Re: [PATCH v4 3/3] hw/misc/mos6522: move timer_new from init() into realize() to avoid memleaks

2020-03-12 Thread David Gibson
On Fri, Mar 06, 2020 at 09:56:52AM +1100, David Gibson wrote:
> On Thu, Mar 05, 2020 at 02:54:22PM +0800, Pan Nengyuan wrote:
> > There are some memleaks when we call 'device_list_properties'. This patch 
> > moves timer_new from init into realize to fix it.
> > 
> > Reported-by: Euler Robot 
> > Signed-off-by: Pan Nengyuan 
> 
> Applied to ppc-for-5.0.
> 
> Probably the memory region stuff should be in realize() rather than
> init() as well, but that can be fixed later.

and removed again.  This causes SEGVs during make
check-qtest-ppc64.

> 
> > ---
> > Cc: Laurent Vivier 
> > Cc: Mark Cave-Ayland 
> > Cc: David Gibson 
> > Cc: qemu-...@nongnu.org
> > ---
> > v2->v1:
> > - no changes in this patch.
> > v3->v2:
> > - remove null check in reset, and add calls to mos6522_realize() in 
> > mac_via_realize to make this move to be valid.
> > v4->v3:
> > - split patch into two, this patch fix the memleaks.
> > ---
> >  hw/misc/mos6522.c | 6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/hw/misc/mos6522.c b/hw/misc/mos6522.c
> > index 19e154b870..c1cd154a84 100644
> > --- a/hw/misc/mos6522.c
> > +++ b/hw/misc/mos6522.c
> > @@ -485,6 +485,11 @@ static void mos6522_init(Object *obj)
> >  for (i = 0; i < ARRAY_SIZE(s->timers); i++) {
> >  s->timers[i].index = i;
> >  }
> > +}
> > +
> > +static void mos6522_realize(DeviceState *dev, Error **errp)
> > +{
> > +MOS6522State *s = MOS6522(dev);
> >  
> >  s->timers[0].timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, mos6522_timer1, 
> > s);
> >  s->timers[1].timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, mos6522_timer2, 
> > s);
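Review bot: with the timer_new_ns() calls moved into mos6522_realize(), s->timers[0].timer and s->timers[1].timer are NULL from init until realize, and the v3 changelog says the NULL check in reset was removed, so a reset on an instance whose owner never calls realize will touch a NULL timer. Every device that embeds a MOS6522 has to realize it before first use, which is worth checking against the SEGVs reported for make check-qtest-ppc64. The new realize also has no matching unrealize that frees the two timers.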
> > @@ -502,6 +507,7 @@ static void mos6522_class_init(ObjectClass *oc, void 
> > *data)
> >  
> >  dc->reset = mos6522_reset;
> >  dc->vmsd = &vmstate_mos6522;
> > +dc->realize = mos6522_realize;
> >  device_class_set_props(dc, mos6522_properties);
> >  mdc->parent_reset = dc->reset;
> >  mdc->set_sr_int = mos6522_set_sr_int;
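Review bot: dc->realize is assigned directly here, so a subclass class_init that installs its own realize silently drops mos6522_realize() and leaves the timers unallocated. The hunk already saves the parent reset in mdc->parent_reset, and realize wants the same treatment, for example through device_class_set_parent_realize() in the subclasses.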
> 



-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v4 00/10] Further bitmaps improvements

2020-03-12 Thread Vladimir Sementsov-Ogievskiy

12.03.2020 23:41, John Snow wrote:



On 3/12/20 1:59 AM, Vladimir Sementsov-Ogievskiy wrote:

11.03.2020 20:03, John Snow wrote:



On 3/11/20 9:58 AM, Vladimir Sementsov-Ogievskiy wrote:

11.03.2020 12:55, Max Reitz wrote:

On 11.03.20 07:17, Vladimir Sementsov-Ogievskiy wrote:

10.03.2020 20:17, Max Reitz wrote:

On 06.03.20 08:45, Vladimir Sementsov-Ogievskiy wrote:

26.02.2020 16:13, Max Reitz wrote:

On 05.02.20 12:20, Vladimir Sementsov-Ogievskiy wrote:

Hi!

The main feature here is improvement of _next_dirty_area API, which I'm
going to use then for backup / block-copy.

Somehow, I thought that it was merged, but seems I even forgot to send
v4.


The changes from v3 look good to me, but I’d prefer a review from Eric
on patch 8.



Hi!

Could you take it now, or do you prefer me to resend?


I understand that you agreed to drop the comment above
bd_extent_array_convert_to_be(), then do the
“s/further call/so further calls/” replacement, and finally replace the
whole four lines Eric has quoted by “(this ensures that after a failure,
no further extents can accidentally change the bounds of the last extent
in the array)”?



Yes, all true.


Hm, I could take it then, but on second thought, John is the maintainer
for 8/10 patches, and Eric is for the other two...  So I’m not sure
whether I’m even the right person to do so.



Hmm, true. Let's wait for John?




I am *VERY* behind on my email, and this patch series is sitting in my
to-review folder. However, if it's ready to go and reviewed, I'm willing
to merge it, test it, and give it a quick look-over and get you on
your way.



It would be great, if it is convenient for you. Thanks!
All patches are reviewed now by Max or Eric, so, I'd be very glad if
this get in 5.0.





Thanks, applied to my bitmaps tree:

https://github.com/jnsnow/qemu/commits/bitmaps
https://github.com/jnsnow/qemu.git



Thank you!


--
Best regards,
Vladimir



Re: [PATCH] block/io: fix bdrv_co_do_copy_on_readv

2020-03-12 Thread Vladimir Sementsov-Ogievskiy

13.03.2020 2:09, John Snow wrote:



On 3/12/20 4:19 AM, Vladimir Sementsov-Ogievskiy wrote:

Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
anyway.

But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
part of original qiov, defined by qiov_offset and bytes. So we must not
touch qiov behind qiov_offset+bytes bound. Fix it.



For the purposes of the stable branch commit log, how does the bug
manifest? Are there known cases? What's the impact?

(Do we have tests?)


Sorry, nothing of these things. I just saw it while working with this code.




Cc: qemu-sta...@nongnu.org # v4.2
Fixes: 1143ec5ebf4
Signed-off-by: Vladimir Sementsov-Ogievskiy 
---
  block/io.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/io.c b/block/io.c
index 7e4cb74cf4..aba67f66b9 100644
--- a/block/io.c
+++ b/block/io.c
@@ -1399,7 +1399,7 @@ static int coroutine_fn 
bdrv_co_do_copy_on_readv(BdrvChild *child,
  if (!(flags & BDRV_REQ_PREFETCH)) {
  qemu_iovec_from_buf(qiov, qiov_offset + progress,
  bounce_buffer + skip_bytes,
-pnum - skip_bytes);
+MIN(pnum - skip_bytes, bytes - progress));
  }
  } else if (!(flags & BDRV_REQ_PREFETCH)) {
  /* Read directly into the destination */
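Review bot: the new MIN(pnum - skip_bytes, bytes - progress) bound in the qemu_iovec_from_buf() call carries no comment, and the reason pnum - skip_bytes can exceed what remains of the request is only in the commit message. A one-line comment above the call saying the copy must stay within qiov_offset + bytes would keep the clamp from being simplified away later, and an assertion that progress does not exceed bytes before the call would document that the second operand cannot go negative.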


Even if I don't understand the bug, the tighter bound seems provably
correct anyway, so...

Reviewed-by: John Snow 



Thanks!

--
Best regards,
Vladimir



Re: [PATCH v9 00/10] error: auto propagated local_err part I

2020-03-12 Thread Vladimir Sementsov-Ogievskiy

12.03.2020 17:24, Markus Armbruster wrote:

Vladimir Sementsov-Ogievskiy  writes:


v9
01: A lot of rewordings [thanks to Eric]
    Still, keep all r-b marks, assuming that they are mostly about macro
    definition
02: significant changes are:
    1. Do not match double propagation pattern in
       ERRP_AUTO_PROPAGATE-adding rule
    2. Introduce errp->->errp scheme to match only functions matched by
       rule1 in rules inherited from rule1
    3. Add rules to warn about unusual patterns

    Also, add line to MAINTAINERS to keep error related coccinelle scripts
    under Error section.
07: add Christian's r-b
09: add Eric's r-b
10: a bit of context in xen_block_iothread_create  and qmp_object_add()
    signature are changed. Patch change is obvious, so I keep Paul's r-b

v9 is available at
  https://src.openvz.org/scm/~vsementsov/qemu.git #tag up-auto-local-err-partI-v9


Did you forget to push the tag?


Seems I've pushed it to wrong remote. Done now.




v8 is available at
  https://src.openvz.org/scm/~vsementsov/qemu.git #tag up-auto-local-err-partI-v8

[...]




--
Best regards,
Vladimir



Re: [PATCH v9 02/10] scripts: Coccinelle script to use ERRP_AUTO_PROPAGATE()

2020-03-12 Thread Vladimir Sementsov-Ogievskiy

12.03.2020 19:36, Markus Armbruster wrote:

I may have a second look tomorrow with fresher eyes, but let's get this
out now as is.

Vladimir Sementsov-Ogievskiy  writes:


Script adds ERRP_AUTO_PROPAGATE macro invocation where appropriate and
does corresponding changes in code (look for details in
include/qapi/error.h)

Usage example:
spatch --sp-file scripts/coccinelle/auto-propagated-errp.cocci \
  --macro-file scripts/cocci-macro-file.h --in-place --no-show-diff \
  --max-width 80 FILES...

Signed-off-by: Vladimir Sementsov-Ogievskiy 
---

Cc: Eric Blake 
Cc: Kevin Wolf 
Cc: Max Reitz 
Cc: Greg Kurz 
Cc: Christian Schoenebeck 
Cc: Stefano Stabellini 
Cc: Anthony Perard 
Cc: Paul Durrant 
Cc: Stefan Hajnoczi 
Cc: "Philippe Mathieu-Daudé" 
Cc: Laszlo Ersek 
Cc: Gerd Hoffmann 
Cc: Stefan Berger 
Cc: Markus Armbruster 
Cc: Michael Roth 
Cc: qemu-devel@nongnu.org
Cc: qemu-bl...@nongnu.org
Cc: xen-de...@lists.xenproject.org

  scripts/coccinelle/auto-propagated-errp.cocci | 327 ++
  include/qapi/error.h  |   3 +
  MAINTAINERS   |   1 +
  3 files changed, 331 insertions(+)
  create mode 100644 scripts/coccinelle/auto-propagated-errp.cocci

diff --git a/scripts/coccinelle/auto-propagated-errp.cocci 
b/scripts/coccinelle/auto-propagated-errp.cocci
new file mode 100644
index 00..7dac2dcfa4
--- /dev/null
+++ b/scripts/coccinelle/auto-propagated-errp.cocci
@@ -0,0 +1,327 @@
+// Use ERRP_AUTO_PROPAGATE (see include/qapi/error.h)
+//
+// Copyright (c) 2020 Virtuozzo International GmbH.
+//
+// This program is free software; you can redistribute it and/or
+// modify it under the terms of the GNU General Public License as
+// published by the Free Software Foundation; either version 2 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see
+// .
+//
+// Usage example:
+// spatch --sp-file scripts/coccinelle/auto-propagated-errp.cocci \
+//  --macro-file scripts/cocci-macro-file.h --in-place \
+//  --no-show-diff --max-width 80 FILES...
+//
+// Note: --max-width 80 is needed because coccinelle default is less
+// than 80, and without this parameter coccinelle may reindent some
+// lines which fit into 80 characters but not to coccinelle default,
+// which in turn produces extra patch hunks for no reason.


This is about unwanted reformatting of parameter lists due to the ___
chaining hack.  --max-width 80 makes that less likely, but not
impossible.

We can search for unwanted reformatting of parameter lists.  I think
grepping diffs for '^\+.*Error \*\*' should do the trick.  For the whole
tree, I get one false positive (not a parameter list), and one hit:

 @@ -388,8 +388,10 @@ static void object_post_init_with_type(O
  }
  }

 -void object_apply_global_props(Object *obj, const GPtrArray *props, Error 
**errp)
 +void object_apply_global_props(Object *obj, const GPtrArray *props,
 +   Error **errp)
  {
 +ERRP_AUTO_PROPAGATE();
  int i;

  if (!props) {

Reformatting, but not unwanted.


Yes, I saw it. This line is 81 character length, so it's OK to fix it in
one hunk with ERRP_AUTO_PROPAGATE addition even for non-automatic patch.



The --max-width 80 hack is good enough for me.

It does result in slightly long transformed lines, e.g. this one in
replication.c:

 @@ -113,7 +113,7 @@ static int replication_open(BlockDriverS
  s->mode = REPLICATION_MODE_PRIMARY;
  top_id = qemu_opt_get(opts, REPLICATION_TOP_ID);
  if (top_id) {
 -error_setg(&local_err, "The primary side does not support option 
top-id");
 +error_setg(errp, "The primary side does not support option 
top-id");
  goto fail;
  }
  } else if (!strcmp(mode, "secondary")) {

v8 did break this line (that's how I found it).  However, v9 still
shortens the line, just not below the target.  All your + lines look
quite unlikely to lengthen lines.  Let's not worry about this.


+// Switch unusual Error ** parameter names to errp
+// (this is necessary to use ERRP_AUTO_PROPAGATE).
+//
+// Disable optional_qualifier to skip functions with
+// "Error *const *errp" parameter.
+//
+// Skip functions with "assert(_errp && *_errp)" statement, because
+// that signals unusual semantics, and the parameter name may well
+// serve a purpose. (like nbd_iter_channel_error()).
+//
+// Skip util/error.c to not touch, for example, error_propagate() and
+// error_propagate_prepend().
+@ depends on !(file in "util/error.c"

Re: [PATCH RFC 0/9] Add riscv64 kvm accel support

2020-03-12 Thread Anup Patel
On Fri, Mar 13, 2020 at 9:23 AM Yifei Jiang  wrote:
>
> Hi,
>
> This series adds riscv64 kvm support, It is based on riscv_kvm_master
> branch at https://github.com/kvm-riscv/linux.
>
> This series depends on above pending changes which haven't yet been
> accepted, so this QEMU patch series is blocked until that dependency
> has been dealt with, but is worth reviewing anyway.
>
> Several steps to use this:
>
> 1. Build riscv64 emulation
> $ ./configure --target-list=riscv64-softmmu
> $ make -j$(nproc)
>
> 2. Build kernel
> riscv_kvm_master branch at https://github.com/kvm-riscv/linux
>
> 3. Build QEMU VM
> I cross build in riscv toolchain
> $ PKG_CONFIG_LIBDIR=
> $ export PKG_CONFIG_SYSROOT_DIR=
> $ ./configure --target-list=riscv64-softmmu --enable-kvm \
> --cross-prefix=riscv64-linux-gnu- --disable-libiscsi --disable-glusterfs \
> --disable-libusb --disable-usb-redir --audio-drv-list= --disable-opengl \
> --disable-libxml2
>
> 4. Start riscv64 emulation
> $ ./qemu-system-riscv64 -M virt -m 4096M -cpu rv64,x-h=true -nographic \
> -name guest=riscv-hyp,debug-threads=on \
> -smp 4 \
> -kernel ./fw_jump.elf \
> -device loader,file=./Image,addr=0x8020 \
> -drive file=./hyp.img,format=raw,id=hd0 \
> -device virtio-blk-device,drive=hd0 \
> -append "root=/dev/vda rw console=ttyS0 earlycon=sbi"
>
> 5. Start kvm-acceled QEMU VM in riscv64 emulation
> $ ./qemu-system-riscv64 -M virt,accel=kvm -m 1024M -cpu host -nographic \
> -name guest=riscv-guset \
>  -smp 2 \
> -kernel ./Image \
> -drive file=./guest.img,format=raw,id=hd0 \
> -device virtio-blk-device,drive=hd0 \
> -append "root=/dev/vda rw console=ttyS0 earlycon=sbi"
>
> Yifei Jiang (9):
>   linux-header: Update linux/kvm.h
>   target/riscv: Add target/riscv/kvm.c to place the public kvm interface
>   target/riscv: Implement function kvm_arch_init_vcpu
>   target/riscv: Implement kvm_arch_get_registers
>   target/riscv: Implement kvm_arch_put_registers
>   target/riscv: Support start kernel directly by KVM
>   hw/riscv: PLIC update external interrupt by KVM when kvm enabled
>   target/riscv: Handler KVM_EXIT_RISCV_SBI exit
>   target/riscv: add host riscv64 cpu type
>
>  configure  |   1 +
>  hw/riscv/sifive_plic.c |  31 ++-
>  hw/riscv/virt.c|  15 +-
>  linux-headers/linux/kvm.h  |   8 +
>  target/riscv/Makefile.objs |   1 +
>  target/riscv/cpu.c |   9 +
>  target/riscv/cpu.h |   4 +
>  target/riscv/kvm.c | 513 +
>  target/riscv/kvm_riscv.h   |  25 ++
>  9 files changed, 596 insertions(+), 11 deletions(-)
>  create mode 100644 target/riscv/kvm.c
>  create mode 100644 target/riscv/kvm_riscv.h
>
> --
> 2.19.1
>
>
>

First of all, many thanks for doing QEMU KVM support. It wasted a
bit of my time because I was already doing it but I am happy to
see the patches on list sooner.

In future, please CC the KVM RISC-V mailing list for all QEMU KVM
RISC-V work. The KVM RISC-V mailing list is for related projects
(QEMU, KVMTOOL, libvirt, etc) and not just Linux KVM RISC-V.

Currently, we can only review this patch series and get it in final
shape but it can only be merged in QEMU after Linux KVM RISC-V
patches are merged in Linux kernel.

I will be sending out KVM RISC-V v11 series today. There is
a crucial bug fix related to HIDELEG CSR programming. This
bug fix is required in both QEMU and KVM RISC-V. Palmer has
already accepted QEMU HIDELEG CSR fix. The KVM RISC-V
v11 series will have this fix as well.

Thanks & Regards,
Anup Patel



Re: [PATCH v1 1/1] target/riscv: Don't set write permissions on dirty PTEs

2020-03-12 Thread Richard Henderson
On 3/12/20 3:10 PM, Alistair Francis wrote:
>> I still think this must be a guest (or nested guest) bug related to clearing
>> PTE bits and failing to flush the TLB properly.
> 
> I think so as well now. I have changed the Linux guest and Hypervisor
> to be very aggressive with flushing but still can't get guest user
> space working. I'll keep digging and see if I can figure out what's
> going on.
> 
>>
>> I don't see how it could be a qemu tlb flushing bug.  The only primitive,
>> sfence.vma, is quite heavy-handed and explicitly local to the thread.
> 
> Yes, both sfence and hfence flush all TLBs, so that doesn't seem to be
> the problem.

Here's an idea: change the tlb_flush() calls to tlb_flush_all_cpus_synced().

If that works, it suggests a guest interprocessor interrupt bug in the tlb
shoot-down.


r~



[PATCH 1/4] spapr: Move creation of ibm,dynamic-reconfiguration-memory dt node

2020-03-12 Thread David Gibson
Currently this node with information about hotpluggable memory is created
from spapr_dt_cas_updates().  But that's just a hangover from when we
created it only as a diff to the device tree at CAS time.  Now that we
fully rebuild the DT at CAS time, it makes more sense to create this along
with the rest of the memory information in the device tree.

So, move it to spapr_populate_memory().  The patch is huge, but it's nearly
all just code motion.

Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 512 +
 1 file changed, 257 insertions(+), 255 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 64bc8b83e9..66289ffef5 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -341,257 +341,6 @@ static int spapr_populate_memory_node(void *fdt, int 
nodeid, hwaddr start,
 return off;
 }
 
-static int spapr_populate_memory(SpaprMachineState *spapr, void *fdt)
-{
-MachineState *machine = MACHINE(spapr);
-hwaddr mem_start, node_size;
-int i, nb_nodes = machine->numa_state->num_nodes;
-NodeInfo *nodes = machine->numa_state->nodes;
-
-for (i = 0, mem_start = 0; i < nb_nodes; ++i) {
-if (!nodes[i].node_mem) {
-continue;
-}
-if (mem_start >= machine->ram_size) {
-node_size = 0;
-} else {
-node_size = nodes[i].node_mem;
-if (node_size > machine->ram_size - mem_start) {
-node_size = machine->ram_size - mem_start;
-}
-}
-if (!mem_start) {
-/* spapr_machine_init() checks for rma_size <= node0_size
- * already */
-spapr_populate_memory_node(fdt, i, 0, spapr->rma_size);
-mem_start += spapr->rma_size;
-node_size -= spapr->rma_size;
-}
-for ( ; node_size; ) {
-hwaddr sizetmp = pow2floor(node_size);
-
-/* mem_start != 0 here */
-if (ctzl(mem_start) < ctzl(sizetmp)) {
-sizetmp = 1ULL << ctzl(mem_start);
-}
-
-spapr_populate_memory_node(fdt, i, mem_start, sizetmp);
-node_size -= sizetmp;
-mem_start += sizetmp;
-}
-}
-
-return 0;
-}
-
-static void spapr_populate_cpu_dt(CPUState *cs, void *fdt, int offset,
-  SpaprMachineState *spapr)
-{
-MachineState *ms = MACHINE(spapr);
-PowerPCCPU *cpu = POWERPC_CPU(cs);
-CPUPPCState *env = &cpu->env;
-PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cs);
-int index = spapr_get_vcpu_id(cpu);
-uint32_t segs[] = {cpu_to_be32(28), cpu_to_be32(40),
-   0x, 0x};
-uint32_t tbfreq = kvm_enabled() ? kvmppc_get_tbfreq()
-: SPAPR_TIMEBASE_FREQ;
-uint32_t cpufreq = kvm_enabled() ? kvmppc_get_clockfreq() : 10;
-uint32_t page_sizes_prop[64];
-size_t page_sizes_prop_size;
-unsigned int smp_threads = ms->smp.threads;
-uint32_t vcpus_per_socket = smp_threads * ms->smp.cores;
-uint32_t pft_size_prop[] = {0, cpu_to_be32(spapr->htab_shift)};
-int compat_smt = MIN(smp_threads, ppc_compat_max_vthreads(cpu));
-SpaprDrc *drc;
-int drc_index;
-uint32_t radix_AP_encodings[PPC_PAGE_SIZES_MAX_SZ];
-int i;
-
-drc = spapr_drc_by_id(TYPE_SPAPR_DRC_CPU, index);
-if (drc) {
-drc_index = spapr_drc_index(drc);
-_FDT((fdt_setprop_cell(fdt, offset, "ibm,my-drc-index", drc_index)));
-}
-
-_FDT((fdt_setprop_cell(fdt, offset, "reg", index)));
-_FDT((fdt_setprop_string(fdt, offset, "device_type", "cpu")));
-
-_FDT((fdt_setprop_cell(fdt, offset, "cpu-version", env->spr[SPR_PVR])));
-_FDT((fdt_setprop_cell(fdt, offset, "d-cache-block-size",
-   env->dcache_line_size)));
-_FDT((fdt_setprop_cell(fdt, offset, "d-cache-line-size",
-   env->dcache_line_size)));
-_FDT((fdt_setprop_cell(fdt, offset, "i-cache-block-size",
-   env->icache_line_size)));
-_FDT((fdt_setprop_cell(fdt, offset, "i-cache-line-size",
-   env->icache_line_size)));
-
-if (pcc->l1_dcache_size) {
-_FDT((fdt_setprop_cell(fdt, offset, "d-cache-size",
-   pcc->l1_dcache_size)));
-} else {
-warn_report("Unknown L1 dcache size for cpu");
-}
-if (pcc->l1_icache_size) {
-_FDT((fdt_setprop_cell(fdt, offset, "i-cache-size",
-   pcc->l1_icache_size)));
-} else {
-warn_report("Unknown L1 icache size for cpu");
-}
-
-_FDT((fdt_setprop_cell(fdt, offset, "timebase-frequency", tbfreq)));
-_FDT((fdt_setprop_cell(fdt, offset, "clock-frequency", cpufreq)));
-_FDT((fdt_setprop_cell(fdt, offset, "slb-size", 
cpu->hash64_opts->slb_size)));
-_FDT((fdt_setprop_cell(fdt, offset, "ibm,slb-size", 
cpu->hash64_opts->slb_size)));
-_FDT((fdt_setprop_string(fdt, offset, "status", "okay"))

[PATCH 3/4] spapr: Rename DT functions to newer naming convention

2020-03-12 Thread David Gibson
In the spapr code we've been gradually moving towards a convention that
functions which create pieces of the device tree are called spapr_dt_*().
This patch speeds that along by renaming most of the things that don't yet
match that so that they do.

For now we leave the *_dt_populate() functions which are actual methods
used in the DRCClass::dt_populate method.

While we're there we remove a few comments that don't really say anything
useful.

Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c  | 62 +
 hw/ppc/spapr_ovec.c |  4 +--
 include/hw/ppc/spapr_ovec.h |  4 +--
 3 files changed, 33 insertions(+), 37 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index fc28d9df25..6c32ec3c0a 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -217,10 +217,9 @@ static int spapr_fixup_cpu_numa_dt(void *fdt, int offset, 
PowerPCCPU *cpu)
   sizeof(associativity));
 }
 
-/* Populate the "ibm,pa-features" property */
-static void spapr_populate_pa_features(SpaprMachineState *spapr,
-   PowerPCCPU *cpu,
-   void *fdt, int offset)
+static void spapr_dt_pa_features(SpaprMachineState *spapr,
+ PowerPCCPU *cpu,
+ void *fdt, int offset)
 {
 uint8_t pa_features_206[] = { 6, 0,
 0xf6, 0x1f, 0xc7, 0x00, 0x80, 0xc0 };
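Review bot: the context of this hunk still shows spapr_fixup_cpu_numa_dt(), which does not follow the spapr_dt_*() convention the commit message describes. The message says "most of the things" are renamed and names only the *_dt_populate() methods as an exception, so either rename this one as well or list it among the names left alone on purpose.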
@@ -315,8 +314,8 @@ static void add_str(GString *s, const gchar *s1)
 g_string_append_len(s, s1, strlen(s1) + 1);
 }
 
-static int spapr_populate_memory_node(void *fdt, int nodeid, hwaddr start,
-   hwaddr size)
+static int spapr_dt_memory_node(void *fdt, int nodeid, hwaddr start,
+hwaddr size)
 {
 uint32_t associativity[] = {
 cpu_to_be32(0x4), /* length */
@@ -391,9 +390,8 @@ spapr_get_drconf_cell(uint32_t seq_lmbs, uint64_t base_addr,
 return elem;
 }
 
-/* ibm,dynamic-memory-v2 */
-static int spapr_populate_drmem_v2(SpaprMachineState *spapr, void *fdt,
-   int offset, MemoryDeviceInfoList *dimms)
+static int spapr_dt_dynamic_memory_v2(SpaprMachineState *spapr, void *fdt,
+  int offset, MemoryDeviceInfoList *dimms)
 {
 MachineState *machine = MACHINE(spapr);
 uint8_t *int_buf, *cur_index;
@@ -484,8 +482,7 @@ static int spapr_populate_drmem_v2(SpaprMachineState 
*spapr, void *fdt,
 return 0;
 }
 
-/* ibm,dynamic-memory */
-static int spapr_populate_drmem_v1(SpaprMachineState *spapr, void *fdt,
+static int spapr_dt_dynamic_memory(SpaprMachineState *spapr, void *fdt,
int offset, MemoryDeviceInfoList *dimms)
 {
 MachineState *machine = MACHINE(spapr);
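Review bot: dropping the /* ibm,dynamic-memory */ comment together with the _v1 suffix leaves spapr_dt_dynamic_memory() next to spapr_dt_dynamic_memory_v2() with nothing marking it as the v1 layout. A short comment naming the property each function emits, or a version marker kept in the name, would keep the pair unambiguous.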
@@ -554,7 +551,8 @@ static int spapr_populate_drmem_v1(SpaprMachineState 
*spapr, void *fdt,
  * Refer to docs/specs/ppc-spapr-hotplug.txt for the documentation
  * of this device tree node.
  */
-static int spapr_populate_drconf_memory(SpaprMachineState *spapr, void *fdt)
+static int spapr_dt_dynamic_reconfiguration_memory(SpaprMachineState *spapr,
+   void *fdt)
 {
 MachineState *machine = MACHINE(spapr);
 int nb_numa_nodes = machine->numa_state->num_nodes;
@@ -593,9 +591,9 @@ static int spapr_populate_drconf_memory(SpaprMachineState 
*spapr, void *fdt)
 /* ibm,dynamic-memory or ibm,dynamic-memory-v2 */
 dimms = qmp_memory_device_list();
 if (spapr_ovec_test(spapr->ov5_cas, OV5_DRMEM_V2)) {
-ret = spapr_populate_drmem_v2(spapr, fdt, offset, dimms);
+ret = spapr_dt_dynamic_memory_v2(spapr, fdt, offset, dimms);
 } else {
-ret = spapr_populate_drmem_v1(spapr, fdt, offset, dimms);
+ret = spapr_dt_dynamic_memory(spapr, fdt, offset, dimms);
 }
 qapi_free_MemoryDeviceInfoList(dimms);
 
@@ -626,7 +624,7 @@ static int spapr_populate_drconf_memory(SpaprMachineState 
*spapr, void *fdt)
 return ret;
 }
 
-static int spapr_populate_memory(SpaprMachineState *spapr, void *fdt)
+static int spapr_dt_memory(SpaprMachineState *spapr, void *fdt)
 {
 MachineState *machine = MACHINE(spapr);
 SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
@@ -649,7 +647,7 @@ static int spapr_populate_memory(SpaprMachineState *spapr, 
void *fdt)
 if (!mem_start) {
 /* spapr_machine_init() checks for rma_size <= node0_size
  * already */
-spapr_populate_memory_node(fdt, i, 0, spapr->rma_size);
+spapr_dt_memory_node(fdt, i, 0, spapr->rma_size);
 mem_start += spapr->rma_size;
 node_size -= spapr->rma_size;
 }
@@ -661,7 +659,7 @@ static int spapr_populate_memory(SpaprMachineState *spapr, 
void *fdt)
 sizetmp = 1ULL << ctzl(mem_start);
 }
 
-spapr_populate_memory_node(fdt, i, mem_start, sizetmp);
+spapr_dt_me

[PATCH 4/4] spapr: Fold spapr_node0_size() into its only caller

2020-03-12 Thread David Gibson
The Real Mode Area (RMA) needs to fit within the NUMA node owning memory
at address 0.  That's usually node 0, but can be a later one if there are
some nodes which have no memory (only CPUs).

This is currently handled by the spapr_node0_size() helper.  It has only
one caller, so there's not a lot of point splitting it out.  It's also
extremely easy to misread the code as clamping to the size of the smallest
node rather than the first node with any memory.

So, fold it into the caller, and add some commentary to make it a bit
clearer exactly what it's doing.

Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 37 +
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 6c32ec3c0a..6a42c0f1c9 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -295,20 +295,6 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
 _FDT((fdt_setprop(fdt, offset, "ibm,pa-features", pa_features, pa_size)));
 }
 
-static hwaddr spapr_node0_size(MachineState *machine)
-{
-if (machine->numa_state->num_nodes) {
-int i;
-for (i = 0; i < machine->numa_state->num_nodes; ++i) {
-if (machine->numa_state->nodes[i].node_mem) {
-return MIN(pow2floor(machine->numa_state->nodes[i].node_mem),
-   machine->ram_size);
-}
-}
-}
-return machine->ram_size;
-}
-
 static void add_str(GString *s, const gchar *s1)
 {
 g_string_append_len(s, s1, strlen(s1) + 1);
@@ -2631,10 +2617,24 @@ static hwaddr spapr_rma_size(SpaprMachineState *spapr, 
Error **errp)
 MachineState *machine = MACHINE(spapr);
 SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
 hwaddr rma_size = machine->ram_size;
-hwaddr node0_size = spapr_node0_size(machine);
 
 /* RMA has to fit in the first NUMA node */
-rma_size = MIN(rma_size, node0_size);
+if (machine->numa_state->num_nodes) {
+/*
+ * It's possible for there to be some zero-memory nodes first
+ * in the list.  We need the RMA to fit inside the memory of
+ * the first node which actually has some memory.
+ */
+int i;
+
+for (i = 0; i < machine->numa_state->num_nodes; ++i) {
+if (machine->numa_state->nodes[i].node_mem != 0) {
+hwaddr node_size = machine->numa_state->nodes[i].node_mem;
+rma_size = MIN(rma_size, pow2floor(node_size));
+break;
+}
+}
+}
 
 /*
  * VRMA access is via a special 1TiB SLB mapping, so the RMA can
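Review bot: pow2floor(node_size) inside the new loop becomes redundant once the last hunk adds rma_size = pow2floor(rma_size) at the end, provided only MIN() clamps sit between the two, because rounding down the minimum gives the same result as taking the minimum of the rounded values. Use MIN(rma_size, node_size) here and keep the single rounding at the end. The existing /* RMA has to fit in the first NUMA node */ line above the if could also be merged into the new block comment, since the two now say nearly the same thing.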
@@ -2651,6 +2651,11 @@ static hwaddr spapr_rma_size(SpaprMachineState *spapr, 
Error **errp)
 rma_size = MIN(rma_size, smc->rma_limit);
 }
 
+/*
+ * RMA size must be a power of 2
+ */
+rma_size = pow2floor(rma_size);
+
 if (rma_size < MIN_RMA_SLOF) {
 error_setg(errp,
 "pSeries SLOF firmware requires >= %ldMiB guest RMA (Real Mode Area memory)",
-- 
2.24.1
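Review bot: the rma_size = pow2floor(rma_size) statement added in the last hunk, after the rma_limit clamp, is a behaviour change and not part of folding spapr_node0_size() into its caller, yet the commit message does not mention it. When ram_size or rma_limit is the smallest bound and is not a power of two, the RMA now comes out smaller than before. Either describe this in the commit message or split it into its own patch.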




[PATCH 2/4] spapr: Move creation of ibm,architecture-vec-5 property

2020-03-12 Thread David Gibson
This is currently called from spapr_dt_cas_updates() which is a hangover
from when we created this only as a diff to the DT at CAS time.  Now that
we fully rebuild the DT at CAS time, just create it along with the rest
of the properties in /chosen.

Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 26 +++---
 1 file changed, 3 insertions(+), 23 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 66289ffef5..fc28d9df25 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -889,22 +889,6 @@ static int spapr_rng_populate_dt(void *fdt)
 return ret ? -1 : 0;
 }
 
-static int spapr_dt_cas_updates(SpaprMachineState *spapr, void *fdt,
-SpaprOptionVector *ov5_updates)
-{
-int offset;
-
-offset = fdt_path_offset(fdt, "/chosen");
-if (offset < 0) {
-offset = fdt_add_subnode(fdt, 0, "chosen");
-if (offset < 0) {
-return offset;
-}
-}
-return spapr_ovec_populate_dt(fdt, offset, spapr->ov5_cas,
-  "ibm,architecture-vec-5");
-}
-
 static void spapr_dt_rtas(SpaprMachineState *spapr, void *fdt)
 {
 MachineState *ms = MACHINE(spapr);
@@ -1115,6 +1099,9 @@ static void spapr_dt_chosen(SpaprMachineState *spapr, 
void *fdt)
 
 spapr_dt_ov5_platform_support(spapr, fdt, chosen);
 
+_FDT(spapr_ovec_populate_dt(fdt, offset, spapr->ov5_cas,
+"ibm,architecture-vec-5"));
+
 g_free(stdout_path);
 g_free(bootlist);
 }
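Review bot: the added spapr_ovec_populate_dt() call passes offset, while the call directly above it in spapr_dt_chosen() passes chosen as the node. offset was the local variable of the removed spapr_dt_cas_updates(), so check that this compiles and actually refers to /chosen; most likely the argument should be chosen.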
@@ -1263,13 +1250,6 @@ void *spapr_build_fdt(SpaprMachineState *spapr, bool 
reset, size_t space)
 }
 }
 
-/* ibm,client-architecture-support updates */
-ret = spapr_dt_cas_updates(spapr, fdt, spapr->ov5_cas);
-if (ret < 0) {
-error_report("couldn't setup CAS properties fdt");
-exit(1);
-}
-
 if (smc->dr_phb_enabled) {
 ret = spapr_dt_drc(fdt, 0, NULL, SPAPR_DR_CONNECTOR_TYPE_PHB);
 if (ret < 0) {
-- 
2.24.1




[PATCH 0/4] spapr: Assorted minor cleanups

2020-03-12 Thread David Gibson
Here's a handful of cleanups that came out of larger bits of work but
which aren't intimately tied to those.  For one reason or another they
got forgotten for a while, but I've now dug them out, polished them a
bit and hope to get them in just in time for the qemu-5.0 soft freeze.

David Gibson (4):
  spapr: Move creation of ibm,dynamic-reconfiguration-memory dt node
  spapr: Move creation of ibm,architecture-vec-5 property
  spapr: Rename DT functions to newer naming convention
  spapr: Fold spapr_node0_size() into its only caller

 hw/ppc/spapr.c  | 597 ++--
 hw/ppc/spapr_ovec.c |   4 +-
 include/hw/ppc/spapr_ovec.h |   4 +-
 3 files changed, 294 insertions(+), 311 deletions(-)

-- 
2.24.1




[PATCH RFC 9/9] target/riscv: add host riscv64 cpu type

2020-03-12 Thread Yifei Jiang
Currently, host cpu is inherited simply.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 target/riscv/cpu.c | 5 +
 target/riscv/cpu.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 3c3264869f..11557719cf 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -203,6 +203,10 @@ static void rv64imacu_nommu_cpu_init(Object *obj)
 set_feature(env, RISCV_FEATURE_PMP);
 }
 
+static void riscv_host_cpu_init(Object *obj)
+{
+}
+
 #endif
 
 static ObjectClass *riscv_cpu_class_by_name(const char *cpu_model)
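Review bot: riscv_host_cpu_init() is added with an empty body and no comment, and the next hunk registers it through DEFINE_CPU without any visible condition, so nothing here restricts the "host" type to KVM builds or sets any feature for it. Add a comment saying where this CPU's properties are expected to come from, and consider guarding the type with CONFIG_KVM.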
@@ -622,6 +626,7 @@ static const TypeInfo riscv_cpu_type_infos[] = {
 DEFINE_CPU(TYPE_RISCV_CPU_BASE64,   riscv_base64_cpu_init),
 DEFINE_CPU(TYPE_RISCV_CPU_SIFIVE_E51,   rv64imacu_nommu_cpu_init),
 DEFINE_CPU(TYPE_RISCV_CPU_SIFIVE_U54,   rv64gcsu_priv1_10_0_cpu_init),
+DEFINE_CPU(TYPE_RISCV_CPU_HOST, riscv_host_cpu_init),
 /* Deprecated */
 DEFINE_CPU(TYPE_RISCV_CPU_RV64IMACU_NOMMU,  rv64imacu_nommu_cpu_init),
 DEFINE_CPU(TYPE_RISCV_CPU_RV64GCSU_V1_09_1, rv64gcsu_priv1_09_1_cpu_init),
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 2724eca714..10b053a467 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -39,6 +39,7 @@
 #define TYPE_RISCV_CPU_SIFIVE_E51   RISCV_CPU_TYPE_NAME("sifive-e51")
 #define TYPE_RISCV_CPU_SIFIVE_U34   RISCV_CPU_TYPE_NAME("sifive-u34")
 #define TYPE_RISCV_CPU_SIFIVE_U54   RISCV_CPU_TYPE_NAME("sifive-u54")
+#define TYPE_RISCV_CPU_HOST RISCV_CPU_TYPE_NAME("host")
 /* Deprecated */
 #define TYPE_RISCV_CPU_RV32IMACU_NOMMU  RISCV_CPU_TYPE_NAME("rv32imacu-nommu")
 #define TYPE_RISCV_CPU_RV32GCSU_V1_09_1 RISCV_CPU_TYPE_NAME("rv32gcsu-v1.9.1")
-- 
2.19.1





[PATCH RFC 6/9] target/riscv: Support start kernel directly by KVM

2020-03-12 Thread Yifei Jiang
Get kernel and fdt start address in virt.c, and pass them to KVM
when cpu reset. In addition, add kvm_riscv.h to place riscv specific
interface.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 hw/riscv/virt.c  | 15 +--
 target/riscv/cpu.c   |  4 
 target/riscv/cpu.h   |  3 +++
 target/riscv/kvm.c   | 14 ++
 target/riscv/kvm_riscv.h | 24 
 5 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 target/riscv/kvm_riscv.h

diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index 85ec9e22aa..e42c61208d 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -42,6 +42,7 @@
 #include "exec/address-spaces.h"
 #include "hw/pci/pci.h"
 #include "hw/pci-host/gpex.h"
+#include "sysemu/kvm.h"
 
 #include 
 
@@ -480,6 +481,9 @@ static void riscv_virt_board_init(MachineState *machine)
 target_ulong start_addr = memmap[VIRT_DRAM].base;
 int i;
 unsigned int smp_cpus = machine->smp.cpus;
+uint64_t kernel_entry = 0;
+hwaddr start_fdt;
+CPUState *cs;
 
 /* Initialize SOC */
 object_initialize_child(OBJECT(machine), "soc", &s->soc, sizeof(s->soc),
@@ -510,7 +514,7 @@ static void riscv_virt_board_init(MachineState *machine)
  memmap[VIRT_DRAM].base);
 
 if (machine->kernel_filename) {
-uint64_t kernel_entry = riscv_load_kernel(machine->kernel_filename,
+kernel_entry = riscv_load_kernel(machine->kernel_filename,
   NULL);
 
 if (machine->initrd_filename) {
@@ -564,10 +568,17 @@ static void riscv_virt_board_init(MachineState *machine)
 exit(1);
 }
 qemu_fdt_dumpdtb(s->fdt, fdt_totalsize(s->fdt));
+start_fdt = memmap[VIRT_MROM].base + sizeof(reset_vec);
 rom_add_blob_fixed_as("mrom.fdt", s->fdt, fdt_totalsize(s->fdt),
-  memmap[VIRT_MROM].base + sizeof(reset_vec),
+  start_fdt,
   &address_space_memory);
 
+for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+RISCVCPU *riscv_cpu = RISCV_CPU(cs);
+riscv_cpu->env.loader_start = kernel_entry;
+riscv_cpu->env.fdt_start = start_fdt;
+}
+
 /* create PLIC hart topology configuration string */
 plic_hart_config_len = (strlen(VIRT_PLIC_HART_CONFIG) + 1) * smp_cpus;
 plic_hart_config = g_malloc0(plic_hart_config_len);
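
Review bot: kernel_entry is initialised to 0 and only assigned inside if (machine->kernel_filename), but the new loop copies it into env.loader_start for every CPU unconditionally. Without -kernel, a KVM vCPU would be reset to pc = 0 by kvm_riscv_reset_vcpu(). Either fail early when KVM is enabled and no kernel was given, or only set loader_start and fdt_start when a kernel was actually loaded; wrapping the loop in if (kvm_enabled()) would also make clear that only the KVM reset path consumes these fields.
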
diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index c0b7023100..3c3264869f 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -28,6 +28,7 @@
 #include "hw/qdev-properties.h"
 #include "migration/vmstate.h"
 #include "fpu/softfloat-helpers.h"
+#include "kvm_riscv.h"
 
 /* RISC-V CPU definitions */
 
@@ -346,6 +347,9 @@ static void riscv_cpu_reset(CPUState *cs)
 cs->exception_index = EXCP_NONE;
 env->load_res = -1;
 set_default_nan_mode(1, &env->fp_status);
+#ifdef CONFIG_KVM
+kvm_riscv_reset_vcpu(cpu);
+#endif
 }
 
 static void riscv_cpu_disas_set_info(CPUState *s, disassemble_info *info)
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 3dcdf92227..2724eca714 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -213,6 +213,9 @@ struct CPURISCVState {
 
 /* Fields from here on are preserved across CPU reset. */
 QEMUTimer *timer; /* Internal timer */
+
+hwaddr loader_start;
+hwaddr fdt_start;
 };
 
 #define RISCV_CPU_CLASS(klass) \
diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index 6dffda36bb..b9aec66b69 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -37,6 +37,7 @@
 #include "hw/irq.h"
 #include "qemu/log.h"
 #include "hw/loader.h"
+#include "kvm_riscv.h"
 
 static __u64 kvm_riscv_reg_id(__u64 type, __u64 idx)
 {
@@ -426,3 +427,16 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
 {
 return 0;
 }
+
+void kvm_riscv_reset_vcpu(RISCVCPU *cpu)
+{
+CPURISCVState *env = &cpu->env;
+
+if (!kvm_enabled()) {
+return;
+}
+env->pc = cpu->env.loader_start;
+env->gpr[10] = kvm_arch_vcpu_id(CPU(cpu)); /* a0 */
+env->gpr[11] = cpu->env.fdt_start; /* a1 */
+}
+
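
Review bot: kvm_riscv_reset_vcpu() only updates QEMU's copy of pc, a0 and a1; nothing in this function pushes the values to the kernel, so please state in a comment or in the commit message which path is expected to sync them before the vCPU first runs. Smaller points: env already points at cpu->env, so env->loader_start and env->fdt_start read better than cpu->env.*, and the hunk ends by adding a blank line at end of file.
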
diff --git a/target/riscv/kvm_riscv.h b/target/riscv/kvm_riscv.h
new file mode 100644
index 00..f38c82bf59
--- /dev/null
+++ b/target/riscv/kvm_riscv.h
@@ -0,0 +1,24 @@
+/*
+ * QEMU KVM support -- RISC-V specific functions.
+ *
+ * Copyright (c) 2020 Huawei Technologies Co., Ltd
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this

[PATCH RFC 0/9] Add riscv64 kvm accel support

2020-03-12 Thread Yifei Jiang
Hi,

This series adds riscv64 kvm support. It is based on riscv_kvm_master
branch at https://github.com/kvm-riscv/linux.

This series depends on above pending changes which haven't yet been
accepted, so this QEMU patch series is blocked until that dependency
has been dealt with, but is worth reviewing anyway.

Several steps to use this:

1. Build riscv64 emulation
$ ./configure --target-list=riscv64-softmmu
$ make -j$(nproc)

2. Build kernel
riscv_kvm_master branch at https://github.com/kvm-riscv/linux

3. Build QEMU VM
I cross build in riscv toolchain
$ PKG_CONFIG_LIBDIR=
$ export PKG_CONFIG_SYSROOT_DIR=
$ ./configure --target-list=riscv64-softmmu --enable-kvm \
--cross-prefix=riscv64-linux-gnu- --disable-libiscsi --disable-glusterfs \
--disable-libusb --disable-usb-redir --audio-drv-list= --disable-opengl \
--disable-libxml2

4. Start riscv64 emulation
$ ./qemu-system-riscv64 -M virt -m 4096M -cpu rv64,x-h=true -nographic \
-name guest=riscv-hyp,debug-threads=on \
-smp 4 \
-kernel ./fw_jump.elf \
-device loader,file=./Image,addr=0x8020 \
-drive file=./hyp.img,format=raw,id=hd0 \
-device virtio-blk-device,drive=hd0 \
-append "root=/dev/vda rw console=ttyS0 earlycon=sbi"

5. Start kvm-acceled QEMU VM in riscv64 emulation
$ ./qemu-system-riscv64 -M virt,accel=kvm -m 1024M -cpu host -nographic \
-name guest=riscv-guset \
 -smp 2 \
-kernel ./Image \
-drive file=./guest.img,format=raw,id=hd0 \
-device virtio-blk-device,drive=hd0 \
-append "root=/dev/vda rw console=ttyS0 earlycon=sbi"

Yifei Jiang (9):
  linux-header: Update linux/kvm.h
  target/riscv: Add target/riscv/kvm.c to place the public kvm interface
  target/riscv: Implement function kvm_arch_init_vcpu
  target/riscv: Implement kvm_arch_get_registers
  target/riscv: Implement kvm_arch_put_registers
  target/riscv: Support start kernel directly by KVM
  hw/riscv: PLIC update external interrupt by KVM when kvm enabled
  target/riscv: Handler KVM_EXIT_RISCV_SBI exit
  target/riscv: add host riscv64 cpu type

 configure  |   1 +
 hw/riscv/sifive_plic.c |  31 ++-
 hw/riscv/virt.c|  15 +-
 linux-headers/linux/kvm.h  |   8 +
 target/riscv/Makefile.objs |   1 +
 target/riscv/cpu.c |   9 +
 target/riscv/cpu.h |   4 +
 target/riscv/kvm.c | 513 +
 target/riscv/kvm_riscv.h   |  25 ++
 9 files changed, 596 insertions(+), 11 deletions(-)
 create mode 100644 target/riscv/kvm.c
 create mode 100644 target/riscv/kvm_riscv.h

-- 
2.19.1





[PATCH RFC 2/9] target/riscv: Add target/riscv/kvm.c to place the public kvm interface

2020-03-12 Thread Yifei Jiang
Add target/riscv/kvm.c to place kvm_arch_* function needed by kvm/kvm-all.c.
Meanwhile, add riscv64 kvm support to configure.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 configure  |   1 +
 target/riscv/Makefile.objs |   1 +
 target/riscv/kvm.c | 128 +
 3 files changed, 130 insertions(+)
 create mode 100644 target/riscv/kvm.c

diff --git a/configure b/configure
index 3c7470096f..30024a8aef 100755
--- a/configure
+++ b/configure
@@ -200,6 +200,7 @@ supported_kvm_target() {
 x86_64:i386 | x86_64:x86_64 | x86_64:x32 | \
 mips:mips | mipsel:mips | \
 ppc:ppc | ppc64:ppc | ppc:ppc64 | ppc64:ppc64 | ppc64:ppc64le | \
+riscv64:riscv64 | \
 s390x:s390x)
 return 0
 ;;
diff --git a/target/riscv/Makefile.objs b/target/riscv/Makefile.objs
index ff651f69f6..7ea8f4c3da 100644
--- a/target/riscv/Makefile.objs
+++ b/target/riscv/Makefile.objs
@@ -1,5 +1,6 @@
 obj-y += translate.o op_helper.o cpu_helper.o cpu.o csr.o fpu_helper.o 
gdbstub.o
 obj-$(CONFIG_SOFTMMU) += pmp.o
+obj-$(CONFIG_KVM) += kvm.o
 
 ifeq ($(CONFIG_SOFTMMU),y)
 obj-y += monitor.o
diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
new file mode 100644
index 00..8c386d9acf
--- /dev/null
+++ b/target/riscv/kvm.c
@@ -0,0 +1,128 @@
+/*
+ * RISC-V implementation of KVM hooks
+ *
+ * Copyright (c) 2020 Huawei Technologies Co., Ltd
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include 
+
+#include 
+
+#include "qemu-common.h"
+#include "qemu/timer.h"
+#include "qemu/error-report.h"
+#include "qemu/main-loop.h"
+#include "sysemu/sysemu.h"
+#include "sysemu/kvm.h"
+#include "sysemu/kvm_int.h"
+#include "cpu.h"
+#include "trace.h"
+#include "hw/pci/pci.h"
+#include "exec/memattrs.h"
+#include "exec/address-spaces.h"
+#include "hw/boards.h"
+#include "hw/irq.h"
+#include "qemu/log.h"
+#include "hw/loader.h"
+
+const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+KVM_CAP_LAST_INFO
+};
+
+int kvm_arch_get_registers(CPUState *cs)
+{
+return 0;
+}
+
+int kvm_arch_put_registers(CPUState *cs, int level)
+{
+return 0;
+}
+
+int kvm_arch_release_virq_post(int virq)
+{
+return 0;
+}
+
+int kvm_arch_fixup_msi_route(struct kvm_irq_routing_entry *route,
+ uint64_t address, uint32_t data, PCIDevice *dev)
+{
+return 0;
+}
+
+int kvm_arch_destroy_vcpu(CPUState *cs)
+{
+return 0;
+}
+
+unsigned long kvm_arch_vcpu_id(CPUState *cpu)
+{
+return cpu->cpu_index;
+}
+
+void kvm_arch_init_irq_routing(KVMState *s)
+{
+}
+
+int kvm_arch_init_vcpu(CPUState *cs)
+{
+return 0;
+}
+
+int kvm_arch_msi_data_to_gsi(uint32_t data)
+{
+abort();
+}
+
+int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
+int vector, PCIDevice *dev)
+{
+return 0;
+}
+
+int kvm_arch_init(MachineState *ms, KVMState *s)
+{
+return 0;
+}
+
+int kvm_arch_irqchip_create(KVMState *s)
+{
+return 0;
+}
+
+int kvm_arch_process_async_events(CPUState *cs)
+{
+return 0;
+}
+
+void kvm_arch_pre_run(CPUState *cs, struct kvm_run *run)
+{
+}
+
+MemTxAttrs kvm_arch_post_run(CPUState *cs, struct kvm_run *run)
+{
+return MEMTXATTRS_UNSPECIFIED;
+}
+
+bool kvm_arch_stop_on_emulation_error(CPUState *cs)
+{
+return true;
+}
+
+int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
+{
+return 0;
+}
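
Review bot: kvm_arch_handle_exit() returns 0 for every exit reason, which tells the generic KVM loop that the exit was handled and the vCPU can be resumed. Until real handlers exist, a stub that logs the reason and returns -1 is safer and keeps the series bisectable. Most of the headers included at the top (qemu/timer.h, qemu/main-loop.h, hw/loader.h and others) are not needed by these stubs and could be added by the patches that first use them.
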
-- 
2.19.1





[PATCH RFC 7/9] hw/riscv: PLIC update external interrupt by KVM when kvm enabled

2020-03-12 Thread Yifei Jiang
Only support supervisor external interrupt currently.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 hw/riscv/sifive_plic.c   | 31 ++-
 target/riscv/kvm.c   | 19 +++
 target/riscv/kvm_riscv.h |  1 +
 3 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/hw/riscv/sifive_plic.c b/hw/riscv/sifive_plic.c
index c1e04cbb98..ff5c18ed20 100644
--- a/hw/riscv/sifive_plic.c
+++ b/hw/riscv/sifive_plic.c
@@ -29,6 +29,8 @@
 #include "target/riscv/cpu.h"
 #include "sysemu/sysemu.h"
 #include "hw/riscv/sifive_plic.h"
+#include "sysemu/kvm.h"
+#include "kvm_riscv.h"
 
 #define RISCV_DEBUG_PLIC 0
 
@@ -145,15 +147,26 @@ static void sifive_plic_update(SiFivePLICState *plic)
 continue;
 }
 int level = sifive_plic_irqs_pending(plic, addrid);
-switch (mode) {
-case PLICMode_M:
-riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_MEIP, 
BOOL_TO_MASK(level));
-break;
-case PLICMode_S:
-riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_SEIP, 
BOOL_TO_MASK(level));
-break;
-default:
-break;
+if (kvm_enabled()) {
+if (mode == PLICMode_M) {
+continue;
+}
+#ifdef CONFIG_KVM
+kvm_riscv_set_irq(RISCV_CPU(cpu), IRQ_S_EXT, level);
+#endif
+} else {
+switch (mode) {
+case PLICMode_M:
+riscv_cpu_update_mip(RISCV_CPU(cpu),
+ MIP_MEIP, BOOL_TO_MASK(level));
+break;
+case PLICMode_S:
+riscv_cpu_update_mip(RISCV_CPU(cpu),
+ MIP_SEIP, BOOL_TO_MASK(level));
+break;
+default:
+break;
+}
 }
 }
 
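
Review bot: in the KVM branch, level is computed for PLICMode_M contexts and then dropped by the bare continue, with no comment or trace output. A one-line comment saying that machine-mode external interrupts are not injected through KVM would help. The #ifdef CONFIG_KVM nested inside if (kvm_enabled()) can also go if kvm_riscv.h provides a stub for non-KVM builds, which keeps this function free of preprocessor blocks.
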
diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index b9aec66b69..0f429fd802 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -440,3 +440,22 @@ void kvm_riscv_reset_vcpu(RISCVCPU *cpu)
 env->gpr[11] = cpu->env.fdt_start; /* a1 */
 }
 
+void kvm_riscv_set_irq(RISCVCPU *cpu, int irq, int level)
+{
+int ret;
+unsigned virq = level ? KVM_INTERRUPT_SET : KVM_INTERRUPT_UNSET;
+
+if (irq != IRQ_S_EXT) {
+return;
+}
+
+if (!kvm_enabled()) {
+return;
+}
+
+ret = kvm_vcpu_ioctl(CPU(cpu), KVM_INTERRUPT, &virq);
+if (ret < 0) {
+perror("Set irq failed");
+abort();
+}
+}
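
Review bot: kvm_riscv_set_irq() silently returns when irq != IRQ_S_EXT, so a caller passing any other interrupt gets no injection and no diagnostic. Since only one line is supported, either drop the irq parameter or log or assert on unsupported values. The failure path uses perror() and abort(); error_report() with strerror(-ret) would match the qemu/error-report.h include already in this file, and virq can be computed after the early returns.
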
diff --git a/target/riscv/kvm_riscv.h b/target/riscv/kvm_riscv.h
index f38c82bf59..ed281bdce0 100644
--- a/target/riscv/kvm_riscv.h
+++ b/target/riscv/kvm_riscv.h
@@ -20,5 +20,6 @@
 #define QEMU_KVM_RISCV_H
 
 void kvm_riscv_reset_vcpu(RISCVCPU *cpu);
+void kvm_riscv_set_irq(RISCVCPU *cpu, int irq, int level);
 
 #endif
-- 
2.19.1





[PATCH RFC 8/9] target/riscv: Handler KVM_EXIT_RISCV_SBI exit

2020-03-12 Thread Yifei Jiang
Use char-fe to handle console sbi calls, which implements early
console io when 'earlycon=sbi' is applied in the kernel parameters.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 target/riscv/kvm.c | 54 +-
 1 file changed, 53 insertions(+), 1 deletion(-)

diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index 0f429fd802..1df70fbb29 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -38,6 +38,7 @@
 #include "qemu/log.h"
 #include "hw/loader.h"
 #include "kvm_riscv.h"
+#include "chardev/char-fe.h"
 
 static __u64 kvm_riscv_reg_id(__u64 type, __u64 idx)
 {
@@ -61,6 +62,19 @@ static __u64 kvm_riscv_reg_id(__u64 type, __u64 idx)
 
 #define RISCV_FP_D_REG(idx)  kvm_riscv_reg_id(KVM_REG_RISCV_FP_D, idx)
 
+enum sbi_ext_id {
+SBI_EXT_0_1_SET_TIMER = 0x0,
+SBI_EXT_0_1_CONSOLE_PUTCHAR = 0x1,
+SBI_EXT_0_1_CONSOLE_GETCHAR = 0x2,
+SBI_EXT_0_1_CLEAR_IPI = 0x3,
+SBI_EXT_0_1_SEND_IPI = 0x4,
+SBI_EXT_0_1_REMOTE_FENCE_I = 0x5,
+SBI_EXT_0_1_REMOTE_SFENCE_VMA = 0x6,
+SBI_EXT_0_1_REMOTE_SFENCE_VMA_ASID = 0x7,
+SBI_EXT_0_1_SHUTDOWN = 0x8,
+SBI_EXT_BASE = 0x10,
+};
+
 static int kvm_riscv_get_regs_core(CPUState *cs)
 {
 int ret = 0;
@@ -423,9 +437,47 @@ bool kvm_arch_stop_on_emulation_error(CPUState *cs)
 return true;
 }
 
+static int kvm_riscv_handle_sbi(struct kvm_run *run)
+{
+int ret = 0;
+unsigned char ch;
+switch (run->riscv_sbi.extension_id) {
+case SBI_EXT_0_1_CONSOLE_PUTCHAR:
+ch = run->riscv_sbi.args[0];
+qemu_chr_fe_write(serial_hd(0)->be, &ch, sizeof(ch));
+break;
+case SBI_EXT_0_1_CONSOLE_GETCHAR:
+ret = qemu_chr_fe_read_all(serial_hd(0)->be, &ch, sizeof(ch));
+if (ret == sizeof(ch)) {
+run->riscv_sbi.args[0] = ch;
+} else {
+run->riscv_sbi.args[0] = -1;
+}
+break;
+default:
+qemu_log_mask(LOG_UNIMP,
+  "%s: un-handled SBI EXIT, specific reasons is %lu\n",
+  __func__, run->riscv_sbi.extension_id);
+ret = -1;
+break;
+}
+return ret;
+}
+
 int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
 {
-return 0;
+int ret = 0;
+switch (run->exit_reason) {
+case KVM_EXIT_RISCV_SBI:
+ret = kvm_riscv_handle_sbi(run);
+break;
+default:
+qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n",
+  __func__, run->exit_reason);
+ret = -1;
+break;
+}
+return ret;
 }
 
 void kvm_riscv_reset_vcpu(RISCVCPU *cpu)
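
Review bot: both console cases dereference serial_hd(0)->be without checking that serial_hd(0) is non-NULL, so a guest SBI console call on a machine started without a serial backend would crash QEMU; check the pointer and fail the call gracefully instead. In the GETCHAR case ret holds the byte count from qemu_chr_fe_read_all() and is then returned from kvm_arch_handle_exit(), so a successful read returns 1 while PUTCHAR returns 0; use a separate local for the read length. The -1 assigned to args[0] is stored in an unsigned long, and the ret[2] array of the struct is never used here, so it is worth documenting which field the kernel copies back to the guest.
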
-- 
2.19.1





[PATCH RFC 1/9] linux-header: Update linux/kvm.h

2020-03-12 Thread Yifei Jiang
Update linux/kvm.h to commit b9a6e4cd9 on https://github.com/kvm-riscv/linux.
Only use this header file, so do not update all linux headers.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 linux-headers/linux/kvm.h | 8 
 1 file changed, 8 insertions(+)

diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 265099100e..7cfc111af5 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -236,6 +236,7 @@ struct kvm_hyperv_exit {
 #define KVM_EXIT_IOAPIC_EOI   26
 #define KVM_EXIT_HYPERV   27
 #define KVM_EXIT_ARM_NISV 28
+#define KVM_EXIT_RISCV_SBI28
 
 /* For KVM_EXIT_INTERNAL_ERROR */
 /* Emulate instruction failed. */
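
Review bot: KVM_EXIT_RISCV_SBI is defined as 28, the same value as KVM_EXIT_ARM_NISV on the line above. Exit reasons share one namespace in kvm_run.exit_reason, so the new code needs its own number, and that number has to match what the kernel branch this header is synced from actually uses.
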
@@ -400,6 +401,13 @@ struct kvm_run {
__u64 esr_iss;
__u64 fault_ipa;
} arm_nisv;
+   /* KVM_EXIT_RISCV_SBI */
+   struct {
+   unsigned long extension_id;
+   unsigned long function_id;
+   unsigned long args[6];
+   unsigned long ret[2];
+   } riscv_sbi;
/* Fix the size of the union. */
char padding[256];
};
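
Review bot: the riscv_sbi member uses unsigned long for every field, while the neighbouring arm_nisv member uses fixed-width __u64. unsigned long changes size between 32-bit and 64-bit userspace, which makes the layout of this shared structure depend on the build; __u64 would keep it stable. As this header is a copy of the kernel's, the change belongs in the kernel tree first.
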
-- 
2.19.1





[PATCH RFC 4/9] target/riscv: Implement kvm_arch_get_registers

2020-03-12 Thread Yifei Jiang
Get GPR CSR and FP registers from kvm by KVM_GET_ONE_REG ioctl.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 target/riscv/kvm.c | 144 -
 1 file changed, 143 insertions(+), 1 deletion(-)

diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index 3e8f8e7185..8d5069b9e9 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -50,13 +50,155 @@ static __u64 kvm_riscv_reg_id(__u64 type, __u64 idx)
 return id;
 }
 
+#define RISCV_CORE_REG(name)  kvm_riscv_reg_id(KVM_REG_RISCV_CORE, \
+ KVM_REG_RISCV_CORE_REG(name))
+
+#define RISCV_CSR_REG(name)  kvm_riscv_reg_id(KVM_REG_RISCV_CSR, \
+ KVM_REG_RISCV_CSR_REG(name))
+
+#define RISCV_FP_F_REG(idx)  kvm_riscv_reg_id(KVM_REG_RISCV_FP_F, idx)
+
+#define RISCV_FP_D_REG(idx)  kvm_riscv_reg_id(KVM_REG_RISCV_FP_D, idx)
+
+static int kvm_riscv_get_regs_core(CPUState *cs)
+{
+int ret = 0;
+int i;
+uint64_t reg;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+ret = kvm_get_one_reg(cs, RISCV_CORE_REG(regs.pc), ®);
+if (ret) {
+return ret;
+}
+env->pc = reg;
+
+for (i = 1; i < 32; i++) {
+__u64 id = kvm_riscv_reg_id(KVM_REG_RISCV_CORE, i);
+ret = kvm_get_one_reg(cs, id, ®);
+if (ret) {
+return ret;
+}
+env->gpr[i] = reg;
+}
+
+return ret;
+}
+
+static int kvm_riscv_get_regs_csr(CPUState *cs)
+{
+int ret = 0;
+uint64_t reg;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sstatus), ®);
+if (ret) {
+return ret;
+}
+env->mstatus = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sie), ®);
+if (ret) {
+return ret;
+}
+env->mie = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(stvec), ®);
+if (ret) {
+return ret;
+}
+env->stvec = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sscratch), ®);
+if (ret) {
+return ret;
+}
+env->sscratch = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sepc), ®);
+if (ret) {
+return ret;
+}
+env->sepc = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(scause), ®);
+if (ret) {
+return ret;
+}
+env->scause = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sip), ®);
+if (ret) {
+return ret;
+}
+env->mip = reg;
+
+ret = kvm_get_one_reg(cs, RISCV_CSR_REG(sstatus), ®);
+if (ret) {
+return ret;
+}
+env->satp = reg;
+
+return ret;
+}
+
+static int kvm_riscv_get_regs_fp(CPUState *cs)
+{
+int ret = 0;
+int i;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+if (riscv_has_ext(env, RVD)) {
+uint64_t reg;
+for (i = 0; i < 32; i++) {
+ret = kvm_get_one_reg(cs, RISCV_FP_D_REG(i), ®);
+if (ret) {
+return ret;
+}
+env->fpr[i] = reg;
+}
+return ret;
+}
+
+if (riscv_has_ext(env, RVF)) {
+uint32_t reg;
+for (i = 0; i < 32; i++) {
+ret = kvm_get_one_reg(cs, RISCV_FP_F_REG(i), ®);
+if (ret) {
+return ret;
+}
+env->fpr[i] = reg;
+}
+return ret;
+}
+
+return ret;
+}
+
 const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 KVM_CAP_LAST_INFO
 };
 
 int kvm_arch_get_registers(CPUState *cs)
 {
-return 0;
+int ret = 0;
+
+ret = kvm_riscv_get_regs_core(cs);
+if (ret) {
+return ret;
+}
+
+ret = kvm_riscv_get_regs_csr(cs);
+if (ret) {
+return ret;
+}
+
+ret = kvm_riscv_get_regs_fp(cs);
+if (ret) {
+return ret;
+}
+
+return ret;
 }
 
 int kvm_arch_put_registers(CPUState *cs, int level)
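
Review bot: in kvm_riscv_get_regs_csr() the last read fetches RISCV_CSR_REG(sstatus) a second time and stores it in env->satp; this looks like a copy-and-paste slip and should read the satp register. The sstatus, sie and sip values are also written over env->mstatus, env->mie and env->mip wholesale, which discards any bits those fields hold outside the supervisor view; masking, or a comment on why this is safe, would help. Folding the eight near-identical read blocks into a small helper macro would make slips like the first one harder.
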
-- 
2.19.1





[PATCH RFC 3/9] target/riscv: Implement function kvm_arch_init_vcpu

2020-03-12 Thread Yifei Jiang
Get isa info from kvm while kvm init.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 target/riscv/kvm.c | 26 +-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index 8c386d9acf..3e8f8e7185 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -38,6 +38,18 @@
 #include "qemu/log.h"
 #include "hw/loader.h"
 
+static __u64 kvm_riscv_reg_id(__u64 type, __u64 idx)
+{
+__u64 id = KVM_REG_RISCV | type | idx;
+
+#if defined(TARGET_RISCV32)
+id |= KVM_REG_SIZE_U32;
+#elif defined(TARGET_RISCV64)
+id |= KVM_REG_SIZE_U64;
+#endif
+return id;
+}
+
 const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 KVM_CAP_LAST_INFO
 };
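
Review bot: kvm_riscv_reg_id() picks the size bits from TARGET_RISCV32/TARGET_RISCV64 alone, so every id built with it carries the same size whatever the register class, and if neither macro is defined the id has no size at all. Taking the size as a parameter, or selecting it per type, would let callers that pass a differently sized buffer (such as the uint32_t used with RISCV_FP_F_REG in patches 4/9 and 5/9) build a matching id.
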
@@ -79,7 +91,19 @@ void kvm_arch_init_irq_routing(KVMState *s)
 
 int kvm_arch_init_vcpu(CPUState *cs)
 {
-return 0;
+int ret = 0;
+uint64_t isa;
+RISCVCPU *cpu = RISCV_CPU(cs);
+__u64 id;
+
+id = kvm_riscv_reg_id(KVM_REG_RISCV_CONFIG, KVM_REG_RISCV_CONFIG_REG(isa));
+ret = kvm_get_one_reg(cs, id, &isa);
+if (ret) {
+return ret;
+}
+cpu->env.misa = isa;
+
+return ret;
 }
 
 int kvm_arch_msi_data_to_gsi(uint32_t data)
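
Review bot: kvm_arch_init_vcpu() overwrites cpu->env.misa with the value read from KVM for every CPU model, not just a host-passthrough one, so any ISA selected on the command line is silently replaced. Consider doing this only for the host model, or comparing the requested misa with the kernel's and failing with an error when they differ. The initialiser on ret is also redundant, since ret is assigned before its first use.
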
-- 
2.19.1





[PATCH RFC 5/9] target/riscv: Implement kvm_arch_put_registers

2020-03-12 Thread Yifei Jiang
Put GPR, CSR and FP registers to kvm by KVM_SET_ONE_REG ioctl.

Signed-off-by: Yifei Jiang 
Signed-off-by: Yipeng Yin 
---
 target/riscv/kvm.c | 136 -
 1 file changed, 135 insertions(+), 1 deletion(-)

diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
index 8d5069b9e9..6dffda36bb 100644
--- a/target/riscv/kvm.c
+++ b/target/riscv/kvm.c
@@ -85,6 +85,31 @@ static int kvm_riscv_get_regs_core(CPUState *cs)
 return ret;
 }
 
+static int kvm_riscv_put_regs_core(CPUState *cs)
+{
+int ret = 0;
+int i;
+uint64_t reg;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+reg = env->pc;
+ret = kvm_set_one_reg(cs, RISCV_CORE_REG(regs.pc), ®);
+if (ret) {
+return ret;
+}
+
+for (i = 1; i < 32; i++) {
+__u64 id = kvm_riscv_reg_id(KVM_REG_RISCV_CORE, i);
+reg = env->gpr[i];
+ret = kvm_set_one_reg(cs, id, ®);
+if (ret) {
+return ret;
+}
+}
+
+return ret;
+}
+
 static int kvm_riscv_get_regs_csr(CPUState *cs)
 {
 int ret = 0;
@@ -142,6 +167,64 @@ static int kvm_riscv_get_regs_csr(CPUState *cs)
 return ret;
 }
 
+static int kvm_riscv_put_regs_csr(CPUState *cs)
+{
+int ret = 0;
+uint64_t reg;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+reg = env->mstatus;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sstatus), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->mie;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sie), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->stvec;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(stvec), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->sscratch;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sscratch), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->sepc;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sepc), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->scause;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(scause), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->mip;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sip), ®);
+if (ret) {
+return ret;
+}
+
+reg = env->satp;
+ret = kvm_set_one_reg(cs, RISCV_CSR_REG(sstatus), ®);
+if (ret) {
+return ret;
+}
+
+return ret;
+}
+
+
 static int kvm_riscv_get_regs_fp(CPUState *cs)
 {
 int ret = 0;
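
Review bot: the last write in kvm_riscv_put_regs_csr() sends env->satp to RISCV_CSR_REG(sstatus), so satp is never restored and sstatus is overwritten with the satp value right after it was set from env->mstatus. It should target the satp register, mirroring the same fix on the get side. The hunk also adds two consecutive blank lines after the function.
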
@@ -175,6 +258,40 @@ static int kvm_riscv_get_regs_fp(CPUState *cs)
 return ret;
 }
 
+static int kvm_riscv_put_regs_fp(CPUState *cs)
+{
+int ret = 0;
+int i;
+CPURISCVState *env = &RISCV_CPU(cs)->env;
+
+if (riscv_has_ext(env, RVD)) {
+uint64_t reg;
+for (i = 0; i < 32; i++) {
+reg = env->fpr[i];
+ret = kvm_set_one_reg(cs, RISCV_FP_D_REG(i), ®);
+if (ret) {
+return ret;
+}
+}
+return ret;
+}
+
+if (riscv_has_ext(env, RVF)) {
+uint32_t reg;
+for (i = 0; i < 32; i++) {
+reg = env->fpr[i];
+ret = kvm_set_one_reg(cs, RISCV_FP_F_REG(i), ®);
+if (ret) {
+return ret;
+}
+}
+return ret;
+}
+
+return ret;
+}
+
+
 const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 KVM_CAP_LAST_INFO
 };
@@ -203,7 +320,24 @@ int kvm_arch_get_registers(CPUState *cs)
 
 int kvm_arch_put_registers(CPUState *cs, int level)
 {
-return 0;
+int ret = 0;
+
+ret = kvm_riscv_put_regs_core(cs);
+if (ret) {
+return ret;
+}
+
+ret = kvm_riscv_put_regs_csr(cs);
+if (ret) {
+return ret;
+}
+
+ret = kvm_riscv_put_regs_fp(cs);
+if (ret) {
+return ret;
+}
+
+return ret;
 }
 
 int kvm_arch_release_virq_post(int virq)
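
Review bot: kvm_arch_put_registers() ignores its level argument and writes every core, CSR and FP register on each call. If that is intentional for now, say so in a comment; otherwise use level to skip state that only needs writing on reset or full-state syncs.
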
-- 
2.19.1





Re: [PATCH] migration/throttle: Add throttle-trig-thres migration parameter

2020-03-12 Thread zhukeqian
Hi Dr. David,

On 2020/3/13 2:07, Dr. David Alan Gilbert wrote:
> * Keqian Zhu (zhukeqi...@huawei.com) wrote:
>> Currently, if the bytes_dirty_period is more than the 50% of
>> bytes_xfer_period, we start or increase throttling.
>>
>> If we make this percentage higher, then we can tolerate higher
>> dirty rate during migration, which means less impact on guest.
>> The side effect of higher percentage is longer migration time.
>> We can make this parameter configurable to switch between migration
>> time first or guest performance first.
>>
>> The default value is 50 and valid range is 1 to 100.
>>
>> Signed-off-by: Keqian Zhu 
> 
> Apologies for the delay.
It is not late, no worries ;).
> This looks fine now; so
> 
> Reviewed-by: Dr. David Alan Gilbert 
> 
> and I'll queue it.
Thanks.
> I think we could do with a better description than the current one if we
> can find it:
> 
>  The ratio of bytes_dirty_period and bytes_xfer_period
>  to trigger throttling. It is expressed as percentage.
> 
> assumes people understand what those bytes*period mean.
> 
> Still, until we do:
> 
> Queued for migration
> 
[...]
>> -- 
>> 2.19.1
>>
> --
> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
> 
> 
> .
> 
Thanks,
Keqian




[PATCH v3] hw/net/imx_fec: write TGSR and TCSR3 in imx_enet_write()

2020-03-12 Thread Chen Qun
The current code causes the clang static code analyzer to generate warnings:
hw/net/imx_fec.c:858:9: warning: Value stored to 'value' is never read
value = value & 0x000f;
^   ~~
hw/net/imx_fec.c:864:9: warning: Value stored to 'value' is never read
value = value & 0x00fd;
^   ~~

According to the definition of the function, the two "value" assignments
should be written to registers.

Reported-by: Euler Robot 
Signed-off-by: Chen Qun 
---
Cc: Peter Maydell 
Cc: Jason Wang 
Cc: Peter Chubb 

v1->v2:
  The register 'ENET_TGSR' write-1-to-clear timer flag.
  The register 'ENET_TCSRn' 7bit(TF) write-1-to-clear timer flag.

v2->v3:
  Optimize code style, based on discussions with Peter.
---
 hw/net/imx_fec.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 6a124a154a..3547975710 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -854,14 +854,17 @@ static void imx_enet_write(IMXFECState *s, uint32_t 
index, uint32_t value)
 s->regs[index] = value & 0x7f7f;
 break;
 case ENET_TGSR:
-/* implement clear timer flag */
-value = value & 0x000f;
+/* implement clear timer flag, 0-3 bits W1C, reserved bits write zero 
*/
+s->regs[index] &= ~(value & 0x000f) & 0x000f;
 break;
 case ENET_TCSR0:
 case ENET_TCSR1:
 case ENET_TCSR2:
 case ENET_TCSR3:
-value = value & 0x00fd;
+/* 7 bits W1C, reserved bits write zero */
+s->regs[index] &= ~(value & 0x0080) & 0x00ff;
+s->regs[index] &= ~0x007d; /* writable fields */
+s->regs[index] |= (value & 0x007d);
 break;
 case ENET_TCCR0:
 case ENET_TCCR1:
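
Review bot: in the ENET_TCSRn case the comment says "7 bits W1C", but only bit 7 (mask 0x0080, the TF flag named in the changelog) is write-1-to-clear; "bit 7 (TF) is W1C" would be accurate. The first statement also masks with 0x00ff, which keeps bit 1 even though neither 0x0080 nor 0x007d covers it, whereas the old mask 0x00fd excluded it. The three statements can be combined into one assignment that keeps TF unless a 1 was written and takes the 0x007d fields from value.
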
-- 
2.23.0





RE: [PATCH v2] hw/net/imx_fec: write TGSR and TCSR3 in imx_enet_write()

2020-03-12 Thread Chenqun (kuhn)
>-Original Message-
>From: Peter Maydell [mailto:peter.mayd...@linaro.org]
>Sent: Friday, March 13, 2020 1:01 AM
>To: Chenqun (kuhn) 
>Cc: QEMU Developers ; QEMU Trivial triv...@nongnu.org>; Zhanghailiang ;
>Jason Wang ; Peter Chubb
>; qemu-arm ; Euler
>Robot 
>Subject: Re: [PATCH v2] hw/net/imx_fec: write TGSR and TCSR3 in
>imx_enet_write()
>
>On Tue, 10 Mar 2020 at 08:08, Chenqun (kuhn) 
>wrote:
>>
>> >-Original Message-
>> >From: Peter Maydell [mailto:peter.mayd...@linaro.org]
>> >>
>> >> diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c index
>> >> 6a124a154a..322cbdcc17 100644
>> >> --- a/hw/net/imx_fec.c
>> >> +++ b/hw/net/imx_fec.c
>> >> @@ -855,13 +855,15 @@ static void imx_enet_write(IMXFECState *s,
>> >uint32_t index, uint32_t value)
>> >>  break;
>> >>  case ENET_TGSR:
>> >>  /* implement clear timer flag */
>> >> -value = value & 0x000f;
>> >> +s->regs[index] ^= s->regs[index] & value;
>> >> +s->regs[index] &= 0x000f;
>> >>  break;
>> >>  case ENET_TCSR0:
>> >>  case ENET_TCSR1:
>> >>  case ENET_TCSR2:
>> >>  case ENET_TCSR3:
>> >> -value = value & 0x00fd;
>> >> +s->regs[index] = (value & 0x0080) ? (0x007d & value) :
>> >> + (value & 0x00fd);
>> >>  break;
>> >>  case ENET_TCCR0:
>> >>  case ENET_TCCR1:
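
Review bot: in the ENET_TCSRn case both arms of the conditional produce value & 0x007d: when bit 7 of value is set the first arm masks it out, and when it is clear value & 0x00fd has bit 7 clear anyway. The register's previous contents are never consulted, so TF is cleared on every write rather than only when 1 is written to it. A W1C bit has to be derived from the old register value, for example by clearing s->regs[index] & 0x0080 only when value has that bit set.
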
>> >
>> >This isn't the usual way to write W1C behaviour.
>> >If all the relevant bits are W1C, as for TGSR:
>> >
>> >   s->regs[index] &= ~(value & 0xf); /* all bits W1C */
>> >
>> Yes, it looks better.
>> But do we need clear the reserved bit (31 - 4 bits) explicitly ?
>
>Not necessarily, but it seems to be how the other registers in the device have
>generally been coded, and it's clearly what the intent was here given that the
>original (buggy) code was masking out reserved bits. So I think it makes sense
>to continue in that style.
>
OK, let's keep original code style, and clear reserved bit.  I will provide v3 
version for it.

Thanks.
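
The write-1-to-clear handling discussed in this thread, as an added stand-alone C model (not QEMU code and not taken from either patch version): reg_write() generalises the TGSR and TCSR cases to any mix of W1C flags and plain fields. The function and macro names are hypothetical; the masks are the ones quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Masks as quoted in the thread; macro and function names are hypothetical. */
#define TGSR_W1C  0x0000000fu  /* timer flags: all four are write-1-to-clear */
#define TCSR_TF   0x00000080u  /* TF flag: write-1-to-clear */
#define TCSR_RW   0x0000007du  /* ordinary read/write fields */

/*
 * General rule for a register that mixes W1C flags and plain fields:
 *   - a W1C bit keeps its old value unless the guest writes 1 to it;
 *   - a plain field takes whatever the guest wrote;
 *   - every other (reserved) bit reads back as zero.
 */
uint32_t reg_write(uint32_t old, uint32_t value, uint32_t w1c, uint32_t rw)
{
    uint32_t flags  = old & w1c & ~value;  /* surviving W1C flags */
    uint32_t fields = value & rw;          /* newly written plain fields */
    return flags | fields;
}

/* TGSR: every defined bit is W1C, there are no plain fields. */
uint32_t tgsr_write(uint32_t old, uint32_t value)
{
    return reg_write(old, value, TGSR_W1C, 0);
}

/* TCSRn: bit 7 is W1C, the 0x7d fields are plain read/write. */
uint32_t tcsr_write(uint32_t old, uint32_t value)
{
    return reg_write(old, value, TCSR_TF, TCSR_RW);
}

/*
 * Plain masked store, for contrast. The old flag state is ignored, so a
 * write with TF = 0 loses a pending flag and a write with TF = 1 sets it.
 */
uint32_t tcsr_plain_store(uint32_t old, uint32_t value)
{
    (void)old;
    return value & (TCSR_TF | TCSR_RW);
}

int main(void)
{
    /* Constructed sample writes: old register contents and guest value. */
    struct { const char *what; uint32_t old, value; } cases[] = {
        { "write 0 to TF, update fields", 0x84u, 0x01u },
        { "write 1 to TF",                0x81u, 0x80u },
        { "try to set TF from the guest", 0x00u, 0x80u },
    };
    unsigned i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-30s old=0x%02x value=0x%02x  w1c=0x%02x  plain=0x%02x\n",
               cases[i].what,
               (unsigned)cases[i].old, (unsigned)cases[i].value,
               (unsigned)tcsr_write(cases[i].old, cases[i].value),
               (unsigned)tcsr_plain_store(cases[i].old, cases[i].value));
    }
    return 0;
}
```

The two output columns differ in every row: only the W1C model keeps a pending TF across an unrelated field update and refuses to let the guest set the flag.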


Re: [kvm-unit-tests PATCH v6 10/13] arm/arm64: ITS: INT functional tests

2020-03-12 Thread Zenghui Yu

On 2020/3/11 21:51, Eric Auger wrote:

+static void test_its_trigger(void)
+{
+   struct its_collection *col3, *col2;
+   struct its_device *dev2, *dev7;
+
+   if (its_prerequisites(4))
+   return;
+
+   dev2 = its_create_device(2 /* dev id */, 8 /* nb_ites */);
+   dev7 = its_create_device(7 /* dev id */, 8 /* nb_ites */);
+
+   col3 = its_create_collection(3 /* col id */, 3/* target PE */);
+   col2 = its_create_collection(2 /* col id */, 2/* target PE */);
+
+   gicv3_lpi_set_config(8195, LPI_PROP_DEFAULT);
+   gicv3_lpi_set_config(8196, LPI_PROP_DEFAULT);
+
+   report_prefix_push("int");
+   /*
+* dev=2, eventid=20  -> lpi= 8195, col=3
+* dev=7, eventid=255 -> lpi= 8196, col=2
+* Trigger dev2, eventid=20 and dev7, eventid=255
+* Check both LPIs hit
+*/
+
+   its_send_mapd(dev2, true);
+   its_send_mapd(dev7, true);
+
+   its_send_mapc(col3, true);
+   its_send_mapc(col2, true);
+
+   its_send_invall(col2);
+   its_send_invall(col3);
+
+   its_send_mapti(dev2, 8195 /* lpi id */, 20 /* event id */, col3);
+   its_send_mapti(dev7, 8196 /* lpi id */, 255 /* event id */, col2);
+
+   lpi_stats_expect(3, 8195);
+   its_send_int(dev2, 20);
+   check_lpi_stats("dev=2, eventid=20  -> lpi= 8195, col=3");
+
+   lpi_stats_expect(2, 8196);
+   its_send_int(dev7, 255);
+   check_lpi_stats("dev=7, eventid=255 -> lpi= 8196, col=2");
+
+   report_prefix_pop();
+
+   report_prefix_push("inv/invall");
+
+   /*
+* disable 8195, check dev2/eventid=20 does not trigger the
+* corresponding LPI
+*/
+   gicv3_lpi_set_config(8195, LPI_PROP_DEFAULT & ~LPI_PROP_ENABLED);
+   its_send_inv(dev2, 20);
+
+   lpi_stats_expect(-1, -1);
+   its_send_int(dev2, 20);
+   check_lpi_stats("dev2/eventid=20 does not trigger any LPI");
+
+   /*
+* re-enable the LPI but willingly do not call invall
+* so the change in config is not taken into account.
+* The LPI should not hit
+*/
+   gicv3_lpi_set_config(8195, LPI_PROP_DEFAULT);
+   lpi_stats_expect(-1, -1);
+   its_send_int(dev2, 20);
+   check_lpi_stats("dev2/eventid=20 still does not trigger any LPI");
+
+   /* Now call the invall and check the LPI hits */
+   its_send_invall(col3);
+   lpi_stats_expect(3, 8195);
+   its_send_int(dev2, 20);
+   check_lpi_stats("dev2/eventid=20 now triggers an LPI");
+
+   report_prefix_pop();
+
+   report_prefix_push("mapd valid=false");
+   /*
+* Unmap device 2 and check the eventid 20 formerly
+* attached to it does not hit anymore
+*/
+
+   its_send_mapd(dev2, false);
+   lpi_stats_expect(-1, -1);
+   its_send_int(dev2, 20);


Here. You issued an INT command while dev2 has just been unmapped;
this will be detected by the ITS as a command error. We may end up failing
to see the completion of this command (under the ITS stall mode).


Thanks,
Zenghui


+   check_lpi_stats("no LPI after device unmap");
+   report_prefix_pop();
+}
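
Review bot: in the "inv/invall" block, the step that re-enables LPI 8195 without an INV or INVALL and then sets lpi_stats_expect(-1, -1) only passes if the implementation keeps using a cached copy of the LPI configuration. Caching is permitted rather than required, so an implementation that re-reads the configuration table would deliver the LPI and fail "dev2/eventid=20 still does not trigger any LPI". Either drop that negative check or say in the comment that it depends on the configuration being cached.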





Re: [kvm-unit-tests PATCH v5 10/13] arm/arm64: ITS: INT functional tests

2020-03-12 Thread Zenghui Yu

Hi Eric,

On 2020/3/12 17:59, Auger Eric wrote:
> Hi Zenghui,
>
> On 3/12/20 10:19 AM, Zenghui Yu wrote:
>> On 2020/3/11 22:00, Marc Zyngier wrote:
>>> That is still a problem with the ITS. There is no architectural way
>>> to report an error, even if the error numbers are architected...
>>>
>>> One thing we could do though is to implement the stall model (as
>>> described in 5.3.2). It still doesn't give us the error, but at least
>>> the command queue would stop on detecting an error.
>>
>> It would be interesting to see the buggy guest's behavior under the
>> stall mode. I've used the following diff (absolutely *not* a formal
>> patch, don't handle CREADR.Stalled and CWRITER.Retry at all) to have
>> a try, and caught another command error in the 'its-trigger' test.
>>
>> logs/its-trigger.log:
>> " INT dev_id=2 event_id=20
>> lib/arm64/gic-v3-its-cmd.c:194: assert failed: false: INT timeout! "
>>
>> dmesg:
>> [13297.711958] [ cut here ]
>> [13297.711964] ITS command error encoding 0x10307
>>
>> It's the last INT test in test_its_trigger() who has triggered this
>> error, Eric?
>
> Yes it may be the culprit. Anyway I removed the collection unmap in v6.

I forgot to mention that this is based on your v6. I'll reply to it.

> By the way are you OK now with v6? I think Drew plans to send a pull
> request by the end of this week.

Sorry I haven't looked at it yet (v5 already looks good except for
some minor issues).


Thanks,
Zenghui




[PATCH v3 5/5] hw/arm/fsl-imx6: Wire up USB controllers

2020-03-12 Thread Guenter Roeck
With this patch, the USB controllers on 'sabrelite' are detected
and can be used to boot the system.

Signed-off-by: Guenter Roeck 
---
v3: Wire up USB and USB PHY controllers separately.
The number of USB controllers does not match the number of USB PHYs,
and they are logically different. 
v2: Use USB PHY emulation

 hw/arm/fsl-imx6.c | 36 
 include/hw/arm/fsl-imx6.h |  6 ++
 2 files changed, 42 insertions(+)

diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
index ecc62855f2..e095e4abc6 100644
--- a/hw/arm/fsl-imx6.c
+++ b/hw/arm/fsl-imx6.c
@@ -22,6 +22,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/arm/fsl-imx6.h"
+#include "hw/usb/imx-usb-phy.h"
 #include "hw/boards.h"
 #include "hw/qdev-properties.h"
 #include "sysemu/sysemu.h"
@@ -86,6 +87,17 @@ static void fsl_imx6_init(Object *obj)
   TYPE_IMX_USDHC);
 }
 
+for (i = 0; i < FSL_IMX6_NUM_USB_PHYS; i++) {
+snprintf(name, NAME_SIZE, "usbphy%d", i);
+sysbus_init_child_obj(obj, name, &s->usbphy[i], sizeof(s->usbphy[i]),
+  TYPE_IMX_USBPHY);
+}
+for (i = 0; i < FSL_IMX6_NUM_USBS; i++) {
+snprintf(name, NAME_SIZE, "usb%d", i);
+sysbus_init_child_obj(obj, name, &s->usb[i], sizeof(s->usb[i]),
+  TYPE_CHIPIDEA);
+}
+
 for (i = 0; i < FSL_IMX6_NUM_ECSPIS; i++) {
 snprintf(name, NAME_SIZE, "spi%d", i + 1);
 sysbus_init_child_obj(obj, name, &s->spi[i], sizeof(s->spi[i]),
@@ -349,6 +361,30 @@ static void fsl_imx6_realize(DeviceState *dev, Error 
**errp)
 esdhc_table[i].irq));
 }
 
+/* USB */
+for (i = 0; i < FSL_IMX6_NUM_USB_PHYS; i++) {
+object_property_set_bool(OBJECT(&s->usbphy[i]), true, "realized",
+ &error_abort);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->usbphy[i]), 0,
+FSL_IMX6_USBPHY1_ADDR + i * 0x1000);
+}
+for (i = 0; i < FSL_IMX6_NUM_USBS; i++) {
+static const int FSL_IMX6_USBn_IRQ[] = {
+FSL_IMX6_USB_OTG_IRQ,
+FSL_IMX6_USB_HOST1_IRQ,
+FSL_IMX6_USB_HOST2_IRQ,
+FSL_IMX6_USB_HOST3_IRQ,
+};
+
+object_property_set_bool(OBJECT(&s->usb[i]), true, "realized",
+ &error_abort);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->usb[i]), 0,
+FSL_IMX6_USBOH3_USB_ADDR + i * 0x200);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->usb[i]), 0,
+   qdev_get_gpio_in(DEVICE(&s->a9mpcore),
+FSL_IMX6_USBn_IRQ[i]));
+}
+
 /* Initialize all ECSPI */
 for (i = 0; i < FSL_IMX6_NUM_ECSPIS; i++) {
 static const struct {
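
Review bot: in the second loop added to fsl_imx6_realize(), FSL_IMX6_USBn_IRQ[] is indexed by i up to FSL_IMX6_NUM_USBS, but nothing ties the table's length to that constant. The two agree today (four entries, and the header hunk sets FSL_IMX6_NUM_USBS to 4), yet raising the define without extending the table would read past the end of the array. A QEMU_BUILD_BUG_ON(ARRAY_SIZE(FSL_IMX6_USBn_IRQ) != FSL_IMX6_NUM_USBS) next to the table would catch that at compile time.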
diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
index 60eadccb42..973bcb72f7 100644
--- a/include/hw/arm/fsl-imx6.h
+++ b/include/hw/arm/fsl-imx6.h
@@ -30,6 +30,8 @@
 #include "hw/sd/sdhci.h"
 #include "hw/ssi/imx_spi.h"
 #include "hw/net/imx_fec.h"
+#include "hw/usb/chipidea.h"
+#include "hw/usb/imx-usb-phy.h"
 #include "exec/memory.h"
 #include "cpu.h"
 
@@ -44,6 +46,8 @@
 #define FSL_IMX6_NUM_ESDHCS 4
 #define FSL_IMX6_NUM_ECSPIS 5
 #define FSL_IMX6_NUM_WDTS 2
+#define FSL_IMX6_NUM_USB_PHYS 2
+#define FSL_IMX6_NUM_USBS 4
 
 typedef struct FslIMX6State {
 /*< private >*/
@@ -62,6 +66,8 @@ typedef struct FslIMX6State {
 SDHCIState esdhc[FSL_IMX6_NUM_ESDHCS];
 IMXSPIStatespi[FSL_IMX6_NUM_ECSPIS];
 IMX2WdtState   wdt[FSL_IMX6_NUM_WDTS];
+IMXUSBPHYState usbphy[FSL_IMX6_NUM_USB_PHYS];
+ChipideaState  usb[FSL_IMX6_NUM_USBS];
 IMXFECStateeth;
 MemoryRegion   rom;
 MemoryRegion   caam;
-- 
2.17.1




[PATCH v3 4/5] hw/arm/fsl-imx6ul: Wire up USB controllers

2020-03-12 Thread Guenter Roeck
IMX6UL USB controllers are quite similar to IMX7 USB controllers.
Wire them up the same way.

The only real difference is that wiring up phy devices is necessary
to avoid phy reset timeouts in the Linux kernel.

Signed-off-by: Guenter Roeck 
---
v3: Wire up USB and USB PHY controllers in separate loops
While the number of USB controllers matches the number of USB PHYs,
they are logically different.
v2: Use USB PHY emulation

 hw/arm/fsl-imx6ul.c | 35 +++
 include/hw/arm/fsl-imx6ul.h | 10 ++
 2 files changed, 45 insertions(+)

diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
index a0bcc6f895..99a5859a4e 100644
--- a/hw/arm/fsl-imx6ul.c
+++ b/hw/arm/fsl-imx6ul.c
@@ -20,6 +20,7 @@
 #include "qapi/error.h"
 #include "hw/arm/fsl-imx6ul.h"
 #include "hw/misc/unimp.h"
+#include "hw/usb/imx-usb-phy.h"
 #include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "qemu/error-report.h"
@@ -133,6 +134,18 @@ static void fsl_imx6ul_init(Object *obj)
   TYPE_IMX_ENET);
 }
 
+/* USB */
+for (i = 0; i < FSL_IMX6UL_NUM_USB_PHYS; i++) {
+snprintf(name, NAME_SIZE, "usbphy%d", i);
+sysbus_init_child_obj(obj, name, &s->usbphy[i], sizeof(s->usbphy[i]),
+  TYPE_IMX_USBPHY);
+}
+for (i = 0; i < FSL_IMX6UL_NUM_USBS; i++) {
+snprintf(name, NAME_SIZE, "usb%d", i);
+sysbus_init_child_obj(obj, name, &s->usb[i], sizeof(s->usb[i]),
+  TYPE_CHIPIDEA);
+}
+
 /*
  * SDHCI
  */
@@ -456,6 +469,28 @@ static void fsl_imx6ul_realize(DeviceState *dev, Error 
**errp)
 FSL_IMX6UL_ENETn_TIMER_IRQ[i]));
 }
 
+/* USB */
+for (i = 0; i < FSL_IMX6UL_NUM_USB_PHYS; i++) {
+object_property_set_bool(OBJECT(&s->usbphy[i]), true, "realized",
+ &error_abort);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->usbphy[i]), 0,
+FSL_IMX6UL_USBPHY1_ADDR + i * 0x1000);
+}
+
+for (i = 0; i < FSL_IMX6UL_NUM_USBS; i++) {
+static const int FSL_IMX6UL_USBn_IRQ[] = {
+FSL_IMX6UL_USB1_IRQ,
+FSL_IMX6UL_USB2_IRQ,
+};
+object_property_set_bool(OBJECT(&s->usb[i]), true, "realized",
+ &error_abort);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->usb[i]), 0,
+FSL_IMX6UL_USBO2_USB_ADDR + i * 0x200);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->usb[i]), 0,
+   qdev_get_gpio_in(DEVICE(&s->a7mpcore),
+FSL_IMX6UL_USBn_IRQ[i]));
+}
+
 /*
  * USDHC
  */
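
Review bot: both object_property_set_bool(..., "realized", &error_abort) calls added to fsl_imx6ul_realize() abort QEMU if a USB PHY or controller fails to realize, although the function receives an Error **errp it could report through. Consider collecting the error in a local Error * and handing it up with error_propagate(), so a failure surfaces as a realize error on the SoC instead of an abort.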
diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
index 5a420785b9..1a0bab8daa 100644
--- a/include/hw/arm/fsl-imx6ul.h
+++ b/include/hw/arm/fsl-imx6ul.h
@@ -34,6 +34,8 @@
 #include "hw/sd/sdhci.h"
 #include "hw/ssi/imx_spi.h"
 #include "hw/net/imx_fec.h"
+#include "hw/usb/chipidea.h"
+#include "hw/usb/imx-usb-phy.h"
 #include "exec/memory.h"
 #include "cpu.h"
 
@@ -54,6 +56,8 @@ enum FslIMX6ULConfiguration {
 FSL_IMX6UL_NUM_I2CS = 4,
 FSL_IMX6UL_NUM_ECSPIS   = 4,
 FSL_IMX6UL_NUM_ADCS = 2,
+FSL_IMX6UL_NUM_USB_PHYS = 2,
+FSL_IMX6UL_NUM_USBS = 2,
 };
 
 typedef struct FslIMX6ULState {
@@ -77,6 +81,8 @@ typedef struct FslIMX6ULState {
 IMXFECStateeth[FSL_IMX6UL_NUM_ETHS];
 SDHCIState usdhc[FSL_IMX6UL_NUM_USDHCS];
 IMX2WdtState   wdt[FSL_IMX6UL_NUM_WDTS];
+IMXUSBPHYState usbphy[FSL_IMX6UL_NUM_USB_PHYS];
+ChipideaState  usb[FSL_IMX6UL_NUM_USBS];
 MemoryRegion   rom;
 MemoryRegion   caam;
 MemoryRegion   ocram;
@@ -145,6 +151,10 @@ enum FslIMX6ULMemoryMap {
 FSL_IMX6UL_EPIT2_ADDR   = 0x020D4000,
 FSL_IMX6UL_EPIT1_ADDR   = 0x020D,
 FSL_IMX6UL_SNVS_HP_ADDR = 0x020CC000,
+FSL_IMX6UL_USBPHY2_ADDR = 0x020CA000,
+FSL_IMX6UL_USBPHY2_SIZE = (4 * 1024),
+FSL_IMX6UL_USBPHY1_ADDR = 0x020C9000,
+FSL_IMX6UL_USBPHY1_SIZE = (4 * 1024),
 FSL_IMX6UL_ANALOG_ADDR  = 0x020C8000,
 FSL_IMX6UL_CCM_ADDR = 0x020C4000,
 FSL_IMX6UL_WDOG2_ADDR   = 0x020C,
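
Review bot: the FSL_IMX6UL_USBPHY1_SIZE and FSL_IMX6UL_USBPHY2_SIZE constants added to the memory map are not used by the realize loop in this patch, which maps the PHYs at FSL_IMX6UL_USBPHY1_ADDR + i * 0x1000. Either use the size constant as the stride or take the address from a small table of the two _ADDR values, so this header stays the single source of the layout.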
-- 
2.17.1




[PATCH v3 3/5] hw/arm/fsl-imx6ul: Instantiate unimplemented pwm and can devices

2020-03-12 Thread Guenter Roeck
Recent Linux kernels (post v4.20) crash due to accesses to flexcan
and pwm controllers. Instantiate as unimplemented devices to work
around the problem.

Signed-off-by: Guenter Roeck 
---
v3: New patch

 hw/arm/fsl-imx6ul.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
index c405b68d1d..a0bcc6f895 100644
--- a/hw/arm/fsl-imx6ul.c
+++ b/hw/arm/fsl-imx6ul.c
@@ -516,6 +516,20 @@ static void fsl_imx6ul_realize(DeviceState *dev, Error 
**errp)
  */
 create_unimplemented_device("sdma", FSL_IMX6UL_SDMA_ADDR, 0x4000);
 
+/*
+ * PWM
+ */
+create_unimplemented_device("pwm1", FSL_IMX6UL_PWM1_ADDR, 0x4000);
+create_unimplemented_device("pwm2", FSL_IMX6UL_PWM2_ADDR, 0x4000);
+create_unimplemented_device("pwm3", FSL_IMX6UL_PWM3_ADDR, 0x4000);
+create_unimplemented_device("pwm4", FSL_IMX6UL_PWM4_ADDR, 0x4000);
+
+/*
+ * CAN
+ */
+create_unimplemented_device("can1", FSL_IMX6UL_CAN1_ADDR, 0x4000);
+create_unimplemented_device("can2", FSL_IMX6UL_CAN2_ADDR, 0x4000);
+
 /*
  * APHB_DMA
  */
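
Review bot: the new PWM and CAN comment blocks do not say why these regions are placeholders; the reason (guest kernels crashing on accesses to the flexcan and pwm controllers) is only in the commit message. A one-line comment above the create_unimplemented_device() calls stating that would help whoever later replaces them with real models. The 0x4000 region size is also repeated six times as a literal.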
-- 
2.17.1




Re: [PATCH v7 0/4] linux-user: generate syscall_nr.sh for RISC-V

2020-03-12 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/cover.1584051142.git.alistair.fran...@wdc.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v7 0/4]  linux-user: generate syscall_nr.sh for RISC-V
Message-id: cover.1584051142.git.alistair.fran...@wdc.com
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Switched to a new branch 'test'
f4fd7cd linux-user/riscv: Update the syscall_nr's to the 5.5 kernel
c1a255d linux-user: Support futex_time64
8260cdf linux-user/syscall: Add support for clock_gettime64/clock_settime64
7f5e99b linux-user: Protect more syscalls

=== OUTPUT BEGIN ===
1/4 Checking commit 7f5e99bb7c2d (linux-user: Protect more syscalls)
2/4 Checking commit 8260cdffefce (linux-user/syscall: Add support for 
clock_gettime64/clock_settime64)
3/4 Checking commit c1a255d57dfe (linux-user: Support futex_time64)
WARNING: architecture specific defines should be avoided
#23: FILE: linux-user/syscall.c:248:
+#if defined(__NR_futex)

WARNING: architecture specific defines should be avoided
#26: FILE: linux-user/syscall.c:251:
+#if defined(__NR_futex_time64)

WARNING: architecture specific defines should be avoided
#37: FILE: linux-user/syscall.c:303:
+#if (defined(TARGET_NR_futex) && defined(__NR_futex)) || \

WARNING: architecture specific defines should be avoided
#43: FILE: linux-user/syscall.c:309:
+#if (defined(TARGET_NR_futex_time64) && defined(__NR_futex_teim64))

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
  ^

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
   ^

ERROR: space required after that ',' (ctx:OxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
 ^

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
   ^

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
   ^

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
  ^

ERROR: space required after that ',' (ctx:VxV)
#44: FILE: linux-user/syscall.c:310:
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
  ^

ERROR: space required after that ',' (ctx:OxV)
#45: FILE: linux-user/syscall.c:311:
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
  ^

ERROR: space required after that ',' (ctx:VxV)
#45: FILE: linux-user/syscall.c:311:
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
  ^

ERROR: space required after that ',' (ctx:OxV)
#45: FILE: linux-user/syscall.c:311:
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
^

ERROR: space required after that ',' (ctx:VxV)
#45: FILE: linux-user/syscall.c:311:
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
   ^

ERROR: space required after that ',' (ctx:VxV)
#45: FILE: linux-user/syscall.c:311:
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
   ^

WARNING: architecture specific defines should be avoided
#55: FILE: linux-user/syscall.c:776:
+#if defined(__NR_futex)

WARNING: architecture specific defines should be avoided
#59: FILE: linux-user/syscall.c:780:
+#if defined(__NR_futex_time64)

ERROR: space required after that ',' (ctx:VxV)
#60: FILE: linux-user/syscall.c:781:
+safe_syscall6(int,futex_time64,int *,uaddr,int,op,int,val, \
  ^

ERROR: space required after that ',' (ctx:VxV)
#60: FILE: linux-user/syscall.c:781:
+safe_syscall6(int,futex_time64,int *,uaddr,int,op,int,val, \
   ^

ERROR: space required after that ',' (ctx:OxV)
#60: FILE: linux-user/syscall.c:781:
+safe_syscall6(int,futex_time64,int *,uaddr,int,op,int,val, \
 ^

ERROR: space required after that ',' (ctx:VxV)
#60: FILE: linux-user/syscall.c:781:
+safe_syscall6(int,futex_time64,int *,uaddr,int,op,int,val, \
   ^

ERROR: space required after that ',

[PATCH v3 1/5] hw/usb: Add basic i.MX USB Phy support

2020-03-12 Thread Guenter Roeck
Add basic USB PHY support as implemented in i.MX23, i.MX28, i.MX6,
and i.MX7 SoCs.

The only support really needed - at least to boot Linux - is support
for soft reset, which needs to reset various registers to their initial
value. Otherwise, just record register values.

Reviewed-by: Peter Maydell 
Signed-off-by: Guenter Roeck 
---
v3: Added Reviewed-by:;
dropped duplicate "the" in comments;
added new files to MAINTAINERS
v2: New patch, replacing dummy STMP register support with basic USB PHY
emulation.

 MAINTAINERS  |   2 +
 hw/arm/Kconfig   |   1 +
 hw/usb/Kconfig   |   5 +
 hw/usb/Makefile.objs |   2 +
 hw/usb/imx-usb-phy.c | 225 +++
 include/hw/usb/imx-usb-phy.h |  53 +
 6 files changed, 288 insertions(+)
 create mode 100644 hw/usb/imx-usb-phy.c
 create mode 100644 include/hw/usb/imx-usb-phy.h

diff --git a/MAINTAINERS b/MAINTAINERS
index d881ba7d9c..1cfdeeae32 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -748,6 +748,8 @@ F: hw/arm/sabrelite.c
 F: hw/arm/fsl-imx6.c
 F: hw/misc/imx6_*.c
 F: hw/ssi/imx_spi.c
+F: hw/usb/imx-usb-phy.c
+F: include/hw/usb/imx-usb-phy.h
 F: include/hw/arm/fsl-imx6.h
 F: include/hw/misc/imx6_*.h
 F: include/hw/ssi/imx_spi.h
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index bc54fd61f9..21c627c3b7 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -361,6 +361,7 @@ config FSL_IMX6
 select IMX
 select IMX_FEC
 select IMX_I2C
+select IMX_USBPHY
 select SDHCI
 
 config ASPEED_SOC
diff --git a/hw/usb/Kconfig b/hw/usb/Kconfig
index 5e70ed5f7b..464348ba14 100644
--- a/hw/usb/Kconfig
+++ b/hw/usb/Kconfig
@@ -91,3 +91,8 @@ config USB_STORAGE_MTP
 bool
 default y
 depends on USB
+
+config IMX_USBPHY
+bool
+default y
+depends on USB
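
Review bot: IMX_USBPHY is declared with "default y", while the hw/arm/Kconfig hunk also selects it from FSL_IMX6. With the default in place the PHY model is built for every target that enables USB, not only the i.MX SoCs. The usual pattern for an on-SoC device is no default and a select from each SoC config that instantiates it.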
diff --git a/hw/usb/Makefile.objs b/hw/usb/Makefile.objs
index 2b10868937..66835e5bf7 100644
--- a/hw/usb/Makefile.objs
+++ b/hw/usb/Makefile.objs
@@ -61,3 +61,5 @@ common-obj-$(CONFIG_XEN) += xen-usb.o
 xen-usb.o-cflags := $(LIBUSB_CFLAGS)
 xen-usb.o-libs := $(LIBUSB_LIBS)
 endif
+
+common-obj-$(CONFIG_IMX_USBPHY) += imx-usb-phy.o
diff --git a/hw/usb/imx-usb-phy.c b/hw/usb/imx-usb-phy.c
new file mode 100644
index 00..e705a03a1f
--- /dev/null
+++ b/hw/usb/imx-usb-phy.c
@@ -0,0 +1,225 @@
+/*
+ * i.MX USB PHY
+ *
+ * Copyright (c) 2020 Guenter Roeck 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ * We need to implement basic reset control in the PHY control register.
+ * For everything else, it is sufficient to set whatever is written.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/usb/imx-usb-phy.h"
+#include "migration/vmstate.h"
+#include "qemu/log.h"
+#include "qemu/module.h"
+
+static const VMStateDescription vmstate_imx_usbphy = {
+.name = TYPE_IMX_USBPHY,
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_UINT32_ARRAY(usbphy, IMXUSBPHYState, USBPHY_MAX),
+VMSTATE_END_OF_LIST()
+},
+};
+
+static void imx_usbphy_softreset(IMXUSBPHYState *s)
+{
+s->usbphy[USBPHY_PWD] = 0x001e1c00;
+s->usbphy[USBPHY_TX] = 0x10060607;
+s->usbphy[USBPHY_RX] = 0x;
+s->usbphy[USBPHY_CTRL] = 0xc020;
+}
+
+static void imx_usbphy_reset(DeviceState *dev)
+{
+IMXUSBPHYState *s = IMX_USBPHY(dev);
+
+s->usbphy[USBPHY_STATUS] = 0x;
+s->usbphy[USBPHY_DEBUG] = 0x7f18;
+s->usbphy[USBPHY_DEBUG0_STATUS] = 0x;
+s->usbphy[USBPHY_DEBUG1] = 0x1000;
+s->usbphy[USBPHY_VERSION] = 0x0402;
+
+imx_usbphy_softreset(s);
+}
+
+static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, unsigned size)
+{
+IMXUSBPHYState *s = (IMXUSBPHYState *)opaque;
+uint32_t index = offset >> 2;
+uint32_t value;
+
+switch (index) {
+case USBPHY_PWD_SET:
+case USBPHY_TX_SET:
+case USBPHY_RX_SET:
+case USBPHY_CTRL_SET:
+case USBPHY_DEBUG_SET:
+case USBPHY_DEBUG1_SET:
+/*
+ * All REG_NAME_SET register access are in fact targeting the
+ * REG_NAME register.
+ */
+value = s->usbphy[index - 1];
+break;
+case USBPHY_PWD_CLR:
+case USBPHY_TX_CLR:
+case USBPHY_RX_CLR:
+case USBPHY_CTRL_CLR:
+case USBPHY_DEBUG_CLR:
+case USBPHY_DEBUG1_CLR:
+/*
+ * All REG_NAME_CLR register access are in fact targeting the
+ * REG_NAME register.
+ */
+value = s->usbphy[index - 2];
+break;
+case USBPHY_PWD_TOG:
+case USBPHY_TX_TOG:
+case USBPHY_RX_TOG:
+case USBPHY_CTRL_TOG:
+case USBPHY_DEBUG_TOG:
+case USBPHY_DEBUG1_TOG:
+/*
+ * All REG_NAME_TOG register access are in fact targeting the
+ * REG_NAME register.
+ */
+value = s->usbphy[index - 3];
+break;
+default:
+value = s->usbphy[index];
+break;
+
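
Review bot: in imx_usbphy_read(), index comes straight from the guest-supplied offset (offset >> 2), and the default case reads s->usbphy[index] with no range check in the lines shown. That is only safe if the MMIO region registered for the device is exactly USBPHY_MAX * 4 bytes; the region setup is not visible in this excerpt, so it is worth confirming, or guarding the access with an explicit index < USBPHY_MAX check that logs a guest error and returns 0.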

[PATCH v3 2/5] hw/arm/fsl-imx6ul: Fix USB interrupt numbers

2020-03-12 Thread Guenter Roeck
USB1 and USB2 interrupt numbers were swapped. USB_PHY2 interrupt number
is 45. That didn't really matter up to now since the interrupts were not
used, but it needs to be fixed to be able to wire up the USB controllers.

Fixes: 31cbf933f0e ("i.MX6UL: Add i.MX6UL SOC")
Signed-off-by: Guenter Roeck 
---
v3: New patch

 include/hw/arm/fsl-imx6ul.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
index eda389aec7..5a420785b9 100644
--- a/include/hw/arm/fsl-imx6ul.h
+++ b/include/hw/arm/fsl-imx6ul.h
@@ -241,10 +241,10 @@ enum FslIMX6ULIRQs {
 FSL_IMX6UL_UART7_IRQ= 39,
 FSL_IMX6UL_UART8_IRQ= 40,
 
-FSL_IMX6UL_USB1_IRQ = 42,
-FSL_IMX6UL_USB2_IRQ = 43,
+FSL_IMX6UL_USB1_IRQ = 43,
+FSL_IMX6UL_USB2_IRQ = 42,
 FSL_IMX6UL_USB_PHY1_IRQ = 44,
-FSL_IMX6UL_USB_PHY2_IRQ = 44,
+FSL_IMX6UL_USB_PHY2_IRQ = 45,
 
 FSL_IMX6UL_CAAM_JQ2_IRQ = 46,
 FSL_IMX6UL_CAAM_ERR_IRQ = 47,
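
Review bot: the corrected values (USB1 = 43, USB2 = 42, USB_PHY2 = 45) carry no reference in either the commit message or the enum. A short comment citing the reference manual's interrupt table would let a reader verify them, especially since USB2 being lower than USB1 looks like a mistake at first glance.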
-- 
2.17.1




[PATCH v3 0/5] Wire up USB controllers in i.MX6 emulations

2020-03-12 Thread Guenter Roeck
This patch series wires up the USB controllers on fsl-imx6 and fsl-imx6ul
emulations.

The first patch provides a basic implementation of the USB PHY controller
used in i.MX28 and later chips. Only reset bit handling in the control
register is actually implemented. Basic USB PHY support is needed to make
the USB ports operational in Linux.

The second patch fixes USB and USB PHY interrupt numbers for i.MX6UL.

The third patch instantiates unimplemented pwm and can devices. This patch
is necessary to avoid crashes in Linux when it tries to access those
devices. The crashes are observed when trying to boot Linux v4.21 or later.

The final two patches instantiate the USB controllers for i.MX6 and
i.MX6UL.

v3:
- Minor cleanup in patch 1/5 (see details in patch)
- Added patch to fix USB and USB PHY interrupt numbers for fsl-imx6ul.
- Added patch to instantiate unimplemented pwm and CAN devices.
- Instantiate USB and USB PHY separately. They are logically different,
  and the number of instances is not always the same.

v2:
- Implement and instantiate basic USB PHY implementation
  instead of emulating a single USB PHY register


Guenter Roeck (5):
  hw/usb: Add basic i.MX USB Phy support
  hw/arm/fsl-imx6ul: Fix USB interrupt numbers
  hw/arm/fsl-imx6ul: Instantiate unimplemented pwm and can devices
  hw/arm/fsl-imx6ul: Wire up USB controllers
  hw/arm/fsl-imx6: Wire up USB controllers

 MAINTAINERS  |   2 +
 hw/arm/Kconfig   |   1 +
 hw/arm/fsl-imx6.c|  36 +++
 hw/arm/fsl-imx6ul.c  |  49 ++
 hw/usb/Kconfig   |   5 +
 hw/usb/Makefile.objs |   2 +
 hw/usb/imx-usb-phy.c | 225 +++
 include/hw/arm/fsl-imx6.h|   6 ++
 include/hw/arm/fsl-imx6ul.h  |  16 ++-
 include/hw/usb/imx-usb-phy.h |  53 ++
 10 files changed, 392 insertions(+), 3 deletions(-)
 create mode 100644 hw/usb/imx-usb-phy.c
 create mode 100644 include/hw/usb/imx-usb-phy.h



Re: [RFC] cpus: avoid get stuck in pause_all_vcpus

2020-03-12 Thread Longpeng (Mike, Cloud Infrastructure Service Product Dept.)



On 2020/3/12 23:28, Paolo Bonzini wrote:
> On 10/03/20 10:14, Longpeng(Mike) wrote:
>> From: Longpeng 
>>
>> We find an issue when repeatedly rebooting the guest during migration: it causes the
>> migration thread to never be woken up again.
>>
>> |
>>|
>> LOCK BQL   |
>> ...|
>> main_loop_should_exit  |
>>  pause_all_vcpus   |
>>   1. set all cpus ->stop=true  |
>>  and then kick |
>>   2. return if all cpus is paused  |
>>  (by '->stopped == true'), else|
>>   3. qemu_cond_wait [BQL UNLOCK]   |
>>|LOCK BQL
>>|...
>>|do_vm_stop
>>| pause_all_vcpus
>>|  (A)set all cpus ->stop=true
>>| and then kick
>>|  (B)return if all cpus is paused
>>| (by '->stopped == true'), else
>>|  (C)qemu_cond_wait [BQL UNLOCK]
>>   4. be waken up and LOCK BQL  |  (D)be waken up BUT wait for  BQL
>>   5. goto 2.   |
>>  (BQL is still LOCKed) |
>>  resume_all_vcpus  |
>>   1. set all cpus ->stop=false |
>>  and ->stopped=false   |
>> ...|
>> BQL UNLOCK |  (E)LOCK BQL
>>|  (F)goto B. [but stopped is false now!]
>>|Finally, sleep at step 3 forever.
>>
>>
>> Note: This patch is just for discussing this issue; I'm looking forward to
>>   your suggestions, thanks!
> 
> Thanks Mike,
> 
> the above sketch is really helpful.
> 
> I think the problem is not that pause_all_vcpus() is not pausing hard
> enough; the problem is rather that resume_all_vcpus(), when used outside
> vm_start(), should know about the race and do nothing if it happens.
> 
> Fortunately resume_all_vcpus does not release the BQL so it should be
> enough to test once; translated to code, this would be the patch to fix it:
> 
> diff --git a/cpus.c b/cpus.c
> index b4f8b84b61..1eb7533a91 100644
> --- a/cpus.c
> +++ b/cpus.c
> @@ -1899,6 +1899,10 @@ void resume_all_vcpus(void)
>  {
>  CPUState *cpu;
> 
> +if (!runstate_is_running()) {
> +return;
> +}
> +
Hi Paolo,

The runstate of my above sketch is running, so maybe your patch can fix some
other issues but not mine?

main_loop_should_exit
  ( *reset* requested )
  pause_all_vcpus
  resume_all_vcpus
  if (!runstate_check(RUN_STATE_RUNNING) &&
  !runstate_check(RUN_STATE_INMIGRATE)) {
  runstate_set(RUN_STATE_PRELAUNCH);
  ...


migration_completion
  vm_stop_force_state(RUN_STATE_FINISH_MIGRATE);
vm_stop ( if runstate_is_running )
  do_vm_stop
pause_all_vcpus ( if runstate_is_running )


>  qemu_clock_enable(QEMU_CLOCK_VIRTUAL, true);
>  CPU_FOREACH(cpu) {
>  cpu_resume(cpu);
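
Review bot: the early return added at the top of resume_all_vcpus() has no comment, and it also skips the qemu_clock_enable(QEMU_CLOCK_VIRTUAL, true) call that follows it. A comment naming the race it guards against and stating that the virtual clock is deliberately left untouched in that case would make the intent reviewable.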
> 
> 
> Thanks,
> 
> Paolo
> 
> .
> 

---
Regards,
Longpeng(Mike)



[PATCH 2/3] MAINTAINERS: Adjust maintainer's email

2020-03-12 Thread Aleksandar Markovic
From: Aleksandar Markovic 

For some longish time I've been using multiple email addresses
for mailing list communication, and would like to consolidate it
into a single email address that is the most convenient to me.
My other emails, from rt-rk.com and wavecomp.com domains remain
active and I will respond from them too, if needed, but I would
like to manage almost all communication using gmail.com account.

Signed-off-by: Aleksandar Markovic 
---
 .mailmap|  5 +++--
 MAINTAINERS | 12 ++--
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.mailmap b/.mailmap
index 76154c7..e431d1f 100644
--- a/.mailmap
+++ b/.mailmap
@@ -39,8 +39,9 @@ Julia Suvorova  Julia Suvorova via Qemu-devel 
 Justin Terry (VM) via Qemu-devel 

 
 # Next, replace old addresses by a more recent one.
-Aleksandar Markovic  
-Aleksandar Markovic  
+Aleksandar Markovic  

+Aleksandar Markovic  

+Aleksandar Markovic  
 Aleksandar Rikalo  
 Anthony Liguori  Anthony Liguori 
 James Hogan  
diff --git a/MAINTAINERS b/MAINTAINERS
index 4fba8b8..8411c96 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -209,7 +209,7 @@ F: hw/microblaze/
 F: disas/microblaze.c
 
 MIPS TCG CPUs
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Maintained
@@ -1016,7 +1016,7 @@ F: hw/display/jazz_led.c
 F: hw/dma/rc4030.c
 
 Malta
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 M: Philippe Mathieu-Daudé 
 R: Aurelien Jarno 
 S: Maintained
@@ -1029,14 +1029,14 @@ F: tests/acceptance/linux_ssh_mips_malta.py
 F: tests/acceptance/machine_mips_malta.py
 
 Mipssim
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 R: Aleksandar Rikalo 
 S: Odd Fixes
 F: hw/mips/mips_mipssim.c
 F: hw/net/mipsnet.c
 
 R4000
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Obsolete
@@ -1044,7 +1044,7 @@ F: hw/mips/mips_r4k.c
 
 Fulong 2E
 M: Philippe Mathieu-Daudé 
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 S: Odd Fixes
 F: hw/mips/mips_fulong2e.c
 F: hw/isa/vt82c686.c
@@ -2508,7 +2508,7 @@ F: tcg/i386/
 F: disas/i386.c
 
 MIPS TCG target
-M: Aleksandar Markovic 
+M: Aleksandar Markovic 
 R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Maintained
-- 
2.7.4




[PATCH 3/3] MAINTAINERS: Add a file to the main MIPS section

2020-03-12 Thread Aleksandar Markovic
From: Aleksandar Markovic 

A recently added acceptance test is important not only for
Malta machine, but for overall MIPS target, since it tests
smp feature.

CC: Philippe Mathieu-Daudé 
Signed-off-by: Aleksandar Markovic 
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 8411c96..5c56e14 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -226,6 +226,7 @@ F: include/hw/mips/
 F: include/hw/misc/mips_*
 F: include/hw/timer/mips_gictimer.h
 F: tests/acceptance/linux_ssh_mips_malta.py
+F: tests/acceptance/machine_mips_malta.py
 F: tests/tcg/mips/
 K: ^Subject:.*(?i)mips
 
-- 
2.7.4




[PATCH 1/3] MAINTAINERS: Adjust maintainer's status for some MIPS items

2020-03-12 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Aurelien has been and will forever remain an idol in QEMU for
MIPS world. However, since he decided to move on to other projects,
acknowledge the reality, and formally relieve him from maintainer's
duties for QEMU for MIPS items. Aurelien is though welcome to come
back at any time. Some empty spots caused by this are filled in by
Aleksandar.

CC: Aurelien Jarno 
Signed-off-by: Aleksandar Markovic 
---
 MAINTAINERS | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 32867bc..4fba8b8 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -209,8 +209,8 @@ F: hw/microblaze/
 F: disas/microblaze.c
 
 MIPS TCG CPUs
-M: Aurelien Jarno 
 M: Aleksandar Markovic 
+R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Maintained
 F: target/mips/
@@ -1036,7 +1036,8 @@ F: hw/mips/mips_mipssim.c
 F: hw/net/mipsnet.c
 
 R4000
-M: Aurelien Jarno 
+M: Aleksandar Markovic 
+R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Obsolete
 F: hw/mips/mips_r4k.c
@@ -2507,7 +2508,8 @@ F: tcg/i386/
 F: disas/i386.c
 
 MIPS TCG target
-M: Aurelien Jarno 
+M: Aleksandar Markovic 
+R: Aurelien Jarno 
 R: Aleksandar Rikalo 
 S: Maintained
 F: tcg/mips/
-- 
2.7.4




[PATCH 0/3] MAINTAINERS: Adjust MIPS items

2020-03-12 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Some MIPS maintainership housekeeping changes, and some items
for better reflecting the reality.

Aleksandar Markovic (3):
  MAINTAINERS: Adjust maintainer's status for some MIPS items
  MAINTAINERS: Adjust maintainer's email
  MAINTAINERS: Add a file to the main MIPS section

 .mailmap|  5 +++--
 MAINTAINERS | 17 ++---
 2 files changed, 13 insertions(+), 9 deletions(-)

-- 
2.7.4




[PATCH 2/2] target/riscv: Add a sifive-e34 cpu type

2020-03-12 Thread Corey Wharton
The sifive-e34 cpu type is the same as the sifive-e31 with the
single precision floating-point extension enabled.

Signed-off-by: Corey Wharton 
---
 target/riscv/cpu.c | 10 ++
 target/riscv/cpu.h |  1 +
 2 files changed, 11 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index c0b7023100..d415cd06eb 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -164,6 +164,15 @@ static void rv32imacu_nommu_cpu_init(Object *obj)
 set_feature(env, RISCV_FEATURE_PMP);
 }
 
+static void rv32imafcu_nommu_cpu_init(Object *obj)
+{
+CPURISCVState *env = &RISCV_CPU(obj)->env;
+set_misa(env, RV32 | RVI | RVM | RVA | RVF | RVC);
+set_priv_version(env, PRIV_VERSION_1_10_0);
+set_resetvec(env, DEFAULT_RSTVEC);
+set_feature(env, RISCV_FEATURE_PMP);
+}
+
 #elif defined(TARGET_RISCV64)
 
 static void riscv_base64_cpu_init(Object *obj)
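
Review bot: rv32imafcu_nommu_cpu_init() is named with a trailing "u", but its set_misa() call passes RV32 | RVI | RVM | RVA | RVF | RVC with no RVU bit, so the new sifive-e34 type would not advertise user mode. If the E34 is meant to be the E31 plus single-precision float, as the commit message says, add RVU to the mask; otherwise rename the function to match what it sets.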
@@ -609,6 +618,7 @@ static const TypeInfo riscv_cpu_type_infos[] = {
 #if defined(TARGET_RISCV32)
 DEFINE_CPU(TYPE_RISCV_CPU_BASE32,   riscv_base32_cpu_init),
 DEFINE_CPU(TYPE_RISCV_CPU_SIFIVE_E31,   rv32imacu_nommu_cpu_init),
+DEFINE_CPU(TYPE_RISCV_CPU_SIFIVE_E34,   rv32imafcu_nommu_cpu_init),
 DEFINE_CPU(TYPE_RISCV_CPU_SIFIVE_U34,   rv32gcsu_priv1_10_0_cpu_init),
 /* Depreacted */
 DEFINE_CPU(TYPE_RISCV_CPU_RV32IMACU_NOMMU,  rv32imacu_nommu_cpu_init),
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 3dcdf92227..ae5a1d9dce 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -36,6 +36,7 @@
 #define TYPE_RISCV_CPU_BASE32   RISCV_CPU_TYPE_NAME("rv32")
 #define TYPE_RISCV_CPU_BASE64   RISCV_CPU_TYPE_NAME("rv64")
 #define TYPE_RISCV_CPU_SIFIVE_E31   RISCV_CPU_TYPE_NAME("sifive-e31")
+#define TYPE_RISCV_CPU_SIFIVE_E34   RISCV_CPU_TYPE_NAME("sifive-e34")
 #define TYPE_RISCV_CPU_SIFIVE_E51   RISCV_CPU_TYPE_NAME("sifive-e51")
 #define TYPE_RISCV_CPU_SIFIVE_U34   RISCV_CPU_TYPE_NAME("sifive-u34")
 #define TYPE_RISCV_CPU_SIFIVE_U54   RISCV_CPU_TYPE_NAME("sifive-u54")
-- 
2.21.1




[PATCH 1/2] riscv: sifive_e: Support changing CPU type

2020-03-12 Thread Corey Wharton
Allows the CPU to be changed from the default via the -cpu command
line option.

Signed-off-by: Corey Wharton 
---
 hw/riscv/sifive_e.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index a254cad489..b0a611adb9 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -123,7 +123,7 @@ static void riscv_sifive_e_soc_init(Object *obj)
 object_initialize_child(obj, "cpus", &s->cpus,
 sizeof(s->cpus), TYPE_RISCV_HART_ARRAY,
 &error_abort, NULL);
-object_property_set_str(OBJECT(&s->cpus), SIFIVE_E_CPU, "cpu-type",
+object_property_set_str(OBJECT(&s->cpus), ms->cpu_type, "cpu-type",
 &error_abort);
 object_property_set_int(OBJECT(&s->cpus), ms->smp.cpus, "num-harts",
 &error_abort);
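Review bot: With ms->cpu_type in riscv_sifive_e_soc_init(), the "cpu-type" string now comes from the -cpu option, but the call still passes &error_abort, so any failure caused by a user-supplied value ends in an abort instead of a normal error message. Nothing in this patch restricts -cpu to CPU types that fit this SoC; consider validating the type in the machine code, or propagating the error, before the string reaches the SoC init.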
@@ -220,6 +220,7 @@ static void riscv_sifive_e_machine_init(MachineClass *mc)
 mc->desc = "RISC-V Board compatible with SiFive E SDK";
 mc->init = riscv_sifive_e_init;
 mc->max_cpus = 1;
+mc->default_cpu_type = SIFIVE_E_CPU;
 }
 
 DEFINE_MACHINE("sifive_e", riscv_sifive_e_machine_init)
-- 
2.21.1




[PATCH 0/2] Support different CPU types for the sifive_e machine

2020-03-12 Thread Corey Wharton
The purpose of this patch set is to allow the sifive_e machine to run
with different CPU targets to enable different ISA extensions. To that
end it also introduces a new sifive-e34 CPU type which provides the
same ISA as sifive-e31, with the addition of the single precision
floating-point extension (f). The default CPU for the sifive_e machine
is unchanged.

A user can change the default CPU type by specifying it with the '-cpu'
option on the command line.

Corey Wharton (2):
  riscv: sifive_e: Support changing CPU type
  target/riscv: Add a sifive-e34 cpu type

 hw/riscv/sifive_e.c |  3 ++-
 target/riscv/cpu.c  | 10 ++
 target/riscv/cpu.h  |  1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

-- 
2.21.1




Re: [PATCH v5 00/60] target/riscv: support vector extension v0.7.1

2020-03-12 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20200312145900.2054-1-zhiwei_...@c-sky.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v5 00/60] target/riscv: support vector extension v0.7.1
Message-id: 20200312145900.2054-1-zhiwei_...@c-sky.com
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Switched to a new branch 'test'
375b545 target/riscv: configure and turn on vector extension from command line
1b21cbe target/riscv: vector compress instruction
f991525 target/riscv: vector register gather instruction
1e14e32 target/riscv: vector slide instructions
39f1497 target/riscv: floating-point scalar move instructions
2e66424 target/riscv: integer scalar move instruction
72404d7 target/riscv: integer extract instruction
3e441a9 target/riscv: vector element index instruction
0e8d18f target/riscv: vector iota instruction
5941891 target/riscv: set-X-first mask bit
1403c7e target/riscv: vmfirst find-first-set mask bit
3eba22e target/riscv: vector mask population count vmpopc
10809a8 target/riscv: vector mask-register logical instructions
b279b81 target/riscv: vector widening floating-point reduction instructions
6b1e85b target/riscv: vector single-width floating-point reduction instructions
ae44adc target/riscv: vector wideing integer reduction instructions
2f73f58 target/riscv: vector single-width integer reduction instructions
4ddb4e3 target/riscv: narrowing floating-point/integer type-convert instructions
ec3b1de target/riscv: widening floating-point/integer type-convert instructions
fc9abf9 target/riscv: vector floating-point/integer type-convert instructions
b3ae6d1 target/riscv: vector floating-point merge instructions
cb59558 target/riscv: vector floating-point classify instructions
1aa8c5b target/riscv: vector floating-point compare instructions
4b71902 target/riscv: vector floating-point sign-injection instructions
9a4bcd8 target/riscv: vector floating-point min/max instructions
8cefa5a target/riscv: vector floating-point square-root instruction
1dca724 target/riscv: vector widening floating-point fused multiply-add 
instructions
d730445 target/riscv: vector single-width floating-point fused multiply-add 
instructions
59e9d00 target/riscv: vector widening floating-point multiply
7728ab1 target/riscv: vector single-width floating-point multiply/divide 
instructions
db7a3eb target/riscv: vector widening floating-point add/subtract instructions
b74ee11 target/riscv: vector single-width floating-point add/subtract 
instructions
a6aed98 target/riscv: vector narrowing fixed-point clip instructions
41bff4f target/riscv: vector single-width scaling shift instructions
4e0735b target/riscv: vector widening saturating scaled multiply-add
7175350 target/riscv: vector single-width fractional multiply with rounding and 
saturation
866ade9 target/riscv: vector single-width averaging add and subtract
a10f893 target/riscv: vector single-width saturating add and subtract
b1968d2 target/riscv: vector integer merge and move instructions
b9a7f44 target/riscv: vector widening integer multiply-add instructions
9a490e5 target/riscv: vector single-width integer multiply-add instructions
24d1513 target/riscv: vector widening integer multiply instructions
4080b57 target/riscv: vector integer divide instructions
aafca3f target/riscv: vector single-width integer multiply instructions
386c472 target/riscv: vector integer min/max instructions
9586428 target/riscv: vector integer comparison instructions
615ad80 target/riscv: vector narrowing integer right shift instructions
2eb1e18 target/riscv: vector single-width bit shift instructions
047a1fa target/riscv: vector bitwise logical instructions
b403895 target/riscv: vector integer add-with-carry / subtract-with-borrow 
instructions
8f2bc0b target/riscv: vector widening integer add and subtract
8f204ca target/riscv: vector single-width integer add and subtract
d5f58d7 target/riscv: add vector amo operations
29a0e0d target/riscv: add fault-only-first unit stride load
8166bfc target/riscv: add vector index load and store instructions
72f9f39 target/riscv: add vector stride load and store instructions
392ca2c target/riscv: add vector configure instruction
472b5e6 target/riscv: support vector extension csr
d172c56 target/riscv: implementation-defined constant parameters
73ee7eb target/riscv: add vector extension field in CPURISCVState

=== OUTPUT BEGIN ===
1/60 Checking commit 73ee7eb553fc (target/riscv: add vector extension field in 
CPURISCVState)
2/60 Checking commit d172c5624ac8 (target/riscv: implementation-defined 
constant parameters)
3/60 Checking commit 472b5e62cd77 (target/riscv: support vector extension csr)
4/60 Checking commit 392ca2c42910 (target/riscv: add vector configure 
instruction

[PATCH] linux-user: Update TASK_UNMAPPED_BASE for aarch64

2020-03-12 Thread Lirong Yuan
This change updates TASK_UNMAPPED_BASE (the base address for guest programs) 
for aarch64. It is needed to allow qemu to work with Thread Sanitizer (TSan), 
which has specific boundary definitions for memory mappings on different 
platforms:
https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/tsan/rtl/tsan_platform.h

Signed-off-by: Lirong Yuan 
---
 linux-user/mmap.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 8685f02e7e..e378033797 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -184,7 +184,11 @@ static int mmap_frag(abi_ulong real_start,
 }
 
 #if HOST_LONG_BITS == 64 && TARGET_ABI_BITS == 64
+#ifdef TARGET_AARCH64
+# define TASK_UNMAPPED_BASE  0x55
+#else
 # define TASK_UNMAPPED_BASE  (1ul << 38)
+#endif
 #else
 # define TASK_UNMAPPED_BASE  0x4000
 #endif
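Review bot: The TARGET_AARCH64 branch defines TASK_UNMAPPED_BASE as a bare literal with no comment, while the commit message says the value is chosen to fit TSan's mapping ranges. Add a comment naming the tsan_platform.h range the base is meant to fall in. The #ifdef also changes the base for every aarch64 guest on a 64-bit host, not only TSan-instrumented ones, so the commit message should say why that is acceptable.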
-- 
2.25.1.481.gfbce0eb801-goog




Re: [PATCH v10 02/10] qemu-binfmt-conf.sh: enforce safe tests

2020-03-12 Thread Unai Martinez Corral
Laurent, as Eric explained, this commit (as well as the homogenisation of
spacing) are fixes to pre-existing issues in the script, in order to better
match other bash sources in the codebase. It would be possible to pick 1/10
and 2/10 as a separate patchset.

On Tue, 10 Mar 2020 at 12:47, Eric Blake wrote:

> On 3/10/20 3:28 AM, Laurent Vivier wrote:
> > On 09/03/2020 at 20:19, Unai Martinez-Corral wrote:
> >> All the tests are prefixed with 'x', in order to avoid risky comparisons
> >> (i.e. a user deliberately trying to provoke a syntax error).
> >
> > With the quotes I don't see how we can provoke a syntax error.
> > Could you provide an example?
>
> Historically, in some shells:
>
> foo=\(
> bar=\)
> if [ "$foo" = "$bar" ]; then echo hello world; fi
>
> could output 'hello world' (by parsing a parenthesized one-argument
> test, and the string '=' is non-empty), but:
>
> if [ "x$foo" = "x$bar" ]; then echo goodbye; fi
>
> did not (since no operator begins with 'x', you have guaranteed the
> syntax that [ will parse).  Similarly, if foo=! or foo=-a, you could get
> syntax errors (if [ tried to treat the expansion of $foo as an operator
> and got thrown off by the remaining arguments not matching an expected
> pattern).
>
> These days, POSIX says that with three arguments when the 2nd is a
> binary operator, there is no ambiguity (the binary operator takes
> precedence over the ( and ) around the non-empty string test), and
> modern bash obeys the POSIX rule without needing the x prefix.  But it
> is still better to prefix with x for copy-paste portability to older
> shells that do not match current POSIX rules.
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.   +1-919-301-3226
> Virtualization:  qemu.org | libvirt.org
>
>
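
The comparison Eric Blake describes, as an added example that is not part of the thread or of qemu-binfmt-conf.sh: `str_eq` applies the x-prefix idiom, and `count_disagreements` (a hypothetical helper, like the constructed operand list) reports how many operator-lookalike operand pairs the running shell evaluates differently with the bare quoted form. A POSIX-conforming shell prints 0.

```shell
#!/bin/sh
# Added example, not code from qemu-binfmt-conf.sh.

# Compare two strings with the x-prefix idiom: no operand can start with
# '(', '!' or '-', so [ always sees "word = word" and never an operator.
str_eq() {
    [ "x$1" = "x$2" ]
}

# Constructed operands that look like test(1) syntax: grouping, negation,
# binary and unary primaries. The empty string is added in the loops below.
tricky_values='( ) ! -a -o = -n -z -f'

# Print the number of operand pairs for which the bare quoted comparison
# returns a different status (including a syntax-error status) than the
# x-prefixed comparison in the shell that is running this script.
count_disagreements() {
    bad=0
    for a in $tricky_values ''; do
        for b in $tricky_values ''; do
            if str_eq "$a" "$b"; then want=0; else want=1; fi
            got=0
            [ "$a" = "$b" ] 2>/dev/null || got=$?
            [ "$got" -eq "$want" ] || bad=$((bad + 1))
        done
    done
    echo "$bad"
}

count_disagreements
```

A non-zero count means the shell still has the historical parsing behaviour, and unprefixed tests on user-controlled values are not safe there.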


Re: [PATCH v3 12/16] hw/i386/vmport: Add support for CMD_GET_VCPU_INFO

2020-03-12 Thread Liran Alon



On 13/03/2020 2:09, Michael S. Tsirkin wrote:

On Thu, Mar 12, 2020 at 06:54:27PM +0200, Liran Alon wrote:

Command currently returns that it is unimplemented by setting
the reserved-bit in its return value.

Following patches will return various useful vCPU information
to guest.

Reviewed-by: Nikita Leshenko 
Signed-off-by: Liran Alon 
---
  hw/i386/vmport.c | 14 ++
  include/hw/i386/vmport.h |  1 +
  2 files changed, 15 insertions(+)

diff --git a/hw/i386/vmport.c b/hw/i386/vmport.c
index 7e57eda4b526..2ce78aaf7b4c 100644
--- a/hw/i386/vmport.c
+++ b/hw/i386/vmport.c
@@ -55,6 +55,13 @@
  #define VMPORT_COMPAT_CMDS_V2   \
  (1 << VMPORT_COMPAT_CMDS_V2_BIT)
  
+/* vCPU features reported by CMD_GET_VCPU_INFO */

+#define VCPU_INFO_SLC64_BIT 0
+#define VCPU_INFO_SYNC_VTSCS_BIT1
+#define VCPU_INFO_HV_REPLAY_OK_BIT  2
+#define VCPU_INFO_LEGACY_X2APIC_BIT 3
+#define VCPU_INFO_RESERVED_BIT  31
+
  #define VMPORT(obj) OBJECT_CHECK(VMPortState, (obj), TYPE_VMPORT)
  
  typedef struct VMPortState {


Prefix with VMPORT_ please, and add comments.

Ok regarding prefix.
Which comments do you expect? What every flag means? Sure.

-Liran





Re: [PATCH v10 04/10] qemu-binfmt-conf.sh: add QEMU_CREDENTIAL and QEMU_PERSISTENT

2020-03-12 Thread Unai Martinez Corral
2020/03/10 9:20, Laurent Vivier:

> If variables are set to 'yes', how do you force the value to no with the
> command line?
>

I believe you cannot. Do you mean the explanation should be reworded? Or
that the feature should be implemented?


> Please, refresh my memory, why do we need these variables?
> Do you have a use case?
>

See
https://patchew.org/QEMU/20190306031221.GA53@03612eec87fc/20190306044620.GC75@03612eec87fc/
I copy the relevant explanation below:

> The main use case is to provide defaults when this script is included
> in a docker container. There are three actors involved:
>
> - Developers of QEMU providing some defaults in the script.
> - Developer of a docker image including the script from upstream but
> changing some defaults by setting envvars inside the container.
> - User of the container that might want to override the settings
> either by setting the envvars or through the command line.
>
> If the entrypoint to the docker image is any script that executes
> qemu-binfmt-conf.sh at some point, the user cannot provide options
> through the command line. Envvars allow to do so, without requiring
> the user to customize the docker image.


Re: [PATCH v3 12/16] hw/i386/vmport: Add support for CMD_GET_VCPU_INFO

2020-03-12 Thread Michael S. Tsirkin
On Thu, Mar 12, 2020 at 06:54:27PM +0200, Liran Alon wrote:
> Command currently returns that it is unimplemented by setting
> the reserved-bit in its return value.
> 
> Following patches will return various useful vCPU information
> to guest.
> 
> Reviewed-by: Nikita Leshenko 
> Signed-off-by: Liran Alon 
> ---
>  hw/i386/vmport.c | 14 ++
>  include/hw/i386/vmport.h |  1 +
>  2 files changed, 15 insertions(+)
> 
> diff --git a/hw/i386/vmport.c b/hw/i386/vmport.c
> index 7e57eda4b526..2ce78aaf7b4c 100644
> --- a/hw/i386/vmport.c
> +++ b/hw/i386/vmport.c
> @@ -55,6 +55,13 @@
>  #define VMPORT_COMPAT_CMDS_V2   \
>  (1 << VMPORT_COMPAT_CMDS_V2_BIT)
>  
> +/* vCPU features reported by CMD_GET_VCPU_INFO */
> +#define VCPU_INFO_SLC64_BIT 0
> +#define VCPU_INFO_SYNC_VTSCS_BIT1
> +#define VCPU_INFO_HV_REPLAY_OK_BIT  2
> +#define VCPU_INFO_LEGACY_X2APIC_BIT 3
> +#define VCPU_INFO_RESERVED_BIT  31
> +
>  #define VMPORT(obj) OBJECT_CHECK(VMPortState, (obj), TYPE_VMPORT)
>  
>  typedef struct VMPortState {


Prefix with VMPORT_ please, and add comments.


> @@ -199,6 +206,11 @@ static uint32_t vmport_cmd_time_full(void *opaque, 
> uint32_t addr)
>  return VMPORT_MAGIC;
>  }
>  
> +static uint32_t vmport_cmd_get_vcpu_info(void *opaque, uint32_t addr)
> +{
> +return 1 << VCPU_INFO_RESERVED_BIT;
> +}
> +
>  /* vmmouse helpers */
>  void vmmouse_get_data(uint32_t *data)
>  {
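Review bot: In vmport_cmd_get_vcpu_info(), `1 << VCPU_INFO_RESERVED_BIT` shifts a signed int by 31, which overflows int before the result is converted to the uint32_t return type. Use an unsigned constant, for example `1u << VCPU_INFO_RESERVED_BIT`.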
> @@ -247,6 +259,8 @@ static void vmport_realizefn(DeviceState *dev, Error 
> **errp)
>  vmport_register(VMPORT_CMD_GETBIOSUUID, vmport_cmd_get_bios_uuid, 
> NULL);
>  vmport_register(VMPORT_CMD_GETTIME, vmport_cmd_time, NULL);
>  vmport_register(VMPORT_CMD_GETTIMEFULL, vmport_cmd_time_full, NULL);
> +vmport_register(VMPORT_CMD_GET_VCPU_INFO, vmport_cmd_get_vcpu_info,
> +NULL);
>  }
>  }
>  
> diff --git a/include/hw/i386/vmport.h b/include/hw/i386/vmport.h
> index 5d19963ed417..34cc050b1ffa 100644
> --- a/include/hw/i386/vmport.h
> +++ b/include/hw/i386/vmport.h
> @@ -13,6 +13,7 @@ typedef enum {
>  VMPORT_CMD_VMMOUSE_STATUS   = 40,
>  VMPORT_CMD_VMMOUSE_COMMAND  = 41,
>  VMPORT_CMD_GETTIMEFULL  = 46,
> +VMPORT_CMD_GET_VCPU_INFO= 68,
>  VMPORT_ENTRIES
>  } VMPortCommand;
>  
> -- 
> 2.20.1




Re: [PATCH v3 11/16] hw/i386/vmport: Add support for CMD_GETTIMEFULL

2020-03-12 Thread Michael S. Tsirkin
On Thu, Mar 12, 2020 at 06:54:26PM +0200, Liran Alon wrote:
> Similar to CMD_GETTIME but lacks the 136-year overflow issue,
> by returning full 64-bit of host uSeconds.
> 
> Reviewed-by: Nikita Leshenko 
> Signed-off-by: Liran Alon 
> ---
>  hw/i386/vmport.c | 17 +
>  include/hw/i386/vmport.h |  1 +
>  2 files changed, 18 insertions(+)
> 
> diff --git a/hw/i386/vmport.c b/hw/i386/vmport.c
> index c5b659c59343..7e57eda4b526 100644
> --- a/hw/i386/vmport.c
> +++ b/hw/i386/vmport.c
> @@ -183,6 +183,22 @@ static uint32_t vmport_cmd_time(void *opaque, uint32_t 
> addr)
>  return (uint32_t)tv.tv_sec;
>  }
>  
> +static uint32_t vmport_cmd_time_full(void *opaque, uint32_t addr)
> +{
> +X86CPU *cpu = X86_CPU(current_cpu);
> +qemu_timeval tv;
> +
> +if (qemu_gettimeofday(&tv) < 0) {
> +return UINT32_MAX;
> +}
> +
> +cpu->env.regs[R_ESI] = (uint32_t)((uint64_t)tv.tv_sec >> 32);
> +cpu->env.regs[R_EDX] = (uint32_t)tv.tv_sec;
> +cpu->env.regs[R_EBX] = (uint32_t)tv.tv_usec;
> +cpu->env.regs[R_ECX] = port_state->max_time_lag_us;
> +return VMPORT_MAGIC;
> +}
> +
>  /* vmmouse helpers */
>  void vmmouse_get_data(uint32_t *data)
>  {
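Review bot: vmport_cmd_time_full() ignores its opaque argument and reads max_time_lag_us through port_state, a pointer that is not local to the function, and the handler is registered with NULL as opaque. Registering it with the VMPortState pointer and using opaque in the handler would remove the dependency on the global. The new function also repeats the gettimeofday and EBX/ECX setup of vmport_cmd_time(); a shared helper would keep the two commands in step.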

And with usec precision, same comments apply in an even stronger way.


> @@ -230,6 +246,7 @@ static void vmport_realizefn(DeviceState *dev, Error 
> **errp)
>  if (s->compat_flags & VMPORT_COMPAT_CMDS_V2) {
>  vmport_register(VMPORT_CMD_GETBIOSUUID, vmport_cmd_get_bios_uuid, 
> NULL);
>  vmport_register(VMPORT_CMD_GETTIME, vmport_cmd_time, NULL);
> +vmport_register(VMPORT_CMD_GETTIMEFULL, vmport_cmd_time_full, NULL);
>  }
>  }
>  
> diff --git a/include/hw/i386/vmport.h b/include/hw/i386/vmport.h
> index 50416c8c8f3e..5d19963ed417 100644
> --- a/include/hw/i386/vmport.h
> +++ b/include/hw/i386/vmport.h
> @@ -12,6 +12,7 @@ typedef enum {
>  VMPORT_CMD_VMMOUSE_DATA = 39,
>  VMPORT_CMD_VMMOUSE_STATUS   = 40,
>  VMPORT_CMD_VMMOUSE_COMMAND  = 41,
> +VMPORT_CMD_GETTIMEFULL  = 46,
>  VMPORT_ENTRIES
>  } VMPortCommand;
>  
> -- 
> 2.20.1




Re: [PATCH v3 10/16] hw/i386/vmport: Add support for CMD_GETTIME

2020-03-12 Thread Michael S. Tsirkin
On Thu, Mar 12, 2020 at 06:54:25PM +0200, Liran Alon wrote:
> This command is used by guest to gettimeofday() from host.
> See usage example in open-vm-tools TimeSyncReadHost() function.
> 
> Reviewed-by: Nikita Leshenko 
> Signed-off-by: Liran Alon 
> ---
>  hw/i386/vmport.c | 21 +
>  include/hw/i386/vmport.h |  1 +
>  2 files changed, 22 insertions(+)
> 
> diff --git a/hw/i386/vmport.c b/hw/i386/vmport.c
> index 3fb8a8bd458a..c5b659c59343 100644
> --- a/hw/i386/vmport.c
> +++ b/hw/i386/vmport.c
> @@ -66,6 +66,7 @@ typedef struct VMPortState {
>  
>  uint32_t vmware_vmx_version;
>  uint8_t vmware_vmx_type;
> +uint32_t max_time_lag_us;
>  
>  uint32_t compat_flags;
>  } VMPortState;
> @@ -168,6 +169,20 @@ static uint32_t vmport_cmd_ram_size(void *opaque, 
> uint32_t addr)
>  return ram_size;
>  }
>  
> +static uint32_t vmport_cmd_time(void *opaque, uint32_t addr)
> +{
> +X86CPU *cpu = X86_CPU(current_cpu);
> +qemu_timeval tv;
> +
> +if (qemu_gettimeofday(&tv) < 0) {
> +return UINT32_MAX;
> +}
> +
> +cpu->env.regs[R_EBX] = (uint32_t)tv.tv_usec;
> +cpu->env.regs[R_ECX] = port_state->max_time_lag_us;
> +return (uint32_t)tv.tv_sec;
> +}
> +
>  /* vmmouse helpers */
>  void vmmouse_get_data(uint32_t *data)
>  {
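Review bot: On qemu_gettimeofday() failure, vmport_cmd_time() returns UINT32_MAX in the same value that carries tv_sec on success, so the guest cannot tell the error from a timestamp, and EBX/ECX are left unset on that path. Add a comment stating the error convention the guest side expects for this command and what the registers hold when it fails.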

That's a very weird thing to return to the guest.
For example it's not monotonic across migrations.
And what does max_time_lag_us refer to, anyway?


So please add documentation about what this does.
If there's no document to refer to then pls write
code comments or a document under docs/ - this does not
belong in commit log.



> @@ -214,6 +229,7 @@ static void vmport_realizefn(DeviceState *dev, Error 
> **errp)
>  vmport_register(VMPORT_CMD_GETRAMSIZE, vmport_cmd_ram_size, NULL);
>  if (s->compat_flags & VMPORT_COMPAT_CMDS_V2) {
>  vmport_register(VMPORT_CMD_GETBIOSUUID, vmport_cmd_get_bios_uuid, 
> NULL);
> +vmport_register(VMPORT_CMD_GETTIME, vmport_cmd_time, NULL);
>  }
>  }
>  
> @@ -249,6 +265,11 @@ static Property vmport_properties[] = {
>   * 5 - ACE 1.x (Deprecated)
>   */
>  DEFINE_PROP_UINT8("vmware-vmx-type", VMPortState, vmware_vmx_type, 2),
> +/*
> + * Max amount of time lag that can go uncorrected.

What does uncorrected mean?

> + * Value taken from VMware Workstation 5.5.


How do we know this makes sense for KVM? That has significantly
different runtime characteristics.


Also, the version returns ESX server, why does it make
sense to take some values from workstation?

> + **/
> +DEFINE_PROP_UINT32("max-time-lag", VMPortState, max_time_lag_us, 
> 100),
>  
>  DEFINE_PROP_END_OF_LIST(),
>  };
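Review bot: The property is named "max-time-lag" while the field it sets is max_time_lag_us, so the unit is invisible to anyone setting it on the command line; put the unit in the property name or at least in the comment above it. The added comment block also ends with `**/` rather than ` */`.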
> diff --git a/include/hw/i386/vmport.h b/include/hw/i386/vmport.h
> index 7f33512ca6f0..50416c8c8f3e 100644
> --- a/include/hw/i386/vmport.h
> +++ b/include/hw/i386/vmport.h
> @@ -8,6 +8,7 @@ typedef enum {
>  VMPORT_CMD_GETVERSION   = 10,
>  VMPORT_CMD_GETBIOSUUID  = 19,
>  VMPORT_CMD_GETRAMSIZE   = 20,
> +VMPORT_CMD_GETTIME  = 23,
>  VMPORT_CMD_VMMOUSE_DATA = 39,
>  VMPORT_CMD_VMMOUSE_STATUS   = 40,
>  VMPORT_CMD_VMMOUSE_COMMAND  = 41,
> -- 
> 2.20.1




Re: [PATCH] block/io: fix bdrv_co_do_copy_on_readv

2020-03-12 Thread John Snow



On 3/12/20 4:19 AM, Vladimir Sementsov-Ogievskiy wrote:
> Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up
> buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end
> anyway.
> 
> But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on
> part of original qiov, defined by qiov_offset and bytes. So we must not
> touch qiov behind qiov_offset+bytes bound. Fix it.
> 

For the purposes of the stable branch commit log, how does the bug
manifest? Are there known cases? What's the impact?

(Do we have tests?)

> Cc: qemu-sta...@nongnu.org # v4.2
> Fixes: 1143ec5ebf4
> Signed-off-by: Vladimir Sementsov-Ogievskiy 
> ---
>  block/io.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/io.c b/block/io.c
> index 7e4cb74cf4..aba67f66b9 100644
> --- a/block/io.c
> +++ b/block/io.c
> @@ -1399,7 +1399,7 @@ static int coroutine_fn 
> bdrv_co_do_copy_on_readv(BdrvChild *child,
>  if (!(flags & BDRV_REQ_PREFETCH)) {
>  qemu_iovec_from_buf(qiov, qiov_offset + progress,
>  bounce_buffer + skip_bytes,
> -pnum - skip_bytes);
> +MIN(pnum - skip_bytes, bytes - 
> progress));
>  }
>  } else if (!(flags & BDRV_REQ_PREFETCH)) {
>  /* Read directly into the destination */
> 
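Review bot: The clamp to bytes - progress in the qemu_iovec_from_buf() call has no comment, and the reason is not obvious from the code alone: the bounce buffer covers the aligned-up range, so pnum - skip_bytes can reach past qiov_offset + bytes. A one-line comment at the call saying so would keep the bound from being simplified away later, and a regression test for a request that ends inside the aligned-up range would pin the behaviour.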
Even if I don't understand the bug, the tighter bound seems provably
correct anyway, so...

Reviewed-by: John Snow 




Re: Questions about pollute the mail list archives

2020-03-12 Thread LIU Zhiwei




On 2020/3/11 11:46, Richard Henderson wrote:
> On 3/10/20 7:19 PM, LIU Zhiwei wrote:
> > Is it serious?
>
> It isn't ideal.  I would eventually try to review via your branch, and find a
> copy of the patch to reply, or send a reply to the cover letter if no copy of
> the patch arrived.
>
> > Is there any way to clear it in the mail list archives?
>
> No.
>
> > Can I send it again to the mail list?
>
> Yes.
>
> To avoid confusion I would label it v4, even if there are no changes since v3.
>
> I would recommend using the --batch-size and --relogin-delay options to
> git-send-email.  I don't know exactly what parameters you need, but choosing
> small batches and long-ish delays should mean that the whole patch set trickles
> out over the course of an hour or two.  Patience is something that computers
> are good at.  :-)

Hi Richard,

Thanks very much.
The two parameters really work. After setting --batch-size to 1 and
--relogin-delay to 120, I sent the complete 60 patches (two hours).

Now I label it with v5, as v4 also failed to be complete.

Besides, I fixed up a bug in v5, so it can boot Linux patches now.

Best Regards,
Zhiwei

> r~





Re: [PATCH v2 1/2] iotests: Refactor blockdev-reopen test for iothreads

2020-03-12 Thread John Snow



On 3/6/20 9:14 AM, Kevin Wolf wrote:
> We'll want to test more than one successful case in the future, so
> prepare the test for that by a refactoring that runs each scenario in a
> separate VM.
> 
> test_iothreads_switch_{backing,overlay} currently produce errors, but
> these are cases that should actually work, by switching either the
> backing file node or the overlay node to the AioContext of the other
> node.
> 
> Signed-off-by: Kevin Wolf 
> Tested-by: Peter Krempa 

Reviewed-by: John Snow 

> ---
>  tests/qemu-iotests/245 | 47 ++
>  tests/qemu-iotests/245.out |  4 ++--
>  2 files changed, 39 insertions(+), 12 deletions(-)
> 
> diff --git a/tests/qemu-iotests/245 b/tests/qemu-iotests/245
> index 489bf78bd0..7d9eb6285c 100755
> --- a/tests/qemu-iotests/245
> +++ b/tests/qemu-iotests/245
> @@ -970,8 +970,7 @@ class TestBlockdevReopen(iotests.QMPTestCase):
>  self.assertEqual(self.get_node('hd1'), None)
>  self.assert_qmp(self.get_node('hd2'), 'ro', True)
>  
> -# We don't allow setting a backing file that uses a different AioContext
> -def test_iothreads(self):
> +def run_test_iothreads(self, iothread_a, iothread_b, errmsg = None):
>  opts = hd_opts(0)
>  result = self.vm.qmp('blockdev-add', conv_keys = False, **opts)
>  self.assert_qmp(result, 'return', {})
> @@ -986,20 +985,48 @@ class TestBlockdevReopen(iotests.QMPTestCase):
>  result = self.vm.qmp('object-add', qom_type='iothread', 
> id='iothread1')
>  self.assert_qmp(result, 'return', {})
>  
> -result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd0', 
> iothread='iothread0')
> +result = self.vm.qmp('device_add', driver='virtio-scsi', id='scsi0',
> + iothread=iothread_a)
>  self.assert_qmp(result, 'return', {})
>  
> -self.reopen(opts, {'backing': 'hd2'}, "Cannot use a new backing file 
> with a different AioContext")
> -
> -result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd2', 
> iothread='iothread1')
> +result = self.vm.qmp('device_add', driver='virtio-scsi', id='scsi1',
> + iothread=iothread_b)
>  self.assert_qmp(result, 'return', {})
>  
> -self.reopen(opts, {'backing': 'hd2'}, "Cannot use a new backing file 
> with a different AioContext")
> +if iothread_a:
> +result = self.vm.qmp('device_add', driver='scsi-hd', drive='hd0',
> + share_rw=True, bus="scsi0.0")
> +self.assert_qmp(result, 'return', {})
>  
> -result = self.vm.qmp('x-blockdev-set-iothread', node_name='hd2', 
> iothread='iothread0')
> -self.assert_qmp(result, 'return', {})
> +if iothread_b:
> +result = self.vm.qmp('device_add', driver='scsi-hd', drive='hd2',
> + share_rw=True, bus="scsi1.0")
> +self.assert_qmp(result, 'return', {})
>  
> -self.reopen(opts, {'backing': 'hd2'})
> +# Attaching the backing file may or may not work
> +self.reopen(opts, {'backing': 'hd2'}, errmsg)
> +
> +# But removing the backing file should always work
> +self.reopen(opts, {'backing': None})
> +
> +self.vm.shutdown()
> +
> +# We don't allow setting a backing file that uses a different AioContext 
> if
> +# neither of them can switch to the other AioContext
> +def test_iothreads_error(self):
> +self.run_test_iothreads('iothread0', 'iothread1',
> +"Cannot use a new backing file with a 
> different AioContext")
> +
> +def test_iothreads_compatible_users(self):
> +self.run_test_iothreads('iothread0', 'iothread0')
> +
> +def test_iothreads_switch_backing(self):
> +self.run_test_iothreads('iothread0', None,
> +"Cannot use a new backing file with a 
> different AioContext")
> +
> +def test_iothreads_switch_overlay(self):
> +self.run_test_iothreads(None, 'iothread0',
> +"Cannot use a new backing file with a 
> different AioContext")
>  
>  if __name__ == '__main__':
>  iotests.main(supported_fmts=["qcow2"],
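Review bot: test_iothreads_switch_backing and test_iothreads_switch_overlay assert the "Cannot use a new backing file with a different AioContext" error, but the commit message says these cases should actually work. Put a comment above the two tests saying that the expected error is the current behaviour and is due to change, so a reader of the test file alone does not take it for the intended result.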
> diff --git a/tests/qemu-iotests/245.out b/tests/qemu-iotests/245.out
> index a19de5214d..682b93394d 100644
> --- a/tests/qemu-iotests/245.out
> +++ b/tests/qemu-iotests/245.out
> @@ -1,6 +1,6 @@
> -..
> +.
>  --
> -Ran 18 tests
> +Ran 21 tests
>  
>  OK
>  {"execute": "job-finalize", "arguments": {"id": "commit0"}}
> 

-- 
—js




Re: [PATCH] linux-user: Add an argument QEMU_MMAP_BASE to set custom mmap base address in qemu user mode

2020-03-12 Thread Lirong Yuan
On Thu, Mar 12, 2020 at 1:42 AM Laurent Vivier wrote:

> On 09/03/2020 at 19:07, Lirong Yuan wrote:
> >
> > On Mon, Mar 2, 2020 at 11:51 AM Lirong Yuan wrote:
> >
> > On Mon, Mar 2, 2020 at 10:39 AM Laurent Vivier wrote:
> > >
> > > On 02/03/2020 at 18:53, Lirong Yuan wrote:
> > > > On Mon, Mar 2, 2020 at 6:56 AM Laurent Vivier wrote:
> > > >>
> > > >> On 29/02/2020 at 01:43, Lirong Yuan wrote:
> > > >>> On Fri, Feb 21, 2020 at 5:09 PM Lirong Yuan wrote:
> > > 
> > >  This change allows us to set custom base address for guest
> > programs. It is needed to allow qemu to work with Thread Sanitizer
> > (TSan), which has specific boundary definitions for memory mappings
> > on different platforms:
> > > 
> >
> https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/tsan/rtl/tsan_platform.h
> > > >>
> > > >> Could you give more details and some examples?
> > > >>
> > > >> Thanks,
> > > >> Laurent
> > > >>
> > >  Signed-off-by: Lirong Yuan
> > >  ---
> > >   linux-user/main.c | 12 
> > >   linux-user/mmap.c |  3 ++-
> > >   linux-user/qemu.h |  5 +
> > >   3 files changed, 19 insertions(+), 1 deletion(-)
> > > 
> > >  diff --git a/linux-user/main.c b/linux-user/main.c
> > >  index fba833aac9..c01af6bfee 100644
> > >  --- a/linux-user/main.c
> > >  +++ b/linux-user/main.c
> > >  @@ -336,6 +336,16 @@ static void handle_arg_guest_base(const
> > char *arg)
> > >   have_guest_base = 1;
> > >   }
> > > 
> > >  +static void handle_arg_mmap_base(const char *arg)
> > >  +{
> > >  +int err = qemu_strtoul(arg, NULL, 0, &mmap_base);
> > >  +if (err) {
> > >  +fprintf(stderr, "Invalid mmap_base: %s, err: %d\n",
> > arg, err);
> > >  +exit(EXIT_FAILURE);
> > >  +}
> > >  +mmap_next_start = mmap_base;
> > >  +}
> > >  +
> > >   static void handle_arg_reserved_va(const char *arg)
> > >   {
> > >   char *p;
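
Review bot: in handle_arg_mmap_base, `qemu_strtoul(arg, NULL, 0, &mmap_base)` passes the address of an `abi_ulong` (declared in the mmap.c hunk of this patch) where qemu_strtoul() expects an `unsigned long *`; with a 32-bit target ABI on a 64-bit host the two differ in size. Parse into a local `unsigned long`, check that the value fits the guest address width, then assign it. Nothing here checks page alignment either, so consider rejecting or rounding an unaligned value before it is stored in mmap_next_start.
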
> > >  @@ -440,6 +450,8 @@ static const struct qemu_argument
> > arg_table[] = {
> > >    "uname",  "set qemu uname release string to
> 'uname'"},
> > >   {"B",  "QEMU_GUEST_BASE",  true,
> > handle_arg_guest_base,
> > >    "address","set guest_base address to 'address'"},
> > >  +{"mmap_base",  "QEMU_MMAP_BASE",   true,
> > handle_arg_mmap_base,
> > >  + "",   "begin allocating guest pages at this
> > host address"},
> > >   {"R",  "QEMU_RESERVED_VA", true,
> > handle_arg_reserved_va,
> > >    "size",   "reserve 'size' bytes for guest virtual
> > address space"},
> > >   {"d",  "QEMU_LOG", true,  handle_arg_log,
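
Review bot: the new arg_table entry leaves the argument-name field as "" while the neighbouring entries use "address" and "size", so the usage text will show no operand for -mmap_base; use "address". The help string also says "host address", whereas the comment this patch adds in qemu.h describes mmap_base as a "(guest) address"; pick one and make the two agree.
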
> > >  diff --git a/linux-user/mmap.c b/linux-user/mmap.c
> > >  index 8685f02e7e..3f35543acf 100644
> > >  --- a/linux-user/mmap.c
> > >  +++ b/linux-user/mmap.c
> > >  @@ -189,6 +189,7 @@ static int mmap_frag(abi_ulong real_start,
> > >   # define TASK_UNMAPPED_BASE  0x4000
> > >   #endif
> > >   abi_ulong mmap_next_start = TASK_UNMAPPED_BASE;
> > >  +abi_ulong mmap_base = TASK_UNMAPPED_BASE;
> > > 
> > >   unsigned long last_brk;
> > > 
> > >  @@ -299,7 +300,7 @@ abi_ulong mmap_find_vma(abi_ulong start,
> > abi_ulong size, abi_ulong align)
> > > 
> > >   if ((addr & (align - 1)) == 0) {
> > >   /* Success.  */
> > >  -if (start == mmap_next_start && addr >=
> > TASK_UNMAPPED_BASE) {
> > >  +if (start == mmap_next_start && addr >=
> > mmap_base) {
> > >   mmap_next_start = addr + size;
> > >   }
> > >   return addr;
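
Review bot: in mmap_find_vma, the `addr >= mmap_base` test only decides whether mmap_next_start is advanced; `return addr;` still hands back an address below mmap_base. That does not match the qemu.h comment in this patch ("All guest pages will be allocated at this (guest) address or higher addresses"). Either enforce the lower bound in the search or reword the comment to say mmap_base is only the starting hint.
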
> > >  diff --git a/linux-user/qemu.h b/linux-user/qemu.h
> > >  index 560a68090e..83c00cfea2 100644
> > >  --- a/linux-user/qemu.h
> > >  +++ b/linux-user/qemu.h
> > >  @@ -161,6 +161,11 @@ void task_settid(TaskState *);
> > >   void stop_all_tasks(void);
> > >   extern const char *qemu_uname_release;
> > >   extern unsigned long mmap_min_addr;
> > >  +/*
> > >  + * mmap_base is minimum address to use when allocating guest
> > pages. All guest
> > >  + * pages will be allocated at this (guest) address or higher
> > addresses.
> > >  + */
> > >  +extern abi_ulong mmap_base;

[PATCH v7 2/4] linux-user/syscall: Add support for clock_gettime64/clock_settime64

2020-03-12 Thread Alistair Francis
Add support for the clock_gettime64/clock_settime64 syscalls.

If your host is 64-bit or is 32-bit with the *_time64 syscall then the
timespec will correctly be a 64-bit time_t. Otherwise the host will
return a 32-bit time_t which will be rounded to 64-bits. This will be
incorrect after y2038.

Signed-off-by: Alistair Francis 
Reviewed-by: Laurent Vivier 
---
 linux-user/syscall.c | 39 +++
 1 file changed, 39 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 909bec94a5..60fd775d9c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1229,6 +1229,22 @@ static inline abi_long target_to_host_timespec(struct 
timespec *host_ts,
 }
 #endif
 
+#if defined(TARGET_NR_clock_settime64)
+static inline abi_long target_to_host_timespec64(struct timespec *host_ts,
+ abi_ulong target_addr)
+{
+struct target__kernel_timespec *target_ts;
+
+if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
+return -TARGET_EFAULT;
+}
+__get_user(host_ts->tv_sec, &target_ts->tv_sec);
+__get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+unlock_user_struct(target_ts, target_addr, 0);
+return 0;
+}
+#endif
+
 static inline abi_long host_to_target_timespec(abi_ulong target_addr,
struct timespec *host_ts)
 {
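
Review bot: target_to_host_timespec64() copies tv_sec from struct target__kernel_timespec straight into host_ts->tv_sec with __get_user(). On a host whose time_t is 32 bits (the case the commit message calls out for the gettime direction) the value narrows silently, so clock_settime64 could set a wrapped time instead of failing. Consider checking that the value fits the host time_t and returning an error when it does not.
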
@@ -11458,6 +11474,18 @@ static abi_long do_syscall1(void *cpu_env, int num, 
abi_long arg1,
 return ret;
 }
 #endif
+#ifdef TARGET_NR_clock_settime64
+case TARGET_NR_clock_settime64:
+{
+struct timespec ts;
+
+ret = target_to_host_timespec64(&ts, arg2);
+if (!is_error(ret)) {
+ret = get_errno(clock_settime(arg1, &ts));
+}
+return ret;
+}
+#endif
 #ifdef TARGET_NR_clock_gettime
 case TARGET_NR_clock_gettime:
 {
@@ -11469,6 +11497,17 @@ static abi_long do_syscall1(void *cpu_env, int num, 
abi_long arg1,
 return ret;
 }
 #endif
+#ifdef TARGET_NR_clock_gettime64
+case TARGET_NR_clock_gettime64:
+{
+struct timespec ts;
+ret = get_errno(clock_gettime(arg1, &ts));
+if (!is_error(ret)) {
+ret = host_to_target_timespec64(arg2, &ts);
+}
+return ret;
+}
+#endif
 #ifdef TARGET_NR_clock_getres
 case TARGET_NR_clock_getres:
 {
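
Review bot: the clock_gettime64 case calls host_to_target_timespec64(), which none of the 39 lines added by this patch define, and the only helper added here, target_to_host_timespec64(), is guarded by TARGET_NR_clock_settime64 alone. Please confirm that the existing host_to_target_timespec64() is compiled whenever TARGET_NR_clock_gettime64 is defined, and say so in the commit message. A blank line after `struct timespec ts;` would also match the settime64 case above.
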
-- 
2.25.1




[PATCH v7 1/4] linux-user: Protect more syscalls

2020-03-12 Thread Alistair Francis
New y2038 safe 32-bit architectures (like RISC-V) don't support old
syscalls with a 32-bit time_t. The kernel defines new *_time64 versions
of these syscalls. Add some more #ifdefs to syscall.c in linux-user to
allow us to compile without these old syscalls.

Signed-off-by: Alistair Francis 
Reviewed-by: Laurent Vivier 
---
 linux-user/strace.c  |  2 ++
 linux-user/syscall.c | 68 ++--
 2 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/linux-user/strace.c b/linux-user/strace.c
index 4f7130b2ff..6420ccd97b 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -775,6 +775,7 @@ print_syscall_ret_newselect(const struct syscallname *name, 
abi_long ret)
 #define TARGET_TIME_OOP  3   /* leap second in progress */
 #define TARGET_TIME_WAIT 4   /* leap second has occurred */
 #define TARGET_TIME_ERROR5   /* clock not synchronized */
+#ifdef TARGET_NR_adjtimex
 static void
 print_syscall_ret_adjtimex(const struct syscallname *name, abi_long ret)
 {
@@ -813,6 +814,7 @@ print_syscall_ret_adjtimex(const struct syscallname *name, 
abi_long ret)
 
 qemu_log("\n");
 }
+#endif
 
 UNUSED static struct flags access_flags[] = {
 FLAG_GENERIC(F_OK),
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8d27d10807..909bec94a5 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -742,21 +742,30 @@ safe_syscall3(ssize_t, read, int, fd, void *, buff, 
size_t, count)
 safe_syscall3(ssize_t, write, int, fd, const void *, buff, size_t, count)
 safe_syscall4(int, openat, int, dirfd, const char *, pathname, \
   int, flags, mode_t, mode)
+#if defined(TARGET_NR_wait4) || defined(TARGET_NR_waitpid)
 safe_syscall4(pid_t, wait4, pid_t, pid, int *, status, int, options, \
   struct rusage *, rusage)
+#endif
 safe_syscall5(int, waitid, idtype_t, idtype, id_t, id, siginfo_t *, infop, \
   int, options, struct rusage *, rusage)
 safe_syscall3(int, execve, const char *, filename, char **, argv, char **, 
envp)
+#if defined(TARGET_NR_select) || defined(TARGET_NR__newselect) || \
+defined(TARGET_NR_pselect6)
 safe_syscall6(int, pselect6, int, nfds, fd_set *, readfds, fd_set *, writefds, 
\
   fd_set *, exceptfds, struct timespec *, timeout, void *, sig)
+#endif
+#if defined(TARGET_NR_ppoll) || defined(TARGET_NR_poll)
 safe_syscall5(int, ppoll, struct pollfd *, ufds, unsigned int, nfds,
   struct timespec *, tsp, const sigset_t *, sigmask,
   size_t, sigsetsize)
+#endif
 safe_syscall6(int, epoll_pwait, int, epfd, struct epoll_event *, events,
   int, maxevents, int, timeout, const sigset_t *, sigmask,
   size_t, sigsetsize)
+#ifdef TARGET_NR_futex
 safe_syscall6(int,futex,int *,uaddr,int,op,int,val, \
   const struct timespec *,timeout,int *,uaddr2,int,val3)
+#endif
 safe_syscall2(int, rt_sigsuspend, sigset_t *, newset, size_t, sigsetsize)
 safe_syscall2(int, kill, pid_t, pid, int, sig)
 safe_syscall2(int, tkill, int, tid, int, sig)
@@ -776,12 +785,16 @@ safe_syscall6(ssize_t, recvfrom, int, fd, void *, buf, 
size_t, len,
 safe_syscall3(ssize_t, sendmsg, int, fd, const struct msghdr *, msg, int, 
flags)
 safe_syscall3(ssize_t, recvmsg, int, fd, struct msghdr *, msg, int, flags)
 safe_syscall2(int, flock, int, fd, int, operation)
+#ifdef TARGET_NR_rt_sigtimedwait
 safe_syscall4(int, rt_sigtimedwait, const sigset_t *, these, siginfo_t *, 
uinfo,
   const struct timespec *, uts, size_t, sigsetsize)
+#endif
 safe_syscall4(int, accept4, int, fd, struct sockaddr *, addr, socklen_t *, len,
   int, flags)
+#if defined(TARGET_NR_nanosleep)
 safe_syscall2(int, nanosleep, const struct timespec *, req,
   struct timespec *, rem)
+#endif
 #ifdef TARGET_NR_clock_nanosleep
 safe_syscall4(int, clock_nanosleep, const clockid_t, clock, int, flags,
   const struct timespec *, req, struct timespec *, rem)
@@ -802,9 +815,11 @@ safe_syscall5(int, msgrcv, int, msgid, void *, msgp, 
size_t, sz,
 safe_syscall4(int, semtimedop, int, semid, struct sembuf *, tsops,
   unsigned, nsops, const struct timespec *, timeout)
 #endif
-#if defined(TARGET_NR_mq_open) && defined(__NR_mq_open)
+#ifdef TARGET_NR_mq_timedsend
 safe_syscall5(int, mq_timedsend, int, mqdes, const char *, msg_ptr,
   size_t, len, unsigned, prio, const struct timespec *, timeout)
+#endif
+#ifdef TARGET_NR_mq_timedreceive
 safe_syscall5(int, mq_timedreceive, int, mqdes, char *, msg_ptr,
   size_t, len, unsigned *, prio, const struct timespec *, timeout)
 #endif
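
Review bot: replacing `#if defined(TARGET_NR_mq_open) && defined(__NR_mq_open)` with `#ifdef TARGET_NR_mq_timedsend` drops the host-side check, so the mq_timedsend and mq_timedreceive wrappers are now emitted whenever the target defines the syscall, whether or not the host has it. Keep a host test next to each target test, for example `defined(TARGET_NR_mq_timedsend) && defined(__NR_mq_timedsend)`.
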
@@ -946,6 +961,8 @@ abi_long do_brk(abi_ulong new_brk)
 return target_brk;
 }
 
+#if defined(TARGET_NR_select) || defined(TARGET_NR__newselect) || \
+defined(TARGET_NR_pselect6)
 static inline abi_long copy_from_user_fdset(fd_set *fds,
 abi_ulong target_fds_addr,
 int

[PATCH v7 4/4] linux-user/riscv: Update the syscall_nr's to the 5.5 kernel

2020-03-12 Thread Alistair Francis
Signed-off-by: Alistair Francis 
Reviewed-by: Laurent Vivier 
---
 linux-user/riscv/syscall32_nr.h | 295 +++
 linux-user/riscv/syscall64_nr.h | 301 
 linux-user/riscv/syscall_nr.h   | 294 +--
 3 files changed, 598 insertions(+), 292 deletions(-)
 create mode 100644 linux-user/riscv/syscall32_nr.h
 create mode 100644 linux-user/riscv/syscall64_nr.h

diff --git a/linux-user/riscv/syscall32_nr.h b/linux-user/riscv/syscall32_nr.h
new file mode 100644
index 00..4fef73e954
--- /dev/null
+++ b/linux-user/riscv/syscall32_nr.h
@@ -0,0 +1,295 @@
+/*
+ * This file contains the system call numbers.
+ */
+#ifndef LINUX_USER_RISCV_SYSCALL32_NR_H
+#define LINUX_USER_RISCV_SYSCALL32_NR_H
+
+#define TARGET_NR_io_setup 0
+#define TARGET_NR_io_destroy 1
+#define TARGET_NR_io_submit 2
+#define TARGET_NR_io_cancel 3
+#define TARGET_NR_setxattr 5
+#define TARGET_NR_lsetxattr 6
+#define TARGET_NR_fsetxattr 7
+#define TARGET_NR_getxattr 8
+#define TARGET_NR_lgetxattr 9
+#define TARGET_NR_fgetxattr 10
+#define TARGET_NR_listxattr 11
+#define TARGET_NR_llistxattr 12
+#define TARGET_NR_flistxattr 13
+#define TARGET_NR_removexattr 14
+#define TARGET_NR_lremovexattr 15
+#define TARGET_NR_fremovexattr 16
+#define TARGET_NR_getcwd 17
+#define TARGET_NR_lookup_dcookie 18
+#define TARGET_NR_eventfd2 19
+#define TARGET_NR_epoll_create1 20
+#define TARGET_NR_epoll_ctl 21
+#define TARGET_NR_epoll_pwait 22
+#define TARGET_NR_dup 23
+#define TARGET_NR_dup3 24
+#define TARGET_NR_fcntl64 25
+#define TARGET_NR_inotify_init1 26
+#define TARGET_NR_inotify_add_watch 27
+#define TARGET_NR_inotify_rm_watch 28
+#define TARGET_NR_ioctl 29
+#define TARGET_NR_ioprio_set 30
+#define TARGET_NR_ioprio_get 31
+#define TARGET_NR_flock 32
+#define TARGET_NR_mknodat 33
+#define TARGET_NR_mkdirat 34
+#define TARGET_NR_unlinkat 35
+#define TARGET_NR_symlinkat 36
+#define TARGET_NR_linkat 37
+#define TARGET_NR_umount2 39
+#define TARGET_NR_mount 40
+#define TARGET_NR_pivot_root 41
+#define TARGET_NR_nfsservctl 42
+#define TARGET_NR_statfs64 43
+#define TARGET_NR_fstatfs64 44
+#define TARGET_NR_truncate64 45
+#define TARGET_NR_ftruncate64 46
+#define TARGET_NR_fallocate 47
+#define TARGET_NR_faccessat 48
+#define TARGET_NR_chdir 49
+#define TARGET_NR_fchdir 50
+#define TARGET_NR_chroot 51
+#define TARGET_NR_fchmod 52
+#define TARGET_NR_fchmodat 53
+#define TARGET_NR_fchownat 54
+#define TARGET_NR_fchown 55
+#define TARGET_NR_openat 56
+#define TARGET_NR_close 57
+#define TARGET_NR_vhangup 58
+#define TARGET_NR_pipe2 59
+#define TARGET_NR_quotactl 60
+#define TARGET_NR_getdents64 61
+#define TARGET_NR_llseek 62
+#define TARGET_NR_read 63
+#define TARGET_NR_write 64
+#define TARGET_NR_readv 65
+#define TARGET_NR_writev 66
+#define TARGET_NR_pread64 67
+#define TARGET_NR_pwrite64 68
+#define TARGET_NR_preadv 69
+#define TARGET_NR_pwritev 70
+#define TARGET_NR_sendfile64 71
+#define TARGET_NR_signalfd4 74
+#define TARGET_NR_vmsplice 75
+#define TARGET_NR_splice 76
+#define TARGET_NR_tee 77
+#define TARGET_NR_readlinkat 78
+#define TARGET_NR_fstatat64 79
+#define TARGET_NR_fstat64 80
+#define TARGET_NR_sync 81
+#define TARGET_NR_fsync 82
+#define TARGET_NR_fdatasync 83
+#define TARGET_NR_sync_file_range 84
+#define TARGET_NR_timerfd_create 85
+#define TARGET_NR_acct 89
+#define TARGET_NR_capget 90
+#define TARGET_NR_capset 91
+#define TARGET_NR_personality 92
+#define TARGET_NR_exit 93
+#define TARGET_NR_exit_group 94
+#define TARGET_NR_waitid 95
+#define TARGET_NR_set_tid_address 96
+#define TARGET_NR_unshare 97
+#define TARGET_NR_set_robust_list 99
+#define TARGET_NR_get_robust_list 100
+#define TARGET_NR_getitimer 102
+#define TARGET_NR_setitimer 103
+#define TARGET_NR_kexec_load 104
+#define TARGET_NR_init_module 105
+#define TARGET_NR_delete_module 106
+#define TARGET_NR_timer_create 107
+#define TARGET_NR_timer_getoverrun 109
+#define TARGET_NR_timer_delete 111
+#define TARGET_NR_syslog 116
+#define TARGET_NR_ptrace 117
+#define TARGET_NR_sched_setparam 118
+#define TARGET_NR_sched_setscheduler 119
+#define TARGET_NR_sched_getscheduler 120
+#define TARGET_NR_sched_getparam 121
+#define TARGET_NR_sched_setaffinity 122
+#define TARGET_NR_sched_getaffinity 123
+#define TARGET_NR_sched_yield 124
+#define TARGET_NR_sched_get_priority_max 125
+#define TARGET_NR_sched_get_priority_min 126
+#define TARGET_NR_restart_syscall 128
+#define TARGET_NR_kill 129
+#define TARGET_NR_tkill 130
+#define TARGET_NR_tgkill 131
+#define TARGET_NR_sigaltstack 132
+#define TARGET_NR_rt_sigsuspend 133
+#define TARGET_NR_rt_sigaction 134
+#define TARGET_NR_rt_sigprocmask 135
+#define TARGET_NR_rt_sigpending 136
+#define TARGET_NR_rt_sigqueueinfo 138
+#define TARGET_NR_rt_sigreturn 139
+#define TARGET_NR_setpriority 140
+#define TARGET_NR_getpriority 141
+#define TARGET_NR_reboot 142
+#define TARGET_NR_setregid 143
+#define TARGET_NR_setgid 144
+#define TARGET_NR_setreuid 145
+#define TARGET_NR_set

[PATCH v7 3/4] linux-user: Support futex_time64

2020-03-12 Thread Alistair Francis
Add support for host and target futex_time64. If futex_time64 exists on
the host we try that first before falling back to the standard futex
syscall.

Signed-off-by: Alistair Francis 
---
 linux-user/syscall.c | 144 +++
 1 file changed, 131 insertions(+), 13 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 60fd775d9c..9ae7a05e38 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -245,7 +245,12 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 
arg4,type5 arg5,  \
 #define __NR_sys_rt_sigqueueinfo __NR_rt_sigqueueinfo
 #define __NR_sys_rt_tgsigqueueinfo __NR_rt_tgsigqueueinfo
 #define __NR_sys_syslog __NR_syslog
-#define __NR_sys_futex __NR_futex
+#if defined(__NR_futex)
+# define __NR_sys_futex __NR_futex
+#endif
+#if defined(__NR_futex_time64)
+# define __NR_sys_futex_time64 __NR_futex_time64
+#endif
 #define __NR_sys_inotify_init __NR_inotify_init
 #define __NR_sys_inotify_add_watch __NR_inotify_add_watch
 #define __NR_sys_inotify_rm_watch __NR_inotify_rm_watch
@@ -295,10 +300,16 @@ _syscall1(int,exit_group,int,error_code)
 #if defined(TARGET_NR_set_tid_address) && defined(__NR_set_tid_address)
 _syscall1(int,set_tid_address,int *,tidptr)
 #endif
-#if defined(TARGET_NR_futex) && defined(__NR_futex)
+#if (defined(TARGET_NR_futex) && defined(__NR_futex)) || \
+(defined(TARGET_NR_futex_time64) && \
+(HOST_LONG_BITS == 64 && defined(__NR_futex)))
 _syscall6(int,sys_futex,int *,uaddr,int,op,int,val,
   const struct timespec *,timeout,int *,uaddr2,int,val3)
 #endif
+#if (defined(TARGET_NR_futex_time64) && defined(__NR_futex_teim64))
+_syscall6(int,sys_futex_time64,int *,uaddr,int,op,int,val,
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
+#endif
 #define __NR_sys_sched_getaffinity __NR_sched_getaffinity
 _syscall3(int, sys_sched_getaffinity, pid_t, pid, unsigned int, len,
   unsigned long *, user_mask_ptr);
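
Review bot: the guard for the new sys_futex_time64 wrapper tests `defined(__NR_futex_teim64)`, a misspelling of __NR_futex_time64, so the wrapper is never compiled even though do_sys_futex() later in this patch calls it under `#if defined(__NR_futex_time64)`. Fix the spelling. Also check the sys_futex guard: when only TARGET_NR_futex_time64 is defined it requires HOST_LONG_BITS == 64, yet do_sys_futex() falls back to sys_futex() on 32-bit hosts as well.
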
@@ -762,10 +773,14 @@ safe_syscall5(int, ppoll, struct pollfd *, ufds, unsigned 
int, nfds,
 safe_syscall6(int, epoll_pwait, int, epfd, struct epoll_event *, events,
   int, maxevents, int, timeout, const sigset_t *, sigmask,
   size_t, sigsetsize)
-#ifdef TARGET_NR_futex
+#if defined(__NR_futex)
 safe_syscall6(int,futex,int *,uaddr,int,op,int,val, \
   const struct timespec *,timeout,int *,uaddr2,int,val3)
 #endif
+#if defined(__NR_futex_time64)
+safe_syscall6(int,futex_time64,int *,uaddr,int,op,int,val, \
+  const struct timespec *,timeout,int *,uaddr2,int,val3)
+#endif
 safe_syscall2(int, rt_sigsuspend, sigset_t *, newset, size_t, sigsetsize)
 safe_syscall2(int, kill, pid_t, pid, int, sig)
 safe_syscall2(int, tkill, int, tid, int, sig)
@@ -1229,7 +1244,7 @@ static inline abi_long target_to_host_timespec(struct 
timespec *host_ts,
 }
 #endif
 
-#if defined(TARGET_NR_clock_settime64)
+#if defined(TARGET_NR_clock_settime64) || defined(TARGET_NR_futex_time64)
 static inline abi_long target_to_host_timespec64(struct timespec *host_ts,
  abi_ulong target_addr)
 {
@@ -6890,6 +6905,55 @@ static inline abi_long host_to_target_statx(struct 
target_statx *host_stx,
 }
 #endif
 
+static int do_sys_futex(int *uaddr, int op, int val,
+ const struct timespec *timeout, int *uaddr2,
+ int val3)
+{
+#if HOST_LONG_BITS == 64
+#if defined(__NR_futex)
+/* always a 64-bit time_t, it doesn't define _time64 version  */
+return sys_futex(uaddr, op, val, timeout, uaddr2, val3);
+
+#endif
+#else /* HOST_LONG_BITS == 64 */
+#if defined(__NR_futex_time64)
+if (sizeof(timeout->tv_sec) == 8) {
+/* _time64 function on 32bit arch */
+return sys_futex_time64(uaddr, op, val, timeout, uaddr2, val3);
+}
+#endif
+#if defined(__NR_futex)
+/* old function on 32bit arch */
+return sys_futex(uaddr, op, val, timeout, uaddr2, val3);
+#endif
+#endif /* HOST_LONG_BITS == 64 */
+return -TARGET_ENOSYS;
+}
+
+static int do_safe_futex(int *uaddr, int op, int val,
+ const struct timespec *timeout, int *uaddr2,
+ int val3)
+{
+#if HOST_LONG_BITS == 64
+#if defined(__NR_futex)
+/* always a 64-bit time_t, it doesn't define _time64 version  */
+return get_errno(safe_futex(uaddr, op, val, timeout, uaddr2, val3));
+#endif
+#else /* HOST_LONG_BITS == 64 */
+#if defined(__NR_futex_time64)
+if (sizeof(timeout->tv_sec) == 8) {
+/* _time64 function on 32bit arch */
+return get_errno(safe_futex_time64(uaddr, op, val, timeout, uaddr2,
+   val3));
+}
+#endif
+#if defined(__NR_futex)
+/* old function on 32bit arch */
+return get_errno(safe_futex(uaddr, op, val, timeout, uaddr2, val3));
+#endif
+#endif /* HOST_LONG_BITS == 64 */
+return -TARGET_ENOSYS;
+}
 
 /* ??? Using host futex calls even when target atomic operation
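
Review bot: do_sys_futex() returns whatever sys_futex()/sys_futex_time64() return without get_errno(), while do_safe_futex() wraps each call in get_errno(), and both fall through to `return -TARGET_ENOSYS;`. Document which convention callers of do_sys_futex() should expect, or convert its results too. On a 64-bit host with __NR_futex defined the final return is unreachable, and the stray blank line before `#endif` in do_sys_futex() can go.
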

[PATCH v7 0/4] linux-user: generate syscall_nr.sh for RISC-V

2020-03-12 Thread Alistair Francis
This series updates the RISC-V syscall_nr.sh based on the 5.5 kernel.

There are two parts to this. One is just adding the new syscalls, the
other part is updating the RV32 syscalls to match the fact that RV32 is
a 64-bit time_t architecture (y2038 safe).

We need to make some changes to syscall.c to avoid warnings/errors
during compiling with the new syscall.

I did some RV32 user space testing after applying these patches. I ran the
glibc testsuite in userspace and I don't see any regressions.

v7:
 - Update futex_time64 support to work correctly
v6:
 - Split out futex patch and make it more robust
v5:
 - Address comments raised on v4
   - Don't require 64-bit host for *_time64 functions

Alistair Francis (4):
  linux-user: Protect more syscalls
  linux-user/syscall: Add support for clock_gettime64/clock_settime64
  linux-user: Support futex_time64
  linux-user/riscv: Update the syscall_nr's to the 5.5 kernel

 linux-user/riscv/syscall32_nr.h | 295 +++
 linux-user/riscv/syscall64_nr.h | 301 
 linux-user/riscv/syscall_nr.h   | 294 +--
 linux-user/strace.c |   2 +
 linux-user/syscall.c| 247 --
 5 files changed, 834 insertions(+), 305 deletions(-)
 create mode 100644 linux-user/riscv/syscall32_nr.h
 create mode 100644 linux-user/riscv/syscall64_nr.h

-- 
2.25.1




Re: [PATCH] iotests/026: Move v3-exclusive test to new file

2020-03-12 Thread John Snow



On 3/11/20 10:07 AM, Max Reitz wrote:
> data_file does not work with v2, and we probably want 026 to keep
> working for v2 images.  Thus, open a new file for v3-exclusive error
> path test cases.
> 
> Fixes: 81311255f217859413c94f2cd9cebf2684bbda94
>(“iotests/026: Test EIO on allocation in a data-file”)
> Signed-off-by: Max Reitz 

Let me start this reply with something good, or at least something
that's not bad. It's value neutral at worst.

Reviewed-by: John Snow 
Tested-by: John Snow 


Now, let's get cracking on some prime nonsense.

I assume this patch is still 'pending'. Here's a complete tangent
unrelated to your patch in every single way:

What's the best way to use patchew to see series that are "pending" in
some way? I'd like to:

- Search only the block list (to:qemu-bl...@nongnu.org. I assume this
catches CCs too.)
- Exclude series that are merged (-is:merged)
- Exclude obsoleted series (-is:obsolete)

This gets a bit closer to things that are interesting in some way --
give or take some fuzziness with patchew's detection of "merged" or
"obsoleted" sometimes.

- Exclude pull requests. (-is:pull seems broken, actually.)
- Exclude reviewed series (-is:reviewed -- what does patchew consider
'reviewed'? does this mean fully reviewed, or any reviews?)

This gives me something a bit more useful.

- Exclude 'expired' series. I use 30 days as a mental model for this. It
might be nice to formalize this and mark patches that received no
replies and didn't detect any other state change as "expired" and send
an autoreply from the bot.

(I.e., patches that are complete, applied, passed CI, were not
obsoleted, did not appear to be merged, and received no replies from
anyone except the patch author)


("Hi, this patch received no replies from anyone except the author (you)
for 30 days. The series is being dropped from the pending queue and is
being marked expired. If the patches are still important, please rebase
them and re-send to the list.

Please use scripts/get_maintainers.pl to identify candidate maintainers
and reviewers and make sure they are CC'd.

This series appears to touch files owned by the following maintainers:
- Blah
- Etc
- And so on

For more information on the contribution process, please visit:
")

We don't have anything like that, so age:<30d suffices. Alright, this
list is starting to look *pretty* decent.

project:QEMU to:qemu-bl...@nongnu.org not:obsolete not:merged
-is:reviewed age:<30d

Lastly, maybe we can exclude series that don't have replies yet. It's
not clear to patchew which replies are:

- Unrelated comments, like this one here
- Requests for a change
- A question for the submitter
- A softly-worded N-A-C-K

and without a concept of designated reviewer, perhaps lack of replies is
good evidence that the series is untouched and needs someone to 'pick it
up'; (-has:replies)

https://patchew.org/search?q=project%3AQEMU+to%3Aqemu-block%40nongnu.org+not%3Aobsolete+not%3Amerged+-is%3Areviewed+age%3A%3C30d+-has%3Areplies

Alright, that's pretty good, actually.

OK, yes, this patch still needs love as far as patchew understands.

> ---
>  tests/qemu-iotests/026 | 31 ---
>  tests/qemu-iotests/026.out |  6 --
>  tests/qemu-iotests/026.out.nocache |  6 --
>  tests/qemu-iotests/289 | 89 ++
>  tests/qemu-iotests/289.out |  8 +++
>  tests/qemu-iotests/group   |  1 +
>  6 files changed, 98 insertions(+), 43 deletions(-)
>  create mode 100755 tests/qemu-iotests/289
>  create mode 100644 tests/qemu-iotests/289.out
> 
> diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
> index b05a4692cf..b9713eb591 100755
> --- a/tests/qemu-iotests/026
> +++ b/tests/qemu-iotests/026
> @@ -240,37 +240,6 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | 
> _filter_qemu_io
>  
>  _check_test_img
>  
> -echo
> -echo === Avoid freeing external data clusters on failure ===
> -echo
> -
> -# Similar test as the last one, except we test what happens when there
> -# is an error when writing to an external data file instead of when
> -# writing to a preallocated zero cluster
> -_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
> -
> -# Put blkdebug above the data-file, and a raw node on top of that so
> -# that blkdebug will see a write_aio event and emit an error
> -$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
> -"json:{
> - 'driver': 'qcow2',
> - 'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
> - 'data-file': {
> - 'driver': 'raw',
> - 'file': {
> - 'driver': 'blkdebug',
> - 'config': '$TEST_DIR/blkdebug.conf',
> - 'image': {
> - 'driver': 'file',
> - 'filename': '$TEST_IMG.data_file'
> - }
> - }
> - }
> - }" \
> -| _filter_qemu_io
> -
> -_check_test_img
> -
>  # success, all done
>  echo "*** done"
>  rm -f 

Re: [PATCH v1 1/1] target/riscv: Don't set write permissions on dirty PTEs

2020-03-12 Thread Alistair Francis
On Wed, Mar 4, 2020 at 9:34 AM Richard Henderson
 wrote:
>
> On 3/3/20 5:16 PM, Alistair Francis wrote:
> > The RISC-V spec specifies that when a write happens and the D bit is
> > clear the implementation will set the bit in the PTE. It does not
> > describe that the PTE being dirty means that we should provide write
> > access. This patch removes the write access granted to pages when the
> > dirty bit is set.
>
> The W bit by itself says we should provide write access.
>
> It is an implementation detail that we *withhold* write access when D is clear
> (etc) so that we can trap, so that we can properly set D in the future.
>
> The page table walk associated with a read is allowed to cache all of the
> information it finds in the PTE during that walk.  Which includes the D bit.
> If D is set, then we do not need to set it in future, so we do not need to
> trap, so we can immediately honor the W bit.

Ok, I understand what is going on here now. I agree that my patch is wrong.

>
> If the guest changes R/W/X within a PTE (e.g. for mprotect), it is obvious that
> a TLB flush for that page must be done.  It is no different if the guest
> changes A/D (e.g. for swapping).

Agreed.

>
> > Setting write permission on dirty PTEs results in userspace inside a
> > Hypervisor guest (VU) becoming corrupted. This appears to be because it
> > ends up with write permission in the second stage translation in cases
> > where we aren't doing a store.
>
> You've not really given any more information than last time this patch came around.
>
> I still think this must be a guest (or nested guest) bug related to clearing
> PTE bits and failing to flush the TLB properly.

I think so as well now. I have changed the Linux guest and Hypervisor
to be very aggressive with flushing but still can't get guest user
space working. I'll keep digging and see if I can figure out what's
going on.

>
> I don't see how it could be a qemu tlb flushing bug.  The only primitive,
> sfence.vma, is quite heavy-handed and explicitly local to the thread.

Yes, both sfence and hfence flush all TLBs, so that doesn't seem to be
the problem.

>
> It may be a bug in qemu's implementation of second stage paging.  Which is not
> yet upstream, and I haven't gone digging in the archives to find the patch.

It's upstream now, I have double checked it though and I can't see
anything wrong.

Alistair

>
>
> r~
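
The behaviour Richard Henderson describes in the message above, as a small C model added here for illustration (it is not QEMU's code): W is cached in the TLB only once D is set, and a guest that clears D without flushing loses dirty tracking. The PTE bit positions are those of the RISC-V privileged specification; the struct, the function names and the one-entry TLB are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RISC-V PTE flag bits, as laid out in the privileged specification. */
#define PTE_V 0x01u
#define PTE_R 0x02u
#define PTE_W 0x04u
#define PTE_X 0x08u
#define PTE_A 0x40u
#define PTE_D 0x80u

/* Permissions cached in the model's TLB entry (names are this example's). */
#define PROT_R 1
#define PROT_W 2
#define PROT_X 4

enum access { ACC_LOAD, ACC_STORE, ACC_FETCH };

/* One page, one TLB entry: a leaf PTE in "guest memory" and its cached copy. */
struct mmu {
    uint64_t pte;
    bool tlb_valid;
    int tlb_prot;
};

/* Walk the leaf PTE for one access; returns permissions to cache, -1 on fault. */
static int walk_leaf(uint64_t *pte, enum access acc)
{
    uint64_t need = acc == ACC_LOAD ? PTE_R : acc == ACC_STORE ? PTE_W : PTE_X;
    int prot = 0;

    if (!(*pte & PTE_V) || !(*pte & need)) {
        return -1;
    }
    *pte |= PTE_A;                      /* every successful walk sets A */
    if (acc == ACC_STORE) {
        *pte |= PTE_D;                  /* only a store sets D */
    }
    if (*pte & PTE_R) prot |= PROT_R;
    if (*pte & PTE_X) prot |= PROT_X;
    /* W is honoured only once D is set: with D clear the first store must
     * miss the TLB and come back here so that D can be written. */
    if ((*pte & PTE_W) && (*pte & PTE_D)) prot |= PROT_W;
    return prot;
}

/* Perform one access through the TLB; returns 0 on success, -1 on fault. */
static int mmu_access(struct mmu *m, enum access acc)
{
    int need = acc == ACC_LOAD ? PROT_R : acc == ACC_STORE ? PROT_W : PROT_X;
    int prot;

    if (m->tlb_valid && (m->tlb_prot & need)) {
        return 0;                       /* hit: the PTE in memory is not read */
    }
    prot = walk_leaf(&m->pte, acc);
    if (prot < 0) {
        return -1;
    }
    m->tlb_valid = true;
    m->tlb_prot = prot;
    return 0;
}

/* Stand-in for sfence.vma: drop the cached translation. */
static void mmu_sfence(struct mmu *m)
{
    m->tlb_valid = false;
}

/* Permissions cached after a single load through a PTE with these flags. */
int prot_after_load(uint64_t flags)
{
    struct mmu m = { .pte = flags };
    return mmu_access(&m, ACC_LOAD) == 0 ? m.tlb_prot : -1;
}

/* Guest clears D on a page whose translation is cached with W, optionally
 * flushes, then stores again. Returns whether D was set by that store. */
bool dirty_tracked_after_clear(bool flush)
{
    struct mmu m = { .pte = PTE_V | PTE_R | PTE_W };

    mmu_access(&m, ACC_LOAD);           /* caches R only, D still clear */
    mmu_access(&m, ACC_STORE);          /* re-walk: sets D, caches R|W */
    m.pte &= ~(uint64_t)PTE_D;          /* guest clears D, e.g. after writeback */
    if (flush) {
        mmu_sfence(&m);
    }
    mmu_access(&m, ACC_STORE);
    return (m.pte & PTE_D) != 0;
}

int main(void)
{
    printf("clean page, load caches prot=%d\n",
           prot_after_load(PTE_V | PTE_R | PTE_W));
    printf("dirty page, load caches prot=%d\n",
           prot_after_load(PTE_V | PTE_R | PTE_W | PTE_D));
    printf("D tracked without flush: %d, with flush: %d\n",
           dirty_tracked_after_clear(false), dirty_tracked_after_clear(true));
    return 0;
}
```

The no-flush case is the guest-side bug suspected in the thread: the store hits the stale entry that still carries W, so the walk that would set D never runs.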



Re: [PATCH 0/5] QEMU Gating CI

2020-03-12 Thread Cleber Rosa
On Thu, Mar 12, 2020 at 10:00:42PM +, Peter Maydell wrote:
> On Thu, 12 Mar 2020 at 19:36, Cleber Rosa  wrote:
> >
> > The idea about a public facing Gating CI for QEMU was lastly
> > summarized in an RFC[1].  Since then, it was decided that a
> > simpler version should be attempted first.
> 
> OK, so my question here is:
>  * what are the instructions that I have to follow to be
> able to say "ok, here's my branch, run it through these tests,
> please" ?

The quick answer is:

 $ git push g...@gitlab.com:qemu-project/qemu.git my-branch:staging

The longer explanation is that these jobs are limited to a "staging"
branch, so all you'd have to do is to push something to a branch
called "staging".  If that branch happens to be from the
"gitlab.com/qemu-project/qemu" repo, then the runners setup there
would be used.  The documentation and ansible playbooks are supposed
to help with this setup.

Once that push happens, you could use:

 $ contrib/ci/scripts/gitlab-pipeline-status --verbose --wait

Before doing something like:

 $ git push g...@gitlab.com:qemu-project/qemu.git my-branch:master

> 
> thanks
> -- PMM
> 

Let me know if that makes sense.

Cheers,
- Cleber.




Re: [PATCH v5 04/60] target/riscv: add vector configure instruction

2020-03-12 Thread Alistair Francis
On Thu, Mar 12, 2020 at 3:00 PM LIU Zhiwei  wrote:
>
>
>
> On 2020/3/13 5:23, Alistair Francis wrote:
> > On Thu, Mar 12, 2020 at 8:07 AM LIU Zhiwei  wrote:
> >> vsetvl and vsetvli are two configure instructions for vl, vtype. TB flags
> >> should update after configure instructions. The (ill, lmul, sew ) of vtype
> >> and the bit of (VSTART == 0 && VL == VLMAX) will be placed within tb_flags.
> >>
> >> Signed-off-by: LIU Zhiwei 
> >> ---
> >>   target/riscv/Makefile.objs  |  2 +-
> >>   target/riscv/cpu.h  | 63 ++
> >>   target/riscv/helper.h   |  2 +
> >>   target/riscv/insn32.decode  |  5 ++
> >>   target/riscv/insn_trans/trans_rvv.inc.c | 69 +
> >>   target/riscv/translate.c| 17 +-
> >>   target/riscv/vector_helper.c| 53 +++
> >>   7 files changed, 199 insertions(+), 12 deletions(-)
> >>   create mode 100644 target/riscv/insn_trans/trans_rvv.inc.c
> >>   create mode 100644 target/riscv/vector_helper.c
> >>

...

> >> +gen_get_gpr(s2, a->rs2);
> >> +gen_helper_vsetvl(dst, cpu_env, s1, s2);
> >> +gen_set_gpr(a->rd, dst);
> >> +tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
> >> +exit_tb(ctx);
> > Why does this
> As the vsetvl will change vtype, the tb flags of the instructions next
> to the vsetvl
> will change(some tb flags  are from vtype, like LMUL).
> >
> >> +ctx->base.is_jmp = DISAS_NORETURN;
> >> +
> >> +tcg_temp_free(s1);
> >> +tcg_temp_free(s2);
> >> +tcg_temp_free(dst);
> >> +return true;
> >> +}
> >> +
> >> +static bool trans_vsetvli(DisasContext *ctx, arg_vsetvli * a)
> >> +{
> >> +TCGv s1, s2, dst;
> >> +s2 = tcg_const_tl(a->zimm);
> >> +dst = tcg_temp_new();
> >> +
> >> +/* Using x0 as the rs1 register specifier, encodes an infinite AVL */
> >> +if (a->rs1 == 0) {
> >> +/* As the mask is at least one bit, RV_VLEN_MAX is >= VLMAX */
> >> +s1 = tcg_const_tl(RV_VLEN_MAX);
> >> +} else {
> >> +s1 = tcg_temp_new();
> >> +gen_get_gpr(s1, a->rs1);
> >> +}
> >> +gen_helper_vsetvl(dst, cpu_env, s1, s2);
> >> +gen_set_gpr(a->rd, dst);
> >> +gen_goto_tb(ctx, 0, ctx->pc_succ_insn);
> > Need to be different to this?
> Although vsetvli will also change vtype, the vtype will be a constant.
> So the tb flags of  the instruction(A) next to
> it will always be same with the tb flags at first translation of A.
> That's why gen_goto_tb is enough.

Ah ok. Makes sense.

Once you fix the one nit pick I had you can add my reviewed by:

Reviewed-by: Alistair Francis 

Alistair

>
> Zhiwei



Re: [PATCH 0/5] QEMU Gating CI

2020-03-12 Thread Peter Maydell
On Thu, 12 Mar 2020 at 19:36, Cleber Rosa  wrote:
>
> The idea about a public facing Gating CI for QEMU was lastly
> summarized in an RFC[1].  Since then, it was decided that a
> simpler version should be attempted first.

OK, so my question here is:
 * what are the instructions that I have to follow to be
able to say "ok, here's my branch, run it through these tests,
please" ?

thanks
-- PMM



Re: [PATCH v4 0/7] Tighten qemu-img rules on missing backing format

2020-03-12 Thread Eric Blake

On 3/12/20 4:39 PM, no-re...@patchew.org wrote:

Patchew URL: 
https://patchew.org/QEMU/20200312192822.3739399-1-ebl...@redhat.com/



Hi,

This series failed the asan build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1
=== TEST SCRIPT END ===

   CC  block/replication.o
   CC  block/throttle.o
   CC  block/copy-on-read.o
/tmp/qemu-test/src/block/sheepdog.c:2174:9: error: variable 'qdict' is used 
uninitialized whenever 'if' condition is true 
[-Werror,-Wsometimes-uninitialized]
 if (backing_fmt && strcmp(backing_fmt, "sheepdog") != 0) {
 ^~~
/tmp/qemu-test/src/block/sheepdog.c:2241:19: note: uninitialized use occurs here
---
 ^
  = NULL


Bah, real problem (and I missed it because I compiled for debug, while 
this error depends on -O2 for gcc to flag it).  Squash this in:


diff --git i/block/sheepdog.c w/block/sheepdog.c
index 376f4ef74638..e0ea335131d9 100644
--- i/block/sheepdog.c
+++ w/block/sheepdog.c
@@ -2161,9 +2161,9 @@ static int coroutine_fn sd_co_create_opts(const 
char *filename, QemuOpts *opts,

   Error **errp)
 {
 BlockdevCreateOptions *create_options = NULL;
-QDict *qdict, *location_qdict;
+QDict *qdict = NULL, *location_qdict;
 Visitor *v;
-char *redundancy;
+char *redundancy = NULL;
 Error *local_err = NULL;
 int ret;
 char *backing_fmt = NULL;
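
Review bot: location_qdict shares the declaration with qdict but stays
uninitialized, and the compiler errors quoted above name only qdict, so
the reason redundancy also gains "= NULL" is not visible here. If the
early exit that skips the qdict assignment also reaches a free of
redundancy, say so in the squashed commit message, and confirm that the
same exit path never reads location_qdict.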

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org




Re: [PATCH v5 04/60] target/riscv: add vector configure instruction

2020-03-12 Thread LIU Zhiwei




On 2020/3/13 5:23, Alistair Francis wrote:

On Thu, Mar 12, 2020 at 8:07 AM LIU Zhiwei  wrote:

vsetvl and vsetvli are two configure instructions for vl, vtype. TB flags
should update after configure instructions. The (ill, lmul, sew) of vtype
and the bit of (VSTART == 0 && VL == VLMAX) will be placed within tb_flags.

Signed-off-by: LIU Zhiwei 
---
  target/riscv/Makefile.objs  |  2 +-
  target/riscv/cpu.h  | 63 ++
  target/riscv/helper.h   |  2 +
  target/riscv/insn32.decode  |  5 ++
  target/riscv/insn_trans/trans_rvv.inc.c | 69 +
  target/riscv/translate.c| 17 +-
  target/riscv/vector_helper.c| 53 +++
  7 files changed, 199 insertions(+), 12 deletions(-)
  create mode 100644 target/riscv/insn_trans/trans_rvv.inc.c
  create mode 100644 target/riscv/vector_helper.c

diff --git a/target/riscv/Makefile.objs b/target/riscv/Makefile.objs
index ff651f69f6..ff38df6219 100644
--- a/target/riscv/Makefile.objs
+++ b/target/riscv/Makefile.objs
@@ -1,4 +1,4 @@
-obj-y += translate.o op_helper.o cpu_helper.o cpu.o csr.o fpu_helper.o 
gdbstub.o
+obj-y += translate.o op_helper.o cpu_helper.o cpu.o csr.o fpu_helper.o 
vector_helper.o gdbstub.o
  obj-$(CONFIG_SOFTMMU) += pmp.o

  ifeq ($(CONFIG_SOFTMMU),y)
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 603715f849..505d1a8515 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -21,6 +21,7 @@
  #define RISCV_CPU_H

  #include "hw/core/cpu.h"
+#include "hw/registerfields.h"
  #include "exec/cpu-defs.h"
  #include "fpu/softfloat-types.h"

@@ -99,6 +100,12 @@ typedef struct CPURISCVState CPURISCVState;

  #define RV_VLEN_MAX 512

+FIELD(VTYPE, VLMUL, 0, 2)
+FIELD(VTYPE, VSEW, 2, 3)
+FIELD(VTYPE, VEDIV, 5, 2)
+FIELD(VTYPE, RESERVED, 7, sizeof(target_ulong) * 8 - 9)
+FIELD(VTYPE, VILL, sizeof(target_ulong) * 8 - 2, 1)
+
  struct CPURISCVState {
  target_ulong gpr[32];
  uint64_t fpr[32]; /* assume both F and D extensions */
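
Review bot: VILL is defined at bit sizeof(target_ulong) * 8 - 2 and
RESERVED covers bits 7 through XLEN-3, which leaves the top bit XLEN-1
belonging to no field. The vector specification places vill in the most
significant bit of vtype, so this looks like an off-by-one: VILL should
start at sizeof(target_ulong) * 8 - 1, with RESERVED sized to end just
below it.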
@@ -358,19 +365,62 @@ void riscv_cpu_set_fflags(CPURISCVState *env, 
target_ulong);
  #define TB_FLAGS_MMU_MASK   3
  #define TB_FLAGS_MSTATUS_FS MSTATUS_FS

+typedef CPURISCVState CPUArchState;
+typedef RISCVCPU ArchCPU;
+#include "exec/cpu-all.h"
+
+FIELD(TB_FLAGS, VL_EQ_VLMAX, 2, 1)
+FIELD(TB_FLAGS, LMUL, 3, 2)
+FIELD(TB_FLAGS, SEW, 5, 3)
+FIELD(TB_FLAGS, VILL, 8, 1)
+
+/*
+ * A simplification for VLMAX
+ * = (1 << LMUL) * VLEN / (8 * (1 << SEW))
+ * = (VLEN << LMUL) / (8 << SEW)
+ * = (VLEN << LMUL) >> (SEW + 3)
+ * = VLEN >> (SEW + 3 - LMUL)
+ */
+static inline uint32_t vext_get_vlmax(RISCVCPU *cpu, target_ulong vtype)
+{
+uint8_t sew, lmul;
+
+sew = FIELD_EX64(vtype, VTYPE, VSEW);
+lmul = FIELD_EX64(vtype, VTYPE, VLMUL);
+return cpu->cfg.vlen >> (sew + 3 - lmul);
+}
+
  static inline void cpu_get_tb_cpu_state(CPURISCVState *env, target_ulong *pc,
-target_ulong *cs_base, uint32_t *flags)
+target_ulong *cs_base, uint32_t 
*pflags)
  {
+uint32_t flags = 0;
+
  *pc = env->pc;
  *cs_base = 0;
+
+if (env->misa & RVV) {

Can you use: riscv_has_ext(env, RVV) instead?

Yes. It will be clearer.



+uint32_t vlmax = vext_get_vlmax(env_archcpu(env), env->vtype);
+bool vl_eq_vlmax = (env->vstart == 0) && (vlmax == env->vl);
+flags = FIELD_DP32(flags, TB_FLAGS, VILL,
+FIELD_EX64(env->vtype, VTYPE, VILL));
+flags = FIELD_DP32(flags, TB_FLAGS, SEW,
+FIELD_EX64(env->vtype, VTYPE, VSEW));
+flags = FIELD_DP32(flags, TB_FLAGS, LMUL,
+FIELD_EX64(env->vtype, VTYPE, VLMUL));
+flags = FIELD_DP32(flags, TB_FLAGS, VL_EQ_VLMAX, vl_eq_vlmax);
+} else {
+flags = FIELD_DP32(flags, TB_FLAGS, VILL, 1);
+}
+
  #ifdef CONFIG_USER_ONLY
-*flags = TB_FLAGS_MSTATUS_FS;
+flags |= TB_FLAGS_MSTATUS_FS;
  #else
-*flags = cpu_mmu_index(env, 0);
+flags |= cpu_mmu_index(env, 0);
  if (riscv_cpu_fp_enabled(env)) {
-*flags |= env->mstatus & MSTATUS_FS;
+flags |= env->mstatus & MSTATUS_FS;
  }
  #endif
+*pflags = flags;
  }

  int riscv_csrrw(CPURISCVState *env, int csrno, target_ulong *ret_value,
@@ -411,9 +461,4 @@ void riscv_set_csr_ops(int csrno, riscv_csr_operations 
*ops);

  void riscv_cpu_register_gdb_regs_for_features(CPUState *cs);

-typedef CPURISCVState CPUArchState;
-typedef RISCVCPU ArchCPU;
-
-#include "exec/cpu-all.h"
-
  #endif /* RISCV_CPU_H */
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index debb22a480..3c28c7e407 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -76,3 +76,5 @@ DEF_HELPER_2(mret, tl, env, tl)
  DEF_HELPER_1(wfi, void, env)
  DEF_HELPER_1(tlb_flush, void, env)
  #endif
+/* Vector functions */
+DEF_HELPER_3(vsetvl, tl, env, tl, tl)
diff --git a/target/riscv/insn32.decode b/targe

Re: [PATCH v4 0/7] Tighten qemu-img rules on missing backing format

2020-03-12 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20200312192822.3739399-1-ebl...@redhat.com/



Hi,

This series failed the docker-mingw@fedora build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#! /bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===

In file included from /tmp/qemu-test/src/include/qapi/qmp/qdict.h:16,
 from /tmp/qemu-test/src/block/sheepdog.c:20:
/tmp/qemu-test/src/block/sheepdog.c: In function 'sd_co_create_opts':
/tmp/qemu-test/src/include/qapi/qmp/qobject.h:99:13: error: 'qdict' may be used 
uninitialized in this function [-Werror=maybe-uninitialized]
 if (obj && --obj->base.refcnt == 0) {
 ^~
/tmp/qemu-test/src/block/sheepdog.c:2164:12: note: 'qdict' was declared here
 QDict *qdict, *location_qdict;
^
cc1: all warnings being treated as errors
make: *** [/tmp/qemu-test/src/rules.mak:69: block/sheepdog.o] Error 1
make: *** Waiting for unfinished jobs
Traceback (most recent call last):
  File "./tests/docker/docker.py", line 664, in 
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=2bc4557fecf04aae88a65433b16d7773', '-u', 
'1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-yqol9ujz/src/docker-src.2020-03-12-17.44.12.28207:/var/tmp/qemu:z,ro',
 'qemu:fedora', '/var/tmp/qemu/run', 'test-mingw']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=2bc4557fecf04aae88a65433b16d7773
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-yqol9ujz/src'
make: *** [docker-run-test-mingw@fedora] Error 2

real    1m54.790s
user    0m8.304s


The full log is available at
http://patchew.org/logs/20200312192822.3739399-1-ebl...@redhat.com/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

Re: [PATCH v4 0/7] Tighten qemu-img rules on missing backing format

2020-03-12 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20200312192822.3739399-1-ebl...@redhat.com/



Hi,

This series failed the docker-quick@centos7 build test. Please find the testing 
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===

In file included from /tmp/qemu-test/src/include/qapi/qmp/qdict.h:16:0,
 from /tmp/qemu-test/src/block/sheepdog.c:20:
/tmp/qemu-test/src/block/sheepdog.c: In function 'sd_co_create_opts':
/tmp/qemu-test/src/include/qapi/qmp/qobject.h:98:29: error: 'qdict' may be used 
uninitialized in this function [-Werror=maybe-uninitialized]
 assert(!obj || obj->base.refcnt);
 ^
/tmp/qemu-test/src/block/sheepdog.c:2164:12: note: 'qdict' was declared here
---
^
cc1: all warnings being treated as errors
  CC  scsi/pr-manager.o
make: *** [block/sheepdog.o] Error 1
make: *** Waiting for unfinished jobs
Traceback (most recent call last):
  File "./tests/docker/docker.py", line 664, in 
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=42390fc6cae14dfc8db84779948e6236', '-u', 
'1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-bmmmjgbx/src/docker-src.2020-03-12-17.41.49.21365:/var/tmp/qemu:z,ro',
 'qemu:centos7', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=42390fc6cae14dfc8db84779948e6236
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-bmmmjgbx/src'
make: *** [docker-run-test-quick@centos7] Error 2

real    1m47.430s
user    0m7.951s


The full log is available at
http://patchew.org/logs/20200312192822.3739399-1-ebl...@redhat.com/testing.docker-quick@centos7/?type=message.

Re: [PATCH v4 0/7] Tighten qemu-img rules on missing backing format

2020-03-12 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20200312192822.3739399-1-ebl...@redhat.com/



Hi,

This series failed the asan build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC  block/replication.o
  CC  block/throttle.o
  CC  block/copy-on-read.o
/tmp/qemu-test/src/block/sheepdog.c:2174:9: error: variable 'qdict' is used 
uninitialized whenever 'if' condition is true 
[-Werror,-Wsometimes-uninitialized]
if (backing_fmt && strcmp(backing_fmt, "sheepdog") != 0) {
^~~
/tmp/qemu-test/src/block/sheepdog.c:2241:19: note: uninitialized use occurs here
---
^
 = NULL
1 error generated.
make: *** [/tmp/qemu-test/src/rules.mak:69: block/sheepdog.o] Error 1
make: *** Waiting for unfinished jobs
Traceback (most recent call last):
  File "./tests/docker/docker.py", line 664, in 
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=93997e5b5eb34c2f9cb85363713a7f85', '-u', 
'1001', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 
'TARGET_LIST=x86_64-softmmu', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 
'J=14', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', 
'-v', '/home/patchew/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-7l8c91wu/src/docker-src.2020-03-12-17.35.51.6480:/var/tmp/qemu:z,ro',
 'qemu:fedora', '/var/tmp/qemu/run', 'test-debug']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=93997e5b5eb34c2f9cb85363713a7f85
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-7l8c91wu/src'
make: *** [docker-run-test-debug@fedora] Error 2

real    3m14.071s
user    0m8.555s


The full log is available at
http://patchew.org/logs/20200312192822.3739399-1-ebl...@redhat.com/testing.asan/?type=message.

[PATCH] hw/isa/superio: Correct the license text

2020-03-12 Thread Philippe Mathieu-Daudé
The license is the 'GNU General Public License v2.0 or later',
not 'and':

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License as
  published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

Fix the license comment.

Signed-off-by: Philippe Mathieu-Daudé 
---
 include/hw/isa/superio.h   | 2 +-
 hw/isa/isa-superio.c   | 2 +-
 hw/isa/smc37c669-superio.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/hw/isa/superio.h b/include/hw/isa/superio.h
index b151dcd753..147cc0a7b7 100644
--- a/include/hw/isa/superio.h
+++ b/include/hw/isa/superio.h
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2018 Philippe Mathieu-Daudé
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
  * See the COPYING file in the top-level directory.
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
diff --git a/hw/isa/isa-superio.c b/hw/isa/isa-superio.c
index c4e391916c..180a8b9625 100644
--- a/hw/isa/isa-superio.c
+++ b/hw/isa/isa-superio.c
@@ -5,7 +5,7 @@
  * Copyright (c) 2011-2012 Andreas Färber
  * Copyright (c) 2018 Philippe Mathieu-Daudé
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
  * See the COPYING file in the top-level directory.
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
diff --git a/hw/isa/smc37c669-superio.c b/hw/isa/smc37c669-superio.c
index 901a9f8e65..18287741cb 100644
--- a/hw/isa/smc37c669-superio.c
+++ b/hw/isa/smc37c669-superio.c
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2018 Philippe Mathieu-Daudé
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
  * See the COPYING file in the top-level directory.
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
-- 
2.21.1




[PATCH] hw/arm/bcm283x: Correct the license text

2020-03-12 Thread Philippe Mathieu-Daudé
The license is the 'GNU General Public License v2.0 or later',
not 'and':

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License as
  published by the Free Software Foundation; either version 2 of
  the License, or (at your option) any later version.

Fix the license comment.

Signed-off-by: Philippe Mathieu-Daudé 
---
 include/hw/arm/bcm2835_peripherals.h | 3 ++-
 include/hw/arm/bcm2836.h | 3 ++-
 include/hw/char/bcm2835_aux.h| 3 ++-
 include/hw/display/bcm2835_fb.h  | 3 ++-
 include/hw/dma/bcm2835_dma.h | 4 +++-
 include/hw/intc/bcm2835_ic.h | 4 +++-
 include/hw/intc/bcm2836_control.h| 3 ++-
 include/hw/misc/bcm2835_mbox.h   | 4 +++-
 include/hw/misc/bcm2835_mbox_defs.h  | 4 +++-
 include/hw/misc/bcm2835_property.h   | 4 +++-
 hw/arm/bcm2835_peripherals.c | 3 ++-
 hw/arm/bcm2836.c | 3 ++-
 hw/arm/raspi.c   | 3 ++-
 hw/display/bcm2835_fb.c  | 1 -
 hw/dma/bcm2835_dma.c | 4 +++-
 hw/intc/bcm2835_ic.c | 4 ++--
 hw/intc/bcm2836_control.c| 4 +++-
 hw/misc/bcm2835_mbox.c   | 4 +++-
 hw/misc/bcm2835_property.c   | 4 +++-
 19 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/include/hw/arm/bcm2835_peripherals.h 
b/include/hw/arm/bcm2835_peripherals.h
index 7859281e11..2e8655a7c2 100644
--- a/include/hw/arm/bcm2835_peripherals.h
+++ b/include/hw/arm/bcm2835_peripherals.h
@@ -5,7 +5,8 @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_PERIPHERALS_H
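
Review bot: the replacement text adds the COPYING pointer but no
SPDX-License-Identifier line, while the superio headers corrected in the
companion patch carry "SPDX-License-Identifier: GPL-2.0-or-later"; adding
the tag in the same edit would make the license machine-readable for
these files too. The context line above the change still spells
"Rasperry Pi 2", which could be fixed while the header is being touched.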
diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index 92a6544816..024af8aae4 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -5,7 +5,8 @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2836_H
diff --git a/include/hw/char/bcm2835_aux.h b/include/hw/char/bcm2835_aux.h
index cdbf7e3e37..934acf9c81 100644
--- a/include/hw/char/bcm2835_aux.h
+++ b/include/hw/char/bcm2835_aux.h
@@ -2,7 +2,8 @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_AUX_H
diff --git a/include/hw/display/bcm2835_fb.h b/include/hw/display/bcm2835_fb.h
index 228988ba05..2246be74d8 100644
--- a/include/hw/display/bcm2835_fb.h
+++ b/include/hw/display/bcm2835_fb.h
@@ -5,7 +5,8 @@
  * Rasperry Pi 2 emulation and refactoring Copyright (c) 2015, Microsoft
  * Written by Andrew Baumann
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_FB_H
diff --git a/include/hw/dma/bcm2835_dma.h b/include/hw/dma/bcm2835_dma.h
index 91ed8d05d1..a6747842b7 100644
--- a/include/hw/dma/bcm2835_dma.h
+++ b/include/hw/dma/bcm2835_dma.h
@@ -1,6 +1,8 @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_DMA_H
diff --git a/include/hw/intc/bcm2835_ic.h b/include/hw/intc/bcm2835_ic.h
index fb75fa0064..392ded1cb3 100644
--- a/include/hw/intc/bcm2835_ic.h
+++ b/include/hw/intc/bcm2835_ic.h
@@ -1,6 +1,8 @@
 /*
  * Raspberry Pi emulation (c) 2012 Gregory Estrade
- * This code is licensed under the GNU GPLv2 and later.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2835_IC_H
diff --git a/include/hw/intc/bcm2836_control.h 
b/include/hw/intc/bcm2836_control.h
index de061b8929..2c22405686 100644
--- a/include/hw/intc/bcm2836_control.h
+++ b/include/hw/intc/bcm2836_control.h
@@ -8,7 +8,8 @@
  * ARM Local Timer IRQ Copyright (c) 2019. Zoltán Baldaszti
  * Added basic IRQ_TIMER interrupt support
  *
- * This code is licensed under the GNU GPLv2 and later.
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
  */
 
 #ifndef BCM2836_CONTROL_H
diff --git a/include/hw/misc/bcm2835_mbox.h b/include/hw/

Re: [PATCH v5 04/60] target/riscv: add vector configure instruction

2020-03-12 Thread Alistair Francis
On Thu, Mar 12, 2020 at 8:07 AM LIU Zhiwei  wrote:
>
> vsetvl and vsetvli are two configure instructions for vl, vtype. TB flags
> should update after configure instructions. The (ill, lmul, sew) of vtype
> and the bit of (VSTART == 0 && VL == VLMAX) will be placed within tb_flags.
>
> Signed-off-by: LIU Zhiwei 
> ---
>  target/riscv/Makefile.objs  |  2 +-
>  target/riscv/cpu.h  | 63 ++
>  target/riscv/helper.h   |  2 +
>  target/riscv/insn32.decode  |  5 ++
>  target/riscv/insn_trans/trans_rvv.inc.c | 69 +
>  target/riscv/translate.c| 17 +-
>  target/riscv/vector_helper.c| 53 +++
>  7 files changed, 199 insertions(+), 12 deletions(-)
>  create mode 100644 target/riscv/insn_trans/trans_rvv.inc.c
>  create mode 100644 target/riscv/vector_helper.c
>
> diff --git a/target/riscv/Makefile.objs b/target/riscv/Makefile.objs
> index ff651f69f6..ff38df6219 100644
> --- a/target/riscv/Makefile.objs
> +++ b/target/riscv/Makefile.objs
> @@ -1,4 +1,4 @@
> -obj-y += translate.o op_helper.o cpu_helper.o cpu.o csr.o fpu_helper.o 
> gdbstub.o
> +obj-y += translate.o op_helper.o cpu_helper.o cpu.o csr.o fpu_helper.o 
> vector_helper.o gdbstub.o
>  obj-$(CONFIG_SOFTMMU) += pmp.o
>
>  ifeq ($(CONFIG_SOFTMMU),y)
> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
> index 603715f849..505d1a8515 100644
> --- a/target/riscv/cpu.h
> +++ b/target/riscv/cpu.h
> @@ -21,6 +21,7 @@
>  #define RISCV_CPU_H
>
>  #include "hw/core/cpu.h"
> +#include "hw/registerfields.h"
>  #include "exec/cpu-defs.h"
>  #include "fpu/softfloat-types.h"
>
> @@ -99,6 +100,12 @@ typedef struct CPURISCVState CPURISCVState;
>
>  #define RV_VLEN_MAX 512
>
> +FIELD(VTYPE, VLMUL, 0, 2)
> +FIELD(VTYPE, VSEW, 2, 3)
> +FIELD(VTYPE, VEDIV, 5, 2)
> +FIELD(VTYPE, RESERVED, 7, sizeof(target_ulong) * 8 - 9)
> +FIELD(VTYPE, VILL, sizeof(target_ulong) * 8 - 2, 1)
> +
>  struct CPURISCVState {
>  target_ulong gpr[32];
>  uint64_t fpr[32]; /* assume both F and D extensions */
> @@ -358,19 +365,62 @@ void riscv_cpu_set_fflags(CPURISCVState *env, 
> target_ulong);
>  #define TB_FLAGS_MMU_MASK   3
>  #define TB_FLAGS_MSTATUS_FS MSTATUS_FS
>
> +typedef CPURISCVState CPUArchState;
> +typedef RISCVCPU ArchCPU;
> +#include "exec/cpu-all.h"
> +
> +FIELD(TB_FLAGS, VL_EQ_VLMAX, 2, 1)
> +FIELD(TB_FLAGS, LMUL, 3, 2)
> +FIELD(TB_FLAGS, SEW, 5, 3)
> +FIELD(TB_FLAGS, VILL, 8, 1)
> +
> +/*
> + * A simplification for VLMAX
> + * = (1 << LMUL) * VLEN / (8 * (1 << SEW))
> + * = (VLEN << LMUL) / (8 << SEW)
> + * = (VLEN << LMUL) >> (SEW + 3)
> + * = VLEN >> (SEW + 3 - LMUL)
> + */
> +static inline uint32_t vext_get_vlmax(RISCVCPU *cpu, target_ulong vtype)
> +{
> +uint8_t sew, lmul;
> +
> +sew = FIELD_EX64(vtype, VTYPE, VSEW);
> +lmul = FIELD_EX64(vtype, VTYPE, VLMUL);
> +return cpu->cfg.vlen >> (sew + 3 - lmul);
> +}
> +
>  static inline void cpu_get_tb_cpu_state(CPURISCVState *env, target_ulong *pc,
> -target_ulong *cs_base, uint32_t 
> *flags)
> +target_ulong *cs_base, uint32_t 
> *pflags)
>  {
> +uint32_t flags = 0;
> +
>  *pc = env->pc;
>  *cs_base = 0;
> +
> +if (env->misa & RVV) {

Can you use: riscv_has_ext(env, RVV) instead?

> +uint32_t vlmax = vext_get_vlmax(env_archcpu(env), env->vtype);
> +bool vl_eq_vlmax = (env->vstart == 0) && (vlmax == env->vl);
> +flags = FIELD_DP32(flags, TB_FLAGS, VILL,
> +FIELD_EX64(env->vtype, VTYPE, VILL));
> +flags = FIELD_DP32(flags, TB_FLAGS, SEW,
> +FIELD_EX64(env->vtype, VTYPE, VSEW));
> +flags = FIELD_DP32(flags, TB_FLAGS, LMUL,
> +FIELD_EX64(env->vtype, VTYPE, VLMUL));
> +flags = FIELD_DP32(flags, TB_FLAGS, VL_EQ_VLMAX, vl_eq_vlmax);
> +} else {
> +flags = FIELD_DP32(flags, TB_FLAGS, VILL, 1);
> +}
> +
>  #ifdef CONFIG_USER_ONLY
> -*flags = TB_FLAGS_MSTATUS_FS;
> +flags |= TB_FLAGS_MSTATUS_FS;
>  #else
> -*flags = cpu_mmu_index(env, 0);
> +flags |= cpu_mmu_index(env, 0);
>  if (riscv_cpu_fp_enabled(env)) {
> -*flags |= env->mstatus & MSTATUS_FS;
> +flags |= env->mstatus & MSTATUS_FS;
>  }
>  #endif
> +*pflags = flags;
>  }
>
>  int riscv_csrrw(CPURISCVState *env, int csrno, target_ulong *ret_value,
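
Review bot: the new TB_FLAGS fields take bits 2 to 8 of a word that is
then OR-ed with cpu_mmu_index(env, 0) and with env->mstatus & MSTATUS_FS,
and nothing in this hunk shows that those values stay clear of that
range. TB_FLAGS_MMU_MASK is 3, so the MMU index fits in bits 0-1 only as
long as it never exceeds that mask. A comment listing the full bit layout
next to the FIELD() lines, or a build-time assertion that the fields do
not overlap TB_FLAGS_MMU_MASK and TB_FLAGS_MSTATUS_FS, would keep a later
change from aliasing two different translation states onto the same
flags value.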
> @@ -411,9 +461,4 @@ void riscv_set_csr_ops(int csrno, riscv_csr_operations 
> *ops);
>
>  void riscv_cpu_register_gdb_regs_for_features(CPUState *cs);
>
> -typedef CPURISCVState CPUArchState;
> -typedef RISCVCPU ArchCPU;
> -
> -#include "exec/cpu-all.h"
> -
>  #endif /* RISCV_CPU_H */
> diff --git a/target/riscv/helper.h b/target/riscv/helper.h
> index debb22a480..3c28c7e407 100644
> --- a/target/riscv/helper.h
> +++ b/target/riscv/helper.h
> @@ -76,3 +76,5 @@ DEF_HELPER_2(mret, tl, env, tl)
>  DEF_HELPER_1(wfi, void, 

Re: QMP netdev_add multiple dnssearch values

2020-03-12 Thread Eric Blake

On 11/27/19 9:49 AM, Eric Blake wrote:

On 11/27/19 7:30 AM, Markus Armbruster wrote:


"Good enough" was true back then.  It wasn't true when we reused it for
netdev_add: hostfwd and guestfwd are list-valued.

We did define a QAPI schema a few months later (14aa0c2de0 "qapi schema:
add Netdev types").  net_client_init() uses it to convert from QemuOpts
to QAPI type Netdev.  This took us to the crazy pipeline we still use
today:

                           CLI, HMP
                       (key=value,...)
                              |
                              v
    QMP (JSON) -> QDict -> QemuOpts -> Netdev

We should instead use:

                           CLI, HMP
                       (key=value,...)
                              |
                              v
                           QemuOpts
                              |
                              v
    QMP (JSON) -> QDict -> Netdev

Back in 2016, Eric (cc'ed) posted patches to get us to this pipeline.
They got stuck on backward compatibility worries: the old code accepts
all parameters as JSON strings in addition to their proper type, the new
code doesn't.  Undocumented misfeature, but we chickened out anyway.


That was before we had a deprecation process.  Now we do.  If we are 
still worried about it, then we should start the deprecation clock 
(squeezing it into 4.2-rc3 is risky, more likely is starting it in 5.0, 
so that we get rid of string support in 5.2).  If we are not worried 
about it, then we can just kill the misfeature in 5.0.


I'm leaning towards just killing the misfeature (it's a lot of glue code 
to add to support the misfeature for 5.0 and 5.1, if we're just going to 
rip it back out for 5.2), especially since introspection is enough for 
any affected clients to learn about the stricter behavior.






Let's reconsider.  Eric's patches break interface misuse that may or may
not exist in the field.  They fix a correct use of interface people want
to use (or Alex wouldn't have reported this bug), and they make QMP
introspection work for netdev_add.

Eric, what do you think?


Yes, it's time to revive that work (I have no idea if my patches from 
back then will still rebase nicely, though).


Now posted:
https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg03842.html

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org




Re: [PATCH] acpi: Add Windows ACPI Emulated Device Table (WAET)

2020-03-12 Thread Liran Alon



On 12/03/2020 21:47, Michael S. Tsirkin wrote:

On Thu, Mar 12, 2020 at 07:28:31PM +0200, Liran Alon wrote:

On 12/03/2020 18:27, Igor Mammedov wrote:

On Wed, 11 Mar 2020 19:08:26 +0200
Liran Alon  wrote:

we typically do not version ACPI table changes (there might be exceptions
but it should be a justified one).
ACPI tables are considered to be a part of firmware (even though they are
generated by QEMU) so on QEMU upgrade user gets a new firmware along with
new ACPI tables.

Hmm... I would have expected as a QEMU user that upgrading QEMU may update
my firmware exposed table (Such as ACPI),
but only if I don't specify I wish to run on a specific machine-type. In
that case, I would've expect to be exposed with exact same firmware
information.
I understood that this was one of the main reasons why ACPI/SMBIOS
generation was moved from SeaBIOS to QEMU.

If you think this isn't the case, I can just remove this flag (Makes code
simpler). What do you prefer?

Thanks for the review,
-Liran


I'm inclined to agree, but no biggie if Igor disagrees let's go along
with his opinion.

I will wait for Igor's reply on this before I submit v2 (I have it ready 
with the flag still existing).

To make sure that v2 passes all review comments. ;)

-Liran





[PATCH] net: Complete qapi-fication of netdev_add

2020-03-12 Thread Eric Blake
We've had all the required pieces for doing a type-safe representation
of netdev_add as a flat union for quite some time now (since
0e55c381f6 in v2.7.0, released in 2016), but did not make the final
switch to using it because of concern about whether a command-line
regression in accepting "1" in place of 1 for integer arguments would
be problematic.  Back then, we did not have the deprecation cycle to
allow us to make progress.  But now that we have waited so long, other
problems have crept in: for example, our desire to add
qemu-storage-daemon is hampered by the inability to express net
objects, and we are unable to introspect what we actually accept.
Additionally, our round-trip through QemuOpts silently eats any
argument that expands to an array, rendering dnssearch, hostfwd, and
guestfwd useless through QMP:

{"execute": "netdev_add", "arguments": { "id": "netdev0",
  "type": "user", "dnssearch": [
{ "str": "8.8.8.8" }, { "str": "8.8.4.4" }
  ]}}

So without further ado, let's turn on proper QAPI.

There are a few places where the QMP 'netdev_add' command is now
more strict: anywhere that the QAPI lists an integer member, we
now require a strict JSON integer (previously, we allowed both
integers and strings, because the conversion from QMP to QemuOpts
back to QObject collapsed them into integers).  For example,
pre-patch, both of these examples succeed, but post-patch, the
second example now fails:

{'execute':'netdev_add',
  'arguments':{'id':'net1', 'type':'hubport', 'hubid':1}}
{"return": {}}
{'execute':'netdev_add',
  'arguments':{'id':'net2', 'type':'hubport', 'hubid':"2"}}
{"error": {"class": "GenericError", "desc": "Invalid parameter type for 
'hubid', expected: integer"}}

But this stricter QMP is desirable, and introspection is sufficient
for any affected applications to make sure they use it correctly.

In qmp_netdev_add(), we still have to create a QemuOpts object
so that qmp_netdev_del() will be able to remove a hotplugged
network device; but the opts->head remains empty since we now
manage all parsing through the QAPI object rather than QemuOpts.

Reported-by: Alex Kirillov 
Signed-off-by: Eric Blake 
---
 qapi/net.json | 14 +-
 include/net/net.h |  1 -
 monitor/misc.c|  2 --
 net/net.c |  6 +++---
 4 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/qapi/net.json b/qapi/net.json
index 1cb9a7d782b4..cebb1b52e3b1 100644
--- a/qapi/net.json
+++ b/qapi/net.json
@@ -39,18 +39,8 @@
 #
 # Add a network backend.
 #
-# @type: the type of network backend. Possible values are listed in
-#NetClientDriver (excluding 'none' and 'nic')
-#
-# @id: the name of the new network backend
-#
 # Additional arguments depend on the type.
 #
-# TODO: This command effectively bypasses QAPI completely due to its
-#   "additional arguments" business.  It shouldn't have been added to
-#   the schema in this form.  It should be qapified properly, or
-#   replaced by a properly qapified command.
-#
 # Since: 0.14.0
 #
 # Returns: Nothing on success
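Review bot: the surviving doc line "Additional arguments depend on the type." no longer says where the arguments are defined, now that the @type and @id entries and the NetClientDriver pointer are removed just above it. As the command's 'data' becomes 'Netdev' later in this file, reword the line to name Netdev as the argument type so the comment still tells a reader where to look.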
@@ -64,9 +54,7 @@
 # <- { "return": {} }
 #
 ##
-{ 'command': 'netdev_add',
-  'data': {'type': 'str', 'id': 'str'},
-  'gen': false }# so we can get the additional arguments
+{ 'command': 'netdev_add', 'data': 'Netdev', 'boxed': true }

 ##
 # @netdev_del:
diff --git a/include/net/net.h b/include/net/net.h
index e175ba9677dc..96e6eae8176e 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -203,7 +203,6 @@ void net_cleanup(void);
 void hmp_host_net_add(Monitor *mon, const QDict *qdict);
 void hmp_host_net_remove(Monitor *mon, const QDict *qdict);
 void netdev_add(QemuOpts *opts, Error **errp);
-void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp);

 int net_hub_id_for_client(NetClientState *nc, int *id);
 NetClientState *net_hub_port_find(int hub_id);
diff --git a/monitor/misc.c b/monitor/misc.c
index c3bc34c099dd..41a86e7012a1 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -247,8 +247,6 @@ static void monitor_init_qmp_commands(void)
  qmp_query_qmp_schema, QCO_ALLOW_PRECONFIG);
 qmp_register_command(&qmp_commands, "device_add", qmp_device_add,
  QCO_NO_OPTIONS);
-qmp_register_command(&qmp_commands, "netdev_add", qmp_netdev_add,
- QCO_NO_OPTIONS);
 qmp_register_command(&qmp_commands, "object-add", qmp_object_add,
  QCO_NO_OPTIONS);

diff --git a/net/net.c b/net/net.c
index 9e93c3f8a1e2..a2065aabede2 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1170,7 +1170,7 @@ void netdev_add(QemuOpts *opts, Error **errp)
 net_client_init(opts, true, errp);
 }

-void qmp_netdev_add(QDict *qdict, QObject **ret, Error **errp)
+void qmp_netdev_add(Netdev *netdev, Error **errp)
 {
 Error *local_err = NULL;
 QemuOptsList *opts_list;
@@ -1181,12 +1181,12 @@ void qmp_netdev_add(QDict *qdict, QObject **ret, Error 
**errp)
 goto out;
 }

-opts = qemu_opts_from_qdict(o

Re: [PATCH v5 03/60] target/riscv: support vector extension csr

2020-03-12 Thread Alistair Francis
On Thu, Mar 12, 2020 at 8:05 AM LIU Zhiwei  wrote:
>
> The v0.7.1 specification does not define vector status within mstatus.
> A future revision will define the privileged portion of the vector status.
>
> Signed-off-by: LIU Zhiwei 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  target/riscv/cpu_bits.h | 15 +
>  target/riscv/csr.c  | 75 -
>  2 files changed, 89 insertions(+), 1 deletion(-)
>
> diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
> index 7f64ee1174..8117e8b5a7 100644
> --- a/target/riscv/cpu_bits.h
> +++ b/target/riscv/cpu_bits.h
> @@ -29,6 +29,14 @@
>  #define FSR_NXA (FPEXC_NX << FSR_AEXC_SHIFT)
>  #define FSR_AEXC(FSR_NVA | FSR_OFA | FSR_UFA | FSR_DZA | FSR_NXA)
>
> +/* Vector Fixed-Point round model */
> +#define FSR_VXRM_SHIFT  9
> +#define FSR_VXRM(0x3 << FSR_VXRM_SHIFT)
> +
> +/* Vector Fixed-Point saturation flag */
> +#define FSR_VXSAT_SHIFT 8
> +#define FSR_VXSAT   (0x1 << FSR_VXSAT_SHIFT)
> +
>  /* Control and Status Registers */
>
>  /* User Trap Setup */
> @@ -48,6 +56,13 @@
>  #define CSR_FRM 0x002
>  #define CSR_FCSR0x003
>
> +/* User Vector CSRs */
> +#define CSR_VSTART  0x008
> +#define CSR_VXSAT   0x009
> +#define CSR_VXRM0x00a
> +#define CSR_VL  0xc20
> +#define CSR_VTYPE   0xc21
> +
>  /* User Timers and Counters */
>  #define CSR_CYCLE   0xc00
>  #define CSR_TIME0xc01
> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
> index 11d184cd16..d71c49dfff 100644
> --- a/target/riscv/csr.c
> +++ b/target/riscv/csr.c
> @@ -46,6 +46,10 @@ void riscv_set_csr_ops(int csrno, riscv_csr_operations 
> *ops)
>  static int fs(CPURISCVState *env, int csrno)
>  {
>  #if !defined(CONFIG_USER_ONLY)
> +/* loose check condition for fcsr in vector extension */
> +if ((csrno == CSR_FCSR) && (env->misa & RVV)) {
> +return 0;
> +}
>  if (!env->debugger && !riscv_cpu_fp_enabled(env)) {
>  return -1;
>  }
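Review bot: the new early return in fs() sits ahead of the riscv_cpu_fp_enabled() test, so with RVV set in misa the predicate accepts every fcsr access even when floating point is disabled. The fflags and frm fields that read_fcsr() and write_fcsr() handle are then reachable through this path as well as vxrm and vxsat, and whether they stay protected depends on checks this hunk does not show. Please say in the comment which fields are meant to be exposed (and "loose" should read "loosen"), or keep the predicate unchanged and gate only the vector fields.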
> @@ -53,6 +57,14 @@ static int fs(CPURISCVState *env, int csrno)
>  return 0;
>  }
>
> +static int vs(CPURISCVState *env, int csrno)
> +{
> +if (env->misa & RVV) {
> +return 0;
> +}
> +return -1;
> +}
> +
>  static int ctr(CPURISCVState *env, int csrno)
>  {
>  #if !defined(CONFIG_USER_ONLY)
> @@ -174,6 +186,10 @@ static int read_fcsr(CPURISCVState *env, int csrno, 
> target_ulong *val)
>  #endif
>  *val = (riscv_cpu_get_fflags(env) << FSR_AEXC_SHIFT)
>  | (env->frm << FSR_RD_SHIFT);
> +if (vs(env, csrno) >= 0) {
> +*val |= (env->vxrm << FSR_VXRM_SHIFT)
> +| (env->vxsat << FSR_VXSAT_SHIFT);
> +}
>  return 0;
>  }
>
> @@ -186,10 +202,62 @@ static int write_fcsr(CPURISCVState *env, int csrno, 
> target_ulong val)
>  env->mstatus |= MSTATUS_FS;
>  #endif
>  env->frm = (val & FSR_RD) >> FSR_RD_SHIFT;
> +if (vs(env, csrno) >= 0) {
> +env->vxrm = (val & FSR_VXRM) >> FSR_VXRM_SHIFT;
> +env->vxsat = (val & FSR_VXSAT) >> FSR_VXSAT_SHIFT;
> +}
>  riscv_cpu_set_fflags(env, (val & FSR_AEXC) >> FSR_AEXC_SHIFT);
>  return 0;
>  }
>
> +static int read_vtype(CPURISCVState *env, int csrno, target_ulong *val)
> +{
> +*val = env->vtype;
> +return 0;
> +}
> +
> +static int read_vl(CPURISCVState *env, int csrno, target_ulong *val)
> +{
> +*val = env->vl;
> +return 0;
> +}
> +
> +static int read_vxrm(CPURISCVState *env, int csrno, target_ulong *val)
> +{
> +*val = env->vxrm;
> +return 0;
> +}
> +
> +static int write_vxrm(CPURISCVState *env, int csrno, target_ulong val)
> +{
> +env->vxrm = val;
> +return 0;
> +}
> +
> +static int read_vxsat(CPURISCVState *env, int csrno, target_ulong *val)
> +{
> +*val = env->vxsat;
> +return 0;
> +}
> +
> +static int write_vxsat(CPURISCVState *env, int csrno, target_ulong val)
> +{
> +env->vxsat = val;
> +return 0;
> +}
> +
> +static int read_vstart(CPURISCVState *env, int csrno, target_ulong *val)
> +{
> +*val = env->vstart;
> +return 0;
> +}
> +
> +static int write_vstart(CPURISCVState *env, int csrno, target_ulong val)
> +{
> +env->vstart = val;
> +return 0;
> +}
> +
>  /* User Timers and Counters */
>  static int read_instret(CPURISCVState *env, int csrno, target_ulong *val)
>  {
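Review bot: write_vxrm(), write_vxsat() and write_vstart() store val unmasked, while write_fcsr() in this same hunk limits vxrm to the FSR_VXRM field and vxsat to the FSR_VXSAT bit. A wider value written through CSR_VXRM or CSR_VXSAT is later shifted by read_fcsr() ("env->vxrm << FSR_VXRM_SHIFT", "env->vxsat << FSR_VXSAT_SHIFT") and lands in neighbouring fcsr bits. Mask in the write helpers, for example "env->vxrm = val & 0x3;" and "env->vxsat = val & 0x1;", and state what range vstart is allowed to take.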
> @@ -1269,7 +1337,12 @@ static riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
>  [CSR_FFLAGS] =  { fs,   read_fflags,  write_fflags  
> },
>  [CSR_FRM] = { fs,   read_frm, write_frm 
> },
>  [CSR_FCSR] ={ fs,   read_fcsr,write_fcsr
> },
> -
> +/* Vector CSRs */
> +[CSR_VSTART] =  { vs,   read_vstart,  write_vstart  
> },
> +[CSR_VXSAT] =   { vs,   read_vxsat,   write_vxsat   
> },
> +[CSR_VXRM] ={ vs,   read_vxrm, 

Re: [PATCH v4 00/10] Further bitmaps improvements

2020-03-12 Thread John Snow



On 3/12/20 1:59 AM, Vladimir Sementsov-Ogievskiy wrote:
> 11.03.2020 20:03, John Snow wrote:
>>
>>
>> On 3/11/20 9:58 AM, Vladimir Sementsov-Ogievskiy wrote:
>>> 11.03.2020 12:55, Max Reitz wrote:
>>>> On 11.03.20 07:17, Vladimir Sementsov-Ogievskiy wrote:
>>>>> 10.03.2020 20:17, Max Reitz wrote:
>>>>>> On 06.03.20 08:45, Vladimir Sementsov-Ogievskiy wrote:
>>>>>>> 26.02.2020 16:13, Max Reitz wrote:
>>>>>>>> On 05.02.20 12:20, Vladimir Sementsov-Ogievskiy wrote:
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> The main feature here is improvement of _next_dirty_area API,
>>>>>>>>> which I'm going to use then for backup / block-copy.
>>>>>>>>>
>>>>>>>>> Somehow, I thought that it was merged, but seems I even forgot
>>>>>>>>> to send v4.
>>>>>>>>
>>>>>>>> The changes from v3 look good to me, but I’d prefer a review
>>>>>>>> from Eric on patch 8.
>>>>>>>>
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> Could you take it now, or do you prefer me to resend?
>>>>>>
>>>>>> I understand that you agreed to drop the comment above
>>>>>> bd_extent_array_convert_to_be(), then do the
>>>>>> “s/further call/so further calls/” replacement, and finally
>>>>>> replace the whole four lines Eric has quoted by “(this ensures
>>>>>> that after a failure, no further extents can accidentally change
>>>>>> the bounds of the last extent in the array)”?
>>>>>>
>>>>>
>>>>> Yes, all true.
>>>>
>>>> Hm, I could take it then, but on second thought, John is the maintainer
>>>> for 8/10 patches, and Eric is for the other two...  So I’m not sure
>>>> whether I’m even the right person to do so.
>>>>
>>>
>>> Hmm, true. Let's wait for John?
>>>
>>>
>>
>> I am *VERY* behind on my email, and this patch series is sitting in my
>> to-review folder. However, if it's ready to go and reviewed, I'm willing
>> to merge it, test it, and give it a quick look-over and get you on
>> your way.
>>
> 
> It would be great, if it is convenient for you. Thanks!
> All patches are reviewed now by Max or Eric, so, I'd be very glad if
> this get in 5.0.
> 
> 
> 

Thanks, applied to my bitmaps tree:

https://github.com/jnsnow/qemu/commits/bitmaps
https://github.com/jnsnow/qemu.git

--js




Re: [PULL 00/36] target-arm queue

2020-03-12 Thread Peter Maydell
On Thu, 12 Mar 2020 at 16:45, Peter Maydell  wrote:
>
> arm queue; dunno if this will be the last before softfreeze
> or not, but anyway probably the last large one. New orangepi-pc
> board model is the big item here.
>
> thanks
> -- PMM
>
> The following changes since commit 67d9ef7d541c3d21a25796c51c26da096a433565:
>
>   Merge remote-tracking branch 'remotes/pmaydell/tags/pull-docs-20200312' 
> into staging (2020-03-12 15:20:52 +)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git 
> tags/pull-target-arm-20200312
>
> for you to fetch changes up to aca53be34ac3e7cac5f39396a51a338860a5a837:
>
>   target/arm: kvm: Inject events at the last stage of sync (2020-03-12 
> 16:31:10 +)
>
> 
> target-arm queue:
>  * Fix various bugs that might result in an assert() due to
>incorrect hflags for M-profile CPUs
>  * Fix Aspeed SMC Controller user-mode select handling
>  * Report correct (with-tag) address in fault address register
>when TBI is enabled
>  * cubieboard: make sure SOC object isn't leaked
>  * fsl-imx25: Wire up eSDHC controllers
>  * fsl-imx25: Wire up USB controllers
>  * New board model: orangepi-pc (OrangePi PC)
>  * ARM/KVM: if user doesn't select GIC version and the
>host kernel can only provide GICv3, use that, rather
>than defaulting to "fail because GICv2 isn't possible"
>  * kvm: Only do KVM_SET_VCPU_EVENTS at the last stage of sync


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.0
for any user-visible changes.

-- PMM



Re: [PATCH v2] linux-user: fix socket() strace

2020-03-12 Thread Philippe Mathieu-Daudé

On 3/12/20 5:55 PM, Laurent Vivier wrote:

print_socket_type() doesn't manage flags and the correct type cannot
be displayed

Signed-off-by: Laurent Vivier 
---

Notes:
 v2: replace gemu_log() by qemu_log() as it has been removed from qemu

  linux-user/strace.c | 8 +++-
  1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/linux-user/strace.c b/linux-user/strace.c
index 4f7130b2ff63..69232f7e27b8 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -444,7 +444,7 @@ print_socket_domain(int domain)
  static void
  print_socket_type(int type)
  {
-switch (type) {
+switch (type & TARGET_SOCK_TYPE_MASK) {
  case TARGET_SOCK_DGRAM:
  qemu_log("SOCK_DGRAM");
  break;
@@ -464,6 +464,12 @@ print_socket_type(int type)
  qemu_log("SOCK_PACKET");
  break;
  }
+if (type & TARGET_SOCK_CLOEXEC) {
+qemu_log("|SOCK_CLOEXEC");
+}
+if (type & TARGET_SOCK_NONBLOCK) {
+qemu_log("|SOCK_NONBLOCK");
+}
  }
  
  static void
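Review bot: after the switch only TARGET_SOCK_CLOEXEC and TARGET_SOCK_NONBLOCK are decoded, so any other bit set outside TARGET_SOCK_TYPE_MASK vanishes from the trace. Since this output is what people read to debug a guest's socket() call, print whatever is left once the mask and both flags are cleared (in hex is enough) so an unexpected value stays visible.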




Reviewed-by: Philippe Mathieu-Daudé 




[PATCH] hw/net/i82596.c: Avoid reading off end of buffer in i82596_receive()

2020-03-12 Thread Peter Maydell
The i82596_receive() function attempts to pass the guest a buffer
which is effectively the concatenation of the data it is passed and a
4 byte CRC value.  However, rather than implementing this as "write
the data; then write the CRC" it instead bumps the length value of
the data by 4, and writes 4 extra bytes from beyond the end of the
buffer, which it then overwrites with the CRC.  It also assumed that
we could always fit all four bytes of the CRC into the final receive
buffer, which might not be true if the CRC needs to be split over two
receive buffers.

Calculate separately how many bytes we need to transfer into the
guest's receive buffer from the source buffer, and how many we need
to transfer from the CRC work.

We add a count 'bufsz' of the number of bytes left in the source
buffer, which we use purely to assert() that we don't overrun.

Spotted by Coverity (CID 1419396) for the specific case when we end
up using a local array as the source buffer.

Signed-off-by: Peter Maydell 
---
I know Helge has some significant rework of this device planned, but
for 5.0 we need to fix the buffer overrun.

Tested with 'make check' only.
---
 hw/net/i82596.c | 44 +++-
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/hw/net/i82596.c b/hw/net/i82596.c
index fe9f2390a94..2bd5d310367 100644
--- a/hw/net/i82596.c
+++ b/hw/net/i82596.c
@@ -501,7 +501,8 @@ ssize_t i82596_receive(NetClientState *nc, const uint8_t 
*buf, size_t sz)
 uint32_t rfd_p;
 uint32_t rbd;
 uint16_t is_broadcast = 0;
-size_t len = sz;
+size_t len = sz; /* length of data for guest (including CRC) */
+size_t bufsz = sz; /* length of data in buf */
 uint32_t crc;
 uint8_t *crc_ptr;
 uint8_t buf1[MIN_BUF_SIZE + VLAN_HLEN];
@@ -595,6 +596,7 @@ ssize_t i82596_receive(NetClientState *nc, const uint8_t 
*buf, size_t sz)
 if (len < MIN_BUF_SIZE) {
 len = MIN_BUF_SIZE;
 }
+bufsz = len;
 }
 
 /* Calculate the ethernet checksum (4 bytes) */
@@ -627,6 +629,7 @@ ssize_t i82596_receive(NetClientState *nc, const uint8_t 
*buf, size_t sz)
 while (len) {
 uint16_t buffer_size, num;
 uint32_t rba;
+size_t bufcount, crccount;
 
 /* printf("Receive: rbd is %08x\n", rbd); */
 buffer_size = get_uint16(rbd + 12);
@@ -639,14 +642,37 @@ ssize_t i82596_receive(NetClientState *nc, const uint8_t 
*buf, size_t sz)
 }
 rba = get_uint32(rbd + 8);
 /* printf("rba is 0x%x\n", rba); */
-address_space_write(&address_space_memory, rba,
-MEMTXATTRS_UNSPECIFIED, buf, num);
-rba += num;
-buf += num;
-len -= num;
-if (len == 0) { /* copy crc */
-address_space_write(&address_space_memory, rba - 4,
-MEMTXATTRS_UNSPECIFIED, crc_ptr, 4);
+/*
+ * Calculate how many bytes we want from buf[] and how many
+ * from the CRC.
+ */
+if ((len - num) >= 4) {
+/* The whole guest buffer, we haven't hit the CRC yet */
+bufcount = num;
+} else {
+/* All that's left of buf[] */
+bufcount = len - 4;
+}
+crccount = num - bufcount;
+
+if (bufcount > 0) {
+/* Still some of the actual data buffer to transfer */
+bufsz -= bufcount;
+assert(bufsz >= 0);
+address_space_write(&address_space_memory, rba,
+MEMTXATTRS_UNSPECIFIED, buf, bufcount);
+rba += bufcount;
+buf += bufcount;
+len -= bufcount;
+}
+
+/* Write as much of the CRC as fits */
+if (crccount > 0) {
+address_space_write(&address_space_memory, rba,
+MEMTXATTRS_UNSPECIFIED, crc_ptr, crccount);
+rba += crccount;
+crc_ptr += crccount;
+len -= crccount;
 }
 
 num |= 0x4000; /* set F BIT */
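Review bot: "assert(bufsz >= 0);" after "bufsz -= bufcount;" can never fire, because bufsz is declared size_t in the first hunk and an underflow wraps to a large positive value instead of going negative. Test before subtracting, "assert(bufsz >= bufcount);". The same unsigned arithmetic affects "bufcount = len - 4;": once an earlier pass has written only part of the CRC, len is 1 to 3 on the next pass and "len - 4" wraps, so the split-CRC case named in the commit message needs bufcount forced to 0 when len is below 4.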
-- 
2.20.1
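
The "write the data; then write the CRC" split described in the commit message above, as an added stand-alone example (not code from the patch or from QEMU). `struct rx_buf`, `scatter_frame()` and the sample bytes are constructed for illustration; the counts are taken with `min()` so no unsigned subtraction can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC_LEN 4

/* Hypothetical stand-in for one guest receive buffer (not a QEMU type). */
struct rx_buf {
    uint8_t *mem;   /* backing storage */
    size_t cap;     /* capacity in bytes */
    size_t used;    /* bytes placed here by scatter_frame() */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/*
 * Scatter data[0..data_len) followed by crc[0..CRC_LEN) over bufs[].
 * Returns the total number of bytes written, or -1 if the buffers are
 * too small. Never reads past data + data_len or crc + CRC_LEN.
 */
static long scatter_frame(const uint8_t *data, size_t data_len,
                          const uint8_t crc[CRC_LEN],
                          struct rx_buf *bufs, size_t nbufs)
{
    size_t data_left = data_len;   /* unread payload bytes */
    size_t crc_left = CRC_LEN;     /* CRC bytes not yet written */
    size_t total = 0;

    for (size_t i = 0; i < nbufs; i++) {
        bufs[i].used = 0;
    }
    for (size_t i = 0; i < nbufs && (data_left || crc_left); i++) {
        size_t room = bufs[i].cap;

        /* Payload first: bounded by both the buffer and what is left. */
        size_t bufcount = min_sz(room, data_left);
        memcpy(bufs[i].mem, data, bufcount);
        data += bufcount;
        data_left -= bufcount;
        room -= bufcount;

        /* CRC only once the payload is exhausted; it may be partial. */
        size_t crccount = 0;
        if (data_left == 0) {
            crccount = min_sz(room, crc_left);
            memcpy(bufs[i].mem + bufcount,
                   crc + (CRC_LEN - crc_left), crccount);
            crc_left -= crccount;
        }
        bufs[i].used = bufcount + crccount;
        total += bufs[i].used;
    }
    return (data_left || crc_left) ? -1 : (long)total;
}

/* Constructed sample: 6 payload bytes, CRC de ad be ef. */
static const uint8_t sample_payload[6] = {1, 2, 3, 4, 5, 6};
static const uint8_t sample_crc[CRC_LEN] = {0xde, 0xad, 0xbe, 0xef};

/* Two 8-byte buffers: the CRC straddles them (2 bytes + 2 bytes). */
static int demo_crc_split(void)
{
    static const uint8_t want0[8] = {1, 2, 3, 4, 5, 6, 0xde, 0xad};
    static const uint8_t want1[2] = {0xbe, 0xef};
    uint8_t m0[8] = {0}, m1[8] = {0};
    struct rx_buf bufs[2] = { { m0, sizeof(m0), 0 }, { m1, sizeof(m1), 0 } };

    long n = scatter_frame(sample_payload, sizeof(sample_payload),
                           sample_crc, bufs, 2);
    return n == 10 && bufs[0].used == 8 && bufs[1].used == 2 &&
           memcmp(m0, want0, 8) == 0 && memcmp(m1, want1, 2) == 0;
}

/* A single 8-byte buffer cannot hold 6 + 4 bytes: reported as -1. */
static long demo_too_small(void)
{
    uint8_t m0[8] = {0};
    struct rx_buf bufs[1] = { { m0, sizeof(m0), 0 } };

    return scatter_frame(sample_payload, sizeof(sample_payload),
                         sample_crc, bufs, 1);
}

int main(void)
{
    printf("crc split ok: %d, too small: %ld\n",
           demo_crc_split(), demo_too_small());
    return 0;
}
```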




[PATCH v6 41/42] target/arm: Create tagged ram when MTE is enabled

2020-03-12 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
v5: Assign cs->num_ases to the final value first.
Downgrade to ID_AA64PFR1.MTE=1 if tag memory is not available.
v6: Add secure tag memory for EL3.
---
 target/arm/cpu.h |  6 ++
 hw/arm/virt.c| 52 +++
 target/arm/cpu.c | 53 +---
 3 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index b78bf2be4a..b360123b37 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -771,6 +771,10 @@ struct ARMCPU {
 /* MemoryRegion to use for secure physical accesses */
 MemoryRegion *secure_memory;
 
+/* MemoryRegion to use for allocation tag accesses */
+MemoryRegion *tag_memory;
+MemoryRegion *secure_tag_memory;
+
 /* For v8M, pointer to the IDAU interface provided by board/SoC */
 Object *idau;
 
@@ -2953,6 +2957,8 @@ typedef enum ARMMMUIdxBit {
 typedef enum ARMASIdx {
 ARMASIdx_NS = 0,
 ARMASIdx_S = 1,
+ARMASIdx_TagNS = 2,
+ARMASIdx_TagS = 3,
 } ARMASIdx;
 
 /* Return the Exception Level targeted by debug exceptions. */
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 32d865a488..63b9d84eb8 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1389,6 +1389,16 @@ static void create_secure_ram(VirtMachineState *vms,
 g_free(nodename);
 }
 
+static void create_tag_ram(MemoryRegion *tag_sysmem,
+   hwaddr base, hwaddr size,
+   const char *name)
+{
+MemoryRegion *tagram = g_new(MemoryRegion, 1);
+
+memory_region_init_ram(tagram, NULL, name, size / 32, &error_fatal);
+memory_region_add_subregion(tag_sysmem, base / 32, tagram);
+}
+
 static void *machvirt_dtb(const struct arm_boot_info *binfo, int *fdt_size)
 {
 const VirtMachineState *board = container_of(binfo, VirtMachineState,
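Review bot: create_tag_ram() divides both size and base by a bare 32, and the same constant returns in the "UINT64_MAX / 32" region sizes further down this file. Give the ratio a name, or add a one-line comment saying what it encodes (4 bits of tag per 16-byte granule), so the "base / 32" offset and the region sizes cannot drift apart in a later edit.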
@@ -1543,6 +1553,8 @@ static void machvirt_init(MachineState *machine)
 const CPUArchIdList *possible_cpus;
 MemoryRegion *sysmem = get_system_memory();
 MemoryRegion *secure_sysmem = NULL;
+MemoryRegion *tag_sysmem = NULL;
+MemoryRegion *secure_tag_sysmem = NULL;
 int n, virt_max_cpus;
 bool firmware_loaded;
 bool aarch64 = true;
@@ -1715,6 +1727,35 @@ static void machvirt_init(MachineState *machine)
  "secure-memory", &error_abort);
 }
 
+/*
+ * The cpu adds the property if and only if MemTag is supported.
+ * If it is, we must allocate the ram to back that up.
+ */
+if (object_property_find(cpuobj, "tag-memory", NULL)) {
+if (!tag_sysmem) {
+tag_sysmem = g_new(MemoryRegion, 1);
+memory_region_init(tag_sysmem, OBJECT(machine),
+   "tag-memory", UINT64_MAX / 32);
+
+if (vms->secure) {
+secure_tag_sysmem = g_new(MemoryRegion, 1);
+memory_region_init(secure_tag_sysmem, OBJECT(machine),
+   "secure-tag-memory", UINT64_MAX / 32);
+
+/* As with ram, secure-tag takes precedence over tag.  */
+memory_region_add_subregion_overlap(secure_tag_sysmem, 0,
+tag_sysmem, -1);
+}
+}
+
+object_property_set_link(cpuobj, OBJECT(tag_sysmem),
+ "tag-memory", &error_abort);
+if (vms->secure) {
+object_property_set_link(cpuobj, OBJECT(secure_tag_sysmem),
+ "secure-tag-memory", &error_abort);
+}
+}
+
 object_property_set_bool(cpuobj, true, "realized", &error_fatal);
 object_unref(cpuobj);
 }
@@ -1757,6 +1798,17 @@ static void machvirt_init(MachineState *machine)
 create_uart(vms, VIRT_SECURE_UART, secure_sysmem, serial_hd(1));
 }
 
+if (tag_sysmem) {
+create_tag_ram(tag_sysmem, vms->memmap[VIRT_MEM].base,
+   machine->ram_size, "mach-virt.tag");
+if (vms->secure) {
+create_tag_ram(secure_tag_sysmem,
+   vms->memmap[VIRT_SECURE_MEM].base,
+   vms->memmap[VIRT_SECURE_MEM].size,
+   "mach-virt.secure-tag");
+}
+}
+
 vms->highmem_ecam &= vms->highmem && (!firmware_loaded || aarch64);
 
 create_rtc(vms);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 96c20317ad..c320b4bc71 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1298,6 +1298,27 @@ void arm_cpu_post_init(Object *obj)
 if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
 qdev_property_add_static(DEVICE(cpu), &arm_cpu_gt_cntfrq_property);
 }
+
+#ifndef CONFIG_USER_ONLY
+if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) &&
+cpu_isar_feature(aa64_mte, cpu)) {
+object_pro

[PATCH v6 33/42] target/arm: Add mte helpers for sve scalar + int ff/nf loads

2020-03-12 Thread Richard Henderson
Because the elements are sequential, we can eliminate many tests all
at once when the tag hits TCMA, or if the page(s) are not Tagged.

Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  98 
 target/arm/sve_helper.c|  98 ++--
 target/arm/translate-sve.c | 232 +
 3 files changed, 342 insertions(+), 86 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index e81d06b27c..849478fc76 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1273,6 +1273,55 @@ DEF_HELPER_FLAGS_4(sve_ldff1sds_be_r, TCG_CALL_NO_WG, 
void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldff1dd_le_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldff1dd_be_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 
+DEF_HELPER_FLAGS_4(sve_ldff1bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bhu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bsu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bdu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bhs_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bss_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1bds_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldff1hh_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hsu_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hdu_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hss_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hds_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldff1hh_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hsu_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hdu_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hss_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1hds_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldff1ss_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1sdu_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1sds_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldff1ss_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1sdu_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1sds_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldff1dd_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldff1dd_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
 DEF_HELPER_FLAGS_4(sve_ldnf1bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldnf1bhu_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldnf1bsu_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
@@ -1304,6 +1353,55 @@ DEF_HELPER_FLAGS_4(sve_ldnf1sds_be_r, TCG_CALL_NO_WG, 
void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldnf1dd_le_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldnf1dd_be_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 
+DEF_HELPER_FLAGS_4(sve_ldnf1bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bhu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bsu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bdu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bhs_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bss_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1bds_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldnf1hh_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1hsu_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1hdu_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1hss_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1hds_le_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ldnf1hh_be_r_mte, TCG_CALL_NO_WG,
+   void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ldnf1hsu_be_r_mte, TCG

[PATCH v6 32/42] target/arm: Add mte helpers for sve scalar + int stores

2020-03-12 Thread Richard Henderson
Because the elements are sequential, we can eliminate many tests all
at once when the tag hits TCMA, or if the page(s) are not Tagged.

Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  47 +++
 target/arm/sve_helper.c|  95 --
 target/arm/translate-sve.c | 162 -
 3 files changed, 226 insertions(+), 78 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index af1c6967a6..e81d06b27c 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1351,6 +1351,53 @@ DEF_HELPER_FLAGS_4(sve_st1hd_be_r, TCG_CALL_NO_WG, void, 
env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_st1sd_le_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_st1sd_be_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 
+DEF_HELPER_FLAGS_4(sve_st1bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st2dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st3dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st4dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1bh_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1bs_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1bd_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1hs_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1hd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1hs_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1hd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_st1sd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_st1sd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
 DEF_HELPER_FLAGS_6(sve_ldbsu_zsu, TCG_CALL_NO_WG,
void, env, ptr, ptr, ptr, tl, i32)
 DEF_HELPER_FLAGS_6(sve_ldhsu_le_zsu, TCG_CALL_NO_WG,
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 0fbf331742..0b8522ff01 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -5187,11 +5187,12 @@ DO_LDFF1_LDNF1_2(dd,  MO_64, MO_64)
  */
 
 static inline QEMU_ALWAYS_INLINE
-void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr, uint32_t 
desc,
-   const uintptr_t retaddr, const int esz,
-   const int msz, const int N,
+void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr,
+   uint32_t desc, const uintptr_t retaddr,
+   const int esz, const int msz, const int N, uint32_t mtedesc,
sve_ldst1_host_fn *host_fn,
-   sve_ldst1_tlb_fn *tlb_fn)
+   sve_ldst1_tlb_fn *tlb_fn,
+   sve_cont_ldst_mte_check_fn *mte_check_fn)
 {
 const unsigned rd = simd_data(desc);
 const intptr_t reg_max = simd_oprsz(desc);
@@ -5213,7 +5214,14 @@ void sve_stN_r(CPUARMState *env, uint64_t *vg, 
target_ulong addr, uint32_t desc

Re: [PATCH v8 00/18] Add Allwinner H3 SoC and Orange Pi PC Machine

2020-03-12 Thread Niek Linnenbank
On Thu, Mar 12, 2020 at 5:22 PM Peter Maydell 
wrote:

> On Wed, 11 Mar 2020 at 22:19, Niek Linnenbank 
> wrote:
> >
> > Dear QEMU developers,
> >
> > Hereby I would like to contribute the following set of patches to QEMU
> > which add support for the Allwinner H3 System on Chip and the
> > Orange Pi PC machine. The following features and devices are supported:
> >
> >  * SMP (Quad Core Cortex A7)
> >  * Generic Interrupt Controller configuration
> >  * SRAM mappings
> >  * SDRAM controller
> >  * Real Time Clock
> >  * Timer device (re-used from Allwinner A10)
> >  * UART
> >  * SD/MMC storage controller
> >  * EMAC ethernet
> >  * USB 2.0 interfaces
> >  * Clock Control Unit
> >  * System Control module
> >  * Security Identifier device
>
>
>
> Applied to target-arm.next, thanks.


Great news! And thanks for your support as well Peter!


> (I moved
> the doc into its new location now that the split-out
> of the arm board docs into separate files has landed.)
>

Yeah sure, indeed, that makes sense.

Regards,
Niek


> -- PMM
>


-- 
Niek Linnenbank


[PATCH v6 29/42] target/arm: Use mte_checkN for sve unpredicated stores

2020-03-12 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  1 +
 target/arm/sve_helper.c| 63 ++-
 target/arm/translate-sve.c | 88 ++
 3 files changed, 94 insertions(+), 58 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index 82ea70cf63..4e71501838 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1124,6 +1124,7 @@ DEF_HELPER_FLAGS_5(sve_ftmad_s, TCG_CALL_NO_RWG, void, 
ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(sve_ftmad_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(sve_ldr, TCG_CALL_NO_WG, void, env, ptr, tl, int)
+DEF_HELPER_FLAGS_4(sve_str, TCG_CALL_NO_WG, void, env, ptr, tl, int)
 
 DEF_HELPER_FLAGS_4(sve_ld1bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ld2bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index ede72a2989..2396737420 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -4191,7 +4191,7 @@ static bool sve_probe_page(SVEHostPage *info, bool 
nofault,
 }
 
 /*
- * Load contiguous data, unpredicated.
+ * Load/store contiguous data, unpredicated.
  *
  * Note that unpredicated load/store of vector/predicate registers
  * are defined as a stream of bytes, which equates to little-endian
@@ -4261,6 +4261,67 @@ void HELPER(sve_ldr)(CPUARMState *env, void *vd, 
target_ulong addr, int size)
 }
 }
 
+void HELPER(sve_str)(CPUARMState *env, void *vd, target_ulong addr, int size)
+{
+int mem_idx = cpu_mmu_index(env, false);
+int in_page = -((int)addr | TARGET_PAGE_MASK);
+uintptr_t ra = GETPC();
+uint64_t val;
+void *host;
+int i;
+
+/* Small stores are expanded inline. */
+tcg_debug_assert(size > 2 * 8);
+
+if (likely(size <= in_page)) {
+host = probe_write(env, addr, size, mem_idx, ra);
+if (likely(host != NULL)) {
+for (i = 0; i + 8 <= size; i += 8) {
+stq_le_p(host + i, *(uint64_t *)(vd + i));
+}
+
+/* Predicate load length may be any multiple of 2. */
+if (unlikely(i != size)) {
+val = *(uint64_t *)(vd + i);
+if (size & 4) {
+stl_le_p(host + i, val);
+i += 4;
+val >>= 32;
+}
+if (size & 2) {
+stw_le_p(host + i, val);
+}
+}
+return;
+}
+} else {
+(void)probe_write(env, addr, in_page, mem_idx, ra);
+(void)probe_write(env, addr + in_page, size - in_page, mem_idx, ra);
+}
+
+/*
+ * Note there is no endian-specific target store function, so to handle
+ * aarch64_be-linux-user we need to bswap the big-endian store.
+ */
+for (i = 0; i + 8 <= size; i += 8) {
+val = *(uint64_t *)(vd + i);
+cpu_stq_data_ra(env, addr + i, le_bswap64(val), ra);
+}
+
+/* Predicate load length may be any multiple of 2. */
+if (unlikely(i != size)) {
+val = *(uint64_t *)(vd + i);
+if (size & 4) {
+cpu_stl_data_ra(env, addr + i, le_bswap32(val), ra);
+i += 4;
+val >>= 32;
+}
+if (size & 2) {
+cpu_stw_data_ra(env, addr + i, le_bswap16(val), ra);
+}
+}
+}
+
 /*
  * Analyse contiguous data, protected by a governing predicate.
  */
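
Review bot: both tail comments in sve_str say "Predicate load length may be any multiple of 2", carried over from the load helper; in a store helper they should say "store length". The tail also reads a full uint64_t with `val = *(uint64_t *)(vd + i);` when only 2, 4 or 6 bytes of the register remain, so a comment stating what guarantees the register storage extends to the next 8-byte boundary would make that read easier to trust.
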
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index e55f8835bb..49d2e68564 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -4430,78 +4430,52 @@ static void do_str(DisasContext *s, uint32_t vofs, int 
len, int rn, int imm)
 int len_remain = len % 8;
 int nparts = len / 8 + ctpop8(len_remain);
 int midx = get_mem_index(s);
-TCGv_i64 addr, t0;
+TCGv_i64 dirty_addr, clean_addr, t0;
+int i;
+
+dirty_addr = read_cpu_reg_sp(s, rn, true);
+tcg_gen_addi_i64(dirty_addr, dirty_addr, imm);
+
+clean_addr = gen_mte_checkN(s, dirty_addr, true, rn != 31, len, MO_8);
+
+/* Limit tcg code expansion by doing large loads out of line. */
+if (nparts > 4) {
+TCGv_ptr t_rd = tcg_temp_new_ptr();
+TCGv_i32 t_len = tcg_const_i32(len);
+
+tcg_gen_addi_ptr(t_rd, cpu_env, vofs);
+gen_helper_sve_str(cpu_env, t_rd, clean_addr, t_len);
+tcg_temp_free_ptr(t_rd);
+tcg_temp_free_i32(t_len);
+return;
+}
 
-addr = tcg_temp_new_i64();
 t0 = tcg_temp_new_i64();
-
-/* Note that unpredicated load/store of vector/predicate registers
- * are defined as a stream of bytes, which equates to little-endian
- * operations on larger quantities.  There is no nice way to force
- * a little-endian store for aarch64_be-linux-user out of line.
- *
- * Attempt to keep code expansion to a minimum by limiting the
- * amount of unrolling done.
- */
-

[PATCH v6 28/42] target/arm: Use mte_checkN for sve unpredicated loads

2020-03-12 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  2 +
 target/arm/sve_helper.c| 74 --
 target/arm/translate-sve.c | 93 --
 3 files changed, 110 insertions(+), 59 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index 2f47279155..82ea70cf63 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1123,6 +1123,8 @@ DEF_HELPER_FLAGS_5(sve_ftmad_h, TCG_CALL_NO_RWG, void, 
ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(sve_ftmad_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(sve_ftmad_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(sve_ldr, TCG_CALL_NO_WG, void, env, ptr, tl, int)
+
 DEF_HELPER_FLAGS_4(sve_ld1bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ld2bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ld3bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 80453953ad..ede72a2989 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -3967,10 +3967,6 @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void 
*vg, uint32_t desc)
 } while (i != 0);
 }
 
-/*
- * Load contiguous data, protected by a governing predicate.
- */
-
 /*
  * Load elements into @vd + @reg_off, from @host,
  * or the reverse for stores.
@@ -4194,6 +4190,76 @@ static bool sve_probe_page(SVEHostPage *info, bool 
nofault,
 return true;
 }
 
+/*
+ * Load contiguous data, unpredicated.
+ *
+ * Note that unpredicated load/store of vector/predicate registers
+ * are defined as a stream of bytes, which equates to little-endian
+ * operations on larger quantities.
+ *
+ * Note any MTE check is already handled.
+ */
+
+void HELPER(sve_ldr)(CPUARMState *env, void *vd, target_ulong addr, int size)
+{
+int mmu_idx = cpu_mmu_index(env, false);
+int in_page = -((int)addr | TARGET_PAGE_MASK);
+uintptr_t ra = GETPC();
+uint64_t val;
+int i;
+
+/* Small loads are expanded inline. */
+tcg_debug_assert(size > 2 * 8);
+
+/* Bulk copy the data from memory to the register. */
+if (likely(size <= in_page)) {
+void *host = probe_read(env, addr, size, mmu_idx, ra);
+
+if (unlikely(!host)) {
+goto mmio;
+}
+memcpy(vd, host, size);
+} else {
+void *h1 = probe_read(env, addr, in_page, mmu_idx, ra);
+void *h2 = probe_read(env, addr + in_page, size - in_page, mmu_idx, 
ra);
+
+if (unlikely(!h1 || !h2)) {
+goto mmio;
+}
+memcpy(vd, h1, in_page);
+memcpy(vd + in_page, h2, size - in_page);
+}
+
+/* Predicate load length may be any multiple of 2; ensure high bits 0. */
+if (unlikely(size & 7)) {
+memset(vd + size, 0, 8 - (size & 7));
+}
+
+/*
+ * The memcpy and memset above kept the bytes in memory order.
+ * The in-register format has uint64_t in host order, so for
+ * big-endian host we need to bswap.
+ */
+for (i = 0; i < size; i += 8) {
+le64_to_cpus(vd + i);
+}
+return;
+
+ mmio:
+for (i = 0; i + 8 <= size; i += 8) {
+val = cpu_ldq_data_ra(env, addr + i, ra);
+val = le_bswap64(val);
+*(uint64_t *)(vd + i) = val;
+}
+
+/* Predicate load length may be any multiple of 2. */
+if (unlikely(i != size)) {
+val = cpu_ldq_data_ra(env, addr + i, ra);
+val = le_bswap64(val);
+val >>= (size - i) * 8;
+*(uint64_t *)(vd + i + 8) = val;
+}
+}
 
 /*
  * Analyse contiguous data, protected by a governing predicate.
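
Review bot: the tail of the mmio path in sve_ldr looks wrong for predicate lengths that are not a multiple of 8. After the loop, i is already the offset of the partial final word, so the store through `*(uint64_t *)(vd + i + 8)` lands one word past it; `cpu_ldq_data_ra(env, addr + i, ra)` reads a full 8 bytes although only size - i remain, which touches memory beyond the requested range; and `val >>= (size - i) * 8` after the little-endian swap shifts out the low bytes, which are the valid ones. Suggest loading only the remaining 2, 4 or 6 bytes and writing the zero-extended result to vd + i.
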
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 7bd7de80e6..e55f8835bb 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -4352,8 +4352,13 @@ static bool trans_UCVTF_dd(DisasContext *s, arg_rpr_esz 
*a)
  *** SVE Memory - 32-bit Gather and Unsized Contiguous Group
  */
 
-/* Subroutine loading a vector register at VOFS of LEN bytes.
+/*
+ * Subroutine loading a vector register at VOFS of LEN bytes.
  * The load should begin at the address Rn + IMM.
+ *
+ * Note that unpredicated load/store of vector/predicate registers
+ * are defined as a stream of bytes, which equates to little-endian
+ * operations on larger quantities.
  */
 
 static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
@@ -4362,81 +4367,59 @@ static void do_ldr(DisasContext *s, uint32_t vofs, int 
len, int rn, int imm)
 int len_remain = len % 8;
 int nparts = len / 8 + ctpop8(len_remain);
 int midx = get_mem_index(s);
-TCGv_i64 addr, t0, t1;
+TCGv_i64 dirty_addr, clean_addr, t0, t1;
+int i;
 
-addr = tcg_temp_new_i64();
-t0 = tcg_temp_new_i64();
+dirty_addr = read_cpu_reg_sp(s, rn, true);
+tcg_gen_addi_i64(dirty_addr, dirty_addr, imm);
 
-/* Note that unpredicated load/store of vector/predicate registers
- *

Re: [PATCH] acpi: Add Windows ACPI Emulated Device Table (WAET)

2020-03-12 Thread Michael S. Tsirkin
On Thu, Mar 12, 2020 at 07:28:31PM +0200, Liran Alon wrote:
> 
> On 12/03/2020 18:27, Igor Mammedov wrote:
> > On Wed, 11 Mar 2020 19:08:26 +0200
> > Liran Alon  wrote:
> > > +
> > > +static void
> > > +build_waet(GArray *table_data, BIOSLinker *linker)
> > see build_hmat_lb() for example how to doc comment for such function
> > should look like. Use earliest spec version where table was introduced.
> 
> Note that WAET is a table that is not part of ACPI spec officially.
> It's specified in its own document, there is only a single version, and
> there is only a single table in that document describing that table
> structure.
> 
> Therefore, I cannot write a comment such as build_hmat_lb() has:
> /*
>  * ACPI 6.3: 5.2.27.4 System Locality Latency and Bandwidth Information
>  * Structure: Table 5-146
> */
> 
> My best attempt to do something similar in v2 is:
> /*
>  * Windows ACPI Emulated Devices Table
>  * (Version 1.0 - April 6, 2009)
>  * Spec: 
> http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
>  *
>  * Helpful to speedup Windows guests and ignored by others.
>  */
> 
> If it's not sufficient, please suggest alternative phrasing which I would
> use in v2.
> 
> > 
> > > +{
> > > +AcpiTableWaet *waet;
> > > +
> > > +waet = acpi_data_push(table_data, sizeof(*waet));
> > > +waet->emulated_device_flags = cpu_to_le32(ACPI_WAET_PM_TIMER_GOOD);
> > we don't use packed structures for building ACPI tables anymore (there is
> > old code that still does but that's being converted when we touch it)
> > 
> > pls use build_append_int_noprefix() api instead, see build_amd_iommu() as
> > an example how to build binary tables using it and how to use comments
> > to document fields.
> > Basic idea is that api makes function building a table match table's
> > description in spec (each call represents a row in spec) and comment
> > belonging to a row should contain verbatim field name as used by spec
> > so reader could copy/paste and grep it easily.
> Thanks for pointing this out.
> I will make sure to update my code accordingly in v2.
> > 
> > 
> > 
> > 
> > > +
> > > +build_header(linker, table_data,
> > > + (void *)waet, "WAET", sizeof(*waet), 1, NULL, NULL);
> > > +}
> > > +
> > >   /*
> > >*   IVRS table as specified in AMD IOMMU Specification v2.62, Section 
> > > 5.2
> > >*   accessible here 
> > > https://urldefense.com/v3/__http://support.amd.com/TechDocs/48882_IOMMU.pdf__;!!GqivPVa7Brio!On_WsDCS8ysOeUG17h1l3dTpWEm79AHwMHLbbUgsvagBSpgZAk5U1cXddn6ZNOU$
> > > @@ -2859,6 +2872,11 @@ void acpi_build(AcpiBuildTables *tables, 
> > > MachineState *machine)
> > > machine->nvdimms_state, machine->ram_slots);
> > >   }
> > > +if (!pcmc->do_not_add_waet_acpi) {
> > > +acpi_add_table(table_offsets, tables_blob);
> > > +build_waet(tables_blob, tables->linker);
> > > +}
> > we typically do not version ACPI table changes (there might be exceptions
> > but it should be a justified one).
> > ACPI tables are considered to be a part of firmware (even though they are
> > generated by QEMU) so on QEMU upgrade user gets a new firmware along with
> > new ACPI tables.
> 
> Hmm... I would have expected as a QEMU user that upgrading QEMU may update
> my firmware exposed table (Such as ACPI),
> but only if I don't specify I wish to run on a specific machine-type. In
> that case, I would've expected to be exposed with exact same firmware
> information.
> I understood that this was one of the main reasons why ACPI/SMBIOS
> generation was moved from SeaBIOS to QEMU.
> 
> If you think this isn't the case, I can just remove this flag (Makes code
> simpler). What do you prefer?
> 
> Thanks for the review,
> -Liran
> 

I'm inclined to agree, but no biggie if Igor disagrees let's go along
with his opinion.

-- 
MST




Re: [PATCH V2 7/8] COLO: Migrate dirty pages during the gap of checkpointing

2020-03-12 Thread Dr. David Alan Gilbert
* zhanghailiang (zhang.zhanghaili...@huawei.com) wrote:
> We can migrate some dirty pages during the gap of checkpointing,
> in this way, we can reduce the amount of RAM migrated during checkpointing.
> 
> Signed-off-by: zhanghailiang 
> ---
>  migration/colo.c   | 73 --
>  migration/migration.h  |  1 +
>  migration/trace-events |  1 +
>  qapi/migration.json|  4 ++-
>  4 files changed, 75 insertions(+), 4 deletions(-)
> 
> diff --git a/migration/colo.c b/migration/colo.c
> index 44942c4e23..c36d94072f 100644
> --- a/migration/colo.c
> +++ b/migration/colo.c
> @@ -47,6 +47,13 @@ static COLOMode last_colo_mode;
>  
>  #define COLO_BUFFER_BASE_SIZE (4 * 1024 * 1024)
>  
> +#define DEFAULT_RAM_PENDING_CHECK 1000
> +
> +/* should be calculated by bandwidth and max downtime ? */
> +#define THRESHOLD_PENDING_SIZE (100 * 1024 * 1024UL)

In the last version I asked to change these two values to parameters.

Dave

> +static int checkpoint_request;
> +
>  bool migration_in_colo_state(void)
>  {
>  MigrationState *s = migrate_get_current();
> @@ -517,6 +524,20 @@ static void colo_compare_notify_checkpoint(Notifier 
> *notifier, void *data)
>  colo_checkpoint_notify(data);
>  }
>  
> +static bool colo_need_migrate_ram_background(MigrationState *s)
> +{
> +uint64_t pending_size, pend_pre, pend_compat, pend_post;
> +int64_t max_size = THRESHOLD_PENDING_SIZE;
> +
> +qemu_savevm_state_pending(s->to_dst_file, max_size, &pend_pre,
> +  &pend_compat, &pend_post);
> +pending_size = pend_pre + pend_compat + pend_post;
> +
> +trace_colo_need_migrate_ram_background(pending_size);
> +return (pending_size >= max_size);
> +}
> +
> +
>  static void colo_process_checkpoint(MigrationState *s)
>  {
>  QIOChannelBuffer *bioc;
> @@ -572,6 +593,8 @@ static void colo_process_checkpoint(MigrationState *s)
>  
>  timer_mod(s->colo_delay_timer,
>  current_time + s->parameters.x_checkpoint_delay);
> +timer_mod(s->pending_ram_check_timer,
> +current_time + DEFAULT_RAM_PENDING_CHECK);
>  
>  while (s->state == MIGRATION_STATUS_COLO) {
>  if (failover_get_state() != FAILOVER_STATUS_NONE) {
> @@ -584,9 +607,30 @@ static void colo_process_checkpoint(MigrationState *s)
>  if (s->state != MIGRATION_STATUS_COLO) {
>  goto out;
>  }
> -ret = colo_do_checkpoint_transaction(s, bioc, fb);
> -if (ret < 0) {
> -goto out;
> +if (atomic_xchg(&checkpoint_request, 0)) {
> +/* start a colo checkpoint */
> +ret = colo_do_checkpoint_transaction(s, bioc, fb);
> +if (ret < 0) {
> +goto out;
> +}
> +} else {
> +if (colo_need_migrate_ram_background(s)) {
> +colo_send_message(s->to_dst_file,
> +  COLO_MESSAGE_MIGRATE_RAM_BACKGROUND,
> +  &local_err);
> +if (local_err) {
> +goto out;
> +}
> +
> +qemu_savevm_state_iterate(s->to_dst_file, false);
> +qemu_put_byte(s->to_dst_file, QEMU_VM_EOF);
> +ret = qemu_file_get_error(s->to_dst_file);
> +if (ret < 0) {
> +error_setg_errno(&local_err, -ret,
> +"Failed to send dirty pages backgroud");
> +goto out;
> +}
> +}
>  }
>  }
>  
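
Review bot: in the new else branch the return value of qemu_savevm_state_iterate() is dropped, and a failure is only noticed afterwards through qemu_file_get_error(); either check the return value or add a comment saying why the file error alone is sufficient. The error string also has a typo: "backgroud" should be "background".
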
> @@ -627,6 +671,8 @@ out:
>  colo_compare_unregister_notifier(&packets_compare_notifier);
>  timer_del(s->colo_delay_timer);
>  timer_free(s->colo_delay_timer);
> +timer_del(s->pending_ram_check_timer);
> +timer_free(s->pending_ram_check_timer);
>  qemu_sem_destroy(&s->colo_checkpoint_sem);
>  
>  /*
> @@ -644,6 +690,7 @@ void colo_checkpoint_notify(void *opaque)
>  MigrationState *s = opaque;
>  int64_t next_notify_time;
>  
> +atomic_inc(&checkpoint_request);
>  qemu_sem_post(&s->colo_checkpoint_sem);
>  s->colo_checkpoint_time = qemu_clock_get_ms(QEMU_CLOCK_HOST);
>  next_notify_time = s->colo_checkpoint_time +
> @@ -651,6 +698,19 @@ void colo_checkpoint_notify(void *opaque)
>  timer_mod(s->colo_delay_timer, next_notify_time);
>  }
>  
> +static void colo_pending_ram_check_notify(void *opaque)
> +{
> +int64_t next_notify_time;
> +MigrationState *s = opaque;
> +
> +if (migration_in_colo_state()) {
> +next_notify_time = DEFAULT_RAM_PENDING_CHECK +
> +   qemu_clock_get_ms(QEMU_CLOCK_HOST);
> +timer_mod(s->pending_ram_check_timer, next_notify_time);
> +qemu_sem_post(&s->colo_checkpoint_sem);
> +}
> +}
> +
>  void migrate_start_colo_process(MigrationState *s)
>  {
>  qemu_mutex_unlock_iothread();
> @@ -658,6 +718,8 @@ void migrate_start_colo_process(MigrationState *s)
>  s->colo_delay_timer =

[PATCH v6 36/42] target/arm: Complete TBI clearing for user-only for SVE

2020-03-12 Thread Richard Henderson
There are a number of paths by which the TBI is still intact
for user-only in the SVE helpers.

Because we currently always set TBI for user-only, we do not
need to pass down the actual TBI setting from above, and we
can remove the top byte in the inner-most primitives, so that
none are forgotten.  Moreover, this keeps the "dirty" pointer
around at the higher levels, where we need it for any MTE checking.

Since the normal case, especially for user-only, goes through
RAM, this clearing merely adds two insns per page lookup, which
will be completely in the noise.

Signed-off-by: Richard Henderson 
---
 target/arm/sve_helper.c | 19 ---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index 566a619300..f0afbd0faf 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -3985,7 +3985,7 @@ typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, 
intptr_t reg_off,
  *
  * For *_tlb, this uses the cpu_*_data_ra helpers.  There are not
  * endian-specific versions of these, so we must handle endianness
- * locally.
+ * locally.  See sve_probe_page about TBI.
  *
  * For *_host, this is a trivial application of the 
  * endian-specific access followed by a store into the vector register.
@@ -4009,7 +4009,7 @@ static void sve_##NAME##_host(void *vd, intptr_t reg_off, 
void *host)  \
 static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
  target_ulong addr, uintptr_t ra)   \
 {   \
-TYPEM val = BSWAP(TLB(env, addr, ra));  \
+TYPEM val = BSWAP(TLB(env, useronly_clean_ptr(addr), ra));  \
 *(TYPEE *)(vd + H(reg_off)) = val;  \
 }
 
@@ -4018,7 +4018,7 @@ static void sve_##NAME##_tlb(CPUARMState *env, void *vd, 
intptr_t reg_off,  \
  target_ulong addr, uintptr_t ra)   \
 {   \
 TYPEM val = *(TYPEE *)(vd + H(reg_off));\
-TLB(env, addr, BSWAP(val), ra); \
+TLB(env, useronly_clean_ptr(addr), BSWAP(val), ra); \
 }
 
 #define DO_LD_PRIM_1(NAME, H, TE, TM)   \
@@ -4152,6 +4152,19 @@ static bool sve_probe_page(SVEHostPage *info, bool 
nofault,
 int flags;
 
 addr += mem_off;
+
+/*
+ * User-only currently always issues with TBI.  See the comment
+ * above useronly_clean_ptr.  Usually we clean this top byte away
+ * during translation, but we can't do that for e.g. vector + imm
+ * addressing modes.
+ *
+ * We currently always enable TBI for user-only, and do not provide
+ * a way to turn it off.  So clean the pointer unconditionally here,
+ * rather than look it up here, or pass it down from above.
+ */
+addr = useronly_clean_ptr(addr);
+
 flags = probe_access_flags(env, addr, access_type, mmu_idx, nofault,
&info->host, retaddr);
 info->flags = flags;
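
Review bot: the comment added in sve_probe_page states the same assumption twice ("User-only currently always issues with TBI" and "We currently always enable TBI for user-only"). Merging the two paragraphs into one statement of the assumption, followed by the reason for cleaning unconditionally here, would make it easier to find and revisit if TBI ever becomes configurable for user-only.
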
-- 
2.20.1




[PATCH v6 25/42] target/arm: Implement helper_mte_check1

2020-03-12 Thread Richard Henderson
Fill out the stub that was added earlier.

Signed-off-by: Richard Henderson 
---
 target/arm/internals.h  |  47 +++
 target/arm/mte_helper.c | 126 +++-
 2 files changed, 172 insertions(+), 1 deletion(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index a993e8ca0a..8bbaf9b453 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1314,6 +1314,9 @@ FIELD(MTEDESC, WRITE, 8, 1)
 FIELD(MTEDESC, ESIZE, 9, 5)
 FIELD(MTEDESC, TSIZE, 14, 10)  /* mte_checkN only */
 
+bool mte_probe1(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
+uint64_t mte_check1(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t 
ra);
+
 static inline int allocation_tag_from_addr(uint64_t ptr)
 {
 return extract64(ptr, 56, 4);
@@ -1324,4 +1327,48 @@ static inline uint64_t 
address_with_allocation_tag(uint64_t ptr, int rtag)
 return deposit64(ptr, 56, 4, rtag);
 }
 
+/* Return true if tbi bits mean that the access is checked.  */
+static inline bool tbi_check(uint32_t desc, int bit55)
+{
+return (desc >> (R_MTEDESC_TBI_SHIFT + bit55)) & 1;
+}
+
+/* Return true if tcma bits mean that the access is unchecked.  */
+static inline bool tcma_check(uint32_t desc, int bit55, int ptr_tag)
+{
+/*
+ * We had extracted bit55 and ptr_tag for other reasons, so fold
+ * (ptr<59:55> == 0 || ptr<59:55> == 1) into a single test.
+ */
+bool match = ((ptr_tag + bit55) & 0xf) == 0;
+bool tcma = (desc >> (R_MTEDESC_TCMA_SHIFT + bit55)) & 1;
+return tcma && match;
+}
+
+/*
+ * For TBI, ideally, we would do nothing.  Proper behaviour on fault is
+ * for the tag to be present in the FAR_ELx register.  But for user-only
+ * mode, we do not have a TLB with which to implement this, so we must
+ * remote the top byte.
+ */
+static inline uint64_t useronly_clean_ptr(uint64_t ptr)
+{
+/* TBI is known to be enabled. */
+#ifdef CONFIG_USER_ONLY
+ptr = sextract64(ptr, 0, 56);
+#endif
+return ptr;
+}
+
+static inline uint64_t useronly_maybe_clean_ptr(uint32_t desc, uint64_t ptr)
+{
+#ifdef CONFIG_USER_ONLY
+int64_t clean_ptr = sextract64(ptr, 0, 56);
+if (tbi_check(desc, clean_ptr < 0)) {
+ptr = clean_ptr;
+}
+#endif
+return ptr;
+}
+
 #endif
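
Review bot: the comment in tcma_check does not match the test below it. It says `(ptr<59:55> == 0 || ptr<59:55> == 1)`, but `((ptr_tag + bit55) & 0xf) == 0` holds when the tag is 0 with bit55 clear or the tag is 0xf with bit55 set, that is when ptr<59:55> is all zeros or all ones; please spell the second case as all-ones. Also, tbi_check returns true for "checked" while tcma_check returns true for "unchecked", which is easy to misread at call sites, and the comment above useronly_clean_ptr has "remote" where "remove" is meant.
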
diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index 907a12b366..7a87574b35 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -359,12 +359,136 @@ void HELPER(stzgm_tags)(CPUARMState *env, uint64_t ptr, 
uint64_t val)
 }
 }
 
+/* Record a tag check failure.  */
+static void mte_check_fail(CPUARMState *env, int mmu_idx,
+   uint64_t dirty_ptr, uintptr_t ra)
+{
+ARMMMUIdx arm_mmu_idx = core_to_aa64_mmu_idx(mmu_idx);
+int el, reg_el, tcf, select;
+uint64_t sctlr;
+
+reg_el = regime_el(env, arm_mmu_idx);
+sctlr = env->cp15.sctlr_el[reg_el];
+
+switch (arm_mmu_idx) {
+case ARMMMUIdx_E10_0:
+case ARMMMUIdx_E20_0:
+el = 0;
+tcf = extract64(sctlr, 38, 2);
+break;
+default:
+el = reg_el;
+tcf = extract64(sctlr, 40, 2);
+}
+
+switch (tcf) {
+case 1:
+/*
+ * Tag check fail causes a synchronous exception.
+ *
+ * In restore_state_to_opc, we set the exception syndrome
+ * for the load or store operation.  Unwind first so we
+ * may overwrite that with the syndrome for the tag check.
+ */
+cpu_restore_state(env_cpu(env), ra, true);
+env->exception.vaddress = dirty_ptr;
+raise_exception(env, EXCP_DATA_ABORT,
+syn_data_abort_no_iss(el != 0, 0, 0, 0, 0, 0x11),
+exception_target_el(env));
+/* noreturn, but fall through to the assert anyway */
+
+case 0:
+/*
+ * Tag check fail does not affect the PE.
+ * We eliminate this case by not setting MTE_ACTIVE
+ * in tb_flags, so that we never make this runtime call.
+ */
+g_assert_not_reached();
+
+case 2:
+/* Tag check fail causes asynchronous flag set.  */
+mmu_idx = arm_mmu_idx_el(env, el);
+if (regime_has_2_ranges(mmu_idx)) {
+select = extract64(dirty_ptr, 55, 1);
+} else {
+select = 0;
+}
+env->cp15.tfsr_el[el] |= 1 << select;
+break;
+
+default:
+/* Case 3: Reserved. */
+qemu_log_mask(LOG_GUEST_ERROR,
+  "Tag check failure with SCTLR_EL%d.TCF%s "
+  "set to reserved value %d\n",
+  reg_el, el ? "" : "0", tcf);
+break;
+}
+}
+
 /*
  * Perform an MTE checked access for a single logical or atomic access.
  */
+static bool mte_probe1_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
+   uintptr_t ra, int bit55)
+{
+int mem_tag, mmu_idx, ptr_tag, size;
+MMUAccessType type;
+uint8_t *mem;
+
+  
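
Review bot: in the `case 2:` arm of mte_check_fail the int parameter mmu_idx, which arrives as a core index and is converted with core_to_aa64_mmu_idx() at the top, is overwritten with the result of arm_mmu_idx_el(env, el) and then passed to regime_has_2_ranges(). Reusing one variable for both index spaces is easy to get wrong; a separate local, or arm_mmu_idx if that is the regime intended, would be clearer. The `case 1:` fall-through into `case 0:` also depends on raise_exception() not returning, so giving case 1 its own g_assert_not_reached() would keep the two cases independent.
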

[PATCH v6 42/42] target/arm: Add allocation tag storage for system mode

2020-03-12 Thread Richard Henderson
Look up the physical address for the given virtual address,
convert that to a tag physical address, and finally return
the host address that backs it.

Signed-off-by: Richard Henderson 
---
 target/arm/mte_helper.c | 128 
 1 file changed, 128 insertions(+)

diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index c51f7f04f4..47db87a5a1 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -21,6 +21,7 @@
 #include "cpu.h"
 #include "internals.h"
 #include "exec/exec-all.h"
+#include "exec/ram_addr.h"
 #include "exec/cpu_ldst.h"
 #include "exec/helper-proto.h"
 
@@ -74,8 +75,135 @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int 
ptr_mmu_idx,
int ptr_size, MMUAccessType tag_access,
int tag_size, uintptr_t ra)
 {
+#ifdef CONFIG_USER_ONLY
 /* Tag storage not implemented.  */
 return NULL;
+#else
+uintptr_t index;
+CPUIOTLBEntry *iotlbentry;
+int in_page, flags;
+ram_addr_t ptr_ra;
+hwaddr ptr_paddr, tag_paddr, xlat;
+MemoryRegion *mr;
+ARMASIdx tag_asi;
+AddressSpace *tag_as;
+void *host;
+
+/*
+ * The caller must split calls to this function such that it will
+ * not access *tag* memory beyond the end of the page.
+ */
+in_page = -(ptr | -(TARGET_PAGE_SIZE >> (LOG2_TAG_GRANULE + 1)));
+g_assert(tag_size <= in_page);
+
+/*
+ * Probe the first byte of the virtual address.  This raises an
+ * exception for inaccessible pages, and resolves the virtual address
+ * into the softmmu tlb.
+ */
+flags = probe_access_flags(env, ptr, ptr_access, ptr_mmu_idx,
+   false, &host, ra);
+
+/*
+ * Find the iotlbentry for ptr.  This *must* be present in the TLB
+ * because we just found the mapping.
+ * TODO: Perhaps there should be a cputlb helper that returns a
+ * matching tlb entry + iotlb entry.
+ */
+index = tlb_index(env, ptr_mmu_idx, ptr);
+# ifdef CONFIG_DEBUG_TCG
+{
+CPUTLBEntry *entry = tlb_entry(env, ptr_mmu_idx, ptr);
+target_ulong comparator = (ptr_access == MMU_DATA_LOAD
+   ? entry->addr_read
+   : tlb_addr_write(entry));
+g_assert(tlb_hit(comparator, ptr));
+}
+# endif
+iotlbentry = &env_tlb(env)->d[ptr_mmu_idx].iotlb[index];
+
+/* If the virtual page MemAttr != Tagged, access unchecked. */
+if (!iotlbentry->attrs.target_tlb_bit1) {
+return NULL;
+}
+
+/* If not normal memory, tag storage is not implemented, access unchecked. 
*/
+if (unlikely(flags & TLB_MMIO)) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "Page @ 0x%" PRIx64 " indicates Tagged Normal memory "
+  "but is Device memory\n", ptr);
+return NULL;
+}
+
+/*
+ * The Normal memory access can extend to the next page.  E.g. a single
+ * 8-byte access to the last byte of a page will check only the last
+ * tag on the first page.
+ * Any page access exception has priority over tag check exception.
+ */
+in_page = -(ptr | TARGET_PAGE_MASK);
+if (unlikely(ptr_size > in_page)) {
+void *ignore;
+flags |= probe_access_flags(env, ptr + in_page, ptr_access,
+ptr_mmu_idx, false, &ignore, ra);
+}
+
+/* Any debug exception has priority over a tag check exception. */
+if (unlikely(flags & TLB_WATCHPOINT)) {
+int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
+cpu_check_watchpoint(env_cpu(env), ptr, ptr_size,
+ iotlbentry->attrs, wp, ra);
+}
+
+/*
+ * Find the physical address within the normal mem space.
+ * The memory region lookup must succeed because TLB_MMIO was
+ * not set in the cputlb lookup above.
+ */
+mr = memory_region_from_host(host, &ptr_ra);
+tcg_debug_assert(mr != NULL);
+tcg_debug_assert(memory_region_is_ram(mr));
+ptr_paddr = ptr_ra;
+do {
+ptr_paddr += mr->addr;
+mr = mr->container;
+} while (mr);
+
+/* Convert to the physical address in tag space.  */
+tag_paddr = ptr_paddr >> (LOG2_TAG_GRANULE + 1);
+
+/* Look up the address in tag space. */
+tag_asi = iotlbentry->attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
+tag_as = cpu_get_address_space(env_cpu(env), tag_asi);
+mr = address_space_translate(tag_as, tag_paddr, &xlat, NULL,
+ tag_access == MMU_DATA_STORE,
+ iotlbentry->attrs);
+
+/*
+ * Note that @mr will never be NULL.  If there is nothing in the address
+ * space at @tag_paddr, the translation will return the unallocated memory
+ * region.  For our purposes, the result must be ram.
+ */
+if (unlikely(!memory_region_is_ram(mr))) {
+/* ??? Failu
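
Review bot: the do/while loop that rebuilds ptr_paddr by adding mr->addr up the mr->container chain assumes the RAM region returned by memory_region_from_host() is reachable only through that container chain, while the comment above it only justifies why the lookup succeeds. Please state that assumption in the comment, or say what happens for RAM that is mapped through an alias. Smaller point: in_page is computed twice with different meanings (first the limit checked against tag_size, then the limit checked against ptr_size); two names would read better.
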

[PATCH v6 30/42] target/arm: Use mte_check1 for sve LD1R

2020-03-12 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/arm/translate-sve.c | 18 ++
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 49d2e68564..e5d12edd55 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -4850,16 +4850,16 @@ static bool trans_LD1RQ_zpri(DisasContext *s, 
arg_rpri_load *a)
 /* Load and broadcast element.  */
 static bool trans_LD1R_zpri(DisasContext *s, arg_rpri_load *a)
 {
-if (!sve_access_check(s)) {
-return true;
-}
-
 unsigned vsz = vec_full_reg_size(s);
 unsigned psz = pred_full_reg_size(s);
 unsigned esz = dtype_esz[a->dtype];
 unsigned msz = dtype_msz(a->dtype);
 TCGLabel *over = gen_new_label();
-TCGv_i64 temp;
+TCGv_i64 temp, clean_addr;
+
+if (!sve_access_check(s)) {
+return true;
+}
 
 /* If the guarding predicate has no bits set, no load occurs.  */
 if (psz <= 8) {
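
Review bot: moving the sve_access_check() call below the declarations leaves `TCGLabel *over = gen_new_label();` running before the check, so a label is allocated even on the early `return true` path. Suggest declaring `over` without an initializer and calling gen_new_label() after the check.
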
@@ -4880,9 +4880,11 @@ static bool trans_LD1R_zpri(DisasContext *s, 
arg_rpri_load *a)
 }
 
 /* Load the data.  */
-temp = tcg_temp_new_i64();
-tcg_gen_addi_i64(temp, cpu_reg_sp(s, a->rn), a->imm << msz);
-tcg_gen_qemu_ld_i64(temp, temp, get_mem_index(s),
+temp = read_cpu_reg_sp(s, a->rn, true);
+tcg_gen_addi_i64(temp, temp, a->imm << msz);
+clean_addr = gen_mte_check1(s, temp, false, true, msz);
+
+tcg_gen_qemu_ld_i64(temp, clean_addr, get_mem_index(s),
 s->be_data | dtype_mop[a->dtype]);
 
 /* Broadcast to *all* elements.  */
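
Review bot: `gen_mte_check1(s, temp, false, true, msz)` passes two bare booleans, and the second is hard-coded to true, whereas the do_str conversion in this series passes `rn != 31` as the corresponding argument of gen_mte_checkN. If a base of SP (a->rn == 31) is meant to be treated the same way here, this should be `a->rn != 31`; if not, a comment saying why LD1R differs would help.
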
-- 
2.20.1




[PATCH v6 22/42] target/arm: Move regime_tcr to internals.h

2020-03-12 Thread Richard Henderson
We will shortly need this in mte_helper.c as well.

Signed-off-by: Richard Henderson 
---
 target/arm/internals.h | 9 +
 target/arm/helper.c| 9 -
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index f091891312..56fb07f2b6 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -948,6 +948,15 @@ static inline uint32_t regime_el(CPUARMState *env, 
ARMMMUIdx mmu_idx)
 }
 }
 
+/* Return the TCR controlling this translation regime */
+static inline TCR *regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
+{
+if (mmu_idx == ARMMMUIdx_Stage2) {
+return &env->cp15.vtcr_el2;
+}
+return &env->cp15.tcr_el[regime_el(env, mmu_idx)];
+}
+
 /* Return the FSR value for a debug exception (watchpoint, hardware
  * breakpoint or BKPT insn) targeting the specified exception level.
  */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 2a50d4e9a2..e4b4366af7 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9835,15 +9835,6 @@ static inline uint64_t regime_ttbr(CPUARMState *env, 
ARMMMUIdx mmu_idx,
 
 #endif /* !CONFIG_USER_ONLY */
 
-/* Return the TCR controlling this translation regime */
-static inline TCR *regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
-{
-if (mmu_idx == ARMMMUIdx_Stage2) {
-return &env->cp15.vtcr_el2;
-}
-return &env->cp15.tcr_el[regime_el(env, mmu_idx)];
-}
-
 /* Convert a possible stage1+2 MMU index into the appropriate
  * stage 1 MMU index
  */
-- 
2.20.1




[PATCH v6 38/42] target/arm: Set PSTATE.TCO on exception entry

2020-03-12 Thread Richard Henderson
D1.10 specifies that exception handlers begin with tag checks overridden.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
v2: Only set if MTE feature present.
---
 target/arm/helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 44e7c0d19b..b38dc74733 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -9664,6 +9664,9 @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
 break;
 }
 }
+if (cpu_isar_feature(aa64_mte, cpu)) {
+new_mode |= PSTATE_TCO;
+}
 
 pstate_write(env, PSTATE_DAIF | new_mode);
 env->aarch64 = 1;
-- 
2.20.1




Re: [PATCH V2 8/8] migration/colo: Only flush ram cache while do checkpoint

2020-03-12 Thread Dr. David Alan Gilbert
* zhanghailiang (zhang.zhanghaili...@huawei.com) wrote:
> After add migrating ram background, we will call ram_load
> for this process, but we should not flush ram cache during
> this process. Move the flush action to the right place.
> 
> Signed-off-by: zhanghailiang 

Reviewed-by: Dr. David Alan Gilbert 

> ---
>  migration/colo.c | 1 +
>  migration/ram.c  | 5 +
>  migration/ram.h  | 1 +
>  3 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/migration/colo.c b/migration/colo.c
> index c36d94072f..18df8289f8 100644
> --- a/migration/colo.c
> +++ b/migration/colo.c
> @@ -799,6 +799,7 @@ static void 
> colo_incoming_process_checkpoint(MigrationIncomingState *mis,
>  
>  qemu_mutex_lock_iothread();
>  vmstate_loading = true;
> +colo_flush_ram_cache();
>  ret = qemu_load_device_state(fb);
>  if (ret < 0) {
>  error_setg(errp, "COLO: load device state failed");
> diff --git a/migration/ram.c b/migration/ram.c
> index 1b3f423351..7bc841d14f 100644
> --- a/migration/ram.c
> +++ b/migration/ram.c
> @@ -3305,7 +3305,7 @@ static bool postcopy_is_running(void)
>   * Flush content of RAM cache into SVM's memory.
>   * Only flush the pages that be dirtied by PVM or SVM or both.
>   */
> -static void colo_flush_ram_cache(void)
> +void colo_flush_ram_cache(void)
>  {
>  RAMBlock *block = NULL;
>  void *dst_host;
> @@ -3576,9 +3576,6 @@ static int ram_load(QEMUFile *f, void *opaque, int 
> version_id)
>  }
>  trace_ram_load_complete(ret, seq_iter);
>  
> -if (!ret  && migration_incoming_in_colo_state()) {
> -colo_flush_ram_cache();
> -}
>  return ret;
>  }
>  
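
Review bot: the removed block guarded the flush with `!ret && migration_incoming_in_colo_state()`, and the replacement call in colo_incoming_process_checkpoint() carries neither condition. If that path is only reachable in COLO state and only after the RAM load succeeded, say so in the commit message or assert it at the new call site; otherwise the flush can now run in a case the old code deliberately skipped.
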
> diff --git a/migration/ram.h b/migration/ram.h
> index 5ceaff7cb4..ae14341482 100644
> --- a/migration/ram.h
> +++ b/migration/ram.h
> @@ -67,5 +67,6 @@ int ram_dirty_bitmap_reload(MigrationState *s, RAMBlock 
> *rb);
>  int colo_init_ram_cache(void);
>  void colo_release_ram_cache(void);
>  void colo_incoming_start_dirty_log(void);
> +void colo_flush_ram_cache(void);
>  
>  #endif
> -- 
> 2.21.0
> 
> 
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK




[PATCH v6 27/42] target/arm: Add helper_mte_check_zva

2020-03-12 Thread Richard Henderson
Use a special helper for DC_ZVA, rather than the more
general mte_checkN.  Leave the helper blank for now.

Signed-off-by: Richard Henderson 
---
 target/arm/helper-a64.h|   1 +
 target/arm/mte_helper.c| 106 +
 target/arm/translate-a64.c |  16 +-
 3 files changed, 122 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper-a64.h b/target/arm/helper-a64.h
index 005af678c7..5b0b699a50 100644
--- a/target/arm/helper-a64.h
+++ b/target/arm/helper-a64.h
@@ -106,6 +106,7 @@ DEF_HELPER_FLAGS_2(xpacd, TCG_CALL_NO_RWG_SE, i64, env, i64)
 
 DEF_HELPER_FLAGS_3(mte_check1, TCG_CALL_NO_WG, i64, env, i32, i64)
 DEF_HELPER_FLAGS_3(mte_checkN, TCG_CALL_NO_WG, i64, env, i32, i64)
+DEF_HELPER_FLAGS_3(mte_check_zva, TCG_CALL_NO_WG, i64, env, i32, i64)
 DEF_HELPER_FLAGS_3(irg, TCG_CALL_NO_RWG, i64, env, i64, i64)
 DEF_HELPER_FLAGS_4(addsubg, TCG_CALL_NO_RWG_SE, i64, env, i64, s32, i32)
 DEF_HELPER_FLAGS_3(ldg, TCG_CALL_NO_WG, i64, env, i64, i64)
diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index 94f67b33d1..c51f7f04f4 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -658,3 +658,109 @@ uint64_t HELPER(mte_checkN)(CPUARMState *env, uint32_t 
desc, uint64_t ptr)
 {
 return mte_checkN(env, desc, ptr, GETPC());
 }
+
+/*
+ * Perform an MTE checked access for DC_ZVA.
+ */
+uint64_t HELPER(mte_check_zva)(CPUARMState *env, uint32_t desc, uint64_t ptr)
+{
+uintptr_t ra = GETPC();
+int log2_dcz_bytes, log2_tag_bytes;
+int mmu_idx, bit55;
+intptr_t dcz_bytes, tag_bytes, i;
+void *mem;
+uint64_t ptr_tag, mem_tag, align_ptr;
+
+bit55 = extract64(ptr, 55, 1);
+
+/* If TBI is disabled, the access is unchecked, and ptr is not dirty. */
+if (unlikely(!tbi_check(desc, bit55))) {
+return ptr;
+}
+
+ptr_tag = allocation_tag_from_addr(ptr);
+
+if (tcma_check(desc, bit55, ptr_tag)) {
+goto done;
+}
+
+/*
+ * In arm_cpu_realizefn, we asserted that dcz > LOG2_TAG_GRANULE+1,
+ * i.e. 32 bytes, which is an unreasonably small dcz anyway, to make
+ * sure that we can access one complete tag byte here.
+ */
+log2_dcz_bytes = env_archcpu(env)->dcz_blocksize + 2;
+log2_tag_bytes = log2_dcz_bytes - (LOG2_TAG_GRANULE + 1);
+dcz_bytes = (intptr_t)1 << log2_dcz_bytes;
+tag_bytes = (intptr_t)1 << log2_tag_bytes;
+align_ptr = ptr & -dcz_bytes;
+
+/*
+ * Trap if accessing an invalid page.  DC_ZVA requires that we supply
+ * the original pointer for an invalid page.  But watchpoints require
+ * that we probe the actual space.  So do both.
+ */
+mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
+(void) probe_write(env, ptr, 1, mmu_idx, ra);
+mem = allocation_tag_mem(env, mmu_idx, align_ptr, MMU_DATA_STORE,
+ dcz_bytes, MMU_DATA_LOAD, tag_bytes, ra);
+if (!mem) {
+goto done;
+}
+
+/*
+ * Unlike the reasoning for checkN, DC_ZVA is always aligned, and thus
+ * it is quite easy to perform all of the comparisons at once without
+ * any extra masking.
+ *
+ * The most common zva block size is 64; some of the thunderx cpus use
+ * a block size of 128.  For user-only, aarch64_max_initfn will set the
+ * block size to 512.  Fill out the other cases for future-proofing.
+ *
+ * In order to be able to find the first miscompare later, we want the
+ * tag bytes to be in little-endian order.
+ */
+switch (log2_tag_bytes) {
+case 0: /* zva_blocksize 32 */
+mem_tag = *(uint8_t *)mem;
+ptr_tag *= 0x11u;
+break;
+case 1: /* zva_blocksize 64 */
+mem_tag = cpu_to_le16(*(uint16_t *)mem);
+ptr_tag *= 0xu;
+break;
+case 2: /* zva_blocksize 128 */
+mem_tag = cpu_to_le32(*(uint32_t *)mem);
+ptr_tag *= 0xu;
+break;
+case 3: /* zva_blocksize 256 */
+mem_tag = cpu_to_le64(*(uint64_t *)mem);
+ptr_tag *= 0xull;
+break;
+
+default: /* zva_blocksize 512, 1024, 2048 */
+ptr_tag *= 0xull;
+i = 0;
+do {
+mem_tag = cpu_to_le64(*(uint64_t *)(mem + i));
+if (unlikely(mem_tag != ptr_tag)) {
+goto fail;
+}
+i += 8;
+align_ptr += 16 * TAG_GRANULE;
+} while (i < tag_bytes);
+goto done;
+}
+
+if (likely(mem_tag == ptr_tag)) {
+goto done;
+}
+
+ fail:
+/* Locate the first nibble that differs. */
+i = ctz64(mem_tag ^ ptr_tag) >> 4;
+mte_check_fail(env, mmu_idx, align_ptr + i * TAG_GRANULE, ra);
+
+ done:
+return useronly_clean_ptr(ptr);
+}
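
Review bot: in the fail path, `i = ctz64(mem_tag ^ ptr_tag) >> 4` does not produce the nibble index that the comment above it promises. ctz64() returns a bit index and a tag nibble is 4 bits wide, so the index of the first differing nibble is `ctz64(...) >> 2`; shifting by 4 gives the index of the 16-bit unit instead. Since `log2_tag_bytes = log2_dcz_bytes - (LOG2_TAG_GRANULE + 1)` means each nibble covers one granule, `align_ptr + i * TAG_GRANULE` as written can report a fault address below the granule that actually mismatched. Separately, the commit message says "Leave the helper blank for now" while this hunk adds a complete implementation; one of the two should be updated.
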
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index c6187ccd60..d86c13a32d 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -1902,7 +1902,21 @@ static void handle_sys(DisasContext *s, uint32_t insn, 

[PATCH v6 31/42] target/arm: Add mte helpers for sve scalar + int loads

2020-03-12 Thread Richard Henderson
Because the elements are sequential, we can eliminate many tests all
at once when the tag hits TCMA, or if the page(s) are not Tagged.

Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  58 ++
 target/arm/internals.h |   6 +
 target/arm/sve_helper.c| 218 ++---
 target/arm/translate-sve.c | 186 ++-
 4 files changed, 377 insertions(+), 91 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index 4e71501838..af1c6967a6 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1184,6 +1184,64 @@ DEF_HELPER_FLAGS_4(sve_ld1sds_le_r, TCG_CALL_NO_WG, 
void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ld1sdu_be_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ld1sds_be_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 
+DEF_HELPER_FLAGS_4(sve_ld1bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4bb_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4hh_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4hh_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4ss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4ss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4dd_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld2dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld3dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld4dd_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1bhu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld1bsu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld1bdu_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld1bhs_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld1bss_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+DEF_HELPER_FLAGS_4(sve_ld1bds_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1hsu_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hdu_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hss_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hds_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1hsu_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hdu_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hss_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1hds_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1sdu_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1sds_le_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+
+DEF_HELPER_FLAGS_4(sve_ld1sdu_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+DEF_HELPER_FLAGS_4(sve_ld1sds_be_r_mte, TCG_CALL_NO_WG, void, env, ptr, tl, 
i32)
+
 DEF_HELPER_FLAGS_4(sve_ldff1bb_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldff1bhu_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
 DEF_HELPER_FLAGS_4(sve_ldff1bsu_r, TCG_CALL_NO_WG, void, env, ptr, tl, i32)
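
Review bot: this hunk adds `_r_mte` twins for the contiguous `sve_ld1`..`sve_ld4` `_r` helpers, but the `sve_ldff1*_r` helpers visible in the trailing context get none here, and the commit message does not say where first-fault loads are handled. Please state in the commit message which patch in the series covers them, so a reader of this patch alone does not assume every SVE scalar + int load is tag checked after it.
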
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 04f0b619b7..94b8f07e93 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
