[Qemu-devel] [PATCH] fw_cfg: print error message when reading splashfile failed

2018-10-23 Thread Li Qiang
Also remove unnecessary 'res' variable.

Signed-off-by: Li Qiang 
---
 hw/nvram/fw_cfg.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index 946f765..f4a52d8 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -68,15 +68,14 @@ static char *read_splashfile(char *filename, gsize 
*file_sizep,
  int *file_typep)
 {
 GError *err = NULL;
-gboolean res;
 gchar *content;
 int file_type;
 unsigned int filehead;
 int bmp_bpp;
 
-res = g_file_get_contents(filename, , file_sizep, );
-if (res == FALSE) {
-error_report("failed to read splash file '%s'", filename);
+if (!g_file_get_contents(filename, , file_sizep, )) {
+error_report("failed to read splash file '%s', %s",
+ filename, err->message);
 g_error_free(err);
 return NULL;
 }
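Review bot: The new message joins the GError text to the file name with a comma, `"failed to read splash file '%s', %s"`, whereas QEMU's error messages generally append a cause after a colon, so `error_report("failed to read splash file '%s': %s", filename, err->message);` would read consistently with the rest of the tree. The same comma separator appears in the companion vl.c patch's parse_fw_cfg() hunk (`"can't load %s, %s"`) and could be changed there too. Dereferencing err->message without a NULL check is fine here because g_file_get_contents() sets its GError whenever it returns FALSE. read_splashfile() continues past the end of this hunk.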
-- 
1.8.3.1




Re: [Qemu-devel] [PULL v2 00/40] Error reporting patches for 2018-10-22

2018-10-23 Thread Markus Armbruster
Peter Maydell  writes:

> On 23 October 2018 at 14:04, Markus Armbruster  wrote:
>> The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
>>
>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
>> staging (2018-10-19 19:01:07 +0100)
>>
>> are available in the Git repository at:
>>
>>   git://repo.or.cz/qemu/armbru.git tags/pull-error-2018-10-22-v2
>>
>> for you to fetch changes up to 70f81ac4800c5cf33415c966d63bf89af5cefbb9:
>>
>>   error: Drop bogus "use error_setg() instead" admonitions (2018-10-23 
>> 14:48:32 +0200)
>>
>> 
>> Error reporting patches for 2018-10-22
>>
>> * Replace some unwise uses of error_report() & friends
>> * Print error when using incorrect backend for debugcon
>>
>> 
>> v2: Fix a stale sentence in commit message of PATCH 05/40.
>
> Sorry, I'd already pushed the merge of v1 to master before I saw this one.

No biggie.  It was worth a try.



Re: [Qemu-devel] [PATCH v2] s390x/pci: add common fmb

2018-10-23 Thread Yi Min Zhao




在 2018/10/24 上午5:25, Cornelia Huck 写道:

On Mon, 22 Oct 2018 13:17:34 +0100
Thomas Huth  wrote:


On 2018-10-22 10:02, Yi Min Zhao wrote:

Common function measurement block is used to report counters of
successfully issued pcilg/stg/stb and rpcit instructions. This patch
introduces a new struct ZpciFmb and schedules a timer callback to
copy the fmb to guest memory at an interval which is set to
4s by default. If attempting to update the fmb fails, an error event
would be generated. After pcilg/stg/stb and rpcit interception
handlers issue successfully, increase the related counter. The guest
could pass null address to switch off FMB and stop corresponding
timer.

Signed-off-by: Yi Min Zhao 
Reviewed-by: Pierre Morel 
---

[...]

+static int fmb_do_update(S390PCIBusDevice *pbdev, uint8_t offset, int len)
+{
+MemTxResult ret;
+
+ret = address_space_write(_space_memory,
+  pbdev->fmb_addr + (uint64_t)offset,
+  MEMTXATTRS_UNSPECIFIED,
+  (uint8_t *)>fmb + offset,
+  len);
+if (ret) {
+s390_pci_generate_error_event(ERR_EVENT_FMBA, pbdev->fh, pbdev->fid,
+  pbdev->fmb_addr, 0);
+fmb_timer_free(pbdev);
+}
+
+return ret;
+}
+
+static void fmb_update(void *opaque)
+{
+S390PCIBusDevice *pbdev = opaque;
+int64_t t = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
+uint8_t offset = offsetof(ZpciFmb, last_update);
+
+/* Update U bit */
+pbdev->fmb.last_update |= UPDATE_U_BIT;
+if (fmb_do_update(pbdev, offset, sizeof(uint64_t))) {
+return;
+}
+
+/* Update FMB counters */
+pbdev->fmb.sample++;
+if (fmb_do_update(pbdev, 0, sizeof(ZpciFmb))) {
+return;
+}
+
+/* Clear U bit and update the time */
+pbdev->fmb.last_update = time2tod(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
+pbdev->fmb.last_update &= ~UPDATE_U_BIT;
+if (fmb_do_update(pbdev, offset, sizeof(uint64_t))) {
+return;
+}
+
+timer_mod(pbdev->fmb_timer, t + DEFAULT_MUI);
+}
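Review bot: Neither fmb_do_update() nor fmb_update() documents the update protocol that the three address_space_write() calls implement, and the ordering (set the U bit, write the whole block, clear the U bit together with the new timestamp) is exactly the kind of thing a later maintainer may reorder by accident. A block comment above fmb_update() along the lines of `/* Timer callback: publish the FMB to the guest. The U bit is set in guest memory before the full block is written and cleared afterwards (presumably so the guest can detect an in-progress update); any write failure raises ERR_EVENT_FMBA and releases the timer via fmb_timer_free(). */` would capture that. Note also that `t` is sampled before the three guest-memory writes, so the next expiry is DEFAULT_MUI after the callback started rather than after it finished — probably intended, but worth a word in the comment. The quoted excerpt is cut at `[...]`, so ZpciFmb, UPDATE_U_BIT and fmb_timer_free() are not visible here.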

Sorry for noticing this in v1 already, but is this code endianess-safe?
I.e. can this also work with qemu-system-s390x running with TCG on a x86
host? I think you might have to use something like this here instead:

   pbdev->fmb.sample = cpu_to_be32(be32_to_cpu(pbdev->fmb.sample) + 1);

etc.

Agreed, that may need some endianness handling.

I would test this with tcg on a LE host, but how can I verify this? Yi
Min, do you have some kind of test tooling you can share?


There's no tool now. You could startup a guest. And then in the guest, 
install

PCI driver and read FMB values from /sys/kernel/debug/pci//statistics.

If the endianness is wrong, I think the values will look wrong.
The expected behaviour is that the values increase from 0 at regular intervals.

--
Yi Min




[Qemu-devel] [PATCH] vl.c: print error message if loading fw_cfg file failed

2018-10-23 Thread Li Qiang
It makes sense to print the error message when reading the
file fails.

Signed-off-by: Li Qiang 
---
 vl.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/vl.c b/vl.c
index b2a405f..ee6f982 100644
--- a/vl.c
+++ b/vl.c
@@ -2234,8 +2234,10 @@ static int parse_fw_cfg(void *opaque, QemuOpts *opts, 
Error **errp)
 size = strlen(str); /* NUL terminator NOT included in fw_cfg blob */
 buf = g_memdup(str, size);
 } else {
-if (!g_file_get_contents(file, , , NULL)) {
-error_setg(errp, "can't load %s", file);
+GError *err = NULL;
+if (!g_file_get_contents(file, , , )) {
+error_setg(errp, "can't load %s, %s", file, err->message);
+g_error_free(err);
 return -1;
 }
 }
-- 
1.8.3.1




[Qemu-devel] [PATCH] linux-user/flatload: fix initial stack pointer alignment

2018-10-23 Thread Max Filippov
Stack pointer alignment code incorrectly adds stack_size to sp instead
of subtracting it. It also does not take flat_argvp_envp_on_stack() into
account when calculating stack_size. This results in initial stack
pointer misalignment with a certain set of command line arguments and
environment variables, and correct alignment for the same binary with a
different set of arguments. This misalignment causes failures in the
following tests in the testsuite of gcc built for xtensa uclinux:

  gcc.dg/torture/vshuf-v64qi.c
  gcc.dg/torture/vshuf-v8sf.c
  gcc.dg/torture/vshuf-v8si.c

Signed-off-by: Max Filippov 
---
 linux-user/flatload.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index 2eefe55e5000..1893966b5b30 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -771,10 +771,12 @@ int load_flt_binary(struct linux_binprm *bprm, struct 
image_info *info)
 /* Enforce final stack alignment of 16 bytes.  This is sufficient
for all current targets, and excess alignment is harmless.  */
 stack_len = bprm->envc + bprm->argc + 2;
-stack_len += 3;/* argc, arvg, argp */
+stack_len += flat_argvp_envp_on_stack() ? 2 : 0; /* arvg, argp */
+stack_len += 1; /* argc */
 stack_len *= sizeof(abi_ulong);
-if ((sp + stack_len) & 15)
-sp -= 16 - ((sp + stack_len) & 15);
+if ((sp - stack_len) & 15) {
+sp -= ((sp - stack_len) & 15);
+}
 sp = loader_build_argptr(bprm->envc, bprm->argc, sp, p,
  flat_argvp_envp_on_stack());
 
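Review bot: The new line `stack_len += flat_argvp_envp_on_stack() ? 2 : 0; /* arvg, argp */` carries the `arvg` typo over from the removed comment; `/* argv, argp */` is what is meant. The guard around the alignment is also redundant: when `(sp - stack_len) & 15` is zero the subtraction is a no-op, so `sp -= (sp - stack_len) & 15;` on its own expresses the rounding and drops a branch. The arithmetic itself looks right — it lowers sp so that sp - stack_len lands on a 16-byte boundary — and load_flt_binary() continues outside the hunk on both sides.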
-- 
2.11.0




[Qemu-devel] [PULL 26/28] piix: use TYPE_FOO constants than string constats

2018-10-23 Thread Michael S. Tsirkin
From: Li Qiang 

Make them more QOM-conventional.
Cc:qemu-triv...@nongnu.org

Signed-off-by: Li Qiang 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci-host/piix.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index 82421a86e3..731190d92d 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -95,6 +95,9 @@ typedef struct PIIX3State {
 #define I440FX_PCI_DEVICE(obj) \
 OBJECT_CHECK(PCII440FXState, (obj), TYPE_I440FX_PCI_DEVICE)
 
+#define TYPE_PIIX3_DEVICE "PIIX3"
+#define TYPE_PIIX3_XEN_DEVICE "PIIX3-xen"
+
 struct PCII440FXState {
 /*< private >*/
 PCIDevice parent_obj;
@@ -424,13 +427,13 @@ PCIBus *i440fx_init(const char *host_type, const char 
*pci_type,
  * These additional routes can be discovered through ACPI. */
 if (xen_enabled()) {
 PCIDevice *pci_dev = pci_create_simple_multifunction(b,
- -1, true, "PIIX3-xen");
+ -1, true, TYPE_PIIX3_XEN_DEVICE);
 piix3 = PIIX3_PCI_DEVICE(pci_dev);
 pci_bus_irqs(b, xen_piix3_set_irq, xen_pci_slot_get_pirq,
 piix3, XEN_PIIX_NUM_PIRQS);
 } else {
 PCIDevice *pci_dev = pci_create_simple_multifunction(b,
- -1, true, "PIIX3");
+ -1, true, TYPE_PIIX3_DEVICE);
 piix3 = PIIX3_PCI_DEVICE(pci_dev);
 pci_bus_irqs(b, piix3_set_irq, pci_slot_get_pirq, piix3,
 PIIX_NUM_PIRQS);
@@ -748,7 +751,7 @@ static void piix3_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo piix3_info = {
-.name  = "PIIX3",
+.name  = TYPE_PIIX3_DEVICE,
 .parent= TYPE_PIIX3_PCI_DEVICE,
 .class_init= piix3_class_init,
 };
@@ -761,7 +764,7 @@ static void piix3_xen_class_init(ObjectClass *klass, void 
*data)
 };
 
 static const TypeInfo piix3_xen_info = {
-.name  = "PIIX3-xen",
+.name  = TYPE_PIIX3_XEN_DEVICE,
 .parent= TYPE_PIIX3_PCI_DEVICE,
 .class_init= piix3_xen_class_init,
 };
-- 
MST




[Qemu-devel] [PULL 20/28] tests/bios-tables-test: add 64-bit PCI MMIO aperture round-up test on Q35

2018-10-23 Thread Michael S. Tsirkin
From: Laszlo Ersek 

In commit 9fa99d2519cb ("hw/pci-host: Fix x86 Host Bridges 64bit PCI
hole", 2017-11-16), we meant to expose such a 64-bit PCI MMIO aperture in
the ACPI DSDT that would be at least as large as the new "pci-hole64-size"
property (2GB on i440fx, 32GB on q35). The goal was to offer "enough"
64-bit MMIO aperture to the guest OS for hotplug purposes.

Currently the aperture is extended relative to a possibly incorrect base.
This may result in an aperture size that is smaller than the intent of
commit 9fa99d2519cb.

We're going to fix the error in a later patch in this series; now we just
add a test case that reproduces and captures the problem. In the fix, the
test data will be updated as well.

In the test case being added:
- use 128 MB initial RAM size,
- ask for one DIMM hotplug slot,
- ask for 2 GB maximum RAM size,
- use a pci-testdev with a 64-bit BAR of 2 GB size.

Consequences:

(1) In pc_memory_init() [hw/i386/pc.c], the DIMM hotplug area size is
initially set to 2048-128 = 1920 MB. (Maximum RAM size minus initial
RAM size.)

(2) The DIMM area base is set to 4096 MB (because the initial RAM is only
128 MB -- there is no initial "high RAM").

(3) Due to commit 085f8e88ba73 ("pc: count in 1Gb hugepage alignment when
sizing hotplug-memory container", 2014-11-24), we add 1 GB for the one
DIMM hotplug slot that was specified. This sets the DIMM area size to
1920+1024 = 2944 MB.

(4) The reserved-memory-end address (exclusive) is set to 4096 + 2944 =
7040 MB (DIMM area base plus DIMM area size).

(5) The reserved-memory-end address is rounded up to GB alignment,
yielding 7 GB (7168 MB).

(6) Given the 2 GB BAR size of pci-testdev, SeaBIOS allocates said 64-bit
BAR in 64-bit address space.

(7) Because reserved-memory-end is at 7 GB, it is unaligned for the 2 GB
BAR. Therefore SeaBIOS allocates the BAR at 8 GB. QEMU then
(correctly) assigns the root bridge aperture base this BAR address, to
be exposed in \_SB.PCI0._CRS.

(8) The intent of commit 9fa99d2519cb dictates that QEMU extend the
aperture size to 32 GB, implying a 40 GB end address. However, QEMU
performs the extension relative to reserved-memory-end (7 GB), not
relative to the bridge aperture base that was correctly deduced from
SeaBIOS's BAR programming (8 GB). Therefore we see 39 GB as the
aperture end address in \_SB.PCI0._CRS:

> QWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, Cacheable, 
> ReadWrite,
> 0x, // Granularity
> 0x0002, // Range Minimum
> 0x0009BFFF, // Range Maximum
> 0x, // Translation Offset
> 0x0007C000, // Length
> ,, , AddressRangeMemory, TypeStatic)

Cc: "Michael S. Tsirkin" 
Cc: Alex Williamson 
Cc: Gerd Hoffmann 
Cc: Igor Mammedov 
Cc: Marcel Apfelbaum 
Signed-off-by: Laszlo Ersek 
Reviewed-by: Marcel Apfelbaum
Reviewed-by: Marcel Apfelbaum
Reviewed-by: Marcel Apfelbaum
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 tests/bios-tables-test.c |  16 
 tests/acpi-test-data/q35/DSDT.mmio64 | Bin 0 -> 8947 bytes
 tests/acpi-test-data/q35/SRAT.mmio64 | Bin 0 -> 224 bytes
 3 files changed, 16 insertions(+)
 create mode 100644 tests/acpi-test-data/q35/DSDT.mmio64
 create mode 100644 tests/acpi-test-data/q35/SRAT.mmio64

diff --git a/tests/bios-tables-test.c b/tests/bios-tables-test.c
index 4e24930c4b..9dd88f9d86 100644
--- a/tests/bios-tables-test.c
+++ b/tests/bios-tables-test.c
@@ -708,6 +708,21 @@ static void test_acpi_q35_tcg_bridge(void)
 free_test_data();
 }
 
+static void test_acpi_q35_tcg_mmio64(void)
+{
+test_data data = {
+.machine = MACHINE_Q35,
+.variant = ".mmio64",
+.required_struct_types = base_required_struct_types,
+.required_struct_types_len = ARRAY_SIZE(base_required_struct_types)
+};
+
+test_acpi_one("-m 128M,slots=1,maxmem=2G "
+  "-device pci-testdev,membar=2G",
+  );
+free_test_data();
+}
+
 static void test_acpi_piix4_tcg_cphp(void)
 {
 test_data data;
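Review bot: test_acpi_q35_tcg_mmio64() hard-codes `-m 128M,slots=1,maxmem=2G -device pci-testdev,membar=2G` without saying why those particular numbers matter; the eight-step derivation in the commit message (DIMM area at 4 GB, reserved-memory-end rounded up to 7 GB, the 2 GB BAR therefore landing at 8 GB) is the only place that explains it. A short comment above the test_acpi_one() call, e.g. `/* 128M initial RAM plus one DIMM slot up to 2G puts reserved-memory-end at 7G, so a 2G 64-bit BAR lands at 8G; the DSDT aperture must be extended from there */`, keeps that intent next to the code. The designated initialiser for `data` differs from the `test_data data;` form used by the neighbouring test_acpi_piix4_tcg_cphp(); that is fine, since it zero-fills the remaining members, but worth a glance for consistency with the file.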
@@ -875,6 +890,7 @@ int main(int argc, char *argv[])
 qtest_add_func("acpi/piix4/bridge", test_acpi_piix4_tcg_bridge);
 qtest_add_func("acpi/q35", test_acpi_q35_tcg);
 qtest_add_func("acpi/q35/bridge", test_acpi_q35_tcg_bridge);
+qtest_add_func("acpi/q35/mmio64", test_acpi_q35_tcg_mmio64);
 qtest_add_func("acpi/piix4/ipmi", test_acpi_piix4_tcg_ipmi);
 qtest_add_func("acpi/q35/ipmi", test_acpi_q35_tcg_ipmi);
 qtest_add_func("acpi/piix4/cpuhp", test_acpi_piix4_tcg_cphp);
diff --git a/tests/acpi-test-data/q35/DSDT.mmio64 
b/tests/acpi-test-data/q35/DSDT.mmio64
new file mode 100644
index 
..a058ff2ee31a22a55b5b198bc1531c7f20b243f6
GIT binary patch
literal 8947
zcmb7KTW=f38J*=#t05`MZVWfQbOALxMpqxlJWYk`r6l^h@YaKZ)QiHSyDi(2XemIbG~oR

[Qemu-devel] [PULL 28/28] vhost-scsi: prevent using uninitialized vqs

2018-10-23 Thread Michael S. Tsirkin
From: yuchenlin 

There are 3 virtqueues (ctrl, event and cmd) for virtio scsi device,
but seabios will only set the physical address for the 3rd one (cmd).
Then in vhost_virtqueue_start(), virtio_queue_get_desc_addr()
will be 0 for ctrl and event vq.

In this case, ctrl and event vq are not initialized.
vhost_verify_ring_mappings may use uninitialized vhost_virtqueue
such that vhost_verify_ring_part_mapping returns ENOMEM.

When we encountered this problem, we got the following logs:

qemu-system-x86_64: Unable to map available ring for ring 0
qemu-system-x86_64: Verify ring failure on region 0

Signed-off-by: Forrest Liu 
Signed-off-by: yuchenlin 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/scsi/vhost-scsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/vhost-scsi.c b/hw/scsi/vhost-scsi.c
index becf550085..7f21b4f9d6 100644
--- a/hw/scsi/vhost-scsi.c
+++ b/hw/scsi/vhost-scsi.c
@@ -183,7 +183,7 @@ static void vhost_scsi_realize(DeviceState *dev, Error 
**errp)
 }
 
 vsc->dev.nvqs = VHOST_SCSI_VQ_NUM_FIXED + vs->conf.num_queues;
-vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
+vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
 vsc->dev.vq_index = 0;
 vsc->dev.backend_features = 0;
 
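Review bot: Switching to `g_new0()` zero-fills the vqs array so vhost_verify_ring_mappings() no longer reads indeterminate fields for the ctrl and event queues, but the fix relies on an all-zero vhost_virtqueue meaning "not set up"; a one-line comment such as `/* zeroed: queues the guest never configured must read as unused */` would record that assumption next to the allocation. If the verify path is meant to skip queues whose descriptor address is 0, an explicit check there would be the more robust fix, though that cannot be confirmed from this hunk. vhost_scsi_realize() extends beyond the hunk on both sides.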
-- 
MST




[Qemu-devel] [PULL 19/28] hw/pci-host/x86: extend the 64-bit PCI hole relative to the fw-assigned base

2018-10-23 Thread Michael S. Tsirkin
From: Laszlo Ersek 

In commit 9fa99d2519cb ("hw/pci-host: Fix x86 Host Bridges 64bit PCI
hole", 2017-11-16), we meant to expose such a 64-bit PCI MMIO aperture in
the ACPI DSDT that would be at least as large as the new "pci-hole64-size"
property (2GB on i440fx, 32GB on q35). The goal was to offer "enough"
64-bit MMIO aperture to the guest OS for hotplug purposes.

In that commit, we added or modified five functions:

- pc_pci_hole64_start(): shared between i440fx and q35. Provides a default
  64-bit base, which starts beyond the cold-plugged 64-bit RAM, and skips
  the DIMM hotplug area too (if any).

- i440fx_pcihost_get_pci_hole64_start(), q35_host_get_pci_hole64_start():
  board-specific 64-bit base property getters called abstractly by the
  ACPI generator. Both of these fall back to pc_pci_hole64_start() if the
  firmware didn't program any 64-bit hole (i.e. if the firmware didn't
  assign a 64-bit GPA to any MMIO BAR on any device). Otherwise, they
  honor the firmware's BAR assignments (i.e., they treat the lowest 64-bit
  GPA programmed by the firmware as the base address for the aperture).

- i440fx_pcihost_get_pci_hole64_end(), q35_host_get_pci_hole64_end():
  these intended to extend the aperture to our size recommendation,
  calculated relative to the base of the aperture.

Despite the original intent, i440fx_pcihost_get_pci_hole64_end() and
q35_host_get_pci_hole64_end() currently only extend the aperture relative
to the default base (pc_pci_hole64_start()), ignoring any programming done
by the firmware. This means that our size recommendation may not be met.
Fix it by honoring the firmware's address assignments.

The strange extension sizes were spotted by Alex, in the log of a guest
kernel running on top of OVMF (which prefers to assign 64-bit GPAs to
64-bit BARs).

This change only affects DSDT generation, therefore no new compat property
is being introduced.

Using an i440fx OVMF guest with 5GB RAM, an example _CRS change is:

> @@ -881,9 +881,9 @@
>  QWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, 
> Cacheable, ReadWrite,
>  0x, // Granularity
>  0x0008, // Range Minimum
> -0x00080001C0FF, // Range Maximum
> +0x00087FFF, // Range Maximum
>  0x, // Translation Offset
> -0x0001C100, // Length
> +0x8000, // Length
>  ,, , AddressRangeMemory, TypeStatic)
>  })
>  Device (GPE0)

(On i440fx, the low RAM split is at 3GB, in this case. Therefore, with 5GB
guest RAM and no DIMM hotplug range, pc_pci_hole64_start() returns 4 +
(5-3) = 6 GB. Adding the 2GB extension to that yields 8GB, which is below
the firmware-programmed base of 32GB, before the patch. Therefore, before
the patch, the extension is ineffective. After the patch, we add the 2GB
extension to the firmware-programmed base, namely 32GB.)

Using a q35 OVMF guest with 5GB RAM, an example _CRS change is:

> @@ -3162,9 +3162,9 @@
>  QWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, 
> Cacheable, ReadWrite,
>  0x, // Granularity
>  0x0008, // Range Minimum
> -0x0009BFFF, // Range Maximum
> +0x000F, // Range Maximum
>  0x, // Translation Offset
> -0x0001C000, // Length
> +0x0008, // Length
>  ,, , AddressRangeMemory, TypeStatic)
>  })
>  Device (GPE0)

(On Q35, the low RAM split is at 2GB. Therefore, with 5GB guest RAM and no
DIMM hotplug range, pc_pci_hole64_start() returns 4 + (5-2) = 7 GB. Adding
the 32GB extension to that yields 39GB (0x_0009_BFFF_ + 1), before
the patch. After the patch, we add the 32GB extension to the
firmware-programmed base, namely 32GB.)

The ACPI test data for the bios-tables-test case that we added earlier in
this series are corrected too, as follows:

> @@ -3339,9 +3339,9 @@
>  QWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed, 
> Cacheable, ReadWrite,
>  0x, // Granularity
>  0x0002, // Range Minimum
> -0x0009BFFF, // Range Maximum
> +0x0009, // Range Maximum
>  0x, // Translation Offset
> -0x0007C000, // Length
> +0x0008, // Length
>  ,, , AddressRangeMemory, TypeStatic)
>  })
>  Device (GPE0)

Cc: "Michael S. Tsirkin" 
Cc: Alex Williamson 
Cc: Gerd Hoffmann 
Cc: Igor Mammedov 
Cc: Marcel Apfelbaum 
Fixes: 9fa99d2519cbf71f871e46871df12cb446dc1c3e
Signed-off-by: Laszlo Ersek 
Reviewed-by: Marcel Apfelbaum 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. 

[Qemu-devel] [PULL 15/28] x86_iommu/amd: Enable Guest virtual APIC support

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Now that amd-iommu support interrupt remapping, enable the GASup in IVRS
table and GASup in extended feature register to indicate that IOMMU
support guest virtual APIC mode. GASup provides option to guest OS to
make use of 128-bit IRTE.

Note that the GAMSup is set to zero to indicate that amd-iommu does not
support guest virtual APIC mode (aka AVIC) which would be used for the
nested VMs.

See Table 21 from IOMMU spec for interrupt virtualization controls

Signed-off-by: Brijesh Singh 
Reviewed-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.h  | 2 +-
 hw/i386/acpi-build.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/i386/amd_iommu.h b/hw/i386/amd_iommu.h
index 8061e9c49c..687fcd8521 100644
--- a/hw/i386/amd_iommu.h
+++ b/hw/i386/amd_iommu.h
@@ -176,7 +176,7 @@
 /* extended feature support */
 #define AMDVI_EXT_FEATURES (AMDVI_FEATURE_PREFETCH | AMDVI_FEATURE_PPR | \
 AMDVI_FEATURE_IA | AMDVI_FEATURE_GT | AMDVI_FEATURE_HE | \
-AMDVI_GATS_MODE | AMDVI_HATS_MODE)
+AMDVI_GATS_MODE | AMDVI_HATS_MODE | AMDVI_FEATURE_GA)
 
 /* capabilities header */
 #define AMDVI_CAPAB_FEATURES (AMDVI_CAPAB_FLAT_EXT | \
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 1ef396ddbb..236a20eaa8 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2518,7 +2518,8 @@ build_amd_iommu(GArray *table_data, BIOSLinker *linker)
 build_append_int_noprefix(table_data,
  (48UL << 30) | /* HATS   */
  (48UL << 28) | /* GATS   */
- (1UL << 2),/* GTSup  */
+ (1UL << 2)   | /* GTSup  */
+ (1UL << 6),/* GASup  */
  4);
 /*
  *   Type 1 device entry reporting all devices
-- 
MST




[Qemu-devel] [PULL 22/28] hw/pci-bridge/ioh3420: Remove unuseful header

2018-10-23 Thread Michael S. Tsirkin
From: Philippe Mathieu-Daudé 

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci-bridge/ioh3420.h | 6 --
 hw/pci-bridge/ioh3420.c | 2 +-
 2 files changed, 1 insertion(+), 7 deletions(-)
 delete mode 100644 hw/pci-bridge/ioh3420.h

diff --git a/hw/pci-bridge/ioh3420.h b/hw/pci-bridge/ioh3420.h
deleted file mode 100644
index ea423cb991..00
--- a/hw/pci-bridge/ioh3420.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef QEMU_IOH3420_H
-#define QEMU_IOH3420_H
-
-#include "hw/pci/pcie_port.h"
-
-#endif /* QEMU_IOH3420_H */
diff --git a/hw/pci-bridge/ioh3420.c b/hw/pci-bridge/ioh3420.c
index a451d74ee6..81f2de6f07 100644
--- a/hw/pci-bridge/ioh3420.c
+++ b/hw/pci-bridge/ioh3420.c
@@ -24,7 +24,7 @@
 #include "hw/pci/pci_ids.h"
 #include "hw/pci/msi.h"
 #include "hw/pci/pcie.h"
-#include "ioh3420.h"
+#include "hw/pci/pcie_port.h"
 
 #define PCI_DEVICE_ID_IOH_EPORT 0x3420  /* D0:F0 express mode */
 #define PCI_DEVICE_ID_IOH_REV   0x2
-- 
MST




[Qemu-devel] [PULL 27/28] piix_pci: fix i440fx data sheet link

2018-10-23 Thread Michael S. Tsirkin
From: Li Qiang 

It seems that the Intel link is unavailable; change it to point to the
QEMU site.

Signed-off-by: Li Qiang 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Marcel Apfelbaum
Acked-by: Michael S. Tsirkin 
Reviewed-by: Michael S. Tsirkin 
---
 hw/pci-host/piix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index 731190d92d..213a81e669 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -40,7 +40,7 @@
 
 /*
  * I440FX chipset data sheet.
- * http://download.intel.com/design/chipsets/datashts/29054901.pdf
+ * https://wiki.qemu.org/File:29054901.pdf
  */
 
 #define I440FX_PCI_HOST_BRIDGE(obj) \
-- 
MST




[Qemu-devel] [PULL 14/28] x86_iommu/amd: Add interrupt remap support when VAPIC is enabled

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Emulate the interrupt remapping support when guest virtual APIC is
enabled.

For more information, refer to the IOMMU spec rev 3.0 (section 2.2.5.2).

When VAPIC is enabled, it uses interrupt remapping as defined in
Table 22 and Figure 17 from IOMMU spec.

Signed-off-by: Brijesh Singh 
Reviewed-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.h  | 36 +++
 hw/i386/amd_iommu.c  | 69 +++-
 hw/i386/trace-events |  2 ++
 3 files changed, 106 insertions(+), 1 deletion(-)

diff --git a/hw/i386/amd_iommu.h b/hw/i386/amd_iommu.h
index f73be48fca..8061e9c49c 100644
--- a/hw/i386/amd_iommu.h
+++ b/hw/i386/amd_iommu.h
@@ -103,6 +103,7 @@
 #define AMDVI_MMIO_CONTROL_EVENTINTEN (1ULL << 3)
 #define AMDVI_MMIO_CONTROL_COMWAITINTEN   (1ULL << 4)
 #define AMDVI_MMIO_CONTROL_CMDBUFLEN  (1ULL << 12)
+#define AMDVI_MMIO_CONTROL_GAEN   (1ULL << 17)
 
 /* MMIO status register bits */
 #define AMDVI_MMIO_STATUS_CMDBUF_RUN  (1 << 4)
@@ -263,6 +264,38 @@ union irte {
 } fields;
 };
 
+/* Interrupt remapping table fields (Guest VAPIC is enabled) */
+union irte_ga_lo {
+  uint64_t val;
+
+  /* For int remapping */
+  struct {
+  uint64_t  valid:1,
+no_fault:1,
+/* -- */
+int_type:3,
+rq_eoi:1,
+dm:1,
+/* -- */
+guest_mode:1,
+destination:8,
+rsvd_1:48;
+  } fields_remap;
+};
+
+union irte_ga_hi {
+  uint64_t val;
+  struct {
+  uint64_t  vector:8,
+rsvd_2:56;
+  } fields;
+};
+
+struct irte_ga {
+  union irte_ga_lo lo;
+  union irte_ga_hi hi;
+};
+
 #define TYPE_AMD_IOMMU_DEVICE "amd-iommu"
 #define AMD_IOMMU_DEVICE(obj)\
 OBJECT_CHECK(AMDVIState, (obj), TYPE_AMD_IOMMU_DEVICE)
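Review bot: The new `union irte_ga_lo`, `union irte_ga_hi` and `struct irte_ga` are indented with two spaces (`  uint64_t val;`), whereas QEMU's coding style uses four, and presumably so does the existing `union irte` just above; re-indenting the three definitions keeps checkpatch and readers happy. The `/* -- */` comments inside `fields_remap` carry no information — if they mark the spec's field groupings, naming the group is more useful, otherwise drop them. As with `union irte`, the layout assumes the compiler allocates bit-fields starting from the least significant bit of the uint64_t, which is implementation-defined in C; stating that once in a comment above the union would make the dependency explicit.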
@@ -332,6 +365,9 @@ typedef struct AMDVIState {
 
 /* IOTLB */
 GHashTable *iotlb;
+
+/* Interrupt remapping */
+bool ga_enabled;
 } AMDVIState;
 
 #endif
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index 8e2f13c029..353a810e6b 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -608,6 +608,7 @@ static void amdvi_handle_control_write(AMDVIState *s)
 s->completion_wait_intr = !!(control & AMDVI_MMIO_CONTROL_COMWAITINTEN);
 s->cmdbuf_enabled = s->enabled && !!(control &
 AMDVI_MMIO_CONTROL_CMDBUFLEN);
+s->ga_enabled = !!(control & AMDVI_MMIO_CONTROL_GAEN);
 
 /* update the flags depending on the control register */
 if (s->cmdbuf_enabled) {
@@ -1094,6 +1095,65 @@ static int amdvi_int_remap_legacy(AMDVIState *iommu,
 return 0;
 }
 
+static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
+ struct irte_ga *irte, uint16_t devid)
+{
+uint64_t irte_root, offset;
+
+irte_root = dte[2] & AMDVI_IR_PHYS_ADDR_MASK;
+offset = (origin->data & AMDVI_IRTE_OFFSET) << 4;
+trace_amdvi_ir_irte(irte_root, offset);
+
+if (dma_memory_read(_space_memory, irte_root + offset,
+irte, sizeof(*irte))) {
+trace_amdvi_ir_err("failed to get irte_ga");
+return -AMDVI_IR_GET_IRTE;
+}
+
+trace_amdvi_ir_irte_ga_val(irte->hi.val, irte->lo.val);
+return 0;
+}
+
+static int amdvi_int_remap_ga(AMDVIState *iommu,
+  MSIMessage *origin,
+  MSIMessage *translated,
+  uint64_t *dte,
+  X86IOMMUIrq *irq,
+  uint16_t sid)
+{
+int ret;
+struct irte_ga irte;
+
+/* get interrupt remapping table */
+ret = amdvi_get_irte_ga(iommu, origin, dte, , sid);
+if (ret < 0) {
+return ret;
+}
+
+if (!irte.lo.fields_remap.valid) {
+trace_amdvi_ir_target_abort("RemapEn is disabled");
+return -AMDVI_IR_TARGET_ABORT;
+}
+
+if (irte.lo.fields_remap.guest_mode) {
+error_report_once("guest mode is not zero");
+return -AMDVI_IR_ERR;
+}
+
+if (irte.lo.fields_remap.int_type > AMDVI_IOAPIC_INT_TYPE_ARBITRATED) {
+error_report_once("reserved int_type is set");
+return -AMDVI_IR_ERR;
+}
+
+irq->delivery_mode = irte.lo.fields_remap.int_type;
+irq->vector = irte.hi.fields.vector;
+irq->dest_mode = irte.lo.fields_remap.dm;
+irq->redir_hint = irte.lo.fields_remap.rq_eoi;
+irq->dest = irte.lo.fields_remap.destination;
+
+return 0;
+}
+
 static int __amdvi_int_remap_msi(AMDVIState *iommu,
  MSIMessage *origin,
  MSIMessage *translated,
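Review bot: `amdvi_get_irte_ga()` takes a `uint16_t devid` that its body never uses — only `origin`, `dte` and `irte` are read — so either drop the parameter and the `sid` argument at the call site in amdvi_int_remap_ga(), or put it to use in the trace_amdvi_ir_irte() call so a failed lookup can be attributed to a device. The `<< 4` in `offset = (origin->data & AMDVI_IRTE_OFFSET) << 4;` is the 16-byte IRTE size in disguise; `* sizeof(*irte)` says the same thing without the magic number. Since the IRTE is fetched from guest memory via dma_memory_read(), the valid/guest_mode/int_type checks that follow are the guest-input validation for this path; a comment above them saying so, and noting that `vector` and `destination` are copied through unvalidated, would help the next reader see what is and is not verified here.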
@@ -1101,6 +1161,7 @@ static int __amdvi_int_remap_msi(AMDVIState *iommu,
   

[Qemu-devel] [PULL 23/28] hw/pci: Add missing include

2018-10-23 Thread Michael S. Tsirkin
From: Philippe Mathieu-Daudé 

Noted while refactoring:

  CC  mips-softmmu/hw/mips/gt64xxx_pci.o
In file included from include/hw/pci-host/gt64xxx.h:2,
 from hw/mips/gt64xxx_pci.c:30:
include/hw/pci/pci_bus.h:23:5: error: unknown type name ‘PCIIOMMUFunc’
 PCIIOMMUFunc iommu_fn;
 ^~~~
include/hw/pci/pci_bus.h:27:5: error: unknown type name ‘pci_set_irq_fn’
 pci_set_irq_fn set_irq;
 ^~
include/hw/pci/pci_bus.h:28:5: error: unknown type name ‘pci_map_irq_fn’
 pci_map_irq_fn map_irq;
 ^~
include/hw/pci/pci_bus.h:29:5: error: unknown type name ‘pci_route_irq_fn’
 pci_route_irq_fn route_intx_to_irq;
 ^~~~
include/hw/pci/pci_bus.h:31:24: error: ‘PCI_SLOT_MAX’ undeclared here (not 
in a function)
 PCIDevice *devices[PCI_SLOT_MAX * PCI_FUNC_MAX];
^~~~
include/hw/pci/pci_bus.h:31:39: error: ‘PCI_FUNC_MAX’ undeclared here (not 
in a function)
 PCIDevice *devices[PCI_SLOT_MAX * PCI_FUNC_MAX];
   ^~~~
make[1]: *** [rules.mak:69: hw/mips/gt64xxx_pci.o] Error 1
make: *** [Makefile:482: subdir-mips-softmmu] Error 2

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/pci/pci_bus.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/hw/pci/pci_bus.h b/include/hw/pci/pci_bus.h
index b7da8f555b..dfb75752cb 100644
--- a/include/hw/pci/pci_bus.h
+++ b/include/hw/pci/pci_bus.h
@@ -1,6 +1,8 @@
 #ifndef QEMU_PCI_BUS_H
 #define QEMU_PCI_BUS_H
 
+#include "hw/pci/pci.h"
+
 /*
  * PCI Bus datastructures.
  *
-- 
MST




[Qemu-devel] [PULL 03/28] intel_iommu: better handling of dmar state switch

2018-10-23 Thread Michael S. Tsirkin
From: Peter Xu 

QEMU is not handling the global DMAR switch well, especially when from
"on" to "off".

Let's first take the example of system reset.

Assuming that a guest has IOMMU enabled.  When it reboots, we will drop
all the existing DMAR mappings to handle the system reset, however we'll
still keep the existing memory layouts which has the IOMMU memory region
enabled.  So after the reboot and before the kernel reloads again, there
will be no mapping at all for the host device.  That's problematic since
any software (for example, SeaBIOS) that runs earlier than the kernel
after the reboot will assume the IOMMU is disabled, so any DMA from the
software will fail.

For example, a guest that boots on an assigned NVMe device might fail to
find the boot device after a system reboot/reset and we'll be able to
observe SeaBIOS errors if we capture the debugging log:

  WARNING - Timeout at nvme_wait:144!

Meanwhile, we should see DMAR errors on the host of that NVMe device.
It's the DMA fault that caused a NVMe driver timeout.

The correct fix should be that we do proper switching of device DMA
address spaces when system resets, which will setup correct memory
regions and notify the backend of the devices.  This might not affect
much on non-assigned devices since QEMU VT-d emulation will assume a
default passthrough mapping if DMAR is not enabled in the GCMD
register (please refer to vtd_iommu_translate).  However, that is required
for assigned devices, since it rebuilds the correct GPA to HPA
mapping that is needed for any DMA operation during guest bootstrap.

Besides the system reset, we have some other places that might change
the global DMAR status and we'd better do the same thing there.  For
example, when we change the state of GCMD register, or the DMAR root
pointer.  Do the same refresh for all these places.  For these two
places we'll also need to explicitly invalidate the context entry cache
and iotlb cache.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1625173
CC: QEMU Stable 
Reported-by: Cong Li 
Signed-off-by: Peter Xu 
--
v2:
- do the same for GCMD write, or root pointer update [Alex]
- test is carried out by me this time, by observing the
  vtd_switch_address_space tracepoint after system reboot
v3:
- rewrite commit message as suggested by Alex
Signed-off-by: Peter Xu 
Reviewed-by: Eric Auger 
Reviewed-by: Jason Wang 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/intel_iommu.c | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 1137861a9d..306708eb3b 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -37,6 +37,8 @@
 #include "kvm_i386.h"
 #include "trace.h"
 
+static void vtd_address_space_refresh_all(IntelIOMMUState *s);
+
 static void vtd_define_quad(IntelIOMMUState *s, hwaddr addr, uint64_t val,
 uint64_t wmask, uint64_t w1cmask)
 {
@@ -1436,7 +1438,7 @@ static void vtd_context_global_invalidate(IntelIOMMUState 
*s)
 vtd_reset_context_cache_locked(s);
 }
 vtd_iommu_unlock(s);
-vtd_switch_address_space_all(s);
+vtd_address_space_refresh_all(s);
 /*
  * From VT-d spec 6.5.2.1, a global context entry invalidation
  * should be followed by a IOTLB global invalidation, so we should
@@ -1727,6 +1729,8 @@ static void vtd_handle_gcmd_srtp(IntelIOMMUState *s)
 vtd_root_table_setup(s);
 /* Ok - report back to driver */
 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, 0, VTD_GSTS_RTPS);
+vtd_reset_caches(s);
+vtd_address_space_refresh_all(s);
 }
 
 /* Set Interrupt Remap Table Pointer */
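Review bot: The new `vtd_reset_caches(s);` / `vtd_address_space_refresh_all(s);` pair at the end of vtd_handle_gcmd_srtp carries no comment saying why a root-pointer update has to drop the context and IOTLB caches before re-syncing address spaces, and the same unexplained pair closes vtd_handle_gcmd_te in the next hunk. Suggest `/* Root table changed: drop stale context/IOTLB entries, then re-sync every device's DMA address space */` above the first call here, and a parallel comment in the TE handler. vtd_reset_caches() is not defined in this patch; I take it to come from the "introduce vtd_reset_caches()" commit earlier in the series.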
@@ -1759,7 +1763,8 @@ static void vtd_handle_gcmd_te(IntelIOMMUState *s, bool 
en)
 vtd_set_clear_mask_long(s, DMAR_GSTS_REG, VTD_GSTS_TES, 0);
 }
 
-vtd_switch_address_space_all(s);
+vtd_reset_caches(s);
+vtd_address_space_refresh_all(s);
 }
 
 /* Handle Interrupt Remap Enable/Disable */
@@ -3059,6 +3064,12 @@ static void vtd_address_space_unmap_all(IntelIOMMUState 
*s)
 }
 }
 
+static void vtd_address_space_refresh_all(IntelIOMMUState *s)
+{
+vtd_address_space_unmap_all(s);
+vtd_switch_address_space_all(s);
+}
+
 static int vtd_replay_hook(IOMMUTLBEntry *entry, void *private)
 {
 memory_region_notify_one((IOMMUNotifier *)private, entry);
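Review bot: vtd_address_space_refresh_all is added without a comment, although its whole point is the ordering: existing mappings are torn down by vtd_address_space_unmap_all before vtd_switch_address_space_all re-selects the address space of each device, and the callers added elsewhere in this patch (reset, GCMD writes, root-pointer update) depend on that sequence. Suggest above the definition: `/* Drop all existing mappings (notifying backends), then re-pick each device's DMA address space from the current DMAR state. */`.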
@@ -3231,11 +3242,7 @@ static void vtd_reset(DeviceState *dev)
 IntelIOMMUState *s = INTEL_IOMMU_DEVICE(dev);
 
 vtd_init(s);
-
-/*
- * When device reset, throw away all mappings and external caches
- */
-vtd_address_space_unmap_all(s);
+vtd_address_space_refresh_all(s);
 }
 
 static AddressSpace *vtd_host_dma_iommu(PCIBus *bus, void *opaque, int devfn)
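Review bot: The explanatory comment "When device reset, throw away all mappings and external caches" disappears together with the old vtd_address_space_unmap_all call, and the replacement `vtd_address_space_refresh_all(s);` in vtd_reset is left bare. Keep the rationale, e.g. `/* On reset, drop all mappings and external caches, then re-sync address spaces for the post-reset DMAR state */` above the call.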
-- 
MST




[Qemu-devel] [PULL 25/28] i440fx: use ARRAY_SIZE for pam_regions

2018-10-23 Thread Michael S. Tsirkin
From: Li Qiang 

Cc: qemu-triv...@nongnu.org

Signed-off-by: Li Qiang 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci-host/piix.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index 999db824da..82421a86e3 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -142,7 +142,7 @@ static void i440fx_update_memory_mappings(PCII440FXState *d)
 PCIDevice *pd = PCI_DEVICE(d);
 
 memory_region_transaction_begin();
-for (i = 0; i < 13; i++) {
+for (i = 0; i < ARRAY_SIZE(d->pam_regions); i++) {
 pam_update(>pam_regions[i], i,
pd->config[I440FX_PAM + (DIV_ROUND_UP(i, 2))]);
 }
@@ -412,7 +412,7 @@ PCIBus *i440fx_init(const char *host_type, const char 
*pci_type,
 
 init_pam(dev, f->ram_memory, f->system_memory, f->pci_address_space,
  >pam_regions[0], PAM_BIOS_BASE, PAM_BIOS_SIZE);
-for (i = 0; i < 12; ++i) {
+for (i = 0; i < ARRAY_SIZE(f->pam_regions) - 1; ++i) {
 init_pam(dev, f->ram_memory, f->system_memory, f->pci_address_space,
  >pam_regions[i+1], PAM_EXPAN_BASE + i * PAM_EXPAN_SIZE,
  PAM_EXPAN_SIZE);
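Review bot: `ARRAY_SIZE(f->pam_regions) - 1` as the loop bound is correct but the `- 1` deserves a word: slot 0 is filled by the preceding init_pam call for PAM_BIOS_BASE and the loop writes `pam_regions[i+1]`, so a reader should not have to reconstruct that. Suggest `/* slot 0 is the BIOS region set up above; the remaining slots are the expansion areas */` above the loop. If `i` is declared as `int` (its declaration is outside this hunk, and likewise in the i440fx_update_memory_mappings hunk above), both loops now compare a signed index against a size_t; harmless with the current values, but `size_t i` would keep stricter warning sets quiet.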
-- 
MST




[Qemu-devel] [PULL 12/28] x86_iommu/amd: Add interrupt remap support when VAPIC is not enabled

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Emulate the interrupt remapping support when guest virtual APIC is
not enabled.

For more info, refer to the AMD IOMMU spec Rev 3.0, section 2.2.5.1.

When VAPIC is not enabled, it uses interrupt remapping as defined in
Table 20 and Figure 15 from IOMMU spec.

Signed-off-by: Brijesh Singh 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Peter Xu 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.h  |  44 ++
 hw/i386/amd_iommu.c  | 199 ++-
 hw/i386/trace-events |   7 ++
 3 files changed, 249 insertions(+), 1 deletion(-)

diff --git a/hw/i386/amd_iommu.h b/hw/i386/amd_iommu.h
index 4e7cc271c4..f73be48fca 100644
--- a/hw/i386/amd_iommu.h
+++ b/hw/i386/amd_iommu.h
@@ -217,7 +217,51 @@
 
 /* Interrupt remapping errors */
 #define AMDVI_IR_ERR0x1
+#define AMDVI_IR_GET_IRTE   0x2
+#define AMDVI_IR_TARGET_ABORT   0x3
 
+/* Interrupt remapping */
+#define AMDVI_IR_REMAP_ENABLE   1ULL
+#define AMDVI_IR_INTCTL_SHIFT   60
+#define AMDVI_IR_INTCTL_ABORT   0
+#define AMDVI_IR_INTCTL_PASS1
+#define AMDVI_IR_INTCTL_REMAP   2
+
+#define AMDVI_IR_PHYS_ADDR_MASK (((1ULL << 45) - 1) << 6)
+
+/* MSI data 10:0 bits (section 2.2.5.1 Fig 14) */
+#define AMDVI_IRTE_OFFSET   0x7ff
+
+/* Delivery mode of MSI data (same as IOAPIC deilver mode encoding) */
+#define AMDVI_IOAPIC_INT_TYPE_FIXED  0x0
+#define AMDVI_IOAPIC_INT_TYPE_ARBITRATED 0x1
+#define AMDVI_IOAPIC_INT_TYPE_SMI0x2
+#define AMDVI_IOAPIC_INT_TYPE_NMI0x4
+#define AMDVI_IOAPIC_INT_TYPE_INIT   0x5
+#define AMDVI_IOAPIC_INT_TYPE_EINT   0x7
+
+/* Pass through interrupt */
+#define AMDVI_DEV_INT_PASS_MASK (1UL << 56)
+#define AMDVI_DEV_EINT_PASS_MASK(1UL << 57)
+#define AMDVI_DEV_NMI_PASS_MASK (1UL << 58)
+#define AMDVI_DEV_LINT0_PASS_MASK   (1UL << 62)
+#define AMDVI_DEV_LINT1_PASS_MASK   (1UL << 63)
+
+/* Interrupt remapping table fields (Guest VAPIC not enabled) */
+union irte {
+uint32_t val;
+struct {
+uint32_t valid:1,
+ no_fault:1,
+ int_type:3,
+ rq_eoi:1,
+ dm:1,
+ guest_mode:1,
+ destination:8,
+ vector:8,
+ rsvd:8;
+} fields;
+};
 
 #define TYPE_AMD_IOMMU_DEVICE "amd-iommu"
 #define AMD_IOMMU_DEVICE(obj)\
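Review bot: `AMDVI_DEV_INT_PASS_MASK` through `AMDVI_DEV_LINT1_PASS_MASK` are built with `1UL << 56` up to `1UL << 63`; `unsigned long` is 32 bits on some supported hosts (32-bit Linux, and Windows even when 64-bit), where a shift of 56 or more is undefined behaviour and the mask is silently wrong. Use `1ULL`, as `AMDVI_IR_REMAP_ENABLE` and `AMDVI_IR_PHYS_ADDR_MASK` in this same hunk already do. Separately, `union irte` overlays a bit-field struct on `uint32_t val`; bit-field ordering and packing are implementation-defined, so reading a guest-provided table entry straight into it (as the .c hunk does through dma_memory_read) assumes a little-endian host with GCC/Clang packing — a comment stating that assumption next to the union, or explicit shift/mask accessors, would make the layout dependence visible to whoever next touches this.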
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index 9118a75530..8e2f13c029 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -28,6 +28,7 @@
 #include "qemu/error-report.h"
 #include "hw/i386/apic_internal.h"
 #include "trace.h"
+#include "hw/i386/apic-msidef.h"
 
 /* used AMD-Vi MMIO registers */
 const char *amdvi_mmio_low[] = {
@@ -1032,21 +1033,146 @@ static IOMMUTLBEntry amdvi_translate(IOMMUMemoryRegion 
*iommu, hwaddr addr,
 return ret;
 }
 
+static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
+  union irte *irte, uint16_t devid)
+{
+uint64_t irte_root, offset;
+
+irte_root = dte[2] & AMDVI_IR_PHYS_ADDR_MASK;
+offset = (origin->data & AMDVI_IRTE_OFFSET) << 2;
+
+trace_amdvi_ir_irte(irte_root, offset);
+
+if (dma_memory_read(_space_memory, irte_root + offset,
+irte, sizeof(*irte))) {
+trace_amdvi_ir_err("failed to get irte");
+return -AMDVI_IR_GET_IRTE;
+}
+
+trace_amdvi_ir_irte_val(irte->val);
+
+return 0;
+}
+
+static int amdvi_int_remap_legacy(AMDVIState *iommu,
+  MSIMessage *origin,
+  MSIMessage *translated,
+  uint64_t *dte,
+  X86IOMMUIrq *irq,
+  uint16_t sid)
+{
+int ret;
+union irte irte;
+
+/* get interrupt remapping table */
+ret = amdvi_get_irte(iommu, origin, dte, , sid);
+if (ret < 0) {
+return ret;
+}
+
+if (!irte.fields.valid) {
+trace_amdvi_ir_target_abort("RemapEn is disabled");
+return -AMDVI_IR_TARGET_ABORT;
+}
+
+if (irte.fields.guest_mode) {
+error_report_once("guest mode is not zero");
+return -AMDVI_IR_ERR;
+}
+
+if (irte.fields.int_type > AMDVI_IOAPIC_INT_TYPE_ARBITRATED) {
+error_report_once("reserved int_type");
+return -AMDVI_IR_ERR;
+}
+
+irq->delivery_mode = irte.fields.int_type;
+irq->vector = irte.fields.vector;
+irq->dest_mode = irte.fields.dm;
+irq->redir_hint = irte.fields.rq_eoi;
+irq->dest = irte.fields.destination;
+
+return 0;
+}
+
+static int __amdvi_int_remap_msi(AMDVIState *iommu,
+ MSIMessage *origin,
+  

[Qemu-devel] [PULL 24/28] pci_bridge: fix typo in comment

2018-10-23 Thread Michael S. Tsirkin
From: Mao Zhongyi 

Signed-off-by: Mao Zhongyi 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci/pci_bridge.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/pci/pci_bridge.c b/hw/pci/pci_bridge.c
index 08b7e44e2e..ee9dff2d3a 100644
--- a/hw/pci/pci_bridge.c
+++ b/hw/pci/pci_bridge.c
@@ -399,7 +399,7 @@ void pci_bridge_exitfn(PCIDevice *pci_dev)
 
 /*
  * before qdev initialization(qdev_init()), this function sets bus_name and
- * map_irq callback which are necessry for pci_bridge_initfn() to
+ * map_irq callback which are necessary for pci_bridge_initfn() to
  * initialize bus.
  */
 void pci_bridge_map_irq(PCIBridge *br, const char* bus_name,
-- 
MST




[Qemu-devel] [PULL 17/28] pci-testdev: add optional memory bar

2018-10-23 Thread Michael S. Tsirkin
From: Gerd Hoffmann 

Add memory bar to pci-testdev.  Size is configurable using the membar
property.  Setting the size to zero (default) turns it off.  Can be used
to check whether guests handle large pci bars correctly.

Reviewed-by: Marc-André Lureau 
Reviewed-by: Laszlo Ersek 
Tested-by: Laszlo Ersek 
Signed-off-by: Gerd Hoffmann 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 docs/specs/pci-testdev.txt | 15 ++-
 hw/misc/pci-testdev.c  | 19 +++
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/docs/specs/pci-testdev.txt b/docs/specs/pci-testdev.txt
index 128ae222ef..4280a1e73c 100644
--- a/docs/specs/pci-testdev.txt
+++ b/docs/specs/pci-testdev.txt
@@ -1,11 +1,11 @@
 pci-test is a device used for testing low level IO
 
-device implements up to two BARs: BAR0 and BAR1.
-Each BAR can be memory or IO. Guests must detect
-BAR type and act accordingly.
+device implements up to three BARs: BAR0, BAR1 and BAR2.
+Each of BAR 0+1 can be memory or IO. Guests must detect
+BAR types and act accordingly.
 
-Each BAR size is up to 4K bytes.
-Each BAR starts with the following header:
+BAR 0+1 size is up to 4K bytes each.
+BAR 0+1 starts with the following header:
 
 typedef struct PCITestDevHdr {
 uint8_t test;  <- write-only, starts a given test number
@@ -24,3 +24,8 @@ All registers are little endian.
 device is expected to always implement tests 0 to N on each BAR, and to add new
 tests with higher numbers.  In this way a guest can scan test numbers until it
 detects an access type that it does not support on this BAR, then stop.
+
+BAR2 is a 64bit memory bar, without backing storage.  It is disabled
+by default and can be enabled using the membar= property.  This
+can be used to test whether guests handle pci bars of a specific
+(possibly quite large) size correctly.
diff --git a/hw/misc/pci-testdev.c b/hw/misc/pci-testdev.c
index 32041f535f..a811b2ce20 100644
--- a/hw/misc/pci-testdev.c
+++ b/hw/misc/pci-testdev.c
@@ -85,6 +85,9 @@ typedef struct PCITestDevState {
 MemoryRegion portio;
 IOTest *tests;
 int current;
+
+size_t membar_size;
+MemoryRegion membar;
 } PCITestDevState;
 
 #define TYPE_PCI_TEST_DEV "pci-testdev"
@@ -253,6 +256,16 @@ static void pci_testdev_realize(PCIDevice *pci_dev, Error 
**errp)
 pci_register_bar(pci_dev, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, >mmio);
 pci_register_bar(pci_dev, 1, PCI_BASE_ADDRESS_SPACE_IO, >portio);
 
+if (d->membar_size) {
+memory_region_init(>membar, OBJECT(d), "pci-testdev-membar",
+   d->membar_size);
+pci_register_bar(pci_dev, 2,
+ PCI_BASE_ADDRESS_SPACE_MEMORY |
+ PCI_BASE_ADDRESS_MEM_PREFETCH |
+ PCI_BASE_ADDRESS_MEM_TYPE_64,
+ >membar);
+}
+
 d->current = -1;
 d->tests = g_malloc0(IOTEST_MAX * sizeof *d->tests);
 for (i = 0; i < IOTEST_MAX; ++i) {
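Review bot: `d->membar_size` comes straight from the user-settable `membar` property and is handed to pci_register_bar without validation; PCI BAR sizes must be powers of two and, as far as I recall, pci_register_bar treats anything else as fatal rather than reporting it through errp, so a mistyped `membar=` value takes the whole VM down instead of failing realize with a message. Validate before registering (is_power_of_2() is in qemu/host-utils.h); the rest of pci_testdev_realize is outside this hunk.
```c
    if (d->membar_size) {
        if (!is_power_of_2(d->membar_size)) {
            error_setg(errp, "membar size must be a power of two");
            return;
        }
        memory_region_init(&d->membar, OBJECT(d), "pci-testdev-membar",
                           d->membar_size);
        /* … unchanged: pci_register_bar() for BAR 2 … */
    }
```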
@@ -305,6 +318,11 @@ static void qdev_pci_testdev_reset(DeviceState *dev)
 pci_testdev_reset(d);
 }
 
+static Property pci_testdev_properties[] = {
+DEFINE_PROP_SIZE("membar", PCITestDevState, membar_size, 0),
+DEFINE_PROP_END_OF_LIST(),
+};
+
 static void pci_testdev_class_init(ObjectClass *klass, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
@@ -319,6 +337,7 @@ static void pci_testdev_class_init(ObjectClass *klass, void 
*data)
 dc->desc = "PCI Test Device";
 set_bit(DEVICE_CATEGORY_MISC, dc->categories);
 dc->reset = qdev_pci_testdev_reset;
+dc->props = pci_testdev_properties;
 }
 
 static const TypeInfo pci_testdev_info = {
-- 
MST




[Qemu-devel] [PULL 11/28] x86_iommu/amd: Prepare for interrupt remap support

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Register the interrupt remapping callback and read/write ops for the
amd-iommu-ir memory region.

amd-iommu-ir is set to higher priority to ensure that this region won't
be masked out by other memory regions.

Signed-off-by: Brijesh Singh 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Peter Xu 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.h  |  14 +-
 hw/i386/amd_iommu.c  | 106 +++
 hw/i386/trace-events |   5 ++
 3 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/hw/i386/amd_iommu.h b/hw/i386/amd_iommu.h
index 874030582d..4e7cc271c4 100644
--- a/hw/i386/amd_iommu.h
+++ b/hw/i386/amd_iommu.h
@@ -206,8 +206,18 @@
 
 #define AMDVI_COMMAND_SIZE   16
 
-#define AMDVI_INT_ADDR_FIRST 0xfee0
-#define AMDVI_INT_ADDR_LAST  0xfeef
+#define AMDVI_INT_ADDR_FIRST0xfee0
+#define AMDVI_INT_ADDR_LAST 0xfeef
+#define AMDVI_INT_ADDR_SIZE (AMDVI_INT_ADDR_LAST - AMDVI_INT_ADDR_FIRST + 
1)
+#define AMDVI_MSI_ADDR_HI_MASK  (0xULL)
+#define AMDVI_MSI_ADDR_LO_MASK  (0xULL)
+
+/* SB IOAPIC is always on this device in AMD systems */
+#define AMDVI_IOAPIC_SB_DEVID   PCI_BUILD_BDF(0, PCI_DEVFN(0x14, 0))
+
+/* Interrupt remapping errors */
+#define AMDVI_IR_ERR0x1
+
 
 #define TYPE_AMD_IOMMU_DEVICE "amd-iommu"
 #define AMD_IOMMU_DEVICE(obj)\
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index 4bec1c6688..9118a75530 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -26,6 +26,7 @@
 #include "amd_iommu.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
+#include "hw/i386/apic_internal.h"
 #include "trace.h"
 
 /* used AMD-Vi MMIO registers */
@@ -1031,6 +1032,99 @@ static IOMMUTLBEntry amdvi_translate(IOMMUMemoryRegion 
*iommu, hwaddr addr,
 return ret;
 }
 
+/* Interrupt remapping for MSI/MSI-X entry */
+static int amdvi_int_remap_msi(AMDVIState *iommu,
+   MSIMessage *origin,
+   MSIMessage *translated,
+   uint16_t sid)
+{
+assert(origin && translated);
+
+trace_amdvi_ir_remap_msi_req(origin->address, origin->data, sid);
+
+if (!iommu || !X86_IOMMU_DEVICE(iommu)->intr_supported) {
+memcpy(translated, origin, sizeof(*origin));
+goto out;
+}
+
+if (origin->address & AMDVI_MSI_ADDR_HI_MASK) {
+trace_amdvi_err("MSI address high 32 bits non-zero when "
+"Interrupt Remapping enabled.");
+return -AMDVI_IR_ERR;
+}
+
+if ((origin->address & AMDVI_MSI_ADDR_LO_MASK) != APIC_DEFAULT_ADDRESS) {
+trace_amdvi_err("MSI is not from IOAPIC.");
+return -AMDVI_IR_ERR;
+}
+
+out:
+trace_amdvi_ir_remap_msi(origin->address, origin->data,
+ translated->address, translated->data);
+return 0;
+}
+
+static int amdvi_int_remap(X86IOMMUState *iommu,
+   MSIMessage *origin,
+   MSIMessage *translated,
+   uint16_t sid)
+{
+return amdvi_int_remap_msi(AMD_IOMMU_DEVICE(iommu), origin,
+   translated, sid);
+}
+
+static MemTxResult amdvi_mem_ir_write(void *opaque, hwaddr addr,
+  uint64_t value, unsigned size,
+  MemTxAttrs attrs)
+{
+int ret;
+MSIMessage from = { 0, 0 }, to = { 0, 0 };
+uint16_t sid = AMDVI_IOAPIC_SB_DEVID;
+
+from.address = (uint64_t) addr + AMDVI_INT_ADDR_FIRST;
+from.data = (uint32_t) value;
+
+trace_amdvi_mem_ir_write_req(addr, value, size);
+
+if (!attrs.unspecified) {
+/* We have explicit Source ID */
+sid = attrs.requester_id;
+}
+
+ret = amdvi_int_remap_msi(opaque, , , sid);
+if (ret < 0) {
+/* TODO: log the event using IOMMU log event interface */
+error_report_once("failed to remap interrupt from devid 0x%x", sid);
+return MEMTX_ERROR;
+}
+
+apic_get_class()->send_msi();
+
+trace_amdvi_mem_ir_write(to.address, to.data);
+return MEMTX_OK;
+}
+
+static MemTxResult amdvi_mem_ir_read(void *opaque, hwaddr addr,
+ uint64_t *data, unsigned size,
+ MemTxAttrs attrs)
+{
+return MEMTX_OK;
+}
+
+static const MemoryRegionOps amdvi_ir_ops = {
+.read_with_attrs = amdvi_mem_ir_read,
+.write_with_attrs = amdvi_mem_ir_write,
+.endianness = DEVICE_LITTLE_ENDIAN,
+.impl = {
+.min_access_size = 4,
+.max_access_size = 4,
+},
+.valid = {
+.min_access_size = 4,
+.max_access_size = 4,
+}
+};
+
 static AddressSpace *amdvi_host_dma_iommu(PCIBus *bus, void *opaque, int devfn)
 {

[Qemu-devel] [PULL 16/28] MAINTAINERS: list "tests/acpi-test-data" files in ACPI/SMBIOS section

2018-10-23 Thread Michael S. Tsirkin
From: Laszlo Ersek 

The "tests/acpi-test-data" files are currently not covered by any section
in MAINTAINERS, and "scripts/checkpatch.pl" complains when new data files
are added.

Cc: "Michael S. Tsirkin" 
Cc: Alex Williamson 
Cc: Gerd Hoffmann 
Cc: Igor Mammedov 
Cc: Marcel Apfelbaum 
Signed-off-by: Laszlo Ersek 
Reviewed-by: Marcel Apfelbaum
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 MAINTAINERS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 40672c4eba..b4d4bd4129 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1113,6 +1113,8 @@ F: hw/i386/acpi-build.[hc]
 F: hw/arm/virt-acpi-build.c
 F: tests/bios-tables-test.c
 F: tests/acpi-utils.[hc]
+F: tests/acpi-test-data/*
+F: tests/acpi-test-data/*/*
 
 ppc4xx
 M: Alexander Graf 
-- 
MST




[Qemu-devel] [PULL 00/28] pci, pc, virtio: fixes, features

2018-10-23 Thread Michael S. Tsirkin
The following changes since commit 13399aad4fa87b2878c49d02a5d3bafa6c966ba3:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2018-10-22' into 
staging (2018-10-23 17:20:23 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git tags/for_upstream

for you to fetch changes up to 57b279df457c2c4ef66ce9e1b813df35abde69f7:

  vhost-scsi: prevent using uninitialized vqs (2018-10-23 19:29:58 -0400)


pci, pc, virtio: fixes, features

AMD IOMMU VAPIC support + fixes all over the place.

Signed-off-by: Michael S. Tsirkin 


Gerd Hoffmann (1):
  pci-testdev: add optional memory bar

Laszlo Ersek (4):
  MAINTAINERS: list "tests/acpi-test-data" files in ACPI/SMBIOS section
  hw/pci-host/x86: extract get_pci_hole64_start_value() helpers
  hw/pci-host/x86: extend the 64-bit PCI hole relative to the fw-assigned 
base
  tests/bios-tables-test: add 64-bit PCI MMIO aperture round-up test on Q35

Li Qiang (3):
  i440fx: use ARRAY_SIZE for pam_regions
  piix: use TYPE_FOO constants than string constats
  piix_pci: fix i440fx data sheet link

Mao Zhongyi (1):
  pci_bridge: fix typo in comment

Peter Xu (4):
  intel_iommu: introduce vtd_reset_caches()
  intel_iommu: better handling of dmar state switch
  intel_iommu: move ce fetching out when sync shadow
  intel_iommu: handle invalid ce for shadow sync

Philippe Mathieu-Daudé (3):
  hw/pci-bridge/xio3130: Remove unused functions
  hw/pci-bridge/ioh3420: Remove unuseful header
  hw/pci: Add missing include

Singh, Brijesh (9):
  x86_iommu: move the kernel-irqchip check in common code
  x86_iommu: move vtd_generate_msi_message in common file
  x86_iommu/amd: remove V=1 check from amdvi_validate_dte()
  x86_iommu/amd: make the address space naming consistent with intel-iommu
  x86_iommu/amd: Prepare for interrupt remap support
  x86_iommu/amd: Add interrupt remap support when VAPIC is not enabled
  i386: acpi: add IVHD device entry for IOAPIC
  x86_iommu/amd: Add interrupt remap support when VAPIC is enabled
  x86_iommu/amd: Enable Guest virtual APIC support

Yaowei Bai (1):
  virtio-blk: fix comment for virtio_blk_rw_complete

Yongji Xie (1):
  vhost-user-blk: start vhost when guest kicks

yuchenlin (1):
  vhost-scsi: prevent using uninitialized vqs

 docs/specs/pci-testdev.txt   |  15 +-
 hw/i386/amd_iommu.h  |  96 +++-
 hw/pci-bridge/ioh3420.h  |   6 -
 hw/pci-bridge/xio3130_downstream.h   |  11 -
 hw/pci-bridge/xio3130_upstream.h |  10 -
 include/hw/i386/intel_iommu.h|  59 -
 include/hw/i386/x86-iommu.h  |  66 ++
 include/hw/pci/pci_bus.h |   2 +
 hw/block/vhost-user-blk.c|  25 +++
 hw/block/virtio-blk.c|   4 +-
 hw/i386/acpi-build.c |  31 ++-
 hw/i386/amd_iommu.c  | 414 ++-
 hw/i386/intel_iommu.c| 131 +--
 hw/i386/x86-iommu.c  |  33 +++
 hw/misc/pci-testdev.c|  19 ++
 hw/pci-bridge/ioh3420.c  |   2 +-
 hw/pci-bridge/xio3130_downstream.c   |  28 +--
 hw/pci-bridge/xio3130_upstream.c |  24 +-
 hw/pci-host/piix.c   |  34 ++-
 hw/pci-host/q35.c|  17 +-
 hw/pci/pci_bridge.c  |   2 +-
 hw/scsi/vhost-scsi.c |   2 +-
 tests/bios-tables-test.c |  16 ++
 MAINTAINERS  |   2 +
 dtc  |   2 +-
 hw/i386/trace-events |  14 ++
 tests/acpi-test-data/q35/DSDT.mmio64 | Bin 0 -> 8947 bytes
 tests/acpi-test-data/q35/SRAT.mmio64 | Bin 0 -> 224 bytes
 28 files changed, 812 insertions(+), 253 deletions(-)
 delete mode 100644 hw/pci-bridge/ioh3420.h
 delete mode 100644 hw/pci-bridge/xio3130_downstream.h
 delete mode 100644 hw/pci-bridge/xio3130_upstream.h
 create mode 100644 tests/acpi-test-data/q35/DSDT.mmio64
 create mode 100644 tests/acpi-test-data/q35/SRAT.mmio64




[Qemu-devel] [PULL 09/28] x86_iommu/amd: remove V=1 check from amdvi_validate_dte()

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Currently, amdvi_validate_dte() assumes that a valid DTE will
always have V=1. This is not true. V=1 means that bits [127:1] are
valid. A valid DTE can have IV=1 and V=0 (i.e. address translation
disabled and interrupt remapping enabled).

Remove the V=1 check from amdvi_validate_dte(), make the caller
responsible to check for V or IV bits.

This also fixes a bug in existing code that when error is
detected during the translation we'll fail the translation
instead of assuming a passthrough mode.

Signed-off-by: Brijesh Singh 
Reviewed-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index 1fd669fef8..7206bb09c2 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -807,7 +807,7 @@ static inline uint64_t amdvi_get_perms(uint64_t entry)
AMDVI_DEV_PERM_SHIFT;
 }
 
-/* a valid entry should have V = 1 and reserved bits honoured */
+/* validate that reserved bits are honoured */
 static bool amdvi_validate_dte(AMDVIState *s, uint16_t devid,
uint64_t *dte)
 {
@@ -820,7 +820,7 @@ static bool amdvi_validate_dte(AMDVIState *s, uint16_t 
devid,
 return false;
 }
 
-return dte[0] & AMDVI_DEV_VALID;
+return true;
 }
 
 /* get a device table entry given the devid */
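Review bot: amdvi_validate_dte still reads as a validity check but after `return true;` it only verifies reserved bits, so a future caller that forgets to test `AMDVI_DEV_VALID` (or the IV bit) will translate through a not-present entry without any complaint from the helper. The one-line comment changed in the previous hunk should spell out the new contract, e.g. `/* Only checks that reserved bits are honoured; callers must test V (AMDVI_DEV_VALID) and IV themselves. */`.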
@@ -966,8 +966,12 @@ static void amdvi_do_translate(AMDVIAddressSpace *as, 
hwaddr addr,
 return;
 }
 
-/* devices with V = 0 are not translated */
 if (!amdvi_get_dte(s, devid, entry)) {
+return;
+}
+
+/* devices with V = 0 are not translated */
+if (!(entry[0] & AMDVI_DEV_VALID)) {
 goto out;
 }
 
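Review bot: The new bare `return;` after a failed amdvi_get_dte leaves whatever the caller pre-filled in its IOMMUTLBEntry untouched, which is presumably what turns this case into a fault rather than passthrough as the commit message describes, but nothing at the call site says so and the contrast with the `goto out;` for V=0 just below is easy to misread. Suggest `/* DTE fetch or reserved-bit check failed: leave the entry as a fault, not passthrough */` above the return. The rest of amdvi_do_translate, including the `out:` label, lies outside this hunk.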
-- 
MST




[Qemu-devel] [PULL 08/28] x86_iommu: move vtd_generate_msi_message in common file

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

The vtd_generate_msi_message() in intel-iommu is used to construct an MSI
message from an IRQ. A similar function will be needed when we add interrupt
remapping support in amd-iommu. Move the function into a common file to
avoid code duplication, and rename it to x86_iommu_irq_to_msi_message().
There are no logic changes in the code flow.

Signed-off-by: Brijesh Singh 
Suggested-by: Peter Xu 
Reviewed-by: Eduardo Habkost 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 include/hw/i386/intel_iommu.h | 59 ---
 include/hw/i386/x86-iommu.h   | 66 +++
 hw/i386/intel_iommu.c | 32 +++--
 hw/i386/x86-iommu.c   | 24 +
 4 files changed, 94 insertions(+), 87 deletions(-)

diff --git a/include/hw/i386/intel_iommu.h b/include/hw/i386/intel_iommu.h
index fbfedcb1c0..ed4e758273 100644
--- a/include/hw/i386/intel_iommu.h
+++ b/include/hw/i386/intel_iommu.h
@@ -66,8 +66,6 @@ typedef struct VTDIOTLBEntry VTDIOTLBEntry;
 typedef struct VTDBus VTDBus;
 typedef union VTD_IR_TableEntry VTD_IR_TableEntry;
 typedef union VTD_IR_MSIAddress VTD_IR_MSIAddress;
-typedef struct VTDIrq VTDIrq;
-typedef struct VTD_MSIMessage VTD_MSIMessage;
 
 /* Context-Entry */
 struct VTDContextEntry {
@@ -197,63 +195,6 @@ union VTD_IR_MSIAddress {
 uint32_t data;
 };
 
-/* Generic IRQ entry information */
-struct VTDIrq {
-/* Used by both IOAPIC/MSI interrupt remapping */
-uint8_t trigger_mode;
-uint8_t vector;
-uint8_t delivery_mode;
-uint32_t dest;
-uint8_t dest_mode;
-
-/* only used by MSI interrupt remapping */
-uint8_t redir_hint;
-uint8_t msi_addr_last_bits;
-};
-
-struct VTD_MSIMessage {
-union {
-struct {
-#ifdef HOST_WORDS_BIGENDIAN
-uint32_t __addr_head:12; /* 0xfee */
-uint32_t dest:8;
-uint32_t __reserved:8;
-uint32_t redir_hint:1;
-uint32_t dest_mode:1;
-uint32_t __not_used:2;
-#else
-uint32_t __not_used:2;
-uint32_t dest_mode:1;
-uint32_t redir_hint:1;
-uint32_t __reserved:8;
-uint32_t dest:8;
-uint32_t __addr_head:12; /* 0xfee */
-#endif
-uint32_t __addr_hi;
-} QEMU_PACKED;
-uint64_t msi_addr;
-};
-union {
-struct {
-#ifdef HOST_WORDS_BIGENDIAN
-uint16_t trigger_mode:1;
-uint16_t level:1;
-uint16_t __resved:3;
-uint16_t delivery_mode:3;
-uint16_t vector:8;
-#else
-uint16_t vector:8;
-uint16_t delivery_mode:3;
-uint16_t __resved:3;
-uint16_t level:1;
-uint16_t trigger_mode:1;
-#endif
-uint16_t __resved1;
-} QEMU_PACKED;
-uint32_t msi_data;
-};
-};
-
 /* When IR is enabled, all MSI/MSI-X data bits should be zero */
 #define VTD_IR_MSI_DATA  (0)
 
diff --git a/include/hw/i386/x86-iommu.h b/include/hw/i386/x86-iommu.h
index 7c71fc7470..2b22a579a3 100644
--- a/include/hw/i386/x86-iommu.h
+++ b/include/hw/i386/x86-iommu.h
@@ -22,6 +22,7 @@
 
 #include "hw/sysbus.h"
 #include "hw/pci/pci.h"
+#include "hw/pci/msi.h"
 
 #define  TYPE_X86_IOMMU_DEVICE  ("x86-iommu")
 #define  X86_IOMMU_DEVICE(obj) \
@@ -35,6 +36,8 @@
 
 typedef struct X86IOMMUState X86IOMMUState;
 typedef struct X86IOMMUClass X86IOMMUClass;
+typedef struct X86IOMMUIrq X86IOMMUIrq;
+typedef struct X86IOMMU_MSIMessage X86IOMMU_MSIMessage;
 
 typedef enum IommuType {
 TYPE_INTEL,
@@ -78,6 +81,63 @@ struct X86IOMMUState {
 QLIST_HEAD(, IEC_Notifier) iec_notifiers; /* IEC notify list */
 };
 
+/* Generic IRQ entry information when interrupt remapping is enabled */
+struct X86IOMMUIrq {
+/* Used by both IOAPIC/MSI interrupt remapping */
+uint8_t trigger_mode;
+uint8_t vector;
+uint8_t delivery_mode;
+uint32_t dest;
+uint8_t dest_mode;
+
+/* only used by MSI interrupt remapping */
+uint8_t redir_hint;
+uint8_t msi_addr_last_bits;
+};
+
+struct X86IOMMU_MSIMessage {
+union {
+struct {
+#ifdef HOST_WORDS_BIGENDIAN
+uint32_t __addr_head:12; /* 0xfee */
+uint32_t dest:8;
+uint32_t __reserved:8;
+uint32_t redir_hint:1;
+uint32_t dest_mode:1;
+uint32_t __not_used:2;
+#else
+uint32_t __not_used:2;
+uint32_t dest_mode:1;
+uint32_t redir_hint:1;
+uint32_t __reserved:8;
+uint32_t dest:8;
+uint32_t __addr_head:12; /* 0xfee */
+#endif
+uint32_t __addr_hi;
+} QEMU_PACKED;
+uint64_t msi_addr;
+};
+union {
+struct {
+#ifdef HOST_WORDS_BIGENDIAN
+

[Qemu-devel] [PULL 18/28] hw/pci-host/x86: extract get_pci_hole64_start_value() helpers

2018-10-23 Thread Michael S. Tsirkin
From: Laszlo Ersek 

Expose the calculated "hole64 start" GPAs as plain uint64_t values,
extracting the internals of the current property getters.

This patch doesn't change behavior.

Cc: "Michael S. Tsirkin" 
Cc: Alex Williamson 
Cc: Gerd Hoffmann 
Cc: Igor Mammedov 
Cc: Marcel Apfelbaum 
Signed-off-by: Laszlo Ersek 
Reviewed-by: Marcel Apfelbaum 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci-host/piix.c | 15 +++
 hw/pci-host/q35.c  | 15 +++
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
index da73743fa2..15cc34912e 100644
--- a/hw/pci-host/piix.c
+++ b/hw/pci-host/piix.c
@@ -249,9 +249,7 @@ static void i440fx_pcihost_get_pci_hole_end(Object *obj, 
Visitor *v,
  * the 64bit PCI hole will start after "over 4G RAM" and the
  * reserved space for memory hotplug if any.
  */
-static void i440fx_pcihost_get_pci_hole64_start(Object *obj, Visitor *v,
-const char *name,
-void *opaque, Error **errp)
+static uint64_t i440fx_pcihost_get_pci_hole64_start_value(Object *obj)
 {
 PCIHostState *h = PCI_HOST_BRIDGE(obj);
 I440FXState *s = I440FX_PCI_HOST_BRIDGE(obj);
@@ -263,7 +261,16 @@ static void i440fx_pcihost_get_pci_hole64_start(Object 
*obj, Visitor *v,
 if (!value && s->pci_hole64_fix) {
 value = pc_pci_hole64_start();
 }
-visit_type_uint64(v, name, , errp);
+return value;
+}
+
+static void i440fx_pcihost_get_pci_hole64_start(Object *obj, Visitor *v,
+const char *name,
+void *opaque, Error **errp)
+{
+uint64_t hole64_start = i440fx_pcihost_get_pci_hole64_start_value(obj);
+
+visit_type_uint64(v, name, _start, errp);
 }
 
 /*
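Review bot: The comment block that begins `the 64bit PCI hole will start after "over 4G RAM"` now sits above the new `i440fx_pcihost_get_pci_hole64_start_value` helper, leaving the visitor-side `i440fx_pcihost_get_pci_hole64_start` with no comment at all; the two q35 hunks below have the same shape. A one-liner on each getter, e.g. `/* Property getter: reports the value computed by i440fx_pcihost_get_pci_hole64_start_value(). */`, keeps both halves documented.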
diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
index 8ce1e09932..919de104fc 100644
--- a/hw/pci-host/q35.c
+++ b/hw/pci-host/q35.c
@@ -113,9 +113,7 @@ static void q35_host_get_pci_hole_end(Object *obj, Visitor 
*v,
  * the 64bit PCI hole will start after "over 4G RAM" and the
  * reserved space for memory hotplug if any.
  */
-static void q35_host_get_pci_hole64_start(Object *obj, Visitor *v,
-  const char *name, void *opaque,
-  Error **errp)
+static uint64_t q35_host_get_pci_hole64_start_value(Object *obj)
 {
 PCIHostState *h = PCI_HOST_BRIDGE(obj);
 Q35PCIHost *s = Q35_HOST_DEVICE(obj);
@@ -127,7 +125,16 @@ static void q35_host_get_pci_hole64_start(Object *obj, 
Visitor *v,
 if (!value && s->pci_hole64_fix) {
 value = pc_pci_hole64_start();
 }
-visit_type_uint64(v, name, , errp);
+return value;
+}
+
+static void q35_host_get_pci_hole64_start(Object *obj, Visitor *v,
+  const char *name, void *opaque,
+  Error **errp)
+{
+uint64_t hole64_start = q35_host_get_pci_hole64_start_value(obj);
+
+visit_type_uint64(v, name, _start, errp);
 }
 
 /*
-- 
MST




[Qemu-devel] [PULL 05/28] intel_iommu: handle invalid ce for shadow sync

2018-10-23 Thread Michael S. Tsirkin
From: Peter Xu 

We should handle VTD_FR_CONTEXT_ENTRY_P properly when synchronizing
shadow page tables.  Having invalid context entry there is perfectly
valid when we move a device out of an existing domain.  When that
happens, instead of posting an error we invalidate the whole region.

Without this patch, QEMU will crash if we do these steps:

(1) start QEMU with VT-d IOMMU and two 10G NICs (ixgbe)
(2) bind the NICs with vfio-pci in the guest
(3) start testpmd with the NICs applied
(4) stop testpmd
(5) rebind the NIC back to ixgbe kernel driver

The patch should fix it.

Reported-by: Pei Zhang 
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1627272
Signed-off-by: Peter Xu 
Reviewed-by: Eric Auger 
Reviewed-by: Maxime Coquelin 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/intel_iommu.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 25e54671f4..f24ebfca1c 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -38,6 +38,7 @@
 #include "trace.h"
 
 static void vtd_address_space_refresh_all(IntelIOMMUState *s);
+static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n);
 
 static void vtd_define_quad(IntelIOMMUState *s, hwaddr addr, uint64_t val,
 uint64_t wmask, uint64_t w1cmask)
@@ -1066,11 +1067,27 @@ static int vtd_sync_shadow_page_table(VTDAddressSpace 
*vtd_as)
 {
 int ret;
 VTDContextEntry ce;
+IOMMUNotifier *n;
 
 ret = vtd_dev_to_context_entry(vtd_as->iommu_state,
pci_bus_num(vtd_as->bus),
vtd_as->devfn, );
 if (ret) {
+if (ret == -VTD_FR_CONTEXT_ENTRY_P) {
+/*
+ * It's a valid scenario to have a context entry that is
+ * not present.  For example, when a device is removed
+ * from an existing domain then the context entry will be
+ * zeroed by the guest before it was put into another
+ * domain.  When this happens, instead of synchronizing
+ * the shadow pages we should invalidate all existing
+ * mappings and notify the backends.
+ */
+IOMMU_NOTIFIER_FOREACH(n, _as->iommu) {
+vtd_address_space_unmap(vtd_as, n);
+}
+ret = 0;
+}
 return ret;
 }
 
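Review bot: Only `-VTD_FR_CONTEXT_ENTRY_P` leads to the shadow mappings being torn down; every other failure of `vtd_dev_to_context_entry()` still returns early and leaves whatever the backends already have mapped in place. If a root entry that is not present, or a context entry that fails validation, likewise means the device currently has no valid translation, those stale mappings outlive the guest's change, so it is worth either extending the unmap to those cases or adding a sentence to the comment explaining why they are deliberately left alone. The remainder of `vtd_sync_shadow_page_table` after the `if (ret)` block is outside the hunk.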
-- 
MST




[Qemu-devel] [PULL 21/28] hw/pci-bridge/xio3130: Remove unused functions

2018-10-23 Thread Michael S. Tsirkin
From: Philippe Mathieu-Daudé 

Introduced in 48ebf2f90f8 and faf1e708d5b, these functions
were never used. Remove them.

Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/pci-bridge/xio3130_downstream.h | 11 ---
 hw/pci-bridge/xio3130_upstream.h   | 10 --
 hw/pci-bridge/xio3130_downstream.c | 28 +---
 hw/pci-bridge/xio3130_upstream.c   | 24 +---
 4 files changed, 2 insertions(+), 71 deletions(-)
 delete mode 100644 hw/pci-bridge/xio3130_downstream.h
 delete mode 100644 hw/pci-bridge/xio3130_upstream.h

diff --git a/hw/pci-bridge/xio3130_downstream.h 
b/hw/pci-bridge/xio3130_downstream.h
deleted file mode 100644
index 8426d9ffa6..00
--- a/hw/pci-bridge/xio3130_downstream.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef QEMU_XIO3130_DOWNSTREAM_H
-#define QEMU_XIO3130_DOWNSTREAM_H
-
-#include "hw/pci/pcie_port.h"
-
-PCIESlot *xio3130_downstream_init(PCIBus *bus, int devfn, bool multifunction,
-  const char *bus_name, pci_map_irq_fn map_irq,
-  uint8_t port, uint8_t chassis,
-  uint16_t slot);
-
-#endif /* QEMU_XIO3130_DOWNSTREAM_H */
diff --git a/hw/pci-bridge/xio3130_upstream.h b/hw/pci-bridge/xio3130_upstream.h
deleted file mode 100644
index d0ab7577e2..00
--- a/hw/pci-bridge/xio3130_upstream.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef QEMU_XIO3130_UPSTREAM_H
-#define QEMU_XIO3130_UPSTREAM_H
-
-#include "hw/pci/pcie_port.h"
-
-PCIEPort *xio3130_upstream_init(PCIBus *bus, int devfn, bool multifunction,
-const char *bus_name, pci_map_irq_fn map_irq,
-uint8_t port);
-
-#endif /* QEMU_XIO3130_UPSTREAM_H */
diff --git a/hw/pci-bridge/xio3130_downstream.c 
b/hw/pci-bridge/xio3130_downstream.c
index b202657954..467bbabe4c 100644
--- a/hw/pci-bridge/xio3130_downstream.c
+++ b/hw/pci-bridge/xio3130_downstream.c
@@ -23,7 +23,7 @@
 #include "hw/pci/pci_ids.h"
 #include "hw/pci/msi.h"
 #include "hw/pci/pcie.h"
-#include "xio3130_downstream.h"
+#include "hw/pci/pcie_port.h"
 #include "qapi/error.h"
 
 #define PCI_DEVICE_ID_TI_XIO3130D   0x8233  /* downstream port */
@@ -127,32 +127,6 @@ static void xio3130_downstream_exitfn(PCIDevice *d)
 pci_bridge_exitfn(d);
 }
 
-PCIESlot *xio3130_downstream_init(PCIBus *bus, int devfn, bool multifunction,
-  const char *bus_name, pci_map_irq_fn map_irq,
-  uint8_t port, uint8_t chassis,
-  uint16_t slot)
-{
-PCIDevice *d;
-PCIBridge *br;
-DeviceState *qdev;
-
-d = pci_create_multifunction(bus, devfn, multifunction,
- "xio3130-downstream");
-if (!d) {
-return NULL;
-}
-br = PCI_BRIDGE(d);
-
-qdev = DEVICE(d);
-pci_bridge_map_irq(br, bus_name, map_irq);
-qdev_prop_set_uint8(qdev, "port", port);
-qdev_prop_set_uint8(qdev, "chassis", chassis);
-qdev_prop_set_uint16(qdev, "slot", slot);
-qdev_init_nofail(qdev);
-
-return PCIE_SLOT(d);
-}
-
 static Property xio3130_downstream_props[] = {
 DEFINE_PROP_BIT(COMPAT_PROP_PCP, PCIDevice, cap_present,
 QEMU_PCIE_SLTCAP_PCP_BITNR, true),
diff --git a/hw/pci-bridge/xio3130_upstream.c b/hw/pci-bridge/xio3130_upstream.c
index bca2f9a5ea..b524908cf1 100644
--- a/hw/pci-bridge/xio3130_upstream.c
+++ b/hw/pci-bridge/xio3130_upstream.c
@@ -23,7 +23,7 @@
 #include "hw/pci/pci_ids.h"
 #include "hw/pci/msi.h"
 #include "hw/pci/pcie.h"
-#include "xio3130_upstream.h"
+#include "hw/pci/pcie_port.h"
 
 #define PCI_DEVICE_ID_TI_XIO3130U   0x8232  /* upstream port */
 #define XIO3130_REVISION0x2
@@ -108,28 +108,6 @@ static void xio3130_upstream_exitfn(PCIDevice *d)
 pci_bridge_exitfn(d);
 }
 
-PCIEPort *xio3130_upstream_init(PCIBus *bus, int devfn, bool multifunction,
- const char *bus_name, pci_map_irq_fn map_irq,
- uint8_t port)
-{
-PCIDevice *d;
-PCIBridge *br;
-DeviceState *qdev;
-
-d = pci_create_multifunction(bus, devfn, multifunction, "x3130-upstream");
-if (!d) {
-return NULL;
-}
-br = PCI_BRIDGE(d);
-
-qdev = DEVICE(d);
-pci_bridge_map_irq(br, bus_name, map_irq);
-qdev_prop_set_uint8(qdev, "port", port);
-qdev_init_nofail(qdev);
-
-return PCIE_PORT(d);
-}
-
 static const VMStateDescription vmstate_xio3130_upstream = {
 .name = "xio3130-express-upstream-port",
 .priority = MIG_PRI_PCI_BUS,
-- 
MST




[Qemu-devel] [PULL 06/28] vhost-user-blk: start vhost when guest kicks

2018-10-23 Thread Michael S. Tsirkin
From: Yongji Xie 

Some old guests (before commit 7a11370e5: "virtio_blk: enable VQs early")
kick virtqueue before setting VIRTIO_CONFIG_S_DRIVER_OK. This violates
the virtio spec. But virtio 1.0 transitional devices support this behaviour.
So we should start vhost when guest kicks in this case.

Signed-off-by: Yongji Xie 
Signed-off-by: Chai Wen 
Signed-off-by: Ni Xun 
Reviewed-by: Stefan Hajnoczi 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/block/vhost-user-blk.c | 25 +
 1 file changed, 25 insertions(+)

diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
index d755223643..1451940845 100644
--- a/hw/block/vhost-user-blk.c
+++ b/hw/block/vhost-user-blk.c
@@ -217,7 +217,32 @@ static uint64_t vhost_user_blk_get_features(VirtIODevice 
*vdev,
 
 static void vhost_user_blk_handle_output(VirtIODevice *vdev, VirtQueue *vq)
 {
+VHostUserBlk *s = VHOST_USER_BLK(vdev);
+int i;
 
+if (!(virtio_host_has_feature(vdev, VIRTIO_F_VERSION_1) &&
+!virtio_vdev_has_feature(vdev, VIRTIO_F_VERSION_1))) {
+return;
+}
+
+if (s->dev.started) {
+return;
+}
+
+/* Some guests kick before setting VIRTIO_CONFIG_S_DRIVER_OK so start
+ * vhost here instead of waiting for .set_status().
+ */
+vhost_user_blk_start(vdev);
+
+/* Kick right away to begin processing requests already in vring */
+for (i = 0; i < s->dev.nvqs; i++) {
+VirtQueue *kick_vq = virtio_get_queue(vdev, i);
+
+if (!virtio_queue_get_desc_addr(vdev, i)) {
+continue;
+}
+event_notifier_set(virtio_queue_get_host_notifier(kick_vq));
+}
 }
 
 static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp)
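Review bot: The result of `vhost_user_blk_start(vdev)` is discarded, so if that function can fail (its definition is outside the hunk) the loop below still sets the host notifiers for a backend that was never started. Checking it, e.g. `if (vhost_user_blk_start(vdev) < 0) { return; }`, keeps the early-start path from kicking a dead device and makes the failure visible to whoever is debugging it. Declaring the loop index in the `for` rather than at function scope would also match the rest of the new code's narrow scoping.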
-- 
MST




[Qemu-devel] [PULL 10/28] x86_iommu/amd: make the address space naming consistent with intel-iommu

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

To be consistent with intel-iommu:

- rename the address space to use '_' instead of '-'
- update the memory region relationships

Signed-off-by: Brijesh Singh 
Reviewed-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/amd_iommu.c | 34 +++---
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
index 7206bb09c2..4bec1c6688 100644
--- a/hw/i386/amd_iommu.c
+++ b/hw/i386/amd_iommu.c
@@ -55,6 +55,7 @@ struct AMDVIAddressSpace {
 uint8_t bus_num;/* bus number   */
 uint8_t devfn;  /* device function  */
 AMDVIState *iommu_state;/* AMDVI - one per machine  */
+MemoryRegion root;  /* AMDVI Root memory map region */
 IOMMUMemoryRegion iommu;/* Device's address translation region  */
 MemoryRegion iommu_ir;  /* Device's interrupt remapping region  */
 AddressSpace as;/* device's corresponding address space */
@@ -1032,8 +1033,9 @@ static IOMMUTLBEntry amdvi_translate(IOMMUMemoryRegion 
*iommu, hwaddr addr,
 
 static AddressSpace *amdvi_host_dma_iommu(PCIBus *bus, void *opaque, int devfn)
 {
+char name[128];
 AMDVIState *s = opaque;
-AMDVIAddressSpace **iommu_as;
+AMDVIAddressSpace **iommu_as, *amdvi_dev_as;
 int bus_num = pci_bus_num(bus);
 
 iommu_as = s->address_spaces[bus_num];
@@ -1046,19 +1048,37 @@ static AddressSpace *amdvi_host_dma_iommu(PCIBus *bus, 
void *opaque, int devfn)
 
 /* set up AMD-Vi region */
 if (!iommu_as[devfn]) {
+snprintf(name, sizeof(name), "amd_iommu_devfn_%d", devfn);
+
 iommu_as[devfn] = g_malloc0(sizeof(AMDVIAddressSpace));
 iommu_as[devfn]->bus_num = (uint8_t)bus_num;
 iommu_as[devfn]->devfn = (uint8_t)devfn;
 iommu_as[devfn]->iommu_state = s;
 
-memory_region_init_iommu(_as[devfn]->iommu,
- sizeof(iommu_as[devfn]->iommu),
+amdvi_dev_as = iommu_as[devfn];
+
+/*
+ * Memory region relationships looks like (Address range shows
+ * only lower 32 bits to make it short in length...):
+ *
+ * |-+---+--|
+ * | Name| Address range | Priority |
+ * |-+---+--+
+ * | amdvi_root  | - |0 |
+ * |  amdvi_iommu| - |1 |
+ * |-+---+--|
+ */
+memory_region_init_iommu(_dev_as->iommu,
+ sizeof(amdvi_dev_as->iommu),
  TYPE_AMD_IOMMU_MEMORY_REGION,
  OBJECT(s),
- "amd-iommu", UINT64_MAX);
-address_space_init(_as[devfn]->as,
-   MEMORY_REGION(_as[devfn]->iommu),
-   "amd-iommu");
+ "amd_iommu", UINT64_MAX);
+memory_region_init(_dev_as->root, OBJECT(s),
+   "amdvi_root", UINT64_MAX);
+address_space_init(_dev_as->as, _dev_as->root, name);
+memory_region_add_subregion_overlap(_dev_as->root, 0,
+
MEMORY_REGION(_dev_as->iommu),
+1);
 }
 return _as[devfn]->as;
 }
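Review bot: The address-space name built by `snprintf(name, sizeof(name), "amd_iommu_devfn_%d", devfn)` encodes only the devfn, although `bus_num` is in scope and `s->address_spaces` is indexed per bus, so the same devfn on two buses yields two address spaces with an identical name in `info mtree` output. If matching intel-iommu's naming exactly is the goal, keep it and say so in a comment; otherwise `"amd_iommu_bus_%d_devfn_%d", bus_num, devfn` disambiguates them. `amdvi_host_dma_iommu` starts in the previous hunk.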
-- 
MST




[Qemu-devel] [PULL 01/28] virtio-blk: fix comment for virtio_blk_rw_complete

2018-10-23 Thread Michael S. Tsirkin
From: Yaowei Bai 

Here should be submit_requests, there is no submit_merged_requests
function.

Signed-off-by: Yaowei Bai 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/block/virtio-blk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 225fe44b7a..83cf5c01f9 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -97,8 +97,8 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
 
 if (req->qiov.nalloc != -1) {
 /* If nalloc is != 1 req->qiov is a local copy of the original
- * external iovec. It was allocated in submit_merged_requests
- * to be able to merge requests. */
+ * external iovec. It was allocated in submit_requests to be
+ * able to merge requests. */
 qemu_iovec_destroy(>qiov);
 }
 
-- 
MST




[Qemu-devel] [PULL 07/28] x86_iommu: move the kernel-irqchip check in common code

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

Interrupt remapping needs kernel-irqchip={off|split} on both Intel and AMD
platforms. Move the check in common place.

Signed-off-by: Brijesh Singh 
Reviewed-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/intel_iommu.c | 7 ---
 hw/i386/x86-iommu.c   | 9 +
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index f24ebfca1c..015a6fc492 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3262,13 +3262,6 @@ static bool vtd_decide_config(IntelIOMMUState *s, Error 
**errp)
 {
 X86IOMMUState *x86_iommu = X86_IOMMU_DEVICE(s);
 
-/* Currently Intel IOMMU IR only support "kernel-irqchip={off|split}" */
-if (x86_iommu->intr_supported && kvm_irqchip_in_kernel() &&
-!kvm_irqchip_is_split()) {
-error_setg(errp, "Intel Interrupt Remapping cannot work with "
- "kernel-irqchip=on, please use 'split|off'.");
-return false;
-}
 if (s->intr_eim == ON_OFF_AUTO_ON && !x86_iommu->intr_supported) {
 error_setg(errp, "eim=on cannot be selected without intremap=on");
 return false;
diff --git a/hw/i386/x86-iommu.c b/hw/i386/x86-iommu.c
index 8a01a2dd25..7440cb8d60 100644
--- a/hw/i386/x86-iommu.c
+++ b/hw/i386/x86-iommu.c
@@ -25,6 +25,7 @@
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "trace.h"
+#include "sysemu/kvm.h"
 
 void x86_iommu_iec_register_notifier(X86IOMMUState *iommu,
  iec_notify_fn fn, void *data)
@@ -94,6 +95,14 @@ static void x86_iommu_realize(DeviceState *dev, Error **errp)
 return;
 }
 
+/* Both Intel and AMD IOMMU IR only support "kernel-irqchip={off|split}" */
+if (x86_iommu->intr_supported && kvm_irqchip_in_kernel() &&
+!kvm_irqchip_is_split()) {
+error_setg(errp, "Interrupt Remapping cannot work with "
+ "kernel-irqchip=on, please use 'split|off'.");
+return;
+}
+
 if (x86_class->realize) {
 x86_class->realize(dev, errp);
 }
-- 
MST




[Qemu-devel] [PULL 13/28] i386: acpi: add IVHD device entry for IOAPIC

2018-10-23 Thread Michael S. Tsirkin
From: "Singh, Brijesh" 

When interrupt remapping is enabled, add a special IVHD device
(type IOAPIC).

Signed-off-by: Brijesh Singh 
Acked-by: Peter Xu 
Cc: Peter Xu 
Cc: "Michael S. Tsirkin" 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: Eduardo Habkost 
Cc: Marcel Apfelbaum 
Cc: Tom Lendacky 
Cc: Suravee Suthikulpanit 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/acpi-build.c | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 1599caa7c5..1ef396ddbb 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2467,9 +2467,12 @@ build_dmar_q35(GArray *table_data, BIOSLinker *linker)
  *   IVRS table as specified in AMD IOMMU Specification v2.62, Section 5.2
  *   accessible here http://support.amd.com/TechDocs/48882_IOMMU.pdf
  */
+#define IOAPIC_SB_DEVID   (uint64_t)PCI_BUILD_BDF(0, PCI_DEVFN(0x14, 0))
+
 static void
 build_amd_iommu(GArray *table_data, BIOSLinker *linker)
 {
+int ivhd_table_len = 28;
 int iommu_start = table_data->len;
 AMDVIState *s = AMD_IOMMU_DEVICE(x86_iommu_get_default());
 
@@ -2491,8 +2494,16 @@ build_amd_iommu(GArray *table_data, BIOSLinker *linker)
  (1UL << 6) | /* PrefSup  */
  (1UL << 7),  /* PPRSup   */
  1);
+
+/*
+ * When interrupt remapping is supported, we add a special IVHD device
+ * for type IO-APIC.
+ */
+if (x86_iommu_get_default()->intr_supported) {
+ivhd_table_len += 8;
+}
 /* IVHD length */
-build_append_int_noprefix(table_data, 28, 2);
+build_append_int_noprefix(table_data, ivhd_table_len, 2);
 /* DeviceID */
 build_append_int_noprefix(table_data, s->devid, 2);
 /* Capability offset */
@@ -2516,6 +2527,21 @@ build_amd_iommu(GArray *table_data, BIOSLinker *linker)
  */
 build_append_int_noprefix(table_data, 0x001, 4);
 
+/*
+ * Add a special IVHD device type.
+ * Refer to spec - Table 95: IVHD device entry type codes
+ *
+ * Linux IOMMU driver checks for the special IVHD device (type IO-APIC).
+ * See Linux kernel commit 'c2ff5cf5294bcbd7fa50f7d860e90a66db7e5059'
+ */
+if (x86_iommu_get_default()->intr_supported) {
+build_append_int_noprefix(table_data,
+ (0x1ull << 56) |   /* type IOAPIC */
+ (IOAPIC_SB_DEVID << 40) |  /* IOAPIC devid */
+ 0x48,  /* special device 
*/
+ 8);
+}
+
 build_header(linker, table_data, (void *)(table_data->data + iommu_start),
  "IVRS", table_data->len - iommu_start, 1, NULL, NULL);
 }
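Review bot: `IOAPIC_SB_DEVID`, defined in the first hunk as `(uint64_t)PCI_BUILD_BDF(0, PCI_DEVFN(0x14, 0))`, has no parentheses around the whole expansion; the cast binds tightly enough that `(IOAPIC_SB_DEVID << 40)` here is correct, but parenthesising the macro body, `#define IOAPIC_SB_DEVID ((uint64_t)PCI_BUILD_BDF(0, PCI_DEVFN(0x14, 0)))`, is the usual defensive convention and costs nothing. A short comment on why bus 0, slot 0x14, function 0 is the IO-APIC's device ID (a fixed south-bridge location, presumably) would also help the next reader, since the entry is what the guest driver keys on. `x86_iommu_get_default()->intr_supported` is read twice in the function; `s` is already derived from the same default device, so one lookup could serve both.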
-- 
MST




[Qemu-devel] [PULL 02/28] intel_iommu: introduce vtd_reset_caches()

2018-10-23 Thread Michael S. Tsirkin
From: Peter Xu 

Provide the function and use it in vtd_init().  Used to reset both
context entry cache and iotlb cache for the whole IOMMU unit.

Signed-off-by: Peter Xu 
Reviewed-by: Eric Auger 
Reviewed-by: Jason Wang 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/intel_iommu.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 3dfada19a6..1137861a9d 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -227,6 +227,14 @@ static void vtd_reset_iotlb(IntelIOMMUState *s)
 vtd_iommu_unlock(s);
 }
 
+static void vtd_reset_caches(IntelIOMMUState *s)
+{
+vtd_iommu_lock(s);
+vtd_reset_iotlb_locked(s);
+vtd_reset_context_cache_locked(s);
+vtd_iommu_unlock(s);
+}
+
 static uint64_t vtd_get_iotlb_key(uint64_t gfn, uint16_t source_id,
   uint32_t level)
 {
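Review bot: `vtd_reset_caches()` resets the IOTLB before the context cache, whereas the lines it replaces in `vtd_init()` (second hunk) did it in the opposite order. Both run under the same `vtd_iommu_lock` critical section so the observable effect is probably identical, but a silent reordering is easy to misread later; either keep the original order or mention in the commit message that the order is irrelevant. A one-line comment on the helper, `/* Drop both the context-entry cache and the IOTLB; takes the IOMMU lock. */`, would also document the locking.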
@@ -3160,10 +3168,7 @@ static void vtd_init(IntelIOMMUState *s)
 s->cap |= VTD_CAP_CM;
 }
 
-vtd_iommu_lock(s);
-vtd_reset_context_cache_locked(s);
-vtd_reset_iotlb_locked(s);
-vtd_iommu_unlock(s);
+vtd_reset_caches(s);
 
 /* Define registers with default values and bit semantics */
 vtd_define_long(s, DMAR_VER_REG, 0x10UL, 0, 0);
-- 
MST




[Qemu-devel] [PULL 04/28] intel_iommu: move ce fetching out when sync shadow

2018-10-23 Thread Michael S. Tsirkin
From: Peter Xu 

There are two callers for vtd_sync_shadow_page_table_range(): one
provided a valid context entry and one not.  Move that fetching
operation into the caller vtd_sync_shadow_page_table() where we need to
fetch the context entry.

Meanwhile, remove the error_report_once() directly since we're already
tracing all the error cases in the previous call.  Instead, return error
number back to caller.  This will not change anything functional since
callers are dropping it after all.

We do this move majorly because we want to do something more later in
vtd_sync_shadow_page_table().

Signed-off-by: Peter Xu 
Reviewed-by: Eric Auger 
Reviewed-by: Maxime Coquelin 
Reviewed-by: Michael S. Tsirkin 
Signed-off-by: Michael S. Tsirkin 
---
 hw/i386/intel_iommu.c | 41 +
 dtc   |  2 +-
 2 files changed, 14 insertions(+), 29 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 306708eb3b..25e54671f4 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -1045,7 +1045,6 @@ static int vtd_sync_shadow_page_hook(IOMMUTLBEntry *entry,
 return 0;
 }
 
-/* If context entry is NULL, we'll try to fetch it on our own. */
 static int vtd_sync_shadow_page_table_range(VTDAddressSpace *vtd_as,
 VTDContextEntry *ce,
 hwaddr addr, hwaddr size)
@@ -1057,39 +1056,25 @@ static int 
vtd_sync_shadow_page_table_range(VTDAddressSpace *vtd_as,
 .notify_unmap = true,
 .aw = s->aw_bits,
 .as = vtd_as,
+.domain_id = VTD_CONTEXT_ENTRY_DID(ce->hi),
 };
-VTDContextEntry ce_cache;
-int ret;
 
-if (ce) {
-/* If the caller provided context entry, use it */
-ce_cache = *ce;
-} else {
-/* If the caller didn't provide ce, try to fetch */
-ret = vtd_dev_to_context_entry(s, pci_bus_num(vtd_as->bus),
-   vtd_as->devfn, _cache);
-if (ret) {
-/*
- * This should not really happen, but in case it happens,
- * we just skip the sync for this time.  After all we even
- * don't have the root table pointer!
- */
-error_report_once("%s: invalid context entry for bus 0x%x"
-  " devfn 0x%x",
-  __func__, pci_bus_num(vtd_as->bus),
-  vtd_as->devfn);
-return 0;
-}
-}
-
-info.domain_id = VTD_CONTEXT_ENTRY_DID(ce_cache.hi);
-
-return vtd_page_walk(_cache, addr, addr + size, );
+return vtd_page_walk(ce, addr, addr + size, );
 }
 
 static int vtd_sync_shadow_page_table(VTDAddressSpace *vtd_as)
 {
-return vtd_sync_shadow_page_table_range(vtd_as, NULL, 0, UINT64_MAX);
+int ret;
+VTDContextEntry ce;
+
+ret = vtd_dev_to_context_entry(vtd_as->iommu_state,
+   pci_bus_num(vtd_as->bus),
+   vtd_as->devfn, );
+if (ret) {
+return ret;
+}
+
+return vtd_sync_shadow_page_table_range(vtd_as, , 0, UINT64_MAX);
 }
 
 /*
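Review bot: `vtd_sync_shadow_page_table_range()` now dereferences `ce->hi` in the `info` initializer, so `ce` must be non-NULL, yet the only comment that described the NULL case was removed in the previous hunk and nothing replaces it. A one-line precondition, `/* @ce must be a valid, caller-fetched context entry (never NULL). */`, keeps the contract explicit for the other caller the commit message mentions. The new `vtd_sync_shadow_page_table()` passes the raw negative fault code back to its callers; the commit message says they drop it, which cannot be verified from this hunk.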
diff --git a/dtc b/dtc
index 88f18909db..e54388015a 16
--- a/dtc
+++ b/dtc
@@ -1 +1 @@
-Subproject commit 88f18909db731a627456f26d779445f84e449536
+Subproject commit e54388015af1fb4bf04d0bca99caba1074d9cc42
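Review bot: The `dtc` submodule pointer is moved from 88f18909db to e54388015a in the same patch as the intel_iommu change, and neither the commit message nor the diffstat explanation mentions it. A submodule bump changes which third-party tree gets built and should travel in its own commit with a rationale, or be dropped from this one if it was picked up accidentally.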
-- 
MST




Re: [Qemu-devel] [RFC v1] block/NVMe: introduce a new vhost NVMe host device to QEMU

2018-10-23 Thread Michael S. Tsirkin
On Tue, Jan 16, 2018 at 06:06:56PM +0100, Paolo Bonzini wrote:
> Second, virtio-based vhost-user remains QEMU's preferred method for
> high-performance I/O in guests.  Discard support is missing and that is
> important for SSDs; that should be fixed in the virtio spec.

BTW could you reply on the thread of the patch
virtio_blk: add discard and write zeroes support

Christoph Hellwig thinks we should change the spec and defer
implementation until we do. What's your take on this?


-- 
MST



[Qemu-devel] [Bug 1798451] Re: HVF linux on OSX hangs 2nd time started after adding socket

2018-10-23 Thread Roman Bolshakov
Considering the fact that both Ubuntu and Elementary require SSE to
boot, I'd wait to get decoding fixed. I wrote a test kernel module that
reliably reproduces your issue on the qemu edu device. Whenever QEMU prints
'Unimplemented handler', the instruction pointer only moves two bytes further,
instead of by the instruction length. That corrupts code execution, as the
next instruction after the unimplemented handler is decoded from the wrong
address.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1798451

Title:
  HVF linux on OSX hangs 2nd time started after adding socket

Status in QEMU:
  New

Bug description:
  
  Robs-MacBook-Pro-2:~ robmaskell$ qemu-system-x86_64 --version
  QEMU emulator version 3.0.0

  Host: MacOS - 10.13.6
Model Name: MacBook Pro
Model Identifier:   MacBookPro14,3
Processor Name: Intel Core i7
Processor Speed:2.8 GHz
Number of Processors:   1
Total Number of Cores:  4
L2 Cache (per Core):256 KB
L3 Cache:   6 MB
Memory: 16 GB

  Guest OS: Elementary Linux Loki 0.4.1, patched up to date

  Command used to start QEMU:

  qemu-system-x86_64 \
-name ElementaryLokiDev \
-machine pc,accel=hvf \
-cpu max \
-smp cpus=2,sockets=2,cores=1,threads=1,maxcpus=2 \
-numa node,nodeid=0 \
-numa cpu,node-id=0,socket-id=0 -numa cpu,node-id=0,socket-id=1 \
-m 8G \
-vga vmware \
-hda e4.qcow2

  Symptoms: Started without the -smp / -numa commands to install the OS,
  then added -smp / -numa and the machine boots and lscpu reports extra
  cpu as expected. Restart VM and it hangs on startup. Remove -smp /
  -numa and machine starts again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1798451/+subscriptions



Re: [Qemu-devel] [PATCH 00/27] ACPI hardware-reduced support

2018-10-23 Thread Paolo Bonzini
On 22/10/2018 20:36, Samuel Ortiz wrote:
> This patch set implements support for the ACPI hardware-reduced
> specification.
> 
> The changes are coming from the NEMU [1] project where we're defining
> a new x86 machine type: i386/virt. This is an EFI only, ACPI
> hardware-reduced platform and as such we had to implement support
> for the latter.
> 
> As a preliminary for adding hardware-reduced support to QEMU, we did
> some ACPI code reorganization with the following goals:
> 
> * Share as much as possible of the current ACPI build APIs between
>   legacy and hardware-reduced ACPI.
> * Share the ACPI build code across machine types and architectures and
>   remove the typical PC machine type dependency.
>   Eventually we hope to see arm/virt also re-use much of that code.
> 
> The rest of the patchset adds the hardware-reduced support on top of
> this code reorganization. Here again, the implementation is machine
> type, platform and architecture independent.
> 
> [1] https://github.com/intel/nemu

I think the first part of the series is very valuable, and also the
FirmwareBuildMethods idea is good even though I have some comments on
how to model it in C.  It won't make it in 3.1, but I suppose you
expected that.

Including the second part in QEMU however would be premature, since it
is not used by anything.  As mentioned earlier, my suggestion is that
you convert the ARM virt machine type to FirmwareBuildMethods and
HW-reduced ACPI.  It shouldn't be a large amount of work and it should
let you reduce the ACPI delta between QEMU and NEMU.

Also, I would like to understand if you NEMU people are interested in
refactoring the ACPI builder code to move DSDT-building code closer to
the device, or perhaps have already done that.  For example, the
infamous floppy cannot be disabled right now because of the call to
isa_fdc_get_drive_type in hw/i386/acpi-build.c.  As I understand it,
your initial patches have the side effect of letting you bypass this
issue---because you don't include hw/i386/acpi-build.c in your virt
machine type.  That is totally fine, but of course it doesn't help if
you want to compile the floppy out of a QEMU that supports -M q35 but
not -M pc.  Therefore I would love to know that I'm wrong, or just that
you're planning to fix that too. :)

Paolo



Re: [Qemu-devel] [PATCH v2] piix_pci: change the i440fx data sheet link

2018-10-23 Thread Michael S. Tsirkin
On Thu, Oct 11, 2018 at 09:18:20AM -0700, Li Qiang wrote:
> Seems the intel link is unavailable, change it to qemu site.
> 
> Signed-off-by: Li Qiang 
> Reviewed-by: Philippe Mathieu-Daudé 

BTW you need to fix up your setup: patches you sent confuse git
am and other tools. Something to do with encoding.

> ---
>  hw/pci-host/piix.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
> index 0e608347c1..56a42055f1 100644
> --- a/hw/pci-host/piix.c
> +++ b/hw/pci-host/piix.c
> @@ -40,7 +40,7 @@
>  
>  /*
>   * I440FX chipset data sheet.
> - * http://download.intel.com/design/chipsets/datashts/29054901.pdf
> + * https://wiki.qemu.org/File:29054901.pdf
>   */
>  
>  #define I440FX_PCI_HOST_BRIDGE(obj) \
> -- 
> 2.17.1
> 
> 



Re: [Qemu-devel] [PATCH] vhost-user: fix qemu crash caused by failed backend

2018-10-23 Thread Michael S. Tsirkin
On Tue, Oct 02, 2018 at 01:54:25PM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Thu, Sep 27, 2018 at 7:37 PM Liang Li  wrote:
> >
> > During live migration, when stopping vhost-user device, 'vhost_dev_stop'
> > will be called, 'vhost_dev_stop' will call a batch of 'vhost_user_read'
> > and 'vhost_user_write'. If a previous 'vhost_user_read' or 
> > 'vhost_user_write'
> > failed because the vhost user backend failed, the 'CHR_EVENT_CLOSED' event
> > will be triggerd, followed by the call chain 
> > chr_closed_bh()->vhost_user_stop()->
> > vhost_net_cleanup()->vhost_dev_cleanup()
> >
> > vhost_dev_cleanup will clear vhost_dev struct, so the later 
> > 'vhost_user_read'
> > or 'vhost_user_read' will reference null pointer and cause qemu crash
> 
> Do you have a backtrace to help understand the issue?
> thanks


Marc-André you forgot to Cc the contributor with your question.
Liang Li, could you please answer Marc-André?
It is unfortunate that we need more state; maybe there
is a way to avoid that.

Thanks!

> >
> > Signed-off-by: Liang Li 
> > ---
> >  hw/net/vhost_net.c|  6 ++
> >  hw/virtio/vhost-user.c| 15 +--
> >  include/hw/virtio/vhost.h |  1 +
> >  include/net/vhost_net.h   |  1 +
> >  net/vhost-user.c  |  3 +++
> >  5 files changed, 24 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
> > index e037db6..77994e9 100644
> > --- a/hw/net/vhost_net.c
> > +++ b/hw/net/vhost_net.c
> > @@ -113,6 +113,11 @@ uint64_t vhost_net_get_features(struct vhost_net *net, 
> > uint64_t features)
> >  features);
> >  }
> >
> > +void vhost_net_mark_break_down(struct vhost_net *net)
> > +{
> > +net->dev.break_down = true;
> > +}
> > +
> >  void vhost_net_ack_features(struct vhost_net *net, uint64_t features)
> >  {
> >  net->dev.acked_features = net->dev.backend_features;
> > @@ -156,6 +161,7 @@ struct vhost_net *vhost_net_init(VhostNetOptions 
> > *options)
> >  net->dev.max_queues = 1;
> >  net->dev.nvqs = 2;
> >  net->dev.vqs = net->vqs;
> > +net->dev.break_down = false;
> >
> >  if (backend_kernel) {
> >  r = vhost_net_get_fd(options->net_backend);
> > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
> > index b041343..1394719 100644
> > --- a/hw/virtio/vhost-user.c
> > +++ b/hw/virtio/vhost-user.c
> > @@ -213,14 +213,20 @@ static bool ioeventfd_enabled(void)
> >  static int vhost_user_read(struct vhost_dev *dev, VhostUserMsg *msg)
> >  {
> >  struct vhost_user *u = dev->opaque;
> > -CharBackend *chr = u->user->chr;
> > +CharBackend *chr;
> >  uint8_t *p = (uint8_t *) msg;
> >  int r, size = VHOST_USER_HDR_SIZE;
> >
> > +if (dev->break_down) {
> > +goto fail;
> > +}
> > +
> > +chr = u->user->chr;
> >  r = qemu_chr_fe_read_all(chr, p, size);
> >  if (r != size) {
> >  error_report("Failed to read msg header. Read %d instead of %d."
> >   " Original request %d.", r, size, msg->hdr.request);
> > +dev->break_down = true;
> >  goto fail;
> >  }
> >
> > @@ -299,9 +305,12 @@ static int vhost_user_write(struct vhost_dev *dev, 
> > VhostUserMsg *msg,
> >  int *fds, int fd_num)
> >  {
> >  struct vhost_user *u = dev->opaque;
> > -CharBackend *chr = u->user->chr;
> > +CharBackend *chr;
> >  int ret, size = VHOST_USER_HDR_SIZE + msg->hdr.size;
> >
> > +if (dev->break_down) {
> > +return -1;
> > +}
> >  /*
> >   * For non-vring specific requests, like VHOST_USER_SET_MEM_TABLE,
> >   * we just need send it once in the first time. For later such
> > @@ -312,6 +321,7 @@ static int vhost_user_write(struct vhost_dev *dev, 
> > VhostUserMsg *msg,
> >  return 0;
> >  }
> >
> > +chr = u->user->chr;
> >  if (qemu_chr_fe_set_msgfds(chr, fds, fd_num) < 0) {
> >  error_report("Failed to set msg fds.");
> >  return -1;
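Review bot: `vhost_user_write` marks `dev->break_down` when `qemu_chr_fe_write_all` fails (next hunk) but not when `qemu_chr_fe_set_msgfds` fails at the `return -1;` just after the added `chr = u->user->chr;`, so if a failure to attach fds is meant to count as the backend being gone, that path is retried on the next call instead of being short-circuited like the read path. Setting the flag there too, `dev->break_down = true;` before the `return -1;`, keeps the failure paths consistent; if it is deliberately excluded, a one-line comment saying why would prevent the question coming up again. The enclosing function starts in the previous hunk.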
> > @@ -319,6 +329,7 @@ static int vhost_user_write(struct vhost_dev *dev, 
> > VhostUserMsg *msg,
> >
> >  ret = qemu_chr_fe_write_all(chr, (const uint8_t *) msg, size);
> >  if (ret != size) {
> > +dev->break_down = true;
> >  error_report("Failed to write msg."
> >   " Wrote %d instead of %d.", ret, size);
> >  return -1;
> > diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h
> > index a7f449f..86d0dc5 100644
> > --- a/include/hw/virtio/vhost.h
> > +++ b/include/hw/virtio/vhost.h
> > @@ -74,6 +74,7 @@ struct vhost_dev {
> >  bool started;
> >  bool log_enabled;
> >  uint64_t log_size;
> > +bool break_down;
> >  Error *migration_blocker;
> >  const VhostOps *vhost_ops;
> >  void *opaque;
> > diff --git a/include/net/vhost_net.h b/include/net/vhost_net.h
> > index 77e4739..06f2c08 100644
> > --- a/include/net/vhost_net.h
> > +++ b/include/net/vhost_net.h
> > @@ -27,6 +27,7 @@ void 

Re: [Qemu-devel] [PATCH v2] lsi: Reselection needed to remove pending commands from queue

2018-10-23 Thread Paolo Bonzini
On 24/10/2018 00:11, George Kennedy wrote:
>>>
>> What about "req->hba_private != s->current"?  That should cause a call
>> to lsi_queue_req, and then you can check s->want_resel in lsi_queue_req.
> 
> For the extended period of time where lsi_queue_req() is not being
> called from lsi_transfer_data(), my debug shows "s->waiting" is not "1"
> and req->hba_private is equal to s->current.

That would mean indeed that no reselection is needed---but that's wrong.

Why didn't lsi_do_command invoke lsi_queue_command?  That would set
s->current to NULL (on the SCSI level, that means the bus is freed; on
the QEMU level, the idea is that lsi_transfer_data would then start a
reselection).

Thanks,

Paolo

> req->hba_private is set to NULL in lsi_command_complete() and that's
> where I tried to add a call to lsi_reselect(), but the Scripts are not
> in the correct state to allow the call.
> 
> lsi_transfer_data() or lsi_command_complete() are probably the 2
> potential places where a fix could be added if the Script state would
> allow it.




Re: [Qemu-devel] [PATCH 18/26] hw: acpi: Initial hardware-reduced support

2018-10-23 Thread Paolo Bonzini
On 22/10/2018 20:36, Samuel Ortiz wrote:
> +
> +static void acpi_reduced_build_update(void *build_opaque)
> +{
> +MachineState *ms = MACHINE(build_opaque);
> +AcpiBuildState *build_state = ms->firmware_build_state.acpi.state;
> +AcpiConfiguration *conf = ms->firmware_build_state.acpi.conf;
> +AcpiBuildTables tables;
> +
> +/* No ACPI configuration? Nothing to do. */
> +if (!conf) {
> +return;
> +}
> +
> +/* No state to update or already patched? Nothing to do. */
> +if (!build_state || build_state->patched) {
> +return;
> +}
> +build_state->patched = true;
> +
> +acpi_build_tables_init();
> +
> +acpi_reduced_build(ms, , conf);
> +
> +acpi_ram_update(build_state->table_mr, tables.table_data);
> +acpi_ram_update(build_state->rsdp_mr, tables.rsdp);
> +acpi_ram_update(build_state->linker_mr, tables.linker->cmd_blob);
> +
> +acpi_build_tables_cleanup(, true);
> +}
> +

ms is not needed here; just pass the FirmwareBuildState as the opaque
value in rom_add_blob.

In fact, here:

> +AcpiBuildState *build_state;
> +
> +build_state = g_malloc0(sizeof(*build_state));
> +machine->firmware_build_state.acpi.state = build_state;
> +machine->firmware_build_state.acpi.conf = conf;
> +

I would say that you don't need FirmwareBuildState at all.  I cannot be
100% sure because I cannot see the caller of acpi_reduced_setup, but I
think you can add an AcpiConfiguration* field to AcpiBuildState and
encapsulate everything in AcpiBuildState.  In addition, the
AcpiBuildState need not be stored in the MachineState.

Instead, FirmwareBuildMethods should be a QOM interface (also please
refer explicitly to ACPI in the names, don't call it "firmware").  The
setup method of FirmwareBuildMethods can take that QOM interface, not
the MachineState, i.e. its prototype should be

void (*setup)(AcpiBuildMethods *acpibuild,
  AcpiConfiguration *conf);

so that pc_machine_done does

if (pcms->acpi_build_enabled) {
acpi_conf_pc_init(pcms);
/* This calls the ->setup method.  */
acpi_builder_setup(ACPI_BUILD_METHODS(pcms),
   >acpi_configuration);
}

This is because MachineClass is used for dozens of machines that have
nothing to do with ACPI.  Instead, machines that use ACPI (either reduced
or normal) can define the AcpiBuildMethods interface, and invoke the
entry point firmware_build_methods->setup (either acpi_setup or
acpi_reduced_setup) through acpi_builder_setup.

Paolo



Re: [Qemu-devel] [PATCH 01/26] hw: i386: Decouple the ACPI build from the PC machine type

2018-10-23 Thread Paolo Bonzini
On 22/10/2018 20:36, Samuel Ortiz wrote:
> +static void acpi_conf_pc_init(MachineState *machine)

This should take a PCMachineState*, since you never use "machine" except
for downcasting.

Paolo

> +{
> +PCMachineState *pcms = PC_MACHINE(machine);
> +PCMachineClass *pcmc = PC_MACHINE_GET_CLASS(machine);
> +AcpiConfiguration *conf = >acpi_configuration;
> +
> +/* Machine class settings */
> +conf->legacy_acpi_table_size = pcmc->legacy_acpi_table_size;
> +conf->legacy_cpu_hotplug = pcmc->legacy_cpu_hotplug;
> +conf->rsdp_in_ram = pcmc->rsdp_in_ram;
> +
> +/* ACPI build state */
> +conf->build_state = NULL;
> +}
> +




Re: [Qemu-devel] [PATCH 17/26] hw: i386: Convert PC machine type to firmware build methods

2018-10-23 Thread Paolo Bonzini
On 22/10/2018 20:36, Samuel Ortiz wrote:
> +/* Firmware building handler */
> +mc->firmware_build_methods.acpi.madt = build_madt;
> +mc->firmware_build_methods.acpi.rsdp = build_rsdp_rsdt;
> +mc->firmware_build_methods.acpi.setup = acpi_setup;
> +mc->firmware_build_methods.acpi.mcfg = build_mcfg;
> +mc->firmware_build_methods.acpi.srat = build_srat;
> +mc->firmware_build_methods.acpi.slit = build_slit;
> +

mc->firmware_build_methods.acpi.setup is not called anywhere, as far as
I can see?

Paolo



Re: [Qemu-devel] [PATCH v8 00/38] target/mips: Limited support for the R5900

2018-10-23 Thread Maciej W. Rozycki
Hi Fredrik,

> > target/mips/translate.c:4888:38: error: passing argument 3 of
> > ‘tcg_gen_add2_i32’ from incompatible pointer type
> > [-Werror=incompatible-pointer-types]
> >  tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3);
> >   ^~
> 
> Would you know if any MIPS ISA have LO and HI registers that are not
> 32-bit? In QEMU they can obviously be either 32-bit or 64-bit, which
> causes the compilation error here.

 Actually with all 64-bit MIPS ISAs HI/LO are a pair of 64-bit registers, 
that is with MIPS III, MIPS IV, and then MIPS64 R1 to R5 ISAs (base R6 ISA 
removed the MD accumulator, although it has been retained along with the 3 
other ones in the DSP ASE).

 The R5900 CPU is an oddball here, having no 64-bit multiply or divide 
instructions, however documentation indicates these registers are still 
64-bit as far as the base instruction set is concerned, i.e. it says you 
can actually write the upper halves with any bit patterns explicitly with 
the MTHI and MTLO instructions.  And then they're really 128-bit as far as 
the full instruction set of the R5900 is concerned, for all the pipeline 1 
MD instructions operate on bits 95:64 and some MMI instructions operate on 
the full 128-bit width of the accumulator.

 Interestingly enough architecturally trying to use HI/LO values that are 
not properly sign-extended 32-bit numbers does not make the operation of 
32-bit multiply-accumulate instructions unpredictable, as they are 
specified to simply ignore the upper 32 bits of a 64-bit value contained 
there, and the TX79 manual follows.

 This is unlike with the GPR inputs to all MD instructions, which 
architecturally have to be sign-extended.  Contrariwise, the TX79 manual 
says that GPR inputs to the unsigned variants of MD instructions have to 
be zero-extended, and I do hope this is just an editorial mistake and 
hardware does not follow (especially as the description of MULTU on page 
A-87 disagrees in this regard with one on page B-25, and all the relevant
pseudocode operation specifications consistently use NotWordValue as the 
input validation condition, although that has been nowhere actually 
formally defined).  Otherwise lots of software would break and you'd have 
to use a DSLL32/DSRL32 instruction pair every time before feeding the 
result of other 32-bit calculations to those instructions.

 BTW, notice that the pseudocode operation specification of the TX79 MD 
instructions does clearly indicate the sign-extension of output HI/LO 
contents, e.g. for MULTU we have:

prod <- (0 || GPR[rs]31..0) * (0 || GPR[rt]31..0)
LO63..0  <- (prod 31)32 || prod31..0
HI63..0  <- (prod 63)32 || prod63..32
GPR[rd]63..0 <- (prod 31)32 || prod31..0

 HTH,

  Maciej



Re: [Qemu-devel] [PATCH v4 0/2] intel_iommu: better handling of dmar state switch

2018-10-23 Thread Peter Xu
Hi, Michael,

Just a kind reminder that this series has got enough ACKs and please
consider to merge it in your next pull.  Thanks!

On Sat, Sep 29, 2018 at 11:36:13AM +0800, Peter Xu wrote:
> v4:
> - add a patch to introduce vtd_reset_caches()
> - reset the caches in the two places where GCMD update happens [Eric]
> 
> Please review, thanks.
> 
> Peter Xu (2):
>   intel_iommu: introduce vtd_reset_caches()
>   intel_iommu: better handling of dmar state switch
> 
>  hw/i386/intel_iommu.c | 34 +++---
>  1 file changed, 23 insertions(+), 11 deletions(-)
> 
> -- 
> 2.17.1
> 

Regards,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH 18/26] hw: acpi: Initial hardware-reduced support

2018-10-23 Thread Paolo Bonzini
On 22/10/2018 20:36, Samuel Ortiz wrote:
> We build a minimal set of ACPI hardware-reduced tables: XSDT,
> FADT, MADT and a DSDT pointed by a RSDP.
> The DSDT only contains one PCI host bridge for now.
> 
> This API will be consumed by new x86 machine type but also potentially
> by the ARM virt one.
> 
> Cc: "Michael S. Tsirkin" 
> Cc: Igor Mammedov 
> Signed-off-by: Samuel Ortiz 

Do not include patches that essentially add dead code.  It is nice to
have hardware-reduced support, but if you want to contribute it you need
to add a user as well, for example the ARM virt machine type.

In fact, using it in the ARM virt machine type is a no-brainer, so doing
that change (even if it's not yet part of NEMU) would be an excellent
way to reduce your delta, without going through the process of
convincing QEMU maintainers of the advantages of your new x86 machine type.

Paolo



Re: [Qemu-devel] [PATCH v3 0/2] intel_iommu: handle invalid ce for shadow sync

2018-10-23 Thread Peter Xu
Hi, Michael,

Just a kind reminder that this series has got enough ACKs and please
consider to merge it in your next pull.  Thanks!

On Tue, Oct 09, 2018 at 03:45:41PM +0800, Peter Xu wrote:
> v3:
> - pick r-b
> - return when -VTD_FR_CONTEXT_ENTRY_P is detected (v1 is correct here,
>   but I did wrong thing when splitting the patch in v2) [Eric]
> 
> v2:
> - split patch into more, remove useless comment [Eric]
> - remove one error_report_once() when rework the code [Jason]
> 
> This series fixes a QEMU crash reported here:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1627272
> 
> Please review, thanks.
> 
> Peter Xu (2):
>   intel_iommu: move ce fetching out when sync shadow
>   intel_iommu: handle invalid ce for shadow sync
> 
>  dtc   |  2 +-
>  hw/i386/intel_iommu.c | 55 +++
>  2 files changed, 30 insertions(+), 27 deletions(-)
> 
> -- 
> 2.17.1
> 

Regards,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v2] lsi: Reselection needed to remove pending commands from queue

2018-10-23 Thread George Kennedy




On 10/23/2018 5:50 PM, Paolo Bonzini wrote:

On 23/10/2018 23:36, George Kennedy wrote:


On 10/23/2018 10:33 AM, Paolo Bonzini wrote:

On 22/10/2018 23:28, George Kennedy wrote:

As you suggested I moved the loading of "s->resel_dsp" down to the
"Wait Reselect"
case. The address of the Reselection Scripts, though, is contained in
"s->dsp - 8"
and not in s->dnad.

Are you sure?  s->dsp - 8 should be the address of the Wait Reselect
instruction itself.  But you're right that s->dnad is the address at
which to jump "if the LSI53C895A is selected before being reselected"
(as the spec puts it) so the reselection DSP should be just s->dsp.

See within the 1st 25 lines of lsi_execute_script() where dsp is bumped
up by 8, "s->dsp += 8", so it needs to be adjusted back to what it was.

The spec says "If the LSI53C895A is reselected, it fetches the next
instruction from the address pointed to by the DMA
SCRIPTS Pointer (DSP) register".  The first instruction of the
reselection scripts is the one after WAIT RESELECT, i.e. s->dsp.



Reselection should only happen when the target needs access to the bus,
which is when I/O has finished.  There should be no need for such a
deadline; reselection should already be happening at the right time when
lsi_transfer_data calls lsi_queue_req, which in turn calls lsi_reselect.

Agree that it should happen as you describe, but under heavy IO (fio),
it does not.

When it works as expected the check for "s->waiting == 1" (Wait Reselect
instruction has been issued) in lsi_transfer_data() is true. Under heavy
IO, s->waiting is not "1" for an extended period of time

What about "req->hba_private != s->current"?  That should cause a call
to lsi_queue_req, and then you can check s->want_resel in lsi_queue_req.


For the extended period of time where lsi_queue_req() is not being 
called from lsi_transfer_data(), my debug shows "s->waiting" is not "1" 
and req->hba_private is equal to s->current.


req->hba_private is set to NULL in lsi_command_complete() and that's 
where I tried to add a call to lsi_reselect(), but the Scripts are not 
in the correct state to allow the call.


lsi_transfer_data() or lsi_command_complete() are probably the 2 
potential places where a fix could be added if the Script state would 
allow it.



I am not strongly attached to my proposed fix. If an alternative fix can
be suggested, I'd be more than willing to try that.

The problem is that the timeout has no explanation under the SCSI
protocol, so I would like to understand where the logic is wrong in the
Parallel SCSI emulation.


Agreed. That's why I'm hoping for an alternate fix.

Thank you,
George


Paolo





Re: [Qemu-devel] [PATCH v2] lsi: Reselection needed to remove pending commands from queue

2018-10-23 Thread Paolo Bonzini
On 23/10/2018 23:36, George Kennedy wrote:
> 
> 
> On 10/23/2018 10:33 AM, Paolo Bonzini wrote:
>> On 22/10/2018 23:28, George Kennedy wrote:
>>> As you suggested I moved the loading of "s->resel_dsp" down to the
>>> "Wait Reselect"
>>> case. The address of the Reselection Scripts, though, is contained in
>>> "s->dsp - 8"
>>> and not in s->dnad.
>> Are you sure?  s->dsp - 8 should be the address of the Wait Reselect
>> instruction itself.  But you're right that s->dnad is the address at
>> which to jump "if the LSI53C895A is selected before being reselected"
>> (as the spec puts it) so the reselection DSP should be just s->dsp.
> 
> See within the 1st 25 lines of lsi_execute_script() where dsp is bumped
> up by 8, "s->dsp += 8", so it needs to be adjusted back to what it was.

The spec says "If the LSI53C895A is reselected, it fetches the next
instruction from the address pointed to by the DMA
SCRIPTS Pointer (DSP) register".  The first instruction of the
reselection scripts is the one after WAIT RESELECT, i.e. s->dsp.


>> Reselection should only happen when the target needs access to the bus,
>> which is when I/O has finished.  There should be no need for such a
>> deadline; reselection should already be happening at the right time when
>> lsi_transfer_data calls lsi_queue_req, which in turn calls lsi_reselect.
> Agree that it should happen as you describe, but under heavy IO (fio),
> it does not.
> 
> When it works as expected the check for "s->waiting == 1" (Wait Reselect
> instruction has been issued) in lsi_transfer_data() is true. Under heavy
> IO, s->waiting is not "1" for an extended period of time

What about "req->hba_private != s->current"?  That should cause a call
to lsi_queue_req, and then you can check s->want_resel in lsi_queue_req.

> I am not strongly attached to my proposed fix. If an alternative fix can
> be suggested, I'd be more than willing to try that.

The problem is that the timeout has no explanation under the SCSI
protocol, so I would like to understand where the logic is wrong in the
Parallel SCSI emulation.

Paolo



[Qemu-devel] [PATCH] vl: Avoid crash when -mon is underspecified

2018-10-23 Thread Eric Blake
A quick coredump on an incomplete command line:
./x86_64-softmmu/qemu-system-x86_64 -mon mode=control,pretty=on

 #0  0x7723d9e4 in g_str_hash () at /lib64/libglib-2.0.so.0
 #1  0x7723ce38 in g_hash_table_lookup () at /lib64/libglib-2.0.so.0
 #2  0x55cc0073 in object_class_property_find (klass=0x566a94b0, 
name=0x0, errp=0x0) at qom/object.c:1135
 #3  0x55cc004b in object_class_property_find (klass=0x566a9440, 
name=0x0, errp=0x0) at qom/object.c:1129
 #4  0x55cbfe6e in object_property_find (obj=0x568348c0, name=0x0, 
errp=0x0) at qom/object.c:1080
 #5  0x55cc183d in object_resolve_path_component 
(parent=0x568348c0, part=0x0) at qom/object.c:1762
 #6  0x55d82071 in qemu_chr_find (name=0x0) at chardev/char.c:802
 #7  0x559d77cb in mon_init_func (opaque=0x0, opts=0x566b65a0, 
errp=0x0) at vl.c:2291

Fix it to instead fail gracefully.

Signed-off-by: Eric Blake 
---
 vl.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/vl.c b/vl.c
index 4e25c78bff0..2ed8672eb79 100644
--- a/vl.c
+++ b/vl.c
@@ -2288,6 +2288,10 @@ static int mon_init_func(void *opaque, QemuOpts *opts, 
Error **errp)
 }

 chardev = qemu_opt_get(opts, "chardev");
+if (!chardev) {
+error_report("chardev is required");
+exit(1);
+}
 chr = qemu_chr_find(chardev);
 if (chr == NULL) {
 error_report("chardev \"%s\" not found", chardev);
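Review bot: The added guard reports and calls `exit(1)` instead of using the `Error **errp` parameter that mon_init_func takes, which matches the existing `chardev "%s" not found` branch right below it but leaves the caller no way to recover; since the backtrace shows errp is NULL here anyway, switching both branches to `error_setg(errp, ...)` plus `return -1` would have to be a separate conversion rather than part of this crash fix. As far as the hunk shows, nothing in the message ties the failure to the -mon option the user mistyped, so `error_report("-mon: 'chardev' is required");` would point them at the right argument. mon_init_func's body starts and ends outside the hunk.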
-- 
2.17.2




Re: [Qemu-devel] [PATCH] vl: Avoid crash when -mon is underspecified

2018-10-23 Thread Paolo Bonzini
On 23/10/2018 23:35, Eric Blake wrote:
> A quick coredump on an incomplete command line:
> ./x86_64-softmmu/qemu-system-x86_64 -mon mode=control,pretty=on
> 
>  #0  0x7723d9e4 in g_str_hash () at /lib64/libglib-2.0.so.0
>  #1  0x7723ce38 in g_hash_table_lookup () at /lib64/libglib-2.0.so.0
>  #2  0x55cc0073 in object_class_property_find (klass=0x566a94b0, 
> name=0x0, errp=0x0) at qom/object.c:1135
>  #3  0x55cc004b in object_class_property_find (klass=0x566a9440, 
> name=0x0, errp=0x0) at qom/object.c:1129
>  #4  0x55cbfe6e in object_property_find (obj=0x568348c0, 
> name=0x0, errp=0x0) at qom/object.c:1080
>  #5  0x55cc183d in object_resolve_path_component 
> (parent=0x568348c0, part=0x0) at qom/object.c:1762
>  #6  0x55d82071 in qemu_chr_find (name=0x0) at chardev/char.c:802
>  #7  0x559d77cb in mon_init_func (opaque=0x0, opts=0x566b65a0, 
> errp=0x0) at vl.c:2291
> 
> Fix it to instead fail gracefully.
> 
> Signed-off-by: Eric Blake 
> ---
>  vl.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/vl.c b/vl.c
> index 4e25c78bff0..2ed8672eb79 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -2288,6 +2288,10 @@ static int mon_init_func(void *opaque, QemuOpts *opts, 
> Error **errp)
>  }
> 
>  chardev = qemu_opt_get(opts, "chardev");
> +if (!chardev) {
> +error_report("chardev is required");
> +exit(1);
> +}
>  chr = qemu_chr_find(chardev);
>  if (chr == NULL) {
>  error_report("chardev \"%s\" not found", chardev);
> 

Reviewed-by: Paolo Bonzini 



Re: [Qemu-devel] [PATCH v2] lsi: Reselection needed to remove pending commands from queue

2018-10-23 Thread George Kennedy




On 10/23/2018 10:33 AM, Paolo Bonzini wrote:

On 22/10/2018 23:28, George Kennedy wrote:

As you suggested I moved the loading of "s->resel_dsp" down to the
"Wait Reselect" case. The address of the Reselection Scripts, though, is
contained in "s->dsp - 8" and not in s->dnad.

Are you sure?  s->dsp - 8 should be the address of the Wait Reselect
instruction itself.  But you're right that s->dnad is the address at
which to jump "if the LSI53C895A is selected before being reselected"
(as the spec puts it) so the reselection DSP should be just s->dsp.


See within the 1st 25 lines of lsi_execute_script() where dsp is bumped 
up by 8, "s->dsp += 8", so it needs to be adjusted back to what it was.





The reason the timeout is needed is that under heavy IO some pending commands
stay on the pending queue longer than the 30 second command timeout set by the
linux upper layer scsi driver (sym53c8xx). When command timeouts occur, the
upper layer scsi driver sends SCSI Abort messages to remove the timed out
commands. The command timeouts are caused by the fact that under heavy IO,
lsi_reselect() in qemu "hw/scsi/lsi53c895a.c" is not being called before the
upper layer scsi driver 30 second command timeout goes off.

If lsi_reselect() were called more frequently, the command timeout problem would
probably not occur. There are a number of places where lsi_reselect() is 
supposed
to get called (e.g. at the end of lsi_update_irq()), but the only place that I
have observed lsi_reselect() being called is from lsi_execute_script() when
lsi_wait_reselect() is called because of a SCRIPT "Wait Select" IO Instruction.

Reselection should only happen when the target needs access to the bus,
which is when I/O has finished.  There should be no need for such a
deadline; reselection should already be happening at the right time when
lsi_transfer_data calls lsi_queue_req, which in turn calls lsi_reselect.
Agree that it should happen as you describe, but under heavy IO (fio), 
it does not.


When it works as expected the check for "s->waiting == 1" (Wait Reselect 
instruction has been issued) in lsi_transfer_data() is true. Under heavy 
IO, s->waiting is not "1" for an extended period of time and 
lsi_queue_req() does not get called, which leaves any pending commands 
"stuck" on the queue because lsi_reselect() does not get called.


The Scripts are the only place where lsi_wait_reselect() is called and 
the only place where "s->waiting = 1" is set. So, the delay in getting a 
Scripts Wait Reselect command is the root cause of the problem.


The check in lsi_transfer_data() where it decides whether to call 
lsi_queue_req() is probably the preferred place to add a fix, but I have 
not been able to come up with a fix here that does not run into problems 
because of Script state.


Maybe many of the places that call lsi_irq_on_rsl(s) also need to check
s->want_resel?


I've added debug to all the places where lsi_reselect() should be 
called, but under heavy IO lsi_reselect() does not get called for a 
period of time exceeding the upper layer's 30 second command timeout, 
hence the need for the patch which injects a Scripts Wait Reselect IO 
command.


My test setup consists of 5 remote iscsi disks. Here are the fio write 
arguments, which show the problem:


[global]
bs=256k
iodepth=2
direct=1
ioengine=libaio
randrepeat=0
group_reporting
time_based
runtime=60
numjobs=40
name=test
rw=write

[job1]
filename=/dev/sda
filename=/dev/sdb
filename=/dev/sdc
filename=/dev/sdd
filename=/dev/sde


I am not strongly attached to my proposed fix. If an alternative fix can 
be suggested, I'd be more than willing to try that.


Thank you,
George



Paolo






Re: [Qemu-devel] [PATCH v2] s390x/pci: add common fmb

2018-10-23 Thread Cornelia Huck
On Mon, 22 Oct 2018 13:17:34 +0100
Thomas Huth  wrote:

> On 2018-10-22 10:02, Yi Min Zhao wrote:
> > Common function measurement block is used to report counters of
> > successfully issued pcilg/stg/stb and rpcit instructions. This patch
> > introduces a new struct ZpciFmb and schedules a timer callback to
> > copy fmb to the guest memory at an interval which is set to
> > 4s by default. If an attempt to update the fmb fails, an error event
> > is generated. After pcilg/stg/stb and rpcit interception
> > handlers issue successfully, increase the related counter. The guest
> > could pass null address to switch off FMB and stop corresponding
> > timer.
> > 
> > Signed-off-by: Yi Min Zhao 
> > Reviewed-by: Pierre Morel 
> > ---  
> [...]
> > +static int fmb_do_update(S390PCIBusDevice *pbdev, uint8_t offset, int len)
> > +{
> > +MemTxResult ret;
> > +
> > +ret = address_space_write(_space_memory,
> > +  pbdev->fmb_addr + (uint64_t)offset,
> > +  MEMTXATTRS_UNSPECIFIED,
> > +  (uint8_t *)>fmb + offset,
> > +  len);
> > +if (ret) {
> > +s390_pci_generate_error_event(ERR_EVENT_FMBA, pbdev->fh, 
> > pbdev->fid,
> > +  pbdev->fmb_addr, 0);
> > +fmb_timer_free(pbdev);
> > +}
> > +
> > +return ret;
> > +}
> > +
> > +static void fmb_update(void *opaque)
> > +{
> > +S390PCIBusDevice *pbdev = opaque;
> > +int64_t t = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
> > +uint8_t offset = offsetof(ZpciFmb, last_update);
> > +
> > +/* Update U bit */
> > +pbdev->fmb.last_update |= UPDATE_U_BIT;
> > +if (fmb_do_update(pbdev, offset, sizeof(uint64_t))) {
> > +return;
> > +}
> > +
> > +/* Update FMB counters */
> > +pbdev->fmb.sample++;
> > +if (fmb_do_update(pbdev, 0, sizeof(ZpciFmb))) {
> > +return;
> > +}
> > +
> > +/* Clear U bit and update the time */
> > +pbdev->fmb.last_update = 
> > time2tod(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
> > +pbdev->fmb.last_update &= ~UPDATE_U_BIT;
> > +if (fmb_do_update(pbdev, offset, sizeof(uint64_t))) {
> > +return;
> > +}
> > +
> > +timer_mod(pbdev->fmb_timer, t + DEFAULT_MUI);
> > +}  
> 
> Sorry for not noticing this in v1 already, but is this code endianness-safe?
> I.e. can this also work with qemu-system-s390x running with TCG on a x86
> host? I think you might have to use something like this here instead:
> 
>   pbdev->fmb.sample = cpu_to_be32(be32_to_cpu(pbdev->fmb.sample) + 1);
> 
> etc.

Agreed, that may need some endianness handling.

I would test this with tcg on a LE host, but how can I verify this? Yi
Min, do you have some kind of test tooling you can share?



Re: [Qemu-devel] [PATCH] qemu-iotests: convert `pwd` and $(pwd) to $PWD

2018-10-23 Thread Eric Blake

On 10/22/18 2:48 PM, Mao Zhongyi wrote:

The subject line says "what", but the commit body should say "why".  My 
suggestion:


POSIX requires $PWD to be reliable, and we expect all shells used by 
qemu scripts to be relatively close to POSIX.  Thus, it is smarter to 
avoid forking the pwd executable for something that is already available 
in the environment.




If it was done mechanically, it may also help to capture the command you 
used to drive the change (sed or otherwise), to make it easier for 
someone backporting this patch to rerun the same steps to regenerate the 
patch for a different set of files on the backport.



Suggested-by: Eric Blake 
Signed-off-by: Mao Zhongyi 
---



+++ b/tests/qemu-iotests/001
@@ -24,7 +24,7 @@ owner=h...@lst.de
  seq=`basename $0`
  echo "QA output created by $seq"
  
-here=`pwd`

+here=$PWD


As this is a mechanical search-and-replace, this is fine.  However,
 git grep '\$here' tests/qemu-iotests
has 0 hits, which means we are setting a variable that has no use.  A 
good followup patch would be to delete all of the 'here=...' lines as 
dead code. Or even do that first, and then this patch second, for less 
churn.



+++ b/tests/qemu-iotests/check
@@ -80,17 +80,17 @@ _full_imgfmt_details()
  
  _full_platform_details()

  {
-os=`uname -s`
-host=`hostname -s`
-kernel=`uname -r`
-platform=`uname -m`
+os=$(uname -s)
+host=$(hostname -s)
+kernel=$(uname -r)
+platform=$(uname -m)
  echo "$os/$platform $host $kernel"


These changes are unrelated to the commit subject. Please split them 
into a separate commit...



  }
  
  # $1 = prog to look for

  set_prog_path()
  {
-p=`command -v $1 2> /dev/null`
+p=$(command -v $1 2> /dev/null)
  if [ -n "$p" -a -x "$p" ]; then
  type -p "$p"
  else
@@ -99,7 +99,7 @@ set_prog_path()
  }
  
  if [ -z "$TEST_DIR" ]; then

-TEST_DIR=`pwd`/scratch
+TEST_DIR=$PWD/scratch
  fi


...This hunk is okay, but the rest of the file is not.



+++ b/tests/qemu-iotests/common.config
@@ -21,11 +21,11 @@ export LANG=C
  
  PATH=".:$PATH"
  
-HOSTOS=`uname -s`

-arch=`uname -m`
+HOSTOS=$(uname -s)
+arch=$(uname -m)


Another file with too many hunks.

Looking forward to v2.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] [PATCH] qapi: Fix COLOStatus and query-colo-status since version

2018-10-23 Thread Eric Blake

On 10/22/18 5:41 PM, Zhang Chen wrote:

This structure and command missed the QEMU 3.0 release, so fix their 'Since'
version to 3.1.

Signed-off-by: Zhang Chen 
---
  qapi/migration.json | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)


Reviewed-by: Eric Blake 



diff --git a/qapi/migration.json b/qapi/migration.json
index 0928f4b727..38d4c41d88 100644
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -1317,7 +1317,7 @@
  #
  # @reason: describes the reason for the COLO exit.
  #
-# Since: 3.0
+# Since: 3.1
  ##
  { 'struct': 'COLOStatus',
'data': { 'mode': 'COLOMode', 'reason': 'COLOExitReason' } }
@@ -1334,7 +1334,7 @@
  # -> { "execute": "query-colo-status" }
  # <- { "return": { "mode": "primary", "active": true, "reason": "request" } }
  #
-# Since: 3.0
+# Since: 3.1
  ##
  { 'command': 'query-colo-status',
'returns': 'COLOStatus' }



--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] [PATCH v8 00/38] target/mips: Limited support for the R5900

2018-10-23 Thread Fredrik Noring
Hi Peter, Aleksandar,

> Hi: I get compile errors on 32-bit hosts:
>
> /home/petmay01/qemu-for-merges/disas/mips.c:615:35: error: large
> integer implicitly truncated to unsigned type [-Werror=overflow]
>  #define INSN_5900 0x1
>^
> /home/petmay01/qemu-for-merges/disas/mips.c:1200:17: note: in
> expansion of macro 'INSN_5900'
>  #define EE  INSN_5900/* Emotion Engine */
>  ^
> /home/petmay01/qemu-for-merges/disas/mips.c:2326:73: note: in
> expansion of macro 'EE'
>  {"div1","z,s,t",  0x701a, 0xfc00, RD_s | RD_t | WR_HILO, 0, EE },
>  ^
>
> (and repeats on other similar uses).
>
> This is because this line is an initializer for "struct mips_opcode",
> and the final field is "unsigned long membership", which may be only
> 32 bits wide, but you're trying to put a number in that's too big for that.

I am sorry about that. We are out of bits.

Option 1: Discard all disassembly parts of the series. I would prefer this
if possible -- they are not essential now in my opinion.

Option 2: Drop all R5900 related changes for now.

Option 3: Extend the mips_opcode::membership field.

Fredrik



[Qemu-devel] [Bug 1796754] Re: ioctl SIOCGIFCONF causes qemu-aarch64-static to crash with "received signal outside vCPU context"

2018-10-23 Thread Alex Bennée
** Changed in: qemu
   Status: New => In Progress

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1796754

Title:
  ioctl SIOCGIFCONF causes qemu-aarch64-static to crash with "received
  signal outside vCPU context"

Status in QEMU:
  In Progress

Bug description:
  To reproduce it, compile the attached crash.c under aarch64 to a.out and 
execute on x86_64
  qemu-aarch64-static ./a.out

  It will print the following and crash:

  socket=3
  qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x60038cd6
  qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x6000157a

  The version of qemu-aarch64-static is

  qemu-aarch64 version 3.0.0 (qemu-3.0.0-1.fc29)
  Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

  But it also happened in previous versions, so it is not a regression
  but a bug that has existed ever since.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1796754/+subscriptions



Re: [Qemu-devel] [PATCH v2 1/3] linux-user: Add support for statx() syscall

2018-10-23 Thread Laurent Vivier
On 23/10/2018 14:07, Aleksandar Markovic wrote:
> From: Aleksandar Rikalo 
> 
> Implement support for translation of system call statx(). The
> implementation includes invoking other (more mature) syscalls
> (from the same 'stat' family) on the host side. This way,
> problems of availability of statx() on the host side are
> avoided.
> 
> Signed-off-by: Aleksandar Rikalo 
> Signed-off-by: Stefan Markovic 
> Signed-off-by: Aleksandar Markovic 
> ---
>  linux-user/syscall.c  | 129 
> +-
>  linux-user/syscall_defs.h |  38 ++
>  2 files changed, 166 insertions(+), 1 deletion(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index d2cc971..8b01ab0 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -6710,7 +6710,8 @@ static abi_long do_syscall1(void *cpu_env, int num, 
> abi_long arg1,
>  abi_long ret;
>  #if defined(TARGET_NR_stat) || defined(TARGET_NR_stat64) \
>  || defined(TARGET_NR_lstat) || defined(TARGET_NR_lstat64) \
> -|| defined(TARGET_NR_fstat) || defined(TARGET_NR_fstat64)
> +|| defined(TARGET_NR_fstat) || defined(TARGET_NR_fstat64) \
> +|| defined(TARGET_NR_statx)
>  struct stat st;
>  #endif
>  #if defined(TARGET_NR_statfs) || defined(TARGET_NR_statfs64) \
> @@ -9635,6 +9636,132 @@ static abi_long do_syscall1(void *cpu_env, int num, 
> abi_long arg1,
>  ret = host_to_target_stat64(cpu_env, arg3, );
>  return ret;
>  #endif
> +#if defined(TARGET_NR_statx)
> +case TARGET_NR_statx:
> +{
> +struct target_statx *target_stx;
> +int dirfd = tswap32(arg1);
> +int flags = tswap32(arg3);
> +

Normally arg1, arg3 are already in the host byte order (like arg2 below)

> +p = lock_user_string(arg2);
> +if (p == NULL) {
> +return -TARGET_EFAULT;
> +}
> +#if defined(__NR_statx)
> +{
> +/*
> + * It is assumed that struct statx is arhitecture independent
> + */
> +struct target_statx host_stx;

if it is host_statx, the structure to use is statx, not target_statx.

> +int mask = tswap32(arg4);

no tswap32() needed

> +
> +ret = get_errno(syscall(__NR_statx, dirfd, p, flags, mask,
> +_stx));
> +if (!is_error(ret)) {
> +unlock_user(p, arg2, 0);
> +if (!lock_user_struct(VERIFY_WRITE, target_stx, arg5, 
> 0)) {
> +return -TARGET_EFAULT;
> +}
> +memset(target_stx, 0, sizeof(*target_stx));


It would be clearer to put the following conversion lines into a
separate function like host_to_target_statx().

> +__put_user(host_stx.stx_mask, _stx->stx_mask);
> +__put_user(host_stx.stx_blksize, 
> _stx->stx_blksize);
> +__put_user(host_stx.stx_attributes,
> +   _stx->stx_attributes);
> +__put_user(host_stx.stx_nlink, _stx->stx_nlink);
> +__put_user(host_stx.stx_uid, _stx->stx_uid);
> +__put_user(host_stx.stx_gid, _stx->stx_gid);
> +__put_user(host_stx.stx_mode, _stx->stx_mode);
> +__put_user(host_stx.stx_ino, _stx->stx_ino);
> +__put_user(host_stx.stx_size, _stx->stx_size);
> +__put_user(host_stx.stx_blocks, _stx->stx_blocks);
> +__put_user(host_stx.stx_attributes_mask,
> +   _stx->stx_attributes_mask);

perhaps you can also define host_target_statx_timestamp() function to
convert the timestamps.

> +__put_user(host_stx.stx_atime.tv_sec,
> +   _stx->stx_atime.tv_sec);
> +__put_user(host_stx.stx_atime.tv_nsec,
> +   _stx->stx_atime.tv_nsec);
> +__put_user(host_stx.stx_btime.tv_sec,
> +   _stx->stx_atime.tv_sec);
> +__put_user(host_stx.stx_btime.tv_nsec,
> +   _stx->stx_atime.tv_nsec);
> +__put_user(host_stx.stx_ctime.tv_sec,
> +   _stx->stx_atime.tv_sec);
> +__put_user(host_stx.stx_ctime.tv_nsec,
> +   _stx->stx_atime.tv_nsec);
> +__put_user(host_stx.stx_mtime.tv_sec,
> +   _stx->stx_atime.tv_sec);
> +__put_user(host_stx.stx_mtime.tv_nsec,
> +   _stx->stx_atime.tv_nsec);
> +__put_user(host_stx.stx_rdev_major,
> +   _stx->stx_rdev_major);
> +__put_user(host_stx.stx_rdev_minor,
> +   

[Qemu-devel] [Bug 1737444] Re: gccgo setcontext conftest crashes qemu-sh4

2018-10-23 Thread Alex Bennée
** Tags added: linux-user sh4

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1737444

Title:
  gccgo setcontext conftest crashes qemu-sh4

Status in QEMU:
  New

Bug description:
  While testing gccgo on sh4 to add SH platform definitions to libgo, I
  discovered that the following conftest program which is part of the
  libgo configure script crashes on qemu-sh4:

  (sid-sh4-sbuild)root@z6:/# cat setcontext.c
  #include   


 
  #include


 
  #include  


 
  #include


 

  /* Thread-local variable: main() sets it to 1, tfn() sets it to 0 before
     switching contexts, and cfn() exits with whatever value it observes.  */
  __thread int tls;

  /* Stack for the context built by makecontext().  */
  static char stack[10 * 1024 * 1024];
  /* Context filled in by main() and entered from tfn() via setcontext().  */
  static ucontext_t c;

  /* Called via makecontext/setcontext.  */

  static void
  cfn (void)
  {
    /* Terminate the process with the thread-local value seen from the
       context entered via setcontext; the exit status is the test result.  */
    int status = tls;
    exit (status);
  }

  /* Called via pthread_create.  */

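  static void *
  tfn (void *dummy)
  {
    /* The thread should still see this value after calling
       setcontext.  */
    tls = 0;

    /* Switch to the context prepared by main(); its entry point is cfn(),
       which exits the process with the value of tls it observes.  The
       archived copy had lost the "&c" argument, so the call is restored.  */
    setcontext (&c);

    /* The call to setcontext should not return.  */
    abort ();
  }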

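  int
  main (void)
  {
    pthread_t tid;

    /* The thread should not see this value.  */
    tls = 1;

    /* Capture the current context as a template; the stack and the entry
       point are replaced below.  The archived copy had lost the "&c" and
       "&tid" arguments in the calls below, so they are restored.  */
    if (getcontext (&c) < 0)
      abort ();

    c.uc_stack.ss_sp = stack;
  #ifdef MAKECONTEXT_STACK_TOP
    /* Presumably for targets whose makecontext expects ss_sp to point at
       the top of the stack rather than its base.  */
    c.uc_stack.ss_sp += sizeof stack;
  #endif
    c.uc_stack.ss_flags = 0;
    c.uc_stack.ss_size = sizeof stack;
    c.uc_link = NULL;
    makecontext (&c, cfn, 0);

    if (pthread_create (&tid, NULL, tfn, NULL) != 0)
      abort ();

    if (pthread_join (tid, NULL) != 0)
      abort ();

    /* The thread should have called exit.  */
    abort ();
  }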

  (sid-sh4-sbuild)root@z6:/# gcc -o setcontext -lpthread setcontext.c
  (sid-sh4-sbuild)root@z6:/# ./setcontext 
  Unhandled trap: 0x180
  pc=0x7f69235e sr=0x pr=0x00400710 fpscr=0x0008
  spc=0x ssr=0x gbr=0x7f658478 vbr=0x
  sgr=0x dbr=0x delayed_pc=0x7f692320 fpul=0x
  r0=0x00e11158 r1=0x r2=0x0001 r3=0x72e0
  r4=0x00e11068 r5=0x7314 r6=0x731c r7=0x
  r8=0x004007b0 r9=0x r10=0x r11=0x
  r12=0x7f79ac54 r13=0x r14=0x7288 r15=0x7288
  r16=0x r17=0x r18=0x r19=0x
  r20=0x r21=0x r22=0x r23=0x
  (sid-sh4-sbuild)root@z6:/#

  The same code works fine on my Renesas SH7785LCR evaluation board:

  root@tirpitz:~> uname -a
  Linux tirpitz 3.16.7-ckt7 #8 PREEMPT Fri Oct 21 18:47:41 CEST 2016 sh4a 
GNU/Linux
  root@tirpitz:~> gcc -o setcontext setcontext.c  -lpthread
  root@tirpitz:~> ./setcontext 
  root@tirpitz:~> echo $?
  0
  root@tirpitz:~>

  Due to this bug, it is not possible to compile gcc-7 with the Go
  frontend enabled on qemu-sh4.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1737444/+subscriptions



[Qemu-devel] [Bug 1775702] Re: High host CPU load and slower guest after upgrade guest OS Windows 10 to ver 1803

2018-10-23 Thread Alex Bennée
** Tags added: windows10

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1775702

Title:
  High host CPU load and slower guest after upgrade guest OS Windows 10
  to ver 1803

Status in QEMU:
  New

Bug description:
  After upgrading Windows 10 guest to version 1803, guests VM runs
  slower and there is high host CPU load even when guest is almost idle.
  This did not happen with Windows 10 up to version 1709.

  See my 1st report here:
  
https://askubuntu.com/questions/1033985/kvm-high-host-cpu-load-after-upgrading-vm-to-windows-10-1803

  Another user report is here:
  https://lime-technology.com/forums/topic/71479-windows-10-vm-cpu-usage/

  Tested on: Ubuntu 16.04 with qemu 2.5.0 and i3-3217U, Arch with qemu
  2.12 and i5-7200U, Ubuntu 18.04 with qemu 2.11.1 and AMD FX-4300. All three
  platforms show the same slowdown and higher host CPU load with a
  Windows 10 1803 VM compared to a Windows 10 1709 VM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1775702/+subscriptions



Re: [Qemu-devel] [RFC v3 30/56] i386: convert to cpu_interrupt_request

2018-10-23 Thread Emilio G. Cota
On Sun, Oct 21, 2018 at 14:27:22 +0100, Richard Henderson wrote:
> On 10/19/18 2:05 AM, Emilio G. Cota wrote:
> > @@ -713,9 +713,9 @@ int hvf_vcpu_exec(CPUState *cpu)
> >  switch (exit_reason) {
> >  case EXIT_REASON_HLT: {
> >  macvm_set_rip(cpu, rip + ins_len);
> > -if (!((cpu->interrupt_request & CPU_INTERRUPT_HARD) &&
> > +if (!((cpu_interrupt_request(cpu) & CPU_INTERRUPT_HARD) &&
> >  (EFLAGS(env) & IF_MASK))
> > -&& !(cpu->interrupt_request & CPU_INTERRUPT_NMI) &&
> > +&& !(cpu_interrupt_request(cpu) & CPU_INTERRUPT_NMI) &&
> >  !(idtvec_info & VMCS_IDT_VEC_VALID)) {
> >  cpu_halted_set(cpu, 1);
> >  ret = EXCP_HLT;
> 
> Likewise wrt multiple calls.
> 
> > @@ -400,7 +401,8 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
> >  };
> >  }
> >  
> > -if (cpu_state->interrupt_request & CPU_INTERRUPT_NMI) {
> > +cpu_mutex_lock(cpu_state);
> > +if (cpu_interrupt_request(cpu_state) & CPU_INTERRUPT_NMI) {
> >  if (!(env->hflags2 & HF2_NMI_MASK) && !(info & VMCS_INTR_VALID)) {
> >  cpu_reset_interrupt(cpu_state, CPU_INTERRUPT_NMI);
> >  info = VMCS_INTR_VALID | VMCS_INTR_T_NMI | NMI_VEC;
> > @@ -411,7 +413,7 @@ bool hvf_inject_interrupts(CPUState *cpu_state)
> >  }
> >  
> >  if (!(env->hflags & HF_INHIBIT_IRQ_MASK) &&
> > -(cpu_state->interrupt_request & CPU_INTERRUPT_HARD) &&
> > +(cpu_interrupt_request(cpu_state) & CPU_INTERRUPT_HARD) &&
> >  (EFLAGS(env) & IF_MASK) && !(info & VMCS_INTR_VALID)) {
> >  int line = cpu_get_pic_interrupt(>env);
> >  cpu_reset_interrupt(cpu_state, CPU_INTERRUPT_HARD);
> 
> Likewise.
> 
> I think you need to be more careful about this in the conversions.  
> Previously,
> the compiler would CSE these two loads; now you're taking a lock twice.
> 
> Or in the second instance, once, since you explicitly take the lock around a
> big block.  But I think that's papering over the fact that you make 4 calls
> when you should have made one, *and* not hold the lock across all that code.

Yes, I'm aware of this. For a first pass I wanted to make sure no updates
would be lost, e.g.

int interrupt_request = cpu_interrupt_request(cpu);
if (interrupt_request & FOO) {
do_foo(); /* sets cpu->interrupt_request | BAR */
}
if (interrupt_request & BAR) { /* wrongly misses BAR update */
do_bar();
}

I'll go through the entire patch to amend these.

Thanks,

E.



Re: [Qemu-devel] [RFC v3 46/56] accel/tcg: convert to cpu_interrupt_request

2018-10-23 Thread Emilio G. Cota
On Tue, Oct 23, 2018 at 03:17:11 +0100, Richard Henderson wrote:
> On 10/23/18 12:50 AM, Emilio G. Cota wrote:
> > On Sun, Oct 21, 2018 at 14:34:25 +0100, Richard Henderson wrote:
> >> On 10/19/18 2:06 AM, Emilio G. Cota wrote:
> >>> @@ -540,16 +540,16 @@ static inline bool cpu_handle_interrupt(CPUState 
> >>> *cpu,
> >>>   */
> >>>  atomic_mb_set(>icount_decr.u16.high, 0);
> >>>  
> >>> -if (unlikely(atomic_read(>interrupt_request))) {
> >>> +if (unlikely(cpu_interrupt_request(cpu))) {
> >>>  int interrupt_request;
> >>>  qemu_mutex_lock_iothread();
> >>> -interrupt_request = cpu->interrupt_request;
> >>> +interrupt_request = cpu_interrupt_request(cpu);
> >>>  if (unlikely(cpu->singlestep_enabled & SSTEP_NOIRQ)) {
> >>>  /* Mask out external interrupts for this step. */
> >>>  interrupt_request &= ~CPU_INTERRUPT_SSTEP_MASK;
> >>>  }
> >>>  if (interrupt_request & CPU_INTERRUPT_DEBUG) {
> >>> -cpu->interrupt_request &= ~CPU_INTERRUPT_DEBUG;
> >>> +cpu_reset_interrupt(cpu, CPU_INTERRUPT_DEBUG);
> >>>  cpu->exception_index = EXCP_DEBUG;
> >>>  qemu_mutex_unlock_iothread();
> >>>  return true;
> >>
> >> Multiple calls.
> > 
> > I'd rather keep it as is.
> > 
> > The first read takes the lock, and that has to stay unless
> > we want to use atomic_set on interrupt_request everywhere.
> 
> Why not?  That's even cheaper.
> 
> > Given that the CPU lock is uncontended (so it's cheap to
> > acquire) ...
> 
> It still requires at minimum a "lock xchg" (or equivalent on non-x86), which
> isn't free -- think 50-ish cycles minimum just for that one insn, plus call
> overhead.

OK, I changed the first read to atomic_read (changing all the other
writers to atomic_set, but thanks to the helpers it's just very
few of them), and then I'm holding both the BQL + cpu->lock throughout.

Thanks,

Emilio



Re: [Qemu-devel] [PULL 00/34] MIPS queue for October 2018 - part 2

2018-10-23 Thread Peter Maydell
On 22 October 2018 at 13:57, Aleksandar Markovic
 wrote:
> From: Aleksandar Markovic 
>
> The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2018-10-19 19:01:07 +0100)
>
> are available in the git repository at:
>
>   https://github.com/AMarkovic/qemu tags/mips-queue-oct-2018-part-2
>
> for you to fetch changes up to 2ec219776c633df9e43c5fa1557f70ee4f735f9d:
>
>   target/mips: Fix decoding of ALIGN and DALIGN instructions (2018-10-22 
> 14:41:47 +0200)
>
> 
> MIPS queue for October 2018 - part 2
>
> Limited support for R5900 ISA, MMI ASE, and two misc fixes.
>
> 

Hi: I get compile errors on 32-bit hosts:

/home/petmay01/qemu-for-merges/disas/mips.c:615:35: error: large
integer implicitly truncated to unsigned type [-Werror=overflow]
 #define INSN_5900 0x1
   ^
/home/petmay01/qemu-for-merges/disas/mips.c:1200:17: note: in
expansion of macro 'INSN_5900'
 #define EE  INSN_5900/* Emotion Engine */
 ^
/home/petmay01/qemu-for-merges/disas/mips.c:2326:73: note: in
expansion of macro 'EE'
 {"div1","z,s,t",  0x701a, 0xfc00, RD_s | RD_t | WR_HILO, 0, EE },
 ^

(and repeats on other similar uses).

This is because this line is an initializer for "struct mips_opcode",
and the final field is "unsigned long membership", which may be only
32 bits wide, but you're trying to put a number in that's too big for that.

thanks
-- PMM



Re: [Qemu-devel] [PATCH v8 00/38] target/mips: Limited support for the R5900

2018-10-23 Thread Fredrik Noring
Hi Maciej,

> target/mips/translate.c:4888:38: error: passing argument 3 of
> ‘tcg_gen_add2_i32’ from incompatible pointer type
> [-Werror=incompatible-pointer-types]
>  tcg_gen_add2_i32(t2, t3, cpu_LO[acc], cpu_HI[acc], t2, t3);
>   ^~

Would you know if any MIPS ISA has LO and HI registers that are not
32-bit? In QEMU they can obviously be either 32-bit or 64-bit, which
causes the compilation error here.

Fredrik



Re: [Qemu-devel] [PATCH 00/27] ACPI hardware-reduced support

2018-10-23 Thread Peter Maydell
On 23 October 2018 at 20:08, Samuel Ortiz  wrote:
> Hi Peter,
>
> On Tue, Oct 23, 2018 at 08:01:26PM +0100, Peter Maydell wrote:
>> Hi -- I'd appreciate it if you don't send pull-requests for
>> patch series. They show up in my queue of things to merge directly
>> into master otherwise. Just send them as a patch-series email with
>> a cover letter, please.
> Apologies, I did not know. I'll fix that with the next revision of
> this patch set.

No problem. You can give a git branch URL for reviewers to look
at if you think it's helpful; just avoid using the stock git
pull-request email wording about 'for you to fetch changes', because
that's what my email filters look for :-)

thanks
-- PMM



Re: [Qemu-devel] [PATCH v8 00/38] target/mips: Limited support for the R5900

2018-10-23 Thread Fredrik Noring
Hi Maciej,

>  I have no authority to approve such a change for the kernel, but it looks 
> reasonable to me and I will support you with it, with one reservation 
> however.  As this is an ISA extension in the vendor-specific space, I 
> think it belongs to a vendor-specific namespace, so as to make it clear it 
> is not a generic architectural feature and also to avoid name clashes.
> 
>  So it has to be called Toshiba MMI or suchlike, similarly to how I 
> requested that for the Longsoon MMI feature in a recent binutils review 
> (cf  and 
> binutils commit 8095d2f70e1a ("MIPS/GAS: Split Loongson MMI Instructions 
> from loongson2f/3a")), with all the consequences throughout.

Vendor ASE namespaces make sense to me. I can prepare a patch for it.

>  NB all but pipeline 1 instructions of these are also implemented by other 
> members of the TXx9 family.  They seem to be referred to as just "multiply 
> and multiply-add instructions" in the TX79 manual (cf Section B.3.1).

Would

ASE_TOSHIBA_MMI  -- TX79 128-bit multimedia instructions
ASE_TOSHIBA_MAC  -- TXx9 multiply and multiply-add instructions (MADD etc.)
ASE_TOSHIBA_MAC1 -- TX79 pipeline 1 variant of ASE_TOSHIBA_MAC
ASE_TOSHIBA_FMA  -- R5900 FPU extensions (MADD.s etc.)

be acceptable for the currently known Toshiba extensions? (Please propose
better names.) One complication is that it seems only 8 bits are available
for all vendor ASEs, and Toshiba would then scoop up half of those.

Fredrik



Re: [Qemu-devel] [PATCH 00/27] ACPI hardware-reduced support

2018-10-23 Thread Samuel Ortiz
Hi Peter,

On Tue, Oct 23, 2018 at 08:01:26PM +0100, Peter Maydell wrote:
> On 22 October 2018 at 19:36, Samuel Ortiz  wrote:
> > This patch set implements support for the ACPI hardware-reduced
> > specification.
> >
> > The changes are coming from the NEMU [1] project where we're defining
> > a new x86 machine type: i386/virt. This is an EFI only, ACPI
> > hardware-reduced platform and as such we had to implement support
> > for the latter.
> >
> > As a preliminary for adding hardware-reduced support to QEMU, we did
> > some ACPI code reorganization with the following goals:
> >
> > * Share as much as possible of the current ACPI build APIs between
> >   legacy and hardware-reduced ACPI.
> > * Share the ACPI build code across machine types and architectures and
> >   remove the typical PC machine type dependency.
> >   Eventually we hope to see arm/virt also re-use much of that code.
> >
> > The rest of the patchset adds the hardware-reduced support on top of
> > this code reorganization. Here again, the implementation is machine
> > type, platform and architecture independent.
> >
> > [1] https://github.com/intel/nemu
> >
> >
> > The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
> >
> >   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> > staging (2018-10-19 19:01:07 +0100)
> >
> > are available in the Git repository at:
> >
> >   g...@github.com:intel/nemu topic/upstream/acpi
> >
> > for you to fetch changes up to 4133ebe0d638d0a3d583bd89aa2360ef35ba746b:
> >
> >   hw: acpi: reduced: Add PCI hotplug support (2018-10-22 20:32:23 +0200)
> 
> Hi -- I'd appreciate it if you don't send pull-requests for
> patch series. They show up in my queue of things to merge directly
> into master otherwise. Just send them as a patch-series email with
> a cover letter, please.
Apologies, I did not know. I'll fix that with the next revision of
this patch set.

Cheers,
Samuel.



Re: [Qemu-devel] [PATCH 00/27] ACPI hardware-reduced support

2018-10-23 Thread Peter Maydell
On 22 October 2018 at 19:36, Samuel Ortiz  wrote:
> This patch set implements support for the ACPI hardware-reduced
> specification.
>
> The changes are coming from the NEMU [1] project where we're defining
> a new x86 machine type: i386/virt. This is an EFI only, ACPI
> hardware-reduced platform and as such we had to implement support
> for the latter.
>
> As a preliminary for adding hardware-reduced support to QEMU, we did
> some ACPI code reorganization with the following goals:
>
> * Share as much as possible of the current ACPI build APIs between
>   legacy and hardware-reduced ACPI.
> * Share the ACPI build code across machine types and architectures and
>   remove the typical PC machine type dependency.
>   Eventually we hope to see arm/virt also re-use much of that code.
>
> The rest of the patchset adds the hardware-reduced support on top of
> this code reorganization. Here again, the implementation is machine
> type, platform and architecture independent.
>
> [1] https://github.com/intel/nemu
>
>
> The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2018-10-19 19:01:07 +0100)
>
> are available in the Git repository at:
>
>   g...@github.com:intel/nemu topic/upstream/acpi
>
> for you to fetch changes up to 4133ebe0d638d0a3d583bd89aa2360ef35ba746b:
>
>   hw: acpi: reduced: Add PCI hotplug support (2018-10-22 20:32:23 +0200)

Hi -- I'd appreciate it if you don't send pull-requests for
patch series. They show up in my queue of things to merge directly
into master otherwise. Just send them as a patch-series email with
a cover letter, please.

thanks
-- PMM



Re: [Qemu-devel] [PULL v2 00/40] Error reporting patches for 2018-10-22

2018-10-23 Thread Peter Maydell
On 23 October 2018 at 14:04, Markus Armbruster  wrote:
> The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2018-10-19 19:01:07 +0100)
>
> are available in the Git repository at:
>
>   git://repo.or.cz/qemu/armbru.git tags/pull-error-2018-10-22-v2
>
> for you to fetch changes up to 70f81ac4800c5cf33415c966d63bf89af5cefbb9:
>
>   error: Drop bogus "use error_setg() instead" admonitions (2018-10-23 
> 14:48:32 +0200)
>
> 
> Error reporting patches for 2018-10-22
>
> * Replace some unwise uses of error_report() & friends
> * Print error when using incorrect backend for debugcon
>
> 
> v2: Fix a stale sentence in commit message of PATCH 05/40.

Sorry, I'd already pushed the merge of v1 to master before I saw this one.

-- PMM



Re: [Qemu-devel] [PULL 00/40] Error reporting patches for 2018-10-22

2018-10-23 Thread Peter Maydell
On 22 October 2018 at 13:33, Markus Armbruster  wrote:
> The following changes since commit 1b7490446bf41f54130c2d495dd4c8768c8e1ce3:
>
>   Merge remote-tracking branch 
> 'remotes/vivier2/tags/linux-user-for-3.1-pull-request' into staging 
> (2018-10-19 11:20:05 +0100)
>
> are available in the Git repository at:
>
>   git://repo.or.cz/qemu/armbru.git tags/pull-error-2018-10-22
>
> for you to fetch changes up to 80313fb53d8048882848b6f63daaeb29dc319765:
>
>   error: Drop bogus "use error_setg() instead" admonitions (2018-10-19 
> 15:47:09 +0200)
>
> 
> Error reporting patches for 2018-10-22
>
> * Replace some unwise uses of error_report() & friends
> * Print error when using incorrect backend for debugcon
>


Applied, thanks.

-- PMM



Re: [Qemu-devel] [PATCH 1/7] decodetree: Add !extern flag to argument sets

2018-10-23 Thread Philippe Mathieu-Daudé

On 23/10/18 15:54, Richard Henderson wrote:

On 10/23/18 2:27 PM, Philippe Mathieu-Daudé wrote:

+    if re_fullmatch('!extern', t):
+    extern = True


It looks odd to match a negative form then use a positive one.

Why not simply use 'extern'?


"!" is an escape character here.
Just "escape" would be a field named "escape".

It follows existing similar syntax for !function=foo


Oh OK!

Thanks,

Phil.



Re: [Qemu-devel] [PATCH v2 2/3] linux-user: Add support for semtimedop() syscall

2018-10-23 Thread Laurent Vivier
On 23/10/2018 14:07, Aleksandar Markovic wrote:
> From: Aleksandar Rikalo 
> 
> Add support for semtimedop() emulation.
> 
> Signed-off-by: Aleksandar Rikalo 
> Signed-off-by: Aleksandar Markovic 
> ---
>  linux-user/syscall.c | 27 +++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 8b01ab0..e722ba8 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -6162,7 +6162,29 @@ static inline abi_long host_to_target_stat64(void 
> *cpu_env,
>  return 0;
>  }
>  #endif
> +#ifdef TARGET_NR_semtimedop
> +static inline abi_long do_semtimedop(int semid, abi_long ptr, unsigned nsops,
> + abi_long timeout)
> +{
> +struct sembuf sops[nsops];
> +struct timespec ts, *pts;
> +
> +if (timeout) {
> +pts = 
> +if (target_to_host_timespec(pts, timeout)) {
> +return -TARGET_EFAULT;
> +}
> +} else {
> +pts = NULL;
> +}
>  
> +if (target_to_host_sembuf(sops, ptr, nsops)) {
> +return -TARGET_EFAULT;
> +}
> +
> +return get_errno(semtimedop(semid, sops, nsops, pts));
> +}
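Review bot: `struct sembuf sops[nsops];` sizes a stack array directly from the guest-supplied nsops, so nsops == 0 is undefined behaviour for a VLA and a large value can exhaust the host stack before the host semtimedop() ever gets to reject it. A bound check before the array is declared is the minimal fix, e.g. `if (nsops == 0 || nsops > SEMOPM) { return -TARGET_EINVAL; }` (the kernel itself answers EINVAL for zero and E2BIG above SEMOPM, so mirroring those two codes is also an option). Moving sops to the heap removes the stack exposure but does not by itself handle the zero case, so the check is worth keeping either way. The quoted hunk appears to be truncated after `+}`, so the remaining context lines are not visible here.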

The current function do_semop() actually uses a safe_semtimedop() with a
NULL timeout pointer. Perhaps you can change/rename this function to
take the timeout pointer and convert it, and use it for TARGET_NR_semop
with NULL timeout pointer and with TARGET_NR_semtimeop with the pointer
to the target timeout.

And I agree with Philippe: I think it's a good opportunity to replace the
stack-allocated structure with a g_malloc'ed one.

Thanks,
Laurent




Re: [Qemu-devel] [PATCH v2 3/3] linux-user: Add support for SO_REUSEPORT

2018-10-23 Thread Laurent Vivier
On 23/10/2018 14:07, Aleksandar Markovic wrote:
> From: Yunqiang Su 
> 
> Add support for SO_REUSEPORT, including strace support. SO_REUSEPORT
> was introduced relatively recently, since Linux 3.9, so use
> '#if defined SO_REUSEPORT'.
> 
> Signed-off-by: Yunqiang Su 
> Signed-off-by: Aleksandar Markovic 
> ---
>  linux-user/strace.c  |  3 +++
>  linux-user/syscall.c | 10 ++
>  2 files changed, 13 insertions(+)

Reviewed-by: Laurent Vivier 





Re: [Qemu-devel] [PATCH 00/10] cputlb: track dirty tlbs and general cleanup

2018-10-23 Thread Emilio G. Cota
On Tue, Oct 23, 2018 at 08:02:42 +0100, Richard Henderson wrote:
> The motivation here is reducing the total overhead.
> 
> Before a few patches went into target-arm.next, I measured total
> tlb flush overhead for aarch64 at 25%.  This appears to reduce the
> total overhead to about 5% (I do need to re-run the control tests,
> not just watch perf top as I'm doing now).

I'd like to see those absolute perf numbers; I ran a few Ubuntu aarch64
boots and the noise is just too high to draw any conclusions (I'm
using your tlb-dirty branch on github).

When booting the much smaller debian image, these patches are
performance-neutral though. So,
  Reviewed-by: Emilio G. Cota 
for the series.

(On a pedantic note: consider s/miniscule/minuscule/ in patches 6-7)

> The final patch is somewhat of an RFC.  I'd like to know what
> benchmark was used when putting in pending_tlb_flushes, and I
> have not done any archaeology to find out.  I suspect that it
> does make any measurable difference beyond tlb_c.dirty, and I
> think the code is a bit cleaner without it.

I suspect that pending_tlb_flushes was premature optimization.
Avoiding an async job sounds like a good idea, since it is very
expensive for the remote vCPU.
However, in most cases we'll be taking a lock (or a full barrier
in the original code) but we won't avoid the async job (because
a race when flushing other vCPUs is unlikely), therefore wasting
cycles in the lock (formerly barrier).

Thanks,

Emilio



[Qemu-devel] [PATCH v6 15/18] target/mips: Add emulation of MXU instruction D16MUL

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add support for emulating the D16MUL MXU instruction.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 66 ++---
 1 file changed, 63 insertions(+), 3 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index a9915c4..fec5163 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24040,6 +24040,68 @@ static void gen_mxu_s8ldd(DisasContext *ctx)
 tcg_temp_free(t1);
 }
 
+/*
+ * D16MUL XRa, XRb, XRc, XRd, optn2 - Signed 16 bit pattern multiplication
+ */
+static void gen_mxu_d16mul(DisasContext *ctx)
+{
+TCGv t0, t1, t2, t3;
+TCGLabel *l0;
+uint32_t XRa, XRb, XRc, XRd, optn2;
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+t2 = tcg_temp_new();
+t3 = tcg_temp_new();
+
+l0 = gen_new_label();
+
+XRa = extract32(ctx->opcode, 6, 4);
+XRb = extract32(ctx->opcode, 10, 4);
+XRc = extract32(ctx->opcode, 14, 4);
+XRd = extract32(ctx->opcode, 18, 4);
+optn2 = extract32(ctx->opcode, 22, 2);
+
+gen_load_mxu_cr(t0);
+tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);
+
+gen_load_mxu_gpr(t1, XRb);
+tcg_gen_sextract_tl(t0, t1, 0, 16);
+tcg_gen_sextract_tl(t1, t1, 16, 16);
+gen_load_mxu_gpr(t3, XRc);
+tcg_gen_sextract_tl(t2, t3, 0, 16);
+tcg_gen_sextract_tl(t3, t3, 16, 16);
+
+switch (optn2) {
+case MXU_OPTN2_WW: /* XRB.H*XRC.H == lop, XRB.L*XRC.L == rop */
+tcg_gen_mul_tl(t3, t1, t3);
+tcg_gen_mul_tl(t2, t0, t2);
+break;
+case MXU_OPTN2_LW: /* XRB.L*XRC.H == lop, XRB.L*XRC.L == rop */
+tcg_gen_mul_tl(t3, t0, t3);
+tcg_gen_mul_tl(t2, t0, t2);
+break;
+case MXU_OPTN2_HW: /* XRB.H*XRC.H == lop, XRB.H*XRC.L == rop */
+tcg_gen_mul_tl(t3, t1, t3);
+tcg_gen_mul_tl(t2, t1, t2);
+break;
+case MXU_OPTN2_XW: /* XRB.L*XRC.H == lop, XRB.H*XRC.L == rop */
+tcg_gen_mul_tl(t3, t0, t3);
+tcg_gen_mul_tl(t2, t1, t2);
+break;
+}
+gen_store_mxu_gpr(t3, XRa);
+gen_store_mxu_gpr(t2, XRd);
+
+gen_set_label(l0);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+tcg_temp_free(t2);
+tcg_temp_free(t3);
+}
+
 
 /*
  * Decoding engine for MXU
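Review bot: The header comment on gen_mxu_d16mul does not say what the instruction does when MXU_EN is clear in MXU_CR: the brcondi to l0 right after gen_load_mxu_cr skips both the multiplications and the stores to XRa/XRd, so the instruction silently has no effect and no exception is generated. Suggest extending the comment with `* When MXU_CR.MXU_EN is clear the instruction has no effect (no exception is raised).` so a reader does not mistake the l0 label for an error path. The four case comments already document the optn2 operand selection, which is good; a one-line note that optn2 is a 2-bit field so the switch is exhaustive would explain the missing default.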
@@ -24999,9 +25061,7 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 decode_opc_mxu__pool02(env, ctx);
 break;
 case OPC_MXU_D16MUL:
-/* TODO: Implement emulation of D16MUL instruction. */
-MIPS_INVAL("OPC_MXU_D16MUL");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_d16mul(ctx);
 break;
 case OPC_MXU__POOL03:
 decode_opc_mxu__pool03(env, ctx);
-- 
2.7.4




[Qemu-devel] [PATCH v6 09/18] target/mips: Add bit encoding for MXU operand getting pattern 'optn2'

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add bit encoding for MXU operand getting pattern 'optn2'.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 665a584..f3e87ce 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23861,6 +23861,12 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 #define MXU_EPTN2_SA2
 #define MXU_EPTN2_SS3
 
+/* MXU operand getting pattern 'optn2' */
+#define MXU_OPTN2_WW0
+#define MXU_OPTN2_LW1
+#define MXU_OPTN2_HW2
+#define MXU_OPTN2_XW3
+
 
 /*
  *
-- 
2.7.4




[Qemu-devel] [PATCH v6 11/18] target/mips: Add emulation of non-MXU MULL within MXU decoding engine

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add emulation of non-MXU MULL within MXU decoding engine.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 5bcf6a4..29df4ce 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -1654,7 +1654,7 @@ enum {
 enum {
 OPC_MXU_S32MADD  = 0x00,
 OPC_MXU_S32MADDU = 0x01,
-/* not assigned 0x02 */
+OPC__MXU_MUL = 0x02,
 OPC_MXU__POOL00  = 0x03,
 OPC_MXU_S32MSUB  = 0x04,
 OPC_MXU_S32MSUBU = 0x05,
@@ -24788,6 +24788,18 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 MIPS_INVAL("OPC_MXU_S32MADDU");
 generate_exception_end(ctx, EXCP_RI);
 break;
+case OPC__MXU_MUL: /* 0x2 - unused in MXU specs */
+{
+uint32_t  rs, rt, rd, op1;
+
+rs = extract32(ctx->opcode, 21, 5);
+rt = extract32(ctx->opcode, 16, 5);
+rd = extract32(ctx->opcode, 11, 5);
+op1 = MASK_SPECIAL2(ctx->opcode);
+
+gen_arith(ctx, op1, rd, rs, rt);
+}
+break;
 case OPC_MXU__POOL00:
 decode_opc_mxu__pool00(env, ctx);
 break;
-- 
2.7.4




[Qemu-devel] [PATCH v6 12/18] target/mips: Add emulation of MXU instructions S32I2M and S32M2I

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add support for emulating the S32I2M and S32M2I MXU instructions.
This commit also contains utility functions for reading/writing
to MXU registers. This is required for overall MXU instruction
support.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 90 +
 1 file changed, 84 insertions(+), 6 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 29df4ce..c8c71c4 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2575,6 +2575,35 @@ static inline void gen_store_srsgpr (int from, int to)
 }
 }
 
+/* MXU General purpose registers moves. */
+static inline void gen_load_mxu_gpr(TCGv t, unsigned int reg)
+{
+if (reg == 0) {
+tcg_gen_movi_tl(t, 0);
+} else if (reg <= 15) {
+tcg_gen_mov_tl(t, mxu_gpr[reg - 1]);
+}
+}
+
+static inline void gen_store_mxu_gpr(TCGv t, unsigned int reg)
+{
+if (reg > 0 && reg <= 15) {
+tcg_gen_mov_tl(mxu_gpr[reg - 1], t);
+}
+}
+
+/* MXU control register moves. */
+static inline void gen_load_mxu_cr(TCGv t)
+{
+tcg_gen_mov_tl(t, mxu_CR);
+}
+
+static inline void gen_store_mxu_cr(TCGv t)
+{
+tcg_gen_mov_tl(mxu_CR, t);
+}
+
+
 /* Tests */
 static inline void gen_save_pc(target_ulong pc)
 {
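Review bot: gen_load_mxu_gpr leaves its output temp untouched when reg is greater than 15 (there is no else branch after the `reg <= 15` test), and gen_mxu_s32m2i in the following hunk depends on that with a 5-bit XRa field from extract32(ctx->opcode, 6, 5): for XRa in 17..31 neither the `XRa <= 15` nor the `XRa == 16` branch runs, and gen_store_gpr then writes an uninitialised TCG temp into Rb. Either reject those encodings in gen_mxu_s32m2i with `generate_exception_end(ctx, EXCP_RI);` as the unimplemented opcodes in this file do, or define the temp on every path of the helper, e.g. `} else { tcg_gen_movi_tl(t, 0); }`. Whichever is chosen, the helper's contract should be stated above it: `/* reg must be 0..15; t is left unchanged for other values. */` (or the zeroing behaviour, if that is picked). gen_store_mxu_gpr already ignores out-of-range reg silently, so the two helpers would then be consistent.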
@@ -23879,6 +23908,59 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 
 
 /*
+ * S32I2M XRa, rb - Register move from GRF to XRF
+ */
+static void gen_mxu_s32i2m(DisasContext *ctx)
+{
+TCGv t0;
+uint32_t XRa, Rb;
+
+t0 = tcg_temp_new();
+
+XRa = extract32(ctx->opcode, 6, 5);
+Rb = extract32(ctx->opcode, 16, 5);
+
+gen_load_gpr(t0, Rb);
+if (XRa <= 15) {
+gen_store_mxu_gpr(t0, XRa);
+} else if (XRa == 16) {
+gen_store_mxu_cr(t0);
+}
+
+tcg_temp_free(t0);
+}
+
+/*
+ * S32M2I XRa, rb - Register move from XRF to GRF
+ */
+static void gen_mxu_s32m2i(DisasContext *ctx)
+{
+TCGv t0;
+uint32_t XRa, Rb;
+
+t0 = tcg_temp_new();
+
+XRa = extract32(ctx->opcode, 6, 5);
+Rb = extract32(ctx->opcode, 16, 5);
+
+if (XRa <= 15) {
+gen_load_mxu_gpr(t0, XRa);
+} else if (XRa == 16) {
+gen_load_mxu_cr(t0);
+}
+
+gen_store_gpr(t0, Rb);
+
+tcg_temp_free(t0);
+}
+
+
+/*
+ * Decoding engine for MXU
+ * ===
+ */
+
+/*
  *
  * Decode MXU pool00
  *
@@ -24952,14 +25034,10 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 generate_exception_end(ctx, EXCP_RI);
 break;
 case OPC_MXU_S32M2I:
-/* TODO: Implement emulation of S32M2I instruction. */
-MIPS_INVAL("OPC_MXU_S32M2I");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_s32m2i(ctx);
 break;
 case OPC_MXU_S32I2M:
-/* TODO: Implement emulation of S32I2M instruction. */
-MIPS_INVAL("OPC_MXU_S32I2M");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_s32i2m(ctx);
 break;
 case OPC_MXU_D32SLL:
 /* TODO: Implement emulation of D32SLL instruction. */
-- 
2.7.4




[Qemu-devel] [PATCH v6 13/18] target/mips: Move MUL, S32M2I, S32I2M handling out of main MXU switch

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Move MUL, S32M2I, S32I2M handling out of switch. These are all
instructions that do not depend on MXU_EN flag of MXU_CR.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 41 +++--
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index c8c71c4..111affb 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24859,6 +24859,29 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 {
 uint32_t opcode = extract32(ctx->opcode, 0, 6);
 
+if (opcode == OPC__MXU_MUL) {
+uint32_t  rs, rt, rd, op1;
+
+rs = extract32(ctx->opcode, 21, 5);
+rt = extract32(ctx->opcode, 16, 5);
+rd = extract32(ctx->opcode, 11, 5);
+op1 = MASK_SPECIAL2(ctx->opcode);
+
+gen_arith(ctx, op1, rd, rs, rt);
+
+return;
+}
+
+if (opcode == OPC_MXU_S32M2I) {
+gen_mxu_s32m2i(ctx);
+return;
+}
+
+if (opcode == OPC_MXU_S32I2M) {
+gen_mxu_s32i2m(ctx);
+return;
+}
+
 switch (opcode) {
 case OPC_MXU_S32MADD:
 /* TODO: Implement emulation of S32MADD instruction. */
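Review bot: The three early-return `if (opcode == ...)` blocks added before the switch carry no comment, so the reason they are split off — which the commit message gives as "do not depend on MXU_EN flag of MXU_CR" — is not visible in the code. Suggest a comment above the first block: `/* MUL, S32M2I and S32I2M do not depend on MXU_CR.MXU_EN and are handled before the switch. */`. As a point of style, the three blocks could also be a single `switch (opcode)` with a `return` in each case, which keeps the opcode dispatch in one shape; decode_opc_mxu continues beyond this hunk.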
@@ -24870,18 +24893,6 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 MIPS_INVAL("OPC_MXU_S32MADDU");
 generate_exception_end(ctx, EXCP_RI);
 break;
-case OPC__MXU_MUL: /* 0x2 - unused in MXU specs */
-{
-uint32_t  rs, rt, rd, op1;
-
-rs = extract32(ctx->opcode, 21, 5);
-rt = extract32(ctx->opcode, 16, 5);
-rd = extract32(ctx->opcode, 11, 5);
-op1 = MASK_SPECIAL2(ctx->opcode);
-
-gen_arith(ctx, op1, rd, rs, rt);
-}
-break;
 case OPC_MXU__POOL00:
 decode_opc_mxu__pool00(env, ctx);
 break;
@@ -25033,12 +25044,6 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 MIPS_INVAL("OPC_MXU_S16SDI");
 generate_exception_end(ctx, EXCP_RI);
 break;
-case OPC_MXU_S32M2I:
-gen_mxu_s32m2i(ctx);
-break;
-case OPC_MXU_S32I2M:
-gen_mxu_s32i2m(ctx);
-break;
 case OPC_MXU_D32SLL:
 /* TODO: Implement emulation of D32SLL instruction. */
 MIPS_INVAL("OPC_MXU_D32SLL");
-- 
2.7.4




[Qemu-devel] [PATCH v6 18/18] target/mips: Add emulation of MXU instructions S32LDD and S32LDDR

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add support for emulating the S32LDD and S32LDDR MXU instructions.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 54 ++---
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index d53e386..61c1662 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24281,6 +24281,52 @@ static void gen_mxu_q8mul_q8mulsu(DisasContext *ctx)
 tcg_temp_free(t7);
 }
 
+/*
+ * S32LDD  XRa, Rb, S12 - Load a word from memory to XRF
+ * S32LDDR XRa, Rb, S12 - Load a word from memory to XRF, reversed byte seq.
+ */
+static void gen_mxu_s32ldd_s32lddr(DisasContext *ctx)
+{
+TCGv t0, t1;
+TCGLabel *l0;
+uint32_t XRa, Rb, s12, sel;
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+
+l0 = gen_new_label();
+
+XRa = extract32(ctx->opcode, 6, 4);
+s12 = extract32(ctx->opcode, 10, 10);
+sel = extract32(ctx->opcode, 20, 1);
+Rb = extract32(ctx->opcode, 21, 5);
+
+gen_load_mxu_cr(t0);
+tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);
+
+gen_load_gpr(t0, Rb);
+
+tcg_gen_movi_tl(t1, s12);
+tcg_gen_shli_tl(t1, t1, 2);
+if (s12 & 0x200) {
+tcg_gen_ori_tl(t1, t1, 0xF000);
+}
+tcg_gen_add_tl(t1, t0, t1);
+tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, MO_SL);
+
+if (sel == 1) {
+/* S32LDDR */
+tcg_gen_bswap32_tl(t1, t1);
+}
+gen_store_mxu_gpr(t1, XRa);
+
+gen_set_label(l0);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+}
+
 
 /*
  * Decoding engine for MXU
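Review bot: The MXU_EN guard at `tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN); tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);` never branches: patch 01 of this series defines `MXU_CR_MXU_EN` as bit number 0, so the and-immediate clears t0 and the `0 != 0` comparison is always false, meaning the instruction executes even when MXU is disabled. Use the bit as a mask, `tcg_gen_andi_tl(t0, t0, 1 << MXU_CR_MXU_EN);` followed by `tcg_gen_brcondi_tl(TCG_COND_EQ, t0, 0, l0);`; the same three lines appear in gen_mxu_q8mul_q8mulsu (patch 17), gen_mxu_d16mac (patch 16) and gen_mxu_s8ldd (patch 14). Separately, the displacement is a 10-bit field that the code sign-extends by hand after scaling (`if (s12 & 0x200)` plus an or-immediate); `s12 = sextract32(ctx->opcode, 10, 10) * 4;` with `tcg_gen_addi_tl(t1, t0, s12);` (s12 declared `int32_t`; multiplying rather than shifting avoids left-shifting a negative value) does the same with no manual bit fiddling, and the header comment should say the encoded field is 10 bits scaled by 4. The function is complete within the hunk.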
@@ -24510,14 +24556,8 @@ static void decode_opc_mxu__pool04(CPUMIPSState *env, 
DisasContext *ctx)
 
 switch (opcode) {
 case OPC_MXU_S32LDD:
-/* TODO: Implement emulation of S32LDD instruction. */
-MIPS_INVAL("OPC_MXU_S32LDD");
-generate_exception_end(ctx, EXCP_RI);
-break;
 case OPC_MXU_S32LDDR:
-/* TODO: Implement emulation of S32LDDR instruction. */
-MIPS_INVAL("OPC_MXU_S32LDDR");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_s32ldd_s32lddr(ctx);
 break;
 default:
 MIPS_INVAL("decode_opc_mxu");
-- 
2.7.4




[Qemu-devel] [PATCH v6 06/18] target/mips: Add bit encoding for MXU accumulate add/sub 1-bit pattern 'aptn1'

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Add bit encoding for MXU accumulate add/subtract 1-bit pattern
'aptn1'.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index ed72b32..f274ac1 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23844,6 +23844,12 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+
+/* MXU accumulate add/subtract 1-bit pattern 'aptn1' */
+#define MXU_APTN1_A0
+#define MXU_APTN1_S1
+
+
 /*
  *
  * Decode MXU pool00
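Review bot: `MXU_APTN1_A`/`MXU_APTN1_S` are `#define`s inserted between function bodies after decode_opc_special, far from the MXU opcode tree at the top of translate.c that patch 03 edits; an `enum { MXU_APTN1_A, MXU_APTN1_S }` placed beside that tree would keep all MXU field encodings together and make the names debugger-visible. The same applies to `MXU_APTN2_*`, `MXU_EPTN2_*` and `MXU_OPTN3_*` added by patches 07, 08 and 10. Since nothing in the series as shown here reads these two constants, a comment naming the instruction the field belongs to would help, e.g. `/* aptn1: 1-bit add/subtract selector of S16MAD */`.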
-- 
2.7.4




[Qemu-devel] [PATCH v6 17/18] target/mips: Add emulation of MXU instructions Q8MUL and Q8MULSU

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Adds support for emulating the Q8MUL and Q8MULSU MXU instructions.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 101 
 1 file changed, 94 insertions(+), 7 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 4c66eae..d53e386 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24188,6 +24188,99 @@ static void gen_mxu_d16mac(DisasContext *ctx)
 tcg_temp_free(t3);
 }
 
+/*
+ * Q8MUL   XRa, XRb, XRc, XRd - Parallel unsigned 8 bit pattern multiply
+ * Q8MULSU XRa, XRb, XRc, XRd - Parallel signed 8 bit pattern multiply
+ */
+static void gen_mxu_q8mul_q8mulsu(DisasContext *ctx)
+{
+TCGv t0, t1, t2, t3, t4, t5, t6, t7;
+TCGLabel *l0;
+uint32_t XRa, XRb, XRc, XRd, sel;
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+t2 = tcg_temp_new();
+t3 = tcg_temp_new();
+t4 = tcg_temp_new();
+t5 = tcg_temp_new();
+t6 = tcg_temp_new();
+t7 = tcg_temp_new();
+
+l0 = gen_new_label();
+
+XRa = extract32(ctx->opcode, 6, 4);
+XRb = extract32(ctx->opcode, 10, 4);
+XRc = extract32(ctx->opcode, 14, 4);
+XRd = extract32(ctx->opcode, 18, 4);
+sel = extract32(ctx->opcode, 22, 2);
+
+gen_load_mxu_cr(t0);
+tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);
+
+gen_load_mxu_gpr(t3, XRb);
+gen_load_mxu_gpr(t7, XRc);
+
+if (sel == 0x2) {
+/* Q8MULSU */
+tcg_gen_ext8s_tl(t0, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8s_tl(t1, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8s_tl(t2, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8s_tl(t3, t3);
+} else {
+/* Q8MUL */
+tcg_gen_ext8u_tl(t0, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8u_tl(t1, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8u_tl(t2, t3);
+tcg_gen_shri_tl(t3, t3, 8);
+tcg_gen_ext8u_tl(t3, t3);
+}
+
+tcg_gen_ext8u_tl(t4, t7);
+tcg_gen_shri_tl(t7, t7, 8);
+tcg_gen_ext8u_tl(t5, t7);
+tcg_gen_shri_tl(t7, t7, 8);
+tcg_gen_ext8u_tl(t6, t7);
+tcg_gen_shri_tl(t7, t7, 8);
+tcg_gen_ext8u_tl(t7, t7);
+
+tcg_gen_mul_tl(t0, t0, t4);
+tcg_gen_mul_tl(t1, t1, t5);
+tcg_gen_mul_tl(t2, t2, t6);
+tcg_gen_mul_tl(t3, t3, t7);
+
+tcg_gen_andi_tl(t0, t0, 0x);
+tcg_gen_andi_tl(t1, t1, 0x);
+tcg_gen_andi_tl(t2, t2, 0x);
+tcg_gen_andi_tl(t3, t3, 0x);
+
+tcg_gen_shli_tl(t1, t1, 16);
+tcg_gen_shli_tl(t3, t3, 16);
+
+tcg_gen_or_tl(t0, t0, t1);
+tcg_gen_or_tl(t1, t2, t3);
+
+gen_store_mxu_gpr(t0, XRd);
+gen_store_mxu_gpr(t1, XRa);
+
+gen_set_label(l0);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+tcg_temp_free(t2);
+tcg_temp_free(t3);
+tcg_temp_free(t4);
+tcg_temp_free(t5);
+tcg_temp_free(t6);
+tcg_temp_free(t7);
+}
+
 
 /*
  * Decoding engine for MXU
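Review bot: The byte lanes of XRb and XRc are peeled off with seven-instruction shift-and-extend chains that mutate t3 and t7 in place, which is hard to read and differs from gen_mxu_d16mac in the same series, which pulls lanes with `tcg_gen_sextract_tl`; `tcg_gen_extract_tl`/`tcg_gen_sextract_tl` with explicit offsets express the same thing directly (rewrite below). The header comment calls Q8MULSU a "signed 8 bit pattern multiply", but the code sign-extends only the XRb lanes and always zero-extends XRc, so "signed-by-unsigned" is the accurate description. Only `sel == 0x2` selects Q8MULSU and every other value falls into the Q8MUL branch; if some of those encodings are reserved, this branch or the pool18 caller should say so. The function is complete within the hunk.
```c
    gen_load_mxu_gpr(t3, XRb);
    gen_load_mxu_gpr(t7, XRc);

    if (sel == 0x2) {
        /* Q8MULSU: XRb lanes are signed */
        tcg_gen_sextract_tl(t0, t3, 0, 8);
        tcg_gen_sextract_tl(t1, t3, 8, 8);
        tcg_gen_sextract_tl(t2, t3, 16, 8);
        tcg_gen_sextract_tl(t3, t3, 24, 8);
    } else {
        /* Q8MUL: XRb lanes are unsigned */
        tcg_gen_extract_tl(t0, t3, 0, 8);
        tcg_gen_extract_tl(t1, t3, 8, 8);
        tcg_gen_extract_tl(t2, t3, 16, 8);
        tcg_gen_extract_tl(t3, t3, 24, 8);
    }

    /* XRc lanes are unsigned for both instructions */
    tcg_gen_extract_tl(t4, t7, 0, 8);
    tcg_gen_extract_tl(t5, t7, 8, 8);
    tcg_gen_extract_tl(t6, t7, 16, 8);
    tcg_gen_extract_tl(t7, t7, 24, 8);

    /* … unchanged: multiply, mask, pack, store, label, temp frees … */
```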
@@ -24979,14 +25072,8 @@ static void decode_opc_mxu__pool18(CPUMIPSState *env, 
DisasContext *ctx)
 
 switch (opcode) {
 case OPC_MXU_Q8MUL:
-/* TODO: Implement emulation of Q8MUL instruction. */
-MIPS_INVAL("OPC_MXU_Q8MUL");
-generate_exception_end(ctx, EXCP_RI);
-break;
 case OPC_MXU_Q8MULSU:
-/* TODO: Implement emulation of Q8MULSU instruction. */
-MIPS_INVAL("OPC_MXU_Q8MULSU");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_q8mul_q8mulsu(ctx);
 break;
 default:
 MIPS_INVAL("decode_opc_mxu");
-- 
2.7.4




[Qemu-devel] [PATCH v6 05/18] target/mips: Add MXU decoding engine

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Add MXU decoding engine: add handlers for all instruction pools,
and main decode handler. The handlers, for now, for the purpose
of this patch, contain only a skeleton in the form of a single
switch statement.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 1143 ++-
 1 file changed, 1141 insertions(+), 2 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 128cabe..ed72b32 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23844,12 +23844,1151 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+/*
+ *
+ * Decode MXU pool00
+ *
+ *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ *  +---+-+-+---+---+---+---+
+ *  |  SPECIAL2 |0 0 0 0 0|x x x|  XRc  |  XRb  |  XRa  |MXU__POOL00|
+ *  +---+-+-+---+---+---+---+
+ *
+ */
+static void decode_opc_mxu__pool00(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opcode = extract32(ctx->opcode, 18, 3);
+
+switch (opcode) {
+case OPC_MXU_S32MAX:
+/* TODO: Implement emulation of S32MAX instruction. */
+MIPS_INVAL("OPC_MXU_S32MAX");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_S32MIN:
+/* TODO: Implement emulation of S32MIN instruction. */
+MIPS_INVAL("OPC_MXU_S32MIN");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_D16MAX:
+/* TODO: Implement emulation of D16MAX instruction. */
+MIPS_INVAL("OPC_MXU_D16MAX");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_D16MIN:
+/* TODO: Implement emulation of D16MIN instruction. */
+MIPS_INVAL("OPC_MXU_D16MIN");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8MAX:
+/* TODO: Implement emulation of Q8MAX instruction. */
+MIPS_INVAL("OPC_MXU_Q8MAX");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8MIN:
+/* TODO: Implement emulation of Q8MIN instruction. */
+MIPS_INVAL("OPC_MXU_Q8MIN");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8SLT:
+/* TODO: Implement emulation of Q8SLT instruction. */
+MIPS_INVAL("OPC_MXU_Q8SLT");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8SLTU:
+/* TODO: Implement emulation of Q8SLTU instruction. */
+MIPS_INVAL("OPC_MXU_Q8SLTU");
+generate_exception_end(ctx, EXCP_RI);
+break;
+default:
+MIPS_INVAL("decode_opc_mxu");
+generate_exception_end(ctx, EXCP_RI);
+break;
+}
+}
+
+/*
+ *
+ * Decode MXU pool01
+ *
+ *  S32SLT, D16SLT, D16AVG, D16AVGR, Q8AVG, Q8AVGR:
+ *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ *  +---+-+-+---+---+---+---+
+ *  |  SPECIAL2 |0 0 0 0 0|x x x|  XRc  |  XRb  |  XRa  |MXU__POOL01|
+ *  +---+-+-+---+---+---+---+
+ *
+ *  Q8MADD:
+ *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ *  +---+---+-+-+---+---+---+---+
+ *  |  SPECIAL2 |en2|0 0 0|x x x|  XRc  |  XRb  |  XRa  |MXU__POOL01|
+ *  +---+---+-+-+---+---+---+---+
+ *
+ */
+static void decode_opc_mxu__pool01(CPUMIPSState *env, DisasContext *ctx)
+{
+uint32_t opcode = extract32(ctx->opcode, 18, 3);
+
+switch (opcode) {
+case OPC_MXU_S32SLT:
+/* TODO: Implement emulation of S32SLT instruction. */
+MIPS_INVAL("OPC_MXU_S32SLT");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_D16SLT:
+/* TODO: Implement emulation of D16SLT instruction. */
+MIPS_INVAL("OPC_MXU_D16SLT");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_D16AVG:
+/* TODO: Implement emulation of D16AVG instruction. */
+MIPS_INVAL("OPC_MXU_D16AVG");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_D16AVGR:
+/* TODO: Implement emulation of D16AVGR instruction. */
+MIPS_INVAL("OPC_MXU_D16AVGR");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8AVG:
+/* TODO: Implement emulation of Q8AVG instruction. */
+MIPS_INVAL("OPC_MXU_Q8AVG");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8AVGR:
+/* TODO: Implement emulation of Q8AVGR instruction. */
+MIPS_INVAL("OPC_MXU_Q8AVGR");
+generate_exception_end(ctx, EXCP_RI);
+break;
+case OPC_MXU_Q8ADD:
+/* TODO: Implement emulation of Q8ADD instruction. */
+MIPS_INVAL("OPC_MXU_Q8ADD");
+generate_exception_end(ctx, EXCP_RI);
+break;
+

[Qemu-devel] [PATCH v6 16/18] target/mips: Add emulation of MXU instruction D16MAC

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add support for emulating the D16MAC MXU instruction.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 90 +++--
 1 file changed, 87 insertions(+), 3 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index fec5163..4c66eae 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -24102,6 +24102,92 @@ static void gen_mxu_d16mul(DisasContext *ctx)
 tcg_temp_free(t3);
 }
 
+/*
+ * D16MAC XRa, XRb, XRc, XRd, aptn2, optn2 - Signed 16 bit pattern multiply
+ *   and accumulate
+ */
+static void gen_mxu_d16mac(DisasContext *ctx)
+{
+TCGv t0, t1, t2, t3;
+TCGLabel *l0;
+uint32_t XRa, XRb, XRc, XRd, optn2, aptn2;
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+t2 = tcg_temp_new();
+t3 = tcg_temp_new();
+
+l0 = gen_new_label();
+
+XRa = extract32(ctx->opcode, 6, 4);
+XRb = extract32(ctx->opcode, 10, 4);
+XRc = extract32(ctx->opcode, 14, 4);
+XRd = extract32(ctx->opcode, 18, 4);
+optn2 = extract32(ctx->opcode, 22, 2);
+aptn2 = extract32(ctx->opcode, 24, 2);
+
+gen_load_mxu_cr(t0);
+tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);
+
+gen_load_mxu_gpr(t1, XRb);
+tcg_gen_sextract_tl(t0, t1, 0, 16);
+tcg_gen_sextract_tl(t1, t1, 16, 16);
+
+gen_load_mxu_gpr(t3, XRc);
+tcg_gen_sextract_tl(t2, t3, 0, 16);
+tcg_gen_sextract_tl(t3, t3, 16, 16);
+
+switch (optn2) {
+case MXU_OPTN2_WW: /* XRB.H*XRC.H == lop, XRB.L*XRC.L == rop */
+tcg_gen_mul_tl(t3, t1, t3);
+tcg_gen_mul_tl(t2, t0, t2);
+break;
+case MXU_OPTN2_LW: /* XRB.L*XRC.H == lop, XRB.L*XRC.L == rop */
+tcg_gen_mul_tl(t3, t0, t3);
+tcg_gen_mul_tl(t2, t0, t2);
+break;
+case MXU_OPTN2_HW: /* XRB.H*XRC.H == lop, XRB.H*XRC.L == rop */
+tcg_gen_mul_tl(t3, t1, t3);
+tcg_gen_mul_tl(t2, t1, t2);
+break;
+case MXU_OPTN2_XW: /* XRB.L*XRC.H == lop, XRB.H*XRC.L == rop */
+tcg_gen_mul_tl(t3, t0, t3);
+tcg_gen_mul_tl(t2, t1, t2);
+break;
+}
+gen_load_mxu_gpr(t0, XRa);
+gen_load_mxu_gpr(t1, XRd);
+
+switch (aptn2) {
+case MXU_APTN2_AA:
+tcg_gen_add_tl(t3, t0, t3);
+tcg_gen_add_tl(t2, t1, t2);
+break;
+case MXU_APTN2_AS:
+tcg_gen_add_tl(t3, t0, t3);
+tcg_gen_sub_tl(t2, t1, t2);
+break;
+case MXU_APTN2_SA:
+tcg_gen_sub_tl(t3, t0, t3);
+tcg_gen_add_tl(t2, t1, t2);
+break;
+case MXU_APTN2_SS:
+tcg_gen_sub_tl(t3, t0, t3);
+tcg_gen_sub_tl(t2, t1, t2);
+break;
+}
+gen_store_mxu_gpr(t3, XRa);
+gen_store_mxu_gpr(t2, XRd);
+
+gen_set_label(l0);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+tcg_temp_free(t2);
+tcg_temp_free(t3);
+}
+
 
 /*
  * Decoding engine for MXU
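Review bot: The header comment for gen_mxu_d16mac does not say where the two products go; from the code, the optn2-selected product left in t3 is accumulated with XRa and stored back to XRa, and the one in t2 with XRd back to XRd, so `/* XRa = XRa +/- lop, XRd = XRd +/- rop, each sign chosen by aptn2 */` in the header would save readers working it out from the tail of the function. The optn2 product-selection switch looks like the one gen_mxu_d16mul (which the hunk header shows ending just above) presumably contains; if it is the same, a small static helper taking the four half-word temporaries and optn2 would remove the duplicate. Both switches cover all four values of a 2-bit field, so the missing `default:` is harmless, but `default: g_assert_not_reached();` documents that exhaustiveness. The function is complete within the hunk.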
@@ -25067,9 +25153,7 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 decode_opc_mxu__pool03(env, ctx);
 break;
 case OPC_MXU_D16MAC:
-/* TODO: Implement emulation of D16MAC instruction. */
-MIPS_INVAL("OPC_MXU_D16MAC");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_d16mac(ctx);
 break;
 case OPC_MXU_D16MACF:
 /* TODO: Implement emulation of D16MACF instruction. */
-- 
2.7.4




[Qemu-devel] [PATCH v6 14/18] target/mips: Add emulation of MXU instruction S8LDD

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add support for emulating the S8LDD MXU instruction.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 90 +++--
 1 file changed, 87 insertions(+), 3 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 111affb..a9915c4 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23954,6 +23954,92 @@ static void gen_mxu_s32m2i(DisasContext *ctx)
 tcg_temp_free(t0);
 }
 
+/*
+ * S8LDD XRa, Rb, s8, optn3 - Load a byte from memory to XRF
+ */
+static void gen_mxu_s8ldd(DisasContext *ctx)
+{
+TCGv t0, t1;
+TCGLabel *l0;
+uint32_t XRa, Rb, s8, optn3;
+
+t0 = tcg_temp_new();
+t1 = tcg_temp_new();
+
+l0 = gen_new_label();
+
+XRa = extract32(ctx->opcode, 6, 4);
+s8 = extract32(ctx->opcode, 10, 8);
+optn3 = extract32(ctx->opcode, 18, 3);
+Rb = extract32(ctx->opcode, 21, 5);
+
+gen_load_mxu_cr(t0);
+tcg_gen_andi_tl(t0, t0, MXU_CR_MXU_EN);
+tcg_gen_brcondi_tl(TCG_COND_NE, t0, MXU_CR_MXU_EN, l0);
+
+gen_load_gpr(t0, Rb);
+tcg_gen_addi_tl(t0, t0, (int8_t)s8);
+
+switch (optn3) {
+/* XRa[7:0] = tmp8 */
+case MXU_OPTN3_PTN0:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+gen_load_mxu_gpr(t0, XRa);
+tcg_gen_deposit_tl(t0, t0, t1, 0, 8);
+break;
+/* XRa[15:8] = tmp8 */
+case MXU_OPTN3_PTN1:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+gen_load_mxu_gpr(t0, XRa);
+tcg_gen_deposit_tl(t0, t0, t1, 8, 8);
+break;
+/* XRa[23:16] = tmp8 */
+case MXU_OPTN3_PTN2:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+gen_load_mxu_gpr(t0, XRa);
+tcg_gen_deposit_tl(t0, t0, t1, 16, 8);
+break;
+/* XRa[31:24] = tmp8 */
+case MXU_OPTN3_PTN3:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+gen_load_mxu_gpr(t0, XRa);
+tcg_gen_deposit_tl(t0, t0, t1, 24, 8);
+break;
+/* XRa = {8'b0, tmp8, 8'b0, tmp8} */
+case MXU_OPTN3_PTN4:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+tcg_gen_deposit_tl(t0, t1, t1, 16, 16);
+break;
+/* XRa = {tmp8, 8'b0, tmp8, 8'b0} */
+case MXU_OPTN3_PTN5:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+tcg_gen_shli_tl(t1, t1, 8);
+tcg_gen_deposit_tl(t0, t1, t1, 16, 16);
+break;
+/* XRa = {{8{sign of tmp8}}, tmp8, {8{sign of tmp8}}, tmp8} */
+case MXU_OPTN3_PTN6:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_SB);
+tcg_gen_mov_tl(t0, t1);
+tcg_gen_andi_tl(t0, t0, 0xFF00);
+tcg_gen_shli_tl(t1, t1, 16);
+tcg_gen_or_tl(t0, t0, t1);
+break;
+/* XRa = {tmp8, tmp8, tmp8, tmp8} */
+case MXU_OPTN3_PTN7:
+tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);
+tcg_gen_deposit_tl(t1, t1, t1, 8, 8);
+tcg_gen_deposit_tl(t0, t1, t1, 16, 16);
+break;
+}
+
+gen_store_mxu_gpr(t0, XRa);
+
+gen_set_label(l0);
+
+tcg_temp_free(t0);
+tcg_temp_free(t1);
+}
+
 
 /*
  * Decoding engine for MXU
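Review bot: The byte load `tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_UB);` is repeated as the first statement of all eight optn3 cases (with MO_SB in PTN6); hoisting one MO_UB load above the switch and using `tcg_gen_ext8s_tl(t1, t1);` in PTN6 removes the duplication and leaves only the pattern handling varying per case. In PTN6, `tcg_gen_mov_tl(t0, t1); tcg_gen_andi_tl(t0, t0, …)` can be a single `tcg_gen_andi_tl(t0, t1, …)`. The header comment should also say what optn3 selects, e.g. `/* optn3 0-3: replace byte lane optn3 of XRa; 4-7: broadcast patterns, see the case comments */`. The function is complete within the hunk.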
@@ -24994,9 +25080,7 @@ static void decode_opc_mxu(CPUMIPSState *env, 
DisasContext *ctx)
 generate_exception_end(ctx, EXCP_RI);
 break;
 case OPC_MXU_S8LDD:
-/* TODO: Implement emulation of S8LDD instruction. */
-MIPS_INVAL("OPC_MXU_S8LDD");
-generate_exception_end(ctx, EXCP_RI);
+gen_mxu_s8ldd(ctx);
 break;
 case OPC_MXU_S8STD:
 /* TODO: Implement emulation of S8STD instruction. */
-- 
2.7.4




[Qemu-devel] [PATCH v6 03/18] target/mips: Amend MXU instruction opcodes

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Amend MXU instruction opcodes. Pool04 is actually only instruction
OPC_MXU_S16MAD. Two cases within S16MAD are recognized by 1-bit
subfield 'aptn1'.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 142 +---
 1 file changed, 63 insertions(+), 79 deletions(-)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index c1f692c..fefe9ac 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -1486,7 +1486,7 @@ enum {
  *  S32OR XRa, XRb, XRc   D32SARW XRa, XRb, XRc, Rb
  *Q16SLL XRa, XRb, XRc, XRd, sft4
  *Q16SLR XRa, XRb, XRc, XRd, sft4
- * Miscelaneous instructions  Q16SAR XRa, XRb, XRc, XRd, sft4
+ * Miscellaneous instructions Q16SAR XRa, XRb, XRc, XRd, sft4
  * -  Q16SLLV XRa, XRb, Rb
  *Q16SLRV XRa, XRb, Rb
  *  S32SFL XRa, XRb, XRc, XRd, optn2  Q16SARV XRa, XRb, Rb
@@ -1504,7 +1504,7 @@ enum {
  *
  *  ┌─ 00 ─ OPC_MXU_S32MADD
  *  ├─ 01 ─ OPC_MXU_S32MADDU
- *  ├─ 10 ─ 
+ *  ├─ 10 ─  (non-MXU OPC_MULL)
  *  │   20..18
  *  ├─ 11 ─ OPC_MXU__POOL00 ─┬─ 000 ─ OPC_MXU_S32MAX
  *  │├─ 001 ─ OPC_MXU_S32MIN
@@ -1536,55 +1536,53 @@ enum {
  *  ├─ 001010 ─ OPC_MXU_D16MAC
  *  ├─ 001011 ─ OPC_MXU_D16MACF
  *  ├─ 001100 ─ OPC_MXU_D16MADL
- *  │   25..24
- *  ├─ 001101 ─ OPC_MXU__POOL04 ─┬─ 00 ─ OPC_MXU_S16MAD
- *  │└─ 01 ─ OPC_MXU_S16MAD_1
+ *  ├─ 001101 ─ OPC_MXU_S16MAD
  *  ├─ 001110 ─ OPC_MXU_Q16ADD
  *  ├─ 00 ─ OPC_MXU_D16MACE
  *  │   23
- *  ├─ 01 ─ OPC_MXU__POOL05 ─┬─ 0 ─ OPC_MXU_S32LDD
+ *  ├─ 01 ─ OPC_MXU__POOL04 ─┬─ 0 ─ OPC_MXU_S32LDD
  *  │└─ 1 ─ OPC_MXU_S32LDDR
  *  │
  *  │   23
- *  ├─ 010001 ─ OPC_MXU__POOL06 ─┬─ 0 ─ OPC_MXU_S32STD
+ *  ├─ 010001 ─ OPC_MXU__POOL05 ─┬─ 0 ─ OPC_MXU_S32STD
  *  │└─ 1 ─ OPC_MXU_S32STDR
  *  │
  *  │   13..10
- *  ├─ 010010 ─ OPC_MXU__POOL07 ─┬─  ─ OPC_MXU_S32LDDV
+ *  ├─ 010010 ─ OPC_MXU__POOL06 ─┬─  ─ OPC_MXU_S32LDDV
  *  │└─ 0001 ─ OPC_MXU_S32LDDVR
  *  │
  *  │   13..10
- *  ├─ 010011 ─ OPC_MXU__POOL08 ─┬─  ─ OPC_MXU_S32STDV
+ *  ├─ 010011 ─ OPC_MXU__POOL07 ─┬─  ─ OPC_MXU_S32STDV
  *  │└─ 0001 ─ OPC_MXU_S32STDVR
  *  │
  *  │   23
- *  ├─ 010100 ─ OPC_MXU__POOL09 ─┬─ 0 ─ OPC_MXU_S32LDI
+ *  ├─ 010100 ─ OPC_MXU__POOL08 ─┬─ 0 ─ OPC_MXU_S32LDI
  *  │└─ 1 ─ OPC_MXU_S32LDIR
  *  │
  *  │   23
- *  ├─ 010101 ─ OPC_MXU__POOL10 ─┬─ 0 ─ OPC_MXU_S32SDI
+ *  ├─ 010101 ─ OPC_MXU__POOL09 ─┬─ 0 ─ OPC_MXU_S32SDI
  *  │└─ 1 ─ OPC_MXU_S32SDIR
  *  │
  *  │   13..10
- *  ├─ 010110 ─ OPC_MXU__POOL11 ─┬─  ─ OPC_MXU_S32LDIV
+ *  ├─ 010110 ─ OPC_MXU__POOL10 ─┬─  ─ OPC_MXU_S32LDIV
  *  │└─ 0001 ─ OPC_MXU_S32LDIVR
  *  │
  *  │   13..10
- *  ├─ 010111 ─ OPC_MXU__POOL12 ─┬─  ─ OPC_MXU_S32SDIV
+ *  ├─ 010111 ─ OPC_MXU__POOL11 ─┬─  ─ OPC_MXU_S32SDIV
  *  │└─ 0001 ─ OPC_MXU_S32SDIVR
  *  ├─ 011000 ─ OPC_MXU_D32ADD
  *  │   23..22
- *   MXU├─ 011001 ─ OPC_MXU__POOL13 ─┬─ 00 ─ OPC_MXU_D32ACC
+ *   MXU├─ 011001 ─ OPC_MXU__POOL12 ─┬─ 00 ─ OPC_MXU_D32ACC
  * opcodes ─┤├─ 01 ─ OPC_MXU_D32ACCM
  *  │└─ 10 ─ OPC_MXU_D32ASUM
  *  ├─ 011010 ─ 
  *  │   23..22
- *  ├─ 011011 ─ OPC_MXU__POOL14 ─┬─ 00 ─ OPC_MXU_Q16ACC
+ *  ├─ 011011 ─ OPC_MXU__POOL13 ─┬─ 00 ─ OPC_MXU_Q16ACC
  *  │├─ 01 ─ OPC_MXU_Q16ACCM
  *  │└─ 10 ─ OPC_MXU_Q16ASUM
  *  │
  *  │   23..22
- *  ├─ 011100 ─ OPC_MXU__POOL15 ─┬─ 00 ─ OPC_MXU_Q8ADDE
+ *  ├─ 011100 ─ OPC_MXU__POOL14 ─┬─ 00 ─ OPC_MXU_Q8ADDE
  *  │├─ 01 ─ OPC_MXU_D8SUM
  *  ├─ 011101 ─ OPC_MXU_Q8ACCE   └─ 10 ─ 

Re: [Qemu-devel] [PULL 0/2] slirp updates

2018-10-23 Thread Peter Maydell
On 21 October 2018 at 20:30, Samuel Thibault
 wrote:
> The following changes since commit b312532fd03413d0e6ae6767ec793a3e30f487b8:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2018-10-19 19:01:07 +0100)
>
> are available in the Git repository at:
>
>   https://people.debian.org/~sthibault/qemu.git tags/samuel-thibault
>
> for you to fetch changes up to 0fca92b9077af9817c04545cdfc519fe95c6fde9:
>
>   slirp: Implement RFC2132 TFTP server name (2018-10-21 21:24:55 +0200)
>
> 
> Fam Zheng (2):
>   slirp: Add sanity check for str option length
>   slirp: Implement RFC2132 TFTP server name
>
> 
> Fam Zheng (2):
>   slirp: Add sanity check for str option length
>   slirp: Implement RFC2132 TFTP server name
>


Applied, thanks.

-- PMM



[Qemu-devel] [PATCH v6 08/18] target/mips: Add bit encoding for MXU execute add/sub pattern 'eptn2'

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Add bit encoding for MXU execute 2-bit add/subtract pattern 'eptn2'.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index 97fb2e0..665a584 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23855,6 +23855,12 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 #define MXU_APTN2_SA2
 #define MXU_APTN2_SS3
 
+/* MXU execute add/subtract 2-bit pattern 'eptn2' */
+#define MXU_EPTN2_AA0
+#define MXU_EPTN2_AS1
+#define MXU_EPTN2_SA2
+#define MXU_EPTN2_SS3
+
 
 /*
  *
-- 
2.7.4




[Qemu-devel] [PATCH v6 02/18] target/mips: Define a bit for MXU in insn_flags

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Define a bit for MXU in insn_flags. This is the first non-MIPS
(third party) ASE supported in QEMU for MIPS, so it is placed in
the section "bits 56-63: vendor-specific ASEs".

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/mips-defs.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/mips/mips-defs.h b/target/mips/mips-defs.h
index 5177618..dbdb4b2 100644
--- a/target/mips/mips-defs.h
+++ b/target/mips/mips-defs.h
@@ -69,6 +69,7 @@
  *   bits 56-63: vendor-specific ASEs
  */
 #define ASE_MMI   0x0100ULL
+#define ASE_MXU   0x0200ULL
 
 /* MIPS CPU defines. */
 #defineCPU_MIPS1   (ISA_MIPS1)
-- 
2.7.4




[Qemu-devel] [PATCH v6 10/18] target/mips: Add bit encoding for MXU operand getting pattern 'optn3'

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add bit encoding for MXU operand getting pattern 'optn3'.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index f3e87ce..5bcf6a4 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23867,6 +23867,16 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 #define MXU_OPTN2_HW2
 #define MXU_OPTN2_XW3
 
+/* MXU operand getting pattern 'optn3' */
+#define MXU_OPTN3_PTN0  0
+#define MXU_OPTN3_PTN1  1
+#define MXU_OPTN3_PTN2  2
+#define MXU_OPTN3_PTN3  3
+#define MXU_OPTN3_PTN4  4
+#define MXU_OPTN3_PTN5  5
+#define MXU_OPTN3_PTN6  6
+#define MXU_OPTN3_PTN7  7
+
 
 /*
  *
-- 
2.7.4




[Qemu-devel] [PATCH v6 07/18] target/mips: Add bit encoding for MXU accumulate add/sub 2-bit pattern 'aptn2'

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Add bit encoding for MXU accumulate add/subtract 2-bit pattern
'aptn2'.

Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index f274ac1..97fb2e0 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23849,6 +23849,12 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 #define MXU_APTN1_A0
 #define MXU_APTN1_S1
 
+/* MXU accumulate add/subtract 2-bit pattern 'aptn2' */
+#define MXU_APTN2_AA0
+#define MXU_APTN2_AS1
+#define MXU_APTN2_SA2
+#define MXU_APTN2_SS3
+
 
 /*
  *
-- 
2.7.4




[Qemu-devel] [PATCH v6 04/18] target/mips: Add and integrate MXU decoding engine placeholder

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

Provide the placeholder and add the invocation logic for MXU
decoding engine.

Signed-off-by: Aleksandar Markovic 
---
 target/mips/translate.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/target/mips/translate.c b/target/mips/translate.c
index fefe9ac..128cabe 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -23844,6 +23844,12 @@ static void decode_opc_special(CPUMIPSState *env, 
DisasContext *ctx)
 }
 }
 
+static void decode_opc_mxu(CPUMIPSState *env, DisasContext *ctx)
+{
+MIPS_INVAL("decode_opc_mxu");
+generate_exception_end(ctx, EXCP_RI);
+}
+
 static void decode_opc_special2_legacy(CPUMIPSState *env, DisasContext *ctx)
 {
 int rs, rt, rd;
@@ -26087,6 +26093,8 @@ static void decode_opc(CPUMIPSState *env, DisasContext 
*ctx)
 case OPC_SPECIAL2:
 if ((ctx->insn_flags & INSN_R5900) && (ctx->insn_flags & ASE_MMI)) {
 decode_tx79_mmi(env, ctx);
+} else if (ctx->insn_flags & ASE_MXU) {
+decode_opc_mxu(env, ctx);
 } else {
 decode_opc_special2_legacy(env, ctx);
 }
-- 
2.7.4




[Qemu-devel] [PATCH v6 01/18] target/mips: Introduce MXU registers

2018-10-23 Thread Aleksandar Markovic
From: Craig Janeczek 

Define and initialize the 16 MXU registers (15 general computational
registers and 1 control register). There is also a zero register, but
it does not have any corresponding variable.

Reviewed-by: Richard Henderson 
Signed-off-by: Craig Janeczek 
Signed-off-by: Aleksandar Markovic 
---
 target/mips/cpu.h   | 10 ++
 target/mips/translate.c | 20 
 2 files changed, 30 insertions(+)

diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index e48be4b..03c03fd 100644
--- a/target/mips/cpu.h
+++ b/target/mips/cpu.h
@@ -170,6 +170,16 @@ struct TCState {
 MSACSR_FS_MASK)
 
 float_status msa_fp_status;
+
+#define NUMBER_OF_MXU_REGISTERS 16
+target_ulong mxu_gpr[NUMBER_OF_MXU_REGISTERS - 1];
+target_ulong mxu_cr;
+#define MXU_CR_LC   31
+#define MXU_CR_RC   30
+#define MXU_CR_BIAS 2
+#define MXU_CR_RD_EN1
+#define MXU_CR_MXU_EN   0
+
 };
 
 typedef struct CPUMIPSState CPUMIPSState;
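Review bot: The new `mxu_gpr[]` and `mxu_cr` fields in TCState are architectural state, but the diffstat touches only cpu.h and translate.c, so nothing adds them to the CPU's VMStateDescription; unless another patch in the series does, MXU register contents are silently dropped on migration or savevm, and a vmstate subsection (or version bump) should accompany this change. The `MXU_CR_*` macros are bit positions rather than masks (`MXU_CR_MXU_EN` is 0), which is worth stating since translate.c later uses them with `tcg_gen_andi_tl`, e.g. `/* bit numbers within mxu_cr; use 1 << MXU_CR_x as a mask */`. Defining `NUMBER_OF_MXU_REGISTERS` inside the struct body works but is unusual; moving the `#define`s above `struct TCState` reads better.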
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 92df8da..c1f692c 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -2379,6 +2379,10 @@ static TCGv_i32 fpu_fcr0, fpu_fcr31;
 static TCGv_i64 fpu_f64[32];
 static TCGv_i64 msa_wr_d[64];
 
+/* MXU registers */
+static TCGv mxu_gpr[NUMBER_OF_MXU_REGISTERS - 1];
+static TCGv mxu_CR;
+
 #include "exec/gen-icount.h"
 
 #define gen_helper_0e0i(name, arg) do {   \
@@ -2501,6 +2505,11 @@ static const char * const msaregnames[] = {
 "w30.d0", "w30.d1", "w31.d0", "w31.d1",
 };
 
+static const char * const mxuregnames[] = {
+"XR1",  "XR2",  "XR3",  "XR4",  "XR5",  "XR6",  "XR7",  "XR8",
+"XR9",  "XR10", "XR11", "XR12", "XR13", "XR14", "XR15", "MXU_CR",
+};
+
 #define LOG_DISAS(...)\
 do {  \
 if (MIPS_DEBUG_DISAS) {   \
@@ -27091,6 +27100,17 @@ void mips_tcg_init(void)
 fpu_fcr31 = tcg_global_mem_new_i32(cpu_env,
offsetof(CPUMIPSState, 
active_fpu.fcr31),
"fcr31");
+
+for (i = 0; i < NUMBER_OF_MXU_REGISTERS - 1; i++) {
+mxu_gpr[i] = tcg_global_mem_new(cpu_env,
+offsetof(CPUMIPSState,
+ active_tc.mxu_gpr[i]),
+mxuregnames[i]);
+}
+
+mxu_CR = tcg_global_mem_new(cpu_env,
+offsetof(CPUMIPSState, active_tc.mxu_cr),
+mxuregnames[NUMBER_OF_MXU_REGISTERS - 1]);
 }
 
 #include "translate_init.inc.c"
-- 
2.7.4




[Qemu-devel] [PATCH v6 00/18] target/mips: Add limited support for Ingenic's MXU ASE

2018-10-23 Thread Aleksandar Markovic
From: Aleksandar Markovic 

This patch set begins to add MXU ASE instruction support.

v5->v6:

  - added bit definitions for 'aptn1' and 'eptn2'. 
  - pool04 eliminated, since it is covered by a single instruction.
  - moved MUL, S32M2I, S32I2M handling out of main MXU switch.
  - rebased to the latest code (this series applies on top of
the current MIPS pull request)

v4->v5:

  - added full decoding engine for MXU ASE
  - changes on aptn2, optn2, optn3 are now stand-alone patches
  - all patches on individual instructions are reworked to fit
new decoding engine, and also cosmetically improved
  - rebased to the latest code

Aleksandar Markovic (6):
  target/mips: Amend MXU instruction opcodes
  target/mips: Add and integrate MXU decoding engine placeholder
  target/mips: Add MXU decoding engine
  target/mips: Add bit encoding for MXU accumulate add/sub 1-bit pattern
'aptn1'
  target/mips: Add bit encoding for MXU execute add/sub pattern 'eptn2'
  target/mips: Move MUL, S32M2I, S32I2M handling out of main MXU switch

Craig Janeczek (12):
  target/mips: Introduce MXU registers
  target/mips: Define a bit for MXU in insn_flags
  target/mips: Add bit encoding for MXU accumulate add/sub 2-bit pattern
'aptn2'
  target/mips: Add bit encoding for MXU operand getting pattern 'optn2'
  target/mips: Add bit encoding for MXU operand getting pattern 'optn3'
  target/mips: Add emulation of non-MXU MULL within MXU decoding engine
  target/mips: Add emulation of MXU instructions S32I2M and S32M2I
  target/mips: Add emulation of MXU instruction S8LDD
  target/mips: Add emulation of MXU instruction D16MUL
  target/mips: Add emulation of MXU instruction D16MAC
  target/mips: Add emulation of MXU instructions Q8MUL and Q8MULSU
  target/mips: Add emulation of MXU instructions S32LDD and S32LDDR

 target/mips/cpu.h   |   10 +
 target/mips/mips-defs.h |1 +
 target/mips/translate.c | 2039 ++-
 3 files changed, 1848 insertions(+), 202 deletions(-)

-- 
2.7.4




[Qemu-devel] [PATCH v3 6/7] memory-device: avoid overflows on very huge devices

2018-10-23 Thread David Hildenbrand
Should not be a problem right now, but it could theoretically happen
in the future.

Signed-off-by: David Hildenbrand 
---
 hw/mem/memory-device.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/mem/memory-device.c b/hw/mem/memory-device.c
index 996ad1490f..8be63c8032 100644
--- a/hw/mem/memory-device.c
+++ b/hw/mem/memory-device.c
@@ -85,7 +85,8 @@ static void memory_device_check_addable(MachineState *ms, 
uint64_t size,
 
 /* will we exceed the total amount of memory specified */
 memory_device_used_region_size(OBJECT(ms), _region_size);
-if (used_region_size + size > ms->maxram_size - ms->ram_size) {
+if (used_region_size + size < used_region_size ||
+used_region_size + size > ms->maxram_size - ms->ram_size) {
 error_setg(errp, "not enough space, currently 0x%" PRIx64
" in use of total space for memory devices 0x" RAM_ADDR_FMT,
used_region_size, ms->maxram_size - ms->ram_size);
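Review bot: The comment above the changed condition still describes only the second comparison, so the new wrap-around guard reads as a stray test; I would extend it to `/* will we exceed (or wrap past) the total amount of memory specified */`. The guard itself is sound only if `used_region_size` is unsigned, which the `PRIx64` format on the error line suggests but the hunk does not show. `ms->maxram_size - ms->ram_size` is still assumed not to underflow; presumably that is enforced when the machine is created, but it is not visible here. memory_device_check_addable continues outside the hunk.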
-- 
2.17.1




[Qemu-devel] [PATCH v3 0/7] qapi/range/memory-device: fixes and cleanups

2018-10-23 Thread David Hildenbrand
While working on memory device code, I noticed that specifying an uint64_t
on the command line does not work in all cases, because we always parse an int64_t.
So I fix that and also clean up the old int64_t parser.

To be able to fix some overflows in memory-device code in a clean way,
I am reusing the range implementation of qemu, for which I need some
more helpers.

This series is based on
"[PATCH v5 00/16] memory-device: complete refactoring"
which should get pulled soon.

v2 -> v3:
- "qapi: correctly parse uint64_t values from strings"
-- don't parse range
-- don't rename "parse_str"

v1 -> v2:
- "range: add some more functions"
-- Reduce number of functions
-- make range_init() return an error in case of overflow
-- provide range_init_nofail()
- "memory-device: rewrite address assignment using ranges"
-- Use new functions range_init/range_init_nofail
-- Use range_contains_range instead of starts_before/ends_after


David Hildenbrand (7):
  qapi: use qemu_strtoi64() in parse_str
  qapi: correctly parse uint64_t values from strings
  range: pass const pointer where possible
  range: add some more functions
  memory-device: use QEMU_IS_ALIGNED
  memory-device: avoid overflows on very huge devices
  memory-device: rewrite address assignment using ranges

 hw/mem/memory-device.c  | 60 ++--
 include/qemu/range.h| 68 +++--
 qapi/string-input-visitor.c | 34 ---
 3 files changed, 114 insertions(+), 48 deletions(-)

-- 
2.17.1




Re: [Qemu-devel] [PULL 04/45] numa: Fix QMP command set-numa-node error handling

2018-10-23 Thread David Gibson
On Thu, Oct 18, 2018 at 05:03:41PM -0300, Eduardo Habkost wrote:
> From: Markus Armbruster 
> 
> Calling error_report() in a function that takes an Error ** argument
> is suspicious.  parse_numa_node() does that, and then exit()s.  It
> also passes _fatal to machine_set_cpu_numa_node().  Both wrong.
> Attempting to configure numa when the machine doesn't support it kills
> the VM:
> 
> $ qemu-system-x86_64 -nodefaults -S -display none -M none -preconfig -qmp 
> stdio
> {"QMP": {"version": {"qemu": {"micro": 50, "minor": 0, "major": 3}, 
> "package": "v3.0.0-837-gc5e4e49258"}, "capabilities": []}}
> {"execute": "qmp_capabilities"}
> {"return": {}}
> {"execute": "set-numa-node", "arguments": {"type": "node"}}
> NUMA is not supported by this machine-type
> $ echo $?
> 1
> 
> Messed up when commit 64c2a8f6d3f and 7c88e65d9e9 (v2.10.0) added
> incorrect error handling right next to correct examples.  Latent bug
> until commit f3be67812c2 (v3.0.0) made it accessible via QMP.  Fairly
> harmless in practice, because it's limited to RUN_STATE_PRECONFIG.
> The fix is obvious: replace error_report(); exit() by error_setg();
> return.
> 
> This affects parse_numa_node()'s other caller
> numa_complete_configuration(): since it ignores errors, the "NUMA is
> not supported by this machine-type" is now ignored, too.  But that
> error is as unexpected there as any other.  Change it to abort on
> error instead.
> 
> Fixes: f3be67812c226162f86ce92634bd913714445420
> Cc: Igor Mammedov 
> Signed-off-by: Markus Armbruster 
> Message-Id: <20181008173125.19678-15-arm...@redhat.com>
> Reviewed-by: Eduardo Habkost 
> Reviewed-by: Igor Mammedov 
> Signed-off-by: Eduardo Habkost 

Reviewed-by: David Gibson 

> ---
>  numa.c | 13 +
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/numa.c b/numa.c
> index 81542d4ebb..1d7c49ad43 100644
> --- a/numa.c
> +++ b/numa.c
> @@ -60,6 +60,7 @@ NodeInfo numa_info[MAX_NODES];
>  static void parse_numa_node(MachineState *ms, NumaNodeOptions *node,
>  Error **errp)
>  {
> +Error *err = NULL;
>  uint16_t nodenr;
>  uint16List *cpus = NULL;
>  MachineClass *mc = MACHINE_GET_CLASS(ms);
> @@ -82,8 +83,8 @@ static void parse_numa_node(MachineState *ms, 
> NumaNodeOptions *node,
>  }
>  
>  if (!mc->cpu_index_to_instance_props || !mc->get_default_cpu_node_id) {
> -error_report("NUMA is not supported by this machine-type");
> -exit(1);
> +error_setg(errp, "NUMA is not supported by this machine-type");
> +return;
>  }
>  for (cpus = node->cpus; cpus; cpus = cpus->next) {
>  CpuInstanceProperties props;
> @@ -97,7 +98,11 @@ static void parse_numa_node(MachineState *ms, 
> NumaNodeOptions *node,
>  props = mc->cpu_index_to_instance_props(ms, cpus->value);
>  props.node_id = nodenr;
>  props.has_node_id = true;
> -machine_set_cpu_numa_node(ms, , _fatal);
> +machine_set_cpu_numa_node(ms, , );
> +if (err) {
> +error_propagate(errp, err);
> +return;
> +}
>  }
>  
>  if (node->has_mem && node->has_memdev) {
> @@ -367,7 +372,7 @@ void numa_complete_configuration(MachineState *ms)
>  if (ms->ram_slots > 0 && nb_numa_nodes == 0 &&
>  mc->auto_enable_numa_with_memhp) {
>  NumaNodeOptions node = { };
> -parse_numa_node(ms, , NULL);
> +parse_numa_node(ms, , _abort);
>  }
>  
>  assert(max_numa_nodeid <= MAX_NODES);
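Review bot: Passing `&error_abort` on the changed line turns any failure inside parse_numa_node into an abort() with a core dump rather than a reported configuration error, including the "NUMA is not supported by this machine-type" path from the second hunk if a machine ever sets auto_enable_numa_with_memhp without providing cpu_index_to_instance_props and get_default_cpu_node_id. The commit message argues this is intended, but that reasoning belongs at the call site so the next reader does not "fix" it back: `/* Cannot fail: a machine that auto-enables NUMA must support it */` above the call. numa_complete_configuration starts and continues outside the hunk.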

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


[Qemu-devel] [PATCH v3 1/7] qapi: use qemu_strtoi64() in parse_str

2018-10-23 Thread David Hildenbrand
The qemu api claims to be easier to use, and the resulting code seems to
agree.

Signed-off-by: David Hildenbrand 
---
 qapi/string-input-visitor.c | 17 ++---
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/qapi/string-input-visitor.c b/qapi/string-input-visitor.c
index b3fdd0827d..c1454f999f 100644
--- a/qapi/string-input-visitor.c
+++ b/qapi/string-input-visitor.c
@@ -20,6 +20,7 @@
 #include "qemu/option.h"
 #include "qemu/queue.h"
 #include "qemu/range.h"
+#include "qemu/cutils.h"
 
 
 struct StringInputVisitor
@@ -46,10 +47,10 @@ static void free_range(void *range, void *dummy)
 
 static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
 {
-char *str = (char *) siv->string;
-long long start, end;
+const char *str = (char *) siv->string;
+const char *endptr;
+int64_t start, end;
 Range *cur;
-char *endptr;
 
 if (siv->ranges) {
 return 0;
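Review bot: The `(char *)` cast kept on the new `str` declaration is now pointless: the value is immediately assigned to a `const char *`, so `const char *str = siv->string;` compiles identically whatever qualifier `siv->string` carries (the old cast only existed because `str` itself was non-const). Dropping it keeps the const-correctness this patch otherwise gains and avoids a cast that silently strips `const` if the field's type ever changes. parse_str continues outside the hunk.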
@@ -60,9 +61,7 @@ static int parse_str(StringInputVisitor *siv, const char 
*name, Error **errp)
 }
 
 do {
-errno = 0;
-start = strtoll(str, , 0);
-if (errno == 0 && endptr > str) {
+if (!qemu_strtoi64(str, , 0, )) {
 if (*endptr == '\0') {
 cur = g_malloc0(sizeof(*cur));
 range_set_bounds(cur, start, start);
@@ -71,11 +70,7 @@ static int parse_str(StringInputVisitor *siv, const char 
*name, Error **errp)
 str = NULL;
 } else if (*endptr == '-') {
 str = endptr + 1;
-errno = 0;
-end = strtoll(str, , 0);
-if (errno == 0 && endptr > str && start <= end &&
-(start > INT64_MAX - 65536 ||
- end < start + 65536)) {
+if (!qemu_strtoi64(str, , 0, ) && start < end) {
 if (*endptr == '\0') {
 cur = g_malloc0(sizeof(*cur));
 range_set_bounds(cur, start, end);
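Review bot: The rewritten condition drops the range-size bound the removed lines enforced (`start > INT64_MAX - 65536 || end < start + 65536`), so an input such as `0-9223372036854775807` is now accepted as a single Range; if the visitor later walks ranges element by element, as that limit suggests, this becomes an unbounded memory and time cost driven by command-line or QMP input. The comparison also changed from `start <= end` to `start < end`, which silently rejects a one-element range like `5-5` that used to parse. Unless both changes are intended and called out in the commit message, I would keep the old semantics by restoring `start <= end && (start > INT64_MAX - 65536 || end < start + 65536)` as the second half of the condition. parse_str continues outside the hunk.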
-- 
2.17.1




Re: [Qemu-devel] [PULL 07/45] hw/timer/sun4v-rtc: Use DeviceState::realize rather than SysBusDevice::init

2018-10-23 Thread David Gibson
On Thu, Oct 18, 2018 at 05:03:44PM -0300, Eduardo Habkost wrote:
> From: Philippe Mathieu-Daudé 
> 
> Move from the legacy SysBusDevice::init method to using DeviceState::realize.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> Reviewed-by: Thomas Huth 
> Reviewed-by: Cédric Le Goater 
> Message-Id: <20181002212522.23303-4-f4...@amsat.org>
> Signed-off-by: Eduardo Habkost 

Reviewed-by: David Gibson 

> ---
>  hw/timer/sun4v-rtc.c | 10 +-
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/hw/timer/sun4v-rtc.c b/hw/timer/sun4v-rtc.c
> index 13be94f8da..4e7f6a1eff 100644
> --- a/hw/timer/sun4v-rtc.c
> +++ b/hw/timer/sun4v-rtc.c
> @@ -63,21 +63,21 @@ void sun4v_rtc_init(hwaddr addr)
>  sysbus_mmio_map(s, 0, addr);
>  }
>  
> -static int sun4v_rtc_init1(SysBusDevice *dev)
> +static void sun4v_rtc_realize(DeviceState *dev, Error **errp)
>  {
> +SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
>  Sun4vRtc *s = SUN4V_RTC(dev);
>  
>  memory_region_init_io(>iomem, OBJECT(s), _rtc_ops, s,
>"sun4v-rtc", 0x08ULL);
> -sysbus_init_mmio(dev, >iomem);
> -return 0;
> +sysbus_init_mmio(sbd, >iomem);
>  }
>  
>  static void sun4v_rtc_class_init(ObjectClass *klass, void *data)
>  {
> -SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
> +DeviceClass *dc = DEVICE_CLASS(klass);
>  
> -k->init = sun4v_rtc_init1;
> +dc->realize = sun4v_rtc_realize;
>  }
>  
>  static const TypeInfo sun4v_rtc_info = {

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


[Qemu-devel] [PATCH v3 5/7] memory-device: use QEMU_IS_ALIGNED

2018-10-23 Thread David Hildenbrand
Shorter and easier to read.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: David Hildenbrand 
---
 hw/mem/memory-device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/mem/memory-device.c b/hw/mem/memory-device.c
index 7de1ccd497..996ad1490f 100644
--- a/hw/mem/memory-device.c
+++ b/hw/mem/memory-device.c
@@ -120,7 +120,7 @@ static uint64_t memory_device_get_free_addr(MachineState 
*ms,
 g_assert(address_space_end >= address_space_start);
 
 /* address_space_start indicates the maximum alignment we expect */
-if (QEMU_ALIGN_UP(address_space_start, align) != address_space_start) {
+if (!QEMU_IS_ALIGNED(address_space_start, align)) {
 error_setg(errp, "the alignment (0x%" PRIx64 ") is not supported",
align);
 return 0;
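Review bot: Neither the old `QEMU_ALIGN_UP` form nor the new `QEMU_IS_ALIGNED` test tolerates `align == 0` (both are division-based macros as far as I recall), and the hunk does not show where `align` is validated; if a memory device can report a zero alignment the division faults before the "not supported" error is ever reached. A guard ahead of the first check, `if (!align) { error_setg(errp, "alignment must not be 0"); return 0; }`, or a `g_assert(align)` if every caller guarantees it, would make the assumption explicit. memory_device_get_free_addr starts and continues outside the hunk.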
@@ -131,13 +131,13 @@ static uint64_t memory_device_get_free_addr(MachineState 
*ms,
 return 0;
 }
 
-if (hint && QEMU_ALIGN_UP(*hint, align) != *hint) {
+if (hint && !QEMU_IS_ALIGNED(*hint, align)) {
 error_setg(errp, "address must be aligned to 0x%" PRIx64 " bytes",
align);
 return 0;
 }
 
-if (QEMU_ALIGN_UP(size, align) != size) {
+if (!QEMU_IS_ALIGNED(size, align)) {
 error_setg(errp, "backend memory size must be multiple of 0x%"
PRIx64, align);
 return 0;
-- 
2.17.1



