Re: [PATCH v2] block: Refactor get_tmp_filename()

2022-09-27 Thread Markus Armbruster
Bin Meng  writes:

> On Mon, Sep 26, 2022 at 6:13 PM Markus Armbruster  wrote:
>>
>> Bin Meng  writes:
>>
>> > From: Bin Meng 
>> >
>> > At present there are two callers of get_tmp_filename() and they are
>> > inconsistent.
>> >
>> > One does:
>> >
>> > /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
>> > char *tmp_filename = g_malloc0(PATH_MAX + 1);
>> > ...
>> > ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
>> >
>> > while the other does:
>> >
>> > s->qcow_filename = g_malloc(PATH_MAX);
>> > ret = get_tmp_filename(s->qcow_filename, PATH_MAX);
>> >
>> > As we can see different 'size' arguments are passed. There are also
>> > platform specific implementations inside the function, and this use
>> > of snprintf is really undesirable.
>> >
>> > Refactor this routine by changing its signature to:
>> >
>> > char *get_tmp_filename(void)
>> >
>> > and use g_file_open_tmp() for a consistent implementation.
>> >
>> > Signed-off-by: Bin Meng 
>> > ---
>> >
>> > Changes in v2:
>> > - Use g_autofree and g_steal_pointer
>> >
>> >  include/block/block_int-common.h |  2 +-
>> >  block.c  | 42 ++--
>> >  block/vvfat.c|  8 +++---
>> >  3 files changed, 18 insertions(+), 34 deletions(-)
>> >
>> > diff --git a/include/block/block_int-common.h 
>> > b/include/block/block_int-common.h
>> > index 8947abab76..ea69a9349c 100644
>> > --- a/include/block/block_int-common.h
>> > +++ b/include/block/block_int-common.h
>> > @@ -1230,7 +1230,7 @@ static inline BlockDriverState *child_bs(BdrvChild 
>> > *child)
>> >  }
>> >
>> >  int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp);
>> > -int get_tmp_filename(char *filename, int size);
>> > +char *get_tmp_filename(void);
>> >  void bdrv_parse_filename_strip_prefix(const char *filename, const char 
>> > *prefix,
>> >QDict *options);
>> >
>> > diff --git a/block.c b/block.c
>> > index bc85f46eed..4e7a795566 100644
>> > --- a/block.c
>> > +++ b/block.c
>> > @@ -860,38 +860,23 @@ int bdrv_probe_geometry(BlockDriverState *bs, 
>> > HDGeometry *geo)
>> >
>> >  /*
>> >   * Create a uniquely-named empty temporary file.
>> > - * Return 0 upon success, otherwise a negative errno value.
>> > + * Return the actual name used upon success, otherwise NULL.
>> > + * The called function is responsible for freeing it.
>> >   */
>> > -int get_tmp_filename(char *filename, int size)
>> > +char *get_tmp_filename(void)
>> >  {
>> > -#ifdef _WIN32
>> > -char temp_dir[MAX_PATH];
>> > -/* GetTempFileName requires that its output buffer (4th param)
>> > -   have length MAX_PATH or greater.  */
>> > -assert(size >= MAX_PATH);
>> > -return (GetTempPath(MAX_PATH, temp_dir)
>> > -&& GetTempFileName(temp_dir, "qem", 0, filename)
>> > -? 0 : -GetLastError());
>> > -#else
>> > +g_autofree char *filename = NULL;
>> >  int fd;
>> > -const char *tmpdir;
>> > -tmpdir = getenv("TMPDIR");
>> > -if (!tmpdir) {
>> > -tmpdir = "/var/tmp";
>> > -}
>> > -if (snprintf(filename, size, "%s/vl.XX", tmpdir) >= size) {
>> > -return -EOVERFLOW;
>> > -}
>> > -fd = mkstemp(filename);
>> > +
>> > +fd = g_file_open_tmp("vl.XX", , NULL);
>> >  if (fd < 0) {
>> > -return -errno;
>> > +return NULL;
>> >  }
>> >  if (close(fd) != 0) {
>> >  unlink(filename);
>> > -return -errno;
>> > +return NULL;
>> >  }
>> > -return 0;
>> > -#endif
>> > +return g_steal_pointer();
>> >  }
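Review bot: The rewritten get_tmp_filename() discards the failure cause: g_file_open_tmp() is passed NULL for its GError and both error paths return NULL, where the old code returned a negative errno value. Callers (outside this hunk) that report why temporary-file creation failed can no longer do so; consider capturing the GError and logging or propagating its message before returning NULL. The new header comment also says "The called function is responsible for freeing it", which should read `* The caller is responsible for freeing it with g_free().`. The same hunk is quoted again further down this thread and the same points apply there.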
>>
>> Oh my, what a lovely mess you're messing with!
>>
>> The function creates a temporary *file*, not just a filename.  Makes
>> sense, as creating a unique filename is inherently racy.  The contract
>> is clear enough ("Create a uniquely-named empty temporary file"), but
>> the function name is actively misleading.
>
> Agreed that the name is misleading.

Care to fix that?

>> Of course, creating a temporary file for the caller to (re)open is also
>> racy.  By the time the caller gets around to it, the filename could name
>> anything.  Returning an open file descriptor is a better idea.  It's
>> basically g_file_open_tmp().  Could we rework the two users of
>> get_tmp_filename() to accept a file descriptor?
>
> I looked at the 2 callers, and it looks like we need to do more than
> these 2 callers to teach them to accept a file descriptor. :(

Looks like it requires surgery to bdrv_create() at least.  I'm not
demanding you do that now.

[...]




[PULL v2 11/22] target/riscv: Check the correct exception cause in vector GDB stub

2022-09-27 Thread Alistair Francis
From: Frank Chang 

After RISCVException enum is introduced, riscv_csrrw_debug() returns
RISCV_EXCP_NONE to indicate there's no error. RISC-V vector GDB stub
should check the result against RISCV_EXCP_NONE instead of value 0.
Otherwise, 'E14' packet would be incorrectly reported for vector CSRs
when using "info reg vector" GDB command.

Signed-off-by: Frank Chang 
Reviewed-by: Jim Shu 
Reviewed-by: Tommy Wu 
Reviewed-by: Alistair Francis 
Reviewed-by: LIU Zhiwei 
Message-Id: <20220918083245.13028-1-frank.ch...@sifive.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/gdbstub.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/riscv/gdbstub.c b/target/riscv/gdbstub.c
index 9974b7aac6..6e7bbdbd5e 100644
--- a/target/riscv/gdbstub.c
+++ b/target/riscv/gdbstub.c
@@ -183,7 +183,7 @@ static int riscv_gdb_get_vector(CPURISCVState *env, 
GByteArray *buf, int n)
 target_ulong val = 0;
 int result = riscv_csrrw_debug(env, csrno, , 0, 0);
 
-if (result == 0) {
+if (result == RISCV_EXCP_NONE) {
 return gdb_get_regl(buf, val);
 }
 
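Review bot: `result` is still declared `int` although it is now compared against the enum constant RISCV_EXCP_NONE, here and in riscv_gdb_set_vector in the next hunk. Going by the commit message, riscv_csrrw_debug() returns a RISCVException, so `RISCVException result = riscv_csrrw_debug(...);` would keep the declared type and the comparison in step. Both function bodies start and end outside their hunks.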
@@ -210,7 +210,7 @@ static int riscv_gdb_set_vector(CPURISCVState *env, uint8_t 
*mem_buf, int n)
 target_ulong val = ldtul_p(mem_buf);
 int result = riscv_csrrw_debug(env, csrno, NULL, val, -1);
 
-if (result == 0) {
+if (result == RISCV_EXCP_NONE) {
 return sizeof(target_ulong);
 }
 
-- 
2.37.3




[PULL v2 03/22] docs/system: clean up code escape for riscv virt platform

2022-09-27 Thread Alistair Francis
From: Alex Bennée 

The example code is rendered slightly mangled due to missing code
block. Properly escape the code block and add shell prompt and qemu to
fit in with the other examples on the page.

Signed-off-by: Alex Bennée 
Reviewed-by: Alistair Francis 
Message-Id: <20220905163939.1599368-1-alex.ben...@linaro.org>
Signed-off-by: Alistair Francis 
---
 docs/system/riscv/virt.rst | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/docs/system/riscv/virt.rst b/docs/system/riscv/virt.rst
index f8ecec95f3..4b16e41d7f 100644
--- a/docs/system/riscv/virt.rst
+++ b/docs/system/riscv/virt.rst
@@ -168,14 +168,19 @@ Enabling TPM
 
 A TPM device can be connected to the virt board by following the steps below.
 
-First launch the TPM emulator
+First launch the TPM emulator:
 
-swtpm socket --tpm2 -t -d --tpmstate dir=/tmp/tpm \
+.. code-block:: bash
+
+  $ swtpm socket --tpm2 -t -d --tpmstate dir=/tmp/tpm \
 --ctrl type=unixio,path=swtpm-sock
 
-Then launch QEMU with:
+Then launch QEMU with some additional arguments to link a TPM device to the 
backend:
+
+.. code-block:: bash
 
-...
+  $ qemu-system-riscv64 \
+... other args  \
 -chardev socket,id=chrtpm,path=swtpm-sock \
 -tpmdev emulator,id=tpm0,chardev=chrtpm \
 -device tpm-tis-device,tpmdev=tpm0
-- 
2.37.3




[PULL v2 16/22] target/riscv: debug: Restrict the range of tselect value can be written

2022-09-27 Thread Alistair Francis
From: Frank Chang 

The value that can be written to the tselect CSR should be limited to the
range of supported trigger numbers.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
Message-Id: <20220909134215.1843865-5-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/debug.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index 06feef7d67..d164cd 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -127,10 +127,6 @@ bool tdata_available(CPURISCVState *env, int tdata_index)
 return false;
 }
 
-if (unlikely(env->trigger_cur >= RV_MAX_TRIGGERS)) {
-return false;
-}
-
 return tdata_mapping[trigger_type][tdata_index];
 }
 
@@ -141,8 +137,9 @@ target_ulong tselect_csr_read(CPURISCVState *env)
 
 void tselect_csr_write(CPURISCVState *env, target_ulong val)
 {
-/* all target_ulong bits of tselect are implemented */
-env->trigger_cur = val;
+if (val < RV_MAX_TRIGGERS) {
+env->trigger_cur = val;
+}
 }
 
 static target_ulong tdata1_validate(CPURISCVState *env, target_ulong val,
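Review bot: With the bounds check removed from tdata_available() in the previous hunk, tselect_csr_write() is the only guard visible here that keeps env->trigger_cur below RV_MAX_TRIGGERS. Any other path that sets trigger_cur, for example state restored on incoming migration (not visible on this page), would then reach the places that use it as an index with no range check. Consider validating the field where it is loaded, or keeping the removed `if (unlikely(env->trigger_cur >= RV_MAX_TRIGGERS)) { return false; }` as defence in depth. A one-line comment in tselect_csr_write() saying that out-of-range writes are ignored on purpose would also help, since the old comment describing the register was deleted.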
-- 
2.37.3




Re: [PATCH v2] block: Refactor get_tmp_filename()

2022-09-27 Thread Markus Armbruster
Bin Meng  writes:

> Hi Markus,
>
> On Tue, Sep 27, 2022 at 2:22 PM Markus Armbruster  wrote:
>>
>> Bin Meng  writes:
>>
>> > On Mon, Sep 26, 2022 at 6:13 PM Markus Armbruster  
>> > wrote:
>> >>
>> >> Bin Meng  writes:
>> >>
>> >> > From: Bin Meng 
>> >> >
>> >> > At present there are two callers of get_tmp_filename() and they are
>> >> > inconsistent.
>> >> >
>> >> > One does:
>> >> >
>> >> > /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. 
>> >> > */
>> >> > char *tmp_filename = g_malloc0(PATH_MAX + 1);
>> >> > ...
>> >> > ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
>> >> >
>> >> > while the other does:
>> >> >
>> >> > s->qcow_filename = g_malloc(PATH_MAX);
>> >> > ret = get_tmp_filename(s->qcow_filename, PATH_MAX);
>> >> >
>> >> > As we can see different 'size' arguments are passed. There are also
>> >> > platform specific implementations inside the function, and this use
>> >> > of snprintf is really undesirable.
>> >> >
>> >> > Refactor this routine by changing its signature to:
>> >> >
>> >> > char *get_tmp_filename(void)
>> >> >
>> >> > and use g_file_open_tmp() for a consistent implementation.
>> >> >
>> >> > Signed-off-by: Bin Meng 
>> >> > ---
>> >> >
>> >> > Changes in v2:
>> >> > - Use g_autofree and g_steal_pointer
>> >> >
>> >> >  include/block/block_int-common.h |  2 +-
>> >> >  block.c  | 42 ++--
>> >> >  block/vvfat.c|  8 +++---
>> >> >  3 files changed, 18 insertions(+), 34 deletions(-)
>> >> >
>> >> > diff --git a/include/block/block_int-common.h 
>> >> > b/include/block/block_int-common.h
>> >> > index 8947abab76..ea69a9349c 100644
>> >> > --- a/include/block/block_int-common.h
>> >> > +++ b/include/block/block_int-common.h
>> >> > @@ -1230,7 +1230,7 @@ static inline BlockDriverState 
>> >> > *child_bs(BdrvChild *child)
>> >> >  }
>> >> >
>> >> >  int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp);
>> >> > -int get_tmp_filename(char *filename, int size);
>> >> > +char *get_tmp_filename(void);
>> >> >  void bdrv_parse_filename_strip_prefix(const char *filename, const char 
>> >> > *prefix,
>> >> >QDict *options);
>> >> >
>> >> > diff --git a/block.c b/block.c
>> >> > index bc85f46eed..4e7a795566 100644
>> >> > --- a/block.c
>> >> > +++ b/block.c
>> >> > @@ -860,38 +860,23 @@ int bdrv_probe_geometry(BlockDriverState *bs, 
>> >> > HDGeometry *geo)
>> >> >
>> >> >  /*
>> >> >   * Create a uniquely-named empty temporary file.
>> >> > - * Return 0 upon success, otherwise a negative errno value.
>> >> > + * Return the actual name used upon success, otherwise NULL.
>> >> > + * The called function is responsible for freeing it.
>> >> >   */
>> >> > -int get_tmp_filename(char *filename, int size)
>> >> > +char *get_tmp_filename(void)
>> >> >  {
>> >> > -#ifdef _WIN32
>> >> > -char temp_dir[MAX_PATH];
>> >> > -/* GetTempFileName requires that its output buffer (4th param)
>> >> > -   have length MAX_PATH or greater.  */
>> >> > -assert(size >= MAX_PATH);
>> >> > -return (GetTempPath(MAX_PATH, temp_dir)
>> >> > -&& GetTempFileName(temp_dir, "qem", 0, filename)
>> >> > -? 0 : -GetLastError());
>> >> > -#else
>> >> > +g_autofree char *filename = NULL;
>> >> >  int fd;
>> >> > -const char *tmpdir;
>> >> > -tmpdir = getenv("TMPDIR");
>> >> > -if (!tmpdir) {
>> >> > -tmpdir = "/var/tmp";
>> >> > -}
>> >> > -if (snprintf(filename, size, "%s/vl.XX", tmpdir) >= size) {
>> >> > -return -EOVERFLOW;
>> >> > -}
>> >> > -fd = mkstemp(filename);
>> >> > +
>> >> > +fd = g_file_open_tmp("vl.XX", , NULL);
>> >> >  if (fd < 0) {
>> >> > -return -errno;
>> >> > +return NULL;
>> >> >  }
>> >> >  if (close(fd) != 0) {
>> >> >  unlink(filename);
>> >> > -return -errno;
>> >> > +return NULL;
>> >> >  }
>> >> > -return 0;
>> >> > -#endif
>> >> > +return g_steal_pointer();
>> >> >  }
>> >>
>> >> Oh my, what a lovely mess you're messing with!
>> >>
>> >> The function creates a temporary *file*, not just a filename.  Makes
>> >> sense, as creating a unique filename is inherently racy.  The contract
>> >> is clear enough ("Create a uniquely-named empty temporary file"), but
>> >> the function name is actively misleading.
>> >
>> > Agreed that the name is misleading.
>>
>> Care to fix that?
>
> How about create_tmp_file()?

Works for me!

[...]




[PATCH v2 3/4] target/loongarch: Fix fnm{sub/add}_{s/d} set wrong flags

2022-09-27 Thread Song Gao
Signed-off-by: Song Gao 
---
 target/loongarch/insn_trans/trans_farith.c.inc | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/target/loongarch/insn_trans/trans_farith.c.inc 
b/target/loongarch/insn_trans/trans_farith.c.inc
index 65ad2ffab8..7bb3f41aee 100644
--- a/target/loongarch/insn_trans/trans_farith.c.inc
+++ b/target/loongarch/insn_trans/trans_farith.c.inc
@@ -97,9 +97,9 @@ TRANS(fmadd_s, gen_muladd, gen_helper_fmuladd_s, 0)
 TRANS(fmadd_d, gen_muladd, gen_helper_fmuladd_d, 0)
 TRANS(fmsub_s, gen_muladd, gen_helper_fmuladd_s, float_muladd_negate_c)
 TRANS(fmsub_d, gen_muladd, gen_helper_fmuladd_d, float_muladd_negate_c)
-TRANS(fnmadd_s, gen_muladd, gen_helper_fmuladd_s,
-  float_muladd_negate_product | float_muladd_negate_c)
-TRANS(fnmadd_d, gen_muladd, gen_helper_fmuladd_d,
-  float_muladd_negate_product | float_muladd_negate_c)
-TRANS(fnmsub_s, gen_muladd, gen_helper_fmuladd_s, float_muladd_negate_product)
-TRANS(fnmsub_d, gen_muladd, gen_helper_fmuladd_d, float_muladd_negate_product)
+TRANS(fnmadd_s, gen_muladd, gen_helper_fmuladd_s, float_muladd_negate_result)
+TRANS(fnmadd_d, gen_muladd, gen_helper_fmuladd_d, float_muladd_negate_result)
+TRANS(fnmsub_s, gen_muladd, gen_helper_fmuladd_s,
+  float_muladd_negate_c | float_muladd_negate_result)
+TRANS(fnmsub_d, gen_muladd, gen_helper_fmuladd_d,
+  float_muladd_negate_c | float_muladd_negate_result)
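Review bot: The flag choice for fnmadd/fnmsub is not explained in the code, and the commit message is only a subject line. A short comment above these four TRANS lines would record why the negation is applied to the result rather than to the product and addend, for example `/* fnmadd = -(a * b + c), fnmsub = -(a * b - c): negate the rounded result */`. Negating the operands and negating the result can differ in the sign of a zero result and under directed rounding modes, which is presumably what "wrong flags" in the subject refers to; a test covering those cases would pin the fix.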
-- 
2.31.1




[PULL 1/8] e1000e: set RX desc status with DD flag in a separate operation

2022-09-27 Thread Jason Wang
From: Ding Hui 

As in commit 034d00d48581 ("e1000: set RX descriptor status in
a separate operation"), the same issue also exists in e1000e, where it
can cause lost packets or stop packets being sent to a VM using DPDK.

Do similar fix in e1000e.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/402
Signed-off-by: Ding Hui 
Signed-off-by: Jason Wang 
---
 hw/net/e1000e_core.c | 53 +++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index 82aa61f..fc9cdb4 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -1364,6 +1364,57 @@ struct NetRxPkt *pkt, const E1000E_RSSInfo *rss_info,
 }
 }
 
+static inline void
+e1000e_pci_dma_write_rx_desc(E1000ECore *core, dma_addr_t addr,
+ uint8_t *desc, dma_addr_t len)
+{
+PCIDevice *dev = core->owner;
+
+if (e1000e_rx_use_legacy_descriptor(core)) {
+struct e1000_rx_desc *d = (struct e1000_rx_desc *) desc;
+size_t offset = offsetof(struct e1000_rx_desc, status);
+uint8_t status = d->status;
+
+d->status &= ~E1000_RXD_STAT_DD;
+pci_dma_write(dev, addr, desc, len);
+
+if (status & E1000_RXD_STAT_DD) {
+d->status = status;
+pci_dma_write(dev, addr + offset, , sizeof(status));
+}
+} else {
+if (core->mac[RCTL] & E1000_RCTL_DTYP_PS) {
+union e1000_rx_desc_packet_split *d =
+(union e1000_rx_desc_packet_split *) desc;
+size_t offset = offsetof(union e1000_rx_desc_packet_split,
+wb.middle.status_error);
+uint32_t status = d->wb.middle.status_error;
+
+d->wb.middle.status_error &= ~E1000_RXD_STAT_DD;
+pci_dma_write(dev, addr, desc, len);
+
+if (status & E1000_RXD_STAT_DD) {
+d->wb.middle.status_error = status;
+pci_dma_write(dev, addr + offset, , sizeof(status));
+}
+} else {
+union e1000_rx_desc_extended *d =
+(union e1000_rx_desc_extended *) desc;
+size_t offset = offsetof(union e1000_rx_desc_extended,
+wb.upper.status_error);
+uint32_t status = d->wb.upper.status_error;
+
+d->wb.upper.status_error &= ~E1000_RXD_STAT_DD;
+pci_dma_write(dev, addr, desc, len);
+
+if (status & E1000_RXD_STAT_DD) {
+d->wb.upper.status_error = status;
+pci_dma_write(dev, addr + offset, , sizeof(status));
+}
+}
+}
+}
+
 typedef struct e1000e_ba_state_st {
 uint16_t written[MAX_PS_BUFFERS];
 uint8_t cur_idx;
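Review bot: e1000e_pci_dma_write_rx_desc() reads and rewrites the status word through pointers cast from `uint8_t *desc` (`(struct e1000_rx_desc *) desc` and the two union casts), which is only safe if the caller's buffer is suitably aligned for those types; the buffer's declaration is outside this hunk. Passing the descriptor as a union of the three layouts, or copying the status word in and out with memcpy, would remove that dependency. The 32-bit `status & E1000_RXD_STAT_DD` tests also operate on the in-memory value directly; if the descriptor fields are stored little-endian (the code that fills them is outside this hunk), they would need `le32_to_cpu()` to be correct on big-endian hosts. The three branches repeat the same clear/write/restore sequence and could share one helper that takes the field offset and width.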
@@ -1600,7 +1651,7 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct 
NetRxPkt *pkt,
 
 e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
rss_info, do_ps ? ps_hdr_len : 0, );
-pci_dma_write(d, base, , core->rx_desc_len);
+e1000e_pci_dma_write_rx_desc(core, base, desc, core->rx_desc_len);
 
 e1000e_ring_advance(core, rxi,
 core->rx_desc_len / E1000_MIN_RX_DESC_LEN);
-- 
2.7.4




[PULL 10/24] ui/console: fix three double frees in png_save()

2022-09-27 Thread Gerd Hoffmann
From: Volker Rümelin 

The png_destroy_write_struct() function frees all memory used by
libpng. Don't use the glib auto cleanup mechanism to free the
memory allocated by libpng again. For the pixman image, use only the
auto cleanup mechanism and remove the qemu_pixman_image_unref()
function call to prevent another double free.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1210
Fixes: 9a0a119a38 ("Added parameter to take screenshot with screendump as PNG")
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Volker Rümelin 
Message-Id: <20220919061956.30929-1-vr_q...@t-online.de>
Signed-off-by: Gerd Hoffmann 
---
 ui/console.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ui/console.c b/ui/console.c
index 243f2f6e64ae..49da6a91df6f 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -304,8 +304,8 @@ static bool png_save(int fd, pixman_image_t *image, Error 
**errp)
 {
 int width = pixman_image_get_width(image);
 int height = pixman_image_get_height(image);
-g_autofree png_struct *png_ptr = NULL;
-g_autofree png_info *info_ptr = NULL;
+png_struct *png_ptr;
+png_info *info_ptr;
 g_autoptr(pixman_image_t) linebuf =
 qemu_pixman_linebuf_create(PIXMAN_a8r8g8b8, width);
 uint8_t *buf = (uint8_t *)pixman_image_get_data(linebuf);
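Review bot: `png_ptr` and `info_ptr` are now declared without an initializer, so any path that reaches cleanup before both are assigned would hand an indeterminate pointer to libpng. The assignments and error paths are outside this hunk, so this may already be safe, but `png_struct *png_ptr = NULL;` and `png_info *info_ptr = NULL;` cost nothing and keep the behaviour defined if an early exit is added later. A one-line comment that both objects are owned by libpng and released by png_destroy_write_struct() would also stop g_autofree from being reintroduced.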
@@ -346,7 +346,6 @@ static bool png_save(int fd, pixman_image_t *image, Error 
**errp)
 qemu_pixman_linebuf_fill(linebuf, image, width, 0, y);
 png_write_row(png_ptr, buf);
 }
-qemu_pixman_image_unref(linebuf);
 
 png_write_end(png_ptr, NULL);
 
-- 
2.37.3




[PULL 16/24] usbnet: Add missing usb_wakeup() call in usbnet_receive()

2022-09-27 Thread Gerd Hoffmann
From: Michael Brown 

usbnet_receive() does not currently wake up the USB endpoint, leading
to a dead RX datapath when used with a host controller such as xHCI
that relies on being woken up.

Fix by adding a call to usb_wakeup() at the end of usbnet_receive().

Signed-off-by: Michael Brown 
Message-Id: <20220906183053.3625472-2-mc...@ipxe.org>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/dev-network.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 6c49c16015e0..61bf598870cb 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -647,6 +647,7 @@ struct USBNetState {
 uint8_t in_buf[2048];
 
 USBEndpoint *intr;
+USBEndpoint *bulk_in;
 
 char usbstring_mac[13];
 NICState *nic;
@@ -1317,6 +1318,7 @@ static ssize_t usbnet_receive(NetClientState *nc, const 
uint8_t *buf, size_t siz
 memcpy(in_buf, buf, size);
 s->in_len = total_size;
 s->in_ptr = 0;
+usb_wakeup(s->bulk_in, 0);
 return size;
 }
 
@@ -1359,6 +1361,7 @@ static void usb_net_realize(USBDevice *dev, Error **errp)
 s->filter = 0;
 s->vendorid = 0x1234;
 s->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);
+s->bulk_in = usb_ep_get(dev, USB_TOKEN_IN, 2);
 
 qemu_macaddr_default_if_unset(>conf.macaddr);
 s->nic = qemu_new_nic(_usbnet_info, >conf,
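Review bot: The bulk-IN endpoint is looked up with a bare `2` next to the existing bare `1` for the interrupt endpoint, and both have to match the endpoint addresses in the device descriptors, which are outside this hunk. A named constant or a short comment such as `/* bulk-IN endpoint, woken from usbnet_receive() */` would make that coupling visible. usb_net_realize continues outside the hunk.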
-- 
2.37.3




[PULL 06/24] ui/clipboard: fix serial priority

2022-09-27 Thread Gerd Hoffmann
From: Marc-André Lureau 

The incoming grab event should have a higher serial.
See also "vdagent: introduce VD_AGENT_CAP_CLIPBOARD_GRAB_SERIAL":
https://gitlab.freedesktop.org/spice/spice-protocol/-/commit/045a6978d6dbbf7046affc5c321fa8177c8cce56

This is only a relevant fix for the -display dbus, only user of that
function.

Signed-off-by: Marc-André Lureau 
Message-Id: <20220912102455.111765-3-marcandre.lur...@redhat.com>
Signed-off-by: Gerd Hoffmann 
---
 ui/clipboard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ui/clipboard.c b/ui/clipboard.c
index cd5382fcb0c1..3e2d02d5490c 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -54,9 +54,9 @@ bool qemu_clipboard_check_serial(QemuClipboardInfo *info, 
bool client)
 }
 
 if (client) {
-ok = cbinfo[info->selection]->serial >= info->serial;
+ok = info->serial >= cbinfo[info->selection]->serial;
 } else {
-ok = cbinfo[info->selection]->serial > info->serial;
+ok = info->serial > cbinfo[info->selection]->serial;
 }
 
 trace_clipboard_check_serial(cbinfo[info->selection]->serial, 
info->serial, ok);
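Review bot: The two comparisons now differ only in `>=` versus `>`, and nothing in the function says which side must be newer or why the client case accepts an equal serial. A comment above `if (client)` would help, for example `/* accept the incoming grab only if its serial is not older than the current one; a non-client grab must be strictly newer */`. If serial is a fixed-width counter (its type is not visible here), a plain relational compare will also misorder values after wraparound; that may be acceptable but is worth stating. The function body starts outside this hunk.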
-- 
2.37.3




Should we maybe move Cirrus-CI jobs away from Gitlab again?

2022-09-27 Thread Thomas Huth



 Hi all,

now that Gitlab is giving us pressure on the amount of free CI minutes, I 
wonder whether we should maybe move the Cirrus-CI jobs out of the gitlab-CI 
dashboard again? We could add the jobs to our .cirrus-ci.yml file instead, 
like we did it in former times...


Big advantage would be of course that the time for those jobs would not 
count in the Gitlab-CI minutes anymore. Disadvantage is of course that they 
do not show up in the gitlab-CI dashboard anymore, so there is no more 
e-mail notification about failed jobs, and you have to push to github, too, 
and finally check the results manually on cirrus-ci.com ...


Opinions?

 Thomas




[PULL 15/24] hcd-xhci: drop operation with secondary stream arrays enabled

2022-09-27 Thread Gerd Hoffmann
From: Qiang Liu 

The abort() in xhci_find_stream() can be triggered via enabling the secondary
stream arrays by setting linear stream array (LSA) bit (in endpoint context) to
0. We may show warnings and drop this operation.

Fixes: 024426acc0a2 ("usb-xhci: usb3 streams")
Reported-by: Qiang Liu 
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1192
Signed-off-by: Qiang Liu 
Message-Id: <20220904125926.2141607-1-cyruscy...@gmail.com>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-xhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index acd60b1a4904..8299f35e6695 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1020,7 +1020,9 @@ static XHCIStreamContext *xhci_find_stream(XHCIEPContext 
*epctx,
 }
 sctx = epctx->pstreams + streamid;
 } else {
-FIXME("secondary streams not implemented yet");
+fprintf(stderr, "xhci: FIXME: secondary streams not implemented yet");
+*cc_error = CC_INVALID_STREAM_TYPE_ERROR;
+return NULL;
 }
 
 if (sctx->sct == -1) {
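Review bot: The new `fprintf(stderr, ...)` sits on a guest-controlled path, so a guest that keeps selecting secondary stream arrays can write to the host's stderr without limit, and the message has no trailing newline. QEMU's log masks are the usual way to report this: `qemu_log_mask(LOG_UNIMP, "xhci: secondary streams not implemented yet\n");`. Returning NULL with CC_INVALID_STREAM_TYPE_ERROR relies on every caller of xhci_find_stream() checking for NULL before dereferencing; those callers are outside this hunk and should be confirmed.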
-- 
2.37.3




Re: [PATCH v2 4/4] virtio-gpu: Don't require udmabuf when blob support is enabled

2022-09-27 Thread Gerd Hoffmann
On Mon, Sep 26, 2022 at 09:32:40PM +0300, Dmitry Osipenko wrote:
> On 9/23/22 15:32, Gerd Hoffmann wrote:
> > On Tue, Sep 13, 2022 at 12:50:22PM +0200, Antonio Caggiano wrote:
> >> From: Dmitry Osipenko 
> >>
> >> Host blobs don't need udmabuf, it's only needed by guest blobs. The host
> >> blobs are utilized by the Mesa virgl driver when persistent memory mapping
> >> is needed by a GL buffer, otherwise virgl driver doesn't use blobs.
> >> Persistent mapping support bumps GL version from 4.3 to 4.5 in guest.
> >> Relax the udmabuf requirement.
> > 
> > What about blob=on,virgl=off?
> > 
> > In that case qemu manages the resources and continued to require
> > udmabuf.
> 
> The udmabuf is used only by the blob resource-creation command in Qemu.
> I couldn't find when we could hit that udmabuf code path in Qemu because
> BLOB_MEM_GUEST resource type is used only by crosvm+Venus when crosvm
> uses a dedicated render-server for virglrenderer.

Recent enough linux guest driver will use BLOB_MEM_GUEST resources
with blob=on + virgl=off

>   - /dev/udmabuf isn't accessible by normal user
>   - udmabuf driver isn't shipped by all of the popular Linux distros,
> for example Debian doesn't ship it

That's why blob resources are off by default.

> Because of all of the above, I don't think it makes sense to
> hard-require udmabuf at the start of Qemu. It's much better to fail
> resource creation dynamically.

Disagree.  When virgl/venus is enabled, then yes, qemu would let
virglrenderer manage resources and I'm ok with whatever requirements
virglrenderer has.  When qemu manages resources by itself udmabuf is
a hard requirement for blob support though.

take care,
  Gerd




[PULL 2/3] target/m68k: use M68K_FEATURE_MOVEFROMSR_PRIV feature for move_from_sr privilege check

2022-09-27 Thread Laurent Vivier
From: Mark Cave-Ayland 

Now that M68K_FEATURE_M68000 has been renamed to M68K_FEATURE_M68K it is easier
to see that the privilege exception check is wrong: it is currently only 
generated
for ColdFire CPUs when in fact it should also be generated for Motorola CPUs 
from
the 68010 onwards.

Introduce a new M68K_FEATURE_MOVEFROMSR_PRIV feature which is set for all non-
Motorola CPUs, and for all Motorola CPUs from the 68010 onwards and use it to
determine whether a privilege exception should be generated for the MOVE-from-SR
instruction.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: Richard Henderson 
Message-Id: <20220925134804.139706-3-mark.cave-ayl...@ilande.co.uk>
Signed-off-by: Laurent Vivier 
---
 target/m68k/cpu.h   | 2 ++
 target/m68k/cpu.c   | 5 +
 target/m68k/translate.c | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index f5c6e95cb44a..3a9cfe2f33a7 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -537,6 +537,8 @@ enum m68k_features {
 M68K_FEATURE_UNALIGNED_DATA,
 /* TRAPcc insn. (680[2346]0, and CPU32) */
 M68K_FEATURE_TRAPCC,
+/* MOVE from SR privileged (from 68010) */
+M68K_FEATURE_MOVEFROMSR_PRIV,
 };
 
 static inline bool m68k_feature(CPUM68KState *env, int feature)
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index 8d23c72056fd..25d610db21f7 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -102,6 +102,7 @@ static void m5206_cpu_initfn(Object *obj)
 CPUM68KState *env = >env;
 
 m68k_set_feature(env, M68K_FEATURE_CF_ISA_A);
+m68k_set_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV);
 }
 
 /* Base feature set, including isns. for m68k family */
@@ -129,6 +130,7 @@ static void m68010_cpu_initfn(Object *obj)
 m68k_set_feature(env, M68K_FEATURE_RTD);
 m68k_set_feature(env, M68K_FEATURE_BKPT);
 m68k_set_feature(env, M68K_FEATURE_MOVEC);
+m68k_set_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV);
 }
 
 /*
@@ -241,6 +243,7 @@ static void m5208_cpu_initfn(Object *obj)
 m68k_set_feature(env, M68K_FEATURE_BRAL);
 m68k_set_feature(env, M68K_FEATURE_CF_EMAC);
 m68k_set_feature(env, M68K_FEATURE_USP);
+m68k_set_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV);
 }
 
 static void cfv4e_cpu_initfn(Object *obj)
@@ -254,6 +257,7 @@ static void cfv4e_cpu_initfn(Object *obj)
 m68k_set_feature(env, M68K_FEATURE_CF_FPU);
 m68k_set_feature(env, M68K_FEATURE_CF_EMAC);
 m68k_set_feature(env, M68K_FEATURE_USP);
+m68k_set_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV);
 }
 
 static void any_cpu_initfn(Object *obj)
@@ -275,6 +279,7 @@ static void any_cpu_initfn(Object *obj)
 m68k_set_feature(env, M68K_FEATURE_USP);
 m68k_set_feature(env, M68K_FEATURE_EXT_FULL);
 m68k_set_feature(env, M68K_FEATURE_WORD_INDEX);
+m68k_set_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV);
 }
 
 static void m68k_cpu_realizefn(DeviceState *dev, Error **errp)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index 233b9d8e5783..9df17aa4b2d8 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -4624,7 +4624,7 @@ DISAS_INSN(move_from_sr)
 {
 TCGv sr;
 
-if (IS_USER(s) && !m68k_feature(env, M68K_FEATURE_M68K)) {
+if (IS_USER(s) && m68k_feature(env, M68K_FEATURE_MOVEFROMSR_PRIV)) {
 gen_exception(s, s->base.pc_next, EXCP_PRIVILEGE);
 return;
 }
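Review bot: The privilege check in move_from_sr changes from deny-by-default (the exception was raised unless M68K_FEATURE_M68K was set) to opt-in, so any CPU model whose init function does not set M68K_FEATURE_MOVEFROMSR_PRIV now lets user mode read SR. The cpu.c hunks set the flag in the m5206, m68010, m5208, cfv4e and any init functions; models initialised outside those hunks must inherit it from one of these or set it themselves, which cannot be confirmed from this page. A comment at the enum entry stating that every ColdFire model and every Motorola model from the 68010 onwards must set it would help, as would a test that executes MOVE from SR in user mode on each model.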
-- 
2.37.3




[PULL v2 10/22] hw/riscv: opentitan: Expose the resetvec as a SoC property

2022-09-27 Thread Alistair Francis
From: Alistair Francis 

On the OpenTitan hardware the resetvec is fixed at the start of ROM. In
QEMU we don't run the ROM code and instead just jump to the next stage.
This means we need to be a little more flexible about what the resetvec
is.

This patch allows us to set the resetvec from the command line with
something like this:
-global driver=riscv.lowrisc.ibex.soc,property=resetvec,value=0x2400

This way as the next stage changes we can update the resetvec.

Signed-off-by: Alistair Francis 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20220914101108.82571-4-alistair.fran...@wdc.com>
Signed-off-by: Alistair Francis 
---
 include/hw/riscv/opentitan.h | 2 ++
 hw/riscv/opentitan.c | 8 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/include/hw/riscv/opentitan.h b/include/hw/riscv/opentitan.h
index 26d960f288..6665cd5794 100644
--- a/include/hw/riscv/opentitan.h
+++ b/include/hw/riscv/opentitan.h
@@ -46,6 +46,8 @@ struct LowRISCIbexSoCState {
 IbexTimerState timer;
 IbexSPIHostState spi_host[OPENTITAN_NUM_SPI_HOSTS];
 
+uint32_t resetvec;
+
 MemoryRegion flash_mem;
 MemoryRegion rom;
 MemoryRegion flash_alias;
diff --git a/hw/riscv/opentitan.c b/hw/riscv/opentitan.c
index 45c92c9bbc..be7ff1eea0 100644
--- a/hw/riscv/opentitan.c
+++ b/hw/riscv/opentitan.c
@@ -142,7 +142,7 @@ static void lowrisc_ibex_soc_realize(DeviceState *dev_soc, 
Error **errp)
 _abort);
 object_property_set_int(OBJECT(>cpus), "num-harts", ms->smp.cpus,
 _abort);
-object_property_set_int(OBJECT(>cpus), "resetvec", 0x2400,
+object_property_set_int(OBJECT(>cpus), "resetvec", s->resetvec,
 _abort);
 sysbus_realize(SYS_BUS_DEVICE(>cpus), _fatal);
 
@@ -297,10 +297,16 @@ static void lowrisc_ibex_soc_realize(DeviceState 
*dev_soc, Error **errp)
 memmap[IBEX_DEV_PERI].base, memmap[IBEX_DEV_PERI].size);
 }
 
+static Property lowrisc_ibex_soc_props[] = {
+DEFINE_PROP_UINT32("resetvec", LowRISCIbexSoCState, resetvec, 0x2400),
+DEFINE_PROP_END_OF_LIST()
+};
+
 static void lowrisc_ibex_soc_class_init(ObjectClass *oc, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(oc);
 
+device_class_set_props(dc, lowrisc_ibex_soc_props);
 dc->realize = lowrisc_ibex_soc_realize;
 /* Reason: Uses serial_hds in realize function, thus can't be used twice */
 dc->user_creatable = false;
-- 
2.37.3




[PULL v2 18/22] target/riscv: debug: Create common trigger actions function

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Trigger actions are shared among all triggers. Extract to a common
function.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
[bmeng: handle the DBG_ACTION_NONE case]
Signed-off-by: Bin Meng 
Message-Id: <20220909134215.1843865-7-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/debug.h | 13 ++
 target/riscv/debug.c | 59 ++--
 2 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index 9f69c64591..0e4859cf74 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -44,6 +44,19 @@ typedef enum {
 TRIGGER_TYPE_NUM
 } trigger_type_t;
 
+/* actions */
+typedef enum {
+DBG_ACTION_NONE = -1,   /* sentinel value */
+DBG_ACTION_BP = 0,
+DBG_ACTION_DBG_MODE,
+DBG_ACTION_TRACE0,
+DBG_ACTION_TRACE1,
+DBG_ACTION_TRACE2,
+DBG_ACTION_TRACE3,
+DBG_ACTION_EXT_DBG0 = 8,
+DBG_ACTION_EXT_DBG1
+} trigger_action_t;
+
 /* tdata1 field masks */
 
 #define RV32_TYPE(t)((uint32_t)(t) << 28)
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index 7d546ace42..7a8910f980 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -92,6 +92,37 @@ static inline target_ulong get_trigger_type(CPURISCVState 
*env,
 return extract_trigger_type(env, env->tdata1[trigger_index]);
 }
 
+static trigger_action_t get_trigger_action(CPURISCVState *env,
+   target_ulong trigger_index)
+{
+target_ulong tdata1 = env->tdata1[trigger_index];
+int trigger_type = get_trigger_type(env, trigger_index);
+trigger_action_t action = DBG_ACTION_NONE;
+
+switch (trigger_type) {
+case TRIGGER_TYPE_AD_MATCH:
+action = (tdata1 & TYPE2_ACTION) >> 12;
+break;
+case TRIGGER_TYPE_INST_CNT:
+case TRIGGER_TYPE_INT:
+case TRIGGER_TYPE_EXCP:
+case TRIGGER_TYPE_AD_MATCH6:
+case TRIGGER_TYPE_EXT_SRC:
+qemu_log_mask(LOG_UNIMP, "trigger type: %d is not supported\n",
+  trigger_type);
+break;
+case TRIGGER_TYPE_NO_EXIST:
+case TRIGGER_TYPE_UNAVAIL:
+qemu_log_mask(LOG_GUEST_ERROR, "trigger type: %d does not exit\n",
+  trigger_type);
+break;
+default:
+g_assert_not_reached();
+}
+
+return action;
+}
+
 static inline target_ulong build_tdata1(CPURISCVState *env,
 trigger_type_t type,
 bool dmode, target_ulong data)
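Review bot: The 4-bit action field is stored into `trigger_action_t` without a range check in `action = (tdata1 & TYPE2_ACTION) >> 12;`, yet the enum has no enumerators for 6, 7 or 10–15, and `do_trigger_action()` in the next hunk ends in `g_assert_not_reached()` for exactly those values. If tdata1 validation ever lets a guest keep non-zero action bits, a guest register write could abort QEMU; whether validation forces the bits to zero is not visible in this hunk. I would log and ignore unknown encodings in do_trigger_action instead, e.g. `default: qemu_log_mask(LOG_GUEST_ERROR, "action: %d is reserved\n", action); break;`. The guest-error message also has a typo: `"trigger type: %d does not exit\n"` should read `does not exist`.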
@@ -182,6 +213,30 @@ static inline void warn_always_zero_bit(target_ulong val, 
target_ulong mask,
 }
 }
 
+static void do_trigger_action(CPURISCVState *env, target_ulong trigger_index)
+{
+trigger_action_t action = get_trigger_action(env, trigger_index);
+
+switch (action) {
+case DBG_ACTION_NONE:
+break;
+case DBG_ACTION_BP:
+riscv_raise_exception(env, RISCV_EXCP_BREAKPOINT, 0);
+break;
+case DBG_ACTION_DBG_MODE:
+case DBG_ACTION_TRACE0:
+case DBG_ACTION_TRACE1:
+case DBG_ACTION_TRACE2:
+case DBG_ACTION_TRACE3:
+case DBG_ACTION_EXT_DBG0:
+case DBG_ACTION_EXT_DBG1:
+qemu_log_mask(LOG_UNIMP, "action: %d is not supported\n", action);
+break;
+default:
+g_assert_not_reached();
+}
+}
+
 /* type 2 trigger */
 
 static uint32_t type2_breakpoint_size(CPURISCVState *env, target_ulong ctrl)
@@ -384,11 +439,11 @@ void riscv_cpu_debug_excp_handler(CPUState *cs)
 if (cs->watchpoint_hit) {
 if (cs->watchpoint_hit->flags & BP_CPU) {
 cs->watchpoint_hit = NULL;
-riscv_raise_exception(env, RISCV_EXCP_BREAKPOINT, 0);
+do_trigger_action(env, DBG_ACTION_BP);
 }
 } else {
 if (cpu_breakpoint_test(cs, env->pc, BP_CPU)) {
-riscv_raise_exception(env, RISCV_EXCP_BREAKPOINT, 0);
+do_trigger_action(env, DBG_ACTION_BP);
 }
 }
 }
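Review bot: `do_trigger_action(env, DBG_ACTION_BP)` passes an action enumerator where the function added earlier in this patch takes a trigger index (`target_ulong trigger_index`), so both call sites always look up trigger 0, because DBG_ACTION_BP is 0. If trigger 0 is of an unsupported or non-existent type, get_trigger_action() returns DBG_ACTION_NONE and the breakpoint exception that the removed lines raised unconditionally is silently dropped. The call should pass the index of the trigger that actually matched. That lookup is not in this hunk, and the handler's body starts outside it.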
-- 
2.37.3




[PULL v2 20/22] target/riscv: debug: Add initial support of type 6 trigger

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Type 6 trigger is similar to a type 2 trigger, but provides additional
functionality and should be used instead of type 2 in newer
implementations.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Message-Id: <20220909134215.1843865-9-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/debug.h |  18 +
 target/riscv/debug.c | 174 ++-
 2 files changed, 188 insertions(+), 4 deletions(-)

diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index 0e4859cf74..a1226b4d29 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -85,6 +85,24 @@ typedef enum {
 #define TYPE2_HIT   BIT(20)
 #define TYPE2_SIZEHI(0x3 << 21) /* RV64 only */
 
+/* mcontrol6 field masks */
+
+#define TYPE6_LOAD  BIT(0)
+#define TYPE6_STORE BIT(1)
+#define TYPE6_EXEC  BIT(2)
+#define TYPE6_U BIT(3)
+#define TYPE6_S BIT(4)
+#define TYPE6_M BIT(6)
+#define TYPE6_MATCH (0xf << 7)
+#define TYPE6_CHAIN BIT(11)
+#define TYPE6_ACTION(0xf << 12)
+#define TYPE6_SIZE  (0xf << 16)
+#define TYPE6_TIMINGBIT(20)
+#define TYPE6_SELECTBIT(21)
+#define TYPE6_HIT   BIT(22)
+#define TYPE6_VUBIT(23)
+#define TYPE6_VSBIT(24)
+
 /* access size */
 enum {
 SIZE_ANY = 0,
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index e16d5c070a..26ea764407 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -39,7 +39,7 @@
  * - tdata3
  * - tinfo
  *
- * The following triggers are implemented:
+ * The following triggers are initialized by default:
  *
  * Index | Type |  tdata mapping | Description
  * --+--++
@@ -103,10 +103,12 @@ static trigger_action_t get_trigger_action(CPURISCVState 
*env,
 case TRIGGER_TYPE_AD_MATCH:
 action = (tdata1 & TYPE2_ACTION) >> 12;
 break;
+case TRIGGER_TYPE_AD_MATCH6:
+action = (tdata1 & TYPE6_ACTION) >> 12;
+break;
 case TRIGGER_TYPE_INST_CNT:
 case TRIGGER_TYPE_INT:
 case TRIGGER_TYPE_EXCP:
-case TRIGGER_TYPE_AD_MATCH6:
 case TRIGGER_TYPE_EXT_SRC:
 qemu_log_mask(LOG_UNIMP, "trigger type: %d is not supported\n",
   trigger_type);
@@ -379,6 +381,123 @@ static void type2_reg_write(CPURISCVState *env, 
target_ulong index,
 return;
 }
 
+/* type 6 trigger */
+
+static inline bool type6_breakpoint_enabled(target_ulong ctrl)
+{
+bool mode = !!(ctrl & (TYPE6_VU | TYPE6_VS | TYPE6_U | TYPE6_S | TYPE6_M));
+bool rwx = !!(ctrl & (TYPE6_LOAD | TYPE6_STORE | TYPE6_EXEC));
+
+return mode && rwx;
+}
+
+static target_ulong type6_mcontrol6_validate(CPURISCVState *env,
+ target_ulong ctrl)
+{
+target_ulong val;
+uint32_t size;
+
+/* validate the generic part first */
+val = tdata1_validate(env, ctrl, TRIGGER_TYPE_AD_MATCH6);
+
+/* validate unimplemented (always zero) bits */
+warn_always_zero_bit(ctrl, TYPE6_MATCH, "match");
+warn_always_zero_bit(ctrl, TYPE6_CHAIN, "chain");
+warn_always_zero_bit(ctrl, TYPE6_ACTION, "action");
+warn_always_zero_bit(ctrl, TYPE6_TIMING, "timing");
+warn_always_zero_bit(ctrl, TYPE6_SELECT, "select");
+warn_always_zero_bit(ctrl, TYPE6_HIT, "hit");
+
+/* validate size encoding */
+size = extract32(ctrl, 16, 4);
+if (access_size[size] == -1) {
+qemu_log_mask(LOG_UNIMP, "access size %d is not supported, using 
SIZE_ANY\n",
+  size);
+} else {
+val |= (ctrl & TYPE6_SIZE);
+}
+
+/* keep the mode and attribute bits */
+val |= (ctrl & (TYPE6_VU | TYPE6_VS | TYPE6_U | TYPE6_S | TYPE6_M |
+TYPE6_LOAD | TYPE6_STORE | TYPE6_EXEC));
+
+return val;
+}
+
+static void type6_breakpoint_insert(CPURISCVState *env, target_ulong index)
+{
+target_ulong ctrl = env->tdata1[index];
+target_ulong addr = env->tdata2[index];
+bool enabled = type6_breakpoint_enabled(ctrl);
+CPUState *cs = env_cpu(env);
+int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
+uint32_t size;
+
+if (!enabled) {
+return;
+}
+
+if (ctrl & TYPE6_EXEC) {
+cpu_breakpoint_insert(cs, addr, flags, >cpu_breakpoint[index]);
+}
+
+if (ctrl & TYPE6_LOAD) {
+flags |= BP_MEM_READ;
+}
+
+if (ctrl & TYPE6_STORE) {
+flags |= BP_MEM_WRITE;
+}
+
+if (flags & BP_MEM_ACCESS) {
+size = extract32(ctrl, 16, 4);
+if (size != 0) {
+cpu_watchpoint_insert(cs, addr, size, flags,
+  >cpu_watchpoint[index]);
+} else {
+cpu_watchpoint_insert(cs, addr, 8, flags,
+  >cpu_watchpoint[index]);
+}
+}
+}
+
+static void type6_breakpoint_remove(CPURISCVState *env, target_ulong index)
+{
+type2_breakpoint_remove(env, index);
+}
+
+static void 

[PATCH v2 0/4] Fix some loongarch tcg bugs

2022-09-27 Thread Song Gao
Hi,

This series fixes some bugs found by RISU tests.

v2:
  -remove patch5 div if x/0 set dividend to 0.

Song Gao (4):
  target/loongarch: ftint_xxx insns set the result high 32bit 0x
  target/loongarch: bstrins.w need set dest register EXT_SIGN
  target/loongarch: Fix fnm{sub/add}_{s/d} set wrong flags
  target/loongarch: flogb_{s/d} add set float_flag_divbyzero

 target/loongarch/fpu_helper.c | 32 +--
 target/loongarch/insn_trans/trans_bit.c.inc   |  4 +--
 .../loongarch/insn_trans/trans_farith.c.inc   | 12 +++
 3 files changed, 31 insertions(+), 17 deletions(-)

-- 
2.31.1




[PULL 5/8] vdpa: validate MQ CVQ commands

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

So we are sure we can update the device model properly before sending to
the device.

Signed-off-by: Eugenio Pérez 
Signed-off-by: Jason Wang 
---
 net/vhost-vdpa.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 3950e4f..c6cbe2f 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -486,6 +486,15 @@ static bool vhost_vdpa_net_cvq_validate_cmd(const void 
*out_buf, size_t len)
   __func__, ctrl.cmd);
 };
 break;
+case VIRTIO_NET_CTRL_MQ:
+switch (ctrl.cmd) {
+case VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET:
+return true;
+default:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid mq cmd %u\n",
+  __func__, ctrl.cmd);
+};
+break;
 default:
 qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid control class %u\n",
   __func__, ctrl.class);
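Review bot: The new case accepts `VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET` on the command code alone; nothing in the hunk checks the requested number of queue pairs or that `len` covers the payload, so this validation step does not bound the guest-supplied value. The function starts outside this hunk, so a length check may exist above. It is worth confirming that a later stage rejects out-of-range pair counts before the device model is updated. If it does, a comment on the `return true;` line, such as `/* virtqueue_pairs is range-checked when the device model is updated */`, would make that division of responsibility explicit.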
-- 
2.7.4




Re: [PATCH 1/3] hw/misc: sifive_e_aon: Support the watchdog timer of HiFive 1 rev b.

2022-09-27 Thread Frank Chang
Reviewed-by: Frank Chang 

On Thu, Sep 22, 2022 at 4:41 PM Tommy Wu  wrote:

> The watchdog timer is in the always-on domain device of HiFive 1 rev b,
> so this patch added the AON device to the sifive_e machine. This patch
> only implemented the functionality of the watchdog timer.
>
> Signed-off-by: Tommy Wu 
> ---
>  hw/misc/Kconfig|   3 +
>  hw/misc/meson.build|   1 +
>  hw/misc/sifive_e_aon.c | 330 +
>  include/hw/misc/sifive_e_aon.h |  87 +
>  4 files changed, 421 insertions(+)
>  create mode 100644 hw/misc/sifive_e_aon.c
>  create mode 100644 include/hw/misc/sifive_e_aon.h
>
> diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
> index cbabe9f78c..7d1247822e 100644
> --- a/hw/misc/Kconfig
> +++ b/hw/misc/Kconfig
> @@ -162,6 +162,9 @@ config SIFIVE_TEST
>  config SIFIVE_E_PRCI
>  bool
>
> +config SIFIVE_E_AON
> +bool
> +
>  config SIFIVE_U_OTP
>  bool
>
> diff --git a/hw/misc/meson.build b/hw/misc/meson.build
> index 95268eddc0..1536a0cc2e 100644
> --- a/hw/misc/meson.build
> +++ b/hw/misc/meson.build
> @@ -30,6 +30,7 @@ softmmu_ss.add(when: 'CONFIG_MCHP_PFSOC_DMC', if_true:
> files('mchp_pfsoc_dmc.c')
>  softmmu_ss.add(when: 'CONFIG_MCHP_PFSOC_IOSCB', if_true:
> files('mchp_pfsoc_ioscb.c'))
>  softmmu_ss.add(when: 'CONFIG_MCHP_PFSOC_SYSREG', if_true:
> files('mchp_pfsoc_sysreg.c'))
>  softmmu_ss.add(when: 'CONFIG_SIFIVE_TEST', if_true:
> files('sifive_test.c'))
> +softmmu_ss.add(when: 'CONFIG_SIFIVE_E_AON', if_true:
> files('sifive_e_aon.c'))
>  softmmu_ss.add(when: 'CONFIG_SIFIVE_E_PRCI', if_true:
> files('sifive_e_prci.c'))
>  softmmu_ss.add(when: 'CONFIG_SIFIVE_U_OTP', if_true:
> files('sifive_u_otp.c'))
>  softmmu_ss.add(when: 'CONFIG_SIFIVE_U_PRCI', if_true:
> files('sifive_u_prci.c'))
> diff --git a/hw/misc/sifive_e_aon.c b/hw/misc/sifive_e_aon.c
> new file mode 100644
> index 00..7773dfb168
> --- /dev/null
> +++ b/hw/misc/sifive_e_aon.c
> @@ -0,0 +1,330 @@
> +/*
> + * SiFive HiFive1 AON (Always On Domain) for QEMU.
> + *
> + * Copyright (c) 2022 SiFive, Inc. All rights reserved.
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms and conditions of the GNU General Public License,
> + * version 2 or later, as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope it will be useful, but WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
> for
> + * more details.
> + *
> + * You should have received a copy of the GNU General Public License
> along with
> + * this program.  If not, see .
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qapi/error.h"
> +#include "qemu/timer.h"
> +#include "qemu/log.h"
> +#include "hw/irq.h"
> +#include "sysemu/watchdog.h"
> +#include "qapi/visitor.h"
> +#include "hw/misc/sifive_e_aon.h"
> +
> +static void sifive_e_aon_wdt_update_wdogcount(SiFiveEAONState *r)
> +{
> +if (0 == r->wdogcfg.wdogenalways &&
> +0 == r->wdogcfg.wdogencoreawake) {
> +return;
> +}
> +int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
> +r->wdogcount += muldiv64(now - r->wdog_restart_time,
> + r->wdogclk_freq, NANOSECONDS_PER_SECOND);
> +/* Clean the most significant bit. */
> +r->wdogcount = ((r->wdogcount << 1) >> 1);
> +r->wdog_restart_time = now;
> +}
> +
> +static void sifive_e_aon_wdt_update_state(SiFiveEAONState *r)
> +{
> +sifive_e_aon_wdt_update_wdogcount(r);
> +uint16_t wdogs = (uint16_t)(r->wdogcount >> r->wdogcfg.wdogscale);
> +bool cmp_signal = false;
> +if (wdogs >= r->wdogcmp0) {
> +cmp_signal = true;
> +if (1 == r->wdogcfg.wdogzerocmp) {
> +r->wdogcount = 0;
> +wdogs = 0;
> +}
> +}
> +
> +if (cmp_signal) {
> +if (1 == r->wdogcfg.wdogrsten) {
> +watchdog_perform_action();
> +}
> +r->wdogcfg.wdogip0 = 1;
> +}
> +
> +qemu_set_irq(r->wdog_irq, r->wdogcfg.wdogip0);
> +
> +if (wdogs < r->wdogcmp0 &&
> +(r->wdogcfg.wdogenalways ||
> + r->wdogcfg.wdogencoreawake)) {
> +int64_t next = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
> +next += muldiv64((r->wdogcmp0 - wdogs) << r->wdogcfg.wdogscale,
> + NANOSECONDS_PER_SECOND, r->wdogclk_freq);
> +timer_mod(r->wdog_timer, next);
> +} else {
> +timer_mod(r->wdog_timer, INT64_MAX);
> +}
> +}
> +
> +/*
> + * Callback used when the timer set using timer_mod expires.
> + */
> +static void sifive_e_aon_wdt_expired_cb(void *opaque)
> +{
> +SiFiveEAONState *r = SIFIVE_E_AON(opaque);
> +sifive_e_aon_wdt_update_state(r);
> +}
> +
> +static uint64_t
> +sifive_e_aon_wdt_read(void *opaque, hwaddr addr, unsigned int size)
> +{
> +SiFiveEAONState *r = 

[PULL 4/8] vdpa: Add vhost_vdpa_net_load_mq

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

Same way as with the MAC, restore the expected number of queues at
device's start.

Signed-off-by: Eugenio Pérez 
Signed-off-by: Jason Wang 
---
 net/vhost-vdpa.c | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index e799e74..3950e4f 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -400,6 +400,28 @@ static int vhost_vdpa_net_load_mac(VhostVDPAState *s, 
const VirtIONet *n)
 return 0;
 }
 
+static int vhost_vdpa_net_load_mq(VhostVDPAState *s,
+  const VirtIONet *n)
+{
+struct virtio_net_ctrl_mq mq;
+uint64_t features = n->parent_obj.guest_features;
+ssize_t dev_written;
+
+if (!(features & BIT_ULL(VIRTIO_NET_F_MQ))) {
+return 0;
+}
+
+mq.virtqueue_pairs = cpu_to_le16(n->curr_queue_pairs);
+dev_written = vhost_vdpa_net_load_cmd(s, VIRTIO_NET_CTRL_MQ,
+  VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET, ,
+  sizeof(mq));
+if (unlikely(dev_written < 0)) {
+return dev_written;
+}
+
+return *s->status != VIRTIO_NET_OK;
+}
+
 static int vhost_vdpa_net_load(NetClientState *nc)
 {
 VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
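Review bot: `return *s->status != VIRTIO_NET_OK;` makes vhost_vdpa_net_load_mq() return +1 when the device rejects the command, while its other failure path returns the negative `dev_written`. The caller in the next hunk propagates it with `if (unlikely(r)) return r;`, so vhost_vdpa_net_load() can now return a positive value, although the check just above it tests `r < 0`. Callers that treat only negative results as errors (not visible here) would take a rejected command for success; `return *s->status == VIRTIO_NET_OK ? 0 : -EIO;` keeps one convention. It may also be worth checking that `dev_written` covers the status byte before `*s->status` is read.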
@@ -418,6 +440,10 @@ static int vhost_vdpa_net_load(NetClientState *nc)
 if (unlikely(r < 0)) {
 return r;
 }
+r = vhost_vdpa_net_load_mq(s, n);
+if (unlikely(r)) {
+return r;
+}
 
 return 0;
 }
-- 
2.7.4




[PULL 05/24] ui: add some vdagent related traces

2022-09-27 Thread Gerd Hoffmann
From: Marc-André Lureau 

This helps debugging clipboard serial sync issues.

Signed-off-by: Marc-André Lureau 
Message-Id: <20220912102455.111765-2-marcandre.lur...@redhat.com>

[ kraxel: code style fix ]

Signed-off-by: Gerd Hoffmann 
---
 ui/clipboard.c  | 11 +--
 ui/vdagent.c|  4 
 ui/trace-events |  5 +
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/ui/clipboard.c b/ui/clipboard.c
index 9079ef829b51..cd5382fcb0c1 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -1,5 +1,6 @@
 #include "qemu/osdep.h"
 #include "ui/clipboard.h"
+#include "trace.h"
 
 static NotifierList clipboard_notifiers =
 NOTIFIER_LIST_INITIALIZER(clipboard_notifiers);
@@ -43,17 +44,23 @@ void qemu_clipboard_peer_release(QemuClipboardPeer *peer,
 
 bool qemu_clipboard_check_serial(QemuClipboardInfo *info, bool client)
 {
+bool ok;
+
 if (!info->has_serial ||
 !cbinfo[info->selection] ||
 !cbinfo[info->selection]->has_serial) {
+trace_clipboard_check_serial(-1, -1, true);
 return true;
 }
 
 if (client) {
-return cbinfo[info->selection]->serial >= info->serial;
+ok = cbinfo[info->selection]->serial >= info->serial;
 } else {
-return cbinfo[info->selection]->serial > info->serial;
+ok = cbinfo[info->selection]->serial > info->serial;
 }
+
+trace_clipboard_check_serial(cbinfo[info->selection]->serial, 
info->serial, ok);
+return ok;
 }
 
 void qemu_clipboard_update(QemuClipboardInfo *info)
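Review bot: `trace_clipboard_check_serial()` is declared in ui/trace-events with `int cur, int recv` and `%d`, but the serials look unsigned (the vdagent code in this patch assigns `*(uint32_t *)data` to `info->serial`), so values above INT_MAX will be traced as negative numbers. The existing event `vdagent_cb_serial_discard(uint32_t current, uint32_t received) "current=%u, received=%u"` shows the convention; I would declare the new events with `uint32_t` and `%u` as well, including `vdagent_cb_grab_discard`. The early-return call passes `-1, -1`, which would then need a different marker or an event of its own.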
diff --git a/ui/vdagent.c b/ui/vdagent.c
index a899eed195d3..58ce7507fddc 100644
--- a/ui/vdagent.c
+++ b/ui/vdagent.c
@@ -533,6 +533,8 @@ static void vdagent_clipboard_recv_grab(VDAgentChardev *vd, 
uint8_t s, uint32_t
 info->has_serial = true;
 info->serial = *(uint32_t *)data;
 if (info->serial < vd->last_serial[s]) {
+trace_vdagent_cb_grab_discard(GET_NAME(sel_name, s),
+  vd->last_serial[s], info->serial);
 /* discard lower-ordering guest grab */
 return;
 }
@@ -853,6 +855,8 @@ static void vdagent_chr_accept_input(Chardev *chr)
 
 static void vdagent_disconnect(VDAgentChardev *vd)
 {
+trace_vdagent_disconnect();
+
 buffer_reset(>outbuf);
 vdagent_reset_bufs(vd);
 vd->caps = 0;
diff --git a/ui/trace-events b/ui/trace-events
index a922f00e10b4..977577fbba58 100644
--- a/ui/trace-events
+++ b/ui/trace-events
@@ -127,15 +127,20 @@ xkeymap_vendor(const char *name) "vendor '%s'"
 xkeymap_keycodes(const char *name) "keycodes '%s'"
 xkeymap_keymap(const char *name) "keymap '%s'"
 
+# clipboard.c
+clipboard_check_serial(int cur, int recv, bool ok) "cur:%d recv:%d %d"
+
 # vdagent.c
 vdagent_open(void) ""
 vdagent_close(void) ""
+vdagent_disconnect(void) ""
 vdagent_send(const char *name) "msg %s"
 vdagent_send_empty_clipboard(void) ""
 vdagent_recv_chunk(uint32_t size) "size %d"
 vdagent_recv_msg(const char *name, uint32_t size) "msg %s, size %d"
 vdagent_peer_cap(const char *name) "cap %s"
 vdagent_cb_grab_selection(const char *name) "selection %s"
+vdagent_cb_grab_discard(const char *name, int cur, int recv) "selection %s, 
cur:%d recv:%d"
 vdagent_cb_grab_type(const char *name) "type %s"
 vdagent_cb_serial_discard(uint32_t current, uint32_t received) "current=%u, 
received=%u"
 
-- 
2.37.3




[PULL 11/24] hw/usb/hcd-xhci: Check whether DMA accesses fail

2022-09-27 Thread Gerd Hoffmann
From: Thomas Huth 

If a guest sets up bad descriptors, it could force QEMU to access
non-existing memory regions. Thus we should check the return value
of dma_memory_read/write() to make sure that these errors don't go
unnoticed.

Signed-off-by: Thomas Huth 
Message-Id: <20220817160016.49752-1-th...@redhat.com>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-xhci.c | 64 +++
 1 file changed, 48 insertions(+), 16 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 3c48b58ddeb5..acd60b1a4904 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -463,6 +463,12 @@ static void xhci_mfwrap_timer(void *opaque)
 xhci_mfwrap_update(xhci);
 }
 
+static void xhci_die(XHCIState *xhci)
+{
+xhci->usbsts |= USBSTS_HCE;
+DPRINTF("xhci: asserted controller error\n");
+}
+
 static inline dma_addr_t xhci_addr64(uint32_t low, uint32_t high)
 {
 if (sizeof(dma_addr_t) == 4) {
@@ -488,7 +494,14 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, 
dma_addr_t addr,
 
 assert((len % sizeof(uint32_t)) == 0);
 
-dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
+if (dma_memory_read(xhci->as, addr, buf, len,
+MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+  __func__);
+memset(buf, 0xff, len);
+xhci_die(xhci);
+return;
+}
 
 for (i = 0; i < (len / sizeof(uint32_t)); i++) {
 buf[i] = le32_to_cpu(buf[i]);
@@ -496,7 +509,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, 
dma_addr_t addr,
 }
 
 static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr,
-   uint32_t *buf, size_t len)
+   const uint32_t *buf, size_t len)
 {
 int i;
 uint32_t tmp[5];
@@ -508,7 +521,13 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, 
dma_addr_t addr,
 for (i = 0; i < n; i++) {
 tmp[i] = cpu_to_le32(buf[i]);
 }
-dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED);
+if (dma_memory_write(xhci->as, addr, tmp, len,
+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+  __func__);
+xhci_die(xhci);
+return;
+}
 }
 
 static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport)
@@ -593,12 +612,6 @@ static inline int xhci_running(XHCIState *xhci)
 return !(xhci->usbsts & USBSTS_HCH);
 }
 
-static void xhci_die(XHCIState *xhci)
-{
-xhci->usbsts |= USBSTS_HCE;
-DPRINTF("xhci: asserted controller error\n");
-}
-
 static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v)
 {
 XHCIInterrupter *intr = >intr[v];
@@ -619,7 +632,12 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent 
*event, int v)
ev_trb.status, ev_trb.control);
 
 addr = intr->er_start + TRB_SIZE*intr->er_ep_idx;
-dma_memory_write(xhci->as, addr, _trb, TRB_SIZE, 
MEMTXATTRS_UNSPECIFIED);
+if (dma_memory_write(xhci->as, addr, _trb, TRB_SIZE,
+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+  __func__);
+xhci_die(xhci);
+}
 
 intr->er_ep_idx++;
 if (intr->er_ep_idx >= intr->er_size) {
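Review bot: Unlike the other checks added by this patch, the failure branch in xhci_write_event() calls `xhci_die(xhci);` but does not return, so `intr->er_ep_idx++` still runs and the ring index advances past an event that was never written to guest memory. If that is intentional it deserves a comment; otherwise add `return;` after `xhci_die(xhci);`, as xhci_dma_write_u32s() does. The rest of the function is outside the hunk, so whether an interrupt is still raised afterwards cannot be seen here.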
@@ -680,8 +698,12 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing 
*ring, XHCITRB *trb,
 
 while (1) {
 TRBType type;
-dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
-MEMTXATTRS_UNSPECIFIED);
+if (dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
+MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+  __func__);
+return 0;
+}
 trb->addr = ring->dequeue;
 trb->ccs = ring->ccs;
 le64_to_cpus(>parameter);
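Review bot: On a failed read xhci_ring_fetch() logs and does `return 0;` without calling `xhci_die(xhci)`, which makes it the only new check in this patch that leaves USBSTS_HCE clear. A zero TRBType is presumably what callers already see when there is nothing to fetch, so a bad guest-supplied dequeue pointer would be indistinguishable from an empty ring. Either call `xhci_die(xhci);` before the return for consistency, or add a comment explaining why this path is treated as non-fatal. The loop continues outside the hunk.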
@@ -798,8 +820,14 @@ static void xhci_er_reset(XHCIState *xhci, int v)
 xhci_die(xhci);
 return;
 }
-dma_memory_read(xhci->as, erstba, , sizeof(seg),
-MEMTXATTRS_UNSPECIFIED);
+if (dma_memory_read(xhci->as, erstba, , sizeof(seg),
+MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+  __func__);
+xhci_die(xhci);
+return;
+}
+
 le32_to_cpus(_low);
 le32_to_cpus(_high);
 le32_to_cpus();
@@ -2415,8 +2443,12 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, 
uint64_t pctx)
 /* TODO: actually implement real values here */
 bw_ctx[0] = 0;
 memset(_ctx[1], 80, xhci->numports); /* 80% */
-dma_memory_write(xhci->as, ctx, bw_ctx, 

Re: [RFC PATCH] ast2600: Fix CPU features

2022-09-27 Thread Cédric Le Goater

On 9/27/22 03:49, Joel Stanley wrote:

On Mon, 26 Sept 2022 at 07:05, Cédric Le Goater  wrote:


On 9/26/22 08:26, Cédric Le Goater wrote:

Currently, the CPU features exposed to the AST2600 QEMU machines are :

half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
vfpd32 lpae evtstrm

But, the features of the Cortex A7 CPU on the Aspeed AST2600 A3 SoC
are :

half thumb fastmult vfp edsp vfpv3 vfpv3d16 tls vfpv4 idiva idivt
lpae evtstrm

The vfpv3d16 feature bit is common to both vfpv3 and vfpv4, and for
this SoC, QEMU should advertise a VFPv4 unit with 16 double-precision
registers, and not 32 registers.

Drop neon support and hack the default mvfr0 register value of the
cortex A7 to advertise 16 registers.

How can that be done cleanly ? Should we :

   * introduce a new A7 CPU with its own _initfn routine ?
   * introduce a new CPU property to set the number of "Advanced SIMD
 and floating-point" registers in arm_cpu_realizefn() ?


There is a note in the Cortex A7 MPCore Technical Reference saying:

"When FPU option is selected without NEON, the FPU is VFPv4-D16 and uses 16
double-precision registers. When the FPU is implemented with NEON, the FPU is
VFPv4-D32 and uses 32 double-precision registers. This register bank is shared
with NEON."


The datasheet only has this to say:

"1.2GHz dual-core ARM Cortex A7 (r0p5) 32-bit CPU with FPU"

With no details about the FPU. The hardware is a golden reference though:

  fpsid: 41023075
  mvfr0: 10110221
  mvfr1: 1111

$ bitfield mvfr0 0x10110221
decoding as Media and VFP Feature Register 0
0x10110221 [269550113]
   A_SIMD registers: 0x1 [16 x 64-bit registers]
   Single precision: 0x2 [Supported, VFPv4 or VFPv3]
   Double precision: 0x2 [Supported, VFPv4 or VFPv3]
VFP exception trapping: 0x0 [Not supported]
 Divide: 0x1 [Hardware divide is supported]
Square Root: 0x1 [Hardware square root supported]
  Short vectors: 0x0 [Not supported]
 VFP Rounding Modes: 0x1 [All modes supported]

$ bitfield mvfr1 0x1111
decoding as Media and VFP Feature Register 1
0x1111 [285212689]
FZ: 0x1
D_NaN mode: 0x1
A_SIMD load/store: 0x0
A_SIMD integer: 0x0
   A_SIMD SPFP: 0x0
   A_SIMD HPFP: 0x0
  VFP HPFP: 0x2
   A_SIMD FMAC: 0x1

As you say, no NEON  and 16 64-bit registers.



Could we deduce the number of registers from the availability of the NEON
feature, on A7 only ?


We certainly should make the NEON property match the mvfr1 value.
Linux tests for NEON with this:

(fmrx(MVFR1) & 0x000fff00) == 0x00011100)

https://elixir.bootlin.com/linux/v5.19/source/arch/arm/vfp/vfpmodule.c#L812



OK. I will resend with 2 patches: an obvious first one removing NEON
from the AST2600 SoC, and a second one decreasing the number of registers
to 16 when NEON is off.


Thanks,

C.


Cheers,

Joel



This problem was raised by a buildroot rootfs compiled with vfpv4.
Boot went fine under QEMU but on real HW, user space binaries had
issues with output. Compiling buildroot with vfpv4d16 fixed it and
I didn't dig further. Nevertheless, it would be nice to catch such
issues with QEMU.

Signed-off-by: Cédric Le Goater 
---
   hw/arm/aspeed_ast2600.c | 2 ++
   target/arm/cpu_tcg.c| 2 +-
   2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
index dcdc9bc54456..af987fd418ec 100644
--- a/hw/arm/aspeed_ast2600.c
+++ b/hw/arm/aspeed_ast2600.c
@@ -330,6 +330,8 @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, 
Error **errp)

   object_property_set_int(OBJECT(>cpu[i]), "cntfrq", 112500,
   _abort);
+object_property_set_bool(OBJECT(>cpu[i]), "neon", false,
+_abort);
   object_property_set_link(OBJECT(>cpu[i]), "memory",
OBJECT(s->memory), _abort);

diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index 98b5ba216041..b3f93783a061 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -545,7 +545,7 @@ static void cortex_a7_initfn(Object *obj)
   cpu->kvm_target = QEMU_KVM_ARM_TARGET_CORTEX_A7;
   cpu->midr = 0x410fc075;
   cpu->reset_fpsid = 0x41023075;
-cpu->isar.mvfr0 = 0x10110222;
+cpu->isar.mvfr0 = 0x10110221; /* SIMDREG == 0x1 -> 16 registers */
   cpu->isar.mvfr1 = 0x;
   cpu->ctr = 0x84448003;
   cpu->reset_sctlr = 0x00c50078;







Re: [PATCH v3 00/12] linux-user: Add more syscalls, enhance tracing & logging enhancements

2022-09-27 Thread Helge Deller

On 9/27/22 09:32, Laurent Vivier wrote:

Le 18/09/2022 à 21:45, Helge Deller a écrit :

Here is a bunch of patches for linux-user.

Most of them add missing syscalls and enhance the tracing/logging.
Some of the patches are target-hppa specific.
I've tested those on productive hppa debian buildd servers (running qemu-user).

Thanks!
Helge

Changes to v2:
- Fix build of close_range() and pidfd_*() patches on older Linux
   distributions (noticed by Stefan Hajnoczi)

Changes to v1:
- Dropped the faccessat2() syscall patch in favour of Richard's patch
- Various changes to the "missing signals in strace output" patch based on
   Richard's feedback, e.g. static arrays, fixed usage of _NSIG, fix build when
   TARGET_SIGIOT does not exist
- Use FUTEX_CMD_MASK in "Show timespec on strace for futex" patch
   unconditionally and turn into a switch statement - as suggested by Richard

Helge Deller (12):
   linux-user: Add missing signals in strace output
   linux-user: Add missing clock_gettime64() syscall strace
   linux-user: Add pidfd_open(), pidfd_send_signal() and pidfd_getfd()
 syscalls
   linux-user: Log failing executable in EXCP_DUMP()
   linux-user/hppa: Use EXCP_DUMP() to show enhanced debug info
   linux-user/hppa: Dump IIR on register dump
   linux-user: Fix strace of chmod() if mode == 0
   linux-user/hppa: Set TASK_UNMAPPED_BASE to 0xfa00 for hppa arch
   linux-user: Add strace for clock_nanosleep()
   linux-user: Show timespec on strace for futex()
   linux-user: Add close_range() syscall
   linux-user: Add parameters of getrandom() syscall for strace

  linux-user/cpu_loop-common.h |   2 +
  linux-user/hppa/cpu_loop.c   |   6 +-
  linux-user/mmap.c    |   4 +
  linux-user/signal-common.h   |  46 
  linux-user/signal.c  |  37 +
  linux-user/strace.c  | 142 ++-
  linux-user/strace.list   |  21 +-
  linux-user/syscall.c |  50 
  target/hppa/helper.c |   6 +-
  9 files changed, 255 insertions(+), 59 deletions(-)



Series applied to my linux-user-for-7.2 branch,
except PATCH 11 and 12 that have comments.


Thank you !!
I'll send updated versions for patches 11 and 12 asap.
Btw, where can I find your linux-user-for-7.2 branch?
It would help me to diff the new patches against this branch...

Helge



[PULL 24/24] virtio-gpu: update scanout if there is any area covered by the rect

2022-09-27 Thread Gerd Hoffmann
From: Dongwon Kim 

The scanout is currently updated only if the whole rect is inside the
scanout space. This is not the correct condition, because the scanout should
be updated even if only a small area of the scanout space is covered by the rect.

Cc: Gerd Hoffmann 
Signed-off-by: Dongwon Kim 
Reviewed-by: Marc-André Lureau 
Message-Id: <20220909014052.7297-1-dongwon@intel.com>
Signed-off-by: Gerd Hoffmann 
---
 hw/display/virtio-gpu.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 20cc703dcc6e..5e15c79b94a5 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -515,9 +515,10 @@ static void virtio_gpu_resource_flush(VirtIOGPU *g,
 for (i = 0; i < g->parent_obj.conf.max_outputs; i++) {
 scanout = >parent_obj.scanout[i];
 if (scanout->resource_id == res->resource_id &&
-rf.r.x >= scanout->x && rf.r.y >= scanout->y &&
-rf.r.x + rf.r.width <= scanout->x + scanout->width &&
-rf.r.y + rf.r.height <= scanout->y + scanout->height &&
+rf.r.x < scanout->x + scanout->width &&
+rf.r.x + rf.r.width >= scanout->x &&
+rf.r.y < scanout->y + scanout->height &&
+rf.r.y + rf.r.height >= scanout->y &&
 console_has_gl(scanout->con)) {
 dpy_gl_update(scanout->con, 0, 0, scanout->width,
   scanout->height);
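Review bot: The new overlap test mixes strict and non-strict comparisons: `rf.r.x + rf.r.width >= scanout->x` and `rf.r.y + rf.r.height >= scanout->y` are also true for a rectangle that ends exactly where the scanout begins and so shares no pixel with it. For half-open rectangles the test would be `rf.r.x + rf.r.width > scanout->x` (likewise for y); the extra update is harmless, but the condition no longer matches what the commit message describes. The sums are built from guest-supplied values, so it is worth confirming that the bounds check earlier in the function (outside this hunk) rules out wrap-around.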
-- 
2.37.3




[PULL 18/24] usbnet: Detect short packets as sent by the xHCI controller

2022-09-27 Thread Gerd Hoffmann
From: Michael Brown 

The xHCI controller will ignore the endpoint MTU and so may deliver
packets of any length.  Detect short packets as being any packet that
has a length of zero or a length that is not a multiple of the MTU.

Signed-off-by: Michael Brown 
Message-Id: <20220906183053.3625472-4-mc...@ipxe.org>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/dev-network.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 155df935cd68..9d83974ec9f0 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -1211,7 +1211,7 @@ static void usb_net_handle_dataout(USBNetState *s, 
USBPacket *p)
 s->out_ptr += sz;
 
 if (!is_rndis(s)) {
-if (p->iov.size < 64) {
+if (p->iov.size % 64 || p->iov.size == 0) {
 qemu_send_packet(qemu_get_queue(s->nic), s->out_buf, s->out_ptr);
 s->out_ptr = 0;
 }
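Review bot: The condition `p->iov.size % 64 || p->iov.size == 0` hard-codes 64 although the commit message speaks of the endpoint MTU; a named constant or the endpoint's maximum packet size would keep the two in step. As before, a guest that only ever sends multiples of 64 never triggers the flush and keeps accumulating into `s->out_buf`; the copy bound is above the hunk, so confirm it still caps `s->out_ptr` at the buffer size now that packets can be larger than 64 bytes. A short comment such as `/* a short packet or ZLP terminates the frame */` would document the rule.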
-- 
2.37.3




[PATCH 2/2] linux-user: Add parameters of getrandom() syscall for strace

2022-09-27 Thread Helge Deller
Signed-off-by: Helge Deller 
---
 linux-user/strace.list | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/strace.list b/linux-user/strace.list
index 31a2ccd76d..9bb234a584 100644
--- a/linux-user/strace.list
+++ b/linux-user/strace.list
@@ -358,7 +358,7 @@
 { TARGET_NR_getpriority, "getpriority", "%s(%#x,%#x)", NULL, NULL },
 #endif
 #ifdef TARGET_NR_getrandom
-{ TARGET_NR_getrandom, "getrandom", NULL, NULL, NULL },
+{ TARGET_NR_getrandom, "getrandom", "%s(%p,%u,%u)", NULL, NULL },
 #endif
 #ifdef TARGET_NR_getresgid
 { TARGET_NR_getresgid, "getresgid" , NULL, NULL, NULL },
--
2.37.3




Re: [PATCH] qemu-nbd: set timeout to qemu-nbd socket

2022-09-27 Thread luzhipeng




在 2022/9/26 20:44, Vladimir Sementsov-Ogievskiy 写道:

On 9/26/22 14:34, Denis V. Lunev wrote:

On 9/26/22 12:05, Vladimir Sementsov-Ogievskiy wrote:

[+ Den]

On 9/25/22 16:53, luzhipeng wrote:

From: lu zhipeng 

Set a timeout so that the NBD socket cannot stay
stuck forever.

Signed-off-by: lu zhipeng 
---
  nbd/client.c | 8 
  1 file changed, 8 insertions(+)

diff --git a/nbd/client.c b/nbd/client.c
index 30d5383cb1..89dde53a0f 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -24,6 +24,8 @@
  #include "nbd-internal.h"
  #include "qemu/cutils.h"
  +#define NBD_DEFAULT_TIMEOUT 30
+
  /* Definitions for opaque data types */
    static QTAILQ_HEAD(, NBDExport) exports = 
QTAILQ_HEAD_INITIALIZER(exports);
@@ -1301,6 +1303,12 @@ int nbd_init(int fd, QIOChannelSocket *sioc, 
NBDExportInfo *info,

  }
  }
  +    if (ioctl(fd, NBD_SET_TIMEOUT, NBD_DEFAULT_TIMEOUT) < 0) {
+    int serrno = errno;
+    error_setg(errp, "Failed setting timeout");
+    return -serrno;
+    }
+
  trace_nbd_init_finish();
    return 0;
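Review bot: The failure path after `ioctl(fd, NBD_SET_TIMEOUT, NBD_DEFAULT_TIMEOUT)` saves `errno` in `serrno` but reports with plain `error_setg`, so the user sees "Failed setting timeout" without the reason; `error_setg_errno(errp, serrno, "Failed setting timeout");` would carry it. The constant 30 in the first hunk also has no unit in its name or in a comment; `/* seconds, passed to NBD_SET_TIMEOUT */` next to the `#define` would help (unit presumed from the kernel interface). nbd_init() starts outside the hunk.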



Personally, I don't see a problem in enabling timeout by default.. 
But probably we need a new option instead?




I believe that this should be the same story as we have had with
KEEPALIVE. This should be set as an option and downstream
will change its default when necessary.



It's also interesting, how NBD_SET_TIMEOUT would interfere with 
keep-alive options set on the socket. Isn't existing keep-alive option 
already enough, do we need both timeouts?


(and yes, if we need both ways for different cases, we definitely should 
keep a possibility for the user to enable only one timeout, so now I 
agree, that we need an option for this new feature)


Keep alive is only valid for tcp, but not for unix sockets





[PULL v2 02/22] hw/ssi: ibex_spi: update reg addr

2022-09-27 Thread Alistair Francis
From: Wilfred Mallawa 

Updates the `EVENT_ENABLE` register to offset `0x34` as per
OpenTitan spec [1].

[1] https://docs.opentitan.org/hw/ip/spi_host/doc/#Reg_event_enable

Signed-off-by: Wilfred Mallawa 
Reviewed-by: Alistair Francis 
Message-Id: <20220823061201.132342-5-wilfred.mall...@opensource.wdc.com>
Signed-off-by: Alistair Francis 
---
 hw/ssi/ibex_spi_host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ssi/ibex_spi_host.c b/hw/ssi/ibex_spi_host.c
index 601041d719..94d7da9cc2 100644
--- a/hw/ssi/ibex_spi_host.c
+++ b/hw/ssi/ibex_spi_host.c
@@ -93,7 +93,7 @@ REG32(ERROR_STATUS, 0x30)
 FIELD(ERROR_STATUS, CMDINVAL, 3, 1)
 FIELD(ERROR_STATUS, CSIDINVAL, 4, 1)
 FIELD(ERROR_STATUS, ACCESSINVAL, 5, 1)
-REG32(EVENT_ENABLE, 0x30)
+REG32(EVENT_ENABLE, 0x34)
 FIELD(EVENT_ENABLE, RXFULL, 0, 1)
 FIELD(EVENT_ENABLE, TXEMPTY, 1, 1)
 FIELD(EVENT_ENABLE, RXWM, 2, 1)
-- 
2.37.3




[PULL 0/3] M68k for 7.2 patches

2022-09-27 Thread Laurent Vivier
The following changes since commit 99d6b11b5b44d7dd64f4cb1973184e40a4a174f8:

  Merge tag 'pull-target-arm-20220922' of 
https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-09-26 
13:38:26 -0400)

are available in the Git repository at:

  https://github.com/vivier/qemu-m68k.git tags/m68k-for-7.2-pull-request

for you to fetch changes up to 2cfa963126fe77fac034a43f986b2bf3e8fe6a4f:

  m68k: align bootinfo strings and data to 4 bytes (2022-09-26 23:37:22 +0200)


M68k pull request 20220927

Align bootinfo tags
fix move from sr



Jason A. Donenfeld (1):
  m68k: align bootinfo strings and data to 4 bytes

Mark Cave-Ayland (2):
  target/m68k: increase size of m68k CPU features from uint32_t to
uint64_t
  target/m68k: use M68K_FEATURE_MOVEFROMSR_PRIV feature for move_from_sr
privilege check

 hw/m68k/bootinfo.h  | 10 ++
 target/m68k/cpu.h   |  8 +---
 target/m68k/cpu.c   |  9 +++--
 target/m68k/translate.c |  2 +-
 4 files changed, 19 insertions(+), 10 deletions(-)

-- 
2.37.3




Re: [PATCH v2 1/3] hw/watchdog: wdt_ibex_aon.c: Implement the watchdog for the OpenTitan

2022-09-27 Thread Thomas Huth

 Hi Tyler!

On 27/09/2022 01.03, Tyler Ng wrote:

Hi Thomas,

On Thu, Sep 22, 2022 at 9:17 AM Thomas Huth > wrote:


On 22/09/2022 17.58, Tyler Ng wrote:
 > This commit adds most of an implementation of the OpenTitan Always-On
 > Timer. The documentation for this timer is found here:
 >
 > https://docs.opentitan.org/hw/ip/aon_timer/doc/

 >
 > Using commit 217a0168ba118503c166a9587819e3811eeb0c0c
 >
 > The implementation includes most of the watchdog features; it does not
 > implement the wakeup timer.
 >
 > An important note: the OpenTitan board uses the sifive_plic. The plic
 > will not be able to claim the bark interrupt (159) because the sifive
 > plic sets priority[159], but checks priority[158] for the priority, so
 > it thinks that the interrupt's priority is 0 (effectively disabled).
...
 > diff --git a/tests/qtest/ibex-aon-timer-test.c
 > b/tests/qtest/ibex-aon-timer-test.c
 > new file mode 100644
 > index 00..af33feac39
 > --- /dev/null
 > +++ b/tests/qtest/ibex-aon-timer-test.c
 > @@ -0,0 +1,189 @@
 > +/*
 > + * Testing the OpenTitan AON Timer
 > + *
 > + * Copyright (c) 2022 Rivos Inc.
 > + *
 > + * Permission is hereby granted, free of charge, to any person
obtaining a copy
 > + * of this software and associated documentation files (the
 > "Software"), to deal
 > + * in the Software without restriction, including without limitation
the rights
 > + * to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell
 > + * copies of the Software, and to permit persons to whom the Software is
 > + * furnished to do so, subject to the following conditions:
 > + *
 > + * The above copyright notice and this permission notice shall be
included in
 > + * all copies or substantial portions of the Software.
 > + *
 > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR
 > + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY,
 > + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
SHALL
 > + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
OR OTHER
 > + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
 > ARISING FROM,
 > + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN
 > + * THE SOFTWARE.

Could you maybe add a SPDX license identifier at the beginning of the
comment, so that it's easier to identify the license at a first glance?
(also in the other new files)

Will do, was actually thinking of switching over to GPL-2.0-or-later as 
opposed to MIT.


Yes, that would be the best fit for QEMU, I think.


 > + */
 > +
 > +#include "qemu/osdep.h"
 > +#include "libqtest.h"
 > +#include "qapi/qmp/qdict.h"
 > +
 > +#define AON_BASE_ADDR (0x4047ul)
 > +#define AON_ADDR(addr) (AON_BASE_ADDR + addr)
 > +#define AON_WKUP_IRQ 158
 > +#define AON_BARK_IRQ 159
 > +#define AON_FREQ 20 /* 200 KHz */
 > +#define AON_PERIOD_NS 5000
 > +#define NANOS_PER_SECOND 10LL
 > +/* Test that reads work, and that the regs get reset to the correct
value */
 > +static void test_reads(void)
 > +{
 > +    QTestState *test = qtest_init("-M opentitan");
 > +    g_assert(qtest_readl(test, AON_ADDR(0x00)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x04)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x08)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x0c)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x10)) == 1);
 > +   
g_assert(qtest_readl(test, AON_ADDR(0x14)) == 0);

 > +    g_assert(qtest_readl(test, AON_ADDR(0x18)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x1c)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x20)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x24)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x28)) == 0);
 > +    g_assert(qtest_readl(test, AON_ADDR(0x2c)) == 0);

The read tests that check for 0 could maybe be simplified with a for-loop
(or two).

I'm not entirely sure about what benefit this would bring after writing it out.


Mostly a matter of taste. Keep it in the current shape if you prefer that.


 > +    qtest_quit(test);
 > +}
 > +
 > +static void test_writes(void)
 > +{
 > +    /* Test that writes worked, while the config is unlocked */
 > +    QTestState *test = qtest_init("-M opentitan");
 > +
 > +
 > +    qtest_writel(test, AON_ADDR(0x18), (1 << 19)); /* WDOG_BARK_THOLD */
 > +    g_assert_cmpuint(qtest_readl(test, AON_ADDR(0x18)),
 > +                     ==, (1 << 19));
 > +
 > +    qtest_writel(test, 

[PULL v2 07/22] target/riscv: remove fixed numbering from GDB xml feature files

2022-09-27 Thread Alistair Francis
From: Andrew Burgess 

The fixed register numbering in the various GDB feature files for
RISC-V only exists because these files were originally copied from the
GDB source tree.

However, the fixed numbering only exists in the GDB source tree so
that GDB, when it connects to a target that doesn't provide a target
description, will use a specific numbering scheme.

That numbering scheme is designed to be compatible with the first
versions of QEMU (for RISC-V), that didn't send a target description,
and relied on a fixed numbering scheme.

Because of the way that QEMU manages its target descriptions,
recording the number of registers in each feature, and just relying on
GDB's numbering starting from 0, then I propose that we remove all the
fixed numbering from the RISC-V feature xml files, and just rely on
the standard numbering scheme.  Plenty of other targets manage their
xml files this way, e.g. ARM, AArch64, Loongarch, m68k, rx, and s390.

Signed-off-by: Andrew Burgess 
Acked-by: Alistair Francis 
Reviewed-by: Palmer Dabbelt 
Message-Id: 
<6069395f90e6fc24dac92197be815fedf42f5974.1661934573.git.aburg...@redhat.com>
Signed-off-by: Alistair Francis 
---
 gdb-xml/riscv-32bit-cpu.xml | 6 +-
 gdb-xml/riscv-32bit-fpu.xml | 6 +-
 gdb-xml/riscv-64bit-cpu.xml | 6 +-
 gdb-xml/riscv-64bit-fpu.xml | 6 +-
 4 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/gdb-xml/riscv-32bit-cpu.xml b/gdb-xml/riscv-32bit-cpu.xml
index 0d07aaec85..466f2c0648 100644
--- a/gdb-xml/riscv-32bit-cpu.xml
+++ b/gdb-xml/riscv-32bit-cpu.xml
@@ -5,13 +5,9 @@
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.  -->
 
-
-
 
 
-  
+  
   
   
   
diff --git a/gdb-xml/riscv-32bit-fpu.xml b/gdb-xml/riscv-32bit-fpu.xml
index 84a44ba8df..24aa087031 100644
--- a/gdb-xml/riscv-32bit-fpu.xml
+++ b/gdb-xml/riscv-32bit-fpu.xml
@@ -5,13 +5,9 @@
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.  -->
 
-
-
 
 
-  
+  
   
   
   
diff --git a/gdb-xml/riscv-64bit-cpu.xml b/gdb-xml/riscv-64bit-cpu.xml
index b8aa424ae4..c4d83de09b 100644
--- a/gdb-xml/riscv-64bit-cpu.xml
+++ b/gdb-xml/riscv-64bit-cpu.xml
@@ -5,13 +5,9 @@
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.  -->
 
-
-
 
 
-  
+  
   
   
   
diff --git a/gdb-xml/riscv-64bit-fpu.xml b/gdb-xml/riscv-64bit-fpu.xml
index 9856a9d1d3..d0f17f9984 100644
--- a/gdb-xml/riscv-64bit-fpu.xml
+++ b/gdb-xml/riscv-64bit-fpu.xml
@@ -5,10 +5,6 @@
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.  -->
 
-
-
 
 
 
@@ -17,7 +13,7 @@
 
   
 
-  
+  
   
   
   
-- 
2.37.3




[PULL v2 17/22] target/riscv: debug: Introduce tinfo CSR

2022-09-27 Thread Alistair Francis
From: Frank Chang 

tinfo.info:
  One bit for each possible type enumerated in tdata1.
  If the bit is set, then that type is supported by the currently
  selected trigger.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
Message-Id: <20220909134215.1843865-6-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu_bits.h |  1 +
 target/riscv/debug.h|  2 ++
 target/riscv/csr.c  |  8 
 target/riscv/debug.c| 10 +++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/target/riscv/cpu_bits.h b/target/riscv/cpu_bits.h
index b762807e4e..d8f5f0abed 100644
--- a/target/riscv/cpu_bits.h
+++ b/target/riscv/cpu_bits.h
@@ -319,6 +319,7 @@
 #define CSR_TDATA1  0x7a1
 #define CSR_TDATA2  0x7a2
 #define CSR_TDATA3  0x7a3
+#define CSR_TINFO   0x7a4
 
 /* Debug Mode Registers */
 #define CSR_DCSR0x7b0
diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index 76146f373a..9f69c64591 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -95,6 +95,8 @@ void tselect_csr_write(CPURISCVState *env, target_ulong val);
 target_ulong tdata_csr_read(CPURISCVState *env, int tdata_index);
 void tdata_csr_write(CPURISCVState *env, int tdata_index, target_ulong val);
 
+target_ulong tinfo_csr_read(CPURISCVState *env);
+
 void riscv_cpu_debug_excp_handler(CPUState *cs);
 bool riscv_cpu_debug_check_breakpoint(CPUState *cs);
 bool riscv_cpu_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp);
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 2c84c29bf0..5c9a7ee287 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -3094,6 +3094,13 @@ static RISCVException write_tdata(CPURISCVState *env, 
int csrno,
 return RISCV_EXCP_NONE;
 }
 
+static RISCVException read_tinfo(CPURISCVState *env, int csrno,
+ target_ulong *val)
+{
+*val = tinfo_csr_read(env);
+return RISCV_EXCP_NONE;
+}
+
 /*
  * Functions to access Pointer Masking feature registers
  * We have to check if current priv lvl could modify
@@ -3898,6 +3905,7 @@ riscv_csr_operations csr_ops[CSR_TABLE_SIZE] = {
 [CSR_TDATA1]=  { "tdata1",  debug, read_tdata,   write_tdata   },
 [CSR_TDATA2]=  { "tdata2",  debug, read_tdata,   write_tdata   },
 [CSR_TDATA3]=  { "tdata3",  debug, read_tdata,   write_tdata   },
+[CSR_TINFO] =  { "tinfo",   debug, read_tinfo,   write_ignore  },
 
 /* User Pointer Masking */
 [CSR_UMTE]={ "umte",pointer_masking, read_umte,  write_umte },
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index d164cd..7d546ace42 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -37,9 +37,7 @@
  * - tdata1
  * - tdata2
  * - tdata3
- *
- * We don't support writable 'type' field in the tdata1 register, so there is
- * no need to implement the "tinfo" CSR.
+ * - tinfo
  *
  * The following triggers are implemented:
  *
@@ -372,6 +370,12 @@ void tdata_csr_write(CPURISCVState *env, int tdata_index, 
target_ulong val)
 }
 }
 
+target_ulong tinfo_csr_read(CPURISCVState *env)
+{
+/* assume all triggers support the same types of triggers */
+return BIT(TRIGGER_TYPE_AD_MATCH);
+}
+
 void riscv_cpu_debug_excp_handler(CPUState *cs)
 {
 RISCVCPU *cpu = RISCV_CPU(cs);
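Review bot: `tinfo_csr_read()` returns a constant and never looks at `env`, so the reported mask is not tied to the trigger currently selected or to the type values that a tdata1 write actually accepts (that check is outside this hunk). If another trigger type is added later, this mask has to be updated by hand or the guest sees an inconsistent capability report. I would expand the comment to say so, e.g. `/* bit N set => tdata1 type N supported; keep in sync with the types accepted on tdata1 writes */`, or derive the mask from the same place the type is validated.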
-- 
2.37.3




[PULL v2 08/22] target/riscv: Set the CPU resetvec directly

2022-09-27 Thread Alistair Francis
From: Alistair Francis 

Instead of using our properties to set a config value which then might
be used to set the resetvec (depending on your timing), let's instead
just set the resetvec directly in the env struct.

This allows us to set the reset vec from the command line with:
-global driver=riscv.hart_array,property=resetvec,value=0x2400

Signed-off-by: Alistair Francis 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20220914101108.82571-2-alistair.fran...@wdc.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h |  3 +--
 target/riscv/cpu.c | 13 +++--
 target/riscv/machine.c |  6 +++---
 3 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 06751e1e3e..22344a620b 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -190,7 +190,7 @@ struct CPUArchState {
 /* This contains QEMU specific information about the virt state. */
 target_ulong virt;
 target_ulong geilen;
-target_ulong resetvec;
+uint64_t resetvec;
 
 target_ulong mhartid;
 /*
@@ -474,7 +474,6 @@ struct RISCVCPUConfig {
 bool pmp;
 bool epmp;
 bool debug;
-uint64_t resetvec;
 
 bool short_isa_string;
 };
diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index aee14a239a..b29c88b9f0 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -228,13 +228,6 @@ static void set_vext_version(CPURISCVState *env, int 
vext_ver)
 env->vext_ver = vext_ver;
 }
 
-static void set_resetvec(CPURISCVState *env, target_ulong resetvec)
-{
-#ifndef CONFIG_USER_ONLY
-env->resetvec = resetvec;
-#endif
-}
-
 static void riscv_any_cpu_init(Object *obj)
 {
 CPURISCVState *env = _CPU(obj)->env;
@@ -336,7 +329,6 @@ static void rv32_imafcu_nommu_cpu_init(Object *obj)
 
 set_misa(env, MXL_RV32, RVI | RVM | RVA | RVF | RVC | RVU);
 set_priv_version(env, PRIV_VERSION_1_10_0);
-set_resetvec(env, DEFAULT_RSTVEC);
 cpu->cfg.mmu = false;
 }
 #endif
@@ -676,7 +668,6 @@ static void riscv_cpu_realize(DeviceState *dev, Error 
**errp)
 riscv_set_feature(env, RISCV_FEATURE_DEBUG);
 }
 
-set_resetvec(env, cpu->cfg.resetvec);
 
 #ifndef CONFIG_USER_ONLY
 if (cpu->cfg.ext_sstc) {
@@ -1079,7 +1070,9 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_UINT64("marchid", RISCVCPU, cfg.marchid, RISCV_CPU_MARCHID),
 DEFINE_PROP_UINT64("mimpid", RISCVCPU, cfg.mimpid, RISCV_CPU_MIMPID),
 
-DEFINE_PROP_UINT64("resetvec", RISCVCPU, cfg.resetvec, DEFAULT_RSTVEC),
+#ifndef CONFIG_USER_ONLY
+DEFINE_PROP_UINT64("resetvec", RISCVCPU, env.resetvec, DEFAULT_RSTVEC),
+#endif
 
 DEFINE_PROP_BOOL("short-isa-string", RISCVCPU, cfg.short_isa_string, 
false),
 
diff --git a/target/riscv/machine.c b/target/riscv/machine.c
index 41098f6ad0..c4e6b3bba4 100644
--- a/target/riscv/machine.c
+++ b/target/riscv/machine.c
@@ -308,8 +308,8 @@ static const VMStateDescription vmstate_pmu_ctr_state = {
 
 const VMStateDescription vmstate_riscv_cpu = {
 .name = "cpu",
-.version_id = 4,
-.minimum_version_id = 4,
+.version_id = 5,
+.minimum_version_id = 5,
 .post_load = riscv_cpu_post_load,
 .fields = (VMStateField[]) {
 VMSTATE_UINTTL_ARRAY(env.gpr, RISCVCPU, 32),
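Review bot: Raising `minimum_version_id` together with `version_id` to 5 makes this description refuse any stream saved with version 4, and neither the commit message nor a comment here says the break is intended. The cause is the second machine.c hunk, where `env.resetvec` changes from `VMSTATE_UINTTL` to `VMSTATE_UINT64` and so changes the wire size on 32-bit targets. A one-line comment such as `/* v5: env.resetvec is always 64 bit */` above `.version_id` would record that. The initializer continues outside the hunk.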
@@ -331,7 +331,7 @@ const VMStateDescription vmstate_riscv_cpu = {
 VMSTATE_UINT32(env.features, RISCVCPU),
 VMSTATE_UINTTL(env.priv, RISCVCPU),
 VMSTATE_UINTTL(env.virt, RISCVCPU),
-VMSTATE_UINTTL(env.resetvec, RISCVCPU),
+VMSTATE_UINT64(env.resetvec, RISCVCPU),
 VMSTATE_UINTTL(env.mhartid, RISCVCPU),
 VMSTATE_UINT64(env.mstatus, RISCVCPU),
 VMSTATE_UINT64(env.mip, RISCVCPU),
-- 
2.37.3




[PULL v2 12/22] hw/riscv/sifive_e: Fix inheritance of SiFiveEState

2022-09-27 Thread Alistair Francis
From: Bernhard Beschow 

SiFiveEState inherits from SysBusDevice while its TypeInfo claims it to
inherit from TYPE_MACHINE. This is an inconsistency which can cause
undefined behavior such as memory corruption.

Change SiFiveEState to inherit from MachineState since it is registered
as a machine.

Fixes: 0869490b1c ("riscv: sifive_e: Manually define the machine")

Signed-off-by: Bernhard Beschow 
Reviewed-by: Alistair Francis 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20220922075232.33653-1-shen...@gmail.com>
Signed-off-by: Alistair Francis 
---
 include/hw/riscv/sifive_e.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/hw/riscv/sifive_e.h b/include/hw/riscv/sifive_e.h
index 83604da805..d738745925 100644
--- a/include/hw/riscv/sifive_e.h
+++ b/include/hw/riscv/sifive_e.h
@@ -22,6 +22,7 @@
 #include "hw/riscv/riscv_hart.h"
 #include "hw/riscv/sifive_cpu.h"
 #include "hw/gpio/sifive_gpio.h"
+#include "hw/boards.h"
 
 #define TYPE_RISCV_E_SOC "riscv.sifive.e.soc"
 #define RISCV_E_SOC(obj) \
@@ -41,7 +42,7 @@ typedef struct SiFiveESoCState {
 
 typedef struct SiFiveEState {
 /*< private >*/
-SysBusDevice parent_obj;
+MachineState parent_obj;
 
 /*< public >*/
 SiFiveESoCState soc;
-- 
2.37.3




[PULL 3/8] vdpa: extract vhost_vdpa_net_load_mac from vhost_vdpa_net_load

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

Since there may be many commands we need to issue to load the NIC
state, let's split them in individual functions

Signed-off-by: Eugenio Pérez 
Signed-off-by: Jason Wang 
---
 net/vhost-vdpa.c | 62 
 1 file changed, 40 insertions(+), 22 deletions(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 535315c..e799e74 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -365,12 +365,47 @@ static ssize_t vhost_vdpa_net_cvq_add(VhostVDPAState *s, 
size_t out_len,
 return vhost_svq_poll(svq);
 }
 
+static ssize_t vhost_vdpa_net_load_cmd(VhostVDPAState *s, uint8_t class,
+   uint8_t cmd, const void *data,
+   size_t data_size)
+{
+const struct virtio_net_ctrl_hdr ctrl = {
+.class = class,
+.cmd = cmd,
+};
+
+assert(data_size < vhost_vdpa_net_cvq_cmd_page_len() - sizeof(ctrl));
+
+memcpy(s->cvq_cmd_out_buffer, , sizeof(ctrl));
+memcpy(s->cvq_cmd_out_buffer + sizeof(ctrl), data, data_size);
+
+return vhost_vdpa_net_cvq_add(s, sizeof(ctrl) + data_size,
+  sizeof(virtio_net_ctrl_ack));
+}
+
+static int vhost_vdpa_net_load_mac(VhostVDPAState *s, const VirtIONet *n)
+{
+uint64_t features = n->parent_obj.guest_features;
+if (features & BIT_ULL(VIRTIO_NET_F_CTRL_MAC_ADDR)) {
+ssize_t dev_written = vhost_vdpa_net_load_cmd(s, VIRTIO_NET_CTRL_MAC,
+  VIRTIO_NET_CTRL_MAC_ADDR_SET,
+  n->mac, sizeof(n->mac));
+if (unlikely(dev_written < 0)) {
+return dev_written;
+}
+
+return *s->status != VIRTIO_NET_OK;
+}
+
+return 0;
+}
+
 static int vhost_vdpa_net_load(NetClientState *nc)
 {
 VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
-const struct vhost_vdpa *v = >vhost_vdpa;
+struct vhost_vdpa *v = >vhost_vdpa;
 const VirtIONet *n;
-uint64_t features;
+int r;
 
 assert(nc->info->type == NET_CLIENT_DRIVER_VHOST_VDPA);
 
@@ -379,26 +414,9 @@ static int vhost_vdpa_net_load(NetClientState *nc)
 }
 
 n = VIRTIO_NET(v->dev->vdev);
-features = n->parent_obj.guest_features;
-if (features & BIT_ULL(VIRTIO_NET_F_CTRL_MAC_ADDR)) {
-const struct virtio_net_ctrl_hdr ctrl = {
-.class = VIRTIO_NET_CTRL_MAC,
-.cmd = VIRTIO_NET_CTRL_MAC_ADDR_SET,
-};
-char *cursor = s->cvq_cmd_out_buffer;
-ssize_t dev_written;
-
-memcpy(cursor, , sizeof(ctrl));
-cursor += sizeof(ctrl);
-memcpy(cursor, n->mac, sizeof(n->mac));
-
-dev_written = vhost_vdpa_net_cvq_add(s, sizeof(ctrl) + sizeof(n->mac),
- sizeof(virtio_net_ctrl_ack));
-if (unlikely(dev_written < 0)) {
-return dev_written;
-}
-
-return *s->status != VIRTIO_NET_OK;
+r = vhost_vdpa_net_load_mac(s, n);
+if (unlikely(r < 0)) {
+return r;
 }
 
 return 0;
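Review bot: A device that rejects the MAC command is now treated as success: `vhost_vdpa_net_load_mac()` returns `*s->status != VIRTIO_NET_OK`, i.e. 1 on a NACK, but the caller in this hunk only bails out on `r < 0` and then falls through to `return 0`, whereas the removed code returned that 1 to its own caller. Either test `if (unlikely(r)) { return r; }` here or have the helper map a bad status to a negative errno. In the helper, `*s->status` is read after checking only `dev_written < 0`; comparing `dev_written` with `sizeof(virtio_net_ctrl_ack)` first would confirm the device actually wrote the ack (assuming, as it appears, that the value is the length written by the device). In the first hunk the only size guard before the two `memcpy()` calls in `vhost_vdpa_net_load_cmd()` is an `assert`, which is fine for the fixed-size MAC but should become a returned error before a caller passes a length that depends on guest state.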
-- 
2.7.4




[PULL 8/8] virtio: del net client if net_init_tap_one failed

2022-09-27 Thread Jason Wang
From: lu zhipeng 

If the net tap initializes successfully but network card
hot-plugging then fails, the net tap remains,
so clean it up.

Signed-off-by: lu zhipeng 
Signed-off-by: Jason Wang 
---
 net/tap.c | 18 --
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/tap.c b/net/tap.c
index b3ddfd4..e203d07 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -686,7 +686,7 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 tap_set_sndbuf(s->fd, tap, );
 if (err) {
 error_propagate(errp, err);
-return;
+goto failed;
 }
 
 if (tap->has_fd || tap->has_fds) {
@@ -726,12 +726,12 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 } else {
 warn_report_err(err);
 }
-return;
+goto failed;
 }
 if (!g_unix_set_fd_nonblocking(vhostfd, true, NULL)) {
 error_setg_errno(errp, errno, "%s: Can't use file descriptor 
%d",
  name, fd);
-return;
+goto failed;
 }
 } else {
 vhostfd = open("/dev/vhost-net", O_RDWR);
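Review bot: The branches that only warn now delete the client without reporting an error. In the `else` arm here, `warn_report_err(err)` leaves `errp` untouched and the old `return` kept the tap client, but `goto failed` now calls `qemu_del_net_client()` while the caller still sees success. The same applies to the `warn_report("tap: open vhost char device failed: ...")` branch in the next hunk and the `warn_report(VHOST_NET_INIT_FAILED)` branch in the last one. If falling back to a tap without vhost is still intended on those paths, they should keep `return;`; if not, they need to set `errp` so the caller does not go on using a deleted client. net_init_tap_one() starts outside the hunk.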
@@ -743,11 +743,11 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 warn_report("tap: open vhost char device failed: %s",
 strerror(errno));
 }
-return;
+goto failed;
 }
 if (!g_unix_set_fd_nonblocking(vhostfd, true, NULL)) {
 error_setg_errno(errp, errno, "Failed to set FD nonblocking");
-return;
+goto failed;
 }
 }
 options.opaque = (void *)(uintptr_t)vhostfd;
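Review bot: `vhostfd` is still leaked on the new error path: after `open("/dev/vhost-net", O_RDWR)` succeeds (last line of the previous hunk), a failing `g_unix_set_fd_nonblocking(vhostfd, true, NULL)` jumps to `failed`, which deletes the net client but never closes the descriptor. Adding `close(vhostfd);` before that `goto failed;` would fix it. The earlier `g_unix_set_fd_nonblocking()` failure in the previous hunk looks the same, although where that descriptor comes from is not visible here.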
@@ -760,11 +760,17 @@ static void net_init_tap_one(const NetdevTapOptions *tap, 
NetClientState *peer,
 } else {
 warn_report(VHOST_NET_INIT_FAILED);
 }
-return;
+goto failed;
 }
 } else if (vhostfdname) {
 error_setg(errp, "vhostfd(s)= is not valid without vhost");
+goto failed;
 }
+
+return;
+
+failed:
+qemu_del_net_client(>nc);
 }
 
 static int get_fds(char *str, char *fds[], int max)
-- 
2.7.4




Re: [PATCH v6 3/5] module: add Error arguments to module_load and module_load_qom

2022-09-27 Thread Markus Armbruster
Claudio Fontana  writes:

> On 9/26/22 12:38, Kevin Wolf wrote:
>> Am 24.09.2022 um 01:21 hat Claudio Fontana geschrieben:
>>> improve error handling during module load, by changing:
>>>
>>> bool module_load(const char *prefix, const char *lib_name);
>>> void module_load_qom(const char *type);
>>>
>>> to:
>>>
>>> int module_load(const char *prefix, const char *name, Error **errp);
>>> int module_load_qom(const char *type, Error **errp);
>>>
>>> where the return value is:
>>>
>>>  -1 on module load error, and errp is set with the error
>>>   0 on module or one of its dependencies are not installed
>>>   1 on module load success
>>>   2 on module load success (module already loaded or built-in)
>>>
>>> module_load_qom_one has been introduced in:
>>>
>>> commit 28457744c345 ("module: qom module support"), which built on top of
>>> module_load_one, but discarded the bool return value. Restore it.
>>>
>>> Adapt all callers to emit errors, or ignore them, or fail hard,
>>> as appropriate in each context.
>>>
>>> Some memory leaks also fixed as part of the module_load changes.
>>>
>>> audio: when attempting to load an audio module, report module load errors.
>>> block: when attempting to load a block module, report module load errors.
>>> console: when attempting to load a display module, report module load 
>>> errors.
>>>
>>> qdev: when creating a new qdev Device object (DeviceState), report load 
>>> errors.
>>>   If a module cannot be loaded to create that device, now abort 
>>> execution.
>>>
>>> qom/object.c: when initializing a QOM object, or looking up class_by_name,
>>>   report module load errors.
>>>
>>> qtest: when processing the "module_load" qtest command, report errors
>>>in the load of the module.
>>>
>>> Signed-off-by: Claudio Fontana 
>> 
>>> diff --git a/block/dmg.c b/block/dmg.c
>>> index 007b8d9996..a422cf8d5b 100644
>>> --- a/block/dmg.c
>>> +++ b/block/dmg.c
>>> @@ -434,6 +434,7 @@ static int dmg_open(BlockDriverState *bs, QDict 
>>> *options, int flags,
>>>  uint64_t plist_xml_offset, plist_xml_length;
>>>  int64_t offset;
>>>  int ret;
>>> +Error *local_err = NULL;
>>>  
>>>  ret = bdrv_apply_auto_read_only(bs, NULL, errp);
>>>  if (ret < 0) {
>>> @@ -446,8 +447,15 @@ static int dmg_open(BlockDriverState *bs, QDict 
>>> *options, int flags,
>>>  return -EINVAL;
>>>  }
>>>  
>>> -block_module_load("dmg-bz2");
>>> -block_module_load("dmg-lzfse");
>>> +if (block_module_load("dmg-bz2", _err) < 0) {
>>> +error_report_err(local_err);
>>> +return -EINVAL;
>>> +}
>>> +local_err = NULL;
>>> +if (block_module_load("dmg-lzfse", _err) < 0) {
>>> +error_report_err(local_err);
>>> +return -EINVAL;
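Review bot: Both new failure branches print the error with `error_report_err(local_err)` and return `-EINVAL` without setting `errp`, although dmg_open() receives an `Error **errp` and the neighbouring calls (`bdrv_apply_auto_read_only`, `bdrv_open_child`) report through it. Passing `errp` straight to `block_module_load()`, or calling `error_propagate(errp, local_err);`, keeps the message with the caller and makes `local_err` and the `local_err = NULL;` reset unnecessary. dmg_open() continues outside the quoted hunk.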
>
> I am concerned about the resources allocation here though,
> is returning EINVAL here right, vs using "goto fail"?
>
> I matched the behavior of the preceding call:
>
> bs->file = bdrv_open_child(NULL, options, "file", bs, _of_bds,
>BDRV_CHILD_IMAGE, false, errp);
> if (!bs->file) {
> return -EINVAL;
> }
>
> But afterwards the code goes:
> .
> /* locate the UDIF trailer */
> offset = dmg_find_koly_offset(bs->file, errp);
> if (offset < 0) {
> ret = offset;
> goto fail;
> }
>
> Should the resources be freed or not in your view?

Functions should generally fail cleanly, and that means undoing side
effects such as allocations.

Typically, we undo in reverse order, and goto the right spot in that
sequence.

When the undo can be made to work whether the "do" happened or not, we
can use fewer labels for simplicity.  For instance, g_free(mumble) works
as long as mumble is initialized to NULL.

In this function:

   fail:
   g_free(s->types);
   g_free(s->offsets);
   g_free(s->lengths);
   g_free(s->sectors);
   g_free(s->sectorcounts);
   qemu_vfree(s->compressed_chunk);
   qemu_vfree(s->uncompressed_chunk);
   return ret;

I figure this undoes side effects hidden in the read functions called.

Potential issue before this patch: I can't see bdrv_open_child() being
undone.  Shouldn't we close bs->file?  And what about
bdrv_open_child()'s side effect on @options?

[...]




[PULL 03/24] Revert "main-loop: Disable block backend global state assertion on Cocoa"

2022-09-27 Thread Gerd Hoffmann
From: Akihiko Odaki 

This reverts commit 47281859f66bdab1974fb122cab2cbb4a1c9af7f.

Signed-off-by: Akihiko Odaki 
Reviewed-by: Emanuele Giuseppe Esposito 
Reviewed-by: Peter Maydell 
Reviewed-by: Paolo Bonzini 
Message-Id: <20220819132756.74641-3-akihiko.od...@gmail.com>
Signed-off-by: Gerd Hoffmann 
---
 include/qemu/main-loop.h | 13 -
 1 file changed, 13 deletions(-)

diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h
index c50d1b7e3ab6..aac707d073a1 100644
--- a/include/qemu/main-loop.h
+++ b/include/qemu/main-loop.h
@@ -284,23 +284,10 @@ bool qemu_in_main_thread(void);
  * Please refer to include/block/block-global-state.h for more
  * information about GS API.
  */
-#ifdef CONFIG_COCOA
-/*
- * When using the Cocoa UI, addRemovableDevicesMenuItems() is called from
- * a thread different from the QEMU main thread and can not take the BQL,
- * triggering this assertions in the block layer (commit 0439c5a462).
- * As the Cocoa fix is not trivial, disable this assertion for the v7.0.0
- * release (when using Cocoa); we will restore it immediately after the
- * release.
- * This issue is tracked as https://gitlab.com/qemu-project/qemu/-/issues/926
- */
-#define GLOBAL_STATE_CODE()
-#else
 #define GLOBAL_STATE_CODE() \
 do {\
 assert(qemu_in_main_thread());  \
 } while (0)
-#endif /* CONFIG_COCOA */
 
 /*
  * Mark and check that the function is part of the I/O API.
-- 
2.37.3




[PULL 22/24] audio: remove abort() in audio_bug()

2022-09-27 Thread Gerd Hoffmann
From: Volker Rümelin 

Commit ab32b78cd1 "audio: Simplify audio_bug() removing old code"
introduced abort() in audio_bug() for regular builds.

audio_bug() was never meant to abort QEMU for the following
reasons.

  - There's code in audio_bug() that expects audio_bug() gets
called more than once with error condition true. The variable
'shown' is only 0 on first error.

  - All call sites test the return code of audio_bug(), print
    an error context message and handle the error.

  - The abort() in audio_bug() enables a class of guest-triggered
aborts similar to the Launchpad Bug #1910603 at
https://bugs.launchpad.net/bugs/1910603.

Fixes: ab32b78cd1 "audio: Simplify audio_bug() removing old code"
Buglink: https://bugs.launchpad.net/bugs/1910603
Signed-off-by: Volker Rümelin 
Message-Id: <20220917131626.7521-2-vr_q...@t-online.de>
Signed-off-by: Gerd Hoffmann 
---
 audio/audio.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/audio/audio.c b/audio/audio.c
index d96a13055940..df6818ed5598 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -118,7 +118,6 @@ int audio_bug (const char *funcname, int cond)
 AUD_log (NULL, "I am sorry\n");
 }
 AUD_log (NULL, "Context:\n");
-abort();
 }
 
 return cond;
-- 
2.37.3




[PULL 21/24] Revert "audio: Log context for audio bug"

2022-09-27 Thread Gerd Hoffmann
From: Volker Rümelin 

This reverts commit 8e30d39bade3010387177ca23dbc2244352ed4a3.

Revert commit 8e30d39bad "audio: Log context for audio bug"
to make error propagation work again.

Signed-off-by: Volker Rümelin 
Message-Id: <20220917131626.7521-1-vr_q...@t-online.de>
Signed-off-by: Gerd Hoffmann 
---
 audio/audio_template.h | 27 +++
 audio/audio.c  | 25 +
 2 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/audio/audio_template.h b/audio/audio_template.h
index 81860cea6202..98ab557684d8 100644
--- a/audio/audio_template.h
+++ b/audio/audio_template.h
@@ -59,13 +59,12 @@ static void glue(audio_init_nb_voices_, TYPE)(AudioState *s,
 if (audio_bug(__func__, !voice_size && max_voices)) {
 dolog ("drv=`%s' voice_size=0 max_voices=%d\n",
drv->name, max_voices);
-abort();
+glue (s->nb_hw_voices_, TYPE) = 0;
 }
 
 if (audio_bug(__func__, voice_size && !max_voices)) {
 dolog ("drv=`%s' voice_size=%d max_voices=0\n",
drv->name, voice_size);
-abort();
 }
 }
 
@@ -82,7 +81,6 @@ static void glue(audio_pcm_hw_alloc_resources_, TYPE)(HW *hw)
 size_t samples = hw->samples;
 if (audio_bug(__func__, samples == 0)) {
 dolog("Attempted to allocate empty buffer\n");
-abort();
 }
 
 HWBUF = g_malloc0(sizeof(STSampleBuffer) + sizeof(st_sample) * 
samples);
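Review bot: With `abort()` removed and nothing put in its place, the `samples == 0` branch only logs and then falls through to the `g_malloc0()` below, so the voice ends up with a buffer header and no sample slots. Most of the other reverted sites get a `return` or `goto` instead. Here a comment such as `/* not fatal: an empty buffer is allocated */` would at least make the fall-through explicit, since any later code that indexes into the buffer or divides by `hw->samples` (outside this hunk) relies on it being non-zero. The function continues outside the hunk.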
@@ -254,12 +252,12 @@ static HW *glue(audio_pcm_hw_add_new_, TYPE)(AudioState 
*s,
 
 if (audio_bug(__func__, !drv)) {
 dolog ("No host audio driver\n");
-abort();
+return NULL;
 }
 
 if (audio_bug(__func__, !drv->pcm_ops)) {
 dolog ("Host audio driver without pcm_ops\n");
-abort();
+return NULL;
 }
 
 hw = audio_calloc(__func__, 1, glue(drv->voice_size_, TYPE));
@@ -277,13 +275,12 @@ static HW *glue(audio_pcm_hw_add_new_, TYPE)(AudioState 
*s,
 QLIST_INIT (>cap_head);
 #endif
 if (glue (hw->pcm_ops->init_, TYPE) (hw, as, s->drv_opaque)) {
-g_free(hw);
-return NULL;
+goto err0;
 }
 
 if (audio_bug(__func__, hw->samples <= 0)) {
 dolog("hw->samples=%zd\n", hw->samples);
-abort();
+goto err1;
 }
 
 if (hw->info.is_float) {
@@ -312,6 +309,12 @@ static HW *glue(audio_pcm_hw_add_new_, TYPE)(AudioState *s,
 audio_attach_capture (hw);
 #endif
 return hw;
+
+ err1:
+glue (hw->pcm_ops->fini_, TYPE) (hw);
+ err0:
+g_free (hw);
+return NULL;
 }
 
 AudiodevPerDirectionOptions *glue(audio_get_pdo_, TYPE)(Audiodev *dev)
@@ -434,7 +437,7 @@ void glue (AUD_close_, TYPE) (QEMUSoundCard *card, SW *sw)
 if (sw) {
 if (audio_bug(__func__, !card)) {
 dolog ("card=%p\n", card);
-abort();
+return;
 }
 
 glue (audio_close_, TYPE) (sw);
@@ -456,7 +459,7 @@ SW *glue (AUD_open_, TYPE) (
 if (audio_bug(__func__, !card || !name || !callback_fn || !as)) {
 dolog ("card=%p name=%p callback_fn=%p as=%p\n",
card, name, callback_fn, as);
-abort();
+goto fail;
 }
 
 s = card->state;
@@ -467,12 +470,12 @@ SW *glue (AUD_open_, TYPE) (
 
 if (audio_bug(__func__, audio_validate_settings(as))) {
 audio_print_settings (as);
-abort();
+goto fail;
 }
 
 if (audio_bug(__func__, !s->drv)) {
 dolog ("Can not open `%s' (no host audio driver)\n", name);
-abort();
+goto fail;
 }
 
 if (sw && audio_pcm_info_eq (>info, as)) {
diff --git a/audio/audio.c b/audio/audio.c
index 5600593da043..d96a13055940 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -118,6 +118,7 @@ int audio_bug (const char *funcname, int cond)
 AUD_log (NULL, "I am sorry\n");
 }
 AUD_log (NULL, "Context:\n");
+abort();
 }
 
 return cond;
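Review bot: Putting `abort();` back inside audio_bug() means none of the recovery paths this revert restores (`return NULL`, `goto fail`, `return 0`) can run at this commit, and the `dolog` context lines that follow each audio_bug() call are never printed. The description says the revert makes error propagation work again, but that only holds once the next patch in the pull drops this line. A sentence such as `audio_bug() still aborts until the following patch` in the description would help anyone bisecting. audio_bug's body begins above the hunk.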
@@ -138,7 +139,7 @@ static inline int audio_bits_to_index (int bits)
 default:
 audio_bug ("bits_to_index", 1);
 AUD_log (NULL, "invalid bits %d\n", bits);
-abort();
+return 0;
 }
 }
 
@@ -156,7 +157,7 @@ void *audio_calloc (const char *funcname, int nmemb, size_t 
size)
 AUD_log (NULL, "%s passed invalid arguments to audio_calloc\n",
  funcname);
 AUD_log (NULL, "nmemb=%d size=%zu (len=%zu)\n", nmemb, size, len);
-abort();
+return NULL;
 }
 
 return g_malloc0 (len);
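Review bot: With `return NULL;` on the invalid-argument path, audio_calloc() gains a failure return that its normal path does not have, since `g_malloc0 (len)` aborts on allocation failure rather than returning NULL. That contract is worth a comment above the function, e.g. `/* Returns NULL when nmemb/size are rejected; callers must check the result. */`. The call in audio_pcm_hw_add_new (`hw = audio_calloc(__func__, 1, ...)`) is followed by code outside its hunk, so whether it checks for NULL cannot be confirmed from this page. The validation that computes `len` is also above the hunk.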
@@ -543,7 +544,7 @@ static size_t audio_pcm_hw_get_live_in(HWVoiceIn *hw)
 size_t live = hw->total_samples_captured - audio_pcm_hw_find_min_in (hw);
 if (audio_bug(__func__, live > hw->conv_buf->size)) {
 dolog("live=%zu hw->conv_buf->size=%zu\n", live, hw->conv_buf->size);
-abort();
+return 0;
 }
 return live;
 }
@@ -581,7 +582,7 @@ static size_t audio_pcm_sw_read(SWVoiceIn *sw, void *buf, 
size_t size)
 }
 if 

Re: [PATCH v2 07/11] acpi/tests/bits: add python test that exercizes QEMU bios tables using biosbits

2022-09-27 Thread Ani Sinha
On Sun, Sep 18, 2022 at 1:58 AM Michael S. Tsirkin  wrote:
>
> On Fri, Sep 16, 2022 at 09:30:42PM +0530, Ani Sinha wrote:
> > On Thu, Jul 28, 2022 at 12:08 AM Ani Sinha  wrote:
> > >
> > >
> > >
> > > On Mon, 25 Jul 2022, Ani Sinha wrote:
> > >
> > > >
> > > >
> > > > On Sat, 16 Jul 2022, Michael S. Tsirkin wrote:
> > > >
> > > > > On Sat, Jul 16, 2022 at 12:06:00PM +0530, Ani Sinha wrote:
> > > > > >
> > > > > >
> > > > > > On Fri, Jul 15, 2022 at 11:20 Michael S. Tsirkin  
> > > > > > wrote:
> > > > > >
> > > > > > On Fri, Jul 15, 2022 at 09:47:27AM +0530, Ani Sinha wrote:
> > > > > > > > Instead of all this mess, can't we just spawn e.g. "git 
> > > > > > clone --depth
> > > > > > 1"?
> > > > > > > > And if the directory exists I would fetch and checkout.
> > > > > > >
> > > > > > > There are two reasons I can think of why I do not like this 
> > > > > > idea:
> > > > > > >
> > > > > > > (a) a git clone of a whole directory would download all 
> > > > > > versions of the
> > > > > > > binary whereas we want only a specific version.
> > > > > >
> > > > > > You mention shallow clone yourself, and I used --depth 1 above.
> > > > > >
> > > > > > > Downloading a single file
> > > > > > > by shallow cloning or creating a git archive is overkill IMHO 
> > > > > > when a wget
> > > > > > > style retrieval works just fine.
> > > > > >
> > > > > > However, it does not provide for versioning, tagging etc so you 
> > > > > > have
> > > > > > to implement your own schema.
> > > > > >
> > > > > >
> > > > > > Hmm I’m not sure if we need all that. Bits has its own versioning 
> > > > > > mechanism and
> > > > > > I think all we need to do is maintain the same versioning logic and 
> > > > > > maintain
> > > > > > binaries of different  versions. Do we really need the power of 
> > > > > > git/version
> > > > > > control here? Dunno.
> > > > >
> > > > > Well we need some schema. Given we are not using official bits 
> > > > > releases
> > > > > I don't think we can reuse theirs.
> > > >
> > > > OK fine. Lets figuire out how to push bits somewhere in git.qemu.org and
> > > > the binaries in some other repo first. Everything else hinges on that. 
> > > > We
> > > > can fix the rest of the bits later incrementally.
> > >
> > > DanPB, any thoughts on putting bits on git.qemu.org or where and how to
> > > keep the binaries?
> >
> > Can we please conclude on this?
> > Peter, can you please fork the repo? I have tried many times to reach
> > you on IRC but failed.
>
> Probably because of travel around KVM forum.
>
> I think given our CI is under pressure again due to gitlab free tier
> limits, tying binaries to CI isn't a great idea at this stage.
> Can Ani just upload binaies to qemu.org for now?

I agree with Michael here. Having a full ci/cd job for this is
overkill IMHO. We should create a repo just for the binaries, have a
README there to explain how we generate them and check in new versions
as and when needed (it won't be frequent).
How about biosbits-bin repo?


>
> --
> MST
>



Re: [PATCH v2 1/2] linux-user: Introduce stubs for ELF AT_BASE_PLATFORM

2022-09-27 Thread Laurent Vivier

Le 03/08/2022 à 12:30, Jiaxun Yang a écrit :

AT_BASE_PLATFORM is a elf auxiliary vector pointing to a string
to pass some architecture information.
See getauxval(3) man-page.

Signed-off-by: Jiaxun Yang 
Reviewed-by: Philippe Mathieu-Daudé 
---
  linux-user/elfload.c | 29 +++--
  1 file changed, 27 insertions(+), 2 deletions(-)



Applied to my linux-user-for-7.2 branch.

Thanks,
Laurent





Re: [PATCH v6 3/5] module: add Error arguments to module_load and module_load_qom

2022-09-27 Thread Claudio Fontana
On 9/27/22 09:54, Markus Armbruster wrote:
> Claudio Fontana  writes:
> 
>> On 9/26/22 12:38, Kevin Wolf wrote:
>>> Am 24.09.2022 um 01:21 hat Claudio Fontana geschrieben:
 improve error handling during module load, by changing:

 bool module_load(const char *prefix, const char *lib_name);
 void module_load_qom(const char *type);

 to:

 int module_load(const char *prefix, const char *name, Error **errp);
 int module_load_qom(const char *type, Error **errp);

 where the return value is:

  -1 on module load error, and errp is set with the error
   0 on module or one of its dependencies are not installed
   1 on module load success
   2 on module load success (module already loaded or built-in)

 module_load_qom_one has been introduced in:

 commit 28457744c345 ("module: qom module support"), which built on top of
 module_load_one, but discarded the bool return value. Restore it.

 Adapt all callers to emit errors, or ignore them, or fail hard,
 as appropriate in each context.

 Some memory leaks also fixed as part of the module_load changes.

 audio: when attempting to load an audio module, report module load errors.
 block: when attempting to load a block module, report module load errors.
 console: when attempting to load a display module, report module load 
 errors.

 qdev: when creating a new qdev Device object (DeviceState), report load 
 errors.
   If a module cannot be loaded to create that device, now abort 
 execution.

 qom/object.c: when initializing a QOM object, or looking up class_by_name,
   report module load errors.

 qtest: when processing the "module_load" qtest command, report errors
in the load of the module.

 Signed-off-by: Claudio Fontana 
>>>
 diff --git a/block/dmg.c b/block/dmg.c
 index 007b8d9996..a422cf8d5b 100644
 --- a/block/dmg.c
 +++ b/block/dmg.c
 @@ -434,6 +434,7 @@ static int dmg_open(BlockDriverState *bs, QDict 
 *options, int flags,
  uint64_t plist_xml_offset, plist_xml_length;
  int64_t offset;
  int ret;
 +Error *local_err = NULL;
  
  ret = bdrv_apply_auto_read_only(bs, NULL, errp);
  if (ret < 0) {
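Review bot: `local_err` is declared only so the module-load failures in the next hunk can be printed with `error_report_err()`, which leaves dmg_open() returning -EINVAL with `errp` unset. The call visible in this hunk already hands the caller's pointer down (`bdrv_apply_auto_read_only(bs, NULL, errp)`), and the two load calls could do the same: `if (block_module_load("dmg-bz2", errp) < 0) { return -EINVAL; }`. That removes the extra variable and the `local_err = NULL;` reset between the calls. The function body starts before this hunk, and the quoted second hunk is trimmed by the reply.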
 @@ -446,8 +447,15 @@ static int dmg_open(BlockDriverState *bs, QDict 
 *options, int flags,
  return -EINVAL;
  }
  
 -block_module_load("dmg-bz2");
 -block_module_load("dmg-lzfse");
 +if (block_module_load("dmg-bz2", _err) < 0) {
 +error_report_err(local_err);
 +return -EINVAL;
 +}
 +local_err = NULL;
 +if (block_module_load("dmg-lzfse", _err) < 0) {
 +error_report_err(local_err);
 +return -EINVAL;
>>
>> I am concerned about the resources allocation here though,
>> is returning EINVAL here right, vs using "goto fail"?
>>
>> I matched the behavior of the preceding call:
>>
>> bs->file = bdrv_open_child(NULL, options, "file", bs, _of_bds,
>>BDRV_CHILD_IMAGE, false, errp);
>> if (!bs->file) {
>> return -EINVAL;
>> }
>>
>> But afterwards the code goes:
>> .
>> /* locate the UDIF trailer */
>> offset = dmg_find_koly_offset(bs->file, errp);
>> if (offset < 0) {
>> ret = offset;
>> goto fail;
>> }
>>
>> Should the resources be freed or not in your view?
> 
> Functions should generally fail cleanly, and that means undoing side
> effects such as allocations.

This is pretty obvious.

Note that this function does not perform the allocations,
bdrv_open is called with existing allocated resources,
and then frees those resources only in specific code paths.

I am asking here because the code preceding my hunk is doing:

"
ret = bdrv_apply_auto_read_only(bs, NULL, errp);
if (ret < 0) {
return ret;
}

bs->file = bdrv_open_child(NULL, options, "file", bs, _of_bds,
   BDRV_CHILD_IMAGE, false, errp);
if (!bs->file) {
return -EINVAL;
}
"

So something seems fishy here, looks inconsistent with the successive code that 
instead frees bs resources on error.

Might be correct, but would need looking deeper into this by block-aware 
people. Kevin?




Re: [PATCH] linux-user: Don't assume 0 is not a valid host timer_t value

2022-09-27 Thread Laurent Vivier

Le 25/07/2022 à 13:00, Peter Maydell a écrit :

For handling guest POSIX timers, we currently use an array
g_posix_timers[], whose entries are a host timer_t value, or 0 for
"this slot is unused".  When the guest calls the timer_create syscall
we look through the array for a slot containing 0, and use that for
the new timer.

This scheme assumes that host timer_t values can never be zero.  This
is unfortunately not a valid assumption -- for some host libc
versions, timer_t values are simply indexes starting at 0.  When
using this kind of host libc, the effect is that the first and second
timers end up sharing a slot, and so when the guest tries to operate
on the first timer it changes the second timer instead.

Rework the timer allocation code, so that:
  * the 'slot in use' indication uses a separate array from the
host timer_t array
  * we grab the free slot atomically, to avoid races when multiple
threads call timer_create simultaneously
  * releasing an allocated slot is abstracted out into a new
free_host_timer_slot() function called in the correct places

This fixes:
  * problems on hosts where timer_t 0 is valid
  * the FIXME in next_free_host_timer() about locking
  * bugs in the error paths in timer_create where we forgot to release
the slot we grabbed, or forgot to free the host timer

Reported-by: Jon Alduan 
Signed-off-by: Peter Maydell 
---
  linux-user/syscall.c | 24 
  1 file changed, 16 insertions(+), 8 deletions(-)



Applied to my linux-user-for-7.2 branch.

Thanks,
Laurent




Re: [PATCH v2 07/11] acpi/tests/bits: add python test that exercizes QEMU bios tables using biosbits

2022-09-27 Thread Daniel P . Berrangé
On Tue, Sep 27, 2022 at 01:43:15PM +0530, Ani Sinha wrote:
> On Sun, Sep 18, 2022 at 1:58 AM Michael S. Tsirkin  wrote:
> >
> > On Fri, Sep 16, 2022 at 09:30:42PM +0530, Ani Sinha wrote:
> > > On Thu, Jul 28, 2022 at 12:08 AM Ani Sinha  wrote:
> > > >
> > > >
> > > >
> > > > On Mon, 25 Jul 2022, Ani Sinha wrote:
> > > >
> > > > >
> > > > >
> > > > > On Sat, 16 Jul 2022, Michael S. Tsirkin wrote:
> > > > >
> > > > > > On Sat, Jul 16, 2022 at 12:06:00PM +0530, Ani Sinha wrote:
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Jul 15, 2022 at 11:20 Michael S. Tsirkin 
> > > > > > >  wrote:
> > > > > > >
> > > > > > > On Fri, Jul 15, 2022 at 09:47:27AM +0530, Ani Sinha wrote:
> > > > > > > > > Instead of all this mess, can't we just spawn e.g. "git 
> > > > > > > clone --depth
> > > > > > > 1"?
> > > > > > > > > And if the directory exists I would fetch and checkout.
> > > > > > > >
> > > > > > > > There are two reasons I can think of why I do not like this 
> > > > > > > idea:
> > > > > > > >
> > > > > > > > (a) a git clone of a whole directory would download all 
> > > > > > > versions of the
> > > > > > > > binary whereas we want only a specific version.
> > > > > > >
> > > > > > > You mention shallow clone yourself, and I used --depth 1 
> > > > > > > above.
> > > > > > >
> > > > > > > > Downloading a single file
> > > > > > > > by shallow cloning or creating a git archive is overkill 
> > > > > > > IMHO when a wget
> > > > > > > > style retrieval works just fine.
> > > > > > >
> > > > > > > However, it does not provide for versioning, tagging etc so 
> > > > > > > you have
> > > > > > > to implement your own schema.
> > > > > > >
> > > > > > >
> > > > > > > Hmm I’m not sure if we need all that. Bits has its own versioning 
> > > > > > > mechanism and
> > > > > > > I think all we need to do is maintain the same versioning logic 
> > > > > > > and maintain
> > > > > > > binaries of different  versions. Do we really need the power of 
> > > > > > > git/version
> > > > > > > control here? Dunno.
> > > > > >
> > > > > > Well we need some schema. Given we are not using official bits 
> > > > > > releases
> > > > > > I don't think we can reuse theirs.
> > > > >
> > > > > OK fine. Lets figuire out how to push bits somewhere in git.qemu.org 
> > > > > and
> > > > > the binaries in some other repo first. Everything else hinges on 
> > > > > that. We
> > > > > can fix the rest of the bits later incrementally.
> > > >
> > > > DanPB, any thoughts on putting bits on git.qemu.org or where and how to
> > > > keep the binaries?
> > >
> > > Can we please conclude on this?
> > > Peter, can you please fork the repo? I have tried many times to reach
> > > you on IRC but failed.
> >
> > Probably because of travel around KVM forum.
> >
> > I think given our CI is under pressure again due to gitlab free tier
> > limits, tying binaries to CI isn't a great idea at this stage.
> > Can Ani just upload binaies to qemu.org for now?
> 
> I agree with Michael here. Having a full ci/cd job for this is
> overkill IMHO. We should create a repo just for the binaries, have a
> README there to explain how we generate them and check in new versions
> as and when needed (it won't be frequent).
> How about biosbits-bin repo?

If QEMU is hosting binaries, where any part contains GPL code, then we
need to be providing the full and corresponding source and the build
scripts needed to re-create the binary. Once we have such scripts it
should be trivial to trigger that from a CI job. If it isn't then
we're doing something wrong.  The CI quota is not an issue, because
this is not a job that we need to run continuously. It can be triggered
manually as & when we decide we need to refresh the binary, so would
be a small one-off CI quota hit.

Also note that gitlab is intending to start enforcing storage quota
on projects in the not too distant future. This makes it unappealing
to store binaries in git repos, unless we genuinely need the ability
to access historical versions of the binary. I don't believe we need
that for biosbits.

The binary can be published as a CI artifact and accessed directly
from the latest artifact download link. This ensures we only consume
quota for the most recently published binary artifact. So I don't see
a compelling reason to upload binaries into git.

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




Re: [PATCH v3 42/54] chardev/char-file: Add FILE_SHARE_WRITE when opening the file for win32

2022-09-27 Thread Marc-André Lureau
Hi

On Mon, Sep 26, 2022 at 7:05 PM Bin Meng  wrote:

> On Mon, Sep 26, 2022 at 9:27 PM Marc-André Lureau
>  wrote:
> >
> > Hi
> >
> > On Sun, Sep 25, 2022 at 4:35 PM Bin Meng  wrote:
> >>
> >> From: Xuzhou Cheng 
> >>
> >> The combination of GENERIC_WRITE and FILE_SHARE_READ options does not
> >> allow the same file to be opened again by CreateFile() from another
> >> QEMU process with the same options when the previous QEMU process
> >> still holds the file handle opened.
> >>
> >> This was triggered by running the test_multifd_tcp_cancel() case on
> >> Windows, which cancels the migration, and launches another QEMU
> >> process to migrate with the same file opened for write. Chances are
> >> that the previous QEMU process does not quit before the new QEMU
> >> process runs hence the old one still holds the file handle that does
> >> not allow shared write permission then the new QEMU process will fail.
> >>
> >> There is another test case boot-serial-test that triggers the same
> >> issue. The qtest executable created a serial chardev file to be
> >> passed to the QEMU executable. The serial file was created by
> >> g_file_open_tmp(), which internally opens the file with
> >> FILE_SHARE_WRITE security attribute, and based on [1], there is
> >> only one case that allows the first call to CreateFile() with
> >> GENERIC_READ & FILE_SHARE_WRITE, and second call to CreateFile()
> >> with GENERIC_WRITE & FILE_SHARE_READ. All other combinations
> >> require FILE_SHARE_WRITE in the second call. But there is no way
> >> for the second call (in this case the QEMU executable) to know
> >> what combination was passed to the first call, so we will have to
> >> add FILE_SHARE_WRITE to the second call.
> >>
> >> For both scenarios we should add FILE_SHARE_WRITE in the chardev
> >> file backend driver. This change also makes the behavior to be
> >> consistent with the POSIX platforms.
> >
> >
> > It seems to me the tests should be fixed instead. I thought you fixed
> the first case. For the second case, why not close the file before starting
> qemu? If you have issues, I will take a deeper look.
>
> Indeed, the following test case change can "fix" this issue:
>
> diff --git a/tests/qtest/boot-serial-test.c
> b/tests/qtest/boot-serial-test.c
> index 72310ba30e..f192fbc181 100644
> --- a/tests/qtest/boot-serial-test.c
> +++ b/tests/qtest/boot-serial-test.c
> @@ -233,6 +233,7 @@ static void test_machine(const void *data)
> ser_fd = g_file_open_tmp("qtest-boot-serial-sXX", , NULL);
> g_assert(ser_fd != -1);
> + close(ser_fd);
> if (test->kernel) {
> code = test->kernel;
> @@ -266,6 +267,7 @@ static void test_machine(const void *data)
> unlink(codetmp);
> }
> + ser_fd = open(serialtmp, O_RDONLY);
> if (!check_guest_output(qts, test, ser_fd)) {
> g_error("Failed to find expected string. Please check '%s'",
> serialtmp);
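Review bot: The descriptor from `ser_fd = open(serialtmp, O_RDONLY);` goes straight into check_guest_output() without the `g_assert(ser_fd != -1);` that guards the original g_file_open_tmp() call. A failed reopen would then surface as a misleading "Failed to find expected string" error; adding `g_assert(ser_fd != -1);` on the next line keeps the two opens consistent. Closing and reopening by name also gives up the guarantee that the file read back is the one g_file_open_tmp() created, which is acceptable in a test but worth a short comment. test_machine's body extends beyond both hunks.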
>
>
Please send this fix as a new patch in the series.


> But I think it just workarounds the problem. The original test case
> looks reasonable to me. If we update the case like above, we cannot
> guarantee users will do like the updated test case does.
>

If the test is enabled, it will fail, and the reasons are reasonably valid:
two processes shouldn't share the same file for writing with a chardev.

I still think the windows file chardev behavior is superior and we should
instead teach the posix implementation of exclusive write access, rather
than downgrading the windows implementation. I'd drop this patch from the
series for now.


>
> >
> >>
> >>
> >> [1]
> https://docs.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files
> >>
> >> Signed-off-by: Xuzhou Cheng 
> >> Signed-off-by: Bin Meng 
> >> ---
> >>
> >> Changes in v3:
> >> - Add another case "boot-serial-test" to justify the change
> >>
> >> Changes in v2:
> >> - Update commit message to include the use case why we should set
> >>   FILE_SHARE_WRITE when opening the file for win32
> >>
> >>  chardev/char-file.c | 4 ++--
> >>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>
>
> Regards,
> Bin
>


-- 
Marc-André Lureau


Re: [PATCH v2 04/11] qtest: make read/write operation appear to be from CPU

2022-09-27 Thread Thomas Huth

On 26/09/2022 15.38, Alex Bennée wrote:

The point of qtest is to simulate how running code might interact with
the system. However because it's not a real system we have places in
the code which especially handle check qtest_enabled() before
referencing current_cpu. Now we can encode these details in the
MemTxAttrs lets do that so we can start removing them.


s/lets/let's/


Signed-off-by: Alex Bennée 

---
v2
   - use a common macro instead of specific MEMTXATTRS_QTEST
v3
   - macro moved to earlier
---
  softmmu/qtest.c | 26 +-
  1 file changed, 13 insertions(+), 13 deletions(-)


Acked-by: Thomas Huth 




[PATCH v2 3/3] hw/intc: Fix LoongArch ipi device emulation

2022-09-27 Thread Xiaojuan Yang
In the ipi_send function, the irq should not be set before
writing data to the dest cpu iocsr space, as the irq will
be triggered after the data is written.

Signed-off-by: Xiaojuan Yang 
---
 hw/intc/loongarch_ipi.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/intc/loongarch_ipi.c b/hw/intc/loongarch_ipi.c
index 4f3c58f872..aa4bf9eb74 100644
--- a/hw/intc/loongarch_ipi.c
+++ b/hw/intc/loongarch_ipi.c
@@ -88,7 +88,6 @@ static void ipi_send(uint64_t val)
 cs = qemu_get_cpu(cpuid);
 cpu = LOONGARCH_CPU(cs);
 env = >env;
-loongarch_cpu_set_irq(cpu, IRQ_IPI, 1);
 address_space_stl(>address_space_iocsr, 0x1008,
   data, MEMTXATTRS_UNSPECIFIED, NULL);
 
-- 
2.31.1




[PULL v2 00/22] riscv-to-apply queue

2022-09-27 Thread Alistair Francis
From: Alistair Francis 

The following changes since commit 99d6b11b5b44d7dd64f4cb1973184e40a4a174f8:

  Merge tag 'pull-target-arm-20220922' of 
https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-09-26 
13:38:26 -0400)

are available in the Git repository at:

  https://github.com/alistair23/qemu.git tags/pull-riscv-to-apply-20220927

for you to fetch changes up to a3ab69f9f6c000481c439923d16416b8941d5b37:

  target/riscv: rvv-1.0: vf[w]redsum distinguish between ordered/unordered 
(2022-09-27 11:23:57 +1000)


Second RISC-V PR for QEMU 7.2

* Fixup typos and register addresses for Ibex SPI
* Cleanup the RISC-V virt machine documentation
* Remove the sideleg and sedeleg CSR macros
* Fix the CSR check for cycle{h}, instret{h}, time{h}, hpmcounter3-31{h}
* Remove fixed numbering from GDB xml feature files
* Allow setting the resetvec for the OpenTitan machine
* Check the correct exception cause in vector GDB stub
* Fix inheritance of SiFiveEState
* Improvements to the RISC-V debugger spec
* Simplify some vector code


Alex Bennée (1):
  docs/system: clean up code escape for riscv virt platform

Alistair Francis (3):
  target/riscv: Set the CPU resetvec directly
  hw/riscv: opentitan: Fixup resetvec
  hw/riscv: opentitan: Expose the resetvec as a SoC property

Andrew Burgess (2):
  target/riscv: remove fflags, frm, and fcsr from riscv-*-fpu.xml
  target/riscv: remove fixed numbering from GDB xml feature files

Bernhard Beschow (1):
  hw/riscv/sifive_e: Fix inheritance of SiFiveEState

Frank Chang (9):
  target/riscv: Check the correct exception cause in vector GDB stub
  target/riscv: debug: Determine the trigger type from tdata1.type
  target/riscv: debug: Introduce build_tdata1() to build tdata1 register 
content
  target/riscv: debug: Introduce tdata1, tdata2, and tdata3 CSRs
  target/riscv: debug: Restrict the range of tselect value can be written
  target/riscv: debug: Introduce tinfo CSR
  target/riscv: debug: Create common trigger actions function
  target/riscv: debug: Check VU/VS modes for type 2 trigger
  target/riscv: debug: Add initial support of type 6 trigger

Rahul Pathak (1):
  target/riscv: Remove sideleg and sedeleg

Weiwei Li (1):
  target/riscv: fix csr check for cycle{h}, instret{h}, time{h}, 
hpmcounter3-31{h}

Wilfred Mallawa (2):
  hw/ssi: ibex_spi: fixup typos in ibex_spi_host
  hw/ssi: ibex_spi: update reg addr

Yang Liu (2):
  target/riscv: rvv-1.0: Simplify vfwredsum code
  target/riscv: rvv-1.0: vf[w]redsum distinguish between ordered/unordered

 docs/system/riscv/virt.rst  |  13 +-
 include/hw/riscv/opentitan.h|   2 +
 include/hw/riscv/sifive_e.h |   3 +-
 target/riscv/cpu.h  |   9 +-
 target/riscv/cpu_bits.h |   3 +-
 target/riscv/debug.h|  55 ++--
 target/riscv/helper.h   |  15 +-
 target/riscv/insn32.decode  |   6 +-
 disas/riscv.c   |   2 -
 hw/riscv/opentitan.c|   8 +-
 hw/ssi/ibex_spi_host.c  |   8 +-
 target/riscv/cpu.c  |  13 +-
 target/riscv/csr.c  |  23 +-
 target/riscv/debug.c| 484 +---
 target/riscv/gdbstub.c  |  36 +--
 target/riscv/machine.c  |  26 +-
 target/riscv/vector_helper.c|  69 ++---
 target/riscv/insn_trans/trans_rvv.c.inc |   6 +-
 gdb-xml/riscv-32bit-cpu.xml |   6 +-
 gdb-xml/riscv-32bit-fpu.xml |  10 +-
 gdb-xml/riscv-64bit-cpu.xml |   6 +-
 gdb-xml/riscv-64bit-fpu.xml |  10 +-
 22 files changed, 531 insertions(+), 282 deletions(-)



[PULL 3/3] m68k: align bootinfo strings and data to 4 bytes

2022-09-27 Thread Laurent Vivier
From: "Jason A. Donenfeld" 

Various tools, such as kexec-tools and m68k-bootinfo, expect each
bootinfo entry to be aligned to 4 bytes, not 2 bytes. So adjust the
padding to fill this out as such.

Also, break apart the padding additions from the other field length
additions, so that it's more clear why these magic numbers are being
added, and comment them too.

Reported-by: Geert Uytterhoeven 
Cc: Laurent Vivier 
Signed-off-by: Jason A. Donenfeld 
Reviewed-by: Laurent Vivier 
Message-Id: <20220926113900.1256630-2-ja...@zx2c4.com>
Signed-off-by: Laurent Vivier 
---
 hw/m68k/bootinfo.h | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/m68k/bootinfo.h b/hw/m68k/bootinfo.h
index bd8b212fd35c..897162b8189c 100644
--- a/hw/m68k/bootinfo.h
+++ b/hw/m68k/bootinfo.h
@@ -48,13 +48,14 @@
 stw_phys(as, base, id); \
 base += 2; \
 stw_phys(as, base, \
- (sizeof(struct bi_record) + strlen(string) + 2) & ~1); \
+ (sizeof(struct bi_record) + strlen(string) + \
+  1 /* null termination */ + 3 /* padding */) & ~3); \
 base += 2; \
 for (i = 0; string[i]; i++) { \
 stb_phys(as, base++, string[i]); \
 } \
 stb_phys(as, base++, 0); \
-base = (base + 1) & ~1; \
+base = (base + 3) & ~3; \
 } while (0)
 
 #define BOOTINFODATA(as, base, id, data, len) \
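Review bot: The record size written by `stw_phys(as, base, (sizeof(struct bi_record) + strlen(string) + ...) & ~3)` is a 16-bit field (`base += 2` follows it), and nothing bounds `strlen(string)` before the store. A string long enough to push the sum past 65535 would leave a truncated size in the header while the loop still writes every byte, so a consumer that walks records by size would step into the middle of the string. Where the strings come from is not visible here; if any caller passes user-supplied text, a guard at the top of the macro such as `assert(strlen(string) <= UINT16_MAX - sizeof(struct bi_record) - 4);` would make the limit explicit. BOOTINFODATA in the next hunk has the same shape for `len`, which is also stored with `stw_phys`.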
@@ -63,13 +64,14 @@
 stw_phys(as, base, id); \
 base += 2; \
 stw_phys(as, base, \
- (sizeof(struct bi_record) + len + 3) & ~1); \
+ (sizeof(struct bi_record) + len + \
+  2 /* length field */ + 3 /* padding */) & ~3); \
 base += 2; \
 stw_phys(as, base, len); \
 base += 2; \
 for (i = 0; i < len; ++i) { \
 stb_phys(as, base++, data[i]); \
 } \
-base = (base + 1) & ~1; \
+base = (base + 3) & ~3; \
 } while (0)
 #endif
-- 
2.37.3




[PULL v2 01/22] hw/ssi: ibex_spi: fixup typos in ibex_spi_host

2022-09-27 Thread Alistair Francis
From: Wilfred Mallawa 

This patch fixes up minor typos in ibex_spi_host

Signed-off-by: Wilfred Mallawa 
Reviewed-by: Alistair Francis 
Reviewed-by: Andrew Jones 
Message-Id: <20220823061201.132342-2-wilfred.mall...@opensource.wdc.com>
Signed-off-by: Alistair Francis 
---
 hw/ssi/ibex_spi_host.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/ssi/ibex_spi_host.c b/hw/ssi/ibex_spi_host.c
index d14580b409..601041d719 100644
--- a/hw/ssi/ibex_spi_host.c
+++ b/hw/ssi/ibex_spi_host.c
@@ -172,7 +172,7 @@ static void ibex_spi_host_irq(IbexSPIHostState *s)
 & R_INTR_STATE_SPI_EVENT_MASK;
 int err_irq = 0, event_irq = 0;
 
-/* Error IRQ enabled and Error IRQ Cleared*/
+/* Error IRQ enabled and Error IRQ Cleared */
 if (error_en && !err_pending) {
 /* Event enabled, Interrupt Test Error */
 if (s->regs[IBEX_SPI_HOST_INTR_TEST] & R_INTR_TEST_ERROR_MASK) {
@@ -434,7 +434,7 @@ static void ibex_spi_host_write(void *opaque, hwaddr addr,
 case IBEX_SPI_HOST_TXDATA:
 /*
  * This is a hardware `feature` where
- * the first word written TXDATA after init is omitted entirely
+ * the first word written to TXDATA after init is omitted entirely
  */
 if (s->init_status) {
 s->init_status = false;
@@ -487,7 +487,7 @@ static void ibex_spi_host_write(void *opaque, hwaddr addr,
 break;
 case IBEX_SPI_HOST_ERROR_STATUS:
 /*
- *  Indicates that any errors that have occurred.
+ *  Indicates any errors that have occurred.
  *  When an error occurs, the corresponding bit must be cleared
  *  here before issuing any further commands
  */
-- 
2.37.3




[PULL v2 19/22] target/riscv: debug: Check VU/VS modes for type 2 trigger

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Type 2 trigger cannot be fired in VU/VS modes.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Message-Id: <20220909134215.1843865-8-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/debug.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index 7a8910f980..e16d5c070a 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -464,6 +464,11 @@ bool riscv_cpu_debug_check_breakpoint(CPUState *cs)
 
 switch (trigger_type) {
 case TRIGGER_TYPE_AD_MATCH:
+/* type 2 trigger cannot be fired in VU/VS mode */
+if (riscv_cpu_virt_enabled(env)) {
+return false;
+}
+
 ctrl = env->tdata1[i];
 pc = env->tdata2[i];
 
@@ -499,6 +504,11 @@ bool riscv_cpu_debug_check_watchpoint(CPUState *cs, 
CPUWatchpoint *wp)
 
 switch (trigger_type) {
 case TRIGGER_TYPE_AD_MATCH:
+/* type 2 trigger cannot be fired in VU/VS mode */
+if (riscv_cpu_virt_enabled(env)) {
+return false;
+}
+
 ctrl = env->tdata1[i];
 addr = env->tdata2[i];
 flags = 0;
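Review bot: `return false;` in the `TRIGGER_TYPE_AD_MATCH` case leaves the whole function as soon as one type 2 trigger is seen in VS/VU mode, rather than skipping that trigger. The `[i]` indexing suggests the switch sits in a loop over triggers that starts outside the hunk; if so, triggers at higher indices of a different type are never checked. Skipping only this entry, with `break;` in place of `return false;`, would keep them evaluated, assuming nothing after the switch acts on the skipped trigger. The breakpoint hunk at -464 has the same pattern.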
-- 
2.37.3




[PULL 6/8] virtio-net: Update virtio-net curr_queue_pairs in vdpa backends

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

Previously an error was returned here. Instead, simply update the
corresponding field so QEMU can send it in the migration data.

Signed-off-by: Eugenio Pérez 
Acked-by: Si-Wei Liu 
Signed-off-by: Jason Wang 
---
 hw/net/virtio-net.c | 17 ++---
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index dd0d056..63a8332 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1412,19 +1412,14 @@ static int virtio_net_handle_mq(VirtIONet *n, uint8_t 
cmd,
 return VIRTIO_NET_ERR;
 }
 
-/* Avoid changing the number of queue_pairs for vdpa device in
- * userspace handler. A future fix is needed to handle the mq
- * change in userspace handler with vhost-vdpa. Let's disable
- * the mq handling from userspace for now and only allow get
- * done through the kernel. Ripples may be seen when falling
- * back to userspace, but without doing it qemu process would
- * crash on a recursive entry to virtio_net_set_status().
- */
+n->curr_queue_pairs = queue_pairs;
 if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_VHOST_VDPA) {
-return VIRTIO_NET_ERR;
+/*
+ * Avoid updating the backend for a vdpa device: We're only interested
+ * in updating the device model queues.
+ */
+return VIRTIO_NET_OK;
 }
-
-n->curr_queue_pairs = queue_pairs;
 /* stop the backend before changing the number of queue_pairs to avoid 
handling a
  * disabled queue */
 virtio_net_set_status(vdev, vdev->status);
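Review bot: The new comment in the vhost-vdpa branch no longer records why the backend must not be touched here: the removed comment said that going on would crash the qemu process through a recursive entry into virtio_net_set_status(). If that hazard still applies, it is the reason the early return sits before the `virtio_net_set_status(vdev, vdev->status)` call, and one line of it is worth keeping, e.g. `/* falling through would re-enter virtio_net_set_status() for vdpa */`. The guest now also gets VIRTIO_NET_OK while this path changes only `n->curr_queue_pairs`; whether the vdpa backend ends up with the same queue count is decided outside this hunk and should be confirmed. virtio_net_handle_mq() starts and ends outside the hunk.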
-- 
2.7.4




Re: [PATCH 3/3] tests/qtest: sifive-e-aon-watchdog-test.c : Add QTest of watchdog of sifive_e

2022-09-27 Thread Frank Chang
Reviewed-by: Frank Chang 

On Thu, Sep 22, 2022 at 4:42 PM Tommy Wu  wrote:

> Add some simple tests of the watchdog timer in the always-on domain device
> of HiFive 1 rev b.
>
> Signed-off-by: Tommy Wu 
> ---
>  tests/qtest/meson.build  |   3 +
>  tests/qtest/sifive-e-aon-watchdog-test.c | 400 +++
>  2 files changed, 403 insertions(+)
>  create mode 100644 tests/qtest/sifive-e-aon-watchdog-test.c
>
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index e910cb32ca..446115ea34 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -234,6 +234,9 @@ qtests_s390x = \
> 'cpu-plug-test',
> 'migration-test']
>
> +qtests_riscv32 = \
> +  (config_all_devices.has_key('CONFIG_SIFIVE_E_AON') ?
> ['sifive-e-aon-watchdog-test'] : [])
> +
>  qos_test_ss = ss.source_set()
>  qos_test_ss.add(
>'ac97-test.c',
> diff --git a/tests/qtest/sifive-e-aon-watchdog-test.c
> b/tests/qtest/sifive-e-aon-watchdog-test.c
> new file mode 100644
> index 00..a583539346
> --- /dev/null
> +++ b/tests/qtest/sifive-e-aon-watchdog-test.c
> @@ -0,0 +1,400 @@
> +#include "qemu/osdep.h"
> +#include "qemu/timer.h"
> +#include "qemu/bitops.h"
> +#include "libqtest-single.h"
> +#include "hw/misc/sifive_e_aon.h"
> +
> +#define WDOG_BASE (0x1000)
> +#define WDOGCFG (0x0)
> +#define WDOGCOUNT (0x8)
> +#define WDOGS (0x10)
> +#define WDOGFEED (0x18)
> +#define WDOGKEY (0x1c)
> +#define WDOGCMP0 (0x20)
> +
> +#define SIFIVE_E_AON_WDOGKEY (0x51F15E)
> +#define SIFIVE_E_AON_WDOGFEED (0xD09F00D)
> +#define SIFIVE_E_LFCLK_DEFAULT_FREQ (32768)
> +
> +static void test_init(void)
> +{
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCOUNT, 0);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCFG, 0);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCMP0, 0xBEEF);
> +}
> +
> +static void test_wdogcount(void)
> +{
> +test_init();
> +
> +uint64_t tmp;
> +tmp = readl(WDOG_BASE + WDOGCOUNT);
> +writel(WDOG_BASE + WDOGCOUNT, 0xBEEF);
> +g_assert(readl(WDOG_BASE + WDOGCOUNT) == tmp);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCOUNT, 0xBEEF);
> +g_assert(0xBEEF == readl(WDOG_BASE + WDOGCOUNT));
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCOUNT, 0x);
> +g_assert(0x2AAA == readl(WDOG_BASE + WDOGCOUNT));
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGFEED, 0x);
> +g_assert(0x2AAA == readl(WDOG_BASE + WDOGCOUNT));
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGFEED, SIFIVE_E_AON_WDOGFEED);
> +g_assert(0 == readl(WDOG_BASE + WDOGCOUNT));
> +}
> +
> +static void test_wdogcfg(void)
> +{
> +test_init();
> +
> +wdogcfg_s tmp;
> +tmp.value = readl(WDOG_BASE + WDOGCFG);
> +writel(WDOG_BASE + WDOGCFG, 0x);
> +g_assert(readl(WDOG_BASE + WDOGCFG) == tmp.value);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCFG, 0x);
> +g_assert(0x == readl(WDOG_BASE + WDOGCFG));
> +
> +tmp.value = readl(WDOG_BASE + WDOGCFG);
> +g_assert(15 == tmp.wdogscale);
> +g_assert(1 == tmp.wdogrsten);
> +g_assert(1 == tmp.wdogzerocmp);
> +g_assert(1 == tmp.wdogenalways);
> +g_assert(1 == tmp.wdogencoreawake);
> +g_assert(1 == tmp.wdogip0);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCFG, 0);
> +g_assert(0 == readl(WDOG_BASE + WDOGCFG));
> +
> +tmp.value = readl(WDOG_BASE + WDOGCFG);
> +g_assert(0 == tmp.wdogscale);
> +g_assert(0 == tmp.wdogrsten);
> +g_assert(0 == tmp.wdogzerocmp);
> +g_assert(0 == tmp.wdogenalways);
> +g_assert(0 == tmp.wdogencoreawake);
> +g_assert(0 == tmp.wdogip0);
> +}
> +
> +static void test_wdogcmp0(void)
> +{
> +test_init();
> +
> +wdogcfg_s tmp;
> +tmp.value = readl(WDOG_BASE + WDOGCMP0);
> +writel(WDOG_BASE + WDOGCMP0, 0xBEEF);
> +g_assert(readl(WDOG_BASE + WDOGCMP0) == tmp.value);
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +writel(WDOG_BASE + WDOGCMP0, 0xBEEF);
> +g_assert(0xBEEF == readl(WDOG_BASE + WDOGCMP0));
> +}
> +
> +static void test_wdogkey(void)
> +{
> +test_init();
> +
> +g_assert(0 == readl(WDOG_BASE + WDOGKEY));
> +
> +writel(WDOG_BASE + WDOGKEY, 0x);
> +g_assert(0 == readl(WDOG_BASE + WDOGKEY));
> +
> +writel(WDOG_BASE + WDOGKEY, SIFIVE_E_AON_WDOGKEY);
> +g_assert(1 == readl(WDOG_BASE + WDOGKEY));
> +
> +writel(WDOG_BASE + WDOGFEED, 0x);
> +g_assert(0 == readl(WDOG_BASE + WDOGKEY));
> +}
> +
> +static void test_wdogfeed(void)
> +{
> +test_init();
> +
> +g_assert(0 == readl(WDOG_BASE + WDOGFEED));
> +
> +

[PATCH v2 4/4] target/loongarch: flogb_{s/d} add set float_flag_divbyzero

2022-09-27 Thread Song Gao
If fj == 0 or fj == INT32_MIN/INT64_MIN, a LoongArch host sets the fcsr cause to exception
FP_DIV0, so we need to set the exception flag float_flag_divbyzero if fj == 0.

Signed-off-by: Song Gao 
---
 target/loongarch/fpu_helper.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/target/loongarch/fpu_helper.c b/target/loongarch/fpu_helper.c
index 1a24667eaf..d40e608bb4 100644
--- a/target/loongarch/fpu_helper.c
+++ b/target/loongarch/fpu_helper.c
@@ -322,6 +322,13 @@ uint64_t helper_flogb_s(CPULoongArchState *env, uint64_t 
fj)
 fp = float32_log2((uint32_t)fj, status);
 fd = nanbox_s(float32_round_to_int(fp, status));
 set_float_rounding_mode(old_mode, status);
+/*
+ * LoongArch host if fj == 0 or INT32_MIN , set the fcsr cause FP_DIV0
+ * so we need set exception flags float_flag_divbyzero.
+ */
+if (((uint32_t)fj == 0) | ((uint32_t)fj == INT32_MIN)) {
+set_float_exception_flags(float_flag_divbyzero, status);
+}
 update_fcsr0_mask(env, GETPC(), float_flag_inexact);
 return fd;
 }
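Review bot: `set_float_exception_flags(float_flag_divbyzero, status)` replaces the accumulated softfloat flags with divbyzero alone, so anything raised by the log2 and round-to-int calls above is discarded before `update_fcsr0_mask()` reads the flags; `float_raise(float_flag_divbyzero, status);` ORs the flag in instead. The condition also uses bitwise `|` where logical `||` is meant: `if ((uint32_t)fj == 0 || (uint32_t)fj == INT32_MIN) {`. The comment would be clearer if it said that the two bit patterns being tested are +0.0 and -0.0. The same points apply to the helper_flogb_d hunk below, with INT64_MIN.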
@@ -336,6 +343,13 @@ uint64_t helper_flogb_d(CPULoongArchState *env, uint64_t 
fj)
 fd = float64_log2(fj, status);
 fd = float64_round_to_int(fd, status);
 set_float_rounding_mode(old_mode, status);
+/*
+ * LoongArch host if fj == 0 or INT64_MIN , set the fcsr cause FP_DIV0
+ * so we need set exception flags float_flag_divbyzero.
+ */
+if ((fj == 0) | (fj == INT64_MIN)) {
+set_float_exception_flags(float_flag_divbyzero, status);
+}
 update_fcsr0_mask(env, GETPC(), float_flag_inexact);
 return fd;
 }
-- 
2.31.1




Re: [PATCH 0/7] linux-user fixes for hppa target - part 2

2022-09-27 Thread Laurent Vivier

Le 24/09/2022 à 13:44, Helge Deller a écrit :

Some additional patches for linux-user, which mostly target
the hppa platform.
This series is on top of my previous posted patch series.

Please review.

Helge

Helge Deller (7):
   linux-user: Fix TARGET_PROT_SEM for XTENSA
   linux-user: Add proper strace format strings for
 getdents()/getdents64()
   linux-user/hppa: Add signal trampoline for hppa target
   linux-user/hppa: Drop stack guard page on hppa target
   linux-user/hppa: Increase guest stack size to 80MB for hppa target
   linux-user/hppa: Allow PROT_GROWSUP and PROT_GROWSDOWN in mprotect()
   linux-user/hppa: Fix setup_sigcontext()

  linux-user/elfload.c | 13 +---
  linux-user/hppa/signal.c | 57 +++-
  linux-user/hppa/target_signal.h  | 14 +---
  linux-user/hppa/target_syscall.h |  2 ++
  linux-user/main.c|  9 +++--
  linux-user/mmap.c|  2 ++
  linux-user/strace.list   |  4 +--
  linux-user/syscall.c |  4 +++
  linux-user/syscall_defs.h|  2 +-
  9 files changed, 62 insertions(+), 45 deletions(-)

--
2.37.3




Series applied to linux-user-for-7.2 branch.

Thanks,
Laurent





[PULL 7/8] vdpa: Allow MQ feature in SVQ

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

Finally enable SVQ with MQ feature.

Signed-off-by: Eugenio Pérez 
Signed-off-by: Jason Wang 
---
 net/vhost-vdpa.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index c6cbe2f..4bc3fd0 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -94,6 +94,7 @@ static const uint64_t vdpa_svq_device_features =
 BIT_ULL(VIRTIO_NET_F_MRG_RXBUF) |
 BIT_ULL(VIRTIO_NET_F_STATUS) |
 BIT_ULL(VIRTIO_NET_F_CTRL_VQ) |
+BIT_ULL(VIRTIO_NET_F_MQ) |
 BIT_ULL(VIRTIO_F_ANY_LAYOUT) |
 BIT_ULL(VIRTIO_NET_F_CTRL_MAC_ADDR) |
 BIT_ULL(VIRTIO_NET_F_RSC_EXT) |
-- 
2.7.4




[PULL 09/24] ui/vdagent: fix serial reset of guest agent

2022-09-27 Thread Gerd Hoffmann
From: Marc-André Lureau 

In order to reset the guest agent, we send CLOSED & OPENED events.

They are correctly received by the guest kernel. However, they might not
be noticed by the guest agent process, as the IO task (poll() for
example) might be woken up after both CLOSED & OPENED have been
processed.

Wait until the guest agent is disconnected to re-open our side.

Signed-off-by: Marc-André Lureau 
Message-Id: <20220912102455.111765-6-marcandre.lur...@redhat.com>
Signed-off-by: Gerd Hoffmann 
---
 ui/vdagent.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ui/vdagent.c b/ui/vdagent.c
index 819e0dc1435b..4bf50f0c4d88 100644
--- a/ui/vdagent.c
+++ b/ui/vdagent.c
@@ -471,7 +471,7 @@ static void vdagent_clipboard_reset_serial(VDAgentChardev 
*vd)
 
 /* reopen the agent connection to reset the serial state */
 qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
-qemu_chr_be_event(chr, CHR_EVENT_OPENED);
+/* OPENED again after the guest disconnected, see set_fe_open */
 }
 
 static void vdagent_clipboard_notify(Notifier *notifier, void *data)
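Review bot: With `CHR_EVENT_OPENED` removed here, the re-open happens only in the second hunk, where vdagent_chr_set_fe_open() sends it on every `!fe_open` call, whether or not a reset_serial came first. Nothing visible in either hunk records that a reset is pending, so an ordinary guest disconnect also produces an OPENED event, and a guest that never closes its end after the CLOSED event leaves the backend closed. A pending-reset flag set in vdagent_clipboard_reset_serial() and tested and cleared before the `qemu_chr_be_event(chr, CHR_EVENT_OPENED)` call would tie the two together. If sending OPENED on every front-end close is intended, the comment in the second hunk should say so.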
@@ -875,6 +875,9 @@ static void vdagent_chr_set_fe_open(struct Chardev *chr, 
int fe_open)
 {
 if (!fe_open) {
 trace_vdagent_close();
+/* To reset_serial, we CLOSED our side. Make sure the other end knows 
we
+ * are ready again. */
+qemu_chr_be_event(chr, CHR_EVENT_OPENED);
 return;
 }
 
-- 
2.37.3




[PULL 17/24] usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request

2022-09-27 Thread Gerd Hoffmann
From: Michael Brown 

The USB_CDC_SET_ETHERNET_PACKET_FILTER request is mandatory for
CDC-ECM devices.  Accept this request, ignoring the actual filter
value (to match the existing behaviour for RNDIS).

Signed-off-by: Michael Brown 
Message-Id: <20220906183053.3625472-3-mc...@ipxe.org>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/dev-network.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 61bf598870cb..155df935cd68 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -1122,6 +1122,12 @@ static void usb_net_handle_control(USBDevice *dev, 
USBPacket *p,
 #endif
 break;
 
+case ClassInterfaceOutRequest | USB_CDC_SET_ETHERNET_PACKET_FILTER:
+if (is_rndis(s)) {
+goto fail;
+}
+break;
+
 default:
 fail:
 fprintf(stderr, "usbnet: failed control transaction: "
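Review bot: The new case accepts USB_CDC_SET_ETHERNET_PACKET_FILTER without looking at the filter value the guest sent. The commit message states this is deliberate, but nothing in the code says so. A one-line comment above the `break;` would keep a later reader from treating it as an oversight, e.g. `/* filter value is accepted but not applied, as for RNDIS */`. usb_net_handle_control() starts and ends outside the hunk.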
-- 
2.37.3




Re: [PATCH v3 00/12] linux-user: Add more syscalls, enhance tracing & logging enhancements

2022-09-27 Thread Laurent Vivier

Le 27/09/2022 à 10:56, Helge Deller a écrit :

On 9/27/22 09:32, Laurent Vivier wrote:

Le 18/09/2022 à 21:45, Helge Deller a écrit :

Here is a bunch of patches for linux-user.

Most of them add missing syscalls and enhance the tracing/logging.
Some of the patches are target-hppa specific.
I've tested those on productive hppa debian buildd servers (running qemu-user).

Thanks!
Helge

Changes to v2:
- Fix build of close_range() and pidfd_*() patches on older Linux
   distributions (noticed by Stefan Hajnoczi)

Changes to v1:
- Dropped the faccessat2() syscall patch in favour of Richard's patch
- Various changes to the "missing signals in strace output" patch based on
   Richard's feedback, e.g. static arrays, fixed usage of _NSIG, fix build when
   TARGET_SIGIOT does not exist
- Use FUTEX_CMD_MASK in "Show timespec on strace for futex" patch
   unconditionally and turn into a switch statement - as suggested by Richard

Helge Deller (12):
   linux-user: Add missing signals in strace output
   linux-user: Add missing clock_gettime64() syscall strace
   linux-user: Add pidfd_open(), pidfd_send_signal() and pidfd_getfd()
 syscalls
   linux-user: Log failing executable in EXCP_DUMP()
   linux-user/hppa: Use EXCP_DUMP() to show enhanced debug info
   linux-user/hppa: Dump IIR on register dump
   linux-user: Fix strace of chmod() if mode == 0
   linux-user/hppa: Set TASK_UNMAPPED_BASE to 0xfa00 for hppa arch
   linux-user: Add strace for clock_nanosleep()
   linux-user: Show timespec on strace for futex()
   linux-user: Add close_range() syscall
   linux-user: Add parameters of getrandom() syscall for strace

  linux-user/cpu_loop-common.h |   2 +
  linux-user/hppa/cpu_loop.c   |   6 +-
  linux-user/mmap.c    |   4 +
  linux-user/signal-common.h   |  46 
  linux-user/signal.c  |  37 +
  linux-user/strace.c  | 142 ++-
  linux-user/strace.list   |  21 +-
  linux-user/syscall.c |  50 
  target/hppa/helper.c |   6 +-
  9 files changed, 255 insertions(+), 59 deletions(-)



Series applied to my linux-user-for-7.2 branch,
except PATCH 11 and 12 that have comments.


Thank you !!
I'll send updated versions for patches 11 and 12 asap.
Btw, where can I find your linux-user-for-7.2 branch?
It would help me to diff the new patches against this branch...



https://gitlab.com/laurent_vivier/qemu/-/commits/linux-user-for-7.2/

But I can update and remove some patches if they appear to be broken when I 
test them.

Thanks,
Laurent



Re: [PATCH v9 05/16] qapi: net: add stream and dgram netdevs

2022-09-27 Thread Markus Armbruster
Laurent Vivier  writes:

> Copied from socket netdev file and modified to use SocketAddress
> to be able to introduce new features like unix socket.
>
> "udp" and "mcast" are squashed into dgram netdev, multicast is detected
> according to the IP address type.
> "listen" and "connect" modes are managed by stream netdev. An optional
> parameter "server" defines the mode (server by default)
>
> The two new types need to be parsed the modern way with -netdev, because
> with the traditional way, the "type" field of netdev structure collides with
> the "type" field of SocketAddress and prevents the correct evaluation of the
> command line option. Moreover the traditional way doesn't allow to use
> the same type (SocketAddress) several times with the -netdev option
> (needed to specify "local" and "remote" addresses).
>
> The previous commit paved the way for parsing the modern way, but
> omitted one detail: how to pick modern vs. traditional, in
> netdev_is_modern().
>
> We want to pick based on the value of parameter "type".  But how to
> extract it from the option argument?
>
> Parsing the option argument, either the modern or the traditional way,
> extracts it for us, but only if parsing succeeds.
>
> If parsing fails, there is no good option.  No matter which parser we
> pick, it'll be the wrong one for some arguments, and the error
> reporting will be confusing.
>
> Fortunately, the traditional parser accepts *anything* when called in
> a certain way.  This maximizes our chance to extract the value of
> "type", and in turn minimizes the risk of confusing error reporting.
>
> Signed-off-by: Laurent Vivier 
> Reviewed-by: Stefano Brivio 
> ---
>  hmp-commands.hx |   2 +-
>  net/clients.h   |   6 +
>  net/dgram.c | 542 
>  net/hub.c   |   2 +
>  net/meson.build |   2 +
>  net/net.c   |  30 ++-
>  net/stream.c| 423 +
>  qapi/net.json   |  63 +-
>  qemu-options.hx |  12 ++
>  9 files changed, 1078 insertions(+), 4 deletions(-)
>  create mode 100644 net/dgram.c
>  create mode 100644 net/stream.c
>
> diff --git a/hmp-commands.hx b/hmp-commands.hx
> index 8ab8000acd9e..da40a7eb04ed 100644
> --- a/hmp-commands.hx
> +++ b/hmp-commands.hx
> @@ -1276,7 +1276,7 @@ ERST
>  {
>  .name   = "netdev_add",
>  .args_type  = "netdev:O",
> -.params = "[user|tap|socket|vde|bridge|hubport|netmap|vhost-user"
> +.params = 
> "[user|tap|socket|stream|dgram|vde|bridge|hubport|netmap|vhost-user"
>  #ifdef CONFIG_VMNET
>"|vmnet-host|vmnet-shared|vmnet-bridged"
>  #endif
> diff --git a/net/clients.h b/net/clients.h

[...]

> diff --git a/qapi/net.json b/qapi/net.json
> index dd088c09c509..e02e8001a000 100644
> --- a/qapi/net.json
> +++ b/qapi/net.json
> @@ -7,6 +7,7 @@
>  ##
>  
>  { 'include': 'common.json' }
> +{ 'include': 'sockets.json' }
>  
>  ##
>  # @set_link:
> @@ -573,6 +574,61 @@
>  '*isolated':  'bool' },
>'if': 'CONFIG_VMNET' }
>  
> +##
> +# @NetdevStreamOptions:
> +#
> +# Configuration info for stream socket netdev
> +#
> +# @addr: socket address to listen on (server=true)
> +#or connect to (server=false)
> +# @server: create server socket (default: true)
> +#
> +# Only SocketAddress types 'inet' and 'fd' are supported.
> +#
> +# Since: 7.1
> +##
> +{ 'struct': 'NetdevStreamOptions',
> +  'data': {
> +'addr':   'SocketAddress',
> +'*server': 'bool' } }
> +
> +##
> +# @NetdevDgramOptions:
> +#
> +# Configuration info for datagram socket netdev.
> +#
> +# @remote: remote address
> +# @local: local address
> +#
> +# Only SocketAddress types 'inet' and 'fd' are supported.
> +#
> +# The code checks there is at least one of these options and reports an error
> +# if not.

Can we drop this sentence?

>If remote address is present and it's a multicast address, local
> +# address is optional. Otherwise local address is required and remote address
> +# is optional.
> +#
> +# .. table:: Valid parameters combination table
> +#:widths: auto
> +#
> +#=    =
> +#remote local okay?
> +#=    =
> +#absent absentno
> +#absent not fdno
> +#absent fdyes
> +#multicast  absentyes
> +#multicast  present   yes
> +#not multicast  absentno
> +#not multicast  present   yes
> +#=    =
> +#
> +# Since: 7.1
> +##

My networking fu is not strong enough to suggest further improvements.
So let's go with what we have here.

> +{ 'struct': 'NetdevDgramOptions',
> +  'data': {
> +'*local':  'SocketAddress',
> +'*remote': 'SocketAddress' } }
> +
>  ##
>  # @NetClientDriver:
>  #
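Review bot: Both new doc blocks, @NetdevStreamOptions and @NetdevDgramOptions, carry `Since: 7.1`, which looks stale. Other mails of the same day on this page are already queuing patches on a for-7.2 branch, so these types would first ship after 7.1. `# Since: 7.2` is probably what is meant, to be confirmed against the release the series lands in.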
> @@ -586,8 +642,9 @@
>  #@vmnet-bridged since 7.1
>  ##
>  { 'enum': 'NetClientDriver',
> -  'data': [ 'none', 'nic', 'user', 'tap', 'l2tpv3', 'socket', 'vde',
> -   

Re: [PATCH v3 1/5] msmouse: Handle mouse reset

2022-09-27 Thread Marc-André Lureau
Hi

On Sun, Sep 11, 2022 at 10:39 PM Arwed Meyer  wrote:

> Detect mouse reset via RTS or DTR line:
> Don't send or process anything while in reset.
> When coming out of reset, send ID sequence first thing.
> This allows msmouse to be detected by common mouse drivers.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/77
> Signed-off-by: Arwed Meyer 
>

lgtm,
Acked-by: Marc-André Lureau 

It would be great to open an issue on gitlab wrt migration handling that
Peter pointed out in v2 (
https://patchew.org/QEMU/20220908173120.16779-1-arwed.me...@gmx.de/20220908173120.16779-2-arwed.me...@gmx.de/)
and perhaps a comment with this patch that links to the issue?


---
>  chardev/msmouse.c | 63 +--
>  1 file changed, 61 insertions(+), 2 deletions(-)
>
> diff --git a/chardev/msmouse.c b/chardev/msmouse.c
> index eb9231dcdb..95fa488339 100644
> --- a/chardev/msmouse.c
> +++ b/chardev/msmouse.c
> @@ -25,17 +25,20 @@
>  #include "qemu/osdep.h"
>  #include "qemu/module.h"
>  #include "chardev/char.h"
> +#include "chardev/char-serial.h"
>  #include "ui/console.h"
>  #include "ui/input.h"
>  #include "qom/object.h"
>
> -#define MSMOUSE_LO6(n) ((n) & 0x3f)
> -#define MSMOUSE_HI2(n) (((n) & 0xc0) >> 6)
> +#define MSMOUSE_LO6(n)  ((n) & 0x3f)
> +#define MSMOUSE_HI2(n)  (((n) & 0xc0) >> 6)
> +#define MSMOUSE_PWR(cm) (cm & (CHR_TIOCM_RTS | CHR_TIOCM_DTR))
>
>  struct MouseChardev {
>  Chardev parent;
>
>  QemuInputHandlerState *hs;
> +int tiocm;
>  int axis[INPUT_AXIS__MAX];
>  bool btns[INPUT_BUTTON__MAX];
>  bool btnc[INPUT_BUTTON__MAX];
> @@ -109,6 +112,11 @@ static void msmouse_input_event(DeviceState *dev,
> QemuConsole *src,
>  InputMoveEvent *move;
>  InputBtnEvent *btn;
>
> +/* Ignore events if serial mouse powered down. */
> +if (!MSMOUSE_PWR(mouse->tiocm)) {
> +return;
> +}
> +
>  switch (evt->type) {
>  case INPUT_EVENT_KIND_REL:
>  move = evt->u.rel.data;
> @@ -132,6 +140,11 @@ static void msmouse_input_sync(DeviceState *dev)
>  MouseChardev *mouse = MOUSE_CHARDEV(dev);
>  Chardev *chr = CHARDEV(dev);
>
> +/* Ignore events if serial mouse powered down. */
> +if (!MSMOUSE_PWR(mouse->tiocm)) {
> +return;
> +}
> +
>  msmouse_queue_event(mouse);
>  msmouse_chr_accept_input(chr);
>  }
> @@ -142,6 +155,50 @@ static int msmouse_chr_write(struct Chardev *s, const
> uint8_t *buf, int len)
>  return len;
>  }
>
> +static int msmouse_ioctl(Chardev *chr, int cmd, void *arg)
> +{
> +MouseChardev *mouse = MOUSE_CHARDEV(chr);
> +int c;
> +int *targ = (int *)arg;
> +
> +switch (cmd) {
> +case CHR_IOCTL_SERIAL_SET_TIOCM:
> +c = mouse->tiocm;
> +mouse->tiocm = *(int *)arg;
> +if (MSMOUSE_PWR(mouse->tiocm)) {
> +if (!MSMOUSE_PWR(c)) {
> +/*
> + * Power on after reset: send "M3"
> + * cause we behave like a 3 button logitech
> + * mouse.
> + */
> +mouse->outbuf[0] = 'M';
> +mouse->outbuf[1] = '3';
> +mouse->outlen = 2;
> +/* Start sending data to serial. */
> +msmouse_chr_accept_input(chr);
> +}
> +break;
> +}
> +/*
> + * Reset mouse buffers on power down.
> + * Mouse won't send anything without power.
> + */
> +mouse->outlen = 0;
> +memset(mouse->axis, 0, sizeof(mouse->axis));
> +memset(mouse->btns, false, sizeof(mouse->btns));
> +memset(mouse->btnc, false, sizeof(mouse->btns));
> +break;
> +case CHR_IOCTL_SERIAL_GET_TIOCM:
> +/* Remember line control status. */
> +*targ = mouse->tiocm;
> +break;
> +default:
> +return -ENOTSUP;
> +}
> +return 0;
> +}
> +
>  static void char_msmouse_finalize(Object *obj)
>  {
>  MouseChardev *mouse = MOUSE_CHARDEV(obj);
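Review bot: In msmouse_ioctl() the reset path clears `btnc` with the size of a different array, `memset(mouse->btnc, false, sizeof(mouse->btns));`. Both arrays are declared with INPUT_BUTTON__MAX elements in the struct hunk above, so this works today, but it should read `sizeof(mouse->btnc)`. The function also declares `int *targ = (int *)arg;` and then dereferences `*(int *)arg` in the SET case; `mouse->tiocm = *targ;` would use the one cast consistently. Separately, the `MSMOUSE_PWR(cm)` macro added in the first hunk expands `cm` unparenthesised; `((cm) & (CHR_TIOCM_RTS | CHR_TIOCM_DTR))` matches the neighbouring macros.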
> @@ -166,6 +223,7 @@ static void msmouse_chr_open(Chardev *chr,
>  *be_opened = false;
>  mouse->hs = qemu_input_handler_register((DeviceState *)mouse,
>  _handler);
> +mouse->tiocm = 0;
>  }
>
>  static void char_msmouse_class_init(ObjectClass *oc, void *data)
> @@ -175,6 +233,7 @@ static void char_msmouse_class_init(ObjectClass *oc,
> void *data)
>  cc->open = msmouse_chr_open;
>  cc->chr_write = msmouse_chr_write;
>  cc->chr_accept_input = msmouse_chr_accept_input;
> +cc->chr_ioctl = msmouse_ioctl;
>  }
>
>  static const TypeInfo char_msmouse_type_info = {
> --
> 2.34.1
>
>
>

-- 
Marc-André Lureau


Re: [PATCH] linux-user/s390x: Save/restore fpc when handling a signal

2022-09-27 Thread Laurent Vivier

Le 17/08/2022 à 14:39, Ilya Leoshkevich a écrit :

Linux kernel does this in fpregs_store() and fpregs_load(), so
qemu-user should do this as well.

Found by running valgrind's none/tests/s390x/test_sig.

Signed-off-by: Ilya Leoshkevich 
---
  linux-user/s390x/signal.c | 2 ++
  1 file changed, 2 insertions(+)


Applied to my linux-user-for-7.2 branch.

Thanks,
Laurent





Re: [PATCH] gtk: Add show_menubar=on|off command line option.

2022-09-27 Thread Markus Armbruster
Please post revisions in a new thread (not in reply to anything), and
with a subject like [PATCH v2].  You can use "git format-patch -v2" to
get such subjects.

Bryce Mills  writes:

> The patch adds "show_menubar" command line option for GTK UI similar to
> "show_tabs". This option allows to hide menu bar initially, it still can
> be toggled by shortcut and other shortcuts still work.
>
> Signed-off-by: Bryce Mills 
> ---
>  qapi/ui.json|  6 +-
>  qemu-options.hx |  3 +++
>  ui/gtk.c| 15 ++-
>  3 files changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/qapi/ui.json b/qapi/ui.json
> index 286c5731d1..cb252bdf86 100644
> --- a/qapi/ui.json
> +++ b/qapi/ui.json
> @@ -1200,12 +1200,16 @@
>  #   by default.
>  #   Since 7.1
>  #

Drop the blank line, please.

> +# @show-menubar:  Display the main window menubar. Defaults to "on".
> +# Since 8.0
> +#
>  # Since: 2.12
>  ##
>  { 'struct'  : 'DisplayGTK',
>'data': { '*grab-on-hover' : 'bool',
>  '*zoom-to-fit'   : 'bool',
> -'*show-tabs' : 'bool'  } }
> +'*show-tabs' : 'bool',
> +'*show-menubar'  : 'bool'  } }
>  
>  ##
>  # @DisplayEGLHeadless:

With that done, QAPI schema
Acked-by: Markus Armbruster 

Two more remarks below.

> diff --git a/qemu-options.hx b/qemu-options.hx
> index d8b5ce5b43..62d3ce10bf 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -1947,6 +1947,7 @@ DEF("display", HAS_ARG, QEMU_OPTION_display,
>  #if defined(CONFIG_GTK)
>  "-display gtk[,full-screen=on|off][,gl=on|off][,grab-on-hover=on|off]\n"
>  "
> [,show-tabs=on|off][,show-cursor=on|off][,window-close=on|off]\n"
> +"[,show-menubar=on|off]\n"

Not this patch's fault: help neglects to explain the option parameters.

>  #endif
>  #if defined(CONFIG_VNC)
>  "-display vnc=[,]\n"
> @@ -2039,6 +2040,8 @@ SRST
>  
>  ``window-close=on|off`` : Allow to quit qemu with window close button
>  
> +``show-menubar=on|off`` : Display then main window menubar
> +

Please specify the default here as well.

>  ``curses[,charset=]``
>  Display video output via curses. For graphics device models
>  which support a text mode, QEMU can display this output using a

[...]




Re: [PATCH v2] block: Refactor get_tmp_filename()

2022-09-27 Thread Bin Meng
Hi Markus,

On Tue, Sep 27, 2022 at 2:22 PM Markus Armbruster  wrote:
>
> Bin Meng  writes:
>
> > On Mon, Sep 26, 2022 at 6:13 PM Markus Armbruster  wrote:
> >>
> >> Bin Meng  writes:
> >>
> >> > From: Bin Meng 
> >> >
> >> > At present there are two callers of get_tmp_filename() and they are
> >> > inconsistent.
> >> >
> >> > One does:
> >> >
> >> > /* TODO: extra byte is a hack to ensure MAX_PATH space on Windows. */
> >> > char *tmp_filename = g_malloc0(PATH_MAX + 1);
> >> > ...
> >> > ret = get_tmp_filename(tmp_filename, PATH_MAX + 1);
> >> >
> >> > while the other does:
> >> >
> >> > s->qcow_filename = g_malloc(PATH_MAX);
> >> > ret = get_tmp_filename(s->qcow_filename, PATH_MAX);
> >> >
> >> > As we can see different 'size' arguments are passed. There are also
> >> > platform specific implementations inside the function, and this use
> >> > of snprintf is really undesirable.
> >> >
> >> > Refactor this routine by changing its signature to:
> >> >
> >> > char *get_tmp_filename(void)
> >> >
> >> > and use g_file_open_tmp() for a consistent implementation.
> >> >
> >> > Signed-off-by: Bin Meng 
> >> > ---
> >> >
> >> > Changes in v2:
> >> > - Use g_autofree and g_steal_pointer
> >> >
> >> >  include/block/block_int-common.h |  2 +-
> >> >  block.c  | 42 ++--
> >> >  block/vvfat.c|  8 +++---
> >> >  3 files changed, 18 insertions(+), 34 deletions(-)
> >> >
> >> > diff --git a/include/block/block_int-common.h 
> >> > b/include/block/block_int-common.h
> >> > index 8947abab76..ea69a9349c 100644
> >> > --- a/include/block/block_int-common.h
> >> > +++ b/include/block/block_int-common.h
> >> > @@ -1230,7 +1230,7 @@ static inline BlockDriverState *child_bs(BdrvChild 
> >> > *child)
> >> >  }
> >> >
> >> >  int bdrv_check_request(int64_t offset, int64_t bytes, Error **errp);
> >> > -int get_tmp_filename(char *filename, int size);
> >> > +char *get_tmp_filename(void);
> >> >  void bdrv_parse_filename_strip_prefix(const char *filename, const char 
> >> > *prefix,
> >> >QDict *options);
> >> >
> >> > diff --git a/block.c b/block.c
> >> > index bc85f46eed..4e7a795566 100644
> >> > --- a/block.c
> >> > +++ b/block.c
> >> > @@ -860,38 +860,23 @@ int bdrv_probe_geometry(BlockDriverState *bs, 
> >> > HDGeometry *geo)
> >> >
> >> >  /*
> >> >   * Create a uniquely-named empty temporary file.
> >> > - * Return 0 upon success, otherwise a negative errno value.
> >> > + * Return the actual name used upon success, otherwise NULL.
> >> > + * The called function is responsible for freeing it.
> >> >   */
> >> > -int get_tmp_filename(char *filename, int size)
> >> > +char *get_tmp_filename(void)
> >> >  {
> >> > -#ifdef _WIN32
> >> > -char temp_dir[MAX_PATH];
> >> > -/* GetTempFileName requires that its output buffer (4th param)
> >> > -   have length MAX_PATH or greater.  */
> >> > -assert(size >= MAX_PATH);
> >> > -return (GetTempPath(MAX_PATH, temp_dir)
> >> > -&& GetTempFileName(temp_dir, "qem", 0, filename)
> >> > -? 0 : -GetLastError());
> >> > -#else
> >> > +g_autofree char *filename = NULL;
> >> >  int fd;
> >> > -const char *tmpdir;
> >> > -tmpdir = getenv("TMPDIR");
> >> > -if (!tmpdir) {
> >> > -tmpdir = "/var/tmp";
> >> > -}
> >> > -if (snprintf(filename, size, "%s/vl.XX", tmpdir) >= size) {
> >> > -return -EOVERFLOW;
> >> > -}
> >> > -fd = mkstemp(filename);
> >> > +
> >> > +fd = g_file_open_tmp("vl.XX", , NULL);
> >> >  if (fd < 0) {
> >> > -return -errno;
> >> > +return NULL;
> >> >  }
> >> >  if (close(fd) != 0) {
> >> >  unlink(filename);
> >> > -return -errno;
> >> > +return NULL;
> >> >  }
> >> > -return 0;
> >> > -#endif
> >> > +return g_steal_pointer();
> >> >  }
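Review bot: The rewritten get_tmp_filename() drops every error detail: `g_file_open_tmp()` is called with a NULL error argument and both failure paths `return NULL`, where the old code returned `-errno`. Callers can therefore no longer report why the temporary file could not be created. Passing a `GError **` to `g_file_open_tmp()` and handing its message on, for instance through an `Error **errp` parameter, would keep the cause available. The header comment also says "The called function is responsible for freeing it", which should read `The caller is responsible for freeing it.`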
> >>
> >> Oh my, what a lovely mess you're messing with!
> >>
> >> The function creates a temporary *file*, not just a filename.  Makes
> >> sense, as creating a unique filename is inherently racy.  The contract
> >> is clear enough ("Create a uniquely-named empty temporary file"), but
> >> the function name is actively misleading.
> >
> > Agreed that the name is misleading.
>
> Care to fix that?

How about create_tmp_file()?

>
> >> Of course, creating a temporary file for the caller to (re)open is also
> >> racy.  By the time the caller gets around to it, the filename could name
> >> anything.  Return an open file file descriptor is a better idea.  It's
> >> basically g_file_open_tmp().  Could we rework the two users of
> >> get_tmp_filename() accept a file descriptor?
> >
> > I looked at the 2 callers, and it looks like we need to do more than
> > these 2 callers to teach them to accept a file descriptor. :(
>
> Looks like it requires surgery to bdrv_create() at least.  I'm not
> demanding you do that now.
>

Yes, big surgery to struct 

[PULL v2 05/22] target/riscv: fix csr check for cycle{h}, instret{h}, time{h}, hpmcounter3-31{h}

2022-09-27 Thread Alistair Francis
From: Weiwei Li 

- modify check for mcounteren to work in all less-privilege mode
- modify check for scounteren to work only when S mode is enabled
- distinguish the exception type raised by check for scounteren between U
and VU mode

Signed-off-by: Weiwei Li 
Signed-off-by: Junqiang Wang 
Reviewed-by: Alistair Francis 
Message-Id: <20220817083756.12471-1-liwei...@iscas.ac.cn>
Signed-off-by: Alistair Francis 
---
 target/riscv/csr.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index b96db1b62b..092b425196 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -98,17 +98,22 @@ static RISCVException ctr(CPURISCVState *env, int csrno)
 
 skip_ext_pmu_check:
 
-if (((env->priv == PRV_S) && (!get_field(env->mcounteren, ctr_mask))) ||
-((env->priv == PRV_U) && (!get_field(env->scounteren, ctr_mask {
+if (env->priv < PRV_M && !get_field(env->mcounteren, ctr_mask)) {
 return RISCV_EXCP_ILLEGAL_INST;
 }
 
 if (riscv_cpu_virt_enabled(env)) {
-if (!get_field(env->hcounteren, ctr_mask) &&
-get_field(env->mcounteren, ctr_mask)) {
+if (!get_field(env->hcounteren, ctr_mask) ||
+(env->priv == PRV_U && !get_field(env->scounteren, ctr_mask))) {
 return RISCV_EXCP_VIRT_INSTRUCTION_FAULT;
 }
 }
+
+if (riscv_has_ext(env, RVS) && env->priv == PRV_U &&
+!get_field(env->scounteren, ctr_mask)) {
+return RISCV_EXCP_ILLEGAL_INST;
+}
+
 #endif
 return RISCV_EXCP_NONE;
 }
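Review bot: The three counter-enable checks depend on their order, and nothing in the code says so: the final `scounteren` test can only fire in U mode with virtualization off, because the VU case has already returned RISCV_EXCP_VIRT_INSTRUCTION_FAULT in the block above it. These registers decide which privilege levels may read cycle/time/instret, so a later reordering that quietly changes the outcome is worth guarding against with a short comment above the first check, e.g. `/* mcounteren gates every mode below M; VS/VU denials are virtual-instruction faults, plain U denials are illegal-instruction */`. ctr() starts above the hunk, so the extension checks before skip_ext_pmu_check are not covered by this note.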
-- 
2.37.3




Re: [PATCH 2/3] hw/riscv: sifive_e: Support the watchdog timer of HiFive 1 rev b.

2022-09-27 Thread Frank Chang
Reviewed-by: Frank Chang 

On Thu, Sep 22, 2022 at 4:41 PM Tommy Wu  wrote:

> Create the AON device when we realize the sifive_e machine.
> This patch only implemented the functionality of the watchdog timer,
> not all the functionality of the AON device.
>
> Signed-off-by: Tommy Wu 
> ---
>  hw/riscv/Kconfig| 1 +
>  hw/riscv/sifive_e.c | 5 +++--
>  include/hw/riscv/sifive_e.h | 7 ---
>  3 files changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/hw/riscv/Kconfig b/hw/riscv/Kconfig
> index 79ff61c464..50890b1b75 100644
> --- a/hw/riscv/Kconfig
> +++ b/hw/riscv/Kconfig
> @@ -59,6 +59,7 @@ config SIFIVE_E
>  select SIFIVE_PLIC
>  select SIFIVE_UART
>  select SIFIVE_E_PRCI
> +select SIFIVE_E_AON
>  select UNIMP
>
>  config SIFIVE_U
> diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
> index d65d2fd869..f9c05cfd3a 100644
> --- a/hw/riscv/sifive_e.c
> +++ b/hw/riscv/sifive_e.c
> @@ -45,6 +45,7 @@
>  #include "hw/intc/riscv_aclint.h"
>  #include "hw/intc/sifive_plic.h"
>  #include "hw/misc/sifive_e_prci.h"
> +#include "hw/misc/sifive_e_aon.h"
>  #include "chardev/char.h"
>  #include "sysemu/sysemu.h"
>
> @@ -222,8 +223,8 @@ static void sifive_e_soc_realize(DeviceState *dev,
> Error **errp)
>  RISCV_ACLINT_DEFAULT_MTIMER_SIZE, 0, ms->smp.cpus,
>  RISCV_ACLINT_DEFAULT_MTIMECMP, RISCV_ACLINT_DEFAULT_MTIME,
>  RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ, false);
> -create_unimplemented_device("riscv.sifive.e.aon",
> -memmap[SIFIVE_E_DEV_AON].base, memmap[SIFIVE_E_DEV_AON].size);
> +sifive_e_aon_create(sys_mem, memmap[SIFIVE_E_DEV_AON].base,
> +qdev_get_gpio_in(DEVICE(s->plic), SIFIVE_E_AON_WDT_IRQ));
>  sifive_e_prci_create(memmap[SIFIVE_E_DEV_PRCI].base);
>
>  /* GPIO */
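Review bot: The AON region's size is no longer passed: `create_unimplemented_device()` covered `memmap[SIFIVE_E_DEV_AON].size`, while `sifive_e_aon_create()` receives only the base, so the extent of the mapping is now decided inside the new device, which is not visible in this patch. Since the description says only the watchdog is implemented, it is worth confirming that guest accesses to the remaining AON registers are still reported (for example with `qemu_log_mask(LOG_UNIMP, ...)` in the device's read/write handlers) rather than silently ignored or left unmapped. sifive_e_soc_realize() starts and ends outside the hunk.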
> diff --git a/include/hw/riscv/sifive_e.h b/include/hw/riscv/sifive_e.h
> index 83604da805..7de2221564 100644
> --- a/include/hw/riscv/sifive_e.h
> +++ b/include/hw/riscv/sifive_e.h
> @@ -75,9 +75,10 @@ enum {
>  };
>
>  enum {
> -SIFIVE_E_UART0_IRQ  = 3,
> -SIFIVE_E_UART1_IRQ  = 4,
> -SIFIVE_E_GPIO0_IRQ0 = 8
> +SIFIVE_E_AON_WDT_IRQ  = 1,
> +SIFIVE_E_UART0_IRQ= 3,
> +SIFIVE_E_UART1_IRQ= 4,
> +SIFIVE_E_GPIO0_IRQ0   = 8
>  };
>
>  #define SIFIVE_E_PLIC_HART_CONFIG "M"
> --
> 2.27.0
>
>
>


[PULL 12/24] hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero

2022-09-27 Thread Gerd Hoffmann
From: Qiang Liu 

An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].

``` c
static void ohci_frame_boundary(void *opaque)
{
// ...
if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
if (!ohci->done)
abort(); <- [1]
```

This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/,
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and
https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with
the latest QEMU.

This happens when a crafted ED places an ISO_TD at physical address 0.

Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset to 0 the physical
memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count
[4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f,
suppose 1), we then control the value of relative_frame_number to be 1 [6]. The
control flow goes to [7] where ohci->done is 0. Having returned from
ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].

``` c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
// ...
addr = ed->head & OHCI_DPTR_MASK; // <- [2]

if (ohci_read_iso_td(ohci, addr, _td)) {   // < [3]
// ...

starting_frame = OHCI_BM(iso_td.flags, TD_SF); // < [4]
frame_count = OHCI_BM(iso_td.flags, TD_FC);// < [5]
relative_frame_number = USUB(ohci->frame_number, starting_frame);
   // < [6]
if (relative_frame_number < 0) {
return 1;
} else if (relative_frame_number > frame_count) {
// ...
ohci->done = addr; // < [7]
// ...
}
```

As only (afaik) a guest root user can manipulate ED, TD and the physical memory,
this assertion failure is not a security bug.

The idea to fix this issue is to drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is 0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.

Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan 
Reported-by: Alexander Bulekov 
Reported-by: Qiang Liu 
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu 
Message-Id: <20220826051557.119570-1-cyruscy...@gmail.com>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ohci.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index 895b29fb8657..72bdde92617c 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -571,6 +571,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct 
ohci_ed *ed)
 
 addr = ed->head & OHCI_DPTR_MASK;
 
+if (addr == 0) {
+ohci_die(ohci);
+return 1;
+}
+
 if (ohci_read_iso_td(ohci, addr, _td)) {
 trace_usb_ohci_iso_td_read_failed(addr);
 ohci_die(ohci);
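Review bot: The new `addr == 0` branch shuts the controller down with ohci_die() but emits no trace event, unlike the read-failure path right below it, which calls `trace_usb_ohci_iso_td_read_failed(addr)` first. The commit message establishes that the guest controls this value, so when the emulated controller dies on this path the trace gives no indication why; I would log before dying, either by reusing `trace_usb_ohci_iso_td_read_failed(addr);` or by adding a dedicated event. The same applies to the identical check added to ohci_service_td() in the next hunk. Both functions continue outside their hunks, so how the caller handles `return 1` is not visible here.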
@@ -858,6 +863,11 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed 
*ed)
 int completion;
 
 addr = ed->head & OHCI_DPTR_MASK;
+if (addr == 0) {
+ohci_die(ohci);
+return 1;
+}
+
 /* See if this TD has already been submitted to the device.  */
 completion = (addr == ohci->async_td);
 if (completion && !ohci->async_complete) {
-- 
2.37.3




[PULL 23/24] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)

2022-09-27 Thread Gerd Hoffmann
From: Philippe Mathieu-Daudé 

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe0
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa0 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 
rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa0, stride:254, bpp:8, x:16383, 
y:16383, w:16383, h:16383, xor:0xff00)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x77f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x77f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x57b5a9af in ati_2d_blt (s=0x63128800) at 
hw/display/ati_2d.c:196
  #3  0x57b4b5a2 in ati_mm_write (opaque=0x63128800, addr=5512, 
data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x58b90ec4 in memory_region_write_accessor (mr=0x63139cc0, 
addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu 
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé 
Tested-by: Mauro Matteo Cascella 
Message-Id: <20210906153103.1661195-1-phi...@redhat.com>
Signed-off-by: Gerd Hoffmann 
---
 hw/display/ati_2d.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 4dc10ea79529..692bec91de45 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
 DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
 s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
 s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
-s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
+s->regs.src_x, s->regs.src_y, dst_x, dst_y,
 s->regs.dst_width, s->regs.dst_height,
 (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
 (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
 dst_stride /= sizeof(uint32_t);
 DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
 dst_bits, dst_stride, bpp,
-s->regs.dst_x, s->regs.dst_y,
+dst_x, dst_y,
 s->regs.dst_width, s->regs.dst_height,
 filler);
 pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
-s->regs.dst_x, s->regs.dst_y,
+dst_x, dst_y,
 s->regs.dst_width, s->regs.dst_height,
 filler);
 if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
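Review bot: pixman_fill() now receives the direction-adjusted `dst_x`/`dst_y`, but the rectangle is still `s->regs.dst_width` by `s->regs.dst_height` taken straight from guest-written registers, and no bounds check is visible between the stride computation and the call. Whatever validation ati_2d_blt() performs sits outside this hunk; it should be confirmed that it uses the same adjusted coordinates and checks `dst_y + dst_height` rows against the end of VRAM, otherwise the fill can still run past the buffer. A one-line comment above the call, such as `/* dst_x/dst_y are already adjusted for blit direction, as in the SRCCOPY case */`, would also help keep the fill and copy paths from diverging again.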
-- 
2.37.3




[PULL 20/24] audio: Add sndio backend

2022-09-27 Thread Gerd Hoffmann
From: Alexandre Ratchov 

sndio is the native API used by OpenBSD, although it has been ported to
other *BSD's and Linux (packages for Ubuntu, Debian, Void, Arch, etc.).

Signed-off-by: Brad Smith 
Signed-off-by: Alexandre Ratchov 
Reviewed-by: Volker Rümelin 
Tested-by: Volker Rümelin 
Message-Id: 
Signed-off-by: Gerd Hoffmann 
---
 meson_options.txt |   4 +-
 audio/audio_template.h|   2 +
 audio/audio.c |   1 +
 audio/sndioaudio.c| 565 ++
 MAINTAINERS   |   7 +
 audio/meson.build |   1 +
 meson.build   |   9 +-
 qapi/audio.json   |  25 +-
 qemu-options.hx   |  16 +
 scripts/meson-buildoptions.sh |   7 +-
 10 files changed, 632 insertions(+), 5 deletions(-)
 create mode 100644 audio/sndioaudio.c

diff --git a/meson_options.txt b/meson_options.txt
index 63f072517427..9df9e86d7d35 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -21,7 +21,7 @@ option('tls_priority', type : 'string', value : 'NORMAL',
 option('default_devices', type : 'boolean', value : true,
description: 'Include a default selection of devices in emulators')
 option('audio_drv_list', type: 'array', value: ['default'],
-   choices: ['alsa', 'coreaudio', 'default', 'dsound', 'jack', 'oss', 
'pa', 'sdl'],
+   choices: ['alsa', 'coreaudio', 'default', 'dsound', 'jack', 'oss', 
'pa', 'sdl', 'sndio'],
description: 'Set audio driver list')
 option('block_drv_rw_whitelist', type : 'string', value : '',
description: 'set block driver read-write whitelist (by default affects 
only QEMU, not tools like qemu-img)')
@@ -240,6 +240,8 @@ option('oss', type: 'feature', value: 'auto',
description: 'OSS sound support')
 option('pa', type: 'feature', value: 'auto',
description: 'PulseAudio sound support')
+option('sndio', type: 'feature', value: 'auto',
+   description: 'sndio sound support')
 
 option('vhost_kernel', type: 'feature', value: 'auto',
description: 'vhost kernel backend support')
diff --git a/audio/audio_template.h b/audio/audio_template.h
index 7192b19e7390..81860cea6202 100644
--- a/audio/audio_template.h
+++ b/audio/audio_template.h
@@ -336,6 +336,8 @@ AudiodevPerDirectionOptions *glue(audio_get_pdo_, 
TYPE)(Audiodev *dev)
 return qapi_AudiodevPaPerDirectionOptions_base(dev->u.pa.TYPE);
 case AUDIODEV_DRIVER_SDL:
 return qapi_AudiodevSdlPerDirectionOptions_base(dev->u.sdl.TYPE);
+case AUDIODEV_DRIVER_SNDIO:
+return dev->u.sndio.TYPE;
 case AUDIODEV_DRIVER_SPICE:
 return dev->u.spice.TYPE;
 case AUDIODEV_DRIVER_WAV:
diff --git a/audio/audio.c b/audio/audio.c
index cfa4119c0598..5600593da043 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -2030,6 +2030,7 @@ void audio_create_pdos(Audiodev *dev)
 CASE(OSS, oss, Oss);
 CASE(PA, pa, Pa);
 CASE(SDL, sdl, Sdl);
+CASE(SNDIO, sndio, );
 CASE(SPICE, spice, );
 CASE(WAV, wav, );
 
diff --git a/audio/sndioaudio.c b/audio/sndioaudio.c
new file mode 100644
index ..7c45276d36ce
--- /dev/null
+++ b/audio/sndioaudio.c
@@ -0,0 +1,565 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019 Alexandre Ratchov 
+ */
+
+/*
+ * TODO :
+ *
+ * Use a single device and open it in full-duplex rather than
+ * opening it twice (once for playback once for recording).
+ *
+ * This is the only way to ensure that playback doesn't drift with respect
+ * to recording, which is what guest systems expect.
+ */
+
+#include 
+#include 
+#include "qemu/osdep.h"
+#include "qemu/main-loop.h"
+#include "audio.h"
+#include "trace.h"
+
+#define AUDIO_CAP "sndio"
+#include "audio_int.h"
+
+/* default latency in microseconds if no option is set */
+#define SNDIO_LATENCY_US   5
+
+typedef struct SndioVoice {
+union {
+HWVoiceOut out;
+HWVoiceIn in;
+} hw;
+struct sio_par par;
+struct sio_hdl *hdl;
+struct pollfd *pfds;
+struct pollindex {
+struct SndioVoice *self;
+int index;
+} *pindexes;
+unsigned char *buf;
+size_t buf_size;
+size_t sndio_pos;
+size_t qemu_pos;
+unsigned int mode;
+unsigned int nfds;
+bool enabled;
+} SndioVoice;
+
+typedef struct SndioConf {
+const char *devname;
+unsigned int latency;
+} SndioConf;
+
+/* needed for forward reference */
+static void sndio_poll_in(void *arg);
+static void sndio_poll_out(void *arg);
+
+/*
+ * stop polling descriptors
+ */
+static void sndio_poll_clear(SndioVoice *self)
+{
+struct pollfd *pfd;
+int i;
+
+for (i = 0; i < self->nfds; i++) {
+pfd = >pfds[i];
+qemu_set_fd_handler(pfd->fd, NULL, NULL, NULL);
+}
+
+self->nfds = 0;
+}
+
+/*
+ * write data to the device until it blocks or
+ * all of our buffered data is written
+ */
+static void sndio_write(SndioVoice *self)
+{
+size_t todo, n;
+
+todo = self->qemu_pos - 

[PULL 02/24] ui/cocoa: Run qemu_init in the main thread

2022-09-27 Thread Gerd Hoffmann
From: Akihiko Odaki 

This work is based on:
https://patchew.org/QEMU/20220317125534.38706-1-philippe.mathieu.da...@gmail.com/

Simplify the initialization dance by running qemu_init() in the main
thread before the Cocoa event loop starts. The secondary thread runs
only qemu_main_loop() and qemu_cleanup().

This fixes a case where addRemovableDevicesMenuItems() calls
qmp_query_block() while expecting the main thread to still hold
the BQL.

Overriding the code after calling qemu_init() is done by dynamically
replacing a function pointer variable, qemu_main when initializing
ui/cocoa, which unifies the static implementation of main() for
builds with ui/cocoa and ones without ui/cocoa.

Signed-off-by: Akihiko Odaki 
Message-Id: <20220819132756.74641-2-akihiko.od...@gmail.com>
Signed-off-by: Gerd Hoffmann 
---
 include/qemu-main.h |   3 +-
 include/sysemu/sysemu.h |   2 +-
 softmmu/main.c  |  10 +--
 softmmu/vl.c|   2 +-
 tests/qtest/fuzz/fuzz.c |   2 +-
 docs/devel/fuzzing.rst  |   4 +-
 ui/cocoa.m  | 144 ++--
 7 files changed, 62 insertions(+), 105 deletions(-)

diff --git a/include/qemu-main.h b/include/qemu-main.h
index 6a3e90d0ad59..940960a7dbcb 100644
--- a/include/qemu-main.h
+++ b/include/qemu-main.h
@@ -5,6 +5,7 @@
 #ifndef QEMU_MAIN_H
 #define QEMU_MAIN_H
 
-int qemu_main(int argc, char **argv, char **envp);
+int qemu_default_main(void);
+extern int (*qemu_main)(void);
 
 #endif /* QEMU_MAIN_H */
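Review bot: `qemu_main` becomes a writable global function pointer, and the header does not say who may assign it or when. In the softmmu/main.c hunk it is read exactly once, in main() right after qemu_init(), so any override has to be installed during initialization; a comment on the declaration would make that contract explicit, e.g. `/* Run by main() after qemu_init(); a UI backend may replace it during init, never later. */`. Stating the single permitted writer matters because an indirect call through a mutable global is harder to audit than the direct call it replaces.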
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 31aa45160be8..6a7a31e64dea 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -102,7 +102,7 @@ void qemu_boot_set(const char *boot_order, Error **errp);
 
 bool defaults_enabled(void);
 
-void qemu_init(int argc, char **argv, char **envp);
+void qemu_init(int argc, char **argv);
 int qemu_main_loop(void);
 void qemu_cleanup(void);
 
diff --git a/softmmu/main.c b/softmmu/main.c
index 1b675a8c036f..694388bd7f7f 100644
--- a/softmmu/main.c
+++ b/softmmu/main.c
@@ -30,20 +30,20 @@
 #include 
 #endif
 
-int qemu_main(int argc, char **argv, char **envp)
+int qemu_default_main(void)
 {
 int status;
 
-qemu_init(argc, argv, envp);
 status = qemu_main_loop();
 qemu_cleanup();
 
 return status;
 }
 
-#ifndef CONFIG_COCOA
+int (*qemu_main)(void) = qemu_default_main;
+
 int main(int argc, char **argv)
 {
-return qemu_main(argc, argv, NULL);
+qemu_init(argc, argv);
+return qemu_main();
 }
-#endif
diff --git a/softmmu/vl.c b/softmmu/vl.c
index e62b9cc35d75..9abadcc15051 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -2605,7 +2605,7 @@ void qmp_x_exit_preconfig(Error **errp)
 }
 }
 
-void qemu_init(int argc, char **argv, char **envp)
+void qemu_init(int argc, char **argv)
 {
 QemuOpts *opts;
 QemuOpts *icount_opts = NULL, *accel_opts = NULL;
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
index 2b3bc1fb9df5..eb7520544b80 100644
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -218,7 +218,7 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char 
***envp)
 g_free(pretty_cmd_line);
 }
 
-qemu_init(result.we_wordc, result.we_wordv, NULL);
+qemu_init(result.we_wordc, result.we_wordv);
 
 /* re-enable the rcu atfork, which was previously disabled in qemu_init */
 rcu_enable_atfork();
diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst
index 784ecb99e667..715330c85613 100644
--- a/docs/devel/fuzzing.rst
+++ b/docs/devel/fuzzing.rst
@@ -287,8 +287,8 @@ select the fuzz target. Then, the qtest client is 
initialized. If the target
 requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized.
 Then the QGraph is walked and the QEMU cmd_line is determined and saved.
 
-After this, the ``vl.c:qemu_main`` is called to set up the guest. There are
-target-specific hooks that can be called before and after qemu_main, for
+After this, the ``vl.c:main`` is called to set up the guest. There are
+target-specific hooks that can be called before and after main, for
 additional setup(e.g. PCI setup, or VM snapshotting).
 
 ``LLVMFuzzerTestOneInput``: Uses qtest/qos functions to act based on the fuzz
diff --git a/ui/cocoa.m b/ui/cocoa.m
index 5a8bd5dd84e0..660d3e093569 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -100,13 +100,9 @@ static void cocoa_switch(DisplayChangeListener *dcl,
 static int left_command_key_enabled = 1;
 static bool swap_opt_cmd;
 
-static int gArgc;
-static char **gArgv;
 static bool stretch_video;
 static NSTextField *pauseLabel;
 
-static QemuSemaphore display_init_sem;
-static QemuSemaphore app_started_sem;
 static bool allow_events;
 
 static NSInteger cbchangecount = -1;
@@ -597,7 +593,7 @@ - (void) updateUIInfo
 /*
  * Don't try to tell QEMU about UI information in the application
  * startup phase -- we haven't yet registered dcl with the QEMU UI
- * layer, and also trying to take the iothread lock 

Re: [PATCH 3/8] linux-user: Implement FUTEX_WAKE_BITSET

2022-09-27 Thread Laurent Vivier

Le 29/08/2022 à 04:10, Richard Henderson a écrit :

Signed-off-by: Richard Henderson 
---
  linux-user/syscall.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8fbd5a9556..8bf4b79a9e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7774,6 +7774,7 @@ static int do_futex(CPUState *cpu, bool time64, 
target_ulong uaddr,
  val = tswap32(val);
  break;
  case FUTEX_WAKE:
+case FUTEX_WAKE_BITSET:
  timeout = 0;
  break;
  case FUTEX_FD:


Reviewed-by: Laurent Vivier 




[PATCH v2 0/3] Add memmap and fix bugs for LoongArch

2022-09-27 Thread Xiaojuan Yang
This series adds a memmap table and fixes the extioi and ipi device
emulation for the LoongArch virt machine.

Changes for v2:
1. Adjust the position of 'PLATFORM' element in memmap table

Changes for v1: 
1. Add memmap table for LoongArch virt machine
2. Fix LoongArch extioi function
3. Fix LoongArch ipi device emulation

Thanks for your reviewing.

Xiaojuan Yang (3):
  hw/loongarch: Add memmap for LoongArch virt machine
  hw/intc: Fix LoongArch extioi function
  hw/intc: Fix LoongArch ipi device emulation

 hw/intc/loongarch_extioi.c  |  17 +++--
 hw/intc/loongarch_ipi.c |   1 -
 hw/loongarch/acpi-build.c   |  46 ++--
 hw/loongarch/fw_cfg.c   |   5 +-
 hw/loongarch/virt.c | 138 ++--
 include/hw/loongarch/virt.h |  34 +
 include/hw/pci-host/ls7a.h  |  18 -
 7 files changed, 143 insertions(+), 116 deletions(-)

-- 
2.31.1




[PATCH v2 2/3] hw/intc: Fix LoongArch extioi function

2022-09-27 Thread Xiaojuan Yang
1. When a CPU reads or writes the extioi COREISR register, it should access
the register that belongs to itself, so the index of 's->coreisr' is
the current CPU number.
2. Remove the unused extioi system memory region; only the extioi iocsr
memory region is supported now.

Signed-off-by: Xiaojuan Yang 
---
 hw/intc/loongarch_extioi.c | 17 ++---
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/hw/intc/loongarch_extioi.c b/hw/intc/loongarch_extioi.c
index 22803969bc..b89ec2e2a6 100644
--- a/hw/intc/loongarch_extioi.c
+++ b/hw/intc/loongarch_extioi.c
@@ -17,6 +17,12 @@
 #include "migration/vmstate.h"
 #include "trace.h"
 
+static inline int get_current_cpu(void)
+{
+int cpu_id = current_cpu ? current_cpu->cpu_index : 0;
+
+return cpu_id;
+}
 
 static void extioi_update_irq(LoongArchExtIOI *s, int irq, int level)
 {
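Review bot: get_current_cpu() returns `current_cpu->cpu_index` with no upper bound, and the COREISR cases in the following hunks use it directly as the first index of `s->coreisr`, where the replaced code masked that index with `& 0x3`. The array's dimensions are not visible in this patch, so unless the machine caps the vCPU count at the array size elsewhere, the callers should reject an out-of-range value, e.g. `if (cpu >= ARRAY_SIZE(s->coreisr)) { break; }`. The fallback to CPU 0 when `current_cpu` is NULL also deserves a comment saying which accesses are expected to take it.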
@@ -92,8 +98,8 @@ static uint64_t extioi_readw(void *opaque, hwaddr addr, 
unsigned size)
 ret = s->bounce[index];
 break;
 case EXTIOI_COREISR_START ... EXTIOI_COREISR_END - 1:
-index = ((offset - EXTIOI_COREISR_START) & 0x1f) >> 2;
-cpu = ((offset - EXTIOI_COREISR_START) >> 8) & 0x3;
+index = (offset - EXTIOI_COREISR_START) >> 2;
+cpu = get_current_cpu();
 ret = s->coreisr[cpu][index];
 break;
 case EXTIOI_COREMAP_START ... EXTIOI_COREMAP_END - 1:
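Review bot: `index` loses its `& 0x1f` mask here, so it is now bounded only by the width of the EXTIOI_COREISR_START ... EXTIOI_COREISR_END case range rather than by the per-CPU register count. The removed line derived the CPU from bits 8-9 of the same offset, which suggests the range spans several per-CPU windows; if so, a guest-chosen offset can index past the second dimension of `s->coreisr[cpu][]`. Unless the range is narrowed in a header not shown here, keep the mask: `index = ((offset - EXTIOI_COREISR_START) & 0x1f) >> 2;`. The next hunk (extioi_writew) makes the same change, and there the out-of-range element is written, not just read.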
@@ -183,8 +189,8 @@ static void extioi_writew(void *opaque, hwaddr addr,
 s->bounce[index] = val;
 break;
 case EXTIOI_COREISR_START ... EXTIOI_COREISR_END - 1:
-index = ((offset - EXTIOI_COREISR_START) & 0x1f) >> 2;
-cpu = ((offset - EXTIOI_COREISR_START) >> 8) & 0x3;
+index = (offset - EXTIOI_COREISR_START) >> 2;
+cpu = get_current_cpu();
 old_data = s->coreisr[cpu][index];
 s->coreisr[cpu][index] = old_data & ~val;
 /* write 1 to clear interrrupt */
@@ -284,9 +290,6 @@ static void loongarch_extioi_instance_init(Object *obj)
 qdev_init_gpio_out(DEVICE(obj), >parent_irq[cpu][pin], 1);
 }
 }
-memory_region_init_io(>extioi_system_mem, OBJECT(s), _ops,
-  s, "extioi_system_mem", 0x900);
-sysbus_init_mmio(SYS_BUS_DEVICE(dev), >extioi_system_mem);
 }
 
 static void loongarch_extioi_class_init(ObjectClass *klass, void *data)
-- 
2.31.1




[PATCH v2 1/3] hw/loongarch: Add memmap for LoongArch virt machine

2022-09-27 Thread Xiaojuan Yang
Use a memmap table for the LoongArch virt machine type; this approach
comes from the arm/riscv architectures.

Signed-off-by: Xiaojuan Yang 
---
 hw/loongarch/acpi-build.c   |  46 ++--
 hw/loongarch/fw_cfg.c   |   5 +-
 hw/loongarch/virt.c | 138 ++--
 include/hw/loongarch/virt.h |  34 +
 include/hw/pci-host/ls7a.h  |  18 -
 5 files changed, 133 insertions(+), 108 deletions(-)

diff --git a/hw/loongarch/acpi-build.c b/hw/loongarch/acpi-build.c
index 378a6d9d38..cbc3f3fdf0 100644
--- a/hw/loongarch/acpi-build.c
+++ b/hw/loongarch/acpi-build.c
@@ -43,8 +43,10 @@
 #endif
 
 /* build FADT */
-static void init_common_fadt_data(AcpiFadtData *data)
+static void init_common_fadt_data(LoongArchMachineState *ms, AcpiFadtData 
*data)
 {
+hwaddr base = ms->memmap[VIRT_ACPI_GED].base + ACPI_GED_EVT_SEL_LEN +
+  MEMORY_HOTPLUG_IO_LEN;
 AcpiFadtData fadt = {
 /* ACPI 5.0: 4.1 Hardware-Reduced ACPI */
 .rev = 5,
@@ -55,19 +57,19 @@ static void init_common_fadt_data(AcpiFadtData *data)
 .sleep_ctl = {
 .space_id = AML_AS_SYSTEM_MEMORY,
 .bit_width = 8,
-.address = VIRT_GED_REG_ADDR + ACPI_GED_REG_SLEEP_CTL,
+.address = base + ACPI_GED_REG_SLEEP_CTL,
 },
 .sleep_sts = {
 .space_id = AML_AS_SYSTEM_MEMORY,
 .bit_width = 8,
-.address = VIRT_GED_REG_ADDR + ACPI_GED_REG_SLEEP_STS,
+.address = base + ACPI_GED_REG_SLEEP_STS,
 },
 
 /* ACPI 5.0: 4.8.3.6 Reset Register */
 .reset_reg = {
 .space_id = AML_AS_SYSTEM_MEMORY,
 .bit_width = 8,
-.address = VIRT_GED_REG_ADDR + ACPI_GED_REG_RESET,
+.address = base + ACPI_GED_REG_RESET,
 },
 .reset_val = ACPI_GED_RESET_VALUE,
 };
@@ -136,7 +138,7 @@ build_madt(GArray *table_data, BIOSLinker *linker, 
LoongArchMachineState *lams)
 build_append_int_noprefix(table_data, 21, 1);/* Type */
 build_append_int_noprefix(table_data, 19, 1);/* Length */
 build_append_int_noprefix(table_data, 1, 1); /* Version */
-build_append_int_noprefix(table_data, VIRT_PCH_MSI_ADDR_LOW, 8);/* Address 
*/
+build_append_int_noprefix(table_data, lams->memmap[VIRT_MSI].base, 8);/* 
Address */
 build_append_int_noprefix(table_data, 0x40, 4);  /* Start */
 build_append_int_noprefix(table_data, 0xc0, 4);  /* Count */
 
@@ -144,8 +146,8 @@ build_madt(GArray *table_data, BIOSLinker *linker, 
LoongArchMachineState *lams)
 build_append_int_noprefix(table_data, 22, 1);/* Type */
 build_append_int_noprefix(table_data, 17, 1);/* Length */
 build_append_int_noprefix(table_data, 1, 1); /* Version */
-build_append_int_noprefix(table_data, VIRT_PCH_REG_BASE, 8);/* Address */
-build_append_int_noprefix(table_data, 0x1000, 2);/* Size */
+build_append_int_noprefix(table_data, lams->memmap[VIRT_PCH].base, 8);/* 
Address */
+build_append_int_noprefix(table_data, lams->memmap[VIRT_PCH].size, 2);/* 
Size */
 build_append_int_noprefix(table_data, 0, 2); /* Id */
 build_append_int_noprefix(table_data, 0x40, 2);  /* Base */
 
@@ -181,10 +183,11 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 build_append_int_noprefix(table_data, 0, 4); /* Reserved */
 }
 
-build_srat_memory(table_data, VIRT_LOWMEM_BASE, VIRT_LOWMEM_SIZE,
-  0, MEM_AFFINITY_ENABLED);
+build_srat_memory(table_data, lams->memmap[VIRT_LOWDDR].base,
+  lams->memmap[VIRT_LOWDDR].size, 0, MEM_AFFINITY_ENABLED);
 
-build_srat_memory(table_data, VIRT_HIGHMEM_BASE, machine->ram_size - 
VIRT_LOWMEM_SIZE,
+build_srat_memory(table_data, lams->memmap[VIRT_HIGHDDR].base,
+  machine->ram_size - lams->memmap[VIRT_LOWDDR].size,
   0, MEM_AFFINITY_ENABLED);
 
 if (ms->device_memory) {
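Review bot: The high-memory length `machine->ram_size - lams->memmap[VIRT_LOWDDR].size` now subtracts a value read from a run-time table, and the low node is always advertised with the full window size regardless of ram_size. If ram_size can be smaller than that window the subtraction underflows and the SRAT handed to the guest describes memory that does not exist; a minimum-RAM check may exist elsewhere, but it is not visible from this hunk. I would either guard the second call with `if (machine->ram_size > lams->memmap[VIRT_LOWDDR].size)` or add a comment naming where the minimum is enforced. build_srat() starts and ends outside the hunk.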
@@ -249,25 +252,26 @@ build_la_ged_aml(Aml *dsdt, MachineState *machine)
 build_ged_aml(dsdt, "\\_SB."GED_DEVICE,
   HOTPLUG_HANDLER(lams->acpi_ged),
   VIRT_SCI_IRQ, AML_SYSTEM_MEMORY,
-  VIRT_GED_EVT_ADDR);
+  lams->memmap[VIRT_ACPI_GED].base);
 event = object_property_get_uint(OBJECT(lams->acpi_ged),
  "ged-event", _abort);
 if (event & ACPI_GED_MEM_HOTPLUG_EVT) {
 build_memory_hotplug_aml(dsdt, machine->ram_slots, "\\_SB", NULL,
  AML_SYSTEM_MEMORY,
- VIRT_GED_MEM_ADDR);
+ lams->memmap[VIRT_ACPI_GED].base +
+ ACPI_GED_EVT_SEL_LEN);
 }
 }
 
 static void build_pci_device_aml(Aml *scope, LoongArchMachineState *lams)
 {
 struct GPEXConfig cfg = {
-.mmio64.base = VIRT_PCI_MEM_BASE,
- 

[PULL v2 06/22] target/riscv: remove fflags, frm, and fcsr from riscv-*-fpu.xml

2022-09-27 Thread Alistair Francis
From: Andrew Burgess 

While testing some changes to GDB's handling for the RISC-V registers
fcsr, fflags, and frm, I spotted that QEMU includes these registers
twice in the target description it sends to GDB, once in the fpu
feature, and once in the csr feature.

Right now things basically work OK, QEMU maps these registers onto two
different register numbers, e.g. fcsr maps to both 68 and 73, and GDB
can use either of these to access the register.

However, GDB's target descriptions don't really work this way, each
register should appear just once in a target description, mapping the
register name onto the number GDB should use when accessing the
register on the target.  Duplicate register names actually result in
duplicate registers on the GDB side, however, as the registers have
the same name, the user can only access one of these registers.

Currently GDB has a hack in place, specifically for RISC-V, to spot
the duplicate copies of these three registers, and hide them from the
user, ensuring the user only ever sees a single copy of each.

In this commit I propose fixing this issue on the QEMU side, and in
the process, simplify the fpu register handling a little.

I think we should remove fflags, frm, and fcsr from the two (32-bit
and 64-bit) fpu feature xml files.  These files will only contain the
32 core floating point registers f0 to f31.  The fflags, frm, and fcsr
registers will continue to be advertised in the csr feature as they
currently are.

With that change made, I will simplify riscv_gdb_get_fpu and
riscv_gdb_set_fpu, removing the extra handling for the 3 status
registers.

Signed-off-by: Andrew Burgess 
Reviewed-by: Alistair Francis 
Message-Id: 
<0fbf2a5b12e3210ff3867d5cf7022b3f3462c9c8.1661934573.git.aburg...@redhat.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/gdbstub.c  | 32 ++--
 gdb-xml/riscv-32bit-fpu.xml |  4 
 gdb-xml/riscv-64bit-fpu.xml |  4 
 3 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/target/riscv/gdbstub.c b/target/riscv/gdbstub.c
index 9ed049c29e..9974b7aac6 100644
--- a/target/riscv/gdbstub.c
+++ b/target/riscv/gdbstub.c
@@ -114,20 +114,6 @@ static int riscv_gdb_get_fpu(CPURISCVState *env, 
GByteArray *buf, int n)
 if (env->misa_ext & RVF) {
 return gdb_get_reg32(buf, env->fpr[n]);
 }
-/* there is hole between ft11 and fflags in fpu.xml */
-} else if (n < 36 && n > 32) {
-target_ulong val = 0;
-int result;
-/*
- * CSR_FFLAGS is at index 1 in csr_register, and gdb says it is FP
- * register 33, so we recalculate the map index.
- * This also works for CSR_FRM and CSR_FCSR.
- */
-result = riscv_csrrw_debug(env, n - 32, ,
-   0, 0);
-if (result == RISCV_EXCP_NONE) {
-return gdb_get_regl(buf, val);
-}
 }
 return 0;
 }
@@ -137,20 +123,6 @@ static int riscv_gdb_set_fpu(CPURISCVState *env, uint8_t 
*mem_buf, int n)
 if (n < 32) {
 env->fpr[n] = ldq_p(mem_buf); /* always 64-bit */
 return sizeof(uint64_t);
-/* there is hole between ft11 and fflags in fpu.xml */
-} else if (n < 36 && n > 32) {
-target_ulong val = ldtul_p(mem_buf);
-int result;
-/*
- * CSR_FFLAGS is at index 1 in csr_register, and gdb says it is FP
- * register 33, so we recalculate the map index.
- * This also works for CSR_FRM and CSR_FCSR.
- */
-result = riscv_csrrw_debug(env, n - 32, NULL,
-   val, -1);
-if (result == RISCV_EXCP_NONE) {
-return sizeof(target_ulong);
-}
 }
 return 0;
 }
@@ -404,10 +376,10 @@ void riscv_cpu_register_gdb_regs_for_features(CPUState 
*cs)
 CPURISCVState *env = >env;
 if (env->misa_ext & RVD) {
 gdb_register_coprocessor(cs, riscv_gdb_get_fpu, riscv_gdb_set_fpu,
- 36, "riscv-64bit-fpu.xml", 0);
+ 32, "riscv-64bit-fpu.xml", 0);
 } else if (env->misa_ext & RVF) {
 gdb_register_coprocessor(cs, riscv_gdb_get_fpu, riscv_gdb_set_fpu,
- 36, "riscv-32bit-fpu.xml", 0);
+ 32, "riscv-32bit-fpu.xml", 0);
 }
 if (env->misa_ext & RVV) {
 gdb_register_coprocessor(cs, riscv_gdb_get_vector, 
riscv_gdb_set_vector,
diff --git a/gdb-xml/riscv-32bit-fpu.xml b/gdb-xml/riscv-32bit-fpu.xml
index 1eaae9119e..84a44ba8df 100644
--- a/gdb-xml/riscv-32bit-fpu.xml
+++ b/gdb-xml/riscv-32bit-fpu.xml
@@ -43,8 +43,4 @@
   
   
   
-
-  
-  
-  
 
diff --git a/gdb-xml/riscv-64bit-fpu.xml b/gdb-xml/riscv-64bit-fpu.xml
index 794854cc01..9856a9d1d3 100644
--- a/gdb-xml/riscv-64bit-fpu.xml
+++ b/gdb-xml/riscv-64bit-fpu.xml
@@ -49,8 +49,4 @@
   
   
   
-
-  
-  
-  
 
-- 
2.37.3




[PATCH v2 1/4] target/loongarch: ftint_xxx insns set the result high 32bit 0xffffffff

2022-09-27 Thread Song Gao
We just set the high 32 bits to 0xffffffff, as the other float instructions do.

Signed-off-by: Song Gao 
---
 target/loongarch/fpu_helper.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/target/loongarch/fpu_helper.c b/target/loongarch/fpu_helper.c
index 4b9637210a..1a24667eaf 100644
--- a/target/loongarch/fpu_helper.c
+++ b/target/loongarch/fpu_helper.c
@@ -518,7 +518,7 @@ uint64_t helper_frint_s(CPULoongArchState *env, uint64_t fj)
 {
 uint64_t fd;
 
-fd = (uint64_t)(float32_round_to_int((uint32_t)fj, >fp_status));
+fd = nanbox_s(float32_round_to_int((uint32_t)fj, >fp_status));
 update_fcsr0(env, GETPC());
 return fd;
 }
@@ -574,7 +574,7 @@ uint64_t helper_ftintrm_w_d(CPULoongArchState *env, 
uint64_t fj)
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
 set_float_rounding_mode(float_round_down, >fp_status);
-fd = (uint64_t)float64_to_int32(fj, >fp_status);
+fd = nanbox_s(float64_to_int32(fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -592,7 +592,7 @@ uint64_t helper_ftintrm_w_s(CPULoongArchState *env, 
uint64_t fj)
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
 set_float_rounding_mode(float_round_down, >fp_status);
-fd = (uint64_t)float32_to_int32((uint32_t)fj, >fp_status);
+fd = nanbox_s(float32_to_int32((uint32_t)fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -646,7 +646,7 @@ uint64_t helper_ftintrp_w_d(CPULoongArchState *env, 
uint64_t fj)
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
 set_float_rounding_mode(float_round_up, >fp_status);
-fd = (uint64_t)float64_to_int32(fj, >fp_status);
+fd = nanbox_s(float64_to_int32(fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -664,7 +664,7 @@ uint64_t helper_ftintrp_w_s(CPULoongArchState *env, 
uint64_t fj)
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
 set_float_rounding_mode(float_round_up, >fp_status);
-fd = (uint64_t)float32_to_int32((uint32_t)fj, >fp_status);
+fd = nanbox_s(float32_to_int32((uint32_t)fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -715,7 +715,7 @@ uint64_t helper_ftintrz_w_d(CPULoongArchState *env, 
uint64_t fj)
 uint64_t fd;
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
-fd = (uint64_t)float64_to_int32_round_to_zero(fj, >fp_status);
+fd = nanbox_s(float64_to_int32_round_to_zero(fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -786,7 +786,7 @@ uint64_t helper_ftintrne_w_d(CPULoongArchState *env, 
uint64_t fj)
 FloatRoundMode old_mode = get_float_rounding_mode(>fp_status);
 
 set_float_rounding_mode(float_round_nearest_even, >fp_status);
-fd = (uint64_t)float64_to_int32(fj, >fp_status);
+fd = nanbox_s(float64_to_int32(fj, >fp_status));
 set_float_rounding_mode(old_mode, >fp_status);
 
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
@@ -848,7 +848,7 @@ uint64_t helper_ftint_w_s(CPULoongArchState *env, uint64_t 
fj)
 {
 uint64_t fd;
 
-fd = (uint64_t)float32_to_int32((uint32_t)fj, >fp_status);
+fd = nanbox_s(float32_to_int32((uint32_t)fj, >fp_status));
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
 if (float32_is_any_nan((uint32_t)fj)) {
 fd = 0;
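Review bot: In helper_ftint_w_s the NaN override `fd = 0;` below the changed assignment still stores a plain zero, so a NaN input that raises float_flag_invalid leaves the helper without the upper 32 bits that nanbox_s() presumably sets (its definition is not part of this patch). If the instruction is meant to return the boxed form in every case, the override should be `fd = nanbox_s(0);`; otherwise a one-line comment should say why the invalid path differs from the commit's stated intent. The same `fd = 0;` is visible in the helper_ftint_w_d hunk, and the other ftintr* helpers touched here have the same invalid-flag branch, whose body lies outside their hunks. The function body continues past the end of this hunk.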
@@ -862,7 +862,7 @@ uint64_t helper_ftint_w_d(CPULoongArchState *env, uint64_t 
fj)
 {
 uint64_t fd;
 
-fd = (uint64_t)float64_to_int32(fj, >fp_status);
+fd = nanbox_s(float64_to_int32(fj, >fp_status));
 if (get_float_exception_flags(>fp_status) & (float_flag_invalid)) {
 if (float64_is_any_nan(fj)) {
 fd = 0;
-- 
2.31.1




[PULL v2 13/22] target/riscv: debug: Determine the trigger type from tdata1.type

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Current RISC-V debug assumes that only type 2 trigger is supported.
To allow more types of triggers to be supported in the future
(e.g. type 6 trigger, which is similar to type 2 trigger with additional
 functionality), we should determine the trigger type from tdata1.type.

RV_MAX_TRIGGERS is also introduced in replacement of TRIGGER_TYPE2_NUM.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
[bmeng: fixed MXL_RV128 case, and moved macros to the following patch]
Signed-off-by: Bin Meng 
Message-Id: <20220909134215.1843865-2-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h |   2 +-
 target/riscv/debug.h   |  13 +--
 target/riscv/csr.c |   2 +-
 target/riscv/debug.c   | 188 +
 target/riscv/machine.c |   2 +-
 5 files changed, 140 insertions(+), 67 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 22344a620b..73bcad3c9b 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -324,7 +324,7 @@ struct CPUArchState {
 
 /* trigger module */
 target_ulong trigger_cur;
-type2_trigger_t type2_trig[TRIGGER_TYPE2_NUM];
+type2_trigger_t type2_trig[RV_MAX_TRIGGERS];
 
 /* machine specific rdtime callback */
 uint64_t (*rdtime_fn)(void *);
diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index 27b9cac6b4..72e4edcd8c 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -22,13 +22,7 @@
 #ifndef RISCV_DEBUG_H
 #define RISCV_DEBUG_H
 
-/* trigger indexes implemented */
-enum {
-TRIGGER_TYPE2_IDX_0 = 0,
-TRIGGER_TYPE2_IDX_1,
-TRIGGER_TYPE2_NUM,
-TRIGGER_NUM = TRIGGER_TYPE2_NUM
-};
+#define RV_MAX_TRIGGERS 2
 
 /* register index of tdata CSRs */
 enum {
@@ -46,7 +40,8 @@ typedef enum {
 TRIGGER_TYPE_EXCP = 5,  /* exception trigger */
 TRIGGER_TYPE_AD_MATCH6 = 6, /* new address/data match trigger */
 TRIGGER_TYPE_EXT_SRC = 7,   /* external source trigger */
-TRIGGER_TYPE_UNAVAIL = 15   /* trigger exists, but unavailable */
+TRIGGER_TYPE_UNAVAIL = 15,  /* trigger exists, but unavailable */
+TRIGGER_TYPE_NUM
 } trigger_type_t;
 
 typedef struct {
@@ -56,7 +51,7 @@ typedef struct {
 struct CPUWatchpoint *wp;
 } type2_trigger_t;
 
-/* tdata field masks */
+/* tdata1 field masks */
 
 #define RV32_TYPE(t)((uint32_t)(t) << 28)
 #define RV32_TYPE_MASK  (0xf << 28)
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 092b425196..2c84c29bf0 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -3070,7 +3070,7 @@ static RISCVException read_tdata(CPURISCVState *env, int 
csrno,
  target_ulong *val)
 {
 /* return 0 in tdata1 to end the trigger enumeration */
-if (env->trigger_cur >= TRIGGER_NUM && csrno == CSR_TDATA1) {
+if (env->trigger_cur >= RV_MAX_TRIGGERS && csrno == CSR_TDATA1) {
 *val = 0;
 return RISCV_EXCP_NONE;
 }
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index fc6e13222f..9dd468753a 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -52,8 +52,15 @@
 /* tdata availability of a trigger */
 typedef bool tdata_avail[TDATA_NUM];
 
-static tdata_avail tdata_mapping[TRIGGER_NUM] = {
-[TRIGGER_TYPE2_IDX_0 ... TRIGGER_TYPE2_IDX_1] = { true, true, false },
+static tdata_avail tdata_mapping[TRIGGER_TYPE_NUM] = {
+[TRIGGER_TYPE_NO_EXIST] = { false, false, false },
+[TRIGGER_TYPE_AD_MATCH] = { true, true, true },
+[TRIGGER_TYPE_INST_CNT] = { true, false, true },
+[TRIGGER_TYPE_INT] = { true, true, true },
+[TRIGGER_TYPE_EXCP] = { true, true, true },
+[TRIGGER_TYPE_AD_MATCH6] = { true, true, true },
+[TRIGGER_TYPE_EXT_SRC] = { true, false, false },
+[TRIGGER_TYPE_UNAVAIL] = { true, true, true }
 };
 
 /* only breakpoint size 1/2/4/8 supported */
@@ -67,6 +74,27 @@ static int access_size[SIZE_NUM] = {
 [6 ... 15] = -1,
 };
 
+static inline target_ulong extract_trigger_type(CPURISCVState *env,
+target_ulong tdata1)
+{
+switch (riscv_cpu_mxl(env)) {
+case MXL_RV32:
+return extract32(tdata1, 28, 4);
+case MXL_RV64:
+case MXL_RV128:
+return extract64(tdata1, 60, 4);
+default:
+g_assert_not_reached();
+}
+}
+
+static inline target_ulong get_trigger_type(CPURISCVState *env,
+target_ulong trigger_index)
+{
+target_ulong tdata1 = env->type2_trig[trigger_index].mcontrol;
+return extract_trigger_type(env, tdata1);
+}
+
 static inline target_ulong trigger_type(CPURISCVState *env,
 trigger_type_t type)
 {
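Review bot: get_trigger_type() indexes `env->type2_trig[trigger_index]` without checking the index against RV_MAX_TRIGGERS, and the tdata_available() hunk below calls it with `env->trigger_cur` as its first statement. read_tdata() in csr.c tests `env->trigger_cur >= RV_MAX_TRIGGERS`, which suggests the guest-selected index can exceed the array size; if so, this is an out-of-bounds read of CPU state driven by a guest CSR write. Either bound it in the helper, `if (trigger_index >= RV_MAX_TRIGGERS) { return TRIGGER_TYPE_NO_EXIST; }`, or have tdata_available() do its range check before the call; the rest of tdata_available() is cut off on this page, so the ordering there needs confirming.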
@@ -89,15 +117,17 @@ static inline target_ulong trigger_type(CPURISCVState *env,
 
 bool tdata_available(CPURISCVState *env, int tdata_index)
 {
+int trigger_type = get_trigger_type(env, env->trigger_cur);
+
 if 

[PULL v2 21/22] target/riscv: rvv-1.0: Simplify vfwredsum code

2022-09-27 Thread Alistair Francis
From: Yang Liu 

Remove duplicate code by wrapping vfwredsum_vs's OP function.

Signed-off-by: Yang Liu 
Reviewed-by: Alistair Francis 
Reviewed-by: Frank Chang 
Message-Id: <20220817074802.20765-1-liuyan...@iscas.ac.cn>
Signed-off-by: Alistair Francis 
---
 target/riscv/vector_helper.c | 56 +++-
 1 file changed, 10 insertions(+), 46 deletions(-)

diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
index d224861c2c..2828073497 100644
--- a/target/riscv/vector_helper.c
+++ b/target/riscv/vector_helper.c
@@ -4728,58 +4728,22 @@ GEN_VEXT_FRED(vfredmin_vs_h, uint16_t, uint16_t, H2, 
H2, float16_minimum_number)
 GEN_VEXT_FRED(vfredmin_vs_w, uint32_t, uint32_t, H4, H4, 
float32_minimum_number)
 GEN_VEXT_FRED(vfredmin_vs_d, uint64_t, uint64_t, H8, H8, 
float64_minimum_number)
 
-/* Vector Widening Floating-Point Reduction Instructions */
-/* Unordered reduce 2*SEW = 2*SEW + sum(promote(SEW)) */
-void HELPER(vfwredsum_vs_h)(void *vd, void *v0, void *vs1,
-void *vs2, CPURISCVState *env, uint32_t desc)
+/* Vector Widening Floating-Point Add Instructions */
+static uint32_t fwadd16(uint32_t a, uint16_t b, float_status *s)
 {
-uint32_t vm = vext_vm(desc);
-uint32_t vl = env->vl;
-uint32_t esz = sizeof(uint32_t);
-uint32_t vlenb = simd_maxsz(desc);
-uint32_t vta = vext_vta(desc);
-uint32_t i;
-uint32_t s1 =  *((uint32_t *)vs1 + H4(0));
-
-for (i = env->vstart; i < vl; i++) {
-uint16_t s2 = *((uint16_t *)vs2 + H2(i));
-if (!vm && !vext_elem_mask(v0, i)) {
-continue;
-}
-s1 = float32_add(s1, float16_to_float32(s2, true, >fp_status),
- >fp_status);
-}
-*((uint32_t *)vd + H4(0)) = s1;
-env->vstart = 0;
-/* set tail elements to 1s */
-vext_set_elems_1s(vd, vta, esz, vlenb);
+return float32_add(a, float16_to_float32(b, true, s), s);
 }
 
-void HELPER(vfwredsum_vs_w)(void *vd, void *v0, void *vs1,
-void *vs2, CPURISCVState *env, uint32_t desc)
+static uint64_t fwadd32(uint64_t a, uint32_t b, float_status *s)
 {
-uint32_t vm = vext_vm(desc);
-uint32_t vl = env->vl;
-uint32_t esz = sizeof(uint64_t);
-uint32_t vlenb = simd_maxsz(desc);
-uint32_t vta = vext_vta(desc);
-uint32_t i;
-uint64_t s1 =  *((uint64_t *)vs1);
-
-for (i = env->vstart; i < vl; i++) {
-uint32_t s2 = *((uint32_t *)vs2 + H4(i));
-if (!vm && !vext_elem_mask(v0, i)) {
-continue;
-}
-s1 = float64_add(s1, float32_to_float64(s2, >fp_status),
- >fp_status);
-}
-*((uint64_t *)vd) = s1;
-env->vstart = 0;
-/* set tail elements to 1s */
-vext_set_elems_1s(vd, vta, esz, vlenb);
+return float64_add(a, float32_to_float64(b, s), s);
 }
 
+/* Vector Widening Floating-Point Reduction Instructions */
+/* Unordered reduce 2*SEW = 2*SEW + sum(promote(SEW)) */
+GEN_VEXT_FRED(vfwredsum_vs_h, uint32_t, uint16_t, H4, H2, fwadd16)
+GEN_VEXT_FRED(vfwredsum_vs_w, uint64_t, uint32_t, H8, H4, fwadd32)
+
 /*
  *** Vector Mask Operations
  */
-- 
2.37.3




[PULL 2/8] vdpa: Make VhostVDPAState cvq_cmd_in_buffer control ack type

2022-09-27 Thread Jason Wang
From: Eugenio Pérez 

This allows simplifying the code. Rename to status while we're at it.

Signed-off-by: Eugenio Pérez 
Signed-off-by: Jason Wang 
---
 net/vhost-vdpa.c | 23 ---
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 6ce68fc..535315c 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -35,7 +35,9 @@ typedef struct VhostVDPAState {
 VHostNetState *vhost_net;
 
 /* Control commands shadow buffers */
-void *cvq_cmd_out_buffer, *cvq_cmd_in_buffer;
+void *cvq_cmd_out_buffer;
+virtio_net_ctrl_ack *status;
+
 bool started;
 } VhostVDPAState;
 
@@ -158,7 +160,7 @@ static void vhost_vdpa_cleanup(NetClientState *nc)
 struct vhost_dev *dev = >vhost_net->dev;
 
 qemu_vfree(s->cvq_cmd_out_buffer);
-qemu_vfree(s->cvq_cmd_in_buffer);
+qemu_vfree(s->status);
 if (dev->vq_index + dev->nvqs == dev->vq_index_end) {
 g_clear_pointer(>vhost_vdpa.iova_tree, vhost_iova_tree_delete);
 }
@@ -310,7 +312,7 @@ static int vhost_vdpa_net_cvq_start(NetClientState *nc)
 return r;
 }
 
-r = vhost_vdpa_cvq_map_buf(>vhost_vdpa, s->cvq_cmd_in_buffer,
+r = vhost_vdpa_cvq_map_buf(>vhost_vdpa, s->status,
vhost_vdpa_net_cvq_cmd_page_len(), true);
 if (unlikely(r < 0)) {
 vhost_vdpa_cvq_unmap_buf(>vhost_vdpa, s->cvq_cmd_out_buffer);
@@ -327,7 +329,7 @@ static void vhost_vdpa_net_cvq_stop(NetClientState *nc)
 
 if (s->vhost_vdpa.shadow_vqs_enabled) {
 vhost_vdpa_cvq_unmap_buf(>vhost_vdpa, s->cvq_cmd_out_buffer);
-vhost_vdpa_cvq_unmap_buf(>vhost_vdpa, s->cvq_cmd_in_buffer);
+vhost_vdpa_cvq_unmap_buf(>vhost_vdpa, s->status);
 }
 }
 
@@ -340,7 +342,7 @@ static ssize_t vhost_vdpa_net_cvq_add(VhostVDPAState *s, 
size_t out_len,
 .iov_len = out_len,
 };
 const struct iovec in = {
-.iov_base = s->cvq_cmd_in_buffer,
+.iov_base = s->status,
 .iov_len = sizeof(virtio_net_ctrl_ack),
 };
 VhostShadowVirtqueue *svq = g_ptr_array_index(s->vhost_vdpa.shadow_vqs, 0);
@@ -396,7 +398,7 @@ static int vhost_vdpa_net_load(NetClientState *nc)
 return dev_written;
 }
 
-return *((virtio_net_ctrl_ack *)s->cvq_cmd_in_buffer) != VIRTIO_NET_OK;
+return *s->status != VIRTIO_NET_OK;
 }
 
 return 0;
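Review bot: `return *s->status != VIRTIO_NET_OK;` makes vhost_vdpa_net_load() return 1 when the device rejects the command, while the branch just above returns `dev_written`, presumably a negative value on failure. A caller that tests the result with `< 0` would treat a device-side VIRTIO_NET_ERR as success and continue with state the device did not accept; the caller is not visible here, so this needs checking. The commit only carries the expression over from the cast it replaces, but since the line is rewritten anyway it could become `return *s->status != VIRTIO_NET_OK ? -EIO : 0;` if callers expect a negative errno. The function starts outside this hunk.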
@@ -491,8 +493,7 @@ static int 
vhost_vdpa_net_handle_ctrl_avail(VhostShadowVirtqueue *svq,
 goto out;
 }
 
-memcpy(, s->cvq_cmd_in_buffer, sizeof(status));
-if (status != VIRTIO_NET_OK) {
+if (*s->status != VIRTIO_NET_OK) {
 return VIRTIO_NET_ERR;
 }
 
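Review bot: The branch taken when the device's ack is not VIRTIO_NET_OK exits with `return VIRTIO_NET_ERR;`, whereas the error branch directly above uses `goto out;`. Whatever the `out:` label does is skipped on exactly the path where the device refused the command; the label lies outside this hunk, and it presumably writes the status back to the guest and releases the element. The function is declared `static int`, so it also returns a virtio status code where the other paths return something else. Since this commit rewrites the condition, `goto out;` with the local status left at its error value looks like the consistent exit.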
@@ -549,9 +550,9 @@ static NetClientState *net_vhost_vdpa_init(NetClientState 
*peer,
 s->cvq_cmd_out_buffer = qemu_memalign(qemu_real_host_page_size(),
 vhost_vdpa_net_cvq_cmd_page_len());
 memset(s->cvq_cmd_out_buffer, 0, vhost_vdpa_net_cvq_cmd_page_len());
-s->cvq_cmd_in_buffer = qemu_memalign(qemu_real_host_page_size(),
-vhost_vdpa_net_cvq_cmd_page_len());
-memset(s->cvq_cmd_in_buffer, 0, vhost_vdpa_net_cvq_cmd_page_len());
+s->status = qemu_memalign(qemu_real_host_page_size(),
+  vhost_vdpa_net_cvq_cmd_page_len());
+memset(s->status, 0, vhost_vdpa_net_cvq_cmd_page_len());
 
 s->vhost_vdpa.shadow_vq_ops = _vdpa_net_svq_ops;
 s->vhost_vdpa.shadow_vq_ops_opaque = s;
-- 
2.7.4




[PULL 00/24] Kraxel 20220927 patches

2022-09-27 Thread Gerd Hoffmann
The following changes since commit 6160d8ff81fb9fba70f5dad88d43ffd0fa44984c:

  Merge tag 'edgar/xilinx-next-2022-09-21.for-upstream' of 
https://github.com/edgarigl/qemu into staging (2022-09-22 13:24:28 -0400)

are available in the Git repository at:

  https://gitlab.com/kraxel/qemu.git tags/kraxel-20220927-pull-request

for you to fetch changes up to 49a99ecb2290571b2e3f464c13e9c73b87ca91c4:

  virtio-gpu: update scanout if there is any area covered by the rect 
(2022-09-27 07:32:31 +0200)


usb: make usbnet work with xhci.
audio: add sndio backend.
misc bugfixes for console, xhci, audio, ati-vga and virtio-gpu.



Akihiko Odaki (3):
  ui/cocoa: Run qemu_init in the main thread
  Revert "main-loop: Disable block backend global state assertion on
Cocoa"
  meson: Allow to enable gtk and sdl while cocoa is enabled

Alexandre Ratchov (1):
  audio: Add sndio backend

Cal Peake (1):
  ui/console: Get tab completion working again in the SDL monitor vc

Dongwon Kim (1):
  virtio-gpu: update scanout if there is any area covered by the rect

Gerd Hoffmann (2):
  usb/msd: move usb_msd_packet_complete()
  usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert

Marc-André Lureau (5):
  ui: add some vdagent related traces
  ui/clipboard: fix serial priority
  ui/vdagent: always reset the clipboard serial on caps
  ui/clipboard: reset the serial state on reset
  ui/vdagent: fix serial reset of guest agent

Michael Brown (4):
  usbnet: Add missing usb_wakeup() call in usbnet_receive()
  usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request
  usbnet: Detect short packets as sent by the xHCI controller
  usbnet: Report link-up via interrupt endpoint in CDC-ECM mode

Philippe Mathieu-Daudé (1):
  hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)

Qiang Liu (2):
  hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is
zero
  hcd-xhci: drop operation with secondary stream arrays enabled

Thomas Huth (1):
  hw/usb/hcd-xhci: Check whether DMA accesses fail

Volker Rümelin (3):
  ui/console: fix three double frees in png_save()
  Revert "audio: Log context for audio bug"
  audio: remove abort() in audio_bug()

 meson_options.txt |   4 +-
 audio/audio_template.h|  29 +-
 include/hw/usb/msd.h  |   1 +
 include/qemu-main.h   |   3 +-
 include/qemu/main-loop.h  |  13 -
 include/sysemu/sysemu.h   |   2 +-
 include/ui/console.h  |   1 +
 audio/audio.c |  25 +-
 audio/sndioaudio.c| 565 ++
 hw/display/ati_2d.c   |   6 +-
 hw/display/virtio-gpu.c   |   7 +-
 hw/usb/dev-network.c  |  38 ++-
 hw/usb/dev-storage.c  |  56 +++-
 hw/usb/hcd-ohci.c |  10 +
 hw/usb/hcd-xhci.c |  68 +++-
 softmmu/main.c|  10 +-
 softmmu/vl.c  |   2 +-
 tests/qtest/fuzz/fuzz.c   |   2 +-
 ui/clipboard.c|  18 +-
 ui/console.c  |   6 +-
 ui/vdagent.c  |  13 +-
 MAINTAINERS   |   7 +
 audio/meson.build |   1 +
 docs/devel/fuzzing.rst|   4 +-
 hw/usb/trace-events   |   1 +
 meson.build   |  19 +-
 qapi/audio.json   |  25 +-
 qemu-options.hx   |  16 +
 scripts/meson-buildoptions.sh |   7 +-
 ui/cocoa.m| 144 +++--
 ui/trace-events   |   5 +
 31 files changed, 903 insertions(+), 205 deletions(-)
 create mode 100644 audio/sndioaudio.c

-- 
2.37.3




Re: [PATCH] linux-user: fix bug about missing signum convert of sigqueue

2022-09-27 Thread Laurent Vivier

Le 05/09/2022 à 19:54, Richard Henderson a écrit :

On 8/31/22 05:10, fa...@mail.ustc.edu.cn wrote:

 From 4ebe8a67ed7c4b1220957b2b67a62ba60e0e80ec Mon Sep 17 00:00:00 2001
From: fanwenjie 
Date: Wed, 31 Aug 2022 11:55:25 +0800
Subject: [PATCH] linux-user: fix bug about missing signum convert of sigqueue

Signed-off-by: fanwenjie 


Queued to linux-user-next.


I'm preparing a PR, do you want I take it?

Thanks,
Laurent




[PULL 08/24] ui/clipboard: reset the serial state on reset

2022-09-27 Thread Gerd Hoffmann
From: Marc-André Lureau 

Not only do we have to reset the vdagent clipboards serial state, but also
the current QEMU clipboards info serial (the value is currently used by
qemu_clipboard_check_serial, only used by -display dbus).

Signed-off-by: Marc-André Lureau 
Message-Id: <20220912102455.111765-5-marcandre.lur...@redhat.com>
Signed-off-by: Gerd Hoffmann 
---
 ui/clipboard.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ui/clipboard.c b/ui/clipboard.c
index 3e2d02d5490c..3d14bffaf80f 100644
--- a/ui/clipboard.c
+++ b/ui/clipboard.c
@@ -139,7 +139,14 @@ void qemu_clipboard_request(QemuClipboardInfo *info,
 void qemu_clipboard_reset_serial(void)
 {
 QemuClipboardNotify notify = { .type = QEMU_CLIPBOARD_RESET_SERIAL };
+int i;
 
+for (i = 0; i < QEMU_CLIPBOARD_SELECTION__COUNT; i++) {
+QemuClipboardInfo *info = qemu_clipboard_info(i);
+if (info) {
+info->serial = 0;
+}
+}
 notifier_list_notify(_notifiers, );
 }
 
-- 
2.37.3




Re: [PATCH v3 5/5] serial: Allow unaligned i/o access

2022-09-27 Thread Marc-André Lureau
On Sun, Sep 11, 2022 at 10:46 PM Arwed Meyer  wrote:

> Unaligned i/o access on serial UART works on real PCs.
> This is used for example by FreeDOS CTMouse driver. Without this it
> can't reset and detect serial mice.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/77
> Signed-off-by: Arwed Meyer 
>

Reviewed-by: Marc-André Lureau 

Michael, can you r-b too?



> ---
>  hw/char/serial.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/hw/char/serial.c b/hw/char/serial.c
> index 7061aacbce..41b5e61977 100644
> --- a/hw/char/serial.c
> +++ b/hw/char/serial.c
> @@ -961,6 +961,9 @@ void serial_set_frequency(SerialState *s, uint32_t
> frequency)
>  const MemoryRegionOps serial_io_ops = {
>  .read = serial_ioport_read,
>  .write = serial_ioport_write,
> +.valid = {
> +.unaligned = 1,
> +},
>  .impl = {
>  .min_access_size = 1,
>  .max_access_size = 1,
> --
> 2.34.1
>
>
>

-- 
Marc-André Lureau


[PULL 14/24] usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert

2022-09-27 Thread Gerd Hoffmann
Add handler for fatal errors.  Moves device into error state where it
stops responding until the guest resets it.

Guest can send illegal requests where scsi command and usb packet
transfer directions are inconsistent.  Use the new usb_msd_fatal_error()
function instead of assert() in that case.

Reported-by: Qiang Liu 
Signed-off-by: Gerd Hoffmann 
Tested-by: Qiang Liu 
Message-Id: <20220830063827.813053-3-kra...@redhat.com>
---
 include/hw/usb/msd.h |  1 +
 hw/usb/dev-storage.c | 30 +-
 hw/usb/trace-events  |  1 +
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/hw/usb/msd.h b/include/hw/usb/msd.h
index 54e9f38bda46..f9fd862b529a 100644
--- a/include/hw/usb/msd.h
+++ b/include/hw/usb/msd.h
@@ -40,6 +40,7 @@ struct MSDState {
 bool removable;
 bool commandlog;
 SCSIDevice *scsi_dev;
+bool needs_reset;
 };
 
 typedef struct MSDState MSDState;
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index 140ef2aeaa80..e3bcffb3e0d7 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -191,6 +191,23 @@ static void usb_msd_packet_complete(MSDState *s)
 usb_packet_complete(>dev, p);
 }
 
+static void usb_msd_fatal_error(MSDState *s)
+{
+trace_usb_msd_fatal_error();
+
+if (s->packet) {
+s->packet->status = USB_RET_STALL;
+usb_msd_packet_complete(s);
+}
+
+/*
+ * Guest messed up up device state with illegal requests.  Go
+ * ignore any requests until the guests resets the device (and
+ * brings it into a known state that way).
+ */
+s->needs_reset = true;
+}
+
 static void usb_msd_copy_data(MSDState *s, USBPacket *p)
 {
 uint32_t len;
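Review bot: `trace_usb_msd_fatal_error()` takes no arguments and its trace-events entry has an empty format, so a trace of a misbehaving guest records only that the device entered the error state, not which inconsistency caused it. Passing the two values compared at the call site in usb_msd_transfer_data(), `s->mode` and `req->cmd.mode`, would make the event usable for diagnosing or detecting guests that send such requests; the helper would then need parameters and the trace-events line a format string. Separately, the new comment has a doubled word and reads more clearly as `Guest messed up device state with illegal requests. Ignore any requests until the guest resets the device (and brings it into a known state that way).`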
@@ -227,7 +244,11 @@ void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
 USBPacket *p = s->packet;
 
-assert((s->mode == USB_MSDM_DATAOUT) == (req->cmd.mode == 
SCSI_XFER_TO_DEV));
+if ((s->mode == USB_MSDM_DATAOUT) != (req->cmd.mode == SCSI_XFER_TO_DEV)) {
+usb_msd_fatal_error(s);
+return;
+}
+
 s->scsi_len = len;
 s->scsi_off = 0;
 if (p) {
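Review bot: The early return after usb_msd_fatal_error() leaves `req` outstanding: the helper stalls the USB packet and sets `needs_reset`, but nothing visible in this patch cancels or completes the SCSI request whose callback detected the mismatch. If the reset path is what releases it (the start of usb_msd_handle_reset() is outside its hunk), a comment before the return should say so, for example `/* req stays pending; it is released when the guest resets the device */`. If it is not, the request should be cancelled here, since otherwise it stays allocated for as long as the guest withholds the reset. The function body continues past the end of this hunk.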
@@ -317,6 +338,8 @@ void usb_msd_handle_reset(USBDevice *dev)
 
 memset(>csw, 0, sizeof(s->csw));
 s->mode = USB_MSDM_CBW;
+
+s->needs_reset = false;
 }
 
 static void usb_msd_handle_control(USBDevice *dev, USBPacket *p,
@@ -382,6 +405,11 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket 
*p)
 SCSIDevice *scsi_dev;
 uint32_t len;
 
+if (s->needs_reset) {
+p->status = USB_RET_STALL;
+return;
+}
+
 switch (p->pid) {
 case USB_TOKEN_OUT:
 if (devep != 2)
diff --git a/hw/usb/trace-events b/hw/usb/trace-events
index 914ca7166829..b65269892c5e 100644
--- a/hw/usb/trace-events
+++ b/hw/usb/trace-events
@@ -263,6 +263,7 @@ usb_msd_packet_complete(void) ""
 usb_msd_cmd_submit(unsigned lun, unsigned tag, unsigned flags, unsigned len, 
unsigned data_len) "lun %u, tag 0x%x, flags 0x%08x, len %d, data-len %d"
 usb_msd_cmd_complete(unsigned status, unsigned tag) "status %d, tag 0x%x"
 usb_msd_cmd_cancel(unsigned tag) "tag 0x%x"
+usb_msd_fatal_error(void) ""
 
 # dev-uas.c
 usb_uas_reset(int addr) "dev %d"
-- 
2.37.3




Re: [PATCH v2] Revert "intel_iommu: Fix irqchip / X2APIC configuration checks"

2022-09-27 Thread Igor Mammedov
On Mon, 26 Sep 2022 11:32:06 -0400
Peter Xu  wrote:

> It's true that when vcpus<=255 we don't require the length of 32bit APIC
> IDs.  However here since we already have EIM=ON it means the hypervisor
> will declare the VM as x2apic supported (e.g. VT-d ECAP register will have
> EIM bit 4 set), so the guest should assume the APIC IDs are 32bits width
> even if vcpus<=255.  In short, commit 77250171bdc breaks any simple cmdline
> that wants to boot a VM with >=9 but <=255 vcpus with:
> 
>   -device intel-iommu,intremap=on
> 
> For anyone who does not want to enable x2apic, we can use eim=off in the
> intel-iommu parameters to skip enabling KVM x2apic.
> 
> This partly reverts commit 77250171bdc02aee106083fd2a068147befa1a38, while
> keeping the valid bit on checking split irqchip, but revert the other change.
> 
> One thing to mention is that this patch may break migration compatibility
> of such VM, however that's probably the best thing we can do, because the
> old behavior was simply wrong and not working for >8 vcpus.  For <=8 vcpus,
> there could be a light guest ABI change (by enabling KVM x2apic after this
> patch), but logically it shouldn't affect the migration from working.
> 
> Also, this is not the 1st commit to change x2apic behavior.  Igor provided
> a full history of how this evolved for the past few years:
> 
> https://lore.kernel.org/qemu-devel/20220922154617.57d1a...@redhat.com/
> 
> Relevant commits for reference:
> 
>   fb506e701e ("intel_iommu: reject broken EIM", 2016-10-17)
>   c1bb5418e3 ("target/i386: Support up to 32768 CPUs without IRQ remapping", 
> 2020-12-10)
>   77250171bd ("intel_iommu: Fix irqchip / X2APIC configuration checks", 
> 2022-05-16)
>   dc89f32d92 ("target/i386: Fix sanity check on max APIC ID / X2APIC 
> enablement", 2022-05-16)
> 
> We may want to have this for stable too (mostly for 7.1.0 only).  Adding a
> fixes tag.
> 
> Cc: David Woodhouse 
> Cc: Claudio Fontana 
> Cc: Igor Mammedov 
> Fixes: 77250171bd ("intel_iommu: Fix irqchip / X2APIC configuration checks")
> Signed-off-by: Peter Xu 

Reviewed-by: Igor Mammedov 

> ---
> v2:
> - Added some more information into commit message [Igor]
> ---
>  hw/i386/intel_iommu.c | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
> index 05d53a1aa9..6524c2ee32 100644
> --- a/hw/i386/intel_iommu.c
> +++ b/hw/i386/intel_iommu.c
> @@ -3818,6 +3818,11 @@ static bool vtd_decide_config(IntelIOMMUState *s, 
> Error **errp)
>  error_setg(errp, "eim=on requires 
> accel=kvm,kernel-irqchip=split");
>  return false;
>  }
> +if (!kvm_enable_x2apic()) {
> +error_setg(errp, "eim=on requires support on the KVM side"
> + "(X2APIC_API, first shipped in v4.7)");
> +return false;
> +}
>  }
>  
>  /* Currently only address widths supported are 39 and 48 bits */
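Review bot: The two string literals in the new error_setg() call are concatenated without a separator, so the user sees "…on the KVM side(X2APIC_API, first shipped in v4.7)". The first literal needs a trailing space: `error_setg(errp, "eim=on requires support on the KVM side "`. vtd_decide_config() starts and ends outside this hunk.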




[PULL 13/24] usb/msd: move usb_msd_packet_complete()

2022-09-27 Thread Gerd Hoffmann
Change ordering to avoid adding forward declarations in
following patches.  Fix comment code style while being
at it.  No functional change.

Signed-off-by: Gerd Hoffmann 
Message-Id: <20220830063827.813053-2-kra...@redhat.com>
---
 hw/usb/dev-storage.c | 26 ++
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index 98639696e6d8..140ef2aeaa80 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -177,6 +177,20 @@ static const USBDesc desc = {
 .str   = desc_strings,
 };
 
+static void usb_msd_packet_complete(MSDState *s)
+{
+USBPacket *p = s->packet;
+
+/*
+ * Set s->packet to NULL before calling usb_packet_complete
+ * because another request may be issued before
+ * usb_packet_complete returns.
+ */
+trace_usb_msd_packet_complete();
+s->packet = NULL;
+usb_packet_complete(>dev, p);
+}
+
 static void usb_msd_copy_data(MSDState *s, USBPacket *p)
 {
 uint32_t len;
@@ -208,18 +222,6 @@ static void usb_msd_send_status(MSDState *s, USBPacket *p)
 memset(>csw, 0, sizeof(s->csw));
 }
 
-static void usb_msd_packet_complete(MSDState *s)
-{
-USBPacket *p = s->packet;
-
-/* Set s->packet to NULL before calling usb_packet_complete
-   because another request may be issued before
-   usb_packet_complete returns.  */
-trace_usb_msd_packet_complete();
-s->packet = NULL;
-usb_packet_complete(>dev, p);
-}
-
 void usb_msd_transfer_data(SCSIRequest *req, uint32_t len)
 {
 MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
-- 
2.37.3




Re: [patch v0] qapi/qmp: Add timestamps to qmp command responses.

2022-09-27 Thread Markus Armbruster
Daniel P. Berrangé  writes:

> On Mon, Sep 26, 2022 at 12:59:40PM +0300, Denis Plotnikov wrote:
>> Add "start" & "end" timestamps to qmp command responses.
>> It's disabled by default, but can be enabled with 'timestamp=on'
>> monitor's parameter, e.g.:
>> -chardev  socket,id=mon1,path=/tmp/qmp.socket,server=on,wait=off
>> -mon chardev=mon1,mode=control,timestamp=on
>
> I'm not convinced a cmdline flag is the right approach here.
>
> I think it ought be something defined by the QMP spec.

The QMP spec is docs/interop/qmp-spec.txt.  The feature needs to be
defined there regardless of how we control it.

> The "QMP" greeting should report "timestamp" capabilities.
>
> The 'qmp_capabilities' command can be used to turn on this
> capability for all commands henceforth.

Yes, this is how optional QMP protocol features should be controlled.

Bonus: control is per connection, not just globally.

> As an option extra, the 'execute' command could gain a
> parameter to allow this to be requested for only an
> individual command.

Needs a use case.

> Alternatively we could say the overhead of adding the timestmaps
> is small enough that we just add this unconditionally for
> everything hence, with no opt-in/opt-out.

Yes, because the extension is backwards compatible.

Aside: qmp-spec.txt could be clearer on what that means.

>> Example of result:
>> 
>> ./qemu/scripts/qmp/qmp-shell /tmp/qmp.socket
>> 
>> (QEMU) query-status
>> {"end": {"seconds": 1650367305, "microseconds": 831032},
>>  "start": {"seconds": 1650367305, "microseconds": 831012},
>>  "return": {"status": "running", "singlestep": false, "running": true}}
>> 
>> The responce of the qmp command contains the start & end time of
>> the qmp command processing.

Seconds and microseconds since when?  The update to qmp-spec.txt should
tell.

Why split the time into seconds and microseconds?  If you use
microseconds since the Unix epoch (1970-01-01 UTC), 64 bit unsigned will
result in a year 586524 problem:

$ date --date "@`echo '2^64/100' | bc`"
Wed Jan 19 09:01:49 CET 586524

Even a mere 53 bits will last until 2255.

>> These times may be helpful for the management layer in understanding of
>> the actual timeline of a qmp command processing.
>
> Can you explain the problem scenario in more detail.

Yes, please, because:

> The mgmt app already knows when it send the QMP command and knows
> when it gets the QMP reply.  This covers the time the QMP was
> queued before processing (might be large if QMP is blocked on
> another slow command) , the processing time, and the time any
> reply was queued before sending (ought to be small).
>
> So IIUC, the value these fields add is that they let the mgmt
> app extract only the command processing time, eliminating
> any variance do to queue before/after.
>
>> Suggested-by: Andrey Ryabinin 
>> Signed-off-by: Denis Plotnikov 




[PULL 1/3] target/m68k: increase size of m68k CPU features from uint32_t to uint64_t

2022-09-27 Thread Laurent Vivier
From: Mark Cave-Ayland 

There are already 32 feature bits in use, so change the size of the m68k
CPU features to uint64_t (along with the associated m68k_feature()
functions) to allow up to 64 feature bits to be used.

At the same time make use of the BIT_ULL() macro when reading/writing
the CPU feature bits to improve readability, and also update m68k_feature()
to return a bool rather than an int.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20220925134804.139706-2-mark.cave-ayl...@ilande.co.uk>
Signed-off-by: Laurent Vivier 
---
 target/m68k/cpu.h | 6 +++---
 target/m68k/cpu.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/m68k/cpu.h b/target/m68k/cpu.h
index 67b6c12c2892..f5c6e95cb44a 100644
--- a/target/m68k/cpu.h
+++ b/target/m68k/cpu.h
@@ -154,7 +154,7 @@ typedef struct CPUArchState {
 struct {} end_reset_fields;
 
 /* Fields from here on are preserved across CPU reset. */
-uint32_t features;
+uint64_t features;
 } CPUM68KState;
 
 /*
@@ -539,9 +539,9 @@ enum m68k_features {
 M68K_FEATURE_TRAPCC,
 };
 
-static inline int m68k_feature(CPUM68KState *env, int feature)
+static inline bool m68k_feature(CPUM68KState *env, int feature)
 {
-return (env->features & (1u << feature)) != 0;
+return (env->features & BIT_ULL(feature)) != 0;
 }
 
 void m68k_cpu_list(void);
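Review bot: `m68k_feature()` shifts by a plain `int feature` through `BIT_ULL(feature)`, and nothing ties the range of `enum m68k_features` to the 64-bit width of `features`. The commit message says all 32 bits of the old field were already in use, so the same limit will be reached again, and a shift by 64 or more is undefined rather than a clean failure. A build-time check next to the enum, for example `QEMU_BUILD_BUG_ON(M68K_FEATURE_TRAPCC >= 64);` (or the same test on a sentinel enumerator), would turn that into a compile error. The same applies to `m68k_set_feature()` and `m68k_unset_feature()` in target/m68k/cpu.c.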
diff --git a/target/m68k/cpu.c b/target/m68k/cpu.c
index f681be3a2a58..8d23c72056fd 100644
--- a/target/m68k/cpu.c
+++ b/target/m68k/cpu.c
@@ -38,12 +38,12 @@ static bool m68k_cpu_has_work(CPUState *cs)
 
 static void m68k_set_feature(CPUM68KState *env, int feature)
 {
-env->features |= (1u << feature);
+env->features |= BIT_ULL(feature);
 }
 
 static void m68k_unset_feature(CPUM68KState *env, int feature)
 {
-env->features &= (-1u - (1u << feature));
+env->features &= ~BIT_ULL(feature);
 }
 
 static void m68k_cpu_reset(DeviceState *dev)
-- 
2.37.3




[PULL v2 15/22] target/riscv: debug: Introduce tdata1, tdata2, and tdata3 CSRs

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Replace type2_trigger_t with the real tdata1, tdata2, and tdata3 CSRs,
which allows us to support more types of triggers in the future.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
Message-Id: <20220909134215.1843865-4-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.h |   6 ++-
 target/riscv/debug.h   |   7 ---
 target/riscv/debug.c   | 103 +++--
 target/riscv/machine.c |  20 ++--
 4 files changed, 48 insertions(+), 88 deletions(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 73bcad3c9b..b131fa8c8e 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -324,7 +324,11 @@ struct CPUArchState {
 
 /* trigger module */
 target_ulong trigger_cur;
-type2_trigger_t type2_trig[RV_MAX_TRIGGERS];
+target_ulong tdata1[RV_MAX_TRIGGERS];
+target_ulong tdata2[RV_MAX_TRIGGERS];
+target_ulong tdata3[RV_MAX_TRIGGERS];
+struct CPUBreakpoint *cpu_breakpoint[RV_MAX_TRIGGERS];
+struct CPUWatchpoint *cpu_watchpoint[RV_MAX_TRIGGERS];
 
 /* machine specific rdtime callback */
 uint64_t (*rdtime_fn)(void *);
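Review bot: The five new arrays have no comment saying what indexes them or which of them are guest-visible state. `tdata1`/`tdata2`/`tdata3` replace the register fields of the old struct, while `cpu_breakpoint`/`cpu_watchpoint` hold host pointers that, judging by type2_breakpoint_remove() in debug.c, are owned by the debug code and reset to NULL on removal. I would add `/* indexed by trigger number, 0 .. RV_MAX_TRIGGERS - 1 */` above the block and `/* host-side handles, not guest state; must not be migrated */` above the two pointer arrays. The machine.c part of the patch is not visible here, so whether the vmstate already leaves the pointers out needs confirming.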
diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index c422553c27..76146f373a 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -44,13 +44,6 @@ typedef enum {
 TRIGGER_TYPE_NUM
 } trigger_type_t;
 
-typedef struct {
-target_ulong mcontrol;
-target_ulong maddress;
-struct CPUBreakpoint *bp;
-struct CPUWatchpoint *wp;
-} type2_trigger_t;
-
 /* tdata1 field masks */
 
 #define RV32_TYPE(t)((uint32_t)(t) << 28)
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index 45aae87ec3..06feef7d67 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -91,8 +91,7 @@ static inline target_ulong extract_trigger_type(CPURISCVState 
*env,
 static inline target_ulong get_trigger_type(CPURISCVState *env,
 target_ulong trigger_index)
 {
-target_ulong tdata1 = env->type2_trig[trigger_index].mcontrol;
-return extract_trigger_type(env, tdata1);
+return extract_trigger_type(env, env->tdata1[trigger_index]);
 }
 
 static inline target_ulong build_tdata1(CPURISCVState *env,
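Review bot: `get_trigger_type()` now indexes `env->tdata1[trigger_index]` directly, and neither it nor `type2_breakpoint_insert()`/`type2_breakpoint_remove()` in the later hunks checks the index against `RV_MAX_TRIGGERS`. The index is a `target_ulong`; if it can come from a guest-written CSR (the callers are outside these hunks, so this is an assumption), an out-of-range value reads or writes past the arrays in CPUArchState. If the callers already bound it, a one-line `g_assert(trigger_index < RV_MAX_TRIGGERS);` here documents that contract; otherwise the check belongs where the CSR value is accepted.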
@@ -188,6 +187,8 @@ static inline void warn_always_zero_bit(target_ulong val, 
target_ulong mask,
 }
 }
 
+/* type 2 trigger */
+
 static uint32_t type2_breakpoint_size(CPURISCVState *env, target_ulong ctrl)
 {
 uint32_t size, sizelo, sizehi = 0;
@@ -247,8 +248,8 @@ static target_ulong type2_mcontrol_validate(CPURISCVState 
*env,
 
 static void type2_breakpoint_insert(CPURISCVState *env, target_ulong index)
 {
-target_ulong ctrl = env->type2_trig[index].mcontrol;
-target_ulong addr = env->type2_trig[index].maddress;
+target_ulong ctrl = env->tdata1[index];
+target_ulong addr = env->tdata2[index];
 bool enabled = type2_breakpoint_enabled(ctrl);
 CPUState *cs = env_cpu(env);
 int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
@@ -259,7 +260,7 @@ static void type2_breakpoint_insert(CPURISCVState *env, 
target_ulong index)
 }
 
 if (ctrl & TYPE2_EXEC) {
-cpu_breakpoint_insert(cs, addr, flags, >type2_trig[index].bp);
+cpu_breakpoint_insert(cs, addr, flags, >cpu_breakpoint[index]);
 }
 
 if (ctrl & TYPE2_LOAD) {
@@ -273,10 +274,10 @@ static void type2_breakpoint_insert(CPURISCVState *env, 
target_ulong index)
 size = type2_breakpoint_size(env, ctrl);
 if (size != 0) {
 cpu_watchpoint_insert(cs, addr, size, flags,
-  >type2_trig[index].wp);
+  >cpu_watchpoint[index]);
 } else {
 cpu_watchpoint_insert(cs, addr, 8, flags,
-  >type2_trig[index].wp);
+  >cpu_watchpoint[index]);
 }
 }
 }
@@ -285,36 +286,17 @@ static void type2_breakpoint_remove(CPURISCVState *env, 
target_ulong index)
 {
 CPUState *cs = env_cpu(env);
 
-if (env->type2_trig[index].bp) {
-cpu_breakpoint_remove_by_ref(cs, env->type2_trig[index].bp);
-env->type2_trig[index].bp = NULL;
+if (env->cpu_breakpoint[index]) {
+cpu_breakpoint_remove_by_ref(cs, env->cpu_breakpoint[index]);
+env->cpu_breakpoint[index] = NULL;
 }
 
-if (env->type2_trig[index].wp) {
-cpu_watchpoint_remove_by_ref(cs, env->type2_trig[index].wp);
-env->type2_trig[index].wp = NULL;
+if (env->cpu_watchpoint[index]) {
+cpu_watchpoint_remove_by_ref(cs, env->cpu_watchpoint[index]);
+env->cpu_watchpoint[index] = NULL;
 }
 }
 
-static target_ulong type2_reg_read(CPURISCVState *env,
-   target_ulong index, int tdata_index)
-{
-target_ulong tdata;
-
-switch (tdata_index) {
-case TDATA1:
-tdata = env->type2_trig[index].mcontrol;
-break;
-case TDATA2:
- 

[PULL v2 09/22] hw/riscv: opentitan: Fixup resetvec

2022-09-27 Thread Alistair Francis
From: Alistair Francis 

The resetvec for the OpenTitan machine ended up being set to an out of
date value, so let's fix that and bump it to the correct start address
(after the boot ROM)

Fixes: bf8803c64d75 "hw/riscv: opentitan: bump opentitan version"
Signed-off-by: Alistair Francis 
Message-Id: <20220914101108.82571-3-alistair.fran...@wdc.com>
Signed-off-by: Alistair Francis 
---
 hw/riscv/opentitan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/riscv/opentitan.c b/hw/riscv/opentitan.c
index af13dbe3b1..45c92c9bbc 100644
--- a/hw/riscv/opentitan.c
+++ b/hw/riscv/opentitan.c
@@ -142,7 +142,7 @@ static void lowrisc_ibex_soc_realize(DeviceState *dev_soc, 
Error **errp)
 _abort);
 object_property_set_int(OBJECT(>cpus), "num-harts", ms->smp.cpus,
 _abort);
-object_property_set_int(OBJECT(>cpus), "resetvec", 0x2490,
+object_property_set_int(OBJECT(>cpus), "resetvec", 0x2400,
 _abort);
 sysbus_realize(SYS_BUS_DEVICE(>cpus), _fatal);
 
-- 
2.37.3




[PULL v2 22/22] target/riscv: rvv-1.0: vf[w]redsum distinguish between ordered/unordered

2022-09-27 Thread Alistair Francis
From: Yang Liu 

Starting with RVV1.0, the original vf[w]redsum_vs instruction was renamed
to vf[w]redusum_vs. The distinction between ordered and unordered is also
more consistent with other instructions, although there is no difference
in implementation between the two for QEMU.

Signed-off-by: Yang Liu 
Acked-by: Alistair Francis 
Reviewed-by: Frank Chang 
Message-Id: <20220817074802.20765-2-liuyan...@iscas.ac.cn>
Signed-off-by: Alistair Francis 
---
 target/riscv/helper.h   | 15 ++-
 target/riscv/insn32.decode  |  6 --
 target/riscv/vector_helper.c| 19 +--
 target/riscv/insn_trans/trans_rvv.c.inc |  6 --
 4 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index 4ef3b2251d..a03014fe67 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -1009,9 +1009,12 @@ DEF_HELPER_6(vwredsum_vs_b, void, ptr, ptr, ptr, ptr, 
env, i32)
 DEF_HELPER_6(vwredsum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vwredsum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
 
-DEF_HELPER_6(vfredsum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
-DEF_HELPER_6(vfredsum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
-DEF_HELPER_6(vfredsum_vs_d, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredusum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredusum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredusum_vs_d, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredosum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredosum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfredosum_vs_d, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vfredmax_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vfredmax_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vfredmax_vs_d, void, ptr, ptr, ptr, ptr, env, i32)
@@ -1019,8 +1022,10 @@ DEF_HELPER_6(vfredmin_vs_h, void, ptr, ptr, ptr, ptr, 
env, i32)
 DEF_HELPER_6(vfredmin_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vfredmin_vs_d, void, ptr, ptr, ptr, ptr, env, i32)
 
-DEF_HELPER_6(vfwredsum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
-DEF_HELPER_6(vfwredsum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfwredusum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfwredusum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfwredosum_vs_h, void, ptr, ptr, ptr, ptr, env, i32)
+DEF_HELPER_6(vfwredosum_vs_w, void, ptr, ptr, ptr, ptr, env, i32)
 
 DEF_HELPER_6(vmand_mm, void, ptr, ptr, ptr, ptr, env, i32)
 DEF_HELPER_6(vmnand_mm, void, ptr, ptr, ptr, ptr, env, i32)
diff --git a/target/riscv/insn32.decode b/target/riscv/insn32.decode
index 595fdcdad8..d0253b8104 100644
--- a/target/riscv/insn32.decode
+++ b/target/riscv/insn32.decode
@@ -664,11 +664,13 @@ vredmax_vs  000111 . . . 010 . 1010111 
@r_vm
 vwredsumu_vs11 . . . 000 . 1010111 @r_vm
 vwredsum_vs 110001 . . . 000 . 1010111 @r_vm
 # Vector ordered and unordered reduction sum
-vfredsum_vs -1 . . . 001 . 1010111 @r_vm
+vfredusum_vs01 . . . 001 . 1010111 @r_vm
+vfredosum_vs11 . . . 001 . 1010111 @r_vm
 vfredmin_vs 000101 . . . 001 . 1010111 @r_vm
 vfredmax_vs 000111 . . . 001 . 1010111 @r_vm
 # Vector widening ordered and unordered float reduction sum
-vfwredsum_vs1100-1 . . . 001 . 1010111 @r_vm
+vfwredusum_vs   110001 . . . 001 . 1010111 @r_vm
+vfwredosum_vs   110011 . . . 001 . 1010111 @r_vm
 vmand_mm011001 - . . 010 . 1010111 @r
 vmnand_mm   011101 - . . 010 . 1010111 @r
 vmandn_mm   011000 - . . 010 . 1010111 @r
diff --git a/target/riscv/vector_helper.c b/target/riscv/vector_helper.c
index 2828073497..b94f809eb3 100644
--- a/target/riscv/vector_helper.c
+++ b/target/riscv/vector_helper.c
@@ -4714,9 +4714,14 @@ void HELPER(NAME)(void *vd, void *v0, void *vs1, 
  \
 }
 
 /* Unordered sum */
-GEN_VEXT_FRED(vfredsum_vs_h, uint16_t, uint16_t, H2, H2, float16_add)
-GEN_VEXT_FRED(vfredsum_vs_w, uint32_t, uint32_t, H4, H4, float32_add)
-GEN_VEXT_FRED(vfredsum_vs_d, uint64_t, uint64_t, H8, H8, float64_add)
+GEN_VEXT_FRED(vfredusum_vs_h, uint16_t, uint16_t, H2, H2, float16_add)
+GEN_VEXT_FRED(vfredusum_vs_w, uint32_t, uint32_t, H4, H4, float32_add)
+GEN_VEXT_FRED(vfredusum_vs_d, uint64_t, uint64_t, H8, H8, float64_add)
+
+/* Ordered sum */
+GEN_VEXT_FRED(vfredosum_vs_h, uint16_t, uint16_t, H2, H2, float16_add)
+GEN_VEXT_FRED(vfredosum_vs_w, uint32_t, uint32_t, H4, H4, float32_add)
+GEN_VEXT_FRED(vfredosum_vs_d, uint64_t, uint64_t, H8, H8, float64_add)
 
 /* Maximum value */
 GEN_VEXT_FRED(vfredmax_vs_h, uint16_t, uint16_t, H2, H2, 
float16_maximum_number)
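Review bot: The three `vfredosum_vs_*` instantiations under `/* Ordered sum */` are identical to the unordered ones above, and the code does not say why that is acceptable. The commit message states there is no implementation difference in QEMU, but only the code comment survives in the tree. A comment such as `/* Ordered sum: same helper as the unordered form, which already accumulates in element order */` would stop a later change to the unordered variant from silently breaking the ordered one. The GEN_VEXT_FRED body is outside this hunk, so the element-order claim should be confirmed before it is written down.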
@@ -4740,9 +4745,11 @@ static uint64_t fwadd32(uint64_t a, uint32_t b, 
float_status *s)
 }
 
 /* Vector Widening Floating-Point 

[PULL v2 14/22] target/riscv: debug: Introduce build_tdata1() to build tdata1 register content

2022-09-27 Thread Alistair Francis
From: Frank Chang 

Introduce build_tdata1() to build tdata1 register content, which can be
shared among all types of triggers.

Signed-off-by: Frank Chang 
Reviewed-by: Bin Meng 
Signed-off-by: Bin Meng 
Reviewed-by: LIU Zhiwei 
[bmeng: moved RV{32,64}_DATA_MASK definition to this patch]
Signed-off-by: Bin Meng 
Message-Id: <20220909134215.1843865-3-bmeng...@gmail.com>
Signed-off-by: Alistair Francis 
---
 target/riscv/debug.h |  2 ++
 target/riscv/debug.c | 15 ++-
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/target/riscv/debug.h b/target/riscv/debug.h
index 72e4edcd8c..c422553c27 100644
--- a/target/riscv/debug.h
+++ b/target/riscv/debug.h
@@ -56,9 +56,11 @@ typedef struct {
 #define RV32_TYPE(t)((uint32_t)(t) << 28)
 #define RV32_TYPE_MASK  (0xf << 28)
 #define RV32_DMODE  BIT(27)
+#define RV32_DATA_MASK  0x7ff
 #define RV64_TYPE(t)((uint64_t)(t) << 60)
 #define RV64_TYPE_MASK  (0xfULL << 60)
 #define RV64_DMODE  BIT_ULL(59)
+#define RV64_DATA_MASK  0x7ff
 
 /* mcontrol field masks */
 
diff --git a/target/riscv/debug.c b/target/riscv/debug.c
index 9dd468753a..45aae87ec3 100644
--- a/target/riscv/debug.c
+++ b/target/riscv/debug.c
@@ -95,18 +95,23 @@ static inline target_ulong get_trigger_type(CPURISCVState 
*env,
 return extract_trigger_type(env, tdata1);
 }
 
-static inline target_ulong trigger_type(CPURISCVState *env,
-trigger_type_t type)
+static inline target_ulong build_tdata1(CPURISCVState *env,
+trigger_type_t type,
+bool dmode, target_ulong data)
 {
 target_ulong tdata1;
 
 switch (riscv_cpu_mxl(env)) {
 case MXL_RV32:
-tdata1 = RV32_TYPE(type);
+tdata1 = RV32_TYPE(type) |
+ (dmode ? RV32_DMODE : 0) |
+ (data & RV32_DATA_MASK);
 break;
 case MXL_RV64:
 case MXL_RV128:
-tdata1 = RV64_TYPE(type);
+tdata1 = RV64_TYPE(type) |
+ (dmode ? RV64_DMODE : 0) |
+ (data & RV64_DATA_MASK);
 break;
 default:
 g_assert_not_reached();
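Review bot: `build_tdata1()` silently drops any bits of `data` outside `RV32_DATA_MASK`/`RV64_DATA_MASK`, and it has no comment describing its parameters. A caller whose value overlaps the type or dmode bits gets a different register value than it asked for, with no diagnostic. I would add a header comment saying so, e.g. `/* data: type-specific bits below dmode; bits outside RV{32,64}_DATA_MASK are discarded */`. The function body continues past the end of this hunk.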
@@ -495,7 +500,7 @@ bool riscv_cpu_debug_check_watchpoint(CPUState *cs, 
CPUWatchpoint *wp)
 
 void riscv_trigger_init(CPURISCVState *env)
 {
-target_ulong tdata1 = trigger_type(env, TRIGGER_TYPE_AD_MATCH);
+target_ulong tdata1 = build_tdata1(env, TRIGGER_TYPE_AD_MATCH, 0, 0);
 int i;
 
 /* init to type 2 triggers */
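Review bot: The new call passes `0` for the `bool dmode` parameter in `build_tdata1(env, TRIGGER_TYPE_AD_MATCH, 0, 0)`. Writing `build_tdata1(env, TRIGGER_TYPE_AD_MATCH, false, 0)` keeps the two adjacent zero arguments distinguishable at the call site. riscv_trigger_init() continues outside the hunk.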
-- 
2.37.3




[PULL 0/8] Net patches

2022-09-27 Thread Jason Wang
The following changes since commit 99d6b11b5b44d7dd64f4cb1973184e40a4a174f8:

  Merge tag 'pull-target-arm-20220922' of 
https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-09-26 
13:38:26 -0400)

are available in the git repository at:

  https://github.com/jasowang/qemu.git tags/net-pull-request

for you to fetch changes up to bf769f742c3624952f125b303878a77ea870c156:

  virtio: del net client if net_init_tap_one failed (2022-09-27 15:14:37 +0800)




Ding Hui (1):
  e1000e: set RX desc status with DD flag in a separate operation

Eugenio Pérez (6):
  vdpa: Make VhostVDPAState cvq_cmd_in_buffer control ack type
  vdpa: extract vhost_vdpa_net_load_mac from vhost_vdpa_net_load
  vdpa: Add vhost_vdpa_net_load_mq
  vdpa: validate MQ CVQ commands
  virtio-net: Update virtio-net curr_queue_pairs in vdpa backends
  vdpa: Allow MQ feature in SVQ

lu zhipeng (1):
  virtio: del net client if net_init_tap_one failed

 hw/net/e1000e_core.c |  53 ++-
 hw/net/virtio-net.c  |  17 +++-
 net/tap.c|  18 +---
 net/vhost-vdpa.c | 119 +--
 4 files changed, 157 insertions(+), 50 deletions(-)

Ding Hui (1):
  e1000e: set RX desc status with DD flag in a separate operation

Eugenio Pérez (6):
  vdpa: Make VhostVDPAState cvq_cmd_in_buffer control ack type
  vdpa: extract vhost_vdpa_net_load_mac from vhost_vdpa_net_load
  vdpa: Add vhost_vdpa_net_load_mq
  vdpa: validate MQ CVQ commands
  virtio-net: Update virtio-net curr_queue_pairs in vdpa backends
  vdpa: Allow MQ feature in SVQ

lu zhipeng (1):
  virtio: del net client if net_init_tap_one failed

 hw/net/e1000e_core.c |  53 ++-
 hw/net/virtio-net.c  |  17 +++-
 net/tap.c|  18 +---
 net/vhost-vdpa.c | 119 +--
 4 files changed, 157 insertions(+), 50 deletions(-)

-- 
2.7.4




[PATCH v2 2/4] target/loongarch: bstrins.w need set dest register EXT_SIGN

2022-09-27 Thread Song Gao
Signed-off-by: Song Gao 
---
 target/loongarch/insn_trans/trans_bit.c.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/loongarch/insn_trans/trans_bit.c.inc 
b/target/loongarch/insn_trans/trans_bit.c.inc
index 9337714ec4..33e94878fd 100644
--- a/target/loongarch/insn_trans/trans_bit.c.inc
+++ b/target/loongarch/insn_trans/trans_bit.c.inc
@@ -37,7 +37,7 @@ static bool gen_rr_ms_ls(DisasContext *ctx, arg_rr_ms_ls *a,
  DisasExtend src_ext, DisasExtend dst_ext,
  void (*func)(TCGv, TCGv, unsigned int, unsigned int))
 {
-TCGv dest = gpr_dst(ctx, a->rd, dst_ext);
+TCGv dest = gpr_dst(ctx, a->rd, EXT_NONE);
 TCGv src1 = gpr_src(ctx, a->rj, src_ext);
 
 if (a->ls > a->ms) {
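Review bot: `gpr_dst()` is now called with a hard-coded `EXT_NONE` while `dst_ext` remains a parameter of `gen_rr_ms_ls()`, and neither the code nor the empty commit description says why. Presumably the destination has to be the real register because bstrins reads it as an input, with `dst_ext` applied only when the result is written back further down, outside this hunk. A comment on the line would record that: `/* dest is also an input; dst_ext is applied on write-back */`. Without it a later cleanup is likely to put `dst_ext` back here.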
@@ -206,7 +206,7 @@ TRANS(maskeqz, gen_rrr, EXT_NONE, EXT_NONE, EXT_NONE, 
gen_maskeqz)
 TRANS(masknez, gen_rrr, EXT_NONE, EXT_NONE, EXT_NONE, gen_masknez)
 TRANS(bytepick_w, gen_rrr_sa, EXT_NONE, EXT_NONE, gen_bytepick_w)
 TRANS(bytepick_d, gen_rrr_sa, EXT_NONE, EXT_NONE, gen_bytepick_d)
-TRANS(bstrins_w, gen_rr_ms_ls, EXT_NONE, EXT_NONE, gen_bstrins)
+TRANS(bstrins_w, gen_rr_ms_ls, EXT_NONE, EXT_SIGN, gen_bstrins)
 TRANS(bstrins_d, gen_rr_ms_ls, EXT_NONE, EXT_NONE, gen_bstrins)
 TRANS(bstrpick_w, gen_rr_ms_ls, EXT_NONE, EXT_SIGN, tcg_gen_extract_tl)
 TRANS(bstrpick_d, gen_rr_ms_ls, EXT_NONE, EXT_NONE, tcg_gen_extract_tl)
-- 
2.31.1




Re: [PATCH v3 00/12] linux-user: Add more syscalls, enhance tracing & logging enhancements

2022-09-27 Thread Laurent Vivier

Le 18/09/2022 à 21:45, Helge Deller a écrit :

Here is a bunch of patches for linux-user.

Most of them add missing syscalls and enhance the tracing/logging.
Some of the patches are target-hppa specific.
I've tested those on productive hppa debian buildd servers (running qemu-user).

Thanks!
Helge

Changes to v2:
- Fix build of close_range() and pidfd_*() patches on older Linux
   distributions (noticed by Stefan Hajnoczi)

Changes to v1:
- Dropped the faccessat2() syscall patch in favour of Richard's patch
- Various changes to the "missing signals in strace output" patch based on
   Richard's feedback, e.g. static arrays, fixed usage of _NSIG, fix build when
   TARGET_SIGIOT does not exist
- Use FUTEX_CMD_MASK in "Show timespec on strace for futex" patch
   unconditionally and turn into a switch statement - as suggested by Richard

Helge Deller (12):
   linux-user: Add missing signals in strace output
   linux-user: Add missing clock_gettime64() syscall strace
   linux-user: Add pidfd_open(), pidfd_send_signal() and pidfd_getfd()
 syscalls
   linux-user: Log failing executable in EXCP_DUMP()
   linux-user/hppa: Use EXCP_DUMP() to show enhanced debug info
   linux-user/hppa: Dump IIR on register dump
   linux-user: Fix strace of chmod() if mode == 0
   linux-user/hppa: Set TASK_UNMAPPED_BASE to 0xfa00 for hppa arch
   linux-user: Add strace for clock_nanosleep()
   linux-user: Show timespec on strace for futex()
   linux-user: Add close_range() syscall
   linux-user: Add parameters of getrandom() syscall for strace

  linux-user/cpu_loop-common.h |   2 +
  linux-user/hppa/cpu_loop.c   |   6 +-
  linux-user/mmap.c|   4 +
  linux-user/signal-common.h   |  46 
  linux-user/signal.c  |  37 +
  linux-user/strace.c  | 142 ++-
  linux-user/strace.list   |  21 +-
  linux-user/syscall.c |  50 
  target/hppa/helper.c |   6 +-
  9 files changed, 255 insertions(+), 59 deletions(-)

--
2.37.3



Series applied to my linux-user-for-7.2 branch,
except PATCH 11 and 12 that have comments.

Thanks,
Laurent







[PULL 04/24] meson: Allow to enable gtk and sdl while cocoa is enabled

2022-09-27 Thread Gerd Hoffmann
From: Akihiko Odaki 

As ui/cocoa does no longer override main(), ui/gtk and ui/sdl
can be enabled even ui/cocoa is enabled.

Signed-off-by: Akihiko Odaki 
Reviewed-by: Peter Maydell 
Reviewed-by: Paolo Bonzini 
Message-Id: <20220819132756.74641-4-akihiko.od...@gmail.com>
Signed-off-by: Gerd Hoffmann 
---
 meson.build | 10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/meson.build b/meson.build
index 3885fc107633..d9ac91ff3659 100644
--- a/meson.build
+++ b/meson.build
@@ -589,12 +589,6 @@ endif
 
 cocoa = dependency('appleframeworks', modules: ['Cocoa', 'CoreVideo'],
required: get_option('cocoa'))
-if cocoa.found() and get_option('sdl').enabled()
-  error('Cocoa and SDL cannot be enabled at the same time')
-endif
-if cocoa.found() and get_option('gtk').enabled()
-  error('Cocoa and GTK+ cannot be enabled at the same time')
-endif
 
 vmnet = dependency('appleframeworks', modules: 'vmnet', required: 
get_option('vmnet'))
 if vmnet.found() and not cc.has_header_symbol('vmnet/vmnet.h',
@@ -921,7 +915,7 @@ if not get_option('brlapi').auto() or have_system
 endif
 
 sdl = not_found
-if not get_option('sdl').auto() or (have_system and not cocoa.found())
+if not get_option('sdl').auto() or have_system
   sdl = dependency('sdl2', required: get_option('sdl'), kwargs: static_kwargs)
   sdl_image = not_found
 endif
@@ -1187,7 +1181,7 @@ endif
 gtk = not_found
 gtkx11 = not_found
 vte = not_found
-if not get_option('gtk').auto() or (have_system and not cocoa.found())
+if not get_option('gtk').auto() or have_system
   gtk = dependency('gtk+-3.0', version: '>=3.22.0',
method: 'pkg-config',
required: get_option('gtk'),
-- 
2.37.3




[PULL 19/24] usbnet: Report link-up via interrupt endpoint in CDC-ECM mode

2022-09-27 Thread Gerd Hoffmann
From: Michael Brown 

Signed-off-by: Michael Brown 
Message-Id: <20220906183053.3625472-5-mc...@ipxe.org>
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/dev-network.c | 27 +--
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
index 9d83974ec9f0..ac1adca54355 100644
--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
@@ -91,6 +91,8 @@ enum usbstring_idx {
 #define USB_CDC_SET_ETHERNET_PACKET_FILTER 0x43
 #define USB_CDC_GET_ETHERNET_STATISTIC 0x44
 
+#define USB_CDC_NETWORK_CONNECTION 0x00
+
 #define LOG2_STATUS_INTERVAL_MSEC  5/* 1 << 5 == 32 msec */
 #define STATUS_BYTECOUNT   16   /* 8 byte header + data */
 
@@ -640,6 +642,8 @@ struct USBNetState {
 uint16_t filter;
 uint32_t vendorid;
 
+uint16_t connection;
+
 unsigned int out_ptr;
 uint8_t out_buf[2048];
 
@@ -1140,18 +1144,28 @@ static void usb_net_handle_control(USBDevice *dev, 
USBPacket *p,
 
 static void usb_net_handle_statusin(USBNetState *s, USBPacket *p)
 {
-le32 buf[2];
+le32 rbuf[2];
+uint16_t ebuf[4];
 
 if (p->iov.size < 8) {
 p->status = USB_RET_STALL;
 return;
 }
 
-buf[0] = cpu_to_le32(1);
-buf[1] = cpu_to_le32(0);
-usb_packet_copy(p, buf, 8);
-if (!s->rndis_resp.tqh_first) {
-p->status = USB_RET_NAK;
+if (is_rndis(s)) {
+rbuf[0] = cpu_to_le32(1);
+rbuf[1] = cpu_to_le32(0);
+usb_packet_copy(p, rbuf, 8);
+if (!s->rndis_resp.tqh_first) {
+p->status = USB_RET_NAK;
+}
+} else {
+ebuf[0] =
+cpu_to_be16(ClassInterfaceRequest | USB_CDC_NETWORK_CONNECTION);
+ebuf[1] = cpu_to_le16(s->connection);
+ebuf[2] = cpu_to_le16(1);
+ebuf[3] = cpu_to_le16(0);
+usb_packet_copy(p, ebuf, 8);
 }
 
 #ifdef TRAFFIC_DEBUG
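Review bot: In the CDC-ECM branch `ebuf[0]` is stored with `cpu_to_be16()` while the other three words use `cpu_to_le16()`, with no comment explaining the mix. It looks deliberate, since the first two bytes on the wire are bmRequestType then bNotification and `ClassInterfaceRequest` presumably carries the request type in its high byte, but it is easy to "correct" by mistake. I would add `/* bmRequestType, bNotification: two single bytes, hence big-endian packing */` above the assignment. Separately, unlike the RNDIS branch this one never sets `USB_RET_NAK`, so the same notification is returned on every poll; worth confirming that is intended.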
@@ -1366,6 +1380,7 @@ static void usb_net_realize(USBDevice *dev, Error **errp)
 s->media_state = 0;/* NDIS_MEDIA_STATE_CONNECTED */;
 s->filter = 0;
 s->vendorid = 0x1234;
+s->connection = 1; /* Connected */
 s->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);
 s->bulk_in = usb_ep_get(dev, USB_TOKEN_IN, 2);
 
-- 
2.37.3



