Re: [Qemu-devel] [Qemu-block] block migration and MAX_IN_FLIGHT_IO

2018-03-06 Thread Peter Lieven
On 06.03.2018 at 17:35, Peter Lieven wrote:
> On 06.03.2018 at 17:07, Stefan Hajnoczi wrote:
>> On Mon, Mar 05, 2018 at 02:52:16PM +, Dr. David Alan Gilbert wrote:
>>> * Peter Lieven (p...@kamp.de) wrote:
>>>> On 05.03.2018 at 12:45, Stefan Hajnoczi wrote:
>>>>> On Thu, Feb 22, 2018 at 12:13:50PM +0100, Peter Lieven wrote:
>>>>>> I stumbled across the MAX_INFLIGHT_IO field that was introduced in 2015 
>>>>>> and was curious what was the reason
>>>>>> to choose 512MB as readahead? The question is that I found that the 
>>>>>> source VM gets very unresponsive I/O wise
>>>>>> while the initial 512MB are read and furthermore seems to stay 
>>>>>> unresponsive if we choose a high migration speed
>>>>>> and have a fast storage on the destination VM.
>>>>>>
>>>>>> In our environment I modified this value to 16MB which seems to work 
>>>>>> much smoother. I wonder if we should make
>>>>>> this a user configurable value or define a different rate limit for the 
>>>>>> block transfer in bulk stage at least?
>>>>> I don't know if benchmarks were run when choosing the value.  From the
>>>>> commit description it sounds like the main purpose was to limit the
>>>>> amount of memory that can be consumed.
>>>>>
>>>>> 16 MB also fulfills that criteria :), but why is the source VM more
>>>>> responsive with a lower value?
>>>>>
>>>>> Perhaps the issue is queue depth on the storage device - the block
>>>>> migration code enqueues up to 512 MB worth of reads, and guest I/O has
>>>>> to wait?
>>>> That is my guess. Especially if the destination storage is faster we 
>>>> basically always have
>>>> 512 I/Os in flight on the source storage.
>>>>
>>>> Does anyone mind if we reduce that value to 16MB or do we need a better 
>>>> mechanism?
>>> We've got migration-parameters these days; you could connect it to one
>>> of those fairly easily I think.
>>> Try: grep -i 'cpu[-_]throttle[-_]initial'  for an example of one that's
>>> already there.
>>> Then you can set it to whatever you like.
>> It would be nice to solve the performance problem without adding a
>> tuneable.
>>
>> On the other hand, QEMU has no idea what the queue depth of the device
>> is.  Therefore it cannot prioritize guest I/O over block migration I/O.
>>
>> 512 parallel requests is much too high.  Most parallel I/O benchmarking
>> is done at 32-64 queue depth.
>>
>> I think that 16 parallel requests is a reasonable maximum number for a
>> background job.
>>
>> We need to be clear though that the purpose of this change is unrelated
>> to the original 512 MB memory footprint goal.  It just happens to touch
>> the same constant but the goal is now to submit at most 16 I/O requests
>> in parallel to avoid monopolizing the I/O device.
> I think we should really look at this. The variables that control if we stay 
> in the while loop or not are incremented and decremented
> at the following places:
>
> mig_save_device_dirty:
> mig_save_device_bulk:
> block_mig_state.submitted++;
>
> blk_mig_read_cb:
> block_mig_state.submitted--;
> block_mig_state.read_done++;
>
> flush_blks:
> block_mig_state.read_done--;
>
> The condition of the while loop is:
> (block_mig_state.submitted +
> block_mig_state.read_done) * BLOCK_SIZE <
>qemu_file_get_rate_limit(f) &&
>(block_mig_state.submitted +
> block_mig_state.read_done) <
>MAX_INFLIGHT_IO)
>
> At first I wonder if we ever reach the rate-limit because we put the read 
> buffers onto f AFTER we exit the while loop?
>
> And even if we reach the limit we constantly maintain 512 I/Os in parallel 
> because we immediately decrement read_done
> when we put the buffers to f in flush_blks. In the next iteration of the 
> while loop we then read again until we have 512 in-flight I/Os.
>
> And shouldn't we have a time limit to limit the time we stay in the while 
> loop? I think we artificially delay sending data to f?

Thinking about it for a while I would propose the following:

a) rename MAX_INFLIGHT_IO to MAX_IO_BUFFERS
b) add MAX_PARALLEL_IO with a value of 16
c) compare qemu_file_get_rate_limit only with block_mig_state.read_done

This would yield the following condition for the while loop:

(block_mig_state.read_done * BLOCK_SIZE < qemu_file_get_rate_limit(f) &&
 (block_mig_state.submitted + block_mig_state.read_done) < MAX_IO_BUFFERS &&
 block_mig_state.submitted < MAX_PARALLEL_IO)

Sounds like a plan?

Peter
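
The loop condition quoted above and the proposed replacement, compared in a small stand-alone model (an added example, not QEMU code and not part of the original mail). BLOCK_SIZE of 1 MiB, the per-round completion and flush counts, and treating the rate limit as a per-round byte budget are assumptions of the model.

```c
/* Added illustration, not QEMU code: toy model of the submit loop
 * discussed in this thread. All numbers other than 512 and 16 are
 * assumptions chosen for the model. */
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE      (1 << 20) /* assumption: 1 MiB per read request */
#define MAX_INFLIGHT_IO 512       /* limit discussed in the thread */
#define MAX_IO_BUFFERS  512       /* proposal a): same limit, new name */
#define MAX_PARALLEL_IO 16        /* proposal b) */

struct mig_state {
    int submitted; /* reads issued to the source disk, not yet completed */
    int read_done; /* completed reads whose buffers wait for flush_blks */
};

struct result {
    int peak_parallel; /* highest number of reads queued on the disk */
    int peak_buffers;  /* highest submitted + read_done */
};

typedef int (*may_submit_fn)(const struct mig_state *s, int64_t rate_limit);

/* Loop condition as quoted in the thread. */
static int may_submit_current(const struct mig_state *s, int64_t rate_limit)
{
    int total = s->submitted + s->read_done;
    return (int64_t)total * BLOCK_SIZE < rate_limit &&
           total < MAX_INFLIGHT_IO;
}

/* Loop condition proposed at the end of the message. */
static int may_submit_proposed(const struct mig_state *s, int64_t rate_limit)
{
    return (int64_t)s->read_done * BLOCK_SIZE < rate_limit &&
           (s->submitted + s->read_done) < MAX_IO_BUFFERS &&
           s->submitted < MAX_PARALLEL_IO;
}

/*
 * Each round models one pass through the migration iteration:
 *   1. submit reads while the condition holds        (submitted++)
 *   2. the disk completes up to disk_per_round reads (submitted--, read_done++)
 *   3. flush drains up to flush_per_round buffers    (read_done--)
 */
static struct result simulate(may_submit_fn may_submit, int64_t rate_limit,
                              int disk_per_round, int flush_per_round,
                              int rounds)
{
    struct mig_state s = { 0, 0 };
    struct result res = { 0, 0 };

    for (int r = 0; r < rounds; r++) {
        while (may_submit(&s, rate_limit)) {
            s.submitted++;
        }
        if (s.submitted > res.peak_parallel) {
            res.peak_parallel = s.submitted;
        }
        if (s.submitted + s.read_done > res.peak_buffers) {
            res.peak_buffers = s.submitted + s.read_done;
        }

        int done = s.submitted < disk_per_round ? s.submitted : disk_per_round;
        s.submitted -= done;
        s.read_done += done;

        int flushed = s.read_done < flush_per_round ? s.read_done
                                                    : flush_per_round;
        s.read_done -= flushed;
    }
    return res;
}

int main(void)
{
    int64_t high_speed = (int64_t)1024 * BLOCK_SIZE; /* constructed value */
    struct result cur = simulate(may_submit_current, high_speed, 64, 1024, 50);
    struct result prop = simulate(may_submit_proposed, high_speed, 64, 1024, 50);

    printf("current:  peak parallel reads %d, peak buffers %d\n",
           cur.peak_parallel, cur.peak_buffers);
    printf("proposed: peak parallel reads %d, peak buffers %d\n",
           prop.peak_parallel, prop.peak_buffers);
    return 0;
}
```

With a slow destination (small flush_per_round) the proposed condition still lets read_done grow up to MAX_IO_BUFFERS, so the memory bound is kept while the disk queue stays at MAX_PARALLEL_IO.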





Re: [Qemu-devel] [PATCH QEMU v1 4/4] multiboot: fprintf(stderr...) -> error_report()

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Change all fprintf(stderr...) calls in hw/i386/multiboot.c to call
| error_report() instead, including the mb_debug macro.  Remove the "\n"
| from strings passed to all modified calls, since error_report() appends
| one.
| 
| Signed-off-by: Jack Schwartz 
| Reviewed-by: Daniel Kiper 
| ---
|  hw/i386/multiboot.c | 55 
-
|  1 file changed, 29 insertions(+), 26 deletions(-)
| 
| diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
| index 818728b..d9a0a95 100644
| --- a/hw/i386/multiboot.c
| +++ b/hw/i386/multiboot.c
| @@ -31,12 +31,13 @@
|  #include "hw/loader.h"
|  #include "elf.h"
|  #include "sysemu/sysemu.h"
| +#include "qemu/error-report.h"
|  
|  /* Show multiboot debug output */
|  //#define DEBUG_MULTIBOOT
|  
|  #ifdef DEBUG_MULTIBOOT
| -#define mb_debug(a...) fprintf(stderr, ## a)
| +#define mb_debug(a...) error_report(a)
|  #else
|  #define mb_debug(a...)
|  #endif
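
Review bot: mb_debug() now expands to error_report(a), so with DEBUG_MULTIBOOT defined every debug trace is emitted as an error. Debug output is not an error condition; use an informational reporting call for the macro, or keep the debug path separate from error reporting, so that enabling the macro does not fill the log with lines that look like failures.
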
| @@ -137,7 +138,7 @@ static void mb_add_mod(MultibootState *s,
|  stl_p(p + MB_MOD_END, end);
|  stl_p(p + MB_MOD_CMDLINE, cmdline_phys);
|  
| -mb_debug("mod%02d: "TARGET_FMT_plx" - "TARGET_FMT_plx"\n",
| +mb_debug("mod%02d: "TARGET_FMT_plx" - "TARGET_FMT_plx,
|   s->mb_mods_count, start, end);
|  
|  s->mb_mods_count++;
| @@ -179,12 +180,12 @@ int load_multiboot(FWCfgState *fw_cfg,
|  if (!is_multiboot)
|  return 0; /* no multiboot */
|  
| -mb_debug("qemu: I believe we found a multiboot image!\n");
| +mb_debug("qemu: I believe we found a multiboot image!");
|  memset(bootinfo, 0, sizeof(bootinfo));
|  memset(, 0, sizeof(mbs));
|  
|  if (flags & 0x0004) { /* MULTIBOOT_HEADER_HAS_VBE */
| -fprintf(stderr, "qemu: multiboot knows VBE. we don't.\n");
| +error_report("qemu: multiboot knows VBE. we don't.");
|  }
|  if (!(flags & 0x0001)) { /* MULTIBOOT_HEADER_HAS_ADDR */
|  uint64_t elf_entry;
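
Review bot: in the "flags & 0x0004" branch the VBE message now goes through error_report() but, unlike the other converted sites, nothing exits afterwards, so it is a warning rather than an error and a warning-level report fits better. The two strings in this hunk also keep a literal "qemu: " prefix that none of the other converted messages carry; dropping it would make them consistent.
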
| @@ -193,7 +194,7 @@ int load_multiboot(FWCfgState *fw_cfg,
|  fclose(f);
|  
|  if (((struct elf64_hdr*)header)->e_machine == EM_X86_64) {
| -fprintf(stderr, "Cannot load x86-64 image, give a 32bit one.\n");
| +error_report("Cannot load x86-64 image, give a 32bit one.");
|  exit(1);
|  }
|  
| @@ -201,7 +202,7 @@ int load_multiboot(FWCfgState *fw_cfg,
| _low, _high, 0, I386_ELF_MACHINE,
| 0, 0);
|  if (kernel_size < 0) {
| -fprintf(stderr, "Error while loading elf kernel\n");
| +error_report("Error while loading elf kernel");
|  exit(1);
|  }
|  mh_load_addr = elf_low;
| @@ -210,12 +211,13 @@ int load_multiboot(FWCfgState *fw_cfg,
|  
|  mbs.mb_buf = g_malloc(mb_kernel_size);
|  if (rom_copy(mbs.mb_buf, mh_load_addr, mb_kernel_size) != 
mb_kernel_size) {
| -fprintf(stderr, "Error while fetching elf kernel from rom\n");
| +error_report("Error while fetching elf kernel from rom");
|  exit(1);
|  }
|  
| -mb_debug("qemu: loading multiboot-elf kernel (%#x bytes) with entry 
%#zx\n",
| -  mb_kernel_size, (size_t)mh_entry_addr);
| +mb_debug("qemu: loading multiboot-elf kernel "
| + "(%#x bytes) with entry %#zx",
| + mb_kernel_size, (size_t)mh_entry_addr);
|  } else {
|  /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_ADDR. */
|  uint32_t mh_header_addr = ldl_p(header+i+12);
| @@ -224,7 +226,7 @@ int load_multiboot(FWCfgState *fw_cfg,
|  
|  mh_load_addr = ldl_p(header+i+16);
|  if (mh_header_addr < mh_load_addr) {
| -fprintf(stderr, "invalid load_addr address\n");
| +error_report("invalid load_addr address");
|  exit(1);
|  }
|  
| @@ -234,20 +236,20 @@ int load_multiboot(FWCfgState *fw_cfg,
|  
|  if (mh_load_end_addr) {
|  if (mh_load_end_addr < mh_load_addr) {
| -fprintf(stderr, "invalid load_end_addr address\n");
| +error_report("invalid load_end_addr address");
|  exit(1);
|  }
|  mb_load_size = mh_load_end_addr - mh_load_addr;
|  } else {
|  if (kernel_file_size < mb_kernel_text_offset) {
| -fprintf(stderr, "invalid kernel_file_size\n");
| +error_report("invalid kernel_file_size");
|  exit(1);
|  }
|  mb_load_size = kernel_file_size - mb_kernel_text_offset;
|  }
|  if (mh_bss_end_addr) {
|  if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
| -fprintf(stderr, "invalid bss_end_addr address\n");
| +error_report("invalid bss_end_addr address");
|  
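
Review bot: the checks in this hunk report "invalid load_end_addr address", "invalid kernel_file_size" and "invalid bss_end_addr address" without the values that failed. Since these come from the image header, printing the offending fields (for example mh_load_end_addr together with mh_load_addr) would make a rejected image diagnosable from the message alone.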

Re: [Qemu-devel] [PATCH v3 2/2] s390x: Change return type of virtio_ccw_exit to void.

2018-03-06 Thread Cornelia Huck
On Tue, 6 Mar 2018 23:40:18 +
nee  wrote:

> On Tue, Mar 6, 2018 at 2:40 PM, Cornelia Huck  wrote:
> > On Tue,  6 Mar 2018 10:07:21 +
> > Nia Alarie  wrote:
> >  
> >> Allows a branch to be removed - this function always returns 0.
> >>
> >> Signed-off-by: Nia Alarie 
> >> Reviewed-by: Christian Borntraeger 
> >> ---
> >>  hw/s390x/virtio-ccw.c | 6 +++---
> >>  hw/s390x/virtio-ccw.h | 2 +-
> >>  2 files changed, 4 insertions(+), 4 deletions(-)  
> >
> > While your patch is not wrong, I'd prefer to skip changing the exit
> > functions and convert virtio-ccw to unrealize instead.
> >
> > Should not be too hard; do you want to take a stab at it?  
> 
> Is there any difference in semantics between exit and unrealize aside
> from the arguments and return type?

In our case, it should be a simple transformation to the new functions.



Re: [Qemu-devel] [PATCH QEMU v1 3/4] multiboot: Use header names when displaying fields

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Refer to field names when displaying fields in printf and debug statements.

I wonder if it's required; having variable names is helpful while going 
through code.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F



Re: [Qemu-devel] [Qemu-ppc] [PATCH 07/19] uninorth: move PCI mmio memory region initialisation into init function

2018-03-06 Thread Mark Cave-Ayland

On 07/03/18 07:02, Mark Cave-Ayland wrote:


On 06/03/18 23:44, BALATON Zoltan wrote:


On Tue, 6 Mar 2018, Mark Cave-Ayland wrote:
Whilst we are here, rename the memory regions to better reflect whether they
belong to either a PCI or an AGP bus.

Signed-off-by: Mark Cave-Ayland 
---
hw/pci-host/uninorth.c | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
index b081e3c153..5b8fc3aa16 100644
--- a/hw/pci-host/uninorth.c
+++ b/hw/pci-host/uninorth.c
@@ -111,29 +111,39 @@ static const MemoryRegionOps unin_data_ops = {

static void pci_unin_main_init(Object *obj)
{
+    UNINState *s = UNI_NORTH_PCI_HOST_BRIDGE(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    PCIHostState *h = PCI_HOST_BRIDGE(obj);

    /* Use values found on a real PowerMac */
    /* Uninorth main bus */
    memory_region_init_io(>conf_mem, OBJECT(h), 
_host_conf_le_ops,

-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
    memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+    memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",
+   0x1ULL);
+
    sysbus_init_mmio(sbd, >conf_mem);
    sysbus_init_mmio(sbd, >data_mem);
}

static void pci_u3_agp_init(Object *obj)
{
+    UNINState *s = U3_AGP_HOST_BRIDGE(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    PCIHostState *h = PCI_HOST_BRIDGE(obj);

    /* Uninorth U3 AGP bus */
    memory_region_init_io(>conf_mem, OBJECT(h), 
_host_conf_le_ops,

-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
    memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+    memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",


The name of this function and the above comment both suggest this is 
an AGP bus so did you mean to rename these to unin-agp-* instead of 
unin-pci-*?


Well this patchset purposely avoids doing anything with the U3 model 
other than the required refactoring to move the wiring to board level as 
really the entire U3 model needs some love - I can't even boot Linux 
without this patchset (I suspect it's probably DT related).


Having said that the wiring changes are such an improvement that I would 
argue for applying this patchset if possible since any future fixes will 
be considerably easier based upon it.


Looking in detail I think this naming is still correct: the U3 PCI bus 
address is currently 0xf000 which is actually the AGP bus rather 
than the PCI bus at 0xf200...



ATB,

Mark.



Re: [Qemu-devel] [PATCH QEMU v1 2/4] multiboot: Remove unused variables from multiboot.c

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Remove unused variables: mh_mode_type, mh_width, mh_height, mh_depth
| 
| Signed-off-by: Jack Schwartz 
| Reviewed-by: Daniel Kiper 
| ---
|  hw/i386/multiboot.c | 6 --
|  1 file changed, 6 deletions(-)
| 
| diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
| index ff2733d..964feaf 100644
| --- a/hw/i386/multiboot.c
| +++ b/hw/i386/multiboot.c
| @@ -255,12 +255,6 @@ int load_multiboot(FWCfgState *fw_cfg,
|  mb_kernel_size = mb_load_size;
|  }
|  
| -/* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.
| -uint32_t mh_mode_type = ldl_p(header+i+32);
| -uint32_t mh_width = ldl_p(header+i+36);
| -uint32_t mh_height = ldl_p(header+i+40);
| -uint32_t mh_depth = ldl_p(header+i+44); */
| -
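
Review bot: the commit subject says unused variables are removed, but the deleted lines sit inside a /* ... */ comment, so no variable goes away; "remove commented-out code" describes the hunk better. The comment was also the only place here that recorded the VBE header field offsets (header+i+32 to header+i+44); if that is worth keeping, leave a one-line comment with the offsets.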

+1 They are anyway comments.
Reviewed-by: Prasad J Pandit 

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F



Re: [Qemu-devel] [PATCH QEMU v1 1/4] multiboot: bss_end_addr can be zero

2018-03-06 Thread P J P
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
| section 3.1.3, allows for bss_end_addr to be zero.
| 
| A zero bss_end_addr signifies there is no .bss section.
| 
| Suggested-by: Daniel Kiper 
| Signed-off-by: Jack Schwartz 
| Reviewed-by: Daniel Kiper 
| ---
|  hw/i386/multiboot.c | 18 ++
|  1 file changed, 10 insertions(+), 8 deletions(-)
| 
| diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
| index c7b70c9..ff2733d 100644
| --- a/hw/i386/multiboot.c
| +++ b/hw/i386/multiboot.c
| @@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg,
|  mh_entry_addr = ldl_p(header+i+28);
|  
|  if (mh_load_end_addr) {
| -if (mh_bss_end_addr < mh_load_addr) {
| -fprintf(stderr, "invalid mh_bss_end_addr address\n");
| -exit(1);
| -}
| -mb_kernel_size = mh_bss_end_addr - mh_load_addr;
| -
|  if (mh_load_end_addr < mh_load_addr) {
|  fprintf(stderr, "invalid mh_load_end_addr address\n");
|  exit(1);
| @@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg,
|  fprintf(stderr, "invalid kernel_file_size\n");
|  exit(1);
|  }
| -mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
| -mb_load_size = mb_kernel_size;
| +mb_load_size = kernel_file_size - mb_kernel_text_offset;
| +}
| +if (mh_bss_end_addr) {
| +if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
| +fprintf(stderr, "invalid mh_bss_end_addr address\n");
| +exit(1);
| +}
| +mb_kernel_size = mh_bss_end_addr - mh_load_addr;
| +} else {
| +mb_kernel_size = mb_load_size;
|  }
|  
|  /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.
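
Review bot: in the new "mh_bss_end_addr < (mh_load_addr + mb_load_size)" check the sum is built from values taken from the image, and if both operands are 32-bit it can wrap, which would let a bss_end_addr below the real end of the loaded data pass. Check mh_bss_end_addr < mh_load_addr first and then compare mh_bss_end_addr - mh_load_addr against mb_load_size, or do the addition in a 64-bit type.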

Looks good.
Reviewed-by: Prasad J Pandit 

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F



Re: [Qemu-devel] [PATCH 1/3] vfio/pci: Pull BAR mapping setup from read-write path

2018-03-06 Thread Peter Xu
On Wed, Feb 28, 2018 at 01:14:46PM -0700, Alex Williamson wrote:
> This creates a common helper that we'll use for ioeventfd setup.
> 
> Signed-off-by: Alex Williamson 

Reviewed-by: Peter Xu 

-- 
Peter Xu



Re: [Qemu-devel] [PATCH 3/5] vfio/quirks: ioeventfd quirk acceleration

2018-03-06 Thread Peter Xu
On Wed, Feb 28, 2018 at 01:45:54PM -0700, Alex Williamson wrote:
> The NVIDIA BAR0 quirks virtualize the PCI config space mirrors found
> in device MMIO space.  Normally PCI config space is considered a slow
> path and further optimization is unnecessary, however NVIDIA uses a
> register here to enable the MSI interrupt to re-trigger.  Exiting to
> QEMU for this MSI-ACK handling can therefore rate limit our interrupt
> handling.  Fortunately the MSI-ACK write is easily detected since the
> quirk MemoryRegion otherwise has very few accesses, so simply looking
> for consecutive writes with the same data is sufficient, in this case
> 10 consecutive writes with the same data and size is arbitrarily
> chosen.  We configure the KVM ioeventfd with data match, so there's
> no risk of triggering for the wrong data or size, but we do risk that
> pathological driver behavior might consume all of QEMU's file
> descriptors, so we cap ourselves to 10 ioeventfds for this purpose.
> 
> In support of the above, generic ioeventfd infrastructure is added
> for vfio quirks.  This automatically initializes an ioeventfd list
> per quirk, disables and frees ioeventfds on exit, and allows
> ioeventfds marked as dynamic to be dropped on device reset.  The
> rationale for this latter feature is that useful ioeventfds may
> depend on specific driver behavior and since we necessarily place a
> cap on our use of ioeventfds, a machine reset is a reasonable point
> at which to assume a new driver and re-profile.
> 
> Signed-off-by: Alex Williamson 

I don't know when there will be non-dynamic vfio-ioeventfds, but it
looks fine at least to me even if all of them are dynamic now:

Reviewed-by: Peter Xu 

-- 
Peter Xu



[Qemu-devel] [PATCH] HMP: Initialize err before using

2018-03-06 Thread Zhangjixiang
When bdrv_snapshot_delete returns failure, errp will not be
assigned a valid value in error_propagate because errp was not
initialized in hmp_delvm; error_reportf_err (called by hmp_delvm)
will then use an uninitialized value, and QEMU crashes.

Signed-off-by: zhangjixiang 
---
hmp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hmp.c b/hmp.c
index 7870d6a300..4a4da004e9 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1340,7 +1340,7 @@ void hmp_savevm(Monitor *mon, const QDict *qdict)
void hmp_delvm(Monitor *mon, const QDict *qdict)
{
 BlockDriverState *bs;
-Error *err;
+Error *err = NULL;
 const char *name = qdict_get_str(qdict, "name");
 if (bdrv_all_delete_snapshot(name, , ) < 0) {
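
Review bot: the commit message attributes the failure to bdrv_snapshot_delete, while the call in hmp_delvm() shown in this hunk is bdrv_all_delete_snapshot(). Name the function that is actually called, and the path from it to error_propagate, so the crash can be followed from the message.
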
--
2.11.0


Re: [Qemu-devel] [PATCH 2/5] vfio/quirks: Add quirk reset callback

2018-03-06 Thread Peter Xu
On Wed, Feb 28, 2018 at 01:45:37PM -0700, Alex Williamson wrote:
> Quirks can be self modifying, provide a hook to allow them to cleanup
> on device reset if desired.
> 
> Signed-off-by: Alex Williamson 

Reviewed-by: Peter Xu 

-- 
Peter Xu



Re: [Qemu-devel] [PATCH 1/5] vfio/quirks: Add common quirk alloc helper

2018-03-06 Thread Peter Xu
On Wed, Feb 28, 2018 at 01:45:23PM -0700, Alex Williamson wrote:
> This will later be used to include list initialization.
> 
> Reviewed-by: Eric Auger 
> Signed-off-by: Alex Williamson 

Reviewed-by: Peter Xu 

-- 
Peter Xu



Re: [Qemu-devel] [Qemu-ppc] [PATCH 07/19] uninorth: move PCI mmio memory region initialisation into init function

2018-03-06 Thread Mark Cave-Ayland

On 06/03/18 23:44, BALATON Zoltan wrote:


On Tue, 6 Mar 2018, Mark Cave-Ayland wrote:
Whilst we are here, rename the memory regions to better reflect whether they
belong to either a PCI or an AGP bus.

Signed-off-by: Mark Cave-Ayland 
---
hw/pci-host/uninorth.c | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
index b081e3c153..5b8fc3aa16 100644
--- a/hw/pci-host/uninorth.c
+++ b/hw/pci-host/uninorth.c
@@ -111,29 +111,39 @@ static const MemoryRegionOps unin_data_ops = {

static void pci_unin_main_init(Object *obj)
{
+    UNINState *s = UNI_NORTH_PCI_HOST_BRIDGE(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    PCIHostState *h = PCI_HOST_BRIDGE(obj);

    /* Use values found on a real PowerMac */
    /* Uninorth main bus */
    memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
    memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+    memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",
+   0x1ULL);
+
    sysbus_init_mmio(sbd, >conf_mem);
    sysbus_init_mmio(sbd, >data_mem);
}

static void pci_u3_agp_init(Object *obj)
{
+    UNINState *s = U3_AGP_HOST_BRIDGE(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    PCIHostState *h = PCI_HOST_BRIDGE(obj);

    /* Uninorth U3 AGP bus */
    memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
    memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+    memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",


The name of this function and the above comment both suggest this is an 
AGP bus so did you mean to rename these to unin-agp-* instead of 
unin-pci-*?


Well this patchset purposely avoids doing anything with the U3 model 
other than the required refactoring to move the wiring to board level as 
really the entire U3 model needs some love - I can't even boot Linux 
without this patchset (I suspect it's probably DT related).


Having said that the wiring changes are such an improvement that I would 
argue for applying this patchset if possible since any future fixes will 
be considerably easier based upon it.



ATB,

Mark.



[Qemu-devel] [PATCH] qemu-doc: Add the paragraph about the -no-frame deprecation again

2018-03-06 Thread Thomas Huth
The section has accidentally been removed while resolving a
contextual conflict during a rebase, so add this again.

Fixes: f29d4450428fe07e9d6b0655cef2e59bfa0b2ea5
Signed-off-by: Thomas Huth 
---
 NB: I also slightly changed the wording and removed the "SDL 2.0 lacks
 support for frameless windows" part - AFAIK it can do frameless windows
 with the SDL_WINDOW_BORDERLESS flag for SDL_CreateWindow().

 qemu-doc.texi | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 39e38c8..031f443 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -2728,6 +2728,12 @@ filesystem test suite. Also it requires the 
CAP_DAC_READ_SEARCH capability,
 which is not the recommended way to run QEMU. This backend should not be
 used and it will be removed with no replacement.
 
+@subsection -no-frame (since 2.12.0)
+
+The @code{--no-frame} argument works with SDL 1.2 only. The other user
+interfaces never implemented this in the first place. So this will be
+removed together with SDL 1.2 support.
+
 @subsection -rtc-td-hack (since 2.12.0)
 
 The @code{-rtc-td-hack} option has been replaced by
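
Review bot: the new subsection title spells the option "-no-frame" but the body uses @code{--no-frame} with two dashes, while the neighbouring entry writes @code{-rtc-td-hack} with one. Use the single-dash form in the body so the heading, the text and the other entries agree.
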
-- 
1.8.3.1




[Qemu-devel] [PATCH v5 05/11] linux-user: fix mmap/munmap/mprotect/mremap/shmat

2018-03-06 Thread Max Filippov
In linux-user QEMU that runs for a target with TARGET_ABI_BITS bigger
than L1_MAP_ADDR_SPACE_BITS an assertion in page_set_flags fires when
mmap, munmap, mprotect, mremap or shmat is called for an address outside
the guest address space. mmap and mprotect should return ENOMEM in such
case.

Change definition of GUEST_ADDR_MAX to always be the last valid guest
address. Account for this change in open_self_maps.
Add macro guest_addr_valid that verifies if the guest address is valid.
Add function guest_range_valid that verifies if address range is within
guest address space and does not wrap around. Use that macro in
mmap/munmap/mprotect/mremap/shmat for error checking.

Cc: qemu-sta...@nongnu.org
Cc: Riku Voipio 
Cc: Laurent Vivier 
Signed-off-by: Max Filippov 
---
Changes v4->v5:
- change definition of GUEST_ADDR_MAX to always be the last valid guest
  address. Account for this change in guest_addr_valid and open_self_maps.
- turn guest_range_valid into a function.

Changes v3->v4:
- change GUEST_ADDR_MAX and h2g_valid definitions as suggested by Laurent
  Vivier.

Changes v2->v3:
- fix comparison in guest_valid: it must be 'less' to preserve the existing
  functionality, not 'less or equal'.
- fix guest_range_valid: it may not use guest_valid, because single range
  that occupies all of the guest address space is valid.

 include/exec/cpu-all.h  |  6 +-
 include/exec/cpu_ldst.h | 19 ++-
 linux-user/mmap.c   | 20 +++-
 linux-user/syscall.c|  5 -
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 0b141683f095..f4fa94e9669d 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -159,8 +159,12 @@ extern unsigned long guest_base;
 extern int have_guest_base;
 extern unsigned long reserved_va;
 
-#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
+#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
+#define GUEST_ADDR_MAX (~0ul)
+#else
+#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \
 (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
+#endif
 #else
 
 #include "exec/hwaddr.h"
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index 191f2e962a3c..313664e9dae8 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -51,15 +51,16 @@
 /* All direct uses of g2h and h2g need to go away for usermode softmmu.  */
 #define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base))
 
-#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
-#define h2g_valid(x) 1
-#else
-#define h2g_valid(x) ({ \
-unsigned long __guest = (unsigned long)(x) - guest_base; \
-(__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
-(!reserved_va || (__guest < reserved_va)); \
-})
-#endif
+#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
+#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
+
+static inline int guest_range_valid(unsigned long start, unsigned long len)
+{
+if (len)
+return guest_addr_valid(len - 1) && start <= GUEST_ADDR_MAX - len + 1;
+else
+return guest_addr_valid(start);
+}
 
 #define h2g_nocheck(x) ({ \
 unsigned long __ret = (unsigned long)(x) - guest_base; \
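
Review bot: guest_range_valid() takes unsigned long for start and len, but the callers in linux-user/mmap.c pass abi_ulong values; wherever abi_ulong is wider than the host's unsigned long the arguments are truncated before the check and an out-of-range request can look valid. Take abi_ulong (or a 64-bit type) as the parameter type. The new if/else bodies are also unbraced, unlike the braced checks this patch adds in mmap.c.
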
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 0fbfd6dff20d..df81f9b803b6 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -80,8 +80,9 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
 return -EINVAL;
 len = TARGET_PAGE_ALIGN(len);
 end = start + len;
-if (end < start)
-return -EINVAL;
+if (!guest_range_valid(start, len)) {
+return -ENOMEM;
+}
 prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
 if (len == 0)
 return 0;
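
Review bot: guest_range_valid(start, len) runs after "len = TARGET_PAGE_ALIGN(len);", so if the alignment rounds up, a len near the top of the address range that wraps to 0 reaches the check as an empty range and then returns success at "if (len == 0)". Validate the caller's len before aligning, or reject a non-zero len that aligns to zero. "end = start + len;" is also still computed ahead of the check and could move below it.
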
@@ -481,8 +482,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int 
prot,
 * It can fail only on 64-bit host with 32-bit target.
 * On any other target/host host mmap() handles this error correctly.
 */
-if ((unsigned long)start + len - 1 > (abi_ulong) -1) {
-errno = EINVAL;
+if (!guest_range_valid(start, len)) {
+errno = ENOMEM;
 goto fail;
 }
 
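
Review bot: the comment kept above this check still says it "can fail only on 64-bit host with 32-bit target", which described the removed "(unsigned long)start + len - 1 > (abi_ulong) -1" test. guest_range_valid() depends on GUEST_ADDR_MAX, which this patch also derives from reserved_va, so the comment should be updated to match.
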
@@ -622,8 +623,10 @@ int target_munmap(abi_ulong start, abi_ulong len)
 if (start & ~TARGET_PAGE_MASK)
 return -EINVAL;
 len = TARGET_PAGE_ALIGN(len);
-if (len == 0)
+if (len == 0 || !guest_range_valid(start, len)) {
 return -EINVAL;
+}
+
 mmap_lock();
 end = start + len;
 real_start = start & qemu_host_page_mask;
@@ -678,6 +681,13 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong 
old_size,
 int prot;
 void *host_addr;
 
+if (!guest_range_valid(old_addr, old_size) ||
+((flags & MREMAP_FIXED) &&
+ !guest_range_valid(new_addr, new_size))) {
+errno = ENOMEM;
+return -1;
+}
+
 mmap_lock();
 
 if (flags & MREMAP_FIXED) 
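
Review bot: the commit message says mmap and mprotect should return ENOMEM but gives no errno for mremap, and this hunk sets ENOMEM for both an invalid old range and an invalid new range. State in the message which error mremap is meant to report for an out-of-range old_addr, so the choice can be checked against the syscall's documented behaviour.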

Re: [Qemu-devel] [PATCH qemu] slirp/debug: Print IP addresses in human readable form

2018-03-06 Thread Alexey Kardashevskiy
On 7/3/18 5:24 pm, Thomas Huth wrote:
> On 07.03.2018 04:38, Alexey Kardashevskiy wrote:
>> On 01/02/18 20:35, Alexey Kardashevskiy wrote:
>>> Signed-off-by: Alexey Kardashevskiy 
>>
>> Ping?
>>
>>
>>> ---
>>>  slirp/arp_table.c | 4 ++--
>>>  slirp/socket.c| 8 
>>>  slirp/udp.c   | 4 ++--
>>>  3 files changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/slirp/arp_table.c b/slirp/arp_table.c
>>> index 3547043..bac608f 100644
>>> --- a/slirp/arp_table.c
>>> +++ b/slirp/arp_table.c
>>> @@ -33,7 +33,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, 
>>> uint8_t ethaddr[ETH_ALEN])
>>>  int i;
>>>  
>>>  DEBUG_CALL("arp_table_add");
>>> -DEBUG_ARG("ip = 0x%x", ip_addr);
>>> +DEBUG_ARG("ip = %s", inet_ntoa(*(struct in_addr *)_addr));
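
Review bot: the new DEBUG_ARG line reads the uint32_t ip_addr parameter through a "(struct in_addr *)" pointer cast. Building a local struct in_addr with s_addr set to ip_addr and passing that to inet_ntoa() avoids the cast and makes the byte order expected of ip_addr explicit at the call site.
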
> 
> Is this endianness safe? The man-page of inet_ntoa says that the
> function is expecting network byte order, so I wonder whether this works
> right on both, big and little endian hosts?



arp_table_add() is called for either sin_addr (network order) or
slirp_arphdr::ar_sip which is initialized from sin_addr (network order)
with no order conversion. Bugs are still possible, of course :)


-- 
Alexey



Re: [Qemu-devel] [RFC PATCH qemu] slirp: Update forwarding IP address if guest receiver non-default IP

2018-03-06 Thread Thomas Huth
On 07.03.2018 04:39, Alexey Kardashevskiy wrote:
> On 08/02/18 15:29, Alexey Kardashevskiy wrote:
>> On 01/02/18 20:36, Alexey Kardashevskiy wrote:
>>> If we run QEMU with -netdev user,id=USER0,hostfwd=tcp::-:22, it starts
>>> a DHCP server and starts allocating client IPs from 10.0.2.15 so
>>> this is what the guest normally receives. Since QEMU automatically adds
>>> the DHCP starting address into the forwarding table, everything works.
>>> This is the table before guest started:
>>>
>>> (qemu) info usernet
>>> VLAN -1 (USER0):
>>>   Protocol[State]FD  Source Address  Port   Dest. Address  Port RecvQ 
>>> SendQ
>>>   TCP[HOST_FORWARD]  11   *     10.0.2.1522 0   
>>>   0
>>>
>>> However if the guest happens to have DHCP lease (for example, 10.0.2.16),
>>> the forwarding stops working. The guest can still reach the outer world
>>> (which is expected).
>>>
>>> This updates the forwarding table when QEMU confirms the requested IP
>>> to the guest.
>>>
>>> Signed-off-by: Alexey Kardashevskiy 
>>> ---
>>>
>>> Does this look any useful?
> 
> Ping, anyone?

Maybe you should make sure to put the SLIRP maintainer on CC: ?

>>
>>
>> It does not seem like it does very much but  :)
>>
>>
>>>
>>> Sure I can remove /var/lib/dhcp/dhclient.enp0s1.leases in the guest or
>>> start QEMU with the DHCP start address equal to what the guest wants to
>>> reserve but it is quite confusing why such a simple config just does not
>>> work.
>>>
>>> Found this with the brand new Ubuntu 17.10 which runs dhcp and something
>>> called "netplan" and the guest ends up with 2 IPs from 10.0.2.x network.
>>> After disabling netplan, the lease remains and it is not 10.0.2.15 but
>>> rather .16 or .17.
>>>
>>> Comments? Thanks.
>>>
>>> ---
>>>  slirp/libslirp.h |  2 ++
>>>  slirp/bootp.c|  2 ++
>>>  slirp/slirp.c| 27 +++
>>>  3 files changed, 31 insertions(+)
>>>
>>> diff --git a/slirp/libslirp.h b/slirp/libslirp.h
>>> index 540b3e5..6779081 100644
>>> --- a/slirp/libslirp.h
>>> +++ b/slirp/libslirp.h
>>> @@ -33,6 +33,8 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp,
>>>struct in_addr guest_addr, int guest_port);
>>>  int slirp_remove_hostfwd(Slirp *slirp, int is_udp,
>>>   struct in_addr host_addr, int host_port);
>>> +void slirp_update_hostfwd(Slirp *slirp, struct in_addr old_guest_addr,
>>> +  struct in_addr new_guest_addr);
>>>  int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
>>> struct in_addr *guest_addr, int guest_port);
>>>  
>>> diff --git a/slirp/bootp.c b/slirp/bootp.c
>>> index 5dd1a41..5876004 100644
>>> --- a/slirp/bootp.c
>>> +++ b/slirp/bootp.c
>>> @@ -225,6 +225,8 @@ static void bootp_reply(Slirp *slirp, const struct 
>>> bootp_t *bp)
>>>  /* Update ARP table for this IP address */
>>>  arp_table_add(slirp, daddr.sin_addr.s_addr, client_ethaddr);
>>>  
>>> +slirp_update_hostfwd(slirp, slirp->vdhcp_startaddr, daddr.sin_addr);
>>> +
>>>  saddr.sin_addr = slirp->vhost_addr;
>>>  saddr.sin_port = htons(BOOTP_SERVER);
>>>  
>>> diff --git a/slirp/slirp.c b/slirp/slirp.c
>>> index 1cb6b07..a9d8a16 100644
>>> --- a/slirp/slirp.c
>>> +++ b/slirp/slirp.c
>>> @@ -1061,6 +1061,33 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp, 
>>> struct in_addr host_addr,
>>>  return 0;
>>>  }
>>>  
>>> +static void slirp_do_update_hostfwd(Slirp *slirp, struct socket *head,
>>> +struct in_addr old_guest_addr,
>>> +struct in_addr new_guest_addr)
>>> +{
>>> +struct socket *so;
>>> +char oldaddr[17], newaddr[17];
>>> +
>>> +for (so = head->so_next; so != head; so = so->so_next) {
>>> +if ((so->so_state & SS_HOSTFWD) &&
>>> +so->lhost.sin.sin_addr.s_addr == old_guest_addr.s_addr) {
>>> +strncpy(oldaddr, inet_ntoa(old_guest_addr), sizeof(oldaddr) - 
>>> 1);
>>> +strncpy(newaddr, inet_ntoa(new_guest_addr), sizeof(newaddr) - 
>>> 1);
>>> +DEBUG_ARGS((dfd, "Updating forwarding from %s:%d to %s:%d\n",
>>> +   oldaddr, ntohs(so->lhost.sin.sin_port),
>>> +   newaddr, ntohs(so->lhost.sin.sin_port)));
>>> +so->lhost.sin.sin_addr = new_guest_addr;
>>> +}
>>> +}
>>> +}
>>> +
>>> +void slirp_update_hostfwd(Slirp *slirp, struct in_addr old_guest_addr,
>>> +  struct in_addr new_guest_addr)
>>> +{
>>> +slirp_do_update_hostfwd(slirp, >udb, old_guest_addr, 
>>> new_guest_addr);
>>> +slirp_do_update_hostfwd(slirp, >tcb, old_guest_addr, 
>>> new_guest_addr);
>>> +}
>>> +
>>>  int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
>>> struct in_addr *guest_addr, int guest_port)
>>>  {
>>>
>>
>>
> 
> 




Re: [Qemu-devel] [PATCH qemu] slirp/debug: Print IP addresses in human readable form

2018-03-06 Thread Thomas Huth
On 07.03.2018 04:38, Alexey Kardashevskiy wrote:
> On 01/02/18 20:35, Alexey Kardashevskiy wrote:
>> Signed-off-by: Alexey Kardashevskiy 
> 
> Ping?
> 
> 
>> ---
>>  slirp/arp_table.c | 4 ++--
>>  slirp/socket.c| 8 
>>  slirp/udp.c   | 4 ++--
>>  3 files changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/slirp/arp_table.c b/slirp/arp_table.c
>> index 3547043..bac608f 100644
>> --- a/slirp/arp_table.c
>> +++ b/slirp/arp_table.c
>> @@ -33,7 +33,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t 
>> ethaddr[ETH_ALEN])
>>  int i;
>>  
>>  DEBUG_CALL("arp_table_add");
>> -DEBUG_ARG("ip = 0x%x", ip_addr);
>> +DEBUG_ARG("ip = %s", inet_ntoa(*(struct in_addr *)_addr));

Is this endianness safe? The man-page of inet_ntoa says that the
function is expecting network byte order, so I wonder whether this works
right on both, big and little endian hosts?

 Thomas
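
The byte-order question above can be checked directly. The following is an added example, not code from the patch or from QEMU: it formats an address with `inet_ntop()` into a caller-supplied buffer and reports whether a host-order value handed to a network-order formatter prints the wrong address on the machine it runs on. The helper names and the sample address 10.0.2.15 (taken from the thread) are assumptions of the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; none of these exist in slirp. */

/* Format an IPv4 address that is already in network byte order, which is
 * what struct in_addr and inet_ntoa() expect. inet_ntop() writes into the
 * caller's buffer, so two addresses can appear in one log line without
 * sharing inet_ntoa()'s static buffer. */
static const char *fmt_ip_net(uint32_t addr_be, char *buf, size_t len)
{
    struct in_addr a;

    a.s_addr = addr_be;                 /* plain assignment, no pointer cast */
    if (!inet_ntop(AF_INET, &a, buf, (socklen_t)len)) {
        snprintf(buf, len, "?");
    }
    return buf;
}

/* Same, for a value held in host byte order: convert first. */
static const char *fmt_ip_host(uint32_t addr_host, char *buf, size_t len)
{
    return fmt_ip_net(htonl(addr_host), buf, len);
}

/* Returns 1 if passing a host-order value straight to the network-order
 * formatter prints a different address than the correct conversion does.
 * That is the case on little-endian hosts and not on big-endian ones. */
static int host_order_misprints(uint32_t addr_host)
{
    char right[INET_ADDRSTRLEN], wrong[INET_ADDRSTRLEN];

    fmt_ip_host(addr_host, right, sizeof(right));
    fmt_ip_net(addr_host, wrong, sizeof(wrong));
    return strcmp(right, wrong) != 0;
}

int main(void)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    uint32_t guest = 0x0A00020Fu;       /* 10.0.2.15 in host byte order */

    printf("converted first : %s\n", fmt_ip_host(guest, a, sizeof(a)));
    printf("passed unchanged: %s\n", fmt_ip_net(guest, b, sizeof(b)));
    printf("misprints here  : %d\n", host_order_misprints(guest));
    return 0;
}
```

A debug line built this way is correct on both kinds of host as long as the caller knows which byte order its variable holds; the cast in the patch leaves that to the reader.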



Re: [Qemu-devel] [PATCH 3/3] vfio/pci: Add ioeventfd support

2018-03-06 Thread Peter Xu
On Wed, Feb 28, 2018 at 01:15:20PM -0700, Alex Williamson wrote:

[...]

> @@ -1174,6 +1206,8 @@ static int vfio_pci_probe(struct pci_dev *pdev, const 
> struct pci_device_id *id)
>   vdev->irq_type = VFIO_PCI_NUM_IRQS;
>   mutex_init(>igate);
>   spin_lock_init(>irqlock);
> + mutex_init(>ioeventfds_lock);

Do we better need to destroy the mutex in vfio_pci_remove?

I see that vfio_pci_device.igate is also without a destructor.  I'm
not sure on both.

Thanks,

> + INIT_LIST_HEAD(>ioeventfds_list);
>  
>   ret = vfio_add_group_dev(>dev, _pci_ops, vdev);
>   if (ret) {

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v3 00/12] Introduce new iommu notifier framework for virt-SVA

2018-03-06 Thread Peter Xu
On Tue, Mar 06, 2018 at 07:45:39AM +, Liu, Yi L wrote:

[...]

> > Do you have online branch so that I can check out?
> 
> yes, I should have pasted it. Here it is:
> https://github.com/luxis1999/sva_notifier.git

Thanks.

> 
> > The patches are a bit scattered and it's really hard for me to
> > reference things within it... So a complete tree to read would be
> > nice.
> > 
> > I roughly went over most of the patches, and the framework you
> > introduced is still not that clear to me.  For now I feel like it can
> > be simplified somehow, but I'll hold and speak after I read the whole
> > tree again.
> > 
> > Also, it'll be good too if you can always provide some status update
> > of the kernel-counterpart it.
> 
> Good suggestion. For this patchset, it only affects Qemu. Yeah, but for
> the whole virt-SVA enabling, there is kernel-counterparts. I would do
> it in the virt-SVA patchset series.

If you still want to post separately - I'm thinking whether it'll be
good you put the vfio changes into the 2nd virt-sva series, since that
looks more like in that category.  Or say, we can introduce
SVAOps/PASIDOps, we implement more vIOMMU invalidation request
handling, we call it in IOMMU code, but we don't implement any of the
device (vfio) that provide that ops.

Or maybe we can just post the whole stuff altogether, since after all
these two series are still closely related IMHO (e.g., the SVAOps
definition should be closely related to how the first vfio user would
like to use it).

Only my two cents, and I don't know how other people think.  It's up
to you after all. :)

Thanks,

-- 
Peter Xu



Re: [Qemu-devel] [PATCH] tests: Silence migration-test 'bad' test

2018-03-06 Thread Peter Xu
On Tue, Mar 06, 2018 at 05:30:42PM +, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" 
> 
> In 2c9bb29703c I added a migration test that purposely fails;
> unfortunately it prints a copy of the failure message to stderr
> which makes the output a bit messy.
> 
> Hide stderr for that test.
> 
> Signed-off-by: Dr. David Alan Gilbert 
> ---
>  tests/migration-test.c | 17 ++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/tests/migration-test.c b/tests/migration-test.c
> index 74f9361bdd..422bf1afdf 100644
> --- a/tests/migration-test.c
> +++ b/tests/migration-test.c
> @@ -382,7 +382,7 @@ static void migrate_start_postcopy(QTestState *who)
>  }
>  
>  static void test_migrate_start(QTestState **from, QTestState **to,
> -   const char *uri)
> +   const char *uri, bool hide_stderr)
>  {
>  gchar *cmd_src, *cmd_dst;
>  char *bootpath = g_strdup_printf("%s/bootsect", tmpfs);
> @@ -427,6 +427,17 @@ static void test_migrate_start(QTestState **from, 
> QTestState **to,
>  
>  g_free(bootpath);
>  
> +if (hide_stderr) {
> +gchar *tmp;
> +tmp = g_strdup_printf("%s 2>/dev/null", cmd_src);
> +g_free(cmd_src);
> +cmd_src = tmp;
> +
> +tmp = g_strdup_printf("%s 2>/dev/null", cmd_dst);
> +g_free(cmd_dst);
> +cmd_dst = tmp;
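
Review bot: the ` 2>/dev/null` suffix appended to `cmd_src` and `cmd_dst` under `hide_stderr` is shell syntax, so it only takes effect while these strings are run through a shell, and it discards every stderr line from both QEMU processes, not only the expected failure message. A short comment above the block stating both would help the next reader, and the two identical strdup/free/assign sequences could be one small helper.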

I thought this would affect QTEST_LOG in
qtest_init_without_qmp_handshake() but I was wrong.  I think that's
because that "/dev/fd/2" is a string passed to QEMU process, so only
the stderr of test process is closed while we kept the QTEST_LOG
there, which seems to be ideal.

Reviewed-by: Peter Xu 
Tested-by: Peter Xu 

-- 
Peter Xu



Re: [Qemu-devel] [PATCH v1 07/22] RISC-V: Remove unused class definitions from

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 5:14 PM, Michael Clark  wrote:

>
>
> On Wed, Mar 7, 2018 at 12:27 PM, Philippe Mathieu-Daudé 
> wrote:
>
>>
>> Ok until here.
>>
>> > diff --git a/include/hw/riscv/sifive_e.h b/include/hw/riscv/sifive_e.h
>> > index 0aebc57..818fbdc 100644
>> > --- a/include/hw/riscv/sifive_e.h
>> > +++ b/include/hw/riscv/sifive_e.h
>> > @@ -19,16 +19,7 @@
>> >  #ifndef HW_SIFIVE_E_H
>> >  #define HW_SIFIVE_E_H
>> >
>> > -#define TYPE_SIFIVE_E "riscv.sifive_e"
>> > -
>> > -#define SIFIVE_E(obj) \
>> > -OBJECT_CHECK(SiFiveEState, (obj), TYPE_SIFIVE_E)
>> > -
>> >  typedef struct SiFiveEState {
>> > -/*< private >*/
>> > -SysBusDevice parent_obj;
>>
>> I'd keep however a 'Object parent_obj' here, to stay QOM; but your patch
>> is valid.
>>
>
> Okay I'll keep parent_obj when I respin.
>

BTW is the string constant in DEFINE_MACHINE a QOM type?

i.e. should I keep the type conversion and type name macros and use the
type name macro in DEFINE_MACHINE?


Re: [Qemu-devel] [PATCH 02/19] uninorth: remove second set of uninorth token registers

2018-03-06 Thread David Gibson
On Tue, Mar 06, 2018 at 08:30:46PM +, Mark Cave-Ayland wrote:
> Commit 593c181160: "PPC: Newworld: Add second uninorth control register set"
> added a second set of uninorth registers at 0xf300.
> 
> Testing MacOS 9.2 to MacOS X 10.4 reveals no accesses to this address and I
> can't find any reference to it in Apple's Core99.cpp source so I'm assuming
> that this was the result of another bug that has now been fixed.
> 
> Signed-off-by: Mark Cave-Ayland 

Applied, thanks.

> ---
>  hw/ppc/mac_newworld.c | 4 
>  1 file changed, 4 deletions(-)
> 
> diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
> index a749e2565d..1eba79d54b 100644
> --- a/hw/ppc/mac_newworld.c
> +++ b/hw/ppc/mac_newworld.c
> @@ -148,7 +148,6 @@ static void ppc_core99_init(MachineState *machine)
>  qemu_irq *pic, **openpic_irqs;
>  MemoryRegion *isa = g_new(MemoryRegion, 1);
>  MemoryRegion *unin_memory = g_new(MemoryRegion, 1);
> -MemoryRegion *unin2_memory = g_new(MemoryRegion, 1);
>  int linux_boot, i, j, k;
>  MemoryRegion *ram = g_new(MemoryRegion, 1), *bios = g_new(MemoryRegion, 
> 1);
>  hwaddr kernel_base, initrd_base, cmdline_base = 0;
> @@ -283,9 +282,6 @@ static void ppc_core99_init(MachineState *machine)
>  memory_region_init_io(unin_memory, NULL, _ops, token, "unin", 
> 0x1000);
>  memory_region_add_subregion(get_system_memory(), 0xf800, 
> unin_memory);
>  
> -memory_region_init_io(unin2_memory, NULL, _ops, token, "unin", 
> 0x1000);
> -memory_region_add_subregion(get_system_memory(), 0xf300, 
> unin2_memory);
> -
>  openpic_irqs = g_malloc0(smp_cpus * sizeof(qemu_irq *));
>  openpic_irqs[0] =
>  g_malloc0(smp_cpus * sizeof(qemu_irq) * OPENPIC_OUTPUT_NB);

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH v1 09/22] RISC-V: Include hexidecimal instruction in

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 12:09 PM, Philippe Mathieu-Daudé 
wrote:

> On 03/06/2018 05:43 PM, Michael Clark wrote:
> > This was added to help debug issues using -d in_asm. It is
> > useful to see the instruction bytes, as one can detect if
> > one is trying to execute ASCII or device-tree magic.
>
> clean :)


Yap. One feature crept in. I was trying to debug early firmware (to
separate firmware and kernel image) and this helped me discover that I was
jumping into device tree. 0xfeedd00d is the device-tree magic and it is
actually valid RVC code so I was quite puzzled until I modified the
disassembler to show the instruction bytes.

> > Signed-off-by: Michael Clark
> > Signed-off-by: Palmer Dabbelt 
>
> Reviewed-by: Philippe Mathieu-Daudé 
>
> > ---
> >  disas/riscv.c | 39 ---
> >  1 file changed, 20 insertions(+), 19 deletions(-)
> >
> > diff --git a/disas/riscv.c b/disas/riscv.c
> > index 3c17501..4580308 100644
> > --- a/disas/riscv.c
> > +++ b/disas/riscv.c
> > @@ -2769,25 +2769,6 @@ static void format_inst(char *buf, size_t buflen,
> size_t tab, rv_decode *dec)
> >  char tmp[64];
> >  const char *fmt;
> >
> > -if (dec->op == rv_op_illegal) {
> > -size_t len = inst_length(dec->inst);
> > -switch (len) {
> > -case 2:
> > -snprintf(buf, buflen, "(0x%04" PRIx64 ")", dec->inst);
> > -break;
> > -case 4:
> > -snprintf(buf, buflen, "(0x%08" PRIx64 ")", dec->inst);
> > -break;
> > -case 6:
> > -snprintf(buf, buflen, "(0x%012" PRIx64 ")", dec->inst);
> > -break;
> > -default:
> > -snprintf(buf, buflen, "(0x%016" PRIx64 ")", dec->inst);
> > -break;
> > -}
> > -return;
> > -}
> > -
> >  fmt = opcode_data[dec->op].format;
> >  while (*fmt) {
> >  switch (*fmt) {
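
Review bot: with the `rv_op_illegal` early return removed, `format_inst()` now reaches `fmt = opcode_data[dec->op].format;` for illegal encodings as well. Please confirm that `opcode_data` has an entry for `rv_op_illegal` whose format string is non-NULL and prints something sensible, or keep a short guard here, since the `while (*fmt)` loop dereferences it straight away.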
> > @@ -3004,6 +2985,11 @@ disasm_inst(char *buf, size_t buflen, rv_isa isa,
> uint64_t pc, rv_inst inst)
> >  format_inst(buf, buflen, 16, );
> >  }
> >
> > +#define INST_FMT_2 "%04" PRIx64 "  "
> > +#define INST_FMT_4 "%08" PRIx64 "  "
> > +#define INST_FMT_6 "%012" PRIx64 "  "
> > +#define INST_FMT_8 "%016" PRIx64 "  "
> > +
> >  static int
> >  print_insn_riscv(bfd_vma memaddr, struct disassemble_info *info, rv_isa
> isa)
> >  {
> > @@ -3031,6 +3017,21 @@ print_insn_riscv(bfd_vma memaddr, struct
> disassemble_info *info, rv_isa isa)
> >  }
> >  }
> >
> > +switch (len) {
> > +case 2:
> > +(*info->fprintf_func)(info->stream, INST_FMT_2, inst);
> > +break;
> > +case 4:
> > +(*info->fprintf_func)(info->stream, INST_FMT_4, inst);
> > +break;
> > +case 6:
> > +(*info->fprintf_func)(info->stream, INST_FMT_6, inst);
> > +break;
> > +default:
> > +(*info->fprintf_func)(info->stream, INST_FMT_8, inst);
> > +break;
> > +}
> > +
> >  disasm_inst(buf, sizeof(buf), isa, memaddr, inst);
> >  (*info->fprintf_func)(info->stream, "%s", buf);
> >
> >
>


Re: [Qemu-devel] [PATCH v1 07/22] RISC-V: Remove unused class definitions from

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 12:27 PM, Philippe Mathieu-Daudé 
wrote:

> Hi Michael,
>
> On 03/06/2018 05:43 PM, Michael Clark wrote:
> > Removes a whole lot of unnecessary boilerplate code. Machines
> > don't need to be objects. The expansion of the SOC object model
> > for the RISC-V machines will happen in the future as SiFive
> > plans to add their FE310 and FU540 SOCs to QEMU. However, it
> > seems that this present boilerplate is complete unnecessary.
> >
> > Signed-off-by: Michael Clark 
> > Signed-off-by: Palmer Dabbelt 
> > ---
> >  hw/riscv/sifive_e.c | 25 -
> >  hw/riscv/sifive_u.c | 25 -
> >  hw/riscv/spike.c| 20 
> >  hw/riscv/virt.c | 25 -
> >  include/hw/riscv/sifive_e.h |  9 -
> >  include/hw/riscv/sifive_u.h |  9 -
> >  include/hw/riscv/virt.h |  9 -
> >  7 files changed, 122 deletions(-)
> >
> > diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
> > index 09c9d49..4872b68 100644
> > --- a/hw/riscv/sifive_e.c
> > +++ b/hw/riscv/sifive_e.c
> > @@ -194,24 +194,6 @@ static void riscv_sifive_e_init(MachineState
> *machine)
> >  }
> >  }
> >
> > -static int riscv_sifive_e_sysbus_device_init(SysBusDevice *sysbusdev)
> > -{
> > -return 0;
> > -}
> > -
> > -static void riscv_sifive_e_class_init(ObjectClass *klass, void *data)
> > -{
> > -SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
> > -k->init = riscv_sifive_e_sysbus_device_init;
> > -}
> > -
> > -static const TypeInfo riscv_sifive_e_device = {
> > -.name  = TYPE_SIFIVE_E,
> > -.parent= TYPE_SYS_BUS_DEVICE,
> > -.instance_size = sizeof(SiFiveEState),
> > -.class_init= riscv_sifive_e_class_init,
> > -};
> > -
> >  static void riscv_sifive_e_machine_init(MachineClass *mc)
> >  {
> >  mc->desc = "RISC-V Board compatible with SiFive E SDK";
> > @@ -220,10 +202,3 @@ static void riscv_sifive_e_machine_init(MachineClass
> *mc)
> >  }
> >
> >  DEFINE_MACHINE("sifive_e", riscv_sifive_e_machine_init)
> > -
> > -static void riscv_sifive_e_register_types(void)
> > -{
> > -type_register_static(_sifive_e_device);
> > -}
> > -
> > -type_init(riscv_sifive_e_register_types);
> > diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
> > index 25df16c..083043a 100644
> > --- a/hw/riscv/sifive_u.c
> > +++ b/hw/riscv/sifive_u.c
> > @@ -302,31 +302,6 @@ static void riscv_sifive_u_init(MachineState
> *machine)
> >  SIFIVE_SIP_BASE, SIFIVE_TIMECMP_BASE, SIFIVE_TIME_BASE);
> >  }
> >
> > -static int riscv_sifive_u_sysbus_device_init(SysBusDevice *sysbusdev)
> > -{
> > -return 0;
> > -}
> > -
> > -static void riscv_sifive_u_class_init(ObjectClass *klass, void *data)
> > -{
> > -SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
> > -k->init = riscv_sifive_u_sysbus_device_init;
> > -}
> > -
> > -static const TypeInfo riscv_sifive_u_device = {
> > -.name  = TYPE_SIFIVE_U,
> > -.parent= TYPE_SYS_BUS_DEVICE,
> > -.instance_size = sizeof(SiFiveUState),
> > -.class_init= riscv_sifive_u_class_init,
> > -};
> > -
> > -static void riscv_sifive_u_register_types(void)
> > -{
> > -type_register_static(_sifive_u_device);
> > -}
> > -
> > -type_init(riscv_sifive_u_register_types);
> > -
> >  static void riscv_sifive_u_machine_init(MachineClass *mc)
> >  {
> >  mc->desc = "RISC-V Board compatible with SiFive U SDK";
> > diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
> > index 74edf33..64e585e 100644
> > --- a/hw/riscv/spike.c
> > +++ b/hw/riscv/spike.c
> > @@ -336,18 +336,6 @@ static void spike_v1_09_1_board_init(MachineState
> *machine)
> >  smp_cpus, SIFIVE_SIP_BASE, SIFIVE_TIMECMP_BASE,
> SIFIVE_TIME_BASE);
> >  }
> >
> > -static const TypeInfo spike_v_1_09_1_device = {
> > -.name  = TYPE_RISCV_SPIKE_V1_09_1_BOARD,
> > -.parent= TYPE_SYS_BUS_DEVICE,
> > -.instance_size = sizeof(SpikeState),
> > -};
> > -
> > -static const TypeInfo spike_v_1_10_0_device = {
> > -.name  = TYPE_RISCV_SPIKE_V1_10_0_BOARD,
> > -.parent= TYPE_SYS_BUS_DEVICE,
> > -.instance_size = sizeof(SpikeState),
> > -};
> > -
> >  static void spike_v1_09_1_machine_init(MachineClass *mc)
> >  {
> >  mc->desc = "RISC-V Spike Board (Privileged ISA v1.9.1)";
> > @@ -365,11 +353,3 @@ static void spike_v1_10_0_machine_init(MachineClass
> *mc)
> >
> >  DEFINE_MACHINE("spike_v1.9.1", spike_v1_09_1_machine_init)
> >  DEFINE_MACHINE("spike_v1.10", spike_v1_10_0_machine_init)
> > -
> > -static void riscv_spike_board_register_types(void)
> > -{
> > -type_register_static(_v_1_09_1_device);
> > -type_register_static(_v_1_10_0_device);
> > -}
> > -
> > -type_init(riscv_spike_board_register_types);
> > diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> > index f1e3641..5913100 100644
> > --- a/hw/riscv/virt.c
> > +++ 

Re: [Qemu-devel] [PATCH qemu v3] RFC: ppc/spapr: Receive and store device tree blob from SLOF

2018-03-06 Thread Alexey Kardashevskiy
On 15/02/18 16:43, Alexey Kardashevskiy wrote:
> On 10/01/18 19:59, David Gibson wrote:
>> On Mon, Jan 08, 2018 at 07:35:43PM +1100, Alexey Kardashevskiy wrote:
>>> On 03/01/18 11:09, David Gibson wrote:
 On Tue, Jan 02, 2018 at 05:13:09PM +1100, Alexey Kardashevskiy wrote:
> On 11/12/17 17:20, Alexey Kardashevskiy wrote:
>> On 09/11/17 17:38, David Gibson wrote:
>>> On Tue, Nov 07, 2017 at 06:14:04PM +1100, Alexey Kardashevskiy wrote:
 On 20/10/17 11:46, Alexey Kardashevskiy wrote:
> On 19/10/17 17:24, David Gibson wrote:
>> On Tue, Oct 17, 2017 at 04:55:03PM +1100, Alexey Kardashevskiy wrote:
>>> On 16/10/17 20:36, David Gibson wrote:
 On Mon, Oct 16, 2017 at 04:20:04PM +1100, Alexey Kardashevskiy
>>> wrote:
>> [snip]
 ||

 Yeah.. this is all a bit complicated, I'm really thinking about a
 fdt_fsck() function for libfdt.
>>>
>>>
>>> Oh. So what now? Do as below or wait for libdtc update?
>>
>> So I started hacking on this.  It's a bit fiddlier to get right than 
>> I
>> anticipated.  How about you make a placeholder function to "test" the
>> tree for now, with a comment that it will be updated once the libfdt
>> extensions are there.
>
> What would the placeholder do? Nothing or my proposed "FDT_CHK" 
> thingy?
>
> Are we in a hurry with this one at all, or I can wait till libfdt 
> gets this
> fsck()?


 Ping?

 This is not v2.11 material, is it?
>>>
>>> Not at this stage, no.
>>>
>>> I've started looking at writing the fdt_fsck() thing, but got
>>> sidetracked by a bunch of related fixes to safety of handling
>>> corrupted blobs in libfdt.
>>
>> Please let me know when I can repost the "
>> ppc/spapr: Receive and store device tree blob from SLOF" again. Thanks.
>
>
> Still too early to repost?

 No.
>>>
>>>
>>> I looked at the recent libfdt (from qemu tree, sha1  e543880, v1.4.6) and
>>> could not find fdt_fsck() or similar, and I was waiting for this really,
>>> have I missed something?
>>
>> Oh, right, yeah, I haven't had time to look at that again.
> 
> 
> Any progress with fdt_fsck()? Thanks,


Ping?


-- 
Alexey





Re: [Qemu-devel] Outreachy 2017-DecemberMarch Aspirant for Vulkan-ize_virgl Project

2018-03-06 Thread Anusha Srivastava
Hi Stefan,

I have not been able to get in contact with Marc-Andre.

Could you suggest someone else who could help with this?
Regards,
Anusha Srivastava


On 3 March 2018 at 11:13, Anusha Srivastava  wrote:
> Hi Marc-Andre,
>
> Any update on this as to how to get started on this?
>
>
>
> On Mar 1, 2018 13:46, "Stefan Hajnoczi"  wrote:
>>
>> On Wed, Feb 28, 2018 at 5:40 PM, Anusha Srivastava
>>  wrote:
>> > Stefan/Marc-Andre,
>> >
>> > Is it possible to take this project up now for Outreachy/GSOC 2018 ?
>>
>> I have provided Marc-André with information on how to add this project
>> idea to Outreachy.
>>
>> Stefan



Re: [Qemu-devel] [PULL] RISC-V QEMU Port Submission v8

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 12:09 AM, Peter Maydell 
wrote:

> On 6 March 2018 at 01:30, Michael Clark  wrote:
> > I've squashed the trivial spike rename fix and rebased against master as of
> > commit f2bb2d14c2958f3f5aef456bd2cdb1ff99f4a562 Merge remote-tracking branch
> > 'remotes/stefanha/tags/block-pull-request' into staging. See here:
> >
> > - https://github.com/riscv/riscv-qemu/releases/tag/riscv-qemu-upstream-v8.1
>
> OK. In the interests of getting the RISC-V port into upstream before
> the upcoming softfreeze deadline (which is next Tuesday)[*], please
> can you:
>  * make sure you have a signed tag and send it as a proper pull request email
>  * send your other queued changes to the mailing list as a patch series
>so they can be reviewed
>  * work with Igor to identify the changes you need to make for the
>CPU type registering issue he's raised, and then send a patch for that
>

I believe I have done all 3 now.

I would also like to forward port the change to implement IEEE-754
minimumNumber/maximumNumber to fix our fmin/fmax regression. I dropped the
patch due to conflicting changes in softfloat. With that change we are
passing all of the current riscv-tests for the Base ISA, with the exception
of returning NaN for SP floating point ops on DP register values. RISC-V
has a NaN boxing scheme to identify the type of floating point values in
memory, unlike SSE registers where the upper bits are undefined, RISC-V
requires the FP register file to "box" SP inside of a wider -NaN. i.e. the
upper 32 bits are all 1s. This was done to support type identification for
FPUs that work with a recoded internal format. The mechanism is described
in "9.2 NaN Boxing of Narrower Values" in the draft RISC-V ISA Manual. The
essence is to solve the context switch issue where FSD (Store Double) is
used to save values from the register file. By defining the upper bits as
Boxed within a NaN, the spec solves a binary compatibility issue between
different RISC-V implementations. For QEMU RISC-V, we'll need to add checks
on all SP floating point operations to check that the value is canonically
boxed, otherwise return a NaN (in the corner case where incorrect code
performs a SP operation on an FPU register containing a DP value). Once we
fix this issue, and minimumNumber/maximumNumber, QEMU RISC-V will be
passing 100% of the current Base ISA tests.

> [*] For us, 'softfreeze' means that any new features must be in a pull
> request on the mailing list by that date; after that only bugfixes.
> Hardfreeze and the first rc candidate build is a week after that.
> See https://wiki.qemu.org/Planning/2.12 for other dates.
>
> thanks
> -- PMM
>
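
The NaN-boxing check described in the message above, as an added example that is not QEMU code or part of the original mail: a single-precision value is stored in a 64-bit FP register with the upper 32 bits all 1s, and a single-precision operation that finds anything else in its operand treats it as a NaN. The helper names are hypothetical; `0x7fc00000` is the canonical single-precision quiet NaN of the RISC-V ISA.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper 32 bits all 1s: the "box" around a single-precision value. */
#define SP_BOX_MASK      UINT64_C(0xffffffff00000000)
/* Canonical single-precision quiet NaN defined by the RISC-V ISA. */
#define SP_CANONICAL_NAN UINT32_C(0x7fc00000)

/* Hypothetical helper names; these are not QEMU functions. */

/* Box a single-precision bit pattern for a 64-bit FP register. */
static uint64_t nanbox_s(uint32_t sp_bits)
{
    return SP_BOX_MASK | sp_bits;
}

/* A register holds a valid single-precision value only if it is boxed. */
static int is_boxed_s(uint64_t freg)
{
    return (freg & SP_BOX_MASK) == SP_BOX_MASK;
}

/* Operand fetch for a single-precision operation: unbox a properly boxed
 * value, otherwise substitute the canonical NaN. */
static uint32_t unbox_s(uint64_t freg)
{
    return is_boxed_s(freg) ? (uint32_t)freg : SP_CANONICAL_NAN;
}

static uint32_t f32_to_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof(u));
    return u;
}

static float bits_to_f32(uint32_t u)
{
    float f;
    memcpy(&f, &u, sizeof(f));
    return f;
}

static uint64_t f64_to_bits(double d)
{
    uint64_t u;
    memcpy(&u, &d, sizeof(u));
    return u;
}

/* Model of a single-precision add on a 64-bit register file. The host
 * may propagate a NaN payload, so any NaN result is replaced by the
 * canonical one before the result is boxed again. */
static uint64_t model_fadd_s(uint64_t rs1, uint64_t rs2)
{
    float a = bits_to_f32(unbox_s(rs1));
    float b = bits_to_f32(unbox_s(rs2));
    float r = a + b;
    uint32_t bits = (r != r) ? SP_CANONICAL_NAN : f32_to_bits(r);

    return nanbox_s(bits);
}

int main(void)
{
    uint64_t ok  = model_fadd_s(nanbox_s(f32_to_bits(1.5f)),
                                nanbox_s(f32_to_bits(2.25f)));
    /* Corner case from the mail: a double left in the register. */
    uint64_t bad = model_fadd_s(f64_to_bits(1.0),
                                nanbox_s(f32_to_bits(2.25f)));

    printf("boxed + boxed  = 0x%016" PRIx64 "\n", ok);
    printf("double + boxed = 0x%016" PRIx64 "\n", bad);
    return 0;
}
```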


Re: [Qemu-devel] [PULL] RISC-V QEMU Port Submission v8

2018-03-06 Thread Michael Clark
On Tue, Mar 6, 2018 at 10:13 PM, Andrea Bolognani 
wrote:

> On Tue, 2018-03-06 at 14:30 +1300, Michael Clark wrote:
> > I'm currently working on some changes locally to split the firmware from
> > the kernel image. Currently the kernel image is embedded in the firmware
> > (riscv-pk/bbl).
>
> I was wondering about this just yesterday.
>
> Will this eventually lead to a situation where we can have a single
> firmware image which is shared between all guests, a la OVMF/AAVMF,
> with grub and the kernels stored on the virtual disk itself, like
> on most other architectures?
>

Possibly.

My first cut is to put the kernel-entry load address into a "chosen"
device-tree node so that the firmware knows where to jump to, versus having
the kernel as an embedded payload.

Currently the kernel image is embedded inside of the riscv-pk/bbl firmware
which is less than ideal and obviously a temporary solution.

We want to be able to build the firmware, kernel and initramfs separately.

> That should make it less awkward to add RISC-V support to libvirt,
> plus I expect it to be kind of a requirement for full distribution
> support, especially when it comes to updates and such.
>

Apparently some folk have spent some time working on UEFI support for
RISC-V and I noticed that there is a UEFI model for passing FDT (versus
other platform specific tables).

The only thing I don't like about UEFI is that it uses LLP64 and PE/COFF vs
LP64/ELF


Re: [Qemu-devel] [RFC PATCH qemu] slirp: Update forwarding IP address if guest receiver non-default IP

2018-03-06 Thread Alexey Kardashevskiy
On 08/02/18 15:29, Alexey Kardashevskiy wrote:
> On 01/02/18 20:36, Alexey Kardashevskiy wrote:
>> If we run QEMU with -netdev user,id=USER0,hostfwd=tcp::-:22, it starts
>> a DHCP server and starts allocating client IPs from 10.0.2.15 so
>> this is what the guest normally receives. Since QEMU automatically adds
>> the DHCP starting address into the forwarding table, everything works.
>> This is the table before guest started:
>>
>> (qemu) info usernet
>> VLAN -1 (USER0):
>>   Protocol[State]FD  Source Address  Port   Dest. Address  Port RecvQ 
>> SendQ
>>   TCP[HOST_FORWARD]  11   *     10.0.2.1522 0
>>  0
>>
>> However if the guest happens to have DHCP lease (for example, 10.0.2.16),
>> the forwarding stops working. The guest can still reach the outer world
>> (which is expected).
>>
>> This updates the forwarding table when QEMU confirms the requested IP
>> to the guest.
>>
>> Signed-off-by: Alexey Kardashevskiy 
>> ---
>>
>> Does this look any useful?

Ping, anyone?

> 
> 
> It does not seem like it does very much but  :)
> 
> 
>>
>> Sure I can remove /var/lib/dhcp/dhclient.enp0s1.leases in the guest or
>> start QEMU with the DHCP start address equal to what the guest wants to
>> reserve but it is quite confusing why such a simple config just does not
>> work.
>>
>> Found this with the brand new Ubuntu 17.10 which runs dhcp and something
>> called "netplan" and the guest ends up with 2 IPs from 10.0.2.x network.
>> After disabling netplan, the lease remains and it is not 10.0.2.15 but
>> rather .16 or .17.
>>
>> Comments? Thanks.
>>
>> ---
>>  slirp/libslirp.h |  2 ++
>>  slirp/bootp.c|  2 ++
>>  slirp/slirp.c| 27 +++
>>  3 files changed, 31 insertions(+)
>>
>> diff --git a/slirp/libslirp.h b/slirp/libslirp.h
>> index 540b3e5..6779081 100644
>> --- a/slirp/libslirp.h
>> +++ b/slirp/libslirp.h
>> @@ -33,6 +33,8 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp,
>>struct in_addr guest_addr, int guest_port);
>>  int slirp_remove_hostfwd(Slirp *slirp, int is_udp,
>>   struct in_addr host_addr, int host_port);
>> +void slirp_update_hostfwd(Slirp *slirp, struct in_addr old_guest_addr,
>> +  struct in_addr new_guest_addr);
>>  int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
>> struct in_addr *guest_addr, int guest_port);
>>  
>> diff --git a/slirp/bootp.c b/slirp/bootp.c
>> index 5dd1a41..5876004 100644
>> --- a/slirp/bootp.c
>> +++ b/slirp/bootp.c
>> @@ -225,6 +225,8 @@ static void bootp_reply(Slirp *slirp, const struct 
>> bootp_t *bp)
>>  /* Update ARP table for this IP address */
>>  arp_table_add(slirp, daddr.sin_addr.s_addr, client_ethaddr);
>>  
>> +slirp_update_hostfwd(slirp, slirp->vdhcp_startaddr, daddr.sin_addr);
>> +
>>  saddr.sin_addr = slirp->vhost_addr;
>>  saddr.sin_port = htons(BOOTP_SERVER);
>>  
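
Review bot: the added `slirp_update_hostfwd(slirp, slirp->vdhcp_startaddr, daddr.sin_addr);` call in `bootp_reply()` always passes `vdhcp_startaddr` as the old address, so it can only match once. After the forwards have been moved to one lease, a later reply that confirms a different address finds nothing equal to the start address and the forward goes stale again. The call also runs on every reply, so whichever client was answered first takes the forwards. Consider remembering the address the forwards were last rewritten to and passing that as the old address.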
>> diff --git a/slirp/slirp.c b/slirp/slirp.c
>> index 1cb6b07..a9d8a16 100644
>> --- a/slirp/slirp.c
>> +++ b/slirp/slirp.c
>> @@ -1061,6 +1061,33 @@ int slirp_add_hostfwd(Slirp *slirp, int is_udp, 
>> struct in_addr host_addr,
>>  return 0;
>>  }
>>  
>> +static void slirp_do_update_hostfwd(Slirp *slirp, struct socket *head,
>> +struct in_addr old_guest_addr,
>> +struct in_addr new_guest_addr)
>> +{
>> +struct socket *so;
>> +char oldaddr[17], newaddr[17];
>> +
>> +for (so = head->so_next; so != head; so = so->so_next) {
>> +if ((so->so_state & SS_HOSTFWD) &&
>> +so->lhost.sin.sin_addr.s_addr == old_guest_addr.s_addr) {
>> +strncpy(oldaddr, inet_ntoa(old_guest_addr), sizeof(oldaddr) - 
>> 1);
>> +strncpy(newaddr, inet_ntoa(new_guest_addr), sizeof(newaddr) - 
>> 1);
>> +DEBUG_ARGS((dfd, "Updating forwarding from %s:%d to %s:%d\n",
>> +   oldaddr, ntohs(so->lhost.sin.sin_port),
>> +   newaddr, ntohs(so->lhost.sin.sin_port)));
>> +so->lhost.sin.sin_addr = new_guest_addr;
>> +}
>> +}
>> +}
>> +
>> +void slirp_update_hostfwd(Slirp *slirp, struct in_addr old_guest_addr,
>> +  struct in_addr new_guest_addr)
>> +{
>> +slirp_do_update_hostfwd(slirp, >udb, old_guest_addr, 
>> new_guest_addr);
>> +slirp_do_update_hostfwd(slirp, >tcb, old_guest_addr, 
>> new_guest_addr);
>> +}
>> +
>>  int slirp_add_exec(Slirp *slirp, int do_pty, const void *args,
>> struct in_addr *guest_addr, int guest_port)
>>  {
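
Review bot: the match in `slirp_do_update_hostfwd()` is only `SS_HOSTFWD` plus `lhost` equal to `old_guest_addr`, so a forward the user explicitly bound to that guest address is rewritten along with the implicit ones; a flag recording that the guest address was defaulted would let the loop skip explicit entries. Two smaller points in the same function: `oldaddr` and `newaddr` are uninitialised and `strncpy(..., sizeof(oldaddr) - 1)` never writes the last byte, so termination relies on the `inet_ntoa()` output being shorter than the buffer (an `INET_ADDRSTRLEN` buffer filled with `snprintf` makes that explicit), and the copies run on every match even when debug output is off. The `slirp` parameter is unused.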
>>
> 
> 


-- 
Alexey



Re: [Qemu-devel] [PATCH qemu] slirp/debug: Print IP addresses in human readable form

2018-03-06 Thread Alexey Kardashevskiy
On 01/02/18 20:35, Alexey Kardashevskiy wrote:
> Signed-off-by: Alexey Kardashevskiy 

Ping?


> ---
>  slirp/arp_table.c | 4 ++--
>  slirp/socket.c| 8 
>  slirp/udp.c   | 4 ++--
>  3 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/slirp/arp_table.c b/slirp/arp_table.c
> index 3547043..bac608f 100644
> --- a/slirp/arp_table.c
> +++ b/slirp/arp_table.c
> @@ -33,7 +33,7 @@ void arp_table_add(Slirp *slirp, uint32_t ip_addr, uint8_t 
> ethaddr[ETH_ALEN])
>  int i;
>  
>  DEBUG_CALL("arp_table_add");
> -DEBUG_ARG("ip = 0x%x", ip_addr);
> +DEBUG_ARG("ip = %s", inet_ntoa(*(struct in_addr *)_addr));
>  DEBUG_ARGS((dfd, " hw addr = %02x:%02x:%02x:%02x:%02x:%02x\n",
>  ethaddr[0], ethaddr[1], ethaddr[2],
>  ethaddr[3], ethaddr[4], ethaddr[5]));
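
Review bot: the new `DEBUG_ARG("ip = %s", inet_ntoa(...))` line reads the `uint32_t ip_addr` parameter through a `(struct in_addr *)` cast, which prints the right address only if `ip_addr` is in network byte order, and nothing in `arp_table_add()` says so. Please state the byte order in a comment on the parameter and fill a local `struct in_addr` (`a.s_addr = ip_addr;`) instead of casting, so the assumption is visible where it is relied on.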
> @@ -67,7 +67,7 @@ bool arp_table_search(Slirp *slirp, uint32_t ip_addr,
>  int i;
>  
>  DEBUG_CALL("arp_table_search");
> -DEBUG_ARG("ip = 0x%x", ip_addr);
> +DEBUG_ARG("ip = %s", inet_ntoa(*(struct in_addr *)_addr));
>  
>  /* If broadcast address */
>  if (ip_addr == 0x || ip_addr == broadcast_addr) {
> diff --git a/slirp/socket.c b/slirp/socket.c
> index cb7b5b6..61347d1 100644
> --- a/slirp/socket.c
> +++ b/slirp/socket.c
> @@ -701,10 +701,10 @@ tcp_listen(Slirp *slirp, uint32_t haddr, u_int hport, 
> uint32_t laddr,
>   memset(, 0, addrlen);
>  
>   DEBUG_CALL("tcp_listen");
> - DEBUG_ARG("haddr = %x", haddr);
> - DEBUG_ARG("hport = %d", hport);
> - DEBUG_ARG("laddr = %x", laddr);
> - DEBUG_ARG("lport = %d", lport);
> + DEBUG_ARG("haddr = %s", inet_ntoa(*(struct in_addr *)));
> + DEBUG_ARG("hport = %d", ntohs(hport));
> + DEBUG_ARG("laddr = %s", inet_ntoa(*(struct in_addr *)));
> + DEBUG_ARG("lport = %d", ntohs(lport));
>   DEBUG_ARG("flags = %x", flags);
>  
>   so = socreate(slirp);
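
Review bot: the `hport` and `lport` lines now go through `ntohs()`, which changes the logged port values, while the subject only announces IP addresses; the commit message should mention it. `hport` is declared `u_int` in the `tcp_listen()` signature shown in the hunk header, so the argument is narrowed to 16 bits on the way into `ntohs()`; a cast or a `uint16_t` local would make that intentional. A comment stating the byte order `tcp_listen()` expects for its address and port arguments would also help, since the new output is only right for network order.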
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 227d779..e5bf065 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -241,8 +241,8 @@ int udp_output(struct socket *so, struct mbuf *m,
>   DEBUG_CALL("udp_output");
>   DEBUG_ARG("so = %p", so);
>   DEBUG_ARG("m = %p", m);
> - DEBUG_ARG("saddr = %lx", (long)saddr->sin_addr.s_addr);
> - DEBUG_ARG("daddr = %lx", (long)daddr->sin_addr.s_addr);
> + DEBUG_ARG("saddr = %s", inet_ntoa(saddr->sin_addr));
> + DEBUG_ARG("daddr = %s", inet_ntoa(daddr->sin_addr));
>  
>   /*
>* Adjust for header
> 


-- 
Alexey



[Qemu-devel] [PATCH v1] RISC-V: Convert cpu definition towards future model

2018-03-06 Thread Michael Clark
- Model borrowed from target/sh4/cpu.c
- Rewrote riscv_cpu_list to use object_class_get_list
- Dropped 'struct RISCVCPUInfo' and used TypeInfo array
- Replaced riscv_cpu_register_types with DEFINE_TYPES
- Marked base class as abstract

Cc: Igor Mammedov 
Cc: Palmer Dabbelt 
Cc: Sagar Karandikar 
Cc: Bastian Koppelmann 
Signed-off-by Michael Clark 
---
 target/riscv/cpu.c | 123 ++---
 1 file changed, 69 insertions(+), 54 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index d2ae56a..1f25968 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -115,6 +115,8 @@ static void riscv_any_cpu_init(Object *obj)
 set_resetvec(env, DEFAULT_RSTVEC);
 }
 
+#if defined(TARGET_RISCV32)
+
 static void rv32gcsu_priv1_09_1_cpu_init(Object *obj)
 {
 CPURISCVState *env = _CPU(obj)->env;
@@ -141,6 +143,8 @@ static void rv32imacu_nommu_cpu_init(Object *obj)
 set_resetvec(env, DEFAULT_RSTVEC);
 }
 
+#elif defined(TARGET_RISCV64)
+
 static void rv64gcsu_priv1_09_1_cpu_init(Object *obj)
 {
 CPURISCVState *env = _CPU(obj)->env;
@@ -167,20 +171,7 @@ static void rv64imacu_nommu_cpu_init(Object *obj)
 set_resetvec(env, DEFAULT_RSTVEC);
 }
 
-static const RISCVCPUInfo riscv_cpus[] = {
-{ 96, TYPE_RISCV_CPU_ANY,  riscv_any_cpu_init },
-{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_09_1, rv32gcsu_priv1_09_1_cpu_init },
-{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_10_0, rv32gcsu_priv1_10_0_cpu_init },
-{ 32, TYPE_RISCV_CPU_RV32IMACU_NOMMU,  rv32imacu_nommu_cpu_init },
-{ 32, TYPE_RISCV_CPU_SIFIVE_E31,   rv32imacu_nommu_cpu_init },
-{ 32, TYPE_RISCV_CPU_SIFIVE_U34,   rv32gcsu_priv1_10_0_cpu_init },
-{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_09_1, rv64gcsu_priv1_09_1_cpu_init },
-{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_10_0, rv64gcsu_priv1_10_0_cpu_init },
-{ 64, TYPE_RISCV_CPU_RV64IMACU_NOMMU,  rv64imacu_nommu_cpu_init },
-{ 64, TYPE_RISCV_CPU_SIFIVE_E51,   rv64imacu_nommu_cpu_init },
-{ 64, TYPE_RISCV_CPU_SIFIVE_U54,   rv64gcsu_priv1_10_0_cpu_init },
-{ 0, NULL, NULL }
-};
+#endif
 
 static ObjectClass *riscv_cpu_class_by_name(const char *cpu_model)
 {
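
Review bot: the `#if defined(TARGET_RISCV32)` / `#elif defined(TARGET_RISCV64)` / `#endif` chain that this hunk closes has no `#else`, so a build with neither macro defined silently drops every per-width init function and keeps only riscv_any_cpu_init. An `#else` branch with `#error` would make an unsupported target fail at the point where the assumption is made.
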
@@ -366,28 +357,6 @@ static void riscv_cpu_class_init(ObjectClass *c, void 
*data)
 cc->vmsd = _riscv_cpu;
 }
 
-static void cpu_register(const RISCVCPUInfo *info)
-{
-TypeInfo type_info = {
-.name = info->name,
-.parent = TYPE_RISCV_CPU,
-.instance_size = sizeof(RISCVCPU),
-.instance_init = info->initfn,
-};
-
-type_register(_info);
-}
-
-static const TypeInfo riscv_cpu_type_info = {
-.name = TYPE_RISCV_CPU,
-.parent = TYPE_CPU,
-.instance_size = sizeof(RISCVCPU),
-.instance_init = riscv_cpu_init,
-.abstract = false,
-.class_size = sizeof(RISCVCPUClass),
-.class_init = riscv_cpu_class_init,
-};
-
 char *riscv_isa_string(RISCVCPU *cpu)
 {
 int i;
@@ -403,30 +372,76 @@ char *riscv_isa_string(RISCVCPU *cpu)
 return isa_string;
 }
 
-void riscv_cpu_list(FILE *f, fprintf_function cpu_fprintf)
+typedef struct RISCVCPUListState {
+fprintf_function cpu_fprintf;
+FILE *file;
+} RISCVCPUListState;
+
+static gint riscv_cpu_list_compare(gconstpointer a, gconstpointer b)
 {
-const RISCVCPUInfo *info = riscv_cpus;
+ObjectClass *class_a = (ObjectClass *)a;
+ObjectClass *class_b = (ObjectClass *)b;
+const char *name_a, *name_b;
 
-while (info->name) {
-if (info->bit_widths & TARGET_LONG_BITS) {
-(*cpu_fprintf)(f, "%s\n", info->name);
-}
-info++;
-}
+name_a = object_class_get_name(class_a);
+name_b = object_class_get_name(class_b);
+return strcmp(name_a, name_b);
 }
 
-static void riscv_cpu_register_types(void)
+static void riscv_cpu_list_entry(gpointer data, gpointer user_data)
 {
-const RISCVCPUInfo *info = riscv_cpus;
+RISCVCPUListState *s = user_data;
+const char *typename = object_class_get_name(OBJECT_CLASS(data));
+int len = strlen(typename) - strlen(RISCV_CPU_TYPE_SUFFIX);
 
-type_register_static(_cpu_type_info);
+(*s->cpu_fprintf)(s->file, "%.*s\n", len, typename);
+}
 
-while (info->name) {
-if (info->bit_widths & TARGET_LONG_BITS) {
-cpu_register(info);
-}
-info++;
-}
+void riscv_cpu_list(FILE *f, fprintf_function cpu_fprintf)
+{
+RISCVCPUListState s = {
+.cpu_fprintf = cpu_fprintf,
+.file = f,
+};
+GSList *list;
+
+list = object_class_get_list(TYPE_RISCV_CPU, false);
+list = g_slist_sort(list, riscv_cpu_list_compare);
+g_slist_foreach(list, riscv_cpu_list_entry, );
+g_slist_free(list);
 }
 
-type_init(riscv_cpu_register_types)
+#define DEFINE_CPU(type_name, initfn)  \
+{  \
+.name = type_name, \
+.parent = 
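
Review bot: in riscv_cpu_list_entry(), `len = strlen(typename) - strlen(RISCV_CPU_TYPE_SUFFIX)` assumes every class returned by object_class_get_list() ends in the suffix. For a type name that is shorter than the suffix the size_t subtraction wraps, the int handed to "%.*s" goes negative, and printf treats a negative precision as if none were given, so the untrimmed type name is printed; a name that is long enough but does not end in the suffix just loses its tail. Check for the suffix (or assert on it) before trimming.
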

Re: [Qemu-devel] [PATCH 2/2] iotests: add 208 nbd-server + blockdev-snapshot-sync test case

2018-03-06 Thread Stefano Panella
I have applied this patch and when I run the following QMP commands I do
not see the crash anymore, but there is still something wrong because only
/root/a is opened from qemu. It looks like nbd-server-stop is also getting
rid of the nodes added with blockdev-snapshot-sync, therefore it is then not
possible to do blockdev-del on /root/d because node-name is not found.

{ "execute": "qmp_capabilities" }
{
    "execute": "blockdev-add",
    "arguments": {
        "driver": "qcow2",
        "node-name": "/root/a",
        "discard": "unmap",
        "cache": {
            "direct": true
        },
        "file": {
            "driver": "file",
            "filename": "/root/a"
        }
    }
}

{
    "execute": "nbd-server-start",
    "arguments": {
        "addr": {
            "type": "unix",
            "data": {
                "path": "/tmp/nbd.test1"
            }
        }
    }
}

{
    "execute": "nbd-server-add",
    "arguments": {
        "device": "/root/a",
        "writable": true
    }
}


{
    "execute": "blockdev-snapshot-sync",
    "arguments": {
        "node-name": "/root/a",
        "snapshot-node-name": "/root/b",
        "snapshot-file": "/root/b"
    }
}
{
    "execute": "blockdev-snapshot-sync",
    "arguments": {
        "node-name": "/root/b",
        "snapshot-node-name": "/root/c",
        "snapshot-file": "/root/c"
    }
}
{
    "execute": "blockdev-snapshot-sync",
    "arguments": {
        "node-name": "/root/c",
        "snapshot-node-name": "/root/d",
        "snapshot-file": "/root/d"
    }
}

{
    "execute": "nbd-server-stop"
}


On Tue, Mar 6, 2018 at 8:48 PM, Stefan Hajnoczi  wrote:
>
> This test case adds an NBD server export and then invokes
> blockdev-snapshot-sync, which changes the BlockDriverState node that the
> NBD server's BlockBackend points to.  This is an interesting scenario to
> test and exercises the code path fixed by the previous commit.
>
> Signed-off-by: Stefan Hajnoczi 
> ---
>  tests/qemu-iotests/208 | 55
++
>  tests/qemu-iotests/208.out |  9 
>  tests/qemu-iotests/group   |  1 +
>  3 files changed, 65 insertions(+)
>  create mode 100755 tests/qemu-iotests/208
>  create mode 100644 tests/qemu-iotests/208.out
>
> diff --git a/tests/qemu-iotests/208 b/tests/qemu-iotests/208
> new file mode 100755
> index 00..4e82b96c82
> --- /dev/null
> +++ b/tests/qemu-iotests/208
> @@ -0,0 +1,55 @@
> +#!/usr/bin/env python
> +#
> +# Copyright (C) 2018 Red Hat, Inc.
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 2 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program.  If not, see .
> +#
> +# Creator/Owner: Stefan Hajnoczi 
> +#
> +# Check that the runtime NBD server does not crash when stopped after
> +# blockdev-snapshot-sync.
> +
> +import iotests
> +
> +with iotests.FilePath('disk.img') as disk_img_path, \
> + iotests.FilePath('disk-snapshot.img') as disk_snapshot_img_path, \
> + iotests.FilePath('nbd.sock') as nbd_sock_path, \
> + iotests.VM() as vm:
> +
> +img_size = '10M'
> +iotests.qemu_img_pipe('create', '-f', iotests.imgfmt, disk_img_path,
img_size)
> +
> +iotests.log('Launching VM...')
> +(vm.add_drive(disk_img_path, 'node-name=drive0-node',
interface='none')
> +   .launch())
> +
> +iotests.log('Starting NBD server...')
> +iotests.log(vm.qmp('nbd-server-start', addr={
> +"type": "unix",
> +"data": {
> +"path": nbd_sock_path,
> +}
> +}))
> +
> +iotests.log('Adding NBD export...')
> +iotests.log(vm.qmp('nbd-server-add', device='drive0-node',
writable=True))
> +
> +iotests.log('Creating external snapshot...')
> +iotests.log(vm.qmp('blockdev-snapshot-sync',
> +node_name='drive0-node',
> +snapshot_node_name='drive0-snapshot-node',
> +snapshot_file=disk_snapshot_img_path))
> +
> +iotests.log('Stopping NBD server...')
> +iotests.log(vm.qmp('nbd-server-stop'))
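
Review bot: the script ends at the `nbd-server-stop` call and only logs the command replies, so it catches the crash but not a block graph left in the wrong state; the behaviour reported at the top of this reply (snapshot nodes no longer found after nbd-server-stop) would still pass. Logging the node names from query-named-block-nodes after the stop would let 208.out pin that drive0-node and drive0-snapshot-node both survive. The return value of `iotests.qemu_img_pipe('create', ...)` is also discarded, so a failed image creation only shows up later at VM launch.
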
> diff --git a/tests/qemu-iotests/208.out b/tests/qemu-iotests/208.out
> new file mode 100644
> index 00..3687e9d0dd
> --- /dev/null
> +++ b/tests/qemu-iotests/208.out
> @@ -0,0 +1,9 @@
> +Launching VM...
> +Starting NBD server...
> +{u'return': {}}
> +Adding NBD export...
> +{u'return': {}}
> +Creating external snapshot...
> +{u'return': {}}
> +Stopping NBD server...
> +{u'return': {}}
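
Review bot: every reply line in this reference output is the Python 2 repr `{u'return': {}}`, which ties the test to whichever interpreter `#!/usr/bin/env python` resolves to; under Python 3 the same dict prints without the `u` prefix and the comparison fails. Serialising the QMP reply to a stable form before logging would make the expected output interpreter-independent.
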
> diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
> index a2dfe79d86..01c03019dd 100644
> --- a/tests/qemu-iotests/group
> +++ b/tests/qemu-iotests/group
> @@ -202,3 +202,4 @@
>  203 rw auto
>  204 rw auto quick
>  205 rw auto quick
> +208 rw auto quick
> --
> 2.14.3
>


Re: [Qemu-devel] [PATCH] migration: fix applying wrong capabilities

2018-03-06 Thread Peter Xu
On Tue, Mar 06, 2018 at 08:08:37PM +, Dr. David Alan Gilbert wrote:
> * Peter Xu (pet...@redhat.com) wrote:
> > When setting migration capabilities via QMP/HMP, we'll apply them even
> > if the capability check failed.  Fix it.
> > 
> > Fixes: 4a84214ebe ("migration: provide migrate_caps_check()", 2017-07-18)
> > Signed-off-by: Peter Xu 
> 
> OK, yes, that works, so:
> 
> 
> Reviewed-by: Dr. David Alan Gilbert 

Thanks.

> 
> 
> It is a little odd in a way; 'caps_check' you might expect only checked
> and didn't change anything.   migrate_params is organised a bit
> differently; and somewhat more confusingly.

Indeed.  Maybe the cap_list copy should be within the function, and
then define the function as:

static bool migrate_caps_check(MigrationCapabilityStatusList *params,
   Error **errp);

Then it at least looks more like the param_check one.

Let me know if you think it's good; I can post another one after
all, and this one would be easy. :)

-- 
Peter Xu



[Qemu-devel] [RFC PATCH v1] spapr: Support ibm, dynamic-memory-v2 property

2018-03-06 Thread Bharata B Rao
The new property ibm,dynamic-memory-v2 allows memory to be represented
in a more compact manner in device tree.

Signed-off-by: Bharata B Rao 
---
v0: http://lists.gnu.org/archive/html/qemu-ppc/2018-02/msg00236.html
Changes in v1:
- Rebased on top of Haozhong Zhang's qmp_pc_dimm_device_list refactor
  patch.
(http://lists.gnu.org/archive/html/qemu-devel/2018-03/msg00978.html)

 docs/specs/ppc-spapr-hotplug.txt |  19 +++
 hw/ppc/spapr.c   | 256 ---
 include/hw/ppc/spapr.h   |   1 +
 include/hw/ppc/spapr_ovec.h  |   1 +
 4 files changed, 233 insertions(+), 44 deletions(-)

diff --git a/docs/specs/ppc-spapr-hotplug.txt b/docs/specs/ppc-spapr-hotplug.txt
index f57e2a09c6..cc7833108e 100644
--- a/docs/specs/ppc-spapr-hotplug.txt
+++ b/docs/specs/ppc-spapr-hotplug.txt
@@ -387,4 +387,23 @@ Each LMB list entry consists of the following elements:
 - A 32bit flags word. The bit at bit position 0x0008 defines whether
   the LMB is assigned to the the partition as of boot time.
 
+ibm,dynamic-memory-v2
+
+This property describes the dynamically reconfigurable memory. This is
+an alternate and newer way to describe dyanamically reconfigurable memory.
+It is a property encoded array that has an integer N (the number of
+LMB set entries) followed by N LMB set entries. There is an LMB set entry
+for each sequential group of LMBs that share common attributes.
+
+Each LMB set entry consists of the following elements:
+
+- Number of sequential LMBs in the entry represented by a 32bit integer.
+- Logical address of the first LMB in the set encoded as a 64bit integer.
+- DRC index of the first LMB in the set.
+- Associativity list index that is used as an index into
+  ibm,associativity-lookup-arrays property described earlier. This
+  is used to retrieve the right associativity list to be used for all
+  the LMBs in this set.
+- A 32bit flags word that applies to all the LMBs in the set.
+
 [1] http://thread.gmane.org/gmane.linux.ports.ppc.embedded/75350/focus=106867
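
Review bot: the LMB set entry list leaves two field widths unstated: "DRC index of the first LMB in the set" and the associativity list index give no size, while the other three elements say 32bit or 64bit. A guest parser derives the entry stride from this text, so state both as 32bit integers if that is what is encoded (struct of_drconf_cell_v2 in the hw/ppc/spapr.c hunk uses uint32_t for both), and say that the fields are stored big-endian. The added paragraph also has a typo, "dyanamically".
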
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 44a0670d11..6361ec20c7 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -669,63 +669,138 @@ static uint32_t spapr_pc_dimm_node(MemoryDeviceInfoList 
*list, ram_addr_t addr)
 return -1;
 }
 
-/*
- * Adds ibm,dynamic-reconfiguration-memory node.
- * Refer to docs/specs/ppc-spapr-hotplug.txt for the documentation
- * of this device tree node.
- */
-static int spapr_populate_drconf_memory(sPAPRMachineState *spapr, void *fdt)
+struct of_drconf_cell_v2 {
+ uint32_t seq_lmbs;
+ uint64_t base_addr;
+ uint32_t drc_index;
+ uint32_t aa_index;
+ uint32_t flags;
+} __attribute__((packed));
+
+#define SPAPR_DRCONF_CELL_SIZE 6
+
+/* ibm,dynamic-memory-v2 */
+static int spapr_populate_drmem_v2(sPAPRMachineState *spapr, void *fdt,
+   int offset, MemoryDeviceInfoList *dimms)
 {
-MachineState *machine = MACHINE(spapr);
-int ret, i, offset;
-uint64_t lmb_size = SPAPR_MEMORY_BLOCK_SIZE;
-uint32_t prop_lmb_size[] = {0, cpu_to_be32(lmb_size)};
-uint32_t hotplug_lmb_start = spapr->hotplug_memory.base / lmb_size;
-uint32_t nr_lmbs = (spapr->hotplug_memory.base +
-   memory_region_size(>hotplug_memory.mr)) /
-   lmb_size;
 uint32_t *int_buf, *cur_index, buf_len;
-int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1;
-MemoryDeviceInfoList *dimms = NULL;
+int ret;
+uint64_t lmb_size = SPAPR_MEMORY_BLOCK_SIZE;
+uint64_t addr, cur_addr, size;
+uint32_t nr_boot_lmbs = (spapr->hotplug_memory.base / lmb_size);
+uint64_t mem_end = spapr->hotplug_memory.base +
+   memory_region_size(>hotplug_memory.mr);
+uint32_t node, nr_entries = 0;
+sPAPRDRConnector *drc;
+typedef struct drconf_cell_queue {
+struct of_drconf_cell_v2 cell;
+QSIMPLEQ_ENTRY(drconf_cell_queue) entry;
+} drconf_cell_queue;
+QSIMPLEQ_HEAD(, drconf_cell_queue) drconf_queue
+= QSIMPLEQ_HEAD_INITIALIZER(drconf_queue);
+drconf_cell_queue *elem, *next;
+MemoryDeviceInfoList *info;
 
-/*
- * Don't create the node if there is no hotpluggable memory
- */
-if (machine->ram_size == machine->maxram_size) {
-return 0;
-}
+/* Entry to cover RAM and the gap area */
+elem = g_malloc0(sizeof(drconf_cell_queue));
+elem->cell.seq_lmbs = cpu_to_be32(nr_boot_lmbs);
+elem->cell.base_addr = cpu_to_be64(0);
+elem->cell.drc_index = cpu_to_be32(0);
+elem->cell.aa_index = cpu_to_be32(-1);
+elem->cell.flags = cpu_to_be32(SPAPR_LMB_FLAGS_RESERVED |
+   SPAPR_LMB_FLAGS_DRC_INVALID);
+QSIMPLEQ_INSERT_TAIL(_queue, elem, entry);
+nr_entries++;
+
+cur_addr = spapr->hotplug_memory.base;
+for (info = dimms; info; info = info->next) {
+PCDIMMDeviceInfo *di = info->value->u.dimm.data;
+
+   
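
Review bot: `#define SPAPR_DRCONF_CELL_SIZE 6` restates the layout of `struct of_drconf_cell_v2` as a bare count of 32-bit cells (4 + 8 + 4 + 4 + 4 bytes), so the two can drift apart silently if a field is ever added or resized. Derive the constant from `sizeof(struct of_drconf_cell_v2) / sizeof(uint32_t)` or add a build-time assertion next to the struct. The struct would also benefit from a comment that its members hold big-endian values, since the code stores cpu_to_be32()/cpu_to_be64() results in plain uint32_t/uint64_t fields.
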

Re: [Qemu-devel] [PATCH v8 03/23] RISC-V CPU Core Definition

2018-03-06 Thread Michael Clark
On Tue, Mar 6, 2018 at 9:58 PM, Igor Mammedov  wrote:

> On Tue, 6 Mar 2018 11:24:02 +1300
> Michael Clark  wrote:
>
> > On Mon, Mar 5, 2018 at 10:44 PM, Igor Mammedov 
> wrote:
> >
> > > On Sat,  3 Mar 2018 02:51:31 +1300
> > > Michael Clark  wrote:
> > >
> > > > Add CPU state header, CPU definitions and initialization routines
> > > >
> > > > Reviewed-by: Richard Henderson 
> > > > Signed-off-by: Sagar Karandikar 
> > > > Signed-off-by: Michael Clark 
> > > > ---
> > > >  target/riscv/cpu.c  | 432 ++
> > > ++
> > > >  target/riscv/cpu.h  | 296 +
> > > >  target/riscv/cpu_bits.h | 411 ++
> > > +++
> > > >  3 files changed, 1139 insertions(+)
> > > >  create mode 100644 target/riscv/cpu.c
> > > >  create mode 100644 target/riscv/cpu.h
> > > >  create mode 100644 target/riscv/cpu_bits.h
> > > >
> > > > diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> > > > new file mode 100644
> > > > index 000..4851890
> > > > --- /dev/null
> > > > +++ b/target/riscv/cpu.c
> > > [...]
> > >
> > > > +
> > > > +typedef struct RISCVCPUInfo {
> > > > +const int bit_widths;
> > > > +const char *name;
> > > > +void (*initfn)(Object *obj);
> > > > +} RISCVCPUInfo;
> > > > +
> > > [...]
> > >
> > > > +static const RISCVCPUInfo riscv_cpus[] = {
> > > > +{ 96, TYPE_RISCV_CPU_ANY,  riscv_any_cpu_init },
> > > > +{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_09_1,
> > > rv32gcsu_priv1_09_1_cpu_init },
> > > > +{ 32, TYPE_RISCV_CPU_RV32GCSU_V1_10_0,
> > > rv32gcsu_priv1_10_0_cpu_init },
> > > > +{ 32, TYPE_RISCV_CPU_RV32IMACU_NOMMU,
> rv32imacu_nommu_cpu_init },
> > > > +{ 32, TYPE_RISCV_CPU_SIFIVE_E31,   rv32imacu_nommu_cpu_init
> },
> > > > +{ 32, TYPE_RISCV_CPU_SIFIVE_U34,
>  rv32gcsu_priv1_10_0_cpu_init
> > > },
> > > > +{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_09_1,
> > > rv64gcsu_priv1_09_1_cpu_init },
> > > > +{ 64, TYPE_RISCV_CPU_RV64GCSU_V1_10_0,
> > > rv64gcsu_priv1_10_0_cpu_init },
> > > > +{ 64, TYPE_RISCV_CPU_RV64IMACU_NOMMU,
> rv64imacu_nommu_cpu_init },
> > > > +{ 64, TYPE_RISCV_CPU_SIFIVE_E51,   rv64imacu_nommu_cpu_init
> },
> > > > +{ 64, TYPE_RISCV_CPU_SIFIVE_U54,
>  rv64gcsu_priv1_10_0_cpu_init
> > > },
> > > > +{ 0, NULL, NULL }
> > > > +};
> > > > +
> > > [...]
> > >
> > > > +static void cpu_register(const RISCVCPUInfo *info)
> > > > +{
> > > > +TypeInfo type_info = {
> > > > +.name = info->name,
> > > > +.parent = TYPE_RISCV_CPU,
> > > > +.instance_size = sizeof(RISCVCPU),
> > > > +.instance_init = info->initfn,
> > > > +};
> > > > +
> > > > +type_register(_info);
> > > > +}
> > > [...]
> > >
> > > > +void riscv_cpu_list(FILE *f, fprintf_function cpu_fprintf)
> > > > +{
> > > > +const RISCVCPUInfo *info = riscv_cpus;
> > > > +
> > > > +while (info->name) {
> > > > +if (info->bit_widths & TARGET_LONG_BITS) {
> > > > +(*cpu_fprintf)(f, "%s\n", info->name);
> > > > +}
> > > > +info++;
> > > > +}
> > > > +}
> > > > +
> > > > +static void riscv_cpu_register_types(void)
> > > > +{
> > > > +const RISCVCPUInfo *info = riscv_cpus;
> > > > +
> > > > +type_register_static(_cpu_type_info);
> > > > +
> > > > +while (info->name) {
> > > > +if (info->bit_widths & TARGET_LONG_BITS) {
> > > > +cpu_register(info);
> > > > +}
> > > > +info++;
> > > > +}
> > > > +}
> > > > +
> > > > +type_init(riscv_cpu_register_types)
> > > This still isn't fixed as requested
> > >  http://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06412.html
> >
> >
> > It's possibly because I explicitly requested a clarification. Pointing
> at a
> > commit and being asked to infer what the desired change is, is not what I
> > would call reasonable feedback. The code has already been reviewed.
> Well, it's been pointed since v4 (it's not like change has been asked for
> at the last moment) and no one asked for clarification.
>
>
> > We have
> > just expanded on it in a manner consistent with how the ARM port handled
> > cpu initialization.
> > I'm happy to comply if you give me detailed instructions on what is
> wrong,
> > why, and how to fix it versus infer your problem from this commit to
> > another architecture.
> >
> > Apologies if I'm a bit slow, but I really don't understand the change you
> > intend us to make.
> There is nothing wrong and it's totally ok to use existing code to
> start with writing new patches. The only thing is that it's moving
> codebase and new patches shouldn't interfere with ongoing work done
> by others. Hence sometimes you see comments requesting to use
> a particular approach to do something that could be done in
> various ways.
>
> In this 

Re: [Qemu-devel] [RFC v4 15/21] blockjobs: add prepare callback

2018-03-06 Thread John Snow


On 02/28/2018 12:04 PM, Kevin Wolf wrote:
> Am 24.02.2018 um 00:51 hat John Snow geschrieben:
>> Some jobs upon finalization may need to perform some work that can
>> still fail. If these jobs are part of a transaction, it's important
>> that these callbacks fail the entire transaction.
>>
>> We allow for a new callback in addition to commit/abort/clean that
>> allows us the opportunity to have fairly late-breaking failures
>> in the transactional process.
>>
>> The expected flow is:
>>
>> - All jobs in a transaction converge to the WAITING state
>>   (added in a forthcoming commit)
>> - All jobs prepare to call either commit/abort
>> - If any job fails, is canceled, or fails preparation, all jobs
>>   call their .abort callback.
>> - All jobs enter the PENDING state, awaiting manual intervention
>>   (also added in a forthcoming commit)
>> - block-job-finalize is issued by the user/management layer
>> - All jobs call their commit callbacks.
>>
>> Signed-off-by: John Snow 
> 
> You almost made me believe the scary thought that we need transactional
> graph modifications, but after writing half of the reply, I think it's
> just that your order here is wrong.
> 

Sorry, yes, this blurb was outdated. I regret that it wasted your time.

> So .prepare is the last thing in the whole process that is allowed to
> fail. Graph manipulations such as bdrv_replace_node() can fail. Graph
> manipulations can also only be made in response to block-job-finalize
> because the management layer must be aware of them. Take them together
> and you have a problem.
> 
> Didn't we already establish earlier that .prepare/.commit/.abort must be
> called together and cannot be separated by waiting for a QMP command
> because of locking and things?
> 

Right; so what really happens is that in response to the FINALIZE verb,
the prepare loop is done first to check for success, and then commit or
abort are dispatched as appropriate.

> So if you go to PENDING first, then wait for block-job-finalize and only
> then call .prepare/.commit/.abort, we should be okay for both problems.
> 
> And taking a look at the final state, that seems to be what you do, so
> in the end, it's probably just the commit message that needs a fix.

Yep, sorry.

> 
>>  blockjob.c   | 34 +++---
>>  include/block/blockjob_int.h | 10 ++
>>  2 files changed, 41 insertions(+), 3 deletions(-)
>>
>> diff --git a/blockjob.c b/blockjob.c
>> index 8f02c03880..1c010ec100 100644
>> --- a/blockjob.c
>> +++ b/blockjob.c
>> @@ -394,6 +394,18 @@ static void block_job_update_rc(BlockJob *job)
>>  }
>>  }
>>  
>> +static int block_job_prepare(BlockJob *job)
>> +{
>> +if (job->ret) {
>> +goto out;
>> +}
>> +if (job->driver->prepare) {
>> +job->ret = job->driver->prepare(job);
>> +}
>> + out:
>> +return job->ret;
>> +}
> 
> Why not just if (job->ret == 0 && job->driver->prepare) and save the
> goto?
> 

Churn. ¯\_(ツ)_/¯

> Kevin
> 
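
The finalize flow discussed in this message (run the prepare loop over every job first, then dispatch commit to all jobs or abort to all of them, in one step), as an added example that is not QEMU's blockjob.c code. The Job and JobDriver types, txn_finalize(), count_state() and the three sample drivers are assumptions made for illustration; job_prepare() uses the single-condition form suggested in the review.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical job model for illustration; not QEMU's BlockJob structures. */
typedef struct Job Job;

typedef struct JobDriver {
    int  (*prepare)(Job *job);  /* optional; the last step allowed to fail */
    void (*commit)(Job *job);   /* must not fail */
    void (*abort)(Job *job);    /* must not fail */
} JobDriver;

typedef enum { JOB_PENDING, JOB_COMMITTED, JOB_ABORTED } JobState;

struct Job {
    const char *id;
    const JobDriver *driver;
    int ret;                    /* 0 so far, or a negative errno-style value */
    JobState state;
    int prepared;               /* how many times driver->prepare ran */
};

static int prepare_ok(Job *job)  { job->prepared++; return 0; }
static int prepare_eio(Job *job) { job->prepared++; return -5; }
static void mark_committed(Job *job) { job->state = JOB_COMMITTED; }
static void mark_aborted(Job *job)   { job->state = JOB_ABORTED; }

/* Constructed sample drivers: one succeeds, one fails late, one has no hook. */
const JobDriver drv_ok         = { prepare_ok,  mark_committed, mark_aborted };
const JobDriver drv_late_fail  = { prepare_eio, mark_committed, mark_aborted };
const JobDriver drv_no_prepare = { NULL,        mark_committed, mark_aborted };

/* Skip the driver hook when the job has already failed or was canceled. */
static int job_prepare(Job *job)
{
    if (job->ret == 0 && job->driver->prepare) {
        job->ret = job->driver->prepare(job);
    }
    return job->ret;
}

/*
 * Handle "finalize" for a whole transaction in one uninterrupted step:
 * run prepare for the jobs first, then dispatch commit to all of them or
 * abort to all of them. Stopping the prepare loop at the first failure is
 * a choice made in this example.
 */
int txn_finalize(Job **jobs, size_t n)
{
    int rc = 0;
    size_t i;

    for (i = 0; i < n && rc == 0; i++) {
        rc = job_prepare(jobs[i]);
    }
    for (i = 0; i < n; i++) {
        if (rc == 0) {
            jobs[i]->driver->commit(jobs[i]);
        } else {
            jobs[i]->driver->abort(jobs[i]);
        }
    }
    return rc;
}

/* Number of jobs in the transaction that ended in the given state. */
size_t count_state(Job **jobs, size_t n, JobState want)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++) {
        hits += (jobs[i]->state == want);
    }
    return hits;
}

int main(void)
{
    /* Constructed sample transaction: the middle job fails in prepare. */
    Job a = { "job-a", &drv_ok,         0, JOB_PENDING, 0 };
    Job b = { "job-b", &drv_late_fail,  0, JOB_PENDING, 0 };
    Job c = { "job-c", &drv_no_prepare, 0, JOB_PENDING, 0 };
    Job *txn[] = { &a, &b, &c };
    int rc = txn_finalize(txn, 3);

    printf("rc=%d committed=%zu aborted=%zu\n", rc,
           count_state(txn, 3, JOB_COMMITTED),
           count_state(txn, 3, JOB_ABORTED));
    return 0;
}
```

Because no job's commit runs until every prepare has returned 0, a late failure in one job never leaves another job in the transaction already committed.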



Re: [Qemu-devel] [PATCH] block: include original filename when reporting invalid URIs

2018-03-06 Thread Jeff Cody
On Tue, Feb 06, 2018 at 10:52:04AM +, Daniel P. Berrangé wrote:
> Consider passing a JSON based block driver to "qemu-img commit"
> 
> $ qemu-img commit 'json:{"driver":"qcow2","file":{"driver":"gluster",\
>   "volume":"gv0","path":"sn1.qcow2",
>   "server":[{"type":\
> "tcp","host":"10.73.199.197","port":"24007"}]},}'
> 
> Currently it will commit the content and then report an incredibly
> useless error message when trying to re-open the committed image:
> 
>   qemu-img: invalid URI
>   Usage: 
> file=gluster[+transport]://[host[:port]]volume/path[?socket=...][,file.debug=N][,file.logfile=/path/filename.log]
> 
> With this fix we get:
> 
>   qemu-img: invalid URI json:{"server.0.host": "10.73.199.197",
>   "driver": "gluster", "path": "luks.qcow2", "server.0.type":
>   "tcp", "server.0.port": "24007", "volume": "gv0"}
> 
> Of course the root cause problem still exists, but now we know
> what actually needs fixing.
> 
> Signed-off-by: Daniel P. Berrangé 
> ---
>  block/gluster.c  | 2 +-
>  block/sheepdog.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/block/gluster.c b/block/gluster.c
> index 0f4265a3a4..0215e19087 100644
> --- a/block/gluster.c
> +++ b/block/gluster.c
> @@ -660,7 +660,7 @@ static struct glfs 
> *qemu_gluster_init(BlockdevOptionsGluster *gconf,
>  if (filename) {
>  ret = qemu_gluster_parse_uri(gconf, filename);
>  if (ret < 0) {
> -error_setg(errp, "invalid URI");
> +error_setg(errp, "invalid URI %s", filename);
>  error_append_hint(errp, "Usage: file=gluster[+transport]://"
>  "[host[:port]]volume/path[?socket=...]"
>  "[,file.debug=N]"
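
Review bot: the two drivers now format the same error differently: this hunk prints "invalid URI %s" with the filename unquoted, while the block/sheepdog.c hunk below uses "invalid URI '%s'". Quote it here as well, so that a filename containing spaces or a long json:{...} string, like the one in the commit message, is clearly delimited from the rest of the error text.
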
> diff --git a/block/sheepdog.c b/block/sheepdog.c
> index f684477328..c847ab6c98 100644
> --- a/block/sheepdog.c
> +++ b/block/sheepdog.c
> @@ -1050,7 +1050,7 @@ static void sd_parse_uri(SheepdogConfig *cfg, const 
> char *filename,
>  
>  cfg->uri = uri = uri_parse(filename);
>  if (!uri) {
> -error_setg(, "invalid URI");
> +error_setg(, "invalid URI '%s'", filename);
>  goto out;
>  }
>  
> -- 
> 2.14.3
> 

Thanks,

Applied to my block branch:

git://github.com/codyprime/qemu-kvm-jtc block

-Jeff



Re: [Qemu-devel] [PATCH] sii3112: Remove unneeded exit function

2018-03-06 Thread John Snow


On 03/06/2018 09:23 PM, David Gibson wrote:
> On Wed, Mar 07, 2018 at 12:15:15AM +0100, BALATON Zoltan wrote:
>> An exit function was mistakenly left here but it's not needed because
>> the PCI bars are organised differently in this device. Calling this
>> exit function during device_del was causing an abort with
>> memory_region_del_subregion: `Assertion subregion->container == mr' failed.
>>
>> Reported-by: Thomas Huth 
>> Signed-off-by: BALATON Zoltan 
> 
> Applied to ppc-for-2.12, thanks.
> 

Beat me to it, thanks! I'm a little distracted right now.

>> ---
>>  hw/ide/sii3112.c | 12 
>>  1 file changed, 12 deletions(-)
>>
>> diff --git a/hw/ide/sii3112.c b/hw/ide/sii3112.c
>> index e3896c6..743a50e 100644
>> --- a/hw/ide/sii3112.c
>> +++ b/hw/ide/sii3112.c
>> @@ -327,17 +327,6 @@ static void sii3112_pci_realize(PCIDevice *dev, Error 
>> **errp)
>>  qemu_register_reset(sii3112_reset, s);
>>  }
>>  
>> -static void sii3112_pci_exitfn(PCIDevice *dev)
>> -{
>> -PCIIDEState *d = PCI_IDE(dev);
>> -int i;
>> -
>> -for (i = 0; i < 2; ++i) {
>> -memory_region_del_subregion(>bmdma_bar, >bmdma[i].extra_io);
>> -memory_region_del_subregion(>bmdma_bar, 
>> >bmdma[i].addr_ioport);
>> -}
>> -}
>> -
>>  static void sii3112_pci_class_init(ObjectClass *klass, void *data)
>>  {
>>  DeviceClass *dc = DEVICE_CLASS(klass);
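
Review bot: with sii3112_pci_exitfn() removed the device has no exit hook at all, yet the context line at the top of this hunk shows realize still calling `qemu_register_reset(sii3112_reset, s)`. It is worth confirming that the reset handler is unregistered on device_del by some other path, since otherwise it keeps a pointer to the freed device state; if that is already handled, a sentence in the commit message saying where would close the question.
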
>> @@ -348,7 +337,6 @@ static void sii3112_pci_class_init(ObjectClass *klass, 
>> void *data)
>>  pd->class_id = PCI_CLASS_STORAGE_RAID;
>>  pd->revision = 1;
>>  pd->realize = sii3112_pci_realize;
>> -pd->exit = sii3112_pci_exitfn;
>>  dc->desc = "SiI3112A SATA controller";
>>  set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
>>  }
> 



Re: [Qemu-devel] [PATCH] sii3112: Remove unneeded exit function

2018-03-06 Thread David Gibson
On Wed, Mar 07, 2018 at 12:15:15AM +0100, BALATON Zoltan wrote:
> An exit function was mistakenly left here but it's not needed because
> the PCI bars are organised differently in this device. Calling this
> exit function during device_del was causing an abort with
> memory_region_del_subregion: `Assertion subregion->container == mr' failed.
> 
> Reported-by: Thomas Huth 
> Signed-off-by: BALATON Zoltan 

Applied to ppc-for-2.12, thanks.

> ---
>  hw/ide/sii3112.c | 12 
>  1 file changed, 12 deletions(-)
> 
> diff --git a/hw/ide/sii3112.c b/hw/ide/sii3112.c
> index e3896c6..743a50e 100644
> --- a/hw/ide/sii3112.c
> +++ b/hw/ide/sii3112.c
> @@ -327,17 +327,6 @@ static void sii3112_pci_realize(PCIDevice *dev, Error 
> **errp)
>  qemu_register_reset(sii3112_reset, s);
>  }
>  
> -static void sii3112_pci_exitfn(PCIDevice *dev)
> -{
> -PCIIDEState *d = PCI_IDE(dev);
> -int i;
> -
> -for (i = 0; i < 2; ++i) {
> -memory_region_del_subregion(>bmdma_bar, >bmdma[i].extra_io);
> -memory_region_del_subregion(>bmdma_bar, >bmdma[i].addr_ioport);
> -}
> -}
> -
>  static void sii3112_pci_class_init(ObjectClass *klass, void *data)
>  {
>  DeviceClass *dc = DEVICE_CLASS(klass);
> @@ -348,7 +337,6 @@ static void sii3112_pci_class_init(ObjectClass *klass, 
> void *data)
>  pd->class_id = PCI_CLASS_STORAGE_RAID;
>  pd->revision = 1;
>  pd->realize = sii3112_pci_realize;
> -pd->exit = sii3112_pci_exitfn;
>  dc->desc = "SiI3112A SATA controller";
>  set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
>  }

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH 01/19] uninorth: trivial style fixups

2018-03-06 Thread David Gibson
On Tue, Mar 06, 2018 at 08:30:45PM +, Mark Cave-Ayland wrote:
> This makes sure we keep patchew/checkpatch happy during the remainder of this
> patchset.
> 
> Signed-off-by: Mark Cave-Ayland 

Applied, thanks.

> ---
>  hw/pci-host/uninorth.c | 29 +++--
>  1 file changed, 19 insertions(+), 10 deletions(-)
> 
> diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
> index 66991da975..710818e355 100644
> --- a/hw/pci-host/uninorth.c
> +++ b/hw/pci-host/uninorth.c
> @@ -272,7 +272,6 @@ PCIBus *pci_pmac_u3_init(qemu_irq *pic,
>  UNINState *d;
>  
>  /* Uninorth AGP bus */
> -
>  dev = qdev_create(NULL, TYPE_U3_AGP_HOST_BRIDGE);
>  qdev_init_nofail(dev);
>  s = SYS_BUS_DEVICE(dev);
> @@ -302,16 +301,23 @@ PCIBus *pci_pmac_u3_init(qemu_irq *pic,
>  
>  static void unin_main_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -d->config[0x34] = 0x00; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer */
> +d->config[0x34] = 0x00;
>  }
>  
>  static void unin_agp_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -//d->config[0x34] = 0x80; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer
> +d->config[0x34] = 0x80; */
> +
>  /*
>   * Set kMacRISCPCIAddressSelect (0x48) register to indicate PCI
>   * memory space with base 0x8000, size 0x1000 for Apple's
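
Review bot: in unin_agp_pci_host_realize() the disabled assignment is now folded into the comment as `/* capabilities_pointer` followed by `d->config[0x34] = 0x80; */`, which reads as live code at a glance and hides that this bridge, unlike unin_main_pci_host_realize() and unin_internal_pci_host_realize(), never sets config[0x34]. Either drop the dead line or keep a one-line comment stating why the capabilities pointer is left unset here.
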
> @@ -333,9 +339,12 @@ static void u3_agp_pci_host_realize(PCIDevice *d, Error 
> **errp)
>  
>  static void unin_internal_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -d->config[0x34] = 0x00; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer */
> +d->config[0x34] = 0x00;
>  }
>  
>  static void unin_main_pci_host_class_init(ObjectClass *klass, void *data)

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [PATCH qemu v7 2/4] vfio/pci: Relax DMA map errors for MMIO regions

2018-03-06 Thread Alexey Kardashevskiy
On 26/02/18 19:36, Alexey Kardashevskiy wrote:
> On 19/02/18 13:46, Alexey Kardashevskiy wrote:
>> On 16/02/18 16:28, David Gibson wrote:
>>> On Wed, Feb 14, 2018 at 08:55:41AM -0700, Alex Williamson wrote:
>>>> On Wed, 14 Feb 2018 19:09:16 +1100
>>>> Alexey Kardashevskiy wrote:
>>>>
>>>>> On 14/02/18 12:33, David Gibson wrote:
>>>>>> On Tue, Feb 13, 2018 at 07:20:56PM +1100, Alexey Kardashevskiy wrote:
>>>>>>> On 13/02/18 16:41, David Gibson wrote:
>>>>>>>> On Tue, Feb 13, 2018 at 04:36:30PM +1100, David Gibson wrote:
>>>>>>>>> On Tue, Feb 13, 2018 at 12:15:52PM +1100, Alexey Kardashevskiy wrote:
>>>>>>>>>> On 13/02/18 03:06, Alex Williamson wrote:
>>>>>>>>>>> On Mon, 12 Feb 2018 18:05:54 +1100
>>>>>>>>>>> Alexey Kardashevskiy wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 12/02/18 16:19, David Gibson wrote:
>>>>>>>>>>>>> On Fri, Feb 09, 2018 at 06:55:01PM +1100, Alexey Kardashevskiy wrote:
>>>>>>>>>>>>>> At the moment if vfio_memory_listener is registered in the system memory
>>>>>>>>>>>>>> address space, it maps/unmaps every RAM memory region for DMA.
>>>>>>>>>>>>>> It expects system page size aligned memory sections so vfio_dma_map
>>>>>>>>>>>>>> would not fail and so far this has been the case. A mapping failure
>>>>>>>>>>>>>> would be fatal. A side effect of such behavior is that some MMIO pages
>>>>>>>>>>>>>> would not be mapped silently.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> However we are going to change MSIX BAR handling so we will end having
>>>>>>>>>>>>>> non-aligned sections in vfio_memory_listener (more details is in
>>>>>>>>>>>>>> the next patch) and vfio_dma_map will exit QEMU.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In order to avoid fatal failures on what previously was not a failure and
>>>>>>>>>>>>>> was just silently ignored, this checks the section alignment to
>>>>>>>>>>>>>> the smallest supported IOMMU page size and prints an error if not aligned;
>>>>>>>>>>>>>> it also prints an error if vfio_dma_map failed despite the page size check.
>>>>>>>>>>>>>> Both errors are not fatal; only MMIO RAM regions are checked
>>>>>>>>>>>>>> (aka "RAM device" regions).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If the amount of errors printed is overwhelming, the MSIX relocation
>>>>>>>>>>>>>> could be used to avoid excessive error output.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is unlikely to cause any behavioral change.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Signed-off-by: Alexey Kardashevskiy
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are some relatively superficial problems noted below.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But more fundamentally, this feels like it's extending an existing
>>>>>>>>>>>>> hack past the point of usefulness.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The explicit check for is_ram_device() here has always bothered me -
>>>>>>>>>>>>> it's not like a real bus bridge magically knows whether a target
>>>>>>>>>>>>> address maps to RAM or not.
>>>>>>>>>>>>>
>>>>>>>>>>>>> What I think is really going on is that even for systems without an
>>>>>>>>>>>>> IOMMU, it's not really true to say that the PCI address space maps
>>>>>>>>>>>>> directly onto address_space_memory.  Instead, there's a large, but
>>>>>>>>>>>>> much less than 2^64 sized, "upstream window" at address 0 on the PCI
>>>>>>>>>>>>> bus, which is identity mapped to the system bus.  Details will vary
>>>>>>>>>>>>> with the system, but in practice we expect nothing but RAM to be in
>>>>>>>>>>>>> that window.  Addresses not within that window won't be mapped to the
>>>>>>>>>>>>> system bus but will just be broadcast on the PCI bus and might be
>>>>>>>>>>>>> picked up as a p2p transaction.
>>>>>>>>>>>>
>>>>>>>>>>>> Currently this p2p works only via the IOMMU, direct p2p is not possible as
>>>>>>>>>>>> the guest needs to know physical MMIO addresses to make p2p work and it
>>>>>>>>>>>> does not.
>>>>>>>>>>>
>>>>>>>>>>> /me points to the Direct Translated P2P section of the ACS spec, though
>>>>>>>>>>> it's as prone to spoofing by the device as ATS.  In any case, p2p
>>>>>>>>>>> reflected from the IOMMU is still p2p and offloads the CPU even if
>>>>>>>>>>> bandwidth suffers vs bare metal depending on if the data doubles back
>>>>>>>>>>> over any links.  Thanks,
>>>>>>>>>>
>>>>>>>>>> Sure, I was just saying that p2p via IOMMU won't be as simple as broadcast
>>>>>>>>>> on the PCI bus, IOMMU needs to be programmed in advance to make this work,
>>>>>>>>>> and current that broadcast won't work for the passed through devices.
>>>>>>>>>
>>>>>>>>> Well, sure, p2p in a guest with passthrough devices clearly needs to
>>>>>>>>> be translated through the IOMMU (and p2p from a passthrough to an

Re: [Qemu-devel] [PATCH V3 0/4] vfio: Introduce Live migration capability to vfio_mdev device

2018-03-06 Thread Tian, Kevin
> From: Zhang, Yulei
> Sent: Tuesday, March 6, 2018 9:35 PM
> 
> Hi Kirti,
> 
> Yes, that is the plan and we will address it in the coming versions.
> In this version we just rebase the code and looking for more inputs.

It's not how a new version is expected to provide. For review
comments which you received from previous versions, you need
echo them in the new version where 'echo' means either fix and list
in change list or providing a TODO list for unhandled comments 
so reviewers know what to further look at. Also rebase usually
doesn't bear a new version...

btw when describing change list of version history, please use v2->v3
instead of vice versa.

Thanks
Kevin

> 
> Thanks,
> Yulei
> 
> > -Original Message-
> > From: Kirti Wankhede [mailto:kwankh...@nvidia.com]
> > Sent: Monday, March 5, 2018 9:03 PM
> > To: Zhang, Yulei ; qemu-devel@nongnu.org
> > Cc: Tian, Kevin ; zhen...@linux.intel.com;
> > alex.william...@redhat.com
> > Subject: Re: [PATCH V3 0/4] vfio: Introduce Live migration capability to
> > vfio_mdev device
> >
> > Hi Yulei Zhang,
> >
> > This series is same as the previous version, that is, there is no pre-copy
> > phase. This only takes care of stop-and-copy phase.
> > As per we discussed in KVM Forum 2017 in October, there should be
> > provision of pre-copy phase.
> >
> > Thanks,
> > Kirti
> >
> > On 3/5/2018 11:30 AM, Yulei Zhang wrote:
> > > Summary
> > >
> > > This series RFC would like to resume the discussion about how to
> > > introduce the live migration capability to vfio mdev device.
> > >
> > > By adding a new vfio subtype region VFIO_REGION_SUBTYPE_DEVICE_STATE,
> > > the mdev device will be set to migratable if the new region exist
> > > during the initialization.
> > >
> > > The intention to add the new region is using it for mdev device status
> > > save and restore during the migration. The access to this region will
> > > be trapped and forward to the mdev device driver, it also uses the
> > > first byte in the new region to control the running state of mdev
> > > device, so during the migration after stop the mdev driver, qemu could
> > > retrieve the specific device status from this region and transfer to
> > > the target VM side for the mdev device restore.
> > >
> > > In addition, we add one new ioctl VFIO_IOMMU_GET_DIRTY_BITMAP to help
> > > do the mdev device dirty page synchronization during the migration,
> > > currently it is just for static copy, in the future we would like to
> > > add new interface for the pre-copy.
> > >
> > > Below is the vfio_mdev device migration sequence Source VM side:
> > >   start migration
> > >   |
> > >   V
> > >get the cpu state change callback, write to the
> > >subregion's first byte to stop the mdev device
> > >   |
> > >   V
> > >query the dirty page bitmap from iommu container
> > >and add into qemu dirty list for synchronization
> > >   |
> > >   V
> > >save the device status into Qemufile which is
> > >  read from the vfio device subregion
> > >
> > > Target VM side:
> > >  restore the mdev device after get the
> > >saved status context from Qemufile
> > >   |
> > >   V
> > >get the cpu state change callback
> > >write to subregion's first byte to
> > >   start the mdev device to put it in
> > >   running status
> > >   |
> > >   V
> > >   finish migration
> > >
> > > V3->V2:
> > > 1. rebase the patch to Qemu stable 2.10 branch.
> > > 2. use a common name for the subregion instead of specific for
> > >intel IGD.
> > >
> > > V1->V2:
> > > Per Alex's suggestion:
> > > 1. use device subtype region instead of VFIO PCI fixed region.
> > > 2. remove unnecessary ioctl, use the first byte of subregion to
> > >control the running state of mdev device.
> > > 3. for dirty page synchronization, implement the interface with
> > >VFIOContainer instead of vfio pci device.
> > >
> > > Yulei Zhang (4):
> > >   vfio: introduce a new VFIO subregion for mdev device migration support
> > >   vfio: Add vm status change callback to stop/restart the mdev device
> > >   vfio: Add struct vfio_vmstate_info to introduce put/get callback
> > > funtion for vfio device status save/restore
> > >   vifo: introduce new VFIO ioctl VFIO_IOMMU_GET_DIRTY_BITMAP
> > >
> > >  hw/vfio/common.c  |  34 +
> > >  hw/vfio/pci.c | 171
> > +-
> > >  hw/vfio/pci.h |   1 +
> > >  include/hw/vfio/vfio-common.h |   1 +
> > >  linux-headers/linux/vfio.h|  

Re: [Qemu-devel] [PATCH QEMU v1 0/4] multiboot: bss_end_addr can be zero / cleanup

2018-03-06 Thread Jack Schwartz

Hi Kevin and everyone.

On 2018-03-05 00:13, Kevin Wolf wrote:
> On 02.03.2018 at 20:32, Jack Schwartz wrote:
>> Hi Kevin.
>>
>> On 2018-01-15 07:54, Kevin Wolf wrote:
>>> On 21.12.2017 at 18:25, Jack Schwartz wrote:
>>>> Properly account for the possibility of multiboot kernels with a zero
>>>> bss_end_addr.  The Multiboot Specification, section 3.1.3 allows for
>>>> kernels without a bss section, by allowing a zeroed bss_end_addr multiboot
>>>> header field.
>>>>
>>>> Do some cleanup to multiboot.c as well:
>>>> - Remove some unused variables.
>>>> - Use more intuitive header names when displaying fields in messages.
>>>> - Change fprintf(stderr...) to error_report
>>>
>>> There are some conflicts with Anatol's (CCed) multiboot series:
>>> https://lists.nongnu.org/archive/html/qemu-devel/2017-10/msg03003.html
>>>
>>> None of these should be hard to resolve, but it would be good if you
>>> could agree with each other whose patch series should come first, and
>>> then the other one should be rebased on top of that.
>>>
>>>> Testing:
>>>> 1) Ran the "make check" test suite.
>>>> 2) Booted multiboot kernel with bss_end_addr=0.  (I rolled my own
>>>>    grub multiboot.elf test "kernel" by modifying source.)  Verified
>>>>    with gdb that new code that reads addresses/offsets from multiboot
>>>>    header was accessed.
>>>> 3) Booted multiboot kernel with non-zero bss_end_addr.
>>>> 4) Uncommented DEBUG_MULTIBOOT in multiboot.c and verified messages worked.
>>>> 5) Code has soaked in an internal repo for two months.
>>>
>>> Can you integrate your test kernel from 2) in tests/multiboot/ so we can
>>> keep this as a regression test?
>>
>> If need be, would you be willing to accept updated versions of these patches
>> (with another review, of course) without the test file?  I will deliver the
>> test file later once I get company approvals.  I don't want the test file to
>> continue holding everything up in the meantime.
>
> Sure, let's move forward with what we have now. Please keep me CCed when
> you send a new version and I'll give it a review and hopefully get it
> merged.
>
> Kevin

Thanks, Kevin.

Patches have not changed, and I verified they still work on a current 
repo.  (Multiboot.c has had a one-line change regarding a header file, 
so I rebuilt and re-tested to make sure.)


Links again, for your reference:

1/4 multiboot: bss_end_addr can be zero
http://patchwork.ozlabs.org/patch/852049/

2/4 multiboot: Remove unused variables from multiboot.c
http://patchwork.ozlabs.org/patch/852045/

3/4 multiboot: Use header names when displaying fields
http://patchwork.ozlabs.org/patch/852046/

4/4 multiboot: fprintf(stderr...) -> error_report()
http://patchwork.ozlabs.org/patch/852051/

    Thanks,
    Jack



Re: [Qemu-devel] [PATCH] build-sys: make help could have 'modules' target

2018-03-06 Thread Fam Zheng
On Tue, 03/06 17:17, Marc-André Lureau wrote:
> Available when configure --enable-modules.
> 
> Signed-off-by: Marc-André Lureau 
> ---
>  Makefile | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/Makefile b/Makefile
> index 9a75c48ae0..5d9ef3b8fd 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1046,6 +1046,9 @@ include $(SRC_PATH)/tests/vm/Makefile.include
>  help:
>   @echo  'Generic targets:'
>   @echo  '  all - Build all'
> +ifdef CONFIG_MODULES
> + @echo  '  modules - Build all modules'
> +endif

Hi Marc-André,

I'd just remove the 'ifdef' condition and include the line everywhere, since
this is the help. The behavior is fine even without running ./configure:

$ make modules
make: Nothing to be done for 'modules'.
$ make all
make: Nothing to be done for 'all'.

Fam



Re: [Qemu-devel] [PATCH 1/1] scsi-disk.c: consider bl->max_transfer in INQUIRY emulation

2018-03-06 Thread Fam Zheng
On Tue, 03/06 12:44, Daniel Henrique Barboza wrote:
> The calculation of the max_transfer attribute of BlockDriverState
> makes considerations such as max_segments and transfer_length via
> the BLKSECTGET ioctl (if available).
> 
> However, bl->max_transfer isn't considered when emulating the INQUIRY
> 'Block Limit' response to the scsi-hd devices. This leads to situations
> where the declared max_sectors from the INQUIRY response is inconsistent
> with the block limits, which isn't ideal. It can also be misleading to the
> user that sets /sys/block//queue/max_sectors_kb to a certain
> value, then finds a different value in the guest OS for the same disk.
> 
> Following the same logic scsi_read_complete from scsi-generic.c does
> when patching the response of the Block Limits VPD back to the guest,
> change the max_io_sectors value of the emulated Block Limits VPD
> response by considering the blk_get_max_transfer of the related
> BlockDriverState. Use MIN_NOT_ZERO to be sure that the minimal
> value is chosen.
> 
> Given that we're changing max_io_sectors, consider that min_io_sectors
> and opt_io_sectors can't be greater than the new calculated value.
> 
> Signed-off-by: Daniel Henrique Barboza 
> ---
>  hw/scsi/scsi-disk.c | 15 +++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
> index 49d2559d93..c65c1ce56d 100644
> --- a/hw/scsi/scsi-disk.c
> +++ b/hw/scsi/scsi-disk.c
> @@ -704,6 +704,21 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, 
> uint8_t *outbuf)
>  page_code);
>  return -1;
>  }
> +if (s->qdev.type == TYPE_DISK) {
> +int max_transfer_blk = 
> blk_get_max_transfer(s->qdev.conf.blk);
> +int max_io_sectors_blk =
> +max_transfer_blk / s->qdev.blocksize;
> +
> +max_io_sectors =
> +MIN_NON_ZERO(max_io_sectors_blk, max_io_sectors);
> +
> +/* min_io_size and opt_io_size can't be greater than
> + * max_io_sectors */
> +min_io_size =
> +MIN_NON_ZERO(min_io_size, max_io_sectors);
> +opt_io_size =
> +MIN_NON_ZERO(opt_io_size, max_io_sectors);
> +}
>  /* required VPD size with unmap support */
>  buflen = 0x40;
>  memset(outbuf + 4, 0, buflen - 4);
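Review bot: in the added TYPE_DISK block, `MIN_NON_ZERO(min_io_size, max_io_sectors)` and `MIN_NON_ZERO(opt_io_size, max_io_sectors)` evaluate to max_io_sectors whenever the first argument is 0, so a disk whose min_io_size or opt_io_size was left unset would start reporting max_io_sectors in those fields instead of 0. If 0 is meant to stay "not reported", clamp only non-zero values, for example `if (opt_io_size) { opt_io_size = MIN(opt_io_size, max_io_sectors); }`. The commit message also calls the macro MIN_NOT_ZERO while the code uses MIN_NON_ZERO; please align the two.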
> -- 
> 2.14.3
> 

Reviewed-by: Fam Zheng 




Re: [Qemu-devel] [PATCH] trace: only permit standard C types and fixed size integer types

2018-03-06 Thread Fam Zheng
On Tue, 03/06 16:20, Daniel P. Berrangé wrote:
> On Tue, Mar 06, 2018 at 08:05:18AM -0800, no-re...@patchew.org wrote:
> > Hi,
> > 
> > This series failed docker-mingw@fedora build test. Please find the testing 
> > commands and
> > their output below. If you have Docker installed, you can probably 
> > reproduce it
> > locally.
> > 
> > Type: series
> > Message-id: 20180306154625.23910-1-berra...@redhat.com
> > Subject: [Qemu-devel] [PATCH] trace: only permit standard C types and fixed 
> > size integer types
> > 
> > Traceback (most recent call last):
> >   File "/tmp/qemu-test/src/scripts/tracetool.py", line 154, in 
> > main(sys.argv)
> >   File "/tmp/qemu-test/src/scripts/tracetool.py", line 145, in main
> > events.extend(tracetool.read_events(fh))
> >   File "/tmp/qemu-test/src/scripts/tracetool/__init__.py", line 358, in 
> > read_events
> > event = Event.build(line)
> >   File "/tmp/qemu-test/src/scripts/tracetool/__init__.py", line 280, in 
> > build
> > args = Arguments.build(groups["args"])
> >   File "/tmp/qemu-test/src/scripts/tracetool/__init__.py", line 134, in 
> > build
> > validate_type(arg_type)
> >   File "/tmp/qemu-test/src/scripts/tracetool/__init__.py", line 87, in 
> > validate_type
> > "declared as 'void *'" % name)
> > ValueError: Error on line 95: Argument type 'hwaddr' is not in whitelist. 
> > Only standard C types and fixed size integer types should be used. struct, 
> > union, and other complex pointer types should be declared as 'void *'
> 
> 
> This nicely illustrates this patch working as documented !
> 
> The fix for the "hwaddr" mistake was just merged in QEMU git master, so
> if patchew can be re-run, applying to latest master it should pass.

Manually initiated re-apply and re-run.

Fam
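The kind of check that produced the traceback quoted above can be sketched as follows. This is an added example, not QEMU's tracetool code: the whitelist contents, the event-line regex and the sample lines are constructed for illustration.

```python
import re

# Constructed whitelist for this example (an assumption, not QEMU's list).
ALLOWED_TYPES = {
    "void", "bool", "char", "short", "int", "long", "float", "double",
    "signed", "unsigned", "size_t", "ssize_t", "uintptr_t", "ptrdiff_t",
    "int8_t", "uint8_t", "int16_t", "uint16_t",
    "int32_t", "uint32_t", "int64_t", "uint64_t",
}

# name(type arg, type arg) "format ..."; the format part is not inspected.
EVENT_RE = re.compile(r"^(?P<name>\w+)\((?P<args>[^)]*)\)\s*(?P<fmt>.*)$")


def validate_type(arg_type):
    """Raise ValueError unless every word of arg_type is whitelisted."""
    for word in arg_type.split():
        word = word.strip("*")          # "char *" and "void **" keep their base word
        if word in ("", "const"):
            continue
        if word not in ALLOWED_TYPES:
            raise ValueError("Argument type '%s' is not in whitelist" % word)


def parse_args(arg_str):
    """Split 'type name, type *name' into validated (type, name) pairs."""
    args = []
    for arg in arg_str.split(","):
        arg = arg.strip()
        if not arg or arg == "void":
            continue
        if "*" in arg:
            arg_type, ident = arg.rsplit("*", 1)
            arg_type += "*"
        else:
            parts = arg.rsplit(None, 1)
            if len(parts) != 2:
                raise ValueError("Missing argument name in '%s'" % arg)
            arg_type, ident = parts
        if not ident.strip():
            raise ValueError("Missing argument name in '%s'" % arg)
        validate_type(arg_type)
        args.append((arg_type.strip(), ident.strip()))
    return args


def check_events(lines):
    """Return (events, errors); errors are (line number, message) pairs."""
    events, errors = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = EVENT_RE.match(line)
        if match is None:
            errors.append((lineno, "cannot parse event"))
            continue
        try:
            events.append((match.group("name"), parse_args(match.group("args"))))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return events, errors


# Constructed sample input in trace-events style.
SAMPLE = [
    "# constructed trace-events lines",
    'blk_read(void *blk, uint64_t offset, unsigned int bytes) "blk %p offset %"PRIu64" bytes %u"',
    'mmio_write(hwaddr addr, uint32_t val) "addr 0x%"PRIx64" val 0x%x"',
    'dev_reset(struct Device *dev) "dev %p"',
    'str_event(const char *name) "%s"',
]

if __name__ == "__main__":
    ok, bad = check_events(SAMPLE)
    for lineno, message in bad:
        print("Error on line %d: %s" % (lineno, message))
```

Collecting errors per line instead of raising on the first one lets a CI job report every offending event in a single run.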



Re: [Qemu-devel] [PATCH] trace: only permit standard C types and fixed size integer types

2018-03-06 Thread Fam Zheng
On Tue, 03/06 16:22, Daniel P. Berrangé wrote:
> RFE for patchew...
> 
> Now we're sending separate email alerts for each build job, can we
> make patchew include the job name in the subject line, so it is
> immediately obvious which job failed without needing to read the
> body.

Yes, doable. Do we still want the original subject (The "Re: ..." part)? If so,
any idea what is a good format for the full subject line?

Fam



Re: [Qemu-devel] [PULL] RISC-V QEMU Port Submission v8.2

2018-03-06 Thread Michael Clark
FYI - Travis completed builds for v8.2 and it's all green.

- https://travis-ci.org/riscv/riscv-qemu/builds/349981074

The Travis folks kindly bumped our build timeout limit so we can run the
full upstream Travis checks. I've manually tested Linux in all of the
relevant machines, including SMP in the RISC-V virt machine, along with
embedded binaries for the SiFive E series MCU. We test 'sifive_e' with MCU
samples from SiFive's Freedom E SDK. The Freedom U SDK has a
Linux buildroot setup for testing the 'virt' machine. There is additional
documentation on the wiki, such as links to the Fedora images that Richard
W. M. Jones et al have been working on.

- https://github.com/sifive/freedom-e-sdk/
- https://github.com/sifive/freedom-u-sdk/
- https://github.com/riscv/riscv-qemu/wiki

Hopefully, this PR gets merged...

On Wed, Mar 7, 2018 at 8:46 AM, Michael Clark  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> The following changes since commit f32408f3b472a088467474ab152be3
> b6285b2d7b:
>
>   misc: don't use hwaddr as a type in trace events (2018-03-06 14:24:30
> +)
>
> are available in the git repository at:
>
>   https://github.com/riscv/riscv-qemu.git tags/riscv-qemu-upstream-v8.2
>
> for you to fetch changes up to 7051b081bf6796e5e84406f6223a7c4900bf7298:
>
>   RISC-V - Remove support for adhoc non-standard X_COP local-interrupt
> (2018-03-07 08:36:03 +1300)
>
> - 
> QEMU RISC-V Emulation Support (RV64GC, RV32GC)
>
> This release renames the SiFive machines to sifive_e and sifive_u
> to represent the SiFive Everywhere and SiFive Unleashed platforms.
> SiFive has configurable soft-core IP, so it is intended that these
> machines will be extended to enable a variety of SiFive IP blocks.
> The CPU definition infrastructure has been improved and there are
> now vendor CPU modules including the SiFive E31, E51, U34 and U54
> cores. The emulation accuracy for the E series has been improved
> by disabling the MMU for the E series. S mode has been disabled on
> cores that only support M mode and U mode. The two Spike machines
> that support two privileged ISA versions have been coalesced into
> one file. This series has Signed-off-by from the core contributors.
>
> *** Known Issues ***
>
> * Disassembler has some checkpatch warnings for the sake of code brevity
> * scripts/qemu-binfmt-conf.sh has checkpatch warnings due to line length
> * PMP (Physical Memory Protection) is as-of-yet unused and needs testing
>
> *** Changelog ***
>
> v8.2
>
> * Rebase
>
> v8.1
>
> * Fix missed case of renaming spike_v1.9 to spike_v1.9.1
>
> v8
>
> * Added linux-user/riscv/target_elf.h during rebase
> * Make resetvec configurable and clear mpp and mie on reset
> * Use SiFive E31, E51, U34 and U54 cores in SiFive machines
> * Define SiFive E31, E51, U34 and U54 cores
> * Refactor CPU core definition in preparation for vendor cores
> * Prevent S or U mode unless S or U extensions are present
> * SiFive E Series cores have no MMU
> * SiFive E Series cores have U mode
> * Make privileged ISA v1.10 implicit in CPU types
> * Remove DRAM_BASE and EXT_IO_BASE as they vary by machine
> * Correctly handle mtvec and stvec alignment with respect to RVC
> * Print more machine mode state in riscv_cpu_dump_state
> * Make riscv_isa_string use compact extension order method
> * Fix bug introduced in v6 RISCV_CPU_TYPE_NAME macro change
> * Parameterize spike v1.9.1 config string
> * Coalesce spike_v1.9.1 and spike_v1.10 machines
> * Rename sifive_e300 to sifive_e, and sifive_u500 to sifive_u
>
> v7
>
> * Make spike_v1.10 the default machine
> * Rename spike_v1.9 to spike_v1.9.1 to match privileged spec version
> * Remove empty target/riscv/trace-events file
> * Monitor ROM 32-bit reset code needs to be target endian
> * Add TARGET_TIOCGPTPEER to linux-user/riscv/termbits.h
> * Add -initrd support to the virt board
> * Fix naming in spike machine interface header
> * Update copyright notice on RISC-V Spike machines
> * Update copyright notice on RISC-V HTIF Console device
> * Change CPU Core and translator to GPLv2+
> * Change RISC-V Disassembler to GPLv2+
> * Change SiFive Test Finisher to GPLv2+
> * Change SiFive CLINT to GPLv2+
> * Change SiFive PRCI to GPLv2+
> * Change SiFive PLIC to GPLv2+
> * Change RISC-V spike machines to GPLv2+
> * Change RISC-V virt machine to GPLv2+
> * Change SiFive E300 machine to GPLv2+
> * Change SiFive U500 machine to GPLv2+
> * Change RISC-V Hart Array to GPLv2+
> * Change RISC-V HTIF device to GPLv2+
> * Change SiFiveUART device to GPLv2+
>
> v6
>
> * Drop IEEE 754-201x minimumNumber/maximumNumber for fmin/fmax
> * Remove some unnecessary commented debug statements
> * Change RISCV_CPU_TYPE_NAME to use riscv-cpu suffix
> * Define all CPU variants for linux-user
> * qemu_log calls require trailing \n
> * Replace PLIC printfs with qemu_log
> * Tear out unused HTIF code and eliminate shouting debug messages
> * Fix 

Re: [Qemu-devel] [PATCH v1 00/22] Spec conformance bug fixes and cleanups

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 12:47 PM, Emilio G. Cota  wrote:

> On Wed, Mar 07, 2018 at 12:07:18 +1300, Michael Clark wrote:
> > BTW Apologies for the duplicate emails. I'm still getting to grips with
> the
> > git-sendemail workflow and was using a sed script to Add Cc's which
> munged
> > the headers as it didn't take into account Subject lines flowing to two
> > lines. I guess I can just include Cc: in the commit message? and
> > git-format-patch will handle it for me? or I just should how to use
> > git-publish...
>
> I don't have experience with git-publish. The following two suggestions
> might help though:
>
> - Yes, add Cc's to individual patches -- those are picked up by send-email.
>   That also applies to the cover letter, although note that if
>   you use --compose then Cc's won't be picked up. Instead, just write
>   the cover letter into a -$cover.patch (with Cc's in there)
>   and do not use --compose.
>
> - Use send-email's --dry-run option to make sure everything looks good
>   without actually sending any emails.


I'll use dry run next time and reword the patches to add 'Cc. The previous
patch series all had subject lines that didn't flow to the next line and I
had script automation to carve up the port. I'm trying to get into a new
habit of making the first line of the patch (Subject) as short as
reasonably possible and instead putting a longer description in the body.
Short subjects and short first lines of commits are better.


> > I still have to work on Igor's requested change to CPU initializer
> > declarations, and i'd also like to get the patch in that fixes fmin/fmax
> > test failures using the riscv-tests testsuite by implementing IEEE-754
> > minimumNumber/maximumNumber. I'll try to get a patch onto the list before
> > soft-freeze. I dropped the patch which was in an earlier version of our
> > port patch series due to a conflict with changes in softfloat (conversion
> > of minmax from a macro to a static function iirc).
>
> Note that if you're fixing a bug (and the fmin/fmax patch qualifies),
> you can definitely get it merged post-soft-freeze.


 Okay. good.


Re: [Qemu-devel] [PATCH v1 00/22] Spec conformance bug fixes and cleanups

2018-03-06 Thread Emilio G. Cota
On Wed, Mar 07, 2018 at 12:07:18 +1300, Michael Clark wrote:
> BTW Apologies for the duplicate emails. I'm still getting to grips with the
> git-sendemail workflow and was using a sed script to Add Cc's which munged
> the headers as it didn't take into account Subject lines flowing to two
> lines. I guess I can just include Cc: in the commit message? and
> git-format-patch will handle it for me? or I just should how to use
> git-publish...

I don't have experience with git-publish. The following two suggestions
might help though:

- Yes, add Cc's to individual patches -- those are picked up by send-email.
  That also applies to the cover letter, although note that if
  you use --compose then Cc's won't be picked up. Instead, just write
  the cover letter into a -$cover.patch (with Cc's in there)
  and do not use --compose.

- Use send-email's --dry-run option to make sure everything looks good
  without actually sending any emails.

> I still have to work on Igor's requested change to CPU initializer
> declarations, and i'd also like to get the patch in that fixes fmin/fmax
> test failures using the riscv-tests testsuite by implementing IEEE-754
> minimumNumber/maximumNumber. I'll try to get a patch onto the list before
> soft-freeze. I dropped the patch which was in an earlier version of our
> port patch series due to a conflict with changes in softfloat (conversion
> of minmax from a macro to a static function iirc).

Note that if you're fixing a bug (and the fmin/fmax patch qualifies),
you can definitely get it merged post-soft-freeze.

E.



Re: [Qemu-devel] [Qemu-ppc] [PATCH 07/19] uninorth: move PCI mmio memory region initialisation into init function

2018-03-06 Thread BALATON Zoltan

On Tue, 6 Mar 2018, Mark Cave-Ayland wrote:

Whilst we are here, rename the memory regions to better reflect whether they
belong to either a PCI or an AGP bus.

Signed-off-by: Mark Cave-Ayland 
---
hw/pci-host/uninorth.c | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
index b081e3c153..5b8fc3aa16 100644
--- a/hw/pci-host/uninorth.c
+++ b/hw/pci-host/uninorth.c
@@ -111,29 +111,39 @@ static const MemoryRegionOps unin_data_ops = {

static void pci_unin_main_init(Object *obj)
{
+UNINState *s = UNI_NORTH_PCI_HOST_BRIDGE(obj);
SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
PCIHostState *h = PCI_HOST_BRIDGE(obj);

/* Use values found on a real PowerMac */
/* Uninorth main bus */
memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",
+   0x1ULL);
+
sysbus_init_mmio(sbd, >conf_mem);
sysbus_init_mmio(sbd, >data_mem);
}

static void pci_u3_agp_init(Object *obj)
{
+UNINState *s = U3_AGP_HOST_BRIDGE(obj);
SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
PCIHostState *h = PCI_HOST_BRIDGE(obj);

/* Uninorth U3 AGP bus */
memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
memory_region_init_io(>data_mem, OBJECT(h), _data_ops, obj,
-  "pci-conf-data", 0x1000);
+  "unin-pci-conf-data", 0x1000);
+
+memory_region_init(>pci_mmio, OBJECT(s), "unin-pci-mmio",


The name of this function and the above comment both suggest this is an 
AGP bus so did you mean to rename these to unin-agp-* instead of 
unin-pci-*?


Regards,
BALATON Zoltan


+   0x1ULL);
+
sysbus_init_mmio(sbd, >conf_mem);
sysbus_init_mmio(sbd, >data_mem);
}
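Review bot: the new memory_region_init() calls for pci_mmio in pci_unin_main_init and pci_u3_agp_init pass OBJECT(s) as the owner, while the memory_region_init_io() calls right above them pass OBJECT(h) and obj. All three are views of the same object, so using one spelling throughout (plain obj would do) makes the ownership easier to read and avoids the impression that the MMIO region belongs to something other than the config regions.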
@@ -145,9 +155,9 @@ static void pci_unin_agp_init(Object *obj)

/* Uninorth AGP bus */
memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-agp-conf-idx", 0x1000);
memory_region_init_io(>data_mem, OBJECT(h), _host_data_le_ops,
-  obj, "pci-conf-data", 0x1000);
+  obj, "unin-agp-conf-data", 0x1000);
sysbus_init_mmio(sbd, >conf_mem);
sysbus_init_mmio(sbd, >data_mem);
}
@@ -159,9 +169,9 @@ static void pci_unin_internal_init(Object *obj)

/* Uninorth internal bus */
memory_region_init_io(>conf_mem, OBJECT(h), _host_conf_le_ops,
-  obj, "pci-conf-idx", 0x1000);
+  obj, "unin-pci-conf-idx", 0x1000);
memory_region_init_io(>data_mem, OBJECT(h), _host_data_le_ops,
-  obj, "pci-conf-data", 0x1000);
+  obj, "unin-pci-conf-data", 0x1000);
sysbus_init_mmio(sbd, >conf_mem);
sysbus_init_mmio(sbd, >data_mem);
}
@@ -182,7 +192,6 @@ UNINState *pci_pmac_init(qemu_irq *pic,
s = SYS_BUS_DEVICE(dev);
h = PCI_HOST_BRIDGE(s);
d = UNI_NORTH_PCI_HOST_BRIDGE(dev);
-memory_region_init(>pci_mmio, OBJECT(d), "pci-mmio", 0x1ULL);
memory_region_init_alias(>pci_hole, OBJECT(d), "pci-hole", >pci_mmio,
 0x8000ULL, 0x1000ULL);
memory_region_add_subregion(address_space_mem, 0x8000ULL,
@@ -247,7 +256,6 @@ UNINState *pci_pmac_u3_init(qemu_irq *pic,
h = PCI_HOST_BRIDGE(dev);
d = U3_AGP_HOST_BRIDGE(dev);

-memory_region_init(>pci_mmio, OBJECT(d), "pci-mmio", 0x1ULL);
memory_region_init_alias(>pci_hole, OBJECT(d), "pci-hole", >pci_mmio,
 0x8000ULL, 0x7000ULL);
memory_region_add_subregion(address_space_mem, 0x8000ULL,





Re: [Qemu-devel] [PATCH v3 2/2] s390x: Change return type of virtio_ccw_exit to void.

2018-03-06 Thread nee
On Tue, Mar 6, 2018 at 2:40 PM, Cornelia Huck  wrote:
> On Tue,  6 Mar 2018 10:07:21 +
> Nia Alarie  wrote:
>
>> Allows a branch to be removed - this function always returns 0.
>>
>> Signed-off-by: Nia Alarie 
>> Reviewed-by: Christian Borntraeger 
>> ---
>>  hw/s390x/virtio-ccw.c | 6 +++---
>>  hw/s390x/virtio-ccw.h | 2 +-
>>  2 files changed, 4 insertions(+), 4 deletions(-)
>
> While your patch is not wrong, I'd prefer to skip changing the exit
> functions and convert virtio-ccw to unrealize instead.
>
> Should not be too hard; do you want to take a stab at it?

Is there any difference in semantics between exit and unrealize aside
from the arguments and return type?



Re: [Qemu-devel] [Qemu-ppc] [PULL 06/11] hw/ide: Emulate SiI3112 SATA controller

2018-03-06 Thread BALATON Zoltan

On Tue, 6 Mar 2018, Thomas Huth wrote:
> On 11.01.2018 05:59, David Gibson wrote:
>> From: BALATON Zoltan
>>
>> This is a common generic PCI SATA controller that is also used in PCs
>> but more importantly guests running on the Sam460ex board prefer this
>> card and have a driver for it (unlike for other SATA controllers
>> already emulated).
>
> Hi,
>
> looks like this new device can now be used to crash QEMU in certain
> circumstances:
>
> $ ppc64-softmmu/qemu-system-ppc64 -monitor stdio
> QEMU 2.11.50 monitor - type 'help' for more information
> (qemu) device_add sii3112,id=x
> (qemu) device_del x
> qemu-system-ppc64: /home/thuth/devel/qemu/memory.c:2346:
> memory_region_del_subregion: Assertion `subregion->container == mr' failed.
> Aborted (core dumped)
>
> Any ideas how to fix this?


Looks like the exit function that causes this crash was left there by 
mistake and is not needed. I've sent a patch to remove it.


Thank you,
BALATON Zoltan



[Qemu-devel] [PATCH] sii3112: Remove unneeded exit function

2018-03-06 Thread BALATON Zoltan
An exit function was mistakenly left here but it's not needed because
the PCI bars are organised differently in this device. Calling this
exit function during device_del was causing an abort with
memory_region_del_subregion: `Assertion subregion->container == mr' failed.

Reported-by: Thomas Huth 
Signed-off-by: BALATON Zoltan 
---
 hw/ide/sii3112.c | 12 
 1 file changed, 12 deletions(-)

diff --git a/hw/ide/sii3112.c b/hw/ide/sii3112.c
index e3896c6..743a50e 100644
--- a/hw/ide/sii3112.c
+++ b/hw/ide/sii3112.c
@@ -327,17 +327,6 @@ static void sii3112_pci_realize(PCIDevice *dev, Error 
**errp)
 qemu_register_reset(sii3112_reset, s);
 }
 
-static void sii3112_pci_exitfn(PCIDevice *dev)
-{
-PCIIDEState *d = PCI_IDE(dev);
-int i;
-
-for (i = 0; i < 2; ++i) {
-memory_region_del_subregion(>bmdma_bar, >bmdma[i].extra_io);
-memory_region_del_subregion(>bmdma_bar, >bmdma[i].addr_ioport);
-}
-}
-
 static void sii3112_pci_class_init(ObjectClass *klass, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
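Review bot: with sii3112_pci_exitfn removed, nothing visible in this hunk undoes the `qemu_register_reset(sii3112_reset, s);` call kept at the end of sii3112_pci_realize. The crash was reported through device_del, so the device can be unplugged, and the reset handler would then stay registered with a pointer to state that is being torn down. Consider keeping a small exit function that calls qemu_unregister_reset(sii3112_reset, s) instead of dropping the hook entirely, or state in the commit message where the handler is released.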
@@ -348,7 +337,6 @@ static void sii3112_pci_class_init(ObjectClass *klass, void 
*data)
 pd->class_id = PCI_CLASS_STORAGE_RAID;
 pd->revision = 1;
 pd->realize = sii3112_pci_realize;
-pd->exit = sii3112_pci_exitfn;
 dc->desc = "SiI3112A SATA controller";
 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
 }
-- 
2.7.6




Re: [Qemu-devel] [PATCH v4 05/11] linux-user: fix mmap/munmap/mprotect/mremap/shmat

2018-03-06 Thread Max Filippov
On Tue, Mar 6, 2018 at 1:40 PM, Laurent Vivier  wrote:
> On 06/03/2018 at 20:34, Max Filippov wrote:
>> In linux-user QEMU that runs for a target with TARGET_ABI_BITS bigger
>> than L1_MAP_ADDR_SPACE_BITS an assertion in page_set_flags fires when
>> mmap, munmap, mprotect, mremap or shmat is called for an address outside
>> the guest address space. mmap and mprotect should return ENOMEM in such
>> case.
>>
>> Introduce macro guest_range_valid that verifies if address range is
>> within guest address space and does not wrap around. Use that macro in
>> mmap/munmap/mprotect/mremap/shmat for error checking.
>>
>> Cc: qemu-sta...@nongnu.org
>> Cc: Riku Voipio 
>> Cc: Laurent Vivier 
>> Signed-off-by: Max Filippov 
>> ---
>> Changes v3->v4:
>> - change GUEST_ADDR_MAX and h2g_valid definitions as suggested by Laurent
>>   Vivier.
>>
>> Changes v2->v3:
>> - fix comparison in guest_valid: it must be 'less' to preserve the existing
>>   functionality, not 'less or equal'.
>> - fix guest_range_valid: it may not use guest_valid, because single range
>>   that occupies all of the guest address space is valid.
>>
>>  include/exec/cpu-all.h  |  4 
>>  include/exec/cpu_ldst.h | 14 --
>>  linux-user/mmap.c   | 20 +++-
>>  linux-user/syscall.c|  3 +++
>>  4 files changed, 30 insertions(+), 11 deletions(-)
>>
>> diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
>> index 0b141683f095..6304cfa7e171 100644
>> --- a/include/exec/cpu-all.h
>> +++ b/include/exec/cpu-all.h
>> @@ -159,8 +159,12 @@ extern unsigned long guest_base;
>>  extern int have_guest_base;
>>  extern unsigned long reserved_va;
>>
>> +#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
>> +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : ~0ul)
>
> In fact, below, for h2g_valid(), reserved_va is ignored in this case, so
> it should be:
>
> #define GUEST_ADDR_MAX (~0ul)
>
> [I know, my bad]
>
>> +#else
>>  #define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
>
> I think it should become "reserved_va ? reserved_va - 1 : \"
> as "reserved_va" is a size but GUEST_ADDR_MAX is the maximum value
> available. See below.

Agree.

>>  (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 
>> 1)
>> +#endif
>>  #else
>>
>>  #include "exec/hwaddr.h"
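Review bot: GUEST_ADDR_MAX has no comment saying whether it is the last valid address or a size, and its arms disagree: `(1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1` is an inclusive maximum, while a bare `reserved_va` is one past the last valid address. Document the define as an inclusive maximum and make every arm follow that, so the comparisons built on it need only one convention.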
>> diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
>> index 191f2e962a3c..22f5df9c8a92 100644
>> --- a/include/exec/cpu_ldst.h
>> +++ b/include/exec/cpu_ldst.h
>> @@ -52,15 +52,17 @@
>>  #define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base))
>>
>>  #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
>> -#define h2g_valid(x) 1
>> +#define guest_valid(x) 1
>>  #else
>> -#define h2g_valid(x) ({ \
>> -unsigned long __guest = (unsigned long)(x) - guest_base; \
>> -(__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
>> -(!reserved_va || (__guest < reserved_va)); \
>> -})
>> +#define guest_valid(x) ((x) < GUEST_ADDR_MAX)
>
> I think it should be ((x) <= GUEST_ADDR_MAX), because
>
> (__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS))
> ->  (__guest <= ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
> ->  (__guest <= GUEST_ADDR_MAX)

Ok

> To work with reserved_va, it has also to be defined as "reserved_va -
> 1". And in open_self_maps() we should have "max = ... :
> (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;" and then we have a "h2g(max - 1)"
> that will correctly return GUEST_ADDR_MAX.

Ok

> Then you don't need the "#if" because if "HOST_LONG_BITS <=
> TARGET_VIRT_ADDR_SPACE_BITS", x is 32bit and GUEST_ADDR_MAX is ~0ul,
> and then ((x) <= GUEST_ADDR_MAX) is always true.

Ok.

>>  #endif
>>
>> +#define h2g_valid(x) guest_valid((unsigned long)(x) - guest_base)
>> +
>> +#define guest_range_valid(start, len) \
>> +({unsigned long l = (len); \
>> + l <= GUEST_ADDR_MAX && (start) <= GUEST_ADDR_MAX - l; })
>> +
>>  #define h2g_nocheck(x) ({ \
>>  unsigned long __ret = (unsigned long)(x) - guest_base; \
>>  (abi_ulong)__ret; \
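Review bot: In guest_range_valid(), `unsigned long l = (len);` narrows the length to the host's long before it is checked, so if len can be wider than unsigned long (a 64-bit guest length on a 32-bit host, for example) a large length is truncated and can pass the test. The bare name `l` can also capture a caller variable of the same name used in the start expression, because start is evaluated after the declaration. A static inline function with explicitly typed parameters avoids both, and a short comment should say whether a zero len is meant to be accepted.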
> ...
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index e24f43c4a259..79245e73784f 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -4900,6 +4900,9 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
>>  return -TARGET_EINVAL;
>>  }
>>  }
>> +if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) {
>
> if shmaddr is NULL, "the system chooses a suitable (unused) address" so
> you can't check this as is.

Why not? guest_range_valid will be true for shmaddr == NULL and all
valid sizes.

-- 
Thanks.
-- Max
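
The range check debated in this thread, written out as an added example (not code from the patch or from QEMU): it treats the maximum as an inclusive last address, as suggested in the review, and never computes start + len. struct guest_space, its fields and the function names are hypothetical stand-ins for reserved_va, TARGET_VIRT_ADDR_SPACE_BITS, guest_valid and guest_range_valid; the sample configurations are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the guest address-space globals in the thread. */
struct guest_space {
    uint64_t reserved_va;   /* size of the reserved region, 0 when unset */
    unsigned virt_bits;     /* plays the role of TARGET_VIRT_ADDR_SPACE_BITS */
};

/* Constructed sample configurations. */
static const struct guest_space GS_32BIT    = { 0, 32 };
static const struct guest_space GS_RESERVED = { 0x10000000u, 32 };
static const struct guest_space GS_64BIT    = { 0, 64 };

/* Highest valid guest address, inclusive. reserved_va is a size, hence the -1. */
static uint64_t guest_addr_max(const struct guest_space *gs)
{
    if (gs->reserved_va) {
        return gs->reserved_va - 1;
    }
    if (gs->virt_bits >= 64) {
        return UINT64_MAX;              /* 1 << 64 would be undefined */
    }
    return ((uint64_t)1 << gs->virt_bits) - 1;
}

/* Single address check against the inclusive maximum. */
static bool guest_valid(const struct guest_space *gs, uint64_t addr)
{
    return addr <= guest_addr_max(gs);
}

/* Naive form, kept for comparison: start + len can wrap around zero. */
static bool range_valid_naive(const struct guest_space *gs,
                              uint64_t start, uint64_t len)
{
    return start + len - 1 <= guest_addr_max(gs);
}

/*
 * Wrap-safe form: [start, start + len) must end at or before the maximum.
 * Only subtractions that cannot underflow are performed, so a range that
 * covers the whole address space is accepted and a wrapping one is not.
 */
static bool range_valid(const struct guest_space *gs,
                        uint64_t start, uint64_t len)
{
    uint64_t max = guest_addr_max(gs);

    if (len == 0) {
        return start <= max;            /* empty range: only start matters */
    }
    return len - 1 <= max && start <= max - (len - 1);
}

int main(void)
{
    uint64_t high = 0xFFFFFFFFFFFFF000ULL;

    printf("whole 32-bit space:   %d\n",
           range_valid(&GS_32BIT, 0, 0x100000000ULL));
    printf("last page, 32-bit:    %d\n",
           range_valid(&GS_32BIT, 0xFFFFF000u, 0x1000));
    printf("one byte too long:    %d\n",
           range_valid(&GS_32BIT, 0xFFFFF000u, 0x1001));
    printf("wrapping, naive:      %d\n",
           range_valid_naive(&GS_32BIT, high, 0x2000));
    printf("wrapping, wrap-safe:  %d\n",
           range_valid(&GS_32BIT, high, 0x2000));
    printf("reserved_va boundary: %d %d\n",
           guest_valid(&GS_RESERVED, 0x0FFFFFFFu),
           guest_valid(&GS_RESERVED, 0x10000000u));
    return 0;
}
```
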



Re: [Qemu-devel] [PATCH] README: Fix typo 'git-publish'

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/05/2018 11:43 PM, Fam Zheng wrote:
> Reported-by: Alberto Garcia 
> Signed-off-by: Fam Zheng 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  README | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/README b/README
> index 7833b97365..49a9fd09cd 100644
> --- a/README
> +++ b/README
> @@ -73,7 +73,7 @@ The QEMU website is also maintained under source control.
>git clone git://git.qemu.org/qemu-web.git
>https://www.qemu.org/2017/02/04/the-new-qemu-website-is-up/
>  
> -A 'git-profile' utility was created to make above process less
> +A 'git-publish' utility was created to make above process less
>  cumbersome, and is highly recommended for making regular contributions,
>  or even just for sending consecutive patch series revisions. It also
>  requires a working 'git send-email' setup, and by default doesn't
> 



Re: [Qemu-devel] [PATCH] migration: fix minor finalize leak

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 02:09 PM, Marc-André Lureau wrote:
> Spotted thanks to ASAN:
> QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 tests/migration-test -p 
> /x86_64/migration/bad_dest
> 
> ==30302==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 48 byte(s) in 1 object(s) allocated from:
> #0 0x7f60efba1a38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38)
> #1 0x7f60eef3cf75 in g_malloc0 ../glib/gmem.c:124
> #2 0x55ca9094702c in error_copy /home/elmarco/src/qemu/util/error.c:203
> #3 0x55ca9037a30f in migrate_set_error 
> /home/elmarco/src/qemu/migration/migration.c:1139
> #4 0x55ca9037a462 in migrate_fd_error 
> /home/elmarco/src/qemu/migration/migration.c:1150
> #5 0x55ca9038162b in migrate_fd_connect 
> /home/elmarco/src/qemu/migration/migration.c:2411
> #6 0x55ca90386e41 in migration_channel_connect 
> /home/elmarco/src/qemu/migration/channel.c:81
> #7 0x55ca9038335e in socket_outgoing_migration 
> /home/elmarco/src/qemu/migration/socket.c:85
> #8 0x55ca9083dd3a in qio_task_complete 
> /home/elmarco/src/qemu/io/task.c:142
> #9 0x55ca9083d6cc in gio_task_thread_result 
> /home/elmarco/src/qemu/io/task.c:88
> #10 0x7f60eef37317 in g_idle_dispatch ../glib/gmain.c:5552
> #11 0x7f60eef3490b in g_main_dispatch ../glib/gmain.c:3182
> #12 0x7f60eef357ac in g_main_context_dispatch ../glib/gmain.c:3847
> #13 0x55ca90927231 in glib_pollfds_poll 
> /home/elmarco/src/qemu/util/main-loop.c:214
> #14 0x55ca90927420 in os_host_main_loop_wait 
> /home/elmarco/src/qemu/util/main-loop.c:261
> #15 0x55ca909275fa in main_loop_wait 
> /home/elmarco/src/qemu/util/main-loop.c:515
> #16 0x55ca8fc1c2a4 in main_loop /home/elmarco/src/qemu/vl.c:1942
> #17 0x55ca8fc2eb3a in main /home/elmarco/src/qemu/vl.c:4724
> #18 0x7f60e4082009 in __libc_start_main (/lib64/libc.so.6+0x21009)
> 
> Indirect leak of 45 byte(s) in 1 object(s) allocated from:
> #0 0x7f60efba1850 in malloc (/lib64/libasan.so.4+0xde850)
> #1 0x7f60eef3cf0c in g_malloc ../glib/gmem.c:94
> #2 0x7f60eef3d1cf in g_malloc_n ../glib/gmem.c:331
> #3 0x7f60eef596eb in g_strdup ../glib/gstrfuncs.c:363
> #4 0x55ca90947085 in error_copy /home/elmarco/src/qemu/util/error.c:204
> #5 0x55ca9037a30f in migrate_set_error 
> /home/elmarco/src/qemu/migration/migration.c:1139
> #6 0x55ca9037a462 in migrate_fd_error 
> /home/elmarco/src/qemu/migration/migration.c:1150
> #7 0x55ca9038162b in migrate_fd_connect 
> /home/elmarco/src/qemu/migration/migration.c:2411
> #8 0x55ca90386e41 in migration_channel_connect 
> /home/elmarco/src/qemu/migration/channel.c:81
> #9 0x55ca9038335e in socket_outgoing_migration 
> /home/elmarco/src/qemu/migration/socket.c:85
> #10 0x55ca9083dd3a in qio_task_complete 
> /home/elmarco/src/qemu/io/task.c:142
> #11 0x55ca9083d6cc in gio_task_thread_result 
> /home/elmarco/src/qemu/io/task.c:88
> #12 0x7f60eef37317 in g_idle_dispatch ../glib/gmain.c:5552
> #13 0x7f60eef3490b in g_main_dispatch ../glib/gmain.c:3182
> #14 0x7f60eef357ac in g_main_context_dispatch ../glib/gmain.c:3847
> #15 0x55ca90927231 in glib_pollfds_poll 
> /home/elmarco/src/qemu/util/main-loop.c:214
> #16 0x55ca90927420 in os_host_main_loop_wait 
> /home/elmarco/src/qemu/util/main-loop.c:261
> #17 0x55ca909275fa in main_loop_wait 
> /home/elmarco/src/qemu/util/main-loop.c:515
> #18 0x55ca8fc1c2a4 in main_loop /home/elmarco/src/qemu/vl.c:1942
> #19 0x55ca8fc2eb3a in main /home/elmarco/src/qemu/vl.c:4724
> #20 0x7f60e4082009 in __libc_start_main (/lib64/libc.so.6+0x21009)
> 
> Signed-off-by: Marc-André Lureau 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  migration/migration.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/migration/migration.c b/migration/migration.c
> index e345d0cc7e..62c243d2d4 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -2541,6 +2541,7 @@ static void migration_instance_finalize(Object *obj)
>  g_free(params->tls_hostname);
>  g_free(params->tls_creds);
>  qemu_sem_destroy(>pause_sem);
> +error_free(ms->error);
>  }
>  
>  static void migration_instance_init(Object *obj)
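Review bot: The commit message consists only of the LeakSanitizer trace; add a sentence stating the cause, namely that the Error the trace shows being allocated by error_copy() under migrate_set_error() was never released in migration_instance_finalize(). For the added `error_free(ms->error);`, it is also worth saying in the message that finalize is the last user of ms->error, since the hunk frees it without clearing the pointer.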
> 



Re: [Qemu-devel] [PATCH 2/3] net: allow using any PCI NICs in -net or -nic

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 01:49 PM, Paolo Bonzini wrote:
> Remove the hard-coded list of PCI NIC names; instead, fill an array
> using all PCI devices listed under DEVICE_CATEGORY_NETWORK. Keep
> the old shortcut "virtio" for virtio-net-pci.
> 
> Suggested-by: Thomas Huth 
> Cc: Jason Wang 
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/pci/pci.c | 61 
> ++--
>  1 file changed, 30 insertions(+), 31 deletions(-)
> 
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 2174c254eb..aa24a26680 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1815,49 +1815,48 @@ PciInfoList *qmp_query_pci(Error **errp)
>  return head;
>  }
>  
> -static const char * const pci_nic_models[] = {
> -"ne2k_pci",
> -"i82551",
> -"i82557b",
> -"i82559er",
> -"rtl8139",
> -"e1000",
> -"pcnet",
> -"virtio",
> -"sungem",
> -NULL
> -};
> -
> -static const char * const pci_nic_names[] = {
> -"ne2k_pci",
> -"i82551",
> -"i82557b",
> -"i82559er",
> -"rtl8139",
> -"e1000",
> -"pcnet",
> -"virtio-net-pci",
> -"sungem",
> -NULL
> -};
> -
>  /* Initialize a PCI NIC.  */
>  PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus,
> const char *default_model,
> const char *default_devaddr)
>  {
>  const char *devaddr = nd->devaddr ? nd->devaddr : default_devaddr;
> +GSList *list;
> +GPtrArray *pci_nic_models;
>  PCIBus *bus;
>  PCIDevice *pci_dev;
>  DeviceState *dev;
>  int devfn;
>  int i;
>  
> -if (qemu_show_nic_models(nd->model, pci_nic_models)) {
> +if (!strcmp(nd->model, "virtio")) {
> +g_free(nd->model);
> +nd->model = g_strdup("virtio-net-pci");
> +}
> +
> +list = object_class_get_list_sorted(TYPE_PCI_DEVICE, false);
> +pci_nic_models = g_ptr_array_new_with_free_func(g_free);
> +while (list) {
> +DeviceClass *dc = OBJECT_CLASS_CHECK(DeviceClass, list->data,
> + TYPE_DEVICE);
> +GSList *next;
> +if (test_bit(DEVICE_CATEGORY_NETWORK, dc->categories) &&
> +dc->user_creatable) {
> +const char *name = object_class_get_name(list->data) ;
> +g_ptr_array_add(pci_nic_models, (gpointer)name);
> +}
> +next = list->next;
> +g_slist_free_1(list);
> +list = next;
> +}
> +g_ptr_array_add(pci_nic_models, NULL);
> +
> +if (qemu_show_nic_models(nd->model, (const char 
> **)pci_nic_models->pdata)) {
>  exit(0);
>  }
>  
> -i = qemu_find_nic_model(nd, pci_nic_models, default_model);
> +i = qemu_find_nic_model(nd, (const char **)pci_nic_models->pdata,
> +default_model);
>  if (i < 0) {
>  exit(1);
>  }
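Review bot: The new `strcmp(nd->model, "virtio")` at the top of pci_nic_init_nofail() dereferences nd->model unconditionally, yet the function still passes default_model to qemu_find_nic_model(), which suggests nd->model may be unset at this point. Guard the test, for example `if (nd->model && !strcmp(nd->model, "virtio"))`. The array is also created with g_free as its element free function while the elements added are the `const char *` results of object_class_get_name() cast to gpointer, which this function did not allocate; g_ptr_array_new() without a free function looks like what is intended.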
> @@ -1865,15 +1864,15 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus 
> *rootbus,
>  bus = pci_get_bus_devfn(, rootbus, devaddr);
>  if (!bus) {
>  error_report("Invalid PCI device address %s for device %s",
> - devaddr, pci_nic_names[i]);
> + devaddr, nd->model);
>  exit(1);
>  }
>  
> -pci_dev = pci_create(bus, devfn, pci_nic_names[i]);
> +pci_dev = pci_create(bus, devfn, nd->model);
>  dev = _dev->qdev;
>  qdev_set_nic_properties(dev, nd);
>  qdev_init_nofail(dev);
> -
> +g_ptr_array_free(pci_nic_models, true);
>  return pci_dev;
>  }
>  
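Review bot: `g_ptr_array_free(pci_nic_models, true)` before the return runs the array's element free function on every entry, and earlier in this patch the array is created with g_free while being filled with strings returned by object_class_get_name(). Freeing those names here releases memory the class objects still refer to. Either create the array without a free function or store g_strdup() copies.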
> 



Re: [Qemu-devel] [PATCH 1/3] qom: introduce object_class_get_list_sorted

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 01:49 PM, Paolo Bonzini wrote:
> Unify half a dozen copies of very similar code (the only difference being
> whether comparisons were case-sensitive) and use it also in Tricore,
> which did not do any sorting of CPU model names.
> 
> Signed-off-by: Paolo Bonzini 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  include/qom/object.h| 10 ++
>  qdev-monitor.c  |  9 +
>  qom/object.c| 14 ++
>  target/alpha/cpu.c  | 15 +--
>  target/hppa/cpu.c   | 14 +-
>  target/lm32/cpu.c   | 15 +--
>  target/sh4/cpu.c| 15 +--
>  target/tricore/helper.c |  2 +-
>  8 files changed, 30 insertions(+), 64 deletions(-)
> 
> diff --git a/include/qom/object.h b/include/qom/object.h
> index 4f07090db0..12c0f58c8f 100644
> --- a/include/qom/object.h
> +++ b/include/qom/object.h
> @@ -913,6 +913,17 @@ void object_class_foreach(void (*fn)(ObjectClass *klass, 
> void *opaque),
>  GSList *object_class_get_list(const char *implements_type,
>bool include_abstract);
>  
> +/**
> + * object_class_get_list_sorted:
> + * @implements_type: The type to filter for, including its derivatives.
> + * @include_abstract: Whether to include abstract classes.
> + *
> + * Returns: A singly-linked list of the classes in alphabetical
> + * case-insensitive order.
> + */
> +GSList *object_class_get_list_sorted(const char *implements_type,
> +  bool include_abstract);
> +
>  /**
>   * object_ref:
>   * @obj: the object
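Review bot: The new doc comment for object_class_get_list_sorted() does not say who owns the returned list. The callers converted in this patch release it with g_slist_free(), so state that the caller must free the list (and that the ObjectClass elements are not owned by it), matching what a reader needs to know to use the helper safely.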
> diff --git a/qdev-monitor.c b/qdev-monitor.c
> index b7e3291f8b..61e0300991 100644
> --- a/qdev-monitor.c
> +++ b/qdev-monitor.c
> @@ -122,12 +122,6 @@ static void qdev_print_devinfo(DeviceClass *dc)
>  error_printf("\n");
>  }
>  
> -static gint devinfo_cmp(gconstpointer a, gconstpointer b)
> -{
> -return strcasecmp(object_class_get_name((ObjectClass *)a),
> -  object_class_get_name((ObjectClass *)b));
> -}
> -
>  static void qdev_print_devinfos(bool show_no_user)
>  {
>  static const char *cat_name[DEVICE_CATEGORY_MAX + 1] = {
> @@ -146,8 +140,7 @@ static void qdev_print_devinfos(bool show_no_user)
>  int i;
>  bool cat_printed;
>  
> -list = g_slist_sort(object_class_get_list(TYPE_DEVICE, false),
> -devinfo_cmp);
> +list = object_class_get_list_sorted(TYPE_DEVICE, false);
>  
>  for (i = 0; i <= DEVICE_CATEGORY_MAX; i++) {
>  cat_printed = false;
> diff --git a/qom/object.c b/qom/object.c
> index 755ad03819..6088f55943 100644
> --- a/qom/object.c
> +++ b/qom/object.c
> @@ -891,6 +891,19 @@ GSList *object_class_get_list(const char 
> *implements_type,
>  return list;
>  }
>  
> +static gint object_class_cmp(gconstpointer a, gconstpointer b)
> +{
> +return strcasecmp(object_class_get_name((ObjectClass *)a),
> +  object_class_get_name((ObjectClass *)b));
> +}
> +
> +GSList *object_class_get_list_sorted(const char *implements_type,
> + bool include_abstract)
> +{
> +return g_slist_sort(object_class_get_list(implements_type, 
> include_abstract),
> +object_class_cmp);
> +}
> +
>  void object_ref(Object *obj)
>  {
>  if (!obj) {
> diff --git a/target/alpha/cpu.c b/target/alpha/cpu.c
> index 55675ce419..b08078e7fc 100644
> --- a/target/alpha/cpu.c
> +++ b/target/alpha/cpu.c
> @@ -71,18 +71,6 @@ static void alpha_cpu_realizefn(DeviceState *dev, Error 
> **errp)
>  acc->parent_realize(dev, errp);
>  }
>  
> -/* Sort alphabetically by type name. */
> -static gint alpha_cpu_list_compare(gconstpointer a, gconstpointer b)
> -{
> -ObjectClass *class_a = (ObjectClass *)a;
> -ObjectClass *class_b = (ObjectClass *)b;
> -const char *name_a, *name_b;
> -
> -name_a = object_class_get_name(class_a);
> -name_b = object_class_get_name(class_b);
> -return strcmp(name_a, name_b);
> -}
> -
>  static void alpha_cpu_list_entry(gpointer data, gpointer user_data)
>  {
>  ObjectClass *oc = data;
> @@ -100,8 +88,7 @@ void alpha_cpu_list(FILE *f, fprintf_function cpu_fprintf)
>  };
>  GSList *list;
>  
> -list = object_class_get_list(TYPE_ALPHA_CPU, false);
> -list = g_slist_sort(list, alpha_cpu_list_compare);
> +list = object_class_get_list_sorted(TYPE_ALPHA_CPU, false);
>  (*cpu_fprintf)(f, "Available CPUs:\n");
>  g_slist_foreach(list, alpha_cpu_list_entry, );
>  g_slist_free(list);
> diff --git a/target/hppa/cpu.c b/target/hppa/cpu.c
> index 969f628f0a..e5da8c3cab 100644
> --- a/target/hppa/cpu.c
> +++ b/target/hppa/cpu.c
> @@ -110,18 +110,6 @@ static void hppa_cpu_realizefn(DeviceState *dev, Error 
> **errp)
>  #endif
>  }
>  
> -/* Sort hppabetically by type name. */
> -static gint hppa_cpu_list_compare(gconstpointer a, gconstpointer b)
> -{
> -ObjectClass *class_a = (ObjectClass *)a;
> -

[Qemu-devel] [Bug 1753309] Re: Ethernet interrupt vectors for sabrelite machine are defined backwards

2018-03-06 Thread Guenter Roeck
#3: Correct, Linux version 4.14 and older registers two interrupt lines,
both the correct and the wrong one. With qemu version, the kernel
receives interrupts on irq 151, with the other on 150. So, yes, I guess
it works by accident. My question is what to do with older (pre-4.14)
kernels. Presumably those worked (?) with real hardware, so I am a bit
concerned about the impact of applying 4c8777892e80b to those kernels.

https://bugs.launchpad.net/bugs/1753309

Title:
  Ethernet interrupt vectors for sabrelite machine are defined backwards

Status in QEMU:
  New

Bug description:
  The sabrelite machine model used by qemu-system-arm is based on the
  Freescale/NXP i.MX6Q processor. This SoC has an on-board ethernet
  controller which is supported in QEMU using the imx_fec.c module
  (actually called imx.enet for this model.)

  The include/hw/arm/fsl-imx6.h file defines the interrupt vectors for
  the imx.enet device like this:

  #define FSL_IMX6_ENET_MAC_1588_IRQ 118
  #define FSL_IMX6_ENET_MAC_IRQ 119

  However, this is backwards. The reference manual for the i.MX6D/Q
  devices can be found here:

  https://www.nxp.com/docs/en/reference-manual/IMX6DQRM.pdf

  On page 225, in Table 3-1. ARM Cortex A9 domain interrupt summary, it
  shows the following:

  150 ENET
  MAC 0 IRQ, Logical OR of:
  MAC 0 Periodic Timer Overflow
  MAC 0 Time Stamp Available
  MAC 0 Time Stamp Available
  MAC 0 Time Stamp Available
  MAC 0 Payload Receive Error
  MAC 0 Transmit FIFO Underrun
  MAC 0 Collision Retry Limit
  MAC 0 Late Collision
  MAC 0 Ethernet Bus Error
  MAC 0 MII Data Transfer Done
  MAC 0 Receive Buffer Done
  MAC 0 Receive Frame Done
  MAC 0 Transmit Buffer Done
  MAC 0 Transmit Frame Done
  MAC 0 Graceful Stop
  MAC 0 Babbling Transmit Error
  MAC 0 Babbling Receive Error
  MAC 0 Wakeup Request [synchronous]

  151 ENET
  MAC 0 1588 Timer interrupt [synchronous] request

  Note:
  150 - 32 == 118
  151 - 32 == 119

  In other words, the vector definitions in the fsl-imx6.h file are
  reversed. The correct definition is:

  #define FSL_IMX6_ENET_MAC_IRQ 118
  #define FSL_IMX6_ENET_MAC_1588_IRQ 119

  I tested the sabrelite simulation using VxWorks 7 (which supports the
  SabreLite board) and found that while I was able to send and receive
  packet data via the simulated ethernet interface, the VxWorks i.MX6
  ethernet driver failed to receive any interrupts. When I corrected the
  interrupt vector definitions as shown above and recompiled QEMU,
  everything worked as expected. I was able to exchange ICMP packets
  with the simulated target and telnet to/from the VxWorks instance
  running in the virtual machine. I used the tap interface for this.

  As a workaround I was also able to make the ethernet work by modifying
  the VxWorks imx6q-sabrelite.dts file to change the ethernet interrupt
  property from 150 to 151.

  This problem was observed with the following environment:

  Host: FreeBSD/amd64 11.1-RELEASE
  QEMU version: 2.11.0 and 2.11.1 built from source code




Re: [Qemu-devel] [PATCH v1 18/22] RISC-V: Remove braces from satp case statement with

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:43 PM, Michael Clark wrote:
> Signed-off-by: Michael Clark 
> Signed-off-by: Palmer Dabbelt 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  target/riscv/op_helper.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
> index dd3e417..f79716a 100644
> --- a/target/riscv/op_helper.c
> +++ b/target/riscv/op_helper.c
> @@ -240,7 +240,7 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
> val_to_write,
>  csr_write_helper(env, next_mie, CSR_MIE);
>  break;
>  }
> -case CSR_SATP: /* CSR_SPTBR */ {
> +case CSR_SATP: /* CSR_SPTBR */
>  if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
>  break;
>  }
> @@ -258,7 +258,6 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
> val_to_write,
>  env->satp = val_to_write;
>  }
>  break;
> -}
>  case CSR_SEPC:
>  env->sepc = val_to_write;
>  break;
> 



Re: [Qemu-devel] [PATCH v1 09/22] RISC-V: Include hexidecimal instruction in

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:43 PM, Michael Clark wrote:
> This was added to help debug issues using -d in_asm. It is
> useful to see the instruction bytes, as one can detect if
> one is trying to execute ASCII or device-tree magic.

clean :)

> 
> Signed-off-by: Michael Clark 
> Signed-off-by: Palmer Dabbelt 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  disas/riscv.c | 39 ---
>  1 file changed, 20 insertions(+), 19 deletions(-)
> 
> diff --git a/disas/riscv.c b/disas/riscv.c
> index 3c17501..4580308 100644
> --- a/disas/riscv.c
> +++ b/disas/riscv.c
> @@ -2769,25 +2769,6 @@ static void format_inst(char *buf, size_t buflen, 
> size_t tab, rv_decode *dec)
>  char tmp[64];
>  const char *fmt;
>  
> -if (dec->op == rv_op_illegal) {
> -size_t len = inst_length(dec->inst);
> -switch (len) {
> -case 2:
> -snprintf(buf, buflen, "(0x%04" PRIx64 ")", dec->inst);
> -break;
> -case 4:
> -snprintf(buf, buflen, "(0x%08" PRIx64 ")", dec->inst);
> -break;
> -case 6:
> -snprintf(buf, buflen, "(0x%012" PRIx64 ")", dec->inst);
> -break;
> -default:
> -snprintf(buf, buflen, "(0x%016" PRIx64 ")", dec->inst);
> -break;
> -}
> -return;
> -}
> -
>  fmt = opcode_data[dec->op].format;
>  while (*fmt) {
>  switch (*fmt) {
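Review bot: With the rv_op_illegal early return removed from format_inst(), an illegal instruction now falls through to `fmt = opcode_data[dec->op].format;`, so the output depends on opcode_data having a usable format string for rv_op_illegal. The commit message does not mention this; please state what is printed for an illegal encoding after the change, or keep a short explicit branch for it.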
> @@ -3004,6 +2985,11 @@ disasm_inst(char *buf, size_t buflen, rv_isa isa, 
> uint64_t pc, rv_inst inst)
>  format_inst(buf, buflen, 16, );
>  }
>  
> +#define INST_FMT_2 "%04" PRIx64 "  "
> +#define INST_FMT_4 "%08" PRIx64 "  "
> +#define INST_FMT_6 "%012" PRIx64 "  "
> +#define INST_FMT_8 "%016" PRIx64 "  "
> +
>  static int
>  print_insn_riscv(bfd_vma memaddr, struct disassemble_info *info, rv_isa isa)
>  {
> @@ -3031,6 +3017,21 @@ print_insn_riscv(bfd_vma memaddr, struct 
> disassemble_info *info, rv_isa isa)
>  }
>  }
>  
> +switch (len) {
> +case 2:
> +(*info->fprintf_func)(info->stream, INST_FMT_2, inst);
> +break;
> +case 4:
> +(*info->fprintf_func)(info->stream, INST_FMT_4, inst);
> +break;
> +case 6:
> +(*info->fprintf_func)(info->stream, INST_FMT_6, inst);
> +break;
> +default:
> +(*info->fprintf_func)(info->stream, INST_FMT_8, inst);
> +break;
> +}
> +
>  disasm_inst(buf, sizeof(buf), isa, memaddr, inst);
>  (*info->fprintf_func)(info->stream, "%s", buf);
>  
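Review bot: The added `switch (len)` in print_insn_riscv() sends every length other than 2, 4 and 6 to the 16-digit INST_FMT_8 case, including a length that is not a valid instruction size at all. Make the 8 case explicit and decide what the default should print, or derive the field width from len so the four format macros are not needed.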
> 



Re: [Qemu-devel] [PATCH v1 00/22] Spec conformance bug fixes and cleanups

2018-03-06 Thread Michael Clark
On Wed, Mar 7, 2018 at 9:43 AM, Michael Clark  wrote:

> This is the series of spec conformance bug fixes and code cleanups.
> We would like to get this series in after our core changes in v8.2.
>
> - Implements WARL behavior for CSRs that don't support writes
> - Improves specification conformance of the page table walker
>   - Change access checks from ternary operator to if statements
>   - Checks for misaligned PPNs
>   - Disallow M-mode or S-mode from fetching from User pages
>   - Adds reserved PTE flag check: W or W|X
>   - Improves page walker comments and general readability
> - Several trivial code cleanups to hw/riscv
>   - Replacing hard coded constants with reference to enums
> or the machine memory maps.
> - Adds bounds checks when writing device-tree to ROM
>
> Michael Clark (22):
>   RISC-V: Make virt create_fdt interface consistent
>   RISC-V: Replace hardcoded constants with enum values
>   RISC-V: Make virt board description match spike
>   RISC-V: Use ROM base address and size from memory map
>   RISC-V: Remove redundant identity_translate from load_elf
>   RISC-V: Mark ROM read-only after copying in code and config
>   RISC-V: Remove unused class definitions from machines
>   RISC-V: Make sure the emulated rom has space for device-tree
>   RISC-V: Include hexidecimal instruction in disassembly
>   RISC-V: Hold rcu_read_lock when accessing memory directly
>   RISC-V: Improve page table walker spec compliance
>   RISC-V: Update E order and I extension order
>   RISC-V: Make spike and virt header guards more specific
>   RISC-V: Make virt header comment title consistent
>   RISC-V: Use memory_region_is_ram in atomic pte update
>   RISC-V: Remove EM_RISCV ELF_MACHINE indirection from load_elf
>   RISC-V: Ingore satp writes and return 0 for reads when no-mmu
>   RISC-V: Remove braces from satp case statement with no locals
>   RISC-V: riscv-qemu port supports sv39 and sv48
>   RISC-V: vectored traps are optional
>   RISC-V: No traps on writes to misa,minstret[h],mcycle[h]
>   RISC-V: Remove support for adhoc X_COP local-interrupt
>
>  disas/riscv.c   | 39 +++--
>  hw/riscv/sifive_clint.c |  9 ++---
>  hw/riscv/sifive_e.c | 34 ++
>  hw/riscv/sifive_u.c | 65 +++---
>  hw/riscv/spike.c| 65 +-
>  hw/riscv/virt.c | 77 ++
> ---
>  include/hw/riscv/sifive_clint.h |  4 +++
>  include/hw/riscv/sifive_e.h |  9 -
>  include/hw/riscv/sifive_u.h | 13 +++
>  include/hw/riscv/spike.h| 16 -
>  include/hw/riscv/virt.h | 21 ---
>  target/riscv/cpu.c  |  2 +-
>  target/riscv/cpu.h  |  6 ++--
>  target/riscv/cpu_bits.h |  3 --
>  target/riscv/helper.c   | 63 +++--
>  target/riscv/op_helper.c| 52 ++--
>  16 files changed, 193 insertions(+), 285 deletions(-)
>

BTW Apologies for the duplicate emails. I'm still getting to grips with the
git-sendemail workflow and was using a sed script to Add Cc's which munged
the headers as it didn't take into account Subject lines flowing to two
lines. I guess I can just include Cc: in the commit message? and
git-format-patch will handle it for me? or I just should how to use
git-publish...

I still have to work on Igor's requested change to CPU initializer
declarations, and I'd also like to get the patch in that fixes fmin/fmax
test failures using the riscv-tests testsuite by implementing IEEE-754
minimumNumber/maximumNumber. I'll try to get a patch onto the list before
soft-freeze. I dropped the patch which was in an earlier version of our
port patch series due to a conflict with changes in softfloat (conversion
of minmax from a macro to a static function iirc).

Michael.


Re: [Qemu-devel] [PATCH v1 05/22] RISC-V: Remove redundant identity_translate from

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:43 PM, Michael Clark wrote:
> When load_elf is called with NULL as an argument to the
> address translate callback, it does an identity translation.
> This commit removes the redundant identity_translate callback.
> 
> Signed-off-by: Michael Clark 
> Signed-off-by: Palmer Dabbelt 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/riscv/sifive_e.c | 7 +--
>  hw/riscv/sifive_u.c | 7 +--
>  hw/riscv/spike.c| 7 +--
>  hw/riscv/virt.c | 7 +--
>  4 files changed, 4 insertions(+), 24 deletions(-)
> 
> diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
> index 19eca36..09c9d49 100644
> --- a/hw/riscv/sifive_e.c
> +++ b/hw/riscv/sifive_e.c
> @@ -82,16 +82,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
> size_t len)
>  }
>  }
>  
> -static uint64_t identity_translate(void *opaque, uint64_t addr)
> -{
> -return addr;
> -}
> -
>  static uint64_t load_kernel(const char *kernel_filename)
>  {
>  uint64_t kernel_entry, kernel_high;
>  
> -if (load_elf(kernel_filename, identity_translate, NULL,
> +if (load_elf(kernel_filename, NULL, NULL,
>   _entry, NULL, _high,
>   0, ELF_MACHINE, 1, 0) < 0) {
>  error_report("qemu: could not load kernel '%s'", kernel_filename);
> diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
> index f3f7615..6116c38 100644
> --- a/hw/riscv/sifive_u.c
> +++ b/hw/riscv/sifive_u.c
> @@ -68,16 +68,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
> size_t len)
>  }
>  }
>  
> -static uint64_t identity_translate(void *opaque, uint64_t addr)
> -{
> -return addr;
> -}
> -
>  static uint64_t load_kernel(const char *kernel_filename)
>  {
>  uint64_t kernel_entry, kernel_high;
>  
> -if (load_elf(kernel_filename, identity_translate, NULL,
> +if (load_elf(kernel_filename, NULL, NULL,
>   _entry, NULL, _high,
>   0, ELF_MACHINE, 1, 0) < 0) {
>  error_report("qemu: could not load kernel '%s'", kernel_filename);
> diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
> index 4c233ec..7710333 100644
> --- a/hw/riscv/spike.c
> +++ b/hw/riscv/spike.c
> @@ -59,16 +59,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
> size_t len)
>  }
>  }
>  
> -static uint64_t identity_translate(void *opaque, uint64_t addr)
> -{
> -return addr;
> -}
> -
>  static uint64_t load_kernel(const char *kernel_filename)
>  {
>  uint64_t kernel_entry, kernel_high;
>  
> -if (load_elf_ram_sym(kernel_filename, identity_translate, NULL,
> +if (load_elf_ram_sym(kernel_filename, NULL, NULL,
>  _entry, NULL, _high, 0, ELF_MACHINE, 1, 0,
>  NULL, true, htif_symbol_callback) < 0) {
>  error_report("qemu: could not load kernel '%s'", kernel_filename);
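Review bot: This hunk passes NULL as the translate callback to load_elf_ram_sym(), but the commit message only states that load_elf() treats a NULL callback as an identity translation. Please confirm in the message that load_elf_ram_sym() handles NULL the same way, since spike is the only machine in this patch that uses it.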
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index 0d101fc..f8c19b4 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -62,16 +62,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
> size_t len)
>  }
>  }
>  
> -static uint64_t identity_translate(void *opaque, uint64_t addr)
> -{
> -return addr;
> -}
> -
>  static uint64_t load_kernel(const char *kernel_filename)
>  {
>  uint64_t kernel_entry, kernel_high;
>  
> -if (load_elf(kernel_filename, identity_translate, NULL,
> +if (load_elf(kernel_filename, NULL, NULL,
>   _entry, NULL, _high,
>   0, ELF_MACHINE, 1, 0) < 0) {
>  error_report("qemu: could not load kernel '%s'", kernel_filename);
> 



Re: [Qemu-devel] [PATCH v1 02/22] RISC-V: Replace hardcoded constants with enum values

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:43 PM, Michael Clark wrote:
> The RISC-V device-tree code has a number of hard-coded
> constants and this change moves them into header enums.
> 
> Signed-off-by: Michael Clark 
> Signed-off-by: Palmer Dabbelt 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/riscv/sifive_clint.c | 9 +++--
>  hw/riscv/sifive_u.c | 6 --
>  hw/riscv/spike.c| 6 --
>  hw/riscv/virt.c | 6 --
>  include/hw/riscv/sifive_clint.h | 4 
>  include/hw/riscv/sifive_u.h | 4 
>  include/hw/riscv/spike.h| 4 
>  include/hw/riscv/virt.h | 4 
>  8 files changed, 31 insertions(+), 12 deletions(-)
> 
> diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
> index 4893453..7cc606e 100644
> --- a/hw/riscv/sifive_clint.c
> +++ b/hw/riscv/sifive_clint.c
> @@ -26,13 +26,10 @@
>  #include "hw/riscv/sifive_clint.h"
>  #include "qemu/timer.h"
>  
> -/* See: riscv-pk/machine/sbi_entry.S and arch/riscv/kernel/time.c */
> -#define TIMER_FREQ (10 * 1000 * 1000)
> -
>  static uint64_t cpu_riscv_read_rtc(void)
>  {
> -return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), TIMER_FREQ,
> -NANOSECONDS_PER_SECOND);
> +return muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL),
> +SIFIVE_CLINT_TIMEBASE_FREQ, NANOSECONDS_PER_SECOND);
>  }
>  
>  /*
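Review bot: Removing the TIMER_FREQ define also drops the comment pointing at riscv-pk/machine/sbi_entry.S and arch/riscv/kernel/time.c, which was the only explanation of where the timebase value comes from. Carry that reference over to the definition of SIFIVE_CLINT_TIMEBASE_FREQ in the header so the constant stays traceable.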
> @@ -59,7 +56,7 @@ static void sifive_clint_write_timecmp(RISCVCPU *cpu, 
> uint64_t value)
>  diff = cpu->env.timecmp - rtc_r;
>  /* back to ns (note args switched in muldiv64) */
>  next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
> -muldiv64(diff, NANOSECONDS_PER_SECOND, TIMER_FREQ);
> +muldiv64(diff, NANOSECONDS_PER_SECOND, SIFIVE_CLINT_TIMEBASE_FREQ);
>  timer_mod(cpu->env.timer, next);
>  }
>  
> diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
> index 1c2deef..f3f7615 100644
> --- a/hw/riscv/sifive_u.c
> +++ b/hw/riscv/sifive_u.c
> @@ -122,7 +122,8 @@ static void create_fdt(SiFiveUState *s, const struct 
> MemmapEntry *memmap,
>  g_free(nodename);
>  
>  qemu_fdt_add_subnode(fdt, "/cpus");
> -qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency", 1000);
> +qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency",
> +SIFIVE_CLINT_TIMEBASE_FREQ);
>  qemu_fdt_setprop_cell(fdt, "/cpus", "#size-cells", 0x0);
>  qemu_fdt_setprop_cell(fdt, "/cpus", "#address-cells", 0x1);
>  
> @@ -131,7 +132,8 @@ static void create_fdt(SiFiveUState *s, const struct 
> MemmapEntry *memmap,
>  char *intc = g_strdup_printf("/cpus/cpu@%d/interrupt-controller", 
> cpu);
>  char *isa = riscv_isa_string(>soc.harts[cpu]);
>  qemu_fdt_add_subnode(fdt, nodename);
> -qemu_fdt_setprop_cell(fdt, nodename, "clock-frequency", 10);
> +qemu_fdt_setprop_cell(fdt, nodename, "clock-frequency",
> +  SIFIVE_U_CLOCK_FREQ);
>  qemu_fdt_setprop_string(fdt, nodename, "mmu-type", "riscv,sv48");
>  qemu_fdt_setprop_string(fdt, nodename, "riscv,isa", isa);
>  qemu_fdt_setprop_string(fdt, nodename, "compatible", "riscv");
> diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
> index 2d1f114..4c233ec 100644
> --- a/hw/riscv/spike.c
> +++ b/hw/riscv/spike.c
> @@ -115,7 +115,8 @@ static void create_fdt(SpikeState *s, const struct 
> MemmapEntry *memmap,
>  g_free(nodename);
>  
>  qemu_fdt_add_subnode(fdt, "/cpus");
> -qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency", 1000);
> +qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency",
> +SIFIVE_CLINT_TIMEBASE_FREQ);
>  qemu_fdt_setprop_cell(fdt, "/cpus", "#size-cells", 0x0);
>  qemu_fdt_setprop_cell(fdt, "/cpus", "#address-cells", 0x1);
>  
> @@ -124,7 +125,8 @@ static void create_fdt(SpikeState *s, const struct 
> MemmapEntry *memmap,
>  char *intc = g_strdup_printf("/cpus/cpu@%d/interrupt-controller", 
> cpu);
>  char *isa = riscv_isa_string(>soc.harts[cpu]);
>  qemu_fdt_add_subnode(fdt, nodename);
> -qemu_fdt_setprop_cell(fdt, nodename, "clock-frequency", 10);
> +qemu_fdt_setprop_cell(fdt, nodename, "clock-frequency",
> +  SPIKE_CLOCK_FREQ);
>  qemu_fdt_setprop_string(fdt, nodename, "mmu-type", "riscv,sv48");
>  qemu_fdt_setprop_string(fdt, nodename, "riscv,isa", isa);
>  qemu_fdt_setprop_string(fdt, nodename, "compatible", "riscv");
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index 37968d2..a402856 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -145,7 +145,8 @@ static void create_fdt(RISCVVirtState *s, const struct 
> MemmapEntry *memmap,
>  g_free(nodename);
>  
>  qemu_fdt_add_subnode(fdt, "/cpus");
> -qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency", 1000);
> +qemu_fdt_setprop_cell(fdt, "/cpus", "timebase-frequency",
> +

Re: [Qemu-devel] [PATCH 16/19] uninorth: rename UNINState to UNINHostState

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:31 PM, Mark Cave-Ayland wrote:
> The existing UNINState actually represents the PCI/AGP host bridge stage so
> rename it accordingly.
> 
> Signed-off-by: Mark Cave-Ayland 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/pci-host/uninorth.c | 32 
>  hw/ppc/mac.h   |  8 
>  hw/ppc/mac_newworld.c  |  2 +-
>  include/hw/pci-host/uninorth.h | 12 ++--
>  4 files changed, 27 insertions(+), 27 deletions(-)
> 
> diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
> index 3a29a4410e..fada0ffd5f 100644
> --- a/hw/pci-host/uninorth.c
> +++ b/hw/pci-host/uninorth.c
> @@ -38,7 +38,7 @@ static int pci_unin_map_irq(PCIDevice *pci_dev, int irq_num)
>  
>  static void pci_unin_set_irq(void *opaque, int irq_num, int level)
>  {
> -UNINState *s = opaque;
> +UNINHostState *s = opaque;
>  
>  trace_unin_set_irq(unin_irq_line[irq_num], level);
>  qemu_set_irq(s->irqs[irq_num], level);
> @@ -81,7 +81,7 @@ static uint32_t unin_get_config_reg(uint32_t reg, uint32_t 
> addr)
>  static void unin_data_write(void *opaque, hwaddr addr,
>  uint64_t val, unsigned len)
>  {
> -UNINState *s = opaque;
> +UNINHostState *s = opaque;
>  PCIHostState *phb = PCI_HOST_BRIDGE(s);
>  trace_unin_data_write(addr, len, val);
>  pci_data_write(phb->bus,
> @@ -92,7 +92,7 @@ static void unin_data_write(void *opaque, hwaddr addr,
>  static uint64_t unin_data_read(void *opaque, hwaddr addr,
> unsigned len)
>  {
> -UNINState *s = opaque;
> +UNINHostState *s = opaque;
>  PCIHostState *phb = PCI_HOST_BRIDGE(s);
>  uint32_t val;
>  
> @@ -109,7 +109,7 @@ static const MemoryRegionOps unin_data_ops = {
>  .endianness = DEVICE_LITTLE_ENDIAN,
>  };
>  
> -static void pci_unin_init_irqs(UNINState *s)
> +static void pci_unin_init_irqs(UNINHostState *s)
>  {
>  int i;
>  
> @@ -120,7 +120,7 @@ static void pci_unin_init_irqs(UNINState *s)
>  
>  static void pci_unin_main_realize(DeviceState *dev, Error **errp)
>  {
> -UNINState *s = UNI_NORTH_PCI_HOST_BRIDGE(dev);
> +UNINHostState *s = UNI_NORTH_PCI_HOST_BRIDGE(dev);
>  PCIHostState *h = PCI_HOST_BRIDGE(dev);
>  
>  h->bus = pci_register_root_bus(dev, NULL,
> @@ -142,7 +142,7 @@ static void pci_unin_main_realize(DeviceState *dev, Error 
> **errp)
>  
>  static void pci_unin_main_init(Object *obj)
>  {
> -UNINState *s = UNI_NORTH_PCI_HOST_BRIDGE(obj);
> +UNINHostState *s = UNI_NORTH_PCI_HOST_BRIDGE(obj);
>  SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
>  PCIHostState *h = PCI_HOST_BRIDGE(obj);
>  
> @@ -175,7 +175,7 @@ static void pci_unin_main_init(Object *obj)
>  
>  static void pci_u3_agp_realize(DeviceState *dev, Error **errp)
>  {
> -UNINState *s = U3_AGP_HOST_BRIDGE(dev);
> +UNINHostState *s = U3_AGP_HOST_BRIDGE(dev);
>  PCIHostState *h = PCI_HOST_BRIDGE(dev);
>  
>  h->bus = pci_register_root_bus(dev, NULL,
> @@ -191,7 +191,7 @@ static void pci_u3_agp_realize(DeviceState *dev, Error 
> **errp)
>  
>  static void pci_u3_agp_init(Object *obj)
>  {
> -UNINState *s = U3_AGP_HOST_BRIDGE(obj);
> +UNINHostState *s = U3_AGP_HOST_BRIDGE(obj);
>  SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
>  PCIHostState *h = PCI_HOST_BRIDGE(obj);
>  
> @@ -223,7 +223,7 @@ static void pci_u3_agp_init(Object *obj)
>  
>  static void pci_unin_agp_realize(DeviceState *dev, Error **errp)
>  {
> -UNINState *s = UNI_NORTH_AGP_HOST_BRIDGE(dev);
> +UNINHostState *s = UNI_NORTH_AGP_HOST_BRIDGE(dev);
>  PCIHostState *h = PCI_HOST_BRIDGE(dev);
>  
>  h->bus = pci_register_root_bus(dev, NULL,
> @@ -239,7 +239,7 @@ static void pci_unin_agp_realize(DeviceState *dev, Error 
> **errp)
>  
>  static void pci_unin_agp_init(Object *obj)
>  {
> -UNINState *s = UNI_NORTH_AGP_HOST_BRIDGE(obj);
> +UNINHostState *s = UNI_NORTH_AGP_HOST_BRIDGE(obj);
>  SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
>  PCIHostState *h = PCI_HOST_BRIDGE(obj);
>  
> @@ -260,7 +260,7 @@ static void pci_unin_agp_init(Object *obj)
>  
>  static void pci_unin_internal_realize(DeviceState *dev, Error **errp)
>  {
> -UNINState *s = UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(dev);
> +UNINHostState *s = UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(dev);
>  PCIHostState *h = PCI_HOST_BRIDGE(dev);
>  
>  h->bus = pci_register_root_bus(dev, NULL,
> @@ -276,7 +276,7 @@ static void pci_unin_internal_realize(DeviceState *dev, 
> Error **errp)
>  
>  static void pci_unin_internal_init(Object *obj)
>  {
> -UNINState *s = UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(obj);
> +UNINHostState *s = UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(obj);
>  SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
>  PCIHostState *h = PCI_HOST_BRIDGE(obj);
>  
> @@ -466,7 +466,7 @@ static void pci_unin_main_class_init(ObjectClass *klass, 
> void *data)
>  static const TypeInfo 

Re: [Qemu-devel] [PATCH 05/19] uninorth: move uninorth definitions into uninorth.h

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:30 PM, Mark Cave-Ayland wrote:
> Signed-off-by: Mark Cave-Ayland 
> ---
>  hw/pci-host/uninorth.c | 22 +--
>  include/hw/pci-host/uninorth.h | 49 
> ++
>  2 files changed, 50 insertions(+), 21 deletions(-)
>  create mode 100644 include/hw/pci-host/uninorth.h
> 
> diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
> index 1d4d3f5705..600d675573 100644
> --- a/hw/pci-host/uninorth.c
> +++ b/hw/pci-host/uninorth.c
> @@ -26,31 +26,11 @@
>  #include "hw/ppc/mac.h"
>  #include "hw/pci/pci.h"
>  #include "hw/pci/pci_host.h"
> +#include "hw/pci-host/uninorth.h"
>  #include "trace.h"
>  
>  static const int unin_irq_line[] = { 0x1b, 0x1c, 0x1d, 0x1e };
>  
> -#define TYPE_UNI_NORTH_PCI_HOST_BRIDGE "uni-north-pci-pcihost"
> -#define TYPE_UNI_NORTH_AGP_HOST_BRIDGE "uni-north-agp-pcihost"
> -#define TYPE_UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE 
> "uni-north-internal-pci-pcihost"
> -#define TYPE_U3_AGP_HOST_BRIDGE "u3-agp-pcihost"
> -
> -#define UNI_NORTH_PCI_HOST_BRIDGE(obj) \
> -OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_PCI_HOST_BRIDGE)
> -#define UNI_NORTH_AGP_HOST_BRIDGE(obj) \
> -OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_AGP_HOST_BRIDGE)
> -#define UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(obj) \
> -OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE)
> -#define U3_AGP_HOST_BRIDGE(obj) \
> -OBJECT_CHECK(UNINState, (obj), TYPE_U3_AGP_HOST_BRIDGE)
> -
> -typedef struct UNINState {
> -PCIHostState parent_obj;
> -
> -MemoryRegion pci_mmio;
> -MemoryRegion pci_hole;
> -} UNINState;
> -
>  static int pci_unin_map_irq(PCIDevice *pci_dev, int irq_num)
>  {
>  return (irq_num + (pci_dev->devfn >> 3)) & 3;
> diff --git a/include/hw/pci-host/uninorth.h b/include/hw/pci-host/uninorth.h
> new file mode 100644
> index 00..9364c14bdd
> --- /dev/null
> +++ b/include/hw/pci-host/uninorth.h
> @@ -0,0 +1,49 @@
> +/*
> + * QEMU Uninorth PCI host (for all Mac99 and newer machines)
> + *
> + * Copyright (c) 2006 Fabrice Bellard
> + *
> + * Permission is hereby granted, free of charge, to any person obtaining a 
> copy
> + * of this software and associated documentation files (the "Software"), to 
> deal
> + * in the Software without restriction, including without limitation the 
> rights
> + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + * copies of the Software, and to permit persons to whom the Software is
> + * furnished to do so, subject to the following conditions:
> + *
> + * The above copyright notice and this permission notice shall be included in
> + * all copies or substantial portions of the Software.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
> + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
> FROM,
> + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> + * THE SOFTWARE.
> + */
> +
> +#ifndef UNINORTH_H
> +#define UNINORTH_H

missing:

#include "hw/hw.h"

with it:
Reviewed-by: Philippe Mathieu-Daudé 

> +
> +#define TYPE_UNI_NORTH_PCI_HOST_BRIDGE "uni-north-pci-pcihost"
> +#define TYPE_UNI_NORTH_AGP_HOST_BRIDGE "uni-north-agp-pcihost"
> +#define TYPE_UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE 
> "uni-north-internal-pci-pcihost"
> +#define TYPE_U3_AGP_HOST_BRIDGE "u3-agp-pcihost"
> +
> +#define UNI_NORTH_PCI_HOST_BRIDGE(obj) \
> +OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_PCI_HOST_BRIDGE)
> +#define UNI_NORTH_AGP_HOST_BRIDGE(obj) \
> +OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_AGP_HOST_BRIDGE)
> +#define UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE(obj) \
> +OBJECT_CHECK(UNINState, (obj), TYPE_UNI_NORTH_INTERNAL_PCI_HOST_BRIDGE)
> +#define U3_AGP_HOST_BRIDGE(obj) \
> +OBJECT_CHECK(UNINState, (obj), TYPE_U3_AGP_HOST_BRIDGE)
> +
> +typedef struct UNINState {
> +PCIHostState parent_obj;
> +
> +MemoryRegion pci_mmio;
> +MemoryRegion pci_hole;
> +} UNINState;
> +
> +#endif /* UNINORTH_H */
> 
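Review bot: The new include/hw/pci-host/uninorth.h has no #include lines of its own after the `#ifndef UNINORTH_H` guard, yet `UNINState` embeds `PCIHostState` and two `MemoryRegion` members and the cast macros use `OBJECT_CHECK`. It builds only because uninorth.c includes "hw/pci/pci_host.h" immediately before it; include the header that declares `PCIHostState` here as well, in addition to the "hw/hw.h" requested above, so that another file can include uninorth.h first.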



Re: [Qemu-devel] [PATCH 01/19] uninorth: trivial style fixups

2018-03-06 Thread Philippe Mathieu-Daudé
On 03/06/2018 05:30 PM, Mark Cave-Ayland wrote:
> This makes sure we keep patchew/checkpatch happy during the remainder of this
> patchset.
> 
> Signed-off-by: Mark Cave-Ayland 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/pci-host/uninorth.c | 29 +++--
>  1 file changed, 19 insertions(+), 10 deletions(-)
> 
> diff --git a/hw/pci-host/uninorth.c b/hw/pci-host/uninorth.c
> index 66991da975..710818e355 100644
> --- a/hw/pci-host/uninorth.c
> +++ b/hw/pci-host/uninorth.c
> @@ -272,7 +272,6 @@ PCIBus *pci_pmac_u3_init(qemu_irq *pic,
>  UNINState *d;
>  
>  /* Uninorth AGP bus */
> -
>  dev = qdev_create(NULL, TYPE_U3_AGP_HOST_BRIDGE);
>  qdev_init_nofail(dev);
>  s = SYS_BUS_DEVICE(dev);
> @@ -302,16 +301,23 @@ PCIBus *pci_pmac_u3_init(qemu_irq *pic,
>  
>  static void unin_main_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -d->config[0x34] = 0x00; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer */
> +d->config[0x34] = 0x00;
>  }
>  
>  static void unin_agp_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -//d->config[0x34] = 0x80; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer
> +d->config[0x34] = 0x80; */
> +
>  /*
>   * Set kMacRISCPCIAddressSelect (0x48) register to indicate PCI
>   * memory space with base 0x8000, size 0x1000 for Apple's
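Review bot: In unin_agp_pci_host_realize() the disabled assignment is now wrapped as `/* capabilities_pointer` followed by `d->config[0x34] = 0x80; */`, which leaves dead code inside a two-line comment with no leading `*` on the continuation line and no closing `*/` on its own line, and it still does not say why the write is disabled. Either drop the line or keep it under a one-line comment giving the reason, so this function reads like the `/* capabilities_pointer */` form used in the other two realize functions.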
> @@ -333,9 +339,12 @@ static void u3_agp_pci_host_realize(PCIDevice *d, Error 
> **errp)
>  
>  static void unin_internal_pci_host_realize(PCIDevice *d, Error **errp)
>  {
> -d->config[0x0C] = 0x08; // cache_line_size
> -d->config[0x0D] = 0x10; // latency_timer
> -d->config[0x34] = 0x00; // capabilities_pointer
> +/* cache_line_size */
> +d->config[0x0C] = 0x08;
> +/* latency_timer */
> +d->config[0x0D] = 0x10;
> +/* capabilities_pointer */
> +d->config[0x34] = 0x00;
>  }
>  
>  static void unin_main_pci_host_class_init(ObjectClass *klass, void *data)
> 



[Qemu-devel] [PATCH 4/6] grackle: move PCI IO (ISA) memory region into the grackle device

2018-03-06 Thread Mark Cave-Ayland
This simplifies the Old World machine to simply mapping the ISA memory region
into the main address space.

Signed-off-by: Mark Cave-Ayland 
---
 hw/pci-host/grackle.c | 7 ++-
 hw/ppc/mac_oldworld.c | 9 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/hw/pci-host/grackle.c b/hw/pci-host/grackle.c
index e4583d493b..4810a4de79 100644
--- a/hw/pci-host/grackle.c
+++ b/hw/pci-host/grackle.c
@@ -41,6 +41,7 @@ typedef struct GrackleState {
 qemu_irq irqs[4];
 MemoryRegion pci_mmio;
 MemoryRegion pci_hole;
+MemoryRegion pci_io;
 } GrackleState;
 
 /* Don't know if this matches real hardware, but it agrees with OHW.  */
@@ -76,7 +77,7 @@ static void grackle_realize(DeviceState *dev, Error **errp)
  pci_grackle_map_irq,
  s,
  >pci_mmio,
- get_system_io(),
+ >pci_io,
  0, 4, TYPE_PCI_BUS);
 
 pci_create_simple(phb->bus, 0, "grackle");
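Review bot: Swapping `get_system_io()` for the device's own `pci_io` region in grackle_realize() is more than a move. The PCI bus I/O space stops being the global system I/O region, and the ISA window that mac_oldworld.c used to build with `memory_region_init_alias(isa, NULL, "isa_mmio", get_system_io(), ...)` now exposes only what is mapped into this private region. Anything that still registers its ports in the system I/O space is no longer reachable through that window, so the commit message should state that this is intended and that nothing on this machine relies on the old aliasing.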
@@ -90,6 +91,9 @@ static void grackle_init(Object *obj)
 PCIHostState *phb = PCI_HOST_BRIDGE(obj);
 
 memory_region_init(>pci_mmio, OBJECT(s), "pci-mmio", 0x1ULL);
+memory_region_init_io(>pci_io, OBJECT(s), _io_ops, obj,
+  "pci-isa-mmio", 0x0020);
+
 memory_region_init_alias(>pci_hole, OBJECT(s), "pci-hole", >pci_mmio,
  0x8000ULL, 0x7e00ULL);
 
@@ -106,6 +110,7 @@ static void grackle_init(Object *obj)
 sysbus_init_mmio(sbd, >conf_mem);
 sysbus_init_mmio(sbd, >data_mem);
 sysbus_init_mmio(sbd, >pci_hole);
+sysbus_init_mmio(sbd, >pci_io);
 }
 
 static void grackle_pci_realize(PCIDevice *d, Error **errp)
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index b3c1f1bc1b..2bf70c4375 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -92,7 +92,6 @@ static void ppc_heathrow_init(MachineState *machine)
 int linux_boot, i;
 MemoryRegion *ram = g_new(MemoryRegion, 1);
 MemoryRegion *bios = g_new(MemoryRegion, 1);
-MemoryRegion *isa = g_new(MemoryRegion, 1);
 uint32_t kernel_base, initrd_base, cmdline_base = 0;
 int32_t kernel_size, initrd_size;
 PCIBus *pci_bus;
@@ -226,11 +225,6 @@ static void ppc_heathrow_init(MachineState *machine)
 }
 }
 
-/* Register 2 MB of ISA IO space */
-memory_region_init_alias(isa, NULL, "isa_mmio",
- get_system_io(), 0, 0x0020);
-memory_region_add_subregion(sysmem, 0xfe00, isa);
-
 /* XXX: we register only 1 output pin for heathrow PIC */
 pic_dev = qdev_create(NULL, TYPE_HEATHROW);
 qdev_init_nofail(pic_dev);
@@ -277,6 +271,9 @@ static void ppc_heathrow_init(MachineState *machine)
 /* PCI hole */
 memory_region_add_subregion(get_system_memory(), 0x8000ULL,
 sysbus_mmio_get_region(s, 2));
+/* Register 2 MB of ISA IO space */
+memory_region_add_subregion(get_system_memory(), 0xfe00,
+sysbus_mmio_get_region(s, 3));
 
 pci_bus = PCI_HOST_BRIDGE(dev)->bus;
 
-- 
2.11.0




[Qemu-devel] [PATCH 2/6] grackle: general tidy-up and QOMify

2018-03-06 Thread Mark Cave-Ayland
This is the first step towards removing the old-style pci_grackle_init()
function. Following on from the previous commit we can now pass the heathrow
device as an object link and wire up the heathrow IRQs via qdev GPIOs.

Signed-off-by: Mark Cave-Ayland 
---
 hw/pci-host/grackle.c | 96 +--
 hw/ppc/mac.h  |  2 +-
 hw/ppc/mac_oldworld.c |  2 +-
 3 files changed, 64 insertions(+), 36 deletions(-)

diff --git a/hw/pci-host/grackle.c b/hw/pci-host/grackle.c
index 033588b7d2..f8935246c3 100644
--- a/hw/pci-host/grackle.c
+++ b/hw/pci-host/grackle.c
@@ -27,6 +27,8 @@
 #include "hw/pci/pci_host.h"
 #include "hw/ppc/mac.h"
 #include "hw/pci/pci.h"
+#include "hw/intc/heathrow_pic.h"
+#include "qapi/error.h"
 #include "trace.h"
 
 #define GRACKLE_PCI_HOST_BRIDGE(obj) \
@@ -35,6 +37,8 @@
 typedef struct GrackleState {
 PCIHostState parent_obj;
 
+HeathrowState *pic;
+qemu_irq irqs[4];
 MemoryRegion pci_mmio;
 MemoryRegion pci_hole;
 } GrackleState;
@@ -47,13 +51,22 @@ static int pci_grackle_map_irq(PCIDevice *pci_dev, int 
irq_num)
 
 static void pci_grackle_set_irq(void *opaque, int irq_num, int level)
 {
-qemu_irq *pic = opaque;
+GrackleState *s = opaque;
 
 trace_grackle_set_irq(irq_num, level);
-qemu_set_irq(pic[irq_num + 0x15], level);
+qemu_set_irq(s->irqs[irq_num], level);
 }
 
-PCIBus *pci_grackle_init(uint32_t base, qemu_irq *pic,
+static void grackle_init_irqs(GrackleState *s)
+{
+int i;
+
+for (i = 0; i < ARRAY_SIZE(s->irqs); i++) {
+s->irqs[i] = qdev_get_gpio_in(DEVICE(s->pic), 0x15 + i);
+}
+}
+
+PCIBus *pci_grackle_init(uint32_t base, DeviceState *pic_dev,
  MemoryRegion *address_space_mem,
  MemoryRegion *address_space_io)
 {
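Review bot: grackle_init_irqs() keeps the bare `0x15 + i` offset that pci_grackle_set_irq() used to apply as `pic[irq_num + 0x15]`, so the mapping from PCI interrupt line to heathrow input is still an unexplained literal, and it now lives in a different function from the handler that depends on it. Give the base a named constant or add a comment saying that the four PCI IRQs map to heathrow inputs 0x15 onwards.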
@@ -63,60 +76,75 @@ PCIBus *pci_grackle_init(uint32_t base, qemu_irq *pic,
 GrackleState *d;
 
 dev = qdev_create(NULL, TYPE_GRACKLE_PCI_HOST_BRIDGE);
+object_property_set_link(OBJECT(dev), OBJECT(pic_dev), "pic",
+ _abort);
+qdev_init_nofail(dev);
+
 s = SYS_BUS_DEVICE(dev);
 phb = PCI_HOST_BRIDGE(dev);
 d = GRACKLE_PCI_HOST_BRIDGE(dev);
 
-memory_region_init(>pci_mmio, OBJECT(s), "pci-mmio", 0x1ULL);
-memory_region_init_alias(>pci_hole, OBJECT(s), "pci-hole", >pci_mmio,
- 0x8000ULL, 0x7e00ULL);
 memory_region_add_subregion(address_space_mem, 0x8000ULL,
 >pci_hole);
 
+sysbus_mmio_map(s, 0, base);
+sysbus_mmio_map(s, 1, base + 0x0020);
+
+return phb->bus;
+}
+
+static void grackle_realize(DeviceState *dev, Error **errp)
+{
+GrackleState *s = GRACKLE_PCI_HOST_BRIDGE(dev);
+PCIHostState *phb = PCI_HOST_BRIDGE(dev);
+
 phb->bus = pci_register_root_bus(dev, NULL,
  pci_grackle_set_irq,
  pci_grackle_map_irq,
- pic,
- >pci_mmio,
- address_space_io,
+ s,
+ >pci_mmio,
+ get_system_io(),
  0, 4, TYPE_PCI_BUS);
 
 pci_create_simple(phb->bus, 0, "grackle");
-qdev_init_nofail(dev);
-
-sysbus_mmio_map(s, 0, base);
-sysbus_mmio_map(s, 1, base + 0x0020);
-
-return phb->bus;
+grackle_init_irqs(s);
 }
 
-static int pci_grackle_init_device(SysBusDevice *dev)
+static void grackle_init(Object *obj)
 {
-PCIHostState *phb;
+GrackleState *s = GRACKLE_PCI_HOST_BRIDGE(obj);
+SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+PCIHostState *phb = PCI_HOST_BRIDGE(obj);
 
-phb = PCI_HOST_BRIDGE(dev);
+memory_region_init(>pci_mmio, OBJECT(s), "pci-mmio", 0x1ULL);
+memory_region_init_alias(>pci_hole, OBJECT(s), "pci-hole", >pci_mmio,
+ 0x8000ULL, 0x7e00ULL);
 
-memory_region_init_io(>conf_mem, OBJECT(dev), _host_conf_le_ops,
-  dev, "pci-conf-idx", 0x1000);
-memory_region_init_io(>data_mem, OBJECT(dev), _host_data_le_ops,
-  dev, "pci-data-idx", 0x1000);
-sysbus_init_mmio(dev, >conf_mem);
-sysbus_init_mmio(dev, >data_mem);
+memory_region_init_io(>conf_mem, obj, _host_conf_le_ops,
+  DEVICE(obj), "pci-conf-idx", 0x1000);
+memory_region_init_io(>data_mem, obj, _host_data_le_ops,
+  DEVICE(obj), "pci-data-idx", 0x1000);
 
-return 0;
+object_property_add_link(obj, "pic", TYPE_HEATHROW,
+ (Object **) >pic,
+ qdev_prop_allow_set_link_before_realize,
+ 0, NULL);
+
+sysbus_init_mmio(sbd, >conf_mem);
+sysbus_init_mmio(sbd, 
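Review bot: grackle_realize() calls grackle_init_irqs(s), which passes `DEVICE(s->pic)` to qdev_get_gpio_in(), but nothing in realize checks that the "pic" link added in grackle_init() was actually set. pci_grackle_init() sets it before qdev_init_nofail(), but realize already receives `errp`, so test `s->pic` there and fail with an error instead of relying on every creator of the device. Separately, once the bus is registered with `get_system_io()` the `address_space_io` parameter of pci_grackle_init() is no longer used and can be dropped in this patch.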

[Qemu-devel] [PATCH 5/6] mac_oldworld: remove pics IRQ array and wire up macio to heathrow directly

2018-03-06 Thread Mark Cave-Ayland
Introduce constants for the pre-defined Old World IRQs to help keep things
readable.

Signed-off-by: Mark Cave-Ayland 
---
 hw/ppc/mac.h  |  8 
 hw/ppc/mac_oldworld.c | 27 ++-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 04568c2a22..6f3603c21e 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -45,6 +45,14 @@
 
 #define ESCC_CLOCK 3686400
 
+/* Old World IRQs */
+#define OLDWORLD_CUDA_IRQ  0x12
+#define OLDWORLD_ESCCB_IRQ 0x10
+#define OLDWORLD_ESCCA_IRQ 0xf
+#define OLDWORLD_IDE0_IRQ  0xd
+#define OLDWORLD_IDE0_DMA_IRQ  0x2
+#define OLDWORLD_IDE1_IRQ  0xe
+#define OLDWORLD_IDE1_DMA_IRQ  0x3
 
 /* MacIO */
 #define TYPE_MACIO_IDE "macio-ide"
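Review bot: The new OLDWORLD_*_IRQ values mix `0x12` and `0x10` with single-digit `0xf`, `0xd`, `0x2`, `0xe` and `0x3`, whereas the call sites they replace wrote `0x0F`, `0x0D`, `0x02`, and they are listed in GPIO-output order rather than by IRQ number, which makes a duplicate or a gap hard to spot. Write them as two-digit hex sorted by value, and consider adding the PCI base that grackle.c still open-codes as `0x15` so that every heathrow input used by the board is defined in one place.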
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 2bf70c4375..048b0cea7e 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -88,7 +88,6 @@ static void ppc_heathrow_init(MachineState *machine)
 PowerPCCPU *cpu = NULL;
 CPUPPCState *env = NULL;
 char *filename;
-qemu_irq *pic;
 int linux_boot, i;
 MemoryRegion *ram = g_new(MemoryRegion, 1);
 MemoryRegion *bios = g_new(MemoryRegion, 1);
@@ -242,11 +241,6 @@ static void ppc_heathrow_init(MachineState *machine)
 }
 }
 
-pic = g_new0(qemu_irq, HEATHROW_NUM_IRQS);
-for (i = 0; i < HEATHROW_NUM_IRQS; i++) {
-pic[i] = qdev_get_gpio_in(pic_dev, i);
-}
-
 /* Timebase Frequency */
 if (kvm_enabled()) {
 tbfreq = kvmppc_get_tbfreq();
@@ -288,13 +282,20 @@ static void ppc_heathrow_init(MachineState *machine)
 /* MacIO */
 macio = OLDWORLD_MACIO(pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO));
 dev = DEVICE(macio);
-qdev_connect_gpio_out(dev, 0, pic[0x12]); /* CUDA */
-qdev_connect_gpio_out(dev, 1, pic[0x10]); /* ESCC-B */
-qdev_connect_gpio_out(dev, 2, pic[0x0F]); /* ESCC-A */
-qdev_connect_gpio_out(dev, 3, pic[0x0D]); /* IDE-0 */
-qdev_connect_gpio_out(dev, 4, pic[0x02]); /* IDE-0 DMA */
-qdev_connect_gpio_out(dev, 5, pic[0x0E]); /* IDE-1 */
-qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE-1 DMA */
+qdev_connect_gpio_out(dev, 0,
+qdev_get_gpio_in(pic_dev, OLDWORLD_CUDA_IRQ));
+qdev_connect_gpio_out(dev, 1,
+qdev_get_gpio_in(pic_dev, OLDWORLD_ESCCB_IRQ));
+qdev_connect_gpio_out(dev, 2,
+qdev_get_gpio_in(pic_dev, OLDWORLD_ESCCA_IRQ));
+qdev_connect_gpio_out(dev, 3,
+qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_IRQ));
+qdev_connect_gpio_out(dev, 4,
+qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_DMA_IRQ));
+qdev_connect_gpio_out(dev, 5,
+qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_IRQ));
+qdev_connect_gpio_out(dev, 6,
+qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_DMA_IRQ));
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
-- 
2.11.0




[Qemu-devel] [PATCH 0/6] heathrow/grackle/mac_oldworld board wiring improvements

2018-03-06 Thread Mark Cave-Ayland
[This is for Old World Machines: there is a corresponding patch for New World Machines]

This patchset is a combination of heathrow/grackle/mac_oldworld cleanup with the final
aim of removing the remaining custom init functions and switching IRQ arrays over
to qdev GPIOs.

Patch 1 removes the heathrow_init() function, switching over to qdev GPIOs in order to
wire up the CPU IRQs.

Patch 2 cleans up and QOMifies the grackle device, allowing the deprecated _init()
function to be subsequently removed in patch 3.

Patch 4 wires up the PCI IO space to the PCI host bridge rather than using the inbuilt
system IO address space.

Finally patches 5 and 6 remove the pics IRQ array and instead wire up the macio_oldworld
device to the PIC directly using the existing object link.
Signed-off-by: Mark Cave-Ayland 

Mark Cave-Ayland (6):
  heathrow: remove obsolete heathow_init() function
  grackle: general tidy-up and QOMify
  grackle: remove deprecated pci_grackle_init() function
  grackle: move PCI IO (ISA) memory region into the grackle device
  mac_oldworld: remove pics IRQ array and wire up macio to heathrow
directly
  mac_oldworld: move wiring of macio IRQs to macio_oldworld_realize()

 hw/intc/heathrow_pic.c |  23 ++---
 hw/misc/macio/macio.c  |  37 +--
 hw/pci-host/grackle.c  | 103 ++---
 hw/ppc/mac.h   |  15 +++---
 hw/ppc/mac_oldworld.c  |  51 ++--
 include/hw/intc/heathrow_pic.h |   2 +-
 include/hw/misc/macio/macio.h  |   1 -
 7 files changed, 118 insertions(+), 114 deletions(-)

-- 
2.11.0




[Qemu-devel] [PATCH 6/6] mac_oldworld: move wiring of macio IRQs to macio_oldworld_realize()

2018-03-06 Thread Mark Cave-Ayland
Since the macio device has a link to the PIC device, we can now wire up the
IRQs directly via qdev GPIOs rather than having to use an intermediate array.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 37 ++---
 hw/ppc/mac_oldworld.c | 14 --
 include/hw/misc/macio/macio.h |  1 -
 3 files changed, 22 insertions(+), 30 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index af1bd46b4b..ea170c0649 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -145,10 +145,9 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 {
 MacIOState *s = MACIO(d);
 OldWorldMacIOState *os = OLDWORLD_MACIO(d);
+DeviceState *pic_dev = DEVICE(os->pic);
 Error *err = NULL;
 SysBusDevice *sysbus_dev;
-int i;
-int cur_irq = 0;
 
 macio_common_realize(d, );
 if (err) {
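Review bot: `DeviceState *pic_dev = DEVICE(os->pic);` at the top of macio_oldworld_realize() uses the "pic" link without checking that it was set, and every qdev_get_gpio_in(pic_dev, ...) call added further down depends on it. Nothing visible here forces the link to be set before realize, so check `os->pic` and report through `errp` before wiring any IRQ.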
@@ -157,11 +156,14 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 }
 
 sysbus_dev = SYS_BUS_DEVICE(>cuda);
-sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
+sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
+   OLDWORLD_CUDA_IRQ));
 
 sysbus_dev = SYS_BUS_DEVICE(>escc);
-sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
-sysbus_connect_irq(sysbus_dev, 1, os->irqs[cur_irq++]);
+sysbus_connect_irq(sysbus_dev, 0, qdev_get_gpio_in(pic_dev,
+   OLDWORLD_ESCCB_IRQ));
+sysbus_connect_irq(sysbus_dev, 1, qdev_get_gpio_in(pic_dev,
+   OLDWORLD_ESCCA_IRQ));
 
 object_property_set_bool(OBJECT(>nvram), true, "realized", );
 if (err) {
@@ -179,15 +181,22 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_mmio_get_region(sysbus_dev, 0));
 
 /* IDE buses */
-for (i = 0; i < ARRAY_SIZE(os->ide); i++) {
-qemu_irq irq0 = os->irqs[cur_irq++];
-qemu_irq irq1 = os->irqs[cur_irq++];
+macio_realize_ide(s, >ide[0],
+  qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_IRQ),
+  qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_DMA_IRQ),
+  0x16, );
+if (err) {
+error_propagate(errp, err);
+return;
+}
 
-macio_realize_ide(s, >ide[i], irq0, irq1, 0x16 + (i * 4), );
-if (err) {
-error_propagate(errp, err);
-return;
-}
+macio_realize_ide(s, >ide[1],
+  qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_IRQ),
+  qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_DMA_IRQ),
+  0x1a, );
+if (err) {
+error_propagate(errp, err);
+return;
 }
 }
 
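Review bot: Unrolling the IDE loop duplicates the macio_realize_ide() call and its `if (err)` block, and turns the computed `0x16 + (i * 4)` into two separate literals, `0x16` and `0x1a`, that have to be kept in step by hand. A small static table of IRQ and DMA IRQ pairs indexed by `i` would keep the loop, the single error path and the original DMA channel expression.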
@@ -212,8 +221,6 @@ static void macio_oldworld_init(Object *obj)
 DeviceState *dev;
 int i;
 
-qdev_init_gpio_out(DEVICE(obj), os->irqs, ARRAY_SIZE(os->irqs));
-
 object_property_add_link(obj, "pic", TYPE_HEATHROW,
  (Object **) >pic,
  qdev_prop_allow_set_link_before_realize,
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 048b0cea7e..b3bd00a03d 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -282,20 +282,6 @@ static void ppc_heathrow_init(MachineState *machine)
 /* MacIO */
 macio = OLDWORLD_MACIO(pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO));
 dev = DEVICE(macio);
-qdev_connect_gpio_out(dev, 0,
-qdev_get_gpio_in(pic_dev, OLDWORLD_CUDA_IRQ));
-qdev_connect_gpio_out(dev, 1,
-qdev_get_gpio_in(pic_dev, OLDWORLD_ESCCB_IRQ));
-qdev_connect_gpio_out(dev, 2,
-qdev_get_gpio_in(pic_dev, OLDWORLD_ESCCA_IRQ));
-qdev_connect_gpio_out(dev, 3,
-qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_IRQ));
-qdev_connect_gpio_out(dev, 4,
-qdev_get_gpio_in(pic_dev, OLDWORLD_IDE0_DMA_IRQ));
-qdev_connect_gpio_out(dev, 5,
-qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_IRQ));
-qdev_connect_gpio_out(dev, 6,
-qdev_get_gpio_in(pic_dev, OLDWORLD_IDE1_DMA_IRQ));
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index 4528282b36..64a2584a77 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -56,7 +56,6 @@ typedef struct OldWorldMacIOState {
 /*< public >*/
 
 HeathrowState *pic;
-qemu_irq irqs[7];
 
 MacIONVRAMState nvram;
 MACIOIDEState ide[2];
-- 
2.11.0




[Qemu-devel] [PATCH 3/6] grackle: remove deprecated pci_grackle_init() function

2018-03-06 Thread Mark Cave-Ayland
Instead wire up the grackle device inside the Mac Old World machine.

Signed-off-by: Mark Cave-Ayland 
---
 hw/pci-host/grackle.c | 28 +---
 hw/ppc/mac.h  |  3 ---
 hw/ppc/mac_oldworld.c | 21 ++---
 3 files changed, 19 insertions(+), 33 deletions(-)

diff --git a/hw/pci-host/grackle.c b/hw/pci-host/grackle.c
index f8935246c3..e4583d493b 100644
--- a/hw/pci-host/grackle.c
+++ b/hw/pci-host/grackle.c
@@ -66,33 +66,6 @@ static void grackle_init_irqs(GrackleState *s)
 }
 }
 
-PCIBus *pci_grackle_init(uint32_t base, DeviceState *pic_dev,
- MemoryRegion *address_space_mem,
- MemoryRegion *address_space_io)
-{
-DeviceState *dev;
-SysBusDevice *s;
-PCIHostState *phb;
-GrackleState *d;
-
-dev = qdev_create(NULL, TYPE_GRACKLE_PCI_HOST_BRIDGE);
-object_property_set_link(OBJECT(dev), OBJECT(pic_dev), "pic",
- _abort);
-qdev_init_nofail(dev);
-
-s = SYS_BUS_DEVICE(dev);
-phb = PCI_HOST_BRIDGE(dev);
-d = GRACKLE_PCI_HOST_BRIDGE(dev);
-
-memory_region_add_subregion(address_space_mem, 0x8000ULL,
->pci_hole);
-
-sysbus_mmio_map(s, 0, base);
-sysbus_mmio_map(s, 1, base + 0x0020);
-
-return phb->bus;
-}
-
 static void grackle_realize(DeviceState *dev, Error **errp)
 {
 GrackleState *s = GRACKLE_PCI_HOST_BRIDGE(dev);
@@ -132,6 +105,7 @@ static void grackle_init(Object *obj)
 
 sysbus_init_mmio(sbd, >conf_mem);
 sysbus_init_mmio(sbd, >data_mem);
+sysbus_init_mmio(sbd, >pci_hole);
 }
 
 static void grackle_pci_realize(PCIDevice *d, Error **errp)
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 2359deb1ec..04568c2a22 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -77,9 +77,6 @@ void macio_init(PCIDevice *dev,
 
 /* Grackle PCI */
 #define TYPE_GRACKLE_PCI_HOST_BRIDGE "grackle-pcihost"
-PCIBus *pci_grackle_init(uint32_t base, DeviceState *pic_dev,
- MemoryRegion *address_space_mem,
- MemoryRegion *address_space_io);
 
 /* UniNorth PCI */
 PCIBus *pci_pmac_init(qemu_irq *pic,
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 17711971e6..b3c1f1bc1b 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -34,6 +34,7 @@
 #include "net/net.h"
 #include "hw/isa/isa.h"
 #include "hw/pci/pci.h"
+#include "hw/pci/pci_host.h"
 #include "hw/boards.h"
 #include "hw/nvram/fw_cfg.h"
 #include "hw/char/escc.h"
@@ -56,6 +57,8 @@
 
 #define NDRV_VGA_FILENAME "qemu_vga.ndrv"
 
+#define GRACKLE_BASE 0xfec0
+
 static void fw_cfg_boot_set(void *opaque, const char *boot_device,
 Error **errp)
 {
@@ -95,6 +98,7 @@ static void ppc_heathrow_init(MachineState *machine)
 PCIBus *pci_bus;
 OldWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
+SysBusDevice *s;
 DeviceState *dev, *pic_dev;
 BusState *adb_bus;
 int bios_size, ndrv_size;
@@ -262,9 +266,20 @@ static void ppc_heathrow_init(MachineState *machine)
 exit(1);
 }
 
-pci_bus = pci_grackle_init(0xfec0, pic_dev,
-   get_system_memory(),
-   get_system_io());
+/* Grackle PCI host bridge */
+dev = qdev_create(NULL, TYPE_GRACKLE_PCI_HOST_BRIDGE);
+object_property_set_link(OBJECT(dev), OBJECT(pic_dev), "pic",
+ _abort);
+qdev_init_nofail(dev);
+s = SYS_BUS_DEVICE(dev);
+sysbus_mmio_map(s, 0, GRACKLE_BASE);
+sysbus_mmio_map(s, 1, GRACKLE_BASE + 0x20);
+/* PCI hole */
+memory_region_add_subregion(get_system_memory(), 0x8000ULL,
+sysbus_mmio_get_region(s, 2));
+
+pci_bus = PCI_HOST_BRIDGE(dev)->bus;
+
 pci_vga_init(pci_bus);
 
 for (i = 0; i < nb_nics; i++) {
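Review bot: `sysbus_mmio_get_region(s, 2)` in the added block depends on the PCI hole being the third region registered in grackle_init(), and neither this call nor the new `sysbus_init_mmio()` line says so. A short comment naming what MMIO indices 0, 1 and 2 are (or constants shared with grackle.c) would keep the board code from mapping the wrong region if the registration order ever changes. The new local `s` could also use the name `sbd`, which grackle_init() already uses for its SysBusDevice.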
-- 
2.11.0




[Qemu-devel] [PATCH 1/6] heathrow: remove obsolete heathow_init() function

2018-03-06 Thread Mark Cave-Ayland
Instead wire up heathrow to the CPU and grackle PCI host using qdev GPIOs.

Signed-off-by: Mark Cave-Ayland 
---
 hw/intc/heathrow_pic.c | 23 +--
 hw/ppc/mac.h   |  4 
 hw/ppc/mac_oldworld.c  | 20 
 include/hw/intc/heathrow_pic.h |  2 +-
 4 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 393fdd7326..b8b997deca 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -172,27 +172,14 @@ static void heathrow_init(Object *obj)
 HeathrowState *s = HEATHROW(obj);
 SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 
-memory_region_init_io(>mem, OBJECT(s), _ops, s,
-  "heathrow-pic", 0x1000);
-sysbus_init_mmio(sbd, >mem);
-}
-
-DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
-   qemu_irq **pic_irqs)
-{
-DeviceState *d;
-HeathrowState *s;
-
-d = qdev_create(NULL, TYPE_HEATHROW);
-qdev_init_nofail(d);
-
-s = HEATHROW(d);
 /* only 1 CPU */
-s->irqs = irqs[0];
+qdev_init_gpio_out(DEVICE(obj), s->irqs, 1);
 
-*pic_irqs = qemu_allocate_irqs(heathrow_set_irq, s, HEATHROW_NUM_IRQS);
+qdev_init_gpio_in(DEVICE(obj), heathrow_set_irq, HEATHROW_NUM_IRQS);
 
-return d;
+memory_region_init_io(>mem, OBJECT(s), _ops, s,
+  "heathrow-pic", 0x1000);
+sysbus_init_mmio(sbd, >mem);
 }
 
 static void heathrow_class_init(ObjectClass *oc, void *data)
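Review bot: the output count in `qdev_init_gpio_out(DEVICE(obj), s->irqs, 1)` is a literal that has to stay in step with the `qemu_irq irqs[1]` declaration added to heathrow_pic.h; `ARRAY_SIZE(s->irqs)` would tie the two together. The `/* only 1 CPU */` comment was written for the old `s->irqs = irqs[0]` assignment and should be reworded for the GPIO output it now sits above.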
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index a02f797598..424d20088b 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -75,10 +75,6 @@ void macio_ide_register_dma(MACIOIDEState *ide);
 void macio_init(PCIDevice *dev,
 MemoryRegion *pic_mem);
 
-/* Heathrow PIC */
-DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
-   qemu_irq **pic_irqs);
-
 /* Grackle PCI */
 #define TYPE_GRACKLE_PCI_HOST_BRIDGE "grackle-pcihost"
 PCIBus *pci_grackle_init(uint32_t base, qemu_irq *pic,
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 935493c966..62788a54c0 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -85,7 +85,7 @@ static void ppc_heathrow_init(MachineState *machine)
 PowerPCCPU *cpu = NULL;
 CPUPPCState *env = NULL;
 char *filename;
-qemu_irq *pic, **heathrow_irqs;
+qemu_irq *pic;
 int linux_boot, i;
 MemoryRegion *ram = g_new(MemoryRegion, 1);
 MemoryRegion *bios = g_new(MemoryRegion, 1);
@@ -228,16 +228,15 @@ static void ppc_heathrow_init(MachineState *machine)
 memory_region_add_subregion(sysmem, 0xfe00, isa);
 
 /* XXX: we register only 1 output pin for heathrow PIC */
-heathrow_irqs = g_malloc0(smp_cpus * sizeof(qemu_irq *));
-heathrow_irqs[0] =
-g_malloc0(smp_cpus * sizeof(qemu_irq) * 1);
+pic_dev = qdev_create(NULL, TYPE_HEATHROW);
+qdev_init_nofail(pic_dev);
+
 /* Connect the heathrow PIC outputs to the 6xx bus */
 for (i = 0; i < smp_cpus; i++) {
 switch (PPC_INPUT(env)) {
 case PPC_FLAGS_INPUT_6xx:
-heathrow_irqs[i] = heathrow_irqs[0] + (i * 1);
-heathrow_irqs[i][0] =
-((qemu_irq *)env->irq_inputs)[PPC6xx_INPUT_INT];
+qdev_connect_gpio_out(pic_dev, 0,
+((qemu_irq *)env->irq_inputs)[PPC6xx_INPUT_INT]);
 break;
 default:
 error_report("Bus model not supported on OldWorld Mac machine");
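Review bot: inside the `for (i = 0; i < smp_cpus; i++)` loop the new `qdev_connect_gpio_out(pic_dev, 0, ...)` call no longer uses `i`, so as far as this hunk shows every iteration connects the same output 0 to the same `env->irq_inputs` entry. Since the PIC exposes a single output, connect it once outside the loop (or drop the loop), and move the `XXX: we register only 1 output pin` comment next to the connect call, because it now sits above the `qdev_create()` it does not describe.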
@@ -245,6 +244,11 @@ static void ppc_heathrow_init(MachineState *machine)
 }
 }
 
+pic = g_new0(qemu_irq, HEATHROW_NUM_IRQS);
+for (i = 0; i < HEATHROW_NUM_IRQS; i++) {
+pic[i] = qdev_get_gpio_in(pic_dev, i);
+}
+
 /* Timebase Frequency */
 if (kvm_enabled()) {
 tbfreq = kvmppc_get_tbfreq();
@@ -257,7 +261,7 @@ static void ppc_heathrow_init(MachineState *machine)
 error_report("Only 6xx bus is supported on heathrow machine");
 exit(1);
 }
-pic_dev = heathrow_pic_init(1, heathrow_irqs, );
+
 pci_bus = pci_grackle_init(0xfec0, pic,
get_system_memory(),
get_system_io());
diff --git a/include/hw/intc/heathrow_pic.h b/include/hw/intc/heathrow_pic.h
index bc3ffaab87..56c2ef339f 100644
--- a/include/hw/intc/heathrow_pic.h
+++ b/include/hw/intc/heathrow_pic.h
@@ -41,7 +41,7 @@ typedef struct HeathrowState {
 
 MemoryRegion mem;
 HeathrowPICState pics[2];
-qemu_irq *irqs;
+qemu_irq irqs[1];
 } HeathrowState;
 
 #define HEATHROW_NUM_IRQS 64
-- 
2.11.0




[Qemu-devel] [Bug 1753309] Re: Ethernet interrupt vectors for sabrelite machine are defined backwards

2018-03-06 Thread Bill Paul
"4.14+: Both versions of qemu (as-is and interrupts reverted) work fine"

Hm. I really wonder how it can be possible that Linux works with the
interrupt vectors reversed, though to be fair I have not looked at the
Linux i.MX6 ENET driver code. I suppose it's possible that the driver is
binding the same interrupt service routine to both interrupt vectors. If
so, then it works by accident. :)

I think U-Boot uses polling so it wouldn't care if the interrupt vectors
are wrong.

We have several SabreLite boards in house. We also have NXP Sabre SD
reference boards which use the same i.MX6Q SoC and the exact same
ethernet driver with the same interrupt configuration. I have always
used VxWorks with them rather than Linux, and I can say for a fact that
the VxWorks ENET driver only binds an ISR to vector 150 (118) (VxWorks
doesn't currently support the IEEE 1588 feature with this interface so
it never uses vector 151) and it works as expected -- network interrupt
events are indeed received via vector 150.

The same VxWorks image that works with real hardware does not work with
QEMU unless I fix the vectors in fsl-imx6.h.

In short, both the hardware and the manual seem to agree. QEMU is doing
it wrong. :)

Also, the errata sheet for the i.MX6 is here:

https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf

Apparently erratum 6687 is related to power management and wakeup
events. I'm not sure how that factors in to how Linux behaves.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1753309

Title:
  Ethernet interrupt vectors for sabrelite machine are defined backwards

Status in QEMU:
  New

Bug description:
  The sabrelite machine model used by qemu-system-arm is based on the
  Freescale/NXP i.MX6Q processor. This SoC has an on-board ethernet
  controller which is supported in QEMU using the imx_fec.c module
  (actually called imx.enet for this model.)

  The include/hw/arm/fsm-imx6.h file defines the interrupt vectors for
  the imx.enet device like this:

  #define FSL_IMX6_ENET_MAC_1588_IRQ 118
  #define FSL_IMX6_ENET_MAC_IRQ 119

  However, this is backwards. The reference manual for the i.MX6D/Q
  devices can be found here:

  https://www.nxp.com/docs/en/reference-manual/IMX6DQRM.pdf

  On page 225, in Table 3-1. ARM Cortex A9 domain interrupt summary, it
  shows the following:

  150 ENET
  MAC 0 IRQ, Logical OR of:
  MAC 0 Periodic Timer Overflow
  MAC 0 Time Stamp Available
  MAC 0 Time Stamp Available
  MAC 0 Time Stamp Available
  MAC 0 Payload Receive Error
  MAC 0 Transmit FIFO Underrun
  MAC 0 Collision Retry Limit
  MAC 0 Late Collision
  MAC 0 Ethernet Bus Error
  MAC 0 MII Data Transfer Done
  MAC 0 Receive Buffer Done
  MAC 0 Receive Frame Done
  MAC 0 Transmit Buffer Done
  MAC 0 Transmit Frame Done
  MAC 0 Graceful Stop
  MAC 0 Babbling Transmit Error
  MAC 0 Babbling Receive Error
  MAC 0 Wakeup Request [synchronous]

  151 ENET
  MAC 0 1588 Timer interrupt [synchronous] request

  Note:
  150 - 32 == 118
  151 - 32 == 119

  In other words, the vector definitions in the fsl-imx6.h file are
  reversed. The correct definition is:

  #define FSL_IMX6_ENET_MAC_IRQ 118
  #define FSL_IMX6_ENET_MAC_1588_IRQ 119

  I tested the sabrelite simulation using VxWorks 7 (which supports the
  SabreLite board) and found that while I was able to send and receive
  packet data via the simulated ethernet interface, the VxWorks i.MX6
  ethernet driver failed to receive any interrupts. When I corrected the
  interrupt vector definitions as shown above and recompiled QEMU,
  everything worked as expected. I was able to exchange ICMP packets
  with the simulated target and telnet to/from the VxWorks instance
  running in the virtual machine. I used the tap interface for this.

  As a workaround I was also able to make the ethernet work by modifying
  the VxWorks imx6q-sabrelite.dts file to change the ethernet interrupt
  property from 150 to 151.

  This problem was observed with the following environment:

  Host: FreeBSD/amd64 11.1-RELEASE
  QEMU version: 2.11.0 and 2.11.1 built from source code

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1753309/+subscriptions



Re: [Qemu-devel] [Qemu-block] [PATCH 0/2] block/ssh: Implement .bdrv_refresh_filename()

2018-03-06 Thread John Snow


On 02/05/2018 03:22 PM, Max Reitz wrote:
> This series implements .bdrv_refresh_filename() for the ssh block
> driver, along with an appropriate .bdrv_dirname() so we don't chop off
> query strings for backing files with relative filenames.
> 
> This series depends on my “block: Fix some filename generation issues”
> series and on Pino's “ssh: switch from libssh2 to libssh” patch.
> 
> Based-on: 20180205151835.20812-1-mre...@redhat.com
> Based-on: 20180118164439.2120-1-ptosc...@redhat.com
> 
> 
> Max Reitz (2):
>   block/ssh: Implement .bdrv_refresh_filename()
>   block/ssh: Implement .bdrv_dirname()
> 
>  block/ssh.c | 72 
> +++--
>  1 file changed, 65 insertions(+), 7 deletions(-)
> 

Did this one rot on the vine?

>1 month old.



Re: [Qemu-devel] [PATCH v4 05/11] linux-user: fix mmap/munmap/mprotect/mremap/shmat

2018-03-06 Thread Laurent Vivier
On 06/03/2018 at 20:34, Max Filippov wrote:
> In linux-user QEMU that runs for a target with TARGET_ABI_BITS bigger
> than L1_MAP_ADDR_SPACE_BITS an assertion in page_set_flags fires when
> mmap, munmap, mprotect, mremap or shmat is called for an address outside
> the guest address space. mmap and mprotect should return ENOMEM in such
> case.
> 
> Introduce macro guest_range_valid that verifies if address range is
> within guest address space and does not wrap around. Use that macro in
> mmap/munmap/mprotect/mremap/shmat for error checking.
> 
> Cc: qemu-sta...@nongnu.org
> Cc: Riku Voipio 
> Cc: Laurent Vivier 
> Signed-off-by: Max Filippov 
> ---
> Changes v3->v4:
> - change GUEST_ADDR_MAX and h2g_valid definitions as suggested by Laurent
>   Vivier.
> 
> Changes v2->v3:
> - fix comparison in guest_valid: it must be 'less' to preserve the existing
>   functionality, not 'less or equal'.
> - fix guest_range_valid: it may not use guest_valid, because single range
>   that occupies all of the guest address space is valid.
> 
>  include/exec/cpu-all.h  |  4 
>  include/exec/cpu_ldst.h | 14 --
>  linux-user/mmap.c   | 20 +++-
>  linux-user/syscall.c|  3 +++
>  4 files changed, 30 insertions(+), 11 deletions(-)
> 
> diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
> index 0b141683f095..6304cfa7e171 100644
> --- a/include/exec/cpu-all.h
> +++ b/include/exec/cpu-all.h
> @@ -159,8 +159,12 @@ extern unsigned long guest_base;
>  extern int have_guest_base;
>  extern unsigned long reserved_va;
>  
> +#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
> +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : ~0ul)

In fact, below, for h2g_valid(), reserved_va is ignored in this case, so
it should be:

#define GUEST_ADDR_MAX (~0ul)

[I know, my bad]

> +#else
>  #define GUEST_ADDR_MAX (reserved_va ? reserved_va : \

I think it should become "reserved_va ? reserved_va - 1 : \"
as "reserved_va" is a size but GUEST_ADDR_MAX is the maximum value
available. See below.

>  (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
> +#endif
>  #else
>  
>  #include "exec/hwaddr.h"
> diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
> index 191f2e962a3c..22f5df9c8a92 100644
> --- a/include/exec/cpu_ldst.h
> +++ b/include/exec/cpu_ldst.h
> @@ -52,15 +52,17 @@
>  #define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base))
>  
>  #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
> -#define h2g_valid(x) 1
> +#define guest_valid(x) 1
>  #else
> -#define h2g_valid(x) ({ \
> -unsigned long __guest = (unsigned long)(x) - guest_base; \
> -(__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
> -(!reserved_va || (__guest < reserved_va)); \
> -})
> +#define guest_valid(x) ((x) < GUEST_ADDR_MAX)

I think it should be ((x) <= GUEST_ADDR_MAX), because

(__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS))
->  (__guest <= ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
->  (__guest <= GUEST_ADDR_MAX)

To work with reserved_va, it has also to be defined as "reserved_va -
1". And in open_self_maps() we should have "max = ... :
(uintptr_t)g2h(GUEST_ADDR_MAX) + 1;" and then we have a "h2g(max - 1)"
that will correctly return GUEST_ADDR_MAX.

Then you don't need the "#if" because if "HOST_LONG_BITS <=
TARGET_VIRT_ADDR_SPACE_BITS", x is 32bit and GUEST_ADDR_MAX is ~0ul,
and then ((x) <= GUEST_ADDR_MAX) is always true.

>  #endif
>  
> +#define h2g_valid(x) guest_valid((unsigned long)(x) - guest_base)
> +
> +#define guest_range_valid(start, len) \
> +({unsigned long l = (len); \
> + l <= GUEST_ADDR_MAX && (start) <= GUEST_ADDR_MAX - l; })
> +
>  #define h2g_nocheck(x) ({ \
>  unsigned long __ret = (unsigned long)(x) - guest_base; \
>  (abi_ulong)__ret; \
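Review bot: in `guest_range_valid`, `(start) <= GUEST_ADDR_MAX - l` treats GUEST_ADDR_MAX as an exclusive limit, but the `(1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1` branch in cpu-all.h defines it as the highest valid address, so a range whose last byte is exactly GUEST_ADDR_MAX (the last page, for example) is rejected. Pick one meaning for the bound and make `guest_valid` and `guest_range_valid` follow it; with an inclusive bound the comparison needs `GUEST_ADDR_MAX - l + 1`, with a zero length handled separately. The statement-expression local `l` is also a very short name for a macro; `h2g_nocheck` just below uses `__ret`, which is less likely to capture an identifier that appears in the caller's `start` expression.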
...
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index e24f43c4a259..79245e73784f 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -4900,6 +4900,9 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
>  return -TARGET_EINVAL;
>  }
>  }
> +if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) {

if shmaddr is NULL, "the system chooses a suitable (unused) address" so
you can't check this as is.

Thanks,
Laurent
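
The two readings of the bound discussed in the review above (GUEST_ADDR_MAX as the highest valid address versus `reserved_va` as a size), as an added C example that is not part of the original message or of QEMU. The 31-bit address space, the function names and the sample ranges are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model, not QEMU code: a 31-bit guest address space held in
 * uint32_t, so that wrap-around is easy to reach. All names are hypothetical.
 */
#define ADDR_BITS      31
#define MAX_INCLUSIVE  ((UINT32_C(1) << ADDR_BITS) - 1) /* highest valid address */
#define SIZE_EXCLUSIVE (UINT32_C(1) << ADDR_BITS)       /* a size, like reserved_va */

/* Naive check: start + len wraps past zero and the sum looks small again. */
static bool range_valid_naive(uint32_t start, uint32_t len, uint32_t limit)
{
    return (uint32_t)(start + len) <= limit;
}

/*
 * Shape of the check quoted in the patch: no addition, so nothing can wrap.
 * It is exact when 'bound' is an exclusive limit (one past the last byte).
 */
static bool range_valid_quoted(uint32_t start, uint32_t len, uint32_t bound)
{
    return len <= bound && start <= bound - len;
}

/* Same idea for an inclusive bound: compare the last byte, start + len - 1. */
static bool range_valid_inclusive(uint32_t start, uint32_t len, uint32_t max)
{
    if (len == 0) {
        return start <= max;
    }
    return len - 1 <= max && start <= max - (len - 1);
}

struct range_case {
    const char *what;
    uint32_t start, len;
};

/* Constructed sample ranges. */
static const struct range_case cases[] = {
    { "first page",          0x00000000u, 0x00001000u },
    { "last page",           0x7ffff000u, 0x00001000u },
    { "one byte past end",   0x7ffff000u, 0x00001001u },
    { "whole address space", 0x00000000u, 0x80000000u },
    { "wraps past 2^32",     0xfffff000u, 0x00002000u },
};

int main(void)
{
    printf("%-22s naive quoted(max) quoted(size) inclusive\n", "range");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const struct range_case *c = &cases[i];
        printf("%-22s %5d %11d %12d %9d\n", c->what,
               range_valid_naive(c->start, c->len, SIZE_EXCLUSIVE),
               range_valid_quoted(c->start, c->len, MAX_INCLUSIVE),
               range_valid_quoted(c->start, c->len, SIZE_EXCLUSIVE),
               range_valid_inclusive(c->start, c->len, MAX_INCLUSIVE));
    }
    return 0;
}
```

The "last page" and "whole address space" rows are where the quoted form and an inclusive bound disagree; the wrapping row is the one only the naive sum accepts.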



[Qemu-devel] [PATCH v1 17/22] RISC-V: Hardwire satp to 0 for no-mmu case

2018-03-06 Thread Michael Clark
satp is WARL so it should not trap on illegal writes, rather
it can be hardwired to zero and silently ignore illegal writes.

It seems the RISC-V WARL behaviour is preferred to having to
bear trap overhead, versus simply reading back the value and
checking if the write took (saves hundreds of cycles and much
more complex trap handling code).

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index e34715d..dd3e417 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -242,7 +242,7 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 }
 case CSR_SATP: /* CSR_SPTBR */ {
 if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
-goto do_illegal;
+break;
 }
 if (env->priv_ver <= PRIV_VERSION_1_09_1 && (val_to_write ^ 
env->sptbr))
 {
@@ -452,7 +452,10 @@ target_ulong csr_read_helper(CPURISCVState *env, 
target_ulong csrno)
 return env->scounteren;
 case CSR_SCAUSE:
 return env->scause;
-case CSR_SPTBR:
+case CSR_SATP: /* CSR_SPTBR */
+if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
+return 0;
+}
 if (env->priv_ver >= PRIV_VERSION_1_10_0) {
 return env->satp;
 } else {
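Review bot: the case label changes from `CSR_SPTBR` to `CSR_SATP` in this hunk, which the commit message does not mention. If both names refer to the same CSR number, as the `/* CSR_SPTBR */` comment suggests, say so in the message so the rename is not mistaken for a behaviour change.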
-- 
2.7.0




[Qemu-devel] [PATCH v1 21/22] RISC-V: No traps on writes to misa/minstret/mcycle

2018-03-06 Thread Michael Clark
These fields are marked WARL in the specification so illegal
writes are silently dropped.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 26 +-
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index aa101cc..f8595a6 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -200,17 +200,19 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 break;
 }
 case CSR_MINSTRET:
-qemu_log_mask(LOG_UNIMP, "CSR_MINSTRET: write not implemented");
-goto do_illegal;
+/* minstret is WARL so unsupported writes are ignored */
+break;
 case CSR_MCYCLE:
-qemu_log_mask(LOG_UNIMP, "CSR_MCYCLE: write not implemented");
-goto do_illegal;
+/* mcycle is WARL so unsupported writes are ignored */
+break;
+#if defined(TARGET_RISCV32)
 case CSR_MINSTRETH:
-qemu_log_mask(LOG_UNIMP, "CSR_MINSTRETH: write not implemented");
-goto do_illegal;
+/* minstreth is WARL so unsupported writes are ignored */
+break;
 case CSR_MCYCLEH:
-qemu_log_mask(LOG_UNIMP, "CSR_MCYCLEH: write not implemented");
-goto do_illegal;
+/* mcycleh is WARL so unsupported writes are ignored */
+break;
+#endif
 case CSR_MUCOUNTEREN:
 env->mucounteren = val_to_write;
 break;
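Review bot: the new `#if defined(TARGET_RISCV32)` around `CSR_MINSTRETH` and `CSR_MCYCLEH` goes beyond what the commit message describes: on other targets those two cases disappear from the switch instead of being ignored. Mention that in the message. Dropping the `qemu_log_mask(LOG_UNIMP, ...)` calls together with the `goto do_illegal` also removes the only trace that a guest wrote a counter this model does not implement; keeping the log line and replacing just the `goto` with `break` would preserve the diagnostic.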
@@ -300,10 +302,9 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 case CSR_MBADADDR:
 env->mbadaddr = val_to_write;
 break;
-case CSR_MISA: {
-qemu_log_mask(LOG_UNIMP, "CSR_MISA: misa writes not supported");
-goto do_illegal;
-}
+case CSR_MISA:
+/* misa is WARL so unsupported writes are ignored */
+break;
 case CSR_PMPCFG0:
 case CSR_PMPCFG1:
 case CSR_PMPCFG2:
@@ -328,7 +329,6 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 case CSR_PMPADDR15:
pmpaddr_csr_write(env, csrno - CSR_PMPADDR0, val_to_write);
break;
-do_illegal:
 #endif
 default:
 do_raise_exception_err(env, RISCV_EXCP_ILLEGAL_INST, GETPC());
-- 
2.7.0




Re: [Qemu-devel] [RFC PATCH v2 00/22] remove i386/pc dependency: generic SuperIO

2018-03-06 Thread no-reply
Hi,

This series failed docker-mingw@fedora build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 20180305211928.466-1-f4...@amsat.org
Subject: [Qemu-devel] [RFC PATCH v2 00/22] remove i386/pc dependency: generic SuperIO

=== TEST SCRIPT BEGIN ===
#!/bin/bash
set -e
git submodule update --init dtc
# Let docker tests dump environment info
export SHOW_ENV=1
export J=8
time make docker-test-mingw@fedora
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
d9c63caae7 hw/i386/pc: Factor out the superio code
9e67a390dd hw/alpha/dp264: Use the TYPE_SMC37C669_SUPERIO
25db7f9953 hw/alpha/dp264: Add the ISA DMA controller
76d6e67a57 hw/isa/superio: Add the SMC FDC37C669 Super I/O
ffc800b0ca hw/isa/vt82c686: Add the TYPE_VT82C686B_SUPERIO
85a19b0256 hw/isa/vt82c686: Rename vt82c686b_init() -> vt82c686b_isa_init()
d89bbbfee2 hw/mips/mips_fulong2e: Factor out vt82c686b_southbridge_init()
e420c875ee hw/isa/superio: Factor out the FDC37M817 Super I/O from mips_malta.c
d7de9887bb hw/mips/malta: Code movement
791635483e hw/isa/superio: Factor out the IDE code from pc87312.c
394b1f0e62 hw/isa/superio: Add a keyboard/mouse controller (8042)
16497b117a hw/isa/superio: Factor out the floppy disc controller code from 
pc87312.c
6d4c1541cc hw/isa/superio: Factor out the serial code from pc87312.c
c00ea6aea2 hw/isa/superio: Factor out the parallel code from pc87312.c
86481897b6 hw/isa/pc87312: Inherit from the abstract TYPE_ISA_SUPERIO
3fc152c1e1 hw/isa/superio: Add a Super I/O template based on the PC87312 device
20890e64ed hw/isa/pc87312: Use 'unsigned int' for the irq value
58fe8c70e3 hw/isa/pc87312: Use uint16_t for the ISA I/O base address
22258437c7 hw/isa/pc87312: Rename the device type as TYPE_PC87312_SUPERIO
435f762b70 hw/input/i8042: Extract declarations from i386/pc.h into 
input/i8042.h
9782517c54 hw/dma/i8257: Rename DMA_init() to i8257_dma_init()
23bb3a93ed hw/isa: Move parallel_hds_isa_init() to hw/char/parallel-isa.c

=== OUTPUT BEGIN ===
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into '/var/tmp/patchew-tester-tmp-o8ld5l4n/src/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
  BUILD   fedora
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-o8ld5l4n/src'
  GEN 
/var/tmp/patchew-tester-tmp-o8ld5l4n/src/docker-src.2018-03-05-16.48.52.7877/qemu.tar
Cloning into 
'/var/tmp/patchew-tester-tmp-o8ld5l4n/src/docker-src.2018-03-05-16.48.52.7877/qemu.tar.vroot'...
done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into 
'/var/tmp/patchew-tester-tmp-o8ld5l4n/src/docker-src.2018-03-05-16.48.52.7877/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered 
for path 'ui/keycodemapdb'
Cloning into 
'/var/tmp/patchew-tester-tmp-o8ld5l4n/src/docker-src.2018-03-05-16.48.52.7877/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out 
'6b3d716e2b6472eb7189d3220552280ef3d832ce'
  COPYRUNNER
RUN test-mingw in qemu:fedora 
Packages installed:

[Qemu-devel] [PATCH v1 15/22] RISC-V: Use memory_region_is_ram in pte update

2018-03-06 Thread Michael Clark
After reading cpu_physical_memory_write and friends, it seems
that memory_region_is_ram is a more appropriate interface,
and matches the intent of the code that is calling it.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/helper.c b/target/riscv/helper.c
index 2165ecb..88551be 100644
--- a/target/riscv/helper.c
+++ b/target/riscv/helper.c
@@ -235,7 +235,7 @@ restart:
 rcu_read_lock();
 mr = address_space_translate(cs->as, pte_addr,
 , , false);
-if (memory_access_is_direct(mr, true)) {
+if (memory_region_is_ram(mr)) {
 target_ulong *pte_pa =
 qemu_map_ram_ptr(mr->ram_block, addr1);
 #if TCG_OVERSIZED_GUEST
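Review bot: `memory_access_is_direct(mr, true)` was asked about a write access, while `memory_region_is_ram(mr)` takes no access direction, and the code that follows writes the updated PTE through `qemu_map_ram_ptr()`. Please confirm that the new test still rejects read-only regions (the comparable block shown in patch 10/22 comments its failure path as covering a PTE in ROM), or keep an explicit read-only check next to it.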
-- 
2.7.0




[Qemu-devel] [PATCH v1 19/22] RISC-V: riscv-qemu port supports sv39 and sv48

2018-03-06 Thread Michael Clark
Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/cpu.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 7c4482b..f47fc9c 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -24,8 +24,8 @@
 #define TARGET_PAGE_BITS 12 /* 4 KiB Pages */
 #if defined(TARGET_RISCV64)
 #define TARGET_LONG_BITS 64
-#define TARGET_PHYS_ADDR_SPACE_BITS 50
-#define TARGET_VIRT_ADDR_SPACE_BITS 39
+#define TARGET_PHYS_ADDR_SPACE_BITS 52
+#define TARGET_VIRT_ADDR_SPACE_BITS 48
 #elif defined(TARGET_RISCV32)
 #define TARGET_LONG_BITS 32
 #define TARGET_PHYS_ADDR_SPACE_BITS 34
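Review bot: the commit has no message body, and the new values `52` and `48` carry no comment, unlike `TARGET_PAGE_BITS` just above them. State where 52 physical bits comes from and that 48 virtual bits is the sv48 width, either in the message or as trailing comments on the two defines.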
-- 
2.7.0




[Qemu-devel] [PATCH v1 10/22] RISC-V: Hold rcu_read_lock when accessing memory

2018-03-06 Thread Michael Clark
From reading other code that accesses memory regions directly,
it appears that the rcu_read_lock needs to be held. Note: the
original code for accessing RAM directly was added because
there is no other way to use atomic_cmpxchg easily.

Signed-off-by: Michael Clark 
Signed-off-by: Stefan O'Rear 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/helper.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/target/riscv/helper.c b/target/riscv/helper.c
index 02cbcea..228933c 100644
--- a/target/riscv/helper.c
+++ b/target/riscv/helper.c
@@ -209,6 +209,7 @@ restart:
as the PTE is no longer valid */
 MemoryRegion *mr;
 hwaddr l = sizeof(target_ulong), addr1;
+rcu_read_lock();
 mr = address_space_translate(cs->as, pte_addr,
 , , false);
 if (memory_access_is_direct(mr, true)) {
@@ -222,16 +223,19 @@ restart:
 target_ulong old_pte =
 atomic_cmpxchg(pte_pa, pte, updated_pte);
 if (old_pte != pte) {
+rcu_read_unlock();
 goto restart;
 } else {
 pte = updated_pte;
 }
 #endif
 } else {
+rcu_read_unlock();
 /* misconfigured PTE in ROM (AD bits are not preset) or
  * PTE is in IO space and can't be updated atomically */
 return TRANSLATE_FAIL;
 }
+rcu_read_unlock();
 }
 
 /* for superpage mappings, make a fake leaf PTE for the TLB's
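Review bot: `rcu_read_unlock()` is now repeated on three exit paths (before `goto restart`, before `return TRANSLATE_FAIL`, and at the end of the block), which is easy to get wrong when another exit is added. Consider recording the outcome in a local, unlocking once after the if/else, and then acting on it. The commit message's "it appears that the rcu_read_lock needs to be held" would also be stronger if it named which call's result must not outlive the read-side section.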
-- 
2.7.0




[Qemu-devel] [PATCH v1 18/22] RISC-V: Remove braces from satp case statement

2018-03-06 Thread Michael Clark
Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index dd3e417..f79716a 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -240,7 +240,7 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 csr_write_helper(env, next_mie, CSR_MIE);
 break;
 }
-case CSR_SATP: /* CSR_SPTBR */ {
+case CSR_SATP: /* CSR_SPTBR */
 if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
 break;
 }
@@ -258,7 +258,6 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 env->satp = val_to_write;
 }
 break;
-}
 case CSR_SEPC:
 env->sepc = val_to_write;
 break;
-- 
2.7.0




[Qemu-devel] [Bug 1753309] Re: Ethernet interrupt vectors for sabrelite machine are defined backwards

2018-03-06 Thread Guenter Roeck
Followup on #1: The relevant upstream commit is 4c8777892e80b ("ARM:
dts: imx6qdl-sabrelite: remove erratum ERR006687 workaround").

Test results with various kernel versions:
4.14+: Both versions of qemu (as-is and interrupts reverted) work fine
4.9.y: Requires cherry-pick of 4c8777892e80b for both versions of qemu to work
4.4.y: Requires backport of 4c8777892e80b for both versions of qemu to work
4.1.y: Requires backport of 4c8777892e80b for both versions of qemu to work

I didn't test older kernels.

Now the big question is if this matches the experience with real
hardware.




[Qemu-devel] [PATCH v1 05/22] RISC-V: Remove identity_translate from load_elf

2018-03-06 Thread Michael Clark
When load_elf is called with NULL as an argument to the
address translate callback, it does an identity translation.
This commit removes the redundant identity_translate callback.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 hw/riscv/sifive_e.c | 7 +--
 hw/riscv/sifive_u.c | 7 +--
 hw/riscv/spike.c| 7 +--
 hw/riscv/virt.c | 7 +--
 4 files changed, 4 insertions(+), 24 deletions(-)

diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index 19eca36..09c9d49 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -82,16 +82,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
size_t len)
 }
 }
 
-static uint64_t identity_translate(void *opaque, uint64_t addr)
-{
-return addr;
-}
-
 static uint64_t load_kernel(const char *kernel_filename)
 {
 uint64_t kernel_entry, kernel_high;
 
-if (load_elf(kernel_filename, identity_translate, NULL,
+if (load_elf(kernel_filename, NULL, NULL,
  _entry, NULL, _high,
  0, ELF_MACHINE, 1, 0) < 0) {
 error_report("qemu: could not load kernel '%s'", kernel_filename);
diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index f3f7615..6116c38 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -68,16 +68,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
size_t len)
 }
 }
 
-static uint64_t identity_translate(void *opaque, uint64_t addr)
-{
-return addr;
-}
-
 static uint64_t load_kernel(const char *kernel_filename)
 {
 uint64_t kernel_entry, kernel_high;
 
-if (load_elf(kernel_filename, identity_translate, NULL,
+if (load_elf(kernel_filename, NULL, NULL,
  _entry, NULL, _high,
  0, ELF_MACHINE, 1, 0) < 0) {
 error_report("qemu: could not load kernel '%s'", kernel_filename);
diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
index 4c233ec..7710333 100644
--- a/hw/riscv/spike.c
+++ b/hw/riscv/spike.c
@@ -59,16 +59,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
size_t len)
 }
 }
 
-static uint64_t identity_translate(void *opaque, uint64_t addr)
-{
-return addr;
-}
-
 static uint64_t load_kernel(const char *kernel_filename)
 {
 uint64_t kernel_entry, kernel_high;
 
-if (load_elf_ram_sym(kernel_filename, identity_translate, NULL,
+if (load_elf_ram_sym(kernel_filename, NULL, NULL,
 _entry, NULL, _high, 0, ELF_MACHINE, 1, 0,
 NULL, true, htif_symbol_callback) < 0) {
 error_report("qemu: could not load kernel '%s'", kernel_filename);
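Review bot: In spike.c the NULL is passed to load_elf_ram_sym, but the commit message only states that load_elf treats a NULL translate callback as an identity translation. Please confirm that load_elf_ram_sym handles NULL the same way and say so in the commit message; if it does not, this is the one call site of the four that would call through a NULL function pointer.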
diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index 0d101fc..f8c19b4 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -62,16 +62,11 @@ static void copy_le32_to_phys(hwaddr pa, uint32_t *rom, 
size_t len)
 }
 }
 
-static uint64_t identity_translate(void *opaque, uint64_t addr)
-{
-return addr;
-}
-
 static uint64_t load_kernel(const char *kernel_filename)
 {
 uint64_t kernel_entry, kernel_high;
 
-if (load_elf(kernel_filename, identity_translate, NULL,
+if (load_elf(kernel_filename, NULL, NULL,
  _entry, NULL, _high,
  0, ELF_MACHINE, 1, 0) < 0) {
 error_report("qemu: could not load kernel '%s'", kernel_filename);
-- 
2.7.0




Re: [Qemu-devel] [RESEND PATCH v7 0/3] Initial i.MX7 support

2018-03-06 Thread Guenter Roeck
On Mon, Mar 05, 2018 at 07:50:23AM -0800, Andrey Smirnov wrote:
> On Mon, Mar 5, 2018 at 7:31 AM, Peter Maydell  
> wrote:
> > On 5 March 2018 at 06:12, Andrey Smirnov  wrote:
> >> RESEND due to botched original v7 submission (patch 1/3 broken)
> >>
> >> Hi everyone,
> >>
> >> This is v7 of the patch series containing the work that I've done in
> >> order to enable support for i.MX7 emulation in QEMU.
> >
> > Thanks; applied to target-arm.next.
> >
> > By the way there were a couple of i.MX bug reports this weekend:
> > https://bugs.launchpad.net/qemu/+bug/1753314  (about the UART)
> 
> Sure, might not be able to look at it immediately but I'll give it a
> spin by the end of this week.
> 
> > https://bugs.launchpad.net/qemu/+bug/1753309  (about ethernet)
> >
> 
> Peter:
> 
> Ha! This is a rather amusing coincidence since I was just talking
> about this exact bug with Guenter Roeck (added to this thread), who
> was going to submit a patch to fix it.
> 
> Guenter:
> 
> Sorry for just randomly pulling you into this seemingly random
> discussion, but I thought this additional context would be helpful to
> you.
> 
I just updated https://bugs.launchpad.net/qemu/+bug/1753309 with my
observations. As it turns out, the Ethernet interface on older kernels
(4.9 and older) only works with the current version of qemu. It is
possible to fix the problem by applying upstream commit 4c8777892e80b
to v4.9 and older kernels. However, I don't know if the problem is also
seen with real hardware, or if there is some other problem lurking
somewhere in qemu.

Guenter



[Qemu-devel] [PATCH v1 13/22] RISC-V: Make some header guards more specific

2018-03-06 Thread Michael Clark
Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 include/hw/riscv/spike.h | 4 ++--
 include/hw/riscv/virt.h  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/hw/riscv/spike.h b/include/hw/riscv/spike.h
index 179b6cf..ed9d1db 100644
--- a/include/hw/riscv/spike.h
+++ b/include/hw/riscv/spike.h
@@ -16,8 +16,8 @@
  * this program.  If not, see .
  */
 
-#ifndef HW_SPIKE_H
-#define HW_SPIKE_H
+#ifndef HW_RISCV_SPIKE_H
+#define HW_RISCV_SPIKE_H
 
 #define TYPE_RISCV_SPIKE_V1_09_1_BOARD "riscv.spike_v1_9_1"
 #define TYPE_RISCV_SPIKE_V1_10_0_BOARD "riscv.spike_v1_10"
diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
index 9588909..d22f184 100644
--- a/include/hw/riscv/virt.h
+++ b/include/hw/riscv/virt.h
@@ -16,8 +16,8 @@
  * this program.  If not, see .
  */
 
-#ifndef HW_VIRT_H
-#define HW_VIRT_H
+#ifndef HW_RISCV_VIRT_H
+#define HW_RISCV_VIRT_H
 
 typedef struct {
 RISCVHartArrayState soc;
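Review bot: The commit message has no body, so the reason for renaming HW_VIRT_H and HW_SPIKE_H is left to the reader. One sentence would do, for example that guards this generic can collide with a guard in another board's header and silently drop its declarations. Please also check that any trailing comment on the matching #endif, which is outside these hunks, is updated to the new names.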
-- 
2.7.0




[Qemu-devel] [PATCH v1 03/22] RISC-V: Make virt board description match spike

2018-03-06 Thread Michael Clark
This makes 'qemu-system-riscv64 -machine help' output more tidy
and consistent.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 hw/riscv/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index a402856..0055439 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -404,7 +404,7 @@ static const TypeInfo riscv_virt_board_device = {
 
 static void riscv_virt_board_machine_init(MachineClass *mc)
 {
-mc->desc = "RISC-V VirtIO Board (Privileged spec v1.10)";
+mc->desc = "RISC-V VirtIO Board (Privileged ISA v1.10)";
 mc->init = riscv_virt_board_init;
 mc->max_cpus = 8; /* hardcoded limit in BBL */
 }
-- 
2.7.0




[Qemu-devel] [PATCH v1 09/22] RISC-V: Include hexidecimal in disassembly

2018-03-06 Thread Michael Clark
This was added to help debug issues using -d in_asm. It is
useful to see the instruction bytes, as one can detect if
one is trying to execute ASCII or device-tree magic.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 disas/riscv.c | 39 ---
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/disas/riscv.c b/disas/riscv.c
index 3c17501..4580308 100644
--- a/disas/riscv.c
+++ b/disas/riscv.c
@@ -2769,25 +2769,6 @@ static void format_inst(char *buf, size_t buflen, size_t 
tab, rv_decode *dec)
 char tmp[64];
 const char *fmt;
 
-if (dec->op == rv_op_illegal) {
-size_t len = inst_length(dec->inst);
-switch (len) {
-case 2:
-snprintf(buf, buflen, "(0x%04" PRIx64 ")", dec->inst);
-break;
-case 4:
-snprintf(buf, buflen, "(0x%08" PRIx64 ")", dec->inst);
-break;
-case 6:
-snprintf(buf, buflen, "(0x%012" PRIx64 ")", dec->inst);
-break;
-default:
-snprintf(buf, buflen, "(0x%016" PRIx64 ")", dec->inst);
-break;
-}
-return;
-}
-
 fmt = opcode_data[dec->op].format;
 while (*fmt) {
 switch (*fmt) {
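Review bot: With the rv_op_illegal early return removed, format_inst now reads opcode_data[dec->op].format for illegal encodings too and walks it straight away in while (*fmt). Please confirm that the opcode_data entry for rv_op_illegal has a non-NULL format string, because disassembling ASCII or device-tree bytes under -d in_asm, the case the commit message is aimed at, is exactly when this path runs.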
@@ -3004,6 +2985,11 @@ disasm_inst(char *buf, size_t buflen, rv_isa isa, 
uint64_t pc, rv_inst inst)
 format_inst(buf, buflen, 16, );
 }
 
+#define INST_FMT_2 "%04" PRIx64 "  "
+#define INST_FMT_4 "%08" PRIx64 "  "
+#define INST_FMT_6 "%012" PRIx64 "  "
+#define INST_FMT_8 "%016" PRIx64 "  "
+
 static int
 print_insn_riscv(bfd_vma memaddr, struct disassemble_info *info, rv_isa isa)
 {
@@ -3031,6 +3017,21 @@ print_insn_riscv(bfd_vma memaddr, struct 
disassemble_info *info, rv_isa isa)
 }
 }
 
+switch (len) {
+case 2:
+(*info->fprintf_func)(info->stream, INST_FMT_2, inst);
+break;
+case 4:
+(*info->fprintf_func)(info->stream, INST_FMT_4, inst);
+break;
+case 6:
+(*info->fprintf_func)(info->stream, INST_FMT_6, inst);
+break;
+default:
+(*info->fprintf_func)(info->stream, INST_FMT_8, inst);
+break;
+}
+
 disasm_inst(buf, sizeof(buf), isa, memaddr, inst);
 (*info->fprintf_func)(info->stream, "%s", buf);
 
-- 
2.7.0




Re: [Qemu-devel] [PATCH 00/19] uninorth fixes/mac_newworld board wiring improvements

2018-03-06 Thread no-reply
Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk
Subject: [Qemu-devel] [PATCH 00/19] uninorth fixes/mac_newworld board wiring 
improvements

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag]   
patchew/20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk -> 
patchew/20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk
Switched to a new branch 'test'
e7f510fb1c mac_newworld: move wiring of macio IRQs to macio_newworld_realize()
e1cb6af9a4 mac_newworld: remove pics IRQ array and wire up macio to OpenPIC 
directly
cf16eb0223 uninorth: create new uninorth device
9a29524fc9 uninorth: rename UNINState to UNINHostState
bd3653709a uninorth: move PCI IO (ISA) memory region into the uninorth device
f1020004d7 uninorth: use object link to pass OpenPIC object to uninorth
000b78ebf1 uninorth: remove obsolete pci_pmac_u3_init() function
019ce970d1 uninorth: remove obsolete pci_pmac_init() function
d74cd9a986 uninorth: enable internal PCI host bridge
eb2d8bcf25 uninorth: fix PCI and AGP bus mixup
a444eabfcb uninorth: move PCI host bridge bus initialisation into device realize
6401c9c37f uninorth: introduce temporary pic_irqs device property
0f5fb4ec70 uninorth: move PCI mmio memory region initialisation into init 
function
2f7a628836 uninorth: alter pci_pmac_init() and pci_pmac_u3_init() to return 
uninorth device
780535bf21 uninorth: move uninorth definitions into uninorth.h
d8816bc167 uninorth: remove stray PCIBus realize from mac_newworld.c
f82a1a6d5c uninorth: QOMify PCI and AGP host bridges
a0c06c803b uninorth: remove second set of uninorth token registers
4baa7ecf3b uninorth: trivial style fixups

=== OUTPUT BEGIN ===
Checking PATCH 1/19: uninorth: trivial style fixups...
Checking PATCH 2/19: uninorth: remove second set of uninorth token registers...
Checking PATCH 3/19: uninorth: QOMify PCI and AGP host bridges...
Checking PATCH 4/19: uninorth: remove stray PCIBus realize from 
mac_newworld.c...
Checking PATCH 5/19: uninorth: move uninorth definitions into uninorth.h...
Checking PATCH 6/19: uninorth: alter pci_pmac_init() and pci_pmac_u3_init() to 
return uninorth device...
Checking PATCH 7/19: uninorth: move PCI mmio memory region initialisation into 
init function...
Checking PATCH 8/19: uninorth: introduce temporary pic_irqs device property...
Checking PATCH 9/19: uninorth: move PCI host bridge bus initialisation into 
device realize...
ERROR: if this code is redundant consider removing it
#41: FILE: hw/pci-host/uninorth.c:127:
+#if 0

total: 1 errors, 0 warnings, 221 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

Checking PATCH 10/19: uninorth: fix PCI and AGP bus mixup...
Checking PATCH 11/19: uninorth: enable internal PCI host bridge...
Checking PATCH 12/19: uninorth: remove obsolete pci_pmac_init() function...
Checking PATCH 13/19: uninorth: remove obsolete pci_pmac_u3_init() function...
Checking PATCH 14/19: uninorth: use object link to pass OpenPIC object to 
uninorth...
Checking PATCH 15/19: uninorth: move PCI IO (ISA) memory region into the 
uninorth device...
Checking PATCH 16/19: uninorth: rename UNINState to UNINHostState...
Checking PATCH 17/19: uninorth: create new uninorth device...
Checking PATCH 18/19: mac_newworld: remove pics IRQ array and wire up macio to 
OpenPIC directly...
Checking PATCH 19/19: mac_newworld: move wiring of macio IRQs to 
macio_newworld_realize()...
=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-de...@freelists.org

[Qemu-devel] [PATCH v1 08/22] RISC-V: Make sure rom has space for fdt

2018-03-06 Thread Michael Clark
Remove a potential buffer overflow (not seen in practice).
Perhaps cpu_physical_memory_write already has bound checks.
This change however makes space for the maximum device tree
size and adds an explicit bounds check and error message.
It doesn't trigger, but it may help in the future if the
device-tree size is exceeded. e.g. large bootargs.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 hw/riscv/sifive_u.c | 20 
 hw/riscv/spike.c| 16 +++-
 hw/riscv/virt.c | 13 +
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 083043a..57b4f4f 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -52,7 +52,7 @@ static const struct MemmapEntry {
 hwaddr size;
 } sifive_u_memmap[] = {
 [SIFIVE_U_DEBUG] ={0x0,  0x100 },
-[SIFIVE_U_MROM] = { 0x1000, 0x2000 },
+[SIFIVE_U_MROM] = { 0x1000,0x11000 },
 [SIFIVE_U_CLINT] ={  0x200,0x1 },
 [SIFIVE_U_PLIC] = {  0xc00,  0x400 },
 [SIFIVE_U_UART0] ={ 0x10013000, 0x1000 },
@@ -221,7 +221,7 @@ static void riscv_sifive_u_init(MachineState *machine)
 const struct MemmapEntry *memmap = sifive_u_memmap;
 
 SiFiveUState *s = g_new0(SiFiveUState, 1);
-MemoryRegion *sys_memory = get_system_memory();
+MemoryRegion *system_memory = get_system_memory();
 MemoryRegion *main_mem = g_new(MemoryRegion, 1);
 MemoryRegion *mask_rom = g_new(MemoryRegion, 1);
 
@@ -239,7 +239,7 @@ static void riscv_sifive_u_init(MachineState *machine)
 /* register RAM */
 memory_region_init_ram(main_mem, NULL, "riscv.sifive.u.ram",
machine->ram_size, _fatal);
-memory_region_add_subregion(sys_memory, memmap[SIFIVE_U_DRAM].base,
+memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DRAM].base,
 main_mem);
 
 /* create device tree */
@@ -247,9 +247,9 @@ static void riscv_sifive_u_init(MachineState *machine)
 
 /* boot rom */
 memory_region_init_ram(mask_rom, NULL, "riscv.sifive.u.mrom",
-   memmap[SIFIVE_U_MROM].base, _fatal);
-memory_region_set_readonly(mask_rom, true);
-memory_region_add_subregion(sys_memory, 0x0, mask_rom);
+   memmap[SIFIVE_U_MROM].size, _fatal);
+memory_region_add_subregion(system_memory, memmap[SIFIVE_U_MROM].base,
+mask_rom);
 
 if (machine->kernel_filename) {
 load_kernel(machine->kernel_filename);
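Review bot: This hunk drops memory_region_set_readonly(mask_rom, true) and the commit message does not mention it, so after this patch the region holding the reset vector and device tree is apparently writable by the guest. If that is intended, say why in the commit message; if not, keep the call. The change of the size argument from memmap[SIFIVE_U_MROM].base to .size, and of the mapping address from 0x0 to .base, looks like a real fix in its own right and deserves a line in the message as well.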
@@ -276,6 +276,10 @@ static void riscv_sifive_u_init(MachineState *machine)
 copy_le32_to_phys(memmap[SIFIVE_U_MROM].base, reset_vec, 
sizeof(reset_vec));
 
 /* copy in the device tree */
+if (s->fdt_size >= memmap[SIFIVE_U_MROM].size - sizeof(reset_vec)) {
+error_report("qemu: not enough space to store device-tree");
+exit(1);
+}
 qemu_fdt_dumpdtb(s->fdt, s->fdt_size);
 cpu_physical_memory_write(memmap[SIFIVE_U_MROM].base +
 sizeof(reset_vec), s->fdt, s->fdt_size);
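Review bot: The new check uses >=, so a device tree that fits exactly into memmap[SIFIVE_U_MROM].size - sizeof(reset_vec) is rejected; use > unless the spare byte is deliberate, and add a comment if it is. The error message would be more useful with both numbers in it (s->fdt_size and the space available), since the commit message expects this to fire on large bootargs.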
@@ -293,9 +297,9 @@ static void riscv_sifive_u_init(MachineState *machine)
 SIFIVE_U_PLIC_CONTEXT_BASE,
 SIFIVE_U_PLIC_CONTEXT_STRIDE,
 memmap[SIFIVE_U_PLIC].size);
-sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART0].base,
+sifive_uart_create(system_memory, memmap[SIFIVE_U_UART0].base,
 serial_hds[0], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART0_IRQ]);
-/* sifive_uart_create(sys_memory, memmap[SIFIVE_U_UART1].base,
+/* sifive_uart_create(system_memory, memmap[SIFIVE_U_UART1].base,
 serial_hds[1], SIFIVE_PLIC(s->plic)->irqs[SIFIVE_U_UART1_IRQ]); */
 sifive_clint_create(memmap[SIFIVE_U_CLINT].base,
 memmap[SIFIVE_U_CLINT].size, smp_cpus,
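Review bot: The sys_memory to system_memory rename in these sifive_uart_create calls, and in the earlier hunks of this file, is unrelated to the bounds check and makes the overflow fix harder to review and to backport. Please split the rename into its own patch.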
diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
index 64e585e..c7d937b 100644
--- a/hw/riscv/spike.c
+++ b/hw/riscv/spike.c
@@ -46,7 +46,7 @@ static const struct MemmapEntry {
 hwaddr base;
 hwaddr size;
 } spike_memmap[] = {
-[SPIKE_MROM] = { 0x1000, 0x2000 },
+[SPIKE_MROM] = { 0x1000,0x11000 },
 [SPIKE_CLINT] ={  0x200,0x1 },
 [SPIKE_DRAM] = { 0x8000,0x0 },
 };
@@ -197,8 +197,9 @@ static void spike_v1_10_0_board_init(MachineState *machine)
 
 /* boot rom */
 memory_region_init_ram(mask_rom, NULL, "riscv.spike.mrom",
-   s->fdt_size + 0x2000, _fatal);
-memory_region_add_subregion(system_memory, 0x0, mask_rom);
+   memmap[SPIKE_MROM].size, _fatal);
+memory_region_add_subregion(system_memory, memmap[SPIKE_MROM].base,
+mask_rom);
 
 if (machine->kernel_filename) {
 load_kernel(machine->kernel_filename);
@@ -225,6 +226,10 @@ static void spike_v1_10_0_board_init(MachineState *machine)
 copy_le32_to_phys(memmap[SPIKE_MROM].base, reset_vec, 

[Qemu-devel] [PATCH v1 22/22] RISC-V: Remove support for adhoc X_COP interrupt

2018-03-06 Thread Michael Clark
This is essentially dead-code elimination. Support for more
local interrupts will be added in a future revision, as they
will be defined in a future version of the Privileged ISA
specification.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/cpu_bits.h  | 1 -
 target/riscv/op_helper.c | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index 12b4757..133e070 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -346,7 +346,6 @@
 #define IRQ_S_EXT   9
 #define IRQ_H_EXT   10 /* until: priv-1.9.1 */
 #define IRQ_M_EXT   11 /* until: priv-1.9.1 */
-#define IRQ_X_COP   12 /* non-standard */
 
 /* Default addresses */
 #define DEFAULT_RSTVEC 0x1000
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index f8595a6..f543e61 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -90,7 +90,7 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 target_ulong csrno)
 {
 #ifndef CONFIG_USER_ONLY
-uint64_t delegable_ints = MIP_SSIP | MIP_STIP | MIP_SEIP | (1 << 
IRQ_X_COP);
+uint64_t delegable_ints = MIP_SSIP | MIP_STIP | MIP_SEIP;
 uint64_t all_ints = delegable_ints | MIP_MSIP | MIP_MTIP;
 #endif
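Review bot: Dropping (1 << IRQ_X_COP) from delegable_ints changes the value of that mask, so this is a behaviour change for bit 12 and not only dead-code elimination as the commit message says. Please state in the message that the bit is no longer delegable, and check for remaining IRQ_X_COP users outside these two files now that the define is gone from cpu_bits.h.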
 
-- 
2.7.0




[Qemu-devel] [PATCH v1 07/22] RISC-V: Remove unused class definitions

2018-03-06 Thread Michael Clark
Removes a whole lot of unnecessary boilerplate code. Machines
don't need to be objects. The expansion of the SOC object model
for the RISC-V machines will happen in the future as SiFive
plans to add their FE310 and FU540 SOCs to QEMU. However, it
seems that this present boilerplate is completely unnecessary.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 hw/riscv/sifive_e.c | 25 -
 hw/riscv/sifive_u.c | 25 -
 hw/riscv/spike.c| 20 
 hw/riscv/virt.c | 25 -
 include/hw/riscv/sifive_e.h |  9 -
 include/hw/riscv/sifive_u.h |  9 -
 include/hw/riscv/virt.h |  9 -
 7 files changed, 122 deletions(-)

diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index 09c9d49..4872b68 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -194,24 +194,6 @@ static void riscv_sifive_e_init(MachineState *machine)
 }
 }
 
-static int riscv_sifive_e_sysbus_device_init(SysBusDevice *sysbusdev)
-{
-return 0;
-}
-
-static void riscv_sifive_e_class_init(ObjectClass *klass, void *data)
-{
-SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
-k->init = riscv_sifive_e_sysbus_device_init;
-}
-
-static const TypeInfo riscv_sifive_e_device = {
-.name  = TYPE_SIFIVE_E,
-.parent= TYPE_SYS_BUS_DEVICE,
-.instance_size = sizeof(SiFiveEState),
-.class_init= riscv_sifive_e_class_init,
-};
-
 static void riscv_sifive_e_machine_init(MachineClass *mc)
 {
 mc->desc = "RISC-V Board compatible with SiFive E SDK";
@@ -220,10 +202,3 @@ static void riscv_sifive_e_machine_init(MachineClass *mc)
 }
 
 DEFINE_MACHINE("sifive_e", riscv_sifive_e_machine_init)
-
-static void riscv_sifive_e_register_types(void)
-{
-type_register_static(_sifive_e_device);
-}
-
-type_init(riscv_sifive_e_register_types);
diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 25df16c..083043a 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -302,31 +302,6 @@ static void riscv_sifive_u_init(MachineState *machine)
 SIFIVE_SIP_BASE, SIFIVE_TIMECMP_BASE, SIFIVE_TIME_BASE);
 }
 
-static int riscv_sifive_u_sysbus_device_init(SysBusDevice *sysbusdev)
-{
-return 0;
-}
-
-static void riscv_sifive_u_class_init(ObjectClass *klass, void *data)
-{
-SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
-k->init = riscv_sifive_u_sysbus_device_init;
-}
-
-static const TypeInfo riscv_sifive_u_device = {
-.name  = TYPE_SIFIVE_U,
-.parent= TYPE_SYS_BUS_DEVICE,
-.instance_size = sizeof(SiFiveUState),
-.class_init= riscv_sifive_u_class_init,
-};
-
-static void riscv_sifive_u_register_types(void)
-{
-type_register_static(_sifive_u_device);
-}
-
-type_init(riscv_sifive_u_register_types);
-
 static void riscv_sifive_u_machine_init(MachineClass *mc)
 {
 mc->desc = "RISC-V Board compatible with SiFive U SDK";
diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
index 74edf33..64e585e 100644
--- a/hw/riscv/spike.c
+++ b/hw/riscv/spike.c
@@ -336,18 +336,6 @@ static void spike_v1_09_1_board_init(MachineState *machine)
 smp_cpus, SIFIVE_SIP_BASE, SIFIVE_TIMECMP_BASE, SIFIVE_TIME_BASE);
 }
 
-static const TypeInfo spike_v_1_09_1_device = {
-.name  = TYPE_RISCV_SPIKE_V1_09_1_BOARD,
-.parent= TYPE_SYS_BUS_DEVICE,
-.instance_size = sizeof(SpikeState),
-};
-
-static const TypeInfo spike_v_1_10_0_device = {
-.name  = TYPE_RISCV_SPIKE_V1_10_0_BOARD,
-.parent= TYPE_SYS_BUS_DEVICE,
-.instance_size = sizeof(SpikeState),
-};
-
 static void spike_v1_09_1_machine_init(MachineClass *mc)
 {
 mc->desc = "RISC-V Spike Board (Privileged ISA v1.9.1)";
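Review bot: The two spike TypeInfo definitions removed here were the users of TYPE_RISCV_SPIKE_V1_09_1_BOARD and TYPE_RISCV_SPIKE_V1_10_0_BOARD in this file, yet the diffstat touches sifive_e.h, sifive_u.h and virt.h but not spike.h, and the 13/22 hunk shows both defines still present in include/hw/riscv/spike.h. If nothing else references them, remove them in this patch so the four boards stay consistent.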
@@ -365,11 +353,3 @@ static void spike_v1_10_0_machine_init(MachineClass *mc)
 
 DEFINE_MACHINE("spike_v1.9.1", spike_v1_09_1_machine_init)
 DEFINE_MACHINE("spike_v1.10", spike_v1_10_0_machine_init)
-
-static void riscv_spike_board_register_types(void)
-{
-type_register_static(_v_1_09_1_device);
-type_register_static(_v_1_10_0_device);
-}
-
-type_init(riscv_spike_board_register_types);
diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index f1e3641..5913100 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -380,24 +380,6 @@ static void riscv_virt_board_init(MachineState *machine)
 serial_hds[0], DEVICE_LITTLE_ENDIAN);
 }
 
-static int riscv_virt_board_sysbus_device_init(SysBusDevice *sysbusdev)
-{
-return 0;
-}
-
-static void riscv_virt_board_class_init(ObjectClass *klass, void *data)
-{
-SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
-k->init = riscv_virt_board_sysbus_device_init;
-}
-
-static const TypeInfo riscv_virt_board_device = {
-.name  = TYPE_RISCV_VIRT_BOARD,
-.parent= TYPE_SYS_BUS_DEVICE,
-.instance_size = sizeof(RISCVVirtState),
-.class_init= riscv_virt_board_class_init,
-};
-
 

Re: [Qemu-devel] [PATCH 00/19] uninorth fixes/mac_newworld board wiring improvements

2018-03-06 Thread Mark Cave-Ayland

On 06/03/18 20:59, no-re...@patchew.org wrote:


> Hi,
>
> This series seems to have some coding style problems. See output below for
> more information:
>
> Type: series
> Message-id: 20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk
> Subject: [Qemu-devel] [PATCH 00/19] uninorth fixes/mac_newworld board wiring
> improvements
>
> === TEST SCRIPT BEGIN ===
> #!/bin/bash
>
> BASE=base
> n=1
> total=$(git log --oneline $BASE.. | wc -l)
> failed=0
>
> git config --local diff.renamelimit 0
> git config --local diff.renames True
> git config --local diff.algorithm histogram
>
> commits="$(git log --format=%H --reverse $BASE..)"
> for c in $commits; do
>  echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
>  if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -;
> then
>  failed=1
>  echo
>  fi
>  n=$((n+1))
> done
>
> exit $failed
> === TEST SCRIPT END ===
>
> Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
>  From https://github.com/patchew-project/qemu
>   * [new tag]
> patchew/20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk ->
> patchew/20180306203103.25563-1-mark.cave-ayl...@ilande.co.uk
> Switched to a new branch 'test'
> e7f510fb1c mac_newworld: move wiring of macio IRQs to macio_newworld_realize()
> e1cb6af9a4 mac_newworld: remove pics IRQ array and wire up macio to OpenPIC
> directly
> cf16eb0223 uninorth: create new uninorth device
> 9a29524fc9 uninorth: rename UNINState to UNINHostState
> bd3653709a uninorth: move PCI IO (ISA) memory region into the uninorth device
> f1020004d7 uninorth: use object link to pass OpenPIC object to uninorth
> 000b78ebf1 uninorth: remove obsolete pci_pmac_u3_init() function
> 019ce970d1 uninorth: remove obsolete pci_pmac_init() function
> d74cd9a986 uninorth: enable internal PCI host bridge
> eb2d8bcf25 uninorth: fix PCI and AGP bus mixup
> a444eabfcb uninorth: move PCI host bridge bus initialisation into device realize
> 6401c9c37f uninorth: introduce temporary pic_irqs device property
> 0f5fb4ec70 uninorth: move PCI mmio memory region initialisation into init
> function
> 2f7a628836 uninorth: alter pci_pmac_init() and pci_pmac_u3_init() to return
> uninorth device
> 780535bf21 uninorth: move uninorth definitions into uninorth.h
> d8816bc167 uninorth: remove stray PCIBus realize from mac_newworld.c
> f82a1a6d5c uninorth: QOMify PCI and AGP host bridges
> a0c06c803b uninorth: remove second set of uninorth token registers
> 4baa7ecf3b uninorth: trivial style fixups
>
> === OUTPUT BEGIN ===
> Checking PATCH 1/19: uninorth: trivial style fixups...
> Checking PATCH 2/19: uninorth: remove second set of uninorth token registers...
> Checking PATCH 3/19: uninorth: QOMify PCI and AGP host bridges...
> Checking PATCH 4/19: uninorth: remove stray PCIBus realize from
> mac_newworld.c...
> Checking PATCH 5/19: uninorth: move uninorth definitions into uninorth.h...
> Checking PATCH 6/19: uninorth: alter pci_pmac_init() and pci_pmac_u3_init() to
> return uninorth device...
> Checking PATCH 7/19: uninorth: move PCI mmio memory region initialisation into
> init function...
> Checking PATCH 8/19: uninorth: introduce temporary pic_irqs device property...
> Checking PATCH 9/19: uninorth: move PCI host bridge bus initialisation into
> device realize...
> ERROR: if this code is redundant consider removing it
> #41: FILE: hw/pci-host/uninorth.c:127:
> +#if 0
>
> total: 1 errors, 0 warnings, 221 lines checked


This is a false alarm since this #if 0 ... #endif block is removed in 
patch 11.



> Your patch has style problems, please review.  If any of these errors
> are false positives report them to the maintainer, see
> CHECKPATCH in MAINTAINERS.
>
> Checking PATCH 10/19: uninorth: fix PCI and AGP bus mixup...
> Checking PATCH 11/19: uninorth: enable internal PCI host bridge...
> Checking PATCH 12/19: uninorth: remove obsolete pci_pmac_init() function...
> Checking PATCH 13/19: uninorth: remove obsolete pci_pmac_u3_init() function...
> Checking PATCH 14/19: uninorth: use object link to pass OpenPIC object to
> uninorth...
> Checking PATCH 15/19: uninorth: move PCI IO (ISA) memory region into the
> uninorth device...
> Checking PATCH 16/19: uninorth: rename UNINState to UNINHostState...
> Checking PATCH 17/19: uninorth: create new uninorth device...
> Checking PATCH 18/19: mac_newworld: remove pics IRQ array and wire up macio to
> OpenPIC directly...
> Checking PATCH 19/19: mac_newworld: move wiring of macio IRQs to
> macio_newworld_realize()...
> === OUTPUT END ===
>
> Test command exited with code: 1
>
>
> ---
> Email generated automatically by Patchew [http://patchew.org/].
> Please send your feedback to patchew-de...@freelists.org



ATB,

Mark.



Re: [Qemu-devel] [PATCH V4 4/7] CAN bus Kvaser PCI CAN-S (single SJA1000 channel) emulation added.

2018-03-06 Thread Pavel Pisa
Hello Thomas,

thanks for the report, but at this time I am, and
may be for some time, in a condition which does not allow
me to access e-mail and work normally.

On Tuesday 06 of March 2018 16:29:19 Thomas Huth wrote:
> On 14.01.2018 21:14, p...@cmp.felk.cvut.cz wrote:
> > From: Pavel Pisa 
> >
> > Signed-off-by: Pavel Pisa 
> > ---
> >  default-configs/pci.mak |   1 +
> >  hw/can/Makefile.objs|   1 +
> >  hw/can/can_kvaser_pci.c | 375
> >  3 files changed, 377
> > insertions(+)
> >  create mode 100644 hw/can/can_kvaser_pci.c
>
>  Hi,
>
> the kvaser_pci device introduced a new way to crash QEMU, e.g.:
>
> mips64el-softmmu/qemu-system-mips64el -M malta,accel=qtest \
>   -device kvaser_pci
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x55a6e2ec in can_bus_insert_client (bus=0x0,
> client=client@entry=0x570c4018) at
> /home/thuth/devel/qemu/net/can/can_core.c:50
> 50QTAILQ_INSERT_TAIL(>clients, client, next);

The reason is that parameters canbus0 and canbus1 are required.

  -object can-bus,id=canbus0 \
  -device kvaser_pci,canbus0=canbus0

This could be a fast fix, but I plead for somebody else to send a regular
patch.

--- a/net/can/can_host.c
+++ b/net/can/can_host.c
@@ -57,6 +57,10 @@ static void can_host_connect(CanHostState *ch, Error **errp)
 return;
 }

+if (ch->bus_client == NULL) {
+error_setg(errp, "bus is not specified for given device.");
+return;
+}
 can_bus_insert_client(ch->bus, >bus_client);
 }
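Review bot: The new test is on ch->bus_client, but the backtrace quoted above shows can_bus_insert_client called with bus=0x0, and it is ch->bus that is passed as the bus argument on the line right after the check. Test ch->bus == NULL instead. This hunk is also in net/can/can_host.c, whereas the reported crash came from -device kvaser_pci started without a canbus0 property, so the kvaser_pci device needs an equivalent check before it inserts its client.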


My personal opinion is to create bus on 

Best wishes,

Pavel Pisa



[Qemu-devel] [PATCH v1 20/22] RISC-V: vectored traps are optional

2018-03-06 Thread Michael Clark
Vectored traps for asynchronous interrupts are optional.
The mtvec/stvec mode field is WARL and hence does not trap
if an illegal value is written. Illegal values are ignored.

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 14 ++
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index f79716a..aa101cc 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -262,11 +262,10 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 env->sepc = val_to_write;
 break;
 case CSR_STVEC:
-if (val_to_write & 1) {
-qemu_log_mask(LOG_UNIMP, "CSR_STVEC: vectored traps not 
supported");
-goto do_illegal;
+/* we do not support vectored traps for asynchrounous interrupts */ 
+if ((val_to_write & 3) == 0) {
+env->stvec = val_to_write >> 2 << 2;
 }
-env->stvec = val_to_write >> 2 << 2;
 break;
 case CSR_SCOUNTEREN:
 env->scounteren = val_to_write;
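Review bot: Inside the new if ((val_to_write & 3) == 0) branch the low two bits are already zero, so val_to_write >> 2 << 2 is a no-op; assign val_to_write directly. The added comment line also misspells asynchronous and carries trailing whitespace after the closing */.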
@@ -284,11 +283,10 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 env->mepc = val_to_write;
 break;
 case CSR_MTVEC:
-if (val_to_write & 1) {
-qemu_log_mask(LOG_UNIMP, "CSR_MTVEC: vectored traps not 
supported");
-goto do_illegal;
+/* we do not support vectored traps for asynchrounous interrupts */ 
+if ((val_to_write & 3) == 0) {
+env->mtvec = val_to_write >> 2 << 2;
 }
-env->mtvec = val_to_write >> 2 << 2;
 break;
 case CSR_MCOUNTEREN:
 env->mcounteren = val_to_write;
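Review bot: Not trapping is right for a WARL field, but removing qemu_log_mask(LOG_UNIMP, ...) along with the goto means a guest that asks for vectored mode now gets no diagnostic at all and silently keeps its old mtvec. Keep the LOG_UNIMP message in an else branch without the goto do_illegal; the same applies to the CSR_STVEC case in the previous hunk.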
-- 
2.7.0




[Qemu-devel] [PATCH v1 17/22] RISC-V: Ingore satp writes and return 0 for reads

2018-03-06 Thread Michael Clark
satp is WARL so it should not trap on illegal writes, rather
it can be hardwired to zero and silently ignore illegal writes.

It seems the RISC-V WARL behaviour is preferred to having to
bear trap overhead, versus simply reading back the value and
checking if the write took (saves hundreds of cycles and much
more complex trap handling code).

Signed-off-by: Michael Clark 
Signed-off-by: Palmer Dabbelt 
---
 target/riscv/op_helper.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index e34715d..dd3e417 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -242,7 +242,7 @@ void csr_write_helper(CPURISCVState *env, target_ulong 
val_to_write,
 }
 case CSR_SATP: /* CSR_SPTBR */ {
 if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
-goto do_illegal;
+break;
 }
 if (env->priv_ver <= PRIV_VERSION_1_09_1 && (val_to_write ^ 
env->sptbr))
 {
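Review bot: The break sits before the env->priv_ver <= PRIV_VERSION_1_09_1 test, so writes to sptbr on a v1.9.1 hart without an MMU stop trapping as well, while the commit message argues only from satp being WARL. Please confirm that the 1.9.1 register has the same write semantics, or keep goto do_illegal for that version.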
@@ -452,7 +452,10 @@ target_ulong csr_read_helper(CPURISCVState *env, 
target_ulong csrno)
 return env->scounteren;
 case CSR_SCAUSE:
 return env->scause;
-case CSR_SPTBR:
+case CSR_SATP: /* CSR_SPTBR */
+if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
+return 0;
+}
 if (env->priv_ver >= PRIV_VERSION_1_10_0) {
 return env->satp;
 } else {
-- 
2.7.0
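The write-then-read-back pattern that the 20/22 and 17/22 commit messages above rely on (the stvec/mtvec mode field and satp), shown from the guest's side as an added example that is not part of these patches or of QEMU. hart_model, csr_write, csr_read, csr_write_checked, install_trap_vector and enable_paging are hypothetical names for a constructed model of a hart with direct-mode traps only and an optional MMU.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model for illustration; these names are not QEMU's. */
enum model_csr { MODEL_STVEC, MODEL_SATP };

#define TVEC_MODE_MASK 3ULL          /* low two bits of stvec/mtvec: MODE */
#define SATP_MODE_SV39 (8ULL << 60)  /* RV64 satp.MODE encoding for Sv39 */

typedef struct {
    bool has_mmu;      /* false models a core built without an MMU */
    uint64_t stvec;
    uint64_t satp;
} hart_model;

/* WARL write: never traps. An illegal value leaves the register unchanged. */
static void csr_write(hart_model *h, enum model_csr csr, uint64_t val)
{
    switch (csr) {
    case MODEL_STVEC:
        if ((val & TVEC_MODE_MASK) == 0) {  /* only direct mode implemented */
            h->stvec = val;
        }
        break;
    case MODEL_SATP:
        if (h->has_mmu) {                   /* otherwise hardwired to zero */
            h->satp = val;
        }
        break;
    }
}

static uint64_t csr_read(const hart_model *h, enum model_csr csr)
{
    switch (csr) {
    case MODEL_STVEC:
        return h->stvec;
    case MODEL_SATP:
        return h->has_mmu ? h->satp : 0;
    }
    return 0;
}

/* Guest side: a write "took" only if the value read back matches. */
static bool csr_write_checked(hart_model *h, enum model_csr csr, uint64_t val)
{
    csr_write(h, csr, val);
    return csr_read(h, csr) == val;
}

/* Prefer vectored traps, fall back to direct mode; returns the value in force. */
static uint64_t install_trap_vector(hart_model *h, uint64_t base)
{
    if (!csr_write_checked(h, MODEL_STVEC, base | 1)) {
        csr_write(h, MODEL_STVEC, base);
    }
    return csr_read(h, MODEL_STVEC);
}

/* Returns true only when translation is really on. A kernel that skips this
 * check on an MMU-less hart would run believing it has page protection while
 * every access is still physical. */
static bool enable_paging(hart_model *h, uint64_t root_ppn)
{
    return csr_write_checked(h, MODEL_SATP, SATP_MODE_SV39 | root_ppn);
}

int main(void)
{
    hart_model h = { .has_mmu = false, .stvec = 0, .satp = 0 };
    uint64_t tvec = install_trap_vector(&h, 0x80001000ULL);
    bool paging = enable_paging(&h, 0x80200ULL);
    return (tvec == 0x80001000ULL && !paging) ? 0 : 1;
}
```

Because nothing traps, the read-back is the only signal the guest gets; code that treats the write as having succeeded is where the risk lies.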



