Re: [PATCH v2 0/4] hw/nvme: fix controller hotplugging

2021-07-08 Thread Klaus Jensen

On Jul  9 08:16, Hannes Reinecke wrote:

On 7/9/21 8:05 AM, Klaus Jensen wrote:

On Jul  7 17:49, Klaus Jensen wrote:

From: Klaus Jensen 

Back in May, Hannes posted a fix[1] to re-enable NVMe PCI hotplug. We
discussed a bit back and forth and I mentioned that the core issue was
an artifact of the parent/child relationship stemming from the qdev
setup we have with namespaces attaching to controller through a qdev
bus.

The gist of this series is the fourth patch "hw/nvme: fix controller hot
unplugging" which basically causes namespaces to be reassigned to a bus
owned by the subsystem if the parent controller is linked to one. This
fixes `device_del/add nvme` in such settings.

Note, that in the case that there is no subsystem involved, nvme devices
can be removed from the system with `device_del`, but this *will* cause
the namespaces to be removed as well since there is no place (i.e. no
subsystem) for them to "linger". And since this series does not add
support for hotplugging nvme-ns devices, while an nvme device can be
readded, no namespaces can. Support for hotplugging nvme-ns devices is
present in [1], but I'd rather not add that since I think '-device
nvme-ns' is already a bad design choice.

Now, I do realize that it is not "pretty" to explicitly change the
parent bus, so I do have an RFC patch in queue that replaces the
subsystem and namespace devices with objects, but keeps -device shims
available for backwards compatibility. This approach will solve the
problems properly and should be a better model. However, I don't believe
it will make it for 6.1 and I'd really like to at least fix the
unplugging for 6.1 and this gets the job done.

 [1]: 20210511073511.32511-1-h...@suse.de

v2:
- added R-b's by Hannes for patches 1 through 3
- simplified "hw/nvme: fix controller hot unplugging"

Klaus Jensen (4):
 hw/nvme: remove NvmeCtrl parameter from ns setup/check functions
 hw/nvme: mark nvme-subsys non-hotpluggable
 hw/nvme: unregister controller with subsystem at exit
 hw/nvme: fix controller hot unplugging

hw/nvme/nvme.h   | 18 +---
hw/nvme/ctrl.c   | 14 ++--
hw/nvme/ns.c | 55 +++-
hw/nvme/subsys.c |  9 
4 files changed, 63 insertions(+), 33 deletions(-)

--
2.32.0



Applied patches 1 through 3 to nvme-next.


So, how do we go about with patch 4?
Without it this whole exercise is a bit pointless, seeing that it 
doesn't fix anything.




Patch 1-3 are fixes we need anyway, so I thought I might as well apply 
them :)



Shall we go with that patch as an interim solution?
Will you replace it with your 'object' patch?
What is the plan?



Yes, if acceptable, I would like to use patch 4 as an interim solution. 
We have a bug we need to fix for 6.1, and I believe this does the job.


I considered changing the existing nvme-bus to be on the main system 
bus, but then we break the existing behavior that the namespaces attach 
to the most recently defined controller in the absence of the shared 
parameter or an explicit bus parameter.


Wrt. "the plan", right now, I see two solutions going forward:

1. Introduce new -object's for nvme-nvm-subsystem and nvme-ns
   This is the approach that I am taking right now and it works well. It 
   allows many-to-many relationships and separates the life times of 
   subsystems, namespaces and controllers like you mentioned.


   Conceptually, I also really like that the subsystem and namespace are 
   not "devices". One could argue that the namespace is comparable to a 
   SCSI LUN (-device scsi-hd, right?), but where the SCSI LUN actually 
   "shows up" in the host, the nvme namespace does not.


   My series handles backwards compatibility by keeping -device "shims" 
   around that just wrap the new objects but behave like they used to. 
   The plan would be to deprecate these devices.


   The downside to this approach is that it moves the subsystem and 
   namespaces out of the "qdev tree (info qtree)" and into the pure QOM 
   "/objects" tree. Instead of qtree, we can have QMP and HMP commands 
   for introspection.


2. Make the subsystem a "system bus device"
   This way we add an "nvme-nvm-subsystems" bus as a direct child of the 
   main system bus, and we can possibly get rid of the explicit -device 
   nvme-subsys as well. We change the namespace device to plug into that 
   instead. The nvme controller device still needs to plug into the PCI 
   bus, so it cannot be a child of the subsystems bus, but can keep 
   using a link parameter to hook into the subsystem and attach to any 
   namespaces it would like.


   I'm unsure if we can do this without deprecating the existing 
   namespace device, just like option 1.


   I have not implemented this, so I need to look more into it. It seems 
   like the main thing that this gives us compared to 1) is `info qtree` 
   support and we still end up just "wiring" namespace attachment with 
   backlinks anyway.


I'm not sure what I wou

Re: [PATCH v3 0/2] x86/sev: Measured Linux SEV guest with kernel/initrd/cmdline

2021-07-08 Thread Michael S. Tsirkin
On Thu, Jun 24, 2021 at 10:20:38AM +, Dov Murik wrote:
> Currently booting with -kernel/-initrd/-append is not supported in SEV
> confidential guests, because the content of these blobs is not measured
> and therefore not trusted by the SEV guest.
> 
> However, in some cases the kernel, initrd, and cmdline are not secret
> but should not be modified by the host.  In such a case, we want to
> verify inside the trusted VM that the kernel, initrd, and cmdline are
> indeed the ones expected by the Guest Owner, and only if that is the
> case go on and boot them up (removing the need for grub inside OVMF in
> that mode).
> 
> To support that, OVMF adds a special area for hashes of
> kernel/initrd/cmdline; that area is expected to be filled by QEMU and
> encrypted as part of the initial SEV guest launch.  This in turn makes
> the hashes part of the PSP measured content, and OVMF can trust these
> inputs if they match the hashes.
> 
> This series adds an SEV function to generate the table of hashes for
> OVMF and encrypt it (patch 1/2), and calls this function if SEV is
> enabled when the kernel/initrd/cmdline are prepared (patch 2/2).
> 
> Corresponding OVMF support was submitted to edk2-devel [1] (patch series
> "Measured SEV boot with kernel/initrd/cmdline"); it's still under
> review.
> 
> [1] https://edk2.groups.io/g/devel/topic/patch_v1_0_8_measured_sev/83074450


Now that I figured the measurement angle

Acked-by: Michael S. Tsirkin 

> ---
> 
> v3 changes:
>  - initrd hash is now mandatory; if no -initrd is passed, calculate the
>    hash of the empty buffer.  This is now aligned with the OVMF
>    behaviour which verifies the empty initrd (correctly).
>  - make SevHashTable entries fixed: 3 entries for cmdline, initrd, and kernel.
>  - in sev_add_kernel_loader_hashes: first calculate all the hashes, only then
>    fill-in the hashes table in the guest's memory.
>  - Use g_assert_not_reached in sev-stub.c.
>  - Use QEMU_PACKED attribute for structs.
>  - Use QemuUUID type for guids.
>  - in sev_add_kernel_loader_hashes: use ARRAY_SIZE(iov) instead of literal 2.
> 
> v2: 
> https://lore.kernel.org/qemu-devel/20210621190553.1763020-1-dovmu...@linux.ibm.com/
> v2 changes:
>  - Extract main functionality to sev.c (with empty stub in sev-stub.c)
>  - Use sev_enabled() instead of machine->cgs->ready to detect SEV guest
>  - Coding style changes
> 
> v1: 
> https://lore.kernel.org/qemu-devel/20210525065931.1628554-1-dovmu...@linux.ibm.com/
> 
> Dov Murik (2):
>   sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux
> boot
>   x86/sev: generate SEV kernel loader hashes in x86_load_linux
> 
>  target/i386/sev_i386.h |  12 
>  hw/i386/x86.c  |  25 +++-
>  target/i386/sev-stub.c |   5 ++
>  target/i386/sev.c  | 137 +
>  4 files changed, 178 insertions(+), 1 deletion(-)
> 
> 
> base-commit: b22726abdfa54592d6ad88f65b0297c0e8b363e2
> -- 
> 2.25.1
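
The hash-table check described in the cover letter above, sketched as an added example that is not code from the QEMU or OVMF series: the host side fills a fixed three-entry table (cmdline, initrd, kernel) and the guest side refuses any blob whose SHA-256 does not match. The entry identifiers, the packed layout and the function names are assumptions made for illustration; SEV launch encryption and the PSP measurement that make the table trustworthy are outside the sketch.

```python
import hashlib
import hmac
import struct
import uuid

# Constructed placeholder identifiers. The real table uses GUIDs defined by
# the QEMU and OVMF patches, which this page does not list.
ENTRY_IDS = {
    "cmdline": uuid.UUID("00000000-0000-0000-0000-0000000000c1"),
    "initrd": uuid.UUID("00000000-0000-0000-0000-0000000000c2"),
    "kernel": uuid.UUID("00000000-0000-0000-0000-0000000000c3"),
}
ORDER = ("cmdline", "initrd", "kernel")  # fixed entries, as in the v3 notes
ENTRY_FMT = "<16sH32s"                   # hypothetical packed entry: id, length, digest
ENTRY_LEN = struct.calcsize(ENTRY_FMT)


def _digests(kernel, initrd, cmdline):
    # A missing initrd is hashed as the empty buffer, so the table always
    # carries three entries and "no initrd" cannot be confused with "unchecked".
    blobs = {"cmdline": cmdline, "initrd": initrd or b"", "kernel": kernel}
    return {name: hashlib.sha256(blobs[name]).digest() for name in ORDER}


def build_hash_table(kernel, initrd, cmdline):
    """Host role: compute every hash first, then serialise the table."""
    digests = _digests(kernel, initrd, cmdline)
    return b"".join(
        struct.pack(ENTRY_FMT, ENTRY_IDS[name].bytes_le, ENTRY_LEN, digests[name])
        for name in ORDER
    )


def verify_against_table(table, kernel, initrd, cmdline):
    """Guest role: return the names of blobs that do not match the table.

    Raises ValueError when the table itself is malformed (wrong size,
    reordered, or carrying an unexpected identifier or length).
    """
    if len(table) != ENTRY_LEN * len(ORDER):
        raise ValueError("hash table has the wrong size")
    actual = _digests(kernel, initrd, cmdline)
    mismatched = []
    for index, name in enumerate(ORDER):
        ident, length, digest = struct.unpack_from(ENTRY_FMT, table, index * ENTRY_LEN)
        if ident != ENTRY_IDS[name].bytes_le or length != ENTRY_LEN:
            raise ValueError(f"entry {index} is not a well-formed {name} entry")
        # Constant-time comparison of the measured digest with the computed one.
        if not hmac.compare_digest(digest, actual[name]):
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    table = build_hash_table(b"kernel-image", None, b"console=ttyS0")
    print(verify_against_table(table, b"kernel-image", None, b"console=ttyS0 init=/bin/sh"))
```

A guest would boot only when the returned list is empty; any non-empty result means the host supplied a blob other than the one the Guest Owner expected.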




Re: [PATCH 2/2] qemu-img: Add --skip-broken for 'convert --bitmaps'

2021-07-08 Thread Vladimir Sementsov-Ogievskiy

08.07.2021 04:30, Eric Blake wrote:

The point of 'qemu-img convert --bitmaps' is to be a convenience for
actions that are already possible through a string of smaller
'qemu-img bitmap' sub-commands.  One situation not accounted for
already is that if a source image contains an inconsistent bitmap (for
example, because a qemu process died abruptly before flushing bitmap
state), the user MUST delete those inconsistent bitmaps before
anything else useful can be done with the image.

We don't want to delete inconsistent bitmaps by default: although a
corrupt bitmap is only a loss of optimization rather than a corruption
of user-visible data, it is still nice to require the user to opt in
to the fact that they are aware of the loss of the bitmap.  Still,
requiring the user to check 'qemu-img info' to see whether bitmaps are
consistent, then use 'qemu-img bitmap --remove' to remove offenders,
all before using 'qemu-img convert', is a lot more work than just
adding a knob 'qemu-img convert --bitmaps --skip-broken' which opts in
to skipping the broken bitmaps.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1946084
Signed-off-by: Eric Blake 
---
  docs/tools/qemu-img.rst   |  8 +++-
  qemu-img.c| 20 +--
  tests/qemu-iotests/tests/qemu-img-bitmaps |  4 
  tests/qemu-iotests/tests/qemu-img-bitmaps.out | 14 +
  4 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
index 1d8470eada0e..5cf1c764597b 100644
--- a/docs/tools/qemu-img.rst
+++ b/docs/tools/qemu-img.rst
@@ -414,7 +414,7 @@ Command description:
4
  Error on reading data

-.. option:: convert [--object OBJECTDEF] [--image-opts] [--target-image-opts] 
[--target-is-zero] [--bitmaps] [-U] [-C] [-c] [-p] [-q] [-n] [-f FMT] [-t 
CACHE] [-T SRC_CACHE] [-O OUTPUT_FMT] [-B BACKING_FILE] [-o OPTIONS] [-l 
SNAPSHOT_PARAM] [-S SPARSE_SIZE] [-r RATE_LIMIT] [-m NUM_COROUTINES] [-W] 
FILENAME [FILENAME2 [...]] OUTPUT_FILENAME
+.. option:: convert [--object OBJECTDEF] [--image-opts] [--target-image-opts] 
[--target-is-zero] [--bitmaps [--skip-broken]] [-U] [-C] [-c] [-p] [-q] [-n] 
[-f FMT] [-t CACHE] [-T SRC_CACHE] [-O OUTPUT_FMT] [-B BACKING_FILE] [-o 
OPTIONS] [-l SNAPSHOT_PARAM] [-S SPARSE_SIZE] [-r RATE_LIMIT] [-m 
NUM_COROUTINES] [-W] FILENAME [FILENAME2 [...]] OUTPUT_FILENAME


Of course, [--bitmaps [--skip-broken]] looks like --skip-broken is a 
suboption. But actually it's not so. So, shouldn't it be named more explicitly, 
like --skip-broken-bitmaps? To be sure that we will not interfere in future 
with some other broken things we want to skip? And to avoid strange but correct 
command lines like

qemu-img convert --skip-broken  --bitmaps  src dst




Convert the disk image *FILENAME* or a snapshot *SNAPSHOT_PARAM*
to disk image *OUTPUT_FILENAME* using format *OUTPUT_FMT*. It can
@@ -456,6 +456,12 @@ Command description:
*NUM_COROUTINES* specifies how many coroutines work in parallel during
the convert process (defaults to 8).

+  Use of ``--bitmaps`` requests that any persistent bitmaps present in
+  the original are also copied to the destination.  If any bitmap is
+  inconsistent in the source, the conversion will fail unless
+  ``--skip-broken`` is also specified to copy only the consistent
+  bitmaps.
+
  .. option:: create [--object OBJECTDEF] [-q] [-f FMT] [-b BACKING_FILE] [-F 
BACKING_FMT] [-u] [-o OPTIONS] FILENAME [SIZE]

Create the new disk image *FILENAME* of size *SIZE* and format
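
Review bot: the paragraph added under ``convert`` says ``--skip-broken`` copies "only the consistent bitmaps" but does not tell the reader that the skipped bitmaps are simply absent from the destination, nor that each one is reported with a warning (the qemu-img.c part of this patch calls warn_report for every skipped bitmap). One more sentence stating both would make the data-loss opt-in explicit in the documentation, which is the stated reason for not making this the default.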
diff --git a/qemu-img.c b/qemu-img.c
index 68a4d298098f..e8b012f39c0c 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -82,6 +82,7 @@ enum {
  OPTION_MERGE = 274,
  OPTION_BITMAPS = 275,
  OPTION_FORCE = 276,
+OPTION_SKIP_BROKEN = 277,
  };

  typedef enum OutputFormat {
@@ -2101,7 +2102,8 @@ static int convert_do_copy(ImgConvertState *s)
  return s->ret;
  }

-static int convert_copy_bitmaps(BlockDriverState *src, BlockDriverState *dst)
+static int convert_copy_bitmaps(BlockDriverState *src, BlockDriverState *dst,
+bool skip_broken)
  {
  BdrvDirtyBitmap *bm;
  Error *err = NULL;
@@ -2113,6 +2115,10 @@ static int convert_copy_bitmaps(BlockDriverState *src, 
BlockDriverState *dst)
  continue;
  }
  name = bdrv_dirty_bitmap_name(bm);
+if (skip_broken && bdrv_dirty_bitmap_inconsistent(bm)) {
+warn_report("Skipping inconsistent bitmap %s", name);
+continue;
+}
  qmp_block_dirty_bitmap_add(dst->node_name, name,
 true, bdrv_dirty_bitmap_granularity(bm),
 true, true,
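
Review bot: the new warn_report("Skipping inconsistent bitmap %s", name) prints the bitmap name unquoted, while the existing error for the same condition quotes it ("Bitmap '%s' is inconsistent and cannot be used"). Quote the name here as well so the two messages read the same and names with spaces stay unambiguous in logs. Since the conversion goes on after the `continue`, it would also be worth letting the caller know that something was skipped (for example a counter), so a lossy copy can be told apart from a complete one by more than the warning text.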
@@ -2167,6 +2173,7 @@ static int img_convert(int argc, char **argv)
  bool force_share = false;
  bool explict_min_sparse = false;
  bool bitmaps = false;
+bool skip_broken = false;
  int64_t rate_limit = 0;

   

Re: [PATCH 1/2] iotests: Improve and rename test 291 to qemu-img-bitmap

2021-07-08 Thread Vladimir Sementsov-Ogievskiy

08.07.2021 04:30, Eric Blake wrote:

Enhance the test to demonstrate behavior of qemu-img with a qcow2
image containing an inconsistent bitmap, and rename it now that we
support useful iotest names.

While at it, fix a missing newline in the error message thus exposed.

Signed-off-by: Eric Blake 
---
  block/dirty-bitmap.c  |  2 +-
  .../{291 => tests/qemu-img-bitmaps}   | 13 +++-
  .../{291.out => tests/qemu-img-bitmaps.out}   | 32 ++-
  3 files changed, 44 insertions(+), 3 deletions(-)
  rename tests/qemu-iotests/{291 => tests/qemu-img-bitmaps} (92%)
  rename tests/qemu-iotests/{291.out => tests/qemu-img-bitmaps.out} (82%)

diff --git a/block/dirty-bitmap.c b/block/dirty-bitmap.c
index 68d295d6e3ed..0ef46163e3ea 100644
--- a/block/dirty-bitmap.c
+++ b/block/dirty-bitmap.c
@@ -193,7 +193,7 @@ int bdrv_dirty_bitmap_check(const BdrvDirtyBitmap *bitmap, 
uint32_t flags,
  error_setg(errp, "Bitmap '%s' is inconsistent and cannot be used",
 bitmap->name);
  error_append_hint(errp, "Try block-dirty-bitmap-remove to delete"
-  " this bitmap from disk");
+  " this bitmap from disk\n");
  return -1;
  }

diff --git a/tests/qemu-iotests/291 b/tests/qemu-iotests/tests/qemu-img-bitmaps
similarity index 92%
rename from tests/qemu-iotests/291
rename to tests/qemu-iotests/tests/qemu-img-bitmaps
index 20efb080a6c0..76cd9e31e850 100755
--- a/tests/qemu-iotests/291
+++ b/tests/qemu-iotests/tests/qemu-img-bitmaps
@@ -3,7 +3,7 @@
  #
  # Test qemu-img bitmap handling
  #
-# Copyright (C) 2018-2020 Red Hat, Inc.
+# Copyright (C) 2018-2021 Red Hat, Inc.
  #
  # This program is free software; you can redistribute it and/or modify
  # it under the terms of the GNU General Public License as published by
@@ -32,6 +32,7 @@ _cleanup()
  trap "_cleanup; exit \$status" 0 1 2 3 15

  # get standard environment, filters and checks
+cd ..
  . ./common.rc
  . ./common.filter
  . ./common.nbd
@@ -129,6 +130,16 @@ $QEMU_IMG map --output=json --image-opts \

  nbd_server_stop

+echo
+echo "=== Check handling of inconsistent bitmap ==="
+echo
+
+$QEMU_IO -c abort "$TEST_IMG" 2>/dev/null
+$QEMU_IMG bitmap --add "$TEST_IMG" b4
+$QEMU_IMG bitmap --remove "$TEST_IMG" b1
+_img_info --format-specific | _filter_irrelevant_img_info
+$QEMU_IMG convert --bitmaps -O qcow2 "$TEST_IMG" "$TEST_IMG.copy"


Worth then removing remaining inconsistent bitmaps and trying again?

I think you should now remove $TEST_IMG.copy in _cleanup

with squashed in

--- a/tests/qemu-iotests/tests/qemu-img-bitmaps
+++ b/tests/qemu-iotests/tests/qemu-img-bitmaps
@@ -27,6 +27,7 @@ status=1 # failure is the default!
 _cleanup()
 {
 _cleanup_test_img
+_rm_test_img "$TEST_IMG.copy"
 nbd_server_stop
 }
 trap "_cl

Tested-by: Vladimir Sementsov-Ogievskiy 
Reviewed-by: Vladimir Sementsov-Ogievskiy 


+
  # success, all done
  echo '*** done'
  rm -f $seq.full
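
Review bot: the final `$QEMU_IMG convert --bitmaps -O qcow2 "$TEST_IMG" "$TEST_IMG.copy"` in the added block is expected to fail, but the test only captures the error text; nothing records the exit status or checks what the failed conversion left at "$TEST_IMG.copy". Echoing `$?` after the command, and checking whether a partial destination image exists, would pin down the failure behaviour instead of just the message.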
diff --git a/tests/qemu-iotests/291.out 
b/tests/qemu-iotests/tests/qemu-img-bitmaps.out
similarity index 82%
rename from tests/qemu-iotests/291.out
rename to tests/qemu-iotests/tests/qemu-img-bitmaps.out
index 018d6b103f87..17b34eaed30f 100644
--- a/tests/qemu-iotests/291.out
+++ b/tests/qemu-iotests/tests/qemu-img-bitmaps.out
@@ -1,4 +1,4 @@
-QA output created by 291
+QA output created by qemu-img-bitmaps

  === Initial image setup ===

@@ -115,4 +115,34 @@ Format specific information:
  [{ "start": 0, "length": 2097152, "depth": 0, "present": true, "zero": false, "data": 
true, "offset": OFFSET},
  { "start": 2097152, "length": 1048576, "depth": 0, "present": false, "zero": false, 
"data": false},
  { "start": 3145728, "length": 7340032, "depth": 0, "present": true, "zero": false, 
"data": true, "offset": OFFSET}]
+
+=== Check handling of inconsistent bitmap ===
+
+image: TEST_DIR/t.IMGFMT
+file format: IMGFMT
+virtual size: 10 MiB (10485760 bytes)
+cluster_size: 65536
+backing file: TEST_DIR/t.IMGFMT.base
+backing file format: IMGFMT
+Format specific information:
+bitmaps:
+[0]:
+flags:
+[0]: in-use
+[1]: auto
+name: b2
+granularity: 65536
+[1]:
+flags:
+[0]: in-use
+name: b0
+granularity: 65536
+[2]:
+flags:
+[0]: auto
+name: b4
+granularity: 65536
+corrupt: false
+qemu-img: Failed to populate bitmap b0: Bitmap 'b0' is inconsistent and cannot 
be used
+Try block-dirty-bitmap-remove to delete this bitmap from disk
  *** done




--
Best regards,
Vladimir
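
The manual workflow that the 2/2 commit message describes (inspect `qemu-img info`, remove the inconsistent bitmaps, then convert), as an added example that is not part of either patch or of QEMU. It assumes the JSON shape of `qemu-img info --output=json` and treats the `in-use` flag on an offline image as the marker of an inconsistent bitmap; the sample input is constructed to mirror the b2/b0/b4 listing in the test output above, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `qemu-img info --output=json`, mirroring
# the three bitmaps shown in the expected test output (b2, b0, b4).
SAMPLE_INFO = json.dumps({
    "filename": "t.qcow2",
    "format": "qcow2",
    "virtual-size": 10485760,
    "format-specific": {"type": "qcow2", "data": {"bitmaps": [
        {"flags": ["in-use", "auto"], "name": "b2", "granularity": 65536},
        {"flags": ["in-use"], "name": "b0", "granularity": 65536},
        {"flags": ["auto"], "name": "b4", "granularity": 65536},
    ]}},
})


def inconsistent_bitmaps(info_json):
    """Return the names of bitmaps still flagged in-use.

    Only meaningful for an image that no running QEMU has open: a live
    process also sets in-use while it owns the bitmap.
    """
    info = json.loads(info_json)
    data = (info.get("format-specific") or {}).get("data") or {}
    return [
        bitmap["name"]
        for bitmap in data.get("bitmaps", [])
        if "in-use" in bitmap.get("flags", [])
    ]


def conversion_plan(image, dest, info_json, allow_bitmap_loss=False):
    """Build the command lines (argv lists) for a bitmap-preserving convert.

    Removing a bitmap discards incremental-backup state, so the caller has
    to opt in explicitly, the same reasoning the commit message gives for
    not skipping broken bitmaps by default. Nothing is executed here.
    """
    broken = inconsistent_bitmaps(info_json)
    if broken and not allow_bitmap_loss:
        raise RuntimeError(
            "inconsistent bitmaps present: " + ", ".join(broken)
        )
    plan = [["qemu-img", "bitmap", "--remove", image, name] for name in broken]
    plan.append(["qemu-img", "convert", "--bitmaps", "-O", "qcow2", image, dest])
    return plan


if __name__ == "__main__":
    for argv in conversion_plan("t.qcow2", "t.qcow2.copy", SAMPLE_INFO, True):
        print(" ".join(argv))
```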



Re: [PATCH v2 0/4] hw/nvme: fix controller hotplugging

2021-07-08 Thread Hannes Reinecke

On 7/9/21 8:05 AM, Klaus Jensen wrote:

On Jul  7 17:49, Klaus Jensen wrote:

From: Klaus Jensen 

Back in May, Hannes posted a fix[1] to re-enable NVMe PCI hotplug. We
discussed a bit back and forth and I mentioned that the core issue was
an artifact of the parent/child relationship stemming from the qdev
setup we have with namespaces attaching to controller through a qdev
bus.

The gist of this series is the fourth patch "hw/nvme: fix controller hot
unplugging" which basically causes namespaces to be reassigned to a bus
owned by the subsystem if the parent controller is linked to one. This
fixes `device_del/add nvme` in such settings.

Note, that in the case that there is no subsystem involved, nvme devices
can be removed from the system with `device_del`, but this *will* cause
the namespaces to be removed as well since there is no place (i.e. no
subsystem) for them to "linger". And since this series does not add
support for hotplugging nvme-ns devices, while an nvme device can be
readded, no namespaces can. Support for hotplugging nvme-ns devices is
present in [1], but I'd rather not add that since I think '-device
nvme-ns' is already a bad design choice.

Now, I do realize that it is not "pretty" to explicitly change the
parent bus, so I do have an RFC patch in queue that replaces the
subsystem and namespace devices with objects, but keeps -device shims
available for backwards compatibility. This approach will solve the
problems properly and should be a better model. However, I don't believe
it will make it for 6.1 and I'd really like to at least fix the
unplugging for 6.1 and this gets the job done.

 [1]: 20210511073511.32511-1-h...@suse.de

v2:
- added R-b's by Hannes for patches 1 through 3
- simplified "hw/nvme: fix controller hot unplugging"

Klaus Jensen (4):
 hw/nvme: remove NvmeCtrl parameter from ns setup/check functions
 hw/nvme: mark nvme-subsys non-hotpluggable
 hw/nvme: unregister controller with subsystem at exit
 hw/nvme: fix controller hot unplugging

hw/nvme/nvme.h   | 18 +---
hw/nvme/ctrl.c   | 14 ++--
hw/nvme/ns.c | 55 +++-
hw/nvme/subsys.c |  9 
4 files changed, 63 insertions(+), 33 deletions(-)

--
2.32.0



Applied patches 1 through 3 to nvme-next.


So, how do we go about with patch 4?
Without it this whole exercise is a bit pointless, seeing that it 
doesn't fix anything.


Shall we go with that patch as an interim solution?
Will you replace it with your 'object' patch?
What is the plan?

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
h...@suse.de  +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Felix Imendörffer



Re: [PATCH]: /hw/nvme/ctrl error handling if descriptors are greater than 1024

2021-07-08 Thread Klaus Jensen

On Jul  6 16:13, Padmakar Kalghatgi wrote:

From: padmakar



if the number of descriptors or pages is more than 1024,
dma writes or reads will result in failure. Hence, we check
if the number of descriptors or pages is more than 1024
in the nvme module and return Internal Device error.



Signed-off-by: Padmakar Kalghatgi

---

hw/nvme/ctrl.c   | 14 ++

hw/nvme/trace-events |  1 +

2 files changed, 15 insertions(+)



diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c

index 40a7efc..082592f 100644

--- a/hw/nvme/ctrl.c

+++ b/hw/nvme/ctrl.c

@@ -602,6 +602,20 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg,
hwaddr addr, size_t len)

return NVME_SUCCESS;

}

+/*

+ *  The QEMU has an inherent issue where in if the no.

+ *  of descriptors is more than 1024, it will result in

+ *  failure during the dma write or reads. Hence, we need

+ *  to return the error.

+ */

+

+if (((sg->flags & NVME_SG_DMA) && ((sg->qsg.nsg + 1) > IOV_MAX)) ||

+((sg->iov.niov + 1) > IOV_MAX)) {

+NVME_GUEST_ERR(pci_nvme_ub_sg_desc_toohigh,

+   "number of descriptors is greater than 1024");

+return NVME_INTERNAL_DEV_ERROR;

+}

+

trace_pci_nvme_map_addr(addr, len);

if (nvme_addr_is_cmb(n, addr)) {
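
Review bot: in the check added to nvme_map_addr(), the second operand `((sg->iov.niov + 1) > IOV_MAX)` is not guarded by the flag test, so it is evaluated for DMA-mapped lists as well; if `qsg` and `iov` share storage in NvmeSg, that reads the wrong member. Make the two cases exclusive: test `sg->qsg.nsg` when NVME_SG_DMA is set and `sg->iov.niov` otherwise. The comment and the error string also hard-code 1024 while the comparison uses IOV_MAX, so both should refer to IOV_MAX. Finally, the early return sits before trace_pci_nvme_map_addr(addr, len), so a rejected mapping leaves no map trace for whoever is debugging the guest error.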

diff --git a/hw/nvme/trace-events b/hw/nvme/trace-events

index ea33d0c..bfe1a3b 100644

--- a/hw/nvme/trace-events

+++ b/hw/nvme/trace-events

@@ -202,3 +202,4 @@ pci_nvme_ub_db_wr_invalid_cqhead(uint32_t qid, uint16_t
new_head) "completion qu

pci_nvme_ub_db_wr_invalid_sq(uint32_t qid) "submission queue doorbell write
for nonexistent queue, sqid=%"PRIu32", ignoring"

pci_nvme_ub_db_wr_invalid_sqtail(uint32_t qid, uint16_t new_tail)
"submission queue doorbell write value beyond queue size, sqid=%"PRIu32",
new_head=%"PRIu16", ignoring"

pci_nvme_ub_unknown_css_value(void) "unknown value in cc.css field"

+pci_nvme_ub_sg_desc_toohigh(void) "the number of sg descriptors is too
high"

--

2.7.0.windows.1





Applied to nvme-next, but made the error message more generic (this also 
applied to PRPs).




Re: [PATCH v2 0/4] hw/nvme: fix controller hotplugging

2021-07-08 Thread Klaus Jensen

On Jul  7 17:49, Klaus Jensen wrote:

From: Klaus Jensen 

Back in May, Hannes posted a fix[1] to re-enable NVMe PCI hotplug. We
discussed a bit back and forth and I mentioned that the core issue was
an artifact of the parent/child relationship stemming from the qdev
setup we have with namespaces attaching to controller through a qdev
bus.

The gist of this series is the fourth patch "hw/nvme: fix controller hot
unplugging" which basically causes namespaces to be reassigned to a bus
owned by the subsystem if the parent controller is linked to one. This
fixes `device_del/add nvme` in such settings.

Note, that in the case that there is no subsystem involved, nvme devices
can be removed from the system with `device_del`, but this *will* cause
the namespaces to be removed as well since there is no place (i.e. no
subsystem) for them to "linger". And since this series does not add
support for hotplugging nvme-ns devices, while an nvme device can be
readded, no namespaces can. Support for hotplugging nvme-ns devices is
present in [1], but I'd rather not add that since I think '-device
nvme-ns' is already a bad design choice.

Now, I do realize that it is not "pretty" to explicitly change the
parent bus, so I do have an RFC patch in queue that replaces the
subsystem and namespace devices with objects, but keeps -device shims
available for backwards compatibility. This approach will solve the
problems properly and should be a better model. However, I don't believe
it will make it for 6.1 and I'd really like to at least fix the
unplugging for 6.1 and this gets the job done.

 [1]: 20210511073511.32511-1-h...@suse.de

v2:
- added R-b's by Hannes for patches 1 through 3
- simplified "hw/nvme: fix controller hot unplugging"

Klaus Jensen (4):
 hw/nvme: remove NvmeCtrl parameter from ns setup/check functions
 hw/nvme: mark nvme-subsys non-hotpluggable
 hw/nvme: unregister controller with subsystem at exit
 hw/nvme: fix controller hot unplugging

hw/nvme/nvme.h   | 18 +---
hw/nvme/ctrl.c   | 14 ++--
hw/nvme/ns.c | 55 +++-
hw/nvme/subsys.c |  9 
4 files changed, 63 insertions(+), 33 deletions(-)

--
2.32.0



Applied patches 1 through 3 to nvme-next.




Re: [PATCH v8 9/9] virtio-pci: add support for configure interrupt

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Add support for configure interrupt, use kvm_irqfd_assign and set the
gsi to kernel. When the configure notifier was eventfd_signal by host
kernel, this will finally inject an msix interrupt to guest

Signed-off-by: Cindy Lu 
---
  hw/virtio/virtio-pci.c | 60 +++---
  1 file changed, 50 insertions(+), 10 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index e43d5760ee..73b5ffd1b8 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -717,7 +717,8 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, 
int queue_no,
  VirtQueue *vq;
  
  if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {

-return -1;
+*n = virtio_get_config_notifier(vdev);
+*vector = vdev->config_vector;



Is there a case that the vector is not vdev->config_vector? If not, we 
probably don't need this.




  } else {
  if (!virtio_queue_get_num(vdev, queue_no)) {
  return -1;
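
Review bot: the VIRTIO_CONFIG_IRQ_IDX branch of virtio_pci_get_notifier() now hands back `vdev->config_vector` without any check that a config vector has been assigned, whereas the queue branch right below still returns -1 when virtio_queue_get_num() is 0. Callers that used to get -1 for the config index will now carry on with whatever value is stored there; either validate the vector in this branch or document that every caller has to.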
@@ -764,6 +765,10 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy 
*proxy, int nvqs)
  return ret;
  }
  
+static int kvm_virtio_pci_vector_config_use(VirtIOPCIProxy *proxy)

+{
+return kvm_virtio_pci_vector_use_one(proxy, VIRTIO_CONFIG_IRQ_IDX);
+}
  
  static void kvm_virtio_pci_vector_release_one(VirtIOPCIProxy *proxy,

  int queue_no)
@@ -792,6 +797,30 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy 
*proxy, int nvqs)
  }
  }
  
+static void kvm_virtio_pci_vector_config_release(VirtIOPCIProxy *proxy)



"kvm_virtio_pci_config_vector_relase" please, consider we've already had:

kvm_virtio_pci_vq_vector_release().

Thanks



+{
+kvm_virtio_pci_vector_release_one(proxy, VIRTIO_CONFIG_IRQ_IDX);
+}




Blank line is needed.



+static int virtio_pci_set_config_notifier(DeviceState *d, bool assign)
+{
+VirtIOPCIProxy *proxy = to_virtio_pci_proxy(d);
+VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+EventNotifier *notifier = virtio_get_config_notifier(vdev);
+int r = 0;
+if (assign) {
+r = event_notifier_init(notifier, 0);
+if (r < 0) {
+return r;
+}
+virtio_set_config_notifier_fd_handler(vdev, true, true);
+kvm_virtio_pci_vector_config_use(proxy);
+} else {
+virtio_set_config_notifier_fd_handler(vdev, false, true);
+kvm_virtio_pci_vector_config_release(proxy);
+event_notifier_cleanup(notifier);
+}



We check MSIX in virtio_pci_set_guest_notifier but not here, any reason 
for this?


And I think we need to consider reusing the code in 
virtio_pci_set_guest_notifier().




+return r;
+}
  static int virtio_pci_one_vector_unmask(VirtIOPCIProxy *proxy,
 unsigned int queue_no,
 unsigned int vector,
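
Review bot: in virtio_pci_set_config_notifier() the return value of kvm_virtio_pci_vector_config_use(proxy) is dropped, so on the assign path a failure there still returns r == 0 with the notifier initialised and the fd handler installed. Store the result in r and, on error, undo virtio_set_config_notifier_fd_handler() and call event_notifier_cleanup(notifier) before returning. The function also lacks a blank line after the declarations and before the next function, which makes the new block hard to read next to its neighbours.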
@@ -873,7 +902,12 @@ static int virtio_pci_vector_unmask(PCIDevice *dev, 
unsigned vector,
  }
  vq = virtio_vector_next_queue(vq);
  }
-
+n = virtio_get_config_notifier(vdev);
+ret = virtio_pci_one_vector_unmask(proxy, VIRTIO_CONFIG_IRQ_IDX,
+vector, msg, n);
+if (ret < 0) {
+goto undo;
+}
  return 0;
  
  undo:

@@ -909,6 +943,8 @@ static void virtio_pci_vector_mask(PCIDevice *dev, unsigned 
vector)
  }
  vq = virtio_vector_next_queue(vq);
  }
+n = virtio_get_config_notifier(vdev);
+virtio_pci_one_vector_mask(proxy, VIRTIO_CONFIG_IRQ_IDX, vector, n);
  }
  
  static void virtio_pci_vector_poll(PCIDevice *dev,

@@ -921,19 +957,17 @@ static void virtio_pci_vector_poll(PCIDevice *dev,
  int queue_no;
  unsigned int vector;
  EventNotifier *notifier;
-VirtQueue *vq;
-
-for (queue_no = 0; queue_no < proxy->nvqs_with_notifiers; queue_no++) {
-if (!virtio_queue_get_num(vdev, queue_no)) {
+int ret;
+for (queue_no = VIRTIO_CONFIG_IRQ_IDX;
+queue_no < proxy->nvqs_with_notifiers; queue_no++) {
+ret = virtio_pci_get_notifier(proxy, queue_no, ¬ifier, &vector);
+if (ret < 0) {
  break;
  }
-vector = virtio_queue_vector(vdev, queue_no);
  if (vector < vector_start || vector >= vector_end ||
  !msix_is_masked(dev, vector)) {
  continue;
  }
-vq = virtio_get_queue(vdev, queue_no);
-notifier = virtio_queue_get_guest_notifier(vq);
  if (k->guest_notifier_pending) {
  if (k->guest_notifier_pending(vdev, queue_no)) {
  msix_set_pending(dev, vector);
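
Review bot: the rewritten loop in virtio_pci_vector_poll() starts at `queue_no = VIRTIO_CONFIG_IRQ_IDX` and counts up to `proxy->nvqs_with_notifiers`, which covers the config notifier plus queues 0..n-1 only if VIRTIO_CONFIG_IRQ_IDX is exactly -1. That dependency should at least be a comment, or better an explicit config-notifier step outside the queue loop. The loop also passes the config index to `k->guest_notifier_pending(vdev, queue_no)`, which device implementations may not expect, and a `ret < 0` from virtio_pci_get_notifier() on the first (config) iteration now hits `break` before any queue has been polled.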
@@ -1002,6 +1036,7 @@ static int virtio_pci_set_guest_notifiers(DeviceState *d, 
int nvqs, bool assign)
  msix_unset_vector_notifiers(&proxy->pci_dev);
  if (proxy->vector_irqfd) {
  kvm_virtio_pci_vector_release(proxy, nvqs);
+kvm_virtio_pci_vector_config_release(proxy);
  g_free(proxy->vector_irqfd);
  

Re: [PATCH v8 8/9] virtio-pci:decouple the single vector from the interrupt process

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

use the kvm_virtio_pci_vector_use_one and _release_one
these functions are to deal with the single vector, the
whole process will finish in a loop with vq number.

Signed-off-by: Cindy Lu 
---
  hw/virtio/virtio-pci.c | 109 -
  1 file changed, 42 insertions(+), 67 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index fe06847b62..e43d5760ee 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -666,7 +666,6 @@ static uint32_t virtio_read_config(PCIDevice *pci_dev,
  }
  
  static int kvm_virtio_pci_vq_vector_use(VirtIOPCIProxy *proxy,

-unsigned int queue_no,
  unsigned int vector)
  {
  VirtIOIRQFD *irqfd = &proxy->vector_irqfd[vector];
@@ -733,87 +732,63 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, 
int queue_no,
  return 0;
  }
  
-static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, int nvqs)

+static int kvm_virtio_pci_vector_use_one(VirtIOPCIProxy *proxy, int queue_no)
  {
-PCIDevice *dev = &proxy->pci_dev;
-VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
-VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
  unsigned int vector;
-int ret, queue_no;
+int ret;
  EventNotifier *n;
-for (queue_no = 0; queue_no < nvqs; queue_no++) {
-if (!virtio_queue_get_num(vdev, queue_no)) {
-break;
-}



So this check is not moved but deleted, is this intentional?



-ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
-if (ret < 0) {
-break;
-}
-if (vector >= msix_nr_vectors_allocated(dev)) {
-continue;
-}



So did this?



-ret = kvm_virtio_pci_vq_vector_use(proxy, queue_no, vector);
-if (ret < 0) {
-goto undo;
-}
-/* If guest supports masking, set up irqfd now.
- * Otherwise, delay until unmasked in the frontend.
- */
-if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-ret = kvm_virtio_pci_irqfd_use(proxy, n, vector);
-if (ret < 0) {
-kvm_virtio_pci_vq_vector_release(proxy, vector);
-goto undo;
-}
-}
+ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
+if (ret < 0) {
+return ret;
+}
+ret = kvm_virtio_pci_vq_vector_use(proxy, vector);
+if (ret < 0) {
+goto undo;
+}
+ret = kvm_virtio_pci_irqfd_use(proxy, n, vector);
+if (ret < 0) {
+goto undo;
  }
  return 0;
-
  undo:
-while (--queue_no >= 0) {
-vector = virtio_queue_vector(vdev, queue_no);
-if (vector >= msix_nr_vectors_allocated(dev)) {
-continue;
-}
-if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
-if (ret < 0) {
-break;
-}
-kvm_virtio_pci_irqfd_release(proxy, n, vector);
-}
-kvm_virtio_pci_vq_vector_release(proxy, vector);
+kvm_virtio_pci_irqfd_release(proxy, n, vector);
+return ret;
+}
+static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, int nvqs)
+{
+int queue_no;
+int ret = 0;
+for (queue_no = 0; queue_no < nvqs; queue_no++) {
+ret = kvm_virtio_pci_vector_use_one(proxy, queue_no);
  }
  return ret;
  }
  
-static void kvm_virtio_pci_vector_release(VirtIOPCIProxy *proxy, int nvqs)

+
+static void kvm_virtio_pci_vector_release_one(VirtIOPCIProxy *proxy,
+int queue_no)
  {
-PCIDevice *dev = &proxy->pci_dev;
  VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
  unsigned int vector;
-int queue_no;
-VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
  EventNotifier *n;
-int ret ;
+int ret;
+VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
+ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
+if (ret < 0) {
+return;
+}
+
+if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
+kvm_virtio_pci_irqfd_release(proxy, n, vector);
+}
+kvm_virtio_pci_vq_vector_release(proxy, vector);
+}
+static void kvm_virtio_pci_vector_release(VirtIOPCIProxy *proxy, int nvqs)
+{
+int queue_no;
+
  for (queue_no = 0; queue_no < nvqs; queue_no++) {
-if (!virtio_queue_get_num(vdev, queue_no)) {
-break;
-}



This is deleted by not removed.



-ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
-if (ret < 0) {
-break;
-}
-if (vector >= msix_nr_vectors_allocated(dev)) {
-continue;
-}



So did this.

Thanks



-/* If guest supports masking, clean up irqfd now.
- * Otherwise, it was cleaned when masked in th
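
Review bot: in the new kvm_virtio_pci_vector_use() the loop assigns `ret = kvm_virtio_pci_vector_use_one(proxy, queue_no);` and never tests it, so only the last queue's result is returned and a failure on an earlier queue is silently overwritten; the removed `undo:` loop that released the vectors of already-configured queues has no replacement. Suggest breaking out on `ret < 0` and releasing queues 0..queue_no-1 with kvm_virtio_pci_vector_release_one(). Inside kvm_virtio_pci_vector_use_one() the `undo:` label calls kvm_virtio_pci_irqfd_release() even when the jump came from a failed kvm_virtio_pci_vq_vector_use(), where no irqfd was set up, and it never calls kvm_virtio_pci_vq_vector_release() when kvm_virtio_pci_irqfd_use() fails, which the removed code did. The `vdev->use_guest_notifier_mask && k->guest_notifier_mask` condition around the irqfd setup is also dropped on the use side while kvm_virtio_pci_vector_release_one() keeps it, so the two paths are no longer symmetric.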

Re: [PATCH 01/17] target/riscv: Use tcg_constant_*

2021-07-08 Thread Alistair Francis
On Fri, Jul 9, 2021 at 2:36 PM Richard Henderson
 wrote:
>
> Replace uses of tcg_const_* with the allocate and free close together.
>
> Signed-off-by: Richard Henderson 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  target/riscv/translate.c| 36 --
>  target/riscv/insn_trans/trans_rvf.c.inc |  3 +-
>  target/riscv/insn_trans/trans_rvv.c.inc | 65 +
>  3 files changed, 34 insertions(+), 70 deletions(-)
>
> diff --git a/target/riscv/translate.c b/target/riscv/translate.c
> index 62a7d7e4c7..bba5ad8ec4 100644
> --- a/target/riscv/translate.c
> +++ b/target/riscv/translate.c
> @@ -104,20 +104,16 @@ static void gen_nanbox_s(TCGv_i64 out, TCGv_i64 in)
>   */
>  static void gen_check_nanbox_s(TCGv_i64 out, TCGv_i64 in)
>  {
> -TCGv_i64 t_max = tcg_const_i64(0xull);
> -TCGv_i64 t_nan = tcg_const_i64(0x7fc0ull);
> +TCGv_i64 t_max = tcg_constant_i64(0xull);
> +TCGv_i64 t_nan = tcg_constant_i64(0x7fc0ull);
>
>  tcg_gen_movcond_i64(TCG_COND_GEU, out, in, t_max, in, t_nan);
> -tcg_temp_free_i64(t_max);
> -tcg_temp_free_i64(t_nan);
>  }
>
>  static void generate_exception(DisasContext *ctx, int excp)
>  {
>  tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
> -TCGv_i32 helper_tmp = tcg_const_i32(excp);
> -gen_helper_raise_exception(cpu_env, helper_tmp);
> -tcg_temp_free_i32(helper_tmp);
> +gen_helper_raise_exception(cpu_env, tcg_constant_i32(excp));
>  ctx->base.is_jmp = DISAS_NORETURN;
>  }
>
> @@ -125,17 +121,13 @@ static void generate_exception_mtval(DisasContext *ctx, 
> int excp)
>  {
>  tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
>  tcg_gen_st_tl(cpu_pc, cpu_env, offsetof(CPURISCVState, badaddr));
> -TCGv_i32 helper_tmp = tcg_const_i32(excp);
> -gen_helper_raise_exception(cpu_env, helper_tmp);
> -tcg_temp_free_i32(helper_tmp);
> +gen_helper_raise_exception(cpu_env, tcg_constant_i32(excp));
>  ctx->base.is_jmp = DISAS_NORETURN;
>  }
>
>  static void gen_exception_debug(void)
>  {
> -TCGv_i32 helper_tmp = tcg_const_i32(EXCP_DEBUG);
> -gen_helper_raise_exception(cpu_env, helper_tmp);
> -tcg_temp_free_i32(helper_tmp);
> +gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
>  }
>
>  /* Wrapper around tcg_gen_exit_tb that handles single stepping */
> @@ -247,7 +239,7 @@ static void gen_div(TCGv ret, TCGv source1, TCGv source2)
>   */
>  cond1 = tcg_temp_new();
>  cond2 = tcg_temp_new();
> -zeroreg = tcg_const_tl(0);
> +zeroreg = tcg_constant_tl(0);
>  resultopt1 = tcg_temp_new();
>
>  tcg_gen_movi_tl(resultopt1, (target_ulong)-1);
> @@ -268,7 +260,6 @@ static void gen_div(TCGv ret, TCGv source1, TCGv source2)
>
>  tcg_temp_free(cond1);
>  tcg_temp_free(cond2);
> -tcg_temp_free(zeroreg);
>  tcg_temp_free(resultopt1);
>  }
>
> @@ -277,7 +268,7 @@ static void gen_divu(TCGv ret, TCGv source1, TCGv source2)
>  TCGv cond1, zeroreg, resultopt1;
>  cond1 = tcg_temp_new();
>
> -zeroreg = tcg_const_tl(0);
> +zeroreg = tcg_constant_tl(0);
>  resultopt1 = tcg_temp_new();
>
>  tcg_gen_setcondi_tl(TCG_COND_EQ, cond1, source2, 0);
> @@ -290,7 +281,6 @@ static void gen_divu(TCGv ret, TCGv source1, TCGv source2)
>  tcg_gen_divu_tl(ret, source1, source2);
>
>  tcg_temp_free(cond1);
> -tcg_temp_free(zeroreg);
>  tcg_temp_free(resultopt1);
>  }
>
> @@ -300,7 +290,7 @@ static void gen_rem(TCGv ret, TCGv source1, TCGv source2)
>
>  cond1 = tcg_temp_new();
>  cond2 = tcg_temp_new();
> -zeroreg = tcg_const_tl(0);
> +zeroreg = tcg_constant_tl(0);
>  resultopt1 = tcg_temp_new();
>
>  tcg_gen_movi_tl(resultopt1, 1L);
> @@ -320,7 +310,6 @@ static void gen_rem(TCGv ret, TCGv source1, TCGv source2)
>
>  tcg_temp_free(cond1);
>  tcg_temp_free(cond2);
> -tcg_temp_free(zeroreg);
>  tcg_temp_free(resultopt1);
>  }
>
> @@ -328,7 +317,7 @@ static void gen_remu(TCGv ret, TCGv source1, TCGv source2)
>  {
>  TCGv cond1, zeroreg, resultopt1;
>  cond1 = tcg_temp_new();
> -zeroreg = tcg_const_tl(0);
> +zeroreg = tcg_constant_tl(0);
>  resultopt1 = tcg_temp_new();
>
>  tcg_gen_movi_tl(resultopt1, (target_ulong)1);
> @@ -341,7 +330,6 @@ static void gen_remu(TCGv ret, TCGv source1, TCGv source2)
>  source1);
>
>  tcg_temp_free(cond1);
> -tcg_temp_free(zeroreg);
>  tcg_temp_free(resultopt1);
>  }
>
> @@ -402,15 +390,11 @@ static inline void mark_fs_dirty(DisasContext *ctx) { }
>
>  static void gen_set_rm(DisasContext *ctx, int rm)
>  {
> -TCGv_i32 t0;
> -
>  if (ctx->frm == rm) {
>  return;
>  }
>  ctx->frm = rm;
> -t0 = tcg_const_i32(rm);
> -gen_helper_set_rounding_mode(cpu_env, t0);
> -tcg_temp_free_i32(t0);
> +gen_helper_set_rounding_mode(cpu_env, tcg_constant_i32(rm));
>  }
>
>  static int ex_plus_1(DisasContext *ctx, int nf)
> diff --git a

[PATCH 1/2] watchdog: aspeed: Sanitize control register values

2021-07-08 Thread Andrew Jeffery
While some of the critical fields remain the same, there is variation in
the definition of the control register across the SoC generations.
Reserved regions are adjusted, while in other cases the mutability or
behaviour of fields change.

Introduce a callback to sanitize the value on writes to ensure model
behaviour reflects the hardware.

Fixes: 854123bf8d4b ("wdt: Add Aspeed watchdog device model")
Signed-off-by: Andrew Jeffery 
---
 hw/watchdog/wdt_aspeed.c | 24 ++--
 include/hw/watchdog/wdt_aspeed.h |  1 +
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index 6352ba1b0e5b..faa3d35fdf21 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -118,13 +118,27 @@ static void aspeed_wdt_reload_1mhz(AspeedWDTState *s)
 }
 }
 
+static uint64_t aspeed_2400_sanitize_ctrl(uint64_t data)
+{
+return data & 0x;
+}
+
+static uint64_t aspeed_2500_sanitize_ctrl(uint64_t data)
+{
+return (data & ~(0xfUL << 8)) | WDT_CTRL_1MHZ_CLK;
+}
+
+static uint64_t aspeed_2600_sanitize_ctrl(uint64_t data)
+{
+return data & ~(0x7UL << 7);
+}
 
 static void aspeed_wdt_write(void *opaque, hwaddr offset, uint64_t data,
  unsigned size)
 {
 AspeedWDTState *s = ASPEED_WDT(opaque);
 AspeedWDTClass *awc = ASPEED_WDT_GET_CLASS(s);
-bool enable = data & WDT_CTRL_ENABLE;
+bool enable;
 
 offset >>= 2;
 
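
Review bot: the masks in aspeed_2500_sanitize_ctrl() and aspeed_2600_sanitize_ctrl() are built from `unsigned long` literals (`0xfUL << 8`, `0x7UL << 7`) and then applied to a `uint64_t`; on a host where `unsigned long` is 32 bits the complement is zero-extended, so the expression also clears bits 63:32 of `data`, while on an LP64 host it does not. Using `ULL` makes the result host-independent. The bare shift constants would also read better as named reserved-field masks with a one-line comment per SoC generation saying which fields are reserved or fixed.
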
@@ -144,6 +158,8 @@ static void aspeed_wdt_write(void *opaque, hwaddr offset, 
uint64_t data,
 }
 break;
 case WDT_CTRL:
+data = awc->sanitize_ctrl(data);
+enable = data & WDT_CTRL_ENABLE;
 if (enable && !aspeed_wdt_is_enabled(s)) {
 s->regs[WDT_CTRL] = data;
 awc->wdt_reload(s);
@@ -207,11 +223,12 @@ static const MemoryRegionOps aspeed_wdt_ops = {
 static void aspeed_wdt_reset(DeviceState *dev)
 {
 AspeedWDTState *s = ASPEED_WDT(dev);
+AspeedWDTClass *awc = ASPEED_WDT_GET_CLASS(s);
 
 s->regs[WDT_STATUS] = 0x3EF1480;
 s->regs[WDT_RELOAD_VALUE] = 0x03EF1480;
 s->regs[WDT_RESTART] = 0;
-s->regs[WDT_CTRL] = 0;
+s->regs[WDT_CTRL] = awc->sanitize_ctrl(0);
 s->regs[WDT_RESET_WIDTH] = 0xFF;
 
 timer_del(s->timer);
@@ -293,6 +310,7 @@ static void aspeed_2400_wdt_class_init(ObjectClass *klass, 
void *data)
 awc->ext_pulse_width_mask = 0xff;
 awc->reset_ctrl_reg = SCU_RESET_CONTROL1;
 awc->wdt_reload = aspeed_wdt_reload;
+awc->sanitize_ctrl = aspeed_2400_sanitize_ctrl;
 }
 
 static const TypeInfo aspeed_2400_wdt_info = {
@@ -328,6 +346,7 @@ static void aspeed_2500_wdt_class_init(ObjectClass *klass, 
void *data)
 awc->reset_ctrl_reg = SCU_RESET_CONTROL1;
 awc->reset_pulse = aspeed_2500_wdt_reset_pulse;
 awc->wdt_reload = aspeed_wdt_reload_1mhz;
+awc->sanitize_ctrl = aspeed_2500_sanitize_ctrl;
 }
 
 static const TypeInfo aspeed_2500_wdt_info = {
@@ -348,6 +367,7 @@ static void aspeed_2600_wdt_class_init(ObjectClass *klass, 
void *data)
 awc->reset_ctrl_reg = AST2600_SCU_RESET_CONTROL1;
 awc->reset_pulse = aspeed_2500_wdt_reset_pulse;
 awc->wdt_reload = aspeed_wdt_reload_1mhz;
+awc->sanitize_ctrl = aspeed_2600_sanitize_ctrl;
 }
 
 static const TypeInfo aspeed_2600_wdt_info = {
diff --git a/include/hw/watchdog/wdt_aspeed.h b/include/hw/watchdog/wdt_aspeed.h
index 80b03661e303..f945cd6c5833 100644
--- a/include/hw/watchdog/wdt_aspeed.h
+++ b/include/hw/watchdog/wdt_aspeed.h
@@ -44,6 +44,7 @@ struct AspeedWDTClass {
 uint32_t reset_ctrl_reg;
 void (*reset_pulse)(AspeedWDTState *s, uint32_t property);
 void (*wdt_reload)(AspeedWDTState *s);
+uint64_t (*sanitize_ctrl)(uint64_t data);
 };
 
 #endif /* WDT_ASPEED_H */
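
Review bot: the new `sanitize_ctrl` member is called unconditionally from aspeed_wdt_write() and aspeed_wdt_reset(), but nothing in the header says it is mandatory. A short comment on the callback stating that every AspeedWDTClass subclass must set it, and that it returns the value to be stored in WDT_CTRL, would keep a later SoC class_init from leaving it NULL.
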
-- 
2.30.2




RE: [PULL V2 1/6] qapi/net: Add IPFlowSpec and QMP command for filter passthrough

2021-07-08 Thread Zhang, Chen


> -Original Message-
> From: Jason Wang 
> Sent: Friday, July 9, 2021 11:53 AM
> To: Zhang, Chen 
> Cc: Lukas Straub ; Daniel P. Berrangé
> ; Li Zhijian ; qemu-dev
> ; Markus Armbruster ;
> Gerd Hoffmann ; Eric Blake ; Dr.
> David Alan Gilbert 
> Subject: Re: [PULL V2 1/6] qapi/net: Add IPFlowSpec and QMP command for
> filter passthrough
> 
> 
> On 2021/7/1 5:11 PM, Zhang Chen wrote:
> > Since the real user scenario does not need to monitor all traffic.
> > Add passthrough-filter-add and passthrough-filter-del to maintain a
> > network passthrough list in object with network packet processing
> > function. Add IPFlowSpec struct for all QMP commands.
> > Most the fields of IPFlowSpec are optional,except object-name.
> >
> > Signed-off-by: Zhang Chen 
> 
> 
> Hi:
> 
> I would like to have ack from the QAPI guys for this patch.

Sure, Markus already gave some comments for this patch.
Hi Markus,  Can you please add an ack to this patch?

Thanks
Chen

> 
> Thanks
> 
> 
> > ---
> >   net/net.c | 10 +++
> >   qapi/net.json | 78
> +++
> >   2 files changed, 88 insertions(+)
> >
> > diff --git a/net/net.c b/net/net.c
> > index 76bbb7c31b..00f2be7a58 100644
> > --- a/net/net.c
> > +++ b/net/net.c
> > @@ -1195,6 +1195,16 @@ void qmp_netdev_del(const char *id, Error
> **errp)
> >   }
> >   }
> >
> > +void qmp_passthrough_filter_add(IPFlowSpec *spec, Error **errp) {
> > +/* TODO implement setup passthrough rule */ }
> > +
> > +void qmp_passthrough_filter_del(IPFlowSpec *spec, Error **errp) {
> > +/* TODO implement delete passthrough rule */ }
> > +
> >   static void netfilter_print_info(Monitor *mon, NetFilterState *nf)
> >   {
> >   char *str;
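
Review bot: both qmp_passthrough_filter_add() and qmp_passthrough_filter_del() are empty apart from a TODO and never touch `errp`, so a management client that issues either command gets `{ "return": {} }` while no rule is installed or removed. Until the bodies are implemented, the stubs should report failure with error_setg(errp, ...) so that success is never returned for a no-op.
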
> > diff --git a/qapi/net.json b/qapi/net.json index
> > 7fab2e7cd8..bfe38faab5 100644
> > --- a/qapi/net.json
> > +++ b/qapi/net.json
> > @@ -7,6 +7,7 @@
> >   ##
> >
> >   { 'include': 'common.json' }
> > +{ 'include': 'sockets.json' }
> >
> >   ##
> >   # @set_link:
> > @@ -696,3 +697,80 @@
> >   ##
> >   { 'event': 'FAILOVER_NEGOTIATED',
> > 'data': {'device-id': 'str'} }
> > +
> > +##
> > +# @IPFlowSpec:
> > +#
> > +# IP flow specification.
> > +#
> > +# @protocol: Transport layer protocol like TCP/UDP, etc. The protocol is
> the
> > +#string instead of enum, because it can be passed to
> getprotobyname(3)
> > +#and avoid duplication with /etc/protocols.
> > +#
> > +# @object-name: The @object-name means a qemu object with network
> packet
> > +#   processing function, for example colo-compare, 
> > filtr-redirector
> > +#   filtr-mirror, etc. VM can running with multi network packet
> > +#   processing function objects. They can control different 
> > network
> > +#   data paths from netdev or chardev. So it needs the 
> > object-name
> > +#   to set the effective module.
> > +#
> > +# @source: Source address and port.
> > +#
> > +# @destination: Destination address and port.
> > +#
> > +# Since: 6.1
> > +##
> > +{ 'struct': 'IPFlowSpec',
> > +  'data': { '*protocol': 'str', 'object-name': 'str',
> > +'*source': 'InetSocketAddressBase',
> > +'*destination': 'InetSocketAddressBase' } }
> > +
> > +##
> > +# @passthrough-filter-add:
> > +#
> > +# Add passthrough entry IPFlowSpec to a qemu object with network
> > +packet # processing function, for example filtr-mirror, COLO-compare, etc.
> > +# The object-name is necessary. The protocol and source/destination
> > +IP and # source/destination ports are optional. if only inputs part
> > +of the # information, it will match all traffic.
> > +#
> > +# Returns: Nothing on success
> > +#
> > +# Since: 6.1
> > +#
> > +# Example:
> > +#
> > +# -> { "execute": "passthrough-filter-add",
> > +#  "arguments": { "protocol": "tcp", "object-name": "object0",
> > +#  "source": {"host": "192.168.1.1", "port": "1234"},
> > +#  "destination": {"host": "192.168.1.2", "port": "4321"} } }
> > +# <- { "return": {} }
> > +#
> > +##
> > +{ 'command': 'passthrough-filter-add', 'boxed': true,
> > + 'data': 'IPFlowSpec' }
> > +
> > +##
> > +# @passthrough-filter-del:
> > +#
> > +# Delete passthrough entry IPFlowSpec to a qemu object with network
> > +packet # processing function, for example filtr-mirror, COLO-compare, etc.
> > +# The object-name is necessary. The protocol and source/destination
> > +IP and # source/destination ports are optional. if only inputs part
> > +of the # information, only the exact same rule will be deleted.
> > +#
> > +# Returns: Nothing on success
> > +#
> > +# Since: 6.1
> > +#
> > +# Example:
> > +#
> > +# -> { "execute": "passthrough-filter-del",
> > +#  "arguments": { "protocol": "tcp", "object-name": "object0",
> > +#  "source": {"host": "192.168.1.1", "port": "1234"},
> > +#  "destination": {"host": "192.168.1.2", "port": "4321"} } }
> > +# <- { "return": {} }
> > +#
> > +##
> > +{ 'command': 'passthrough-filter-del', 'box
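
Review bot: the IPFlowSpec documentation spells the example objects `filtr-redirector` and `filtr-mirror`, and the same spelling is repeated in both command descriptions; the names should match the object types users actually create. The matching rules are also underspecified: passthrough-filter-add says "if only inputs part of the information, it will match all traffic" while passthrough-filter-del says "only the exact same rule will be deleted", and neither states what an omitted @protocol, @source or @destination means for matching. Worth spelling out per field, since this text becomes the QMP contract.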

Re: [PATCH 02/17] target/riscv: Introduce gpr_src, gpr_dst

2021-07-08 Thread Alistair Francis
On Fri, Jul 9, 2021 at 2:42 PM Richard Henderson
 wrote:
>
> New helpers that do not force tcg globals into temps,
> returning a constant 0 for $zero as source and a new
> temp for $zero as destination.
>
> Use them in gen_arith_imm_{fn,tl}, gen_arith, gen_unary.
> These are simplest because no further temps required.
>
> Signed-off-by: Richard Henderson 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  target/riscv/translate.c | 83 ++--
>  1 file changed, 45 insertions(+), 38 deletions(-)
>
> diff --git a/target/riscv/translate.c b/target/riscv/translate.c
> index bba5ad8ec4..2cfcb849b8 100644
> --- a/target/riscv/translate.c
> +++ b/target/riscv/translate.c
> @@ -65,6 +65,8 @@ typedef struct DisasContext {
>  uint16_t mlen;
>  bool vl_eq_vlmax;
>  CPUState *cs;
> +TCGv zero;
> +TCGv sink;
>  } DisasContext;
>
>  static inline bool has_ext(DisasContext *ctx, uint32_t ext)
> @@ -202,6 +204,14 @@ static inline void gen_get_gpr(TCGv t, int reg_num)
>  }
>  }
>
> +static TCGv gpr_src(DisasContext *ctx, int reg_num)
> +{
> +if (reg_num == 0) {
> +return ctx->zero;
> +}
> +return cpu_gpr[reg_num];
> +}
> +
>  /* Wrapper for setting reg values - need to check of reg is zero since
>   * cpu_gpr[0] is not actually allocated. this is more for safety purposes,
>   * since we usually avoid calling the OP_TYPE_gen function if we see a write 
> to
> @@ -214,6 +224,17 @@ static inline void gen_set_gpr(int reg_num_dst, TCGv t)
>  }
>  }
>
> +static TCGv gpr_dst(DisasContext *ctx, int reg_num)
> +{
> +if (reg_num == 0) {
> +if (ctx->sink == NULL) {
> +ctx->sink = tcg_temp_new();
> +}
> +return ctx->sink;
> +}
> +return cpu_gpr[reg_num];
> +}
> +
>  static void gen_mulhsu(TCGv ret, TCGv arg1, TCGv arg2)
>  {
>  TCGv rl = tcg_temp_new();
> @@ -442,33 +463,21 @@ static int ex_rvc_shifti(DisasContext *ctx, int imm)
>  static bool gen_arith_imm_fn(DisasContext *ctx, arg_i *a,
>   void (*func)(TCGv, TCGv, target_long))
>  {
> -TCGv source1;
> -source1 = tcg_temp_new();
> +TCGv dest = gpr_dst(ctx, a->rd);
> +TCGv src1 = gpr_src(ctx, a->rs1);
>
> -gen_get_gpr(source1, a->rs1);
> -
> -(*func)(source1, source1, a->imm);
> -
> -gen_set_gpr(a->rd, source1);
> -tcg_temp_free(source1);
> +(*func)(dest, src1, a->imm);
>  return true;
>  }
>
>  static bool gen_arith_imm_tl(DisasContext *ctx, arg_i *a,
>   void (*func)(TCGv, TCGv, TCGv))
>  {
> -TCGv source1, source2;
> -source1 = tcg_temp_new();
> -source2 = tcg_temp_new();
> +TCGv dest = gpr_dst(ctx, a->rd);
> +TCGv src1 = gpr_src(ctx, a->rs1);
> +TCGv src2 = tcg_constant_tl(a->imm);
>
> -gen_get_gpr(source1, a->rs1);
> -tcg_gen_movi_tl(source2, a->imm);
> -
> -(*func)(source1, source1, source2);
> -
> -gen_set_gpr(a->rd, source1);
> -tcg_temp_free(source1);
> -tcg_temp_free(source2);
> +(*func)(dest, src1, src2);
>  return true;
>  }
>
> @@ -758,18 +767,11 @@ static void gen_add_uw(TCGv ret, TCGv arg1, TCGv arg2)
>  static bool gen_arith(DisasContext *ctx, arg_r *a,
>void(*func)(TCGv, TCGv, TCGv))
>  {
> -TCGv source1, source2;
> -source1 = tcg_temp_new();
> -source2 = tcg_temp_new();
> +TCGv dest = gpr_dst(ctx, a->rd);
> +TCGv src1 = gpr_src(ctx, a->rs1);
> +TCGv src2 = gpr_src(ctx, a->rs2);
>
> -gen_get_gpr(source1, a->rs1);
> -gen_get_gpr(source2, a->rs2);
> -
> -(*func)(source1, source1, source2);
> -
> -gen_set_gpr(a->rd, source1);
> -tcg_temp_free(source1);
> -tcg_temp_free(source2);
> +(*func)(dest, src1, src2);
>  return true;
>  }
>
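
Review bot: in gen_arith() `dest` now comes from gpr_dst() and `src2` from gpr_src(), so when a->rd equals a->rs2 they are the same cpu_gpr[] global, whereas the removed code always passed two distinct temporaries as `source1` and `source2`. Any `func` that writes its first argument before its last read of the third would now compute a wrong result for that encoding. Worth confirming for every callback passed to gen_arith(), or stating the requirement in a comment on the function.
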
> @@ -871,14 +873,10 @@ static void gen_clz(TCGv ret, TCGv arg1)
>  static bool gen_unary(DisasContext *ctx, arg_r2 *a,
>void(*func)(TCGv, TCGv))
>  {
> -TCGv source = tcg_temp_new();
> +TCGv dest = gpr_dst(ctx, a->rd);
> +TCGv src1 = gpr_src(ctx, a->rs1);
>
> -gen_get_gpr(source, a->rs1);
> -
> -(*func)(source, source);
> -
> -gen_set_gpr(a->rd, source);
> -tcg_temp_free(source);
> +(*func)(dest, src1);
>  return true;
>  }
>
> @@ -952,8 +950,12 @@ static void riscv_tr_init_disas_context(DisasContextBase 
> *dcbase, CPUState *cs)
>  ctx->cs = cs;
>  }
>
> -static void riscv_tr_tb_start(DisasContextBase *db, CPUState *cpu)
> +static void riscv_tr_tb_start(DisasContextBase *dcbase, CPUState *cpu)
>  {
> +DisasContext *ctx = container_of(dcbase, DisasContext, base);
> +
> +ctx->sink = NULL;
> +ctx->zero = tcg_constant_tl(0);
>  }
>
>  static void riscv_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
> @@ -988,6 +990,11 @@ static void riscv_tr_translate_insn(DisasContextBase 
> *dcbase, CPUState *cpu)
>  decode_opc(env, ctx, opcode16);
>  ctx->base.pc_next = ctx->pc_succ_insn;
>
> +if (ctx->sin

Re: [PATCH v8 6/9] virtio-mmio: add support for configure interrupt

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Add configure interrupt support for virtio-mmio bus. This
interrupt will work while the backend is vhost-vdpa.

Signed-off-by: Cindy Lu 
---
  hw/virtio/virtio-mmio.c | 26 ++
  1 file changed, 26 insertions(+)

diff --git a/hw/virtio/virtio-mmio.c b/hw/virtio/virtio-mmio.c
index 342c918ea7..6c786db071 100644
--- a/hw/virtio/virtio-mmio.c
+++ b/hw/virtio/virtio-mmio.c
@@ -670,7 +670,29 @@ static int virtio_mmio_set_guest_notifier(DeviceState *d, 
int n, bool assign,
  
  return 0;

  }
+static int virtio_mmio_set_config_notifier(DeviceState *d, bool assign)
+{



We had a similar issue as in the previous patch.

We need to use "virtio_mmio_set_config_guest_notifier()".

Thanks



+VirtIOMMIOProxy *proxy = VIRTIO_MMIO(d);
+VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+VirtioDeviceClass *vdc = VIRTIO_DEVICE_GET_CLASS(vdev);
  
+EventNotifier *notifier = virtio_get_config_notifier(vdev);

+int r = 0;
+if (assign) {
+r = event_notifier_init(notifier, 0);
+if (r < 0) {
+return r;
+}
+virtio_set_config_notifier_fd_handler(vdev, true, false);
+} else {
+virtio_set_config_notifier_fd_handler(vdev, false, false);
+event_notifier_cleanup(notifier);
+}
+if (vdc->guest_notifier_mask && vdev->use_guest_notifier_mask) {
+vdc->guest_notifier_mask(vdev, VIRTIO_CONFIG_IRQ_IDX, !assign);
+}
+return r;
+}
  static int virtio_mmio_set_guest_notifiers(DeviceState *d, int nvqs,
 bool assign)
  {
@@ -692,6 +714,10 @@ static int virtio_mmio_set_guest_notifiers(DeviceState *d, 
int nvqs,
  goto assign_error;
  }
  }
+r = virtio_mmio_set_config_notifier(d, assign);
+if (r < 0) {
+goto assign_error;
+}
  
  return 0;
  





Re: [PATCH v8 7/9] virtio-pci: decouple notifier from interrupt process

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Use the virtio_pci_get_notifier function to
get the notifier; the input of the function
is the idx, the output is the notifier and
vector.



You need to describe why such decoupling is needed.




Signed-off-by: Cindy Lu 



I think we need to move this patch as patch 3.



---
  hw/virtio/virtio-pci.c | 45 --
  1 file changed, 35 insertions(+), 10 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 2fe5b1f5aa..fe06847b62 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -710,6 +710,28 @@ static void kvm_virtio_pci_irqfd_release(VirtIOPCIProxy 
*proxy,
  ret = kvm_irqchip_remove_irqfd_notifier_gsi(kvm_state, n, irqfd->virq);
  assert(ret == 0);
  }
+static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,
+  EventNotifier **n, unsigned int *vector)
+{
+PCIDevice *dev = &proxy->pci_dev;
+VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
+VirtQueue *vq;
+
+if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
+return -1;
+} else {
+if (!virtio_queue_get_num(vdev, queue_no)) {
+return -1;
+}
+*vector = virtio_queue_vector(vdev, queue_no);
+vq = virtio_get_queue(vdev, queue_no);
+*n = virtio_queue_get_guest_notifier(vq);
+}
+if (*vector >= msix_nr_vectors_allocated(dev)) {
+return -1;
+}
+return 0;
+}
  
  static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, int nvqs)

  {
@@ -718,13 +740,15 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy 
*proxy, int nvqs)
  VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
  unsigned int vector;
  int ret, queue_no;
-VirtQueue *vq;
  EventNotifier *n;
  for (queue_no = 0; queue_no < nvqs; queue_no++) {
  if (!virtio_queue_get_num(vdev, queue_no)) {
  break;
  }
-vector = virtio_queue_vector(vdev, queue_no);
+ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
+if (ret < 0) {
+break;



So this suppresses the check below? (you had a similar check that is 
done in virtio_pci_get_notifier).


Thanks



+}
  if (vector >= msix_nr_vectors_allocated(dev)) {
  continue;
  }
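
Review bot: virtio_pci_get_notifier() already returns -1 when `*vector >= msix_nr_vectors_allocated(dev)`, and this loop reacts to `ret < 0` with `break`, so the `continue` check that follows can no longer trigger and a queue without a usable vector now ends the loop instead of being skipped. That changes which of the later queues are set up. Either keep the range check in the caller only, or have the helper return distinct codes so the caller can `continue` for an out-of-range vector and `break` only for a zero-sized queue.
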
@@ -736,8 +760,6 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, 
int nvqs)
   * Otherwise, delay until unmasked in the frontend.
   */
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-vq = virtio_get_queue(vdev, queue_no);
-n = virtio_queue_get_guest_notifier(vq);
  ret = kvm_virtio_pci_irqfd_use(proxy, n, vector);
  if (ret < 0) {
  kvm_virtio_pci_vq_vector_release(proxy, vector);
@@ -754,8 +776,10 @@ undo:
  continue;
  }
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-vq = virtio_get_queue(vdev, queue_no);
-n = virtio_queue_get_guest_notifier(vq);
+ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
+if (ret < 0) {
+break;
+}
  kvm_virtio_pci_irqfd_release(proxy, n, vector);
  }
  kvm_virtio_pci_vq_vector_release(proxy, vector);
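
Review bot: in the `undo:` path `ret` still holds the error that triggered the rollback, and `ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);` overwrites it; if the function returns `ret` after this loop, a successful lookup turns the failure into 0. Use a separate local for the lookup result here. The `break` on a failed lookup also stops the rollback before kvm_virtio_pci_vq_vector_release() runs for this queue and the remaining ones.
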
@@ -770,13 +794,16 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy 
*proxy, int nvqs)
  unsigned int vector;
  int queue_no;
  VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
-VirtQueue *vq;
  EventNotifier *n;
+int ret ;
  for (queue_no = 0; queue_no < nvqs; queue_no++) {
  if (!virtio_queue_get_num(vdev, queue_no)) {
  break;
  }
-vector = virtio_queue_vector(vdev, queue_no);
+ret = virtio_pci_get_notifier(proxy, queue_no, &n, &vector);
+if (ret < 0) {
+break;
+}
  if (vector >= msix_nr_vectors_allocated(dev)) {
  continue;
  }
@@ -784,8 +811,6 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy 
*proxy, int nvqs)
   * Otherwise, it was cleaned when masked in the frontend.
   */
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-vq = virtio_get_queue(vdev, queue_no);
-n = virtio_queue_get_guest_notifier(vq);
  kvm_virtio_pci_irqfd_release(proxy, n, vector);
  }
  kvm_virtio_pci_vq_vector_release(proxy, vector);





[PULL 31/33] spapr: Fix implementation of Open Firmware client interface

2021-07-08 Thread David Gibson
From: Alexey Kardashevskiy 

This addresses the comments from v22.

The functional changes are (the VOF ones need retesting with Pegasos2):

(VOF) setprop will start failing if the machine class callback
did not handle it;
(VOF) unit addresses are lowered in path_offset();
(SPAPR) /chosen/bootargs is initialized from kernel_cmdline if
the client did not change it.

Fixes: 5c991e5d4378 ("spapr: Implement Open Firmware client interface")
Cc: BALATON Zoltan 
Signed-off-by: Alexey Kardashevskiy 
Message-Id: <20210708065625.548396-1-...@ozlabs.ru>
Tested-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 MAINTAINERS|   4 ++--
 hw/ppc/spapr.c |  10 +-
 hw/ppc/spapr_hcall.c   |   5 ++---
 hw/ppc/spapr_vof.c |  32 +++-
 hw/ppc/vof.c   |  30 +-
 include/hw/ppc/spapr.h |   3 +--
 pc-bios/vof.bin| Bin 3784 -> 3456 bytes
 pc-bios/vof/ci.c   |   2 +-
 pc-bios/vof/libc.c |  26 --
 pc-bios/vof/main.c |   2 +-
 pc-bios/vof/vof.h  |   2 --
 11 files changed, 48 insertions(+), 68 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index ce122eeced..89d71b42b2 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1362,8 +1362,8 @@ F: include/hw/pci-host/mv64361.h
 
 Virtual Open Firmware (VOF)
 M: Alexey Kardashevskiy 
-M: David Gibson 
-M: Greg Kurz 
+R: David Gibson 
+R: Greg Kurz 
 L: qemu-...@nongnu.org
 S: Maintained
 F: hw/ppc/spapr_vof*
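
Review bot: the MAINTAINERS hunk moves David Gibson and Greg Kurz from `M:` to `R:` for Virtual Open Firmware, but the commit message lists only the three VOF/SPAPR functional changes. A change of maintainership is worth its own line in the message, or its own patch, so it can be found from the log.
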
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index e9b6d0f587..3808d47053 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1645,15 +1645,7 @@ static void spapr_machine_reset(MachineState *machine)
 
 fdt = spapr_build_fdt(spapr, true, FDT_MAX_SIZE);
 if (spapr->vof) {
-target_ulong stack_ptr = 0;
-
-spapr_vof_reset(spapr, fdt, &stack_ptr, &error_fatal);
-
-spapr_cpu_set_entry_state(first_ppc_cpu, SPAPR_ENTRY_POINT,
-  stack_ptr, spapr->initrd_base,
-  spapr->initrd_size);
-/* VOF is 32bit BE so enforce MSR here */
-first_ppc_cpu->env.msr &= ~((1ULL << MSR_SF) | (1ULL << MSR_LE));
+spapr_vof_reset(spapr, fdt, &error_fatal);
 /*
  * Do not pack the FDT as the client may change properties.
  * VOF client does not expect the FDT so we do not load it to the VM.
diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 80ae8eaadd..0e9a5b2e40 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -1080,7 +1080,7 @@ target_ulong do_client_architecture_support(PowerPCCPU 
*cpu,
 SpaprOptionVector *ov1_guest, *ov5_guest;
 bool guest_radix;
 bool raw_mode_supported = false;
-bool guest_xive, reset_fdt = false;
+bool guest_xive;
 CPUState *cs;
 void *fdt;
 uint32_t max_compat = spapr->max_compat_pvr;
@@ -1233,8 +1233,7 @@ target_ulong do_client_architecture_support(PowerPCCPU 
*cpu,
 spapr_setup_hpt(spapr);
 }
 
-reset_fdt = spapr->vof != NULL;
-fdt = spapr_build_fdt(spapr, reset_fdt, fdt_bufsize);
+fdt = spapr_build_fdt(spapr, spapr->vof != NULL, fdt_bufsize);
 g_free(spapr->fdt_blob);
 spapr->fdt_size = fdt_totalsize(fdt);
 spapr->fdt_initial_size = spapr->fdt_size;
diff --git a/hw/ppc/spapr_vof.c b/hw/ppc/spapr_vof.c
index 131a03fec0..40ce8fe003 100644
--- a/hw/ppc/spapr_vof.c
+++ b/hw/ppc/spapr_vof.c
@@ -8,6 +8,7 @@
 #include "qapi/error.h"
 #include "hw/ppc/spapr.h"
 #include "hw/ppc/spapr_vio.h"
+#include "hw/ppc/spapr_cpu_core.h"
 #include "hw/ppc/fdt.h"
 #include "hw/ppc/vof.h"
 #include "sysemu/sysemu.h"
@@ -29,13 +30,19 @@ target_ulong spapr_h_vof_client(PowerPCCPU *cpu, 
SpaprMachineState *spapr,
 void spapr_vof_client_dt_finalize(SpaprMachineState *spapr, void *fdt)
 {
 char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus);
-int chosen;
 
 vof_build_dt(fdt, spapr->vof);
 
-_FDT(chosen = fdt_path_offset(fdt, "/chosen"));
-_FDT(fdt_setprop_string(fdt, chosen, "bootargs",
-spapr->vof->bootargs ? : ""));
+if (spapr->vof->bootargs) {
+int chosen;
+
+_FDT(chosen = fdt_path_offset(fdt, "/chosen"));
+/*
+ * If the client did not change "bootargs", spapr_dt_chosen() must have
+ * stored machine->kernel_cmdline in it before getting here.
+ */
+_FDT(fdt_setprop_string(fdt, chosen, "bootargs", 
spapr->vof->bootargs));
+}
 
 /*
  * SLOF-less setup requires an open instance of stdout for early
@@ -48,20 +55,21 @@ void spapr_vof_client_dt_finalize(SpaprMachineState *spapr, 
void *fdt)
 }
 }
 
-void spapr_vof_reset(SpaprMachineState *spapr, void *fdt,
- target_ulong *stack_ptr, Error **errp)
+void spapr_vof_reset(SpaprMachineState *spapr, void *fdt, Error **errp)
 {
+target_ulong stack_ptr;
 Vof *vof = spapr->vof;
+PowerPCCPU *first_ppc_cpu = POWERPC_CPU(first_cpu);
 
 vof_ini

Re: [PATCH v8 5/9] vhost-net:add support for configure interrupt

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Add configure notifier support in vhost and virtio driver.
When the backend supports VIRTIO_NET_F_STATUS, set up the configure
interrupt function in vhost_net_start and release the related
resource in vhost_net_stop.

Signed-off-by: Cindy Lu 
---
  hw/net/vhost_net.c | 36 +++
  hw/net/virtio-net.c|  6 ++
  hw/virtio/vhost.c  | 44 ++
  hw/virtio/virtio.c | 33 ++--
  include/hw/virtio/vhost.h  |  2 ++
  include/hw/virtio/virtio.h |  5 +
  include/net/vhost_net.h|  3 +++
  7 files changed, 127 insertions(+), 2 deletions(-)

diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
index 24d555e764..be453717c4 100644
--- a/hw/net/vhost_net.c
+++ b/hw/net/vhost_net.c
@@ -310,6 +310,31 @@ static void vhost_net_stop_one(struct vhost_net *net,
  vhost_dev_disable_notifiers(&net->dev, dev);
  }
  
+static void vhost_net_stop_config_intr(struct vhost_net *net)

+{
+struct vhost_dev *dev = &net->dev;
+if (dev->features & (0x1ULL << VIRTIO_NET_F_STATUS)) {
+if (dev->vhost_ops->vhost_set_config_call) {
+int fd = -1;
+dev->vhost_ops->vhost_set_config_call(dev, fd);
+}
+}
+}
+
+static void vhost_net_start_config_intr(struct vhost_net *net)
+{
+struct vhost_dev *dev = &net->dev;
+if (!(dev->features & (0x1ULL << VIRTIO_NET_F_STATUS))) {
+return;
+}



Rethinking about this, I don't think we need such a whitelist. Config
interrupt works like a basic device facility.




+if (dev->vhost_ops->vhost_set_config_call) {
+int fd = event_notifier_get_fd(&dev->vdev->config_notifier);
+int r = dev->vhost_ops->vhost_set_config_call(dev, fd);
+if (!r) {
+event_notifier_set(&dev->vdev->config_notifier);
+}
+}
+}
  int vhost_net_start(VirtIODevice *dev, NetClientState *ncs,
  int total_queues)
  {
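
Review bot: vhost_net_start_config_intr() returns void and only acts on success of `dev->vhost_ops->vhost_set_config_call(dev, fd)`; a non-zero `r` is dropped, so vhost_net_start() reports success with no config interrupt wired up. vhost_net_stop_config_intr() likewise ignores the return value when passing fd -1. Suggest returning `r` from the start helper and handling it on the `err_start` path, and at least logging a failed teardown.
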
@@ -364,6 +389,7 @@ int vhost_net_start(VirtIODevice *dev, NetClientState *ncs,
  }
  }
  
+vhost_net_start_config_intr(get_vhost_net(ncs[0].peer));



I think we can reuse vhost_vdpa_dev_start()?



  return 0;
  
  err_start:

@@ -397,6 +423,7 @@ void vhost_net_stop(VirtIODevice *dev, NetClientState *ncs,
  fprintf(stderr, "vhost guest notifier cleanup failed: %d\n", r);
  fflush(stderr);
  }
+vhost_net_stop_config_intr(get_vhost_net(ncs[0].peer));
  assert(r >= 0);
  }
  
@@ -426,6 +453,15 @@ void vhost_net_virtqueue_mask(VHostNetState *net, VirtIODevice *dev,

  vhost_virtqueue_mask(&net->dev, dev, idx, mask);
  }
  
+bool vhost_net_config_pending(VHostNetState *net, int idx)

+{
+return vhost_config_pending(&net->dev, idx);
+}



Blank line is needed.



+void vhost_net_config_mask(VHostNetState *net, VirtIODevice *dev,
+  bool mask)
+{
+vhost_config_mask(&net->dev, dev, mask);
+}
  VHostNetState *get_vhost_net(NetClientState *nc)
  {
  VHostNetState *vhost_net = 0;
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f50235b5d6..02033be748 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -3055,6 +3055,9 @@ static bool 
virtio_net_guest_notifier_pending(VirtIODevice *vdev, int idx)
  if (idx != VIRTIO_CONFIG_IRQ_IDX) {
  return vhost_net_virtqueue_pending(get_vhost_net(nc->peer), idx);
  }
+if (idx == VIRTIO_CONFIG_IRQ_IDX) {
+return vhost_net_config_pending(get_vhost_net(nc->peer), idx);



I think there's no need to pass idx to vhost_net_config_pending.



+   }
  return false;
  }
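Review bot: the added `if (idx == VIRTIO_CONFIG_IRQ_IDX)` directly follows `if (idx != VIRTIO_CONFIG_IRQ_IDX) { return ...; }`, so the condition is always true at that point and the trailing `return false;` becomes unreachable. Drop the second test and return the config pending state unconditionally, or restructure as if/else; the closing `+   }` is also mis-indented.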
  
@@ -3067,6 +3070,9 @@ static void virtio_net_guest_notifier_mask(VirtIODevice *vdev, int idx,

  if (idx != VIRTIO_CONFIG_IRQ_IDX) {
  vhost_net_virtqueue_mask(get_vhost_net(nc->peer), vdev, idx, mask);
  }
+if (idx == VIRTIO_CONFIG_IRQ_IDX) {
+vhost_net_config_mask(get_vhost_net(nc->peer), vdev, mask);
+ }
  }
  
  static void virtio_net_set_config_size(VirtIONet *n, uint64_t host_features)
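Review bot: in virtio_net_guest_notifier_mask() the two tests on idx are complementary, so an else branch states the intent more directly than a second if. The closing `+ }` of the added block does not line up with its `if`.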

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index e2163a0d63..6716109448 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -1505,6 +1505,16 @@ bool vhost_virtqueue_pending(struct vhost_dev *hdev, int 
n)
  return event_notifier_test_and_clear(&vq->masked_notifier);
  }
  
+bool vhost_config_pending(struct vhost_dev *hdev, int n)

+{
+assert(hdev->vhost_ops);
+VirtIODevice *vdev = hdev->vdev;
+if ((hdev->started == false) ||
+(hdev->vhost_ops->vhost_set_config_call == NULL)) {
+return false;
+}
+return event_notifier_test_and_clear(&vdev->masked_config_notifier);



n is not used.



+}
  /* Mask/unmask events from this vq. */
  void vhost_virtqueue_mask(struct vhost_dev *hdev, VirtIODevice *vdev, int n,
   bool mask)
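Review bot: in vhost_config_pending() the declaration `VirtIODevice *vdev = hdev->vdev;` comes after the assert() statement; QEMU style keeps declarations at the start of the block. `hdev->started == false` reads better as `!hdev->started`, and a blank line is needed between the closing brace and the `/* Mask/unmask events from this vq. */` comment.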
@@ -1529,6 +1539,30 @@ void vhost_virtqueue_mask(struct vhost_dev *hdev, 
VirtIODevice *vdev, int n,
 

Re: [PATCH v8 4/9] vhost-vdpa: add support for config interrupt call back

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Add a new call back function in vhost-vdpa; this call back function is only
supported in the vhost-vdpa backend

Signed-off-by: Cindy Lu 



Acked-by: Jason Wang 



---
  hw/virtio/trace-events | 2 ++
  hw/virtio/vhost-vdpa.c | 7 +++
  2 files changed, 9 insertions(+)

diff --git a/hw/virtio/trace-events b/hw/virtio/trace-events
index c62727f879..152db5917d 100644
--- a/hw/virtio/trace-events
+++ b/hw/virtio/trace-events
@@ -52,6 +52,8 @@ vhost_vdpa_set_vring_call(void *dev, unsigned int index, int fd) 
"dev: %p index:
  vhost_vdpa_get_features(void *dev, uint64_t features) "dev: %p features: 
0x%"PRIx64
  vhost_vdpa_set_owner(void *dev) "dev: %p"
  vhost_vdpa_vq_get_addr(void *dev, void *vq, uint64_t desc_user_addr, uint64_t avail_user_addr, uint64_t 
used_user_addr) "dev: %p vq: %p desc_user_addr: 0x%"PRIx64" avail_user_addr: 
0x%"PRIx64" used_user_addr: 0x%"PRIx64
+vhost_vdpa_set_config_call(void *dev, int fd)"dev: %p fd: %d"
+
  
  # virtio.c

  virtqueue_alloc_element(void *elem, size_t sz, unsigned in_num, unsigned out_num) 
"elem %p size %zd in_num %u out_num %u"
diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index 01d2101d09..58075da9d9 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -545,6 +545,12 @@ static int vhost_vdpa_set_vring_call(struct vhost_dev *dev,
  trace_vhost_vdpa_set_vring_call(dev, file->index, file->fd);
  return vhost_vdpa_call(dev, VHOST_SET_VRING_CALL, file);
  }
+static int vhost_vdpa_set_config_call(struct vhost_dev *dev,
+   int fd)
+{
+trace_vhost_vdpa_set_config_call(dev, fd);
+return vhost_vdpa_call(dev, VHOST_VDPA_SET_CONFIG_CALL, &fd);
+}
  
  static int vhost_vdpa_get_features(struct vhost_dev *dev,

   uint64_t *features)
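Review bot: vhost_vdpa_set_config_call() is added directly after the closing brace of vhost_vdpa_set_vring_call() with no separating blank line, and the continuation line `int fd)` is not aligned with the first parameter. The trace event it calls is declared in trace-events as `vhost_vdpa_set_config_call(void *dev, int fd)"dev: %p fd: %d"`, without a space before the format string and followed by an extra added blank line; both are worth fixing in the same respin.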
@@ -611,4 +617,5 @@ const VhostOps vdpa_ops = {
  .vhost_get_device_id = vhost_vdpa_get_device_id,
  .vhost_vq_get_addr = vhost_vdpa_vq_get_addr,
  .vhost_force_iommu = vhost_vdpa_force_iommu,
+.vhost_set_config_call = vhost_vdpa_set_config_call,
  };





[PATCH v3] remote/memory: Replace share parameter with ram_flags

2021-07-08 Thread Yang Zhong
Fixes: d5015b801340 ("softmmu/memory: Pass ram_flags to
qemu_ram_alloc_from_fd()")

Signed-off-by: Yang Zhong 
Reviewed-by: David Hildenbrand 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Pankaj Gupta 
Reviewed-by: Peter Xu 
---
 hw/remote/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/remote/memory.c b/hw/remote/memory.c
index 472ed2a272..6e21ab1a45 100644
--- a/hw/remote/memory.c
+++ b/hw/remote/memory.c
@@ -46,7 +46,7 @@ void remote_sysmem_reconfig(MPQemuMsg *msg, Error **errp)
 subregion = g_new(MemoryRegion, 1);
 memory_region_init_ram_from_fd(subregion, NULL,
name, sysmem_info->sizes[region],
-   true, msg->fds[region],
+   RAM_SHARED, msg->fds[region],
sysmem_info->offsets[region],
errp);
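Review bot: the commit message consists only of the Fixes: tag, so nothing records why the literal `true` is wrong at this call. Since the referenced commit passes ram_flags through to qemu_ram_alloc_from_fd(), a sentence saying that the argument is now a flags value rather than a bool, and that RAM_SHARED keeps the previous shared mapping, would make the fix reviewable on its own.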
 
-- 
2.29.2.334.gfaefdd61ec




Re: [PATCH v8 2/9] virtio-pci:decouple virtqueue from interrupt setting process

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

Decouple virtqueue from the interrupt setting process to support config interrupt.
Now the code for interrupt/vector is coupled
with the vq number; this patch will decouple the virtqueue
numbers from these functions

Signed-off-by: Cindy Lu 
---
  hw/virtio/virtio-pci.c | 55 --
  1 file changed, 31 insertions(+), 24 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index b321604d9b..2fe5b1f5aa 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -693,23 +693,17 @@ static void 
kvm_virtio_pci_vq_vector_release(VirtIOPCIProxy *proxy,
  }
  
  static int kvm_virtio_pci_irqfd_use(VirtIOPCIProxy *proxy,

- unsigned int queue_no,
+ EventNotifier *n,
   unsigned int vector)
  {
  VirtIOIRQFD *irqfd = &proxy->vector_irqfd[vector];
-VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
-VirtQueue *vq = virtio_get_queue(vdev, queue_no);
-EventNotifier *n = virtio_queue_get_guest_notifier(vq);
  return kvm_irqchip_add_irqfd_notifier_gsi(kvm_state, n, NULL, 
irqfd->virq);
  }
  
  static void kvm_virtio_pci_irqfd_release(VirtIOPCIProxy *proxy,

-  unsigned int queue_no,
+  EventNotifier *n ,
unsigned int vector)
  {
-VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
-VirtQueue *vq = virtio_get_queue(vdev, queue_no);
-EventNotifier *n = virtio_queue_get_guest_notifier(vq);
  VirtIOIRQFD *irqfd = &proxy->vector_irqfd[vector];
  int ret;
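Review bot: both helpers now take the notifier from the caller, but kvm_virtio_pci_irqfd_release() has a stray space in `EventNotifier *n ,` and neither helper says what it expects of n before it is passed to kvm_irqchip_add_irqfd_notifier_gsi(). Fix the spacing and state (or assert) that callers must pass a valid notifier.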
  
@@ -724,7 +718,8 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, int nvqs)

  VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
  unsigned int vector;
  int ret, queue_no;
-
+VirtQueue *vq;
+EventNotifier *n;
  for (queue_no = 0; queue_no < nvqs; queue_no++) {
  if (!virtio_queue_get_num(vdev, queue_no)) {
  break;
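Review bot: the hunk replaces the blank line that separated the declarations from the `for` loop, so the loop now starts immediately after `EventNotifier *n;`. Keep the blank line, and consider declaring vq and n inside the `if (vdev->use_guest_notifier_mask && k->guest_notifier_mask)` block, which is the only place they are used.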
@@ -741,7 +736,9 @@ static int kvm_virtio_pci_vector_use(VirtIOPCIProxy *proxy, 
int nvqs)
   * Otherwise, delay until unmasked in the frontend.
   */
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-ret = kvm_virtio_pci_irqfd_use(proxy, queue_no, vector);
+vq = virtio_get_queue(vdev, queue_no);
+n = virtio_queue_get_guest_notifier(vq);



I see some similar logic below, let's introduce helper for them.



+ret = kvm_virtio_pci_irqfd_use(proxy, n, vector);
  if (ret < 0) {
  kvm_virtio_pci_vq_vector_release(proxy, vector);
  goto undo;
@@ -757,7 +754,9 @@ undo:
  continue;
  }
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-kvm_virtio_pci_irqfd_release(proxy, queue_no, vector);
+vq = virtio_get_queue(vdev, queue_no);
+n = virtio_queue_get_guest_notifier(vq);
+kvm_virtio_pci_irqfd_release(proxy, n, vector);
  }
  kvm_virtio_pci_vq_vector_release(proxy, vector);
  }
@@ -771,7 +770,8 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy 
*proxy, int nvqs)
  unsigned int vector;
  int queue_no;
  VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
-
+VirtQueue *vq;
+EventNotifier *n;
  for (queue_no = 0; queue_no < nvqs; queue_no++) {
  if (!virtio_queue_get_num(vdev, queue_no)) {
  break;
@@ -784,21 +784,22 @@ static void kvm_virtio_pci_vector_release(VirtIOPCIProxy 
*proxy, int nvqs)
   * Otherwise, it was cleaned when masked in the frontend.
   */
  if (vdev->use_guest_notifier_mask && k->guest_notifier_mask) {
-kvm_virtio_pci_irqfd_release(proxy, queue_no, vector);
+vq = virtio_get_queue(vdev, queue_no);
+n = virtio_queue_get_guest_notifier(vq);
+kvm_virtio_pci_irqfd_release(proxy, n, vector);
  }
  kvm_virtio_pci_vq_vector_release(proxy, vector);
  }
  }
  
-static int virtio_pci_vq_vector_unmask(VirtIOPCIProxy *proxy,

+static int virtio_pci_one_vector_unmask(VirtIOPCIProxy *proxy,
 unsigned int queue_no,
 unsigned int vector,
-   MSIMessage msg)
+   MSIMessage msg,
+   EventNotifier *n)
  {
  VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
  VirtioDeviceClass *k = VIRTIO_DEVICE_GET_CLASS(vdev);
-VirtQueue *vq = virtio_get_queue(vdev, queue_no);
-EventNotifier *n = virtio_queue_get_guest_notifier(vq);
  VirtIOIRQFD *irqfd;
  int ret = 0;
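Review bot: virtio_pci_one_vector_unmask() now receives the notifier as `EventNotifier *n` but still takes `queue_no`, so the caller has to keep the two consistent and the function is not yet independent of the queue number as the commit message intends. If queue_no is still needed in the body, say why in a comment; otherwise drop it. The changed parameter lines are also not aligned with the existing ones.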
  
@@ -825,14 +826,15 @@ static int virtio_pci_vq_vector_unmask(VirtIOPCIProxy *proxy,

  event_no

[PULL 29/33] ppc/pegasos2: Implement some RTAS functions with VOF

2021-07-08 Thread David Gibson
From: BALATON Zoltan 

Linux uses RTAS functions to access PCI devices so we need to provide
these with VOF. Implement some of the most important functions to
allow booting Linux with VOF. With this the board is now usable
without a binary ROM image and we can enable it by default as other
boards.

Signed-off-by: BALATON Zoltan 
Message-Id: <20210708215113.b3f74745...@zero.eik.bme.hu>
Signed-off-by: David Gibson 
---
 default-configs/devices/ppc-softmmu.mak |   2 +-
 hw/ppc/pegasos2.c   | 137 
 2 files changed, 138 insertions(+), 1 deletion(-)

diff --git a/default-configs/devices/ppc-softmmu.mak 
b/default-configs/devices/ppc-softmmu.mak
index c2d41198cd..4535993d8d 100644
--- a/default-configs/devices/ppc-softmmu.mak
+++ b/default-configs/devices/ppc-softmmu.mak
@@ -14,7 +14,7 @@ CONFIG_SAM460EX=y
 CONFIG_MAC_OLDWORLD=y
 CONFIG_MAC_NEWWORLD=y
 
-CONFIG_PEGASOS2=n
+CONFIG_PEGASOS2=y
 
 # For PReP
 CONFIG_PREP=y
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index cf1dc53c83..9a6ae867e4 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -43,6 +43,7 @@
 #define PROM_SIZE 0x8
 
 #define KVMPPC_HCALL_BASE0xf000
+#define KVMPPC_H_RTAS(KVMPPC_HCALL_BASE + 0x0)
 #define KVMPPC_H_VOF_CLIENT  (KVMPPC_HCALL_BASE + 0x5)
 
 #define H_SUCCESS 0
@@ -195,6 +196,30 @@ static void pegasos2_init(MachineState *machine)
 }
 }
 
+static uint32_t pegasos2_pci_config_read(AddressSpace *as, int bus,
+ uint32_t addr, uint32_t len)
+{
+hwaddr pcicfg = (bus ? 0xf1000c78 : 0xf1000cf8);
+uint32_t val = 0x;
+
+stl_le_phys(as, pcicfg, addr | BIT(31));
+switch (len) {
+case 4:
+val = ldl_le_phys(as, pcicfg + 4);
+break;
+case 2:
+val = lduw_le_phys(as, pcicfg + 4);
+break;
+case 1:
+val = ldub_phys(as, pcicfg + 4);
+break;
+default:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid length\n", __func__);
+break;
+}
+return val;
+}
+
 static void pegasos2_pci_config_write(AddressSpace *as, int bus, uint32_t addr,
   uint32_t len, uint32_t val)
 {
@@ -304,6 +329,87 @@ static void pegasos2_machine_reset(MachineState *machine)
 pm->cpu->vhyp = PPC_VIRTUAL_HYPERVISOR(machine);
 }
 
+enum pegasos2_rtas_tokens {
+RTAS_RESTART_RTAS = 0,
+RTAS_NVRAM_FETCH = 1,
+RTAS_NVRAM_STORE = 2,
+RTAS_GET_TIME_OF_DAY = 3,
+RTAS_SET_TIME_OF_DAY = 4,
+RTAS_EVENT_SCAN = 6,
+RTAS_CHECK_EXCEPTION = 7,
+RTAS_READ_PCI_CONFIG = 8,
+RTAS_WRITE_PCI_CONFIG = 9,
+RTAS_DISPLAY_CHARACTER = 10,
+RTAS_SET_INDICATOR = 11,
+RTAS_POWER_OFF = 17,
+RTAS_SUSPEND = 18,
+RTAS_HIBERNATE = 19,
+RTAS_SYSTEM_REBOOT = 20,
+};
+
+static target_ulong pegasos2_rtas(PowerPCCPU *cpu, Pegasos2MachineState *pm,
+  target_ulong args_real)
+{
+AddressSpace *as = CPU(cpu)->as;
+uint32_t token = ldl_be_phys(as, args_real);
+uint32_t nargs = ldl_be_phys(as, args_real + 4);
+uint32_t nrets = ldl_be_phys(as, args_real + 8);
+uint32_t args = args_real + 12;
+uint32_t rets = args_real + 12 + nargs * 4;
+
+if (nrets < 1) {
+qemu_log_mask(LOG_GUEST_ERROR, "Too few return values in RTAS call\n");
+return H_PARAMETER;
+}
+switch (token) {
+case RTAS_READ_PCI_CONFIG:
+{
+uint32_t addr, len, val;
+
+if (nargs != 2 || nrets != 2) {
+stl_be_phys(as, rets, -1);
+return H_PARAMETER;
+}
+addr = ldl_be_phys(as, args);
+len = ldl_be_phys(as, args + 4);
+val = pegasos2_pci_config_read(as, !(addr >> 24),
+   addr & 0x0fff, len);
+stl_be_phys(as, rets, 0);
+stl_be_phys(as, rets + 4, val);
+return H_SUCCESS;
+}
+case RTAS_WRITE_PCI_CONFIG:
+{
+uint32_t addr, len, val;
+
+if (nargs != 3 || nrets != 1) {
+stl_be_phys(as, rets, -1);
+return H_PARAMETER;
+}
+addr = ldl_be_phys(as, args);
+len = ldl_be_phys(as, args + 4);
+val = ldl_be_phys(as, args + 8);
+pegasos2_pci_config_write(as, !(addr >> 24),
+  addr & 0x0fff, len, val);
+stl_be_phys(as, rets, 0);
+return H_SUCCESS;
+}
+case RTAS_DISPLAY_CHARACTER:
+if (nargs != 1 || nrets != 1) {
+stl_be_phys(as, rets, -1);
+return H_PARAMETER;
+}
+qemu_log_mask(LOG_UNIMP, "%c", ldl_be_phys(as, args));
+stl_be_phys(as, rets, 0);
+return H_SUCCESS;
+default:
+qemu_log_mask(LOG_UNIMP, "Unknown RTAS token %u (args=%u, rets=%u)\n",
+  token, nargs, nrets);
+stl_be_phys(as, rets, 0);
+return H_SUCCESS;
+}
+}
+
 static void pegasos2_hypercall(PPCVirtualHypervisor *vhyp, PowerPCC
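Review bot: in pegasos2_rtas() the guest-supplied nargs is used to compute `rets = args_real + 12 + nargs * 4` before any bound is applied, and the error paths then call stl_be_phys(as, rets, -1) at that address. The arithmetic is done in uint32_t, so a large nargs wraps, and args_real itself is truncated from target_ulong. Suggest rejecting nargs and nrets above a small maximum before deriving rets. The default case also stores status 0 and returns H_SUCCESS for tokens that are not implemented, which tells the guest the call worked; an error status would be safer.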

[PATCH 2/2] watchdog: aspeed: Fix sequential control writes

2021-07-08 Thread Andrew Jeffery
The logic in the handling for the control register required toggling the
enable state for writes to stick. Rework the condition chain to allow
sequential writes that do not update the enable state.

Fixes: 854123bf8d4b ("wdt: Add Aspeed watchdog device model")
Signed-off-by: Andrew Jeffery 
---
 hw/watchdog/wdt_aspeed.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index faa3d35fdf21..69c37af9a6e9 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -166,6 +166,8 @@ static void aspeed_wdt_write(void *opaque, hwaddr offset, 
uint64_t data,
 } else if (!enable && aspeed_wdt_is_enabled(s)) {
 s->regs[WDT_CTRL] = data;
 timer_del(s->timer);
+} else {
+s->regs[WDT_CTRL] = data;
 }
 break;
 case WDT_RESET_WIDTH:
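Review bot: with the added else, the `!enable && aspeed_wdt_is_enabled(s)` branch and the new fallback both execute `s->regs[WDT_CTRL] = data;`. If the first branch of the chain (above the hunk) stores the value as well, hoisting the assignment out of the if/else chain and leaving only the timer handling inside would make it harder to reintroduce the bug this patch fixes.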
-- 
2.30.2




[PULL 26/33] target/ppc/spapr: Update H_GET_CPU_CHARACTERISTICS L1D cache flush bits

2021-07-08 Thread David Gibson
From: Nicholas Piggin 

There are several new L1D cache flush bits added to the hcall which reflect
hardware security features for speculative cache access issues.

These behaviours are now being specified as negative in order to simplify
patched kernel compatibility with older firmware (a new problem found in
existing systems would automatically be vulnerable).

[dwg: Technically this changes behaviour for existing machine types.
 After discussion with Nick, we've determined this is safe, because
 the worst that will happen if a guest gets the wrong information due
 to a migration is that it will perform some unnecessary workarounds,
 but will remain correct and secure (well, as secure as it was going
 to be anyway).  In addition the change only affects cap-cfpc=safe
 which is not enabled by default, and in fact is not possible to set
 on any current hardware (though it's expected it will be possible on
 POWER10)]

Signed-off-by: Nicholas Piggin 
Message-Id: <20210615044107.1481608-1-npig...@gmail.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_hcall.c   | 2 ++
 include/hw/ppc/spapr.h | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 03fc191599..80ae8eaadd 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -1318,6 +1318,8 @@ static target_ulong h_get_cpu_characteristics(PowerPCCPU 
*cpu,
 behaviour |= H_CPU_BEHAV_L1D_FLUSH_PR;
 break;
 case SPAPR_CAP_FIXED:
+behaviour |= H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY;
+behaviour |= H_CPU_BEHAV_NO_L1D_FLUSH_UACCESS;
 break;
 default: /* broken */
 assert(safe_cache == SPAPR_CAP_BROKEN);
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 1e63f33e9a..a25e69fe4c 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -400,10 +400,13 @@ struct SpaprMachineState {
 #define H_CPU_CHAR_THR_RECONF_TRIG  PPC_BIT(6)
 #define H_CPU_CHAR_CACHE_COUNT_DIS  PPC_BIT(7)
 #define H_CPU_CHAR_BCCTR_FLUSH_ASSIST   PPC_BIT(9)
+
 #define H_CPU_BEHAV_FAVOUR_SECURITY PPC_BIT(0)
 #define H_CPU_BEHAV_L1D_FLUSH_PRPPC_BIT(1)
 #define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR   PPC_BIT(2)
 #define H_CPU_BEHAV_FLUSH_COUNT_CACHE   PPC_BIT(5)
+#define H_CPU_BEHAV_NO_L1D_FLUSH_ENTRY  PPC_BIT(7)
+#define H_CPU_BEHAV_NO_L1D_FLUSH_UACCESSPPC_BIT(8)
 
 /* Each control block has to be on a 4K boundary */
 #define H_CB_ALIGNMENT 4096
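Review bot: the two new H_CPU_BEHAV_NO_L1D_FLUSH_* bits have negative polarity, unlike H_CPU_BEHAV_L1D_FLUSH_PR just above them, and nothing at the definitions says so. A one-line comment here noting that a set bit means the flush is not required, as the commit message explains, would help readers of h_get_cpu_characteristics(), where the bits are set only for SPAPR_CAP_FIXED.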
-- 
2.31.1




[PULL 27/33] ppc/pegasos2: Use Virtual Open Firmware as firmware replacement

2021-07-08 Thread David Gibson
From: BALATON Zoltan 

The pegasos2 board comes with an Open Firmware compliant ROM based on
SmartFirmware but it has some changes that are not open source
therefore the ROM binary cannot be included in QEMU. Guests running on
the board however depend on services provided by the firmware. The
Virtual Open Firmware recently added to QEMU implements a minimal set
of these services to allow some guests to boot without the original
firmware. This patch adds VOF as the default firmware for pegasos2
which allows booting Linux and MorphOS via -kernel option while a ROM
image can still be used with -bios for guests that don't run with VOF.

Signed-off-by: BALATON Zoltan 
Message-Id: 
<1d6ed6f290c5c1f0b5a1e1c51cf1151452d70d9a.1624811233.git.bala...@eik.bme.hu>
Signed-off-by: David Gibson 
---
 hw/ppc/Kconfig|   1 +
 hw/ppc/pegasos2.c | 602 +-
 2 files changed, 601 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
index 67630f80e1..7fcafec60a 100644
--- a/hw/ppc/Kconfig
+++ b/hw/ppc/Kconfig
@@ -76,6 +76,7 @@ config PEGASOS2
 select VT82C686
 select IDE_VIA
 select SMBUS_EEPROM
+select VOF
 # This should come with VT82C686
 select ACPI_X86
 
diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index 07971175c9..f1741a4512 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -34,13 +34,33 @@
 #include "trace.h"
 #include "qemu/datadir.h"
 #include "sysemu/device_tree.h"
+#include "hw/ppc/vof.h"
 
-#define PROM_FILENAME "pegasos2.rom"
+#include 
+
+#define PROM_FILENAME "vof.bin"
 #define PROM_ADDR 0xfff0
 #define PROM_SIZE 0x8
 
+#define KVMPPC_HCALL_BASE0xf000
+#define KVMPPC_H_VOF_CLIENT  (KVMPPC_HCALL_BASE + 0x5)
+
+#define H_SUCCESS 0
+#define H_PRIVILEGE  -3  /* Caller not privileged */
+#define H_PARAMETER  -4  /* Parameter invalid, out-of-range or conflicting */
+
 #define BUS_FREQ_HZ 1
 
+#define PCI0_MEM_BASE 0xc000
+#define PCI0_MEM_SIZE 0x2000
+#define PCI0_IO_BASE  0xf800
+#define PCI0_IO_SIZE  0x1
+
+#define PCI1_MEM_BASE 0x8000
+#define PCI1_MEM_SIZE 0x4000
+#define PCI1_IO_BASE  0xfe00
+#define PCI1_IO_SIZE  0x1
+
 #define TYPE_PEGASOS2_MACHINE  MACHINE_TYPE_NAME("pegasos2")
 OBJECT_DECLARE_TYPE(Pegasos2MachineState, MachineClass, PEGASOS2_MACHINE)
 
@@ -48,14 +68,26 @@ struct Pegasos2MachineState {
 MachineState parent_obj;
 PowerPCCPU *cpu;
 DeviceState *mv;
+Vof *vof;
+void *fdt_blob;
+uint64_t kernel_addr;
+uint64_t kernel_entry;
+uint64_t kernel_size;
 };
 
+static void *build_fdt(MachineState *machine, int *fdt_size);
+
 static void pegasos2_cpu_reset(void *opaque)
 {
 PowerPCCPU *cpu = opaque;
+Pegasos2MachineState *pm = PEGASOS2_MACHINE(current_machine);
 
 cpu_reset(CPU(cpu));
 cpu->env.spr[SPR_HID1] = 7ULL << 28;
+if (pm->vof) {
+cpu->env.gpr[1] = 2 * VOF_STACK_SIZE - 0x20;
+cpu->env.nip = 0x100;
+}
 }
 
 static void pegasos2_init(MachineState *machine)
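Review bot: pegasos2_cpu_reset() reaches the machine state through the global current_machine and sets `gpr[1] = 2 * VOF_STACK_SIZE - 0x20` and `nip = 0x100` with no explanation. A comment on where these values come from would help, and named constants would be better than the bare 0x20 and 0x100.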
@@ -92,18 +124,24 @@ static void pegasos2_init(MachineState *machine)
 error_report("Could not find firmware '%s'", fwname);
 exit(1);
 }
+if (!machine->firmware && !pm->vof) {
+pm->vof = g_malloc0(sizeof(*pm->vof));
+}
 memory_region_init_rom(rom, NULL, "pegasos2.rom", PROM_SIZE, &error_fatal);
 memory_region_add_subregion(get_system_memory(), PROM_ADDR, rom);
 sz = load_elf(filename, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 1,
   PPC_ELF_MACHINE, 0, 0);
 if (sz <= 0) {
-sz = load_image_targphys(filename, PROM_ADDR, PROM_SIZE);
+sz = load_image_targphys(filename, pm->vof ? 0 : PROM_ADDR, PROM_SIZE);
 }
 if (sz <= 0 || sz > PROM_SIZE) {
 error_report("Could not load firmware '%s'", filename);
 exit(1);
 }
 g_free(filename);
+if (pm->vof) {
+pm->vof->fw_size = sz;
+}
 
 /* Marvell Discovery II system controller */
 pm->mv = DEVICE(sysbus_create_simple(TYPE_MV64361, -1,
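Review bot: with VOF the fallback path loads the image at physical address 0 (`pm->vof ? 0 : PROM_ADDR`) while the ROM region is still created and mapped at PROM_ADDR, and the size check still uses PROM_SIZE. A comment explaining that the VOF image is meant to live at address 0, and whether the ROM mapping left empty in that case is intentional, would make this hunk easier to follow.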
@@ -137,20 +175,185 @@ static void pegasos2_init(MachineState *machine)
 
 /* other PC hardware */
 pci_vga_init(pci_bus);
+
+if (machine->kernel_filename) {
+sz = load_elf(machine->kernel_filename, NULL, NULL, NULL,
+  &pm->kernel_entry, &pm->kernel_addr, NULL, NULL, 1,
+  PPC_ELF_MACHINE, 0, 0);
+if (sz <= 0) {
+error_report("Could not load kernel '%s'",
+ machine->kernel_filename);
+exit(1);
+}
+pm->kernel_size = sz;
+if (!pm->vof) {
+warn_report("Option -kernel may be ineffective with -bios.");
+}
+}
+if (machine->kernel_cmdline && !pm->vof) {
+warn_report("Option -append may be ineffective with -bios.");
+}
+}
+
+static void pegasos2_pci_config_write(AddressSpace *as, int bus, uint32_t addr,
+  ui

[PATCH 0/2] wdt_aspeed: Fix behaviour of control register

2021-07-08 Thread Andrew Jeffery
Hello,

I discovered a couple of bugs in the watchdog while testing a tool to poke
Aspeed BMCs over their various AHB bridges. The immediate observation was that
the model for the 2500 wasn't signalling use of the fixed 1MHz clock, which is
resolved in the first patch. The other observation was that sequential writes to
control weren't sticking if the enable bit wasn't toggled, which is fixed in the
second patch.

Please review.

Andrew

Andrew Jeffery (2):
  watchdog: aspeed: Sanitize control register values
  watchdog: aspeed: Fix sequential control writes

 hw/watchdog/wdt_aspeed.c | 26 --
 include/hw/watchdog/wdt_aspeed.h |  1 +
 2 files changed, 25 insertions(+), 2 deletions(-)

-- 
2.30.2




[PULL 32/33] linux-headers: Update

2021-07-08 Thread David Gibson
From: Bharata B Rao 

Update to mainline commit: 79160a603bdb ("Merge tag 'usb-5.14-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb")

Signed-off-by: Bharata B Rao 
Message-Id: <20210706112440.1449562-2-bhar...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 include/standard-headers/asm-x86/kvm_para.h   |  13 +++
 include/standard-headers/drm/drm_fourcc.h |   7 ++
 include/standard-headers/linux/ethtool.h  |   4 +-
 .../linux/input-event-codes.h |   1 +
 include/standard-headers/linux/virtio_ids.h   |   2 +-
 include/standard-headers/linux/virtio_vsock.h |   9 ++
 linux-headers/asm-arm64/kvm.h |  11 ++
 linux-headers/asm-generic/mman-common.h   |   3 +
 linux-headers/asm-generic/unistd.h|   4 +-
 linux-headers/asm-mips/mman.h |   3 +
 linux-headers/asm-mips/unistd_n32.h   |   1 +
 linux-headers/asm-mips/unistd_n64.h   |   1 +
 linux-headers/asm-mips/unistd_o32.h   |   1 +
 linux-headers/asm-powerpc/unistd_32.h |   1 +
 linux-headers/asm-powerpc/unistd_64.h |   1 +
 linux-headers/asm-s390/unistd_32.h|   1 +
 linux-headers/asm-s390/unistd_64.h|   1 +
 linux-headers/asm-x86/kvm.h   |  13 +++
 linux-headers/asm-x86/unistd_32.h |   7 +-
 linux-headers/asm-x86/unistd_64.h |   7 +-
 linux-headers/asm-x86/unistd_x32.h|   7 +-
 linux-headers/linux/kvm.h | 105 ++
 linux-headers/linux/userfaultfd.h |  11 +-
 23 files changed, 197 insertions(+), 17 deletions(-)

diff --git a/include/standard-headers/asm-x86/kvm_para.h 
b/include/standard-headers/asm-x86/kvm_para.h
index 215d01b4ec..204cfb8640 100644
--- a/include/standard-headers/asm-x86/kvm_para.h
+++ b/include/standard-headers/asm-x86/kvm_para.h
@@ -33,6 +33,8 @@
 #define KVM_FEATURE_PV_SCHED_YIELD 13
 #define KVM_FEATURE_ASYNC_PF_INT   14
 #define KVM_FEATURE_MSI_EXT_DEST_ID15
+#define KVM_FEATURE_HC_MAP_GPA_RANGE   16
+#define KVM_FEATURE_MIGRATION_CONTROL  17
 
 #define KVM_HINTS_REALTIME  0
 
@@ -54,6 +56,7 @@
 #define MSR_KVM_POLL_CONTROL   0x4b564d05
 #define MSR_KVM_ASYNC_PF_INT   0x4b564d06
 #define MSR_KVM_ASYNC_PF_ACK   0x4b564d07
+#define MSR_KVM_MIGRATION_CONTROL  0x4b564d08
 
 struct kvm_steal_time {
uint64_t steal;
@@ -90,6 +93,16 @@ struct kvm_clock_pairing {
 /* MSR_KVM_ASYNC_PF_INT */
 #define KVM_ASYNC_PF_VEC_MASK  GENMASK(7, 0)
 
+/* MSR_KVM_MIGRATION_CONTROL */
+#define KVM_MIGRATION_READY(1 << 0)
+
+/* KVM_HC_MAP_GPA_RANGE */
+#define KVM_MAP_GPA_RANGE_PAGE_SZ_4K   0
+#define KVM_MAP_GPA_RANGE_PAGE_SZ_2M   (1 << 0)
+#define KVM_MAP_GPA_RANGE_PAGE_SZ_1G   (1 << 1)
+#define KVM_MAP_GPA_RANGE_ENC_STAT(n)  (n << 4)
+#define KVM_MAP_GPA_RANGE_ENCRYPTEDKVM_MAP_GPA_RANGE_ENC_STAT(1)
+#define KVM_MAP_GPA_RANGE_DECRYPTEDKVM_MAP_GPA_RANGE_ENC_STAT(0)
 
 /* Operations for KVM_HC_MMU_OP */
 #define KVM_MMU_OP_WRITE_PTE1
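Review bot: `KVM_MAP_GPA_RANGE_ENC_STAT(n)` shifts n left by 4 without parenthesizing the macro argument, so an argument such as `a | b` would shift only b. As this file is synced from the kernel tree the fix belongs upstream rather than in this patch, but QEMU callers should pass a simple value.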
diff --git a/include/standard-headers/drm/drm_fourcc.h 
b/include/standard-headers/drm/drm_fourcc.h
index a61ae520c2..352b51fd0a 100644
--- a/include/standard-headers/drm/drm_fourcc.h
+++ b/include/standard-headers/drm/drm_fourcc.h
@@ -167,6 +167,13 @@ extern "C" {
 #define DRM_FORMAT_RGBA1010102 fourcc_code('R', 'A', '3', '0') /* [31:0] 
R:G:B:A 10:10:10:2 little endian */
 #define DRM_FORMAT_BGRA1010102 fourcc_code('B', 'A', '3', '0') /* [31:0] 
B:G:R:A 10:10:10:2 little endian */
 
+/* 64 bpp RGB */
+#define DRM_FORMAT_XRGB16161616fourcc_code('X', 'R', '4', '8') /* 
[63:0] x:R:G:B 16:16:16:16 little endian */
+#define DRM_FORMAT_XBGR16161616fourcc_code('X', 'B', '4', '8') /* 
[63:0] x:B:G:R 16:16:16:16 little endian */
+
+#define DRM_FORMAT_ARGB16161616fourcc_code('A', 'R', '4', '8') /* 
[63:0] A:R:G:B 16:16:16:16 little endian */
+#define DRM_FORMAT_ABGR16161616fourcc_code('A', 'B', '4', '8') /* 
[63:0] A:B:G:R 16:16:16:16 little endian */
+
 /*
  * Floating point 64bpp RGB
  * IEEE 754-2008 binary16 half-precision float
diff --git a/include/standard-headers/linux/ethtool.h 
b/include/standard-headers/linux/ethtool.h
index 218d944a17..053d3fafdf 100644
--- a/include/standard-headers/linux/ethtool.h
+++ b/include/standard-headers/linux/ethtool.h
@@ -233,7 +233,7 @@ enum tunable_id {
ETHTOOL_PFC_PREVENTION_TOUT, /* timeout in msecs */
/*
 * Add your fresh new tunable attribute above and remember to update
-* tunable_strings[] in net/core/ethtool.c
+* tunable_strings[] in net/ethtool/common.c
 */
__ETHTOOL_TUNABLE_COUNT,
 };
@@ -297,7 +297,7 @@ enum phy_tunable_id {
ETHTOOL_PHY_EDPD,
/*
 * Add your fresh new phy tunable attribute above and remember to update
-* phy_tunable_strings[] in net/core/ethtool.c
+* phy_tunable_strings[] in net/ethtool/common.c
 */
__ETHTOOL_PHY_TUNABL

[PULL 19/33] target/ppc: change ppc_hash32_xlate to use mmu_idx

2021-07-08 Thread David Gibson
From: "Bruno Larsen (billionai)" 

Changed hash32 address translation to use the supplied mmu_idx, instead
of using what was stored in the msr, for parity purposes (radix64
already uses that) and for conceptual correctness, all the relevant
functions should always use the supplied mmu_idx, as there are no
guarantees that the mmu_idx stored in the CPU variable will not desync.

Signed-off-by: Bruno Larsen (billionai) 
Reviewed-by: David Gibson 
Message-Id: <20210706150316.21005-3-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash32.c | 40 +++-
 target/ppc/mmu-hash32.h |  2 +-
 target/ppc/mmu_helper.c |  2 +-
 3 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index 4edd5ffe14..3957aab2dc 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -25,6 +25,7 @@
 #include "kvm_ppc.h"
 #include "internal.h"
 #include "mmu-hash32.h"
+#include "mmu-books.h"
 #include "exec/log.h"
 
 /* #define DEBUG_BATS */
@@ -86,25 +87,22 @@ static int ppc_hash32_pp_prot(int key, int pp, int nx)
 return prot;
 }
 
-static int ppc_hash32_pte_prot(PowerPCCPU *cpu,
+static int ppc_hash32_pte_prot(int mmu_idx,
target_ulong sr, ppc_hash_pte32_t pte)
 {
-CPUPPCState *env = &cpu->env;
 unsigned pp, key;
 
-key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));
+key = !!(mmuidx_pr(mmu_idx) ? (sr & SR32_KP) : (sr & SR32_KS));
 pp = pte.pte1 & HPTE32_R_PP;
 
 return ppc_hash32_pp_prot(key, pp, !!(sr & SR32_NX));
 }
 
-static target_ulong hash32_bat_size(PowerPCCPU *cpu,
+static target_ulong hash32_bat_size(int mmu_idx,
 target_ulong batu, target_ulong batl)
 {
-CPUPPCState *env = &cpu->env;
-
-if ((msr_pr && !(batu & BATU32_VP))
-|| (!msr_pr && !(batu & BATU32_VS))) {
+if ((mmuidx_pr(mmu_idx) && !(batu & BATU32_VP))
+|| (!mmuidx_pr(mmu_idx) && !(batu & BATU32_VS))) {
 return 0;
 }
 
@@ -137,14 +135,13 @@ static target_ulong hash32_bat_601_size(PowerPCCPU *cpu,
 return BATU32_BEPI & ~((batl & BATL32_601_BL) << 17);
 }
 
-static int hash32_bat_601_prot(PowerPCCPU *cpu,
+static int hash32_bat_601_prot(int mmu_idx,
target_ulong batu, target_ulong batl)
 {
-CPUPPCState *env = &cpu->env;
 int key, pp;
 
 pp = batu & BATU32_601_PP;
-if (msr_pr == 0) {
+if (mmuidx_pr(mmu_idx) == 0) {
 key = !!(batu & BATU32_601_KS);
 } else {
 key = !!(batu & BATU32_601_KP);
@@ -153,7 +150,8 @@ static int hash32_bat_601_prot(PowerPCCPU *cpu,
 }
 
 static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, target_ulong ea,
-MMUAccessType access_type, int *prot)
+MMUAccessType access_type, int *prot,
+int mmu_idx)
 {
 CPUPPCState *env = &cpu->env;
 target_ulong *BATlt, *BATut;
@@ -177,7 +175,7 @@ static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, 
target_ulong ea,
 if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
 mask = hash32_bat_601_size(cpu, batu, batl);
 } else {
-mask = hash32_bat_size(cpu, batu, batl);
+mask = hash32_bat_size(mmu_idx, batu, batl);
 }
 LOG_BATS("%s: %cBAT%d v " TARGET_FMT_lx " BATu " TARGET_FMT_lx
  " BATl " TARGET_FMT_lx "\n", __func__,
@@ -187,7 +185,7 @@ static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, 
target_ulong ea,
 hwaddr raddr = (batl & mask) | (ea & ~mask);
 
 if (unlikely(env->mmu_model == POWERPC_MMU_601)) {
-*prot = hash32_bat_601_prot(cpu, batu, batl);
+*prot = hash32_bat_601_prot(mmu_idx, batu, batl);
 } else {
 *prot = hash32_bat_prot(cpu, batu, batl);
 }
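Review bot: in ppc_hash32_bat_lookup() the 601 path now calls hash32_bat_601_prot(mmu_idx, ...) but the else branch still calls hash32_bat_prot(cpu, batu, batl), and the earlier hash32_bat_601_size(cpu, ...) call is likewise unchanged. If either of those reads the privilege state from the MSR, the protection or size result can still disagree with the supplied mmu_idx, which is the desync the commit message sets out to remove. Convert them too, or note why they do not need it.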
@@ -224,12 +222,12 @@ static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, 
target_ulong ea,
 static bool ppc_hash32_direct_store(PowerPCCPU *cpu, target_ulong sr,
 target_ulong eaddr,
 MMUAccessType access_type,
-hwaddr *raddr, int *prot,
+hwaddr *raddr, int *prot, int mmu_idx,
 bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
-int key = !!(msr_pr ? (sr & SR32_KP) : (sr & SR32_KS));
+int key = !!(mmuidx_pr(mmu_idx) ? (sr & SR32_KP) : (sr & SR32_KS));
 
 qemu_log_mask(CPU_LOG_MMU, "direct store...\n");
 
@@ -428,7 +426,7 @@ static hwaddr ppc_hash32_pte_raddr(target_ulong sr, 
ppc_hash_pte32_t pte,
 }
 
 bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
-  hwaddr *raddrp, int *psizep, int *protp,
+  hwaddr *raddrp, int *psizep, int *protp, i

Re: [PATCH v8 3/9] vhost: add new call back function for config interrupt

2021-07-08 Thread Jason Wang



On 2021/7/6 3:20 PM, Cindy Lu wrote:

To support configure interrupt, we need to
add a new call back function for config interrupt.

Signed-off-by: Cindy Lu 



Acked-by: Jason Wang 



---
  include/hw/virtio/vhost-backend.h | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/include/hw/virtio/vhost-backend.h 
b/include/hw/virtio/vhost-backend.h
index 8a6f8e2a7a..8ade8e0bd2 100644
--- a/include/hw/virtio/vhost-backend.h
+++ b/include/hw/virtio/vhost-backend.h
@@ -125,6 +125,8 @@ typedef int (*vhost_get_device_id_op)(struct vhost_dev 
*dev, uint32_t *dev_id);
  
  typedef bool (*vhost_force_iommu_op)(struct vhost_dev *dev);
  
+typedef int (*vhost_set_config_call_op)(struct vhost_dev *dev,

+   int fd);
  typedef struct VhostOps {
  VhostBackendType backend_type;
  vhost_backend_init vhost_backend_init;
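Review bot: the new `vhost_set_config_call_op` typedef is added with no comment on the meaning of `fd` and no blank line before `typedef struct VhostOps {`. Document that fd is the config notifier's file descriptor and that -1 disconnects it, which is what the vhost-net stop helper later in this series passes, and align the continuation line `int fd);` with the first parameter.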
@@ -170,6 +172,7 @@ typedef struct VhostOps {
  vhost_vq_get_addr_op  vhost_vq_get_addr;
  vhost_get_device_id_op vhost_get_device_id;
  vhost_force_iommu_op vhost_force_iommu;
+vhost_set_config_call_op vhost_set_config_call;
  } VhostOps;
  
  extern const VhostOps user_ops;
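
Review bot: vhost_set_config_call is appended to VhostOps as a plain function pointer, so any backend ops table that does not assign it leaves the member NULL. The callers added later in the series need to test the pointer before calling through it, or every backend should get at least a stub in the same patch.
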





qemu-devel@nongnu.org

2021-07-08 Thread David Gibson
This is obviously intended to be a mask, not a logical operation.

Signed-off-by: David Gibson 
---
 hw/ppc/pegasos2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index f1741a4512..cf1dc53c83 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -584,7 +584,7 @@ static void add_pci_device(PCIBus *bus, PCIDevice *d, void 
*opaque)
   pci_get_word(&d->config[PCI_SUBSYSTEM_VENDOR_ID]));
 cells[0] = pci_get_long(&d->config[PCI_CLASS_REVISION]);
 qemu_fdt_setprop_cell(fi->fdt, node->str, "class-code", cells[0] >> 8);
-qemu_fdt_setprop_cell(fi->fdt, node->str, "revision-id", cells[0] && 0xff);
+qemu_fdt_setprop_cell(fi->fdt, node->str, "revision-id", cells[0] & 0xff);
 qemu_fdt_setprop_cell(fi->fdt, node->str, "device-id",
   pci_get_word(&d->config[PCI_DEVICE_ID]));
 qemu_fdt_setprop_cell(fi->fdt, node->str, "vendor-id",
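
Review bot: the commit message should state what the removed expression actually produced, because `cells[0] && 0xff` is a logical AND and evaluates to 0 or 1, so the "revision-id" property never carried the revision byte. Saying that, and adding a Fixes: tag for the commit that introduced this line in add_pci_device(), makes it clear that the guest-visible device tree changes with this patch.
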
-- 
2.31.1




[PULL 33/33] target/ppc: Support for H_RPT_INVALIDATE hcall

2021-07-08 Thread David Gibson
From: Bharata B Rao 

If KVM_CAP_RPT_INVALIDATE KVM capability is enabled, then

- indicate the availability of H_RPT_INVALIDATE hcall to the guest via
  ibm,hypertas-functions property.
- Enable the hcall

Both the above are done only if the new sPAPR machine capability
cap-rpt-invalidate is set.

Signed-off-by: Bharata B Rao 
Message-Id: <20210706112440.1449562-3-bhar...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c |  6 ++
 hw/ppc/spapr_caps.c| 41 +
 include/hw/ppc/spapr.h |  8 ++--
 target/ppc/kvm.c   | 12 
 target/ppc/kvm_ppc.h   | 12 
 5 files changed, 77 insertions(+), 2 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 3808d47053..a007be471e 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -881,6 +881,10 @@ static void spapr_dt_rtas(SpaprMachineState *spapr, void 
*fdt)
 add_str(hypertas, "hcall-copy");
 add_str(hypertas, "hcall-debug");
 add_str(hypertas, "hcall-vphn");
+if (spapr_get_cap(spapr, SPAPR_CAP_RPT_INVALIDATE) == SPAPR_CAP_ON) {
+add_str(hypertas, "hcall-rpt-invalidate");
+}
+
 add_str(qemu_hypertas, "hcall-memop1");
 
 if (!kvm_enabled() || kvmppc_spapr_use_multitce()) {
@@ -2030,6 +2034,7 @@ static const VMStateDescription vmstate_spapr = {
 &vmstate_spapr_cap_ccf_assist,
 &vmstate_spapr_cap_fwnmi,
 &vmstate_spapr_fwnmi,
+&vmstate_spapr_cap_rpt_invalidate,
 NULL
 }
 };
@@ -4618,6 +4623,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 smc->default_caps.caps[SPAPR_CAP_LARGE_DECREMENTER] = SPAPR_CAP_ON;
 smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_ON;
 smc->default_caps.caps[SPAPR_CAP_FWNMI] = SPAPR_CAP_ON;
+smc->default_caps.caps[SPAPR_CAP_RPT_INVALIDATE] = SPAPR_CAP_OFF;
 spapr_caps_add_properties(smc);
 smc->irq = &spapr_irq_dual;
 smc->dr_phb_enabled = true;
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index d0c419b392..ed7c077a0d 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -582,6 +582,37 @@ static void cap_fwnmi_apply(SpaprMachineState *spapr, 
uint8_t val,
 }
 }
 
+static void cap_rpt_invalidate_apply(SpaprMachineState *spapr,
+ uint8_t val, Error **errp)
+{
+ERRP_GUARD();
+
+if (!val) {
+/* capability disabled by default */
+return;
+}
+
+if (tcg_enabled()) {
+error_setg(errp, "No H_RPT_INVALIDATE support in TCG");
+error_append_hint(errp,
+  "Try appending -machine cap-rpt-invalidate=off\n");
+} else if (kvm_enabled()) {
+if (!kvmppc_has_cap_mmu_radix()) {
+error_setg(errp, "H_RPT_INVALIDATE only supported on Radix");
+return;
+}
+
+if (!kvmppc_has_cap_rpt_invalidate()) {
+error_setg(errp,
+   "KVM implementation does not support H_RPT_INVALIDATE");
+error_append_hint(errp,
+  "Try appending -machine 
cap-rpt-invalidate=off\n");
+} else {
+kvmppc_enable_h_rpt_invalidate();
+}
+}
+}
+
 SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 [SPAPR_CAP_HTM] = {
 .name = "htm",
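
Review bot: in cap_rpt_invalidate_apply() the accelerator test is `if (tcg_enabled()) ... else if (kvm_enabled())` with no final else, so when neither accelerator is active cap-rpt-invalidate=on is accepted without enabling anything and without setting errp. Consider a closing else that reports an error. The Radix failure path also returns without the "Try appending -machine cap-rpt-invalidate=off" hint that the other two error paths add, and the comment on the `!val` early return describes the default value rather than the condition being tested.
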
@@ -690,6 +721,15 @@ SpaprCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 .type = "bool",
 .apply = cap_fwnmi_apply,
 },
+[SPAPR_CAP_RPT_INVALIDATE] = {
+.name = "rpt-invalidate",
+.description = "Allow H_RPT_INVALIDATE",
+.index = SPAPR_CAP_RPT_INVALIDATE,
+.get = spapr_cap_get_bool,
+.set = spapr_cap_set_bool,
+.type = "bool",
+.apply = cap_rpt_invalidate_apply,
+},
 };
 
 static SpaprCapabilities default_caps_with_cpu(SpaprMachineState *spapr,
@@ -830,6 +870,7 @@ SPAPR_CAP_MIG_STATE(nested_kvm_hv, SPAPR_CAP_NESTED_KVM_HV);
 SPAPR_CAP_MIG_STATE(large_decr, SPAPR_CAP_LARGE_DECREMENTER);
 SPAPR_CAP_MIG_STATE(ccf_assist, SPAPR_CAP_CCF_ASSIST);
 SPAPR_CAP_MIG_STATE(fwnmi, SPAPR_CAP_FWNMI);
+SPAPR_CAP_MIG_STATE(rpt_invalidate, SPAPR_CAP_RPT_INVALIDATE);
 
 void spapr_caps_init(SpaprMachineState *spapr)
 {
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 779f707fb8..637652ad16 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -75,8 +75,10 @@ typedef enum {
 #define SPAPR_CAP_CCF_ASSIST0x09
 /* Implements PAPR FWNMI option */
 #define SPAPR_CAP_FWNMI 0x0A
+/* Support H_RPT_INVALIDATE */
+#define SPAPR_CAP_RPT_INVALIDATE0x0B
 /* Num Caps */
-#define SPAPR_CAP_NUM   (SPAPR_CAP_FWNMI + 1)
+#define SPAPR_CAP_NUM   (SPAPR_CAP_RPT_INVALIDATE + 1)
 
 /*
  * Capability Values
@@ -547,8 +549,9 @@ struct SpaprMachineState {
 #define H_SCM_UNBIND_MEM0x3F0
 #define H_SCM_UNBIND_ALL0x3FC
 #define H_SCM_HEALTH0x400
+#define H_RPT_INVALIDATE 

[PULL 24/33] ppc/pegasos2: Introduce Pegasos2MachineState structure

2021-07-08 Thread David Gibson
From: BALATON Zoltan 

Add own machine state structure which will be used to store state
needed for firmware emulation.

Signed-off-by: BALATON Zoltan 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: 
<7f6d5fbf4f70c64dba001483174a2921dd616ecd.1624811233.git.bala...@eik.bme.hu>
Signed-off-by: David Gibson 
---
 hw/ppc/pegasos2.c | 50 +++
 1 file changed, 37 insertions(+), 13 deletions(-)

diff --git a/hw/ppc/pegasos2.c b/hw/ppc/pegasos2.c
index 0bfd0928aa..07971175c9 100644
--- a/hw/ppc/pegasos2.c
+++ b/hw/ppc/pegasos2.c
@@ -1,7 +1,7 @@
 /*
  * QEMU PowerPC CHRP (Genesi/bPlan Pegasos II) hardware System Emulator
  *
- * Copyright (c) 2018-2020 BALATON Zoltan
+ * Copyright (c) 2018-2021 BALATON Zoltan
  *
  * This work is licensed under the GNU GPL license version 2 or later.
  *
@@ -41,6 +41,15 @@
 
 #define BUS_FREQ_HZ 1
 
+#define TYPE_PEGASOS2_MACHINE  MACHINE_TYPE_NAME("pegasos2")
+OBJECT_DECLARE_TYPE(Pegasos2MachineState, MachineClass, PEGASOS2_MACHINE)
+
+struct Pegasos2MachineState {
+MachineState parent_obj;
+PowerPCCPU *cpu;
+DeviceState *mv;
+};
+
 static void pegasos2_cpu_reset(void *opaque)
 {
 PowerPCCPU *cpu = opaque;
@@ -51,9 +60,9 @@ static void pegasos2_cpu_reset(void *opaque)
 
 static void pegasos2_init(MachineState *machine)
 {
-PowerPCCPU *cpu = NULL;
+Pegasos2MachineState *pm = PEGASOS2_MACHINE(machine);
+CPUPPCState *env;
 MemoryRegion *rom = g_new(MemoryRegion, 1);
-DeviceState *mv;
 PCIBus *pci_bus;
 PCIDevice *dev;
 I2CBus *i2c_bus;
@@ -63,15 +72,16 @@ static void pegasos2_init(MachineState *machine)
 uint8_t *spd_data;
 
 /* init CPU */
-cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
-if (PPC_INPUT(&cpu->env) != PPC_FLAGS_INPUT_6xx) {
+pm->cpu = POWERPC_CPU(cpu_create(machine->cpu_type));
+env = &pm->cpu->env;
+if (PPC_INPUT(env) != PPC_FLAGS_INPUT_6xx) {
 error_report("Incompatible CPU, only 6xx bus supported");
 exit(1);
 }
 
 /* Set time-base frequency */
-cpu_ppc_tb_init(&cpu->env, BUS_FREQ_HZ / 4);
-qemu_register_reset(pegasos2_cpu_reset, cpu);
+cpu_ppc_tb_init(env, BUS_FREQ_HZ / 4);
+qemu_register_reset(pegasos2_cpu_reset, pm->cpu);
 
 /* RAM */
 memory_region_add_subregion(get_system_memory(), 0, machine->ram);
@@ -96,16 +106,16 @@ static void pegasos2_init(MachineState *machine)
 g_free(filename);
 
 /* Marvell Discovery II system controller */
-mv = DEVICE(sysbus_create_simple(TYPE_MV64361, -1,
-((qemu_irq *)cpu->env.irq_inputs)[PPC6xx_INPUT_INT]));
-pci_bus = mv64361_get_pci_bus(mv, 1);
+pm->mv = DEVICE(sysbus_create_simple(TYPE_MV64361, -1,
+ ((qemu_irq *)env->irq_inputs)[PPC6xx_INPUT_INT]));
+pci_bus = mv64361_get_pci_bus(pm->mv, 1);
 
 /* VIA VT8231 South Bridge (multifunction PCI device) */
 /* VT8231 function 0: PCI-to-ISA Bridge */
 dev = pci_create_simple_multifunction(pci_bus, PCI_DEVFN(12, 0), true,
   TYPE_VT8231_ISA);
 qdev_connect_gpio_out(DEVICE(dev), 0,
-  qdev_get_gpio_in_named(mv, "gpp", 31));
+  qdev_get_gpio_in_named(pm->mv, "gpp", 31));
 
 /* VT8231 function 1: IDE Controller */
 dev = pci_create_simple(pci_bus, PCI_DEVFN(12, 1), "via-ide");
@@ -129,8 +139,10 @@ static void pegasos2_init(MachineState *machine)
 pci_vga_init(pci_bus);
 }
 
-static void pegasos2_machine(MachineClass *mc)
+static void pegasos2_machine_class_init(ObjectClass *oc, void *data)
 {
+MachineClass *mc = MACHINE_CLASS(oc);
+
 mc->desc = "Genesi/bPlan Pegasos II";
 mc->init = pegasos2_init;
 mc->block_default_type = IF_IDE;
@@ -141,4 +153,16 @@ static void pegasos2_machine(MachineClass *mc)
 mc->default_ram_size = 512 * MiB;
 }
 
-DEFINE_MACHINE("pegasos2", pegasos2_machine)
+static const TypeInfo pegasos2_machine_info = {
+.name  = TYPE_PEGASOS2_MACHINE,
+.parent= TYPE_MACHINE,
+.class_init= pegasos2_machine_class_init,
+.instance_size = sizeof(Pegasos2MachineState),
+};
+
+static void pegasos2_machine_register_types(void)
+{
+type_register_static(&pegasos2_machine_info);
+}
+
+type_init(pegasos2_machine_register_types)
-- 
2.31.1




[PULL 14/33] target/ppc: Fix compilation with FLUSH_ALL_TLBS debug option

2021-07-08 Thread David Gibson
From: Fabiano Rosas 

../target/ppc/mmu_helper.c: In function 'helper_store_ibatu':
../target/ppc/mmu_helper.c:1802:17: error: unused variable 'cpu' 
[-Werror=unused-variable]
 1802 | PowerPCCPU *cpu = env_archcpu(env);
  | ^~~
../target/ppc/mmu_helper.c: In function 'helper_store_dbatu':
../target/ppc/mmu_helper.c:1838:17: error: unused variable 'cpu' 
[-Werror=unused-variable]
 1838 | PowerPCCPU *cpu = env_archcpu(env);
  | ^~~
../target/ppc/mmu_helper.c: In function 'helper_store_601_batu':
../target/ppc/mmu_helper.c:1874:17: error: unused variable 'cpu' 
[-Werror=unused-variable]
 1874 | PowerPCCPU *cpu = env_archcpu(env);
  | ^~~
../target/ppc/mmu_helper.c: In function 'helper_store_601_batl':
../target/ppc/mmu_helper.c:1919:17: error: unused variable 'cpu' 
[-Werror=unused-variable]
 1919 | PowerPCCPU *cpu = env_archcpu(env);

Fixes: db70b31144 ("target/ppc: Use env_cpu, env_archcpu")
Signed-off-by: Fabiano Rosas 
Message-Id: <20210702215235.1941771-3-faro...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 target/ppc/mmu_helper.c | 8 
 1 file changed, 8 deletions(-)

diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index 4c534b534b..945ac41d42 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -1755,9 +1755,6 @@ static inline void dump_store_bat(CPUPPCState *env, char 
ID, int ul, int nr,
 void helper_store_ibatu(CPUPPCState *env, uint32_t nr, target_ulong value)
 {
 target_ulong mask;
-#if defined(FLUSH_ALL_TLBS)
-PowerPCCPU *cpu = env_archcpu(env);
-#endif
 
 dump_store_bat(env, 'I', 0, nr, value);
 if (env->IBAT[0][nr] != value) {
@@ -1791,9 +1788,6 @@ void helper_store_ibatl(CPUPPCState *env, uint32_t nr, 
target_ulong value)
 void helper_store_dbatu(CPUPPCState *env, uint32_t nr, target_ulong value)
 {
 target_ulong mask;
-#if defined(FLUSH_ALL_TLBS)
-PowerPCCPU *cpu = env_archcpu(env);
-#endif
 
 dump_store_bat(env, 'D', 0, nr, value);
 if (env->DBAT[0][nr] != value) {
@@ -1828,7 +1822,6 @@ void helper_store_601_batu(CPUPPCState *env, uint32_t nr, 
target_ulong value)
 {
 target_ulong mask;
 #if defined(FLUSH_ALL_TLBS)
-PowerPCCPU *cpu = env_archcpu(env);
 int do_inval;
 #endif
 
@@ -1873,7 +1866,6 @@ void helper_store_601_batl(CPUPPCState *env, uint32_t nr, 
target_ulong value)
 #if !defined(FLUSH_ALL_TLBS)
 target_ulong mask;
 #else
-PowerPCCPU *cpu = env_archcpu(env);
 int do_inval;
 #endif
 
-- 
2.31.1




[PULL 23/33] target/ppc: mtmsrd is an illegal instruction on BookE

2021-07-08 Thread David Gibson
From: Nicholas Piggin 

MSR is a 32-bit register in BookE and there is no mtmsrd instruction.

Cc: Christian Zigotzky 
Signed-off-by: Nicholas Piggin 
Message-Id: <20210706051321.609046-1-npig...@gmail.com>
Signed-off-by: David Gibson 
---
 target/ppc/translate.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index f65d1e81ea..d1f482b0f3 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -4940,6 +4940,11 @@ static void gen_mtcrf(DisasContext *ctx)
 #if defined(TARGET_PPC64)
 static void gen_mtmsrd(DisasContext *ctx)
 {
+if (unlikely(!is_book3s_arch2x(ctx))) {
+gen_invalid(ctx);
+return;
+}
+
 CHK_SV;
 
 #if !defined(CONFIG_USER_ONLY)
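
Review bot: the guard added at the top of gen_mtmsrd() tests `!is_book3s_arch2x(ctx)`, which rejects every CPU that fails that predicate, while the commit message only talks about BookE. If the wider effect is intended, a one-line comment above the check saying so would help; if not, the condition should be narrowed. Since the check sits before CHK_SV, gen_invalid() runs regardless of privilege level, which is worth stating in the commit message as well.
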
-- 
2.31.1




[PULL 30/33] target/ppc: Don't compile ppc_tlb_invalid_all without TCG

2021-07-08 Thread David Gibson
From: "Lucas Mateus Castro (alqotel)" 

The function ppc_tlb_invalid_all is not compiled anymore in a TCG-less
environment, and the call to that function has been disabled in this
situation.

Signed-off-by: Lucas Mateus Castro (alqotel) 
Message-Id: <20210708164957.28096-2-lucas.ara...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/cpu_init.c   | 2 ++
 target/ppc/mmu_helper.c | 4 
 2 files changed, 6 insertions(+)

diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c
index 6f8ce010ba..505a0ed6ac 100644
--- a/target/ppc/cpu_init.c
+++ b/target/ppc/cpu_init.c
@@ -8847,9 +8847,11 @@ static void ppc_cpu_reset(DeviceState *dev)
 
 #if !defined(CONFIG_USER_ONLY)
 env->nip = env->hreset_vector | env->excp_prefix;
+#if defined(CONFIG_TCG)
 if (env->mmu_model != POWERPC_MMU_REAL) {
 ppc_tlb_invalidate_all(env);
 }
+#endif /* CONFIG_TCG */
 #endif
 
 hreg_compute_hflags(env);
diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index 47e9f9529e..869d24d301 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -825,6 +825,7 @@ static int mmubooke_get_physical_address(CPUPPCState *env, 
mmu_ctx_t *ctx,
 return ret;
 }
 
+#ifdef CONFIG_TCG
 static void booke206_flush_tlb(CPUPPCState *env, int flags,
const int check_iprot)
 {
@@ -846,6 +847,7 @@ static void booke206_flush_tlb(CPUPPCState *env, int flags,
 
 tlb_flush(env_cpu(env));
 }
+#endif
 
 static hwaddr booke206_tlb_to_page_size(CPUPPCState *env,
 ppcmas_tlb_t *tlb)
@@ -1901,6 +1903,7 @@ void helper_store_601_batl(CPUPPCState *env, uint32_t nr, 
target_ulong value)
 }
 #endif
 
+#ifdef CONFIG_TCG
 /*/
 /* TLB management */
 void ppc_tlb_invalidate_all(CPUPPCState *env)
@@ -1944,6 +1947,7 @@ void ppc_tlb_invalidate_all(CPUPPCState *env)
 break;
 }
 }
+#endif
 
 #ifdef CONFIG_TCG
 void ppc_tlb_invalidate_one(CPUPPCState *env, target_ulong addr)
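
Review bot: the `#endif` added after ppc_tlb_invalidate_all() is followed two lines later by the existing `#ifdef CONFIG_TCG` that guards ppc_tlb_invalidate_one(), so the file now closes and reopens the same condition back to back. Dropping both the added `#endif` and that existing `#ifdef` would leave one guarded block covering both functions. The `#endif` lines added in mmu_helper.c also lack the `/* CONFIG_TCG */` trailer used in the cpu_init.c hunk.
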
-- 
2.31.1




[PULL 13/33] target/ppc: Fix compilation with DUMP_PAGE_TABLES debug option

2021-07-08 Thread David Gibson
From: Fabiano Rosas 

../target/ppc/mmu_helper.c: In function 'get_segment_6xx_tlb':
../target/ppc/mmu_helper.c:514:46: error: passing argument 1 of
'ppc_hash32_hpt_mask' from incompatible pointer type 
[-Werror=incompatible-pointer-types]

  514 |  ppc_hash32_hpt_mask(env) + 0x80);
  |  ^~~
  |  |
  |  CPUPPCState *

Fixes: 36778660d7 ("target/ppc: Eliminate htab_base and htab_mask variables")
Signed-off-by: Fabiano Rosas 
Message-Id: <20210702215235.1941771-2-faro...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 target/ppc/mmu_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index ba1952c77d..4c534b534b 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -511,7 +511,7 @@ static int get_segment_6xx_tlb(CPUPPCState *env, mmu_ctx_t 
*ctx,
 
 qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx
  "\n", ppc_hash32_hpt_base(cpu),
- ppc_hash32_hpt_mask(env) + 0x80);
+ ppc_hash32_hpt_mask(cpu) + 0x80);
 for (curaddr = ppc_hash32_hpt_base(cpu);
  curaddr < (ppc_hash32_hpt_base(cpu)
 + ppc_hash32_hpt_mask(cpu) + 0x80);
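
Review bot: the corrected call sits in code that is only built with the DUMP_PAGE_TABLES debug define, which is how the `env` argument stayed wrong after the commit named in the Fixes: tag, and nothing in this patch stops it from breaking the same way again. Consider a follow-up that routes this dump through a runtime log mask so the code is always compiled, or at least a build job that sets the define.
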
-- 
2.31.1




[PULL 22/33] spapr: Implement Open Firmware client interface

2021-07-08 Thread David Gibson
From: Alexey Kardashevskiy 

The PAPR platform describes an OS environment that's presented by
a combination of a hypervisor and firmware. The features it specifies
require collaboration between the firmware and the hypervisor.

Since the beginning, the runtime component of the firmware (RTAS) has
been implemented as a 20 byte shim which simply forwards it to
a hypercall implemented in qemu. The boot time firmware component is
SLOF - but a build that's specific to qemu, and has always needed to be
updated in sync with it. Even though we've managed to limit the amount
of runtime communication we need between qemu and SLOF, there's some,
and it has become increasingly awkward to handle as we've implemented
new features.

This implements a boot time OF client interface (CI) which is
enabled by a new "x-vof" pseries machine option (stands for "Virtual Open
Firmware"). When enabled, QEMU implements the custom H_OF_CLIENT hcall
which implements Open Firmware Client Interface (OF CI). This allows
using a smaller stateless firmware which does not have to manage
the device tree.

The new "vof.bin" firmware image is included with source code under
pc-bios/. It also includes RTAS blob.

This implements a handful of CI methods just to get -kernel/-initrd
working. In particular, this implements the device tree fetching and
simple memory allocator - "claim" (an OF CI memory allocator) and updates
"/memory@0/available" to report the client about available memory.

This implements changing some device tree properties which we know how
to deal with, the rest is ignored. To allow changes, this skips
fdt_pack() when x-vof=on as not packing the blob leaves some room for
appending.

In absence of SLOF, this assigns phandles to device tree nodes to make
device tree traversing work.

When x-vof=on, this adds "/chosen" every time QEMU (re)builds a tree.

This adds basic instances support which are managed by a hash map
ihandle -> [phandle].

Before the guest started, the used memory is:
0..e60 - the initial firmware
8000..1 - stack
40.. - kernel
3ea.. - initramdisk

This OF CI does not implement "interpret".

Unlike SLOF, this does not format uninitialized nvram. Instead, this
includes a disk image with pre-formatted nvram.

With this basic support, this can only boot into kernel directly.
However this is just enough for the petitboot kernel and initramdisk to
boot from any possible source. Note this requires reasonably recent guest
kernel with:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df5be5be8735

The immediate benefit is much faster booting time which is especially
crucial with fully emulated early CPU bring up environments. Also this
may come in handy when/if GRUB-in-the-userspace sees the light of day.

This separates VOF and sPAPR in a hope that VOF bits may be reused by
other POWERPC boards which do not support pSeries.

This assumes potential support for booting from QEMU backends
such as blockdev or netdev without devices/drivers used.

Signed-off-by: Alexey Kardashevskiy 
Message-Id: <20210625055155.2252896-1-...@ozlabs.ru>
Reviewed-by: BALATON Zoltan 
[dwg: Adjusted some includes which broke compile in some more obscure
 compilation setups]
Signed-off-by: David Gibson 
---
 MAINTAINERS |   12 +
 hw/ppc/Kconfig  |4 +
 hw/ppc/meson.build  |3 +
 hw/ppc/spapr.c  |   67 ++-
 hw/ppc/spapr_hcall.c|   25 +-
 hw/ppc/spapr_vof.c  |  153 ++
 hw/ppc/trace-events |   24 +
 hw/ppc/vof.c| 1049 +++
 include/hw/ppc/spapr.h  |   19 +-
 include/hw/ppc/vof.h|   58 +++
 pc-bios/README  |4 +
 pc-bios/vof-nvram.bin   |  Bin 0 -> 16384 bytes
 pc-bios/vof.bin |  Bin 0 -> 3784 bytes
 pc-bios/vof/Makefile|   23 +
 pc-bios/vof/bootmem.c   |   14 +
 pc-bios/vof/ci.c|   91 
 pc-bios/vof/entry.S |   49 ++
 pc-bios/vof/libc.c  |   92 
 pc-bios/vof/main.c  |   21 +
 pc-bios/vof/vof.h   |   43 ++
 pc-bios/vof/vof.lds |   48 ++
 tests/qtest/rtas-test.c |   15 +-
 22 files changed, 1801 insertions(+), 13 deletions(-)
 create mode 100644 hw/ppc/spapr_vof.c
 create mode 100644 hw/ppc/vof.c
 create mode 100644 include/hw/ppc/vof.h
 create mode 100644 pc-bios/vof-nvram.bin
 create mode 100755 pc-bios/vof.bin
 create mode 100644 pc-bios/vof/Makefile
 create mode 100644 pc-bios/vof/bootmem.c
 create mode 100644 pc-bios/vof/ci.c
 create mode 100644 pc-bios/vof/entry.S
 create mode 100644 pc-bios/vof/libc.c
 create mode 100644 pc-bios/vof/main.c
 create mode 100644 pc-bios/vof/vof.h
 create mode 100644 pc-bios/vof/vof.lds

diff --git a/MAINTAINERS b/MAINTAINERS
index 684142e12e..ce122eeced 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1360,6 +1360,18 @@ F: hw/pci-host/mv64361.c
 F: hw/pci-host/mv643xx.h
 F: include/hw/pci-host/mv64361.h
 
+Virtual Open Firmware (VOF)
+M: Alexey Kardashevskiy 
+M: David Gibson 
+M: Greg Kurz 
+L: qemu-...@nongnu.org
+S: M

[PULL 25/33] target/ppc: Allow virtual hypervisor on CPU without HV

2021-07-08 Thread David Gibson
From: BALATON Zoltan 

Change the assert in ppc_store_sdr1() to allow vhyp to be set on CPUs
without HV bit. This allows using the vhyp interface for firmware
emulation on pegasos2.

Signed-off-by: BALATON Zoltan 
Message-Id: 
<21c7745aabbb68fcc50bb2ffaf16b939ba21261c.1624811233.git.bala...@eik.bme.hu>
Signed-off-by: David Gibson 
---
 target/ppc/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/cpu.c b/target/ppc/cpu.c
index 19d67b5b07..a29299882a 100644
--- a/target/ppc/cpu.c
+++ b/target/ppc/cpu.c
@@ -72,7 +72,7 @@ void ppc_store_sdr1(CPUPPCState *env, target_ulong value)
 {
 PowerPCCPU *cpu = env_archcpu(env);
 qemu_log_mask(CPU_LOG_MMU, "%s: " TARGET_FMT_lx "\n", __func__, value);
-assert(!cpu->vhyp);
+assert(!cpu->env.has_hv_mode || !cpu->vhyp);
 #if defined(TARGET_PPC64)
 if (mmu_is_64bit(env->mmu_model)) {
 target_ulong sdr_mask = SDR_64_HTABORG | SDR_64_HTABSIZE;
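
Review bot: the relaxed assert reads `cpu->env.has_hv_mode` although ppc_store_sdr1() already receives `env` as its parameter, so `env->has_hv_mode` is the shorter and more consistent spelling. A one-line comment above the assert explaining why vhyp is tolerated on a CPU without HV mode would also keep a later cleanup from tightening it again.
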
-- 
2.31.1




[PULL 17/33] target/ppc: changed ppc_hash64_xlate to use mmu_idx

2021-07-08 Thread David Gibson
From: "Bruno Larsen (billionai)" 

Changed hash64 address translation to use the supplied mmu_idx instead
of using the one stored in the msr, for parity purposes (other book3s
MMUs already use it).

Signed-off-by: Bruno Larsen (billionai) 
Reviewed-by: Richard Henderson 
Message-Id: <20210628133610.1143-4-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash64.c | 43 -
 target/ppc/mmu-hash64.h |  2 +-
 target/ppc/mmu_helper.c |  2 +-
 3 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index c1b98a97e9..19832c4b46 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -366,10 +366,9 @@ static inline int ppc_hash64_pte_noexec_guard(PowerPCCPU 
*cpu,
 }
 
 /* Check Basic Storage Protection */
-static int ppc_hash64_pte_prot(PowerPCCPU *cpu,
+static int ppc_hash64_pte_prot(int mmu_idx,
ppc_slb_t *slb, ppc_hash_pte64_t pte)
 {
-CPUPPCState *env = &cpu->env;
 unsigned pp, key;
 /*
  * Some pp bit combinations have undefined behaviour, so default
@@ -377,7 +376,7 @@ static int ppc_hash64_pte_prot(PowerPCCPU *cpu,
  */
 int prot = 0;
 
-key = !!(msr_pr ? (slb->vsid & SLB_VSID_KP)
+key = !!(mmuidx_pr(mmu_idx) ? (slb->vsid & SLB_VSID_KP)
  : (slb->vsid & SLB_VSID_KS));
 pp = (pte.pte1 & HPTE64_R_PP) | ((pte.pte1 & HPTE64_R_PP0) >> 61);
 
@@ -744,17 +743,17 @@ static bool ppc_hash64_use_vrma(CPUPPCState *env)
 }
 }
 
-static void ppc_hash64_set_isi(CPUState *cs, uint64_t error_code)
+static void ppc_hash64_set_isi(CPUState *cs, int mmu_idx, uint64_t error_code)
 {
 CPUPPCState *env = &POWERPC_CPU(cs)->env;
 bool vpm;
 
-if (msr_ir) {
+if (!mmuidx_real(mmu_idx)) {
 vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
 } else {
 vpm = ppc_hash64_use_vrma(env);
 }
-if (vpm && !msr_hv) {
+if (vpm && !mmuidx_hv(mmu_idx)) {
 cs->exception_index = POWERPC_EXCP_HISI;
 } else {
 cs->exception_index = POWERPC_EXCP_ISI;
@@ -762,17 +761,17 @@ static void ppc_hash64_set_isi(CPUState *cs, uint64_t 
error_code)
 env->error_code = error_code;
 }
 
-static void ppc_hash64_set_dsi(CPUState *cs, uint64_t dar, uint64_t dsisr)
+static void ppc_hash64_set_dsi(CPUState *cs, int mmu_idx, uint64_t dar, 
uint64_t dsisr)
 {
 CPUPPCState *env = &POWERPC_CPU(cs)->env;
 bool vpm;
 
-if (msr_dr) {
+if (!mmuidx_real(mmu_idx)) {
 vpm = !!(env->spr[SPR_LPCR] & LPCR_VPM1);
 } else {
 vpm = ppc_hash64_use_vrma(env);
 }
-if (vpm && !msr_hv) {
+if (vpm && !mmuidx_hv(mmu_idx)) {
 cs->exception_index = POWERPC_EXCP_HDSI;
 env->spr[SPR_HDAR] = dar;
 env->spr[SPR_HDSISR] = dsisr;
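
Review bot: the new ppc_hash64_set_dsi() prototype, with `int mmu_idx` inserted before `uint64_t dar, uint64_t dsisr`, is 87 columns on one line and was wrapped by the mailer; split it after `mmu_idx,` to stay within 80 columns. Separately, ppc_hash64_set_isi() tested msr_ir and this function tested msr_dr, and both now use mmuidx_real(mmu_idx), so the change relies on every caller passing an index computed for the right access type. That assumption deserves a sentence in the commit message.
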
@@ -874,7 +873,7 @@ static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb)
 }
 
 bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
-  hwaddr *raddrp, int *psizep, int *protp,
+  hwaddr *raddrp, int *psizep, int *protp, int mmu_idx,
   bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
@@ -897,7 +896,7 @@ bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, 
MMUAccessType access_type,
  */
 
 /* 1. Handle real mode accesses */
-if (access_type == MMU_INST_FETCH ? !msr_ir : !msr_dr) {
+if (mmuidx_real(mmu_idx)) {
 /*
  * Translation is supposedly "off", but in real mode the top 4
  * effective address bits are (mostly) ignored
@@ -909,7 +908,7 @@ bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, 
MMUAccessType access_type,
  * In virtual hypervisor mode, there's nothing to do:
  *   EA == GPA == qemu guest address
  */
-} else if (msr_hv || !env->has_hv_mode) {
+} else if (mmuidx_hv(mmu_idx) || !env->has_hv_mode) {
 /* In HV mode, add HRMOR if top EA bit is clear */
 if (!(eaddr >> 63)) {
 raddr |= env->spr[SPR_HRMOR];
@@ -937,13 +936,13 @@ bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr, 
MMUAccessType access_type,
 }
 switch (access_type) {
 case MMU_INST_FETCH:
-ppc_hash64_set_isi(cs, SRR1_PROTFAULT);
+ppc_hash64_set_isi(cs, mmu_idx, SRR1_PROTFAULT);
 break;
 case MMU_DATA_LOAD:
-ppc_hash64_set_dsi(cs, eaddr, DSISR_PROTFAULT);
+ppc_hash64_set_dsi(cs, mmu_idx, eaddr, DSISR_PROTFAULT);
 break;
 case MMU_DATA_STORE:
-ppc_hash64_set_dsi(cs, eaddr,
+ppc_hash64_set_dsi(cs, mmu_idx, eaddr,
DSISR_PROTFAULT | DSISR_ISSTORE);
 break;
 default:
@@ -996,7 +995,7 @@ bool ppc_hash64_xlate(PowerPCCPU

[PULL 12/33] target/ppc: Restrict ppc_cpu_tlb_fill to TCG

2021-07-08 Thread David Gibson
From: Richard Henderson 

This function is used by TCGCPUOps, and is thus TCG specific.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-10-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu_helper.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index a0e4e027d3..ba1952c77d 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -2948,6 +2948,7 @@ hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr 
addr)
 return -1;
 }
 
+#ifdef CONFIG_TCG
 bool ppc_cpu_tlb_fill(CPUState *cs, vaddr eaddr, int size,
   MMUAccessType access_type, int mmu_idx,
   bool probe, uintptr_t retaddr)
@@ -2968,3 +2969,4 @@ bool ppc_cpu_tlb_fill(CPUState *cs, vaddr eaddr, int size,
 raise_exception_err_ra(&cpu->env, cs->exception_index,
cpu->env.error_code, retaddr);
 }
+#endif
-- 
2.31.1




[PULL 18/33] target/ppc: introduce mmu-books.h

2021-07-08 Thread David Gibson
From: "Bruno Larsen (billionai)" 

Introduce a header common to all BookS MMUs, that can hold code that is
common to hash32 and book3s-v3 MMUs.

Suggested-by: David Gibson 
Signed-off-by: Bruno Larsen (billionai) 
Message-Id: <20210706150316.21005-2-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-book3s-v3.h | 14 +-
 target/ppc/mmu-books.h | 30 ++
 2 files changed, 31 insertions(+), 13 deletions(-)
 create mode 100644 target/ppc/mmu-books.h

diff --git a/target/ppc/mmu-book3s-v3.h b/target/ppc/mmu-book3s-v3.h
index c89d0bccfd..d6d5ed8f8e 100644
--- a/target/ppc/mmu-book3s-v3.h
+++ b/target/ppc/mmu-book3s-v3.h
@@ -21,6 +21,7 @@
 #define PPC_MMU_BOOK3S_V3_H
 
 #include "mmu-hash64.h"
+#include "mmu-books.h"
 
 #ifndef CONFIG_USER_ONLY
 
@@ -47,19 +48,6 @@ struct prtb_entry {
 uint64_t prtbe0, prtbe1;
 };
 
-/*
- * These correspond to the mmu_idx values computed in
- * hreg_compute_hflags_value. See the tables therein
- *
- * They are here because some bits are inverted for BookE MMUs
- * not necessarily because they only work for BookS. However,
- * we only needed to change BookS MMUs, we left the functions
- * here to avoid other possible bugs for untested MMUs
- */
-static inline bool mmuidx_pr(int idx) { return !(idx & 1); }
-static inline bool mmuidx_real(int idx) { return idx & 2; }
-static inline bool mmuidx_hv(int idx) { return idx & 4; }
-
 #ifdef TARGET_PPC64
 
 static inline bool ppc64_use_proc_tbl(PowerPCCPU *cpu)
diff --git a/target/ppc/mmu-books.h b/target/ppc/mmu-books.h
new file mode 100644
index 00..0d12551867
--- /dev/null
+++ b/target/ppc/mmu-books.h
@@ -0,0 +1,30 @@
+/*
+ *  PowerPC BookS emulation generic mmu definitions for qemu.
+ *
+ *  Copyright (c) 2021 Instituto de Pesquisas Eldorado (eldorado.org.br)
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#ifndef PPC_MMU_BOOKS_H
+#define PPC_MMU_BOOKS_H
+
+/*
+ * These correspond to the mmu_idx values computed in
+ * hreg_compute_hflags_value. See the tables therein
+ */
+static inline bool mmuidx_pr(int idx) { return !(idx & 1); }
+static inline bool mmuidx_real(int idx) { return idx & 2; }
+static inline bool mmuidx_hv(int idx) { return idx & 4; }
+#endif /* PPC_MMU_BOOKS_H */
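
Review bot: the comment carried into mmu-books.h drops the paragraph from mmu-book3s-v3.h that said some bits are inverted for BookE MMUs, so the new header no longer warns that mmuidx_pr(), mmuidx_real() and mmuidx_hv() are only valid for BookS-style indices. Keeping that caveat in the new comment, and leaving a blank line before the closing `#endif`, would preserve the documentation the old location had.
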
-- 
2.31.1




[PULL 16/33] target/ppc: fix address translation bug for radix mmus

2021-07-08 Thread David Gibson
From: "Bruno Larsen (billionai)" 

This commit attempts to fix a technical hiccup first mentioned by Richard
Henderson in
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg06247.html

To summarize the hiccup here, when radix-style mmus are translating an
address, they might need to call a second level of translation, with
hypervisor privileges. However, the way it was being done up until
this point meant that the second level translation had the same
privileges as the first level. It could lead to a bug in address
translation when running KVM inside a TCG guest, but this bug was never
experienced by users, so this isn't as much a bug fix as it is a
correctness cleanup.

This patch attempts that cleanup by making radix64_*_xlate functions
receive the mmu_idx, and passing one with the correct permission for the
second level translation.

The mmuidx macros added by this patch are only correct for non-bookE
mmus, because BookE style set the IS and DS bits inverted and there
might be other subtle differences. However, there doesn't seem to be
BookE cpus that have radix-style mmus, so we left a comment there to
document the issue, in case a machine does have that and was missed.

As part of this cleanup, we now need to send the correct mmu_idx
when calling get_phys_page_debug, otherwise we might not be able to see the
memory that the CPU could

Suggested-by: Richard Henderson 
Signed-off-by: Bruno Larsen (billionai) 
Reviewed-by: Richard Henderson 
Reviewed-by: Cédric Le Goater 
Tested-by: Cédric Le Goater 
Message-Id: <20210628133610.1143-2-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-book3s-v3.h | 13 +
 target/ppc/mmu-radix64.c   | 37 +
 target/ppc/mmu-radix64.h   |  2 +-
 target/ppc/mmu_helper.c|  8 +---
 4 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/target/ppc/mmu-book3s-v3.h b/target/ppc/mmu-book3s-v3.h
index a1326df969..c89d0bccfd 100644
--- a/target/ppc/mmu-book3s-v3.h
+++ b/target/ppc/mmu-book3s-v3.h
@@ -47,6 +47,19 @@ struct prtb_entry {
 uint64_t prtbe0, prtbe1;
 };
 
+/*
+ * These correspond to the mmu_idx values computed in
+ * hreg_compute_hflags_value. See the tables therein
+ *
+ * They are here because some bits are inverted for BookE MMUs
+ * not necessarily because they only work for BookS. However,
+ * we only needed to change BookS MMUs, we left the functions
+ * here to avoid other possible bugs for untested MMUs
+ */
+static inline bool mmuidx_pr(int idx) { return !(idx & 1); }
+static inline bool mmuidx_real(int idx) { return idx & 2; }
+static inline bool mmuidx_hv(int idx) { return idx & 4; }
+
 #ifdef TARGET_PPC64
 
 static inline bool ppc64_use_proc_tbl(PowerPCCPU *cpu)
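Review bot: the new comment in mmu-book3s-v3.h never says what each bit of mmu_idx encodes, so mmuidx_pr(), mmuidx_real() and mmuidx_hv() rest on the bare literals 1, 2 and 4, and a reader has to open hreg_compute_hflags_value to learn why bit 0 is tested inverted. Spell the encoding out in the comment or name the bits. Also, the comment says the helpers are not correct for BookE, yet they sit above the `#ifdef TARGET_PPC64` and are visible to every includer of this header; a name or placement that makes use from BookE code harder would back up the warning.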
diff --git a/target/ppc/mmu-radix64.c b/target/ppc/mmu-radix64.c
index cbd404bfa4..5b0e62e676 100644
--- a/target/ppc/mmu-radix64.c
+++ b/target/ppc/mmu-radix64.c
@@ -155,7 +155,7 @@ static void ppc_radix64_raise_hsi(PowerPCCPU *cpu, 
MMUAccessType access_type,
 
 static bool ppc_radix64_check_prot(PowerPCCPU *cpu, MMUAccessType access_type,
uint64_t pte, int *fault_cause, int *prot,
-   bool partition_scoped)
+   int mmu_idx, bool partition_scoped)
 {
 CPUPPCState *env = &cpu->env;
 int need_prot;
@@ -173,7 +173,8 @@ static bool ppc_radix64_check_prot(PowerPCCPU *cpu, 
MMUAccessType access_type,
 /* Determine permissions allowed by Encoded Access Authority */
 if (!partition_scoped && (pte & R_PTE_EAA_PRIV) && msr_pr) {
 *prot = 0;
-} else if (msr_pr || (pte & R_PTE_EAA_PRIV) || partition_scoped) {
+} else if (mmuidx_pr(mmu_idx) || (pte & R_PTE_EAA_PRIV) ||
+   partition_scoped) {
 *prot = ppc_radix64_get_prot_eaa(pte);
 } else { /* !msr_pr && !(pte & R_PTE_EAA_PRIV) && !partition_scoped */
 *prot = ppc_radix64_get_prot_eaa(pte);
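Review bot: only the second condition in ppc_radix64_check_prot was switched to mmuidx_pr(mmu_idx); the first branch, `if (!partition_scoped && (pte & R_PTE_EAA_PRIV) && msr_pr)`, still reads msr_pr, so one if/else chain now takes the privilege level from two different sources. Since the point of the commit is that a translation level can run with a privilege that differs from the MSR, either convert the first test as well or add a comment saying why it must keep using the MSR. The `/* !msr_pr && ... */` comment on the final else should be updated to match whichever is chosen.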
@@ -299,7 +300,7 @@ static int ppc_radix64_partition_scoped_xlate(PowerPCCPU 
*cpu,
   ppc_v3_pate_t pate,
   hwaddr *h_raddr, int *h_prot,
   int *h_page_size, bool pde_addr,
-  bool guest_visible)
+  int mmu_idx, bool guest_visible)
 {
 int fault_cause = 0;
 hwaddr pte_addr;
@@ -310,7 +311,8 @@ static int ppc_radix64_partition_scoped_xlate(PowerPCCPU 
*cpu,
 if (ppc_radix64_walk_tree(CPU(cpu)->as, g_raddr, pate.dw0 & PRTBE_R_RPDB,
   pate.dw0 & PRTBE_R_RPDS, h_raddr, h_page_size,
   &pte, &fault_cause, &pte_addr) ||
-ppc_radix64_check_prot(cpu, access_type, pte, &fault_cause, h_prot, 
true)) {
+ppc_radix64_check_prot(cpu, access_type, pte,
+   &fault_cause, h_prot, mmu_idx, true)) {
 

[PULL 11/33] target/ppc: Introduce ppc_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

Create one common dispatch for all of the ppc_*_xlate functions.
Use ppc64_v3_radix to directly dispatch between ppc_radix64_xlate
and ppc_hash64_xlate.

Remove the separate *_handle_mmu_fault and *_get_phys_page_debug
functions, using common code for ppc_cpu_tlb_fill and
ppc_cpu_get_phys_page_debug.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-9-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-book3s-v3.c |  19 ---
 target/ppc/mmu-book3s-v3.h |   5 --
 target/ppc/mmu-hash32.c|  38 ++
 target/ppc/mmu-hash32.h|   6 +--
 target/ppc/mmu-hash64.c|  37 ++
 target/ppc/mmu-hash64.h|   6 +--
 target/ppc/mmu-radix64.c   |  38 ++
 target/ppc/mmu-radix64.h   |   6 +--
 target/ppc/mmu_helper.c| 100 ++---
 9 files changed, 55 insertions(+), 200 deletions(-)

diff --git a/target/ppc/mmu-book3s-v3.c b/target/ppc/mmu-book3s-v3.c
index c78fd8dc0e..f4985bae78 100644
--- a/target/ppc/mmu-book3s-v3.c
+++ b/target/ppc/mmu-book3s-v3.c
@@ -23,25 +23,6 @@
 #include "mmu-book3s-v3.h"
 #include "mmu-radix64.h"
 
-int ppc64_v3_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr, int rwx,
-  int mmu_idx)
-{
-if (ppc64_v3_radix(cpu)) { /* Guest uses radix */
-return ppc_radix64_handle_mmu_fault(cpu, eaddr, rwx, mmu_idx);
-} else { /* Guest uses hash */
-return ppc_hash64_handle_mmu_fault(cpu, eaddr, rwx, mmu_idx);
-}
-}
-
-hwaddr ppc64_v3_get_phys_page_debug(PowerPCCPU *cpu, vaddr eaddr)
-{
-if (ppc64_v3_radix(cpu)) {
-return ppc_radix64_get_phys_page_debug(cpu, eaddr);
-} else {
-return ppc_hash64_get_phys_page_debug(cpu, eaddr);
-}
-}
-
 bool ppc64_v3_get_pate(PowerPCCPU *cpu, target_ulong lpid, ppc_v3_pate_t 
*entry)
 {
 uint64_t patb = cpu->env.spr[SPR_PTCR] & PTCR_PATB;
diff --git a/target/ppc/mmu-book3s-v3.h b/target/ppc/mmu-book3s-v3.h
index 7b89be54b8..a1326df969 100644
--- a/target/ppc/mmu-book3s-v3.h
+++ b/target/ppc/mmu-book3s-v3.h
@@ -67,11 +67,6 @@ static inline bool ppc64_v3_radix(PowerPCCPU *cpu)
 return !!(cpu->env.spr[SPR_LPCR] & LPCR_HR);
 }
 
-hwaddr ppc64_v3_get_phys_page_debug(PowerPCCPU *cpu, vaddr eaddr);
-
-int ppc64_v3_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr, int rwx,
-  int mmu_idx);
-
 static inline hwaddr ppc_hash64_hpt_base(PowerPCCPU *cpu)
 {
 uint64_t base;
diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index ad22372c07..6a07c345e4 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -424,10 +424,9 @@ static hwaddr ppc_hash32_pte_raddr(target_ulong sr, 
ppc_hash_pte32_t pte,
 return (rpn & ~mask) | (eaddr & mask);
 }
 
-static bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr,
- MMUAccessType access_type,
- hwaddr *raddrp, int *psizep, int *protp,
- bool guest_visible)
+bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
+  hwaddr *raddrp, int *psizep, int *protp,
+  bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -569,34 +568,3 @@ static bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr,
 *protp = prot;
 return true;
 }
-
-int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
-MMUAccessType access_type, int mmu_idx)
-{
-CPUState *cs = CPU(cpu);
-int page_size, prot;
-hwaddr raddr;
-
-/* Translate eaddr to raddr (where raddr is addr qemu needs for access) */
-if (!ppc_hash32_xlate(cpu, eaddr, access_type, &raddr,
-   &page_size, &prot, true)) {
-return 1;
-}
-
-tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK,
- prot, mmu_idx, 1UL << page_size);
-return 0;
-}
-
-hwaddr ppc_hash32_get_phys_page_debug(PowerPCCPU *cpu, target_ulong eaddr)
-{
-int psize, prot;
-hwaddr raddr;
-
-if (!ppc_hash32_xlate(cpu, eaddr, MMU_DATA_LOAD, &raddr,
-   &psize, &prot, false)) {
-return -1;
-}
-
-return raddr & TARGET_PAGE_MASK;
-}
diff --git a/target/ppc/mmu-hash32.h b/target/ppc/mmu-hash32.h
index 30e35718a7..8694eccabd 100644
--- a/target/ppc/mmu-hash32.h
+++ b/target/ppc/mmu-hash32.h
@@ -4,9 +4,9 @@
 #ifndef CONFIG_USER_ONLY
 
 hwaddr get_pteg_offset32(PowerPCCPU *cpu, hwaddr hash);
-hwaddr ppc_hash32_get_phys_page_debug(PowerPCCPU *cpu, target_ulong addr);
-int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr address,
-MMUAccessType access_type, int mmu_idx);
+bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, MMUAccessType access_type,
+  hwaddr *raddrp, int *psizep, int *protp,
+  bool guest_visible);
 
 /*
  * Segment register de
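Review bot: ppc_hash32_xlate goes from static to an exported prototype in mmu-hash32.h without any comment on its contract. Callers outside the file now need to know that it returns true on success, that *psizep is a shift count (the removed caller passed `1UL << page_size` to tlb_set_page), and what guest_visible controls. A short comment above the prototype would cover all three.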

[PULL 08/33] target/ppc: Split out ppc_hash64_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

Mirror the interface of ppc_radix64_xlate, putting all of
the logic for hash64 translation into a single function.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-6-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash64.c | 125 +++-
 1 file changed, 59 insertions(+), 66 deletions(-)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index 2febd369b1..c6b167b4dc 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -873,8 +873,10 @@ static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb)
 return -1;
 }
 
-int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
-MMUAccessType access_type, int mmu_idx)
+static bool ppc_hash64_xlate(PowerPCCPU *cpu, vaddr eaddr,
+ MMUAccessType access_type,
+ hwaddr *raddrp, int *psizep, int *protp,
+ bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -918,9 +920,11 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 slb = &vrma_slbe;
 if (build_vrma_slbe(cpu, slb) != 0) {
 /* Invalid VRMA setup, machine check */
-cs->exception_index = POWERPC_EXCP_MCHECK;
-env->error_code = 0;
-return 1;
+if (guest_visible) {
+cs->exception_index = POWERPC_EXCP_MCHECK;
+env->error_code = 0;
+}
+return false;
 }
 
 goto skip_slb_search;
@@ -929,6 +933,9 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 
 /* Emulated old-style RMO mode, bounds check against RMLS */
 if (raddr >= limit) {
+if (!guest_visible) {
+return false;
+}
 switch (access_type) {
 case MMU_INST_FETCH:
 ppc_hash64_set_isi(cs, SRR1_PROTFAULT);
@@ -943,15 +950,16 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 default:
 g_assert_not_reached();
 }
-return 1;
+return false;
 }
 
 raddr |= env->spr[SPR_RMOR];
 }
-tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK,
- PAGE_READ | PAGE_WRITE | PAGE_EXEC, mmu_idx,
- TARGET_PAGE_SIZE);
-return 0;
+
+*raddrp = raddr;
+*protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+*psizep = TARGET_PAGE_BITS;
+return true;
 }
 
 /* 2. Translation is on, so look up the SLB */
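Review bot: in the real-mode return path the page size changes unit without any marker: the old code passed TARGET_PAGE_SIZE (bytes) to tlb_set_page, the new code stores TARGET_PAGE_BITS (a shift) in *psizep. That is correct only if every caller does `1UL << psize`. Please document on ppc_hash64_xlate that *psizep is a shift count, not a byte size, so that a later caller does not hand it to tlb_set_page unchanged.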
@@ -964,6 +972,9 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 exit(1);
 }
 /* Segment still not found, generate the appropriate interrupt */
+if (!guest_visible) {
+return false;
+}
 switch (access_type) {
 case MMU_INST_FETCH:
 cs->exception_index = POWERPC_EXCP_ISEG;
@@ -978,20 +989,25 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 default:
 g_assert_not_reached();
 }
-return 1;
+return false;
 }
 
-skip_slb_search:
+ skip_slb_search:
 
 /* 3. Check for segment level no-execute violation */
 if (access_type == MMU_INST_FETCH && (slb->vsid & SLB_VSID_N)) {
-ppc_hash64_set_isi(cs, SRR1_NOEXEC_GUARD);
-return 1;
+if (guest_visible) {
+ppc_hash64_set_isi(cs, SRR1_NOEXEC_GUARD);
+}
+return false;
 }
 
 /* 4. Locate the PTE in the hash table */
 ptex = ppc_hash64_htab_lookup(cpu, slb, eaddr, &pte, &apshift);
 if (ptex == -1) {
+if (!guest_visible) {
+return false;
+}
 switch (access_type) {
 case MMU_INST_FETCH:
 ppc_hash64_set_isi(cs, SRR1_NOPTE);
@@ -1005,7 +1021,7 @@ skip_slb_search:
 default:
 g_assert_not_reached();
 }
-return 1;
+return false;
 }
 qemu_log_mask(CPU_LOG_MMU,
   "found PTE at index %08" HWADDR_PRIx "\n", ptex);
@@ -1021,6 +1037,9 @@ skip_slb_search:
 if (need_prot & ~prot) {
 /* Access right violation */
 qemu_log_mask(CPU_LOG_MMU, "PTE access rejected\n");
+if (!guest_visible) {
+return false;
+}
 if (access_type == MMU_INST_FETCH) {
 int srr1 = 0;
 if (PAGE_EXEC & ~exec_prot) {
@@ -1045,7 +1064,7 @@ skip_slb_search:
 }
 ppc_hash64_set_dsi(cs, eaddr, dsisr);
 }
-return 1;
+return false;
 }
 
 qemu_log_mask(CPU_LOG_MMU, "PTE access granted !\n");
@@ -1069,66 +1088,40 @@ skip_slb_search:
 
 /* 7. Determine the

[PULL 21/33] docs/system: ppc: Update ppce500 documentation with eTSEC support

2021-07-08 Thread David Gibson
From: Bin Meng 

This adds eTSEC support to the PowerPC `ppce500` machine documentation.

Signed-off-by: Bin Meng 
Signed-off-by: David Gibson 
---
 docs/system/ppc/ppce500.rst | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/docs/system/ppc/ppce500.rst b/docs/system/ppc/ppce500.rst
index 7a815c1881..afc58f60f5 100644
--- a/docs/system/ppc/ppce500.rst
+++ b/docs/system/ppc/ppce500.rst
@@ -19,6 +19,7 @@ The ``ppce500`` machine supports the following devices:
 * Power-off functionality via one GPIO pin
 * 1 Freescale MPC8xxx PCI host controller
 * VirtIO devices via PCI bus
+* 1 Freescale Enhanced Triple Speed Ethernet controller (eTSEC)
 
 Hardware configuration information
 --
@@ -121,7 +122,7 @@ To boot the 32-bit Linux kernel:
 Running U-Boot
 --
 
-U-Boot mainline v2021.04 release is tested at the time of writing. To build a
+U-Boot mainline v2021.07 release is tested at the time of writing. To build a
 U-Boot mainline bootloader that can be booted by the ``ppce500`` machine, use
 the qemu-ppce500_defconfig with similar commands as described above for Linux:
 
@@ -154,3 +155,10 @@ interface at PCI address 0.1.0, but we can switch that to 
an e1000 NIC by:
 -display none -serial stdio \
 -bios u-boot \
 -nic tap,ifname=tap0,script=no,downscript=no,model=e1000
+
+The QEMU ``ppce500`` machine can also dynamically instantiate an eTSEC device
+if “-device eTSEC” is given to QEMU:
+
+.. code-block:: bash
+
+  -netdev tap,ifname=tap0,script=no,downscript=no,id=net0 -device 
eTSEC,netdev=net0
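Review bot: the added sentence quotes the option with typographic quotes, “-device eTSEC”, while the rest of ppce500.rst marks literals with double backticks (for example ``ppce500``). Use ``-device eTSEC`` so the option renders as a literal and can be copied without the curly quotes. The new code-block also shows only the two options rather than a full command line like the e1000 example just above it; a short lead-in saying they are appended to that command would remove the ambiguity.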
-- 
2.31.1




[PULL 15/33] target/ppc: Fix compilation with DEBUG_BATS debug option

2021-07-08 Thread David Gibson
From: Fabiano Rosas 

../target/ppc/mmu-hash32.c: In function 'ppc_hash32_bat_lookup':
../target/ppc/mmu-hash32.c:204:13: error: 'BATu' undeclared (first use in this 
function);
  204 | BATu = &BATut[i];
  | ^~~~
  | BATut
../target/ppc/mmu-hash32.c:205:13: error: 'BATl' undeclared (first use in this 
function);
  205 | BATl = &BATlt[i];
  | ^~~~
  | BATlt
../target/ppc/mmu-hash32.c:206:13: error: 'BEPIu' undeclared (first use in this 
function)
  206 | BEPIu = *BATu & BATU32_BEPIU;
  | ^
../target/ppc/mmu-hash32.c:206:29: error: 'BATU32_BEPIU' undeclared (first use 
in this function);
  206 | BEPIu = *BATu & BATU32_BEPIU;
  | ^~~~
  | BATU32_BEPI
../target/ppc/mmu-hash32.c:207:13: error: 'BEPIl' undeclared (first use in this 
function)
  207 | BEPIl = *BATu & BATU32_BEPIL;
  | ^
../target/ppc/mmu-hash32.c:207:29: error: 'BATU32_BEPIL' undeclared (first use 
in this function);
  207 | BEPIl = *BATu & BATU32_BEPIL;
  | ^~~~
  | BATU32_BEPI
../target/ppc/mmu-hash32.c:208:13: error: 'bl' undeclared (first use in this 
function)
  208 | bl = (*BATu & 0x1FFC) << 15;
  | ^~

Fixes: 9813279664 ("target-ppc: Disentangle BAT code for 32-bit hash MMUs")
Signed-off-by: Fabiano Rosas 
Message-Id: <20210702215235.1941771-4-faro...@linux.ibm.com>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash32.c | 5 -
 target/ppc/mmu-hash32.h | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index 6a07c345e4..4edd5ffe14 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -27,7 +27,7 @@
 #include "mmu-hash32.h"
 #include "exec/log.h"
 
-/* #define DEBUG_BAT */
+/* #define DEBUG_BATS */
 
 #ifdef DEBUG_BATS
 #  define LOG_BATS(...) qemu_log_mask(CPU_LOG_MMU, __VA_ARGS__)
@@ -199,6 +199,9 @@ static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, 
target_ulong ea,
 /* No hit */
 #if defined(DEBUG_BATS)
 if (qemu_log_enabled()) {
+target_ulong *BATu, *BATl;
+target_ulong BEPIl, BEPIu, bl;
+
 LOG_BATS("no BAT match for " TARGET_FMT_lx ":\n", ea);
 for (i = 0; i < 4; i++) {
 BATu = &BATut[i];
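Review bot: the declarations added under `#if defined(DEBUG_BATS)` fix the build, but nothing stops this block from breaking again, because the compiler only sees it when someone uncomments the define by hand. Consider keeping the block always compiled behind the existing qemu_log_enabled() test so that it is type-checked on every build. In the same block, line 208 of the build log quoted in the commit message masks with the literal 0x1FFC although mmu-hash32.h already defines BATU32_BL with that value.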
diff --git a/target/ppc/mmu-hash32.h b/target/ppc/mmu-hash32.h
index 8694eccabd..c9f584b8ee 100644
--- a/target/ppc/mmu-hash32.h
+++ b/target/ppc/mmu-hash32.h
@@ -22,6 +22,8 @@ bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr, 
MMUAccessType access_type,
  * Block Address Translation (BAT) definitions
  */
 
+#define BATU32_BEPIU0xf000
+#define BATU32_BEPIL0x0ffe
 #define BATU32_BEPI 0xfffe
 #define BATU32_BL   0x1ffc
 #define BATU32_VS   0x0002
-- 
2.31.1




[PULL 07/33] target/ppc: Use bool success for ppc_radix64_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

Instead of returning non-zero for failure, return true for success.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-5-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-radix64.c | 30 +++---
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/target/ppc/mmu-radix64.c b/target/ppc/mmu-radix64.c
index dd5ae69052..2d5f0850c9 100644
--- a/target/ppc/mmu-radix64.c
+++ b/target/ppc/mmu-radix64.c
@@ -463,10 +463,10 @@ static int ppc_radix64_process_scoped_xlate(PowerPCCPU 
*cpu,
  *  | = On| Process Scoped |Scoped |
  *  +-++---+
  */
-static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
- MMUAccessType access_type,
- hwaddr *raddr, int *psizep, int *protp,
- bool guest_visible)
+static bool ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
+  MMUAccessType access_type,
+  hwaddr *raddr, int *psizep, int *protp,
+  bool guest_visible)
 {
 CPUPPCState *env = &cpu->env;
 uint64_t lpid, pid;
@@ -492,7 +492,7 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 }
 *protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 *psizep = TARGET_PAGE_BITS;
-return 0;
+return true;
 }
 
 /*
@@ -510,7 +510,7 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 if (guest_visible) {
 ppc_radix64_raise_segi(cpu, access_type, eaddr);
 }
-return 1;
+return false;
 }
 
 /* Get Process Table */
@@ -523,13 +523,13 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 if (guest_visible) {
 ppc_radix64_raise_si(cpu, access_type, eaddr, DSISR_NOPTE);
 }
-return 1;
+return false;
 }
 if (!validate_pate(cpu, lpid, &pate)) {
 if (guest_visible) {
 ppc_radix64_raise_si(cpu, access_type, eaddr, 
DSISR_R_BADCONFIG);
 }
-return 1;
+return false;
 }
 }
 
@@ -549,7 +549,7 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
pate, &g_raddr, &prot,
&psize, guest_visible);
 if (ret) {
-return ret;
+return false;
 }
 *psizep = MIN(*psizep, psize);
 *protp &= prot;
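Review bot: `if (ret) { return false; }` leaves ppc_radix64_xlate mixing two conventions in one function: it now returns true on success, while the helper called here still reports failure as a non-zero ret (ppc_radix64_process_scoped_xlate is still `static int` in the first hunk header of this patch), and ppc_radix64_handle_mmu_fault further down still returns 1 on failure. Either convert the helpers in this patch or say in the commit message that they follow later, since an `if (ret)` a few lines away from an `if (!ppc_radix64_xlate(...))` is easy to invert by mistake.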
@@ -573,7 +573,7 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
  &prot, &psize, false,
  guest_visible);
 if (ret) {
-return ret;
+return false;
 }
 *psizep = MIN(*psizep, psize);
 *protp &= prot;
@@ -582,7 +582,7 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 }
 }
 
-return 0;
+return true;
 }
 
 int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
@@ -593,8 +593,8 @@ int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 hwaddr raddr;
 
 /* Translate eaddr to raddr (where raddr is addr qemu needs for access) */
-if (ppc_radix64_xlate(cpu, eaddr, access_type, &raddr,
-  &page_size, &prot, true)) {
+if (!ppc_radix64_xlate(cpu, eaddr, access_type, &raddr,
+   &page_size, &prot, true)) {
 return 1;
 }
 
@@ -608,8 +608,8 @@ hwaddr ppc_radix64_get_phys_page_debug(PowerPCCPU *cpu, 
target_ulong eaddr)
 int psize, prot;
 hwaddr raddr;
 
-if (ppc_radix64_xlate(cpu, eaddr, MMU_DATA_LOAD, &raddr,
-  &psize, &prot, false)) {
+if (!ppc_radix64_xlate(cpu, eaddr, MMU_DATA_LOAD, &raddr,
+   &psize, &prot, false)) {
 return -1;
 }
 
-- 
2.31.1




[PULL 09/33] target/ppc: Split out ppc_hash32_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

Mirror the interface of ppc_radix64_xlate, putting all of
the logic for hash32 translation into a single entry point.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-7-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash32.c | 224 
 1 file changed, 113 insertions(+), 111 deletions(-)

diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index 8f19b43e47..ad22372c07 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -218,10 +218,11 @@ static hwaddr ppc_hash32_bat_lookup(PowerPCCPU *cpu, 
target_ulong ea,
 return -1;
 }
 
-static int ppc_hash32_direct_store(PowerPCCPU *cpu, target_ulong sr,
-   target_ulong eaddr,
-   MMUAccessType access_type,
-   hwaddr *raddr, int *prot)
+static bool ppc_hash32_direct_store(PowerPCCPU *cpu, target_ulong sr,
+target_ulong eaddr,
+MMUAccessType access_type,
+hwaddr *raddr, int *prot,
+bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -238,17 +239,23 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
  */
 *raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFF);
 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
-return 0;
+return true;
 }
 
 if (access_type == MMU_INST_FETCH) {
 /* No code fetch is allowed in direct-store areas */
-cs->exception_index = POWERPC_EXCP_ISI;
-env->error_code = 0x1000;
-return 1;
+if (guest_visible) {
+cs->exception_index = POWERPC_EXCP_ISI;
+env->error_code = 0x1000;
+}
+return false;
 }
 
-switch (env->access_type) {
+/*
+ * From ppc_cpu_get_phys_page_debug, env->access_type is not set.
+ * Assume ACCESS_INT for that case.
+ */
+switch (guest_visible ? env->access_type : ACCESS_INT) {
 case ACCESS_INT:
 /* Integer load/store : only access allowed */
 break;
@@ -257,7 +264,7 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
 cs->exception_index = POWERPC_EXCP_ALIGN;
 env->error_code = POWERPC_EXCP_ALIGN_FP;
 env->spr[SPR_DAR] = eaddr;
-return 1;
+return false;
 case ACCESS_RES:
 /* lwarx, ldarx or srwcx. */
 env->error_code = 0;
@@ -267,7 +274,7 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
 } else {
 env->spr[SPR_DSISR] = 0x0400;
 }
-return 1;
+return false;
 case ACCESS_CACHE:
 /*
  * dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi
@@ -276,7 +283,7 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
  * no-op, it's quite easy :-)
  */
 *raddr = eaddr;
-return 0;
+return true;
 case ACCESS_EXT:
 /* eciwx or ecowx */
 cs->exception_index = POWERPC_EXCP_DSI;
@@ -287,16 +294,18 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
 } else {
 env->spr[SPR_DSISR] = 0x0410;
 }
-return 1;
+return false;
 default:
-cpu_abort(cs, "ERROR: instruction should not need "
- "address translation\n");
+cpu_abort(cs, "ERROR: insn should not need address translation\n");
 }
-if ((access_type == MMU_DATA_STORE || key != 1) &&
-(access_type == MMU_DATA_LOAD || key != 0)) {
+
+*prot = key ? PAGE_READ | PAGE_WRITE : PAGE_READ;
+if (*prot & prot_for_access_type(access_type)) {
 *raddr = eaddr;
-return 0;
-} else {
+return true;
+}
+
+if (guest_visible) {
 cs->exception_index = POWERPC_EXCP_DSI;
 env->error_code = 0;
 env->spr[SPR_DAR] = eaddr;
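Review bot: the rewritten permission test in ppc_hash32_direct_store is not equivalent to the one it replaces. The old condition, `(access_type == MMU_DATA_STORE || key != 1) && (access_type == MMU_DATA_LOAD || key != 0)`, allowed a load only when key was 0 and a store only when key was 1; the new `*prot = key ? PAGE_READ | PAGE_WRITE : PAGE_READ` also allows a load when key is 1. If that is an intended fix, say so in the commit message, which describes the patch as a restructuring only; if it is not, the prot computation needs to keep the old truth table.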
@@ -305,8 +314,8 @@ static int ppc_hash32_direct_store(PowerPCCPU *cpu, 
target_ulong sr,
 } else {
 env->spr[SPR_DSISR] = 0x0800;
 }
-return 1;
 }
+return false;
 }
 
 hwaddr get_pteg_offset32(PowerPCCPU *cpu, hwaddr hash)
@@ -415,8 +424,10 @@ static hwaddr ppc_hash32_pte_raddr(target_ulong sr, 
ppc_hash_pte32_t pte,
 return (rpn & ~mask) | (eaddr & mask);
 }
 
-int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
-MMUAccessType access_type, int mmu_idx)
+static bool ppc_hash32_xlate(PowerPCCPU *cpu, vaddr eaddr,
+ MMUAccessType access_type,
+ hwaddr *raddrp, int *psizep, int *protp,
+ bool guest_visible)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -427,43 +438,43 @@ i

[PULL 06/33] target/ppc: Push real-mode handling into ppc_radix64_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

This removes some incomplete duplication between
ppc_radix64_handle_mmu_fault and ppc_radix64_get_phys_page_debug.
The former was correct wrt SPR_HRMOR and the latter was not.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-4-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu-radix64.c | 77 ++--
 1 file changed, 34 insertions(+), 43 deletions(-)

diff --git a/target/ppc/mmu-radix64.c b/target/ppc/mmu-radix64.c
index 1c707d387d..dd5ae69052 100644
--- a/target/ppc/mmu-radix64.c
+++ b/target/ppc/mmu-radix64.c
@@ -465,7 +465,6 @@ static int ppc_radix64_process_scoped_xlate(PowerPCCPU *cpu,
  */
 static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
  MMUAccessType access_type,
- bool relocation,
  hwaddr *raddr, int *psizep, int *protp,
  bool guest_visible)
 {
@@ -474,6 +473,37 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 ppc_v3_pate_t pate;
 int psize, prot;
 hwaddr g_raddr;
+bool relocation;
+
+assert(!(msr_hv && cpu->vhyp));
+
+relocation = (access_type == MMU_INST_FETCH ? msr_ir : msr_dr);
+
+/* HV or virtual hypervisor Real Mode Access */
+if (!relocation && (msr_hv || cpu->vhyp)) {
+/* In real mode top 4 effective addr bits (mostly) ignored */
+*raddr = eaddr & 0x0FFFULL;
+
+/* In HV mode, add HRMOR if top EA bit is clear */
+if (msr_hv || !env->has_hv_mode) {
+if (!(eaddr >> 63)) {
+*raddr |= env->spr[SPR_HRMOR];
+   }
+}
+*protp = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+*psizep = TARGET_PAGE_BITS;
+return 0;
+}
+
+/*
+ * Check UPRT (we avoid the check in real mode to deal with
+ * transitional states during kexec.
+ */
+if (guest_visible && !ppc64_use_proc_tbl(cpu)) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "LPCR:UPRT not set in radix mode ! LPCR="
+  TARGET_FMT_lx "\n", env->spr[SPR_LPCR]);
+}
 
 /* Virtual Mode Access - get the fully qualified address */
 if (!ppc_radix64_get_fully_qualified_addr(&cpu->env, eaddr, &lpid, &pid)) {
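Review bot: moving `assert(!(msr_hv && cpu->vhyp))` into ppc_radix64_xlate puts it on the guest_visible == false path as well; before this patch ppc_radix64_get_phys_page_debug reached the translation without that assert. Please confirm an abort from the debug lookup is acceptable, or keep the assert in the fault handler. While the block is being moved, the mis-indented closing brace after `*raddr |= env->spr[SPR_HRMOR];` and the unbalanced parenthesis in the "Check UPRT (we avoid ..." comment could be fixed rather than carried over.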
@@ -559,43 +589,11 @@ int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
  MMUAccessType access_type, int mmu_idx)
 {
 CPUState *cs = CPU(cpu);
-CPUPPCState *env = &cpu->env;
 int page_size, prot;
-bool relocation;
 hwaddr raddr;
 
-assert(!(msr_hv && cpu->vhyp));
-
-relocation = (access_type == MMU_INST_FETCH ? msr_ir : msr_dr);
-/* HV or virtual hypervisor Real Mode Access */
-if (!relocation && (msr_hv || cpu->vhyp)) {
-/* In real mode top 4 effective addr bits (mostly) ignored */
-raddr = eaddr & 0x0FFFULL;
-
-/* In HV mode, add HRMOR if top EA bit is clear */
-if (msr_hv || !env->has_hv_mode) {
-if (!(eaddr >> 63)) {
-raddr |= env->spr[SPR_HRMOR];
-   }
-}
-tlb_set_page(cs, eaddr & TARGET_PAGE_MASK, raddr & TARGET_PAGE_MASK,
- PAGE_READ | PAGE_WRITE | PAGE_EXEC, mmu_idx,
- TARGET_PAGE_SIZE);
-return 0;
-}
-
-/*
- * Check UPRT (we avoid the check in real mode to deal with
- * transitional states during kexec.
- */
-if (!ppc64_use_proc_tbl(cpu)) {
-qemu_log_mask(LOG_GUEST_ERROR,
-  "LPCR:UPRT not set in radix mode ! LPCR="
-  TARGET_FMT_lx "\n", env->spr[SPR_LPCR]);
-}
-
 /* Translate eaddr to raddr (where raddr is addr qemu needs for access) */
-if (ppc_radix64_xlate(cpu, eaddr, access_type, relocation, &raddr,
+if (ppc_radix64_xlate(cpu, eaddr, access_type, &raddr,
   &page_size, &prot, true)) {
 return 1;
 }
@@ -607,18 +605,11 @@ int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 
 hwaddr ppc_radix64_get_phys_page_debug(PowerPCCPU *cpu, target_ulong eaddr)
 {
-CPUPPCState *env = &cpu->env;
 int psize, prot;
 hwaddr raddr;
 
-/* Handle Real Mode */
-if ((msr_dr == 0) && (msr_hv || cpu->vhyp)) {
-/* In real mode top 4 effective addr bits (mostly) ignored */
-return eaddr & 0x0FFFULL;
-}
-
-if (ppc_radix64_xlate(cpu, eaddr, 0, msr_dr, &raddr, &psize,
-  &prot, false)) {
+if (ppc_radix64_xlate(cpu, eaddr, MMU_DATA_LOAD, &raddr,
+  &psize, &prot, false)) {
 return -1;
 }
 
-- 
2.31.1




[PULL 10/33] target/ppc: Split out ppc_jumbo_xlate

2021-07-08 Thread David Gibson
From: Richard Henderson 

Mirror the interface of ppc_radix64_xlate (mostly), putting all
of the logic for older mmu translation into a single entry point.
For booke, we need to add mmu_idx to the xlate-style interface.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-8-bruno.lar...@eldorado.org.br>
Signed-off-by: David Gibson 
---
 target/ppc/mmu_helper.c | 179 +---
 1 file changed, 96 insertions(+), 83 deletions(-)

diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index c4b1c93e47..2e92deb105 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -1435,48 +1435,6 @@ static int get_physical_address(CPUPPCState *env, 
mmu_ctx_t *ctx,
 }
 #endif
 
-hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
-{
-PowerPCCPU *cpu = POWERPC_CPU(cs);
-CPUPPCState *env = &cpu->env;
-mmu_ctx_t ctx;
-
-switch (env->mmu_model) {
-#if defined(TARGET_PPC64)
-case POWERPC_MMU_64B:
-case POWERPC_MMU_2_03:
-case POWERPC_MMU_2_06:
-case POWERPC_MMU_2_07:
-return ppc_hash64_get_phys_page_debug(cpu, addr);
-case POWERPC_MMU_3_00:
-return ppc64_v3_get_phys_page_debug(cpu, addr);
-#endif
-
-case POWERPC_MMU_32B:
-case POWERPC_MMU_601:
-return ppc_hash32_get_phys_page_debug(cpu, addr);
-
-default:
-;
-}
-
-if (unlikely(get_physical_address(env, &ctx, addr, MMU_DATA_LOAD,
-  ACCESS_INT) != 0)) {
-
-/*
- * Some MMUs have separate TLBs for code and data. If we only
- * try an ACCESS_INT, we may not be able to read instructions
- * mapped by code TLBs, so we also try a ACCESS_CODE.
- */
-if (unlikely(get_physical_address(env, &ctx, addr, MMU_INST_FETCH,
-  ACCESS_CODE) != 0)) {
-return -1;
-}
-}
-
-return ctx.raddr & TARGET_PAGE_MASK;
-}
-
 static void booke206_update_mas_tlb_miss(CPUPPCState *env, target_ulong 
address,
  MMUAccessType access_type, int 
mmu_idx)
 {
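Review bot: the ACCESS_INT then ACCESS_CODE retry in the removed ppc_cpu_get_phys_page_debug has to survive in whatever replaces it, and the replacement is not in this hunk. The deleted comment explains why: some MMUs have separate TLBs for code and data, so a data-only lookup may not be able to read instructions mapped by code TLBs. Make sure the common debug lookup still falls back to MMU_INST_FETCH for the models handled by ppc_jumbo_xlate, and keep that comment next to the fallback.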
@@ -1532,30 +1490,38 @@ static void booke206_update_mas_tlb_miss(CPUPPCState 
*env, target_ulong address,
 }
 
 /* Perform address translation */
-static int cpu_ppc_handle_mmu_fault(CPUPPCState *env, target_ulong address,
-MMUAccessType access_type, int mmu_idx)
+/* TODO: Split this by mmu_model. */
+static bool ppc_jumbo_xlate(PowerPCCPU *cpu, vaddr eaddr,
+MMUAccessType access_type,
+hwaddr *raddrp, int *psizep, int *protp,
+int mmu_idx, bool guest_visible)
 {
-CPUState *cs = env_cpu(env);
-PowerPCCPU *cpu = POWERPC_CPU(cs);
+CPUState *cs = CPU(cpu);
+CPUPPCState *env = &cpu->env;
 mmu_ctx_t ctx;
 int type;
-int ret = 0;
+int ret;
 
 if (access_type == MMU_INST_FETCH) {
 /* code access */
 type = ACCESS_CODE;
-} else {
+} else if (guest_visible) {
 /* data access */
 type = env->access_type;
+} else {
+type = ACCESS_INT;
 }
-ret = get_physical_address_wtlb(env, &ctx, address, access_type,
+
+ret = get_physical_address_wtlb(env, &ctx, eaddr, access_type,
 type, mmu_idx);
 if (ret == 0) {
-tlb_set_page(cs, address & TARGET_PAGE_MASK,
- ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
- mmu_idx, TARGET_PAGE_SIZE);
-ret = 0;
-} else if (ret < 0) {
+*raddrp = ctx.raddr;
+*protp = ctx.prot;
+*psizep = TARGET_PAGE_BITS;
+return true;
+}
+
+if (guest_visible) {
 LOG_MMU_STATE(cs);
 if (type == ACCESS_CODE) {
 switch (ret) {
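Review bot: in ppc_jumbo_xlate the failure branch changed from `else if (ret < 0)` to a plain `if (guest_visible)`, so a positive return from get_physical_address_wtlb, which the old code let skip the exception-raising block, now enters the `switch (ret)` that sets up an exception. If positive values cannot occur, document that (an assert that ret is negative at this point would do); if they can, the old behaviour for them needs to be preserved.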
@@ -1565,7 +1531,7 @@ static int cpu_ppc_handle_mmu_fault(CPUPPCState *env, 
target_ulong address,
 case POWERPC_MMU_SOFT_6xx:
 cs->exception_index = POWERPC_EXCP_IFTLB;
 env->error_code = 1 << 18;
-env->spr[SPR_IMISS] = address;
+env->spr[SPR_IMISS] = eaddr;
 env->spr[SPR_ICMP] = 0x8000 | ctx.ptem;
 goto tlb_miss;
 case POWERPC_MMU_SOFT_74xx:
@@ -1575,29 +1541,25 @@ static int cpu_ppc_handle_mmu_fault(CPUPPCState *env, 
target_ulong address,
 case POWERPC_MMU_SOFT_4xx_Z:
 cs->exception_index = POWERPC_EXCP_ITLB;
 env->error_code = 0;
-env->spr[SPR_40x_DEAR] = address;
+env->spr[SPR_40x_DEAR] = eaddr;
 env->spr[SPR_40x_ESR] = 0x;
 break;
 case POWERPC_MMU_BOOKE206:
-booke206_update_mas_tlb_miss(env, address, 2, mmu_idx);
+booke206_update_mas_tlb_miss(env, eaddr, 2, mmu_idx);

[PULL 03/33] spapr: tune rtas-size

2021-07-08 Thread David Gibson
From: Alexey Kardashevskiy 

QEMU reserves space for RTAS via /rtas/rtas-size which tells the client
how much space the RTAS requires to work which includes the RTAS binary
blob implementing RTAS runtime. Because pseries supports FWNMI which
requires plenty of space, QEMU reserves more than 2KB which is
enough for the RTAS blob as it is just 20 bytes (under QEMU).

Since FWNMI reset delivery was added, RTAS_SIZE macro is not used anymore.
This replaces RTAS_SIZE with RTAS_MIN_SIZE and uses it in
the /rtas/rtas-size calculation to account for the RTAS blob.

Fixes: 0e236d347790 ("ppc/spapr: Implement FWNMI System Reset delivery")
Signed-off-by: Alexey Kardashevskiy 
Message-Id: <20210622070336.1463250-1-...@ozlabs.ru>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 8 ++--
 include/hw/ppc/spapr.h | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 4dd90b75cc..9e19c57032 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -919,9 +919,13 @@ static void spapr_dt_rtas(SpaprMachineState *spapr, void 
*fdt)
  *
  * The extra 8 bytes is required because Linux's FWNMI error log check
  * is off-by-one.
+ *
+ * RTAS_MIN_SIZE is required for the RTAS blob itself.
  */
-_FDT(fdt_setprop_cell(fdt, rtas, "rtas-size", RTAS_ERROR_LOG_MAX +
- ms->smp.max_cpus * sizeof(uint64_t)*2 + 
sizeof(uint64_t)));
+_FDT(fdt_setprop_cell(fdt, rtas, "rtas-size", RTAS_MIN_SIZE +
+  RTAS_ERROR_LOG_MAX +
+  ms->smp.max_cpus * sizeof(uint64_t) * 2 +
+  sizeof(uint64_t)));
 _FDT(fdt_setprop_cell(fdt, rtas, "rtas-error-log-max",
   RTAS_ERROR_LOG_MAX));
 _FDT(fdt_setprop_cell(fdt, rtas, "rtas-event-scan-rate",
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index f05219f75e..5697327e4c 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -770,7 +770,7 @@ void spapr_load_rtas(SpaprMachineState *spapr, void *fdt, 
hwaddr addr);
 #define SPAPR_IS_PCI_LIOBN(liobn)   (!!((liobn) & 0x8000))
 #define SPAPR_PCI_DMA_WINDOW_NUM(liobn) ((liobn) & 0xff)
 
-#define RTAS_SIZE   2048
+#define RTAS_MIN_SIZE   20 /* hv_rtas_size in SLOF */
 #define RTAS_ERROR_LOG_MAX  2048
 
 /* Offset from rtas-base where error log is placed */
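Review bot: RTAS_MIN_SIZE hard-codes 20, and only the trailing comment ties it to hv_rtas_size in SLOF, so nothing fails if the SLOF blob grows and /rtas/rtas-size then under-reports the space the blob needs. Consider a check against the actual blob size where it is loaded, or at least a note in the comment on how to keep the two values in sync.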
-- 
2.31.1




[PULL 05/33] target/ppc: Use MMUAccessType with *_handle_mmu_fault

2021-07-08 Thread David Gibson
From: Richard Henderson 

These changes were waiting until we didn't need to match
the function type of PowerPCCPUClass.handle_mmu_fault.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-3-bruno.lar...@eldorado.org.br>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash32.c  | 7 ++-
 target/ppc/mmu-hash32.h  | 4 ++--
 target/ppc/mmu-hash64.c  | 6 +-
 target/ppc/mmu-hash64.h  | 4 ++--
 target/ppc/mmu-radix64.c | 7 ++-
 target/ppc/mmu-radix64.h | 4 ++--
 6 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/target/ppc/mmu-hash32.c b/target/ppc/mmu-hash32.c
index 9f0a497657..8f19b43e47 100644
--- a/target/ppc/mmu-hash32.c
+++ b/target/ppc/mmu-hash32.c
@@ -415,8 +415,8 @@ static hwaddr ppc_hash32_pte_raddr(target_ulong sr, 
ppc_hash_pte32_t pte,
 return (rpn & ~mask) | (eaddr & mask);
 }
 
-int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr, int rwx,
-int mmu_idx)
+int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
+MMUAccessType access_type, int mmu_idx)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -425,11 +425,8 @@ int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr, int rwx,
 ppc_hash_pte32_t pte;
 int prot;
 int need_prot;
-MMUAccessType access_type;
 hwaddr raddr;
 
-assert((rwx == 0) || (rwx == 1) || (rwx == 2));
-access_type = rwx;
 need_prot = prot_for_access_type(access_type);
 
 /* 1. Handle real mode accesses */
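Review bot: dropping `assert((rwx == 0) || (rwx == 1) || (rwx == 2))` leaves `prot_for_access_type(access_type)` as the first consumer of the value, with no range check left in this function. The enum type documents intent, but C still accepts any int from a caller, so please confirm that prot_for_access_type() aborts on an unknown value rather than returning a usable protection mask.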
diff --git a/target/ppc/mmu-hash32.h b/target/ppc/mmu-hash32.h
index 898021f0d8..30e35718a7 100644
--- a/target/ppc/mmu-hash32.h
+++ b/target/ppc/mmu-hash32.h
@@ -5,8 +5,8 @@
 
 hwaddr get_pteg_offset32(PowerPCCPU *cpu, hwaddr hash);
 hwaddr ppc_hash32_get_phys_page_debug(PowerPCCPU *cpu, target_ulong addr);
-int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr address, int rw,
-int mmu_idx);
+int ppc_hash32_handle_mmu_fault(PowerPCCPU *cpu, vaddr address,
+MMUAccessType access_type, int mmu_idx);
 
 /*
  * Segment register definitions
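Review bot: the prototype still names the second parameter `address` while the definition in mmu-hash32.c uses `eaddr`. Since the declaration is being rewritten anyway, rename it to `eaddr` so header and implementation agree; the same applies to the mmu-hash64.h prototype.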
diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index 708dffc31b..2febd369b1 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -874,7 +874,7 @@ static int build_vrma_slbe(PowerPCCPU *cpu, ppc_slb_t *slb)
 }
 
 int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
-int rwx, int mmu_idx)
+MMUAccessType access_type, int mmu_idx)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
@@ -884,13 +884,9 @@ int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr 
eaddr,
 hwaddr ptex;
 ppc_hash_pte64_t pte;
 int exec_prot, pp_prot, amr_prot, prot;
-MMUAccessType access_type;
 int need_prot;
 hwaddr raddr;
 
-assert((rwx == 0) || (rwx == 1) || (rwx == 2));
-access_type = rwx;
-
 /*
  * Note on LPCR usage: 970 uses HID4, but our special variant of
  * store_spr copies relevant fields into env->spr[SPR_LPCR].
diff --git a/target/ppc/mmu-hash64.h b/target/ppc/mmu-hash64.h
index 4b8b8e7950..3e8a8eec1f 100644
--- a/target/ppc/mmu-hash64.h
+++ b/target/ppc/mmu-hash64.h
@@ -8,8 +8,8 @@ void dump_slb(PowerPCCPU *cpu);
 int ppc_store_slb(PowerPCCPU *cpu, target_ulong slot,
   target_ulong esid, target_ulong vsid);
 hwaddr ppc_hash64_get_phys_page_debug(PowerPCCPU *cpu, target_ulong addr);
-int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr address, int rw,
-int mmu_idx);
+int ppc_hash64_handle_mmu_fault(PowerPCCPU *cpu, vaddr address,
+MMUAccessType access_type, int mmu_idx);
 void ppc_hash64_tlb_flush_hpte(PowerPCCPU *cpu,
target_ulong pte_index,
target_ulong pte0, target_ulong pte1);
diff --git a/target/ppc/mmu-radix64.c b/target/ppc/mmu-radix64.c
index b6d191c1d8..1c707d387d 100644
--- a/target/ppc/mmu-radix64.c
+++ b/target/ppc/mmu-radix64.c
@@ -555,19 +555,16 @@ static int ppc_radix64_xlate(PowerPCCPU *cpu, vaddr eaddr,
 return 0;
 }
 
-int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr, int rwx,
- int mmu_idx)
+int ppc_radix64_handle_mmu_fault(PowerPCCPU *cpu, vaddr eaddr,
+ MMUAccessType access_type, int mmu_idx)
 {
 CPUState *cs = CPU(cpu);
 CPUPPCState *env = &cpu->env;
 int page_size, prot;
 bool relocation;
-MMUAccessType access_type;
 hwaddr raddr;
 
 assert(!(msr_hv && cpu->vhyp));
-assert((rwx == 0) || (rwx == 1) || (rwx == 2));
-access_type = rwx;
 
 relocation = (access_type == MMU_INST_FETCH ? msr_ir : msr_dr);
 /* HV or virtual hypervisor Real Mode Access */
diff --git a/target/ppc/mmu-radix64.h b/target/ppc/mmu-radix64.h
index f28c5794d0..94bd

[PULL 02/33] target/ppc: Drop PowerPCCPUClass::interrupts_big_endian()

2021-07-08 Thread David Gibson
From: Greg Kurz 

This isn't used anymore.

Signed-off-by: Greg Kurz 
Message-Id: <20210622140926.677618-3-gr...@kaod.org>
Reviewed-by: Fabiano Rosas 
Signed-off-by: David Gibson 
---
 target/ppc/cpu-qom.h  |  1 -
 target/ppc/cpu_init.c | 17 -
 2 files changed, 18 deletions(-)

diff --git a/target/ppc/cpu-qom.h b/target/ppc/cpu-qom.h
index 06b6571bc9..7b424e3cb0 100644
--- a/target/ppc/cpu-qom.h
+++ b/target/ppc/cpu-qom.h
@@ -199,7 +199,6 @@ struct PowerPCCPUClass {
 void (*init_proc)(CPUPPCState *env);
 int  (*check_pow)(CPUPPCState *env);
 int (*handle_mmu_fault)(PowerPCCPU *cpu, vaddr eaddr, int rwx, int 
mmu_idx);
-bool (*interrupts_big_endian)(PowerPCCPU *cpu);
 };
 
 #ifndef CONFIG_USER_ONLY
diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c
index d0411e7302..1a22aef874 100644
--- a/target/ppc/cpu_init.c
+++ b/target/ppc/cpu_init.c
@@ -2666,18 +2666,6 @@ static int check_pow_hid0_74xx(CPUPPCState *env)
 return 0;
 }
 
-static bool ppc_cpu_interrupts_big_endian_always(PowerPCCPU *cpu)
-{
-return true;
-}
-
-#ifdef TARGET_PPC64
-static bool ppc_cpu_interrupts_big_endian_lpcr(PowerPCCPU *cpu)
-{
-return !(cpu->env.spr[SPR_LPCR] & LPCR_ILE);
-}
-#endif
-
 /*/
 /* PowerPC implementations definitions   */
 
@@ -7740,7 +7728,6 @@ POWERPC_FAMILY(POWER7)(ObjectClass *oc, void *data)
  POWERPC_FLAG_VSX;
 pcc->l1_dcache_size = 0x8000;
 pcc->l1_icache_size = 0x8000;
-pcc->interrupts_big_endian = ppc_cpu_interrupts_big_endian_lpcr;
 }
 
 static void init_proc_POWER8(CPUPPCState *env)
@@ -7918,7 +7905,6 @@ POWERPC_FAMILY(POWER8)(ObjectClass *oc, void *data)
  POWERPC_FLAG_VSX | POWERPC_FLAG_TM;
 pcc->l1_dcache_size = 0x8000;
 pcc->l1_icache_size = 0x8000;
-pcc->interrupts_big_endian = ppc_cpu_interrupts_big_endian_lpcr;
 }
 
 #ifdef CONFIG_SOFTMMU
@@ -8136,7 +8122,6 @@ POWERPC_FAMILY(POWER9)(ObjectClass *oc, void *data)
  POWERPC_FLAG_VSX | POWERPC_FLAG_TM | POWERPC_FLAG_SCV;
 pcc->l1_dcache_size = 0x8000;
 pcc->l1_icache_size = 0x8000;
-pcc->interrupts_big_endian = ppc_cpu_interrupts_big_endian_lpcr;
 }
 
 #ifdef CONFIG_SOFTMMU
@@ -8347,7 +8332,6 @@ POWERPC_FAMILY(POWER10)(ObjectClass *oc, void *data)
  POWERPC_FLAG_VSX | POWERPC_FLAG_TM | POWERPC_FLAG_SCV;
 pcc->l1_dcache_size = 0x8000;
 pcc->l1_icache_size = 0x8000;
-pcc->interrupts_big_endian = ppc_cpu_interrupts_big_endian_lpcr;
 }
 
 #if !defined(CONFIG_USER_ONLY)
@@ -9094,7 +9078,6 @@ static void ppc_cpu_class_init(ObjectClass *oc, void 
*data)
 device_class_set_parent_unrealize(dc, ppc_cpu_unrealize,
   &pcc->parent_unrealize);
 pcc->pvr_match = ppc_pvr_match_default;
-pcc->interrupts_big_endian = ppc_cpu_interrupts_big_endian_always;
 device_class_set_props(dc, ppc_cpu_properties);
 
 device_class_set_parent_reset(dc, ppc_cpu_reset, &pcc->parent_reset);
-- 
2.31.1




[PULL 00/33] ppc-for-6.1 queue 20210709

2021-07-08 Thread David Gibson
The following changes since commit 9db3065c62a983286d06c207f4981408cf42184d:

  Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-6.1-pull-request' into staging (2021-07-08 16:30:18 +0100)

are available in the Git repository at:

  https://gitlab.com/dgibson/qemu.git tags/ppc-for-6.1-20210709

for you to fetch changes up to 82123b756a1a2f1965350e5794aaa7b5c6a15282:

  target/ppc: Support for H_RPT_INVALIDATE hcall (2021-07-09 11:01:06 +1000)


ppc patch queue 2021-07-09

Here's a (probably) final pull request before the qemu-6.1 soft
freeze.  Includes:
  * Implementation of the new H_RPT_INVALIDATE hypercall
  * Virtual Open Firmware for pSeries and pegasos2 machine types.
    This is an experimental minimal Open Firmware implementation which
    works by delegating nearly everything to qemu itself via a special
    hypercall.
  * A number of cleanups to the ppc soft MMU code
  * Fix to handling of two-level radix mode translations for the
    powernv machine type
  * Update the H_GET_CPU_CHARACTERISTICS call with newly defined bits.
    This will allow more flexible handling of possible future CPU
    Spectre-like flaws
  * Correctly treat mtmsrd as an illegal instruction on BookE cpus
  * Firmware update for the ppce500 machine type


Alexey Kardashevskiy (3):
  spapr: tune rtas-size
  spapr: Implement Open Firmware client interface
  spapr: Fix implementation of Open Firmware client interface

BALATON Zoltan (4):
  ppc/pegasos2: Introduce Pegasos2MachineState structure
  target/ppc: Allow virtual hypervisor on CPU without HV
  ppc/pegasos2: Use Virtual Open Firmware as firmware replacement
  ppc/pegasos2: Implement some RTAS functions with VOF

Bharata B Rao (2):
  linux-headers: Update
  target/ppc: Support for H_RPT_INVALIDATE hcall

Bin Meng (2):
  roms/u-boot: Bump ppce500 u-boot to v2021.07 to add eTSEC support
  docs/system: ppc: Update ppce500 documentation with eTSEC support

Bruno Larsen (billionai) (4):
  target/ppc: fix address translation bug for radix mmus
  target/ppc: changed ppc_hash64_xlate to use mmu_idx
  target/ppc: introduce mmu-books.h
  target/ppc: change ppc_hash32_xlate to use mmu_idx

David Gibson (1):
  ppc/pegasos2: Fix use of && instead of &

Fabiano Rosas (3):
  target/ppc: Fix compilation with DUMP_PAGE_TABLES debug option
  target/ppc: Fix compilation with FLUSH_ALL_TLBS debug option
  target/ppc: Fix compilation with DEBUG_BATS debug option

Greg Kurz (2):
  target/ppc: Introduce ppc_interrupts_little_endian()
  target/ppc: Drop PowerPCCPUClass::interrupts_big_endian()

Lucas Mateus Castro (alqotel) (1):
  target/ppc: Don't compile ppc_tlb_invalid_all without TCG

Nicholas Piggin (2):
  target/ppc: mtmsrd is an illegal instruction on BookE
  target/ppc/spapr: Update H_GET_CPU_CHARACTERISTICS L1D cache flush bits

Richard Henderson (9):
  target/ppc: Remove PowerPCCPUClass.handle_mmu_fault
  target/ppc: Use MMUAccessType with *_handle_mmu_fault
  target/ppc: Push real-mode handling into ppc_radix64_xlate
  target/ppc: Use bool success for ppc_radix64_xlate
  target/ppc: Split out ppc_hash64_xlate
  target/ppc: Split out ppc_hash32_xlate
  target/ppc: Split out ppc_jumbo_xlate
  target/ppc: Introduce ppc_xlate
  target/ppc: Restrict ppc_cpu_tlb_fill to TCG

 MAINTAINERS|   12 +
 default-configs/devices/ppc-softmmu.mak|2 +-
 docs/system/ppc/ppce500.rst|   10 +-
 hw/ppc/Kconfig |5 +
 hw/ppc/meson.build |3 +
 hw/ppc/pegasos2.c  |  789 ++-
 hw/ppc/spapr.c |   77 +-
 hw/ppc/spapr_caps.c|   41 +
 hw/ppc/spapr_hcall.c   |   24 +-
 hw/ppc/spapr_vof.c |  167 
 hw/ppc/trace-events|   24 +
 hw/ppc/vof.c   | 1053 
 include/hw/ppc/spapr.h |   31 +-
 include/hw/ppc/vof.h   |   58 ++
 include/standard-headers/asm-x86/kvm_para.h|   13 +
 include/standard-headers/drm/drm_fourcc.h  |7 +
 include/standard-headers/linux/ethtool.h   |4 +-
 include/standard-headers/linux/input-event-codes.h |1 +
 include/standard-headers/linux/virtio_ids.h|2 +-
 include/standard-headers/linux/virtio_vsock.h  |9 +
 linux-headers/asm-arm64/kvm.h  |   11 +
 linux-headers/asm-generic/mman-common.h|3 +
 linux-headers/asm-generic/unistd.h |4 +-
 linux-headers/asm-mip

[PULL 04/33] target/ppc: Remove PowerPCCPUClass.handle_mmu_fault

2021-07-08 Thread David Gibson
From: Richard Henderson 

Instead, use a switch on env->mmu_model.  This avoids some
replicated information in cpu setup.

Signed-off-by: Richard Henderson 
Message-Id: <20210621125115.67717-2-bruno.lar...@eldorado.org.br>
Reviewed-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 target/ppc/cpu-qom.h|  1 -
 target/ppc/cpu_init.c   | 45 -
 target/ppc/mmu_helper.c | 24 ++
 3 files changed, 20 insertions(+), 50 deletions(-)

diff --git a/target/ppc/cpu-qom.h b/target/ppc/cpu-qom.h
index 7b424e3cb0..5800fa324e 100644
--- a/target/ppc/cpu-qom.h
+++ b/target/ppc/cpu-qom.h
@@ -198,7 +198,6 @@ struct PowerPCCPUClass {
 int n_host_threads;
 void (*init_proc)(CPUPPCState *env);
 int  (*check_pow)(CPUPPCState *env);
-int (*handle_mmu_fault)(PowerPCCPU *cpu, vaddr eaddr, int rwx, int 
mmu_idx);
 };
 
 #ifndef CONFIG_USER_ONLY
diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c
index 1a22aef874..6f8ce010ba 100644
--- a/target/ppc/cpu_init.c
+++ b/target/ppc/cpu_init.c
@@ -4566,9 +4566,6 @@ POWERPC_FAMILY(601)(ObjectClass *oc, void *data)
 (1ull << MSR_IR) |
 (1ull << MSR_DR);
 pcc->mmu_model = POWERPC_MMU_601;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_601;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_601;
@@ -4611,9 +4608,6 @@ POWERPC_FAMILY(601v)(ObjectClass *oc, void *data)
 (1ull << MSR_IR) |
 (1ull << MSR_DR);
 pcc->mmu_model = POWERPC_MMU_601;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_601;
 pcc->flags = POWERPC_FLAG_SE | POWERPC_FLAG_RTC_CLK | POWERPC_FLAG_HID0_LE;
@@ -4877,9 +4871,6 @@ POWERPC_FAMILY(604)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_604;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_604;
@@ -4961,9 +4952,6 @@ POWERPC_FAMILY(604E)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_604;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_604;
@@ -5032,9 +5020,6 @@ POWERPC_FAMILY(740)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_7x0;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_750;
@@ -5112,9 +5097,6 @@ POWERPC_FAMILY(750)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_7x0;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_750;
@@ -5315,9 +5297,6 @@ POWERPC_FAMILY(750cl)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_7x0;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_750;
@@ -5398,9 +5377,6 @@ POWERPC_FAMILY(750cx)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_7x0;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_750;
@@ -5486,9 +5462,6 @@ POWERPC_FAMILY(750fx)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->handle_mmu_fault = ppc_hash32_handle_mmu_fault;
-#endif
 pcc->excp_model = POWERPC_EXCP_7x0;
 pcc->bus_model = PPC_FLAGS_INPUT_6xx;
 pcc->bfd_mach = bfd_mach_ppc_750;
@@ -5574,9 +5547,6 @@ POWERPC_FAMILY(750gx)(ObjectClass *oc, void *data)
 (1ull << MSR_RI) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_32B;
-#if defined(CONFIG_SOFTMMU)
-pcc->h

[PULL 01/33] target/ppc: Introduce ppc_interrupts_little_endian()

2021-07-08 Thread David Gibson
From: Greg Kurz 

PowerPC CPUs use big endian by default but starting with POWER7,
server grade CPUs use the ILE bit of the LPCR special purpose
register to decide on the endianness to use when handling
interrupts. This gives a clue to QEMU on the endianness the
guest kernel is running, which is needed when generating an
ELF dump of the guest or when delivering an FWNMI machine
check interrupt.

Commit 382d2db62bcb ("target-ppc: Introduce callback for interrupt
endianness") added a class method to PowerPCCPUClass to model
this: the default implementation returns a fixed "big endian" value,
while POWER7 and newer do the LPCR_ILE check. This is suboptimal
as it forces us to implement the method for every new CPU family, and
it is very unlikely that this will ever be different than what we
have today.

We basically only have three cases to consider:
a) CPU doesn't have an LPCR => big endian
b) CPU has an LPCR but doesn't support the ILE bit => big endian
c) CPU has an LPCR and supports the ILE bit => little or big endian

Instead of class methods, introduce an inline helper that checks the
ILE bit in the LPCR_MASK to decide on the outcome. The new helper
words little endian instead of big endian. This allows dropping a !
operator in ppc_cpu_do_fwnmi_machine_check().

Signed-off-by: Greg Kurz 
Message-Id: <20210622140926.677618-2-gr...@kaod.org>
Reviewed-by: Fabiano Rosas 
Signed-off-by: David Gibson 
---
 target/ppc/arch_dump.c   |  8 +++-
 target/ppc/cpu.h | 15 +++
 target/ppc/excp_helper.c |  3 +--
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/target/ppc/arch_dump.c b/target/ppc/arch_dump.c
index 9210e61ef4..bb392f6d88 100644
--- a/target/ppc/arch_dump.c
+++ b/target/ppc/arch_dump.c
@@ -227,22 +227,20 @@ int cpu_get_dump_info(ArchDumpInfo *info,
   const struct GuestPhysBlockList *guest_phys_blocks)
 {
 PowerPCCPU *cpu;
-PowerPCCPUClass *pcc;
 
 if (first_cpu == NULL) {
 return -1;
 }
 
 cpu = POWERPC_CPU(first_cpu);
-pcc = POWERPC_CPU_GET_CLASS(cpu);
 
 info->d_machine = PPC_ELF_MACHINE;
 info->d_class = ELFCLASS;
 
-if ((*pcc->interrupts_big_endian)(cpu)) {
-info->d_endian = ELFDATA2MSB;
-} else {
+if (ppc_interrupts_little_endian(cpu)) {
 info->d_endian = ELFDATA2LSB;
+} else {
+info->d_endian = ELFDATA2MSB;
 }
 /* 64KB is the max page size for pseries kernel */
 if (strncmp(object_get_typename(qdev_get_machine()),
diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index b4de0db7ff..93d308ac8f 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -2643,6 +2643,21 @@ static inline bool ppc_has_spr(PowerPCCPU *cpu, int spr)
 return cpu->env.spr_cb[spr].name != NULL;
 }
 
+static inline bool ppc_interrupts_little_endian(PowerPCCPU *cpu)
+{
+PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
+
+/*
+ * Only models that have an LPCR and know about LPCR_ILE can do little
+ * endian.
+ */
+if (pcc->lpcr_mask & LPCR_ILE) {
+return !!(cpu->env.spr[SPR_LPCR] & LPCR_ILE);
+}
+
+return false;
+}
+
 void dump_mmu(CPUPPCState *env);
 
 void ppc_maybe_bswap_register(CPUPPCState *env, uint8_t *mem_buf, int len);
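Review bot: ppc_interrupts_little_endian() takes a clear LPCR_ILE bit in `pcc->lpcr_mask` to mean "no ILE support", which only holds if every family without an LPCR leaves lpcr_mask at zero. The comment above the test should state that dependency, so a family that sets lpcr_mask without modelling ILE is not silently read as supporting it.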
diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index fd147e2a37..a79a0ed465 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -1099,7 +1099,6 @@ void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, 
target_ulong vector)
 {
 PowerPCCPU *cpu = POWERPC_CPU(cs);
 CPUPPCState *env = &cpu->env;
-PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
 target_ulong msr = 0;
 
 /*
@@ -1108,7 +1107,7 @@ void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, 
target_ulong vector)
  */
 msr = (1ULL << MSR_ME);
 msr |= env->msr & (1ULL << MSR_SF);
-if (!(*pcc->interrupts_big_endian)(cpu)) {
+if (ppc_interrupts_little_endian(cpu)) {
 msr |= (1ULL << MSR_LE);
 }
 
-- 
2.31.1




[PATCH V2 2/3] hw/virtio: add vhost-user-i2c-pci boilerplate

2021-07-08 Thread Viresh Kumar
This allows us to instantiate a vhost-user-i2c device as part of a PCI
bus. It is mostly boilerplate which looks pretty similar to the
vhost-user-fs-pci device.

Reviewed-by: Alex Bennée 
Signed-off-by: Viresh Kumar 
---
 hw/virtio/meson.build  |  1 +
 hw/virtio/vhost-user-i2c-pci.c | 69 ++
 2 files changed, 70 insertions(+)
 create mode 100644 hw/virtio/vhost-user-i2c-pci.c

diff --git a/hw/virtio/meson.build b/hw/virtio/meson.build
index 1a0d736a0db5..bc352a600911 100644
--- a/hw/virtio/meson.build
+++ b/hw/virtio/meson.build
@@ -26,6 +26,7 @@ virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: 
files('virtio-rng.c'))
 virtio_ss.add(when: 'CONFIG_VIRTIO_IOMMU', if_true: files('virtio-iommu.c'))
 virtio_ss.add(when: 'CONFIG_VIRTIO_MEM', if_true: files('virtio-mem.c'))
 virtio_ss.add(when: 'CONFIG_VHOST_USER_I2C', if_true: 
files('vhost-user-i2c.c'))
+virtio_ss.add(when: ['CONFIG_VIRTIO_PCI', 'CONFIG_VHOST_USER_I2C'], if_true: 
files('vhost-user-i2c-pci.c'))
 
 virtio_pci_ss = ss.source_set()
 virtio_pci_ss.add(when: 'CONFIG_VHOST_VSOCK', if_true: 
files('vhost-vsock-pci.c'))
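Review bot: the new `vhost-user-i2c-pci.c` line is added to `virtio_ss` with a two-symbol `when:` list, while the PCI glue just below it (`vhost-vsock-pci.c`) is added to `virtio_pci_ss`. Adding it as `virtio_pci_ss.add(when: 'CONFIG_VHOST_USER_I2C', ...)` would follow the existing pattern, assuming virtio_pci_ss is already gated on CONFIG_VIRTIO_PCI.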
diff --git a/hw/virtio/vhost-user-i2c-pci.c b/hw/virtio/vhost-user-i2c-pci.c
new file mode 100644
index ..70b7b65fd970
--- /dev/null
+++ b/hw/virtio/vhost-user-i2c-pci.c
@@ -0,0 +1,69 @@
+/*
+ * Vhost-user i2c virtio device PCI glue
+ *
+ * Copyright (c) 2021 Viresh Kumar 
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "hw/qdev-properties.h"
+#include "hw/virtio/vhost-user-i2c.h"
+#include "virtio-pci.h"
+
+struct VHostUserI2CPCI {
+VirtIOPCIProxy parent_obj;
+VHostUserI2C vdev;
+};
+
+typedef struct VHostUserI2CPCI VHostUserI2CPCI;
+
+#define TYPE_VHOST_USER_I2C_PCI "vhost-user-i2c-pci-base"
+
+DECLARE_INSTANCE_CHECKER(VHostUserI2CPCI, VHOST_USER_I2C_PCI,
+ TYPE_VHOST_USER_I2C_PCI)
+
+static void vhost_user_i2c_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
+{
+VHostUserI2CPCI *dev = VHOST_USER_I2C_PCI(vpci_dev);
+DeviceState *vdev = DEVICE(&dev->vdev);
+
+vpci_dev->nvectors = 1;
+qdev_realize(vdev, BUS(&vpci_dev->bus), errp);
+}
+
+static void vhost_user_i2c_pci_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+VirtioPCIClass *k = VIRTIO_PCI_CLASS(klass);
+PCIDeviceClass *pcidev_k = PCI_DEVICE_CLASS(klass);
+k->realize = vhost_user_i2c_pci_realize;
+set_bit(DEVICE_CATEGORY_INPUT, dc->categories);
+pcidev_k->vendor_id = PCI_VENDOR_ID_REDHAT_QUMRANET;
+pcidev_k->device_id = 0; /* Set by virtio-pci based on virtio id */
+pcidev_k->revision = 0x00;
+pcidev_k->class_id = PCI_CLASS_COMMUNICATION_OTHER;
+}
+
+static void vhost_user_i2c_pci_instance_init(Object *obj)
+{
+VHostUserI2CPCI *dev = VHOST_USER_I2C_PCI(obj);
+
+virtio_instance_init_common(obj, &dev->vdev, sizeof(dev->vdev),
+TYPE_VHOST_USER_I2C);
+}
+
+static const VirtioPCIDeviceTypeInfo vhost_user_i2c_pci_info = {
+.base_name = TYPE_VHOST_USER_I2C_PCI,
+.non_transitional_name = "vhost-user-i2c-pci",
+.instance_size = sizeof(VHostUserI2CPCI),
+.instance_init = vhost_user_i2c_pci_instance_init,
+.class_init = vhost_user_i2c_pci_class_init,
+};
+
+static void vhost_user_i2c_pci_register(void)
+{
+virtio_pci_types_register(&vhost_user_i2c_pci_info);
+}
+
+type_init(vhost_user_i2c_pci_register);
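Review bot: in vhost_user_i2c_pci_class_init(), `set_bit(DEVICE_CATEGORY_INPUT, dc->categories)` files an I2C adapter under input devices, which looks carried over from another device; pick a category that fits a bus adapter or say why INPUT is intended. Separately, vhost_user_i2c_pci_realize() hard-codes `vpci_dev->nvectors = 1` and the file defines no property to override it although it includes hw/qdev-properties.h, so either add the property or drop the include and comment on why one vector is enough.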
-- 
2.31.1.272.g89b43f80a514




[PATCH V2 0/3] virtio: Add vhost-user-i2c device's support

2021-07-08 Thread Viresh Kumar
Hello,

This patchset adds vhost-user-i2c device's support in Qemu. Initially I tried to
add the backend implementation as well into Qemu, but as I was looking for a
hypervisor agnostic backend implementation, I decided to keep it outside of
Qemu. Eventually I implemented it in Rust and it works very well with this
patchset, and it is under review [1] to be merged in common rust vhost devices
crate.

The kernel virtio I2C driver [2] is fully reviewed and is ready to be merged soon.

V1->V2:
- Dropped the backend support from qemu and minor cleanups.

I2C Testing:


I didn't have access to real hardware where I can play with an I2C
client device (like RTC, eeprom, etc) to verify the working of the
backend daemon, so I decided to test it on my x86 box itself with
hierarchy of two ARM64 guests.

The first ARM64 guest was passed "-device ds1338,address=0x20" option,
so it could emulate a ds1338 RTC device, which connects to an I2C bus.
Once the guest came up, ds1338 device instance was created within the
guest kernel by doing:

  echo ds1338 0x20 > /sys/bus/i2c/devices/i2c-0/new_device

[
  Note that this may end up binding the ds1338 device to its driver,
  which won't let our i2c daemon talk to the device. For that we need to
  manually unbind the device from the driver:

  echo 0-0020 > /sys/bus/i2c/devices/0-0020/driver/unbind
]

After this is done, you will get /dev/rtc1. This is the device we wanted
to emulate, which will be accessed by the vhost-user-i2c backend daemon
via the /dev/i2c-0 file present in the guest VM.

At this point we need to start the backend daemon and give it a
socket-path to talk to from qemu (you can pass -v to it to get more
detailed messages):

  vhost-user-i2c --socket-path=vi2c.sock -l 0:32

[ Here, 0:32 is the bus/device mapping, 0 for /dev/i2c-0 and 32 (i.e.
0x20) is client address of ds1338 that we used while creating the
device. ]

Now we need to start the second level ARM64 guest (from within the first
guest) to get the i2c-virtio.c Linux driver up. The second level guest
is passed the following options to connect to the same socket:

  -chardev socket,path=vi2c.sock0,id=vi2c \
  -device vhost-user-i2c-pci,chardev=vi2c,id=i2c

Once the second level guest boots up, we will see the i2c-virtio bus at
/sys/bus/i2c/devices/i2c-X/. From there we can now make it emulate the
ds1338 device again by doing:


  echo ds1338 0x20 > /sys/bus/i2c/devices/i2c-0/new_device

[ This time we want ds1338's driver to be bound to the device, so it
should be enabled in the kernel as well. ]

And we will get /dev/rtc1 device again here in the second level guest.
Now we can play with the rtc device with help of hwclock utility and we
can see the following sequence of transfers happening if we try to
update rtc's time from system time.

hwclock -w -f /dev/rtc1 (in guest2) ->
  Reaches i2c-virtio.c (Linux bus driver in guest2) ->
transfer over virtio ->
  Reaches the qemu's vhost-i2c device emulation (running over guest1) ->
Reaches the backend daemon vhost-user-i2c started earlier (in guest1) ->
  ioctl(/dev/i2c-0, I2C_RDWR, ..); (in guest1) ->
reaches qemu's hw/rtc/ds1338.c (running over host)


SMBUS Testing:

I wasn't required to have such a tedious setup for testing out with
SMBUS devices. I was able to emulate a SMBUS device on my x86 machine
using i2c-stub driver.

$ modprobe i2c-stub chip_addr=0x20
//Boot the arm64 guest now with i2c-virtio driver and then do:
$ echo al3320a 0x20 > /sys/class/i2c-adapter/i2c-0/new_device
$ cat /sys/bus/iio/devices/iio:device0/in_illuminance_raw

That's it.

I hope I was able to give a clear picture of my test setup here :)

--
Viresh

Viresh Kumar (3):
  hw/virtio: add boilerplate for vhost-user-i2c device
  hw/virtio: add vhost-user-i2c-pci boilerplate
  MAINTAINERS: Add entry for virtio-i2c

 MAINTAINERS|   7 +
 hw/virtio/Kconfig  |   5 +
 hw/virtio/meson.build  |   2 +
 hw/virtio/vhost-user-i2c-pci.c |  69 +++
 hw/virtio/vhost-user-i2c.c | 288 +
 include/hw/virtio/vhost-user-i2c.h |  28 +++
 6 files changed, 399 insertions(+)
 create mode 100644 hw/virtio/vhost-user-i2c-pci.c
 create mode 100644 hw/virtio/vhost-user-i2c.c
 create mode 100644 include/hw/virtio/vhost-user-i2c.h

-- 
2.31.1.272.g89b43f80a514
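
The last hop of the transfer chain in the cover letter above (`ioctl(/dev/i2c-0, I2C_RDWR, ..)`), as an added example that is not code from this patchset or from the vhost-user-i2c daemon. It parses one `bus:addr` mapping of the form shown (`0:32`) and issues a register read only for the mapped client address; the function names and the use of the mapping as an allowlist are assumptions of this example.

```c
/* Added example: not QEMU code and not the vhost-user-i2c daemon's code. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/i2c.h>
#include <linux/i2c-dev.h>

/* One "bus:addr" mapping, the form used in the cover letter ("0:32"). */
struct i2c_map {
    unsigned bus;   /* N in /dev/i2c-N */
    uint16_t addr;  /* 7-bit client address */
};

/* Parse "bus:addr", both decimal. Returns 0 on success, -1 on bad input. */
int parse_map(const char *spec, struct i2c_map *out)
{
    char *end;
    unsigned long bus, addr;

    if (!spec || *spec < '0' || *spec > '9') {
        return -1;
    }
    errno = 0;
    bus = strtoul(spec, &end, 10);
    if (errno || *end != ':' || bus > 0xffff) {
        return -1;
    }
    if (end[1] < '0' || end[1] > '9') {
        return -1;
    }
    addr = strtoul(end + 1, &end, 10);
    if (errno || *end != '\0') {
        return -1;
    }
    /* 0x00-0x07 and 0x78-0x7f are reserved 7-bit addresses. */
    if (addr < 0x08 || addr > 0x77) {
        return -1;
    }
    out->bus = (unsigned)bus;
    out->addr = (uint16_t)addr;
    return 0;
}

/*
 * Build a register read as two messages: write the register pointer,
 * then read len bytes. Assumption of this example: a request for any
 * address other than the mapped one is refused before it reaches the bus.
 */
int build_reg_read(const struct i2c_map *map, uint16_t req_addr,
                   uint8_t *reg, uint8_t *buf, uint16_t len,
                   struct i2c_msg msgs[2], struct i2c_rdwr_ioctl_data *xfer)
{
    if (req_addr != map->addr || len == 0) {
        return -1;
    }
    msgs[0].addr = req_addr;
    msgs[0].flags = 0;              /* write */
    msgs[0].len = 1;
    msgs[0].buf = reg;
    msgs[1].addr = req_addr;
    msgs[1].flags = I2C_M_RD;       /* read */
    msgs[1].len = len;
    msgs[1].buf = buf;
    xfer->msgs = msgs;
    xfer->nmsgs = 2;
    return 0;
}

/* Open /dev/i2c-<bus> and run the transfer. Returns 0 on success. */
int reg_read(const struct i2c_map *map, uint16_t req_addr, uint8_t reg,
             uint8_t *buf, uint16_t len)
{
    char path[32];
    struct i2c_msg msgs[2];
    struct i2c_rdwr_ioctl_data xfer;
    int fd, ret;

    if (build_reg_read(map, req_addr, &reg, buf, len, msgs, &xfer) < 0) {
        return -1;
    }
    snprintf(path, sizeof(path), "/dev/i2c-%u", map->bus);
    fd = open(path, O_RDWR);
    if (fd < 0) {
        return -1;
    }
    ret = ioctl(fd, I2C_RDWR, &xfer);   /* returns messages transferred */
    close(fd);
    return ret == 2 ? 0 : -1;
}

int main(void)
{
    struct i2c_map map;
    uint8_t regs[7];
    size_t i;

    if (parse_map("0:32", &map) < 0 ||
        reg_read(&map, 0x20, 0x00, regs, sizeof(regs)) < 0) {
        fprintf(stderr, "register read failed\n");
        return 1;
    }
    for (i = 0; i < sizeof(regs); i++) {
        printf("%02x ", regs[i]);
    }
    putchar('\n');
    return 0;
}
```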




[PATCH V2 3/3] MAINTAINERS: Add entry for virtio-i2c

2021-07-08 Thread Viresh Kumar
This patch adds an entry for virtio-i2c related files in MAINTAINERS.

Signed-off-by: Viresh Kumar 
---
 MAINTAINERS | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 684142e12eaa..2869fb185253 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2143,6 +2143,13 @@ F: docs/interop/vhost-user-gpu.rst
 F: contrib/vhost-user-gpu
 F: hw/display/vhost-user-*
 
+vhost-user-i2c
+M: Viresh Kumar 
+S: Supported
+F: hw/virtio/vhost-user-i2c.c
+F: hw/virtio/vhost-user-i2c-pci.c
+F: include/hw/virtio/vhost-user-i2c.h
+
 Cirrus VGA
 M: Gerd Hoffmann 
 S: Odd Fixes
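Review bot: the three `F:` lines name each file individually, while the vhost-user-gpu entry just above uses a pattern (`hw/display/vhost-user-*`). `F: hw/virtio/vhost-user-i2c*` plus the header line would keep the entry valid if further files are added for this device.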
-- 
2.31.1.272.g89b43f80a514




[PATCH V2 1/3] hw/virtio: add boilerplate for vhost-user-i2c device

2021-07-08 Thread Viresh Kumar
This creates the QEMU side of the vhost-user-i2c device which connects
to the remote daemon. It is based off vhost-user-fs code.

Signed-off-by: Viresh Kumar 
---
 hw/virtio/Kconfig  |   5 +
 hw/virtio/meson.build  |   1 +
 hw/virtio/vhost-user-i2c.c | 288 +
 include/hw/virtio/vhost-user-i2c.h |  28 +++
 4 files changed, 322 insertions(+)
 create mode 100644 hw/virtio/vhost-user-i2c.c
 create mode 100644 include/hw/virtio/vhost-user-i2c.h

diff --git a/hw/virtio/Kconfig b/hw/virtio/Kconfig
index 0eda25c4e1bf..35ab45e2095c 100644
--- a/hw/virtio/Kconfig
+++ b/hw/virtio/Kconfig
@@ -58,3 +58,8 @@ config VIRTIO_MEM
 depends on LINUX
 depends on VIRTIO_MEM_SUPPORTED
 select MEM_DEVICE
+
+config VHOST_USER_I2C
+bool
+default y
+depends on VIRTIO && VHOST_USER
diff --git a/hw/virtio/meson.build b/hw/virtio/meson.build
index fbff9bc9d4de..1a0d736a0db5 100644
--- a/hw/virtio/meson.build
+++ b/hw/virtio/meson.build
@@ -25,6 +25,7 @@ virtio_ss.add(when: 'CONFIG_VHOST_USER_VSOCK', if_true: 
files('vhost-user-vsock.
 virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-rng.c'))
 virtio_ss.add(when: 'CONFIG_VIRTIO_IOMMU', if_true: files('virtio-iommu.c'))
 virtio_ss.add(when: 'CONFIG_VIRTIO_MEM', if_true: files('virtio-mem.c'))
+virtio_ss.add(when: 'CONFIG_VHOST_USER_I2C', if_true: 
files('vhost-user-i2c.c'))
 
 virtio_pci_ss = ss.source_set()
 virtio_pci_ss.add(when: 'CONFIG_VHOST_VSOCK', if_true: 
files('vhost-vsock-pci.c'))
diff --git a/hw/virtio/vhost-user-i2c.c b/hw/virtio/vhost-user-i2c.c
new file mode 100644
index ..d172632bb0cd
--- /dev/null
+++ b/hw/virtio/vhost-user-i2c.c
@@ -0,0 +1,288 @@
+/*
+ * Vhost-user i2c virtio device
+ *
+ * Copyright (c) 2021 Viresh Kumar 
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "hw/qdev-properties.h"
+#include "hw/virtio/virtio-bus.h"
+#include "hw/virtio/vhost-user-i2c.h"
+#include "qemu/error-report.h"
+#include "standard-headers/linux/virtio_ids.h"
+
+/* Remove this once the header is updated in Linux kernel */
+#ifndef VIRTIO_ID_I2C_ADAPTER
+#define VIRTIO_ID_I2C_ADAPTER34
+#endif
+
+static void vu_i2c_start(VirtIODevice *vdev)
+{
+BusState *qbus = BUS(qdev_get_parent_bus(DEVICE(vdev)));
+VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus);
+VHostUserI2C *i2c = VHOST_USER_I2C(vdev);
+int ret, i;
+
+if (!k->set_guest_notifiers) {
+error_report("binding does not support guest notifiers");
+return;
+}
+
+ret = vhost_dev_enable_notifiers(&i2c->vhost_dev, vdev);
+if (ret < 0) {
+error_report("Error enabling host notifiers: %d", -ret);
+return;
+}
+
+ret = k->set_guest_notifiers(qbus->parent, i2c->vhost_dev.nvqs, true);
+if (ret < 0) {
+error_report("Error binding guest notifier: %d", -ret);
+goto err_host_notifiers;
+}
+
+i2c->vhost_dev.acked_features = vdev->guest_features;
+
+ret = vhost_dev_start(&i2c->vhost_dev, vdev);
+if (ret < 0) {
+error_report("Error starting vhost-user-i2c: %d", -ret);
+goto err_guest_notifiers;
+}
+
+/*
+ * guest_notifier_mask/pending not used yet, so just unmask
+ * everything here. virtio-pci will do the right thing by
+ * enabling/disabling irqfd.
+ */
+for (i = 0; i < i2c->vhost_dev.nvqs; i++) {
+vhost_virtqueue_mask(&i2c->vhost_dev, vdev, i, false);
+}
+
+return;
+
+err_guest_notifiers:
+k->set_guest_notifiers(qbus->parent, i2c->vhost_dev.nvqs, false);
+err_host_notifiers:
+vhost_dev_disable_notifiers(&i2c->vhost_dev, vdev);
+}
+
+static void vu_i2c_stop(VirtIODevice *vdev)
+{
+VHostUserI2C *i2c = VHOST_USER_I2C(vdev);
+BusState *qbus = BUS(qdev_get_parent_bus(DEVICE(vdev)));
+VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus);
+int ret;
+
+if (!k->set_guest_notifiers) {
+return;
+}
+
+vhost_dev_stop(&i2c->vhost_dev, vdev);
+
+ret = k->set_guest_notifiers(qbus->parent, i2c->vhost_dev.nvqs, false);
+if (ret < 0) {
+error_report("vhost guest notifier cleanup failed: %d", ret);
+return;
+}
+
+vhost_dev_disable_notifiers(&i2c->vhost_dev, vdev);
+}
+
+static void vu_i2c_set_status(VirtIODevice *vdev, uint8_t status)
+{
+VHostUserI2C *i2c = VHOST_USER_I2C(vdev);
+bool should_start = status & VIRTIO_CONFIG_S_DRIVER_OK;
+
+if (!vdev->vm_running) {
+should_start = false;
+}
+
+if (i2c->vhost_dev.started == should_start) {
+return;
+}
+
+if (should_start) {
+vu_i2c_start(vdev);
+} else {
+vu_i2c_stop(vdev);
+}
+}
+
+static uint64_t vu_i2c_get_features(VirtIODevice *vdev,
+uint64_t requested_features, Error **errp)
+{
+/* No feature bits used yet */
+return requested_features;
+}
+
+static void vu_i2c_handle_output(VirtIOD
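
Review bot: in vu_i2c_stop(), the early return taken when set_guest_notifiers() fails skips vhost_dev_disable_notifiers(), so the host notifiers enabled in vu_i2c_start() stay enabled after a failed stop. Consider reporting the error and still falling through to the disable call. That message also prints ret where every message in vu_i2c_start() prints -ret, so the sign of the reported code differs between the two paths. Separately, vu_i2c_start() returns void, so vu_i2c_set_status() has no way to learn that a start failed.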

[Bug 1741718] Re: qemu-system-sparc64: "panic[cpu0]/thread=180e000: lgrp_traverse: No memory blocks found" with tribblix-sparc-0m16.iso

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1741718

Title:
  qemu-system-sparc64: "panic[cpu0]/thread=180e000: lgrp_traverse: No
  memory blocks found" with tribblix-sparc-0m16.iso

Status in QEMU:
  Expired

Bug description:
  qemu-system-sparc64 Niagara VM running Tribblix crashes with
  "panic[cpu0]/thread=180e000: lgrp_traverse: No memory blocks found" on
  QEMU 2.11.0. Happens also with 1 GB, 4 GB, and 8 GB of RAM.

  $ qemu-system-sparc64 -nographic -M niagara -L /home/newman/Downloads/OpenSPARCT1_Arch.1.5/S10image/ -drive if=pflash,readonly=on,file=/home/newman/Downloads/tribblix-sparc-0m16.iso -m 2048
  cpu Probing I/O buses

  
  Sun Fire T2000, No Keyboard
  Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  OpenBoot 4.20.0, 256 MB memory available, Serial #1122867.
  [mo23723 obp4.20.0 #0]
  Ethernet address 0:80:3:de:ad:3, Host ID: 80112233.


  ok boot
  Boot device: vdisk  File and args: 
  hsfs-file-system 
  Loading: /platform/sun4v/boot_archive
  ramdisk-root ufs-file-system 
  Loading: /platform/sun4v/kernel/sparcv9/unix
  \
  panic[cpu0]/thread=180e000: lgrp_traverse: No memory blocks found

  Warning - stack not written to the dumpbuf
  0180b710 unix:lgrp_traverse+120 (fff32000, 10d5f30, 2000, 7efefeff, 
81010100, ff00)
%l0-3: 01876c00  010d6c00 
%l4-7: 80008f000740 80008fc54750 f0254cc4 010dedd0
  0180b800 unix:plat_lgrp_init+14 (4, 180e000, 4, 0, 180b950, 1)
%l0-3: fff32000 fff340e0 fff34590 010d5f28
%l4-7: 0016  0016 0011
  0180b8b0 unix:lgrp_plat_init+74 (0, 0, 0, 180ba08, 180ba00, 91)
%l0-3: 2000 fff34000 01874c00 01874c00
%l4-7:  01874c00 0180b950 010de048
  0180b960 unix:lgrp_init+4 (0, 2000, 70002000, 0, 180c0e8, 0)
%l0-3: 0180e380 0183c678 0180ba08 010d4f90
%l4-7: 010d4fa0 010d1c00 4000 80001070
  0180ba10 unix:mlsetup+2f4 (180bb80, 180bec0, 0, 0, f025496c, 0)
%l0-3: 018ee000 70002000 70002000 0180bad0
%l4-7: 0190c4d8 0001001f56e0  80001070

  
  ERROR: Last Trap: Level 14 Interrupt
  [Exception handlers interrupted, please file a bug]
  [type 'resume' to attempt a normal recovery]

  
  Without "if=pflash" VM hangs:

  $ qemu-system-sparc64 -nographic -M niagara -L /home/newman/Downloads/OpenSPARCT1_Arch.1.5/S10image/ -drive readonly=on,file=/home/newman/Downloads/tribblix-sparc-0m16.iso -m 4096
  cpu Probing I/O buses

  
  Sun Fire T2000, No Keyboard
  Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
  OpenBoot 4.20.0, 256 MB memory available, Serial #1122867.
  [mo23723 obp4.20.0 #0]
  Ethernet address 0:80:3:de:ad:3, Host ID: 80112233.


  ok boot
  Boot device: vdisk  File and args: 
  qemu: fatal: Trap 0x0032 while trap level (6) >= MAXTL (6), Error state

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/17417

Re: [PATCH] hw/riscv: sifive_u: Make sure firmware info is 8-byte aligned

2021-07-08 Thread Alistair Francis
On Fri, Jul 9, 2021 at 12:33 AM Bin Meng  wrote:
>
> Currently the firmware dynamic info (fw_dyn) is put right after
> the reset vector, which is not 8-byte aligned on RV64. OpenSBI
> fw_dynamic uses ld to read contents from 'struct fw_dynamic_info',
> which expects fw_dyn to be on the 8-byte boundary, otherwise the
> misaligned load exception may happen. Fortunately this does not
> cause any issue on QEMU, as QEMU does support misaligned load.
>
> RV32 does not have any issue as it is 4-byte aligned already.
> Change to make sure it is 8-byte aligned which works for both
> RV32 and RV64.
>
> Signed-off-by: Bin Meng 

Thanks!

Applied to riscv-to-apply.next

Alistair

> ---
>
>  hw/riscv/sifive_u.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
> index 273c86418c..4d99566e62 100644
> --- a/hw/riscv/sifive_u.c
> +++ b/hw/riscv/sifive_u.c
> @@ -599,10 +599,10 @@ static void sifive_u_machine_init(MachineState *machine)
>  }
>
>  /* reset vector */
> -uint32_t reset_vec[11] = {
> +uint32_t reset_vec[12] = {
>  s->msel,   /* MSEL pin state */
>  0x0297,/* 1:  auipc  t0, %pcrel_hi(fw_dyn) */
> -0x02828613,/* addi   a2, t0, %pcrel_lo(1b) */
> +0x02c28613,/* addi   a2, t0, %pcrel_lo(1b) */
>  0xf1402573,/* csrr   a0, mhartid  */
>  0,
>  0,
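
Review bot: the addi immediate in the changed word (0x028 to 0x02c) is hand-encoded and is only correct because reset_vec grows from 11 to 12 words in the same hunk; nothing in the code ties the two together. A comment stating that the offset is the distance from the auipc to the end of the array, or a build-time check that sizeof(reset_vec) is a multiple of 8, would keep the next edit to this array from silently pointing a2 at the wrong place. The 8-byte alignment also depends on the address the vector is loaded at being 8-byte aligned, which these lines do not show.
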
> @@ -610,6 +610,7 @@ static void sifive_u_machine_init(MachineState *machine)
>  start_addr,/* start: .dword */
>  start_addr_hi32,
>  fdt_load_addr, /* fdt_laddr: .dword */
> +0x,
>  0x,
> /* fw_dyn: */
>  };
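
Review bot: the word added before the fw_dyn label carries no comment, so a reader cannot tell which of the two zero words is the upper half of the fdt_laddr .dword and which is alignment padding. Suggest marking the new one, for example with /* pad: keep fw_dyn 8-byte aligned */.
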
> --
> 2.25.1
>
>
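
The alignment argument in the commit message above can be checked mechanically. The following C sketch is an added example, not code from the patch or from QEMU: it decodes the auipc/addi pair of the old and new reset vectors and tests whether the address handed over in a2 is the end of the array and 8-byte aligned. RESET_VEC_BASE is an assumed, 8-byte-aligned load address and all helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the reset vector is loaded at an 8-byte-aligned address. */
#define RESET_VEC_BASE 0x1000u

/* Sign-extended 12-bit immediate of an I-type instruction (addi). */
static int32_t itype_imm(uint32_t insn)
{
    int32_t imm = (int32_t)((insn >> 20) & 0xfffu);
    return (imm & 0x800) ? imm - 0x1000 : imm;
}

/* Upper-20-bit immediate of a U-type instruction (auipc), already in place. */
static uint32_t utype_imm(uint32_t insn)
{
    return insn & 0xfffff000u;
}

/*
 * Address produced by the auipc/addi pair whose auipc sits at word index
 * auipc_idx: auipc yields pc + hi20, addi adds the signed low 12 bits.
 */
static uint32_t pcrel_target(const uint32_t *vec, size_t auipc_idx)
{
    uint32_t pc = RESET_VEC_BASE + (uint32_t)(auipc_idx * sizeof(uint32_t));
    return pc + utype_imm(vec[auipc_idx])
              + (uint32_t)itype_imm(vec[auipc_idx + 1]);
}

/* fw_dyn is placed directly after an nwords-long reset vector. */
static uint32_t fw_dyn_addr(size_t nwords)
{
    return RESET_VEC_BASE + (uint32_t)(nwords * sizeof(uint32_t));
}

/* 1 when a2 points at fw_dyn and fw_dyn is 8-byte aligned, else 0. */
static int layout_ok(const uint32_t *vec, size_t nwords)
{
    uint32_t target = pcrel_target(vec, 1);
    return target == fw_dyn_addr(nwords) && target % 8 == 0;
}

/*
 * Constructed vectors: word 0 stands in for the MSEL pin state, word 1 is
 * auipc t0, 0 and word 2 is the addi from the diff. The remaining words do
 * not affect the address computation and are left zero.
 */
static const uint32_t old_vec[11] = { 0, 0x00000297, 0x02828613, 0xf1402573 };
static const uint32_t new_vec[12] = { 0, 0x00000297, 0x02c28613, 0xf1402573 };

int main(void)
{
    printf("old: a2=0x%x aligned_ok=%d\n",
           (unsigned)pcrel_target(old_vec, 1), layout_ok(old_vec, 11));
    printf("new: a2=0x%x aligned_ok=%d\n",
           (unsigned)pcrel_target(new_vec, 1), layout_ok(new_vec, 12));
    return 0;
}
```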



[PATCH 14/17] target/riscv: Tidy trans_rvh.c.inc

2021-07-08 Thread Richard Henderson
Exit early if check_access fails.
Split out do_hlv, do_hsv, do_hlvx subroutines.
Use gpr_src, gpr_dst in the new subroutines.

Signed-off-by: Richard Henderson 
---
 target/riscv/insn32.decode  |   1 +
 target/riscv/insn_trans/trans_rvh.c.inc | 264 +---
 2 files changed, 55 insertions(+), 210 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index f09f8d5faf..2cd921d51c 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -42,6 +42,7 @@
 &jimm rd
 &rrd rs1 rs2
 &r2   rd rs1
+&r2_s rs1 rs2
 &simm rs1 rs2
 &uimm rd
 &shift shamt rs1 rd
diff --git a/target/riscv/insn_trans/trans_rvh.c.inc 
b/target/riscv/insn_trans/trans_rvh.c.inc
index 6b5edf82b7..dac732024b 100644
--- a/target/riscv/insn_trans/trans_rvh.c.inc
+++ b/target/riscv/insn_trans/trans_rvh.c.inc
@@ -17,281 +17,137 @@
  */
 
 #ifndef CONFIG_USER_ONLY
-static void check_access(DisasContext *ctx) {
+static bool check_access(DisasContext *ctx)
+{
 if (!ctx->hlsx) {
 if (ctx->virt_enabled) {
 generate_exception(ctx, RISCV_EXCP_VIRT_INSTRUCTION_FAULT);
 } else {
 generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
 }
+return false;
 }
+return true;
 }
 #endif
 
+static bool do_hlv(DisasContext *ctx, arg_r2 *a, MemOp mop)
+{
+#ifdef CONFIG_USER_ONLY
+return false;
+#else
+if (check_access(ctx)) {
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv addr = gpr_src(ctx, a->rs1);
+int mem_idx = ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
+tcg_gen_qemu_ld_tl(dest, addr, mem_idx, mop);
+}
+return true;
+#endif
+}
+
 static bool trans_hlv_b(DisasContext *ctx, arg_hlv_b *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
-
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_SB);
-gen_set_gpr(a->rd, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-return true;
-#else
-return false;
-#endif
+return do_hlv(ctx, a, MO_SB);
 }
 
 static bool trans_hlv_h(DisasContext *ctx, arg_hlv_h *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
-
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_TESW);
-gen_set_gpr(a->rd, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-return true;
-#else
-return false;
-#endif
+return do_hlv(ctx, a, MO_TESW);
 }
 
 static bool trans_hlv_w(DisasContext *ctx, arg_hlv_w *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
-
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_TESL);
-gen_set_gpr(a->rd, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-return true;
-#else
-return false;
-#endif
+return do_hlv(ctx, a, MO_TESL);
 }
 
 static bool trans_hlv_bu(DisasContext *ctx, arg_hlv_bu *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
-
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_UB);
-gen_set_gpr(a->rd, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-return true;
-#else
-return false;
-#endif
+return do_hlv(ctx, a, MO_UB);
 }
 
 static bool trans_hlv_hu(DisasContext *ctx, arg_hlv_hu *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
+return do_hlv(ctx, a, MO_TEUW);
+}
 
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_TEUW);
-gen_set_gpr(a->rd, t1);
-
-tcg_temp_free(t0);
-tcg_temp_free(t1);
-return true;
-#else
+static bool do_hsv(DisasContext *ctx, arg_r2_s *a, MemOp mop)
+{
+#ifdef CONFIG_USER_ONLY
 return false;
+#else
+if (check_access(ctx)) {
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv data = gpr_src(ctx, a->rs2);
+int mem_idx = ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK;
+tcg_gen_qemu_ld_tl(data, addr, mem_idx, mop);
+}
+return true;
 #endif
 }
 
 static bool trans_hsv_b(DisasContext *ctx, arg_hsv_b *a)
 {
 REQUIRE_EXT(ctx, RVH);
-#ifndef CONFIG_USER_ONLY
-TCGv t0 = tcg_temp_new();
-TCGv dat = tcg_temp_new();
-
-check_access(ctx);
-
-gen_get_gpr(t0, a->rs1);
-gen_get_gpr(dat, a->rs2);
-
-tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx | TB_FLAGS_PRIV_HYP_ACCESS_MASK, 
MO_SB);
-
-tcg_temp_free(t0);
-tcg_temp_free(dat);
-return true;
-#else
-return fa
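
Review bot: do_hsv() emits tcg_gen_qemu_ld_tl(data, addr, mem_idx, mop), but the trans_hsv_b body it replaces called tcg_gen_qemu_st_tl(dat, t0, ...). As written, every hypervisor store would generate a load that overwrites the rs2 value obtained from gpr_src() and never writes guest memory. This looks like a copy from do_hlv(); the call should be tcg_gen_qemu_st_tl(data, addr, mem_idx, mop).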

[Bug 1895602] Re: older OS's do not detect CD change

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1895602

Title:
  older OS's do not detect CD change

Status in QEMU:
  Expired

Bug description:
  There are at least two older operating systems, being FreeBSD 2.2 and
  FreeDOS 1.2, that misbehave when the change command is used on the IDE
  CD drive, and work fine on a real machine.  In both cases, changing
  the CD causes the guest to either refuse to read the disc or appear to
  read bad data, and in both cases the guest read the disc without issue
  after a system_reset.

  A HD image that demonstrates this behavior can be produced if
  necessary, however the FreeDOS 1.2 CD can be booted directly and used
  to test:

  http://freedos.org/download/download/FD12CD.iso

  (choose install then abort and you get a prompt in which you can type
  "dir D:", say)

  note, running eject before the change command does nothing to help.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1895602/+subscriptions



[Bug 1839807] Re: Snapshots freeze guest Sabrelite IMX.6 board

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1839807

Title:
  Snapshots freeze guest Sabrelite IMX.6 board

Status in QEMU:
  Expired

Bug description:
  Hello,

  I'm trying to take and restore a snapshot with the whole system state of the
  Sabrelite IMX.6 board running on QEMU with commands savevm/loadvm.
  It seems that I am able to take a snapshot but loading the snapshot fails.

  For comparison I checked out snapshots on 32bit ARM Virt with Debian as well
  as on the Versatilepb board with a bare metal application and it works fine.
  The problem occurs only with that one particular board.

  My environment is:
  Ubuntu 18.04
  QEMU 3.0.1 (I see the same issue in QEMU 4.0.0 as well)
  The kernel and device tree used for the board was 5.1.14 version from
  kernel.org

  The file system was built from imx_v6_v7_defconfig config in buildroot
  as an sd card image.

  Problem:

  Loading snapshot stops the whole machine and it's impossible to resume
  it.

  Steps to reproduce problem:

  1.  I converted the sdcard.img built from the buildroot to qcow2
  using command qemu-img convert -f raw -O qcow2 sdcard.img
  sdcard.qcow2, since the raw doesn't support snapshots.

  2.  I start QEMU with a command
  ./arm-softmmu/qemu-system-arm -m 512 -M sabrelite -kernel zImage -append "rootfstype=ext4 root=/dev/mmcblk2p2 rw rootwait" -rtc base=localtime,clock=vm -dtb imx6dl-sabresd.dtb -drive file=sdcard.qcow2,index=2,format=qcow2,id=mycard -device sd-card,drive=mycard -nographic -net nic -net user

  3.  I run a simple program which prints characters to the console
  in the background and add some files in user directory, to differ from
  original image.

  4.  I switch to QEMU monitor, and type “savevm ”.
  When I type “info snapshots”, the snapshot is listed.
  So I assume it was saved correctly.

  5.  Then I switch back to Linux console from monitor, remove the
  added files and stop the background printing process.

  6.  I switch back to monitor and I'm trying now to load the
  snapshot by “loadvm ” command.

  That’s where the problem occurs. QEMU stops and I can't switch back from
  monitor to Linux.
  Typing “cont” doesn’t help.
  It seems like the simulation has frozen. CPU usage on my Laptop machine
  equals 100% until I exit QEMU.

  What’s interesting when I exit the QEMU and then start it again the Linux
  boots and after it reaches the command prompt I can see the files which were
  removed after saving the snapshot.

  It looks like loading the snapshots works for restoring disk space but
  it fails for restoring the running processes.

  Due to the answer on QEMU mailing list
  (https://lists.nongnu.org/archive/html/qemu-discuss/2019-08/msg00016.html)
  it is QEMU's bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1839807/+subscriptions



[PATCH 12/17] target/riscv: Use gpr_{src,dst} for RVF

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvf.c.inc | 131 +---
 1 file changed, 49 insertions(+), 82 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvf.c.inc 
b/target/riscv/insn_trans/trans_rvf.c.inc
index 89f78701e7..ff8e942199 100644
--- a/target/riscv/insn_trans/trans_rvf.c.inc
+++ b/target/riscv/insn_trans/trans_rvf.c.inc
@@ -27,14 +27,23 @@ static bool trans_flw(DisasContext *ctx, arg_flw *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-tcg_gen_addi_tl(t0, t0, a->imm);
 
-tcg_gen_qemu_ld_i64(cpu_fpr[a->rd], t0, ctx->mem_idx, MO_TEUL);
-gen_nanbox_s(cpu_fpr[a->rd], cpu_fpr[a->rd]);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv temp = NULL;
 
-tcg_temp_free(t0);
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
+
+TCGv_i64 dest = cpu_fpr[a->rd];
+tcg_gen_qemu_ld_i64(dest, addr, ctx->mem_idx, MO_TEUL);
+gen_nanbox_s(dest, dest);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 mark_fs_dirty(ctx);
 return true;
 }
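
Review bot: the conditional-temp address computation added to trans_flw (if (a->imm) { temp = tcg_temp_new(); ... addr = temp; } plus the later if (temp) free) is repeated line for line in trans_fsw in the next hunk. A small helper that returns the effective address would remove the duplicate and the paired cleanup. TCGv_i64 dest is also declared in the middle of the block after executable statements; moving it up beside addr and temp would keep the declarations together.
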
@@ -43,14 +52,21 @@ static bool trans_fsw(DisasContext *ctx, arg_fsw *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
 
-tcg_gen_addi_tl(t0, t0, a->imm);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv temp = NULL;
 
-tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], t0, ctx->mem_idx, MO_TEUL);
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
 
-tcg_temp_free(t0);
+tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], addr, ctx->mem_idx, MO_TEUL);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 return true;
 }
 
@@ -271,12 +287,8 @@ static bool trans_fcvt_w_s(DisasContext *ctx, arg_fcvt_w_s 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
 
-TCGv t0 = tcg_temp_new();
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_w_s(t0, cpu_env, cpu_fpr[a->rs1]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fcvt_w_s(gpr_dst(ctx, a->rd), cpu_env, cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -285,12 +297,8 @@ static bool trans_fcvt_wu_s(DisasContext *ctx, 
arg_fcvt_wu_s *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
 
-TCGv t0 = tcg_temp_new();
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_wu_s(t0, cpu_env, cpu_fpr[a->rs1]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fcvt_wu_s(gpr_dst(ctx, a->rd), cpu_env, cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -300,17 +308,14 @@ static bool trans_fmv_x_w(DisasContext *ctx, arg_fmv_x_w 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
 
-TCGv t0 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
 
 #if defined(TARGET_RISCV64)
-tcg_gen_ext32s_tl(t0, cpu_fpr[a->rs1]);
+tcg_gen_ext32s_tl(dest, cpu_fpr[a->rs1]);
 #else
-tcg_gen_extrl_i64_i32(t0, cpu_fpr[a->rs1]);
+tcg_gen_extrl_i64_i32(dest, cpu_fpr[a->rs1]);
 #endif
 
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
 return true;
 }
 
@@ -318,10 +323,9 @@ static bool trans_feq_s(DisasContext *ctx, arg_feq_s *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
-TCGv t0 = tcg_temp_new();
-gen_helper_feq_s(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
+
+gen_helper_feq_s(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -329,10 +333,9 @@ static bool trans_flt_s(DisasContext *ctx, arg_flt_s *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
-TCGv t0 = tcg_temp_new();
-gen_helper_flt_s(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
+
+gen_helper_flt_s(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -340,10 +343,9 @@ static bool trans_fle_s(DisasContext *ctx, arg_fle_s *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
-TCGv t0 = tcg_temp_new();
-gen_helper_fle_s(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
+
+gen_helper_fle_s(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -352,13 +354,7 @@ static bool trans_fclass_s(DisasContext *ctx, arg_fclass_s 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
 
-TCGv t0 = tcg_temp_new();
-
-gen_helper_fclass_s(t0, cpu_fpr[a->rs1]);
-
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fclass_s(gpr_dst(ctx, a->rd), cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -367,15 +363,10 @@ static bool trans_fcvt_s_w(DisasContext *ctx, 
arg_fcvt_s_w *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVF);
 
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-
 gen_set_rm(ctx, a->rm);
-gen_hel

[PATCH 05/17] target/riscv: Use gpr_{src, dst} and tcg_constant_tl in gen_grevi

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 7dedfd548b..6ad40e43b0 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -620,23 +620,16 @@ static void gen_sro(TCGv ret, TCGv arg1, TCGv arg2)
 
 static bool gen_grevi(DisasContext *ctx, arg_grevi *a)
 {
-TCGv source1 = tcg_temp_new();
-TCGv source2;
-
-gen_get_gpr(source1, a->rs1);
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
 
 if (a->shamt == (TARGET_LONG_BITS - 8)) {
 /* rev8, byte swaps */
-tcg_gen_bswap_tl(source1, source1);
+tcg_gen_bswap_tl(dest, src1);
 } else {
-source2 = tcg_temp_new();
-tcg_gen_movi_tl(source2, a->shamt);
-gen_helper_grev(source1, source1, source2);
-tcg_temp_free(source2);
+TCGv src2 = tcg_constant_tl(a->shamt);
+gen_helper_grev(dest, src1, src2);
 }
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
 return true;
 }
 
-- 
2.25.1




[Bug 1849894] Re: hw/scsi/scsi-disk.c line 2554 allocation overflow

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1849894

Title:
  hw/scsi/scsi-disk.c line 2554 allocation overflow

Status in QEMU:
  Expired

Bug description:
  When compiling qemu from git master (at commit
  03bf012e523ecdf047ac56b2057950247256064d ) on Linux amd64, with gcc-9
  9.2.1 , and using `-march=native -flto`, during linking of most target
  binaries, compiler does detect an issue with allocation in
  scsi_disk_new_request_dump and aborts compilation.

  
  make[1]: Entering directory '/home/user/qemu/slirp'
  make[1]: Nothing to be done for 'all'.
  make[1]: Leaving directory '/home/user/qemu/slirp'
  nm: stats64.o: no symbols
    LINK    aarch64-softmmu/qemu-system-aarch64
  In function ‘scsi_disk_new_request_dump’,
  inlined from ‘scsi_new_request’ at hw/scsi/scsi-disk.c:2580:9,
  inlined from ‘scsi_new_request’ at hw/scsi/scsi-disk.c:2564:21:
  hw/scsi/scsi-disk.c:2554:19: error: argument 1 value ‘18446744073709551612’ exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
  hw/scsi/scsi-disk.c: In function ‘scsi_new_request’:
  /usr/include/glib-2.0/glib/gmem.h:78:10: note: in a call to allocation function ‘g_malloc’ declared here
     78 | gpointer g_malloc (gsize  n_bytes) G_GNUC_MALLOC G_GNUC_ALLOC_SIZE(1);
        |          ^
  lto1: all warnings being treated as errors
  lto-wrapper: fatal error: c++ returned 1 exit status
  compilation terminated.
  /usr/bin/ld: error: lto-wrapper failed
  collect2: error: ld returned 1 exit status


  same happens for most other targets: alpha-softmmu/qemu-system-alpha
  arm-softmmu/qemu-system-arm hppa-softmmu/qemu-system-hppa
  i386-softmmu/qemu-system-i386 lm32-softmmu/qemu-system-lm32
  mips-softmmu/qemu-system-mips mips64-softmmu/qemu-system-mips64
  mips64el-softmmu/qemu-system-mips64el mipsel-softmmu/qemu-system-mipsel
  ppc-softmmu/qemu-system-ppc ppc64-softmmu/qemu-system-ppc64
  riscv32-softmmu/qemu-system-riscv32 riscv64-softmmu/qemu-system-riscv64
  s390x-softmmu/qemu-system-s390x sh4-softmmu/qemu-system-sh4
  sh4eb-softmmu/qemu-system-sh4eb sparc-softmmu/qemu-system-sparc
  sparc64-softmmu/qemu-system-sparc64 x86_64-softmmu/qemu-system-x86_64
  xtensa-softmmu/qemu-system-xtensa xtensaeb-softmmu/qemu-system-xtensaeb

  Notice -softmmu being a common factor here.


  The size of the allocation for the temporary buffer for dumping using
  snprintf is determined based on the size of the buffer via call to
  scsi_cdb_length. I believe the heavy inlining and constant propagation
  makes scsi_cdb_length return -1, so len = -1. Then allocation size is
  5*len + 1, or -4. Which overflows to 2^64 - 4 or so.

  The case of len==-1 from scsi_cdb_length happens if the (buf[0] >> 5)
  is not 0, 1, 2, 4 or 5.

  However, I can't find out how gcc figures out that buf[0] is not one
  of these variables. To me looking at this function, compiler should
  not know anything about buf[0].

  I tried following the chain of calls back, including devirtualize
  alloc_req, and I found scsi_device_alloc_req calling these alloc_req
  callbacks, but it is itself called from scsi_req_new, which is called
  in  get_scsi_requests , just after buf is filled from QEMUFile using
  qemu_get_buffer, which ultimately goes even further into read paths,
  which there might be many AFAIK.


  
  glib2 version 2.62.1-1

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1849894/+subscriptions
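
The arithmetic the reporter walks through can be reproduced in isolation. This C sketch is an added example, not QEMU's code: cdb_length_model and the dump helpers are hypothetical stand-ins built from the description above (the group lengths are the standard SCSI CDB group sizes, and the " 0x%02x" format is an assumption chosen to match 5 characters per CDB byte). It shows the unchecked size next to a variant that rejects an unknown length before allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the length lookup described in the report: the top three bits
 * of the opcode select the CDB group. Groups 0, 1, 2, 4 and 5 have a fixed
 * length; any other group yields -1.
 */
static int cdb_length_model(const uint8_t *buf)
{
    switch (buf[0] >> 5) {
    case 0:
        return 6;
    case 1:
    case 2:
        return 10;
    case 4:
        return 16;
    case 5:
        return 12;
    default:
        return -1;
    }
}

/* Size as described in the report: 5 * len + 1 with no check on len. */
static size_t dump_size_unchecked(int len)
{
    /* len == -1 gives -4, which converts to SIZE_MAX - 3. */
    return (size_t)(5 * len + 1);
}

/* Hardened form: refuse unknown lengths before any size is computed. */
static int dump_size_checked(int len, size_t *out)
{
    if (len <= 0) {
        return -1;
    }
    *out = (size_t)len * 5 + 1;
    return 0;
}

/*
 * Hex dump of a CDB into a newly allocated string. Returns NULL when the
 * length is unknown, the buffer is shorter than the CDB, or malloc fails.
 * The caller frees the result.
 */
static char *cdb_dump(const uint8_t *buf, size_t buf_len)
{
    size_t size;
    int len;
    char *line, *p;

    if (buf_len == 0) {
        return NULL;
    }
    len = cdb_length_model(buf);
    if (dump_size_checked(len, &size) != 0 || (size_t)len > buf_len) {
        return NULL;
    }
    line = malloc(size);
    if (!line) {
        return NULL;
    }
    p = line;
    for (int i = 0; i < len; i++) {
        p += snprintf(p, size - (size_t)(p - line), " 0x%02x", buf[i]);
    }
    return line;
}

int main(void)
{
    /* Constructed inputs: a READ(10) opcode and a group 6 opcode. */
    uint8_t read10[10] = { 0x28 };
    uint8_t group6[1] = { 0xc0 };
    char *line = cdb_dump(read10, sizeof(read10));

    printf("unchecked size for len=-1: %zu\n", dump_size_unchecked(-1));
    printf("READ(10) dump:%s (%zu chars)\n", line, strlen(line));
    printf("group 6 dump: %s\n",
           cdb_dump(group6, sizeof(group6)) ? "allocated" : "rejected");
    free(line);
    return 0;
}
```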



[PATCH 17/17] target/riscv: Remove gen_get_gpr

2021-07-08 Thread Richard Henderson
This function is now unused.
The corresponding gen_set_gpr function is still in use.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 8ff75a5798..a6c850e9d3 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -195,15 +195,6 @@ static void gen_goto_tb(DisasContext *ctx, int n, 
target_ulong dest)
 /* Wrapper for getting reg values - need to check of reg is zero since
  * cpu_gpr[0] is not actually allocated
  */
-static inline void gen_get_gpr(TCGv t, int reg_num)
-{
-if (reg_num == 0) {
-tcg_gen_movi_tl(t, 0);
-} else {
-tcg_gen_mov_tl(t, cpu_gpr[reg_num]);
-}
-}
-
 static TCGv gpr_src(DisasContext *ctx, int reg_num)
 {
 if (reg_num == 0) {
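
Review bot: the comment left in place at the top of this hunk ("Wrapper for getting reg values - need to check of reg is zero ...") now documents gpr_src rather than the removed function. While touching this spot, fix "check of reg" to "check if reg" and give the comment the same block layout the second hunk introduces in riscv_translate_init().
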
@@ -1046,9 +1037,11 @@ void riscv_translate_init(void)
 {
 int i;
 
-/* cpu_gpr[0] is a placeholder for the zero register. Do not use it. */
-/* Use the gen_set_gpr and gen_get_gpr helper functions when accessing */
-/* registers, unless you specifically block reads/writes to reg 0 */
+/*
+ * cpu_gpr[0] is a placeholder for the zero register. Do not use it.
+ * Use the gpr_src and gpr_dst helper functions when accessing regs,
+ * unless you specifically block reads/writes to reg 0.
+ */
 cpu_gpr[0] = NULL;
 
 for (i = 1; i < 32; i++) {
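
Review bot: the rewritten comment in riscv_translate_init() names only gpr_src and gpr_dst, while the commit message states that gen_set_gpr is still in use. Either mention gen_set_gpr here or say that new code should not use it, so the comment matches the tree after this patch.
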
-- 
2.25.1




[PATCH 09/17] target/riscv: Reorg csr instructions

2021-07-08 Thread Richard Henderson
Introduce csrr and csrw helpers, for read-only and write-only insns.

Note that we do not properly implement this in riscv_csrrw, in that
we cannot distinguish true read-only (rs1 == 0) from any other zero
write_mask another source register -- this should still raise an
exception for read-only registers.

Only issue gen_io_start for CF_USE_ICOUNT.
Use ctx->zero for csrrc.

Signed-off-by: Richard Henderson 
---
 target/riscv/helper.h   |   6 +-
 target/riscv/op_helper.c|  18 +--
 target/riscv/insn_trans/trans_rvi.c.inc | 170 +---
 3 files changed, 129 insertions(+), 65 deletions(-)

diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index 415e37bc37..460eee9988 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -65,9 +65,9 @@ DEF_HELPER_FLAGS_2(gorc, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(gorcw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 
 /* Special functions */
-DEF_HELPER_3(csrrw, tl, env, tl, tl)
-DEF_HELPER_4(csrrs, tl, env, tl, tl, tl)
-DEF_HELPER_4(csrrc, tl, env, tl, tl, tl)
+DEF_HELPER_2(csrr, tl, env, int)
+DEF_HELPER_3(csrw, void, env, int, tl)
+DEF_HELPER_4(csrrw, tl, env, int, tl, tl)
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_2(sret, tl, env, tl)
 DEF_HELPER_2(mret, tl, env, tl)
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index 3c48e739ac..ee7c24efe7 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -37,11 +37,10 @@ void helper_raise_exception(CPURISCVState *env, uint32_t 
exception)
 riscv_raise_exception(env, exception, 0);
 }
 
-target_ulong helper_csrrw(CPURISCVState *env, target_ulong src,
-target_ulong csr)
+target_ulong helper_csrr(CPURISCVState *env, int csr)
 {
 target_ulong val = 0;
-RISCVException ret = riscv_csrrw(env, csr, &val, src, -1);
+RISCVException ret = riscv_csrrw(env, csr, &val, 0, 0);
 
 if (ret != RISCV_EXCP_NONE) {
 riscv_raise_exception(env, ret, GETPC());
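
Review bot: helper_csrr() passes 0, 0 as the last two arguments of riscv_csrrw(), and the commit message itself says riscv_csrrw cannot tell a true read-only access from any other zero write mask. That limitation is recorded only in the commit message; a short comment or TODO at this call would keep it visible to whoever next touches the read-only path.
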
@@ -49,23 +48,20 @@ target_ulong helper_csrrw(CPURISCVState *env, target_ulong 
src,
 return val;
 }
 
-target_ulong helper_csrrs(CPURISCVState *env, target_ulong src,
-target_ulong csr, target_ulong rs1_pass)
+void helper_csrw(CPURISCVState *env, int csr, target_ulong src)
 {
-target_ulong val = 0;
-RISCVException ret = riscv_csrrw(env, csr, &val, -1, rs1_pass ? src : 0);
+RISCVException ret = riscv_csrrw(env, csr, NULL, src, -1);
 
 if (ret != RISCV_EXCP_NONE) {
 riscv_raise_exception(env, ret, GETPC());
 }
-return val;
 }
 
-target_ulong helper_csrrc(CPURISCVState *env, target_ulong src,
-target_ulong csr, target_ulong rs1_pass)
+target_ulong helper_csrrw(CPURISCVState *env, int csr,
+  target_ulong src, target_ulong write_mask)
 {
 target_ulong val = 0;
-RISCVException ret = riscv_csrrw(env, csr, &val, 0, rs1_pass ? src : 0);
+RISCVException ret = riscv_csrrw(env, csr, &val, src, write_mask);
 
 if (ret != RISCV_EXCP_NONE) {
 riscv_raise_exception(env, ret, GETPC());
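
Review bot: helper_csrw() passes NULL as the third argument of riscv_csrrw(), where helper_csrr() and helper_csrrw() both pass &val. Nothing in this hunk shows that riscv_csrrw and the per-CSR handlers it dispatches to accept a NULL result pointer. Please confirm that in the commit message, or pass a dummy local as the other two helpers do.
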
diff --git a/target/riscv/insn_trans/trans_rvi.c.inc 
b/target/riscv/insn_trans/trans_rvi.c.inc
index 840187a4d6..3705aad380 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -452,80 +452,148 @@ static bool trans_fence_i(DisasContext *ctx, arg_fence_i 
*a)
 return true;
 }
 
-#define RISCV_OP_CSR_PRE do {\
-source1 = tcg_temp_new(); \
-csr_store = tcg_temp_new(); \
-dest = tcg_temp_new(); \
-rs1_pass = tcg_temp_new(); \
-gen_get_gpr(source1, a->rs1); \
-tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next); \
-tcg_gen_movi_tl(rs1_pass, a->rs1); \
-tcg_gen_movi_tl(csr_store, a->csr); \
-gen_io_start();\
-} while (0)
+static bool do_csr_post(DisasContext *ctx)
+{
+/* We may have changed important cpu state -- exit to main loop. */
+tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
+exit_tb(ctx);
+ctx->base.is_jmp = DISAS_NORETURN;
+return true;
+}
 
-#define RISCV_OP_CSR_POST do {\
-gen_set_gpr(a->rd, dest); \
-tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn); \
-exit_tb(ctx); \
-ctx->base.is_jmp = DISAS_NORETURN; \
-tcg_temp_free(source1); \
-tcg_temp_free(csr_store); \
-tcg_temp_free(dest); \
-tcg_temp_free(rs1_pass); \
-} while (0)
+static bool do_csrr(DisasContext *ctx, int rd, int rc)
+{
+TCGv dest = gpr_dst(ctx, rd);
+TCGv_i32 csr = tcg_constant_i32(rc);
 
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
+gen_helper_csrr(dest, cpu_env, csr);
+return do_csr_post(ctx);
+}
+
+static bool do_csrw(DisasContext *ctx, int rc, TCGv src)
+{
+TCGv_i32 csr = tcg_constant_i32(rc);
+
+if (tb_cflags(ctx->base.tb) & CF_USE_ICOUNT) {
+gen_io_start();
+}
+gen_helper_csrw(cpu_env, csr, src);
+return do_csr_post(ctx);
+}
+
+static bool do_csrrw(DisasContext *ctx, int rd, int rc, TCGv src, TCGv mask)
+{
+TCGv dest = g
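
Review bot: the removed RISCV_OP_CSR_PRE stored ctx->base.pc_next into cpu_pc before the helper call, while do_csrr and do_csrw go straight to gen_helper_csrr/gen_helper_csrw and cpu_pc is only written afterwards in do_csr_post. If that is intentional because the helpers recover the pc through GETPC(), please say so in the commit message; otherwise keep `tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next)` ahead of the helper. The same goes for gen_io_start(), which the old macro called unconditionally and the new functions guard with CF_USE_ICOUNT.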

[Bug 1861161] Re: qemu-arm-static stuck with 100% CPU when cross-compiling emacs

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1861161

Title:
  qemu-arm-static stuck with 100% CPU when cross-compiling emacs

Status in QEMU:
  Expired

Bug description:
  Hello,

  I'm trying to build multi-arch docker images for
  https://hub.docker.com/r/silex/emacs.

  Here is the machine I'm building on (hetzner cloud machine):

  root@ubuntu-4gb-fsn1-1:~# lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:Ubuntu 18.04.3 LTS
  Release:18.04
  Codename:   bionic
  root@ubuntu-4gb-fsn1-1:~# uname -a
  Linux ubuntu-4gb-fsn1-1 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 
UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

  Whenever I try to build the following alpine Dockerfile
  https://gitlab.com/Silex777/docker-
  emacs/blob/master/26.3/alpine/3.9/dev/Dockerfile like this:

  $ sysctl kernel.randomize_va_space=0
  $ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
  $ docker build --pull -t test --platform arm .

  It builds fine until this:

  root@ubuntu-4gb-fsn1-1:~# ps -ef | grep qemu
  root 26473 26465 99 14:26 pts/001:59:58 /usr/bin/qemu-arm-static 
../src/bootstrap-emacs -batch --no-site-file --no-site-lisp --eval (setq 
load-prefer-newer t) -f batch-byte-compile emacs-lisp/macroexp.el

  This is supposed to take a few seconds, but here it takes 100% CPU and
  never ends. When I strace the process I see a never ending loop like
  this:

  getdents64(5, /* 0 entries */, 2048)= 0
  lseek(5, 0, SEEK_SET)   = 0
  getdents64(5, /* 5 entries */, 2048)= 120
  tgkill(5875, 5878, SIGRT_2) = -1 EAGAIN (Resource temporarily 
unavailable)
  getdents64(5, /* 0 entries */, 2048)= 0
  lseek(5, 0, SEEK_SET)   = 0
  getdents64(5, /* 5 entries */, 2048)= 120
  tgkill(5875, 5878, SIGRT_2) = -1 EAGAIN (Resource temporarily 
unavailable)
  getdents64(5, /* 0 entries */, 2048)= 0
  lseek(5, 0, SEEK_SET)   = 0
  getdents64(5, /* 5 entries */, 2048)= 120
  tgkill(5875, 5878, SIGRT_2) = -1 EAGAIN (Resource temporarily 
unavailable)
  getdents64(5, /* 0 entries */, 2048)= 0
  lseek(5, 0, SEEK_SET)   = 0
  getdents64(5, /* 5 entries */, 2048)= 120
  tgkill(5875, 5878, SIGRT_2) = -1 EAGAIN (Resource temporarily 
unavailable)
  getdents64(5, /* 0 entries */, 2048)= 0
  lseek(5, 0, SEEK_SET)   = 0
  getdents64(5, /* 5 entries */, 2048)= 120
  tgkill(5875, 5878, SIGRT_2) = -1 EAGAIN (Resource temporarily 
unavailable)

  It happens with all the QEMU versions I tested:
  - 2.11.1 (OS version)
  - 4.1.1-1 (from multiarch/qemu-user-static:4.1.1-1)
  - 4.2.0-2 (from multiarch/qemu-user-static)

  Any ideas of what I could do to debug it further?

  Kind regards,
  Philippe

  p.s: Everything builds fine when the base image is ubuntu. I also had
  similar hangs with basic commands like "apt-get install foo"
  sometimes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1861161/+subscriptions



[PATCH 04/17] target/riscv: Use gpr_{src, dst} in word division operations

2021-07-08 Thread Richard Henderson
Allocate new temps to hold the source extensions, and
extend directly from the source registers.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c | 46 +++-
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index a60b198623..7dedfd548b 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -502,42 +502,40 @@ static void gen_mulw(TCGv ret, TCGv arg1, TCGv arg2)
 static bool gen_arith_div_w(DisasContext *ctx, arg_r *a,
 void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1, source2;
-source1 = tcg_temp_new();
-source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext1 = tcg_temp_new();
+TCGv ext2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-tcg_gen_ext32s_tl(source1, source1);
-tcg_gen_ext32s_tl(source2, source2);
+tcg_gen_ext32s_tl(ext1, src1);
+tcg_gen_ext32s_tl(ext2, src2);
 
-(*func)(source1, source1, source2);
+(*func)(dest, ext1, ext2);
+tcg_temp_free(ext1);
+tcg_temp_free(ext2);
 
-tcg_gen_ext32s_tl(source1, source1);
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_gen_ext32s_tl(dest, dest);
 return true;
 }
 
 static bool gen_arith_div_uw(DisasContext *ctx, arg_r *a,
 void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1, source2;
-source1 = tcg_temp_new();
-source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext1 = tcg_temp_new();
+TCGv ext2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-tcg_gen_ext32u_tl(source1, source1);
-tcg_gen_ext32u_tl(source2, source2);
+tcg_gen_ext32u_tl(ext1, src1);
+tcg_gen_ext32u_tl(ext2, src2);
 
-(*func)(source1, source1, source2);
+(*func)(dest, ext1, ext2);
+tcg_temp_free(ext1);
+tcg_temp_free(ext2);
 
-tcg_gen_ext32s_tl(source1, source1);
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_gen_ext32s_tl(dest, dest);
 return true;
 }
 
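Review bot: in gen_arith_div_uw the inputs are zero-extended with tcg_gen_ext32u_tl but the result is still sign-extended with `tcg_gen_ext32s_tl(dest, dest)`. That matches the removed code, yet next to the unsigned input extension it reads like a copy-and-paste slip; a one-line comment that the 32-bit result of the unsigned word operations is sign-extended into the destination would stop someone from "fixing" it later.
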
-- 
2.25.1




[PATCH 16/17] target/riscv: Use gpr_{src,dst} for RVV

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvv.c.inc | 79 +++--
 1 file changed, 20 insertions(+), 59 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvv.c.inc 
b/target/riscv/insn_trans/trans_rvv.c.inc
index a8e7272487..84a45fac38 100644
--- a/target/riscv/insn_trans/trans_rvv.c.inc
+++ b/target/riscv/insn_trans/trans_rvv.c.inc
@@ -27,27 +27,21 @@ static bool trans_vsetvl(DisasContext *ctx, arg_vsetvl *a)
 return false;
 }
 
-s2 = tcg_temp_new();
-dst = tcg_temp_new();
+s2 = gpr_src(ctx, a->rs2);
+dst = gpr_dst(ctx, a->rd);
 
 /* Using x0 as the rs1 register specifier, encodes an infinite AVL */
 if (a->rs1 == 0) {
 /* As the mask is at least one bit, RV_VLEN_MAX is >= VLMAX */
 s1 = tcg_constant_tl(RV_VLEN_MAX);
 } else {
-s1 = tcg_temp_new();
-gen_get_gpr(s1, a->rs1);
+s1 = gpr_src(ctx, a->rs1);
 }
-gen_get_gpr(s2, a->rs2);
 gen_helper_vsetvl(dst, cpu_env, s1, s2);
-gen_set_gpr(a->rd, dst);
+
 tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
 lookup_and_goto_ptr(ctx);
 ctx->base.is_jmp = DISAS_NORETURN;
-
-tcg_temp_free(s1);
-tcg_temp_free(s2);
-tcg_temp_free(dst);
 return true;
 }
 
@@ -60,23 +54,19 @@ static bool trans_vsetvli(DisasContext *ctx, arg_vsetvli *a)
 }
 
 s2 = tcg_constant_tl(a->zimm);
-dst = tcg_temp_new();
+dst = gpr_dst(ctx, a->rd);
 
 /* Using x0 as the rs1 register specifier, encodes an infinite AVL */
 if (a->rs1 == 0) {
 /* As the mask is at least one bit, RV_VLEN_MAX is >= VLMAX */
 s1 = tcg_constant_tl(RV_VLEN_MAX);
 } else {
-s1 = tcg_temp_new();
-gen_get_gpr(s1, a->rs1);
+s1 = gpr_src(ctx, a->rs1);
 }
 gen_helper_vsetvl(dst, cpu_env, s1, s2);
-gen_set_gpr(a->rd, dst);
+
 gen_goto_tb(ctx, 0, ctx->pc_succ_insn);
 ctx->base.is_jmp = DISAS_NORETURN;
-
-tcg_temp_free(s1);
-tcg_temp_free(dst);
 return true;
 }
 
@@ -173,7 +163,7 @@ static bool ldst_us_trans(uint32_t vd, uint32_t rs1, 
uint32_t data,
 
 dest = tcg_temp_new_ptr();
 mask = tcg_temp_new_ptr();
-base = tcg_temp_new();
+base = gpr_src(s, rs1);
 
 /*
  * As simd_desc supports at most 256 bytes, and in this implementation,
@@ -184,7 +174,6 @@ static bool ldst_us_trans(uint32_t vd, uint32_t rs1, 
uint32_t data,
  */
 desc = tcg_constant_i32(simd_desc(s->vlen / 8, s->vlen / 8, data));
 
-gen_get_gpr(base, rs1);
 tcg_gen_addi_ptr(dest, cpu_env, vreg_ofs(s, vd));
 tcg_gen_addi_ptr(mask, cpu_env, vreg_ofs(s, 0));
 
@@ -192,7 +181,6 @@ static bool ldst_us_trans(uint32_t vd, uint32_t rs1, 
uint32_t data,
 
 tcg_temp_free_ptr(dest);
 tcg_temp_free_ptr(mask);
-tcg_temp_free(base);
 gen_set_label(over);
 return true;
 }
@@ -330,12 +318,10 @@ static bool ldst_stride_trans(uint32_t vd, uint32_t rs1, 
uint32_t rs2,
 
 dest = tcg_temp_new_ptr();
 mask = tcg_temp_new_ptr();
-base = tcg_temp_new();
-stride = tcg_temp_new();
+base = gpr_src(s, rs1);
+stride = gpr_src(s, rs2);
 desc = tcg_constant_i32(simd_desc(s->vlen / 8, s->vlen / 8, data));
 
-gen_get_gpr(base, rs1);
-gen_get_gpr(stride, rs2);
 tcg_gen_addi_ptr(dest, cpu_env, vreg_ofs(s, vd));
 tcg_gen_addi_ptr(mask, cpu_env, vreg_ofs(s, 0));
 
@@ -343,8 +329,6 @@ static bool ldst_stride_trans(uint32_t vd, uint32_t rs1, 
uint32_t rs2,
 
 tcg_temp_free_ptr(dest);
 tcg_temp_free_ptr(mask);
-tcg_temp_free(base);
-tcg_temp_free(stride);
 gen_set_label(over);
 return true;
 }
@@ -458,10 +442,9 @@ static bool ldst_index_trans(uint32_t vd, uint32_t rs1, 
uint32_t vs2,
 dest = tcg_temp_new_ptr();
 mask = tcg_temp_new_ptr();
 index = tcg_temp_new_ptr();
-base = tcg_temp_new();
+base = gpr_src(s, rs1);
 desc = tcg_constant_i32(simd_desc(s->vlen / 8, s->vlen / 8, data));
 
-gen_get_gpr(base, rs1);
 tcg_gen_addi_ptr(dest, cpu_env, vreg_ofs(s, vd));
 tcg_gen_addi_ptr(index, cpu_env, vreg_ofs(s, vs2));
 tcg_gen_addi_ptr(mask, cpu_env, vreg_ofs(s, 0));
@@ -471,7 +454,6 @@ static bool ldst_index_trans(uint32_t vd, uint32_t rs1, 
uint32_t vs2,
 tcg_temp_free_ptr(dest);
 tcg_temp_free_ptr(mask);
 tcg_temp_free_ptr(index);
-tcg_temp_free(base);
 gen_set_label(over);
 return true;
 }
@@ -589,10 +571,9 @@ static bool ldff_trans(uint32_t vd, uint32_t rs1, uint32_t 
data,
 
 dest = tcg_temp_new_ptr();
 mask = tcg_temp_new_ptr();
-base = tcg_temp_new();
+base = gpr_src(s, rs1);
 desc = tcg_constant_i32(simd_desc(s->vlen / 8, s->vlen / 8, data));
 
-gen_get_gpr(base, rs1);
 tcg_gen_addi_ptr(dest, cpu_env, vreg_ofs(s, vd));
 tcg_gen_addi_ptr(mask, cpu_env, vreg_ofs(s, 0));
 
@@ -600,7 +581,6 @@ static bool ldff_trans(uint32_t vd, uint32_t rs1, uint32_t 
data,
 
 tcg_temp_free_ptr(dest);
 tcg_temp_free_ptr(mask);
- 

[PATCH 03/17] target/riscv: Use gpr_{src,dst} in shift operations

2021-07-08 Thread Richard Henderson
These operations are slightly more complicated since
we need to crop the shift operand.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c | 68 +++-
 1 file changed, 26 insertions(+), 42 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 2cfcb849b8..a60b198623 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -778,18 +778,14 @@ static bool gen_arith(DisasContext *ctx, arg_r *a,
 static bool gen_shift(DisasContext *ctx, arg_r *a,
 void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-
-tcg_gen_andi_tl(source2, source2, TARGET_LONG_BITS - 1);
-(*func)(source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_gen_andi_tl(ext2, src2, TARGET_LONG_BITS - 1);
+(*func)(dest, src1, ext2);
+tcg_temp_free(ext2);
 return true;
 }
 
@@ -805,58 +801,46 @@ static uint32_t opcode_at(DisasContextBase *dcbase, 
target_ulong pc)
 static bool gen_shifti(DisasContext *ctx, arg_shift *a,
void(*func)(TCGv, TCGv, TCGv))
 {
+TCGv dest, src1, src2;
+
 if (a->shamt >= TARGET_LONG_BITS) {
 return false;
 }
 
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
+dest = gpr_dst(ctx, a->rd);
+src1 = gpr_src(ctx, a->rs1);
+src2 = tcg_constant_tl(a->shamt);
 
-gen_get_gpr(source1, a->rs1);
-
-tcg_gen_movi_tl(source2, a->shamt);
-(*func)(source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+(*func)(dest, src1, src2);
 return true;
 }
 
 static bool gen_shiftw(DisasContext *ctx, arg_r *a,
void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
+tcg_gen_andi_tl(ext2, src2, 31);
+(*func)(dest, src1, ext2);
+tcg_gen_ext32s_tl(dest, dest);
 
-tcg_gen_andi_tl(source2, source2, 31);
-(*func)(source1, source1, source2);
-tcg_gen_ext32s_tl(source1, source1);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_temp_free(ext2);
 return true;
 }
 
 static bool gen_shiftiw(DisasContext *ctx, arg_shift *a,
 void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = tcg_constant_tl(a->shamt);
 
-gen_get_gpr(source1, a->rs1);
-tcg_gen_movi_tl(source2, a->shamt);
+(*func)(dest, src1, src2);
+tcg_gen_ext32s_tl(dest, dest);
 
-(*func)(source1, source1, source2);
-tcg_gen_ext32s_tl(source1, source1);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
 return true;
 }
 
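Review bot: in gen_shifti and gen_shiftiw the third argument handed to the callback is now `tcg_constant_tl(a->shamt)`, where the removed code passed a writable temp filled by tcg_gen_movi_tl. Any shift callback that modifies its arg2 in place would now be writing to a constant, so please confirm none of the functions passed to these two helpers does that, or say in the commit message that they were checked.
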
-- 
2.25.1




[PATCH 13/17] target/riscv: Use gpr_{src,dst} for RVD

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvd.c.inc | 116 +---
 1 file changed, 44 insertions(+), 72 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvd.c.inc 
b/target/riscv/insn_trans/trans_rvd.c.inc
index 7e45538ae0..9bb15fdc12 100644
--- a/target/riscv/insn_trans/trans_rvd.c.inc
+++ b/target/riscv/insn_trans/trans_rvd.c.inc
@@ -22,14 +22,22 @@ static bool trans_fld(DisasContext *ctx, arg_fld *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-tcg_gen_addi_tl(t0, t0, a->imm);
 
-tcg_gen_qemu_ld_i64(cpu_fpr[a->rd], t0, ctx->mem_idx, MO_TEQ);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv temp = NULL;
 
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
+
+tcg_gen_qemu_ld_i64(cpu_fpr[a->rd], addr, ctx->mem_idx, MO_TEQ);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 mark_fs_dirty(ctx);
-tcg_temp_free(t0);
 return true;
 }
 
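Review bot: the `if (a->imm) { temp = tcg_temp_new(); ... addr = temp; }` block and the matching `if (temp)` free are repeated verbatim in trans_fsd in the next hunk. A small shared helper that returns the effective address for rs1 plus imm would remove the duplication and the NULL-initialised temp bookkeeping from both functions.
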
@@ -37,13 +45,21 @@ static bool trans_fsd(DisasContext *ctx, arg_fsd *a)
 {
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-tcg_gen_addi_tl(t0, t0, a->imm);
 
-tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], t0, ctx->mem_idx, MO_TEQ);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv temp = NULL;
 
-tcg_temp_free(t0);
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
+
+tcg_gen_qemu_st_i64(cpu_fpr[a->rs2], addr, ctx->mem_idx, MO_TEQ);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 return true;
 }
 
@@ -252,11 +268,8 @@ static bool trans_feq_d(DisasContext *ctx, arg_feq_d *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_helper_feq_d(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_feq_d(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -265,11 +278,8 @@ static bool trans_flt_d(DisasContext *ctx, arg_flt_d *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_helper_flt_d(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_flt_d(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -278,11 +288,8 @@ static bool trans_fle_d(DisasContext *ctx, arg_fle_d *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_helper_fle_d(t0, cpu_env, cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fle_d(gpr_dst(ctx, a->rd), cpu_env,
+ cpu_fpr[a->rs1], cpu_fpr[a->rs2]);
 return true;
 }
 
@@ -291,10 +298,7 @@ static bool trans_fclass_d(DisasContext *ctx, arg_fclass_d 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_helper_fclass_d(t0, cpu_fpr[a->rs1]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
+gen_helper_fclass_d(gpr_dst(ctx, a->rd), cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -303,12 +307,8 @@ static bool trans_fcvt_w_d(DisasContext *ctx, arg_fcvt_w_d 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_w_d(t0, cpu_env, cpu_fpr[a->rs1]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fcvt_w_d(gpr_dst(ctx, a->rd), cpu_env, cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -317,12 +317,8 @@ static bool trans_fcvt_wu_d(DisasContext *ctx, 
arg_fcvt_wu_d *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_wu_d(t0, cpu_env, cpu_fpr[a->rs1]);
-gen_set_gpr(a->rd, t0);
-tcg_temp_free(t0);
-
+gen_helper_fcvt_wu_d(gpr_dst(ctx, a->rd), cpu_env, cpu_fpr[a->rs1]);
 return true;
 }
 
@@ -331,12 +327,8 @@ static bool trans_fcvt_d_w(DisasContext *ctx, arg_fcvt_d_w 
*a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_d_w(cpu_fpr[a->rd], cpu_env, t0);
-tcg_temp_free(t0);
+gen_helper_fcvt_d_w(cpu_fpr[a->rd], cpu_env, gpr_src(ctx, a->rs1));
 
 mark_fs_dirty(ctx);
 return true;
@@ -347,12 +339,8 @@ static bool trans_fcvt_d_wu(DisasContext *ctx, 
arg_fcvt_d_wu *a)
 REQUIRE_FPU;
 REQUIRE_EXT(ctx, RVD);
 
-TCGv t0 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-
 gen_set_rm(ctx, a->rm);
-gen_helper_fcvt_d_wu(cpu_fpr[a->rd], cpu_env, t0);
-tcg_temp_free(t0);
+gen_helper_fcvt_d_wu(cpu_fpr[a->rd], cpu_env, gpr_src(ctx, a->rs1));
 
 mark_fs_dirty(ctx);
 return true;
@@ -364,11 +352,8 @@ static b

[PATCH 02/17] target/riscv: Introduce gpr_src, gpr_dst

2021-07-08 Thread Richard Henderson
New helpers that do not force tcg globals into temps,
returning a constant 0 for $zero as source and a new
temp for $zero as destination.

Use them in gen_arith_imm_{fn,tl}, gen_arith, gen_unary.
These are simplest because no further temps required.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c | 83 ++--
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index bba5ad8ec4..2cfcb849b8 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -65,6 +65,8 @@ typedef struct DisasContext {
 uint16_t mlen;
 bool vl_eq_vlmax;
 CPUState *cs;
+TCGv zero;
+TCGv sink;
 } DisasContext;
 
 static inline bool has_ext(DisasContext *ctx, uint32_t ext)
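
Review bot: the two new DisasContext fields, zero and sink, are added without comments. Their lifetimes differ (zero is set once in riscv_tr_tb_start from tcg_constant_tl(0), sink is allocated on demand and freed after every instruction in riscv_tr_translate_insn), so please document each at its declaration.
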
@@ -202,6 +204,14 @@ static inline void gen_get_gpr(TCGv t, int reg_num)
 }
 }
 
+static TCGv gpr_src(DisasContext *ctx, int reg_num)
+{
+if (reg_num == 0) {
+return ctx->zero;
+}
+return cpu_gpr[reg_num];
+}
+
 /* Wrapper for setting reg values - need to check of reg is zero since
  * cpu_gpr[0] is not actually allocated. this is more for safety purposes,
  * since we usually avoid calling the OP_TYPE_gen function if we see a write to
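
Review bot: gpr_src returns either ctx->zero or the cpu_gpr global itself, where gen_get_gpr used to fill a caller-owned temp. A caller that still writes to its source operand would now modify the guest register or a constant, so gpr_src needs a comment saying the returned TCGv is read-only.
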
@@ -214,6 +224,17 @@ static inline void gen_set_gpr(int reg_num_dst, TCGv t)
 }
 }
 
+static TCGv gpr_dst(DisasContext *ctx, int reg_num)
+{
+if (reg_num == 0) {
+if (ctx->sink == NULL) {
+ctx->sink = tcg_temp_new();
+}
+return ctx->sink;
+}
+return cpu_gpr[reg_num];
+}
+
 static void gen_mulhsu(TCGv ret, TCGv arg1, TCGv arg2)
 {
 TCGv rl = tcg_temp_new();
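
Review bot: gpr_dst hands out ctx->sink when reg_num is 0, and that temp is freed in riscv_tr_translate_insn after each instruction, so the returned TCGv must not be kept past the current instruction. A comment above gpr_dst saying so, and that for non-zero registers the write lands in the guest register immediately, would help people converting the remaining translators.
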
@@ -442,33 +463,21 @@ static int ex_rvc_shifti(DisasContext *ctx, int imm)
 static bool gen_arith_imm_fn(DisasContext *ctx, arg_i *a,
  void (*func)(TCGv, TCGv, target_long))
 {
-TCGv source1;
-source1 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
 
-gen_get_gpr(source1, a->rs1);
-
-(*func)(source1, source1, a->imm);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
+(*func)(dest, src1, a->imm);
 return true;
 }
 
 static bool gen_arith_imm_tl(DisasContext *ctx, arg_i *a,
  void (*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1, source2;
-source1 = tcg_temp_new();
-source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = tcg_constant_tl(a->imm);
 
-gen_get_gpr(source1, a->rs1);
-tcg_gen_movi_tl(source2, a->imm);
-
-(*func)(source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+(*func)(dest, src1, src2);
 return true;
 }
 
@@ -758,18 +767,11 @@ static void gen_add_uw(TCGv ret, TCGv arg1, TCGv arg2)
 static bool gen_arith(DisasContext *ctx, arg_r *a,
   void(*func)(TCGv, TCGv, TCGv))
 {
-TCGv source1, source2;
-source1 = tcg_temp_new();
-source2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-
-(*func)(source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+(*func)(dest, src1, src2);
 return true;
 }
 
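Review bot: with `(*func)(dest, src1, src2)` the output can now be the same TCG global as the second input (rd == rs2), which the removed `(*func)(source1, source1, source2)` never allowed. Every callback passed to gen_arith that emits more than one op needs checking that it does not write ret before its last read of arg2; please confirm that audit was done and note it in the commit message.
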
@@ -871,14 +873,10 @@ static void gen_clz(TCGv ret, TCGv arg1)
 static bool gen_unary(DisasContext *ctx, arg_r2 *a,
   void(*func)(TCGv, TCGv))
 {
-TCGv source = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
 
-gen_get_gpr(source, a->rs1);
-
-(*func)(source, source);
-
-gen_set_gpr(a->rd, source);
-tcg_temp_free(source);
+(*func)(dest, src1);
 return true;
 }
 
@@ -952,8 +950,12 @@ static void riscv_tr_init_disas_context(DisasContextBase 
*dcbase, CPUState *cs)
 ctx->cs = cs;
 }
 
-static void riscv_tr_tb_start(DisasContextBase *db, CPUState *cpu)
+static void riscv_tr_tb_start(DisasContextBase *dcbase, CPUState *cpu)
 {
+DisasContext *ctx = container_of(dcbase, DisasContext, base);
+
+ctx->sink = NULL;
+ctx->zero = tcg_constant_tl(0);
 }
 
 static void riscv_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
@@ -988,6 +990,11 @@ static void riscv_tr_translate_insn(DisasContextBase 
*dcbase, CPUState *cpu)
 decode_opc(env, ctx, opcode16);
 ctx->base.pc_next = ctx->pc_succ_insn;
 
+if (ctx->sink) {
+tcg_temp_free(ctx->sink);
+ctx->sink = NULL;
+}
+
 if (ctx->base.is_jmp == DISAS_NEXT) {
 target_ulong page_start;
 
-- 
2.25.1




[PATCH 15/17] target/riscv: Use gen_arith for mulh and mulhu

2021-07-08 Thread Richard Henderson
Split out gen_mulh and gen_mulhu and use the common helper.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c| 16 
 target/riscv/insn_trans/trans_rvm.c.inc | 24 ++--
 2 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 6ad40e43b0..8ff75a5798 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -235,6 +235,22 @@ static TCGv gpr_dst(DisasContext *ctx, int reg_num)
 return cpu_gpr[reg_num];
 }
 
+static void gen_mulh(TCGv ret, TCGv s1, TCGv s2)
+{
+TCGv discard = tcg_temp_new();
+
+tcg_gen_muls2_tl(discard, ret, s1, s2);
+tcg_temp_free(discard);
+}
+
+static void gen_mulhu(TCGv ret, TCGv s1, TCGv s2)
+{
+TCGv discard = tcg_temp_new();
+
+tcg_gen_mulu2_tl(discard, ret, s1, s2);
+tcg_temp_free(discard);
+}
+
 static void gen_mulhsu(TCGv ret, TCGv arg1, TCGv arg2)
 {
 TCGv rl = tcg_temp_new();
diff --git a/target/riscv/insn_trans/trans_rvm.c.inc 
b/target/riscv/insn_trans/trans_rvm.c.inc
index 10ecc456fc..34220b824d 100644
--- a/target/riscv/insn_trans/trans_rvm.c.inc
+++ b/target/riscv/insn_trans/trans_rvm.c.inc
@@ -28,17 +28,7 @@ static bool trans_mul(DisasContext *ctx, arg_mul *a)
 static bool trans_mulh(DisasContext *ctx, arg_mulh *a)
 {
 REQUIRE_EXT(ctx, RVM);
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-
-tcg_gen_muls2_tl(source2, source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
-return true;
+return gen_arith(ctx, a, gen_mulh);
 }
 
 static bool trans_mulhsu(DisasContext *ctx, arg_mulhsu *a)
@@ -50,17 +40,7 @@ static bool trans_mulhsu(DisasContext *ctx, arg_mulhsu *a)
 static bool trans_mulhu(DisasContext *ctx, arg_mulhu *a)
 {
 REQUIRE_EXT(ctx, RVM);
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-
-tcg_gen_mulu2_tl(source2, source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
-return true;
+return gen_arith(ctx, a, gen_mulhu);
 }
 
 static bool trans_div(DisasContext *ctx, arg_div *a)
-- 
2.25.1




[Bug 1898490] Re: gtk with virtio and opengl black screen

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1898490

Title:
  gtk with virtio and opengl black screen

Status in QEMU:
  Expired

Bug description:
  qemu-system-x86_64 -name manjaro -enable-kvm -cpu host -smp
  cores=4,threads=1 -M q35 -m 8G -cdrom /mnt/Storage/ISO/manjaro-
  gnome-20.0.3-minimal-200606-linux56.iso -machine type=pc,accel=kvm
  -vga virtio -display sdl,gl=on Boots properly and has working 3d
  acceleration with virgl.

  Running qemu-system-x86_64 -name manjaro -enable-kvm -cpu host -smp
  cores=4,threads=1 -M q35 -m 8G -cdrom /mnt/Storage/ISO/manjaro-
  gnome-20.0.3-minimal-200606-linux56.iso -machine type=pc,accel=kvm
  -vga virtio -display gtk,gl=on however, (difference being gtk instead
  of sdl), the screen is black, and the vm still starts.

  System Specs
  Gentoo Linux 64bit
  Gentoo-Sources 5.8.13 Kernel
  Qemu 5.10.0-r1 compiled with USE="aio bzip2 caps curl fdt filecaps gtk jpeg 
ncurses nls opengl oss pin-upstream-blobs png pulseaudio sdl seccomp slirp 
spice usb usbredir vhost-net virgl vnc xattr xkb" PYTHON_TARGETS="python3_7" 
QEMU_SOFTMMU_TARGETS="x86_64" QEMU_USER_TARGETS="x86_64"

  Ryzen 7 2700x
  Nvidia 1070ti GPU

  I can confirm the same issue when using libvirt with opengl.




[PATCH 10/17] target/riscv: Use gpr_{src,dst} for RVA

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rva.c.inc | 42 +
 1 file changed, 14 insertions(+), 28 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rva.c.inc 
b/target/riscv/insn_trans/trans_rva.c.inc
index ab2ec4f0a5..5bb5bbd09c 100644
--- a/target/riscv/insn_trans/trans_rva.c.inc
+++ b/target/riscv/insn_trans/trans_rva.c.inc
@@ -18,11 +18,11 @@
  * this program.  If not, see .
  */
 
-static inline bool gen_lr(DisasContext *ctx, arg_atomic *a, MemOp mop)
+static bool gen_lr(DisasContext *ctx, arg_atomic *a, MemOp mop)
 {
-TCGv src1 = tcg_temp_new();
+TCGv src1 = gpr_src(ctx, a->rs1);
+
 /* Put addr in load_res, data in load_val.  */
-gen_get_gpr(src1, a->rs1);
 if (a->rl) {
 tcg_gen_mb(TCG_MO_ALL | TCG_BAR_STRL);
 }
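
Review bot: gen_lr loses its `inline` here (as does gen_sc in the next hunk) but the patch carries no description at all. Please add a sentence to the commit message covering the `inline` removal, and explaining that gen_lr deliberately keeps `gen_set_gpr(a->rd, load_val)` rather than switching to gpr_dst.
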
@@ -33,30 +33,26 @@ static inline bool gen_lr(DisasContext *ctx, arg_atomic *a, 
MemOp mop)
 tcg_gen_mov_tl(load_res, src1);
 gen_set_gpr(a->rd, load_val);
 
-tcg_temp_free(src1);
 return true;
 }
 
-static inline bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
+static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
 {
-TCGv src1 = tcg_temp_new();
-TCGv src2 = tcg_temp_new();
-TCGv dat = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
 TCGLabel *l1 = gen_new_label();
 TCGLabel *l2 = gen_new_label();
 
-gen_get_gpr(src1, a->rs1);
 tcg_gen_brcond_tl(TCG_COND_NE, load_res, src1, l1);
 
-gen_get_gpr(src2, a->rs2);
 /*
  * Note that the TCG atomic primitives are SC,
  * so we can ignore AQ/RL along this path.
  */
-tcg_gen_atomic_cmpxchg_tl(src1, load_res, load_val, src2,
+tcg_gen_atomic_cmpxchg_tl(dest, load_res, load_val, src2,
   ctx->mem_idx, mop);
-tcg_gen_setcond_tl(TCG_COND_NE, dat, src1, load_val);
-gen_set_gpr(a->rd, dat);
+tcg_gen_setcond_tl(TCG_COND_NE, dest, dest, load_val);
 tcg_gen_br(l2);
 
 gen_set_label(l1);
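
Review bot: dest is written on both sides of the l1/l2 labels here, and for rd == x0 it is ctx->sink, a plain tcg_temp_new() temp whose value does not survive a branch or label. This works because the only read of dest is the setcond directly after the cmpxchg, inside the same block, but the old separate dat temp made that obvious; a short comment at the `tcg_gen_setcond_tl(TCG_COND_NE, dest, dest, load_val)` line would keep later edits from reading dest after gen_set_label().
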
@@ -65,8 +61,7 @@ static inline bool gen_sc(DisasContext *ctx, arg_atomic *a, 
MemOp mop)
  * provide the memory barrier implied by AQ/RL.
  */
 tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + a->rl * TCG_BAR_STRL);
-tcg_gen_movi_tl(dat, 1);
-gen_set_gpr(a->rd, dat);
+tcg_gen_movi_tl(dest, 1);
 
 gen_set_label(l2);
 /*
@@ -75,9 +70,6 @@ static inline bool gen_sc(DisasContext *ctx, arg_atomic *a, 
MemOp mop)
  */
 tcg_gen_movi_tl(load_res, -1);
 
-tcg_temp_free(dat);
-tcg_temp_free(src1);
-tcg_temp_free(src2);
 return true;
 }
 
@@ -85,17 +77,11 @@ static bool gen_amo(DisasContext *ctx, arg_atomic *a,
 void(*func)(TCGv, TCGv, TCGv, TCGArg, MemOp),
 MemOp mop)
 {
-TCGv src1 = tcg_temp_new();
-TCGv src2 = tcg_temp_new();
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
 
-gen_get_gpr(src1, a->rs1);
-gen_get_gpr(src2, a->rs2);
-
-(*func)(src2, src1, src2, ctx->mem_idx, mop);
-
-gen_set_gpr(a->rd, src2);
-tcg_temp_free(src1);
-tcg_temp_free(src2);
+(*func)(dest, src1, src2, ctx->mem_idx, mop);
 return true;
 }
 
-- 
2.25.1




[PATCH 06/17] target/riscv: Use gpr_src in branches

2021-07-08 Thread Richard Henderson
Narrow the scope of t0 in trans_jalr.

Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvi.c.inc | 25 ++---
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvi.c.inc 
b/target/riscv/insn_trans/trans_rvi.c.inc
index 6e736c9d0d..a603925637 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -54,24 +54,25 @@ static bool trans_jal(DisasContext *ctx, arg_jal *a)
 
 static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
 {
-/* no chaining with JALR */
 TCGLabel *misaligned = NULL;
-TCGv t0 = tcg_temp_new();
 
-
-gen_get_gpr(cpu_pc, a->rs1);
-tcg_gen_addi_tl(cpu_pc, cpu_pc, a->imm);
+tcg_gen_addi_tl(cpu_pc, gpr_src(ctx, a->rs1), a->imm);
 tcg_gen_andi_tl(cpu_pc, cpu_pc, (target_ulong)-2);
 
 if (!has_ext(ctx, RVC)) {
+TCGv t0 = tcg_temp_new();
+
 misaligned = gen_new_label();
 tcg_gen_andi_tl(t0, cpu_pc, 0x2);
 tcg_gen_brcondi_tl(TCG_COND_NE, t0, 0x0, misaligned);
+tcg_temp_free(t0);
 }
 
 if (a->rd != 0) {
 tcg_gen_movi_tl(cpu_gpr[a->rd], ctx->pc_succ_insn);
 }
+
+/* No chaining with JALR. */
 lookup_and_goto_ptr(ctx);
 
 if (misaligned) {
@@ -80,21 +81,18 @@ static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
 }
 ctx->base.is_jmp = DISAS_NORETURN;
 
-tcg_temp_free(t0);
 return true;
 }
 
 static bool gen_branch(DisasContext *ctx, arg_b *a, TCGCond cond)
 {
 TCGLabel *l = gen_new_label();
-TCGv source1, source2;
-source1 = tcg_temp_new();
-source2 = tcg_temp_new();
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
 
-tcg_gen_brcond_tl(cond, source1, source2, l);
+tcg_gen_brcond_tl(cond, src1, src2, l);
 gen_goto_tb(ctx, 1, ctx->pc_succ_insn);
+
 gen_set_label(l); /* branch taken */
 
 if (!has_ext(ctx, RVC) && ((ctx->base.pc_next + a->imm) & 0x3)) {
@@ -105,9 +103,6 @@ static bool gen_branch(DisasContext *ctx, arg_b *a, TCGCond 
cond)
 }
 ctx->base.is_jmp = DISAS_NORETURN;
 
-tcg_temp_free(source1);
-tcg_temp_free(source2);
-
 return true;
 }
 
-- 
2.25.1




[PATCH 11/17] target/riscv: Use gpr_{src,dst} for RVB

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvb.c.inc | 11 ---
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 9e81f6e3de..58921f3224 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -423,16 +423,13 @@ static bool trans_slli_uw(DisasContext *ctx, arg_slli_uw 
*a)
 REQUIRE_64BIT(ctx);
 REQUIRE_EXT(ctx, RVB);
 
-TCGv source1 = tcg_temp_new();
-gen_get_gpr(source1, a->rs1);
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
 
 if (a->shamt < 32) {
-tcg_gen_deposit_z_tl(source1, source1, a->shamt, 32);
+tcg_gen_deposit_z_tl(dest, src1, a->shamt, 32);
 } else {
-tcg_gen_shli_tl(source1, source1, a->shamt);
+tcg_gen_shli_tl(dest, src1, a->shamt);
 }
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
 return true;
 }
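Review bot: The result is now written straight into gpr_dst(ctx, a->rd) and the gen_set_gpr(a->rd, source1) call is gone, so trans_slli_uw is only correct if gpr_dst hands back a value that is safe to write when a->rd is 0. The commit message carries nothing but the Signed-off-by line; one sentence naming that dependency, and the patch in the series that introduces gpr_dst, would let this hunk be reviewed on its own.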
-- 
2.25.1




[Bug 1896561] Re: EFI GOP Mode 1366x768

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1896561

Title:
  EFI GOP Mode 1366x768

Status in QEMU:
  Expired

Bug description:
  When using the EFI firmware from
  https://www.kraxel.org/repos/jenkins/edk2/
  (https://www.kraxel.org/repos/jenkins/edk2/edk2.git-ovmf-x64-0-20200919.1453.g7faece6985.noarch.rpm)
  (OVMF-pure-efi.fd and
  OVMF_VARS-pure-efi.fd) then using the GOP, setting the mode to
  1366x768, QEMU uses a width of 1360 instead.

  I am using QEMU for windows (https://qemu.weilnetz.de/) on a Windows
  10 machine.

  To verify, while in the EFI firmware loaded code (within BOOTx64.EFI)
  and before ExitBootServices(), I choose the 1360x768 mode.  I then
  took notice of where the host window was and how many pixels it
  occupied.  I then reset the emulation (without quitting) and chose the
  1366x768 mode.  QEMU set the host window to the exact same width as
  the 1360 mode.  i.e.: The same exact pixels were shown in the host
  background.  The window did not expand the extra 6 pixels.

  I allowed the firmware to run its course to my test environment when
  using mode 1366x768, all pixels are 6 pixels off to the right.  i.e.:
  6 pixels down the Frame Buffer.  If my test environment changes its
  HORZ WIDTH and PIXELS PER SCANLINE to 1360 while using this (1366x768)
  mode, the display is correct.

  This told me that it could be a few things.
  1) Since most (I didn't check them all) of the other modes have the width
  value's bits 2:0 clear, mode 1366x768 is the only mode the EDK2 firmware has
  with a width where bits 2:0 are not zero.  Could EDK2 or QEMU (which for the
  Windows version may use SDL2 so it must be considered here) be clearing these
  bits?  The value of 1366 when clearing bits 2:0 is 1360.

  2) Could there be a typo in the EDK2 code where the width should have been
  1366?
  (I went looking at both QEMU (for Windows) and EDK2 and after looking at many
  lines of code, I could not find anywhere where this might happen.)

  By the way, in /ui/sdl2-2d.c (QEMU Windows version only?), there is a
  typo in a comment, missing the second 'e':

  Line 156:  * the native ones. Thes are the ones I have tested.

  3) Could EDK2 be sending 1360 instead of 1366?
  4) Could QEMU (passing it on to SDL2 in SDL_SetWindowSize()?) be destroying
  the value (bottom three bits)?

  Anyway, using the latest version of the EDK2 from the URL listed
  above, choosing the 1366x768 mode, does not set QEMU (for Windows) to
  1366 pixels in width.

  Ben

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1896561/+subscriptions



[PATCH 01/17] target/riscv: Use tcg_constant_*

2021-07-08 Thread Richard Henderson
Replace uses of tcg_const_* with the allocate and free close together.

Signed-off-by: Richard Henderson 
---
 target/riscv/translate.c| 36 --
 target/riscv/insn_trans/trans_rvf.c.inc |  3 +-
 target/riscv/insn_trans/trans_rvv.c.inc | 65 +
 3 files changed, 34 insertions(+), 70 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index 62a7d7e4c7..bba5ad8ec4 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -104,20 +104,16 @@ static void gen_nanbox_s(TCGv_i64 out, TCGv_i64 in)
  */
 static void gen_check_nanbox_s(TCGv_i64 out, TCGv_i64 in)
 {
-TCGv_i64 t_max = tcg_const_i64(0xull);
-TCGv_i64 t_nan = tcg_const_i64(0x7fc0ull);
+TCGv_i64 t_max = tcg_constant_i64(0xull);
+TCGv_i64 t_nan = tcg_constant_i64(0x7fc0ull);
 
 tcg_gen_movcond_i64(TCG_COND_GEU, out, in, t_max, in, t_nan);
-tcg_temp_free_i64(t_max);
-tcg_temp_free_i64(t_nan);
 }
 
 static void generate_exception(DisasContext *ctx, int excp)
 {
 tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
-TCGv_i32 helper_tmp = tcg_const_i32(excp);
-gen_helper_raise_exception(cpu_env, helper_tmp);
-tcg_temp_free_i32(helper_tmp);
+gen_helper_raise_exception(cpu_env, tcg_constant_i32(excp));
 ctx->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -125,17 +121,13 @@ static void generate_exception_mtval(DisasContext *ctx, 
int excp)
 {
 tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
 tcg_gen_st_tl(cpu_pc, cpu_env, offsetof(CPURISCVState, badaddr));
-TCGv_i32 helper_tmp = tcg_const_i32(excp);
-gen_helper_raise_exception(cpu_env, helper_tmp);
-tcg_temp_free_i32(helper_tmp);
+gen_helper_raise_exception(cpu_env, tcg_constant_i32(excp));
 ctx->base.is_jmp = DISAS_NORETURN;
 }
 
 static void gen_exception_debug(void)
 {
-TCGv_i32 helper_tmp = tcg_const_i32(EXCP_DEBUG);
-gen_helper_raise_exception(cpu_env, helper_tmp);
-tcg_temp_free_i32(helper_tmp);
+gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
 }
 
 /* Wrapper around tcg_gen_exit_tb that handles single stepping */
@@ -247,7 +239,7 @@ static void gen_div(TCGv ret, TCGv source1, TCGv source2)
  */
 cond1 = tcg_temp_new();
 cond2 = tcg_temp_new();
-zeroreg = tcg_const_tl(0);
+zeroreg = tcg_constant_tl(0);
 resultopt1 = tcg_temp_new();
 
 tcg_gen_movi_tl(resultopt1, (target_ulong)-1);
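Review bot: zeroreg in gen_div is now a tcg_constant_tl(0) but is still assigned in the same run as cond1, cond2 and resultopt1, which remain tcg_temp_new() values, and the next hunk drops only its tcg_temp_free. Someone matching allocations against frees at the end of the function will see one missing; either pass tcg_constant_tl(0) at the point of use and delete the local, or add a short comment that the constant is not freed. The same applies to zeroreg in gen_divu, gen_rem and gen_remu.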
@@ -268,7 +260,6 @@ static void gen_div(TCGv ret, TCGv source1, TCGv source2)
 
 tcg_temp_free(cond1);
 tcg_temp_free(cond2);
-tcg_temp_free(zeroreg);
 tcg_temp_free(resultopt1);
 }
 
@@ -277,7 +268,7 @@ static void gen_divu(TCGv ret, TCGv source1, TCGv source2)
 TCGv cond1, zeroreg, resultopt1;
 cond1 = tcg_temp_new();
 
-zeroreg = tcg_const_tl(0);
+zeroreg = tcg_constant_tl(0);
 resultopt1 = tcg_temp_new();
 
 tcg_gen_setcondi_tl(TCG_COND_EQ, cond1, source2, 0);
@@ -290,7 +281,6 @@ static void gen_divu(TCGv ret, TCGv source1, TCGv source2)
 tcg_gen_divu_tl(ret, source1, source2);
 
 tcg_temp_free(cond1);
-tcg_temp_free(zeroreg);
 tcg_temp_free(resultopt1);
 }
 
@@ -300,7 +290,7 @@ static void gen_rem(TCGv ret, TCGv source1, TCGv source2)
 
 cond1 = tcg_temp_new();
 cond2 = tcg_temp_new();
-zeroreg = tcg_const_tl(0);
+zeroreg = tcg_constant_tl(0);
 resultopt1 = tcg_temp_new();
 
 tcg_gen_movi_tl(resultopt1, 1L);
@@ -320,7 +310,6 @@ static void gen_rem(TCGv ret, TCGv source1, TCGv source2)
 
 tcg_temp_free(cond1);
 tcg_temp_free(cond2);
-tcg_temp_free(zeroreg);
 tcg_temp_free(resultopt1);
 }
 
@@ -328,7 +317,7 @@ static void gen_remu(TCGv ret, TCGv source1, TCGv source2)
 {
 TCGv cond1, zeroreg, resultopt1;
 cond1 = tcg_temp_new();
-zeroreg = tcg_const_tl(0);
+zeroreg = tcg_constant_tl(0);
 resultopt1 = tcg_temp_new();
 
 tcg_gen_movi_tl(resultopt1, (target_ulong)1);
@@ -341,7 +330,6 @@ static void gen_remu(TCGv ret, TCGv source1, TCGv source2)
 source1);
 
 tcg_temp_free(cond1);
-tcg_temp_free(zeroreg);
 tcg_temp_free(resultopt1);
 }
 
@@ -402,15 +390,11 @@ static inline void mark_fs_dirty(DisasContext *ctx) { }
 
 static void gen_set_rm(DisasContext *ctx, int rm)
 {
-TCGv_i32 t0;
-
 if (ctx->frm == rm) {
 return;
 }
 ctx->frm = rm;
-t0 = tcg_const_i32(rm);
-gen_helper_set_rounding_mode(cpu_env, t0);
-tcg_temp_free_i32(t0);
+gen_helper_set_rounding_mode(cpu_env, tcg_constant_i32(rm));
 }
 
 static int ex_plus_1(DisasContext *ctx, int nf)
diff --git a/target/riscv/insn_trans/trans_rvf.c.inc 
b/target/riscv/insn_trans/trans_rvf.c.inc
index db1c0c9974..89f78701e7 100644
--- a/target/riscv/insn_trans/trans_rvf.c.inc
+++ b/target/riscv/insn_trans/trans_rvf.c.inc
@@ -200,12 +200,11 @@ static bool trans_fsgnjn_s(DisasContext *ctx, 
arg_fsgnjn_s *a)
  * Replace bit 31 in rs1 with inverse i

[PATCH 08/17] target/riscv: Use gpr_{src, dst} for word shift operations

2021-07-08 Thread Richard Henderson
For trans_sllw, we can just use gen_shiftw.  The others use
various tricks to reduce the tcg operation count.

Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvi.c.inc | 82 ++---
 1 file changed, 31 insertions(+), 51 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvi.c.inc 
b/target/riscv/insn_trans/trans_rvi.c.inc
index a422dc9ef4..840187a4d6 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -352,24 +352,23 @@ static bool trans_slliw(DisasContext *ctx, arg_slliw *a)
 static bool trans_srliw(DisasContext *ctx, arg_srliw *a)
 {
 REQUIRE_64BIT(ctx);
-TCGv t = tcg_temp_new();
-gen_get_gpr(t, a->rs1);
-tcg_gen_extract_tl(t, t, a->shamt, 32 - a->shamt);
-/* sign-extend for W instructions */
-tcg_gen_ext32s_tl(t, t);
-gen_set_gpr(a->rd, t);
-tcg_temp_free(t);
+
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+
+tcg_gen_extract_tl(dest, src1, a->shamt, 32 - a->shamt);
+tcg_gen_ext32s_tl(dest, dest);
 return true;
 }
 
 static bool trans_sraiw(DisasContext *ctx, arg_sraiw *a)
 {
 REQUIRE_64BIT(ctx);
-TCGv t = tcg_temp_new();
-gen_get_gpr(t, a->rs1);
-tcg_gen_sextract_tl(t, t, a->shamt, 32 - a->shamt);
-gen_set_gpr(a->rd, t);
-tcg_temp_free(t);
+
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+
+tcg_gen_sextract_tl(dest, src1, a->shamt, 32 - a->shamt);
 return true;
 }
 
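Review bot: The comment /* sign-extend for W instructions */ is dropped from trans_srliw while tcg_gen_ext32s_tl(dest, dest) stays. After tcg_gen_extract_tl(dest, src1, a->shamt, 32 - a->shamt) the sign extension only changes the result when a->shamt is 0, so without a comment the line looks redundant; keep a comment saying it is needed for the shamt == 0 case so a later cleanup does not remove it.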
@@ -388,64 +387,45 @@ static bool trans_subw(DisasContext *ctx, arg_subw *a)
 static bool trans_sllw(DisasContext *ctx, arg_sllw *a)
 {
 REQUIRE_64BIT(ctx);
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
-
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
-
-tcg_gen_andi_tl(source2, source2, 0x1F);
-tcg_gen_shl_tl(source1, source1, source2);
-
-tcg_gen_ext32s_tl(source1, source1);
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
-return true;
+return gen_shiftw(ctx, a, tcg_gen_shl_tl);
 }
 
 static bool trans_srlw(DisasContext *ctx, arg_srlw *a)
 {
 REQUIRE_64BIT(ctx);
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext2 = tcg_temp_new();
 
-/* clear upper 32 */
-tcg_gen_ext32u_tl(source1, source1);
-tcg_gen_andi_tl(source2, source2, 0x1F);
-tcg_gen_shr_tl(source1, source1, source2);
+tcg_gen_andi_tl(ext2, src2, 31);
+tcg_gen_ext32u_tl(dest, src1);
+tcg_gen_shr_tl(dest, dest, ext2);
+tcg_gen_ext32s_tl(dest, dest);
 
-tcg_gen_ext32s_tl(source1, source1);
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_temp_free(ext2);
 return true;
 }
 
 static bool trans_sraw(DisasContext *ctx, arg_sraw *a)
 {
 REQUIRE_64BIT(ctx);
-TCGv source1 = tcg_temp_new();
-TCGv source2 = tcg_temp_new();
 
-gen_get_gpr(source1, a->rs1);
-gen_get_gpr(source2, a->rs2);
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv src1 = gpr_src(ctx, a->rs1);
+TCGv src2 = gpr_src(ctx, a->rs2);
+TCGv ext2 = tcg_temp_new();
 
+tcg_gen_andi_tl(ext2, src2, 31);
 /*
- * first, trick to get it to act like working on 32 bits (get rid of
- * upper 32, sign extend to fill space)
+ * First, trick to get it to act like working on 32 bits
+ * (get rid of upper 32, sign extend to fill space)
  */
-tcg_gen_ext32s_tl(source1, source1);
-tcg_gen_andi_tl(source2, source2, 0x1F);
-tcg_gen_sar_tl(source1, source1, source2);
-
-gen_set_gpr(a->rd, source1);
-tcg_temp_free(source1);
-tcg_temp_free(source2);
+tcg_gen_ext32s_tl(dest, src1);
+tcg_gen_sar_tl(dest, dest, ext2);
 
+tcg_temp_free(ext2);
 return true;
 }
 
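Review bot: The order of operations in trans_srlw and trans_sraw now matters and nothing in the code says so. dest is no longer a private temp, so if gpr_dst(ctx, a->rd) and gpr_src(ctx, a->rs2) can refer to the same TCG value when rd equals rs2, the result is only right because tcg_gen_andi_tl(ext2, src2, 31) runs before the first write to dest. Add a one-line comment above the andi in both functions so it is not later moved below tcg_gen_ext32u_tl(dest, src1) or tcg_gen_ext32s_tl(dest, src1).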
-- 
2.25.1




[Bug 1899082] Re: ReplayKernel.test_x86_64_pc fails intermittently

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1899082

Title:
  ReplayKernel.test_x86_64_pc fails intermittently

Status in QEMU:
  Expired

Bug description:
  Even though this acceptance test is already skipped on GitLab CI, the
  intermittent failures can be seen on other environments too.

  The record phase works fine, but the replay phase fails to
  finish booting the kernel (until the expected place):

  16:34:47 DEBUG| [0.034498] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
  16:34:47 DEBUG| [0.034790] Spectre V2 : Spectre mitigation: LFENCE not serializing, switching to generic retpoline
  16:34:47 DEBUG| [0.035093] Spectre V2 : Mitigation: Full generic retpoline
  16:34:47 DEBUG| [0.035347] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
  16:34:47 DEBUG| [0.035667]
  16:36:02 ERROR|
  16:36:02 ERROR| Reproduced traceback from: /home/cleber/src/avocado/avocado/avocado/core/test.py:767
  16:36:02 ERROR| Traceback (most recent call last):
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/replay_kernel.py", line 92, in test_x86_64_pc
  16:36:02 ERROR| self.run_rr(kernel_path, kernel_command_line, console_pattern, shift=5)
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/replay_kernel.py", line 73, in run_rr
  16:36:02 ERROR| False, shift, args, replay_path)
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/replay_kernel.py", line 55, in run_vm
  16:36:02 ERROR| self.wait_for_console_pattern(console_pattern, vm)
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/boot_linux_console.py", line 53, in wait_for_console_pattern
  16:36:02 ERROR| vm=vm)
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/avocado_qemu/__init__.py", line 130, in wait_for_console_pattern
  16:36:02 ERROR| _console_interaction(test, success_message, failure_message, None, vm=vm)
  16:36:02 ERROR|   File "/var/lib/users/cleber/build/qemu/tests/acceptance/avocado_qemu/__init__.py", line 82, in _console_interaction
  16:36:02 ERROR| msg = console.readline().strip()
  16:36:02 ERROR|   File "/usr/lib64/python3.7/socket.py", line 575, in readinto
  16:36:02 ERROR| def readinto(self, b):
  16:36:02 ERROR|   File "/home/cleber/src/avocado/avocado/avocado/plugins/runner.py", line 77, in sigterm_handler
  16:36:02 ERROR| raise RuntimeError("Test interrupted by SIGTERM")
  16:36:02 ERROR| RuntimeError: Test interrupted by SIGTERM
  16:36:02 ERROR|

  On my workstation, I can replicate the failure roughly once every 50
  runs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1899082/+subscriptions



[Bug 1896342] Re: IDE ATA IDENTIFY WORD 106

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1896342

Title:
  IDE ATA IDENTIFY WORD 106

Status in QEMU:
  Expired

Bug description:
  The code at line 202 in hw/ide/core.c
   (https://git.qemu.org/?p=qemu.git;a=blob;f=hw/ide/core.c;#l201)
  hard codes bit 13 set.  However, get_physical_block_exp() can and may return
  0, which is a valid response. If get_physical_block_exp() does return zero, bit
  13 should not be set.

  ATAPI8 states (Section 7.17.7.73):
   "Bit 13 of word 106 shall be set to one to indicate that the device has more
   than one logical sector per physical sector"

  and gives the examples:
    Bits (3:0): 0 = 2^0 = 1 logical sector per physical sector
    Bits (3:0): 1 = 2^1 = 2 logical sector per physical sector
    Bits (3:0): 2 = 2^2 = 4 logical sector per physical sector
    Bits (3:0): 3 = 2^3 = 8 logical sector per physical sector

  Therefore, if bit 13 is set, bits 3:0 must be greater than zero.

  If get_physical_block_exp() returns zero then there is a 1:1 ratio and
  bit 13 must be 0.

  Just my opinion.

  Thanks,
  Ben

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1896342/+subscriptions
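
The rule argued in the report above, as an added example (not QEMU code and not part of the report): word 106 built with bit 13 always set, beside a version that sets it only for a non-zero exponent, plus a reader that rejects the inconsistent encoding. The function names are hypothetical, and the bits 15:14 validity marker is taken from the ATA specification rather than from the report.

```c
/* Added example: models the report's description, not QEMU's source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W106_VALID_MASK 0xC000u /* bits 15:14 */
#define W106_VALID      0x4000u /* bit 15 = 0, bit 14 = 1: word is valid */
#define W106_MULTI_LOG  0x2000u /* bit 13: >1 logical sector per physical */
#define W106_EXP_MASK   0x000Fu /* bits 3:0: log2(logical per physical) */

/* Behaviour the report describes: bit 13 set regardless of the exponent. */
uint16_t word106_bit13_hardcoded(unsigned exp)
{
    return (uint16_t)(W106_VALID | W106_MULTI_LOG | (exp & W106_EXP_MASK));
}

/* Behaviour the report asks for: bit 13 only when the exponent is non-zero. */
uint16_t word106_bit13_conditional(unsigned exp)
{
    uint16_t w = (uint16_t)(W106_VALID | (exp & W106_EXP_MASK));

    if (exp & W106_EXP_MASK) {
        w |= W106_MULTI_LOG;
    }
    return w;
}

/* IDENTIFY data is 256 little-endian 16-bit words. */
void identify_put_word(uint8_t *id, unsigned n, uint16_t v)
{
    id[2 * n] = (uint8_t)(v & 0xFF);
    id[2 * n + 1] = (uint8_t)(v >> 8);
}

uint16_t identify_get_word(const uint8_t *id, unsigned n)
{
    return (uint16_t)(id[2 * n] | (id[2 * n + 1] << 8));
}

/*
 * Returns the number of logical sectors per physical sector,
 *   0  if word 106 is not marked valid,
 *  -1  if bit 13 is set but bits 3:0 are zero (the case in the report).
 */
int logical_per_physical(const uint8_t *id)
{
    uint16_t w = identify_get_word(id, 106);
    unsigned exp = w & W106_EXP_MASK;

    if ((w & W106_VALID_MASK) != W106_VALID) {
        return 0;
    }
    if (!(w & W106_MULTI_LOG)) {
        return 1;               /* 1:1, exponent field not in use */
    }
    if (exp == 0) {
        return -1;              /* claims "more than one" but says 2^0 */
    }
    return 1 << exp;
}

int main(void)
{
    uint8_t id[512];
    unsigned exp;

    for (exp = 0; exp <= 3; exp++) {
        memset(id, 0, sizeof(id));
        identify_put_word(id, 106, word106_bit13_hardcoded(exp));
        printf("exp=%u hardcoded:   0x%04x -> %d\n", exp,
               identify_get_word(id, 106), logical_per_physical(id));
        identify_put_word(id, 106, word106_bit13_conditional(exp));
        printf("exp=%u conditional: 0x%04x -> %d\n", exp,
               identify_get_word(id, 106), logical_per_physical(id));
    }
    return 0;
}
```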



[Bug 1900122] Re: Unsupported ioctl: cmd=0xffffffff80685600 when accessing /dev/video* in aarch64 guest

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1900122

Title:
  Unsupported ioctl: cmd=0x80685600 when accessing /dev/video*
  in aarch64 guest

Status in QEMU:
  Expired

Bug description:
  **Description:**
  Any attempt to work with video in aarch64 architecture emulated on x86_64
  leads currently to the error "Function not implemented". For example:

  ```
  # v4l2-ctl -l --verbose
  Failed to open /dev/video0: Function not implemented

  root@12dd9b6fcfcb:/# ll /dev/video*
  crw-rw 1 root video 81, 0 Oct 16 09:23 /dev/video0
  crw-rw 1 root video 81, 1 Oct 16 09:23 /dev/video1

  ```

  **Steps to reproduce the issue:**

  I have the following setup:

  Host Hardware: x86_64 equipped with a webcam (tried different webcams)
  Host OS: Ubuntu 20.04.1

  Guest Architecture: aarch64
  Guest OS: Ubuntu 20.04 (also tried 16.x and 18.x)

  Emulation: qemu-user-static (also tried binfmt)

  Guest OS is running via Docker + QEMU

  ```
  ➜ cat /proc/sys/fs/binfmt_misc/qemu-aarch64
  enabled
  interpreter /usr/bin/qemu-aarch64-static
  flags: F
  offset 0
  magic 7f454c46020101000200b700
  mask ff00feff
  ```

  **Results received:**
  See description.

  
  **Environment:**

  * QEMU version: (if you can know it):

  ipxe-qemu-256k-compat-efi-roms/focal,now 1.0.0+git-20150424.a25a16d-0ubuntu4 all [installed,automatic]
  ipxe-qemu/focal-updates,now 1.0.0+git-20190109.133f4c4-0ubuntu3.2 all [installed,automatic]
  qemu-block-extra/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu-kvm/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed]
  qemu-system-common/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu-system-data/focal-updates,now 1:4.2-3ubuntu6.7 all [installed,automatic]
  qemu-system-gui/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu-system-x86/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu-user-binfmt/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu-user/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed]
  qemu-utils/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed,automatic]
  qemu/focal-updates,now 1:4.2-3ubuntu6.7 amd64 [installed]

  * Container application: Docker

  **Output of `docker version`, `podman version` or `singularity
  version`**

  ```
  ➜ docker version
  Client: Docker Engine - Community
   Version:           20.10.0-beta1
   API version:       1.40
   Go version:        go1.13.15
   Git commit:        ac365d7
   Built:             Tue Oct 13 18:15:22 2020
   OS/Arch:           linux/amd64
   Context:           default
   Experimental:      true

  Server: Docker Engine - Community
   Engine:
    Version:          19.03.13
    API version:      1.40 (minimum version 1.12)
    Go version:       go1.13.15
    Git commit:       4484c46d9d
    Built:            Wed Sep 16 17:01:20 2020
    OS/Arch:          linux/amd64
    Experimental:     false
   containerd:
    Version:          1.4.1
    GitCommit:        c623d1b36f09f8ef6536a057bd658b3aa8632828
   runc:
    Version:          1.0.0-rc92
    GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
   docker-init:
    Version:          0.18.0
    GitCommit:        fec3683

  ```

  Guest aarch64 runs in privileged mode:

  `docker run --privileged --device=/dev/video0:/dev/video0 --env
  DISPLAY=unix$DISPLAY -v $XAUTH:/root/.Xauthority  -v
  /tmp/.X11-unix:/tmp/.X11-unix -it --rm arm64v8/ubuntu:20.04 bash`

  **Additional information:**
  I also tried the binfmt way to register emulators. The output of `v4l2-ctl`
  was a little bit different:

  ```
  # v4l2-ctl -l
  Unsupported ioctl: cmd=0x80685600
  Failed to open /dev/video0: Function not implemented

  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1900122/+subscriptions



[PATCH 07/17] target/riscv: Use gpr_{src,dst} for integer load/store

2021-07-08 Thread Richard Henderson
Signed-off-by: Richard Henderson 
---
 target/riscv/insn_trans/trans_rvi.c.inc | 45 +++--
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvi.c.inc 
b/target/riscv/insn_trans/trans_rvi.c.inc
index a603925637..a422dc9ef4 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -138,15 +138,21 @@ static bool trans_bgeu(DisasContext *ctx, arg_bgeu *a)
 
 static bool gen_load(DisasContext *ctx, arg_lb *a, MemOp memop)
 {
-TCGv t0 = tcg_temp_new();
-TCGv t1 = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-tcg_gen_addi_tl(t0, t0, a->imm);
+TCGv dest = gpr_dst(ctx, a->rd);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv temp = NULL;
 
-tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, memop);
-gen_set_gpr(a->rd, t1);
-tcg_temp_free(t0);
-tcg_temp_free(t1);
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
+
+tcg_gen_qemu_ld_tl(dest, addr, ctx->mem_idx, memop);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 return true;
 }
 
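Review bot: The commit message is empty, but gen_load changes more than the accessors. The load now writes gpr_dst(ctx, a->rd) directly instead of a temp that was copied with gen_set_gpr after tcg_gen_qemu_ld_tl, and the a->imm == 0 case skips the add and the temp entirely. Please state both in the commit message and confirm that rd keeps its old value when the access faults, including the case where rd equals rs1 and addr and dest name the same register.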
@@ -177,19 +183,24 @@ static bool trans_lhu(DisasContext *ctx, arg_lhu *a)
 
 static bool gen_store(DisasContext *ctx, arg_sb *a, MemOp memop)
 {
-TCGv t0 = tcg_temp_new();
-TCGv dat = tcg_temp_new();
-gen_get_gpr(t0, a->rs1);
-tcg_gen_addi_tl(t0, t0, a->imm);
-gen_get_gpr(dat, a->rs2);
+TCGv addr = gpr_src(ctx, a->rs1);
+TCGv data = gpr_src(ctx, a->rs2);
+TCGv temp = NULL;
 
-tcg_gen_qemu_st_tl(dat, t0, ctx->mem_idx, memop);
-tcg_temp_free(t0);
-tcg_temp_free(dat);
+if (a->imm) {
+temp = tcg_temp_new();
+tcg_gen_addi_tl(temp, addr, a->imm);
+addr = temp;
+}
+
+tcg_gen_qemu_st_tl(data, addr, ctx->mem_idx, memop);
+
+if (temp) {
+tcg_temp_free(temp);
+}
 return true;
 }
 
-
 static bool trans_sb(DisasContext *ctx, arg_sb *a)
 {
 return gen_store(ctx, a, MO_SB);
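Review bot: The if (a->imm) { temp = tcg_temp_new(); ... addr = temp; } sequence and the matching if (temp) { tcg_temp_free(temp); } in gen_store duplicate what the previous hunk adds to gen_load. A small static helper that returns the effective address and reports whether a temp was allocated would keep the two paths from drifting apart.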
-- 
2.25.1




[Bug 1898954] Re: x86 f1 opcode hangs qemu

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1898954

Title:
  x86 f1 opcode hangs qemu

Status in QEMU:
  Expired

Bug description:
  I have qemu installed and running in linux and windows
  in linux i execute the following simple code in real mode of cpu in my vm
  90 nop
  90 nop
  90 nop
  f1 ;this should conjure up my interrupt handler from ivt int 1
  - end of code 
  it works properly in vbox, qemu linux, and even in my boot loader
  on a real platform
  it does not work fine in windows 10 (32 bit efi) based qemu
  ---
  all of the below was retyped there may be typo
  so onwards to the flawed software 
  ** for qemu-system-x86_64.exe **
  info version 
  4.2.0v4.2.0.11797-g2890edc853-dirty
  ** for qemu-system-i386.exe **
  info version 
  4.2.0v4.2.0.11797-g2890edc853-dirty
  ***
  my startup code is
  "d:\programs\qemu\qemu-system-x86_64.exe" -m 16M -boot a -fda "d:\floppy.img" -cpu Nehalem -machine pc
  ---
  also same flaw if i change above section to
  "d:\programs\qemu\qemu-system-i386.exe"

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1898954/+subscriptions



[Bug 1900352] Re: no sound in spice when VNC enabled

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1900352

Title:
  no sound in spice when VNC enabled

Status in QEMU:
  Expired

Bug description:
  Running Fedora32 with virt-manager → libvirt → qemu  I noticed that I
  got no sound in my spice client. The VM is configured with a SPICE-
  server and a QXL display, and in addition a VNC display.

  Apparently when I remove the VNC display, then the sound is routed
  just fine to the spice client: I can hear it, and
  `G_MESSAGES_DEBUG=all remote-viewer --spice-debug
  spice://localhost:5900` mentions SpicePlaybackChannel and
  SpiceRecordChannel. With the VNC server configured, such messages are
  missing, and I cannot hear the sound (which is sent by the guest OS to
  the virtual hardware).

  qemu-4.2.1-1.fc32

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1900352/+subscriptions



[Bug 1901892] Re: qemu-img create corrupts the qcow2 if the file already exists

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1901892

Title:
  qemu-img create corrupts the qcow2 if the file already exists

Status in QEMU:
  Expired

Bug description:
  When creating a disk using qemu-img create command, if the destination
  path of the qcow2 file already exists, it will show the error saying
  that it cannot get a lock so it exits with exit status 1 but it will
  corrupt the qcow2 file anyway.

  Steps to reproduce:
  1. Have a guest running with a root (vda) and a second device (vdc).
  In my case is a clean Ubuntu 16.04 image with kernel 4.4.0-190-generic x86_64
  vdc disk is called testadddisk-3.qcow2
  2. vdc is an xfs over lvm.
  pvcreate /dev/vdc
  vgcreate myVg /dev/vdc
  lvcreate -l+100%FREE -n myLv myVg
  mkfs.xfs /dev/mapper/myVg-myLv
  mount /dev/mapper/myVg-myLv /mnt
  3. Create disk IO on that device in the guest.
  while true ; do dd if=/dev/zero of=/mnt/testfile bs=1024 count=1000 ; sleep 1; done
  4. Execute the command to create a new device but use the same name of the
  device attached:
  sudo qemu-img create -f qcow2 testadddisk-3.qcow2 20G
  The output of the command is this:
  Formatting 'testadddisk-3.qcow2', fmt=qcow2 size=21474836480 cluster_size=65536 lazy_refcounts=off refcount_bits=16
  qemu-img: testadddisk-3.qcow2: Failed to get "write" lock
  Is another process using the image?

  The write continues in the guest, but when it is shut down and then powered
  on again you get this:
  error: Failed to start domain testadddisk
  error: internal error: process exited while connecting to monitor: 2020-10-27T22:00:51.628374Z qemu-system-x86_64: -drive file=/var/lib/vmImages/testadddisk-3.qcow2,format=qcow2,if=none,id=drive-virtio-disk2: Image is not in qcow2 format

  I ran the qemu-img create command under strace and I believe that
  first it tries to open the file in write mode, then does a truncate on
  it and after that says it cannot get a lock. The output is in the file
  attached. As well as the guest xml just in case.

  The host: 
  Ubuntu 18.04.5 LTS
  4.15.0-112-generic x86_64
  qemu packages installed:
  ii  qemu-block-extra:amd64  1:2.11+dfsg-1ubuntu7.32  amd64  extra block backend modules for qemu-system and qemu-utils
  ii  qemu-kvm                1:2.11+dfsg-1ubuntu7.31  amd64  QEMU Full virtualization on x86 hardware
  ii  qemu-system-common      1:2.11+dfsg-1ubuntu7.32  amd64  QEMU full system emulation binaries (common files)
  ii  qemu-system-x86         1:2.11+dfsg-1ubuntu7.31  amd64  QEMU full system emulation binaries (x86)
  ii  qemu-utils              1:2.11+dfsg-1ubuntu7.32  amd64  QEMU utilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1901892/+subscriptions
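
The ordering described in the report above, as an added example (not QEMU code and not part of the report): the same create routine written truncate-then-lock and lock-then-truncate, run while another open file description holds the lock. flock() is an assumed stand-in for the image lock, and the function names and the /tmp template are hypothetical.

```c
/* Added example: flock() stands in for the image lock; not QEMU's source. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define IMAGE_BYTES 4096        /* size of the constructed "disk image" */

/* Order the report infers from strace: O_TRUNC empties the file at
 * open() time, and only afterwards do we learn that the lock is held. */
int create_truncate_then_lock(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);

    if (fd < 0) {
        return -errno;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int err = errno;
        close(fd);
        return -err;            /* failure is reported, data is already gone */
    }
    /* ... a real tool would write the new image header here ... */
    close(fd);
    return 0;
}

/* Safe order: open without O_TRUNC, take the lock, and only then discard
 * the old contents. A lock failure leaves the file untouched. */
int create_lock_then_truncate(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0644);

    if (fd < 0) {
        return -errno;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    if (ftruncate(fd, 0) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    close(fd);
    return 0;
}

/* Simulates the running guest: a separate open file description holds an
 * exclusive lock on a populated image while create() is attempted.
 * Returns the image size afterwards (-1 on setup failure); *rc receives
 * the result of create(). */
long attempt_while_locked(int (*create)(const char *), int *rc)
{
    char path[] = "/tmp/lock-order-demo-XXXXXX";
    char block[IMAGE_BYTES];
    struct stat st;
    long size = -1;
    int holder = mkstemp(path);

    if (holder < 0) {
        return -1;
    }
    memset(block, 0xAB, sizeof(block));
    if (write(holder, block, sizeof(block)) == (ssize_t)sizeof(block) &&
        flock(holder, LOCK_EX | LOCK_NB) == 0) {
        *rc = create(path);
        if (stat(path, &st) == 0) {
            size = (long)st.st_size;
        }
    }
    close(holder);
    unlink(path);
    return size;
}

int main(void)
{
    int rc = 0;
    long size = attempt_while_locked(create_truncate_then_lock, &rc);

    printf("truncate-then-lock: rc=%d size=%ld\n", rc, size);
    size = attempt_while_locked(create_lock_then_truncate, &rc);
    printf("lock-then-truncate: rc=%d size=%ld\n", rc, size);
    return 0;
}
```

Both variants report the same lock error; only the file size afterwards shows which one destroyed the image.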



[Bug 1901068] Re: Deleted tests are still run if they exist in the build tree

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1901068

Title:
  Deleted tests are still run if they exist in the build tree

Status in QEMU:
  Expired

Bug description:
  Steps to reproduce:
  1. Add a new device along with a qtest to exercise it.
  2. Run make check-qtest. It passes.
  3. Revert the commit that added the device and qtest.
  4. Run make check-qtest again. It now fails because the device no longer
  exists, but the test is somehow still there even though the source files are
  gone and it's not mentioned in tests/qtest/meson.build.

  After running make clean, make check-qtest passes again.

  $ git describe
  v5.1.0-2465-g4c5b97bfd0

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1901068/+subscriptions



[PATCH 00/17] target/riscv: Use tcg_constant_*

2021-07-08 Thread Richard Henderson
Replace use of tcg_const_*, which makes a copy into a temp
which must be freed, with direct use of the constant.

Reorg handling of $zero, with different accessors for
source and destination.

Reorg handling of csrs, passing the actual write_mask
instead of a regno.

Use more helpers for RVH expansion.


r~


Richard Henderson (17):
  target/riscv: Use tcg_constant_*
  target/riscv: Introduce gpr_src, gpr_dst
  target/riscv: Use gpr_{src,dst} in shift operations
  target/riscv: Use gpr_{src,dst} in word division operations
  target/riscv: Use gpr_{src,dst} and tcg_constant_tl in gen_grevi
  target/riscv: Use gpr_src in branches
  target/riscv: Use gpr_{src,dst} for integer load/store
  target/riscv: Use gpr_{src,dst} for word shift operations
  target/riscv: Reorg csr instructions
  target/riscv: Use gpr_{src,dst} for RVA
  target/riscv: Use gpr_{src,dst} for RVB
  target/riscv: Use gpr_{src,dst} for RVF
  target/riscv: Use gpr_{src,dst} for RVD
  target/riscv: Tidy trans_rvh.c.inc
  target/riscv: Use gen_arith for mulh and mulhu
  target/riscv: Use gpr_{src,dst} for RVV
  target/riscv: Remove gen_get_gpr

 target/riscv/helper.h   |   6 +-
 target/riscv/insn32.decode  |   1 +
 target/riscv/op_helper.c|  18 +-
 target/riscv/translate.c| 273 +---
 target/riscv/insn_trans/trans_rva.c.inc |  42 ++--
 target/riscv/insn_trans/trans_rvb.c.inc |  11 +-
 target/riscv/insn_trans/trans_rvd.c.inc | 116 -
 target/riscv/insn_trans/trans_rvf.c.inc | 134 --
 target/riscv/insn_trans/trans_rvh.c.inc | 264 ---
 target/riscv/insn_trans/trans_rvi.c.inc | 322 ++--
 target/riscv/insn_trans/trans_rvm.c.inc |  24 +-
 target/riscv/insn_trans/trans_rvv.c.inc | 144 ---
 12 files changed, 534 insertions(+), 821 deletions(-)

-- 
2.25.1




[Bug 1900919] Re: PXB selected as root bus incorrectly

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1900919

Title:
  PXB selected as root bus incorrectly

Status in QEMU:
  Expired

Bug description:
  release: 4c41341af76cfc85b5a6c0f87de4838672ab9f89

  qdev_device_add() will search for the "closest" bus possible, and bail out
  early if that bus is a root bus. pxb devices are considered root buses and so
  if you either
  1. Add a PCI device on the QEMU command line *after* a pxb device, or
  2. Add an integrated PCI device (like a watchdog)

  #1: -device pxb-pcie,id=cxl.0,bus=pcie.0,bus_nr=52 -device ahci,id=sata0,addr=0x8
  #2: -watchdog i6300esb -device pxb-pcie,id=cxl.0,bus=pcie.0,bus_nr=52

  The PXB will get selected as the bus (instead of the real root bus)
  and this will cause an assertion failure with the message like
  "qemu-system-x86_64: -device ahci,id=sata0,addr=0x8: PCI: Only PCI/PCIe
  bridges can be plugged into pxb-pcie"

  I think this is relatively solvable in the code base by determining if
  a bus is an expander, and skipping it if so. However, I wonder if it
  makes more sense to just allow expanders to have endpoint devices.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1900919/+subscriptions



[Bug 1902267] Re: CPU not support 32-bit stack in 32-bit unreal mode

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902267

Title:
  CPU not support 32-bit stack in 32-bit unreal mode

Status in QEMU:
  Expired

Bug description:
  QEMU version 5.0.0 supports 32-bit and 16-bit unreal mode. Great!
  Unfortunately, QEMU does not support 32-bit stack in unreal 32-bit mode.
  After the INT instruction, the stack is switched to 16-bit, which should not be the case.
  In BOCHS, my code works 100%. In QEMU it does not work.

  Sample code to find out:

  use32
  cli
  mov ax,cs
  shl eax,16
  mov ax,NewInt80h
  mov [IDT32+4*80h],eax
  mov edx,esp
  mov esp,0x1
  int 80h
  NewInt80h:
  xchg esp,edx
  cmp edx,0x1-6
  jnz IsStack16Bit

  Stack selector loaded from GDT:
  GDT:
  real32_GDT
  dq 0
  dw 0x,0x,9A00h,0xCF ; 32-bit code descriptor
  dw 0x,0x,9200h,0x8F ;   4 GB data descriptor
  dw 0x,0x,9A00h,0x00 ; 16-bit code descriptor
  dw 0x,0x,9200h,0xCF ; 32-bit data descriptor stack

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1902267/+subscriptions



[Bug 1902451] Re: incorrect cpuid feature detection

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902451

Title:
  incorrect cpuid feature detection

Status in QEMU:
  Expired

Bug description:
  Hello,

  I am currently developing a x64 kernel and I wanted to check through
  cpuid if some features are available in the guest. When I try to
  enable cpu features like vmcb_clean or constant_tsc qemu is saying
  that my host doesn't support the requested features. However cat
  /proc/cpuinfo tells a different story:

  model name:  AMD Ryzen 5 3500U
  flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb 
rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf 
pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx 
f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 
3dnowprefetch osvw skinit wdt tce topoext perfctr_core perfctr_nb bpext 
perfctr_llc mwaitx cpb hw_pstate sme pti ssbd sev ibpb vmmcall fsgsbase bmi1 
avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 xsaves 
clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean 
flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif 
overflow_recov succor smca

  I also checked it myself by running cpuid and checking the bits as in the
  AMD Manual. Everything checks out but qemu still fails.

  QEMU version: QEMU emulator version 4.2.0

  $ qemu-system-x86_64 -cpu host,+vmcb_clean,enforce -enable-kvm -drive format=raw,file=target/x86_64-os/debug/bootimage-my_kernel.bin -serial stdio -display none
  qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.800AH:EDX.vmcb-clean [bit 5]
  qemu-system-x86_64: Host doesn't support requested features

  or

  $ qemu-system-x86_64 -cpu host,+constant_tsc,enforce -enable-kvm -drive format=raw,file=target/x86_64-os/debug/bootimage-my_kernel.bin -serial stdio -display none
  qemu-system-x86_64: Property '.constant_tsc' not found

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1902451/+subscriptions



[Bug 1901359] Re: ignore bit 0 in pci CONFIG_ADDRESS register write for Type 1 access

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1901359

Title:
  ignore bit 0 in pci CONFIG_ADDRESS register write for Type 1 access

Status in QEMU:
  Expired

Bug description:
  I've recently stumbled upon a bug in the Plan9 PCI config space access
  routines for config mode #1.

  The code used to set bit 0 in the CONFIG_ADDRESS register for a Type 1
  access.

  This was most likely a misreading of the PCI local bus specification
  on our side.

  However, in the PCI local bus specification 3.0, it states the
  following:

  > 3.2.2.3.2 Software Generation of Configuration Transactions
  > ...
  > For Type 1 translations, the host bridge directly copies the contents of the
  > CONFIG_ADDRESS register (excluding bits 31 and 0) onto the PCI AD lines during the
  > address phase of a configuration transaction making sure that AD[1::0] is "01".

  note the: "excluding bits 31 and 0"

  What happens in qemu instead is that it uses bit 0 of the CONFIG_ADDRESS
  register as part of the register offset (when it probably should ignore it)
  when translating from Type 1 to Type 0 address. So once it reaches the device
  behind the bridge the register address is off by one.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1901359/+subscriptions
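
The off-by-one described in the report above, as an added C example (not code from the report, Plan 9 or QEMU): it decodes a CONFIG_ADDRESS value once with bits 1:0 kept in the register offset and once with them masked. The struct and function names and the sample address are constructed for illustration; the example masks both low bits because the register number occupies bits 7:2.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * CONFIG_ADDRESS layout for PCI configuration mechanism #1:
 *   bit 31 enable | 23:16 bus | 15:11 device | 10:8 function | 7:2 register
 *   bits 1:0 carry no register address; the byte within the dword is chosen
 *   by which CONFIG_DATA byte lane (0..3) the access uses.
 */
typedef struct {
    int      enabled;   /* bit 31 */
    uint8_t  bus, dev, fn;
    uint16_t offset;    /* byte offset delivered to the target device */
} cfg_access;

/* Build a CONFIG_ADDRESS value; low_bits models a guest that sets bits 1:0. */
uint32_t make_config_address(uint8_t bus, uint8_t dev, uint8_t fn,
                             uint8_t reg, uint8_t low_bits)
{
    return 0x80000000u | ((uint32_t)bus << 16) |
           ((uint32_t)(dev & 0x1f) << 11) | ((uint32_t)(fn & 0x7) << 8) |
           (reg & 0xfcu) | (low_bits & 0x3u);
}

/* Shared decode; reg_mask decides which low address bits reach the device. */
static cfg_access decode(uint32_t addr, unsigned lane, uint32_t reg_mask)
{
    cfg_access a;
    a.enabled = (int)((addr >> 31) & 1);
    a.bus = (uint8_t)((addr >> 16) & 0xff);
    a.dev = (uint8_t)((addr >> 11) & 0x1f);
    a.fn  = (uint8_t)((addr >> 8) & 0x7);
    a.offset = (uint16_t)((addr & reg_mask) | (lane & 3));
    return a;
}

/* Behaviour the report describes: bits 1:0 leak into the register offset. */
cfg_access decode_keep_low_bits(uint32_t addr, unsigned lane)
{
    return decode(addr, lane, 0xffu);
}

/* Decode following the quoted spec text: only bits 7:2 select the register. */
cfg_access decode_mask_low_bits(uint32_t addr, unsigned lane)
{
    return decode(addr, lane, 0xfcu);
}

int main(void)
{
    /* Constructed sample: bus 1, device 2, function 0, register 0x10, bit 0 set. */
    uint32_t addr = make_config_address(1, 2, 0, 0x10, 0x1);
    cfg_access bad = decode_keep_low_bits(addr, 0);
    cfg_access ok  = decode_mask_low_bits(addr, 0);
    printf("CONFIG_ADDRESS=0x%08x\n", (unsigned)addr);
    printf("keep low bits: %02x:%02x.%x offset 0x%02x\n", bad.bus, bad.dev, bad.fn, bad.offset);
    printf("mask low bits: %02x:%02x.%x offset 0x%02x\n", ok.bus, ok.dev, ok.fn, ok.offset);
    return 0;
}
```

With bit 0 set, the first decode hands the device offset 0x11 instead of 0x10, so a guest driver that sets the bit reads or writes the wrong register behind the bridge.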



[Bug 1902394] Re: Guest stuck in Paused state right after created It

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902394

Title:
  Guest stuck in Paused state right after created It

Status in QEMU:
  Expired

Bug description:
  I'm using CentOS 8. I have tried to use many distributions, such as
  CentOS, Ubuntu, Debian, ..., on the guest, but all the VMs still get
  into the paused state immediately after using virt-install (I have tried
  using virt-manager too).

  CPU INFO :
  Architecture:x86_64
  CPU op-mode(s):  32-bit, 64-bit
  Byte Order:  Little Endian
  CPU(s):  8
  On-line CPU(s) list: 0-7
  Thread(s) per core:  1
  Core(s) per socket:  1
  Socket(s):   8
  NUMA node(s):1
  Vendor ID:   GenuineIntel
  CPU family:  6
  Model:   85
  Model name:  Intel(R) Xeon(R) Silver 4214 CPU @ 2.20GHz
  Stepping:7
  CPU MHz: 2199.998
  BogoMIPS:4399.99
  Virtualization:  VT-x
  Hypervisor vendor:   KVM
  Virtualization type: full
  L1d cache:   32K
  L1i cache:   32K
  L2 cache:4096K
  L3 cache:16384K
  NUMA node0 CPU(s):   0-7
  Flags:   fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca 
cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm 
constant_tsc arch_perfmon rep_good nopl xtopology cpuid tsc_known_freq pni 
pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt 
tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 
3dnowprefetch invpcid_single pti ssbd ibrs ibpb tpr_shadow vnmi flexpriority 
ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx 
avx512f rdseed adx smap clflushopt clwb avx512cd xsaveopt xsavec xgetbv1 arat

  VM Log :

  2020-10-31 08:29:51.737+: starting up libvirt version: 4.5.0, package: 
42.module_el8.2.0+320+13f867d7 (CentOS Buildsys , 
2020-05-28-17:13:31, ), qemu version: 
2.12.0qemu-kvm-2.12.0-99.module_el8.2.0+524+f765f7e0.4, kernel: 
4.18.0-193.28.1.el8_2.x86_64, hostname: interns.novalocal
  LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin 
QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name guest=cirros,debug-threads=on 
-S -object 
secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-18-cirros/master-key.aes
 -machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off 
-cpu 
Cascadelake-Server,ss=on,hypervisor=on,tsc-adjust=on,arch-capabilities=on,ibpb=on,skip-l1dfl-vmentry=on,invpcid=off,avx512dq=off,avx512bw=off,avx512vl=off,pku=off,avx512vnni=off,pdpe1gb=off
 -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 
ef9573a3-a02d-4ef0-86cb-e38da7b7b20d -no-user-config -nodefaults -chardev 
socket,id=charmonitor,fd=29,server,nowait -mon 
chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global 
kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global 
PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device 
ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device 
ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 
-device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 
-device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive 
file=/home/kvm/cirros-0.3.0-x86_64-disk.img,format=qcow2,if=none,id=drive-ide0-0-0
 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 
-netdev tap,fd=31,id=hostnet0 -device 
e1000,netdev=hostnet0,id=net0,mac=52:54:00:c3:32:b0,bus=pci.0,addr=0x3 -chardev 
pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev 
spicevmc,id=charchannel0,name=vdagent -device 
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice 
port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on
 -device 
qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2
 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev 
spicevmc,id=charredir0,name=usbredir -device 
usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev 
spicevmc,id=charredir1,name=usbredir -device 
usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -device 
virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -sandbox 
on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg 
timestamp=on
  2020-10-31T08:29:51.815604Z qemu-kvm: -chardev pty,id=charserial0: char 
device redirected to /dev/pts/1 (label charserial0)
  KVM: exception 0 exit (error code 0x0)
  EAX=0

[Bug 1902262] Re: vmstate_load_state return error into virtio_load function

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902262

Title:
  vmstate_load_state return error into virtio_load function

Status in QEMU:
  Expired

Bug description:
  Qemu version 4.2.1

  In the function virtio_load, vmstate_load_state will return an
  error in the following case.

  The virtio is in legacy mode (disable-modern=on,disable-legacy=off), and
  the virtio_device is in reset state.

  In the function "vmstate_load_state", it will load all subsections. For
  the vmstate_virtio_extra_state subsection, it will execute:
  vmstate_load_state   -->
    ret = field->info->get(f, curr_elem, size, field);    line 143 vmstate.c.
     --> virtio_pci_load_extra_state
      --> vmstate_load_state
       --> qemu_peek_byte
  But if f->buf_index is the same as buf_size, the qemu_peek_byte function will
  set the "-EIO" error.
  field->info->get will return 0, then it will get the error from "ret =
  qemu_file_get_error(f);", and then vmstate_load_state will return an error.

  Its output is "Failed to load virtio/extra_state:extra_state"

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1902262/+subscriptions



[Bug 1903493] Re: About wireless network card bridging

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1903493

Title:
  About wireless network card bridging

Status in QEMU:
  Expired

Bug description:
  As a rookie, I don’t know if I should ask this question here. If it’s
  not right, I hope people who see it can help submit it to the right
  place. Can Qemu or kvm add wireless network card bridging? After all,
  now you see that vbox and vmware can directly choose wireless network
  card bridging, and even hyper-v can be easily set up; arp proxy is too
  difficult for us rookies. I hope that qemu or other links can add a
  function to bridge the wireless network card, which can be directly
  set in virt-manager (for so many years, it seems that I can only use
  bridge-utils to bridge the Ethernet, and now more and more laptops
  don't have Ethernet ports).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1903493/+subscriptions



[Bug 1902365] Re: 3x 100% host CPU core usage while virtual machine is in idle

2021-07-08 Thread Launchpad Bug Tracker
[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902365

Title:
  3x 100% host CPU core usage while virtual machine is in idle

Status in QEMU:
  Expired

Bug description:
  On my Fedora 33 machine, the "top" command shows the qemu-system-x86_64
  process using ~300% CPU, which means 3x CPU cores at 100%. Since the virtual
  machine (named CentOS 8) is almost idle (the top command inside the VM
  shows ~0% CPU usage), there must be something wrong. I attach the qemu
  process GDB backtrace and the virtual machine libvirt XML.

  Host details:
  libvirt-6.6.0-2.fc33.x86_64
  qemu-system-x86-5.1.0-5.fc33.x86_64
  virt-manager-3.1.0-1.fc33.noarch
  kernel 5.8.16-300.fc33.x86_64
  CPU: AMD Ryzen 5 3600

  # gdb qemu-system-x86_64 405756
  GNU gdb (GDB) Fedora 9.2-7.fc33
  Copyright (C) 2020 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later 
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Type "show copying" and "show warranty" for details.
  This GDB was configured as "x86_64-redhat-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  .
  Find the GDB manual and other documentation resources online at:
  .

  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  Reading symbols from qemu-system-x86_64...
  Reading symbols from .gnu_debugdata for /usr/bin/qemu-system-x86_64...
  (No debugging symbols found in .gnu_debugdata for /usr/bin/qemu-system-x86_64)
  Attaching to program: /usr/bin/qemu-system-x86_64, process 405756
  [New LWP 405788]
  [New LWP 405798]
  [New LWP 405799]
  [New LWP 405800]
  [New LWP 405801]
  [New LWP 405802]
  [New LWP 405804]
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib64/libthread_db.so.1".
  0x7f549d0bdb0e in ppoll () from target:/lib64/libc.so.6
  (gdb) set height 0
  (gdb) set print elements 0
  (gdb) set print frame-arguments all
  (gdb) thread apply all backtrace

  Thread 8 (Thread 0x7f53837ff640 (LWP 405804)):
  #0  0x7f549d0bda0f in poll () from target:/lib64/libc.so.6
  #1  0x7f549e4c2d1e in g_main_context_iterate.constprop () from 
target:/lib64/libglib-2.0.so.0
  #2  0x7f549e4716ab in g_main_loop_run () from 
target:/lib64/libglib-2.0.so.0
  #3  0x7f549dcfcc66 in red_worker_main.lto_priv () from 
target:/lib64/libspice-server.so.1
  #4  0x7f549d19c3f9 in start_thread () from target:/lib64/libpthread.so.0
  #5  0x7f549d0c8b03 in clone () from target:/lib64/libc.so.6

  Thread 7 (Thread 0x7f5390dfd640 (LWP 405802)):
  #0  0x7f549d0bf58b in ioctl () from target:/lib64/libc.so.6
  #1  0x55a60728ec87 in kvm_vcpu_ioctl ()
  #2  0x55a60728edc1 in kvm_cpu_exec ()
  #3  0x55a60734dc04 in qemu_kvm_cpu_thread_fn ()
  #4  0x55a6076dc0ff in qemu_thread_start ()
  #5  0x7f549d19c3f9 in start_thread () from target:/lib64/libpthread.so.0
  #6  0x7f549d0c8b03 in clone () from target:/lib64/libc.so.6

  Thread 6 (Thread 0x7f53915fe640 (LWP 405801)):
  #0  0x7f549d0bf58b in ioctl () from target:/lib64/libc.so.6
  #1  0x55a60728ec87 in kvm_vcpu_ioctl ()
  #2  0x55a60728edc1 in kvm_cpu_exec ()
  #3  0x55a60734dc04 in qemu_kvm_cpu_thread_fn ()
  #4  0x55a6076dc0ff in qemu_thread_start ()
  #5  0x7f549d19c3f9 in start_thread () from target:/lib64/libpthread.so.0
  #6  0x7f549d0c8b03 in clone () from target:/lib64/libc.so.6

  Thread 5 (Thread 0x7f5391dff640 (LWP 405800)):
  #0  0x7f549d0bf58b in ioctl () from target:/lib64/libc.so.6
  #1  0x55a60728ec87 in kvm_vcpu_ioctl ()
  #2  0x55a60728edc1 in kvm_cpu_exec ()
  #3  0x55a60734dc04 in qemu_kvm_cpu_thread_fn ()
  #4  0x55a6076dc0ff in qemu_thread_start ()
  #5  0x7f549d19c3f9 in start_thread () from target:/lib64/libpthread.so.0
  #6  0x7f549d0c8b03 in clone () from target:/lib64/libc.so.6

  Thread 4 (Thread 0x7f54988b7640 (LWP 405799)):
  #0  0x7f549d0bf58b in ioctl () from target:/lib64/libc.so.6
  #1  0x55a60728ec87 in kvm_vcpu_ioctl ()
  #2  0x55a60728edc1 in kvm_cpu_exec ()
  #3  0x55a60734dc04 in qemu_kvm_cpu_thread_fn ()
  #4  0x55a6076dc0ff in qemu_thread_start ()
  #5  0x7f549d19c3f9 in start_thread () from target:/lib64/libpthread.so.0
  #6  0x7f549d0c8b03 in clone () from target:/lib64/libc.so.6

  Thread 3 (Thread 0x7f549917b640 (LWP 405798)):
  #0  0x7f549d0bda0f in poll () from target:/lib64/libc.so.6
  #1  0x7f549e4c2d1e in g_main_context_iterate.constprop () from 
target:/lib64/libglib-2.0.so.0
  #2  0x7f549e4716ab i
