Re: [PATCH] configure / meson: Move the GBM handling to meson.build

2021-07-13 Thread Paolo Bonzini

On 13/07/21 13:15, Thomas Huth wrote:

The GBM library detection does not need to be in the configure script,
since it does not have any user-facing options (there are no
--enable-gbm or --disable-gbm switches). Let's move it to meson.build
instead, so we don't have to clutter config-host.mak with the related
switches.

Additionally, only check for GBM if it is really required, i.e. if we
either compile with OpenGL or with virglrenderer support.

Signed-off-by: Thomas Huth 


Queued, thanks.

Paolo




Re: [RFC PATCH 0/6] job: replace AioContext lock with job_mutex

2021-07-13 Thread Stefan Hajnoczi
On Mon, Jul 12, 2021 at 10:41:46AM +0200, Emanuele Giuseppe Esposito wrote:
> 
> 
> On 08/07/2021 15:04, Stefan Hajnoczi wrote:
> > On Thu, Jul 08, 2021 at 01:32:12PM +0200, Paolo Bonzini wrote:
> > > On 08/07/21 12:36, Stefan Hajnoczi wrote:
> > > > > What is very clear from this patch is that it
> > > > > is strictly related to the bdrv_* and lower level calls, because
> > > > > they also internally check or even use the aiocontext lock.
> > > > > Therefore, in order to make it work, I temporarily added some
> > > > > aiocontext_acquire/release pair around the function that
> > > > > still assert for them or assume they are held and temporarily
> > > > > unlock (unlock() - lock()).
> > > > 
> > > > Sounds like the issue is that this patch series assumes AioContext locks
> > > > are no longer required for calling the blk_*()/bdrv_*() APIs? That is
> > > > not the case yet, so you had to then add those aio_context_lock() calls
> > > > back in elsewhere. This approach introduces unnecessary risk. I think we
> > > > should wait until blk_*()/bdrv_*() no longer requires the caller to hold
> > > > the AioContext lock before applying this series.
> > > 
> > > In general I'm in favor of pushing the lock further down into smaller and
> > > smaller critical sections; it's a good approach to make further audits
> > > easier until it's "obvious" that the lock is unnecessary.  I haven't yet
> > > reviewed Emanuele's patches to see if this is what he's doing where he's
> > > adding the acquire/release calls, but that's my understanding of both his
> > > cover letter and your reply.
> > 
> > The problem is the unnecessary risk. We know what the goal is for
> > blk_*()/bdrv_*() but it's not quite there yet. Does making changes in
> > block jobs help solve the final issues with blk_*()/bdrv_*()?
> 
> Correct me if I am wrong, but it seems to me that the bdrv_*()/blk_*()
> operations mostly take care of building, modifying and walking the bds graph.
> So since graph nodes can have multiple AioContext, it makes sense that we
> have a lock when modifying the graph, right?
> 
> If so, we can simply try to replace the AioContext lock with a graph lock,
> or something like that. But I am not sure of this.

Block graph manipulation (all_bdrv_states and friends) requires the BQL.
It has always been this way.

This raises the question: if block graph manipulation is already under
the BQL and BlockDriver callbacks don't need the AioContext anymore, why
are aio_context_acquire() calls still needed in block jobs?

AIO_WAIT_WHILE() requires that AioContext is acquired according to its
documentation, but I'm not sure that's true anymore. Thread-safe/atomic
primitives are used by AIO_WAIT_WHILE(), so as long as the condition
being waited for is thread-safe too it should work without the
AioContext lock.

Back to my comment about unnecessary risk, pushing the lock down is a
strategy for exploring the problem, but I'm not sure those intermediate
commits need to be committed to qemu.git/master because of the time
required to review them and the risk of introducing (temporary) bugs.
Maybe there's a benefit to this patch series that I've missed?

Stefan




[PATCH for-6.2 09/34] target/arm: Factor out mve_eci_mask()

2021-07-13 Thread Peter Maydell
In some situations we need a mask telling us which parts of the
vector correspond to beats that are not being executed because of
ECI, separately from the combined "which bytes are predicated away"
mask.  Factor this mask calculation out of mve_element_mask() into
its own function.

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 58 -
 1 file changed, 34 insertions(+), 24 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index b111ba3b106..b0cbfda3cce 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -26,6 +26,35 @@
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
 
+static uint16_t mve_eci_mask(CPUARMState *env)
+{
+/*
+ * Return the mask of which elements in the MVE vector correspond
+ * to beats being executed. The mask has 1 bits for executed lanes
+ * and 0 bits where ECI says this beat was already executed.
+ */
+int eci;
+
+if ((env->condexec_bits & 0xf) != 0) {
+return 0x;
+}
+
+eci = env->condexec_bits >> 4;
+switch (eci) {
+case ECI_NONE:
+return 0x;
+case ECI_A0:
+return 0xfff0;
+case ECI_A0A1:
+return 0xff00;
+case ECI_A0A1A2:
+case ECI_A0A1A2B0:
+return 0xf000;
+default:
+g_assert_not_reached();
+}
+}
+
 static uint16_t mve_element_mask(CPUARMState *env)
 {
 /*
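Review bot: the early return under `if ((env->condexec_bits & 0xf) != 0)` in mve_eci_mask() has no comment saying what a non-zero low nibble signifies or why no beats are masked in that case; the descriptive comment only covers the ECI cases. Add a line at that test, and consider moving the descriptive comment above the function so it reads as the function's contract rather than as a note on `int eci`.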
@@ -68,30 +97,11 @@ static uint16_t mve_element_mask(CPUARMState *env)
 mask &= ltpmask;
 }
 
-if ((env->condexec_bits & 0xf) == 0) {
-/*
- * ECI bits indicate which beats are already executed;
- * we handle this by effectively predicating them out.
- */
-int eci = env->condexec_bits >> 4;
-switch (eci) {
-case ECI_NONE:
-break;
-case ECI_A0:
-mask &= 0xfff0;
-break;
-case ECI_A0A1:
-mask &= 0xff00;
-break;
-case ECI_A0A1A2:
-case ECI_A0A1A2B0:
-mask &= 0xf000;
-break;
-default:
-g_assert_not_reached();
-}
-}
-
+/*
+ * ECI bits indicate which beats are already executed;
+ * we handle this by effectively predicating them out.
+ */
+mask &= mve_eci_mask(env);
 return mask;
 }
 
-- 
2.20.1




[PATCH for-6.2 11/34] target/arm: Implement MVE VMULL (polynomial)

2021-07-13 Thread Peter Maydell
Implement the MVE VMULL (polynomial) insn.  Unlike Neon, this comes
in two flavours: 8x8->16 and a 16x16->32.  Also unlike Neon, the
inputs are in either the low or the high half of each double-width
element.

The assembler for this insn indicates the size with "P8" or "P16",
encoded into bit 28 as size = 0 or 1. We choose to follow the
same encoding as VQDMULL and decode this into a->size as MO_16
or MO_32 indicating the size of the result elements. This then
carries through to the helper function names where it then
matches up with the existing pmull_h() which does an 8x8->16
operation and a new pmull_w() which does the 16x16->32.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  5 +
 target/arm/vec_internal.h  | 11 +++
 target/arm/mve.decode  | 14 ++
 target/arm/mve_helper.c| 16 
 target/arm/translate-mve.c | 28 
 target/arm/vec_helper.c| 14 +-
 6 files changed, 83 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 56e40844ad9..84adfb21517 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -145,6 +145,11 @@ DEF_HELPER_FLAGS_4(mve_vmulltub, TCG_CALL_NO_WG, void, 
env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vmulltuh, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vmulltuw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 
+DEF_HELPER_FLAGS_4(mve_vmullpbh, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_4(mve_vmullpth, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_4(mve_vmullpbw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_4(mve_vmullptw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
+
 DEF_HELPER_FLAGS_4(mve_vqdmulhb, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vqdmulhh, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vqdmulhw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
diff --git a/target/arm/vec_internal.h b/target/arm/vec_internal.h
index 865d2139447..2a335582906 100644
--- a/target/arm/vec_internal.h
+++ b/target/arm/vec_internal.h
@@ -206,4 +206,15 @@ int16_t do_sqrdmlah_h(int16_t, int16_t, int16_t, bool, 
bool, uint32_t *);
 int32_t do_sqrdmlah_s(int32_t, int32_t, int32_t, bool, bool, uint32_t *);
 int64_t do_sqrdmlah_d(int64_t, int64_t, int64_t, bool, bool);
 
+/*
+ * 8 x 8 -> 16 vector polynomial multiply where the inputs are
+ * in the low 8 bits of each 16-bit element
+*/
+uint64_t pmull_h(uint64_t op1, uint64_t op2);
+/*
+ * 16 x 16 -> 32 vector polynomial multiply where the inputs are
+ * in the low 16 bits of each 32-bit element
+ */
+uint64_t pmull_w(uint64_t op1, uint64_t op2);
+
 #endif /* TARGET_ARM_VEC_INTERNALS_H */
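Review bot: style: the comment above pmull_h() closes with `*/` in column 0 (the `+*/` line), while the pmull_w() comment directly below closes with ` */`. Align the first one with the second.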
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index fa9d921f933..de079ec517d 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -173,10 +173,16 @@ VHADD_U  111 1  0 . .. ... 0 ... 0  . 1 . 
0 ... 0 @2op
 VHSUB_S  111 0  0 . .. ... 0 ... 0 0010 . 1 . 0 ... 0 @2op
 VHSUB_U  111 1  0 . .. ... 0 ... 0 0010 . 1 . 0 ... 0 @2op
 
-VMULL_BS 111 0 1110 0 . .. ... 1 ... 0 1110 . 0 . 0 ... 0 @2op
-VMULL_BU 111 1 1110 0 . .. ... 1 ... 0 1110 . 0 . 0 ... 0 @2op
-VMULL_TS 111 0 1110 0 . .. ... 1 ... 1 1110 . 0 . 0 ... 0 @2op
-VMULL_TU 111 1 1110 0 . .. ... 1 ... 1 1110 . 0 . 0 ... 0 @2op
+{
+  VMULLP_B   111 . 1110 0 . 11 ... 1 ... 0 1110 . 0 . 0 ... 0 @2op_sz28
+  VMULL_BS   111 0 1110 0 . .. ... 1 ... 0 1110 . 0 . 0 ... 0 @2op
+  VMULL_BU   111 1 1110 0 . .. ... 1 ... 0 1110 . 0 . 0 ... 0 @2op
+}
+{
+  VMULLP_T   111 . 1110 0 . 11 ... 1 ... 1 1110 . 0 . 0 ... 0 @2op_sz28
+  VMULL_TS   111 0 1110 0 . .. ... 1 ... 1 1110 . 0 . 0 ... 0 @2op
+  VMULL_TU   111 1 1110 0 . .. ... 1 ... 1 1110 . 0 . 0 ... 0 @2op
+}
 
 VQDMULH  1110  0 . .. ... 0 ... 0 1011 . 1 . 0 ... 0 @2op
 VQRDMULH   0 . .. ... 0 ... 0 1011 . 1 . 0 ... 0 @2op
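Review bot: the two new `{ }` groups only decode correctly because VMULLP_B and VMULLP_T are listed before the VMULL_* patterns: VMULLP fixes the size field to `11` where VMULL_BS/BU/TS/TU leave it as `..`, so the patterns overlap. A one-line comment in each group saying that size 0b11 selects the polynomial form would keep a later reorder from silently changing the decode.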
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index f78228f70c1..db5ec9266d1 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -488,6 +488,22 @@ DO_2OP_L(vmulltub, 1, 1, uint8_t, 2, uint16_t, DO_MUL)
 DO_2OP_L(vmulltuh, 1, 2, uint16_t, 4, uint32_t, DO_MUL)
 DO_2OP_L(vmulltuw, 1, 4, uint32_t, 8, uint64_t, DO_MUL)
 
+/*
+ * Polynomial multiply. We can always do this generating 64 bits
+ * of the result at a time, so we don't need to use DO_2OP_L.
+ */
+#define VMULLPH_MASK 0x00ff00ff00ff00ffULL
+#define VMULLPW_MASK 0xULL
+#define DO_VMULLPBH(N, M) pmull_h((N) & VMULLPH_MASK, (M) & VMULLPH_MASK)
+#define DO_VMULLPTH(N, M) DO_VMULLPBH((N) >> 8, (M) >> 8)
+#define DO_VMULLPBW(N, M) pmull_w((N) & VMULLPW_MASK, (M) & VMULLPW_MASK)
+#define DO_VMULLPTW(N, M) DO_VMULLPBW((N) >> 16, (M) >> 16)
+
+DO_2OP(vmullpbh, 8, uint64_t, DO_VMULLPBH)
+DO_2OP(vmullpth, 8, uint64_t, DO_VMULLPTH)
+DO_2OP(vmullpbw, 8, uint64_t, 

[PATCH for-6.2 13/34] target/arm: Factor out gen_vpst()

2021-07-13 Thread Peter Maydell
Factor out the "generate code to update VPR.MASK01/MASK23" part of
trans_VPST(); we are going to want to reuse it for the VPT insns.

Signed-off-by: Peter Maydell 
---
 target/arm/translate-mve.c | 31 +--
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index 52400864692..de65a1c3cf1 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -737,33 +737,24 @@ static bool trans_VRMLSLDAVH(DisasContext *s, 
arg_vmlaldav *a)
 return do_long_dual_acc(s, a, fns[a->x]);
 }
 
-static bool trans_VPST(DisasContext *s, arg_VPST *a)
+static void gen_vpst(DisasContext *s, uint32_t mask)
 {
-TCGv_i32 vpr;
-
-/* mask == 0 is a "related encoding" */
-if (!dc_isar_feature(aa32_mve, s) || !a->mask) {
-return false;
-}
-if (!mve_eci_check(s) || !vfp_access_check(s)) {
-return true;
-}
 /*
  * Set the VPR mask fields. We take advantage of MASK01 and MASK23
  * being adjacent fields in the register.
  *
- * This insn is not predicated, but it is subject to beat-wise
+ * Updating the masks is not predicated, but it is subject to beat-wise
  * execution, and the mask is updated on the odd-numbered beats.
  * So if PSR.ECI says we should skip beat 1, we mustn't update the
  * 01 mask field.
  */
-vpr = load_cpu_field(v7m.vpr);
+TCGv_i32 vpr = load_cpu_field(v7m.vpr);
 switch (s->eci) {
 case ECI_NONE:
 case ECI_A0:
 /* Update both 01 and 23 fields */
 tcg_gen_deposit_i32(vpr, vpr,
-tcg_constant_i32(a->mask | (a->mask << 4)),
+tcg_constant_i32(mask | (mask << 4)),
 R_V7M_VPR_MASK01_SHIFT,
 R_V7M_VPR_MASK01_LENGTH + R_V7M_VPR_MASK23_LENGTH);
 break;
@@ -772,13 +763,25 @@ static bool trans_VPST(DisasContext *s, arg_VPST *a)
 case ECI_A0A1A2B0:
 /* Update only the 23 mask field */
 tcg_gen_deposit_i32(vpr, vpr,
-tcg_constant_i32(a->mask),
+tcg_constant_i32(mask),
 R_V7M_VPR_MASK23_SHIFT, R_V7M_VPR_MASK23_LENGTH);
 break;
 default:
 g_assert_not_reached();
 }
 store_cpu_field(vpr, v7m.vpr);
+}
+
+static bool trans_VPST(DisasContext *s, arg_VPST *a)
+{
+/* mask == 0 is a "related encoding" */
+if (!dc_isar_feature(aa32_mve, s) || !a->mask) {
+return false;
+}
+if (!mve_eci_check(s) || !vfp_access_check(s)) {
+return true;
+}
+gen_vpst(s, a->mask);
 mve_update_and_store_eci(s);
 return true;
 }
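Review bot: gen_vpst() has no comment stating what its callers must do around it. In this hunk trans_VPST() runs mve_eci_check() and vfp_access_check() before the call and mve_update_and_store_eci() after it, and gen_vpst() itself reads `s->eci`; since the commit message says the function will be reused for the VPT insns, a short contract comment above gen_vpst() naming those requirements would keep the new callers from omitting them.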
-- 
2.20.1




[PATCH for-6.2 08/34] target/arm: Fix VPT advance when ECI is non-zero

2021-07-13 Thread Peter Maydell
We were not paying attention to the ECI state when advancing the VPT
state.  Architecturally, VPT state advance happens for every beat
(see the pseudocode VPTAdvance()), so on every beat the 4 bits of
VPR.P0 corresponding to the current beat are inverted if required,
and at the end of beats 1 and 3 the VPR MASK fields are updated.
This means that if the ECI state says we should not be executing all
4 beats then we need to skip some of the updating of the VPR that we
currently do in mve_advance_vpt().

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 29 +++--
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index c75432c5fef..b111ba3b106 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -100,9 +100,11 @@ static void mve_advance_vpt(CPUARMState *env)
 /* Advance the VPT and ECI state if necessary */
 uint32_t vpr = env->v7m.vpr;
 unsigned mask01, mask23;
+int eci = ECI_NONE;
 
 if ((env->condexec_bits & 0xf) == 0) {
-env->condexec_bits = (env->condexec_bits == (ECI_A0A1A2B0 << 4)) ?
+eci = env->condexec_bits >> 4;
+env->condexec_bits = (eci == ECI_A0A1A2B0) ?
 (ECI_A0 << 4) : (ECI_NONE << 4);
 }
 
@@ -111,17 +113,32 @@ static void mve_advance_vpt(CPUARMState *env)
 return;
 }
 
+/* Invert P0 bits if needed, but only for beats we actually executed */
 mask01 = FIELD_EX32(vpr, V7M_VPR, MASK01);
 mask23 = FIELD_EX32(vpr, V7M_VPR, MASK23);
 if (mask01 > 8) {
-/* high bit set, but not 0b1000: invert the relevant half of P0 */
-vpr ^= 0xff;
+if (eci == ECI_NONE) {
+/* high bit set, but not 0b1000: invert the relevant half of P0 */
+vpr ^= 0xff;
+} else if (eci == ECI_A0) {
+/* Invert only the beat 1 P0 bits, as we didn't execute beat 0 */
+vpr ^= 0xf0;
+} /* otherwise we didn't execute either beat 0 or beat 1 */
 }
 if (mask23 > 8) {
-/* high bit set, but not 0b1000: invert the relevant half of P0 */
-vpr ^= 0xff00;
+if (eci != ECI_A0A1A2 && eci != ECI_A0A1A2B0) {
+/* high bit set, but not 0b1000: invert the relevant half of P0 */
+vpr ^= 0xff00;
+} else {
+/* We didn't execute beat 2, only invert the beat 3 P0 bits */
+vpr ^= 0xf000;
+}
 }
-vpr = FIELD_DP32(vpr, V7M_VPR, MASK01, mask01 << 1);
+/* Only update MASK01 if beat 1 executed */
+if (eci == ECI_NONE || eci == ECI_A0) {
+vpr = FIELD_DP32(vpr, V7M_VPR, MASK01, mask01 << 1);
+}
+/* Beat 3 always executes, so update MASK23 */
 vpr = FIELD_DP32(vpr, V7M_VPR, MASK23, mask23 << 1);
 env->v7m.vpr = vpr;
 }
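Review bot: in the `mask01 > 8` block the ECI_A0A1, ECI_A0A1A2 and ECI_A0A1A2B0 states are covered only by a trailing comment on the closing brace (`} /* otherwise we didn't execute ... */`), and the `mask23 > 8` block reaches ECI_NONE, ECI_A0 and ECI_A0A1 through a negated test. A `switch (eci)` with each state named, ending in g_assert_not_reached(), would make it possible to check every state against VPTAdvance() at a glance and would catch an unexpected ECI value instead of treating it as "invert both beats".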
-- 
2.20.1




Re: [RFC PATCH 2/6] i386/sev: extend sev-guest property to include SEV-SNP

2021-07-13 Thread Markus Armbruster
Brijesh Singh  writes:

> To launch the SEV-SNP guest, a user can specify up to 8 parameters.
> Passing all parameters through command line can be difficult. To simplify
> the launch parameter passing, introduce a .ini-like config file that can be
> used for passing the parameters to the launch flow.
>
> The contents of the config file will look like this:
>
> $ cat snp-launch.init
>
> # SNP launch parameters
> [SEV-SNP]
> init_flags = 0
> policy = 0x1000
> id_block = "YWFhYWFhYWFhYWFhYWFhCg=="
>
>
> Add 'snp' property that can be used to indicate that SEV guest launch
> should enable the SNP support.
>
> SEV-SNP guest launch examples:
>
> 1) launch without additional parameters
>
>   $(QEMU_CLI) \
> -object sev-guest,id=sev0,snp=on
>
> 2) launch with optional parameters
>   $(QEMU_CLI) \
> -object sev-guest,id=sev0,snp=on,launch-config=
>
> Signed-off-by: Brijesh Singh 

I acknowledge doing complex configuration on the command line can be
awkward.  But if we added a separate configuration file for every
configurable thing where that's the case, we'd have too many already,
and we'd constantly grow more.  I don't think this is a viable solution.

In my opinion, much of what we do on the command line should be done in
configuration files instead.  Not in several different configuration
languages, mind, but using one common language for all our configuration
needs.

Some of us argue this language already exists: QMP.  It can't do
everything the command line can do, but that's a matter of putting in
the work.  However, JSON isn't a good configuration language[1].  To get
a decent one, we'd have to extend JSON[2], or wrap another concrete
syntax around QMP's abstract syntax.

But this doesn't help you at all *now*.

I recommend to do exactly what we've done before for complex
configuration: define it in the QAPI schema, so we can use both dotted
keys and JSON on the command line, and can have QMP, too.  Examples:
-blockdev, -display, -compat.

Questions?


[1] https://www.lucidchart.com/techblog/2018/07/16/why-json-isnt-a-good-configuration-language/

[2] Thanks, but no thanks.  Let's make new and interesting mistakes
instead of repeating old and tired ones.




Re: [PATCH V5 20/25] chardev: cpr framework

2021-07-13 Thread Steven Sistare
On 7/12/2021 3:49 PM, Marc-André Lureau wrote:
> Hi
> 
> On Mon, Jul 12, 2021 at 11:20 PM Steven Sistare wrote:
> 
> On 7/8/2021 12:03 PM, Marc-André Lureau wrote:
> > Hi
> >
> > On Wed, Jul 7, 2021 at 9:37 PM Steve Sistare wrote:
> >
> >     Add QEMU_CHAR_FEATURE_CPR for devices that support cpr.
> >     Add QEMU_CHAR_FEATURE_CPR for devices that support cpr.
> >     Add the chardev close_on_cpr option for devices that can be closed on cpr
> >     and reopened after exec.
> >     cpr is allowed only if either QEMU_CHAR_FEATURE_CPR or close_on_cpr is set
> >     for all chardevs in the configuration.
> >
> >
> > Why not do the right thing by default?
> 
> Char devices with buffering in the qemu process do not support cpr, as there is no general mechanism
> for saving and restoring the buffer and synchronizing that with device operation.  In theory vmstate
> could provide that mechanism, but sync'ing the device with vmstate operations would be non-trivial,
> as every device handles it differently, and I did not tackle it.  However, some very useful devices
> do not buffer, and do support cpr, so I introduce QEMU_CHAR_FEATURE_CPR to identify them.  CPR support
> can be incrementally added to more devices in the future via this mechanism.
> 
> > Could use some tests in tests/unit/test-char.c
> 
> OK, I'll check it out.  I have deferred adding unit tests until I get more buy in on the patch series.
> 
> 
> I understand :) Tbh, I have no clue if you are close to acceptance. (too late for 6.1 anyway, you can already update the docs)
> 
> 
> >     Signed-off-by: Steve Sistare
> >     ---
> >      chardev/char.c         | 41 
> ++---
> >      include/chardev/char.h |  5 +
> >      migration/cpr.c        |  3 +++
> >      qapi/char.json         |  5 -
> >      qemu-options.hx        | 26 ++
> >      5 files changed, 72 insertions(+), 8 deletions(-)
> >
> >     diff --git a/chardev/char.c b/chardev/char.c
> >     index d959eec..f10fb94 100644
> >     --- a/chardev/char.c
> >     +++ b/chardev/char.c
> >     @@ -36,6 +36,7 @@
> >      #include "qemu/help_option.h"
> >      #include "qemu/module.h"
> >      #include "qemu/option.h"
> >     +#include "qemu/env.h"
> >      #include "qemu/id.h"
> >      #include "qemu/coroutine.h"
> >      #include "qemu/yank.h"
> >     @@ -239,6 +240,9 @@ static void qemu_char_open(Chardev *chr, 
> ChardevBackend *backend,
> >          ChardevClass *cc = CHARDEV_GET_CLASS(chr);
> >          /* Any ChardevCommon member would work */
> >          ChardevCommon *common = backend ? backend->u.null.data : NULL;
> >     +    char fdname[40];
> >
> >
> > Please use g_autoptr char *fdname = NULL; & g_strdup_printf()
> 
> Will do.
> (the glibc functions are new to me, and my fingers do not automatically type them).
> 
> >     +
> >     +    chr->close_on_cpr = (common && common->close_on_cpr);
> >
> >          if (common && common->has_logfile) {
> >              int flags = O_WRONLY | O_CREAT;
> >     @@ -248,7 +252,14 @@ static void qemu_char_open(Chardev *chr, 
> ChardevBackend *backend,
> >              } else {
> >                  flags |= O_TRUNC;
> >              }
> >     -        chr->logfd = qemu_open_old(common->logfile, flags, 0666);
> >     +        snprintf(fdname, sizeof(fdname), "%s_log", chr->label);
> >     +        chr->logfd = getenv_fd(fdname);
> >     +        if (chr->logfd < 0) {
> >     +            chr->logfd = qemu_open_old(common->logfile, flags, 
> 0666);
> >     +            if (!chr->close_on_cpr) {
> >     +                setenv_fd(fdname, chr->logfd);
> >     +            }
> >     +        }
> >              if (chr->logfd < 0) {
> >                  error_setg_errno(errp, errno,
> >                                   "Unable to open logfile %s",
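Review bot: in the logfile branch, `setenv_fd(fdname, chr->logfd)` runs immediately after `qemu_open_old()` and before the existing `if (chr->logfd < 0)` error check, so a failed open records a negative descriptor under the `<label>_log` name. Move the `setenv_fd()` call below the failure check so only a valid fd is ever exported. The name itself is built with snprintf() into the 40-byte `fdname`, so long labels are silently truncated and two of them could end up sharing one name.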
> >     @@ -300,11 +311,12 @@ static void char_finalize(Object *obj)
> >          if (chr->be) {
> >              chr->be->chr = NULL;
> >          }
> >     -    g_free(chr->filename);
> >     -    g_free(chr->label);
> >          if (chr->logfd != -1) {
> >              close(chr->logfd);
> >     +        unsetenv_fdv("%s_log", chr->label);
> >          }
> >     +    g_free(chr->filename);
> >     +    g_free(chr->label);
> >          qemu_mutex_destroy(>chr_write_lock);
> >      }
> >
> >     @@ -504,6 +516,8 @@ void qemu_chr_parse_common(QemuOpts *opts, 
> ChardevCommon 

[PULL v2 4/4] fuzz: add an instrumentation filter

2021-07-13 Thread Alexander Bulekov
By default, -fsanitize=fuzzer instruments all code with coverage
information. However, this means that libfuzzer will track coverage over
hundreds of source files that are unrelated to virtual-devices. This
means that libfuzzer will optimize inputs for coverage observed in timer
code, memory APIs etc. This slows down the fuzzer and stores many inputs
that are not relevant to the actual virtual-devices.

With this change, clang versions that support the
"-fsanitize-coverage-allowlist" will only instrument a subset of the
compiled code, that is directly related to virtual-devices.

Signed-off-by: Alexander Bulekov 
Reviewed-by: Darren Kenny 
---
 configure | 28 +++
 .../oss-fuzz/instrumentation-filter-template  | 15 ++
 2 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 scripts/oss-fuzz/instrumentation-filter-template

diff --git a/configure b/configure
index e799d908a3..99d6182af9 100755
--- a/configure
+++ b/configure
@@ -4943,13 +4943,21 @@ fi
 
 ##
 # checks for fuzzer
-if test "$fuzzing" = "yes" && test -z "${LIB_FUZZING_ENGINE+xxx}"; then
+if test "$fuzzing" = "yes" ; then
   write_c_fuzzer_skeleton
-  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
-have_fuzzer=yes
-  else
-error_exit "Your compiler doesn't support -fsanitize=fuzzer"
-exit 1
+  if test -z "${LIB_FUZZING_ENGINE+xxx}"; then
+if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
+  have_fuzzer=yes
+else
+  error_exit "Your compiler doesn't support -fsanitize=fuzzer"
+  exit 1
+fi
+  fi
+
+  have_clang_coverage_filter=no
+  echo > $TMPTXT
+  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer 
-fsanitize-coverage-allowlist=$TMPTXT" ""; then
+have_clang_coverage_filter=yes
   fi
 fi
 
@@ -5843,6 +5851,14 @@ if test "$fuzzing" = "yes" ; then
   else
 FUZZ_EXE_LDFLAGS="$LIB_FUZZING_ENGINE"
   fi
+
+  # Specify a filter to only instrument code that is directly related to
+  # virtual-devices.
+  if test "$have_clang_coverage_filter" = "yes" ; then
+cp "$source_path/scripts/oss-fuzz/instrumentation-filter-template" \
+   instrumentation-filter
+QEMU_CFLAGS="$QEMU_CFLAGS 
-fsanitize-coverage-allowlist=instrumentation-filter"
+  fi
 fi
 
 if test "$plugins" = "yes" ; then
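Review bot: `-fsanitize-coverage-allowlist=instrumentation-filter` in the added block is a relative path, so it only resolves if every compiler invocation runs from the directory the `cp` wrote to. Passing an absolute path (for example built from `$PWD`) removes that dependency. The `cp` result is also unchecked, so a missing template would surface later as a compiler error rather than at configure time.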
diff --git a/scripts/oss-fuzz/instrumentation-filter-template 
b/scripts/oss-fuzz/instrumentation-filter-template
new file mode 100644
index 00..76d2b6139a
--- /dev/null
+++ b/scripts/oss-fuzz/instrumentation-filter-template
@@ -0,0 +1,15 @@
+# Code that we actually want the fuzzer to target
+# See: 
https://clang.llvm.org/docs/SanitizerCoverage.html#disabling-instrumentation-without-source-modification
+#
+src:*/hw/*
+src:*/include/hw/*
+src:*/slirp/*
+src:*/net/*
+
+# We don't care about coverage over fuzzer-specific code, however we should
+# instrument the fuzzer entry-point so libFuzzer always sees at least some
+# coverage - otherwise it will exit after the first input
+src:*/tests/qtest/fuzz/fuzz.c
+
+# Enable instrumentation for all functions in those files
+fun:*
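Review bot: the header comment does not say that this file is an allowlist, i.e. that any source file not matched by one of the `src:` lines gets no coverage instrumentation. A device model added outside the listed directories would silently drop out of the fuzzer's feedback; state that at the top of the file so the list is kept up to date.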
-- 
2.28.0




Re: [PATCH v6 5/6] hw/acpi/ich9: Set ACPI PCI hot-plug as default on Q35

2021-07-13 Thread Michael S. Tsirkin
On Tue, Jul 13, 2021 at 09:59:31AM +0200, Igor Mammedov wrote:
> On Tue, 13 Jul 2021 02:42:04 +0200
> Julia Suvorova  wrote:
> 
> > Q35 has three different types of PCI devices hot-plug: PCIe Native,
> > SHPC Native and ACPI hot-plug. This patch changes the default choice
> > for cold-plugged bridges from PCIe Native to ACPI Hot-plug with
> > ability to use SHPC and PCIe Native for hot-plugged bridges.
> 
> Before we flip the switch,
> has the issue about not hotplug ports not getting IO (Michael)
> been addressed, if not are there any plans to fix it?
> 

I think it's a guest bug frankly. We'll workaround it
by setting io-reserve to 4k for hotplugged bridges,
I think this is minor enough that it's better to just
merge now and fix on top.
I've added this note to the commit log though.

> > This is a list of the PCIe Native hot-plug issues that led to this
> > change:
> > * no racy behavior during boot (see 110c477c2ed)
> > * no delay during deleting - after the actual power off software
> >   must wait at least 1 second before indicating about it. This case
> >   is quite important for users, it even has its own bug:
> >   https://bugzilla.redhat.com/show_bug.cgi?id=1594168
> > * no timer-based behavior - in addition to the previous example,
> >   the attention button has a 5-second waiting period, during which
> >   the operation can be canceled with a second press. While this
> >   looks fine for manual button control, automation will result in
> >   the need to queue or drop events, and the software receiving
> >   events in all sort of unspecified combinations of attention/power
> >   indicator states, which is racy and unpredictable.
> > * fixes:
> > * https://bugzilla.redhat.com/show_bug.cgi?id=1752465
> > * https://bugzilla.redhat.com/show_bug.cgi?id=1690256
> > 
> > To return to PCIe Native hot-plug:
> > -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off
> > 
> > Signed-off-by: Julia Suvorova 
> > Reviewed-by: Igor Mammedov 
> > ---
> >  hw/acpi/ich9.c | 2 +-
> >  hw/i386/pc.c   | 1 +
> >  2 files changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
> > index 2f4eb453ac..778e27b659 100644
> > --- a/hw/acpi/ich9.c
> > +++ b/hw/acpi/ich9.c
> > @@ -427,7 +427,7 @@ void ich9_pm_add_properties(Object *obj, ICH9LPCPMRegs 
> > *pm)
> >  pm->disable_s3 = 0;
> >  pm->disable_s4 = 0;
> >  pm->s4_val = 2;
> > -pm->use_acpi_hotplug_bridge = false;
> > +pm->use_acpi_hotplug_bridge = true;
> >  
> >  object_property_add_uint32_ptr(obj, ACPI_PM_PROP_PM_IO_BASE,
> > >pm_io_base, OBJ_PROP_FLAG_READ);
> > diff --git a/hw/i386/pc.c b/hw/i386/pc.c
> > index 8e1220db72..7e03848792 100644
> > --- a/hw/i386/pc.c
> > +++ b/hw/i386/pc.c
> > @@ -98,6 +98,7 @@ GlobalProperty pc_compat_6_0[] = {
> >  { "qemu64" "-" TYPE_X86_CPU, "family", "6" },
> >  { "qemu64" "-" TYPE_X86_CPU, "model", "6" },
> >  { "qemu64" "-" TYPE_X86_CPU, "stepping", "3" },
> > +{ "ICH9-LPC", "acpi-pci-hotplug-with-bridge-support", "off" },
> >  };
> >  const size_t pc_compat_6_0_len = G_N_ELEMENTS(pc_compat_6_0);
> >  




[PULL 4/6] migration: Don't do migrate cleanup if during postcopy resume

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Peter Xu 

Below process could crash qemu with postcopy recovery:

  1. (hmp) migrate -d ..
  2. (hmp) migrate_start_postcopy
  3. [network down, postcopy paused]
  4. (hmp) migrate -r $WRONG_PORT
 when try the recover on an invalid $WRONG_PORT, cleanup_bh will be cleared
  5. (hmp) migrate -r $RIGHT_PORT
 [qemu crash on assert(cleanup_bh)]

The thing is we shouldn't cleanup if it's postcopy resume; the error is set
mostly because the channel is wrong, so we return directly waiting for the user
to retry.

migrate_fd_cleanup() should only be called when migration is cancelled or
completed.

Signed-off-by: Peter Xu 
Message-Id: <20210708190653.252961-3-pet...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/migration.c | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/migration/migration.c b/migration/migration.c
index 38ebc6c1ab..20c48cfff1 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -3979,7 +3979,18 @@ void migrate_fd_connect(MigrationState *s, Error 
*error_in)
 }
 if (error_in) {
 migrate_fd_error(s, error_in);
-migrate_fd_cleanup(s);
+if (resume) {
+/*
+ * Don't do cleanup for resume if channel is invalid, but only dump
+ * the error.  We wait for another channel connect from the user.
+ * The error_report still gives HMP user a hint on what failed.
+ * It's normally done in migrate_fd_cleanup(), but call it here
+ * explicitly.
+ */
+error_report_err(error_copy(s->error));
+} else {
+migrate_fd_cleanup(s);
+}
 return;
 }
 
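Review bot: in the new `resume` branch, `error_report_err(error_copy(s->error))` prints whatever is stored in `s->error` rather than `error_in`. If `s->error` still holds an earlier failure, the user is shown the old message instead of the one for this connect attempt; reporting a copy of `error_in` here would avoid that. `s->error` is also read in this branch with no lock visible in the hunk.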
-- 
2.31.1




[PULL 5/6] migration: Clear error at entry of migrate_fd_connect()

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Peter Xu 

For each "migrate" command, remember to clear the s->error before going on.
For one reason, when there's a new error it'll be still remembered; see
migrate_set_error() who only sets the error if error==NULL.  Meanwhile if a
failed migration completes (e.g., postcopy recovered and finished), we
shouldn't dump an error when calling migrate_fd_cleanup() at last.

Signed-off-by: Peter Xu 
Message-Id: <20210708190653.252961-4-pet...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/migration.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/migration/migration.c b/migration/migration.c
index 20c48cfff1..2d306582eb 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -1855,6 +1855,15 @@ void migrate_set_error(MigrationState *s, const Error 
*error)
 }
 }
 
+static void migrate_error_free(MigrationState *s)
+{
+QEMU_LOCK_GUARD(>error_mutex);
+if (s->error) {
+error_free(s->error);
+s->error = NULL;
+}
+}
+
 void migrate_fd_error(MigrationState *s, const Error *error)
 {
 trace_migrate_fd_error(error_get_pretty(error));
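Review bot: the `if (s->error)` test in migrate_error_free() is redundant, since error_free() is a no-op on NULL; under the lock guard the body can be just `error_free(s->error);` followed by `s->error = NULL;`. The new helper also has no comment saying when it is safe to call, which matters because it discards an error that other code may still expect to report.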
@@ -3970,6 +3979,13 @@ void migrate_fd_connect(MigrationState *s, Error 
*error_in)
 int64_t rate_limit;
 bool resume = s->state == MIGRATION_STATUS_POSTCOPY_PAUSED;
 
+/*
+ * If there's a previous error, free it and prepare for another one.
+ * Meanwhile if migration completes successfully, there won't have an error
+ * dumped when calling migrate_fd_cleanup().
+ */
+migrate_error_free(s);
+
 s->expected_downtime = s->parameters.downtime_limit;
 if (resume) {
 assert(s->cleanup_bh);
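Review bot: The comment added in `migrate_fd_connect()` is hard to parse ("there won't have an error dumped"); wording such as "so that a migration which later completes successfully does not dump a stale error from migrate_fd_cleanup()" says the same thing. The `migrate_error_free(s)` call also sits above the `if (resume)` block, so it clears the error on a postcopy recovery attempt as well as on a fresh migration; the comment should say that this is intended.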
-- 
2.31.1




[PATCH 0/5] ebpf: Added ebpf helper for libvirtd.

2021-07-13 Thread Andrew Melnychenko
Libvirt usually launches qemu with strict permissions.
To enable eBPF RSS steering, qemu-ebpf-rss-helper was added.

Added property "ebpf_rss_fds" for "virtio-net" that allows
initializing the eBPF RSS context with passed program & maps fds.

Added qemu-ebpf-rss-helper - simple helper that loads eBPF
context and passes fds through unix socket.
Libvirt should call the helper and pass fds to qemu through
"ebpf_rss_fds" property.

Added explicit target OS check for libbpf dependency in meson.
eBPF RSS works only with Linux TAP, so there is no reason to
build eBPF loader/helper for non-Linux.

Changed how Qemu updates eBPF maps to array mmapping. Mmapping allows
bypassing unprivileged BPF map update. Also, instead of 3 maps
(config, key and indirection table) there is one map that
combines everything.

Added helper stamp. To check that helper was built with qemu,
qemu would check helper symbols that should contain the stamp.
It was done similar to qemu modules, but checking was performed
by the helper's ELF parsing.

Overall, libvirt process should not be aware of the "interface"
of eBPF RSS, it will not be aware of eBPF maps/program "type" and
their quantity. That's why qemu and the helper should be from
the same build and be "synchronized". Technically each qemu may
have its own helper. That's why "query-helper-paths" qmp command
was added. Qemu should return the path to the helper that suits
and libvirt should use "that" helper for "that" emulator.

qmp sample:
C: { "execute": "query-helper-paths" }
S: { "return": [
       {
         "name": "qemu-ebpf-rss-helper",
         "path": "/usr/local/libexec/qemu-ebpf-rss-helper"
       }
     ]
   }

Changes since v1:
* Mmap() used instead of bpf_map_update_elem().
* Added helper stamp.

Andrew Melnychenko (5):
  ebpf: Added eBPF initialization by fds and map update.
  virtio-net: Added property to load eBPF RSS with fds.
  qmp: Added the helper stamp check.
  ebpf_rss_helper: Added helper for eBPF RSS.
  qmp: Added qemu-ebpf-rss-path command.

 ebpf/ebpf_rss-stub.c  |   6 +
 ebpf/ebpf_rss.c   | 120 ---
 ebpf/ebpf_rss.h   |   8 +-
 ebpf/qemu-ebpf-rss-helper.c   | 130 +++
 ebpf/rss.bpf.skeleton.h   | 557 +++---
 hw/net/virtio-net.c   |  77 -
 include/hw/virtio/virtio-net.h|   1 +
 meson.build   |  47 ++-
 monitor/meson.build   |   1 +
 monitor/qemu-helper-stamp-utils.c | 297 
 monitor/qemu-helper-stamp-utils.h |  24 ++
 monitor/qmp-cmds.c|  32 ++
 qapi/misc.json|  33 ++
 tools/ebpf/rss.bpf.c  |  67 ++--
 14 files changed, 990 insertions(+), 410 deletions(-)
 create mode 100644 ebpf/qemu-ebpf-rss-helper.c
 create mode 100644 monitor/qemu-helper-stamp-utils.c
 create mode 100644 monitor/qemu-helper-stamp-utils.h

-- 
2.31.1
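
The helper stamp check described in this cover letter comes down to finding a named symbol in the helper's ELF file. The following is an added example, not code from this patch series: a bounds-checked ELF64 symbol lookup over an in-memory image. `elf64_has_symbol`, `build_sample` and the stamp string `qemuHelperStamp_constructed` are hypothetical, and the image is assumed to be in host byte order.

```c
#include <elf.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True if [off, off + len) lies inside an image of `size` bytes. */
static bool in_range(size_t size, uint64_t off, uint64_t len)
{
    return off <= size && len <= size - off;
}

/*
 * Return true if the ELF64 image (host byte order assumed) defines a symbol
 * called `name`. Every offset, size and index read from the file is checked
 * against the image size before it is used.
 */
bool elf64_has_symbol(const uint8_t *img, size_t size, const char *name)
{
    Elf64_Ehdr eh;
    if (size < sizeof(eh)) {
        return false;
    }
    memcpy(&eh, img, sizeof(eh));
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_shentsize != sizeof(Elf64_Shdr) ||
        !in_range(size, eh.e_shoff, (uint64_t)eh.e_shnum * sizeof(Elf64_Shdr))) {
        return false;
    }
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh, str;
        const char *strtab;
        memcpy(&sh, img + eh.e_shoff + i * sizeof(sh), sizeof(sh));
        if ((sh.sh_type != SHT_SYMTAB && sh.sh_type != SHT_DYNSYM) ||
            sh.sh_link >= eh.e_shnum ||        /* string table index */
            !in_range(size, sh.sh_offset, sh.sh_size)) {
            continue;
        }
        memcpy(&str, img + eh.e_shoff + sh.sh_link * sizeof(str), sizeof(str));
        if (str.sh_type != SHT_STRTAB || str.sh_size == 0 ||
            !in_range(size, str.sh_offset, str.sh_size)) {
            continue;
        }
        strtab = (const char *)img + str.sh_offset;
        if (strtab[str.sh_size - 1] != '\0') {
            continue;                          /* unterminated string table */
        }
        for (uint64_t j = 0; j < sh.sh_size / sizeof(Elf64_Sym); j++) {
            Elf64_Sym sym;
            memcpy(&sym, img + sh.sh_offset + j * sizeof(sym), sizeof(sym));
            if (sym.st_shndx != SHN_UNDEF && sym.st_name < str.sh_size &&
                strcmp(strtab + sym.st_name, name) == 0) {
                return true;
            }
        }
    }
    return false;
}

/* Constructed sample image: ELF header, 2 symbols, string table, 3 sections. */
size_t build_sample(uint8_t *buf, size_t cap, const char *sym_name)
{
    size_t strsz = strlen(sym_name) + 2;       /* "\0" + name + "\0" */
    size_t symoff = sizeof(Elf64_Ehdr);
    size_t stroff = symoff + 2 * sizeof(Elf64_Sym);
    size_t shoff = stroff + strsz, total = shoff + 3 * sizeof(Elf64_Shdr);
    Elf64_Ehdr eh = { .e_shoff = shoff, .e_shnum = 3,
                      .e_shentsize = sizeof(Elf64_Shdr) };
    Elf64_Sym sym = { .st_name = 1, .st_shndx = SHN_ABS };
    Elf64_Shdr sh[3] = {
        [1] = { .sh_type = SHT_SYMTAB, .sh_offset = symoff, .sh_link = 2,
                .sh_size = 2 * sizeof(Elf64_Sym) },
        [2] = { .sh_type = SHT_STRTAB, .sh_offset = stroff, .sh_size = strsz },
    };

    if (total > cap) {
        return 0;
    }
    memset(buf, 0, total);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    memcpy(buf, &eh, sizeof(eh));
    memcpy(buf + symoff + sizeof(sym), &sym, sizeof(sym));   /* symbol #1 */
    memcpy(buf + stroff + 1, sym_name, strlen(sym_name));
    memcpy(buf + shoff, sh, sizeof(sh));
    return total;
}

int main(void)
{
    const char *stamp = "qemuHelperStamp_constructed";   /* constructed value */
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof(buf), stamp);
    printf("stamp present: %d\n", elf64_has_symbol(buf, n, stamp));
    return 0;
}
```

A truncated image or a symbol table whose `sh_link` points past the section table is rejected instead of being read out of bounds.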




[PATCH 2/5] virtio-net: Added property to load eBPF RSS with fds.

2021-07-13 Thread Andrew Melnychenko
eBPF RSS program and maps now may be passed during initialization.
Initially it was implemented for libvirt to launch qemu without permissions.

Signed-off-by: Andrew Melnychenko 
---
 hw/net/virtio-net.c| 77 --
 include/hw/virtio/virtio-net.h |  1 +
 2 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index bd7958b9f0..0602b1772e 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -41,6 +41,7 @@
 #include "sysemu/sysemu.h"
 #include "trace.h"
 #include "monitor/qdev.h"
+#include "monitor/monitor.h"
 #include "hw/pci/pci.h"
 #include "net_rx_pkt.h"
 #include "hw/virtio/vhost.h"
@@ -1223,14 +1224,81 @@ static void virtio_net_detach_epbf_rss(VirtIONet *n)
 virtio_net_attach_ebpf_to_backend(n->nic, -1);
 }
 
-static bool virtio_net_load_ebpf(VirtIONet *n)
+static int virtio_net_get_ebpf_rss_fds(char *str, char *fds[], int nfds)
 {
-if (!virtio_net_attach_ebpf_to_backend(n->nic, -1)) {
-/* backend does't support steering ebpf */
+char *ptr = str;
+char *cur = NULL;
+size_t len = strlen(str);
+int i = 0;
+
+for (; i < nfds && ptr < str + len;) {
+cur = strchr(ptr, ':');
+
+if (cur == NULL) {
+fds[i] = g_strdup(ptr);
+} else {
+fds[i] = g_strndup(ptr, cur - ptr);
+}
+
+i++;
+if (cur == NULL) {
+break;
+} else {
+ptr = cur + 1;
+}
+}
+
+return i;
+}
+
+static bool virtio_net_load_ebpf_fds(VirtIONet *n)
+{
+char *fds_strs[EBPF_RSS_MAX_FDS];
+int fds[EBPF_RSS_MAX_FDS];
+int nfds;
+int ret = false;
+Error *errp;
+int i = 0;
+
+if (n == NULL || !n->ebpf_rss_fds) {
 return false;
 }
 
-return ebpf_rss_load(>ebpf_rss);
+nfds = virtio_net_get_ebpf_rss_fds(n->ebpf_rss_fds,
+   fds_strs, EBPF_RSS_MAX_FDS);
+for (i = 0; i < nfds; i++) {
+fds[i] = monitor_fd_param(monitor_cur(), fds_strs[i], );
+}
+
+if (nfds == EBPF_RSS_MAX_FDS) {
+ret = ebpf_rss_load_fds(>ebpf_rss, fds[0], fds[1], fds[2], fds[3]);
+}
+
+if (!ret) {
+for (i = 0; i < nfds; i++) {
+close(fds[i]);
+}
+}
+
+for (i = 0; i < nfds; i++) {
+g_free(fds_strs[i]);
+}
+
+return ret;
+}
+
+static bool virtio_net_load_ebpf(VirtIONet *n)
+{
+bool ret = true;
+
+if (virtio_net_attach_ebpf_to_backend(n->nic, -1)) {
+if (!(n->ebpf_rss_fds
+&& virtio_net_load_ebpf_fds(n))) {
+ret = ebpf_rss_load(>ebpf_rss);
+}
+}
+
+return ret;
 }
 
 static void virtio_net_unload_ebpf(VirtIONet *n)
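Review bot: The rewritten `virtio_net_load_ebpf()` starts with `bool ret = true` and only changes it when `virtio_net_attach_ebpf_to_backend(n->nic, -1)` succeeds, so a backend that does not support steering eBPF now yields true where the removed code returned false. If that inversion is not intended, initialise `ret` to false. In `virtio_net_load_ebpf_fds()`, the value returned by each `monitor_fd_param()` call is stored without being checked, so a failed lookup is passed on to `ebpf_rss_load_fds()` and later to `close()`, and the `Error *errp` local is declared uninitialised and never reported or freed. `ret` is declared `int` although the function returns `bool`. Finally, when `ebpf_rss_fds` is set but loading from those fds fails, the code silently falls back to `ebpf_rss_load()`, which hides a misconfiguration from whoever passed the fds; an error or warning on that path would help.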
@@ -3605,6 +3673,7 @@ static Property virtio_net_properties[] = {
 VIRTIO_NET_F_RSS, false),
 DEFINE_PROP_BIT64("hash", VirtIONet, host_features,
 VIRTIO_NET_F_HASH_REPORT, false),
+DEFINE_PROP_STRING("ebpf_rss_fds", VirtIONet, ebpf_rss_fds),
 DEFINE_PROP_BIT64("guest_rsc_ext", VirtIONet, host_features,
 VIRTIO_NET_F_RSC_EXT, false),
 DEFINE_PROP_UINT32("rsc_interval", VirtIONet, rsc_timeout,
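Review bot: `ebpf_rss_fds` is added as a free-form string property with no description of its format. From the parser in this patch it is a colon-separated list of exactly `EBPF_RSS_MAX_FDS` fd names resolved through the monitor, passed in order to `ebpf_rss_load_fds()`. That format and the expected order of the program and map fds should be documented next to the property, since libvirt has to construct the string.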
diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
index 824a69c23f..993f2f3036 100644
--- a/include/hw/virtio/virtio-net.h
+++ b/include/hw/virtio/virtio-net.h
@@ -213,6 +213,7 @@ struct VirtIONet {
 VirtioNetRssData rss_data;
 struct NetRxPkt *rx_pkt;
 struct EBPFRSSContext ebpf_rss;
+char *ebpf_rss_fds;
 };
 
 void virtio_net_set_netclient_name(VirtIONet *n, const char *name,
-- 
2.31.1




[PATCH 3/5] qmp: Added the helper stamp check.

2021-07-13 Thread Andrew Melnychenko
Added function to check the stamp in the helper.
eBPF helper should have a special symbol that is generated during build.
QEMU checks the helper and determines that it fits, so the helper
will produce proper output.

Signed-off-by: Andrew Melnychenko 
---
 meson.build   |  10 +
 monitor/meson.build   |   1 +
 monitor/qemu-helper-stamp-utils.c | 297 ++
 monitor/qemu-helper-stamp-utils.h |  24 +++
 4 files changed, 332 insertions(+)
 create mode 100644 monitor/qemu-helper-stamp-utils.c
 create mode 100644 monitor/qemu-helper-stamp-utils.h

diff --git a/meson.build b/meson.build
index 626cf932c1..257e51d91b 100644
--- a/meson.build
+++ b/meson.build
@@ -1757,6 +1757,16 @@ foreach d : hx_headers
 endforeach
 genh += hxdep
 
+helper_stamp = custom_target(
+'qemu-helper-stamp.h',
+output : 'qemu-helper-stamp.h',
+input : 'ebpf/rss.bpf.skeleton.h',
+command : [python, '-c', 'import hashlib; print(\'#define 
QEMU_HELPER_STAMP qemuHelperStamp_{}\'.format(hashlib.sha1(open(\'@INPUT@\', 
\'rb\').read()).hexdigest()))'],
+capture: true,
+)
+
+genh += helper_stamp
+
 ###
 # Collect sources #
 ###
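Review bot: The stamp is the SHA-1 of `ebpf/rss.bpf.skeleton.h` only, so two builds whose helper or QEMU code differ (for example in the number or order of fds exchanged) but whose skeleton is identical get the same `qemuHelperStamp_` symbol and pass the check. If the goal is that QEMU and the helper come from the same build, the hash input should cover more than the skeleton, or the commit message should say that the stamp only tracks the eBPF program. The inline `python -c` one-liner with escaped quotes is also hard to read and maintain; a small script under `scripts/` would be cleaner.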
diff --git a/monitor/meson.build b/monitor/meson.build
index 6d00985ace..2b6b39549b 100644
--- a/monitor/meson.build
+++ b/monitor/meson.build
@@ -5,5 +5,6 @@ softmmu_ss.add(files(
   'hmp.c',
 ))
 softmmu_ss.add([spice_headers, files('qmp-cmds.c')])
+softmmu_ss.add(files('qemu-helper-stamp-utils.c'))
 
 specific_ss.add(when: 'CONFIG_SOFTMMU', if_true: [files('misc.c'), spice])
diff --git a/monitor/qemu-helper-stamp-utils.c 
b/monitor/qemu-helper-stamp-utils.c
new file mode 100644
index 00..d34c3b94c5
--- /dev/null
+++ b/monitor/qemu-helper-stamp-utils.c
@@ -0,0 +1,297 @@
+/*
+ * QEMU helper stamp check utils.
+ *
+ * Developed by Daynix Computing LTD (http://www.daynix.com)
+ *
+ * Authors:
+ *  Andrew Melnychenko 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ * Description: This file mostly implements helper stamp checking.
+ *  The stamp is implemented in a similar way as in qemu modules.
+ *  The helper should contain a specific symbol.
+ *  Not in a similar way is symbol checking - here we parse
+ *  the ELF file. For now(10.07.2021), only eBPF helper contains
+ *  the stamp, and the stamp is generated from
+ *  sha1 ebpf/rss.bpf.skeleton.h (see meson.build).
+ */
+
+#include "qemu/osdep.h"
+#include "elf.h"
+#include "qemu-helper-stamp-utils.h"
+
+#include 
+
+#ifdef CONFIG_LINUX
+
+static void *file_allocate_and_read(int fd, off_t off, size_t size)
+{
+void *data;
+int err;
+
+if (fd < 0) {
+return NULL;
+}
+
+err = lseek(fd, off, SEEK_SET);
+if (err < 0) {
+return NULL;
+}
+
+data = g_new0(char, size);
+if (data == NULL) {
+return NULL;
+}
+
+err = read(fd, data, size);
+if (err < 0) {
+g_free(data);
+return NULL;
+}
+
+return data;
+}
+
+static Elf64_Shdr *elf64_get_section_table(int fd, Elf64_Ehdr *elf_header)
+{
+if (elf_header == NULL) {
+return NULL;
+}
+return (Elf64_Shdr *)file_allocate_and_read(fd, elf_header->e_shoff,
+ elf_header->e_shnum * elf_header->e_shentsize);
+}
+
+static Elf32_Shdr *elf32_get_section_table(int fd, Elf32_Ehdr *elf_header)
+{
+if (elf_header == NULL) {
+return NULL;
+}
+return (Elf32_Shdr *)file_allocate_and_read(fd, elf_header->e_shoff,
+ elf_header->e_shnum * elf_header->e_shentsize);
+}
+
+static void *elf64_get_section_data(int fd, const Elf64_Shdr* section_header)
+{
+if (fd < 0 || section_header == NULL) {
+return NULL;
+}
+return file_allocate_and_read(fd, section_header->sh_offset,
+  section_header->sh_size);
+}
+
+static void *elf32_get_section_data(int fd, const Elf32_Shdr* section_header)
+{
+if (fd < 0 || section_header == NULL) {
+return NULL;
+}
+return file_allocate_and_read(fd, section_header->sh_offset,
+  section_header->sh_size);
+}
+
+static bool elf64_check_symbol_in_symbol_table(int fd,
+   Elf64_Shdr *section_table,
+   Elf64_Shdr *symbol_section,
+   const char *symbol)
+{
+Elf64_Sym *symbol_table;
+char *string_table;
+uint32_t i;
+bool ret = false;
+
+symbol_table = (Elf64_Sym *) elf64_get_section_data(fd, symbol_section);
+if (symbol_table == NULL) {
+return false;
+}
+
+string_table = (char *) elf64_get_section_data(
+fd, section_table + symbol_section->sh_link);
+if (string_table == NULL) {
+
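Review bot: Values read from the helper's ELF file are used without validation throughout this file. `section_table + symbol_section->sh_link` indexes the section table with a number from the file that is never compared against `e_shnum`; `elf64_get_section_table()` reads `e_shnum * e_shentsize` bytes and then treats them as an array of `Elf64_Shdr` without checking that `e_shentsize` matches; and `sh_size` goes straight into the allocation size. In `file_allocate_and_read()`, a `read()` that returns fewer bytes than requested is treated as success and leaves the rest of the `g_new0()` buffer zero-filled, the results of `lseek()` and `read()` are stored in an `int`, and the `data == NULL` check never fires because GLib aborts on allocation failure, so an oversized `sh_size` terminates QEMU. Please bound every offset and size by the file size (from `fstat()`), reject short reads, and check `sh_link < e_shnum` before dereferencing.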

Re: [PATCH 01/11] nbd/server: Remove unused variable

2021-07-13 Thread Eric Blake
On Tue, Jul 13, 2021 at 08:01:34AM -0500, Eric Blake wrote:
> > > @@ -973,7 +973,6 @@ static int nbd_negotiate_meta_queries(NBDClient 
> > > *client,
> > >   {
> > >   int ret;
> > >   g_autofree char *export_name = NULL;
> > > -g_autofree bool *bitmaps = NULL;
> > >   NBDExportMetaContexts local_meta = {0};
> > Actually, "bitmaps" _is_ used, in cleanup handler, setup by g_autofree. So 
> > it's a false positive.
> >
> 
> Correct; this patch is wrong, and would cause a memory leak. This is a
> false positive in clang, and a known issue that clang is in general
> unable to see that g_autofree variables are used, sometimes for their
> intentional side effects such as easier memory cleanup as done here.
> 
> I suspect that the definition of g_autofree already uses
> __attribute__((unused)) to work around clang's oddities, which means
> I'm not sure how to silence clang on this one.

Hmm; in glib 2.68.2 (on Fedora 34), g_autofree does NOT include an
attribute unused.  Thus, does this silence the compiler?  (Even cooler
would be making the comment a link to an actual bug in the clang
database, but I couldn't quickly find one)

diff --git i/nbd/server.c w/nbd/server.c
index b60ebc3ab6ac..393cbd81c57a 100644
--- i/nbd/server.c
+++ w/nbd/server.c
@@ -973,7 +973,8 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
 {
 int ret;
 g_autofree char *export_name = NULL;
-g_autofree bool *bitmaps = NULL;
+/* G_GNUC_UNUSED needed to work around a clang bug */
+g_autofree G_GNUC_UNUSED bool *bitmaps = NULL;
 NBDExportMetaContexts local_meta = {0};
 uint32_t nb_queries;
 size_t i;
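Review bot: The new comment above `bitmaps` says only "clang bug", which will not help whoever next wonders whether the variable can be deleted. State what the variable is for and what is being suppressed, for example that `bitmaps` is released by the `g_autofree` cleanup and clang reports it as unused, and add the clang bug reference once one is found.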


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org




[PATCH for-6.2 00/34] target/arm: Third slice of MVE implementation

2021-07-13 Thread Peter Maydell
This patchseries provides the third slice of the MVE implementation.
In this series:
 * fixes for minor bugs in a couple of the insns already upstream
 * all the remaining integer instructions
 * the remaining loads and stores (scatter-gather and interleaving)

This is obviously for-6.2 material, so no urgency in reviewing it.
But "all the integer stuff done" seemed like an obvious natural
break point to send out what I've done so far.

I apologize in advance for the final patch, which was tricky for
me to write and is probably going to be painful to review too.
This is mostly because I find the interleaving loads/stores
rather confusing...

thanks
-- PMM

Peter Maydell (34):
  target/arm: Note that we handle VMOVL as a special case of VSHLL
  target/arm: Print MVE VPR in CPU dumps
  target/arm: Fix MVE VSLI by 0 and VSRI by 
  target/arm: Fix signed VADDV
  target/arm: Fix mask handling for MVE narrowing operations
  target/arm: Fix 48-bit saturating shifts
  target/arm: Fix calculation of LTP mask when LR is 0
  target/arm: Fix VPT advance when ECI is non-zero
  target/arm: Factor out mve_eci_mask()
  target/arm: Fix VLDRB/H/W for predicated elements
  target/arm: Implement MVE VMULL (polynomial)
  target/arm: Implement MVE incrementing/decrementing dup insns
  target/arm: Factor out gen_vpst()
  target/arm: Implement MVE integer vector comparisons
  target/arm: Implement MVE integer vector-vs-scalar comparisons
  target/arm: Implement MVE VPSEL
  target/arm: Implement MVE VMLAS
  target/arm: Implement MVE shift-by-scalar
  target/arm: Move 'x' and 'a' bit definitions into vmlaldav formats
  target/arm: Implement MVE integer min/max across vector
  target/arm: Implement MVE VABAV
  target/arm: Implement MVE narrowing moves
  target/arm: Rename MVEGenDualAccOpFn to MVEGenLongDualAccOpFn
  target/arm: Implement MVE VMLADAV and VMLSLDAV
  target/arm: Implement MVE VMLA
  target/arm: Implement MVE saturating doubling multiply accumulates
  target/arm: Implement MVE VQABS, VQNEG
  target/arm: Implement MVE VMAXA, VMINA
  target/arm: Implement MVE VMOV to/from 2 general-purpose registers
  target/arm: Implement MVE VPNOT
  target/arm: Implement MVE VCTP
  target/arm: Implement MVE scatter-gather insns
  target/arm: Implement MVE scatter-gather immediate forms
  target/arm: Implement MVE interleaving loads/stores

 target/arm/helper-mve.h|  295 +
 target/arm/translate-a32.h |2 +
 target/arm/vec_internal.h  |   11 +
 target/arm/mve.decode  |  228 ++-
 target/arm/t32.decode  |1 +
 target/arm/cpu.c   |3 +
 target/arm/mve_helper.c| 1259 ++--
 target/arm/translate-mve.c |  865 -
 target/arm/translate-vfp.c |2 +-
 target/arm/translate.c |   33 +
 target/arm/vec_helper.c|   14 +-
 11 files changed, 2628 insertions(+), 85 deletions(-)

-- 
2.20.1




[PATCH for-6.2 02/34] target/arm: Print MVE VPR in CPU dumps

2021-07-13 Thread Peter Maydell
Include the MVE VPR register value in the CPU dumps produced by
arm_cpu_dump_state() if we are printing FPU information. This
makes it easier to interpret debug logs when predication is
active.

Signed-off-by: Peter Maydell 
---
 target/arm/cpu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 9cddfd6a442..6d6b037 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1016,6 +1016,9 @@ static void arm_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
  i, v);
 }
 qemu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
+if (cpu_isar_feature(aa32_mve, cpu)) {
+qemu_fprintf(f, "VPR: %08x\n", env->v7m.vpr);
+}
 }
 }
 
-- 
2.20.1




[PATCH for-6.2 21/34] target/arm: Implement MVE VABAV

2021-07-13 Thread Peter Maydell
Implement the MVE VABAV insn, which computes absolute differences
between elements of two vectors and accumulates the result into
a general purpose register.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  7 +++
 target/arm/mve.decode  |  6 ++
 target/arm/mve_helper.c| 26 +++
 target/arm/translate-mve.c | 43 ++
 4 files changed, 82 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 282bfe80942..5c3f8a26df0 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -410,6 +410,13 @@ DEF_HELPER_FLAGS_3(mve_vminavw, TCG_CALL_NO_WG, i32, env, 
ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vaddlv_s, TCG_CALL_NO_WG, i64, env, ptr, i64)
 DEF_HELPER_FLAGS_3(mve_vaddlv_u, TCG_CALL_NO_WG, i64, env, ptr, i64)
 
+DEF_HELPER_FLAGS_4(mve_vabavsb, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vabavsh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vabavsw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vabavub, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vabavuh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vabavuw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_3(mve_vmovi, TCG_CALL_NO_WG, void, env, ptr, i64)
 DEF_HELPER_FLAGS_3(mve_vandi, TCG_CALL_NO_WG, void, env, ptr, i64)
 DEF_HELPER_FLAGS_3(mve_vorri, TCG_CALL_NO_WG, void, env, ptr, i64)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 9ae417b718a..bf6cf6f8383 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -41,6 +41,7 @@
 _scalar qn rm size mask
 _scalar qda rm size
  qm rda size
+ qn qm rda size
 
 @vldr_vstr ... . . . . l:1 rn:4 ... .. imm:7 _vstr qd=%qd u=0
 # Note that both Rn and Qd are 3 bits only (no D bit)
@@ -386,6 +387,11 @@ VMLAS_U   1110 0 . .. ... 1 ... 1 1110 . 100 
 @2scalar
  rdahi=%rdahi rdalo=%rdalo
 }
 
+@vabav     .. size:2  rda:4     qn=%qn 
qm=%qm
+
+VABAV_S  111 0 1110 10 .. ... 0   . 0 . 0 ... 1 @vabav
+VABAV_U  111 1 1110 10 .. ... 0   . 0 . 0 ... 1 @vabav
+
 # Logical immediate operations (1 reg and modified-immediate)
 
 # The cmode/op bits here decode VORR/VBIC/VMOV/VMVN, but
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 5066ee3169a..4eb5dbce6d7 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1335,6 +1335,32 @@ DO_VMAXMINV(vminavb, 1, int8_t, uint8_t, do_mina)
 DO_VMAXMINV(vminavh, 2, int16_t, uint16_t, do_mina)
 DO_VMAXMINV(vminavw, 4, int32_t, uint32_t, do_mina)
 
+#define DO_VABAV(OP, ESIZE, TYPE)   \
+uint32_t HELPER(glue(mve_, OP))(CPUARMState *env, void *vn, \
+void *vm, uint32_t ra)  \
+{   \
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+TYPE *m = vm, *n = vn;  \
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+if (mask & 1) { \
+int64_t n0 = n[H##ESIZE(e)];\
+int64_t m0 = m[H##ESIZE(e)];\
+uint32_t r = n0 >= m0 ? (n0 - m0) : (m0 - n0);  \
+ra += r;\
+}   \
+}   \
+mve_advance_vpt(env);   \
+return ra;  \
+}
+
+DO_VABAV(vabavsb, 1, int8_t)
+DO_VABAV(vabavsh, 2, int16_t)
+DO_VABAV(vabavsw, 4, int32_t)
+DO_VABAV(vabavub, 1, uint8_t)
+DO_VABAV(vabavuh, 2, uint16_t)
+DO_VABAV(vabavuw, 4, uint32_t)
+
 #define DO_VADDLV(OP, TYPE, LTYPE)  \
 uint64_t HELPER(glue(mve_, OP))(CPUARMState *env, void *vm, \
 uint64_t ra)\
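Review bot: `DO_VABAV` relies on two things that deserve a comment above the macro: `n0` and `m0` are widened to `int64_t` so that the difference of two 32-bit elements cannot overflow, and the `uint32_t` accumulator `ra` wraps modulo 2^32. Without that note the mix of `TYPE`, `int64_t` and `uint32_t` in a few lines looks accidental.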
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index 949c11344e3..c304b8d6e41 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -45,6 +45,7 @@ typedef void MVEGenVIDUPFn(TCGv_i32, TCGv_ptr, TCGv_ptr, 
TCGv_i32, TCGv_i32);
 typedef void MVEGenVIWDUPFn(TCGv_i32, TCGv_ptr, TCGv_ptr, TCGv_i32, TCGv_i32, 
TCGv_i32);
 typedef void MVEGenCmpFn(TCGv_ptr, TCGv_ptr, TCGv_ptr);
 typedef void MVEGenScalarCmpFn(TCGv_ptr, TCGv_ptr, TCGv_i32);
+typedef void MVEGenVABAVFn(TCGv_i32, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_i32);
 
 /* Return the offset of a Qn register (same semantics as aa32_vfp_qreg()) */
 static inline long mve_qreg_offset(unsigned reg)
@@ -1368,3 +1369,45 @@ DO_VMAXV(VMAXAV, vmaxav)
 DO_VMAXV(VMINV_S, vminvs)
 

[PATCH for-6.2 28/34] target/arm: Implement MVE VMAXA, VMINA

2021-07-13 Thread Peter Maydell
Implement the MVE VMAXA and VMINA insns, which take the absolute
value of the signed elements in the input vector and then accumulate
the unsigned max or min into the destination vector.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  8 
 target/arm/mve.decode  |  4 
 target/arm/mve_helper.c| 26 ++
 target/arm/translate-mve.c |  2 ++
 4 files changed, 40 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 69f0474f6a3..c36640e75e9 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -88,6 +88,14 @@ DEF_HELPER_FLAGS_3(mve_vqnegb, TCG_CALL_NO_WG, void, env, 
ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vqnegh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vqnegw, TCG_CALL_NO_WG, void, env, ptr, ptr)
 
+DEF_HELPER_FLAGS_3(mve_vmaxab, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vmaxah, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vmaxaw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vminab, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vminah, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vminaw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
 DEF_HELPER_FLAGS_3(mve_vmovnbb, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vmovnbh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vmovntb, TCG_CALL_NO_WG, void, env, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 1d38dd8dba3..3899937f033 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -156,6 +156,8 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VQMOVUNB   111 0 1110 0 . 11 .. 01 ... 0 1110 1 0 . 0 ... 1 @1op
   VQMOVN_BS  111 0 1110 0 . 11 .. 11 ... 0 1110 0 0 . 0 ... 1 @1op
 
+  VMAXA  111 0 1110 0 . 11 .. 11 ... 0 1110 1 0 . 0 ... 1 @1op
+
   VMULH_S111 0 1110 0 . .. ...1 ... 0 1110 . 0 . 0 ... 1 @2op
 }
 
@@ -176,6 +178,8 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VQMOVUNT   111 0 1110 0 . 11 .. 01 ... 1 1110 1 0 . 0 ... 1 @1op
   VQMOVN_TS  111 0 1110 0 . 11 .. 11 ... 1 1110 0 0 . 0 ... 1 @1op
 
+  VMINA  111 0 1110 0 . 11 .. 11 ... 1 1110 1 0 . 0 ... 1 @1op
+
   VRMULH_S   111 0 1110 0 . .. ...1 ... 1 1110 . 0 . 0 ... 1 @2op
 }
 
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 3b3695885ef..40e652229d6 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -2250,3 +2250,29 @@ DO_1OP_SAT(vqabsw, 4, int32_t, DO_VQABS_W)
 DO_1OP_SAT(vqnegb, 1, int8_t, DO_VQNEG_B)
 DO_1OP_SAT(vqnegh, 2, int16_t, DO_VQNEG_H)
 DO_1OP_SAT(vqnegw, 4, int32_t, DO_VQNEG_W)
+
+/*
+ * VMAXA, VMINA: vd is unsigned; vm is signed, and we take its
+ * absolute value; we then do an unsigned comparison.
+ */
+#define DO_VMAXMINA(OP, ESIZE, STYPE, UTYPE, FN)\
+void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm) \
+{   \
+UTYPE *d = vd;  \
+STYPE *m = vm;  \
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+UTYPE r = DO_ABS(m[H##ESIZE(e)]);   \
+r = FN(d[H##ESIZE(e)], r);  \
+mergemask([H##ESIZE(e)], r, mask);\
+}   \
+mve_advance_vpt(env);   \
+}
+
+DO_VMAXMINA(vmaxab, 1, int8_t, uint8_t, DO_MAX)
+DO_VMAXMINA(vmaxah, 2, int16_t, uint16_t, DO_MAX)
+DO_VMAXMINA(vmaxaw, 4, int32_t, uint32_t, DO_MAX)
+DO_VMAXMINA(vminab, 1, int8_t, uint8_t, DO_MIN)
+DO_VMAXMINA(vminah, 2, int16_t, uint16_t, DO_MIN)
+DO_VMAXMINA(vminaw, 4, int32_t, uint32_t, DO_MIN)
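Review bot: In `DO_VMAXMINA`, `DO_ABS(m[H##ESIZE(e)])` is applied to the element in its own signed type, whereas the `DO_VQABS_*` macros from the VQABS/VQNEG patch widen first with `DO_ABS((int64_t)N)`. For `vmaxaw`/`vminaw`, an element equal to `INT32_MIN` is then negated as a 32-bit signed value if `DO_ABS` negates its operand directly. Casting to `int64_t` before `DO_ABS`, as the saturating variants do, keeps the two macros consistent and avoids depending on wrapping signed arithmetic.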
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index 59e09f58a8c..f243c34bd21 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -277,6 +277,8 @@ DO_1OP(VABS, vabs)
 DO_1OP(VNEG, vneg)
 DO_1OP(VQABS, vqabs)
 DO_1OP(VQNEG, vqneg)
+DO_1OP(VMAXA, vmaxa)
+DO_1OP(VMINA, vmina)
 
 /* Narrowing moves: only size 0 and 1 are valid */
 #define DO_VMOVN(INSN, FN) \
-- 
2.20.1




[PATCH for-6.2 27/34] target/arm: Implement MVE VQABS, VQNEG

2021-07-13 Thread Peter Maydell
Implement the MVE 1-operand saturating operations VQABS and VQNEG.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  8 
 target/arm/mve.decode  |  3 +++
 target/arm/mve_helper.c| 37 +
 target/arm/translate-mve.c |  2 ++
 4 files changed, 50 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index e61c5d56f41..69f0474f6a3 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -80,6 +80,14 @@ DEF_HELPER_FLAGS_3(mve_vnegw, TCG_CALL_NO_WG, void, env, 
ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vfnegh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vfnegs, TCG_CALL_NO_WG, void, env, ptr, ptr)
 
+DEF_HELPER_FLAGS_3(mve_vqabsb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqabsh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqabsw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vqnegb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqnegh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqnegw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
 DEF_HELPER_FLAGS_3(mve_vmovnbb, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vmovnbh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vmovntb, TCG_CALL_NO_WG, void, env, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 99cea8d39b6..1d38dd8dba3 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -279,6 +279,9 @@ VABS_fp    1 . 11 .. 01 ... 0 0111 01 . 0 
... 0 @1op
 VNEG   1 . 11 .. 01 ... 0 0011 11 . 0 ... 0 @1op
 VNEG_fp    1 . 11 .. 01 ... 0 0111 11 . 0 ... 0 @1op
 
+VQABS  1 . 11 .. 00 ... 0 0111 01 . 0 ... 0 @1op
+VQNEG  1 . 11 .. 00 ... 0 0111 11 . 0 ... 0 @1op
+
  qd rt size
 # Qd is in the fields usually named Qn
 @vdup  . . .. ... . rt:4  . . . .  qd=%qn 
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 1013060baeb..3b3695885ef 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -2213,3 +2213,40 @@ void HELPER(mve_vpsel)(CPUARMState *env, void *vd, void 
*vn, void *vm)
 }
 mve_advance_vpt(env);
 }
+
+#define DO_1OP_SAT(OP, ESIZE, TYPE, FN) \
+void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm) \
+{   \
+TYPE *d = vd, *m = vm;  \
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+bool qc = false;\
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+bool sat = false;   \
+mergemask([H##ESIZE(e)], FN(m[H##ESIZE(e)], ), mask); \
+qc |= sat & mask & 1;   \
+}   \
+if (qc) {   \
+env->vfp.qc[0] = qc;\
+}   \
+mve_advance_vpt(env);   \
+}
+
+#define DO_VQABS_B(N, SATP) \
+do_sat_bhs(DO_ABS((int64_t)N), INT8_MIN, INT8_MAX, SATP)
+#define DO_VQABS_H(N, SATP) \
+do_sat_bhs(DO_ABS((int64_t)N), INT16_MIN, INT16_MAX, SATP)
+#define DO_VQABS_W(N, SATP) \
+do_sat_bhs(DO_ABS((int64_t)N), INT32_MIN, INT32_MAX, SATP)
+
+#define DO_VQNEG_B(N, SATP) do_sat_bhs(-(int64_t)N, INT8_MIN, INT8_MAX, SATP)
+#define DO_VQNEG_H(N, SATP) do_sat_bhs(-(int64_t)N, INT16_MIN, INT16_MAX, SATP)
+#define DO_VQNEG_W(N, SATP) do_sat_bhs(-(int64_t)N, INT32_MIN, INT32_MAX, SATP)
+
+DO_1OP_SAT(vqabsb, 1, int8_t, DO_VQABS_B)
+DO_1OP_SAT(vqabsh, 2, int16_t, DO_VQABS_H)
+DO_1OP_SAT(vqabsw, 4, int32_t, DO_VQABS_W)
+
+DO_1OP_SAT(vqnegb, 1, int8_t, DO_VQNEG_B)
+DO_1OP_SAT(vqnegh, 2, int16_t, DO_VQNEG_H)
+DO_1OP_SAT(vqnegw, 4, int32_t, DO_VQNEG_W)
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index f8b34c9ef36..59e09f58a8c 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -275,6 +275,8 @@ DO_1OP(VCLZ, vclz)
 DO_1OP(VCLS, vcls)
 DO_1OP(VABS, vabs)
 DO_1OP(VNEG, vneg)
+DO_1OP(VQABS, vqabs)
+DO_1OP(VQNEG, vqneg)
 
 /* Narrowing moves: only size 0 and 1 are valid */
 #define DO_VMOVN(INSN, FN) \
-- 
2.20.1




[PULL 06/12] linux-user/mips: Move errno definitions to 'target_errno_defs.h'

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Suggested-by: Richard Henderson 
Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-7-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/mips/target_errno_defs.h   | 215 ++
 linux-user/mips/target_syscall.h  | 211 -
 linux-user/mips64/target_errno_defs.h |   6 +-
 linux-user/mips64/target_syscall.h| 211 -
 4 files changed, 220 insertions(+), 423 deletions(-)

diff --git a/linux-user/mips/target_errno_defs.h 
b/linux-user/mips/target_errno_defs.h
index daef95ea7030..5685cda10db8 100644
--- a/linux-user/mips/target_errno_defs.h
+++ b/linux-user/mips/target_errno_defs.h
@@ -3,4 +3,219 @@
 
 #include "../generic/target_errno_defs.h"
 
+/*
+ * Generic target errno overridden with definitions taken
+ * from asm-mips/errno.h
+ */
+
+#undef TARGET_EWOULDBLOCK
+#define TARGET_EWOULDBLOCK TARGET_EAGAIN /* Operation would block */
+#undef TARGET_ENOMSG
+#define TARGET_ENOMSG  35  /* Identifier removed */
+#undef TARGET_EIDRM
+#define TARGET_EIDRM   36  /* Identifier removed */
+#undef TARGET_ECHRNG
+#define TARGET_ECHRNG  37  /* Channel number out of range */
+#undef TARGET_EL2NSYNC
+#define TARGET_EL2NSYNC38  /* Level 2 not synchronized */
+#undef TARGET_EL3HLT
+#define TARGET_EL3HLT  39  /* Level 3 halted */
+#undef TARGET_EL3RST
+#define TARGET_EL3RST  40  /* Level 3 reset */
+#undef TARGET_ELNRNG
+#define TARGET_ELNRNG  41  /* Link number out of range */
+#undef TARGET_EUNATCH
+#define TARGET_EUNATCH 42  /* Protocol driver not attached */
+#undef TARGET_ENOCSI
+#define TARGET_ENOCSI  43  /* No CSI structure available */
+#undef TARGET_EL2HLT
+#define TARGET_EL2HLT  44  /* Level 2 halted */
+#undef TARGET_EDEADLK
+#define TARGET_EDEADLK 45  /* Resource deadlock would occur */
+#undef TARGET_ENOLCK
+#define TARGET_ENOLCK  46  /* No record locks available */
+#undef TARGET_EBADE
+#define TARGET_EBADE   50  /* Invalid exchange */
+#undef TARGET_EBADR
+#define TARGET_EBADR   51  /* Invalid request descriptor */
+#undef TARGET_EXFULL
+#define TARGET_EXFULL  52  /* TARGET_Exchange full */
+#undef TARGET_ENOANO
+#define TARGET_ENOANO  53  /* No anode */
+#undef TARGET_EBADRQC
+#define TARGET_EBADRQC 54  /* Invalid request code */
+#undef TARGET_EBADSLT
+#define TARGET_EBADSLT 55  /* Invalid slot */
+#undef TARGET_EDEADLOCK
+#define TARGET_EDEADLOCK   56  /* File locking deadlock error */
+#undef TARGET_EBFONT
+#define TARGET_EBFONT  59  /* Bad font file format */
+#undef TARGET_ENOSTR
+#define TARGET_ENOSTR  60  /* Device not a stream */
+#undef TARGET_ENODATA
+#define TARGET_ENODATA 61  /* No data available */
+#undef TARGET_ETIME
+#define TARGET_ETIME   62  /* Timer expired */
+#undef TARGET_ENOSR
+#define TARGET_ENOSR   63  /* Out of streams resources */
+#undef TARGET_ENONET
+#define TARGET_ENONET  64  /* Machine is not on the network */
+#undef TARGET_ENOPKG
+#define TARGET_ENOPKG  65  /* Package not installed */
+#undef TARGET_EREMOTE
+#define TARGET_EREMOTE 66  /* Object is remote */
+#undef TARGET_ENOLINK
+#define TARGET_ENOLINK 67  /* Link has been severed */
+#undef TARGET_EADV
+#define TARGET_EADV68  /* Advertise error */
+#undef TARGET_ESRMNT
+#define TARGET_ESRMNT  69  /* Srmount error */
+#undef TARGET_ECOMM
+#define TARGET_ECOMM   70  /* Communication error on send */
+#undef TARGET_EPROTO
+#define TARGET_EPROTO  71  /* Protocol error */
+#undef TARGET_EDOTDOT
+#define TARGET_EDOTDOT 73  /* RFS specific error */
+#undef TARGET_EMULTIHOP
+#define TARGET_EMULTIHOP   74  /* Multihop attempted */
+#undef TARGET_EBADMSG
+#define TARGET_EBADMSG 77  /* Not a data message */
+#undef TARGET_ENAMETOOLONG
+#define TARGET_ENAMETOOLONG78  /* File name too long */
+#undef TARGET_EOVERFLOW
+#define TARGET_EOVERFLOW   79  /* Value too large for defined data 
type */
+#undef TARGET_ENOTUNIQ
+#define TARGET_ENOTUNIQ80  /* Name not unique on network */
+#undef TARGET_EBADFD
+#define TARGET_EBADFD  81  /* File descriptor in bad state */
+#undef TARGET_EREMCHG
+#define TARGET_EREMCHG 82  /* Remote address changed */
+#undef TARGET_ELIBACC
+#define TARGET_ELIBACC 83  /* Can not access a needed shared 
library */
+#undef TARGET_ELIBBAD
+#define TARGET_ELIBBAD 84  /* Accessing a corrupted shared library 
*/
+#undef TARGET_ELIBSCN
+#define TARGET_ELIBSCN 85  /* .lib section in a.out corrupted */
+#undef TARGET_ELIBMAX
+#define 
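Review bot: the comment on TARGET_EXFULL reads "TARGET_Exchange full", which looks like the TARGET_ prefix substitution also rewrote the comment text; it should read "Exchange full" like the neighbouring entries. A quick grep for "TARGET_" inside the comments of this header would catch any other instance before the file is merged.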

[PULL 10/12] linux-user: update syscall_nr.h to Linux v5.13

2021-07-13 Thread Laurent Vivier
Automatically generated using scripts/gensyscalls.sh

Signed-off-by: Laurent Vivier 
Reviewed-by: Taylor Simpson 
Message-Id: <20210708215756.268805-2-laur...@vivier.eu>
Signed-off-by: Laurent Vivier 
---
 linux-user/aarch64/syscall_nr.h  |  8 +++-
 linux-user/hexagon/syscall_nr.h  | 12 +++-
 linux-user/nios2/syscall_nr.h|  8 +++-
 linux-user/openrisc/syscall_nr.h |  8 +++-
 linux-user/riscv/syscall32_nr.h  |  8 +++-
 linux-user/riscv/syscall64_nr.h  |  8 +++-
 6 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/linux-user/aarch64/syscall_nr.h b/linux-user/aarch64/syscall_nr.h
index 6fd5b331e780..12ef002d60f9 100644
--- a/linux-user/aarch64/syscall_nr.h
+++ b/linux-user/aarch64/syscall_nr.h
@@ -302,6 +302,12 @@
 #define TARGET_NR_openat2 437
 #define TARGET_NR_pidfd_getfd 438
 #define TARGET_NR_faccessat2 439
-#define TARGET_NR_syscalls 440
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_AARCH64_SYSCALL_NR_H */
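Review bot: the added block goes from TARGET_NR_mount_setattr 442 straight to TARGET_NR_landlock_create_ruleset 444, so 443 is left undefined, and the commit message says only that the file is generated. Please add a line to the commit message confirming that the gap comes from the v5.13 headers and is not a generator omission; the same gap appears in every file touched by this patch.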
diff --git a/linux-user/hexagon/syscall_nr.h b/linux-user/hexagon/syscall_nr.h
index da1314f7132d..b047dbbf6df3 100644
--- a/linux-user/hexagon/syscall_nr.h
+++ b/linux-user/hexagon/syscall_nr.h
@@ -317,6 +317,16 @@
 #define TARGET_NR_fsmount 432
 #define TARGET_NR_fspick 433
 #define TARGET_NR_pidfd_open 434
-#define TARGET_NR_syscalls 436
+#define TARGET_NR_close_range 436
+#define TARGET_NR_openat2 437
+#define TARGET_NR_pidfd_getfd 438
+#define TARGET_NR_faccessat2 439
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_HEXAGON_SYSCALL_NR_H */
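Review bot: in this file the list also jumps from TARGET_NR_pidfd_open 434 to TARGET_NR_close_range 436, and the old TARGET_NR_syscalls 436 shows that this header was several entries behind the other targets. It is worth confirming that 435 is absent on purpose for hexagon and noting in the commit message that this target picks up more than the v5.13 additions.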
diff --git a/linux-user/nios2/syscall_nr.h b/linux-user/nios2/syscall_nr.h
index e37f40179bf3..11a37b32e8b1 100644
--- a/linux-user/nios2/syscall_nr.h
+++ b/linux-user/nios2/syscall_nr.h
@@ -322,6 +322,12 @@
 #define TARGET_NR_openat2 437
 #define TARGET_NR_pidfd_getfd 438
 #define TARGET_NR_faccessat2 439
-#define TARGET_NR_syscalls 440
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_NIOS2_SYSCALL_NR_H */
diff --git a/linux-user/openrisc/syscall_nr.h b/linux-user/openrisc/syscall_nr.h
index a8fc0295109a..f7faddb54c58 100644
--- a/linux-user/openrisc/syscall_nr.h
+++ b/linux-user/openrisc/syscall_nr.h
@@ -323,6 +323,12 @@
 #define TARGET_NR_openat2 437
 #define TARGET_NR_pidfd_getfd 438
 #define TARGET_NR_faccessat2 439
-#define TARGET_NR_syscalls 440
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_OPENRISC_SYSCALL_NR_H */
diff --git a/linux-user/riscv/syscall32_nr.h b/linux-user/riscv/syscall32_nr.h
index 079b804daef5..1327d7dffab9 100644
--- a/linux-user/riscv/syscall32_nr.h
+++ b/linux-user/riscv/syscall32_nr.h
@@ -296,6 +296,12 @@
 #define TARGET_NR_openat2 437
 #define TARGET_NR_pidfd_getfd 438
 #define TARGET_NR_faccessat2 439
-#define TARGET_NR_syscalls 440
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_RISCV_SYSCALL32_NR_H */
diff --git a/linux-user/riscv/syscall64_nr.h b/linux-user/riscv/syscall64_nr.h
index d54224ccec64..6659751933d5 100644
--- a/linux-user/riscv/syscall64_nr.h
+++ b/linux-user/riscv/syscall64_nr.h
@@ -302,6 +302,12 @@
 #define TARGET_NR_openat2 437
 #define TARGET_NR_pidfd_getfd 438
 #define TARGET_NR_faccessat2 439
-#define TARGET_NR_syscalls 440
+#define TARGET_NR_process_madvise 440
+#define TARGET_NR_epoll_pwait2 441
+#define TARGET_NR_mount_setattr 442
+#define TARGET_NR_landlock_create_ruleset 444
+#define TARGET_NR_landlock_add_rule 445
+#define TARGET_NR_landlock_restrict_self 446
+#define TARGET_NR_syscalls 447
 
 #endif /* LINUX_USER_RISCV_SYSCALL64_NR_H */
-- 
2.31.1




[PULL 09/12] fd-trans: Fix race condition on reallocation of the translation table.

2021-07-13 Thread Laurent Vivier
From: Owen Anderson 

The mapping from file-descriptors to translator functions is not guarded
on realloc which may cause invalid function pointers to be read from a
previously deallocated mapping.

Signed-off-by: Owen Anderson 
Reviewed-by: Laurent Vivier 
Message-Id: <20210701221255.107976-1-oande...@google.com>
Signed-off-by: Laurent Vivier 
---
 linux-user/fd-trans.c |  1 +
 linux-user/fd-trans.h | 55 +--
 linux-user/main.c |  3 +++
 3 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c
index 23adaca83639..86b6f484d30b 100644
--- a/linux-user/fd-trans.c
+++ b/linux-user/fd-trans.c
@@ -267,6 +267,7 @@ enum {
 };
 
 TargetFdTrans **target_fd_trans;
+QemuMutex target_fd_trans_lock;
 unsigned int target_fd_max;
 
 static void tswap_nlmsghdr(struct nlmsghdr *nlh)
diff --git a/linux-user/fd-trans.h b/linux-user/fd-trans.h
index a3fcdaabc758..1b9fa2041c06 100644
--- a/linux-user/fd-trans.h
+++ b/linux-user/fd-trans.h
@@ -16,6 +16,8 @@
 #ifndef FD_TRANS_H
 #define FD_TRANS_H
 
+#include "qemu/lockable.h"
+
 typedef abi_long (*TargetFdDataFunc)(void *, size_t);
 typedef abi_long (*TargetFdAddrFunc)(void *, abi_ulong, socklen_t);
 typedef struct TargetFdTrans {
@@ -25,12 +27,23 @@ typedef struct TargetFdTrans {
 } TargetFdTrans;
 
 extern TargetFdTrans **target_fd_trans;
+extern QemuMutex target_fd_trans_lock;
 
 extern unsigned int target_fd_max;
 
+static inline void fd_trans_init(void)
+{
+qemu_mutex_init(_fd_trans_lock);
+}
+
 static inline TargetFdDataFunc fd_trans_target_to_host_data(int fd)
 {
-if (fd >= 0 && fd < target_fd_max && target_fd_trans[fd]) {
+if (fd < 0) {
+return NULL;
+}
+
+QEMU_LOCK_GUARD(_fd_trans_lock);
+if (fd < target_fd_max && target_fd_trans[fd]) {
 return target_fd_trans[fd]->target_to_host_data;
 }
 return NULL;
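Review bot: in fd_trans_target_to_host_data() the guard covers only the table lookup, and the function pointer it returns is called by the caller after the lock has been dropped. That is safe only if the TargetFdTrans objects themselves are never freed, and nothing in the header says so. A comment next to target_fd_trans_lock stating that it protects target_fd_trans and target_fd_max, not the entries they point to, would make the contract explicit. The same lookup pattern is repeated in the next two accessors, so a single locked helper returning the TargetFdTrans pointer would remove the triplication.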
@@ -38,7 +51,12 @@ static inline TargetFdDataFunc 
fd_trans_target_to_host_data(int fd)
 
 static inline TargetFdDataFunc fd_trans_host_to_target_data(int fd)
 {
-if (fd >= 0 && fd < target_fd_max && target_fd_trans[fd]) {
+if (fd < 0) {
+return NULL;
+}
+
+QEMU_LOCK_GUARD(_fd_trans_lock);
+if (fd < target_fd_max && target_fd_trans[fd]) {
 return target_fd_trans[fd]->host_to_target_data;
 }
 return NULL;
@@ -46,13 +64,19 @@ static inline TargetFdDataFunc 
fd_trans_host_to_target_data(int fd)
 
 static inline TargetFdAddrFunc fd_trans_target_to_host_addr(int fd)
 {
-if (fd >= 0 && fd < target_fd_max && target_fd_trans[fd]) {
+if (fd < 0) {
+return NULL;
+}
+
+QEMU_LOCK_GUARD(_fd_trans_lock);
+if (fd < target_fd_max && target_fd_trans[fd]) {
 return target_fd_trans[fd]->target_to_host_addr;
 }
 return NULL;
 }
 
-static inline void fd_trans_register(int fd, TargetFdTrans *trans)
+static inline void internal_fd_trans_register_unsafe(int fd,
+ TargetFdTrans *trans)
 {
 unsigned int oldmax;
 
@@ -67,18 +91,35 @@ static inline void fd_trans_register(int fd, TargetFdTrans 
*trans)
 target_fd_trans[fd] = trans;
 }
 
-static inline void fd_trans_unregister(int fd)
+static inline void fd_trans_register(int fd, TargetFdTrans *trans)
+{
+QEMU_LOCK_GUARD(_fd_trans_lock);
+internal_fd_trans_register_unsafe(fd, trans);
+}
+
+static inline void internal_fd_trans_unregister_unsafe(int fd)
 {
 if (fd >= 0 && fd < target_fd_max) {
 target_fd_trans[fd] = NULL;
 }
 }
 
+static inline void fd_trans_unregister(int fd)
+{
+if (fd < 0) {
+return;
+}
+
+QEMU_LOCK_GUARD(_fd_trans_lock);
+internal_fd_trans_unregister_unsafe(fd);
+}
+
 static inline void fd_trans_dup(int oldfd, int newfd)
 {
-fd_trans_unregister(newfd);
+QEMU_LOCK_GUARD(_fd_trans_lock);
+internal_fd_trans_unregister_unsafe(newfd);
 if (oldfd < target_fd_max && target_fd_trans[oldfd]) {
-fd_trans_register(newfd, target_fd_trans[oldfd]);
+internal_fd_trans_register_unsafe(newfd, target_fd_trans[oldfd]);
 }
 }
 
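Review bot: the new internal_fd_trans_register_unsafe() and internal_fd_trans_unregister_unsafe() helpers carry no comment saying the caller must hold target_fd_trans_lock, and the "_unsafe" suffix alone does not say which lock is meant. Please document that requirement on both. In fd_trans_dup() the test `oldfd < target_fd_max` has no `oldfd >= 0` check, unlike the other entry points in this patch, which return early on a negative fd; it works only through the int to unsigned conversion, so an explicit check would be clearer.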
diff --git a/linux-user/main.c b/linux-user/main.c
index 2fb3a366a699..37ed50d98e2e 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -48,6 +48,7 @@
 #include "target_elf.h"
 #include "cpu_loop-common.h"
 #include "crypto/init.h"
+#include "fd-trans.h"
 
 #ifndef AT_FLAGS_PRESERVE_ARGV0
 #define AT_FLAGS_PRESERVE_ARGV0_BIT 0
@@ -829,6 +830,8 @@ int main(int argc, char **argv, char **envp)
 cpu->opaque = ts;
 task_settid(ts);
 
+fd_trans_init();
+
 ret = loader_exec(execfd, exec_path, target_argv, target_environ, regs,
 info, );
 if (ret != 0) {
-- 
2.31.1




[PATCH v2 0/3] docs: document cubieboard, emcraft-sf2, highbank, midway

2021-07-13 Thread Peter Maydell
This patchset adds documentation of the four board
models cubieboard, emcraft-sf2, highbank and midway.
The documentation here is rather skeletal, being based
on a quick read of sources, cover letter from original
patch submission, etc.

People interested in these machines are encouraged to
improve on these docs, but I would like us to at least
have a stub for all the Arm boards we emulate.

For the record, as well as these we have another ten
undocumented boards:
  imx25-pdk, kzm, mainstone, mcimx6ul-evk, mcimx7d-sabre,
  nuri, smdkc210, xilinx-zynq-a9, xlnx-zcu102, z2

v2: updated cubieboard and emcraft-sf2 files to list emulated devices
(thanks to Philippe for the lists of devices).

thanks
-- PMM

Peter Maydell (3):
  docs: Add skeletal documentation of cubieboard
  docs: Add skeletal documentation of the emcraft-sf2
  docs: Add skeletal documentation of highbank and midway

 docs/system/arm/cubieboard.rst  | 16 
 docs/system/arm/emcraft-sf2.rst | 15 +++
 docs/system/arm/highbank.rst| 19 +++
 docs/system/target-arm.rst  |  3 +++
 MAINTAINERS |  3 +++
 5 files changed, 56 insertions(+)
 create mode 100644 docs/system/arm/cubieboard.rst
 create mode 100644 docs/system/arm/emcraft-sf2.rst
 create mode 100644 docs/system/arm/highbank.rst

-- 
2.20.1




Re: [PATCH 0/7] docs: State QEMU version and license in all HTML footers

2021-07-13 Thread Peter Maydell
On Mon, 5 Jul 2021 at 10:55, Peter Maydell  wrote:
>
> This patchset is an effort to fix something up which I promised
> Markus I would do after we got the initial conversion to Sphinx
> done. The old QAPI reference documentation noted the documentation
> license in the texinfo source (but not in the generated HTML or
> in the generated manpages); Sphinx generated docs currently don't.

> I'm open to suggestions on:
>  * name of the new top-level section
>  * text wording
>  * whether we need to have the version number in the footer
>(it's already in the sidebar under the QEMU logo, but this
>seemed a bit too inconspicuous, so I added it to the footer
>since I was messing with it anyway)
>
> You can find a built version of the docs at:
> https://pm215.gitlab.io/-/qemu/-/jobs/1399259647/artifacts/public/index.html
>
> I had a look at getting our manpages to also state the license,
> but this is tricky due to various deficiencies in Sphinx.
> (We never have stated the license in our manpages, so this isn't
> a regression compared to the old texinfo setup.)
>
> Markus: do you feel this series is sufficient that we can remove
> the TODO lines in docs/interop/qemu-ga-ref.rst,
> docs/interop/qemu-qmp-ref.rst and docs/interop/qemu-storage-daemon-qmp-ref.rst
> as now being done?

Ping for any further review/opinions, in particular from Markus.
I'm intending to put this in for 6.1.

thanks
-- PMM



Re: [PATCH] hw/nvme: fix mmio read

2021-07-13 Thread Klaus Jensen
On Jul 13 12:34, Klaus Jensen wrote:
> On Jul 13 11:31, Peter Maydell wrote:
> > On Tue, 13 Jul 2021 at 11:19, Klaus Jensen  wrote:
> > >
> > > On Jul 13 11:07, Peter Maydell wrote:
> > > > Looking at the surrounding code, I notice that we guard this "read size bytes
> > > > from >bar + addr" with
> > > > if (addr < sizeof(n->bar)) {
> > > >
> > > > but that doesn't account for 'size', so if the guest asks to read
> > > > 4 bytes starting at offset sizeof(n->bar)-1 then we'll still read
> > > > 3 bytes beyond the end of the buffer...
> > >
> > > The buffer is at least sizeof(n->bar) + 8 bytes (there are two doorbell
> > > registers following the controller registers). It is wrong for the host
> > > to read those, but as per the spec it is undefined behavior.
> > 
> > I don't know about the doorbell registers, but with this code
> > (or the old memcpy()) you'll access whatever the next thing after
> > "NvmeBar bar" in the NvmeCtrl struct is, which looks like it's the
> > first part of 'struct NvmeParams".
> > 
> 
> Sorry, you are of course right. I remembered how the bar was allocated
> incorrectly.

I fixed this properly by holding all bar values in little endian as per
the spec.

I'll clean it up and send it tonight.
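
The bounds concern raised in the quoted exchange (a guard on `addr` alone does not bound `addr + size`) is shown below as an added example; it is not part of the thread or of the QEMU source. The `Ctrl` struct, its sizes and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the layout discussed in the thread: a register
 * block ("bar") that is directly followed by unrelated state in the same
 * struct. Names and sizes are assumptions for this example only.
 */
typedef struct {
    uint8_t bar[64];     /* register file exposed over MMIO */
    uint8_t params[16];  /* neighbouring fields that must never be readable */
} Ctrl;

#define BAR_LEN ((uint64_t)sizeof(((Ctrl *)0)->bar))

typedef bool (*bounds_fn)(uint64_t addr, unsigned size);

/* The guard quoted in the thread: only the start offset is bounded. */
static bool start_only_check(uint64_t addr, unsigned size)
{
    (void)size;
    return addr < BAR_LEN;
}

/* Bounds the whole access; ordered so that addr + size can never wrap. */
static bool whole_access_check(uint64_t addr, unsigned size)
{
    return size != 0 && size <= BAR_LEN && addr <= BAR_LEN - size;
}

/* How many bytes of [addr, addr + size) lie beyond the end of bar. */
static unsigned bytes_past_bar(uint64_t addr, unsigned size)
{
    if (addr >= BAR_LEN) {
        return size;
    }
    uint64_t room = BAR_LEN - addr;
    return size > room ? (unsigned)(size - room) : 0;
}

/*
 * MMIO-style read of `size` bytes at register offset `addr`, gated by the
 * supplied check. The copy starts from the struct base so the demonstration
 * itself stays inside one object. Returns false (out zeroed) on rejection.
 */
static bool mmio_read(const Ctrl *c, uint64_t addr, unsigned size,
                      bounds_fn in_bounds, uint8_t out[8])
{
    memset(out, 0, 8);
    if (size > 8 || !in_bounds(addr, size)) {
        return false;
    }
    memcpy(out, (const uint8_t *)c + offsetof(Ctrl, bar) + addr, size);
    return true;
}

/*
 * Count the neighbouring (params) bytes returned by a 4-byte read that
 * starts at the last register byte, the case raised in the thread.
 */
static unsigned leaked_bytes(bounds_fn in_bounds)
{
    Ctrl c;
    uint8_t out[8];
    unsigned i, leaked = 0;

    memset(c.bar, 0x11, sizeof(c.bar));
    memset(c.params, 0xAA, sizeof(c.params));  /* marker for foreign data */
    if (!mmio_read(&c, BAR_LEN - 1, 4, in_bounds, out)) {
        return 0;
    }
    for (i = 0; i < 4; i++) {
        leaked += (out[i] == 0xAA);
    }
    return leaked;
}

int main(void)
{
    printf("start-only guard leaks %u byte(s)\n",
           leaked_bytes(start_only_check));
    printf("whole-access guard leaks %u byte(s)\n",
           leaked_bytes(whole_access_check));
    return 0;
}
```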




[PULL v2 2/4] fuzz: adjust timeout to allow for longer inputs

2021-07-13 Thread Alexander Bulekov
Using a custom timeout is useful to continue fuzzing complex devices,
even after we run into some slow code-path. However, simply adding a
fixed timeout to each input effectively caps the maximum input
length/number of operations at some artificial value. There are two
major problems with this:
1. Some code might only be reachable through long IO sequences.
2. Longer inputs can actually be _better_ for performance. While the
   raw number of fuzzer executions decreases with larger inputs, the
   number of MMIO/PIO/DMA operation/second actually increases, since
   we are spending proportionately less time fork()ing.

With this change, we keep the custom-timeout, but we renew it, prior to
each MMIO/PIO/DMA operation. Thus, we time-out only when a specific
operation takes a long time.

Reviewed-by: Darren Kenny 
Signed-off-by: Alexander Bulekov 
---
 tests/qtest/fuzz/generic_fuzz.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 0ea47298b7..80eb29bd2d 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -668,15 +668,16 @@ static void generic_fuzz(QTestState *s, const unsigned 
char *Data, size_t Size)
 uint8_t op;
 
 if (fork() == 0) {
+struct sigaction sact;
+struct itimerval timer;
 /*
  * Sometimes the fuzzer will find inputs that take quite a long time to
  * process. Often times, these inputs do not result in new coverage.
  * Even if these inputs might be interesting, they can slow down the
- * fuzzer, overall. Set a timeout to avoid hurting performance, too 
much
+ * fuzzer, overall. Set a timeout for each command to avoid hurting
+ * performance, too much
  */
 if (timeout) {
-struct sigaction sact;
-struct itimerval timer;
 
 sigemptyset(_mask);
 sact.sa_flags   = SA_NODEFER;
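Review bot: `sact` and `timer` are now declared at the top of the child block, but they are still filled in only inside `if (timeout)`, so both are uninitialised whenever timeout is 0. The later setitimer() call is guarded today, but declaring them as `struct itimerval timer = {0};` (and likewise for sact) would keep a future unguarded use from passing stack garbage to the kernel. The reworded comment also ends in "performance, too much" with a stray comma and no full stop.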
@@ -686,13 +687,17 @@ static void generic_fuzz(QTestState *s, const unsigned 
char *Data, size_t Size)
 memset(, 0, sizeof(timer));
 timer.it_value.tv_sec = timeout / USEC_IN_SEC;
 timer.it_value.tv_usec = timeout % USEC_IN_SEC;
-setitimer(ITIMER_VIRTUAL, , NULL);
 }
 
 op_clear_dma_patterns(s, NULL, 0);
 pci_disabled = false;
 
 while (cmd && Size) {
+/* Reset the timeout, each time we run a new command */
+if (timeout) {
+setitimer(ITIMER_VIRTUAL, , NULL);
+}
+
 /* Get the length until the next command or end of input */
 nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR));
 cmd_len = nextcmd ? nextcmd - cmd : Size;
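Review bot: with setitimer() moved inside the `while (cmd && Size)` loop, the timeout bounds each command but no longer bounds the input as a whole, so an input built from many commands that each finish just under the limit can keep a child running for an arbitrarily long time. If that is the accepted trade-off, please state it in the comment above the loop; otherwise keep a second, larger limit for the whole input alongside the per-command one.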
-- 
2.28.0




Re: [RFC PATCH 0/6] job: replace AioContext lock with job_mutex

2021-07-13 Thread Vladimir Sementsov-Ogievskiy

13.07.2021 16:10, Stefan Hajnoczi wrote:

> On Mon, Jul 12, 2021 at 10:41:46AM +0200, Emanuele Giuseppe Esposito wrote:
> >
> >
> > On 08/07/2021 15:04, Stefan Hajnoczi wrote:
> > > On Thu, Jul 08, 2021 at 01:32:12PM +0200, Paolo Bonzini wrote:
> > > > On 08/07/21 12:36, Stefan Hajnoczi wrote:
> > > > > > What is very clear from this patch is that it
> > > > > > is strictly related to the brdv_* and lower level calls, because
> > > > > > they also internally check or even use the aiocontext lock.
> > > > > > Therefore, in order to make it work, I temporarly added some
> > > > > > aiocontext_acquire/release pair around the function that
> > > > > > still assert for them or assume they are hold and temporarly
> > > > > > unlock (unlock() - lock()).
> > > > >
> > > > > Sounds like the issue is that this patch series assumes AioContext locks
> > > > > are no longer required for calling the blk_*()/bdrv_*() APIs? That is
> > > > > not the case yet, so you had to then add those aio_context_lock() calls
> > > > > back in elsewhere. This approach introduces unnecessary risk. I think we
> > > > > should wait until blk_*()/bdrv_*() no longer requires the caller to hold
> > > > > the AioContext lock before applying this series.
> > > >
> > > > In general I'm in favor of pushing the lock further down into smaller and
> > > > smaller critical sections; it's a good approach to make further audits
> > > > easier until it's "obvious" that the lock is unnecessary.  I haven't yet
> > > > reviewed Emanuele's patches to see if this is what he's doing where he's
> > > > adding the acquire/release calls, but that's my understanding of both his
> > > > cover letter and your reply.
> > >
> > > The problem is the unnecessary risk. We know what the goal is for
> > > blk_*()/bdrv_*() but it's not quite there yet. Does making changes in
> > > block jobs help solve the final issues with blk_*()/bdrv_*()?
> >
> > Correct me if I am wrong, but it seems to me that the bdrv_*()/blk_*()
> > operation mostly take care of building, modifying and walking the bds graph.
> > So since graph nodes can have multiple AioContext, it makes sense that we
> > have a lock when modifying the graph, right?
> >
> > If so, we can simply try to replace the AioContext lock with a graph lock,
> > or something like that. But I am not sure of this.
>
> Block graph manipulation (all_bdrv_states and friends) requires the BQL.
> It has always been this way.
>
> This raises the question: if block graph manipulation is already under
> the BQL and BlockDriver callbacks don't need the AioContext anymore, why

I don't believe that block drivers are thread-safe now. They have some
mutexes.. But who make an audit of thread-safety? I work mostly with nbd and
qcow2 drivers, and they never seemed to be thread-safe to me. For example, qcow2
driver has enough operations that are done from non-coroutine context and
therefore qcow2 co-mutex just not locked.

> are aio_context_acquire() calls still needed in block jobs?
>
> AIO_WAIT_WHILE() requires that AioContext is acquired according to its
> documentation, but I'm not sure that's true anymore. Thread-safe/atomic
> primitives are used by AIO_WAIT_WHILE(), so as long as the condition
> being waited for is thread-safe too it should work without the
> AioContext lock.
>
> Back to my comment about unnecessary risk, pushing the lock down is a
> strategy for exploring the problem, but I'm not sure those intermediate
> commits need to be committed to qemu.git/master because of the time
> required to review them and the risk of introducing (temporary) bugs.


I agree. Add my bit of criticism:

What I dislike about the whole thread-safe update you do:

1. There is no proof of concept - some good example of multiqueue, or something
that uses multiple threads and shows good performance. Something that works, and
shows where are we going to and why it is good. That may be draft patches with a
lot of "FIXME" and "TODO", but working. For now I feel that I've spent my time
to reviewing and proving to myself thread-safety of two previous thread-safe
series, but I don't have a hope to see a benefit of it in the near future..

1.1 If we have a proof of concept, that also gives a kind of plan: a list of
subsystems (patch series) to do step by step and finally come to what we want.
Do you have a kind of plan (of the whole feature) now?

2. There are no tests: something that doesn't work before the series and starts
to work after. Why it is important:

All these thread-safe primitives are complicated enough. They are hard to review
and prove correctness. And very simple to break by new code. Tests that are run
by CI prove that we don't break subsystems that are already thread-safe. For
example, you've recently updated block-copy and several related things. But we
have no tests. So, assume, a year later you finish the work of updating all
other subsystems to be thread-safe. You'll have no guarantee that block-copy is
still thread-safe, and you'll have to start from the beginning.

3. As I said, I really doubt that block drivers are already thread safe. An
audit and/or tests are needed at least.


--
Best regards,
Vladimir



[PULL 6/6] migration: Move bitmap_mutex out of migration_bitmap_clear_dirty()

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Peter Xu 

Taking the mutex every time for each dirty bit to clear is too slow, especially
we'll take/release even if the dirty bit is cleared.  So far it's only used to
sync with special cases with qemu_guest_free_page_hint() against migration
thread, nothing really that serious yet.  Let's move the lock to be upper.

There're two callers of migration_bitmap_clear_dirty().

For migration, move it into ram_save_iterate().  With the help of MAX_WAIT
logic, we'll only run ram_save_iterate() for no more than 50ms-ish time, so
taking the lock once there at the entry.  It also means any call sites to
qemu_guest_free_page_hint() can be delayed; but it should be very rare, only
during migration, and I don't see a problem with it.

For COLO, move it up to colo_flush_ram_cache().  I think COLO forgot to take
that lock even when calling ramblock_sync_dirty_bitmap(), where another example
is migration_bitmap_sync() who took it right.  So let the mutex cover both the
ramblock_sync_dirty_bitmap() and migration_bitmap_clear_dirty() calls.

It's even possible to drop the lock so we use atomic operations upon rb->bmap
and the variable migration_dirty_pages.  I didn't do it just to still be safe,
also not predictable whether the frequent atomic ops could bring overhead too
e.g. on huge vms when it happens very often.  When that really comes, we can
keep a local counter and periodically call atomic ops.  Keep it simple for now.

Cc: Wei Wang 
Cc: David Hildenbrand 
Cc: Hailiang Zhang 
Cc: Dr. David Alan Gilbert 
Cc: Juan Quintela 
Cc: Leonardo Bras Soares Passos 
Signed-off-by: Peter Xu 
Message-Id: <20210630200805.280905-1-pet...@redhat.com>
Reviewed-by: Wei Wang 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/ram.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/migration/ram.c b/migration/ram.c
index 88ff34f574..b5fc454b2f 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -795,8 +795,6 @@ static inline bool migration_bitmap_clear_dirty(RAMState 
*rs,
 {
 bool ret;
 
-QEMU_LOCK_GUARD(>bitmap_mutex);
-
 /*
  * Clear dirty bitmap if needed.  This _must_ be called before we
  * send any of the page in the chunk because we need to make sure
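Review bot: with the QEMU_LOCK_GUARD removed, migration_bitmap_clear_dirty() now depends on every caller holding bitmap_mutex, but nothing in the function or its comment records that. Please add a "called with bitmap_mutex held" line to the function comment so that a future third caller does not clear bits unlocked.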
@@ -2834,6 +2832,14 @@ static int ram_save_iterate(QEMUFile *f, void *opaque)
 goto out;
 }
 
+/*
+ * We'll take this lock a little bit long, but it's okay for two reasons.
+ * Firstly, the only possible other thread to take it is who calls
+ * qemu_guest_free_page_hint(), which should be rare; secondly, see
+ * MAX_WAIT (if curious, further see commit 4508bd9ed8053ce) below, which
+ * guarantees that we'll at least released it in a regular basis.
+ */
+qemu_mutex_lock(>bitmap_mutex);
 WITH_RCU_READ_LOCK_GUARD() {
 if (ram_list.version != rs->last_version) {
 ram_state_reset(rs);
@@ -2893,6 +2899,7 @@ static int ram_save_iterate(QEMUFile *f, void *opaque)
 i++;
 }
 }
+qemu_mutex_unlock(>bitmap_mutex);
 
 /*
  * Must occur before EOS (or any QEMUFile operation)
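Review bot: this qemu_mutex_unlock() is paired by hand with the qemu_mutex_lock() added before WITH_RCU_READ_LOCK_GUARD() in the previous hunk, so any exit path later added between the two will leave bitmap_mutex held. Wrapping the RCU block in WITH_QEMU_LOCK_GUARD would tie the release to the scope, which is what the guard removed from migration_bitmap_clear_dirty() used to give. The new comment in the previous hunk also reads "we'll at least released it in a regular basis" and needs a grammar pass.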
@@ -3682,6 +3689,7 @@ void colo_flush_ram_cache(void)
 unsigned long offset = 0;
 
 memory_global_dirty_log_sync();
+qemu_mutex_lock(_state->bitmap_mutex);
 WITH_RCU_READ_LOCK_GUARD() {
 RAMBLOCK_FOREACH_NOT_IGNORED(block) {
 ramblock_sync_dirty_bitmap(ram_state, block);
@@ -3710,6 +3718,7 @@ void colo_flush_ram_cache(void)
 }
 }
 trace_colo_flush_ram_cache_end();
+qemu_mutex_unlock(_state->bitmap_mutex);
 }
 
 /**
-- 
2.31.1




[PULL 3/6] migration: Release return path early for paused postcopy

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Peter Xu 

When postcopy pause triggered, we rely on the migration thread to cleanup the
to_dst_file handle, and the return path thread to cleanup the from_dst_file
handle (which is stored in the local variable "rp").

Within the process, from_dst_file cleanup (qemu_fclose) is postponed until it's
setup again due to a postcopy recovery.

It used to work before yank was born; after yank is introduced we rely on the
refcount of IOC to correctly unregister yank function in channel_close().  If
without the early and on-time release of from_dst_file handle the yank function
will be leftover during paused postcopy.

Without this patch, below steps (quoted from Xiaohui) could trigger qemu src
crash:

  1. Boot vm on src host
  2. Boot vm on dst host
  3. Enable postcopy on src host
  4. Load stressapptest in vm and set postcopy speed to 50M
  5. Start migration from src to dst host, change into postcopy mode when
     migration is active.
  6. When postcopy is active, down the network card (do migration via this
     network) on dst host.
  7. Wait until postcopy is paused on src host.
  8. Before up network card, recover migration on dst host, will get error
     like following.
  9. Ignore the error of step 8, go on recovering migration on src host:

  After step 9, qemu on src host will core dump after some seconds:
  qemu-kvm: ../util/yank.c:107: yank_unregister_instance: Assertion `QLIST_EMPTY(>yankfns)' failed.
  1.sh: line 38: 44662 Aborted (core dumped)

Reported-by: Li Xiaohui 
Signed-off-by: Peter Xu 
Message-Id: <20210708190653.252961-2-pet...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/migration.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index d717cd089a..38ebc6c1ab 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2818,12 +2818,12 @@ out:
  * Maybe there is something we can do: it looks like a
  * network down issue, and we pause for a recovery.
  */
+qemu_fclose(rp);
+ms->rp_state.from_dst_file = NULL;
+rp = NULL;
 if (postcopy_pause_return_path_thread(ms)) {
 /* Reload rp, reset the rest */
-if (rp != ms->rp_state.from_dst_file) {
-qemu_fclose(rp);
-rp = ms->rp_state.from_dst_file;
-}
+rp = ms->rp_state.from_dst_file;
 ms->rp_state.error = false;
 goto retry;
 }
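Review bot: after this change `rp` is NULL and `ms->rp_state.from_dst_file` is cleared as soon as the pause path is entered, so when postcopy_pause_return_path_thread() returns false the code following this block runs with `rp == NULL`. Please check that the exit path of the thread does not pass that NULL to qemu_fclose() or otherwise dereference it. The "Reload rp" comment would also benefit from saying who reassigns from_dst_file during recovery, since the old `rp != ms->rp_state.from_dst_file` comparison that hinted at it is gone.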
-- 
2.31.1




Re: [PATCH] hw/display/xlnx_dp: fix an out-of-bounds read in xlnx_dp_read

2021-07-13 Thread Qiang Liu
On Tue, Jul 13, 2021 at 6:24 PM Philippe Mathieu-Daudé  wrote:
>
> On 7/13/21 12:20 PM, Philippe Mathieu-Daudé wrote:
> > On 7/13/21 5:14 AM, Qiang Liu wrote:
> >> xlnx_dp_read allows an out-of-bounds read at its default branch because
> >> of an improper index.
> >>
> >> According to
> >> https://www.xilinx.com/html_docs/registers/ug1087/ug1087-zynq-ultrascale-registers.html
> >> (DP Module), registers 0x3A4/0x3A4/0x3AC are allowed.
> >>
> >> DP_INT_MASK  0x03A4  32  mixed   0xF03F  Interrupt 
> >> Mask Register for intrN.
> >> DP_INT_EN0x03A8  32  mixed   0x  Interrupt 
> >> Enable Register.
> >> DP_INT_DS0x03AC  32  mixed   0x  Interrupt 
> >> Disable Register.
> >>
> >> In xlnx_dp_write, when the offset is 0x3A8 and 0x3AC, the virtual device
> >> will write s->core_registers[0x3A4 >> 2]. That is to say, the max size of
> >> s->core_registers could be ((0x3A4 >> 2) + 1). However, the current size
> >> of s->core_registers is (0x3AF >> 2), that is ((0x3A4 >> 2) + 2), which
> >> is out of the range.
> >> In xlxn_dp_read, the access to offset 0x3A8 or 0x3AC will be directed to
> >> the offset 0x3A8 (incorrect functionality) or 0x3AC (out-of-bounds read)
> >> rather than 0x3A4.
> >>
> >> This patch adjusts the size of s->core_registers and enforces the read
> >> access to offset 0x3A* and 0x3AC to 0x3A4. BTW, because the size of this
> >> MMIO region is 0x3AF, this patch also removes the assertion in
> >> xlnx_dp_write.
> >>
> >> Fixes: 58ac482a66de ("introduce xlnx-dp")
> >> Signed-off-by: Qiang Liu 
> >> ---
> >>  hw/display/xlnx_dp.c | 7 ---
> >>  include/hw/display/xlnx_dp.h | 2 +-
> >>  2 files changed, 5 insertions(+), 4 deletions(-)
> >
> > Can you provide a qtest reproducer please?
>
> See examples in tests/qtest/fuzz*test.c
Yeah. I can add the qtest reproducer.

> >> diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
> >> index 7bcbb13..8903181 100644
> >> --- a/hw/display/xlnx_dp.c
> >> +++ b/hw/display/xlnx_dp.c
> >> @@ -713,8 +713,10 @@ static uint64_t xlnx_dp_read(void *opaque, hwaddr 
> >> offset, unsigned size)
> >>  ret = 0;
> >>  break;
> >>  default:
> >> -assert(offset <= (0x3AC >> 2));
> >> -ret = s->core_registers[offset];
> >> +if (offset == (0x3A8 >> 2) || offset == (0x3AC >> 2))
> >> +ret = s->core_registers[DP_INT_MASK];
> >> +else
> >
> > Invalid code style.
Will refine it.

> >> +ret = s->core_registers[offset];
> >>  break;
> >>  }
> >>
> >> @@ -876,7 +878,6 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, 
> >> uint64_t value,
> >>  xlnx_dp_update_irq(s);
> >>  break;
> >>  default:
> >> -assert(offset <= (0x504C >> 2));
> >>  s->core_registers[offset] = value;
> >>  break;
> >>  }
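Review bot: removing the assert from the default branch of xlnx_dp_write() leaves `s->core_registers[offset] = value` with no bound on `offset` in this function; the commit message relies on the MMIO region size to keep it in range. The old limit of (0x504C >> 2) was clearly wrong for this array, but replacing it with a check against DP_CORE_REG_ARRAY_SIZE that drops the access would be more robust than removing the check altogether.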
> >> diff --git a/include/hw/display/xlnx_dp.h b/include/hw/display/xlnx_dp.h
> >> index e85e428..99a6d47 100644
> >> --- a/include/hw/display/xlnx_dp.h
> >> +++ b/include/hw/display/xlnx_dp.h
> >> @@ -39,7 +39,7 @@
> >>  #define AUD_CHBUF_MAX_DEPTH (32 * KiB)
> >>  #define MAX_QEMU_BUFFER_SIZE(4 * KiB)
> >>
> >> -#define DP_CORE_REG_ARRAY_SIZE  (0x3AF >> 2)
> >> +#define DP_CORE_REG_ARRAY_SIZE  (0x3A8 >> 2)
> >
> > NAck: this breaks migration.
I will not modify this.

> >>  #define DP_AVBUF_REG_ARRAY_SIZE (0x238 >> 2)
> >>  #define DP_VBLEND_REG_ARRAY_SIZE(0x1DF >> 2)
> >>  #define DP_AUDIO_REG_ARRAY_SIZE (0x50 >> 2)

Thank you for the review. I will resend the patch soon.

Best,
Qiang



Re: [PATCH v3 0/2] linux-user/s390x: signal with SIGFPE on compare-and-trap

2021-07-13 Thread Laurent Vivier
On 12/07/2021 at 23:29, jonathan.albrecht wrote:
> On 2021-07-12 4:02 pm, Laurent Vivier wrote:
>> On 09/07/2021 at 18:04, Jonathan Albrecht wrote:
>>> qemu-s390x signals with SIGILL on compare-and-trap instructions. This
>>> breaks OpenJDK which expects SIGFPE in its implementation of implicit
>>> exceptions.
>>>
>>> This patch depends on [PATCH v6 0/2] target/s390x: Fix SIGILL and SIGFPE
>>> psw.addr reporting
>>> https://lore.kernel.org/qemu-devel/20210705210434.45824-1-...@linux.ibm.com/
>>>
>>> Based-on: 20210705210434.45824-1-...@linux.ibm.com
>>>
>>>
>>
>> Series applied to my linux-user-for-6.1 branch.
>>
> 
> Thanks Laurent, I see this series has been applied to
> https://github.com/vivier/qemu/commits/linux-user-for-6.1 but the following
> series that this is based on also needs to be applied:
> 
> https://lore.kernel.org/qemu-devel/20210705210434.45824-1-...@linux.ibm.com/
> 
> Did some local testing and looks like missing that series caused
> https://app.travis-ci.com/github/vivier/qemu/jobs/523853464 to fail.
> 
> Oh, just saw Ilya's email that the test patch has not been reviewed. 
> Hopefully that can happen so
> they can both make it in.

I've removed these two patches from my patch queue. I'll do a new one with both
series when they are ready.

Thanks,
Laurent



[PATCH for-6.2 05/34] target/arm: Fix mask handling for MVE narrowing operations

2021-07-13 Thread Peter Maydell
In the MVE helpers for the narrowing operations (DO_VSHRN and
DO_VSHRN_SAT) we were using the wrong bits of the predicate mask for
the 'top' versions of the insn.  This is because the loop works over
the double-sized input elements and shifts the predicate mask by that
many bits each time, but when we write out the half-sized output we
must look at the mask bits for whichever half of the element we are
writing to.

Correct this by shifting the whole mask right by ESIZE bits for the
'top' insns.  This allows us also to simplify the saturation bit
checking (where we had noticed that we needed to look at a different
mask bit for the 'top' insn.)

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 99b4801088f..8cbfd3a8c53 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1361,6 +1361,7 @@ DO_VSHLL_ALL(vshllt, true)
 TYPE *d = vd;   \
 uint16_t mask = mve_element_mask(env);  \
 unsigned le;\
+mask >>= ESIZE * TOP;   \
 for (le = 0; le < 16 / LESIZE; le++, mask >>= LESIZE) { \
 TYPE r = FN(m[H##LESIZE(le)], shift);   \
 mergemask([H##ESIZE(le * 2 + TOP)], r, mask); \
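Review bot: the added `mask >>= ESIZE * TOP;` ahead of the loop carries no comment, and the reason for it (the loop steps the mask by LESIZE per input element while the store goes to the half-sized element at index `le * 2 + TOP`) lives only in the commit message. A one-line comment at the shift would keep a later cleanup from removing it as redundant.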
@@ -1422,11 +1423,12 @@ static inline int32_t do_sat_bhs(int64_t val, int64_t 
min, int64_t max,
 uint16_t mask = mve_element_mask(env);  \
 bool qc = false;\
 unsigned le;\
+mask >>= ESIZE * TOP;   \
 for (le = 0; le < 16 / LESIZE; le++, mask >>= LESIZE) { \
 bool sat = false;   \
 TYPE r = FN(m[H##LESIZE(le)], shift, ); \
 mergemask([H##ESIZE(le * 2 + TOP)], r, mask); \
-qc |= sat && (mask & 1 << (TOP * ESIZE));   \
+qc |= sat & mask & 1;   \
 }   \
 if (qc) {   \
 env->vfp.qc[0] = qc;\
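Review bot: `qc |= sat & mask & 1;` is correct only because of the `mask >>= ESIZE * TOP;` added above the loop, and it combines a bool with a uint16_t through bitwise `&`. Writing it as `qc |= sat && (mask & 1);` keeps the logical form of the line it replaces and makes the dependence on bit 0 of the pre-shifted mask easier to see.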
-- 
2.20.1
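
The mask handling described in the commit message above, as a standalone model added here (it is not QEMU code). The names `narrow_top`, `merge_bytes`, `count_mismatches` and the sentinel value are assumptions of this example; `ESIZE`, `LESIZE` and `TOP` echo the patch's macro parameters, and the narrowing function is simplified to a plain logical right shift.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VEC_BYTES 16
#define LESIZE 2        /* input element size in bytes */
#define ESIZE 1         /* output element size in bytes */
#define TOP 1           /* model the 'top' form: odd output elements */
#define SENTINEL 0xEE   /* constructed fill value meaning "byte not written" */

/* Store the low ESIZE bytes of r; byte b is written only if mask bit b is set. */
static void merge_bytes(uint8_t *dst, uint32_t r, uint16_t mask)
{
    for (unsigned b = 0; b < ESIZE; b++) {
        if (mask & (1u << b)) {
            dst[b] = (uint8_t)(r >> (8 * b));
        }
    }
}

static uint32_t load_elem(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/*
 * Loop shaped like the helper in the patch: one iteration per double-sized
 * input element, mask stepped by LESIZE bits each time.
 * pre_shift_mask == 0 models the old behaviour, 1 the corrected one.
 */
static void narrow_top(uint8_t *d, const uint8_t *m, unsigned shift,
                       uint16_t mask, int pre_shift_mask)
{
    if (pre_shift_mask) {
        mask >>= ESIZE * TOP;
    }
    for (unsigned le = 0; le < VEC_BYTES / LESIZE; le++, mask >>= LESIZE) {
        uint32_t r = load_elem(m + le * LESIZE) >> shift;
        merge_bytes(d + (le * 2 + TOP) * ESIZE, r, mask);
    }
}

/* Reference: destination byte i is written only if predicate bit i is set. */
static void narrow_top_reference(uint8_t *d, const uint8_t *m, unsigned shift,
                                 uint16_t mask)
{
    for (unsigned le = 0; le < VEC_BYTES / LESIZE; le++) {
        unsigned byte = (le * 2 + TOP) * ESIZE;   /* ESIZE is 1 here */
        if (mask & (1u << byte)) {
            d[byte] = (uint8_t)(load_elem(m + le * LESIZE) >> shift);
        }
    }
}

/* Number of destination bytes that differ from the per-byte reference. */
static int count_mismatches(uint16_t mask, int pre_shift_mask)
{
    uint8_t m[VEC_BYTES], got[VEC_BYTES], want[VEC_BYTES];
    int bad = 0;

    /* Constructed input: element le is 0x1000 + (le << 4), so >> 4 gives low byte le. */
    for (unsigned le = 0; le < VEC_BYTES / LESIZE; le++) {
        uint32_t v = 0x1000u + (le << 4);
        m[le * LESIZE] = (uint8_t)v;
        m[le * LESIZE + 1] = (uint8_t)(v >> 8);
    }
    memset(got, SENTINEL, sizeof(got));
    memset(want, SENTINEL, sizeof(want));
    narrow_top(got, m, 4, mask, pre_shift_mask);
    narrow_top_reference(want, m, 4, mask);
    for (unsigned i = 0; i < VEC_BYTES; i++) {
        bad += got[i] != want[i];
    }
    return bad;
}

int main(void)
{
    static const uint16_t masks[] = { 0xFFFF, 0xAAAA, 0x5555, 0x0002 };
    for (unsigned i = 0; i < sizeof(masks) / sizeof(masks[0]); i++) {
        printf("mask 0x%04x: unshifted mask %d wrong bytes, pre-shifted %d\n",
               (unsigned)masks[i], count_mismatches(masks[i], 0),
               count_mismatches(masks[i], 1));
    }
    return 0;
}
```

With every predicate bit set the two variants agree, which is why the wrong mask bits only show up under partial predication.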




[PATCH for-6.2 03/34] target/arm: Fix MVE VSLI by 0 and VSRI by

2021-07-13 Thread Peter Maydell
In the MVE shift-and-insert insns, we special case VSLI by 0
and VSRI by , both of which mean "no shift". However we
incorrectly implemented these as "don't update the destination",
which works only if Qd == Qm. When Qd != Qm this kind of
shift must update Qd, honouring the predicate mask.

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index db5d6220854..16a701933b8 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1276,19 +1276,23 @@ DO_2SHIFT_S(vrshli_s, DO_VRSHLS)
 void *vm, uint32_t shift)   \
 {   \
 uint64_t *d = vd, *m = vm;  \
-uint16_t mask;  \
+uint16_t mask = mve_element_mask(env);  \
 uint64_t shiftmask; \
 unsigned e; \
 if (shift == 0 || shift == ESIZE * 8) { \
 /*  \
  * Only VSLI can shift by 0; only VSRI can shift by .   \
  * The generic logic would give the right answer for 0 but  \
- * fails for .  \
+ * fails for . In both cases, we must not shift the \
+ * input but just copy it to the destination, honouring \
+ * the predicate mask.  \
  */ \
+for (e = 0; e < 16 / 8; e++, mask >>= 8) {  \
+mergemask([H8(e)], m[H8(e)], mask);   \
+}   \
 goto done;  \
 }   \
 assert(shift < ESIZE * 8);  \
-mask = mve_element_mask(env);   \
 /* ESIZE / 2 gives the MO_* value if ESIZE is in [1,2,4] */ \
 shiftmask = dup_const(ESIZE / 2, MASKFN(ESIZE * 8, shift)); \
 for (e = 0; e < 16 / 8; e++, mask >>= 8) {  \
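Review bot: in the `shift == 0 || shift == ESIZE * 8` branch the new copy loop repeats the `for (e = 0; e < 16 / 8; e++, mask >>= 8)` header of the main loop and is then followed by `goto done`, so two loops now have to be kept in step. Consider an if/else around the two loop bodies, or a small helper for the masked copy, so the predicated-write pattern lives in one place.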
-- 
2.20.1




[PATCH for-6.2 16/34] target/arm: Implement MVE VPSEL

2021-07-13 Thread Peter Maydell
Implement the MVE VPSEL insn, which sets each byte of the destination
vector Qd to the byte from either Qn or Qm depending on the value of
the corresponding bit in VPR.P0.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  2 ++
 target/arm/mve.decode  |  7 +--
 target/arm/mve_helper.c| 19 +++
 target/arm/translate-mve.c |  2 ++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 035779b0576..f1a54aba5d4 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -86,6 +86,8 @@ DEF_HELPER_FLAGS_4(mve_vorr, TCG_CALL_NO_WG, void, env, ptr, 
ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vorn, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_veor, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 
+DEF_HELPER_FLAGS_4(mve_vpsel, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
+
 DEF_HELPER_FLAGS_4(mve_vaddb, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vaddh, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vaddw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index ef708ba80ff..4bd20a9a319 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -468,8 +468,11 @@ VSHLC 111 0 1110 1 . 1 imm:5 ... 0  1100 
rdm:4 qd=%qd
 # effectively "VCMP then VPST". A plain "VCMP" has a mask field of zero.
 VCMPEQ 1110 0 . .. ... 1 ... 0  0 0 . 0 ... 0 @vcmp
 VCMPNE 1110 0 . .. ... 1 ... 0  1 0 . 0 ... 0 @vcmp
-VCMPCS 1110 0 . .. ... 1 ... 0  0 0 . 0 ... 1 @vcmp
-VCMPHI 1110 0 . .. ... 1 ... 0  1 0 . 0 ... 1 @vcmp
+{
+  VPSEL    1110 0 . 11 ... 1 ... 0  . 0 . 0 ... 1 @2op_nosz
+  VCMPCS   1110 0 . .. ... 1 ... 0  0 0 . 0 ... 1 @vcmp
+  VCMPHI   1110 0 . .. ... 1 ... 0  1 0 . 0 ... 1 @vcmp
+}
 VCMPGE 1110 0 . .. ... 1 ... 1  0 0 . 0 ... 0 @vcmp
 VCMPLT 1110 0 . .. ... 1 ... 1  1 0 . 0 ... 0 @vcmp
 VCMPGT 1110 0 . .. ... 1 ... 1  0 0 . 0 ... 1 @vcmp
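Review bot: the new `{ }` overlap group places VPSEL ahead of VCMPCS and VCMPHI without a comment saying why the patterns overlap or that the order matters. VPSEL fixes the size field to `11` where the VCMP patterns leave it as `..`, so a short comment above the group stating that VPSEL takes the size=0b11 encodings would document the intent.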
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 57a92bc6841..be67e7cea26 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1846,3 +1846,22 @@ DO_VCMP_S(vcmpge, DO_GE)
 DO_VCMP_S(vcmplt, DO_LT)
 DO_VCMP_S(vcmpgt, DO_GT)
 DO_VCMP_S(vcmple, DO_LE)
+
+void HELPER(mve_vpsel)(CPUARMState *env, void *vd, void *vn, void *vm)
+{
+/*
+ * Qd[n] = VPR.P0[n] ? Qn[n] : Qm[n]
+ * but note that whether bytes are written to Qd is still subject
+ * to (all forms of) predication in the usual way.
+ */
+uint64_t *d = vd, *n = vn, *m = vm;
+uint16_t mask = mve_element_mask(env);
+uint16_t p0 = FIELD_EX32(env->v7m.vpr, V7M_VPR, P0);
+unsigned e;
+for (e = 0; e < 16 / 8; e++, mask >>= 8, p0 >>= 8) {
+uint64_t r = m[H8(e)];
+mergemask(, n[H8(e)], p0);
+mergemask([H8(e)], r, mask);
+}
+mve_advance_vpt(env);
+}
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index f8b8639eab7..689e15c069b 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -376,6 +376,8 @@ DO_LOGIC(VORR, gen_helper_mve_vorr)
 DO_LOGIC(VORN, gen_helper_mve_vorn)
 DO_LOGIC(VEOR, gen_helper_mve_veor)
 
+DO_LOGIC(VPSEL, gen_helper_mve_vpsel)
+
 #define DO_2OP(INSN, FN) \
 static bool trans_##INSN(DisasContext *s, arg_2op *a)   \
 {   \
-- 
2.20.1




[PATCH for-6.2 23/34] target/arm: Rename MVEGenDualAccOpFn to MVEGenLongDualAccOpFn

2021-07-13 Thread Peter Maydell
The MVEGenDualAccOpFn is a bit misnamed, since it is used for
the "long dual accumulate" operations that use a 64-bit
accumulator. Rename it to MVEGenLongDualAccOpFn so we can
use the former name for the 32-bit accumulator insns.

Signed-off-by: Peter Maydell 
---
 target/arm/translate-mve.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index ba5b7809b09..22b178296f4 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -38,7 +38,7 @@ typedef void MVEGenOneOpFn(TCGv_ptr, TCGv_ptr, TCGv_ptr);
 typedef void MVEGenTwoOpFn(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr);
 typedef void MVEGenTwoOpScalarFn(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_i32);
 typedef void MVEGenTwoOpShiftFn(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_i32);
-typedef void MVEGenDualAccOpFn(TCGv_i64, TCGv_ptr, TCGv_ptr, TCGv_ptr, 
TCGv_i64);
+typedef void MVEGenLongDualAccOpFn(TCGv_i64, TCGv_ptr, TCGv_ptr, TCGv_ptr, 
TCGv_i64);
 typedef void MVEGenVADDVFn(TCGv_i32, TCGv_ptr, TCGv_ptr, TCGv_i32);
 typedef void MVEGenOneOpImmFn(TCGv_ptr, TCGv_ptr, TCGv_i64);
 typedef void MVEGenVIDUPFn(TCGv_i32, TCGv_ptr, TCGv_ptr, TCGv_i32, TCGv_i32);
@@ -653,7 +653,7 @@ static bool trans_VQDMULLT_scalar(DisasContext *s, 
arg_2scalar *a)
 }
 
 static bool do_long_dual_acc(DisasContext *s, arg_vmlaldav *a,
- MVEGenDualAccOpFn *fn)
+ MVEGenLongDualAccOpFn *fn)
 {
 TCGv_ptr qn, qm;
 TCGv_i64 rda;
@@ -711,7 +711,7 @@ static bool do_long_dual_acc(DisasContext *s, arg_vmlaldav 
*a,
 
 static bool trans_VMLALDAV_S(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[4][2] = {
+static MVEGenLongDualAccOpFn * const fns[4][2] = {
 { NULL, NULL },
 { gen_helper_mve_vmlaldavsh, gen_helper_mve_vmlaldavxsh },
 { gen_helper_mve_vmlaldavsw, gen_helper_mve_vmlaldavxsw },
@@ -722,7 +722,7 @@ static bool trans_VMLALDAV_S(DisasContext *s, arg_vmlaldav 
*a)
 
 static bool trans_VMLALDAV_U(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[4][2] = {
+static MVEGenLongDualAccOpFn * const fns[4][2] = {
 { NULL, NULL },
 { gen_helper_mve_vmlaldavuh, NULL },
 { gen_helper_mve_vmlaldavuw, NULL },
@@ -733,7 +733,7 @@ static bool trans_VMLALDAV_U(DisasContext *s, arg_vmlaldav 
*a)
 
 static bool trans_VMLSLDAV(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[4][2] = {
+static MVEGenLongDualAccOpFn * const fns[4][2] = {
 { NULL, NULL },
 { gen_helper_mve_vmlsldavsh, gen_helper_mve_vmlsldavxsh },
 { gen_helper_mve_vmlsldavsw, gen_helper_mve_vmlsldavxsw },
@@ -744,7 +744,7 @@ static bool trans_VMLSLDAV(DisasContext *s, arg_vmlaldav *a)
 
 static bool trans_VRMLALDAVH_S(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[] = {
+static MVEGenLongDualAccOpFn * const fns[] = {
 gen_helper_mve_vrmlaldavhsw, gen_helper_mve_vrmlaldavhxsw,
 };
 return do_long_dual_acc(s, a, fns[a->x]);
@@ -752,7 +752,7 @@ static bool trans_VRMLALDAVH_S(DisasContext *s, 
arg_vmlaldav *a)
 
 static bool trans_VRMLALDAVH_U(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[] = {
+static MVEGenLongDualAccOpFn * const fns[] = {
 gen_helper_mve_vrmlaldavhuw, NULL,
 };
 return do_long_dual_acc(s, a, fns[a->x]);
@@ -760,7 +760,7 @@ static bool trans_VRMLALDAVH_U(DisasContext *s, 
arg_vmlaldav *a)
 
 static bool trans_VRMLSLDAVH(DisasContext *s, arg_vmlaldav *a)
 {
-static MVEGenDualAccOpFn * const fns[] = {
+static MVEGenLongDualAccOpFn * const fns[] = {
 gen_helper_mve_vrmlsldavhsw, gen_helper_mve_vrmlsldavhxsw,
 };
 return do_long_dual_acc(s, a, fns[a->x]);
-- 
2.20.1




[PATCH for-6.2 12/34] target/arm: Implement MVE incrementing/decrementing dup insns

2021-07-13 Thread Peter Maydell
Implement the MVE incrementing/decrementing dup insns VIDUP, VDDUP,
VIWDUP and VDWDUP.  These fill the elements of a vector with
successively incrementing values, starting at the offset specified in
a general purpose register.  The final value of the offset is written
back to this register.  The wrapping variants take a second general
purpose register which specifies the point where the count should
wrap back to 0.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  16 +
 target/arm/mve.decode  |  25 
 target/arm/mve_helper.c|  64 
 target/arm/translate-mve.c | 118 +
 4 files changed, 223 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 84adfb21517..54b252e98af 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -35,6 +35,22 @@ DEF_HELPER_FLAGS_3(mve_vstrh_w, TCG_CALL_NO_WG, void, env, 
ptr, i32)
 
 DEF_HELPER_FLAGS_3(mve_vdup, TCG_CALL_NO_WG, void, env, ptr, i32)
 
+DEF_HELPER_FLAGS_4(mve_vidupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+DEF_HELPER_FLAGS_4(mve_viduph, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+DEF_HELPER_FLAGS_4(mve_vidupw, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+
+DEF_HELPER_FLAGS_4(mve_vddupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+DEF_HELPER_FLAGS_4(mve_vdduph, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+DEF_HELPER_FLAGS_4(mve_vddupw, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
+
+DEF_HELPER_FLAGS_5(mve_viwdupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+DEF_HELPER_FLAGS_5(mve_viwduph, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+DEF_HELPER_FLAGS_5(mve_viwdupw, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+
+DEF_HELPER_FLAGS_5(mve_vdwdupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+DEF_HELPER_FLAGS_5(mve_vdwduph, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+DEF_HELPER_FLAGS_5(mve_vdwdupw, TCG_CALL_NO_WG, i32, env, ptr, i32, i32, i32)
+
 DEF_HELPER_FLAGS_3(mve_vclsb, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vclsh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vclsw, TCG_CALL_NO_WG, void, env, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index de079ec517d..88c9c18ebf1 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -35,6 +35,8 @@
 &2scalar qd qn rm size
 &1imm qd imm cmode op
 &2shift qd qm shift size
+ qd rn size imm
+ qd rn rm size imm
 
 @vldr_vstr ... . . . . l:1 rn:4 ... .. imm:7 _vstr qd=%qd u=0
 # Note that both Rn and Qd are 3 bits only (no D bit)
@@ -259,6 +261,29 @@ VDUP 1110 1110 1 1 10 ... 0  1011 . 0 0 1 
 @vdup size=0
 VDUP 1110 1110 1 0 10 ... 0  1011 . 0 1 1  @vdup size=1
 VDUP 1110 1110 1 0 10 ... 0  1011 . 0 0 1  @vdup size=2
 
+# Incrementing and decrementing dup
+
+# VIDUP, VDDUP format immediate: 1 << (immh:imml)
+%imm_vidup 7:1 0:1 !function=vidup_imm
+
+# VIDUP, VDDUP registers: Rm bits [3:1] from insn, bit 0 is 1;
+# Rn bits [3:1] from insn, bit 0 is 0
+%vidup_rm 1:3 !function=times_2_plus_1
+%vidup_rn 17:3 !function=times_2
+
+@vidup     . . size:2      \
+ qd=%qd imm=%imm_vidup rn=%vidup_rn 
+@viwdup    . . size:2      \
+ qd=%qd imm=%imm_vidup rm=%vidup_rm rn=%vidup_rn 
+{
+  VIDUP  1110 1110 0 . .. ... 1 ... 0  . 110 111 . @vidup
+  VIWDUP 1110 1110 0 . .. ... 1 ... 0  . 110 ... . @viwdup
+}
+{
+  VDDUP  1110 1110 0 . .. ... 1 ... 1  . 110 111 . @vidup
+  VDWDUP 1110 1110 0 . .. ... 1 ... 1  . 110 ... . @viwdup
+}
+
 # multiply-add long dual accumulate
 # rdahi: bits [3:1] from insn, bit 0 is 1
 # rdalo: bits [3:1] from insn, bit 0 is 0
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index db5ec9266d1..0ef5f5d8871 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1698,3 +1698,67 @@ uint32_t HELPER(mve_sqrshr)(CPUARMState *env, uint32_t 
n, uint32_t shift)
 {
 return do_sqrshl_bhs(n, -(int8_t)shift, 32, true, >QF);
 }
+
+#define DO_VIDUP(OP, ESIZE, TYPE, FN)   \
+uint32_t HELPER(mve_##OP)(CPUARMState *env, void *vd,   \
+   uint32_t offset, uint32_t imm)   \
+{   \
+TYPE *d = vd;   \
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+mergemask([H##ESIZE(e)], offset, mask);   \
+offset = FN(offset, imm);   \
+}   \
+mve_advance_vpt(env);   \
+return offset;  \
+

[PATCH for-6.2 25/34] target/arm: Implement MVE VMLA

2021-07-13 Thread Peter Maydell
Implement the MVE VMLA insn, which multiplies a vector by a scalar
and accumulates into another vector.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 8 
 target/arm/mve.decode  | 3 +++
 target/arm/mve_helper.c| 6 ++
 target/arm/translate-mve.c | 2 ++
 4 files changed, 19 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 088bdd3ca50..50b34c601e1 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -371,6 +371,14 @@ DEF_HELPER_FLAGS_4(mve_vqdmullb_scalarw, TCG_CALL_NO_WG, 
void, env, ptr, ptr, i3
 DEF_HELPER_FLAGS_4(mve_vqdmullt_scalarh, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 DEF_HELPER_FLAGS_4(mve_vqdmullt_scalarw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 
+DEF_HELPER_FLAGS_4(mve_vmlasb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlash, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlasw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vmlaub, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlauh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlauw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(mve_vmlassb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(mve_vmlassh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(mve_vmlassw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 0c4708ea988..2e2df61c860 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -412,6 +412,9 @@ VHSUB_U_scalar    1110 0 . .. ... 0 ... 1  . 100 
 @2scalar
 VQDMULH_scalar   1110 1110 0 . .. ... 1 ... 0 1110 . 110  @2scalar
 VQRDMULH_scalar   1110 0 . .. ... 1 ... 0 1110 . 110  @2scalar
 
+VMLA_S   1110 1110 0 . .. ... 1 ... 0 1110 . 100  @2scalar
+VMLA_U    1110 0 . .. ... 1 ... 0 1110 . 100  @2scalar
+
 VMLAS_S  1110 1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
 VMLAS_U   1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
 
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 8b70362f012..91c0add8da7 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1019,6 +1019,12 @@ DO_2OP_SAT_SCALAR(vqrdmulh_scalarb, 1, int8_t, 
DO_QRDMULH_B)
 DO_2OP_SAT_SCALAR(vqrdmulh_scalarh, 2, int16_t, DO_QRDMULH_H)
 DO_2OP_SAT_SCALAR(vqrdmulh_scalarw, 4, int32_t, DO_QRDMULH_W)
 
+/* Vector by scalar plus vector */
+#define DO_VMLA(D, N, M) ((N) * (M) + (D))
+
+DO_2OP_ACC_SCALAR_S(vmlas, DO_VMLA)
+DO_2OP_ACC_SCALAR_U(vmlau, DO_VMLA)
+
 /* Vector by vector plus scalar */
 #define DO_VMLAS(D, N, M) ((N) * (D) + (M))
 
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index 67b9c07447a..650f3b95edf 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -620,6 +620,8 @@ DO_2OP_SCALAR(VQSUB_U_scalar, vqsubu_scalar)
 DO_2OP_SCALAR(VQDMULH_scalar, vqdmulh_scalar)
 DO_2OP_SCALAR(VQRDMULH_scalar, vqrdmulh_scalar)
 DO_2OP_SCALAR(VBRSR, vbrsr)
+DO_2OP_SCALAR(VMLA_S, vmlas)
+DO_2OP_SCALAR(VMLA_U, vmlau)
 DO_2OP_SCALAR(VMLAS_S, vmlass)
 DO_2OP_SCALAR(VMLAS_U, vmlasu)
 
-- 
2.20.1




Re: [PATCH v2] meson: fix condition for io_uring stubs

2021-07-13 Thread Daniel P . Berrangé
On Mon, Jul 12, 2021 at 05:18:10PM +0200, Paolo Bonzini wrote:
> CONFIG_LINUX_IO_URING is not included in config-host.mak and therefore is
> not usable in "when" clauses.  Check the availability of the library,
> which matches the condition for the non-stubbed version block/io_uring.c.
> 
> At this point, the difference between libraries that have config-host.mak
> entries and those that do not is quite confusing.  The remaining ~dozen
> should be converted in 6.2.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  stubs/meson.build | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé 

> 
> diff --git a/stubs/meson.build b/stubs/meson.build
> index 2e79ff9f4d..d3fa8646b3 100644
> --- a/stubs/meson.build
> +++ b/stubs/meson.build
> @@ -15,7 +15,9 @@ stub_ss.add(files('fdset.c'))
>  stub_ss.add(files('fw_cfg.c'))
>  stub_ss.add(files('gdbstub.c'))
>  stub_ss.add(files('get-vm-name.c'))
> -stub_ss.add(when: 'CONFIG_LINUX_IO_URING', if_true: files('io_uring.c'))
> +if linux_io_uring.found()
> +  stub_ss.add(files('io_uring.c'))
> +endif
>  stub_ss.add(files('iothread-lock.c'))
>  stub_ss.add(files('isa-bus.c'))
>  stub_ss.add(files('is-daemonized.c'))
> -- 
> 2.31.1
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




[PATCH v2 3/3] docs: Add skeletal documentation of highbank and midway

2021-07-13 Thread Peter Maydell
Add skeletal documentation for the highbank and midway machines.

Signed-off-by: Peter Maydell 
---
 docs/system/arm/highbank.rst | 19 +++
 docs/system/target-arm.rst   |  1 +
 MAINTAINERS  |  1 +
 3 files changed, 21 insertions(+)
 create mode 100644 docs/system/arm/highbank.rst

diff --git a/docs/system/arm/highbank.rst b/docs/system/arm/highbank.rst
new file mode 100644
index 000..bb4965b367f
--- /dev/null
+++ b/docs/system/arm/highbank.rst
@@ -0,0 +1,19 @@
+Calxeda Highbank and Midway (``highbank``, ``midway``)
+==
+
+``highbank`` is a model of the Calxeda Highbank (ECX-1000) system,
+which has four Cortex-A9 cores.
+
+``midway`` is a model of the Calxeda Midway (ECX-2000) system,
+which has four Cortex-A15 cores.
+
+Emulated devices:
+
+- L2x0 cache controller
+- SP804 dual timer
+- PL011 UART
+- PL061 GPIOs
+- PL031 RTC
+- PL022 synchronous serial port controller
+- AHCI
+- XGMAC ethernet controllers
diff --git a/docs/system/target-arm.rst b/docs/system/target-arm.rst
index c52902acdad..c0c2585c0ad 100644
--- a/docs/system/target-arm.rst
+++ b/docs/system/target-arm.rst
@@ -87,6 +87,7 @@ undocumented; you can get a complete list by running
arm/digic
arm/cubieboard
arm/emcraft-sf2
+   arm/highbank
arm/musicpal
arm/gumstix
arm/nrf
diff --git a/MAINTAINERS b/MAINTAINERS
index f23cf874c66..767adc64ba2 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -642,6 +642,7 @@ L: qemu-...@nongnu.org
 S: Odd Fixes
 F: hw/arm/highbank.c
 F: hw/net/xgmac.c
+F: docs/system/arm/highbank.rst
 
 Canon DIGIC
 M: Antony Pavlov 
-- 
2.20.1




Re: usb-host device not working

2021-07-13 Thread Programmingkid



> On Jul 13, 2021, at 10:49 AM, Programmingkid  
> wrote:
> 
> I have been having problems with using host USB devices lately. I used to be 
> able to use host USB devices but can't currently. After doing some git 
> bisecting I found it was this patch that causes this issue:
> 
> commit 627302afb2f85cdd4b59595361876487aef19b7a (refs/bisect/bad)
> Author: Gerd Hoffmann 
> Date:   Thu Jun 24 12:38:35 2021 +0200
> 
>usb: build usb-host as module
> 
>Drop one more shared library dependency (libusb) from core qemu.
> 
>Signed-off-by: Gerd Hoffmann 
>Reviewed-by: Jose R. Ziviani 
>Message-Id: <20210624103836.2382472-34-kra...@redhat.com>
>Signed-off-by: Paolo Bonzini 
> 
> I build QEMU like this:
> 
> ./configure --target-list=i386-softmmu --enable-libusb && make -j 9
> 
> This command used to work but fails now with the above commit:
> 
> qemu-system-i386 -usb -device usb-host,vendorid=0x093a,productid=0x2510
> 
> I think this is a bug with the commit. Any suggestions?
> 
> Thank you.

Forgot to mention this issue is observed on Mac OS 11.1.


Re: [PULL 0/3] Fuzzing Patches

2021-07-13 Thread Alexander Bulekov
On 210713 0148, Alexander Bulekov wrote:
> Hello Paolo,
> 
> The following changes since commit 711c0418c8c1ce3a24346f058b001c4c5a2f0f81:
> 
>   Merge remote-tracking branch 'remotes/philmd/tags/mips-20210702' into 
> staging (2021-07-04 14:04:12 +0100)
> 
> are available in the Git repository at:
> 
>   https://gitlab.com/a1xndr/qemu tags/pull-request-2021-07-12
> 
> for you to fetch changes up to 3f4a00e1ec2ee9ab34cfbb8a955c3089256b21c2:
> 
>   fuzz: make object-name matching case-insensitive (2021-07-12 09:56:13 -0400)
> 
> 
> Fuzzing PR for 6.1: Bug-fixes and refined timeout mechanism
> 
> 
> Alexander Bulekov (3):
>   fuzz: fix sparse memory access in the DMA callback
>   fuzz: adjust timeout to allow for longer inputs
>   fuzz: make object-name matching case-insensitive
> 
>  tests/qtest/fuzz/generic_fuzz.c | 50 
> +++---
>  1 file changed, 39 insertions(+), 11 deletions(-)
> 
> -- 
> 2.28.0
> 

One more Patch was reviewed, so I just sent a v2.



[PULL 2/6] migration: failover: emit a warning when the card is not fully unplugged

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Laurent Vivier 

When the migration fails or is canceled we wait for the end of the unplug
operation to be able to plug it back. But if the unplug operation
is never finished we stop waiting and QEMU emits a warning to inform
the user.

Based-on: 20210629155007.629086-1-lviv...@redhat.com
Signed-off-by: Laurent Vivier 
Message-Id: <20210701131458.112036-1-lviv...@redhat.com>
Reviewed-by: Juan Quintela 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/migration.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/migration/migration.c b/migration/migration.c
index 5ff7ba9d5c..d717cd089a 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -3701,6 +3701,10 @@ static void qemu_savevm_wait_unplug(MigrationState *s, 
int old_state,
 while (timeout-- && qemu_savevm_state_guest_unplug_pending()) {
 qemu_sem_timedwait(>wait_unplug_sem, 250);
 }
+if (qemu_savevm_state_guest_unplug_pending()) {
+warn_report("migration: partially unplugged device on "
+"failure");
+}
 }
 
 migrate_set_state(>state, MIGRATION_STATUS_WAIT_UNPLUG, new_state);
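Review bot: the new `warn_report("migration: partially unplugged device on failure")` does not say which device is still pending unplug, so an operator reading the log cannot tell what to check. If the pending device's id is available at this point, include it in the message, and consider stating that the wait timed out.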
-- 
2.31.1




Re: [PATCH v6 0/6] hmp,qmp: Add some commands to introspect virtio devices

2021-07-13 Thread Michael S. Tsirkin
On Mon, Jul 12, 2021 at 06:35:31AM -0400, Jonah Palmer wrote:
> This series introduces new QMP/HMP commands to dump the status of a
> virtio device at different levels.
> 
> [Jonah: Rebasing previous patchset from March for Qemu 6.1
> (here: 
> https://lore.kernel.org/qemu-devel/1616084984-11263-1-git-send-email-jonah.pal...@oracle.com/)
> from Laurent's original qmp/hmp virtio commands from last May
> (here: 
> https://lore.kernel.org/qemu-devel/20200507134800.10837-1-lviv...@redhat.com/)
> which included updating Makefile to meson.build, adding all virtio/vhost 
> types, and
> other minor patching (e.g. qmp_x_debug_query_virtio uses QAPI_LIST_PREPEND 
> rather
> than open coding to iterate through list of virtio devices, see patch 1/6).
> 
> Also, added new features (since Qemu 6.1) to virtio-gpu, virtio-net, and
> virtio-balloon. Lastly, added display for the virtio device name in a
> few of the qmp/hmp commands as well as relative indices for vrings 
> (see patches 4/6, 6/6).]


Acked-by: Michael S. Tsirkin 

needs to be either merged or acked by HMP maintainer.


> 1. Main command
> 
> HMP Only:
> 
> virtio [subcommand]
> 
> Example:
> 
> List all sub-commands:
> 
> (qemu) virtio
> virtio query -- List all available virtio devices
> virtio status path -- Display status of a given virtio device
> virtio queue-status path queue -- Display status of a given virtio 
> queue
> virtio queue-element path queue [index] -- Display element of a given 
> virtio queue
> 
> 2. List available virtio devices in the machine
> 
> HMP Form:
> 
> virtio query
> 
> Example:
> 
> (qemu) virtio query
> /machine/peripheral-anon/device[2]/virtio-backend [virtio-scsi]
> /machine/peripheral-anon/device[1]/virtio-backend [virtio-net]
> /machine/peripheral-anon/device[0]/virtio-backend [virtio-serial]
> 
> QMP Form:
> 
> { 'command': 'x-debug-query-virtio', 'returns': ['VirtioInfo'] }
> 
> Example:
> 
> -> { "execute": "x-debug-query-virtio" }
> <- { "return": [
> {
> "path": 
> "/machine/peripheral-anon/device[2]/virtio-backend",
> "type": "virtio-scsi"
> },
> {
> "path": 
> "/machine/peripheral-anon/device[1]/virtio-backend",
> "type": "virtio-net"
> },
> {
> "path": 
> "/machine/peripheral-anon/device[0]/virtio-backend",
> "type": "virtio-serial"
> }
> ]
> }
> 
> 3. Display status of a given virtio device
> 
> HMP Form:
> 
> virtio status 
> 
> Example:
> 
> (qemu) virtio status /machine/peripheral-anon/device[2]/virtio-backend
> /machine/peripheral-anon/device[2]/virtio-backend:
> Device Id:  8
> Guest features: event-idx, indirect-desc, version-1, change,
> hotplug
> Host features:  event-idx, indirect-desc, bad-feature, 
> version-1,
> any-layout, notify-on-empty, change, hotplug
> Backend features:
> Endianness: little
> VirtQueues: 4
> 
> QMP Form:
> 
> { 'command': 'x-debug-virtio-status',
>   'data': { 'path': 'str' },
>   'returns': 'VirtioStatus'
> }
> 
> Example:
> 
> -> { "execute": "x-debug-virtio-status"
>  "arguments": {
> "path": "/machine/peripheral-anon/device[2]/virtio-backend"
>  }
>}
> <- { "return": {
> "device-endian": "little",
> "device-id": 8,
> "backend-features": {
> "transport": [
> ],
> "type": "virtio-scsi",
> "features": [
> ]
> },
> "num-vqs": 4,
> "guest-features": {
> "transport": [
> "event-idx",
> "indirect-desc",
> "version-1"
> ],
> "type": "virtio-scsi",
> "features": [
> "change",
> "hotplug"
> ]
> },
> "host-features": {
> "transport": [
> "event-idx",
> "indirect-desc",
> "bad-feature",
> "version-1",
> "any-layout",
> "notify-on-empty"
> ],
> "type": "virtio-scsi",
> "features": [
> "change",
> "hotplug"
> ]
> }
> 

[PATCH 5/5] qmp: Added qemu-ebpf-rss-path command.

2021-07-13 Thread Andrew Melnychenko
New qmp command to query ebpf helper.
It's crucial that qemu and helper are in sync and in touch.
Technically helper should pass eBPF fds that qemu may accept.
And different qemu's builds may have different eBPF programs and helpers.
Qemu returns helper that should "fit" to virtio-net.

Signed-off-by: Andrew Melnychenko 
---
 monitor/qmp-cmds.c | 32 
 qapi/misc.json | 33 +
 2 files changed, 65 insertions(+)

diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index f7d64a6457..c042ab5466 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -40,6 +40,7 @@
 #include "qapi/qmp/qerror.h"
 #include "hw/mem/memory-device.h"
 #include "hw/acpi/acpi_dev_interface.h"
+#include "qemu-helper-stamp-utils.h"
 
 NameInfo *qmp_query_name(Error **errp)
 {
@@ -351,3 +352,34 @@ void qmp_display_reload(DisplayReloadOptions *arg, Error 
**errp)
 abort();
 }
 }
+
+HelperPathList *qmp_query_helper_paths(Error **errp)
+{
+HelperPathList *ret = NULL;
+struct {
+const char *helper;
+bool check_stamp;
+} helpers_list[] = {
+#ifdef CONFIG_EBPF
+{ "qemu-ebpf-rss-helper", true },
+#endif
+{ "qemu-pr-helper", false },
+{ "qemu-bridge-helper", false },
+{ NULL, false },
+}, *helper_iter;
+helper_iter = helpers_list;
+
+for (; helper_iter->helper != NULL; ++helper_iter) {
+char *path = qemu_find_helper(helper_iter->helper,
+  helper_iter->check_stamp);
+if (path) {
+HelperPath *helper = g_new0(HelperPath, 1);
+helper->name = g_strdup(helper_iter->helper);
+helper->path = path;
+
+QAPI_LIST_PREPEND(ret, helper);
+}
+}
+
+return ret;
+}
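Review bot: in `helpers_list` only qemu-ebpf-rss-helper is looked up with `check_stamp` set to true; qemu-pr-helper and qemu-bridge-helper are passed `false`, so their paths are returned without the stamp check that the commit message presents as the point of the command. Either stamp-check every helper that is reported, or say in the QAPI documentation which entries are verified. The table is also read-only and could be `static const`.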
diff --git a/qapi/misc.json b/qapi/misc.json
index 156f98203e..9aaf8fbcca 100644
--- a/qapi/misc.json
+++ b/qapi/misc.json
@@ -519,3 +519,36 @@
  'data': { '*option': 'str' },
  'returns': ['CommandLineOptionInfo'],
  'allow-preconfig': true }
+
+##
+# @HelperPath:
+#
+# Name of the helper and binary location.
+##
+{ 'struct': 'HelperPath',
+  'data': {'name': 'str', 'path': 'str'} }
+
+##
+# @query-helper-paths:
+#
+# Query helper paths. Initially, this command was added for
+# qemu-ebpf-rss-helper. The qemu would check "the stamp" and
+# returns proper helper.
+#
+# Returns: list of object that contains name and path for helper.
+#
+# Since: 6.1
+#
+# Example:
+#
+# -> { "execute": "query-helper-paths" }
+# <- { "return": [
+#{
+#  "name": "qemu-ebpf-rss-helper",
+#  "path": "/usr/local/libexec/qemu-ebpf-rss-helper"
+#}
+#  ]
+#}
+#
+##
+{ 'command': 'query-helper-paths', 'returns': ['HelperPath'] }
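Review bot: the `@query-helper-paths` documentation does not state that a helper which cannot be found is left out of the returned list, which is what the loop in qmp_query_helper_paths() does when `path` is NULL. Say so under "Returns", and tidy the sentence about checking "the stamp" while there. The patch subject also names the command qemu-ebpf-rss-path while the schema defines `query-helper-paths`; the two should agree.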
-- 
2.31.1




[PATCH 4/5] ebpf_rss_helper: Added helper for eBPF RSS.

2021-07-13 Thread Andrew Melnychenko
Helper program. Loads eBPF RSS program and maps and passes them through unix 
socket.
Libvirt may launch this helper and pass eBPF fds to qemu virtio-net.
Also, libbpf dependency now exclusively for Linux.
Libbpf is used for eBPF RSS steering, which is supported only by Linux TAP.
There is no reason yet to build eBPF loader and helper for non Linux systems,
even if libbpf is present.

Signed-off-by: Andrew Melnychenko 
---
 ebpf/qemu-ebpf-rss-helper.c | 130 
 meson.build |  37 ++
 2 files changed, 154 insertions(+), 13 deletions(-)
 create mode 100644 ebpf/qemu-ebpf-rss-helper.c

diff --git a/ebpf/qemu-ebpf-rss-helper.c b/ebpf/qemu-ebpf-rss-helper.c
new file mode 100644
index 00..fe68758f57
--- /dev/null
+++ b/ebpf/qemu-ebpf-rss-helper.c
@@ -0,0 +1,130 @@
+/*
+ * eBPF RSS Helper
+ *
+ * Developed by Daynix Computing LTD (http://www.daynix.com)
+ *
+ * Authors:
+ *  Andrew Melnychenko 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ * Description: This is helper program for libvirtd.
+ *  It loads eBPF RSS program and passes fds through unix socket.
+ *  Built by meson, target - 'qemu-ebpf-rss-helper'.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "ebpf_rss.h"
+
+#include "qemu-helper-stamp.h"
+
+void QEMU_HELPER_STAMP(void) {}
+
+static int send_fds(int socket, int *fds, int n)
+{
+struct msghdr msg = {};
+struct cmsghdr *cmsg = NULL;
+char buf[CMSG_SPACE(n * sizeof(int))];
+char dummy_buffer = 0;
+struct iovec io = { .iov_base = _buffer,
+.iov_len = sizeof(dummy_buffer) };
+
+memset(buf, 0, sizeof(buf));
+
+msg.msg_iov = 
+msg.msg_iovlen = 1;
+msg.msg_control = buf;
+msg.msg_controllen = sizeof(buf);
+
+cmsg = CMSG_FIRSTHDR();
+cmsg->cmsg_level = SOL_SOCKET;
+cmsg->cmsg_type = SCM_RIGHTS;
+cmsg->cmsg_len = CMSG_LEN(n * sizeof(int));
+
+memcpy(CMSG_DATA(cmsg), fds, n * sizeof(int));
+
+return sendmsg(socket, , 0);
+}
+
+static void print_help_and_exit(const char *prog, int exitcode)
+{
+fprintf(stderr, "%s - load eBPF RSS program for qemu and pass eBPF fds"
+" through unix socket.\n", prog);
+fprintf(stderr, "\t--fd , -f  - unix socket file descriptor"
+" used to pass eBPF fds.\n");
+fprintf(stderr, "\t--help, -h - this help.\n");
+exit(exitcode);
+}
+
+int main(int argc, char **argv)
+{
+char *fd_string = NULL;
+int unix_fd = 0;
+struct EBPFRSSContext ctx = {};
+int fds[EBPF_RSS_MAX_FDS] = {};
+int ret = -1;
+
+for (;;) {
+int c;
+static struct option long_options[] = {
+{"help",  no_argument, 0, 'h'},
+{"fd",  required_argument, 0, 'f'},
+{0, 0, 0, 0}
+};
+c = getopt_long(argc, argv, "hf:",
+long_options, NULL);
+
+if (c == -1) {
+break;
+}
+
+switch (c) {
+case 'f':
+fd_string = optarg;
+break;
+case 'h':
+default:
+print_help_and_exit(argv[0],
+c == 'h' ? EXIT_SUCCESS : EXIT_FAILURE);
+}
+}
+
+if (!fd_string) {
+fprintf(stderr, "Unix file descriptor not present.\n");
+print_help_and_exit(argv[0], EXIT_FAILURE);
+}
+
+unix_fd = atoi(fd_string);
+
+if (!unix_fd) {
+fprintf(stderr, "Unix file descriptor is invalid.\n");
+return EXIT_FAILURE;
+}
+
+ebpf_rss_init();
+if (!ebpf_rss_load()) {
+fprintf(stderr, "Can't load ebpf.\n");
+return EXIT_FAILURE;
+}
+fds[0] = ctx.program_fd;
+fds[1] = ctx.map_configuration;
+
+ret = send_fds(unix_fd, fds, EBPF_RSS_MAX_FDS);
+if (ret < 0) {
+fprintf(stderr, "Issue while sending fds: %s.\n", strerror(errno));
+}
+
+ebpf_rss_unload();
+
+return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
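Review bot: In main(), the --fd argument is parsed with atoi() and rejected only when the result is 0, so a negative number, a value with trailing garbage or a descriptor that is not a socket goes straight to sendmsg(). Parse it with strtol(), checking the end pointer and the range, and confirm with fstat() and S_ISSOCK() that it is a socket before loading the program. Also, send_fds() is called with EBPF_RSS_MAX_FDS entries while only fds[0] and fds[1] are assigned; if the constant is larger than 2, the remaining zero-initialised slots hand descriptor 0 to the peer over SCM_RIGHTS, so send exactly the number of descriptors that were filled in.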
diff --git a/meson.build b/meson.build
index 257e51d91b..913aa1fee5 100644
--- a/meson.build
+++ b/meson.build
@@ -1033,19 +1033,22 @@ if not get_option('fuse_lseek').disabled()
 endif
 
 # libbpf
-libbpf = dependency('libbpf', required: get_option('bpf'), method: 
'pkg-config')
-if libbpf.found() and not cc.links('''
-   #include 
-   int main(void)
-   {
- bpf_object__destroy_skeleton(NULL);
- return 0;
-   }''', dependencies: libbpf)
-  libbpf = not_found
-  if get_option('bpf').enabled()
-error('libbpf skeleton test failed')
-  else
-warning('libbpf skeleton test failed, disabling')
+libbpf = not_found
+if targetos == 'linux'
+  libbpf = dependency('libbpf', required: get_option('bpf'), method: 
'pkg-config')
+  if libbpf.found() and not cc.links('''
+#include 
+int main(void)
+{
+  bpf_object__destroy_skeleton(NULL);
+  return 0;
+ 
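Review bot: In the visible part of this hunk, libbpf is preset to not_found and the dependency() call moves under "if targetos == 'linux'", so a non-Linux build configured with the bpf option enabled now ends up without libbpf and without any message, because "required: get_option('bpf')" is never evaluated there. Add an else branch that calls error() when get_option('bpf').enabled() on a non-Linux host, so that an explicit request is not dropped silently.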

Re: [PULL 0/6] Tracing patches

2021-07-13 Thread Peter Maydell
On Mon, 12 Jul 2021 at 17:50, Stefan Hajnoczi  wrote:
>
> The following changes since commit bd38ae26cea0d1d6a97f930248df149204c210a2:
>
>   Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210710' 
> into staging (2021-07-12 11:02:39 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/stefanha/qemu.git tags/tracing-pull-request
>
> for you to fetch changes up to bbe47ed2928542e7db58146b6108e3f2836f278f:
>
>   trace, lttng: require .pc files (2021-07-12 17:37:12 +0100)
>
> 
> Pull request


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



[PATCH for-6.2 29/34] target/arm: Implement MVE VMOV to/from 2 general-purpose registers

2021-07-13 Thread Peter Maydell
Implement the MVE VMOV forms that move data between 2 general-purpose
registers and 2 32-bit lanes in a vector register.

Signed-off-by: Peter Maydell 
---
 target/arm/translate-a32.h |  1 +
 target/arm/mve.decode  |  4 ++
 target/arm/translate-mve.c | 85 ++
 target/arm/translate-vfp.c |  2 +-
 4 files changed, 91 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a32.h b/target/arm/translate-a32.h
index 6dfcafe1796..6f4d65ddb00 100644
--- a/target/arm/translate-a32.h
+++ b/target/arm/translate-a32.h
@@ -49,6 +49,7 @@ void gen_rev16(TCGv_i32 dest, TCGv_i32 var);
 void clear_eci_state(DisasContext *s);
 bool mve_eci_check(DisasContext *s);
 void mve_update_and_store_eci(DisasContext *s);
+bool mve_skip_vmov(DisasContext *s, int vn, int index, int size);
 
 static inline TCGv_i32 load_cpu_offset(int offset)
 {
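Review bot: The new mve_skip_vmov() prototype is exported without a comment. Say next to the declaration what vn, index and size refer to and that a true return means the move must be skipped, since the callers added in translate-mve.c depend on that polarity.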
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 3899937f033..6ac9cb8e4d4 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -136,6 +136,10 @@ VLDR_VSTR1110110 1 a:1 . w:1 .  ... 01 
...   @vldr_vstr \
 VLDR_VSTR1110110 1 a:1 . w:1 .  ... 10 ...   @vldr_vstr \
  size=2 p=1
 
+# Moves between 2 32-bit vector lanes and 2 general purpose registers
+VMOV_to_2gp  1110 1100 0 . 00 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
+VMOV_from_2gp1110 1100 0 . 01 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
+
 # Vector 2-op
 VAND 1110  0 . 00 ... 0 ... 0 0001 . 1 . 1 ... 0 @2op_nosz
 VBIC 1110  0 . 01 ... 0 ... 0 0001 . 1 . 1 ... 0 @2op_nosz
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index f243c34bd21..43f917e609e 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -1507,3 +1507,88 @@ static bool do_vabav(DisasContext *s, arg_vabav *a, 
MVEGenVABAVFn *fn)
 
 DO_VABAV(VABAV_S, vabavs)
 DO_VABAV(VABAV_U, vabavu)
+
+static bool trans_VMOV_to_2gp(DisasContext *s, arg_VMOV_to_2gp *a)
+{
+/*
+ * VMOV two 32-bit vector lanes to two general-purpose registers.
+ * This insn is not predicated but it is subject to beat-wise
+ * execution if it is not in an IT block. For us this means
+ * only that if PSR.ECI says we should not be executing the beat
+ * corresponding to the lane of the vector register being accessed
+ * then we should skip perfoming the move, and that we need to do
+ * the usual check for bad ECI state and advance of ECI state.
+ * (If PSR.ECI is non-zero then we cannot be in an IT block.)
+ */
+TCGv_i32 tmp;
+int vd;
+
+if (!dc_isar_feature(aa32_mve, s) || !mve_check_qreg_bank(s, a->qd) ||
+a->rt == 13 || a->rt == 15 || a->rt2 == 13 || a->rt2 == 15 ||
+a->rt == a->rt2) {
+/* Rt/Rt2 cases are UNPREDICTABLE */
+return false;
+}
+if (!mve_eci_check(s) || !vfp_access_check(s)) {
+return true;
+}
+
+/* Convert Qreg index to Dreg for read_neon_element32() etc */
+vd = a->qd * 2;
+
+if (!mve_skip_vmov(s, vd, a->idx, MO_32)) {
+tmp = tcg_temp_new_i32();
+read_neon_element32(tmp, vd, a->idx, MO_32);
+store_reg(s, a->rt, tmp);
+}
+if (!mve_skip_vmov(s, vd + 1, a->idx, MO_32)) {
+tmp = tcg_temp_new_i32();
+read_neon_element32(tmp, vd + 1, a->idx, MO_32);
+store_reg(s, a->rt2, tmp);
+}
+
+mve_update_and_store_eci(s);
+return true;
+}
+
+static bool trans_VMOV_from_2gp(DisasContext *s, arg_VMOV_to_2gp *a)
+{
+/*
+ * VMOV two general-purpose registers to two 32-bit vector lanes.
+ * This insn is not predicated but it is subject to beat-wise
+ * execution if it is not in an IT block. For us this means
+ * only that if PSR.ECI says we should not be executing the beat
+ * corresponding to the lane of the vector register being accessed
+ * then we should skip perfoming the move, and that we need to do
+ * the usual check for bad ECI state and advance of ECI state.
+ * (If PSR.ECI is non-zero then we cannot be in an IT block.)
+ */
+TCGv_i32 tmp;
+int vd;
+
+if (!dc_isar_feature(aa32_mve, s) || !mve_check_qreg_bank(s, a->qd) ||
+a->rt == 13 || a->rt == 15 || a->rt2 == 13 || a->rt2 == 15) {
+/* Rt/Rt2 cases are UNPREDICTABLE */
+return false;
+}
+if (!mve_eci_check(s) || !vfp_access_check(s)) {
+return true;
+}
+
+/* Convert Qreg idx to Dreg for read_neon_element32() etc */
+vd = a->qd * 2;
+
+if (!mve_skip_vmov(s, vd, a->idx, MO_32)) {
+tmp = load_reg(s, a->rt);
+write_neon_element32(tmp, vd, a->idx, MO_32);
+tcg_temp_free_i32(tmp);
+}
+if (!mve_skip_vmov(s, vd + 1, a->idx, MO_32)) {
+tmp = load_reg(s, a->rt2);
+write_neon_element32(tmp, vd + 1, a->idx, MO_32);
+tcg_temp_free_i32(tmp);
+}
+
+mve_update_and_store_eci(s);
+return true;
+}
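Review bot: trans_VMOV_from_2gp() takes an arg_VMOV_to_2gp pointer; if the decoder generates a separate arg_VMOV_from_2gp type, use it here, and if the two patterns share one struct, a one-line comment would save the reader from wondering. The UNPREDICTABLE test also differs between the two functions (only the to-2gp form rejects a->rt == a->rt2), so the shared comment "Rt/Rt2 cases are UNPREDICTABLE" should name the cases each function covers. "perfoming" in both block comments should be "performing".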
diff --git 

[PULL 07/12] linux-user: Simplify host <-> target errno conversion using macros

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Convert the host_to_target_errno_table[] array to a switch
case to allow compiler optimizations (such as noticing the identity
function when host and guest errnos match). Extract the errnos
list to a new includible unit, using a generic macro. Remove
the code related to target_to_host_errno_table[] initialization.

Suggested-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Message-Id: <20210708170550.1846343-8-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/errnos.c.inc | 140 +++
 linux-user/syscall.c| 159 
 2 files changed, 154 insertions(+), 145 deletions(-)
 create mode 100644 linux-user/errnos.c.inc

diff --git a/linux-user/errnos.c.inc b/linux-user/errnos.c.inc
new file mode 100644
index ..963ba1ce9d11
--- /dev/null
+++ b/linux-user/errnos.c.inc
@@ -0,0 +1,140 @@
+/*
+ * This list is the union of errno values overridden in asm-/errno.h
+ * minus the errnos that are not actually generic to all archs.
+ *
+ * Please keep this list sorted alphabetically.
+ *
+ *  Copyright (c) 2003 Fabrice Bellard
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+E(EADDRINUSE)
+E(EADDRNOTAVAIL)
+E(EADV)
+E(EAFNOSUPPORT)
+E(EAGAIN)
+E(EALREADY)
+E(EBADE)
+E(EBADFD)
+E(EBADMSG)
+E(EBADR)
+E(EBADRQC)
+E(EBADSLT)
+E(EBFONT)
+E(ECANCELED)
+E(ECHRNG)
+E(ECOMM)
+E(ECONNABORTED)
+E(ECONNREFUSED)
+E(ECONNRESET)
+E(EDEADLK)
+E(EDESTADDRREQ)
+E(EDOTDOT)
+E(EDQUOT)
+E(EHOSTDOWN)
+E(EHOSTUNREACH)
+#ifdef EHWPOISON
+E(EHWPOISON)
+#endif
+E(EIDRM)
+E(EILSEQ)
+E(EINPROGRESS)
+E(EISCONN)
+E(EISNAM)
+#ifdef EKEYEXPIRED
+E(EKEYEXPIRED)
+#endif
+#ifdef EKEYREJECTED
+E(EKEYREJECTED)
+#endif
+#ifdef EKEYREVOKED
+E(EKEYREVOKED)
+#endif
+E(EL2HLT)
+E(EL2NSYNC)
+E(EL3HLT)
+E(EL3RST)
+E(ELIBACC)
+E(ELIBBAD)
+E(ELIBEXEC)
+E(ELIBMAX)
+E(ELIBSCN)
+E(ELNRNG)
+E(ELOOP)
+E(EMEDIUMTYPE)
+E(EMSGSIZE)
+E(EMULTIHOP)
+E(ENAMETOOLONG)
+E(ENAVAIL)
+E(ENETDOWN)
+E(ENETRESET)
+E(ENETUNREACH)
+E(ENOANO)
+E(ENOBUFS)
+E(ENOCSI)
+E(ENODATA)
+#ifdef ENOKEY
+E(ENOKEY)
+#endif
+E(ENOLCK)
+E(ENOLINK)
+E(ENOMEDIUM)
+#ifdef ENOMSG
+E(ENOMSG)
+#endif
+E(ENONET)
+E(ENOPKG)
+E(ENOPROTOOPT)
+E(ENOSR)
+E(ENOSTR)
+E(ENOSYS)
+E(ENOTCONN)
+E(ENOTEMPTY)
+E(ENOTNAM)
+#ifdef ENOTRECOVERABLE
+E(ENOTRECOVERABLE)
+#endif
+E(ENOTSOCK)
+E(ENOTUNIQ)
+E(EOPNOTSUPP)
+E(EOVERFLOW)
+#ifdef EOWNERDEAD
+E(EOWNERDEAD)
+#endif
+E(EPFNOSUPPORT)
+E(EPROTO)
+E(EPROTONOSUPPORT)
+E(EPROTOTYPE)
+E(EREMCHG)
+E(EREMOTE)
+E(EREMOTEIO)
+E(ERESTART)
+#ifdef ERFKILL
+E(ERFKILL)
+#endif
+E(ESHUTDOWN)
+E(ESOCKTNOSUPPORT)
+E(ESRMNT)
+E(ESTALE)
+E(ESTRPIPE)
+E(ETIME)
+E(ETIMEDOUT)
+E(ETOOMANYREFS)
+E(EUCLEAN)
+E(EUNATCH)
+E(EUSERS)
+E(EXFULL)
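Review bot: errnos.c.inc expands E() for every entry, but the header comment does not state the contract for the file that includes it; add a line saying that E(X) must be defined before the #include and undefined afterwards. It would also help to say why only some entries (EHWPOISON, EKEYEXPIRED, EKEYREJECTED, EKEYREVOKED, ENOKEY, ENOMSG, ENOTRECOVERABLE, EOWNERDEAD, ERFKILL) are wrapped in #ifdef, so that whoever adds an errno knows when a guard is needed.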
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 4842a1987b79..94ec6f730b3f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -509,150 +509,26 @@ static inline int next_free_host_timer(void)
 
 #define ERRNO_TABLE_SIZE 1200
 
-/* target_to_host_errno_table[] is initialized from
- * host_to_target_errno_table[] in syscall_init(). */
-static uint16_t target_to_host_errno_table[ERRNO_TABLE_SIZE] = {
-};
-
-/*
- * This list is the union of errno values overridden in asm-/errno.h
- * minus the errnos that are not actually generic to all archs.
- */
-static uint16_t host_to_target_errno_table[ERRNO_TABLE_SIZE] = {
-[EAGAIN]= TARGET_EAGAIN,
-[EIDRM] = TARGET_EIDRM,
-[ECHRNG]= TARGET_ECHRNG,
-[EL2NSYNC]  = TARGET_EL2NSYNC,
-[EL3HLT]= TARGET_EL3HLT,
-[EL3RST]= TARGET_EL3RST,
-[ELNRNG]= TARGET_ELNRNG,
-[EUNATCH]   = TARGET_EUNATCH,
-[ENOCSI]= TARGET_ENOCSI,
-[EL2HLT]= TARGET_EL2HLT,
-[EDEADLK]   = TARGET_EDEADLK,
-[ENOLCK]= TARGET_ENOLCK,
-[EBADE] = TARGET_EBADE,
-[EBADR] = TARGET_EBADR,
-[EXFULL]= TARGET_EXFULL,
-[ENOANO]= TARGET_ENOANO,
-[EBADRQC]   = TARGET_EBADRQC,
-[EBADSLT]   = TARGET_EBADSLT,
-[EBFONT]= TARGET_EBFONT,
-[ENOSTR]= TARGET_ENOSTR,
-[ENODATA]   = 
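Review bot: ERRNO_TABLE_SIZE stays as a context line while both arrays sized by it, target_to_host_errno_table[] and host_to_target_errno_table[], are removed. If nothing else uses the define after the conversion to a switch, drop it in the same patch.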

[PULL 03/12] linux-user: Extract target errno to 'target_errno_defs.h'

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

We want to access the target errno independently of the rest of the
linux-user code. Move the header containing the generic errno
definitions ('errno_defs.h') to 'generic/target_errno_defs.h',
create a new 'target_errno_defs.h' in each target which itself
includes 'generic/target_errno_defs.h'.

Suggested-by: Richard Henderson 
Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-4-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/aarch64/target_errno_defs.h   | 7 +++
 linux-user/alpha/target_errno_defs.h | 6 ++
 linux-user/arm/target_errno_defs.h   | 7 +++
 linux-user/cris/target_errno_defs.h  | 7 +++
 linux-user/{errno_defs.h => generic/target_errno_defs.h} | 4 ++--
 linux-user/hexagon/target_errno_defs.h   | 7 +++
 linux-user/hppa/target_errno_defs.h  | 6 ++
 linux-user/i386/target_errno_defs.h  | 7 +++
 linux-user/m68k/target_errno_defs.h  | 7 +++
 linux-user/microblaze/target_errno_defs.h| 7 +++
 linux-user/mips/target_errno_defs.h  | 6 ++
 linux-user/mips64/target_errno_defs.h| 6 ++
 linux-user/nios2/target_errno_defs.h | 7 +++
 linux-user/openrisc/target_errno_defs.h  | 7 +++
 linux-user/ppc/target_errno_defs.h   | 7 +++
 linux-user/riscv/target_errno_defs.h | 7 +++
 linux-user/s390x/target_errno_defs.h | 7 +++
 linux-user/safe-syscall.S| 2 +-
 linux-user/sh4/target_errno_defs.h   | 7 +++
 linux-user/sparc/target_errno_defs.h | 7 ++-
 linux-user/sparc/target_syscall.h| 2 --
 linux-user/syscall_defs.h| 2 +-
 linux-user/x86_64/target_errno_defs.h| 7 +++
 linux-user/xtensa/target_errno_defs.h| 7 +++
 24 files changed, 139 insertions(+), 7 deletions(-)
 create mode 100644 linux-user/aarch64/target_errno_defs.h
 create mode 100644 linux-user/alpha/target_errno_defs.h
 create mode 100644 linux-user/arm/target_errno_defs.h
 create mode 100644 linux-user/cris/target_errno_defs.h
 rename linux-user/{errno_defs.h => generic/target_errno_defs.h} (99%)
 create mode 100644 linux-user/hexagon/target_errno_defs.h
 create mode 100644 linux-user/hppa/target_errno_defs.h
 create mode 100644 linux-user/i386/target_errno_defs.h
 create mode 100644 linux-user/m68k/target_errno_defs.h
 create mode 100644 linux-user/microblaze/target_errno_defs.h
 create mode 100644 linux-user/mips/target_errno_defs.h
 create mode 100644 linux-user/mips64/target_errno_defs.h
 create mode 100644 linux-user/nios2/target_errno_defs.h
 create mode 100644 linux-user/openrisc/target_errno_defs.h
 create mode 100644 linux-user/ppc/target_errno_defs.h
 create mode 100644 linux-user/riscv/target_errno_defs.h
 create mode 100644 linux-user/s390x/target_errno_defs.h
 create mode 100644 linux-user/sh4/target_errno_defs.h
 create mode 100644 linux-user/x86_64/target_errno_defs.h
 create mode 100644 linux-user/xtensa/target_errno_defs.h

diff --git a/linux-user/aarch64/target_errno_defs.h 
b/linux-user/aarch64/target_errno_defs.h
new file mode 100644
index ..461b54772846
--- /dev/null
+++ b/linux-user/aarch64/target_errno_defs.h
@@ -0,0 +1,7 @@
+#ifndef AARCH64_TARGET_ERRNO_DEFS_H
+#define AARCH64_TARGET_ERRNO_DEFS_H
+
+/* Target uses generic errno */
+#include "../generic/target_errno_defs.h"
+
+#endif
diff --git a/linux-user/alpha/target_errno_defs.h 
b/linux-user/alpha/target_errno_defs.h
new file mode 100644
index ..54770108c02a
--- /dev/null
+++ b/linux-user/alpha/target_errno_defs.h
@@ -0,0 +1,6 @@
+#ifndef ALPHA_TARGET_ERRNO_DEFS_H
+#define ALPHA_TARGET_ERRNO_DEFS_H
+
+#include "../generic/target_errno_defs.h"
+
+#endif
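Review bot: Unlike the aarch64, arm and cris headers, the alpha header includes ../generic/target_errno_defs.h without the "Target uses generic errno" comment. If that is because alpha is about to get its own definitions, add a comment saying so; otherwise carry the same comment for consistency.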
diff --git a/linux-user/arm/target_errno_defs.h 
b/linux-user/arm/target_errno_defs.h
new file mode 100644
index ..fd8437323843
--- /dev/null
+++ b/linux-user/arm/target_errno_defs.h
@@ -0,0 +1,7 @@
+#ifndef ARM_TARGET_ERRNO_DEFS_H
+#define ARM_TARGET_ERRNO_DEFS_H
+
+/* Target uses generic errno */
+#include "../generic/target_errno_defs.h"
+
+#endif
diff --git a/linux-user/cris/target_errno_defs.h 
b/linux-user/cris/target_errno_defs.h
new file mode 100644
index ..1cf43b17a500
--- /dev/null
+++ b/linux-user/cris/target_errno_defs.h
@@ -0,0 +1,7 @@
+#ifndef CRIS_TARGET_ERRNO_DEFS_H
+#define CRIS_TARGET_ERRNO_DEFS_H
+
+/* Target uses generic errno */
+#include "../generic/target_errno_defs.h"
+
+#endif
diff --git a/linux-user/errno_defs.h b/linux-user/generic/target_errno_defs.h
similarity index 99%
rename from 

Re: [RFC PATCH 0/6] Add AMD Secure Nested Paging (SEV-SNP) support

2021-07-13 Thread Brijesh Singh




On 7/13/21 3:05 AM, Dov Murik wrote:

> Particularly confusing is the `policy` attribute which is only relevant
> for SEV / SEV-ES, while there's a new `snp.policy` attribute for SNP...
> Maybe the irrelevant attributes should not be added to the tree when not
> in SNP.

The policy fields are also applicable to the SNP. The main differences are:

- in SEV/SEV-ES the policy is 32-bit compared to a 64-bit value in SEV-SNP.
  However, for SEV-SNP the spec uses the lower 32-bit value and the higher
  bits are marked reserved.

- the bit field meanings are different

Based on this, we can introduce a new field 'snp-policy'.

-Brijesh



Re: [PATCH 01/11] nbd/server: Remove unused variable

2021-07-13 Thread Richard Henderson

On 7/13/21 6:14 AM, Eric Blake wrote:

Hmm; in glib 2.68.2 (on Fedora 34), g_autofree does NOT include an
attribute unused.  Thus, does this silence the compiler?  (Even cooler
would be making the comment a link to an actual bug in the clang
database, but I couldn't quickly find one)

diff --git i/nbd/server.c w/nbd/server.c
index b60ebc3ab6ac..393cbd81c57a 100644
--- i/nbd/server.c
+++ w/nbd/server.c
@@ -973,7 +973,8 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
  {
  int ret;
  g_autofree char *export_name = NULL;
-g_autofree bool *bitmaps = NULL;
+/* G_GNUC_UNUSED needed to work around a clang bug */
+g_autofree G_GNUC_UNUSED bool *bitmaps = NULL;
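Review bot: The added comment says "a clang bug" without saying which one. Reference the report in the comment (https://bugs.llvm.org/show_bug.cgi?id=3888 is the one named in this thread) so that the G_GNUC_UNUSED annotation can be removed once the compiler is fixed.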


That works.  I found

  https://bugs.llvm.org/show_bug.cgi?id=3888

and gave it a nudge.


r~



Re: [PATCH 08/11] linux-user/syscall: Remove unused variable from execve

2021-07-13 Thread Laurent Vivier
On 12/07/2021 at 23:55, Richard Henderson wrote:
> From clang-13:
> linux-user/syscall.c:8503:17: error: variable 'total_size' set but not used \
> [-Werror,-Wunused-but-set-variable]
> 
> Cc: Laurent Vivier 
> Signed-off-by: Richard Henderson 
> ---
>  linux-user/syscall.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 2e826206d2..c27debba8c 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -8500,7 +8500,6 @@ static abi_long do_syscall1(void *cpu_env, int num, 
> abi_long arg1,
>  abi_ulong guest_envp;
>  abi_ulong addr;
>  char **q;
> -int total_size = 0;
>  
>  argc = 0;
>  guest_argp = arg2;
> @@ -8532,7 +8531,6 @@ static abi_long do_syscall1(void *cpu_env, int num, 
> abi_long arg1,
>  break;
>  if (!(*q = lock_user_string(addr)))
>  goto execve_efault;
> -total_size += strlen(*q) + 1;
>  }
>  *q = NULL;
>  
> @@ -8544,7 +8542,6 @@ static abi_long do_syscall1(void *cpu_env, int num, 
> abi_long arg1,
>  break;
>  if (!(*q = lock_user_string(addr)))
>  goto execve_efault;
> -total_size += strlen(*q) + 1;
>  }
>  *q = NULL;
>  
> 

Acked-by: Laurent Vivier 



[PATCH v2 1/3] docs: Add skeletal documentation of cubieboard

2021-07-13 Thread Peter Maydell
Add skeletal documentation of the cubieboard machine.

Signed-off-by: Peter Maydell 
---
 docs/system/arm/cubieboard.rst | 16 
 docs/system/target-arm.rst |  1 +
 MAINTAINERS|  1 +
 3 files changed, 18 insertions(+)
 create mode 100644 docs/system/arm/cubieboard.rst

diff --git a/docs/system/arm/cubieboard.rst b/docs/system/arm/cubieboard.rst
new file mode 100644
index 000..344ff8cef99
--- /dev/null
+++ b/docs/system/arm/cubieboard.rst
@@ -0,0 +1,16 @@
+Cubietech Cubieboard (``cubieboard``)
+=
+
+The ``cubieboard`` model emulates the Cubietech Cubieboard,
+which is a Cortex-A8 based single-board computer using
+the AllWinner A10 SoC.
+
+Emulated devices:
+
+- Timer
+- UART
+- RTC
+- EMAC
+- SDHCI
+- USB controller
+- SATA controller
diff --git a/docs/system/target-arm.rst b/docs/system/target-arm.rst
index 705b8835e48..e2fcb64872d 100644
--- a/docs/system/target-arm.rst
+++ b/docs/system/target-arm.rst
@@ -85,6 +85,7 @@ undocumented; you can get a complete list by running
arm/aspeed
arm/sabrelite
arm/digic
+   arm/cubieboard
arm/musicpal
arm/gumstix
arm/nrf
diff --git a/MAINTAINERS b/MAINTAINERS
index c340bb02b0f..93b9f900034 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -559,6 +559,7 @@ S: Odd Fixes
 F: hw/*/allwinner*
 F: include/hw/*/allwinner*
 F: hw/arm/cubieboard.c
+F: docs/system/arm/cubieboard.rst
 
 Allwinner-h3
 M: Niek Linnenbank 
-- 
2.20.1




Re: [Virtio-fs] [PATCH v2 7/9] virtiofsd: Add inodes_by_handle hash table

2021-07-13 Thread Max Reitz
So I’m coming back to this after three weeks (well, PTO), and this again 
turns into a bit of a pain, actually.


I don’t think it’s anything serious, but I had thought we had found 
something that would make us both happy because it wouldn’t be too ugly, 
and now it’s turning ugly again...  So I’m sending this mail as a heads 
up before I send v3 in the next days, to explain my thought process.


On 21.06.21 11:02, Max Reitz wrote:

On 18.06.21 20:29, Vivek Goyal wrote:



[...]


I am still reading your code and trying to understand it. But one
question came to mind. What happens if we can generate file handle
during lookup. But can't generate when same file is looked up again.

- A file foo.txt is looked up. We can create file handle and we add it
   to lo->inodes_by_handle as well as lo->inodes_by_ds.

- Say somebody deleted file and created again and inode number got
   reused.

- Now during ->revalidation path, lookup happens again. This time say
   we can't generate file handle. If I am reading lo_do_find() code
   correctly, it will find the old inode using ids and return same
   inode as result of lookup. And we did not recognize that inode
   number has been reused.


Oh, that’s a good point.  If an lo_inode has no O_PATH fd but is only 
addressed by handle, we must always look it up by handle.


Also, just wanted to throw in this remark:

Now that I read the code again, lo_do_find() already has a condition to 
prevent this.  It’s this:


if (p && fhandle != NULL && p->fhandle != NULL) {
    p = NULL;
}

There’s just one thing wrong with it, and that is the `fhandle != NULL` 
part.  It has no place there.  But this piece of code does exactly what 
we’d need it to do if it were just:


if (p && p->fhandle != NULL) {
    p = NULL;
}

[...]

However, you made a good point in that we must require 
name_to_handle_at() to work if it worked before for some inode, not 
because it would be simpler, but because it would be wrong otherwise.


As for the other way around...  Well, now I don’t have a strong 
opinion on it.  Handling temporary name_to_handle_at() failure after 
it worked the first time should not add extra complexity, but it 
wouldn’t be symmetric.  Like, allowing temporary failure sometimes but 
not at other times.


(I think I mistyped here, it should be “Handling name_to_handle_at() 
randomly working after it failed the first time”.)


The next question is, how do we detect temporary failure, because if 
we look up some new inode, name_to_handle_at() fails, we ignore it, 
and then it starts to work and we fail all further lookups, that’s not 
good.  We should have the first lookup fail.  I suppose ENOTSUPP means 
“OK to ignore”, and for everything else we should let lookup fail?  
(And that pretty much answers my "what if name_to_handle_at() works 
the first time, but then fails" question.  If we let anything but 
ENOTSUPP let the lookup fail, then we should do so every time.)


I don’t think this will work as cleanly as I’d hoped.

The problem I’m facing is that get_file_handle() doesn’t only call 
name_to_handle_at(), but also contains a lot of code managing 
mount_fds.  There are a lot of places that can fail, too, and I think we 
should have them fall back to using an O_PATH FD:


Say mount_fds doesn’t contain an FD for the new handle’s mount ID yet, 
so we want to add one.  However, it turns out that the file is not a 
regular file or directory, so we cannot open it as a regular FD and add 
it to mount_fds; or that it is a regular file, but without permission to 
open it O_RDONLY.  So we cannot return a file handle, because it will 
not be usable until a mount FD is added.


I think in such a case we should fall back to an O_PATH FD, because this 
is not some unexpected error, but just an unfortunate (but reproducible 
and valid) circumstance where using `-o inode_file_handles` fails to do 
something that works without it.


Now, however, this means that the next time we try to generate a handle 
for this file (to look it up), it will absolutely work if some other FD 
was added to mount_fds for this mount ID in the meantime.



We could get around this by not trying to open the file for which we are 
to generate a handle to add its FD to mount_fds, but instead doing what 
the open_by_handle_at() man page suggests:


The mount_id argument returns an identifier for the filesystem mount 
that corresponds to pathname. This corresponds to the first field in 
one of the records in /proc/self/mountinfo. Opening the pathname in 
the fifth field of that record yields a file descriptor for the mount 
point; that file descriptor can be used in a subsequent call to 
open_by_handle_at().


However, I’d rather avoid parsing mountinfo.  And as far as I 
understand, the only problem here is that we’ll have to cope with the 
fact that sometimes on lookups, we can generate a file handle, but the 
lo_inode we want to find has no file handle attached to it (because 
get_file_handle() failed the first time), and 
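The lookup rule discussed in the message above, as an added example that is not virtiofsd code: a simplified model of lo_do_find() comparing the condition as quoted with the one proposed. The structures, handle bytes and inode numbers are constructed, and the two-step lookup (by handle first, then by IDs) is an assumption taken from the description in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the structures named in the thread (assumptions). */
struct fhandle { unsigned char bytes[8]; };   /* opaque file handle payload */
struct ids { unsigned long dev, ino; };       /* device and inode number */
struct inode {
    struct ids ids;
    const struct fhandle *fhandle;  /* NULL: tracked through an O_PATH fd only */
    const char *what;
};

enum rule { RULE_AS_QUOTED, RULE_AS_PROPOSED };

/* Constructed sample state: handles and numbers are made up. */
static const struct fhandle H_OLD = { { 1, 0, 0, 0, 0xd2, 0x04, 0, 0 } };
static const struct fhandle H_NEW = { { 2, 0, 0, 0, 0xd2, 0x04, 0, 0 } };
static const struct fhandle H_NODE = { { 1, 0, 0, 0, 0x63, 0x00, 0, 0 } };
static struct inode known[] = {
    { { 8, 1234 }, &H_OLD, "foo.txt, first incarnation" },
    { { 8, 99 }, NULL, "special file, O_PATH fd only" },
};
#define N_KNOWN (sizeof(known) / sizeof(known[0]))

/* Models the inodes_by_handle table. */
static struct inode *by_handle(const struct fhandle *h)
{
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (known[i].fhandle &&
            memcmp(known[i].fhandle->bytes, h->bytes, sizeof(h->bytes)) == 0) {
            return &known[i];
        }
    }
    return NULL;
}

/* Models the table keyed by device and inode number. */
static struct inode *by_ids(const struct ids *k)
{
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (known[i].ids.dev == k->dev && known[i].ids.ino == k->ino) {
            return &known[i];
        }
    }
    return NULL;
}

/*
 * fhandle is the handle generated for this lookup, or NULL when generating
 * it failed; ids is always available. NULL result means "treat as new inode".
 */
static struct inode *do_find(const struct fhandle *fhandle,
                             const struct ids *ids, enum rule rule)
{
    struct inode *p = fhandle ? by_handle(fhandle) : NULL;

    if (!p) {
        p = by_ids(ids);
        if (rule == RULE_AS_QUOTED) {
            /* Condition as quoted in the message. */
            if (p && fhandle != NULL && p->fhandle != NULL) {
                p = NULL;
            }
        } else {
            /* Proposed: an inode that has a handle is matched by handle only. */
            if (p && p->fhandle != NULL) {
                p = NULL;
            }
        }
    }
    return p;
}

static const char *name(const struct inode *p)
{
    return p ? p->what : "(no match, new inode)";
}

int main(void)
{
    const struct ids reused = { 8, 1234 };  /* inode number reused after delete */
    const struct ids node = { 8, 99 };

    printf("reuse, no handle, quoted:   %s\n",
           name(do_find(NULL, &reused, RULE_AS_QUOTED)));
    printf("reuse, no handle, proposed: %s\n",
           name(do_find(NULL, &reused, RULE_AS_PROPOSED)));
    printf("reuse, new handle:          %s\n",
           name(do_find(&H_NEW, &reused, RULE_AS_PROPOSED)));
    printf("same file, same handle:     %s\n",
           name(do_find(&H_OLD, &reused, RULE_AS_PROPOSED)));
    printf("fd-only inode, handle now:  %s\n",
           name(do_find(&H_NODE, &node, RULE_AS_PROPOSED)));
    return 0;
}
```

The last case is the one the message ends on: the stored inode has no handle because generating it failed the first time, and a later lookup that does produce a handle still finds it through its IDs.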

Re: [PATCH 0/3] Atomic cleanup + clang-12 build fix

2021-07-13 Thread Cole Robinson
On 7/13/21 10:43 AM, Richard Henderson wrote:
> On 7/12/21 5:37 PM, Richard Henderson wrote:
>> On 7/12/21 2:30 PM, Cole Robinson wrote:
>>> On 7/12/21 11:59 AM, Richard Henderson wrote:
>>>> The first two patches are not strictly required, but they
>>>> were useful in tracking down the root problem here.
>>>>
>>>> I understand the logic behind the clang-12 warning, but I think
>>>> it's a clear mistake that it should be enabled by default for a
>>>> target where alignment is not enforced by default.
>>>>
>>>> I found over a dozen places where we would have to manually add
>>>> QEMU_ALIGNED(8) to uint64_t declarations in order to suppress
>>>> all of the instances.  IMO there's no point fighting this.

>>>
>>> I tested your patches, they seem to get rid of the warnings. The errors
>>> persist.
>>>
>>> FWIW here's my reproduce starting from fedora 34 x86_64 host:
>>>
>>> $ sudo mock --root fedora-35-i386 --install dnf --install dnf-utils
>>> --install fedora-packager --install clang
>>> $ sudo mock --root fedora-35-i386 --shell --enable-network
>>> # dnf builddep -y qemu
>>> # git clone https://github.com/qemu/qemu
>>> # cd qemu
>>> # CC=clang CXX=clang++ ./configure --disable-werror
>>> # make V=1
>>
>> Ho hum.  So, the warnings are where clang has decided to insert calls
>> to libatomic.
>>
>> So we either have to
>>
>> (1) work around all of the places, which, unless we set up an i386
>> clang-12 builder will quickly bitrot, or
> 
> Update: (1) is out.  There's a warning in cputlb.c vs a pointer that's
> known to be aligned, and it still fires.  I have filed a bug:
> 
>   https://bugs.llvm.org/show_bug.cgi?id=51076
> 
>>
>> (2) write our own routines, compatible with libatomic, using cmpxchg8b
>> directly.  which requires no (extra) locking, and so is compatible
>> with the tcg jit output, or
>>
>> (3) file a bug with clang, and document "use clang-11 and not clang-12".
> 
> So, Cole, with respect to (3), is this just general regression testing
> that discovered this (in which case, yay) or is there some other reason
> clang is required?
> 
> Assuming that (3) isn't really viable long term, I guess (2) is the only
> viable option.
> 

I never tested building qemu with clang prior to this so no idea if it's
a regression.

There's some interest in using clang (eventually with cfi) to build the
Fedora qemu package,  so I gave it a test run. If this case is
problematic we could keep using gcc for it and clang for every other
arch, in the short/medium term.

Richard can you clarify, do you think the errors are a clang bug as
well, or strictly a qemu issue? If it's clang maybe I can get Red Hat
llvm devs to help

Thanks,
Cole




Re: VFIO/vfio-user: specify NVMe namespace to boot from

2021-07-13 Thread Stefan Hajnoczi
On Mon, Jul 12, 2021 at 01:24:07PM +, Thanos Makatos wrote:
> We're working on implementing a virtual NVMe controller based on SPDK and a 
> multiprocess-qemu branch that uses the vfio-user. We're facing a problem 
> where the existing API doesn't allow us to tell QEMU from which NVMe 
> namespace we'd like SeaBIOS to boot from.
> 
> How can we solve this problem? Can we add a parameter to the '-boot' option, 
> e.g. '-boot path=/devices/pciblah/...@namespace0'? AFAIK VFIO should have the 
> same problem. 
> 
> The corresponding SeaBIOS patch can be found in 
> https://mail.coreboot.org/hyperkitty/list/seab...@seabios.org/thread/2Q7NPH7TJNHK6JGPHQL7755HILO23ISN/

Hi,
I have CCed Gerd Hoffmann on a hunch that he may have ideas.

Yes, I think the path needs to include the Namespace ID similar to how
SCSI boot paths include the target/channel/LUN.

When the SeaBIOS NVMe driver probes the controller it should discover
the available Namespaces and set up individual drives for each
Namespace. That would be analogous to virtio_scsi_add_lun().

Stefan




Re: [RFC PATCH 0/6] job: replace AioContext lock with job_mutex

2021-07-13 Thread Stefan Hajnoczi
On Mon, Jul 12, 2021 at 10:42:47AM +0200, Emanuele Giuseppe Esposito wrote:
> On 08/07/2021 15:09, Stefan Hajnoczi wrote:
> > On Wed, Jul 07, 2021 at 06:58:07PM +0200, Emanuele Giuseppe Esposito wrote:
> > > This is a continuation on the work to reduce (and possibly get rid of) 
> > > the usage of AioContext lock, by introducing smaller granularity locks to 
> > > keep the thread safety.
> > > 
> > > This series aims to:
> > > 1) remove the aiocontext lock and substitute it with the already existing
> > >    global job_mutex
> > > 2) fix what it looks like to be an oversight when moving the blockjob.c
> > >    logic into the more generic job.c: job_mutex was introduced especially
> > >    to protect job->busy flag, but it seems that it was not used in
> > >    successive patches, because there are multiple code sections that
> > >    directly access the field without any locking.
> > > 3) use job_mutex instead of the aiocontext_lock
> > > 4) extend the reach of the job_mutex to protect all shared fields
> > >    that the job structure has.
> > 
> > Can you explain the big picture:
> > 
> > 1. What are the rules for JobDrivers? Imagine you are implementing a new
> > JobDriver. What do you need to know in order to write correct code?
> 
> I think that in general, the rules for JobDrivers remain the same. The
> job_mutex lock should be invisible (or almost) from the point of view of a
> JobDriver, because the job API available for it should take care of the
> necessary locking/unlocking.
> 
> > 
> > 2. What are the rules for monitor? The main pattern is looking up a job,
> > invoking a job API on it, and then calling job_unlock().
> 
> The monitor instead is aware of this lock: the reason for that is exactly
> what you have described here.
> Looking up + invoking a job API operation (for example calling find_job()
> and then job_pause() ) must be performed with the same lock held all the
> time, otherwise other threads could modify the job while the monitor runs
> its command.

That helps, thanks!

Stefan




Re: [RFC PATCH 2/6] job: _locked functions and public job_lock/unlock for next patch

2021-07-13 Thread Stefan Hajnoczi
On Mon, Jul 12, 2021 at 10:43:07AM +0200, Emanuele Giuseppe Esposito wrote:
> 
> 
> On 08/07/2021 12:50, Stefan Hajnoczi wrote:
> > On Wed, Jul 07, 2021 at 06:58:09PM +0200, Emanuele Giuseppe Esposito wrote:
> > > diff --git a/job.c b/job.c
> > > index 872bbebb01..96fb8e9730 100644
> > > --- a/job.c
> > > +++ b/job.c
> > > @@ -32,6 +32,10 @@
> > >   #include "trace/trace-root.h"
> > >   #include "qapi/qapi-events-job.h"
> > > +/* job_mutex protexts the jobs list, but also the job operations. */
> > > +static QemuMutex job_mutex;
> > 
> > It's unclear what protecting "job operations" means. I would prefer a
> > fine-grained per-job lock that protects the job's fields instead of a
> > global lock with an unclear scope.
> 
> As I wrote in the cover letter, I wanted to try to keep things as simple as
> possible with a global lock. It is possible to try and have a per-job lock,
> but I don't know how complex will that be then.
> I will try and see what I can do.
> 
> Maybe "job_mutex protects the jobs list, but also makes the job API
> thread-safe"?

That's clearer, thanks. I thought "job operations" meant the processing
that the actual block jobs do (commit, mirror, stream, backup).

> 
> > 
> > > +
> > > +/* Protected by job_mutex */
> > >   static QLIST_HEAD(, Job) jobs = QLIST_HEAD_INITIALIZER(jobs);
> > >   /* Job State Transition Table */
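Review bot: the comment added above `static QemuMutex job_mutex;` misspells "protects" as "protexts"; fix the spelling when the wording is revised, and keep the "Protected by job_mutex" annotation on the jobs list in step with whatever scope the new comment ends up stating.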
> > > @@ -64,27 +68,22 @@ bool JobVerbTable[JOB_VERB__MAX][JOB_STATUS__MAX] = {
> > >   /* Transactional group of jobs */
> > >   struct JobTxn {
> > > -/* Is this txn being cancelled? */
> > > +/* Is this txn being cancelled? Atomic.*/
> > >   bool aborting;
> > 
> > The comment says atomic but this field is not accessed using atomic
> > operations (at least at this point in the patch series)?
> 
> Yes sorry I messed up the hunks in one-two patches. These comments were
> supposed to be on patch 4 "job.h: categorize job fields". Even though that
> might also not be ideal, since that patch just introduces the comments,
> without applying the locking/protection yet.
> On the other side, if I merge everything together in patch 5, it will be
> even harder to read.

The commit description can describe changes that currently have no
effect but are anticipating a later patch. That helps reviewers
understand whether the change is intentional/correct.

Stefan




[PATCH for-6.2 07/34] target/arm: Fix calculation of LTP mask when LR is 0

2021-07-13 Thread Peter Maydell
In mve_element_mask(), we calculate a mask for tail predication which
should have a number of 1 bits based on the value of LR.  However,
our MAKE_64BIT_MASK() macro has undefined behaviour when passed a
zero length.  Special case this to give the all-zeroes mask we
require.

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index f17e5a413fd..c75432c5fef 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -64,7 +64,8 @@ static uint16_t mve_element_mask(CPUARMState *env)
  */
 int masklen = env->regs[14] << env->v7m.ltpsize;
 assert(masklen <= 16);
-mask &= MAKE_64BIT_MASK(0, masklen);
+uint16_t ltpmask = masklen ? MAKE_64BIT_MASK(0, masklen) : 0;
+mask &= ltpmask;
 }
 
 if ((env->condexec_bits & 0xf) == 0) {
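Review bot: `masklen` stays a signed `int` and `assert(masklen <= 16)` only bounds it from above, so a negative value would pass the assert and, being non-zero, still reach `MAKE_64BIT_MASK(0, masklen)`. Consider making `masklen` unsigned or asserting the lower bound as well. The new `uint16_t ltpmask` declaration also follows a statement; declaring it at the top of the block would avoid the mixed declaration.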
-- 
2.20.1




[PATCH for-6.2 19/34] target/arm: Move 'x' and 'a' bit definitions into vmlaldav formats

2021-07-13 Thread Peter Maydell
All the users of the vmlaldav formats have an 'x' bit in bit 12 and an
'a' bit in bit 5; move these to the format rather than specifying them
in each insn pattern.

Signed-off-by: Peter Maydell 
---
Not sure why I didn't write it this way in the first place;
when I came to implement VMLADAV I noticed the oddity and
preferred to fix it rather than either copying it for VMLADAV
or having VMLADAV different.
---
 target/arm/mve.decode | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 1a788e438de..67bd894daf1 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -305,19 +305,19 @@ VDUP 1110 1110 1 0 10 ... 0  1011 . 0 0 1 
 @vdup size=2
 
  rdahi rdalo size qn qm x a
 
-@vmlaldav  . ... ... . ... .   qm:3 . \
+@vmlaldav  . ... ... . ... x:1  .. a:1 . qm:3 . \
  qn=%qn rdahi=%rdahi rdalo=%rdalo size=%size_16 
-@vmlaldav_nosz     . ... ... . ... .   qm:3 . \
+@vmlaldav_nosz     . ... ... . ... x:1  .. a:1 . qm:3 . \
  qn=%qn rdahi=%rdahi rdalo=%rdalo size=0 
-VMLALDAV_S   1110 1110 1 ... ... . ... x:1 1110 . 0 a:1 0 ... 0 @vmlaldav
-VMLALDAV_U    1110 1 ... ... . ... x:1 1110 . 0 a:1 0 ... 0 @vmlaldav
+VMLALDAV_S   1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
+VMLALDAV_U    1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
 
-VMLSLDAV 1110 1110 1 ... ... . ... x:1 1110 . 0 a:1 0 ... 1 @vmlaldav
+VMLSLDAV 1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 1 @vmlaldav
 
-VRMLALDAVH_S 1110 1110 1 ... ... 0 ... x:1  . 0 a:1 0 ... 0 
@vmlaldav_nosz
-VRMLALDAVH_U  1110 1 ... ... 0 ... x:1  . 0 a:1 0 ... 0 
@vmlaldav_nosz
+VRMLALDAVH_S 1110 1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
+VRMLALDAVH_U  1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
 
-VRMLSLDAVH    1110 1 ... ... 0 ... x:1 1110 . 0 a:1 0 ... 1 
@vmlaldav_nosz
+VRMLSLDAVH    1110 1 ... ... 0 ... . 1110 . 0 . 0 ... 1 @vmlaldav_nosz
 
 # Scalar operations
 
-- 
2.20.1




[PATCH for-6.2 06/34] target/arm: Fix 48-bit saturating shifts

2021-07-13 Thread Peter Maydell
In do_sqrshl48_d() and do_uqrshl48_d() we got some of the edge
cases wrong and failed to saturate correctly:

(1) In do_sqrshl48_d() we used the same code that do_shrshl_bhs()
does to obtain the saturated most-negative and most-positive 48-bit
signed values for the large-shift-left case.  This gives (1 << 47)
for saturate-to-most-negative, but we weren't sign-extending this
value to the 64-bit output as the pseudocode requires.

(2) For left shifts by less than 48, we copied the "8/16 bit" code
from do_sqrshl_bhs() and do_uqrshl_bhs().  This doesn't do the right
thing because it assumes the C type we're working with is at least
twice the number of bits we're saturating to (so that a shift left by
bits-1 can't shift anything off the top of the value).  This isn't
true for bits == 48, so we would incorrectly return 0 rather than the
most-positive value for situations like "shift (1 << 44) right by
20".  Instead check for saturation by doing the shift and signextend
and then testing whether shifting back left again gives the original
value.

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 8cbfd3a8c53..f17e5a413fd 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1579,9 +1579,8 @@ static inline int64_t do_sqrshl48_d(int64_t src, int64_t 
shift,
 }
 return src >> -shift;
 } else if (shift < 48) {
-int64_t val = src << shift;
-int64_t extval = sextract64(val, 0, 48);
-if (!sat || val == extval) {
+int64_t extval = sextract64(src << shift, 0, 48);
+if (!sat || src == (extval >> shift)) {
 return extval;
 }
 } else if (!sat || src == 0) {
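Review bot: the new test `src == (extval >> shift)` has no comment, and the reasoning for it (shift, sign-extend to 48 bits, then check that shifting back recovers `src`) lives only in the commit message. A short comment at the `if` would help, and it should say that the check relies on `>>` of a negative `int64_t` being an arithmetic shift and on `src << shift` wrapping rather than trapping.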
@@ -1589,7 +1588,7 @@ static inline int64_t do_sqrshl48_d(int64_t src, int64_t 
shift,
 }
 
 *sat = 1;
-return (1ULL << 47) - (src >= 0);
+return sextract64((1ULL << 47) - (src >= 0), 0, 48);
 }
 
 /* Operate on 64-bit values, but saturate at 48 bits */
@@ -1612,9 +1611,8 @@ static inline uint64_t do_uqrshl48_d(uint64_t src, 
int64_t shift,
 return extval;
 }
 } else if (shift < 48) {
-uint64_t val = src << shift;
-uint64_t extval = extract64(val, 0, 48);
-if (!sat || val == extval) {
+uint64_t extval = extract64(src << shift, 0, 48);
+if (!sat || src == (extval >> shift)) {
 return extval;
 }
 } else if (!sat || src == 0) {
-- 
2.20.1
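The two edge cases from the commit message above, as an added example that is not part of the patch or of QEMU's source. The names `sext48`, `shl48_old` and `shl48_new` are hypothetical, only the left-shift-by-less-than-48 branch is modelled (no rounding, no right shifts), and `sat` must be non-NULL here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sign-extend the low 48 bits of v; same result as sextract64(v, 0, 48). */
static int64_t sext48(uint64_t v)
{
    /* Relies on >> of a negative int64_t being arithmetic (GCC, Clang). */
    return (int64_t)(v << 16) >> 16;
}

/*
 * Pre-patch check for 0 <= shift < 48: compare the 64-bit shifted value
 * with its 48-bit sign extension. Bits shifted past bit 63 are already
 * gone by then, so some overflows go unnoticed.
 */
static int64_t shl48_old(int64_t src, unsigned shift, bool *sat)
{
    uint64_t val = (uint64_t)src << shift;
    int64_t extval = sext48(val);

    if ((int64_t)val == extval) {
        return extval;
    }
    *sat = true;
    /* Saturated value is not sign-extended: negative input yields +2^47. */
    return (int64_t)((1ULL << 47) - (src >= 0));
}

/*
 * Patched check: shift, sign-extend to 48 bits, then shift back and
 * compare with the original. Any lost bit makes the round trip fail.
 */
static int64_t shl48_new(int64_t src, unsigned shift, bool *sat)
{
    int64_t extval = sext48((uint64_t)src << shift);

    if (src == (extval >> shift)) {
        return extval;
    }
    *sat = true;
    /* Most-positive or most-negative 48-bit value, sign-extended to 64. */
    return sext48((1ULL << 47) - (src >= 0));
}

int main(void)
{
    /* Constructed inputs: {src, shift}. */
    struct { int64_t src; unsigned shift; } cases[] = {
        { 1LL << 44, 20 },      /* overflow missed by the old check */
        { -(1LL << 40), 10 },   /* negative overflow, wrong sign before */
        { -5, 3 },              /* fits: no saturation expected */
    };

    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        bool so = false, sn = false;
        int64_t o = shl48_old(cases[i].src, cases[i].shift, &so);
        int64_t n = shl48_new(cases[i].src, cases[i].shift, &sn);
        printf("src=%lld shift=%u old=%lld(sat=%d) new=%lld(sat=%d)\n",
               (long long)cases[i].src, cases[i].shift,
               (long long)o, so, (long long)n, sn);
    }
    return 0;
}
```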




[PATCH for-6.2 24/34] target/arm: Implement MVE VMLADAV and VMLSLDAV

2021-07-13 Thread Peter Maydell
Implement the MVE VMLADAV and VMLSLDAV insns.  Like the VMLALDAV and
VMLSLDAV insns already implemented, these accumulate multiplied
vector elements; but they accumulate a 32-bit result rather than a
64-bit one.

Note that these encodings overlap with what would be RdaHi=0b111 for
VMLALDAV, VMLSLDAV, VRMLALDAVH and VRMLSLDAVH.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 17 ++
 target/arm/mve.decode  | 33 +---
 target/arm/mve_helper.c| 41 
 target/arm/translate-mve.c | 64 ++
 4 files changed, 150 insertions(+), 5 deletions(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 84aa9de6e06..088bdd3ca50 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -400,6 +400,23 @@ DEF_HELPER_FLAGS_4(mve_vrmlaldavhuw, TCG_CALL_NO_WG, i64, 
env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vrmlsldavhsw, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vrmlsldavhxsw, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 
+DEF_HELPER_FLAGS_4(mve_vmladavsb, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavsh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavsw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavub, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavuh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavuw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavb, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vmladavsxb, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavsxh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmladavsxw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavxb, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavxh, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlsdavxw, TCG_CALL_NO_WG, i32, env, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_3(mve_vaddvsb, TCG_CALL_NO_WG, i32, env, ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vaddvub, TCG_CALL_NO_WG, i32, env, ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vaddvsh, TCG_CALL_NO_WG, i32, env, ptr, i32)
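Review bot: the new exchange-variant helper names put the signedness letter before the `x` (`mve_vmladavsxb`), while the existing helper in the context lines puts it after (`mve_vrmlsldavhxsw`); the `mve_vmlsdav*` helpers also carry no `s` although `mve_vrmlsldavhsw` does. Picking one order, or noting the naming scheme in a comment, would make the names predictable.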
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 79c529e762f..0c4708ea988 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -320,32 +320,55 @@ VDUP 1110 1110 1 0 10 ... 0  1011 . 0 0 1 
 @vdup size=2
 %size_16 16:1 !function=plus_1
 
  rdahi rdalo size qn qm x a
+ rda size qn qm x a
 
 @vmlaldav  . ... ... . ... x:1  .. a:1 . qm:3 . \
  qn=%qn rdahi=%rdahi rdalo=%rdalo size=%size_16 
 @vmlaldav_nosz     . ... ... . ... x:1  .. a:1 . qm:3 . \
  qn=%qn rdahi=%rdahi rdalo=%rdalo size=0 
-VMLALDAV_S   1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
-VMLALDAV_U    1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
+@vmladav    ... . ... x:1  . . a:1 . qm:3 . \
+ qn=%qn rda=%rdalo size=%size_16 
+@vmladav_nosz   ... . ... x:1  . . a:1 . qm:3 . \
+ qn=%qn rda=%rdalo size=0 
 
-VMLSLDAV 1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 1 @vmlaldav
+{
+  VMLADAV_S  1110 1110   ... . ... . 1110 . 0 . 0 ... 0 @vmladav
+  VMLALDAV_S 1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
+}
+{
+  VMLADAV_U   1110   ... . ... . 1110 . 0 . 0 ... 0 @vmladav
+  VMLALDAV_U  1110 1 ... ... . ... . 1110 . 0 . 0 ... 0 @vmlaldav
+}
+
+{
+  VMLSDAV1110 1110   ... . ... . 1110 . 0 . 0 ... 1 @vmladav
+  VMLSLDAV   1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 1 @vmlaldav
+}
+
+{
+  VMLSDAV 1110   ... 0 ... . 1110 . 0 . 0 ... 1 @vmladav_nosz
+  VRMLSLDAVH  1110 1 ... ... 0 ... . 1110 . 0 . 0 ... 1 @vmlaldav_nosz
+}
+
+VMLADAV_S1110 1110   ... 0 ... .  . 0 . 0 ... 1 @vmladav_nosz
+VMLADAV_U 1110   ... 0 ... .  . 0 . 0 ... 1 @vmladav_nosz
 
 {
   VMAXV_S1110 1110 1110  .. 10    0 0 . 0 ... 0 @vmaxv
   VMINV_S1110 1110 1110  .. 10    1 0 . 0 ... 0 @vmaxv
   VMAXAV 1110 1110 1110  .. 00    0 0 . 0 ... 0 @vmaxv
   VMINAV 1110 1110 1110  .. 00    1 0 . 0 ... 0 @vmaxv
+  VMLADAV_S  1110 1110   ... 0 ... .  . 0 . 0 ... 0 @vmladav_nosz
   VRMLALDAVH_S   1110 1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
 }
 
 {
   VMAXV_U 1110 1110  .. 10    0 0 . 0 ... 0 @vmaxv
   VMINV_U 1110 1110  .. 10    1 0 . 0 ... 0 @vmaxv
+  VMLADAV_U   1110   ... 0 ... .  . 0 . 0 ... 0 @vmladav_nosz
   VRMLALDAVH_U    1110 1 ... 

[PATCH for-6.2 14/34] target/arm: Implement MVE integer vector comparisons

2021-07-13 Thread Peter Maydell
Implement the MVE integer vector comparison instructions.  These are
"VCMP (vector)" encodings T1, T2 and T3, and "VPT (vector)" encodings
T1, T2 and T3.

These insns compare corresponding elements in each vector, and update
the VPR.P0 predicate bits with the results of the comparison.  VPT
also sets the VPR.MASK01 and VPR.MASK23 fields -- it is effectively
"VCMP then VPST".

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 32 ++
 target/arm/mve.decode  | 18 +++-
 target/arm/mve_helper.c| 56 ++
 target/arm/translate-mve.c | 47 
 4 files changed, 152 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 54b252e98af..e89238eac9d 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -484,3 +484,35 @@ DEF_HELPER_FLAGS_3(mve_uqshl, TCG_CALL_NO_RWG, i32, env, 
i32, i32)
 DEF_HELPER_FLAGS_3(mve_sqshl, TCG_CALL_NO_RWG, i32, env, i32, i32)
 DEF_HELPER_FLAGS_3(mve_uqrshl, TCG_CALL_NO_RWG, i32, env, i32, i32)
 DEF_HELPER_FLAGS_3(mve_sqrshr, TCG_CALL_NO_RWG, i32, env, i32, i32)
+
+DEF_HELPER_FLAGS_3(mve_vcmpeqb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpeqh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpeqw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpneb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpneh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpnew, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpcsb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpcsh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpcsw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmphib, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmphih, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmphiw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpgeb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpgeh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpgew, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpltb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmplth, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpltw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpgtb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpgth, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpgtw, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vcmpleb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmpleh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vcmplew, TCG_CALL_NO_WG, void, env, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 88c9c18ebf1..76bbf9a6136 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -37,6 +37,7 @@
 &2shift qd qm shift size
  qd rn size imm
  qd rn rm size imm
+ qm qn size mask
 
 @vldr_vstr ... . . . . l:1 rn:4 ... .. imm:7 _vstr qd=%qd u=0
 # Note that both Rn and Qd are 3 bits only (no D bit)
@@ -86,6 +87,10 @@
 @2_shr_w   .. 1 .     &2shift qd=%qd qm=%qm \
  size=2 shift=%rshift_i5
 
+# Vector comparison; 4-bit Qm but 3-bit Qn
+%mask_22_13  22:1 13:3
+@vcmp  .. size:2 qn:3 .      qm=%qm 
mask=%mask_22_13
+
 # Vector loads and stores
 
 # Widening loads and narrowing stores:
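Review bot: `%mask_22_13` now sits under the "Vector comparison" comment next to `@vcmp`, but the `VPST` pattern further down still uses `mask=%mask_22_13`. Giving the field its own one-line comment, or keeping it in a shared field section, would make it clear that it is not private to the comparison format.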
@@ -345,7 +350,6 @@ VQRDMULH_scalar   1110 0 . .. ... 1 ... 0 1110 . 110 
 @2scalar
 }
 
 # Predicate operations
-%mask_22_13  22:1 13:3
 VPST  1110 0 . 11 000 1 ... 0  0100 1101 mask=%mask_22_13
 
 # Logical immediate operations (1 reg and modified-immediate)
@@ -458,3 +462,15 @@ VQRSHRUNT 111 1 1110 1 . ... ... ... 1  1 1 . 
0 ... 0 @2_shr_b
 VQRSHRUNT 111 1 1110 1 . ... ... ... 1  1 1 . 0 ... 0 @2_shr_h
 
 VSHLC 111 0 1110 1 . 1 imm:5 ... 0  1100 rdm:4 qd=%qd
+
+# Comparisons. We expand out the conditions which are split across
+# encodings T1, T2, T3 and the fc bits. These include VPT, which is
+# effectively "VCMP then VPST". A plain "VCMP" has a mask field of zero.
+VCMPEQ 1110 0 . .. ... 1 ... 0  0 0 . 0 ... 0 @vcmp
+VCMPNE 1110 0 . .. ... 1 ... 0  1 0 . 0 ... 0 @vcmp
+VCMPCS 1110 0 . .. ... 1 ... 0  0 0 . 0 ... 1 @vcmp
+VCMPHI 1110 0 . .. ... 1 ... 0  1 0 . 0 ... 1 @vcmp
+VCMPGE 1110 0 . .. ... 1 ... 1  0 0 . 0 ... 0 @vcmp
+VCMPLT 1110 0 . .. ... 1 ... 1  1 0 . 0 ... 0 @vcmp
+VCMPGT 1110 0 . .. ... 1 ... 1  0 0 . 0 ... 1 @vcmp
+VCMPLE 1110 0 . .. ... 1 ... 1  1 0 . 0 ... 1 @vcmp
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 

[PATCH for-6.2 31/34] target/arm: Implement MVE VCTP

2021-07-13 Thread Peter Maydell
Implement the MVE VCTP insn, which sets the VPR.P0 predicate bits so
that any element at index Rn or greater is predicated.  As
with VPNOT, this insn itself is predicable and subject to beatwise
execution.

The calculation of the mask is the same as is used to determine
ltpmask in mve_element_mask(), but we precalculate masklen in
generated code to avoid having to have 4 helpers specialized by size.

We put the decode line in with the low-overhead-loop insns in
t32.decode because it's logically part of that collection of insn
patterns, even though it is an MVE only insn.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  2 ++
 target/arm/translate-a32.h |  1 +
 target/arm/t32.decode  |  1 +
 target/arm/mve_helper.c| 20 
 target/arm/translate-mve.c |  2 +-
 target/arm/translate.c | 33 +
 6 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 5844bb891ed..55f9151ccbf 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -125,6 +125,8 @@ DEF_HELPER_FLAGS_4(mve_veor, TCG_CALL_NO_WG, void, env, 
ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vpsel, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_1(mve_vpnot, TCG_CALL_NO_WG, void, env)
 
+DEF_HELPER_FLAGS_2(mve_vctp, TCG_CALL_NO_WG, void, env, i32)
+
 DEF_HELPER_FLAGS_4(mve_vaddb, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vaddh, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vaddw, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
diff --git a/target/arm/translate-a32.h b/target/arm/translate-a32.h
index 6f4d65ddb00..88f15df60e8 100644
--- a/target/arm/translate-a32.h
+++ b/target/arm/translate-a32.h
@@ -48,6 +48,7 @@ long neon_element_offset(int reg, int element, MemOp memop);
 void gen_rev16(TCGv_i32 dest, TCGv_i32 var);
 void clear_eci_state(DisasContext *s);
 bool mve_eci_check(DisasContext *s);
+void mve_update_eci(DisasContext *s);
 void mve_update_and_store_eci(DisasContext *s);
 bool mve_skip_vmov(DisasContext *s, int vn, int index, int size);
 
diff --git a/target/arm/t32.decode b/target/arm/t32.decode
index 2d47f31f143..78fadef9d62 100644
--- a/target/arm/t32.decode
+++ b/target/arm/t32.decode
@@ -748,5 +748,6 @@ BL    0. .. 11.1    
  @branch24
   # This is DLSTP
   DLS 0  0 size:2 rn:4 1110   0001
 }
+VCTP  0  0 size:2 rn:4 1110 1000  0001
   ]
 }
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 6efb3c69636..210e70d1727 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -2231,6 +2231,26 @@ void HELPER(mve_vpnot)(CPUARMState *env)
 mve_advance_vpt(env);
 }
 
+/*
+ * VCTP: P0 unexecuted bits unchanged, predicated bits zeroed,
+ * otherwise set according to value of Rn. The calculation of
+ * newmask here works in the same way as the calculation of the
+ * ltpmask in mve_element_mask(), but we have pre-calculated
+ * the masklen in the generated code.
+ */
+void HELPER(mve_vctp)(CPUARMState *env, uint32_t masklen)
+{
+uint16_t mask = mve_element_mask(env);
+uint16_t eci_mask = mve_eci_mask(env);
+uint16_t newmask;
+
+assert(masklen <= 16);
+newmask = masklen ? MAKE_64BIT_MASK(0, masklen) : 0;
+newmask &= mask;
+env->v7m.vpr = (env->v7m.vpr & ~(uint32_t)eci_mask) | (newmask & eci_mask);
+mve_advance_vpt(env);
+}
+
 #define DO_1OP_SAT(OP, ESIZE, TYPE, FN) \
 void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm) \
 {   \
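Review bot: `newmask = masklen ? MAKE_64BIT_MASK(0, masklen) : 0;` repeats the zero-length special case that, per the comment above the helper, `mve_element_mask()` also needs for ltpmask. A small shared inline helper taking `masklen` would keep the `assert(masklen <= 16)` and the zero guard in one place.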
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index be961864ada..be5a3e1a1f5 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -93,7 +93,7 @@ bool mve_eci_check(DisasContext *s)
 }
 }
 
-static void mve_update_eci(DisasContext *s)
+void mve_update_eci(DisasContext *s)
 {
 /*
  * The helper function will always update the CPUState field,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 28e478927df..e0b0cabc39f 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -8677,6 +8677,39 @@ static bool trans_LCTP(DisasContext *s, arg_LCTP *a)
 return true;
 }
 
+static bool trans_VCTP(DisasContext *s, arg_VCTP *a)
+{
+/*
+ * M-profile Create Vector Tail Predicate. This insn is itself
+ * predicated and is subject to beatwise execution.
+ */
+TCGv_i32 rn_shifted, masklen;
+
+if (!dc_isar_feature(aa32_mve, s) || a->rn == 13 || a->rn == 15) {
+return false;
+}
+
+if (!mve_eci_check(s) || !vfp_access_check(s)) {
+return true;
+}
+
+/*
+ * We pre-calculate the mask length here to avoid having
+ * to have multiple helpers specialized for size.
+ * We pass the helper "rn <= (1 << (4 - size)) ? (rn << 

[PATCH for-6.2 33/34] target/arm: Implement MVE scatter-gather immediate forms

2021-07-13 Thread Peter Maydell
Implement the MVE VLDR/VSTR insns which do scatter-gather using base
addresses from Qm plus or minus an immediate offset (possibly with
writeback). Note that writeback is not predicated but it does have
to honour ECI state, so we have to add an eci_mask check to the
VSTR_SG macros (the VLDR_SG macros already needed this to be able
to distinguish "skip beat" from "set predicated element to 0").

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  5 +++
 target/arm/mve.decode  | 10 +
 target/arm/mve_helper.c| 91 --
 target/arm/translate-mve.c | 66 +++
 4 files changed, 140 insertions(+), 32 deletions(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 9c570270c61..16799b110fd 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -65,6 +65,11 @@ DEF_HELPER_FLAGS_4(mve_vstrh_sg_os_uw, TCG_CALL_NO_WG, void, 
env, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(mve_vstrw_sg_os_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 DEF_HELPER_FLAGS_4(mve_vstrd_sg_os_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 
+DEF_HELPER_FLAGS_4(mve_vldrw_sg_wb_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vldrd_sg_wb_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vstrw_sg_wb_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vstrd_sg_wb_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+
 DEF_HELPER_FLAGS_3(mve_vdup, TCG_CALL_NO_WG, void, env, ptr, i32)
 
 DEF_HELPER_FLAGS_4(mve_vidupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index b0e39f36723..76e9b9c721c 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -43,6 +43,7 @@
  qm rda size
  qn qm rda size
 _sg qd qm rn size msize os
+_sg_imm qd qm a w imm
 
 # scatter-gather memory size is in bits 6:4
 %sg_msize 6:1 4:1
@@ -54,6 +55,10 @@
 @vldst_sg    rn:4  ... size:2 ... ... os:1 _sg \
   qd=%qd qm=%qm msize=%sg_msize
 
+# Qm is in the fields usually labeled Qn
+@vldst_sg_imm   a:1 . w:1 .    . imm:7 _sg_imm \
+  qd=%qd qm=%qn
+
 @1op    size:2 ..     &1op qd=%qd qm=%qm
 @1op_nosz         &1op qd=%qd qm=%qm size=0
 @2op   .. size:2      &2op qd=%qd qm=%qm qn=%qn
@@ -148,6 +153,11 @@ VLDR_S_sg111 0 1100 1 . 01  ... 0 111 .  
 @vldst_sg
 VLDR_U_sg111 1 1100 1 . 01  ... 0 111 .   @vldst_sg
 VSTR_sg  111 0 1100 1 . 00  ... 0 111 .   @vldst_sg
 
+VLDRW_sg_imm 111 1 1101 ... 1 ... 0 ... 1 1110   @vldst_sg_imm
+VLDRD_sg_imm 111 1 1101 ... 1 ... 0 ... 1    @vldst_sg_imm
+VSTRW_sg_imm 111 1 1101 ... 0 ... 0 ... 1 1110   @vldst_sg_imm
+VSTRD_sg_imm 111 1 1101 ... 0 ... 0 ... 1    @vldst_sg_imm
+
 # Moves between 2 32-bit vector lanes and 2 general purpose registers
 VMOV_to_2gp  1110 1100 0 . 00 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
 VMOV_from_2gp1110 1100 0 . 01 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 36592b88372..293c0e11819 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -220,7 +220,7 @@ DO_VSTR(vstrh_w, 2, stw, 4, int32_t)
  * For loads, predicated lanes are zeroed instead of retaining
  * their previous values.
  */
-#define DO_VLDR_SG(OP, LDTYPE, ESIZE, TYPE, OFFTYPE, ADDRFN)\
+#define DO_VLDR_SG(OP, LDTYPE, ESIZE, TYPE, OFFTYPE, ADDRFN, WB)\
 void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm, \
   uint32_t base)\
 {   \
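Review bot: `DO_VLDR_SG` gains a `WB` parameter, but the comment above the macro still only describes how predicated lanes are handled. Add a line saying that `WB` selects writeback of the computed address into the `vm` element.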
@@ -237,25 +237,35 @@ DO_VSTR(vstrh_w, 2, stw, 4, int32_t)
 addr = ADDRFN(base, m[H##ESIZE(e)]);\
 d[H##ESIZE(e)] = (mask & 1) ?   \
 cpu_##LDTYPE##_data_ra(env, addr, GETPC()) : 0; \
+if (WB) {   \
+m[H##ESIZE(e)] = addr;  \
+}   \
 }   \
 mve_advance_vpt(env);   \
 }
 
 /* We know here TYPE is unsigned so always the same as the offset type */
-#define DO_VSTR_SG(OP, STTYPE, ESIZE, TYPE, ADDRFN) \
+#define DO_VSTR_SG(OP, STTYPE, ESIZE, TYPE, ADDRFN, WB) \
 void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm, \
   uint32_t base)\
 {   \
 

[PATCH for-6.2 26/34] target/arm: Implement MVE saturating doubling multiply accumulates

2021-07-13 Thread Peter Maydell
Implement the MVE saturating doubling multiply accumulate insns
VQDMLAH, VQRDMLAH, VQDMLASH and VQRDMLASH.  These perform a multiply,
double, add the accumulator shifted by the element size, possibly
round, saturate to twice the element size, then take the high half of
the result.  The *MLAH insns do vector * scalar + vector, and the
*MLASH insns do vector * vector + scalar.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 16 +++
 target/arm/mve.decode  |  5 ++
 target/arm/mve_helper.c| 95 ++
 target/arm/translate-mve.c |  4 ++
 4 files changed, 120 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 50b34c601e1..e61c5d56f41 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -387,6 +387,22 @@ DEF_HELPER_FLAGS_4(mve_vmlasub, TCG_CALL_NO_WG, void, env, 
ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(mve_vmlasuh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(mve_vmlasuw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(mve_vqdmlahb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqdmlahh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqdmlahw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vqrdmlahb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqrdmlahh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqrdmlahw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vqdmlashb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqdmlashh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqdmlashw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vqrdmlashb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqrdmlashh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vqrdmlashw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(mve_vmlaldavsh, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vmlaldavsw, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vmlaldavxsh, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 2e2df61c860..99cea8d39b6 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -418,6 +418,11 @@ VMLA_U    1110 0 . .. ... 1 ... 0 1110 . 100 
 @2scalar
 VMLAS_S  1110 1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
 VMLAS_U   1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
 
+VQRDMLAH 1110 1110 0 . .. ... 0 ... 0 1110 . 100  @2scalar
+VQRDMLASH1110 1110 0 . .. ... 0 ... 1 1110 . 100  @2scalar
+VQDMLAH  1110 1110 0 . .. ... 0 ... 0 1110 . 110  @2scalar
+VQDMLASH 1110 1110 0 . .. ... 0 ... 1 1110 . 110  @2scalar
+
 # Vector add across vector
 {
   VADDV  111 u:1 1110  size:2 01 ... 0  0 0 a:1 0 qm:3 0 
rda=%rdalo
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 91c0add8da7..1013060baeb 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -971,6 +971,28 @@ DO_VQDMLADH_OP(vqrdmlsdhxw, 4, int32_t, 1, 1, 
do_vqdmlsdh_w)
 mve_advance_vpt(env);   \
 }
 
+#define DO_2OP_SAT_ACC_SCALAR(OP, ESIZE, TYPE, FN)  \
+void HELPER(glue(mve_, OP))(CPUARMState *env, void *vd, void *vn,   \
+uint32_t rm)\
+{   \
+TYPE *d = vd, *n = vn;  \
+TYPE m = rm;\
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+bool qc = false;\
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+bool sat = false;   \
+mergemask([H##ESIZE(e)],  \
+  FN(d[H##ESIZE(e)], n[H##ESIZE(e)], m, ),  \
+  mask);\
+qc |= sat & mask & 1;   \
+}   \
+if (qc) {   \
+env->vfp.qc[0] = qc;\
+}   \
+mve_advance_vpt(env);   \
+}
+
 /* provide unsigned 2-op scalar helpers for all sizes */
 #define DO_2OP_SCALAR_U(OP, FN) \
 DO_2OP_SCALAR(OP##b, 1, uint8_t, FN)\
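Review bot: `DO_2OP_SAT_ACC_SCALAR` has no comment describing the contract of `FN`, which here receives the destination element first, then the `n` element and the scalar `m`. Since the commit message distinguishes the operand roles of the *MLAH and *MLASH insns, a comment stating which argument is the accumulator would help.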

[PATCH for-6.2 32/34] target/arm: Implement MVE scatter-gather insns

2021-07-13 Thread Peter Maydell
Implement the MVE gather-loads and scatter-stores which
form the address by adding a base value from a scalar
register to an offset in each element of a vector.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  32 +
 target/arm/mve.decode  |  12 
 target/arm/mve_helper.c| 129 +
 target/arm/translate-mve.c |  91 ++
 4 files changed, 264 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 55f9151ccbf..9c570270c61 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -33,6 +33,38 @@ DEF_HELPER_FLAGS_3(mve_vstrb_h, TCG_CALL_NO_WG, void, env, 
ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vstrb_w, TCG_CALL_NO_WG, void, env, ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vstrh_w, TCG_CALL_NO_WG, void, env, ptr, i32)
 
+DEF_HELPER_FLAGS_4(mve_vldrb_sg_sh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrb_sg_sw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_sw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vldrb_sg_ub, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrb_sg_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrb_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrw_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vldrd_sg_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vstrb_sg_ub, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrb_sg_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrb_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrh_sg_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrh_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrw_sg_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vstrd_sg_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_os_sw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_os_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vldrh_sg_os_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vldrw_sg_os_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vldrd_sg_os_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+
+DEF_HELPER_FLAGS_4(mve_vstrh_sg_os_uh, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vstrh_sg_os_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vstrw_sg_os_uw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+DEF_HELPER_FLAGS_4(mve_vstrd_sg_os_ud, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
+
 DEF_HELPER_FLAGS_3(mve_vdup, TCG_CALL_NO_WG, void, env, ptr, i32)
 
 DEF_HELPER_FLAGS_4(mve_vidupb, TCG_CALL_NO_WG, i32, env, ptr, i32, i32)
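Review bot: the new helper declarations encode three things in their names (the `_sg_` versus `_sg_os_` infix, then a sign letter and an element-size letter) and nothing in the hunk explains the scheme. A two-line comment above the block would do, in particular saying what `_os_` stands for and why there is no `vldrb_sg_os_*` or `vstrb_sg_os_*` variant.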
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 82dc07bc30e..b0e39f36723 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -42,11 +42,18 @@
 _scalar qda rm size
  qm rda size
  qn qm rda size
+_sg qd qm rn size msize os
+
+# scatter-gather memory size is in bits 6:4
+%sg_msize 6:1 4:1
 
 @vldr_vstr ... . . . . l:1 rn:4 ... .. imm:7 _vstr qd=%qd u=0
 # Note that both Rn and Qd are 3 bits only (no D bit)
 @vldst_wn ... u:1 ... . . . . l:1 . rn:3 qd:3 . ... .. imm:7 _vstr
 
+@vldst_sg    rn:4  ... size:2 ... ... os:1 _sg \
+  qd=%qd qm=%qm msize=%sg_msize
+
 @1op    size:2 ..     &1op qd=%qd qm=%qm
 @1op_nosz         &1op qd=%qd qm=%qm size=0
 @2op   .. size:2      &2op qd=%qd qm=%qm qn=%qn
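Review bot: the comment "scatter-gather memory size is in bits 6:4" reads as a three-bit range, but `%sg_msize 6:1 4:1` assembles the field from two single bits, bit 6 and bit 4, and skips bit 5. Rewording it to "bits 6 and 4" avoids a reader assuming bit 5 is part of msize.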
@@ -136,6 +143,11 @@ VLDR_VSTR1110110 1 a:1 . w:1 .  ... 01 
...   @vldr_vstr \
 VLDR_VSTR1110110 1 a:1 . w:1 .  ... 10 ...   @vldr_vstr \
  size=2 p=1
 
+# gather loads/scatter stores
+VLDR_S_sg111 0 1100 1 . 01  ... 0 111 .   @vldst_sg
+VLDR_U_sg111 1 1100 1 . 01  ... 0 111 .   @vldst_sg
+VSTR_sg  111 0 1100 1 . 00  ... 0 111 .   @vldst_sg
+
 # Moves between 2 32-bit vector lanes and 2 general purpose registers
 VMOV_to_2gp  1110 1100 0 . 00 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
 VMOV_from_2gp1110 1100 0 . 01 rt2:4 ... 0  000 idx:1 rt:4 qd=%qd
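Review bot: all three patterns share @vldst_sg, which hands size, msize and os to the translator as free fields, and nothing in these lines rejects combinations that make no sense for a load or store (for example a memory size wider than the element size). If those are filtered in the trans_ functions, a comment here saying so would make the decode file readable on its own.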
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 210e70d1727..36592b88372 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -213,6 +213,135 @@ DO_VSTR(vstrh_w, 2, stw, 4, int32_t)
 #undef DO_VLDR
 #undef DO_VSTR
 
+/*
+ * Gather loads/scatter stores. Here each element of Qm specifies
+ * an offset to use from the base register Rm. In the 
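Review bot: the new comment calls the base register Rm ("an offset to use from the base register Rm"), but the decode format added in this same patch names that field rn (`_sg qd qm rn size msize os`, and `rn:4` in @vldst_sg). Please use Rn in the comment so it matches the decode.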

[PULL 00/12] Linux user for 6.1 patches

2021-07-13 Thread Laurent Vivier
The following changes since commit bd38ae26cea0d1d6a97f930248df149204c210a2:

  Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210710' into 
staging (2021-07-12 11:02:39 +0100)

are available in the Git repository at:

  git://github.com/vivier/qemu.git tags/linux-user-for-6.1-pull-request

for you to fetch changes up to 2fa4ad3f9000c385f71237984fdd1eefe2a91900:

  linux-user: update syscall.tbl to Linux v5.13 (2021-07-13 13:59:59 +0200)


Linux-user pull request 20210713

Update headers to linux v5.13
cleanup errno target headers
Fix race condition on fd translation table



Laurent Vivier (3):
  linux-user: update syscall_nr.h to Linux v5.13
  linux-user, mips: update syscall-args-o32.c.inc to Linux v5.13
  linux-user: update syscall.tbl to Linux v5.13

Owen Anderson (1):
  fd-trans: Fix race condition on reallocation of the translation table.

Philippe Mathieu-Daudé (8):
  linux-user/syscall: Fix RF-kill errno (typo in ERFKILL)
  linux-user/sparc: Rename target_errno.h -> target_errno_defs.h
  linux-user: Extract target errno to 'target_errno_defs.h'
  linux-user/alpha: Move errno definitions to 'target_errno_defs.h'
  linux-user/hppa: Move errno definitions to 'target_errno_defs.h'
  linux-user/mips: Move errno definitions to 'target_errno_defs.h'
  linux-user: Simplify host <-> target errno conversion using macros
  linux-user/syscall: Remove ERRNO_TABLE_SIZE check

 linux-user/aarch64/syscall_nr.h   |   8 +-
 linux-user/aarch64/target_errno_defs.h|   7 +
 linux-user/alpha/syscall.tbl  |   7 +
 linux-user/alpha/target_errno_defs.h  | 204 
 linux-user/alpha/target_syscall.h | 194 ---
 linux-user/arm/syscall.tbl|   7 +
 linux-user/arm/target_errno_defs.h|   7 +
 linux-user/cris/target_errno_defs.h   |   7 +
 linux-user/errnos.c.inc   | 140 +++
 linux-user/fd-trans.c |   1 +
 linux-user/fd-trans.h |  55 -
 .../target_errno_defs.h}  |   4 +-
 linux-user/hexagon/syscall_nr.h   |  12 +-
 linux-user/hexagon/target_errno_defs.h|   7 +
 linux-user/hppa/syscall.tbl   |  31 ++-
 linux-user/hppa/target_errno_defs.h   | 220 +
 linux-user/hppa/target_syscall.h  | 210 -
 linux-user/i386/syscall_32.tbl|  21 +-
 linux-user/i386/target_errno_defs.h   |   7 +
 linux-user/m68k/syscall.tbl   |   7 +
 linux-user/m68k/target_errno_defs.h   |   7 +
 linux-user/main.c |   3 +
 linux-user/microblaze/syscall.tbl |   7 +
 linux-user/microblaze/target_errno_defs.h |   7 +
 linux-user/mips/syscall-args-o32.c.inc|   5 +-
 linux-user/mips/syscall_o32.tbl   |  19 +-
 linux-user/mips/target_errno_defs.h   | 221 ++
 linux-user/mips/target_syscall.h  | 211 -
 linux-user/mips64/syscall_n32.tbl |  19 +-
 linux-user/mips64/syscall_n64.tbl |   7 +
 linux-user/mips64/target_errno_defs.h |  10 +
 linux-user/mips64/target_syscall.h| 211 -
 linux-user/nios2/syscall_nr.h |   8 +-
 linux-user/nios2/target_errno_defs.h  |   7 +
 linux-user/openrisc/syscall_nr.h  |   8 +-
 linux-user/openrisc/target_errno_defs.h   |   7 +
 linux-user/ppc/syscall.tbl|  39 ++--
 linux-user/ppc/target_errno_defs.h|   7 +
 linux-user/riscv/syscall32_nr.h   |   8 +-
 linux-user/riscv/syscall64_nr.h   |   8 +-
 linux-user/riscv/target_errno_defs.h  |   7 +
 linux-user/s390x/syscall.tbl  |  19 +-
 linux-user/s390x/target_errno_defs.h  |   7 +
 linux-user/safe-syscall.S |   2 +-
 linux-user/sh4/syscall.tbl|   7 +
 linux-user/sh4/target_errno_defs.h|   7 +
 linux-user/sparc/syscall.tbl  |  19 +-
 .../{target_errno.h => target_errno_defs.h}   |  11 +-
 linux-user/sparc/target_syscall.h |   2 -
 linux-user/syscall.c  | 164 ++---
 linux-user/syscall_defs.h |   2 +-
 linux-user/x86_64/syscall_64.tbl  |  27 ++-
 linux-user/x86_64/target_errno_defs.h |   7 +
 linux-user/xtensa/syscall.tbl |   7 +
 linux-user/xtensa/target_errno_defs.h |   7 +
 scripts/update-mips-syscall-args.sh   |  13 +-
 56 files changed, 1205 insertions(+), 1078 deletions(-)
 create mode 100644 linux-user/aarch64/target_errno_defs.h
 create mode 100644 linux-user/alpha/target_errno_defs.h
 create mode 100644 li

Re: [PULL 00/22] Crypto and more patches

2021-07-13 Thread Peter Maydell
On Tue, 13 Jul 2021 at 14:45, Daniel P. Berrangé  wrote:
> Can you confirm what version of gnutls and nettle you have installed
> and what distro this is

Debian GNU/Linux 11 (bullseye)
libgnutls28-dev:ppc64  3.7.1-5
libgnutls30:ppc64  3.7.1-5
nettle-dev:ppc64   3.7.3-1
libnettle8:ppc64   3.7.3-1

(If you happen to have an account on the gcc compilefarm, it's
machine gcc203.)

thanks
-- PMM



Re: [PATCH 0/3] Atomic cleanup + clang-12 build fix

2021-07-13 Thread Richard Henderson

On 7/12/21 5:37 PM, Richard Henderson wrote:

On 7/12/21 2:30 PM, Cole Robinson wrote:

On 7/12/21 11:59 AM, Richard Henderson wrote:

The first two patches are not strictly required, but they
were useful in tracking down the root problem here.

I understand the logic behind the clang-12 warning, but I think
it's a clear mistake that it should be enabled by default for a
target where alignment is not enforced by default.

I found over a dozen places where we would have to manually add
QEMU_ALIGNED(8) to uint64_t declarations in order to suppress
all of the instances.  IMO there's no point fighting this.



I tested your patches, they seem to get rid of the warnings. The errors
persist.

FWIW here's my reproduce starting from fedora 34 x86_64 host:

$ sudo mock --root fedora-35-i386 --install dnf --install dnf-utils
--install fedora-packager --install clang
$ sudo mock --root fedora-35-i386 --shell --enable-network
# dnf builddep -y qemu
# git clone https://github.com/qemu/qemu
# cd qemu
# CC=clang CXX=clang++ ./configure --disable-werror
# make V=1


Ho hum.  So, the warnings are where clang has decided to insert calls to 
libatomic.

So we either have to

(1) work around all of the places, which, unless we set up an i386 clang-12 builder will 
quickly bitrot, or


Update: (1) is out.  There's a warning in cputlb.c vs a pointer that's known to be 
aligned, and it still fires.  I have filed a bug:


  https://bugs.llvm.org/show_bug.cgi?id=51076



(2) write our own routines, compatible with libatomic, using cmpxchg8b directly, which 
requires no (extra) locking, and so is compatible with the tcg jit output, or


(3) file a bug with clang, and document "use clang-11 and not clang-12".


So, Cole, with respect to (3), is this just general regression testing that discovered 
this (in which case, yay) or is there some other reason clang is required?


Assuming that (3) isn't really viable long term, I guess (2) is the only viable 
option.

Thoughts?


r~



[PULL v2 0/4] Fuzzing Patches

2021-07-13 Thread Alexander Bulekov
Hello Paolo,

The following changes since commit 711c0418c8c1ce3a24346f058b001c4c5a2f0f81:

  Merge remote-tracking branch 'remotes/philmd/tags/mips-20210702' into staging 
(2021-07-04 14:04:12 +0100)

are available in the Git repository at:

  https://gitlab.com/a1xndr/qemu tags/pull-request-2021-07-13

for you to fetch changes up to 6dd98f1ee0253a57498010ea54f45609552d729c:

  fuzz: add an instrumentation filter (2021-07-13 10:56:13 -0400)


Fuzzing PR for 6.1:

 * Bug-fixes 
 * Refined timeout mechanism
 * Selective coverage instrumentation


Alexander Bulekov (4):
  fuzz: fix sparse memory access in the DMA callback
  fuzz: adjust timeout to allow for longer inputs
  fuzz: make object-name matching case-insensitive
  fuzz: add an instrumentation filter

 configure| 28 
++--
 scripts/oss-fuzz/instrumentation-filter-template | 15 +++
 tests/qtest/fuzz/generic_fuzz.c  | 50 
+++---
 3 files changed, 76 insertions(+), 17 deletions(-)
 create mode 100644 scripts/oss-fuzz/instrumentation-filter-template

-- 
2.28.0




[PULL v2 1/4] fuzz: fix sparse memory access in the DMA callback

2021-07-13 Thread Alexander Bulekov
The code mistakenly relied on address_space_translate to store the
length remaining until the next memory-region. We care about this
because when there is RAM or sparse-memory neighboring on an MMIO
region, we should only write up to the border, to prevent inadvertently
invoking MMIO handlers within the DMA callback.

However address_space_translate_internal only stores the length until
the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise
the *len is left unmodified. This caused some false-positive issues,
where the fuzzer found a way to perform a nested MMIO write through a
DMA callback on an [address, length] that started within sparse memory
and spanned some device MMIO regions.

To fix this, write to sparse memory in small chunks of
memory_access_size (similar to the underlying address_space_write code),
which will prevent accidentally hitting MMIO handlers through large
writes.

Signed-off-by: Alexander Bulekov 
Reviewed-by: Darren Kenny 
Reviewed-by: Philippe Mathieu-Daudé 
---
 tests/qtest/fuzz/generic_fuzz.c | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 6c67522717..0ea47298b7 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -240,10 +240,17 @@ void fuzz_dma_read_cb(size_t addr, size_t len, 
MemoryRegion *mr)
   addr, , , true,
   MEMTXATTRS_UNSPECIFIED);
 
-if (!(memory_region_is_ram(mr1) ||
-  memory_region_is_romd(mr1)) && mr1 != sparse_mem_mr) {
+/*
+ *  If mr1 isn't RAM, address_space_translate doesn't update l. Use
+ *  memory_access_size to identify the number of bytes that it is safe
+ *  to write without accidentally writing to another MemoryRegion.
+ */
+if (!memory_region_is_ram(mr1)) {
 l = memory_access_size(mr1, l, addr1);
-} else {
+}
+if (memory_region_is_ram(mr1) ||
+memory_region_is_romd(mr1) ||
+mr1 == sparse_mem_mr) {
 /* ROM/RAM case */
 if (qtest_log_enabled) {
 /*
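Review bot: the first new `if (!memory_region_is_ram(mr1))` clamps l with memory_access_size() for every non-RAM region, which now includes ROMD regions as well as sparse_mem_mr; before this change both went through the else branch with the full length. The commit message only motivates the chunking for sparse memory, so please say whether the ROMD change is intended. The context comment "/* ROM/RAM case */" also no longer describes the branch it sits in, since that branch is taken for sparse memory too.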
-- 
2.28.0
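The failure mode this commit message describes, as a small stand-alone C model added here (not code from the patch or from QEMU). The region layout is constructed, and `translate()`, `access_size()`, `bus_write()` and `dma_fill()` are simplified, hypothetical stand-ins for `address_space_translate`, `memory_access_size`, the bus write and the DMA callback.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum kind { K_UNMAPPED, K_RAM, K_SPARSE, K_MMIO };
struct region { uint64_t base, size; enum kind kind; };

/* Constructed layout: sparse memory sits directly below a device's MMIO window. */
static const struct region map[] = {
    { 0x0000, 0x1000, K_RAM },
    { 0x1000, 0x1000, K_SPARSE },
    { 0x2000, 0x0100, K_MMIO },
};

struct fill_result { uint64_t filled; uint64_t mmio_hits; };

static const struct region *find(uint64_t addr)
{
    for (size_t i = 0; i < sizeof(map) / sizeof(map[0]); i++) {
        if (addr >= map[i].base && addr - map[i].base < map[i].size) {
            return &map[i];
        }
    }
    return NULL;
}

/* As in the commit message: *len is clamped to the region end only for RAM. */
static enum kind translate(uint64_t addr, uint64_t *len)
{
    const struct region *r = find(addr);
    if (!r) {
        return K_UNMAPPED;
    }
    if (r->kind == K_RAM) {
        uint64_t left = r->base + r->size - addr;
        if (*len > left) {
            *len = left;
        }
    }
    return r->kind;
}

/* Assumed access-size rule: naturally aligned power of two, at most 4 bytes. */
static uint64_t access_size(uint64_t len, uint64_t addr)
{
    uint64_t sz = 4;
    while (sz > 1 && (sz > len || (addr & (sz - 1)))) {
        sz >>= 1;
    }
    return sz;
}

/* A write is dispatched per byte; bytes landing in MMIO invoke the device. */
static void bus_write(uint64_t addr, uint64_t len, struct fill_result *res)
{
    for (uint64_t i = 0; i < len; i++) {
        const struct region *r = find(addr + i);
        if (r && r->kind == K_MMIO) {
            res->mmio_hits++;
        } else if (r) {
            res->filled++;
        }
    }
}

/* Pattern-fill [addr, addr+len); fixed=0 models the old logic, fixed=1 the new. */
static struct fill_result dma_fill(uint64_t addr, uint64_t len, int fixed)
{
    struct fill_result res = { 0, 0 };
    while (len > 0) {
        uint64_t l = len;
        enum kind k = translate(addr, &l);
        int backed = (k == K_RAM || k == K_SPARSE);
        /* old: clamp only when skipping a device; new: clamp whenever not RAM */
        if (fixed ? (k != K_RAM) : !backed) {
            l = access_size(l, addr);
        }
        if (backed) {
            bus_write(addr, l, &res);
        }
        addr += l;
        len -= l;
    }
    return res;
}

int main(void)
{
    struct fill_result a = dma_fill(0x1FF0, 0x40, 0);
    struct fill_result b = dma_fill(0x1FF0, 0x40, 1);
    printf("old: filled=%llu mmio_hits=%llu\n",
           (unsigned long long)a.filled, (unsigned long long)a.mmio_hits);
    printf("new: filled=%llu mmio_hits=%llu\n",
           (unsigned long long)b.filled, (unsigned long long)b.mmio_hits);
    return 0;
}
```

Both variants fill the same 16 bytes of sparse memory; only the unclamped one carries the write on into the device window.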




Re: [PULL v2 0/4] NBD patches for soft freeze, 2021-07-09

2021-07-13 Thread Peter Maydell
On Mon, 12 Jul 2021 at 18:52, Eric Blake  wrote:
>
> The following changes since commit bd38ae26cea0d1d6a97f930248df149204c210a2:
>
>   Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210710' 
> into staging (2021-07-12 11:02:39 +0100)
>
> are available in the Git repository at:
>
>   https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2021-07-09-v2
>
> for you to fetch changes up to 0b9cd6b947d905b388e84df4070056fad138588e:
>
>   nbd: register yank function earlier (2021-07-12 11:24:00 -0500)
>
> Only sending the altered patch compared to v1
>
> 
> nbd patches for 2021-07-09
>
> - enhance 'qemu-img map --output=json' to make it easier to duplicate
> backing chain allocation patterns
> - fix a race in the 'yank' QMP command in relation to NBD requests
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM



[PULL v2 3/4] fuzz: make object-name matching case-insensitive

2021-07-13 Thread Alexander Bulekov
We have some configs for devices such as the AC97 and ES1370 that were
not matching memory-regions correctly, because the configs provided
lowercase names. To resolve these problems and prevent them from
occurring again in the future, convert both the pattern and names to
lower-case, prior to checking for a match.

Suggested-by: Darren Kenny 
Reviewed-by: Darren Kenny 
Signed-off-by: Alexander Bulekov 
---
 tests/qtest/fuzz/generic_fuzz.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 80eb29bd2d..3e8ce29227 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -758,8 +758,13 @@ static int locate_fuzz_memory_regions(Object *child, void 
*opaque)
 
 static int locate_fuzz_objects(Object *child, void *opaque)
 {
+GString *type_name;
+GString *path_name;
 char *pattern = opaque;
-if (g_pattern_match_simple(pattern, object_get_typename(child))) {
+
+type_name = g_string_new(object_get_typename(child));
+g_string_ascii_down(type_name);
+if (g_pattern_match_simple(pattern, type_name->str)) {
 /* Find and save ptrs to any child MemoryRegions */
 object_child_foreach_recursive(child, locate_fuzz_memory_regions, 
NULL);
 
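Review bot: type_name is a GString built only to lower-case a C string, and it is freed by hand at the end of the function. `g_ascii_strdown()` into a `g_autofree char *` would do the same in one line and drop the explicit `g_string_free()` calls, so an early return added later cannot leak it.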
@@ -776,8 +781,9 @@ static int locate_fuzz_objects(Object *child, void *opaque)
 g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child));
 }
 } else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) {
-if (g_pattern_match_simple(pattern,
-object_get_canonical_path_component(child))) {
+path_name = g_string_new(object_get_canonical_path_component(child));
+g_string_ascii_down(path_name);
+if (g_pattern_match_simple(pattern, path_name->str)) {
 MemoryRegion *mr;
 mr = MEMORY_REGION(child);
 if ((memory_region_is_ram(mr) ||
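Review bot: path_name is declared at function scope without an initialiser (first hunk) but is only assigned and freed inside this else-if branch. Declaring it inside the branch, or initialising it to NULL, keeps a future edit from freeing or reading an unset pointer.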
@@ -786,7 +792,9 @@ static int locate_fuzz_objects(Object *child, void *opaque)
 g_hash_table_insert(fuzzable_memoryregions, mr, 
(gpointer)true);
 }
 }
+g_string_free(path_name, true);
 }
+g_string_free(type_name, true);
 return 0;
 }
 
@@ -814,6 +822,7 @@ static void generic_pre_fuzz(QTestState *s)
 MemoryRegion *mr;
 QPCIBus *pcibus;
 char **result;
+GString *name_pattern;
 
 if (!getenv("QEMU_FUZZ_OBJECTS")) {
 usage();
@@ -843,10 +852,17 @@ static void generic_pre_fuzz(QTestState *s)
 
 result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1);
 for (int i = 0; result[i] != NULL; i++) {
+name_pattern = g_string_new(result[i]);
+/*
+ * Make the pattern lowercase. We do the same for all the MemoryRegion
+ * and Type names so the configs are case-insensitive.
+ */
+g_string_ascii_down(name_pattern);
 printf("Matching objects by name %s\n", result[i]);
 object_child_foreach_recursive(qdev_get_machine(),
 locate_fuzz_objects,
-result[i]);
+name_pattern->str);
+g_string_free(name_pattern, true);
 }
 g_strfreev(result);
 printf("This process will try to fuzz the following MemoryRegions:\n");
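Review bot: the pattern is lowered with g_string_ascii_down(), but the "Matching objects by name" line still prints `result[i]`, so what the user sees is not the string that is actually matched. Printing `name_pattern->str` would make case-related mismatches easier to diagnose. The lowering is ASCII-only, which the new comment could state.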
-- 
2.28.0




Re: [PATCH v4 00/10] tests: Add test cases for TPM 1.2 ACPI tables

2021-07-13 Thread Michael S. Tsirkin
On Mon, Jul 12, 2021 at 04:47:26PM -0400, Stefan Berger wrote:
> This series of patches adds test case for TPM 1.2 ACPI tables.


Acked-by: Michael S. Tsirkin 

Pls feel free to merge through tpm tree.

>   Stefan
> 
> v4:
>   - Added patch 10 that checks for availability of a TPM device model
> using QMP and if not available skips the ACPI table test
> 
> v3:
>   - Define enum TPMVersion for when CONFIG_TPM is not defined
> affected patches 2 and 6
> 
> v2:
>   - Proper handling of renaming of files holding expected ACPI data
> 
> 
> Stefan Berger (10):
>   tests: Rename TestState to TPMTestState
>   tests: Add tpm_version field to TPMTestState and fill it
>   tests: acpi: Prepare for renaming of TPM2 related ACPI files
>   tests: Add suffix 'tpm2' or 'tpm12' to ACPI table files
>   tests: acpi: tpm2: Add the renamed ACPI files and drop old ones
>   tests: tpm: Create TPM 1.2 response in TPM emulator
>   tests: acpi: prepare for new TPM 1.2 related tables
>   tests: acpi: Add test cases for TPM 1.2 with TCPA table
>   tests: acpi: tpm1.2: Add expected TPM 1.2 ACPI blobs
>   tests: Use QMP to check whether a TPM device model is available
> 
>  tests/data/acpi/q35/DSDT.tis.tpm12| Bin 0 -> 8465 bytes
>  .../data/acpi/q35/{DSDT.tis => DSDT.tis.tpm2} | Bin
>  tests/data/acpi/q35/TCPA.tis.tpm12| Bin 0 -> 50 bytes
>  .../data/acpi/q35/{TPM2.tis => TPM2.tis.tpm2} | Bin
>  tests/qtest/bios-tables-test.c|  30 ++---
>  tests/qtest/tpm-crb-test.c|   5 +-
>  tests/qtest/tpm-emu.c |  61 --
>  tests/qtest/tpm-emu.h |  20 +-
>  tests/qtest/tpm-tis-device-test.c |   3 +-
>  tests/qtest/tpm-tis-test.c|   3 +-
>  tests/qtest/tpm-tis-util.c|   2 +-
>  11 files changed, 100 insertions(+), 24 deletions(-)
>  create mode 100644 tests/data/acpi/q35/DSDT.tis.tpm12
>  rename tests/data/acpi/q35/{DSDT.tis => DSDT.tis.tpm2} (100%)
>  create mode 100644 tests/data/acpi/q35/TCPA.tis.tpm12
>  rename tests/data/acpi/q35/{TPM2.tis => TPM2.tis.tpm2} (100%)
> 
> -- 
> 2.31.1
> 
> 




[PULL 1/6] migration/rdma: prevent from double free the same mr

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: Li Zhijian 

backtrace:
'0x75f44ec2 in __ibv_dereg_mr_1_1 (mr=0x7fff1007d390) at 
/home/lizhijian/rdma-core/libibverbs/verbs.c:478
478 void *addr  = mr->addr;
(gdb) bt
 #0  0x75f44ec2 in __ibv_dereg_mr_1_1 (mr=0x7fff1007d390) at 
/home/lizhijian/rdma-core/libibverbs/verbs.c:478
 #1  0x55891fcc in rdma_delete_block (block=, 
rdma=0x7fff38176010) at ../migration/rdma.c:691
 #2  qemu_rdma_cleanup (rdma=0x7fff38176010) at ../migration/rdma.c:2365
 #3  0x558925b0 in qio_channel_rdma_close_rcu (rcu=0x56b8b6c0) at 
../migration/rdma.c:3073
 #4  0x55d652a3 in call_rcu_thread (opaque=opaque@entry=0x0) at 
../util/rcu.c:281
 #5  0x55d5edf9 in qemu_thread_start (args=0x7fffe88bb4d0) at 
../util/qemu-thread-posix.c:541
 #6  0x754c73f9 in start_thread () at /lib64/libpthread.so.0
 #7  0x753f3b03 in clone () at /lib64/libc.so.6 '

Signed-off-by: Li Zhijian 
Message-Id: <20210708144521.1959614-1-lizhij...@cn.fujitsu.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Dr. David Alan Gilbert 
---
 migration/rdma.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/rdma.c b/migration/rdma.c
index 38a099f7ee..5c2d113aa9 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -1143,6 +1143,7 @@ static int qemu_rdma_reg_whole_ram_blocks(RDMAContext 
*rdma)
 
 for (i--; i >= 0; i--) {
 ibv_dereg_mr(local->block[i].mr);
+local->block[i].mr = NULL;
 rdma->total_registrations--;
 }
 
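Review bot: neither the hunk nor the commit message says why `local->block[i].mr = NULL;` is needed in the unwind loop; the message consists of a backtrace only. A sentence stating that qemu_rdma_cleanup() later reaches rdma_delete_block() for the same blocks (frames #1 and #2 of the backtrace) and would deregister the same mr a second time would document the bug, and a short comment next to the new line would keep it from being removed as redundant.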
-- 
2.31.1




[PULL 0/6] migration queue

2021-07-13 Thread Dr. David Alan Gilbert (git)
From: "Dr. David Alan Gilbert" 

The following changes since commit 708f50199b59476ec4b45ebcdf171550086d6292:

  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-07-09-v2' into 
staging (2021-07-13 14:32:20 +0100)

are available in the Git repository at:

  https://gitlab.com/dagrh/qemu.git tags/pull-migration-20210713a

for you to fetch changes up to 63268c4970a5f126cc9af75f3ccb8057abef5ec0:

  migration: Move bitmap_mutex out of migration_bitmap_clear_dirty() 
(2021-07-13 16:21:57 +0100)


Migration pull 2021-07-13


Laurent Vivier (1):
  migration: failover: emit a warning when the card is not fully unplugged

Li Zhijian (1):
  migration/rdma: prevent from double free the same mr

Peter Xu (4):
  migration: Release return path early for paused postcopy
  migration: Don't do migrate cleanup if during postcopy resume
  migration: Clear error at entry of migrate_fd_connect()
  migration: Move bitmap_mutex out of migration_bitmap_clear_dirty()

 migration/migration.c | 41 -
 migration/ram.c   | 13 +++--
 migration/rdma.c  |  1 +
 3 files changed, 48 insertions(+), 7 deletions(-)




Re: [PATCH v3 0/8] dp8393x: fixes and improvements

2021-07-13 Thread Finn Thain
On Mon, 12 Jul 2021, Finn Thain wrote:

> On Sun, 11 Jul 2021, Philippe Mathieu-Daudé wrote:
> 
> > 
> > > If I'm right that the big_endian flag should go away, commit 
> > > b1600ff195 ("hw/mips/jazz: specify correct endian for dp8393x 
> > > device") has already taken mainline in the wrong direction and 
> > > amounts to churn.
> > 
> > > We might figure out with a BE guest image, then remove the endian flag.
> 
> Yes, it's hard to make progress without a BE guest. However, for testing 
> dp8393x we probably don't need a disk image. I think we only need 
> working firmware, since the RISC/os firmware appears to implement BOOTP 
> and TFTP and appears to contain a SONIC driver.

I think we probably can install RISC/os once the firmware can be made to 
work.

The file "RISCos_5.01.iso", found in the Bitsavers archive, contains 
several kernel binaries, one of which is "unix.r4030eb_std".

From the "r4030" in its name, and from the symbol names and string 
constants it contains, this binary appears to have all the drivers for the 
MIPS Magnum 4000.

Re: [PATCH v2 1/3] hw: aspeed_gpio: Fix memory size

2021-07-13 Thread Rashmica Gupta
On Tue, 2021-07-13 at 16:28 +0930, Joel Stanley wrote:
> The macro used to calculate the maximum memory size of the MMIO
> region
> had a mistake, causing all GPIO models to create a mapping of 0x9D8.
> The intent was to have it be 0x9D8 - 0x800.
> 
> This extra size doesn't matter on ast2400 and ast2500, which have a
> 4KB
> region set aside for the GPIO controller.
> 
> On the ast2600 the 3.3V and 1.8V GPIO controllers are 2KB apart, so
> the
> regions would overlap. Worse was the 1.8V controller would map over
> the
> top of the following peripheral, which happens to be the RTC.
> 
> The mmio region used by each device is a maximum of 2KB, so avoid the
> calculations and hard code this as the maximum.
> 
> Fixes: 36d737ee82b2 ("hw/gpio: Add in AST2600 specific
> implementation")
> Signed-off-by: Joel Stanley 

derp. Sorry about that. This looks correct.

Reviewed-by: Rashmica Gupta 
> ---
>  hw/gpio/aspeed_gpio.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/hw/gpio/aspeed_gpio.c b/hw/gpio/aspeed_gpio.c
> index 6ae0116be70b..b3dec4448009 100644
> --- a/hw/gpio/aspeed_gpio.c
> +++ b/hw/gpio/aspeed_gpio.c
> @@ -207,7 +207,6 @@
>  #define GPIO_1_8V_MEM_SIZE    0x9D8
>  #define GPIO_1_8V_REG_ARRAY_SIZE  ((GPIO_1_8V_MEM_SIZE - \
>    GPIO_1_8V_REG_OFFSET) >> 2)
> -#define GPIO_MAX_MEM_SIZE   MAX(GPIO_3_6V_MEM_SIZE,
> GPIO_1_8V_MEM_SIZE)
>  
>  static int aspeed_evaluate_irq(GPIOSets *regs, int gpio_prev_high,
> int gpio)
>  {
> @@ -849,7 +848,7 @@ static void aspeed_gpio_realize(DeviceState *dev,
> Error **errp)
>  }
>  
>  memory_region_init_io(>iomem, OBJECT(s), _gpio_ops, s,
> -    TYPE_ASPEED_GPIO, GPIO_MAX_MEM_SIZE);
> +    TYPE_ASPEED_GPIO, 0x800);
>  
>  sysbus_init_mmio(sbd, >iomem);
>  }
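Review bot: in aspeed_gpio_realize() the region size is now the bare literal `0x800`. The commit message gives the reasoning (each controller's MMIO window is at most 2KB, and on the ast2600 the 3.3V and 1.8V controllers are 2KB apart), but none of that is visible at the call site. A named define with a one-line comment would keep it there.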





[PATCH 3/4] configure: Fix the default setting of the "xen" feature

2021-07-13 Thread Thomas Huth
The "xen" variable should either contain "enabled", "disabled" or
nothing (for auto detection). But when the user currently runs the
configure script with --without-default-features, it gets set to
"no" instead. This does not work as expected, the feature will still
be enabled if the Xen headers are present. Thus set the variable
to "disabled" instead if default_feature switch has been set.

Reported-by: Cole Robinson 
Signed-off-by: Thomas Huth 
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 1974c46f6e..6c7336b763 100755
--- a/configure
+++ b/configure
@@ -311,7 +311,7 @@ vnc_sasl="auto"
 vnc_jpeg="auto"
 vnc_png="auto"
 xkbcommon="auto"
-xen="$default_feature"
+xen=${default_feature:+disabled}
 xen_ctrl_version="$default_feature"
 xen_pci_passthrough="auto"
 linux_aio="$default_feature"
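Review bot: `xen=${default_feature:+disabled}` is terse for a line that changes behaviour; a comment that it expands to "disabled" when default_feature is set and to the empty string (auto-detect) otherwise would help the next reader. The context lines also show `xen_ctrl_version` and `linux_aio` still being assigned the raw `$default_feature`, so it is worth confirming in the commit message that those consumers accept "no", since that is exactly the value that broke xen.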
-- 
2.27.0




Re: [PULL 04/15] RISC-V: Copy the fdt in dram instead of ROM

2021-07-13 Thread Peter Maydell
On Tue, 14 Jul 2020 at 01:44, Alistair Francis  wrote:
>
> From: Atish Patra 
>
> Currently, the fdt is copied to the ROM after the reset vector. The firmware
> has to copy it to DRAM. Instead of this, directly copy the device tree to a
> pre-computed dram address. The device tree load address should be as far as
> possible from kernel and initrd images. That's why it is kept at the end of
> the DRAM or 4GB whichever is lesser.

Hi; Coverity reports an issue in this code (CID 1458136):

> +uint32_t riscv_load_fdt(hwaddr dram_base, uint64_t mem_size, void *fdt)
> +{
> +uint32_t temp, fdt_addr;
> +hwaddr dram_end = dram_base + mem_size;
> +int fdtsize = fdt_totalsize(fdt);
> +
> +if (fdtsize <= 0) {
> +error_report("invalid device-tree");
> +exit(1);
> +}
> +
> +/*
> + * We should put fdt as far as possible to avoid kernel/initrd 
> overwriting
> + * its content. But it should be addressable by 32 bit system as well.
> + * Thus, put it at an aligned address that less than fdt size from end of
> + * dram or 4GB whichever is lesser.
> + */
> +temp = MIN(dram_end, 4096 * MiB);
> +fdt_addr = QEMU_ALIGN_DOWN(temp - fdtsize, 2 * MiB);
> +
> +fdt_pack(fdt);

fdt_pack() can return an error code, but we are not checking its
return value here.

(This is one of Coverity's heuristics where it only reports failure
to check errors if it sees enough other callsites in the codebase
which do check errors to make it decide this is an "always need a
check" API, which is why the error has only popped up now a year on...)

> +/* copy in the device tree */
> +qemu_fdt_dumpdtb(fdt, fdtsize);
> +
> +rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
> +  _space_memory);
> +
> +return fdt_addr;
> +}
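Review bot: on the `temp = MIN(dram_end, 4096 * MiB);` line, `temp` is declared uint32_t, but the MIN() can evaluate to 4 GiB when DRAM ends at or above that boundary, and 4 GiB does not fit in 32 bits. The stored value is then 0, and `temp - fdtsize` only lands below 4 GiB through unsigned wraparound. Doing the computation in a 64-bit type and narrowing once for the return value would make the intent explicit.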

thanks
-- PMM



Re: [PATCH 01/11] nbd/server: Remove unused variable

2021-07-13 Thread Eric Blake
On Tue, Jul 13, 2021 at 12:27:48PM +0300, Vladimir Sementsov-Ogievskiy wrote:
> 13.07.2021 00:55, Richard Henderson wrote:
> >  From clang-13:
> > nbd/server.c:976:22: error: variable 'bitmaps' set but not used \
> >  [-Werror,-Wunused-but-set-variable]
> > 

> > +++ b/nbd/server.c
> > @@ -973,7 +973,6 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
> >   {
> >   int ret;
> >   g_autofree char *export_name = NULL;
> > -g_autofree bool *bitmaps = NULL;
> >   NBDExportMetaContexts local_meta = {0};
> >   uint32_t nb_queries;
> >   size_t i;
> > @@ -1007,9 +1006,6 @@ static int nbd_negotiate_meta_queries(NBDClient 
> > *client,
> >   "export '%s' not present", sane_name);
> >   }
> >   meta->bitmaps = g_new0(bool, meta->exp->nr_export_bitmaps);
> > -if (client->opt == NBD_OPT_LIST_META_CONTEXT) {
> > -bitmaps = meta->bitmaps;
> > -}
> >   ret = nbd_opt_read(client, _queries, sizeof(nb_queries), false, 
> > errp);
> >   if (ret <= 0) {
> > 
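Review bot: dropping `bitmaps` also drops the `bitmaps = meta->bitmaps;` assignment under NBD_OPT_LIST_META_CONTEXT, which is the only thing in these lines that hands the `g_new0()` allocation to a g_autofree owner. If the goal is only to quiet the compiler, keep the variable and add a comment that it exists for its cleanup side effect.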
> 
> 
> Hm. I'm afraid, this way meta->bitmaps will be leaked in 
> NBD_OPT_LIST_META_CONTEXT case.
> 
> Actually, "bitmaps" _is_ used, in cleanup handler, setup by g_autofree. So 
> it's a false positive.
>

Correct; this patch is wrong, and would cause a memory leak. This is a
false positive in clang, and a known issue that clang is in general
unable to see that g_autofree variables are used, sometimes for their
intentional side effects such as easier memory cleanup as done here.

I suspect that the definition of g_autofree already uses
__attribute__((unused)) to work around clang's oddities, which means
I'm not sure how to silence clang on this one.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
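Why the "set but not used" variable matters, as an added stand-alone C model (not the nbd/server.c code). `AUTOFREE` stands in for glib's `g_autofree` using the compiler's cleanup attribute; the option codes, `struct meta` and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

static int live_allocs;   /* allocations that have not been freed yet */

static void *counted_calloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    if (p) {
        live_allocs++;
    }
    return p;
}

static void counted_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Cleanup handler: runs when the annotated variable goes out of scope. */
static void autofree_cleanup(void *pp)
{
    counted_free(*(void **)pp);
}
#define AUTOFREE __attribute__((cleanup(autofree_cleanup)))

enum { OPT_SET_META = 1, OPT_LIST_META = 2 };   /* hypothetical option codes */

struct meta { bool *bitmaps; };

/*
 * keep_owner=true models the original function, keep_owner=false the
 * proposed patch that removes the variable and its assignment.
 */
static void negotiate(int opt, struct meta *meta, bool keep_owner)
{
    AUTOFREE bool *owner = NULL;

    meta->bitmaps = counted_calloc(8, sizeof(bool));
    if (keep_owner && opt == OPT_LIST_META) {
        owner = meta->bitmaps;   /* never read again; freed at scope exit */
    }
    /* ... the queries would be processed here ... */
}

/* Returns how many allocations are still live once the option is handled. */
static int leaked_after(int opt, bool keep_owner)
{
    struct meta m = { NULL };
    int leaked;

    live_allocs = 0;
    negotiate(opt, &m, keep_owner);
    if (opt == OPT_SET_META) {
        counted_free(m.bitmaps);   /* long-lived state: its real owner frees it */
    }
    leaked = live_allocs;
    if (leaked) {
        counted_free(m.bitmaps);   /* tidy up so the demo itself stays leak-free */
    }
    return leaked;
}
```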




[PATCH for-6.2 10/34] target/arm: Fix VLDRB/H/W for predicated elements

2021-07-13 Thread Peter Maydell
For vector loads, predicated elements are zeroed, instead of
retaining their previous values (as happens for most data
processing operations). This means we need to distinguish
"beat not executed due to ECI" (don't touch destination
element) from "beat executed but predicated out" (zero
destination element).

Signed-off-by: Peter Maydell 
---
 target/arm/mve_helper.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index b0cbfda3cce..f78228f70c1 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -153,12 +153,13 @@ static void mve_advance_vpt(CPUARMState *env)
 env->v7m.vpr = vpr;
 }
 
-
+/* For loads, predicated lanes are zeroed instead of keeping their old values 
*/
 #define DO_VLDR(OP, MSIZE, LDTYPE, ESIZE, TYPE) \
 void HELPER(mve_##OP)(CPUARMState *env, void *vd, uint32_t addr)\
 {   \
 TYPE *d = vd;   \
 uint16_t mask = mve_element_mask(env);  \
+uint16_t eci_mask = mve_eci_mask(env);  \
 unsigned b, e;  \
 /*  \
  * R_SXTM allows the dest reg to become UNKNOWN for abandoned   \
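Review bot: the new comment above DO_VLDR covers only half of what the commit message explains. It says predicated lanes are zeroed, but not that lanes skipped because of ECI must be left untouched, which is the reason `eci_mask` is introduced in this hunk. Folding that distinction into the comment would keep the two masks from being merged again later.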
@@ -166,8 +167,9 @@ static void mve_advance_vpt(CPUARMState *env)
  * then take an exception.  \
  */ \
 for (b = 0, e = 0; b < 16; b += ESIZE, e++) {   \
-if (mask & (1 << b)) {  \
-d[H##ESIZE(e)] = cpu_##LDTYPE##_data_ra(env, addr, GETPC()); \
+if (eci_mask & (1 << b)) {  \
+d[H##ESIZE(e)] = (mask & (1 << b)) ?\
+cpu_##LDTYPE##_data_ra(env, addr, GETPC()) : 0; \
 }   \
 addr += MSIZE;  \
 }   \
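
Review bot: in the loop, a lane with its eci_mask bit set and its mask bit clear is now written with 0 without calling cpu_##LDTYPE##_data_ra(), so a predicated-out lane can no longer fault; that looks intended but should be stated in the comment. Both tests also sample only bit b, the lowest predicate bit of each element, so for ESIZE > 1 an element is treated as wholly loaded or wholly zeroed regardless of its other predicate bits. If that matches the architecture, say so next to the test.
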
-- 
2.20.1




[PATCH for-6.2 17/34] target/arm: Implement MVE VMLAS

2021-07-13 Thread Peter Maydell
Implement the MVE VMLAS insn, which multiplies a vector by a vector
and adds a scalar.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h|  8 
 target/arm/mve.decode  |  3 +++
 target/arm/mve_helper.c| 31 +++
 target/arm/translate-mve.c |  2 ++
 4 files changed, 44 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index f1a54aba5d4..6f2cc5c2929 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -351,6 +351,14 @@ DEF_HELPER_FLAGS_4(mve_vqdmullb_scalarw, TCG_CALL_NO_WG, 
void, env, ptr, ptr, i3
 DEF_HELPER_FLAGS_4(mve_vqdmullt_scalarh, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 DEF_HELPER_FLAGS_4(mve_vqdmullt_scalarw, TCG_CALL_NO_WG, void, env, ptr, ptr, 
i32)
 
+DEF_HELPER_FLAGS_4(mve_vmlassb, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlassh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlassw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_4(mve_vmlasub, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlasuh, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(mve_vmlasuw, TCG_CALL_NO_WG, void, env, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(mve_vmlaldavsh, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vmlaldavsw, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
 DEF_HELPER_FLAGS_4(mve_vmlaldavxsh, TCG_CALL_NO_WG, i64, env, ptr, ptr, i64)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 4bd20a9a319..05c30735545 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -345,6 +345,9 @@ VBRSR 1110 0 . .. ... 1 ... 1 1110 . 110 
 @2scalar
 VQDMULH_scalar   1110 1110 0 . .. ... 1 ... 0 1110 . 110  @2scalar
 VQRDMULH_scalar   1110 0 . .. ... 1 ... 0 1110 . 110  @2scalar
 
+VMLAS_S  1110 1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
+VMLAS_U   1110 0 . .. ... 1 ... 1 1110 . 100  @2scalar
+
 # Vector add across vector
 {
   VADDV  111 u:1 1110  size:2 01 ... 0  0 0 a:1 0 qm:3 0 
rda=%rdalo
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index be67e7cea26..98c3a418dcb 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -955,6 +955,22 @@ DO_VQDMLADH_OP(vqrdmlsdhxw, 4, int32_t, 1, 1, 
do_vqdmlsdh_w)
 mve_advance_vpt(env);   \
 }
 
+/* "accumulating" version where FN takes d as well as n and m */
+#define DO_2OP_ACC_SCALAR(OP, ESIZE, TYPE, FN)  \
+void HELPER(glue(mve_, OP))(CPUARMState *env, void *vd, void *vn,   \
+uint32_t rm)\
+{   \
+TYPE *d = vd, *n = vn;  \
+TYPE m = rm;\
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+for (e = 0; e < 16 / ESIZE; e++, mask >>= ESIZE) {  \
+mergemask([H##ESIZE(e)],  \
+  FN(d[H##ESIZE(e)], n[H##ESIZE(e)], m), mask); \
+}   \
+mve_advance_vpt(env);   \
+}
+
 /* provide unsigned 2-op scalar helpers for all sizes */
 #define DO_2OP_SCALAR_U(OP, FN) \
 DO_2OP_SCALAR(OP##b, 1, uint8_t, FN)\
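
Review bot: as shown, the first argument to mergemask() in the DO_2OP_ACC_SCALAR loop body reads "[H##ESIZE(e)]" with no expression in front of the subscript, which will not compile. The rest of the macro (TYPE *d = vd, and FN reading d[H##ESIZE(e)]) implies the destination element's address, &d[H##ESIZE(e)], was meant.
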
@@ -965,6 +981,15 @@ DO_VQDMLADH_OP(vqrdmlsdhxw, 4, int32_t, 1, 1, 
do_vqdmlsdh_w)
 DO_2OP_SCALAR(OP##h, 2, int16_t, FN)\
 DO_2OP_SCALAR(OP##w, 4, int32_t, FN)
 
+#define DO_2OP_ACC_SCALAR_U(OP, FN) \
+DO_2OP_ACC_SCALAR(OP##b, 1, uint8_t, FN)\
+DO_2OP_ACC_SCALAR(OP##h, 2, uint16_t, FN)   \
+DO_2OP_ACC_SCALAR(OP##w, 4, uint32_t, FN)
+#define DO_2OP_ACC_SCALAR_S(OP, FN) \
+DO_2OP_ACC_SCALAR(OP##b, 1, int8_t, FN) \
+DO_2OP_ACC_SCALAR(OP##h, 2, int16_t, FN)\
+DO_2OP_ACC_SCALAR(OP##w, 4, int32_t, FN)
+
 DO_2OP_SCALAR_U(vadd_scalar, DO_ADD)
 DO_2OP_SCALAR_U(vsub_scalar, DO_SUB)
 DO_2OP_SCALAR_U(vmul_scalar, DO_MUL)
@@ -994,6 +1019,12 @@ DO_2OP_SAT_SCALAR(vqrdmulh_scalarb, 1, int8_t, 
DO_QRDMULH_B)
 DO_2OP_SAT_SCALAR(vqrdmulh_scalarh, 2, int16_t, DO_QRDMULH_H)
 DO_2OP_SAT_SCALAR(vqrdmulh_scalarw, 4, int32_t, DO_QRDMULH_W)
 
+/* Vector by vector plus scalar */
+#define DO_VMLAS(D, N, M) ((N) * (D) + (M))
+
+DO_2OP_ACC_SCALAR_S(vmlass, DO_VMLAS)
+DO_2OP_ACC_SCALAR_U(vmlasu, DO_VMLAS)
+
 /*
  * Long saturating scalar ops. As with DO_2OP_L, TYPE and H are for the
  * input (smaller) type and LESIZE, LTYPE, LH for the output (long) type.
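
Review bot: DO_VMLAS is instantiated for both vmlass and vmlasu with the same FN, and the result is stored back at the element width. The low ESIZE bytes of (N) * (D) + (M) do not depend on whether the operands are read as signed or unsigned, so the six helpers form three identical pairs and one set would do. For the int32_t instance the multiply and add can also overflow a signed type, which ISO C leaves undefined unless the build uses wrapping semantics; instantiating only the unsigned types avoids both issues.
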
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index 689e15c069b..011d1d6bcd9 100644
--- 

[PATCH for-6.2 22/34] target/arm: Implement MVE narrowing moves

2021-07-13 Thread Peter Maydell
Implement the MVE narrowing move insns VMOVN, VQMOVN and VQMOVUN.
These take a double-width input, narrow it (possibly saturating) and
store the result to either the top or bottom half of the output
element.

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 20 ++
 target/arm/mve.decode  | 12 ++
 target/arm/mve_helper.c| 78 ++
 target/arm/translate-mve.c | 22 +++
 4 files changed, 132 insertions(+)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index 5c3f8a26df0..84aa9de6e06 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -80,6 +80,26 @@ DEF_HELPER_FLAGS_3(mve_vnegw, TCG_CALL_NO_WG, void, env, 
ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vfnegh, TCG_CALL_NO_WG, void, env, ptr, ptr)
 DEF_HELPER_FLAGS_3(mve_vfnegs, TCG_CALL_NO_WG, void, env, ptr, ptr)
 
+DEF_HELPER_FLAGS_3(mve_vmovnbb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vmovnbh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vmovntb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vmovnth, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vqmovunbb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovunbh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovuntb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovunth, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vqmovnbsb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovnbsh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovntsb, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovntsh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
+DEF_HELPER_FLAGS_3(mve_vqmovnbub, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovnbuh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovntub, TCG_CALL_NO_WG, void, env, ptr, ptr)
+DEF_HELPER_FLAGS_3(mve_vqmovntuh, TCG_CALL_NO_WG, void, env, ptr, ptr)
+
 DEF_HELPER_FLAGS_4(mve_vand, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vbic, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_4(mve_vorr, TCG_CALL_NO_WG, void, env, ptr, ptr, ptr)
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index bf6cf6f8383..79c529e762f 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -153,6 +153,9 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VSHLL_BS   111 0 1110 0 . 11 .. 01 ... 0 1110 0 0 . 0 ... 1 
@2_shll_esize_b
   VSHLL_BS   111 0 1110 0 . 11 .. 01 ... 0 1110 0 0 . 0 ... 1 
@2_shll_esize_h
 
+  VQMOVUNB   111 0 1110 0 . 11 .. 01 ... 0 1110 1 0 . 0 ... 1 @1op
+  VQMOVN_BS  111 0 1110 0 . 11 .. 11 ... 0 1110 0 0 . 0 ... 1 @1op
+
   VMULH_S111 0 1110 0 . .. ...1 ... 0 1110 . 0 . 0 ... 1 @2op
 }
 
@@ -160,6 +163,9 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VSHLL_BU   111 1 1110 0 . 11 .. 01 ... 0 1110 0 0 . 0 ... 1 
@2_shll_esize_b
   VSHLL_BU   111 1 1110 0 . 11 .. 01 ... 0 1110 0 0 . 0 ... 1 
@2_shll_esize_h
 
+  VMOVNB 111 1 1110 0 . 11 .. 01 ... 0 1110 1 0 . 0 ... 1 @1op
+  VQMOVN_BU  111 1 1110 0 . 11 .. 11 ... 0 1110 0 0 . 0 ... 1 @1op
+
   VMULH_U111 1 1110 0 . .. ...1 ... 0 1110 . 0 . 0 ... 1 @2op
 }
 
@@ -167,6 +173,9 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VSHLL_TS   111 0 1110 0 . 11 .. 01 ... 1 1110 0 0 . 0 ... 1 
@2_shll_esize_b
   VSHLL_TS   111 0 1110 0 . 11 .. 01 ... 1 1110 0 0 . 0 ... 1 
@2_shll_esize_h
 
+  VQMOVUNT   111 0 1110 0 . 11 .. 01 ... 1 1110 1 0 . 0 ... 1 @1op
+  VQMOVN_TS  111 0 1110 0 . 11 .. 11 ... 1 1110 0 0 . 0 ... 1 @1op
+
   VRMULH_S   111 0 1110 0 . .. ...1 ... 1 1110 . 0 . 0 ... 1 @2op
 }
 
@@ -174,6 +183,9 @@ VMUL 1110  0 . .. ... 0 ... 0 1001 . 1 . 1 
... 0 @2op
   VSHLL_TU   111 1 1110 0 . 11 .. 01 ... 1 1110 0 0 . 0 ... 1 
@2_shll_esize_b
   VSHLL_TU   111 1 1110 0 . 11 .. 01 ... 1 1110 0 0 . 0 ... 1 
@2_shll_esize_h
 
+  VMOVNT 111 1 1110 0 . 11 .. 01 ... 1 1110 1 0 . 0 ... 1 @1op
+  VQMOVN_TU  111 1 1110 0 . 11 .. 11 ... 1 1110 0 0 . 0 ... 1 @1op
+
   VRMULH_U   111 1 1110 0 . .. ...1 ... 1 1110 . 0 . 0 ... 1 @2op
 }
 
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index 4eb5dbce6d7..725fe64a348 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1668,6 +1668,84 @@ DO_VSHRN_SAT_UH(vqrshrnb_uh, vqrshrnt_uh, DO_RSHRN_UH)
 DO_VSHRN_SAT_SB(vqrshrunbb, vqrshruntb, DO_RSHRUN_B)
 DO_VSHRN_SAT_SH(vqrshrunbh, vqrshrunth, DO_RSHRUN_H)
 
+#define DO_VMOVN(OP, TOP, ESIZE, TYPE, LESIZE, LTYPE)   \
+void HELPER(mve_##OP)(CPUARMState *env, void *vd, void *vm) \
+{   \
+LTYPE *m = vm;  \
+TYPE *d = vd;  

[PATCH for-6.2 20/34] target/arm: Implement MVE integer min/max across vector

2021-07-13 Thread Peter Maydell
Implement the MVE integer min/max across vector insns
VMAXV, VMINV, VMAXAV and VMINAV, which find the maximum
from the vector elements and a general purpose register,
and store the maximum back into the general purpose
register.

These insns overlap with VRMLALDAVH (they use what would
be RdaHi=0b110).

Signed-off-by: Peter Maydell 
---
 target/arm/helper-mve.h| 20 +++
 target/arm/mve.decode  | 18 --
 target/arm/mve_helper.c| 69 ++
 target/arm/translate-mve.c | 48 ++
 4 files changed, 153 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper-mve.h b/target/arm/helper-mve.h
index c702db4c39a..282bfe80942 100644
--- a/target/arm/helper-mve.h
+++ b/target/arm/helper-mve.h
@@ -387,6 +387,26 @@ DEF_HELPER_FLAGS_3(mve_vaddvuh, TCG_CALL_NO_WG, i32, env, 
ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vaddvsw, TCG_CALL_NO_WG, i32, env, ptr, i32)
 DEF_HELPER_FLAGS_3(mve_vaddvuw, TCG_CALL_NO_WG, i32, env, ptr, i32)
 
+DEF_HELPER_FLAGS_3(mve_vmaxvsb, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxvsh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxvsw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxvub, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxvuh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxvuw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxavb, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxavh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vmaxavw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+
+DEF_HELPER_FLAGS_3(mve_vminvsb, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminvsh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminvsw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminvub, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminvuh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminvuw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminavb, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminavh, TCG_CALL_NO_WG, i32, env, ptr, i32)
+DEF_HELPER_FLAGS_3(mve_vminavw, TCG_CALL_NO_WG, i32, env, ptr, i32)
+
 DEF_HELPER_FLAGS_3(mve_vaddlv_s, TCG_CALL_NO_WG, i64, env, ptr, i64)
 DEF_HELPER_FLAGS_3(mve_vaddlv_u, TCG_CALL_NO_WG, i64, env, ptr, i64)
 
diff --git a/target/arm/mve.decode b/target/arm/mve.decode
index 67bd894daf1..9ae417b718a 100644
--- a/target/arm/mve.decode
+++ b/target/arm/mve.decode
@@ -40,6 +40,7 @@
  qm qn size mask
 _scalar qn rm size mask
 _scalar qda rm size
+ qm rda size
 
 @vldr_vstr ... . . . . l:1 rn:4 ... .. imm:7 _vstr qd=%qd u=0
 # Note that both Rn and Qd are 3 bits only (no D bit)
@@ -97,6 +98,8 @@
 @vcmp_scalar   .. size:2 qn:3 .    rm:4 _scalar \
  mask=%mask_22_13
 
+@vmaxv    size:2 .. rda:4     qm=%qm
+
 # Vector loads and stores
 
 # Widening loads and narrowing stores:
@@ -314,8 +317,19 @@ VMLALDAV_U    1110 1 ... ... . ... . 1110 . 0 . 0 
... 0 @vmlaldav
 
 VMLSLDAV 1110 1110 1 ... ... . ... . 1110 . 0 . 0 ... 1 @vmlaldav
 
-VRMLALDAVH_S 1110 1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
-VRMLALDAVH_U  1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
+{
+  VMAXV_S1110 1110 1110  .. 10    0 0 . 0 ... 0 @vmaxv
+  VMINV_S1110 1110 1110  .. 10    1 0 . 0 ... 0 @vmaxv
+  VMAXAV 1110 1110 1110  .. 00    0 0 . 0 ... 0 @vmaxv
+  VMINAV 1110 1110 1110  .. 00    1 0 . 0 ... 0 @vmaxv
+  VRMLALDAVH_S   1110 1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
+}
+
+{
+  VMAXV_U 1110 1110  .. 10    0 0 . 0 ... 0 @vmaxv
+  VMINV_U 1110 1110  .. 10    1 0 . 0 ... 0 @vmaxv
+  VRMLALDAVH_U    1110 1 ... ... 0 ... .  . 0 . 0 ... 0 @vmlaldav_nosz
+}
 
 VRMLSLDAVH    1110 1 ... ... 0 ... . 1110 . 0 . 0 ... 1 @vmlaldav_nosz
 
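
Review bot: the two new { } groups make VMAXV, VMINV, VMAXAV and VMINAV take priority over VRMLALDAVH_S/_U only by being listed first, and the reason (they use what would be RdaHi=0b110) appears only in the commit message. Put that explanation in a comment above each group so the patterns are not reordered later.
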
diff --git a/target/arm/mve_helper.c b/target/arm/mve_helper.c
index d44cd80e18b..5066ee3169a 100644
--- a/target/arm/mve_helper.c
+++ b/target/arm/mve_helper.c
@@ -1266,6 +1266,75 @@ DO_VADDV(vaddvub, 1, uint8_t)
 DO_VADDV(vaddvuh, 2, uint16_t)
 DO_VADDV(vaddvuw, 4, uint32_t)
 
+/*
+ * Vector max/min across vector. Unlike VADDV, we must
+ * read ra as the element size, not its full width.
+ * We work with int64_t internally for simplicity.
+ */
+#define DO_VMAXMINV(OP, ESIZE, TYPE, RATYPE, FN)\
+uint32_t HELPER(glue(mve_, OP))(CPUARMState *env, void *vm, \
+uint32_t ra_in) \
+{   \
+uint16_t mask = mve_element_mask(env);  \
+unsigned e; \
+TYPE *m = vm;   \
+int64_t ra = 

[PULL 02/12] linux-user/sparc: Rename target_errno.h -> target_errno_defs.h

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

We want to have one generic target_errno.h (API to access target
errno), and will add target errno definitions in target_errno_defs.h.
The sparc target already has its errnos in a header, simply rename
it.

Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-3-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/sparc/{target_errno.h => target_errno_defs.h} | 4 ++--
 linux-user/sparc/target_syscall.h| 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename linux-user/sparc/{target_errno.h => target_errno_defs.h} (99%)

diff --git a/linux-user/sparc/target_errno.h 
b/linux-user/sparc/target_errno_defs.h
similarity index 99%
rename from linux-user/sparc/target_errno.h
rename to linux-user/sparc/target_errno_defs.h
index 9b846899cd4f..e00081098674 100644
--- a/linux-user/sparc/target_errno.h
+++ b/linux-user/sparc/target_errno_defs.h
@@ -1,5 +1,5 @@
-#ifndef SPARC_TARGET_ERRNO_H
-#define SPARC_TARGET_ERRNO_H
+#ifndef SPARC_TARGET_ERRNO_DEFS_H
+#define SPARC_TARGET_ERRNO_DEFS_H
 
 /* Target errno definitions taken from asm-sparc/errno.h */
 #undef TARGET_EWOULDBLOCK
diff --git a/linux-user/sparc/target_syscall.h 
b/linux-user/sparc/target_syscall.h
index 15d531f38978..dad501d008cd 100644
--- a/linux-user/sparc/target_syscall.h
+++ b/linux-user/sparc/target_syscall.h
@@ -1,7 +1,7 @@
 #ifndef SPARC_TARGET_SYSCALL_H
 #define SPARC_TARGET_SYSCALL_H
 
-#include "target_errno.h"
+#include "target_errno_defs.h"
 
 #if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
 struct target_pt_regs {
-- 
2.31.1




[PULL 04/12] linux-user/alpha: Move errno definitions to 'target_errno_defs.h'

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-5-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/alpha/target_errno_defs.h | 198 +++
 linux-user/alpha/target_syscall.h| 194 --
 2 files changed, 198 insertions(+), 194 deletions(-)

diff --git a/linux-user/alpha/target_errno_defs.h 
b/linux-user/alpha/target_errno_defs.h
index 54770108c02a..07924b13aafe 100644
--- a/linux-user/alpha/target_errno_defs.h
+++ b/linux-user/alpha/target_errno_defs.h
@@ -3,4 +3,202 @@
 
 #include "../generic/target_errno_defs.h"
 
+/*
+ * Generic target errno overridden with definitions taken
+ * from asm-alpha/errno.h
+ */
+#undef TARGET_EWOULDBLOCK
+#define TARGET_EWOULDBLOCK  TARGET_EAGAIN
+#undef TARGET_EDEADLK
+#define TARGET_EDEADLK  11
+#undef TARGET_EAGAIN
+#define TARGET_EAGAIN   35
+#undef TARGET_EINPROGRESS
+#define TARGET_EINPROGRESS  36
+#undef TARGET_EALREADY
+#define TARGET_EALREADY 37
+#undef TARGET_ENOTSOCK
+#define TARGET_ENOTSOCK 38
+#undef TARGET_EDESTADDRREQ
+#define TARGET_EDESTADDRREQ 39
+#undef TARGET_EMSGSIZE
+#define TARGET_EMSGSIZE 40
+#undef TARGET_EPROTOTYPE
+#define TARGET_EPROTOTYPE   41
+#undef TARGET_ENOPROTOOPT
+#define TARGET_ENOPROTOOPT  42
+#undef TARGET_EPROTONOSUPPORT
+#define TARGET_EPROTONOSUPPORT  43
+#undef TARGET_ESOCKTNOSUPPORT
+#define TARGET_ESOCKTNOSUPPORT  44
+#undef TARGET_EOPNOTSUPP
+#define TARGET_EOPNOTSUPP   45
+#undef TARGET_EPFNOSUPPORT
+#define TARGET_EPFNOSUPPORT 46
+#undef TARGET_EAFNOSUPPORT
+#define TARGET_EAFNOSUPPORT 47
+#undef TARGET_EADDRINUSE
+#define TARGET_EADDRINUSE   48
+#undef TARGET_EADDRNOTAVAIL
+#define TARGET_EADDRNOTAVAIL49
+#undef TARGET_ENETDOWN
+#define TARGET_ENETDOWN 50
+#undef TARGET_ENETUNREACH
+#define TARGET_ENETUNREACH  51
+#undef TARGET_ENETRESET
+#define TARGET_ENETRESET52
+#undef TARGET_ECONNABORTED
+#define TARGET_ECONNABORTED 53
+#undef TARGET_ECONNRESET
+#define TARGET_ECONNRESET   54
+#undef TARGET_ENOBUFS
+#define TARGET_ENOBUFS  55
+#undef TARGET_EISCONN
+#define TARGET_EISCONN  56
+#undef TARGET_ENOTCONN
+#define TARGET_ENOTCONN 57
+#undef TARGET_ESHUTDOWN
+#define TARGET_ESHUTDOWN58
+#undef TARGET_ETOOMANYREFS
+#define TARGET_ETOOMANYREFS 59
+#undef TARGET_ETIMEDOUT
+#define TARGET_ETIMEDOUT60
+#undef TARGET_ECONNREFUSED
+#define TARGET_ECONNREFUSED 61
+#undef TARGET_ELOOP
+#define TARGET_ELOOP62
+#undef TARGET_ENAMETOOLONG
+#define TARGET_ENAMETOOLONG 63
+#undef TARGET_EHOSTDOWN
+#define TARGET_EHOSTDOWN64
+#undef TARGET_EHOSTUNREACH
+#define TARGET_EHOSTUNREACH 65
+#undef TARGET_ENOTEMPTY
+#define TARGET_ENOTEMPTY66
+/* Unused   67 */
+#undef TARGET_EUSERS
+#define TARGET_EUSERS   68
+#undef TARGET_EDQUOT
+#define TARGET_EDQUOT   69
+#undef TARGET_ESTALE
+#define TARGET_ESTALE   70
+#undef TARGET_EREMOTE
+#define TARGET_EREMOTE  71
+/* Unused   72-76 */
+#undef TARGET_ENOLCK
+#define TARGET_ENOLCK   77
+#undef TARGET_ENOSYS
+#define TARGET_ENOSYS   78
+/* Unused   79 */
+#undef TARGET_ENOMSG
+#define TARGET_ENOMSG   80
+#undef TARGET_EIDRM
+#define TARGET_EIDRM81
+#undef TARGET_ENOSR
+#define TARGET_ENOSR82
+#undef TARGET_ETIME
+#define TARGET_ETIME83
+#undef TARGET_EBADMSG
+#define TARGET_EBADMSG  84
+#undef TARGET_EPROTO
+#define TARGET_EPROTO   85
+#undef TARGET_ENODATA
+#define TARGET_ENODATA  86
+#undef TARGET_ENOSTR
+#define TARGET_ENOSTR   87
+#undef TARGET_ECHRNG
+#define TARGET_ECHRNG   88
+#undef TARGET_EL2NSYNC
+#define TARGET_EL2NSYNC 89
+#undef TARGET_EL3HLT
+#define TARGET_EL3HLT   90
+#undef TARGET_EL3RST
+#define TARGET_EL3RST   91
+#undef TARGET_ENOPKG
+#define TARGET_ENOPKG   92
+#undef TARGET_ELNRNG
+#define TARGET_ELNRNG   93
+#undef TARGET_EUNATCH
+#define TARGET_EUNATCH  94
+#undef TARGET_ENOCSI
+#define TARGET_ENOCSI   95
+#undef TARGET_EL2HLT
+#define TARGET_EL2HLT   96
+#undef TARGET_EBADE
+#define TARGET_EBADE97
+#undef TARGET_EBADR
+#define TARGET_EBADR98
+#undef TARGET_EXFULL
+#define TARGET_EXFULL   99
+#undef TARGET_ENOANO
+#define TARGET_ENOANO   100
+#undef TARGET_EBADRQC
+#define TARGET_EBADRQC  101
+#undef TARGET_EBADSLT
+#define TARGET_EBADSLT  102
+/* Unused   103 */
+#undef TARGET_EBFONT
+#define TARGET_EBFONT   104
+#undef TARGET_ENONET
+#define TARGET_ENONET   105
+#undef TARGET_ENOLINK
+#define TARGET_ENOLINK  106
+#undef TARGET_EADV
+#define TARGET_EADV 107

Re: [PULL 00/22] Crypto and more patches

2021-07-13 Thread Daniel P . Berrangé
On Tue, Jul 13, 2021 at 10:25:44AM +0100, Peter Maydell wrote:
> On Mon, 12 Jul 2021 at 14:23, Daniel P. Berrangé  wrote:
> >
> > The following changes since commit bd38ae26cea0d1d6a97f930248df149204c210a2:
> >
> >   Merge remote-tracking branch 'remotes/rth-gitlab/tags/pull-tcg-20210710' 
> > into staging (2021-07-12 11:02:39 +0100)
> >
> > are available in the Git repository at:
> >
> >   https://gitlab.com/berrange/qemu tags/crypto-and-more-pull-request
> >
> > for you to fetch changes up to 1fc9958410c8683950ea22084b133a755561398b:
> >
> >   tests/migration: fix unix socket migration (2021-07-12 14:00:20 +0100)
> >
> > 
> > Merge crypto updates and misc fixes
> >
> >  * Introduce a GNUTLS backend for crypto algorithms
> >  * Change crypto library preference gnutls > gcrypt > nettle > built-in
> >  * Remove built-in DES impl
> >  * Remove XTS mode from built-in AES impl
> >  * Fix seccomp rules to allow resource info getters
> >  * Fix migration performance test
> >  * Use GDateTime in io/ and net/rocker/ code
> >
> > 
> 
> Hi; this failed 'make check' on ppc64be:

> The failure is reproducible. Here's a backtrace from a debug
> build:
> 
> test-crypto-cipher: cbc.c:53: nettle_cbc_encrypt: Assertion `!(length
> % block_size)' failed.
> 
> Thread 1 "test-crypto-cip" received signal SIGABRT, Aborted.
> 0x777b8460 in __libc_signal_restore_set (set=0x7fffe468)
> at ../sysdeps/unix/sysv/linux/internal-signals.h:86
> 86  ../sysdeps/unix/sysv/linux/internal-signals.h: No such file or
> directory.
> (gdb) bt
> #0  0x777b8460 in __libc_signal_restore_set
> (set=0x7fffe468) at
> ../sysdeps/unix/sysv/linux/internal-signals.h:86
> #1  __GI_raise (sig=) at ../sysdeps/unix/sysv/linux/raise.c:48
> #2  0x7779bd40 in __GI_abort () at abort.c:79
> #3  0x777ae490 in __assert_fail_base (fmt=,
> assertion=assertion@entry=0x772b6f38 "!(length % block_size)",
> file=file@entry=0x772b6f30 "cbc.c", line=line@entry=53,
> function=function@entry=0x772b6f50 "nettle_cbc_encrypt") at 
> assert.c:92
> #4  0x777ae528 in __GI___assert_fail (assertion=0x772b6f38
> "!(length % block_size)", file=0x772b6f30 "cbc.c",
> line=, function=0x772b6f50
> "nettle_cbc_encrypt") at assert.c:101
> #5  0x7728c154 in nettle_cbc_encrypt () from
> /usr/lib/powerpc64-linux-gnu/libnettle.so.8
> #6  0x77e6b894 in ?? () from
> /usr/lib/powerpc64-linux-gnu/libgnutls.so.30
> #7  0x77e6c72c in ?? () from
> /usr/lib/powerpc64-linux-gnu/libgnutls.so.30
> #8  0x77d6d794 in gnutls_cipher_encrypt2 () from
> /usr/lib/powerpc64-linux-gnu/libgnutls.so.30
> #9  0x00010003c330 in qcrypto_gnutls_cipher_encrypt
> (cipher=0x10016e550, in=0x7fffeca8, out=0x7fffecc8, len=32,
> errp=0x100122b48 ) at ../../crypto/cipher-gnutls.c.inc:103
> #10 0x00010003cef0 in qcrypto_cipher_encrypt (cipher=0x10016e550,
> in=0x7fffeca8, out=0x7fffecc8, len=32,
> errp=0x100122b48 ) at ../../crypto/cipher.c:177
> #11 0x00010002e75c in test_cipher_null_iv () at
> ../../tests/unit/test-crypto-cipher.c:749
> #12 0x77bbed38 in ?? () from
> /usr/lib/powerpc64-linux-gnu/libglib-2.0.so.0
> #13 0x77bbeabc in ?? () from
> /usr/lib/powerpc64-linux-gnu/libglib-2.0.so.0
> #14 0x77bbeabc in ?? () from
> /usr/lib/powerpc64-linux-gnu/libglib-2.0.so.0
> #15 0x77bbf364 in g_test_run_suite () from
> /usr/lib/powerpc64-linux-gnu/libglib-2.0.so.0
> #16 0x77bbf3bc in g_test_run () from
> /usr/lib/powerpc64-linux-gnu/libglib-2.0.so.0
> #17 0x00010002eb78 in main (argc=1, argv=0x78e8) at
> ../../tests/unit/test-crypto-cipher.c:821
> 
> In frame 9 len is 32 and ctx_>blocksize is 16, so ¯\_(ツ)_/¯

The len in frame 9 is the plain text len, but I think the assert is
complaining about the initialization vector len, which is likely
zero here. I think I know what to fix, but I'm surprised this would
be architecture specific though.

Can you confirm what version of gnutls and nettle you have installed
and what distro this is?


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




[PULL 01/12] linux-user/syscall: Fix RF-kill errno (typo in ERFKILL)

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Affected targets: alpha, hppa, mips/64, sparc

Fixes: fe8ed7d5794 ("linux-user: Handle ERFKILL and EHWPOISON")
Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-2-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 2e826206d227..4842a1987b79 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -629,7 +629,7 @@ static uint16_t 
host_to_target_errno_table[ERRNO_TABLE_SIZE] = {
 #ifdef ENOMSG
 [ENOMSG]= TARGET_ENOMSG,
 #endif
-#ifdef ERKFILL
+#ifdef ERFKILL
 [ERFKILL]   = TARGET_ERFKILL,
 #endif
 #ifdef EHWPOISON
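
Review bot: the corrected guard at "#ifdef ERFKILL" enables a table entry that was never compiled in before, so this is a behaviour change for guests, yet the commit message lists only the affected targets. It should say which errno value those guests received for a host ERFKILL before and after the fix. A misspelt #ifdef guard silently drops its entry, so it is also worth checking the neighbouring guards in this table for the same class of typo.
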
-- 
2.31.1




[PULL 05/12] linux-user/hppa: Move errno definitions to 'target_errno_defs.h'

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Message-Id: <20210708170550.1846343-6-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/hppa/target_errno_defs.h | 214 
 linux-user/hppa/target_syscall.h| 210 ---
 2 files changed, 214 insertions(+), 210 deletions(-)

diff --git a/linux-user/hppa/target_errno_defs.h 
b/linux-user/hppa/target_errno_defs.h
index d6e9676ce254..b8f728f58632 100644
--- a/linux-user/hppa/target_errno_defs.h
+++ b/linux-user/hppa/target_errno_defs.h
@@ -3,4 +3,218 @@
 
 #include "../generic/target_errno_defs.h"
 
+/*
+ * Generic target errno overridden with definitions taken
+ * from asm-parisc/errno.h
+ */
+#undef TARGET_EWOULDBLOCK
+#define TARGET_EWOULDBLOCK TARGET_EAGAIN /* Operation would block */
+#undef  TARGET_ENOMSG
+#define TARGET_ENOMSG  35
+#undef  TARGET_EIDRM
+#define TARGET_EIDRM   36
+#undef  TARGET_ECHRNG
+#define TARGET_ECHRNG  37
+#undef  TARGET_EL2NSYNC
+#define TARGET_EL2NSYNC38
+#undef  TARGET_EL3HLT
+#define TARGET_EL3HLT  39
+#undef  TARGET_EL3RST
+#define TARGET_EL3RST  40
+#undef  TARGET_ELNRNG
+#define TARGET_ELNRNG  41
+#undef  TARGET_EUNATCH
+#define TARGET_EUNATCH 42
+#undef  TARGET_ENOCSI
+#define TARGET_ENOCSI  43
+#undef  TARGET_EL2HLT
+#define TARGET_EL2HLT  44
+#undef  TARGET_EDEADLK
+#define TARGET_EDEADLK 45
+#undef  TARGET_ENOLCK
+#define TARGET_ENOLCK  46
+#undef  TARGET_EILSEQ
+#define TARGET_EILSEQ  47
+
+#undef  TARGET_ENONET
+#define TARGET_ENONET  50
+#undef  TARGET_ENODATA
+#define TARGET_ENODATA 51
+#undef  TARGET_ETIME
+#define TARGET_ETIME   52
+#undef  TARGET_ENOSR
+#define TARGET_ENOSR   53
+#undef  TARGET_ENOSTR
+#define TARGET_ENOSTR  54
+#undef  TARGET_ENOPKG
+#define TARGET_ENOPKG  55
+
+#undef  TARGET_ENOLINK
+#define TARGET_ENOLINK 57
+#undef  TARGET_EADV
+#define TARGET_EADV58
+#undef  TARGET_ESRMNT
+#define TARGET_ESRMNT  59
+#undef  TARGET_ECOMM
+#define TARGET_ECOMM   60
+#undef  TARGET_EPROTO
+#define TARGET_EPROTO  61
+
+#undef  TARGET_EMULTIHOP
+#define TARGET_EMULTIHOP   64
+
+#undef  TARGET_EDOTDOT
+#define TARGET_EDOTDOT 66
+#undef  TARGET_EBADMSG
+#define TARGET_EBADMSG 67
+#undef  TARGET_EUSERS
+#define TARGET_EUSERS  68
+#undef  TARGET_EDQUOT
+#define TARGET_EDQUOT  69
+#undef  TARGET_ESTALE
+#define TARGET_ESTALE  70
+#undef  TARGET_EREMOTE
+#define TARGET_EREMOTE 71
+#undef  TARGET_EOVERFLOW
+#define TARGET_EOVERFLOW   72
+
+#undef  TARGET_EBADE
+#define TARGET_EBADE   160
+#undef  TARGET_EBADR
+#define TARGET_EBADR   161
+#undef  TARGET_EXFULL
+#define TARGET_EXFULL  162
+#undef  TARGET_ENOANO
+#define TARGET_ENOANO  163
+#undef  TARGET_EBADRQC
+#define TARGET_EBADRQC 164
+#undef  TARGET_EBADSLT
+#define TARGET_EBADSLT 165
+#undef  TARGET_EBFONT
+#define TARGET_EBFONT  166
+#undef  TARGET_ENOTUNIQ
+#define TARGET_ENOTUNIQ167
+#undef  TARGET_EBADFD
+#define TARGET_EBADFD  168
+#undef  TARGET_EREMCHG
+#define TARGET_EREMCHG 169
+#undef  TARGET_ELIBACC
+#define TARGET_ELIBACC 170
+#undef  TARGET_ELIBBAD
+#define TARGET_ELIBBAD 171
+#undef  TARGET_ELIBSCN
+#define TARGET_ELIBSCN 172
+#undef  TARGET_ELIBMAX
+#define TARGET_ELIBMAX 173
+#undef  TARGET_ELIBEXEC
+#define TARGET_ELIBEXEC174
+#undef  TARGET_ERESTART
+#define TARGET_ERESTART175
+#undef  TARGET_ESTRPIPE
+#define TARGET_ESTRPIPE176
+#undef  TARGET_EUCLEAN
+#define TARGET_EUCLEAN 177
+#undef  TARGET_ENOTNAM
+#define TARGET_ENOTNAM 178
+#undef  TARGET_ENAVAIL
+#define TARGET_ENAVAIL 179
+#undef  TARGET_EISNAM
+#define TARGET_EISNAM  180
+#undef  TARGET_EREMOTEIO
+#define TARGET_EREMOTEIO   181
+#undef  TARGET_ENOMEDIUM
+#define TARGET_ENOMEDIUM   182
+#undef  TARGET_EMEDIUMTYPE
+#define TARGET_EMEDIUMTYPE 183
+#undef  TARGET_ENOKEY
+#define TARGET_ENOKEY  184
+#undef  TARGET_EKEYEXPIRED
+#define TARGET_EKEYEXPIRED 185
+#undef  TARGET_EKEYREVOKED
+#define TARGET_EKEYREVOKED 186
+#undef  TARGET_EKEYREJECTED
+#define TARGET_EKEYREJECTED187
+
+/* Never used in linux.  */
+/* #define TARGET_ENOSYM  215 */
+#undef  TARGET_ENOTSOCK
+#define TARGET_ENOTSOCK216
+#undef  TARGET_EDESTADDRREQ
+#define TARGET_EDESTADDRREQ217
+#undef  TARGET_EMSGSIZE
+#define TARGET_EMSGSIZE218
+#undef  TARGET_EPROTOTYPE
+#define TARGET_EPROTOTYPE  219
+#undef  TARGET_ENOPROTOOPT
+#define TARGET_ENOPROTOOPT 220
+#undef  TARGET_EPROTONOSUPPORT
+#define TARGET_EPROTONOSUPPORT 221
+#undef  TARGET_ESOCKTNOSUPPORT
+#define TARGET_ESOCKTNOSUPPORT 222
+#undef  

[PULL 08/12] linux-user/syscall: Remove ERRNO_TABLE_SIZE check

2021-07-13 Thread Laurent Vivier
From: Philippe Mathieu-Daudé 

Now that target_to_host_errno() always returns an errno, we can
remove the unused and arbitrary ERRNO_TABLE_SIZE definition.

Suggested-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Message-Id: <20210708170550.1846343-9-f4...@amsat.org>
Signed-off-by: Laurent Vivier 
---
 linux-user/syscall.c | 5 -
 1 file changed, 5 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 94ec6f730b3f..376629c68915 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -507,8 +507,6 @@ static inline int next_free_host_timer(void)
 }
 #endif
 
-#define ERRNO_TABLE_SIZE 1200
-
 static inline int host_to_target_errno(int host_errno)
 {
 switch (host_errno) {
@@ -548,9 +546,6 @@ const char *target_strerror(int err)
 return "Successful exit from sigreturn";
 }
 
-if ((err >= ERRNO_TABLE_SIZE) || (err < 0)) {
-return NULL;
-}
 return strerror(target_to_host_errno(err));
 }
 
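
Review bot: removing the range check in target_strerror() deletes the "return NULL" path for negative and out-of-range err, so every value now reaches strerror(target_to_host_errno(err)). Any caller that used a NULL result to decide the value was not an errno will now get a string for arbitrary input. Please check the callers, or state in the commit message that none depend on the NULL return.
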
-- 
2.31.1




Re: [RFC PATCH 0/6] Add AMD Secure Nested Paging (SEV-SNP) support

2021-07-13 Thread Brijesh Singh




On 7/13/21 3:31 AM, Dr. David Alan Gilbert wrote:

adding it to QMP as well (unless it's purely for debug and may change).


We have query-sev QMP, I will extend to add a new 'snp: bool' field.

thanks



[PATCH v2 2/3] docs: Add skeletal documentation of the emcraft-sf2

2021-07-13 Thread Peter Maydell
Add skeletal documentation of the emcraft-sf2 machine.

Signed-off-by: Peter Maydell 
---
 docs/system/arm/emcraft-sf2.rst | 15 +++
 docs/system/target-arm.rst  |  1 +
 MAINTAINERS |  1 +
 3 files changed, 17 insertions(+)
 create mode 100644 docs/system/arm/emcraft-sf2.rst

diff --git a/docs/system/arm/emcraft-sf2.rst b/docs/system/arm/emcraft-sf2.rst
new file mode 100644
index 000..377e2487206
--- /dev/null
+++ b/docs/system/arm/emcraft-sf2.rst
@@ -0,0 +1,15 @@
+Emcraft SmartFusion2 SOM kit (``emcraft-sf2``)
+==
+
+The ``emcraft-sf2`` board emulates the SmartFusion2 SOM kit from
+Emcraft (M2S010). This is a System-on-Module from EmCraft systems,
+based on the SmartFusion2 SoC FPGA from Microsemi Corporation.
+The SoC is based on a Cortex-M4 processor.
+
+Emulated devices:
+
+- System timer
+- System registers
+- SPI controller
+- UART
+- EMAC
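Review bot: the vendor name is spelled two ways in the new file, "Emcraft" in the title and first sentence and "EmCraft systems" in the second; pick one spelling, and capitalise "Systems" if it is part of the company name. As shown here the title underline is also shorter than the title text, so reStructuredText will not treat the line as a proper section heading; extend the underline to at least the length of the title.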
diff --git a/docs/system/target-arm.rst b/docs/system/target-arm.rst
index e2fcb64872d..c52902acdad 100644
--- a/docs/system/target-arm.rst
+++ b/docs/system/target-arm.rst
@@ -86,6 +86,7 @@ undocumented; you can get a complete list by running
arm/sabrelite
arm/digic
arm/cubieboard
+   arm/emcraft-sf2
arm/musicpal
arm/gumstix
arm/nrf
diff --git a/MAINTAINERS b/MAINTAINERS
index 93b9f900034..f23cf874c66 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1023,6 +1023,7 @@ M: Peter Maydell 
 L: qemu-...@nongnu.org
 S: Maintained
 F: hw/arm/msf2-som.c
+F: docs/system/arm/emcraft-sf2.rst
 
 ASPEED BMCs
 M: Cédric Le Goater 
-- 
2.20.1




usb-host device not working

2021-07-13 Thread Programmingkid
I have been having problems with using host USB devices lately. I used to be
able to use host USB devices but can't currently. After doing some git
bisecting I found it was this patch that causes this issue:

commit 627302afb2f85cdd4b59595361876487aef19b7a (refs/bisect/bad)
Author: Gerd Hoffmann 
Date:   Thu Jun 24 12:38:35 2021 +0200

usb: build usb-host as module

Drop one more shared library dependency (libusb) from core qemu.

Signed-off-by: Gerd Hoffmann 
Reviewed-by: Jose R. Ziviani 
Message-Id: <20210624103836.2382472-34-kra...@redhat.com>
Signed-off-by: Paolo Bonzini 

I build QEMU like this:

./configure --target-list=i386-softmmu --enable-libusb && make -j 9

This command used to work but fails now with the above commit:

qemu-system-i386 -usb -device usb-host,vendorid=0x093a,productid=0x2510

I think this is a bug with the commit. Any suggestions?

Thank you.


Re: [PATCH 0/1] target/arm: Fix offsets for TTBCR (#187)

2021-07-13 Thread Peter Maydell
On Sat, 10 Jul 2021 at 00:07, Richard Henderson
 wrote:
>
> This one patch fixes boot_linux_console test_arm_virt.
>
> It does not fix all of the failures.  The next one on the
> list is test_arm_emcraft_sf2, where the cpu boots fine but
> the net device doesn't work correctly.

Applied to target-arm.next, thanks.

I'm not sure the TCR struct's precalculation of mask and base_mask
is still earning its keep as an optimization. We only use them in
get_level1_table_address() which is old-style v5/v6 page tables only,
and all it's saving us is a bitfield extract and some shifts, which
is peanuts compared to everything else we do in a page table walk.
Perhaps (not for 6.1) we could drop it entirely.

-- PMM



Re: [PATCH 0/4] Fixes for the --without-default-features configure switch

2021-07-13 Thread Cole Robinson
On 7/13/21 5:31 AM, Thomas Huth wrote:
> Many features do not get properly disabled when the user runs the
> configure script with --without-default-features. Let's fix that now.
> 
> Thomas Huth (4):
>   configure: Fix --without-default-features propagation to meson
>   configure: Allow vnc to get disabled with --without-default-features
>   configure: Fix the default setting of the "xen" feature
>   configure: Let --without-default-features disable vhost-kernel and
> vhost-vdpa
> 

Patches look fine and fix some issues but others persist
(--disable-system isn't triggered). IMO this needs an audit, but more
importantly 'configure' should be rearranged a bit to make this less
likely to regress:

* move all the --enable/--disable variable init into one section with
nothing else mixed in

* convert the values to all use
$default_yes/no/auto/enabled/disabled/... variable syntax so visually
it's consistent, and if a default is ever changed like $default_no ->
$default_yes then we behave correctly (as opposed to 'no' -> 'yes').

Thanks,
Cole
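
The rearrangement suggested in this message, sketched as an added example (not QEMU's configure and not code from the thread): one init section that uses symbolic defaults, next to a hard-coded default that silently ignores --without-default-features. The per-feature defaults and the demo_* names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added sketch, not QEMU's configure. Per-feature defaults are assumptions.

resolve_features() {
    # Pass 1: find the global switch before any default is assigned.
    without_defaults=no
    for opt in "$@"; do
        case "$opt" in
            --without-default-features) without_defaults=yes ;;
        esac
    done

    # Symbolic defaults, derived once from the global switch.
    if [ "$without_defaults" = yes ]; then
        default_yes=no
        default_auto=disabled
    else
        default_yes=yes
        default_auto=auto
    fi
    default_no=no

    # Single init section: every feature default lives here and nowhere else.
    vnc="$default_yes"          # assumed default-on
    xen="$default_auto"         # assumed probed at build time
    demo_opt_in="$default_no"   # hypothetical opt-in feature
    demo_literal=yes            # hypothetical feature with a hard-coded default

    # Pass 2: explicit --enable/--disable always override the defaults.
    for opt in "$@"; do
        case "$opt" in
            --enable-vnc)  vnc=yes ;;
            --disable-vnc) vnc=no ;;
            --enable-xen)  xen=enabled ;;
            --disable-xen) xen=disabled ;;
        esac
    done

    printf 'vnc=%s xen=%s demo_opt_in=%s demo_literal=%s\n' \
        "$vnc" "$xen" "$demo_opt_in" "$demo_literal"
}

# demo_literal stays "yes" even though the user asked for no default features.
resolve_features --without-default-features --enable-vnc
```

A feature that is compiled in against the builder's intent is extra attack surface, which is why the literal default is the case to audit for.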




Re: usb-host device not working

2021-07-13 Thread Programmingkid



> On Jul 13, 2021, at 10:54 AM, Daniel P. Berrangé  wrote:
> 
> On Tue, Jul 13, 2021 at 10:49:12AM -0400, Programmingkid wrote:
>> I have been having problems with using host USB devices lately. I used to be
>> able to use host USB devices but can't currently. After doing some git
>> bisecting I found it was this patch that causes this issue:
>> 
>> commit 627302afb2f85cdd4b59595361876487aef19b7a (refs/bisect/bad)
>> Author: Gerd Hoffmann 
>> Date:   Thu Jun 24 12:38:35 2021 +0200
>> 
>>usb: build usb-host as module
>> 
>>Drop one more shared library dependency (libusb) from core qemu.
>> 
>>Signed-off-by: Gerd Hoffmann 
>>Reviewed-by: Jose R. Ziviani 
>>Message-Id: <20210624103836.2382472-34-kra...@redhat.com>
>>Signed-off-by: Paolo Bonzini 
>> 
>> I build QEMU like this:
>> 
>> ./configure --target-list=i386-softmmu --enable-libusb && make -j 9
>> 
>> This command used to work but fails now with the above commit:
>> 
>> qemu-system-i386 -usb -device usb-host,vendorid=0x093a,productid=0x2510
>> 
>> I think this is a bug with the commit. Any suggestions?
> 
> It'll be helpful to explain what kind of failure you observe, including
> any exact error messages seen?
> 
> 
> Regards,
> Daniel
> -- 
> |: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-https://fstop138.berrange.com :|
> |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
> 

Sure, here is what I see:

qemu-system-i386: -device usb-host,vendorid=0x093a,productid=0x2510: 'usb-host' 
is not a valid device model name




