Re: [Qemu-devel] [PATCH 0/7] memory: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> I noticed that the introduction of flatview_{read,write} placed
> address_space_to_flatview outside the RCU lock.  This is wrong and has
> to be fixed, because address_space_to_flatview does an atomic_rcu_read.
> These patches fix this one function at a time.


Out of curiosity - has this caused any actual bug? Should be hard to
reproduce, I suppose...


> 
> Paolo Bonzini (7):
>   openpic_kvm: drop address_space_to_flatview call
>   memory: inline some performance-sensitive accessors
>   address_space_write: address_space_to_flatview needs RCU lock
>   address_space_read: address_space_to_flatview needs RCU lock
>   address_space_access_valid: address_space_to_flatview needs RCU lock
>   address_space_map: address_space_to_flatview needs RCU lock
>   address_space_rw: address_space_to_flatview needs RCU lock
> 
>  exec.c | 90 
> +-
>  hw/intc/openpic_kvm.c  |  4 --
>  include/exec/memory-internal.h | 13 --
>  include/exec/memory.h  | 47 ++
>  memory.c   | 30 --
>  5 files changed, 93 insertions(+), 91 deletions(-)
> 


-- 
Alexey



Re: [Qemu-devel] [PATCH v1 1/1] iotests: bypass s390x for case 200

2018-03-05 Thread Christian Borntraeger
Nack. This will be fixed by 

s390/ipl: only print boot menu error if -boot menu=on was specified

On 03/06/2018 08:54 AM, QingFeng Hao wrote:
> On s390x, test case 200 failed as:
>  === Starting QEMU VM ===
> 
> +QEMU_PROG: boot menu is not supported for this device type.
>  {"return": {}}
> 
>  === Sending stream/cancel, checking for SIGSEGV only ===
> Failures: 200
> Failed 1 of 1 tests
> 
> It was caused by the following command, which isn't currently supported on s390x:
> qemu-system-s390x -device pci-bridge,id=bridge1,chassis_nr=1,bus=pci.0 
> -object iothread,id=iothread0 -device 
> virtio-scsi-pci,bus=bridge1,addr=0x1f,id=scsi0,iothread=iothread0 -drive 
> file=.../scratch/test.img,media=disk,if=none,cache=writeback,id=drive_sysdisk,format=qcow2
>  -device scsi-hd,drive=drive_sysdisk,bus=scsi0.0,id=sysdisk,bootindex=0 
> -nographic
> 
> Signed-off-by: QingFeng Hao 
> ---
>  tests/qemu-iotests/200 | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/tests/qemu-iotests/200 b/tests/qemu-iotests/200
> index ddbdedc476..7e53bd7774 100755
> --- a/tests/qemu-iotests/200
> +++ b/tests/qemu-iotests/200
> @@ -45,6 +45,10 @@ _supported_fmt qcow2 qed
>  _supported_proto file
>  _supported_os Linux
> 
> +if [ "$QEMU_DEFAULT_MACHINE" != "pc" ]; then
> +_notrun "Requires a PC machine"
> +fi
> +
>  BACKING_IMG="${TEST_DIR}/backing.img"
>  TEST_IMG="${TEST_DIR}/test.img"
> 
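Review bot: skipping the whole test on non-pc machines hides the symptom rather than the fault; the failure shown in the commit message is one spurious output line, "boot menu is not supported for this device type", and as Christian points out above the fix belongs in the s390 ipl code (only print the boot menu error when -boot menu=on was given), after which case 200 should run unchanged on s390x without this hunk.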




Re: [Qemu-devel] [PATCH 7/7] address_space_rw: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> address_space_rw is calling address_space_to_flatview but it can
> be called outside the RCU lock.  To fix it, transform flatview_rw
> into address_space_rw, since flatview_rw is otherwise unused.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 



> ---
>  exec.c | 28 ++--
>  1 file changed, 10 insertions(+), 18 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 070eaff3e7..8a99114c69 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -3177,24 +3177,6 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr 
> addr,
>addr1, l, mr);
>  }
>  
> -static MemTxResult flatview_rw(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
> -   uint8_t *buf, int len, bool is_write)
> -{
> -if (is_write) {
> -return flatview_write(fv, addr, attrs, (uint8_t *)buf, len);
> -} else {
> -return flatview_read(fv, addr, attrs, (uint8_t *)buf, len);
> -}
> -}
> -
> -MemTxResult address_space_rw(AddressSpace *as, hwaddr addr,
> - MemTxAttrs attrs, uint8_t *buf,
> - int len, bool is_write)
> -{
> -return flatview_rw(address_space_to_flatview(as),
> -   addr, attrs, buf, len, is_write);
> -}
> -
>  MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
>  MemTxAttrs attrs, uint8_t *buf, int len)
>  {
> @@ -3228,6 +3210,16 @@ MemTxResult address_space_write(AddressSpace *as, 
> hwaddr addr,
>  return result;
>  }
>  
> +MemTxResult address_space_rw(AddressSpace *as, hwaddr addr, MemTxAttrs attrs,
> + uint8_t *buf, int len, bool is_write)
> +{
> +if (is_write) {
> +return address_space_write(as, addr, attrs, buf, len);
> +} else {
> +return address_space_read_full(as, addr, attrs, buf, len);
> +}
> +}
> +
>  void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
>  int len, int is_write)
>  {
> 
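Review bot: the remove-and-re-add of address_space_rw (first hunk deletes it near line 3177, second hunk re-adds it after address_space_write) is not needed for compilation, since address_space_read_full is declared in include/exec/memory.h by 4/7 and address_space_write is already a public entry point; keeping the function where it was and replacing only its body would shrink the diff to the two call sites and preserve blame history. The new body itself is right: each branch calls an entry point that takes and releases the RCU read lock internally, so no FlatView is touched outside it.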


-- 
Alexey



[Qemu-devel] [PATCH v1 1/1] iotests: bypass s390x for case 200

2018-03-05 Thread QingFeng Hao
On s390x, test case 200 failed as:
 === Starting QEMU VM ===

+QEMU_PROG: boot menu is not supported for this device type.
 {"return": {}}

 === Sending stream/cancel, checking for SIGSEGV only ===
Failures: 200
Failed 1 of 1 tests

It was caused by the following command, which isn't currently supported on s390x:
qemu-system-s390x -device pci-bridge,id=bridge1,chassis_nr=1,bus=pci.0 -object 
iothread,id=iothread0 -device 
virtio-scsi-pci,bus=bridge1,addr=0x1f,id=scsi0,iothread=iothread0 -drive 
file=.../scratch/test.img,media=disk,if=none,cache=writeback,id=drive_sysdisk,format=qcow2
 -device scsi-hd,drive=drive_sysdisk,bus=scsi0.0,id=sysdisk,bootindex=0 
-nographic

Signed-off-by: QingFeng Hao 
---
 tests/qemu-iotests/200 | 4 
 1 file changed, 4 insertions(+)

diff --git a/tests/qemu-iotests/200 b/tests/qemu-iotests/200
index ddbdedc476..7e53bd7774 100755
--- a/tests/qemu-iotests/200
+++ b/tests/qemu-iotests/200
@@ -45,6 +45,10 @@ _supported_fmt qcow2 qed
 _supported_proto file
 _supported_os Linux
 
+if [ "$QEMU_DEFAULT_MACHINE" != "pc" ]; then
+_notrun "Requires a PC machine"
+fi
+
 BACKING_IMG="${TEST_DIR}/backing.img"
 TEST_IMG="${TEST_DIR}/test.img"
 
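Review bot: the guard in this hunk is broader than the problem the commit message describes: `if [ "$QEMU_DEFAULT_MACHINE" != "pc" ]` skips every non-pc machine type, while the failure is a single unexpected output line on s390x, and the _notrun message "Requires a PC machine" states the restriction without the reason. If a skip is kept at all, narrow it to the failing machine and name the cause (the boot menu message) in the _notrun text, so the skip can be removed once the ipl code stops printing it.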
-- 
2.13.5




Re: [Qemu-devel] [PATCH 6/7] address_space_map: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> address_space_map is calling address_space_to_flatview but it can
> be called outside the RCU lock.  The function itself is calling
> rcu_read_lock/rcu_read_unlock, just in the wrong place, so the
> fix is easy.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 


> ---
>  exec.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/exec.c b/exec.c
> index 177583c2ee..070eaff3e7 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -3464,7 +3464,7 @@ void *address_space_map(AddressSpace *as,
>  hwaddr l, xlat;
>  MemoryRegion *mr;
>  void *ptr;
> -FlatView *fv = address_space_to_flatview(as);
> +FlatView *fv;
>  
>  if (len == 0) {
>  return NULL;
> @@ -3472,6 +3472,7 @@ void *address_space_map(AddressSpace *as,
>  
>  l = len;
>  rcu_read_lock();
> +fv = address_space_to_flatview(as);
>  mr = flatview_translate(fv, addr, , , is_write);
>  
>  if (!memory_access_is_direct(mr, is_write)) {
> 
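Review bot: moving `fv = address_space_to_flatview(as)` below rcu_read_lock() (second hunk) is the right fix, but it is sufficient only if every use of fv stays inside the rcu_read_lock()/rcu_read_unlock() region; the hunk shows flatview_translate(fv, ...) right after the lock, while the later unlock and whatever is done with the returned mr after it are outside the visible context, so please confirm that nothing derived from fv is dereferenced past the unlock.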


-- 
Alexey



Re: [Qemu-devel] [PATCH 5/7] address_space_access_valid: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> address_space_access_valid is calling address_space_to_flatview but it can
> be called outside the RCU lock.  To fix it, push the rcu_read_lock/unlock
> pair up from flatview_access_valid to address_space_access_valid.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 

> ---
>  exec.c | 12 
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 55b7452bd7..177583c2ee 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -3391,7 +3391,6 @@ static bool flatview_access_valid(FlatView *fv, hwaddr 
> addr, int len,
>  MemoryRegion *mr;
>  hwaddr l, xlat;
>  
> -rcu_read_lock();
>  while (len > 0) {
>  l = len;
>  mr = flatview_translate(fv, addr, , , is_write);
> @@ -3406,15 +3405,20 @@ static bool flatview_access_valid(FlatView *fv, 
> hwaddr addr, int len,
>  len -= l;
>  addr += l;
>  }
> -rcu_read_unlock();
>  return true;
>  }
>  
>  bool address_space_access_valid(AddressSpace *as, hwaddr addr,
>  int len, bool is_write)
>  {
> -return flatview_access_valid(address_space_to_flatview(as),
> - addr, len, is_write);
> +FlatView *fv;
> +bool result;
> +
> +rcu_read_lock();
> +fv = address_space_to_flatview(as);
> +result = flatview_access_valid(fv, addr, len, is_write);
> +rcu_read_unlock();
> +return result;
>  }
>  
>  static hwaddr
> 
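Review bot: flatview_access_valid now relies on its caller holding the RCU read lock but carries no comment saying so, unlike flatview_read and flatview_write, which get `/* Called from RCU critical section.  */` elsewhere in this series; add the same marker above flatview_access_valid in the first hunk so a future direct caller does not reintroduce the unprotected access. The lock/unlock pairing in address_space_access_valid itself is correct, with the unlock on the single return path.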


-- 
Alexey



Re: [Qemu-devel] [PATCH 4/7] address_space_read: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> address_space_read is calling address_space_to_flatview but it can
> be called outside the RCU lock.  To fix it, push the rcu_read_lock/unlock
> pair up from flatview_read_full to address_space_read's constant size
> fast path and address_space_read_full.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 

> ---
>  exec.c| 44 
>  include/exec/memory.h | 25 ++---
>  2 files changed, 38 insertions(+), 31 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 0b74b58d45..55b7452bd7 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2612,6 +2612,8 @@ static const MemoryRegionOps watch_mem_ops = {
>  },
>  };
>  
> +static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
> +  MemTxAttrs attrs, uint8_t *buf, int 
> len);
>  static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs 
> attrs,
>const uint8_t *buf, int len);
>  static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
> @@ -3161,24 +3163,18 @@ MemTxResult flatview_read_continue(FlatView *fv, 
> hwaddr addr,
>  return result;
>  }
>  
> -MemTxResult flatview_read_full(FlatView *fv, hwaddr addr,
> -   MemTxAttrs attrs, uint8_t *buf, int len)
> +/* Called from RCU critical section.  */
> +static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
> + MemTxAttrs attrs, uint8_t *buf, int len)
>  {
>  hwaddr l;
>  hwaddr addr1;
>  MemoryRegion *mr;
> -MemTxResult result = MEMTX_OK;
> -
> -if (len > 0) {
> -rcu_read_lock();
> -l = len;
> -mr = flatview_translate(fv, addr, , , false);
> -result = flatview_read_continue(fv, addr, attrs, buf, len,
> -addr1, l, mr);
> -rcu_read_unlock();
> -}
>  
> -return result;
> +l = len;
> +mr = flatview_translate(fv, addr, , , false);
> +return flatview_read_continue(fv, addr, attrs, buf, len,
> +  addr1, l, mr);
>  }
>  
>  static MemTxResult flatview_rw(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
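Review bot: flatview_read silently drops the `if (len > 0)` guard that flatview_read_full had, so a zero-length call now reaches flatview_translate instead of returning MEMTX_OK; that is fine for the caller added in this patch (address_space_read_full keeps the check), but the new `/* Called from RCU critical section.  */` comment should also state the len > 0 precondition, since the function is now static and the check lives only in its callers.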
> @@ -3199,6 +3195,22 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr 
> addr,
> addr, attrs, buf, len, is_write);
>  }
>  
> +MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
> +MemTxAttrs attrs, uint8_t *buf, int len)
> +{
> +MemTxResult result = MEMTX_OK;
> +FlatView *fv;
> +
> +if (len > 0) {
> +rcu_read_lock();
> +fv = address_space_to_flatview(as);
> +result = flatview_read(fv, addr, attrs, buf, len);
> +rcu_read_unlock();
> +}
> +
> +return result;
> +}
> +
>  MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
>  MemTxAttrs attrs,
>  const uint8_t *buf, int len)
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index 6c8e394675..54ff81fbd1 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -1894,13 +1894,12 @@ void address_space_unmap(AddressSpace *as, void 
> *buffer, hwaddr len,
>  
>  
>  /* Internal functions, part of the implementation of address_space_read.  */
> +MemTxResult address_space_read_full(AddressSpace *as, hwaddr addr,
> +MemTxAttrs attrs, uint8_t *buf, int len);
>  MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
> MemTxAttrs attrs, uint8_t *buf,
> int len, hwaddr addr1, hwaddr l,
> MemoryRegion *mr);
> -
> -MemTxResult flatview_read_full(FlatView *fv, hwaddr addr,
> -   MemTxAttrs attrs, uint8_t *buf, int len);
>  void *qemu_map_ram_ptr(RAMBlock *ram_block, ram_addr_t addr);
>  
>  static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
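Review bot: address_space_read_full is declared under the comment "Internal functions, part of the implementation of address_space_read", yet it is the function other code is meant to call for non-constant lengths (7/7 in this series makes address_space_rw call it directly); either move the prototype out from under that comment or amend the comment so readers do not treat the entry point as private.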
> @@ -1919,25 +1918,28 @@ static inline bool 
> memory_access_is_direct(MemoryRegion *mr, bool is_write)
>   *
>   * Return a MemTxResult indicating whether the operation succeeded
>   * or failed (eg unassigned memory, device rejected the transaction,
> - * IOMMU fault).
> + * IOMMU fault).  Called within RCU critical section.
>   *
> - * @fv: #FlatView to be accessed
> + * @as: #AddressSpace to be accessed
>   * @addr: address within that address space
>   * @attrs: memory transaction attributes
>   * @buf: buffer with the data transferred
>   */
>  static inline __attribute__((__always_inline__))
> -MemTxResult flatview_read(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
> -  uint8_t *buf, int len)
> +MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
> +
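Review bot: the documentation line changed in this hunk, "IOMMU fault).  Called within RCU critical section.", now describes address_space_read, but the commit message says the rcu_read_lock/unlock pair is pushed up into address_space_read's constant size fast path, i.e. the function takes the lock itself rather than expecting to be called under it; the sentence should be dropped or reworded to say which it is, otherwise it invites callers to wrap the call in a redundant outer rcu_read_lock().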

Re: [Qemu-devel] [PATCH v3 00/12] Introduce new iommu notifier framework for virt-SVA

2018-03-05 Thread Liu, Yi L
> From: Peter Xu [mailto:pet...@redhat.com]
> Sent: Tuesday, March 6, 2018 2:56 PM
> Subject: Re: [PATCH v3 00/12] Introduce new iommu notifier framework for 
> virt-SVA
> 
> On Thu, Mar 01, 2018 at 06:33:23PM +0800, Liu, Yi L wrote:
> > This patchset is to introduce a notifier framework for virt-SVA.
> > You may find virt-SVA design details from the link below.
> >
> > https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04925.html
> >
> > SVA is short for Shared Virtual Addressing. This is also called Shared
> > Virtual Memory in previous patchsets. However, SVM is confusing as it
> > can also be short for Secure Virtual Machine. So this patchset uses
> > Shared Virtual Addressing instead of Shared Virtual Memory. And it
> > would be applied in future SVA-related patch series as well.
> >
> > Qemu has an existing notifier framework based on MemoryRegion, which
> > is used for MAP/UNMAP. However, it is not well suited for virt-SVA.
> > Reasons are as below:
> > - virt-SVA works along with PT = 1
> > - if PT = 1, IOMMU MRs are disabled so MR notifiers are not registered
> > - new notifiers do not fit nicely in this framework as they need to be
> >   registered even if PT = 1
> > - need a new framework to attach the new notifiers
> > - Additional background can be found at:
> >   https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04931.html
> >
> > So a new iommu notifier framework is needed. This patchset introduces
> > a notifier framework based on IOMMUSVAContext. IOMMUSVAContext is
> > introduced to be an abstract of virt-SVA operations in Qemu.
> >
> > Patch Overview:
> > * 1 - 2: rename existing naming, the IOMMU MemoryRegion Notifier
> >  framework
> > * 3 - 4: introduce SVA notifier framework based on IOMMUSVAContext
> > * 5 - 7: introduce PCISVAOps and expose the SVA notifier framework
> >  through hw/pci layer
> > * 8 - 12: show the usage of SVA notifier in Intel vIOMMU emulator
> 
> Do you have an online branch that I can check out?

Yes, I should have pasted it. Here it is:
https://github.com/luxis1999/sva_notifier.git

> The patches are a bit scattered and it's really hard for me to
> reference things within it... So a complete tree to read would be
> nice.
> 
> I roughly went over most of the patches, and the framework you
> introduced is still not that clear to me.  For now I feel like it can
> be simplified somehow, but I'll hold and speak after I read the whole
> tree again.
> 
> Also, it'll be good too if you can always provide some status update
> of its kernel counterpart.

Good suggestion. This patchset only affects Qemu. Yeah, but for
the whole virt-SVA enabling, there are kernel counterparts. I would do
it in the virt-SVA patchset series.

Thanks,
Yi Liu


Re: [Qemu-devel] [PATCH 2/7] memory: inline some performance-sensitive accessors

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> These accessors are called from inlined functions, and the call sequence
> is much more expensive than just inlining the access.  Move the
> struct declaration to memory-internal.h so that exec.c and memory.c
> can both use an inline function.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 

> ---
>  include/exec/memory-internal.h | 13 +
>  include/exec/memory.h  | 22 +-
>  memory.c   | 30 --
>  3 files changed, 30 insertions(+), 35 deletions(-)
> 
> diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
> index 4162474fd5..6a5ee42d36 100644
> --- a/include/exec/memory-internal.h
> +++ b/include/exec/memory-internal.h
> @@ -21,7 +21,15 @@
>  #define MEMORY_INTERNAL_H
>  
>  #ifndef CONFIG_USER_ONLY
> -typedef struct AddressSpaceDispatch AddressSpaceDispatch;
> +static inline AddressSpaceDispatch *flatview_to_dispatch(FlatView *fv)
> +{
> +return fv->dispatch;
> +}
> +
> +static inline AddressSpaceDispatch *address_space_to_dispatch(AddressSpace 
> *as)
> +{
> +return flatview_to_dispatch(address_space_to_flatview(as));
> +}
>  
>  extern const MemoryRegionOps unassigned_mem_ops;
>  
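Review bot: the inlined address_space_to_dispatch goes through address_space_to_flatview, which (per the cover letter) performs an atomic_rcu_read, so every caller must hold the RCU read lock; the old out-of-line version hid that requirement and the inline one does not, so a short comment on both accessors stating the locking rule would help the callers in exec.c and memory.c that the commit message names as the users.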
> @@ -31,9 +39,6 @@ bool memory_region_access_valid(MemoryRegion *mr, hwaddr 
> addr,
>  void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
>  AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
>  void address_space_dispatch_compact(AddressSpaceDispatch *d);
> -
> -AddressSpaceDispatch *address_space_to_dispatch(AddressSpace *as);
> -AddressSpaceDispatch *flatview_to_dispatch(FlatView *fv);
>  void address_space_dispatch_free(AddressSpaceDispatch *d);
>  
>  void mtree_print_dispatch(fprintf_function mon, void *f,
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index fff9b1d871..6c8e394675 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -326,7 +326,27 @@ struct AddressSpace {
>  QTAILQ_ENTRY(AddressSpace) address_spaces_link;
>  };
>  
> -FlatView *address_space_to_flatview(AddressSpace *as);
> +typedef struct AddressSpaceDispatch AddressSpaceDispatch;
> +typedef struct FlatRange FlatRange;
> +
> +/* Flattened global view of current active memory hierarchy.  Kept in sorted
> + * order.
> + */
> +struct FlatView {
> +struct rcu_head rcu;
> +unsigned ref;
> +FlatRange *ranges;
> +unsigned nr;
> +unsigned nr_allocated;
> +struct AddressSpaceDispatch *dispatch;
> +MemoryRegion *root;
> +};
> +
> +static inline FlatView *address_space_to_flatview(AddressSpace *as)
> +{
> +return atomic_rcu_read(>current_map);
> +}
> +
>  
>  /**
>   * MemoryRegionSection: describes a fragment of a #MemoryRegion
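Review bot: moving struct FlatView out of memory.c into include/exec/memory.h makes its layout visible to every includer purely so that address_space_to_flatview can be inlined; a comment on the struct saying it is exposed only for that inline accessor and is otherwise private to memory.c/exec.c would discourage direct field access, and the new inline itself should state that it must be called under rcu_read_lock(), since the atomic_rcu_read it performs is the very reason this series exists.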
> diff --git a/memory.c b/memory.c
> index c7f6588452..78d07aa51d 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -210,8 +210,6 @@ static bool 
> memory_region_ioeventfd_equal(MemoryRegionIoeventfd a,
>  && !memory_region_ioeventfd_before(b, a);
>  }
>  
> -typedef struct FlatRange FlatRange;
> -
>  /* Range of memory in the global map.  Addresses are absolute. */
>  struct FlatRange {
>  MemoryRegion *mr;
> @@ -222,19 +220,6 @@ struct FlatRange {
>  bool readonly;
>  };
>  
> -/* Flattened global view of current active memory hierarchy.  Kept in sorted
> - * order.
> - */
> -struct FlatView {
> -struct rcu_head rcu;
> -unsigned ref;
> -FlatRange *ranges;
> -unsigned nr;
> -unsigned nr_allocated;
> -struct AddressSpaceDispatch *dispatch;
> -MemoryRegion *root;
> -};
> -
>  typedef struct AddressSpaceOps AddressSpaceOps;
>  
>  #define FOR_EACH_FLAT_RANGE(var, view)  \
> @@ -322,21 +307,6 @@ static void flatview_unref(FlatView *view)
>  }
>  }
>  
> -FlatView *address_space_to_flatview(AddressSpace *as)
> -{
> -return atomic_rcu_read(>current_map);
> -}
> -
> -AddressSpaceDispatch *flatview_to_dispatch(FlatView *fv)
> -{
> -return fv->dispatch;
> -}
> -
> -AddressSpaceDispatch *address_space_to_dispatch(AddressSpace *as)
> -{
> -return flatview_to_dispatch(address_space_to_flatview(as));
> -}
> -
>  static bool can_merge(FlatRange *r1, FlatRange *r2)
>  {
>  return int128_eq(addrrange_end(r1->addr), r2->addr.start)
> 


-- 
Alexey



[Qemu-devel] [PATCH 7/7] audio/sdl: build as module

2018-03-05 Thread Gerd Hoffmann
Signed-off-by: Gerd Hoffmann 
---
 configure   | 2 +-
 audio/Makefile.objs | 9 ++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 3abee54cfc..b1930cd828 100755
--- a/configure
+++ b/configure
@@ -5983,7 +5983,7 @@ echo "CONFIG_AUDIO_DRIVERS=$audio_drv_list" >> 
$config_host_mak
 for drv in $audio_drv_list; do
 def=CONFIG_AUDIO_$(echo $drv | LC_ALL=C tr '[a-z]' '[A-Z]')
 case "$drv" in
-   alsa | oss | pa)
+   alsa | oss | pa | sdl)
echo "$def=m" >> $config_host_mak ;;
*)
echo "$def=y" >> $config_host_mak ;;
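Review bot: the commit carries no description beyond the Signed-off-by; a sentence stating that CONFIG_AUDIO_SDL becomes =m so sdlaudio.o is built into sdl.mo, and that the name clash with the sdl.mo in ui/ is handled by the unnest-vars change in 3/7, would save the next reader from reconstructing that from the diffstat.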
diff --git a/audio/Makefile.objs b/audio/Makefile.objs
index b98835934d..db4fa7f18f 100644
--- a/audio/Makefile.objs
+++ b/audio/Makefile.objs
@@ -1,5 +1,4 @@
 common-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
-common-obj-$(CONFIG_AUDIO_SDL) += sdlaudio.o
 common-obj-$(CONFIG_SPICE) += spiceaudio.o
 common-obj-$(CONFIG_AUDIO_COREAUDIO) += coreaudio.o
 common-obj-$(CONFIG_AUDIO_DSOUND) += dsoundaudio.o
@@ -7,8 +6,6 @@ common-obj-$(CONFIG_AUDIO_PT_INT) += audio_pt_int.o
 common-obj-$(CONFIG_AUDIO_WIN_INT) += audio_win_int.o
 common-obj-y += wavcapture.o
 
-sdlaudio.o-cflags := $(SDL_CFLAGS)
-sdlaudio.o-libs := $(SDL_LIBS)
 coreaudio.o-libs := $(COREAUDIO_LIBS)
 dsoundaudio.o-libs := $(DSOUND_LIBS)
 
@@ -26,3 +23,9 @@ oss.mo-libs := $(OSS_LIBS)
 common-obj-$(CONFIG_AUDIO_PA) += pa.mo
 pa.mo-objs = paaudio.o
 pa.mo-libs := $(PULSE_LIBS)
+
+# sdl module
+common-obj-$(CONFIG_AUDIO_SDL) += sdl.mo
+sdl.mo-objs = sdlaudio.o
+sdl.mo-cflags := $(SDL_CFLAGS)
+sdl.mo-libs := $(SDL_LIBS)
-- 
2.9.3




Re: [Qemu-devel] [PATCH 3/7] address_space_write: address_space_to_flatview needs RCU lock

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> address_space_write is calling address_space_to_flatview but it can
> be called outside the RCU lock.  To fix it, push the rcu_read_lock/unlock
> pair up from flatview_write to address_space_write.
> 
> Cc: qemu-sta...@nongnu.org

Reviewed-by: Alexey Kardashevskiy 


> Signed-off-by: Paolo Bonzini 
> ---
>  exec.c | 37 ++---
>  1 file changed, 22 insertions(+), 15 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index e8d7b335b6..0b74b58d45 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -3074,6 +3074,7 @@ static MemTxResult flatview_write_continue(FlatView 
> *fv, hwaddr addr,
>  return result;
>  }
>  
> +/* Called from RCU critical section.  */
>  static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs 
> attrs,
>const uint8_t *buf, int len)
>  {
> @@ -3082,25 +3083,14 @@ static MemTxResult flatview_write(FlatView *fv, 
> hwaddr addr, MemTxAttrs attrs,
>  MemoryRegion *mr;
>  MemTxResult result = MEMTX_OK;
>  
> -if (len > 0) {
> -rcu_read_lock();
> -l = len;
> -mr = flatview_translate(fv, addr, , , true);
> -result = flatview_write_continue(fv, addr, attrs, buf, len,
> - addr1, l, mr);
> -rcu_read_unlock();
> -}
> +l = len;
> +mr = flatview_translate(fv, addr, , , true);
> +result = flatview_write_continue(fv, addr, attrs, buf, len,
> + addr1, l, mr);
>  
>  return result;
>  }
>  
> -MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
> -  MemTxAttrs attrs,
> -  const uint8_t *buf, int len)
> -{
> -return flatview_write(address_space_to_flatview(as), addr, attrs, buf, 
> len);
> -}
> -
>  /* Called within RCU critical section.  */
>  MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
> MemTxAttrs attrs, uint8_t *buf,
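Review bot: with the `if (len > 0)` block gone, the `MemTxResult result = MEMTX_OK;` initialiser in flatview_write is dead, because result is now unconditionally assigned from flatview_write_continue; drop the initialiser and return the call directly, as flatview_read does in 4/7, and make the new `/* Called from RCU critical section.  */` comment also state that len must be > 0, since that check now lives only in address_space_write.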
> @@ -3209,6 +3199,23 @@ MemTxResult address_space_rw(AddressSpace *as, hwaddr 
> addr,
> addr, attrs, buf, len, is_write);
>  }
>  
> +MemTxResult address_space_write(AddressSpace *as, hwaddr addr,
> +MemTxAttrs attrs,
> +const uint8_t *buf, int len)
> +{
> +MemTxResult result = MEMTX_OK;
> +FlatView *fv;
> +
> +if (len > 0) {
> +rcu_read_lock();
> +fv = address_space_to_flatview(as);
> +result = flatview_write(fv, addr, attrs, buf, len);
> +rcu_read_unlock();
> +}
> +
> +return result;
> +}
> +
>  void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
>  int len, int is_write)
>  {
> 
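Review bot: the context of the last hunk shows the tail of address_space_rw, which (as 7/7 shows) still calls flatview_rw(address_space_to_flatview(as), ...) after this patch, so the unprotected FlatView read is fixed here only for address_space_write and remains on the rw path until 7/7; since each patch is Cc'd to the stable list individually, the commit message should say that the series has to be backported together, so a partial pick does not leave the rw path unfixed.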


-- 
Alexey



[Qemu-devel] [PATCH 1/7] audio: add driver registry

2018-03-05 Thread Gerd Hoffmann
Add a registry for audio drivers, using the existing audio_driver struct.
Make all drivers register themselves.  The old list of audio_driver struct
pointers is now a list of audio driver names, specifying the priority
(aka probe order) in case no driver is explicitly asked for.

Signed-off-by: Gerd Hoffmann 
---
 audio/audio_int.h | 14 
 audio/alsaaudio.c |  8 ++-
 audio/audio.c | 63 ++-
 audio/coreaudio.c |  8 ++-
 audio/dsoundaudio.c   |  8 ++-
 audio/noaudio.c   |  8 ++-
 audio/ossaudio.c  |  8 ++-
 audio/paaudio.c   |  8 ++-
 audio/sdlaudio.c  |  8 ++-
 audio/spiceaudio.c|  8 ++-
 audio/wavaudio.c  |  8 ++-
 scripts/create_config |  2 +-
 12 files changed, 106 insertions(+), 45 deletions(-)

diff --git a/audio/audio_int.h b/audio/audio_int.h
index 700bd43143..244b454012 100644
--- a/audio/audio_int.h
+++ b/audio/audio_int.h
@@ -141,6 +141,7 @@ struct SWVoiceIn {
 QLIST_ENTRY (SWVoiceIn) entries;
 };
 
+typedef struct audio_driver audio_driver;
 struct audio_driver {
 const char *name;
 const char *descr;
@@ -154,6 +155,7 @@ struct audio_driver {
 int voice_size_out;
 int voice_size_in;
 int ctl_caps;
+QLIST_ENTRY(audio_driver) next;
 };
 
 struct audio_pcm_ops {
@@ -203,17 +205,11 @@ struct AudioState {
 int vm_running;
 };
 
-extern struct audio_driver no_audio_driver;
-extern struct audio_driver oss_audio_driver;
-extern struct audio_driver sdl_audio_driver;
-extern struct audio_driver wav_audio_driver;
-extern struct audio_driver alsa_audio_driver;
-extern struct audio_driver coreaudio_audio_driver;
-extern struct audio_driver dsound_audio_driver;
-extern struct audio_driver pa_audio_driver;
-extern struct audio_driver spice_audio_driver;
 extern const struct mixeng_volume nominal_volume;
 
+void audio_driver_register(audio_driver *drv);
+audio_driver *audio_driver_lookup(const char *name);
+
 void audio_pcm_init_info (struct audio_pcm_info *info, struct audsettings *as);
 void audio_pcm_info_clear_buf (struct audio_pcm_info *info, void *buf, int 
len);
 
diff --git a/audio/alsaaudio.c b/audio/alsaaudio.c
index 92a96f8b2b..362a2276fd 100644
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -1213,7 +1213,7 @@ static struct audio_pcm_ops alsa_pcm_ops = {
 .ctl_in   = alsa_ctl_in,
 };
 
-struct audio_driver alsa_audio_driver = {
+static struct audio_driver alsa_audio_driver = {
 .name   = "alsa",
 .descr  = "ALSA http://www.alsa-project.org;,
 .options= alsa_options,
@@ -1226,3 +1226,9 @@ struct audio_driver alsa_audio_driver = {
 .voice_size_out = sizeof (ALSAVoiceOut),
 .voice_size_in  = sizeof (ALSAVoiceIn)
 };
+
+static void register_audio_alsa(void)
+{
+audio_driver_register(_audio_driver);
+}
+type_init(register_audio_alsa);
diff --git a/audio/audio.c b/audio/audio.c
index 7658d2af66..2384612b87 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -45,15 +45,32 @@
The 1st one is the one used by default, that is the reason
 that we generate the list.
 */
-static struct audio_driver *drvtab[] = {
-#ifdef CONFIG_SPICE
-_audio_driver,
-#endif
+static const char *audio_prio_list[] = {
+"spice",
 CONFIG_AUDIO_DRIVERS
-_audio_driver,
-_audio_driver
+"none",
+"wav",
 };
 
+static QLIST_HEAD(, audio_driver) audio_drivers;
+
+void audio_driver_register(audio_driver *drv)
+{
+QLIST_INSERT_HEAD(_drivers, drv, next);
+}
+
+audio_driver *audio_driver_lookup(const char *name)
+{
+struct audio_driver *d;
+
+QLIST_FOREACH(d, _drivers, next) {
+if (strcmp(name, d->name) == 0) {
+return d;
+}
+}
+return NULL;
+}
+
 struct fixed_settings {
 int enabled;
 int nb_voices;
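Review bot: audio_driver_register does QLIST_INSERT_HEAD with no check for an existing entry of the same name, and audio_driver_lookup returns the first match, so a driver registered twice (more likely once drivers become loadable modules later in this series) would silently shadow the earlier registration; an assert on audio_driver_lookup(drv->name) == NULL before the insert would catch that. Also, the comment above audio_prio_list ("The 1st one is the one used by default ...") still describes the old drvtab; now that "spice" is listed unconditionally rather than under #ifdef CONFIG_SPICE, it should say how a listed name that was never registered is handled.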
@@ -1656,11 +1673,10 @@ static void audio_pp_nb_voices (const char *typ, int nb)
 
 void AUD_help (void)
 {
-size_t i;
+struct audio_driver *d;
 
 audio_process_options ("AUDIO", audio_options);
-for (i = 0; i < ARRAY_SIZE (drvtab); i++) {
-struct audio_driver *d = drvtab[i];
+QLIST_FOREACH(d, _drivers, next) {
 if (d->options) {
 audio_process_options (d->name, d->options);
 }
@@ -1672,8 +1688,7 @@ void AUD_help (void)
 
 printf ("Available drivers:\n");
 
-for (i = 0; i < ARRAY_SIZE (drvtab); i++) {
-struct audio_driver *d = drvtab[i];
+QLIST_FOREACH(d, _drivers, next) {
 
 printf ("Name: %s\n", d->name);
 printf ("Description: %s\n", d->descr);
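Review bot: QLIST_INSERT_HEAD combined with QLIST_FOREACH means "Available drivers:" is now printed in reverse registration order rather than the fixed priority order of the old drvtab; if the order is meant to reflect probe priority, iterate audio_prio_list and look each name up instead, otherwise the help output order will depend on link order and, later in the series, on module load order.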
@@ -1807,6 +1822,7 @@ static void audio_init (void)
 const char *drvname;
 VMChangeStateEntry *e;
 AudioState *s = _audio_state;
+struct audio_driver *driver;
 
 if (s->drv) {
 return;
@@ -1842,32 +1858,27 @@ static void audio_init (void)
 }
 
 if (drvname) {
-int found = 0;
-
-for (i = 0; i < ARRAY_SIZE (drvtab); i++) {
-if 

Re: [Qemu-devel] [PATCH 1/7] openpic_kvm: drop address_space_to_flatview call

2018-03-05 Thread Alexey Kardashevskiy
On 05/03/18 19:36, Paolo Bonzini wrote:
> The MemoryListener is registered on address_space_memory, there is
> not much to assert.  This currently works because the callback
> is invoked only once when the listener is registered, but section->fv
> is the _new_ FlatView, not the old one on later calls and that
> would break.
> 
> This confines address_space_to_flatview to exec.c and memory.c.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Alexey Kardashevskiy 

> ---
>  hw/intc/openpic_kvm.c | 4 
>  1 file changed, 4 deletions(-)
> 
> diff --git a/hw/intc/openpic_kvm.c b/hw/intc/openpic_kvm.c
> index fa83420254..39a6f369c5 100644
> --- a/hw/intc/openpic_kvm.c
> +++ b/hw/intc/openpic_kvm.c
> @@ -124,10 +124,6 @@ static void kvm_openpic_region_add(MemoryListener 
> *listener,
>  uint64_t reg_base;
>  int ret;
>  
> -if (section->fv != address_space_to_flatview(_space_memory)) {
> -abort();
> -}
> -
>  /* Ignore events on regions that are not us */
>  if (section->mr != >mem) {
>  return;
> 
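Review bot: dropping the abort() leaves no record at the call site of why the check was unsafe; a one-line comment stating that section->fv is the new FlatView on later calls (the reasoning given in the commit message) would keep the next reader from reintroducing the assertion, and would also document that this listener is only ever registered on address_space_memory.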


-- 
Alexey



[Qemu-devel] [PATCH 4/7] audio/alsa: build as module

2018-03-05 Thread Gerd Hoffmann
Signed-off-by: Gerd Hoffmann 
---
 configure   | 7 ++-
 audio/Makefile.objs | 7 +--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/configure b/configure
index 27d3f66bd5..46274301bd 100755
--- a/configure
+++ b/configure
@@ -5982,7 +5982,12 @@ fi
 echo "CONFIG_AUDIO_DRIVERS=$audio_drv_list" >> $config_host_mak
 for drv in $audio_drv_list; do
 def=CONFIG_AUDIO_$(echo $drv | LC_ALL=C tr '[a-z]' '[A-Z]')
-echo "$def=y" >> $config_host_mak
+case "$drv" in
+   alsa)
+   echo "$def=m" >> $config_host_mak ;;
+   *)
+   echo "$def=y" >> $config_host_mak ;;
+esac
 done
 echo "ALSA_LIBS=$alsa_libs" >> $config_host_mak
 echo "PULSE_LIBS=$pulse_libs" >> $config_host_mak
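Review bot: the `case "$drv" in alsa)` arm grows into `alsa | oss | pa | sdl)` over the later patches in this series (see 7/7), so each new modular driver has to edit configure; a single variable listing the drivers to build as modules, checked here once, would keep the per-driver patches confined to audio/Makefile.objs. A commit description beyond the Signed-off-by, stating that CONFIG_AUDIO_ALSA=m moves alsaaudio.o into alsa.mo, would also help.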
diff --git a/audio/Makefile.objs b/audio/Makefile.objs
index f6ce5c6744..97f22ec097 100644
--- a/audio/Makefile.objs
+++ b/audio/Makefile.objs
@@ -3,7 +3,6 @@ common-obj-$(CONFIG_AUDIO_SDL) += sdlaudio.o
 common-obj-$(CONFIG_AUDIO_OSS) += ossaudio.o
 common-obj-$(CONFIG_SPICE) += spiceaudio.o
 common-obj-$(CONFIG_AUDIO_COREAUDIO) += coreaudio.o
-common-obj-$(CONFIG_AUDIO_ALSA) += alsaaudio.o
 common-obj-$(CONFIG_AUDIO_DSOUND) += dsoundaudio.o
 common-obj-$(CONFIG_AUDIO_PA) += paaudio.o
 common-obj-$(CONFIG_AUDIO_PT_INT) += audio_pt_int.o
@@ -12,8 +11,12 @@ common-obj-y += wavcapture.o
 
 sdlaudio.o-cflags := $(SDL_CFLAGS)
 sdlaudio.o-libs := $(SDL_LIBS)
-alsaaudio.o-libs := $(ALSA_LIBS)
 paaudio.o-libs := $(PULSE_LIBS)
 coreaudio.o-libs := $(COREAUDIO_LIBS)
 dsoundaudio.o-libs := $(DSOUND_LIBS)
 ossaudio.o-libs := $(OSS_LIBS)
+
+# alsa module
+common-obj-$(CONFIG_AUDIO_ALSA) += alsa.mo
+alsa.mo-objs = alsaaudio.o
+alsa.mo-libs := $(ALSA_LIBS)
-- 
2.9.3




[Qemu-devel] [PATCH 3/7] build: enable audio modules

2018-03-05 Thread Gerd Hoffmann
Add audio/ to common-obj-m variable.

Also run both audio and ui variables through unnest-vars.
This avoids sdl.mo (exists in both audio/ and ui/) name clashes.

Signed-off-by: Gerd Hoffmann 
---
 Makefile  | 4 
 Makefile.objs | 1 +
 2 files changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index 4df1f67fe4..20abbe66ad 100644
--- a/Makefile
+++ b/Makefile
@@ -425,6 +425,10 @@ dummy := $(call unnest-vars,, \
 io-obj-y \
 common-obj-y \
 common-obj-m \
+ui-obj-y \
+ui-obj-m \
+audio-obj-y \
+audio-obj-m \
 trace-obj-y)
 
 include $(SRC_PATH)/tests/Makefile.include
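Review bot: the four new unnest-vars entries (ui-obj-y, ui-obj-m, audio-obj-y, audio-obj-m) are neither defined nor populated anywhere in this patch, and the commit message only says the ui and audio variables are run through unnest-vars to avoid the sdl.mo clash; name the Makefile.objs files that set them so a reader can verify the clash is actually resolved rather than just moved.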
diff --git a/Makefile.objs b/Makefile.objs
index 69413d33b1..ffae665ea9 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -104,6 +104,7 @@ common-obj-$(CONFIG_LINUX) += fsdev/
 common-obj-y += migration/
 
 common-obj-y += audio/
+common-obj-m += audio/
 common-obj-y += hw/
 
 common-obj-y += replay/
-- 
2.9.3




[Qemu-devel] [PATCH 0/7] audio: modularize

2018-03-05 Thread Gerd Hoffmann
Add audio driver (host backend) registry.  Add audio module support.
Enable module builds for alsa, oss, pulse and sdl.

Gerd Hoffmann (7):
  audio: add driver registry
  audio: add module loading support
  build: enable audio modules
  audio/alsa: build as module
  audio/oss: build as module
  audio/pulseaudio: build as module
  audio/sdl: build as module

 configure |  7 -
 Makefile  |  4 +++
 Makefile.objs |  1 +
 audio/audio_int.h | 14 -
 include/qemu/module.h |  1 +
 audio/alsaaudio.c |  8 -
 audio/audio.c | 83 +++
 audio/coreaudio.c |  8 -
 audio/dsoundaudio.c   |  8 -
 audio/noaudio.c   |  8 -
 audio/ossaudio.c  |  8 -
 audio/paaudio.c   |  8 -
 audio/sdlaudio.c  |  8 -
 audio/spiceaudio.c|  8 -
 audio/wavaudio.c  |  8 -
 audio/Makefile.objs   | 30 +--
 scripts/create_config |  2 +-
 17 files changed, 159 insertions(+), 55 deletions(-)

-- 
2.9.3




[Qemu-devel] [PATCH 6/7] audio/pulseaudio: build as module

2018-03-05 Thread Gerd Hoffmann
Signed-off-by: Gerd Hoffmann 
---
 configure   | 2 +-
 audio/Makefile.objs | 7 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/configure b/configure
index 5014c900bd..3abee54cfc 100755
--- a/configure
+++ b/configure
@@ -5983,7 +5983,7 @@ echo "CONFIG_AUDIO_DRIVERS=$audio_drv_list" >> 
$config_host_mak
 for drv in $audio_drv_list; do
 def=CONFIG_AUDIO_$(echo $drv | LC_ALL=C tr '[a-z]' '[A-Z]')
 case "$drv" in
-   alsa | oss)
+   alsa | oss | pa)
echo "$def=m" >> $config_host_mak ;;
*)
echo "$def=y" >> $config_host_mak ;;
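Review bot: the `alsa | oss | pa)` pattern is a hand-maintained list that grows by one token in each of patches 4, 5 and 6, and the commit message is empty; either state in the message that this list is the set of drivers built as modules, or hoist it into a configure variable (a hypothetical `audio_modular_drivers`) so the case statement does not have to change per driver.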
diff --git a/audio/Makefile.objs b/audio/Makefile.objs
index 9ea19c6a87..b98835934d 100644
--- a/audio/Makefile.objs
+++ b/audio/Makefile.objs
@@ -3,14 +3,12 @@ common-obj-$(CONFIG_AUDIO_SDL) += sdlaudio.o
 common-obj-$(CONFIG_SPICE) += spiceaudio.o
 common-obj-$(CONFIG_AUDIO_COREAUDIO) += coreaudio.o
 common-obj-$(CONFIG_AUDIO_DSOUND) += dsoundaudio.o
-common-obj-$(CONFIG_AUDIO_PA) += paaudio.o
 common-obj-$(CONFIG_AUDIO_PT_INT) += audio_pt_int.o
 common-obj-$(CONFIG_AUDIO_WIN_INT) += audio_win_int.o
 common-obj-y += wavcapture.o
 
 sdlaudio.o-cflags := $(SDL_CFLAGS)
 sdlaudio.o-libs := $(SDL_LIBS)
-paaudio.o-libs := $(PULSE_LIBS)
 coreaudio.o-libs := $(COREAUDIO_LIBS)
 dsoundaudio.o-libs := $(DSOUND_LIBS)
 
@@ -23,3 +21,8 @@ alsa.mo-libs := $(ALSA_LIBS)
 common-obj-$(CONFIG_AUDIO_OSS) += oss.mo
 oss.mo-objs = ossaudio.o
 oss.mo-libs := $(OSS_LIBS)
+
+# pulseaudio module
+common-obj-$(CONFIG_AUDIO_PA) += pa.mo
+pa.mo-objs = paaudio.o
+pa.mo-libs := $(PULSE_LIBS)
-- 
2.9.3




[Qemu-devel] [PATCH 5/7] audio/oss: build as module

2018-03-05 Thread Gerd Hoffmann
Signed-off-by: Gerd Hoffmann 
---
 configure   | 2 +-
 audio/Makefile.objs | 7 +--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/configure b/configure
index 46274301bd..5014c900bd 100755
--- a/configure
+++ b/configure
@@ -5983,7 +5983,7 @@ echo "CONFIG_AUDIO_DRIVERS=$audio_drv_list" >> 
$config_host_mak
 for drv in $audio_drv_list; do
 def=CONFIG_AUDIO_$(echo $drv | LC_ALL=C tr '[a-z]' '[A-Z]')
 case "$drv" in
-   alsa)
+   alsa | oss)
echo "$def=m" >> $config_host_mak ;;
*)
echo "$def=y" >> $config_host_mak ;;
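Review bot: the commit message is empty; document that the module file name (`oss.mo`) has to match the driver name that audio_driver_lookup() passes to audio_module_load_one() in patch 2, since `oss` here, in `CONFIG_AUDIO_OSS` and in the `.mo` name must all agree for runtime loading to find the module.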
diff --git a/audio/Makefile.objs b/audio/Makefile.objs
index 97f22ec097..9ea19c6a87 100644
--- a/audio/Makefile.objs
+++ b/audio/Makefile.objs
@@ -1,6 +1,5 @@
 common-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 common-obj-$(CONFIG_AUDIO_SDL) += sdlaudio.o
-common-obj-$(CONFIG_AUDIO_OSS) += ossaudio.o
 common-obj-$(CONFIG_SPICE) += spiceaudio.o
 common-obj-$(CONFIG_AUDIO_COREAUDIO) += coreaudio.o
 common-obj-$(CONFIG_AUDIO_DSOUND) += dsoundaudio.o
@@ -14,9 +13,13 @@ sdlaudio.o-libs := $(SDL_LIBS)
 paaudio.o-libs := $(PULSE_LIBS)
 coreaudio.o-libs := $(COREAUDIO_LIBS)
 dsoundaudio.o-libs := $(DSOUND_LIBS)
-ossaudio.o-libs := $(OSS_LIBS)
 
 # alsa module
 common-obj-$(CONFIG_AUDIO_ALSA) += alsa.mo
 alsa.mo-objs = alsaaudio.o
 alsa.mo-libs := $(ALSA_LIBS)
+
+# oss module
+common-obj-$(CONFIG_AUDIO_OSS) += oss.mo
+oss.mo-objs = ossaudio.o
+oss.mo-libs := $(OSS_LIBS)
-- 
2.9.3




[Qemu-devel] [PATCH 2/7] audio: add module loading support

2018-03-05 Thread Gerd Hoffmann
Make audio_driver_lookup() try to load the module in case it doesn't find
the driver in the registry.  Also load all modules for -audio-help, so
the help output includes the help text for modular audio drivers.

Signed-off-by: Gerd Hoffmann 
---
 include/qemu/module.h |  1 +
 audio/audio.c | 20 
 2 files changed, 21 insertions(+)

diff --git a/include/qemu/module.h b/include/qemu/module.h
index 9fea75aaeb..54300ab6e5 100644
--- a/include/qemu/module.h
+++ b/include/qemu/module.h
@@ -54,6 +54,7 @@ typedef enum {
 
 #define block_module_load_one(lib) module_load_one("block-", lib)
 #define ui_module_load_one(lib) module_load_one("ui-", lib)
+#define audio_module_load_one(lib) module_load_one("audio-", lib)
 
 void register_module_init(void (*fn)(void), module_init_type type);
 void register_dso_module_init(void (*fn)(void), module_init_type type);
diff --git a/audio/audio.c b/audio/audio.c
index 2384612b87..6eccdb17ee 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -68,9 +68,26 @@ audio_driver *audio_driver_lookup(const char *name)
 return d;
 }
 }
+
+audio_module_load_one(name);
+QLIST_FOREACH(d, _drivers, next) {
+if (strcmp(name, d->name) == 0) {
+return d;
+}
+}
+
 return NULL;
 }
 
+static void audio_module_load_all(void)
+{
+int i;
+
+for (i = 0; i < ARRAY_SIZE(audio_prio_list); i++) {
+audio_driver_lookup(audio_prio_list[i]);
+}
+}
+
 struct fixed_settings {
 int enabled;
 int nb_voices;
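Review bot: `name` reaches audio_driver_lookup() from the user's driver selection, and the lookup now falls through to audio_module_load_one(name) for any string that is not in the registry, so the module loader rather than this function is what bounds which files get opened; please confirm that module_load_one() only searches the configured module directory and does not pass a `name` containing a path separator through unchanged, and mention that in the commit message. Also, the second QLIST_FOREACH duplicates the first verbatim; a small static helper (hypothetically `audio_driver_find(name)`) called before and after the load would avoid the copy.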
@@ -1675,6 +1692,9 @@ void AUD_help (void)
 {
 struct audio_driver *d;
 
+/* make sure we print the help text for modular drivers too */
+audio_module_load_all();
+
 audio_process_options ("AUDIO", audio_options);
 QLIST_FOREACH(d, _drivers, next) {
 if (d->options) {
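Review bot: audio_module_load_all() walks audio_prio_list, so a modular driver that is built but not present in that priority list would still be missing from the -audio-help output the comment promises; if audio_prio_list is meant to be the complete set of drivers, say so in the comment, otherwise iterate the configured driver list instead.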
-- 
2.9.3




Re: [Qemu-devel] [PATCH v3 21/29] vhost+postcopy: Add vhost waker

2018-03-05 Thread Peter Xu
On Mon, Mar 05, 2018 at 08:16:44PM +, Dr. David Alan Gilbert wrote:
> * Peter Xu (pet...@redhat.com) wrote:
> > On Fri, Feb 16, 2018 at 01:16:17PM +, Dr. David Alan Gilbert (git) 
> > wrote:
> > > From: "Dr. David Alan Gilbert" 
> > > 
> > > Register a waker function in vhost-user code to be notified when
> > > pages arrive or requests to previously mapped pages get requested.
> > > 
> > > Signed-off-by: Dr. David Alan Gilbert 
> > > ---
> > >  hw/virtio/trace-events |  3 +++
> > >  hw/virtio/vhost-user.c | 30 ++
> > >  2 files changed, 33 insertions(+)
> > > 
> > > diff --git a/hw/virtio/trace-events b/hw/virtio/trace-events
> > > index 3afd12cfea..fe5e0ff856 100644
> > > --- a/hw/virtio/trace-events
> > > +++ b/hw/virtio/trace-events
> > > @@ -13,6 +13,9 @@ vhost_user_postcopy_fault_handler_found(int i, uint64_t 
> > > region_offset, uint64_t
> > >  vhost_user_postcopy_listen(void) ""
> > >  vhost_user_set_mem_table_postcopy(uint64_t client_addr, uint64_t qhva, 
> > > int reply_i, int region_i) "client:0x%"PRIx64" for hva: 0x%"PRIx64" reply 
> > > %d region %d"
> > >  vhost_user_set_mem_table_withfd(int index, const char *name, uint64_t 
> > > memory_size, uint64_t guest_phys_addr, uint64_t userspace_addr, uint64_t 
> > > offset) "%d:%s: size:0x%"PRIx64" GPA:0x%"PRIx64" 
> > > QVA/userspace:0x%"PRIx64" RB offset:0x%"PRIx64
> > > +vhost_user_postcopy_waker(const char *rb, uint64_t rb_offset) "%s + 
> > > 0x%"PRIx64
> > > +vhost_user_postcopy_waker_found(uint64_t client_addr) "0x%"PRIx64
> > > +vhost_user_postcopy_waker_nomatch(const char *rb, uint64_t rb_offset) 
> > > "%s + 0x%"PRIx64
> > >  
> > >  # hw/virtio/virtio.c
> > >  virtqueue_alloc_element(void *elem, size_t sz, unsigned in_num, unsigned 
> > > out_num) "elem %p size %zd in_num %u out_num %u"
> > > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
> > > index 4589bfd92e..74807091a0 100644
> > > --- a/hw/virtio/vhost-user.c
> > > +++ b/hw/virtio/vhost-user.c
> > > @@ -990,6 +990,35 @@ static int vhost_user_postcopy_fault_handler(struct 
> > > PostCopyFD *pcfd,
> > >  return -1;
> > >  }
> > >  
> > > +static int vhost_user_postcopy_waker(struct PostCopyFD *pcfd, RAMBlock 
> > > *rb,
> > > + uint64_t offset)
> > > +{
> > > +struct vhost_dev *dev = pcfd->data;
> > > +struct vhost_user *u = dev->opaque;
> > > +int i;
> > > +
> > > +trace_vhost_user_postcopy_waker(qemu_ram_get_idstr(rb), offset);
> > > +
> > > +if (!u) {
> > > +return 0;
> > > +}
> > > +/* Translate the offset into an address in the clients address space 
> > > */
> > > +for (i = 0; i < MIN(dev->mem->nregions, u->region_rb_len); i++) {
> > > +if (u->region_rb[i] == rb &&
> > > +offset >= u->region_rb_offset[i] &&
> > > +offset < (u->region_rb_offset[i] +
> > > +  dev->mem->regions[i].memory_size)) {
> > > +uint64_t client_addr = (offset - u->region_rb_offset[i]) +
> > > +   u->postcopy_client_bases[i];
> > > +trace_vhost_user_postcopy_waker_found(client_addr);
> > > +return postcopy_wake_shared(pcfd, client_addr, rb);
> > > +}
> > > +}
> > > +
> > > +trace_vhost_user_postcopy_waker_nomatch(qemu_ram_get_idstr(rb), 
> > > offset);
> > > +return 0;
> > 
> > Can we really reach here?
> 
> Yes; note that all the wakers registered get called for all pages
> received
> so that:
>   a) A page not in shared memory, or not actually registered with a
> device, still calls the wakers and it's up to the waker to figure out
> whether it's interested for the device it belongs to.
> 
>   b) With two devices registered, they might each have registered
> different areas of shared memory, and thus it's up to the waker to figure
> out if it's interested in this specific page.

Indeed.

Again, if we note down faulted addresses for each PostcopyFD, IMHO we
can even ignore this check, since if the copied page covers any of the
faulted addresses of the FD we'll definitely need to send the wake,
otherwise we don't need to.  But the current patch is also okay with me now.

Thanks,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v3 11/29] vhost+postcopy: Transmit 'listen' to client

2018-03-05 Thread Peter Xu
On Mon, Mar 05, 2018 at 05:42:42PM +, Dr. David Alan Gilbert wrote:
> * Peter Xu (pet...@redhat.com) wrote:
> > On Fri, Feb 16, 2018 at 01:16:07PM +, Dr. David Alan Gilbert (git) 
> > wrote:
> > 
> > [...]
> > 
> > >  typedef struct VuVirtqElement {
> > > diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> > > index 621543e654..bdec9ec0e8 100644
> > > --- a/docs/interop/vhost-user.txt
> > > +++ b/docs/interop/vhost-user.txt
> > > @@ -682,6 +682,12 @@ Master message types
> > >the slave must open a userfaultfd for later use.
> > >Note that at this stage the migration is still in precopy mode.
> > >  
> > > + * VHOST_USER_POSTCOPY_LISTEN
> > > +  Id: 27
> > > +  Master payload: N/A
> > > +
> > > +  Master advises slave that a transition to postcopy mode has 
> > > happened.
> > 
> > Could we add something to explain why this listen needs to be
> > broadcasted to clients?  Since I failed to find it out quickly
> > myself. :(
> 
> I've changed this to:
> 
>  * VHOST_USER_POSTCOPY_LISTEN
>   Id: 29
>   Master payload: N/A
> 
>   Master advises slave that a transition to postcopy mode has happened.
>   The slave must ensure that shared memory is registered with userfaultfd
>   to cause faulting of non-present pages.

But shouldn't this be assured by the SET_MEM_TABLE call?

Sorry for not being that familiar with the vhost-user protocol... but
what's the correct order of these commands?

  POSTCOPY_ADVISE
  POSTCOPY_LISTEN
  SET_MEM_TABLE

?  Thanks,

> 
>   This is always sent sometime after a VHOST_USER_POSTCOPY_ADVISE, and
>   thus only when VHOST_USER_PROTOCOL_F_PAGEFAULT is supported.
> 
> Dave
> 
> > -- 
> > Peter Xu
> --
> Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK

-- 
Peter Xu



[Qemu-devel] [PATCH v4] scripts/checkpatch.pl: add check for `while` and `for`

2018-03-05 Thread Su Hang
Add a check for `while` and `for` statements whose condition spans more
than one line.

The former checkpatch.pl could check an `if` statement whose condition
spans more than one line for a block missing its braces, like this:
'''
if (cond1 ||
cond2)
statement;
'''
But it didn't do the same check for `for` and `while` statements.

Use `(?:...)` instead of `(...)` for the group in the regex pattern,
because `(?:...)` is faster and avoids unwanted side effects.

Suggested-by: Stefan Hajnoczi 
Suggested-by: Eric Blake 
Suggested-by: Thomas Huth 
Signed-off-by: Su Hang 
---
 scripts/checkpatch.pl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index 1b4b812e28fa..b1a8407d7406 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -2352,8 +2352,9 @@ sub process {
}
}
 
-# check for missing bracing round if etc
-   if ($line =~ /(^.*)\bif\b/ && $line !~ /\#\s*if/) {
+# check for missing bracing around if etc
+   if ($line =~ /(^.*)\b(?:if|while|for)\b/ &&
+   $line !~ /\#\s*(?:if|while|for)/) {
my ($level, $endln, @chunks) =
ctx_statement_full($linenr, $realcnt, 1);
 if ($dbg_adv_apw) {
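Review bot: `$line !~ /\#\s*(?:if|while|for)/` only has a meaningful effect for `if`, since `#while` and `#for` are not preprocessor directives; harmless, but a separate `#\s*if` exclusion would read more honestly. More importantly, `\bwhile\b` now also matches the trailing `while (cond);` of a do-while, which has no block after it; check that ctx_statement_full() does not report a missing brace for a do-while whose condition is split across lines, and add such a case to whatever you ran to test this.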
-- 
2.7.4
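As an added illustration of the check this patch describes (not checkpatch.pl's own code, and in Python rather than Perl): a small scanner that flags `if`/`while`/`for` statements whose parenthesised condition spans several lines but is not followed by `{`, skipping preprocessor lines (the patch only excludes `#if`) and, unlike the patch's regex, ignoring the trailing `while` of a do-while. It assumes comments and string literals were already stripped from the input; the C fragment below is constructed.

```python
import re

# Same keyword set as the patch; \b keeps `ifdef`, `endif` and `for_each` from matching.
KEYWORD_RE = re.compile(r'\b(if|while|for)\b')
# Preprocessor lines are not statements (the patch excludes `#if` the same way).
DIRECTIVE_RE = re.compile(r'^\s*#')


def _condition_end(lines, row, col):
    """lines[row][col] is the '(' opening a condition; return (row, col) of the
    matching ')' or None if the parentheses never balance."""
    depth = 0
    while row < len(lines):
        text = lines[row]
        while col < len(text):
            if text[col] == '(':
                depth += 1
            elif text[col] == ')':
                depth -= 1
                if depth == 0:
                    return row, col
            col += 1
        row += 1
        col = 0
    return None


def find_unbraced_multiline(lines):
    """Return [(1-based line, keyword)] for every if/while/for whose condition
    spans more than one line and whose body does not start with '{'.
    Assumes comments and string literals were stripped beforehand."""
    findings = []
    row = 0
    while row < len(lines):
        line = lines[row]
        match = KEYWORD_RE.search(line)
        if match is None or DIRECTIVE_RE.match(line):
            row += 1
            continue
        keyword = match.group(1)
        paren = line.find('(', match.end())
        if paren < 0:                      # keyword without a condition on this line
            row += 1
            continue
        end = _condition_end(lines, row, paren)
        if end is None:                    # unbalanced input: nothing more to judge
            break
        end_row, end_col = end
        # What follows the closing ')': rest of that line, else the next line.
        rest = lines[end_row][end_col + 1:].strip()
        if not rest and end_row + 1 < len(lines):
            rest = lines[end_row + 1].strip()
        do_while_tail = keyword == 'while' and rest.startswith(';')
        if end_row > row and not do_while_tail and not rest.startswith('{'):
            findings.append((row + 1, keyword))
        row = end_row + 1
    return findings


# Constructed C fragment (comments and strings already stripped).
SAMPLE_C = """\
    if (cond1 ||
        cond2)
        statement;
    if (cond1 ||
        cond2) {
        statement;
    }
    while (a &&
           b)
        do_work();
    for (i = 0; i < n &&
         !done; i++) {
        step();
    }
    do {
        x++;
    } while (x < 10 &&
             y);
#if defined(FOO) || \\
    defined(BAR)
    bar();
#endif
    if (single_line_cond)
        z();
"""


def check_sample():
    """Scan SAMPLE_C: only line 1 (if) and line 8 (while) lack braces."""
    return find_unbraced_multiline(SAMPLE_C.splitlines())


if __name__ == '__main__':
    for lineno, keyword in check_sample():
        print(f'line {lineno}: multi-line `{keyword}` condition without braces')
```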




Re: [Qemu-devel] [PATCH v3 00/12] Introduce new iommu notifier framework for virt-SVA

2018-03-05 Thread Peter Xu
On Thu, Mar 01, 2018 at 06:33:23PM +0800, Liu, Yi L wrote:
> This patchset is to introduce a notifier framework for virt-SVA.
> You may find virt-SVA design details from the link below.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04925.html
> 
> SVA is short for Shared Virtual Addressing. This is also called Shared
> Virtual Memory in previous patchsets. However, SVM is confusing as it
> can also be short for Secure Virtual Machine. So this patchset use
> Shared Virtual Addressing instead of Shared Virtual Memory. And it
> would be applied in future (SVA)related patch series as well.
> 
> Qemu has an existing notifier framework based on MemoryRegion, which
> are used for MAP/UNMAP. However, it is not well suited for virt-SVA.
> Reasons are as below:
> - virt-SVA works along with PT = 1
> - if PT = 1 IOMMU MR are disabled so MR notifier are not registered
> - new notifiers do not fit nicely in this framework as they need to be
>   registered even if PT = 1
> - need a new framework to attach the new notifiers
> - Additional background can be got from:
>   https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04931.html
> 
> So a new iommu notifier framework is needed. This patchset introduces
> a notifier framework based on IOMMUSVAContext. IOMMUSVAContext is
> introduced to be an abstract of virt-SVA operations in Qemu.
> 
> Patch Overview:
> * 1 - 2: rename existing naming, the IOMMU MemoryRegion Notifier
>  framework
> * 3 - 4: introduce SVA notifier framework based on IOMMUSVAContext
> * 5 - 7: introduce PCISVAOps and expose the SVA notfier framework
>  through hw/pci layer
> * 8 - 12: show the usage of SVA notifier in Intel vIOMMU emulator

Do you have an online branch that I can check out?

The patches are a bit scattered and it's really hard for me to
reference things within it... So a complete tree to read would be
nice.

I roughly went over most of the patches, and the framework you
introduced is still not that clear to me.  For now I feel like it can
be simplified somehow, but I'll hold and speak after I read the whole
tree again.

Also, it'll be good too if you can always provide some status update
of its kernel counterpart.

Thanks,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH 3/3] vfio/pci: Add ioeventfd support

2018-03-05 Thread kbuild test robot
Hi Alex,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v4.16-rc4 next-20180306]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Alex-Williamson/vfio-pci-Pull-BAR-mapping-setup-from-read-write-path/20180303-015851
reproduce:
# apt-get install sparse
make ARCH=x86_64 allmodconfig
make C=1 CF=-D__CHECK_ENDIAN__


sparse warnings: (new ones prefixed by >>)

>> drivers/vfio/pci/vfio_pci_rdwr.c:290:1: sparse: incorrect type in argument 2 
>> (different address spaces) @@expected void [noderef] * 
>> @@got sn:2>* @@
   drivers/vfio/pci/vfio_pci_rdwr.c:290:1:expected void [noderef] 
*
   drivers/vfio/pci/vfio_pci_rdwr.c:290:1:got void *opaque
   drivers/vfio/pci/vfio_pci_rdwr.c:291:1: sparse: incorrect type in argument 2 
(different address spaces) @@expected void [noderef] * @@   
 got sn:2>* @@
   drivers/vfio/pci/vfio_pci_rdwr.c:291:1:expected void [noderef] 
*
   drivers/vfio/pci/vfio_pci_rdwr.c:291:1:got void *opaque
   drivers/vfio/pci/vfio_pci_rdwr.c:292:1: sparse: incorrect type in argument 2 
(different address spaces) @@expected void [noderef] * @@   
 got sn:2>* @@
   drivers/vfio/pci/vfio_pci_rdwr.c:292:1:expected void [noderef] 
*
   drivers/vfio/pci/vfio_pci_rdwr.c:292:1:got void *opaque
>> drivers/vfio/pci/vfio_pci_rdwr.c:378:52: sparse: incorrect type in argument 
>> 1 (different address spaces) @@expected void *opaque @@got void 
>> [noderef] *

vim +290 drivers/vfio/pci/vfio_pci_rdwr.c

   286  
   287  #ifdef iowrite64
   288  VFIO_PCI_IOEVENTFD_HANDLER(64)
   289  #endif
 > 290  VFIO_PCI_IOEVENTFD_HANDLER(32)
   291  VFIO_PCI_IOEVENTFD_HANDLER(16)
   292  VFIO_PCI_IOEVENTFD_HANDLER(8)
   293  
   294  long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset,
   295  uint64_t data, int count, int fd)
   296  {
   297  struct pci_dev *pdev = vdev->pdev;
   298  loff_t pos = offset & VFIO_PCI_OFFSET_MASK;
   299  int ret, bar = VFIO_PCI_OFFSET_TO_INDEX(offset);
   300  struct vfio_pci_ioeventfd *ioeventfd;
   301  int (*handler)(void *addr, void *value);
   302  
   303  /* Only support ioeventfds into BARs */
   304  if (bar > VFIO_PCI_BAR5_REGION_INDEX)
   305  return -EINVAL;
   306  
   307  if (pos + count > pci_resource_len(pdev, bar))
   308  return -EINVAL;
   309  
   310  /* Disallow ioeventfds working around MSI-X table writes */
   311  if (bar == vdev->msix_bar &&
   312  !(pos + count <= vdev->msix_offset ||
   313  pos >= vdev->msix_offset + vdev->msix_size))
   314  return -EINVAL;
   315  
   316  switch (count) {
   317  case 1:
   318  handler = &vfio_pci_ioeventfd_handler8;
   319  break;
   320  case 2:
   321  handler = &vfio_pci_ioeventfd_handler16;
   322  break;
   323  case 4:
   324  handler = &vfio_pci_ioeventfd_handler32;
   325  break;
   326  #ifdef iowrite64
   327  case 8:
   328  handler = &vfio_pci_ioeventfd_handler64;
   329  break;
   330  #endif
   331  default:
   332  return -EINVAL;
   333  }
   334  
   335  ret = vfio_pci_setup_barmap(vdev, bar);
   336  if (ret)
   337  return ret;
   338  
   339  mutex_lock(&vdev->ioeventfds_lock);
   340  
   341  list_for_each_entry(ioeventfd, &vdev->ioeventfds_list, next) {
   342  if (ioeventfd->pos == pos && ioeventfd->bar == bar &&
   343  ioeventfd->data == data && ioeventfd->count == count) {
   344  if (fd == -1) {
   345  vfio_virqfd_disable(&ioeventfd->virqfd);
   346  list_del(&ioeventfd->next);
   347  vdev->ioeventfds_nr--;
   348  kfree(ioeventfd);
   349  ret = 0;
   350  } else
   351  ret = -EEXIST;
   352  
   353  goto out_unlock;
   354  }
   355  }
   356  
   357  if (fd < 0) {
   358  ret = -ENODEV;
   359  goto out_unlock;
   360  }
   361  
   362  if (vdev->ioeventfds_nr >= VFIO_PCI_IOEVENTFD_MAX) {
   363  ret = -ENOSPC;
   364  goto out_unlock;
   365  }
   366  
   367  ioeventfd = kzalloc(sizeof(*ioeventfd), GFP_KERNEL);
   368  if (!ioeventfd) {
   369  ret = -ENOMEM;
   370  goto out_unlock;
   371

Re: [Qemu-devel] [PATCH v3 07/12] vfio/pci: register sva notifier

2018-03-05 Thread Peter Xu
On Thu, Mar 01, 2018 at 06:33:30PM +0800, Liu, Yi L wrote:
> This patch shows how sva notifier is registered. And provided
> an example by registering notify func for tlb flush propagation.
> 
> Signed-off-by: Liu, Yi L 
> ---
>  hw/vfio/pci.c | 55 +--
>  1 file changed, 53 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index a60a4d7..b7297cc 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -2775,6 +2775,26 @@ static void vfio_unregister_req_notifier(VFIOPCIDevice 
> *vdev)
>  vdev->req_enabled = false;
>  }
>  
> +static VFIOContainer *vfio_get_container_from_busdev(PCIBus *bus,
> + int32_t devfn)
> +{
> +VFIOGroup *group;
> +VFIOPCIDevice *vdev_iter;
> +VFIODevice *vbasedev_iter;
> +PCIDevice *pdev_iter;
> +
> +QLIST_FOREACH(group, _group_list, next) {
> +QLIST_FOREACH(vbasedev_iter, >device_list, next) {
> +vdev_iter = container_of(vbasedev_iter, VFIOPCIDevice, vbasedev);
> +pdev_iter = _iter->pdev;
> +if (pci_get_bus(pdev_iter) == bus && pdev_iter->devfn == devfn) {
> +return group->container;
> +}
> +}
> +}
> +return NULL;
> +}
> +
>  static void vfio_pci_device_sva_bind_pasid_table(PCIBus *bus,
>   int32_t devfn, uint64_t pasidt_addr, uint32_t size)
>  {
> @@ -2783,11 +2803,42 @@ static void 
> vfio_pci_device_sva_bind_pasid_table(PCIBus *bus,
>  So far, Intel VT-d and AMD IOMMU requires it. */
>  }
>  
> +static void vfio_iommu_sva_tlb_invalidate_notify(IOMMUSVANotifier *n,
> + IOMMUSVAEventData 
> *event_data)
> +{
> +/*  Sample code, would be detailed in coming virt-SVA patchset.
> +VFIOGuestIOMMUSVAContext *gsva_ctx;
> +IOMMUSVAContext *sva_ctx;
> +VFIOContainer *container;
> +
> +gsva_ctx = container_of(n, VFIOGuestIOMMUSVAContext, n);
> +container = gsva_ctx->container;
> +
> +TODO: forward to host through VFIO IOCTL

IMHO if the series is not ready for merging, we can still mark it as
RFC and declare that so people won't need to go into details of the
patches.

> +*/
> +}
> +
>  static void vfio_pci_device_sva_register_notifier(PCIBus *bus,
>int32_t devfn, IOMMUSVAContext *sva_ctx)
>  {
> -/* Register notifier for TLB invalidation propagation
> -   */
> +VFIOContainer *container = vfio_get_container_from_busdev(bus, devfn);
> +
> +if (container != NULL) {
> +VFIOGuestIOMMUSVAContext *gsva_ctx;
> +gsva_ctx = g_malloc0(sizeof(*gsva_ctx));
> +gsva_ctx->sva_ctx = sva_ctx;
> +gsva_ctx->container = container;
> +QLIST_INSERT_HEAD(>gsva_ctx_list,
> +  gsva_ctx,
> +  gsva_ctx_next);
> +   /* Register vfio_iommu_sva_tlb_invalidate_notify with event flag
> +   IOMMU_SVA_EVENT_TLB_INV */
> +iommu_sva_notifier_register(sva_ctx,
> +_ctx->n,
> +vfio_iommu_sva_tlb_invalidate_notify,
> +IOMMU_SVA_EVENT_TLB_INV);

I would squash this patch into the previous one since basically this is
only part of the implementation to provide a vfio-specific register
hook.

But a more important question is... why this?

IMHO the notifier registration can be general for PCI.  Why does vfio need
to provide its own register callback?  Would it be enough if it only
provided its own notify callback?

Thanks,

> +return;
> +}
>  }
>  
>  static void vfio_pci_device_sva_unregister_notifier(PCIBus *bus,
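Review bot: the register path g_malloc0()s a VFIOGuestIOMMUSVAContext and links it into the container's gsva_ctx_list, but nothing visible in this hunk unlinks or frees it; make sure vfio_pci_device_sva_unregister_notifier() (the context line just above) does both, and guard against a second registration for the same bus/devfn adding a duplicate entry. The `return;` at the end of the `if (container != NULL)` block is redundant and can go.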
> -- 
> 1.9.1
> 

-- 
Peter Xu



[Qemu-devel] [PATCH risu 3/3] risu_reginfo_ppc64.c: Fix register name prefix

2018-03-05 Thread Sandipan Das
Use 'f' instead of 'r' as the prefix when dumping the values
of floating-point registers.

Signed-off-by: Sandipan Das 
---
 risu_reginfo_ppc64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/risu_reginfo_ppc64.c b/risu_reginfo_ppc64.c
index eb9c12b..5f33648 100644
--- a/risu_reginfo_ppc64.c
+++ b/risu_reginfo_ppc64.c
@@ -122,7 +122,7 @@ int reginfo_dump(struct reginfo *ri, FILE * f)
 fprintf(f, "\tdscr   : %16lx\n\n", ri->gregs[44]);
 
 for (i = 0; i < 16; i++) {
-fprintf(f, "\tf%2d: %.4f\tr%2d: %.4f\n", i, ri->fpregs[i],
+fprintf(f, "\tf%2d: %.4f\tf%2d: %.4f\n", i, ri->fpregs[i],
 i + 16, ri->fpregs[i + 16]);
 }
 fprintf(f, "\tfpscr: %f\n\n", ri->fpregs[32]);
@@ -167,7 +167,7 @@ int reginfo_dump_mismatch(struct reginfo *m, struct reginfo 
*a, FILE *f)
 }
 
 if (m->fpregs[i] != a->fpregs[i]) {
-fprintf(f, "Mismatch: Register r%d\n", i);
+fprintf(f, "Mismatch: Register f%d\n", i);
 fprintf(f, "m: [%f] != a: [%f]\n", m->fpregs[i], a->fpregs[i]);
 }
 }
-- 
2.14.3




[Qemu-devel] [PATCH risu 2/3] ppc64.risu: Fix pattern for load qword

2018-03-05 Thread Sandipan Das
The pattern for the Load Quadword (lq) instruction is fixed.

If rtp is 0 or 12, the instruction will overwrite r0, r1 or
r12, r13 respectively. However, r1 is the stack frame pointer
and r13 is the thread pointer. So, overwriting them can cause
a crash. This is avoided by putting a constraint to prevent
rtp from being 0 or 12.

For a given effective address (ea), this instruction loads
two dwords from ea and ea+8. However, if ea is the start
address of the current stack frame, then the value of the
back chain dword from the previous stack frame, which is at
ea+8, is loaded on to one of the registers. This can cause
a mismatch as the addresses may vary across the master and
the apprentice instances. This is avoided by always adding
8 to the offset used for calculating the ea.

Signed-off-by: Sandipan Das 
---
 ppc64.risu | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ppc64.risu b/ppc64.risu
index 13b95ac..2018103 100644
--- a/ppc64.risu
+++ b/ppc64.risu
@@ -1050,8 +1050,8 @@ LHZX PPC64LE 01 rt:5 ra:5 rb:5 01000101110 \
 
 # format:DQ book:I page:59 v2.03 lq Load Qword
 LQ PPC64LE 111000 rtp:5 ra:5 imm:12  \
-!constraints { $rtp % 2 == 0 && $ra != 1 && $ra != 13 && $ra != 0 && $ra != 
$rtp && $imm <= 2032; } \
-!memory { reg_plus_imm($ra, $imm << 4); }
+!constraints { $rtp % 2 == 0 && $rtp != 0 && $rtp != 12 && $ra != 1 && $ra != 
13 && $ra != 0 && $ra != $rtp && $imm <= 2032; } \
+!memory { reg_plus_imm($ra, ($imm << 4) + 8); }
 
 # format:X book:I page:65 v:P1 lswi Load String Word Immediate
 LSWI PPC64LE 01 rt:5 ra:5 rb:5 10010101010 \
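Review bot: `($imm << 4) + 8` fixes the back-chain mismatch described in the message, but it also drops the 16-byte alignment that the DQ-form displacement (`$imm << 4`) guaranteed, leaving the EA only 8-byte aligned; please state in the commit message that lq with a non-quadword-aligned EA behaves identically on the hardware and the QEMU targets you compared, since an alignment-dependent difference would otherwise surface as a mismatch.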
-- 
2.14.3




[Qemu-devel] [PATCH risu 1/3] ppc64.risu: Add missing byte and dword loads

2018-03-05 Thread Sandipan Das
The patterns for the following instructions are added:
 * Load Byte and Zero (lbz)
 * Load Byte and Zero with Update (lbzu)
 * Load Byte and Zero Indexed (lbzx)
 * Load Byte and Zero with Update Indexed (lbzux)
 * Load Doubleword (ld)

Signed-off-by: Sandipan Das 
---
 ppc64.risu | 25 +
 1 file changed, 25 insertions(+)

diff --git a/ppc64.risu b/ppc64.risu
index e2fd4f6..13b95ac 100644
--- a/ppc64.risu
+++ b/ppc64.risu
@@ -887,6 +887,31 @@ FTSQRT PPC64LE 11 bf:3 000 frb:5 0010100
 ISEL PPC64LE 01 rt:5 ra:5 rb:5 bc:5 00 \
 !constraints { $rt != 1 && $ra != 1 && $rb != 1 && $rt != 13 && $ra != 13 && 
$rb != 13; }
 
+# format:D book:I page:48 v:P1 lbz Load Byte & Zero
+LBZ PPC64LE 100010 rt:5 ra:5 imm:16 \
+!constraints { $rt != 1 && $ra != 1 && $rt != 13 && $ra != 13 && $ra != 0 && 
$ra != $rt && $imm <= 32752; } \
+!memory { reg_plus_imm($ra, $imm); }
+
+# format:D book:I page:48 v:P1 lbzu Load Byte & Zero with Update
+LBZU PPC64LE 100011 rt:5 ra:5 imm:16 \
+!constraints { $rt != 1 && $ra != 1 && $rt != 13 && $ra != 13 && $ra != 0 && 
$ra != $rt && $imm <= 32752; } \
+!memory { reg_plus_imm($ra, $imm); }
+
+# format:X book:I page:49 v:P1 lbzux Load Byte & Zero with Update Indexed
+LBZUX PPC64LE 01 rt:5 ra:5 rb:5 00011101110 \
+!constraints { $rt != 1 && $ra != 1 && $rb != 1 && $rt != 13 && $ra != 13 && 
$rb != 13 && $ra != 0 && $ra != $rt && $ra != $rb && $rt != $rb; } \
+!memory { reg_plus_reg($ra, $rb); }
+
+# format:X book:I page:49 v:P1 lbzx Load Byte & Zero Indexed
+LBZX PPC64LE 01 rt:5 ra:5 rb:5 00010101110 \
+!constraints { $rt != 1 && $ra != 1 && $rb != 1 && $rt != 13 && $ra != 13 && 
$rb != 13 && $ra != 0 && $ra != $rt && $ra != $rb && $rt != $rb; } \
+!memory { reg_plus_reg($ra, $rb); }
+
+# format:DS book:I page:53 PPC ld Load Dword
+LD PPC64LE 111010 rt:5 ra:5 imm:14 00 \
+!constraints { $rt != 1 && $ra != 1 && $rt != 13 && $ra != 13 && $ra != 0 && 
$ra != $rt && $imm <= 8176; } \
+!memory { reg_plus_imm($ra, $imm << 2); }
+
 # format:X book:I page:62 v2.06 ldbrx Load Dword Byte-Reverse Indexed
 LDBRX PPC64LE 01 rt:5 ra:5 rb:5 1101000 \
 !constraints { $rt != 1 && $ra != 1 && $rb != 1 && $rt != 13 && $ra != 13 && 
$rb != 13 && $ra != 0 && $ra != $rt && $ra != $rb && $rt != $rb; } \
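Review bot: LBZ and LBZU carry identical constraint lists, which hides that `$ra != 0 && $ra != $rt` is an architectural requirement for the update form (that encoding is an invalid instruction form) but only a generator choice for plain lbz; a short comment per pattern saying which constraints are architectural and which merely keep the stack and thread pointers (r1, r13) out of play would make later edits safer.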
-- 
2.14.3




Re: [Qemu-devel] [BUG] I/O thread segfault for QEMU on s390x

2018-03-05 Thread Martin Schwidefsky
On Mon, 5 Mar 2018 20:08:45 +0100
Christian Borntraeger  wrote:

> Do you happen to run with a recent host kernel that has 
> 
> commit 7041d28115e91f2144f811ffe8a195c696b1e1d0
> s390: scrub registers on kernel entry and KVM exit
> 
> Can you run with this on top
> diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
> index 13a133a6015c..d6dc0e5e8f74 100644
> --- a/arch/s390/kernel/entry.S
> +++ b/arch/s390/kernel/entry.S
> @@ -426,13 +426,13 @@ ENTRY(system_call)
> UPDATE_VTIME %r8,%r9,__LC_SYNC_ENTER_TIMER
> BPENTER __TI_flags(%r12),_TIF_ISOLATE_BP
> stmg%r0,%r7,__PT_R0(%r11)
> -   # clear user controlled register to prevent speculative use
> -   xgr %r0,%r0
> mvc __PT_R8(64,%r11),__LC_SAVE_AREA_SYNC
> mvc __PT_PSW(16,%r11),__LC_SVC_OLD_PSW
> mvc __PT_INT_CODE(4,%r11),__LC_SVC_ILC
> stg %r14,__PT_FLAGS(%r11)
>  .Lsysc_do_svc:
> +   # clear user controlled register to prevent speculative use
> +   xgr %r0,%r0
> # load address of system call table
> lg  %r10,__THREAD_sysc_table(%r13,%r12)
> llgh%r8,__PT_INT_CODE+2(%r11)
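Review bot: moving `xgr %r0,%r0` (with its comment) below `.Lsysc_do_svc` keeps %r0 intact for the critical-section cleanup that re-executes the `stmg %r0,%r7,__PT_R0(%r11)` above; since the original placement looked equally correct, add that reasoning as a comment at the new location, and check whether the other entry paths in entry.S clear registers before their cleanup-restart label in the same way.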
> 
> 
> To me it looks like that the critical section cleanup (interrupt during 
> system call entry) might
> save the registers again into ptregs but we have already zeroed out r0.
> This patch moves the clearing of r0 after sysc_do_svc, which should fix the 
> critical
> section cleanup.
> 
> Adding Martin and Heiko. Will spin a patch.

Argh, yes. Thanks Christian, this is it. I have been searching for the bug
for days now. The point is that if the system call handler is interrupted
after the xgr but before .Lsysc_do_svc the code at .Lcleanup_system_call 
repeats the stmg for %r0-%r7 but now %r0 is already zero.

Please commit a patch for this and I'll queue it up immediately.

-- 
blue skies,
   Martin.

"Reality continues to ruin my life." - Calvin.




[Qemu-devel] [PATCH v2] pc-bios/s390-ccw: Move string arrays from bootmap header to .c file

2018-03-05 Thread Thomas Huth
bootmap.h can currently only be included once - otherwise the linker
complains about multiple definitions of the "magic" strings. It's a
bad style to define string arrays in header files, so let's better
move these to the bootmap.c file instead where they are used.

Signed-off-by: Thomas Huth 
---
 v2:
 - Removed duplicated vol_desc_magic (copy-n-paste error)

 pc-bios/s390-ccw/bootmap.c | 20 
 pc-bios/s390-ccw/bootmap.h | 19 ---
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 29bfd8c..fc2a9fe 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -37,6 +37,26 @@ typedef struct ResetInfo {
 
 static ResetInfo save;
 
+const uint8_t el_torito_magic[] = "EL TORITO SPECIFICATION"
+  "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+/*
+ * Match two CCWs located after PSW and eight filler bytes.
+ * From libmagic and arch/s390/kernel/head.S.
+ */
+const uint8_t linux_s390_magic[] = "\x02\x00\x00\x18\x60\x00\x00\x50\x02\x00"
+   "\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40"
+   "\x40\x40\x40\x40";
+
+static inline bool is_iso_vd_valid(IsoVolDesc *vd)
+{
+const uint8_t vol_desc_magic[] = "CD001";
+
+return !memcmp(>ident[0], vol_desc_magic, 5) &&
+   vd->version == 0x1 &&
+   vd->type <= VOL_DESC_TYPE_PARTITION;
+}
+
 static void jump_to_IPL_2(void)
 {
 ResetInfo *current = 0;
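Review bot: `el_torito_magic` and `linux_s390_magic` land in bootmap.c as non-static globals while their header definitions are dropped, so no other translation unit can see them any more; if they are only referenced from bootmap.c, make them `static const uint8_t ...[]` (the way `vol_desc_magic` now is inside `is_iso_vd_valid()`), otherwise add matching `extern` declarations to bootmap.h so includers do not have to re-declare them.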
diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
index c636626..07eb600 100644
--- a/pc-bios/s390-ccw/bootmap.h
+++ b/pc-bios/s390-ccw/bootmap.h
@@ -375,9 +375,6 @@ static inline void read_iso_boot_image(uint32_t 
block_offset, void *load_addr,
"Failed to read boot image!");
 }
 
-const uint8_t el_torito_magic[] = "EL TORITO SPECIFICATION"
-  "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
-
 #define ISO9660_MAX_DIR_DEPTH 8
 
 typedef struct IsoDirHdr {
@@ -430,20 +427,12 @@ typedef struct IsoVolDesc {
 } vd;
 } __attribute__((packed)) IsoVolDesc;
 
-const uint8_t vol_desc_magic[] = "CD001";
 #define VOL_DESC_TYPE_BOOT 0
 #define VOL_DESC_TYPE_PRIMARY 1
 #define VOL_DESC_TYPE_SUPPLEMENT 2
 #define VOL_DESC_TYPE_PARTITION 3
 #define VOL_DESC_TERMINATOR 255
 
-static inline bool is_iso_vd_valid(IsoVolDesc *vd)
-{
-return !memcmp(>ident[0], vol_desc_magic, 5) &&
-   vd->version == 0x1 &&
-   vd->type <= VOL_DESC_TYPE_PARTITION;
-}
-
 typedef struct IsoBcValid {
 uint8_t platform_id;
 uint16_t reserved;
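Review bot: removing `is_iso_vd_valid()` from the header together with `vol_desc_magic` silently drops it from the API of bootmap.h; if any file other than bootmap.c calls it, the build breaks, so the commit message should state that it is bootmap.c-only, or the header should keep a prototype for it.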
@@ -468,14 +457,6 @@ typedef struct IsoBcHdr {
 uint8_t id[28];
 } __attribute__((packed)) IsoBcHdr;
 
-/*
- * Match two CCWs located after PSW and eight filler bytes.
- * From libmagic and arch/s390/kernel/head.S.
- */
-const uint8_t linux_s390_magic[] = "\x02\x00\x00\x18\x60\x00\x00\x50\x02\x00"
-   "\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40"
-   "\x40\x40\x40\x40";
-
 typedef struct IsoBcEntry {
 uint8_t id;
 union {
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH] pc-bios/s390-ccw: Move string arrays from bootmap header to .c file

2018-03-05 Thread Thomas Huth
On 05.03.2018 20:32, no-re...@patchew.org wrote:
> Hi,
> 
> This series failed build test on s390x host. Please find the details below.
[...]
> /var/tmp/patchew-tester-tmp-tbi65_5t/src/pc-bios/s390-ccw/bootmap.c:51:22: 
> error: ‘vol_desc_magic’ defined but not used [-Werror=unused-const-variable=]
>  static const uint8_t vol_desc_magic[] = "CD001";
>   ^~

Oops, copy-n-paste error, please ignore this version of the patch! (I
wonder why my compiler did not complain here...)

 Thomas




[Qemu-devel] [PATCH v2 7/9] chardev: tcp: postpone async connection setup

2018-03-05 Thread Peter Xu
This patch allows the socket chardev async connection to be set up with a
non-default gcontext.  We do it by postponing the setup to machine done,
since only then do we know which context we should run the async
operation on.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 1ce5adad9a..165612845a 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -1004,9 +1004,8 @@ static void qmp_chardev_open_socket(Chardev *chr,
 s->reconnect_time = reconnect;
 }
 
-if (s->reconnect_time) {
-tcp_chr_connect_async(chr);
-} else {
+/* If reconnect_time is set, will do that in chr_machine_done. */
+if (!s->reconnect_time) {
 if (s->is_listen) {
 char *name;
 s->listener = qio_net_listener_new();
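Review bot: a socket chardev created after machine init (for example via QMP `chardev-add` with `reconnect` set) never starts connecting with this change, because `chr_machine_done` only runs from the machine-done notifier and the `tcp_chr_connect_async()` call that used to sit here is gone. Gate the deferral on `machine_init_done` (exported in patch 1/9; this file would also need `#include "sysemu/sysemu.h"`, which patch 9/9 adds), e.g. `if (s->reconnect_time && machine_init_done) { tcp_chr_connect_async(chr); }` here, and leave the hook for the pre-init case.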
@@ -1138,6 +1137,17 @@ char_socket_get_connected(Object *obj, Error **errp)
 return s->connected;
 }
 
+static int tcp_chr_machine_done_hook(Chardev *chr)
+{
+SocketChardev *s = SOCKET_CHARDEV(chr);
+
+if (s->reconnect_time) {
+tcp_chr_connect_async(chr);
+}
+
+return 0;
+}
+
 static void char_socket_class_init(ObjectClass *oc, void *data)
 {
 ChardevClass *cc = CHARDEV_CLASS(oc);
@@ -1153,6 +1163,7 @@ static void char_socket_class_init(ObjectClass *oc, void 
*data)
 cc->chr_add_client = tcp_chr_add_client;
 cc->chr_add_watch = tcp_chr_add_watch;
 cc->chr_update_read_handler = tcp_chr_update_read_handler;
+cc->chr_machine_done = tcp_chr_machine_done_hook;
 
 object_class_property_add(oc, "addr", "SocketAddress",
   char_socket_get_addr, NULL,
-- 
2.14.3




[Qemu-devel] [PATCH v2 9/9] chardev: tcp: postpone TLS work until machine done

2018-03-05 Thread Peter Xu
TLS handshake may create background GSource tasks, while we won't know
the correct GMainContext until the whole chardev (including frontend) is
inited.  Let's postpone the initial TLS handshake until machine done.

For dynamically created tcp chardevs, we don't postpone that, by checking
the machine_init_done variable.

Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index bd40864f87..997c70dd7d 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -31,6 +31,7 @@
 #include "qemu/option.h"
 #include "qapi/error.h"
 #include "qapi/clone-visitor.h"
+#include "sysemu/sysemu.h"
 
 #include "chardev/char-io.h"
 
@@ -722,6 +723,11 @@ static void tcp_chr_tls_init(Chardev *chr)
 Error *err = NULL;
 gchar *name;
 
+if (!machine_init_done) {
+/* This will be postponed to machine_done notifier */
+return;
+}
+
 if (s->is_listen) {
 tioc = qio_channel_tls_new_server(
 s->ioc, s->tls_creds,
@@ -1145,6 +1151,10 @@ static int tcp_chr_machine_done_hook(Chardev *chr)
 tcp_chr_connect_async(chr);
 }
 
+if (s->tls_creds) {
+tcp_chr_tls_init(chr);
+}
+
 return 0;
 }
 
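Review bot: the hook calls `tcp_chr_tls_init()` whenever `s->tls_creds` is set, regardless of whether a peer is attached: for a listening chardev with no client yet, or a reconnecting client whose `tcp_chr_connect_async()` (called just above) has not completed, `s->ioc` is still NULL and `qio_channel_tls_new_server()`/`qio_channel_tls_new_client()` would be handed a NULL channel. Gate the call on the connection actually existing (`s->ioc` set and the handshake not already started), and make the `/* This will be postponed to machine_done notifier */` comment in the first hunk name this hook as the place the deferred call comes from.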
-- 
2.14.3




[Qemu-devel] [PATCH v2 6/9] chardev: use chardev's gcontext for async connect

2018-03-05 Thread Peter Xu
Generalize the function to create the async QIO task connection.  Also,
fix the context pointer to use the chardev's gcontext.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 25 ++---
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index c22b3f330c..1ce5adad9a 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -901,11 +901,22 @@ cleanup:
 object_unref(OBJECT(sioc));
 }
 
+static void tcp_chr_connect_async(Chardev *chr)
+{
+SocketChardev *s = SOCKET_CHARDEV(chr);
+QIOChannelSocket *sioc;
+
+sioc = qio_channel_socket_new();
+tcp_chr_set_client_ioc_name(chr, sioc);
+qio_channel_socket_connect_async(sioc, s->addr,
+ qemu_chr_socket_connected,
+ chr, NULL, chr->gcontext);
+}
+
 static gboolean socket_reconnect_timeout(gpointer opaque)
 {
 Chardev *chr = CHARDEV(opaque);
 SocketChardev *s = SOCKET_CHARDEV(opaque);
-QIOChannelSocket *sioc;
 
 g_source_unref(s->reconnect_timer);
 s->reconnect_timer = NULL;
@@ -914,11 +925,7 @@ static gboolean socket_reconnect_timeout(gpointer opaque)
 return false;
 }
 
-sioc = qio_channel_socket_new();
-tcp_chr_set_client_ioc_name(chr, sioc);
-qio_channel_socket_connect_async(sioc, s->addr,
- qemu_chr_socket_connected,
- chr, NULL, NULL);
+tcp_chr_connect_async(chr);
 
 return false;
 }
@@ -998,11 +1005,7 @@ static void qmp_chardev_open_socket(Chardev *chr,
 }
 
 if (s->reconnect_time) {
-sioc = qio_channel_socket_new();
-tcp_chr_set_client_ioc_name(chr, sioc);
-qio_channel_socket_connect_async(sioc, s->addr,
- qemu_chr_socket_connected,
- chr, NULL, NULL);
+tcp_chr_connect_async(chr);
 } else {
 if (s->is_listen) {
 char *name;
-- 
2.14.3




[Qemu-devel] [PATCH v2 5/9] chardev: introduce chr_machine_done hook

2018-03-05 Thread Peter Xu
Introduce ChardevClass.chr_machine_done() hook so that chardevs can run
customized procedures after machine init.

There was an existing mux user already that did a similar thing but used a
raw machine done notifier.  Generalize it into a framework, and let the
mux chardevs provide such a class-specific hook to achieve the same
thing.  Then we can move the mux related code to the char-mux.c file.

While at it, replace the mux_realized variable with the global
machine_init_done variable.

This notifier framework will be further leveraged by other types of
chardevs soon.

Signed-off-by: Peter Xu 
---
 chardev/char-mux.c | 33 +
 chardev/char.c | 43 +--
 include/chardev/char-mux.h |  2 --
 include/chardev/char.h |  2 ++
 tests/test-char.c  |  1 -
 5 files changed, 48 insertions(+), 33 deletions(-)

diff --git a/chardev/char-mux.c b/chardev/char-mux.c
index d48e78103a..1b925c8dec 100644
--- a/chardev/char-mux.c
+++ b/chardev/char-mux.c
@@ -27,6 +27,7 @@
 #include "qemu/option.h"
 #include "chardev/char.h"
 #include "sysemu/block-backend.h"
+#include "sysemu/sysemu.h"
 #include "chardev/char-mux.h"
 
 /* MUX driver for serial I/O splitting */
@@ -230,14 +231,12 @@ static void mux_chr_read(void *opaque, const uint8_t 
*buf, int size)
 }
 }
 
-bool muxes_realized;
-
 void mux_chr_send_all_event(Chardev *chr, int event)
 {
 MuxChardev *d = MUX_CHARDEV(chr);
 int i;
 
-if (!muxes_realized) {
+if (!machine_init_done) {
 return;
 }
 
@@ -327,7 +326,7 @@ static void qemu_chr_open_mux(Chardev *chr,
 /* only default to opened state if we've realized the initial
  * set of muxes
  */
-*be_opened = muxes_realized;
+*be_opened = machine_init_done;
 qemu_chr_fe_init(>chr, drv, errp);
 }
 
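Review bot: replacing `muxes_realized` with `machine_init_done` changes the default seen by code linked against stubs: the stub in patch 1/9 defines `machine_init_done = true`, so in tests and tools `mux_chr_send_all_event()` no longer returns early and `*be_opened` now defaults to true, whereas `muxes_realized` started out false. The commit message should call this out, and `tests/test-char.c` (listed in the diffstat) needs checking for assumptions about the old default.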
@@ -347,6 +346,31 @@ static void qemu_chr_parse_mux(QemuOpts *opts, 
ChardevBackend *backend,
 mux->chardev = g_strdup(chardev);
 }
 
+/**
+ * Called after processing of default and command-line-specified
+ * chardevs to deliver CHR_EVENT_OPENED events to any FEs attached
+ * to a mux chardev. This is done here to ensure that
+ * output/prompts/banners are only displayed for the FE that has
+ * focus when initial command-line processing/machine init is
+ * completed.
+ *
+ * After this point, any new FE attached to any new or existing
+ * mux will receive CHR_EVENT_OPENED notifications for the BE
+ * immediately.
+ */
+static int open_muxes(Chardev *chr)
+{
+/* send OPENED to all already-attached FEs */
+mux_chr_send_all_event(chr, CHR_EVENT_OPENED);
+/*
+ * mark mux as OPENED so any new FEs will immediately receive
+ * OPENED event
+ */
+qemu_chr_be_event(chr, CHR_EVENT_OPENED);
+
+return 0;
+}
+
 static void char_mux_class_init(ObjectClass *oc, void *data)
 {
 ChardevClass *cc = CHARDEV_CLASS(oc);
@@ -357,6 +381,7 @@ static void char_mux_class_init(ObjectClass *oc, void *data)
 cc->chr_accept_input = mux_chr_accept_input;
 cc->chr_add_watch = mux_chr_add_watch;
 cc->chr_be_event = mux_chr_be_event;
+cc->chr_machine_done = open_muxes;
 }
 
 static const TypeInfo char_mux_type_info = {
diff --git a/chardev/char.c b/chardev/char.c
index 01d979a1da..fda820863c 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -281,40 +281,31 @@ static const TypeInfo char_type_info = {
 .class_init = char_class_init,
 };
 
-/**
- * Called after processing of default and command-line-specified
- * chardevs to deliver CHR_EVENT_OPENED events to any FEs attached
- * to a mux chardev. This is done here to ensure that
- * output/prompts/banners are only displayed for the FE that has
- * focus when initial command-line processing/machine init is
- * completed.
- *
- * After this point, any new FE attached to any new or existing
- * mux will receive CHR_EVENT_OPENED notifications for the BE
- * immediately.
- */
-static int open_muxes(Object *child, void *opaque)
+static int chardev_machine_done_notify_one(Object *child, void *opaque)
 {
-if (CHARDEV_IS_MUX(child)) {
-/* send OPENED to all already-attached FEs */
-mux_chr_send_all_event(CHARDEV(child), CHR_EVENT_OPENED);
-/* mark mux as OPENED so any new FEs will immediately receive
- * OPENED event
- */
-qemu_chr_be_event(CHARDEV(child), CHR_EVENT_OPENED);
+Chardev *chr = (Chardev *)child;
+ChardevClass *class = CHARDEV_GET_CLASS(chr);
+
+if (class->chr_machine_done) {
+return class->chr_machine_done(chr);
 }
 
 return 0;
 }
 
-static void muxes_realize_done(Notifier *notifier, void *unused)
+static void chardev_machine_done_hook(Notifier *notifier, void *unused)
 {
-muxes_realized = true;
-object_child_foreach(get_chardevs_root(), open_muxes, NULL);
+int ret = object_child_foreach(get_chardevs_root(),
+   chardev_machine_done_notify_one, NULL);
+
+if 
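Review bot: `object_child_foreach()` stops at the first callback that returns non-zero, so when one chardev's `chr_machine_done` hook fails, the chardevs after it in the traversal are never notified; the hunk is cut off here before the handling of `ret`, but either continue past failures (report and return 0 from `chardev_machine_done_notify_one()`) or document that a failing hook aborts machine-done processing for all remaining chardevs.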

[Qemu-devel] [PATCH v2 1/9] vl: export machine_init_done

2018-03-05 Thread Peter Xu
We have that variable but it is not exported.  Export it so modules can have
a way to check whether machine init has finished.

Meanwhile, set it up even before calling the notifiers, so that
notifiers which may depend on this field will get a correct answer.

Suggested-by: Paolo Bonzini 
Reviewed-by: Marc-André Lureau 
Signed-off-by: Peter Xu 
---
 include/sysemu/sysemu.h   | 2 ++
 stubs/machine-init-done.c | 2 ++
 vl.c  | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 77bb3da582..3f0f35610b 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -86,6 +86,8 @@ void qemu_system_guest_panicked(GuestPanicInformation *info);
 void qemu_add_exit_notifier(Notifier *notify);
 void qemu_remove_exit_notifier(Notifier *notify);
 
+extern bool machine_init_done;
+
 void qemu_add_machine_init_done_notifier(Notifier *notify);
 void qemu_remove_machine_init_done_notifier(Notifier *notify);
 
diff --git a/stubs/machine-init-done.c b/stubs/machine-init-done.c
index 9a0d62514f..4121f1709b 100644
--- a/stubs/machine-init-done.c
+++ b/stubs/machine-init-done.c
@@ -2,6 +2,8 @@
 #include "qemu-common.h"
 #include "sysemu/sysemu.h"
 
+bool machine_init_done = true;
+
 void qemu_add_machine_init_done_notifier(Notifier *notify)
 {
 }
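Review bot: the stub defines `machine_init_done = true` without explanation, while the real variable in vl.c starts out false; add a comment in the stub (and on the new `extern` in sysemu.h) stating that tools and tests built without a machine are treated as being past machine init, since later patches in this series (`chardev/char-mux.c`, `chardev/char-socket.c`) gate behaviour on this value.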
diff --git a/vl.c b/vl.c
index a33ac008fb..5e8d47 100644
--- a/vl.c
+++ b/vl.c
@@ -2712,7 +2712,7 @@ static void qemu_run_exit_notifiers(void)
 notifier_list_notify(_notifiers, NULL);
 }
 
-static bool machine_init_done;
+bool machine_init_done;
 
 void qemu_add_machine_init_done_notifier(Notifier *notify)
 {
@@ -2729,8 +2729,8 @@ void qemu_remove_machine_init_done_notifier(Notifier 
*notify)
 
 static void qemu_run_machine_init_done_notifiers(void)
 {
-notifier_list_notify(_init_done_notifiers, NULL);
 machine_init_done = true;
+notifier_list_notify(_init_done_notifiers, NULL);
 }
 
 static const QEMUOption *lookup_opt(int argc, char **argv,
-- 
2.14.3




[Qemu-devel] [PATCH v2 8/9] chardev: tcp: let TLS run on chardev context

2018-03-05 Thread Peter Xu
Now qio_channel_tls_handshake() is ready to receive the context.  Let
socket chardev use it, then the TLS handshake of chardev will always be
with the chardev's context.

Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 165612845a..bd40864f87 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -750,7 +750,7 @@ static void tcp_chr_tls_init(Chardev *chr)
   tcp_chr_tls_handshake,
   chr,
   NULL,
-  NULL);
+  chr->gcontext);
 }
 
 
-- 
2.14.3




[Qemu-devel] [PATCH v2 4/9] chardev: allow telnet gsource to switch gcontext

2018-03-05 Thread Peter Xu
It was originally created by qio_channel_add_watch() so it's always
assigning the task to the main context.  Now we use the new API called
qio_channel_add_watch_source() so that we get the GSource handle rather
than the tag ID.

Meanwhile, cache the gsource and TCPChardevTelnetInit (which holds the
handshake data) in SocketChardev.telnet_source so that we can also do a
dynamic context switch when updating read handlers.

Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 67 +++
 1 file changed, 51 insertions(+), 16 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 5aa01e15ff..c22b3f330c 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -39,6 +39,11 @@
 
 #define TCP_MAX_FDS 16
 
+typedef struct {
+char buf[21];
+size_t buflen;
+} TCPChardevTelnetInit;
+
 typedef struct {
 Chardev parent;
 QIOChannel *ioc; /* Client I/O channel */
@@ -59,6 +64,8 @@ typedef struct {
 bool is_listen;
 bool is_telnet;
 bool is_tn3270;
+GSource *telnet_source;
+TCPChardevTelnetInit *telnet_init;
 
 GSource *reconnect_timer;
 int64_t reconnect_time;
@@ -69,6 +76,7 @@ typedef struct {
 OBJECT_CHECK(SocketChardev, (obj), TYPE_CHARDEV_SOCKET)
 
 static gboolean socket_reconnect_timeout(gpointer opaque);
+static void tcp_chr_telnet_init(Chardev *chr);
 
 static void tcp_chr_reconn_timer_cancel(SocketChardev *s)
 {
@@ -555,6 +563,15 @@ static void tcp_chr_connect(void *opaque)
 qemu_chr_be_event(chr, CHR_EVENT_OPENED);
 }
 
+static void tcp_chr_telnet_destroy(SocketChardev *s)
+{
+if (s->telnet_source) {
+g_source_destroy(s->telnet_source);
+g_source_unref(s->telnet_source);
+s->telnet_source = NULL;
+}
+}
+
 static void tcp_chr_update_read_handler(Chardev *chr)
 {
 SocketChardev *s = SOCKET_CHARDEV(chr);
@@ -569,6 +586,10 @@ static void tcp_chr_update_read_handler(Chardev *chr)
   chr, NULL, chr->gcontext);
 }
 
+if (s->telnet_source) {
+tcp_chr_telnet_init(CHARDEV(s));
+}
+
 if (!s->connected) {
 return;
 }
@@ -582,32 +603,30 @@ static void tcp_chr_update_read_handler(Chardev *chr)
 }
 }
 
-typedef struct {
-Chardev *chr;
-char buf[21];
-size_t buflen;
-} TCPChardevTelnetInit;
-
 static gboolean tcp_chr_telnet_init_io(QIOChannel *ioc,
GIOCondition cond G_GNUC_UNUSED,
gpointer user_data)
 {
-TCPChardevTelnetInit *init = user_data;
+SocketChardev *s = user_data;
+Chardev *chr = CHARDEV(s);
+TCPChardevTelnetInit *init = s->telnet_init;
 ssize_t ret;
 
+assert(init);
+
 ret = qio_channel_write(ioc, init->buf, init->buflen, NULL);
 if (ret < 0) {
 if (ret == QIO_CHANNEL_ERR_BLOCK) {
 ret = 0;
 } else {
-tcp_chr_disconnect(init->chr);
+tcp_chr_disconnect(chr);
 goto end;
 }
 }
 init->buflen -= ret;
 
 if (init->buflen == 0) {
-tcp_chr_connect(init->chr);
+tcp_chr_connect(chr);
 goto end;
 }
 
@@ -616,16 +635,30 @@ static gboolean tcp_chr_telnet_init_io(QIOChannel *ioc,
 return G_SOURCE_CONTINUE;
 
 end:
-g_free(init);
+g_free(s->telnet_init);
+s->telnet_init = NULL;
+g_source_unref(s->telnet_source);
+s->telnet_source = NULL;
 return G_SOURCE_REMOVE;
 }
 
 static void tcp_chr_telnet_init(Chardev *chr)
 {
 SocketChardev *s = SOCKET_CHARDEV(chr);
-TCPChardevTelnetInit *init = g_new0(TCPChardevTelnetInit, 1);
+TCPChardevTelnetInit *init;
 size_t n = 0;
 
+/* Destroy existing task */
+tcp_chr_telnet_destroy(s);
+
+if (s->telnet_init) {
+/* We are possibly during a handshake already */
+goto cont;
+}
+
+s->telnet_init = g_new0(TCPChardevTelnetInit, 1);
+init = s->telnet_init;
+
 #define IACSET(x, a, b, c)  \
 do {\
 x[n++] = a; \
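Review bot: the `/* Destroy existing task */` comment undersells what happens here: `tcp_chr_telnet_destroy()` drops only the GSource and deliberately keeps `s->telnet_init`, so that the `goto cont` re-attaches the watch on the new `chr->gcontext` with the partially sent negotiation buffer intact instead of restarting the handshake. Say so in the comment, since a reader could otherwise take the `if (s->telnet_init)` check for a leak of a stale buffer.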
@@ -633,7 +666,6 @@ static void tcp_chr_telnet_init(Chardev *chr)
 x[n++] = c; \
 } while (0)
 
-init->chr = chr;
 if (!s->is_tn3270) {
 init->buflen = 12;
 /* Prep the telnet negotion to put telnet in binary,
@@ -656,10 +688,11 @@ static void tcp_chr_telnet_init(Chardev *chr)
 
 #undef IACSET
 
-qio_channel_add_watch(
-s->ioc, G_IO_OUT,
-tcp_chr_telnet_init_io,
-init, NULL);
+cont:
+s->telnet_source = qio_channel_add_watch_source(s->ioc, G_IO_OUT,
+tcp_chr_telnet_init_io,
+s, NULL,
+chr->gcontext);
 }
 
 
@@ -834,6 +867,8 @@ static void char_socket_finalize(Object *obj)
 
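Review bot: the `char_socket_finalize()` hunk is cut off in this copy, so it is not visible whether finalize calls `tcp_chr_telnet_destroy(s)` and frees `s->telnet_init`; both are needed, otherwise a chardev deleted mid-negotiation leaks the buffer and leaves a watch whose `user_data` points at a freed `SocketChardev`.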

[Qemu-devel] [PATCH v2 0/9] chardev: qio related non-default context support

2018-03-05 Thread Peter Xu
Based-on: <20180305064324.9238-1-pet...@redhat.com>

This series is based on the QIO part:
  [PATCH v3 0/6] qio: general non-default GMainContext support

v2:
- fix the reported problem by patchew in patch 5
- added some r-bs from Marc-Andre

Please review, thanks.

Peter Xu (9):
  vl: export machine_init_done
  chardev: fix leak in tcp_chr_telnet_init_io()
  chardev: update net listener gcontext
  chardev: allow telnet gsource to switch gcontext
  chardev: introduce chr_machine_done hook
  chardev: use chardev's gcontext for async connect
  chardev: tcp: postpone async connection setup
  chardev: tcp: let TLS run on chardev context
  chardev: tcp: postpone TLS work until machine done

 chardev/char-mux.c |  33 --
 chardev/char-socket.c  | 153 ++---
 chardev/char.c |  43 +
 include/chardev/char-mux.h |   2 -
 include/chardev/char.h |   2 +
 include/sysemu/sysemu.h|   2 +
 stubs/machine-init-done.c  |   2 +
 tests/test-char.c  |   1 -
 vl.c   |   4 +-
 9 files changed, 169 insertions(+), 73 deletions(-)

-- 
2.14.3




[Qemu-devel] [PATCH v2 2/9] chardev: fix leak in tcp_chr_telnet_init_io()

2018-03-05 Thread Peter Xu
Need to free TCPChardevTelnetInit when the session is established.

While at it, switch to using the G_SOURCE_* macros.

Reviewed-by: Daniel P. Berrange 
Reviewed-by: Paolo Bonzini 
Reviewed-by: Marc-André Lureau 
Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 113feaf948..205ee377a4 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -591,19 +591,23 @@ static gboolean tcp_chr_telnet_init_io(QIOChannel *ioc,
 ret = 0;
 } else {
 tcp_chr_disconnect(init->chr);
-return FALSE;
+goto end;
 }
 }
 init->buflen -= ret;
 
 if (init->buflen == 0) {
 tcp_chr_connect(init->chr);
-return FALSE;
+goto end;
 }
 
 memmove(init->buf, init->buf + ret, init->buflen);
 
-return TRUE;
+return G_SOURCE_CONTINUE;
+
+end:
+g_free(init);
+return G_SOURCE_REMOVE;
 }
 
 static void tcp_chr_telnet_init(Chardev *chr)
-- 
2.14.3




[Qemu-devel] [PATCH v2 3/9] chardev: update net listener gcontext

2018-03-05 Thread Peter Xu
TCP chardevs can be using QIO network listeners working in the
background when in listening mode.  However the network listeners are
always running in main context.  This can race with chardevs that are
running in non-main contexts.

To solve this, we need to re-setup the net listeners in
tcp_chr_update_read_handler() with the newly cached gcontext.

Reviewed-by: Marc-André Lureau 
Signed-off-by: Peter Xu 
---
 chardev/char-socket.c | 26 --
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 205ee377a4..5aa01e15ff 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -422,8 +422,8 @@ static void tcp_chr_disconnect(Chardev *chr)
 tcp_chr_free_connection(chr);
 
 if (s->listener) {
-qio_net_listener_set_client_func(s->listener, tcp_chr_accept,
- chr, NULL);
+qio_net_listener_set_client_func_full(s->listener, tcp_chr_accept,
+  chr, NULL, chr->gcontext);
 }
 update_disconnected_filename(s);
 if (emit_close) {
@@ -559,6 +559,16 @@ static void tcp_chr_update_read_handler(Chardev *chr)
 {
 SocketChardev *s = SOCKET_CHARDEV(chr);
 
+if (s->listener) {
+/*
+ * It's possible that chardev context is changed in
+ * qemu_chr_be_update_read_handlers().  Reset it for QIO net
+ * listener if there is.
+ */
+qio_net_listener_set_client_func_full(s->listener, tcp_chr_accept,
+  chr, NULL, chr->gcontext);
+}
+
 if (!s->connected) {
 return;
 }
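Review bot: the listener is re-armed with `tcp_chr_accept` before the `if (!s->connected)` check, so calling `tcp_chr_update_read_handler()` while a client is already attached re-enables accepting even though `tcp_chr_new_client()` (next hunk) deliberately clears the client func on connect. Restrict the reset to the not-yet-connected case, e.g. `if (s->listener && !s->connected)`, and fix the comment grammar ("Reset it for the QIO net listener if there is one").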
@@ -743,7 +753,8 @@ static int tcp_chr_new_client(Chardev *chr, 
QIOChannelSocket *sioc)
 qio_channel_set_delay(s->ioc, false);
 }
 if (s->listener) {
-qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+qio_net_listener_set_client_func_full(s->listener, NULL, NULL,
+  NULL, chr->gcontext);
 }
 
 if (s->tls_creds) {
@@ -824,7 +835,8 @@ static void char_socket_finalize(Object *obj)
 tcp_chr_reconn_timer_cancel(s);
 qapi_free_SocketAddress(s->addr);
 if (s->listener) {
-qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+qio_net_listener_set_client_func_full(s->listener, NULL, NULL,
+  NULL, chr->gcontext);
 object_unref(OBJECT(s->listener));
 }
 if (s->tls_creds) {
@@ -980,8 +992,10 @@ static void qmp_chardev_open_socket(Chardev *chr,
 return;
 }
 if (!s->ioc) {
-qio_net_listener_set_client_func(s->listener, tcp_chr_accept,
- chr, NULL);
+qio_net_listener_set_client_func_full(s->listener,
+  tcp_chr_accept,
+  chr, NULL,
+  chr->gcontext);
 }
 } else if (qemu_chr_wait_connected(chr, errp) < 0) {
 goto error;
-- 
2.14.3




Re: [Qemu-devel] [PATCH 5/9] chardev: introduce chr_machine_done hook

2018-03-05 Thread Peter Xu
On Mon, Mar 05, 2018 at 11:54:22AM +0100, Marc-André Lureau wrote:
> Hi
> 
> On Mon, Mar 5, 2018 at 7:50 AM, Peter Xu  wrote:
> > Introduce ChardevClass.chr_machine_done() hook so that chardevs can run
> > customized procedures after machine init.
> >
> > There was an existing mux user already that did similar thing but used a
> > raw machine done notifier.  Generalize it into a framework, and let the
> > mux chardevs provide such a class-specific hook to achieve the same
> > thing.  Then we can move the mux related code to the char-mux.c file.
> >
> > Since at it, replace the mux_realized variable with the global
> > machine_init_done varible.
> >
> > This notifier framework will be further leverged by other type of
> > chardevs soon.
> >
> > Reviewed-by: Paolo Bonzini 
> > Signed-off-by: Peter Xu 
> 
> patchew caught that:
> tests/test-char.o: In function `char_mux_test':
> /tmp/qemu-test/src/tests/test-char.c:169: undefined reference to
> `muxes_realized'

Yeh, I replied to patchew mail with a fix to be squashed.

I was planning to repost some days later, but let me repost now in
case that it may ease the reviewers a bit.  Thanks,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH 1/9] vl: export machine_init_done

2018-03-05 Thread Peter Xu
On Mon, Mar 05, 2018 at 12:48:27PM +0100, Marc-André Lureau wrote:
> Hi
> 
> On Mon, Mar 5, 2018 at 7:50 AM, Peter Xu  wrote:
> > We have that variable but not exported.  Export that so modules can have
> > a way to poke on whether machine init has finished.
> 
> Which modules?

E.g., the mux code in patch 5.

> 
> > Meanwhile, set that up even before calling the notifiers, so that
> > notifiers who may depend on this field will get a correct answer.
> >
> > Suggested-by: Paolo Bonzini 
> > Signed-off-by: Peter Xu 
> 
> Reviewed-by: Marc-André Lureau 

Thanks,

-- 
Peter Xu



[Qemu-devel] [PATCH] tap: delete tap(net client) if net_init_tap_one failed

2018-03-05 Thread linzhecheng
If net_init_tap_one failed but net_tap_fd_init succeeded, we should
delete the TAPState *s without vhostforce and has_vhostforce flag.

Signed-off-by: linzhecheng 

diff --git a/net/tap.c b/net/tap.c
index 2b3a36f9b5..1cb8eaf31f 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -651,7 +651,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 tap_set_sndbuf(s->fd, tap, );
 if (err) {
 error_propagate(errp, err);
-return;
+goto fail;
 }
 
 if (tap->has_fd || tap->has_fds) {
@@ -688,6 +688,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 if (vhostfd == -1) {
 if (tap->has_vhostforce && tap->vhostforce) {
 error_propagate(errp, err);
+goto fail;
 } else {
 warn_report_err(err);
 }
@@ -699,6 +700,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 if (tap->has_vhostforce && tap->vhostforce) {
 error_setg_errno(errp, errno,
  "tap: open vhost char device failed");
+goto fail;
 } else {
 warn_report("tap: open vhost char device failed: %s",
 strerror(errno));
@@ -713,6 +715,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 if (!s->vhost_net) {
 if (tap->has_vhostforce && tap->vhostforce) {
 error_setg(errp, VHOST_NET_INIT_FAILED);
+goto fail;
 } else {
 warn_report(VHOST_NET_INIT_FAILED);
 }
@@ -720,7 +723,11 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 }
 } else if (vhostfdname) {
 error_setg(errp, "vhostfd(s)= is not valid without vhost");
+goto fail;
 }
+return;
+fail:
+qemu_del_net_client(>nc);
 }
 
 static int get_fds(char *str, char *fds[], int max)
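Review bot: the `fail:` path deletes the net client but does not close the vhost descriptor this function opens itself when `vhostfdname` is given (the `"tap: open vhost char device failed"` branch shows the open happens here), so on the `vhost_net_init()` failure path with `vhostforce` that descriptor looks leaked; close it before `goto fail`, or state in the commit message why `qemu_del_net_client()` covers it. Also, the `} else {` branches that now follow a `goto fail` are redundant and could be flattened.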
-- 
2.12.2.windows.2





Re: [Qemu-devel] [PULL 00/30] ppc-for-2.12 queue 20180306

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 08:30:40PM -0800, no-re...@patchew.org wrote:
> Hi,
> 
> This series seems to have some coding style problems. See output below for
> more information:
> 
> Type: series
> Message-id: 20180306040154.3669-1-da...@gibson.dropbear.id.au
> Subject: [Qemu-devel] [PULL 00/30] ppc-for-2.12 queue 20180306
> 
> === TEST SCRIPT BEGIN ===
> #!/bin/bash
> 
> BASE=base
> n=1
> total=$(git log --oneline $BASE.. | wc -l)
> failed=0
> 
> git config --local diff.renamelimit 0
> git config --local diff.renames True
> git config --local diff.algorithm histogram
> 
> commits="$(git log --format=%H --reverse $BASE..)"
> for c in $commits; do
> echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
> if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; 
> then
> failed=1
> echo
> fi
> n=$((n+1))
> done
> 
> exit $failed
> === TEST SCRIPT END ===
> 
> Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
> From https://github.com/patchew-project/qemu
>  * [new tag]   
> patchew/20180306040154.3669-1-da...@gibson.dropbear.id.au -> 
> patchew/20180306040154.3669-1-da...@gibson.dropbear.id.au
> Switched to a new branch 'test'
> 710332af72 PowerPC: Add TS bits into msr_mask
> 1d843d531b adb: add trace-events for monitoring keyboard/mouse during bus 
> enumeration
> e0dcafa414 PPC: e500: Fix duplicate kernel load and device tree overlap
> ca32627c89 hw/ppc/spapr, e500: Use new property "stdout-path" for boot console
> 7ec999efd1 ppc/spapr-caps: Define the pseries-2.12-sxxm machine type
> c5c9d5e6b5 ppc/spapr-caps: Convert cap-ibs to custom spapr-cap
> d1f8d2a7ec ppc/spapr-caps: Convert cap-sbbc to custom spapr-cap
> dee8ac698b ppc/spapr-caps: Convert cap-cfpc to custom spapr-cap
> be78220976 ppc/spapr-caps: Add support for custom spapr_capabilities
> 41fe6c3234 target/ppc: Check mask when setting cap_ppc_safe_indirect_branch
> 925dc8c8ab macio: remove macio_init() function
> 0cdc7ef4d3 macio: move setting of CUDA timebase frequency to 
> macio_common_realize()
> 333e2d72ae mac_newworld: use object link to pass OpenPIC object to macio
> 6352921fc0 openpic: move OpenPIC state and related definitions to openpic.h
> f6528ecaad openpic: move KVM-specific declarations into separate 
> openpic_kvm.h file
> ff45ce713e mac_oldworld: use object link to pass heathrow PIC object to macio
> 7a6c79ea44 macio: move macio related structures and defines into separate 
> macio.h file
> 314c9858ad heathrow: change heathrow_pic_init() to return the heathrow device
> f5b91571dc heathrow: convert to trace-events
> 3045694ed1 heathrow: QOMify heathrow PIC
> ad17492d9b macio: move ESCC device within the macio device
> 777c94a3ee macio: embed DBDMA device directly within macio
> 2ea90e405c spapr: harden code that depends on VSMT
> 00226ad7c9 spapr: register dummy ICPs later
> 7ed96e066b ppc: Add aCube Sam460ex board
> 9abb284ab2 pc-bios: Added u-boot-sam460 firmware binary
> e4cb279fb1 roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)
> a2279cf053 ppc440: Add emulation of plb-pcix controller found in some 440 SoCs
> 3e9afde83e ppc440_uc: Fix unintialized variable warning with older gcc
> 8e4c18ae65 spapr: fix missing CPU core nodes in DT when running with TCG
> 
> === OUTPUT BEGIN ===
> Checking PATCH 1/30: spapr: fix missing CPU core nodes in DT when running 
> with TCG...
> Checking PATCH 2/30: ppc440_uc: Fix unintialized variable warning with older 
> gcc...
> Checking PATCH 3/30: ppc440: Add emulation of plb-pcix controller found in 
> some 440 SoCs...
> Checking PATCH 4/30: roms: Added git submodule for u-boot-sam460 (firmware 
> for sam460ex)...
> Checking PATCH 5/30: pc-bios: Added u-boot-sam460 firmware binary...
> Checking PATCH 6/30: ppc: Add aCube Sam460ex board...
> Checking PATCH 7/30: spapr: register dummy ICPs later...
> Checking PATCH 8/30: spapr: harden code that depends on VSMT...
> Checking PATCH 9/30: macio: embed DBDMA device directly within macio...
> Checking PATCH 10/30: macio: move ESCC device within the macio device...
> Checking PATCH 11/30: heathrow: QOMify heathrow PIC...
> Checking PATCH 12/30: heathrow: convert to trace-events...
> Checking PATCH 13/30: heathrow: change heathrow_pic_init() to return the 
> heathrow device...
> Checking PATCH 14/30: macio: move macio related structures and defines into 
> separate macio.h file...
> Checking PATCH 15/30: mac_oldworld: use object link to pass heathrow PIC 
> object to macio...
> Checking PATCH 16/30: openpic: move KVM-specific declarations into separate 
> openpic_kvm.h file...
> Checking PATCH 17/30: openpic: move OpenPIC state and related definitions to 
> openpic.h...
> ERROR: "foo * bar" should be "foo *bar"
> #250: FILE: include/hw/ppc/openpic.h:57:
> +#define RAVEN_DBL_IRQ(RAVEN_IPI_IRQ + (RAVEN_MAX_CPU * RAVEN_MAX_IPI))
> 
> total: 1 errors, 0 warnings, 353 lines checked

This is a false positive.  For some reason it's misidentifying a
multiply as a 

Re: [Qemu-devel] [RFC PATCH v2 12/22] hw/isa/superio: Add a keyboard/mouse controller (8042)

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 06:19:18PM -0300, Philippe Mathieu-Daudé wrote:
> Since the PC87312 inherits this abstract model, we remove the I8042
> instance in the PREP machine.
> 
> Signed-off-by: Philippe Mathieu-Daudé 

Acked-by: David Gibson 

> ---
>  include/hw/isa/superio.h | 1 +
>  hw/isa/isa-superio.c | 3 +++
>  hw/ppc/prep.c| 1 -
>  3 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/include/hw/isa/superio.h b/include/hw/isa/superio.h
> index e8007b9eee..2fc33bf3d3 100644
> --- a/include/hw/isa/superio.h
> +++ b/include/hw/isa/superio.h
> @@ -30,6 +30,7 @@ typedef struct ISASuperIODevice {
>  ISADevice *parallel[MAX_PARALLEL_PORTS];
>  ISADevice *serial[MAX_SERIAL_PORTS];
>  ISADevice *floppy;
> +ISADevice *kbc;
>  } ISASuperIODevice;
>  
>  typedef struct ISASuperIOFuncs {
> diff --git a/hw/isa/isa-superio.c b/hw/isa/isa-superio.c
> index 22bf79d3c3..6a24ac0259 100644
> --- a/hw/isa/isa-superio.c
> +++ b/hw/isa/isa-superio.c
> @@ -17,6 +17,7 @@
>  #include "sysemu/blockdev.h"
>  #include "chardev/char.h"
>  #include "hw/isa/superio.h"
> +#include "hw/input/i8042.h"
>  #include "hw/char/serial.h"
>  #include "trace.h"
>  
> @@ -139,6 +140,8 @@ static void isa_superio_realize(DeviceState *dev, Error 
> **errp)
>  k->floppy.get_irq(sio, 0) : -1);
>  }
>  
> +/* Keyboard, mouse */
> +sio->kbc = isa_create_simple(bus, TYPE_I8042);
>  }
>  
>  static void isa_superio_class_init(ObjectClass *oc, void *data)
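Review bot: `sio->kbc = isa_create_simple(bus, TYPE_I8042);` runs unconditionally, unlike the floppy just above it, which is only created when the class enables it. Any chip built on this abstract model that has no keyboard controller, and any board that already instantiates an i8042 on the same ISA bus, now ends up with a second i8042 (the prep.c hunk in this same patch has to drop its own isa_create_simple() for exactly that reason). Gate the creation on a flag or count in ISASuperIOFuncs, the way the serial, parallel and floppy parts are gated, and leave `sio->kbc` NULL when the chip has none.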
> diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
> index 610ec7ec32..96d319b87c 100644
> --- a/hw/ppc/prep.c
> +++ b/hw/ppc/prep.c
> @@ -642,7 +642,6 @@ static void ppc_prep_init(MachineState *machine)
>   hd[2 * i],
>hd[2 * i + 1]);
>  }
> -isa_create_simple(isa_bus, TYPE_I8042);
>  
>  cpu = POWERPC_CPU(first_cpu);
>  sysctrl->reset_irq = cpu->env.irq_inputs[PPC6xx_INPUT_HRESET];
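Review bot: removing the explicit i8042 here is only correct if the PReP board's superio device (the PC87312 the commit message refers to) is realized on the same `isa_bus` before anything that expects the keyboard controller to exist. This hunk deletes the only visible creation of the i8042 on this board, so the commit message should state where it is created now, and a boot of the prep machine with a keyboard attached is worth doing before merging.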

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH v3] scripts/checkpatch.pl: add check for `while` and `for`

2018-03-05 Thread Su Hang
As too many emails overwhelmed my email box, I am very sorry for not seeing 
your reply until this morning.

I will fix the wrong use of git right now!

"Stefan Hajnoczi" wrote:
> On Wed, Feb 28, 2018 at 11:31:29AM +0800, Su Hang wrote:
> > Add a check for `while` and `for` statements whose condition spans more than
> > one line.
> > 
> > The former checkpatch.pl could check an `if` statement whose condition spans
> > more than one line for a block that is missing braces around it, like this:
> > '''
> > if (cond1 ||
> > cond2)
> > statement;
> > '''
> > But it does not do the same check for `for` and `while` statements.
> > 
> > Use `(?:...)` instead of `(...)` in the regex pattern,
> > because `(?:...)` is faster and avoids unwanted side effects.
> 
> This patch doesn't apply to qemu.git/master because it's based on your
> v2 patch.
> 
> Please send a single v4 patch that combines v2 and v3 changes and can be
> applied to qemu.git/master.
> 
> You can use "git rebase -i origin/master" to combine changes and put
> them onto the latest origin/master.  See the "fixup" and "squash"
> commands in git-rebase(1)'s interactive mode for combining patches.
> 
> Thanks!
> 
> > Suggested-by: Stefan Hajnoczi 
> > Suggested-by: Eric Blake 
> > Suggested-by: Thomas Huth 
> > Signed-off-by: Su Hang 
> > ---
> >  scripts/checkpatch.pl | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
> > index 10c138344fa9..bed1dbbd54d1 100755
> > --- a/scripts/checkpatch.pl
> > +++ b/scripts/checkpatch.pl
> > @@ -2352,9 +2352,9 @@ sub process {
> > }
> > }
> >  
> > -# check for missing bracing round if etc
> > -   if ($line =~ /(^.*)\b(for|while|if)\b/ &&
> > -   $line !~ /\#\s*(for|while|if)/) {
> > +# check for missing bracing around if etc
> > +   if ($line =~ /(^.*)\b(?:for|while|if)\b/ &&
> > +   $line !~ /\#\s*(?:for|while|if)/) {
> > my ($level, $endln, @chunks) =
> > ctx_statement_full($linenr, $realcnt, 1);
> >  if ($dbg_adv_apw) {
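Review bot: as Stefan says, this hunk does not contain the change the commit message describes. What is visible is only the switch from capturing `(for|while|if)` to non-capturing `(?:for|while|if)` in both regexes plus the comment wording fix; the multi-line `for`/`while` condition check itself must live in the v2 base this was built on. Squash v2 and v3 into one v4 against qemu.git/master so the behaviour change and the regex cleanup are reviewed together. One detail worth confirming in the squashed version: `(^.*)` stays capturing, so `$1` is unchanged, but any code that relied on `$2` holding the keyword would silently break.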
> > -- 
> > 2.7.4
> > 


[Qemu-devel] [PULL 23/30] ppc/spapr-caps: Convert cap-cfpc to custom spapr-cap

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

Convert cap-cfpc (cache flush on privilege change) to a custom spapr-cap
type.

Signed-off-by: Suraj Jitindar Singh 
[dwg: Don't explicitly list "?"/help option, trusting convention]
[dwg: Strip no-longer-necessary ATTRIBUTE_UNUSED back off]
[dwg: Fix some minor style problems]
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_caps.c | 33 ++---
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 3d8b796df9..b5a991f97a 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -149,9 +149,8 @@ out:
 g_free(val);
 }
 
-static void ATTRIBUTE_UNUSED spapr_cap_get_string(Object *obj, Visitor *v,
-  const char *name,
-  void *opaque, Error **errp)
+static void  spapr_cap_get_string(Object *obj, Visitor *v, const char *name,
+  void *opaque, Error **errp)
 {
 sPAPRCapabilityInfo *cap = opaque;
 sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
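Review bot: `+static void  spapr_cap_get_string(` has two spaces after `void`. It is a style nit that checkpatch will not catch, but easy to tidy in the same hunk that drops ATTRIBUTE_UNUSED.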
@@ -169,9 +168,8 @@ static void ATTRIBUTE_UNUSED spapr_cap_get_string(Object 
*obj, Visitor *v,
 g_free(val);
 }
 
-static void ATTRIBUTE_UNUSED spapr_cap_set_string(Object *obj, Visitor *v,
-  const char *name,
-  void *opaque, Error **errp)
+static void spapr_cap_set_string(Object *obj, Visitor *v, const char *name,
+ void *opaque, Error **errp)
 {
 sPAPRCapabilityInfo *cap = opaque;
 sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
@@ -250,14 +248,26 @@ static void cap_dfp_apply(sPAPRMachineState *spapr, 
uint8_t val, Error **errp)
 }
 }
 
+sPAPRCapPossible cap_cfpc_possible = {
+.num = 3,
+.vals = {"broken", "workaround", "fixed"},
+.help = "broken - no protection, workaround - workaround available,"
+" fixed - fixed in hardware",
+};
+
 static void cap_safe_cache_apply(sPAPRMachineState *spapr, uint8_t val,
  Error **errp)
 {
+uint8_t kvm_val =  kvmppc_get_cap_safe_cache();
+
 if (tcg_enabled() && val) {
 /* TODO - for now only allow broken for TCG */
-error_setg(errp, "Requested safe cache capability level not supported 
by tcg, try a different value for cap-cfpc");
-} else if (kvm_enabled() && (val > kvmppc_get_cap_safe_cache())) {
-error_setg(errp, "Requested safe cache capability level not supported 
by kvm, try a different value for cap-cfpc");
+error_setg(errp,
+"Requested safe cache capability level not supported by tcg, try a different 
value for cap-cfpc");
+} else if (kvm_enabled() && (val > kvm_val)) {
+error_setg(errp,
+"Requested safe cache capability level not supported by kvm, try cap-cfpc=%s",
+   cap_cfpc_possible.vals[kvm_val]);
 }
 }
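Review bot: `sPAPRCapPossible cap_cfpc_possible` is defined without `static` and has no declaration in a header, yet its only user is the `.possible` entry in this file; make it static. Two smaller points in the same hunk: `uint8_t kvm_val =  kvmppc_get_cap_safe_cache();` has a doubled space, and the two error_setg() string continuations are flush left rather than aligned under the opening quote as the rest of the file does. The TCG branch could also name the one value it accepts, `cap_cfpc_possible.vals[0]`, the way the KVM branch now does, instead of telling the user to "try a different value".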
 
@@ -319,9 +329,10 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 .name = "cfpc",
 .description = "Cache Flush on Privilege Change" VALUE_DESC_TRISTATE,
 .index = SPAPR_CAP_CFPC,
-.get = spapr_cap_get_tristate,
-.set = spapr_cap_set_tristate,
+.get = spapr_cap_get_string,
+.set = spapr_cap_set_string,
 .type = "string",
+.possible = _cfpc_possible,
 .apply = cap_safe_cache_apply,
 },
 [SPAPR_CAP_SBBC] = {
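Review bot: the `.description` in this table entry still appends VALUE_DESC_TRISTATE, while the getter and setter are switched to spapr_cap_get_string/spapr_cap_set_string and the accepted values become the broken/workaround/fixed strings from cap_cfpc_possible. Update the description (or derive it from `cap_cfpc_possible.help`) so that the property description and the values the setter actually accepts agree.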
-- 
2.14.3




[Qemu-devel] [PULL 28/30] PPC: e500: Fix duplicate kernel load and device tree overlap

2018-03-05 Thread David Gibson
From: David Engraf 

This patch fixes an incorrect behavior when the -kernel argument has been
specified without -bios. In this case the kernel was loaded twice: at address
32M as a raw image, and afterwards by load_elf/load_uimage at the
corresponding load address. In this case the region for the device tree and
the raw kernel image may overlap.

The patch fixes the behavior by loading the kernel image once with
load_elf/load_uimage and skips loading the raw image.

While here, do not use bios_name/size for the kernel and use a more generic
name called payload_name/size.

New in v3: dtb must be stored between kernel and initrd because Linux can
   handle the dtb only within the first 64MB. Add a comment to
   clarify the behavior.

Signed-off-by: David Engraf 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/ppc/e500.c | 116 +++---
 1 file changed, 70 insertions(+), 46 deletions(-)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index ef541a00be..43c15d18c4 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -792,8 +792,10 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 int initrd_size = 0;
 hwaddr cur_base = 0;
 char *filename;
+const char *payload_name;
+bool kernel_as_payload;
 hwaddr bios_entry = 0;
-target_long bios_size;
+target_long payload_size;
 struct boot_info *boot_info;
 int dt_size;
 int i;
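Review bot: the rename to payload_* stops short. `bios_entry` (the context line just above the renamed `payload_size`) is the entry point of whatever the payload turns out to be, kernel included, so it now reads as if only the -bios path sets it. Rename it `payload_entry` in the same hunk for consistency with `payload_name` and `payload_size`.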
@@ -921,11 +923,6 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 /* Register spinning region */
 sysbus_create_simple("e500-spin", params->spin_base, NULL);
 
-if (cur_base < (32 * 1024 * 1024)) {
-/* u-boot occupies memory up to 32MB, so load blobs above */
-cur_base = (32 * 1024 * 1024);
-}
-
 if (params->has_mpc8xxx_gpio) {
 qemu_irq poweroff_irq;
 
@@ -960,8 +957,61 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 sysbus_mmio_get_region(s, 0));
 }
 
-/* Load kernel. */
-if (machine->kernel_filename) {
+/*
+ * Smart firmware defaults ahead!
+ *
+ * We follow the following table to select which payload we execute.
+ *
+ *  -kernel | -bios | payload
+ * -+---+-
+ * N|   Y   | u-boot
+ * N|   N   | u-boot
+ * Y|   Y   | u-boot
+ * Y|   N   | kernel
+ *
+ * This ensures backwards compatibility with how we used to expose
+ * -kernel to users but allows them to run through u-boot as well.
+ */
+kernel_as_payload = false;
+if (bios_name == NULL) {
+if (machine->kernel_filename) {
+payload_name = machine->kernel_filename;
+kernel_as_payload = true;
+} else {
+payload_name = "u-boot.e500";
+}
+} else {
+payload_name = bios_name;
+}
+
+filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, payload_name);
+
+payload_size = load_elf(filename, NULL, NULL, _entry, , NULL,
+1, PPC_ELF_MACHINE, 0, 0);
+if (payload_size < 0) {
+/*
+ * Hrm. No ELF image? Try a uImage, maybe someone is giving us an
+ * ePAPR compliant kernel
+ */
+payload_size = load_uimage(filename, _entry, , NULL,
+   NULL, NULL);
+if (payload_size < 0) {
+error_report("qemu: could not load firmware '%s'", filename);
+exit(1);
+}
+}
+
+g_free(filename);
+
+if (kernel_as_payload) {
+kernel_base = loadaddr;
+kernel_size = payload_size;
+}
+
+cur_base = loadaddr + payload_size;
+
+/* Load bare kernel only if no bios/u-boot has been provided */
+if (machine->kernel_filename && !kernel_as_payload) {
 kernel_base = cur_base;
 kernel_size = load_image_targphys(machine->kernel_filename,
   cur_base,
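Review bot: `filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, payload_name);` can return NULL when the payload is not found, and the result goes straight into load_elf(), then load_uimage(), and finally into the `'%s'` of the error_report() format, so a missing u-boot.e500 or a misspelt -bios path fails inside the loaders with a message that carries no usable file name. Add an explicit check right after the lookup that reports the name the user gave, for example
`if (!filename) {`
`    error_report("qemu: could not find firmware '%s'", payload_name);`
`    exit(1);`
`}`. Also, the comment "Try a uImage, maybe someone is giving us an ePAPR compliant kernel" now sits on a path that is also taken for -bios, where a uImage would be firmware rather than a kernel; reword it to cover both cases.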
@@ -975,6 +1025,11 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 cur_base += kernel_size;
 }
 
+if (cur_base < (32 * 1024 * 1024)) {
+/* u-boot occupies memory up to 32MB, so load blobs above */
+cur_base = (32 * 1024 * 1024);
+}
+
 /* Load initrd. */
 if (machine->initrd_filename) {
 initrd_base = (cur_base + INITRD_LOAD_PAD) & ~INITRD_PAD_MASK;
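Review bot: the 32 MB floor is now applied after the kernel has been loaded, including in the `kernel_as_payload` case where no u-boot is loaded at all, so the comment "u-boot occupies memory up to 32MB" no longer explains why the initrd must still start above 32 MB on that path. If the floor is being kept for the placement constraint the commit message describes (dtb within the first 64 MB, between kernel and initrd), say so in the comment; otherwise apply it only when u-boot is the payload.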
@@ -991,47 +1046,16 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 }
 
 /*
- * Smart firmware defaults ahead!
- *
- * We follow the following table to select which payload we execute.
- *
- *  -kernel | -bios | payload
- * -+---+-
- * N|   Y   | u-boot
- * N|   N   | u-boot
- * Y|   Y   | u-boot
- * Y|   N   | kernel
- *

[Qemu-devel] [PULL 11/30] heathrow: QOMify heathrow PIC

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/intc/heathrow_pic.c | 126 +++--
 include/hw/intc/heathrow_pic.h |  49 
 2 files changed, 119 insertions(+), 56 deletions(-)
 create mode 100644 include/hw/intc/heathrow_pic.h

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 171f5ed814..7bf44e0d86 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -25,6 +25,7 @@
 #include "qemu/osdep.h"
 #include "hw/hw.h"
 #include "hw/ppc/mac.h"
+#include "hw/intc/heathrow_pic.h"
 
 /* debug PIC */
 //#define DEBUG_PIC
@@ -36,39 +37,27 @@
 #define PIC_DPRINTF(fmt, ...)
 #endif
 
-typedef struct HeathrowPIC {
-uint32_t events;
-uint32_t mask;
-uint32_t levels;
-uint32_t level_triggered;
-} HeathrowPIC;
-
-typedef struct HeathrowPICS {
-MemoryRegion mem;
-HeathrowPIC pics[2];
-qemu_irq *irqs;
-} HeathrowPICS;
-
-static inline int check_irq(HeathrowPIC *pic)
+static inline int heathrow_check_irq(HeathrowPICState *pic)
 {
 return (pic->events | (pic->levels & pic->level_triggered)) & pic->mask;
 }
 
 /* update the CPU irq state */
-static void heathrow_pic_update(HeathrowPICS *s)
+static void heathrow_update_irq(HeathrowState *s)
 {
-if (check_irq(>pics[0]) || check_irq(>pics[1])) {
+if (heathrow_check_irq(>pics[0]) ||
+heathrow_check_irq(>pics[1])) {
 qemu_irq_raise(s->irqs[0]);
 } else {
 qemu_irq_lower(s->irqs[0]);
 }
 }
 
-static void pic_write(void *opaque, hwaddr addr,
-  uint64_t value, unsigned size)
+static void heathrow_write(void *opaque, hwaddr addr,
+   uint64_t value, unsigned size)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int n;
 
 n = ((addr & 0xfff) - 0x10) >> 4;
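Review bot: this hunk mixes the QOM conversion with a blanket rename of every static function and type (heathrow_pic_update to heathrow_update_irq, pic_write/pic_read to heathrow_write/heathrow_read, HeathrowPIC to HeathrowPICState, HeathrowPICS to HeathrowState), which makes the functional part of the change hard to pick out. A preceding no-functional-change patch carrying just the renames would leave the QOMify patch small enough to review at a glance. The struct definitions removed here move to the new include/hw/intc/heathrow_pic.h, which is not in the quoted part of the mail, so the `irqs` member and how the new device populates it cannot be checked from this hunk.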
@@ -79,24 +68,24 @@ static void pic_write(void *opaque, hwaddr addr,
 switch(addr & 0xf) {
 case 0x04:
 pic->mask = value;
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 break;
 case 0x08:
 /* do not reset level triggered IRQs */
 value &= ~pic->level_triggered;
 pic->events &= ~value;
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 break;
 default:
 break;
 }
 }
 
-static uint64_t pic_read(void *opaque, hwaddr addr,
- unsigned size)
+static uint64_t heathrow_read(void *opaque, hwaddr addr,
+  unsigned size)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int n;
 uint32_t value;
 
@@ -124,16 +113,16 @@ static uint64_t pic_read(void *opaque, hwaddr addr,
 return value;
 }
 
-static const MemoryRegionOps heathrow_pic_ops = {
-.read = pic_read,
-.write = pic_write,
+static const MemoryRegionOps heathrow_ops = {
+.read = heathrow_read,
+.write = heathrow_write,
 .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
-static void heathrow_pic_set_irq(void *opaque, int num, int level)
+static void heathrow_set_irq(void *opaque, int num, int level)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int irq_bit;
 
 #if defined(DEBUG)
@@ -153,7 +142,7 @@ static void heathrow_pic_set_irq(void *opaque, int num, int 
level)
 } else {
 pic->levels &= ~irq_bit;
 }
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 }
 
 static const VMStateDescription vmstate_heathrow_pic_one = {
@@ -161,54 +150,79 @@ static const VMStateDescription vmstate_heathrow_pic_one 
= {
 .version_id = 0,
 .minimum_version_id = 0,
 .fields = (VMStateField[]) {
-VMSTATE_UINT32(events, HeathrowPIC),
-VMSTATE_UINT32(mask, HeathrowPIC),
-VMSTATE_UINT32(levels, HeathrowPIC),
-VMSTATE_UINT32(level_triggered, HeathrowPIC),
+VMSTATE_UINT32(events, HeathrowPICState),
+VMSTATE_UINT32(mask, HeathrowPICState),
+VMSTATE_UINT32(levels, HeathrowPICState),
+VMSTATE_UINT32(level_triggered, HeathrowPICState),
 VMSTATE_END_OF_LIST()
 }
 };
 
-static const VMStateDescription vmstate_heathrow_pic = {
+static const VMStateDescription vmstate_heathrow = {
 .name = "heathrow_pic",
 .version_id = 1,
 .minimum_version_id = 1,
 .fields = (VMStateField[]) {
-VMSTATE_STRUCT_ARRAY(pics, HeathrowPICS, 2, 1,
- vmstate_heathrow_pic_one, HeathrowPIC),
+VMSTATE_STRUCT_ARRAY(pics, HeathrowState, 2, 1,
+ vmstate_heathrow_pic_one, HeathrowPICState),
 VMSTATE_END_OF_LIST()
 }
 };
 
-static void heathrow_pic_reset_one(HeathrowPIC *s)
+static void 
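Review bot: keeping `.name = "heathrow_pic"` with version_id 1 / minimum_version_id 1 (and version 0 for the per-PIC sub-description) is the right thing for the migration stream, but once this VMStateDescription is attached to the QOM device through dc->vmsd the section is registered under the qdev's canonical path rather than the id the old explicit vmstate_register() call used. Check that an incoming stream from a pre-QOM QEMU still matches (same section name and instance id), or record the incompatibility in the commit message.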

[Qemu-devel] [PULL 06/30] ppc: Add aCube Sam460ex board

2018-03-05 Thread David Gibson
From: BALATON Zoltan 

Add emulation of aCube Sam460ex board based on AMCC 460EX embedded SoC.
This is not a complete implementation yet with a lot of components
still missing but enough for the U-Boot firmware to start and to boot
a Linux kernel or AROS.

Signed-off-by: François Revol 
Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 Makefile   |   2 +-
 default-configs/ppc-softmmu.mak|   2 +
 default-configs/ppcemb-softmmu.mak |   1 +
 hw/ppc/Makefile.objs   |   3 +-
 hw/ppc/sam460ex.c  | 603 +
 pc-bios/canyonlands.dtb| Bin 0 -> 9779 bytes
 pc-bios/canyonlands.dts| 566 ++
 7 files changed, 1175 insertions(+), 2 deletions(-)
 create mode 100644 hw/ppc/sam460ex.c
 create mode 100644 pc-bios/canyonlands.dtb
 create mode 100644 pc-bios/canyonlands.dts

diff --git a/Makefile b/Makefile
index 352f3d5104..9a75c48ae0 100644
--- a/Makefile
+++ b/Makefile
@@ -779,7 +779,7 @@ efi-e1000.rom efi-eepro100.rom efi-ne2k_pci.rom \
 efi-pcnet.rom efi-rtl8139.rom efi-virtio.rom \
 efi-e1000e.rom efi-vmxnet3.rom \
 qemu-icon.bmp qemu_logo_no_text.svg \
-bamboo.dtb petalogix-s3adsp1800.dtb petalogix-ml605.dtb \
+bamboo.dtb canyonlands.dtb petalogix-s3adsp1800.dtb petalogix-ml605.dtb \
 multiboot.bin linuxboot.bin linuxboot_dma.bin kvmvapic.bin \
 s390-ccw.img s390-netboot.img \
 spapr-rtas.bin slof.bin skiboot.lid \
diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index 76e29cfa14..4d7be45ac5 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -21,6 +21,8 @@ CONFIG_E500=y
 CONFIG_OPENPIC_KVM=$(call land,$(CONFIG_E500),$(CONFIG_KVM))
 CONFIG_PLATFORM_BUS=y
 CONFIG_ETSEC=y
+# For Sam460ex
+CONFIG_USB_EHCI_SYSBUS=y
 CONFIG_SM501=y
 CONFIG_IDE_SII3112=y
 CONFIG_I2C=y
diff --git a/default-configs/ppcemb-softmmu.mak 
b/default-configs/ppcemb-softmmu.mak
index bc5e1b3ffe..67d18b2e0e 100644
--- a/default-configs/ppcemb-softmmu.mak
+++ b/default-configs/ppcemb-softmmu.mak
@@ -15,6 +15,7 @@ CONFIG_PTIMER=y
 CONFIG_I8259=y
 CONFIG_XILINX=y
 CONFIG_XILINX_ETHLITE=y
+CONFIG_USB_EHCI_SYSBUS=y
 CONFIG_SM501=y
 CONFIG_IDE_SII3112=y
 CONFIG_I2C=y
diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index bddc742bfb..86d82a6ec3 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -13,7 +13,8 @@ endif
 obj-$(CONFIG_PSERIES) += spapr_rtas_ddw.o
 # PowerPC 4xx boards
 obj-y += ppc4xx_devs.o ppc405_uc.o
-obj-$(CONFIG_PPC4XX) += ppc4xx_pci.o ppc405_boards.o ppc440_bamboo.o 
ppc440_pcix.o
+obj-$(CONFIG_PPC4XX) += ppc4xx_pci.o ppc405_boards.o
+obj-$(CONFIG_PPC4XX) += ppc440_bamboo.o ppc440_pcix.o ppc440_uc.o sam460ex.o
 # PReP
 obj-$(CONFIG_PREP) += prep.o
 obj-$(CONFIG_PREP) += prep_systemio.o
diff --git a/hw/ppc/sam460ex.c b/hw/ppc/sam460ex.c
new file mode 100644
index 00..70b8e76d9c
--- /dev/null
+++ b/hw/ppc/sam460ex.c
@@ -0,0 +1,603 @@
+/*
+ * QEMU aCube Sam460ex board emulation
+ *
+ * Copyright (c) 2012 François Revol
+ * Copyright (c) 2016-2018 BALATON Zoltan
+ *
+ * This file is derived from hw/ppc440_bamboo.c,
+ * the copyright for that material belongs to the original owners.
+ *
+ * This work is licensed under the GNU GPL license version 2 or later.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/cutils.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+#include "hw/hw.h"
+#include "sysemu/blockdev.h"
+#include "hw/boards.h"
+#include "sysemu/kvm.h"
+#include "kvm_ppc.h"
+#include "sysemu/device_tree.h"
+#include "sysemu/block-backend.h"
+#include "hw/loader.h"
+#include "elf.h"
+#include "exec/address-spaces.h"
+#include "exec/memory.h"
+#include "hw/ppc/ppc440.h"
+#include "hw/ppc/ppc405.h"
+#include "hw/block/flash.h"
+#include "sysemu/sysemu.h"
+#include "sysemu/qtest.h"
+#include "hw/sysbus.h"
+#include "hw/char/serial.h"
+#include "hw/i2c/ppc4xx_i2c.h"
+#include "hw/i2c/smbus.h"
+#include "hw/usb/hcd-ehci.h"
+
+#define BINARY_DEVICE_TREE_FILE "canyonlands.dtb"
+#define UBOOT_FILENAME "u-boot-sam460-20100605.bin"
+/* to extract the official U-Boot bin from the updater: */
+/* dd bs=1 skip=$(($(stat -c '%s' updater/updater-460) - 0x8)) \
+ if=updater/updater-460 of=u-boot-sam460-20100605.bin */
+
+/* from Sam460 U-Boot include/configs/Sam460ex.h */
+#define FLASH_BASE 0xfff0
+#define FLASH_BASE_H   0x4
+#define FLASH_SIZE (1 << 20)
+#define UBOOT_LOAD_BASE0xfff8
+#define UBOOT_SIZE 0x0008
+#define UBOOT_ENTRY0xfffc
+
+/* from U-Boot */
+#define EPAPR_MAGIC   (0x45504150)
+#define KERNEL_ADDR   0x100
+#define FDT_ADDR  0x180
+#define RAMDISK_ADDR  0x190
+
+/* Sam460ex IRQ MAP:
+   IRQ0  = ETH_INT
+   IRQ1  = FPGA_INT
+   IRQ2  = 
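Review bot: UBOOT_FILENAME points at a pre-built u-boot-sam460-20100605.bin, and the only provenance the file gives is a dd recipe for carving that blob out of a vendor updater image. Since 5/30 ("pc-bios: Added u-boot-sam460 firmware binary") ships the binary in pc-bios/ and 4/30 ("roms: Added git submodule for u-boot-sam460") adds the source as a submodule, this comment, or the 5/30 commit message, should state that the shipped binary is built from that submodule, with the build command and a hash, so a reviewer can check the blob against its source instead of trusting an image extracted from an updater. In the same spirit, the Makefile hunk installs canyonlands.dtb next to the committed canyonlands.dts; a build rule that regenerates the .dtb from the .dts would keep the two from drifting apart.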

[Qemu-devel] [PULL 21/30] target/ppc: Check mask when setting cap_ppc_safe_indirect_branch

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

Check the character and character_mask field when setting
cap_ppc_safe_indirect_branch based on the hypervisor response
to KVM_PPC_GET_CPU_CHAR. Previously the mask field wasn't checked
which was incorrect.

Fixes: 8acc2ae5 (target/ppc/kvm: Add 
cap_ppc_safe_[cache/bounds_check/indirect_branch])

Signed-off-by: Suraj Jitindar Singh 
Signed-off-by: David Gibson 
---
 target/ppc/kvm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index 9842b3bb12..2c183f61e2 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -2494,7 +2494,7 @@ static void kvmppc_get_cpu_characteristics(KVMState *s)
 cap_ppc_safe_bounds_check = 1;
 }
 /* Parse and set cap_ppc_safe_indirect_branch */
-if (c.character & H_CPU_CHAR_BCCTRL_SERIALISED) {
+if (c.character & c.character_mask & H_CPU_CHAR_BCCTRL_SERIALISED) {
 cap_ppc_safe_indirect_branch = 2;
 }
 }
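Review bot: correct fix for BCCTRL_SERIALISED, but the context line `cap_ppc_safe_bounds_check = 1;` shows that the safe-cache and bounds-check parsing sits in the same function, and those reads of `c.character` / `c.behaviour` need the same `& c.character_mask` / `& c.behaviour_mask` treatment. Bits outside the mask are undefined by the hypervisor, so without the mask a stale or zero-filled field can advertise a mitigation (here the serialised-bcctrl Spectre v2 workaround) to the guest that the host never asserted. Fixing only this one bit leaves the same class of bug a few lines up.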
-- 
2.14.3
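
Both spapr-caps patches in this pull (the cap-cfpc conversion earlier on this page and the mask fix above) depend on the same two checks on the host's reply to KVM_PPC_GET_CPU_CHAR: a characteristic bit counts only when the matching mask bit says the hypervisor actually defined it, and the level derived from it must be range-checked before it is used to index a table of level names. The program below is an added illustration written for this page, not QEMU code. It models the ioctl reply with a hypothetical `struct cpu_char` that mirrors the kernel's character/behaviour and mask fields, uses the H_CPU_CHAR_* bit positions as I recall them from Linux's hvcall.h (assumption: PPC_BIT numbering from the most significant bit; the exact values only matter for illustration), shows the unmasked read beside the masked one on constructed replies, and bounds-checks a level before looking up its name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PPC_BIT(n): bit n counted from the most significant bit, as in Linux. */
#define PPC_BIT(n) (1ULL << (63 - (n)))

/* Assumed values, taken from Linux arch/powerpc/include/asm/hvcall.h. */
#define H_CPU_CHAR_BCCTRL_SERIALISED   PPC_BIT(1)
#define H_CPU_CHAR_L1D_FLUSH_ORI30     PPC_BIT(2)
#define H_CPU_CHAR_L1D_FLUSH_TRIG2     PPC_BIT(3)
#define H_CPU_BEHAV_L1D_FLUSH_PR       PPC_BIT(1)
#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR  PPC_BIT(2)

/* Hypothetical stand-in for the kernel's struct kvm_ppc_cpu_char. */
struct cpu_char {
    uint64_t character;
    uint64_t behaviour;
    uint64_t character_mask;  /* which character bits the HV defined */
    uint64_t behaviour_mask;  /* which behaviour bits the HV defined */
};

/* A bit is meaningful only if the hypervisor defined it in the mask.
   honour_mask=false reproduces the bug fixed by the patch above. */
static bool char_set(const struct cpu_char *c, uint64_t bit, bool honour_mask)
{
    uint64_t valid = honour_mask ? c->character_mask : ~0ULL;
    return (c->character & valid & bit) != 0;
}

static bool behav_set(const struct cpu_char *c, uint64_t bit, bool honour_mask)
{
    uint64_t valid = honour_mask ? c->behaviour_mask : ~0ULL;
    return (c->behaviour & valid & bit) != 0;
}

/* Levels use the same meaning as cap-cfpc/cap-sbbc/cap-ibs:
   0 = broken, 1 = workaround, 2 = fixed. */
struct safe_caps { int cache, bounds_check, indirect_branch; };

struct safe_caps derive_caps(const struct cpu_char *c, bool honour_mask)
{
    struct safe_caps caps = {0, 0, 0};

    /* Simplified illustration of the rules, not QEMU's exact mapping:
       a cache workaround needs a flush mechanism AND the behaviour flag
       saying the flush is required on privilege change. */
    if ((char_set(c, H_CPU_CHAR_L1D_FLUSH_ORI30, honour_mask) ||
         char_set(c, H_CPU_CHAR_L1D_FLUSH_TRIG2, honour_mask)) &&
        behav_set(c, H_CPU_BEHAV_L1D_FLUSH_PR, honour_mask)) {
        caps.cache = 1;
    }
    if (behav_set(c, H_CPU_BEHAV_BNDS_CHK_SPEC_BAR, honour_mask)) {
        caps.bounds_check = 1;
    }
    if (char_set(c, H_CPU_CHAR_BCCTRL_SERIALISED, honour_mask)) {
        caps.indirect_branch = 2;
    }
    return caps;
}

static const char *const level_names[] = {"broken", "workaround", "fixed"};
#define NUM_LEVELS (sizeof level_names / sizeof level_names[0])

/* Range-check before indexing: a level a newer host reports that this
   table does not know about must not walk off the end of the array. */
const char *level_name(int level)
{
    if (level < 0 || (size_t)level >= NUM_LEVELS) {
        return "unknown";
    }
    return level_names[level];
}

int main(void)
{
    /* Constructed replies: (a) everything defined and set, (b) serialised
       bit set but NOT defined in the mask, (c) everything defined, none set. */
    struct cpu_char replies[] = {
        { H_CPU_CHAR_BCCTRL_SERIALISED | H_CPU_CHAR_L1D_FLUSH_TRIG2,
          H_CPU_BEHAV_L1D_FLUSH_PR | H_CPU_BEHAV_BNDS_CHK_SPEC_BAR,
          ~0ULL, ~0ULL },
        { H_CPU_CHAR_BCCTRL_SERIALISED, 0, 0, 0 },
        { 0, 0, ~0ULL, ~0ULL },
    };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        struct safe_caps buggy = derive_caps(&replies[i], false);
        struct safe_caps fixed = derive_caps(&replies[i], true);
        printf("reply %zu: unmasked indirect_branch=%s, masked=%s\n", i,
               level_name(buggy.indirect_branch),
               level_name(fixed.indirect_branch));
    }
    printf("level 7 -> %s\n", level_name(7));
    return 0;
}
```

Reply (b) is the interesting one: the serialised bit is set in `character` but the hypervisor never defined it in `character_mask`, so the unmasked read reports "fixed" while the masked read correctly reports "broken".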




[Qemu-devel] [PULL 19/30] macio: move setting of CUDA timebase frequency to macio_common_realize()

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

This removes the last of the functionality from macio_init() in preparation
for its subsequent removal.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index e5288f1084..f71ed61819 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -101,6 +101,8 @@ static void macio_common_realize(PCIDevice *d, Error **errp)
 memory_region_add_subregion(>bar, 0x08000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
+qdev_prop_set_uint64(DEVICE(>cuda), "timebase-frequency",
+ s->frequency);
 object_property_set_bool(OBJECT(>cuda), true, "realized", );
 if (err) {
 error_propagate(errp, err);
@@ -444,12 +446,7 @@ type_init(macio_register_types)
 void macio_init(PCIDevice *d,
 MemoryRegion *pic_mem)
 {
-MacIOState *macio_state = MACIO(d);
-
 /* Note: this code is strongly inspirated from the corresponding code
in PearPC */
-qdev_prop_set_uint64(DEVICE(_state->cuda), "timebase-frequency",
- macio_state->frequency);
-
 qdev_init_nofail(DEVICE(d));
 }
-- 
2.14.3




[Qemu-devel] [PULL 17/30] openpic: move OpenPIC state and related definitions to openpic.h

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

This is to facilitate access to OpenPICState when wiring up the PIC to the macio
controller.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/intc/openpic.c| 157 --
 include/hw/ppc/openpic.h | 159 ++-
 2 files changed, 158 insertions(+), 158 deletions(-)

diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index 9159a06f07..811cee9b26 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -63,10 +63,6 @@ static int get_current_cpu(void);
 } \
 } while (0)
 
-#define MAX_CPU 32
-#define MAX_MSI 8
-#define VID 0x03 /* MPIC version ID */
-
 /* OpenPIC capability flags */
 #define OPENPIC_FLAG_IDR_CRIT (1 << 0)
 #define OPENPIC_FLAG_ILR  (2 << 0)
@@ -85,35 +81,6 @@ static int get_current_cpu(void);
 #define OPENPIC_CPU_REG_START0x2
 #define OPENPIC_CPU_REG_SIZE 0x100 + ((MAX_CPU - 1) * 0x1000)
 
-/* Raven */
-#define RAVEN_MAX_CPU  2
-#define RAVEN_MAX_EXT 48
-#define RAVEN_MAX_IRQ 64
-#define RAVEN_MAX_TMR  OPENPIC_MAX_TMR
-#define RAVEN_MAX_IPI  OPENPIC_MAX_IPI
-
-/* KeyLargo */
-#define KEYLARGO_MAX_CPU  4
-#define KEYLARGO_MAX_EXT  64
-#define KEYLARGO_MAX_IPI  4
-#define KEYLARGO_MAX_IRQ  (64 + KEYLARGO_MAX_IPI)
-#define KEYLARGO_MAX_TMR  0
-#define KEYLARGO_IPI_IRQ  (KEYLARGO_MAX_EXT) /* First IPI IRQ */
-/* Timers don't exist but this makes the code happy... */
-#define KEYLARGO_TMR_IRQ  (KEYLARGO_IPI_IRQ + KEYLARGO_MAX_IPI)
-
-/* Interrupt definitions */
-#define RAVEN_FE_IRQ (RAVEN_MAX_EXT) /* Internal functional IRQ */
-#define RAVEN_ERR_IRQ(RAVEN_MAX_EXT + 1) /* Error IRQ */
-#define RAVEN_TMR_IRQ(RAVEN_MAX_EXT + 2) /* First timer IRQ */
-#define RAVEN_IPI_IRQ(RAVEN_TMR_IRQ + RAVEN_MAX_TMR) /* First IPI IRQ */
-/* First doorbell IRQ */
-#define RAVEN_DBL_IRQ(RAVEN_IPI_IRQ + (RAVEN_MAX_CPU * RAVEN_MAX_IPI))
-
-typedef struct FslMpicInfo {
-int max_ext;
-} FslMpicInfo;
-
 static FslMpicInfo fsl_mpic_20 = {
 .max_ext = 12,
 };
@@ -211,55 +178,6 @@ static void openpic_cpu_write_internal(void *opaque, 
hwaddr addr,
uint32_t val, int idx);
 static void openpic_reset(DeviceState *d);
 
-typedef enum IRQType {
-IRQ_TYPE_NORMAL = 0,
-IRQ_TYPE_FSLINT,/* FSL internal interrupt -- level only */
-IRQ_TYPE_FSLSPECIAL,/* FSL timer/IPI interrupt, edge, no polarity */
-} IRQType;
-
-/* Round up to the nearest 64 IRQs so that the queue length
- * won't change when moving between 32 and 64 bit hosts.
- */
-#define IRQQUEUE_SIZE_BITS ((OPENPIC_MAX_IRQ + 63) & ~63)
-
-typedef struct IRQQueue {
-unsigned long *queue;
-int32_t queue_size; /* Only used for VMSTATE_BITMAP */
-int next;
-int priority;
-} IRQQueue;
-
-typedef struct IRQSource {
-uint32_t ivpr;  /* IRQ vector/priority register */
-uint32_t idr;   /* IRQ destination register */
-uint32_t destmask; /* bitmap of CPU destinations */
-int last_cpu;
-int output; /* IRQ level, e.g. OPENPIC_OUTPUT_INT */
-int pending;/* TRUE if IRQ is pending */
-IRQType type;
-bool level:1;   /* level-triggered */
-bool nomask:1;  /* critical interrupts ignore mask on some FSL MPICs */
-} IRQSource;
-
-#define IVPR_MASK_SHIFT   31
-#define IVPR_MASK_MASK(1U << IVPR_MASK_SHIFT)
-#define IVPR_ACTIVITY_SHIFT   30
-#define IVPR_ACTIVITY_MASK(1U << IVPR_ACTIVITY_SHIFT)
-#define IVPR_MODE_SHIFT   29
-#define IVPR_MODE_MASK(1U << IVPR_MODE_SHIFT)
-#define IVPR_POLARITY_SHIFT   23
-#define IVPR_POLARITY_MASK(1U << IVPR_POLARITY_SHIFT)
-#define IVPR_SENSE_SHIFT  22
-#define IVPR_SENSE_MASK   (1U << IVPR_SENSE_SHIFT)
-
-#define IVPR_PRIORITY_MASK (0xFU << 16)
-#define IVPR_PRIORITY(_ivprr_) ((int)(((_ivprr_) & IVPR_PRIORITY_MASK) >> 16))
-#define IVPR_VECTOR(opp, _ivprr_) ((_ivprr_) & (opp)->vector_mask)
-
-/* IDR[EP/CI] are only for FSL MPIC prior to v4.0 */
-#define IDR_EP  0x8000  /* external pin */
-#define IDR_CI  0x4000  /* critical interrupt */
-
 /* Convert between openpic clock ticks and nanosecs.  In the hardware the clock
frequency is driven by board inputs to the PIC which the PIC would then
divide by 4 or 8.  For now hard code to 25MZ.
@@ -275,81 +193,6 @@ static inline uint64_t ticks_to_ns(uint64_t ticks)
 return ticks * OPENPIC_TIMER_NS_PER_TICK;
 }
 
-typedef struct OpenPICTimer {
-uint32_t tccr;  /* Global timer current count register */
-uint32_t tbcr;  /* Global timer base count register */
-int   n_IRQ;
-bool  qemu_timer_active; /* Is the qemu_timer is running? 
*/
-struct QEMUTimer *qemu_timer;
-struct OpenPICState  *opp; 

[Qemu-devel] [PULL 16/30] openpic: move KVM-specific declarations into separate openpic_kvm.h file

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

This is needed before the next patch because the target-dependent kvm stub
uses the existing kvm_openpic_connect_vcpu() declaration, making it impossible
to move the device-specific declarations into the same file without breaking
ppc-linux-user compilation.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/intc/openpic_kvm.c| 1 +
 hw/ppc/e500.c| 1 +
 include/hw/ppc/openpic.h | 3 ---
 include/hw/ppc/openpic_kvm.h | 7 +++
 target/ppc/kvm-stub.c| 2 +-
 5 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 include/hw/ppc/openpic_kvm.h

diff --git a/hw/intc/openpic_kvm.c b/hw/intc/openpic_kvm.c
index fa83420254..f1a59e5a85 100644
--- a/hw/intc/openpic_kvm.c
+++ b/hw/intc/openpic_kvm.c
@@ -30,6 +30,7 @@
 #include "exec/address-spaces.h"
 #include "hw/hw.h"
 #include "hw/ppc/openpic.h"
+#include "hw/ppc/openpic_kvm.h"
 #include "hw/pci/msi.h"
 #include "hw/sysbus.h"
 #include "sysemu/kvm.h"
diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index a40d3ec3e3..13a34f50b7 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -29,6 +29,7 @@
 #include "kvm_ppc.h"
 #include "sysemu/device_tree.h"
 #include "hw/ppc/openpic.h"
+#include "hw/ppc/openpic_kvm.h"
 #include "hw/ppc/ppc.h"
 #include "hw/loader.h"
 #include "elf.h"
diff --git a/include/hw/ppc/openpic.h b/include/hw/ppc/openpic.h
index e55ce546aa..693e981965 100644
--- a/include/hw/ppc/openpic.h
+++ b/include/hw/ppc/openpic.h
@@ -28,7 +28,4 @@ enum {
 #define OPENPIC_MAX_IRQ (OPENPIC_MAX_SRC + OPENPIC_MAX_IPI + \
  OPENPIC_MAX_TMR)
 
-#define TYPE_KVM_OPENPIC "kvm-openpic"
-int kvm_openpic_connect_vcpu(DeviceState *d, CPUState *cs);
-
 #endif /* OPENPIC_H */
diff --git a/include/hw/ppc/openpic_kvm.h b/include/hw/ppc/openpic_kvm.h
new file mode 100644
index 00..9ef4215257
--- /dev/null
+++ b/include/hw/ppc/openpic_kvm.h
@@ -0,0 +1,7 @@
+#ifndef OPENPIC_KVM_H
+#define OPENPIC_KVM_H
+
+#define TYPE_KVM_OPENPIC "kvm-openpic"
+int kvm_openpic_connect_vcpu(DeviceState *d, CPUState *cs);
+
+#endif /* OPENPIC_KVM_H */
diff --git a/target/ppc/kvm-stub.c b/target/ppc/kvm-stub.c
index efeafca1df..b8aa97f2d4 100644
--- a/target/ppc/kvm-stub.c
+++ b/target/ppc/kvm-stub.c
@@ -12,7 +12,7 @@
 #include "qemu/osdep.h"
 #include "qemu-common.h"
 #include "cpu.h"
-#include "hw/ppc/openpic.h"
+#include "hw/ppc/openpic_kvm.h"
 
 int kvm_openpic_connect_vcpu(DeviceState *d, CPUState *cs)
 {
-- 
2.14.3




Re: [Qemu-devel] [Xen-devel] [RFC QEMU PATCH v4 00/10] Implement vNVDIMM for Xen HVM guest

2018-03-05 Thread Haozhong Zhang
On 03/02/18 12:03 +, Anthony PERARD wrote:
> On Wed, Feb 28, 2018 at 05:36:59PM +0800, Haozhong Zhang wrote:
> > On 02/27/18 17:22 +, Anthony PERARD wrote:
> > > On Thu, Dec 07, 2017 at 06:18:02PM +0800, Haozhong Zhang wrote:
> > > > This is the QEMU part patches that works with the associated Xen
> > > > patches to enable vNVDIMM support for Xen HVM domains. Xen relies on
> > > > QEMU to build guest NFIT and NVDIMM namespace devices, and allocate
> > > > guest address space for vNVDIMM devices.
> > > 
> > > I've got other question, and maybe possible improvements.
> > > 
> > > When QEMU builds the ACPI tables, it also initializes some MemoryRegions,
> > > which use more guest memory. Do you know if those regions are used with
> > > your patch series on Xen?
> > 
> > Yes, that's why dm_acpi_size is introduced.
> > 
> > > Otherwise, we could try to avoid their
> > > creation with this:
> > > In xenfv_machine_options()
> > > m->rom_file_has_mr = false;
> > > (setting this in xen_hvm_init() would probably be better, but I haven't
> > > try)
> > 
> > If my memory is correct, simply setting rom_file_has_mr to false does
> > not work (though I cannot recall the exact reason). I'll have a look
> > at the code to refresh my memory.
> 
> I've played a bit with this idea, but without a proper NVDIMM available
> for the guest, so I don't know if it's going to work properly without
> the mr.
> 
> To make it work, I had to disable some code in acpi_build_update() that
> makes use of the MemoryRegions, as well as an assert in acpi_setup().
> After those small hacks, I could boot the guest, and I've check that the
> expected ACPI tables where there, and they looked correct to my eyes.
> And least `ndctl list` works and showed the nvdimm (that I have
> configured on QEMU's cmdline).
> 
> But I may not have been far enough with my tests, and maybe something
> later relies on the MRs, especially the _DSM method that I don't know if
> it was working properly.
> 
> Anyway, that's why I proposed the idea, and if we can avoid more
> uncertainty about how much guest memory QEMU is going to use, that would
> be good.
> 

Yes, I also tested some non-trivial _DSM methods and it looks like rom
files without memory regions can work with Xen after some
modifications. I'll apply this idea in the next version if no other
issues are found.

Thanks,
Haozhong



[Qemu-devel] [PULL 24/30] ppc/spapr-caps: Convert cap-sbbc to custom spapr-cap

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

Convert cap-sbbc (speculation barrier bounds checking) to a custom
spapr-cap type.

Signed-off-by: Suraj Jitindar Singh 
[dwg: Removed trailing whitespace]
[dwg: Don't explicitly list "?"/help option, trust convention]
[dwg: Fix some minor style problems]
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_caps.c | 23 ++-
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index b5a991f97a..8748692425 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -271,14 +271,26 @@ static void cap_safe_cache_apply(sPAPRMachineState 
*spapr, uint8_t val,
 }
 }
 
+sPAPRCapPossible cap_sbbc_possible = {
+.num = 3,
+.vals = {"broken", "workaround", "fixed"},
+.help = "broken - no protection, workaround - workaround available,"
+" fixed - fixed in hardware",
+};
+
 static void cap_safe_bounds_check_apply(sPAPRMachineState *spapr, uint8_t val,
 Error **errp)
 {
+uint8_t kvm_val =  kvmppc_get_cap_safe_bounds_check();
+
 if (tcg_enabled() && val) {
 /* TODO - for now only allow broken for TCG */
-error_setg(errp, "Requested safe bounds check capability level not 
supported by tcg, try a different value for cap-sbbc");
-} else if (kvm_enabled() && (val > kvmppc_get_cap_safe_bounds_check())) {
-error_setg(errp, "Requested safe bounds check capability level not 
supported by kvm, try a different value for cap-sbbc");
+error_setg(errp,
+"Requested safe bounds check capability level not supported by tcg, try a 
different value for cap-sbbc");
+} else if (kvm_enabled() && (val > kvm_val)) {
+error_setg(errp,
+"Requested safe bounds check capability level not supported by kvm, try 
cap-sbbc=%s",
+   cap_sbbc_possible.vals[kvm_val]);
 }
 }
 
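Review bot: `cap_sbbc_possible.vals[kvm_val]` in the kvm branch of cap_safe_bounds_check_apply() uses the value returned by kvmppc_get_cap_safe_bounds_check() as an array index without checking it against `cap_sbbc_possible.num`, so a newer kernel reporting a level beyond `fixed` would read past the end of `vals` while building the error message; guard with `kvm_val < cap_sbbc_possible.num` before indexing and fall back to a generic "try a different value" message otherwise. Two smaller points: `cap_sbbc_possible` is only referenced in this file and can be `static`, and `uint8_t kvm_val =  kvmppc_get_cap_safe_bounds_check();` has a doubled space after `=`.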
@@ -339,9 +351,10 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 .name = "sbbc",
 .description = "Speculation Barrier Bounds Checking" 
VALUE_DESC_TRISTATE,
 .index = SPAPR_CAP_SBBC,
-.get = spapr_cap_get_tristate,
-.set = spapr_cap_set_tristate,
+.get = spapr_cap_get_string,
+.set = spapr_cap_set_string,
 .type = "string",
+.possible = _sbbc_possible,
 .apply = cap_safe_bounds_check_apply,
 },
 [SPAPR_CAP_IBS] = {
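Review bot: `.possible = _sbbc_possible,` as rendered here is not valid C; the initializer has to be the table's address, `.possible = &cap_sbbc_possible,`, so please confirm the `&` is present in the applied commit and was only dropped by the mail rendering. The `.description` string still ends with the VALUE_DESC_TRISTATE suffix even though `.type` is now the custom string type; the three accepted values happen to be the same, but deriving the description from `cap_sbbc_possible.help` would keep the two from drifting apart.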
-- 
2.14.3




[Qemu-devel] [PULL 12/30] heathrow: convert to trace-events

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/intc/heathrow_pic.c | 32 +++-
 hw/intc/trace-events   |  5 +
 2 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 7bf44e0d86..5fd2b33a12 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -26,16 +26,7 @@
 #include "hw/hw.h"
 #include "hw/ppc/mac.h"
 #include "hw/intc/heathrow_pic.h"
-
-/* debug PIC */
-//#define DEBUG_PIC
-
-#ifdef DEBUG_PIC
-#define PIC_DPRINTF(fmt, ...)   \
-do { printf("PIC: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define PIC_DPRINTF(fmt, ...)
-#endif
+#include "trace.h"
 
 static inline int heathrow_check_irq(HeathrowPICState *pic)
 {
@@ -61,7 +52,7 @@ static void heathrow_write(void *opaque, hwaddr addr,
 unsigned int n;
 
 n = ((addr & 0xfff) - 0x10) >> 4;
-PIC_DPRINTF("writel: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
+trace_heathrow_write(addr, n, value);
 if (n >= 2)
 return;
 pic = >pics[n];
@@ -109,7 +100,7 @@ static uint64_t heathrow_read(void *opaque, hwaddr addr,
 break;
 }
 }
-PIC_DPRINTF("readl: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
+trace_heathrow_read(addr, n, value);
 return value;
 }
 
@@ -124,24 +115,23 @@ static void heathrow_set_irq(void *opaque, int num, int 
level)
 HeathrowState *s = opaque;
 HeathrowPICState *pic;
 unsigned int irq_bit;
+int last_level;
 
-#if defined(DEBUG)
-{
-static int last_level[64];
-if (last_level[num] != level) {
-PIC_DPRINTF("set_irq: num=0x%02x level=%d\n", num, level);
-last_level[num] = level;
-}
-}
-#endif
 pic = >pics[1 - (num >> 5)];
 irq_bit = 1 << (num & 0x1f);
+last_level = (pic->levels & irq_bit) ? 1 : 0;
+
 if (level) {
 pic->events |= irq_bit & ~pic->level_triggered;
 pic->levels |= irq_bit;
 } else {
 pic->levels &= ~irq_bit;
 }
+
+if (last_level != level) {
+trace_heathrow_set_irq(num, level);
+}
+
 heathrow_update_irq(s);
 }
 
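Review bot: `if (last_level != level)` in heathrow_set_irq() compares a value normalised to 0/1 (`last_level = (pic->levels & irq_bit) ? 1 : 0;`) with the raw `level` argument, so a caller passing any non-zero value other than 1 would emit trace_heathrow_set_irq() on every call even though the emulated state did not change; compare against `!!level`, or normalise `level` once at the top of the function. Taking the previous level from `pic->levels` rather than the old static `last_level[64]` side table is the right move, since the trace now reflects the device's actual state.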
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 4092d2825e..55e8c2570c 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -186,3 +186,8 @@ nvic_complete_irq(int irq, bool secure) "NVIC complete IRQ 
%d (secure %d)"
 nvic_set_irq_level(int irq, int level) "NVIC external irq %d level set to %d"
 nvic_sysreg_read(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg 
read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 nvic_sysreg_write(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg 
write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
+
+# hw/intc/heathrow_pic.c
+heathrow_write(uint64_t addr, unsigned int n, uint64_t value) "0x%"PRIx64" %u: 
0x%"PRIx64
+heathrow_read(uint64_t addr, unsigned int n, uint64_t value) "0x%"PRIx64" %u: 
0x%"PRIx64
+heathrow_set_irq(int num, int level) "set_irq: num=0x%02x level=%d"
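Review bot: the format strings added for heathrow_write and heathrow_read (`"0x%"PRIx64" %u: 0x%"PRIx64`) omit the spaces around PRIx64 that the surrounding nvic entries use (`"0x%" PRIx64 " data 0x%" PRIx32`); match that spacing so the file stays uniform and the macro boundaries are easy to see.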
-- 
2.14.3




[Qemu-devel] [PULL 22/30] ppc/spapr-caps: Add support for custom spapr_capabilities

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

There are currently 2 implemented types of spapr-caps, boolean and
tristate. However there may be a need for caps which don't fit either of
these options. Add a custom capability type for which a list of custom
valid strings can be specified and implement the get/set functions for
these. Also add a field for help text to describe the available options.

Signed-off-by: Suraj Jitindar Singh 
[dwg: Change "help" option to "?" matching qemu conventions]
[dwg: Add ATTRIBUTE_UNUSED to avoid breaking bisect]
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_caps.c | 70 +
 1 file changed, 70 insertions(+)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 99a4b71d19..3d8b796df9 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -32,6 +32,20 @@
 
 #include "hw/ppc/spapr.h"
 
+typedef struct sPAPRCapPossible {
+int num;/* size of vals array below */
+const char *help;   /* help text for vals */
+/*
+ * Note:
+ * - because of the way compatibility is determined vals MUST be ordered
+ *   such that later options are a superset of all preceding options.
+ * - the order of vals must be preserved, that is their index is important,
+ *   however vals may be added to the end of the list so long as the above
+ *   point is observed
+ */
+const char *vals[];
+} sPAPRCapPossible;
+
 typedef struct sPAPRCapabilityInfo {
 const char *name;
 const char *description;
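Review bot: `const char *vals[];` makes sPAPRCapPossible a flexible-array-member struct, so tables defined as `sPAPRCapPossible cap_sbbc_possible = { .num = 3, .vals = {"broken", "workaround", "fixed"}, ... }` (as in 24/30) rely on a GCC extension (static initialisation of a flexible array member, also accepted by clang under -Wgnu-flexible-array-initializer); if that is acceptable for QEMU's supported compilers, say so in the comment, otherwise give `vals` a fixed upper bound. The ordering note also deserves stronger wording: the `val > kvm_val` comparisons in the apply callbacks depend on it, so it is an invariant of the mechanism rather than a style preference, and the comment should state that `num` must equal the number of entries in `vals`, because the string getter indexes by `value < num` with no further check.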
@@ -41,6 +55,8 @@ typedef struct sPAPRCapabilityInfo {
 ObjectPropertyAccessor *get;
 ObjectPropertyAccessor *set;
 const char *type;
+/* Possible values if this is a custom string type */
+sPAPRCapPossible *possible;
 /* Make sure the virtual hardware can support this capability */
 void (*apply)(sPAPRMachineState *spapr, uint8_t val, Error **errp);
 } sPAPRCapabilityInfo;
@@ -133,6 +149,60 @@ out:
 g_free(val);
 }
 
+static void ATTRIBUTE_UNUSED spapr_cap_get_string(Object *obj, Visitor *v,
+  const char *name,
+  void *opaque, Error **errp)
+{
+sPAPRCapabilityInfo *cap = opaque;
+sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+char *val = NULL;
+uint8_t value = spapr_get_cap(spapr, cap->index);
+
+if (value >= cap->possible->num) {
+error_setg(errp, "Invalid value (%d) for cap-%s", value, cap->name);
+return;
+}
+
+val = g_strdup(cap->possible->vals[value]);
+
+visit_type_str(v, name, , errp);
+g_free(val);
+}
+
+static void ATTRIBUTE_UNUSED spapr_cap_set_string(Object *obj, Visitor *v,
+  const char *name,
+  void *opaque, Error **errp)
+{
+sPAPRCapabilityInfo *cap = opaque;
+sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+Error *local_err = NULL;
+uint8_t i;
+char *val;
+
+visit_type_str(v, name, , _err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+if (!strcmp(val, "?")) {
+error_setg(errp, "%s", cap->possible->help);
+goto out;
+}
+for (i = 0; i < cap->possible->num; i++) {
+if (!strcasecmp(val, cap->possible->vals[i])) {
+spapr->cmd_line_caps[cap->index] = true;
+spapr->eff.caps[cap->index] = i;
+goto out;
+}
+}
+
+error_setg(errp, "Invalid capability mode \"%s\" for cap-%s", val,
+   cap->name);
+out:
+g_free(val);
+}
+
 static void cap_htm_apply(sPAPRMachineState *spapr, uint8_t val, Error **errp)
 {
 if (!val) {
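Review bot: spapr_cap_get_string() and spapr_cap_set_string() dereference `cap->possible` unconditionally, so a capability_table entry that uses these accessors but leaves `.possible` unset would crash on the first property access instead of failing cleanly; an `assert(cap->possible)` at the top of each (or a one-time check wherever the table is validated) makes the contract explicit. In the setter, `uint8_t i` is compared against the `int` field `cap->possible->num`; use `int` for the loop index so the loop cannot wrap silently if a table ever exceeds 255 entries. Note also that the `"?"` case delivers the help text via error_setg(), so `-machine cap-foo=?` exits QEMU with an error status rather than printing help and exiting successfully; that is the convention dwg refers to, but a comment is warranted since callers may not expect help to be an error path.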
-- 
2.14.3




[Qemu-devel] [PULL 29/30] adb: add trace-events for monitoring keyboard/mouse during bus enumeration

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

This is useful to help diagnose problems related to address clashes during
MacOS 9 boot.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/input/adb-kbd.c| 4 
 hw/input/adb-mouse.c  | 5 +
 hw/input/trace-events | 5 +
 3 files changed, 14 insertions(+)

diff --git a/hw/input/adb-kbd.c b/hw/input/adb-kbd.c
index 266aed1b7b..50b62712c8 100644
--- a/hw/input/adb-kbd.c
+++ b/hw/input/adb-kbd.c
@@ -258,6 +258,7 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
 case ADB_CMD_CHANGE_ID_AND_ACT:
 case ADB_CMD_CHANGE_ID_AND_ENABLE:
 d->devaddr = buf[1] & 0xf;
+trace_adb_kbd_request_change_addr(d->devaddr);
 break;
 default:
 d->devaddr = buf[1] & 0xf;
@@ -269,6 +270,9 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
 if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3) {
 d->handler = buf[2];
 }
+
+trace_adb_kbd_request_change_addr_and_handler(d->devaddr,
+  d->handler);
 break;
 }
 }
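Review bot: trace_adb_kbd_request_change_addr_and_handler() is placed after the `if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3)` filter, so when the guest asks for a handler ID outside that set the trace reports the old, unchanged `d->handler` with nothing indicating the request was ignored, which is precisely the situation an address-clash investigation needs to see; pass the requested `buf[2]` as an additional argument (or add a separate rejected-handler trace point). The matching adb-mouse hunk has the same shape.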
diff --git a/hw/input/adb-mouse.c b/hw/input/adb-mouse.c
index 47e88faf25..3ba6027d33 100644
--- a/hw/input/adb-mouse.c
+++ b/hw/input/adb-mouse.c
@@ -118,6 +118,7 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
 s->dx = 0;
 s->dy = 0;
 s->dz = 0;
+trace_adb_mouse_flush();
 return 0;
 }
 
@@ -138,6 +139,7 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
 case ADB_CMD_CHANGE_ID_AND_ACT:
 case ADB_CMD_CHANGE_ID_AND_ENABLE:
 d->devaddr = buf[1] & 0xf;
+trace_adb_mouse_request_change_addr(d->devaddr);
 break;
 default:
 d->devaddr = buf[1] & 0xf;
@@ -155,6 +157,9 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
 if (buf[2] == 1 || buf[2] == 2) {
 d->handler = buf[2];
 }
+
+trace_adb_mouse_request_change_addr_and_handler(d->devaddr,
+d->handler);
 break;
 }
 }
diff --git a/hw/input/trace-events b/hw/input/trace-events
index 5affabc81d..db72484a25 100644
--- a/hw/input/trace-events
+++ b/hw/input/trace-events
@@ -4,10 +4,15 @@
 adb_kbd_no_key(void) "Ignoring NO_KEY"
 adb_kbd_writereg(int reg, uint8_t val) "reg %d val 0x%2.2x"
 adb_kbd_readreg(int reg, uint8_t val0, uint8_t val1) "reg %d obuf[0] 0x%2.2x 
obuf[1] 0x%2.2x"
+adb_kbd_request_change_addr(int devaddr) "change addr to 0x%x"
+adb_kbd_request_change_addr_and_handler(int devaddr, int handler) "change addr 
and handler to 0x%x, 0x%x"
 
 # hw/input/adb-mouse.c
+adb_mouse_flush(void) "flush"
 adb_mouse_writereg(int reg, uint8_t val) "reg %d val 0x%2.2x"
 adb_mouse_readreg(int reg, uint8_t val0, uint8_t val1) "reg %d obuf[0] 0x%2.2x 
obuf[1] 0x%2.2x"
+adb_mouse_request_change_addr(int devaddr) "change addr to 0x%x"
+adb_mouse_request_change_addr_and_handler(int devaddr, int handler) "change 
addr and handler to 0x%x, 0x%x"
 
 # hw/input/ps2.c
 ps2_put_keycode(void *opaque, int keycode) "%p keycode 0x%02x"
-- 
2.14.3




[Qemu-devel] [PULL 20/30] macio: remove macio_init() function

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Move the remaining comment into macio.c for reference, then remove the
macio_init() function and instantiate the macio devices for both Old World
and New World machines via qdev_init_nofail() directly.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 11 +++
 hw/ppc/mac_newworld.c |  4 +---
 hw/ppc/mac_oldworld.c |  4 +---
 3 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index f71ed61819..af1bd46b4b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -33,6 +33,9 @@
 #include "hw/misc/macio/macio.h"
 #include "hw/intc/heathrow_pic.h"
 
+/* Note: this code is strongly inspirated from the corresponding code
+ * in PearPC */
+
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
  * while the other one is the normal, current ESCC interface.
@@ -442,11 +445,3 @@ static void macio_register_types(void)
 }
 
 type_init(macio_register_types)
-
-void macio_init(PCIDevice *d,
-MemoryRegion *pic_mem)
-{
-/* Note: this code is strongly inspirated from the corresponding code
-   in PearPC */
-qdev_init_nofail(DEVICE(d));
-}
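Review bot: the comment moved to the top of macio.c still says "strongly inspirated from"; since this hunk rewrites it anyway, change it to "strongly inspired by" at the same time. With macio_init() deleted, also check that its prototype is removed from whichever header declared it: the diffstat only lists macio.c, mac_newworld.c and mac_oldworld.c, so a dangling declaration may be left behind.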
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index c7960ab67a..a749e2565d 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -160,7 +160,6 @@ static void ppc_core99_init(MachineState *machine)
 MacIONVRAMState *nvr;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
-MemoryRegion *pic_mem;
 int ppc_boot_device;
 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
 void *fw_cfg;
@@ -337,7 +336,6 @@ static void ppc_core99_init(MachineState *machine)
 qdev_prop_set_uint32(pic_dev, "model", OPENPIC_MODEL_KEYLARGO);
 qdev_init_nofail(pic_dev);
 s = SYS_BUS_DEVICE(pic_dev);
-pic_mem = s->mmio[0].memory;
 k = 0;
 for (i = 0; i < smp_cpus; i++) {
 for (j = 0; j < OPENPIC_OUTPUT_NB; j++) {
@@ -381,7 +379,7 @@ static void ppc_core99_init(MachineState *machine)
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
-macio_init(PCI_DEVICE(macio), pic_mem);
+qdev_init_nofail(dev);
 
 /* We only emulate 2 out of 3 IDE controllers for now */
 ide_drive_get(hd, ARRAY_SIZE(hd));
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 3ac5b19073..935493c966 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -96,7 +96,6 @@ static void ppc_heathrow_init(MachineState *machine)
 OldWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 DeviceState *dev, *pic_dev;
-SysBusDevice *sbd;
 BusState *adb_bus;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
@@ -283,8 +282,7 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
-sbd = SYS_BUS_DEVICE(pic_dev);
-macio_init(PCI_DEVICE(macio), sysbus_mmio_get_region(sbd, 0));
+qdev_init_nofail(dev);
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
-- 
2.14.3




[Qemu-devel] [PULL 18/30] mac_newworld: use object link to pass OpenPIC object to macio

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Also switch macio_newworld_realize() over to use it rather than using the pic_mem
memory region directly.

Now that both Old World and New World macio devices no longer make use of the
pic_mem memory region directly, we can remove it.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 14 +-
 hw/ppc/mac_newworld.c | 20 +++-
 include/hw/misc/macio/macio.h |  4 +++-
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index d4c1d190c4..e5288f1084 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -279,10 +279,10 @@ static void macio_newworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
 sysbus_connect_irq(sysbus_dev, 1, ns->irqs[cur_irq++]);
 
-if (s->pic_mem) {
-/* OpenPIC */
-memory_region_add_subregion(>bar, 0x4, s->pic_mem);
-}
+/* OpenPIC */
+sysbus_dev = SYS_BUS_DEVICE(ns->pic);
+memory_region_add_subregion(>bar, 0x4,
+sysbus_mmio_get_region(sysbus_dev, 0));
 
 /* IDE buses */
 for (i = 0; i < ARRAY_SIZE(ns->ide); i++) {
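Review bot: replacing `if (s->pic_mem) { ... }` with an unconditional `sysbus_dev = SYS_BUS_DEVICE(ns->pic);` turns a previously tolerated missing PIC into a NULL dereference at realize time whenever the "pic" link has not been set; since a link property is optional from QOM's point of view, check `ns->pic`, `error_setg(errp, ...)` and return when it is NULL (or document the link as mandatory) rather than relying on every board to set it before qdev_init_nofail().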
@@ -311,6 +311,11 @@ static void macio_newworld_init(Object *obj)
 
 qdev_init_gpio_out(DEVICE(obj), ns->irqs, ARRAY_SIZE(ns->irqs));
 
+object_property_add_link(obj, "pic", TYPE_OPENPIC,
+ (Object **) >pic,
+ qdev_prop_allow_set_link_before_realize,
+ 0, NULL);
+
 for (i = 0; i < 2; i++) {
 macio_init_ide(s, >ide[i], sizeof(ns->ide[i]), i);
 }
@@ -441,7 +446,6 @@ void macio_init(PCIDevice *d,
 {
 MacIOState *macio_state = MACIO(d);
 
-macio_state->pic_mem = pic_mem;
 /* Note: this code is strongly inspirated from the corresponding code
in PearPC */
 qdev_prop_set_uint64(DEVICE(_state->cuda), "timebase-frequency",
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 396216954e..c7960ab67a 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -154,7 +154,7 @@ static void ppc_core99_init(MachineState *machine)
 hwaddr kernel_base, initrd_base, cmdline_base = 0;
 long kernel_size, initrd_size;
 PCIBus *pci_bus;
-PCIDevice *macio;
+NewWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 BusState *adb_bus;
 MacIONVRAMState *nvr;
@@ -166,7 +166,7 @@ static void ppc_core99_init(MachineState *machine)
 void *fw_cfg;
 int machine_arch;
 SysBusDevice *s;
-DeviceState *dev;
+DeviceState *dev, *pic_dev;
 int *token = g_new(int, 1);
 hwaddr nvram_addr = 0xFFF04000;
 uint64_t tbfreq;
@@ -333,10 +333,10 @@ static void ppc_core99_init(MachineState *machine)
 
 pic = g_new0(qemu_irq, 64);
 
-dev = qdev_create(NULL, TYPE_OPENPIC);
-qdev_prop_set_uint32(dev, "model", OPENPIC_MODEL_KEYLARGO);
-qdev_init_nofail(dev);
-s = SYS_BUS_DEVICE(dev);
+pic_dev = qdev_create(NULL, TYPE_OPENPIC);
+qdev_prop_set_uint32(pic_dev, "model", OPENPIC_MODEL_KEYLARGO);
+qdev_init_nofail(pic_dev);
+s = SYS_BUS_DEVICE(pic_dev);
 pic_mem = s->mmio[0].memory;
 k = 0;
 for (i = 0; i < smp_cpus; i++) {
@@ -346,7 +346,7 @@ static void ppc_core99_init(MachineState *machine)
 }
 
 for (i = 0; i < 64; i++) {
-pic[i] = qdev_get_gpio_in(dev, i);
+pic[i] = qdev_get_gpio_in(pic_dev, i);
 }
 
 if (PPC_INPUT(env) == PPC_FLAGS_INPUT_970) {
@@ -369,7 +369,7 @@ static void ppc_core99_init(MachineState *machine)
 }
 
 /* MacIO */
-macio = pci_create(pci_bus, -1, TYPE_NEWWORLD_MACIO);
+macio = NEWWORLD_MACIO(pci_create(pci_bus, -1, TYPE_NEWWORLD_MACIO));
 dev = DEVICE(macio);
 qdev_connect_gpio_out(dev, 0, pic[0x19]); /* CUDA */
 qdev_connect_gpio_out(dev, 1, pic[0x24]); /* ESCC-B */
@@ -379,7 +379,9 @@ static void ppc_core99_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0e]); /* IDE */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
-macio_init(macio, pic_mem);
+object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
+ _abort);
+macio_init(PCI_DEVICE(macio), pic_mem);
 
 /* We only emulate 2 out of 3 IDE controllers for now */
 ide_drive_get(hd, ARRAY_SIZE(hd));
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index 843c114c07..4528282b36 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -29,6 +29,7 @@
 #include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
 #include "hw/ppc/mac_dbdma.h"
+#include "hw/ppc/openpic.h"
 
 #define TYPE_MACIO "macio"
 

[Qemu-devel] [PULL 25/30] ppc/spapr-caps: Convert cap-ibs to custom spapr-cap

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

Convert cap-ibs (indirect branch speculation) to a custom spapr-cap
type.

All tristate caps have now been converted to custom spapr-caps, so
remove the remaining support for them.

Signed-off-by: Suraj Jitindar Singh 
[dwg: Don't explicitly list "?"/help option, trust convention]
[dwg: Fold tristate removal into here, to not break bisect]
[dwg: Fix minor style problems]
Signed-off-by: David Gibson 
---
 hw/ppc/spapr_caps.c| 90 ++
 hw/ppc/spapr_hcall.c   |  5 ++-
 include/hw/ppc/spapr.h |  5 ++-
 target/ppc/kvm.c   |  6 ++--
 4 files changed, 36 insertions(+), 70 deletions(-)

diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 8748692425..da1f519e13 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -89,65 +89,6 @@ static void spapr_cap_set_bool(Object *obj, Visitor *v, 
const char *name,
 spapr->eff.caps[cap->index] = value ? SPAPR_CAP_ON : SPAPR_CAP_OFF;
 }
 
-static void spapr_cap_get_tristate(Object *obj, Visitor *v, const char *name,
-   void *opaque, Error **errp)
-{
-sPAPRCapabilityInfo *cap = opaque;
-sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-char *val = NULL;
-uint8_t value = spapr_get_cap(spapr, cap->index);
-
-switch (value) {
-case SPAPR_CAP_BROKEN:
-val = g_strdup("broken");
-break;
-case SPAPR_CAP_WORKAROUND:
-val = g_strdup("workaround");
-break;
-case SPAPR_CAP_FIXED:
-val = g_strdup("fixed");
-break;
-default:
-error_setg(errp, "Invalid value (%d) for cap-%s", value, cap->name);
-return;
-}
-
-visit_type_str(v, name, , errp);
-g_free(val);
-}
-
-static void spapr_cap_set_tristate(Object *obj, Visitor *v, const char *name,
-   void *opaque, Error **errp)
-{
-sPAPRCapabilityInfo *cap = opaque;
-sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-char *val;
-Error *local_err = NULL;
-uint8_t value;
-
-visit_type_str(v, name, , _err);
-if (local_err) {
-error_propagate(errp, local_err);
-return;
-}
-
-if (!strcasecmp(val, "broken")) {
-value = SPAPR_CAP_BROKEN;
-} else if (!strcasecmp(val, "workaround")) {
-value = SPAPR_CAP_WORKAROUND;
-} else if (!strcasecmp(val, "fixed")) {
-value = SPAPR_CAP_FIXED;
-} else {
-error_setg(errp, "Invalid capability mode \"%s\" for cap-%s", val,
-   cap->name);
-goto out;
-}
-
-spapr->cmd_line_caps[cap->index] = true;
-spapr->eff.caps[cap->index] = value;
-out:
-g_free(val);
-}
 
 static void  spapr_cap_get_string(Object *obj, Visitor *v, const char *name,
   void *opaque, Error **errp)
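Review bot: deleting spapr_cap_set_tristate() leaves two consecutive blank lines before `static void  spapr_cap_get_string(...)` (the blank after the preceding `}` plus the one kept at the end of the removed block), and that signature already has a doubled space between `void` and the function name; tidy both while the region is being touched.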
@@ -294,16 +235,31 @@ static void cap_safe_bounds_check_apply(sPAPRMachineState 
*spapr, uint8_t val,
 }
 }
 
+sPAPRCapPossible cap_ibs_possible = {
+.num = 4,
+/* Note workaround only maintained for compatibility */
+.vals = {"broken", "workaround", "fixed-ibs", "fixed-ccd"},
+.help = "broken - no protection, fixed-ibs - indirect branch 
serialisation,"
+" fixed-ccd - cache count disabled",
+};
+
 static void cap_safe_indirect_branch_apply(sPAPRMachineState *spapr,
uint8_t val, Error **errp)
 {
+uint8_t kvm_val = kvmppc_get_cap_safe_indirect_branch();
+
 if (val == SPAPR_CAP_WORKAROUND) { /* Can only be Broken or Fixed */
-error_setg(errp, "Requested safe indirect branch capability level 
\"workaround\" not valid, try cap-ibs=fixed");
+error_setg(errp,
+"Requested safe indirect branch capability level \"workaround\" not valid, try 
cap-ibs=%s",
+   cap_ibs_possible.vals[kvm_val]);
 } else if (tcg_enabled() && val) {
 /* TODO - for now only allow broken for TCG */
-error_setg(errp, "Requested safe indirect branch capability level not 
supported by tcg, try a different value for cap-ibs");
-} else if (kvm_enabled() && (val > kvmppc_get_cap_safe_indirect_branch())) 
{
-error_setg(errp, "Requested safe indirect branch capability level not 
supported by kvm, try a different value for cap-ibs");
+error_setg(errp,
+"Requested safe indirect branch capability level not supported by tcg, try a 
different value for cap-ibs");
+} else if (kvm_enabled() && val && (val != kvm_val)) {
+error_setg(errp,
+"Requested safe indirect branch capability level not supported by kvm, try 
cap-ibs=%s",
+   cap_ibs_possible.vals[kvm_val]);
 }
 }
 
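Review bot: `cap_ibs_possible.vals[kvm_val]` is used as an index in two error branches with no check that `kvm_val < cap_ibs_possible.num`, and in the `val == SPAPR_CAP_WORKAROUND` branch it is evaluated even under TCG, where kvmppc_get_cap_safe_indirect_branch() comes from the stub; bounds-check the index and, when tcg_enabled(), suggest `broken` explicitly. The kvm check `val && (val != kvm_val)` is an equality test where the other caps use `val > kvm_val`, because `fixed-ibs` and `fixed-ccd` are alternative mitigations rather than a superset chain; that contradicts the ordering rule documented on sPAPRCapPossible in 22/30 ("later options are a superset of all preceding options"), so note the exception next to `cap_ibs_possible` or relax the struct comment. The `.help` text also leaves out `workaround`, which `.vals` still accepts for compatibility, so `-machine cap-ibs=?` will not list a value the parser takes; state that it is accepted but deprecated.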
@@ -359,11 +315,13 @@ sPAPRCapabilityInfo capability_table[SPAPR_CAP_NUM] = {
 },
 [SPAPR_CAP_IBS] = {
 .name = "ibs",
-.description = "Indirect Branch Serialisation (broken, fixed)",
+.description =
+

[Qemu-devel] [PULL 14/30] macio: move macio related structures and defines into separate macio.h file

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 43 +
 hw/ppc/mac.h  |  3 --
 hw/ppc/mac_newworld.c |  1 +
 hw/ppc/mac_oldworld.c |  1 +
 include/hw/misc/macio/macio.h | 75 +++
 5 files changed, 78 insertions(+), 45 deletions(-)
 create mode 100644 include/hw/misc/macio/macio.h

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 1c10d8a1d7..4e502ede2e 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -30,48 +30,7 @@
 #include "hw/pci/pci.h"
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/char/escc.h"
-
-#define TYPE_MACIO "macio"
-#define MACIO(obj) OBJECT_CHECK(MacIOState, (obj), TYPE_MACIO)
-
-typedef struct MacIOState
-{
-/*< private >*/
-PCIDevice parent;
-/*< public >*/
-
-MemoryRegion bar;
-CUDAState cuda;
-DBDMAState dbdma;
-ESCCState escc;
-MemoryRegion *pic_mem;
-uint64_t frequency;
-} MacIOState;
-
-#define OLDWORLD_MACIO(obj) \
-OBJECT_CHECK(OldWorldMacIOState, (obj), TYPE_OLDWORLD_MACIO)
-
-typedef struct OldWorldMacIOState {
-/*< private >*/
-MacIOState parent_obj;
-/*< public >*/
-
-qemu_irq irqs[7];
-
-MacIONVRAMState nvram;
-MACIOIDEState ide[2];
-} OldWorldMacIOState;
-
-#define NEWWORLD_MACIO(obj) \
-OBJECT_CHECK(NewWorldMacIOState, (obj), TYPE_NEWWORLD_MACIO)
-
-typedef struct NewWorldMacIOState {
-/*< private >*/
-MacIOState parent_obj;
-/*< public >*/
-qemu_irq irqs[7];
-MACIOIDEState ide[2];
-} NewWorldMacIOState;
+#include "hw/misc/macio/macio.h"
 
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 5b5fffdff3..a02f797598 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -47,9 +47,6 @@
 
 
 /* MacIO */
-#define TYPE_OLDWORLD_MACIO "macio-oldworld"
-#define TYPE_NEWWORLD_MACIO "macio-newworld"
-
 #define TYPE_MACIO_IDE "macio-ide"
 #define MACIO_IDE(obj) OBJECT_CHECK(MACIOIDEState, (obj), TYPE_MACIO_IDE)
 
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 5e82158759..396216954e 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -60,6 +60,7 @@
 #include "hw/boards.h"
 #include "hw/nvram/fw_cfg.h"
 #include "hw/char/escc.h"
+#include "hw/misc/macio/macio.h"
 #include "hw/ppc/openpic.h"
 #include "hw/ide.h"
 #include "hw/loader.h"
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 06a61220cb..5903ff47d3 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -37,6 +37,7 @@
 #include "hw/boards.h"
 #include "hw/nvram/fw_cfg.h"
 #include "hw/char/escc.h"
+#include "hw/misc/macio/macio.h"
 #include "hw/ide.h"
 #include "hw/loader.h"
 #include "elf.h"
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
new file mode 100644
index 00..e1e249f898
--- /dev/null
+++ b/include/hw/misc/macio/macio.h
@@ -0,0 +1,75 @@
+/*
+ * PowerMac MacIO device emulation
+ *
+ * Copyright (c) 2005-2007 Fabrice Bellard
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef MACIO_H
+#define MACIO_H
+
+#include "hw/misc/macio/cuda.h"
+#include "hw/ppc/mac_dbdma.h"
+
+#define TYPE_MACIO "macio"
+#define MACIO(obj) OBJECT_CHECK(MacIOState, (obj), TYPE_MACIO)
+
+typedef struct MacIOState {
+/*< private >*/
+PCIDevice parent;
+/*< public >*/
+
+MemoryRegion bar;
+CUDAState cuda;
+DBDMAState dbdma;
+ESCCState escc;
+MemoryRegion *pic_mem;
+uint64_t frequency;
+} MacIOState;
+
+#define TYPE_OLDWORLD_MACIO "macio-oldworld"
+#define OLDWORLD_MACIO(obj) \
+
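Review bot: the new include/hw/misc/macio/macio.h includes only cuda.h and mac_dbdma.h, yet MacIOState embeds `PCIDevice`, `ESCCState` and `MemoryRegion`, and the derived structs use `qemu_irq`, `MacIONVRAMState` and `MACIOIDEState`; it compiles only because macio.c, mac_newworld.c and mac_oldworld.c each include hw/char/escc.h (and, for macio.c, hw/pci/pci.h) ahead of it, as the other hunks in this patch show. Make the header self-contained by including hw/pci/pci.h, hw/char/escc.h and hw/ppc/mac.h (which the mac.h hunk shows defines MACIO_IDE) so a future includer does not depend on include order.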

[Qemu-devel] [PULL 26/30] ppc/spapr-caps: Define the pseries-2.12-sxxm machine type

2018-03-05 Thread David Gibson
From: Suraj Jitindar Singh 

The sxxm (speculative execution exploit mitigation) machine type is a
variant of the 2.12 machine type with workarounds for speculative
execution vulnerabilities enabled by default.

Signed-off-by: Suraj Jitindar Singh 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c  | 17 +
 hw/ppc/spapr_caps.c | 11 +++
 2 files changed, 28 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 1c2703cb6b..1b6ddd827e 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3983,6 +3983,23 @@ static void 
spapr_machine_2_12_class_options(MachineClass *mc)
 
 DEFINE_SPAPR_MACHINE(2_12, "2.12", true);
 
+static void spapr_machine_2_12_sxxm_instance_options(MachineState *machine)
+{
+spapr_machine_2_12_instance_options(machine);
+}
+
+static void spapr_machine_2_12_sxxm_class_options(MachineClass *mc)
+{
+sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
+
+spapr_machine_2_12_class_options(mc);
+smc->default_caps.caps[SPAPR_CAP_CFPC] = SPAPR_CAP_WORKAROUND;
+smc->default_caps.caps[SPAPR_CAP_SBBC] = SPAPR_CAP_WORKAROUND;
+smc->default_caps.caps[SPAPR_CAP_IBS] = SPAPR_CAP_FIXED_CCD;
+}
+
+DEFINE_SPAPR_MACHINE(2_12_sxxm, "2.12-sxxm", false);
+
 /*
  * pseries-2.11
  */
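Review bot: the class options set SPAPR_CAP_IBS to SPAPR_CAP_FIXED_CCD, a specific hardware-fixed level rather than the "workarounds" the commit message describes, and combined with the `kvm_enabled() && val && (val != kvm_val)` test in cap_safe_indirect_branch_apply() (25/30) that means pseries-2.12-sxxm refuses to start on a KVM host whose kernel reports `fixed-ibs`; the `tcg_enabled() && val` rejections in the sbbc and ibs apply callbacks also suggest it cannot start under TCG unless the caps are overridden on the command line. Either document that this machine type requires a host exposing the CCD mitigation or derive the default from the reported host capability. spapr_machine_2_12_sxxm_instance_options() is a pure pass-through to the 2.12 version; if DEFINE_SPAPR_MACHINE requires it, a one-line comment saying so would stop the next reader from deleting it.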
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index da1f519e13..531e145114 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -335,15 +335,26 @@ static sPAPRCapabilities 
default_caps_with_cpu(sPAPRMachineState *spapr,
 
 caps = smc->default_caps;
 
+if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_3_00,
+  0, spapr->max_compat_pvr)) {
+caps.caps[SPAPR_CAP_CFPC] = SPAPR_CAP_BROKEN;
+}
+
 if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_07,
   0, spapr->max_compat_pvr)) {
 caps.caps[SPAPR_CAP_HTM] = SPAPR_CAP_OFF;
 }
 
+if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_06_PLUS,
+  0, spapr->max_compat_pvr)) {
+caps.caps[SPAPR_CAP_SBBC] = SPAPR_CAP_BROKEN;
+}
+
 if (!ppc_check_compat(cpu, CPU_POWERPC_LOGICAL_2_06,
   0, spapr->max_compat_pvr)) {
 caps.caps[SPAPR_CAP_VSX] = SPAPR_CAP_OFF;
 caps.caps[SPAPR_CAP_DFP] = SPAPR_CAP_OFF;
+caps.caps[SPAPR_CAP_IBS] = SPAPR_CAP_BROKEN;
 }
 
 return caps;
-- 
2.14.3




[Qemu-devel] [PULL 00/30] ppc-for-2.12 queue 20180306

2018-03-05 Thread David Gibson
The following changes since commit f2bb2d14c2958f3f5aef456bd2cdb1ff99f4a562:

  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into 
staging (2018-03-05 16:41:20 +)

are available in the Git repository at:

  git://github.com/dgibson/qemu.git tags/ppc-for-2.12-20180306

for you to fetch changes up to 21b786f607b11d888f90bbb8c3414500515d11e7:

  PowerPC: Add TS bits into msr_mask (2018-03-06 13:16:29 +1100)


ppc patch queue 2018-03-06

This pull request supersedes ppc-for-2.12-20180302 which had compile
problems with some gcc versions.  It also contains a few additional
patches.

Highlights are:
* New Sam460ex machine type
* Yet more fixes related to vcpu id allocation for spapr
* Numerous macio cleanups
* Some enhancements to the Spectre/Meltdown fixes for pseries,
  allowing use of a better mitigation for indirect branch based
  exploits
* New pseries machine types with Spectre/Meltdown mitigations
  enabled (stop gap until libvirt and management understands the
  machine options)
* A handful of other fixes


BALATON Zoltan (5):
  ppc440_uc: Fix uninitialized variable warning with older gcc
  ppc440: Add emulation of plb-pcix controller found in some 440 SoCs
  roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)
  pc-bios: Added u-boot-sam460 firmware binary
  ppc: Add aCube Sam460ex board

David Engraf (1):
  PPC: e500: Fix duplicate kernel load and device tree overlap

Greg Kurz (3):
  spapr: fix missing CPU core nodes in DT when running with TCG
  spapr: register dummy ICPs later
  spapr: harden code that depends on VSMT

Mark Cave-Ayland (13):
  macio: embed DBDMA device directly within macio
  macio: move ESCC device within the macio device
  heathrow: QOMify heathrow PIC
  heathrow: convert to trace-events
  heathrow: change heathrow_pic_init() to return the heathrow device
  macio: move macio related structures and defines into separate macio.h file
  mac_oldworld: use object link to pass heathrow PIC object to macio
  openpic: move KVM-specific declarations into separate openpic_kvm.h file
  openpic: move OpenPIC state and related definitions to openpic.h
  mac_newworld: use object link to pass OpenPIC object to macio
  macio: move setting of CUDA timebase frequency to macio_common_realize()
  macio: remove macio_init() function
  adb: add trace-events for monitoring keyboard/mouse during bus enumeration

Nikunj A Dadhania (1):
  hw/ppc/spapr,e500: Use new property "stdout-path" for boot console

Simon Guo (1):
  PowerPC: Add TS bits into msr_mask

Suraj Jitindar Singh (6):
  target/ppc: Check mask when setting cap_ppc_safe_indirect_branch
  ppc/spapr-caps: Add support for custom spapr_capabilities
  ppc/spapr-caps: Convert cap-cfpc to custom spapr-cap
  ppc/spapr-caps: Convert cap-sbbc to custom spapr-cap
  ppc/spapr-caps: Convert cap-ibs to custom spapr-cap
  ppc/spapr-caps: Define the pseries-2.12-sxxm machine type

 .gitmodules|   3 +
 Makefile   |   4 +-
 default-configs/ppc-softmmu.mak|   2 +
 default-configs/ppcemb-softmmu.mak |   1 +
 hw/input/adb-kbd.c |   4 +
 hw/input/adb-mouse.c   |   5 +
 hw/input/trace-events  |   5 +
 hw/intc/heathrow_pic.c | 166 +-
 hw/intc/openpic.c  | 157 --
 hw/intc/openpic_kvm.c  |   1 +
 hw/intc/trace-events   |   5 +
 hw/misc/macio/macio.c  | 150 +
 hw/ppc/Makefile.objs   |   3 +-
 hw/ppc/e500.c  | 124 +---
 hw/ppc/mac.h   |  10 +-
 hw/ppc/mac_newworld.c  |  56 ++--
 hw/ppc/mac_oldworld.c  |  50 ++-
 hw/ppc/ppc440_pcix.c   | 528 
 hw/ppc/ppc440_uc.c |   3 +
 hw/ppc/sam460ex.c  | 603 +
 hw/ppc/spapr.c | 176 ++-
 hw/ppc/spapr_caps.c| 153 +++---
 hw/ppc/spapr_hcall.c   |   5 +-
 hw/ppc/trace-events|   8 +
 include/hw/intc/heathrow_pic.h |  49 +++
 include/hw/misc/macio/macio.h  |  79 +
 include/hw/ppc/openpic.h   | 160 +-
 include/hw/ppc/openpic_kvm.h   |   7 +
 include/hw/ppc/spapr.h |   5 +-
 pc-bios/canyonlands.dtb| Bin 0 -> 9779 bytes
 pc-bios/canyonlands.dts| 566 ++
 pc-bios/u-boot-sam460-20100605.bin | Bin 0 -> 524288 bytes
 roms/Makefile  |   7 +
 roms/u-boot-sam460ex   |   1 +
 target/ppc/kvm-stub.c  |   2 +-
 target/ppc/kvm.c   

[Qemu-devel] [PULL 27/30] hw/ppc/spapr, e500: Use new property "stdout-path" for boot console

2018-03-05 Thread David Gibson
From: Nikunj A Dadhania 

Linux kernel commit 2a9d832cc9aae21ea827520fef635b6c49a06c6d
(of: Add bindings for chosen node, stdout-path) deprecated chosen property
"linux,stdout-path" and "stdout".

Introduce the new property "stdout-path" and continue supporting the older
property to remain compatible with existing/older firmware. This older property
can be deprecated after 5 years.

Signed-off-by: Nikunj A Dadhania 
Signed-off-by: David Gibson 
---
 hw/ppc/e500.c  | 7 +++
 hw/ppc/spapr.c | 7 +++
 2 files changed, 14 insertions(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 13a34f50b7..ef541a00be 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -120,7 +120,14 @@ static void dt_serial_create(void *fdt, unsigned long long 
offset,
 qemu_fdt_setprop_string(fdt, "/aliases", alias, ser);
 
 if (defcon) {
+/*
+ * "linux,stdout-path" and "stdout" properties are deprecated by linux
+ * kernel. New platforms should only use the "stdout-path" property. 
Set
+ * the new property and continue using older property to remain
+ * compatible with the existing firmware.
+ */
 qemu_fdt_setprop_string(fdt, "/chosen", "linux,stdout-path", ser);
+qemu_fdt_setprop_string(fdt, "/chosen", "stdout-path", ser);
 }
 }
 
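Review bot: the six-line comment added in front of qemu_fdt_setprop_string() here is duplicated word for word in the spapr.c hunk of the same patch; either shrink each copy to a one-line pointer at the kernel commit named in the commit message (2a9d832cc9aae21ea827520fef635b6c49a06c6d) or move both property writes into a shared helper so the two explanations cannot drift apart. The comment also lists "stdout" as deprecated although neither file ever set it, which reads oddly without that context.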
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 1b6ddd827e..7e1c858566 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1053,7 +1053,14 @@ static void spapr_dt_chosen(sPAPRMachineState *spapr, 
void *fdt)
 }
 
 if (!spapr->has_graphics && stdout_path) {
+/*
+ * "linux,stdout-path" and "stdout" properties are deprecated by linux
+ * kernel. New platforms should only use the "stdout-path" property. 
Set
+ * the new property and continue using older property to remain
+ * compatible with the existing firmware.
+ */
 _FDT(fdt_setprop_string(fdt, chosen, "linux,stdout-path", 
stdout_path));
+_FDT(fdt_setprop_string(fdt, chosen, "stdout-path", stdout_path));
 }
 
 spapr_dt_ov5_platform_support(fdt, chosen);
-- 
2.14.3




[Qemu-devel] [PULL 30/30] PowerPC: Add TS bits into msr_mask

2018-03-05 Thread David Gibson
From: Simon Guo 

During migration, after MSR bits is synced, cpu_post_load() will use
msr_mask to determine which PPC MSR bits will be applied into the target
side. Hardware Transaction Memory(HTM) has been supported since Power8,
but TS0/TS1 bit was not in msr_mask yet. That will prevent target KVM
from loading TM checkpointed values.

This patch adds TS bits into msr_mask for Power8, so that transactional
application can be migrated across qemu.

Signed-off-by: Simon Guo 
Signed-off-by: David Gibson 
---
 target/ppc/translate_init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/ppc/translate_init.c b/target/ppc/translate_init.c
index 17a87df654..391b94b97d 100644
--- a/target/ppc/translate_init.c
+++ b/target/ppc/translate_init.c
@@ -8692,6 +8692,8 @@ POWERPC_FAMILY(POWER8)(ObjectClass *oc, void *data)
 (1ull << MSR_DR) |
 (1ull << MSR_PMM) |
 (1ull << MSR_RI) |
+(1ull << MSR_TS0) |
+(1ull << MSR_TS1) |
 (1ull << MSR_LE);
 pcc->mmu_model = POWERPC_MMU_2_07;
 #if defined(CONFIG_SOFTMMU)
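Review bot: only the POWERPC_FAMILY(POWER8) msr_mask gains MSR_TS0 and MSR_TS1; the commit message says HTM has been supported since Power8, so if the POWER9 family builds its msr_mask the same way it will need the same two bits for transactional guests to migrate, and the commit message should state whether leaving it out is intentional. A short comment next to the new bits noting that they are the transactional-state field consumed by cpu_post_load() would also help, since the surrounding list gives no hint why two adjacent bits are special.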
-- 
2.14.3




[Qemu-devel] [PULL 10/30] macio: move ESCC device within the macio device

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Now that the ESCC device is instantiated directly via qdev, move it to within
the macio device and wire up the IRQs and memory regions using the sysbus API.

This enables to remove the now-obsolete escc_mem parameter to the macio_init()
function.

(Note this patch also contains small touch-ups to the formatting in
macio_escc_legacy_setup() and ppc_heathrow_init() in order to keep checkpatch
happy)

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 60 ---
 hw/ppc/mac.h  |  3 +--
 hw/ppc/mac_newworld.c | 37 ---
 hw/ppc/mac_oldworld.c | 38 +---
 4 files changed, 63 insertions(+), 75 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 7174135c8b..1c10d8a1d7 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -43,8 +43,8 @@ typedef struct MacIOState
 MemoryRegion bar;
 CUDAState cuda;
 DBDMAState dbdma;
+ESCCState escc;
 MemoryRegion *pic_mem;
-MemoryRegion *escc_mem;
 uint64_t frequency;
 } MacIOState;
 
@@ -56,7 +56,7 @@ typedef struct OldWorldMacIOState {
 MacIOState parent_obj;
 /*< public >*/
 
-qemu_irq irqs[5];
+qemu_irq irqs[7];
 
 MacIONVRAMState nvram;
 MACIOIDEState ide[2];
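Review bot: `qemu_irq irqs[5]` becomes `qemu_irq irqs[7]` in both OldWorldMacIOState and NewWorldMacIOState as bare magic numbers, while the realize functions later in this patch fill the array with a running cur_irq counter; a named constant for the count, or an assert that cur_irq does not exceed ARRAY_SIZE(irqs) after the last sysbus_connect_irq(), would turn the next mismatch into a compile-time or realize-time failure instead of a silent overrun.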
@@ -69,7 +69,7 @@ typedef struct NewWorldMacIOState {
 /*< private >*/
 MacIOState parent_obj;
 /*< public >*/
-qemu_irq irqs[5];
+qemu_irq irqs[7];
 MACIOIDEState ide[2];
 } NewWorldMacIOState;
 
@@ -84,10 +84,12 @@ typedef struct NewWorldMacIOState {
  *
  * Reference: 
ftp://ftp.software.ibm.com/rs6000/technology/spec/chrp/inwork/CHRP_IORef_1.0.pdf
  */
-static void macio_escc_legacy_setup(MacIOState *macio_state)
+static void macio_escc_legacy_setup(MacIOState *s)
 {
+ESCCState *escc = ESCC(>escc);
+SysBusDevice *sbd = SYS_BUS_DEVICE(escc);
 MemoryRegion *escc_legacy = g_new(MemoryRegion, 1);
-MemoryRegion *bar = _state->bar;
+MemoryRegion *bar = >bar;
 int i;
 static const int maps[] = {
 0x00, 0x00, /* Command B */
@@ -102,25 +104,26 @@ static void macio_escc_legacy_setup(MacIOState 
*macio_state)
 0xb0, 0xb0, /* Detect AB */
 };
 
-memory_region_init(escc_legacy, OBJECT(macio_state), "escc-legacy", 256);
+memory_region_init(escc_legacy, OBJECT(s), "escc-legacy", 256);
 for (i = 0; i < ARRAY_SIZE(maps); i += 2) {
 MemoryRegion *port = g_new(MemoryRegion, 1);
-memory_region_init_alias(port, OBJECT(macio_state), "escc-legacy-port",
- macio_state->escc_mem, maps[i+1], 0x2);
+memory_region_init_alias(port, OBJECT(s), "escc-legacy-port",
+ sysbus_mmio_get_region(sbd, 0),
+ maps[i + 1], 0x2);
 memory_region_add_subregion(escc_legacy, maps[i], port);
 }
 
 memory_region_add_subregion(bar, 0x12000, escc_legacy);
 }
 
-static void macio_bar_setup(MacIOState *macio_state)
+static void macio_bar_setup(MacIOState *s)
 {
-MemoryRegion *bar = _state->bar;
+ESCCState *escc = ESCC(>escc);
+SysBusDevice *sbd = SYS_BUS_DEVICE(escc);
+MemoryRegion *bar = >bar;
 
-if (macio_state->escc_mem) {
-memory_region_add_subregion(bar, 0x13000, macio_state->escc_mem);
-macio_escc_legacy_setup(macio_state);
-}
+memory_region_add_subregion(bar, 0x13000, sysbus_mmio_get_region(sbd, 0));
+macio_escc_legacy_setup(s);
 }
 
 static void macio_common_realize(PCIDevice *d, Error **errp)
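Review bot: macio_bar_setup() drops the `if (macio_state->escc_mem)` guard, so the ESCC region is now mapped at 0x13000 and macio_escc_legacy_setup() runs unconditionally; for any caller that previously passed escc_mem == NULL this is a behaviour change and deserves a sentence in the commit message. While the function is being touched, the `escc_legacy` and per-port MemoryRegions are still allocated with g_new() and never released; pre-existing, but a TODO would stop it being forgotten.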
@@ -147,6 +150,12 @@ static void macio_common_realize(PCIDevice *d, Error 
**errp)
 memory_region_add_subregion(>bar, 0x16000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
+object_property_set_bool(OBJECT(>escc), true, "realized", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
 macio_bar_setup(s);
 pci_register_bar(d, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, >bar);
 }
@@ -185,6 +194,10 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_dev = SYS_BUS_DEVICE(>cuda);
 sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
 
+sysbus_dev = SYS_BUS_DEVICE(>escc);
+sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
+sysbus_connect_irq(sysbus_dev, 1, os->irqs[cur_irq++]);
+
 object_property_set_bool(OBJECT(>nvram), true, "realized", );
 if (err) {
 error_propagate(errp, err);
@@ -297,6 +310,10 @@ static void macio_newworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_dev = SYS_BUS_DEVICE(>cuda);
 sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
 
+sysbus_dev = SYS_BUS_DEVICE(>escc);
+sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
+

[Qemu-devel] [PULL 04/30] roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)

2018-03-05 Thread David Gibson
From: BALATON Zoltan 

Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 .gitmodules  | 3 +++
 roms/Makefile| 7 +++
 roms/u-boot-sam460ex | 1 +
 3 files changed, 11 insertions(+)
 create mode 16 roms/u-boot-sam460ex

diff --git a/.gitmodules b/.gitmodules
index 7a8282df46..b76fb450a4 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -43,3 +43,6 @@
 [submodule "roms/seabios-hppa"]
path = roms/seabios-hppa
url = git://github.com/hdeller/seabios-hppa.git
+[submodule "roms/u-boot-sam460ex"]
+   path = roms/u-boot-sam460ex
+   url = git://github.com/zbalaton/u-boot-sam460ex
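Review bot: the new submodule URL uses the git:// protocol, which provides neither transport authentication nor encryption, so the integrity of the fetched firmware source rests entirely on the pinned gitlink commit (119aa277f74a4a2d3f7ab6c9471292308eba14e4 in roms/u-boot-sam460ex). The neighbouring seabios-hppa entry does the same, so this is consistent with the file, but an https:// URL would close the tampering window during clone; either way the commit message should say which upstream tag or branch the pin corresponds to so it can be re-verified later.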
diff --git a/roms/Makefile b/roms/Makefile
index b5e5a69e91..02b69fbac8 100644
--- a/roms/Makefile
+++ b/roms/Makefile
@@ -65,6 +65,7 @@ default:
@echo "  slof   -- update slof.bin"
@echo "  skiboot-- update skiboot.lid"
@echo "  u-boot.e500-- update u-boot.e500"
+   @echo "  u-boot.sam460  -- update u-boot.sam460"
 
 bios: build-seabios-config-seabios-128k build-seabios-config-seabios-256k
cp seabios/builds/seabios-128k/bios.bin ../pc-bios/bios.bin
@@ -147,6 +148,11 @@ u-boot.e500:
$(powerpc_cross_prefix)strip u-boot/build.e500/u-boot -o \
../pc-bios/u-boot.e500
 
+u-boot.sam460:
+   $(MAKE) -C u-boot-sam460ex Sam460ex_config
+   $(MAKE) -C u-boot-sam460ex CROSS_COMPILE=$(powerpc_cross_prefix)
+   cp u-boot-sam460ex/u-boot.bin ../pc-bios/u-boot-sam460-20100605.bin
+
 skiboot:
$(MAKE) -C skiboot CROSS=$(powerpc64_cross_prefix)
cp skiboot/skiboot.lid ../pc-bios/skiboot.lid
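Review bot: the u-boot.sam460 target copies `u-boot-sam460ex/u-boot.bin` straight to `../pc-bios/u-boot-sam460-20100605.bin` with the date hard-coded in the Makefile, and unlike the u-boot.e500 rule just above it does not run $(powerpc_cross_prefix)strip on the output. If the unstripped binary is intentional and the date is meant to track the submodule pin, a comment saying so would keep the two from being changed independently.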
@@ -160,4 +166,5 @@ clean:
$(MAKE) -C ipxe/src veryclean
$(MAKE) -C SLOF clean
rm -rf u-boot/build.e500
+   $(MAKE) -C u-boot-sam460ex distclean
$(MAKE) -C skiboot clean
diff --git a/roms/u-boot-sam460ex b/roms/u-boot-sam460ex
new file mode 16
index 00..119aa277f7
--- /dev/null
+++ b/roms/u-boot-sam460ex
@@ -0,0 +1 @@
+Subproject commit 119aa277f74a4a2d3f7ab6c9471292308eba14e4
-- 
2.14.3




[Qemu-devel] [PULL 13/30] heathrow: change heathrow_pic_init() to return the heathrow device

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

This enables the device to be made available during the setup of the Old World
machine. In order to pass back the previous set of IRQs we temporarily introduce
a new pic_irqs parameter until it can be removed.

An additional benefit of this change is that it is also possible to remove the
pic_mem pointer used for macio by accessing the memory region via sysbus.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/intc/heathrow_pic.c | 10 ++
 hw/ppc/mac.h   |  4 ++--
 hw/ppc/mac_oldworld.c  |  9 +
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 5fd2b33a12..393fdd7326 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -170,13 +170,15 @@ static void heathrow_reset(DeviceState *d)
 static void heathrow_init(Object *obj)
 {
 HeathrowState *s = HEATHROW(obj);
+SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 
 memory_region_init_io(>mem, OBJECT(s), _ops, s,
   "heathrow-pic", 0x1000);
+sysbus_init_mmio(sbd, >mem);
 }
 
-qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
-int nb_cpus, qemu_irq **irqs)
+DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
+   qemu_irq **pic_irqs)
 {
 DeviceState *d;
 HeathrowState *s;
@@ -188,9 +190,9 @@ qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
 /* only 1 CPU */
 s->irqs = irqs[0];
 
-*pmem = >mem;
+*pic_irqs = qemu_allocate_irqs(heathrow_set_irq, s, HEATHROW_NUM_IRQS);
 
-return qemu_allocate_irqs(heathrow_set_irq, s, HEATHROW_NUM_IRQS);
+return d;
 }
 
 static void heathrow_class_init(ObjectClass *oc, void *data)
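Review bot: the new `qemu_irq **pic_irqs` out-parameter of heathrow_pic_init() is described in the commit message as temporary, but nothing in the code says so; a `/* TODO: drop once callers wire the PIC's IRQs themselves */` next to the prototype (here and in the mac.h hunk) keeps that intent visible to whoever touches it next.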
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 261b519aa5..5b5fffdff3 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -79,8 +79,8 @@ void macio_init(PCIDevice *dev,
 MemoryRegion *pic_mem);
 
 /* Heathrow PIC */
-qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
-int nb_cpus, qemu_irq **irqs);
+DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
+   qemu_irq **pic_irqs);
 
 /* Grackle PCI */
 #define TYPE_GRACKLE_PCI_HOST_BRIDGE "grackle-pcihost"
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 4401ce5af2..06a61220cb 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -94,11 +94,11 @@ static void ppc_heathrow_init(MachineState *machine)
 PCIBus *pci_bus;
 PCIDevice *macio;
 MACIOIDEState *macio_ide;
-DeviceState *dev;
+DeviceState *dev, *pic_dev;
+SysBusDevice *sbd;
 BusState *adb_bus;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
-MemoryRegion *pic_mem;
 uint16_t ppc_boot_device;
 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
 void *fw_cfg;
@@ -257,7 +257,7 @@ static void ppc_heathrow_init(MachineState *machine)
 error_report("Only 6xx bus is supported on heathrow machine");
 exit(1);
 }
-pic = heathrow_pic_init(_mem, 1, heathrow_irqs);
+pic_dev = heathrow_pic_init(1, heathrow_irqs, );
 pci_bus = pci_grackle_init(0xfec0, pic,
get_system_memory(),
get_system_io());
@@ -280,7 +280,8 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0E]); /* IDE-1 */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE-1 DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
-macio_init(macio, pic_mem);
+sbd = SYS_BUS_DEVICE(pic_dev);
+macio_init(macio, sysbus_mmio_get_region(sbd, 0));
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
-- 
2.14.3




[Qemu-devel] [PULL 09/30] macio: embed DBDMA device directly within macio

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

The current recommendation is to embed subdevices directly within their
container device, so do this for the DBDMA device.

Signed-off-by: Mark Cave-Ayland 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 024f8557ab..7174135c8b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -42,7 +42,7 @@ typedef struct MacIOState
 
 MemoryRegion bar;
 CUDAState cuda;
-DBDMAState *dbdma;
+DBDMAState dbdma;
 MemoryRegion *pic_mem;
 MemoryRegion *escc_mem;
 uint64_t frequency;
@@ -129,12 +129,12 @@ static void macio_common_realize(PCIDevice *d, Error 
**errp)
 SysBusDevice *sysbus_dev;
 Error *err = NULL;
 
-object_property_set_bool(OBJECT(s->dbdma), true, "realized", );
+object_property_set_bool(OBJECT(>dbdma), true, "realized", );
 if (err) {
 error_propagate(errp, err);
 return;
 }
-sysbus_dev = SYS_BUS_DEVICE(s->dbdma);
+sysbus_dev = SYS_BUS_DEVICE(>dbdma);
 memory_region_add_subregion(>bar, 0x08000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
@@ -161,7 +161,7 @@ static void macio_realize_ide(MacIOState *s, MACIOIDEState 
*ide,
 sysbus_connect_irq(sysbus_dev, 0, irq0);
 sysbus_connect_irq(sysbus_dev, 1, irq1);
 qdev_prop_set_uint32(DEVICE(ide), "channel", dmaid);
-object_property_set_link(OBJECT(ide), OBJECT(s->dbdma), "dbdma", errp);
+object_property_set_link(OBJECT(ide), OBJECT(>dbdma), "dbdma", errp);
 macio_ide_register_dma(ide);
 
 object_property_set_bool(OBJECT(ide), true, "realized", errp);
@@ -344,8 +344,9 @@ static void macio_instance_init(Object *obj)
 qdev_set_parent_bus(DEVICE(>cuda), sysbus_get_default());
 object_property_add_child(obj, "cuda", OBJECT(>cuda), NULL);
 
-s->dbdma = MAC_DBDMA(object_new(TYPE_MAC_DBDMA));
-object_property_add_child(obj, "dbdma", OBJECT(s->dbdma), NULL);
+object_initialize(>dbdma, sizeof(s->dbdma), TYPE_MAC_DBDMA);
+qdev_set_parent_bus(DEVICE(>dbdma), sysbus_get_default());
+object_property_add_child(obj, "dbdma", OBJECT(>dbdma), NULL);
 }
 
 static const VMStateDescription vmstate_macio_oldworld = {
-- 
2.14.3




[Qemu-devel] [PULL 02/30] ppc440_uc: Fix uninitialized variable warning with older gcc

2018-03-05 Thread David Gibson
From: BALATON Zoltan 

Signed-off-by: BALATON Zoltan 
Signed-off-by: David Gibson 
---
 hw/ppc/ppc440_uc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/ppc/ppc440_uc.c b/hw/ppc/ppc440_uc.c
index 4e2523a64f..976ab2b5d8 100644
--- a/hw/ppc/ppc440_uc.c
+++ b/hw/ppc/ppc440_uc.c
@@ -1050,6 +1050,9 @@ static void ppc460ex_pcie_realize(DeviceState *dev, Error 
**errp)
 case DCRN_PCIE1_BASE:
 id = 1;
 break;
+default:
+error_setg(errp, "invalid PCIe DCRN base");
+return;
 }
 snprintf(buf, sizeof(buf), "pcie%d-io", id);
 memory_region_init(>iomem, OBJECT(s), buf, UINT64_MAX);
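Review bot: the new default branch reports "invalid PCIe DCRN base" without saying which value was rejected; including the switched value in the error_setg() message makes the failure diagnosable from the log. The early return correctly skips the snprintf()/memory_region_init() below, but since the switched expression is outside this hunk it is worth confirming that every path into the default case really is a configuration error rather than a missing case for another DCRN base.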
-- 
2.14.3




[Qemu-devel] [PULL 15/30] mac_oldworld: use object link to pass heathrow PIC object to macio

2018-03-05 Thread David Gibson
From: Mark Cave-Ayland 

Also switch macio_oldworld_realize() over to use it rather than using the
pic_mem memory region directly.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
Signed-off-by: David Gibson 
---
 hw/misc/macio/macio.c | 14 ++
 hw/ppc/mac_oldworld.c |  8 +---
 include/hw/misc/macio/macio.h |  2 ++
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 4e502ede2e..d4c1d190c4 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -31,6 +31,7 @@
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/char/escc.h"
 #include "hw/misc/macio/macio.h"
+#include "hw/intc/heathrow_pic.h"
 
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
@@ -167,10 +168,10 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_mmio_get_region(sysbus_dev, 0));
 pmac_format_nvram_partition(>nvram, os->nvram.size);
 
-if (s->pic_mem) {
-/* Heathrow PIC */
-memory_region_add_subregion(>bar, 0x0, s->pic_mem);
-}
+/* Heathrow PIC */
+sysbus_dev = SYS_BUS_DEVICE(os->pic);
+memory_region_add_subregion(>bar, 0x0,
+sysbus_mmio_get_region(sysbus_dev, 0));
 
 /* IDE buses */
 for (i = 0; i < ARRAY_SIZE(os->ide); i++) {
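Review bot: `sysbus_dev = SYS_BUS_DEVICE(os->pic)` dereferences the "pic" link without checking that it was set; the code it replaces was guarded by `if (s->pic_mem)`, so a board that forgets the object_property_set_link() now crashes in realize instead of coming up without a PIC region. Add `if (!os->pic) { error_setg(errp, "pic link not set"); return; }` before the cast, or state in the commit message that the link is now mandatory.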
@@ -208,6 +209,11 @@ static void macio_oldworld_init(Object *obj)
 
 qdev_init_gpio_out(DEVICE(obj), os->irqs, ARRAY_SIZE(os->irqs));
 
+object_property_add_link(obj, "pic", TYPE_HEATHROW,
+ (Object **) >pic,
+ qdev_prop_allow_set_link_before_realize,
+ 0, NULL);
+
 object_initialize(>nvram, sizeof(os->nvram), TYPE_MACIO_NVRAM);
 dev = DEVICE(>nvram);
 qdev_prop_set_uint32(dev, "size", 0x2000);
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 5903ff47d3..3ac5b19073 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -93,7 +93,7 @@ static void ppc_heathrow_init(MachineState *machine)
 uint32_t kernel_base, initrd_base, cmdline_base = 0;
 int32_t kernel_size, initrd_size;
 PCIBus *pci_bus;
-PCIDevice *macio;
+OldWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 DeviceState *dev, *pic_dev;
 SysBusDevice *sbd;
@@ -271,7 +271,7 @@ static void ppc_heathrow_init(MachineState *machine)
 ide_drive_get(hd, ARRAY_SIZE(hd));
 
 /* MacIO */
-macio = pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO);
+macio = OLDWORLD_MACIO(pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO));
 dev = DEVICE(macio);
 qdev_connect_gpio_out(dev, 0, pic[0x12]); /* CUDA */
 qdev_connect_gpio_out(dev, 1, pic[0x10]); /* ESCC-B */
@@ -281,8 +281,10 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0E]); /* IDE-1 */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE-1 DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
+object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
+ _abort);
 sbd = SYS_BUS_DEVICE(pic_dev);
-macio_init(macio, sysbus_mmio_get_region(sbd, 0));
+macio_init(PCI_DEVICE(macio), sysbus_mmio_get_region(sbd, 0));
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
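Review bot: the board still hands the PIC's MMIO region to macio_init() through sysbus_mmio_get_region(sbd, 0) even though macio_oldworld_realize() now fetches the same region through the "pic" link, so the region travels two ways; if the macio_init() parameter disappears in a later patch of this series, say so in the commit message, otherwise drop the argument here so there is one source of truth.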
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index e1e249f898..843c114c07 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -26,6 +26,7 @@
 #ifndef MACIO_H
 #define MACIO_H
 
+#include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
 #include "hw/ppc/mac_dbdma.h"
 
@@ -54,6 +55,7 @@ typedef struct OldWorldMacIOState {
 MacIOState parent_obj;
 /*< public >*/
 
+HeathrowState *pic;
 qemu_irq irqs[7];
 
 MacIONVRAMState nvram;
-- 
2.14.3




[Qemu-devel] [PULL 01/30] spapr: fix missing CPU core nodes in DT when running with TCG

2018-03-05 Thread David Gibson
From: Greg Kurz 

Commit 5d0fb1508e2d "spapr: consolidate the VCPU id numbering logic
in a single place" introduced a helper to detect thread0 of a virtual
core based on its VCPU id. This is used to create CPU core nodes in
the DT, but it is broken in TCG.

$ qemu-system-ppc64 -nographic -accel tcg -machine dumpdtb=dtb.bin \
-smp cores=16,maxcpus=16,threads=1
$ dtc -f -O dts dtb.bin | grep POWER8
PowerPC,POWER8@0 {
PowerPC,POWER8@8 {

instead of the expected 16 cores that we get with KVM:

$ dtc -f -O dts dtb.bin | grep POWER8
PowerPC,POWER8@0 {
PowerPC,POWER8@8 {
PowerPC,POWER8@10 {
PowerPC,POWER8@18 {
PowerPC,POWER8@20 {
PowerPC,POWER8@28 {
PowerPC,POWER8@30 {
PowerPC,POWER8@38 {
PowerPC,POWER8@40 {
PowerPC,POWER8@48 {
PowerPC,POWER8@50 {
PowerPC,POWER8@58 {
PowerPC,POWER8@60 {
PowerPC,POWER8@68 {
PowerPC,POWER8@70 {
PowerPC,POWER8@78 {

This happens because spapr_get_vcpu_id() maps VCPU ids to
cs->cpu_index in TCG mode. This confuses the code in
spapr_is_thread0_in_vcore(), since it assumes thread0 VCPU
ids to have a spapr->vsmt spacing.

spapr_get_vcpu_id(cpu) % spapr->vsmt == 0

Actually, there's no real reason to expose cs->cpu_index instead
of the VCPU id, since we also generate it with TCG. Also we already
set it explicitly in spapr_set_vcpu_id(), so there's no real reason
either to call kvm_arch_vcpu_id() with KVM.

This patch unifies spapr_get_vcpu_id() to always return the computed
VCPU id both in TCG and KVM. This is one step forward towards KVM<->TCG
migration.

Fixes: 5d0fb1508e2d
Reported-by: Cédric Le Goater 
Signed-off-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 8 +---
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 83c9d66dd5..d6fd0e666e 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3810,13 +3810,7 @@ static void spapr_pic_print_info(InterruptStatsProvider 
*obj,
 
 int spapr_get_vcpu_id(PowerPCCPU *cpu)
 {
-CPUState *cs = CPU(cpu);
-
-if (kvm_enabled()) {
-return kvm_arch_vcpu_id(cs);
-} else {
-return cs->cpu_index;
-}
+return cpu->vcpu_id;
 }
 
 void spapr_set_vcpu_id(PowerPCCPU *cpu, int cpu_index, Error **errp)
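Review bot: `return cpu->vcpu_id;` is only meaningful after spapr_set_vcpu_id() has run for that CPU, and the hunk removes the last fallback (cs->cpu_index / kvm_arch_vcpu_id()) that used to mask a missing call; a comment on spapr_get_vcpu_id() stating that contract would document why callers must not use it before CPU creation is complete.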
-- 
2.14.3




[Qemu-devel] [PULL 07/30] spapr: register dummy ICPs later

2018-03-05 Thread David Gibson
From: Greg Kurz 

Some older machine types create more ICPs than needed. We hence
need to register up to xics_max_server_number() dummy ICPs to
accommodate the migration of these machine types.

Recent VSMT rework changed xics_max_server_number() to return

DIV_ROUND_UP(max_cpus * spapr->vsmt, smp_threads)

instead of

DIV_ROUND_UP(max_cpus * kvmppc_smt_threads(), smp_threads);

The change is okay but it requires spapr->vsmt to be set, which
isn't the case with the current code. This causes the formula to
return zero and we don't create dummy ICPs. This breaks migration
of older guests as reported here:

https://bugzilla.redhat.com/show_bug.cgi?id=1549087

The dummy ICP workaround doesn't really have a dependency on XICS
itself. But it does depend on proper VCPU id numbering and it must
be applied before creating vCPUs (i.e., creating real ICPs). So this
patch moves the workaround to spapr_init_cpus(), which already
assumes VSMT to be set.

Fixes: 72194664c8a1 ("spapr: use spapr->vsmt to compute VCPU ids")
Reported-by: Lukas Doktor 
Signed-off-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index d6fd0e666e..3f1c5c5133 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -183,7 +183,6 @@ static int xics_max_server_number(sPAPRMachineState *spapr)
 static void xics_system_init(MachineState *machine, int nr_irqs, Error **errp)
 {
 sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
-sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(machine);
 
 if (kvm_enabled()) {
 if (machine_kernel_irqchip_allowed(machine) &&
@@ -205,17 +204,6 @@ static void xics_system_init(MachineState *machine, int 
nr_irqs, Error **errp)
 return;
 }
 }
-
-if (smc->pre_2_10_has_unused_icps) {
-int i;
-
-for (i = 0; i < xics_max_server_number(spapr); i++) {
-/* Dummy entries get deregistered when real ICPState objects
- * are registered during CPU core hotplug.
- */
-pre_2_10_vmstate_register_dummy_icp(i);
-}
-}
 }
 
 static int spapr_fixup_cpu_smt_dt(void *fdt, int offset, PowerPCCPU *cpu,
@@ -2236,6 +2224,7 @@ static void spapr_init_cpus(sPAPRMachineState *spapr)
 {
 MachineState *machine = MACHINE(spapr);
 MachineClass *mc = MACHINE_GET_CLASS(machine);
+sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(machine);
 const char *type = spapr_get_cpu_core_type(machine->cpu_type);
 const CPUArchIdList *possible_cpus;
 int boot_cores_nr = smp_cpus / smp_threads;
@@ -2261,6 +2250,17 @@ static void spapr_init_cpus(sPAPRMachineState *spapr)
 boot_cores_nr = possible_cpus->len;
 }
 
+if (smc->pre_2_10_has_unused_icps) {
+int i;
+
+for (i = 0; i < xics_max_server_number(spapr); i++) {
+/* Dummy entries get deregistered when real ICPState objects
+ * are registered during CPU core hotplug.
+ */
+pre_2_10_vmstate_register_dummy_icp(i);
+}
+}
+
 for (i = 0; i < possible_cpus->len; i++) {
 int core_id = i * smp_threads;
 
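Review bot: the dummy-ICP loop is moved into spapr_init_cpus() because xics_max_server_number() needs spapr->vsmt, yet nothing in the hunk records that ordering requirement; an `assert(spapr->vsmt)` (or at least a comment) directly before `for (i = 0; i < xics_max_server_number(spapr); i++)` would turn a repeat of the bug described in the commit message (vsmt == 0, zero dummy ICPs, migration silently broken) into an immediate failure.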
-- 
2.14.3
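As an added illustration (this is not QEMU code and not part of the pull request), the following C model reproduces the VCPU id numbering described in PULL 01/30 and the zero-ICP failure described in PULL 07/30. The id formula `(cpu_index / smp_threads) * vsmt + cpu_index % smp_threads` is an assumption about how spapr_vcpu_id() computed ids in this era; the machine parameters (16 cores, 1 thread per core, vsmt 8) are constructed to match the `-smp cores=16,maxcpus=16,threads=1` command line quoted in PULL 01/30.

```c
/*
 * Added example (not QEMU source): a small model of spapr's VCPU id numbering
 * showing why thread0 detection breaks when cs->cpu_index is used instead of
 * the computed VCPU id, and why xics_max_server_number() yields 0 before VSMT
 * is set. The VCPU id formula is an assumption based on QEMU 2.12-era
 * spapr_vcpu_id(); the machine parameters are constructed.
 */
#include <assert.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Assumed VCPU id layout: each core owns a block of vsmt ids and the
 * core's threads occupy the low part of that block. */
static int model_vcpu_id(int cpu_index, int smp_threads, int vsmt)
{
    assert(smp_threads > 0 && vsmt >= smp_threads);
    return (cpu_index / smp_threads) * vsmt + cpu_index % smp_threads;
}

/* The thread0 test quoted in the commit message: id % vsmt == 0. */
static int model_is_thread0_in_vcore(int vcpu_id, int vsmt)
{
    assert(vsmt > 0);
    return vcpu_id % vsmt == 0;
}

/*
 * Number of "PowerPC,POWER8@<id>" core nodes the DT builder would emit.
 * use_cpu_index = 1 reproduces the TCG bug (raw cs->cpu_index is tested),
 * use_cpu_index = 0 is the fixed behaviour (computed VCPU id is tested).
 */
static int model_core_node_count(int max_cpus, int smp_threads, int vsmt,
                                 int use_cpu_index)
{
    int count = 0;
    for (int idx = 0; idx < max_cpus; idx++) {
        int id = use_cpu_index ? idx : model_vcpu_id(idx, smp_threads, vsmt);
        if (model_is_thread0_in_vcore(id, vsmt)) {
            count++;
        }
    }
    return count;
}

/* xics_max_server_number() after the VSMT rework, as quoted in PULL 07/30.
 * Deliberately not asserting on vsmt so the failure mode stays observable:
 * with vsmt still 0 the formula returns 0 and no dummy ICP is registered. */
static int model_xics_max_server_number(int max_cpus, int smp_threads, int vsmt)
{
    return DIV_ROUND_UP(max_cpus * vsmt, smp_threads);
}

int main(void)
{
    const int max_cpus = 16, smp_threads = 1, vsmt = 8; /* constructed */

    printf("core nodes seen with cpu_index: %d\n",
           model_core_node_count(max_cpus, smp_threads, vsmt, 1)); /* 2 */
    printf("core nodes seen with vcpu_id:   %d\n",
           model_core_node_count(max_cpus, smp_threads, vsmt, 0)); /* 16 */
    for (int idx = 0; idx < max_cpus; idx++) {
        printf("PowerPC,POWER8@%x\n", model_vcpu_id(idx, smp_threads, vsmt));
    }
    printf("dummy ICPs with vsmt unset: %d, with vsmt=%d: %d\n",
           model_xics_max_server_number(max_cpus, smp_threads, 0), vsmt,
           model_xics_max_server_number(max_cpus, smp_threads, vsmt));
    return 0;
}
```

With the raw index only ids 0 and 8 pass the `% vsmt` test, which is exactly the two `POWER8@0` / `POWER8@8` nodes in the TCG dump; with the computed id every core lands on a multiple of 8 and all sixteen nodes appear. The same model shows why registering dummy ICPs before vsmt is set produces none at all.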




[Qemu-devel] [PULL 03/30] ppc440: Add emulation of plb-pcix controller found in some 440 SoCs

2018-03-05 Thread David Gibson
From: BALATON Zoltan 

This is the PCIX controller found in newer 440 core SoCs e.g. the
AMCC 460EX. The device tree refers to this as plb-pcix compared to
the plb-pci controller in older 440 SoCs.

Signed-off-by: BALATON Zoltan 
[dwg: Remove hwaddr from trace-events, that doesn't work with some
 trace backends]
Signed-off-by: David Gibson 
---
 hw/ppc/Makefile.objs |   2 +-
 hw/ppc/ppc440_pcix.c | 528 +++
 hw/ppc/trace-events  |   8 +
 3 files changed, 537 insertions(+), 1 deletion(-)
 create mode 100644 hw/ppc/ppc440_pcix.c

diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index ad1928c5d8..bddc742bfb 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -13,7 +13,7 @@ endif
 obj-$(CONFIG_PSERIES) += spapr_rtas_ddw.o
 # PowerPC 4xx boards
 obj-y += ppc4xx_devs.o ppc405_uc.o
-obj-$(CONFIG_PPC4XX) += ppc4xx_pci.o ppc405_boards.o ppc440_bamboo.o
+obj-$(CONFIG_PPC4XX) += ppc4xx_pci.o ppc405_boards.o ppc440_bamboo.o 
ppc440_pcix.o
 # PReP
 obj-$(CONFIG_PREP) += prep.o
 obj-$(CONFIG_PREP) += prep_systemio.o
diff --git a/hw/ppc/ppc440_pcix.c b/hw/ppc/ppc440_pcix.c
new file mode 100644
index 00..ab2626a9de
--- /dev/null
+++ b/hw/ppc/ppc440_pcix.c
@@ -0,0 +1,528 @@
+/*
+ * Emulation of the ibm,plb-pcix PCI controller
+ * This is found in some 440 SoCs e.g. the 460EX.
+ *
+ * Copyright (c) 2016-2018 BALATON Zoltan
+ *
+ * Derived from ppc4xx_pci.c and pci-host/ppce500.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "hw/hw.h"
+#include "hw/ppc/ppc.h"
+#include "hw/ppc/ppc4xx.h"
+#include "hw/pci/pci.h"
+#include "hw/pci/pci_host.h"
+#include "exec/address-spaces.h"
+#include "trace.h"
+
+struct PLBOutMap {
+uint64_t la;
+uint64_t pcia;
+uint32_t sa;
+MemoryRegion mr;
+};
+
+struct PLBInMap {
+uint64_t sa;
+uint64_t la;
+MemoryRegion mr;
+};
+
+#define TYPE_PPC440_PCIX_HOST_BRIDGE "ppc440-pcix-host"
+#define PPC440_PCIX_HOST_BRIDGE(obj) \
+OBJECT_CHECK(PPC440PCIXState, (obj), TYPE_PPC440_PCIX_HOST_BRIDGE)
+
+#define PPC440_PCIX_NR_POMS 3
+#define PPC440_PCIX_NR_PIMS 3
+
+typedef struct PPC440PCIXState {
+PCIHostState parent_obj;
+
+PCIDevice *dev;
+struct PLBOutMap pom[PPC440_PCIX_NR_POMS];
+struct PLBInMap pim[PPC440_PCIX_NR_PIMS];
+uint32_t sts;
+qemu_irq irq[PCI_NUM_PINS];
+AddressSpace bm_as;
+MemoryRegion bm;
+
+MemoryRegion container;
+MemoryRegion iomem;
+MemoryRegion busmem;
+} PPC440PCIXState;
+
+#define PPC440_REG_BASE 0x8
+#define PPC440_REG_SIZE 0xff
+
+#define PCIC0_CFGADDR   0x0
+#define PCIC0_CFGDATA   0x4
+
+#define PCIX0_POM0LAL   0x68
+#define PCIX0_POM0LAH   0x6c
+#define PCIX0_POM0SA0x70
+#define PCIX0_POM0PCIAL 0x74
+#define PCIX0_POM0PCIAH 0x78
+#define PCIX0_POM1LAL   0x7c
+#define PCIX0_POM1LAH   0x80
+#define PCIX0_POM1SA0x84
+#define PCIX0_POM1PCIAL 0x88
+#define PCIX0_POM1PCIAH 0x8c
+#define PCIX0_POM2SA0x90
+
+#define PCIX0_PIM0SAL   0x98
+#define PCIX0_PIM0LAL   0x9c
+#define PCIX0_PIM0LAH   0xa0
+#define PCIX0_PIM1SA0xa4
+#define PCIX0_PIM1LAL   0xa8
+#define PCIX0_PIM1LAH   0xac
+#define PCIX0_PIM2SAL   0xb0
+#define PCIX0_PIM2LAL   0xb4
+#define PCIX0_PIM2LAH   0xb8
+#define PCIX0_PIM0SAH   0xf8
+#define PCIX0_PIM2SAH   0xfc
+
+#define PCIX0_STS   0xe0
+
+#define PCI_ALL_SIZE(PPC440_REG_BASE + PPC440_REG_SIZE)
+
+static void ppc440_pcix_clear_region(MemoryRegion *parent,
+ MemoryRegion *mem)
+{
+if (memory_region_is_mapped(mem)) {
+memory_region_del_subregion(parent, mem);
+object_unparent(OBJECT(mem));
+}
+}
+
+/* DMA mapping */
+static void ppc440_pcix_update_pim(PPC440PCIXState *s, int idx)
+{
+MemoryRegion *mem = >pim[idx].mr;
+char *name;
+uint64_t size;
+
+/* Before we modify anything, unmap and destroy the region */
+ppc440_pcix_clear_region(>bm, mem);
+
+if (!(s->pim[idx].sa & 1)) {
+/* Not enabled, nothing to do */
+return;
+}
+
+name = g_strdup_printf("PCI Inbound Window %d", idx);
+size = ~(s->pim[idx].sa & ~7ULL) + 1;
+memory_region_init_alias(mem, OBJECT(s), name, get_system_memory(),
+   
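Review bot: the inbound window size in ppc440_pcix_update_pim(), `size = ~(s->pim[idx].sa & ~7ULL) + 1;`, treats sa as a full 64-bit mask, but the register map above only defines PCIX0_PIM0SAH and PCIX0_PIM2SAH; PIM1 has just PCIX0_PIM1SA. Unless the register write sign-extends the 32-bit value into the high word, the complement leaves bits 32..63 set and PIM1 ends up with a size whose top half is filled in rather than the window the guest programmed. Worth checking how PIM1SA is stored, and, since sa is guest-controlled, rejecting or at least tracing masks that are not a contiguous run of ones, because the alias does not decode them the way the hardware's address mask does. Also, `name` from g_strdup_printf() needs a g_free() after memory_region_init_alias(), which copies the string; the visible part of the hunk ends before that.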

[Qemu-devel] [PULL 08/30] spapr: harden code that depends on VSMT

2018-03-05 Thread David Gibson
From: Greg Kurz 

VSMT must be set in order to compute VCPU ids. This means that the
following functions must not be called before spapr_set_vsmt_mode()
was called:
- spapr_vcpu_id()
- spapr_is_thread0_in_vcore()
- xics_max_server_number()

We had a recent regression where the latter would be called before VSMT
was set, and broke migration of some old machine types. This patch
adds assert() in the above functions to avoid problems in the future.

Also, since VSMT is really a CPU related thing, spapr_set_vsmt_mode() is
now called from spapr_init_cpus(), just before the first VSMT user.

Signed-off-by: Greg Kurz 
Signed-off-by: David Gibson 
---
 hw/ppc/spapr.c | 144 ++---
 1 file changed, 75 insertions(+), 69 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 3f1c5c5133..1c2703cb6b 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -105,12 +105,14 @@
  */
 static int spapr_vcpu_id(sPAPRMachineState *spapr, int cpu_index)
 {
+assert(spapr->vsmt);
 return
 (cpu_index / smp_threads) * spapr->vsmt + cpu_index % smp_threads;
 }
 static bool spapr_is_thread0_in_vcore(sPAPRMachineState *spapr,
   PowerPCCPU *cpu)
 {
+assert(spapr->vsmt);
 return spapr_get_vcpu_id(cpu) % spapr->vsmt == 0;
 }
 
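Review bot: of the two new asserts, the one in spapr_is_thread0_in_vcore() changes the failure mode the most: `spapr_get_vcpu_id(cpu) % spapr->vsmt` with vsmt still 0 is an integer division by zero (SIGFPE on an x86 host, an undefined result on a POWER host), neither of which names the cause. spapr_vcpu_id() only multiplies by vsmt and would have returned a wrong but plausible id silently. The comment that closes just above spapr_vcpu_id() is the natural place to state that both functions require spapr_set_vsmt_mode() to have run; consider adding that sentence there as well as in the commit message.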
@@ -177,6 +179,7 @@ static void pre_2_10_vmstate_unregister_dummy_icp(int i)
 
 static int xics_max_server_number(sPAPRMachineState *spapr)
 {
+assert(spapr->vsmt);
 return DIV_ROUND_UP(max_cpus * spapr->vsmt, smp_threads);
 }
 
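Review bot: this is the silent case the commit message describes: with vsmt == 0, DIV_ROUND_UP(max_cpus * 0, smp_threads) returns 0 without crashing, so the pre-2.10 dummy ICP registration in spapr_init_cpus() registers nothing and the migration stream of the old machine types no longer matches. The assert turns that into an immediate abort, which is the right trade-off, but it only fires when this function is reached at runtime; a test that migrates a pre-2.10 machine type would catch the next reordering at test time instead of at a user's migration.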
@@ -2220,73 +2223,6 @@ static CPUArchId *spapr_find_cpu_slot(MachineState *ms, 
uint32_t id, int *idx)
 return >possible_cpus->cpus[index];
 }
 
-static void spapr_init_cpus(sPAPRMachineState *spapr)
-{
-MachineState *machine = MACHINE(spapr);
-MachineClass *mc = MACHINE_GET_CLASS(machine);
-sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(machine);
-const char *type = spapr_get_cpu_core_type(machine->cpu_type);
-const CPUArchIdList *possible_cpus;
-int boot_cores_nr = smp_cpus / smp_threads;
-int i;
-
-possible_cpus = mc->possible_cpu_arch_ids(machine);
-if (mc->has_hotpluggable_cpus) {
-if (smp_cpus % smp_threads) {
-error_report("smp_cpus (%u) must be multiple of threads (%u)",
- smp_cpus, smp_threads);
-exit(1);
-}
-if (max_cpus % smp_threads) {
-error_report("max_cpus (%u) must be multiple of threads (%u)",
- max_cpus, smp_threads);
-exit(1);
-}
-} else {
-if (max_cpus != smp_cpus) {
-error_report("This machine version does not support CPU hotplug");
-exit(1);
-}
-boot_cores_nr = possible_cpus->len;
-}
-
-if (smc->pre_2_10_has_unused_icps) {
-int i;
-
-for (i = 0; i < xics_max_server_number(spapr); i++) {
-/* Dummy entries get deregistered when real ICPState objects
- * are registered during CPU core hotplug.
- */
-pre_2_10_vmstate_register_dummy_icp(i);
-}
-}
-
-for (i = 0; i < possible_cpus->len; i++) {
-int core_id = i * smp_threads;
-
-if (mc->has_hotpluggable_cpus) {
-spapr_dr_connector_new(OBJECT(spapr), TYPE_SPAPR_DRC_CPU,
-   spapr_vcpu_id(spapr, core_id));
-}
-
-if (i < boot_cores_nr) {
-Object *core  = object_new(type);
-int nr_threads = smp_threads;
-
-/* Handle the partially filled core for older machine types */
-if ((i + 1) * smp_threads >= smp_cpus) {
-nr_threads = smp_cpus - i * smp_threads;
-}
-
-object_property_set_int(core, nr_threads, "nr-threads",
-_fatal);
-object_property_set_int(core, core_id, CPU_CORE_PROP_CORE_ID,
-_fatal);
-object_property_set_bool(core, true, "realized", _fatal);
-}
-}
-}
-
 static void spapr_set_vsmt_mode(sPAPRMachineState *spapr, Error **errp)
 {
 Error *local_err = NULL;
@@ -2359,6 +2295,78 @@ out:
 error_propagate(errp, local_err);
 }
 
+static void spapr_init_cpus(sPAPRMachineState *spapr)
+{
+MachineState *machine = MACHINE(spapr);
+MachineClass *mc = MACHINE_GET_CLASS(machine);
+sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(machine);
+const char *type = spapr_get_cpu_core_type(machine->cpu_type);
+const CPUArchIdList *possible_cpus;
+int boot_cores_nr = smp_cpus / smp_threads;
+int i;
+
+possible_cpus = mc->possible_cpu_arch_ids(machine);
+if (mc->has_hotpluggable_cpus) {
+if (smp_cpus % smp_threads) {
+error_report("smp_cpus (%u) must be multiple of threads (%u)",
+ smp_cpus, smp_threads);
+   
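Review bot: the removed body shows that the first VSMT users in spapr_init_cpus() are xics_max_server_number() in the pre_2_10_has_unused_icps loop and spapr_vcpu_id() via spapr_dr_connector_new(); the re-added body is cut off here, so confirm that the new spapr_set_vsmt_mode() call precedes both, not just the smp_cpus/max_cpus checks. Also check how its Error **errp is handled: the function already exits with error_report()/exit(1) on bad -smp values, so the VSMT call should pass &error_fatal or follow the same pattern, because an error that is propagated and then ignored would leave vsmt at 0 and trip the new assert() instead of printing the real cause.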

Re: [Qemu-devel] [PATCHv1 00/14] Translation loop conversion for sh4/sparc/mips/s390x/openrisc targets

2018-03-05 Thread Michael Clark
On Tue, 6 Mar 2018 at 3:57 PM, Emilio G. Cota  wrote:

> On Tue, Mar 06, 2018 at 12:57:13 +1300, Michael Clark wrote:
> > On Fri, Mar 2, 2018 at 11:53 AM, Emilio G. Cota  wrote:
> >
> > > [ What is this all about? See this message:
> > >   http://lists.gnu.org/archive/html/qemu-devel/2018-02/msg04785.html ]
> (snip)
> > > You can fetch this series from:
> > >   https://github.com/cota/qemu/tree/trloop-conv-v1
> >
> >
> > Curious to know what we would need to change in RISC-V translate.c:
> >
> > -
> >
> https://github.com/riscv/riscv-qemu/blob/qemu-upstream-v8/target/riscv/translate.c
> >
> > I'm going to make a v8.1 branch and tag that is a rebase of the v8 patch
> > series against current QEMU master, and hopefully we get the RISC-V port
> > merged before the soft-freeze. Fingers crossed.
>
> I have patches that convert riscv as well.
>
> Once riscv is on master I'll send the patches to the list; I don't want
> this work to delay the riscv merge even more!


Appreciated. Thanks very much!

Michael

>
>


Re: [Qemu-devel] [PATCH v3 20/29] postcopy: postcopy_notify_shared_wake

2018-03-05 Thread Peter Xu
On Mon, Mar 05, 2018 at 07:55:13PM +, Dr. David Alan Gilbert wrote:
> * Peter Xu (pet...@redhat.com) wrote:
> > On Fri, Feb 16, 2018 at 01:16:16PM +, Dr. David Alan Gilbert (git) 
> > wrote:
> > > From: "Dr. David Alan Gilbert" 
> > > 
> > > Add a hook to allow a client userfaultfd to be 'woken'
> > > when a page arrives, and a walker that calls that
> > > hook for relevant clients given a RAMBlock and offset.
> > > 
> > > Signed-off-by: Dr. David Alan Gilbert 
> > > ---
> > >  migration/postcopy-ram.c | 16 
> > >  migration/postcopy-ram.h | 10 ++
> > >  2 files changed, 26 insertions(+)
> > > 
> > > diff --git a/migration/postcopy-ram.c b/migration/postcopy-ram.c
> > > index 67deae7e1c..879711968c 100644
> > > --- a/migration/postcopy-ram.c
> > > +++ b/migration/postcopy-ram.c
> > > @@ -824,6 +824,22 @@ static int qemu_ufd_copy_ioctl(int userfault_fd, 
> > > void *host_addr,
> > >  return ret;
> > >  }
> > >  
> > > +int postcopy_notify_shared_wake(RAMBlock *rb, uint64_t offset)
> > > +{
> > > +int i;
> > > +MigrationIncomingState *mis = migration_incoming_get_current();
> > > +GArray *pcrfds = mis->postcopy_remote_fds;
> > > +
> > > +for (i = 0; i < pcrfds->len; i++) {
> > > +struct PostCopyFD *cur = _array_index(pcrfds, struct 
> > > PostCopyFD, i);
> > > +int ret = cur->waker(cur, rb, offset);
> > > +if (ret) {
> > > +return ret;
> > > +}
> > > +}
> > > +return 0;
> > > +}
> > > +
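Review bot: returning on the first non-zero ret from cur->waker means the PostCopyFDs after it in the array are never woken for this page even though the page has been placed; a single client whose UFFDIO_WAKE fails (its fd already closed, say) would leave every later client stuck on a fault that is actually resolved. Consider walking the whole array, waking every client that is responsible for the range, and returning the first error afterwards, so one broken client cannot stall the others.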
> > 
> > We should know that which FD needs what pages, right?  If with that
> > information, we can only notify the ones who have page faulted on
> > exactly the same page?  Otherwise we do UFFDIO_WAKE once for each
> > client when a page is ready, even if the clients have not page faulted
> > at all?
> 
> The 'waker' function we call knows that, we don't; see the
> 'vhost_user_postcopy_waker' in the next patch, and it hunts down whether
> the address the waker is called for is one it's responsible for.

For vhost-user devices, they should always be responsible for almost
all RAM exported to the guest?  If so, they will always be notified to
wake up if a page is copied?

Here I was thinking not only about responsible ranges - it was about
whether each PostcopyFD could note down the faulted addresses that
were waiting to be serviced.  Then when we do the wake up, we could
possibly skip notifying the PostcopyFD when the copied page is not
covering any of the faulted addresses on that PostcopyFD?

> Also note that a shared page might be shared between multiple other
> programs - not just one.  In our case that could be two vhost-user
> devices wired to two separate processes.

Yeah, but the idea still stands IMHO - we can notify only those
PostcopyFDs that have faulted on the page already and skip the rest.
For sure there can be more than one candidate for the wakeup, since
there can be multiple PostcopyFDs that captured page fault on the same
page (or even, same address).

> 
> > But for the first version, I think it's fine.  And I believe if we
> > maintain the faulted addresses we need some way to sync between the
> > wake thread and fault thread too.
> 
> Hmm can you explain that a bit more?

Basically above was what I thought - to record the faulted addresses
with specific PostcopyFD when page fault happened, then we may know
which page(s) will a PostcopyFD need.  But when with that, we'll
possibly need a lock to protect the information (or any other sync
method).

(Hope I didn't miss anything important along the way)

Thanks,

-- 
Peter Xu



Re: [Qemu-devel] [edk2] [PATCH 3/7] HACK: HobLib: workaround infinite loop

2018-03-05 Thread Brian J. Johnson

On 03/05/2018 12:22 PM, Laszlo Ersek wrote:

PEIMs generally "execute in place" (XIP), i.e. they run from flash, not
RAM. In this status they use "temporary RAM" (e.g. CPU caches configured
like RAM) for stack & heap; whatever HOBs they produce are stored in
"temp RAM" as well. Then one of the PEIMs "discovers permanent RAM"
(basically it programs the memory controller and publishes the RAM
ranges). In turn the PEI core "migrates" PEIMs from temporary to
permanent RAM, including the HOB list.

Before the temporary RAM migration (when still executing in place from
flash), PEIMs cannot have writeable global variables. For example,
dynamic PCDs are also maintained in a HOB (the PCD HOB).

A PEIM normally cannot (and shouldn't) tell whether it is dispatched
before or after permanent RAM is published. If needed, a PEIM can
advertise that it depends on permanent RAM (for example because it needs
a lot of heap memory) by including "gEfiPeiMemoryDiscoveredPpiGuid" in
its DEPEX.

Finally, it seems like a PEIM can also express, "I'm fine with being
dispatched from both flash (XIP) vs. permanent RAM, just the PEI core
tell me whichever it is". Apparently, if the PEIM is dispatched from
flash (before permanent RAM is available), its call to
RegisterForShadow() returns EFI_SUCCESS (and then its entry point
function will be invoked for a 2nd time, after the temp RAM migration).
And when a PEIM is dispatched from RAM (either for the very first time,
or for the second time, after being dispatched from flash first), the
same call returns EFI_ALREADY_STARTED.

Honestly, I'm unsure what this is good for (both in general, and
specifically for Tcg2Pei). Apparently, Tcg2Pei needs permanent RAM for
doing the measurements (which makes sense); I just wonder what exactly
it does so that it cannot simply specify
"gEfiPeiMemoryDiscoveredPpiGuid" in its DEPEX.


I haven't looked at this particular PEIM.  But one case where 
registering for shadowing is useful is for improving performance when 
running from permanent RAM, where writable global variables are 
available.  For instance, when running from flash, a ReportStatusCode 
PEIM may need to go through a slow process to locate an output hardware 
device on every PPI call.  This may involve traversing the HOB list, 
consulting other PPIs, even probing hardware addresses.  But once it's 
shadowed to RAM, it can locate the device once, then cache its address 
in a global.  Not to mention that the code itself is far, far faster 
when run from RAM vs. flash.  (That's probably a key difference between 
a real machine and a VM.)


Also, I've personally written a PEIM which saves a bunch of internal 
state in a HOB, since that's the main writable storage when running from 
flash.  That state includes pointers to other data (in flash.)  Once the 
data is all shadowed to RAM, it updates the HOB to point to the data in 
RAM.  That way it's a lot faster to access the data.


I also have other PEIMs which are constrained (via DEPEX) to run *only* 
from RAM, since they have larger memory requirements than can be 
satisfied from temporary cache-as-RAM.  That's certainly a valid 
technique as well.


RegisterForShadow() is a useful tool for making the most of the 
restricted PEI environment.  And having it standardized like this is, as 
Andrew said, a lot better than the hacks people had to use beforehand.


Thanks,
--
Brian J. Johnson
Enterprise X86 Lab

Hewlett Packard Enterprise

brian.john...@hpe.com
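The HOB-list walk that the HACK patch in this thread papers over, as an added example (not edk2 code and not the patch under review): a walker that validates every generic header before it advances or returns, so a zero or otherwise corrupt HobLength is reported instead of spinning forever on the same HOB. The header layout and the three type values follow the PI spec; the sample list, its GUID and the hob_* names are constructed for the example.

```c
/*
 * Added example, not edk2 code: a HOB-list walk that checks every generic
 * header before using it, so a zero or otherwise corrupt HobLength is
 * reported instead of making the walk spin on the same HOB.  Header layout
 * and type values follow the PI spec; the sample list, its GUID and the
 * hob_* names are constructed for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EFI_HOB_TYPE_HANDOFF          0x0001
#define EFI_HOB_TYPE_GUID_EXTENSION   0x0004
#define EFI_HOB_TYPE_END_OF_HOB_LIST  0xFFFF

typedef struct {
    uint16_t HobType;
    uint16_t HobLength;   /* whole HOB including this header; a multiple of 8 */
    uint32_t Reserved;
} HobHeader;              /* EFI_HOB_GENERIC_HEADER */

enum hob_status { HOB_FOUND = 0, HOB_NOT_FOUND, HOB_BAD_LENGTH, HOB_OVERRUN, HOB_NO_END };

/* Find the GUID-extension HOB named guid in list[0..list_size); offset via out_off. */
enum hob_status hob_find_guid(const uint8_t *list, size_t list_size,
                              const uint8_t guid[16], size_t *out_off)
{
    size_t off = 0;
    while (off + sizeof(HobHeader) <= list_size) {
        HobHeader h;
        memcpy(&h, list + off, sizeof h);
        if (h.HobType == EFI_HOB_TYPE_END_OF_HOB_LIST) {
            return HOB_NOT_FOUND;
        }
        /* Validate before matching on type: a corrupt HOB is never handed back. */
        if (h.HobLength < sizeof(HobHeader) || (h.HobLength & 7) != 0) {
            return HOB_BAD_LENGTH;      /* 0 here is the infinite loop from the thread */
        }
        if (h.HobLength > list_size - off) {
            return HOB_OVERRUN;
        }
        if (h.HobType == EFI_HOB_TYPE_GUID_EXTENSION &&
            h.HobLength >= sizeof(HobHeader) + 16 &&
            memcmp(list + off + sizeof(HobHeader), guid, 16) == 0) {
            if (out_off) *out_off = off;
            return HOB_FOUND;
        }
        off += h.HobLength;
    }
    return HOB_NO_END;   /* ran off the buffer without an END_OF_HOB_LIST */
}

/* Append one HOB: declared_len goes into the header, body_len bytes are written. */
static size_t hob_append(uint8_t *buf, size_t off, uint16_t type, uint16_t declared_len,
                         const uint8_t *body, size_t body_len)
{
    HobHeader h = { type, declared_len, 0 };
    memcpy(buf + off, &h, sizeof h);
    if (body_len) memcpy(buf + off + sizeof h, body, body_len);
    return off + sizeof h + body_len;
}

/* Constructed GUID for the sample list (not a real edk2 GUID). */
const uint8_t kSampleGuid[16] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                  0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xf0, 0x01 };

/* PHIT HOB (56 bytes, body zeroed), a 32-byte GUID HOB, end marker: 96 bytes.
 * With corrupt set, the GUID HOB's length field is 0, as in the thread. */
size_t hob_build_sample(uint8_t *buf, size_t cap, bool corrupt)
{
    uint8_t phit_body[48] = { 0 };
    uint8_t guid_body[24];
    size_t off;
    if (cap < 96) return 0;
    memset(buf, 0, cap);
    memcpy(guid_body, kSampleGuid, 16);
    memset(guid_body + 16, 0xAB, 8);          /* 8 bytes of payload */
    off = hob_append(buf, 0, EFI_HOB_TYPE_HANDOFF, 56, phit_body, 48);
    off = hob_append(buf, off, EFI_HOB_TYPE_GUID_EXTENSION, corrupt ? 0 : 32, guid_body, 24);
    return hob_append(buf, off, EFI_HOB_TYPE_END_OF_HOB_LIST, 8, NULL, 0);
}

/* Walk the sample list; -1 if the GUID HOB turned up at the wrong offset. */
int hob_demo(bool corrupt)
{
    uint8_t buf[128];
    size_t off = 0;
    size_t n = hob_build_sample(buf, sizeof buf, corrupt);
    enum hob_status st = hob_find_guid(buf, n, kSampleGuid, &off);
    return (st == HOB_FOUND && off != 56) ? -1 : (int)st;
}
```

hob_demo(false) finds the GUID HOB at offset 56; hob_demo(true) reports HOB_BAD_LENGTH for the zero-length header instead of looping. The bound on list_size is what a PEI HobLib does not have (it walks until the end marker), which is why header validation has to carry the whole burden there.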




Re: [Qemu-devel] [edk2] [PATCH 3/7] HACK: HobLib: workaround infinite loop

2018-03-05 Thread Gao, Liming
Laszlo:
  I also suggest checking the generated ProcessLibraryConstructorList () 
function. It is in the driver build output AutoGen.c code. You can check which 
library functions are called in this function. Then, further add debug messages in 
the library functions. I suspect some function does the wrong operation and 
corrupts the memory. 

Thanks
Liming
> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo 
> Ersek
> Sent: Tuesday, March 6, 2018 2:23 AM
> To: Marc-André Lureau ; Andrew Fish 
> 
> Cc: edk2-de...@lists.01.org; Peter Jones ; Yao, Jiewen 
> ; QEMU
> ; Javier Martinez Canillas 
> Subject: Re: [edk2] [PATCH 3/7] HACK: HobLib: workaround infinite loop
> 
> On 03/05/18 15:05, Marc-André Lureau wrote:
> > Hi
> >
> > On Fri, Feb 23, 2018 at 8:45 PM, Andrew Fish  wrote:
> >>
> >>
> >>> On Feb 23, 2018, at 5:23 AM, marcandre.lur...@redhat.com wrote:
> >>>
> >>> From: Marc-André Lureau 
> >>>
> >>> Without this hack, GetNextHob() loops infinitely with the next
> >>> patch. I don't understand the reason.
> >>>
> >>> The loop is triggered by the GetFirstGuidHob ()
> >>> call.
> >>>
> >>> CC: Laszlo Ersek 
> >>> CC: Stefan Berger 
> >>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>> Signed-off-by: Marc-André Lureau 
> >>> ---
> >>> MdePkg/Library/PeiHobLib/HobLib.c | 4 
> >>> 1 file changed, 4 insertions(+)
> >>>
> >>> diff --git a/MdePkg/Library/PeiHobLib/HobLib.c 
> >>> b/MdePkg/Library/PeiHobLib/HobLib.c
> >>> index 5c0eeb992f..ed3c5fbd6d 100644
> >>> --- a/MdePkg/Library/PeiHobLib/HobLib.c
> >>> +++ b/MdePkg/Library/PeiHobLib/HobLib.c
> >>> @@ -89,6 +89,10 @@ GetNextHob (
> >>> if (Hob.Header->HobType == Type) {
> >>>   return Hob.Raw;
> >>> }
> >>> +if (GET_HOB_LENGTH (HobStart) == 0) {
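Review bot: the new check reads GET_HOB_LENGTH (HobStart) while the loop walks `Hob` (`Hob.Header->HobType == Type` on the line above), so unless HobStart is advanced alongside Hob it inspects the first HOB of the list on every iteration and never the one whose length is 0; the check belongs on Hob, as `Hob.Header->HobLength`. It also sits after the type comparison, so a corrupt HOB whose type happens to match is returned to the caller before its length is looked at; validate the header first, and, as Andrew suggests below, reject anything below sizeof (EFI_HOB_GENERIC_HEADER) rather than only zero, since any smaller length lands the next iteration inside the current header.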
> >>
> >> As Laszlo points out this error condition is likely memory
> >> corruption. Thus it would be better to check for all know illegal
> >> values?
> >>
> >> if (GET_HOB_LENGTH(HobStart) < sizeof (EFI_HOB_GENERIC_HEADER)
> >>
> >
> > Thanks, I have adjusted the check.
> >
> > With manual calls and printf (I don't know  a better way to debug ovmf
> > ;),
> 
> Well that's how I generally debug it too :)
> 
> > I try to locate the issue. It's somehow related to
> > RegisterForShadow(). The "corruption" seems to happen during the
> > second call. After the
> > PeiLoadImage(...,PEIM_STATE_REGISTER_FOR_SHADOW,..), right before
> > calling PeimEntryPoint(), a GetFirstGuidHob() succeed, but inside the
> > function, it fails (with the same arguments). Right after it succeeds
> > again... The PeimEntryPoint() is not the Tcg2Pei:PeimEntryMA(), I
> > suppose there is some kind of wrapping code, but I fail to find where.
> > Any idea?
> 
> This sounds helpful. I don't know what the problem is, but I can
> elaborate on your details a bit; perhaps someone else will have more
> ideas.
> 
> Apparently there is a PEI service called RegisterForShadow().
> ("Apparently", because I've never seen, let alone written, a PEIM
> calling this service.) The service is specified in the PI spec, which is
> quoted in the edk2 tree [MdePkg/Include/Pi/PiPeiCis.h]:
> 
> > /**
> >   Register a PEIM so that it will be shadowed and called again.
> >
> >   This service registers a file handle so that after memory is
> >   available, the PEIM will be re-loaded into permanent memory and
> >   re-initialized. The PEIM registered this way will always be
> >   initialized twice. The first time, this function call will
> >   return EFI_SUCCESS. The second time, this function call will
> >   return EFI_ALREADY_STARTED. Depending on the order in which
> >   PEIMs are dispatched, the PEIM making this call may be
> >   initialized after permanent memory is installed, even the first
> >   time.
> >
> >   @param  FileHandlePEIM's file handle. Must be the currently
> > executing PEIM.
> >
> >   @retval EFI_SUCCESS   The PEIM was successfully registered for
> > shadowing.
> >   @retval EFI_ALREADY_STARTED   The PEIM was previously
> > registered for shadowing.
> >   @retval EFI_NOT_FOUND The FileHandle does not refer to a
> > valid file handle.
> >
> > **/
> > typedef
> > EFI_STATUS
> > (EFIAPI *EFI_PEI_REGISTER_FOR_SHADOW)(
> >   IN  EFI_PEI_FILE_HANDLE FileHandle
> >   );
> 
> PEIMs generally "execute in place" (XIP), i.e. they run from flash, not
> RAM. In this status they use "temporary RAM" (e.g. CPU caches configured
> like RAM) for stack & heap; whatever HOBs they produce are stored in
> "temp RAM" as well. Then one of the PEIMs "discovers permanent RAM"
> (basically it 

Re: [Qemu-devel] [PATCH v2] PowerPC: Add TS bits into msr_mask

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 06:53:48PM +0800, wei.guo.si...@gmail.com wrote:
> From: Simon Guo 
> 
> During migration, after MSR bits are synced, cpu_post_load() will use
> msr_mask to determine which PPC MSR bits will be applied into the target
> side. Hardware Transactional Memory (HTM) has been supported since Power8,
> but the TS0/TS1 bits were not in msr_mask yet. That will prevent target KVM
> from loading TM checkpointed values.
> 
> This patch adds the TS bits into msr_mask for Power8, so that transactional
> applications can be migrated across qemu.
> 
> Signed-off-by: Simon Guo 

Much better, applied, thanks.

> ---
>  target/ppc/translate_init.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/target/ppc/translate_init.c b/target/ppc/translate_init.c
> index 55c99c9..ca06028 100644
> --- a/target/ppc/translate_init.c
> +++ b/target/ppc/translate_init.c
> @@ -8689,6 +8689,8 @@ POWERPC_FAMILY(POWER8)(ObjectClass *oc, void *data)
>  (1ull << MSR_DR) |
>  (1ull << MSR_PMM) |
>  (1ull << MSR_RI) |
> +(1ull << MSR_TS0) |
> +(1ull << MSR_TS1) |
>  (1ull << MSR_LE);
>  pcc->mmu_model = POWERPC_MMU_2_07;
>  #if defined(CONFIG_SOFTMMU)
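Review bot: since cpu_post_load() applies msr_mask to the MSR value received from the source, the change also affects streams from older QEMUs: TS0/TS1 bits they sent were dropped on the destination before and are applied now. That is the intent, but it deserves a sentence in the commit message, together with what a TCG destination (which has no HTM) does with a non-zero TS field after load. If other POWER8-era CPU models carry their own msr_mask in translate_init.c they need the same two bits.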

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


Re: [Qemu-devel] [PATCH] adb: add trace-events for monitoring keyboard/mouse during bus enumeration

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 09:51:13PM +, Mark Cave-Ayland wrote:
> This is useful to help diagnose problems related to address clashes during
> MacOS 9 boot.
> 
> Signed-off-by: Mark Cave-Ayland 

Applied, thanks.

> ---
>  hw/input/adb-kbd.c| 4 
>  hw/input/adb-mouse.c  | 5 +
>  hw/input/trace-events | 5 +
>  3 files changed, 14 insertions(+)
> 
> diff --git a/hw/input/adb-kbd.c b/hw/input/adb-kbd.c
> index 266aed1b7b..50b62712c8 100644
> --- a/hw/input/adb-kbd.c
> +++ b/hw/input/adb-kbd.c
> @@ -258,6 +258,7 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
>  case ADB_CMD_CHANGE_ID_AND_ACT:
>  case ADB_CMD_CHANGE_ID_AND_ENABLE:
>  d->devaddr = buf[1] & 0xf;
> +trace_adb_kbd_request_change_addr(d->devaddr);
>  break;
>  default:
>  d->devaddr = buf[1] & 0xf;
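Review bot: the new trace point covers the two CHANGE_ID cases but not the `default:` branch right below it, which also rewrites d->devaddr from buf[1]; for diagnosing address clashes during enumeration that path matters as much, so it should trace too, and the same applies to the matching hunk in adb-mouse.c. One trace call after the switch with the command as an extra argument would cover all three paths without multiplying trace names.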
> @@ -269,6 +270,9 @@ static int adb_kbd_request(ADBDevice *d, uint8_t *obuf,
>  if (buf[2] == 1 || buf[2] == 2 || buf[2] == 3) {
>  d->handler = buf[2];
>  }
> +
> +trace_adb_kbd_request_change_addr_and_handler(d->devaddr,
> +  d->handler);
>  break;
>  }
>  }
> diff --git a/hw/input/adb-mouse.c b/hw/input/adb-mouse.c
> index 47e88faf25..3ba6027d33 100644
> --- a/hw/input/adb-mouse.c
> +++ b/hw/input/adb-mouse.c
> @@ -118,6 +118,7 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
>  s->dx = 0;
>  s->dy = 0;
>  s->dz = 0;
> +trace_adb_mouse_flush();
>  return 0;
>  }
>  
> @@ -138,6 +139,7 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
>  case ADB_CMD_CHANGE_ID_AND_ACT:
>  case ADB_CMD_CHANGE_ID_AND_ENABLE:
>  d->devaddr = buf[1] & 0xf;
> +trace_adb_mouse_request_change_addr(d->devaddr);
>  break;
>  default:
>  d->devaddr = buf[1] & 0xf;
> @@ -155,6 +157,9 @@ static int adb_mouse_request(ADBDevice *d, uint8_t *obuf,
>  if (buf[2] == 1 || buf[2] == 2) {
>  d->handler = buf[2];
>  }
> +
> +trace_adb_mouse_request_change_addr_and_handler(d->devaddr,
> +d->handler);
>  break;
>  }
>  }
> diff --git a/hw/input/trace-events b/hw/input/trace-events
> index 5affabc81d..db72484a25 100644
> --- a/hw/input/trace-events
> +++ b/hw/input/trace-events
> @@ -4,10 +4,15 @@
>  adb_kbd_no_key(void) "Ignoring NO_KEY"
>  adb_kbd_writereg(int reg, uint8_t val) "reg %d val 0x%2.2x"
>  adb_kbd_readreg(int reg, uint8_t val0, uint8_t val1) "reg %d obuf[0] 0x%2.2x 
> obuf[1] 0x%2.2x"
> +adb_kbd_request_change_addr(int devaddr) "change addr to 0x%x"
> +adb_kbd_request_change_addr_and_handler(int devaddr, int handler) "change 
> addr and handler to 0x%x, 0x%x"
>  
>  # hw/input/adb-mouse.c
> +adb_mouse_flush(void) "flush"
>  adb_mouse_writereg(int reg, uint8_t val) "reg %d val 0x%2.2x"
>  adb_mouse_readreg(int reg, uint8_t val0, uint8_t val1) "reg %d obuf[0] 
> 0x%2.2x obuf[1] 0x%2.2x"
> +adb_mouse_request_change_addr(int devaddr) "change addr to 0x%x"
> +adb_mouse_request_change_addr_and_handler(int devaddr, int handler) "change 
> addr and handler to 0x%x, 0x%x"
>  
>  # hw/input/ps2.c
>  ps2_put_keycode(void *opaque, int keycode) "%p keycode 0x%02x"

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


[Qemu-devel] question about "warning: TCG doesn't support requested feature: CPUID.01H:ECX.f16c "

2018-03-05 Thread Wangjintang
Hi all,

We run an application with qemu and get the error below; the reason is that
"TCG doesn't support requested feature: CPUID.01H:ECX.f16c".
Does TCG in qemu support "CPUID.01H:ECX.f16c"?
If TCG in qemu supports it, then how do we use it?  Thanks.

$ sudo  ./qemu-2.11.1_bin/bin/qemu-system-x86_64 -cpu Skylake-Server -M q35 -m 
4096 -smp 1 -nographic  -kernel bzImage-4.4.0 -initrd 
initrd.img-4.4.0-31-generic  -append "root=/dev/vda1 console=ttyS0" -boot d 
-drive if=virtio,file=./ubuntu2.img -net nic,model=virtio -net 
tap,ifname=tap26,script=no,downscript=no
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.fma [bit 12]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.pcid [bit 17]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.x2apic [bit 21]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.tsc-deadline [bit 24]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.avx [bit 28]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.f16c [bit 29]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.01H:ECX.rdrand [bit 30]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx2 [bit 5]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.invpcid [bit 10]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.rtm [bit 11]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx512f [bit 16]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx512dq [bit 17]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.rdseed [bit 18]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx512cd [bit 28]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx512bw [bit 30]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.07H:EBX.avx512vl [bit 31]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.8001H:ECX.3dnowprefetch [bit 8]
qemu-system-x86_64: warning: TCG doesn't support requested feature: 
CPUID.0DH:EAX.xsavec [bit 1]
SeaBIOS (version rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org)
 

Regards,
Wang Jintang 
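As an added example (not part of the question and not QEMU code): turning the warnings above into an explicit -cpu string. TCG already strips the bits it cannot emulate from the guest-visible CPUID, so the explicit form changes nothing for the guest except silencing the warnings; it does not make f16c work under TCG. The sample stderr is constructed from the lines in the question, and parse_tcg_warnings, cpu_option and cpuid_masks are names chosen for this example.

```python
"""Added example, not from the question or from QEMU: parse QEMU's
"TCG doesn't support requested feature" warnings and build a -cpu string
that switches those features off explicitly.  Names and the sample stderr
are constructed for this example."""
import re
from collections import namedtuple

Feature = namedtuple("Feature", "leaf reg name bit")

# One warning per line, e.g.
# qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.f16c [bit 29]
_WARN_RE = re.compile(
    r"TCG doesn't support requested feature: "
    r"CPUID\.(?P<leaf>[0-9A-Fa-f]+)H:(?P<reg>E[ABCD]X)\.(?P<name>[\w.-]+) \[bit (?P<bit>\d+)\]"
)


def parse_tcg_warnings(text):
    """Unsupported features in the order QEMU reported them, duplicates dropped."""
    seen = []
    for line in text.splitlines():
        m = _WARN_RE.search(line)
        if not m:
            continue
        f = Feature(int(m["leaf"], 16), m["reg"], m["name"], int(m["bit"]))
        if f not in seen:
            seen.append(f)
    return seen


def cpu_option(model, features):
    """-cpu value with every listed feature disabled, e.g. 'Skylake-Server,f16c=off'."""
    return ",".join([model] + [f"{f.name}=off" for f in features])


def cpuid_masks(features):
    """(leaf, register) -> bitmask of the CPUID bits TCG will leave clear."""
    masks = {}
    for f in features:
        key = (f.leaf, f.reg)
        masks[key] = masks.get(key, 0) | (1 << f.bit)
    return masks


# Constructed from the warnings quoted in the question (QEMU 2.11, -cpu Skylake-Server).
SAMPLE_STDERR = """\
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.fma [bit 12]
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.pcid [bit 17]
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.f16c [bit 29]
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.01H:ECX.rdrand [bit 30]
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.07H:EBX.avx2 [bit 5]
qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.80000001H:ECX.3dnowprefetch [bit 8]
SeaBIOS (version rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org)
"""

if __name__ == "__main__":
    feats = parse_tcg_warnings(SAMPLE_STDERR)
    print("-cpu", cpu_option("Skylake-Server", feats))
    for (leaf, reg), mask in sorted(cpuid_masks(feats).items()):
        print(f"CPUID.{leaf:02X}H:{reg} bits cleared by TCG: 0x{mask:08x}")
```

The feature names in the warnings are the same property names the -cpu option accepts, so the output can be passed straight back on the command line. The guest only gets f16c, rdrand and the rest for real when QEMU runs with hardware acceleration (-enable-kvm) on a host CPU that has them; the rdrand case is worth remembering for guests that expect hardware entropy.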
 



Re: [Qemu-devel] [PATCHv1 00/14] Translation loop conversion for sh4/sparc/mips/s390x/openrisc targets

2018-03-05 Thread Emilio G. Cota
On Tue, Mar 06, 2018 at 12:57:13 +1300, Michael Clark wrote:
> On Fri, Mar 2, 2018 at 11:53 AM, Emilio G. Cota  wrote:
> 
> > [ What is this all about? See this message:
> >   http://lists.gnu.org/archive/html/qemu-devel/2018-02/msg04785.html ]
(snip)
> > You can fetch this series from:
> >   https://github.com/cota/qemu/tree/trloop-conv-v1
> 
> 
> Curious to know what we would need to change in RISC-V translate.c:
> 
> -
> https://github.com/riscv/riscv-qemu/blob/qemu-upstream-v8/target/riscv/translate.c
> 
> I'm going to make a v8.1 branch and tag that is a rebase of the v8 patch
> series against current QEMU master, and hopefully we get the RISC-V port
> merged before the soft-freeze. Fingers crossed.

I have patches that convert riscv as well.

Once riscv is on master I'll send the patches to the list; I don't want
this work to delay the riscv merge even more!

Emilio



[Qemu-devel] [PATCH] README: Fix typo 'git-publish'

2018-03-05 Thread Fam Zheng
Reported-by: Alberto Garcia 
Signed-off-by: Fam Zheng 
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 7833b97365..49a9fd09cd 100644
--- a/README
+++ b/README
@@ -73,7 +73,7 @@ The QEMU website is also maintained under source control.
   git clone git://git.qemu.org/qemu-web.git
   https://www.qemu.org/2017/02/04/the-new-qemu-website-is-up/
 
-A 'git-profile' utility was created to make above process less
+A 'git-publish' utility was created to make above process less
 cumbersome, and is highly recommended for making regular contributions,
 or even just for sending consecutive patch series revisions. It also
 requires a working 'git send-email' setup, and by default doesn't
-- 
2.14.3




Re: [Qemu-devel] [PATCH v3 2/3] virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT

2018-03-05 Thread Michael S. Tsirkin
On Tue, Mar 06, 2018 at 09:54:49AM +0800, Wei Wang wrote:
> On 03/05/2018 10:09 PM, Michael S. Tsirkin wrote:
> > On Mon, Mar 05, 2018 at 11:36:15AM +0800, Wei Wang wrote:
> > > On 03/03/2018 02:37 AM, Michael S. Tsirkin wrote:
> > > > On Fri, Mar 02, 2018 at 04:47:29PM +0800, Wei Wang wrote:
> > > > > diff --git a/include/sysemu/balloon.h b/include/sysemu/balloon.h
> > > > > index af49e19..16a2aae 100644
> > > > > --- a/include/sysemu/balloon.h
> > > > > +++ b/include/sysemu/balloon.h
> > > > ...
> > > > 
> > > > > +typedef void (QEMUBalloonFreePageStart)(void *opaque);
> > > > > +typedef void (QEMUBalloonFreePageStop)(void *opaque);
> > > > So I think the rule is that no bitmap sync must happen
> > > > between these two, otherwise a hint might arrive and
> > > > override the sync output.
> > > > 
> > > > Should be documented I think.
> > > > 
> > > Yes, agree.
> > Ideally we'd also detect violations and trigger an assert.
> 
> How about just invoking
> 
> if (rs->free_page_support)
> balloon_free_page_stop();
> 
> at the beginning of migration_bitmap_sync()? (balloon_free_page_stop will
> just return if the optimization has stopped.)
> 
> In this way, we can always have the guarantee that "no bitmap sync must
> happen between these two"

Why not. And in fact you can do balloon_free_page_start at the
end of sync.

> 
> > 
> > > How about adding the following new balloon API explanation to
> > > this patch's commit:
> > > 
> > >  - balloon_free_page_start: Callers call this API to obtain guest free
> > >page hints, and clear the related bits from the migration dirty
> > > bitmap.
> > >The whole process is implemented in a new thread independent of the
> > >migration thread. Free page hints imply the part of guest memory is
> > >likely to be free without a guarantee. That is, the reported free
> > > pages
> > >may not be free any more when QEMU receives them, so callers are
> > >responsible for detecting those pages that are not free pages after
> > > the
> > >bits are cleared from the dirty bitmap. To ensure the above, this 
> > > API
> > >should be used when the migration dirty logging mechanism (e.g.
> > >guest memory write-protection) has started.
> > > 
> > >  - balloon_free_page_stop: Callers call this API to stop the guest 
> > > from
> > >reporting free page hints. Bits from the dirty bitmap are safe to
> > >be cleared on condition that the dirty logging mechanism is 
> > > recording
> > >pages that the guest has written to. To avoid the case that 
> > > clearing
> > >bits of free page hints overrides the dirty bits offered by the 
> > > dirty
> > >logging mechanism, this API is suggested to be called before QEMU
> > >synchronizes the dirty logging bitmap.
> > > 
> > >  - balloon_free_page_support: This API is called to check whether the
> > >balloon device supports the guest free page reporting feature. The
> > >balloon_free_page_start and balloon_free_page_stop APIs should be 
> > > used
> > >only when this API returns true.
> > > 
> > > 
> > > Best,
> > > Wei
> > I find this more confusing than explaining.
> > 
> > Let me try
> > 
> > balloon_free_page_start - start guest free page hint reporting.
> > Note: balloon will report pages which were free at the time
> > of this call. As the reporting happens asynchronously,
> > we rely on dirty logging to be started before this call is made.
> > 
> > The dirty logging bitmap must be synchronized before this call
> > and then after balloon_free_page_stop.
> 
> I think it would be better to remove the above one sentence.
> I agree "No dirty bitmap synchronizations are allowed between
> balloon_free_page_start and balloon_free_page_stop", but "The dirty logging
> bitmap MUST be synchronized before balloon_free_page_start" seems confusing,
> for example the bulk stage doesn't have to start with a bitmap sync.

OK I guess "dirty logging must be enabled" would be better.
And with the above we can say hinting must be disabled
before the logging bitmap is synchronized.

> 
> > 
> > balloon_free_page_stop: stop the guest reporting
> > of free pages. dirty logging bitmap can be synchronized
> > after this point.
> > 
> > No bitmap synchronizations are allowed between these two points.
> > 
> 
> Best,
> Wei



Re: [Qemu-devel] [PATCH v3 2/3] virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT

2018-03-05 Thread Wei Wang

On 03/05/2018 10:09 PM, Michael S. Tsirkin wrote:

On Mon, Mar 05, 2018 at 11:36:15AM +0800, Wei Wang wrote:

On 03/03/2018 02:37 AM, Michael S. Tsirkin wrote:

On Fri, Mar 02, 2018 at 04:47:29PM +0800, Wei Wang wrote:

diff --git a/include/sysemu/balloon.h b/include/sysemu/balloon.h
index af49e19..16a2aae 100644
--- a/include/sysemu/balloon.h
+++ b/include/sysemu/balloon.h

...


+typedef void (QEMUBalloonFreePageStart)(void *opaque);
+typedef void (QEMUBalloonFreePageStop)(void *opaque);

So I think the rule is that no bitmap sync must happen
between these two, otherwise a hint might arrive and
override the sync output.

Should be documented I think.


Yes, agree.

Ideally we'd also detect violations and trigger an assert.


How about just invoking

if (rs->free_page_support) {
    balloon_free_page_stop();
}

at the beginning of migration_bitmap_sync()? (balloon_free_page_stop 
will just return if the optimization has stopped.)

How about adding the following new balloon API explanation to
this patch's commit:

 - balloon_free_page_start: Callers call this API to obtain guest free
   page hints, and clear the related bits from the migration dirty bitmap.
   The whole process is implemented in a new thread independent of the
   migration thread. Free page hints imply the part of guest memory is
   likely to be free without a guarantee. That is, the reported free pages
   may not be free any more when QEMU receives them, so callers are
   responsible for detecting those pages that are not free pages after the
   bits are cleared from the dirty bitmap. To ensure the above, this API
   should be used when the migration dirty logging mechanism (e.g.
   guest memory write-protection) has started.

 - balloon_free_page_stop: Callers call this API to stop the guest from
   reporting free page hints. Bits from the dirty bitmap are safe to
   be cleared on condition that the dirty logging mechanism is recording
   pages that the guest has written to. To avoid the case that clearing
   bits of free page hints overrides the dirty bits offered by the dirty
   logging mechanism, this API is suggested to be called before QEMU
   synchronizes the dirty logging bitmap.

 - balloon_free_page_support: This API is called to check whether the
   balloon device supports the guest free page reporting feature. The
   balloon_free_page_start and balloon_free_page_stop APIs should be used
   only when this API returns true.


Best,
Wei

I find this more confusing than explaining.

Let me try

balloon_free_page_start - start guest free page hint reporting.
Note: balloon will report pages which were free at the time
of this call. As the reporting happens asynchronously,
we rely on dirty logging to be started before this call is made.

The dirty logging bitmap must be synchronized before this call
and then after balloon_free_page_stop.


I think it would be better to remove the above one sentence.
I agree "No dirty bitmap synchronizations are allowed between 
balloon_free_page_start and balloon_free_page_stop", but "The dirty 
logging bitmap MUST be synchronized before balloon_free_page_start" 
seems confusing, for example the bulk stage doesn't have to start with a 
bitmap sync.

balloon_free_page_stop: stop the guest reporting
of free pages. dirty logging bitmap can be synchronized
after this point.

No bitmap synchronizations are allowed between these two points.



Best,
Wei
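The ordering rule the two of you converge on above (no dirty bitmap sync between balloon_free_page_start and balloon_free_page_stop, and Wei's suggestion of calling stop at the top of migration_bitmap_sync) is small enough to model in a few lines of C. This is an added example, not QEMU code: ToyRamState and every toy_* function are invented stand-ins for the migration bitmap, the dirty log and the balloon API, kept just detailed enough to show why a sync in the wrong place loses a guest write.

```c
/* Added example, not QEMU code: toy model of the free-page-hint /
 * dirty-bitmap-sync ordering rule. All names here are invented. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t migration_bitmap; /* bit set: page still has to be sent */
    uint64_t dirty_log;        /* bits recorded by dirty logging on guest writes */
    bool logging;              /* dirty logging enabled */
    bool hinting;              /* between free_page_start and free_page_stop */
    bool free_page_support;    /* balloon negotiated the hint feature */
} ToyRamState;

typedef enum { SYNC_NONE, SYNC_RAW, SYNC_GUARDED } MidSync;

/* Guest writes a page; the dirty logging mechanism records it. */
static void toy_guest_write(ToyRamState *rs, unsigned page)
{
    if (rs->logging) {
        rs->dirty_log |= 1ULL << page;
    }
}

/* balloon_free_page_start: the guest reports pages free *now*, but the
 * report arrives later, so dirty logging must already be running. */
static void toy_free_page_start(ToyRamState *rs)
{
    assert(rs->logging);
    rs->hinting = true;
}

static void toy_free_page_stop(ToyRamState *rs)
{
    rs->hinting = false;
}

/* A hint arrives: clear the bits for pages the guest reported as free.
 * Hints after stop are dropped (the real stop waits for the hint thread). */
static void toy_apply_hint(ToyRamState *rs, uint64_t free_pages)
{
    if (rs->hinting) {
        rs->migration_bitmap &= ~free_pages;
    }
}

/* Unguarded migration_bitmap_sync: fold the dirty log into the bitmap. */
static void toy_raw_sync(ToyRamState *rs)
{
    rs->migration_bitmap |= rs->dirty_log;
    rs->dirty_log = 0;
}

/* Sync with the guard proposed in the thread: stop hinting first, so no
 * late hint can clear a bit this sync just set. */
static void toy_guarded_sync(ToyRamState *rs)
{
    if (rs->free_page_support) {
        toy_free_page_stop(rs);
    }
    assert(!rs->hinting);
    toy_raw_sync(rs);
}

/* Page 5 is free when hinting starts, the guest then reuses and writes it,
 * and the stale hint for page 5 arrives after an optional mid-way sync.
 * Returns true if the write is still reflected in the migration bitmap. */
static bool toy_write_survives(MidSync mid)
{
    ToyRamState rs;
    const uint64_t page5 = 1ULL << 5;

    memset(&rs, 0, sizeof(rs));
    rs.logging = true;
    rs.free_page_support = true;
    rs.migration_bitmap = 0;        /* bulk stage done: nothing pending */

    toy_free_page_start(&rs);       /* page 5 is genuinely free here */
    toy_guest_write(&rs, 5);        /* guest allocates and writes page 5 */
    if (mid == SYNC_RAW) {
        toy_raw_sync(&rs);          /* bit 5 set, dirty log drained */
    } else if (mid == SYNC_GUARDED) {
        toy_guarded_sync(&rs);      /* same, but hinting is now off */
    }
    toy_apply_hint(&rs, page5);     /* stale hint; honoured only while hinting */
    toy_free_page_stop(&rs);
    toy_raw_sync(&rs);              /* the sync that legitimately follows stop */
    return (rs.migration_bitmap & page5) != 0;
}

int main(void)
{
    printf("no sync between start/stop:  %s\n", toy_write_survives(SYNC_NONE) ? "kept" : "LOST");
    printf("raw sync between start/stop: %s\n", toy_write_survives(SYNC_RAW) ? "kept" : "LOST");
    printf("guarded sync (stop first):   %s\n", toy_write_survives(SYNC_GUARDED) ? "kept" : "LOST");
    return 0;
}
```

SYNC_NONE is the by-the-rules ordering: the hint clears a bit that is already clear, and the sync after stop re-marks page 5. SYNC_RAW is the violation: the sync moves the write into the bitmap and drains the dirty log, then the stale hint erases the bit and nothing afterwards restores it, so the destination keeps stale page contents. SYNC_GUARDED is the stop-at-top-of-sync variant, which turns the late hint into a no-op.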



Re: [Qemu-devel] [PULL] RISC-V QEMU Port Submission v8

2018-03-05 Thread Michael Clark
On Tue, Mar 6, 2018 at 12:10 PM, Michael Clark  wrote:

>
>
> On Sun, Mar 4, 2018 at 11:52 AM, Peter Maydell 
> wrote:
>
>> On 3 March 2018 at 02:46, Michael Clark  wrote:
>> > On Sat, Mar 3, 2018 at 3:22 AM, Peter Maydell
>> > wrote:
>> >> Please don't send pull requests until after patches have been put
>> >> on list and been reviewed. A minor update to a pullreq is OK if
>> >> it's something like a trivial compiler fix or just dropping some
>> >> patches that had problems, but if you have this many changes that
>> >> deserves a fresh patchset to be sent to the list for review.
>> >>
>> >> (For the QEMU workflow, a pull request isn't a request for patch
>> >> review, it's a statement that patches have all had review and
>> >> are ready to go into master immediately.)
>> >
>> >
>> > My apologies. I won't do this again.
>>
>> No worries, it's just a workflow thing (which differs a lot from
>> project to project), and we don't really have much documentation
>> on the submaintainer part of the process. (What we do have is here:
>> https://wiki.qemu.org/Contribute/SubmitAPullRequest  )
>>
>> The basic idea is that for us code review happens in the "patches
>> posted to list" phase, and then "pull request" is pretty much
>> the same as "commit to master". As the submaintainer you review,
>> test and accumulate in a branch patches from yourself and other
>> people, and then send them out in a pull request. In the ideal
>> case that goes straight into master without problems. Sometimes
>> it runs into trouble (like a compile issue on an oddball platform),
>> and then rather than going through the whole process again for
>> something as small as a messed up format string you can just fix
>> and resend the pullreq. (There are examples of this on list at
>> the moment, for instance.)
>> Bigger stuff it's usually easier to drop the relevant patches
>> from the pull, and then respin them and resend for review before
>> putting them in a later pull. The dividing line for what you
>> can get away with fixing up locally and what you can't is
>> kind of similar to what you can tweak without needing to drop
>> a reviewed-by: tag from a changed patch and get it re-reviewed.
>> When you get familiar with the process and what people do you
>> can take shortcuts sometimes (this is me posting what I'm
>> going to squash into a patch as a followup, to save reposting
>> a 20 patch series, for instance:
>> http://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg00310.html).
>> For getting started as a submaintainer, it's probably easiest
>> to follow the 'by the book' process: patches go to mailing
>> list as 'PATCH', get review, changes made, patch series resent,
>> reviewed patches go into pull requests. (The idea is to ensure
>> that anything that goes into master has been on list for at
>> least a few days so people who want to review can do so.)
>>
>> > I have some very very minor cleanups that do not affect logic, but
>> perhaps
>> > we could address this after getting approval to make a pull request for
>> v8.
>> >
>> > My qemu-devel branch holds changes against the latest rebase:
>> >
>> > - https://github.com/michaeljclark/riscv-qemu/tree/qemu-devel
>> >
>> > Someone raised timebase frequency on the RISC-V sw-dev and after
>> looking at
>> > the code I noticed we had a hard-coded value for a few of the constants
>> we
>> > put in device tree, and I spotted a missed rename. I'm going to have to
>> > learn about the qemu-devel process for trivial fixes...
>>
>> I would probably squash in the missed rename into the relevant
>> patch, at any rate. The rest can probably go through the post
>> patch/get review/sent pull request cycle after this first lot
>> have been applied.
>>
>
> It seems I need to rebase against master based on recent changes, so I'll
> make a v9 tag, include the minimal missed rename but excluding my queued
> changes. The changes in v8 are the minimum required to allow us to keep the
> SiFive machines as we renamed them and added the SiFive cpu models. The
> essence of the v8 patch series.
>
> The trivial fixes to v8 ended up becoming non-trivial and now include a
> lot of specification conformance issues (essentially specification related
> bug fixes) and a fix for a potential buffer overflow wrt. device-tree, that
> doesn't appear to trigger in practice. I was also able to shed some dead
> code (machines aren't objects, so empty object boilerplate was removed):
>
> - https://github.com/riscv/riscv-qemu/pull/112
>
> We'll hold off merging these changes into the v8 branch, and will send
> them as a post merge cleanup and bugfix patch series, hopefully after
> getting the port merged.
>
> I'll get back to you when I have rebased against master...
>

I've squashed the trivial spike rename fix and rebased against master as of
commit f2bb2d14c2958f3f5aef456bd2cdb1ff99f4a562 Merge remote-tracking
branch 

Re: [Qemu-devel] [PATCH v3 2/5] qmp: distinguish PC-DIMM and NVDIMM in MemoryDeviceInfoList

2018-03-05 Thread Haozhong Zhang
On 03/05/18 13:14 -0600, Eric Blake wrote:
> On 03/05/2018 12:57 AM, Haozhong Zhang wrote:
> > It may need to treat PC-DIMM and NVDIMM differently, e.g., when
> > deciding the necessity of non-volatile flag bit in SRAT memory
> > affinity structures.
> > 
> > NVDIMMDeviceInfo, which inherits from PCDIMMDeviceInfo, is added to
> > union type MemoryDeviceInfo to record information of NVDIMM devices.
> > The NVDIMM-specific data is currently left empty and will be filled
> > when necessary in the future.
> > 
> > Signed-off-by: Haozhong Zhang 
> > ---
> >   hmp.c| 14 +++---
> >   hw/mem/pc-dimm.c | 20 ++--
> >   numa.c   | 19 +--
> >   qapi-schema.json | 18 +-
> 
> Will need rebasing now that the contents live in qapi/misc.json.

will do

> 
> > +++ b/qapi-schema.json
> > @@ -2920,6 +2920,18 @@
> > }
> >   }
> > +##
> > +# @NVDIMMDeviceInfo:
> > +#
> > +# NVDIMMDevice state information
> > +#
> > +# Since: 2.12
> > +##
> > +{ 'struct': 'NVDIMMDeviceInfo',
> > +  'base': 'PCDIMMDeviceInfo',
> > +  'data': {}
> > +}
> 
> You added no data, so why did you need the type?
> 
> > +
> >   ##
> >   # @MemoryDeviceInfo:
> >   #
> > @@ -2927,7 +2939,11 @@
> >   #
> >   # Since: 2.1
> >   ##
> > -{ 'union': 'MemoryDeviceInfo', 'data': {'dimm': 'PCDIMMDeviceInfo'} }
> > +{ 'union': 'MemoryDeviceInfo',
> > +  'data': { 'dimm': 'PCDIMMDeviceInfo',
> > +'nvdimm': 'NVDIMMDeviceInfo'
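Review bot: the unchanged doc comment for @MemoryDeviceInfo in the context lines above still carries only "Since: 2.1", while this hunk adds a new 'nvdimm' branch; the branch needs its own since annotation in that comment (the NVDIMMDeviceInfo struct earlier in the patch says 2.12) so the schema documentation records when it appeared.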
> 
> Names aren't part of the interface; would it be better to rename
> PCDIMMDeviceInfo into something that can be generically shared between both
> the 'dimm' and 'nvdimm' branches without having to create a pointless
> subtype?
>

The purpose of this NVDIMMDeviceInfo is to introduce
MEMORY_DEVICE_INFO_KIND_NVDIMM, which can be used to distinguish
NVDIMM from PC-DIMM in the list returned from query-memory-device.

If 'data' of NVDIMMDeviceInfo is filled with NVDIMM-specific
information (there is some), would it make this type less
pointless?

Thanks,
Haozhong



Re: [Qemu-devel] [RFC PATCH v2 03/22] hw/input/i8042: Extract declarations from i386/pc.h into input/i8042.h

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 06:19:09PM -0300, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 

hw/ppc part
Acked-by: David Gibson 

> ---
>  include/hw/i386/pc.h |  9 -
>  include/hw/input/i8042.h | 24 
>  hw/alpha/dp264.c |  3 ++-
>  hw/i386/pc.c |  1 +
>  hw/i386/vmmouse.c|  1 +
>  hw/i386/vmport.c |  1 +
>  hw/input/pckbd.c |  2 +-
>  hw/mips/mips_fulong2e.c  |  3 ++-
>  hw/mips/mips_jazz.c  |  1 +
>  hw/mips/mips_malta.c |  3 ++-
>  hw/mips/mips_r4k.c   |  3 ++-
>  hw/ppc/prep.c|  5 +++--
>  hw/sparc64/sun4u.c   |  1 +
>  hw/unicore32/puv3.c  |  1 +
>  MAINTAINERS  |  1 +
>  15 files changed, 43 insertions(+), 16 deletions(-)
>  create mode 100644 include/hw/input/i8042.h
> 
> diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
> index f1feb18c3c..1638618dfc 100644
> --- a/include/hw/i386/pc.h
> +++ b/include/hw/i386/pc.h
> @@ -188,15 +188,6 @@ void vmport_register(unsigned char command, 
> VMPortReadFunc *func, void *opaque);
>  void vmmouse_get_data(uint32_t *data);
>  void vmmouse_set_data(const uint32_t *data);
>  
> -/* pckbd.c */
> -#define I8042_A20_LINE "a20"
> -
> -void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
> -   MemoryRegion *region, ram_addr_t size,
> -   hwaddr mask);
> -void i8042_isa_mouse_fake_event(void *opaque);
> -void i8042_setup_a20_line(ISADevice *dev, qemu_irq a20_out);
> -
>  /* pc.c */
>  extern int fd_bootchk;
>  
> diff --git a/include/hw/input/i8042.h b/include/hw/input/i8042.h
> new file mode 100644
> index 00..f6ff146364
> --- /dev/null
> +++ b/include/hw/input/i8042.h
> @@ -0,0 +1,24 @@
> +/*
> + * QEMU PS/2 Controller
> + *
> + * Copyright (c) 2003 Fabrice Bellard
> + *
> + * SPDX-License-Identifier: MIT
> + */
> +#ifndef HW_INPUT_I8042_H
> +#define HW_INPUT_I8042_H
> +
> +#include "hw/hw.h"
> +#include "hw/isa/isa.h"
> +
> +#define TYPE_I8042 "i8042"
> +
> +#define I8042_A20_LINE "a20"
> +
> +void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
> +   MemoryRegion *region, ram_addr_t size,
> +   hwaddr mask);
> +void i8042_isa_mouse_fake_event(void *opaque);
> +void i8042_setup_a20_line(ISADevice *dev, qemu_irq a20_out);
> +
> +#endif /* HW_INPUT_I8042_H */
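Review bot: the new header uses qemu_irq, MemoryRegion, ram_addr_t, hwaddr and ISADevice but includes only "hw/hw.h" and "hw/isa/isa.h", so it compiles only through what those two pull in transitively; consider including "exec/memory.h" (or at least "exec/hwaddr.h") directly so hw/input/i8042.h stays self-contained if hw/hw.h is slimmed down later. The copyright line names Fabrice Bellard 2003 with an SPDX MIT tag; that should match the license text of the file the declarations came from.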
> diff --git a/hw/alpha/dp264.c b/hw/alpha/dp264.c
> index 766373eec7..e13cb576fd 100644
> --- a/hw/alpha/dp264.c
> +++ b/hw/alpha/dp264.c
> @@ -19,6 +19,7 @@
>  #include "hw/timer/mc146818rtc.h"
>  #include "hw/ide.h"
>  #include "hw/timer/i8254.h"
> +#include "hw/input/i8042.h"
>  #include "hw/char/serial.h"
>  #include "qemu/cutils.h"
>  
> @@ -81,7 +82,7 @@ static void clipper_init(MachineState *machine)
>  mc146818_rtc_init(isa_bus, 1900, rtc_irq);
>  
>  i8254_pit_init(isa_bus, 0x40, 0, NULL);
> -isa_create_simple(isa_bus, "i8042");
> +isa_create_simple(isa_bus, TYPE_I8042);
>  
>  /* VGA setup.  Don't bother loading the bios.  */
>  pci_vga_init(pci_bus);
> diff --git a/hw/i386/pc.c b/hw/i386/pc.c
> index 95b3fb3523..efb1b3bccf 100644
> --- a/hw/i386/pc.c
> +++ b/hw/i386/pc.c
> @@ -43,6 +43,7 @@
>  #include "hw/timer/mc146818rtc.h"
>  #include "hw/dma/i8257.h"
>  #include "hw/timer/i8254.h"
> +#include "hw/input/i8042.h"
>  #include "hw/audio/pcspk.h"
>  #include "hw/pci/msi.h"
>  #include "hw/sysbus.h"
> diff --git a/hw/i386/vmmouse.c b/hw/i386/vmmouse.c
> index 65ef55329e..5d2d278be4 100644
> --- a/hw/i386/vmmouse.c
> +++ b/hw/i386/vmmouse.c
> @@ -25,6 +25,7 @@
>  #include "hw/hw.h"
>  #include "ui/console.h"
>  #include "hw/i386/pc.h"
> +#include "hw/input/i8042.h"
>  #include "hw/qdev.h"
>  
>  /* debug only vmmouse */
> diff --git a/hw/i386/vmport.c b/hw/i386/vmport.c
> index 116aa09819..3bf8cfe041 100644
> --- a/hw/i386/vmport.c
> +++ b/hw/i386/vmport.c
> @@ -25,6 +25,7 @@
>  #include "hw/hw.h"
>  #include "hw/isa/isa.h"
>  #include "hw/i386/pc.h"
> +#include "hw/input/i8042.h"
>  #include "sysemu/hw_accel.h"
>  #include "hw/qdev.h"
>  #include "qemu/log.h"
> diff --git a/hw/input/pckbd.c b/hw/input/pckbd.c
> index c479f827b6..f17f18e51b 100644
> --- a/hw/input/pckbd.c
> +++ b/hw/input/pckbd.c
> @@ -26,6 +26,7 @@
>  #include "hw/isa/isa.h"
>  #include "hw/i386/pc.h"
>  #include "hw/input/ps2.h"
> +#include "hw/input/i8042.h"
>  #include "sysemu/sysemu.h"
>  
>  /* debug PC keyboard */
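Review bot: hw/input/pckbd.c keeps #include "hw/i386/pc.h" even though the i8042 declarations it needed now live in hw/input/i8042.h; if nothing else from the PC header is used in this file, drop that include so the controller model no longer depends on an x86-specific header, which is the point of extracting the declarations.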
> @@ -480,7 +481,6 @@ void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
>  qemu_register_reset(kbd_reset, s);
>  }
>  
> -#define TYPE_I8042 "i8042"
>  #define I8042(obj) OBJECT_CHECK(ISAKBDState, (obj), TYPE_I8042)
>  
>  typedef struct ISAKBDState {
> diff --git a/hw/mips/mips_fulong2e.c b/hw/mips/mips_fulong2e.c
> index 0545fcd899..9339e02120 100644
> --- a/hw/mips/mips_fulong2e.c
> +++ b/hw/mips/mips_fulong2e.c
> @@ -44,6 +44,7 @@
>  #include "hw/isa/vt82c686.h"
>  #include "hw/timer/mc146818rtc.h"
>  

Re: [Qemu-devel] [RFC PATCH v2 04/22] hw/isa/pc87312: Rename the device type as TYPE_PC87312_SUPERIO

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 06:19:10PM -0300, Philippe Mathieu-Daudé wrote:
> Signed-off-by: Philippe Mathieu-Daudé 

hw/ppc part
Acked-by: David Gibson 

> ---
>  include/hw/isa/pc87312.h | 4 ++--
>  hw/isa/pc87312.c | 2 +-
>  hw/ppc/prep.c| 2 +-
>  3 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/include/hw/isa/pc87312.h b/include/hw/isa/pc87312.h
> index bf74470d40..710eb1c807 100644
> --- a/include/hw/isa/pc87312.h
> +++ b/include/hw/isa/pc87312.h
> @@ -28,8 +28,8 @@
>  #include "hw/isa/isa.h"
>  
>  
> -#define TYPE_PC87312 "pc87312"
> -#define PC87312(obj) OBJECT_CHECK(PC87312State, (obj), TYPE_PC87312)
> +#define TYPE_PC87312_SUPERIO "pc87312"
> +#define PC87312(obj) OBJECT_CHECK(PC87312State, (obj), TYPE_PC87312_SUPERIO)
>  
>  typedef struct PC87312State {
>  ISADevice dev;
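Review bot: the commit message is just the subject plus Signed-off-by; say why the type constant gains a _SUPERIO suffix while the QOM name string "pc87312", the PC87312() cast macro and PC87312State keep their old names, otherwise a reader has to guess whether a later patch introduces another TYPE_PC87312_* constant. Leaving the string itself unchanged is right, since that is what existing -device command lines refer to.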
> diff --git a/hw/isa/pc87312.c b/hw/isa/pc87312.c
> index 48b29e3c3c..e9edbc6c50 100644
> --- a/hw/isa/pc87312.c
> +++ b/hw/isa/pc87312.c
> @@ -391,7 +391,7 @@ static void pc87312_class_init(ObjectClass *klass, void 
> *data)
>  }
>  
>  static const TypeInfo pc87312_type_info = {
> -.name  = TYPE_PC87312,
> +.name  = TYPE_PC87312_SUPERIO,
>  .parent= TYPE_ISA_DEVICE,
>  .instance_size = sizeof(PC87312State),
>  .instance_init = pc87312_initfn,
> diff --git a/hw/ppc/prep.c b/hw/ppc/prep.c
> index ae724b0613..610ec7ec32 100644
> --- a/hw/ppc/prep.c
> +++ b/hw/ppc/prep.c
> @@ -613,7 +613,7 @@ static void ppc_prep_init(MachineState *machine)
>  isa_bus = ISA_BUS(qdev_get_child_bus(DEVICE(pci), "isa.0"));
>  
>  /* Super I/O (parallel + serial ports) */
> -isa = isa_create(isa_bus, TYPE_PC87312);
> +isa = isa_create(isa_bus, TYPE_PC87312_SUPERIO);
>  dev = DEVICE(isa);
>  qdev_prop_set_uint8(dev, "config", 13); /* fdc, ser0, ser1, par0 */
>  qdev_init_nofail(dev);

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH 1/7] openpic_kvm: drop address_space_to_flatview call

2018-03-05 Thread David Gibson
On Mon, Mar 05, 2018 at 09:36:49AM +0100, Paolo Bonzini wrote:
> The MemoryListener is registered on address_space_memory, there is
> not much to assert.  This currently works because the callback
> is invoked only once when the listener is registered, but section->fv
> is the _new_ FlatView, not the old one on later calls and that
> would break.
> 
> This confines address_space_to_flatview to exec.c and memory.c.
> 
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Paolo Bonzini 

Acked-by: David Gibson 

Do you want me to take this through my tree?


> ---
>  hw/intc/openpic_kvm.c | 4 
>  1 file changed, 4 deletions(-)
> 
> diff --git a/hw/intc/openpic_kvm.c b/hw/intc/openpic_kvm.c
> index fa83420254..39a6f369c5 100644
> --- a/hw/intc/openpic_kvm.c
> +++ b/hw/intc/openpic_kvm.c
> @@ -124,10 +124,6 @@ static void kvm_openpic_region_add(MemoryListener 
> *listener,
>  uint64_t reg_base;
>  int ret;
>  
> -if (section->fv != address_space_to_flatview(_space_memory)) {
> -abort();
> -}
> -
>  /* Ignore events on regions that are not us */
>  if (section->mr != >mem) {
>  return;
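Review bot: the removed abort() was the only use of section->fv in kvm_openpic_region_add, and since the listener is registered on address_space_memory the comparison could only fail spuriously on later calls, so deleting it rather than relocking it is the right fix; given the Cc: qemu-stable tag it is worth stating in the commit message that this is a behaviour fix (a spurious abort on any region_add after the first) and not only a cleanup.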

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCHv1 00/14] Translation loop conversion for sh4/sparc/mips/s390x/openrisc targets

2018-03-05 Thread Michael Clark
On Fri, Mar 2, 2018 at 11:53 AM, Emilio G. Cota  wrote:

> [ What is this all about? See this message:
>   http://lists.gnu.org/archive/html/qemu-devel/2018-02/msg04785.html ]
>
> Merged the separate patchsets I sent in the last couple of weeks into
> one set. This will be easier to merge since it will avoid potential
> merge conflicts due to adding max_insns to dc->base.
>
> Changes since sending the separate series for
> sh4/sparc/mips/s390x/openrisc:
> - Rebased on top of master (669743979)
> - Added R-b's
> - sh4: no changes since v3
> - mips: no changes (no reviews yet!)
> - sparc:
>   + Use base.singlestep_enabled and singlestep like in other targets,
> e.g. Alpha.
>   + Remove the unnecessary
>  (dc.pc - pc_start) < (TARGET_PAGE_SIZE - 32))
> check.
> - s390x:
>   + Remove dc->pc, use pc_next instead as David suggested.
>   + Use dc for DisasContext instead of s.
>   + Compute next_page in translate_insn instead of keeping it in dc.
>   + Looked into dropping dc->do_debug, but don't see an easy way to do so.
> - openrisc:
>   + Consistently use DISAS_NORETURN after generating an
> exception; fixed the two call sites that Richard pointed out,
> plus a couple of others that weren't visible in the previous patch.
>   + Remove the dc->next_page_start field; instead, set the max_insn
> bound in translate_insn.
>
> You can fetch this series from:
>   https://github.com/cota/qemu/tree/trloop-conv-v1


Curious to know what we would need to change in RISC-V translate.c:

-
https://github.com/riscv/riscv-qemu/blob/qemu-upstream-v8/target/riscv/translate.c

I'm going to make a v8.1 branch and tag that is a rebase of the v8 patch
series against current QEMU master, and hopefully we get the RISC-V port
merged before the soft-freeze. Fingers crossed.

Diffstat below.
>
> Thanks,
>
> Emilio
>
>  accel/tcg/translator.c  |   21 +-
>  include/exec/translator.h   |8 +-
>  target/alpha/translate.c|6 +-
>  target/arm/translate-a64.c  |8 +-
>  target/arm/translate.c  |9 +-
>  target/hppa/translate.c |7 +-
>  target/i386/translate.c |5 +-
>  target/mips/translate.c |  623 +--
>  target/openrisc/translate.c |  226 ++--
>  target/ppc/translate.c  |5 +-
>  target/s390x/translate.c| 1527 +--
>  target/sh4/translate.c  |  171 +--
>  target/sparc/translate.c|  207 ++--
>  13 files changed, 1401 insertions(+), 1422 deletions(-)
>
>


Re: [Qemu-devel] [patches] Re: [PULL] RISC-V QEMU Port Submission

2018-03-05 Thread Michael Clark
On Tue, Mar 6, 2018 at 8:00 AM, Emilio G. Cota  wrote:

> On Sat, Mar 03, 2018 at 02:26:12 +1300, Michael Clark wrote:
> > It was qemu-2.7.50 (late 2016). The benchmarks were generated mid last
> year.
> >
> > I can run the benchmarks again... Has it doubled in speed?
>
> It depends on the benchmarks. Small-ish benchmarks such as rv8-bench
> show about a 1.5x speedup since QEMU v2.6.0 for Aarch64:
>
> Aarch64 rv8-bench performance under QEMU user-mode
>   Host: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
>
>   [ASCII bar chart: one bar group per benchmark for v2.8.0, v2.9.0, v2.10.0
>   and v2.11.0 over aes, bigint, dhrystone, miniz, norx, primes, qsort,
>   sha512 and geomean; vertical scale 0.5 to 4.5]
>   png: https://imgur.com/Agr5CJd
>
> SPEC06int shows a larger improvement, up to ~2x avg speedup for the train
> set:
>   Aarch64 SPEC06int (train set) performance under QEMU user-mode
>   Host: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
>
>   [ASCII bar chart: one bar group per benchmark for v2.8.0, v2.9.0, v2.10.0
>   and v2.11.0 over the SPEC CPU2006 integer set (401.bzip2, 403.gcc, 429.mcf,
>   445.gobmk, 456.hmmer, 462.libquantum, 464.h264ref, 471.omnetpp,
>   483.xalancbmk among others) and geomean; vertical scale 0.5 to 4]
>   png: https://imgur.com/JknVT5H
>
> Note that the test set is less sensitive to the changes:
>   https://imgur.com/W7CT0eO
>
> Running small benchmarks (such as SPEC "test" or rv8-bench) is
> very useful to get quick feedback on optimizations. However, some
> of these runs are still dominated by parts of the code that aren't
> that relevant -- for instance, some of them take so little time to
> run that the major contributor to execution time is memory allocation.
> Therefore, when publishing results it's best to stick with larger
> benchmarks that run for longer (e.g. SPEC "train" set), which are more
> sensitive to DBT performance.
>
> I tried running some other benchmarks, such as nbench[1], under rv-jit.
> I quickly get a "bus error" though -- don't know if I'm doing anything
> wrong, or maybe compiling with the glibc cross-compiler I used
> to build riscv linux isn't supported.
> I managed though to run rv8-bench on both rv-jit and qemu (v8 patchset);
> rv-jit is 1.30x faster on average for those, although note I dropped
> qsort because it wasn't working properly on rv-jit:
>

That's interesting. I know from some analysis that the current slow-down in
rv8 is mostly from accessing statically spilled registers (which in many
cases we embed in x86 memory operands to keep up code density, and make use
of the instruction cracker and uop cache in Intel's front-end). The
slowdown is mostly L1 cache latency vs register access latency given we are
emulating 31 registers on a 16 register host with a static register
allocation (based on the compiler register allocation order which optimizes
for the RVC accessible registers). With the addition of a register
allocator, I am sure I can make rv8 substantially faster. perhaps 1.7x

The user-mode emulation in rv8 is very limited, and 

Re: [Qemu-devel] [PULL] RISC-V QEMU Port Submission v8

2018-03-05 Thread Michael Clark
On Sun, Mar 4, 2018 at 11:52 AM, Peter Maydell 
wrote:

> On 3 March 2018 at 02:46, Michael Clark  wrote:
> > On Sat, Mar 3, 2018 at 3:22 AM, Peter Maydell 
> > wrote:
> >> Please don't send pull requests until after patches have been put
> >> on list and been reviewed. A minor update to a pullreq is OK if
> >> it's something like a trivial compiler fix or just dropping some
> >> patches that had problems, but if you have this many changes that
> >> deserves a fresh patchset to be sent to the list for review.
> >>
> >> (For the QEMU workflow, a pull request isn't a request for patch
> >> review, it's a statement that patches have all had review and
> >> are ready to go into master immediately.)
> >
> >
> > My apologies. I won't do this again.
>
> No worries, it's just a workflow thing (which differs a lot from
> project to project), and we don't really have much documentation
> on the submaintainer part of the process. (What we do have is here:
> https://wiki.qemu.org/Contribute/SubmitAPullRequest  )
>
> The basic idea is that for us code review happens in the "patches
> posted to list" phase, and then "pull request" is pretty much
> the same as "commit to master". As the submaintainer you review,
> test and accumulate in a branch patches from yourself and other
> people, and then send them out in a pull request. In the ideal
> case that goes straight into master without problems. Sometimes
> it runs into trouble (like a compile issue on an oddball platform),
> and then rather than going through the whole process again for
> something as small as a messed up format string you can just fix
> and resend the pullreq. (There are examples of this on list at
> the moment, for instance.)
> Bigger stuff it's usually easier to drop the relevant patches
> from the pull, and then respin them and resend for review before
> putting them in a later pull. The dividing line for what you
> can get away with fixing up locally and what you can't is
> kind of similar to what you can tweak without needing to drop
> a reviewed-by: tag from a changed patch and get it re-reviewed.
> When you get familiar with the process and what people do you
> can take shortcuts sometimes (this is me posting what I'm
> going to squash into a patch as a followup, to save reposting
> a 20 patch series, for instance:
> http://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg00310.html).
> For getting started as a submaintainer, it's probably easiest
> to follow the 'by the book' process: patches go to mailing
> list as 'PATCH', get review, changes made, patch series resent,
> reviewed patches go into pull requests. (The idea is to ensure
> that anything that goes into master has been on list for at
> least a few days so people who want to review can do so.)
>
> > I have some very very minor cleanups that do not affect logic, but
> perhaps
> > we could address this after getting approval to make a pull request for
> v8.
> >
> > My qemu-devel branch holds changes against the latest rebase:
> >
> > - https://github.com/michaeljclark/riscv-qemu/tree/qemu-devel
> >
> > Someone raised timebase frequency on the RISC-V sw-dev and after looking
> at
> > the code I noticed we had a hard-coded value for a few of the constants
> we
> > put in device tree, and I spotted a missed rename. I'm going to have to
> > learn about the qemu-devel process for trivial fixes...
>
> I would probably squash in the missed rename into the relevant
> patch, at any rate. The rest can probably go through the post
> patch/get review/sent pull request cycle after this first lot
> have been applied.
>

It seems I need to rebase against master based on recent changes, so I'll
make a v9 tag, include the minimal missed rename but excluding my queued
changes. The changes in v8 are the minimum required to allow us to keep the
SiFive machines as we renamed them and added the SiFive cpu models. The
essence of the v8 patch series.

The trivial fixes to v8 ended up becoming non-trivial and now include a
lot of specification conformance issues (essentially specification related
bug fixes) and a fix for a potential buffer overflow wrt. device-tree, that
doesn't appear to trigger in practice. I was also able to shed some dead
code (machines aren't objects, so empty object boilerplate was removed):

- https://github.com/riscv/riscv-qemu/pull/112

We'll hold off merging these changes into the v8 branch, and will send them
as a post merge cleanup and bugfix patch series, hopefully after getting
the port merged.

I'll get back to you when I have rebased against master...

We have some objectives with regards to the sifive_e and sifive_u machines,
such that we may properly abstract the SOC/board and also have a
configurable SOC as we need to model configurable soft-core IP as well as
actual SOCs based on this IP. This will be in the future. The machines at
this point are relatively simple.

Thanks,
Michael.


Re: [Qemu-devel] [PATCH v2 1/2] ipmi: Use proper struct reference for KCS vmstate

2018-03-05 Thread Corey Minyard

On 03/05/2018 08:09 AM, Dr. David Alan Gilbert wrote:

* miny...@acm.org (miny...@acm.org) wrote:

From: Corey Minyard 

The vmstate for isa_ipmi_kcs was referencing into the kcs structure,
instead create a kcs structure separate and use that.

There were also some issues in the state transfer.  The inlen field
was not being transferred, so if a transaction was in process during
the transfer it would be messed up.  And the use_irq field was
transferred, but that should come from the configuration.
And the
name on the main VMStateDescription was incorrect, it needed to be
differentiated from the BT one.

I think that's a bigger problem; let's see below.


To fix this, a new VMStateDescription is added that is hopefully
correct, and the old one is kept (modified to remove use_irq) in
a way that it can be received from the remote but will not be sent.
So an upgrade should work for KCS.

Signed-off-by: Corey Minyard 
Cc: Dr. David Alan Gilbert 
---
  hw/ipmi/isa_ipmi_kcs.c | 77 --
  1 file changed, 75 insertions(+), 2 deletions(-)

diff --git a/hw/ipmi/isa_ipmi_kcs.c b/hw/ipmi/isa_ipmi_kcs.c
index 689587b..2a2784d 100644
--- a/hw/ipmi/isa_ipmi_kcs.c
+++ b/hw/ipmi/isa_ipmi_kcs.c
@@ -422,14 +422,86 @@ static void ipmi_isa_realize(DeviceState *dev, Error 
**errp)
  isa_register_ioport(isadev, >kcs.io, iik->kcs.io_base);
  }
  
-const VMStateDescription vmstate_ISAIPMIKCSDevice = {

+static int ipmi_kcs_vmstate_post_load(void *opaque, int version)
+{
+IPMIKCS *ik = opaque;
+
+/* Make sure all the values are sane. */
+if (ik->outpos >= MAX_IPMI_MSG_SIZE || ik->outlen >= MAX_IPMI_MSG_SIZE ||
+ik->outpos >= ik->outlen) {
+ik->outpos = 0;
+ik->outlen = 0;
+}
+
+if (ik->inlen >= MAX_IPMI_MSG_SIZE) {
+ik->inlen = 0;
+}
+
+return 0;
+}
+
+static const VMStateDescription vmstate_IPMIKCS = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "kcs",
+.version_id = 1,
+.minimum_version_id = 1,
+.post_load = ipmi_kcs_vmstate_post_load,
+.fields  = (VMStateField[]) {
+VMSTATE_BOOL(obf_irq_set, IPMIKCS),
+VMSTATE_BOOL(atn_irq_set, IPMIKCS),
+VMSTATE_BOOL(irqs_enabled, IPMIKCS),
+VMSTATE_UINT32(outpos, IPMIKCS),
+VMSTATE_UINT32(outlen, IPMIKCS),
+VMSTATE_UINT8_ARRAY(outmsg, IPMIKCS, MAX_IPMI_MSG_SIZE),
+VMSTATE_UINT32(inlen, IPMIKCS),
+VMSTATE_UINT8_ARRAY(inmsg, IPMIKCS, MAX_IPMI_MSG_SIZE),
+VMSTATE_BOOL(write_end, IPMIKCS),
+VMSTATE_UINT8(status_reg, IPMIKCS),
+VMSTATE_UINT8(data_out_reg, IPMIKCS),
+VMSTATE_INT16(data_in_reg, IPMIKCS),
+VMSTATE_INT16(cmd_reg, IPMIKCS),
+VMSTATE_UINT8(waiting_rsp, IPMIKCS),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const VMStateDescription vmstate_ISAIPMIKCSDevice = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "isa-kcs",
+.version_id = 2,
+.minimum_version_id = 2,
+.fields  = (VMStateField[]) {
+VMSTATE_STRUCT(kcs, ISAIPMIKCSDevice, 1, vmstate_IPMIKCS, IPMIKCS),
+VMSTATE_END_OF_LIST()
+}
+};
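Review bot: `vmstate_ISAIPMIKCSDevice` sets both `.version_id = 2` and `.minimum_version_id = 2`, so this description refuses every v1 stream outright and backward compatibility rests entirely on the separate v1 description the commit message mentions, which is not part of this hunk; `.minimum_version_id = 1` together with `VMSTATE_UINT32_V(outlen, IPMIKCS, 2)` and `VMSTATE_UINT32_V(inlen, IPMIKCS, 2)` would let older streams load with the new fields simply absent. The bounds checks in `ipmi_kcs_vmstate_post_load` are the right place to sanitise indices that arrive from the remote, since `outpos`, `outlen` and `inlen` index fixed `MAX_IPMI_MSG_SIZE` arrays; note that `ik->outpos >= ik->outlen` also fires for the idle state where both are zero, which is harmless but deserves a comment.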

I've got the following, which is only build tested but:

+static const VMStateDescription vmstate_IPMIKCS = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "kcs",
+.version_id = 2,
+.minimum_version_id = 1,
+.post_load = ipmi_kcs_vmstate_post_load,
+.fields  = (VMStateField[]) {
+VMSTATE_BOOL(obf_irq_set, IPMIKCS),
+VMSTATE_BOOL(atn_irq_set, IPMIKCS),
+VMSTATE_UNUSED(1), /* Was use_irq */
+VMSTATE_BOOL(irqs_enabled, IPMIKCS),
+VMSTATE_UINT32(outpos, IPMIKCS),
+VMSTATE_UINT32_V(outlen, IPMIKCS,2),
+VMSTATE_UINT8_ARRAY(outmsg, IPMIKCS, MAX_IPMI_MSG_SIZE),
+VMSTATE_UINT32_V(inlen, IPMIKCS,2),
+VMSTATE_UINT8_ARRAY(inmsg, IPMIKCS, MAX_IPMI_MSG_SIZE),
+VMSTATE_BOOL(write_end, IPMIKCS),
+VMSTATE_UINT8(status_reg, IPMIKCS),
+VMSTATE_UINT8(data_out_reg, IPMIKCS),
+VMSTATE_INT16(data_in_reg, IPMIKCS),
+VMSTATE_INT16(cmd_reg, IPMIKCS),
+VMSTATE_UINT8(waiting_rsp, IPMIKCS),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const VMStateDescription vmstate_ISAIPMIKCSDevice = {
+.name = TYPE_IPMI_INTERFACE_PREFIX "isa-kcs",
+.version_id = 2,
+.minimum_version_id = 2,
+.fields  = (VMStateField[]) {
+VMSTATE_STRUCT(kcs, ISAIPMIKCSDevice, 2, vmstate_IPMIKCS, IPMIKCS),
+VMSTATE_END_OF_LIST()
+}
+};

Note how the outlen and inlen fields use the _V modifier and are only
bound to v2, and I leave the UNUSED in for use_irq, that means we can
then make the vmstate_v1_ISAIPMIKCSDevice just have:

const VMStateDescription vmstate_v1_ISAIPMIKCSDevice = {
 .name = TYPE_IPMI_INTERFACE,
 .version_id = 1,
 .minimum_version_id = 1,
 .post_load = ipmi_kcs_v1_vmstate_post_load,
 .needed = ipmi_kcs_v1_vmstate_needed,
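The two mechanisms discussed in this thread, version-gated fields and a post_load sanity pass, modelled as an added example that is not code from the patch or from QEMU: a toy decoder for a constructed versioned stream in which the v2-only `outlen`/`inlen` are absent from a v1 stream, followed by the same reset logic as `ipmi_kcs_vmstate_post_load`. The stream layout, `KcsState` and the `MAX_IPMI_MSG_SIZE` value are assumptions.

```c
/* Added example, not QEMU code: a toy decoder for a versioned device-state
 * stream. MAX_IPMI_MSG_SIZE and the stream layout are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_IPMI_MSG_SIZE 272

typedef struct {
    uint32_t outpos, outlen, inlen;   /* outlen and inlen only exist from v2 */
} KcsState;

/* Little-endian u32 from the stream; -1 on short input. */
static int get_u32(const uint8_t **p, const uint8_t *end, uint32_t *v)
{
    if (end - *p < 4) return -1;
    *v = (uint32_t)(*p)[0] | (uint32_t)(*p)[1] << 8 |
         (uint32_t)(*p)[2] << 16 | (uint32_t)(*p)[3] << 24;
    *p += 4;
    return 0;
}

/* Same checks as ipmi_kcs_vmstate_post_load in the patch: indices outside
 * the message buffers are reset, never trusted. Returns 1 if anything changed. */
int kcs_post_load(KcsState *ik)
{
    int clamped = 0;
    if (ik->outpos >= MAX_IPMI_MSG_SIZE || ik->outlen >= MAX_IPMI_MSG_SIZE ||
        ik->outpos >= ik->outlen) {
        clamped = (ik->outpos || ik->outlen);  /* idle (0,0) also lands here */
        ik->outpos = ik->outlen = 0;
    }
    if (ik->inlen >= MAX_IPMI_MSG_SIZE) { ik->inlen = 0; clamped = 1; }
    return clamped;
}

/* Stream: u32 version, u32 outpos, [u32 outlen, u32 inlen: v2 only].
 * The v2-only fields play the role of VMSTATE_UINT32_V(..., 2).
 * Returns 0 on success, -1 on a truncated or unsupported stream. */
int kcs_load(KcsState *ik, const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t version;
    memset(ik, 0, sizeof(*ik));
    if (get_u32(&p, end, &version) || version < 1 || version > 2) return -1;
    if (get_u32(&p, end, &ik->outpos)) return -1;
    if (version >= 2 &&
        (get_u32(&p, end, &ik->outlen) || get_u32(&p, end, &ik->inlen))) return -1;
    kcs_post_load(ik);          /* a v1 stream leaves outlen 0, so outpos resets */
    return 0;
}
```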
 

Re: [Qemu-devel] [PATCHv1 00/14] Translation loop conversion for sh4/sparc/mips/s390x/openrisc targets

2018-03-05 Thread Emilio G. Cota
On Mon, Mar 05, 2018 at 21:58:52 +, Mark Cave-Ayland wrote:
> I don't have enough knowledge of TCG internals to review this myself,
> however I can run it through my complete set of OpenBIOS test images for
> qemu-system-sparc and qemu-system-sparc64 if that helps?

That would be appreciated -- I only tested sparc64 by booting a NetBSD
guest.

Thanks,

Emilio



Re: [Qemu-devel] [PATCH v8 03/23] RISC-V CPU Core Definition

2018-03-05 Thread Michael Clark
On Mon, Mar 5, 2018 at 10:44 PM, Igor Mammedov  wrote:

> On Sat,  3 Mar 2018 02:51:31 +1300
> Michael Clark  wrote:
>
> > Add CPU state header, CPU definitions and initialization routines
> >
> > Reviewed-by: Richard Henderson 
> > Signed-off-by: Sagar Karandikar 
> > Signed-off-by: Michael Clark 
> > ---
> >  target/riscv/cpu.c  | 432 ++
> ++
> >  target/riscv/cpu.h  | 296 +
> >  target/riscv/cpu_bits.h | 411 ++
> +++
> >  3 files changed, 1139 insertions(+)
> >  create mode 100644 target/riscv/cpu.c
> >  create mode 100644 target/riscv/cpu.h
> >  create mode 100644 target/riscv/cpu_bits.h
> >
> > diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> > new file mode 100644
> > index 000..4851890
> > --- /dev/null
> > +++ b/target/riscv/cpu.c
> [...]
>
> > +
> > +typedef struct RISCVCPUInfo {
> > +const int bit_widths;
> > +const char *name;
> > +void (*initfn)(Object *obj);
> > +} RISCVCPUInfo;
> > +
> [...]
>
> > +static const RISCVCPUInfo riscv_cpus[] = {
> > +{ 96, TYPE_RISCV_CPU_ANY,  riscv_any_cpu_init },
> > +{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_09_1,
> rv32gcsu_priv1_09_1_cpu_init },
> > +{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_10_0,
> rv32gcsu_priv1_10_0_cpu_init },
> > +{ 32, TYPE_RISCV_CPU_RV32IMACU_NOMMU,  rv32imacu_nommu_cpu_init },
> > +{ 32, TYPE_RISCV_CPU_SIFIVE_E31,   rv32imacu_nommu_cpu_init },
> > +{ 32, TYPE_RISCV_CPU_SIFIVE_U34,   rv32gcsu_priv1_10_0_cpu_init
> },
> > +{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_09_1,
> rv64gcsu_priv1_09_1_cpu_init },
> > +{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_10_0,
> rv64gcsu_priv1_10_0_cpu_init },
> > +{ 64, TYPE_RISCV_CPU_RV64IMACU_NOMMU,  rv64imacu_nommu_cpu_init },
> > +{ 64, TYPE_RISCV_CPU_SIFIVE_E51,   rv64imacu_nommu_cpu_init },
> > +{ 64, TYPE_RISCV_CPU_SIFIVE_U54,   rv64gcsu_priv1_10_0_cpu_init
> },
> > +{ 0, NULL, NULL }
> > +};
> > +
> [...]
>
> > +static void cpu_register(const RISCVCPUInfo *info)
> > +{
> > +TypeInfo type_info = {
> > +.name = info->name,
> > +.parent = TYPE_RISCV_CPU,
> > +.instance_size = sizeof(RISCVCPU),
> > +.instance_init = info->initfn,
> > +};
> > +
> > +type_register(_info);
> > +}
> [...]
>
> > +void riscv_cpu_list(FILE *f, fprintf_function cpu_fprintf)
> > +{
> > +const RISCVCPUInfo *info = riscv_cpus;
> > +
> > +while (info->name) {
> > +if (info->bit_widths & TARGET_LONG_BITS) {
> > +(*cpu_fprintf)(f, "%s\n", info->name);
> > +}
> > +info++;
> > +}
> > +}
> > +
> > +static void riscv_cpu_register_types(void)
> > +{
> > +const RISCVCPUInfo *info = riscv_cpus;
> > +
> > +type_register_static(_cpu_type_info);
> > +
> > +while (info->name) {
> > +if (info->bit_widths & TARGET_LONG_BITS) {
> > +cpu_register(info);
> > +}
> > +info++;
> > +}
> > +}
> > +
> > +type_init(riscv_cpu_register_types)
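Review bot: `riscv_cpus[]` encodes which targets a model applies to by testing `info->bit_widths & TARGET_LONG_BITS`, so the `96` on the `TYPE_RISCV_CPU_ANY` row is really `32 | 64`; this only works because 32 and 64 are distinct single bits, and the value reads as a width rather than a mask. A named flag pair would make the intent obvious, and the identical walk over the table in `riscv_cpu_list` and `riscv_cpu_register_types` could share one iteration helper that applies the same filter.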
> This still isn't fixed as requested
>  http://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06412.html


It's possibly because I explicitly requested a clarification. Pointing at a
commit and being asked to infer what the desired change is, is not what I
would call reasonable feedback. The code has already been reviewed. We have
just expanded on it in a manner consistent with how the ARM port handled
cpu initialization.

I'm happy to comply if you give me detailed instructions on what is wrong,
why, and how to fix it versus infer your problem from this commit to
another architecture.

Apologies if I'm a bit slow, but I really don't understand the change you
intend us to make.

