Re: [PATCH for-6.0 2/2] aspeed/smc: Add extra controls to request DMA

2020-11-24 Thread Cédric Le Goater 
On 11/25/20 3:49 AM, Joel Stanley wrote:
> On Fri, 20 Nov 2020 at 16:16, Cédric Le Goater  wrote:
>>
>> The controller has a set of hidden bits to request/grant DMA access.
> 
> Do you have the ast2600 datasheet? It describes these bits:
> 
> 31 RW DMA Request
> 
> Write SPIR80 = 0xAEED to set this bit ot '1'.
> And hardware will clear the request to '0' after DMA done, or FW can
> clear to '0' by writing SPIR80 = 0xDEEA.
> 
> 30 RO DMA Grant
> 
> 0: DMA is not allowed to be used. All DMA related control registers
> are not allowed to be written.
> 1: DMA is granted to be used.

I see them now :) They are under the SPI controllers but not under 
the BMC SPI controller where I was looking. May be the datasheet 
was updated now ? 
 
> Do you want to add the magic behavior to your model?

Yes. The Aspeed SPI driver needs them. I think the model can be better.
I will send a v2.

Thanks,

C.

> 
>>
>> Cc: Chin-Ting Kuo 
>> Signed-off-by: Cédric Le Goater 
>> ---
>>  hw/ssi/aspeed_smc.c | 7 +++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
>> index e3d5e26058c0..c1557ef5d848 100644
>> --- a/hw/ssi/aspeed_smc.c
>> +++ b/hw/ssi/aspeed_smc.c
>> @@ -127,6 +127,8 @@
>>
>>  /* DMA Control/Status Register */
>>  #define R_DMA_CTRL(0x80 / 4)
>> +#define   DMA_CTRL_REQUEST  (1 << 31)
>> +#define   DMA_CTRL_GRANT(1 << 30)
>>  #define   DMA_CTRL_DELAY_MASK   0xf
>>  #define   DMA_CTRL_DELAY_SHIFT  8
>>  #define   DMA_CTRL_FREQ_MASK0xf
>> @@ -1237,6 +1239,11 @@ static void aspeed_smc_dma_done(AspeedSMCState *s)
>>
>>  static void aspeed_smc_dma_ctrl(AspeedSMCState *s, uint64_t dma_ctrl)
>>  {
>> +if (dma_ctrl & DMA_CTRL_REQUEST) {
>> +s->regs[R_DMA_CTRL] = dma_ctrl | DMA_CTRL_GRANT;
>> +return;
>> +}
>> +
>>  if (!(dma_ctrl & DMA_CTRL_ENABLE)) {
>>  s->regs[R_DMA_CTRL] = dma_ctrl;
>>
>> --
>> 2.26.2
>>

[Bug 1905521] [NEW] assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion `s->current' failed

2020-11-24 Thread Gaoning Pan 
Public bug reported:

Hello,

I found an assertion failure in hw/scsi/lsi53c895a.c:624

This was found in latest version 5.2.0.


my reproduced environment is as follows:
Host: ubuntu 18.04
Guest: ubuntu 18.04


QEMU boot command line:
qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive 
format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:-:22 -display 
none -device lsi53c895a -trace lsi\*

Backtrace is as follows:
#0  0x7f845c6eff47 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
#1  0x7f845c6f18b1 in __GI_abort () at abort.c:79
#2  0x7f845c6e142a in __assert_fail_base (fmt=0x7f845c868a38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55a1034486a0 
"s->current", file=file@entry=0x55a103448360 "../hw/scsi/lsi53c895a.c", 
line=line@entry=624, function=function@entry=0x55a10344ae60 
<__PRETTY_FUNCTION__.31674> "lsi_do_dma") at assert.c:92
#3  0x7f845c6e14a2 in __GI___assert_fail (assertion=0x55a1034486a0 
"s->current", file=0x55a103448360 "../hw/scsi/lsi53c895a.c", line=624, 
function=0x55a10344ae60 <__PRETTY_FUNCTION__.31674> "lsi_do_dma") at 
assert.c:101
#4  0x55a102049c65 in lsi_do_dma (s=0x6260c100, out=1) at 
../hw/scsi/lsi53c895a.c:624
#5  0x55a102051573 in lsi_execute_script (s=0x6260c100) at 
../hw/scsi/lsi53c895a.c:1250
#6  0x55a10205b05d in lsi_reg_writeb (s=0x6260c100, offset=47, val=178 
'\262') at ../hw/scsi/lsi53c895a.c:1984
#7  0x55a10205fef8 in lsi_io_write (opaque=0x6260c100, addr=47, 
val=178, size=1) at ../hw/scsi/lsi53c895a.c:2146
#8  0x55a102d1b791 in memory_region_write_accessor (mr=0x6260cbe0, 
addr=47, value=0x7f8349dfe2f8, size=1, shift=0, mask=255, attrs=...) at 
../softmmu/memory.c:484
#9  0x55a102d1bba8 in access_with_adjusted_size (addr=47, 
value=0x7f8349dfe2f8, size=1, access_size_min=1, access_size_max=1, 
access_fn=0x55a102d1b4de , mr=0x6260cbe0, 
attrs=...) at ../softmmu/memory.c:545
#10 0x55a102d261ef in memory_region_dispatch_write (mr=0x6260cbe0, 
addr=47, data=178, op=MO_8, attrs=...) at ../softmmu/memory.c:1494
#11 0x55a102b57c3c in flatview_write_continue (fv=0x606ea920, 
addr=49199, attrs=..., ptr=0x7f8449efb000, len=1, addr1=47, l=1, 
mr=0x6260cbe0) at ../softmmu/physmem.c:2767
#12 0x55a102b57f07 in flatview_write (fv=0x606ea920, addr=49199, 
attrs=..., buf=0x7f8449efb000, len=1) at ../softmmu/physmem.c:2807
#13 0x55a102b587cb in address_space_write (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1) at 
../softmmu/physmem.c:2899
#14 0x55a102b58878 in address_space_rw (as=0x55a105ebca80 
, addr=49199, attrs=..., buf=0x7f8449efb000, len=1, 
is_write=true) at ../softmmu/physmem.c:2909
#15 0x55a102ad4d50 in kvm_handle_io (port=49199, attrs=..., 
data=0x7f8449efb000, direction=1, size=1, count=1) at 
../accel/kvm/kvm-all.c:2283
#16 0x55a102ad6a0f in kvm_cpu_exec (cpu=0x62e00400) at 
../accel/kvm/kvm-all.c:2529
#17 0x55a102c26fbb in kvm_vcpu_thread_fn (arg=0x62e00400) at 
../accel/kvm/kvm-cpus.c:49
#18 0x55a1032c08f8 in qemu_thread_start (args=0x60382780) at 
../util/qemu-thread-posix.c:521
#19 0x7f845caa96db in start_thread (arg=0x7f8349dff700) at 
pthread_create.c:463
#20 0x7f845c7d2a3f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95


The poc is attached.

** Affects: qemu
 Importance: Undecided
 Assignee: Gaoning Pan (hades0506)
 Status: New

** Attachment added: "lsi-assert.c"
   
https://bugs.launchpad.net/bugs/1905521/+attachment/5437756/+files/lsi-assert.c

** Changed in: qemu
 Assignee: (unassigned) => Gaoning Pan (hades0506)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905521

Title:
  assert issue locates in hw/scsi/lsi53c895a.c:624: lsi_do_dma:
  Assertion `s->current' failed

Status in QEMU:
  New

Bug description:
  Hello,

  I found an assertion failure in hw/scsi/lsi53c895a.c:624

  This was found in latest version 5.2.0.

  
  my reproduced environment is as follows:
  Host: ubuntu 18.04
  Guest: ubuntu 18.04


  QEMU boot command line:
  qemu-system-x86_64 -enable-kvm -boot c -m 4G -drive 
format=qcow2,file=./ubuntu.img -nic user,hostfwd=tcp:0.0.0.0:-:22 -display 
none -device lsi53c895a -trace lsi\*

  Backtrace is as follows:
  #0  0x7f845c6eff47 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x7f845c6f18b1 in __GI_abort () at abort.c:79
  #2  0x7f845c6e142a in __assert_fail_base (fmt=0x7f845c868a38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55a1034486a0 
"s->current", file=file@entry=0x55a103448360 "../hw/scsi/lsi53c895a.c", 
line=line@entry=624, function=function@entry=0x55a10344ae60 
<__PRETTY_FUNCTION__.31674> "lsi_do_dma") at assert.c:92
  #3  0x7f845c6e14a2 in __GI___assert_fail (assertion=0x55a103

Re: [RFC PATCH 00/27] vDPA software assisted live migration

2020-11-24 Thread Jason Wang 



On 2020/11/21 上午2:50, Eugenio Pérez wrote:

This series enable vDPA software assisted live migration for vhost-net
devices. This is a new method of vhost devices migration: Instead of
relay on vDPA device's dirty logging capability, SW assisted LM
intercepts dataplane, forwarding the descriptors between VM and device.

In this migration mode, qemu offers a new vring to the device to
read and write into, and disable vhost notifiers, processing guest and
vhost notifications in qemu. On used buffer relay, qemu will mark the
dirty memory as with plain virtio-net devices. This way, devices does
not need to have dirty page logging capability.

This series is a POC doing SW LM for vhost-net devices, which already
have dirty page logging capabilities. None of the changes have actual
effect with current devices until last two patches (26 and 27) are
applied, but they can be rebased on top of any other. These checks the
device to meet all requirements, and disable vhost-net devices logging
so migration goes through SW LM. This last patch is not meant to be
applied in the final revision, it is in the series just for testing
purposes.

For use SW assisted LM these vhost-net devices need to be instantiated:
* With IOMMU (iommu_platform=on,ats=on)
* Without event_idx (event_idx=off)



So a question is at what level do we want to implement qemu assisted 
live migration. To me it could be done at two levels:


1) generic vhost level which makes it work for both vhost-net/vhost-user 
and vhost-vDPA

2) a specific type of vhost

To me, having a generic one looks better but it would be much more 
complicated. So what I read from this series is it was a vhost kernel 
specific software assisted live migration which is a good start. 
Actually it may even have real use case, e.g it can save dirty bitmaps 
for guest with large memory. But we need to address the above 
limitations first.


So I would like to know what's the reason for mandating iommu platform 
and ats? And I think we need to fix case of event idx support.





Just the notification forwarding (with no descriptor relay) can be
achieved with patches 7 and 9, and starting migration. Partial applies
between 13 and 24 will not work while migrating on source, and patch
25 is needed for the destination to resume network activity.

It is based on the ideas of DPDK SW assisted LM, in the series of



Actually we're better than that since there's no need the trick like 
hardcoded IOVA for mediated(shadow) virtqueue.




DPDK's https://patchwork.dpdk.org/cover/48370/ .



I notice that you do GPA->VA translations and try to establish a VA->VA 
(use VA as IOVA) mapping via device IOTLB. This shortcut should work for 
vhost-kernel/user but not vhost-vDPA. The reason is that there's no 
guarantee that the whole 64bit address range could be used as IOVA. One 
example is that for hardware IOMMU like intel, it usually has 47 or 52 
bits of address width.


So we probably need an IOVA allocator that can make sure the IOVA is not 
overlapped and fit for [1]. We can probably build the IOVA for guest VA 
via memory listeners. Then we have


1) IOVA for GPA
2) IOVA for shadow VQ

And advertise IOVA to VA mapping to vhost.

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b48dc03e575a872404f33b04cd237953c5d7498





Comments are welcome.

Thanks!

Eugenio Pérez (27):
   vhost: Add vhost_dev_can_log
   vhost: Add device callback in vhost_migration_log
   vhost: Move log resize/put to vhost_dev_set_log
   vhost: add vhost_kernel_set_vring_enable
   vhost: Add hdev->dev.sw_lm_vq_handler
   virtio: Add virtio_queue_get_used_notify_split
   vhost: Route guest->host notification through qemu
   vhost: Add a flag for software assisted Live Migration
   vhost: Route host->guest notification through qemu
   vhost: Allocate shadow vring
   virtio: const-ify all virtio_tswap* functions
   virtio: Add virtio_queue_full
   vhost: Send buffers to device
   virtio: Remove virtio_queue_get_used_notify_split
   vhost: Do not invalidate signalled used
   virtio: Expose virtqueue_alloc_element
   vhost: add vhost_vring_set_notification_rcu
   vhost: add vhost_vring_poll_rcu
   vhost: add vhost_vring_get_buf_rcu
   vhost: Return used buffers
   vhost: Add vhost_virtqueue_memory_unmap
   vhost: Add vhost_virtqueue_memory_map
   vhost: unmap qemu's shadow virtqueues on sw live migration
   vhost: iommu changes
   vhost: Do not commit vhost used idx on vhost_virtqueue_stop
   vhost: Add vhost_hdev_can_sw_lm
   vhost: forbid vhost devices logging

  hw/virtio/vhost-sw-lm-ring.h  |  39 +++
  include/hw/virtio/vhost.h |   5 +
  include/hw/virtio/virtio-access.h |   8 +-
  include/hw/virtio/virtio.h|   4 +
  hw/net/virtio-net.c   |  39 ++-
  hw/virtio/vhost-backend.c |  29 ++
  hw/virtio/vhost-sw-lm-ring.c  | 268 +++
  hw/virtio/vhost.c | 431 +-
  hw/virtio/virtio.c

Re: [PATCH v2 3/8] qnum: QNumValue type for QNum value literals

2020-11-24 Thread Markus Armbruster 
Eduardo Habkost  writes:

> On Tue, Nov 24, 2020 at 04:20:37PM +0100, Markus Armbruster wrote:
>> Eduardo Habkost  writes:
>> 
>> > On Tue, Nov 24, 2020 at 09:49:30AM +0100, Markus Armbruster wrote:
>> >> Eduardo Habkost  writes:
>> >> 
>> >> > On Mon, Nov 23, 2020 at 08:51:27AM +0100, Markus Armbruster wrote:
>> >> >> Eduardo Habkost  writes:
>> >> >> 
>> >> >> > On Fri, Nov 20, 2020 at 06:29:16AM +0100, Markus Armbruster wrote:
>> >> >> [...]
>> >> >> >> When the structure of a data type is to be kept away from its 
>> >> >> >> users, I
>> >> >> >> prefer to keep it out of the public header, so the compiler 
>> >> >> >> enforces the
>> >> >> >> encapsulation.
>> >> >> >
>> >> >> > I prefer that too, except that it is impossible when users of the
>> >> >> > API need the compiler to know the struct size.
>> >> >> 
>> >> >> There are cases where the structure of a data type should be
>> >> >> encapsulated, yet its size must be made known for performance (avoid
>> >> >> dynamic memory allocation and pointer chasing).
>> >> >> 
>> >> >> Need for encapsulation correlates with complex algorithms and data
>> >> >> structures.  The cost of dynamic allocation is often in the noise then.
>> >> >
>> >> > I don't know what we are talking about anymore.  None of this
>> >> > applies to the QNum API, right?
>> >> >
>> >> > QNum/QNumValue are not complex data structures, and the reason we
>> >> > need the compiler to know the size of QNumValue is not related to
>> >> > performance at all.
>> >> 
>> >> We started with the question whether to make QNumValue's members
>> >> private.  We digressed to the question when to make members private.
>> >> So back to the original question.
>> >> 
>> >> > We might still want to discourage users of the QNum API from
>> >> > accessing QNum.u/QNumValue.u directly.  Documenting the field as
>> >> > private is a very easy way to do it.
>> >> 
>> >> It's a complete non-issue.  QNum has been around for years, and we
>> >> haven't had any issues that could've been plausibly avoided by asking
>> >> people to refrain from accessing its members.
>> >> 
>> >> If there was an actual need to keep the members private, I'd move the
>> >> struct out of the header, so the compiler enforces privacy.
>> >
>> > Understood.  There's still a question I'd like to answer, to
>> > decide how the API documentation should look like:
>> >
>> >   Is QNum.u/QNumValue.u required to be part of the API
>> >   documentation?
>> >
>> > If accessing that field directly is not necessary for using the
>> > API, I don't think it should appear in the documentation (because
>> > it would be just noise).
>> 
>> The current patch's comment on QNumValue looks good to me.
>> 
>> Does this answer your question?
>
> The current patch (v3) doesn't address the question.  It doesn't
> include documentation for the field, but doesn't hide it.
> kernel-doc will print a warning on that case.

Do we care?  How many such warnings exist before the patch?  Does this
series add just this one, or more?

Use your judgement, then be ready to explain it :)

[Bug 1905356] Re: No check for unaligned data access in ARM32 instructions

2020-11-24 Thread Richard Henderson 
Proposed patches:
https://patchew.org/QEMU/20201125040642.2339476-1-richard.hender...@linaro.org/

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905356

Title:
  No check for unaligned data access in ARM32 instructions

Status in QEMU:
  Confirmed

Bug description:
  hi

  According to the ARM documentation, there are alignment requirements
  of load/store instructions.  Alignment fault should be raised if the
  alignment check is failed. However, it seems that QEMU doesn't
  implement this, which is against the documentation of ARM. For
  example, the instruction LDRD/STRD/LDREX/STREX must check the address
  is word alignment no matter what value the SCTLR.A is.

  I attached a testcase, which contains an instruction at VA 0x10240:
  ldrd r0,[pc.#1] in the main function. QEMU can successfully load the
  data in the unaligned address. The test is done in QEMU 5.1.0. I can
  provide more testcases for the other instructions if you need. Many
  thanks.

  To patch this, we need a check while we translate the instruction to
  tcg. If the address is unaligned, a signal number (i.e., SIGBUS)
  should be raised.

  Regards
  Muhui

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905356/+subscriptions

Re: [PATCH v1] configure: remove python pkg_resources check

2020-11-24 Thread Thomas Huth 
On 24/11/2020 22.19, Olaf Hering wrote:
> Since meson.git#0240d760c7699a059cc89e584363c6431cdd2b61 setuptools is not 
> required anymore.

That commit was part of meson 0.55.1. We require at least meson 0.55.3. So
right, this should be fine.

> Signed-off-by: Olaf Hering 
> ---
>  configure | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/configure b/configure
> index 8c5d2f9a69..ce9b3c0a33 100755
> --- a/configure
> +++ b/configure
> @@ -1913,9 +1913,6 @@ fi
>  
>  case "$meson" in
>  git | internal)
> -if ! $python -c 'import pkg_resources' > /dev/null 2>&1; then
> -error_exit "Python setuptools not found"
> -fi
>  meson="$python ${source_path}/meson/meson.py"
>  ;;
>  *) meson=$(command -v "$meson") ;;

Reviewed-by: Thomas Huth 

I guess we could now also remove the corresponding package from the docker
and vm files?

$ grep -r setuptool tests/
tests/docker/dockerfiles/debian10.docker: python3-setuptools \
tests/docker/dockerfiles/fedora-win32-cross.docker:python3-setuptools \
tests/docker/dockerfiles/fedora-win64-cross.docker:python3-setuptools \
tests/vm/freebsd:"py37-setuptools",
tests/vm/openbsd:"py3-setuptools",
tests/vm/haiku.x86_64:"setuptools_python3"
tests/vm/netbsd:"py37-setuptools",

[PATCH 11/11] target/arm: Enforce alignment for VLDn/VSTn (single)

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-neon.c.inc | 39 ++---
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-neon.c.inc b/target/arm/translate-neon.c.inc
index 330b5fc7b0..160dc3d755 100644
--- a/target/arm/translate-neon.c.inc
+++ b/target/arm/translate-neon.c.inc
@@ -602,6 +602,7 @@ static bool trans_VLDST_single(DisasContext *s, 
arg_VLDST_single *a)
 int nregs = a->n + 1;
 int vd = a->vd;
 TCGv_i32 addr, tmp;
+MemOp mop;
 
 if (!arm_dc_feature(s, ARM_FEATURE_NEON)) {
 return false;
@@ -651,25 +652,47 @@ static bool trans_VLDST_single(DisasContext *s, 
arg_VLDST_single *a)
 return true;
 }
 
+mop = s->be_data | a->size;
+if (a->align) {
+static const MemOp mop_align[] = {
+MO_ALIGN_2, MO_ALIGN_4, MO_ALIGN_8, MO_ALIGN_16
+};
+
+switch (nregs) {
+case 1:
+mop |= MO_ALIGN;
+break;
+case 2:
+mop |= mop_align[a->size];
+break;
+case 3:
+/* the align field is repurposed for VLD3 */
+break;
+case 4:
+mop |= mop_align[a->size + a->align];
+break;
+default:
+g_assert_not_reached();
+}
+}
+
 tmp = tcg_temp_new_i32();
 addr = tcg_temp_new_i32();
 load_reg_var(s, addr, a->rn);
-/*
- * TODO: if we implemented alignment exceptions, we should check
- * addr against the alignment encoded in a->align here.
- */
+
 for (reg = 0; reg < nregs; reg++) {
 if (a->l) {
-gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s),
-s->be_data | a->size);
+gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s), mop);
 neon_store_element(vd, a->reg_idx, a->size, tmp);
 } else { /* Store */
 neon_load_element(tmp, vd, a->reg_idx, a->size);
-gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
-s->be_data | a->size);
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s), mop);
 }
 vd += a->stride;
 tcg_gen_addi_i32(addr, addr, 1 << a->size);
+
+/* Subsequent memory operations inherit alignment */
+mop &= ~MO_AMASK;
 }
 tcg_temp_free_i32(addr);
 tcg_temp_free_i32(tmp);
-- 
2.25.1

[PATCH 08/11] target/arm: Enforce alignment for VLD1 (all lanes)

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-neon.c.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate-neon.c.inc b/target/arm/translate-neon.c.inc
index f6c68e30ab..32e47331a5 100644
--- a/target/arm/translate-neon.c.inc
+++ b/target/arm/translate-neon.c.inc
@@ -518,6 +518,7 @@ static bool trans_VLD_all_lanes(DisasContext *s, 
arg_VLD_all_lanes *a)
 int reg, stride, vec_size;
 int vd = a->vd;
 int size = a->size;
+MemOp mop = size | s->be_data | (a->a ? MO_ALIGN : 0);
 int nregs = a->n + 1;
 TCGv_i32 addr, tmp;
 
@@ -559,8 +560,7 @@ static bool trans_VLD_all_lanes(DisasContext *s, 
arg_VLD_all_lanes *a)
 addr = tcg_temp_new_i32();
 load_reg_var(s, addr, a->rn);
 for (reg = 0; reg < nregs; reg++) {
-gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s),
-s->be_data | size);
+gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s), mop);
 if ((vd & 1) && vec_size == 16) {
 /*
  * We cannot write 16 bytes at once because the
-- 
2.25.1

[PATCH 05/11] target/arm: Enforce alignment for SRS

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 4406f6a67c..b1f43bfb8f 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -5124,11 +5124,13 @@ static void gen_srs(DisasContext *s,
 }
 tcg_gen_addi_i32(addr, addr, offset);
 tmp = load_reg(s, 14);
-gen_aa32_st32(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 tcg_temp_free_i32(tmp);
 tmp = load_cpu_field(spsr);
 tcg_gen_addi_i32(addr, addr, 4);
-gen_aa32_st32(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 tcg_temp_free_i32(tmp);
 if (writeback) {
 switch (amode) {
-- 
2.25.1

[PATCH 09/11] target/arm: Enforce alignment for VLDn/VSTn (multiple)

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-neon.c.inc | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/target/arm/translate-neon.c.inc b/target/arm/translate-neon.c.inc
index 32e47331a5..c4be019d9c 100644
--- a/target/arm/translate-neon.c.inc
+++ b/target/arm/translate-neon.c.inc
@@ -427,9 +427,12 @@ static void gen_neon_ldst_base_update(DisasContext *s, int 
rm, int rn,
 
 static bool trans_VLDST_multiple(DisasContext *s, arg_VLDST_multiple *a)
 {
+static const MemOp mop_align[4] = {
+0, MO_ALIGN_8, MO_ALIGN_16, MO_ALIGN_32
+};
 /* Neon load/store multiple structures */
 int nregs, interleave, spacing, reg, n;
-MemOp endian = s->be_data;
+MemOp mop, endian = s->be_data;
 int mmu_idx = get_mem_index(s);
 int size = a->size;
 TCGv_i64 tmp64;
@@ -487,6 +490,10 @@ static bool trans_VLDST_multiple(DisasContext *s, 
arg_VLDST_multiple *a)
 addr = tcg_temp_new_i32();
 tmp = tcg_const_i32(1 << size);
 load_reg_var(s, addr, a->rn);
+
+/* Enforce the requested alignment for the first memory operation. */
+mop = endian | size | mop_align[a->align];
+
 for (reg = 0; reg < nregs; reg++) {
 for (n = 0; n < 8 >> size; n++) {
 int xs;
@@ -494,13 +501,16 @@ static bool trans_VLDST_multiple(DisasContext *s, 
arg_VLDST_multiple *a)
 int tt = a->vd + reg + spacing * xs;
 
 if (a->l) {
-gen_aa32_ld_i64(s, tmp64, addr, mmu_idx, endian | size);
+gen_aa32_ld_i64(s, tmp64, addr, mmu_idx, mop);
 neon_store_element64(tt, n, size, tmp64);
 } else {
 neon_load_element64(tmp64, tt, n, size);
-gen_aa32_st_i64(s, tmp64, addr, mmu_idx, endian | size);
+gen_aa32_st_i64(s, tmp64, addr, mmu_idx, mop);
 }
 tcg_gen_add_i32(addr, addr, tmp);
+
+/* Subsequent memory operations inherit alignment */
+mop &= ~MO_AMASK;
 }
 }
 }
-- 
2.25.1

[Bug 1905356] Re: No check for unaligned data access in ARM32 instructions

2020-11-24 Thread Richard Henderson 
Because for user-only, we cheat and use host load/store
operations directly.  This makes for much faster emulation
but imposes a number of limitations -- including ignoring
of the alignment bits on hosts that have native unaligned
accesses.

As a corollary, when running user-only on a host that
enforces alignment, you cannot emulate a guest that
*allows* unaligned accesses.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905356

Title:
  No check for unaligned data access in ARM32 instructions

Status in QEMU:
  Confirmed

Bug description:
  hi

  According to the ARM documentation, there are alignment requirements
  of load/store instructions.  Alignment fault should be raised if the
  alignment check is failed. However, it seems that QEMU doesn't
  implement this, which is against the documentation of ARM. For
  example, the instruction LDRD/STRD/LDREX/STREX must check the address
  is word alignment no matter what value the SCTLR.A is.

  I attached a testcase, which contains an instruction at VA 0x10240:
  ldrd r0,[pc.#1] in the main function. QEMU can successfully load the
  data in the unaligned address. The test is done in QEMU 5.1.0. I can
  provide more testcases for the other instructions if you need. Many
  thanks.

  To patch this, we need a check while we translate the instruction to
  tcg. If the address is unaligned, a signal number (i.e., SIGBUS)
  should be raised.

  Regards
  Muhui

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905356/+subscriptions

[PATCH 10/11] target/arm: Fix decode of align in VLDST_single

2020-11-24 Thread Richard Henderson 
The encoding of size = 2 and size = 3 had the incorrect decode
for align, overlapping the stride field.  This error was hidden
by what should have been unnecessary masking in translate.

Signed-off-by: Richard Henderson 
---
 target/arm/neon-ls.decode   | 4 ++--
 target/arm/translate-neon.c.inc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/neon-ls.decode b/target/arm/neon-ls.decode
index c17f5019e3..0a2a0e15db 100644
--- a/target/arm/neon-ls.decode
+++ b/target/arm/neon-ls.decode
@@ -46,7 +46,7 @@ VLD_all_lanes   0100 1 . 1 0 rn:4  11 n:2 size:2 t:1 
a:1 rm:4 \
 
 VLDST_single    0100 1 . l:1 0 rn:4  00 n:2 reg_idx:3 align:1 rm:4 \
vd=%vd_dp size=0 stride=1
-VLDST_single    0100 1 . l:1 0 rn:4  01 n:2 reg_idx:2 align:2 rm:4 \
+VLDST_single    0100 1 . l:1 0 rn:4  01 n:2 reg_idx:2 . align:1 rm:4 \
vd=%vd_dp size=1 stride=%imm1_5_p1
-VLDST_single    0100 1 . l:1 0 rn:4  10 n:2 reg_idx:1 align:3 rm:4 \
+VLDST_single    0100 1 . l:1 0 rn:4  10 n:2 reg_idx:1 . align:2 rm:4 \
vd=%vd_dp size=2 stride=%imm1_6_p1
diff --git a/target/arm/translate-neon.c.inc b/target/arm/translate-neon.c.inc
index c4be019d9c..330b5fc7b0 100644
--- a/target/arm/translate-neon.c.inc
+++ b/target/arm/translate-neon.c.inc
@@ -616,7 +616,7 @@ static bool trans_VLDST_single(DisasContext *s, 
arg_VLDST_single *a)
 switch (nregs) {
 case 1:
 if (((a->align & (1 << a->size)) != 0) ||
-(a->size == 2 && ((a->align & 3) == 1 || (a->align & 3) == 2))) {
+(a->size == 2 && (a->align == 1 || a->align == 2))) {
 return false;
 }
 break;
@@ -631,7 +631,7 @@ static bool trans_VLDST_single(DisasContext *s, 
arg_VLDST_single *a)
 }
 break;
 case 4:
-if ((a->size == 2) && ((a->align & 3) == 3)) {
+if (a->size == 2 && a->align == 3) {
 return false;
 }
 break;
-- 
2.25.1

[PATCH 03/11] target/arm: Enforce alignment for LDM/STM

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 73b3d8cbbf..fe4400fa6c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -7814,7 +7814,7 @@ static bool op_stm(DisasContext *s, arg_ldst_block *a, 
int min_n)
 } else {
 tmp = load_reg(s, i);
 }
-gen_aa32_st32(s, tmp, addr, mem_idx);
+gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN | s->be_data);
 tcg_temp_free_i32(tmp);
 
 /* No need to add after the last transfer.  */
@@ -7889,7 +7889,7 @@ static bool do_ldm(DisasContext *s, arg_ldst_block *a, 
int min_n)
 }
 
 tmp = tcg_temp_new_i32();
-gen_aa32_ld32u(s, tmp, addr, mem_idx);
+gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN | s->be_data);
 if (user) {
 tmp2 = tcg_const_i32(i);
 gen_helper_set_user_reg(cpu_env, tmp2, tmp);
-- 
2.25.1

[PATCH 02/11] target/arm: Enforce alignment for LDA/LDAH/STL/STLH

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 17883d00f4..73b3d8cbbf 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -6876,7 +6876,7 @@ static bool op_stl(DisasContext *s, arg_STL *a, MemOp mop)
 
 static bool trans_STL(DisasContext *s, arg_STL *a)
 {
-return op_stl(s, a, MO_UL);
+return op_stl(s, a, MO_UL | MO_ALIGN);
 }
 
 static bool trans_STLB(DisasContext *s, arg_STL *a)
@@ -6886,7 +6886,7 @@ static bool trans_STLB(DisasContext *s, arg_STL *a)
 
 static bool trans_STLH(DisasContext *s, arg_STL *a)
 {
-return op_stl(s, a, MO_UW);
+return op_stl(s, a, MO_UW | MO_ALIGN);
 }
 
 static bool op_ldrex(DisasContext *s, arg_LDREX *a, MemOp mop, bool acq)
@@ -7033,7 +7033,7 @@ static bool op_lda(DisasContext *s, arg_LDA *a, MemOp mop)
 
 static bool trans_LDA(DisasContext *s, arg_LDA *a)
 {
-return op_lda(s, a, MO_UL);
+return op_lda(s, a, MO_UL | MO_ALIGN);
 }
 
 static bool trans_LDAB(DisasContext *s, arg_LDA *a)
@@ -7043,7 +7043,7 @@ static bool trans_LDAB(DisasContext *s, arg_LDA *a)
 
 static bool trans_LDAH(DisasContext *s, arg_LDA *a)
 {
-return op_lda(s, a, MO_UW);
+return op_lda(s, a, MO_UW | MO_ALIGN);
 }
 
 /*
-- 
2.25.1

[PATCH 06/11] target/arm: Enforce alignment for VLDM/VSTM

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-vfp.c.inc | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
index 96948f5a2d..58b31ecc3f 100644
--- a/target/arm/translate-vfp.c.inc
+++ b/target/arm/translate-vfp.c.inc
@@ -1065,12 +1065,14 @@ static bool trans_VLDM_VSTM_sp(DisasContext *s, 
arg_VLDM_VSTM_sp *a)
 for (i = 0; i < n; i++) {
 if (a->l) {
 /* load */
-gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
+gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 vfp_store_reg32(tmp, a->vd + i);
 } else {
 /* store */
 vfp_load_reg32(tmp, a->vd + i);
-gen_aa32_st32(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 }
 tcg_gen_addi_i32(addr, addr, offset);
 }
@@ -1148,12 +1150,14 @@ static bool trans_VLDM_VSTM_dp(DisasContext *s, 
arg_VLDM_VSTM_dp *a)
 for (i = 0; i < n; i++) {
 if (a->l) {
 /* load */
-gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
+gen_aa32_ld_i64(s, tmp, addr, get_mem_index(s),
+MO_Q | MO_ALIGN_4 | s->be_data);
 vfp_store_reg64(tmp, a->vd + i);
 } else {
 /* store */
 vfp_load_reg64(tmp, a->vd + i);
-gen_aa32_st64(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i64(s, tmp, addr, get_mem_index(s),
+MO_Q | MO_ALIGN_4 | s->be_data);
 }
 tcg_gen_addi_i32(addr, addr, offset);
 }
-- 
2.25.1

[PATCH 07/11] target/arm: Enforce alignment for VLDR/VSTR

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate-vfp.c.inc | 18 --
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
index 58b31ecc3f..51e85c2767 100644
--- a/target/arm/translate-vfp.c.inc
+++ b/target/arm/translate-vfp.c.inc
@@ -926,11 +926,13 @@ static bool trans_VLDR_VSTR_hp(DisasContext *s, 
arg_VLDR_VSTR_sp *a)
 addr = add_reg_for_lit(s, a->rn, offset);
 tmp = tcg_temp_new_i32();
 if (a->l) {
-gen_aa32_ld16u(s, tmp, addr, get_mem_index(s));
+gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s),
+MO_UW | MO_ALIGN | s->be_data);
 vfp_store_reg32(tmp, a->vd);
 } else {
 vfp_load_reg32(tmp, a->vd);
-gen_aa32_st16(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
+MO_UW | MO_ALIGN | s->be_data);
 }
 tcg_temp_free_i32(tmp);
 tcg_temp_free_i32(addr);
@@ -960,11 +962,13 @@ static bool trans_VLDR_VSTR_sp(DisasContext *s, 
arg_VLDR_VSTR_sp *a)
 addr = add_reg_for_lit(s, a->rn, offset);
 tmp = tcg_temp_new_i32();
 if (a->l) {
-gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
+gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 vfp_store_reg32(tmp, a->vd);
 } else {
 vfp_load_reg32(tmp, a->vd);
-gen_aa32_st32(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i32(s, tmp, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 }
 tcg_temp_free_i32(tmp);
 tcg_temp_free_i32(addr);
@@ -1001,11 +1005,13 @@ static bool trans_VLDR_VSTR_dp(DisasContext *s, 
arg_VLDR_VSTR_dp *a)
 addr = add_reg_for_lit(s, a->rn, offset);
 tmp = tcg_temp_new_i64();
 if (a->l) {
-gen_aa32_ld64(s, tmp, addr, get_mem_index(s));
+gen_aa32_ld_i64(s, tmp, addr, get_mem_index(s),
+MO_Q | MO_ALIGN_4 | s->be_data);
 vfp_store_reg64(tmp, a->vd);
 } else {
 vfp_load_reg64(tmp, a->vd);
-gen_aa32_st64(s, tmp, addr, get_mem_index(s));
+gen_aa32_st_i64(s, tmp, addr, get_mem_index(s),
+MO_Q | MO_ALIGN_4 | s->be_data);
 }
 tcg_temp_free_i64(tmp);
 tcg_temp_free_i32(addr);
-- 
2.25.1

[PATCH 04/11] target/arm: Enforce alignment for RFE

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index fe4400fa6c..4406f6a67c 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -8250,10 +8250,12 @@ static bool trans_RFE(DisasContext *s, arg_RFE *a)
 
 /* Load PC into tmp and CPSR into tmp2.  */
 t1 = tcg_temp_new_i32();
-gen_aa32_ld32u(s, t1, addr, get_mem_index(s));
+gen_aa32_ld_i32(s, t1, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 tcg_gen_addi_i32(addr, addr, 4);
 t2 = tcg_temp_new_i32();
-gen_aa32_ld32u(s, t2, addr, get_mem_index(s));
+gen_aa32_ld_i32(s, t2, addr, get_mem_index(s),
+MO_UL | MO_ALIGN | s->be_data);
 
 if (a->w) {
 /* Base writeback.  */
-- 
2.25.1

[PATCH 01/11] target/arm: Enforce word alignment for LDRD/STRD

2020-11-24 Thread Richard Henderson 
Signed-off-by: Richard Henderson 
---
 target/arm/translate.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index 6d04ca3a8a..17883d00f4 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -6458,7 +6458,7 @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
 addr = op_addr_rr_pre(s, a);
 
 tmp = tcg_temp_new_i32();
-gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | s->be_data);
+gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN_4 | s->be_data);
 store_reg(s, a->rt, tmp);
 
 tcg_gen_addi_i32(addr, addr, 4);
@@ -6487,7 +6487,7 @@ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
 addr = op_addr_rr_pre(s, a);
 
 tmp = load_reg(s, a->rt);
-gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | s->be_data);
+gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN_4 | s->be_data);
 tcg_temp_free_i32(tmp);
 
 tcg_gen_addi_i32(addr, addr, 4);
@@ -6595,7 +6595,7 @@ static bool op_ldrd_ri(DisasContext *s, arg_ldst_ri *a, 
int rt2)
 addr = op_addr_ri_pre(s, a);
 
 tmp = tcg_temp_new_i32();
-gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | s->be_data);
+gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN_4 | s->be_data);
 store_reg(s, a->rt, tmp);
 
 tcg_gen_addi_i32(addr, addr, 4);
@@ -6634,7 +6634,7 @@ static bool op_strd_ri(DisasContext *s, arg_ldst_ri *a, 
int rt2)
 addr = op_addr_ri_pre(s, a);
 
 tmp = load_reg(s, a->rt);
-gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | s->be_data);
+gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN_4 | s->be_data);
 tcg_temp_free_i32(tmp);
 
 tcg_gen_addi_i32(addr, addr, 4);
-- 
2.25.1

[PATCH for-6.0 00/11] target/arm: enforce alignment

2020-11-24 Thread Richard Henderson 
As reported in https://bugs.launchpad.net/bugs/1905356

Not implementing SCTLR.A, but all of the other required
alignment for SCTLR.A=0 in Table A3-1.


r~

Richard Henderson (11):
  target/arm: Enforce word alignment for LDRD/STRD
  target/arm: Enforce alignment for LDA/LDAH/STL/STLH
  target/arm: Enforce alignment for LDM/STM
  target/arm: Enforce alignment for RFE
  target/arm: Enforce alignment for SRS
  target/arm: Enforce alignment for VLDM/VSTM
  target/arm: Enforce alignment for VLDR/VSTR
  target/arm: Enforce alignment for VLD1 (all lanes)
  target/arm: Enforce alignment for VLDn/VSTn (multiple)
  target/arm: Fix decode of align in VLDST_single
  target/arm: Enforce alignment for VLDn/VSTn (single)

 target/arm/neon-ls.decode   |  4 +--
 target/arm/translate.c  | 32 +
 target/arm/translate-neon.c.inc | 63 +
 target/arm/translate-vfp.c.inc  | 30 ++--
 4 files changed, 88 insertions(+), 41 deletions(-)

-- 
2.25.1

[Bug 1905356] Re: No check for unaligned data access in ARM32 instructions

2020-11-24 Thread JIANG Muhui 
Thanks for confirmation.

Btw: I was wondering why the fix will only apply to system mode rather
than user-only mode. Unaligned data access is not permitted in user
level programs, either.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905356

Title:
  No check for unaligned data access in ARM32 instructions

Status in QEMU:
  Confirmed

Bug description:
  hi

  According to the ARM documentation, there are alignment requirements
  of load/store instructions.  Alignment fault should be raised if the
  alignment check is failed. However, it seems that QEMU doesn't
  implement this, which is against the documentation of ARM. For
  example, the instruction LDRD/STRD/LDREX/STREX must check the address
  is word alignment no matter what value the SCTLR.A is.

  I attached a testcase, which contains an instruction at VA 0x10240:
  ldrd r0,[pc.#1] in the main function. QEMU can successfully load the
  data in the unaligned address. The test is done in QEMU 5.1.0. I can
  provide more testcases for the other instructions if you need. Many
  thanks.

  To patch this, we need a check while we translate the instruction to
  tcg. If the address is unaligned, a signal number (i.e., SIGBUS)
  should be raised.

  Regards
  Muhui

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905356/+subscriptions

[Bug 1905356] Re: No check for unaligned data access in ARM32 instructions

2020-11-24 Thread Richard Henderson 
** Changed in: qemu
 Assignee: (unassigned) => Richard Henderson (rth)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905356

Title:
  No check for unaligned data access in ARM32 instructions

Status in QEMU:
  Confirmed

Bug description:
  hi

  According to the ARM documentation, there are alignment requirements
  of load/store instructions.  Alignment fault should be raised if the
  alignment check is failed. However, it seems that QEMU doesn't
  implement this, which is against the documentation of ARM. For
  example, the instruction LDRD/STRD/LDREX/STREX must check the address
  is word alignment no matter what value the SCTLR.A is.

  I attached a testcase, which contains an instruction at VA 0x10240:
  ldrd r0,[pc.#1] in the main function. QEMU can successfully load the
  data in the unaligned address. The test is done in QEMU 5.1.0. I can
  provide more testcases for the other instructions if you need. Many
  thanks.

  To patch this, we need a check while we translate the instruction to
  tcg. If the address is unaligned, a signal number (i.e., SIGBUS)
  should be raised.

  Regards
  Muhui

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905356/+subscriptions

Re: [PATCH for-6.0 1/2] aspeed/smc: Add support for address lane disablement

2020-11-24 Thread Joel Stanley 
On Fri, 20 Nov 2020 at 16:16, Cédric Le Goater  wrote:
>
> The controller can be configured to disable or enable address and data
> byte lanes when issuing commands. This is useful in read command mode
> to send SPI NOR commands that don't have an address space, such as
> RDID. It's a good way to have a unified read operation for registers
> and flash contents accesses.
>
> A new SPI driver proposed by Aspeed makes use of this feature. Add
> support for address lanes to start with. We will do the same for the
> data lanes if they are controlled one day.
>
> Cc: Chin-Ting Kuo 
> Signed-off-by: Cédric Le Goater 

Reviewed-by: Joel Stanley 

> ---
>  hw/ssi/aspeed_smc.c | 25 ++---
>  1 file changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
> index 795784e5f364..e3d5e26058c0 100644
> --- a/hw/ssi/aspeed_smc.c
> +++ b/hw/ssi/aspeed_smc.c
> @@ -71,6 +71,16 @@
>  #define   INTR_CTRL_CMD_ABORT_EN  (1 << 2)
>  #define   INTR_CTRL_WRITE_PROTECT_EN  (1 << 1)
>
> +/* Command Control Register */
> +#define R_CE_CMD_CTRL  (0x0C / 4)
> +#define   CTRL_ADDR_BYTE0_DISABLE_SHIFT   4
> +#define   CTRL_DATA_BYTE0_DISABLE_SHIFT   0
> +
> +#define aspeed_smc_addr_byte_enabled(s, i)   \
> +(!((s)->regs[R_CE_CMD_CTRL] & (1 << (CTRL_ADDR_BYTE0_DISABLE_SHIFT + 
> (i)
> +#define aspeed_smc_data_byte_enabled(s, i)   \
> +(!((s)->regs[R_CE_CMD_CTRL] & (1 << (CTRL_DATA_BYTE0_DISABLE_SHIFT + 
> (i)
> +
>  /* CEx Control Register */
>  #define R_CTRL0   (0x10 / 4)
>  #define   CTRL_IO_QPI  (1 << 31)
> @@ -702,19 +712,17 @@ static void aspeed_smc_flash_setup(AspeedSMCFlash *fl, 
> uint32_t addr)
>  {
>  const AspeedSMCState *s = fl->controller;
>  uint8_t cmd = aspeed_smc_flash_cmd(fl);
> -int i;
> +int i = aspeed_smc_flash_is_4byte(fl) ? 4 : 3;
>
>  /* Flash access can not exceed CS segment */
>  addr = aspeed_smc_check_segment_addr(fl, addr);
>
>  ssi_transfer(s->spi, cmd);
> -
> -if (aspeed_smc_flash_is_4byte(fl)) {
> -ssi_transfer(s->spi, (addr >> 24) & 0xff);
> +while (i--) {
> +if (aspeed_smc_addr_byte_enabled(s, i)) {
> +ssi_transfer(s->spi, (addr >> (i * 8)) & 0xff);
> +}
>  }
> -ssi_transfer(s->spi, (addr >> 16) & 0xff);
> -ssi_transfer(s->spi, (addr >> 8) & 0xff);
> -ssi_transfer(s->spi, (addr & 0xff));
>
>  /*
>   * Use fake transfers to model dummy bytes. The value should
> @@ -988,6 +996,7 @@ static uint64_t aspeed_smc_read(void *opaque, hwaddr 
> addr, unsigned int size)
>  (addr >= s->r_timings &&
>   addr < s->r_timings + s->ctrl->nregs_timings) ||
>  addr == s->r_ce_ctrl ||
> +addr == R_CE_CMD_CTRL ||
>  addr == R_INTR_CTRL ||
>  addr == R_DUMMY_DATA ||
>  (s->ctrl->has_dma && addr == R_DMA_CTRL) ||
> @@ -1276,6 +1285,8 @@ static void aspeed_smc_write(void *opaque, hwaddr addr, 
> uint64_t data,
>  if (value != s->regs[R_SEG_ADDR0 + cs]) {
>  aspeed_smc_flash_set_segment(s, cs, value);
>  }
> +} else if (addr == R_CE_CMD_CTRL) {
> +s->regs[addr] = value & 0xff;
>  } else if (addr == R_DUMMY_DATA) {
>  s->regs[addr] = value & 0xff;
>  } else if (addr == R_INTR_CTRL) {
> --
> 2.26.2
>

Re: [PATCH for-6.0 2/2] aspeed/smc: Add extra controls to request DMA

2020-11-24 Thread Joel Stanley 
On Fri, 20 Nov 2020 at 16:16, Cédric Le Goater  wrote:
>
> The controller has a set of hidden bits to request/grant DMA access.

Do you have the ast2600 datasheet? It describes these bits:

31 RW DMA Request

Write SPIR80 = 0xAEED to set this bit ot '1'.
And hardware will clear the request to '0' after DMA done, or FW can
clear to '0' by writing SPIR80 = 0xDEEA.

30 RO DMA Grant

0: DMA is not allowed to be used. All DMA related control registers
are not allowed to be written.
1: DMA is granted to be used.

Do you want to add the magic behavior to your model?

>
> Cc: Chin-Ting Kuo 
> Signed-off-by: Cédric Le Goater 
> ---
>  hw/ssi/aspeed_smc.c | 7 +++
>  1 file changed, 7 insertions(+)
>
> diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
> index e3d5e26058c0..c1557ef5d848 100644
> --- a/hw/ssi/aspeed_smc.c
> +++ b/hw/ssi/aspeed_smc.c
> @@ -127,6 +127,8 @@
>
>  /* DMA Control/Status Register */
>  #define R_DMA_CTRL(0x80 / 4)
> +#define   DMA_CTRL_REQUEST  (1 << 31)
> +#define   DMA_CTRL_GRANT(1 << 30)
>  #define   DMA_CTRL_DELAY_MASK   0xf
>  #define   DMA_CTRL_DELAY_SHIFT  8
>  #define   DMA_CTRL_FREQ_MASK0xf
> @@ -1237,6 +1239,11 @@ static void aspeed_smc_dma_done(AspeedSMCState *s)
>
>  static void aspeed_smc_dma_ctrl(AspeedSMCState *s, uint64_t dma_ctrl)
>  {
> +if (dma_ctrl & DMA_CTRL_REQUEST) {
> +s->regs[R_DMA_CTRL] = dma_ctrl | DMA_CTRL_GRANT;
> +return;
> +}
> +
>  if (!(dma_ctrl & DMA_CTRL_ENABLE)) {
>  s->regs[R_DMA_CTRL] = dma_ctrl;
>
> --
> 2.26.2
>

Re: [PATCH for-6.0 5/9] spapr: Simplify error path of spapr_core_plug()

2020-11-24 Thread David Gibson 
On Tue, Nov 24, 2020 at 02:07:27PM +0100, Greg Kurz wrote:
> On Mon, 23 Nov 2020 16:13:18 +1100
> David Gibson  wrote:
> 
> > On Sat, Nov 21, 2020 at 12:42:04AM +0100, Greg Kurz wrote:
> > > spapr_core_pre_plug() already guarantees that the slot for the given core
> > > ID is available. It is thus safe to assume that spapr_find_cpu_slot()
> > > returns a slot during plug. Turn the error path into an assertion.
> > > It is also safe to assume that no device is attached to the corresponding
> > > DRC and that spapr_drc_attach() shouldn't fail.
> > > 
> > > Pass &error_abort to spapr_drc_attach() and simplify error handling.
> > > 
> > > Signed-off-by: Greg Kurz 
> > 
> > Applied to ppc-for-6.0, thanks.
> > 
> 
> This patch depends on the previous one.
> 
> > > ---
> > >  hw/ppc/spapr.c | 21 ++---
> > >  1 file changed, 10 insertions(+), 11 deletions(-)
> > > 
> > > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > > index da7586f548df..cfca033c7b14 100644
> > > --- a/hw/ppc/spapr.c
> > > +++ b/hw/ppc/spapr.c
> > > @@ -3739,8 +3739,7 @@ int spapr_core_dt_populate(SpaprDrc *drc, 
> > > SpaprMachineState *spapr,
> > >  return 0;
> > >  }
> > >  
> > > -static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState 
> > > *dev,
> > > -Error **errp)
> 
> ../../hw/ppc/spapr.c: In function ‘spapr_core_plug’:
> ../../hw/ppc/spapr.c:3802:32: error: ‘errp’ undeclared (first use in this 
> function); did you mean ‘errno’?
> errp) < 0) {
> ^~~~
> errno
> ../../hw/ppc/spapr.c:3802:32: note: each undeclared identifier is reported 
> only once for each function it appears in
> 
> Please either drop it from ppc-for-6.0 or possibly adapt spapr_core_plug()
> to handle errors from ppc_set_compat().

Dropped for now (along with a later patch that depended on this one).

> 
> 
> Since I can't see how this could fail for a hotplugged CPU if it
> succeeded for the boot CPU, I'd pass &error_abort despite this
> being a hotplug path.
> 
> 
> > > +static void spapr_core_plug(HotplugHandler *hotplug_dev, DeviceState 
> > > *dev)
> > >  {
> > >  SpaprMachineState *spapr = SPAPR_MACHINE(OBJECT(hotplug_dev));
> > >  MachineClass *mc = MACHINE_GET_CLASS(spapr);
> > > @@ -3755,20 +3754,20 @@ static void spapr_core_plug(HotplugHandler 
> > > *hotplug_dev, DeviceState *dev,
> > >  int i;
> > >  
> > >  core_slot = spapr_find_cpu_slot(MACHINE(hotplug_dev), cc->core_id, 
> > > &index);
> > > -if (!core_slot) {
> > > -error_setg(errp, "Unable to find CPU core with core-id: %d",
> > > -   cc->core_id);
> > > -return;
> > > -}
> > > +g_assert(core_slot); /* Already checked in spapr_core_pre_plug() */
> > > +
> > >  drc = spapr_drc_by_id(TYPE_SPAPR_DRC_CPU,
> > >spapr_vcpu_id(spapr, cc->core_id));
> > >  
> > >  g_assert(drc || !mc->has_hotpluggable_cpus);
> > >  
> > >  if (drc) {
> > > -if (!spapr_drc_attach(drc, dev, errp)) {
> > > -return;
> > > -}
> > > +/*
> > > + * spapr_core_pre_plug() already buys us this is a brand new
> > > + * core being plugged into a free slot. Nothing should already
> > > + * be attached to the corresponding DRC.
> > > + */
> > > +spapr_drc_attach(drc, dev, &error_abort);
> > >  
> > >  if (hotplugged) {
> > >  /*
> > > @@ -3981,7 +3980,7 @@ static void 
> > > spapr_machine_device_plug(HotplugHandler *hotplug_dev,
> > >  if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
> > >  spapr_memory_plug(hotplug_dev, dev);
> > >  } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_CPU_CORE)) {
> > > -spapr_core_plug(hotplug_dev, dev, errp);
> > > +spapr_core_plug(hotplug_dev, dev);
> > >  } else if (object_dynamic_cast(OBJECT(dev), 
> > > TYPE_SPAPR_PCI_HOST_BRIDGE)) {
> > >  spapr_phb_plug(hotplug_dev, dev, errp);
> > >  } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_TPM_PROXY)) {
> > 
> 



-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [PATCH for-6.0 4/9] spapr: Set compat mode in spapr_reset_vcpu()

2020-11-24 Thread David Gibson 
On Mon, Nov 23, 2020 at 12:51:08PM +0100, Greg Kurz wrote:
> On Mon, 23 Nov 2020 16:11:30 +1100
> David Gibson  wrote:
> 
> > On Sat, Nov 21, 2020 at 12:42:03AM +0100, Greg Kurz wrote:
> > > When it comes to resetting the compat mode of the vCPUS, there are
> > > two situations to consider:
> > > (1) machine reset should set the compat mode back to the machine default,
> > > ie. spapr->max_compat_pvr
> > > (2) hot plugged vCPUs should set their compat mode to mach the boot vCPU,
> > > ie. POWERPC_CPU(first_cpu)->compat_pvr
> > > 
> > > This is currently handled in two separate places: globally for all vCPUs
> > > from the machine reset code for (1) and for each thread of a core from
> > > the hotplug path for (2).
> > > 
> > > Since the machine reset code already resets all vCPUs, starting with boot
> > > vCPU, consolidate the logic in spapr_reset_vcpu(). Special case the boot
> > > vCPU so that it resets its compat mode back to the machine default. Any
> > > other vCPU just need to match the compat mode of the boot vCPU.
> > > 
> > > Failing to set the compat mode during machine reset is a fatal error,
> > > but not for hot plugged vCPUs. This is arguable because if we've been
> > > able to set the boot vCPU compat mode at CAS or during machine reset,
> > > it should definitely not fail for other vCPUs. Since spapr_reset_vcpu()
> > > already has a fatal error path for kvm_check_mmu() failures, do the
> > > same for ppc_set_compat().
> > > 
> > > This gets rid of an error path in spapr_core_plug(). It will allow
> > > further simplifications.
> > > 
> > > Signed-off-by: Greg Kurz 
> > > ---
> > >  hw/ppc/spapr.c  | 16 
> > >  hw/ppc/spapr_cpu_core.c | 13 +
> > >  2 files changed, 13 insertions(+), 16 deletions(-)
> > > 
> > > diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> > > index f58f77389e8e..da7586f548df 100644
> > > --- a/hw/ppc/spapr.c
> > > +++ b/hw/ppc/spapr.c
> > > @@ -1606,8 +1606,6 @@ static void spapr_machine_reset(MachineState 
> > > *machine)
> > >  spapr_ovec_cleanup(spapr->ov5_cas);
> > >  spapr->ov5_cas = spapr_ovec_new();
> > >  
> > > -ppc_set_compat_all(spapr->max_compat_pvr, &error_fatal);
> > > -
> > >  /*
> > >   * This is fixing some of the default configuration of the XIVE
> > >   * devices. To be called after the reset of the machine devices.
> > > @@ -3785,20 +3783,6 @@ static void spapr_core_plug(HotplugHandler 
> > > *hotplug_dev, DeviceState *dev,
> > >  
> > >  core_slot->cpu = OBJECT(dev);
> > >  
> > > -/*
> > > - * Set compatibility mode to match the boot CPU, which was either set
> > > - * by the machine reset code or by CAS.
> > > - */
> > > -if (hotplugged) {
> > > -for (i = 0; i < cc->nr_threads; i++) {
> > > -if (ppc_set_compat(core->threads[i],
> > > -   POWERPC_CPU(first_cpu)->compat_pvr,
> > > -   errp) < 0) {
> > > -return;
> > > -}
> > > -}
> > > -}
> > > -
> > >  if (smc->pre_2_10_has_unused_icps) {
> > >  for (i = 0; i < cc->nr_threads; i++) {
> > >  cs = CPU(core->threads[i]);
> > > diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> > > index 2f7dc3c23ded..17741a3fb77f 100644
> > > --- a/hw/ppc/spapr_cpu_core.c
> > > +++ b/hw/ppc/spapr_cpu_core.c
> > > @@ -27,6 +27,7 @@
> > >  
> > >  static void spapr_reset_vcpu(PowerPCCPU *cpu)
> > >  {
> > > +PowerPCCPU *first_ppc_cpu = POWERPC_CPU(first_cpu);
> > >  CPUState *cs = CPU(cpu);
> > >  CPUPPCState *env = &cpu->env;
> > >  PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
> > > @@ -69,6 +70,18 @@ static void spapr_reset_vcpu(PowerPCCPU *cpu)
> > >  kvm_check_mmu(cpu, &error_fatal);
> > >  
> > >  spapr_irq_cpu_intc_reset(spapr, cpu);
> > > +
> > > +/*
> > > + * The boot CPU is only reset during machine reset : reset its
> > > + * compatibility mode to the machine default. For other CPUs,
> > > + * either cold plugged or hot plugged, set the compatibility mode
> > > + * to match the boot CPU, which was either set by the machine reset
> > > + * code or by CAS.
> > > + */
> > > +ppc_set_compat(cpu,
> > > +   cpu == first_ppc_cpu ?
> > > +   spapr->max_compat_pvr : first_ppc_cpu->compat_pvr,
> > > +   &error_fatal);
> > 
> > This assumes that when it is called for a non-boot CPU, it has already
> > been called for the boot CPU..  Are we certain that's guaranteed by
> > the sequence of reset calls during a full machine reset?
> > 
> 
> This happens to be the case. Basically because the boot CPU core
> is created (including registering its reset handler) first and
> qemu_devices_reset() calls handlers in the same order they were
> registered.

Right, I assumed it works for now, but it seems rather fragile, since
I'm not sure we're relying on guaranteed properties of the int

Re: [PATCH v5 6/7] tcg: implement JIT for iOS and Apple Silicon

2020-11-24 Thread Joelle van Dyne 
A lot of users of UTM are on iOS 13 (a large number of devices only
have jailbreak for iOS 13 and below), but if the QEMU community thinks
it's better that way, we are willing to compromise.

-j

On Tue, Nov 24, 2020 at 7:15 PM Alexander Graf  wrote:
>
>
> On 20.11.20 16:58, Joelle van Dyne wrote:
> > On Fri, Nov 20, 2020 at 3:08 AM Alexander Graf  wrote:
> >>
> >> On 09.11.20 00:24, Joelle van Dyne wrote:
> >>> When entitlements are available (macOS or jailbroken iOS), a hardware
> >>> feature called APRR exists on newer Apple Silicon that can cheaply mark 
> >>> JIT
> >>> pages as either RX or RW. Reverse engineered functions from
> >>> libsystem_pthread.dylib are implemented to handle this.
> >>>
> >>> The following rules apply for JIT write protect:
> >>> * JIT write-protect is enabled before tcg_qemu_tb_exec()
> >>> * JIT write-protect is disabled after tcg_qemu_tb_exec() returns
> >>> * JIT write-protect is disabled inside do_tb_phys_invalidate() but if 
> >>> it
> >>>   is called inside of tcg_qemu_tb_exec() then write-protect will be
> >>>   enabled again before returning.
> >>> * JIT write-protect is disabled by cpu_loop_exit() for interrupt 
> >>> handling.
> >>> * JIT write-protect is disabled everywhere else.
> >>>
> >>> See 
> >>> https://developer.apple.com/documentation/apple_silicon/porting_just-in-time_compilers_to_apple_silicon
> >>>
> >>> Signed-off-by: Joelle van Dyne 
> >>> ---
> >>>include/exec/exec-all.h |  2 +
> >>>include/tcg/tcg-apple-jit.h | 86 +
> >>>include/tcg/tcg.h   |  3 ++
> >>>accel/tcg/cpu-exec-common.c |  2 +
> >>>accel/tcg/cpu-exec.c|  2 +
> >>>accel/tcg/translate-all.c   | 46 
> >>>tcg/tcg.c   |  4 ++
> >>>7 files changed, 145 insertions(+)
> >>>create mode 100644 include/tcg/tcg-apple-jit.h
> >>>
> >>> diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
> >>> index aa65103702..3829f3d470 100644
> >>> --- a/include/exec/exec-all.h
> >>> +++ b/include/exec/exec-all.h
> >>> @@ -549,6 +549,8 @@ TranslationBlock *tb_htable_lookup(CPUState *cpu, 
> >>> target_ulong pc,
> >>>   target_ulong cs_base, uint32_t 
> >>> flags,
> >>>   uint32_t cf_mask);
> >>>void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
> >>> +void tb_exec_lock(void);
> >>> +void tb_exec_unlock(void);
> >>>
> >>>/* GETPC is the true target of the return instruction that we'll 
> >>> execute.  */
> >>>#if defined(CONFIG_TCG_INTERPRETER)
> >>> diff --git a/include/tcg/tcg-apple-jit.h b/include/tcg/tcg-apple-jit.h
> >>> new file mode 100644
> >>> index 00..9efdb2000d
> >>> --- /dev/null
> >>> +++ b/include/tcg/tcg-apple-jit.h
> >>> @@ -0,0 +1,86 @@
> >>> +/*
> >>> + * Apple Silicon functions for JIT handling
> >>> + *
> >>> + * Copyright (c) 2020 osy
> >>> + *
> >>> + * This library is free software; you can redistribute it and/or
> >>> + * modify it under the terms of the GNU Lesser General Public
> >>> + * License as published by the Free Software Foundation; either
> >>> + * version 2.1 of the License, or (at your option) any later version.
> >>> + *
> >>> + * This library is distributed in the hope that it will be useful,
> >>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> >>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> >>> + * Lesser General Public License for more details.
> >>> + *
> >>> + * You should have received a copy of the GNU Lesser General Public
> >>> + * License along with this library; if not, see 
> >>> .
> >>> + */
> >>> +
> >>> +#ifndef TCG_APPLE_JIT_H
> >>> +#define TCG_APPLE_JIT_H
> >>> +
> >>> +/*
> >>> + * APRR handling
> >>> + * Credits to: https://siguza.github.io/APRR/
> >>> + * Reversed from /usr/lib/system/libsystem_pthread.dylib
> >>> + */
> >>> +
> >>> +#if defined(__aarch64__) && defined(CONFIG_DARWIN)
> >>> +
> >>> +#define _COMM_PAGE_START_ADDRESS(0x000FC000ULL) /* In 
> >>> TTBR0 */
> >>> +#define _COMM_PAGE_APRR_SUPPORT (_COMM_PAGE_START_ADDRESS + 
> >>> 0x10C)
> >>> +#define _COMM_PAGE_APPR_WRITE_ENABLE(_COMM_PAGE_START_ADDRESS + 
> >>> 0x110)
> >>> +#define _COMM_PAGE_APRR_WRITE_DISABLE   (_COMM_PAGE_START_ADDRESS + 
> >>> 0x118)
> >>> +
> >>> +static __attribute__((__always_inline__)) bool 
> >>> jit_write_protect_supported(void)
> >>> +{
> >>> +/* Access shared kernel page at fixed memory location. */
> >>> +uint8_t aprr_support = *(volatile uint8_t *)_COMM_PAGE_APRR_SUPPORT;
> >>> +return aprr_support > 0;
> >>> +}
> >>> +
> >>> +/* write protect enable = write disable */
> >>> +static __attribute__((__always_inline__)) void jit_write_protect(int 
> >>> enabled)
> >>> +{
> >>> +/* Access shared kernel page at fixed memory location. */
> >>> +uint8_t aprr_support = *(vola

[PATCH 3/3] monitor:Don't use '#' flag of printf format ('%#') in format strings

2020-11-24 Thread Yutao Ai 
Delete '#' and use '0x' prefix instead

Signed-off-by: Yutao Ai 
---
 monitor/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor/misc.c b/monitor/misc.c
index 7588f12053..2eb563f6f3 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -910,7 +910,7 @@ static void hmp_ioport_read(Monitor *mon, const QDict 
*qdict)
 suffix = 'l';
 break;
 }
-monitor_printf(mon, "port%c[0x%04x] = %#0*x\n",
+monitor_printf(mon, "port%c[0x%04x] = 0x%0*x\n",
suffix, addr, size * 2, val);
 }
 
-- 
2.19.1

[PATCH 1/3] monitor:open brace '{' following struct go on the same line

2020-11-24 Thread Yutao Ai 
Move the open brace '{' following struct go on the same line

Signed-off-by: Yutao Ai 
---
 monitor/hmp-cmds.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index 8d7f5fee7e..64188c9fa2 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -1548,8 +1548,7 @@ end:
 hmp_handle_error(mon, err);
 }
 
-typedef struct HMPMigrationStatus
-{
+typedef struct HMPMigrationStatus {
 QEMUTimer *timer;
 Monitor *mon;
 bool is_block_migration;
-- 
2.19.1

[PATCH 2/3] monitor:braces {} are necessary for all arms of this statement

2020-11-24 Thread Yutao Ai 
Fix the errors by add {}

Signed-off-by: Yutao Ai 
---
 monitor/misc.c | 14 +-
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/monitor/misc.c b/monitor/misc.c
index 398211a034..7588f12053 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -492,8 +492,10 @@ static void hmp_singlestep(Monitor *mon, const QDict 
*qdict)
 static void hmp_gdbserver(Monitor *mon, const QDict *qdict)
 {
 const char *device = qdict_get_try_str(qdict, "device");
-if (!device)
+if (!device) {
 device = "tcp::" DEFAULT_GDBSTUB_PORT;
+}
+
 if (gdbserver_start(device) < 0) {
 monitor_printf(mon, "Could not open gdbserver on device '%s'\n",
device);
@@ -559,10 +561,11 @@ static void memory_dump(Monitor *mon, int count, int 
format, int wsize,
 }
 
 len = wsize * count;
-if (wsize == 1)
+if (wsize == 1) {
 line_size = 8;
-else
+} else {
 line_size = 16;
+}
 max_digits = 0;
 
 switch(format) {
@@ -583,10 +586,11 @@ static void memory_dump(Monitor *mon, int count, int 
format, int wsize,
 }
 
 while (len > 0) {
-if (is_physical)
+if (is_physical) {
 monitor_printf(mon, TARGET_FMT_plx ":", addr);
-else
+} else {
 monitor_printf(mon, TARGET_FMT_lx ":", (target_ulong)addr);
+}
 l = len;
 if (l > line_size)
 l = line_size;
-- 
2.19.1

[PATCH 0/3] Fix some style problems in monitor

2020-11-24 Thread Yutao Ai 
I find some style problems while using checkpatch.pl to check monitor codes.
And I fixed these style problems in the submit patches.

Yutao Ai (3):
  monitor:open brace '{' following struct go on the same line
  monitor:braces {} are necessary for all arms of this statement
  monitor:Don't use '#' flag of printf format ('%#') in format strings

 monitor/hmp-cmds.c |  3 +--
 monitor/misc.c | 16 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)

-- 
2.19.1

[PATCH v3] vhost-user-scsi: Fix memleaks in vus_proc_req()

2020-11-24 Thread Alex Chen 
The 'elem' is allocated memory in vu_queue_pop(), and its memory should be
freed in all error branches after vu_queue_pop().
In addition, in order to free the 'elem' memory outside of while(1) loop, move
the definition of 'elem' to the beginning of vus_proc_req().

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
Reviewed-by: Raphael Norwitz 
---
 contrib/vhost-user-scsi/vhost-user-scsi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/vhost-user-scsi/vhost-user-scsi.c 
b/contrib/vhost-user-scsi/vhost-user-scsi.c
index 0f9ba4b2a2..4639440a70 100644
--- a/contrib/vhost-user-scsi/vhost-user-scsi.c
+++ b/contrib/vhost-user-scsi/vhost-user-scsi.c
@@ -232,6 +232,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 VugDev *gdev;
 VusDev *vdev_scsi;
 VuVirtq *vq;
+VuVirtqElement *elem = NULL;
 
 assert(vu_dev);
 
@@ -248,7 +249,6 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 g_debug("Got kicked on vq[%d]@%p", idx, vq);
 
 while (1) {
-VuVirtqElement *elem;
 VirtIOSCSICmdReq *req;
 VirtIOSCSICmdResp *rsp;
 
@@ -288,6 +288,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 
 free(elem);
 }
+free(elem);
 }
 
 static void vus_queue_set_started(VuDev *vu_dev, int idx, bool started)
-- 
2.19.1

Re: [PATCH v2] vhost-user-scsi: Fix memleaks in vus_proc_req()

2020-11-24 Thread Alex Chen 
Sorry, I forgot to add the Reviewed-by information, I will send patch v3.

On 2020/11/25 9:25, Alex Chen wrote:
> The 'elem' is allocated memory in vu_queue_pop(), and its memory should be
> freed in all error branches after vu_queue_pop().
> In addition, in order to free the 'elem' memory outside of while(1) loop, move
> the definition of 'elem' to the beginning of vus_proc_req().
> 
> Reported-by: Euler Robot 
> Signed-off-by: Alex Chen 
> ---
>  contrib/vhost-user-scsi/vhost-user-scsi.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/contrib/vhost-user-scsi/vhost-user-scsi.c 
> b/contrib/vhost-user-scsi/vhost-user-scsi.c
> index 0f9ba4b2a2..4639440a70 100644
> --- a/contrib/vhost-user-scsi/vhost-user-scsi.c
> +++ b/contrib/vhost-user-scsi/vhost-user-scsi.c
> @@ -232,6 +232,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>  VugDev *gdev;
>  VusDev *vdev_scsi;
>  VuVirtq *vq;
> +VuVirtqElement *elem = NULL;
>  
>  assert(vu_dev);
>  
> @@ -248,7 +249,6 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>  g_debug("Got kicked on vq[%d]@%p", idx, vq);
>  
>  while (1) {
> -VuVirtqElement *elem;
>  VirtIOSCSICmdReq *req;
>  VirtIOSCSICmdResp *rsp;
>  
> @@ -288,6 +288,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>  
>  free(elem);
>  }
> +free(elem);
>  }
>  
>  static void vus_queue_set_started(VuDev *vu_dev, int idx, bool started)
>

[PATCH v2] vhost-user-scsi: Fix memleaks in vus_proc_req()

2020-11-24 Thread Alex Chen 
The 'elem' is allocated memory in vu_queue_pop(), and its memory should be
freed in all error branches after vu_queue_pop().
In addition, in order to free the 'elem' memory outside of while(1) loop, move
the definition of 'elem' to the beginning of vus_proc_req().

Reported-by: Euler Robot 
Signed-off-by: Alex Chen 
---
 contrib/vhost-user-scsi/vhost-user-scsi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/vhost-user-scsi/vhost-user-scsi.c 
b/contrib/vhost-user-scsi/vhost-user-scsi.c
index 0f9ba4b2a2..4639440a70 100644
--- a/contrib/vhost-user-scsi/vhost-user-scsi.c
+++ b/contrib/vhost-user-scsi/vhost-user-scsi.c
@@ -232,6 +232,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 VugDev *gdev;
 VusDev *vdev_scsi;
 VuVirtq *vq;
+VuVirtqElement *elem = NULL;
 
 assert(vu_dev);
 
@@ -248,7 +249,6 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 g_debug("Got kicked on vq[%d]@%p", idx, vq);
 
 while (1) {
-VuVirtqElement *elem;
 VirtIOSCSICmdReq *req;
 VirtIOSCSICmdResp *rsp;
 
@@ -288,6 +288,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
 
 free(elem);
 }
+free(elem);
 }
 
 static void vus_queue_set_started(VuDev *vu_dev, int idx, bool started)
-- 
2.19.1

Re: [PATCH] vhost-user-scsi: Fix memleaks in vus_proc_req()

2020-11-24 Thread Alex Chen 
On 2020/11/24 23:37, Raphael Norwitz wrote:
> On Tue, Nov 24, 2020 at 9:50 AM Alex Chen  wrote:
>>
>> The 'elem' is allocated memory in vu_queue_pop(), and it's memory should be
>> freed in all error branchs after vu_queue_pop().
> 
> s/branchs/branches
> 
>> In addition, in order to free 'elem' memory outside of while(1) loop, move 
>> the
>> definition of 'elem' to the begin of vus_proc_req().
> 
> s/begin/beginning
> 
>>
>> Reported-by: Euler Robot 
>> Signed-off-by: Alex Chen 
> 
> Other than spelling in the commit message, looks good to me.
> 

Thanks for your review, I will fix it and send patch v2.

Thanks,
Alex

> Reviewed-by: Raphael Norwitz 
> 
>> ---
>>  contrib/vhost-user-scsi/vhost-user-scsi.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/contrib/vhost-user-scsi/vhost-user-scsi.c 
>> b/contrib/vhost-user-scsi/vhost-user-scsi.c
>> index 0f9ba4b2a2..4639440a70 100644
>> --- a/contrib/vhost-user-scsi/vhost-user-scsi.c
>> +++ b/contrib/vhost-user-scsi/vhost-user-scsi.c
>> @@ -232,6 +232,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>>  VugDev *gdev;
>>  VusDev *vdev_scsi;
>>  VuVirtq *vq;
>> +VuVirtqElement *elem = NULL;
>>
>>  assert(vu_dev);
>>
>> @@ -248,7 +249,6 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>>  g_debug("Got kicked on vq[%d]@%p", idx, vq);
>>
>>  while (1) {
>> -VuVirtqElement *elem;
>>  VirtIOSCSICmdReq *req;
>>  VirtIOSCSICmdResp *rsp;
>>
>> @@ -288,6 +288,7 @@ static void vus_proc_req(VuDev *vu_dev, int idx)
>>
>>  free(elem);
>>  }
>> +free(elem);
>>  }
>>
>>  static void vus_queue_set_started(VuDev *vu_dev, int idx, bool started)
>> --
>> 2.19.1
>>
>>
> .
>

Re: [PATCH] contrib/rdmacm-mux: Fix error condition in hash_tbl_search_fd_by_ifid()

2020-11-24 Thread Alex Chen 
On 2020/11/24 23:29, Peter Maydell wrote:
> On Tue, 24 Nov 2020 at 12:15, Alex Chen  wrote:
>>
>> Hi everyone,
>>
>> Who can help me merge this patch into the master branch? This patch may be 
>> need for qemu-5.2
> 
> This code has been like this since 2018, so this is not
> a regression in 5.2. At this point in the release cycle
> (rc3 imminent) I think it's best to just leave it until 6.0.
> 

OK, I see.

Thanks
Alex

Re: [PATCH 2/2] target/mips/kvm: Assert unreachable code is not used

2020-11-24 Thread Huacai Chen 
Reviewed-by: Huacai Chen 

On Tue, Nov 24, 2020 at 6:42 PM Philippe Mathieu-Daudé  wrote:
>
> Huacai, ping?
>
> On 5/12/20 9:09 AM, Philippe Mathieu-Daudé wrote:
> > +Paolo
> >
> > On 4/29/20 10:29 AM, Philippe Mathieu-Daudé wrote:
> >> This code must not be used outside of KVM. Abort if it is.
> >>
> >> Signed-off-by: Philippe Mathieu-Daudé 
> >> ---
> >>   target/mips/kvm.c | 8 ++--
> >>   1 file changed, 2 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/target/mips/kvm.c b/target/mips/kvm.c
> >> index de3e26ef1f..050bfbd7fa 100644
> >> --- a/target/mips/kvm.c
> >> +++ b/target/mips/kvm.c
> >> @@ -196,9 +196,7 @@ int kvm_mips_set_interrupt(MIPSCPU *cpu, int irq,
> >> int level)
> >>   CPUState *cs = CPU(cpu);
> >>   struct kvm_mips_interrupt intr;
> >>   -if (!kvm_enabled()) {
> >> -return 0;
> >> -}
> >> +assert(kvm_enabled());
> >> intr.cpu = -1;
> >>   @@ -219,9 +217,7 @@ int kvm_mips_set_ipi_interrupt(MIPSCPU *cpu, int
> >> irq, int level)
> >>   CPUState *dest_cs = CPU(cpu);
> >>   struct kvm_mips_interrupt intr;
> >>   -if (!kvm_enabled()) {
> >> -return 0;
> >> -}
> >> +assert(kvm_enabled());
> >> intr.cpu = dest_cs->cpu_index;
> >>
> >

Re: [PATCH v5 6/7] tcg: implement JIT for iOS and Apple Silicon

2020-11-24 Thread Alexander Graf 



On 20.11.20 16:58, Joelle van Dyne wrote:

On Fri, Nov 20, 2020 at 3:08 AM Alexander Graf  wrote:


On 09.11.20 00:24, Joelle van Dyne wrote:

When entitlements are available (macOS or jailbroken iOS), a hardware
feature called APRR exists on newer Apple Silicon that can cheaply mark JIT
pages as either RX or RW. Reverse engineered functions from
libsystem_pthread.dylib are implemented to handle this.

The following rules apply for JIT write protect:
* JIT write-protect is enabled before tcg_qemu_tb_exec()
* JIT write-protect is disabled after tcg_qemu_tb_exec() returns
* JIT write-protect is disabled inside do_tb_phys_invalidate() but if it
  is called inside of tcg_qemu_tb_exec() then write-protect will be
  enabled again before returning.
* JIT write-protect is disabled by cpu_loop_exit() for interrupt handling.
* JIT write-protect is disabled everywhere else.

See 
https://developer.apple.com/documentation/apple_silicon/porting_just-in-time_compilers_to_apple_silicon

Signed-off-by: Joelle van Dyne 
---
   include/exec/exec-all.h |  2 +
   include/tcg/tcg-apple-jit.h | 86 +
   include/tcg/tcg.h   |  3 ++
   accel/tcg/cpu-exec-common.c |  2 +
   accel/tcg/cpu-exec.c|  2 +
   accel/tcg/translate-all.c   | 46 
   tcg/tcg.c   |  4 ++
   7 files changed, 145 insertions(+)
   create mode 100644 include/tcg/tcg-apple-jit.h

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index aa65103702..3829f3d470 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -549,6 +549,8 @@ TranslationBlock *tb_htable_lookup(CPUState *cpu, 
target_ulong pc,
  target_ulong cs_base, uint32_t flags,
  uint32_t cf_mask);
   void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
+void tb_exec_lock(void);
+void tb_exec_unlock(void);

   /* GETPC is the true target of the return instruction that we'll execute.  */
   #if defined(CONFIG_TCG_INTERPRETER)
diff --git a/include/tcg/tcg-apple-jit.h b/include/tcg/tcg-apple-jit.h
new file mode 100644
index 00..9efdb2000d
--- /dev/null
+++ b/include/tcg/tcg-apple-jit.h
@@ -0,0 +1,86 @@
+/*
+ * Apple Silicon functions for JIT handling
+ *
+ * Copyright (c) 2020 osy
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#ifndef TCG_APPLE_JIT_H
+#define TCG_APPLE_JIT_H
+
+/*
+ * APRR handling
+ * Credits to: https://siguza.github.io/APRR/
+ * Reversed from /usr/lib/system/libsystem_pthread.dylib
+ */
+
+#if defined(__aarch64__) && defined(CONFIG_DARWIN)
+
+#define _COMM_PAGE_START_ADDRESS(0x000FC000ULL) /* In TTBR0 */
+#define _COMM_PAGE_APRR_SUPPORT (_COMM_PAGE_START_ADDRESS + 0x10C)
+#define _COMM_PAGE_APPR_WRITE_ENABLE(_COMM_PAGE_START_ADDRESS + 0x110)
+#define _COMM_PAGE_APRR_WRITE_DISABLE   (_COMM_PAGE_START_ADDRESS + 0x118)
+
+static __attribute__((__always_inline__)) bool 
jit_write_protect_supported(void)
+{
+/* Access shared kernel page at fixed memory location. */
+uint8_t aprr_support = *(volatile uint8_t *)_COMM_PAGE_APRR_SUPPORT;
+return aprr_support > 0;
+}
+
+/* write protect enable = write disable */
+static __attribute__((__always_inline__)) void jit_write_protect(int enabled)
+{
+/* Access shared kernel page at fixed memory location. */
+uint8_t aprr_support = *(volatile uint8_t *)_COMM_PAGE_APRR_SUPPORT;
+if (aprr_support == 0 || aprr_support > 3) {
+return;
+} else if (aprr_support == 1) {
+__asm__ __volatile__ (
+"mov x0, %0\n"
+"ldr x0, [x0]\n"
+"msr S3_4_c15_c2_7, x0\n"
+"isb sy\n"
+:: "r" (enabled ? _COMM_PAGE_APRR_WRITE_DISABLE
+: _COMM_PAGE_APPR_WRITE_ENABLE)
+: "memory", "x0"
+);
+} else {
+__asm__ __volatile__ (
+"mov x0, %0\n"
+"ldr x0, [x0]\n"
+"msr S3_6_c15_c1_5, x0\n"
+"isb sy\n"
+:: "r" (enabled ? _COMM_PAGE_APRR_WRITE_DISABLE
+: _COMM_PAGE_APPR_WRITE_ENABLE)
+: "memory", "x0"
+);
+}
+}


Is there a particular reason you're not just calling
pthread_jit_write_protect_np()? That would remove the depende

[Bug 1905356] Re: No check for unaligned data access in ARM32 instructions

2020-11-24 Thread Richard Henderson 
We don't implement SCTLR.A, but you're right that we should be
checking the mandatory alignments.

Note!  Any fix will only apply to system mode (qemu-system-arm)
and not user-only mode (qemu-arm).

** Changed in: qemu
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905356

Title:
  No check for unaligned data access in ARM32 instructions

Status in QEMU:
  Confirmed

Bug description:
  hi

  According to the ARM documentation, there are alignment requirements
  of load/store instructions.  Alignment fault should be raised if the
  alignment check is failed. However, it seems that QEMU doesn't
  implement this, which is against the documentation of ARM. For
  example, the instruction LDRD/STRD/LDREX/STREX must check the address
  is word alignment no matter what value the SCTLR.A is.

  I attached a testcase, which contains an instruction at VA 0x10240:
  ldrd r0,[pc.#1] in the main function. QEMU can successfully load the
  data in the unaligned address. The test is done in QEMU 5.1.0. I can
  provide more testcases for the other instructions if you need. Many
  thanks.

  To patch this, we need a check while we translate the instruction to
  tcg. If the address is unaligned, a signal number (i.e., SIGBUS)
  should be raised.

  Regards
  Muhui

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905356/+subscriptions

[ANNOUNCE] QEMU 5.2.0-rc3 is now available

2020-11-24 Thread Michael Roth 
Hello,

On behalf of the QEMU Team, I'd like to announce the availability of the
fourth release candidate for the QEMU 5.2 release.  This release is meant
for testing purposes and should not be used in a production environment.

  http://download.qemu-project.org/qemu-5.2.0-rc3.tar.xz
  http://download.qemu-project.org/qemu-5.2.0-rc3.tar.xz.sig

A note from the maintainer:

  This is the final planned rc for the 5.2 release cycle. Unless
  we find any last minute show-stopper bugs, we will release 5.2.0
  on Tuesday 1st December. If we need an rc4 then we'll likely put that
  out on the 1st, with the final release a few days or a week after that.
  
  Note that QEMU has switched build systems so you will need
  to install ninja to compile it. See the "Build Information"
  section of the Changelog for more information about this change.

You can help improve the quality of the QEMU 5.2 release by testing this
release and reporting bugs on Launchpad:

  https://bugs.launchpad.net/qemu/

The release plan, as well a documented known issues for release
candidates, are available at:

  http://wiki.qemu.org/Planning/5.2

Please add entries to the ChangeLog for the 5.2 release below:

  http://wiki.qemu.org/ChangeLog/5.2

Thank you to everyone involved!

Changes since rc2:

dd3d2340c4: Update version for v5.2.0-rc3 release (Peter Maydell)
28afbc1f11: Revert "hw/core/qdev-properties: Use qemu_strtoul() in 
set_pci_host_devaddr()" (Michael S. Tsirkin)
558f5c42ef: tests/9pfs: Mark "local" tests as "slow" (Greg Kurz)
c8bf9a9169: qcow2: Fix corruption on write_zeroes with MAY_UNMAP (Maxim 
Levitsky)
9925990d01: net: Use correct default-path macro for downscript (Keqian Zhu)
f012bec890: tap: fix a memory leak (yuanjungong)
d2abc563e4: net: purge queued rx packets on queue deletion (Yuri Benditovich)
ad6f932fe8: net: do not exit on "netdev_add help" monitor command (Paolo 
Bonzini)
c2cb511634: hw/net/e1000e: advance desc_offset in case of null descriptor 
(Prasad J Pandit)
afae37d98a: ppc/translate: Implement lxvwsx opcode (LemonBoy)
bb0990d174: vfio: Change default dirty pages tracking behavior during migration 
(Kirti Wankhede)
cf254988a5: vfio: Make migration support experimental (Alex Williamson)
c6ff78563a: docs/system/pr-manager.rst: Fix minor docs nits (Peter Maydell)
773ee3f1ea: docs: Split qemu-pr-helper documentation into tools manual (Peter 
Maydell)
0daf34fd3a: docs: Move pr-manager.rst into the system manual (Peter Maydell)
e8eee8d3d9: docs: Move microvm.rst into the system manual (Peter Maydell)
7f0cff6e34: docs: Split out 'pc' machine model docs into their own file (Peter 
Maydell)
c5d7cfdaac: docs/system/virtio-pmem.rst: Fix minor style issues (Peter Maydell)
71266bb4e9: docs: Move virtio-pmem.rst into the system manual (Peter Maydell)
392d8e95c7: docs: Move cpu-hotplug.rst into the system manual (Peter Maydell)
4faf359acc: docs: Move virtio-net-failover.rst into the system manual (Peter 
Maydell)
acebed948c: linux-user/arm: Deliver SIGTRAP for UDF patterns used as 
breakpoints (Peter Maydell)
6951595183: target/arm: Make SYS_HEAPINFO work with RAM that doesn't start at 0 
(Peter Maydell)
75bf6e17f9: docs/system/arm: Document the Sharp Zaurus SL-6000 (Philippe 
Mathieu-Daudé)
12bff81b4d: docs/system/arm: Document OpenPOWER Witherspoon BMC model Front 
LEDs (Philippe Mathieu-Daudé)
d9f2ac3de9: docs/system/arm: Document the various raspi boards (Philippe 
Mathieu-Daudé)
155e1c82ed: docs/system: Deprecate raspi2/raspi3 machine aliases (Philippe 
Mathieu-Daudé)
66278f8aeb: MAINTAINERS: Cover system/arm/sx1.rst with OMAP machines (Philippe 
Mathieu-Daudé)
9eeeb80ad4: MAINTAINERS: Cover system/arm/sbsa.rst with SBSA-REF machine 
(Philippe Mathieu-Daudé)
c67d732c39: MAINTAINERS: Fix system/arm/orangepi.rst path (Philippe 
Mathieu-Daudé)
7170311674: MAINTAINERS: Cover system/arm/nuvoton.rst with Nuvoton NPCM7xx 
(Philippe Mathieu-Daudé)
de8ee7d47c: MAINTAINERS: Cover system/arm/aspeed.rst with ASPEED BMC machines 
(Philippe Mathieu-Daudé)
6e84a91477: MAINTAINERS: Cover system/arm/cpu-features.rst with ARM TCG CPUs 
(Philippe Mathieu-Daudé)
57bdec5c46: hw/intc: fix heap-buffer-overflow in rxicu_realize() (Chen Qun)
98554b3b56: hw/arm: Fix bad print format specifiers (AlexChen)
98e8779770: target/arm: fix stage 2 page-walks in 32-bit emulation (Rémi 
Denis-Courmont)
534f80e1df: .cirrus.yml: bump timeout period for MacOS builds (Alex Bennée)
1352d5688d: gitlab-ci: Move trace backend tests across to gitlab (Philippe 
Mathieu-Daudé)
8e9419b790: tests/docker: Install liblttng-ust-dev package in Ubuntu 20.04 
image (Philippe Mathieu-Daudé)
ac74e282d4: gitlab: move remaining x86 check-tcg targets to gitlab (Alex Bennée)
69272bec1a: tests/avocado: clean-up socket directory after run (Alex Bennée)
8c175c63ee: tests: add prefixes to the bare mkdtemp calls (Alex Bennée)
e4b937d3c4: scripts/ci: clean up default args logic a little (Alex Bennée)
7a3d37a3f2: pc-bios/s390: Update the s390-ccw bios binaries (Thomas Huth)
3d651996

Re: [RFC PATCH 03/25] hw/cxl/component: Introduce CXL components (8.1.x, 8.2.5)

2020-11-24 Thread Ben Widawsky 
On 20-11-17 12:29:40, Jonathan Cameron wrote:

[snip]

> > >   
> > > > +
> > > > +/* 8.2.5.10 - CXL Security Capability Structure */
> > > > +#define CXL_SEC_REGISTERS_OFFSET (CXL_RAS_REGISTERS_OFFSET + 
> > > > CXL_RAS_REGISTERS_SIZE)
> > > > +#define CXL_SEC_REGISTERS_SIZE   0 /* We don't implement 1.1 
> > > > downstream ports */
> > > > +
> > > > +/* 8.2.5.11 - CXL Link Capability Structure */
> > > > +#define CXL_LINK_REGISTERS_OFFSET (CXL_SEC_REGISTERS_OFFSET + 
> > > > CXL_SEC_REGISTERS_SIZE)
> > > > +#define CXL_LINK_REGISTERS_SIZE   0x38  
> > > 
> > > Bit odd to introduce this but not define anything... Can't we bring these
> > > in when we need them later?  
> > 
> > Repeating my comment from 00/25...
> > 
> > For this specific patch series I liked providing #defines in bulk so that 
> > it's
> > easy enough to just bring up the spec and review them. Not sure if there is 
> > a
> > preference from others in the community on this.
> 
> Personally I'd prefer to see the lot if you are going to do that, on basis
> should only need reviewing against the spec once.
> Not sure others will agree though as "the lot" is an awful lot.
> 

I took a shot at stripping some of this out, but it turns out I already use all
of it for the cxl-component-utils. While some of them aren't directly used, the
space reservations for the various caps make sense here IMO.

So for v2, I'm going to leave this as is, and if there is a desire to do things
differently, I think I'd need a suggestion of how to do so.

[snip]


> 
> Thanks,
> 
> Jonathan
>

Re: [RFC] ich9:cpuhp: add support for cpu hot-unplug with SMI broadcast enabled

2020-11-24 Thread Laszlo Ersek 
On 11/24/20 13:25, Igor Mammedov wrote:
> If firmware negotiates ICH9_LPC_SMI_F_CPU_HOT_UNPLUG_BIT feature,
> OSPM on CPU eject will set bit #4 in CPU hotplug block for to be
> ejected CPU to mark it for removal by firmware and trigger SMI
> upcall to let firmware do actual eject.
> 
> Signed-off-by: Igor Mammedov 
> ---
> PS:
>   - abuse 5.1 machine type for now to turn off unplug feature
> (it will be moved to 5.2 machine type once new merge window is open)
> ---
>  include/hw/acpi/cpu.h   |  2 ++
>  docs/specs/acpi_cpu_hotplug.txt | 11 +--
>  hw/acpi/cpu.c   | 18 --
>  hw/i386/acpi-build.c|  5 +
>  hw/i386/pc.c|  1 +
>  hw/isa/lpc_ich9.c   |  2 +-
>  6 files changed, 34 insertions(+), 5 deletions(-)

Thanks -- I've tagged this for later; I can't tell when I'll come to it.
I'll have to re-read the previous discussion, from start of October, first.

Ankur -- please feel free to comment!

Thanks
Laszlo

> 
> diff --git a/include/hw/acpi/cpu.h b/include/hw/acpi/cpu.h
> index 0eeedaa491..999caaf510 100644
> --- a/include/hw/acpi/cpu.h
> +++ b/include/hw/acpi/cpu.h
> @@ -22,6 +22,7 @@ typedef struct AcpiCpuStatus {
>  uint64_t arch_id;
>  bool is_inserting;
>  bool is_removing;
> +bool fw_remove;
>  uint32_t ost_event;
>  uint32_t ost_status;
>  } AcpiCpuStatus;
> @@ -50,6 +51,7 @@ void cpu_hotplug_hw_init(MemoryRegion *as, Object *owner,
>  typedef struct CPUHotplugFeatures {
>  bool acpi_1_compatible;
>  bool has_legacy_cphp;
> +bool fw_unplugs_cpu;
>  const char *smi_path;
>  } CPUHotplugFeatures;
>  
> diff --git a/docs/specs/acpi_cpu_hotplug.txt b/docs/specs/acpi_cpu_hotplug.txt
> index 9bb22d1270..f68ef6e06c 100644
> --- a/docs/specs/acpi_cpu_hotplug.txt
> +++ b/docs/specs/acpi_cpu_hotplug.txt
> @@ -57,7 +57,11 @@ read access:
>It's valid only when bit 0 is set.
> 2: Device remove event, used to distinguish device for which
>no device eject request to OSPM was issued.
> -   3-7: reserved and should be ignored by OSPM
> +   3: reserved and should be ignored by OSPM
> +   4: if set to 1, OSPM requests firmware to perform device eject,
> +  firmware shall clear this event by writing 1 into it before
> +  performing device eject.
> +   5-7: reserved and should be ignored by OSPM
>  [0x5-0x7] reserved
>  [0x8] Command data: (DWORD access)
>contains 0 unless value last stored in 'Command field' is one of:
> @@ -82,7 +86,10 @@ write access:
> selected CPU device
>  3: if set to 1 initiates device eject, set by OSPM when it
> triggers CPU device removal and calls _EJ0 method
> -4-7: reserved, OSPM must clear them before writing to register
> +4: if set to 1 OSPM hands over device eject to firmware,
> +   Firmware shall issue device eject request as described above
> +   (bit #3) and OSPM should not touch device eject bit (#3),
> +5-7: reserved, OSPM must clear them before writing to register
>  [0x5] Command field: (1 byte access)
>value:
>  0: selects a CPU device with inserting/removing events and
> diff --git a/hw/acpi/cpu.c b/hw/acpi/cpu.c
> index f099b50927..09d2f20dae 100644
> --- a/hw/acpi/cpu.c
> +++ b/hw/acpi/cpu.c
> @@ -71,6 +71,7 @@ static uint64_t cpu_hotplug_rd(void *opaque, hwaddr addr, 
> unsigned size)
>  val |= cdev->cpu ? 1 : 0;
>  val |= cdev->is_inserting ? 2 : 0;
>  val |= cdev->is_removing  ? 4 : 0;
> +val |= cdev->fw_remove  ? 16 : 0;
>  trace_cpuhp_acpi_read_flags(cpu_st->selector, val);
>  break;
>  case ACPI_CPU_CMD_DATA_OFFSET_RW:
> @@ -148,6 +149,8 @@ static void cpu_hotplug_wr(void *opaque, hwaddr addr, 
> uint64_t data,
>  hotplug_ctrl = qdev_get_hotplug_handler(dev);
>  hotplug_handler_unplug(hotplug_ctrl, dev, NULL);
>  object_unparent(OBJECT(dev));
> +} else if (data & 16) {
> +cdev->fw_remove = !cdev->fw_remove;
>  }
>  break;
>  case ACPI_CPU_CMD_OFFSET_WR:
> @@ -332,6 +335,7 @@ const VMStateDescription vmstate_cpu_hotplug = {
>  #define CPU_INSERT_EVENT  "CINS"
>  #define CPU_REMOVE_EVENT  "CRMV"
>  #define CPU_EJECT_EVENT   "CEJ0"
> +#define CPU_FW_EJECT_EVENT "CEJF"
>  
>  void build_cpus_aml(Aml *table, MachineState *machine, CPUHotplugFeatures 
> opts,
>  hwaddr io_base,
> @@ -384,7 +388,10 @@ void build_cpus_aml(Aml *table, MachineState *machine, 
> CPUHotplugFeatures opts,
>  aml_append(field, aml_named_field(CPU_REMOVE_EVENT, 1));
>  /* initiates device eject, write only */
>  aml_append(field, aml_named_field(CPU_EJECT_EVENT, 1));
> -aml_append(field, aml_reserved_field(4));
> +aml_append(field, aml

Re: [PULL 0/1] PCI host devaddr property fix for 5.2

2020-11-24 Thread Peter Maydell 
On Tue, 24 Nov 2020 at 15:16, Eduardo Habkost  wrote:
>
> The following changes since commit d536d9578ec3ac5029a70b8126cb84bb6f2124a4:
>
>   Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into 
> staging (2020-11-24 10:59:12 +)
>
> are available in the Git repository at:
>
>   git://github.com/ehabkost/qemu.git tags/machine-next-for-5.2-pull-request
>
> for you to fetch changes up to 28afbc1f11f5ae33b69deb162a551110717eec94:
>
>   Revert "hw/core/qdev-properties: Use qemu_strtoul() in 
> set_pci_host_devaddr()" (2020-11-24 10:06:54 -0500)
>
> 
> PCI host devaddr property fix for 5.2
>
> 


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.2
for any user-visible changes.

-- PMM

Re: [PATCH v3] qga: Correct loop count in qmp_guest_get_vcpus()

2020-11-24 Thread Peter Maydell 
On Tue, 24 Nov 2020 at 14:12, Philippe Mathieu-Daudé  wrote:
> As we are going to tag 5.2-rc3, what is the status of this fix?

'git blame' says none of the code changed here is newer than 2018,
so it seems unlikely that this is a regression since 5.1. rc3 is
now ready to tag, so this is going to get postponed to 6.0
unless somebody has a really solid argument for why it is
a release-critical bug.

thanks
-- PMM

Re: [RFC v5 11/12] i386: centralize initialization of cpu accel interfaces

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 09:13:13PM +0100, Paolo Bonzini wrote:
> On 24/11/20 17:22, Claudio Fontana wrote:
> > +static void x86_cpu_accel_init(void)
> >  {
> > -X86CPUAccelClass *acc;
> > +const char *ac_name;
> > +ObjectClass *ac;
> > +char *xac_name;
> > +ObjectClass *xac;
> > -acc = X86_CPU_ACCEL_CLASS(object_class_by_name(accel_name));
> > -g_assert(acc != NULL);
> > +ac = object_get_class(OBJECT(current_accel()));
> > +g_assert(ac != NULL);
> > +ac_name = object_class_get_name(ac);
> > +g_assert(ac_name != NULL);
> > -object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, 
> > &acc);
> > +xac_name = g_strdup_printf("%s-%s", ac_name, TYPE_X86_CPU);
> > +xac = object_class_by_name(xac_name);
> > +g_free(xac_name);
> > +
> > +if (xac) {
> > +object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, 
> > xac);
> > +}
> >  }
> > +
> > +accel_cpu_init(x86_cpu_accel_init);
> 
> If this and cpus_accel_ops_init are the only call to accel_cpu_init, I'd
> rather make them functions in CPUClass (which you find and call via
> CPU_RESOLVING_TYPE) and AccelClass respectively.

Making x86_cpu_accel_init() be a CPUClass method sounds like a
good idea.  This way we won't need a arch_cpu_accel_init() stub
for non-x86.

accel.c can't use cpu.h, correct?  We can add a:

  CPUClass *arch_base_cpu_type(void)
  {
  return object_class_by_name(CPU_RESOLVING_TYPE);
  }

function to arch_init.c, to allow target-independent code call
target-specific code.

-- 
Eduardo

[PATCH v1] configure: remove python pkg_resources check

2020-11-24 Thread Olaf Hering 
Since meson.git#0240d760c7699a059cc89e584363c6431cdd2b61 setuptools is not 
required anymore.

Signed-off-by: Olaf Hering 
---
 configure | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/configure b/configure
index 8c5d2f9a69..ce9b3c0a33 100755
--- a/configure
+++ b/configure
@@ -1913,9 +1913,6 @@ fi
 
 case "$meson" in
 git | internal)
-if ! $python -c 'import pkg_resources' > /dev/null 2>&1; then
-error_exit "Python setuptools not found"
-fi
 meson="$python ${source_path}/meson/meson.py"
 ;;
 *) meson=$(command -v "$meson") ;;

Re: [PULL 0/1] Block layer patches for 5.2.0-rc3

2020-11-24 Thread Peter Maydell 
On Tue, 24 Nov 2020 at 14:25, Kevin Wolf  wrote:
>
> The following changes since commit 23895cbd82be95428e90168b12e925d0d3ca2f06:
>
>   Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20201123.0' 
> into staging (2020-11-23 18:51:13 +)
>
> are available in the Git repository at:
>
>   git://repo.or.cz/qemu/kevin.git tags/for-upstream
>
> for you to fetch changes up to c8bf9a9169db094aaed680cdba570758c0dc18b9:
>
>   qcow2: Fix corruption on write_zeroes with MAY_UNMAP (2020-11-24 11:29:41 
> +0100)
>
> 
> Patches for 5.2.0-rc3:
>
> - qcow2: Fix corruption on write_zeroes with MAY_UNMAP
>
> 
> Maxim Levitsky (1):
>   qcow2: Fix corruption on write_zeroes with MAY_UNMAP


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.2
for any user-visible changes.

-- PMM

Re: [RFC v5 12/12] accel: centralize initialization of CpusAccelOps

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 08:39:33PM +0100, Claudio Fontana wrote:
> On 11/24/20 8:27 PM, Eduardo Habkost wrote:
> > On Tue, Nov 24, 2020 at 07:52:15PM +0100, Claudio Fontana wrote:
> > [...]
>  +}
> >>>
> >>> Additionally, if you call arch_cpu_accel_init() here, you won't
> >>> need MODULE_INIT_ACCEL_CPU anymore.  The
> >>>
> >>>   module_call_init(MODULE_INIT_ACCEL_CPU)
> >>>
> >>> call with implicit dependencies on runtime state inside vl.c and
> >>> *-user/main.c becomes a trivial:
> >>>
> >>>   accel_init(accel)
> >>>
> >>> call in accel_init_machine() and *-user:main().
> >>
> >>
> >>
> >> I do need a separate thing for the arch cpu accel specialization though,
> >> without MODULE_INIT_ACCEL_CPU that link between all operations done at 
> >> accel-chosen time is missing..
> >>
> > 
> > I think this is a key point we need to sort out.
> > 
> > What do you mean by "link between all operations done at
> > accel-chosen time" and why that's important?
> 
> 
> For understanding by a reader that tries to figure this out,
> (see the gid MODULE_INIT_ACCEL_CPU comment elsewhere in the thread).

Right, but how does the module_call_init(MODULE_INIT_ACCEL_CPU)
indirection makes this easier to figure out than just looking at
a accel_init() function that makes regular function calls?


> 
> And it could be that the high level plan to make accelerators fully 
> dynamically loadable plugins in the future
> also conditioned me to want to have a very clear demarcation line around the 
> choice of the accelerator.

We have dynamically loadable modules for other QOM types,
already, and they just use type_init().  I don't see why an extra
module_init() type makes this easier.

> 
> 
> > 
> > accel_init_machine() has 2-3 lines of code with side effects.  It
> > calls AccelClass.init_machine(), which may may have hundreds of
> 
> 
> could we initialize also all arch-dependent stuff in here?

You can, if you use a wrapper + stub, like arch_cpu_accel_init().


> 
> 
> > lines of code.  accel_setup_post() has one additional method
> > call, which is triggered at a slightly different moment.
> > 
> > You are using MODULE_INIT_ACCEL for 2 additional lines of code:
> > - the cpus_register_accel() call
> > - the x86_cpu_accel_init() call
> > 
> > What makes those 2 lines of code so special, to make them deserve
> > a completely new mechanism to trigger them, instead of using
> > trivial function calls inside a accel_init() function?
> > 
> 
> ...can we do also the x86_cpu_accel_init inside accel_init()?
> 
> 
> In any case I'll try also the alternative, it would be nice if I could bring 
> everything together under the same roof,
> and easily discoverable, both the arch-specific steps that we need to do at 
> accel-chosen time and the non-arch-specific steps.

One way to bring everything together under the same roof is to
call everything inside a accel_init() function.


> 
> Hope this helps clarifying where I am coming from,
> but I am open to have my mind changed, also trying the alternatives you 
> propose here could help me see first hand how things play out.

Thanks!

-- 
Eduardo

Re: [RFC v5 00/12] i386 cleanup

2020-11-24 Thread Paolo Bonzini 

On 24/11/20 17:21, Claudio Fontana wrote:

In this version I basically QOMified X86CPUAccel, taking the
suggestions from Eduardo as the starting point,
but stopping just short of making it an actual QOM interface,
using a plain abstract class, and then subclasses for the
actual objects.

Initialization is still using the existing qemu initialization
framework (module_call_init), which is I still think is better
than the alternatives proposed, in the current state.

Possibly some improvements could be developed in the future here.
In this case, effort should be put in keeping things extendible,
in order not to be blocked once accelerators also become modules.


It's certainly getting there.  Thanks for persisting!

Paolo

Re: [RFC v5 11/12] i386: centralize initialization of cpu accel interfaces

2020-11-24 Thread Paolo Bonzini 

On 24/11/20 17:22, Claudio Fontana wrote:

+static void x86_cpu_accel_init(void)
 {
-X86CPUAccelClass *acc;
+const char *ac_name;
+ObjectClass *ac;
+char *xac_name;
+ObjectClass *xac;
 
-acc = X86_CPU_ACCEL_CLASS(object_class_by_name(accel_name));

-g_assert(acc != NULL);
+ac = object_get_class(OBJECT(current_accel()));
+g_assert(ac != NULL);
+ac_name = object_class_get_name(ac);
+g_assert(ac_name != NULL);
 
-object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, &acc);

+xac_name = g_strdup_printf("%s-%s", ac_name, TYPE_X86_CPU);
+xac = object_class_by_name(xac_name);
+g_free(xac_name);
+
+if (xac) {
+object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, xac);
+}
 }
+
+accel_cpu_init(x86_cpu_accel_init);


If this and cpus_accel_ops_init are the only call to accel_cpu_init, I'd 
rather make them functions in CPUClass (which you find and call via 
CPU_RESOLVING_TYPE) and AccelClass respectively.


Paolo

Re: [PATCH] Initialize Zynq7000 UART clocks on reset

2020-11-24 Thread Philippe Mathieu-Daudé 
Cc'ing qemu-arm list too.

On 11/24/20 5:52 PM, Michael Peter wrote:
> Pass an additional argument to zynq_slcr_compute_clocks that indicates
> whether an reset-exit condition
> applies. If called from zynq_slcr_reset_exit, external clocks are
> assumed to be active, even if the
> device state indicates a reset state.
> 
> Signed-off-by: Michael Peter 
> ---
>  hw/misc/zynq_slcr.c | 12 ++--
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
> index a2b28019e3..073122b934 100644
> --- a/hw/misc/zynq_slcr.c
> +++ b/hw/misc/zynq_slcr.c
> @@ -269,12 +269,12 @@ static uint64_t zynq_slcr_compute_clock(const
> uint64_t periods[],
>   * But do not propagate them further. Connected clocks
>   * will not receive any updates (See zynq_slcr_compute_clocks())
>   */
> -static void zynq_slcr_compute_clocks(ZynqSLCRState *s)
> +static void zynq_slcr_compute_clocks(ZynqSLCRState *s, bool ignore_reset)
>  {
>      uint64_t ps_clk = clock_get(s->ps_clk);
>  
>      /* consider outputs clocks are disabled while in reset */
> -    if (device_is_in_reset(DEVICE(s))) {
> +    if (!ignore_reset && device_is_in_reset(DEVICE(s))) {
>          ps_clk = 0;
>      }
>  
> @@ -305,7 +305,7 @@ static void zynq_slcr_propagate_clocks(ZynqSLCRState *s)
>  static void zynq_slcr_ps_clk_callback(void *opaque)
>  {
>      ZynqSLCRState *s = (ZynqSLCRState *) opaque;
> -    zynq_slcr_compute_clocks(s);
> +    zynq_slcr_compute_clocks(s, false);
>      zynq_slcr_propagate_clocks(s);
>  }
>  
> @@ -410,7 +410,7 @@ static void zynq_slcr_reset_hold(Object *obj)
>      ZynqSLCRState *s = ZYNQ_SLCR(obj);
>  
>      /* will disable all output clocks */
> -    zynq_slcr_compute_clocks(s);
> +    zynq_slcr_compute_clocks(s, false);
>      zynq_slcr_propagate_clocks(s);
>  }
>  
> @@ -419,7 +419,7 @@ static void zynq_slcr_reset_exit(Object *obj)
>      ZynqSLCRState *s = ZYNQ_SLCR(obj);
>  
>      /* will compute output clocks according to ps_clk and registers */
> -    zynq_slcr_compute_clocks(s);
> +    zynq_slcr_compute_clocks(s, true);
>      zynq_slcr_propagate_clocks(s);
>  }
>  
> @@ -558,7 +558,7 @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
>      case R_ARM_PLL_CTRL:
>      case R_DDR_PLL_CTRL:
>      case R_UART_CLK_CTRL:
> -        zynq_slcr_compute_clocks(s);
> +        zynq_slcr_compute_clocks(s, false);
>          zynq_slcr_propagate_clocks(s);
>          break;
>      }
> -- 
> 2.17.1
> 
> 
>

Re: [RFC v5 09/12] module: introduce MODULE_INIT_ACCEL_CPU

2020-11-24 Thread Paolo Bonzini 

On 24/11/20 20:08, Eduardo Habkost wrote:

Not a big advantage I agree,
I think however there is one, in using the existing framework that exists, for 
the purposes that it was built for.

As I understand it, the global module init framework is supposed to mark the 
major initialization steps,
and this seems to fit the bill.

That seems to be the main source of disagreement.  I don't agree
that's the purpose of module_init().

The module init framework is used to unconditionally register
module-provided entities like option names, QOM types, block
drivers, trace events, etc.  The entities registered by module
init functions represent a passive dynamically loadable piece of
code.


Indeed.  Think of module_init() as C++ global constructors.

Anything that has an "if" does not belong in module_init.

If you look at my review of the previous versions, I was not necessarily 
against MODULE_INIT_ACCEL_CPU, but I was (and am) strongly against 
calling it in the middle of the machine creation sequence.


Paolo

Re: [PATCH] target/i386: fix operand order for PDEP and PEXT

2020-11-24 Thread Paolo Bonzini 

On 24/11/20 18:54, Richard Henderson wrote:

+test-i386-bmi2: CFLAGS += -mbmi2
+run-test-i386-bmi2: QEMU_OPTS += -cpu max
+run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max

I suspect that we still support host operating systems whose compilers do not
support -mbmi2.  This might require a bit in tests/tcg/configure.sh akin to
CROSS_CC_HAS_ARMV8_3.



Actually -mbmi2 should not be needed since (unlike sse or avx) the 
instructions use normal registers.  Only the assembler matters, and at 
least RHEL7 (binutils 2.27) has them.  So I'll just remove the flag, it 
should be enough.


Paolo

Re: [RFC v5 12/12] accel: centralize initialization of CpusAccelOps

2020-11-24 Thread Claudio Fontana 
On 11/24/20 8:27 PM, Eduardo Habkost wrote:
> On Tue, Nov 24, 2020 at 07:52:15PM +0100, Claudio Fontana wrote:
> [...]
 +}
>>>
>>> Additionally, if you call arch_cpu_accel_init() here, you won't
>>> need MODULE_INIT_ACCEL_CPU anymore.  The
>>>
>>>   module_call_init(MODULE_INIT_ACCEL_CPU)
>>>
>>> call with implicit dependencies on runtime state inside vl.c and
>>> *-user/main.c becomes a trivial:
>>>
>>>   accel_init(accel)
>>>
>>> call in accel_init_machine() and *-user:main().
>>
>>
>>
>> I do need a separate thing for the arch cpu accel specialization though,
>> without MODULE_INIT_ACCEL_CPU that link between all operations done at 
>> accel-chosen time is missing..
>>
> 
> I think this is a key point we need to sort out.
> 
> What do you mean by "link between all operations done at
> accel-chosen time" and why that's important?


For understanding by a reader that tries to figure this out,
(see the gid MODULE_INIT_ACCEL_CPU comment elsewhere in the thread).

And it could be that the high level plan to make accelerators fully dynamically 
loadable plugins in the future
also conditioned me to want to have a very clear demarcation line around the 
choice of the accelerator.


> 
> accel_init_machine() has 2-3 lines of code with side effects.  It
> calls AccelClass.init_machine(), which may may have hundreds of


could we initialize also all arch-dependent stuff in here?


> lines of code.  accel_setup_post() has one additional method
> call, which is triggered at a slightly different moment.
> 
> You are using MODULE_INIT_ACCEL for 2 additional lines of code:
> - the cpus_register_accel() call
> - the x86_cpu_accel_init() call
> 
> What makes those 2 lines of code so special, to make them deserve
> a completely new mechanism to trigger them, instead of using
> trivial function calls inside a accel_init() function?
> 

...can we do also the x86_cpu_accel_init inside accel_init()?


In any case I'll try also the alternative, it would be nice if I could bring 
everything together under the same roof,
and easily discoverable, both the arch-specific steps that we need to do at 
accel-chosen time and the non-arch-specific steps.

Hope this helps clarifying where I am coming from,
but I am open to have my mind changed, also trying the alternatives you propose 
here could help me see first hand how things play out.

Thanks!

Claudio

Re: [PATCH 1/1] Fix qcow2 corruption on discard

2020-11-24 Thread Maxim Levitsky 
On Tue, 2020-11-24 at 20:59 +0200, Maxim Levitsky wrote:
> On Tue, 2020-11-24 at 19:59 +0100, Alberto Garcia wrote:
> > On Tue 24 Nov 2020 10:17:23 AM CET, Kevin Wolf wrote:
> > > We can then continue work to find a minimal reproducer and merge the
> > > test case in the early 6.0 cycle.
> > 
> > I haven't been able to reproduce the problem yet, do you have any
> > findings?
> > 
> > Berto
> > 
> 
> I have a working reproducer script. I'll send it in a hour or so.
> Best regards,
>   Maxim Levitsky

I have attached a minimal reproducer for this issue.
I can convert this to an iotest if you think that this is worth it.


So these are the exact conditions for the corruption to happen:

1. Image must have at least 5 refcount tables 
(1 more that default refcount table cache size, which is 4 by default)


2. IO pattern that populates the 4 entry refcount table cache fully:

 Easiest way to do it is to have 4 L2 entries populated in the base image,
 such as each entry references a physical cluster that is served by different
 refcount table.
 
 Then discard these entries in the snapshot, triggering discard in the
 base file during the commit, which will populate the refcount table cache.


4. A discard of a cluster that belongs to 5th refcount table (done in the
   exact same way as above discards).
   It should be done soon, before L2 cache flushed due to some unrelated
   IO.

   This triggers the corruption:

The call stack is:

2. qcow2_free_any_cluster->
qcow2_free_clusters->
update_refcount:

//This sets dependency between flushing the refcount 
cache and l2 cache.
if (decrease)
qcow2_cache_set_dependency(bs, 
s->refcount_block_cache,s->l2_table_cache);


ret = alloc_refcount_block(bs, cluster_index, 
&refcount_block);
return load_refcount_block(bs, 
refcount_block_offset, refcount_block);
return qcow2_cache_get(...
qcow2_cache_do_get
/* because of a cache 
miss, we have to evict an entry*/
ret = 
qcow2_cache_entry_flush(bs, c, i);
if (c->depends) {
/* this flushes 
the L2 cache */
ret = 
qcow2_cache_flush_dependency(bs, c);
}


I had attached a reproducer that works with almost any cluster size and 
refcount block size.
Cluster sizes below 4K don't work because commit which is done by the mirror 
job which works on 4K granularity,
and that results in it not doing any discards due to various alignment 
restrictions.

If I patch qemu to make mirror job work on 512B granularity, test reproduces 
for small clusters as well.

The reproducer creates a qcow2 image in the current directory and it needs 
about 11G for default parameters.
(64K cluster size, 16 bit refcounts).
For 4K cluster size and 64 bit refcounts, it needs only 11M.
(This can be changed by editing the script)

Best regards,
Maxim Levitsky


reproducer.sh
Description: application/shellscript

Re: [RFC v5 12/12] accel: centralize initialization of CpusAccelOps

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 07:52:15PM +0100, Claudio Fontana wrote:
[...]
> >> +}
> > 
> > Additionally, if you call arch_cpu_accel_init() here, you won't
> > need MODULE_INIT_ACCEL_CPU anymore.  The
> > 
> >   module_call_init(MODULE_INIT_ACCEL_CPU)
> > 
> > call with implicit dependencies on runtime state inside vl.c and
> > *-user/main.c becomes a trivial:
> > 
> >   accel_init(accel)
> > 
> > call in accel_init_machine() and *-user:main().
> 
> 
> 
> I do need a separate thing for the arch cpu accel specialization though,
> without MODULE_INIT_ACCEL_CPU that link between all operations done at 
> accel-chosen time is missing..
> 

I think this is a key point we need to sort out.

What do you mean by "link between all operations done at
accel-chosen time" and why that's important?

accel_init_machine() has 2-3 lines of code with side effects.  It
calls AccelClass.init_machine(), which may may have hundreds of
lines of code.  accel_setup_post() has one additional method
call, which is triggered at a slightly different moment.

You are using MODULE_INIT_ACCEL for 2 additional lines of code:
- the cpus_register_accel() call
- the x86_cpu_accel_init() call

What makes those 2 lines of code so special, to make them deserve
a completely new mechanism to trigger them, instead of using
trivial function calls inside a accel_init() function?

-- 
Eduardo

Re: [PATCH v2] hw/arm/virt enable support for virtio-mem

2020-11-24 Thread David Hildenbrand 
On 24.11.20 19:11, Jonathan Cameron wrote:
> On Mon, 9 Nov 2020 20:47:09 +0100
> David Hildenbrand  wrote:
> 
> +CC Eric based on similar query in other branch of the thread.
> 
>> On 05.11.20 18:43, Jonathan Cameron wrote:
>>> Basically a cut and paste job from the x86 support with the exception of
>>> needing a larger block size as the Memory Block Size (MIN_SECTION_SIZE)
>>> on ARM64 in Linux is 1G.
>>>
>>> Tested:
>>> * In full emulation and with KVM on an arm64 server.
>>> * cold and hotplug for the virtio-mem-pci device.
>>> * Wide range of memory sizes, added at creation and later.
>>> * Fairly basic memory usage of memory added.  Seems to function as normal.
>>> * NUMA setup with virtio-mem-pci devices on each node.
>>> * Simple migration test.
>>>
>>> Related kernel patch just enables the Kconfig item for ARM64 as an
>>> alternative to x86 in drivers/virtio/Kconfig
>>>
>>> The original patches from David Hildenbrand stated that he thought it should
>>> work for ARM64 but it wasn't enabled in the kernel [1]
>>> It appears he was correct and everything 'just works'.
>>>
>>> The build system related stuff is intended to ensure virtio-mem support is
>>> not built for arm32 (build will fail due no defined block size).
>>> If there is a more elegant way to do this, please point me in the right
>>> direction.  
>>
>> You might be aware of https://virtio-mem.gitlab.io/developer-guide.html 
>> and the "issue" with 64k base pages - 512MB granularity. Similar as the 
>> question from Auger, have you tried running arm64 with differing page 
>> sizes in host/guest?
>>
> 
> Hi David,
> 
>> With recent kernels, you can use "memhp_default_state=online_movable" on 
>> the kernel cmdline to make memory unplug more likely to succeed - 
>> especially with 64k base pages. You just have to be sure to not hotplug 
>> "too much memory" to a VM.
> 
> Thanks for the pointer - that definitely simplifies testing.  Was getting a 
> bit
> tedious with out that.
> 
> As ever other stuff got in the way, so I only just got back to looking at 
> this.
> 
> I've not done a particularly comprehensive set of tests yet, but things seem
> to 'work' with mixed page sizes.
> 
> With 64K pages in general, you run into a problem with the device block_size 
> being
> smaller than the subblock_size.  I've just added a check for that into the

"device block size smaller than subblock size" - that's very common,
e.g.,  on x86-64.

E.g., device_block_size is 2MiB, subblock size 4MiB - until we improve
that in the future in Linux guests.

Or did you mean something else?

> virtio-mem kernel driver and have it fail to probe if that happens.  I don't
> think such a setup makes any sense anyway so no loss there.  Should it make 
> sense
> to drop that restriction in the future we can deal with that then without 
> breaking
> backwards compatibility.
> 
> So the question is whether it makes sense to bother with virtio-mem support
> at all on ARM64 with 64k pages given currently the minimum workable block_size
> is 512MiB?  I guess there is an argument of virtio-mem being a possibly more
> convenient interface than full memory HP.  Curious to hear what people think 
> on
> this?

IMHO we really want it. For example, RHEL is always 64k. This is a
current guest limitation, to be improved in the future - either by
moving away from 512MB huge pages with 64k or by improving
alloc_contig_range().

> 
> 4K guest on 64K host seems fine and no such limit is needed - though there
> may be performance issues doing that.

Yeah, if one is lucky to get one of these 512 MiB huge pages at all :)

> 
> 64k guest on 4k host with 512MiB block size seems fine.
> 
> If there are any places anyone thinks need particular poking I'd appreciate a 
> hint :)

If things seem to work for now, that's great :) Thanks!

-- 
Thanks,

David / dhildenb

Re: [RFC v5 09/12] module: introduce MODULE_INIT_ACCEL_CPU

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 07:29:50PM +0100, Claudio Fontana wrote:
> On 11/24/20 6:08 PM, Eduardo Habkost wrote:
> > On Tue, Nov 24, 2020 at 05:22:07PM +0100, Claudio Fontana wrote:
> >> apply this to the registration of the cpus accel interfaces,
> >>
> >> but this will be also in preparation for later use of this
> >> new module init step to also register per-accel x86 cpu type
> >> interfaces.
> >>
> >> Signed-off-by: Claudio Fontana 
> >> ---
> > [...]
> >> diff --git a/accel/qtest/qtest.c b/accel/qtest/qtest.c
> >> index b4e731cb2b..482f89729f 100644
> >> --- a/accel/qtest/qtest.c
> >> +++ b/accel/qtest/qtest.c
> >> @@ -32,7 +32,6 @@ const CpusAccel qtest_cpus = {
> >>  
> >>  static int qtest_init_accel(MachineState *ms)
> >>  {
> >> -cpus_register_accel(&qtest_cpus);
> >>  return 0;
> >>  }
> >>  
> >> @@ -58,3 +57,12 @@ static void qtest_type_init(void)
> >>  }
> >>  
> >>  type_init(qtest_type_init);
> >> +
> >> +static void qtest_accel_cpu_init(void)
> >> +{
> >> +if (qtest_enabled()) {
> >> +cpus_register_accel(&qtest_cpus);
> >> +}
> >> +}
> >> +
> >> +accel_cpu_init(qtest_accel_cpu_init);
> > 
> > I don't understand why this (and the similar changes on other
> > accelerators) is an improvement.
> > 
> > You are replacing a trivial AccelClass-specific init method with
> > a module_init() function that has a hidden dependency on runtime
> > state.
> > 
> 
> Not a big advantage I agree,
> I think however there is one, in using the existing framework that exists, 
> for the purposes that it was built for.
> 
> As I understand it, the global module init framework is supposed to mark the 
> major initialization steps,
> and this seems to fit the bill.

That seems to be the main source of disagreement.  I don't agree
that's the purpose of module_init().

The module init framework is used to unconditionally register
module-provided entities like option names, QOM types, block
drivers, trace events, etc.  The entities registered by module
init functions represent a passive dynamically loadable piece of
code.

module_init() was never used for initialization of machines,
devices, CPUs, or other runtime state.  We don't have
MODULE_INIT_MONITOR, MODULE_INIT_OBJECTS, MODULE_INIT_MACHINE,
MODULE_INIT_CPUS, MODULE_INIT_DEVICES, etc.

And I'm not convinced we should, because it would hide
dependencies between initialization steps.  It would force us to
make initialization functions affect and depend on global state.

I believe this:

  int main()
  {
result_of_A = init_A(input_for_A);
result_of_B = init_B(input_for_B);
result_of_C = init_C(input_for_C);
  }

is clearer and more maintainable than:

  int main()
  {
module_init_call(MODULE_INIT_A);  /* result_of_A hidden in global state */
module_init_call(MODULE_INIT_B);  /* result_of_B hidden in global state */
module_init_call(MODULE_INIT_C);  /* result_of_C hidden in global state */
  }

> 
> The "hidden" dependency on the fact that accels need to be initialized at 
> that time, is not hidden at all I think,
> it is what this module init step is all about.
> 
> It is explicitly meaning, "_now that the current accelerator is chosen_, 
> perform these initializations".
> 
> But, as you mentioned elsewhere, I will in the meantime anyway squash these 
> things so they do not start fragmented at all, and centralize immediately.

Agreed.  We still need to sort out the disagreement above, or
we'll spend a lot of energy arguing about code.

-- 
Eduardo

Re: [PATCH 1/1] Fix qcow2 corruption on discard

2020-11-24 Thread Maxim Levitsky 
On Tue, 2020-11-24 at 19:59 +0100, Alberto Garcia wrote:
> On Tue 24 Nov 2020 10:17:23 AM CET, Kevin Wolf wrote:
> > We can then continue work to find a minimal reproducer and merge the
> > test case in the early 6.0 cycle.
> 
> I haven't been able to reproduce the problem yet, do you have any
> findings?
> 
> Berto
> 

I have a working reproducer script. I'll send it in a hour or so.
Best regards,
Maxim Levitsky

Re: [PATCH 1/1] Fix qcow2 corruption on discard

2020-11-24 Thread Alberto Garcia 
On Tue 24 Nov 2020 10:17:23 AM CET, Kevin Wolf wrote:
> We can then continue work to find a minimal reproducer and merge the
> test case in the early 6.0 cycle.

I haven't been able to reproduce the problem yet, do you have any
findings?

Berto

Re: [RFC v5 12/12] accel: centralize initialization of CpusAccelOps

2020-11-24 Thread Claudio Fontana 
On 11/24/20 6:48 PM, Eduardo Habkost wrote:
> On Tue, Nov 24, 2020 at 05:22:10PM +0100, Claudio Fontana wrote:
>> Signed-off-by: Claudio Fontana 
>> ---
>>  accel/kvm/kvm-all.c  |  9 ---
>>  accel/kvm/kvm-cpus.c | 26 +-
>>  accel/kvm/kvm-cpus.h |  2 --
>>  accel/qtest/qtest.c  | 31 --
>>  accel/tcg/tcg-cpus-icount.c  | 11 +---
>>  accel/tcg/tcg-cpus-icount.h  |  2 ++
>>  accel/tcg/tcg-cpus-mttcg.c   | 12 +++--
>>  accel/tcg/tcg-cpus-mttcg.h   | 19 ++
>>  accel/tcg/tcg-cpus-rr.c  |  7 -
>>  accel/tcg/tcg-cpus.c | 48 ++---
>>  accel/tcg/tcg-cpus.h |  4 ---
>>  accel/xen/xen-all.c  | 29 ++--
>>  include/sysemu/cpus.h| 39 ---
>>  softmmu/cpus.c   | 51 +---
>>  target/i386/hax/hax-all.c|  9 ---
>>  target/i386/hax/hax-cpus.c   | 29 +++-
>>  target/i386/hax/hax-cpus.h   |  2 --
>>  target/i386/hvf/hvf-cpus.c   | 27 ++-
>>  target/i386/hvf/hvf-cpus.h   |  2 --
>>  target/i386/hvf/hvf.c|  9 ---
>>  target/i386/whpx/whpx-all.c  |  9 ---
>>  target/i386/whpx/whpx-cpus.c | 29 +++-
>>  target/i386/whpx/whpx-cpus.h |  2 --
>>  23 files changed, 251 insertions(+), 157 deletions(-)
>>  create mode 100644 accel/tcg/tcg-cpus-mttcg.h
>>
>> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
>> index 509b249f52..33156cc4c7 100644
>> --- a/accel/kvm/kvm-all.c
>> +++ b/accel/kvm/kvm-all.c
>> @@ -3234,12 +3234,3 @@ static void kvm_type_init(void)
>>  }
>>  
>>  type_init(kvm_type_init);
>> -
>> -static void kvm_accel_cpu_init(void)
>> -{
>> -if (kvm_enabled()) {
>> -cpus_register_accel(&kvm_cpus);
>> -}
>> -}
>> -
>> -accel_cpu_init(kvm_accel_cpu_init);
>> diff --git a/accel/kvm/kvm-cpus.c b/accel/kvm/kvm-cpus.c
>> index d809b1e74c..33dc8e737a 100644
>> --- a/accel/kvm/kvm-cpus.c
>> +++ b/accel/kvm/kvm-cpus.c
>> @@ -74,11 +74,25 @@ static void kvm_start_vcpu_thread(CPUState *cpu)
>> cpu, QEMU_THREAD_JOINABLE);
>>  }
>>  
>> -const CpusAccel kvm_cpus = {
>> -.create_vcpu_thread = kvm_start_vcpu_thread,
>> +static void kvm_cpus_class_init(ObjectClass *oc, void *data)
>> +{
>> +CpusAccelOps *ops = CPUS_ACCEL_OPS_CLASS(oc);
> 
> Why do you need a separate QOM type hierarchy instead of just
> doing this inside AccelClass methods and/or existing accel
> class_init functions?
> 
>>  
>> -.synchronize_post_reset = kvm_cpu_synchronize_post_reset,
>> -.synchronize_post_init = kvm_cpu_synchronize_post_init,
>> -.synchronize_state = kvm_cpu_synchronize_state,
>> -.synchronize_pre_loadvm = kvm_cpu_synchronize_pre_loadvm,
>> +ops->create_vcpu_thread = kvm_start_vcpu_thread;
>> +ops->synchronize_post_reset = kvm_cpu_synchronize_post_reset;
>> +ops->synchronize_post_init = kvm_cpu_synchronize_post_init;
>> +ops->synchronize_state = kvm_cpu_synchronize_state;
>> +ops->synchronize_pre_loadvm = kvm_cpu_synchronize_pre_loadvm;
> 
> All of these could be AccelClass fields.


Makes sense, and I like also the idea below (to have a pointer from the 
AccelClass to the Ops).
I'll give both a try.


> 
> TCG makes it a bit more complicated because there's a different
> set of methods chosen for TYPE_TCG_ACCEL depending on the
> configuration.

Right, that was a bit painful,

> This could be solved by patching AccelClass at
> init time, or by moving the method pointers to AccelState.


Ok I'll experiment here.

> 
> Alternatively, if you still want to keep the
> CpusAccel/CpusAccelOps struct, that's OK.  You can just add a
> `CpusAccel *cpu_accel_ops` field to AccelClass or AccelState.  No
> need for a separate QOM hierarchy, either.
> 
> If you _really_ want a separate TYPE_CPU_ACCEL_OPS QOM type, you



No, I do not think I really need a separate QOM type.



> can still have it.  But it can be just an interface implemented
> by each accel subclass, instead of requiring a separate
> CPUS_ACCEL_TYPE_NAME(...) type to be registered for each
> accelerator.  (I don't see why you would want it, though.)
> 
> 
>>  };
>> +static const TypeInfo kvm_cpus_type_info = {
>> +.name = CPUS_ACCEL_TYPE_NAME("kvm"),
>> +
>> +.parent = TYPE_CPUS_ACCEL_OPS,
>> +.class_init = kvm_cpus_class_init,
>> +.abstract = true,
>> +};
>> +static void kvm_cpus_register_types(void)
>> +{
>> +type_register_static(&kvm_cpus_type_info);
>> +}
>> +type_init(kvm_cpus_register_types);
> [...]
>> -typedef struct CpusAccel {
>> -void (*create_vcpu_thread)(CPUState *cpu); /* MANDATORY */
>> +typedef struct CpusAccelOps CpusAccelOps;
>> +DECLARE_CLASS_CHECKERS(CpusAccelOps, CPUS_ACCEL_OPS, TYPE_CPUS_ACCEL_OPS)
>> +
>> +struct CpusAccelOps {
>> +ObjectClass parent_class;
>> +
>> +/* initialization function called when accel is chosen */
>> +void (*accel_chosen_init

[PATCH] Initialize Zynq7000 UART clocks on reset

2020-11-24 Thread Michael Peter 
Pass an additional argument to zynq_slcr_compute_clocks that indicates whether 
an reset-exit condition
applies. If called from zynq_slcr_reset_exit, external clocks are assumed to be 
active, even if the
device state indicates a reset state.

Signed-off-by: Michael Peter 
---
 hw/misc/zynq_slcr.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index a2b28019e3..073122b934 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -269,12 +269,12 @@ static uint64_t zynq_slcr_compute_clock(const uint64_t 
periods[],
  * But do not propagate them further. Connected clocks
  * will not receive any updates (See zynq_slcr_compute_clocks())
  */
-static void zynq_slcr_compute_clocks(ZynqSLCRState *s)
+static void zynq_slcr_compute_clocks(ZynqSLCRState *s, bool ignore_reset)
 {
 uint64_t ps_clk = clock_get(s->ps_clk);

 /* consider outputs clocks are disabled while in reset */
-if (device_is_in_reset(DEVICE(s))) {
+if (!ignore_reset && device_is_in_reset(DEVICE(s))) {
 ps_clk = 0;
 }

@@ -305,7 +305,7 @@ static void zynq_slcr_propagate_clocks(ZynqSLCRState *s)
 static void zynq_slcr_ps_clk_callback(void *opaque)
 {
 ZynqSLCRState *s = (ZynqSLCRState *) opaque;
-zynq_slcr_compute_clocks(s);
+zynq_slcr_compute_clocks(s, false);
 zynq_slcr_propagate_clocks(s);
 }

@@ -410,7 +410,7 @@ static void zynq_slcr_reset_hold(Object *obj)
 ZynqSLCRState *s = ZYNQ_SLCR(obj);

 /* will disable all output clocks */
-zynq_slcr_compute_clocks(s);
+zynq_slcr_compute_clocks(s, false);
 zynq_slcr_propagate_clocks(s);
 }

@@ -419,7 +419,7 @@ static void zynq_slcr_reset_exit(Object *obj)
 ZynqSLCRState *s = ZYNQ_SLCR(obj);

 /* will compute output clocks according to ps_clk and registers */
-zynq_slcr_compute_clocks(s);
+zynq_slcr_compute_clocks(s, true);
 zynq_slcr_propagate_clocks(s);
 }

@@ -558,7 +558,7 @@ static void zynq_slcr_write(void *opaque, hwaddr offset,
 case R_ARM_PLL_CTRL:
 case R_DDR_PLL_CTRL:
 case R_UART_CLK_CTRL:
-zynq_slcr_compute_clocks(s);
+zynq_slcr_compute_clocks(s, false);
 zynq_slcr_propagate_clocks(s);
 break;
 }
--
2.17.1

Re: Re: [PATCH] linux-user/elfload: Fix handling of pure BSS segments

2020-11-24 Thread Stephen Long 
Hi Peter, 

> (a) what does "fails to load" mean here? In the sample binary
> I had, we got a SIGSEGV in zero_bss() when it tried to memset()
> memory that hadn't been mmap()ed. Is that the only failure mode,
> or can this manifest in other ways too?

Apologies for the unclear commit msg. I was also seeing a SIGSEGV in
zero_bss() with the binaries I was generating. I was using LLD to generate
the binaries. The binaries all had LOAD segments with a file size of 0.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919921 was the thread that
Philippe pointed me to with the requested change that solved my issue.

> (b) The comment immediately before this change says:
>* Some segments may be completely empty without any backing file
>* segment, in that case just let zero_bss allocate an empty buffer
>* for it.
> which is justifying why it was looking at p_filesz and not vaddr_len.
> With this change to the code, the comment becomes stale and needs
> updating.

I'll update the comment and the commit msg if this change makes sense to
everybody.

> (c) After this change, are there still cases where zero_bss()
> needs to do its mmap()/page_set_flags(), or does that become
> unnecessary ?

Maybe someone else can speak to this. But, you might be right. I don't see
this being necessary anymore.

Thanks,
Stephen

Re: [RFC v5 11/12] i386: centralize initialization of cpu accel interfaces

2020-11-24 Thread Claudio Fontana 
On 11/24/20 5:59 PM, Eduardo Habkost wrote:
> On Tue, Nov 24, 2020 at 05:22:09PM +0100, Claudio Fontana wrote:
>> Signed-off-by: Claudio Fontana 
> 
> Probably this can be squashed into patch 10/12.


Yes, you are right, no point building things fragmented and then merging 
together later.


> 
>> ---
>>  target/i386/cpu-qom.h |  2 --
>>  target/i386/cpu.c | 27 ---
>>  target/i386/hvf/cpu.c |  9 -
>>  target/i386/kvm/cpu.c |  8 
>>  target/i386/tcg/cpu.c |  9 -
>>  5 files changed, 20 insertions(+), 35 deletions(-)
>>
>> diff --git a/target/i386/cpu-qom.h b/target/i386/cpu-qom.h
>> index 9316e78e71..2cea5394c6 100644
>> --- a/target/i386/cpu-qom.h
>> +++ b/target/i386/cpu-qom.h
>> @@ -98,6 +98,4 @@ struct X86CPUAccelClass {
>>  void (*cpu_realizefn)(X86CPU *cpu, Error **errp);
>>  };
>>  
>> -void x86_cpu_accel_init(const char *accel_name);
>> -
>>  #endif
>> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>> index b799723e53..f6fd055046 100644
>> --- a/target/i386/cpu.c
>> +++ b/target/i386/cpu.c
>> @@ -7066,18 +7066,31 @@ type_init(x86_cpu_register_types)
>>  static void x86_cpu_accel_init_aux(ObjectClass *klass, void *opaque)
>>  {
>>  X86CPUClass *xcc = X86_CPU_CLASS(klass);
>> -const X86CPUAccelClass **accel = opaque;
>> +X86CPUAccelClass *accel = opaque;
>>  
>> -xcc->accel = *accel;
>> +xcc->accel = accel;
>>  xcc->accel->cpu_common_class_init(xcc);
>>  }
>>  
>> -void x86_cpu_accel_init(const char *accel_name)
>> +static void x86_cpu_accel_init(void)
>>  {
>> -X86CPUAccelClass *acc;
>> +const char *ac_name;
>> +ObjectClass *ac;
>> +char *xac_name;
>> +ObjectClass *xac;
>>  
>> -acc = X86_CPU_ACCEL_CLASS(object_class_by_name(accel_name));
>> -g_assert(acc != NULL);
>> +ac = object_get_class(OBJECT(current_accel()));
>> +g_assert(ac != NULL);
>> +ac_name = object_class_get_name(ac);
>> +g_assert(ac_name != NULL);
>>  
>> -object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, &acc);
>> +xac_name = g_strdup_printf("%s-%s", ac_name, TYPE_X86_CPU);
>> +xac = object_class_by_name(xac_name);
>> +g_free(xac_name);
>> +
>> +if (xac) {
>> +object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, 
>> xac);
>> +}
>>  }
>> +
>> +accel_cpu_init(x86_cpu_accel_init);
> 
> This keeps the hidden initialization ordering dependency between
> MODULE_INIT_ACCEL_CPU and current_accel().  I thought we were
> going to get rid of module init functions that depend on runtime
> state.
> 
> This is an improvement to the code in patch 10/12, though.  If
> others believe it is an acceptable (temporary) solution, I won't
> block it.


In the way I thought about it, MODULE_INIT_ACCEL_CPU meant exactly that: 
initializations to be done after accel is chosen.
So in my view the relationship with current_accel() was then following 
naturally.



> 
> I would still prefer to have a
>   void arch_accel_cpu_init(AccelState*)
> function which would call a
>   void x86_cpu_accel_init(AccelState*)
> function.  That would make the dependency between
> x86_cpu_accel_init() and accelerator creation explicit.
> 


not a bad idea either,
what I would lose here is a single point to discover the codebase, ie

MODULE_INIT_ACCEL_CPU via a simple grep or gid MODULE_INIT_ACCEL_CPU gives me 
all initializations done
for this phase, not only the arch_ stuff, but also currently the Ops stuff.


> 
>> diff --git a/target/i386/hvf/cpu.c b/target/i386/hvf/cpu.c
>> index 7e7dc044d3..70b6dbfc10 100644
>> --- a/target/i386/hvf/cpu.c
>> +++ b/target/i386/hvf/cpu.c
>> @@ -65,12 +65,3 @@ static void hvf_cpu_accel_register_types(void)
>>  type_register_static(&hvf_cpu_accel_type_info);
>>  }
>>  type_init(hvf_cpu_accel_register_types);
>> -
>> -static void hvf_cpu_accel_init(void)
>> -{
>> -if (hvf_enabled()) {
>> -x86_cpu_accel_init(X86_CPU_ACCEL_TYPE_NAME("hvf"));
>> -}
>> -}
>> -
>> -accel_cpu_init(hvf_cpu_accel_init);
>> diff --git a/target/i386/kvm/cpu.c b/target/i386/kvm/cpu.c
>> index bc5f519479..c17ed5a3f2 100644
>> --- a/target/i386/kvm/cpu.c
>> +++ b/target/i386/kvm/cpu.c
>> @@ -147,11 +147,3 @@ static void kvm_cpu_accel_register_types(void)
>>  type_register_static(&kvm_cpu_accel_type_info);
>>  }
>>  type_init(kvm_cpu_accel_register_types);
>> -
>> -static void kvm_cpu_accel_init(void)
>> -{
>> -if (kvm_enabled()) {
>> -x86_cpu_accel_init(X86_CPU_ACCEL_TYPE_NAME("kvm"));
>> -}
>> -}
>> -accel_cpu_init(kvm_cpu_accel_init);
>> diff --git a/target/i386/tcg/cpu.c b/target/i386/tcg/cpu.c
>> index e7d4effdd0..00166c36e9 100644
>> --- a/target/i386/tcg/cpu.c
>> +++ b/target/i386/tcg/cpu.c
>> @@ -170,12 +170,3 @@ static void tcg_cpu_accel_register_types(void)
>>  type_register_static(&tcg_cpu_accel_type_info);
>>  }
>>  type_init(tcg_cpu_accel_register_types);
>> -
>> -static void tcg_cpu_accel_init(void)
>> -{
>> -if (tcg_enabled()) {
>

Re: [RFC v5 09/12] module: introduce MODULE_INIT_ACCEL_CPU

2020-11-24 Thread Claudio Fontana 
On 11/24/20 6:08 PM, Eduardo Habkost wrote:
> On Tue, Nov 24, 2020 at 05:22:07PM +0100, Claudio Fontana wrote:
>> apply this to the registration of the cpus accel interfaces,
>>
>> but this will be also in preparation for later use of this
>> new module init step to also register per-accel x86 cpu type
>> interfaces.
>>
>> Signed-off-by: Claudio Fontana 
>> ---
> [...]
>> diff --git a/accel/qtest/qtest.c b/accel/qtest/qtest.c
>> index b4e731cb2b..482f89729f 100644
>> --- a/accel/qtest/qtest.c
>> +++ b/accel/qtest/qtest.c
>> @@ -32,7 +32,6 @@ const CpusAccel qtest_cpus = {
>>  
>>  static int qtest_init_accel(MachineState *ms)
>>  {
>> -cpus_register_accel(&qtest_cpus);
>>  return 0;
>>  }
>>  
>> @@ -58,3 +57,12 @@ static void qtest_type_init(void)
>>  }
>>  
>>  type_init(qtest_type_init);
>> +
>> +static void qtest_accel_cpu_init(void)
>> +{
>> +if (qtest_enabled()) {
>> +cpus_register_accel(&qtest_cpus);
>> +}
>> +}
>> +
>> +accel_cpu_init(qtest_accel_cpu_init);
> 
> I don't understand why this (and the similar changes on other
> accelerators) is an improvement.
> 
> You are replacing a trivial AccelClass-specific init method with
> a module_init() function that has a hidden dependency on runtime
> state.
> 

Not a big advantage I agree,
I think however there is one, in using the existing framework that exists, for 
the purposes that it was built for.

As I understand it, the global module init framework is supposed to mark the 
major initialization steps,
and this seems to fit the bill.

The "hidden" dependency on the fact that accels need to be initialized at that 
time, is not hidden at all I think,
it is what this module init step is all about.

It is explicitly meaning, "_now that the current accelerator is chosen_, 
perform these initializations".

But, as you mentioned elsewhere, I will in the meantime anyway squash these 
things so they do not start fragmented at all, and centralize immediately.


Thanks,

Claudio

Re: [RFC v5 08/12] accel: extend AccelState and AccelClass to user-mode

2020-11-24 Thread Claudio Fontana 
Hi Eduardo,

thanks for looking at this,

On 11/24/20 6:56 PM, Eduardo Habkost wrote:
> On Tue, Nov 24, 2020 at 05:22:06PM +0100, Claudio Fontana wrote:
>> Signed-off-by: Claudio Fontana 
>> ---
> [...]
>> @@ -908,8 +909,12 @@ int main(int argc, char **argv)
>>  }
>>  
>>  /* init tcg before creating CPUs and to get qemu_host_page_size */
>> -tcg_exec_init(0);
>> +{
>> +AccelClass *ac = accel_find("tcg");
>>  
>> +g_assert(ac != NULL);
>> +ac->init_machine(NULL);
> 
> Most init_machine() methods will crash if you call them with a
> NULL argument.

not tcg though,


> 
> This looks like another reason for having a
>   void accel_init(AccelState*)
> function and a
>   void (*init)(AccelState*)
> method in AccelClass.
> 
> Then the whole code block above would be as trivial as:
> 
>   accel_init(current_accel());


but this does look like an attractive result,

thanks!

CLaudio
> 
> 
>> +}
> [...]
>>
>

Re: [PATCH v2] hw/arm/virt enable support for virtio-mem

2020-11-24 Thread Jonathan Cameron 
On Mon, 9 Nov 2020 20:47:09 +0100
David Hildenbrand  wrote:

+CC Eric based on similar query in other branch of the thread.

> On 05.11.20 18:43, Jonathan Cameron wrote:
> > Basically a cut and paste job from the x86 support with the exception of
> > needing a larger block size as the Memory Block Size (MIN_SECTION_SIZE)
> > on ARM64 in Linux is 1G.
> > 
> > Tested:
> > * In full emulation and with KVM on an arm64 server.
> > * cold and hotplug for the virtio-mem-pci device.
> > * Wide range of memory sizes, added at creation and later.
> > * Fairly basic memory usage of memory added.  Seems to function as normal.
> > * NUMA setup with virtio-mem-pci devices on each node.
> > * Simple migration test.
> > 
> > Related kernel patch just enables the Kconfig item for ARM64 as an
> > alternative to x86 in drivers/virtio/Kconfig
> > 
> > The original patches from David Hildenbrand stated that he thought it should
> > work for ARM64 but it wasn't enabled in the kernel [1]
> > It appears he was correct and everything 'just works'.
> > 
> > The build system related stuff is intended to ensure virtio-mem support is
> > not built for arm32 (build will fail due no defined block size).
> > If there is a more elegant way to do this, please point me in the right
> > direction.  
> 
> You might be aware of https://virtio-mem.gitlab.io/developer-guide.html 
> and the "issue" with 64k base pages - 512MB granularity. Similar as the 
> question from Auger, have you tried running arm64 with differing page 
> sizes in host/guest?
> 

Hi David,

> With recent kernels, you can use "memhp_default_state=online_movable" on 
> the kernel cmdline to make memory unplug more likely to succeed - 
> especially with 64k base pages. You just have to be sure to not hotplug 
> "too much memory" to a VM.

Thanks for the pointer - that definitely simplifies testing.  Was getting a bit
tedious with out that.

As ever other stuff got in the way, so I only just got back to looking at this.

I've not done a particularly comprehensive set of tests yet, but things seem
to 'work' with mixed page sizes.

With 64K pages in general, you run into a problem with the device block_size 
being
smaller than the subblock_size.  I've just added a check for that into the
virtio-mem kernel driver and have it fail to probe if that happens.  I don't
think such a setup makes any sense anyway so no loss there.  Should it make 
sense
to drop that restriction in the future we can deal with that then without 
breaking
backwards compatibility.

So the question is whether it makes sense to bother with virtio-mem support
at all on ARM64 with 64k pages given currently the minimum workable block_size
is 512MiB?  I guess there is an argument of virtio-mem being a possibly more
convenient interface than full memory HP.  Curious to hear what people think on
this?

4K guest on 64K host seems fine and no such limit is needed - though there
may be performance issues doing that.

64k guest on 4k host with 512MiB block size seems fine.

If there are any places anyone thinks need particular poking I'd appreciate a 
hint :)

Jonathan



> 
> 
> I had my prototype living at
> 
> g...@github.com:davidhildenbrand/qemu.git / virtio-mem-arm64
> 
> which looks very similar to your patch. That is good :)
> 
> [...]
> 
> >   static void virt_machine_device_plug_cb(HotplugHandler *hotplug_dev,
> >   DeviceState *dev, Error **errp)
> >   {
> > @@ -2336,6 +2389,9 @@ static void 
> > virt_machine_device_plug_cb(HotplugHandler *hotplug_dev,
> >   if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
> >   virt_memory_plug(hotplug_dev, dev, errp);
> >   }
> > +if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_MEM_PCI)) {
> > +virt_virtio_md_pci_plug(hotplug_dev, dev, errp);
> > +}  
> 
> These better all be "else if".
> 
> >   if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
> >   PCIDevice *pdev = PCI_DEVICE(dev);
> >   
> > @@ -2363,6 +2419,11 @@ static void virt_dimm_unplug_request(HotplugHandler 
> > *hotplug_dev,
> >   goto out;
> >   }
> >   
> > +if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_MEM_PCI)) {
> > +error_setg(&local_err,
> > +   "virtio-mem based memory devices cannot be unplugged.");
> > +goto out;
> > +}  
> 
> This should go into virt_machine_device_unplug_request_cb() instead, no?
> [...]
> 
>

Re: [RFC v5 08/12] accel: extend AccelState and AccelClass to user-mode

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 05:22:06PM +0100, Claudio Fontana wrote:
> Signed-off-by: Claudio Fontana 
> ---
[...]
> @@ -908,8 +909,12 @@ int main(int argc, char **argv)
>  }
>  
>  /* init tcg before creating CPUs and to get qemu_host_page_size */
> -tcg_exec_init(0);
> +{
> +AccelClass *ac = accel_find("tcg");
>  
> +g_assert(ac != NULL);
> +ac->init_machine(NULL);

Most init_machine() methods will crash if you call them with a
NULL argument.

This looks like another reason for having a
  void accel_init(AccelState*)
function and a
  void (*init)(AccelState*)
method in AccelClass.

Then the whole code block above would be as trivial as:

  accel_init(current_accel());


> +}
[...]
> 

-- 
Eduardo

Re: [PATCH v3 2/7] introduce UFFD-WP low-level interface helpers

2020-11-24 Thread Dr. David Alan Gilbert 
* Andrey Gruzdev (andrey.gruz...@virtuozzo.com) wrote:
> Implemented support for the whole RAM block memory
> protection/un-protection. Introduced higher level
> ram_write_tracking_start() and ram_write_tracking_stop()
> to start/stop tracking guest memory writes.
> 
> Signed-off-by: Andrey Gruzdev 
> ---
>  include/exec/memory.h |   7 ++
>  migration/ram.c   | 267 ++
>  migration/ram.h   |   4 +
>  3 files changed, 278 insertions(+)
> 
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index 0f3e6bcd5e..3d798fce16 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -139,6 +139,13 @@ typedef struct IOMMUNotifier IOMMUNotifier;
>  /* RAM is a persistent kind memory */
>  #define RAM_PMEM (1 << 5)
>  
> +/*
> + * UFFDIO_WRITEPROTECT is used on this RAMBlock to
> + * support 'write-tracking' migration type.
> + * Implies ram_state->ram_wt_enabled.
> + */
> +#define RAM_UF_WRITEPROTECT (1 << 6)
> +
>  static inline void iommu_notifier_init(IOMMUNotifier *n, IOMMUNotify fn,
> IOMMUNotifierFlag flags,
> hwaddr start, hwaddr end,
> diff --git a/migration/ram.c b/migration/ram.c
> index 7811cde643..7f273c9996 100644
> --- a/migration/ram.c
> +++ b/migration/ram.c
> @@ -56,6 +56,12 @@
>  #include "savevm.h"
>  #include "qemu/iov.h"
>  #include "multifd.h"
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include "sysemu/runstate.h"
>  
>  /***/
>  /* ram save/restore */
> @@ -298,6 +304,8 @@ struct RAMSrcPageRequest {
>  struct RAMState {
>  /* QEMUFile used for this migration */
>  QEMUFile *f;
> +/* UFFD file descriptor, used in 'write-tracking' migration */
> +int uffdio_fd;
>  /* Last block that we have visited searching for dirty pages */
>  RAMBlock *last_seen_block;
>  /* Last block from where we have sent data */
> @@ -453,6 +461,181 @@ static QemuThread *decompress_threads;
>  static QemuMutex decomp_done_lock;
>  static QemuCond decomp_done_cond;
>  
> +/**
> + * uffd_create_fd: create UFFD file descriptor
> + *
> + * Returns non-negative file descriptor or negative value in case of an error
> + */
> +static int uffd_create_fd(void)
> +{
> +int uffd;
> +struct uffdio_api api_struct;
> +uint64_t ioctl_mask = BIT(_UFFDIO_REGISTER) | BIT(_UFFDIO_UNREGISTER);

You need to be a bit careful about doing this in migration/ram.c - it's
generic code; at minimum it needs ifdef'ing for Linux.

> +uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
> +if (uffd < 0) {
> +error_report("uffd_create_fd() failed: UFFD not supported");
> +return -1;
> +}
> +
> +api_struct.api = UFFD_API;
> +api_struct.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP;
> +if (ioctl(uffd, UFFDIO_API, &api_struct)) {
> +error_report("uffd_create_fd() failed: "
> +"API version not supported version=%llx errno=%i",
> +api_struct.api, errno);
> +goto fail;
> +}
> +
> +if ((api_struct.ioctls & ioctl_mask) != ioctl_mask) {
> +error_report("uffd_create_fd() failed: "
> +"PAGEFAULT_FLAG_WP feature missing");
> +goto fail;
> +}
> +
> +return uffd;

Should we be putting that somewher that we can share with postcopy?

> +fail:
> +close(uffd);
> +return -1;
> +}
> +
> +/**
> + * uffd_close_fd: close UFFD file descriptor
> + *
> + * @uffd: UFFD file descriptor
> + */
> +static void uffd_close_fd(int uffd)
> +{
> +assert(uffd >= 0);
> +close(uffd);
> +}
> +
> +/**
> + * uffd_register_memory: register memory range with UFFD
> + *
> + * Returns 0 in case of success, negative value on error
> + *
> + * @uffd: UFFD file descriptor
> + * @start: starting virtual address of memory range
> + * @length: length of memory range
> + * @track_missing: generate events on missing-page faults
> + * @track_wp: generate events on write-protected-page faults
> + */
> +static int uffd_register_memory(int uffd, hwaddr start, hwaddr length,
> +bool track_missing, bool track_wp)
> +{
> +struct uffdio_register uffd_register;
> +
> +uffd_register.range.start = start;
> +uffd_register.range.len = length;
> +uffd_register.mode = (track_missing ? UFFDIO_REGISTER_MODE_MISSING : 0) |
> + (track_wp ? UFFDIO_REGISTER_MODE_WP : 0);
> +
> +if (ioctl(uffd, UFFDIO_REGISTER, &uffd_register)) {
> +error_report("uffd_register_memory() failed: "
> +"start=%0"PRIx64" len=%"PRIu64" mode=%llu errno=%i",
> +start, length, uffd_register.mode, errno);
> +return -1;
> +}
> +
> +return 0;
> +}
> +
> +/**
> + * uffd_protect_memory: protect/unprotect memory range for writes with UFFD
> + *
> + * Returns 0 on success or negative value in case of error
> + *
> + * @uffd: UFFD file de

Re: [PATCH for-6.0 2/8] spapr/xive: Introduce spapr_xive_nr_ends()

2020-11-24 Thread Cédric Le Goater 
On 11/24/20 6:01 PM, Greg Kurz wrote:
> On Tue, 24 Nov 2020 14:54:38 +0100
> Cédric Le Goater  wrote:
> 
>> On 11/23/20 12:16 PM, Greg Kurz wrote:
>>> On Mon, 23 Nov 2020 10:46:38 +0100
>>> Cédric Le Goater  wrote:
>>>
 On 11/20/20 6:46 PM, Greg Kurz wrote:
> We're going to kill the "nr_ends" field in a subsequent patch.

 why ? it is one of the tables of the controller and its part of 
 the main XIVE concepts. Conceptually, we could let the machine 
 dimension it with an arbitrary value as OPAL does. The controller
 would fail when the table is fully used. 

>>>
>>> The idea is that the sPAPR machine only true need is to create a
>>> controller that can accommodate up to a certain number of vCPU ids.
>>> It doesn't really to know about the END itself IMHO.> 
>>> This being said, if we decide to pass both spapr_max_server_number()
>>> and smp.max_cpus down to the backends as function arguments, we won't
>>> have to change "nr_ends" at all.
>>
>> I would prefer that but I am still not sure what they represent. 
>>
>> Looking at the sPAPR XIVE code, we deal with numbers/ranges in the 
>> following places today.
>>
>>  * spapr_xive_dt() 
>>
>>It defines a range of interrupt numbers to be used by the guest 
>>for the threads/vCPUs IPIs. It's a subset of interrupt numbers 
>>in :
>>
>>  [ SPAPR_IRQ_IPI - SPAPR_IRQ_EPOW [
>>
>>These are not vCPU ids.
>>
>>Since these interrupt numbers will be considered as free to use
>>by the OS, it makes sense to pre-claim them. But claiming an 
>>interrupt number in the guest can potentially set up, through 
>>the KVM device, a mapping on the host and in HW. See below why
>>this can be a problem.
>>
>>  * kvmppc_xive_cpu_connect()   
>>
>>This sizes the NVT tables in OPAL for the guest. This is the  
>>max number of vCPUs of the guest (not vCPU ids)
>>
> 
> I guess you're talking about KVM_DEV_XIVE_NR_SERVERS in
> kvmppc_xive_connect() actually. We're currently passing
> spapr_max_server_number() (vCPU id) but you might be
> right.
> 
> I need to re-read the story around VSMT and XIVE.

ok. What we care about here, is a size to allocate the NVT block
representing the vCPUs in HW. NVT ids are pushed in the thread 
contexts when the vCPUs are scheduled to run and looked for by 
the presenter when an interrupt is to be delivered.

 
> commit 1e175d2e07c71d9574f5b1c74523abca54e2654f
> Author: Sam Bobroff 
> Date:   Wed Jul 25 16:12:02 2018 +1000
> 
> KVM: PPC: Book3S HV: Pack VCORE IDs to access full VCPU ID space
> 
>>  * spapr_irq_init()
>>
>>This is where the IPI interrupt numbers are claimed today. 
>>Directly in QEMU and KVM, if the machine is running XIVE only, 
>>indirectly if it's dual, first in QEMU and then in KVM when 
>>the machine switches of interrupt mode in CAS. 
>>
>>The problem is that the underlying XIVE resources in HW are 
>>allocated where the QEMU process is running. Which is not the
>>best option when the vCPUs are pinned on different chips.
>>
>>My patchset was trying to improve that by claiming the IPI on 
>>demand when the vCPU is connected to the KVM device. But it 
>>was using the vCPU id as the IPI interrupt number which is 
>>utterly wrong, the guest OS could use any number in the range 
>>exposed in the DT.
>>
>>The last patch you sent was going in the right direction I think.
>>That is to claim the IPI when the guest OS is requesting for it. 
>>
>>
>> http://patchwork.ozlabs.org/project/qemu-devel/patch/160528045027.804522.6161091782230763832.st...@bahia.lan/
>>
>>But I don't understand why it was so complex. It should be like
>>the MSIs claimed by PCI devices.
>>
> 
> The difference here is that the guest doesn't claim IPIs. They are
> supposedly pre-claimed in "ibm,xive-lisn-ranges". And this is actually
> the case in QEMU.

yes. That's what I want to change (for performance)

> The IPI setup sequence in the guest is basically:
> 1) grab a free irq from the bitmap, ie. "ibm,xive-lisn-ranges"
> 2) calls H_INT_GET_SOURCE_INFO, ie. populate_irq_data()
> 3) calls H_INT_SET_SOURCE_CONFIG, ie, configure_irq())
> 
> If we want an IPI to be claimed by the appropriate vCPU, we
> can only do this from under H_INT_SET_SOURCE_CONFIG. And
> until the guest eventually configures the IPI, KVM and QEMU
> are out of sync.

Well, KVM doesn't know either how much PCI MSIs will be claimed.
It all depends on the guest OS. 

I don't think this is a problem to expose unclaimed interrupt
numbers to the guest if they are IPIs. We can detect that
easily with the range and claim the source at KVM level when 
it's configured or in h_int_get_source_info(). Talking of which, 
it might be good to have a KVM command to query the source 
characteristics on the host. I sent a patchset a while ago in 
that sense.

> This complexifies migration because we have to guess at
> post load if we should claim the IPI in KV

Re: [PATCH] target/i386: fix operand order for PDEP and PEXT

2020-11-24 Thread Richard Henderson 
On 11/23/20 5:14 AM, Paolo Bonzini wrote:
> For PDEP and PEXT, the mask is provided in the memory (mod+r/m)
> operand, and therefore is loaded in s->T0 by gen_ldst_modrm.
> The source is provided in the second source operand (VEX.)
> and therefore is loaded in s->T1.  Fix the order in which
> they are passed to the helpers.
> 
> Reported-by: Lenard Szolnoki 
> Analyzed-by: Lenard Szolnoki 
> Fixes: https://bugs.launchpad.net/qemu/+bug/1605123
> Signed-off-by: Paolo Bonzini 

The patch itself looks fine.

> +test-i386-bmi2: CFLAGS += -mbmi2
> +run-test-i386-bmi2: QEMU_OPTS += -cpu max
> +run-plugin-test-i386-bmi2-%: QEMU_OPTS += -cpu max

I suspect that we still support host operating systems whose compilers do not
support -mbmi2.  This might require a bit in tests/tcg/configure.sh akin to
CROSS_CC_HAS_ARMV8_3.

> +int main(int argc, char *argv[]) {
> +char hello[16];
> +uint64_t ehlo = 0x202020204f4c4845ull;
> +uint64_t mask = 0xa080800302020001ull;
> +uint64_t result64;
> +uint32_t result32;
> +
> +/* 64 bits */
> +asm volatile ("pextq   %2, %1, %0" : "=r"(result64) : "r"(ehlo), 
> "m"(mask));
> +assert(result64 == 133);

The test is written for x86_64 not i386.  How are we preventing the test case
from being run on 32-bit in the makefile?

> +/* 32 bits */
> +asm volatile ("pextl   %2, %k1, %k0" : "=r"(result32) : "r"(ehlo), 
> "m"(mask));
> +assert(result32 == 5);

Surely we should test the full 64-bit register result, and not truncate to
uint32_t in the output variable?


r~

Re: [RFC v5 12/12] accel: centralize initialization of CpusAccelOps

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 05:22:10PM +0100, Claudio Fontana wrote:
> Signed-off-by: Claudio Fontana 
> ---
>  accel/kvm/kvm-all.c  |  9 ---
>  accel/kvm/kvm-cpus.c | 26 +-
>  accel/kvm/kvm-cpus.h |  2 --
>  accel/qtest/qtest.c  | 31 --
>  accel/tcg/tcg-cpus-icount.c  | 11 +---
>  accel/tcg/tcg-cpus-icount.h  |  2 ++
>  accel/tcg/tcg-cpus-mttcg.c   | 12 +++--
>  accel/tcg/tcg-cpus-mttcg.h   | 19 ++
>  accel/tcg/tcg-cpus-rr.c  |  7 -
>  accel/tcg/tcg-cpus.c | 48 ++---
>  accel/tcg/tcg-cpus.h |  4 ---
>  accel/xen/xen-all.c  | 29 ++--
>  include/sysemu/cpus.h| 39 ---
>  softmmu/cpus.c   | 51 +---
>  target/i386/hax/hax-all.c|  9 ---
>  target/i386/hax/hax-cpus.c   | 29 +++-
>  target/i386/hax/hax-cpus.h   |  2 --
>  target/i386/hvf/hvf-cpus.c   | 27 ++-
>  target/i386/hvf/hvf-cpus.h   |  2 --
>  target/i386/hvf/hvf.c|  9 ---
>  target/i386/whpx/whpx-all.c  |  9 ---
>  target/i386/whpx/whpx-cpus.c | 29 +++-
>  target/i386/whpx/whpx-cpus.h |  2 --
>  23 files changed, 251 insertions(+), 157 deletions(-)
>  create mode 100644 accel/tcg/tcg-cpus-mttcg.h
> 
> diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
> index 509b249f52..33156cc4c7 100644
> --- a/accel/kvm/kvm-all.c
> +++ b/accel/kvm/kvm-all.c
> @@ -3234,12 +3234,3 @@ static void kvm_type_init(void)
>  }
>  
>  type_init(kvm_type_init);
> -
> -static void kvm_accel_cpu_init(void)
> -{
> -if (kvm_enabled()) {
> -cpus_register_accel(&kvm_cpus);
> -}
> -}
> -
> -accel_cpu_init(kvm_accel_cpu_init);
> diff --git a/accel/kvm/kvm-cpus.c b/accel/kvm/kvm-cpus.c
> index d809b1e74c..33dc8e737a 100644
> --- a/accel/kvm/kvm-cpus.c
> +++ b/accel/kvm/kvm-cpus.c
> @@ -74,11 +74,25 @@ static void kvm_start_vcpu_thread(CPUState *cpu)
> cpu, QEMU_THREAD_JOINABLE);
>  }
>  
> -const CpusAccel kvm_cpus = {
> -.create_vcpu_thread = kvm_start_vcpu_thread,
> +static void kvm_cpus_class_init(ObjectClass *oc, void *data)
> +{
> +CpusAccelOps *ops = CPUS_ACCEL_OPS_CLASS(oc);

Why do you need a separate QOM type hierarchy instead of just
doing this inside AccelClass methods and/or existing accel
class_init functions?

>  
> -.synchronize_post_reset = kvm_cpu_synchronize_post_reset,
> -.synchronize_post_init = kvm_cpu_synchronize_post_init,
> -.synchronize_state = kvm_cpu_synchronize_state,
> -.synchronize_pre_loadvm = kvm_cpu_synchronize_pre_loadvm,
> +ops->create_vcpu_thread = kvm_start_vcpu_thread;
> +ops->synchronize_post_reset = kvm_cpu_synchronize_post_reset;
> +ops->synchronize_post_init = kvm_cpu_synchronize_post_init;
> +ops->synchronize_state = kvm_cpu_synchronize_state;
> +ops->synchronize_pre_loadvm = kvm_cpu_synchronize_pre_loadvm;

All of these could be AccelClass fields.

TCG makes it a bit more complicated because there's a different
set of methods chosen for TYPE_TCG_ACCEL depending on the
configuration.  This could be solved by patching AccelClass at
init time, or by moving the method pointers to AccelState.

Alternatively, if you still want to keep the
CpusAccel/CpusAccelOps struct, that's OK.  You can just add a
`CpusAccel *cpu_accel_ops` field to AccelClass or AccelState.  No
need for a separate QOM hierarchy, either.

If you _really_ want a separate TYPE_CPU_ACCEL_OPS QOM type, you
can still have it.  But it can be just an interface implemented
by each accel subclass, instead of requiring a separate
CPUS_ACCEL_TYPE_NAME(...) type to be registered for each
accelerator.  (I don't see why you would want it, though.)


>  };
> +static const TypeInfo kvm_cpus_type_info = {
> +.name = CPUS_ACCEL_TYPE_NAME("kvm"),
> +
> +.parent = TYPE_CPUS_ACCEL_OPS,
> +.class_init = kvm_cpus_class_init,
> +.abstract = true,
> +};
> +static void kvm_cpus_register_types(void)
> +{
> +type_register_static(&kvm_cpus_type_info);
> +}
> +type_init(kvm_cpus_register_types);
[...]
> -typedef struct CpusAccel {
> -void (*create_vcpu_thread)(CPUState *cpu); /* MANDATORY */
> +typedef struct CpusAccelOps CpusAccelOps;
> +DECLARE_CLASS_CHECKERS(CpusAccelOps, CPUS_ACCEL_OPS, TYPE_CPUS_ACCEL_OPS)
> +
> +struct CpusAccelOps {
> +ObjectClass parent_class;
> +
> +/* initialization function called when accel is chosen */
> +void (*accel_chosen_init)(CpusAccelOps *ops);

This can be an AccelClass method too.  What about just naming it
AccelClass.init?

> +
> +void (*create_vcpu_thread)(CPUState *cpu); /* MANDATORY NON-NULL */
>  void (*kick_vcpu_thread)(CPUState *cpu);
>  
>  void (*synchronize_post_reset)(CPUState *cpu);
> @@ -20,13 +45,7 @@ typedef struct CpusAccel {
>  
>  int64_t (*get_virtual_clock)(void);
>  int64_t (*get_elapsed_ticks)(void);
> -}

Re: [PATCH] target/mips/translate: Simplify PCPYH using deposit/extract

2020-11-24 Thread Richard Henderson 
On 11/24/20 9:28 AM, Richard Henderson wrote:
>> +tcg_gen_extract_i64(t0, cpu_gpr[a->rt], 0, 16);
>> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 0, 16);
>> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 16, 16);
>> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 32, 16);
>> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 48, 16);
> 
> Actually, this would be better as
> 
>tcg_gen_ext16u_i64(t0, cpu_gpr[rt]);
>tcg_gen_muli_i64(cpu_gpr[a->rd], t0, dup_const(1, MO_16));

Hmm, while that's fine for 64-bit hosts (and ideal for x86_64), it's not ideal
for the 32-bit hosts we have left.

This can also be done with

  // replicate lower 16 bits, garbage in upper 32.
  tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rt],
  cpu_gpr[a->rt], 16, 48);
  // replicate lower 32 bits
  tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd],
  cpu_gpr[a->rd], 32, 32);


r~

Re: [PATCH v3 3/7] support UFFD write fault processing in ram_save_iterate()

2020-11-24 Thread Andrey Gruzdev 

On 24.11.2020 18:17, Peter Xu wrote:

On Tue, Nov 24, 2020 at 11:02:09AM +0300, Andrey Gruzdev wrote:

On 24.11.2020 00:34, Peter Xu wrote:

On Fri, Nov 20, 2020 at 07:53:34PM +0300, Andrey Gruzdev wrote:

On 20.11.2020 19:43, Peter Xu wrote:

On Fri, Nov 20, 2020 at 07:15:07PM +0300, Andrey Gruzdev wrote:

Yeah, I think we can re-use the postcopy queue code for faulting pages. I'm
worring a little about some additional overhead dealing with urgent request
semaphore. Also, the code won't change a lot, something like:

[...]
   /* In case of 'write-tracking' migration we first try
* to poll UFFD and sse if we have write page fault event */
   poll_fault_page(rs);

   again = true;
   found = get_queued_page(rs, &pss);

   if (!found) {
   /* priority queue empty, so just search for something dirty */
   found = find_dirty_block(rs, &pss, &again);
   }
[...]


Could I ask what's the "urgent request semaphore"?  Thanks,



These function use it (the correct name is 'rate_limit_sem'):

void migration_make_urgent_request(void)
{
  qemu_sem_post(&migrate_get_current()->rate_limit_sem);
}

void migration_consume_urgent_request(void)
{
  qemu_sem_wait(&migrate_get_current()->rate_limit_sem);
}

They are called from ram_save_queue_pages and unqueue_page, accordingly, to
control migration rate limiter.

bool migration_rate_limit(void)
{
[...]
  /*
   * Wait for a delay to do rate limiting OR
   * something urgent to post the semaphore.
   */
  int ms = s->iteration_start_time + BUFFER_DELAY - now;
  trace_migration_rate_limit_pre(ms);
  if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) {
  /*
   * We were woken by one or more urgent things but
   * the timedwait will have consumed one of them.
   * The service routine for the urgent wake will dec
   * the semaphore itself for each item it consumes,
   * so add this one we just eat back.
   */
  qemu_sem_post(&s->rate_limit_sem);
  urgent = true;
  }
[...]
}



Hmm... Why its overhead could be a problem?  If it's an overhead that can be
avoided, then postcopy might want that too.

The thing is I really feel like the snapshot logic can leverage the whole idea
of existing postcopy (like get_queued_page/unqueue_page; it's probably due to
the fact that both of them want to "migrate some more urgent pages than the
background migration, due to either missing/wrprotected pages"), but I might
have something missing.

Thanks,



I don't think this overhead itself is a problem since its negligible
compared to other stuff.. You're undoubtly correct about using postcopy idea
in case when wr-fault pages arrive from the separate thread or external
source. Then we really need to decouple that separate thread or external
requestor from the migration thread.

In this patch series wr-faults arrive in the same migration loop with normal
scan, so I don't see direct reason to pass it through the queue, but I might
have missed something from your proposal.


I see your point.  For me whether using a thread is not extremely important -
actually we can have a standalone thread to handle the vcpu faults too just
like postcopy; it's just run on the src host.  My major point is that we should
avoid introducing the extra pss logic because fundamentally it's doing the same
thing as get_queued_page() right now, unless I'm wrong...

So I think your previous poll_fault_page() call is okay; assuming the same poll
model as you used, I mean something like this:

--8<---
diff --git a/migration/ram.c b/migration/ram.c
index 7811cde643..718dd276c7 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1473,6 +1473,14 @@ static bool get_queued_page(RAMState *rs, 
PageSearchStatus *pss)
  
  } while (block && !dirty);
  
+if (!block) {

+/*
+ * Set the block too if live snapshot is enabled; that's when we have
+ * vcpus got blocked by the wr-protected pages.
+ */
+block = poll_fault_page(rs, &offset);
+}
+
  if (block) {
  /*
   * As soon as we start servicing pages out of order, then we have
--8<---

So as long as we set the block and offset, pss will be updated just like
postcopy.  That's exactly what we want, am I right?



Also think the best place to put polling call here, not to touch pss yet 
again.




Do you mean that if we use postcopy logic, we'll allocate memory and make
copies of faulting pages and then immediately un-protect them?
Or we just put faulting page address to the queued item and release
protection after page content has been saved.


I think current approach would be fine, so we don't copy page and unprotect at
a single place after the page is dumped to the precopy stream.  If you could
measure the latencies then it'll be even bette

Re: [PULL 0/1] 9p fixes for 5.2 2020-11-24

2020-11-24 Thread Peter Maydell 
On Tue, 24 Nov 2020 at 12:08, Greg Kurz  wrote:
>
> The following changes since commit 683685e72dccaf8cb9fe8ffa20f5c5aacea72118:
>
>   Merge remote-tracking branch 
> 'remotes/stefanha-gitlab/tags/block-pull-request' into staging (2020-11-23 
> 13:03:13 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/gkurz/qemu.git tags/9p-fix-2020-11-24
>
> for you to fetch changes up to 558f5c42efded3e0d0b20a90bce2a9a14580d824:
>
>   tests/9pfs: Mark "local" tests as "slow" (2020-11-24 12:44:25 +0100)
>
> 
> Mark "local" qtests as slow to avoid unwanted breakage of "make check"
> with some configurations (eg. Fedora's Copr automatic build system).
>
> 
> Greg Kurz (1):
>   tests/9pfs: Mark "local" tests as "slow"
>
>  tests/qtest/virtio-9p-test.c | 9 +
>  1 file changed, 9 insertions(+)
> --

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.2
for any user-visible changes.

-- PMM

Re: [PATCH] linux-user/elfload: Fix handling of pure BSS segments

2020-11-24 Thread Peter Maydell 
On Wed, 18 Nov 2020 at 16:55, Stephen Long  wrote:
>
> qemu-user fails to load ELFs with only BSS and no data section
>
> Signed-off-by: Ben Hutchings 
> Signed-off-by: Stephen Long 
> ---
>
> Submitting this on behalf of Ben Hutchings. Feel free to edit the commit
> msg.
>
>  linux-user/elfload.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/linux-user/elfload.c b/linux-user/elfload.c
> index 0b02a92602..af16d94c61 100644
> --- a/linux-user/elfload.c
> +++ b/linux-user/elfload.c
> @@ -2783,7 +2783,7 @@ static void load_elf_image(const char *image_name, int 
> image_fd,
>   * segment, in that case just let zero_bss allocate an empty 
> buffer
>   * for it.
>   */
> -if (eppnt->p_filesz != 0) {
> +if (vaddr_len != 0) {
>  error = target_mmap(vaddr_ps, vaddr_len, elf_prot,
>  MAP_PRIVATE | MAP_FIXED,
>  image_fd, eppnt->p_offset - vaddr_po);

So (having run into a different instance of this elsewhere), a
couple of questions:

(a) what does "fails to load" mean here? In the sample binary
I had, we got a SIGSEGV in zero_bss() when it tried to memset()
memory that hadn't been mmap()ed. Is that the only failure mode,
or can this manifest in other ways too?

(b) The comment immediately before this change says:
 * Some segments may be completely empty without any backing file
 * segment, in that case just let zero_bss allocate an empty buffer
 * for it.
which is justifying why it was looking at p_filesz and not vaddr_len.
With this change to the code, the comment becomes stale and needs
updating.

(c) After this change, are there still cases where zero_bss()
needs to do its mmap()/page_set_flags(), or does that become
unnecessary ?

thanks
-- PMM

Re: [PATCH] linux-user/elfload: Fix handling of pure BSS segments

2020-11-24 Thread Richard Henderson 
On 11/18/20 8:52 AM, Stephen Long wrote:
> qemu-user fails to load ELFs with only BSS and no data section
> 
> Signed-off-by: Ben Hutchings 
> Signed-off-by: Stephen Long 
> ---

Reviewed-by: Richard Henderson 


r~

Re: simple aarch64 binary can cause linux-user QEMU to segv in zero_bss()

2020-11-24 Thread Peter Maydell 
On Tue, 24 Nov 2020 at 17:18, Richard Henderson
 wrote:
>
> On 11/23/20 11:52 AM, Peter Maydell wrote:
> > Somebody reported this on stackoverflow. Before I spend too
> > much time thinking about how this ought to work, does anybody
> > have the elfload.c intended operation in their head still?

> > Should we try to get the SEGV handler working earlier in initialization
> > (it's pretty hairy machinery so that could be tricky) or should
> > elfload.c be mprotect()ing things appropriately itself?
>
> elfload should be handling this.
>
> I believe this should be fixed by
>
> https://patchew.org/QEMU/20201118165206.2826-1-stepl...@quicinc.com/

That does indeed seem to fix things. I have a couple of questions
about the patch that I'll make in that thread...

-- PMM

[Bug 1905444] [NEW] [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-generic-fuzz-xhci: Stack-overflow in address_space_stl_internal

2020-11-24 Thread Alexander Bulekov 
Public bug reported:

 affects qemu

OSS-Fuzz Report: https://bugs.chromium.org/p/oss-
fuzz/issues/detail?id=27796

=== Reproducer (build with --enable-sanitizers) ===
cat << EOF | ./qemu-system-i386 -display none  -machine accel=qtest, \
-m 512M -machine q35 -nodefaults \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
-qtest-log none -qtest stdio
outl 0xcf8 0x8803
outw 0xcfc 0x5e46
outl 0xcf8 0x8810
outl 0xcfc 0xff5a5e46
write 0xff5a5020 0x6 0x0b70
outl 0xcf8 0x8893
outb 0xcfc 0x93
writel 0xff5a7000 0xff5a5020
write 0xff5a700c 0x4 0x0c0c2e58
write 0xff5a4040 0x4 0x00d26001
write 0xff5a4044 0x4 0x030
EOF

=== Stack Trace ===
==50473==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe3ec97e28 (pc 
0x55e292eac159 bp 0x7ffe3ec98670 sp 0x7ffe3ec97e30 T0)
#0 0x55e292eac159 in __asan_memcpy (u-system-i386+0x2a0e159)
#1 0x55e2944bc04e in flatview_do_translate softmmu/physmem.c:513:12
#2 0x55e2944dbe90 in flatview_translate softmmu/physmem.c:563:15
#3 0x55e2944dbe90 in address_space_translate include/exec/memory.h:2362:12
#4 0x55e2944dbe90 in address_space_stl_internal memory_ldst.c.inc:316:10
#5 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#6 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
#7 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
#8 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
#9 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
#10 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
#11 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#12 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
#13 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
#14 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
#15 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
#16 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
#17 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
#18 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905444

Title:
  [OSS-Fuzz] Issue 27796 in oss-fuzz: qemu:qemu-fuzz-i386-target-
  generic-fuzz-xhci: Stack-overflow in address_space_stl_internal

Status in QEMU:
  New

Bug description:
   affects qemu

  OSS-Fuzz Report: https://bugs.chromium.org/p/oss-
  fuzz/issues/detail?id=27796

  === Reproducer (build with --enable-sanitizers) ===
  cat << EOF | ./qemu-system-i386 -display none  -machine accel=qtest, \
  -m 512M -machine q35 -nodefaults \
  -drive file=null-co://,if=none,format=raw,id=disk0 \
  -device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 \
  -qtest-log none -qtest stdio
  outl 0xcf8 0x8803
  outw 0xcfc 0x5e46
  outl 0xcf8 0x8810
  outl 0xcfc 0xff5a5e46
  write 0xff5a5020 0x6 0x0b70
  outl 0xcf8 0x8893
  outb 0xcfc 0x93
  writel 0xff5a7000 0xff5a5020
  write 0xff5a700c 0x4 0x0c0c2e58
  write 0xff5a4040 0x4 0x00d26001
  write 0xff5a4044 0x4 0x030
  EOF

  === Stack Trace ===
  ==50473==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe3ec97e28 
(pc 0x55e292eac159 bp 0x7ffe3ec98670 sp 0x7ffe3ec97e30 T0)
  #0 0x55e292eac159 in __asan_memcpy (u-system-i386+0x2a0e159)
  #1 0x55e2944bc04e in flatview_do_translate softmmu/physmem.c:513:12
  #2 0x55e2944dbe90 in flatview_translate softmmu/physmem.c:563:15
  #3 0x55e2944dbe90 in address_space_translate include/exec/memory.h:2362:12
  #4 0x55e2944dbe90 in address_space_stl_internal memory_ldst.c.inc:316:10
  #5 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #6 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
  #7 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
  #8 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
  #9 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
  #10 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
  #11 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #12 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9
  #13 0x55e294230428 in memory_region_write_accessor softmmu/memory.c:484:5
  #14 0x55e29422fe63 in access_with_adjusted_size softmmu/memory.c:545:18
  #15 0x55e29422f6fc in memory_region_dispatch_write softmmu/memory.c
  #16 0x55e2944dc03c in address_space_stl_internal memory_ldst.c.inc:319:13
  #17 0x55e29393d2a0 in xhci_intr_update hw/usb/hcd-xhci.c:554:13
  #18 0x55e29393efb9 in xhci_runtime_write hw/usb/hcd-xhci.c:3032:9

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905444/+subscriptions

Re: [RFC v3] VFIO Migration

2020-11-24 Thread Dr. David Alan Gilbert 
* Stefan Hajnoczi (stefa...@redhat.com) wrote:
> On Wed, Nov 11, 2020 at 04:18:34PM +, Thanos Makatos wrote:
> > 
> > > VFIO Migration
> > > ==
> > > This document describes how to ensure migration compatibility for VFIO
> > > devices,
> > > including mdev and vfio-user devices.
> > 
> > Is this something all VFIO/user devices will have to support? If it's not
> > mandatory, how can a device advertise support?
> 
> The --print-migration-info-json command-line option described below must
> be implemented by the vfio-user device emulation program. Similarly,
> VFIO/mdev devices must provide the migration/ sysfs group.
> 
> If the device implementation does not expose these standard interfaces
> then management tools can still attempt to migrate them, but there is no
> migration compatibility check or algorithm for setting up the
> destination device. In other words, it will only succeed with some luck
> or by hardcoding knowledge of the specific device implementation into
> the management tool.
> 
> > 
> > > Multiple device implementations can support the same device model. Doing
> > > so
> > > means that the device implementations can offer migration compatiblity
> > > because
> > > they support the same hardware interface, device state representation, and
> > > migration parameters.
> > 
> > Does the above mean that a passthrough function can be migrated to a 
> > vfio-user
> > program and vice versa? If so, then it's worth mentioning.
> 
> Yes, if they are migration compatible (they support the same device
> model and migration parameters) then migration is possible. I'll make
> this clear in the next revision.
> 
> Note VFIO migration is currently only working for mdev devices. Alex
> Williamson mentioned that it could be extended to core VFIO PCI devices
> (without mdev) in the future.
> 
> > > More complex device emulation programs may host multiple devices. The
> > > interface
> > > for configuring these device emulation programs is not standardized.
> > > Therefore,
> > > migrating these devices is beyond the scope of this document.
> > 
> > Most likely a device emulation program hosting multile devices would allow
> > some form of communication for control purposes (e.g. SPDK implements a 
> > JSON-RPC
> > server). So maybe it's possible to define interacting with such programs in
> > this document?
> 
> Yes, it's definitely possible. There needs to be agreement on the RPC
> mechanism. QEMU implements QMP, SPDK has something similar but
> different, gRPC/Protobuf is popular, and D-Bus is another alternative. I
> asked about RPC mechanisms on the muser Slack instance to see if there
> was consensus but it seems to be a bit early for that.
> 
> Perhaps the most realistic option will be to define bindings to several
> RPC mechanisms. That way everyone can use their preferred RPC mechanism,
> at the cost of requiring management tools to support more than one
> (which some already do, e.g. libvirt uses XDR itself but also implements
> QEMU's QMP).
> 
> > > 
> > > The migration information JSON is printed to standard output by a 
> > > vfio-user
> > > device emulation program as follows:
> > > 
> > > .. code:: bash
> > > 
> > >   $ my-device --print-migration-info-json
> > > 
> > > The device is instantiated by launching the destination process with the
> > > migration parameter list from the source:
> > 
> > Must 'my-device --print-migration-info-json' always generate the same 
> > migration
> > information JSON? If so, then what if the output generated by
> > 'my-device --print-migration-info-json' depends on additional arguments 
> > passed
> > to 'my-device' when it was originally started?
> 
> Yes, it needs to be stable in the sense that you can invoke the program
> with --print-migration-info-json and then expect launching the program
> to succeed with migration parameters that are valid according to the
> JSON.
> 
> Running the same device emulation binary on different hosts can produce
> different JSON. This is because the binary may rely on host hardware
> resources or features (e.g. does this host have GPUs available?).
> 
> It gets trickier when considering host reboots. I think the JSON can
> change between reboots. However, the management tools may cache the JSON
> so there needs to be a rule about when to refresh it.

libvirt does something similar for QEMU's current capabilities; it
normally works fine; very occasionally you have to flush the cache
though if you do something surprising which causes it to change
capabilities.

Dave

> Regarding additional command-line arguments, they can affect the JSON
> output. For example, they could include the connection details to an
> iSCSI LUN and affect the block size migration parameter. This leads to
> the same issue - can they be cached by the management tool? The answer
> is the same - stability is needed in the short-term to avoid unexpected
> failures when launching the program, but over the longer term we should
> allow JSON c

Re: [PATCH] target/mips/translate: Simplify PCPYH using deposit/extract

2020-11-24 Thread Richard Henderson 
On 11/24/20 2:38 AM, Philippe Mathieu-Daudé wrote:
> Simplify (and optimize) the Parallel Copy Halfword
> instruction using deposit() / extract() helpers.
> 
> Ref: C790-Specific Instruction Set, Appendix B-63.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  target/mips/translate.c | 35 ++-
>  1 file changed, 10 insertions(+), 25 deletions(-)
> 
> diff --git a/target/mips/translate.c b/target/mips/translate.c
> index c64a1bc42e1..17a28557c2c 100644
> --- a/target/mips/translate.c
> +++ b/target/mips/translate.c
> @@ -25220,34 +25220,19 @@ static void gen_mmi_pcpyh(DisasContext *ctx)
>  tcg_gen_movi_i64(cpu_mmr[rd], 0);
>  } else {
>  TCGv_i64 t0 = tcg_temp_new();
> -TCGv_i64 t1 = tcg_temp_new();
> -uint64_t mask = (1ULL << 16) - 1;
>  
> -tcg_gen_andi_i64(t0, cpu_gpr[rt], mask);
> -tcg_gen_movi_i64(t1, 0);
> -tcg_gen_or_i64(t1, t0, t1);
> -tcg_gen_shli_i64(t0, t0, 16);
> -tcg_gen_or_i64(t1, t0, t1);
> -tcg_gen_shli_i64(t0, t0, 16);
> -tcg_gen_or_i64(t1, t0, t1);
> -tcg_gen_shli_i64(t0, t0, 16);
> -tcg_gen_or_i64(t1, t0, t1);
> +tcg_gen_extract_i64(t0, cpu_gpr[a->rt], 0, 16);
> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 0, 16);
> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 16, 16);
> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 32, 16);
> +tcg_gen_deposit_i64(cpu_gpr[a->rd], cpu_gpr[a->rd], t0, 48, 16);

Actually, this would be better as

   tcg_gen_ext16u_i64(t0, cpu_gpr[rt]);
   tcg_gen_muli_i64(cpu_gpr[a->rd], t0, dup_const(1, MO_16));


r~

Re: [RFC v3] VFIO Migration

2020-11-24 Thread Dr. David Alan Gilbert 
* Alex Williamson (alex.william...@redhat.com) wrote:
> On Mon, 16 Nov 2020 14:52:26 +0100
> Cornelia Huck  wrote:
> 
> > On Mon, 16 Nov 2020 11:02:51 +
> > Stefan Hajnoczi  wrote:
> > 
> > > On Wed, Nov 11, 2020 at 04:35:43PM +0100, Cornelia Huck wrote:  
> > > > On Wed, 11 Nov 2020 15:14:49 +
> > > > Stefan Hajnoczi  wrote:
> > > > 
> > > > > On Wed, Nov 11, 2020 at 12:48:53PM +0100, Cornelia Huck wrote:
> > > > > > On Tue, 10 Nov 2020 13:14:04 -0700
> > > > > > Alex Williamson  wrote:  
> > > > > > > On Tue, 10 Nov 2020 09:53:49 +
> > > > > > > Stefan Hajnoczi  wrote:  
> > > > > >   
> > > > > > > > Device models supported by an mdev driver and their details can 
> > > > > > > > be read from
> > > > > > > > the migration_info.json attr. Each mdev type supports one 
> > > > > > > > device model. If a
> > > > > > > > parent device supports multiple device models then each device 
> > > > > > > > model has an
> > > > > > > > mdev type. There may be multiple mdev types for a single device 
> > > > > > > > model when they
> > > > > > > > offer different migration parameters such as resource capacity 
> > > > > > > > or feature
> > > > > > > > availability.
> > > > > > > > 
> > > > > > > > For example, a graphics card that supports 4 GB and 8 GB device 
> > > > > > > > instances would
> > > > > > > > provide gfx-4GB and gfx-8GB mdev types with memory=4096 and 
> > > > > > > > memory=8192
> > > > > > > > migration parameters, respectively.
> > > > > > > 
> > > > > > > 
> > > > > > > I think this example could be expanded for clarity.  I think this 
> > > > > > > is
> > > > > > > suggesting we have mdev_types of gfx-4GB and gfx-8GB, which each
> > > > > > > implement some common device model, ie. com.gfx/GPU, where the
> > > > > > > migration parameter 'memory' for each defaults to a value 
> > > > > > > matching the
> > > > > > > type name.  But it seems like this can also lead to some 
> > > > > > > combinatorial
> > > > > > > challenges for management tools if these parameters are writable. 
> > > > > > >  For
> > > > > > > example, should a management tool create a gfx-4GB device and 
> > > > > > > change to
> > > > > > > memory parameter to 8192 or a gfx-8GB device with the default 
> > > > > > > parameter?  
> > > > > > 
> > > > > > I would expect that the mdev types need to match in the first place.
> > > > > > What role would the memory= parameter play, then? Allowing gfx-4GB 
> > > > > > to
> > > > > > have memory=8192 feels wrong to me.  
> > > > > 
> > > > > Yes, I expected these mdev types to only accept a fixed "memory" 
> > > > > value,
> > > > > but there's nothing stopping a driver author from making "memory" 
> > > > > accept
> > > > > any value.
> > > > 
> > > > I'm wondering how useful the memory parameter is, then. The layer
> > > > checking for compatibility can filter out inconsistent settings, but
> > > > why would we need to express something that is already implied in the
> > > > mdev type separately?
> > > 
> > > To avoid tying device instances to specific mdev types. An mdev type is
> > > a device implementation, but the goal is to enable migration between
> > > device implementations (new/old or completely different
> > > implementations).
> > > 
> > > Imagine a new physical device that now offers variable memory because
> > > users found the static mdev types too constraining.  How do you migrate
> > > back and forth between new and old physical devices if the migration
> > > parameters don't describe the memory size? Migration parameters make it
> > > possible. Without them the management tool needs to hard-code knowledge
> > > of specific mdev types that support migration.  
> > 
> > But doesn't the management tool *still* need to keep hardcoded
> > information about what the value of that memory parameter was for an
> > existing mdev type? If we have gfx-variable with a memory parameter,
> > fine; but if the target is supposed to accept a gfx-4GB device, it
> > should simply instantiate a gfx-4GB device.
> > 
> > I'm getting a bit worried about the complexity of the checking that
> > management software is supposed to perform. Is it really that bad to
> > restrict the models to a few, well-defined ones? Especially in the mdev
> > case, where we have control about what is getting instantiated?
> 
> This is exactly what I was noting with the combinatorial challenges of
> the management tool.  If a vendor chooses to use a generic base device
> model which they modify with parameters to match an assortment of mdev
> types, then management tools will need to match every mdev type
> implementing that device model to determine if compatible parameters
> exist.  OTOH, the vendor could choose to create a device model that
> specifically describes a single configuration of known parameters.
> 
> For example, mdev type gfx-4GB might be a device model com.gfx/GPU with
> a fixed memory parameter of 4GB or it could be a device model
> co

Re: [PATCH v3 1/7] introduce 'track-writes-ram' migration capability

2020-11-24 Thread Andrey Gruzdev 

On 24.11.2020 19:55, Dr. David Alan Gilbert wrote:

* Peter Xu (pet...@redhat.com) wrote:

On Thu, Nov 19, 2020 at 01:51:50PM -0500, Peter Xu wrote:

On Thu, Nov 19, 2020 at 03:59:34PM +0300, Andrey Gruzdev via wrote:

Signed-off-by: Andrey Gruzdev 
---
  migration/migration.c | 96 +++
  migration/migration.h |  1 +
  qapi/migration.json   |  7 +++-
  3 files changed, 103 insertions(+), 1 deletion(-)

diff --git a/migration/migration.c b/migration/migration.c
index 87a9b59f83..ff0364dde0 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -56,6 +56,7 @@
  #include "net/announce.h"
  #include "qemu/queue.h"
  #include "multifd.h"
+#include "sysemu/cpus.h"
  
  #ifdef CONFIG_VFIO

  #include "hw/vfio/vfio-common.h"
@@ -1165,6 +1166,91 @@ static bool migrate_caps_check(bool *cap_list,
  }
  }
  
+if (cap_list[MIGRATION_CAPABILITY_TRACK_WRITES_RAM]) {

+if (cap_list[MIGRATION_CAPABILITY_POSTCOPY_RAM]) {
+error_setg(errp,
+"Track-writes is not compatible with postcopy-ram");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_DIRTY_BITMAPS]) {
+error_setg(errp,
+"Track-writes is not compatible with dirty-bitmaps");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_POSTCOPY_BLOCKTIME]) {
+error_setg(errp,
+"Track-writes is not compatible with postcopy-blocktime");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_LATE_BLOCK_ACTIVATE]) {
+error_setg(errp,
+"Track-writes is not compatible with late-block-activate");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_RETURN_PATH]) {
+error_setg(errp,
+"Track-writes is not compatible with return-path");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_MULTIFD]) {
+error_setg(errp, "Track-writes is not compatible with multifd");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_PAUSE_BEFORE_SWITCHOVER]) {
+error_setg(errp,
+"Track-writes is not compatible with 
pause-before-switchover");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_AUTO_CONVERGE]) {
+error_setg(errp,
+"Track-writes is not compatible with auto-converge");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_RELEASE_RAM]) {
+error_setg(errp,
+"Track-writes is not compatible with release-ram");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_RDMA_PIN_ALL]) {
+error_setg(errp,
+"Track-writes is not compatible with rdma-pin-all");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_COMPRESS]) {
+error_setg(errp,
+"Track-writes is not compatible with compression");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_XBZRLE]) {
+error_setg(errp,
+"Track-writes is not compatible with XBZLRE");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_X_COLO]) {
+error_setg(errp,
+"Track-writes is not compatible with x-colo");
+return false;
+}
+
+if (cap_list[MIGRATION_CAPABILITY_VALIDATE_UUID]) {
+error_setg(errp,
+"Track-writes is not compatible with validate-uuid");
+return false;
+}


Another thing forgot to mention - we can at least define an array for live
snapshot now so we just loop over that one instead of copy-paste these lines...


Yes, I think we've already got a name lookup
(MigrationCapability_lookup - that's generated during build), so if you
just have an array of MigrationCapability's you should be able to loop
over them.

Dave



Yes, totally agree, already changed to loop-through incompatible caps 
array. Names are easy to lookup, found it.


Andrey


+}
+
  return true;
  }
  
@@ -2490,6 +2576,15 @@ bool migrate_use_block_incremental(void)

  return s->parameters.block_incremental;
  }
  
+bool migrate_track_writes_ram(void)

+{
+MigrationState *s;
+
+s = migrate_get_current();
+
+return s->enabled_capabilities[MIGRATION_CAPABILITY_TRACK_WRITES_RAM];
+}
+
  /* migration thread support */
  /*
   * Something bad happened to the RP stream, mark an error
@@ -3783,6 +3878,7 @@ static Property migration_properties[] = {
  DEFINE_PROP_MIG_CAP("x-block", MIGRATION_CAPABILITY_BLOCK),
  DEFINE_PROP_MIG_CAP("x-return-path", MIGRATION_CAPABILITY_RETURN_PATH),
  DEFINE_PROP_MIG_CAP("x-multifd", MIGRATION_CAPABILITY_MULTIFD),
+DEFINE_PROP_M

[Bug 1605123] Re: PEXT returns wrong values, seemingly switches arguments

2020-11-24 Thread Thomas Huth 
Paolo sent a patch here:
https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg05700.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1605123

Title:
  PEXT returns wrong values, seemingly switches arguments

Status in QEMU:
  New

Bug description:
  Hi,

  I fiddled with BMI2 instructions and discovered that pext instructions
  emulated with "qemu-x86_64 -cpu Haswell" return the wrong value. It
  seemingly switches up its arguments. I suspect that the error is around the
  gen_helper_pext(...) call in target-i386/translate.c. I checked helper_pext
  in target-i386/int_helper.c and it works fine.

  I ran my program on a CPU with BMI2 instruction set too, and it indeed
  returns different values.

  I didn't check pdep, it could have the same problem.

  $ qemu-x86_64 --version
  qemu-x86_64 version 2.6.50 (v2.6.0-2095-ge66b05e-dirty), Copyright (c) 
2003-2008 Fabrice Bellard

  $ uname -a
  Linux lenard-hp 4.3.0-1-amd64 #1 SMP Debian 4.3.5-1 (2016-02-06) x86_64 
GNU/Linux

  I compiled the attached file with the command line "gcc -o main -g
  -mbmi2 main.c".

  $ gcc --version
  gcc (Debian 5.4.0-6) 5.4.0 20160609

  Best regards,
  Lénárd Szolnoki

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1605123/+subscriptions

Re: simple aarch64 binary can cause linux-user QEMU to segv in zero_bss()

2020-11-24 Thread Richard Henderson 
On 11/23/20 11:52 AM, Peter Maydell wrote:
> Somebody reported this on stackoverflow. Before I spend too
> much time thinking about how this ought to work, does anybody
> have the elfload.c intended operation in their head still?
> Bug description and analysis of what goes wrong below:
> 
> https://stackoverflow.com/questions/64956322/alignment-requirements-for-arm64-elf-executables-run-in-qemu-assembled-by-gas
> 
> Given this trivial asm:
> 
> ===begin program.s===
> // GNU Assembler, ARM64 Linux
> 
> .bss
> 
> .lcomm ARRAY, 16
> 
> .text
> 
> .global _start
> 
> _start:
> mov x8, 93 // exit sys num
> mov x0, 0 // success
> svc 0
> ===endit===

...

> Should we try to get the SEGV handler working earlier in initialization
> (it's pretty hairy machinery so that could be tricky) or should
> elfload.c be mprotect()ing things appropriately itself?

elfload should be handling this.

I believe this should be fixed by

https://patchew.org/QEMU/20201118165206.2826-1-stepl...@quicinc.com/


r~

Re: [PATCH for-6.0 4/8] spapr/xive: Add "nr-ipis" property

2020-11-24 Thread Greg Kurz 
On Mon, 23 Nov 2020 11:13:21 +0100
Cédric Le Goater  wrote:

> On 11/20/20 6:46 PM, Greg Kurz wrote:
> > The sPAPR XIVE device exposes a range of LISNs that the guest uses
> > for IPIs. This range is currently sized according to the highest
> > vCPU id, ie. spapr_max_server_number(), as obtained from the machine
> > through the "nr_servers" argument of the generic spapr_irq_dt() call.
> > 
> > This makes sense for the "ibm,interrupt-server-ranges" property of
> > sPAPR XICS, but certainly not for "ibm,xive-lisn-ranges". The range
> > should be sized to the maximum number of possible vCPUs. It happens
> > that spapr_max_server_number() == smp.max_cpus in practice with the
> > machine default settings. This might not be the case though when
> > VSMT is in use : we can end up with a much larger range (up to 8
> > times bigger) than needed and waste LISNs. 
> 
> will it exceed 4K ? if not, we are fine.
> 
> The fact that it is so complex to get the number of vCPUs is a 
> problem by it self to me. Can we simplify that ? or introduce a 
> spapr_max_server_number_id() ? 
> 

"server number" is the XICS wording for vCPU id. The name of the
existing spapr_max_server_number() is perfectly fine from this
perspective: this sizes "ibm,interrupt-server-ranges".

> > But most importantly, this
> > lures people into thinking that IPI numbers are always equal to
> > vCPU ids, which is wrong and bit us recently:
> 
> do we have a converting routing vcpu_id_to_ipi ? I think we have
> that in KVM.
> 
> > https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg01476.html
> > 
> > Introduce an "nr-ipis" property that the machine sets to smp.max_cpus
> > before realizing the deice. Use that instead of "nr_servers" in
> > spapr_xive_dt(). Have the machine to claim the same number of IPIs
> > in spapr_irq_init().
> > 
> > This doesn't cause any guest visible change when using the machine
> > default settings (ie. VSMT == smp.threads).>
> > Signed-off-by: Greg Kurz 
> > ---
> >  include/hw/ppc/spapr_xive.h | 8 
> >  hw/intc/spapr_xive.c| 4 +++-
> >  hw/ppc/spapr_irq.c  | 4 +++-
> >  3 files changed, 14 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/hw/ppc/spapr_xive.h b/include/hw/ppc/spapr_xive.h
> > index 7123ea07ed78..69b9fbc1b9a5 100644
> > --- a/include/hw/ppc/spapr_xive.h
> > +++ b/include/hw/ppc/spapr_xive.h
> > @@ -43,6 +43,14 @@ typedef struct SpaprXive {
> >  
> >  /* DT */
> >  gchar *nodename;
> > +/*
> > + * The sPAPR XIVE device needs to know how many vCPUs it
> > + * might be exposed to in order to size the IPI range in
> > + * "ibm,interrupt-server-ranges". It is the purpose of the
> 
> There is no "ibm,interrupt-server-ranges"  property in XIVE
> 

Yeah copy/paste error. Read "ibm,xive-lisn-ranges" of course :)

> > + * "nr-ipis" property which *must* be set to a non-null
> > + * value before realizing the sPAPR XIVE device.
> > + */
> > +uint32_t nr_ipis;
> >  
> >  /* Routing table */
> >  XiveEAS   *eat;
> > diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c
> > index e4dbf9c2c409..d13a2955ce9b 100644
> > --- a/hw/intc/spapr_xive.c
> > +++ b/hw/intc/spapr_xive.c
> > @@ -311,6 +311,7 @@ static void spapr_xive_realize(DeviceState *dev, Error 
> > **errp)
> >  /* Set by spapr_irq_init() */
> >  g_assert(xive->nr_irqs);
> >  g_assert(xive->nr_servers);
> > +g_assert(xive->nr_ipis);
> >  
> >  sxc->parent_realize(dev, &local_err);
> >  if (local_err) {
> > @@ -608,6 +609,7 @@ static Property spapr_xive_properties[] = {
> >   */
> >  DEFINE_PROP_UINT32("nr-ends", SpaprXive, nr_ends_vmstate, 0),
> >  DEFINE_PROP_UINT32("nr-servers", SpaprXive, nr_servers, 0),
> > +DEFINE_PROP_UINT32("nr-ipis", SpaprXive, nr_ipis, 0),
> >  DEFINE_PROP_UINT64("vc-base", SpaprXive, vc_base, SPAPR_XIVE_VC_BASE),
> >  DEFINE_PROP_UINT64("tm-base", SpaprXive, tm_base, SPAPR_XIVE_TM_BASE),
> >  DEFINE_PROP_UINT8("hv-prio", SpaprXive, hv_prio, 7),
> > @@ -698,7 +700,7 @@ static void spapr_xive_dt(SpaprInterruptController 
> > *intc, uint32_t nr_servers,
> >  /* Interrupt number ranges for the IPIs */
> >  uint32_t lisn_ranges[] = {
> >  cpu_to_be32(SPAPR_IRQ_IPI),
> > -cpu_to_be32(SPAPR_IRQ_IPI + nr_servers),
> > +cpu_to_be32(SPAPR_IRQ_IPI + xive->nr_ipis),
> 
> I don't understand why we need nr_ipis. Can't we pass the same value in 
> nr_servers from the machine ?
> 

This is the point of this patch. nr_servers is vCPU id and shouldn't be
used to size the LISN range.

> ( Conceptually, the first 4K are all IPIs. The first range is for 
>   HW threads ) 
> 
> 
> >  };
> >  /*
> >   * EQ size - the sizes of pages supported by the system 4K, 64K,
> > diff --git a/hw/ppc/spapr_irq.c b/hw/ppc/spapr_irq.c
> > index 8c5627225636..a0fc474ecb06 100644
> > --- a/hw/ppc/spapr_irq.c
> > +++ b/hw/ppc/spapr_irq.c
> > @@ -325,12 +325,14 @@ void spapr_irq_init(SpaprMac

[Bug 645662] Re: QEMU x87 emulation of trig and other complex ops is only at 64-bit precision, not 80-bit

2020-11-24 Thread Richard Henderson 
In the meantime, target/m68k has implemented these trig
functions for its (only slightly different) 96-bit
extended-float format.

With a minor amount of work this code could be shared.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/645662

Title:
  QEMU x87 emulation of trig and other complex ops is only at 64-bit
  precision, not 80-bit

Status in QEMU:
  Confirmed

Bug description:
  When doing the regression tests for Python 3.1.2 with Qemu 0.12.5, (Linux 
version 2.6.26-2-686 (Debian 2.6.26-25lenny1)),
  gcc (Debian 4.3.2-1.1) 4.3.2, Python compiled from sources within qemu,
  3 math tests fail, apparently because the floating point unit is buggy. Qmeu 
was compiled from original sources
  on Debian Lenny with kernel  2.6.34.6 from kernel.org, gcc  (Debian 
4.3.2-1.1) 4.3. 

  Regression testing errors:

  test_cmath
  test test_cmath failed -- Traceback (most recent call last):
File "/root/tools/python3/Python-3.1.2/Lib/test/test_cmath.py", line 364, in
  self.fail(error_message)
  AssertionError: acos0034: acos(complex(-1.0002, 0.0))
  Expected: complex(3.141592653589793, -2.1073424255447014e-08)
  Received: complex(3.141592653589793, -2.1073424338879928e-08)
  Received value insufficiently close to expected value.

  
  test_float
  test test_float failed -- Traceback (most recent call last):
File "/root/tools/python3/Python-3.1.2/Lib/test/test_float.py", line 479, in
  self.assertEqual(s, repr(float(s)))
  AssertionError: '8.72293771110361e+25' != '8.722937711103609e+25'

  
  test_math
  test test_math failed -- multiple errors occurred; run in verbose mode for 
deta

  =>

  runtests.sh -v test_math

  le01:~/tools/python3/Python-3.1.2# ./runtests.sh -v test_math
  test_math BAD
   1 BAD
   0 GOOD
   0 SKIPPED
   1 total
  le01:~/tools/python3/Python-3.1.2#

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/645662/+subscriptions

[Bug 1905297] Re: Zynq7000 UART clock reset initialization

2020-11-24 Thread Michael Peter 
Hi Phil,

thanks for your advise and patience.

I created a new patch (this time with a sign-off) and sent it to qemu-
de...@nongnu.org.

Since I have to use a corporate email system, I hope that the formatting
is not gone.

Best regards,

Michael

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1905297

Title:
  Zynq7000 UART clock reset initialization

Status in QEMU:
  New

Bug description:
  Hello,

  we have come across a strange behavior in the Zynq7000 model of Qemu
  that seems to have been  introduced between 5.0.0 and 5.1.0.

  
  The reset values of the SLCR register, in particular those for UART_CLK_CTRL, 
are such that
  the UARTs should find functional clocks. Up to 5.0.0 this was also the 
behavior that was
  implemented in QEMU.

  Starting in 5.1.0, we found that - despite correct reset values [1] - the 
UARTs are non-functional
  upon reset. Some investigation revealed that the cause for that is that the 
corresponding
  clocks are not properly initialized.

  Between 5.0.0 and 5.1.0, there are three commits  that touch the Zynq
  UART clocks [2]. The last of them [3] triggers the faulty behavior.

  Attached is a patch that applies 5.2.0-rc2 and yields a functional UART. We 
surmise that the
  underlying device release issue runs much deeper, so it is only meant to 
identify the issue.


  [1] hw/misc/zynq_slcr.c
static void zynq_slcr_reset_init(Object *obj, ResetType type)
 s->regs[R_UART_CLK_CTRL]  = 0x3F03;
  [2] 38867cb7ec90..5b49a34c6800
  [3] commit 5b49a34c6800d0cb917f959d8e75e5775f0fac3f (refs/bisect/bad)
Author: Damien Hedde 
Date:   Mon Apr 6 15:52:50 2020 +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1905297/+subscriptions

Re: [RFC v5 09/12] module: introduce MODULE_INIT_ACCEL_CPU

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 05:22:07PM +0100, Claudio Fontana wrote:
> apply this to the registration of the cpus accel interfaces,
> 
> but this will be also in preparation for later use of this
> new module init step to also register per-accel x86 cpu type
> interfaces.
> 
> Signed-off-by: Claudio Fontana 
> ---
[...]
> diff --git a/accel/qtest/qtest.c b/accel/qtest/qtest.c
> index b4e731cb2b..482f89729f 100644
> --- a/accel/qtest/qtest.c
> +++ b/accel/qtest/qtest.c
> @@ -32,7 +32,6 @@ const CpusAccel qtest_cpus = {
>  
>  static int qtest_init_accel(MachineState *ms)
>  {
> -cpus_register_accel(&qtest_cpus);
>  return 0;
>  }
>  
> @@ -58,3 +57,12 @@ static void qtest_type_init(void)
>  }
>  
>  type_init(qtest_type_init);
> +
> +static void qtest_accel_cpu_init(void)
> +{
> +if (qtest_enabled()) {
> +cpus_register_accel(&qtest_cpus);
> +}
> +}
> +
> +accel_cpu_init(qtest_accel_cpu_init);

I don't understand why this (and the similar changes on other
accelerators) is an improvement.

You are replacing a trivial AccelClass-specific init method with
a module_init() function that has a hidden dependency on runtime
state.

-- 
Eduardo

Re: [PATCH v3 1/7] introduce 'track-writes-ram' migration capability

2020-11-24 Thread Dr. David Alan Gilbert 
* Peter Xu (pet...@redhat.com) wrote:
> On Thu, Nov 19, 2020 at 01:51:50PM -0500, Peter Xu wrote:
> > On Thu, Nov 19, 2020 at 03:59:34PM +0300, Andrey Gruzdev via wrote:
> > > Signed-off-by: Andrey Gruzdev 
> > > ---
> > >  migration/migration.c | 96 +++
> > >  migration/migration.h |  1 +
> > >  qapi/migration.json   |  7 +++-
> > >  3 files changed, 103 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/migration/migration.c b/migration/migration.c
> > > index 87a9b59f83..ff0364dde0 100644
> > > --- a/migration/migration.c
> > > +++ b/migration/migration.c
> > > @@ -56,6 +56,7 @@
> > >  #include "net/announce.h"
> > >  #include "qemu/queue.h"
> > >  #include "multifd.h"
> > > +#include "sysemu/cpus.h"
> > >  
> > >  #ifdef CONFIG_VFIO
> > >  #include "hw/vfio/vfio-common.h"
> > > @@ -1165,6 +1166,91 @@ static bool migrate_caps_check(bool *cap_list,
> > >  }
> > >  }
> > >  
> > > +if (cap_list[MIGRATION_CAPABILITY_TRACK_WRITES_RAM]) {
> > > +if (cap_list[MIGRATION_CAPABILITY_POSTCOPY_RAM]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with postcopy-ram");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_DIRTY_BITMAPS]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with dirty-bitmaps");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_POSTCOPY_BLOCKTIME]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with 
> > > postcopy-blocktime");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_LATE_BLOCK_ACTIVATE]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with 
> > > late-block-activate");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_RETURN_PATH]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with return-path");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_MULTIFD]) {
> > > +error_setg(errp, "Track-writes is not compatible with 
> > > multifd");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_PAUSE_BEFORE_SWITCHOVER]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with 
> > > pause-before-switchover");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_AUTO_CONVERGE]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with auto-converge");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_RELEASE_RAM]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with release-ram");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_RDMA_PIN_ALL]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with rdma-pin-all");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_COMPRESS]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with compression");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_XBZRLE]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with XBZLRE");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_X_COLO]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with x-colo");
> > > +return false;
> > > +}
> > > +
> > > +if (cap_list[MIGRATION_CAPABILITY_VALIDATE_UUID]) {
> > > +error_setg(errp,
> > > +"Track-writes is not compatible with validate-uuid");
> > > +return false;
> > > +}
> 
> Another thing forgot to mention - we can at least define an array for live
> snapshot now so we just loop over that one instead of copy-paste these 
> lines...

Yes, I think we've already got a name lookup
(MigrationCapability_lookup - that's generated during build), so if you
just have an array of MigrationCapability's you should be able to loop
over them.

Dave

> > > +}
> > > +
> > >  return true;
> > >  }
> > >  
> > > @@ -2490,6 +2576,15 @@ bool migrate_use_block_incremental(void)
> > >  return s->parameters.block_incremental;
> > >  }
> > >  
> > > +bool migrate_track_writes_ram(void)
> > > +{

Re: [PATCH for-6.0 2/8] spapr/xive: Introduce spapr_xive_nr_ends()

2020-11-24 Thread Greg Kurz 
On Tue, 24 Nov 2020 14:54:38 +0100
Cédric Le Goater  wrote:

> On 11/23/20 12:16 PM, Greg Kurz wrote:
> > On Mon, 23 Nov 2020 10:46:38 +0100
> > Cédric Le Goater  wrote:
> > 
> >> On 11/20/20 6:46 PM, Greg Kurz wrote:
> >>> We're going to kill the "nr_ends" field in a subsequent patch.
> >>
> >> why ? it is one of the tables of the controller and its part of 
> >> the main XIVE concepts. Conceptually, we could let the machine 
> >> dimension it with an arbitrary value as OPAL does. The controller
> >> would fail when the table is fully used. 
> >>
> > 
> > The idea is that the sPAPR machine only true need is to create a
> > controller that can accommodate up to a certain number of vCPU ids.
> > It doesn't really to know about the END itself IMHO.> 
> > This being said, if we decide to pass both spapr_max_server_number()
> > and smp.max_cpus down to the backends as function arguments, we won't
> > have to change "nr_ends" at all.
> 
> I would prefer that but I am still not sure what they represent. 
> 
> Looking at the sPAPR XIVE code, we deal with numbers/ranges in the 
> following places today.
> 
>  * spapr_xive_dt() 
> 
>It defines a range of interrupt numbers to be used by the guest 
>for the threads/vCPUs IPIs. It's a subset of interrupt numbers 
>in :
> 
>   [ SPAPR_IRQ_IPI - SPAPR_IRQ_EPOW [
> 
>These are not vCPU ids.
> 
>Since these interrupt numbers will be considered as free to use
>by the OS, it makes sense to pre-claim them. But claiming an 
>interrupt number in the guest can potentially set up, through 
>the KVM device, a mapping on the host and in HW. See below why
>this can be a problem.
> 
>  * kvmppc_xive_cpu_connect()   
> 
>This sizes the NVT tables in OPAL for the guest. This is the  
>max number of vCPUs of the guest (not vCPU ids)
> 

I guess you're talking about KVM_DEV_XIVE_NR_SERVERS in
kvmppc_xive_connect() actually. We're currently passing
spapr_max_server_number() (vCPU id) but you might be
right.

I need to re-read the story around VSMT and XIVE.

commit 1e175d2e07c71d9574f5b1c74523abca54e2654f
Author: Sam Bobroff 
Date:   Wed Jul 25 16:12:02 2018 +1000

KVM: PPC: Book3S HV: Pack VCORE IDs to access full VCPU ID space

>  * spapr_irq_init()
> 
>This is where the IPI interrupt numbers are claimed today. 
>Directly in QEMU and KVM, if the machine is running XIVE only, 
>indirectly if it's dual, first in QEMU and then in KVM when 
>the machine switches of interrupt mode in CAS. 
> 
>The problem is that the underlying XIVE resources in HW are 
>allocated where the QEMU process is running. Which is not the
>best option when the vCPUs are pinned on different chips.
> 
>My patchset was trying to improve that by claiming the IPI on 
>demand when the vCPU is connected to the KVM device. But it 
>was using the vCPU id as the IPI interrupt number which is 
>utterly wrong, the guest OS could use any number in the range 
>exposed in the DT.
>
>The last patch you sent was going in the right direction I think.
>That is to claim the IPI when the guest OS is requesting for it. 
> 
>
> http://patchwork.ozlabs.org/project/qemu-devel/patch/160528045027.804522.6161091782230763832.st...@bahia.lan/
>
>But I don't understand why it was so complex. It should be like
>the MSIs claimed by PCI devices.
> 

The difference here is that the guest doesn't claim IPIs. They are
supposedly pre-claimed in "ibm,xive-lisn-ranges". And this is actually
the case in QEMU.

The IPI setup sequence in the guest is basically:
1) grab a free irq from the bitmap, ie. "ibm,xive-lisn-ranges"
2) calls H_INT_GET_SOURCE_INFO, ie. populate_irq_data()
3) calls H_INT_SET_SOURCE_CONFIG, ie, configure_irq())

If we want an IPI to be claimed by the appropriate vCPU, we
can only do this from under H_INT_SET_SOURCE_CONFIG. And
until the guest eventually configures the IPI, KVM and QEMU
are out of sync.

This complexifies migration because we have to guess at
post load if we should claim the IPI in KVM or not. The
simple presence of the vCPU isn't enough : we need to
guess if the guest actually configured the IPI or not.

> 
> All this to say, that we need to size better the range in the 
> "ibm,xive-lisn-ranges" property if that's broken for vSMT. 
> 

Sizing the range to smp.max_cpus as proposed in this series
is fine, no matter what the VSMT is.

> Then, I think the IPIs can be treated just like the PCI MSIs
> but they need to be claimed first. That's the ugly part. 
> 

Yeah that's the big difference. For PCI MSIs, QEMU owns the
bitmap and the guest can claim (or release) a number of
MSIs the "ibm,change-msi" RTAS interface. There's no
such thing for IPIs : they are supposedly already claimed.

> Should we add a special check in h_int_set_source_config to
> deal with unclaimed IPIs that are being configured ?
> 

This is what my tentative fix does.

> 
> C.

[Bug 1774830] Re: qemu monitor disassembled memory dump produces incorrect output

2020-11-24 Thread Thomas Huth 
*** This bug is a duplicate of bug 1900779 ***
https://bugs.launchpad.net/bugs/1900779

Looking at your patch and the fix in commit 437588d81d99ac91cb1e, the
modifications are the same, so this issue should be fixed, indeed. Big
sorry that your bug report here fell through the cracks, but at least
it's fixed now. Closing this ticket as duplicate.

** This bug has been marked a duplicate of bug 1900779
   xp /16i on arm mixes DWords

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1774830

Title:
  qemu monitor disassembled memory dump produces incorrect output

Status in QEMU:
  New

Bug description:
  Greetings,

  I've been using qemu-system-aarch64 to do some low-level programming
  targeting the raspberry pi 3. While I was debugging a problem in my
  code I noticed a very confusing inconsistency that I think is very
  likely a bug somewhere in how qemu's monitor produces its disassembled
  output.

  Here's my version output (installed via homebrew on macOS 10.13.4)

  $ qemu-system-aarch64 --version
  QEMU emulator version 2.12.0
  Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

  Some system information (macOS 10.13.4):

  $ uname -a
  Darwin Lillith.local 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 
PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64 x86_64

  Here's an example of the problem I am seeing:

  qemu-system-aarch64 -S -M raspi3 -kernel kernel8.img -monitor stdio
  QEMU 2.12.0 monitor - type 'help' for more information
  (qemu) x /32x 0x8
  0008: 0xd53800a1 0x92400421 0xb461 0xd503205f
  00080010: 0x17ff 0x58000161 0x913f 0x58000161
  00080020: 0x18e2 0x3482 0xf800843f 0x51000442
  00080030: 0x35a2 0xd2806763 0x17ff 0x
  00080040: 0x0008 0x 0x00080050 0x
  00080050: 0x 0x 0x 0x
  00080060: 0x 0x 0x 0x
  00080070: 0x 0x 0x 0x
  (qemu) x /32i 0x8
  0x0008:  d53800a1  mrs  x1, mpidr_el1
  0x00080004:  92400421  and  x1, x1, #3
  0x00080008:  b461  cbz  x1, #0x80014
  0x0008000c:  d503205f  wfe
  0x00080010:  17ff  b#0x8000c
  0x00080014:  58000161  ldr  x1, #0x80040
  0x00080018:  913f  mov  sp, x1
  0x0008001c:  58000161  ldr  x1, #0x80048
  0x00080020:  92400421  and  x1, x1, #3
  0x00080024:  b461  cbz  x1, #0x80030
  0x00080028:  d503205f  wfe
  0x0008002c:  17ff  b#0x80028
  0x00080030:  58000161  ldr  x1, #0x8005c
  0x00080034:  913f  mov  sp, x1
  0x00080038:  58000161  ldr  x1, #0x80064
  0x0008003c:  18e2  ldr  w2, #0x80058
  0x00080040:  3482  cbz  w2, #0x80050
  0x00080044:  f800843f  str  xzr, [x1], #8
  0x00080048:  51000442  sub  w2, w2, #1
  0x0008004c:  35a2  cbnz w2, #0x80040
  0x00080050:  d2806763  movz x3, #0x33b
  0x00080054:  17ff  b#0x80050
  0x00080058:    .byte0x00, 0x00, 0x00, 0x00
  0x0008005c:  0008  .byte0x00, 0x00, 0x08, 0x00
  0x00080060:    .byte0x00, 0x00, 0x00, 0x00
  0x00080064:  00080050  .byte0x50, 0x00, 0x08, 0x00
  0x00080068:    .byte0x00, 0x00, 0x00, 0x00
  0x0008006c:    .byte0x00, 0x00, 0x00, 0x00
  0x00080070:    .byte0x00, 0x00, 0x00, 0x00
  0x00080074:    .byte0x00, 0x00, 0x00, 0x00
  0x00080078:    .byte0x00, 0x00, 0x00, 0x00
  0x0008007c:    .byte0x00, 0x00, 0x00, 0x00

  Please notice that between 0x80004 thru 0x8001c is repeated for some
  reason in the /32i formatted output which also causes the addresses
  for the following bytes to also be incorrect.

  Just in order to keep things as clear as possible, I'll also attach
  the binary shown above but disassembled by objdump instead of qemu.

  $ aarch64-elf-objdump -d kernel8.elf

  kernel8.elf: file format elf64-littleaarch64

  Disassembly of section .text:

  0008 <_start>:
     8: d53800a1mrs x1, mpidr_el1
     80004: 92400421and x1, x1, #0x3
     80008: b461cbz x1, 80014 <_start+0x14>
     8000c: d503205fwfe
     80010: 17ffb   8000c <_start+0xc>
     80014: 58000161ldr x1, 80040 <_start+0x40>
     80018: 913fmov sp, x1
     8001c: 58000161ldr x1, 80048 <_start+0x48>
     80020: 18e2ldr w2, 8003c <_start+0x3c>
     80024: 3482cbz w2, 80034 <_start+0x34>
     80028: f800843fstr xzr, [x1], #8
     8002c: 51000442sub w2, w2, #0x1
     80030: 35a2cbnzw2, 80024 <_start+0x24>
     80034: d2806763mov x3, #0x33b  // #827

Re: [RFC v5 11/12] i386: centralize initialization of cpu accel interfaces

2020-11-24 Thread Eduardo Habkost 
On Tue, Nov 24, 2020 at 05:22:09PM +0100, Claudio Fontana wrote:
> Signed-off-by: Claudio Fontana 

Probably this can be squashed into patch 10/12.

> ---
>  target/i386/cpu-qom.h |  2 --
>  target/i386/cpu.c | 27 ---
>  target/i386/hvf/cpu.c |  9 -
>  target/i386/kvm/cpu.c |  8 
>  target/i386/tcg/cpu.c |  9 -
>  5 files changed, 20 insertions(+), 35 deletions(-)
> 
> diff --git a/target/i386/cpu-qom.h b/target/i386/cpu-qom.h
> index 9316e78e71..2cea5394c6 100644
> --- a/target/i386/cpu-qom.h
> +++ b/target/i386/cpu-qom.h
> @@ -98,6 +98,4 @@ struct X86CPUAccelClass {
>  void (*cpu_realizefn)(X86CPU *cpu, Error **errp);
>  };
>  
> -void x86_cpu_accel_init(const char *accel_name);
> -
>  #endif
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index b799723e53..f6fd055046 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -7066,18 +7066,31 @@ type_init(x86_cpu_register_types)
>  static void x86_cpu_accel_init_aux(ObjectClass *klass, void *opaque)
>  {
>  X86CPUClass *xcc = X86_CPU_CLASS(klass);
> -const X86CPUAccelClass **accel = opaque;
> +X86CPUAccelClass *accel = opaque;
>  
> -xcc->accel = *accel;
> +xcc->accel = accel;
>  xcc->accel->cpu_common_class_init(xcc);
>  }
>  
> -void x86_cpu_accel_init(const char *accel_name)
> +static void x86_cpu_accel_init(void)
>  {
> -X86CPUAccelClass *acc;
> +const char *ac_name;
> +ObjectClass *ac;
> +char *xac_name;
> +ObjectClass *xac;
>  
> -acc = X86_CPU_ACCEL_CLASS(object_class_by_name(accel_name));
> -g_assert(acc != NULL);
> +ac = object_get_class(OBJECT(current_accel()));
> +g_assert(ac != NULL);
> +ac_name = object_class_get_name(ac);
> +g_assert(ac_name != NULL);
>  
> -object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, &acc);
> +xac_name = g_strdup_printf("%s-%s", ac_name, TYPE_X86_CPU);
> +xac = object_class_by_name(xac_name);
> +g_free(xac_name);
> +
> +if (xac) {
> +object_class_foreach(x86_cpu_accel_init_aux, TYPE_X86_CPU, false, 
> xac);
> +}
>  }
> +
> +accel_cpu_init(x86_cpu_accel_init);

This keeps the hidden initialization ordering dependency between
MODULE_INIT_ACCEL_CPU and current_accel().  I thought we were
going to get rid of module init functions that depend on runtime
state.

This is an improvement to the code in patch 10/12, though.  If
others believe it is an acceptable (temporary) solution, I won't
block it.

I would still prefer to have a
  void arch_accel_cpu_init(AccelState*)
function which would call a
  void x86_cpu_accel_init(AccelState*)
function.  That would make the dependency between
x86_cpu_accel_init() and accelerator creation explicit.


> diff --git a/target/i386/hvf/cpu.c b/target/i386/hvf/cpu.c
> index 7e7dc044d3..70b6dbfc10 100644
> --- a/target/i386/hvf/cpu.c
> +++ b/target/i386/hvf/cpu.c
> @@ -65,12 +65,3 @@ static void hvf_cpu_accel_register_types(void)
>  type_register_static(&hvf_cpu_accel_type_info);
>  }
>  type_init(hvf_cpu_accel_register_types);
> -
> -static void hvf_cpu_accel_init(void)
> -{
> -if (hvf_enabled()) {
> -x86_cpu_accel_init(X86_CPU_ACCEL_TYPE_NAME("hvf"));
> -}
> -}
> -
> -accel_cpu_init(hvf_cpu_accel_init);
> diff --git a/target/i386/kvm/cpu.c b/target/i386/kvm/cpu.c
> index bc5f519479..c17ed5a3f2 100644
> --- a/target/i386/kvm/cpu.c
> +++ b/target/i386/kvm/cpu.c
> @@ -147,11 +147,3 @@ static void kvm_cpu_accel_register_types(void)
>  type_register_static(&kvm_cpu_accel_type_info);
>  }
>  type_init(kvm_cpu_accel_register_types);
> -
> -static void kvm_cpu_accel_init(void)
> -{
> -if (kvm_enabled()) {
> -x86_cpu_accel_init(X86_CPU_ACCEL_TYPE_NAME("kvm"));
> -}
> -}
> -accel_cpu_init(kvm_cpu_accel_init);
> diff --git a/target/i386/tcg/cpu.c b/target/i386/tcg/cpu.c
> index e7d4effdd0..00166c36e9 100644
> --- a/target/i386/tcg/cpu.c
> +++ b/target/i386/tcg/cpu.c
> @@ -170,12 +170,3 @@ static void tcg_cpu_accel_register_types(void)
>  type_register_static(&tcg_cpu_accel_type_info);
>  }
>  type_init(tcg_cpu_accel_register_types);
> -
> -static void tcg_cpu_accel_init(void)
> -{
> -if (tcg_enabled()) {
> -x86_cpu_accel_init(X86_CPU_ACCEL_TYPE_NAME("tcg"));
> -}
> -}
> -
> -accel_cpu_init(tcg_cpu_accel_init);
> -- 
> 2.26.2
> 

-- 
Eduardo

[Bug 1774853] Re: claims temp file is used by another process

2020-11-24 Thread Thomas Huth 
Is this still reproducible with the latest version of QEMU, or could
this ticket be closed nowadays?

** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1774853

Title:
  claims temp file is used by another process

Status in QEMU:
  Incomplete

Bug description:
  QEMU emulator version 2.12.50 (v2.12.0-12378-g99a34dc4d2-dirty)

  "c:\Program Files\qemu\qemu-system-x86_64.exe" -net none -parallel none -bios 
OVMF.fd -L . -hda fat:rw:image
  vvfat image chs 1024,16,63
  c:\Program Files\qemu\qemu-system-x86_64.exe: -hda fat:rw:image: Could not 
open 'C:\Users\tsiros\AppData\Local\Temp\qem5B92.tmp': The process cannot 
access the file because it is being used by another process.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1774853/+subscriptions

[Bug 1745354] Re: CDOS ps/2 mouse problem

2020-11-24 Thread Thomas Huth 
The QEMU project is currently considering to move its bug tracking to another 
system. For this we need to know which bugs are still valid and which could be 
closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state 
back to "New" within the next 60 days, otherwise this report will be marked as 
"Expired". Or mark it as "Fix Released" if the problem has been solved with a 
newer version of QEMU already. Thank you and sorry for the inconvenience.

** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1745354

Title:
  CDOS ps/2 mouse problem

Status in QEMU:
  Incomplete

Bug description:
  Qemu v2.10.2 (also tested with 2.11.0)
  Host OS : CentOS 7 x86_64 (1708)
  Guest OS : Concurrent DOS 386 3.0 (with GEM)

  There is my launch command : 
  /usr/local/bin/qemu-system-i386 -m 4m -cpu 486 -hda /home/my_user/HDD.img 
-vga std

  When I'm launching the guest, it is not responding after focusing in
  the viewer. I think this is due to the ps/2 emulation because when I
  add "-usb -device usb-mouse" in my command I don't have this issue
  (but in this case, mouse is not supported by CDOS).

  I tested with an older version of Qemu (0.11) which uses the Bochs
  bios (instead of SeaBios in newer versions), and I don't have this
  issue either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1745354/+subscriptions

[Bug 1779447] Re: SLIRP SMB silently fails with MacOS smbd

2020-11-24 Thread Thomas Huth 
The QEMU project is currently considering to move its bug tracking to another 
system. For this we need to know which bugs are still valid and which could be 
closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state 
back to "New" within the next 60 days, otherwise this report will be marked as 
"Expired". Or mark it as "Fix Released" if the problem has been solved with a 
newer version of QEMU already. Thank you and sorry for the inconvenience.

** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1779447

Title:
  SLIRP SMB silently fails with MacOS smbd

Status in QEMU:
  Incomplete

Bug description:
  When using the -net 
user,id=net0,ipv6=off,smb=/path/to/share/option,hostfwd=tcp::19500-:22 I can 
successfully mount_smbfs the shared directory on the guest when QEMU is running 
on a Linux or FreeBSD host. However, on a MacOS host the mount_smbfs command 
just fails with
  `mount_smbfs: unable to open connection: syserr = Connection reset by peer`.
  After some debugging it turns out this is because the smbd shipped by macos 
is incompatible and doesn't use the same config file/command line arguments.

  I have since got it working by compiling the sources form samba.org
  and using the --smbd= configure option pointing to that binary.

  Would it be possible to print a warning message or even better abort
  the launch saying smbd is incompatible with QEMU if the -smb= flag is
  passed? It appears that smbd should die with an error code on invalid
  arguments so QEMU should be able to report that.

  
  This was happening with QEMU built from git sources at 
c1c2a435905ae76b159c573b0c0d6f095b45ebc6.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1779447/+subscriptions

[Bug 1777235] Re: NVME is missing support for Get Log Page command

2020-11-24 Thread Thomas Huth 
Has this ever been sent?

** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1777235

Title:
  NVME is missing support for Get Log Page command

Status in QEMU:
  Incomplete

Bug description:
  "Get Log Page" is a mandatory admin command by the specification (NVMe
  1.2, Section 5, Figure 40) currently not implemented by device.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1777235/+subscriptions

Re: [PATCH v3 0/7] UFFD write-tracking migration/snapshots

2020-11-24 Thread Dr. David Alan Gilbert 
* Andrey Gruzdev (andrey.gruz...@virtuozzo.com) wrote:
> Changes with v3:
> * coding style fixes to pass checkpatch test
> * qapi/migration.json: change 'track-writes-ram' capability
> *  supported version to 6.0
> * fixes to commit message format
> 

cc'ing in COLO people, since they could use this as well. 
> This patch series is a kind of 'rethinking' of Denis Plotnikov's ideas he's
> implemented in his series '[PATCH v0 0/4] migration: add background snapshot'.
> 
> Currently the only way to make (external) live VM snapshot is using existing
> dirty page logging migration mechanism. The main problem is that it tends to
> produce a lot of page duplicates while running VM goes on updating already
> saved pages. That leads to the fact that vmstate image size is commonly 
> several
> times bigger then non-zero part of virtual machine's RSS. Time required to
> converge RAM migration and the size of snapshot image severely depend on the
> guest memory write rate, sometimes resulting in unacceptably long snapshot
> creation time and huge image size.
> 
> This series propose a way to solve the aforementioned problems. This is done
> by using different RAM migration mechanism based on UFFD write protection
> management introduced in v5.7 kernel. The migration strategy is to 'freeze'
> guest RAM content using write-protection and iteratively release protection
> for memory ranges that have already been saved to the migration stream.
> At the same time we read in pending UFFD write fault events and save those
> pages out-of-order with higher priority.
> 
> How to use:
> 1. Enable write-tracking migration capability
>virsh qemu-monitor-command  --hmp migrate_set_capability.
> track-writes-ram on
> 
> 2. Start the external migration to a file
>virsh qemu-monitor-command  --hmp migrate exec:'cat > ./vm_state'
> 
> 3. Wait for the migration finish and check that the migration has completed.
> state.
> 
> Andrey Gruzdev (7):
>   introduce 'track-writes-ram' migration capability
>   introduce UFFD-WP low-level interface helpers
>   support UFFD write fault processing in ram_save_iterate()
>   implementation of write-tracking migration thread
>   implementation of vm_start() BH
>   the rest of write tracking migration code
>   introduce simple linear scan rate limiting mechanism
> 
>  include/exec/memory.h |   7 +
>  migration/migration.c | 338 +++-
>  migration/migration.h |   4 +
>  migration/ram.c   | 439 +-
>  migration/ram.h   |   4 +
>  migration/savevm.c|   1 -
>  migration/savevm.h|   2 +
>  qapi/migration.json   |   7 +-
>  8 files changed, 790 insertions(+), 12 deletions(-)
> 
> -- 
> 2.25.1
> 
-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK

[Bug 1774830] Re: qemu monitor disassembled memory dump produces incorrect output

2020-11-24 Thread Thomas Huth 
*** This bug is a duplicate of bug 1900779 ***
https://bugs.launchpad.net/bugs/1900779

I think this is likely a duplicate of bug
https://bugs.launchpad.net/qemu/+bug/1900779 which has recently been
fixed. Could you please check with the latest release candidate of QEMU
5.2 whether the issue is fixed for you? Thanks!

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1774830

Title:
  qemu monitor disassembled memory dump produces incorrect output

Status in QEMU:
  New

Bug description:
  Greetings,

  I've been using qemu-system-aarch64 to do some low-level programming
  targeting the raspberry pi 3. While I was debugging a problem in my
  code I noticed a very confusing inconsistency that I think is very
  likely a bug somewhere in how qemu's monitor produces its disassembled
  output.

  Here's my version output (installed via homebrew on macOS 10.13.4)

  $ qemu-system-aarch64 --version
  QEMU emulator version 2.12.0
  Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

  Some system information (macOS 10.13.4):

  $ uname -a
  Darwin Lillith.local 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 
PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64 x86_64

  Here's an example of the problem I am seeing:

  qemu-system-aarch64 -S -M raspi3 -kernel kernel8.img -monitor stdio
  QEMU 2.12.0 monitor - type 'help' for more information
  (qemu) x /32x 0x8
  0008: 0xd53800a1 0x92400421 0xb461 0xd503205f
  00080010: 0x17ff 0x58000161 0x913f 0x58000161
  00080020: 0x18e2 0x3482 0xf800843f 0x51000442
  00080030: 0x35a2 0xd2806763 0x17ff 0x
  00080040: 0x0008 0x 0x00080050 0x
  00080050: 0x 0x 0x 0x
  00080060: 0x 0x 0x 0x
  00080070: 0x 0x 0x 0x
  (qemu) x /32i 0x8
  0x0008:  d53800a1  mrs  x1, mpidr_el1
  0x00080004:  92400421  and  x1, x1, #3
  0x00080008:  b461  cbz  x1, #0x80014
  0x0008000c:  d503205f  wfe
  0x00080010:  17ff  b#0x8000c
  0x00080014:  58000161  ldr  x1, #0x80040
  0x00080018:  913f  mov  sp, x1
  0x0008001c:  58000161  ldr  x1, #0x80048
  0x00080020:  92400421  and  x1, x1, #3
  0x00080024:  b461  cbz  x1, #0x80030
  0x00080028:  d503205f  wfe
  0x0008002c:  17ff  b#0x80028
  0x00080030:  58000161  ldr  x1, #0x8005c
  0x00080034:  913f  mov  sp, x1
  0x00080038:  58000161  ldr  x1, #0x80064
  0x0008003c:  18e2  ldr  w2, #0x80058
  0x00080040:  3482  cbz  w2, #0x80050
  0x00080044:  f800843f  str  xzr, [x1], #8
  0x00080048:  51000442  sub  w2, w2, #1
  0x0008004c:  35a2  cbnz w2, #0x80040
  0x00080050:  d2806763  movz x3, #0x33b
  0x00080054:  17ff  b#0x80050
  0x00080058:    .byte0x00, 0x00, 0x00, 0x00
  0x0008005c:  0008  .byte0x00, 0x00, 0x08, 0x00
  0x00080060:    .byte0x00, 0x00, 0x00, 0x00
  0x00080064:  00080050  .byte0x50, 0x00, 0x08, 0x00
  0x00080068:    .byte0x00, 0x00, 0x00, 0x00
  0x0008006c:    .byte0x00, 0x00, 0x00, 0x00
  0x00080070:    .byte0x00, 0x00, 0x00, 0x00
  0x00080074:    .byte0x00, 0x00, 0x00, 0x00
  0x00080078:    .byte0x00, 0x00, 0x00, 0x00
  0x0008007c:    .byte0x00, 0x00, 0x00, 0x00

  Please notice that between 0x80004 thru 0x8001c is repeated for some
  reason in the /32i formatted output which also causes the addresses
  for the following bytes to also be incorrect.

  Just in order to keep things as clear as possible, I'll also attach
  the binary shown above but disassembled by objdump instead of qemu.

  $ aarch64-elf-objdump -d kernel8.elf

  kernel8.elf: file format elf64-littleaarch64

  Disassembly of section .text:

  0008 <_start>:
     8: d53800a1mrs x1, mpidr_el1
     80004: 92400421and x1, x1, #0x3
     80008: b461cbz x1, 80014 <_start+0x14>
     8000c: d503205fwfe
     80010: 17ffb   8000c <_start+0xc>
     80014: 58000161ldr x1, 80040 <_start+0x40>
     80018: 913fmov sp, x1
     8001c: 58000161ldr x1, 80048 <_start+0x48>
     80020: 18e2ldr w2, 8003c <_start+0x3c>
     80024: 3482cbz w2, 80034 <_start+0x34>
     80028: f800843fstr xzr, [x1], #8
     8002c: 51000442sub w2, w2, #0x1
     80030: 35a2cbnzw2, 80024 <_start+0x24>
     80034: d2806763mov x3, #0x33b  // #827
     80038: 17ffb   80034 <_start+0x34>
     8003c: .word   0x
     80

[Bug 1777786] Re: virtio-gpu-3d.c: change virtio_gpu_fence_poll timer scale

2020-11-24 Thread Thomas Huth 
Did you ever send your patch to the mailing list for discussion?

** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/186

Title:
  virtio-gpu-3d.c: change virtio_gpu_fence_poll timer scale

Status in QEMU:
  Incomplete

Bug description:
  We use virtio-gpu to accelerate Unigine Heaven Benchmark in VM. But we get 
only 5 FPS when we use AMD RX460 in our host.
  We found that guest os spent a lot of time in waiting for the return of 
glMapBufferRange/glUnmapBuffer commad. We suspected the host GPU was waiting 
for fence. So we finally change the timer of fence_poll. Afer change timer from
   ms to us, Benchmark result raise up to 22 FPS.

  From a4003af5c4fe92d55353f42767d0c45de95bb78f Mon Sep 17 00:00:00 2001
  From: chen wei 
  Date: Fri, 8 Jun 2018 17:34:45 +0800
  Subject: [PATCH] virtio-gpu:improve 3d performance greatly

opengl function need fence support.when CPU execute opengl function, it 
need wait fence for synchronize GPU.
  so qemu must deal with fence timely as possible. but now the expire time of 
the timer to deal with fence is 10 ms.
  I think it is too long for opengl. So i will change it to 20 ns.
Before change, when i play Unigine_Heaven 3d game with virglrenderer, the 
fps is 3.  atfer change the fps up to 23.

  Signed-off-by: chen wei   
  Signed-off-by: wang qiang 
  ---
   hw/display/virtio-gpu-3d.c | 4 ++--
   1 file changed, 2 insertions(+), 2 deletions(-)

  diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
  index 3558f38..c0a5d21 100644
  --- a/hw/display/virtio-gpu-3d.c
  +++ b/hw/display/virtio-gpu-3d.c
  @@ -582,7 +582,7 @@ static void virtio_gpu_fence_poll(void *opaque)
   virgl_renderer_poll();
   virtio_gpu_process_cmdq(g);
   if (!QTAILQ_EMPTY(&g->cmdq) || !QTAILQ_EMPTY(&g->fenceq)) {
  -timer_mod(g->fence_poll, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 10);
  +timer_mod(g->fence_poll, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 20);
   }
   }
   
  @@ -629,7 +629,7 @@ int virtio_gpu_virgl_init(VirtIOGPU *g)
   return ret;
   }
   
  -g->fence_poll = timer_new_ms(QEMU_CLOCK_VIRTUAL,
  +g->fence_poll = timer_new_us(QEMU_CLOCK_VIRTUAL,
virtio_gpu_fence_poll, g);
   
   if (virtio_gpu_stats_enabled(g->conf)) {
  -- 
  2.7.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/186/+subscriptions

[Bug 1758819] Re: HVF Illegal instruction: 4, High Sierra, v2.12-rc0

2020-11-24 Thread Thomas Huth 
Looking through old bug tickets ... Did you ever send your patch to the
qemu-devel mailing list? See
https://wiki.qemu.org/Contribute/SubmitAPatch for more information

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1758819

Title:
  HVF Illegal instruction: 4, High Sierra, v2.12-rc0

Status in QEMU:
  New

Bug description:
  I've built v2.12.0-rc0 on MacOS using homebrew. I'm running 10.13.3 on
  a 5,1 Mac Pro with a X5690 processor.

  When I run 'qemu-system-x86_64 -M accel=hvf', I get a crash "Illegal
  instruction: 4".

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1758819/+subscriptions

  1   2   3   >