date:20210309

Hi Philippe,

On Sat, Feb 20, 2021 at 4:58 PM Bin Meng  wrote:
>
> From: Bin Meng 
>
> At present the sd_erase() does not erase the requested range of card
> data to 0xFFs. Let's make the erase operation actually happen.
>
> Signed-off-by: Bin Meng 
>
> ---
>
> Changes in v3:
> - fix the skip erase logic for SDSC cards
>

Any comments for v3?

Regards,
Bin

[PATCH] tests: Move unit tests into a separate directory

The main tests directory still looks very crowded, and it's not
clear which files are part of a unit tests and which belong to
a different test subsystem. Let's clean up the mess and move the
unit tests to a separate directory.

Signed-off-by: Thomas Huth 
---
 MAINTAINERS   |  68 +++
 tests/meson.build | 182 +
 tests/{ => unit}/check-block-qdict.c  |   0
 tests/{ => unit}/check-qdict.c|   0
 tests/{ => unit}/check-qjson.c|   0
 tests/{ => unit}/check-qlist.c|   0
 tests/{ => unit}/check-qlit.c |   0
 tests/{ => unit}/check-qnull.c|   0
 tests/{ => unit}/check-qnum.c |   0
 tests/{ => unit}/check-qobject.c  |   0
 tests/{ => unit}/check-qom-interface.c|   0
 tests/{ => unit}/check-qom-proplist.c |   0
 tests/{ => unit}/check-qstring.c  |   0
 tests/{ => unit}/crypto-tls-psk-helpers.c |   0
 tests/{ => unit}/crypto-tls-psk-helpers.h |   0
 tests/{ => unit}/crypto-tls-x509-helpers.c|   0
 tests/{ => unit}/crypto-tls-x509-helpers.h|   0
 tests/{ => unit}/io-channel-helpers.c |   0
 tests/{ => unit}/io-channel-helpers.h |   0
 tests/{ => unit}/iothread.c   |   0
 tests/{ => unit}/iothread.h   |   0
 tests/unit/meson.build| 184 ++
 tests/{ => unit}/pkix_asn1_tab.c  |   2 +-
 tests/{ => unit}/ptimer-test-stubs.c  |   0
 tests/{ => unit}/ptimer-test.c|   0
 tests/{ => unit}/ptimer-test.h|   0
 tests/{ => unit}/rcutorture.c |   0
 tests/{ => unit}/socket-helpers.c |   0
 tests/{ => unit}/socket-helpers.h |   0
 tests/{ => unit}/test-aio-multithread.c   |   0
 tests/{ => unit}/test-aio.c   |   0
 tests/{ => unit}/test-authz-list.c|   0
 tests/{ => unit}/test-authz-listfile.c|   0
 tests/{ => unit}/test-authz-pam.c |   0
 tests/{ => unit}/test-authz-simple.c  |   0
 tests/{ => unit}/test-base64.c|   0
 tests/{ => unit}/test-bdrv-drain.c|   0
 tests/{ => unit}/test-bdrv-graph-mod.c|   0
 tests/{ => unit}/test-bitcnt.c|   0
 tests/{ => unit}/test-bitmap.c|   0
 tests/{ => unit}/test-bitops.c|   0
 tests/{ => unit}/test-block-backend.c |   0
 tests/{ => unit}/test-block-iothread.c|   0
 tests/{ => unit}/test-blockjob-txn.c  |   0
 tests/{ => unit}/test-blockjob.c  |   0
 tests/{ => unit}/test-bufferiszero.c  |   0
 tests/{ => unit}/test-char.c  |   0
 tests/{ => unit}/test-clone-visitor.c |   0
 tests/{ => unit}/test-coroutine.c |   0
 tests/{ => unit}/test-crypto-afsplit.c|   0
 tests/{ => unit}/test-crypto-block.c  |   0
 tests/{ => unit}/test-crypto-cipher.c |   0
 tests/{ => unit}/test-crypto-hash.c   |   0
 tests/{ => unit}/test-crypto-hmac.c   |   0
 tests/{ => unit}/test-crypto-ivgen.c  |   0
 tests/{ => unit}/test-crypto-pbkdf.c  |   0
 tests/{ => unit}/test-crypto-secret.c |   0
 tests/{ => unit}/test-crypto-tlscredsx509.c   |   0
 tests/{ => unit}/test-crypto-tlssession.c |   0
 tests/{ => unit}/test-crypto-xts.c|   0
 tests/{ => unit}/test-cutils.c|   0
 tests/{ => unit}/test-fdmon-epoll.c   |   0
 tests/{ => unit}/test-hbitmap.c   |   0
 tests/{ => unit}/test-image-locking.c |   0
 tests/{ => unit}/test-int128.c|   0
 tests/{ => unit}/test-io-channel-buffer.c |   0
 tests/{ => unit}/test-io-channel-command.c|   0
 tests/{ => unit}/test-io-channel-file.c   |   0
 tests/{ => unit}/test-io-channel-socket.c |   0
 tests/{ => unit}/test-io-channel-tls.c|   0
 tests/{ => unit}/test-io-task.c   |   0
 tests/{ => unit}/test-iov.c   |   0
 tests/{ => unit}/test-keyval.c|   0
 tests/{ => unit}/test-logging.c   |   0
 tests/{ => unit}/test-mul64.c |   0
 tests/{ => unit}/test-opts-visitor.c  |   0
 tests/{ => unit}/test-qapi-util.c |   0
 tests/{ => unit}/test-qdev-global-props.c |   0
 tests/{ => unit}/test-qdist.c |   0
 tests/{ => unit}/test-qemu-opts.c |   0
 tests/{ => unit}/test-qga.c   |   2 +-
 tests/{ => unit}/test-qgraph.c|   4 +-
 tests/{ => unit}/test-qht.c   |   0
 tests/{ => unit}/test-qmp-cmds.c  |   0
 tests/{ => unit}/test-qmp-event.c |   0
 tests/{ => unit}/test-qobject-input-visitor.c |   0
 .../{ => unit}/test-qobject-output-visitor.c  |   0
 tests/{ => unit}/test-rcu-list.c  |   0
 tests/{ => unit}/te

Re: [PATCH] fuzz: don't leave orphan llvm-symbolizers around


On 10/03/2021 07.12, Alexander Bulekov wrote:

I noticed that with a sufficiently small timeout, the fuzzer fork-server
sometimes locks up. On closer inspection, the issue appeared to be
caused by entering our SIGALRM handler, while libfuzzer is in it's crash
handlers. Because libfuzzer relies on pipe communication with an
external child process to print out stack-traces, we shouldn't exit
early, and leave an orphan child. Check for children in the SIGALRM
handler to avoid this issue.

Signed-off-by: Alexander Bulekov 
---
  tests/qtest/fuzz/generic_fuzz.c | 15 +++
  1 file changed, 15 insertions(+)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index ee8c17a04c..387ae2020a 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -583,6 +583,21 @@ static void handle_timeout(int sig)
  fprintf(stderr, "[Timeout]\n");
  fflush(stderr);
  }
+
+/*
+ * If there is a crash, libfuzzer/ASAN forks a child to run an
+ * "llvm-symbolizer" process for printing out a pretty stacktrace. It
+ * communicates with this child using a pipe.  If we timeout+Exit, while
+ * libfuzzer is still communicating with the llvm-symbolizer child, we will
+ * be left with an orphan llvm-symbolizer process. Sometimes, this appears
+ * to lead to a deadlock in the forkserver. Use waitpid to check if there
+ * are any waitable children. If so, exit out of the signal-handler, and
+ * let libfuzzer finish communicating with the child, and exit, on its own.
+ */
+if (waitpid(-1, NULL, WNOHANG) == 0) {
+return;
+}
+
  _Exit(0);
  }


Acked-by: Thomas Huth

[PATCH] fuzz: don't leave orphan llvm-symbolizers around

2021-03-09 Thread Alexander Bulekov

I noticed that with a sufficiently small timeout, the fuzzer fork-server
sometimes locks up. On closer inspection, the issue appeared to be
caused by entering our SIGALRM handler, while libfuzzer is in it's crash
handlers. Because libfuzzer relies on pipe communication with an
external child process to print out stack-traces, we shouldn't exit
early, and leave an orphan child. Check for children in the SIGALRM
handler to avoid this issue.

Signed-off-by: Alexander Bulekov 
---
 tests/qtest/fuzz/generic_fuzz.c | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index ee8c17a04c..387ae2020a 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -583,6 +583,21 @@ static void handle_timeout(int sig)
 fprintf(stderr, "[Timeout]\n");
 fflush(stderr);
 }
+
+/*
+ * If there is a crash, libfuzzer/ASAN forks a child to run an
+ * "llvm-symbolizer" process for printing out a pretty stacktrace. It
+ * communicates with this child using a pipe.  If we timeout+Exit, while
+ * libfuzzer is still communicating with the llvm-symbolizer child, we will
+ * be left with an orphan llvm-symbolizer process. Sometimes, this appears
+ * to lead to a deadlock in the forkserver. Use waitpid to check if there
+ * are any waitable children. If so, exit out of the signal-handler, and
+ * let libfuzzer finish communicating with the child, and exit, on its own.
+ */
+if (waitpid(-1, NULL, WNOHANG) == 0) {
+return;
+}
+
 _Exit(0);
 }
 
-- 
2.28.0

Re: [Bug 1918321] [NEW] [OSS-Fuzz] Issue 31875 megasas: Null-ptr dereference in megasas_finish_dcmd

2021-03-09 Thread Alexander Bulekov

I posted a reproducer for a different bug. Here are the correct
reproducer and stacktrace:

/*
 * Autogenerated Fuzzer Test Case
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

/*
 * cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
 * -m 512M -machine q35 -nodefaults -device megasas -device \
 * scsi-cd,drive=null0 -blockdev \
 * driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
 * outl 0xcf8 0x8801
 * outl 0xcfc 0x0500
 * outl 0xcf8 0x8816
 * outl 0xcfc 0x1900
 * write 0x1e1ed300 0x1 0x01
 * write 0x1e1ed307 0x1 0x01
 * write 0x1e1ed316 0x1 0x01
 * write 0x1e1ed328 0x1 0x01
 * write 0x1e1ed32f 0x1 0x01
 * outl 0x1940 0x1e1ed300
 * outl 0x1940 0x1e1ed300
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * clock_step
 * outb 0x1940 0x0
 * write 0x0 0x1 0x01
 * write 0x7 0x1 0x01
 * write 0x16 0x1 0x01
 * write 0x28 0x1 0x01
 * write 0x2f 0x1 0x01
 * outb 0x1940 0x0
 * write 0x0 0x1 0x05
 * write 0x7 0x1 0x01
 * write 0x19 0x1 0x02
 * write 0x1a 0x1 0x01
 * write 0x1b 0x1 0x08
 * write 0x2f 0x1 0x01
 * outb 0x1940 0x0
 * EOF
 */
static void
null_deref_megasas_finish_dcmd(void)
{
QTestState *s = qtest_init(
"-display none , -m 512M -machine q35 -nodefaults -device "
"megasas -device scsi-cd,drive=null0 -blockdev "
"driver=null-co,read-zeroes=on,node-name=null0 ");
qtest_outl(s, 0xcf8, 0x8801);
qtest_outl(s, 0xcfc, 0x0500);
qtest_outl(s, 0xcf8, 0x8816);
qtest_outl(s, 0xcfc, 0x1900);
qtest_bufwrite(s, 0x1e1ed300, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed307, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed316, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed328, "\x01", 0x1);
qtest_bufwrite(s, 0x1e1ed32f, "\x01", 0x1);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_outl(s, 0x1940, 0x1e1ed300);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_clock_step_next(s);
qtest_outb(s, 0x1940, 0x0);
qtest_bufwrite(s, 0x0, "\x01", 0x1);
qtest_bufwrite(s, 0x7, "\x01", 0x1);
qtest_bufwrite(s, 0x16, "\x01", 0x1);
qtest_bufwrite(s, 0x28, "\x01", 0x1);
qtest_bufwrite(s, 0x2f, "\x01",

Re: [PATCH 3/3] Andes AE350 RISC-V Machine

On Wed, Mar 10, 2021 at 11:36 AM Dylan Jhong  wrote:
>
> This provides a RISC-V Board based on Andes's AE350 specification.
> The following machine is implemented:
>
> - 'andes_ae350'; PLIC, PLICSW, PLMT, 16550a UART, VirtIO MMIO, device-tree

Is this a virtual target because virtio is added? Or does the hardware
provide the virtio programming interface?

>
> Signed-off-by: Dylan Jhong 
> Signed-off-by: Ruinland ChuanTzu Tsai 
> ---
>  default-configs/devices/riscv32-softmmu.mak |   1 +
>  default-configs/devices/riscv64-softmmu.mak |   1 +
>  hw/riscv/Kconfig|   7 +
>  hw/riscv/andes_ae350.c  | 501 
>  hw/riscv/meson.build|   1 +
>  include/hw/riscv/andes_ae350.h  |  93 
>  6 files changed, 604 insertions(+)
>  create mode 100644 hw/riscv/andes_ae350.c
>  create mode 100644 include/hw/riscv/andes_ae350.h
>
> diff --git a/default-configs/devices/riscv32-softmmu.mak 
> b/default-configs/devices/riscv32-softmmu.mak
> index d847bd5692..a268007e72 100644
> --- a/default-configs/devices/riscv32-softmmu.mak
> +++ b/default-configs/devices/riscv32-softmmu.mak
> @@ -8,6 +8,7 @@ CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
>
>  # Boards:
>  #
> +CONFIG_ANDES_AE350=y
>  CONFIG_SPIKE=y
>  CONFIG_SIFIVE_E=y
>  CONFIG_SIFIVE_U=y
> diff --git a/default-configs/devices/riscv64-softmmu.mak 
> b/default-configs/devices/riscv64-softmmu.mak
> index d5eec75f05..9a37dfd8c0 100644
> --- a/default-configs/devices/riscv64-softmmu.mak
> +++ b/default-configs/devices/riscv64-softmmu.mak
> @@ -8,6 +8,7 @@ CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
>
>  # Boards:
>  #
> +CONFIG_ANDES_AE350=y
>  CONFIG_SPIKE=y
>  CONFIG_SIFIVE_E=y
>  CONFIG_SIFIVE_U=y
> diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
> index d139074b02..04f6369ab7 100644
> --- a/hw/riscv/Kconfig
> +++ b/hw/riscv/Kconfig
> @@ -1,6 +1,13 @@
>  config IBEX
>  bool
>
> +config ANDES_AE350

This needs to be sorted in alphabetical order

> +bool
> +select SERIAL
> +select VIRTIO_MMIO
> +select ANDES_PLIC
> +select ANDES_PLMT
> +
>  config MICROCHIP_PFSOC
>  bool
>  select CADENCE_SDHCI
> diff --git a/hw/riscv/andes_ae350.c b/hw/riscv/andes_ae350.c
> new file mode 100644
> index 00..ed5f9701ad
> --- /dev/null
> +++ b/hw/riscv/andes_ae350.c
> @@ -0,0 +1,501 @@
> +/*
> + * Andes RISC-V AE350 Board
> + *
> + * Copyright (c) 2021 Andes Tech. Corp.
> + *
> + * Andes AE350 Board supports ns16550a UART and VirtIO MMIO.
> + * The interrupt controllers are andes PLIC and andes PLICSW.
> + * Timer is Andes PLMT.
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms and conditions of the GNU General Public License,
> + * version 2 or later, as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope it will be useful, but WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
> + * more details.
> + *
> + * You should have received a copy of the GNU General Public License along 
> with
> + * this program.  If not, see .
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qemu/units.h"
> +#include "qemu/log.h"
> +#include "qemu/error-report.h"
> +#include "qapi/error.h"
> +#include "hw/boards.h"
> +#include "hw/loader.h"
> +#include "hw/sysbus.h"
> +#include "hw/qdev-properties.h"
> +#include "hw/char/serial.h"
> +#include "target/riscv/cpu.h"
> +#include "hw/riscv/riscv_hart.h"
> +#include "hw/riscv/boot.h"
> +#include "hw/riscv/numa.h"
> +#include "chardev/char.h"
> +#include "sysemu/arch_init.h"
> +#include "sysemu/device_tree.h"
> +#include "sysemu/sysemu.h"
> +#include "hw/pci/pci.h"
> +#include "hw/pci-host/gpex.h"
> +
> +#include "hw/intc/andes_plic.h"
> +#include "hw/timer/andes_plmt.h"
> +#include "hw/riscv/andes_ae350.h"
> +
> +# define BIOS_FILENAME ""
> +
> +static const struct MemmapEntry {
> +hwaddr base;
> +hwaddr size;
> +} andes_ae350_memmap[] = {
> +[ANDES_AE350_DEBUG] = { 0x,  0x100 },
> +[ANDES_AE350_DRAM]  = { 0x, 0x8000 },
> +[ANDES_AE350_MROM]  = { 0xb000,   0x10 },
> +[ANDES_AE350_MAC]   = { 0xe010,   0x10 },
> +[ANDES_AE350_GEM]   = { 0xe020,   0x10 },
> +[ANDES_AE350_PLIC]  = { 0xe400,   0x40 },
> +[ANDES_AE350_PLMT]  = { 0xe600,   0x10 },
> +[ANDES_AE350_PLICSW]= { 0xe640,   0x40 },
> +[ANDES_AE350_UART1] = { 0xf020,  0x100 },
> +[ANDES_AE350_UART2] = { 0xf030,  0x100 },
> +[ANDES_AE350_PIT]   = { 0xf040,   0x10 },
> +[ANDES_AE350_SDC]   = { 0xf0e0,   0x10 },
> +[ANDES_AE350_VIRTIO]= { 0xfe00, 0x1000 },
> +};
> +
> +static void
> +create_fdt(AndesAe350BoardState *bs, const struct Memmap

Re: [PATCH 1/3] Andes RISC-V PLIC

On Wed, Mar 10, 2021 at 11:34 AM Dylan Jhong  wrote:
>
> Andes PLIC (Platform-Level Interrupt Controller) device provides an
> interrupt controller functionality based on Andes's PLIC specification.
>
> The Andes PLIC can handle either external interrupts (PLIC)
> or interprocessor interrupts (PLICSW).
>
> While Andes PLIC spec includes vector interrupt and interrupt preemption,
> we leave them as future items for now.
>
> Signed-off-by: Dylan Jhong 
> Signed-off-by: Ruinland ChuanTzu Tsai 
> ---
>  hw/intc/Kconfig  |   3 +
>  hw/intc/andes_plic.c | 505 +++
>  hw/intc/meson.build  |   1 +
>  include/hw/intc/andes_plic.h | 130 +
>  4 files changed, 639 insertions(+)
>  create mode 100644 hw/intc/andes_plic.c
>  create mode 100644 include/hw/intc/andes_plic.h

Is the Andes PLIC spec public available?

What's the difference between Andres's implementation and the SiFive's?

Regards,
Bin

Re: [PATCH] docs: Fix removal text of -show-cursor

2021-03-09 Thread Markus Armbruster

Thomas Huth  writes:

> We should say now when it was removed, not when it was deprecated.
>
> Signed-off-by: Thomas Huth 
> ---
>  docs/system/removed-features.rst | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/docs/system/removed-features.rst 
> b/docs/system/removed-features.rst
> index f8db76d0b5..13f9dd3014 100644
> --- a/docs/system/removed-features.rst
> +++ b/docs/system/removed-features.rst
> @@ -26,8 +26,8 @@ The ``-no-kvm`` argument was a synonym for setting 
> ``-machine accel=tcg``.
>  The ``-realtime mlock=on|off`` argument has been replaced by the
>  ``-overcommit mem-lock=on|off`` argument.
>  
> -``-show-cursor`` option (since 5.0)
> -'''
> +``-show-cursor`` option (removed in 6.0)
> +
>  
>  Use ``-display sdl,show-cursor=on``, ``-display gtk,show-cursor=on``
>  or ``-display default,show-cursor=on`` instead.

Reviewed-by: Markus Armbruster

Re: [PATCH v2] tests/acceptance: Add bFLT loader linux-user test


On 09/03/2021 23.27, Philippe Mathieu-Daudé wrote:

ping?


I guess we really need someone who could act as a maintainer for the 
tests/acceptance directory, who could pick up patches and send pull requests 
if nobody else is picking up these patches...


Cleber, Wainer, Willian, any volunteers?

 Thomas



On 2/14/21 8:45 PM, Philippe Mathieu-Daudé wrote:

Add a very quick test that runs a busybox binary in bFLT format:

   $ avocado --show=app run -t linux_user tests/acceptance/load_bflt.py
   JOB ID : db94d5960ce564c50904d666a7e259148c27e88f
   JOB LOG: ~/avocado/job-results/job-2019-06-25T10.52-db94d59/job.log
(1/1) tests/acceptance/load_bflt.py:LoadBFLT.test_stm32: PASS (0.15 s)
   RESULTS: PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | 
CANCEL 0
   JOB TIME   : 0.54 s

Signed-off-by: Philippe Mathieu-Daudé 
---
Based-on: <20210214175912.732946-1-f4...@amsat.org>
   tests/acceptance: Extract QemuBaseTest from Test
   tests/acceptance: Make pick_default_qemu_bin() more generic
   tests/acceptance: Introduce QemuUserTest base class
---
  tests/acceptance/load_bflt.py | 51 +++
  1 file changed, 51 insertions(+)
  create mode 100644 tests/acceptance/load_bflt.py

diff --git a/tests/acceptance/load_bflt.py b/tests/acceptance/load_bflt.py
new file mode 100644
index 000..4b7796d0775
--- /dev/null
+++ b/tests/acceptance/load_bflt.py
@@ -0,0 +1,51 @@
+# Test the bFLT format
+#
+# Copyright (C) 2019 Philippe Mathieu-Daudé 
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import os
+import bz2
+import subprocess
+
+from avocado_qemu import QemuUserTest
+
+
+class LoadBFLT(QemuUserTest):
+
+def extract_cpio(self, cpio_path):
+"""
+Extracts a cpio archive into the test workdir
+
+:param cpio_path: path to the cpio archive
+"""
+cwd = os.getcwd()
+os.chdir(self.workdir)
+with bz2.open(cpio_path, 'rb') as archive_cpio:
+subprocess.run(['cpio', '-i'], input=archive_cpio.read(),
+   stderr=subprocess.DEVNULL)
+os.chdir(cwd)
+
+@skipUnless(os.getenv('AVOCADO_ALLOW_UNTRUSTED_CODE'), 'untrusted code')
+def test_stm32(self):
+"""
+:avocado: tags=arch:arm
+:avocado: tags=linux_user
+:avocado: tags=quick
+"""
+# See https://elinux.org/STM32#User_Space
+rootfs_url = ('https://elinux.org/images/5/51/'
+  'Stm32_mini_rootfs.cpio.bz2')
+rootfs_hash = '9f065e6ba40cce7411ba757f924f30fcc57951e6'
+rootfs_path_bz2 = self.fetch_asset(rootfs_url, asset_hash=rootfs_hash)
+busybox_path = self.workdir + "/bin/busybox"
+
+self.extract_cpio(rootfs_path_bz2)
+
+res = self.run(busybox_path)
+ver = 'BusyBox v1.24.0.git (2015-02-03 22:17:13 CET) multi-call 
binary.'
+self.assertIn(ver, res.stdout_text)
+
+res = self.run(busybox_path, ['uname', '-a'])
+unm = 'armv7l GNU/Linux'
+self.assertIn(unm, res.stdout_text)

[PATCH] docs: Fix removal text of -show-cursor

We should say now when it was removed, not when it was deprecated.

Signed-off-by: Thomas Huth 
---
 docs/system/removed-features.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/system/removed-features.rst b/docs/system/removed-features.rst
index f8db76d0b5..13f9dd3014 100644
--- a/docs/system/removed-features.rst
+++ b/docs/system/removed-features.rst
@@ -26,8 +26,8 @@ The ``-no-kvm`` argument was a synonym for setting ``-machine 
accel=tcg``.
 The ``-realtime mlock=on|off`` argument has been replaced by the
 ``-overcommit mem-lock=on|off`` argument.
 
-``-show-cursor`` option (since 5.0)
-'''
+``-show-cursor`` option (removed in 6.0)
+
 
 Use ``-display sdl,show-cursor=on``, ``-display gtk,show-cursor=on``
 or ``-display default,show-cursor=on`` instead.
-- 
2.27.0

Re: [PATCH qemu v14] spapr: Implement Open Firmware client interface

2021-03-09 Thread Alexey Kardashevskiy





On 10/03/2021 13:40, David Gibson wrote:

On Wed, Mar 10, 2021 at 12:55:07PM +1100, Alexey Kardashevskiy wrote:



On 10/03/2021 01:00, BALATON Zoltan wrote:

On Tue, 9 Mar 2021, Alexey Kardashevskiy wrote:

On 09/03/2021 16:29, David Gibson wrote:

+struct ClientArchitectureSupportClass {
+    InterfaceClass parent;
+    target_ulong (*cas)(CPUState *cs, target_ulong vec);
+    void (*quiesce)(void);


Is there actually any real connection of quiesce behaviour to cas
behaviour?  Basically, I'm wondering if this is not so much about
client-architecture-support fundamentally as just about
machine-specific parts of the VOF behaviour.  Which would be fine, but
suggests a different name for the interface.


The most canonical way would be having 2 interfaces.


Why?  I don't see any reason these shouldn't be a single interface, it
just has a bad name.


I renamed it to SpaprVofInterface for now.



[snip]

+typedef int size_t;
+typedef void client(void);
+
+/* globals */
+extern void _prom_entry(void); /* OF CI entry point
(i.e. this firmware) */
+
+void do_boot(unsigned long addr, unsigned long r3,
unsigned long r4);
+
+/* libc */
+int strlen(const char *s);
+int strcmp(const char *s1, const char *s2);
+void *memcpy(void *dest, const void *src, size_t n);
+int memcmp(const void *ptr1, const void *ptr2, size_t n);
+void *memmove(void *dest, const void *src, size_t n);
+void *memset(void *dest, int c, size_t size);
+
+/* Prom */
+typedef unsigned long prom_arg_t;
+int call_prom(const char *service, int nargs, int nret, ...);


AIUI this isn't so much about calling the PROM, since this *is* the
PROM code, but rather about calling the parts that are implemented on
the qemu side.  Different names might clarify that.


"call_ci"?


Works for me.


call_ci() it is then.

About builtins such as memcmp() - turns out these are not really
builtins as they are not inlined and gcc/ld still want to link
against libc which is trickier for such firmware (not quite sure how
to do this and keep it small and not pull other libc stuff in), gcc
just knows about them a bit more. This is different from, for
example, __builtin_ctz which is inlined. So I am keeping my libc.o
for now.


Do they really want libc or they are in libgcc for which there's
--static-libgcc I think to avoid needing it in runtime but not sure what
clang has for these.


I was getting "unresolved symbol `memcmp`" when I tried calling memcmp() or
__builtin_memcmp() and "-lc" did not help (installed some multilib packages,


Yeah, you'll need -lgcc rather than -lc, libgcc is the one with the
builtin helpers.


Tried that:
===
ld -nostdlib -e_start -Tl.lds -EB -lgcc -o vof.elf entry.o main.o ci.o 
bootmem.o

ld: cannot find -lgcc
===

I tried playing with the cmdline but to no avail.

I also looked at libgcc and it does not look like it has the libc 
implementations:


===
[fstn1-p1 qemu-killslof]$ find /lib -iname "libgcc*"
/lib/powerpc64le-linux-gnu/libgcc_s.so.1

[fstn1-p1 qemu-killslof]$ objdump -D 
/lib/powerpc64le-linux-gnu/libgcc_s.so.1  | egrep '(memcmp|memcpy)'

00010750 :

[fstn1-p1 qemu-killslof]$
===



did not help either). I figured if I cannot get it compile in 3 minutes, I
should not probably be posting this and better off simply keeping the
existing small libc.


Fair point.


Yup.



--
Alexey

Re: [PULL 00/20] ppc-for-6.0 queue 20210310

Hi David,

On Wed, Mar 10, 2021 at 12:10 PM David Gibson
 wrote:
>
> The following changes since commit b2ae1009d7cca2701e17eae55ae2d44fd22c942a:
>
>   Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210307' 
> into staging (2021-03-09 13:50:35 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/dgibson/qemu.git tags/ppc-for-6.0-20210310
>
> for you to fetch changes up to eb7f80fd26d73e7e1af105431da58971b1dba517:
>
>   spapr.c: send QAPI event when memory hotunplug fails (2021-03-10 09:07:09 
> +1100)
>
> 
> ppc patch queue for 2021-03-10
>
> Next batch of patches for the ppc target and machine types.  Includes:
>  * Several cleanups for sm501 from Peter Maydell
>  * An update to the SLOF guest firmware
>  * Improved handling of hotplug failures in spapr, associated cleanups
>to the hotplug handling code
>  * Several etsec fixes and cleanups from Bin Meng
>  * Assorted other fixes and cleanups
>
> 
> Alexey Kardashevskiy (1):
>   pseries: Update SLOF firmware image
>
> Bin Meng (2):
>   hw/net: fsl_etsec: Fix build error when HEX_DUMP is on
>   hw/ppc: e500: Add missing  in the eTSEC node

It seems the following patch was missing?
http://patchwork.ozlabs.org/project/qemu-devel/patch/1613660319-76960-1-git-send-email-bmeng...@gmail.com/

>
> Cédric Le Goater (1):
>   docs/system: Extend PPC section
>
> Daniel Henrique Barboza (11):
>   spapr_drc.c: do not call spapr_drc_detach() in drc_isolate_logical()
>   spapr_drc.c: use spapr_drc_release() in isolate_physical/set_unusable
>   spapr: rename spapr_drc_detach() to spapr_drc_unplug_request()
>   spapr_drc.c: introduce unplug_timeout_timer
>   spapr_drc.c: add hotunplug timeout for CPUs
>   spapr_drc.c: use DRC reconfiguration to cleanup DIMM unplug state
>   spapr.c: add 'unplug already in progress' message for PHB unplug
>   spapr_pci.c: add 'unplug already in progress' message for PCI unplug
>   qemu_timer.c: add timer_deadline_ms() helper
>   spapr.c: remove duplicated assert in spapr_memory_unplug_request()
>   spapr.c: send QAPI event when memory hotunplug fails
>
> Fabiano Rosas (1):
>   target/ppc: Fix bcdsub. emulation when result overflows
>
> Peter Maydell (3):
>   hw/display/sm501: Remove dead code for non-32-bit RGB surfaces
>   hw/display/sm501: Expand out macros in template header
>   hw/display/sm501: Inline template header into C file
>
> Vitaly Cheptsov (1):
>   target/ppc: fix icount support on Book-e vms accessing SPRs
>

Regards,
Bin

[PATCH v2] ui/cocoa: Clear modifiers whenever possible

2021-03-09 Thread Akihiko Odaki

ui/cocoa does not receive NSEventTypeFlagsChanged when it is not active,
and the modifier state can be desynchronized in such a situation.

[NSEvent -modifierFlags] tells whether a modifier is *not* pressed, so
check it whenever receiving an event and clear the modifier if it is not
pressed.

Note that [NSEvent -modifierFlags] does not tell if a certain modifier
*is* pressed because the documented mask for [NSEvent -modifierFlags]
generalizes left shift and right shift, for example. CapsLock is the
only exception. The pressed state is synchronized only with
NSEventTypeFlagsChanged.

This change also removes modifier keys from keycode map. If they
are input with NSEventTypeKeyDown or NSEventTypeKeyUp, it leads to
desynchronization. Although such a situation is not observed, they are
removed just in case.

Thanks to Konstantin Nazarov for testing and finding a bug in this
change:
https://gist.github.com/akihikodaki/87df4149e7ca87f18dc56807ec5a1bc5#gistcomment-3659419

Signed-off-by: Akihiko Odaki 
---
 ui/cocoa.m | 148 +
 1 file changed, 92 insertions(+), 56 deletions(-)

diff --git a/ui/cocoa.m b/ui/cocoa.m
index f27beb30e6e..2b6aea429f8 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -189,14 +189,6 @@ static bool bool_with_iothread_lock(BoolCodeBlock block)
 [kVK_ANSI_Comma] = Q_KEY_CODE_COMMA,
 [kVK_ANSI_Period] = Q_KEY_CODE_DOT,
 [kVK_ANSI_Slash] = Q_KEY_CODE_SLASH,
-[kVK_Shift] = Q_KEY_CODE_SHIFT,
-[kVK_RightShift] = Q_KEY_CODE_SHIFT_R,
-[kVK_Control] = Q_KEY_CODE_CTRL,
-[kVK_RightControl] = Q_KEY_CODE_CTRL_R,
-[kVK_Option] = Q_KEY_CODE_ALT,
-[kVK_RightOption] = Q_KEY_CODE_ALT_R,
-[kVK_Command] = Q_KEY_CODE_META_L,
-[0x36] = Q_KEY_CODE_META_R, /* There is no kVK_RightCommand */
 [kVK_Space] = Q_KEY_CODE_SPC,
 
 [kVK_ANSI_Keypad0] = Q_KEY_CODE_KP_0,
@@ -615,9 +607,24 @@ - (void) toggleModifier: (int)keycode {
 qemu_input_event_send_key_qcode(dcl.con, keycode, 
modifiers_state[keycode]);
 }
 
-- (void) toggleStatefulModifier: (int)keycode {
+- (void) clearModifier: (int)keycode {
+if (!modifiers_state[keycode]) {
+return;
+}
+
+// Clear the stored state.
+modifiers_state[keycode] = NO;
+// Send a keyup.
+qemu_input_event_send_key_qcode(dcl.con, keycode, false);
+}
+
+- (void) setStatefulModifier: (int)keycode down:(BOOL)down {
+if (down == modifiers_state[keycode]) {
+return;
+}
+
 // Toggle the stored state.
-modifiers_state[keycode] = !modifiers_state[keycode];
+modifiers_state[keycode] = down;
 // Generate keydown and keyup.
 qemu_input_event_send_key_qcode(dcl.con, keycode, true);
 qemu_input_event_send_key_qcode(dcl.con, keycode, false);
@@ -714,57 +721,86 @@ - (bool) handleEventLocked:(NSEvent *)event
 static bool switched_to_fullscreen = false;
 // Location of event in virtual screen coordinates
 NSPoint p = [self screenLocationOfEvent:event];
+NSUInteger modifiers = [event modifierFlags];
 
-switch ([event type]) {
-case NSEventTypeFlagsChanged:
-if ([event keyCode] == 0) {
-// When the Cocoa keyCode is zero that means keys should be
-// synthesized based on the values in in the eventModifiers
-// bitmask.
-
-if (qemu_console_is_graphic(NULL)) {
-NSUInteger modifiers = [event modifierFlags];
+// emulate caps lock keydown and keyup
+[self setStatefulModifier:Q_KEY_CODE_CAPS_LOCK down:!!(modifiers & 
NSEventModifierFlagCapsLock)];
 
-if (!!(modifiers & NSEventModifierFlagCapsLock) != 
!!modifiers_state[Q_KEY_CODE_CAPS_LOCK]) {
-[self toggleStatefulModifier:Q_KEY_CODE_CAPS_LOCK];
-}
-if (!!(modifiers & NSEventModifierFlagShift) != 
!!modifiers_state[Q_KEY_CODE_SHIFT]) {
-[self toggleModifier:Q_KEY_CODE_SHIFT];
-}
-if (!!(modifiers & NSEventModifierFlagControl) != 
!!modifiers_state[Q_KEY_CODE_CTRL]) {
-[self toggleModifier:Q_KEY_CODE_CTRL];
-}
-if (!!(modifiers & NSEventModifierFlagOption) != 
!!modifiers_state[Q_KEY_CODE_ALT]) {
-[self toggleModifier:Q_KEY_CODE_ALT];
-}
-if (!!(modifiers & NSEventModifierFlagCommand) != 
!!modifiers_state[Q_KEY_CODE_META_L]) {
-[self toggleModifier:Q_KEY_CODE_META_L];
-}
-}
-} else {
-keycode = cocoa_keycode_to_qemu([event keyCode]);
-}
-
-if ((keycode == Q_KEY_CODE_META_L || keycode == Q_KEY_CODE_META_R)
-   && !isMouseGrabbed) {
-  /* Don't pass command key changes to guest unless mouse is 
grabbed */
-  keycode = 0;
-}
+if (qemu_

Re: [PATCH qemu v14] spapr: Implement Open Firmware client interface

On Tue, Mar 09, 2021 at 06:28:44PM +1100, Alexey Kardashevskiy wrote:
> 
> 
> On 09/03/2021 16:29, David Gibson wrote:
> 
> 
> > > > > +struct ClientArchitectureSupportClass {
> > > > > +InterfaceClass parent;
> > > > > +target_ulong (*cas)(CPUState *cs, target_ulong vec);
> > > > > +void (*quiesce)(void);
> > > > 
> > > > Is there actually any real connection of quiesce behaviour to cas
> > > > behaviour?  Basically, I'm wondering if this is not so much about
> > > > client-architecture-support fundamentally as just about
> > > > machine-specific parts of the VOF behaviour.  Which would be fine, but
> > > > suggests a different name for the interface.
> > > 
> > > The most canonical way would be having 2 interfaces.
> > 
> > Why?  I don't see any reason these shouldn't be a single interface, it
> > just has a bad name.
> 
> I renamed it to SpaprVofInterface for now.

It doesn't really have anything to do with PAPR, though.  Well, I
guess the CAS part does, but quiesce doesn't.  I'd suggest
"VofMachineInterface" - it represents where VOF needs to interact with
machine type specifics.

> > [snip]
> > > > > +typedef int size_t;
> > > > > +typedef void client(void);
> > > > > +
> > > > > +/* globals */
> > > > > +extern void _prom_entry(void); /* OF CI entry point (i.e. this 
> > > > > firmware) */
> > > > > +
> > > > > +void do_boot(unsigned long addr, unsigned long r3, unsigned long r4);
> > > > > +
> > > > > +/* libc */
> > > > > +int strlen(const char *s);
> > > > > +int strcmp(const char *s1, const char *s2);
> > > > > +void *memcpy(void *dest, const void *src, size_t n);
> > > > > +int memcmp(const void *ptr1, const void *ptr2, size_t n);
> > > > > +void *memmove(void *dest, const void *src, size_t n);
> > > > > +void *memset(void *dest, int c, size_t size);
> > > > > +
> > > > > +/* Prom */
> > > > > +typedef unsigned long prom_arg_t;
> > > > > +int call_prom(const char *service, int nargs, int nret, ...);
> > > > 
> > > > AIUI this isn't so much about calling the PROM, since this *is* the
> > > > PROM code, but rather about calling the parts that are implemented on
> > > > the qemu side.  Different names might clarify that.
> > > 
> > > "call_ci"?
> > 
> > Works for me.
> 
> call_ci() it is then.
> 
> About builtins such as memcmp() - turns out these are not really builtins as
> they are not inlined and gcc/ld still want to link against libc which is
> trickier for such firmware (not quite sure how to do this and keep it small
> and not pull other libc stuff in), gcc just knows about them a bit more.
> This is different from, for example, __builtin_ctz which is inlined. So I am
> keeping my libc.o for now.
> 
> 
> 

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

[PULL 20/20] spapr.c: send QAPI event when memory hotunplug fails

From: Daniel Henrique Barboza 

Recent changes allowed the pSeries machine to rollback the hotunplug
process for the DIMM when the guest kernel signals, via a
reconfiguration of the DR connector, that it's not going to release the
LMBs.

Let's also warn QAPI listerners about it. One place to do it would be
right after the unplug state is cleaned up,
spapr_clear_pending_dimm_unplug_state(). This would mean that the
function is now doing more than cleaning up the pending dimm state
though.

This patch does the following changes in spapr.c:

- send a QAPI event to inform that we experienced a failure in the
  hotunplug of the DIMM;

- rename spapr_clear_pending_dimm_unplug_state() to
  spapr_memory_unplug_rollback(). This is a better fit for what the
  function is now doing, and it makes callers care more about what the
  function goal is and less about spapr.c internals such as clearing
  the pending dimm unplug state.

Reviewed-by: Greg Kurz 
Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210302141019.153729-3-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 13 +++--
 hw/ppc/spapr_drc.c |  5 ++---
 include/hw/ppc/spapr.h |  3 +--
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index b579830832..d56418ca29 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -28,6 +28,7 @@
 #include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qapi/error.h"
+#include "qapi/qapi-events-machine.h"
 #include "qapi/visitor.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/hostmem.h"
@@ -3575,14 +3576,14 @@ static SpaprDimmState 
*spapr_recover_pending_dimm_state(SpaprMachineState *ms,
 return spapr_pending_dimm_unplugs_add(ms, avail_lmbs, dimm);
 }
 
-void spapr_clear_pending_dimm_unplug_state(SpaprMachineState *spapr,
-   DeviceState *dev)
+void spapr_memory_unplug_rollback(SpaprMachineState *spapr, DeviceState *dev)
 {
 SpaprDimmState *ds;
 PCDIMMDevice *dimm;
 SpaprDrc *drc;
 uint32_t nr_lmbs;
 uint64_t size, addr_start, addr;
+g_autofree char *qapi_error = NULL;
 int i;
 
 if (!dev) {
@@ -3616,6 +3617,14 @@ void 
spapr_clear_pending_dimm_unplug_state(SpaprMachineState *spapr,
 drc->unplug_requested = false;
 addr += SPAPR_MEMORY_BLOCK_SIZE;
 }
+
+/*
+ * Tell QAPI that something happened and the memory
+ * hotunplug wasn't successful.
+ */
+qapi_error = g_strdup_printf("Memory hotunplug rejected by the guest "
+ "for device %s", dev->id);
+qapi_event_send_mem_unplug_error(dev->id, qapi_error);
 }
 
 /* Callback to be called during DRC release. */
diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 98b626acf9..8a71b03800 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -1231,12 +1231,11 @@ static void rtas_ibm_configure_connector(PowerPCCPU 
*cpu,
 
 /*
  * This indicates that the kernel is reconfiguring a LMB due to
- * a failed hotunplug. Clear the pending unplug state for the whole
- * DIMM.
+ * a failed hotunplug. Rollback the DIMM unplug process.
  */
 if (spapr_drc_type(drc) == SPAPR_DR_CONNECTOR_TYPE_LMB &&
 drc->unplug_requested) {
-spapr_clear_pending_dimm_unplug_state(spapr, drc->dev);
+spapr_memory_unplug_rollback(spapr, drc->dev);
 }
 
 if (!drc->fdt) {
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index d6edeaaaff..47cebaf3ac 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -847,8 +847,7 @@ int spapr_hpt_shift_for_ramsize(uint64_t ramsize);
 int spapr_reallocate_hpt(SpaprMachineState *spapr, int shift, Error **errp);
 void spapr_clear_pending_events(SpaprMachineState *spapr);
 void spapr_clear_pending_hotplug_events(SpaprMachineState *spapr);
-void spapr_clear_pending_dimm_unplug_state(SpaprMachineState *spapr,
-   DeviceState *dev);
+void spapr_memory_unplug_rollback(SpaprMachineState *spapr, DeviceState *dev);
 int spapr_max_server_number(SpaprMachineState *spapr);
 void spapr_store_hpte(PowerPCCPU *cpu, hwaddr ptex,
   uint64_t pte0, uint64_t pte1);
-- 
2.29.2

[PULL 16/20] spapr_pci.c: add 'unplug already in progress' message for PCI unplug

From: Daniel Henrique Barboza 

Hotunplug for all other devices are warning the user when the hotunplug
is already in progress. Do the same for PCI devices in
spapr_pci_unplug_request().

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210226163301.419727-5-danielhb...@gmail.com>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_pci.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index b00e9609ae..feba18cb12 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -1743,6 +1743,10 @@ static void spapr_pci_unplug_request(HotplugHandler 
*plug_handler,
 }
 }
 }
+} else {
+error_setg(errp,
+   "PCI device unplug already in progress for device %s",
+   drc->dev->id);
 }
 }
 
-- 
2.29.2

[PULL 19/20] spapr.c: remove duplicated assert in spapr_memory_unplug_request()

From: Daniel Henrique Barboza 

We are asserting the existence of the first DRC LMB after sending unplug
requests to all LMBs of the DIMM, where every DRC is being asserted
inside the loop. This means that the first DRC is being asserted twice.

Remove the duplicated assert.

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210302141019.153729-2-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index aca3ef9d58..b579830832 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3703,7 +3703,6 @@ static void spapr_memory_unplug_request(HotplugHandler 
*hotplug_dev,
 
 drc = spapr_drc_by_id(TYPE_SPAPR_DRC_LMB,
   addr_start / SPAPR_MEMORY_BLOCK_SIZE);
-g_assert(drc);
 spapr_hotplug_req_remove_by_count_indexed(SPAPR_DR_CONNECTOR_TYPE_LMB,
   nr_lmbs, spapr_drc_index(drc));
 }
-- 
2.29.2

[PULL 17/20] qemu_timer.c: add timer_deadline_ms() helper

From: Daniel Henrique Barboza 

The pSeries machine is using QEMUTimer internals to return the timeout
in seconds for a timer object, in hw/ppc/spapr.c, function
spapr_drc_unplug_timeout_remaining_sec().

Create a helper in qemu-timer.c to retrieve the deadline for a QEMUTimer
object, in ms, to avoid exposing timer internals to the PPC code.

CC: Paolo Bonzini 
Acked-by: Paolo Bonzini 
Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210301124133.23800-2-danielhb...@gmail.com>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_drc.c   |  5 ++---
 include/qemu/timer.h |  8 
 util/qemu-timer.c| 13 +
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 8c4997d795..98b626acf9 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -421,9 +421,8 @@ void spapr_drc_unplug_request(SpaprDrc *drc)
 
 int spapr_drc_unplug_timeout_remaining_sec(SpaprDrc *drc)
 {
-if (drc->unplug_requested && timer_pending(drc->unplug_timeout_timer)) {
-return (qemu_timeout_ns_to_ms(drc->unplug_timeout_timer->expire_time) -
-qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)) / 1000;
+if (drc->unplug_requested) {
+return timer_deadline_ms(drc->unplug_timeout_timer) / 1000;
 }
 
 return 0;
diff --git a/include/qemu/timer.h b/include/qemu/timer.h
index 1678238384..5e76e3f8c2 100644
--- a/include/qemu/timer.h
+++ b/include/qemu/timer.h
@@ -795,6 +795,14 @@ static inline int64_t get_max_clock_jump(void)
 return 60 * NANOSECONDS_PER_SECOND;
 }
 
+/**
+ * timer_deadline_ms:
+ *
+ * Returns the remaining miliseconds for @timer to expire, or zero
+ * if the timer is no longer pending.
+ */
+int64_t timer_deadline_ms(QEMUTimer *timer);
+
 /*
  * Low level clock functions
  */
diff --git a/util/qemu-timer.c b/util/qemu-timer.c
index 81c28af517..02424bc1b6 100644
--- a/util/qemu-timer.c
+++ b/util/qemu-timer.c
@@ -243,6 +243,19 @@ int64_t timerlist_deadline_ns(QEMUTimerList *timer_list)
 return delta;
 }
 
+/*
+ * Returns the time remaining for the deadline, in ms.
+ */
+int64_t timer_deadline_ms(QEMUTimer *timer)
+{
+if (timer_pending(timer)) {
+return qemu_timeout_ns_to_ms(timer->expire_time) -
+   qemu_clock_get_ms(timer->timer_list->clock->type);
+}
+
+return 0;
+}
+
 /* Calculate the soonest deadline across all timerlists attached
  * to the clock. This is used for the icount timeout so we
  * ignore whether or not the clock should be used in deadline
-- 
2.29.2

[PULL 18/20] target/ppc: fix icount support on Book-e vms accessing SPRs

From: Vitaly Cheptsov 

Failing to guard SPR access with gen_io_start/gen_stop_exception
causes "Bad icount read" exceptions when running VMs with
e500mc and e500v2 CPUs with an icount parameter.

Cc: David Gibson 
Cc: Greg Kurz 
Cc: Paolo Bonzini 
Signed-off-by: Vitaly Cheptsov 
Message-Id: <20210303140851.78383-1-chept...@ispras.ru>
Signed-off-by: David Gibson 
---
 target/ppc/translate_init.c.inc | 36 +
 1 file changed, 36 insertions(+)

diff --git a/target/ppc/translate_init.c.inc b/target/ppc/translate_init.c.inc
index e7324e85cd..09c9ae2c98 100644
--- a/target/ppc/translate_init.c.inc
+++ b/target/ppc/translate_init.c.inc
@@ -567,35 +567,71 @@ static void spr_write_601_ubatl(DisasContext *ctx, int 
sprn, int gprn)
 #if !defined(CONFIG_USER_ONLY)
 static void spr_read_40x_pit(DisasContext *ctx, int gprn, int sprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_helper_load_40x_pit(cpu_gpr[gprn], cpu_env);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 
 static void spr_write_40x_pit(DisasContext *ctx, int sprn, int gprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_helper_store_40x_pit(cpu_env, cpu_gpr[gprn]);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 
 static void spr_write_40x_dbcr0(DisasContext *ctx, int sprn, int gprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_store_spr(sprn, cpu_gpr[gprn]);
 gen_helper_store_40x_dbcr0(cpu_env, cpu_gpr[gprn]);
 /* We must stop translation as we may have rebooted */
 gen_stop_exception(ctx);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 
 static void spr_write_40x_sler(DisasContext *ctx, int sprn, int gprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_helper_store_40x_sler(cpu_env, cpu_gpr[gprn]);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 
 static void spr_write_booke_tcr(DisasContext *ctx, int sprn, int gprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_helper_store_booke_tcr(cpu_env, cpu_gpr[gprn]);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 
 static void spr_write_booke_tsr(DisasContext *ctx, int sprn, int gprn)
 {
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
 gen_helper_store_booke_tsr(cpu_env, cpu_gpr[gprn]);
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_stop_exception(ctx);
+}
 }
 #endif
 
-- 
2.29.2

[PULL 14/20] hw/ppc: e500: Add missing in the eTSEC node

From: Bin Meng 

The eTSEC node should provide an empty  property in the
eTSEC node, otherwise of_translate_address() in the Linux kernel
fails to get the eTSEC register base, reporting:

  OF: ** translation for device /platform@f/ethernet@0/queue-group **
  OF: bus is default (na=1, ns=1) on /platform@f/ethernet@0
  OF: translating address: 
  OF: parent bus is default (na=1, ns=1) on /platform@f
  OF: no ranges; cannot translate

Per devicetree spec v0.3 [1] chapter 2.3.8:

  If the property is not present in a bus node, it is assumed that
  no mapping exists between children of the node and the parent
  address space.

This is why of_translate_address() aborts the address translation.
Apparently U-Boot devicetree parser seems to be tolerant with
missing  as this was not noticed when testing with U-Boot.
The empty  property is present in all kernel shipped dtsi
files for eTSEC, Let's add it to conform with the spec.

[1] 
https://github.com/devicetree-org/devicetree-specification/releases/download/v0.3/devicetree-specification-v0.3.pdf

Fixes: fdfb7f2cdb2d ("e500: Add support for eTSEC in device tree")
Signed-off-by: Bin Meng 
Message-Id: <1614158919-9473-1-git-send-email-bmeng...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/e500.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 01517a6c6c..1d94485ac8 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -231,6 +231,7 @@ static int create_devtree_etsec(SysBusDevice *sbdev, 
PlatformDevtreeData *data)
 assert(irq2 >= 0);
 
 qemu_fdt_add_subnode(fdt, node);
+qemu_fdt_setprop(fdt, node, "ranges", NULL, 0);
 qemu_fdt_setprop_string(fdt, node, "device_type", "network");
 qemu_fdt_setprop_string(fdt, node, "compatible", "fsl,etsec2");
 qemu_fdt_setprop_string(fdt, node, "model", "eTSEC");
-- 
2.29.2

[PULL 08/20] docs/system: Extend PPC section

From: Cédric Le Goater 

This moves the current documentation in files specific to each
platform family. PowerNV machine is updated, the other machines need
to be done.

Signed-off-by: Cédric Le Goater 
Message-Id: <20210222133956.156001-1-...@kaod.org>
Reviewed-by: Greg Kurz 
[dwg: Trivial capitalization fix]
Signed-off-by: David Gibson 
---
 docs/system/ppc/embedded.rst |  10 ++
 docs/system/ppc/powermac.rst |  34 ++
 docs/system/ppc/powernv.rst  | 193 +++
 docs/system/ppc/prep.rst |  18 
 docs/system/ppc/pseries.rst  |  12 +++
 docs/system/target-ppc.rst   |  53 +++---
 6 files changed, 282 insertions(+), 38 deletions(-)
 create mode 100644 docs/system/ppc/embedded.rst
 create mode 100644 docs/system/ppc/powermac.rst
 create mode 100644 docs/system/ppc/powernv.rst
 create mode 100644 docs/system/ppc/prep.rst
 create mode 100644 docs/system/ppc/pseries.rst

diff --git a/docs/system/ppc/embedded.rst b/docs/system/ppc/embedded.rst
new file mode 100644
index 00..cfffbda24d
--- /dev/null
+++ b/docs/system/ppc/embedded.rst
@@ -0,0 +1,10 @@
+Embedded family boards
+==
+
+- ``bamboo``   bamboo
+- ``mpc8544ds``mpc8544ds
+- ``ppce500``  generic paravirt e500 platform
+- ``ref405ep`` ref405ep
+- ``sam460ex`` aCube Sam460ex
+- ``taihu``taihu
+- ``virtex-ml507`` Xilinx Virtex ML507 reference design
diff --git a/docs/system/ppc/powermac.rst b/docs/system/ppc/powermac.rst
new file mode 100644
index 00..04334ba210
--- /dev/null
+++ b/docs/system/ppc/powermac.rst
@@ -0,0 +1,34 @@
+PowerMac family boards (``g3beige``, ``mac99``)
+==
+
+Use the executable ``qemu-system-ppc`` to simulate a complete PowerMac
+PowerPC system.
+
+- ``g3beige``  Heathrow based PowerMAC
+- ``mac99``Mac99 based PowerMAC
+
+Supported devices
+-
+
+QEMU emulates the following PowerMac peripherals:
+
+ *  UniNorth or Grackle PCI Bridge
+ *  PCI VGA compatible card with VESA Bochs Extensions
+ *  2 PMAC IDE interfaces with hard disk and CD-ROM support
+ *  NE2000 PCI adapters
+ *  Non Volatile RAM
+ *  VIA-CUDA with ADB keyboard and mouse.
+
+
+Missing devices
+---
+
+ * To be identified
+
+Firmware
+
+
+Since version 0.9.1, QEMU uses OpenBIOS https://www.openbios.org/ for
+the g3beige and mac99 PowerMac and the 40p machines. OpenBIOS is a free
+(GPL v2) portable firmware implementation. The goal is to implement a
+100% IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.
diff --git a/docs/system/ppc/powernv.rst b/docs/system/ppc/powernv.rst
new file mode 100644
index 00..43c58bc32e
--- /dev/null
+++ b/docs/system/ppc/powernv.rst
@@ -0,0 +1,193 @@
+PowerNV family boards (``powernv8``, ``powernv9``)
+==
+
+PowerNV (as Non-Virtualized) is the "baremetal" platform using the
+OPAL firmware. It runs Linux on IBM and OpenPOWER systems and it can
+be used as an hypervisor OS, running KVM guests, or simply as a host
+OS.
+
+The PowerNV QEMU machine tries to emulate a PowerNV system at the
+level of the skiboot firmware, which loads the OS and provides some
+runtime services. Power Systems have a lower firmware (HostBoot) that
+does low level system initialization, like DRAM training. This is
+beyond the scope of what QEMU addresses today.
+
+Supported devices
+-
+
+ * Multi processor support for POWER8, POWER8NVL and POWER9.
+ * XSCOM, serial communication sideband bus to configure chiplets
+ * Simple LPC Controller
+ * Processor Service Interface (PSI) Controller
+ * Interrupt Controller, XICS (POWER8) and XIVE (POWER9)
+ * POWER8 PHB3 PCIe Host bridge and POWER9 PHB4 PCIe Host bridge
+ * Simple OCC is an on-chip microcontroller used for power management
+   tasks
+ * iBT device to handle BMC communication, with the internal BMC
+   simulator provided by QEMU or an external BMC such as an Aspeed
+   QEMU machine.
+ * PNOR containing the different firmware partitions.
+
+Missing devices
+---
+
+A lot is missing, among which :
+
+ * POWER10 processor
+ * XIVE2 (POWER10) interrupt controller
+ * I2C controllers (yet to be merged)
+ * NPU/NPU2/NPU3 controllers
+ * EEH support for PCIe Host bridge controllers
+ * NX controller
+ * VAS controller
+ * chipTOD (Time Of Day)
+ * Self Boot Engine (SBE).
+ * FSI bus
+
+Firmware
+
+
+The OPAL firmware (OpenPower Abstraction Layer) for OpenPower systems
+includes the runtime services `skiboot` and the bootloader kernel and
+initramfs `skiroot`. Source code can be found on GitHub:
+
+  https://github.com/open-power.
+
+Prebuilt images of `skiboot` and `skiboot` are made available on the 
`OpenPOWER `__ 
site. To boot a POWER9 machine, use the `withers

[PULL 15/20] spapr.c: add 'unplug already in progress' message for PHB unplug

From: Daniel Henrique Barboza 

Both CPU hotunplug and PC_DIMM unplug reports an user warning,
mentioning that the hotunplug is in progress, if consecutive
'device_del' are issued in quick succession.

Do the same for PHBs in spapr_phb_unplug_request().

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210226163301.419727-4-danielhb...@gmail.com>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 6eaddb12cb..aca3ef9d58 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4034,6 +4034,10 @@ static void spapr_phb_unplug_request(HotplugHandler 
*hotplug_dev,
 if (!spapr_drc_unplug_requested(drc)) {
 spapr_drc_unplug_request(drc);
 spapr_hotplug_req_remove_by_index(drc);
+} else {
+error_setg(errp,
+   "PCI Host Bridge unplug already in progress for device %s",
+   dev->id);
 }
 }
 
-- 
2.29.2

[PULL 12/20] spapr_drc.c: use DRC reconfiguration to cleanup DIMM unplug state

From: Daniel Henrique Barboza 

Handling errors in memory hotunplug in the pSeries machine is more
complex than any other device type, because there are all the
complications that other devices has, and more.

For instance, determining a timeout for a DIMM hotunplug must consider
if it's a Hash-MMU or a Radix-MMU guest, because Hash guests takes
longer to hotunplug DIMMs. The size of the DIMM is also a factor, given
that longer DIMMs naturally takes longer to be hotunplugged from the
kernel. And there's also the guest memory usage to be considered: if
there's a process that is consuming memory that would be lost by the
DIMM unplug, the kernel will postpone the unplug process until the
process finishes, and then initiate the regular hotunplug process. The
first two considerations are manageable, but the last one is a deal
breaker.

There is no sane way for the pSeries machine to determine the memory
load in the guest when attempting a DIMM hotunplug - and even if there
was a way, the guest can start using all the RAM in the middle of the
unplug process and invalidate our previous assumptions - and in result
we can't even begin to calculate a timeout for the operation. This means
that we can't implement a viable timeout mechanism for memory unplug in
pSeries.

Going back to why we would consider an unplug timeout, the reason is
that we can't know if the kernel is giving up the unplug. Turns out
that, sometimes, we can. Consider a failed memory hotunplug attempt
where the kernel will error out with the following message:

'pseries-hotplug-mem: Memory indexed-count-remove failed, adding any
removed LMBs'

This happens when there is a LMB that the kernel gave up in removing,
and the LMBs previously marked for removal are now being added back.
This happens in the pseries kernel in [1], dlpar_memory_remove_by_ic()
into dlpar_add_lmb(), and after that update_lmb_associativity_index().
In this function, the kernel is configuring the LMB DRC connector again.
Note that this is a valid usage in LOPAR, as stated in section
"ibm,configure-connector RTAS Call":

'A subsequent sequence of calls to ibm,configure-connector with the same
entry from the “ibm,drc-indexes” or “ibm,drc-info” property will restart
the configuration of devices which were not completely configured.'

We can use this kernel behavior in our favor. If a DRC connector
reconfiguration for a LMB that we marked as unplug pending happens, this
indicates that the kernel changed its mind about the unplug and is
reasserting that it will keep using all the LMBs of the DIMM. In this
case, it's safe to assume that the whole DIMM device unplug was
cancelled.

This patch hops into rtas_ibm_configure_connector() and, in the scenario
described above, clear the unplug state for the DIMM device. This will
not solve all the problems we still have with memory unplug, but it will
cover this case where the kernel reconfigures LMBs after a failed
unplug. We are a bit more resilient, without using an unreliable
timeout, and we didn't make the remaining error cases any worse.

[1] arch/powerpc/platforms/pseries/hotplug-memory.c

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210222194531.62717-6-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 43 ++
 hw/ppc/spapr_drc.c | 10 ++
 include/hw/ppc/spapr.h |  2 ++
 3 files changed, 55 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index ecce8abf14..6eaddb12cb 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3575,6 +3575,49 @@ static SpaprDimmState 
*spapr_recover_pending_dimm_state(SpaprMachineState *ms,
 return spapr_pending_dimm_unplugs_add(ms, avail_lmbs, dimm);
 }
 
+void spapr_clear_pending_dimm_unplug_state(SpaprMachineState *spapr,
+   DeviceState *dev)
+{
+SpaprDimmState *ds;
+PCDIMMDevice *dimm;
+SpaprDrc *drc;
+uint32_t nr_lmbs;
+uint64_t size, addr_start, addr;
+int i;
+
+if (!dev) {
+return;
+}
+
+dimm = PC_DIMM(dev);
+ds = spapr_pending_dimm_unplugs_find(spapr, dimm);
+
+/*
+ * 'ds == NULL' would mean that the DIMM doesn't have a pending
+ * unplug state, but one of its DRC is marked as unplug_requested.
+ * This is bad and weird enough to g_assert() out.
+ */
+g_assert(ds);
+
+spapr_pending_dimm_unplugs_remove(spapr, ds);
+
+size = memory_device_get_region_size(MEMORY_DEVICE(dimm), &error_abort);
+nr_lmbs = size / SPAPR_MEMORY_BLOCK_SIZE;
+
+addr_start = object_property_get_uint(OBJECT(dimm), PC_DIMM_ADDR_PROP,
+  &error_abort);
+
+addr = addr_start;
+for (i = 0; i < nr_lmbs; i++) {
+drc = spapr_drc_by_id(TYPE_SPAPR_DRC_LMB,
+  addr / SPAPR_MEMORY_BLOCK_SIZE);
+g_assert(drc);
+
+drc->unplug_requested = false;
+addr += SPAPR_MEMORY_BLOCK_SIZE;
+}
+}
+
 /* Callback to be

[PULL 11/20] spapr_drc.c: add hotunplug timeout for CPUs

From: Daniel Henrique Barboza 

There is a reliable way to make a CPU hotunplug fail in the pseries
machine. Hotplug a CPU A, then offline all other CPUs inside the guest
but A. When trying to hotunplug A the guest kernel will refuse to do it,
because A is now the last online CPU of the guest. PAPR has no 'error
callback' in this situation to report back to the platform, so the guest
kernel will deny the unplug in silent and QEMU will never know what
happened. The unplug pending state of A will remain until the guest is
shutdown or rebooted.

Previous attempts of fixing it (see [1] and [2]) were aimed at trying to
mitigate the effects of the problem. In [1] we were trying to guess
which guest CPUs were online to forbid hotunplug of the last online CPU
in the QEMU layer, avoiding the scenario described above because QEMU is
now failing in behalf of the guest. This is not robust because the last
online CPU of the guest can change while we're in the middle of the
unplug process, and our initial assumptions are now invalid. In [2] we
were accepting that our unplug process is uncertain and the user should
be allowed to spam the IRQ hotunplug queue of the guest in case the CPU
hotunplug fails.

This patch presents another alternative, using the timeout
infrastructure introduced in the previous patch. CPU hotunplugs in the
pSeries machine will now timeout after 15 seconds. This is a long time
for a single CPU unplug to occur, regardless of guest load - although
the user is *strongly* encouraged to *not* hotunplug devices from a
guest under high load - and we can be sure that something went wrong if
it takes longer than that for the guest to release the CPU (the same
can't be said about memory hotunplug - more on that in the next patch).

Timing out the unplug operation will reset the unplug state of the CPU
and allow the user to try it again, regardless of the error situation
that prevented the hotunplug to occur. Of all the not so pretty
fixes/mitigations for CPU hotunplug errors in pSeries, timing out the
operation is an admission that we have no control in the process, and
must assume the worst case if the operation doesn't succeed in a
sensible time frame.

[1] https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg03353.html
[2] https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04400.html

Reported-by: Xujun Ma 
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1911414
Reviewed-by: David Gibson 
Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210222194531.62717-5-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c |  4 
 hw/ppc/spapr_drc.c | 13 +
 include/hw/ppc/spapr_drc.h |  1 +
 3 files changed, 18 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index b066df68cb..ecce8abf14 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3724,6 +3724,10 @@ void spapr_core_unplug_request(HotplugHandler 
*hotplug_dev, DeviceState *dev,
 if (!spapr_drc_unplug_requested(drc)) {
 spapr_drc_unplug_request(drc);
 spapr_hotplug_req_remove_by_index(drc);
+} else {
+error_setg(errp, "core-id %d unplug is still pending, %d seconds "
+   "timeout remaining",
+   cc->core_id, spapr_drc_unplug_timeout_remaining_sec(drc));
 }
 }
 
diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 27adbc5c30..fd2e45640f 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -409,6 +409,8 @@ void spapr_drc_unplug_request(SpaprDrc *drc)
 
 drc->unplug_requested = true;
 
+spapr_drc_start_unplug_timeout_timer(drc);
+
 if (drc->state != drck->empty_state) {
 trace_spapr_drc_awaiting_quiesce(spapr_drc_index(drc));
 return;
@@ -417,6 +419,16 @@ void spapr_drc_unplug_request(SpaprDrc *drc)
 spapr_drc_release(drc);
 }
 
+int spapr_drc_unplug_timeout_remaining_sec(SpaprDrc *drc)
+{
+if (drc->unplug_requested && timer_pending(drc->unplug_timeout_timer)) {
+return (qemu_timeout_ns_to_ms(drc->unplug_timeout_timer->expire_time) -
+qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)) / 1000;
+}
+
+return 0;
+}
+
 bool spapr_drc_reset(SpaprDrc *drc)
 {
 SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
@@ -710,6 +722,7 @@ static void spapr_drc_cpu_class_init(ObjectClass *k, void 
*data)
 drck->drc_name_prefix = "CPU ";
 drck->release = spapr_core_release;
 drck->dt_populate = spapr_core_dt_populate;
+drck->unplug_timeout_seconds = 15;
 }
 
 static void spapr_drc_pci_class_init(ObjectClass *k, void *data)
diff --git a/include/hw/ppc/spapr_drc.h b/include/hw/ppc/spapr_drc.h
index 38ec4c8091..26599c385a 100644
--- a/include/hw/ppc/spapr_drc.h
+++ b/include/hw/ppc/spapr_drc.h
@@ -248,6 +248,7 @@ int spapr_dt_drc(void *fdt, int offset, Object *owner, 
uint32_t drc_type_mask);
  */
 void spapr_drc_attach(SpaprDrc *drc, DeviceState *d);
 void spapr_drc_unplug_request(SpaprDrc *drc);
+int spapr_drc_unplug_timeout_remaining_sec(S

[PULL 06/20] spapr_drc.c: use spapr_drc_release() in isolate_physical/set_unusable

From: Daniel Henrique Barboza 

When moving a physical DRC to "Available", drc_isolate_physical() will
move the DRC state to STATE_PHYSICAL_POWERON and, if the DRC is marked
for unplug, call spapr_drc_detach(). For physical DRCs,
drck->empty_state is STATE_PHYSICAL_POWERON, meaning that we're sure
that spapr_drc_detach() will end up calling spapr_drc_release() in the
end.

Likewise, for logical DRCs, drc_set_unusable will move the DRC to
"Unusable" state, setting drc->state to STATE_LOGICAL_UNUSABLE, which is
the drck->empty_state for logical DRCs. spapr_drc_detach() will call
spapr_drc_release() in this case as well.

In both scenarios, spapr_drc_detach() is being used as a
spapr_drc_release(), wrapper, where we also set unplug_requested (which
is already true, otherwise spapr_drc_detach() wouldn't be called in the
first place) and check if drc->state == drck->empty_state, which we also
know it's guaranteed to be true because we just set it.

Just use spapr_drc_release() in these functions to be clear of our
intentions in both these functions.

Reviewed-by: Greg Kurz 
Reviewed-by: David Gibson 
Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210222194531.62717-2-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_drc.c | 32 
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 84bd3c881f..555a25517d 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -50,6 +50,20 @@ uint32_t spapr_drc_index(SpaprDrc *drc)
 | (drc->id & DRC_INDEX_ID_MASK);
 }
 
+static void spapr_drc_release(SpaprDrc *drc)
+{
+SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
+
+drck->release(drc->dev);
+
+drc->unplug_requested = false;
+g_free(drc->fdt);
+drc->fdt = NULL;
+drc->fdt_start_offset = 0;
+object_property_del(OBJECT(drc), "device");
+drc->dev = NULL;
+}
+
 static uint32_t drc_isolate_physical(SpaprDrc *drc)
 {
 switch (drc->state) {
@@ -68,7 +82,7 @@ static uint32_t drc_isolate_physical(SpaprDrc *drc)
 if (drc->unplug_requested) {
 uint32_t drc_index = spapr_drc_index(drc);
 trace_spapr_drc_set_isolation_state_finalizing(drc_index);
-spapr_drc_detach(drc);
+spapr_drc_release(drc);
 }
 
 return RTAS_OUT_SUCCESS;
@@ -209,7 +223,7 @@ static uint32_t drc_set_unusable(SpaprDrc *drc)
 if (drc->unplug_requested) {
 uint32_t drc_index = spapr_drc_index(drc);
 trace_spapr_drc_set_allocation_state_finalizing(drc_index);
-spapr_drc_detach(drc);
+spapr_drc_release(drc);
 }
 
 return RTAS_OUT_SUCCESS;
@@ -372,20 +386,6 @@ void spapr_drc_attach(SpaprDrc *drc, DeviceState *d)
  NULL, 0);
 }
 
-static void spapr_drc_release(SpaprDrc *drc)
-{
-SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
-
-drck->release(drc->dev);
-
-drc->unplug_requested = false;
-g_free(drc->fdt);
-drc->fdt = NULL;
-drc->fdt_start_offset = 0;
-object_property_del(OBJECT(drc), "device");
-drc->dev = NULL;
-}
-
 void spapr_drc_detach(SpaprDrc *drc)
 {
 SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
-- 
2.29.2

[PULL 03/20] hw/display/sm501: Inline template header into C file

From: Peter Maydell 

We no longer need to include sm501_template.h multiple times, so
we can simply inline its contents into sm501.c.

Signed-off-by: Peter Maydell 
Message-Id: <20210212180653.27588-4-peter.mayd...@linaro.org>
Acked-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 hw/display/sm501.c  |  83 +++-
 hw/display/sm501_template.h | 105 
 2 files changed, 81 insertions(+), 107 deletions(-)
 delete mode 100644 hw/display/sm501_template.h

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index aba447c18b..8789722ef2 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -1558,8 +1558,87 @@ typedef void draw_hwc_line_func(uint8_t *d, const 
uint8_t *s,
 int width, const uint8_t *palette,
 int c_x, int c_y);
 
-#define DEPTH 32
-#include "sm501_template.h"
+static void draw_line8_32(uint8_t *d, const uint8_t *s, int width,
+  const uint32_t *pal)
+{
+uint8_t v, r, g, b;
+do {
+v = ldub_p(s);
+r = (pal[v] >> 16) & 0xff;
+g = (pal[v] >>  8) & 0xff;
+b = (pal[v] >>  0) & 0xff;
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
+s++;
+d += 4;
+} while (--width != 0);
+}
+
+static void draw_line16_32(uint8_t *d, const uint8_t *s, int width,
+   const uint32_t *pal)
+{
+uint16_t rgb565;
+uint8_t r, g, b;
+
+do {
+rgb565 = lduw_le_p(s);
+r = (rgb565 >> 8) & 0xf8;
+g = (rgb565 >> 3) & 0xfc;
+b = (rgb565 << 3) & 0xf8;
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
+s += 2;
+d += 4;
+} while (--width != 0);
+}
+
+static void draw_line32_32(uint8_t *d, const uint8_t *s, int width,
+   const uint32_t *pal)
+{
+uint8_t r, g, b;
+
+do {
+r = s[2];
+g = s[1];
+b = s[0];
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
+s += 4;
+d += 4;
+} while (--width != 0);
+}
+
+/**
+ * Draw hardware cursor image on the given line.
+ */
+static void draw_hwc_line_32(uint8_t *d, const uint8_t *s, int width,
+ const uint8_t *palette, int c_x, int c_y)
+{
+int i;
+uint8_t r, g, b, v, bitset = 0;
+
+/* get cursor position */
+assert(0 <= c_y && c_y < SM501_HWC_HEIGHT);
+s += SM501_HWC_WIDTH * c_y / 4;  /* 4 pixels per byte */
+d += c_x * 4;
+
+for (i = 0; i < SM501_HWC_WIDTH && c_x + i < width; i++) {
+/* get pixel value */
+if (i % 4 == 0) {
+bitset = ldub_p(s);
+s++;
+}
+v = bitset & 3;
+bitset >>= 2;
+
+/* write pixel */
+if (v) {
+v--;
+r = palette[v * 3 + 0];
+g = palette[v * 3 + 1];
+b = palette[v * 3 + 2];
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
+}
+d += 4;
+}
+}
 
 static void sm501_update_display(void *opaque)
 {
diff --git a/hw/display/sm501_template.h b/hw/display/sm501_template.h
deleted file mode 100644
index 28537a05d9..00
--- a/hw/display/sm501_template.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Pixel drawing function templates for QEMU SM501 Device
- *
- * Copyright (c) 2008 Shin-ichiro KAWASAKI
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to 
deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-
-static void draw_line8_32(uint8_t *d, const uint8_t *s, int width,
-  const uint32_t *pal)
-{
-uint8_t v, r, g, b;
-do {
-v = ldub_p(s);
-r = (pal[v] >> 16) & 0xff;
-g = (pal[v] >>  8) & 0xff;
-b = (pal[v] >>  0) & 0xff;
-*(uint32_t *)d = rgb_to_pixel32(r, g, b);
-s++;
-d += 4;
-} while (--width != 0);
-}
-
-static void draw_line16_32(uint8_t *d, const uint8_t *s, int width,
-   const uint32_t *pal)
-{
-uint16_t

[PULL 02/20] hw/display/sm501: Expand out macros in template header

From: Peter Maydell 

Now that we only include sm501_template.h for the DEPTH==32 case, we
can expand out the uses of the BPP, PIXEL_TYPE and PIXEL_NAME macros
in that header.

Signed-off-by: Peter Maydell 
Message-Id: <20210212180653.27588-3-peter.mayd...@linaro.org>
Acked-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 hw/display/sm501_template.h | 60 +++--
 1 file changed, 17 insertions(+), 43 deletions(-)

diff --git a/hw/display/sm501_template.h b/hw/display/sm501_template.h
index a60abad019..28537a05d9 100644
--- a/hw/display/sm501_template.h
+++ b/hw/display/sm501_template.h
@@ -22,28 +22,8 @@
  * THE SOFTWARE.
  */
 
-#if DEPTH == 8
-#define BPP 1
-#define PIXEL_TYPE uint8_t
-#elif DEPTH == 15 || DEPTH == 16
-#define BPP 2
-#define PIXEL_TYPE uint16_t
-#elif DEPTH == 32
-#define BPP 4
-#define PIXEL_TYPE uint32_t
-#else
-#error unsupport depth
-#endif
-
-#ifdef BGR_FORMAT
-#define PIXEL_NAME glue(DEPTH, bgr)
-#else
-#define PIXEL_NAME DEPTH
-#endif /* BGR_FORMAT */
-
-
-static void glue(draw_line8_, PIXEL_NAME)(
- uint8_t *d, const uint8_t *s, int width, const uint32_t *pal)
+static void draw_line8_32(uint8_t *d, const uint8_t *s, int width,
+  const uint32_t *pal)
 {
 uint8_t v, r, g, b;
 do {
@@ -51,14 +31,14 @@ static void glue(draw_line8_, PIXEL_NAME)(
 r = (pal[v] >> 16) & 0xff;
 g = (pal[v] >>  8) & 0xff;
 b = (pal[v] >>  0) & 0xff;
-*(PIXEL_TYPE *)d = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
 s++;
-d += BPP;
+d += 4;
 } while (--width != 0);
 }
 
-static void glue(draw_line16_, PIXEL_NAME)(
- uint8_t *d, const uint8_t *s, int width, const uint32_t *pal)
+static void draw_line16_32(uint8_t *d, const uint8_t *s, int width,
+   const uint32_t *pal)
 {
 uint16_t rgb565;
 uint8_t r, g, b;
@@ -68,14 +48,14 @@ static void glue(draw_line16_, PIXEL_NAME)(
 r = (rgb565 >> 8) & 0xf8;
 g = (rgb565 >> 3) & 0xfc;
 b = (rgb565 << 3) & 0xf8;
-*(PIXEL_TYPE *)d = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
 s += 2;
-d += BPP;
+d += 4;
 } while (--width != 0);
 }
 
-static void glue(draw_line32_, PIXEL_NAME)(
- uint8_t *d, const uint8_t *s, int width, const uint32_t *pal)
+static void draw_line32_32(uint8_t *d, const uint8_t *s, int width,
+   const uint32_t *pal)
 {
 uint8_t r, g, b;
 
@@ -83,17 +63,17 @@ static void glue(draw_line32_, PIXEL_NAME)(
 r = s[2];
 g = s[1];
 b = s[0];
-*(PIXEL_TYPE *)d = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
 s += 4;
-d += BPP;
+d += 4;
 } while (--width != 0);
 }
 
 /**
  * Draw hardware cursor image on the given line.
  */
-static void glue(draw_hwc_line_, PIXEL_NAME)(uint8_t *d, const uint8_t *s,
- int width, const uint8_t *palette, int c_x, int c_y)
+static void draw_hwc_line_32(uint8_t *d, const uint8_t *s, int width,
+ const uint8_t *palette, int c_x, int c_y)
 {
 int i;
 uint8_t r, g, b, v, bitset = 0;
@@ -101,7 +81,7 @@ static void glue(draw_hwc_line_, PIXEL_NAME)(uint8_t *d, 
const uint8_t *s,
 /* get cursor position */
 assert(0 <= c_y && c_y < SM501_HWC_HEIGHT);
 s += SM501_HWC_WIDTH * c_y / 4;  /* 4 pixels per byte */
-d += c_x * BPP;
+d += c_x * 4;
 
 for (i = 0; i < SM501_HWC_WIDTH && c_x + i < width; i++) {
 /* get pixel value */
@@ -118,14 +98,8 @@ static void glue(draw_hwc_line_, PIXEL_NAME)(uint8_t *d, 
const uint8_t *s,
 r = palette[v * 3 + 0];
 g = palette[v * 3 + 1];
 b = palette[v * 3 + 2];
-*(PIXEL_TYPE *)d = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
+*(uint32_t *)d = rgb_to_pixel32(r, g, b);
 }
-d += BPP;
+d += 4;
 }
 }
-
-#undef DEPTH
-#undef BPP
-#undef PIXEL_TYPE
-#undef PIXEL_NAME
-#undef BGR_FORMAT
-- 
2.29.2

[PULL 13/20] hw/net: fsl_etsec: Fix build error when HEX_DUMP is on

From: Bin Meng 

"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when HEX_DUMP is on.

Signed-off-by: Bin Meng 
Message-Id: <20210228050431.24647-1-bmeng...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/net/fsl_etsec/etsec.c | 1 +
 hw/net/fsl_etsec/rings.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/net/fsl_etsec/etsec.c b/hw/net/fsl_etsec/etsec.c
index 93886bba60..bd9d62b559 100644
--- a/hw/net/fsl_etsec/etsec.c
+++ b/hw/net/fsl_etsec/etsec.c
@@ -27,6 +27,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "hw/sysbus.h"
 #include "hw/irq.h"
 #include "hw/ptimer.h"
diff --git a/hw/net/fsl_etsec/rings.c b/hw/net/fsl_etsec/rings.c
index fe055d3381..d6be0d7d18 100644
--- a/hw/net/fsl_etsec/rings.c
+++ b/hw/net/fsl_etsec/rings.c
@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "net/checksum.h"
 #include "qemu/log.h"
 #include "etsec.h"
-- 
2.29.2

[PULL 07/20] spapr: rename spapr_drc_detach() to spapr_drc_unplug_request()

From: Daniel Henrique Barboza 

spapr_drc_detach() is not the best name for what the function does. The
function does not detach the DRC, it makes an uncommited attempt to do
it.  It'll mark the DRC as pending unplug, via the 'unplug_request'
flag, and only if the DRC state is drck->empty_state it will detach the
DRC, via spapr_drc_release().

This is a contrast with its pair spapr_drc_attach(), where the function
is indeed creating the DRC QOM object. If you know what
spapr_drc_attach() does, you can be misled into thinking that
spapr_drc_detach() is removing the DRC from QEMU internal state, which
isn't true.

The current role of this function is better described as a request for
detach, since there's no guarantee that we're going to detach the DRC in
the end.  Rename the function to spapr_drc_unplug_request to reflect
what is is doing.

The initial idea was to change the name to spapr_drc_detach_request(),
and later on change the unplug_request flag to detach_request. However,
unplug_request is a migratable boolean for a long time now and renaming
it is not worth the trouble. spapr_drc_unplug_request() setting
drc->unplug_request is more natural than spapr_drc_detach_request
setting drc->unplug_request.

Reviewed-by: Greg Kurz 
Reviewed-by: David Gibson 
Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210222194531.62717-3-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 6 +++---
 hw/ppc/spapr_drc.c | 4 ++--
 hw/ppc/spapr_pci.c | 4 ++--
 hw/ppc/trace-events| 2 +-
 include/hw/ppc/spapr_drc.h | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 85fe65f894..b066df68cb 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3654,7 +3654,7 @@ static void spapr_memory_unplug_request(HotplugHandler 
*hotplug_dev,
   addr / SPAPR_MEMORY_BLOCK_SIZE);
 g_assert(drc);
 
-spapr_drc_detach(drc);
+spapr_drc_unplug_request(drc);
 addr += SPAPR_MEMORY_BLOCK_SIZE;
 }
 
@@ -3722,7 +3722,7 @@ void spapr_core_unplug_request(HotplugHandler 
*hotplug_dev, DeviceState *dev,
 g_assert(drc);
 
 if (!spapr_drc_unplug_requested(drc)) {
-spapr_drc_detach(drc);
+spapr_drc_unplug_request(drc);
 spapr_hotplug_req_remove_by_index(drc);
 }
 }
@@ -3985,7 +3985,7 @@ static void spapr_phb_unplug_request(HotplugHandler 
*hotplug_dev,
 assert(drc);
 
 if (!spapr_drc_unplug_requested(drc)) {
-spapr_drc_detach(drc);
+spapr_drc_unplug_request(drc);
 spapr_hotplug_req_remove_by_index(drc);
 }
 }
diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 555a25517d..67041fb212 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -386,11 +386,11 @@ void spapr_drc_attach(SpaprDrc *drc, DeviceState *d)
  NULL, 0);
 }
 
-void spapr_drc_detach(SpaprDrc *drc)
+void spapr_drc_unplug_request(SpaprDrc *drc)
 {
 SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
 
-trace_spapr_drc_detach(spapr_drc_index(drc));
+trace_spapr_drc_unplug_request(spapr_drc_index(drc));
 
 g_assert(drc->dev);
 
diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index f1c7479816..b00e9609ae 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -1723,12 +1723,12 @@ static void spapr_pci_unplug_request(HotplugHandler 
*plug_handler,
  * functions, even if their unplug weren't requested
  * beforehand.
  */
-spapr_drc_detach(func_drc);
+spapr_drc_unplug_request(func_drc);
 }
 }
 }
 
-spapr_drc_detach(drc);
+spapr_drc_unplug_request(drc);
 
 /* if this isn't func 0, defer unplug event. otherwise signal removal
  * for all present functions
diff --git a/hw/ppc/trace-events b/hw/ppc/trace-events
index 1e91984526..b4bbfbb013 100644
--- a/hw/ppc/trace-events
+++ b/hw/ppc/trace-events
@@ -50,7 +50,7 @@ spapr_drc_set_allocation_state(uint32_t index, int state) 
"drc: 0x%"PRIx32", sta
 spapr_drc_set_allocation_state_finalizing(uint32_t index) "drc: 0x%"PRIx32
 spapr_drc_set_configured(uint32_t index) "drc: 0x%"PRIx32
 spapr_drc_attach(uint32_t index) "drc: 0x%"PRIx32
-spapr_drc_detach(uint32_t index) "drc: 0x%"PRIx32
+spapr_drc_unplug_request(uint32_t index) "drc: 0x%"PRIx32
 spapr_drc_awaiting_quiesce(uint32_t index) "drc: 0x%"PRIx32
 spapr_drc_reset(uint32_t index) "drc: 0x%"PRIx32
 spapr_drc_realize(uint32_t index) "drc: 0x%"PRIx32
diff --git a/include/hw/ppc/spapr_drc.h b/include/hw/ppc/spapr_drc.h
index 8982927d5c..02a63b3666 100644
--- a/include/hw/ppc/spapr_drc.h
+++ b/include/hw/ppc/spapr_drc.h
@@ -243,7 +243,7 @@ int spapr_dt_drc(void *fdt, int offset, Object *owner, 
uint32_t drc_type_mask);
  * beforehand (eg. check drc->dev at pre-plug).
  */
 void spapr_drc_attach(SpaprDrc *drc, DeviceState *d);
-

[PULL 01/20] hw/display/sm501: Remove dead code for non-32-bit RGB surfaces

From: Peter Maydell 

For a long time now the UI layer has guaranteed that the console
surface is always 32 bits per pixel RGB. Remove the legacy dead
code from the sm501 display device which was handling the
possibility that the console surface was some other format.

Signed-off-by: Peter Maydell 
Message-Id: <20210212180653.27588-2-peter.mayd...@linaro.org>
Acked-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 hw/display/sm501.c | 91 +++---
 1 file changed, 6 insertions(+), 85 deletions(-)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index 8966b69bc7..aba447c18b 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -1558,89 +1558,9 @@ typedef void draw_hwc_line_func(uint8_t *d, const 
uint8_t *s,
 int width, const uint8_t *palette,
 int c_x, int c_y);
 
-#define DEPTH 8
-#include "sm501_template.h"
-
-#define DEPTH 15
-#include "sm501_template.h"
-
-#define BGR_FORMAT
-#define DEPTH 15
-#include "sm501_template.h"
-
-#define DEPTH 16
-#include "sm501_template.h"
-
-#define BGR_FORMAT
-#define DEPTH 16
-#include "sm501_template.h"
-
 #define DEPTH 32
 #include "sm501_template.h"
 
-#define BGR_FORMAT
-#define DEPTH 32
-#include "sm501_template.h"
-
-static draw_line_func *draw_line8_funcs[] = {
-draw_line8_8,
-draw_line8_15,
-draw_line8_16,
-draw_line8_32,
-draw_line8_32bgr,
-draw_line8_15bgr,
-draw_line8_16bgr,
-};
-
-static draw_line_func *draw_line16_funcs[] = {
-draw_line16_8,
-draw_line16_15,
-draw_line16_16,
-draw_line16_32,
-draw_line16_32bgr,
-draw_line16_15bgr,
-draw_line16_16bgr,
-};
-
-static draw_line_func *draw_line32_funcs[] = {
-draw_line32_8,
-draw_line32_15,
-draw_line32_16,
-draw_line32_32,
-draw_line32_32bgr,
-draw_line32_15bgr,
-draw_line32_16bgr,
-};
-
-static draw_hwc_line_func *draw_hwc_line_funcs[] = {
-draw_hwc_line_8,
-draw_hwc_line_15,
-draw_hwc_line_16,
-draw_hwc_line_32,
-draw_hwc_line_32bgr,
-draw_hwc_line_15bgr,
-draw_hwc_line_16bgr,
-};
-
-static inline int get_depth_index(DisplaySurface *surface)
-{
-switch (surface_bits_per_pixel(surface)) {
-default:
-case 8:
-return 0;
-case 15:
-return 1;
-case 16:
-return 2;
-case 32:
-if (is_surface_bgr(surface)) {
-return 4;
-} else {
-return 3;
-}
-}
-}
-
 static void sm501_update_display(void *opaque)
 {
 SM501State *s = (SM501State *)opaque;
@@ -1652,7 +1572,6 @@ static void sm501_update_display(void *opaque)
 int height = get_height(s, crt);
 int src_bpp = get_bpp(s, crt);
 int dst_bpp = surface_bytes_per_pixel(surface);
-int dst_depth_index = get_depth_index(surface);
 draw_line_func *draw_line = NULL;
 draw_hwc_line_func *draw_hwc_line = NULL;
 int full_update = 0;
@@ -1662,6 +1581,8 @@ static void sm501_update_display(void *opaque)
 uint8_t hwc_palette[3 * 3];
 uint8_t *hwc_src = NULL;
 
+assert(dst_bpp == 4); /* Output is always 32-bit RGB */
+
 if (!((crt ? s->dc_crt_control : s->dc_panel_control)
   & SM501_DC_CRT_CONTROL_ENABLE)) {
 return;
@@ -1674,13 +1595,13 @@ static void sm501_update_display(void *opaque)
 /* choose draw_line function */
 switch (src_bpp) {
 case 1:
-draw_line = draw_line8_funcs[dst_depth_index];
+draw_line = draw_line8_32;
 break;
 case 2:
-draw_line = draw_line16_funcs[dst_depth_index];
+draw_line = draw_line16_32;
 break;
 case 4:
-draw_line = draw_line32_funcs[dst_depth_index];
+draw_line = draw_line32_32;
 break;
 default:
 qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
@@ -1691,7 +1612,7 @@ static void sm501_update_display(void *opaque)
 /* set up to draw hardware cursor */
 if (is_hwc_enabled(s, crt)) {
 /* choose cursor draw line function */
-draw_hwc_line = draw_hwc_line_funcs[dst_depth_index];
+draw_hwc_line = draw_hwc_line_32;
 hwc_src = get_hwc_address(s, crt);
 c_x = get_hwc_x(s, crt);
 c_y = get_hwc_y(s, crt);
-- 
2.29.2

[PULL 04/20] spapr_drc.c: do not call spapr_drc_detach() in drc_isolate_logical()

From: Daniel Henrique Barboza 

drc_isolate_logical() is used to move the DRC from the "Configured" to
the "Available" state, erroring out if the DRC is in the unexpected
"Unisolate" state and doing nothing (with RTAS_OUT_SUCCESS) if the DRC
is already in "Available" or in "Unusable" state.

When moving from "Configured" to "Available", the DRC is moved to the
LOGICAL_AVAILABLE state, a drc->unplug_requested check is done and, if
true, spapr_drc_detach() is called.

What spapr_drc_detach() does then is:

- set drc->unplug_requested to true. In fact, this is the only place
where unplug_request is set to true;
- does nothing else if drc->state != drck->empty_state. If the DRC
state is equal to drck->empty_state, spapr_drc_release() is
called. For logical DRCs, drck->empty_state = LOGICAL_UNUSABLE.

In short, calling spapr_drc_detach() in drc_isolate_logical() does
nothing. It'll set unplug_request to true again ('again' since it was
already true - otherwise the function wouldn't be called), and will
return without calling spapr_drc_release() because the DRC is not in
LOGICAL_UNUSABLE, since drc_isolate_logical() just moved it to
LOGICAL_AVAILABLE. The only place where the logical DRC is released is
when called from drc_set_unusable(), when it is moved to the
"Unusable" state.  As it should, according to PAPR.

Even though calling spapr_drc_detach() in drc_isolate_logical() is
benign, removing it will avoid further thought about the matter. So
let's go ahead and do that.

As a note, this logic was introduced in commit bbf5c878ab76. Since
then, the DRC handling code was refactored and enhanced, and PAPR
itself went through some changes in the DRC area as well. It is
expected that some assumptions we had back then are now deprecated.

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210211225246.17315-2-danielhb...@gmail.com>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_drc.c | 13 -
 1 file changed, 13 deletions(-)

diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 8571d5bafe..84bd3c881f 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -132,19 +132,6 @@ static uint32_t drc_isolate_logical(SpaprDrc *drc)
 
 drc->state = SPAPR_DRC_STATE_LOGICAL_AVAILABLE;
 
-/* if we're awaiting release, but still in an unconfigured state,
- * it's likely the guest is still in the process of configuring
- * the device and is transitioning the devices to an ISOLATED
- * state as a part of that process. so we only complete the
- * removal when this transition happens for a device in a
- * configured state, as suggested by the state diagram from PAPR+
- * 2.7, 13.4
- */
-if (drc->unplug_requested) {
-uint32_t drc_index = spapr_drc_index(drc);
-trace_spapr_drc_set_isolation_state_finalizing(drc_index);
-spapr_drc_detach(drc);
-}
 return RTAS_OUT_SUCCESS;
 }
 
-- 
2.29.2

[PULL 09/20] target/ppc: Fix bcdsub. emulation when result overflows

From: Fabiano Rosas 

The commit d03b174a83 (target/ppc: simplify bcdadd/sub functions)
meant to simplify some of the code but it inadvertently altered the
way the CR6 field is set after the operation has overflowed.

The CR6 bits are set based on the *unbounded* result of the operation,
so we need to look at the result before returning from bcd_add_mag,
otherwise we will look at 0 when it overflows.

Consider the following subtraction:

v0 = 0x999c (maximum positive BCD value)
v1 = 0x001d (negative one BCD value)
bcdsub. v0,v0,v1,0

The Power ISA 2.07B says:
If the unbounded result is greater than zero, do the following.
  If PS=0, the sign code of the result is set to 0b1100.
  If PS=1, the sign code of the result is set to 0b.
  If the operation overflows, CR field 6 is set to 0b0101. Otherwise,
  CR field 6 is set to 0b0100.

POWER9 hardware:
vr0 = 0x000c (positive zero BCD value)
cr6 = 0b0101 (0x5) (positive, overflow)

QEMU:
vr0 = 0x000c (positive zero BCD value)
cr6 = 0b0011 (0x3) (zero, overflow) <--- wrong

This patch reverts the part of d03b174a83 that introduced the
problem and adds a test-case to avoid further regressions:

before:
$ make run-tcg-tests-ppc64le-linux-user
(...)
  TESTbcdsub on ppc64le
bcdsub: qemu/tests/tcg/ppc64le/bcdsub.c:58: test_bcdsub_gt:
Assertion `(cr >> 4) == ((1 << 2) | (1 << 0))' failed.

Fixes: d03b174a83 (target/ppc: simplify bcdadd/sub functions)
Reported-by: Paul Clarke 
Signed-off-by: Fabiano Rosas 
Message-Id: <20210222194035.2723056-1-faro...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 target/ppc/int_helper.c   |  13 ++-
 tests/tcg/configure.sh|   6 ++
 tests/tcg/ppc64/Makefile.target   |  13 +++
 tests/tcg/ppc64le/Makefile.target |  12 +++
 tests/tcg/ppc64le/bcdsub.c| 130 ++
 5 files changed, 171 insertions(+), 3 deletions(-)
 create mode 100644 tests/tcg/ppc64/Makefile.target
 create mode 100644 tests/tcg/ppc64le/Makefile.target
 create mode 100644 tests/tcg/ppc64le/bcdsub.c

diff --git a/target/ppc/int_helper.c b/target/ppc/int_helper.c
index 0b682a1f94..429de28494 100644
--- a/target/ppc/int_helper.c
+++ b/target/ppc/int_helper.c
@@ -2175,14 +2175,17 @@ static int bcd_cmp_mag(ppc_avr_t *a, ppc_avr_t *b)
 return 0;
 }
 
-static void bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
+static int bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
int *overflow)
 {
 int carry = 0;
 int i;
+int is_zero = 1;
+
 for (i = 1; i <= 31; i++) {
 uint8_t digit = bcd_get_digit(a, i, invalid) +
 bcd_get_digit(b, i, invalid) + carry;
+is_zero &= (digit == 0);
 if (digit > 9) {
 carry = 1;
 digit -= 10;
@@ -2194,6 +2197,7 @@ static void bcd_add_mag(ppc_avr_t *t, ppc_avr_t *a, 
ppc_avr_t *b, int *invalid,
 }
 
 *overflow = carry;
+return is_zero;
 }
 
 static void bcd_sub_mag(ppc_avr_t *t, ppc_avr_t *a, ppc_avr_t *b, int *invalid,
@@ -2225,14 +2229,15 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 int sgnb = bcd_get_sgn(b);
 int invalid = (sgna == 0) || (sgnb == 0);
 int overflow = 0;
+int zero = 0;
 uint32_t cr = 0;
 ppc_avr_t result = { .u64 = { 0, 0 } };
 
 if (!invalid) {
 if (sgna == sgnb) {
 result.VsrB(BCD_DIG_BYTE(0)) = bcd_preferred_sgn(sgna, ps);
-bcd_add_mag(&result, a, b, &invalid, &overflow);
-cr = bcd_cmp_zero(&result);
+zero = bcd_add_mag(&result, a, b, &invalid, &overflow);
+cr = (sgna > 0) ? CRF_GT : CRF_LT;
 } else {
 int magnitude = bcd_cmp_mag(a, b);
 if (magnitude > 0) {
@@ -2255,6 +2260,8 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 cr = CRF_SO;
 } else if (overflow) {
 cr |= CRF_SO;
+} else if (zero) {
+cr |= CRF_EQ;
 }
 
 *r = result;
diff --git a/tests/tcg/configure.sh b/tests/tcg/configure.sh
index 36b8a73a54..ce304f4933 100755
--- a/tests/tcg/configure.sh
+++ b/tests/tcg/configure.sh
@@ -251,6 +251,12 @@ for target in $target_list; do
 echo "CROSS_CC_HAS_ARMV8_MTE=y" >> $config_target_mak
 fi
 ;;
+ppc*)
+if do_compiler "$target_compiler" $target_compiler_cflags \
+   -mpower8-vector -o $TMPE $TMPC; then
+echo "CROSS_CC_HAS_POWER8_VECTOR=y" >> $config_target_mak
+fi
+;;
 esac
 
 enabled_cross_compilers="$enabled_cross_compilers $target_compiler"
diff --git a/tests/tcg/ppc64/Makefile.target b/tests/tcg/ppc64/Makefile.target
new file mode 100644
index 00..0c6a4585fc
--- /dev/null
+++ b/tests/tcg/ppc64/Makefile.target
@@ -0,0 +1,13 @@
+# -*- Mode: makefile -*-

[PULL 10/20] spapr_drc.c: introduce unplug_timeout_timer

From: Daniel Henrique Barboza 

The LoPAR spec provides no way for the guest kernel to report failure of
hotplug/hotunplug events. This wouldn't be bad if those operations were
granted to always succeed, but that's far for the reality.

What ends up happening is that, in the case of a failed hotunplug,
regardless of whether it was a QEMU error or a guest misbehavior, the
pSeries machine is retaining the unplug state of the device in the
running guest.  This state is cleanup in machine reset, where it is
assumed that this state represents a device that is pending unplug, and
the device is hotunpluged from the board. Until the reset occurs, any
hotunplug operation of the same device is forbid because there is a
pending unplug state.

This behavior has at least one undesirable side effect. A long standing
pending unplug state is, more often than not, the result of a hotunplug
error. The user had to dealt with it, since retrying to unplug the
device is noy allowed, and then in the machine reset we're removing the
device from the guest. This means that we're failing the user twice -
failed to hotunplug when asked, then hotunplugged without notice.

Solutions to this problem range between trying to predict when the
hotunplug will fail and forbid the operation from the QEMU layer, from
opening up the IRQ queue to allow for multiple hotunplug attempts, from
telling the users to 'reboot the machine if something goes wrong'. The
first solution is flawed because we can't fully predict guest behavior
from QEMU, the second solution is a trial and error remediation that
counts on a hope that the unplug will eventually succeed, and the third
is ... well.

This patch introduces a crude, but effective solution to hotunplug
errors in the pSeries machine. For each unplug done, we'll timeout after
some time. If a certain amount of time passes, we'll cleanup the
hotunplug state from the machine.  During the timeout period, any unplug
operations in the same device will still be blocked. After that, we'll
assume that the guest failed the operation, and allow the user to try
again. If the timeout is too short we'll prevent legitimate hotunplug
situations to occur, so we'll need to overestimate the regular time an
unplug operation takes to succeed to account that.

The true solution for the hotunplug errors in the pSeries machines is a
PAPR change to allow for the guest to warn the platform about it. For
now, the work done in this timeout design can be used for the new PAPR
'abort hcall' in the future, given that for both cases we'll need code
to cleanup the existing unplug states of the DRCs.

At this moment we're adding the basic wiring of the timer into the DRC.
Next patch will use the timer to timeout failed CPU hotunplugs.

Signed-off-by: Daniel Henrique Barboza 
Message-Id: <20210222194531.62717-4-danielhb...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_drc.c | 40 ++
 include/hw/ppc/spapr_drc.h |  4 
 2 files changed, 44 insertions(+)

diff --git a/hw/ppc/spapr_drc.c b/hw/ppc/spapr_drc.c
index 67041fb212..27adbc5c30 100644
--- a/hw/ppc/spapr_drc.c
+++ b/hw/ppc/spapr_drc.c
@@ -57,6 +57,8 @@ static void spapr_drc_release(SpaprDrc *drc)
 drck->release(drc->dev);
 
 drc->unplug_requested = false;
+timer_del(drc->unplug_timeout_timer);
+
 g_free(drc->fdt);
 drc->fdt = NULL;
 drc->fdt_start_offset = 0;
@@ -370,6 +372,17 @@ static void prop_get_fdt(Object *obj, Visitor *v, const 
char *name,
 } while (fdt_depth != 0);
 }
 
+static void spapr_drc_start_unplug_timeout_timer(SpaprDrc *drc)
+{
+SpaprDrcClass *drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
+
+if (drck->unplug_timeout_seconds != 0) {
+timer_mod(drc->unplug_timeout_timer,
+  qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +
+  drck->unplug_timeout_seconds * 1000);
+}
+}
+
 void spapr_drc_attach(SpaprDrc *drc, DeviceState *d)
 {
 trace_spapr_drc_attach(spapr_drc_index(drc));
@@ -475,11 +488,23 @@ static bool spapr_drc_needed(void *opaque)
 spapr_drc_unplug_requested(drc);
 }
 
+static int spapr_drc_post_load(void *opaque, int version_id)
+{
+SpaprDrc *drc = opaque;
+
+if (drc->unplug_requested) {
+spapr_drc_start_unplug_timeout_timer(drc);
+}
+
+return 0;
+}
+
 static const VMStateDescription vmstate_spapr_drc = {
 .name = "spapr_drc",
 .version_id = 1,
 .minimum_version_id = 1,
 .needed = spapr_drc_needed,
+.post_load = spapr_drc_post_load,
 .fields  = (VMStateField []) {
 VMSTATE_UINT32(state, SpaprDrc),
 VMSTATE_END_OF_LIST()
@@ -490,6 +515,15 @@ static const VMStateDescription vmstate_spapr_drc = {
 }
 };
 
+static void drc_unplug_timeout_cb(void *opaque)
+{
+SpaprDrc *drc = opaque;
+
+if (drc->unplug_requested) {
+drc->unplug_requested = false;
+}
+}
+
 static void drc_realize(DeviceState *d, Error **errp)
 {
 SpaprDrc *drc = SPAPR_DR_CONNECT

[PULL 00/20] ppc-for-6.0 queue 20210310

The following changes since commit b2ae1009d7cca2701e17eae55ae2d44fd22c942a:

  Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210307' into 
staging (2021-03-09 13:50:35 +)

are available in the Git repository at:

  https://gitlab.com/dgibson/qemu.git tags/ppc-for-6.0-20210310

for you to fetch changes up to eb7f80fd26d73e7e1af105431da58971b1dba517:

  spapr.c: send QAPI event when memory hotunplug fails (2021-03-10 09:07:09 
+1100)


ppc patch queue for 2021-03-10

Next batch of patches for the ppc target and machine types.  Includes:
 * Several cleanups for sm501 from Peter Maydell
 * An update to the SLOF guest firmware
 * Improved handling of hotplug failures in spapr, associated cleanups
   to the hotplug handling code
 * Several etsec fixes and cleanups from Bin Meng
 * Assorted other fixes and cleanups


Alexey Kardashevskiy (1):
  pseries: Update SLOF firmware image

Bin Meng (2):
  hw/net: fsl_etsec: Fix build error when HEX_DUMP is on
  hw/ppc: e500: Add missing  in the eTSEC node

Cédric Le Goater (1):
  docs/system: Extend PPC section

Daniel Henrique Barboza (11):
  spapr_drc.c: do not call spapr_drc_detach() in drc_isolate_logical()
  spapr_drc.c: use spapr_drc_release() in isolate_physical/set_unusable
  spapr: rename spapr_drc_detach() to spapr_drc_unplug_request()
  spapr_drc.c: introduce unplug_timeout_timer
  spapr_drc.c: add hotunplug timeout for CPUs
  spapr_drc.c: use DRC reconfiguration to cleanup DIMM unplug state
  spapr.c: add 'unplug already in progress' message for PHB unplug
  spapr_pci.c: add 'unplug already in progress' message for PCI unplug
  qemu_timer.c: add timer_deadline_ms() helper
  spapr.c: remove duplicated assert in spapr_memory_unplug_request()
  spapr.c: send QAPI event when memory hotunplug fails

Fabiano Rosas (1):
  target/ppc: Fix bcdsub. emulation when result overflows

Peter Maydell (3):
  hw/display/sm501: Remove dead code for non-32-bit RGB surfaces
  hw/display/sm501: Expand out macros in template header
  hw/display/sm501: Inline template header into C file

Vitaly Cheptsov (1):
  target/ppc: fix icount support on Book-e vms accessing SPRs

 docs/system/ppc/embedded.rst  |  10 ++
 docs/system/ppc/powermac.rst  |  34 +++
 docs/system/ppc/powernv.rst   | 193 ++
 docs/system/ppc/prep.rst  |  18 
 docs/system/ppc/pseries.rst   |  12 +++
 docs/system/target-ppc.rst|  53 +++
 hw/display/sm501.c| 160 +++
 hw/display/sm501_template.h   | 131 --
 hw/net/fsl_etsec/etsec.c  |   1 +
 hw/net/fsl_etsec/rings.c  |   1 +
 hw/ppc/e500.c |   1 +
 hw/ppc/spapr.c|  67 -
 hw/ppc/spapr_drc.c| 110 --
 hw/ppc/spapr_pci.c|   8 +-
 hw/ppc/trace-events   |   2 +-
 include/hw/ppc/spapr.h|   1 +
 include/hw/ppc/spapr_drc.h|   7 +-
 include/qemu/timer.h  |   8 ++
 pc-bios/README|   2 +-
 pc-bios/slof.bin  | Bin 968368 -> 96 bytes
 roms/SLOF |   2 +-
 target/ppc/int_helper.c   |  13 ++-
 target/ppc/translate_init.c.inc   |  36 +++
 tests/tcg/configure.sh|   6 ++
 tests/tcg/ppc64/Makefile.target   |  13 +++
 tests/tcg/ppc64le/Makefile.target |  12 +++
 tests/tcg/ppc64le/bcdsub.c| 130 +
 util/qemu-timer.c |  13 +++
 28 files changed, 751 insertions(+), 293 deletions(-)
 create mode 100644 docs/system/ppc/embedded.rst
 create mode 100644 docs/system/ppc/powermac.rst
 create mode 100644 docs/system/ppc/powernv.rst
 create mode 100644 docs/system/ppc/prep.rst
 create mode 100644 docs/system/ppc/pseries.rst
 delete mode 100644 hw/display/sm501_template.h
 create mode 100644 tests/tcg/ppc64/Makefile.target
 create mode 100644 tests/tcg/ppc64le/Makefile.target
 create mode 100644 tests/tcg/ppc64le/bcdsub.c

Re: [PATCH qemu v14] spapr: Implement Open Firmware client interface

On Wed, Mar 10, 2021 at 12:55:07PM +1100, Alexey Kardashevskiy wrote:
> 
> 
> On 10/03/2021 01:00, BALATON Zoltan wrote:
> > On Tue, 9 Mar 2021, Alexey Kardashevskiy wrote:
> > > On 09/03/2021 16:29, David Gibson wrote:
> > > > > > > +struct ClientArchitectureSupportClass {
> > > > > > > +    InterfaceClass parent;
> > > > > > > +    target_ulong (*cas)(CPUState *cs, target_ulong vec);
> > > > > > > +    void (*quiesce)(void);
> > > > > > 
> > > > > > Is there actually any real connection of quiesce behaviour to cas
> > > > > > behaviour?  Basically, I'm wondering if this is not so much about
> > > > > > client-architecture-support fundamentally as just about
> > > > > > machine-specific parts of the VOF behaviour.  Which would be fine, 
> > > > > > but
> > > > > > suggests a different name for the interface.
> > > > > 
> > > > > The most canonical way would be having 2 interfaces.
> > > > 
> > > > Why?  I don't see any reason these shouldn't be a single interface, it
> > > > just has a bad name.
> > > 
> > > I renamed it to SpaprVofInterface for now.
> > > 
> > > 
> > > > [snip]
> > > > > > > +typedef int size_t;
> > > > > > > +typedef void client(void);
> > > > > > > +
> > > > > > > +/* globals */
> > > > > > > +extern void _prom_entry(void); /* OF CI entry point
> > > > > > > (i.e. this firmware) */
> > > > > > > +
> > > > > > > +void do_boot(unsigned long addr, unsigned long r3,
> > > > > > > unsigned long r4);
> > > > > > > +
> > > > > > > +/* libc */
> > > > > > > +int strlen(const char *s);
> > > > > > > +int strcmp(const char *s1, const char *s2);
> > > > > > > +void *memcpy(void *dest, const void *src, size_t n);
> > > > > > > +int memcmp(const void *ptr1, const void *ptr2, size_t n);
> > > > > > > +void *memmove(void *dest, const void *src, size_t n);
> > > > > > > +void *memset(void *dest, int c, size_t size);
> > > > > > > +
> > > > > > > +/* Prom */
> > > > > > > +typedef unsigned long prom_arg_t;
> > > > > > > +int call_prom(const char *service, int nargs, int nret, ...);
> > > > > > 
> > > > > > AIUI this isn't so much about calling the PROM, since this *is* the
> > > > > > PROM code, but rather about calling the parts that are implemented 
> > > > > > on
> > > > > > the qemu side.  Different names might clarify that.
> > > > > 
> > > > > "call_ci"?
> > > > 
> > > > Works for me.
> > > 
> > > call_ci() it is then.
> > > 
> > > About builtins such as memcmp() - turns out these are not really
> > > builtins as they are not inlined and gcc/ld still want to link
> > > against libc which is trickier for such firmware (not quite sure how
> > > to do this and keep it small and not pull other libc stuff in), gcc
> > > just knows about them a bit more. This is different from, for
> > > example, __builtin_ctz which is inlined. So I am keeping my libc.o
> > > for now.
> > 
> > Do they really want libc or they are in libgcc for which there's
> > --static-libgcc I think to avoid needing it in runtime but not sure what
> > clang has for these.
> 
> I was getting "unresolved symbol `memcmp`" when I tried calling memcmp() or
> __builtin_memcmp() and "-lc" did not help (installed some multilib packages,

Yeah, you'll need -lgcc rather than -lc, libgcc is the one with the
builtin helpers.

> did not help either). I figured if I cannot get it compile in 3 minutes, I
> should not probably be posting this and better off simply keeping the
> existing small libc.

Fair point.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

[PATCH qemu v15] spapr: Implement Open Firmware client interface

2021-03-09 Thread Alexey Kardashevskiy

The PAPR platform which describes an OS environment that's presented by
a combination of a hypervisor and firmware. The features it specifies
require collaboration between the firmware and the hypervisor.

Since the beginning, the runtime component of the firmware (RTAS) has
been implemented as a 20 byte shim which simply forwards it to
a hypercall implemented in qemu. The boot time firmware component is
SLOF - but a build that's specific to qemu, and has always needed to be
updated in sync with it. Even though we've managed to limit the amount
of runtime communication we need between qemu and SLOF, there's some,
and it has become increasingly awkward to handle as we've implemented
new features.

This implements a boot time OF client interface (CI) which is
enabled by a new "x-vof" pseries machine option (stands for "Virtual Open
Firmware). When enabled, QEMU implements the custom H_OF_CLIENT hcall
which implements Open Firmware Client Interface (OF CI). This allows
using a smaller stateless firmware which does not have to manage
the device tree.

The new "vof.bin" firmware image is included with source code under
pc-bios/. It also includes RTAS blob.

This implements a handful of CI methods just to get -kernel/-initrd
working. In particular, this implements the device tree fetching and
simple memory allocator - "claim" (an OF CI memory allocator) and updates
"/memory@0/available" to report the client about available memory.

This implements changing some device tree properties which we know how
to deal with, the rest is ignored. To allow changes, this skips
fdt_pack() when x-vof=on as not packing the blob leaves some room for
appending.

In absence of SLOF, this assigns phandles to device tree nodes to make
device tree traversing work.

When x-vof=on, this adds "/chosen" every time QEMU (re)builds a tree.

This adds basic instances support which are managed by a hash map
ihandle -> [phandle].

Before the guest started, the used memory is:
0..e60 - the initial firmware
8000..1 - stack
40.. - kernel
3ea.. - initramdisk

This OF CI does not implement "interpret".

Unlike SLOF, this does not format uninitialized nvram. Instead, this
includes a disk image with pre-formatted nvram.

With this basic support, this can only boot into kernel directly.
However this is just enough for the petitboot kernel and initradmdisk to
boot from any possible source. Note this requires reasonably recent guest
kernel with:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df5be5be8735

The immediate benefit is much faster booting time which especially
crucial with fully emulated early CPU bring up environments. Also this
may come handy when/if GRUB-in-the-userspace sees light of the day.

This separates VOF and sPAPR in a hope that VOF bits may be reused by
other POWERPC boards which do not support pSeries.

This is coded in assumption that later on we might be adding support for
booting from QEMU backends (blockdev is the first candidate) without
devices/drivers in between as OF1275 does not require that and
it is quite easy to so.

Signed-off-by: Alexey Kardashevskiy
---

The example command line is:

/home/aik/pbuild/qemu-killslof-localhost-ppc64/qemu-system-ppc64 \
-nodefaults \
-chardev stdio,id=STDIO0,signal=off,mux=on \
-device spapr-vty,id=svty0,reg=0x71000110,chardev=STDIO0 \
-mon id=MON0,chardev=STDIO0,mode=readline \
-nographic \
-vga none \
-enable-kvm \
-m 2G \
-machine
pseries,x-vof=on,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-ccf-assist=off
\
-kernel pbuild/kernel-le-guest/vmlinux \
-initrd pb/rootfs.cpio.xz \
-drive
id=DRIVE0,if=none,file=./p/qemu-killslof/pc-bios/vof-nvram.bin,format=raw \
-global spapr-nvram.drive=DRIVE0 \
-snapshot \
-smp 8,threads=8 \
-L /home/aik/t/qemu-ppc64-bios/ \
-trace events=qemu_trace_events \
-d guest_errors \
-chardev socket,id=SOCKET0,server,nowait,path=qemu.mon.tmux26 \
-mon chardev=SOCKET0,mode=control

---
Changes:
v15:
* bugfix: claimed memory for the VOF itself
* ditched OF_STACK_ADDR and allocate one instead, now it starts from 0x8000
because it is aligned to its size (no particular reason though)
* coding style
* moved nvram.bin up one level
* ditched bool in the firmware
* made debugging code conditional using trace_event_get_state() +
qemu_loglevel_mask()
* renamed the CAS interface to SpaprVofInterface
* added "write" which for now dumps the message and ihandle via
trace point for early debug assistance
* commented on when we allocate of_instances in vof_build_dt()
* store fw_size is SpaprMachine to let spapr_vof_reset() claim it
* many small fixes from v14's review

v14:
* check for truncates in readstr()
* ditched a separate vof_reset()
* spapr->vof is a pointer now, dropped the "on" field
* removed rtas_base from vof and updated comment why we allow setting it
* added myself to maintainers
* updated commit log about blockdev and other possible platforms
* added a note why new hcall is 0x5
* no in place endianness con

[PATCH 3/3] Andes AE350 RISC-V Machine

This provides a RISC-V Board based on Andes's AE350 specification.
The following machine is implemented:

- 'andes_ae350'; PLIC, PLICSW, PLMT, 16550a UART, VirtIO MMIO, device-tree

Signed-off-by: Dylan Jhong 
Signed-off-by: Ruinland ChuanTzu Tsai 
---
 default-configs/devices/riscv32-softmmu.mak |   1 +
 default-configs/devices/riscv64-softmmu.mak |   1 +
 hw/riscv/Kconfig|   7 +
 hw/riscv/andes_ae350.c  | 501 
 hw/riscv/meson.build|   1 +
 include/hw/riscv/andes_ae350.h  |  93 
 6 files changed, 604 insertions(+)
 create mode 100644 hw/riscv/andes_ae350.c
 create mode 100644 include/hw/riscv/andes_ae350.h

diff --git a/default-configs/devices/riscv32-softmmu.mak 
b/default-configs/devices/riscv32-softmmu.mak
index d847bd5692..a268007e72 100644
--- a/default-configs/devices/riscv32-softmmu.mak
+++ b/default-configs/devices/riscv32-softmmu.mak
@@ -8,6 +8,7 @@ CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
 
 # Boards:
 #
+CONFIG_ANDES_AE350=y
 CONFIG_SPIKE=y
 CONFIG_SIFIVE_E=y
 CONFIG_SIFIVE_U=y
diff --git a/default-configs/devices/riscv64-softmmu.mak 
b/default-configs/devices/riscv64-softmmu.mak
index d5eec75f05..9a37dfd8c0 100644
--- a/default-configs/devices/riscv64-softmmu.mak
+++ b/default-configs/devices/riscv64-softmmu.mak
@@ -8,6 +8,7 @@ CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
 
 # Boards:
 #
+CONFIG_ANDES_AE350=y
 CONFIG_SPIKE=y
 CONFIG_SIFIVE_E=y
 CONFIG_SIFIVE_U=y
diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
index d139074b02..04f6369ab7 100644
--- a/hw/riscv/Kconfig
+++ b/hw/riscv/Kconfig
@@ -1,6 +1,13 @@
 config IBEX
 bool
 
+config ANDES_AE350
+bool
+select SERIAL
+select VIRTIO_MMIO
+select ANDES_PLIC
+select ANDES_PLMT
+
 config MICROCHIP_PFSOC
 bool
 select CADENCE_SDHCI
diff --git a/hw/riscv/andes_ae350.c b/hw/riscv/andes_ae350.c
new file mode 100644
index 00..ed5f9701ad
--- /dev/null
+++ b/hw/riscv/andes_ae350.c
@@ -0,0 +1,501 @@
+/*
+ * Andes RISC-V AE350 Board
+ *
+ * Copyright (c) 2021 Andes Tech. Corp.
+ *
+ * Andes AE350 Board supports ns16550a UART and VirtIO MMIO.
+ * The interrupt controllers are andes PLIC and andes PLICSW.
+ * Timer is Andes PLMT.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+#include "hw/boards.h"
+#include "hw/loader.h"
+#include "hw/sysbus.h"
+#include "hw/qdev-properties.h"
+#include "hw/char/serial.h"
+#include "target/riscv/cpu.h"
+#include "hw/riscv/riscv_hart.h"
+#include "hw/riscv/boot.h"
+#include "hw/riscv/numa.h"
+#include "chardev/char.h"
+#include "sysemu/arch_init.h"
+#include "sysemu/device_tree.h"
+#include "sysemu/sysemu.h"
+#include "hw/pci/pci.h"
+#include "hw/pci-host/gpex.h"
+
+#include "hw/intc/andes_plic.h"
+#include "hw/timer/andes_plmt.h"
+#include "hw/riscv/andes_ae350.h"
+
+# define BIOS_FILENAME ""
+
+static const struct MemmapEntry {
+hwaddr base;
+hwaddr size;
+} andes_ae350_memmap[] = {
+[ANDES_AE350_DEBUG] = { 0x,  0x100 },
+[ANDES_AE350_DRAM]  = { 0x, 0x8000 },
+[ANDES_AE350_MROM]  = { 0xb000,   0x10 },
+[ANDES_AE350_MAC]   = { 0xe010,   0x10 },
+[ANDES_AE350_GEM]   = { 0xe020,   0x10 },
+[ANDES_AE350_PLIC]  = { 0xe400,   0x40 },
+[ANDES_AE350_PLMT]  = { 0xe600,   0x10 },
+[ANDES_AE350_PLICSW]= { 0xe640,   0x40 },
+[ANDES_AE350_UART1] = { 0xf020,  0x100 },
+[ANDES_AE350_UART2] = { 0xf030,  0x100 },
+[ANDES_AE350_PIT]   = { 0xf040,   0x10 },
+[ANDES_AE350_SDC]   = { 0xf0e0,   0x10 },
+[ANDES_AE350_VIRTIO]= { 0xfe00, 0x1000 },
+};
+
+static void
+create_fdt(AndesAe350BoardState *bs, const struct MemmapEntry *memmap,
+uint64_t mem_size, const char *cmdline)
+{
+AndesAe350SocState *s = &bs->soc;
+MachineState *ms = MACHINE(qdev_get_machine());
+void *fdt;
+int cpu, i;
+uint64_t mem_addr;
+uint32_t *plic_irq_ext, *plicsw_irq_ext, *plmt_irq_ext;
+unsigned long plic_addr, plicsw_addr, plmt_addr;
+char *plic_name, *plicsw_name, *plmt_name;
+uint32_t intc_phandle = 0, plic_phandle = 0;
+uint32_t phandle = 1;
+char *isa_name, *mem_name, *cpu

[PATCH 2/3] Andes RISC-V PLMT

Andes PLMT (Platform-Level Machine Timer) device provides an
timer functionality and issues timer interrupts.

The Andes PLMT is implemented based on Andes's PLMT specification.

Signed-off-by: Dylan Jhong 
Signed-off-by: Ruinland ChuanTzu Tsai 
---
 hw/timer/Kconfig  |   3 +
 hw/timer/andes_plmt.c | 225 ++
 hw/timer/meson.build  |   1 +
 include/hw/timer/andes_plmt.h |  50 
 4 files changed, 279 insertions(+)
 create mode 100644 hw/timer/andes_plmt.c
 create mode 100644 include/hw/timer/andes_plmt.h

diff --git a/hw/timer/Kconfig b/hw/timer/Kconfig
index 18936ef55b..d96814e5a4 100644
--- a/hw/timer/Kconfig
+++ b/hw/timer/Kconfig
@@ -1,3 +1,6 @@
+config ANDES_PLMT
+bool
+
 config ARM_TIMER
 bool
 select PTIMER
diff --git a/hw/timer/andes_plmt.c b/hw/timer/andes_plmt.c
new file mode 100644
index 00..a6adb05199
--- /dev/null
+++ b/hw/timer/andes_plmt.c
@@ -0,0 +1,225 @@
+/*
+ * Andes PLMT (Platform Level Machine Timer)
+ *
+ * Copyright (c) 2021 Andes Tech. Corp.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "qemu/timer.h"
+#include "qemu/module.h"
+#include "hw/sysbus.h"
+#include "target/riscv/cpu.h"
+#include "hw/qdev-properties.h"
+#include "hw/timer/andes_plmt.h"
+
+static uint64_t andes_cpu_riscv_read_rtc(uint32_t timebase_freq)
+{
+return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
+timebase_freq, NANOSECONDS_PER_SECOND);
+}
+
+/*
+ * Called when timecmp is written to update the QEMU timer or immediately
+ * trigger timer interrupt if mtimecmp <= current timer value.
+ */
+static void
+andes_plmt_write_timecmp(RISCVCPU *cpu, uint64_t value)
+{
+uint64_t next;
+uint64_t diff;
+
+uint64_t rtc_r = andes_cpu_riscv_read_rtc(ANDES_PLMT_TIMEBASE_FREQ);
+
+cpu->env.timecmp = (uint64_t)value;
+if (cpu->env.timecmp <= rtc_r) {
+/*
+ * if we're setting an MTIMECMP value in the "past",
+ * immediately raise the timer interrupt
+ */
+riscv_cpu_update_mip(cpu, MIP_MTIP, BOOL_TO_MASK(1));
+return;
+}
+
+/* otherwise, set up the future timer interrupt */
+riscv_cpu_update_mip(cpu, MIP_MTIP, BOOL_TO_MASK(0));
+diff = cpu->env.timecmp - rtc_r;
+/* back to ns (note args switched in muldiv64) */
+next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
+muldiv64(diff, NANOSECONDS_PER_SECOND, ANDES_PLMT_TIMEBASE_FREQ);
+timer_mod(cpu->env.timer, next);
+}
+
+/*
+ * Callback used when the timer set using timer_mod expires.
+ * Should raise the timer interrupt line
+ */
+static void
+andes_plmt_timer_cb(void *opaque)
+{
+RISCVCPU *cpu = opaque;
+riscv_cpu_update_mip(cpu, MIP_MTIP, BOOL_TO_MASK(1));
+}
+
+static uint64_t
+andes_plmt_read(void *opaque, hwaddr addr, unsigned size)
+{
+AndesPLMTState *plmt = opaque;
+uint64_t rz = 0;
+
+if ((addr >= (plmt->timecmp_base)) &&
+(addr < (plmt->timecmp_base + (plmt->num_harts << 3 {
+/* %8=0:timecmp_lo, %8=4:timecmp_hi */
+size_t hartid = (addr - plmt->timecmp_base) >> 3;
+CPUState *cpu = qemu_get_cpu(hartid);
+CPURISCVState *env = cpu ? cpu->env_ptr : NULL;
+if (!env) {
+error_report("plmt: invalid timecmp hartid: %zu", hartid);
+} else if ((addr & 0x7) == 0) {
+rz = env->timecmp & (unsigned long)0x;
+} else if ((addr & 0x7) == 4) {
+rz = (env->timecmp >> 32) & (unsigned long)0x;
+} else {
+error_report("plmt: invalid read: %08x", (uint32_t)addr);
+}
+} else if (addr == (plmt->time_base)) {
+/* time_lo */
+rz = andes_cpu_riscv_read_rtc(ANDES_PLMT_TIMEBASE_FREQ)
+& (unsigned long)0x;
+} else if (addr == (plmt->time_base + 4)) {
+/* time_hi */
+rz = (andes_cpu_riscv_read_rtc(ANDES_PLMT_TIMEBASE_FREQ) >> 32)
+& (unsigned long)0x;
+} else {
+error_report("plmt: invalid read: %08x", (uint32_t)addr);
+}
+
+return rz;
+}
+
+static void
+andes_plmt_write(void *opaque, hwaddr addr, uint64_t value, unsigned size)
+{
+AndesPLMTState *plmt = opaque;
+
+if ((addr >= (plmt->timecmp_base)) &&
+(addr < (plmt->timecmp_base + (plmt->num_harts << 3 {

[PATCH 1/3] Andes RISC-V PLIC

Andes PLIC (Platform-Level Interrupt Controller) device provides an
interrupt controller functionality based on Andes's PLIC specification.

The Andes PLIC can handle either external interrupts (PLIC)
or interprocessor interrupts (PLICSW).

While Andes PLIC spec includes vector interrupt and interrupt preemption,
we leave them as future items for now.

Signed-off-by: Dylan Jhong 
Signed-off-by: Ruinland ChuanTzu Tsai 
---
 hw/intc/Kconfig  |   3 +
 hw/intc/andes_plic.c | 505 +++
 hw/intc/meson.build  |   1 +
 include/hw/intc/andes_plic.h | 130 +
 4 files changed, 639 insertions(+)
 create mode 100644 hw/intc/andes_plic.c
 create mode 100644 include/hw/intc/andes_plic.h

diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index 66bf0b90b4..b1735c937a 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -67,3 +67,6 @@ config SIFIVE_CLINT
 
 config SIFIVE_PLIC
 bool
+
+config ANDES_PLIC
+bool
diff --git a/hw/intc/andes_plic.c b/hw/intc/andes_plic.c
new file mode 100644
index 00..51b5583566
--- /dev/null
+++ b/hw/intc/andes_plic.c
@@ -0,0 +1,505 @@
+/*
+ * Andes PLIC (Platform Level Interrupt Controller)
+ *
+ * Copyright (c) 2021 Andes Tech. Corp.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "hw/qdev-properties.h"
+#include "target/riscv/cpu.h"
+#include "hw/sysbus.h"
+#include "hw/intc/andes_plic.h"
+
+/* #define DEBUG_ANDES_PLIC */
+#define LOGGE(x...) qemu_log_mask(LOG_GUEST_ERROR, x)
+#define xLOG(x...)
+#define yLOG(x...) qemu_log(x)
+#ifdef DEBUG_ANDES_PLIC
+  #define LOG(x...) yLOG(x)
+#else
+  #define LOG(x...) xLOG(x)
+#endif
+
+enum register_names {
+REG_FEATURE_ENABLE = 0x,
+REG_TRIGGER_TYPE_BASE = 0x1080,
+REG_NUM_IRQ_TARGET = 0x1100,
+REG_VER_MAX_PRIORITY = 0x1104,
+};
+
+enum feature_enable_register {
+FER_PREEMPT = (1u << 0),
+FER_VECTORED = (1u << 0),
+};
+
+static uint32_t atomic_set_masked(uint32_t *a, uint32_t mask, uint32_t value)
+{
+uint32_t old, new, cmp = qatomic_read(a);
+
+do {
+old = cmp;
+new = (old & ~mask) | (value & mask);
+cmp = qatomic_cmpxchg(a, old, new);
+} while (old != cmp);
+
+return old;
+}
+
+static void andes_plic_set_pending(AndesPLICState *plic, int irq, bool level)
+{
+atomic_set_masked(&plic->pending[irq >> 5], 1 << (irq & 31), -!!level);
+}
+
+static void andes_plic_set_claimed(AndesPLICState *plic, int irq, bool level)
+{
+atomic_set_masked(&plic->claimed[irq >> 5], 1 << (irq & 31), -!!level);
+}
+
+static int andes_plic_irqs_pending(AndesPLICState *plic, uint32_t target_id)
+{
+int i, j;
+for (i = 0; i < plic->bitfield_words; i++) {
+uint32_t pending_enabled_not_claimed =
+(plic->pending[i] & ~plic->claimed[i]) &
+plic->enable[target_id * plic->bitfield_words + i];
+if (!pending_enabled_not_claimed) {
+continue;
+}
+
+for (j = 0; j < 32; j++) {
+int irq = (i << 5) + j;
+uint32_t prio = plic->source_priority[irq];
+int enabled = pending_enabled_not_claimed & (1 << j);
+if (enabled && prio > plic->target_priority[target_id]) {
+return 1;
+}
+}
+}
+return 0;
+}
+
+void andes_plichw_update(AndesPLICState *plic)
+{
+int target_id;
+
+/* raise irq on harts where this irq is enabled */
+for (target_id = 0; target_id < plic->num_addrs; target_id++) {
+uint32_t hart_id = plic->addr_config[target_id].hart_id;
+AndesPLICMode mode = plic->addr_config[target_id].mode;
+CPUState *cpu = qemu_get_cpu(hart_id);
+CPURISCVState *env = cpu ? cpu->env_ptr : NULL;
+if (!env) {
+continue;
+}
+int level = andes_plic_irqs_pending(plic, target_id);
+
+switch (mode) {
+case PlicMode_M:
+riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_MEIP, 
BOOL_TO_MASK(level));
+break;
+case PlicMode_S:
+riscv_cpu_update_mip(RISCV_CPU(cpu), MIP_SEIP, 
BOOL_TO_MASK(level));
+break;
+default:
+break;
+}
+}
+}
+
+void andes_plicsw_update(AndesPLICState *plic)
+{
+int target_id;
+
+/* raise irq on harts where this irq is enable

[PATCH 0/3] Support Andes AE350 Platform

The following patches support Andes's Linux BSP booting on 
qemu using 'andes_ae350' machine.

This patchset has implemented the basic components of AE350 platform, 
which are 
  1. PLIC(external interrupts),
  2. PLICSW(interprocessor interrupts),
  3. PLMT(timer interrupts),
  4. UART(16550a),
  5. Virtio MMIO,
  6. Device tree

Dylan Jhong (3):
  Andes RISC-V PLIC
  Andes RISC-V PLMT
  Andes AE350 RISC-V Machine

 default-configs/devices/riscv32-softmmu.mak |   1 +
 default-configs/devices/riscv64-softmmu.mak |   1 +
 hw/intc/Kconfig |   3 +
 hw/intc/andes_plic.c| 505 
 hw/intc/meson.build |   1 +
 hw/riscv/Kconfig|   7 +
 hw/riscv/andes_ae350.c  | 501 +++
 hw/riscv/meson.build|   1 +
 hw/timer/Kconfig|   3 +
 hw/timer/andes_plmt.c   | 225 +
 hw/timer/meson.build|   1 +
 include/hw/intc/andes_plic.h| 130 +
 include/hw/riscv/andes_ae350.h  |  93 
 include/hw/timer/andes_plmt.h   |  50 ++
 14 files changed, 1522 insertions(+)
 create mode 100644 hw/intc/andes_plic.c
 create mode 100644 hw/riscv/andes_ae350.c
 create mode 100644 hw/timer/andes_plmt.c
 create mode 100644 include/hw/intc/andes_plic.h
 create mode 100644 include/hw/riscv/andes_ae350.h
 create mode 100644 include/hw/timer/andes_plmt.h

-- 
2.17.1

Re: [PATCH 2/2] ui/cocoa: Do not rely on the first argument

2021-03-09 Thread Akihiko Odaki

2021年3月9日(火) 22:10 BALATON Zoltan :
>
> On Tue, 9 Mar 2021, Akihiko Odaki wrote:
> > The first argument of the executable was used to get its path, but it is
> > not reliable because the executer can specify any arbitrary string. Use the
> > interfaces provided by QEMU and the platform to get those paths.
> >
> > Signed-off-by: Akihiko Odaki 
> > ---
> > ui/cocoa.m | 29 +++--
> > 1 file changed, 15 insertions(+), 14 deletions(-)
> >
> > diff --git a/ui/cocoa.m b/ui/cocoa.m
> > index d8eacea6d22..6e94301c0d6 100644
> > --- a/ui/cocoa.m
> > +++ b/ui/cocoa.m
> > @@ -1414,20 +1414,21 @@ - (void)make_about_window
> > [superView addSubview: picture_view];
> >
> > /* Make the name label */
> > -x = 0;
> > -y = y - 25;
> > -int name_width = about_width, name_height = 20;
> > -NSRect name_rect = NSMakeRect(x, y, name_width, name_height);
> > -NSTextField *name_label = [[NSTextField alloc] initWithFrame: 
> > name_rect];
> > -[name_label setEditable: NO];
> > -[name_label setBezeled: NO];
> > -[name_label setDrawsBackground: NO];
> > -[name_label setAlignment: NSTextAlignmentCenter];
> > -NSString *qemu_name = [[NSString alloc] initWithCString: gArgv[0]
> > -encoding: 
> > NSASCIIStringEncoding];
> > -qemu_name = [qemu_name lastPathComponent];
> > -[name_label setStringValue: qemu_name];
> > -[superView addSubview: name_label];
> > +NSBundle *bundle = [NSBundle mainBundle];
> > +if (bundle) {
>
> Does this break about window if the executable is not in a bundle (like
> when run from the command line after compiling)? Shouldn't you only put
> the qemu_name in this if and have some default name if bundle is not
> available (or fall back to argv[0] in that case?
>
> Regards,
> BALATON Zoltan
>

No, it just doesn't show the application name. Everything else is fine.

Regards,
Akihiko Odaki

[PATCH v7 8/8] hw/ppc: Add emulation of Genesi/bPlan Pegasos II

Add new machine called pegasos2 emulating the Genesi/bPlan Pegasos II,
a PowerPC board based on the Marvell MV64361 system controller and the
VIA VT8231 integrated south bridge/superio chips. It can run Linux,
AmigaOS and a wide range of MorphOS versions. Currently a firmware ROM
image is needed to boot and only MorphOS has a video driver to produce
graphics output. Linux could work too but distros that supported this
machine don't include usual video drivers so those only run with
serial console for now.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Philippe Mathieu-Daudé 
---
 MAINTAINERS |  10 ++
 default-configs/devices/ppc-softmmu.mak |   2 +
 hw/ppc/Kconfig  |   9 ++
 hw/ppc/meson.build  |   2 +
 hw/ppc/pegasos2.c   | 144 
 5 files changed, 167 insertions(+)
 create mode 100644 hw/ppc/pegasos2.c

diff --git a/MAINTAINERS b/MAINTAINERS
index f22d83c178..c363b6ad1e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1345,6 +1345,16 @@ F: pc-bios/canyonlands.dt[sb]
 F: pc-bios/u-boot-sam460ex-20100605.bin
 F: roms/u-boot-sam460ex
 
+pegasos2
+M: BALATON Zoltan 
+R: David Gibson 
+L: qemu-...@nongnu.org
+S: Maintained
+F: hw/ppc/pegasos2.c
+F: hw/pci-host/mv64361.c
+F: hw/pci-host/mv643xx.h
+F: include/hw/pci-host/mv64361.h
+
 RISC-V Machines
 ---
 OpenTitan
diff --git a/default-configs/devices/ppc-softmmu.mak 
b/default-configs/devices/ppc-softmmu.mak
index 61b78b844d..4535993d8d 100644
--- a/default-configs/devices/ppc-softmmu.mak
+++ b/default-configs/devices/ppc-softmmu.mak
@@ -14,5 +14,7 @@ CONFIG_SAM460EX=y
 CONFIG_MAC_OLDWORLD=y
 CONFIG_MAC_NEWWORLD=y
 
+CONFIG_PEGASOS2=y
+
 # For PReP
 CONFIG_PREP=y
diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
index d11dc30509..e51e0e5e5a 100644
--- a/hw/ppc/Kconfig
+++ b/hw/ppc/Kconfig
@@ -68,6 +68,15 @@ config SAM460EX
 select USB_OHCI
 select FDT_PPC
 
+config PEGASOS2
+bool
+select MV64361
+select VT82C686
+select IDE_VIA
+select SMBUS_EEPROM
+# This should come with VT82C686
+select ACPI_X86
+
 config PREP
 bool
 imply PCI_DEVICES
diff --git a/hw/ppc/meson.build b/hw/ppc/meson.build
index 218631c883..86d6f379d1 100644
--- a/hw/ppc/meson.build
+++ b/hw/ppc/meson.build
@@ -78,5 +78,7 @@ ppc_ss.add(when: 'CONFIG_E500', if_true: files(
 ))
 # PowerPC 440 Xilinx ML507 reference board.
 ppc_ss.add(when: 'CONFIG_VIRTEX', if_true: files('virtex_ml507.c'))
+# Pegasos2
+ppc_ss.add(when: 'CONFIG_PEGASOS2', if_true: files('pegasos2.c'))
 
 hw_arch += {'ppc': ppc_ss}
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
new file mode 100644
index 00..0bfd0928aa
--- /dev/null
+++ b/hw/ppc/pegasos2.c
@@ -0,0 +1,144 @@
+/*
+ * QEMU PowerPC CHRP (Genesi/bPlan Pegasos II) hardware System Emulator
+ *
+ * Copyright (c) 2018-2020 BALATON Zoltan
+ *
+ * This work is licensed under the GNU GPL license version 2 or later.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "hw/hw.h"
+#include "hw/ppc/ppc.h"
+#include "hw/sysbus.h"
+#include "hw/pci/pci_host.h"
+#include "hw/irq.h"
+#include "hw/pci-host/mv64361.h"
+#include "hw/isa/vt82c686.h"
+#include "hw/ide/pci.h"
+#include "hw/i2c/smbus_eeprom.h"
+#include "hw/qdev-properties.h"
+#include "sysemu/reset.h"
+#include "hw/boards.h"
+#include "hw/loader.h"
+#include "hw/fw-path-provider.h"
+#include "elf.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "sysemu/kvm.h"
+#include "kvm_ppc.h"
+#include "exec/address-spaces.h"
+#include "trace.h"
+#include "qemu/datadir.h"
+#include "sysemu/device_tree.h"
+
+#define PROM_FILENAME "pegasos2.rom"
+#define PROM_ADDR 0xfff0
+#define PROM_SIZE 0x8
+
+#define BUS_FREQ_HZ 1
+
+static void pegasos2_cpu_reset(void *opaque)
+{
+PowerPCCPU *cpu = opaque;
+
+cpu_reset(CPU(cpu));
+cpu->env.spr[SPR_HID1] = 7ULL << 28;
+}
+
+static void pegasos2_init(MachineState *machine)
+{
+PowerPCCPU *cpu = NULL;
+MemoryRegion *rom = g_new(MemoryRegion, 1);
+DeviceState *mv;
+PCIBus *pci_bus;
+PCIDevice *dev;
+I2CBus *i2c_bus;
+const char *fwname = machine->firmware ?: PROM_FILENAME;
+char *filename;
+int sz;
+uint8_t *spd_data;
+
+/* init CPU */
+cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
+if (PPC_INPUT(&cpu->env) != PPC_FLAGS_INPUT_6xx) {
+error_report("Incompatible CPU, only 6xx bus supported");
+exit(1);
+}
+
+/* Set time-base frequency */
+cpu_ppc_tb_init(&cpu->env, BUS_FREQ_HZ / 4);
+qemu_register_reset(pegasos2_cpu_reset, cpu);
+
+/* RAM */
+memory_region_add_subregion(get_system_memory(), 0, machine->ram);
+
+/* allocate and load firmware */
+filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, fwname);
+if (!filename) {
+error_report("Could not find firmware '%s'", fwname);
+exit(1);
+}
+me

[PATCH v7 7/8] hw/pci-host: Add emulation of Marvell MV64361 PPC system controller

The Marvell Discovery II aka. MV64361 is a PowerPC system controller
chip that is used on the pegasos2 PPC board. This adds emulation of it
that models the device enough to boot guests on this board. The
mv643xx.h header with register definitions is taken from Linux 4.15.10
only fixing white space errors, removing not needed parts and changing
formatting for QEMU coding style.

Signed-off-by: BALATON Zoltan 
---
 hw/pci-host/Kconfig   |   4 +
 hw/pci-host/meson.build   |   2 +
 hw/pci-host/mv64361.c | 966 ++
 hw/pci-host/mv643xx.h | 918 
 hw/pci-host/trace-events  |   6 +
 include/hw/pci-host/mv64361.h |   8 +
 include/hw/pci/pci_ids.h  |   1 +
 7 files changed, 1905 insertions(+)
 create mode 100644 hw/pci-host/mv64361.c
 create mode 100644 hw/pci-host/mv643xx.h
 create mode 100644 include/hw/pci-host/mv64361.h

diff --git a/hw/pci-host/Kconfig b/hw/pci-host/Kconfig
index 2ccc96f02c..79c20bf28b 100644
--- a/hw/pci-host/Kconfig
+++ b/hw/pci-host/Kconfig
@@ -72,3 +72,7 @@ config REMOTE_PCIHOST
 config SH_PCI
 bool
 select PCI
+
+config MV64361
+bool
+select PCI
diff --git a/hw/pci-host/meson.build b/hw/pci-host/meson.build
index 87a896973e..34b3538beb 100644
--- a/hw/pci-host/meson.build
+++ b/hw/pci-host/meson.build
@@ -19,6 +19,8 @@ pci_ss.add(when: 'CONFIG_GRACKLE_PCI', if_true: 
files('grackle.c'))
 pci_ss.add(when: 'CONFIG_UNIN_PCI', if_true: files('uninorth.c'))
 # PowerPC E500 boards
 pci_ss.add(when: 'CONFIG_PPCE500_PCI', if_true: files('ppce500.c'))
+# Pegasos2
+pci_ss.add(when: 'CONFIG_MV64361', if_true: files('mv64361.c'))
 
 # ARM devices
 pci_ss.add(when: 'CONFIG_VERSATILE_PCI', if_true: files('versatile.c'))
diff --git a/hw/pci-host/mv64361.c b/hw/pci-host/mv64361.c
new file mode 100644
index 00..d71402f8b5
--- /dev/null
+++ b/hw/pci-host/mv64361.c
@@ -0,0 +1,966 @@
+/*
+ * Marvell Discovery II MV64361 System Controller for
+ * QEMU PowerPC CHRP (Genesi/bPlan Pegasos II) hardware System Emulator
+ *
+ * Copyright (c) 2018-2020 BALATON Zoltan
+ *
+ * This work is licensed under the GNU GPL license version 2 or later.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "hw/hw.h"
+#include "hw/sysbus.h"
+#include "hw/pci/pci.h"
+#include "hw/pci/pci_host.h"
+#include "hw/irq.h"
+#include "hw/intc/i8259.h"
+#include "hw/qdev-properties.h"
+#include "exec/address-spaces.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "trace.h"
+#include "hw/pci-host/mv64361.h"
+#include "mv643xx.h"
+
+#define TYPE_MV64361_PCI_BRIDGE "mv64361-pcibridge"
+
+static void mv64361_pcibridge_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+k->vendor_id = PCI_VENDOR_ID_MARVELL;
+k->device_id = PCI_DEVICE_ID_MARVELL_MV6436X;
+k->class_id = PCI_CLASS_BRIDGE_HOST;
+/*
+ * PCI-facing part of the host bridge,
+ * not usable without the host-facing part
+ */
+dc->user_creatable = false;
+}
+
+static const TypeInfo mv64361_pcibridge_info = {
+.name  = TYPE_MV64361_PCI_BRIDGE,
+.parent= TYPE_PCI_DEVICE,
+.instance_size = sizeof(PCIDevice),
+.class_init= mv64361_pcibridge_class_init,
+.interfaces = (InterfaceInfo[]) {
+{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
+{ },
+},
+};
+
+
+#define TYPE_MV64361_PCI "mv64361-pcihost"
+OBJECT_DECLARE_SIMPLE_TYPE(MV64361PCIState, MV64361_PCI)
+
+struct MV64361PCIState {
+PCIHostState parent_obj;
+
+uint8_t index;
+MemoryRegion io;
+MemoryRegion mem;
+qemu_irq irq[PCI_NUM_PINS];
+
+uint32_t io_base;
+uint32_t io_size;
+uint32_t mem_base[4];
+uint32_t mem_size[4];
+uint64_t remap[5];
+};
+
+static int mv64361_pcihost_map_irq(PCIDevice *pci_dev, int n)
+{
+return (n + PCI_SLOT(pci_dev->devfn)) % PCI_NUM_PINS;
+}
+
+static void mv64361_pcihost_set_irq(void *opaque, int n, int level)
+{
+MV64361PCIState *s = opaque;
+qemu_set_irq(s->irq[n], level);
+}
+
+static void mv64361_pcihost_realize(DeviceState *dev, Error **errp)
+{
+MV64361PCIState *s = MV64361_PCI(dev);
+PCIHostState *h = PCI_HOST_BRIDGE(dev);
+char *name;
+
+name = g_strdup_printf("pci%d-io", s->index);
+memory_region_init(&s->io, OBJECT(dev), name, 0x1);
+g_free(name);
+name = g_strdup_printf("pci%d-mem", s->index);
+memory_region_init(&s->mem, OBJECT(dev), name, 1ULL << 32);
+g_free(name);
+name = g_strdup_printf("pci.%d", s->index);
+h->bus = pci_register_root_bus(dev, name, mv64361_pcihost_set_irq,
+   mv64361_pcihost_map_irq, dev,
+   &s->mem, &s->io, 0, 4, TYPE_PCI_BUS);
+g_free(name);
+pci_create_simple(h->bus, 0, TYPE_MV64361_PCI_BRIDGE);
+}
+
+static Property mv64361_pcihos

[PATCH v7 2/8] vt82c686: QOM-ify superio related functionality

Collect superio functionality and its controlling config registers
handling in an abstract VIA_SUPERIO class that is a subclass of
ISA_SUPERIO and put vt82c686b specific parts in a subclass of this
abstract class.

Signed-off-by: BALATON Zoltan 
---
 hw/isa/vt82c686.c | 242 --
 include/hw/isa/vt82c686.h |   1 -
 2 files changed, 152 insertions(+), 91 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index a3353ec5db..e89dbf43da 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -249,12 +249,21 @@ static const TypeInfo vt8231_pm_info = {
 };
 
 
-typedef struct SuperIOConfig {
+#define TYPE_VIA_SUPERIO "via-superio"
+OBJECT_DECLARE_SIMPLE_TYPE(ViaSuperIOState, VIA_SUPERIO)
+
+struct ViaSuperIOState {
+ISASuperIODevice superio;
 uint8_t regs[0x100];
+const MemoryRegionOps *io_ops;
 MemoryRegion io;
-ISASuperIODevice *superio;
 MemoryRegion *serial_io[SUPERIO_MAX_SERIAL_PORTS];
-} SuperIOConfig;
+};
+
+static inline void via_superio_io_enable(ViaSuperIOState *s, bool enable)
+{
+memory_region_set_enabled(&s->io, enable);
+}
 
 static MemoryRegion *find_subregion(ISADevice *d, MemoryRegion *parent,
 int offs)
@@ -270,10 +279,78 @@ static MemoryRegion *find_subregion(ISADevice *d, 
MemoryRegion *parent,
 return mr;
 }
 
-static void superio_cfg_write(void *opaque, hwaddr addr, uint64_t data,
-  unsigned size)
+static void via_superio_realize(DeviceState *d, Error **errp)
+{
+ViaSuperIOState *s = VIA_SUPERIO(d);
+ISASuperIOClass *ic = ISA_SUPERIO_GET_CLASS(s);
+Error *local_err = NULL;
+int i;
+
+assert(s->io_ops);
+ic->parent_realize(d, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+/* Grab io regions of serial devices so we can control them */
+for (i = 0; i < ic->serial.count; i++) {
+ISADevice *sd = s->superio.serial[i];
+MemoryRegion *io = isa_address_space_io(sd);
+MemoryRegion *mr = find_subregion(sd, io, sd->ioport_id);
+if (!mr) {
+error_setg(errp, "Could not get io region for serial %d", i);
+return;
+}
+s->serial_io[i] = mr;
+}
+
+memory_region_init_io(&s->io, OBJECT(d), s->io_ops, s, "via-superio", 2);
+memory_region_set_enabled(&s->io, false);
+/* The floppy also uses 0x3f0 and 0x3f1 but this seems to work anyway */
+memory_region_add_subregion(isa_address_space_io(ISA_DEVICE(s)), 0x3f0,
+&s->io);
+}
+
+static uint64_t via_superio_cfg_read(void *opaque, hwaddr addr, unsigned size)
+{
+ViaSuperIOState *sc = opaque;
+uint8_t idx = sc->regs[0];
+uint8_t val = sc->regs[idx];
+
+if (addr == 0) {
+return idx;
+}
+if (addr == 1 && idx == 0) {
+val = 0; /* reading reg 0 where we store index value */
+}
+trace_via_superio_read(idx, val);
+return val;
+}
+
+static void via_superio_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+ISASuperIOClass *sc = ISA_SUPERIO_CLASS(klass);
+
+sc->parent_realize = dc->realize;
+dc->realize = via_superio_realize;
+}
+
+static const TypeInfo via_superio_info = {
+.name  = TYPE_VIA_SUPERIO,
+.parent= TYPE_ISA_SUPERIO,
+.instance_size = sizeof(ViaSuperIOState),
+.class_size= sizeof(ISASuperIOClass),
+.class_init= via_superio_class_init,
+.abstract  = true,
+};
+
+#define TYPE_VT82C686B_SUPERIO "vt82c686b-superio"
+
+static void vt82c686b_superio_cfg_write(void *opaque, hwaddr addr,
+uint64_t data, unsigned size)
 {
-SuperIOConfig *sc = opaque;
+ViaSuperIOState *sc = opaque;
 uint8_t idx = sc->regs[0];
 
 if (addr == 0) { /* config index register */
@@ -295,29 +372,29 @@ static void superio_cfg_write(void *opaque, hwaddr addr, 
uint64_t data,
 case 0xfd ... 0xff:
 /* ignore write to read only registers */
 return;
-case 0xe2:
+case 0xe2: /* Function select */
 {
 data &= 0x1f;
 if (data & BIT(2)) { /* Serial port 1 enable */
-ISADevice *dev = sc->superio->serial[0];
+ISADevice *dev = sc->superio.serial[0];
 if (!memory_region_is_mapped(sc->serial_io[0])) {
 memory_region_add_subregion(isa_address_space_io(dev),
 dev->ioport_id, sc->serial_io[0]);
 }
 } else {
-MemoryRegion *io = isa_address_space_io(sc->superio->serial[0]);
+MemoryRegion *io = isa_address_space_io(sc->superio.serial[0]);
 if (memory_region_is_mapped(sc->serial_io[0])) {
 memory_region_del_subregion(io, sc->serial_io[0]);
 }
 }
 if (data & BIT(3)) { /* Serial port 2 enable */
-ISADevic

[PATCH v7 1/8] vt82c686: Implement control of serial port io ranges via config regs

In VIA super south bridge the io ranges of superio components
(parallel and serial ports and FDC) can be controlled by superio
config registers to set their base address and enable/disable them.
This is not easy to implement in QEMU because ISA emulation is only
designed to set io base address once on creating the device and io
ranges are registered at creation and cannot easily be disabled or
moved later.

In this patch we hack around that but only for serial ports because
those have a single io range at port base that's relatively easy to
handle and it's what guests actually use and set address different
than the default.

We do not attempt to handle controlling the parallel and FDC regions
because those have multiple io ranges so handling them would be messy
and guests either don't change their deafult or don't care. We could
even get away with disabling and not emulating them, but since they
are already there, this patch leaves them mapped at their default
address just in case this could be useful for a guest in the future.

Signed-off-by: BALATON Zoltan 
---
 hw/isa/vt82c686.c | 84 +--
 1 file changed, 82 insertions(+), 2 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index 05d084f698..a3353ec5db 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -252,8 +252,24 @@ static const TypeInfo vt8231_pm_info = {
 typedef struct SuperIOConfig {
 uint8_t regs[0x100];
 MemoryRegion io;
+ISASuperIODevice *superio;
+MemoryRegion *serial_io[SUPERIO_MAX_SERIAL_PORTS];
 } SuperIOConfig;
 
+static MemoryRegion *find_subregion(ISADevice *d, MemoryRegion *parent,
+int offs)
+{
+MemoryRegion *subregion, *mr = NULL;
+
+QTAILQ_FOREACH(subregion, &parent->subregions, subregions_link) {
+if (subregion->addr == offs) {
+mr = subregion;
+break;
+}
+}
+return mr;
+}
+
 static void superio_cfg_write(void *opaque, hwaddr addr, uint64_t data,
   unsigned size)
 {
@@ -279,7 +295,53 @@ static void superio_cfg_write(void *opaque, hwaddr addr, 
uint64_t data,
 case 0xfd ... 0xff:
 /* ignore write to read only registers */
 return;
-/* case 0xe6 ... 0xe8: Should set base port of parallel and serial */
+case 0xe2:
+{
+data &= 0x1f;
+if (data & BIT(2)) { /* Serial port 1 enable */
+ISADevice *dev = sc->superio->serial[0];
+if (!memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_add_subregion(isa_address_space_io(dev),
+dev->ioport_id, sc->serial_io[0]);
+}
+} else {
+MemoryRegion *io = isa_address_space_io(sc->superio->serial[0]);
+if (memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_del_subregion(io, sc->serial_io[0]);
+}
+}
+if (data & BIT(3)) { /* Serial port 2 enable */
+ISADevice *dev = sc->superio->serial[1];
+if (!memory_region_is_mapped(sc->serial_io[1])) {
+memory_region_add_subregion(isa_address_space_io(dev),
+dev->ioport_id, sc->serial_io[1]);
+}
+} else {
+MemoryRegion *io = isa_address_space_io(sc->superio->serial[1]);
+if (memory_region_is_mapped(sc->serial_io[1])) {
+memory_region_del_subregion(io, sc->serial_io[1]);
+}
+}
+break;
+}
+case 0xe7: /* Serial port 1 io base address */
+{
+data &= 0xfe;
+sc->superio->serial[0]->ioport_id = data << 2;
+if (memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_set_address(sc->serial_io[0], data << 2);
+}
+break;
+}
+case 0xe8: /* Serial port 2 io base address */
+{
+data &= 0xfe;
+sc->superio->serial[1]->ioport_id = data << 2;
+if (memory_region_is_mapped(sc->serial_io[1])) {
+memory_region_set_address(sc->serial_io[1], data << 2);
+}
+break;
+}
 default:
 qemu_log_mask(LOG_UNIMP,
   "via_superio_cfg: unimplemented register 0x%x\n", idx);
@@ -385,6 +447,7 @@ static void vt82c686b_realize(PCIDevice *d, Error **errp)
 DeviceState *dev = DEVICE(d);
 ISABus *isa_bus;
 qemu_irq *isa_irq;
+ISASuperIOClass *ic;
 int i;
 
 qdev_init_gpio_out(dev, &s->cpu_intr, 1);
@@ -394,7 +457,9 @@ static void vt82c686b_realize(PCIDevice *d, Error **errp)
 isa_bus_irqs(isa_bus, i8259_init(isa_bus, *isa_irq));
 i8254_pit_init(isa_bus, 0x40, 0, NULL);
 i8257_dma_init(isa_bus, 0);
-isa_create_simple(isa_bus, TYPE_VT82C686B_SUPERIO);
+s->superio_cfg.superio = ISA_SUPERIO(isa_create_simple(isa_bus,
+  TYPE_VT82C686B_SUPERIO));
+ic = ISA

[PATCH v7 3/8] vt82c686: Add VT8231_SUPERIO based on VIA_SUPERIO

The VT8231 south bridge is very similar to VT82C686B but there are
some differences in register addresses and functionality, e.g. the
VT8231 only has one serial port. This commit adds VT8231_SUPERIO
subclass based on the abstract VIA_SUPERIO class to emulate the
superio part of VT8231.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Philippe Mathieu-Daudé 
---
 hw/isa/vt82c686.c | 121 ++
 1 file changed, 121 insertions(+)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index e89dbf43da..8131cb42a9 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -491,6 +491,126 @@ static const TypeInfo vt82c686b_superio_info = {
 };
 
 
+#define TYPE_VT8231_SUPERIO "vt8231-superio"
+
+static void vt8231_superio_cfg_write(void *opaque, hwaddr addr,
+ uint64_t data, unsigned size)
+{
+ViaSuperIOState *sc = opaque;
+uint8_t idx = sc->regs[0];
+
+if (addr == 0) { /* config index register */
+sc->regs[0] = data;
+return;
+}
+
+/* config data register */
+trace_via_superio_write(idx, data);
+switch (idx) {
+case 0x00 ... 0xdf:
+case 0xe7 ... 0xef:
+case 0xf0 ... 0xf1:
+case 0xf5:
+case 0xf8:
+case 0xfd:
+/* ignore write to read only registers */
+return;
+case 0xf2: /* Function select */
+{
+data &= 0x17;
+if (data & BIT(2)) { /* Serial port enable */
+ISADevice *dev = sc->superio.serial[0];
+if (!memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_add_subregion(isa_address_space_io(dev),
+dev->ioport_id, sc->serial_io[0]);
+}
+} else {
+MemoryRegion *io = isa_address_space_io(sc->superio.serial[0]);
+if (memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_del_subregion(io, sc->serial_io[0]);
+}
+}
+break;
+}
+case 0xf4: /* Serial port io base address */
+{
+data &= 0xfe;
+sc->superio.serial[0]->ioport_id = data << 2;
+if (memory_region_is_mapped(sc->serial_io[0])) {
+memory_region_set_address(sc->serial_io[0], data << 2);
+}
+break;
+}
+default:
+qemu_log_mask(LOG_UNIMP,
+  "via_superio_cfg: unimplemented register 0x%x\n", idx);
+break;
+}
+sc->regs[idx] = data;
+}
+
+static const MemoryRegionOps vt8231_superio_cfg_ops = {
+.read = via_superio_cfg_read,
+.write = vt8231_superio_cfg_write,
+.endianness = DEVICE_NATIVE_ENDIAN,
+.impl = {
+.min_access_size = 1,
+.max_access_size = 1,
+},
+};
+
+static void vt8231_superio_reset(DeviceState *dev)
+{
+ViaSuperIOState *s = VIA_SUPERIO(dev);
+
+memset(s->regs, 0, sizeof(s->regs));
+/* Device ID */
+s->regs[0xf0] = 0x3c;
+/* Device revision */
+s->regs[0xf1] = 0x01;
+/* Function select - all disabled */
+vt8231_superio_cfg_write(s, 0, 0xf2, 1);
+vt8231_superio_cfg_write(s, 1, 0x03, 1);
+/* Serial port base addr */
+vt8231_superio_cfg_write(s, 0, 0xf4, 1);
+vt8231_superio_cfg_write(s, 1, 0xfe, 1);
+/* Parallel port base addr */
+vt8231_superio_cfg_write(s, 0, 0xf6, 1);
+vt8231_superio_cfg_write(s, 1, 0xde, 1);
+/* Floppy ctrl base addr */
+vt8231_superio_cfg_write(s, 0, 0xf7, 1);
+vt8231_superio_cfg_write(s, 1, 0xfc, 1);
+
+vt8231_superio_cfg_write(s, 0, 0, 1);
+}
+
+static void vt8231_superio_init(Object *obj)
+{
+VIA_SUPERIO(obj)->io_ops = &vt8231_superio_cfg_ops;
+}
+
+static void vt8231_superio_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+ISASuperIOClass *sc = ISA_SUPERIO_CLASS(klass);
+
+dc->reset = vt8231_superio_reset;
+sc->serial.count = 1;
+sc->parallel.count = 1;
+sc->ide.count = 0; /* emulated by via-ide */
+sc->floppy.count = 1;
+}
+
+static const TypeInfo vt8231_superio_info = {
+.name  = TYPE_VT8231_SUPERIO,
+.parent= TYPE_VIA_SUPERIO,
+.instance_size = sizeof(ViaSuperIOState),
+.instance_init = vt8231_superio_init,
+.class_size= sizeof(ISASuperIOClass),
+.class_init= vt8231_superio_class_init,
+};
+
+
 OBJECT_DECLARE_SIMPLE_TYPE(VT82C686BISAState, VT82C686B_ISA)
 
 struct VT82C686BISAState {
@@ -614,6 +734,7 @@ static void vt82c686b_register_types(void)
 type_register_static(&vt8231_pm_info);
 type_register_static(&via_superio_info);
 type_register_static(&vt82c686b_superio_info);
+type_register_static(&vt8231_superio_info);
 type_register_static(&via_info);
 }
 
-- 
2.21.3

[PATCH v7 6/8] hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM

From: Philippe Mathieu-Daudé 

TYPE_VIA_PM calls apm_init() in via_pm_realize(), so
requires APM to be selected.

Reported-by: BALATON Zoltan 
Signed-off-by: Philippe Mathieu-Daudé 
Signed-off-by: BALATON Zoltan 
---
 hw/isa/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/isa/Kconfig b/hw/isa/Kconfig
index c7f07854f7..9c026d0c51 100644
--- a/hw/isa/Kconfig
+++ b/hw/isa/Kconfig
@@ -47,6 +47,7 @@ config VT82C686
 select ACPI_SMBUS
 select SERIAL_ISA
 select FDC
+select APM
 
 config SMC37C669
 bool
-- 
2.21.3

[PATCH v7 5/8] vt82c686: Add emulation of VT8231 south bridge

Add emulation of VT8231 south bridge ISA part based on the similar
VT82C686B but implemented in a separate subclass that holds the
differences while reusing parts that can be shared.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Philippe Mathieu-Daudé 
---
 hw/isa/vt82c686.c | 84 +++
 include/hw/isa/vt82c686.h |  1 +
 include/hw/pci/pci_ids.h  |  1 +
 3 files changed, 86 insertions(+)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index fddbc974bd..51d9eff0ff 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -8,6 +8,9 @@
  *
  * Contributions after 2012-01-13 are licensed under the terms of the
  * GNU GPL, version 2 or (at your option) any later version.
+ *
+ * VT8231 south bridge support and general clean up to allow it
+ * Copyright (c) 2018-2020 BALATON Zoltan
  */
 
 #include "qemu/osdep.h"
@@ -733,6 +736,86 @@ static const TypeInfo vt82c686b_isa_info = {
 .class_init= vt82c686b_class_init,
 };
 
+/* TYPE_VT8231_ISA */
+
+static void vt8231_write_config(PCIDevice *d, uint32_t addr,
+uint32_t val, int len)
+{
+ViaISAState *s = VIA_ISA(d);
+
+trace_via_isa_write(addr, val, len);
+pci_default_write_config(d, addr, val, len);
+if (addr == 0x50) {
+/* BIT(2): enable or disable superio config io ports */
+via_superio_io_enable(s->via_sio, val & BIT(2));
+}
+}
+
+static void vt8231_isa_reset(DeviceState *dev)
+{
+ViaISAState *s = VIA_ISA(dev);
+uint8_t *pci_conf = s->dev.config;
+
+pci_set_long(pci_conf + PCI_CAPABILITY_LIST, 0x00c0);
+pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_IO | PCI_COMMAND_MEMORY |
+ PCI_COMMAND_MASTER | PCI_COMMAND_SPECIAL);
+pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM);
+
+pci_conf[0x58] = 0x40; /* Miscellaneous Control 0 */
+pci_conf[0x67] = 0x08; /* Fast IR Config */
+pci_conf[0x6b] = 0x01; /* Fast IR I/O Base */
+}
+
+static void vt8231_realize(PCIDevice *d, Error **errp)
+{
+ViaISAState *s = VIA_ISA(d);
+DeviceState *dev = DEVICE(d);
+ISABus *isa_bus;
+qemu_irq *isa_irq;
+int i;
+
+qdev_init_gpio_out(dev, &s->cpu_intr, 1);
+isa_irq = qemu_allocate_irqs(via_isa_request_i8259_irq, s, 1);
+isa_bus = isa_bus_new(dev, get_system_memory(), pci_address_space_io(d),
+  &error_fatal);
+isa_bus_irqs(isa_bus, i8259_init(isa_bus, *isa_irq));
+i8254_pit_init(isa_bus, 0x40, 0, NULL);
+i8257_dma_init(isa_bus, 0);
+s->via_sio = VIA_SUPERIO(isa_create_simple(isa_bus, TYPE_VT8231_SUPERIO));
+mc146818_rtc_init(isa_bus, 2000, NULL);
+
+for (i = 0; i < PCI_CONFIG_HEADER_SIZE; i++) {
+if (i < PCI_COMMAND || i >= PCI_REVISION_ID) {
+d->wmask[i] = 0;
+}
+}
+}
+
+static void vt8231_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+k->realize = vt8231_realize;
+k->config_write = vt8231_write_config;
+k->vendor_id = PCI_VENDOR_ID_VIA;
+k->device_id = PCI_DEVICE_ID_VIA_8231_ISA;
+k->class_id = PCI_CLASS_BRIDGE_ISA;
+k->revision = 0x10;
+dc->reset = vt8231_isa_reset;
+dc->desc = "ISA bridge";
+dc->vmsd = &vmstate_via;
+/* Reason: part of VIA VT8231 southbridge, needs to be wired up */
+dc->user_creatable = false;
+}
+
+static const TypeInfo vt8231_isa_info = {
+.name  = TYPE_VT8231_ISA,
+.parent= TYPE_VIA_ISA,
+.instance_size = sizeof(ViaISAState),
+.class_init= vt8231_class_init,
+};
+
 
 static void vt82c686b_register_types(void)
 {
@@ -744,6 +827,7 @@ static void vt82c686b_register_types(void)
 type_register_static(&vt8231_superio_info);
 type_register_static(&via_isa_info);
 type_register_static(&vt82c686b_isa_info);
+type_register_static(&vt8231_isa_info);
 }
 
 type_init(vt82c686b_register_types)
diff --git a/include/hw/isa/vt82c686.h b/include/hw/isa/vt82c686.h
index 0692b9a527..0f01aaa471 100644
--- a/include/hw/isa/vt82c686.h
+++ b/include/hw/isa/vt82c686.h
@@ -3,6 +3,7 @@
 
 #define TYPE_VT82C686B_ISA "vt82c686b-isa"
 #define TYPE_VT82C686B_PM "vt82c686b-pm"
+#define TYPE_VT8231_ISA "vt8231-isa"
 #define TYPE_VT8231_PM "vt8231-pm"
 #define TYPE_VIA_AC97 "via-ac97"
 #define TYPE_VIA_MC97 "via-mc97"
diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
index aa3f67eaa4..ac0c23ebc7 100644
--- a/include/hw/pci/pci_ids.h
+++ b/include/hw/pci/pci_ids.h
@@ -210,6 +210,7 @@
 #define PCI_DEVICE_ID_VIA_82C686B_PM 0x3057
 #define PCI_DEVICE_ID_VIA_AC97   0x3058
 #define PCI_DEVICE_ID_VIA_MC97   0x3068
+#define PCI_DEVICE_ID_VIA_8231_ISA   0x8231
 #define PCI_DEVICE_ID_VIA_8231_PM0x8235
 
 #define PCI_VENDOR_ID_MARVELL0x11ab
-- 
2.21.3

[PATCH v7 0/8] Pegasos2 emulation

Hello,

This is adding a new PPC board called pegasos2. More info on it can be
found at:

https://osdn.net/projects/qmiga/wiki/SubprojectPegasos2

Currently it needs a firmware ROM image that I cannot include due to
original copyright holder (bPlan) did not release it under a free
licence but I have plans to write a replacement in the future. With
the original board firmware it can boot MorphOS now as:

qemu-system-ppc -M pegasos2 -cdrom morphos.iso -device ati-vga,romfile="" 
-serial stdio

then enter "boot cd boot.img" at the firmware "ok" prompt as described
in the MorphOS.readme. To boot Linux use same command line with e.g.
-cdrom debian-8.11.0-powerpc-netinst.iso then enter
"boot cd install/pegasos"

The last patch adds the actual board code after previous patches
adding VT8231 and MV64361 system controller chip emulation.

Regards,
BALATON Zoltan

v7: Fix errp usage in patch 2

v6: Rebased on master, updated commit message about migration change

v5: Changes for review comments from David and Philippe

V4: Rename pegasos2_reset to pegasos2_cpu_reset
Add new files to MAINTAINERS

BALATON Zoltan (7):
  vt82c686: Implement control of serial port io ranges via config regs
  vt82c686: QOM-ify superio related functionality
  vt82c686: Add VT8231_SUPERIO based on VIA_SUPERIO
  vt82c686: Introduce abstract TYPE_VIA_ISA and base vt82c686b_isa on it
  vt82c686: Add emulation of VT8231 south bridge
  hw/pci-host: Add emulation of Marvell MV64361 PPC system controller
  hw/ppc: Add emulation of Genesi/bPlan Pegasos II

Philippe Mathieu-Daudé (1):
  hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM

 MAINTAINERS |  10 +
 default-configs/devices/ppc-softmmu.mak |   2 +
 hw/isa/Kconfig  |   1 +
 hw/isa/vt82c686.c   | 517 +++--
 hw/pci-host/Kconfig |   4 +
 hw/pci-host/meson.build |   2 +
 hw/pci-host/mv64361.c   | 966 
 hw/pci-host/mv643xx.h   | 918 ++
 hw/pci-host/trace-events|   6 +
 hw/ppc/Kconfig  |   9 +
 hw/ppc/meson.build  |   2 +
 hw/ppc/pegasos2.c   | 144 
 include/hw/isa/vt82c686.h   |   2 +-
 include/hw/pci-host/mv64361.h   |   8 +
 include/hw/pci/pci_ids.h|   4 +-
 15 files changed, 2512 insertions(+), 83 deletions(-)
 create mode 100644 hw/pci-host/mv64361.c
 create mode 100644 hw/pci-host/mv643xx.h
 create mode 100644 hw/ppc/pegasos2.c
 create mode 100644 include/hw/pci-host/mv64361.h

-- 
2.21.3

[PATCH v7 4/8] vt82c686: Introduce abstract TYPE_VIA_ISA and base vt82c686b_isa on it

To allow reusing ISA bridge emulation for vt8231_isa move the device
state of vt82c686b_isa emulation in an abstract via_isa class. This
change breaks migration back compatibility but this is not an issue
for Fuloong2E machine which is not versioned or migration supported.

Signed-off-by: BALATON Zoltan 
---
 hw/isa/vt82c686.c| 70 ++--
 include/hw/pci/pci_ids.h |  2 +-
 2 files changed, 40 insertions(+), 32 deletions(-)

diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
index 8131cb42a9..fddbc974bd 100644
--- a/hw/isa/vt82c686.c
+++ b/hw/isa/vt82c686.c
@@ -611,24 +611,48 @@ static const TypeInfo vt8231_superio_info = {
 };
 
 
-OBJECT_DECLARE_SIMPLE_TYPE(VT82C686BISAState, VT82C686B_ISA)
+#define TYPE_VIA_ISA "via-isa"
+OBJECT_DECLARE_SIMPLE_TYPE(ViaISAState, VIA_ISA)
 
-struct VT82C686BISAState {
+struct ViaISAState {
 PCIDevice dev;
 qemu_irq cpu_intr;
 ViaSuperIOState *via_sio;
 };
 
+static const VMStateDescription vmstate_via = {
+.name = "via-isa",
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_PCI_DEVICE(dev, ViaISAState),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const TypeInfo via_isa_info = {
+.name  = TYPE_VIA_ISA,
+.parent= TYPE_PCI_DEVICE,
+.instance_size = sizeof(ViaISAState),
+.abstract  = true,
+.interfaces= (InterfaceInfo[]) {
+{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
+{ },
+},
+};
+
 static void via_isa_request_i8259_irq(void *opaque, int irq, int level)
 {
-VT82C686BISAState *s = opaque;
+ViaISAState *s = opaque;
 qemu_set_irq(s->cpu_intr, level);
 }
 
+/* TYPE_VT82C686B_ISA */
+
 static void vt82c686b_write_config(PCIDevice *d, uint32_t addr,
uint32_t val, int len)
 {
-VT82C686BISAState *s = VT82C686B_ISA(d);
+ViaISAState *s = VIA_ISA(d);
 
 trace_via_isa_write(addr, val, len);
 pci_default_write_config(d, addr, val, len);
@@ -638,19 +662,9 @@ static void vt82c686b_write_config(PCIDevice *d, uint32_t 
addr,
 }
 }
 
-static const VMStateDescription vmstate_via = {
-.name = "vt82c686b",
-.version_id = 1,
-.minimum_version_id = 1,
-.fields = (VMStateField[]) {
-VMSTATE_PCI_DEVICE(dev, VT82C686BISAState),
-VMSTATE_END_OF_LIST()
-}
-};
-
 static void vt82c686b_isa_reset(DeviceState *dev)
 {
-VT82C686BISAState *s = VT82C686B_ISA(dev);
+ViaISAState *s = VIA_ISA(dev);
 uint8_t *pci_conf = s->dev.config;
 
 pci_set_long(pci_conf + PCI_CAPABILITY_LIST, 0x00c0);
@@ -670,7 +684,7 @@ static void vt82c686b_isa_reset(DeviceState *dev)
 
 static void vt82c686b_realize(PCIDevice *d, Error **errp)
 {
-VT82C686BISAState *s = VT82C686B_ISA(d);
+ViaISAState *s = VIA_ISA(d);
 DeviceState *dev = DEVICE(d);
 ISABus *isa_bus;
 qemu_irq *isa_irq;
@@ -694,7 +708,7 @@ static void vt82c686b_realize(PCIDevice *d, Error **errp)
 }
 }
 
-static void via_class_init(ObjectClass *klass, void *data)
+static void vt82c686b_class_init(ObjectClass *klass, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
@@ -702,28 +716,21 @@ static void via_class_init(ObjectClass *klass, void *data)
 k->realize = vt82c686b_realize;
 k->config_write = vt82c686b_write_config;
 k->vendor_id = PCI_VENDOR_ID_VIA;
-k->device_id = PCI_DEVICE_ID_VIA_ISA_BRIDGE;
+k->device_id = PCI_DEVICE_ID_VIA_82C686B_ISA;
 k->class_id = PCI_CLASS_BRIDGE_ISA;
 k->revision = 0x40;
 dc->reset = vt82c686b_isa_reset;
 dc->desc = "ISA bridge";
 dc->vmsd = &vmstate_via;
-/*
- * Reason: part of VIA VT82C686 southbridge, needs to be wired up,
- * e.g. by mips_fuloong2e_init()
- */
+/* Reason: part of VIA VT82C686 southbridge, needs to be wired up */
 dc->user_creatable = false;
 }
 
-static const TypeInfo via_info = {
+static const TypeInfo vt82c686b_isa_info = {
 .name  = TYPE_VT82C686B_ISA,
-.parent= TYPE_PCI_DEVICE,
-.instance_size = sizeof(VT82C686BISAState),
-.class_init= via_class_init,
-.interfaces = (InterfaceInfo[]) {
-{ INTERFACE_CONVENTIONAL_PCI_DEVICE },
-{ },
-},
+.parent= TYPE_VIA_ISA,
+.instance_size = sizeof(ViaISAState),
+.class_init= vt82c686b_class_init,
 };
 
 
@@ -735,7 +742,8 @@ static void vt82c686b_register_types(void)
 type_register_static(&via_superio_info);
 type_register_static(&vt82c686b_superio_info);
 type_register_static(&vt8231_superio_info);
-type_register_static(&via_info);
+type_register_static(&via_isa_info);
+type_register_static(&vt82c686b_isa_info);
 }
 
 type_init(vt82c686b_register_types)
diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
index ea28dcc850..aa3f67eaa4 100644
--- a/include/hw/pci/pci_ids.h
+++ b/include/hw/pci/pci_ids.h
@@ -204,7 +204,7 @@
 #def

[PATCH v4 2/3] vfio: Set the priority of the VFIO VM state change handler explicitly

In the VFIO VM state change handler when stopping the VM, the _RUNNING
bit in device_state is cleared which makes the VFIO device stop, including
no longer generating interrupts. Then we can save the pending states of
all interrupts in the GIC VM state change handler (on ARM).

So we have to set the priority of the VFIO VM state change handler
explicitly (like virtio devices) to ensure it is called before the
GIC's in saving.

Signed-off-by: Shenming Lu 
Reviewed-by: Kirti Wankhede 
Reviewed-by: Cornelia Huck 
---
 hw/vfio/migration.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c
index f5bf67f642..b74982e3e6 100644
--- a/hw/vfio/migration.c
+++ b/hw/vfio/migration.c
@@ -862,7 +862,8 @@ static int vfio_migration_init(VFIODevice *vbasedev,
 register_savevm_live(id, VMSTATE_INSTANCE_ID_ANY, 1, &savevm_vfio_handlers,
  vbasedev);
 
-migration->vm_state = qemu_add_vm_change_state_handler(vfio_vmstate_change,
+migration->vm_state = qdev_add_vm_change_state_handler(vbasedev->dev,
+   vfio_vmstate_change,
vbasedev);
 migration->migration_state.notify = vfio_migration_state_notifier;
 add_migration_state_change_notifier(&migration->migration_state);
-- 
2.19.1

[PATCH v4 0/3] vfio: Some fixes and optimizations for VFIO migration

This patch set includes two fixes and one optimization for VFIO migration
as blew:

Patch 1-2:
- Fix two ordering problems in migration.

Patch 3:
- Optimize the enabling process of the MSI-X vectors in migration.

History:

v3 -> v4
- Use msix_function_masked instead of msix_masked() in Patch 3.

v2 -> v3:
- Nit fixes.
- Set error in migration stream for migration to fail in Patch 1.
- Tested Patch 3 with a Windows guest.

Thanks,
Shenming


Shenming Lu (3):
  vfio: Move the saving of the config space to the right place in VFIO
migration
  vfio: Set the priority of the VFIO VM state change handler explicitly
  vfio: Avoid disabling and enabling vectors repeatedly in VFIO
migration

 hw/vfio/migration.c | 28 +---
 hw/vfio/pci.c   | 20 +---
 2 files changed, 34 insertions(+), 14 deletions(-)

-- 
2.19.1

[PATCH v4 3/3] vfio: Avoid disabling and enabling vectors repeatedly in VFIO migration

In VFIO migration resume phase and some guest startups, there are
already unmasked vectors in the vector table when calling
vfio_msix_enable(). So in order to avoid inefficiently disabling
and enabling vectors repeatedly, let's allocate all needed vectors
first and then enable these unmasked vectors one by one without
disabling.

Signed-off-by: Shenming Lu 
---
 hw/vfio/pci.c | 20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index f74be78209..fece8c2504 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -569,6 +569,9 @@ static void vfio_msix_vector_release(PCIDevice *pdev, 
unsigned int nr)
 
 static void vfio_msix_enable(VFIOPCIDevice *vdev)
 {
+PCIDevice *pdev = &vdev->pdev;
+unsigned int nr, max_vec = 0;
+
 vfio_disable_interrupts(vdev);
 
 vdev->msi_vectors = g_new0(VFIOMSIVector, vdev->msix->entries);
@@ -587,11 +590,22 @@ static void vfio_msix_enable(VFIOPCIDevice *vdev)
  * triggering to userspace, then immediately release the vector, leaving
  * the physical device with no vectors enabled, but MSI-X enabled, just
  * like the guest view.
+ * If there are already unmasked vectors (in migration resume phase and
+ * some guest startups) which will be enabled soon, we can allocate all
+ * of them here to avoid inefficiently disabling and enabling vectors
+ * repeatedly later.
  */
-vfio_msix_vector_do_use(&vdev->pdev, 0, NULL, NULL);
-vfio_msix_vector_release(&vdev->pdev, 0);
+if (!pdev->msix_function_masked) {
+for (nr = 0; nr < msix_nr_vectors_allocated(pdev); nr++) {
+if (!msix_is_masked(pdev, nr)) {
+max_vec = nr;
+}
+}
+}
+vfio_msix_vector_do_use(pdev, max_vec, NULL, NULL);
+vfio_msix_vector_release(pdev, max_vec);
 
-if (msix_set_vector_notifiers(&vdev->pdev, vfio_msix_vector_use,
+if (msix_set_vector_notifiers(pdev, vfio_msix_vector_use,
   vfio_msix_vector_release, NULL)) {
 error_report("vfio: msix_set_vector_notifiers failed");
 }
-- 
2.19.1

[PATCH v4 1/3] vfio: Move the saving of the config space to the right place in VFIO migration

On ARM64 the VFIO SET_IRQS ioctl is dependent on the VM interrupt
setup, if the restoring of the VFIO PCI device config space is
before the VGIC, an error might occur in the kernel.

So we move the saving of the config space to the non-iterable
process, thus it will be called after the VGIC according to
their priorities.

As for the possible dependence of the device specific migration
data on it's config space, we can let the vendor driver to
include any config info it needs in its own data stream.

Signed-off-by: Shenming Lu 
Reviewed-by: Kirti Wankhede 
---
 hw/vfio/migration.c | 25 +++--
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c
index 00daa50ed8..f5bf67f642 100644
--- a/hw/vfio/migration.c
+++ b/hw/vfio/migration.c
@@ -575,11 +575,6 @@ static int vfio_save_complete_precopy(QEMUFile *f, void 
*opaque)
 return ret;
 }
 
-ret = vfio_save_device_config_state(f, opaque);
-if (ret) {
-return ret;
-}
-
 ret = vfio_update_pending(vbasedev);
 if (ret) {
 return ret;
@@ -620,6 +615,19 @@ static int vfio_save_complete_precopy(QEMUFile *f, void 
*opaque)
 return ret;
 }
 
+static void vfio_save_state(QEMUFile *f, void *opaque)
+{
+VFIODevice *vbasedev = opaque;
+int ret;
+
+ret = vfio_save_device_config_state(f, opaque);
+if (ret) {
+error_report("%s: Failed to save device config space",
+ vbasedev->name);
+qemu_file_set_error(f, ret);
+}
+}
+
 static int vfio_load_setup(QEMUFile *f, void *opaque)
 {
 VFIODevice *vbasedev = opaque;
@@ -670,11 +678,7 @@ static int vfio_load_state(QEMUFile *f, void *opaque, int 
version_id)
 switch (data) {
 case VFIO_MIG_FLAG_DEV_CONFIG_STATE:
 {
-ret = vfio_load_device_config_state(f, opaque);
-if (ret) {
-return ret;
-}
-break;
+return vfio_load_device_config_state(f, opaque);
 }
 case VFIO_MIG_FLAG_DEV_SETUP_STATE:
 {
@@ -720,6 +724,7 @@ static SaveVMHandlers savevm_vfio_handlers = {
 .save_live_pending = vfio_save_pending,
 .save_live_iterate = vfio_save_iterate,
 .save_live_complete_precopy = vfio_save_complete_precopy,
+.save_state = vfio_save_state,
 .load_setup = vfio_load_setup,
 .load_cleanup = vfio_load_cleanup,
 .load_state = vfio_load_state,
-- 
2.19.1

Emulating STM32F407 (Cortex-M4) with peripherals on an X86

2021-03-09 Thread Srinath M

Hi

I am new to the Qemu project and was wondering if it is possible to emulate
the above processor with it's peripherals (Uart, DMA at least) on an X86.
Would it be possible for the following OS to run in a Qemu emulation (as it
does on the real processor) ?
https://www.st.com/en/development-tools/coide.html

I want to see how many such devices would interact with each other over a
network and it's unviable to have dozens of embedded boards at a time.

Generally all these processors have more functionality than pins, so the
pins are multiplexed and must be assigned functionality in a startup
routine. So i think there must be a CPU+peripheral emulator running on a
board emulator.

I would like to know if anyone has attempted something like this before or
some thoughts on the best way forward.

Regards
Srinath

Re: [PATCH] hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM


On Wed, 10 Mar 2021, Philippe Mathieu-Daudé wrote:

On 3/10/21 12:41 AM, BALATON Zoltan wrote:

On Tue, 9 Mar 2021, Philippe Mathieu-Daudé wrote:

ping for review?


This is included in my pegasos2 series as 6/8 replacing half of a
similar patch from my original version. Since I've reported it I don't
think I should be also reviewing it but it's quite trivial so may not
need that much review.


Forwarding a patch doesn't mean you have reviewed it :/


I guess it does mean I agree with it and really don't see how another line 
with my name would make it any better when it already has my Suggested-by 
and Signed-off-by. An R-b tag probably really only helps for patches that 
are more complex than one line that the maintainter can easily check.



If you can provide a formal R-b tag, then I can queue this or the
one in your series.


The two are the same. If you commit this first my series can be easily 
rebased by dropping that patch or it will get committed as part of the 
series. At this point I think it's easiest if David takes the whole series 
than if you take a few of them then I have to rebase again and part of the 
series goes in via another tree. As the freeze is nearing I'd like 
somebody take the whole series so if you can ack the vt82c686 parts I 
think you don't need to do anything more which is what you said before 
you'd prefer.


I'll fix the errp you've noticed and repost. Adding any more to the series 
now would need starting review again which would risk missing the freeze. 
So unless it's needed to accept the series as it is I'd leave any other 
improvements for later after this pegasos2 series is merged.


Regards,
BALATON Zoltan


Thanks,

Phil.

Re: [PATCH v6 4/8] vt82c686: Introduce abstract TYPE_VIA_ISA and base vt82c686b_isa on it


On Wed, 10 Mar 2021, Philippe Mathieu-Daudé wrote:

On 3/9/21 9:28 PM, BALATON Zoltan wrote:

To allow reusing ISA bridge emulation for vt8231_isa move the device
state of vt82c686b_isa emulation in an abstract via_isa class. This
change breaks migration back compatibility but this is not an issue
for Fuloong2E machine which is not versioned or migration supported.

Signed-off-by: BALATON Zoltan 
---
 hw/isa/vt82c686.c| 70 ++--
 include/hw/pci/pci_ids.h |  2 +-
 2 files changed, 40 insertions(+), 32 deletions(-)


This should be OK if this other series is accepted:
"hw/usb: Extract Extract VT82C686 UHCI PCI function into new unit"
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg03083.html


How is this patch related to that series? This one changes the isa bridge 
part and that makes the usb part compiled only if configured. These seem 
unrelated and independent to me.


Regards,
BALATON Zoltan


I'll come back to this patch after the former series is reviewed.

Re: [PATCH 3/3] hw/usb: Extract VT82C686 UHCI PCI function into a new unit


On Wed, 10 Mar 2021, Philippe Mathieu-Daudé wrote:

On 3/9/21 9:13 PM, BALATON Zoltan wrote:

On Tue, 9 Mar 2021, Philippe Mathieu-Daudé wrote:

Extract the VT82C686 PCI UHCI function into a new unit so
it is only build when the VT82C686 south bridge is selected.


I'm not sure it's worth separating just this one device from the other
similar usb devices when the others that are also part of south bridge
chips are left there. Maybe you could just set user_creatable = false so
it can only be created as part of the chips that contain it or just
don't bother and leave it as it is which is the least likely to break
anything that may rely on it as removing it from the device list may
need to go through deprecation.

But I don't really mind, so if others like this approach I don't want to
block the patch. I think it's unlikely anybody would use this device
other than part of fuloong2e or pegasos2 so probably it's unlikely to
break anything if it suddenly goes away from a new build.


OK. As I sent this series to help you with your Pegasos2 board, do you
mind sending a patch then?

I suppose you mean using "#include CONFIG_DEVICES" and checking for the
CONFIG_VT82C686 symbol to register the QOM type?


I don't see how this should help with the pegasos2 series as that's 
already working without this change. I really just meant I don't see this 
would improve much when you leave the piix and ich ones there that are the 
same for other south bridges so this patch makes one of these configurable 
but not the others, that makes them different when they are now similar. 
Additionally it may break something as it changes the availability of this 
device (although that's very unlikely to cause problems in practice). So 
I'd just leave this alone for now and not change it at all until all of 
these are cleaned up in a uniform way at some later point if that's deemed 
useful or desirable. Maybe I'm missing the point though.


But while pegasos2 does not need this change it should also not break it 
so I don't really mind.


Regards,
BALATON Zoltan

Re: [RFC RESEND PATCH 0/4] hw/arm/virt-acpi-build: Introduce iommu option for pci root bus

2021-03-09 Thread Wang Xingang


Hi Eric,

On 2021/3/9 22:36, Auger Eric wrote:

Hi,
On 2/27/21 9:33 AM, Wang Xingang wrote:

From: Xingang Wang 

These patches add support for configure iommu on/off for pci root bus,
including primary bus and pxb root bus. At present, All root bus will go
through iommu when iommu is configured, which is not flexible.

So this add option to enable/disable iommu for primary bus and pxb root bus.
When iommu is enabled for the root bus, devices attached to it will go
through iommu. When iommu is disabled for the root bus, devices will not
go through iommu accordingly.


Please could you give an example of the qemu command line for which the
new option is useful for you. This would help me to understand your
pcie/pci topology and also make sure I test it with the smmu.

Thank you in advance

Best Regards

Eric


Xingang Wang (4):
   pci: Add PCI_BUS_IOMMU property
   hw/pci: Add iommu option for pci root bus
   hw/pci: Add pci_root_bus_max_bus
   hw/arm/virt-acpi-build: Add explicit idmap info in IORT table

  hw/arm/virt-acpi-build.c| 92 +
  hw/arm/virt.c   | 29 +
  hw/pci-bridge/pci_expander_bridge.c |  6 ++
  hw/pci/pci.c| 35 ++-
  include/hw/arm/virt.h   |  1 +
  include/hw/pci/pci.h|  1 +
  include/hw/pci/pci_bus.h| 13 
  7 files changed, 153 insertions(+), 24 deletions(-)



.



Thanks for your advice.

I test this with the following script, in which i add two options.

The option `primary_bus_iommu=false(or true)` for `-machine 
virt,iommu=smmuv3`, this helps to enable/disable whether primary bus go 
through iommu.


The other option `iommu=false` or `iommu=true` for `-device pxb-pcie` 
helps to enable/disable whether pxb root bus go through iommu.



#!/bin/sh

/path/to/qemu/build/aarch64-softmmu/qemu-system-aarch64 \
-enable-kvm \
-cpu host \
-kernel /path/to/linux/arch/arm64/boot/Image \
-m 16G \
-smp 8,sockets=8,cores=1,threads=1 \
-machine 
virt,kernel_irqchip=on,gic-version=3,iommu=smmuv3,primary_bus_iommu=false \
-drive file=./QEMU_EFI-pflash.raw,if=pflash,format=raw,unit=0,readonly=on \
-device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,addr=0x3.0x1,iommu=false \
-device pxb-pcie,bus_nr=0x20,id=pci.20,bus=pcie.0,addr=0x3.0x2,iommu=true \
-device pxb-pcie,bus_nr=0x23,id=pci.30,bus=pcie.0,addr=0x3.0x3,iommu=true \
-device pxb-pcie,bus_nr=0x40,id=pci.40,bus=pcie.0,addr=0x3.0x4,iommu=false \
-device pcie-pci-bridge,id=pci.11,bus=pci.10,addr=0x1 \
-device pcie-pci-bridge,id=pci.21,bus=pci.20,addr=0x1 \
-device pcie-root-port,port=0x20,chassis=10,id=pci.2,bus=pcie.0,addr=0x2 \
-device pcie-root-port,port=0x20,chassis=11,id=pci.12,bus=pci.10,addr=0x2 \
-device pcie-root-port,port=0x20,chassis=19,id=pci.19,bus=pci.11,addr=0x3 \
-device pcie-root-port,port=0x20,chassis=12,id=pci.22,bus=pci.20,addr=0x2 \
-device pcie-root-port,port=0x20,chassis=13,id=pci.42,bus=pci.40,addr=0x2 \
-device virtio-scsi-pci,id=scsi0,bus=pci.12,addr=0x1 \
-device vfio-pci,host=b5:00.2,bus=pci.42,addr=0x0,id=acc2 \
-net none \
-initrd /path/to/rootfs.cpio.gz \
-nographic \
-append "rdinit=init console=ttyAMA0 earlycon=pl011,0x900 nokaslr" \


I test the command line with an accelerator. The IORT table will have 
some changes, so only the root bus with iommu=true will go through smmuv3.


Thanks,
Xingang
.

Re: [PATCH v2 2/2] accel: kvm: Add aligment assert for kvm_log_clear_one_slot

2021-03-09 Thread Keqian Zhu




On 2021/3/10 0:08, Peter Xu wrote:
> On Tue, Mar 09, 2021 at 02:57:53PM +, Dr. David Alan Gilbert wrote:
>> * Thomas Huth (th...@redhat.com) wrote:
>>> On 09/03/2021 15.05, Keqian Zhu wrote:


 On 2021/3/9 21:48, Thomas Huth wrote:
> On 17/12/2020 02.49, Keqian Zhu wrote:
[...]

>>>
>>> #0  0x72c1584f in raise () at /lib64/libc.so.6
>>> #1  0x72bffc45 in abort () at /lib64/libc.so.6
>>> #2  0x72bffb19 in _nl_load_domain.cold.0 () at /lib64/libc.so.6
>>> #3  0x72c0de36 in .annobin_assert.c_end () at /lib64/libc.so.6
>>> #4  0x55ba25f3 in kvm_log_clear_one_slot
>>> (size=6910080, start=0, as_id=0, mem=0x56e1ee00)
>>> at ../../devel/qemu/accel/kvm/kvm-all.c:691
>>> #5  0x55ba25f3 in kvm_physical_log_clear
>>> (section=0x7fffd0b0, section=0x7fffd0b0, kml=0x56dbaac0)
>>> at ../../devel/qemu/accel/kvm/kvm-all.c:843
>>> #6  0x55ba25f3 in kvm_log_clear (listener=0x56dbaac0, 
>>> section=0x7fffd0b0)
>>> at ../../devel/qemu/accel/kvm/kvm-all.c:1253
>>> #7  0x55b023d8 in memory_region_clear_dirty_bitmap
>>> (mr=mr@entry=0x573394c0, start=start@entry=0, len=len@entry=6910080)
>>> at ../../devel/qemu/softmmu/memory.c:2132
>>> #8  0x55b313d9 in cpu_physical_memory_snapshot_and_clear_dirty
>>> (mr=mr@entry=0x573394c0, offset=offset@entry=0, 
>>> length=length@entry=6910080, client=client@entry=0) at 
>>> ../../devel/qemu/softmmu/physmem.c:1109
>>> #9  0x55b02483 in memory_region_snapshot_and_clear_dirty
>>> (mr=mr@entry=0x573394c0, addr=addr@entry=0, 
>>> size=size@entry=6910080, client=client@entry=0)
>>> at ../../devel/qemu/softmmu/memory.c:2146
>>
>> Could you please figure out which memory region this is?
>> WTH is that size? Is that really the problem that the size is just
>> crazy?
> 
> It seems vga_draw_graphic() could call 
> memory_region_snapshot_and_clear_dirty()
> with not-page-aligned size.  cpu_physical_memory_snapshot_and_clear_dirty()
> actually took care of most of it on alignment, however still the "length"
> parameter got passed in without alignment check or so.
> 
> Cc Gerd too.
> 
> I'm not sure how many use cases are there like this.. if there're a lot maybe
> we can indeed drop this assert patch, but instead in kvm_log_clear_one_slot()
> we should ALIGN_DOWN the size to smallest host page size. Say, if we need to
> clear dirty bit for range (0, 0x1020), we should only clean (0, 0x1000) since
> there can still be dirty data on range (0x1020, 0x2000).
Right, the @start and @size should be properly aligned by 
kvm_log_clear_one_slot().
We shouldn't clear areas that beyond what caller expected.

An assert here is not properly.

Thanks,
Keqian
> 
> Thanks,
> 
>>
>> Dave
>>
>>> #10 0x55babe99 in vga_draw_graphic (full_update=0, s=0x573394b0)
>>> at ../../devel/qemu/hw/display/vga.c:1661
>>> #11 0x55babe99 in vga_update_display (opaque=0x573394b0)
>>> at ../../devel/qemu/hw/display/vga.c:1784
>>> #12 0x55babe99 in vga_update_display (opaque=0x573394b0)
>>> at ../../devel/qemu/hw/display/vga.c:1757
>>> #13 0x558ddd32 in graphic_hw_update (con=0x56a11800)
>>> at ../../devel/qemu/ui/console.c:279
>>> #14 0x558dccd2 in dpy_refresh (s=0x56c17da0) at 
>>> ../../devel/qemu/ui/console.c:1742
>>> #15 0x558dccd2 in gui_update (opaque=opaque@entry=0x56c17da0)
>>> at ../../devel/qemu/ui/console.c:209
>>> #16 0x55dbd520 in timerlist_run_timers (timer_list=0x56937c50)
>>> at ../../devel/qemu/util/qemu-timer.c:574
>>> #17 0x55dbd520 in timerlist_run_timers (timer_list=0x56937c50)
>>> at ../../devel/qemu/util/qemu-timer.c:499
>>> #18 0x55dbd74a in qemu_clock_run_timers (type=)
>>> at ../../devel/qemu/util/qemu-timer.c:670
>>> #19 0x55dbd74a in qemu_clock_run_all_timers () at 
>>> ../../devel/qemu/util/qemu-timer.c:670
>>>
>>> Looks like something in the vga code calls this with size=6910080
>>> and thus triggers the alignment assertion?
>>>
>>>  Thomas
>> -- 
>> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
>>
>

Re: [PATCH qemu v14] spapr: Implement Open Firmware client interface

2021-03-09 Thread Alexey Kardashevskiy





On 10/03/2021 01:00, BALATON Zoltan wrote:

On Tue, 9 Mar 2021, Alexey Kardashevskiy wrote:

On 09/03/2021 16:29, David Gibson wrote:

+struct ClientArchitectureSupportClass {
+    InterfaceClass parent;
+    target_ulong (*cas)(CPUState *cs, target_ulong vec);
+    void (*quiesce)(void);


Is there actually any real connection of quiesce behaviour to cas
behaviour?  Basically, I'm wondering if this is not so much about
client-architecture-support fundamentally as just about
machine-specific parts of the VOF behaviour.  Which would be fine, but
suggests a different name for the interface.


The most canonical way would be having 2 interfaces.


Why?  I don't see any reason these shouldn't be a single interface, it
just has a bad name.


I renamed it to SpaprVofInterface for now.



[snip]

+typedef int size_t;
+typedef void client(void);
+
+/* globals */
+extern void _prom_entry(void); /* OF CI entry point (i.e. this 
firmware) */

+
+void do_boot(unsigned long addr, unsigned long r3, unsigned long 
r4);

+
+/* libc */
+int strlen(const char *s);
+int strcmp(const char *s1, const char *s2);
+void *memcpy(void *dest, const void *src, size_t n);
+int memcmp(const void *ptr1, const void *ptr2, size_t n);
+void *memmove(void *dest, const void *src, size_t n);
+void *memset(void *dest, int c, size_t size);
+
+/* Prom */
+typedef unsigned long prom_arg_t;
+int call_prom(const char *service, int nargs, int nret, ...);


AIUI this isn't so much about calling the PROM, since this *is* the
PROM code, but rather about calling the parts that are implemented on
the qemu side.  Different names might clarify that.


"call_ci"?


Works for me.


call_ci() it is then.

About builtins such as memcmp() - turns out these are not really 
builtins as they are not inlined and gcc/ld still want to link against 
libc which is trickier for such firmware (not quite sure how to do 
this and keep it small and not pull other libc stuff in), gcc just 
knows about them a bit more. This is different from, for example, 
__builtin_ctz which is inlined. So I am keeping my libc.o for now.


Do they really want libc or they are in libgcc for which there's 
--static-libgcc I think to avoid needing it in runtime but not sure what 
clang has for these.


I was getting "unresolved symbol `memcmp`" when I tried calling memcmp() 
or __builtin_memcmp() and "-lc" did not help (installed some multilib 
packages, did not help either). I figured if I cannot get it compile in 
3 minutes, I should not probably be posting this and better off simply 
keeping the existing small libc.




--
Alexey

Re: [PATCH] vfio: Support host translation granule size

2021-03-09 Thread Keqian Zhu

Hi Alex,

On 2021/3/10 7:17, Alex Williamson wrote:
> On Thu, 4 Mar 2021 21:34:46 +0800
> Kunkun Jiang  wrote:
> 
>> The cpu_physical_memory_set_dirty_lebitmap() can quickly deal with
>> the dirty pages of memory by bitmap-traveling, regardless of whether
>> the bitmap is aligned correctly or not.
>>
>> cpu_physical_memory_set_dirty_lebitmap() supports pages in bitmap of
>> host page size. So it'd better to set bitmap_pgsize to host page size
>> to support more translation granule sizes.
>>
>> Fixes: 87ea529c502 (vfio: Get migration capability flags for container)
>> Signed-off-by: Kunkun Jiang 
>> ---
>>  hw/vfio/common.c | 44 ++--
>>  1 file changed, 22 insertions(+), 22 deletions(-)
>>
>> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
>> index 6ff1daa763..69fb5083a4 100644
>> --- a/hw/vfio/common.c
>> +++ b/hw/vfio/common.c
>> @@ -378,7 +378,7 @@ static int vfio_dma_unmap_bitmap(VFIOContainer 
>> *container,
>>  {
>>  struct vfio_iommu_type1_dma_unmap *unmap;
>>  struct vfio_bitmap *bitmap;
>> -uint64_t pages = TARGET_PAGE_ALIGN(size) >> TARGET_PAGE_BITS;
>> +uint64_t pages = REAL_HOST_PAGE_ALIGN(size) / qemu_real_host_page_size;
>>  int ret;
>>  
>>  unmap = g_malloc0(sizeof(*unmap) + sizeof(*bitmap));
>> @@ -390,12 +390,12 @@ static int vfio_dma_unmap_bitmap(VFIOContainer 
>> *container,
>>  bitmap = (struct vfio_bitmap *)&unmap->data;
>>  
>>  /*
>> - * cpu_physical_memory_set_dirty_lebitmap() expects pages in bitmap of
>> - * TARGET_PAGE_SIZE to mark those dirty. Hence set bitmap_pgsize to
>> - * TARGET_PAGE_SIZE.
>> + * cpu_physical_memory_set_dirty_lebitmap() supports pages in bitmap of
>> + * qemu_real_host_page_size to mark those dirty. Hence set bitmap_pgsize
>> + * to qemu_real_host_page_size.
> 
> 
> I don't see that this change is well supported by the code,
> cpu_physical_memory_set_dirty_lebitmap() seems to operate on
> TARGET_PAGE_SIZE, and the next three patch chunks take a detour through
> memory listener code that seem unrelated to the change described in the
> commit log.  This claims to fix something, what is actually broken?
Actually I have reported this bug long ago. 
cpu_physical_memory_set_dirty_lebitmap() expects
the granule of @bitmap to be qemu_real_host_page_size, as it uses @hpratio to 
convert the bitmap.

Thanks,
Keqian

> Thanks,
> 
> Alex
> 
>>   */
>>  
>> -bitmap->pgsize = TARGET_PAGE_SIZE;
>> +bitmap->pgsize = qemu_real_host_page_size;
>>  bitmap->size = ROUND_UP(pages, sizeof(__u64) * BITS_PER_BYTE) /
>> BITS_PER_BYTE;
>>  
>> @@ -674,16 +674,16 @@ static void vfio_listener_region_add(MemoryListener 
>> *listener,
>>  return;
>>  }
>>  
>> -if (unlikely((section->offset_within_address_space & ~TARGET_PAGE_MASK) 
>> !=
>> - (section->offset_within_region & ~TARGET_PAGE_MASK))) {
>> +if (unlikely((section->offset_within_address_space & 
>> ~qemu_real_host_page_mask) !=
>> + (section->offset_within_region & 
>> ~qemu_real_host_page_mask))) {
>>  error_report("%s received unaligned region", __func__);
>>  return;
>>  }
>>  
>> -iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
>> +iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
>>  llend = int128_make64(section->offset_within_address_space);
>>  llend = int128_add(llend, section->size);
>> -llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
>> +llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
>>  
>>  if (int128_ge(int128_make64(iova), llend)) {
>>  return;
>> @@ -892,8 +892,8 @@ static void vfio_listener_region_del(MemoryListener 
>> *listener,
>>  return;
>>  }
>>  
>> -if (unlikely((section->offset_within_address_space & ~TARGET_PAGE_MASK) 
>> !=
>> - (section->offset_within_region & ~TARGET_PAGE_MASK))) {
>> +if (unlikely((section->offset_within_address_space & 
>> ~qemu_real_host_page_mask) !=
>> + (section->offset_within_region & 
>> ~qemu_real_host_page_mask))) {
>>  error_report("%s received unaligned region", __func__);
>>  return;
>>  }
>> @@ -921,10 +921,10 @@ static void vfio_listener_region_del(MemoryListener 
>> *listener,
>>   */
>>  }
>>  
>> -iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
>> +iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
>>  llend = int128_make64(section->offset_within_address_space);
>>  llend = int128_add(llend, section->size);
>> -llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
>> +llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
>>  
>>  if (int128_ge(int128_make64(iova), llend)) {
>>  return;
>> @@ -1004,13 +1004,13 @@ static int vfio_get_dirty_bitmap(VFIOContainer 
>> *container, uint64_t iova,
>>

Re: [PATCH v3 2/3] migration/ram: Reduce unnecessary rate limiting

2021-03-09 Thread Kunkun Jiang


Hi,

On 2021/3/10 0:15, Peter Xu wrote:

On Tue, Mar 09, 2021 at 10:33:04PM +0800, Kunkun Jiang wrote:

Hi,

On 2021/3/9 5:12, Peter Xu wrote:

On Mon, Mar 08, 2021 at 06:34:58PM +0800, Kunkun Jiang wrote:

Hi,

On 2021/3/5 22:22, Peter Xu wrote:

Kunkun,

On Fri, Mar 05, 2021 at 03:50:34PM +0800, Kunkun Jiang wrote:

When the host page is a huge page and something is sent in the
current iteration, the migration_rate_limit() should be executed.
If not, this function can be omitted to save time.

Rename tmppages to pages_this_iteration to express its meaning
more clearly.

Signed-off-by: Keqian Zhu 
Signed-off-by: Kunkun Jiang 
---
migration/ram.c | 21 ++---
1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index a168da5cdd..9fc5b2997c 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1988,7 +1988,7 @@ static int ram_save_target_page(RAMState *rs, 
PageSearchStatus *pss,
static int ram_save_host_page(RAMState *rs, PageSearchStatus *pss,
  bool last_stage)
{
-int tmppages, pages = 0;
+int pages = 0;
size_t pagesize_bits =
qemu_ram_pagesize(pss->block) >> TARGET_PAGE_BITS;
unsigned long start_page = pss->page;
@@ -2000,21 +2000,28 @@ static int ram_save_host_page(RAMState *rs, 
PageSearchStatus *pss,
}
do {
+int pages_this_iteration = 0;
+
/* Check if the page is dirty and send it if it is */
if (!migration_bitmap_clear_dirty(rs, pss->block, pss->page)) {
pss->page++;
continue;
}
-tmppages = ram_save_target_page(rs, pss, last_stage);
-if (tmppages < 0) {
-return tmppages;
+pages_this_iteration = ram_save_target_page(rs, pss, last_stage);
+if (pages_this_iteration < 0) {
+return pages_this_iteration;
}
-pages += tmppages;
+pages += pages_this_iteration;

To me, both names are okay, it's just that the new name doesn't really provide
a lot more new information, while it's even longer...

Since you seem to prefer cleaning up tmppages, I'm actually thinking whether
it should be called as "pages" at all since ram_save_target_page() majorly only
returns either 1 if succeeded or <0 if error.  There's only one very corner
case of xbzrle where it can return 0 in save_xbzrle_page():

   if (encoded_len == 0) {
   trace_save_xbzrle_page_skipping();
   return 0;
   }

I think it means the page didn't change at all, then I'm also wondering maybe
it can also return 1 showing one page migrated (though actually skipped!) which
should still be fine for the callers, e.g., ram_find_and_save_block() who will
finally check this "pages" value.

So I think _maybe_ that's a nicer cleanup to change that "return 0" to "return
1", then another patch to make the return value to be (1) return 0 if page
saved, or (2) return <0 if error.  Then here in ram_save_host_page() tmppages
can be renamed to "ret" or "succeed".

Thanks for your advice.
change "return 0" to "return 1" would have a slight effect on
'rs->target_page_count += pages'
in ram_save_iterate(). This may lead to consider more complex situations.
What do you think of
this?

I don't think we should change the meaning of ram_save_host_page()'s return
value, but only ram_save_target_page(); ram_save_host_page() could return >1
for huge pages.  Thanks,


I am not sure I have got your point. If I change "return 0" to "return 1"
(actually skipped),
the "pages" in the ram_save_host_page() will add 1(original add 0). Then it
will end the
loop in the ram_find_and_save_block.

Frankly I even think it's a bug - when return 0 it could mean the xbzrle page
is the same as before even if dirty bit set (the page just got written with the
same data, that's why dirty bit set but xbzrle calculated with no diff).
However it shouldn't mean "done==1" which is a sign of "migration complete"
imho..

Thanks for your explanation, I get it.

And then in the ram_save_iterate(), the
modify may
have a effect on "rs->target_page_count += page".
I haven't done enough research on this part of code. Do you think this
change will have
a big impact?

Maybe, but I don't expect it to change anything real.  If to change it we'd
definitely better smoke xbzrle a bit.  It's a pure idea I got in mind to
cleanup the code, but feel free to ignore it too.

For your current series, I think the last patch is the most appealing.  So
maybe we can focus on that first.

Thanks,


You are right. The change here may be not worth it.

Thanks,

Kunkun Jiang

Re: [PATCH v2 4/4] slirp: feature detection for smbd

2021-03-09 Thread Samuel Thibault

Joelle van Dyne, le mar. 09 mars 2021 10:11:31 -0800, a ecrit:
> On Tue, Mar 9, 2021 at 6:09 AM Philippe Mathieu-Daudé  
> wrote:
> > On 3/9/21 1:27 AM, Joelle van Dyne wrote:
> > > Replace Windows specific macro with a more generic feature detection
> > > macro. Allows slirp smb feature to be disabled manually as well.
> > >
> > > Signed-off-by: Joelle van Dyne 
> > > ---
> > >  configure   | 26 +++---
> > >  meson.build |  2 +-
> > >  net/slirp.c | 16 
> > >  3 files changed, 32 insertions(+), 12 deletions(-)
> >
> > Hmm v1 had: Acked-by: Samuel Thibault 
> > did you change something to not include Samuel A-b tag?
> 
> Sorry, I must have missed it!

NP :)

Samuel

[PATCH v3 1/3] target/arm: Add support for FEAT_TLBIRANGE

ARMv8.4 adds the mandatory FEAT_TLBIRANGE. It provides TLBI
maintenance instructions that apply to a range of input addresses.

Signed-off-by: Rebecca Cran 
---
 accel/tcg/cputlb.c  |  22 ++
 include/exec/exec-all.h |  41 
 target/arm/cpu.h|   5 +
 target/arm/helper.c | 248 
 4 files changed, 316 insertions(+)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 8a7b779270a4..233fe302c236 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -623,6 +623,28 @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
 }
 
+void tlb_flush_page_range_by_mmuidx(CPUState *cpu, target_ulong addr,
+unsigned int num_pages, uint16_t idxmap)
+{
+  /*
+   * We currently do a full flush, but for performance this should be
+   * updated to only flush the requested pages, taking TBI into account.
+   */
+tlb_flush_by_mmuidx(cpu, idxmap);
+}
+
+void tlb_flush_page_range_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
+target_ulong addr,
+unsigned int num_pages,
+uint16_t idxmap)
+{
+/*
+ * We currently do a full flush, but for performance this should be
+ * updated to only flush the requested pages, taking TBI into account.
+ */
+tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, idxmap);
+}
+
 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
uint16_t idxmap)
 {
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index 6b036cae8f65..91232cd48d22 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -212,6 +212,35 @@ void tlb_flush_page_by_mmuidx_all_cpus(CPUState *cpu, 
target_ulong addr,
  */
 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *cpu, target_ulong addr,
   uint16_t idxmap);
+/**
+ * tlb_flush_page_range_by_mmuidx:
+ * @cpu: CPU whose TLB should be flushed
+ * @addr: virtual address of start of page range to be flushed
+ * @num_pages: the number of pages to be flushed
+ * @idxmap: bitmap of MMU indexes to flush
+ *
+ * Flush a range of pages from the TLB of the specified CPU, for the specified
+ * MMU indexes.
+ */
+void tlb_flush_page_range_by_mmuidx(CPUState *cpu, target_ulong addr,
+unsigned int num_pages, uint16_t idxmap);
+/**
+ * tlb_flush_page_range_by_mmuidx_all_cpus_synced:
+ * @cpu: Originating CPU of the flush
+ * @addr: virtual address of start of page range to be flushed
+ * @num_pages: the number of pages to be flushed
+ * @idxmap: bitmap of MMU indexes to flush
+ *
+ * Flush a range of pages from the TLB of all CPUs, for the specified MMU
+ * indexes like tlb_flush_page_by_mmuidx_all_cpus except the source
+ * vCPUs work is scheduled as safe work meaning all flushes will be
+ * complete once the source vCPUs safe work is complete. This will
+ * depend on when the guests translation ends the TB.
+ */
+void tlb_flush_page_range_by_mmuidx_all_cpus_synced(CPUState *cpu,
+target_ulong addr,
+unsigned int num_pages,
+uint16_t idxmap);
 /**
  * tlb_flush_by_mmuidx:
  * @cpu: CPU whose TLB should be flushed
@@ -313,6 +342,18 @@ static inline void tlb_flush_page_all_cpus_synced(CPUState 
*src,
   target_ulong addr)
 {
 }
+static inline void tlb_flush_page_range_by_mmuidx(CPUState *cpu,
+  target_ulong addr,
+  unsigned int num_pages,
+  int idxmap)
+{
+}
+static inline void tlb_flush_page_range_by_mmuidx_all_cpus_synced(CPUState 
*src_cpu,
+  target_ulong 
addr,
+  unsigned int 
num_pages,
+  uint16_t 
idxmap)
+{
+}
 static inline void tlb_flush(CPUState *cpu)
 {
 }
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 193a49ec7fac..32b78a4ef587 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -4038,6 +4038,11 @@ static inline bool isar_feature_aa64_pauth_arch(const 
ARMISARegisters *id)
 return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, APA) != 0;
 }
 
+static inline bool isar_feature_aa64_tlbirange(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, TLB) == 2;
+}
+
 static inline bool isar_feature_aa64_sb(const ARMISARegisters *id)
 {
 return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, SB) != 0;
diff --git a/target/arm/helper.c b/target/

[PATCH v3 3/3] target/arm: set ID_AA64ISAR0.TLB to 2 for max AARCH64 CPU type

Indicate support for FEAT_TLBIOS and FEAT_TLBIRANGE by setting
ID_AA64ISAR0.TLB to 2 for the max AARCH64 CPU type.

Signed-off-by: Rebecca Cran 
---
 target/arm/cpu64.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index f0a9e968c9c1..e34a6a6174fe 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -651,6 +651,7 @@ static void aarch64_max_initfn(Object *obj)
 t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1);
 t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1);
 t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2); /* v8.5-CondM */
+t = FIELD_DP64(t, ID_AA64ISAR0, TLB, 2);
 t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1);
 cpu->isar.id_aa64isar0 = t;
 
-- 
2.26.2

[PATCH v3 2/3] target/arm: Add support for FEAT_TLBIOS

ARMv8.4 adds the mandatory FEAT_TLBIOS. It provides TLBI
maintenance instructions that extend to the Outer Shareable domain.

Signed-off-by: Rebecca Cran 
---
 target/arm/cpu.h|  6 ++
 target/arm/helper.c | 75 
 2 files changed, 81 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 32b78a4ef587..cf0801994a5f 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -4043,6 +4043,12 @@ static inline bool isar_feature_aa64_tlbirange(const 
ARMISARegisters *id)
 return FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, TLB) == 2;
 }
 
+static inline bool isar_feature_aa64_tlbios(const ARMISARegisters *id)
+{
+return FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, TLB) == 1 ||
+   FIELD_EX64(id->id_aa64isar0, ID_AA64ISAR0, TLB) == 2;
+}
+
 static inline bool isar_feature_aa64_sb(const ARMISARegisters *id)
 {
 return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, SB) != 0;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index ec81586d90dd..b1f634b0c897 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -7165,6 +7165,78 @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
 REGINFO_SENTINEL
 };
 
+static const ARMCPRegInfo tlbios_reginfo[] = {
+{ .name = "TLBI_VMALLE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 0,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_vmalle1is_write },
+{ .name = "TLBI_ASIDE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 1, .opc2 = 2,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_vmalle1is_write },
+{ .name = "TLBI_RVAE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae1is_write },
+{ .name = "TLBI_RVAAE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 3,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae1is_write },
+   { .name = "TLBI_RVALE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 5,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae1is_write },
+{ .name = "TLBI_RVAALE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 7,
+  .access = PL1_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae1is_write },
+{ .name = "TLBI_ALLE2OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 0,
+  .access = PL2_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_alle2is_write },
+   { .name = "TLBI_ALLE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 4,
+  .access = PL2_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_alle1is_write },
+{ .name = "TLBI_VMALLS12E1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 6,
+  .access = PL2_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_alle1is_write },
+{ .name = "TLBI_IPAS2E1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 0,
+  .access = PL2_W, .type = ARM_CP_NOP },
+{ .name = "TLBI_RIPAS2E1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 3,
+  .access = PL2_W, .type = ARM_CP_NOP },
+{ .name = "TLBI_IPAS2LE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 4,
+  .access = PL2_W, .type = ARM_CP_NOP },
+{ .name = "TLBI_RIPAS2LE1OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 7,
+  .access = PL2_W, .type = ARM_CP_NOP },
+   { .name = "TLBI_RVAE2OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 1,
+  .access = PL2_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae2is_write },
+   { .name = "TLBI_RVALE2OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 5,
+  .access = PL2_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae2is_write },
+{ .name = "TLBI_ALLE3OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 0,
+  .access = PL3_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_alle3is_write },
+   { .name = "TLBI_RVAE3OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 5, .opc2 = 1,
+  .access = PL3_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae3is_write },
+   { .name = "TLBI_RVALE3OS", .state = ARM_CP_STATE_AA64,
+  .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 5, .opc2 = 5,
+  .access = PL3_W, .type = ARM_CP_NO_RAW,
+  .writefn = tlbi_aa64_rvae3is_write },
+REGINFO_SENTINEL
+};
+
 static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
 {
 Error *err = NULL;
@@ -8537,6 +86

[PATCH v3 0/3] target/arm: Add support for FEAT_TLBIOS and FEAT_TLBIRANGE

ARMv8.4 adds the mandatory FEAT_TLBIOS and FEAT_TLBIRANGE. 
They provides TLBI maintenance instructions that extend to the Outer
Shareable domain and that apply to a range of input addresses.

Changes from v2 to v3:

o Change the functions in cputlb.c to do a full flush. This should
  only be a short-term implementation.

Testing:
  o Ran scripts/checkpatch.pl: functions in exec-all.h fail,
but I think that's acceptable?
  o Built all targets
  o Ran test code that executed the new instructions
  o Ran "make test"

Rebecca Cran (3):
  target/arm: Add support for FEAT_TLBIRANGE
  target/arm: Add support for FEAT_TLBIOS
  target/arm: set ID_AA64ISAR0.TLB to 2 for max AARCH64 CPU type

 accel/tcg/cputlb.c  |  22 ++
 include/exec/exec-all.h |  41 +++
 target/arm/cpu.h|  11 +
 target/arm/cpu64.c  |   1 +
 target/arm/helper.c | 323 
 5 files changed, 398 insertions(+)

-- 
2.26.2

[PATCH V3] file-posix: allow -EBUSY -EINVAL errors during write zeros on block

2021-03-09 Thread ChangLimin

Since Linux 5.10, write zeros to a multipath device using
ioctl(fd, BLKZEROOUT, range) with cache none or directsync return -EBUSY
permanently.

Similar to handle_aiocb_write_zeroes_unmap, handle_aiocb_write_zeroes_block
allow -EBUSY and -EINVAL errors during ioctl(fd, BLKZEROOUT, range).

Reference commit in Linux 5.10:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=384d87ef2c954fc58e6c5fd8253e4a1984f5fe02

Although it will be fixed in 5.12, I think it's good to avoid similar problem 
in the future.
https://lore.kernel.org/linux-block/53689a67-7591-0ad8-3e7d-dca9a626c...@kernel.dk/

Signed-off-by: ChangLimin 
---
 block/file-posix.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index 05079b40ca..4e132db929 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -1629,8 +1629,13 @@ static ssize_t 
handle_aiocb_write_zeroes_block(RawPosixAIOData *aiocb)
 } while (errno == EINTR);

 ret = translate_err(-errno);
-if (ret == -ENOTSUP) {
-s->has_write_zeroes = false;
+switch (ret) {
+case -ENOTSUP:
+s->has_write_zeroes = false; /* fall through */
+case -EINVAL:
+case -EBUSY:
+return -ENOTSUP;
+break;
 }
 }
 #endif
--
2.27.0

Re: [PATCH 3/3] hw/usb: Extract VT82C686 UHCI PCI function into a new unit

On 3/9/21 9:13 PM, BALATON Zoltan wrote:
> On Tue, 9 Mar 2021, Philippe Mathieu-Daudé wrote:
>> Extract the VT82C686 PCI UHCI function into a new unit so
>> it is only build when the VT82C686 south bridge is selected.
> 
> I'm not sure it's worth separating just this one device from the other
> similar usb devices when the others that are also part of south bridge
> chips are left there. Maybe you could just set user_creatable = false so
> it can only be created as part of the chips that contain it or just
> don't bother and leave it as it is which is the least likely to break
> anything that may rely on it as removing it from the device list may
> need to go through deprecation.
> 
> But I don't really mind, so if others like this approach I don't want to
> block the patch. I think it's unlikely anybody would use this device
> other than part of fuloong2e or pegasos2 so probably it's unlikely to
> break anything if it suddenly goes away from a new build.

OK. As I sent this series to help you with your Pegasos2 board, do you
mind sending a patch then?

I suppose you mean using "#include CONFIG_DEVICES" and checking for the
CONFIG_VT82C686 symbol to register the QOM type?

Thanks,

Phil.

Re: [PATCH v6 4/8] vt82c686: Introduce abstract TYPE_VIA_ISA and base vt82c686b_isa on it

On 3/9/21 9:28 PM, BALATON Zoltan wrote:
> To allow reusing ISA bridge emulation for vt8231_isa move the device
> state of vt82c686b_isa emulation in an abstract via_isa class. This
> change breaks migration back compatibility but this is not an issue
> for Fuloong2E machine which is not versioned or migration supported.
> 
> Signed-off-by: BALATON Zoltan 
> ---
>  hw/isa/vt82c686.c| 70 ++--
>  include/hw/pci/pci_ids.h |  2 +-
>  2 files changed, 40 insertions(+), 32 deletions(-)

This should be OK if this other series is accepted:
"hw/usb: Extract Extract VT82C686 UHCI PCI function into new unit"
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg03083.html

I'll come back to this patch after the former series is reviewed.

Re: [PATCH v6 2/8] vt82c686: QOM-ify superio related functionality

On 3/9/21 9:28 PM, BALATON Zoltan wrote:
> Collect superio functionality and its controlling config registers
> handling in an abstract VIA_SUPERIO class that is a subclass of
> ISA_SUPERIO and put vt82c686b specific parts in a subclass of this
> abstract class.
> 
> Signed-off-by: BALATON Zoltan 
> ---
>  hw/isa/vt82c686.c | 240 --
>  include/hw/isa/vt82c686.h |   1 -
>  2 files changed, 150 insertions(+), 91 deletions(-)

>  static MemoryRegion *find_subregion(ISADevice *d, MemoryRegion *parent,
>  int offs)
> @@ -270,10 +279,76 @@ static MemoryRegion *find_subregion(ISADevice *d, 
> MemoryRegion *parent,
>  return mr;
>  }
>  
> -static void superio_cfg_write(void *opaque, hwaddr addr, uint64_t data,
> -  unsigned size)
> +static void via_superio_realize(DeviceState *d, Error **errp)
> +{
> +ViaSuperIOState *s = VIA_SUPERIO(d);
> +ISASuperIOClass *ic = ISA_SUPERIO_GET_CLASS(s);
> +int i;
> +
> +assert(s->io_ops);
> +ic->parent_realize(d, errp);
> +if (*errp) {

Unfortunately this doesn't work because errp can be NULL...
This is described in "qapi/error.h". You have to use a local_err.

> +return;
> +}

Re: [PATCH] hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM

On 3/10/21 12:41 AM, BALATON Zoltan wrote:
> On Tue, 9 Mar 2021, Philippe Mathieu-Daudé wrote:
>> ping for review?
> 
> This is included in my pegasos2 series as 6/8 replacing half of a
> similar patch from my original version. Since I've reported it I don't
> think I should be also reviewing it but it's quite trivial so may not
> need that much review.

Forwarding a patch doesn't mean you have reviewed it :/

If you can provide a formal R-b tag, then I can queue this or the
one in your series.

Thanks,

Phil.

[PATCH 7/9] hw/block/pflash_cfi02: Factor out DeviceReset method

There is multiple places doing a device reset. Factor that
out in a common method which matches the DeviceReset prototype,
so we can also remove the reset code from the DeviceRealize()
handler. Explicit the device is set in "read array" mode on
reset.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi02.c | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 2ba77a0171b..484b056b898 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -193,6 +193,14 @@ static void pflash_mode_read_array(PFlashCFI02 *pfl)
 memory_region_rom_device_set_romd(&pfl->orig_mem, true);
 }
 
+static void pflash_cfi02_reset(DeviceState *dev)
+{
+PFlashCFI02 *pfl = PFLASH_CFI02(dev);
+
+trace_pflash_reset();
+pflash_mode_read_array(pfl);
+}
+
 static size_t pflash_regions_count(PFlashCFI02 *pfl)
 {
 return pfl->cfi_table[0x2c];
@@ -330,8 +338,7 @@ static uint64_t pflash_read(void *opaque, hwaddr offset, 
unsigned int width)
 default:
 /* This should never happen : reset state & treat it as a read*/
 DPRINTF("%s: unknown command state: %x\n", __func__, pfl->cmd);
-pfl->wcycle = 0;
-pfl->cmd = 0;
+pflash_cfi02_reset(DEVICE(pfl));
 /* fall through to the read code */
 case 0x80: /* Erase (unlock) */
 /* We accept reads during second unlock sequence... */
@@ -710,10 +717,8 @@ static void pflash_write(void *opaque, hwaddr offset, 
uint64_t value,
 
 /* Reset flash */
  reset_flash:
-trace_pflash_reset();
 pfl->bypass = 0;
-pfl->wcycle = 0;
-pfl->cmd = 0;
+pflash_cfi02_reset(DEVICE(pfl));
 return;
 
  do_bypass:
@@ -977,6 +982,7 @@ static void pflash_cfi02_class_init(ObjectClass *klass, 
void *data)
 DeviceClass *dc = DEVICE_CLASS(klass);
 
 dc->realize = pflash_cfi02_realize;
+dc->reset = pflash_cfi02_reset;
 dc->unrealize = pflash_cfi02_unrealize;
 device_class_set_props(dc, pflash_cfi02_properties);
 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
-- 
2.26.2

[PATCH 4/9] hw/block/pflash_cfi02: Set rom_mode to true in pflash_setup_mappings()

There is only one call to pflash_setup_mappings(). Convert 'rom_mode'
to boolean and set it to true directly within pflash_setup_mappings().

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi02.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 845f50ed99b..5f949b4c792 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -108,7 +108,7 @@ struct PFlashCFI02 {
 MemoryRegion mem;
 MemoryRegion *mem_mappings;/* array; one per mapping */
 MemoryRegion orig_mem;
-int rom_mode;
+bool rom_mode;
 int read_counter; /* used for lazy switch-back to rom mode */
 int sectors_to_erase;
 uint64_t erase_time_remaining;
@@ -181,6 +181,7 @@ static void pflash_setup_mappings(PFlashCFI02 *pfl)
  "pflash-alias", &pfl->orig_mem, 0, size);
 memory_region_add_subregion(&pfl->mem, i * size, 
&pfl->mem_mappings[i]);
 }
+pfl->rom_mode = true;
 }
 
 static void pflash_register_memory(PFlashCFI02 *pfl, int rom_mode)
@@ -927,7 +928,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error 
**errp)
 pfl->sector_erase_map = bitmap_new(pfl->total_sectors);
 
 pflash_setup_mappings(pfl);
-pfl->rom_mode = 1;
 sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
 
 timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
-- 
2.26.2

[PATCH 8/9] hw/block/pflash_cfi01: Clarify trace events

Use the 'mode_read_array' event when we set the device in such
mode, and use the 'reset' event in DeviceReset handler.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi01.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 03472ea5b64..2618e00926d 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -663,7 +663,7 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
   "\n", __func__, offset, pfl->wcycle, pfl->cmd, value);
 
  mode_read_array:
-trace_pflash_reset();
+trace_pflash_mode_read_array();
 memory_region_rom_device_set_romd(&pfl->mem, true);
 pfl->wcycle = 0;
 pfl->cmd = 0x00; /* This model reset value for READ_ARRAY (not CFI) */
@@ -886,6 +886,7 @@ static void pflash_cfi01_system_reset(DeviceState *dev)
 {
 PFlashCFI01 *pfl = PFLASH_CFI01(dev);
 
+trace_pflash_reset();
 /*
  * The command 0x00 is not assigned by the CFI open standard,
  * but QEMU historically uses it for the READ_ARRAY command (0xff).
-- 
2.26.2

[PATCH 6/9] hw/block/pflash_cfi02: Rename register_memory(true) as mode_read_array

The same pattern is used when setting the flash in READ_ARRAY mode:
- Set the state machine command to READ_ARRAY
- Reset the write_cycle counter
- Reset the memory region in ROMD

Refactor the current code by extracting this pattern.
It is used three times:

- When the timer expires and not in bypass mode

- On a read access (on invalid command).

- When the device is initialized. Here the ROMD mode is hidden
  by the memory_region_init_rom_device() call.

pflash_register_memory(rom_mode=true) already sets the ROM device
in "read array" mode (from I/O device to ROM one). Explicit that
by renaming the function as pflash_mode_read_array(), adding
a trace event and resetting wcycle.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi02.c | 18 +-
 hw/block/trace-events   |  1 +
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 4efbae2f0c9..2ba77a0171b 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -184,10 +184,13 @@ static void pflash_setup_mappings(PFlashCFI02 *pfl)
 pfl->rom_mode = true;
 }
 
-static void pflash_register_memory(PFlashCFI02 *pfl, int rom_mode)
+static void pflash_mode_read_array(PFlashCFI02 *pfl)
 {
-memory_region_rom_device_set_romd(&pfl->orig_mem, rom_mode);
-pfl->rom_mode = rom_mode;
+trace_pflash_mode_read_array();
+pfl->cmd = 0x00;
+pfl->wcycle = 0;
+pfl->rom_mode = true;
+memory_region_rom_device_set_romd(&pfl->orig_mem, true);
 }
 
 static size_t pflash_regions_count(PFlashCFI02 *pfl)
@@ -249,11 +252,10 @@ static void pflash_timer(void *opaque)
 toggle_dq7(pfl);
 if (pfl->bypass) {
 pfl->wcycle = 2;
+pfl->cmd = 0;
 } else {
-pflash_register_memory(pfl, 1);
-pfl->wcycle = 0;
+pflash_mode_read_array(pfl);
 }
-pfl->cmd = 0;
 }
 
 /*
@@ -315,7 +317,7 @@ static uint64_t pflash_read(void *opaque, hwaddr offset, 
unsigned int width)
 /* Lazy reset to ROMD mode after a certain amount of read accesses */
 if (!pfl->rom_mode && pfl->wcycle == 0 &&
 ++pfl->read_counter > PFLASH_LAZY_ROMD_THRESHOLD) {
-pflash_register_memory(pfl, 1);
+pflash_mode_read_array(pfl);
 }
 offset &= pfl->chip_len - 1;
 boff = offset & 0xFF;
@@ -933,8 +935,6 @@ static void pflash_cfi02_realize(DeviceState *dev, Error 
**errp)
 sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
 
 timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
-pfl->wcycle = 0;
-pfl->cmd = 0;
 pfl->status = 0;
 
 pflash_cfi02_fill_cfi_table(pfl, nb_regions);
diff --git a/hw/block/trace-events b/hw/block/trace-events
index d32475c3989..f16d6e90cfd 100644
--- a/hw/block/trace-events
+++ b/hw/block/trace-events
@@ -7,6 +7,7 @@ fdc_ioport_write(uint8_t reg, uint8_t value) "write reg 0x%02x 
val 0x%02x"
 # pflash_cfi01.c
 # pflash_cfi02.c
 pflash_reset(void) "reset"
+pflash_mode_read_array(void) "mode: read array"
 pflash_timer_expired(uint8_t cmd) "command 0x%02x done"
 pflash_io_read(uint64_t offset, unsigned size, uint32_t value, uint8_t cmd, 
uint8_t wcycle) "offset:0x%04"PRIx64" size:%u value:0x%04x cmd:0x%02x wcycle:%u"
 pflash_io_write(uint64_t offset, unsigned size, uint32_t value, uint8_t 
wcycle) "offset:0x%04"PRIx64" size:%u value:0x%04x wcycle:%u"
-- 
2.26.2

[PATCH 9/9] hw/block/pflash_cfi01: Extract pflash_mode_read_array()

The same pattern is used when setting the flash in READ_ARRAY mode:
- Set the state machine command to READ_ARRAY
- Reset the write_cycle counter
- Reset the memory region in ROMD

Refactor the current code by extracting this pattern.
It is used three times:

- On a read access (on invalid command).

- On a write access (on command failure, error, or explicitly asked)

- When the device is initialized. Here the ROMD mode is hidden
  by the memory_region_init_rom_device() call.

Reviewed-by: Alistair Francis 
Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi01.c | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 2618e00926d..32c9b289715 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -115,6 +115,19 @@ static const VMStateDescription vmstate_pflash = {
 }
 };
 
+static void pflash_mode_read_array(PFlashCFI01 *pfl)
+{
+trace_pflash_mode_read_array();
+/*
+ * The command 0x00 is not assigned by the CFI open standard,
+ * but QEMU historically uses it for the READ_ARRAY command (0xff).
+ */
+trace_pflash_mode_read_array();
+pfl->cmd = 0x00;
+pfl->wcycle = 0;
+memory_region_rom_device_set_romd(&pfl->mem, true);
+}
+
 /*
  * Perform a CFI query based on the bank width of the flash.
  * If this code is called we know we have a device_width set for
@@ -283,12 +296,7 @@ static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr 
offset,
 default:
 /* This should never happen : reset state & treat it as a read */
 DPRINTF("%s: unknown command state: %x\n", __func__, pfl->cmd);
-pfl->wcycle = 0;
-/*
- * The command 0x00 is not assigned by the CFI open standard,
- * but QEMU historically uses it for the READ_ARRAY command (0xff).
- */
-pfl->cmd = 0x00;
+pflash_mode_read_array(pfl);
 /* fall through to read code */
 case 0x00: /* This model reset value for READ_ARRAY (not CFI compliant) */
 /* Flash area read */
@@ -663,10 +671,7 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
   "\n", __func__, offset, pfl->wcycle, pfl->cmd, value);
 
  mode_read_array:
-trace_pflash_mode_read_array();
-memory_region_rom_device_set_romd(&pfl->mem, true);
-pfl->wcycle = 0;
-pfl->cmd = 0x00; /* This model reset value for READ_ARRAY (not CFI) */
+pflash_mode_read_array(pfl);
 }
 
 
@@ -872,13 +877,8 @@ static void pflash_cfi01_realize(DeviceState *dev, Error 
**errp)
 pfl->max_device_width = pfl->device_width;
 }
 
-pfl->wcycle = 0;
-/*
- * The command 0x00 is not assigned by the CFI open standard,
- * but QEMU historically uses it for the READ_ARRAY command (0xff).
- */
-pfl->cmd = 0x00;
 pfl->status = 0x80; /* WSM ready */
+pflash_mode_read_array(pfl);
 pflash_cfi01_fill_cfi_table(pfl);
 }
 
@@ -887,13 +887,7 @@ static void pflash_cfi01_system_reset(DeviceState *dev)
 PFlashCFI01 *pfl = PFLASH_CFI01(dev);
 
 trace_pflash_reset();
-/*
- * The command 0x00 is not assigned by the CFI open standard,
- * but QEMU historically uses it for the READ_ARRAY command (0xff).
- */
-pfl->cmd = 0x00;
-pfl->wcycle = 0;
-memory_region_rom_device_set_romd(&pfl->mem, true);
+pflash_mode_read_array(pfl);
 /*
  * The WSM ready timer occurs at most 150ns after system reset.
  * This model deliberately ignores this delay.
-- 
2.26.2

[PATCH 3/9] hw/block/pflash_cfi02: Extract pflash_cfi02_fill_cfi_table()

Fill the CFI table in out of DeviceRealize() in a new function:
pflash_cfi02_fill_cfi_table().

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi02.c | 193 +---
 1 file changed, 99 insertions(+), 94 deletions(-)

diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index fa981465e12..845f50ed99b 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -724,6 +724,104 @@ static const MemoryRegionOps pflash_cfi02_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+static void pflash_cfi02_fill_cfi_table(PFlashCFI02 *pfl, int nb_regions)
+{
+/* Hardcoded CFI table (mostly from SG29 Spansion flash) */
+const uint16_t pri_ofs = 0x40;
+/* Standard "QRY" string */
+pfl->cfi_table[0x10] = 'Q';
+pfl->cfi_table[0x11] = 'R';
+pfl->cfi_table[0x12] = 'Y';
+/* Command set (AMD/Fujitsu) */
+pfl->cfi_table[0x13] = 0x02;
+pfl->cfi_table[0x14] = 0x00;
+/* Primary extended table address */
+pfl->cfi_table[0x15] = pri_ofs;
+pfl->cfi_table[0x16] = pri_ofs >> 8;
+/* Alternate command set (none) */
+pfl->cfi_table[0x17] = 0x00;
+pfl->cfi_table[0x18] = 0x00;
+/* Alternate extended table (none) */
+pfl->cfi_table[0x19] = 0x00;
+pfl->cfi_table[0x1A] = 0x00;
+/* Vcc min */
+pfl->cfi_table[0x1B] = 0x27;
+/* Vcc max */
+pfl->cfi_table[0x1C] = 0x36;
+/* Vpp min (no Vpp pin) */
+pfl->cfi_table[0x1D] = 0x00;
+/* Vpp max (no Vpp pin) */
+pfl->cfi_table[0x1E] = 0x00;
+/* Timeout per single byte/word write (128 ms) */
+pfl->cfi_table[0x1F] = 0x07;
+/* Timeout for min size buffer write (NA) */
+pfl->cfi_table[0x20] = 0x00;
+/* Typical timeout for block erase (512 ms) */
+pfl->cfi_table[0x21] = 0x09;
+/* Typical timeout for full chip erase (4096 ms) */
+pfl->cfi_table[0x22] = 0x0C;
+/* Reserved */
+pfl->cfi_table[0x23] = 0x01;
+/* Max timeout for buffer write (NA) */
+pfl->cfi_table[0x24] = 0x00;
+/* Max timeout for block erase */
+pfl->cfi_table[0x25] = 0x0A;
+/* Max timeout for chip erase */
+pfl->cfi_table[0x26] = 0x0D;
+/* Device size */
+pfl->cfi_table[0x27] = ctz32(pfl->chip_len);
+/* Flash device interface (8 & 16 bits) */
+pfl->cfi_table[0x28] = 0x02;
+pfl->cfi_table[0x29] = 0x00;
+/* Max number of bytes in multi-bytes write */
+/*
+ * XXX: disable buffered write as it's not supported
+ * pfl->cfi_table[0x2A] = 0x05;
+ */
+pfl->cfi_table[0x2A] = 0x00;
+pfl->cfi_table[0x2B] = 0x00;
+/* Number of erase block regions */
+pfl->cfi_table[0x2c] = nb_regions;
+/* Erase block regions */
+for (int i = 0; i < nb_regions; ++i) {
+uint32_t sector_len_per_device = pfl->sector_len[i];
+pfl->cfi_table[0x2d + 4 * i] = pfl->nb_blocs[i] - 1;
+pfl->cfi_table[0x2e + 4 * i] = (pfl->nb_blocs[i] - 1) >> 8;
+pfl->cfi_table[0x2f + 4 * i] = sector_len_per_device >> 8;
+pfl->cfi_table[0x30 + 4 * i] = sector_len_per_device >> 16;
+}
+assert(0x2c + 4 * nb_regions < pri_ofs);
+
+/* Extended */
+pfl->cfi_table[0x00 + pri_ofs] = 'P';
+pfl->cfi_table[0x01 + pri_ofs] = 'R';
+pfl->cfi_table[0x02 + pri_ofs] = 'I';
+
+/* Extended version 1.0 */
+pfl->cfi_table[0x03 + pri_ofs] = '1';
+pfl->cfi_table[0x04 + pri_ofs] = '0';
+
+/* Address sensitive unlock required. */
+pfl->cfi_table[0x05 + pri_ofs] = 0x00;
+/* Erase suspend to read/write. */
+pfl->cfi_table[0x06 + pri_ofs] = 0x02;
+/* Sector protect not supported. */
+pfl->cfi_table[0x07 + pri_ofs] = 0x00;
+/* Temporary sector unprotect not supported. */
+pfl->cfi_table[0x08 + pri_ofs] = 0x00;
+
+/* Sector protect/unprotect scheme. */
+pfl->cfi_table[0x09 + pri_ofs] = 0x00;
+
+/* Simultaneous operation not supported. */
+pfl->cfi_table[0x0a + pri_ofs] = 0x00;
+/* Burst mode not supported. */
+pfl->cfi_table[0x0b + pri_ofs] = 0x00;
+/* Page mode not supported. */
+pfl->cfi_table[0x0c + pri_ofs] = 0x00;
+assert(0x0c + pri_ofs < ARRAY_SIZE(pfl->cfi_table));
+}
+
 static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
 {
 ERRP_GUARD();
@@ -837,100 +935,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error 
**errp)
 pfl->cmd = 0;
 pfl->status = 0;
 
-/* Hardcoded CFI table (mostly from SG29 Spansion flash) */
-const uint16_t pri_ofs = 0x40;
-/* Standard "QRY" string */
-pfl->cfi_table[0x10] = 'Q';
-pfl->cfi_table[0x11] = 'R';
-pfl->cfi_table[0x12] = 'Y';
-/* Command set (AMD/Fujitsu) */
-pfl->cfi_table[0x13] = 0x02;
-pfl->cfi_table[0x14] = 0x00;
-/* Primary extended table address */
-pfl->cfi_table[0x15] = pri_ofs;
-pfl->cfi_table[0x16] = pri_ofs >> 8;
-/* Alternate command set (none) */
-pfl->cfi_table[0x17] = 0x00;
-pfl->cfi_table[0x18] = 0x00;
-/* Alternate extended table (none) */
-pf

[PATCH 5/9] hw/block/pflash_cfi02: Open-code pflash_register_memory(rom=false)

There is only one call to pflash_register_memory() with
rom_mode == false. As we want to modify pflash_register_memory()
in the next patch, open-code this trivial function in place for
the 'rom_mode == false' case.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi02.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 5f949b4c792..4efbae2f0c9 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -467,8 +467,10 @@ static void pflash_write(void *opaque, hwaddr offset, 
uint64_t value,
 switch (pfl->wcycle) {
 case 0:
 /* Set the device in I/O access mode if required */
-if (pfl->rom_mode)
-pflash_register_memory(pfl, 0);
+if (pfl->rom_mode) {
+pfl->rom_mode = false;
+memory_region_rom_device_set_romd(&pfl->orig_mem, false);
+}
 pfl->read_counter = 0;
 /* We're in read mode */
 check_unlock0:
-- 
2.26.2

[PATCH 2/9] hw/block/pflash_cfi01: Extract pflash_cfi01_fill_cfi_table()

Fill the CFI table in out of DeviceRealize() in a new function:
pflash_cfi01_fill_cfi_table().

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi01.c | 140 +---
 1 file changed, 73 insertions(+), 67 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index b6919bbe474..03472ea5b64 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -704,30 +704,11 @@ static const MemoryRegionOps pflash_cfi01_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
+static void pflash_cfi01_fill_cfi_table(PFlashCFI01 *pfl)
 {
-ERRP_GUARD();
-PFlashCFI01 *pfl = PFLASH_CFI01(dev);
-uint64_t total_len;
-int ret;
 uint64_t blocks_per_device, sector_len_per_device, device_len;
 int num_devices;
 
-if (pfl->sector_len == 0) {
-error_setg(errp, "attribute \"sector-length\" not specified or zero.");
-return;
-}
-if (pfl->nb_blocs == 0) {
-error_setg(errp, "attribute \"num-blocks\" not specified or zero.");
-return;
-}
-if (pfl->name == NULL) {
-error_setg(errp, "attribute \"name\" not specified.");
-return;
-}
-
-total_len = pfl->sector_len * pfl->nb_blocs;
-
 /*
  * These are only used to expose the parameters of each device
  * in the cfi_table[].
@@ -742,53 +723,6 @@ static void pflash_cfi01_realize(DeviceState *dev, Error 
**errp)
 }
 device_len = sector_len_per_device * blocks_per_device;
 
-memory_region_init_rom_device(
-&pfl->mem, OBJECT(dev),
-&pflash_cfi01_ops,
-pfl,
-pfl->name, total_len, errp);
-if (*errp) {
-return;
-}
-
-pfl->storage = memory_region_get_ram_ptr(&pfl->mem);
-sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
-
-if (pfl->blk) {
-uint64_t perm;
-pfl->ro = !blk_supports_write_perm(pfl->blk);
-perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE);
-ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp);
-if (ret < 0) {
-return;
-}
-} else {
-pfl->ro = 0;
-}
-
-if (pfl->blk) {
-if (!blk_check_size_and_read_all(pfl->blk, pfl->storage, total_len,
- errp)) {
-vmstate_unregister_ram(&pfl->mem, DEVICE(pfl));
-return;
-}
-}
-
-/*
- * Default to devices being used at their maximum device width. This was
- * assumed before the device_width support was added.
- */
-if (!pfl->max_device_width) {
-pfl->max_device_width = pfl->device_width;
-}
-
-pfl->wcycle = 0;
-/*
- * The command 0x00 is not assigned by the CFI open standard,
- * but QEMU historically uses it for the READ_ARRAY command (0xff).
- */
-pfl->cmd = 0x00;
-pfl->status = 0x80; /* WSM ready */
 /* Hardcoded CFI table */
 /* Standard "QRY" string */
 pfl->cfi_table[0x10] = 'Q';
@@ -876,6 +810,78 @@ static void pflash_cfi01_realize(DeviceState *dev, Error 
**errp)
 pfl->cfi_table[0x3f] = 0x01; /* Number of protection fields */
 }
 
+static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
+{
+ERRP_GUARD();
+PFlashCFI01 *pfl = PFLASH_CFI01(dev);
+uint64_t total_len;
+int ret;
+
+if (pfl->sector_len == 0) {
+error_setg(errp, "attribute \"sector-length\" not specified or zero.");
+return;
+}
+if (pfl->nb_blocs == 0) {
+error_setg(errp, "attribute \"num-blocks\" not specified or zero.");
+return;
+}
+if (pfl->name == NULL) {
+error_setg(errp, "attribute \"name\" not specified.");
+return;
+}
+
+total_len = pfl->sector_len * pfl->nb_blocs;
+
+memory_region_init_rom_device(
+&pfl->mem, OBJECT(dev),
+&pflash_cfi01_ops,
+pfl,
+pfl->name, total_len, errp);
+if (*errp) {
+return;
+}
+
+pfl->storage = memory_region_get_ram_ptr(&pfl->mem);
+sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
+
+if (pfl->blk) {
+uint64_t perm;
+pfl->ro = !blk_supports_write_perm(pfl->blk);
+perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE);
+ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp);
+if (ret < 0) {
+return;
+}
+} else {
+pfl->ro = 0;
+}
+
+if (pfl->blk) {
+if (!blk_check_size_and_read_all(pfl->blk, pfl->storage, total_len,
+ errp)) {
+vmstate_unregister_ram(&pfl->mem, DEVICE(pfl));
+return;
+}
+}
+
+/*
+ * Default to devices being used at their maximum device width. This was
+ * assumed before the device_width support was added.
+ */
+if (!pfl->max_device_width) {
+pfl->max_device_width = pfl->device_width;
+}
+
+pfl->wcycle

[PATCH 1/9] hw/block/pflash_cfi: Fix code style for checkpatch.pl

We are going to move this code, fix its style first.

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/block/pflash_cfi01.c | 36 
 hw/block/pflash_cfi02.c |  9 ++---
 2 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index 22287a1522e..b6919bbe474 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -115,7 +115,8 @@ static const VMStateDescription vmstate_pflash = {
 }
 };
 
-/* Perform a CFI query based on the bank width of the flash.
+/*
+ * Perform a CFI query based on the bank width of the flash.
  * If this code is called we know we have a device_width set for
  * this flash.
  */
@@ -125,7 +126,8 @@ static uint32_t pflash_cfi_query(PFlashCFI01 *pfl, hwaddr 
offset)
 uint32_t resp = 0;
 hwaddr boff;
 
-/* Adjust incoming offset to match expected device-width
+/*
+ * Adjust incoming offset to match expected device-width
  * addressing. CFI query addresses are always specified in terms of
  * the maximum supported width of the device.  This means that x8
  * devices and x8/x16 devices in x8 mode behave differently.  For
@@ -141,7 +143,8 @@ static uint32_t pflash_cfi_query(PFlashCFI01 *pfl, hwaddr 
offset)
 if (boff >= sizeof(pfl->cfi_table)) {
 return 0;
 }
-/* Now we will construct the CFI response generated by a single
+/*
+ * Now we will construct the CFI response generated by a single
  * device, then replicate that for all devices that make up the
  * bus.  For wide parts used in x8 mode, CFI query responses
  * are different than native byte-wide parts.
@@ -185,7 +188,8 @@ static uint32_t pflash_devid_query(PFlashCFI01 *pfl, hwaddr 
offset)
 uint32_t resp;
 hwaddr boff;
 
-/* Adjust incoming offset to match expected device-width
+/*
+ * Adjust incoming offset to match expected device-width
  * addressing. Device ID read addresses are always specified in
  * terms of the maximum supported width of the device.  This means
  * that x8 devices and x8/x16 devices in x8 mode behave
@@ -198,7 +202,8 @@ static uint32_t pflash_devid_query(PFlashCFI01 *pfl, hwaddr 
offset)
 boff = offset >> (ctz32(pfl->bank_width) +
   ctz32(pfl->max_device_width) - ctz32(pfl->device_width));
 
-/* Mask off upper bits which may be used in to query block
+/*
+ * Mask off upper bits which may be used in to query block
  * or sector lock status at other addresses.
  * Offsets 2/3 are block lock status, is not emulated.
  */
@@ -297,7 +302,8 @@ static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr offset,
 case 0x60: /* Block /un)lock */
 case 0x70: /* Status Register */
 case 0xe8: /* Write block */
-/* Status register read.  Return status from each device in
+/*
+ * Status register read.  Return status from each device in
  * bank.
  */
 ret = pfl->status;
@@ -308,7 +314,8 @@ static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr offset,
 shift += pfl->device_width * 8;
 }
 } else if (!pfl->device_width && width > 2) {
-/* Handle 32 bit flash cases where device width is not
+/*
+ * Handle 32 bit flash cases where device width is not
  * set. (Existing behavior before device width added.)
  */
 ret |= pfl->status << 16;
@@ -340,7 +347,8 @@ static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr offset,
 break;
 }
 } else {
-/* If we have a read larger than the bank_width, combine multiple
+/*
+ * If we have a read larger than the bank_width, combine multiple
  * manufacturer/device ID queries into a single response.
  */
 int i;
@@ -367,7 +375,8 @@ static uint32_t pflash_read(PFlashCFI01 *pfl, hwaddr offset,
 ret = 0;
 }
 } else {
-/* If we have a read larger than the bank_width, combine multiple
+/*
+ * If we have a read larger than the bank_width, combine multiple
  * CFI queries into a single response.
  */
 int i;
@@ -544,7 +553,8 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
 
 break;
 case 0xe8:
-/* Mask writeblock size based on device width, or bank width if
+/*
+ * Mask writeblock size based on device width, or bank width if
  * device width not specified.
  */
 /* FIXME check @offset, @width */
@@ -718,7 +728,8 @@ static void pflash_cfi01_realize(DeviceState *dev, Error 
**errp)
 
 total_len = pfl->sector_len * pfl->nb_blocs;
 
-/* These are only used to expose the parameters of each device
+/*
+ * These are only used to expose the parameters of each devic

[PATCH 0/9] hw/block/pflash: Refactors around setting the device in read-array mode

I remembered this almost 2 years old series while reviewing
David Edmondson's patches... (which I plan to apply on top).

Basically we move things around to make the code easier to maintain.

Please review :)

Regards,

Phil.

Philippe Mathieu-Daudé (9):
  hw/block/pflash_cfi: Fix code style for checkpatch.pl
  hw/block/pflash_cfi01: Extract pflash_cfi01_fill_cfi_table()
  hw/block/pflash_cfi02: Extract pflash_cfi02_fill_cfi_table()
  hw/block/pflash_cfi02: Set rom_mode to true in pflash_setup_mappings()
  hw/block/pflash_cfi02: Open-code pflash_register_memory(rom=false)
  hw/block/pflash_cfi02: Rename register_memory(true) as mode_read_array
  hw/block/pflash_cfi02: Factor out DeviceReset method
  hw/block/pflash_cfi01: Clarify trace events
  hw/block/pflash_cfi01: Extract pflash_mode_read_array()

 hw/block/pflash_cfi01.c | 201 +
 hw/block/pflash_cfi02.c | 238 +---
 hw/block/trace-events   |   1 +
 3 files changed, 235 insertions(+), 205 deletions(-)

-- 
2.26.2

Re: [PATCH] hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM


On Tue, 9 Mar 2021, Philippe Mathieu-Daudé wrote:

ping for review?


This is included in my pegasos2 series as 6/8 replacing half of a similar 
patch from my original version. Since I've reported it I don't think I 
should be also reviewing it but it's quite trivial so may not need that 
much review.


Regards,
BALATON Zoltan


On 3/2/21 9:05 AM, Philippe Mathieu-Daudé wrote:

TYPE_VIA_PM calls apm_init() in via_pm_realize(), so
requires APM to be selected.

Reported-by: BALATON Zoltan 
Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/isa/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/isa/Kconfig b/hw/isa/Kconfig
index c7f07854f7e..9c026d0c510 100644
--- a/hw/isa/Kconfig
+++ b/hw/isa/Kconfig
@@ -47,6 +47,7 @@ config VT82C686
 select ACPI_SMBUS
 select SERIAL_ISA
 select FDC
+select APM

 config SMC37C669
 bool

Re: [PATCH] vfio: Support host translation granule size

2021-03-09 Thread Alex Williamson

On Thu, 4 Mar 2021 21:34:46 +0800
Kunkun Jiang  wrote:

> The cpu_physical_memory_set_dirty_lebitmap() can quickly deal with
> the dirty pages of memory by bitmap-traveling, regardless of whether
> the bitmap is aligned correctly or not.
> 
> cpu_physical_memory_set_dirty_lebitmap() supports pages in bitmap of
> host page size. So it'd better to set bitmap_pgsize to host page size
> to support more translation granule sizes.
> 
> Fixes: 87ea529c502 (vfio: Get migration capability flags for container)
> Signed-off-by: Kunkun Jiang 
> ---
>  hw/vfio/common.c | 44 ++--
>  1 file changed, 22 insertions(+), 22 deletions(-)
> 
> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
> index 6ff1daa763..69fb5083a4 100644
> --- a/hw/vfio/common.c
> +++ b/hw/vfio/common.c
> @@ -378,7 +378,7 @@ static int vfio_dma_unmap_bitmap(VFIOContainer *container,
>  {
>  struct vfio_iommu_type1_dma_unmap *unmap;
>  struct vfio_bitmap *bitmap;
> -uint64_t pages = TARGET_PAGE_ALIGN(size) >> TARGET_PAGE_BITS;
> +uint64_t pages = REAL_HOST_PAGE_ALIGN(size) / qemu_real_host_page_size;
>  int ret;
>  
>  unmap = g_malloc0(sizeof(*unmap) + sizeof(*bitmap));
> @@ -390,12 +390,12 @@ static int vfio_dma_unmap_bitmap(VFIOContainer 
> *container,
>  bitmap = (struct vfio_bitmap *)&unmap->data;
>  
>  /*
> - * cpu_physical_memory_set_dirty_lebitmap() expects pages in bitmap of
> - * TARGET_PAGE_SIZE to mark those dirty. Hence set bitmap_pgsize to
> - * TARGET_PAGE_SIZE.
> + * cpu_physical_memory_set_dirty_lebitmap() supports pages in bitmap of
> + * qemu_real_host_page_size to mark those dirty. Hence set bitmap_pgsize
> + * to qemu_real_host_page_size.


I don't see that this change is well supported by the code,
cpu_physical_memory_set_dirty_lebitmap() seems to operate on
TARGET_PAGE_SIZE, and the next three patch chunks take a detour through
memory listener code that seem unrelated to the change described in the
commit log.  This claims to fix something, what is actually broken?
Thanks,

Alex

>   */
>  
> -bitmap->pgsize = TARGET_PAGE_SIZE;
> +bitmap->pgsize = qemu_real_host_page_size;
>  bitmap->size = ROUND_UP(pages, sizeof(__u64) * BITS_PER_BYTE) /
> BITS_PER_BYTE;
>  
> @@ -674,16 +674,16 @@ static void vfio_listener_region_add(MemoryListener 
> *listener,
>  return;
>  }
>  
> -if (unlikely((section->offset_within_address_space & ~TARGET_PAGE_MASK) 
> !=
> - (section->offset_within_region & ~TARGET_PAGE_MASK))) {
> +if (unlikely((section->offset_within_address_space & 
> ~qemu_real_host_page_mask) !=
> + (section->offset_within_region & 
> ~qemu_real_host_page_mask))) {
>  error_report("%s received unaligned region", __func__);
>  return;
>  }
>  
> -iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
> +iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
>  llend = int128_make64(section->offset_within_address_space);
>  llend = int128_add(llend, section->size);
> -llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
> +llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
>  
>  if (int128_ge(int128_make64(iova), llend)) {
>  return;
> @@ -892,8 +892,8 @@ static void vfio_listener_region_del(MemoryListener 
> *listener,
>  return;
>  }
>  
> -if (unlikely((section->offset_within_address_space & ~TARGET_PAGE_MASK) 
> !=
> - (section->offset_within_region & ~TARGET_PAGE_MASK))) {
> +if (unlikely((section->offset_within_address_space & 
> ~qemu_real_host_page_mask) !=
> + (section->offset_within_region & 
> ~qemu_real_host_page_mask))) {
>  error_report("%s received unaligned region", __func__);
>  return;
>  }
> @@ -921,10 +921,10 @@ static void vfio_listener_region_del(MemoryListener 
> *listener,
>   */
>  }
>  
> -iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
> +iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
>  llend = int128_make64(section->offset_within_address_space);
>  llend = int128_add(llend, section->size);
> -llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
> +llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
>  
>  if (int128_ge(int128_make64(iova), llend)) {
>  return;
> @@ -1004,13 +1004,13 @@ static int vfio_get_dirty_bitmap(VFIOContainer 
> *container, uint64_t iova,
>  range->size = size;
>  
>  /*
> - * cpu_physical_memory_set_dirty_lebitmap() expects pages in bitmap of
> - * TARGET_PAGE_SIZE to mark those dirty. Hence set bitmap's pgsize to
> - * TARGET_PAGE_SIZE.
> + * cpu_physical_memory_set_dirty_lebitmap() supports pages in bitmap of
> + * qemu_real_host_page_size to mark those dirty. Hence set bitmap's 
> pgsize
> +

Re: [PATCH] docs/system: Document the removal of "compat" property for POWER CPUs

2021-03-09 Thread Greg Kurz

On Tue, 9 Mar 2021 21:52:40 +0100
Laurent Vivier  wrote:

> Le 22/02/2021 à 12:28, Greg Kurz a écrit :
> > This is just an oversight.
> > 
> > Fixes: f518be3aa35b ("target/ppc: Remove "compat" property of server class 
> > POWER CPUs")
> > Cc: gr...@kaod.org
> > Signed-off-by: Greg Kurz 
> > ---
> >  docs/system/removed-features.rst |6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/docs/system/removed-features.rst 
> > b/docs/system/removed-features.rst
> > index c8481cafbd5c..04ffa90d48ca 100644
> > --- a/docs/system/removed-features.rst
> > +++ b/docs/system/removed-features.rst
> > @@ -115,6 +115,12 @@ The RISC-V no MMU cpus have been removed. The two 
> > CPUs: ``rv32imacu-nommu`` and
> >  ``rv64imacu-nommu`` can no longer be used. Instead the MMU status can be 
> > specified
> >  via the CPU ``mmu`` option when using the ``rv32`` or ``rv64`` CPUs.
> >  
> > +``compat`` property of server class POWER CPUs (removed in 6.0)
> > +'''
> > +
> > +The ``max-cpu-compat`` property of the ``pseries`` machine type should be 
> > used
> > +instead.
> > +
> >  System emulator machines
> >  
> >  
> 
> Reviewed-by: Laurent Vivier 
> 

I was thinking this was simple enough to go through the trivial tree. :)

Re: [PATCH 3/4] vhost-user: Monitor slave channel in vhost_user_read()

2021-03-09 Thread Greg Kurz

On Tue, 9 Mar 2021 15:18:56 +
Stefan Hajnoczi  wrote:

> On Mon, Mar 08, 2021 at 01:31:40PM +0100, Greg Kurz wrote:
> > @@ -363,8 +367,30 @@ static int vhost_user_read(struct vhost_dev *dev, 
> > VhostUserMsg *msg)
> >  qemu_chr_be_update_read_handlers(chr->chr, ctxt);
> >  qemu_chr_fe_add_watch(chr, G_IO_IN | G_IO_HUP, vhost_user_read_cb, 
> > &data);
> >  
> > +if (u->slave_ioc) {
> > +/*
> > + * This guarantees that all pending events in the main context
> > + * for the slave channel are purged. They will be re-detected
> > + * and processed now by the nested loop.
> > + */
> > +g_source_destroy(u->slave_src);
> > +g_source_unref(u->slave_src);
> > +u->slave_src = NULL;
> > +slave_src = qio_channel_add_watch_source(u->slave_ioc, G_IO_IN,
> 
> Why does slave_ioc use G_IO_IN while chr uses G_IO_IN | G_IO_HUP?

Oops my bad... this is copy&paste of the change introduced in
vhost_setup_slave_channel() by patch 2, which is lacking G_IO_HUP.

It should even actually be G_IO_IN | G_IO_HUP | G_IO_ERR to match
what was done before when calling qemu_set_fd_handler() and which
is recommended by the glib documentation:

https://developer.gnome.org/glib/stable/glib-The-Main-Event-Loop.html#GPollFD

So I'm now wondering why callers of qemu_chr_fe_add_watch() never pass
G_IO_ERR... I'll sort this out for v2.


pgpZiEMV5piwF.pgp
Description: OpenPGP digital signature

Re: [PATCH v2] MAINTAINERS: Fix the location of tools manuals

2021-03-09 Thread Greg Kurz

On Tue, 9 Mar 2021 20:48:40 +0100
Thomas Huth  wrote:

> On 09/03/2021 18.41, Wainer dos Santos Moschetta wrote:
> > Hi,
> > 
> > Any issue that prevent this of being queued?
> 
> Maybe it's just not clear who should take the patch ... CC:-ing qemu-trivial 
> and qemu-block now, since I think it could go through the trivial or block 
> tree.
> 

For the virtfs change:

Acked-by: Greg Kurz 

> > On 2/4/21 10:59 AM, Philippe Mathieu-Daudé wrote:
> >> On 2/4/21 2:54 PM, Wainer dos Santos Moschetta wrote:
> >>> The qemu-img.rst, qemu-nbd.rst, virtfs-proxy-helper.rst, 
> >>> qemu-trace-stap.rst,
> >>> and virtiofsd.rst manuals were moved to docs/tools, so this update 
> >>> MAINTAINERS
> >>> accordingly.
> >>>
> >>> Fixes: a08b4a9fe6c ("docs: Move tools documentation to tools manual")
> >>> Signed-off-by: Wainer dos Santos Moschetta 
> >>> ---
> >>> v1: was "MAINTAINERS: Fix the location of virtiofsd.rst"
> >>> v2: Fixed the location of all files [philmd]
> >>>
> >>>   MAINTAINERS | 10 +-
> >>>   1 file changed, 5 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/MAINTAINERS b/MAINTAINERS
> >>> index 00626941f1..174425a941 100644
> >>> --- a/MAINTAINERS
> >>> +++ b/MAINTAINERS
> >>> @@ -1829,7 +1829,7 @@ S: Odd Fixes
> >>>   F: hw/9pfs/
> >>>   X: hw/9pfs/xen-9p*
> >>>   F: fsdev/
> >>> -F: docs/interop/virtfs-proxy-helper.rst
> >>> +F: docs/tools/virtfs-proxy-helper.rst
> 
> FWIW:
> Reviewed-by: Thomas Huth 
>

Re: [PATCH] tests/acceptance: Print expected message on wait_for_console_pattern

2021-03-09 Thread Joel Stanley

On Tue, 9 Mar 2021 at 16:00, Wainer dos Santos Moschetta
 wrote:
>
> For the sake of improve debuggability of tests which use the
> wait_for_console_pattern(), this changed the _console_interaction() so that
> the expected message is printed if the test fail.
>
> Signed-off-by: Wainer dos Santos Moschetta 
> ---
> While I was testing  "[PATCH v2 2/2] tests/acceptance: Test ast2600 machine"
> I could not clearly determine which of the called wait_for_console_pattern()
> was failing. So this patch improves debuggability in such as situations.

Nice!

Reviewed-by: Joel Stanley 

>
>  tests/acceptance/avocado_qemu/__init__.py | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/tests/acceptance/avocado_qemu/__init__.py 
> b/tests/acceptance/avocado_qemu/__init__.py
> index df167b142c..ed338caaba 100644
> --- a/tests/acceptance/avocado_qemu/__init__.py
> +++ b/tests/acceptance/avocado_qemu/__init__.py
> @@ -97,7 +97,8 @@ def _console_interaction(test, success_message, 
> failure_message,
>  break
>  if failure_message and failure_message in msg:
>  console.close()
> -fail = 'Failure message found in console: %s' % failure_message
> +fail = 'Failure message found in console: "%s". Expected: "%s"' 
> % \
> +(failure_message, success_message)
>  test.fail(fail)
>
>  def interrupt_interactive_console_until_pattern(test, success_message,
> --
> 2.29.2
>
>

Re: [PATCH 0/3] target/tricore: Pass MMUAccessType to get_physical_address()

On 2/10/21 1:12 PM, Bastian Koppelmann wrote:
> Hi,
> 
> On Wed, Jan 27, 2021 at 11:42:52PM +0100, Philippe Mathieu-Daudé wrote:
>> Taking notes while reviewing commit 671a0a1265a
>> ("use MMUAccessType instead of int in mmu_translate").
>>
>> Philippe Mathieu-Daudé (3):
>>   target/tricore: Replace magic value by MMU_DATA_LOAD definition
>>   target/tricore: Pass MMUAccessType to get_physical_address()
>>   target/tricore: Remove unused definitions
>>
>>  target/tricore/cpu.h| 12 
>>  target/tricore/helper.c |  9 -
>>  2 files changed, 4 insertions(+), 17 deletions(-)
> 
> Thanks for the cleanup. I applied it to my tricore.next queue.

Thanks Bastian!

Phil.

Re: [PATCH v5 4/8] vt82c686: Introduce abstract TYPE_VIA_ISA and base vt82c686b_isa on it

On Tue, Mar 09, 2021 at 10:12:24AM +0100, Philippe Mathieu-Daudé wrote:
> On 3/5/21 2:02 AM, David Gibson wrote:
> > On Thu, Mar 04, 2021 at 11:42:10PM +0100, Philippe Mathieu-Daudé wrote:
> >> On 3/4/21 9:16 PM, BALATON Zoltan wrote:
> >>> On Thu, 4 Mar 2021, Philippe Mathieu-Daudé wrote:
>  On 3/2/21 10:11 PM, BALATON Zoltan wrote:
> > To allow reusing ISA bridge emulation for vt8231_isa move the device
> > state of vt82c686b_isa emulation in an abstract via_isa class.
> >
> > Signed-off-by: BALATON Zoltan 
> > ---
> >  hw/isa/vt82c686.c    | 70 ++--
> >  include/hw/pci/pci_ids.h |  2 +-
> >  2 files changed, 40 insertions(+), 32 deletions(-)
> >
> > diff --git a/hw/isa/vt82c686.c b/hw/isa/vt82c686.c
> > index 72234bc4d1..5137f97f37 100644
> > --- a/hw/isa/vt82c686.c
> > +++ b/hw/isa/vt82c686.c
> > @@ -609,24 +609,48 @@ static const TypeInfo vt8231_superio_info = {
> >  };
> >
> >
> > -OBJECT_DECLARE_SIMPLE_TYPE(VT82C686BISAState, VT82C686B_ISA)
> > +#define TYPE_VIA_ISA "via-isa"
> > +OBJECT_DECLARE_SIMPLE_TYPE(ViaISAState, VIA_ISA)
> >
> > -struct VT82C686BISAState {
> > +struct ViaISAState {
> >  PCIDevice dev;
> >  qemu_irq cpu_intr;
> >  ViaSuperIOState *via_sio;
> >  };
> >
> > +static const VMStateDescription vmstate_via = {
> > +    .name = "via-isa",
> 
>  You changed the migration stream name, so I think we have
>  a problem with migration... No clue how to do that properly.
> >>>
> >>> I don't think these machines support migration or state description of
> >>> vt86c686b was not missing something before these patches that would make
> >>> it not work anyway so I did not worry about this too much. I doubt
> >>> anybody wants to migrate a fuloong2e machine so this should not be a
> >>> problem in practice but maybe you can mention it in the release notes if
> >>> you think that would be necessary.
> >>
> >> Maybe just add in the description:
> >>
> >>  This change breaks migration back compatibility, but
> >>  this is not an issue for the Fuloong2E machine.
> > 
> > Hrm.  If migration was never supported, why is there a vmstate
> > description there at all though?
> > 
> > That said, I don't think breaking compat is a problem: that's only an
> > issue where we actually have versioned machine types, which covers
> > only pc, pseries, arm virt and a very few others.  I don't think this
> > device was used on any of them.
> 
> OK. Can you provide a formal Ack-by tag then? :)

Not really - this device isn't within the things I maintain, and I
don't really understand it.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature

Re: [PATCH] hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM

ping for review?

On 3/2/21 9:05 AM, Philippe Mathieu-Daudé wrote:
> TYPE_VIA_PM calls apm_init() in via_pm_realize(), so
> requires APM to be selected.
> 
> Reported-by: BALATON Zoltan 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/isa/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/hw/isa/Kconfig b/hw/isa/Kconfig
> index c7f07854f7e..9c026d0c510 100644
> --- a/hw/isa/Kconfig
> +++ b/hw/isa/Kconfig
> @@ -47,6 +47,7 @@ config VT82C686
>  select ACPI_SMBUS
>  select SERIAL_ISA
>  select FDC
> +select APM
>  
>  config SMC37C669
>  bool
>

Re: [PATCH v2] tests/acceptance: Add bFLT loader linux-user test

ping?

On 2/14/21 8:45 PM, Philippe Mathieu-Daudé wrote:
> Add a very quick test that runs a busybox binary in bFLT format:
> 
>   $ avocado --show=app run -t linux_user tests/acceptance/load_bflt.py
>   JOB ID : db94d5960ce564c50904d666a7e259148c27e88f
>   JOB LOG: ~/avocado/job-results/job-2019-06-25T10.52-db94d59/job.log
>(1/1) tests/acceptance/load_bflt.py:LoadBFLT.test_stm32: PASS (0.15 s)
>   RESULTS: PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | 
> CANCEL 0
>   JOB TIME   : 0.54 s
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Based-on: <20210214175912.732946-1-f4...@amsat.org>
>   tests/acceptance: Extract QemuBaseTest from Test
>   tests/acceptance: Make pick_default_qemu_bin() more generic
>   tests/acceptance: Introduce QemuUserTest base class
> ---
>  tests/acceptance/load_bflt.py | 51 +++
>  1 file changed, 51 insertions(+)
>  create mode 100644 tests/acceptance/load_bflt.py
> 
> diff --git a/tests/acceptance/load_bflt.py b/tests/acceptance/load_bflt.py
> new file mode 100644
> index 000..4b7796d0775
> --- /dev/null
> +++ b/tests/acceptance/load_bflt.py
> @@ -0,0 +1,51 @@
> +# Test the bFLT format
> +#
> +# Copyright (C) 2019 Philippe Mathieu-Daudé 
> +#
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +
> +import os
> +import bz2
> +import subprocess
> +
> +from avocado_qemu import QemuUserTest
> +
> +
> +class LoadBFLT(QemuUserTest):
> +
> +def extract_cpio(self, cpio_path):
> +"""
> +Extracts a cpio archive into the test workdir
> +
> +:param cpio_path: path to the cpio archive
> +"""
> +cwd = os.getcwd()
> +os.chdir(self.workdir)
> +with bz2.open(cpio_path, 'rb') as archive_cpio:
> +subprocess.run(['cpio', '-i'], input=archive_cpio.read(),
> +   stderr=subprocess.DEVNULL)
> +os.chdir(cwd)
> +
> +@skipUnless(os.getenv('AVOCADO_ALLOW_UNTRUSTED_CODE'), 'untrusted code')
> +def test_stm32(self):
> +"""
> +:avocado: tags=arch:arm
> +:avocado: tags=linux_user
> +:avocado: tags=quick
> +"""
> +# See https://elinux.org/STM32#User_Space
> +rootfs_url = ('https://elinux.org/images/5/51/'
> +  'Stm32_mini_rootfs.cpio.bz2')
> +rootfs_hash = '9f065e6ba40cce7411ba757f924f30fcc57951e6'
> +rootfs_path_bz2 = self.fetch_asset(rootfs_url, 
> asset_hash=rootfs_hash)
> +busybox_path = self.workdir + "/bin/busybox"
> +
> +self.extract_cpio(rootfs_path_bz2)
> +
> +res = self.run(busybox_path)
> +ver = 'BusyBox v1.24.0.git (2015-02-03 22:17:13 CET) multi-call 
> binary.'
> +self.assertIn(ver, res.stdout_text)
> +
> +res = self.run(busybox_path, ['uname', '-a'])
> +unm = 'armv7l GNU/Linux'
> +self.assertIn(unm, res.stdout_text)
>

Re: [PATCH v5 0/4] qapi: Restrict X86 features to X86 targets

ping?

On 2/24/21 11:46 PM, Philippe Mathieu-Daudé wrote:
> Since v4:
> - Rebase on Claudio's work to avoid stub
> 
> This series restrict the 'feature-words' property to the x86
> architecture (other archs don't have it), and to system-mode
> (user-mode doesn't use it).
> 
> v4: https://www.mail-archive.com/qemu-devel@nongnu.org/msg746628.html
> 
> Supersedes: <20201001144152.1555659-1-phi...@redhat.com>
> Based-on: <20210224133428.14071-1-cfont...@suse.de>
> 
> Philippe Mathieu-Daudé (4):
>   target/i386/cpu: Introduce get_register_enum_32() helper
>   target/i386/cpu: Restrict x86_cpu_get_feature_words to sysemu
>   qapi: Move X86 specific types to machine-target.json
>   qapi/machine-target: Restrict X86 features to X86 targets
> 
>  qapi/machine-target.json   | 45 ++
>  qapi/machine.json  | 42 ---
>  target/i386/cpu-internal.h |  7 ++
>  target/i386/cpu-softmmu.c  | 36 ++
>  target/i386/cpu.c  | 45 +++---
>  5 files changed, 96 insertions(+), 79 deletions(-)
>

Re: [PULL 00/18] testing, docs, semihosting move and guest-loader

On 3/9/21 7:37 PM, Alex Bennée wrote:
> 
> Peter Maydell  writes:
> 
>> On Mon, 8 Mar 2021 at 13:51, Alex Bennée  wrote:
>>>
>>> The following changes since commit 91e92cad67caca3bc4b8e920ddb5c8ca64aac9e1:
>>>
>>>   Merge remote-tracking branch 'remotes/cohuck-gitlab/tags/s390x-20210305' 
>>> into staging (2021-03-05 19:04:47 +)
>>>
>>> are available in the Git repository at:
>>>
>>>   https://github.com/stsquad/qemu.git 
>>> tags/pull-testing-docs-xen-updates-080321-1
>>>
>>> for you to fetch changes up to 8109b8cadf5979a29b4b6e1ca7288bc0ee676426:
>>>
>>>   semihosting: Move hw/semihosting/ -> semihosting/ (2021-03-08 12:15:05 
>>> +)
>>>
>>> 
>>> Testing, guest-loader and other misc tweaks
>>>
>>>   - add warning text to quickstart example
>>>   - add support for hexagon check-tcg tests
>>>   - add CFI tests to CI
>>>   - use --arch-only for docker pre-requisites
>>>   - fix .editorconfig for emacs
>>>   - add guest-loader for Xen-like hypervisor testing
>>>   - move generic-loader docs into manual proper
>>>   - move semihosting out of hw/
>>
>> Fails on x86-64 trying to do something with docker:
>>
>> make: Entering directory
>> '/home/petmay01/linaro/qemu-for-merges/build/all-linux-static'
>> /home/petmay01/linaro/qemu-for-merges/tests/docker/docker.py --engine
>> auto build -t qemu/debian-hexagon-cross -f
>> /home/petmay01/linaro/qemu-for-merges/tests/docker/dockerfiles/debian-hexagon-cross.docker
>>   --registry registry.gitlab.com/qemu-project/qemu --add-current-user
>> --extra-files 
>> /home/petmay01/linaro/qemu-for-merges/tests/docker/dockerfiles/debian-hexagon-cross.docker.d/build-toolchain.sh
>> Using default tag: latest
>> latest: Pulling from qemu-project/qemu/qemu/debian10
>> Digest: 
>> sha256:4f96b88d2c3cf59d46d6173d86f240ef7b4f2b68509e6e5eec7b179aa1bfbf74
>> Status: Image is up to date for
>> registry.gitlab.com/qemu-project/qemu/qemu/debian10:latest
>> Using default tag: latest
>> latest: Pulling from qemu-project/qemu/qemu/debian-hexagon-cross
>> 45b42c59be33: Already exists
>> 7a55fd5ded7c: Already exists
>> [...]
>>
>> 40ae5f465547: Pull complete
>> Digest: 
>> sha256:c5f3e6f6a761c17570945059e60297352380379f9222fe444f998c6ea7e9d4ce
>> Status: Downloaded newer image for
>> registry.gitlab.com/qemu-project/qemu/qemu/debian-hexagon-cross:latest

^ until here, all good.

>>
>> #1 [internal] load build definition from tmplp8d2u1p.docker
>> #1   digest:
>> sha256:639f37ba0ced2cf59254e62ec107d1d7ccd627d6876fb2b465f50c88c4baa44d
>> #1 name: "[internal] load build definition from tmplp8d2u1p.docker"
>> #1  started: 2021-03-09 16:53:55.092177401 + UTC
>> #1completed: 2021-03-09 16:53:55.092271396 + UTC
>> #1 duration: 93.995µs
>> #1  started: 2021-03-09 16:53:55.092598107 + UTC
>> #1completed: 2021-03-09 16:53:55.188002068 + UTC
>> #1 duration: 95.403961ms
>> #1 transferring dockerfile: 1.26kB done
>>
>> [...]
>> #9 [internal] load build context
>> #9  started: 2021-03-09 16:53:56.338003711 + UTC
>> #9completed: 2021-03-09 16:53:56.42858509 + UTC
>> #9 duration: 90.581379ms
>> #9 transferring context: 4.19kB done
>>
>>
>> #7 [2/6] RUN apt update && DEBIAN_FRONTEND=noninteractive eatmydata
>> ...
>> #7   digest:
>> sha256:d73bbaa9b5d86f286257ada3d545250e61e000c22c1f971f003578dc00661346
>> #7 name: "[2/6] RUN apt update &&
>> DEBIAN_FRONTEND=noninteractive eatmydata apt build-dep -yy qemu"

^ why is that run?...

>> #7  started: 2021-03-09 16:53:56.338854291 + UTC
>> #7 0.553
>> #7 0.553 WARNING: apt does not have a stable CLI interface. Use with
>> caution in scripts.
>> #7 0.553
>> #7completed: 2021-03-09 16:54:00.554068941 + UTC
>> #7 duration: 4.21521465s
>> #7error: "executor failed running [/bin/sh -c apt update &&
>>  DEBIAN_FRONTEND=noninteractive eatmydata apt build-dep -yy qemu]:
>> exit code: 137: context canceled: context canceled"

:/

Re: [PATCH 2/2] sysemu: Let VMChangeStateHandler take boolean 'running' argument

2021-03-09 Thread Laurent Vivier

Le 11/01/2021 à 16:20, Philippe Mathieu-Daudé a écrit :
> The 'running' argument from VMChangeStateHandler does not require
> other value than 0 / 1. Make it a plain boolean.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  include/sysemu/runstate.h   | 10 --
>  target/arm/kvm_arm.h|  2 +-
>  target/ppc/cpu-qom.h|  2 +-
>  accel/xen/xen-all.c |  2 +-
>  audio/audio.c   |  2 +-
>  block/block-backend.c   |  2 +-
>  gdbstub.c   |  2 +-
>  hw/block/pflash_cfi01.c |  2 +-
>  hw/block/virtio-blk.c   |  2 +-
>  hw/display/qxl.c|  2 +-
>  hw/i386/kvm/clock.c |  2 +-
>  hw/i386/kvm/i8254.c |  2 +-
>  hw/i386/kvmvapic.c  |  2 +-
>  hw/i386/xen/xen-hvm.c   |  2 +-
>  hw/ide/core.c   |  2 +-
>  hw/intc/arm_gicv3_its_kvm.c |  2 +-
>  hw/intc/arm_gicv3_kvm.c |  2 +-
>  hw/intc/spapr_xive_kvm.c|  2 +-
>  hw/misc/mac_via.c   |  2 +-
>  hw/net/e1000e_core.c|  2 +-
>  hw/nvram/spapr_nvram.c  |  2 +-
>  hw/ppc/ppc.c|  2 +-
>  hw/ppc/ppc_booke.c  |  2 +-
>  hw/s390x/tod-kvm.c  |  2 +-
>  hw/scsi/scsi-bus.c  |  2 +-
>  hw/usb/hcd-ehci.c   |  2 +-
>  hw/usb/host-libusb.c|  2 +-
>  hw/usb/redirect.c   |  2 +-
>  hw/vfio/migration.c |  2 +-
>  hw/virtio/virtio-rng.c  |  2 +-
>  hw/virtio/virtio.c  |  2 +-
>  net/net.c   |  2 +-
>  softmmu/memory.c|  2 +-
>  softmmu/runstate.c  |  2 +-
>  target/arm/kvm.c|  2 +-
>  target/i386/kvm/kvm.c   |  2 +-
>  target/i386/sev.c   |  2 +-
>  target/i386/whpx/whpx-all.c |  2 +-
>  target/mips/kvm.c   |  4 ++--
>  ui/gtk.c|  2 +-
>  ui/spice-core.c |  2 +-
>  41 files changed, 49 insertions(+), 43 deletions(-)
> 
> diff --git a/include/sysemu/runstate.h b/include/sysemu/runstate.h
> index 3ab35a039a0..a5356915734 100644
> --- a/include/sysemu/runstate.h
> +++ b/include/sysemu/runstate.h
> @@ -10,7 +10,7 @@ bool runstate_is_running(void);
>  bool runstate_needs_reset(void);
>  bool runstate_store(char *str, size_t size);
>  
> -typedef void VMChangeStateHandler(void *opaque, int running, RunState state);
> +typedef void VMChangeStateHandler(void *opaque, bool running, RunState 
> state);
>  
>  VMChangeStateEntry *qemu_add_vm_change_state_handler(VMChangeStateHandler 
> *cb,
>   void *opaque);
> @@ -20,7 +20,13 @@ VMChangeStateEntry 
> *qdev_add_vm_change_state_handler(DeviceState *dev,
>   VMChangeStateHandler 
> *cb,
>   void *opaque);
>  void qemu_del_vm_change_state_handler(VMChangeStateEntry *e);
> -void vm_state_notify(int running, RunState state);
> +/**
> + * vm_state_notify: Notify the state of the VM
> + *
> + * @running: whether the VM is running or not.
> + * @state: the #RunState of the VM.
> + */
> +void vm_state_notify(bool running, RunState state);
>  
>  static inline bool shutdown_caused_by_guest(ShutdownCause cause)
>  {
> diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
> index eb81b7059eb..68ec970c4f4 100644
> --- a/target/arm/kvm_arm.h
> +++ b/target/arm/kvm_arm.h
> @@ -352,7 +352,7 @@ void kvm_arm_get_virtual_time(CPUState *cs);
>   */
>  void kvm_arm_put_virtual_time(CPUState *cs);
>  
> -void kvm_arm_vm_state_change(void *opaque, int running, RunState state);
> +void kvm_arm_vm_state_change(void *opaque, bool running, RunState state);
>  
>  int kvm_arm_vgic_probe(void);
>  
> diff --git a/target/ppc/cpu-qom.h b/target/ppc/cpu-qom.h
> index 63b9e8632ca..118baf8d41f 100644
> --- a/target/ppc/cpu-qom.h
> +++ b/target/ppc/cpu-qom.h
> @@ -218,7 +218,7 @@ extern const VMStateDescription vmstate_ppc_timebase;
>  .offset = vmstate_offset_value(_state, _field, PPCTimebase),  \
>  }
>  
> -void cpu_ppc_clock_vm_state_change(void *opaque, int running,
> +void cpu_ppc_clock_vm_state_change(void *opaque, bool running,
> RunState state);
>  #endif
>  
> diff --git a/accel/xen/xen-all.c b/accel/xen/xen-all.c
> index 878a4089d97..3756aca27be 100644
> --- a/accel/xen/xen-all.c
> +++ b/accel/xen/xen-all.c
> @@ -122,7 +122,7 @@ static void xenstore_record_dm_state(struct xs_handle 
> *xs, const char *state)
>  }
>  
>  
> -static void xen_change_state_handler(void *opaque, int running,
> +static void xen_change_state_handler(void *opaque, bool running,
>   RunState state)
>  {
>  if (running) {
> diff --git a/audio/audio.c b/audio/audio.c
> index b48471bb3f6..f2d56e7e57d 100644
> --- a/audio/audio.c
> +++ b/audio/audio.c
> @@ -1549,7 +1549,7 @@ static int audio_driver_init(AudioState *s, struct 
> audio_driver *drv,
>  }
>  }
>  
> -static void audio_vm_change_state_handler (void *opaque, int running,
> +st

Re: [PATCH 1/2] sysemu/runstate: Let runstate_is_running() return bool

2021-03-09 Thread Laurent Vivier

Le 11/01/2021 à 16:20, Philippe Mathieu-Daudé a écrit :
> runstate_check() returns a boolean. runstate_is_running()
> returns what runstate_check() returns, also a boolean.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  include/sysemu/runstate.h | 2 +-
>  softmmu/runstate.c| 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/include/sysemu/runstate.h b/include/sysemu/runstate.h
> index e557f470d42..3ab35a039a0 100644
> --- a/include/sysemu/runstate.h
> +++ b/include/sysemu/runstate.h
> @@ -6,7 +6,7 @@
>  
>  bool runstate_check(RunState state);
>  void runstate_set(RunState new_state);
> -int runstate_is_running(void);
> +bool runstate_is_running(void);
>  bool runstate_needs_reset(void);
>  bool runstate_store(char *str, size_t size);
>  
> diff --git a/softmmu/runstate.c b/softmmu/runstate.c
> index 636aab0addb..c7a67147d17 100644
> --- a/softmmu/runstate.c
> +++ b/softmmu/runstate.c
> @@ -217,7 +217,7 @@ void runstate_set(RunState new_state)
>  current_run_state = new_state;
>  }
>  
> -int runstate_is_running(void)
> +bool runstate_is_running(void)
>  {
>  return runstate_check(RUN_STATE_RUNNING);
>  }
> 

Applied to my trivial-patches branch.

Thanks,
Laurent

Re: [PATCH 0/2] sysemu: Let VMChangeStateHandler take boolean 'running' argument