Re: [PATCH] hw/ssi: imx_spi: Improve chip select handling

2021-09-04 Thread Guenter Roeck

On 9/4/21 4:19 PM, Philippe Mathieu-Daudé wrote:

On 9/5/21 1:06 AM, Bin Meng wrote:

On Sun, Sep 5, 2021 at 1:13 AM Guenter Roeck wrote:


On 9/2/21 12:29 PM, Peter Maydell wrote:

On Thu, 2 Sept 2021 at 17:09, Guenter Roeck wrote:


On 9/2/21 8:58 AM, Peter Maydell wrote:

On Sun, 8 Aug 2021 at 02:34, Guenter Roeck wrote:


The control register does not really have a means to deselect
all chip selects directly. As a result, CS is effectively never
deselected, and connected flash chips fail to perform read
operations since they don't get the expected chip select signals
to reset their state machine.

Normally and per controller documentation one would assume that
chip select should be set whenever a transfer starts (XCH is
set or the tx fifo is written into), and that it should be disabled
whenever a transfer is complete. However, that does not work in
practice: attempts to implement this approach resulted in failures,
presumably because a single transaction can be split into multiple
transfers.

At the same time, there is no explicit signal from the host indicating
if chip select should be active or not. In the absence of such a direct
signal, use the burst length written into the control register to
determine if an access is ongoing or not. Disable all chip selects
if the burst length field in the configuration register is set to 0,
and (re-)enable chip select if a transfer is started. This is possible
because the Linux driver clears the burst length field whenever it
prepares the controller for the next transfer.
This solution is less than perfect since it effectively only disables
chip select when initiating the next transfer, but it does work with
Linux and should otherwise do no harm.

Stop complaining if the burst length field is set to a value of 0,
since that is done by Linux for every transfer.

With this patch, a command line parameter such as "-drive
file=flash.sabre,format=raw,if=mtd" can be used to instantiate the
flash chip in the sabrelite emulation. Without this patch, the
flash instantiates, but it only reads zeroes.

Signed-off-by: Guenter Roeck 
---
I am not entirely happy with this solution, but it is the best I was
able to come up with. If anyone has a better idea, I'll be happy
to give it a try.

hw/ssi/imx_spi.c | 17 +++--
1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 189423bb3a..7a093156bd 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -167,6 +167,8 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
DPRINTF("Begin: TX Fifo Size = %d, RX Fifo Size = %d\n",
fifo32_num_used(>tx_fifo), fifo32_num_used(>rx_fifo));

+qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);
+
while (!fifo32_is_empty(>tx_fifo)) {
int tx_burst = 0;
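
Review bot: The new `qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);` ahead of the `while` loop has no comment saying which level asserts the line. Going by the commit message this is the "(re-)enable chip select if a transfer is started" step, so a one-line comment stating that 0 selects the device, and pointing at where the line is released again, would make the pairing checkable; the release side is not part of this hunk.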

@@ -385,13 +387,6 @@ static void imx_spi_write(void *opaque, hwaddr offset, 
uint64_t value,
case ECSPI_CONREG:
s->regs[ECSPI_CONREG] = value;

-burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
-if (burst % 8) {
-qemu_log_mask(LOG_UNIMP,
-  "[%s]%s: burst length %d not supported: rounding up to 
next multiple of 8\n",
-  TYPE_IMX_SPI, __func__, burst);
-}
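
Review bot: Deleting the whole `if (burst % 8)` block in the `ECSPI_CONREG` case drops the LOG_UNIMP message for every unsupported burst length, while the commit message only asks to stop complaining when the field is 0. Since `burst` is the extracted field plus 1, a zero field gives 1 and trips the check; keeping the block and skipping it when the extracted field is 0 would match the stated intent.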


Why has this log message been removed ?


What I wanted to do is:

"Stop complaining if the burst length field is set to a value of 0,
since that is done by Linux for every transfer."

What I did instead is to remove the message entirely.

How about the rest of the patch ? Is it worth a resend with the message
restored (except for burst size == 0), or is it not acceptable anyway ?


I did the easy bit of the code review because answering this
question is probably a multiple-hour job...this is still on my
todo list, but I'm hoping somebody who understands the IMX
SPI device gets to it first.



Makes sense. Of course, it would be even better if someone can explain
how this works on real hardware.



I happened to notice this patch today. Better to cc people who once
worked on this part from "git blame" or "git log".


Even better if you add yourself as designated reviewer ;)

$ ./scripts/get_maintainer.pl -f hw/ssi/imx_spi.c
Alistair Francis  (maintainer:SSI)
Peter Maydell  (odd fixer:i.MX31 (kzm))
Jean-Christophe Dubois  (reviewer:SABRELITE / i.MX6)




In this context, it would be useful to know if real SPI flash chips
reset their state to idle under some conditions which are not covered
by the current code in hw/block/m25p80.c. Maybe the real problem is
as simple as that code setting data_read_loop when it should not,
or that it doesn't reset that flag when it should (unless I am missing
something, the flag is currently only reset by disabling chip select).


Plausible hypothesis.



Possibly. Note that I did check the flash chip specification, but I don't
see a notable difference to the qemu implementation. But then, again,
I may be 

Re: [PATCH] hw/ssi: imx_spi: Improve chip select handling

2021-09-04 Thread Guenter Roeck

On 9/4/21 4:06 PM, Bin Meng wrote:

On Sun, Sep 5, 2021 at 1:13 AM Guenter Roeck wrote:


On 9/2/21 12:29 PM, Peter Maydell wrote:

On Thu, 2 Sept 2021 at 17:09, Guenter Roeck wrote:


On 9/2/21 8:58 AM, Peter Maydell wrote:

On Sun, 8 Aug 2021 at 02:34, Guenter Roeck wrote:


The control register does not really have a means to deselect
all chip selects directly. As a result, CS is effectively never
deselected, and connected flash chips fail to perform read
operations since they don't get the expected chip select signals
to reset their state machine.

Normally and per controller documentation one would assume that
chip select should be set whenever a transfer starts (XCH is
set or the tx fifo is written into), and that it should be disabled
whenever a transfer is complete. However, that does not work in
practice: attempts to implement this approach resulted in failures,
presumably because a single transaction can be split into multiple
transfers.

At the same time, there is no explicit signal from the host indicating
if chip select should be active or not. In the absence of such a direct
signal, use the burst length written into the control register to
determine if an access is ongoing or not. Disable all chip selects
if the burst length field in the configuration register is set to 0,
and (re-)enable chip select if a transfer is started. This is possible
because the Linux driver clears the burst length field whenever it
prepares the controller for the next transfer.
This solution is less than perfect since it effectively only disables
chip select when initiating the next transfer, but it does work with
Linux and should otherwise do no harm.

Stop complaining if the burst length field is set to a value of 0,
since that is done by Linux for every transfer.

With this patch, a command line parameter such as "-drive
file=flash.sabre,format=raw,if=mtd" can be used to instantiate the
flash chip in the sabrelite emulation. Without this patch, the
flash instantiates, but it only reads zeroes.

Signed-off-by: Guenter Roeck 
---
I am not entirely happy with this solution, but it is the best I was
able to come up with. If anyone has a better idea, I'll be happy
to give it a try.

hw/ssi/imx_spi.c | 17 +++--
1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 189423bb3a..7a093156bd 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -167,6 +167,8 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
DPRINTF("Begin: TX Fifo Size = %d, RX Fifo Size = %d\n",
fifo32_num_used(>tx_fifo), fifo32_num_used(>rx_fifo));

+qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);
+
while (!fifo32_is_empty(>tx_fifo)) {
int tx_burst = 0;

@@ -385,13 +387,6 @@ static void imx_spi_write(void *opaque, hwaddr offset, 
uint64_t value,
case ECSPI_CONREG:
s->regs[ECSPI_CONREG] = value;

-burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
-if (burst % 8) {
-qemu_log_mask(LOG_UNIMP,
-  "[%s]%s: burst length %d not supported: rounding up to 
next multiple of 8\n",
-  TYPE_IMX_SPI, __func__, burst);
-}


Why has this log message been removed ?


What I wanted to do is:

"Stop complaining if the burst length field is set to a value of 0,
since that is done by Linux for every transfer."

What I did instead is to remove the message entirely.

How about the rest of the patch ? Is it worth a resend with the message
restored (except for burst size == 0), or is it not acceptable anyway ?


I did the easy bit of the code review because answering this
question is probably a multiple-hour job...this is still on my
todo list, but I'm hoping somebody who understands the IMX
SPI device gets to it first.



Makes sense. Of course, it would be even better if someone can explain
how this works on real hardware.



I happened to notice this patch today. Better to cc people who once
worked on this part from "git blame" or "git log".



I copy people and mailing lists as provided by scripts/get_maintainer.pl.
I don't think it would be appropriate to copy additional people; anyone
interested in patches for a specific file should be listed in
MAINTAINERS. After all, that is what it is for.


In this context, it would be useful to know if real SPI flash chips
reset their state to idle under some conditions which are not covered
by the current code in hw/block/m25p80.c. Maybe the real problem is
as simple as that code setting data_read_loop when it should not,
or that it doesn't reset that flag when it should (unless I am missing
something, the flag is currently only reset by disabling chip select).



One quick question, did you test this on the latest QEMU? Is that
Linux used for testing? There have been a number of bug fixes in
imx_spi recently.



I implemented and tested this patch on top of qemu v6.0.0, 

[PATCH] user: Mark cpu_loop() with noreturn attribute

2021-09-04 Thread Philippe Mathieu-Daudé
cpu_loop() never exits, so mark it with QEMU_NORETURN.

Signed-off-by: Philippe Mathieu-Daudé 
---
 bsd-user/qemu.h   | 2 +-
 linux-user/qemu.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h
index c02e8a5ca1a..05bee7aefe5 100644
--- a/bsd-user/qemu.h
+++ b/bsd-user/qemu.h
@@ -155,7 +155,7 @@ abi_long do_openbsd_syscall(void *cpu_env, int num, 
abi_long arg1,
 abi_long arg5, abi_long arg6);
 void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 extern THREAD CPUState *thread_cpu;
-void cpu_loop(CPUArchState *env);
+void QEMU_NORETURN cpu_loop(CPUArchState *env);
 char *target_strerror(int err);
 int get_osversion(void);
 void fork_start(void);
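
Review bot: `QEMU_NORETURN` on `cpu_loop()` is applied to the prototype only, so the guarantee rests on every bsd-user target's definition, none of which appear in this patch. If any of them can fall out of its loop the behaviour is undefined, so the commit message should say that all targets were built with this header and that no definition can return.
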
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 3b0b6b75fe8..5b2c764ae78 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -236,7 +236,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
 abi_long arg5, abi_long arg6, abi_long arg7,
 abi_long arg8);
 extern __thread CPUState *thread_cpu;
-void cpu_loop(CPUArchState *env);
+void QEMU_NORETURN cpu_loop(CPUArchState *env);
 const char *target_strerror(int err);
 int get_osversion(void);
 void init_qemu_uname_release(void);
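
Review bot: With `cpu_loop()` now `QEMU_NORETURN` in linux-user/qemu.h, any statements that callers place after the `cpu_loop(env)` call become unreachable. Please check the call sites and drop such leftovers, if there are any, in this patch so the annotation and the code agree.
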
-- 
2.31.1




[PATCH v2 23/24] accel/tcg: Restrict TCGCPUOps::cpu_exec_interrupt() to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
All targets call TCGCPUOps::cpu_exec_interrupt() from sysemu code.
Move its declaration to restrict it to system emulation.
Extend the code guarded.
Restrict the static inlined need_replay_interrupt() method to
avoid a "defined but not used" warning.

Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 include/hw/core/tcg-cpu-ops.h |  4 ++--
 accel/tcg/cpu-exec.c  | 10 +++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/hw/core/tcg-cpu-ops.h b/include/hw/core/tcg-cpu-ops.h
index 6c7ab9600ba..55123cb4d22 100644
--- a/include/hw/core/tcg-cpu-ops.h
+++ b/include/hw/core/tcg-cpu-ops.h
@@ -35,8 +35,6 @@ struct TCGCPUOps {
 void (*cpu_exec_enter)(CPUState *cpu);
 /** @cpu_exec_exit: Callback for cpu_exec cleanup */
 void (*cpu_exec_exit)(CPUState *cpu);
-/** @cpu_exec_interrupt: Callback for processing interrupts in cpu_exec */
-bool (*cpu_exec_interrupt)(CPUState *cpu, int interrupt_request);
 /**
  * @tlb_fill: Handle a softmmu tlb miss or user-only address fault
  *
@@ -68,6 +66,8 @@ struct TCGCPUOps {
 void (*do_interrupt)(CPUState *cpu);
 #endif /* !CONFIG_USER_ONLY || !TARGET_I386 */
 #ifdef CONFIG_SOFTMMU
+/** @cpu_exec_interrupt: Callback for processing interrupts in cpu_exec */
+bool (*cpu_exec_interrupt)(CPUState *cpu, int interrupt_request);
 /**
  * @do_transaction_failed: Callback for handling failed memory transactions
  * (ie bus faults or external aborts; not MMU faults)
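
Review bot: The `cpu_exec_interrupt` member is re-added under `#ifdef CONFIG_SOFTMMU`, while the cpu-exec.c part of this patch guards its use with `#if !defined(CONFIG_USER_ONLY)`, and the `#endif` just above is commented `!CONFIG_USER_ONLY || !TARGET_I386`. If the two conditions are meant to be equivalent here, using the same spelling for the declaration and its user would make that obvious; if they are not, a configuration where one holds and the other does not fails to build.
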
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 2838177e7f0..75dbc1e4e33 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -685,6 +685,7 @@ static inline bool cpu_handle_exception(CPUState *cpu, int 
*ret)
 return false;
 }
 
+#ifndef CONFIG_USER_ONLY
 /*
  * CPU_INTERRUPT_POLL is a virtual event which gets converted into a
  * "real" interrupt event later. It does not need to be recorded for
@@ -698,12 +699,11 @@ static inline bool need_replay_interrupt(int 
interrupt_request)
 return true;
 #endif
 }
+#endif /* !CONFIG_USER_ONLY */
 
 static inline bool cpu_handle_interrupt(CPUState *cpu,
 TranslationBlock **last_tb)
 {
-CPUClass *cc = CPU_GET_CLASS(cpu);
-
 /* Clear the interrupt flag now since we're processing
  * cpu->interrupt_request and cpu->exit_request.
  * Ensure zeroing happens before reading cpu->exit_request or
@@ -725,6 +725,7 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
 qemu_mutex_unlock_iothread();
 return true;
 }
+#if !defined(CONFIG_USER_ONLY)
 if (replay_mode == REPLAY_MODE_PLAY && !replay_has_interrupt()) {
 /* Do nothing */
 } else if (interrupt_request & CPU_INTERRUPT_HALT) {
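
Review bot: The `#if !defined(CONFIG_USER_ONLY)` added before `if (replay_mode == REPLAY_MODE_PLAY ...` opens in the middle of `cpu_handle_interrupt()` and is closed several hunks later, with a `TARGET_I386` conditional nested inside it. A short comment at the `#if` naming what is compiled out for user-mode would help. The same file uses `#ifndef CONFIG_USER_ONLY` for `need_replay_interrupt()`; one spelling would be easier to grep.
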
@@ -753,12 +754,14 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
 qemu_mutex_unlock_iothread();
 return true;
 }
-#endif
+#endif /* !TARGET_I386 */
 /* The target hook has 3 exit conditions:
False when the interrupt isn't processed,
True when it is, and we should restart on a new TB,
and via longjmp via cpu_loop_exit.  */
 else {
+CPUClass *cc = CPU_GET_CLASS(cpu);
+
 if (cc->tcg_ops->cpu_exec_interrupt &&
 cc->tcg_ops->cpu_exec_interrupt(cpu, interrupt_request)) {
 if (need_replay_interrupt(interrupt_request)) {
@@ -777,6 +780,7 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
  * reload the 'interrupt_request' value */
 interrupt_request = cpu->interrupt_request;
 }
+#endif /* !CONFIG_USER_ONLY */
 if (interrupt_request & CPU_INTERRUPT_EXITTB) {
 cpu->interrupt_request &= ~CPU_INTERRUPT_EXITTB;
 /* ensure that no TB jump will be modified as
-- 
2.31.1




[PATCH v2 22/24] target/xtensa: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/xtensa/cpu.h| 4 ++--
 target/xtensa/cpu.c| 2 +-
 target/xtensa/exc_helper.c | 7 ++-
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 1e0cb1535ca..cbb720e7cca 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -566,14 +566,14 @@ struct XtensaCPU {
 bool xtensa_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
  MMUAccessType access_type, int mmu_idx,
  bool probe, uintptr_t retaddr);
+#ifndef CONFIG_USER_ONLY
 void xtensa_cpu_do_interrupt(CPUState *cpu);
 bool xtensa_cpu_exec_interrupt(CPUState *cpu, int interrupt_request);
-#ifndef CONFIG_USER_ONLY
 void xtensa_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr, vaddr 
addr,
   unsigned size, MMUAccessType access_type,
   int mmu_idx, MemTxAttrs attrs,
   MemTxResult response, uintptr_t retaddr);
-#endif /* !CONFIG_USER_ONLY */
+#endif
 void xtensa_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr xtensa_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 void xtensa_count_regs(const XtensaConfig *config,
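
Review bot: The closing `#endif /* !CONFIG_USER_ONLY */` is replaced by a bare `#endif` even though the guarded block grows by two prototypes. Keep the trailing comment, as the other patches in this series do (`#endif /* !CONFIG_USER_ONLY */` in target/rx/cpu.h and target/m68k/cpu.h).
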
diff --git a/target/xtensa/cpu.c b/target/xtensa/cpu.c
index 58ec3a08622..c1cbd03595e 100644
--- a/target/xtensa/cpu.c
+++ b/target/xtensa/cpu.c
@@ -192,11 +192,11 @@ static const struct SysemuCPUOps xtensa_sysemu_ops = {
 
 static const struct TCGCPUOps xtensa_tcg_ops = {
 .initialize = xtensa_translate_init,
-.cpu_exec_interrupt = xtensa_cpu_exec_interrupt,
 .tlb_fill = xtensa_cpu_tlb_fill,
 .debug_excp_handler = xtensa_breakpoint_handler,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = xtensa_cpu_exec_interrupt,
 .do_interrupt = xtensa_cpu_do_interrupt,
 .do_transaction_failed = xtensa_cpu_do_transaction_failed,
 .do_unaligned_access = xtensa_cpu_do_unaligned_access,
diff --git a/target/xtensa/exc_helper.c b/target/xtensa/exc_helper.c
index 10e75ab070d..9bc7f50d355 100644
--- a/target/xtensa/exc_helper.c
+++ b/target/xtensa/exc_helper.c
@@ -255,11 +255,6 @@ void xtensa_cpu_do_interrupt(CPUState *cs)
 }
 check_interrupts(env);
 }
-#else
-void xtensa_cpu_do_interrupt(CPUState *cs)
-{
-}
-#endif
 
 bool xtensa_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
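
Review bot: Dropping the `#else` branch with the empty `xtensa_cpu_do_interrupt()` stub means a user-mode build no longer has that symbol at all, and the matching `#endif` moves to the end of the file in the next hunk. The commit message should state that nothing built for user-mode still references `xtensa_cpu_do_interrupt()` or `xtensa_cpu_exec_interrupt()`, since that is what makes the removal safe.
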
@@ -270,3 +265,5 @@ bool xtensa_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 }
 return false;
 }
+
+#endif /* !CONFIG_USER_ONLY */
-- 
2.31.1




[PATCH v2 21/24] target/rx: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/rx/cpu.h| 2 ++
 target/rx/cpu.c| 2 +-
 target/rx/helper.c | 4 
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/target/rx/cpu.h b/target/rx/cpu.h
index 0b4b998c7be..faa3606f52f 100644
--- a/target/rx/cpu.h
+++ b/target/rx/cpu.h
@@ -124,8 +124,10 @@ typedef RXCPU ArchCPU;
 #define CPU_RESOLVING_TYPE TYPE_RX_CPU
 
 const char *rx_crname(uint8_t cr);
+#ifndef CONFIG_USER_ONLY
 void rx_cpu_do_interrupt(CPUState *cpu);
 bool rx_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif /* !CONFIG_USER_ONLY */
 void rx_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 int rx_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
 int rx_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
diff --git a/target/rx/cpu.c b/target/rx/cpu.c
index 96cc96e514f..25a4aa2976d 100644
--- a/target/rx/cpu.c
+++ b/target/rx/cpu.c
@@ -186,10 +186,10 @@ static const struct SysemuCPUOps rx_sysemu_ops = {
 static const struct TCGCPUOps rx_tcg_ops = {
 .initialize = rx_translate_init,
 .synchronize_from_tb = rx_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = rx_cpu_exec_interrupt,
 .tlb_fill = rx_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = rx_cpu_exec_interrupt,
 .do_interrupt = rx_cpu_do_interrupt,
 #endif /* !CONFIG_USER_ONLY */
 };
diff --git a/target/rx/helper.c b/target/rx/helper.c
index db6b07e3890..f34945e7e2c 100644
--- a/target/rx/helper.c
+++ b/target/rx/helper.c
@@ -40,6 +40,8 @@ void rx_cpu_unpack_psw(CPURXState *env, uint32_t psw, int rte)
 env->psw_c = FIELD_EX32(psw, PSW, C);
 }
 
+#ifndef CONFIG_USER_ONLY
+
 #define INT_FLAGS (CPU_INTERRUPT_HARD | CPU_INTERRUPT_FIR)
 void rx_cpu_do_interrupt(CPUState *cs)
 {
@@ -142,6 +144,8 @@ bool rx_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 hwaddr rx_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
 {
 return addr;
-- 
2.31.1




[PATCH v2 17/24] target/ppc: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Acked-by: David Gibson 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/ppc/cpu.h |  4 ++--
 target/ppc/cpu_init.c|  2 +-
 target/ppc/excp_helper.c | 21 +++--
 3 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index 500205229c0..362e7c4c5c7 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -1254,8 +1254,6 @@ DECLARE_OBJ_CHECKERS(PPCVirtualHypervisor, 
PPCVirtualHypervisorClass,
  PPC_VIRTUAL_HYPERVISOR, TYPE_PPC_VIRTUAL_HYPERVISOR)
 #endif /* CONFIG_USER_ONLY */
 
-void ppc_cpu_do_interrupt(CPUState *cpu);
-bool ppc_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void ppc_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr ppc_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 int ppc_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
@@ -1271,6 +1269,8 @@ int ppc64_cpu_write_elf64_note(WriteCoreDumpFunction f, 
CPUState *cs,
 int ppc32_cpu_write_elf32_note(WriteCoreDumpFunction f, CPUState *cs,
int cpuid, void *opaque);
 #ifndef CONFIG_USER_ONLY
+void ppc_cpu_do_interrupt(CPUState *cpu);
+bool ppc_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void ppc_cpu_do_system_reset(CPUState *cs);
 void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, target_ulong vector);
 extern const VMStateDescription vmstate_ppc_cpu;
diff --git a/target/ppc/cpu_init.c b/target/ppc/cpu_init.c
index ad7abc6041a..6aad01d1d3a 100644
--- a/target/ppc/cpu_init.c
+++ b/target/ppc/cpu_init.c
@@ -9014,10 +9014,10 @@ static const struct SysemuCPUOps ppc_sysemu_ops = {
 
 static const struct TCGCPUOps ppc_tcg_ops = {
   .initialize = ppc_translate_init,
-  .cpu_exec_interrupt = ppc_cpu_exec_interrupt,
   .tlb_fill = ppc_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+  .cpu_exec_interrupt = ppc_cpu_exec_interrupt,
   .do_interrupt = ppc_cpu_do_interrupt,
   .cpu_exec_enter = ppc_cpu_exec_enter,
   .cpu_exec_exit = ppc_cpu_exec_exit,
diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index 7b6ac16eef7..d7e32ee107e 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -40,24 +40,8 @@
 
 /*/
 /* Exception processing */
-#if defined(CONFIG_USER_ONLY)
-void ppc_cpu_do_interrupt(CPUState *cs)
-{
-PowerPCCPU *cpu = POWERPC_CPU(cs);
-CPUPPCState *env = >env;
+#if !defined(CONFIG_USER_ONLY)
 
-cs->exception_index = POWERPC_EXCP_NONE;
-env->error_code = 0;
-}
-
-static void ppc_hw_interrupt(CPUPPCState *env)
-{
-CPUState *cs = env_cpu(env);
-
-cs->exception_index = POWERPC_EXCP_NONE;
-env->error_code = 0;
-}
-#else /* defined(CONFIG_USER_ONLY) */
 static inline void dump_syscall(CPUPPCState *env)
 {
 qemu_log_mask(CPU_LOG_INT, "syscall r0=%016" PRIx64
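
Review bot: The removed `CONFIG_USER_ONLY` stubs were not empty: both `ppc_cpu_do_interrupt()` and `ppc_hw_interrupt()` reset `cs->exception_index` to `POWERPC_EXCP_NONE` and cleared `env->error_code`. Please say in the commit message why user-mode no longer needs that reset (for instance that these functions were never reached there), because "Restrict cpu_exec_interrupt() and its callees to sysemu" does not cover a behaviour change.
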
@@ -1113,7 +1097,6 @@ void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, 
target_ulong vector)
 
 powerpc_set_excp_state(cpu, vector, msr);
 }
-#endif /* !CONFIG_USER_ONLY */
 
 bool ppc_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
@@ -1130,6 +1113,8 @@ bool ppc_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 #if defined(DEBUG_OP)
 static void cpu_dump_rfi(target_ulong RA, target_ulong msr)
 {
-- 
2.31.1




[PATCH v2 15/24] target/nios2: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/nios2/cpu.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/nios2/cpu.c b/target/nios2/cpu.c
index 5e37defef80..947bb09bc1e 100644
--- a/target/nios2/cpu.c
+++ b/target/nios2/cpu.c
@@ -127,6 +127,7 @@ static void nios2_cpu_realizefn(DeviceState *dev, Error 
**errp)
 ncc->parent_realize(dev, errp);
 }
 
+#ifndef CONFIG_USER_ONLY
 static bool nios2_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 Nios2CPU *cpu = NIOS2_CPU(cs);
@@ -140,7 +141,7 @@ static bool nios2_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 }
 return false;
 }
-
+#endif /* !CONFIG_USER_ONLY */
 
 static void nios2_cpu_disas_set_info(CPUState *cpu, disassemble_info *info)
 {
@@ -219,10 +220,10 @@ static const struct SysemuCPUOps nios2_sysemu_ops = {
 
 static const struct TCGCPUOps nios2_tcg_ops = {
 .initialize = nios2_tcg_init,
-.cpu_exec_interrupt = nios2_cpu_exec_interrupt,
 .tlb_fill = nios2_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = nios2_cpu_exec_interrupt,
 .do_interrupt = nios2_cpu_do_interrupt,
 .do_unaligned_access = nios2_cpu_do_unaligned_access,
 #endif /* !CONFIG_USER_ONLY */
-- 
2.31.1




[PATCH v2 14/24] target/mips: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/mips/tcg/tcg-internal.h  |  5 +++--
 target/mips/cpu.c   |  2 +-
 target/mips/tcg/exception.c | 18 --
 target/mips/tcg/sysemu/tlb_helper.c | 18 ++
 target/mips/tcg/user/tlb_helper.c   |  5 -
 5 files changed, 22 insertions(+), 26 deletions(-)

diff --git a/target/mips/tcg/tcg-internal.h b/target/mips/tcg/tcg-internal.h
index 81b14eb219e..c7a77ddccdd 100644
--- a/target/mips/tcg/tcg-internal.h
+++ b/target/mips/tcg/tcg-internal.h
@@ -18,8 +18,6 @@
 void mips_tcg_init(void);
 
 void mips_cpu_synchronize_from_tb(CPUState *cs, const TranslationBlock *tb);
-void mips_cpu_do_interrupt(CPUState *cpu);
-bool mips_cpu_exec_interrupt(CPUState *cpu, int int_req);
 bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
MMUAccessType access_type, int mmu_idx,
bool probe, uintptr_t retaddr);
@@ -41,6 +39,9 @@ static inline void QEMU_NORETURN 
do_raise_exception(CPUMIPSState *env,
 
 #if !defined(CONFIG_USER_ONLY)
 
+void mips_cpu_do_interrupt(CPUState *cpu);
+bool mips_cpu_exec_interrupt(CPUState *cpu, int int_req);
+
 void mmu_init(CPUMIPSState *env, const mips_def_t *def);
 
 void update_pagemask(CPUMIPSState *env, target_ulong arg1, int32_t *pagemask);
diff --git a/target/mips/cpu.c b/target/mips/cpu.c
index d426918291a..00e0c55d0e4 100644
--- a/target/mips/cpu.c
+++ b/target/mips/cpu.c
@@ -539,10 +539,10 @@ static const struct SysemuCPUOps mips_sysemu_ops = {
 static const struct TCGCPUOps mips_tcg_ops = {
 .initialize = mips_tcg_init,
 .synchronize_from_tb = mips_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = mips_cpu_exec_interrupt,
 .tlb_fill = mips_cpu_tlb_fill,
 
 #if !defined(CONFIG_USER_ONLY)
+.cpu_exec_interrupt = mips_cpu_exec_interrupt,
 .do_interrupt = mips_cpu_do_interrupt,
 .do_transaction_failed = mips_cpu_do_transaction_failed,
 .do_unaligned_access = mips_cpu_do_unaligned_access,
diff --git a/target/mips/tcg/exception.c b/target/mips/tcg/exception.c
index 4fb8b00711d..7b3026b105b 100644
--- a/target/mips/tcg/exception.c
+++ b/target/mips/tcg/exception.c
@@ -86,24 +86,6 @@ void mips_cpu_synchronize_from_tb(CPUState *cs, const 
TranslationBlock *tb)
 env->hflags |= tb->flags & MIPS_HFLAG_BMASK;
 }
 
-bool mips_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-{
-if (interrupt_request & CPU_INTERRUPT_HARD) {
-MIPSCPU *cpu = MIPS_CPU(cs);
-CPUMIPSState *env = >env;
-
-if (cpu_mips_hw_interrupts_enabled(env) &&
-cpu_mips_hw_interrupts_pending(env)) {
-/* Raise it */
-cs->exception_index = EXCP_EXT_INTERRUPT;
-env->error_code = 0;
-mips_cpu_do_interrupt(cs);
-return true;
-}
-}
-return false;
-}
-
 static const char * const excp_names[EXCP_LAST + 1] = {
 [EXCP_RESET] = "reset",
 [EXCP_SRESET] = "soft reset",
diff --git a/target/mips/tcg/sysemu/tlb_helper.c 
b/target/mips/tcg/sysemu/tlb_helper.c
index a150a014ec1..73254d19298 100644
--- a/target/mips/tcg/sysemu/tlb_helper.c
+++ b/target/mips/tcg/sysemu/tlb_helper.c
@@ -1339,6 +1339,24 @@ void mips_cpu_do_interrupt(CPUState *cs)
 cs->exception_index = EXCP_NONE;
 }
 
+bool mips_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+{
+if (interrupt_request & CPU_INTERRUPT_HARD) {
+MIPSCPU *cpu = MIPS_CPU(cs);
+CPUMIPSState *env = >env;
+
+if (cpu_mips_hw_interrupts_enabled(env) &&
+cpu_mips_hw_interrupts_pending(env)) {
+/* Raise it */
+cs->exception_index = EXCP_EXT_INTERRUPT;
+env->error_code = 0;
+mips_cpu_do_interrupt(cs);
+return true;
+}
+}
+return false;
+}
+
 void r4k_invalidate_tlb(CPUMIPSState *env, int idx, int use_extra)
 {
 CPUState *cs = env_cpu(env);
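
Review bot: `mips_cpu_exec_interrupt()` is added to sysemu/tlb_helper.c with a body identical to the one removed from tcg/exception.c, so this is pure code movement; say so in the commit message so reviewers do not need to diff the two bodies. A file named tlb_helper.c is also an odd home for an interrupt hook, though `mips_cpu_do_interrupt()` right above it sets the precedent.
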
diff --git a/target/mips/tcg/user/tlb_helper.c 
b/target/mips/tcg/user/tlb_helper.c
index b835144b820..210c6d529ef 100644
--- a/target/mips/tcg/user/tlb_helper.c
+++ b/target/mips/tcg/user/tlb_helper.c
@@ -57,8 +57,3 @@ bool mips_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 raise_mmu_exception(env, address, access_type);
 do_raise_exception_err(env, cs->exception_index, env->error_code, retaddr);
 }
-
-void mips_cpu_do_interrupt(CPUState *cs)
-{
-cs->exception_index = EXCP_NONE;
-}
-- 
2.31.1




[PATCH v2 12/24] target/m68k: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/m68k/cpu.h   |  2 ++
 target/m68k/cpu.c   |  2 +-
 target/m68k/op_helper.c | 16 +++-
 3 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 997d588911c..550eb028b6e 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -166,8 +166,10 @@ struct M68kCPU {
 };
 
 
+#ifndef CONFIG_USER_ONLY
 void m68k_cpu_do_interrupt(CPUState *cpu);
 bool m68k_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif /* !CONFIG_USER_ONLY */
 void m68k_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr m68k_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 int m68k_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index 72de6e97262..66d22d11895 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -515,10 +515,10 @@ static const struct SysemuCPUOps m68k_sysemu_ops = {
 
 static const struct TCGCPUOps m68k_tcg_ops = {
 .initialize = m68k_tcg_init,
-.cpu_exec_interrupt = m68k_cpu_exec_interrupt,
 .tlb_fill = m68k_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = m68k_cpu_exec_interrupt,
 .do_interrupt = m68k_cpu_do_interrupt,
 .do_transaction_failed = m68k_cpu_transaction_failed,
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target/m68k/op_helper.c b/target/m68k/op_helper.c
index d006d1cb3ea..5d624838ae6 100644
--- a/target/m68k/op_helper.c
+++ b/target/m68k/op_helper.c
@@ -24,18 +24,7 @@
 #include "semihosting/semihost.h"
 #include "tcg/tcg.h"
 
-#if defined(CONFIG_USER_ONLY)
-
-void m68k_cpu_do_interrupt(CPUState *cs)
-{
-cs->exception_index = -1;
-}
-
-static inline void do_interrupt_m68k_hardirq(CPUM68KState *env)
-{
-}
-
-#else
+#if !defined(CONFIG_USER_ONLY)
 
 static void cf_rte(CPUM68KState *env)
 {
@@ -516,7 +505,6 @@ void m68k_cpu_transaction_failed(CPUState *cs, hwaddr 
physaddr, vaddr addr,
 cpu_loop_exit(cs);
 }
 }
-#endif
 
 bool m68k_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
@@ -538,6 +526,8 @@ bool m68k_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 static void raise_exception_ra(CPUM68KState *env, int tt, uintptr_t raddr)
 {
 CPUState *cs = env_cpu(env);
-- 
2.31.1




[PATCH v2 24/24] user: Remove cpu_get_pic_interrupt() stubs

2021-09-04 Thread Philippe Mathieu-Daudé
cpu_get_pic_interrupt() is now unreachable from user-mode,
delete the unnecessary stubs.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/i386/cpu.h | 2 +-
 bsd-user/main.c   | 7 ---
 linux-user/main.c | 7 ---
 3 files changed, 1 insertion(+), 15 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index c241bc183d2..c7cc65e92d5 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1832,9 +1832,9 @@ int x86_cpu_gdb_write_register(CPUState *cpu, uint8_t 
*buf, int reg);
 void x86_cpu_list(void);
 int cpu_x86_support_mca_broadcast(CPUX86State *env);
 
+#ifndef CONFIG_USER_ONLY
 int cpu_get_pic_interrupt(CPUX86State *s);
 
-#ifndef CONFIG_USER_ONLY
 /* MSDOS compatibility mode FPU exception support */
 void x86_register_ferr_irq(qemu_irq irq);
 void fpu_check_raise_ferr_irq(CPUX86State *s);
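
Review bot: the commit message says cpu_get_pic_interrupt() is "now unreachable from user-mode" but does not name the patch that made it so. Moving "#ifndef CONFIG_USER_ONLY" above the prototype in this hunk means any leftover user-mode caller becomes a build failure instead of silently getting the stub's -1, so the ordering matters for bisection. Please reference the earlier patch in the series that restricts x86_cpu_exec_interrupt() (the CPU_INTERRUPT_HARD case calls cpu_get_pic_interrupt()) to sysemu.
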
diff --git a/bsd-user/main.c b/bsd-user/main.c
index fe66204b6b7..e358c38c353 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -66,13 +66,6 @@ void gemu_log(const char *fmt, ...)
 va_end(ap);
 }
 
-#if defined(TARGET_I386)
-int cpu_get_pic_interrupt(CPUX86State *env)
-{
-return -1;
-}
-#endif
-
 void fork_start(void)
 {
 }
diff --git a/linux-user/main.c b/linux-user/main.c
index a6094563b6b..45bde4598d5 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -120,13 +120,6 @@ const char *qemu_uname_release;
by remapping the process stack directly at the right place */
 unsigned long guest_stack_size = 8 * 1024 * 1024UL;
 
-#if defined(TARGET_I386)
-int cpu_get_pic_interrupt(CPUX86State *env)
-{
-return -1;
-}
-#endif
-
 /***/
 /* Helper routines for implementing atomic operations.  */
 
-- 
2.31.1




[PATCH v2 18/24] target/riscv: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/riscv/cpu.h| 2 +-
 target/riscv/cpu.c| 2 +-
 target/riscv/cpu_helper.c | 5 -
 3 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index bf1c899c00b..e735e53e26c 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -334,7 +334,6 @@ int riscv_cpu_write_elf32_note(WriteCoreDumpFunction f, 
CPUState *cs,
int cpuid, void *opaque);
 int riscv_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
 int riscv_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
-bool riscv_cpu_exec_interrupt(CPUState *cs, int interrupt_request);
 bool riscv_cpu_fp_enabled(CPURISCVState *env);
 bool riscv_cpu_virt_enabled(CPURISCVState *env);
 void riscv_cpu_set_virt_enabled(CPURISCVState *env, bool enable);
@@ -362,6 +361,7 @@ void riscv_cpu_list(void);
 #define cpu_mmu_index riscv_cpu_mmu_index
 
 #ifndef CONFIG_USER_ONLY
+bool riscv_cpu_exec_interrupt(CPUState *cs, int interrupt_request);
 void riscv_cpu_swap_hypervisor_regs(CPURISCVState *env);
 int riscv_cpu_claim_interrupts(RISCVCPU *cpu, uint32_t interrupts);
 uint32_t riscv_cpu_update_mip(RISCVCPU *cpu, uint32_t mask, uint32_t value);
diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1a2b03d579c..13575c14085 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -644,10 +644,10 @@ static const struct SysemuCPUOps riscv_sysemu_ops = {
 static const struct TCGCPUOps riscv_tcg_ops = {
 .initialize = riscv_translate_init,
 .synchronize_from_tb = riscv_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = riscv_cpu_exec_interrupt,
 .tlb_fill = riscv_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = riscv_cpu_exec_interrupt,
 .do_interrupt = riscv_cpu_do_interrupt,
 .do_transaction_failed = riscv_cpu_do_transaction_failed,
 .do_unaligned_access = riscv_cpu_do_unaligned_access,
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 968cb8046f4..701858d670c 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -75,11 +75,9 @@ static int riscv_cpu_local_irq_pending(CPURISCVState *env)
 return RISCV_EXCP_NONE; /* indicates no pending interrupt */
 }
 }
-#endif
 
 bool riscv_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
-#if !defined(CONFIG_USER_ONLY)
 if (interrupt_request & CPU_INTERRUPT_HARD) {
 RISCVCPU *cpu = RISCV_CPU(cs);
 CPURISCVState *env = >env;
@@ -90,12 +88,9 @@ bool riscv_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return true;
 }
 }
-#endif
 return false;
 }
 
-#if !defined(CONFIG_USER_ONLY)
-
 /* Return true is floating point support is currently enabled */
 bool riscv_cpu_fp_enabled(CPURISCVState *env)
 {
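
Review bot: in cpu_helper.c, removing the "#endif" before riscv_cpu_exec_interrupt() and the "#if !defined(CONFIG_USER_ONLY)" before riscv_cpu_fp_enabled() merges two guarded regions into one that now runs to an "#endif" outside the visible hunks. Please give that closing "#endif" a "/* !CONFIG_USER_ONLY */" comment, as the other patches in this series do, so the extent of the sysemu-only block is clear. While touching this area, the context comment "Return true is floating point support is currently enabled" should read "Return true if".
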
-- 
2.31.1




[PATCH v2 19/24] target/sh4: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/sh4/cpu.h| 4 ++--
 target/sh4/cpu.c| 2 +-
 target/sh4/helper.c | 9 ++---
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/target/sh4/cpu.h b/target/sh4/cpu.h
index 01c43440822..017a7702140 100644
--- a/target/sh4/cpu.h
+++ b/target/sh4/cpu.h
@@ -204,8 +204,6 @@ struct SuperHCPU {
 };
 
 
-void superh_cpu_do_interrupt(CPUState *cpu);
-bool superh_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void superh_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr superh_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 int superh_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
@@ -223,6 +221,8 @@ bool superh_cpu_tlb_fill(CPUState *cs, vaddr address, int 
size,
 
 void sh4_cpu_list(void);
 #if !defined(CONFIG_USER_ONLY)
+void superh_cpu_do_interrupt(CPUState *cpu);
+bool superh_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void cpu_sh4_invalidate_tlb(CPUSH4State *s);
 uint32_t cpu_sh4_read_mmaped_itlb_addr(CPUSH4State *s,
hwaddr addr);
diff --git a/target/sh4/cpu.c b/target/sh4/cpu.c
index 83269229421..2047742d03c 100644
--- a/target/sh4/cpu.c
+++ b/target/sh4/cpu.c
@@ -236,10 +236,10 @@ static const struct SysemuCPUOps sh4_sysemu_ops = {
 static const struct TCGCPUOps superh_tcg_ops = {
 .initialize = sh4_translate_init,
 .synchronize_from_tb = superh_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = superh_cpu_exec_interrupt,
 .tlb_fill = superh_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = superh_cpu_exec_interrupt,
 .do_interrupt = superh_cpu_do_interrupt,
 .do_unaligned_access = superh_cpu_do_unaligned_access,
 .io_recompile_replay_branch = superh_io_recompile_replay_branch,
diff --git a/target/sh4/helper.c b/target/sh4/helper.c
index 2d622081e85..53cb9c3b631 100644
--- a/target/sh4/helper.c
+++ b/target/sh4/helper.c
@@ -45,11 +45,6 @@
 
 #if defined(CONFIG_USER_ONLY)
 
-void superh_cpu_do_interrupt(CPUState *cs)
-{
-cs->exception_index = -1;
-}
-
 int cpu_sh4_is_cached(CPUSH4State *env, target_ulong addr)
 {
 /* For user mode, only U0 area is cacheable. */
@@ -784,8 +779,6 @@ int cpu_sh4_is_cached(CPUSH4State * env, target_ulong addr)
 return 0;
 }
 
-#endif
-
 bool superh_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 if (interrupt_request & CPU_INTERRUPT_HARD) {
@@ -803,6 +796,8 @@ bool superh_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 bool superh_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
  MMUAccessType access_type, int mmu_idx,
  bool probe, uintptr_t retaddr)
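
Review bot: the new "#endif /* !CONFIG_USER_ONLY */" in helper.c closes a block that the first hunk shows being opened with "#if defined(CONFIG_USER_ONLY)", so the comment is only accurate because of an "#else" that sits between the two cpu_sh4_is_cached() definitions and is not part of this diff. Please annotate that "#else" as well (for example "#else /* !CONFIG_USER_ONLY */") so the polarity of the closing comment can be checked without scrolling through several hundred lines.
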
-- 
2.31.1




[PATCH v2 20/24] target/sparc: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/sparc/cpu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/sparc/cpu.c b/target/sparc/cpu.c
index da6b30ec747..5a8a4ce7506 100644
--- a/target/sparc/cpu.c
+++ b/target/sparc/cpu.c
@@ -77,6 +77,7 @@ static void sparc_cpu_reset(DeviceState *dev)
 env->cache_control = 0;
 }
 
+#ifndef CONFIG_USER_ONLY
 static bool sparc_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 if (interrupt_request & CPU_INTERRUPT_HARD) {
@@ -96,6 +97,7 @@ static bool sparc_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 }
 return false;
 }
+#endif /* !CONFIG_USER_ONLY */
 
 static void cpu_sparc_disas_set_info(CPUState *cpu, disassemble_info *info)
 {
@@ -863,10 +865,10 @@ static const struct SysemuCPUOps sparc_sysemu_ops = {
 static const struct TCGCPUOps sparc_tcg_ops = {
 .initialize = sparc_tcg_init,
 .synchronize_from_tb = sparc_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = sparc_cpu_exec_interrupt,
 .tlb_fill = sparc_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = sparc_cpu_exec_interrupt,
 .do_interrupt = sparc_cpu_do_interrupt,
 .do_transaction_failed = sparc_cpu_do_transaction_failed,
 .do_unaligned_access = sparc_cpu_do_unaligned_access,
-- 
2.31.1




[PATCH v2 11/24] target/i386: Move x86_cpu_exec_interrupt() under sysemu/ folder

2021-09-04 Thread Philippe Mathieu-Daudé
Following the logic of commit 30493a030ff ("i386: split seg_helper
into user-only and sysemu parts"), move x86_cpu_exec_interrupt()
under sysemu/seg_helper.c.

Signed-off-by: Philippe Mathieu-Daudé 
---
I prefer to not squash this into the previous patch because the
ifdef'ry removal (in previous patch) is not trivial IMO.
---
 target/i386/tcg/seg_helper.c| 64 
 target/i386/tcg/sysemu/seg_helper.c | 65 +
 2 files changed, 65 insertions(+), 64 deletions(-)

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 13c6e6ee62e..baa905a0cd6 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -1110,70 +1110,6 @@ void do_interrupt_x86_hardirq(CPUX86State *env, int 
intno, int is_hw)
 do_interrupt_all(env_archcpu(env), intno, 0, 0, 0, is_hw);
 }
 
-#ifndef CONFIG_USER_ONLY
-bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-{
-X86CPU *cpu = X86_CPU(cs);
-CPUX86State *env = >env;
-int intno;
-
-interrupt_request = x86_cpu_pending_interrupt(cs, interrupt_request);
-if (!interrupt_request) {
-return false;
-}
-
-/* Don't process multiple interrupt requests in a single call.
- * This is required to make icount-driven execution deterministic.
- */
-switch (interrupt_request) {
-case CPU_INTERRUPT_POLL:
-cs->interrupt_request &= ~CPU_INTERRUPT_POLL;
-apic_poll_irq(cpu->apic_state);
-break;
-case CPU_INTERRUPT_SIPI:
-do_cpu_sipi(cpu);
-break;
-case CPU_INTERRUPT_SMI:
-cpu_svm_check_intercept_param(env, SVM_EXIT_SMI, 0, 0);
-cs->interrupt_request &= ~CPU_INTERRUPT_SMI;
-do_smm_enter(cpu);
-break;
-case CPU_INTERRUPT_NMI:
-cpu_svm_check_intercept_param(env, SVM_EXIT_NMI, 0, 0);
-cs->interrupt_request &= ~CPU_INTERRUPT_NMI;
-env->hflags2 |= HF2_NMI_MASK;
-do_interrupt_x86_hardirq(env, EXCP02_NMI, 1);
-break;
-case CPU_INTERRUPT_MCE:
-cs->interrupt_request &= ~CPU_INTERRUPT_MCE;
-do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0);
-break;
-case CPU_INTERRUPT_HARD:
-cpu_svm_check_intercept_param(env, SVM_EXIT_INTR, 0, 0);
-cs->interrupt_request &= ~(CPU_INTERRUPT_HARD |
-   CPU_INTERRUPT_VIRQ);
-intno = cpu_get_pic_interrupt(env);
-qemu_log_mask(CPU_LOG_TB_IN_ASM,
-  "Servicing hardware INT=0x%02x\n", intno);
-do_interrupt_x86_hardirq(env, intno, 1);
-break;
-case CPU_INTERRUPT_VIRQ:
-/* FIXME: this should respect TPR */
-cpu_svm_check_intercept_param(env, SVM_EXIT_VINTR, 0, 0);
-intno = x86_ldl_phys(cs, env->vm_vmcb
- + offsetof(struct vmcb, control.int_vector));
-qemu_log_mask(CPU_LOG_TB_IN_ASM,
-  "Servicing virtual hardware INT=0x%02x\n", intno);
-do_interrupt_x86_hardirq(env, intno, 1);
-cs->interrupt_request &= ~CPU_INTERRUPT_VIRQ;
-break;
-}
-
-/* Ensure that no TB jump will be modified as the program flow was 
changed.  */
-return true;
-}
-#endif /* CONFIG_USER_ONLY */
-
 void helper_lldt(CPUX86State *env, int selector)
 {
 SegmentCache *dt;
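
Review bot: this is described as a move, but the added copy in sysemu/seg_helper.c is not identical to what is removed here: the "Don't process multiple interrupt requests in a single call" comment is reflowed to open with a bare "/*" line, which accounts for the 65 insertions against 64 deletions in the diffstat. The reformatting is fine, but please say so in the commit message so that anyone checking the move with a moved-lines diff does not have to work out where the extra line comes from. The surrounding "#ifndef CONFIG_USER_ONLY" / "#endif" pair is also dropped in the new location, which is correct only because that file is built for sysemu alone; worth one sentence as well.
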
diff --git a/target/i386/tcg/sysemu/seg_helper.c 
b/target/i386/tcg/sysemu/seg_helper.c
index 82c0856c417..b425b930f9d 100644
--- a/target/i386/tcg/sysemu/seg_helper.c
+++ b/target/i386/tcg/sysemu/seg_helper.c
@@ -125,6 +125,71 @@ void x86_cpu_do_interrupt(CPUState *cs)
 }
 }
 
+bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+{
+X86CPU *cpu = X86_CPU(cs);
+CPUX86State *env = >env;
+int intno;
+
+interrupt_request = x86_cpu_pending_interrupt(cs, interrupt_request);
+if (!interrupt_request) {
+return false;
+}
+
+/*
+ * Don't process multiple interrupt requests in a single call.
+ * This is required to make icount-driven execution deterministic.
+ */
+switch (interrupt_request) {
+case CPU_INTERRUPT_POLL:
+cs->interrupt_request &= ~CPU_INTERRUPT_POLL;
+apic_poll_irq(cpu->apic_state);
+break;
+case CPU_INTERRUPT_SIPI:
+do_cpu_sipi(cpu);
+break;
+case CPU_INTERRUPT_SMI:
+cpu_svm_check_intercept_param(env, SVM_EXIT_SMI, 0, 0);
+cs->interrupt_request &= ~CPU_INTERRUPT_SMI;
+do_smm_enter(cpu);
+break;
+case CPU_INTERRUPT_NMI:
+cpu_svm_check_intercept_param(env, SVM_EXIT_NMI, 0, 0);
+cs->interrupt_request &= ~CPU_INTERRUPT_NMI;
+env->hflags2 |= HF2_NMI_MASK;
+do_interrupt_x86_hardirq(env, EXCP02_NMI, 1);
+break;
+case CPU_INTERRUPT_MCE:
+cs->interrupt_request &= ~CPU_INTERRUPT_MCE;
+do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0);
+break;
+case CPU_INTERRUPT_HARD:
+cpu_svm_check_intercept_param(env, 

[PATCH v2 08/24] target/cris: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/cris/cpu.h|  2 +-
 target/cris/cpu.c|  4 ++--
 target/cris/helper.c | 17 ++---
 3 files changed, 5 insertions(+), 18 deletions(-)

diff --git a/target/cris/cpu.h b/target/cris/cpu.h
index d3b64929096..be021899ae8 100644
--- a/target/cris/cpu.h
+++ b/target/cris/cpu.h
@@ -185,11 +185,11 @@ struct CRISCPU {
 
 #ifndef CONFIG_USER_ONLY
 extern const VMStateDescription vmstate_cris_cpu;
-#endif
 
 void cris_cpu_do_interrupt(CPUState *cpu);
 void crisv10_cpu_do_interrupt(CPUState *cpu);
 bool cris_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif
 
 void cris_cpu_dump_state(CPUState *cs, FILE *f, int flags);
 
diff --git a/target/cris/cpu.c b/target/cris/cpu.c
index 70932b1f8c7..c2e7483f5bd 100644
--- a/target/cris/cpu.c
+++ b/target/cris/cpu.c
@@ -205,20 +205,20 @@ static const struct SysemuCPUOps cris_sysemu_ops = {
 
 static const struct TCGCPUOps crisv10_tcg_ops = {
 .initialize = cris_initialize_crisv10_tcg,
-.cpu_exec_interrupt = cris_cpu_exec_interrupt,
 .tlb_fill = cris_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = cris_cpu_exec_interrupt,
 .do_interrupt = crisv10_cpu_do_interrupt,
 #endif /* !CONFIG_USER_ONLY */
 };
 
 static const struct TCGCPUOps crisv32_tcg_ops = {
 .initialize = cris_initialize_tcg,
-.cpu_exec_interrupt = cris_cpu_exec_interrupt,
 .tlb_fill = cris_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = cris_cpu_exec_interrupt,
 .do_interrupt = cris_cpu_do_interrupt,
 #endif /* !CONFIG_USER_ONLY */
 };
diff --git a/target/cris/helper.c b/target/cris/helper.c
index 911867f3b48..36926faf323 100644
--- a/target/cris/helper.c
+++ b/target/cris/helper.c
@@ -41,20 +41,6 @@
 
 #if defined(CONFIG_USER_ONLY)
 
-void cris_cpu_do_interrupt(CPUState *cs)
-{
-CRISCPU *cpu = CRIS_CPU(cs);
-CPUCRISState *env = >env;
-
-cs->exception_index = -1;
-env->pregs[PR_ERP] = env->pc;
-}
-
-void crisv10_cpu_do_interrupt(CPUState *cs)
-{
-cris_cpu_do_interrupt(cs);
-}
-
 bool cris_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
MMUAccessType access_type, int mmu_idx,
bool probe, uintptr_t retaddr)
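
Review bot: the user-mode cris_cpu_do_interrupt() removed in this hunk was not an empty stub, it also did "env->pregs[PR_ERP] = env->pc;", and the commit message only talks about cpu_exec_interrupt(). Please state in the commit message that the do_interrupt stubs are dropped too and why losing the PR_ERP update is safe, that is, that no user-mode path can reach the handler. The cpu.c hunks show ".do_interrupt" already sitting under "#ifndef CONFIG_USER_ONLY", which supports that, but it should be written down.
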
@@ -287,7 +273,6 @@ hwaddr cris_cpu_get_phys_page_debug(CPUState *cs, vaddr 
addr)
 D(fprintf(stderr, "%s %x -> %x\n", __func__, addr, phy));
 return phy;
 }
-#endif
 
 bool cris_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
@@ -319,3 +304,5 @@ bool cris_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 
 return ret;
 }
+
+#endif /* !CONFIG_USER_ONLY */
-- 
2.31.1




[PATCH v2 16/24] target/openrisc: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/openrisc/cpu.h   | 5 +++--
 target/openrisc/cpu.c   | 2 +-
 target/openrisc/interrupt.c | 2 --
 target/openrisc/meson.build | 6 --
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/target/openrisc/cpu.h b/target/openrisc/cpu.h
index 82cbaeb4f84..be6df81a810 100644
--- a/target/openrisc/cpu.h
+++ b/target/openrisc/cpu.h
@@ -312,8 +312,6 @@ struct OpenRISCCPU {
 
 
 void cpu_openrisc_list(void);
-void openrisc_cpu_do_interrupt(CPUState *cpu);
-bool openrisc_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void openrisc_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr openrisc_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 int openrisc_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
@@ -331,6 +329,9 @@ int print_insn_or1k(bfd_vma addr, disassemble_info *info);
 #ifndef CONFIG_USER_ONLY
 extern const VMStateDescription vmstate_openrisc_cpu;
 
+void openrisc_cpu_do_interrupt(CPUState *cpu);
+bool openrisc_cpu_exec_interrupt(CPUState *cpu, int int_req);
+
 /* hw/openrisc_pic.c */
 void cpu_openrisc_pic_init(OpenRISCCPU *cpu);
 
diff --git a/target/openrisc/cpu.c b/target/openrisc/cpu.c
index bd34e429ecb..27cb04152f9 100644
--- a/target/openrisc/cpu.c
+++ b/target/openrisc/cpu.c
@@ -186,10 +186,10 @@ static const struct SysemuCPUOps openrisc_sysemu_ops = {
 
 static const struct TCGCPUOps openrisc_tcg_ops = {
 .initialize = openrisc_translate_init,
-.cpu_exec_interrupt = openrisc_cpu_exec_interrupt,
 .tlb_fill = openrisc_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = openrisc_cpu_exec_interrupt,
 .do_interrupt = openrisc_cpu_do_interrupt,
 #endif /* !CONFIG_USER_ONLY */
 };
diff --git a/target/openrisc/interrupt.c b/target/openrisc/interrupt.c
index 3eab771dcda..19223e3f25b 100644
--- a/target/openrisc/interrupt.c
+++ b/target/openrisc/interrupt.c
@@ -28,7 +28,6 @@
 
 void openrisc_cpu_do_interrupt(CPUState *cs)
 {
-#ifndef CONFIG_USER_ONLY
 OpenRISCCPU *cpu = OPENRISC_CPU(cs);
 CPUOpenRISCState *env = >env;
 int exception = cs->exception_index;
@@ -96,7 +95,6 @@ void openrisc_cpu_do_interrupt(CPUState *cs)
 } else {
 cpu_abort(cs, "Unhandled exception 0x%x\n", exception);
 }
-#endif
 
 cs->exception_index = -1;
 }
diff --git a/target/openrisc/meson.build b/target/openrisc/meson.build
index 9774a583065..e445dec4a00 100644
--- a/target/openrisc/meson.build
+++ b/target/openrisc/meson.build
@@ -9,7 +9,6 @@
   'exception_helper.c',
   'fpu_helper.c',
   'gdbstub.c',
-  'interrupt.c',
   'interrupt_helper.c',
   'mmu.c',
   'sys_helper.c',
@@ -17,7 +16,10 @@
 ))
 
 openrisc_softmmu_ss = ss.source_set()
-openrisc_softmmu_ss.add(files('machine.c'))
+openrisc_softmmu_ss.add(files(
+  'interrupt.c',
+  'machine.c',
+))
 
 target_arch += {'openrisc': openrisc_ss}
 target_softmmu_arch += {'openrisc': openrisc_softmmu_ss}
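
Review bot: moving 'interrupt.c' from the common file list into openrisc_softmmu_ss is the change that makes it safe to drop the "#ifndef CONFIG_USER_ONLY" guard inside openrisc_cpu_do_interrupt(), yet the commit message does not mention the build change at all. Please add a sentence saying that interrupt.c is now compiled for system emulation only. It may also be worth noting that openrisc_cpu_do_interrupt() moves under the guard in cpu.h together with openrisc_cpu_exec_interrupt(), since the subject line names only the latter.
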
-- 
2.31.1




[PATCH v2 10/24] target/i386: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/i386/tcg/helper-tcg.h |  2 ++
 target/i386/tcg/seg_helper.c | 10 ++
 target/i386/tcg/tcg-cpu.c|  2 +-
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/target/i386/tcg/helper-tcg.h b/target/i386/tcg/helper-tcg.h
index 2510cc244e9..60ca09e95eb 100644
--- a/target/i386/tcg/helper-tcg.h
+++ b/target/i386/tcg/helper-tcg.h
@@ -38,7 +38,9 @@ QEMU_BUILD_BUG_ON(TCG_PHYS_ADDR_BITS > 
TARGET_PHYS_ADDR_SPACE_BITS);
  * @cpu: vCPU the interrupt is to be handled by.
  */
 void x86_cpu_do_interrupt(CPUState *cpu);
+#ifndef CONFIG_USER_ONLY
 bool x86_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif
 
 /* helper.c */
 bool x86_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index dee7bef68c6..13c6e6ee62e 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -1110,6 +1110,7 @@ void do_interrupt_x86_hardirq(CPUX86State *env, int 
intno, int is_hw)
 do_interrupt_all(env_archcpu(env), intno, 0, 0, 0, is_hw);
 }
 
+#ifndef CONFIG_USER_ONLY
 bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 X86CPU *cpu = X86_CPU(cs);
@@ -1125,23 +1126,17 @@ bool x86_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
  * This is required to make icount-driven execution deterministic.
  */
 switch (interrupt_request) {
-#if !defined(CONFIG_USER_ONLY)
 case CPU_INTERRUPT_POLL:
 cs->interrupt_request &= ~CPU_INTERRUPT_POLL;
 apic_poll_irq(cpu->apic_state);
 break;
-#endif
 case CPU_INTERRUPT_SIPI:
 do_cpu_sipi(cpu);
 break;
 case CPU_INTERRUPT_SMI:
 cpu_svm_check_intercept_param(env, SVM_EXIT_SMI, 0, 0);
 cs->interrupt_request &= ~CPU_INTERRUPT_SMI;
-#ifdef CONFIG_USER_ONLY
-cpu_abort(CPU(cpu), "SMI interrupt: cannot enter SMM in user-mode");
-#else
 do_smm_enter(cpu);
-#endif /* CONFIG_USER_ONLY */
 break;
 case CPU_INTERRUPT_NMI:
 cpu_svm_check_intercept_param(env, SVM_EXIT_NMI, 0, 0);
@@ -1162,7 +1157,6 @@ bool x86_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
   "Servicing hardware INT=0x%02x\n", intno);
 do_interrupt_x86_hardirq(env, intno, 1);
 break;
-#if !defined(CONFIG_USER_ONLY)
 case CPU_INTERRUPT_VIRQ:
 /* FIXME: this should respect TPR */
 cpu_svm_check_intercept_param(env, SVM_EXIT_VINTR, 0, 0);
@@ -1173,12 +1167,12 @@ bool x86_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 do_interrupt_x86_hardirq(env, intno, 1);
 cs->interrupt_request &= ~CPU_INTERRUPT_VIRQ;
 break;
-#endif
 }
 
 /* Ensure that no TB jump will be modified as the program flow was 
changed.  */
 return true;
 }
+#endif /* CONFIG_USER_ONLY */
 
 void helper_lldt(CPUX86State *env, int selector)
 {
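
Review bot: the closing directive added after x86_cpu_exec_interrupt() reads "#endif /* CONFIG_USER_ONLY */" but it terminates the "#ifndef CONFIG_USER_ONLY" added at the top of the function, so the comment has the wrong polarity. The rest of the series, including the tcg-cpu.c hunk of this same patch, uses "#endif /* !CONFIG_USER_ONLY */"; please match that here.
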
diff --git a/target/i386/tcg/tcg-cpu.c b/target/i386/tcg/tcg-cpu.c
index 04c35486a2f..3ecfae34cb5 100644
--- a/target/i386/tcg/tcg-cpu.c
+++ b/target/i386/tcg/tcg-cpu.c
@@ -72,12 +72,12 @@ static const struct TCGCPUOps x86_tcg_ops = {
 .synchronize_from_tb = x86_cpu_synchronize_from_tb,
 .cpu_exec_enter = x86_cpu_exec_enter,
 .cpu_exec_exit = x86_cpu_exec_exit,
-.cpu_exec_interrupt = x86_cpu_exec_interrupt,
 .tlb_fill = x86_cpu_tlb_fill,
 #ifdef CONFIG_USER_ONLY
 .fake_user_interrupt = x86_cpu_do_interrupt,
 #else
 .do_interrupt = x86_cpu_do_interrupt,
+.cpu_exec_interrupt = x86_cpu_exec_interrupt,
 .debug_excp_handler = breakpoint_handler,
 .debug_check_breakpoint = x86_debug_check_breakpoint,
 #endif /* !CONFIG_USER_ONLY */
-- 
2.31.1




[PATCH v2 06/24] target/alpha: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/alpha/cpu.h| 2 +-
 target/alpha/cpu.c| 2 +-
 target/alpha/helper.c | 5 ++---
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/target/alpha/cpu.h b/target/alpha/cpu.h
index 82df108967b..4e993bd15bd 100644
--- a/target/alpha/cpu.h
+++ b/target/alpha/cpu.h
@@ -274,10 +274,10 @@ struct AlphaCPU {
 
 #ifndef CONFIG_USER_ONLY
 extern const VMStateDescription vmstate_alpha_cpu;
-#endif
 
 void alpha_cpu_do_interrupt(CPUState *cpu);
 bool alpha_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif /* !CONFIG_USER_ONLY */
 void alpha_cpu_dump_state(CPUState *cs, FILE *f, int flags);
 hwaddr alpha_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 int alpha_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
index 4871ad0c0a6..93e16a2ffb4 100644
--- a/target/alpha/cpu.c
+++ b/target/alpha/cpu.c
@@ -218,10 +218,10 @@ static const struct SysemuCPUOps alpha_sysemu_ops = {
 
 static const struct TCGCPUOps alpha_tcg_ops = {
 .initialize = alpha_translate_init,
-.cpu_exec_interrupt = alpha_cpu_exec_interrupt,
 .tlb_fill = alpha_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = alpha_cpu_exec_interrupt,
 .do_interrupt = alpha_cpu_do_interrupt,
 .do_transaction_failed = alpha_cpu_do_transaction_failed,
 .do_unaligned_access = alpha_cpu_do_unaligned_access,
diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index 4f56fe4d231..81550d9e2ff 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -293,7 +293,6 @@ bool alpha_cpu_tlb_fill(CPUState *cs, vaddr addr, int size,
  prot, mmu_idx, TARGET_PAGE_SIZE);
 return true;
 }
-#endif /* USER_ONLY */
 
 void alpha_cpu_do_interrupt(CPUState *cs)
 {
@@ -348,7 +347,6 @@ void alpha_cpu_do_interrupt(CPUState *cs)
 
 cs->exception_index = -1;
 
-#if !defined(CONFIG_USER_ONLY)
 switch (i) {
 case EXCP_RESET:
 i = 0x;
@@ -404,7 +402,6 @@ void alpha_cpu_do_interrupt(CPUState *cs)
 
 /* Switch to PALmode.  */
 env->flags |= ENV_FLAG_PAL_MODE;
-#endif /* !USER_ONLY */
 }
 
 bool alpha_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
@@ -451,6 +448,8 @@ bool alpha_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 void alpha_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 {
 static const char linux_reg_names[31][4] = {
-- 
2.31.1




[PATCH v2 05/24] accel/tcg: Rename user-mode do_interrupt hack as fake_user_interrupt

2021-09-04 Thread Philippe Mathieu-Daudé
do_interrupt() is sysemu specific. However due to some X86
specific hack, it is also used in user-mode emulation, which
is why it couldn't be restricted to CONFIG_SOFTMMU (see the
comment around added in commit 78271684719: "cpu: tcg_ops:
move to tcg-cpu-ops.h, keep a pointer in CPUClass").
Keep the hack but rename the handler as fake_user_interrupt()
and restrict do_interrupt() to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 include/hw/core/tcg-cpu-ops.h | 22 ++
 accel/tcg/cpu-exec.c  |  4 ++--
 target/i386/tcg/tcg-cpu.c |  6 --
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/include/hw/core/tcg-cpu-ops.h b/include/hw/core/tcg-cpu-ops.h
index eab27d0c030..6c7ab9600ba 100644
--- a/include/hw/core/tcg-cpu-ops.h
+++ b/include/hw/core/tcg-cpu-ops.h
@@ -37,14 +37,6 @@ struct TCGCPUOps {
 void (*cpu_exec_exit)(CPUState *cpu);
 /** @cpu_exec_interrupt: Callback for processing interrupts in cpu_exec */
 bool (*cpu_exec_interrupt)(CPUState *cpu, int interrupt_request);
-/**
- * @do_interrupt: Callback for interrupt handling.
- *
- * note that this is in general SOFTMMU only, but it actually isn't
- * because of an x86 hack (accel/tcg/cpu-exec.c), so we cannot put it
- * in the SOFTMMU section in general.
- */
-void (*do_interrupt)(CPUState *cpu);
 /**
  * @tlb_fill: Handle a softmmu tlb miss or user-only address fault
  *
@@ -61,6 +53,20 @@ struct TCGCPUOps {
 void (*debug_excp_handler)(CPUState *cpu);
 
 #ifdef NEED_CPU_H
+#if defined(CONFIG_USER_ONLY) && defined(TARGET_I386)
+/**
+ * @fake_user_interrupt: Callback for 'fake exception' handling.
+ *
+ * Simulate 'fake exception' which will be handled outside the
+ * cpu execution loop (hack for x86 user mode).
+ */
+void (*fake_user_interrupt)(CPUState *cpu);
+#else
+/**
+ * @do_interrupt: Callback for interrupt handling.
+ */
+void (*do_interrupt)(CPUState *cpu);
+#endif /* !CONFIG_USER_ONLY || !TARGET_I386 */
 #ifdef CONFIG_SOFTMMU
 /**
  * @do_transaction_failed: Callback for handling failed memory transactions
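
Review bot: the "#else" branch in this hunk keeps do_interrupt declared for every build that is not user-mode x86, which includes user-mode builds of all other targets, so the struct does not actually restrict do_interrupt() to sysemu as the commit message claims. If no non-x86 user-mode target still assigns the field at this point in the series, consider declaring it inside the "#ifdef CONFIG_SOFTMMU" block that follows, so a stray user-mode assignment fails to compile. Otherwise please reword the commit message to say the restriction is completed by the later per-target patches.
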
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index e5c0ccd1a2a..2838177e7f0 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -651,8 +651,8 @@ static inline bool cpu_handle_exception(CPUState *cpu, int 
*ret)
loop */
 #if defined(TARGET_I386)
 CPUClass *cc = CPU_GET_CLASS(cpu);
-cc->tcg_ops->do_interrupt(cpu);
-#endif
+cc->tcg_ops->fake_user_interrupt(cpu);
+#endif /* TARGET_I386 */
 *ret = cpu->exception_index;
 cpu->exception_index = -1;
 return true;
diff --git a/target/i386/tcg/tcg-cpu.c b/target/i386/tcg/tcg-cpu.c
index 93a79a57415..04c35486a2f 100644
--- a/target/i386/tcg/tcg-cpu.c
+++ b/target/i386/tcg/tcg-cpu.c
@@ -73,9 +73,11 @@ static const struct TCGCPUOps x86_tcg_ops = {
 .cpu_exec_enter = x86_cpu_exec_enter,
 .cpu_exec_exit = x86_cpu_exec_exit,
 .cpu_exec_interrupt = x86_cpu_exec_interrupt,
-.do_interrupt = x86_cpu_do_interrupt,
 .tlb_fill = x86_cpu_tlb_fill,
-#ifndef CONFIG_USER_ONLY
+#ifdef CONFIG_USER_ONLY
+.fake_user_interrupt = x86_cpu_do_interrupt,
+#else
+.do_interrupt = x86_cpu_do_interrupt,
 .debug_excp_handler = breakpoint_handler,
 .debug_check_breakpoint = x86_debug_check_breakpoint,
 #endif /* !CONFIG_USER_ONLY */
-- 
2.31.1




[PATCH v2 13/24] target/microblaze: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/microblaze/cpu.h|  2 ++
 target/microblaze/cpu.c|  2 +-
 target/microblaze/helper.c | 13 ++---
 3 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/target/microblaze/cpu.h b/target/microblaze/cpu.h
index e4bba8a7551..40401c33b72 100644
--- a/target/microblaze/cpu.h
+++ b/target/microblaze/cpu.h
@@ -355,8 +355,10 @@ struct MicroBlazeCPU {
 };
 
 
+#ifndef CONFIG_USER_ONLY
 void mb_cpu_do_interrupt(CPUState *cs);
 bool mb_cpu_exec_interrupt(CPUState *cs, int int_req);
+#endif /* !CONFIG_USER_ONLY */
 void mb_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
 MMUAccessType access_type,
 int mmu_idx, uintptr_t retaddr);
diff --git a/target/microblaze/cpu.c b/target/microblaze/cpu.c
index 72d8f2a0daa..15db277925f 100644
--- a/target/microblaze/cpu.c
+++ b/target/microblaze/cpu.c
@@ -365,10 +365,10 @@ static const struct SysemuCPUOps mb_sysemu_ops = {
 static const struct TCGCPUOps mb_tcg_ops = {
 .initialize = mb_tcg_init,
 .synchronize_from_tb = mb_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = mb_cpu_exec_interrupt,
 .tlb_fill = mb_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = mb_cpu_exec_interrupt,
 .do_interrupt = mb_cpu_do_interrupt,
 .do_transaction_failed = mb_cpu_transaction_failed,
 .do_unaligned_access = mb_cpu_do_unaligned_access,
diff --git a/target/microblaze/helper.c b/target/microblaze/helper.c
index 20dbd673136..dd2aecd1d58 100644
--- a/target/microblaze/helper.c
+++ b/target/microblaze/helper.c
@@ -26,16 +26,6 @@
 
 #if defined(CONFIG_USER_ONLY)
 
-void mb_cpu_do_interrupt(CPUState *cs)
-{
-MicroBlazeCPU *cpu = MICROBLAZE_CPU(cs);
-CPUMBState *env = >env;
-
-cs->exception_index = -1;
-env->res_addr = RES_ADDR_NONE;
-env->regs[14] = env->pc;
-}
-
 bool mb_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
  MMUAccessType access_type, int mmu_idx,
  bool probe, uintptr_t retaddr)
@@ -271,7 +261,6 @@ hwaddr mb_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr 
addr,
 
 return paddr;
 }
-#endif
 
 bool mb_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
@@ -289,6 +278,8 @@ bool mb_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 return false;
 }
 
+#endif /* !CONFIG_USER_ONLY */
+
 void mb_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
 MMUAccessType access_type,
 int mmu_idx, uintptr_t retaddr)
-- 
2.31.1




[PATCH v2 07/24] target/arm: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/arm/cpu.h | 3 +--
 target/arm/cpu.c | 7 +--
 target/arm/cpu_tcg.c | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 6a987f65e41..cfd755cff99 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1040,11 +1040,10 @@ uint64_t arm_cpu_mp_affinity(int idx, uint8_t 
clustersz);
 
 #ifndef CONFIG_USER_ONLY
 extern const VMStateDescription vmstate_arm_cpu;
-#endif
 
 void arm_cpu_do_interrupt(CPUState *cpu);
 void arm_v7m_cpu_do_interrupt(CPUState *cpu);
-bool arm_cpu_exec_interrupt(CPUState *cpu, int int_req);
+#endif /* !CONFIG_USER_ONLY */
 
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr,
  MemTxAttrs *attrs);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index d631c4683c4..ba0741b20e4 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -440,6 +440,8 @@ static void arm_cpu_reset(DeviceState *dev)
 arm_rebuild_hflags(env);
 }
 
+#ifndef CONFIG_USER_ONLY
+
 static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
  unsigned int target_el,
  unsigned int cur_el, bool secure,
@@ -556,7 +558,7 @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned 
int excp_idx,
 return unmasked || pstate_unmasked;
 }
 
-bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+static bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 CPUClass *cc = CPU_GET_CLASS(cs);
 CPUARMState *env = cs->env_ptr;
@@ -608,6 +610,7 @@ bool arm_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 cc->tcg_ops->do_interrupt(cs);
 return true;
 }
+#endif /* !CONFIG_USER_ONLY */
 
 void arm_cpu_update_virq(ARMCPU *cpu)
 {
@@ -2010,11 +2013,11 @@ static const struct SysemuCPUOps arm_sysemu_ops = {
 static const struct TCGCPUOps arm_tcg_ops = {
 .initialize = arm_translate_init,
 .synchronize_from_tb = arm_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = arm_cpu_exec_interrupt,
 .tlb_fill = arm_cpu_tlb_fill,
 .debug_excp_handler = arm_debug_excp_handler,
 
 #if !defined(CONFIG_USER_ONLY)
+.cpu_exec_interrupt = arm_cpu_exec_interrupt,
 .do_interrupt = arm_cpu_do_interrupt,
 .do_transaction_failed = arm_cpu_do_transaction_failed,
 .do_unaligned_access = arm_cpu_do_unaligned_access,
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index 33cc75af57d..0d5adccf1a7 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -22,7 +22,7 @@
 /* CPU models. These are not needed for the AArch64 linux-user build. */
 #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 
-#ifdef CONFIG_TCG
+#if !defined(CONFIG_USER_ONLY) && defined(CONFIG_TCG)
 static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
 CPUClass *cc = CPU_GET_CLASS(cs);
@@ -46,7 +46,7 @@ static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 }
 return ret;
 }
-#endif /* CONFIG_TCG */
+#endif /* !CONFIG_USER_ONLY && CONFIG_TCG */
 
 static void arm926_initfn(Object *obj)
 {
@@ -898,11 +898,11 @@ static void pxa270c5_initfn(Object *obj)
 static const struct TCGCPUOps arm_v7m_tcg_ops = {
 .initialize = arm_translate_init,
 .synchronize_from_tb = arm_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt,
 .tlb_fill = arm_cpu_tlb_fill,
 .debug_excp_handler = arm_debug_excp_handler,
 
 #if !defined(CONFIG_USER_ONLY)
+.cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt,
 .do_interrupt = arm_v7m_cpu_do_interrupt,
 .do_transaction_failed = arm_cpu_do_transaction_failed,
 .do_unaligned_access = arm_cpu_do_unaligned_access,
-- 
2.31.1




[PATCH v2 03/24] target/i386: Simplify TARGET_X86_64 #ifdef'ry

2021-09-04 Thread Philippe Mathieu-Daudé
Merge two TARGET_X86_64 consecutive blocks.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/i386/tcg/seg_helper.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 3ed20ca31d7..dee7bef68c6 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -929,9 +929,7 @@ static void do_interrupt64(CPUX86State *env, int intno, int 
is_int,
e2);
 env->eip = offset;
 }
-#endif
 
-#ifdef TARGET_X86_64
 void helper_sysret(CPUX86State *env, int dflag)
 {
 int cpl, selector;
@@ -984,7 +982,7 @@ void helper_sysret(CPUX86State *env, int dflag)
DESC_W_MASK | DESC_A_MASK);
 }
 }
-#endif
+#endif /* TARGET_X86_64 */
 
 /* real mode interrupt */
 static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
-- 
2.31.1




[PATCH v2 01/24] target/avr: Remove pointless use of CONFIG_USER_ONLY definition

2021-09-04 Thread Philippe Mathieu-Daudé
Commit f1c671f96cb ("target/avr: Introduce basic CPU class object")
added to target/avr/cpu.h:

  #ifdef CONFIG_USER_ONLY
  #error "AVR 8-bit does not support user mode"
  #endif

Remove the CONFIG_USER_ONLY definition introduced by mistake in
commit 78271684719 ("cpu: tcg_ops: move to tcg-cpu-ops.h, keep a
pointer in CPUClass").

Reported-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/avr/cpu.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/target/avr/cpu.c b/target/avr/cpu.c
index ea14175ca55..5d70e34dd54 100644
--- a/target/avr/cpu.c
+++ b/target/avr/cpu.c
@@ -197,10 +197,7 @@ static const struct TCGCPUOps avr_tcg_ops = {
 .synchronize_from_tb = avr_cpu_synchronize_from_tb,
 .cpu_exec_interrupt = avr_cpu_exec_interrupt,
 .tlb_fill = avr_cpu_tlb_fill,
-
-#ifndef CONFIG_USER_ONLY
 .do_interrupt = avr_cpu_do_interrupt,
-#endif /* !CONFIG_USER_ONLY */
 };
 
 static void avr_cpu_class_init(ObjectClass *oc, void *data)
-- 
2.31.1




[PATCH v2 09/24] target/hppa: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict cpu_exec_interrupt() and its callees to sysemu.

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/hppa/cpu.h| 4 ++--
 target/hppa/cpu.c| 2 +-
 target/hppa/int_helper.c | 7 ++-
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 748270bfa31..7854675b903 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -325,13 +325,13 @@ int cpu_hppa_signal_handler(int host_signum, void *pinfo, 
void *puc);
 hwaddr hppa_cpu_get_phys_page_debug(CPUState *cs, vaddr addr);
 int hppa_cpu_gdb_read_register(CPUState *cpu, GByteArray *buf, int reg);
 int hppa_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
-void hppa_cpu_do_interrupt(CPUState *cpu);
-bool hppa_cpu_exec_interrupt(CPUState *cpu, int int_req);
 void hppa_cpu_dump_state(CPUState *cs, FILE *f, int);
 bool hppa_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
MMUAccessType access_type, int mmu_idx,
bool probe, uintptr_t retaddr);
 #ifndef CONFIG_USER_ONLY
+void hppa_cpu_do_interrupt(CPUState *cpu);
+bool hppa_cpu_exec_interrupt(CPUState *cpu, int int_req);
 int hppa_get_physical_address(CPUHPPAState *env, vaddr addr, int mmu_idx,
   int type, hwaddr *pphys, int *pprot);
 extern const MemoryRegionOps hppa_io_eir_ops;
diff --git a/target/hppa/cpu.c b/target/hppa/cpu.c
index 2eace4ee124..e8edd189bfc 100644
--- a/target/hppa/cpu.c
+++ b/target/hppa/cpu.c
@@ -144,10 +144,10 @@ static const struct SysemuCPUOps hppa_sysemu_ops = {
 static const struct TCGCPUOps hppa_tcg_ops = {
 .initialize = hppa_translate_init,
 .synchronize_from_tb = hppa_cpu_synchronize_from_tb,
-.cpu_exec_interrupt = hppa_cpu_exec_interrupt,
 .tlb_fill = hppa_cpu_tlb_fill,
 
 #ifndef CONFIG_USER_ONLY
+.cpu_exec_interrupt = hppa_cpu_exec_interrupt,
 .do_interrupt = hppa_cpu_do_interrupt,
 .do_unaligned_access = hppa_cpu_do_unaligned_access,
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target/hppa/int_helper.c b/target/hppa/int_helper.c
index 349495d3610..13073ae2bda 100644
--- a/target/hppa/int_helper.c
+++ b/target/hppa/int_helper.c
@@ -88,7 +88,6 @@ void HELPER(write_eiem)(CPUHPPAState *env, target_ureg val)
 eval_interrupt(env_archcpu(env));
 qemu_mutex_unlock_iothread();
 }
-#endif /* !CONFIG_USER_ONLY */
 
 void hppa_cpu_do_interrupt(CPUState *cs)
 {
@@ -100,7 +99,6 @@ void hppa_cpu_do_interrupt(CPUState *cs)
 uint64_t iasq_f = env->iasq_f;
 uint64_t iasq_b = env->iasq_b;
 
-#ifndef CONFIG_USER_ONLY
 target_ureg old_psw;
 
 /* As documented in pa2.0 -- interruption handling.  */
@@ -187,7 +185,6 @@ void hppa_cpu_do_interrupt(CPUState *cs)
 env->iaoq_b = env->iaoq_f + 4;
 env->iasq_f = 0;
 env->iasq_b = 0;
-#endif
 
 if (qemu_loglevel_mask(CPU_LOG_INT)) {
 static const char * const names[] = {
@@ -248,7 +245,6 @@ void hppa_cpu_do_interrupt(CPUState *cs)
 
 bool hppa_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
-#ifndef CONFIG_USER_ONLY
 HPPACPU *cpu = HPPA_CPU(cs);
 CPUHPPAState *env = >env;
 
@@ -258,6 +254,7 @@ bool hppa_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
 hppa_cpu_do_interrupt(cs);
 return true;
 }
-#endif
 return false;
 }
+
+#endif /* !CONFIG_USER_ONLY */
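Review bot: with the inner guards removed, the "#endif /* !CONFIG_USER_ONLY */" added at the end of the file is the only closer left, so everything from the #ifndef that opens above HELPER(write_eiem) onward is compiled out of user-mode builds, including the CPU_LOG_INT logging in hppa_cpu_do_interrupt() that previously sat outside the inner "#ifndef CONFIG_USER_ONLY". If nothing in int_helper.c is built for user mode any more, moving the file into the sysemu-only source set in meson.build (as the openrisc patch in this series does for interrupt.c) would be cleaner than a file-long conditional; otherwise a comment at the opening #ifndef naming what it now covers would help.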
-- 
2.31.1




[PATCH v2 04/24] target/xtensa: Restrict do_transaction_failed() to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
The do_transaction_failed() is restricted to system emulation since
commit cbc183d2d9f ("cpu: move cc->transaction_failed to tcg_ops").

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/xtensa/cpu.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 2345cb59c79..1e0cb1535ca 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -568,10 +568,12 @@ bool xtensa_cpu_tlb_fill(CPUState *cs, vaddr address, int 
size,
  bool probe, uintptr_t retaddr);
 void xtensa_cpu_do_interrupt(CPUState *cpu);
 bool xtensa_cpu_exec_interrupt(CPUState *cpu, int interrupt_request);
+#ifndef CONFIG_USER_ONLY
 void xtensa_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr, vaddr 
addr,
   unsigned size, MMUAccessType access_type,
   int mmu_idx, MemTxAttrs attrs,
   MemTxResult response, uintptr_t retaddr);
+#endif /* !CONFIG_USER_ONLY */
 void xtensa_cpu_dump_state(CPUState *cpu, FILE *f, int flags);
 hwaddr xtensa_cpu_get_phys_page_debug(CPUState *cpu, vaddr addr);
 void xtensa_count_regs(const XtensaConfig *config,
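Review bot: only the prototype of xtensa_cpu_do_transaction_failed() is wrapped in "#ifndef CONFIG_USER_ONLY" here, and the diffstat lists cpu.h as the only file touched, so the definition is left as it was. If that definition sits in a file that is also compiled for user-mode, it will now be built without a preceding declaration; please confirm it is already sysemu-only or guard it in the same patch.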
-- 
2.31.1




[PATCH v2 00/24] accel/tcg: Restrict TCGCPUOps::cpu_exec_interrupt() to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
Missing review:
- 01 target/avr: Remove pointless use of CONFIG_USER_ONLY definition
- 11 target/i386: Move x86_cpu_exec_interrupt() under sysemu/ folder

Hi,

The TCGCPUOps::cpu_exec_interrupt() handler is specific to system
emulation. This series removes it from user-mode.
To do so we have to deal with an x86-hack first, then we restrict
each target handler (one target at a time) and finally we restrict
the prototype, simplifying cpu_handle_interrupt().

As a bonus we can remove the cpu_get_pic_interrupt() stubs from
bsd/linux-user.

Since v1:
- Addressed Richard's comments (drop AVR patch, remove assert)
- Added R-b

Philippe Mathieu-Daudé (24):
  target/avr: Remove pointless use of CONFIG_USER_ONLY definition
  target/i386: Restrict sysemu-only fpu_helper helpers
  target/i386: Simplify TARGET_X86_64 #ifdef'ry
  target/xtensa: Restrict do_transaction_failed() to sysemu
  accel/tcg: Rename user-mode do_interrupt hack as fake_user_interrupt
  target/alpha: Restrict cpu_exec_interrupt() handler to sysemu
  target/arm: Restrict cpu_exec_interrupt() handler to sysemu
  target/cris: Restrict cpu_exec_interrupt() handler to sysemu
  target/hppa: Restrict cpu_exec_interrupt() handler to sysemu
  target/i386: Restrict cpu_exec_interrupt() handler to sysemu
  target/i386: Move x86_cpu_exec_interrupt() under sysemu/ folder
  target/m68k: Restrict cpu_exec_interrupt() handler to sysemu
  target/microblaze: Restrict cpu_exec_interrupt() handler to sysemu
  target/mips: Restrict cpu_exec_interrupt() handler to sysemu
  target/nios2: Restrict cpu_exec_interrupt() handler to sysemu
  target/openrisc: Restrict cpu_exec_interrupt() handler to sysemu
  target/ppc: Restrict cpu_exec_interrupt() handler to sysemu
  target/riscv: Restrict cpu_exec_interrupt() handler to sysemu
  target/sh4: Restrict cpu_exec_interrupt() handler to sysemu
  target/sparc: Restrict cpu_exec_interrupt() handler to sysemu
  target/rx: Restrict cpu_exec_interrupt() handler to sysemu
  target/xtensa: Restrict cpu_exec_interrupt() handler to sysemu
  accel/tcg: Restrict TCGCPUOps::cpu_exec_interrupt() to sysemu
  user: Remove cpu_get_pic_interrupt() stubs

 include/hw/core/tcg-cpu-ops.h   | 26 ++
 target/alpha/cpu.h  |  2 +-
 target/arm/cpu.h|  3 +-
 target/cris/cpu.h   |  2 +-
 target/hppa/cpu.h   |  4 +-
 target/i386/cpu.h   |  3 ++
 target/i386/tcg/helper-tcg.h|  2 +
 target/m68k/cpu.h   |  2 +
 target/microblaze/cpu.h |  2 +
 target/mips/tcg/tcg-internal.h  |  5 +-
 target/openrisc/cpu.h   |  5 +-
 target/ppc/cpu.h|  4 +-
 target/riscv/cpu.h  |  2 +-
 target/rx/cpu.h |  2 +
 target/sh4/cpu.h|  4 +-
 target/xtensa/cpu.h |  2 +
 accel/tcg/cpu-exec.c| 14 --
 bsd-user/main.c |  7 ---
 linux-user/main.c   |  7 ---
 target/alpha/cpu.c  |  2 +-
 target/alpha/helper.c   |  5 +-
 target/arm/cpu.c|  7 ++-
 target/arm/cpu_tcg.c|  6 +--
 target/avr/cpu.c|  3 --
 target/cris/cpu.c   |  4 +-
 target/cris/helper.c| 17 +--
 target/hppa/cpu.c   |  2 +-
 target/hppa/int_helper.c|  7 +--
 target/i386/tcg/seg_helper.c| 74 +
 target/i386/tcg/sysemu/seg_helper.c | 65 +
 target/i386/tcg/tcg-cpu.c   |  8 ++--
 target/m68k/cpu.c   |  2 +-
 target/m68k/op_helper.c | 16 ++-
 target/microblaze/cpu.c |  2 +-
 target/microblaze/helper.c  | 13 +
 target/mips/cpu.c   |  2 +-
 target/mips/tcg/exception.c | 18 ---
 target/mips/tcg/sysemu/tlb_helper.c | 18 +++
 target/mips/tcg/user/tlb_helper.c   |  5 --
 target/nios2/cpu.c  |  5 +-
 target/openrisc/cpu.c   |  2 +-
 target/openrisc/interrupt.c |  2 -
 target/ppc/cpu_init.c   |  2 +-
 target/ppc/excp_helper.c| 21 ++--
 target/riscv/cpu.c  |  2 +-
 target/riscv/cpu_helper.c   |  5 --
 target/rx/cpu.c |  2 +-
 target/rx/helper.c  |  4 ++
 target/sh4/cpu.c|  2 +-
 target/sh4/helper.c |  9 +---
 target/sparc/cpu.c  |  4 +-
 target/xtensa/cpu.c |  2 +-
 target/xtensa/exc_helper.c  |  7 +--
 target/openrisc/meson.build |  6 ++-
 54 files changed, 196 insertions(+), 253 deletions(-)

-- 
2.31.1




[PATCH v2 02/24] target/i386: Restrict sysemu-only fpu_helper helpers

2021-09-04 Thread Philippe Mathieu-Daudé
Restrict some sysemu-only fpu_helper helpers (see commit
83a3d9c7402: "i386: separate fpu_helper sysemu-only parts").

Reviewed-by: Warner Losh 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/i386/cpu.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 6c50d3ab4f1..c241bc183d2 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1833,11 +1833,14 @@ void x86_cpu_list(void);
 int cpu_x86_support_mca_broadcast(CPUX86State *env);
 
 int cpu_get_pic_interrupt(CPUX86State *s);
+
+#ifndef CONFIG_USER_ONLY
 /* MSDOS compatibility mode FPU exception support */
 void x86_register_ferr_irq(qemu_irq irq);
 void fpu_check_raise_ferr_irq(CPUX86State *s);
 void cpu_set_ignne(void);
 void cpu_clear_ignne(void);
+#endif
 
 /* mpx_helper.c */
 void cpu_sync_bndcs_hflags(CPUX86State *env);
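Review bot: the guard added around the FPU exception helpers closes with a bare "#endif", while the other patches in this series annotate theirs as "#endif /* !CONFIG_USER_ONLY */". Please add the same trailing comment here so the header stays consistent and the block is easy to pair up when more declarations are moved into it.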
-- 
2.31.1




Re: [PATCH 16/24] target/openrisc: Restrict cpu_exec_interrupt() handler to sysemu

2021-09-04 Thread Philippe Mathieu-Daudé
On 9/2/21 10:24 PM, Warner Losh wrote:
> 
> 
> On Thu, Sep 2, 2021 at 9:18 AM Philippe Mathieu-Daudé wrote:
> 
> Restrict cpu_exec_interrupt() and its callees to sysemu.
> 
> Signed-off-by: Philippe Mathieu-Daudé
> ---
>  target/openrisc/cpu.h       | 5 +++--
>  target/openrisc/cpu.c       | 2 +-
>  target/openrisc/interrupt.c | 2 --
>  target/openrisc/meson.build | 6 --
>  4 files changed, 8 insertions(+), 7 deletions(-)
> 
> 
> I'm not 100% sure about the build changes because my meson fu is weak,
> but they seem right given the rest. 
> 
> Reviewed-by: Warner Losh <i...@bsdimp.com>

> diff --git a/target/openrisc/meson.build b/target/openrisc/meson.build
> index 9774a583065..e445dec4a00 100644
> --- a/target/openrisc/meson.build
> +++ b/target/openrisc/meson.build
> @@ -9,7 +9,6 @@
>    'exception_helper.c',
>    'fpu_helper.c',
>    'gdbstub.c',
> -  'interrupt.c',

openrisc_ss is a 'Source Set', it is built each time the openrisc
target is selected (regardless of system/user).

>    'interrupt_helper.c',
>    'mmu.c',
>    'sys_helper.c',
> @@ -17,7 +16,10 @@
>  ))
> 
>  openrisc_softmmu_ss = ss.source_set()

The 'openrisc_softmmu_ss' source set is only built when sysemu
is selected.

> -openrisc_softmmu_ss.add(files('machine.c'))
> +openrisc_softmmu_ss.add(files(
> +  'interrupt.c',

By moving it to the sysemu-specific set, the file won't be built
for a user-only build.

> +  'machine.c',
> +))
> 
>  target_arch += {'openrisc': openrisc_ss}
>  target_softmmu_arch += {'openrisc': openrisc_softmmu_ss}

BTW the user-equivalent of ARCH_softmmu_ss is ARCH_user_ss, and
is optional:

$ git grep _user_ss.= target
target/i386/meson.build:23:i386_user_ss = ss.source_set()
target/mips/meson.build:1:mips_user_ss = ss.source_set()
target/s390x/meson.build:34:s390x_user_ss = ss.source_set()

Thanks for your reviews!

Phil.



Re: [RFC PATCH 04/24] accel/tcg: Rename user-mode do_interrupt hack as fake_user_exception

2021-09-04 Thread Philippe Mathieu-Daudé
On 9/3/21 9:07 PM, Richard Henderson wrote:
> On 9/2/21 5:16 PM, Philippe Mathieu-Daudé wrote:
>> do_interrupt() is sysemu specific. However due to some X86
>> specific hack, it is also used in user-mode emulation, which
>> is why it couldn't be restricted to CONFIG_SOFTMMU (see the
>> comment around added in commit 78271684719: "cpu: tcg_ops:
>> move to tcg-cpu-ops.h, keep a pointer in CPUClass").
>> Keep the hack but rename the handler as fake_user_exception()
>> and restrict do_interrupt() to sysemu.
>>
>> Signed-off-by: Philippe Mathieu-Daudé
>> ---
>> RFC: Any better name / idea here?
> 
> I guess I'm ok with fake_user_interrupt.

I can use do_fake_user_interrupt (closer match to do_interrupt
equivalent). Alternative name is "do_interrupt_user", same as
the handler:

/*
 * fake user mode interrupt. is_int is TRUE if coming from the int
 * instruction. next_eip is the env->eip value AFTER the interrupt
 * instruction. It is only relevant if is_int is TRUE or if intno
 * is EXCP_SYSCALL.
 */
static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
  int error_code, target_ulong next_eip)

> But I believe that this could all be moved into cpu_loop.c.

I tried to give it a try, but it seems out of my comfort zone.
I'll create an issue to do it as a future cleanup on top of
this series.

> Reviewed-by: Richard Henderson 

Thanks,

Phil.



Re: [PATCH] hw/ssi: imx_spi: Improve chip select handling

2021-09-04 Thread Philippe Mathieu-Daudé
On 9/5/21 1:06 AM, Bin Meng wrote:
> On Sun, Sep 5, 2021 at 1:13 AM Guenter Roeck  wrote:
>>
>> On 9/2/21 12:29 PM, Peter Maydell wrote:
>>> On Thu, 2 Sept 2021 at 17:09, Guenter Roeck  wrote:

>>>> On 9/2/21 8:58 AM, Peter Maydell wrote:
>>>>> On Sun, 8 Aug 2021 at 02:34, Guenter Roeck wrote:
>>
>> The control register does not really have a means to deselect
>> all chip selects directly. As result, CS is effectively never
>> deselected, and connected flash chips fail to perform read
>> operations since they don't get the expected chip select signals
>> to reset their state machine.
>>
>> Normally and per controller documentation one would assume that
>> chip select should be set whenever a transfer starts (XCH is
>> set or the tx fifo is written into), and that it should be disabled
>> whenever a transfer is complete. However, that does not work in
>> practice: attempts to implement this approach resulted in failures,
>> presumably because a single transaction can be split into multiple
>> transfers.
>>
>> At the same time, there is no explicit signal from the host indicating
>> if chip select should be active or not. In the absence of such a direct
>> signal, use the burst length written into the control register to
>> determine if an access is ongoing or not. Disable all chip selects
>> if the burst length field in the configuration register is set to 0,
>> and (re-)enable chip select if a transfer is started. This is possible
>> because the Linux driver clears the burst length field whenever it
>> prepares the controller for the next transfer.
>> This solution  is less than perfect since it effectively only disables
>> chip select when initiating the next transfer, but it does work with
>> Linux and should otherwise do no harm.
>>
>> Stop complaining if the burst length field is set to a value of 0,
>> since that is done by Linux for every transfer.
>>
>> With this patch, a command line parameter such as "-drive
>> file=flash.sabre,format=raw,if=mtd" can be used to instantiate the
>> flash chip in the sabrelite emulation. Without this patch, the
>> flash instantiates, but it only reads zeroes.
>>
>> Signed-off-by: Guenter Roeck 
>> ---
>> I am not entirely happy with this solution, but it is the best I was
>> able to come up with. If anyone has a better idea, I'll be happy
>> to give it a try.
>>
>>hw/ssi/imx_spi.c | 17 +++--
>>1 file changed, 7 insertions(+), 10 deletions(-)
>>
>> diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
>> index 189423bb3a..7a093156bd 100644
>> --- a/hw/ssi/imx_spi.c
>> +++ b/hw/ssi/imx_spi.c
>> @@ -167,6 +167,8 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
>>DPRINTF("Begin: TX Fifo Size = %d, RX Fifo Size = %d\n",
>>fifo32_num_used(>tx_fifo), 
>> fifo32_num_used(>rx_fifo));
>>
>> +qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);
>> +
>>while (!fifo32_is_empty(>tx_fifo)) {
>>int tx_burst = 0;
>>
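Review bot: the qemu_set_irq(..., 0) added before the loop in imx_spi_flush_txfifo() asserts only the line returned by imx_spi_selected_channel(s) at flush time, while the commit message relies on a separate path to "disable all chip selects" when the burst length is 0. Please add a comment here stating that level 0 selects the device and where the matching deselect happens, and check that the deselect covers every cs_lines[] entry, so a guest that changes the channel select between transfers cannot leave the previous line asserted.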
>> @@ -385,13 +387,6 @@ static void imx_spi_write(void *opaque, hwaddr 
>> offset, uint64_t value,
>>case ECSPI_CONREG:
>>s->regs[ECSPI_CONREG] = value;
>>
>> -burst = EXTRACT(s->regs[ECSPI_CONREG], 
>> ECSPI_CONREG_BURST_LENGTH) + 1;
>> -if (burst % 8) {
>> -qemu_log_mask(LOG_UNIMP,
>> -  "[%s]%s: burst length %d not supported: 
>> rounding up to next multiple of 8\n",
>> -  TYPE_IMX_SPI, __func__, burst);
>> -}
>
>>>>> Why has this log message been removed ?
>>>>
>>>> What I wanted to do is:
>>>>
>>>> "Stop complaining if the burst length field is set to a value of 0,
>>>> since that is done by Linux for every transfer."
>>>>
>>>> What I did instead is to remove the message entirely.
>>>>
>>>> How about the rest of the patch ? Is it worth a resend with the message
>>>> restored (except for burst size == 0), or is it not acceptable anyway ?
>>>
>>> I did the easy bit of the code review because answering this
>>> question is probably a multiple-hour job...this is still on my
>>> todo list, but I'm hoping somebody who understands the MIX
>>> SPI device gets to it first.
>>>
>>
>> Makes sense. Of course, it would be even better if someone can explain
>> how this works on real hardware.
>>
> 
> I happened to notice this patch today. Better to cc people who once
> worked on this part from "git blame" or "git log".

Even better if you add yourself as designated reviewer ;)

$ ./scripts/get_maintainer.pl -f hw/ssi/imx_spi.c
Alistair Francis  (maintainer:SSI)
Peter Maydell  (odd fixer:i.MX31 (kzm))
Jean-Christophe Dubois  (reviewer:SABRELITE / i.MX6)

> 
>> In this context, it would be useful to know if real SPI 

[PATCH v7 2/2] memory: Have 'info mtree' remove duplicated Address Space information

2021-09-04 Thread Philippe Mathieu-Daudé
Per Peter Maydell [*]:

  'info mtree' monitor command was designed on the assumption that
  there's really only one or two interesting address spaces, and
  with more recent developments that's just not the case any more.

Similarly to how the FlatViews are sorted using a GHashTable,
sort the AddressSpace objects to remove the duplications (AS
using the same root MemoryRegion).

This drastically reduces the output of 'info mtree' on some boards.

Before:

  $ (echo info mtree; echo q) \
| qemu-system-aarch64 -S -monitor stdio -M raspi3b \
| wc -l
  423

After:

  $ (echo info mtree; echo q) \
| qemu-system-aarch64 -S -monitor stdio -M raspi3b \
| wc -l
  106

  (qemu) info mtree
  address-space: I/O
- (prio 0, i/o): io

  address-space: cpu-memory-0
  address-space: cpu-memory-1
  address-space: cpu-memory-2
  address-space: cpu-memory-3
  address-space: cpu-secure-memory-0
  address-space: cpu-secure-memory-1
  address-space: cpu-secure-memory-2
  address-space: cpu-secure-memory-3
  address-space: memory
- (prio 0, i/o): system
  -3fff (prio 0, ram): ram
  3f00-3fff (prio 1, i/o): bcm2835-peripherals
3f003000-3f00301f (prio 0, i/o): bcm2835-sys-timer
3f004000-3f004fff (prio -1000, i/o): bcm2835-txp
3f006000-3f006fff (prio 0, i/o): mphi
3f007000-3f007fff (prio 0, i/o): bcm2835-dma
3f00b200-3f00b3ff (prio 0, i/o): bcm2835-ic
3f00b400-3f00b43f (prio -1000, i/o): bcm2835-sp804
3f00b800-3f00bbff (prio 0, i/o): bcm2835-mbox
3f10-3f1001ff (prio 0, i/o): bcm2835-powermgt
3f101000-3f102fff (prio 0, i/o): bcm2835-cprman
3f104000-3f10400f (prio 0, i/o): bcm2835-rng
3f20-3f200fff (prio 0, i/o): bcm2835_gpio
3f201000-3f201fff (prio 0, i/o): pl011
3f202000-3f202fff (prio 0, i/o): bcm2835-sdhost
3f203000-3f2030ff (prio -1000, i/o): bcm2835-i2s
3f204000-3f20401f (prio -1000, i/o): bcm2835-spi0
3f205000-3f20501f (prio -1000, i/o): bcm2835-i2c0
3f20f000-3f20f07f (prio -1000, i/o): bcm2835-otp
3f212000-3f212007 (prio 0, i/o): bcm2835-thermal
3f214000-3f2140ff (prio -1000, i/o): bcm2835-spis
3f215000-3f2150ff (prio 0, i/o): bcm2835-aux
3f30-3f3000ff (prio 0, i/o): sdhci
3f60-3f6000ff (prio -1000, i/o): bcm2835-smi
3f804000-3f80401f (prio -1000, i/o): bcm2835-i2c1
3f805000-3f80501f (prio -1000, i/o): bcm2835-i2c2
3f90-3f907fff (prio -1000, i/o): bcm2835-dbus
3f91-3f917fff (prio -1000, i/o): bcm2835-ave0
3f98-3f990fff (prio 0, i/o): dwc2
  3f98-3f980fff (prio 0, i/o): dwc2-io
  3f981000-3f990fff (prio 0, i/o): dwc2-fifo
3fc0-3fc00fff (prio -1000, i/o): bcm2835-v3d
3fe0-3fe000ff (prio -1000, i/o): bcm2835-sdramc
3fe05000-3fe050ff (prio 0, i/o): bcm2835-dma-chan15
  4000-40ff (prio 0, i/o): bcm2836-control

  address-space: bcm2835-dma-memory
  address-space: bcm2835-fb-memory
  address-space: bcm2835-property-memory
  address-space: dwc2
- (prio 0, i/o): bcm2835-gpu
  -3fff (prio 0, ram): alias 
bcm2835-gpu-ram-alias[*] @ram -3fff
  4000-7fff (prio 0, ram): alias 
bcm2835-gpu-ram-alias[*] @ram -3fff
  7e00-7eff (prio 1, i/o): alias 
bcm2835-peripherals @bcm2835-peripherals -00ff
  8000-bfff (prio 0, ram): alias 
bcm2835-gpu-ram-alias[*] @ram -3fff
  c000- (prio 0, ram): alias 
bcm2835-gpu-ram-alias[*] @ram -3fff

  address-space: bcm2835-mbox-memory
-008f (prio 0, i/o): bcm2835-mbox
  0010-001f (prio 0, i/o): bcm2835-fb
  0080-008f (prio 0, i/o): bcm2835-property

  memory-region: ram
-3fff (prio 0, ram): ram

  memory-region: bcm2835-peripherals
3f00-3fff (prio 1, i/o): bcm2835-peripherals
  3f003000-3f00301f (prio 0, i/o): bcm2835-sys-timer
  

[PATCH v7 1/2] memory: Split mtree_info() as mtree_info_flatview() + mtree_info_as()

2021-09-04 Thread Philippe Mathieu-Daudé
While mtree_info() handles both ASes and flatviews cases,
the two cases share basically no code. Split mtree_info()
as mtree_info_flatview() + mtree_info_as() to simplify.

Suggested-by: Peter Maydell 
Reviewed-by: David Hildenbrand 
Reviewed-by: Peter Xu 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
 softmmu/memory.c | 87 ++--
 1 file changed, 48 insertions(+), 39 deletions(-)

diff --git a/softmmu/memory.c b/softmmu/memory.c
index bfedaf9c4df..5be7d5e7412 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
@@ -3246,50 +3246,50 @@ static gboolean mtree_info_flatview_free(gpointer key, 
gpointer value,
 return true;
 }
 
-void mtree_info(bool flatview, bool dispatch_tree, bool owner, bool disabled)
+static void mtree_info_flatview(bool dispatch_tree, bool owner)
+{
+struct FlatViewInfo fvi = {
+.counter = 0,
+.dispatch_tree = dispatch_tree,
+.owner = owner,
+};
+AddressSpace *as;
+FlatView *view;
+GArray *fv_address_spaces;
+GHashTable *views = g_hash_table_new(g_direct_hash, g_direct_equal);
+AccelClass *ac = ACCEL_GET_CLASS(current_accel());
+
+if (ac->has_memory) {
+fvi.ac = ac;
+}
+
+/* Gather all FVs in one table */
+QTAILQ_FOREACH(as, _spaces, address_spaces_link) {
+view = address_space_get_flatview(as);
+
+fv_address_spaces = g_hash_table_lookup(views, view);
+if (!fv_address_spaces) {
+fv_address_spaces = g_array_new(false, false, sizeof(as));
+g_hash_table_insert(views, view, fv_address_spaces);
+}
+
+g_array_append_val(fv_address_spaces, as);
+}
+
+/* Print */
+g_hash_table_foreach(views, mtree_print_flatview, );
+
+/* Free */
+g_hash_table_foreach_remove(views, mtree_info_flatview_free, 0);
+g_hash_table_unref(views);
+}
+
+static void mtree_info_as(bool dispatch_tree, bool owner, bool disabled)
 {
 MemoryRegionListHead ml_head;
 MemoryRegionList *ml, *ml2;
 AddressSpace *as;
 
-if (flatview) {
-FlatView *view;
-struct FlatViewInfo fvi = {
-.counter = 0,
-.dispatch_tree = dispatch_tree,
-.owner = owner,
-};
-GArray *fv_address_spaces;
-GHashTable *views = g_hash_table_new(g_direct_hash, g_direct_equal);
-AccelClass *ac = ACCEL_GET_CLASS(current_accel());
-
-if (ac->has_memory) {
-fvi.ac = ac;
-}
-
-/* Gather all FVs in one table */
-QTAILQ_FOREACH(as, _spaces, address_spaces_link) {
-view = address_space_get_flatview(as);
-
-fv_address_spaces = g_hash_table_lookup(views, view);
-if (!fv_address_spaces) {
-fv_address_spaces = g_array_new(false, false, sizeof(as));
-g_hash_table_insert(views, view, fv_address_spaces);
-}
-
-g_array_append_val(fv_address_spaces, as);
-}
-
-/* Print */
-g_hash_table_foreach(views, mtree_print_flatview, );
-
-/* Free */
-g_hash_table_foreach_remove(views, mtree_info_flatview_free, 0);
-g_hash_table_unref(views);
-
-return;
-}
-
 QTAILQ_INIT(_head);
 
 QTAILQ_FOREACH(as, _spaces, address_spaces_link) {
@@ -3310,6 +3310,15 @@ void mtree_info(bool flatview, bool dispatch_tree, bool 
owner, bool disabled)
 }
 }
 
+void mtree_info(bool flatview, bool dispatch_tree, bool owner, bool disabled)
+{
+if (flatview) {
+mtree_info_flatview(dispatch_tree, owner);
+} else {
+mtree_info_as(dispatch_tree, owner, disabled);
+}
+}
+
 void memory_region_init_ram(MemoryRegion *mr,
 Object *owner,
 const char *name,
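Review bot: the new mtree_info() wrapper silently ignores its "disabled" argument when "flatview" is true, because mtree_info_flatview() takes only dispatch_tree and owner. That matches the old inline branch, but the split makes it a good moment to document it: a short comment above mtree_info() saying that "disabled" applies only to the address-space view would save callers from assuming the flag has an effect on the flat-view listing.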
-- 
2.31.1




[PATCH v7 0/2] memory: Have 'info mtree' remove duplicated Address Space information

2021-09-04 Thread Philippe Mathieu-Daudé
Series fully reviewed.

Follow Peter Maydell's suggestions:
- Split mtree_info() as mtree_info_flatview() + mtree_info_as()
- Remove duplicated Address Space information

Since v6:
- Added missing vertical whitespace (rth)
- Added rth's R-b

Since v5:
- Fixed mess-up during v3->v4 (peterx)
  . Restore format
  . Remove unused 'int counter'

Since v4:
- Merged patches 1 & 2 (David)
- Remove unnecessary return void (David)
- Added David R-b

Since v3:
- Fix typos
- Split mtree_info_flatview() + mtree_info_as() first
- Rebased last patch keeping Peter's R-b tag

Since v2:
- Removed unused AddressSpaceInfo::counter

Since v1:
- List AS similarly to 'info mtree -f' (peterx)

checkpatch warning (81 chars):

  WARNING: line over 80 characters
  #86: FILE: softmmu/memory.c:3359:
  +  address_space_compare_name);

Philippe Mathieu-Daudé (2):
  memory: Split mtree_info() as mtree_info_flatview() + mtree_info_as()
  memory: Have 'info mtree' remove duplicated Address Space information

 softmmu/memory.c | 150 ++-
 1 file changed, 108 insertions(+), 42 deletions(-)

-- 
2.31.1





Re: [PATCH] hw/ssi: imx_spi: Improve chip select handling

2021-09-04 Thread Bin Meng
On Sun, Sep 5, 2021 at 1:13 AM Guenter Roeck  wrote:
>
> On 9/2/21 12:29 PM, Peter Maydell wrote:
> > On Thu, 2 Sept 2021 at 17:09, Guenter Roeck  wrote:
> >>
> >> On 9/2/21 8:58 AM, Peter Maydell wrote:
> >>> On Sun, 8 Aug 2021 at 02:34, Guenter Roeck  wrote:
> 
>  The control register does not really have a means to deselect
>  all chip selects directly. As result, CS is effectively never
>  deselected, and connected flash chips fail to perform read
>  operations since they don't get the expected chip select signals
>  to reset their state machine.
> 
>  Normally and per controller documentation one would assume that
>  chip select should be set whenever a transfer starts (XCH is
>  set or the tx fifo is written into), and that it should be disabled
>  whenever a transfer is complete. However, that does not work in
>  practice: attempts to implement this approach resulted in failures,
>  presumably because a single transaction can be split into multiple
>  transfers.
> 
>  At the same time, there is no explicit signal from the host indicating
>  if chip select should be active or not. In the absence of such a direct
>  signal, use the burst length written into the control register to
>  determine if an access is ongoing or not. Disable all chip selects
>  if the burst length field in the configuration register is set to 0,
>  and (re-)enable chip select if a transfer is started. This is possible
>  because the Linux driver clears the burst length field whenever it
>  prepares the controller for the next transfer.
>  This solution is less than perfect since it effectively only disables
>  chip select when initiating the next transfer, but it does work with
>  Linux and should otherwise do no harm.
> 
>  Stop complaining if the burst length field is set to a value of 0,
>  since that is done by Linux for every transfer.
> 
>  With this patch, a command line parameter such as "-drive
>  file=flash.sabre,format=raw,if=mtd" can be used to instantiate the
>  flash chip in the sabrelite emulation. Without this patch, the
>  flash instantiates, but it only reads zeroes.
> 
>  Signed-off-by: Guenter Roeck 
>  ---
>  I am not entirely happy with this solution, but it is the best I was
>  able to come up with. If anyone has a better idea, I'll be happy
>  to give it a try.
> 
> hw/ssi/imx_spi.c | 17 +++--
> 1 file changed, 7 insertions(+), 10 deletions(-)
> 
>  diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
>  index 189423bb3a..7a093156bd 100644
>  --- a/hw/ssi/imx_spi.c
>  +++ b/hw/ssi/imx_spi.c
>  @@ -167,6 +167,8 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
> DPRINTF("Begin: TX Fifo Size = %d, RX Fifo Size = %d\n",
> fifo32_num_used(>tx_fifo), 
>  fifo32_num_used(>rx_fifo));
> 
>  +qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);
>  +
> while (!fifo32_is_empty(>tx_fifo)) {
> int tx_burst = 0;
> 
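Review bot: the qemu_set_irq(..., 0) call added before the FIFO loop has no comment saying which level means "selected", and nothing in this hunk shows where the line returns to its inactive state. The commit message explains that deselection only happens on a later CONREG write with a burst length of 0; a short comment here stating that would make the asymmetry visible to the next reader of imx_spi_flush_txfifo().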
>  @@ -385,13 +387,6 @@ static void imx_spi_write(void *opaque, hwaddr 
>  offset, uint64_t value,
> case ECSPI_CONREG:
> s->regs[ECSPI_CONREG] = value;
> 
>  -burst = EXTRACT(s->regs[ECSPI_CONREG], 
>  ECSPI_CONREG_BURST_LENGTH) + 1;
>  -if (burst % 8) {
>  -qemu_log_mask(LOG_UNIMP,
>  -  "[%s]%s: burst length %d not supported: 
>  rounding up to next multiple of 8\n",
>  -  TYPE_IMX_SPI, __func__, burst);
>  -}
> >>>
> >>> Why has this log message been removed ?
> >>
> >> What I wanted to do is:
> >>
> >> "Stop complaining if the burst length field is set to a value of 0,
> >>since that is done by Linux for every transfer."
> >>
> >> What I did instead is to remove the message entirely.
> >>
> >> How about the rest of the patch ? Is it worth a resend with the message
> >> restored (except for burst size == 0), or is it not acceptable anyway ?
> >
> > I did the easy bit of the code review because answering this
> > question is probably a multiple-hour job...this is still on my
> > todo list, but I'm hoping somebody who understands the MIX
> > SPI device gets to it first.
> >
>
> Makes sense. Of course, it would be even better if someone can explain
> how this works on real hardware.
>

I happened to notice this patch today. Better to cc people who once
worked on this part from "git blame" or "git log".

> In this context, it would be useful to know if real SPI flash chips
> reset their state to idle under some conditions which are not covered
> by the current code in hw/block/m25p80.c. Maybe the real problem is
> as simple as that code setting data_read_loop when it should not,
> or that it doesn't reset that flag when it should (unless I am 

Re: [PATCH] MAINTAINERS: add myself as partial audio reviewer

2021-09-04 Thread Philippe Mathieu-Daudé
On 9/4/21 3:13 PM, Christian Schoenebeck wrote:
> Volunteering as reviewer for some of the audio backends; namely
> ALSA, CoreAudio and JACK.
> 
> Signed-off-by: Christian Schoenebeck 
> ---
>  MAINTAINERS | 3 +++
>  1 file changed, 3 insertions(+)

Thanks!

Reviewed-by: Philippe Mathieu-Daudé 



Re: [PULL 00/14] aspeed queue

2021-09-04 Thread Philippe Mathieu-Daudé
On 9/4/21 7:33 AM, Cédric Le Goater wrote:
> On 9/3/21 10:41 PM, Philippe Mathieu-Daudé wrote:
>> Hi Peter,
>>
>> On 9/3/21 9:40 PM, Cédric Le Goater wrote:
>>> The following changes since commit 8880cc4362fde4ecdac0b2092318893118206fcf:
>>>
>>>   Merge remote-tracking branch 'remotes/cschoenebeck/tags/pull-9p-20210902' 
>>> into staging (2021-09-03 08:27:38 +0100)
>>>
>>> are available in the Git repository at:
>>>
>>>   https://github.com/legoater/qemu/ tags/pull-aspeed-20210903
>>>
>>> for you to fetch changes up to 907796622b2a6b945c87641d94e254ac898b96ae:
>>>
>>>   hw/arm/aspeed: Add Fuji machine type (2021-09-03 18:43:16 +0200)
>>>
>>> 
>>> Aspeed patches :
>>>
>>> * MAC enablement fixes (Guenter)
>>> * Watchdog and pca9552 fixes (Andrew)
>>> * GPIO fixes (Joel)
>>> * AST2600A3 SoC and DPS310 models (Joel)
>>> * New Fuji BMC machine (Peter)
>>>
>>> 
>>
>>> Peter Delevoryas (3):
>>>   hw/arm/aspeed: Initialize AST2600 UART clock selection registers
>>>   hw/arm/aspeed: Allow machine to set UART default
>>>   hw/arm/aspeed: Add Fuji machine type
>>
>> I have a pending question with the last patch, do you mind holding
>> this PR until it is resolved with Cédric and the patch author please?
>>
>> Thanks,
>>
>> Phil.
>>
> 
> I guess we can drop the following from the commit log : 
> 
>   git clone https://github.com/facebook/openbmc
>   cd openbmc
>   ./sync_yocto.sh
>   source openbmc-init-build-env fuji build-fuji
>   bitbake fuji-image
>   dd if=/dev/zero of=/tmp/fuji.mtd bs=1M count=128
>   dd if=./tmp/deploy/images/fuji/flash-fuji of=/tmp/fuji.mtd \
>   bs=1k conv=notrunc
>   
>   git clone --branch aspeed-next https://github.com/peterdelevoryas/qemu
>   cd qemu
>   ./configure --target-list=arm-softmmu --disable-vnc
>   make -j $(nproc)
>   ./build/arm-softmmu/qemu-system-arm \
>   -machine fuji-bmc \
>   -drive file=/tmp/fuji.mtd,format=raw,if=mtd \
>   -serial stdio \
>   -nic user,hostfwd=::-:22
>   sshpass -p 0penBmc ssh root@localhost -p 

Sounds good. Eventually document that in docs/system/arm/aspeed.rst
in a follow up patch?

Regards,

Phil.



[PULL 15/35] vhost: correctly detect the enabling IOMMU

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

Vhost used to compare the dma_as against the address_space_memory to
detect whether the IOMMU is enabled or not. This might not work well
since the virtio-bus may call get_dma_as if VIRTIO_F_IOMMU_PLATFORM is
set without an actual IOMMU enabled when device is plugged. In the
case of PCI where pci_get_address_space() is used, the bus master as
is returned. So vhost actually tries to enable device IOTLB even if
the IOMMU is not enabled. This will lead to lots of unnecessary
transactions between vhost and Qemu and will introduce a huge drop of
the performance.

For PCI, an ideal approach is to use pci_device_iommu_address_space()
just for get_dma_as. But Qemu may choose to initialize the IOMMU after
the virtio-pci, which leads to a wrong address space being returned when
the device is plugged. So this patch switches to a transport-specific way via
iommu_enabled() to detect the IOMMU during vhost start. In this case,
we are fine since we know the IOMMU is initialized correctly.

Signed-off-by: Jason Wang 
Message-Id: <20210804034803.1644-4-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index e21e144510..b4b29413e6 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -315,7 +315,7 @@ static int vhost_dev_has_iommu(struct vhost_dev *dev)
  * does not have IOMMU, there's no need to enable this feature
  * which may cause unnecessary IOTLB miss/update trnasactions.
  */
-return vdev->dma_as != _space_memory &&
+return virtio_bus_device_iommu_enabled(vdev) &&
virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
 }
 
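Review bot: on the changed return line, virtio_bus_device_iommu_enabled() returns false whenever the bus class does not implement iommu_enabled (see its definition in the virtio-bus patch of this series), so a transport without the callback now never enables device IOTLB even when VIRTIO_F_IOMMU_PLATFORM is offered. Please state in the comment above the return, or in the commit message, which transports implement the callback and that this default is intended. The "trnasactions" typo in that comment could be fixed while the function is being touched.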
-- 
MST




[PULL 08/35] vhost-user: add missing space in error message

2021-09-04 Thread Michael S. Tsirkin
From: Alyssa Ross 

This would previously give error messages like

> Received unexpected msg type.Expected 0 received 1

Signed-off-by: Alyssa Ross 
Message-Id: <20210806143926.315725-1...@alyssa.is>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost-user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index a4eb6cde7e..360d9bc040 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -429,7 +429,7 @@ static int process_message_reply(struct vhost_dev *dev,
 }
 
 if (msg_reply.hdr.request != msg->hdr.request) {
-error_report("Received unexpected msg type."
+error_report("Received unexpected msg type. "
  "Expected %d received %d",
  msg->hdr.request, msg_reply.hdr.request);
 return -1;
-- 
MST




[PULL 35/35] vhost-vdpa: remove the unncessary queue_index assignment

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

The queue_index of NetClientState should be assigned in set_netdev()
afterwards, so trying to net_vhost_vdpa_init() is meaningless. This
patch removes this.

Reviewed-by: Stefano Garzarella 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-12-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index d02cad9855..912686457c 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -165,7 +165,6 @@ static int net_vhost_vdpa_init(NetClientState *peer, const 
char *device,
 assert(name);
 nc = qemu_new_net_client(_vhost_vdpa_info, peer, device, name);
 snprintf(nc->info_str, sizeof(nc->info_str), TYPE_VHOST_VDPA);
-nc->queue_index = 0;
 s = DO_UPCAST(VhostVDPAState, nc, nc);
 vdpa_device_fd = qemu_open_old(vhostdev, O_RDWR);
 if (vdpa_device_fd == -1) {
-- 
MST




[PULL 32/35] vhost-vdpa: fix leaking of vhost_net in vhost_vdpa_add()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

Fixes: 1e0a84ea49b68 ("vhost-vdpa: introduce vhost-vdpa net client")
Reviewed-by: Stefano Garzarella 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-9-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 3213e69d63..b43df00a85 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -110,6 +110,7 @@ static int vhost_vdpa_add(NetClientState *ncs, void *be)
 err:
 if (net) {
 vhost_net_cleanup(net);
+g_free(net);
 }
 return -1;
 }
-- 
MST




[PULL 33/35] vhost-vdpa: tweak the error label in vhost_vdpa_add()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

Introduce new error label to avoid the unnecessary checking of net
pointer.

Fixes: 1e0a84ea49b68 ("vhost-vdpa: introduce vhost-vdpa net client")
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-10-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index b43df00a85..99327d17b4 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -99,19 +99,18 @@ static int vhost_vdpa_add(NetClientState *ncs, void *be)
 net = vhost_net_init();
 if (!net) {
 error_report("failed to init vhost_net for queue");
-goto err;
+goto err_init;
 }
 s->vhost_net = net;
 ret = vhost_vdpa_net_check_device_id(net);
 if (ret) {
-goto err;
+goto err_check;
 }
 return 0;
-err:
-if (net) {
-vhost_net_cleanup(net);
-g_free(net);
-}
+err_check:
+vhost_net_cleanup(net);
+g_free(net);
+err_init:
 return -1;
 }
 
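Review bot: in the err_check path net is cleaned up and freed, but s->vhost_net was set to net just before vhost_vdpa_net_check_device_id() and is left pointing at the freed object. Clear it with s->vhost_net = NULL before returning, or move the s->vhost_net = net assignment to after the device-id check has succeeded.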
-- 
MST




[PULL 31/35] vhost-vdpa: don't cleanup twice in vhost_vdpa_add()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

The previous vhost_net_cleanup is sufficient for freeing, calling
vhost_vdpa_del() in this case will lead to an extra round of free. Note
that this kind of "double free" is safe since vhost_dev_cleanup() zeroes
the whole structure.

Reviewed-by: Stefano Garzarella 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-8-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 11 ---
 1 file changed, 11 deletions(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 5c09cacd5a..3213e69d63 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -81,16 +81,6 @@ static int vhost_vdpa_net_check_device_id(struct vhost_net 
*net)
 return ret;
 }
 
-static void vhost_vdpa_del(NetClientState *ncs)
-{
-VhostVDPAState *s;
-assert(ncs->info->type == NET_CLIENT_DRIVER_VHOST_VDPA);
-s = DO_UPCAST(VhostVDPAState, nc, ncs);
-if (s->vhost_net) {
-vhost_net_cleanup(s->vhost_net);
-}
-}
-
 static int vhost_vdpa_add(NetClientState *ncs, void *be)
 {
 VhostNetOptions options;
@@ -121,7 +111,6 @@ err:
 if (net) {
 vhost_net_cleanup(net);
 }
-vhost_vdpa_del(ncs);
 return -1;
 }
 
-- 
MST




[PULL 34/35] vhost-vdpa: fix the wrong assertion in vhost_vdpa_init()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

Vhost_vdpa_add() can fail for various reasons, so asserting that it
succeeded is wrong. Instead, we should free the NetClientState and
propagate the error to the caller.

Reviewed-by: Stefano Garzarella 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-11-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 99327d17b4..d02cad9855 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -173,7 +173,10 @@ static int net_vhost_vdpa_init(NetClientState *peer, const 
char *device,
 }
 s->vhost_vdpa.device_fd = vdpa_device_fd;
 ret = vhost_vdpa_add(nc, (void *)>vhost_vdpa);
-assert(s->vhost_net);
+if (ret) {
+qemu_close(vdpa_device_fd);
+qemu_del_net_client(nc);
+}
 return ret;
 }
 
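Review bot: in the new error branch, s->vhost_vdpa.device_fd was assigned vdpa_device_fd two lines earlier and still holds that descriptor number after qemu_close(). If the net client's cleanup callback, reached through qemu_del_net_client(nc), also closes device_fd, the descriptor is closed twice and may by then belong to something else. Either reset s->vhost_vdpa.device_fd to -1 before qemu_del_net_client(nc), or drop the explicit qemu_close() and let cleanup own the descriptor.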
-- 
MST




[PULL 29/35] vhost_net: do not assume nvqs is always 2

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

This patch switches to initialize dev.nvqs from the VhostNetOptions
instead of assuming it was 2. This is useful for implementing control
virtqueue support which will be a single vhost_net structure with a
single cvq.

Note that nvqs is still set to 2 for all users and this patch does not
change functionality.

Reviewed-by: Stefano Garzarella 
Reviewed-by: Eli Cohen 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-6-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/net/vhost_net.h | 1 +
 hw/net/vhost_net.c  | 2 +-
 net/tap.c   | 1 +
 net/vhost-user.c| 1 +
 net/vhost-vdpa.c| 1 +
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/net/vhost_net.h b/include/net/vhost_net.h
index 172b0051d8..fba40cf695 100644
--- a/include/net/vhost_net.h
+++ b/include/net/vhost_net.h
@@ -14,6 +14,7 @@ typedef struct VhostNetOptions {
 VhostBackendType backend_type;
 NetClientState *net_backend;
 uint32_t busyloop_timeout;
+unsigned int nvqs;
 void *opaque;
 } VhostNetOptions;
 
diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
index 6ed0c39836..386ec2eaa2 100644
--- a/hw/net/vhost_net.c
+++ b/hw/net/vhost_net.c
@@ -165,9 +165,9 @@ struct vhost_net *vhost_net_init(VhostNetOptions *options)
 goto fail;
 }
 net->nc = options->net_backend;
+net->dev.nvqs = options->nvqs;
 
 net->dev.max_queues = 1;
-net->dev.nvqs = 2;
 net->dev.vqs = net->vqs;
 
 if (backend_kernel) {
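Review bot: net->dev.nvqs is now taken from options->nvqs with no check, while net->dev.vqs two lines below still points at net->vqs. If that array is sized for two queues, a caller passing a larger value would make later per-queue loops run past it. Add an assert or an error return on options->nvqs here, and consider rejecting 0 too, since a caller that was not updated for the new field would leave it unset.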
diff --git a/net/tap.c b/net/tap.c
index f5686bbf77..f716be3e3f 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -749,6 +749,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 qemu_set_nonblock(vhostfd);
 }
 options.opaque = (void *)(uintptr_t)vhostfd;
+options.nvqs = 2;
 
 s->vhost_net = vhost_net_init();
 if (!s->vhost_net) {
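Review bot: options.nvqs = 2 is a bare literal here and is repeated in the vhost-user and vhost-vdpa callers of this patch. A named constant shared by the three callers would keep them in step and make the control-virtqueue change announced in the commit message easier to review.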
diff --git a/net/vhost-user.c b/net/vhost-user.c
index 6adfcd623a..4a939124d2 100644
--- a/net/vhost-user.c
+++ b/net/vhost-user.c
@@ -85,6 +85,7 @@ static int vhost_user_start(int queues, NetClientState *ncs[],
 options.net_backend = ncs[i];
 options.opaque  = be;
 options.busyloop_timeout = 0;
+options.nvqs = 2;
 net = vhost_net_init();
 if (!net) {
 error_report("failed to init vhost_net for queue %d", i);
diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 72829884d7..395117debd 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -104,6 +104,7 @@ static int vhost_vdpa_add(NetClientState *ncs, void *be)
 options.net_backend = ncs;
 options.opaque  = be;
 options.busyloop_timeout = 0;
+options.nvqs = 2;
 
 net = vhost_net_init();
 if (!net) {
-- 
MST




[PULL 26/35] vhost-vdpa: correctly return err in vhost_vdpa_set_backend_cap()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

We should return error code instead of zero, otherwise there's no way
for the caller to detect the failure.

Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-3-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost-vdpa.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index ca1227e5dc..7633ea66d1 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -443,13 +443,13 @@ static int vhost_vdpa_set_backend_cap(struct vhost_dev 
*dev)
 int r;
 
 if (vhost_vdpa_call(dev, VHOST_GET_BACKEND_FEATURES, )) {
-return 0;
+return -EFAULT;
 }
 
 features &= f;
 r = vhost_vdpa_call(dev, VHOST_SET_BACKEND_FEATURES, );
 if (r) {
-return 0;
+return -EFAULT;
 }
 
 dev->backend_cap = features;
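Review bot: both error returns use a fixed -EFAULT, and in the second one r already holds the result of the VHOST_SET_BACKEND_FEATURES call but is dropped. If vhost_vdpa_call() reports a negative errno value, return it (return r, and capture the result of the GET call the same way) so the caller sees the real cause; if it does not, say in the commit message why -EFAULT was chosen.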
-- 
MST




[PULL 30/35] vhost-vdpa: remove the unnecessary check in vhost_vdpa_add()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

The VhostVDPAState is just allocated by qemu_new_net_client() via
g_malloc0() in net_vhost_vdpa_init(). So s->vhost_net is NULL for
sure, let's remove this unnecessary check in vhost_vdpa_add().

Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-7-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 395117debd..5c09cacd5a 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -111,10 +111,6 @@ static int vhost_vdpa_add(NetClientState *ncs, void *be)
 error_report("failed to init vhost_net for queue");
 goto err;
 }
-if (s->vhost_net) {
-vhost_net_cleanup(s->vhost_net);
-g_free(s->vhost_net);
-}
 s->vhost_net = net;
 ret = vhost_vdpa_net_check_device_id(net);
 if (ret) {
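Review bot: with the block removed, the invariant the commit message relies on (s->vhost_net is NULL on entry) is no longer visible in the code. An assert(!s->vhost_net) before the s->vhost_net = net assignment would document it and catch a future second call to vhost_vdpa_add(), which would otherwise silently leak the previous vhost_net.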
-- 
MST




[PULL 25/35] vhost-vdpa: remove unused variable "acked_features"

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

"acked_features" is unused, let's remove that.

Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-2-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 net/vhost-vdpa.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 19187dce8c..72829884d7 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -29,7 +29,6 @@ typedef struct VhostVDPAState {
 NetClientState nc;
 struct vhost_vdpa vhost_vdpa;
 VHostNetState *vhost_net;
-uint64_t acked_features;
 bool started;
 } VhostVDPAState;
 
-- 
MST




[PULL 22/35] hw/virtio: Add flatview update in vhost_user_cleanup()

2021-09-04 Thread Michael S. Tsirkin
From: Yuwei Zhang 

Qemu will crash on vhost backend unexpected exit and re-connect
in some cases due to accessing released memory.

Signed-off-by: Yuwei Zhang 
Message-Id: <20210830123433.45727-1-zhangyuwei.9...@bytedance.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost-user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 360d9bc040..2c8556237f 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -2480,7 +2480,7 @@ void vhost_user_cleanup(VhostUserState *user)
 if (!user->chr) {
 return;
 }
-
+memory_region_transaction_begin();
 for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
 if (user->notifier[i].addr) {
 object_unparent(OBJECT(>notifier[i].mr));
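Review bot: memory_region_transaction_begin() is added without a comment, and the commit message only says "access released memory". Please add a comment above the call saying which object is touched after release and why deferring the flatview update until after the loop avoids that. The early return on !user->chr sits before the begin call, so the begin/commit pair stays balanced.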
@@ -2488,6 +2488,7 @@ void vhost_user_cleanup(VhostUserState *user)
 user->notifier[i].addr = NULL;
 }
 }
+memory_region_transaction_commit();
 user->chr = NULL;
 }
 
-- 
MST




[PULL 21/35] hw/virtio: Remove NULL check in virtio_free_region_cache()

2021-09-04 Thread Michael S. Tsirkin
From: Philippe Mathieu-Daudé 

virtio_free_region_cache() is called within call_rcu(),
always with a non-NULL argument. Ensure new code keeps it
that way by replacing the NULL check with an assertion.
Add a comment that this function is called within call_rcu().

Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210826172658.2116840-3-phi...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Stefano Garzarella 
Reviewed-by: Stefan Hajnoczi 
---
 hw/virtio/virtio.c | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index a5214bca61..3a1f6c520c 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -133,12 +133,10 @@ struct VirtQueue
 QLIST_ENTRY(VirtQueue) node;
 };
 
+/* Called within call_rcu().  */
 static void virtio_free_region_cache(VRingMemoryRegionCaches *caches)
 {
-if (!caches) {
-return;
-}
-
+assert(caches != NULL);
 address_space_cache_destroy(>desc);
 address_space_cache_destroy(>avail);
 address_space_cache_destroy(>used);
-- 
MST




[PULL 28/35] vhost: use unsigned int for nvqs

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

Switch to use unsigned int for nvqs since it's not expected to be
negative.

Reviewed-by: Eli Cohen 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-5-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/virtio/vhost.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
index 5ee306568b..1a9fc65089 100644
--- a/include/hw/virtio/vhost.h
+++ b/include/hw/virtio/vhost.h
@@ -71,7 +71,7 @@ struct vhost_dev {
 int n_tmp_sections;
 MemoryRegionSection *tmp_sections;
 struct vhost_virtqueue *vqs;
-int nvqs;
+unsigned int nvqs;
 /* the first virtqueue which would be used by this vhost dev */
 int vq_index;
 /* if non-zero, minimum required value for max_queues */
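Review bot: nvqs becomes unsigned int while vq_index, two lines below, stays int, so any expression that mixes the two, or compares nvqs with a signed loop counter, now converts the signed operand to unsigned. The patch changes only the declaration; please confirm the users were audited, or state in the commit message that none of them depend on signed arithmetic.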
-- 
MST




[PULL 24/35] tests/vhost-user-bridge.c: Fix typo in help message

2021-09-04 Thread Michael S. Tsirkin
From: Peter Maydell 

Fix a typo in the help message printed by vhost-user-bridge.

Signed-off-by: Peter Maydell 
Message-Id: <20210901152713.25701-1-peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Marc-André Lureau 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 tests/vhost-user-bridge.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/vhost-user-bridge.c b/tests/vhost-user-bridge.c
index cb009545fa..35088dd67f 100644
--- a/tests/vhost-user-bridge.c
+++ b/tests/vhost-user-bridge.c
@@ -831,7 +831,7 @@ main(int argc, char *argv[])
 out:
 fprintf(stderr, "Usage: %s ", argv[0]);
 fprintf(stderr, "[-c] [-H] [-u ud_socket_path] [-l lhost:lport] [-r 
rhost:rport]\n");
-fprintf(stderr, "\t-u path to unix doman socket. default: %s\n",
+fprintf(stderr, "\t-u path to unix domain socket. default: %s\n",
 DEFAULT_UD_SOCKET);
 fprintf(stderr, "\t-l local host and port. default: %s:%s\n",
 DEFAULT_LHOST, DEFAULT_LPORT);
-- 
MST




[PULL 13/35] virtio-bus: introduce iommu_enabled()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

This patch introduces a new method for the virtio-bus for the transport
to report whether or not the IOMMU is enabled for the device.

Signed-off-by: Jason Wang 
Message-Id: <20210804034803.1644-2-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/virtio/virtio-bus.h |  4 +++-
 hw/virtio/virtio-bus.c | 14 ++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/include/hw/virtio/virtio-bus.h b/include/hw/virtio/virtio-bus.h
index ef8abe49c5..7ab8c9dab0 100644
--- a/include/hw/virtio/virtio-bus.h
+++ b/include/hw/virtio/virtio-bus.h
@@ -93,6 +93,7 @@ struct VirtioBusClass {
  */
 bool has_variable_vring_alignment;
 AddressSpace *(*get_dma_as)(DeviceState *d);
+bool (*iommu_enabled)(DeviceState *d);
 };
 
 struct VirtioBusState {
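Review bot: the new iommu_enabled member is added without a comment describing its contract. The implementation later in this patch passes qbus->parent as the DeviceState and treats a NULL callback as "IOMMU disabled"; both facts belong in a comment next to the member so that transport authors know what they receive and what happens if they leave it unset.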
@@ -154,5 +155,6 @@ void virtio_bus_release_ioeventfd(VirtioBusState *bus);
 int virtio_bus_set_host_notifier(VirtioBusState *bus, int n, bool assign);
 /* Tell the bus that the ioeventfd handler is no longer required. */
 void virtio_bus_cleanup_host_notifier(VirtioBusState *bus, int n);
-
+/* Whether the IOMMU is enabled for this device */
+bool virtio_bus_device_iommu_enabled(VirtIODevice *vdev);
 #endif /* VIRTIO_BUS_H */
diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
index 859978d248..d23db98c56 100644
--- a/hw/virtio/virtio-bus.c
+++ b/hw/virtio/virtio-bus.c
@@ -325,6 +325,20 @@ static char *virtio_bus_get_fw_dev_path(DeviceState *dev)
 return NULL;
 }
 
+bool virtio_bus_device_iommu_enabled(VirtIODevice *vdev)
+{
+DeviceState *qdev = DEVICE(vdev);
+BusState *qbus = BUS(qdev_get_parent_bus(qdev));
+VirtioBusState *bus = VIRTIO_BUS(qbus);
+VirtioBusClass *klass = VIRTIO_BUS_GET_CLASS(bus);
+
+if (!klass->iommu_enabled) {
+return false;
+}
+
+return klass->iommu_enabled(qbus->parent);
+}
+
 static void virtio_bus_class_init(ObjectClass *klass, void *data)
 {
 BusClass *bus_class = BUS_CLASS(klass);
-- 
MST




[PULL 27/35] vhost_net: remove the meaningless assignment in vhost_net_start_one()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

The nvqs and vqs have been initialized during vhost_net_init() and are
not expected to change during the life cycle of vhost_net
structure. So this patch removes the meaningless assignment.

Reviewed-by: Eli Cohen 
Signed-off-by: Jason Wang 
Message-Id: <20210903091031.47303-4-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/net/vhost_net.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
index 10a7780a13..6ed0c39836 100644
--- a/hw/net/vhost_net.c
+++ b/hw/net/vhost_net.c
@@ -242,9 +242,6 @@ static int vhost_net_start_one(struct vhost_net *net,
 struct vhost_vring_file file = { };
 int r;
 
-net->dev.nvqs = 2;
-net->dev.vqs = net->vqs;
-
 r = vhost_dev_enable_notifiers(>dev, dev);
 if (r < 0) {
 goto fail_notifiers;
-- 
MST




[PULL 17/35] hw/pci: remove all references to find_i440fx function

2021-09-04 Thread Michael S. Tsirkin
From: Ani Sinha 

Commit c0e427d6eb5fefc538 ("hw/acpi/ich9: Enable ACPI PCI hot-plug") removed all
uses of the find_i440fx() function. This has been replaced by the more generic call
acpi_get_i386_pci_host() which may be able to find the root bus both for the i440fx
machine type as well as for the q35 machine type. There no longer seems to be any
need to maintain an i440fx-specific version of the API call. Remove it.

Tested by building from a clean tree successfully.

Signed-off-by: Ani Sinha 
Reviewed-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20210825031949.919376-2-...@anisinha.ca>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/pci-host/i440fx.h | 1 -
 hw/pci-host/i440fx.c | 6 --
 stubs/pci-host-piix.c| 7 ---
 stubs/meson.build| 1 -
 4 files changed, 15 deletions(-)
 delete mode 100644 stubs/pci-host-piix.c

diff --git a/include/hw/pci-host/i440fx.h b/include/hw/pci-host/i440fx.h
index 7fcfd9485c..f068aaba8f 100644
--- a/include/hw/pci-host/i440fx.h
+++ b/include/hw/pci-host/i440fx.h
@@ -45,6 +45,5 @@ PCIBus *i440fx_init(const char *host_type, const char 
*pci_type,
 MemoryRegion *pci_memory,
 MemoryRegion *ram_memory);
 
-PCIBus *find_i440fx(void);
 
 #endif
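Review bot: removing the find_i440fx() prototype leaves two consecutive blank lines before #endif. Drop one of them in the same hunk.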
diff --git a/hw/pci-host/i440fx.c b/hw/pci-host/i440fx.c
index cd87e21a9b..e08716142b 100644
--- a/hw/pci-host/i440fx.c
+++ b/hw/pci-host/i440fx.c
@@ -314,12 +314,6 @@ PCIBus *i440fx_init(const char *host_type, const char 
*pci_type,
 return b;
 }
 
-PCIBus *find_i440fx(void)
-{
-PCIHostState *s = PCI_HOST_BRIDGE(object_resolve_path("/machine/i440fx", 
NULL));
-return s ? s->bus : NULL;
-}
-
 static void i440fx_class_init(ObjectClass *klass, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
diff --git a/stubs/pci-host-piix.c b/stubs/pci-host-piix.c
deleted file mode 100644
index 93975adbfe..00
--- a/stubs/pci-host-piix.c
+++ /dev/null
@@ -1,7 +0,0 @@
-#include "qemu/osdep.h"
-#include "hw/pci-host/i440fx.h"
-
-PCIBus *find_i440fx(void)
-{
-return NULL;
-}
diff --git a/stubs/meson.build b/stubs/meson.build
index 275ac89c16..beee31ec73 100644
--- a/stubs/meson.build
+++ b/stubs/meson.build
@@ -26,7 +26,6 @@ stub_ss.add(files('module-opts.c'))
 stub_ss.add(files('monitor.c'))
 stub_ss.add(files('monitor-core.c'))
 stub_ss.add(files('pci-bus.c'))
-stub_ss.add(files('pci-host-piix.c'))
 stub_ss.add(files('qemu-timer-notify-cb.c'))
 stub_ss.add(files('qmp_memory_device.c'))
 stub_ss.add(files('qmp-command-available.c'))
-- 
MST




[PULL 18/35] hw/acpi: use existing references to pci device struct within functions

2021-09-04 Thread Michael S. Tsirkin
From: Ani Sinha 

There is no need to use fresh typecasts to get references to pci device structs
when there is an existing reference to pci device struct. Use the existing
reference. Minor cleanup.

Signed-off-by: Ani Sinha 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20210825031949.919376-3-...@anisinha.ca>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/acpi/pcihp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index f4d706e47d..f610a25d2e 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -283,7 +283,7 @@ void acpi_pcihp_device_pre_plug_cb(HotplugHandler 
*hotplug_dev,
 
 /* Only hotplugged devices need the hotplug capability. */
 if (dev->hotplugged &&
-acpi_pcihp_get_bsel(pci_get_bus(PCI_DEVICE(dev))) < 0) {
+acpi_pcihp_get_bsel(pci_get_bus(pdev)) < 0) {
 error_setg(errp, "Unsupported bus. Bus doesn't have property '"
ACPI_PCIHP_PROP_BSEL "' set");
 return;
@@ -363,8 +363,8 @@ void acpi_pcihp_device_unplug_cb(HotplugHandler 
*hotplug_dev, AcpiPciHpState *s,
 {
 PCIDevice *pdev = PCI_DEVICE(dev);
 
-trace_acpi_pci_unplug(PCI_SLOT(PCI_DEVICE(dev)->devfn),
-  acpi_pcihp_get_bsel(pci_get_bus(PCI_DEVICE(dev;
+trace_acpi_pci_unplug(PCI_SLOT(pdev->devfn),
+  acpi_pcihp_get_bsel(pci_get_bus(pdev)));
 
 /*
  * clean up acpi-index so it could reused by another device
-- 
MST




[PULL 11/35] virtio-balloon: don't start free page hinting if postcopy is possible

2021-09-04 Thread Michael S. Tsirkin
From: David Hildenbrand 

Postcopy never worked properly with 'free-page-hint=on', as there are
at least two issues:

1) With postcopy, the guest will never receive a VIRTIO_BALLOON_CMD_ID_DONE
   and consequently won't release free pages back to the OS once
   migration finishes.

   The issue is that for postcopy, we won't do a final bitmap sync while
   the guest is stopped on the source and
   virtio_balloon_free_page_hint_notify() will only call
   virtio_balloon_free_page_done() on the source during
   PRECOPY_NOTIFY_CLEANUP, after the VM state was already migrated to
   the destination.

2) Once the VM touches a page on the destination that has been excluded
   from migration on the source via qemu_guest_free_page_hint() while
   postcopy is active, that thread will stall until postcopy finishes
   and all threads are woken up. (with older Linux kernels that won't
   retry faults when woken up via userfaultfd, we might actually get a
   SEGFAULT)

   The issue is that the source will refuse to migrate any pages that
   are not marked as dirty in the dirty bmap -- for example, because the
   page might just have been sent. Consequently, the faulting thread will
   stall, waiting for the page to be migrated -- which could take quite
   a while and result in guest OS issues.

While we could fix 1) comparatively easily, 2) is harder to get right and
might require more involved RAM migration changes on source and destination
[1].

As it never worked properly, let's not start free page hinting in the
precopy notifier if the postcopy migration capability was enabled to fix
it easily. Capabilities cannot be enabled once migration is already
running.

Note 1: in the future we might either adjust migration code on the source
to track pages that have actually been sent or adjust
migration code on source and destination to eventually send
pages multiple times from the source and deal with pages
that are sent multiple times on the destination.

Note 2: virtio-mem has similar issues, however, access to "unplugged"
memory by the guest is very rare and we would have to be very
lucky for it to happen during migration. The spec states
"The driver SHOULD NOT read from unplugged memory blocks ..."
and "The driver MUST NOT write to unplugged memory blocks".
virtio-mem will move away from virtio_balloon_free_page_done()
soon and handle this case explicitly on the destination.

[1] https://lkml.kernel.org/r/e79fd18c-aa62-c1d8-c7f3-ba3fc2c25...@redhat.com

Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Cc: qemu-sta...@nongnu.org
Cc: Wei Wang 
Cc: Michael S. Tsirkin 
Cc: Philippe Mathieu-Daudé 
Cc: Alexander Duyck 
Cc: Juan Quintela 
Cc: "Dr. David Alan Gilbert" 
Cc: Peter Xu 
Signed-off-by: David Hildenbrand 
Message-Id: <20210708095339.20274-2-da...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Peter Xu 
---
 hw/virtio/virtio-balloon.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 4b5d9e5e50..ae7867a8db 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -30,6 +30,7 @@
 #include "trace.h"
 #include "qemu/error-report.h"
 #include "migration/misc.h"
+#include "migration/migration.h"
 
 #include "hw/virtio/virtio-bus.h"
 #include "hw/virtio/virtio-access.h"
@@ -662,6 +663,18 @@ virtio_balloon_free_page_hint_notify(NotifierWithReturn 
*n, void *data)
 return 0;
 }
 
+/*
+ * Pages hinted via qemu_guest_free_page_hint() are cleared from the dirty
+ * bitmap and will not get migrated, especially also not when the postcopy
+ * destination starts using them and requests migration from the source; 
the
+ * faulting thread will stall until postcopy migration finishes and
+ * all threads are woken up. Let's not start free page hinting if postcopy
+ * is possible.
+ */
+if (migrate_postcopy_ram()) {
+return 0;
+}
+
 switch (pnd->reason) {
 case PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC:
 virtio_balloon_free_page_stop(dev);
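
Review bot: The new `if (migrate_postcopy_ram())` early return sits ahead of the whole `switch (pnd->reason)`, so with the capability set every notification is ignored, including the virtio_balloon_free_page_stop() call under PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, not only the one that would start hinting. That is safe only if hinting can never have been started, which rests on the commit message's statement that capabilities cannot be enabled once migration is running. The added comment explains why hinting is harmful with postcopy but not why skipping the stop path is harmless; please state that dependency in the comment.
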
-- 
MST




[PULL 19/35] MAINTAINERS: Added myself as a reviewer for acpi/smbios subsystem

2021-09-04 Thread Michael S. Tsirkin
From: Ani Sinha 

I have developed an interest in this space and hopefully can lend some
helping hand to Igor and Michael in reviewing simpler patches.

Signed-off-by: Ani Sinha 
Reviewed-by: Philippe Mathieu-Daudé 
Acked-by: Igor Mammedov 
Message-Id: <20210825031949.919376-4-...@anisinha.ca>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 5d923a6544..6c20634d63 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1751,6 +1751,7 @@ F: docs/specs/*pci*
 ACPI/SMBIOS
 M: Michael S. Tsirkin 
 M: Igor Mammedov 
+R: Ani Sinha 
 S: Supported
 F: include/hw/acpi/*
 F: include/hw/firmware/smbios.h
-- 
MST




[PULL 23/35] tests/vhost-user-bridge.c: Sanity check socket path length

2021-09-04 Thread Michael S. Tsirkin
From: Peter Maydell 

The vhost-user-bridge binary accepts a UNIX socket path on
the command line. Sanity check that this is short enough to
fit into a sockaddr_un before copying it in.

Fixes: Coverity CID 1432866
Signed-off-by: Peter Maydell 
Message-Id: <20210901152632.25511-1-peter.mayd...@linaro.org>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Marc-André Lureau 
---
 tests/vhost-user-bridge.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/tests/vhost-user-bridge.c b/tests/vhost-user-bridge.c
index 24815920b2..cb009545fa 100644
--- a/tests/vhost-user-bridge.c
+++ b/tests/vhost-user-bridge.c
@@ -540,6 +540,11 @@ vubr_new(const char *path, bool client)
 CallbackFunc cb;
 size_t len;
 
+if (strlen(path) >= sizeof(un.sun_path)) {
+fprintf(stderr, "unix domain socket path '%s' is too long\n", path);
+exit(1);
+}
+
 /* Get a UNIX socket. */
 dev->sock = socket(AF_UNIX, SOCK_STREAM, 0);
 if (dev->sock == -1) {
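
Review bot: The copy that this check in vubr_new() protects is outside the hunk, so the bound in `strlen(path) >= sizeof(un.sun_path)` cannot be compared against it here. The `>=` comparison reserves one byte for the terminating NUL, so the copy must write at most strlen(path) + 1 bytes into un.sun_path; please confirm that is what it does, and consider a one-line comment above the check saying the NUL is included in the bound.
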
-- 
MST
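
The bound from the patch above, worked through as a stand-alone C example added here (it is not part of the patch or of QEMU). The helper `unix_addr_from_path`, the driver `try_path_of_length` and the sample paths are assumptions made for illustration; the helper goes slightly beyond the patch by also rejecting an empty path and returning the address length.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of sun_path in bytes, including the terminating NUL. */
#define SUN_PATH_SIZE (sizeof(((struct sockaddr_un *)0)->sun_path))

/*
 * Hypothetical helper (not from vhost-user-bridge.c): build an AF_UNIX
 * address from a caller-supplied path. Returns 0 on success or an errno
 * value; *un is written only when the path fits.
 */
int unix_addr_from_path(struct sockaddr_un *un, socklen_t *len,
                        const char *path)
{
    size_t n;

    if (un == NULL || path == NULL || path[0] == '\0') {
        return EINVAL;
    }
    n = strlen(path);
    /* Same bound as the patch: n == SUN_PATH_SIZE leaves no room for NUL. */
    if (n >= SUN_PATH_SIZE) {
        return ENAMETOOLONG;
    }
    memset(un, 0, sizeof(*un));
    un->sun_family = AF_UNIX;
    memcpy(un->sun_path, path, n + 1);      /* n + 1 <= SUN_PATH_SIZE */
    if (len != NULL) {
        *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    }
    return 0;
}

/*
 * Constructed test input: a path of exactly n bytes ("/aaa...").
 * Guard bytes placed right after the address detect any write past it.
 * Returns the helper's result, or -1 if a guard byte was modified.
 */
int try_path_of_length(size_t n)
{
    struct {
        struct sockaddr_un un;
        unsigned char guard[16];
    } box;
    char *path = malloc(n + 1);
    size_t i;
    int rc;

    if (path == NULL) {
        return ENOMEM;
    }
    memset(path, 'a', n);
    if (n > 0) {
        path[0] = '/';
    }
    path[n] = '\0';

    memset(&box, 0xA5, sizeof(box));
    rc = unix_addr_from_path(&box.un, NULL, path);
    free(path);

    for (i = 0; i < sizeof(box.guard); i++) {
        if (box.guard[i] != 0xA5) {
            return -1;
        }
    }
    return rc;
}

int main(void)
{
    /* Constructed lengths around the boundary. */
    size_t lens[] = { 0, 1, SUN_PATH_SIZE - 1, SUN_PATH_SIZE, 4096 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int rc = try_path_of_length(lens[i]);
        printf("path length %zu: %s\n", lens[i],
               rc == 0 ? "accepted" : strerror(rc));
    }
    return 0;
}
```
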




[PULL 16/35] hw/i386/acpi-build: Get NUMA information from struct NumaState

2021-09-04 Thread Michael S. Tsirkin
From: Jingqi Liu 

Since commits aa57020774b ("numa: move numa global variable
nb_numa_nodes into MachineState") and 7e721e7b10e ("numa: move
numa global variable numa_info into MachineState"), we can get
NUMA information completely from MachineState::numa_state.

Remove PCMachineState::numa_nodes and PCMachineState::node_mem,
since they are just copied from MachineState::numa_state.

Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Jingqi Liu 
Message-Id: <20210823011254.28506-1-jingqi@intel.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/i386/pc.h |  4 
 hw/i386/acpi-build.c | 12 +++-
 hw/i386/pc.c |  9 -
 3 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 97b4ab79b5..4d2e35a152 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -47,10 +47,6 @@ typedef struct PCMachineState {
 bool default_bus_bypass_iommu;
 uint64_t max_fw_size;
 
-/* NUMA information: */
-uint64_t numa_nodes;
-uint64_t *node_mem;
-
 /* ACPI Memory hotplug IO base address */
 hwaddr memhp_io_base;
 } PCMachineState;
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 9a9572cadb..d1f5fa3b5a 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1914,6 +1914,8 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 X86MachineState *x86ms = X86_MACHINE(machine);
 const CPUArchIdList *apic_ids = mc->possible_cpu_arch_ids(machine);
 PCMachineState *pcms = PC_MACHINE(machine);
+int nb_numa_nodes = machine->numa_state->num_nodes;
+NodeInfo *numa_info = machine->numa_state->nodes;
 ram_addr_t hotplugabble_address_space_size =
 object_property_get_int(OBJECT(pcms), PC_MACHINE_DEVMEM_REGION_SIZE,
 NULL);
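
Review bot: `int nb_numa_nodes` in build_srat() replaces a field that the pc.h hunk shows was `uint64_t numa_nodes`, so the later comparisons `i < nb_numa_nodes + 1` and `slots < nb_numa_nodes + 2` and the `nb_numa_nodes - 1` argument now use signed int arithmetic. Declare the local with the same type as `numa_state->num_nodes` (its declaration is not visible in this patch), so that what is meant to be a pure cleanup introduces no implicit conversion or change of signedness.
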
@@ -1957,9 +1959,9 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 next_base = 0;
 numa_start = table_data->len;
 
-for (i = 1; i < pcms->numa_nodes + 1; ++i) {
+for (i = 1; i < nb_numa_nodes + 1; ++i) {
 mem_base = next_base;
-mem_len = pcms->node_mem[i - 1];
+mem_len = numa_info[i - 1].node_mem;
 next_base = mem_base + mem_len;
 
 /* Cut out the 640K hole */
@@ -2007,7 +2009,7 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 }
 
 slots = (table_data->len - numa_start) / sizeof *numamem;
-for (; slots < pcms->numa_nodes + 2; slots++) {
+for (; slots < nb_numa_nodes + 2; slots++) {
 numamem = acpi_data_push(table_data, sizeof *numamem);
 build_srat_memory(numamem, 0, 0, 0, MEM_AFFINITY_NOFLAGS);
 }
@@ -2023,7 +2025,7 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 if (hotplugabble_address_space_size) {
 numamem = acpi_data_push(table_data, sizeof *numamem);
 build_srat_memory(numamem, machine->device_memory->base,
-  hotplugabble_address_space_size, pcms->numa_nodes - 
1,
+  hotplugabble_address_space_size, nb_numa_nodes - 1,
   MEM_AFFINITY_HOTPLUGGABLE | MEM_AFFINITY_ENABLED);
 }
 
@@ -2525,7 +2527,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState 
*machine)
 }
 }
 #endif
-if (pcms->numa_nodes) {
+if (machine->numa_state->num_nodes) {
 acpi_add_table(table_offsets, tables_blob);
 build_srat(tables_blob, tables->linker, machine);
 if (machine->numa_state->have_numa_distance) {
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 22aa598d50..7e523b913c 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -802,18 +802,9 @@ void pc_machine_done(Notifier *notifier, void *data)
 
 void pc_guest_info_init(PCMachineState *pcms)
 {
-int i;
-MachineState *ms = MACHINE(pcms);
 X86MachineState *x86ms = X86_MACHINE(pcms);
 
 x86ms->apic_xrupt_override = true;
-pcms->numa_nodes = ms->numa_state->num_nodes;
-pcms->node_mem = g_malloc0(pcms->numa_nodes *
-sizeof *pcms->node_mem);
-for (i = 0; i < ms->numa_state->num_nodes; i++) {
-pcms->node_mem[i] = ms->numa_state->nodes[i].node_mem;
-}
-
 pcms->machine_done.notify = pc_machine_done;
 qemu_add_machine_init_done_notifier(>machine_done);
 }
-- 
MST




[PULL 10/35] Use PCI_HOST_BRIDGE macro

2021-09-04 Thread Michael S. Tsirkin
From: Eduardo Habkost 

OBJECT_CHECK(PciHostState, ..., TYPE_PCI_HOST_BRIDGE) is exactly
what the PCI_HOST_BRIDGE macro does.  We can just use the macro
instead of using OBJECT_CHECK manually.

Signed-off-by: Eduardo Habkost 
Message-Id: <20210805193431.307761-7-ehabk...@redhat.com>
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/acpi-build.c | 8 ++--
 hw/pci-host/i440fx.c | 4 +---
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 6c27e12e2a..9a9572cadb 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -303,13 +303,9 @@ Object *acpi_get_i386_pci_host(void)
 {
 PCIHostState *host;
 
-host = OBJECT_CHECK(PCIHostState,
-object_resolve_path("/machine/i440fx", NULL),
-TYPE_PCI_HOST_BRIDGE);
+host = PCI_HOST_BRIDGE(object_resolve_path("/machine/i440fx", NULL));
 if (!host) {
-host = OBJECT_CHECK(PCIHostState,
-object_resolve_path("/machine/q35", NULL),
-TYPE_PCI_HOST_BRIDGE);
+host = PCI_HOST_BRIDGE(object_resolve_path("/machine/q35", NULL));
 }
 
 return OBJECT(host);
diff --git a/hw/pci-host/i440fx.c b/hw/pci-host/i440fx.c
index 28c9bae899..cd87e21a9b 100644
--- a/hw/pci-host/i440fx.c
+++ b/hw/pci-host/i440fx.c
@@ -316,9 +316,7 @@ PCIBus *i440fx_init(const char *host_type, const char 
*pci_type,
 
 PCIBus *find_i440fx(void)
 {
-PCIHostState *s = OBJECT_CHECK(PCIHostState,
-   object_resolve_path("/machine/i440fx", 
NULL),
-   TYPE_PCI_HOST_BRIDGE);
+PCIHostState *s = PCI_HOST_BRIDGE(object_resolve_path("/machine/i440fx", 
NULL));
 return s ? s->bus : NULL;
 }
 
-- 
MST




[PULL 20/35] hw/virtio: Document virtio_queue_packed_empty_rcu is called within RCU

2021-09-04 Thread Michael S. Tsirkin
From: Philippe Mathieu-Daudé 

While virtio_queue_packed_empty_rcu() uses the '_rcu' suffix,
it is not obvious it is called within rcu_read_lock(). All other
functions from this file called with the RCU locked have a comment
describing it. Document this one similarly for consistency.

Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210826172658.2116840-2-phi...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
Reviewed-by: Stefano Garzarella 
Reviewed-by: Stefan Hajnoczi 
---
 hw/virtio/virtio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 874377f37a..a5214bca61 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -634,6 +634,7 @@ static int virtio_queue_split_empty(VirtQueue *vq)
 return empty;
 }
 
+/* Called within rcu_read_lock().  */
 static int virtio_queue_packed_empty_rcu(VirtQueue *vq)
 {
 struct VRingPackedDesc desc;
-- 
MST




[PULL 12/35] virtio-balloon: free page hinting cleanups

2021-09-04 Thread Michael S. Tsirkin
From: David Hildenbrand 

Let's compress the code a bit to improve readability. We can drop the
vm_running check in virtio_balloon_free_page_start() as it's already
properly checked in the single caller.

Cc: Wei Wang 
Cc: Michael S. Tsirkin 
Cc: Philippe Mathieu-Daudé 
Cc: Alexander Duyck 
Cc: Juan Quintela 
Cc: "Dr. David Alan Gilbert" 
Cc: Peter Xu 
Signed-off-by: David Hildenbrand 
Message-Id: <20210708095339.20274-3-da...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/virtio-balloon.c | 28 
 1 file changed, 8 insertions(+), 20 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index ae7867a8db..5a69dce35d 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -534,22 +534,18 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
 if (dev->free_page_hint_status == FREE_PAGE_HINT_S_REQUESTED &&
 id == dev->free_page_hint_cmd_id) {
 dev->free_page_hint_status = FREE_PAGE_HINT_S_START;
-} else {
+} else if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
 /*
  * Stop the optimization only when it has started. This
  * avoids a stale stop sign for the previous command.
  */
-if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
-dev->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
-}
+dev->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
 }
 }
 
-if (elem->in_num) {
-if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
-qemu_guest_free_page_hint(elem->in_sg[0].iov_base,
-  elem->in_sg[0].iov_len);
-}
+if (elem->in_num && dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
+qemu_guest_free_page_hint(elem->in_sg[0].iov_base,
+  elem->in_sg[0].iov_len);
 }
 
 out:
@@ -592,16 +588,10 @@ static void virtio_balloon_free_page_start(VirtIOBalloon 
*s)
 {
 VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-/* For the stop and copy phase, we don't need to start the optimization */
-if (!vdev->vm_running) {
-return;
-}
-
 qemu_mutex_lock(>free_page_lock);
 
 if (s->free_page_hint_cmd_id == UINT_MAX) {
-s->free_page_hint_cmd_id =
-   VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN;
+s->free_page_hint_cmd_id = VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN;
 } else {
 s->free_page_hint_cmd_id++;
 }
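
Review bot: Dropping the `!vdev->vm_running` early return leaves virtio_balloon_free_page_start() with an unstated precondition. The commit message says the single caller already checks it, but nothing in the function records that. Replace the removed comment with one saying callers must only invoke this while the VM is running, or assert on vdev->vm_running, so that a future second caller does not start hinting during the stop-and-copy phase.
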
@@ -649,8 +639,7 @@ static void virtio_balloon_free_page_done(VirtIOBalloon *s)
 static int
 virtio_balloon_free_page_hint_notify(NotifierWithReturn *n, void *data)
 {
-VirtIOBalloon *dev = container_of(n, VirtIOBalloon,
-  free_page_hint_notify);
+VirtIOBalloon *dev = container_of(n, VirtIOBalloon, free_page_hint_notify);
 VirtIODevice *vdev = VIRTIO_DEVICE(dev);
 PrecopyNotifyData *pnd = data;
 
@@ -919,8 +908,7 @@ static void virtio_balloon_device_realize(DeviceState *dev, 
Error **errp)
 s->dvq = virtio_add_queue(vdev, 128, virtio_balloon_handle_output);
 s->svq = virtio_add_queue(vdev, 128, virtio_balloon_receive_stats);
 
-if (virtio_has_feature(s->host_features,
-   VIRTIO_BALLOON_F_FREE_PAGE_HINT)) {
+if (virtio_has_feature(s->host_features, VIRTIO_BALLOON_F_FREE_PAGE_HINT)) 
{
 s->free_page_vq = virtio_add_queue(vdev, VIRTQUEUE_MAX_SIZE,
virtio_balloon_handle_free_page_vq);
 precopy_add_notifier(>free_page_hint_notify);
-- 
MST




[PULL 14/35] virtio-pci: implement iommu_enabled()

2021-09-04 Thread Michael S. Tsirkin
From: Jason Wang 

This patch implements the PCI transport version of iommu_enabled. This
is done by comparing the address space returned by
pci_device_iommu_address_space() against address_space_memory.

Note that an ideal approach is to use pci_device_iommu_address_space()
in get_dma_as(), but it might not work well since the IOMMU could be
initialized after the virtio-pci device is initialized.

Signed-off-by: Jason Wang 
Message-Id: <20210804034803.1644-3-jasow...@redhat.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/virtio-pci.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 433060ac02..6e16e2705c 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1121,6 +1121,19 @@ static AddressSpace *virtio_pci_get_dma_as(DeviceState 
*d)
 return pci_get_address_space(dev);
 }
 
+static bool virtio_pci_iommu_enabled(DeviceState *d)
+{
+VirtIOPCIProxy *proxy = VIRTIO_PCI(d);
+PCIDevice *dev = >pci_dev;
+AddressSpace *dma_as = pci_device_iommu_address_space(dev);
+
+if (dma_as == _space_memory) {
+return false;
+}
+
+return true;
+}
+
 static bool virtio_pci_queue_enabled(DeviceState *d, int n)
 {
 VirtIOPCIProxy *proxy = VIRTIO_PCI(d);
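
Review bot: virtio_pci_iommu_enabled() carries no comment saying when its answer is valid, although the commit message notes that the IOMMU may be initialized after the virtio-pci device; a caller that runs too early may still see the plain memory address space and get `false`. Please document the expected call time above the function. As a style point, the trailing `if (...) { return false; }` followed by `return true;` can be a single return of the inequality.
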
@@ -2202,6 +2215,7 @@ static void virtio_pci_bus_class_init(ObjectClass *klass, 
void *data)
 k->ioeventfd_enabled = virtio_pci_ioeventfd_enabled;
 k->ioeventfd_assign = virtio_pci_ioeventfd_assign;
 k->get_dma_as = virtio_pci_get_dma_as;
+k->iommu_enabled = virtio_pci_iommu_enabled;
 k->queue_enabled = virtio_pci_queue_enabled;
 }
 
-- 
MST




[PULL 06/35] hw/acpi: refactor acpi hp modules so that targets can just use what they need

2021-09-04 Thread Michael S. Tsirkin
From: Ani Sinha 

Currently various acpi hotplug modules like cpu hotplug, memory hotplug, pci
hotplug, nvdimm hotplug are all pulled in when CONFIG_ACPI_X86 is turned on.
This brings in support for a whole lot of subsystems that some targets like
mips do not need. They are added just to satisfy symbol dependencies. This
is ugly and should be avoided. Targets should be able to pull in just what they
need and no more. For example, mips only needs support for PIIX4 and does not
need acpi pci hotplug support or cpu hotplug support or memory hotplug support
etc. This change is an effort to clean this up.
In this change, new config variables are added for various acpi hotplug
subsystems. Targets like mips can only enable PIIX4 support and not the rest
of all the other modules which were being previously pulled in as a part of
CONFIG_ACPI_X86. Function stubs make sure that symbols which piix4 needs but
are not required by mips (for example, symbols specific to pci hotplug etc)
are available to satisfy the dependencies.

Currently, this change only addresses issues with mips malta targets. In future
we might be able to clean up other targets which are similarly pulling in a lot
of unnecessary hotplug modules by enabling ACPI_X86.

This change should also address issues such as the following:
https://gitlab.com/qemu-project/qemu/-/issues/221
https://gitlab.com/qemu-project/qemu/-/issues/193

Signed-off-by: Ani Sinha 
Message-Id: <20210812071409.492299-1-...@anisinha.ca>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 configs/devices/mips-softmmu/common.mak |  5 +--
 hw/acpi/acpi-cpu-hotplug-stub.c | 50 +
 hw/acpi/acpi-mem-hotplug-stub.c | 35 +
 hw/acpi/acpi-nvdimm-stub.c  |  8 
 hw/acpi/acpi-pci-hotplug-stub.c | 47 +++
 hw/acpi/Kconfig | 10 +
 hw/acpi/meson.build | 14 +--
 7 files changed, 161 insertions(+), 8 deletions(-)
 create mode 100644 hw/acpi/acpi-cpu-hotplug-stub.c
 create mode 100644 hw/acpi/acpi-mem-hotplug-stub.c
 create mode 100644 hw/acpi/acpi-nvdimm-stub.c
 create mode 100644 hw/acpi/acpi-pci-hotplug-stub.c

diff --git a/configs/devices/mips-softmmu/common.mak 
b/configs/devices/mips-softmmu/common.mak
index ea78fe7275..752b62b1e6 100644
--- a/configs/devices/mips-softmmu/common.mak
+++ b/configs/devices/mips-softmmu/common.mak
@@ -18,10 +18,7 @@ CONFIG_PCSPK=y
 CONFIG_PCKBD=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
-CONFIG_ACPI_X86=y
-CONFIG_ACPI_MEMORY_HOTPLUG=y
-CONFIG_ACPI_NVDIMM=y
-CONFIG_ACPI_CPU_HOTPLUG=y
+CONFIG_ACPI_PIIX4=y
 CONFIG_APM=y
 CONFIG_I8257=y
 CONFIG_PIIX4=y
diff --git a/hw/acpi/acpi-cpu-hotplug-stub.c b/hw/acpi/acpi-cpu-hotplug-stub.c
new file mode 100644
index 00..3fc4b14c26
--- /dev/null
+++ b/hw/acpi/acpi-cpu-hotplug-stub.c
@@ -0,0 +1,50 @@
+#include "qemu/osdep.h"
+#include "hw/acpi/cpu_hotplug.h"
+#include "migration/vmstate.h"
+
+
+/* Following stubs are all related to ACPI cpu hotplug */
+const VMStateDescription vmstate_cpu_hotplug;
+
+void acpi_switch_to_modern_cphp(AcpiCpuHotplug *gpe_cpu,
+CPUHotplugState *cpuhp_state,
+uint16_t io_port)
+{
+return;
+}
+
+void legacy_acpi_cpu_hotplug_init(MemoryRegion *parent, Object *owner,
+  AcpiCpuHotplug *gpe_cpu, uint16_t base)
+{
+return;
+}
+
+void acpi_cpu_ospm_status(CPUHotplugState *cpu_st, ACPIOSTInfoList ***list)
+{
+return;
+}
+
+void acpi_cpu_plug_cb(HotplugHandler *hotplug_dev,
+  CPUHotplugState *cpu_st, DeviceState *dev, Error **errp)
+{
+return;
+}
+
+void legacy_acpi_cpu_plug_cb(HotplugHandler *hotplug_dev,
+ AcpiCpuHotplug *g, DeviceState *dev, Error **errp)
+{
+return;
+}
+
+void acpi_cpu_unplug_cb(CPUHotplugState *cpu_st,
+DeviceState *dev, Error **errp)
+{
+return;
+}
+
+void acpi_cpu_unplug_request_cb(HotplugHandler *hotplug_dev,
+CPUHotplugState *cpu_st,
+DeviceState *dev, Error **errp)
+{
+return;
+}
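
Review bot: The new file hw/acpi/acpi-cpu-hotplug-stub.c starts directly with `#include "qemu/osdep.h"` and has no license or copyright header; please add one. The stubs that take an `Error **errp` (acpi_cpu_plug_cb() and the ones after it) return without setting it, so a target that reaches one by mistake gets no diagnostic; if that is intended, a one-line comment per group saying these must never be reached would help. The `return;` as the only statement of each void function is redundant.
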
diff --git a/hw/acpi/acpi-mem-hotplug-stub.c b/hw/acpi/acpi-mem-hotplug-stub.c
new file mode 100644
index 00..73a076a265
--- /dev/null
+++ b/hw/acpi/acpi-mem-hotplug-stub.c
@@ -0,0 +1,35 @@
+#include "qemu/osdep.h"
+#include "hw/acpi/memory_hotplug.h"
+#include "migration/vmstate.h"
+
+const VMStateDescription vmstate_memory_hotplug;
+
+void acpi_memory_hotplug_init(MemoryRegion *as, Object *owner,
+  MemHotplugState *state, hwaddr io_base)
+{
+return;
+}
+
+void acpi_memory_ospm_status(MemHotplugState *mem_st, ACPIOSTInfoList ***list)
+{
+return;
+}
+
+void acpi_memory_plug_cb(HotplugHandler *hotplug_dev, MemHotplugState *mem_st,
+ DeviceState *dev, Error **errp)
+{
+return;
+}
+
+void 

[PULL 09/35] acpi: Delete broken ACPI_GED_X86 macro

2021-09-04 Thread Michael S. Tsirkin
From: Eduardo Habkost 

The macro never worked and never will, because the
AcpiGedX86State type never existed.

Signed-off-by: Eduardo Habkost 
Message-Id: <20210805193431.307761-2-ehabk...@redhat.com>
Reviewed-by: Igor Mammedov 
Reviewed-by: Gerd Hoffmann 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/acpi/generic_event_device.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/include/hw/acpi/generic_event_device.h 
b/include/hw/acpi/generic_event_device.h
index 6bed92e8fc..d49217c445 100644
--- a/include/hw/acpi/generic_event_device.h
+++ b/include/hw/acpi/generic_event_device.h
@@ -70,8 +70,6 @@
 OBJECT_DECLARE_SIMPLE_TYPE(AcpiGedState, ACPI_GED)
 
 #define TYPE_ACPI_GED_X86 "acpi-ged-x86"
-#define ACPI_GED_X86(obj) \
-OBJECT_CHECK(AcpiGedX86State, (obj), TYPE_ACPI_GED_X86)
 
 #define ACPI_GED_EVT_SEL_OFFSET0x0
 #define ACPI_GED_EVT_SEL_LEN   0x4
-- 
MST




[PULL 00/35] pc,pci,virtio: fixes, cleanups

2021-09-04 Thread Michael S. Tsirkin
The following changes since commit 8880cc4362fde4ecdac0b2092318893118206fcf:

  Merge remote-tracking branch 'remotes/cschoenebeck/tags/pull-9p-20210902' 
into staging (2021-09-03 08:27:38 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git tags/for_upstream

for you to fetch changes up to 499c8b4de96eecc554a03e452226f79f169a233b:

  vhost-vdpa: remove the unncessary queue_index assignment (2021-09-04 17:34:05 
-0400)


pc,pci,virtio: fixes, cleanups

Fixes, cleanups all over the place.

Signed-off-by: Michael S. Tsirkin 


Alyssa Ross (1):
  vhost-user: add missing space in error message

Ani Sinha (5):
  hw/acpi: define PIIX4 acpi pci hotplug property strings at a single place
  hw/acpi: refactor acpi hp modules so that targets can just use what they 
need
  hw/pci: remove all references to find_i440fx function
  hw/acpi: use existing references to pci device struct within functions
  MAINTAINERS: Added myself as a reviewer for acpi/smbios subsystem

David Hildenbrand (2):
  virtio-balloon: don't start free page hinting if postcopy is possible
  virtio-balloon: free page hinting cleanups

Denis Plotnikov (1):
  vhost: make SET_VRING_ADDR, SET_FEATURES send replies

Eduardo Habkost (2):
  acpi: Delete broken ACPI_GED_X86 macro
  Use PCI_HOST_BRIDGE macro

Eugenio Pérez (1):
  vhost-vdpa: Do not send empty IOTLB update batches

Gerd Hoffmann (1):
  q35: catch invalid cpu hotplug configuration

Jason Wang (14):
  virtio-bus: introduce iommu_enabled()
  virtio-pci: implement iommu_enabled()
  vhost: correctly detect the enabling IOMMU
  vhost-vdpa: remove unused variable "acked_features"
  vhost-vdpa: correctly return err in vhost_vdpa_set_backend_cap()
  vhost_net: remove the meaningless assignment in vhost_net_start_one()
  vhost: use unsigned int for nvqs
  vhost_net: do not assume nvqs is always 2
  vhost-vdpa: remove the unnecessary check in vhost_vdpa_add()
  vhost-vdpa: don't cleanup twice in vhost_vdpa_add()
  vhost-vdpa: fix leaking of vhost_net in vhost_vdpa_add()
  vhost-vdpa: tweak the error label in vhost_vdpa_add()
  vhost-vdpa: fix the wrong assertion in vhost_vdpa_init()
  vhost-vdpa: remove the unncessary queue_index assignment

Jingqi Liu (1):
  hw/i386/acpi-build: Get NUMA information from struct NumaState

Peter Maydell (2):
  tests/vhost-user-bridge.c: Sanity check socket path length
  tests/vhost-user-bridge.c: Fix typo in help message

Philippe Mathieu-Daudé (2):
  hw/virtio: Document virtio_queue_packed_empty_rcu is called within RCU
  hw/virtio: Remove NULL check in virtio_free_region_cache()

Tiberiu Georgescu (1):
  hw/virtio: move vhost_set_backend_type() to vhost.c

Yajun Wu (1):
  hw/virtio: Fix leak of host-notifier memory-region

Yuwei Zhang (1):
  hw/virtio: Add flatview update in vhost_user_cleanup()

 configs/devices/mips-softmmu/common.mak |   5 +-
 include/hw/acpi/acpi.h  |   2 +
 include/hw/acpi/generic_event_device.h  |   2 -
 include/hw/i386/pc.h|   4 -
 include/hw/pci-host/i440fx.h|   1 -
 include/hw/virtio/vhost-backend.h   |   6 --
 include/hw/virtio/vhost-vdpa.h  |   1 +
 include/hw/virtio/vhost.h   |   6 +-
 include/hw/virtio/virtio-bus.h  |   4 +-
 include/net/vhost_net.h |   1 +
 hw/acpi/acpi-cpu-hotplug-stub.c |  50 +++
 hw/acpi/acpi-mem-hotplug-stub.c |  35 
 hw/acpi/acpi-nvdimm-stub.c  |   8 ++
 hw/acpi/acpi-pci-hotplug-stub.c |  47 ++
 hw/acpi/ich9.c  |   2 +-
 hw/acpi/pcihp.c |   6 +-
 hw/acpi/piix4.c |   4 +-
 hw/i386/acpi-build.c|  24 +++--
 hw/i386/pc.c|  13 +--
 hw/i386/pc_q35.c|   2 +-
 hw/isa/lpc_ich9.c   |  13 +++
 hw/net/vhost_net.c  |   5 +-
 hw/pci-host/i440fx.c|   8 --
 hw/virtio/vhost-backend.c   |  30 +--
 hw/virtio/vhost-user.c  | 151 ++--
 hw/virtio/vhost-vdpa.c  |  39 ++---
 hw/virtio/vhost.c   |  31 ++-
 hw/virtio/virtio-balloon.c  |  41 -
 hw/virtio/virtio-bus.c  |  14 +++
 hw/virtio/virtio-pci.c  |  14 +++
 hw/virtio/virtio.c  |   7 +-
 net/tap.c   |   1 +
 net/vhost-user.c|   1 +
 net/vhost-vdpa.c|  35 +++-
 stubs/pci-host-piix.c   |   7 --
 tests/vhost-user-bridge.c   |   7 +-
 MAINTAINERS

[PULL 07/35] hw/virtio: move vhost_set_backend_type() to vhost.c

2021-09-04 Thread Michael S. Tsirkin
From: Tiberiu Georgescu 

Just a small refactor patch.

vhost_set_backend_type() gets called only in vhost.c, so we can move the
function there and make it static. We can then extern the visibility of
kernel_ops, to match the other VhostOps in vhost-backend.h.
The VhostOps constants now make more sense in vhost.h.

Suggested-by: Raphael Norwitz 
Signed-off-by: Tiberiu Georgescu 
Message-Id: <20210809134015.67941-1-tiberiu.george...@nutanix.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/virtio/vhost-backend.h |  6 --
 include/hw/virtio/vhost.h |  4 
 hw/virtio/vhost-backend.c | 30 +-
 hw/virtio/vhost.c | 29 +
 4 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/include/hw/virtio/vhost-backend.h 
b/include/hw/virtio/vhost-backend.h
index 8475c5a29d..81bf3109f8 100644
--- a/include/hw/virtio/vhost-backend.h
+++ b/include/hw/virtio/vhost-backend.h
@@ -173,12 +173,6 @@ typedef struct VhostOps {
 vhost_force_iommu_op vhost_force_iommu;
 } VhostOps;
 
-extern const VhostOps user_ops;
-extern const VhostOps vdpa_ops;
-
-int vhost_set_backend_type(struct vhost_dev *dev,
-   VhostBackendType backend_type);
-
 int vhost_backend_update_device_iotlb(struct vhost_dev *dev,
  uint64_t iova, uint64_t uaddr,
  uint64_t len,
diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
index 045d0fd9f2..5ee306568b 100644
--- a/include/hw/virtio/vhost.h
+++ b/include/hw/virtio/vhost.h
@@ -95,6 +95,10 @@ struct vhost_dev {
 const VhostDevConfigOps *config_ops;
 };
 
+extern const VhostOps kernel_ops;
+extern const VhostOps user_ops;
+extern const VhostOps vdpa_ops;
+
 struct vhost_net {
 struct vhost_dev dev;
 struct vhost_virtqueue vqs[2];
diff --git a/hw/virtio/vhost-backend.c b/hw/virtio/vhost-backend.c
index 594d770b75..b65f8f7e97 100644
--- a/hw/virtio/vhost-backend.c
+++ b/hw/virtio/vhost-backend.c
@@ -293,7 +293,7 @@ static void vhost_kernel_set_iotlb_callback(struct 
vhost_dev *dev,
 qemu_set_fd_handler((uintptr_t)dev->opaque, NULL, NULL, NULL);
 }
 
-static const VhostOps kernel_ops = {
+const VhostOps kernel_ops = {
 .backend_type = VHOST_BACKEND_TYPE_KERNEL,
 .vhost_backend_init = vhost_kernel_init,
 .vhost_backend_cleanup = vhost_kernel_cleanup,
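
Review bot: Removing `static` from `kernel_ops` puts a very generic name into the global namespace. user_ops and vdpa_ops are already exported under the same pattern, so this is consistent, but a prefixed name such as vhost_kernel_ops would be less likely to collide. Also note that the definition here ends just before an `#endif` (visible in the next hunk), while the `extern const VhostOps kernel_ops;` added to vhost.h is unconditional; that is harmless as long as every use stays under the same guard, as the moved function does with CONFIG_VHOST_KERNEL.
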
@@ -328,34 +328,6 @@ static const VhostOps kernel_ops = {
 };
 #endif
 
-int vhost_set_backend_type(struct vhost_dev *dev, VhostBackendType 
backend_type)
-{
-int r = 0;
-
-switch (backend_type) {
-#ifdef CONFIG_VHOST_KERNEL
-case VHOST_BACKEND_TYPE_KERNEL:
-dev->vhost_ops = _ops;
-break;
-#endif
-#ifdef CONFIG_VHOST_USER
-case VHOST_BACKEND_TYPE_USER:
-dev->vhost_ops = _ops;
-break;
-#endif
-#ifdef CONFIG_VHOST_VDPA
-case VHOST_BACKEND_TYPE_VDPA:
-dev->vhost_ops = _ops;
-break;
-#endif
-default:
-error_report("Unknown vhost backend type");
-r = -1;
-}
-
-return r;
-}
-
 int vhost_backend_update_device_iotlb(struct vhost_dev *dev,
  uint64_t iova, uint64_t uaddr,
  uint64_t len,
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 3c0b537f89..e21e144510 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -174,6 +174,35 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev)
 return log_size;
 }
 
+static int vhost_set_backend_type(struct vhost_dev *dev,
+  VhostBackendType backend_type)
+{
+int r = 0;
+
+switch (backend_type) {
+#ifdef CONFIG_VHOST_KERNEL
+case VHOST_BACKEND_TYPE_KERNEL:
+dev->vhost_ops = _ops;
+break;
+#endif
+#ifdef CONFIG_VHOST_USER
+case VHOST_BACKEND_TYPE_USER:
+dev->vhost_ops = _ops;
+break;
+#endif
+#ifdef CONFIG_VHOST_VDPA
+case VHOST_BACKEND_TYPE_VDPA:
+dev->vhost_ops = _ops;
+break;
+#endif
+default:
+error_report("Unknown vhost backend type");
+r = -1;
+}
+
+return r;
+}
+
 static struct vhost_log *vhost_log_alloc(uint64_t size, bool share)
 {
 Error *err = NULL;
-- 
MST




[PULL 04/35] hw/acpi: define PIIX4 acpi pci hotplug property strings at a single place

2021-09-04 Thread Michael S. Tsirkin
From: Ani Sinha 

Now that we have "acpi-pci-hotplug-with-bridge-support" PIIX4 PM property being
used for both q35 and i440fx machine types, it is better that we define this
property string at a single place within a header file like other PIIX4
properties. We can then use this single definition at all the places that need
it instead of duplicating the string everywhere. While at it, this change also
adds a definition for "acpi-root-pci-hotplug" PIIX4 PM property and uses
this definition at all places that were formerly using the string value.

Signed-off-by: Ani Sinha 
Message-Id: <20210816083214.105740-1-...@anisinha.ca>
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/acpi/acpi.h | 2 ++
 hw/acpi/ich9.c | 2 +-
 hw/acpi/piix4.c| 4 ++--
 hw/i386/acpi-build.c   | 4 ++--
 hw/i386/pc.c   | 4 ++--
 hw/i386/pc_q35.c   | 2 +-
 6 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/hw/acpi/acpi.h b/include/hw/acpi/acpi.h
index 9e8a76f2e2..cc0d370745 100644
--- a/include/hw/acpi/acpi.h
+++ b/include/hw/acpi/acpi.h
@@ -47,6 +47,8 @@
 #define ACPI_PM_PROP_PM_IO_BASE "pm_io_base"
 #define ACPI_PM_PROP_GPE0_BLK "gpe0_blk"
 #define ACPI_PM_PROP_GPE0_BLK_LEN "gpe0_blk_len"
+#define ACPI_PM_PROP_ACPI_PCIHP_BRIDGE "acpi-pci-hotplug-with-bridge-support"
+#define ACPI_PM_PROP_ACPI_PCI_ROOTHP "acpi-root-pci-hotplug"
 
 /* PM Timer ticks per second (HZ) */
 #define PM_TIMER_FREQUENCY  3579545
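
Review bot: The two new macro names are not formed the same way: `ACPI_PM_PROP_ACPI_PCIHP_BRIDGE` puts the hotplug abbreviation before the object and `ACPI_PM_PROP_ACPI_PCI_ROOTHP` puts it after, and both repeat ACPI after the ACPI_PM_PROP_ prefix that the neighbouring defines use on its own. Please settle on one pattern before these names spread through the tree.
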
diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index 778e27b659..1ee2ba2c50 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -451,7 +451,7 @@ void ich9_pm_add_properties(Object *obj, ICH9LPCPMRegs *pm)
 object_property_add_bool(obj, ACPI_PM_PROP_TCO_ENABLED,
  ich9_pm_get_enable_tco,
  ich9_pm_set_enable_tco);
-object_property_add_bool(obj, "acpi-pci-hotplug-with-bridge-support",
+object_property_add_bool(obj, ACPI_PM_PROP_ACPI_PCIHP_BRIDGE,
  ich9_pm_get_acpi_pci_hotplug,
  ich9_pm_set_acpi_pci_hotplug);
 }
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 48f7a1edbc..f0b5fac44a 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -647,9 +647,9 @@ static Property piix4_pm_properties[] = {
 DEFINE_PROP_UINT8(ACPI_PM_PROP_S3_DISABLED, PIIX4PMState, disable_s3, 0),
 DEFINE_PROP_UINT8(ACPI_PM_PROP_S4_DISABLED, PIIX4PMState, disable_s4, 0),
 DEFINE_PROP_UINT8(ACPI_PM_PROP_S4_VAL, PIIX4PMState, s4_val, 2),
-DEFINE_PROP_BOOL("acpi-pci-hotplug-with-bridge-support", PIIX4PMState,
+DEFINE_PROP_BOOL(ACPI_PM_PROP_ACPI_PCIHP_BRIDGE, PIIX4PMState,
  use_acpi_hotplug_bridge, true),
-DEFINE_PROP_BOOL("acpi-root-pci-hotplug", PIIX4PMState,
+DEFINE_PROP_BOOL(ACPI_PM_PROP_ACPI_PCI_ROOTHP, PIIX4PMState,
  use_acpi_root_pci_hotplug, true),
 DEFINE_PROP_BOOL("memory-hotplug-support", PIIX4PMState,
  acpi_memory_hotplug.is_enabled, true),
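
Review bot: the context line right after the converted entries still passes "memory-hotplug-support" as a bare string literal, so piix4_pm_properties[] now mixes both styles. If the goal is a single definition per property string, either convert that entry in this patch or say in the commit message that only the two PCI hotplug properties are in scope.
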
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a33ac8b91e..6c27e12e2a 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -267,10 +267,10 @@ static void acpi_get_pm_info(MachineState *machine, 
AcpiPmInfo *pm)
 qobject_unref(o);
 
 pm->pcihp_bridge_en =
-object_property_get_bool(obj, "acpi-pci-hotplug-with-bridge-support",
+object_property_get_bool(obj, ACPI_PM_PROP_ACPI_PCIHP_BRIDGE,
  NULL);
 pm->pcihp_root_en =
-object_property_get_bool(obj, "acpi-root-pci-hotplug",
+object_property_get_bool(obj, ACPI_PM_PROP_ACPI_PCI_ROOTHP,
  NULL);
 }
 
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 1276bfeee4..22aa598d50 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -101,7 +101,7 @@ GlobalProperty pc_compat_6_0[] = {
 { "qemu64" "-" TYPE_X86_CPU, "model", "6" },
 { "qemu64" "-" TYPE_X86_CPU, "stepping", "3" },
 { TYPE_X86_CPU, "x-vendor-cpuid-only", "off" },
-{ "ICH9-LPC", "acpi-pci-hotplug-with-bridge-support", "off" },
+{ "ICH9-LPC", ACPI_PM_PROP_ACPI_PCIHP_BRIDGE, "off" },
 };
 const size_t pc_compat_6_0_len = G_N_ELEMENTS(pc_compat_6_0);
 
@@ -313,7 +313,7 @@ const size_t pc_compat_2_0_len = 
G_N_ELEMENTS(pc_compat_2_0);
 GlobalProperty pc_compat_1_7[] = {
 PC_CPU_MODEL_IDS("1.7.0")
 { TYPE_USB_DEVICE, "msos-desc", "no" },
-{ "PIIX4_PM", "acpi-pci-hotplug-with-bridge-support", "off" },
+{ "PIIX4_PM", ACPI_PM_PROP_ACPI_PCIHP_BRIDGE, "off" },
 { "hpet", HPET_INTCAP, "4" },
 };
 const size_t pc_compat_1_7_len = G_N_ELEMENTS(pc_compat_1_7);
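
Review bot: both compat tables in pc.c now depend on ACPI_PM_PROP_ACPI_PCIHP_BRIDGE from include/hw/acpi/acpi.h, but the diffstat shows only the two substitutions in this file and no new #include. Please confirm the header is included directly rather than reached through another header, so a later include cleanup does not break the build. The device type names "ICH9-LPC" and "PIIX4_PM" in the same entries remain literals, which is fine for this patch but worth a follow-up.
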
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 565fadce54..46cd542d17 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -238,7 +238,7 @@ static void pc_q35_init(MachineState *machine)
  OBJECT(lpc), _abort);
 
 acpi_pcihp = 

[PULL 05/35] q35: catch invalid cpu hotplug configuration

2021-09-04 Thread Michael S. Tsirkin
From: Gerd Hoffmann 

Related: https://bugzilla.redhat.com//show_bug.cgi?id=1985924
Signed-off-by: Gerd Hoffmann 
Message-Id: <20210812102341.3316254-1-kra...@redhat.com>
Reviewed-by: Igor Mammedov 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/isa/lpc_ich9.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/hw/isa/lpc_ich9.c b/hw/isa/lpc_ich9.c
index 5f9de0239c..5f143dca17 100644
--- a/hw/isa/lpc_ich9.c
+++ b/hw/isa/lpc_ich9.c
@@ -31,6 +31,7 @@
 #include "qemu/osdep.h"
 #include "qemu/log.h"
 #include "cpu.h"
+#include "qapi/error.h"
 #include "qapi/visitor.h"
 #include "qemu/range.h"
 #include "hw/isa/isa.h"
@@ -676,6 +677,18 @@ static void ich9_lpc_realize(PCIDevice *d, Error **errp)
 DeviceState *dev = DEVICE(d);
 ISABus *isa_bus;
 
+if ((lpc->smi_host_features & BIT_ULL(ICH9_LPC_SMI_F_CPU_HOT_UNPLUG_BIT)) 
&&
+!(lpc->smi_host_features & BIT_ULL(ICH9_LPC_SMI_F_CPU_HOTPLUG_BIT))) {
+/*
+ * smi_features_ok_callback() throws an error on this.
+ *
+ * So bail out here instead of advertizing the invalid
+ * configuration and get obscure firmware failures from that.
+ */
+error_setg(errp, "cpu hot-unplug requires cpu hot-plug");
+return;
+}
+
 isa_bus = isa_bus_new(DEVICE(d), get_system_memory(), get_system_io(),
   errp);
 if (!isa_bus) {
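
Review bot: the error string "cpu hot-unplug requires cpu hot-plug" in the new check does not tell the user which settings to change. Since the condition is driven by two bits of lpc->smi_host_features, name the corresponding properties in the message or attach a hint (error_append_hint() after adding ERRP_GUARD()). The placement before isa_bus_new() is good because nothing needs unwinding on this path. Minor: "advertizing" in the comment should be "advertising".
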
-- 
MST




[PULL 03/35] vhost: make SET_VRING_ADDR, SET_FEATURES send replies

2021-09-04 Thread Michael S. Tsirkin
From: Denis Plotnikov 

On vhost-user-blk migration, qemu normally sends a number of commands
to enable logging if VHOST_USER_PROTOCOL_F_LOG_SHMFD is negotiated.
Qemu sends VHOST_USER_SET_FEATURES to enable buffers logging and
VHOST_USER_SET_VRING_ADDR per each started ring to enable "used ring"
data logging.
The issue is that qemu doesn't wait for reply from the vhost daemon
for these commands which may result in races between qemu expectation
of logging starting and actual logging starting in vhost daemon.

The race can appear as follows: on migration setup, qemu enables dirty page
logging by sending VHOST_USER_SET_FEATURES. The command doesn't arrive to a
vhost-user-blk daemon immediately and the daemon needs some time to turn the
logging on internally. If qemu doesn't wait for reply, after sending the
command, qemu may start migrating memory pages to a destination. At this time,
the logging may not be actually turned on in the daemon but some guest pages,
which the daemon is about to write to, may have already been transferred
without logging to the destination. Since the logging wasn't turned on,
those pages won't be transferred again as dirty. So we may end up with
corrupted data on the destination.
The same scenario is applicable for "used ring" data logging, which is
turned on with VHOST_USER_SET_VRING_ADDR command.

To resolve this issue, this patch makes qemu wait for the command result
explicitly if VHOST_USER_PROTOCOL_F_REPLY_ACK is negotiated and logging enabled.

Signed-off-by: Denis Plotnikov 

Message-Id: <20210809104824.78830-1-den-plotni...@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost-user.c | 145 -
 1 file changed, 101 insertions(+), 44 deletions(-)

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 33002300c2..a4eb6cde7e 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1095,23 +1095,6 @@ static int vhost_user_set_mem_table(struct vhost_dev 
*dev,
 return 0;
 }
 
-static int vhost_user_set_vring_addr(struct vhost_dev *dev,
- struct vhost_vring_addr *addr)
-{
-VhostUserMsg msg = {
-.hdr.request = VHOST_USER_SET_VRING_ADDR,
-.hdr.flags = VHOST_USER_VERSION,
-.payload.addr = *addr,
-.hdr.size = sizeof(msg.payload.addr),
-};
-
-if (vhost_user_write(dev, , NULL, 0) < 0) {
-return -1;
-}
-
-return 0;
-}
-
 static int vhost_user_set_vring_endian(struct vhost_dev *dev,
struct vhost_vring_state *ring)
 {
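
Review bot: vhost_user_set_vring_addr() is deleted here and re-added below vhost_user_get_features() with new behaviour, so the diff cannot show what actually changed inside the function. Consider a preparatory move-only patch, or a forward declaration of vhost_user_get_features(), so that the functional change is a small in-place hunk. The same applies to the vhost_user_set_u64() block removed in the next hunk.
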
@@ -1288,33 +1271,6 @@ static int vhost_user_set_vring_call(struct vhost_dev 
*dev,
 return vhost_set_vring_file(dev, VHOST_USER_SET_VRING_CALL, file);
 }
 
-static int vhost_user_set_u64(struct vhost_dev *dev, int request, uint64_t u64)
-{
-VhostUserMsg msg = {
-.hdr.request = request,
-.hdr.flags = VHOST_USER_VERSION,
-.payload.u64 = u64,
-.hdr.size = sizeof(msg.payload.u64),
-};
-
-if (vhost_user_write(dev, , NULL, 0) < 0) {
-return -1;
-}
-
-return 0;
-}
-
-static int vhost_user_set_features(struct vhost_dev *dev,
-   uint64_t features)
-{
-return vhost_user_set_u64(dev, VHOST_USER_SET_FEATURES, features);
-}
-
-static int vhost_user_set_protocol_features(struct vhost_dev *dev,
-uint64_t features)
-{
-return vhost_user_set_u64(dev, VHOST_USER_SET_PROTOCOL_FEATURES, features);
-}
 
 static int vhost_user_get_u64(struct vhost_dev *dev, int request, uint64_t 
*u64)
 {
@@ -1360,6 +1316,107 @@ static int vhost_user_get_features(struct vhost_dev 
*dev, uint64_t *features)
 return 0;
 }
 
+static int enforce_reply(struct vhost_dev *dev,
+ const VhostUserMsg *msg)
+{
+uint64_t dummy;
+
+if (msg->hdr.flags & VHOST_USER_NEED_REPLY_MASK) {
+return process_message_reply(dev, msg);
+}
+
+   /*
+* We need to wait for a reply but the backend does not
+* support replies for the command we just sent.
+* Send VHOST_USER_GET_FEATURES which makes all backends
+* send a reply.
+*/
+return vhost_user_get_features(dev, );
+}
+
+static int vhost_user_set_vring_addr(struct vhost_dev *dev,
+ struct vhost_vring_addr *addr)
+{
+VhostUserMsg msg = {
+.hdr.request = VHOST_USER_SET_VRING_ADDR,
+.hdr.flags = VHOST_USER_VERSION,
+.payload.addr = *addr,
+.hdr.size = sizeof(msg.payload.addr),
+};
+
+bool reply_supported = virtio_has_feature(dev->protocol_features,
+  VHOST_USER_PROTOCOL_F_REPLY_ACK);
+
+/*
+ * wait for a reply if logging is enabled to make sure
+ * backend is actually logging changes
+ */
+bool wait_for_reply = addr->flags & (1 << VHOST_VRING_F_LOG);
+
+if (reply_supported && 
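
Review bot: the commit message says qemu waits only when VHOST_USER_PROTOCOL_F_REPLY_ACK is negotiated, but enforce_reply() also waits when it is not, by issuing VHOST_USER_GET_FEATURES as a barrier. Please describe that fallback in the commit message, and document on enforce_reply() that it must be called right after the vhost_user_write() of msg. Because vhost_user_set_vring_addr() runs once per ring, the fallback costs an extra round trip per ring whenever VHOST_VRING_F_LOG is set, which is worth stating. The block comment inside enforce_reply() is also indented by three spaces instead of four.
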

[PULL 01/35] vhost-vdpa: Do not send empty IOTLB update batches

2021-09-04 Thread Michael S. Tsirkin
From: Eugenio Pérez 

With the introduction of the batch hinting, meaningless batches can be
created with no IOTLB updates if the memory region was skipped by
vhost_vdpa_listener_skipped_section. This is the case of host notifiers
memory regions, device un/realize, and others. This causes the vdpa
device to receive dma mapping settings with no changes, a possibly
expensive operation for nothing.

To avoid that, VHOST_IOTLB_BATCH_BEGIN hint is delayed until we have a
meaningful (not skipped section) mapping or unmapping operation, and
VHOST_IOTLB_BATCH_END is not written unless at least one of _UPDATE /
_INVALIDATE has been issued.

v3:
  * Use a bool instead of a counter avoiding potential number wrapping
  * Fix bad check on _commit
  * Move VHOST_BACKEND_F_IOTLB_BATCH check to
vhost_vdpa_iotlb_batch_begin_once

v2 (from RFC):
  * Rename misleading name
  * Abstract start batching function for listener_add/del

Signed-off-by: Eugenio Pérez 
Message-Id: <20210812140933.226288-1-epere...@redhat.com>
Acked-by: Jason Wang 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/virtio/vhost-vdpa.h |  1 +
 hw/virtio/vhost-vdpa.c | 35 ++
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/include/hw/virtio/vhost-vdpa.h b/include/hw/virtio/vhost-vdpa.h
index 9188226d8b..a8963da2d9 100644
--- a/include/hw/virtio/vhost-vdpa.h
+++ b/include/hw/virtio/vhost-vdpa.h
@@ -22,6 +22,7 @@ typedef struct VhostVDPAHostNotifier {
 typedef struct vhost_vdpa {
 int device_fd;
 uint32_t msg_type;
+bool iotlb_batch_begin_sent;
 MemoryListener listener;
 struct vhost_dev *dev;
 VhostVDPAHostNotifier notifier[VIRTIO_QUEUE_MAX];
diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index 4fa414feea..ca1227e5dc 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -89,19 +89,13 @@ static int vhost_vdpa_dma_unmap(struct vhost_vdpa *v, 
hwaddr iova,
 return ret;
 }
 
-static void vhost_vdpa_listener_begin(MemoryListener *listener)
+static void vhost_vdpa_listener_begin_batch(struct vhost_vdpa *v)
 {
-struct vhost_vdpa *v = container_of(listener, struct vhost_vdpa, listener);
-struct vhost_dev *dev = v->dev;
-struct vhost_msg_v2 msg = {};
 int fd = v->device_fd;
-
-if (!(dev->backend_cap & (0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH))) {
-return;
-}
-
-msg.type = v->msg_type;
-msg.iotlb.type = VHOST_IOTLB_BATCH_BEGIN;
+struct vhost_msg_v2 msg = {
+.type = v->msg_type,
+.iotlb.type = VHOST_IOTLB_BATCH_BEGIN,
+};
 
 if (write(fd, , sizeof(msg)) != sizeof(msg)) {
 error_report("failed to write, fd=%d, errno=%d (%s)",
@@ -109,6 +103,16 @@ static void vhost_vdpa_listener_begin(MemoryListener 
*listener)
 }
 }
 
+static void vhost_vdpa_iotlb_batch_begin_once(struct vhost_vdpa *v)
+{
+if (v->dev->backend_cap & (0x1ULL << VHOST_BACKEND_F_IOTLB_BATCH) &&
+!v->iotlb_batch_begin_sent) {
+vhost_vdpa_listener_begin_batch(v);
+}
+
+v->iotlb_batch_begin_sent = true;
+}
+
 static void vhost_vdpa_listener_commit(MemoryListener *listener)
 {
 struct vhost_vdpa *v = container_of(listener, struct vhost_vdpa, listener);
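
Review bot: in vhost_vdpa_iotlb_batch_begin_once(), v->iotlb_batch_begin_sent is set to true unconditionally, including when vhost_vdpa_listener_begin_batch() failed its write() (it only calls error_report() and returns void) and when the backend lacks VHOST_BACKEND_F_IOTLB_BATCH and nothing was sent at all. In the failure case the commit callback will still write VHOST_IOTLB_BATCH_END without a matching BEGIN. Consider returning a status from vhost_vdpa_listener_begin_batch() and setting the flag only on success, or rename the flag so it does not claim that a message was sent. Explicit parentheses around the backend_cap mask test before the && would also make the condition easier to read.
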
@@ -120,6 +124,10 @@ static void vhost_vdpa_listener_commit(MemoryListener 
*listener)
 return;
 }
 
+if (!v->iotlb_batch_begin_sent) {
+return;
+}
+
 msg.type = v->msg_type;
 msg.iotlb.type = VHOST_IOTLB_BATCH_END;
 
@@ -127,6 +135,8 @@ static void vhost_vdpa_listener_commit(MemoryListener 
*listener)
 error_report("failed to write, fd=%d, errno=%d (%s)",
  fd, errno, strerror(errno));
 }
+
+v->iotlb_batch_begin_sent = false;
 }
 
 static void vhost_vdpa_listener_region_add(MemoryListener *listener,
@@ -170,6 +180,7 @@ static void vhost_vdpa_listener_region_add(MemoryListener 
*listener,
 
 llsize = int128_sub(llend, int128_make64(iova));
 
+vhost_vdpa_iotlb_batch_begin_once(v);
 ret = vhost_vdpa_dma_map(v, iova, int128_get64(llsize),
  vaddr, section->readonly);
 if (ret) {
@@ -221,6 +232,7 @@ static void vhost_vdpa_listener_region_del(MemoryListener 
*listener,
 
 llsize = int128_sub(llend, int128_make64(iova));
 
+vhost_vdpa_iotlb_batch_begin_once(v);
 ret = vhost_vdpa_dma_unmap(v, iova, int128_get64(llsize));
 if (ret) {
 error_report("vhost_vdpa dma unmap error!");
@@ -234,7 +246,6 @@ static void vhost_vdpa_listener_region_del(MemoryListener 
*listener,
  * depends on the addnop().
  */
 static const MemoryListener vhost_vdpa_memory_listener = {
-.begin = vhost_vdpa_listener_begin,
 .commit = vhost_vdpa_listener_commit,
 .region_add = vhost_vdpa_listener_region_add,
 .region_del = vhost_vdpa_listener_region_del,
-- 
MST




[PULL 02/35] hw/virtio: Fix leak of host-notifier memory-region

2021-09-04 Thread Michael S. Tsirkin
From: Yajun Wu 

If the call to virtio_queue_set_host_notifier_mr fails, we should free the
host-notifier memory-region.

Fixes: 44866521bd ("vhost-user: support registering external host notifiers")
Signed-off-by: Yajun Wu 
Message-Id: <1629077555-19907-1-git-send-email-yaj...@nvidia.com>
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/virtio/vhost-user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 2407836fac..33002300c2 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -1474,6 +1474,7 @@ static int 
vhost_user_slave_handle_vring_host_notifier(struct vhost_dev *dev,
 g_free(name);
 
 if (virtio_queue_set_host_notifier_mr(vdev, queue_idx, >mr, true)) {
+object_unparent(OBJECT(>mr));
 munmap(addr, page_size);
 return -1;
 }
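
Review bot: on the failure path the region is unparented and the backing mapping is unmapped immediately afterwards with munmap(addr, page_size). Is it guaranteed that nothing can still reference the memory region at that point? If its release can be deferred, the region would briefly point at unmapped memory. A short comment stating why the object_unparent()/munmap() order is safe here, or sharing the teardown with the normal notifier removal path, would make this easier to audit.
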
-- 
MST




[PATCH v10 15/16] target/riscv: Remove RVB (replaced by Zb[abcs])

2021-09-04 Thread Philipp Tomsich
With everything classified as Zb[abcs] and pre-0.93 draft-B
instructions that are not part of Zb[abcs] removed, we can remove the
remaining support code for RVB.

Note that RVB has been retired for good and misa.B will neither mean
'some' nor 'all of' Zb*:
  https://lists.riscv.org/g/tech-bitmanip/message/532

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- Removing RVB moved into a separate commit at the tail-end of the series.

 target/riscv/cpu.c | 26 --
 target/riscv/cpu.h |  3 ---
 target/riscv/insn32.decode |  4 
 3 files changed, 33 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index ceb7e01810..3a56836f1c 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -127,11 +127,6 @@ static void set_priv_version(CPURISCVState *env, int 
priv_ver)
 env->priv_ver = priv_ver;
 }
 
-static void set_bext_version(CPURISCVState *env, int bext_ver)
-{
-env->bext_ver = bext_ver;
-}
-
 static void set_vext_version(CPURISCVState *env, int vext_ver)
 {
 env->vext_ver = vext_ver;
@@ -496,25 +491,6 @@ static void riscv_cpu_realize(DeviceState *dev, Error 
**errp)
 if (cpu->cfg.ext_h) {
 target_misa |= RVH;
 }
-if (cpu->cfg.ext_b) {
-int bext_version = BEXT_VERSION_0_93_0;
-target_misa |= RVB;
-
-if (cpu->cfg.bext_spec) {
-if (!g_strcmp0(cpu->cfg.bext_spec, "v0.93")) {
-bext_version = BEXT_VERSION_0_93_0;
-} else {
-error_setg(errp,
-   "Unsupported bitmanip spec version '%s'",
-   cpu->cfg.bext_spec);
-return;
-}
-} else {
-qemu_log("bitmanip version is not specified, "
- "use the default value v0.93\n");
-}
-set_bext_version(env, bext_version);
-}
 if (cpu->cfg.ext_v) {
 int vext_version = VEXT_VERSION_0_07_1;
 target_misa |= RVV;
@@ -586,7 +562,6 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
 /* This is experimental so mark with 'x-' */
-DEFINE_PROP_BOOL("x-b", RISCVCPU, cfg.ext_b, false),
 DEFINE_PROP_BOOL("x-zba", RISCVCPU, cfg.ext_zba, false),
 DEFINE_PROP_BOOL("x-zbb", RISCVCPU, cfg.ext_zbb, false),
 DEFINE_PROP_BOOL("x-zbc", RISCVCPU, cfg.ext_zbc, false),
@@ -597,7 +572,6 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
 DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
 DEFINE_PROP_STRING("priv_spec", RISCVCPU, cfg.priv_spec),
-DEFINE_PROP_STRING("bext_spec", RISCVCPU, cfg.bext_spec),
 DEFINE_PROP_STRING("vext_spec", RISCVCPU, cfg.vext_spec),
 DEFINE_PROP_UINT16("vlen", RISCVCPU, cfg.vlen, 128),
 DEFINE_PROP_UINT16("elen", RISCVCPU, cfg.elen, 64),
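
Review bot: dropping DEFINE_PROP_STRING("bext_spec", ...) removes a property that, unlike "x-b" in the previous hunk, carries no experimental 'x-' prefix, so existing command lines that set bext_spec will start failing with an unknown-property error. Please call this out in the commit message (and in the removed-features documentation if the project tracks it there), since the current message only talks about removing support code.
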
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 7c4cd8ea89..77e8b06106 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -67,7 +67,6 @@
 #define RVS RV('S')
 #define RVU RV('U')
 #define RVH RV('H')
-#define RVB RV('B')
 
 /* S extension denotes that Supervisor mode exists, however it is possible
to have a core that support S mode but does not have an MMU and there
@@ -83,7 +82,6 @@ enum {
 #define PRIV_VERSION_1_10_0 0x00011000
 #define PRIV_VERSION_1_11_0 0x00011100
 
-#define BEXT_VERSION_0_93_0 0x9300
 #define VEXT_VERSION_0_07_1 0x0701
 
 enum {
@@ -288,7 +286,6 @@ struct RISCVCPU {
 bool ext_f;
 bool ext_d;
 bool ext_c;
-bool ext_b;
 bool ext_s;
 bool ext_u;
 bool ext_h;
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index affb99b3e6..2f251dac1b 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -712,10 +712,6 @@ rorw   011 .. 101 . 0111011 @r
 # instruction, so we use different handler functions to differentiate.
 zext_h_64  100 0 . 100 . 0111011 @r2
 
-# *** RV32B Standard Extension ***
-
-# *** RV64B Standard Extension (in addition to RV32B) ***
-
 # *** RV32 Zbc Standard Extension ***
 clmul  101 .. 001 . 0110011 @r
 clmulh 101 .. 011 . 0110011 @r
-- 
2.25.1




[PATCH v10 11/16] target/riscv: Add orc.b instruction for Zbb, removing gorc/gorci

2021-09-04 Thread Philipp Tomsich
The 1.0.0 version of Zbb does not contain gorc/gorci.  Instead, a
orc.b instruction (equivalent to the orc.b pseudo-instruction built on
gorci from pre-0.93 draft-B) is available, mainly targeting
string-processing workloads.

This commit adds the new orc.b instruction and removes gorc/gorci.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 

---

(no changes since v9)

Changes in v9:
- Picked up Alistair's Reviewed-by, after patman had failed to catch
  it for v8.

Changes in v8:
- Optimize orc.b further by reordering the shift/and, updating the
  comment to reflect that we put the truth-value into the LSB, and
  putting the (now only) constant in a temporary
- Fold the final bitwise-not into the second and, using and andc.

Changes in v7:
- Free TCG temporary in gen_orc_b().

Changes in v6:
- Fixed orc.b (now passes SPEC w/ optimized string functions) by
  adding the missing final negation.

Changes in v4:
- Change orc.b to implementation suggested by Richard Henderson

Changes in v3:
- Moved orc.b and gorc/gorci changes into separate commit.
- Using the simpler orc.b implementation suggested by Richard Henderson

 target/riscv/bitmanip_helper.c  | 26 -
 target/riscv/helper.h   |  2 --
 target/riscv/insn32.decode  |  6 +---
 target/riscv/insn_trans/trans_rvb.c.inc | 39 +++--
 4 files changed, 18 insertions(+), 55 deletions(-)

diff --git a/target/riscv/bitmanip_helper.c b/target/riscv/bitmanip_helper.c
index 73be5a81c7..bb48388fcd 100644
--- a/target/riscv/bitmanip_helper.c
+++ b/target/riscv/bitmanip_helper.c
@@ -64,32 +64,6 @@ target_ulong HELPER(grevw)(target_ulong rs1, target_ulong 
rs2)
 return do_grev(rs1, rs2, 32);
 }
 
-static target_ulong do_gorc(target_ulong rs1,
-target_ulong rs2,
-int bits)
-{
-target_ulong x = rs1;
-int i, shift;
-
-for (i = 0, shift = 1; shift < bits; i++, shift <<= 1) {
-if (rs2 & shift) {
-x |= do_swap(x, adjacent_masks[i], shift);
-}
-}
-
-return x;
-}
-
-target_ulong HELPER(gorc)(target_ulong rs1, target_ulong rs2)
-{
-return do_gorc(rs1, rs2, TARGET_LONG_BITS);
-}
-
-target_ulong HELPER(gorcw)(target_ulong rs1, target_ulong rs2)
-{
-return do_gorc(rs1, rs2, 32);
-}
-
 target_ulong HELPER(clmul)(target_ulong rs1, target_ulong rs2)
 {
 target_ulong result = 0;
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index 8a318a2dbc..a9bda2c8ac 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -61,8 +61,6 @@ DEF_HELPER_FLAGS_1(fclass_d, TCG_CALL_NO_RWG_SE, tl, i64)
 /* Bitmanip */
 DEF_HELPER_FLAGS_2(grev, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(grevw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
-DEF_HELPER_FLAGS_2(gorc, TCG_CALL_NO_RWG_SE, tl, tl, tl)
-DEF_HELPER_FLAGS_2(gorcw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(clmul, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(clmulr, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index a509cfee11..59202196dc 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -681,6 +681,7 @@ max101 .. 110 . 0110011 @r
 maxu   101 .. 111 . 0110011 @r
 min101 .. 100 . 0110011 @r
 minu   101 .. 101 . 0110011 @r
+orc_b  001010 000111 . 101 . 0010011 @r2
 orn010 .. 110 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 ror011 .. 101 . 0110011 @r
@@ -702,19 +703,14 @@ pack   100 .. 100 . 0110011 @r
 packu  0100100 .. 100 . 0110011 @r
 packh  100 .. 111 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
-gorc   0010100 .. 101 . 0110011 @r
-
 grevi  01101. ... 101 . 0010011 @sh
-gorci  00101. ... 101 . 0010011 @sh
 
 # *** RV64B Standard Extension (in addition to RV32B) ***
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
-gorcw  0010100 .. 101 . 0111011 @r
 
 greviw 0110100 .. 101 . 0011011 @sh5
-gorciw 0010100 .. 101 . 0011011 @sh5
 
 # *** RV32 Zbc Standard Extension ***
 clmul  101 .. 001 . 0110011 @r
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 9768271639..05102d54b5 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -295,16 +295,27 @@ static bool trans_grevi(DisasContext *ctx, arg_grevi *a)
 return gen_shift_imm_fn(ctx, a, EXT_NONE, gen_grevi);
 }
 
-static bool trans_gorc(DisasContext *ctx, arg_gorc *a)
+static void gen_orc_b(TCGv ret, 

[PATCH v10 06/16] target/riscv: Remove the W-form instructions from Zbs

2021-09-04 Thread Philipp Tomsich
Zbs 1.0.0 (just as the 0.93 draft-B before) does not provide for W-form
instructions for Zbs (single-bit instructions).  Remove them.

Note that these instructions had already been removed for the 0.93
version of the draft-B extension and have not been present in the
binutils patches circulating in January 2021.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- Remove the W-form instructions from Zbs in a separate commit.

 target/riscv/insn32.decode  |  7 
 target/riscv/insn_trans/trans_rvb.c.inc | 56 -
 2 files changed, 63 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 86f1166dab..b499691a9e 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -717,10 +717,6 @@ cpopw  011 00010 . 001 . 0011011 @r2
 
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
-bsetw  0010100 .. 001 . 0111011 @r
-bclrw  0100100 .. 001 . 0111011 @r
-binvw  0110100 .. 001 . 0111011 @r
-bextw  0100100 .. 101 . 0111011 @r
 slow   001 .. 001 . 0111011 @r
 srow   001 .. 101 . 0111011 @r
 rorw   011 .. 101 . 0111011 @r
@@ -728,9 +724,6 @@ rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
 gorcw  0010100 .. 101 . 0111011 @r
 
-bsetiw 0010100 .. 001 . 0011011 @sh5
-bclriw 0100100 .. 001 . 0011011 @sh5
-binviw 0110100 .. 001 . 0011011 @sh5
 sloiw  001 .. 001 . 0011011 @sh5
 sroiw  001 .. 101 . 0011011 @sh5
 roriw  011 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 7f6d5aa258..ca92920efd 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -420,62 +420,6 @@ static bool trans_packuw(DisasContext *ctx, arg_packuw *a)
 return gen_arith(ctx, a, EXT_NONE, gen_packuw);
 }
 
-static bool trans_bsetw(DisasContext *ctx, arg_bsetw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_NONE, gen_bset);
-}
-
-static bool trans_bsetiw(DisasContext *ctx, arg_bsetiw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_bset);
-}
-
-static bool trans_bclrw(DisasContext *ctx, arg_bclrw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_NONE, gen_bclr);
-}
-
-static bool trans_bclriw(DisasContext *ctx, arg_bclriw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_bclr);
-}
-
-static bool trans_binvw(DisasContext *ctx, arg_binvw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_NONE, gen_binv);
-}
-
-static bool trans_binviw(DisasContext *ctx, arg_binviw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_binv);
-}
-
-static bool trans_bextw(DisasContext *ctx, arg_bextw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_NONE, gen_bext);
-}
-
 static bool trans_slow(DisasContext *ctx, arg_slow *a)
 {
 REQUIRE_64BIT(ctx);
-- 
2.25.1




[PATCH v10 13/16] target/riscv: Add rev8 instruction, removing grev/grevi

2021-09-04 Thread Philipp Tomsich
The 1.0.0 version of Zbb does not contain grev/grevi.  Instead, a
rev8 instruction (equivalent to the rev8 pseudo-instruction built on
grevi from pre-0.93 draft-B) is available.

This commit adds the new rev8 instruction and removes grev/grevi.

Note that there is no W-form of this instruction (both a
sign-extending and zero-extending 32-bit version can easily be
synthesized by following rev8 with either a srai or srli instruction
on RV64) and that the opcode encodings for rev8 in RV32 and RV64 are
different.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v9)

Changes in v9:
- Rebased to 8880cc4362.
- Fixes a whitespace-at-the-end-of-line warning for the rev8 comment
  in insn32.decode

Changes in v4:
- reorder trans_rev8* functions to be sequential
- rename rev8 to rev8_32 in decoder

Changes in v3:
- rev8-addition & grevi*-removal moved to a separate commit

 target/riscv/bitmanip_helper.c  | 40 -
 target/riscv/helper.h   |  2 --
 target/riscv/insn32.decode  | 12 
 target/riscv/insn_trans/trans_rvb.c.inc | 40 +
 4 files changed, 15 insertions(+), 79 deletions(-)

diff --git a/target/riscv/bitmanip_helper.c b/target/riscv/bitmanip_helper.c
index bb48388fcd..f1b5e5549f 100644
--- a/target/riscv/bitmanip_helper.c
+++ b/target/riscv/bitmanip_helper.c
@@ -24,46 +24,6 @@
 #include "exec/helper-proto.h"
 #include "tcg/tcg.h"
 
-static const uint64_t adjacent_masks[] = {
-dup_const(MO_8, 0x55),
-dup_const(MO_8, 0x33),
-dup_const(MO_8, 0x0f),
-dup_const(MO_16, 0xff),
-dup_const(MO_32, 0x),
-UINT32_MAX
-};
-
-static inline target_ulong do_swap(target_ulong x, uint64_t mask, int shift)
-{
-return ((x & mask) << shift) | ((x & ~mask) >> shift);
-}
-
-static target_ulong do_grev(target_ulong rs1,
-target_ulong rs2,
-int bits)
-{
-target_ulong x = rs1;
-int i, shift;
-
-for (i = 0, shift = 1; shift < bits; i++, shift <<= 1) {
-if (rs2 & shift) {
-x = do_swap(x, adjacent_masks[i], shift);
-}
-}
-
-return x;
-}
-
-target_ulong HELPER(grev)(target_ulong rs1, target_ulong rs2)
-{
-return do_grev(rs1, rs2, TARGET_LONG_BITS);
-}
-
-target_ulong HELPER(grevw)(target_ulong rs1, target_ulong rs2)
-{
-return do_grev(rs1, rs2, 32);
-}
-
 target_ulong HELPER(clmul)(target_ulong rs1, target_ulong rs2)
 {
 target_ulong result = 0;
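
Review bot: with adjacent_masks[] removed, the dup_const() calls that were the visible reason for including "tcg/tcg.h" in this file are gone. Please check whether the remaining clmul helpers still need that include and drop it in this patch if they do not, so the file does not keep a stale dependency.
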
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index a9bda2c8ac..c7a5376227 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -59,8 +59,6 @@ DEF_HELPER_FLAGS_2(fcvt_d_lu, TCG_CALL_NO_RWG, i64, env, tl)
 DEF_HELPER_FLAGS_1(fclass_d, TCG_CALL_NO_RWG_SE, tl, i64)
 
 /* Bitmanip */
-DEF_HELPER_FLAGS_2(grev, TCG_CALL_NO_RWG_SE, tl, tl, tl)
-DEF_HELPER_FLAGS_2(grevw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(clmul, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(clmulr, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 59202196dc..901a66c0f5 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -683,6 +683,9 @@ min101 .. 100 . 0110011 @r
 minu   101 .. 101 . 0110011 @r
 orc_b  001010 000111 . 101 . 0010011 @r2
 orn010 .. 110 . 0110011 @r
+# The encoding for rev8 differs between RV32 and RV64.
+# rev8_32 denotes the RV32 variant.
+rev8_32011010 011000 . 101 . 0010011 @r2
 rol011 .. 001 . 0110011 @r
 ror011 .. 101 . 0110011 @r
 rori   01100  101 . 0010011 @sh
@@ -694,6 +697,10 @@ xnor   010 .. 100 . 0110011 @r
 clzw   011 0 . 001 . 0011011 @r2
 ctzw   011 1 . 001 . 0011011 @r2
 cpopw  011 00010 . 001 . 0011011 @r2
+# The encoding for rev8 differs between RV32 and RV64.
+# When executing on RV64, the encoding used in RV32 is an illegal
+# instruction, so we use different handler functions to differentiate.
+rev8_64011010 111000 . 101 . 0010011 @r2
 rolw   011 .. 001 . 0111011 @r
 roriw  011 .. 101 . 0011011 @sh5
 rorw   011 .. 101 . 0111011 @r
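
Review bot: the comment added above rev8_64 explains that the RV32 encoding is illegal on RV64, but the comment above rev8_32 in the previous hunk does not state the converse. Both patterns sit in the same decode file, so correctness depends entirely on each handler rejecting the wrong XLEN (REQUIRE_64BIT in the rev8_64 handler and the matching 32-bit check in the rev8_32 one). Please say so in both comments, so that nobody later merges the two handlers or drops one of the checks.
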
@@ -702,15 +709,10 @@ rorw   011 .. 101 . 0111011 @r
 pack   100 .. 100 . 0110011 @r
 packu  0100100 .. 100 . 0110011 @r
 packh  100 .. 111 . 0110011 @r
-grev   0110100 .. 101 . 0110011 @r
-grevi  01101. ... 101 . 0010011 @sh
 
 # *** RV64B Standard Extension (in addition to RV32B) ***
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
-grevw  0110100 .. 101 . 0111011 @r

Re: [PATCH V2 18/21] virito-net: use "qps" instead of "queues" when possible

2021-09-04 Thread Michael S. Tsirkin
On Fri, Sep 03, 2021 at 05:10:28PM +0800, Jason Wang wrote:
> Most of the time, "queues" really means queue pairs. So this patch
> switch to use "qps" to avoid confusion.
> 
> Signed-off-by: Jason Wang 

This is far from a standard terminology, except for the people
like me, whose mind is permanently warped by close contact with infiniband
hardware. Please eschew abbreviation, just say queue_pairs.

> ---
>  hw/net/vhost_net.c |   6 +-
>  hw/net/virtio-net.c| 150 -
>  include/hw/virtio/virtio-net.h |   4 +-
>  3 files changed, 80 insertions(+), 80 deletions(-)
> 
> diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
> index 7e0b60b4d9..b40fdfa625 100644
> --- a/hw/net/vhost_net.c
> +++ b/hw/net/vhost_net.c
> @@ -337,7 +337,7 @@ int vhost_net_start(VirtIODevice *dev, NetClientState 
> *ncs,
>  if (i < data_qps) {
>  peer = qemu_get_peer(ncs, i);
>  } else { /* Control Virtqueue */
> -peer = qemu_get_peer(ncs, n->max_queues);
> +peer = qemu_get_peer(ncs, n->max_qps);
>  }
>  
>  net = get_vhost_net(peer);
> @@ -362,7 +362,7 @@ int vhost_net_start(VirtIODevice *dev, NetClientState 
> *ncs,
>  if (i < data_qps) {
>  peer = qemu_get_peer(ncs, i);
>  } else {
> -peer = qemu_get_peer(ncs, n->max_queues);
> +peer = qemu_get_peer(ncs, n->max_qps);
>  }
>  r = vhost_net_start_one(get_vhost_net(peer), dev);
>  
> @@ -412,7 +412,7 @@ void vhost_net_stop(VirtIODevice *dev, NetClientState 
> *ncs,
>  if (i < data_qps) {
>  peer = qemu_get_peer(ncs, i);
>  } else {
> -peer = qemu_get_peer(ncs, n->max_queues);
> +peer = qemu_get_peer(ncs, n->max_qps);
>  }
>  vhost_net_stop_one(get_vhost_net(peer), dev);
>  }
> diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
> index 8fccbaa44c..0a5d9862ec 100644
> --- a/hw/net/virtio-net.c
> +++ b/hw/net/virtio-net.c
> @@ -54,7 +54,7 @@
>  #define VIRTIO_NET_RX_QUEUE_DEFAULT_SIZE 256
>  #define VIRTIO_NET_TX_QUEUE_DEFAULT_SIZE 256
>  
> -/* for now, only allow larger queues; with virtio-1, guest can downsize */
> +/* for now, only allow larger qps; with virtio-1, guest can downsize */
>  #define VIRTIO_NET_RX_QUEUE_MIN_SIZE VIRTIO_NET_RX_QUEUE_DEFAULT_SIZE
>  #define VIRTIO_NET_TX_QUEUE_MIN_SIZE VIRTIO_NET_TX_QUEUE_DEFAULT_SIZE
>  
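
Review bot: In the comment above VIRTIO_NET_RX_QUEUE_MIN_SIZE, "queues" refers to the size of a virtqueue, not to a queue pair, so rewording it to "only allow larger qps" changes its meaning. The context lines define the RX/TX queue sizes, so this comment should keep "queues" and be left out of the rename.
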
> @@ -131,7 +131,7 @@ static void virtio_net_get_config(VirtIODevice *vdev, 
> uint8_t *config)
>  int ret = 0;
>  memset(, 0 , sizeof(struct virtio_net_config));
>  virtio_stw_p(vdev, , n->status);
> -virtio_stw_p(vdev, _virtqueue_pairs, n->max_queues);
> +virtio_stw_p(vdev, _virtqueue_pairs, n->max_qps);
>  virtio_stw_p(vdev, , n->net_conf.mtu);
>  memcpy(netcfg.mac, n->mac, ETH_ALEN);
>  virtio_stl_p(vdev, , n->net_conf.speed);
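
Review bot: The value stored here goes into the config field whose name ends in _virtqueue_pairs, so naming the member max_queue_pairs rather than max_qps would match the field it feeds and needs no glossary. The same applies to the local qps variables introduced in the following hunks.
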
> @@ -243,7 +243,7 @@ static void virtio_net_vhost_status(VirtIONet *n, uint8_t 
> status)
>  {
>  VirtIODevice *vdev = VIRTIO_DEVICE(n);
>  NetClientState *nc = qemu_get_queue(n->nic);
> -int queues = n->multiqueue ? n->max_queues : 1;
> +int qps = n->multiqueue ? n->max_qps : 1;
>  
>  if (!get_vhost_net(nc->peer)) {
>  return;
> @@ -266,7 +266,7 @@ static void virtio_net_vhost_status(VirtIONet *n, uint8_t 
> status)
>  /* Any packets outstanding? Purge them to avoid touching rings
>   * when vhost is running.
>   */
> -for (i = 0;  i < queues; i++) {
> +for (i = 0;  i < qps; i++) {
>  NetClientState *qnc = qemu_get_subqueue(n->nic, i);
>  
>  /* Purge both directions: TX and RX. */
> @@ -285,14 +285,14 @@ static void virtio_net_vhost_status(VirtIONet *n, 
> uint8_t status)
>  }
>  
>  n->vhost_started = 1;
> -r = vhost_net_start(vdev, n->nic->ncs, queues, 0);
> +r = vhost_net_start(vdev, n->nic->ncs, qps, 0);
>  if (r < 0) {
>  error_report("unable to start vhost net: %d: "
>   "falling back on userspace virtio", -r);
>  n->vhost_started = 0;
>  }
>  } else {
> -vhost_net_stop(vdev, n->nic->ncs, queues, 0);
> +vhost_net_stop(vdev, n->nic->ncs, qps, 0);
>  n->vhost_started = 0;
>  }
>  }
> @@ -309,11 +309,11 @@ static int virtio_net_set_vnet_endian_one(VirtIODevice 
> *vdev,
>  }
>  
>  static bool virtio_net_set_vnet_endian(VirtIODevice *vdev, NetClientState 
> *ncs,
> -   int queues, bool enable)
> +   int qps, bool enable)
>  {
>  int i;
>  
> -for (i = 0; i < queues; i++) {
> +for (i = 0; i < qps; i++) {
>  if (virtio_net_set_vnet_endian_one(vdev, ncs[i].peer, enable) < 0 &&
>  enable) {
>  while (--i >= 0) {
> @@ -330,7 +330,7 @@ static bool virtio_net_set_vnet_endian(VirtIODevice 
> *vdev, 

[PATCH v10 12/16] target/riscv: Add a REQUIRE_32BIT macro

2021-09-04 Thread Philipp Tomsich
With the changes to Zb[abcs], there are some encodings that are
different in RV64 and RV32 (e.g., for rev8 and zext.h). For these,
we'll need a helper macro allowing us to select on RV32, as well.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- Moved the REQUIRE_32BIT macro into a separate commit.

 target/riscv/translate.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index e356fc6c46..7562b2f87c 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -337,6 +337,12 @@ EX_SH(12)
 }  \
 } while (0)
 
+#define REQUIRE_32BIT(ctx) do { \
+if (!is_32bit(ctx)) {   \
+return false;   \
+}   \
+} while (0)
+
 #define REQUIRE_64BIT(ctx) do { \
 if (is_32bit(ctx)) {\
 return false;   \
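
Review bot: REQUIRE_32BIT() is added without a comment, and like REQUIRE_64BIT() below it hides a "return false" inside the macro. A one-line comment saying it is meant for encodings that are valid only on RV32 (the commit message names rev8 and zext.h) would tell later users when to reach for it instead of REQUIRE_64BIT().
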
-- 
2.25.1




[PATCH v10 16/16] disas/riscv: Add Zb[abcs] instructions

2021-09-04 Thread Philipp Tomsich
With the addition of Zb[abcs], we also need to add disassembler
support for these new instructions.

Signed-off-by: Philipp Tomsich 
Acked-by: Alistair Francis 

---

(no changes since v2)

Changes in v2:
- Fix missing ';' from last-minute whitespace cleanups.

 disas/riscv.c | 157 +-
 1 file changed, 154 insertions(+), 3 deletions(-)

diff --git a/disas/riscv.c b/disas/riscv.c
index 278d9be924..793ad14c27 100644
--- a/disas/riscv.c
+++ b/disas/riscv.c
@@ -478,6 +478,49 @@ typedef enum {
 rv_op_fsflags = 316,
 rv_op_fsrmi = 317,
 rv_op_fsflagsi = 318,
+rv_op_bseti = 319,
+rv_op_bclri = 320,
+rv_op_binvi = 321,
+rv_op_bexti = 322,
+rv_op_rori = 323,
+rv_op_clz = 324,
+rv_op_ctz = 325,
+rv_op_cpop = 326,
+rv_op_sext_h = 327,
+rv_op_sext_b = 328,
+rv_op_xnor = 329,
+rv_op_orn = 330,
+rv_op_andn = 331,
+rv_op_rol = 332,
+rv_op_ror = 333,
+rv_op_sh1add = 334,
+rv_op_sh2add = 335,
+rv_op_sh3add = 336,
+rv_op_sh1add_uw = 337,
+rv_op_sh2add_uw = 338,
+rv_op_sh3add_uw = 339,
+rv_op_clmul = 340,
+rv_op_clmulr = 341,
+rv_op_clmulh = 342,
+rv_op_min = 343,
+rv_op_minu = 344,
+rv_op_max = 345,
+rv_op_maxu = 346,
+rv_op_clzw = 347,
+rv_op_ctzw = 348,
+rv_op_cpopw = 349,
+rv_op_slli_uw = 350,
+rv_op_add_uw = 351,
+rv_op_rolw = 352,
+rv_op_rorw = 353,
+rv_op_rev8 = 354,
+rv_op_zext_h = 355,
+rv_op_roriw = 356,
+rv_op_orc_b = 357,
+rv_op_bset = 358,
+rv_op_bclr = 359,
+rv_op_binv = 360,
+rv_op_bext = 361,
 } rv_op;
 
 /* structures */
@@ -1117,6 +1160,49 @@ const rv_opcode_data opcode_data[] = {
 { "fsflags", rv_codec_i_csr, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
 { "fsrmi", rv_codec_i_csr, rv_fmt_rd_zimm, NULL, 0, 0, 0 },
 { "fsflagsi", rv_codec_i_csr, rv_fmt_rd_zimm, NULL, 0, 0, 0 },
+{ "bseti", rv_codec_i_sh7, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "bclri", rv_codec_i_sh7, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "binvi", rv_codec_i_sh7, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "bexti", rv_codec_i_sh7, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "rori", rv_codec_i_sh7, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "clz", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "ctz", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "cpop", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "sext.h", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "sext.b", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "xnor", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "orn", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "andn", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "rol", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "ror", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh1add", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh2add", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh3add", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh1add.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh2add.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "sh3add.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "clmul", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "clmulr", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "clmulh", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "min", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "minu", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "max", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "maxu", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "clzw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "clzw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "cpopw", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "slli.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "add.uw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "rolw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "rorw", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "rev8", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "zext.h", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "roriw", rv_codec_i_sh5, rv_fmt_rd_rs1_imm, NULL, 0, 0, 0 },
+{ "orc.b", rv_codec_r, rv_fmt_rd_rs1, NULL, 0, 0, 0 },
+{ "bset", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "bclr", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "binv", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
+{ "bext", rv_codec_r, rv_fmt_rd_rs1_rs2, NULL, 0, 0, 0 },
 };
 
 /* CSR names */
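
Review bot: The row that lines up with rv_op_ctzw (348) is a second { "clzw", ... } entry; the enum order is clzw, ctzw, cpopw, so the row between "clzw" and "cpopw" should read "ctzw", otherwise ctzw is printed as clzw. In the same hunk, "xnor", "orn" and "andn" take two source registers but use rv_fmt_rd_rs1, which drops rs2 from the output; they should use rv_fmt_rd_rs1_rs2 like "rol" and "ror". "slli.uw" is an immediate shift but is listed with rv_codec_r and rv_fmt_rd_rs1_rs2, unlike "bseti" or "rori", which use rv_codec_i_sh7 and rv_fmt_rd_rs1_imm.
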
@@ -1507,7 +1593,20 @@ static void decode_inst_opcode(rv_decode *dec, rv_isa 
isa)
 case 0: op = rv_op_addi; break;
 case 1:
 switch (((inst >> 27) & 0b1)) {
-case 0: op = rv_op_slli; break;
+case 0b0: op = rv_op_slli; break;
+

[PATCH v10 08/16] target/riscv: Reassign instructions to the Zbs-extension

2021-09-04 Thread Philipp Tomsich
The following instructions are part of Zbs:
 - b{set,clr,ext,inv}
 - b{set,clr,ext,inv}i

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- The changes to the Zbs instructions (i.e. the REQUIRE_ZBS macro and
  its use for qualifying the Zba instructions) are moved into a
  separate commit.

 target/riscv/insn32.decode  | 17 +
 target/riscv/insn_trans/trans_rvb.c.inc | 25 +++--
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index e0f6e315a2..35a3563ff4 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -689,19 +689,11 @@ min101 .. 100 . 0110011 @r
 minu   101 .. 101 . 0110011 @r
 max101 .. 110 . 0110011 @r
 maxu   101 .. 111 . 0110011 @r
-bset   0010100 .. 001 . 0110011 @r
-bclr   0100100 .. 001 . 0110011 @r
-binv   0110100 .. 001 . 0110011 @r
-bext   0100100 .. 101 . 0110011 @r
 ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
 gorc   0010100 .. 101 . 0110011 @r
 
-bseti  00101. ... 001 . 0010011 @sh
-bclri  01001. ... 001 . 0010011 @sh
-binvi  01101. ... 001 . 0010011 @sh
-bexti  01001. ... 101 . 0010011 @sh
 rori   01100. ... 101 . 0010011 @sh
 grevi  01101. ... 101 . 0010011 @sh
 gorci  00101. ... 101 . 0010011 @sh
@@ -722,3 +714,12 @@ roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
 
+# *** RV32 Zbs Standard Extension ***
+bclr   0100100 .. 001 . 0110011 @r
+bclri  01001. ... 001 . 0010011 @sh
+bext   0100100 .. 101 . 0110011 @r
+bexti  01001. ... 101 . 0010011 @sh
+binv   0110100 .. 001 . 0110011 @r
+binvi  01101. ... 001 . 0010011 @sh
+bset   0010100 .. 001 . 0110011 @r
+bseti  00101. ... 001 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 9891c4912a..2c2e4bc3d7 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -1,5 +1,5 @@
 /*
- * RISC-V translation routines for the RVB draft and Zba Standard Extension.
+ * RISC-V translation routines for the RVB draft Zb[as] Standard Extension.
  *
  * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
  * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
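
Review bot: The new header line "RVB draft Zb[as] Standard Extension" lost the "and" of the old wording and now reads as if Zb[as] were the RVB draft. Suggest "for the RVB draft and the Zb[as] Standard Extensions".
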
@@ -24,11 +24,16 @@
 }\
 } while (0)
 
+#define REQUIRE_ZBS(ctx) do {\
+if (!RISCV_CPU(ctx->cs)->cfg.ext_zbs) {  \
+return false;\
+}\
+} while (0)
+
 static void gen_clz(TCGv ret, TCGv arg1)
 {
 tcg_gen_clzi_tl(ret, arg1, TARGET_LONG_BITS);
 }
-
 static bool trans_clz(DisasContext *ctx, arg_clz *a)
 {
 REQUIRE_EXT(ctx, RVB);
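
Review bot: The blank line between gen_clz() and trans_clz() is removed in this hunk, which is unrelated to adding REQUIRE_ZBS() and leaves the two functions run together. Please drop that whitespace change.
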
@@ -165,13 +170,13 @@ static void gen_bset(TCGv ret, TCGv arg1, TCGv shamt)
 
 static bool trans_bset(DisasContext *ctx, arg_bset *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift(ctx, a, EXT_NONE, gen_bset);
 }
 
 static bool trans_bseti(DisasContext *ctx, arg_bseti *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_bset);
 }
 
@@ -187,13 +192,13 @@ static void gen_bclr(TCGv ret, TCGv arg1, TCGv shamt)
 
 static bool trans_bclr(DisasContext *ctx, arg_bclr *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift(ctx, a, EXT_NONE, gen_bclr);
 }
 
 static bool trans_bclri(DisasContext *ctx, arg_bclri *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_bclr);
 }
 
@@ -209,13 +214,13 @@ static void gen_binv(TCGv ret, TCGv arg1, TCGv shamt)
 
 static bool trans_binv(DisasContext *ctx, arg_binv *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift(ctx, a, EXT_NONE, gen_binv);
 }
 
 static bool trans_binvi(DisasContext *ctx, arg_binvi *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_binv);
 }
 
@@ -227,13 +232,13 @@ static void gen_bext(TCGv ret, TCGv arg1, TCGv shamt)
 
 static bool trans_bext(DisasContext *ctx, arg_bext *a)
 {
-REQUIRE_EXT(ctx, RVB);
+REQUIRE_ZBS(ctx);
 return gen_shift(ctx, a, EXT_NONE, gen_bext);
 }
 
 static bool trans_bexti(DisasContext *ctx, arg_bexti *a)
 {
-

[PATCH v10 03/16] target/riscv: clwz must ignore high bits (use shift-left & changed logic)

2021-09-04 Thread Philipp Tomsich
Assume clzw being executed on a register that is not sign-extended, such
as for the following sequence that uses (1ULL << 63) | 392 as the operand
to clzw:
    bseti   a2, zero, 63
    addi    a2, a2, 392
    clzw    a3, a2
The correct result of clzw would be 23, but the current implementation
returns -32 (as it performs a 64bit clz, which results in 0 leading zero
bits, and then subtracts 32).

Fix this by changing the implementation to:
 1. shift the original register up by 32
 2. perform a target-length (64bit) clz
 3. return 32 if no bits are set

Signed-off-by: Philipp Tomsich 
---

Changes in v10:
- New patch, fixing correctness for clzw called on a register with undefined
  (as in: not properly sign-extended) upper bits.

 target/riscv/insn_trans/trans_rvb.c.inc | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 6c85c89f6d..8d29cadd20 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -349,8 +349,10 @@ GEN_TRANS_SHADD(3)
 
 static void gen_clzw(TCGv ret, TCGv arg1)
 {
-tcg_gen_clzi_tl(ret, arg1, 64);
-tcg_gen_subi_tl(ret, ret, 32);
+TCGv t = tcg_temp_new();
+tcg_gen_shli_tl(t, arg1, 32);
+tcg_gen_clzi_tl(ret, t, 32);
+tcg_temp_free(t);
 }
 
 static bool trans_clzw(DisasContext *ctx, arg_clzw *a)
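
Review bot: gen_clzw() needs a comment explaining the two 32s: the shift by 32 discards the upper word so that only the low 32 bits are counted, and the 32 passed to tcg_gen_clzi_tl() is the result when the low word is all zeroes. Without it the constant looks like a leftover from the old "clz, then subtract 32" form. A test using the three-instruction sequence from the commit message would also keep this from regressing.
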
-- 
2.25.1
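
The clzw failure described in the commit message above, modelled in plain C as an added example (not code from the patch or from QEMU). `clzi64()` is a hypothetical stand-in for a 64-bit count-leading-zeros that returns a caller-supplied value for a zero input, and `clzw_before()` / `clzw_after()` are illustrative names for the old and new operation sequences.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumption: models a 64-bit count-leading-zeros that yields `zero_val`
 * when the input is 0, which is how the patch uses the third argument of
 * tcg_gen_clzi_tl().
 */
static int64_t clzi64(uint64_t x, int64_t zero_val)
{
    int64_t n = 0;

    if (x == 0) {
        return zero_val;
    }
    while (!(x & (UINT64_C(1) << 63))) {
        x <<= 1;
        n++;
    }
    return n;
}

/* Old sequence: 64-bit clz on the whole register, then subtract 32. */
static int64_t clzw_before(uint64_t rs1)
{
    return clzi64(rs1, 64) - 32;
}

/*
 * New sequence: move the low word into the upper half (discarding whatever
 * was in bits 63..32), do the 64-bit clz, and return 32 if the word is 0.
 */
static int64_t clzw_after(uint64_t rs1)
{
    return clzi64(rs1 << 32, 32);
}

int main(void)
{
    /* Operand from the commit message: bseti a2, zero, 63; addi a2, a2, 392 */
    uint64_t a2 = (UINT64_C(1) << 63) | 392;

    printf("before: %lld\n", (long long)clzw_before(a2));
    printf("after:  %lld\n", (long long)clzw_after(a2));
    /* A clean, zero-extended operand gives the same answer either way. */
    printf("clean:  %lld %lld\n", (long long)clzw_before(392),
           (long long)clzw_after(392));
    return 0;
}
```

The two versions agree only while bits 63..32 of the source register are zero, which is why the bug stays hidden until an operand with dirty upper bits reaches clzw.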




Re: [PATCH V2 12/21] vhost-vdpa: open device fd in net_init_vhost_vdpa()

2021-09-04 Thread Michael S. Tsirkin
On Fri, Sep 03, 2021 at 05:10:22PM +0800, Jason Wang wrote:
> This path switches to open device fd in net_init_vhost_vpda(). This is

patch?

> used to prepare for the multiqueue support.
> 
> Reviewed-by: Stefano Garzarella 
> Signed-off-by: Jason Wang 
> ---
>  net/vhost-vdpa.c | 23 +++
>  1 file changed, 15 insertions(+), 8 deletions(-)
> 
> diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
> index 912686457c..73d29a74ef 100644
> --- a/net/vhost-vdpa.c
> +++ b/net/vhost-vdpa.c
> @@ -156,24 +156,19 @@ static NetClientInfo net_vhost_vdpa_info = {
>  };
>  
>  static int net_vhost_vdpa_init(NetClientState *peer, const char *device,
> -   const char *name, const char *vhostdev)
> +   const char *name, int vdpa_device_fd)
>  {
>  NetClientState *nc = NULL;
>  VhostVDPAState *s;
> -int vdpa_device_fd = -1;
>  int ret = 0;
>  assert(name);
>  nc = qemu_new_net_client(_vhost_vdpa_info, peer, device, name);
>  snprintf(nc->info_str, sizeof(nc->info_str), TYPE_VHOST_VDPA);
>  s = DO_UPCAST(VhostVDPAState, nc, nc);
> -vdpa_device_fd = qemu_open_old(vhostdev, O_RDWR);
> -if (vdpa_device_fd == -1) {
> -return -errno;
> -}
> +
>  s->vhost_vdpa.device_fd = vdpa_device_fd;
>  ret = vhost_vdpa_add(nc, (void *)>vhost_vdpa);
>  if (ret) {
> -qemu_close(vdpa_device_fd);
>  qemu_del_net_client(nc);
>  }
>  return ret;
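
Review bot: After this hunk net_vhost_vdpa_init() stores the caller's fd in s->vhost_vdpa.device_fd before vhost_vdpa_add(), and on failure it calls qemu_del_net_client(nc) while net_init_vhost_vdpa() then calls qemu_close() on the same fd. Please confirm that the client cleanup path does not also close device_fd, or reset it to -1 before qemu_del_net_client(), so the descriptor cannot be closed twice. A comment stating that the caller keeps ownership of the fd on failure would make the contract explicit.
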
> @@ -201,6 +196,7 @@ int net_init_vhost_vdpa(const Netdev *netdev, const char 
> *name,
>  NetClientState *peer, Error **errp)
>  {
>  const NetdevVhostVDPAOptions *opts;
> +int vdpa_device_fd, ret;
>  
>  assert(netdev->type == NET_CLIENT_DRIVER_VHOST_VDPA);
>  opts = >u.vhost_vdpa;
> @@ -209,5 +205,16 @@ int net_init_vhost_vdpa(const Netdev *netdev, const char 
> *name,
>(char *)name, errp)) {
>  return -1;
>  }
> -return net_vhost_vdpa_init(peer, TYPE_VHOST_VDPA, name, opts->vhostdev);
> +
> +vdpa_device_fd = qemu_open_old(opts->vhostdev, O_RDWR);
> +if (vdpa_device_fd == -1) {
> +return -errno;
> +}
> +
> +ret = net_vhost_vdpa_init(peer, TYPE_VHOST_VDPA, name, vdpa_device_fd);
> +if (ret) {
> +qemu_close(vdpa_device_fd);
> +}
> +
> +return ret;
>  }
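
Review bot: When qemu_open_old() fails, net_init_vhost_vdpa() returns -errno without filling errp, although the function takes an Error **errp and the check just above reports through it. Setting the error there (for example with error_setg_errno(errp, errno, ...)) would tell the user why the device could not be opened. The same applies when net_vhost_vdpa_init() returns non-zero.
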
> -- 
> 2.25.1




Re: [PATCH V2 17/21] vhost-net: control virtqueue support

2021-09-04 Thread Michael S. Tsirkin
On Fri, Sep 03, 2021 at 05:10:27PM +0800, Jason Wang wrote:
> We assumed there was no cvq in the past; this is not true when we need
> control virtqueue support for vhost-user backends. So this patch
> implements the control virtqueue support for vhost-net. As with the datapath,
> the control virtqueue is also required to be coupled with the
> NetClientState. The vhost_net_start/stop() are tweaked to accept the
> number of datapath queue pairs plus the number of control
> virtqueue for us to start and stop the vhost device.
> 
> Signed-off-by: Jason Wang 


Fails build:

FAILED: libcommon.fa.p/hw_net_vhost_net-stub.c.o 
cc -Ilibcommon.fa.p -I. -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/spice-1 
-I/usr/include/spice-server -I/usr/include/cacard -I/usr/include/glib-2.0 
-I/usr/lib64/glib-2.0/include -I/usr/include/nss3 -I/usr/include/nspr4 
-I/usr/include/libmount -I/usr/include/blkid -I/usr/include/pixman-1 
-I/usr/include/p11-kit-1 -I/usr/include/SDL2 -I/usr/include/libpng16 
-I/usr/include/virgl -I/usr/include/libusb-1.0 -I/usr/include/slirp 
-I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz 
-I/usr/include/freetype2 -I/usr/include/fribidi -I/usr/include/libxml2 
-I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/gio-unix-2.0 
-I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/dbus-1.0 
-I/usr/lib64/dbus-1.0/include -I/usr/include/at-spi-2.0 -I/usr/include/vte-2.91 
-I/usr/include/capstone -fdiagnostics-color=auto -pipe -Wall -Winvalid-pch 
-Werror -std=gnu11 -O2 -g -isystem /scm/qemu/linux-headers -isystem 
linux-headers -iquote . -iquote /scm/qemu -iquote /scm/qemu/include -iquote 
/scm/qemu/disas/libvixl -iquote /scm/qemu/tcg/i386 -pthread -U_FORTIFY_SOURCE 
-D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 
-D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef 
-Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv 
-Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security 
-Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs 
-Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 
-Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi 
-fstack-protector-strong -fPIC -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=600 
-DNCURSES_WIDECHAR -DSTRUCT_IOVEC_DEFINED -D_REENTRANT -Wno-undef -MD -MQ 
libcommon.fa.p/hw_net_vhost_net-stub.c.o -MF 
libcommon.fa.p/hw_net_vhost_net-stub.c.o.d -o 
libcommon.fa.p/hw_net_vhost_net-stub.c.o -c ../hw/net/vhost_net-stub.c
../hw/net/vhost_net-stub.c:34:5: error: conflicting types for ‘vhost_net_start’
   34 | int vhost_net_start(VirtIODevice *dev,
  | ^~~
In file included from ../hw/net/vhost_net-stub.c:19:
/scm/qemu/include/net/vhost_net.h:24:5: note: previous declaration of 
‘vhost_net_start’ was here
   24 | int vhost_net_start(VirtIODevice *dev, NetClientState *ncs,
  | ^~~
../hw/net/vhost_net-stub.c:40:6: error: conflicting types for ‘vhost_net_stop’
   40 | void vhost_net_stop(VirtIODevice *dev,
  |  ^~
In file included from ../hw/net/vhost_net-stub.c:19:
/scm/qemu/include/net/vhost_net.h:26:6: note: previous declaration of 
‘vhost_net_stop’ was here
   26 | void vhost_net_stop(VirtIODevice *dev, NetClientState *ncs,
  |  ^~
ninja: build stopped: subcommand failed.
make[1]: *** [Makefile:156: run-ninja] Error 1



> ---
>  hw/net/vhost_net.c  | 43 ++---
>  hw/net/virtio-net.c |  4 ++--
>  include/net/vhost_net.h |  6 --
>  3 files changed, 38 insertions(+), 15 deletions(-)
> 
> diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
> index 386ec2eaa2..7e0b60b4d9 100644
> --- a/hw/net/vhost_net.c
> +++ b/hw/net/vhost_net.c
> @@ -315,11 +315,14 @@ static void vhost_net_stop_one(struct vhost_net *net,
>  }
>  
>  int vhost_net_start(VirtIODevice *dev, NetClientState *ncs,
> -int total_queues)
> +int data_qps, int cvq)
>  {
>  BusState *qbus = BUS(qdev_get_parent_bus(DEVICE(dev)));
>  VirtioBusState *vbus = VIRTIO_BUS(qbus);
>  VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(vbus);
> +int total_notifiers = data_qps * 2 + cvq;
> +VirtIONet *n = VIRTIO_NET(dev);
> +int nvhosts = data_qps + cvq;
>  struct vhost_net *net;
>  int r, e, i;
>  NetClientState *peer;
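
Review bot: Changing vhost_net_start() to take "int data_qps, int cvq" also requires updating the stub definitions: the diffstat touches only vhost_net.c, virtio-net.c and vhost_net.h, and the build log above shows conflicting types for vhost_net_start and vhost_net_stop in hw/net/vhost_net-stub.c. total_notifiers and nvhosts are both derived from cvq, so a short comment that cvq is expected to be 0 or 1 would help here.
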
> @@ -329,9 +332,14 @@ int vhost_net_start(VirtIODevice *dev, NetClientState 
> *ncs,
>  return -ENOSYS;
>  }
>  
> -for (i = 0; i < total_queues; i++) {
> +for (i = 0; i < nvhosts; i++) {
> +
> +if (i < data_qps) {
> +peer = qemu_get_peer(ncs, i);
> +} else { /* Control Virtqueue */
> +peer = qemu_get_peer(ncs, n->max_queues);
> +}
>  
> -peer = qemu_get_peer(ncs, i);
>  net = get_vhost_net(peer);
>  vhost_net_set_vq_index(net, i * 2);
>  
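
Review bot: In the loop, every index at or above data_qps takes the peer at n->max_queues, so cvq only works as 0 or 1 even though it is an int that feeds nvhosts; consider making it a bool or asserting cvq <= 1. The empty "+" line right after the for statement is a stray blank line and can go.
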
> @@ -344,14 +352,18 @@ int 

[PATCH v10 01/16] target/riscv: Introduce temporary in gen_add_uw()

2021-09-04 Thread Philipp Tomsich
Following the recent changes in translate.c, gen_add_uw() causes
failures on CF3 and SPEC2017 due to the reuse of arg1.  Fix these
regressions by introducing a temporary.

Signed-off-by: Philipp Tomsich 
---

Changes in v10:
- new patch

 target/riscv/insn_trans/trans_rvb.c.inc | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index b72e76255c..c0a6e25826 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -624,8 +624,10 @@ GEN_TRANS_SHADD_UW(3)
 
 static void gen_add_uw(TCGv ret, TCGv arg1, TCGv arg2)
 {
-tcg_gen_ext32u_tl(arg1, arg1);
-tcg_gen_add_tl(ret, arg1, arg2);
+TCGv t = tcg_temp_new();
+tcg_gen_ext32u_tl(t, arg1);
+tcg_gen_add_tl(ret, t, arg2);
+tcg_temp_free(t);
 }
 
 static bool trans_add_uw(DisasContext *ctx, arg_add_uw *a)
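
Review bot: gen_add_uw() now leaves arg1 untouched, but nothing in the code says why the temporary is needed; a one-line comment that the helper must not write to its source operands would stop a later cleanup from folding t back into arg1. The commit message could also name the translate.c change that made the in-place tcg_gen_ext32u_tl(arg1, arg1) unsafe.
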
-- 
2.25.1




[PATCH v10 07/16] target/riscv: Remove shift-one instructions (proposed Zbo in pre-0.93 draft-B)

2021-09-04 Thread Philipp Tomsich
The Zb[abcs] ratification package does not include the proposed
shift-one instructions. There currently is no clear plan as to whether
these (or variants of them) will be ratified as Zbo (or a different
extension) or what the timeframe for such a decision could be.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- Remove shift-one instructions in a separate commit.

 target/riscv/insn32.decode  |  8 ---
 target/riscv/insn_trans/trans_rvb.c.inc | 70 -
 2 files changed, 78 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index b499691a9e..e0f6e315a2 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -693,8 +693,6 @@ bset   0010100 .. 001 . 0110011 @r
 bclr   0100100 .. 001 . 0110011 @r
 binv   0110100 .. 001 . 0110011 @r
 bext   0100100 .. 101 . 0110011 @r
-slo001 .. 001 . 0110011 @r
-sro001 .. 101 . 0110011 @r
 ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
@@ -704,8 +702,6 @@ bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
 binvi  01101. ... 001 . 0010011 @sh
 bexti  01001. ... 101 . 0010011 @sh
-sloi   00100. ... 001 . 0010011 @sh
-sroi   00100. ... 101 . 0010011 @sh
 rori   01100. ... 101 . 0010011 @sh
 grevi  01101. ... 101 . 0010011 @sh
 gorci  00101. ... 101 . 0010011 @sh
@@ -717,15 +713,11 @@ cpopw  011 00010 . 001 . 0011011 @r2
 
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
-slow   001 .. 001 . 0111011 @r
-srow   001 .. 101 . 0111011 @r
 rorw   011 .. 101 . 0111011 @r
 rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
 gorcw  0010100 .. 101 . 0111011 @r
 
-sloiw  001 .. 001 . 0011011 @sh5
-sroiw  001 .. 101 . 0011011 @sh5
 roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index ca92920efd..9891c4912a 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -237,44 +237,6 @@ static bool trans_bexti(DisasContext *ctx, arg_bexti *a)
 return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_bext);
 }
 
-static void gen_slo(TCGv ret, TCGv arg1, TCGv arg2)
-{
-tcg_gen_not_tl(ret, arg1);
-tcg_gen_shl_tl(ret, ret, arg2);
-tcg_gen_not_tl(ret, ret);
-}
-
-static bool trans_slo(DisasContext *ctx, arg_slo *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_shift(ctx, a, EXT_NONE, gen_slo);
-}
-
-static bool trans_sloi(DisasContext *ctx, arg_sloi *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_slo);
-}
-
-static void gen_sro(TCGv ret, TCGv arg1, TCGv arg2)
-{
-tcg_gen_not_tl(ret, arg1);
-tcg_gen_shr_tl(ret, ret, arg2);
-tcg_gen_not_tl(ret, ret);
-}
-
-static bool trans_sro(DisasContext *ctx, arg_sro *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_shift(ctx, a, EXT_ZERO, gen_sro);
-}
-
-static bool trans_sroi(DisasContext *ctx, arg_sroi *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_shift_imm_tl(ctx, a, EXT_ZERO, gen_sro);
-}
-
 static bool trans_ror(DisasContext *ctx, arg_ror *a)
 {
 REQUIRE_EXT(ctx, RVB);
@@ -420,38 +382,6 @@ static bool trans_packuw(DisasContext *ctx, arg_packuw *a)
 return gen_arith(ctx, a, EXT_NONE, gen_packuw);
 }
 
-static bool trans_slow(DisasContext *ctx, arg_slow *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_NONE, gen_slo);
-}
-
-static bool trans_sloiw(DisasContext *ctx, arg_sloiw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift_imm_tl(ctx, a, EXT_NONE, gen_slo);
-}
-
-static bool trans_srow(DisasContext *ctx, arg_srow *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift(ctx, a, EXT_ZERO, gen_sro);
-}
-
-static bool trans_sroiw(DisasContext *ctx, arg_sroiw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-ctx->w = true;
-return gen_shift_imm_tl(ctx, a, EXT_ZERO, gen_sro);
-}
-
 static void gen_rorw(TCGv ret, TCGv arg1, TCGv arg2)
 {
 TCGv_i32 t1 = tcg_temp_new_i32();
-- 
2.25.1




[PATCH v10 14/16] target/riscv: Add zext.h instructions to Zbb, removing pack/packu/packh

2021-09-04 Thread Philipp Tomsich
The 1.0.0 version of Zbb does not contain pack/packu/packh. However, a
zext.h instruction (built on pack/packh from pre-0.93 draft-B) is
available.

This commit adds zext.h and removes the pack* instructions.

Note that the encodings for zext.h are different between RV32 and
RV64, which is handled through REQUIRE_32BIT.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v9)

Changes in v9:
- Rebased to 8880cc4362.

Changes in v4:
- Renamed RV32 variant to zext_h_32.
- Reordered trans_zext_h_{32,64} to be next to each other.

Changes in v3:
- Moved zext.h-addition & pack*-removal to a separate commit.

 target/riscv/insn32.decode  | 12 ++--
 target/riscv/insn_trans/trans_rvb.c.inc | 86 -
 2 files changed, 21 insertions(+), 77 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 901a66c0f5..affb99b3e6 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -692,6 +692,9 @@ rori   01100  101 . 0010011 @sh
 sext_b 011000 000100 . 001 . 0010011 @r2
 sext_h 011000 000101 . 001 . 0010011 @r2
 xnor   010 .. 100 . 0110011 @r
+# The encoding for zext.h differs between RV32 and RV64.
+# zext_h_32 denotes the RV32 variant.
+zext_h_32  100 0 . 100 . 0110011 @r2
 
 # *** RV64 Zbb Standard Extension (in addition to RV32 Zbb) ***
 clzw   011 0 . 001 . 0011011 @r2
@@ -704,15 +707,14 @@ rev8_64011010 111000 . 101 . 0010011 @r2
 rolw   011 .. 001 . 0111011 @r
 roriw  011 .. 101 . 0011011 @sh5
 rorw   011 .. 101 . 0111011 @r
+# The encoding for zext.h differs between RV32 and RV64.
+# When executing on RV64, the encoding used in RV32 is an illegal
+# instruction, so we use different handler functions to differentiate.
+zext_h_64  100 0 . 100 . 0111011 @r2
 
 # *** RV32B Standard Extension ***
-pack   100 .. 100 . 0110011 @r
-packu  0100100 .. 100 . 0110011 @r
-packh  100 .. 111 . 0110011 @r
 
 # *** RV64B Standard Extension (in addition to RV32B) ***
-packw  100 .. 100 . 0111011 @r
-packuw 0100100 .. 100 . 0111011 @r
 
 # *** RV32 Zbc Standard Extension ***
 clmul  101 .. 001 . 0110011 @r
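
Review bot: With pack, packu, packh, packw and packuw removed, the "# *** RV32B Standard Extension ***" and "# *** RV64B Standard Extension (in addition to RV32B) ***" headers are left with no entries under them. Remove the two empty section headers in this hunk as well.
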
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 6fd1a020b3..badc6882eb 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -88,47 +88,6 @@ static bool trans_xnor(DisasContext *ctx, arg_xnor *a)
 return gen_arith(ctx, a, EXT_NONE, tcg_gen_eqv_tl);
 }
 
-static void gen_pack(TCGv ret, TCGv arg1, TCGv arg2)
-{
-tcg_gen_deposit_tl(ret, arg1, arg2,
-   TARGET_LONG_BITS / 2,
-   TARGET_LONG_BITS / 2);
-}
-
-static bool trans_pack(DisasContext *ctx, arg_pack *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_arith(ctx, a, EXT_NONE, gen_pack);
-}
-
-static void gen_packu(TCGv ret, TCGv arg1, TCGv arg2)
-{
-TCGv t = tcg_temp_new();
-tcg_gen_shri_tl(t, arg1, TARGET_LONG_BITS / 2);
-tcg_gen_deposit_tl(ret, arg2, t, 0, TARGET_LONG_BITS / 2);
-tcg_temp_free(t);
-}
-
-static bool trans_packu(DisasContext *ctx, arg_packu *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_arith(ctx, a, EXT_NONE, gen_packu);
-}
-
-static void gen_packh(TCGv ret, TCGv arg1, TCGv arg2)
-{
-TCGv t = tcg_temp_new();
-tcg_gen_ext8u_tl(t, arg2);
-tcg_gen_deposit_tl(ret, arg1, t, 8, TARGET_LONG_BITS - 8);
-tcg_temp_free(t);
-}
-
-static bool trans_packh(DisasContext *ctx, arg_packh *a)
-{
-REQUIRE_EXT(ctx, RVB);
-return gen_arith(ctx, a, EXT_NONE, gen_packh);
-}
-
 static bool trans_min(DisasContext *ctx, arg_min *a)
 {
 REQUIRE_ZBB(ctx);
@@ -336,6 +295,20 @@ GEN_TRANS_SHADD(1)
 GEN_TRANS_SHADD(2)
 GEN_TRANS_SHADD(3)
 
+static bool trans_zext_h_32(DisasContext *ctx, arg_zext_h_32 *a)
+{
+REQUIRE_32BIT(ctx);
+REQUIRE_ZBB(ctx);
+return gen_unary(ctx, a, EXT_NONE, tcg_gen_ext16u_tl);
+}
+
+static bool trans_zext_h_64(DisasContext *ctx, arg_zext_h_64 *a)
+{
+REQUIRE_64BIT(ctx);
+REQUIRE_ZBB(ctx);
+return gen_unary(ctx, a, EXT_NONE, tcg_gen_ext16u_tl);
+}
+
 static void gen_clzw(TCGv ret, TCGv arg1)
 {
 TCGv t = tcg_temp_new();
@@ -372,37 +345,6 @@ static bool trans_cpopw(DisasContext *ctx, arg_cpopw *a)
 return gen_unary(ctx, a, EXT_ZERO, tcg_gen_ctpop_tl);
 }
 
-static void gen_packw(TCGv ret, TCGv arg1, TCGv arg2)
-{
-TCGv t = tcg_temp_new();
-tcg_gen_ext16s_tl(t, arg2);
-tcg_gen_deposit_tl(ret, arg1, t, 16, 48);
-tcg_temp_free(t);
-}
-
-static bool trans_packw(DisasContext *ctx, arg_packw *a)
-{
-REQUIRE_64BIT(ctx);
-REQUIRE_EXT(ctx, RVB);
-return gen_arith(ctx, a, 

[PATCH v10 05/16] target/riscv: Reassign instructions to the Zba-extension

2021-09-04 Thread Philipp Tomsich
The following instructions are part of Zba:
 - add.uw (RV64 only)
 - sh[123]add (RV32 and RV64)
 - sh[123]add.uw (RV64-only)
 - slli.uw (RV64-only)

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

Changes in v10:
- Split off gen_add_uw() fix into a separate patch, as requested.

Changes in v9:
- Rebased to 8880cc4362.
- Update gen_add_uw() to use a temporary instead of messing with
  arg1 (fixes a regression after rebase on CF3 and SPEC2017).

Changes in v3:
- The changes to the Zba instructions (i.e. the REQUIRE_ZBA macro
  and its use for qualifying the Zba instructions) are moved into
  a separate commit.

 target/riscv/insn32.decode  | 20 
 target/riscv/insn_trans/trans_rvb.c.inc | 16 +++-
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 2cd921d51c..86f1166dab 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -660,6 +660,18 @@ vamomaxd_v  10100 . . . . 111 . 010 
@r_wdvm
 vamominud_v 11000 . . . . 111 . 010 @r_wdvm
 vamomaxud_v 11100 . . . . 111 . 010 @r_wdvm
 
+# *** RV32 Zba Standard Extension ***
+sh1add 001 .. 010 . 0110011 @r
+sh2add 001 .. 100 . 0110011 @r
+sh3add 001 .. 110 . 0110011 @r
+
+# *** RV64 Zba Standard Extension (in addition to RV32 Zba) ***
+add_uw 100 .. 000 . 0111011 @r
+sh1add_uw  001 .. 010 . 0111011 @r
+sh2add_uw  001 .. 100 . 0111011 @r
+sh3add_uw  001 .. 110 . 0111011 @r
+slli_uw1  001 . 0011011 @sh
+
 # *** RV32B Standard Extension ***
 clz011000 00 . 001 . 0010011 @r2
 ctz011000 01 . 001 . 0010011 @r2
@@ -687,9 +699,6 @@ ror011 .. 101 . 0110011 @r
 rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
 gorc   0010100 .. 101 . 0110011 @r
-sh1add 001 .. 010 . 0110011 @r
-sh2add 001 .. 100 . 0110011 @r
-sh3add 001 .. 110 . 0110011 @r
 
 bseti  00101. ... 001 . 0010011 @sh
 bclri  01001. ... 001 . 0010011 @sh
@@ -718,10 +727,6 @@ rorw   011 .. 101 . 0111011 @r
 rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
 gorcw  0010100 .. 101 . 0111011 @r
-sh1add_uw  001 .. 010 . 0111011 @r
-sh2add_uw  001 .. 100 . 0111011 @r
-sh3add_uw  001 .. 110 . 0111011 @r
-add_uw 100 .. 000 . 0111011 @r
 
 bsetiw 0010100 .. 001 . 0011011 @sh5
 bclriw 0100100 .. 001 . 0011011 @sh5
@@ -732,4 +737,3 @@ roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
 
-slli_uw1. ... 001 . 0011011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 8d29cadd20..7f6d5aa258 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -1,8 +1,9 @@
 /*
- * RISC-V translation routines for the RVB Standard Extension.
+ * RISC-V translation routines for the RVB draft and Zba Standard Extension.
  *
  * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
  * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
+ * Copyright (c) 2021 Philipp Tomsich, philipp.toms...@vrull.eu
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -17,6 +18,11 @@
  * this program.  If not, see .
  */
 
+#define REQUIRE_ZBA(ctx) do {\
+if (!RISCV_CPU(ctx->cs)->cfg.ext_zba) {  \
+return false;\
+}\
+} while (0)
 
 static void gen_clz(TCGv ret, TCGv arg1)
 {
@@ -339,7 +345,7 @@ GEN_SHADD(3)
 #define GEN_TRANS_SHADD(SHAMT) \
 static bool trans_sh##SHAMT##add(DisasContext *ctx, arg_sh##SHAMT##add *a) \
 {  \
-REQUIRE_EXT(ctx, RVB); \
+REQUIRE_ZBA(ctx);  \
 return gen_arith(ctx, a, EXT_NONE, gen_sh##SHAMT##add);\
 }
 
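Review bot: replacing REQUIRE_EXT(ctx, RVB) with REQUIRE_ZBA(ctx) in GEN_TRANS_SHADD means sh[123]add now decode only when cfg.ext_zba is set, so a guest configured with the B flag alone loses these instructions at this point in the series. If that is intended, say so in the commit message; otherwise accept either flag until the RVB removal lands, so every commit stays usable when bisecting.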
@@ -616,7 +622,7 @@ static bool trans_sh##SHAMT##add_uw(DisasContext *ctx,  
  \
 arg_sh##SHAMT##add_uw *a) \
 { \
 

[PATCH v10 10/16] target/riscv: Reassign instructions to the Zbb-extension

2021-09-04 Thread Philipp Tomsich
This reassigns the instructions that are part of Zbb into it, with the
notable exceptions of the instructions (rev8, zext.w and orc.b) that
changed due to gorci, grevi and pack not being part of Zb[abcs].

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- The changes to the Zbb instructions (i.e. use the REQUIRE_ZBB macro)
  are now in a separate commit.

 target/riscv/insn32.decode  | 40 ++-
 target/riscv/insn_trans/trans_rvb.c.inc | 51 ++---
 2 files changed, 50 insertions(+), 41 deletions(-)

diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 1658bb4217..a509cfee11 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -672,45 +672,47 @@ sh2add_uw  001 .. 100 . 0111011 @r
 sh3add_uw  001 .. 110 . 0111011 @r
 slli_uw1  001 . 0011011 @sh
 
-# *** RV32B Standard Extension ***
+# *** RV32 Zbb Standard Extension ***
+andn   010 .. 111 . 0110011 @r
 clz011000 00 . 001 . 0010011 @r2
-ctz011000 01 . 001 . 0010011 @r2
 cpop   011000 10 . 001 . 0010011 @r2
+ctz011000 01 . 001 . 0010011 @r2
+max101 .. 110 . 0110011 @r
+maxu   101 .. 111 . 0110011 @r
+min101 .. 100 . 0110011 @r
+minu   101 .. 101 . 0110011 @r
+orn010 .. 110 . 0110011 @r
+rol011 .. 001 . 0110011 @r
+ror011 .. 101 . 0110011 @r
+rori   01100  101 . 0010011 @sh
 sext_b 011000 000100 . 001 . 0010011 @r2
 sext_h 011000 000101 . 001 . 0010011 @r2
-
-andn   010 .. 111 . 0110011 @r
-orn010 .. 110 . 0110011 @r
 xnor   010 .. 100 . 0110011 @r
+
+# *** RV64 Zbb Standard Extension (in addition to RV32 Zbb) ***
+clzw   011 0 . 001 . 0011011 @r2
+ctzw   011 1 . 001 . 0011011 @r2
+cpopw  011 00010 . 001 . 0011011 @r2
+rolw   011 .. 001 . 0111011 @r
+roriw  011 .. 101 . 0011011 @sh5
+rorw   011 .. 101 . 0111011 @r
+
+# *** RV32B Standard Extension ***
 pack   100 .. 100 . 0110011 @r
 packu  0100100 .. 100 . 0110011 @r
 packh  100 .. 111 . 0110011 @r
-min101 .. 100 . 0110011 @r
-minu   101 .. 101 . 0110011 @r
-max101 .. 110 . 0110011 @r
-maxu   101 .. 111 . 0110011 @r
-ror011 .. 101 . 0110011 @r
-rol011 .. 001 . 0110011 @r
 grev   0110100 .. 101 . 0110011 @r
 gorc   0010100 .. 101 . 0110011 @r
 
-rori   01100. ... 101 . 0010011 @sh
 grevi  01101. ... 101 . 0010011 @sh
 gorci  00101. ... 101 . 0010011 @sh
 
 # *** RV64B Standard Extension (in addition to RV32B) ***
-clzw   011 0 . 001 . 0011011 @r2
-ctzw   011 1 . 001 . 0011011 @r2
-cpopw  011 00010 . 001 . 0011011 @r2
-
 packw  100 .. 100 . 0111011 @r
 packuw 0100100 .. 100 . 0111011 @r
-rorw   011 .. 101 . 0111011 @r
-rolw   011 .. 001 . 0111011 @r
 grevw  0110100 .. 101 . 0111011 @r
 gorcw  0010100 .. 101 . 0111011 @r
 
-roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
 
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index bc98f289b3..9768271639 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -1,5 +1,5 @@
 /*
- * RISC-V translation routines for the Zb[acs] Standard Extension.
+ * RISC-V translation routines for the Zb[abcs] Standard Extension.
  *
  * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
  * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
@@ -24,6 +24,12 @@
 }\
 } while (0)
 
+#define REQUIRE_ZBB(ctx) do {\
+if (!RISCV_CPU(ctx->cs)->cfg.ext_zbb) {  \
+return false;\
+}\
+} while (0)
+
 #define REQUIRE_ZBC(ctx) do {\
 if (!RISCV_CPU(ctx->cs)->cfg.ext_zbc) {  \
 return false;\
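Review bot: REQUIRE_ZBB is added as another copy of the five-line pattern that REQUIRE_ZBC directly below it already uses, differing only in the cfg field name. A single macro that takes the field name as an argument would keep the hidden "return false" in one place and make it harder for a future extension check to drift from the others.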
@@ -40,9 +46,10 @@ static void gen_clz(TCGv ret, TCGv arg1)
 {
 tcg_gen_clzi_tl(ret, arg1, TARGET_LONG_BITS);
 }
+
 static bool trans_clz(DisasContext 

[PATCH v10 04/16] target/riscv: Add x-zba, x-zbb, x-zbc and x-zbs properties

2021-09-04 Thread Philipp Tomsich
The bitmanipulation ISA extensions will be ratified as individual
small extension packages instead of a large B-extension.  The first
new instructions through the door (these have completed public review)
are Zb[abcs].

This adds new 'x-zba', 'x-zbb', 'x-zbc' and 'x-zbs' properties for
these in target/riscv/cpu.[ch].

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v3)

Changes in v3:
- Split off removal of 'x-b' property and 'ext_b' field into a separate
  patch to ensure bisectability.

 target/riscv/cpu.c | 4 
 target/riscv/cpu.h | 4 
 2 files changed, 8 insertions(+)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1a2b03d579..ceb7e01810 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -587,6 +587,10 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
 /* This is experimental so mark with 'x-' */
 DEFINE_PROP_BOOL("x-b", RISCVCPU, cfg.ext_b, false),
+DEFINE_PROP_BOOL("x-zba", RISCVCPU, cfg.ext_zba, false),
+DEFINE_PROP_BOOL("x-zbb", RISCVCPU, cfg.ext_zbb, false),
+DEFINE_PROP_BOOL("x-zbc", RISCVCPU, cfg.ext_zbc, false),
+DEFINE_PROP_BOOL("x-zbs", RISCVCPU, cfg.ext_zbs, false),
 DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("x-v", RISCVCPU, cfg.ext_v, false),
 DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
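Review bot: the four new properties are added next to "x-b" under the same "experimental" comment, but nothing here states how they relate to it, for example what x-b=true combined with x-zba=false should mean. While "x-b" still exists, either document that the x-zb* flags are independent of it or derive them from ext_b when the CPU is configured, so that a given command line has exactly one meaning.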
diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index bf1c899c00..7c4cd8ea89 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -293,6 +293,10 @@ struct RISCVCPU {
 bool ext_u;
 bool ext_h;
 bool ext_v;
+bool ext_zba;
+bool ext_zbb;
+bool ext_zbc;
+bool ext_zbs;
 bool ext_counters;
 bool ext_ifencei;
 bool ext_icsr;
-- 
2.25.1




[PATCH v10 09/16] target/riscv: Add instructions of the Zbc-extension

2021-09-04 Thread Philipp Tomsich
The following instructions are part of Zbc:
 - clmul
 - clmulh
 - clmulr

Note that these instructions were already defined in the pre-0.93 and
the 0.93 draft-B proposals, but had not been omitted in the earlier
addition of draft-B to QEmu.

Signed-off-by: Philipp Tomsich 
Reviewed-by: Richard Henderson 
Reviewed-by: Alistair Francis 
---

(no changes since v9)

Changes in v9:
- Rebased to 8880cc4362.

Changes in v6:
- Move gen_clmulh to trans_rvb.c.inc, as per Richard H's request.

Changes in v5:
- Introduce gen_clmulh (as suggested by Richard H) and use to simplify
  trans_clmulh().

Changes in v3:
- This adds the Zbc instructions as a separate commit.
- Uses a helper for clmul/clmulr instead of inlining the calculation of
  the result (addressing a comment from Richard Henderson).

 target/riscv/bitmanip_helper.c  | 27 +
 target/riscv/helper.h   |  2 ++
 target/riscv/insn32.decode  |  5 
 target/riscv/insn_trans/trans_rvb.c.inc | 32 -
 4 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/target/riscv/bitmanip_helper.c b/target/riscv/bitmanip_helper.c
index 5b2f795d03..73be5a81c7 100644
--- a/target/riscv/bitmanip_helper.c
+++ b/target/riscv/bitmanip_helper.c
@@ -3,6 +3,7 @@
  *
  * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
  * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
+ * Copyright (c) 2021 Philipp Tomsich, philipp.toms...@vrull.eu
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -88,3 +89,29 @@ target_ulong HELPER(gorcw)(target_ulong rs1, target_ulong 
rs2)
 {
 return do_gorc(rs1, rs2, 32);
 }
+
+target_ulong HELPER(clmul)(target_ulong rs1, target_ulong rs2)
+{
+target_ulong result = 0;
+
+for (int i = 0; i < TARGET_LONG_BITS; i++) {
+if ((rs2 >> i) & 1) {
+result ^= (rs1 << i);
+}
+}
+
+return result;
+}
+
+target_ulong HELPER(clmulr)(target_ulong rs1, target_ulong rs2)
+{
+target_ulong result = 0;
+
+for (int i = 0; i < TARGET_LONG_BITS; i++) {
+if ((rs2 >> i) & 1) {
+result ^= (rs1 >> (TARGET_LONG_BITS - i - 1));
+}
+}
+
+return result;
+}
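Review bot: HELPER(clmul) and HELPER(clmulr) carry no comment saying which part of the carry-less product each returns, and the shift amount TARGET_LONG_BITS - i - 1 in clmulr is easy to misread as an off-by-one. A short comment per helper (the low XLEN bits of the product for clmul, bits XLEN-1 through 2*XLEN-2 for clmulr) plus a note that i stays in 0..TARGET_LONG_BITS-1, so neither shift reaches the type width, would make the loops reviewable without the specification open.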
diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index 460eee9988..8a318a2dbc 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -63,6 +63,8 @@ DEF_HELPER_FLAGS_2(grev, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(grevw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(gorc, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 DEF_HELPER_FLAGS_2(gorcw, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+DEF_HELPER_FLAGS_2(clmul, TCG_CALL_NO_RWG_SE, tl, tl, tl)
+DEF_HELPER_FLAGS_2(clmulr, TCG_CALL_NO_RWG_SE, tl, tl, tl)
 
 /* Special functions */
 DEF_HELPER_2(csrr, tl, env, int)
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 35a3563ff4..1658bb4217 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -714,6 +714,11 @@ roriw  011 .. 101 . 0011011 @sh5
 greviw 0110100 .. 101 . 0011011 @sh5
 gorciw 0010100 .. 101 . 0011011 @sh5
 
+# *** RV32 Zbc Standard Extension ***
+clmul  101 .. 001 . 0110011 @r
+clmulh 101 .. 011 . 0110011 @r
+clmulr 101 .. 010 . 0110011 @r
+
 # *** RV32 Zbs Standard Extension ***
 bclr   0100100 .. 001 . 0110011 @r
 bclri  01001. ... 001 . 0010011 @sh
diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index 2c2e4bc3d7..bc98f289b3 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -1,5 +1,5 @@
 /*
- * RISC-V translation routines for the RVB draft Zb[as] Standard Extension.
+ * RISC-V translation routines for the Zb[acs] Standard Extension.
  *
  * Copyright (c) 2020 Kito Cheng, kito.ch...@sifive.com
  * Copyright (c) 2020 Frank Chang, frank.ch...@sifive.com
@@ -24,6 +24,12 @@
 }\
 } while (0)
 
+#define REQUIRE_ZBC(ctx) do {\
+if (!RISCV_CPU(ctx->cs)->cfg.ext_zbc) {  \
+return false;\
+}\
+} while (0)
+
 #define REQUIRE_ZBS(ctx) do {\
 if (!RISCV_CPU(ctx->cs)->cfg.ext_zbs) {  \
 return false;\
@@ -535,3 +541,27 @@ static bool trans_slli_uw(DisasContext *ctx, arg_slli_uw 
*a)
 REQUIRE_ZBA(ctx);
 return gen_shift_imm_fn(ctx, a, EXT_NONE, gen_slli_uw);
 }
+
+static bool trans_clmul(DisasContext *ctx, arg_clmul *a)
+{
+REQUIRE_ZBC(ctx);
+return gen_arith(ctx, a, EXT_NONE, gen_helper_clmul);
+}
+
+static void gen_clmulh(TCGv dst, TCGv src1, TCGv src2)
+{
+ gen_helper_clmulr(dst, src1, src2);
+ tcg_gen_shri_tl(dst, 

[PATCH v10 00/16] target/riscv: Update QEmu for Zb[abcs] 1.0.0

2021-09-04 Thread Philipp Tomsich


The Zb[abcs] extensions have completed public review and are nearing
ratification. These individual extensions are one part of what was
previously thought of as the "BitManip" (B) extension, leaving the
final details of future Zb* extensions open as they will undergo
further public discourse.

This series updates the earlier support for the B extension by
 - removing those instructions that are not included in Zb[abcs]
 - splitting this into 4 separate extensions that can be independently
   enabled: Zba (addressing), Zbb (basic bit-manip), Zbc (carryless
   multiplication), Zbs (single-bit operations)
 - updating to the 1.0.0 version (e.g. w-forms of rev8 and Zbs
   instructions are not included in Zb[abcs])

For the latest version of the public review specification
(incorporating some editorial fixes and corrections from the review
period), refer to:
  
https://github.com/riscv/riscv-bitmanip/releases/download/1.0.0/bitmanip-1.0.0-31-g2af7256.pdf


Changes in v10:
- New patch, introducing a temporary in gen_add_uw
- New patch, fixing regressions in gen_clzw (discovered with x264_r)
- New patch, fixing correctness for gen_clzw, when called on a register 
  with undefined (as in: not properly sign-extended) upper bits.
- Retested with CF3 and SPEC2017 (size=test, size=ref); addressing new
  regressions (due to bugs in gen_clzw) from testing with SPEC2017 using
  different optimization levels
- Split off gen_add_uw() fix into a separate patch, as requested.

Changes in v9:
- Retested with CF3 and SPEC2017 (size=test only).
- Rebased to 8880cc4362.
- Update gen_add_uw() to use a temporary instead of messing with
  arg1 (fixes a regression after rebase on CF3 and SPEC2017).
- Rebased to 8880cc4362.
- Picked up Alistair's Reviewed-by, after patman had failed to catch
  it for v8.
- Rebased to 8880cc4362.
- Fixes a whitespace-at-the-end-of-line warning for the rev8 comment
  in insn32.decode
- Rebased to 8880cc4362.

Changes in v8:
- Optimize orc.b further by reordering the shift/and, updating the
  comment to reflect that we put the truth-value into the LSB, and
  putting the (now only) constant in a temporary
- Fold the final bitwise-not into the second and, using an andc.

Changes in v7:
- Free TCG temporary in gen_orc_b().

Changes in v6:
- Move gen_clmulh to trans_rvb.c.inc, as per Richard H's request.
- Fixed orc.b (now passes SPEC w/ optimized string functions) by
  adding the missing final negation.

Changes in v5:
- Introduce gen_clmulh (as suggested by Richard H) and use to simplify
  trans_clmulh().

Changes in v4:
- Drop rewrite of slli.uw (to match formal specification), as it would
  remove an optimization.
- Change orc.b to implementation suggested by Richard Henderson
- reorder trans_rev8* functions to be sequential
- rename rev8 to rev8_32 in decoder
- Renamed RV32 variant to zext_h_32.
- Reordered trans_zext_h_{32,64} to be next to each other.

Changes in v3:
- Split off removal of 'x-b' property and 'ext_b' field into a separate
  patch to ensure bisectability.
- The changes to the Zba instructions (i.e. the REQUIRE_ZBA macro
  and its use for qualifying the Zba instructions) are moved into
  a separate commit.
- Remove the W-form instructions from Zbs in a separate commit.
- Remove shift-one instructions in a separate commit.
- The changes to the Zbs instructions (i.e. the REQUIRE_ZBS macro) and
  its use for qualifying the Zba instructions) are moved into a
  separate commit.
- This adds the Zbc instructions as a separate commit.
- Uses a helper for clmul/clmulr instead of inlining the calculation of
  the result (addressing a comment from Richard Henderson).
- The changes to the Zbb instructions (i.e. use the REQUIRE_ZBB macro)
  are now in a separate commit.
- Moved orc.b and gorc/gorci changes into separate commit.
- Using the simpler orc.b implementation suggested by Richard Henderson
- Moved the REQUIRE_32BIT macro into a separate commit.
- rev8-addition & grevi*-removal moved to a separate commit
- Moved zext.h-addition & pack*-removal to a separate commit.
- Removing RVB moved into a separate commit at the tail-end of the series.

Changes in v2:
- Fix missing ';' from last-minute whitespace cleanups.

Philipp Tomsich (16):
  target/riscv: Introduce temporary in gen_add_uw()
  target/riscv: fix clzw implementation to operate on arg1
  target/riscv: clwz must ignore high bits (use shift-left & changed
logic)
  target/riscv: Add x-zba, x-zbb, x-zbc and x-zbs properties
  target/riscv: Reassign instructions to the Zba-extension
  target/riscv: Remove the W-form instructions from Zbs
  target/riscv: Remove shift-one instructions (proposed Zbo in pre-0.93
draft-B)
  target/riscv: Reassign instructions to the Zbs-extension
  target/riscv: Add instructions of the Zbc-extension
  target/riscv: Reassign instructions to the Zbb-extension
  target/riscv: Add orc.b instruction for Zbb, removing gorc/gorci
  target/riscv: Add a REQUIRE_32BIT macro
  target/riscv: Add rev8 instruction, 

[PATCH v10 02/16] target/riscv: fix clzw implementation to operate on arg1

2021-09-04 Thread Philipp Tomsich
The refactored gen_clzw() uses ret as its argument, instead of arg1.
Fix it.

Signed-off-by: Philipp Tomsich 
---

Changes in v10:
- New patch, fixing regressions discovered with x264_r.

 target/riscv/insn_trans/trans_rvb.c.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/insn_trans/trans_rvb.c.inc 
b/target/riscv/insn_trans/trans_rvb.c.inc
index c0a6e25826..6c85c89f6d 100644
--- a/target/riscv/insn_trans/trans_rvb.c.inc
+++ b/target/riscv/insn_trans/trans_rvb.c.inc
@@ -349,7 +349,7 @@ GEN_TRANS_SHADD(3)
 
 static void gen_clzw(TCGv ret, TCGv arg1)
 {
-tcg_gen_clzi_tl(ret, ret, 64);
+tcg_gen_clzi_tl(ret, arg1, 64);
 tcg_gen_subi_tl(ret, ret, 32);
 }
 
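Review bot: the corrected tcg_gen_clzi_tl(ret, arg1, 64) followed by the subtraction of 32 only yields the 32-bit count when bits 63:32 of arg1 are zero, and nothing in gen_clzw() enforces or documents that. Either state the precondition in a comment, naming what guarantees it on the caller side, or have the function mask or shift arg1 itself; the literal 64 would also read better as TARGET_LONG_BITS, which gen_clz() in the same file uses.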
-- 
2.25.1




Re: [PATCH v2 01/35] acpi: add helper routines to initialize ACPI tables

2021-09-04 Thread Michael S. Tsirkin
On Fri, Sep 03, 2021 at 09:12:21AM +0200, Igor Mammedov wrote:
> On Thu, 2 Sep 2021 14:56:00 +0200
> Eric Auger  wrote:
> 
> > Hi Igor,
> > 
> > On 7/8/21 5:45 PM, Igor Mammedov wrote:
> > > Patch introduces acpi_init_table()/acpi_table_composed() API
> > > that hides pointer/offset arithmetic from user as opposed
> > > to build_header(), to prevent errors caused by it [1].
> > > 
> > >  acpi_init_table():
> > >  initializes table header and keeps track of
> > >  table data/offsets
> > >  acpi_table_composed():
> > >  sets actual table length and tells bios loader
> > >  where table is for the later initialization on
> > >  guest side.  
> > might be worth to put those comments in the code as doc comments since
> > "_composed" terminology is not self-explanatory?
> 
> I'll add doc comments as suggested.
> A better idea how to name function is welcome as well?

Aren't these a pair? acpi_init_table is called before you
start composing it, acpi_table_composed after it's composed?

Then one of the classical pairs will work well, e.g.
acpi_table_begin / acpi_table_end or maybe
acpi_table_compose_begin / acpi_table_compose_end .


> 
> > > 1) commits
> > >bb9feea43179 x86: acpi: use offset instead of pointer when using 
> > > build_header()
> > >4d027afeb3a9 Virt: ACPI: fix qemu assert due to re-assigned table data 
> > > address
> > > 
> > > Signed-off-by: Igor Mammedov 
> > > ---
> > >  include/hw/acpi/aml-build.h | 14 +
> > >  hw/acpi/aml-build.c | 58 +
> > >  2 files changed, 72 insertions(+)
> > > 
> > > diff --git a/include/hw/acpi/aml-build.h b/include/hw/acpi/aml-build.h
> > > index 471266d739..d590660bd2 100644
> > > --- a/include/hw/acpi/aml-build.h
> > > +++ b/include/hw/acpi/aml-build.h
> > > @@ -413,6 +413,20 @@ Aml *aml_concatenate(Aml *source1, Aml *source2, Aml 
> > > *target);
> > >  Aml *aml_object_type(Aml *object);
> > >  
> > >  void build_append_int_noprefix(GArray *table, uint64_t value, int size);
> > > +
> > > +typedef struct AcpiTable {
> > > +const char *sig;
> > > +const uint8_t rev;
> > > +const char *oem_id;
> > > +const char *oem_table_id;
> > > +/* private vars tracking table state */
> > > +GArray *array;
> > > +unsigned table_offset;
> > > +} AcpiTable;
> > > +
> > > +void acpi_init_table(AcpiTable *desc, GArray *array);
> > > +void acpi_table_composed(BIOSLinker *linker, AcpiTable *table);
> > > +
> > >  void
> > >  build_header(BIOSLinker *linker, GArray *table_data,
> > >   AcpiTableHeader *h, const char *sig, int len, uint8_t rev,
> > > diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
> > > index d5103e6d7b..c598010144 100644
> > > --- a/hw/acpi/aml-build.c
> > > +++ b/hw/acpi/aml-build.c
> > > @@ -52,6 +52,19 @@ static void build_append_byte(GArray *array, uint8_t 
> > > val)
> > >  g_array_append_val(array, val);
> > >  }
> > >  
> > > +static void build_append_padded_str(GArray *array, const char *str,
> > > +size_t maxlen, char pad)
> > > +{
> > > +size_t i;
> > > +size_t len = strlen(str);
> > > +
> > > +g_assert(len <= maxlen);
> > > +g_array_append_vals(array, str, len);
> > > +for (i = maxlen - len; i > 0; i--) {
> > > +g_array_append_val(array, pad);
> > > +}
> > > +}
> > > +
> > >  static void build_append_array(GArray *array, GArray *val)
> > >  {
> > >  g_array_append_vals(array, val->data, val->len);
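Review bot: build_append_padded_str() enforces the field width with g_assert(len <= maxlen), so an over-long oem_id or oem_table_id aborts the process instead of producing an error. If either string can come from user configuration, validate the length where the value is set and report it there, keeping the assert only as an internal invariant; a doc comment stating that the string is written without a terminating NUL and padded with 'pad' up to maxlen would also help.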
> > > @@ -1692,6 +1705,51 @@ Aml *aml_object_type(Aml *object)
> > >  return var;
> > >  }
> > >  
> > > +void acpi_init_table(AcpiTable *desc, GArray *array)
> > > +{
> > > +
> > > +desc->array = array;
> > > +desc->table_offset = array->len;
> > > +
> > > +/*
> > > + * ACPI spec 1.0b
> > > + * 5.2.3 System Description Table Header
> > > + */
> > > +g_assert(strlen(desc->sig) == 4);
> > > +g_array_append_vals(array, desc->sig, 4); /* Signature */  
> > build_append_padded_str?
> 
> it will do the job even if it's a bit of overkill,
> signature must be 4 characters long so there is nothing to pad here
> (at least till this day).
> Using padded variant may confuse reader in the future,
> so I'd prefer to keep this line as is.
> 
> 
> > > +build_append_int_noprefix(array, 0, 4); /* Length */
> > > +build_append_int_noprefix(array, desc->rev, 1); /* Revision */
> > > +build_append_int_noprefix(array, 0, 1); /* Checksum */
> > > +build_append_padded_str(array, desc->oem_id, 6, ' '); /* OEMID */
> > > +/* OEM Table ID */
> > > +build_append_padded_str(array, desc->oem_table_id, 8, ' ');
> > > +build_append_int_noprefix(array, 1, 4); /* OEM Revision */
> > > +g_array_append_vals(array, ACPI_BUILD_APPNAME8, 4); /* Creator ID */
> 
> here we potentially can reuse build_append_padded_str() if we
> remove padding in ACPI_BUILD_APPNAME8, but that should wait till
> refactoring is complete (to avoid breaking 

Re: [PATCH V2 0/3] virtio: Add vhost-user-i2c device's support

2021-09-04 Thread Michael S. Tsirkin
On Fri, Jul 09, 2021 at 10:30:15AM +0530, Viresh Kumar wrote:
> Hello,
> 
> This patchset adds vhost-user-i2c device's support in Qemu. Initially I tried 
> to
> add the backend implementation as well into Qemu, but as I was looking for a
> hypervisor agnostic backend implementation, I decided to keep it outside of
> Qemu. Eventually I implemented it in Rust and it works very well with this
> patchset, and it is under review [1] to be merged in common rust vhost devices
> crate.


So I'm not sure whether it's appropriate to merge this right now.
There are several spec change proposals before the virtio TC
and I did not investigate whether this code reflects the
spec before or after these changes. It seems prudent to wait
until the spec changes are finalized and voted on, in any case.

Pls ping me to merge once that has taken place. Thanks!

> The kernel virtio I2C driver [2] is fully reviewed and is ready to be merged 
> soon.
> 
> V1->V2:
> - Dropped the backend support from qemu and minor cleanups.
> 
> I2C Testing:
> 
> 
> I didn't have access to real hardware where I can play with an I2C
> client device (like RTC, eeprom, etc) to verify the working of the
> backend daemon, so I decided to test it on my x86 box itself with
> hierarchy of two ARM64 guests.
> 
> The first ARM64 guest was passed "-device ds1338,address=0x20" option,
> so it could emulate a ds1338 RTC device, which connects to an I2C bus.
> Once the guest came up, ds1338 device instance was created within the
> guest kernel by doing:
> 
>   echo ds1338 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
> 
> [
>   Note that this may end up binding the ds1338 device to its driver,
>   which won't let our i2c daemon talk to the device. For that we need to
>   manually unbind the device from the driver:
> 
>   echo 0-0020 > /sys/bus/i2c/devices/0-0020/driver/unbind
> ]
> 
> After this is done, you will get /dev/rtc1. This is the device we wanted
> to emulate, which will be accessed by the vhost-user-i2c backend daemon
> via the /dev/i2c-0 file present in the guest VM.
> 
> At this point we need to start the backend daemon and give it a
> socket-path to talk to from qemu (you can pass -v to it to get more
> detailed messages):
> 
>   vhost-user-i2c --socket-path=vi2c.sock -l 0:32
> 
> [ Here, 0:32 is the bus/device mapping, 0 for /dev/i2c-0 and 32 (i.e.
> 0x20) is client address of ds1338 that we used while creating the
> device. ]
> 
> Now we need to start the second level ARM64 guest (from within the first
> guest) to get the i2c-virtio.c Linux driver up. The second level guest
> is passed the following options to connect to the same socket:
> 
>   -chardev socket,path=vi2c.sock0,id=vi2c \
>   -device vhost-user-i2c-pci,chardev=vi2c,id=i2c
> 
> Once the second level guest boots up, we will see the i2c-virtio bus at
> /sys/bus/i2c/devices/i2c-X/. From there we can now make it emulate the
> ds1338 device again by doing:
> 
> 
>   echo ds1338 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
> 
> [ This time we want ds1338's driver to be bound to the device, so it
> should be enabled in the kernel as well. ]
> 
> And we will get /dev/rtc1 device again here in the second level guest.
> Now we can play with the rtc device with help of hwclock utility and we
> can see the following sequence of transfers happening if we try to
> update rtc's time from system time.
> 
> hwclock -w -f /dev/rtc1 (in guest2) ->
>   Reaches i2c-virtio.c (Linux bus driver in guest2) ->
> transfer over virtio ->
>   Reaches the qemu's vhost-i2c device emulation (running over guest1) ->
> Reaches the backend daemon vhost-user-i2c started earlier (in guest1) 
> ->
>   ioctl(/dev/i2c-0, I2C_RDWR, ..); (in guest1) ->
> reaches qemu's hw/rtc/ds1338.c (running over host)
> 
> 
> SMBUS Testing:
> --
> 
> I wasn't required to have such a tedious setup for testing out with
> SMBUS devices. I was able to emulate a SMBUS device on my x86 machine
> using i2c-stub driver.
> 
> $ modprobe i2c-stub chip_addr=0x20
> //Boot the arm64 guest now with i2c-virtio driver and then do:
> $ echo al3320a 0x20 > /sys/class/i2c-adapter/i2c-0/new_device
> $ cat /sys/bus/iio/devices/iio:device0/in_illuminance_raw
> 
> That's it.
> 
> I hope I was able to give a clear picture of my test setup here :)
> 
> --
> Viresh
> 
> Viresh Kumar (3):
>   hw/virtio: add boilerplate for vhost-user-i2c device
>   hw/virtio: add vhost-user-i2c-pci boilerplate
>   MAINTAINERS: Add entry for virtio-i2c
> 
>  MAINTAINERS|   7 +
>  hw/virtio/Kconfig  |   5 +
>  hw/virtio/meson.build  |   2 +
>  hw/virtio/vhost-user-i2c-pci.c |  69 +++
>  hw/virtio/vhost-user-i2c.c | 288 +
>  include/hw/virtio/vhost-user-i2c.h |  28 +++
>  6 files changed, 399 insertions(+)
>  create mode 100644 hw/virtio/vhost-user-i2c-pci.c
>  create mode 100644 hw/virtio/vhost-user-i2c.c
>  create mode 100644 

arm: Launching EFI-enabled arm32 Linux

2021-09-04 Thread Adam Lackorzynski
Hi,

while trying to launch an EFI-enabled arm32 Linux binary (zImage) I
noticed I get an undefined instruction exception on the first
instruction. Now this is a bit special because Linux uses a nop
instruction there that also is a PE file signature ('MZ') such that the
CPU runs over it and the file is still recognized as a PE binary. Linux
uses 0x13105a4d (tstne r0, #0x4d000) as the instruction (see also
arch/arm/boot/compressed/head.S and efi-header.S in Linux).
However, QEMU's instruction decoder will only recognize TST with bits
12-15 being 0, which this instruction is not fulfilling, and thus the
undef exception. I guess other CPU implementations will allow this
encoding. So while investigating I was doing the following to make Linux
proceed. I also believe this was working in a previous version of QEMU.

diff --git a/target/arm/a32.decode b/target/arm/a32.decode
index fcd8cd4f7d..222553750e 100644
--- a/target/arm/a32.decode
+++ b/target/arm/a32.decode
@@ -127,7 +127,7 @@ ADD_rri   001 0100 .    
  @s_rri_rot
 ADC_rri   001 0101 .      @s_rri_rot
 SBC_rri   001 0110 .      @s_rri_rot
 RSC_rri   001 0111 .      @s_rri_rot
-TST_xri   001 1000 1      @S_xri_rot
+TST_xri   001 1000 1      @S_xri_rot
 TEQ_xri   001 1001 1      @S_xri_rot
 CMP_xri   001 1010 1      @S_xri_rot
 CMN_xri   001 1011 1      @S_xri_rot
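Review bot: only TST_xri is touched, while the TEQ_xri, CMP_xri and CMN_xri context lines keep the same @S_xri_rot format, so after this change the decoder would treat bits 12-15 differently for TST than for the other three flag-setting compares. If accepting non-zero bits there is correct, apply it to all four and add a comment above the group saying why the field is ignored; if it is only a workaround for the Linux EFI header word, state that in the commit message.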


Any thoughts on this?



Adam
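
The instruction word discussed in this message can be taken apart field by field. The following is an added example, not code from the post or from QEMU: the function names are hypothetical, and the strict/relaxed switch models the two decoder behaviours described above (bits 12-15 required to be zero, or ignored), not QEMU's generated decoder.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an A32 data-processing (immediate) instruction word. */
typedef struct {
    unsigned cond;   /* bits 31:28, condition (0x1 = NE) */
    unsigned op;     /* bits 27:25, 0b001 selects the immediate form */
    unsigned opcode; /* bits 24:21, 0b1000 = TST */
    unsigned s;      /* bit 20, set-flags bit */
    unsigned rn;     /* bits 19:16, first operand register */
    unsigned rd;     /* bits 15:12, TST has no destination register */
    unsigned rot;    /* bits 11:8, rotation count divided by two */
    unsigned imm8;   /* bits 7:0, unrotated immediate */
} A32DpImm;

/* Split a 32-bit A32 instruction word into its bit fields. */
static A32DpImm a32_split(uint32_t insn)
{
    A32DpImm f;
    f.cond   = (insn >> 28) & 0xf;
    f.op     = (insn >> 25) & 0x7;
    f.opcode = (insn >> 21) & 0xf;
    f.s      = (insn >> 20) & 0x1;
    f.rn     = (insn >> 16) & 0xf;
    f.rd     = (insn >> 12) & 0xf;
    f.rot    = (insn >> 8) & 0xf;
    f.imm8   = insn & 0xff;
    return f;
}

/* Expand the modified immediate: imm8 rotated right by 2 * rot. */
static uint32_t a32_expand_imm(const A32DpImm *f)
{
    unsigned r = 2 * f->rot;
    uint32_t v = f->imm8;
    return r ? (v >> r) | (v << (32 - r)) : v;
}

/*
 * Model of the two decoder behaviours from the message (an assumption of
 * this example): with require_rd_zero set, bits 15:12 must be zero for
 * the word to match TST (immediate); with it clear they are ignored.
 */
static int is_tst_imm(const A32DpImm *f, int require_rd_zero)
{
    if (f->op != 1 || f->opcode != 8 || f->s != 1) {
        return 0;
    }
    return !require_rd_zero || f->rd == 0;
}

/* Does the word, stored little-endian, begin with the bytes 'M' 'Z'? */
static int starts_with_mz(uint32_t insn)
{
    return (insn & 0xff) == 'M' && ((insn >> 8) & 0xff) == 'Z';
}

int main(void)
{
    const uint32_t insn = 0x13105a4dU; /* the word quoted in the message */
    A32DpImm f = a32_split(insn);

    printf("cond=%x opcode=%x S=%u rn=r%u bits15:12=%x imm=#0x%x\n",
           f.cond, f.opcode, f.s, f.rn, f.rd,
           (unsigned)a32_expand_imm(&f));
    printf("PE 'MZ' prefix: %s\n", starts_with_mz(insn) ? "yes" : "no");
    printf("strict decode matches TST: %s\n",
           is_tst_imm(&f, 1) ? "yes" : "no");
    printf("relaxed decode matches TST: %s\n",
           is_tst_imm(&f, 0) ? "yes" : "no");
    return 0;
}
```

The non-zero value in bits 15:12 comes from the 'Z' byte (0x5a), which is why the word cannot satisfy both the PE signature and a decoder that insists on zeros in that field.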



Re: [PULL 00/22] testing and plugin updates

2021-09-04 Thread Peter Maydell
On Fri, 3 Sept 2021 at 10:03, Alex Bennée  wrote:
>
> The following changes since commit 079b1252e9de384385c9da910262312ec2e574c8:
>
>   Merge remote-tracking branch 
> 'remotes/pmaydell/tags/pull-target-arm-20210901' into staging (2021-09-01 
> 17:45:38 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/stsquad/qemu.git tags/pull-for-6.2-020921-1
>
> for you to fetch changes up to a35af836d103f781d2fea437129732c16ba64b25:
>
>   docs/devel: be consistent about example plugin names (2021-09-02 11:29:34 
> +0100)
>
> 
> Testing and plugin updates:
>
>   - fix typo in execlog plugin
>   - clean-up and document gitlab FOO_RUNNER_AVAILABLE vars
>   - fix plugin build issue on OSX and modules
>   - add multi-core support to cache modelling plugin
>   - clean-ups for plugin arg=FOO handling


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.2
for any user-visible changes.

-- PMM



Re: [PATCH] hw/ssi: imx_spi: Improve chip select handling

2021-09-04 Thread Guenter Roeck

On 9/2/21 12:29 PM, Peter Maydell wrote:

On Thu, 2 Sept 2021 at 17:09, Guenter Roeck  wrote:


On 9/2/21 8:58 AM, Peter Maydell wrote:

On Sun, 8 Aug 2021 at 02:34, Guenter Roeck  wrote:


The control register does not really have a means to deselect
all chip selects directly. As a result, CS is effectively never
deselected, and connected flash chips fail to perform read
operations since they don't get the expected chip select signals
to reset their state machine.

Normally and per controller documentation one would assume that
chip select should be set whenever a transfer starts (XCH is
set or the tx fifo is written into), and that it should be disabled
whenever a transfer is complete. However, that does not work in
practice: attempts to implement this approach resulted in failures,
presumably because a single transaction can be split into multiple
transfers.

At the same time, there is no explicit signal from the host indicating
if chip select should be active or not. In the absence of such a direct
signal, use the burst length written into the control register to
determine if an access is ongoing or not. Disable all chip selects
if the burst length field in the configuration register is set to 0,
and (re-)enable chip select if a transfer is started. This is possible
because the Linux driver clears the burst length field whenever it
prepares the controller for the next transfer.
This solution is less than perfect since it effectively only disables
chip select when initiating the next transfer, but it does work with
Linux and should otherwise do no harm.

Stop complaining if the burst length field is set to a value of 0,
since that is done by Linux for every transfer.

With this patch, a command line parameter such as "-drive
file=flash.sabre,format=raw,if=mtd" can be used to instantiate the
flash chip in the sabrelite emulation. Without this patch, the
flash instantiates, but it only reads zeroes.

Signed-off-by: Guenter Roeck 
---
I am not entirely happy with this solution, but it is the best I was
able to come up with. If anyone has a better idea, I'll be happy
to give it a try.

   hw/ssi/imx_spi.c | 17 +++--
   1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 189423bb3a..7a093156bd 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -167,6 +167,8 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
   DPRINTF("Begin: TX Fifo Size = %d, RX Fifo Size = %d\n",
   fifo32_num_used(>tx_fifo), fifo32_num_used(>rx_fifo));

+qemu_set_irq(s->cs_lines[imx_spi_selected_channel(s)], 0);
+
   while (!fifo32_is_empty(>tx_fifo)) {
   int tx_burst = 0;
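Review bot: the added qemu_set_irq(..., 0) at the top of imx_spi_flush_txfifo() passes a bare 0, and nothing on the line says that level 0 means chip select asserted, which is what the commit message's "(re-)enable chip select if a transfer is started" implies. Add a one-line comment stating the polarity, and note that only the channel returned by imx_spi_selected_channel(s) is driven here, so a line asserted for a previously selected channel depends on the burst-length-0 path to be released.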

@@ -385,13 +387,6 @@ static void imx_spi_write(void *opaque, hwaddr offset, 
uint64_t value,
   case ECSPI_CONREG:
   s->regs[ECSPI_CONREG] = value;

-burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
-if (burst % 8) {
-qemu_log_mask(LOG_UNIMP,
-  "[%s]%s: burst length %d not supported: rounding up to 
next multiple of 8\n",
-  TYPE_IMX_SPI, __func__, burst);
-}
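Review bot: deleting the whole burst check in the ECSPI_CONREG case goes further than the commit message, which only asks to stop complaining when the burst length field is 0. With the field at 0 the removed code computes burst = 0 + 1 = 1, so 1 % 8 is what triggered the message on every Linux transfer; keeping the LOG_UNIMP warning and skipping it only for that case preserves the diagnostic for other unsupported lengths. If the check is removed anyway and the local burst variable has no other user, drop the variable as well.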


Why has this log message been removed ?


What I wanted to do is:

"Stop complaining if the burst length field is set to a value of 0,
   since that is done by Linux for every transfer."

What I did instead is to remove the message entirely.

How about the rest of the patch ? Is it worth a resend with the message
restored (except for burst size == 0), or is it not acceptable anyway ?


I did the easy bit of the code review because answering this
question is probably a multiple-hour job...this is still on my
todo list, but I'm hoping somebody who understands the IMX
SPI device gets to it first.



Makes sense. Of course, it would be even better if someone can explain
how this works on real hardware.

In this context, it would be useful to know if real SPI flash chips
reset their state to idle under some conditions which are not covered
by the current code in hw/block/m25p80.c. Maybe the real problem is
as simple as that code setting data_read_loop when it should not,
or that it doesn't reset that flag when it should (unless I am missing
something, the flag is currently only reset by disabling chip select).

Thanks,
Guenter



[PATCH v7 11/11] qcow2: use reqlist_mark_req_invalid()

2021-09-04 Thread Vladimir Sementsov-Ogievskiy
Instead of small critical sections which want only to remove a
request from the list let's use new atomic interface. And don't forget
to call reqlist_free_invalid_reqs() when we are in a critical section
anyway, to not overflow the RAM with invalid requests.

Signed-off-by: Vladimir Sementsov-Ogievskiy 
---
 block/qcow2.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index aefe6558b6..f2094c1ecc 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2306,9 +2306,7 @@ static coroutine_fn int 
qcow2_co_preadv_task(BlockDriverState *bs,
 }
 
 if (req) {
-WITH_QEMU_LOCK_GUARD(>lock) {
-reqlist_free_req(req);
-}
+reqlist_mark_req_invalid(req);
 }
 
 return ret;
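Review bot: with the WITH_QEMU_LOCK_GUARD block gone from the if (req) branch, the request is no longer released when the task finishes; it stays linked until some later caller reaches reqlist_free_invalid_reqs(). Add a short comment here saying that the entry is reclaimed later under s->lock, and make sure nothing dereferences req after this call, since another coroutine holding the lock may free it at any point.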
@@ -2348,6 +2346,7 @@ static coroutine_fn int 
qcow2_co_preadv_part(BlockDriverState *bs,
 }
 
 qemu_co_mutex_lock(>lock);
+reqlist_free_invalid_reqs(>guest_reqs);
 ret = qcow2_get_host_offset(bs, offset, _bytes,
 _offset, , );
 qemu_co_mutex_unlock(>lock);
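Review bot: reqlist_free_invalid_reqs() right after qemu_co_mutex_lock() runs on every qcow2_co_preadv_part() call and walks the whole guest_reqs list, valid entries included, while s->lock is held. That puts a list traversal into the critical section; consider sweeping only when invalid entries exist (for example a counter bumped in reqlist_mark_req_invalid()) or say in the commit message why the list is expected to stay short.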
@@ -2769,6 +2768,8 @@ static void qcow2_close(BlockDriverState *bs)
 
 qcow2_refcount_close(bs);
 qcow2_free_snapshots(bs);
+
+reqlist_free_invalid_reqs(>guest_reqs);
 }
 
 static void coroutine_fn qcow2_co_invalidate_cache(BlockDriverState *bs,
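Review bot: the reqlist_free_invalid_reqs() call added at the end of qcow2_close() frees only entries already marked invalid, so any request still valid at close time stays on the list unnoticed. Follow the sweep with an assertion that guest_reqs is empty, and say in a comment whether s->lock is needed at this point, since the other two call sites in this patch take it first.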
@@ -4619,6 +4620,7 @@ qcow2_co_pwritev_compressed_task(BlockDriverState *bs,
 }
 
 qemu_co_mutex_lock(>lock);
+reqlist_free_invalid_reqs(>guest_reqs);
 ret = qcow2_alloc_compressed_cluster_offset(bs, offset, out_len,
 _offset, );
 if (ret < 0) {
@@ -4641,9 +4643,7 @@ success:
 ret = 0;
 fail:
 if (req) {
-WITH_QEMU_LOCK_GUARD(>lock) {
-reqlist_free_req(req);
-}
+reqlist_mark_req_invalid(req);
 }
 qemu_vfree(buf);
 g_free(out_buf);
-- 
2.29.2




[PATCH v7 10/11] block/reqlist: implement reqlist_mark_req_invalid()

2021-09-04 Thread Vladimir Sementsov-Ogievskiy
We do lock qcow2 s->lock only to remove a request from the reqlist.
That's quite inefficient. Let's implement an atomic operation to avoid
an extra critical section.

So the new interface is:

1. Instead of reqlist_free_req() the user may call atomic
   reqlist_mark_req_invalid().

2. At some moment under mutex the user calls reqlist_free_invalid_reqs() to
   free RAM.

Signed-off-by: Vladimir Sementsov-Ogievskiy 
---
 include/block/reqlist.h | 13 +
 block/reqlist.c | 23 ++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/include/block/reqlist.h b/include/block/reqlist.h
index 32dc87666f..24d6d93a6e 100644
--- a/include/block/reqlist.h
+++ b/include/block/reqlist.h
@@ -26,6 +26,7 @@
 typedef struct BlockReq {
 int64_t offset;
 int64_t bytes;
+bool valid;
 
 CoQueue wait_queue; /* coroutines blocked on this req */
 QLIST_ENTRY(BlockReq) list;
@@ -84,4 +85,16 @@ static inline void reqlist_free_req(BlockReq *req)
 }
 }
 
+/*
+ * Invalid request will be ignored when searching for conflicts.
+ * The function modifies .valid atomically and intended for use when we
+ * want to avoid using mutex.
+ * If you use this function don't forget to also call
+ * reqlist_free_invalid_reqs() sometimes, so that list doesn't grow endlessly.
+ */
+void reqlist_mark_req_invalid(BlockReq *req);
+
+/* Remove all invalid requests to free RAM space */
+void reqlist_free_invalid_reqs(BlockReqList *reqs);
+
 #endif /* REQLIST_H */
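Review bot: the comment on reqlist_mark_req_invalid() says to call reqlist_free_invalid_reqs() "sometimes", which leaves the contract open. State that reqlist_free_invalid_reqs() must run with the list's lock held, and that the caller must not touch req after marking it invalid because the sweep frees it.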
diff --git a/block/reqlist.c b/block/reqlist.c
index c580752db7..641307d80d 100644
--- a/block/reqlist.c
+++ b/block/reqlist.c
@@ -14,6 +14,8 @@
 
 #include "qemu/osdep.h"
 
+#include "qemu/atomic.h"
+
 #include "block/reqlist.h"
 
 void reqlist_init_req(BlockReqList *reqs, BlockReq *req, int64_t offset,
@@ -22,6 +24,7 @@ void reqlist_init_req(BlockReqList *reqs, BlockReq *req, 
int64_t offset,
 *req = (BlockReq) {
 .offset = offset,
 .bytes = bytes,
+.valid = true,
 };
 qemu_co_queue_init(>wait_queue);
 QLIST_INSERT_HEAD(reqs, req, list);
@@ -33,7 +36,9 @@ BlockReq *reqlist_find_conflict(BlockReqList *reqs, int64_t 
offset,
 BlockReq *r;
 
 QLIST_FOREACH(r, reqs, list) {
-if (offset + bytes > r->offset && offset < r->offset + r->bytes) {
+if (r->valid &&
+offset + bytes > r->offset && offset < r->offset + r->bytes)
+{
 return r;
 }
 }
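Review bot: the new r->valid test in reqlist_find_conflict() is a plain load, while the writer in reqlist_mark_req_invalid() uses qatomic_set() and, per the header comment, runs without the mutex. Read the flag with qatomic_read() here, and in reqlist_free_invalid_reqs() as well, so both sides of the lockless access are marked.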
@@ -72,3 +77,19 @@ void coroutine_fn reqlist_remove_req(BlockReq *req)
 QLIST_REMOVE(req, list);
 qemu_co_queue_restart_all(>wait_queue);
 }
+
+void reqlist_mark_req_invalid(BlockReq *req)
+{
+qatomic_set(>valid, false);
+}
+
+void reqlist_free_invalid_reqs(BlockReqList *reqs)
+{
+BlockReq *r, *next;
+
+QLIST_FOREACH_SAFE(r, reqs, list, next) {
+if (!r->valid) {
+reqlist_free_req(r);
+}
+}
+}
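Review bot: reqlist_mark_req_invalid() only clears .valid, whereas reqlist_remove_req() in the context lines above also calls qemu_co_queue_restart_all() on the request's wait_queue. A coroutine already blocked on a request that is then marked invalid is therefore not woken at that moment; either wake waiters here or document that this function may only be used for requests nothing waits on.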
-- 
2.29.2



