small patch:
https://lists.gnu.org/archive/html/qemu-devel/2019-10/msg06978.html

** Affects: qemu
 Importance: Undecided
 Status: New




Re: [PATCH v6 06/11] qapi: add failover negotiated event

2019-10-25 Thread Jens Freimann

On Fri, Oct 25, 2019 at 04:03:54PM +0200, Markus Armbruster wrote:

Bear with me, I know next to nothing about failover.

Jens Freimann  writes:


This event is sent to let libvirt know that VIRTIO_NET_F_STANDBY feature
was enabled. The primary device this virtio-net device is associated
with, will now be hotplugged via qdev_device_add().


Passive voice deftly avoids telling the reader who will do the
hot-plugging.  Intentional?


Not really, it's in the comment to the event. The hotplug will be
done by the virtio-net device code that activates the feature, in
virtio_net_set_features().




Signed-off-by: Jens Freimann 
Acked-by: Cornelia Huck 
---
 qapi/net.json | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/qapi/net.json b/qapi/net.json
index 728990f4fb..ea64f7 100644
--- a/qapi/net.json
+++ b/qapi/net.json
@@ -737,3 +737,22 @@
 ##
 { 'command': 'announce-self', 'boxed': true,
   'data' : 'AnnounceParameters'}
+
+##
+# @FAILOVER_NEGOTIATED:
+#
+# Emitted when VIRTIO_NET_F_STANDBY was enabled during feature negotiation.
+# Failover primary devices which were hidden (not hotplugged when requested)
+# before will now be hotplugged by the virtio-net standby device.
+#
+# device-id: QEMU device id of the unplugged device
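
Review bot: the member line "# device-id:" lacks the "@" prefix that the "# @FAILOVER_NEGOTIATED:" line above it uses, so write it as "# @device-id:". Its description, "QEMU device id of the unplugged device", also contradicts the paragraph before it, which talks about primary devices being hotplugged by the standby device; say explicitly which of the devices the id names.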


@device-id is new since v5.

A quick skim of
https://www.kernel.org/doc/html/latest/networking/net_failover.html
tells me there are three devices involved: master, primary slave,
standby slave.  Which one is @device-id?  Or am I confused?


Yes, the device-id is new and it's the device-id of the standby (i.e.
virtio-net) device.

regards,
Jens 





Re: [PATCH v6 01/11] qdev/qbus: add hidden device support

2019-10-25 Thread Dr. David Alan Gilbert
* Jens Freimann (jfreim...@redhat.com) wrote:
> This adds support for hiding a device to the qbus and qdev APIs.  The
> first user of this will be the virtio-net failover feature but the API
> introduced with this patch could be used to implement other features as
> well, for example hiding pci devices when a pci bus is powered off.
> 
> qdev_device_add() is modified to check for a failover_pair_id
> argument in the option string. A DeviceListener callback
> should_be_hidden() is added. It can be used by a standby device to
> inform qdev that this device should not be added now. The standby device
> handler can store the device options to plug the device in at a later
> point in time.
> 
> One reason for hiding the device is that we don't want to expose both
> devices to the guest kernel until the respective virtio feature bit
> VIRTIO_NET_F_STANDBY was negotiated and we know that the devices will be
> handled correctly by the guest.
> 
> More information on the kernel feature this is using:
>  https://www.kernel.org/doc/html/latest/networking/net_failover.html
> 
> An example where the primary device is a vfio-pci device and the standby
> device is a virtio-net device:
> 
> A device is hidden when it has an "failover_pair_id" option, e.g.
> 
>  -device virtio-net-pci,...,failover=on,...
>  -device vfio-pci,...,failover_pair_id=net1,...
> 
> Signed-off-by: Jens Freimann 
> Reviewed-by: Cornelia Huck 

I think I see why you've done this, but I'd lay odds on that we're
going to find some odd corners of other things in qemu prodding hidden
devices.  We'll see!

Dave

> ---
>  hw/core/qdev.c | 24 
>  include/hw/qdev-core.h | 29 +
>  qdev-monitor.c | 41 +
>  vl.c   |  6 --
>  4 files changed, 94 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index cbad6c1d55..3b8d43d0fd 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -212,6 +212,30 @@ void device_listener_unregister(DeviceListener *listener)
>  QTAILQ_REMOVE(&device_listeners, listener, link);
>  }
>  
> +bool qdev_should_hide_device(QemuOpts *opts)
> +{
> +int rc = -1;
> +DeviceListener *listener;
> +
> +QTAILQ_FOREACH(listener, &device_listeners, link) {
> +   if (listener->should_be_hidden) {
> +/*
> + * should_be_hidden_will return
> + *  1 if device matches opts and it should be hidden
> + *  0 if device matches opts and should not be hidden
> + *  -1 if device doesn't match ops
> + */
> +rc = listener->should_be_hidden(listener, opts);
> +}
> +
> +if (rc > 0) {
> +break;
> +}
> +}
> +
> +return rc > 0;
> +}
> +
>  void qdev_set_legacy_instance_id(DeviceState *dev, int alias_id,
>   int required_for_version)
>  {
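
Review bot: qdev_should_hide_device() reduces the callback's three results to `rc > 0`, so the documented difference between 0 ("matches, do not hide") and -1 ("does not match") is never used by any caller in this hunk. Either make should_be_hidden() return bool, or stop the loop on the first listener that returns 0 or 1 so a later listener cannot override a matching one. The comment also has two typos to fix while there: "should_be_hidden_will return" and "doesn't match ops".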
> diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
> index aa123f88cb..710981af36 100644
> --- a/include/hw/qdev-core.h
> +++ b/include/hw/qdev-core.h
> @@ -78,6 +78,19 @@ typedef void (*BusUnrealize)(BusState *bus, Error **errp);
>   * respective parent types.
>   *   
>   * 
> + *
> + * # Hiding a device #
> + * To hide a device, a DeviceListener function should_be_hidden() needs to
> + * be registered.
> + * It can be used to defer adding a device and therefore hide it from the
> + * guest. The handler registering to this DeviceListener can save the QOpts
> + * passed to it for re-using it later and must return that it wants the 
> device
> + * to be/remain hidden or not. When the handler function decides the device
> + * shall not be hidden it will be added in qdev_device_add() and
> + * realized as any other device. Otherwise qdev_device_add() will return 
> early
> + * without adding the device. The guest will not see a "hidden" device
> + * until it was marked don't hide and qdev_device_add called again.
> + *
>   */
>  typedef struct DeviceClass {
>  /*< private >*/
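
Review bot: the "Hiding a device" documentation refers to "QOpts", but the type used by the callback and by qdev_should_hide_device() is QemuOpts; use the real type name. The last sentence ("until it was marked don't hide and qdev_device_add called again") should say who is expected to make that second qdev_device_add() call and how the handler's answer changes between the two calls, since that is the contract a listener author needs.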
> @@ -154,6 +167,12 @@ struct DeviceState {
>  struct DeviceListener {
>  void (*realize)(DeviceListener *listener, DeviceState *dev);
>  void (*unrealize)(DeviceListener *listener, DeviceState *dev);
> +/*
> + * This callback is called upon init of the DeviceState and allows to
> + * inform qdev that a device should be hidden, depending on the device
> + * opts, for example, to hide a standby device.
> + */
> +int (*should_be_hidden)(DeviceListener *listener, QemuOpts *device_opts);
>  QTAILQ_ENTRY(DeviceListener) link;
>  };
>  
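
Review bot: the comment on should_be_hidden() does not document the int return value. The 1 / 0 / -1 meaning appears only in a comment inside qdev_should_hide_device() in hw/core/qdev.c; state it here at the declaration, where implementers of a DeviceListener will look. "allows to inform qdev" also needs an object, for example "allows a listener to inform qdev".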
> @@ -451,4 +470,14 @@ static inline bool qbus_is_hotpluggable(BusState *bus)
>  void device_listener_register(DeviceListener *listener);
>  void device_listener_unregister(DeviceListener *listener);
>  
> +/**
> + * @qdev_should_hide_device:
> + * @opts: QemuOpts as passed on cmdline.
> + *
> + * Check if a device should be added.
> + * When a device is

Re: [PATCH 00/11] tests/acceptance: Fix 64-bit MIPS target tests

2019-10-25 Thread Philippe Mathieu-Daudé

On 10/25/19 6:46 PM, Aleksandar Markovic wrote:

On Thu, Oct 24, 2019 at 11:23 AM Aleksandar Markovic
 wrote:


ping for Cleber and Eduardo



I applied patches 7, 8, 9, 10, and 11 to MIPS queue.


Thanks Aleksandar!


