Re: [Qemu-devel] [PULL 00/12] Misc bugfixes for QEMU hard freeze

2019-07-05 Thread Eric Blake
On 7/5/19 11:32 PM, Eric Blake wrote:
> On 7/5/19 2:50 PM, Paolo Bonzini wrote:
>> The following changes since commit 68d7ff0cff0c4905802104843cf0100543b47314:
>>
>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
>> staging (2019-06-21 13:32:10 +0100)
>>
>> are available in the git repository at:
>>
>>
>>   git://github.com/bonzini/qemu.git tags/for-upstream
>>
>> for you to fetch changes up to 2994e7e66a8902d0e42c5e528489ca6484c66d2d:
>>
>>   ioapic: use irq number instead of vector in ioapic_eoi_broadcast 
>> (2019-07-05 18:35:43 +0200)
> 
> Missing v2 in the subject line to distinguish this from the failed v1
> pull request. And per the comments on 11/12, it may need a v3 pull
> request to fix an issue with a missing S-o-b.

Or is this the v1, and the other posting v2?

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org





Re: [Qemu-devel] [PULL 11/12] hw/i386: Fix linker error when ISAPC is disabled

2019-07-05 Thread Markus Armbruster
Markus Armbruster  writes:

> Paolo Bonzini  writes:
>
>> From: Julio Montes 
>>
>> v2: include config-devices.h to use CONFIG_IDE_ISA
>>
>> Message-Id: <20190705143554.10295-2-julio.mon...@intel.com>
>> Signed-off-by: Paolo Bonzini 
>
> You lost Julio's S-o-B due to his ill-advised '---' line.  Also the part
> of his commit message that should be committed.  Same for PULL 10/12.

Ah, you fixed the S-o-B in v2.  You decide whether restoring the lost
parts of the commit message is worth a respin.



Re: [Qemu-devel] [PULL 00/12] Misc bugfixes for QEMU hard freeze

2019-07-05 Thread Eric Blake
On 7/5/19 2:50 PM, Paolo Bonzini wrote:
> The following changes since commit 68d7ff0cff0c4905802104843cf0100543b47314:
> 
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2019-06-21 13:32:10 +0100)
> 
> are available in the git repository at:
> 
> 
>   git://github.com/bonzini/qemu.git tags/for-upstream
> 
> for you to fetch changes up to 2994e7e66a8902d0e42c5e528489ca6484c66d2d:
> 
>   ioapic: use irq number instead of vector in ioapic_eoi_broadcast 
> (2019-07-05 18:35:43 +0200)

Missing v2 in the subject line to distinguish this from the failed v1
pull request. And per the comments on 11/12, it may need a v3 pull
request to fix an issue with a missing S-o-b.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org





Re: [Qemu-devel] [PULL 11/12] hw/i386: Fix linker error when ISAPC is disabled

2019-07-05 Thread Markus Armbruster
Paolo Bonzini  writes:

> From: Julio Montes 
>
> v2: include config-devices.h to use CONFIG_IDE_ISA
>
> Message-Id: <20190705143554.10295-2-julio.mon...@intel.com>
> Signed-off-by: Paolo Bonzini 

You lost Julio's S-o-B due to his ill-advised '---' line.  Also the part
of his commit message that should be committed.  Same for PULL 10/12.



Re: [Qemu-devel] [PATCH v2 1/2] Makefile: generate header file with the list of devices enabled

2019-07-05 Thread Markus Armbruster
Advice for your *next* patch submission (this one's already queued):

1. Use a cover letter for submitting multiple patches together.

Julio Montes  writes:

> v2: generate config-devices.h which contains the list of devices enabled
> ---
> config-devices.h is an auto-generated header file that will use
> config-devices.mak to define the list of devices enabled.
> Configs that are set to 'n' are ignored.
>
> Signed-off-by: Julio Montes 

2. Anything below a '---' line will be thrown away on commit.  The text
describing the patch must go above the '---' line, not below.
Additional notes of no permanent interest, such as changes since prior
revisions, go below the '---' line.
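
The effect of the '---' rule on the message quoted above, as an added example (not part of the original thread, and not QEMU or git code): a simplified model of the split `git am` performs, run over the message text from this thread plus a constructed diffstat tail. The function names and finding codes are illustrative.

```python
import re

# Simplified model of the split `git am` applies to a mail body: the commit
# message ends at the first line that is "---" plus optional whitespace, or
# where the diff itself begins. (The mail Subject becomes the commit subject.)
SEPARATOR = re.compile(r"^---\s*$")
DIFF_START = re.compile(r"^diff -")
SIGNED_OFF = re.compile(r"^Signed-off-by:\s*\S")
CHANGELOG = re.compile(r"^v\d+\s*:", re.IGNORECASE)
DIFFSTAT = re.compile(r"^\s+\S.*\|\s+\d+|^\s*\d+ files? changed")


def split_body(body):
    """Return (kept, discarded): lines that reach the commit, and notes that do not."""
    lines = body.splitlines()
    cut = next((i for i, l in enumerate(lines)
                if SEPARATOR.match(l) or DIFF_START.match(l)), len(lines))
    at_sep = cut < len(lines) and SEPARATOR.match(lines[cut])
    notes = lines[cut + 1:] if at_sep else []
    diff_at = next((i for i, l in enumerate(notes) if DIFF_START.match(l)), len(notes))
    return lines[:cut], notes[:diff_at]


def is_prose(line):
    """True for descriptive text, as opposed to trailers, changelogs and diffstat."""
    if not line.strip():
        return False
    return not any(p.match(line) for p in (SIGNED_OFF, CHANGELOG, DIFFSTAT, SEPARATOR))


def check_patch_body(body):
    """Return finding codes for a patch mail body; an empty list means clean."""
    kept, discarded = split_body(body)
    findings = []
    if not any(SIGNED_OFF.match(l) for l in kept):
        findings.append("sob-missing")            # commit would carry no S-o-b
    if any(SIGNED_OFF.match(l) for l in discarded):
        findings.append("sob-discarded")          # S-o-b sits below '---'
    if any(CHANGELOG.match(l) for l in kept):
        findings.append("changelog-committed")    # "v2: ..." would be committed
    if not any(is_prose(l) for l in kept) and any(is_prose(l) for l in discarded):
        findings.append("description-discarded")  # description sits below '---'
    return findings


# Constructed tail (diffstat and diff header); the thread does not show the diff.
TAIL = "---\n Makefile | 1 +\n 1 file changed, 1 insertion(+)\n\ndiff --git a/Makefile b/Makefile\n"

# Message text as quoted in this thread.
AS_SENT = """\
v2: generate config-devices.h which contains the list of devices enabled
---
config-devices.h is an auto-generated header file that will use
config-devices.mak to define the list of devices enabled.
Configs that are set to 'n' are ignored.

Signed-off-by: Julio Montes
""" + TAIL

# The same text ordered as the advice above describes.
REORDERED = """\
config-devices.h is an auto-generated header file that will use
config-devices.mak to define the list of devices enabled.
Configs that are set to 'n' are ignored.

Signed-off-by: Julio Montes
---
v2: generate config-devices.h which contains the list of devices enabled
""" + TAIL

if __name__ == "__main__":
    print("as sent:  ", check_patch_body(AS_SENT))
    print("reordered:", check_patch_body(REORDERED))
```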



[Qemu-devel] [RFC v2 1/2] hw/pvrdma: make DSR mapping idempotent in load_dsr()

2019-07-05 Thread Sukrit Bhatnagar
Map to DSR only when there is no mapping done already i.e., when
dev->dsr_info.dsr is NULL. This allows the rest of mappings and
ring inits to be done by calling load_dsr() when DSR has already
been mapped to, somewhere else.

Move free_dsr() out of load_dsr() and call it before the latter
as and when needed. This aids the case where load_dsr() is called
having DSR mapping already done, but the rest of map and init
operations are pending, and prevents an unmap of the DSR.

Cc: Marcel Apfelbaum 
Cc: Yuval Shaia 
Signed-off-by: Sukrit Bhatnagar 
---
 hw/rdma/vmw/pvrdma_main.c | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index adcf79cd63..6c90db96f9 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -172,15 +172,15 @@ static int load_dsr(PVRDMADev *dev)
 DSRInfo *dsr_info;
 struct pvrdma_device_shared_region *dsr;
 
-free_dsr(dev);
-
-/* Map to DSR */
-dev->dsr_info.dsr = rdma_pci_dma_map(pci_dev, dev->dsr_info.dma,
-  sizeof(struct pvrdma_device_shared_region));
 if (!dev->dsr_info.dsr) {
-rdma_error_report("Failed to map to DSR");
-rc = -ENOMEM;
-goto out;
+/* Map to DSR */
+dev->dsr_info.dsr = rdma_pci_dma_map(pci_dev, dev->dsr_info.dma,
+  sizeof(struct pvrdma_device_shared_region));
+if (!dev->dsr_info.dsr) {
+rdma_error_report("Failed to map to DSR");
+rc = -ENOMEM;
+goto out;
+}
 }
 
 /* Shortcuts */
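
Review bot: the new "if (!dev->dsr_info.dsr)" guard in load_dsr() treats any non-NULL pointer as a live mapping of the current dsr_info.dma, so correctness now depends on free_dsr() clearing dev->dsr_info.dsr, which these lines do not show. Please confirm free_dsr() resets the pointer to NULL (otherwise the DSRHIGH path would skip the remap and keep using an unmapped pointer), and add a comment above load_dsr() saying that callers who want a fresh mapping must call free_dsr() first.
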
@@ -402,6 +402,7 @@ static void pvrdma_regs_write(void *opaque, hwaddr addr, 
uint64_t val,
 case PVRDMA_REG_DSRHIGH:
 trace_pvrdma_regs_write(addr, val, "DSRHIGH", "");
 dev->dsr_info.dma |= val << 32;
+free_dsr(dev);
 load_dsr(dev);
 init_dsr_dev_caps(dev);
 break;
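
Review bot: in the PVRDMA_REG_DSRHIGH case the return value of load_dsr(dev) is still ignored, so init_dsr_dev_caps(dev) runs even when the mapping failed with -ENOMEM. This register is written by the guest, so unless init_dsr_dev_caps() checks for a NULL dsr itself, consider testing the result and leaving the case early on failure, for example "if (load_dsr(dev)) { break; }".
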
-- 
2.21.0




[Qemu-devel] [RFC v2 2/2] hw/pvrdma: add live migration support

2019-07-05 Thread Sukrit Bhatnagar
Use VMStateDescription for migrating device state. Currently,
'vmstate_pvrdma' describes the PCI and MSIX state for pvrdma and
'vmstate_pvrdma_dsr_dma' describes a temporary state containing
some values obtained only after mapping to dsr in the source.
Since the dsr will not be available on dest until we map to the
dma address we had on source, these values cannot be migrated
directly.

Add PVRDMAMigTmp to store this temporary state which consists of
dma addresses and ring page information. The 'parent' member is
used to refer to the device state (PVRDMADev) so that parent PCI
device object is accessible, which is needed to remap to DSR.

pvrdma_dsr_dma_pre_save() saves the dsr state into this temporary
representation and pvrdma_dsr_dma_post_load() loads it back.
This load function also remaps to the dsr and calls
load_dsr() for further map and ring init operations.

Please note that this call to load_dsr() can be removed from the
migration flow and included in pvrdma_regs_write() to perform a
lazy load.
As of now, migration will fail if there is an error in load_dsr().
Also, there might be a considerable amount of pages in the rings,
which will have dma map operations when the init functions are
called.
If this takes noticeable time, it might be better to have lazy
load instead.

Cc: Marcel Apfelbaum 
Cc: Yuval Shaia 
Signed-off-by: Sukrit Bhatnagar 
---
 hw/rdma/vmw/pvrdma_main.c | 87 +++
 1 file changed, 87 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 6c90db96f9..4a10bd2fc7 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -28,6 +28,7 @@
 #include "sysemu/sysemu.h"
 #include "monitor/monitor.h"
 #include "hw/rdma/rdma.h"
+#include "migration/register.h"
 
 #include "../rdma_rm.h"
 #include "../rdma_backend.h"
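
Review bot: "migration/register.h" looks like a leftover from the SaveVMHandlers approach of v1; the code added below uses only VMStateDescription and the VMSTATE_* macros, which are declared in migration/vmstate.h. Please include that header instead, or drop this line if the declarations are already pulled in by another include.
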
@@ -593,6 +594,91 @@ static void pvrdma_shutdown_notifier(Notifier *n, void 
*opaque)
 pvrdma_fini(pci_dev);
 }
 
+struct PVRDMAMigTmp {
+PVRDMADev *parent;
+uint64_t dma;
+uint64_t cmd_slot_dma;
+uint64_t resp_slot_dma;
+uint32_t cq_ring_pages_num_pages;
+uint64_t cq_ring_pages_pdir_dma;
+uint32_t async_ring_pages_num_pages;
+uint64_t async_ring_pages_pdir_dma;
+};
+
+static int pvrdma_dsr_dma_pre_save(void *opaque)
+{
+struct PVRDMAMigTmp *tmp = opaque;
+DSRInfo *dsr_info = >parent->dsr_info;
+struct pvrdma_device_shared_region *dsr = dsr_info->dsr;
+
+tmp->dma = dsr_info->dma;
+tmp->cmd_slot_dma = dsr->cmd_slot_dma;
+tmp->resp_slot_dma = dsr->resp_slot_dma;
+tmp->cq_ring_pages_num_pages = dsr->cq_ring_pages.num_pages;
+tmp->cq_ring_pages_pdir_dma = dsr->cq_ring_pages.pdir_dma;
+tmp->async_ring_pages_num_pages = dsr->async_ring_pages.num_pages;
+tmp->async_ring_pages_pdir_dma = dsr->async_ring_pages.pdir_dma;
+
+return 0;
+}
+
+static int pvrdma_dsr_dma_post_load(void *opaque, int version_id)
+{
+struct PVRDMAMigTmp *tmp = opaque;
+PVRDMADev *dev = tmp->parent;
+PCIDevice *pci_dev = PCI_DEVICE(dev);
+DSRInfo *dsr_info = >dsr_info;
+struct pvrdma_device_shared_region *dsr;
+
+dsr_info->dma = tmp->dma;
+dsr_info->dsr = rdma_pci_dma_map(pci_dev, dsr_info->dma,
+sizeof(struct pvrdma_device_shared_region));
+if (!dsr_info->dsr) {
+rdma_error_report("Failed to map to DSR");
+return -ENOMEM;
+}
+
+dsr = dsr_info->dsr;
+dsr->cmd_slot_dma = tmp->cmd_slot_dma;
+dsr->resp_slot_dma = tmp->resp_slot_dma;
+dsr->cq_ring_pages.num_pages = tmp->cq_ring_pages_num_pages;
+dsr->cq_ring_pages.pdir_dma = tmp->cq_ring_pages_pdir_dma;
+dsr->async_ring_pages.num_pages = tmp->async_ring_pages_num_pages;
+dsr->async_ring_pages.pdir_dma = tmp->async_ring_pages_pdir_dma;
+
+return load_dsr(dev);
+}
+
+static const VMStateDescription vmstate_pvrdma_dsr_dma = {
+.name = "pvrdma-dsr-dma",
+.pre_save = pvrdma_dsr_dma_pre_save,
+.post_load = pvrdma_dsr_dma_post_load,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(dma, struct PVRDMAMigTmp),
+VMSTATE_UINT64(cmd_slot_dma, struct PVRDMAMigTmp),
+VMSTATE_UINT64(resp_slot_dma, struct PVRDMAMigTmp),
+VMSTATE_UINT32(async_ring_pages_num_pages, struct PVRDMAMigTmp),
+VMSTATE_UINT64(async_ring_pages_pdir_dma, struct PVRDMAMigTmp),
+VMSTATE_UINT32(cq_ring_pages_num_pages, struct PVRDMAMigTmp),
+VMSTATE_UINT64(cq_ring_pages_pdir_dma, struct PVRDMAMigTmp),
+VMSTATE_END_OF_LIST()
+}
+};
+
+static const VMStateDescription vmstate_pvrdma = {
+.name = "pvrdma",
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_PCI_DEVICE(parent_obj, PVRDMADev),
+VMSTATE_MSIX(parent_obj, PVRDMADev),
+VMSTATE_WITH_TMP(PVRDMADev,
+ struct PVRDMAMigTmp,
+ 
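
Review bot: pvrdma_dsr_dma_pre_save() dereferences dsr_info->dsr without a check ("tmp->cmd_slot_dma = dsr->cmd_slot_dma;"), while the guard added to load_dsr() in patch 1/2 shows that this pointer can be NULL, so a migration started before the DSR is mapped would crash the source; add a NULL check there. In pvrdma_dsr_dma_post_load() the num_pages and pdir_dma values come straight from the migration stream and are written into the DSR before load_dsr(dev) runs, so they should be range-checked on load rather than trusted.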

[Qemu-devel] [RFC v2 0/2] Add live migration support in the PVRDMA device

2019-07-05 Thread Sukrit Bhatnagar
Changes in v2:

* Modify load_dsr() such that dsr mapping is not performed if dsr value
  is non-NULL. Also move free_dsr() out of load_dsr() and call it right
  before if needed. These two changes will allow us to call load_dsr()
  even when we have already done dsr mapping and would like to go on
  with the rest of mappings.

* Use VMStateDescription instead of SaveVMHandlers to describe migration
  state. Also add fields for parent PCI object and MSIX.

* Use a temporary structure (struct PVRDMAMigTmp) to hold some fields
  during migration. These fields, such as cmd_slot_dma and resp_slot_dma
  inside dsr, do not fit into VMSTATE macros as their container
  (dsr_info->dsr) will not be ready until it is mapped on the dest.

* Perform mappings to CQ and event notification rings after the state is
  loaded. This is an extension to the mappings performed in v1;
  following the flow of load_dsr(). All the mappings are successfully
  done on the dest on state load.

Link(s) to v1:
https://lists.gnu.org/archive/html/qemu-devel/2019-06/msg04924.html
https://lists.gnu.org/archive/html/qemu-devel/2019-06/msg04923.html


Things working now (were not working at the time of v1):

* vmxnet3 is migrating successfully. The issue was in the migration of
  its PCI configuration space, and is solved by the patch Marcel had sent:
  https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01500.html

* There is no problem due to BounceBuffers which were failing the dma mapping
  calls in state load logic earlier. Not sure exactly how it went away. I am
  guessing that adding the PCI and MSIX state to migration solved the issue.


What is still needed:

* A workaround to get libvirt to support same-host migration. Since
  the problems faced in v1 (mentioned above) are out of the way, we
  can move further, and in doing so, we will need this.

Sukrit Bhatnagar (2):
  hw/pvrdma: make DSR mapping idempotent in load_dsr()
  hw/pvrdma: add live migration support

 hw/rdma/vmw/pvrdma_main.c | 104 +++---
 1 file changed, 96 insertions(+), 8 deletions(-)

-- 
2.21.0




Re: [Qemu-devel] [PATCH v2 01/18] qapi/block-core: Introduce BackupCommon

2019-07-05 Thread Markus Armbruster
John Snow  writes:

> On 7/5/19 10:14 AM, Markus Armbruster wrote:
>> John Snow  writes:
>> 
>>> drive-backup and blockdev-backup have an awful lot of things in common
>>> that are the same. Let's fix that.
>>>
>>> I don't deduplicate 'target', because the semantics actually did change
>>> between each structure. Leave that one alone so it can be documented
>>> separately.
>>>
>>> Signed-off-by: John Snow 
>>> ---
>>>  qapi/block-core.json | 103 ++-
>>>  1 file changed, 33 insertions(+), 70 deletions(-)
>>>
>>> diff --git a/qapi/block-core.json b/qapi/block-core.json
>>> index 0d43d4f37c..7b23efcf13 100644
>>> --- a/qapi/block-core.json
>>> +++ b/qapi/block-core.json
>>> @@ -1315,32 +1315,23 @@
>>>'data': { 'node': 'str', 'overlay': 'str' } }
>>>  
>>>  ##
>>> -# @DriveBackup:
>>> +# @BackupCommon:
>>>  #
>>>  # @job-id: identifier for the newly-created block job. If
>>>  #  omitted, the device name will be used. (Since 2.7)
>>>  #
>>>  # @device: the device name or node-name of a root node which should be 
>>> copied.
>>>  #
>>> -# @target: the target of the new image. If the file exists, or if it
>>> -#  is a device, the existing file/device will be used as the new
>>> -#  destination.  If it does not exist, a new file will be created.
>>> -#
>>> -# @format: the format of the new destination, default is to
>>> -#  probe if @mode is 'existing', else the format of the source
>>> -#
>>>  # @sync: what parts of the disk image should be copied to the destination
>>>  #(all the disk, only the sectors allocated in the topmost image, 
>>> from a
>>>  #dirty bitmap, or only new I/O).
>> 
>> This is DriveBackup's wording.  Blockdev lacks "from a dirty bitmap, ".
>> Is this a doc fix?
>
> Yes.

Worth mentioning in the commit message?

>>>  #
>>> -# @mode: whether and how QEMU should create a new image, default is
>>> -#'absolute-paths'.
>>> -#
>>> -# @speed: the maximum speed, in bytes per second
>>> +# @speed: the maximum speed, in bytes per second. The default is 0,
>>> +# for unlimited.
>> 
>> This is Blockdev's wording.  DriveBackup lacks "the default is 0, for
>> unlimited."  Is this a doc fix?
>
> Yes.

Worth mentioning in the commit message?

[...]



Re: [Qemu-devel] [RFC PATCH-for-4.2] tracing: Allow to tune tracing options via the environment

2019-07-05 Thread Markus Armbruster
Philippe Mathieu-Daudé  writes:

> On 7/5/19 3:19 PM, Markus Armbruster wrote:
>> Philippe Mathieu-Daudé  writes:
>>> On 7/5/19 10:07 AM, Stefan Hajnoczi wrote:
>>>> On Thu, Jul 04, 2019 at 11:28:37AM +0100, Daniel P. Berrangé wrote:
>>>>> On Thu, Jul 04, 2019 at 11:24:57AM +0100, Stefan Hajnoczi wrote:
[...]
>> What is the concern about adding these environment variables to QEMU?
>>
>> It is convenient to be able to use tracing even if QEMU is invoked by
>> something you cannot modify/control.
>>
>> The main issues I see with environment variables are:
>>
>> 1. Security.  Is there a scenario where an attacker can use environment
>>variables to influence the behavior of a QEMU process running at a
>>different trust level?
>> 
>> The common (and sad) solution for this is to require whatever runs $PROG
>> at a different trust level to scrub the environment.
>
> I hope people concerned by security build QEMU with the NOP trace backend.

I sure hope at least one of our tracing backends (other than nop) can be
used safely in production.

>> 2. Name collision.  What is the chance that existing users already
>>define environment variables with these names and that unexpected
>>behavior could result?
[...]
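
One way for a launcher running at a higher trust level to scrub the environment, as discussed in the message above (an added example, not part of the original thread and not QEMU code): an allowlist shown beside a denylist. QEMU_TRACE_EVENTS is a hypothetical variable name, since the names proposed in the RFC are not shown on this page, and the lists are an assumed site policy.

```python
import os
import subprocess
import sys

# Assumptions for illustration: QEMU_TRACE_EVENTS is a hypothetical tracing
# variable, and the lists below are a site policy, not anything QEMU defines.
DENYLIST = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}
ALLOWLIST = {"LANG", "LC_ALL", "TZ"}
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def denylist_env(parent):
    """Weak form: remove only the names known to be dangerous when this was written.

    A variable that a later QEMU release starts honouring passes straight through.
    """
    return {k: v for k, v in parent.items() if k not in DENYLIST}


def allowlist_env(parent):
    """Scrubbed form: keep named variables only and pin PATH.

    Returns (child_env, dropped) so the launcher can log what it removed.
    PATH appears in dropped because the caller's value is replaced.
    """
    env = {k: v for k, v in parent.items() if k in ALLOWLIST}
    env["PATH"] = TRUSTED_PATH
    dropped = sorted(k for k in parent if k not in ALLOWLIST)
    return env, dropped


def launch(argv, parent=None):
    """Run argv (the QEMU command line in real use) with the scrubbed environment."""
    env, dropped = allowlist_env(dict(os.environ) if parent is None else parent)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    return proc, dropped


# Constructed environment of a less trusted caller.
CALLER_ENV = {
    "PATH": "/home/user/bin:/usr/bin",
    "LANG": "C.UTF-8",
    "LD_PRELOAD": "/home/user/lib/hook.so",
    "QEMU_TRACE_EVENTS": "*",
}

if __name__ == "__main__":
    # A Python child stands in for QEMU and reports the variables it inherited.
    child = [sys.executable, "-c", "import os; print(sorted(os.environ))"]
    proc, dropped = launch(child, CALLER_ENV)
    print("denylist lets through:", sorted(denylist_env(CALLER_ENV)))
    print("allowlist child sees: ", proc.stdout.strip())
    print("dropped by allowlist: ", dropped)
```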



Re: [Qemu-devel] [PATCH v22 00/22] Add RX archtecture support

2019-07-05 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20190705083141.106254-1-ys...@users.sourceforge.jp/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Subject: [Qemu-devel] [PATCH v22 00/22] Add RX archtecture support
Message-id: 20190705083141.106254-1-ys...@users.sourceforge.jp

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

From https://github.com/patchew-project/qemu
 - [tag update]  patchew/20190705083141.106254-1-ys...@users.sourceforge.jp 
-> patchew/20190705083141.106254-1-ys...@users.sourceforge.jp
Switched to a new branch 'test'
768db26 target/rx: remove unused functions.
ed8a99e BootLinuxConsoleTest: Test the RX-Virt machine
ce60411 Add rx-softmmu
c5fdb33 hw/rx: Restrict the RX62N microcontroller to the RX62N CPU core
42ed9fc hw/rx: Honor -accel qtest
0af198e hw/rx: RX Target hardware definition
9dba70d hw/char: RX62N serial communication interface (SCI)
bb02bef hw/timer: RX62N internal timer modules
84a988c hw/intc: RX62N interrupt controller (ICUa)
214861a target/rx: Dump bytes for each insn during disassembly
bc5426a target/rx: Collect all bytes during disassembly
be621d1 target/rx: Emit all disassembly in one prt()
c033e57 target/rx: Use prt_ldmi for XCHG_mr disassembly
8c061e4 target/rx: Replace operand with prt_ldmi in disassembler
5fd1d69 target/rx: Disassemble rx_index_addr into a string
4b360ac target/rx: RX disassembler
5900729 target/rx: CPU definition
a2a8f4d target/rx: TCG helper
4bafc3d target/rx: TCG translation
cba7819 hw/registerfields.h: Add 8bit and 16bit register macros
9a9de6e qemu/bitops.h: Add extract8 and extract16
8ca7f4f MAINTAINERS: Add RX

=== OUTPUT BEGIN ===
1/22 Checking commit 8ca7f4ffdd07 (MAINTAINERS: Add RX)
2/22 Checking commit 9a9de6ed241d (qemu/bitops.h: Add extract8 and extract16)
3/22 Checking commit cba7819b1f0a (hw/registerfields.h: Add 8bit and 16bit 
register macros)
Use of uninitialized value in concatenation (.) or string at 
./scripts/checkpatch.pl line 2467.
ERROR: Macros with multiple statements should be enclosed in a do - while loop
#27: FILE: include/hw/registerfields.h:25:
+#define REG8(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) };

ERROR: Macros with multiple statements should be enclosed in a do - while loop
#31: FILE: include/hw/registerfields.h:29:
+#define REG16(reg, addr)  \
+enum { A_ ## reg = (addr) };  \
+enum { R_ ## reg = (addr) / 2 };

total: 2 errors, 0 warnings, 56 lines checked

Patch 3/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

4/22 Checking commit 4bafc3dd09d7 (target/rx: TCG translation)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#20: 
new file mode 100644

total: 0 errors, 1 warnings, 3065 lines checked

Patch 4/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
5/22 Checking commit a2a8f4dcb738 (target/rx: TCG helper)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#25: 
new file mode 100644

total: 0 errors, 1 warnings, 649 lines checked

Patch 5/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
6/22 Checking commit 5900729079cb (target/rx: CPU definition)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#29: 
new file mode 100644

total: 0 errors, 1 warnings, 622 lines checked

Patch 6/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
7/22 Checking commit 4b360ac5c2a1 (target/rx: RX disassembler)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#38: 
new file mode 100644

total: 0 errors, 1 warnings, 1497 lines checked

Patch 7/22 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
8/22 Checking commit 5fd1d69a85e3 (target/rx: Disassemble rx_index_addr into a 
string)
9/22 Checking commit 8c061e412fe5 (target/rx: Replace operand with prt_ldmi in 
disassembler)
10/22 Checking commit c033e579b386 (target/rx: Use prt_ldmi for XCHG_mr 
disassembly)
11/22 Checking commit be621d169e8f (target/rx: Emit all disassembly in one 
prt())
12/22 Checking commit bc5426af2c01 (target/rx: Collect all bytes during 
disassembly)
13/22 Checking commit 214861ad93dd (target/rx: Dump 

Re: [Qemu-devel] [PATCH 6/7] target/i386: add VMX features

2019-07-05 Thread Paolo Bonzini
On 06/07/19 00:33, Eduardo Habkost wrote:
> Oh, that's the info I was missing.  I always expected
> kvm_arch_get_supported_*() to be subject to change (depending on
> KVM and hardware capabilities), and not be part of guest ABI.

For most bits that's true.  Just not for these ones, because they are
integer values rather than bit flags.

The reason for the complex rules is that you need to know what is a
flag, what is a fixed value that the guest uses, and what is a maximum
supported value.  Simpler userspace than QEMU can just use the defaults
since they don't care about maintaining the guest ABI.

> Now, if KVM is going to implement the guest ABI guarantee at
> KVM_GET_MSRS, that's OK.  Is this going to be obvious to people
> touching KVM_GET_MSRS in the future?
> 
> What if we do want the guest ABI to change in the future?  How do
> you expect QEMU to ask KVM to enable the new guest ABI?  How do
> you expect the user to ask QEMU to enable the new guest ABI?

That would be with ioctl(KVM_ENABLE_CAP) for KVM, and with -cpu for QEMU.

>> - KVM could change bits 16-24, but it always allows writing a value that
>> is _smaller_ than the one you read.  So I'm zeroing those, ensuring no
>> future ABI changes.
>>
>> - KVM could in theory change bits 25-27: here it also allows writing a
>> value that is smaller than the one you read, so guest ABI is preserved.
>>  Such a change is very unlikely, all Intel silicon has always had 0
>> here.  But I can change the code to zero these three bits just like bits
>> 16-24.
> 
> The complex rules above make me a bit nervous.  Can we at least
> make QEMU validate the values returned by
> kvm_arch_get_supported_msr_feature() to catch ABI-breaking
> mistakes in the future?

I don't know... I'm a bit wary of adding hard-coded values in QEMU,
userspace simply should not care.  But I can add comments to KVM to
remind people of values that should not be changed.

Paolo



Re: [Qemu-devel] [RFC PATCH-for-4.1 v4 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]

2019-07-05 Thread Francisco Iglesias
Hi Philippe,

On [2019 Jul 05] Fri 22:25:00, Philippe Mathieu-Daudé wrote:
> Both lqspi_read() and lqspi_load_cache() expect a 32-bit
> aligned address.
> 
> Set MemoryRegionOps.impl values to force 32-bit accesses,
> this way we are sure we do not access the lqspi_buf[] array
> out of bound.

The patch and correction follows chapter 24 as well (UG1085) so I suggest
dropping 'RFC' in the subject.

> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Late friday patch...
> 
>  hw/ssi/xilinx_spips.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 3c4e8365ee..8f705132a3 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -1243,6 +1243,10 @@ static const MemoryRegionOps lqspi_ops = {
>  .min_access_size = 1,
>  .max_access_size = 4
>  }

A comma is missing on the line above (else the patch doesn't compile).

Best regards,
Francisco

> +.impl = {
> +.min_access_size = 4,
> +.max_access_size = 4,
> +}
>  };
>  
>  static void xilinx_spips_realize(DeviceState *dev, Error **errp)
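
Review bot: forcing .impl.min_access_size = 4 only protects lqspi_buf[] if every access the block above still accepts (min_access_size = 1 up to max_access_size = 4) reaches lqspi_read() with a 4-byte-aligned address, and the hunk does not show that for a 1- or 2-byte access at an address that is not a multiple of 4. Consider also masking or rejecting unaligned addresses explicitly, or keeping a bounds check in lqspi_read(), so the guarantee does not rest on the memory core's size adjustment alone.
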
> -- 
> 2.20.1
> 



Re: [Qemu-devel] [PATCH 6/7] target/i386: add VMX features

2019-07-05 Thread Eduardo Habkost
On Sat, Jul 06, 2019 at 12:42:22AM +0200, Paolo Bonzini wrote:
> On 06/07/19 00:33, Eduardo Habkost wrote:
> > Oh, that's the info I was missing.  I always expected
> > kvm_arch_get_supported_*() to be subject to change (depending on
> > KVM and hardware capabilities), and not be part of guest ABI.
> 
> For most bits that's true.  Just not for these ones, because they are
> integer values rather than bit flags.
> 
> The reason for the complex rules is that you need to know what is a
> flag, what is a fixed value that the guest uses, and what is a maximum
> supported value.  Simpler userspace than QEMU can just use the defaults
> since they don't care about maintaining the guest ABI.
> 
> > Now, if KVM is going to implement the guest ABI guarantee at
> > KVM_GET_MSRS, that's OK.  Is this going to be obvious to people
> > touching KVM_GET_MSRS in the future?
> > 
> > What if we do want the guest ABI to change in the future?  How do
> > you expect QEMU to ask KVM to enable the new guest ABI?  How do
> > you expect the user to ask QEMU to enable the new guest ABI?
> 
> That would be with ioctl(KVM_ENABLE_CAP) for KVM, and with -cpu for QEMU.

Makes sense to me.

> 
> >> - KVM could change bits 16-24, but it always allows writing a value that
> >> is _smaller_ than the one you read.  So I'm zeroing those, ensuring no
> >> future ABI changes.
> >>
> >> - KVM could in theory change bits 25-27: here it also allows writing a
> >> value that is smaller than the one you read, so guest ABI is preserved.
> >>  Such a change is very unlikely, all Intel silicon has always had 0
> >> here.  But I can change the code to zero these three bits just like bits
> >> 16-24.
> > 
> > The complex rules above make me a bit nervous.  Can we at least
> > make QEMU validate the values returned by
> > kvm_arch_get_supported_msr_feature() to catch ABI-breaking
> > mistakes in the future?
> 
> I don't know... I'm a bit wary of adding hard-coded values in QEMU,
> userspace simply should not care.  But I can add comments to KVM to
> remind people of values that should not be changed.

Sounds good to me.  If we're worried about breaking guest ABI by
accident, we can include the MSRs in the guest ABI validation
test cases I'm working on.

-- 
Eduardo



[Qemu-devel] [PULL v6 36/42] i386: Replace -noTSX, -IBRS, -IBPB CPU models with aliases

2019-07-05 Thread Eduardo Habkost
The old CPU models will be just aliases for specific versions of
the original CPU models.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-7-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 601 ++
 1 file changed, 21 insertions(+), 580 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 51beebdb27..f41917649d 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1439,6 +1439,7 @@ typedef struct PropValue {
 
 typedef struct X86CPUVersionDefinition {
 X86CPUVersion version;
+const char *alias;
 PropValue *props;
 } X86CPUVersionDefinition;
 
@@ -1855,7 +1856,7 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { .version = 1 },
 {
 .version = 2,
-/* Equivalent to Nehalem-IBRS */
+.alias = "Nehalem-IBRS",
 .props = (PropValue[]) {
 { "spec-ctrl", "on" },
 { "model-id",
@@ -1866,36 +1867,6 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { /* end of list */ }
 }
 },
-{
-.name = "Nehalem-IBRS",
-.level = 11,
-.vendor = CPUID_VENDOR_INTEL,
-.family = 6,
-.model = 26,
-.stepping = 3,
-.features[FEAT_1_EDX] =
-CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
-CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
-CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
-CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
-CPUID_DE | CPUID_FP87,
-.features[FEAT_1_ECX] =
-CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
-CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
-.features[FEAT_7_0_EDX] =
-CPUID_7_0_EDX_SPEC_CTRL,
-.features[FEAT_8000_0001_EDX] =
-CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
-.features[FEAT_8000_0001_ECX] =
-CPUID_EXT3_LAHF_LM,
-.xlevel = 0x8008,
-.model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
-/*
- * This CPU model will eventually be replaced by an alias,
- * don't register any versions for it.
- */
-.versions = (X86CPUVersionDefinition[]) { { /* end of list */ } },
-},
 {
 .name = "Westmere",
 .level = 11,
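
Review bot: nothing visible here shows that version 2 with the "Nehalem-IBRS" alias set in the preceding hunk yields the same guest-visible CPUID as the "Nehalem-IBRS" definition deleted in this one (level 11, model 26, stepping 3, CPUID_7_0_EDX_SPEC_CTRL and its own model_id). Guests started under the old name must not see a change, in particular in whether spec-ctrl is exposed, so please say in the commit message how each alias was checked against the entry it replaces, or add a test that compares them.
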
@@ -1925,7 +1896,7 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { .version = 1 },
 {
 .version = 2,
-/* Equivalent to Westmere-IBRS */
+.alias = "Westmere-IBRS",
 .props = (PropValue[]) {
 { "spec-ctrl", "on" },
 { "model-id",
@@ -1936,39 +1907,6 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { /* end of list */ }
 }
 },
-{
-.name = "Westmere-IBRS",
-.level = 11,
-.vendor = CPUID_VENDOR_INTEL,
-.family = 6,
-.model = 44,
-.stepping = 1,
-.features[FEAT_1_EDX] =
-CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
-CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
-CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
-CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
-CPUID_DE | CPUID_FP87,
-.features[FEAT_1_ECX] =
-CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 |
-CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
-CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3,
-.features[FEAT_8000_0001_EDX] =
-CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
-.features[FEAT_8000_0001_ECX] =
-CPUID_EXT3_LAHF_LM,
-.features[FEAT_7_0_EDX] =
-CPUID_7_0_EDX_SPEC_CTRL,
-.features[FEAT_6_EAX] =
-CPUID_6_EAX_ARAT,
-.xlevel = 0x8008,
-.model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
-/*
- * This CPU model will eventually be replaced by an alias,
- * don't register any versions for it.
- */
-.versions = (X86CPUVersionDefinition[]) { { /* end of list */ } },
-},
 {
 .name = "SandyBridge",
 .level = 0xd,
@@ -2003,7 +1941,7 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { .version = 1 },
 {
 .version = 2,
-/* Equivalent to SandyBridge-IBRS */
+.alias = "SandyBridge-IBRS",
 .props = (PropValue[]) {
 { "spec-ctrl", "on" },
 { "model-id",
@@ -2014,44 +1952,6 @@ static X86CPUDefinition builtin_x86_defs[] = {
 { /* end of list */ }
 }
 },
-{
-.name = 

[Qemu-devel] [PULL v6 40/42] numa: Make deprecation warnings conditional on !qtest_enabled()

2019-07-05 Thread Eduardo Habkost
This will help us avoid spurious warnings during "make check".

Note that this will silence the warnings generated by
tests/numa-test, but not the ones generated by
tests/bios-tables-test.  We still need to change
tests/bios-tables-test to use "-numa ...,memdev=" to silence
these warnings.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190702215726.23661-1-ehabk...@redhat.com>
---
 hw/core/numa.c | 15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index dd5c6e2334..2d984b025b 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -31,6 +31,7 @@
 #include "qapi/error.h"
 #include "qapi/opts-visitor.h"
 #include "qapi/qapi-visit-machine.h"
+#include "sysemu/qtest.h"
 #include "hw/mem/pc-dimm.h"
 #include "hw/mem/memory-device.h"
 #include "qemu/option.h"
@@ -118,8 +119,10 @@ static void parse_numa_node(MachineState *ms, 
NumaNodeOptions *node,
 
 if (node->has_mem) {
 numa_info[nodenr].node_mem = node->mem;
-warn_report("Parameter -numa node,mem is deprecated,"
-" use -numa node,memdev instead");
+if (!qtest_enabled()) {
+warn_report("Parameter -numa node,mem is deprecated,"
+" use -numa node,memdev instead");
+}
 }
 if (node->has_memdev) {
 Object *o;
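
Review bot: the new "if (!qtest_enabled())" guard around the "-numa node,mem" deprecation warning in parse_numa_node() has no comment saying why the message is skipped under qtest. Add a one-line comment (the commit message's "avoid spurious warnings during make check" would do). The same guard is repeated in numa_complete_configuration(), so a small helper would keep the two sites from drifting apart.
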
@@ -405,9 +408,11 @@ void numa_complete_configuration(MachineState *ms)
 if (i == nb_numa_nodes) {
 assert(mc->numa_auto_assign_ram);
 mc->numa_auto_assign_ram(mc, numa_info, nb_numa_nodes, ram_size);
-warn_report("Default splitting of RAM between nodes is deprecated,"
-" Use '-numa node,memdev' to explictly define RAM"
-" allocation per node");
+if (!qtest_enabled()) {
+warn_report("Default splitting of RAM between nodes is 
deprecated,"
+" Use '-numa node,memdev' to explictly define RAM"
+" allocation per node");
+}
 }
 
 numa_total = 0;
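
Review bot: the re-indented warn_report() string in numa_complete_configuration() still carries the typo "explictly" and a capitalised " Use" after a comma. These lines are being rewritten anyway, so correct them to "explicitly" and lower-case "use" in the same change.
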
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 34/42] i386: Register versioned CPU models

2019-07-05 Thread Eduardo Habkost
Add support for registration of multiple versions of CPU models.

The existing CPU models will be registered with a "-v1" suffix.

The -noTSX, -IBRS, and -IBPB CPU model variants will become
versions of the original models in a separate patch, so
make sure we register no versions for them.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-5-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu-qom.h  |  10 +-
 target/i386/cpu.h  |  10 +
 target/i386/cpu.c  | 223 +++--
 tests/acceptance/x86_cpu_model_versions.py | 105 ++
 4 files changed, 318 insertions(+), 30 deletions(-)
 create mode 100644 tests/acceptance/x86_cpu_model_versions.py

diff --git a/target/i386/cpu-qom.h b/target/i386/cpu-qom.h
index 22f95eb3a4..1a52f02a4c 100644
--- a/target/i386/cpu-qom.h
+++ b/target/i386/cpu-qom.h
@@ -36,13 +36,7 @@
 #define X86_CPU_GET_CLASS(obj) \
 OBJECT_GET_CLASS(X86CPUClass, (obj), TYPE_X86_CPU)
 
-/**
- * X86CPUDefinition:
- *
- * CPU model definition data that was not converted to QOM per-subclass
- * property defaults yet.
- */
-typedef struct X86CPUDefinition X86CPUDefinition;
+typedef struct X86CPUModel X86CPUModel;
 
 /**
  * X86CPUClass:
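
Review bot: the doc comment deleted along with the X86CPUDefinition typedef is not replaced, so the new "typedef struct X86CPUModel X86CPUModel;" in cpu-qom.h has no description. Add a short doc comment saying it is a reference to a specific version of a CPU model definition, in line with the comment the struct gets in cpu.c.
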
@@ -64,7 +58,7 @@ typedef struct X86CPUClass {
 /* CPU definition, automatically loaded by instance_init if not NULL.
  * Should be eventually replaced by subclass-specific property defaults.
  */
-X86CPUDefinition *cpu_def;
+X86CPUModel *model;
 
 bool host_cpuid_required;
 int ordering;
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 4727226a6a..12bc3cd4a8 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1929,6 +1929,16 @@ void apic_handle_tpr_access_report(DeviceState *d, 
target_ulong ip,
  */
 void x86_cpu_change_kvm_default(const char *prop, const char *value);
 
+/* Special values for X86CPUVersion: */
+
+/* Resolve to latest CPU version */
+#define CPU_VERSION_LATEST -1
+
+/* Don't resolve to any versioned CPU models, like old QEMU versions */
+#define CPU_VERSION_LEGACY  0
+
+typedef int X86CPUVersion;
+
 /* Return name of 32-bit register, from a R_* constant */
 const char *get_register_name_32(unsigned int reg);
 
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a0e422adf3..87555a1c5a 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1433,7 +1433,17 @@ static char *x86_cpu_class_get_model_name(X86CPUClass 
*cc)
  strlen(class_name) - strlen(X86_CPU_TYPE_SUFFIX));
 }
 
-struct X86CPUDefinition {
+typedef struct PropValue {
+const char *prop, *value;
+} PropValue;
+
+typedef struct X86CPUVersionDefinition {
+X86CPUVersion version;
+PropValue *props;
+} X86CPUVersionDefinition;
+
+/* Base definition for a CPU model */
+typedef struct X86CPUDefinition {
 const char *name;
 uint32_t level;
 uint32_t xlevel;
@@ -1445,8 +1455,41 @@ struct X86CPUDefinition {
 FeatureWordArray features;
 const char *model_id;
 CPUCaches *cache_info;
+/*
+ * Definitions for alternative versions of CPU model.
+ * List is terminated by item with version == 0.
+ * If NULL, version 1 will be registered automatically.
+ */
+const X86CPUVersionDefinition *versions;
+} X86CPUDefinition;
+
+/* Reference to a specific CPU model version */
+struct X86CPUModel {
+/* Base CPU definition */
+X86CPUDefinition *cpudef;
+/* CPU model version */
+X86CPUVersion version;
 };
 
+/* Get full model name for CPU version */
+static char *x86_cpu_versioned_model_name(X86CPUDefinition *cpudef,
+  X86CPUVersion version)
+{
+assert(version > 0);
+return g_strdup_printf("%s-v%d", cpudef->name, (int)version);
+}
+
+static const X86CPUVersionDefinition 
*x86_cpu_def_get_versions(X86CPUDefinition *def)
+{
+/* When X86CPUDefinition::versions is NULL, we register only v1 */
+static const X86CPUVersionDefinition default_version_list[] = {
+{ 1 },
+{ /* end of list */ }
+};
+
+return def->versions ?: default_version_list;
+}
+
 static CPUCaches epyc_cache_info = {
 .l1d_cache = &(CPUCacheInfo) {
 .type = DATA_CACHE,
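
Review bot: x86_cpu_versioned_model_name() returns a string allocated by g_strdup_printf(), but its comment does not say that the caller owns the result and must g_free() it; state that in the comment. Both new helpers also take a non-const X86CPUDefinition * although they only read from it, so the parameter can be const.
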
@@ -1833,6 +1876,11 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_EXT3_LAHF_LM,
 .xlevel = 0x8008,
 .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
+/*
+ * This CPU model will eventually be replaced by an alias,
+ * don't register any versions for it.
+ */
+.versions = (X86CPUVersionDefinition[]) { { /* end of list */ } },
 },
 {
 .name = "Westmere",
@@ -1887,6 +1935,11 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
+/*
+ * This CPU model will 

[Qemu-devel] [PULL v6 39/42] i386: Add Cascadelake-Server-v2 CPU model

2019-07-05 Thread Eduardo Habkost
Add new version of Cascadelake-Server CPU model, setting
stepping=5 and enabling the IA32_ARCH_CAPABILITIES MSR
with some flags.

The new feature will introduce a new host software requirement,
breaking our CPU model runnability promises.  This means we can't
enable the new CPU model version by default in QEMU 4.1, because
management software isn't ready yet to resolve CPU model aliases.
This is why "pc-*-4.1" will keep returning Cascadelake-Server-v1
if "-cpu Cascadelake-Server" is specified.

Includes a test case to ensure the right combinations of
machine-type + CPU model + command-line feature flags will work
as expected.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-10-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Message-Id: <20190703221723.8161-1-ehabk...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c  | 14 +
 tests/acceptance/x86_cpu_model_versions.py | 73 ++
 2 files changed, 87 insertions(+)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 0cf8e545c6..805ce95247 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2343,6 +2343,20 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Intel Xeon Processor (Cascadelake)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{ .version = 2,
+  .props = (PropValue[]) {
+  { "arch-capabilities", "on" },
+  { "rdctl-no", "on" },
+  { "ibrs-all", "on" },
+  { "skip-l1dfl-vmentry", "on" },
+  { "mds-no", "on" },
+  { /* end of list */ }
+  },
+},
+{ /* end of list */ }
+}
 },
 {
 .name = "Icelake-Client",
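
Review bot: the commit message says the new version sets stepping=5, but the props list for .version = 2 in this hunk contains only arch-capabilities, rdctl-no, ibrs-all, skip-l1dfl-vmentry and mds-no, with no "stepping" entry. Either add the stepping property to the list or drop the stepping claim from the commit message so the two agree.
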
diff --git a/tests/acceptance/x86_cpu_model_versions.py 
b/tests/acceptance/x86_cpu_model_versions.py
index 165c0c7601..1c9fd6a56e 100644
--- a/tests/acceptance/x86_cpu_model_versions.py
+++ b/tests/acceptance/x86_cpu_model_versions.py
@@ -25,6 +25,10 @@
 import avocado_qemu
 import re
 
+def get_cpu_prop(vm, prop):
+cpu_path = vm.command('query-cpus')[0].get('qom_path')
+return vm.command('qom-get', path=cpu_path, property=prop)
+
 class X86CPUModelAliases(avocado_qemu.Test):
 """
 Validation of PC CPU model versions and CPU model aliases
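
Review bot: get_cpu_prop() has no docstring and reads the path with .get('qom_path'), which returns None when the key is absent and turns a missing field into a confusing qom-get failure later. Index with ['qom_path'] so the test fails where the problem is, and add a one-line docstring saying it reads the property from the first CPU returned by query-cpus.
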
@@ -229,3 +233,72 @@ class X86CPUModelAliases(avocado_qemu.Test):
  'qemu64-v1 must not be an alias')
 
 self.validate_aliases(cpus)
+
+def test_Cascadelake_arch_capabilities_result(self):
+# machine-type only:
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.1')
+vm.add_args('-cpu', 
'Cascadelake-Server,x-force-features=on,check=off,enforce=off')
+vm.launch()
+self.assertFalse(get_cpu_prop(vm, 'arch-capabilities'),
+ 'pc-i440fx-4.1 + Cascadelake-Server should not have 
arch-capabilities')
+
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.0')
+vm.add_args('-cpu', 
'Cascadelake-Server,x-force-features=on,check=off,enforce=off')
+vm.launch()
+self.assertFalse(get_cpu_prop(vm, 'arch-capabilities'),
+ 'pc-i440fx-4.0 + Cascadelake-Server should not have 
arch-capabilities')
+
+# command line must override machine-type if CPU model is not 
versioned:
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.0')
+vm.add_args('-cpu', 
'Cascadelake-Server,x-force-features=on,check=off,enforce=off,+arch-capabilities')
+vm.launch()
+self.assertTrue(get_cpu_prop(vm, 'arch-capabilities'),
+'pc-i440fx-4.0 + Cascadelake-Server,+arch-capabilities 
should have arch-capabilities')
+
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.1')
+vm.add_args('-cpu', 
'Cascadelake-Server,x-force-features=on,check=off,enforce=off,-arch-capabilities')
+vm.launch()
+self.assertFalse(get_cpu_prop(vm, 'arch-capabilities'),
+ 'pc-i440fx-4.1 + 
Cascadelake-Server,-arch-capabilities should not have arch-capabilities')
+
+# versioned CPU model overrides machine-type:
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.0')
+vm.add_args('-cpu', 
'Cascadelake-Server-v1,x-force-features=on,check=off,enforce=off')
+vm.launch()
+self.assertFalse(get_cpu_prop(vm, 'arch-capabilities'),
+ 'pc-i440fx-4.1 + Cascadelake-Server-v1 should not 
have arch-capabilities')
+
+vm = self.get_vm()
+vm.add_args('-S')
+vm.set_machine('pc-i440fx-4.0')
+vm.add_args('-cpu', 
'Cascadelake-Server-v2,x-force-features=on,check=off,enforce=off')
+  
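
Review bot: in the "versioned CPU model overrides machine-type" block the VM is started with vm.set_machine('pc-i440fx-4.0'), but the assertFalse message for Cascadelake-Server-v1 reads 'pc-i440fx-4.1 + Cascadelake-Server-v1 ...'. Make the message match the machine type under test so a failure reports the right combination. The launch-and-assert stanzas differ only in machine type, -cpu string and expected value, so a small helper taking those three arguments would shorten the test and avoid this kind of copy-paste slip.
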

Re: [Qemu-devel] [PATCH 6/7] target/i386: add VMX features

2019-07-05 Thread Eduardo Habkost
On Sat, Jul 06, 2019 at 12:12:49AM +0200, Paolo Bonzini wrote:
> On 05/07/19 23:22, Eduardo Habkost wrote:
> >> +switch (index) {
> >> +case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
> >> +default1 = 0x0016;
> >> +break;
> >> +case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
> >> +default1 = 0x0401e172;
> >> +break;
> >> +case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
> >> +default1 = 0x11ff;
> >> +break;
> >> +case MSR_IA32_VMX_TRUE_EXIT_CTLS:
> >> +default1 = 0x00036dff;
> >> +break;
> >> +case MSR_IA32_VMX_PROCBASED_CTLS2:
> >> +default1 = 0;
> >> +break;
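
Review bot: the default1 values in this switch are bare hex literals with nothing in the code saying what they encode. A comment above the switch stating that they are the default-1 bits of each VMX capability MSR, not tunable defaults, would answer the backwards-compatibility question asked in this thread at the point where a reader meets the numbers.
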
> > How do you plan to implement backwards compatibility if these
> > defaults ever change?  Shouldn't these values be part of the CPU
> > model definitions so we can update them in the future?
> 
> These are not defaults, they are "default-1 bits": if a feature is
> disabled, these bits are 1 in both halves of the MSR rather than zero.
> The set of default-1 bits is documented and is not going to change in
> the future.
> 
> Some default-1 bits *could* however become features in the future, and
> four of these already have features associated to them:
> vmx-cr3-load-noexit, vmx-cr3-store-noexit, vmx-exit-nosave-debugctl,
> vmx-entry-noload-debugctl.  You can see that they have "no" in their
> name because the feature is about the ability to "do less" rather than
> "do more".

Understood.  Thanks!

> 
> >> +uint64_t kvm_vmx_basic =
> >> +kvm_arch_get_supported_msr_feature(kvm_state,
> >> +   MSR_IA32_VMX_BASIC);
> >> +uint64_t kvm_vmx_misc =
> >> +kvm_arch_get_supported_msr_feature(kvm_state,
> >> +   MSR_IA32_VMX_MISC);
> >> +uint64_t kvm_vmx_ept_vpid =
> >> +kvm_arch_get_supported_msr_feature(kvm_state,
> >> +   MSR_IA32_VMX_EPT_VPID_CAP);
> > 
> > If the MSR value we're exposing to the guest depends on
> > kvm_arch_get_supported_msr_feature(), how will we ensure this
> > will be safe for live migration?
> 
> Because KVM guarantees that this part of the guest ABI will never
> change.  These values do not come from the host values of the MSRs, they
> are fixed by KVM.  More details below.
> 
> > If we really need to tweak the MSR values based on the host for
> > some reason (which is not clear to me yet), why don't we update
> > env->features[...] at x86_cpu_expand_features() to reflect what
> > the guest is really seeing?
> > 
> > 
> >> +/*
> >> + * Bits 0-30, 32-44 and 50-53 come from the host.  KVM should
> >> + * not change them for backwards compatibility.
> > 
> > Backwards compatibility with what?
> > 
> > Don't we want the MSR values to depend solely on the QEMU command
> > line in the future?
> 
> These bits are: VMCS revision, VMCS size and VMCS memory type.  QEMU
> cannot know them, as they depend on the internal implementation details
> of KVM.
> 
> Now that KVM supports nested virt live migration they cannot change
> anymore---otherwise KVM would break KVM live migration compatibility.
> However, theoretically in the future KVM could add some capability
> (which userspace would have to manually enable) and when the capability
> is enabled the values can change.

Oh, that's the info I was missing.  I always expected
kvm_arch_get_supported_*() to be subject to change (depending on
KVM and hardware capabilities), and not be part of guest ABI.

Now, if KVM is going to implement the guest ABI guarantee at
KVM_GET_MSRS, that's OK.  Is this going to be obvious to people
touching KVM_GET_MSRS in the future?

What if we do want the guest ABI to change in the future?  How do
you expect QEMU to ask KVM to enable the new guest ABI?  How do
you expect the user to ask QEMU to enable the new guest ABI?


> 
> > +/*
> > + * Same for bits 0-4 and 25-27.  Bits 16-24 (CR3 target count) can
> > + * change in the future but are always zero for now, clear them to be
> > + * future proof.  Bits 32-63 in theory could change, though KVM does
> > + * not support dual-monitor treatment and probably never will; mask
> > + * them out as well.
> > + */
> 
> The reasoning is more or less the same here.  These bits are part of the
> guest ABI (preemption timer scaling, CR3 target count, MSR count, MSEG
> revision).  Right now bits 0-4 are 5 and the others are 0; in the future:
> 
> - KVM cannot change bits 0-4 and 32-63 without breaking guest ABI
> (the values must match between what you read and what you set)
> 
> - KVM could change bits 16-24, but it always allows writing a value that
> is _smaller_ than the one you read.  So I'm zeroing those, ensuring no
> future ABI changes.
> 
> - KVM could in theory change bits 25-27: here it also allows writing a
> value that is smaller than the one you read, so guest ABI is preserved.
>  Such a change is very unlikely, all Intel silicon has always 

[Qemu-devel] [PULL v6 30/42] i386: Introduce SnowRidge CPU model

2019-07-05 Thread Eduardo Habkost
From: Paul Lai 

SnowRidge CPU supports Accelerator Infrastructure Architecture (MOVDIRI,
MOVDIR64B), CLDEMOTE and SPLIT_LOCK_DISABLE.

MOVDIRI, MOVDIR64B, and CLDEMOTE are found via CPUID.
The availability of SPLIT_LOCK_DISABLE is checked via MSR access.

References can be found in either:
 https://software.intel.com/en-us/articles/intel-sdm
 https://software.intel.com/en-us/download/intel-architecture-instruction-set-extensions-and-future-features-programming-reference

Signed-off-by: Paul Lai 
Tested-by: Tao3 Xu 
Message-Id: <20190626162129.25345-1-paul.c@intel.com>
[ehabkost: squashed SPLIT_LOCK_DETECT patch]
Message-Id: <20190626163232.25711-1-paul.c@intel.com>
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 71 +++
 1 file changed, 71 insertions(+)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 296ef6c918..62043fee54 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -2688,6 +2688,77 @@ static X86CPUDefinition builtin_x86_defs[] = {
 .xlevel = 0x8008,
 .model_id = "Intel Xeon Processor (Icelake)",
 },
+{
+.name = "SnowRidge-Server",
+.level = 27,
+.vendor = CPUID_VENDOR_INTEL,
+.family = 6,
+.model = 134,
+.stepping = 1,
+.features[FEAT_1_EDX] =
+/* missing: CPUID_PN CPUID_IA64 */
+/* missing: CPUID_DTS, CPUID_HT, CPUID_TM, CPUID_PBE */
+CPUID_FP87 | CPUID_VME | CPUID_DE | CPUID_PSE |
+CPUID_TSC | CPUID_MSR | CPUID_PAE | CPUID_MCE |
+CPUID_CX8 | CPUID_APIC | CPUID_SEP |
+CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV |
+CPUID_PAT | CPUID_PSE36 | CPUID_CLFLUSH |
+CPUID_MMX |
+CPUID_FXSR | CPUID_SSE | CPUID_SSE2,
+.features[FEAT_1_ECX] =
+CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | CPUID_EXT_MONITOR |
+CPUID_EXT_VMX |
+CPUID_EXT_SSSE3 |
+CPUID_EXT_CX16 |
+CPUID_EXT_SSE41 |
+CPUID_EXT_SSE42 | CPUID_EXT_X2APIC | CPUID_EXT_MOVBE |
+CPUID_EXT_POPCNT |
+CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_AES | CPUID_EXT_XSAVE |
+CPUID_EXT_RDRAND,
+.features[FEAT_8000_0001_EDX] =
+CPUID_EXT2_SYSCALL |
+CPUID_EXT2_NX |
+CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP |
+CPUID_EXT2_LM,
+.features[FEAT_8000_0001_ECX] =
+CPUID_EXT3_LAHF_LM |
+CPUID_EXT3_3DNOWPREFETCH,
+.features[FEAT_7_0_EBX] =
+CPUID_7_0_EBX_FSGSBASE |
+CPUID_7_0_EBX_SMEP |
+CPUID_7_0_EBX_ERMS |
+CPUID_7_0_EBX_MPX |  /* missing bits 13, 15 */
+CPUID_7_0_EBX_RDSEED |
+CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_CLFLUSHOPT |
+CPUID_7_0_EBX_CLWB |
+CPUID_7_0_EBX_SHA_NI,
+.features[FEAT_7_0_ECX] =
+CPUID_7_0_ECX_UMIP |
+/* missing bit 5 */
+CPUID_7_0_ECX_GFNI |
+CPUID_7_0_ECX_MOVDIRI | CPUID_7_0_ECX_CLDEMOTE |
+CPUID_7_0_ECX_MOVDIR64B,
+.features[FEAT_7_0_EDX] =
+CPUID_7_0_EDX_SPEC_CTRL |
+CPUID_7_0_EDX_ARCH_CAPABILITIES | CPUID_7_0_EDX_SPEC_CTRL_SSBD |
+CPUID_7_0_EDX_CORE_CAPABILITY,
+.features[FEAT_CORE_CAPABILITY] =
+MSR_CORE_CAP_SPLIT_LOCK_DETECT,
+/*
+ * Missing: XSAVES (not supported by some Linux versions,
+ * including v4.1 to v4.12).
+ * KVM doesn't yet expose any XSAVES state save component,
+ * and the only one defined in Skylake (processor tracing)
+ * probably will block migration anyway.
+ */
+.features[FEAT_XSAVE] =
+CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
+CPUID_XSAVE_XGETBV1,
+.features[FEAT_6_EAX] =
+CPUID_6_EAX_ARAT,
+.xlevel = 0x8008,
+.model_id = "Intel Atom Processor (SnowRidge)",
+},
 {
 .name = "KnightsMill",
 .level = 0xd,
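
Review bot: the commit message names the feature SPLIT_LOCK_DISABLE, while this hunk enables MSR_CORE_CAP_SPLIT_LOCK_DETECT under FEAT_CORE_CAPABILITY, and the squash note also says SPLIT_LOCK_DETECT. Use one name in the message so it can be matched against the code. The XSAVES comment in the new SnowRidge-Server entry also refers to "the only one defined in Skylake", which reads as copied from another model; reword it for SnowRidge or say that the Skylake reasoning applies here too.
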
-- 
2.18.0.rc1.1.g3f1ff2140




Re: [Qemu-devel] [PATCH-for-4.1 v4 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs

2019-07-05 Thread Francisco Iglesias
On [2019 Jul 05] Fri 22:24:58, Philippe Mathieu-Daudé wrote:
> In the next commit we will implement the write_with_attrs()
> handler. To avoid using different APIs, convert the read()
> handler first.
> 
> Signed-off-by: Philippe Mathieu-Daudé 

Reviewed-by: Francisco Iglesias 

> ---
> v4: Do not ignore lqspi_read() return value (Francisco)
> ---
>  hw/ssi/xilinx_spips.c | 23 +++
>  1 file changed, 11 insertions(+), 12 deletions(-)
> 
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 8115bb6d46..b7c7275dbe 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -1202,27 +1202,26 @@ static void lqspi_load_cache(void *opaque, hwaddr 
> addr)
>  }
>  }
>  
> -static uint64_t
> -lqspi_read(void *opaque, hwaddr addr, unsigned int size)
> +static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
> +  unsigned size, MemTxAttrs attrs)
>  {
> -XilinxQSPIPS *q = opaque;
> -uint32_t ret;
> +XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
>  
>  if (addr >= q->lqspi_cached_addr &&
>  addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
>  uint8_t *retp = >lqspi_buf[addr - q->lqspi_cached_addr];
> -ret = cpu_to_le32(*(uint32_t *)retp);
> -DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
> -   (unsigned)ret);
> -return ret;
> -} else {
> -lqspi_load_cache(opaque, addr);
> -return lqspi_read(opaque, addr, size);
> +*value = cpu_to_le32(*(uint32_t *)retp);
> +DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
> +   addr, *value);
> +return MEMTX_OK;
>  }
> +
> +lqspi_load_cache(opaque, addr);
> +return lqspi_read(opaque, addr, value, size, attrs);
>  }
>  
>  static const MemoryRegionOps lqspi_ops = {
> -.read = lqspi_read,
> +.read_with_attrs = lqspi_read,
>  .endianness = DEVICE_NATIVE_ENDIAN,
>  .valid = {
>  .min_access_size = 1,
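
Review bot: lqspi_read() still ignores its size argument and always loads 32 bits through the cast *(uint32_t *)retp, while lqspi_ops advertises .min_access_size = 1, so an access at an offset that is not a multiple of 4 dereferences a misaligned pointer. Since the function body is being rewritten here, load the value with a byte-wise helper such as ldl_le_p() (or memcpy into a uint32_t) instead of the cast.
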
> -- 
> 2.20.1
> 



[Qemu-devel] [PULL v6 28/42] vl.c: Add -smp, dies=* command line support and update doc

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

For PC target, users could configure the number of dies per one package
via command line with this patch, such as "-smp dies=2,cores=4".

The parsing rules of new cpu-topology model obey the same restrictions/logic
as the legacy socket/core/thread model especially on missing values computing.

Signed-off-by: Like Xu 
Message-Id: <20190620054525.37188-4-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 hw/i386/pc.c| 30 +-
 vl.c|  3 +++
 qemu-options.hx | 17 +
 3 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 894084c4e1..b9c55301a2 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1540,9 +1540,12 @@ static void pc_new_cpu(PCMachineState *pcms, int64_t 
apic_id, Error **errp)
  */
 void pc_smp_parse(MachineState *ms, QemuOpts *opts)
 {
+PCMachineState *pcms = PC_MACHINE(ms);
+
 if (opts) {
 unsigned cpus= qemu_opt_get_number(opts, "cpus", 0);
 unsigned sockets = qemu_opt_get_number(opts, "sockets", 0);
+unsigned dies = qemu_opt_get_number(opts, "dies", 1);
 unsigned cores   = qemu_opt_get_number(opts, "cores", 0);
 unsigned threads = qemu_opt_get_number(opts, "threads", 0);
 
@@ -1552,24 +1555,24 @@ void pc_smp_parse(MachineState *ms, QemuOpts *opts)
 threads = threads > 0 ? threads : 1;
 if (cpus == 0) {
 sockets = sockets > 0 ? sockets : 1;
-cpus = cores * threads * sockets;
+cpus = cores * threads * dies * sockets;
 } else {
 ms->smp.max_cpus =
 qemu_opt_get_number(opts, "maxcpus", cpus);
-sockets = ms->smp.max_cpus / (cores * threads);
+sockets = ms->smp.max_cpus / (cores * threads * dies);
 }
 } else if (cores == 0) {
 threads = threads > 0 ? threads : 1;
-cores = cpus / (sockets * threads);
+cores = cpus / (sockets * dies * threads);
 cores = cores > 0 ? cores : 1;
 } else if (threads == 0) {
-threads = cpus / (cores * sockets);
+threads = cpus / (cores * dies * sockets);
 threads = threads > 0 ? threads : 1;
-} else if (sockets * cores * threads < cpus) {
+} else if (sockets * dies * cores * threads < cpus) {
 error_report("cpu topology: "
- "sockets (%u) * cores (%u) * threads (%u) < "
+ "sockets (%u) * dies (%u) * cores (%u) * threads (%u) 
< "
  "smp_cpus (%u)",
- sockets, cores, threads, cpus);
+ sockets, dies, cores, threads, cpus);
 exit(1);
 }
 
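
Review bot: dies is used as a divisor in "sockets = ms->smp.max_cpus / (cores * threads * dies)" and in the cores and threads fallbacks, but unlike cores and threads it is never normalised, so "-smp ...,dies=0" reaches an integer division by zero. Reject dies == 0 with error_report() or clamp it to 1 before the first division, the same way threads and cores are defaulted with "> 0 ? ... : 1".
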
@@ -1581,26 +1584,27 @@ void pc_smp_parse(MachineState *ms, QemuOpts *opts)
 exit(1);
 }
 
-if (sockets * cores * threads > ms->smp.max_cpus) {
+if (sockets * dies * cores * threads > ms->smp.max_cpus) {
 error_report("cpu topology: "
- "sockets (%u) * cores (%u) * threads (%u) > "
+ "sockets (%u) * dies (%u) * cores (%u) * threads (%u) 
> "
  "maxcpus (%u)",
- sockets, cores, threads,
+ sockets, dies, cores, threads,
  ms->smp.max_cpus);
 exit(1);
 }
 
-if (sockets * cores * threads != ms->smp.max_cpus) {
+if (sockets * dies * cores * threads != ms->smp.max_cpus) {
 warn_report("Invalid CPU topology deprecated: "
-"sockets (%u) * cores (%u) * threads (%u) "
+"sockets (%u) * dies (%u) * cores (%u) * threads (%u) "
 "!= maxcpus (%u)",
-sockets, cores, threads,
+sockets, dies, cores, threads,
 ms->smp.max_cpus);
 }
 
 ms->smp.cpus = cpus;
 ms->smp.cores = cores;
 ms->smp.threads = threads;
+pcms->smp_dies = dies;
 }
 
 if (ms->smp.cpus > 1) {
diff --git a/vl.c b/vl.c
index 96d2456f70..280e709e2c 100644
--- a/vl.c
+++ b/vl.c
@@ -1231,6 +1231,9 @@ static QemuOptsList qemu_smp_opts = {
 }, {
 .name = "sockets",
 .type = QEMU_OPT_NUMBER,
+}, {
+.name = "dies",
+.type = QEMU_OPT_NUMBER,
 }, {
 .name = "cores",
 .type = QEMU_OPT_NUMBER,
diff --git a/qemu-options.hx b/qemu-options.hx
index af850923f7..9621e934c0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -138,25 +138,26 @@ no incompatible TCG features have been enabled (e.g. 
icount/replay).
 ETEXI
 
 DEF("smp", HAS_ARG, QEMU_OPTION_smp,
-"-smp 
[cpus=]n[,maxcpus=cpus][,cores=cores][,threads=threads][,sockets=sockets]\n"
+"-smp 

[Qemu-devel] [PULL v6 42/42] tests: use -numa memdev option in tests instead of legacy 'mem' option

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

it will test preferred memdev option more extensively and remove
undesired deprecation warnings during 'make check'

Signed-off-by: Igor Mammedov 
Message-Id: <20190702140745.27767-3-imamm...@redhat.com>
[ehabkost: remove numa-test.c changes]
Signed-off-by: Eduardo Habkost 
---
 tests/bios-tables-test.c | 40 
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/tests/bios-tables-test.c b/tests/bios-tables-test.c
index 0ce55182f2..d863233fe9 100644
--- a/tests/bios-tables-test.c
+++ b/tests/bios-tables-test.c
@@ -688,6 +688,8 @@ static void test_acpi_q35_tcg_mmio64(void)
 };
 
 test_acpi_one("-m 128M,slots=1,maxmem=2G "
+  "-object memory-backend-ram,id=ram0,size=128M "
+  "-numa node,memdev=ram0 "
   "-device pci-testdev,membar=2G",
   );
 free_test_data();
@@ -701,7 +703,9 @@ static void test_acpi_piix4_tcg_cphp(void)
 data.machine = MACHINE_PC;
 data.variant = ".cphp";
 test_acpi_one("-smp 2,cores=3,sockets=2,maxcpus=6"
-  " -numa node -numa node"
+  " -object memory-backend-ram,id=ram0,size=64M"
+  " -object memory-backend-ram,id=ram1,size=64M"
+  " -numa node,memdev=ram0 -numa node,memdev=ram1"
   " -numa dist,src=0,dst=1,val=21",
   );
 free_test_data();
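
Review bot: the two 64M memory-backend-ram objects added to test_acpi_piix4_tcg_cphp() have to add up to the machine's RAM size, but this command line passes no -m, so the test now depends on the default RAM size being 128M. Add an explicit "-m 128M" (the memhp tests already pass "-m 128") so the test keeps working if the default changes; the same applies to the q35 cphp variant.
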
@@ -715,7 +719,9 @@ static void test_acpi_q35_tcg_cphp(void)
 data.machine = MACHINE_Q35;
 data.variant = ".cphp";
 test_acpi_one(" -smp 2,cores=3,sockets=2,maxcpus=6"
-  " -numa node -numa node"
+  " -object memory-backend-ram,id=ram0,size=64M"
+  " -object memory-backend-ram,id=ram1,size=64M"
+  " -numa node,memdev=ram0 -numa node,memdev=ram1"
   " -numa dist,src=0,dst=1,val=21",
   );
 free_test_data();
@@ -766,7 +772,9 @@ static void test_acpi_q35_tcg_memhp(void)
 data.machine = MACHINE_Q35;
 data.variant = ".memhp";
 test_acpi_one(" -m 128,slots=3,maxmem=1G"
-  " -numa node -numa node"
+  " -object memory-backend-ram,id=ram0,size=64M"
+  " -object memory-backend-ram,id=ram1,size=64M"
+  " -numa node,memdev=ram0 -numa node,memdev=ram1"
   " -numa dist,src=0,dst=1,val=21",
   );
 free_test_data();
@@ -780,7 +788,9 @@ static void test_acpi_piix4_tcg_memhp(void)
 data.machine = MACHINE_PC;
 data.variant = ".memhp";
 test_acpi_one(" -m 128,slots=3,maxmem=1G"
-  " -numa node -numa node"
+  " -object memory-backend-ram,id=ram0,size=64M"
+  " -object memory-backend-ram,id=ram1,size=64M"
+  " -numa node,memdev=ram0 -numa node,memdev=ram1"
   " -numa dist,src=0,dst=1,val=21",
   );
 free_test_data();
@@ -793,7 +803,8 @@ static void test_acpi_q35_tcg_numamem(void)
 memset(, 0, sizeof(data));
 data.machine = MACHINE_Q35;
 data.variant = ".numamem";
-test_acpi_one(" -numa node -numa node,mem=128", );
+test_acpi_one(" -object memory-backend-ram,id=ram0,size=128M"
+  " -numa node -numa node,memdev=ram0", );
 free_test_data();
 }
 
@@ -804,7 +815,8 @@ static void test_acpi_piix4_tcg_numamem(void)
 memset(, 0, sizeof(data));
 data.machine = MACHINE_PC;
 data.variant = ".numamem";
-test_acpi_one(" -numa node -numa node,mem=128", );
+test_acpi_one(" -object memory-backend-ram,id=ram0,size=128M"
+  " -numa node -numa node,memdev=ram0", );
 free_test_data();
 }
 
@@ -818,17 +830,21 @@ static void test_acpi_tcg_dimm_pxm(const char *machine)
 test_acpi_one(" -machine nvdimm=on,nvdimm-persistence=cpu"
   " -smp 4,sockets=4"
   " -m 128M,slots=3,maxmem=1G"
-  " -numa node,mem=32M,nodeid=0"
-  " -numa node,mem=32M,nodeid=1"
-  " -numa node,mem=32M,nodeid=2"
-  " -numa node,mem=32M,nodeid=3"
+  " -object memory-backend-ram,id=ram0,size=32M"
+  " -object memory-backend-ram,id=ram1,size=32M"
+  " -object memory-backend-ram,id=ram2,size=32M"
+  " -object memory-backend-ram,id=ram3,size=32M"
+  " -numa node,memdev=ram0,nodeid=0"
+  " -numa node,memdev=ram1,nodeid=1"
+  " -numa node,memdev=ram2,nodeid=2"
+  " -numa node,memdev=ram3,nodeid=3"
   " -numa cpu,node-id=0,socket-id=0"
   " -numa cpu,node-id=1,socket-id=1"
   " -numa cpu,node-id=2,socket-id=2"
   " -numa cpu,node-id=3,socket-id=3"
-  " -object memory-backend-ram,id=ram0,size=128M"
+  " -object memory-backend-ram,id=ram4,size=128M"

[Qemu-devel] [PULL v6 29/42] qmp: Add deprecation information to query-machines

2019-07-05 Thread Eduardo Habkost
Export machine type deprecation status through the query-machines
QMP command.  With this, libvirt and management software will be
able to show this information to users and/or suggest changes to
VM configuration to avoid deprecated machines.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190608233447.27970-2-ehabk...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 qapi/machine.json  | 7 ++-
 hw/core/machine-qmp-cmds.c | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index 78d34ef717..6db8a7e2ec 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -321,12 +321,17 @@
 # @numa-mem-supported: true if '-numa node,mem' option is supported by
 #  the machine type and false otherwise (since 4.1)
 #
+# @deprecated: if true, the machine type is deprecated and may be removed
+#  in future versions of QEMU according to the QEMU deprecation
+#  policy (since 4.1.0)
+#
 # Since: 1.2.0
 ##
 { 'struct': 'MachineInfo',
   'data': { 'name': 'str', '*alias': 'str',
 '*is-default': 'bool', 'cpu-max': 'int',
-'hotpluggable-cpus': 'bool', 'numa-mem-supported': 'bool'} }
+'hotpluggable-cpus': 'bool',  'numa-mem-supported': 'bool',
+'deprecated': 'bool' } }
 
 ##
 # @query-machines:
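
Review bot: the new @deprecated doc line uses "(since 4.1.0)" while @numa-mem-supported directly above it uses "(since 4.1)", and the rewritten 'data' line has a double space before 'numa-mem-supported'. Use the same version format as the neighbouring member and drop the extra space.
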
diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
index 754ce77664..5bd95b8ab0 100644
--- a/hw/core/machine-qmp-cmds.c
+++ b/hw/core/machine-qmp-cmds.c
@@ -227,6 +227,7 @@ MachineInfoList *qmp_query_machines(Error **errp)
 info->cpu_max = !mc->max_cpus ? 1 : mc->max_cpus;
 info->hotpluggable_cpus = mc->has_hotpluggable_cpus;
 info->numa_mem_supported = mc->numa_mem_supported;
+info->deprecated = !!mc->deprecation_reason;
 
 entry = g_malloc0(sizeof(*entry));
 entry->value = info;
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 37/42] i386: Make unversioned CPU models be aliases

2019-07-05 Thread Eduardo Habkost
This will make unversioned CPU models behavior depend on the
machine type:

* "pc-*-4.0" and older will not report them as aliases.
  This is done to keep compatibility with older QEMU versions
  after management software starts translating aliases.

* "pc-*-4.1" will translate unversioned CPU models to -v1.
  This is done to keep compatibility with existing management
  software, that still relies on CPU model runnability promises.

* "none" will translate unversioned CPU models to their latest
  version.  This is planned to become the default in future machine
  types (probably in pc-*-4.3).

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-8-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 include/hw/i386/pc.h   |   3 +
 target/i386/cpu.h  |  12 ++
 hw/i386/pc.c   |   3 +
 hw/i386/pc_piix.c  |   4 +
 hw/i386/pc_q35.c   |   4 +
 target/i386/cpu.c  |  52 -
 tests/acceptance/x86_cpu_model_versions.py | 126 +
 7 files changed, 203 insertions(+), 1 deletion(-)

diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 0fa3e3beeb..859b64c51d 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -109,6 +109,9 @@ typedef struct PCMachineClass {
 
 /* Compat options: */
 
+/* Default CPU model version.  See x86_cpu_set_default_version(). */
+int default_cpu_version;
+
 /* ACPI compat: */
 bool has_acpi_build;
 bool rsdp_in_ram;
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 12bc3cd4a8..05393cf9d1 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1934,11 +1934,23 @@ void x86_cpu_change_kvm_default(const char *prop, const 
char *value);
 /* Resolve to latest CPU version */
 #define CPU_VERSION_LATEST -1
 
+/*
+ * Resolve to version defined by current machine type.
+ * See x86_cpu_set_default_version()
+ */
+#define CPU_VERSION_AUTO   -2
+
 /* Don't resolve to any versioned CPU models, like old QEMU versions */
 #define CPU_VERSION_LEGACY  0
 
 typedef int X86CPUVersion;
 
+/*
+ * Set default CPU model version for CPU models having
+ * version == CPU_VERSION_AUTO.
+ */
+void x86_cpu_set_default_version(X86CPUVersion version);
+
 /* Return name of 32-bit register, from a R_* constant */
 const char *get_register_name_32(unsigned int reg);
 
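Review bot: the comment on x86_cpu_set_default_version() does not say what happens when the argument is itself CPU_VERSION_AUTO, or that the call has to come before any model with version == CPU_VERSION_AUTO is resolved. Both are easy to get wrong when adding a machine type; document them here and consider rejecting CPU_VERSION_AUTO in the setter.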
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index b9c55301a2..c33ce47578 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1645,6 +1645,9 @@ void pc_cpus_init(PCMachineState *pcms)
 const CPUArchIdList *possible_cpus;
 MachineState *ms = MACHINE(pcms);
 MachineClass *mc = MACHINE_GET_CLASS(pcms);
+PCMachineClass *pcmc = PC_MACHINE_CLASS(mc);
+
+x86_cpu_set_default_version(pcmc->default_cpu_version);
 
 /* Calculates the limit to CPU APIC ID values
  *
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index f29de58636..581b3c2baa 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -429,9 +429,11 @@ static void pc_i440fx_machine_options(MachineClass *m)
 
 static void pc_i440fx_4_1_machine_options(MachineClass *m)
 {
+PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
 pc_i440fx_machine_options(m);
 m->alias = "pc";
 m->is_default = 1;
+pcmc->default_cpu_version = 1;
 }
 
 DEFINE_I440FX_MACHINE(v4_1, "pc-i440fx-4.1", NULL,
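Review bot: pcmc->default_cpu_version = 1 in pc_i440fx_4_1_machine_options() is a bare literal, while the 4.0 hunk below uses the named CPU_VERSION_LEGACY. A short comment that 1 means the "-v1" models, or a named constant, would make the intent clear to whoever adds the next machine type by copying this function.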
@@ -439,9 +441,11 @@ DEFINE_I440FX_MACHINE(v4_1, "pc-i440fx-4.1", NULL,
 
 static void pc_i440fx_4_0_machine_options(MachineClass *m)
 {
+PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
 pc_i440fx_4_1_machine_options(m);
 m->alias = NULL;
 m->is_default = 0;
+pcmc->default_cpu_version = CPU_VERSION_LEGACY;
 compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len);
 compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
 }
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 57232aed6b..397e1fdd2f 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -367,8 +367,10 @@ static void pc_q35_machine_options(MachineClass *m)
 
 static void pc_q35_4_1_machine_options(MachineClass *m)
 {
+PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
 pc_q35_machine_options(m);
 m->alias = "q35";
+pcmc->default_cpu_version = 1;
 }
 
 DEFINE_Q35_MACHINE(v4_1, "pc-q35-4.1", NULL,
@@ -376,8 +378,10 @@ DEFINE_Q35_MACHINE(v4_1, "pc-q35-4.1", NULL,
 
 static void pc_q35_4_0_1_machine_options(MachineClass *m)
 {
+PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
 pc_q35_4_1_machine_options(m);
 m->alias = NULL;
+pcmc->default_cpu_version = CPU_VERSION_LEGACY;
 /*
  * This is the default machine for the 4.0-stable branch. It is basically
  * a 4.0 that doesn't use split irqchip by default. It MUST hence apply the
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index f41917649d..0cf8e545c6 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1470,6 +1470,11 @@ struct 

[Qemu-devel] [PULL v6 21/42] i386: Don't print warning if phys-bits was set automatically

2019-07-05 Thread Eduardo Habkost
If cpu->host_phys_bits_limit is set, QEMU will make
cpu->phys_bits be lower than host_phys_bits in some cases.  This
triggers a warning that was supposed to be printed only if
phys-bits was explicitly set in the command-line.

Reorder the code so the value of cpu->phys_bits is validated
before the cpu->host_phys_bits handling.  This will avoid
unexpected warnings when cpu->host_phys_bits_limit is set.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190611205420.20286-1-ehabk...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index de1a469ae9..f538b54150 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5293,15 +5293,6 @@ static void x86_cpu_realizefn(DeviceState *dev, Error 
**errp)
 uint32_t host_phys_bits = x86_host_phys_bits();
 static bool warned;
 
-if (cpu->host_phys_bits) {
-/* The user asked for us to use the host physical bits */
-cpu->phys_bits = host_phys_bits;
-if (cpu->host_phys_bits_limit &&
-cpu->phys_bits > cpu->host_phys_bits_limit) {
-cpu->phys_bits = cpu->host_phys_bits_limit;
-}
-}
-
 /* Print a warning if the user set it to a value that's not the
  * host value.
  */
@@ -5313,6 +5304,15 @@ static void x86_cpu_realizefn(DeviceState *dev, Error 
**errp)
 warned = true;
 }
 
+if (cpu->host_phys_bits) {
+/* The user asked for us to use the host physical bits */
+cpu->phys_bits = host_phys_bits;
+if (cpu->host_phys_bits_limit &&
+cpu->phys_bits > cpu->host_phys_bits_limit) {
+cpu->phys_bits = cpu->host_phys_bits_limit;
+}
+}
+
 if (cpu->phys_bits &&
 (cpu->phys_bits > TARGET_PHYS_ADDR_SPACE_BITS ||
 cpu->phys_bits < 32)) {
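Review bot: after this move the "Print a warning" block runs while cpu->phys_bits still holds whatever the user passed, even when cpu->host_phys_bits is set and the value is about to be replaced a few lines later. If a command line sets both phys-bits and host-phys-bits, that could warn about a number that never takes effect; the warning condition is outside the visible context, so please confirm it skips the host_phys_bits case or add that check. The range check on phys_bits at the end of the hunk still runs after the assignment, which is the right order.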
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 20/42] deprecate -mem-path fallback to anonymous RAM

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

Fallback might affect guest or worse whole host performance
or functionality if backing file were used to share guest RAM
with another process.

Patch deprecates fallback so that we could remove it in future
and ensure that QEMU will provide expected behavior and fail if
it can't use user provided backing file.

Signed-off-by: Igor Mammedov 
Reviewed-by: Daniel P. Berrangé 
Reviewed-by: Markus Armbruster 
Message-Id: <20190626074228.11558-1-imamm...@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Eduardo Habkost 
---
 hw/core/numa.c   | 6 --
 qemu-deprecated.texi | 9 +
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index cb5fdbcb1e..dd5c6e2334 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -479,8 +479,10 @@ static void allocate_system_memory_nonnuma(MemoryRegion 
*mr, Object *owner,
 if (mem_prealloc) {
 exit(1);
 }
-error_report("falling back to regular RAM allocation.");
-
+warn_report("falling back to regular RAM allocation");
+error_printf("This is deprecated. Make sure that -mem-path "
+ " specified path has sufficient resources to allocate"
+ " -m specified RAM amount");
 /* Legacy behavior: if allocation failed, fall back to
  * regular RAM allocation.
  */
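Review bot: the error_printf() string added in allocate_system_memory_nonnuma() has no trailing "\n", and unlike warn_report() error_printf() prints the text exactly as given, so whatever is logged next will run onto the same line. The first two literals also join as "-mem-path " followed by " specified path", which leaves a double space. Add the newline and drop one of the spaces.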
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 4a626f535d..e6891c3a93 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -112,6 +112,15 @@ QEMU using implicit generic or board specific splitting 
rule.
 Use @option{memdev} with @var{memory-backend-ram} backend or @option{mem} (if
 it's supported by used machine type) to define mapping explictly instead.
 
+@subsection -mem-path fallback to RAM (since 4.1)
+Currently if guest RAM allocation from file pointed by @option{mem-path}
+fails, QEMU falls back to allocating from RAM, which might result
+in unpredictable behavior since the backing file specified by the user
+is ignored. In the future, users will be responsible for making sure
+the backing storage specified with @option{-mem-path} can actually provide
+the guest RAM configured with @option{-m} and QEMU will fail to start up if
+RAM allocation is unsuccessful.
+
 @section QEMU Machine Protocol (QMP) commands
 
 @subsection block-dirty-bitmap-add "autoload" parameter (since 2.12.0)
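Review bot: the new "-mem-path fallback to RAM" text says QEMU falls back whenever allocation from the file fails, but the numa.c hunk in this same patch shows the failure path calling exit(1) when mem_prealloc is set. Mention that exception so readers know the fallback, and the deprecation, only concern runs without preallocation.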
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 38/42] docs: Deprecate CPU model runnability guarantees

2019-07-05 Thread Eduardo Habkost
Document that CPU model runnability guarantees won't apply to
unversioned CPU models anymore.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-9-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 qemu-deprecated.texi | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index e6891c3a93..c90b08d553 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -292,3 +292,22 @@ subset of the image.
 In the future, QEMU will require Python 3 to be available at
 build time.  Support for Python 2 in scripts shipped with QEMU
 is deprecated.
+
+@section Backwards compatibility
+
+@subsection Runnability guarantee of CPU models (since 4.1.0)
+
+Previous versions of QEMU never changed existing CPU models in
+ways that introduced additional host software or hardware
+requirements to the VM.  This allowed management software to
+safely change the machine type of an existing VM without
+introducing new requirements ("runnability guarantee").  This
+prevented CPU models from being updated to include CPU
+vulnerability mitigations, leaving guests vulnerable in the
+default configuration.
+
+The CPU model runnability guarantee won't apply anymore to
+existing CPU models.  Management software that needs runnability
+guarantees must resolve the CPU model aliases using te
+``alias-of'' field returned by the ``query-cpu-definitions'' QMP
+command.
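Review bot: the last paragraph of the new "Runnability guarantee of CPU models" subsection has a typo, "using te" should be "using the". It would also help to say that the alias has to be resolved against the machine type the VM will run with, since that is the case management software is most likely to get wrong.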
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 41/42] numa: allow memory-less nodes when using memdev as backend

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

QEMU fails to start if memory-less node is present when memdev
is used
  qemu-system-x86_64 -object memory-backend-ram,id=ram0,size=128M \
 -numa node -numa node,memdev=ram0
with error:
  "memdev option must be specified for either all or no nodes"

which works as expected if legacy 'mem' is used.

Fix check to make memory-less nodes valid when memdev option is used
but still disallow mix of mem and memdev options.

Signed-off-by: Igor Mammedov 
Message-Id: <20190702140745.27767-2-imamm...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 hw/core/numa.c | 19 +++
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index 2d984b025b..a11431483c 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -45,7 +45,8 @@ QemuOptsList qemu_numa_opts = {
 .desc = { { 0 } } /* validated with OptsVisitor */
 };
 
-static int have_memdevs = -1;
+static int have_memdevs;
+static int have_mem;
 static int max_numa_nodeid; /* Highest specified NUMA node ID, plus one.
  * For all nodes, nodeid < max_numa_nodeid
  */
@@ -103,17 +104,11 @@ static void parse_numa_node(MachineState *ms, 
NumaNodeOptions *node,
 }
 }
 
-if (node->has_mem && node->has_memdev) {
-error_setg(errp, "cannot specify both mem= and memdev=");
-return;
-}
-
-if (have_memdevs == -1) {
-have_memdevs = node->has_memdev;
-}
-if (node->has_memdev != have_memdevs) {
-error_setg(errp, "memdev option must be specified for either "
-   "all or no nodes");
+have_memdevs = have_memdevs ? : node->has_memdev;
+have_mem = have_mem ? : node->has_mem;
+if ((node->has_mem && have_memdevs) || (node->has_memdev && have_mem)) {
+error_setg(errp, "numa configuration should use either mem= or 
memdev=,"
+   "mixing both is not allowed");
 return;
 }
 
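Review bot: the new error string in parse_numa_node() is built from a literal ending in "memdev=," and one starting with "mixing both", with no space between them, so the user sees "memdev=,mixing both is not allowed". Add the space after the comma. have_memdevs and have_mem are now used purely as flags, so bool with a plain "|=" would read more clearly than int with the "? :" extension.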
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 19/42] hppa: Delete unused hppa_cpu_list() function

2019-07-05 Thread Eduardo Habkost
hppa_cpu_list() is dead code and is never called.  Delete it.

Cc: Richard Henderson 
Reviewed-by: Igor Mammedov 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Eduardo Habkost 
Message-Id: <20190517191332.23400-1-ehabk...@redhat.com>
Acked-by: Richard Henderson 
Signed-off-by: Eduardo Habkost 
---
 target/hppa/cpu.h |  2 --
 target/hppa/cpu.c | 17 -
 2 files changed, 19 deletions(-)

diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h
index 2e1f2ac67c..aab251bc4b 100644
--- a/target/hppa/cpu.h
+++ b/target/hppa/cpu.h
@@ -241,8 +241,6 @@ void hppa_translate_init(void);
 
 #define CPU_RESOLVING_TYPE TYPE_HPPA_CPU
 
-void hppa_cpu_list(void);
-
 static inline target_ulong hppa_form_gva_psw(target_ureg psw, uint64_t spc,
  target_ureg off)
 {
diff --git a/target/hppa/cpu.c b/target/hppa/cpu.c
index 368cb71e6d..71b6aca45d 100644
--- a/target/hppa/cpu.c
+++ b/target/hppa/cpu.c
@@ -111,23 +111,6 @@ static void hppa_cpu_realizefn(DeviceState *dev, Error 
**errp)
 #endif
 }
 
-static void hppa_cpu_list_entry(gpointer data, gpointer user_data)
-{
-ObjectClass *oc = data;
-
-qemu_printf("  %s\n", object_class_get_name(oc));
-}
-
-void hppa_cpu_list(void)
-{
-GSList *list;
-
-list = object_class_get_list_sorted(TYPE_HPPA_CPU, false);
-qemu_printf("Available CPUs:\n");
-g_slist_foreach(list, hppa_cpu_list_entry, NULL);
-g_slist_free(list);
-}
-
 static void hppa_cpu_initfn(Object *obj)
 {
 CPUState *cs = CPU(obj);
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 35/42] i386: Define -IBRS, -noTSX, -IBRS versions of CPU models

2019-07-05 Thread Eduardo Habkost
Add versions of CPU models that are equivalent to their -IBRS,
-noTSX and -IBRS variants.

The separate variants will eventually be removed and become
aliases for these CPU versions.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-6-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 186 ++
 1 file changed, 186 insertions(+)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 87555a1c5a..51beebdb27 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1851,6 +1851,20 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_EXT3_LAHF_LM,
 .xlevel = 0x8008,
 .model_id = "Intel Core i7 9xx (Nehalem Class Core i7)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{
+.version = 2,
+/* Equivalent to Nehalem-IBRS */
+.props = (PropValue[]) {
+{ "spec-ctrl", "on" },
+{ "model-id",
+  "Intel Core i7 9xx (Nehalem Core i7, IBRS update)" },
+{ /* end of list */ }
+}
+},
+{ /* end of list */ }
+}
 },
 {
 .name = "Nehalem-IBRS",
@@ -1907,6 +1921,20 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{
+.version = 2,
+/* Equivalent to Westmere-IBRS */
+.props = (PropValue[]) {
+{ "spec-ctrl", "on" },
+{ "model-id",
+  "Westmere E56xx/L56xx/X56xx (IBRS update)" },
+{ /* end of list */ }
+}
+},
+{ /* end of list */ }
+}
 },
 {
 .name = "Westmere-IBRS",
@@ -1971,6 +1999,20 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{
+.version = 2,
+/* Equivalent to SandyBridge-IBRS */
+.props = (PropValue[]) {
+{ "spec-ctrl", "on" },
+{ "model-id",
+  "Intel Xeon E312xx (Sandy Bridge, IBRS update)" },
+{ /* end of list */ }
+}
+},
+{ /* end of list */ }
+}
 },
 {
 .name = "SandyBridge-IBRS",
@@ -2043,6 +2085,20 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{
+.version = 2,
+/* Equivalent to IvyBridge-IBRS */
+.props = (PropValue[]) {
+{ "spec-ctrl", "on" },
+{ "model-id",
+  "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)" },
+{ /* end of list */ }
+}
+},
+{ /* end of list */ }
+}
 },
 {
 .name = "IvyBridge-IBRS",
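Review bot: the v2 model-id for Ivy Bridge ends in ", IBRS)", while the Nehalem, Westmere and SandyBridge v2 entries in this patch end in "IBRS update)". If each string is meant to match the existing -IBRS model byte for byte, say so in a comment next to the first entry; otherwise pick one suffix, because model-id is guest-visible and hard to change later.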
@@ -2205,6 +2261,52 @@ static X86CPUDefinition builtin_x86_defs[] = {
 CPUID_6_EAX_ARAT,
 .xlevel = 0x8008,
 .model_id = "Intel Core Processor (Haswell)",
+.versions = (X86CPUVersionDefinition[]) {
+{ .version = 1 },
+{
+.version = 2,
+/* Equivalent to Haswell-noTSX */
+.props = (PropValue[]) {
+{ "hle", "off" },
+{ "rtm", "off" },
+{ "stepping", "1" },
+{ "model-id", "Intel Core Processor (Haswell, no TSX)", },
+{ /* end of list */ }
+},
+},
+{
+.version = 3,
+/* Equivalent to Haswell-IBRS */
+.props = (PropValue[]) {
+/* Restore TSX features removed by -v2 above */
+{ "hle", "on" },
+{ "rtm", "on" },
+/*
+ * Haswell and Haswell-IBRS had stepping=4 in
+ * QEMU 4.0 and older
+ */
+{ "stepping", "4" },
+{ "spec-ctrl", "on" },
+{ "model-id",
+  "Intel Core Processor (Haswell, IBRS)" },
+{ /* end of list */ }
+}
+},
+{
+.version = 4,
+

[Qemu-devel] [PULL v6 15/42] pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size()

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

QEMU will crash when device-memory-region-size property is read if
ms->device_memory wasn't initialized yet.

Crash can be reproduced with:
 $QEMU -preconfig -qmp unix:qmp_socket,server,nowait &
 ./scripts/qmp/qom-get -s qmp_socket /machine.device-memory-region-size

Instead of crashing return 0 if ms->device_memory hasn't been initialized.

Signed-off-by: Igor Mammedov 
Message-Id: <20190624090200.5383-1-imamm...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 hw/i386/pc.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index e8378f6a0a..2107532d12 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -2553,7 +2553,11 @@ pc_machine_get_device_memory_region_size(Object *obj, 
Visitor *v,
  Error **errp)
 {
 MachineState *ms = MACHINE(obj);
-int64_t value = memory_region_size(>device_memory->mr);
+int64_t value = 0;
+
+if (ms->device_memory) {
+value = memory_region_size(>device_memory->mr);
+}
 
 visit_type_int(v, name, , errp);
 }
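Review bot: reading device-memory-region-size before ms->device_memory exists now yields 0, which a QMP client cannot tell apart from a machine whose device memory region really has size 0. If that distinction matters to callers, report it through errp instead. Either way, a test that issues the qom-get from the commit message under -preconfig would keep this path from regressing.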
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 18/42] numa: deprecate implict memory distribution between nodes

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

Implicit RAM distribution between nodes has exactly the same issues as:
  "numa: deprecate 'mem' parameter of '-numa node' option"
only with QEMU being the user that's 'adding' 'mem' parameter.

Deprecate it, to get it out of the way so that we could consolidate
guest RAM allocation using memory backends making it consistent and
possibly later on transition to using memory devices instead of
adhoc memory mapping for the initial RAM.

Signed-off-by: Igor Mammedov 
Message-Id: <1559205199-233510-4-git-send-email-imamm...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 hw/core/numa.c   | 3 +++
 qemu-deprecated.texi | 8 
 2 files changed, 11 insertions(+)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index b9e79b8c8b..cb5fdbcb1e 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -405,6 +405,9 @@ void numa_complete_configuration(MachineState *ms)
 if (i == nb_numa_nodes) {
 assert(mc->numa_auto_assign_ram);
 mc->numa_auto_assign_ram(mc, numa_info, nb_numa_nodes, ram_size);
+warn_report("Default splitting of RAM between nodes is deprecated,"
+" Use '-numa node,memdev' to explictly define RAM"
+" allocation per node");
 }
 
 numa_total = 0;
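Review bot: the warn_report() text added in numa_complete_configuration() misspells "explicitly" as "explictly" and capitalises "Use" after a comma. The string is user-visible and people will search logs for it, so fix both before it goes in.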
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index ba52999f7f..4a626f535d 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -104,6 +104,14 @@ In future new machine versions will not accept the option 
but it will still
 work with old machine types. User can check QAPI schema to see if the legacy
 option is supported by looking at MachineInfo::numa-mem-supported property.
 
+@subsection -numa node (without memory specified) (since 4.1)
+
+Splitting RAM by default between NUMA nodes has the same issues as @option{mem}
+parameter described above with the difference that the role of the user plays
+QEMU using implicit generic or board specific splitting rule.
+Use @option{memdev} with @var{memory-backend-ram} backend or @option{mem} (if
+it's supported by used machine type) to define mapping explictly instead.
+
 @section QEMU Machine Protocol (QMP) commands
 
 @subsection block-dirty-bitmap-add "autoload" parameter (since 2.12.0)
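Review bot: in the new "-numa node (without memory specified)" subsection, "with the difference that the role of the user plays QEMU" is hard to parse, and "explictly" is misspelled in the last line. Something like "with the difference that QEMU, rather than the user, chooses the split" says the same thing.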
-- 
2.18.0.rc1.1.g3f1ff2140




Re: [Qemu-devel] [PATCH 1/7] target/i386: handle filtered_features in a new function mark_unavailable_features

2019-07-05 Thread Eduardo Habkost
On Sat, Jul 06, 2019 at 12:07:29AM +0200, Paolo Bonzini wrote:
> On 05/07/19 23:44, Eduardo Habkost wrote:
> > On Fri, Jul 05, 2019 at 11:32:07PM +0200, Paolo Bonzini wrote:
> >> On 05/07/19 22:37, Eduardo Habkost wrote:
> >>> Filtering and reporting is separate because
> >>> x86_cpu_filter_features() is also called from a QMP command
> >>> handler that is not supposed to generate any warnings on stderr
> >>> (query-cpu-model-expansion).
> >>
> >> But that one should not set check_cpuid or enforce_cpuid, should it?
> > 
> > check_cpuid is set to true by default.
> 
> Ok, that's what I missed.
> 
> >>
> >> (I can still split the filtering and reporting if you prefer).
> > 
> > Maybe it will work if we just add a 'bool verbose' parameter to
> > x86_cpu_filter_features().
> > 
> > x86_cpu_realizefn() would call:
> >   x86_cpu_filter_features(cpu, cpu->check_cpuid);
> 
> ... "|| cpu->enforce_cpuid".
> 
> > x86_cpu_class_check_missing_features() would call:
> >   x86_cpu_filter_features(cpu, false);
> 
> Or set check_cpuid to false there after creating the object?

It would work too, but I prefer to make the side effects of
x86_cpu_filter_features() more explicit.

-- 
Eduardo



[Qemu-devel] [PULL v6 33/42] i386: Get model-id from CPU object on "-cpu help"

2019-07-05 Thread Eduardo Habkost
When introducing versioned CPU models, the string at
X86CPUDefinition::model_id might not be the model-id we'll really
use.  Instantiate a CPU object and check the model-id property on
"-cpu help"

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-4-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 8852b57c0b..a0e422adf3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3837,18 +3837,28 @@ static GSList *get_sorted_cpu_model_list(void)
 return list;
 }
 
+static char *x86_cpu_class_get_model_id(X86CPUClass *xc)
+{
+Object *obj = object_new(object_class_get_name(OBJECT_CLASS(xc)));
+char *r = object_property_get_str(obj, "model-id", _abort);
+object_unref(obj);
+return r;
+}
+
 static void x86_cpu_list_entry(gpointer data, gpointer user_data)
 {
 ObjectClass *oc = data;
 X86CPUClass *cc = X86_CPU_CLASS(oc);
 char *name = x86_cpu_class_get_model_name(cc);
-const char *desc = cc->model_description;
-if (!desc && cc->cpu_def) {
-desc = cc->cpu_def->model_id;
+char *desc = g_strdup(cc->model_description);
+
+if (!desc) {
+desc = x86_cpu_class_get_model_id(cc);
 }
 
 qemu_printf("x86 %-20s  %-48s\n", name, desc);
 g_free(name);
+g_free(desc);
 }
 
 /* list available CPU models and flags */
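Review bot: x86_cpu_class_get_model_id() creates and destroys a full CPU object for every list entry that has no model_description, and reads the property with the abort-on-error argument, so a single model whose instantiation or model-id getter fails would abort "-cpu help" entirely. Please confirm that every registered x86 CPU class can be instantiated at this point without an accelerator being initialised, or pass a local Error and print a placeholder on failure.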
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 10/42] vl.c: Replace smp global variables with smp machine properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in vl.c are completely replaced with machine
properties.

From this commit, the smp_cpus/smp_cores/smp_threads/max_cpus are deprecated
and only machine properties within MachineState are fully applied and enabled.

Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-11-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 vl.c | 53 ++---
 1 file changed, 26 insertions(+), 27 deletions(-)

diff --git a/vl.c b/vl.c
index d657faec03..56aa221385 100644
--- a/vl.c
+++ b/vl.c
@@ -163,10 +163,6 @@ static Chardev **serial_hds;
 Chardev *parallel_hds[MAX_PARALLEL_PORTS];
 int win2k_install_hack = 0;
 int singlestep = 0;
-int smp_cpus;
-unsigned int max_cpus;
-int smp_cores = 1;
-int smp_threads = 1;
 int acpi_enabled = 1;
 int no_hpet = 0;
 int fd_bootchk = 1;
@@ -1265,8 +1261,9 @@ static void smp_parse(QemuOpts *opts)
 sockets = sockets > 0 ? sockets : 1;
 cpus = cores * threads * sockets;
 } else {
-max_cpus = qemu_opt_get_number(opts, "maxcpus", cpus);
-sockets = max_cpus / (cores * threads);
+current_machine->smp.max_cpus =
+qemu_opt_get_number(opts, "maxcpus", cpus);
+sockets = current_machine->smp.max_cpus / (cores * threads);
 }
 } else if (cores == 0) {
 threads = threads > 0 ? threads : 1;
@@ -1283,34 +1280,37 @@ static void smp_parse(QemuOpts *opts)
 exit(1);
 }
 
-max_cpus = qemu_opt_get_number(opts, "maxcpus", cpus);
+current_machine->smp.max_cpus =
+qemu_opt_get_number(opts, "maxcpus", cpus);
 
-if (max_cpus < cpus) {
+if (current_machine->smp.max_cpus < cpus) {
 error_report("maxcpus must be equal to or greater than smp");
 exit(1);
 }
 
-if (sockets * cores * threads > max_cpus) {
+if (sockets * cores * threads > current_machine->smp.max_cpus) {
 error_report("cpu topology: "
  "sockets (%u) * cores (%u) * threads (%u) > "
  "maxcpus (%u)",
- sockets, cores, threads, max_cpus);
+ sockets, cores, threads,
+ current_machine->smp.max_cpus);
 exit(1);
 }
 
-if (sockets * cores * threads != max_cpus) {
+if (sockets * cores * threads != current_machine->smp.max_cpus) {
 warn_report("Invalid CPU topology deprecated: "
 "sockets (%u) * cores (%u) * threads (%u) "
 "!= maxcpus (%u)",
-sockets, cores, threads, max_cpus);
+sockets, cores, threads,
+current_machine->smp.max_cpus);
 }
 
-smp_cpus = cpus;
-smp_cores = cores;
-smp_threads = threads;
+current_machine->smp.cpus = cpus;
+current_machine->smp.cores = cores;
+current_machine->smp.threads = threads;
 }
 
-if (smp_cpus > 1) {
+if (current_machine->smp.cpus > 1) {
 Error *blocker = NULL;
 error_setg(, QERR_REPLAY_NOT_SUPPORTED, "smp");
 replay_add_blocker(blocker);
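Review bot: smp_parse() still takes only QemuOpts *opts but now reads and writes current_machine->smp throughout, so it silently depends on the global being set before it is called. Passing the MachineState in as a parameter would make that dependency explicit instead of trading four globals for one. Also note that smp.max_cpus is assigned before the "maxcpus must be equal to or greater than smp" check; that is harmless only because the failure path exits.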
@@ -4009,26 +4009,25 @@ int main(int argc, char **argv, char **envp)
 machine_class->default_cpus = machine_class->default_cpus ?: 1;
 
 /* default to machine_class->default_cpus */
-smp_cpus = machine_class->default_cpus;
-max_cpus = machine_class->default_cpus;
+current_machine->smp.cpus = machine_class->default_cpus;
+current_machine->smp.max_cpus = machine_class->default_cpus;
+current_machine->smp.cores = 1;
+current_machine->smp.threads = 1;
 
 smp_parse(qemu_opts_find(qemu_find_opts("smp-opts"), NULL));
 
-current_machine->smp.cpus = smp_cpus;
-current_machine->smp.max_cpus = max_cpus;
-current_machine->smp.cores = smp_cores;
-current_machine->smp.threads = smp_threads;
-
 /* sanity-check smp_cpus and max_cpus against machine_class */
-if (smp_cpus < machine_class->min_cpus) {
+if (current_machine->smp.cpus < machine_class->min_cpus) {
 error_report("Invalid SMP CPUs %d. The min CPUs "
- "supported by machine '%s' is %d", smp_cpus,
+ "supported by machine '%s' is %d",
+ current_machine->smp.cpus,
  machine_class->name, machine_class->min_cpus);
 exit(1);
 }
-if (max_cpus > machine_class->max_cpus) {
+if (current_machine->smp.max_cpus > machine_class->max_cpus) {
 error_report("Invalid SMP CPUs %d. The max CPUs "
- "supported by machine '%s' is %d", max_cpus,
+ "supported by machine '%s' is %d",
+ current_machine->smp.max_cpus,
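Review bot: the context comment "sanity-check smp_cpus and max_cpus against machine_class" in main() still names the globals this patch removes. Update it to refer to current_machine->smp.cpus and smp.max_cpus so a later search for smp_cpus does not turn up stale references.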
 

[Qemu-devel] [PULL v6 17/42] numa: deprecate 'mem' parameter of '-numa node' option

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

The parameter allows to configure fake NUMA topology where guest
VM simulates NUMA topology but not actually getting performance
benefits from it. The same or better results could be achieved
using 'memdev' parameter.
Besides unpredictable performance, the '-numa node.mem' option has
other issues when it's used in combination with -mem-path +
-mem-prealloc + memdev backends (pc-dimm), breaking binding of
memdev backends since mem-path/mem-prealloc are global and affect
most RAM allocations.

It's possible to make memdevs and global -mem-path/mem-prealloc
play nicely together, but that will just complicate already
complicated code and add non-obvious ways it could break on 2
different memory allocation paths and their combinations.

Instead, consolidate all guest RAM allocation over memdev,
which still allows creating fake NUMA configurations if desired
and leaves one simplified code path to consider when it comes
to guest RAM allocation.

To achieve desired simplification deprecate 'mem' parameter as its
ad-hoc partitioning of initial RAM MemoryRegion can't be translated
to memdev based backend transparently to users and in compatible
manner (migration wise).

Later down the road that will allow to consolidate means of how
guest RAM is allocated and would permit us to clean up quite
a bit memory allocations and numa code, leaving only 'memdev'
implementation in place.

Signed-off-by: Igor Mammedov 
Message-Id: <1559205199-233510-3-git-send-email-imamm...@redhat.com>
Signed-off-by: Eduardo Habkost 
---
 hw/core/numa.c   |  2 ++
 qemu-deprecated.texi | 16 
 2 files changed, 18 insertions(+)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index 4252af7100..b9e79b8c8b 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -118,6 +118,8 @@ static void parse_numa_node(MachineState *ms, 
NumaNodeOptions *node,
 
 if (node->has_mem) {
 numa_info[nodenr].node_mem = node->mem;
+warn_report("Parameter -numa node,mem is deprecated,"
+" use -numa node,memdev instead");
 }
 if (node->has_memdev) {
 Object *o;
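Review bot: the deprecation warn_report() sits inside the if (node->has_mem) branch of parse_numa_node(), so a guest configured with several "-numa node,mem=" options prints the same warning once per node. Guard it with a static flag so it is reported once per run.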
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
index 40c017b426..ba52999f7f 100644
--- a/qemu-deprecated.texi
+++ b/qemu-deprecated.texi
@@ -88,6 +88,22 @@ The @code{-realtime mlock=on|off} argument has been replaced 
by the
 The ``-virtfs_synth'' argument is now deprecated. Please use ``-fsdev synth''
 and ``-device virtio-9p-...'' instead.
 
+@subsection -numa node,mem=@var{size} (since 4.1)
+
+The parameter @option{mem} of @option{-numa node} is used to assign a part of
+guest RAM to a NUMA node. But when using it, it's impossible to manage 
specified
+RAM chunk on the host side (like bind it to a host node, setting bind policy, 
...),
+so guest end-ups with the fake NUMA configuration with suboptiomal performance.
+However since 2014 there is an alternative way to assign RAM to a NUMA node
+using parameter @option{memdev}, which does the same as @option{mem} and adds
+means to actualy manage node RAM on the host side. Use parameter 
@option{memdev}
+with @var{memory-backend-ram} backend as an replacement for parameter 
@option{mem}
+to achieve the same fake NUMA effect or a properly configured
+@var{memory-backend-file} backend to actually benefit from NUMA configuration.
+In future new machine versions will not accept the option but it will still
+work with old machine types. User can check QAPI schema to see if the legacy
+option is supported by looking at MachineInfo::numa-mem-supported property.
+
 @section QEMU Machine Protocol (QMP) commands
 
 @subsection block-dirty-bitmap-add "autoload" parameter (since 2.12.0)
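Review bot: the new "-numa node,mem=size" subsection has several typos that will end up in the published manual: "end-ups" (ends up), "suboptiomal", "actualy" and "an replacement". The paragraph would also read better split in two, one part on why mem is a problem and one on what to use instead.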
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 32/42] i386: Add x-force-features option for testing

2019-07-05 Thread Eduardo Habkost
Add a new option that can be used to disable feature flag
filtering.  This will allow CPU model compatibility test cases to
work without host hardware dependencies.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-3-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.h | 6 ++
 target/i386/cpu.c | 8 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 0a96c78669..4727226a6a 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1417,6 +1417,12 @@ struct X86CPU {
 
 bool check_cpuid;
 bool enforce_cpuid;
+/*
+ * Force features to be enabled even if the host doesn't support them.
+ * This is dangerous and should be done only for testing CPUID
+ * compatibility.
+ */
+bool force_features;
 bool expose_kvm;
 bool expose_tcg;
 bool migratable;
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 62043fee54..8852b57c0b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5250,8 +5250,11 @@ static int x86_cpu_filter_features(X86CPU *cpu)
 uint32_t host_feat =
 x86_cpu_get_supported_feature_word(w, false);
 uint32_t requested_features = env->features[w];
-env->features[w] &= host_feat;
-cpu->filtered_features[w] = requested_features & ~env->features[w];
+uint32_t available_features = requested_features & host_feat;
+if (!cpu->force_features) {
+env->features[w] = available_features;
+}
+cpu->filtered_features[w] = requested_features & ~available_features;
 if (cpu->filtered_features[w]) {
 rv = 1;
 }
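Review bot: with force_features set, the loop in x86_cpu_filter_features() still records the missing bits in cpu->filtered_features[w] and sets rv = 1, so callers that act on the return value will keep reporting, or rejecting, features that are in fact left enabled in env->features[w]. Please state in the comment whether x-force-features is meant to be combined with check and enforce, and what the caller should expect in that case.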
@@ -5980,6 +5983,7 @@ static Property x86_cpu_properties[] = {
 
 DEFINE_PROP_BOOL("check", X86CPU, check_cpuid, true),
 DEFINE_PROP_BOOL("enforce", X86CPU, enforce_cpuid, false),
+DEFINE_PROP_BOOL("x-force-features", X86CPU, force_features, false),
 DEFINE_PROP_BOOL("kvm", X86CPU, expose_kvm, true),
 DEFINE_PROP_UINT32("phys-bits", X86CPU, phys_bits, 0),
 DEFINE_PROP_BOOL("host-phys-bits", X86CPU, host_phys_bits, false),
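Review bot: "x-force-features" is registered alongside check and enforce as an ordinary settable property, and the struct comment in cpu.h calls it dangerous, yet nothing tells the operator at run time that it is active. A warn_report() when the property is set would make accidental use in a production configuration visible in the logs, since a guest may then see CPUID bits the host cannot back.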
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 31/42] qmp: Add "alias-of" field to query-cpu-definitions

2019-07-05 Thread Eduardo Habkost
Management software will be expected to resolve CPU model name
aliases using the new field.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190628002844.24894-2-ehabk...@redhat.com>
Reviewed-by: Daniel P. Berrangé 
Signed-off-by: Eduardo Habkost 
---
 qapi/machine-target.json | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/qapi/machine-target.json b/qapi/machine-target.json
index 5d7480f6ab..55310a6aa2 100644
--- a/qapi/machine-target.json
+++ b/qapi/machine-target.json
@@ -279,6 +279,12 @@
 #to introspect properties configurable using -cpu or -global.
 #(since 2.9)
 #
+# @alias-of: Name of CPU model this model is an alias for.  The target of the
+#CPU model alias may change depending on the machine type.
+#Management software is supposed to translate CPU model aliases
+#in the VM configuration, because aliases may stop being
+#migration-safe in the future (since 4.1)
+#
 # @unavailable-features is a list of QOM property names that
 # represent CPU model attributes that prevent the CPU from running.
 # If the QOM property is read-only, that means there's no known
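
Review bot: the @alias-of description does not say that the member is optional, although the schema hunk below declares it as '*alias-of'. State that it is present only when the model is an alias, and end the sentence before "(since 4.1)" so the entry reads like the "(since 2.9)" entry above it.
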
@@ -302,7 +308,8 @@
 '*migration-safe': 'bool',
 'static': 'bool',
 '*unavailable-features': [ 'str' ],
-'typename': 'str' },
+'typename': 'str',
+'*alias-of' : 'str' },
   'if': 'defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_I386) || 
defined(TARGET_S390X) || defined(TARGET_MIPS)' }
 
 ##
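
Review bot: style nit on the added line '*alias-of' : 'str', which has a space before the colon while every neighbouring member ('typename': 'str', 'static': 'bool') has none. Drop the space to match.
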
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 12/42] hw/i386: Adjust nr_dies with configured smp_dies for PCMachine

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

To support multiple dies configuration on PCMachine, the best place to
set CPUX86State->nr_dies with requested PCMachineState->smp_dies is in
pc_new_cpu() and pc_cpu_pre_plug(). Refactoring pc_new_cpu() is applied
and redundant parameter "const char *typename" would be removed.

Suggested-by: Eduardo Habkost 
Signed-off-by: Like Xu 
Message-Id: <20190612084104.34984-3-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 hw/i386/pc.c | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index d44b2d06db..4dac96860d 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1514,12 +1514,16 @@ void pc_acpi_smi_interrupt(void *opaque, int irq, int 
level)
 }
 }
 
-static void pc_new_cpu(const char *typename, int64_t apic_id, Error **errp)
+static void pc_new_cpu(PCMachineState *pcms, int64_t apic_id, Error **errp)
 {
 Object *cpu = NULL;
 Error *local_err = NULL;
+CPUX86State *env = NULL;
 
-cpu = object_new(typename);
+cpu = object_new(MACHINE(pcms)->cpu_type);
+
+env = _CPU(cpu)->env;
+env->nr_dies = pcms->smp_dies;
 
 object_property_set_uint(cpu, apic_id, "apic-id", _err);
 object_property_set_bool(cpu, true, "realized", _err);
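
Review bot: in pc_new_cpu(), env is initialised to NULL and then assigned unconditionally two statements later, so the initialiser is dead; drop it or declare env at the point of use. Since nr_dies is copied from pcms->smp_dies with no check before the CPU is realized, it would also help to assert or document that smp_dies is at least 1 at this point.
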
@@ -1546,7 +1550,7 @@ void pc_hot_add_cpu(MachineState *ms, const int64_t id, 
Error **errp)
 return;
 }
 
-pc_new_cpu(ms->cpu_type, apic_id, _err);
+pc_new_cpu(PC_MACHINE(ms), apic_id, _err);
 if (local_err) {
 error_propagate(errp, local_err);
 return;
@@ -1571,8 +1575,7 @@ void pc_cpus_init(PCMachineState *pcms)
  ms->smp.max_cpus - 1) + 1;
 possible_cpus = mc->possible_cpu_arch_ids(ms);
 for (i = 0; i < ms->smp.cpus; i++) {
-pc_new_cpu(possible_cpus->cpus[i].type, possible_cpus->cpus[i].arch_id,
-   _fatal);
+pc_new_cpu(pcms, possible_cpus->cpus[i].arch_id, _fatal);
 }
 }
 
@@ -2292,6 +2295,7 @@ static void pc_cpu_pre_plug(HotplugHandler *hotplug_dev,
 CPUArchId *cpu_slot;
 X86CPUTopoInfo topo;
 X86CPU *cpu = X86_CPU(dev);
+CPUX86State *env = >env;
 MachineState *ms = MACHINE(hotplug_dev);
 PCMachineState *pcms = PC_MACHINE(hotplug_dev);
 unsigned int smp_cores = ms->smp.cores;
@@ -2303,6 +2307,8 @@ static void pc_cpu_pre_plug(HotplugHandler *hotplug_dev,
 return;
 }
 
+env->nr_dies = pcms->smp_dies;
+
 /*
  * If APIC ID is not set,
  * set it based on socket/die/core/thread properties.
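
Review bot: env->nr_dies is now assigned both here in pc_cpu_pre_plug() and in pc_new_cpu(), and neither site says why the other is not enough. Add a one-line comment at one of them; if the reason is CPUs that never pass through pc_new_cpu(), say so, otherwise the next cleanup will treat one assignment as redundant.
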
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 25/42] i386: Remove unused host_cpudef variable

2019-07-05 Thread Eduardo Habkost
The variable is completely unused, probably a leftover from
previous code clean up.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190625050008.12789-3-ehabk...@redhat.com>
Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 6 --
 1 file changed, 6 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 6787da4209..b9d6f32945 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3134,14 +3134,8 @@ static void max_x86_cpu_initfn(Object *obj)
 char vendor[CPUID_VENDOR_SZ + 1] = { 0 };
 char model_id[CPUID_MODEL_ID_SZ + 1] = { 0 };
 int family, model, stepping;
-X86CPUDefinition host_cpudef = { };
-uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
-
-host_cpuid(0x0, 0, , , , );
-x86_cpu_vendor_words2str(host_cpudef.vendor, ebx, edx, ecx);
 
 host_vendor_fms(vendor, , , );
-
 cpu_x86_fill_model_id(model_id);
 
 object_property_set_str(OBJECT(cpu), vendor, "vendor", _abort);
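
Review bot: the commit message says only that host_cpudef is unused, but this hunk in max_x86_cpu_initfn() also deletes the host_cpuid(0x0, ...) and x86_cpu_vendor_words2str() calls that wrote to it, plus the eax/ebx/ecx/edx locals. Say that explicitly so it is clear nothing relied on those calls. The blank line removed before cpu_x86_fill_model_id() is unrelated whitespace churn and can be left alone.
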
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 16/42] machine: show if CLI option '-numa node, mem' is supported in QAPI schema

2019-07-05 Thread Eduardo Habkost
From: Igor Mammedov 

Legacy '-numa node,mem' option has a number of issues and mgmt often
defaults to it. Unfortunately it's not possible to replace it with
an alternative '-numa memdev' without breaking migration compatibility.
What's possible though is to deprecate it, keeping option working with
old machine types only.

In order to help users to find out if being deprecated CLI option
'-numa node,mem' is still supported by particular machine type, add new
"numa-mem-supported" property to output of query-machines.

"numa-mem-supported" is set to 'true' for machines that currently support
NUMA, but it will be flipped to 'false' later on, once deprecation period
expires and kept 'true' only for old machine types that used to support
the legacy option so it won't break existing configurations that are using
it.

Signed-off-by: Igor Mammedov 
Message-Id: <1560172207-378962-1-git-send-email-imamm...@redhat.com>
Reviewed-by: Markus Armbruster 
Signed-off-by: Eduardo Habkost 
---
 qapi/machine.json  | 5 -
 include/hw/boards.h| 3 +++
 hw/arm/virt.c  | 1 +
 hw/core/machine-qmp-cmds.c | 1 +
 hw/i386/pc.c   | 1 +
 hw/ppc/spapr.c | 1 +
 6 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index 979bc41e49..78d34ef717 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -318,12 +318,15 @@
 #
 # @hotpluggable-cpus: cpu hotplug via -device is supported (since 2.7.0)
 #
+# @numa-mem-supported: true if '-numa node,mem' option is supported by
+#  the machine type and false otherwise (since 4.1)
+#
 # Since: 1.2.0
 ##
 { 'struct': 'MachineInfo',
   'data': { 'name': 'str', '*alias': 'str',
 '*is-default': 'bool', 'cpu-max': 'int',
-'hotpluggable-cpus': 'bool'} }
+'hotpluggable-cpus': 'bool', 'numa-mem-supported': 'bool'} }
 
 ##
 # @query-machines:
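
Review bot: the @numa-mem-supported description does not mention that '-numa node,mem' is being deprecated, which according to the commit message is the reason the member exists. Add a sentence saying that clients should stop using the option on machine types that report false, and name the '-numa memdev' alternative.
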
diff --git a/include/hw/boards.h b/include/hw/boards.h
index d84f48c4af..ae7a542511 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -160,6 +160,8 @@ typedef struct {
  * @kvm_type:
  *Return the type of KVM corresponding to the kvm-type string option or
  *computed based on other criteria such as the host kernel capabilities.
+ * @numa_mem_supported:
+ *true if '--numa node.mem' option is supported and false otherwise
  */
 struct MachineClass {
 /*< private >*/
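
Review bot: the new @numa_mem_supported comment spells the option as '--numa node.mem', with a double dash and a dot, while the QAPI documentation and the commit message both use '-numa node,mem'. Use the same spelling here so a grep for the option finds this field.
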
@@ -212,6 +214,7 @@ struct MachineClass {
 bool ignore_boot_device_suffixes;
 bool smbus_no_migration_support;
 bool nvdimm_supported;
+bool numa_mem_supported;
 
 HotplugHandler *(*get_hotplug_handler)(MachineState *machine,
DeviceState *dev);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 20f191bc93..0b5138cb22 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1952,6 +1952,7 @@ static void virt_machine_class_init(ObjectClass *oc, void 
*data)
 assert(!mc->get_hotplug_handler);
 mc->get_hotplug_handler = virt_machine_get_hotplug_handler;
 hc->plug = virt_machine_device_plug_cb;
+mc->numa_mem_supported = true;
 }
 
 static void virt_instance_init(Object *obj)
diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
index 14dbad1d6e..754ce77664 100644
--- a/hw/core/machine-qmp-cmds.c
+++ b/hw/core/machine-qmp-cmds.c
@@ -226,6 +226,7 @@ MachineInfoList *qmp_query_machines(Error **errp)
 info->name = g_strdup(mc->name);
 info->cpu_max = !mc->max_cpus ? 1 : mc->max_cpus;
 info->hotpluggable_cpus = mc->has_hotpluggable_cpus;
+info->numa_mem_supported = mc->numa_mem_supported;
 
 entry = g_malloc0(sizeof(*entry));
 entry->value = info;
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 2107532d12..14f7b4532e 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -2856,6 +2856,7 @@ static void pc_machine_class_init(ObjectClass *oc, void 
*data)
 nc->nmi_monitor_handler = x86_nmi;
 mc->default_cpu_type = TARGET_DEFAULT_CPU_TYPE;
 mc->nvdimm_supported = true;
+mc->numa_mem_supported = true;
 
 object_class_property_add(oc, PC_MACHINE_DEVMEM_REGION_SIZE, "int",
 pc_machine_get_device_memory_region_size, NULL,
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 51256ac9ca..821f0d4a49 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4367,6 +4367,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
  * in which LMBs are represented and hot-added
  */
 mc->numa_mem_align_shift = 28;
+mc->numa_mem_supported = true;
 
 smc->default_caps.caps[SPAPR_CAP_HTM] = SPAPR_CAP_OFF;
 smc->default_caps.caps[SPAPR_CAP_VSX] = SPAPR_CAP_ON;
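
Review bot: numa_mem_supported is set in only three class_init functions in this patch (arm virt, pc and spapr), so every other machine type will report whatever the field's unset value is. Confirm that no other machine accepts '-numa node,mem' today, and say in the commit message how the list was derived, otherwise query-machines can report false for a machine where the option still works.
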
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 27/42] machine: Refactor smp_parse() in vl.c as MachineClass::smp_parse()

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

To make smp_parse() more flexible and expansive, a smp_parse function
pointer is added to MachineClass that machine types could override.

The generic smp_parse() code in vl.c is moved to hw/core/machine.c, and
becomes the default implementation of MachineClass::smp_parse. A PC-specific
function called pc_smp_parse() has been added to hw/i386/pc.c, which in
this patch changes nothing against the default one.

Suggested-by: Eduardo Habkost 
Signed-off-by: Like Xu 
Reviewed-by: Eduardo Habkost 
Message-Id: <20190620054525.37188-3-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 include/hw/boards.h  |  5 +++
 include/hw/i386/pc.h |  1 +
 hw/core/machine.c| 76 ++
 hw/i386/pc.c | 79 
 vl.c | 75 ++---
 5 files changed, 163 insertions(+), 73 deletions(-)

diff --git a/include/hw/boards.h b/include/hw/boards.h
index ae7a542511..a71d1a53a5 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -162,6 +162,10 @@ typedef struct {
  *computed based on other criteria such as the host kernel capabilities.
  * @numa_mem_supported:
  *true if '--numa node.mem' option is supported and false otherwise
+ * @smp_parse:
+ *The function pointer to hook different machine specific functions for
+ *parsing "smp-opts" from QemuOpts to MachineState::CpuTopology and more
+ *machine specific topology fields, such as smp_dies for PCMachine.
  */
 struct MachineClass {
 /*< private >*/
@@ -178,6 +182,7 @@ struct MachineClass {
 void (*reset)(MachineState *state);
 void (*hot_add_cpu)(MachineState *state, const int64_t id, Error **errp);
 int (*kvm_type)(MachineState *machine, const char *arg);
+void (*smp_parse)(MachineState *ms, QemuOpts *opts);
 
 BlockInterfaceType block_default_type;
 int units_per_default_bus;
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index e56c1a39cb..0fa3e3beeb 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -192,6 +192,7 @@ void pc_acpi_smi_interrupt(void *opaque, int irq, int 
level);
 
 void pc_cpus_init(PCMachineState *pcms);
 void pc_hot_add_cpu(MachineState *ms, const int64_t id, Error **errp);
+void pc_smp_parse(MachineState *ms, QemuOpts *opts);
 
 void pc_guest_info_init(PCMachineState *pcms);
 
diff --git a/hw/core/machine.c b/hw/core/machine.c
index b35dea05bd..2be19ec0cd 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -11,6 +11,9 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/option.h"
+#include "qapi/qmp/qerror.h"
+#include "sysemu/replay.h"
 #include "qemu/units.h"
 #include "hw/boards.h"
 #include "qapi/error.h"
@@ -726,6 +729,78 @@ void machine_set_cpu_numa_node(MachineState *machine,
 }
 }
 
+static void smp_parse(MachineState *ms, QemuOpts *opts)
+{
+if (opts) {
+unsigned cpus= qemu_opt_get_number(opts, "cpus", 0);
+unsigned sockets = qemu_opt_get_number(opts, "sockets", 0);
+unsigned cores   = qemu_opt_get_number(opts, "cores", 0);
+unsigned threads = qemu_opt_get_number(opts, "threads", 0);
+
+/* compute missing values, prefer sockets over cores over threads */
+if (cpus == 0 || sockets == 0) {
+cores = cores > 0 ? cores : 1;
+threads = threads > 0 ? threads : 1;
+if (cpus == 0) {
+sockets = sockets > 0 ? sockets : 1;
+cpus = cores * threads * sockets;
+} else {
+ms->smp.max_cpus =
+qemu_opt_get_number(opts, "maxcpus", cpus);
+sockets = ms->smp.max_cpus / (cores * threads);
+}
+} else if (cores == 0) {
+threads = threads > 0 ? threads : 1;
+cores = cpus / (sockets * threads);
+cores = cores > 0 ? cores : 1;
+} else if (threads == 0) {
+threads = cpus / (cores * sockets);
+threads = threads > 0 ? threads : 1;
+} else if (sockets * cores * threads < cpus) {
+error_report("cpu topology: "
+ "sockets (%u) * cores (%u) * threads (%u) < "
+ "smp_cpus (%u)",
+ sockets, cores, threads, cpus);
+exit(1);
+}
+
+ms->smp.max_cpus =
+qemu_opt_get_number(opts, "maxcpus", cpus);
+
+if (ms->smp.max_cpus < cpus) {
+error_report("maxcpus must be equal to or greater than smp");
+exit(1);
+}
+
+if (sockets * cores * threads > ms->smp.max_cpus) {
+error_report("cpu topology: "
+ "sockets (%u) * cores (%u) * threads (%u) > "
+ "maxcpus (%u)",
+ sockets, cores, threads,
+ ms->smp.max_cpus);
+exit(1);
+}
+
+if (sockets * cores * threads != 
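
Review bot: in the new smp_parse(), cpus, sockets, cores and threads are user-supplied values stored in plain unsigned, and the products sockets * cores * threads are computed in unsigned too, so large values can wrap and slip past the "< smp_cpus" and "> maxcpus" checks. Since the code is being moved anyway, bound each value before multiplying. Now that this is a MachineClass hook, it would also be cleaner to report failures through an Error ** parameter than to call exit(1) from inside the hook.
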

[Qemu-devel] [PULL v6 09/42] hw: Replace global smp variables with MachineState for all remaining archs

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in alpha/hppa/mips/openrisc/sparc*/xtensa codes
are replaced with smp properties from MachineState.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-10-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 hw/alpha/dp264.c   | 1 +
 hw/hppa/machine.c  | 2 ++
 hw/mips/boston.c   | 2 +-
 hw/mips/mips_malta.c   | 2 ++
 hw/openrisc/openrisc_sim.c | 1 +
 hw/sparc/sun4m.c   | 2 ++
 hw/sparc64/sun4u.c | 4 ++--
 hw/xtensa/sim.c| 2 +-
 hw/xtensa/xtfpga.c | 1 +
 9 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/hw/alpha/dp264.c b/hw/alpha/dp264.c
index 0347eb897c..9dfb835013 100644
--- a/hw/alpha/dp264.c
+++ b/hw/alpha/dp264.c
@@ -63,6 +63,7 @@ static void clipper_init(MachineState *machine)
 char *palcode_filename;
 uint64_t palcode_entry, palcode_low, palcode_high;
 uint64_t kernel_entry, kernel_low, kernel_high;
+unsigned int smp_cpus = machine->smp.cpus;
 
 /* Create up to 4 cpus.  */
 memset(cpus, 0, sizeof(cpus));
diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
index 416e67bab1..662838d83b 100644
--- a/hw/hppa/machine.c
+++ b/hw/hppa/machine.c
@@ -72,6 +72,7 @@ static void machine_hppa_init(MachineState *machine)
 MemoryRegion *ram_region;
 MemoryRegion *cpu_region;
 long i;
+unsigned int smp_cpus = machine->smp.cpus;
 
 ram_size = machine->ram_size;
 
@@ -242,6 +243,7 @@ static void machine_hppa_init(MachineState *machine)
 
 static void hppa_machine_reset(MachineState *ms)
 {
+unsigned int smp_cpus = ms->smp.cpus;
 int i;
 
 qemu_devices_reset();
diff --git a/hw/mips/boston.c b/hw/mips/boston.c
index 749582e5aa..9eeccbea9a 100644
--- a/hw/mips/boston.c
+++ b/hw/mips/boston.c
@@ -458,7 +458,7 @@ static void boston_mach_init(MachineState *machine)
   sizeof(s->cps), TYPE_MIPS_CPS);
 object_property_set_str(OBJECT(>cps), machine->cpu_type, "cpu-type",
 );
-object_property_set_int(OBJECT(>cps), smp_cpus, "num-vp", );
+object_property_set_int(OBJECT(>cps), machine->smp.cpus, "num-vp", 
);
 object_property_set_bool(OBJECT(>cps), true, "realized", );
 
 if (err != NULL) {
diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 132127882d..20e019bf66 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -1095,6 +1095,8 @@ static int64_t load_kernel (void)
 
 static void malta_mips_config(MIPSCPU *cpu)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
+unsigned int smp_cpus = ms->smp.cpus;
 CPUMIPSState *env = >env;
 CPUState *cs = CPU(cpu);
 
diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
index 87b9feaa96..b85f0df323 100644
--- a/hw/openrisc/openrisc_sim.c
+++ b/hw/openrisc/openrisc_sim.c
@@ -130,6 +130,7 @@ static void openrisc_sim_init(MachineState *machine)
 qemu_irq *cpu_irqs[2];
 qemu_irq serial_irq;
 int n;
+unsigned int smp_cpus = machine->smp.cpus;
 
 for (n = 0; n < smp_cpus; n++) {
 cpu = OPENRISC_CPU(cpu_create(machine->cpu_type));
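
Review bot: in openrisc_sim_init() the loop "for (n = 0; n < smp_cpus; n++)" now compares int n against the new unsigned int smp_cpus. The commit message promises no semantic changes, so either make n unsigned as well or keep the local as int, to avoid a signed/unsigned comparison warning.
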
diff --git a/hw/sparc/sun4m.c b/hw/sparc/sun4m.c
index 99f53e87f7..b2342f2a89 100644
--- a/hw/sparc/sun4m.c
+++ b/hw/sparc/sun4m.c
@@ -871,6 +871,8 @@ static void sun4m_hw_init(const struct sun4m_hwdef *hwdef,
 FWCfgState *fw_cfg;
 DeviceState *dev;
 SysBusDevice *s;
+unsigned int smp_cpus = machine->smp.cpus;
+unsigned int max_cpus = machine->smp.max_cpus;
 
 /* init CPUs */
 for(i = 0; i < smp_cpus; i++) {
diff --git a/hw/sparc64/sun4u.c b/hw/sparc64/sun4u.c
index 4230b17b87..5d87be811d 100644
--- a/hw/sparc64/sun4u.c
+++ b/hw/sparc64/sun4u.c
@@ -697,8 +697,8 @@ static void sun4uv_init(MemoryRegion *address_space_mem,
 _CFG_IO(dev)->comb_iomem);
 
 fw_cfg = FW_CFG(dev);
-fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)smp_cpus);
-fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
+fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)machine->smp.cpus);
+fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)machine->smp.max_cpus);
 fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
 fw_cfg_add_i16(fw_cfg, FW_CFG_MACHINE_ID, hwdef->machine_id);
 fw_cfg_add_i64(fw_cfg, FW_CFG_KERNEL_ADDR, kernel_entry);
diff --git a/hw/xtensa/sim.c b/hw/xtensa/sim.c
index b6922c39d5..09165b6f4d 100644
--- a/hw/xtensa/sim.c
+++ b/hw/xtensa/sim.c
@@ -59,7 +59,7 @@ static void xtensa_sim_init(MachineState *machine)
 const char *kernel_filename = machine->kernel_filename;
 int n;
 
-for (n = 0; n < smp_cpus; n++) {
+for (n = 0; n < machine->smp.cpus; n++) {
 cpu = XTENSA_CPU(cpu_create(machine->cpu_type));

[Qemu-devel] [PULL v6 23/42] i386: make 'hv-spinlocks' a regular uint32 property

2019-07-05 Thread Eduardo Habkost
From: Roman Kagan 

X86CPU.hv-spinlocks is a uint32 property that has a special setter
validating the value to be no less than 0xFFF and no bigger than
UINT_MAX.  The latter check is redundant; as for the former, there
appears to be no reason to prohibit the user from setting it to a lower
value.

So nuke the dedicated getter/setter pair and convert 'hv-spinlocks' to a
regular uint32 property.

Signed-off-by: Roman Kagan 
Message-Id: <20190618110659.14744-1-rka...@virtuozzo.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.c | 45 ++---
 1 file changed, 2 insertions(+), 43 deletions(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index f538b54150..6787da4209 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3518,46 +3518,6 @@ static void x86_cpu_get_feature_words(Object *obj, 
Visitor *v,
 visit_type_X86CPUFeatureWordInfoList(v, "feature-words", , errp);
 }
 
-static void x86_get_hv_spinlocks(Object *obj, Visitor *v, const char *name,
- void *opaque, Error **errp)
-{
-X86CPU *cpu = X86_CPU(obj);
-int64_t value = cpu->hyperv_spinlock_attempts;
-
-visit_type_int(v, name, , errp);
-}
-
-static void x86_set_hv_spinlocks(Object *obj, Visitor *v, const char *name,
- void *opaque, Error **errp)
-{
-const int64_t min = 0xFFF;
-const int64_t max = UINT_MAX;
-X86CPU *cpu = X86_CPU(obj);
-Error *err = NULL;
-int64_t value;
-
-visit_type_int(v, name, , );
-if (err) {
-error_propagate(errp, err);
-return;
-}
-
-if (value < min || value > max) {
-error_setg(errp, "Property %s.%s doesn't take value %" PRId64
-   " (minimum: %" PRId64 ", maximum: %" PRId64 ")",
-   object_get_typename(obj), name ? name : "null",
-   value, min, max);
-return;
-}
-cpu->hyperv_spinlock_attempts = value;
-}
-
-static const PropertyInfo qdev_prop_spinlocks = {
-.name  = "int",
-.get   = x86_get_hv_spinlocks,
-.set   = x86_set_hv_spinlocks,
-};
-
 /* Convert all '_' in a feature string option name to '-', to make feature
  * name conform to QOM property naming rule, which uses '-' instead of '_'.
  */
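
Review bot: removing x86_set_hv_spinlocks() drops the lower bound of 0xFFF, so values that used to be rejected with an error, including 0, are now accepted silently. The commit message says there appears to be no reason for the bound; add a sentence on what a guest sees for small values, and a test that sets one, so the relaxed validation is a documented decision rather than a side effect.
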
@@ -5682,8 +5642,6 @@ static void x86_cpu_initfn(Object *obj)
 object_property_add(obj, "crash-information", "GuestPanicInformation",
 x86_cpu_get_crash_info_qom, NULL, NULL, NULL, NULL);
 
-cpu->hyperv_spinlock_attempts = HYPERV_SPINLOCK_NEVER_RETRY;
-
 for (w = 0; w < FEATURE_WORDS; w++) {
 int bitnr;
 
@@ -5880,7 +5838,8 @@ static Property x86_cpu_properties[] = {
 DEFINE_PROP_INT32("node-id", X86CPU, node_id, CPU_UNSET_NUMA_NODE_ID),
 DEFINE_PROP_BOOL("pmu", X86CPU, enable_pmu, false),
 
-{ .name  = "hv-spinlocks", .info  = _prop_spinlocks },
+DEFINE_PROP_UINT32("hv-spinlocks", X86CPU, hyperv_spinlock_attempts,
+   HYPERV_SPINLOCK_NEVER_RETRY),
 DEFINE_PROP_BIT64("hv-relaxed", X86CPU, hyperv_features,
   HYPERV_FEAT_RELAXED, 0),
 DEFINE_PROP_BIT64("hv-vapic", X86CPU, hyperv_features,
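
Review bot: replacing the custom PropertyInfo with DEFINE_PROP_UINT32 changes the type name the property reports, because the removed qdev_prop_spinlocks declared .name = "int". Mention this in the commit message, since it is visible to anything that introspects CPU properties. The move of the HYPERV_SPINLOCK_NEVER_RETRY default from x86_cpu_initfn() into the property definition looks right.
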
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 03/42] general: Replace global smp variables with smp machine properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

Basically, the context could get the MachineState reference via call
chains or unrecommended qdev_get_machine() in !CONFIG_USER_ONLY mode.

A local variable of the same name would be introduced in the declaration
phase out of less effort OR replace it on the spot if it's only used
once in the context. No semantic changes.

Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-4-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 accel/kvm/kvm-all.c  |  4 ++--
 backends/hostmem.c   |  6 --
 cpus.c   |  7 +--
 exec.c   |  3 ++-
 gdbstub.c|  4 
 hw/core/numa.c   |  1 +
 hw/cpu/core.c|  4 +++-
 migration/postcopy-ram.c |  8 +++-
 target/openrisc/sys_helper.c |  6 +-
 tcg/tcg.c| 13 -
 10 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index e3cf72883b..3d86ae5052 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -1542,8 +1542,8 @@ static int kvm_init(MachineState *ms)
 const char *name;
 int num;
 } num_cpus[] = {
-{ "SMP",  smp_cpus },
-{ "hotpluggable", max_cpus },
+{ "SMP",  ms->smp.cpus },
+{ "hotpluggable", ms->smp.max_cpus },
 { NULL, }
 }, *nc = num_cpus;
 int soft_vcpus_limit, hard_vcpus_limit;
diff --git a/backends/hostmem.c b/backends/hostmem.c
index 04baf479a1..463102aa15 100644
--- a/backends/hostmem.c
+++ b/backends/hostmem.c
@@ -222,6 +222,7 @@ static void host_memory_backend_set_prealloc(Object *obj, 
bool value,
 {
 Error *local_err = NULL;
 HostMemoryBackend *backend = MEMORY_BACKEND(obj);
+MachineState *ms = MACHINE(qdev_get_machine());
 
 if (backend->force_prealloc) {
 if (value) {
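
Review bot: host_memory_backend_set_prealloc() now calls MACHINE(qdev_get_machine()) at the top of the function on every invocation, but ms is only read in the single os_mem_prealloc() call in the next hunk. The commit message says single uses are replaced on the spot; do the lookup next to that call, which also keeps the global access out of the early-return paths.
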
@@ -241,7 +242,7 @@ static void host_memory_backend_set_prealloc(Object *obj, 
bool value,
 void *ptr = memory_region_get_ram_ptr(>mr);
 uint64_t sz = memory_region_size(>mr);
 
-os_mem_prealloc(fd, ptr, sz, smp_cpus, _err);
+os_mem_prealloc(fd, ptr, sz, ms->smp.cpus, _err);
 if (local_err) {
 error_propagate(errp, local_err);
 return;
@@ -311,6 +312,7 @@ host_memory_backend_memory_complete(UserCreatable *uc, 
Error **errp)
 {
 HostMemoryBackend *backend = MEMORY_BACKEND(uc);
 HostMemoryBackendClass *bc = MEMORY_BACKEND_GET_CLASS(uc);
+MachineState *ms = MACHINE(qdev_get_machine());
 Error *local_err = NULL;
 void *ptr;
 uint64_t sz;
@@ -375,7 +377,7 @@ host_memory_backend_memory_complete(UserCreatable *uc, 
Error **errp)
  */
 if (backend->prealloc) {
 os_mem_prealloc(memory_region_get_fd(>mr), ptr, sz,
-smp_cpus, _err);
+ms->smp.cpus, _err);
 if (local_err) {
 goto out;
 }
diff --git a/cpus.c b/cpus.c
index eef7b007ae..927a00aa90 100644
--- a/cpus.c
+++ b/cpus.c
@@ -54,6 +54,7 @@
 #include "tcg.h"
 #include "hw/nmi.h"
 #include "sysemu/replay.h"
+#include "hw/boards.h"
 
 #ifdef CONFIG_LINUX
 
@@ -2075,8 +2076,10 @@ static void qemu_dummy_start_vcpu(CPUState *cpu)
 
 void qemu_init_vcpu(CPUState *cpu)
 {
-cpu->nr_cores = smp_cores;
-cpu->nr_threads = smp_threads;
+MachineState *ms = MACHINE(qdev_get_machine());
+
+cpu->nr_cores = ms->smp.cores;
+cpu->nr_threads =  ms->smp.threads;
 cpu->stopped = true;
 cpu->random_seed = qemu_guest_random_seed_thread_part1();
 
diff --git a/exec.c b/exec.c
index e7622d1956..50ea9c5aaa 100644
--- a/exec.c
+++ b/exec.c
@@ -1874,6 +1874,7 @@ static void *file_ram_alloc(RAMBlock *block,
 bool truncate,
 Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 void *area;
 
 block->page_size = qemu_fd_getpagesize(fd);
@@ -1930,7 +1931,7 @@ static void *file_ram_alloc(RAMBlock *block,
 }
 
 if (mem_prealloc) {
-os_mem_prealloc(fd, area, memory, smp_cpus, errp);
+os_mem_prealloc(fd, area, memory, ms->smp.cpus, errp);
 if (errp && *errp) {
 qemu_ram_munmap(fd, area, memory);
 return NULL;
diff --git a/gdbstub.c b/gdbstub.c
index 8618e34311..687c02e598 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -34,6 +34,7 @@
 #include "sysemu/sysemu.h"
 #include "exec/gdbstub.h"
 #include "hw/cpu/cluster.h"
+#include "hw/boards.h"
 #endif
 
 #define MAX_PACKET_LENGTH 4096
@@ -1171,6 +1172,9 @@ static int gdb_handle_vcont(GDBState *s, const char *p)
 CPU_FOREACH(cpu) {
 max_cpus = max_cpus <= cpu->cpu_index ? cpu->cpu_index + 1 : max_cpus;
 }
+#else
+MachineState *ms = MACHINE(qdev_get_machine());
+unsigned int max_cpus = ms->smp.max_cpus;
 #endif
 /* uninitialised CPUs stay 0 */
 newstates = g_new0(char, 

[Qemu-devel] [PULL v6 14/42] i386: Update new x86_apicid parsing rules with die_offset support

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

In new sockets/dies/cores/threads model, the apicid of logical cpu could
imply die level info of guest cpu topology thus x86_apicid_from_cpu_idx()
needs to be refactored with #dies value, so does apicid_*_offset().

To keep semantic compatibility, the legacy pkg_offset which helps to
generate CPUIDs such as 0x3 for L3 cache should be mapping to die_offset.

Signed-off-by: Like Xu 
Message-Id: <20190612084104.34984-5-like...@linux.intel.com>
[ehabkost: squash unit test patch]
Message-Id: <20190612084104.34984-6-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 include/hw/i386/topology.h | 76 --
 hw/i386/pc.c   | 27 +++-
 target/i386/cpu.c  | 13 +++---
 tests/test-x86-cpuid.c | 84 --
 4 files changed, 124 insertions(+), 76 deletions(-)

diff --git a/include/hw/i386/topology.h b/include/hw/i386/topology.h
index c9fb41588e..4ff5b2da6c 100644
--- a/include/hw/i386/topology.h
+++ b/include/hw/i386/topology.h
@@ -63,88 +63,120 @@ static unsigned apicid_bitwidth_for_count(unsigned count)
 
 /* Bit width of the SMT_ID (thread ID) field on the APIC ID
  */
-static inline unsigned apicid_smt_width(unsigned nr_cores, unsigned nr_threads)
+static inline unsigned apicid_smt_width(unsigned nr_dies,
+unsigned nr_cores,
+unsigned nr_threads)
 {
 return apicid_bitwidth_for_count(nr_threads);
 }
 
 /* Bit width of the Core_ID field
  */
-static inline unsigned apicid_core_width(unsigned nr_cores, unsigned 
nr_threads)
+static inline unsigned apicid_core_width(unsigned nr_dies,
+ unsigned nr_cores,
+ unsigned nr_threads)
 {
 return apicid_bitwidth_for_count(nr_cores);
 }
 
+/* Bit width of the Die_ID field */
+static inline unsigned apicid_die_width(unsigned nr_dies,
+unsigned nr_cores,
+unsigned nr_threads)
+{
+return apicid_bitwidth_for_count(nr_dies);
+}
+
 /* Bit offset of the Core_ID field
  */
-static inline unsigned apicid_core_offset(unsigned nr_cores,
+static inline unsigned apicid_core_offset(unsigned nr_dies,
+  unsigned nr_cores,
   unsigned nr_threads)
 {
-return apicid_smt_width(nr_cores, nr_threads);
+return apicid_smt_width(nr_dies, nr_cores, nr_threads);
+}
+
+/* Bit offset of the Die_ID field */
+static inline unsigned apicid_die_offset(unsigned nr_dies,
+  unsigned nr_cores,
+   unsigned nr_threads)
+{
+return apicid_core_offset(nr_dies, nr_cores, nr_threads) +
+   apicid_core_width(nr_dies, nr_cores, nr_threads);
 }
 
 /* Bit offset of the Pkg_ID (socket ID) field
  */
-static inline unsigned apicid_pkg_offset(unsigned nr_cores, unsigned 
nr_threads)
+static inline unsigned apicid_pkg_offset(unsigned nr_dies,
+ unsigned nr_cores,
+ unsigned nr_threads)
 {
-return apicid_core_offset(nr_cores, nr_threads) +
-   apicid_core_width(nr_cores, nr_threads);
+return apicid_die_offset(nr_dies, nr_cores, nr_threads) +
+   apicid_die_width(nr_dies, nr_cores, nr_threads);
 }
 
 /* Make APIC ID for the CPU based on Pkg_ID, Core_ID, SMT_ID
  *
  * The caller must make sure core_id < nr_cores and smt_id < nr_threads.
  */
-static inline apic_id_t apicid_from_topo_ids(unsigned nr_cores,
+static inline apic_id_t apicid_from_topo_ids(unsigned nr_dies,
+ unsigned nr_cores,
  unsigned nr_threads,
  const X86CPUTopoInfo *topo)
 {
-return (topo->pkg_id  << apicid_pkg_offset(nr_cores, nr_threads)) |
-   (topo->core_id << apicid_core_offset(nr_cores, nr_threads)) |
+return (topo->pkg_id  << apicid_pkg_offset(nr_dies, nr_cores, nr_threads)) 
|
+   (topo->die_id  << apicid_die_offset(nr_dies, nr_cores, nr_threads)) 
|
+  (topo->core_id << apicid_core_offset(nr_dies, nr_cores, nr_threads)) 
|
topo->smt_id;
 }
 
 /* Calculate thread/core/package IDs for a specific topology,
  * based on (contiguous) CPU index
  */
-static inline void x86_topo_ids_from_idx(unsigned nr_cores,
+static inline void x86_topo_ids_from_idx(unsigned nr_dies,
+ unsigned nr_cores,
  unsigned nr_threads,
  unsigned cpu_index,
  X86CPUTopoInfo *topo)
 {
-unsigned core_index = cpu_index / nr_threads;
+topo->pkg_id = cpu_index / (nr_dies * nr_cores 
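
Review bot: the comment above apicid_from_topo_ids() still reads "based on Pkg_ID, Core_ID, SMT_ID" and only requires core_id < nr_cores and smt_id < nr_threads, although the function now also shifts topo->die_id into the APIC ID. Update it to list Die_ID and to require die_id < nr_dies. In x86_topo_ids_from_idx() the new expression divides by a product that includes nr_dies, so the comment should also state that callers must pass nr_dies >= 1.
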

[Qemu-devel] [PULL v6 26/42] target/i386: Add CPUID.1F generation support for multi-dies PCMachine

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The CPUID.1F as Intel V2 Extended Topology Enumeration Leaf would be
exposed if guests want to emulate multiple software-visible dies within
each package. Per Intel's SDM, the 0x1f is a superset of 0xb, thus they
can be generated by almost same code as 0xb except die_offset setting.

If the number of dies per package is greater than 1, the cpuid_min_level
would be adjusted to 0x1f regardless of whether the host supports CPUID.1F.
Likewise, the CPUID.1F wouldn't be exposed if env->nr_dies < 2.

Suggested-by: Eduardo Habkost 
Signed-off-by: Like Xu 
Message-Id: <20190620054525.37188-2-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.h |  1 +
 target/i386/cpu.c | 41 +
 target/i386/kvm.c | 12 
 3 files changed, 54 insertions(+)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 85319f4ae1..0a96c78669 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -736,6 +736,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
 #define CPUID_TOPOLOGY_LEVEL_INVALID  (0U << 8)
 #define CPUID_TOPOLOGY_LEVEL_SMT  (1U << 8)
 #define CPUID_TOPOLOGY_LEVEL_CORE (2U << 8)
+#define CPUID_TOPOLOGY_LEVEL_DIE  (5U << 8)
 
 /* MSR Feature Bits */
 #define MSR_ARCH_CAP_RDCL_NO(1U << 0)
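
Review bot: CPUID_TOPOLOGY_LEVEL_DIE is defined as (5U << 8) directly after CORE at 2U, with no indication of why 3 and 4 are skipped. Add a short comment naming the source of the level-type encoding so the gap does not look like a typo.
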
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index b9d6f32945..296ef6c918 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -4413,6 +4413,42 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, 
uint32_t count,
 *ecx |= CPUID_TOPOLOGY_LEVEL_INVALID;
 }
 
+assert(!(*eax & ~0x1f));
+*ebx &= 0x; /* The count doesn't need to be reliable. */
+break;
+case 0x1F:
+/* V2 Extended Topology Enumeration Leaf */
+if (env->nr_dies < 2) {
+*eax = *ebx = *ecx = *edx = 0;
+break;
+}
+
+*ecx = count & 0xff;
+*edx = cpu->apic_id;
+switch (count) {
+case 0:
+*eax = apicid_core_offset(env->nr_dies, cs->nr_cores,
+cs->nr_threads);
+*ebx = cs->nr_threads;
+*ecx |= CPUID_TOPOLOGY_LEVEL_SMT;
+break;
+case 1:
+*eax = apicid_die_offset(env->nr_dies, cs->nr_cores,
+   cs->nr_threads);
+*ebx = cs->nr_cores * cs->nr_threads;
+*ecx |= CPUID_TOPOLOGY_LEVEL_CORE;
+break;
+case 2:
+*eax = apicid_pkg_offset(env->nr_dies, cs->nr_cores,
+   cs->nr_threads);
+*ebx = env->nr_dies * cs->nr_cores * cs->nr_threads;
+*ecx |= CPUID_TOPOLOGY_LEVEL_DIE;
+break;
+default:
+*eax = 0;
+*ebx = 0;
+*ecx |= CPUID_TOPOLOGY_LEVEL_INVALID;
+}
 assert(!(*eax & ~0x1f));
 *ebx &= 0x; /* The count doesn't need to be reliable. */
 break;
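
Review bot: the new 'case 0x1F' ends with its own copy of the assert(!(*eax & ~0x1f)) / *ebx mask / break sequence that already closes the preceding case, and the commit message says the rest is almost the same code as 0xb, so the two leaves can drift apart. Consider one helper that takes the leaf number and fills eax/ebx/ecx per sub-leaf, with only the die level conditional on 0x1F. Also note that the assert turns an out-of-range shift width into a QEMU abort; since the width is derived from env->nr_dies, cs->nr_cores and cs->nr_threads, it is worth confirming those are bounded before this point is reached.
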
@@ -5094,6 +5130,11 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error 
**errp)
 x86_cpu_adjust_level(cpu, >env.cpuid_min_level, 0x14);
 }
 
+/* CPU topology with multi-dies support requires CPUID[0x1F] */
+if (env->nr_dies > 1) {
+x86_cpu_adjust_level(cpu, >cpuid_min_level, 0x1F);
+}
+
 /* SVM requires CPUID[0x800A] */
 if (env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM) {
 x86_cpu_adjust_level(cpu, >cpuid_min_xlevel, 0x800A);
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index e4b4f5756a..473a17e9a5 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1451,6 +1451,10 @@ int kvm_arch_init_vcpu(CPUState *cs)
 }
 break;
 }
+case 0x1f:
+if (env->nr_dies < 2) {
+break;
+}
 case 4:
 case 0xb:
 case 0xd:
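
Review bot: the new 'case 0x1f:' falls through into 'case 4:' whenever env->nr_dies >= 2, with no annotation. Add a /* fallthrough */ comment after the if block so the intent is explicit and builds using -Wimplicit-fallthrough stay quiet.
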
@@ -1458,6 +1462,11 @@ int kvm_arch_init_vcpu(CPUState *cs)
 if (i == 0xd && j == 64) {
 break;
 }
+
+if (i == 0x1f && j == 64) {
+break;
+}
+
 c->function = i;
 c->flags = KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
 c->index = j;
@@ -1469,6 +1478,9 @@ int kvm_arch_init_vcpu(CPUState *cs)
 if (i == 0xb && !(c->ecx & 0xff00)) {
 break;
 }
+if (i == 0x1f && !(c->ecx & 0xff00)) {
+break;
+}
 if (i == 0xd && c->eax == 0) {
 continue;
 }
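
Review bot: the added 'i == 0x1f' test is a copy of the 'i == 0xb' test directly above it. Merging them as '(i == 0xb || i == 0x1f) && !(c->ecx & 0xff00)' keeps the termination rule for both topology leaves in one place; the 'j == 64' bound added in the previous hunk could be folded into the existing 0xd check the same way.
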
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 24/42] x86/cpu: use FeatureWordArray to define filtered_features

2019-07-05 Thread Eduardo Habkost
From: Wei Yang 

Use the same definition as features/user_features in CPUX86State.

Signed-off-by: Wei Yang 
Message-Id: <20190620023746.9869-1-richardw.y...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index ff26351538..85319f4ae1 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1440,7 +1440,7 @@ struct X86CPU {
 } mwait;
 
 /* Features that were filtered out because of missing host capabilities */
-uint32_t filtered_features[FEATURE_WORDS];
+FeatureWordArray filtered_features;
 
 /* Enable PMU CPUID bits. This can't be enabled by default yet because
  * it doesn't have ABI stability guarantees, as it passes all PMU CPUID
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 22/42] i386: Fix signedness of hyperv_spinlock_attempts

2019-07-05 Thread Eduardo Habkost
The current default value for hv-spinlocks is 0x (meaning
"never retry").  However, the value is stored as a signed
integer, making the getter of the hv-spinlocks QOM property
return -1 instead of 0x.

Fix this by changing the type of X86CPU::hyperv_spinlock_attempts
to uint32_t.  This has no visible effect to guest operating
systems, affecting just the behavior of the QOM getter.

Signed-off-by: Eduardo Habkost 
Message-Id: <20190615200505.31348-1-ehabk...@redhat.com>
Reviewed-by: Vitaly Kuznetsov 
Reviewed-by: Roman Kagan 
Signed-off-by: Eduardo Habkost 
---
 target/i386/cpu.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 4d2ae2384e..ff26351538 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1408,7 +1408,7 @@ struct X86CPU {
 CPUNegativeOffsetState neg;
 CPUX86State env;
 
-int hyperv_spinlock_attempts;
+uint32_t hyperv_spinlock_attempts;
 char *hyperv_vendor_id;
 bool hyperv_synic_kvm_only;
 uint64_t hyperv_features;
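
Review bot: the diffstat shows only the field type in struct X86CPU changing, so the hv-spinlocks property definition and every reader of hyperv_spinlock_attempts are untouched by this patch. Please confirm that none of them compares the value against -1 or another negative bound, or prints it with a signed format, since those would silently change meaning once the field is uint32_t.
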
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 05/42] hw/riscv: Replace global smp variables with machine smp properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in riscv are replaced with smp machine properties.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Message-Id: <20190518205428.90532-6-like...@linux.intel.com>
Reviewed-by: Alistair Francis 
[ehabkost: fix spike_board_init()]
[ehabkost: fix riscv_sifive_e_soc_init()]
Signed-off-by: Eduardo Habkost 
---
 hw/riscv/sifive_e.c|  6 --
 hw/riscv/sifive_plic.c |  3 +++
 hw/riscv/sifive_u.c| 11 +++
 hw/riscv/spike.c   |  3 +++
 hw/riscv/virt.c|  1 +
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index d27f626529..2a499d8ed2 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -124,6 +124,7 @@ static void riscv_sifive_e_init(MachineState *machine)
 
 static void riscv_sifive_e_soc_init(Object *obj)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 SiFiveESoCState *s = RISCV_E_SOC(obj);
 
 object_initialize_child(obj, "cpus", >cpus,
@@ -131,7 +132,7 @@ static void riscv_sifive_e_soc_init(Object *obj)
 _abort, NULL);
 object_property_set_str(OBJECT(>cpus), SIFIVE_E_CPU, "cpu-type",
 _abort);
-object_property_set_int(OBJECT(>cpus), smp_cpus, "num-harts",
+object_property_set_int(OBJECT(>cpus), ms->smp.cpus, "num-harts",
 _abort);
 sysbus_init_child_obj(obj, "riscv.sifive.e.gpio0",
   >gpio, sizeof(s->gpio),
@@ -140,6 +141,7 @@ static void riscv_sifive_e_soc_init(Object *obj)
 
 static void riscv_sifive_e_soc_realize(DeviceState *dev, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 const struct MemmapEntry *memmap = sifive_e_memmap;
 Error *err = NULL;
 
@@ -168,7 +170,7 @@ static void riscv_sifive_e_soc_realize(DeviceState *dev, 
Error **errp)
 SIFIVE_E_PLIC_CONTEXT_STRIDE,
 memmap[SIFIVE_E_PLIC].size);
 sifive_clint_create(memmap[SIFIVE_E_CLINT].base,
-memmap[SIFIVE_E_CLINT].size, smp_cpus,
+memmap[SIFIVE_E_CLINT].size, ms->smp.cpus,
 SIFIVE_SIP_BASE, SIFIVE_TIMECMP_BASE, SIFIVE_TIME_BASE);
 sifive_mmio_emulate(sys_mem, "riscv.sifive.e.aon",
 memmap[SIFIVE_E_AON].base, memmap[SIFIVE_E_AON].size);
diff --git a/hw/riscv/sifive_plic.c b/hw/riscv/sifive_plic.c
index 70a4413599..0950e89e15 100644
--- a/hw/riscv/sifive_plic.c
+++ b/hw/riscv/sifive_plic.c
@@ -24,6 +24,7 @@
 #include "qemu/error-report.h"
 #include "hw/sysbus.h"
 #include "hw/pci/msi.h"
+#include "hw/boards.h"
 #include "target/riscv/cpu.h"
 #include "sysemu/sysemu.h"
 #include "hw/riscv/sifive_plic.h"
@@ -439,6 +440,8 @@ static void sifive_plic_irq_request(void *opaque, int irq, 
int level)
 
 static void sifive_plic_realize(DeviceState *dev, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
+unsigned int smp_cpus = ms->smp.cpus;
 SiFivePLICState *plic = SIFIVE_PLIC(dev);
 int i;
 
diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 4208671552..ca53a9290d 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -315,13 +315,14 @@ static void riscv_sifive_u_init(MachineState *machine)
 
 static void riscv_sifive_u_soc_init(Object *obj)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 SiFiveUSoCState *s = RISCV_U_SOC(obj);
 
 object_initialize_child(obj, "cpus", >cpus, sizeof(s->cpus),
 TYPE_RISCV_HART_ARRAY, _abort, NULL);
 object_property_set_str(OBJECT(>cpus), SIFIVE_U_CPU, "cpu-type",
 _abort);
-object_property_set_int(OBJECT(>cpus), smp_cpus, "num-harts",
+object_property_set_int(OBJECT(>cpus), ms->smp.cpus, "num-harts",
 _abort);
 
 sysbus_init_child_obj(obj, "gem", >gem, sizeof(s->gem),
@@ -330,6 +331,7 @@ static void riscv_sifive_u_soc_init(Object *obj)
 
 static void riscv_sifive_u_soc_realize(DeviceState *dev, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 SiFiveUSoCState *s = RISCV_U_SOC(dev);
 const struct MemmapEntry *memmap = sifive_u_memmap;
 MemoryRegion *system_memory = get_system_memory();
@@ -351,9 +353,10 @@ static void riscv_sifive_u_soc_realize(DeviceState *dev, 
Error **errp)
 mask_rom);
 
 /* create PLIC hart topology configuration string */
-plic_hart_config_len = (strlen(SIFIVE_U_PLIC_HART_CONFIG) + 1) * smp_cpus;
+plic_hart_config_len = (strlen(SIFIVE_U_PLIC_HART_CONFIG) + 1) *
+   ms->smp.cpus;
 plic_hart_config = g_malloc0(plic_hart_config_len);
-for (i = 0; i < smp_cpus; i++) {
+for (i = 0; i < ms->smp.cpus; i++) {
 if (i != 0) {
 strncat(plic_hart_config, ",", plic_hart_config_len);
 }
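
Review bot: in the context lines of this hunk, strncat(plic_hart_config, ",", plic_hart_config_len) passes the total buffer size as the bound, but the third argument of strncat limits the number of bytes appended, not the size of the destination, so it gives no overflow protection as the string grows. This is not introduced here, but since the length computation is being touched anyway, consider tracking the remaining space or building the string with a GString.
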
@@ -379,7 +382,7 @@ 

[Qemu-devel] [PULL v6 08/42] hw/arm: Replace global smp variables with machine smp properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in arm are replaced with smp machine properties.
The init_cpus() and *_create_rpu() are refactored to pass MachineState.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-9-like...@linux.intel.com>
[ehabkost: Fix hw/arm/sbsa-ref.c and hw/arm/aspeed.c]
Signed-off-by: Eduardo Habkost 
---
 hw/arm/aspeed.c|  2 +-
 hw/arm/fsl-imx6.c  |  6 +-
 hw/arm/fsl-imx6ul.c|  6 +-
 hw/arm/fsl-imx7.c  |  7 +--
 hw/arm/highbank.c  |  1 +
 hw/arm/mcimx6ul-evk.c  |  2 +-
 hw/arm/mcimx7d-sabre.c |  2 +-
 hw/arm/raspi.c |  4 ++--
 hw/arm/realview.c  |  1 +
 hw/arm/sabrelite.c |  2 +-
 hw/arm/sbsa-ref.c  |  4 
 hw/arm/vexpress.c  | 16 ++--
 hw/arm/virt.c  |  8 +++-
 hw/arm/xlnx-zynqmp.c   | 16 ++--
 target/arm/cpu.c   |  8 +++-
 15 files changed, 61 insertions(+), 24 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index 8b6d304247..843b708247 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -187,7 +187,7 @@ static void aspeed_board_init(MachineState *machine,
 _abort);
 object_property_set_int(OBJECT(>soc), cfg->num_cs, "num-cs",
 _abort);
-object_property_set_int(OBJECT(>soc), smp_cpus, "num-cpus",
+object_property_set_int(OBJECT(>soc), machine->smp.cpus, "num-cpus",
 _abort);
 if (machine->kernel_filename) {
 /*
diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
index 7129517378..de45833097 100644
--- a/hw/arm/fsl-imx6.c
+++ b/hw/arm/fsl-imx6.c
@@ -22,6 +22,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "hw/arm/fsl-imx6.h"
+#include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "chardev/char.h"
 #include "qemu/error-report.h"
@@ -33,11 +34,12 @@
 
 static void fsl_imx6_init(Object *obj)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 FslIMX6State *s = FSL_IMX6(obj);
 char name[NAME_SIZE];
 int i;
 
-for (i = 0; i < MIN(smp_cpus, FSL_IMX6_NUM_CPUS); i++) {
+for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX6_NUM_CPUS); i++) {
 snprintf(name, NAME_SIZE, "cpu%d", i);
 object_initialize_child(obj, name, >cpu[i], sizeof(s->cpu[i]),
 "cortex-a9-" TYPE_ARM_CPU, _abort, NULL);
@@ -93,9 +95,11 @@ static void fsl_imx6_init(Object *obj)
 
 static void fsl_imx6_realize(DeviceState *dev, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 FslIMX6State *s = FSL_IMX6(dev);
 uint16_t i;
 Error *err = NULL;
+unsigned int smp_cpus = ms->smp.cpus;
 
 if (smp_cpus > FSL_IMX6_NUM_CPUS) {
 error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
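
Review bot: smp_cpus is now declared 'unsigned int', while the error_setg() format in the context line still uses %d for the requested count. If smp_cpus is the argument for that conversion, switch it to %u; the fsl_imx6ul_realize() hunk below has the same pattern.
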
diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
index 05505bac56..f860165438 100644
--- a/hw/arm/fsl-imx6ul.c
+++ b/hw/arm/fsl-imx6ul.c
@@ -20,6 +20,7 @@
 #include "qapi/error.h"
 #include "hw/arm/fsl-imx6ul.h"
 #include "hw/misc/unimp.h"
+#include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "qemu/error-report.h"
 #include "qemu/module.h"
@@ -28,11 +29,12 @@
 
 static void fsl_imx6ul_init(Object *obj)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 FslIMX6ULState *s = FSL_IMX6UL(obj);
 char name[NAME_SIZE];
 int i;
 
-for (i = 0; i < MIN(smp_cpus, FSL_IMX6UL_NUM_CPUS); i++) {
+for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX6UL_NUM_CPUS); i++) {
 snprintf(name, NAME_SIZE, "cpu%d", i);
 object_initialize_child(obj, name, >cpu[i], sizeof(s->cpu[i]),
 "cortex-a7-" TYPE_ARM_CPU, _abort, NULL);
@@ -156,10 +158,12 @@ static void fsl_imx6ul_init(Object *obj)
 
 static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 FslIMX6ULState *s = FSL_IMX6UL(dev);
 int i;
 qemu_irq irq;
 char name[NAME_SIZE];
+unsigned int smp_cpus = ms->smp.cpus;
 
 if (smp_cpus > FSL_IMX6UL_NUM_CPUS) {
 error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
index 2eddf3f25c..119b281a50 100644
--- a/hw/arm/fsl-imx7.c
+++ b/hw/arm/fsl-imx7.c
@@ -22,6 +22,7 @@
 #include "qapi/error.h"
 #include "hw/arm/fsl-imx7.h"
 #include "hw/misc/unimp.h"
+#include "hw/boards.h"
 #include "sysemu/sysemu.h"
 #include "qemu/error-report.h"
 #include "qemu/module.h"
@@ -30,12 +31,12 @@
 
 static void fsl_imx7_init(Object *obj)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 FslIMX7State *s = FSL_IMX7(obj);
 char name[NAME_SIZE];
 int i;
 
-
-for (i = 0; i < MIN(smp_cpus, FSL_IMX7_NUM_CPUS); i++) {
+for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX7_NUM_CPUS); i++) 

[Qemu-devel] [PULL v6 13/42] i386/cpu: Consolidate die-id validity in smp context

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The field die_id (default as 0) and has_die_id are introduced to X86CPU.
Following the legacy smp check rules, the die_id validity is added to
the same contexts as legacy smp variables such as hmp_hotpluggable_cpus(),
machine_set_cpu_numa_node(), cpu_slot_to_string() and pc_cpu_pre_plug().

Acked-by: Dr. David Alan Gilbert 
Signed-off-by: Like Xu 
Message-Id: <20190612084104.34984-4-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 qapi/machine.json  |  7 ---
 include/hw/i386/topology.h |  2 ++
 target/i386/cpu.h  |  1 +
 hw/core/machine-hmp-cmds.c |  3 +++
 hw/core/machine.c  | 12 
 hw/i386/pc.c   | 14 ++
 target/i386/cpu.c  |  2 ++
 7 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index 81849acb3a..979bc41e49 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -588,10 +588,10 @@
 #
 # @node-id: NUMA node ID the CPU belongs to
 # @socket-id: socket number within node/board the CPU belongs to
-# @core-id: core number within socket the CPU belongs to
-# @thread-id: thread number within core the CPU belongs to
+# @die-id: die number within node/board the CPU belongs to (Since 4.1)
+# @core-id: core number within die the CPU belongs to# @thread-id: thread 
number within core the CPU belongs to
 #
-# Note: currently there are 4 properties that could be present
+# Note: currently there are 5 properties that could be present
 # but management should be prepared to pass through other
 # properties with device_add command to allow for future
 # interface extension. This also requires the filed names to be kept in
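
Review bot: the added @core-id line has the @thread-id description run onto it ('... belongs to# @thread-id: thread'), so @thread-id is no longer documented as a separate member; put it back on its own '#' line. @die-id is also described as 'within node/board', the same wording as @socket-id, while @core-id now says 'within die'; 'die number within socket' would keep the hierarchy consistent.
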
@@ -602,6 +602,7 @@
 { 'struct': 'CpuInstanceProperties',
   'data': { '*node-id': 'int',
 '*socket-id': 'int',
+'*die-id': 'int',
 '*core-id': 'int',
 '*thread-id': 'int'
   }
diff --git a/include/hw/i386/topology.h b/include/hw/i386/topology.h
index 1ebaee0f76..c9fb41588e 100644
--- a/include/hw/i386/topology.h
+++ b/include/hw/i386/topology.h
@@ -47,6 +47,7 @@ typedef uint32_t apic_id_t;
 
 typedef struct X86CPUTopoInfo {
 unsigned pkg_id;
+unsigned die_id;
 unsigned core_id;
 unsigned smt_id;
 } X86CPUTopoInfo;
@@ -130,6 +131,7 @@ static inline void x86_topo_ids_from_apicid(apic_id_t 
apicid,
 topo->core_id = (apicid >> apicid_core_offset(nr_cores, nr_threads)) &
~(0xUL << apicid_core_width(nr_cores, nr_threads));
 topo->pkg_id = apicid >> apicid_pkg_offset(nr_cores, nr_threads);
+topo->die_id = 0;
 }
 
 /* Make APIC ID for the CPU 'cpu_index'
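
Review bot: topo->die_id = 0 is hard-coded in x86_topo_ids_from_apicid() while the other three IDs are decoded from apicid, so callers get a die ID that does not reflect the APIC ID. If this is a placeholder until the offset helpers learn about dies, say so in a comment here so that nobody relies on the value in the meantime.
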
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 14c19e61b1..4d2ae2384e 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1500,6 +1500,7 @@ struct X86CPU {
 
 int32_t node_id; /* NUMA node this CPU belongs to */
 int32_t socket_id;
+int32_t die_id;
 int32_t core_id;
 int32_t thread_id;
 
diff --git a/hw/core/machine-hmp-cmds.c b/hw/core/machine-hmp-cmds.c
index 7fa6075f1e..1f66bda346 100644
--- a/hw/core/machine-hmp-cmds.c
+++ b/hw/core/machine-hmp-cmds.c
@@ -86,6 +86,9 @@ void hmp_hotpluggable_cpus(Monitor *mon, const QDict *qdict)
 if (c->has_socket_id) {
 monitor_printf(mon, "socket-id: \"%" PRIu64 "\"\n", 
c->socket_id);
 }
+if (c->has_die_id) {
+monitor_printf(mon, "die-id: \"%" PRIu64 "\"\n", c->die_id);
+}
 if (c->has_core_id) {
 monitor_printf(mon, "core-id: \"%" PRIu64 "\"\n", c->core_id);
 }
diff --git a/hw/core/machine.c b/hw/core/machine.c
index ea84bd6788..b35dea05bd 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -683,6 +683,11 @@ void machine_set_cpu_numa_node(MachineState *machine,
 return;
 }
 
+if (props->has_die_id && !slot->props.has_die_id) {
+error_setg(errp, "die-id is not supported");
+return;
+}
+
 /* skip slots with explicit mismatch */
 if (props->has_thread_id && props->thread_id != slot->props.thread_id) 
{
 continue;
@@ -692,6 +697,10 @@ void machine_set_cpu_numa_node(MachineState *machine,
 continue;
 }
 
+if (props->has_die_id && props->die_id != slot->props.die_id) {
+continue;
+}
+
 if (props->has_socket_id && props->socket_id != slot->props.socket_id) 
{
 continue;
 }
@@ -949,6 +958,9 @@ static char *cpu_slot_to_string(const CPUArchId *cpu)
 if (cpu->props.has_socket_id) {
 g_string_append_printf(s, "socket-id: %"PRId64, cpu->props.socket_id);
 }
+if (cpu->props.has_die_id) {
+g_string_append_printf(s, "die-id: %"PRId64, cpu->props.die_id);
+}
 if (cpu->props.has_core_id) {
 if (s->len) {
 g_string_append_printf(s, ", ");
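
Review bot: the new die-id branch appends to the string without the 'if (s->len) { g_string_append_printf(s, ", "); }' separator that the core-id branch below it uses, so a slot with both socket-id and die-id set renders the two fields run together. Add the same separator check before appending die-id.
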
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 

[Qemu-devel] [PULL v6 07/42] hw/i386: Replace global smp variables with machine smp properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in i386 are replaced with smp machine properties.
To avoid calling qdev_get_machine() as much as possible, some related functions
for acpi data generations are refactored. No semantic changes.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Message-Id: <20190518205428.90532-8-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 hw/i386/acpi-build.c  | 11 +++
 hw/i386/kvmvapic.c|  7 +--
 hw/i386/pc.c  | 18 --
 hw/i386/xen/xen-hvm.c |  4 
 target/i386/cpu.c |  4 +++-
 5 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 8ae7d88b11..d281ffa89e 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -43,6 +43,7 @@
 #include "sysemu/tpm.h"
 #include "hw/acpi/tpm.h"
 #include "hw/acpi/vmgenid.h"
+#include "hw/boards.h"
 #include "sysemu/tpm_backend.h"
 #include "hw/timer/mc146818rtc_regs.h"
 #include "hw/mem/memory-device.h"
@@ -123,7 +124,8 @@ typedef struct FwCfgTPMConfig {
 
 static bool acpi_get_mcfg(AcpiMcfgInfo *mcfg);
 
-static void init_common_fadt_data(Object *o, AcpiFadtData *data)
+static void init_common_fadt_data(MachineState *ms, Object *o,
+  AcpiFadtData *data)
 {
 uint32_t io = object_property_get_uint(o, ACPI_PM_PROP_PM_IO_BASE, NULL);
 AmlAddressSpace as = AML_AS_SYSTEM_IO;
@@ -139,7 +141,8 @@ static void init_common_fadt_data(Object *o, AcpiFadtData 
*data)
  * CPUs for more than 8 CPUs, "Clustered Logical" mode has to be
  * used
  */
-((max_cpus > 8) ? (1 << ACPI_FADT_F_FORCE_APIC_CLUSTER_MODEL) : 0),
+((ms->smp.max_cpus > 8) ?
+(1 << ACPI_FADT_F_FORCE_APIC_CLUSTER_MODEL) : 0),
 .int_model = 1 /* Multiple APIC */,
 .rtc_century = RTC_CENTURY,
 .plvl2_lat = 0xfff /* C2 state not supported */,
@@ -173,7 +176,7 @@ static Object *object_resolve_type_unambiguous(const char 
*typename)
 return o;
 }
 
-static void acpi_get_pm_info(AcpiPmInfo *pm)
+static void acpi_get_pm_info(MachineState *machine, AcpiPmInfo *pm)
 {
 Object *piix = object_resolve_type_unambiguous(TYPE_PIIX4_PM);
 Object *lpc = object_resolve_type_unambiguous(TYPE_ICH9_LPC_DEVICE);
@@ -2612,7 +2615,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState 
*machine)
 AcpiSlicOem slic_oem = { .id = NULL, .table_id = NULL };
 Object *vmgenid_dev;
 
-acpi_get_pm_info();
+acpi_get_pm_info(machine, );
 acpi_get_misc_info();
 acpi_get_pci_holes(_hole, _hole64);
 acpi_get_slic_oem(_oem);
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index ca8df462b6..9c2ab4aac5 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -18,6 +18,7 @@
 #include "sysemu/kvm.h"
 #include "hw/i386/apic_internal.h"
 #include "hw/sysbus.h"
+#include "hw/boards.h"
 #include "tcg/tcg.h"
 
 #define VAPIC_IO_PORT   0x7e
@@ -442,11 +443,12 @@ static void do_patch_instruction(CPUState *cs, 
run_on_cpu_data data)
 
 static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 CPUState *cs = CPU(cpu);
 VAPICHandlers *handlers;
 PatchInfo *info;
 
-if (smp_cpus == 1) {
+if (ms->smp.cpus == 1) {
 handlers = >rom_state.up;
 } else {
 handlers = >rom_state.mp;
@@ -747,6 +749,7 @@ static void do_vapic_enable(CPUState *cs, run_on_cpu_data 
data)
 static void kvmvapic_vm_state_change(void *opaque, int running,
  RunState state)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 VAPICROMState *s = opaque;
 uint8_t *zero;
 
@@ -755,7 +758,7 @@ static void kvmvapic_vm_state_change(void *opaque, int 
running,
 }
 
 if (s->state == VAPIC_ACTIVE) {
-if (smp_cpus == 1) {
+if (ms->smp.cpus == 1) {
 run_on_cpu(first_cpu, do_vapic_enable, RUN_ON_CPU_HOST_PTR(s));
 } else {
 zero = g_malloc0(s->rom_state.vapic_size);
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 0b0b55afd2..269e44f0d0 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -925,11 +925,13 @@ bool e820_get_entry(int idx, uint32_t type, uint64_t 
*address, uint64_t *length)
 static uint32_t x86_cpu_apic_id_from_index(PCMachineState *pcms,
unsigned int cpu_index)
 {
+MachineState *ms = MACHINE(pcms);
 PCMachineClass *pcmc = PC_MACHINE_GET_CLASS(pcms);
 uint32_t correct_id;
 static bool warned;
 
-correct_id = x86_apicid_from_cpu_idx(smp_cores, smp_threads, cpu_index);
+correct_id = x86_apicid_from_cpu_idx(ms->smp.cores,
+ ms->smp.threads, cpu_index);
 

[Qemu-devel] [PULL v6 02/42] machine: Refactor smp-related call chains to pass MachineState

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

To get rid of the global smp_* variables we're currently using, it's recommended
to pass MachineState in the list of incoming parameters for functions that use
global smp variables, thus some redundant parameters are dropped. It's applied
for legacy smbios_*(), *_machine_reset(), hot_add_cpu() and mips *_create_cpu().

Suggested-by: Igor Mammedov 
Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-3-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 include/hw/boards.h  |  4 ++--
 include/hw/firmware/smbios.h |  5 +++--
 include/hw/i386/pc.h |  2 +-
 hw/arm/virt.c|  2 +-
 hw/core/machine-qmp-cmds.c   |  2 +-
 hw/hppa/machine.c|  2 +-
 hw/i386/acpi-build.c |  2 +-
 hw/i386/pc.c |  9 -
 hw/mips/mips_malta.c | 22 +++---
 hw/ppc/pnv.c |  3 +--
 hw/ppc/spapr.c   |  3 +--
 hw/s390x/s390-virtio-ccw.c   |  6 +++---
 hw/smbios/smbios.c   | 26 +++---
 vl.c |  2 +-
 14 files changed, 46 insertions(+), 44 deletions(-)

diff --git a/include/hw/boards.h b/include/hw/boards.h
index 9597140936..d84f48c4af 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -173,8 +173,8 @@ struct MachineClass {
 const char *deprecation_reason;
 
 void (*init)(MachineState *state);
-void (*reset)(void);
-void (*hot_add_cpu)(const int64_t id, Error **errp);
+void (*reset)(MachineState *state);
+void (*hot_add_cpu)(MachineState *state, const int64_t id, Error **errp);
 int (*kvm_type)(MachineState *machine, const char *arg);
 
 BlockInterfaceType block_default_type;
diff --git a/include/hw/firmware/smbios.h b/include/hw/firmware/smbios.h
index 6fef32a3c9..02a0ced0a0 100644
--- a/include/hw/firmware/smbios.h
+++ b/include/hw/firmware/smbios.h
@@ -268,8 +268,9 @@ void smbios_set_cpuid(uint32_t version, uint32_t features);
 void smbios_set_defaults(const char *manufacturer, const char *product,
  const char *version, bool legacy_mode,
  bool uuid_encoded, SmbiosEntryPointType ep_type);
-uint8_t *smbios_get_table_legacy(size_t *length);
-void smbios_get_tables(const struct smbios_phys_mem_area *mem_array,
+uint8_t *smbios_get_table_legacy(MachineState *ms, size_t *length);
+void smbios_get_tables(MachineState *ms,
+   const struct smbios_phys_mem_area *mem_array,
const unsigned int mem_array_size,
uint8_t **tables, size_t *tables_len,
uint8_t **anchor, size_t *anchor_len);
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 853502f277..de3bd32f52 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -189,7 +189,7 @@ void pc_register_ferr_irq(qemu_irq irq);
 void pc_acpi_smi_interrupt(void *opaque, int irq, int level);
 
 void pc_cpus_init(PCMachineState *pcms);
-void pc_hot_add_cpu(const int64_t id, Error **errp);
+void pc_hot_add_cpu(MachineState *ms, const int64_t id, Error **errp);
 
 void pc_guest_info_init(PCMachineState *pcms);
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index ed009fa447..7b63a924a3 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1345,7 +1345,7 @@ static void virt_build_smbios(VirtMachineState *vms)
 vmc->smbios_old_sys_ver ? "1.0" : mc->name, false,
 true, SMBIOS_ENTRY_POINT_30);
 
-smbios_get_tables(NULL, 0, _tables, _tables_len,
+smbios_get_tables(MACHINE(vms), NULL, 0, _tables, 
_tables_len,
   _anchor, _anchor_len);
 
 if (smbios_anchor) {
diff --git a/hw/core/machine-qmp-cmds.c b/hw/core/machine-qmp-cmds.c
index 1e08252af7..14dbad1d6e 100644
--- a/hw/core/machine-qmp-cmds.c
+++ b/hw/core/machine-qmp-cmds.c
@@ -264,7 +264,7 @@ void qmp_cpu_add(int64_t id, Error **errp)
 
 mc = MACHINE_GET_CLASS(current_machine);
 if (mc->hot_add_cpu) {
-mc->hot_add_cpu(id, errp);
+mc->hot_add_cpu(current_machine, id, errp);
 } else {
 error_setg(errp, "Not supported");
 }
diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c
index d1b1d3caa4..416e67bab1 100644
--- a/hw/hppa/machine.c
+++ b/hw/hppa/machine.c
@@ -240,7 +240,7 @@ static void machine_hppa_init(MachineState *machine)
 cpu[0]->env.gr[21] = smp_cpus;
 }
 
-static void hppa_machine_reset(void)
+static void hppa_machine_reset(MachineState *ms)
 {
 int i;
 
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 31a1c1e3ad..8ae7d88b11 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -184,7 +184,7 @@ static void acpi_get_pm_info(AcpiPmInfo *pm)
 pm->pcihp_io_len = 0;
 
 assert(obj);
-init_common_fadt_data(obj, >fadt);
+init_common_fadt_data(machine, obj, >fadt);
 if (piix) {
 /* w2k requires FADT(rev1) or it won't boot, keep PC compatible */
 pm->fadt.rev 
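
Review bot: the call becomes init_common_fadt_data(machine, obj, ...), but the hunk header shows the enclosing function is still acpi_get_pm_info(AcpiPmInfo *pm) and the diffstat lists a single changed line in hw/i386/acpi-build.c, so 'machine' is not a parameter here. The MachineState parameter for both acpi_get_pm_info() and init_common_fadt_data() only appears in 07/42; unless 'machine' is in scope some other way, this patch does not build on its own and breaks bisection. Move this line to 07/42 or bring the signature changes forward into this patch.
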

[Qemu-devel] [PULL v6 04/42] hw/ppc: Replace global smp variables with machine smp properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in ppc are replaced with smp machine properties.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Message-Id: <20190518205428.90532-5-like...@linux.intel.com>
Acked-by: David Gibson 
Signed-off-by: Eduardo Habkost 
---
 hw/ppc/e500.c |  3 +++
 hw/ppc/mac_newworld.c |  3 ++-
 hw/ppc/mac_oldworld.c |  3 ++-
 hw/ppc/pnv.c  |  6 --
 hw/ppc/prep.c |  4 ++--
 hw/ppc/spapr.c| 34 ++
 hw/ppc/spapr_rtas.c   |  4 +++-
 7 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index bfda1266af..a3eac7f057 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -308,6 +308,7 @@ static int ppce500_load_device_tree(PPCE500MachineState 
*pms,
 bool dry_run)
 {
 MachineState *machine = MACHINE(pms);
+unsigned int smp_cpus = machine->smp.cpus;
 const PPCE500MachineClass *pmc = PPCE500_MACHINE_GET_CLASS(pms);
 CPUPPCState *env = first_cpu->env_ptr;
 int ret = -1;
@@ -735,6 +736,7 @@ static DeviceState 
*ppce500_init_mpic_qemu(PPCE500MachineState *pms,
 SysBusDevice *s;
 int i, j, k;
 MachineState *machine = MACHINE(pms);
+unsigned int smp_cpus = machine->smp.cpus;
 const PPCE500MachineClass *pmc = PPCE500_MACHINE_GET_CLASS(pms);
 
 dev = qdev_create(NULL, TYPE_OPENPIC);
@@ -847,6 +849,7 @@ void ppce500_init(MachineState *machine)
 struct boot_info *boot_info;
 int dt_size;
 int i;
+unsigned int smp_cpus = machine->smp.cpus;
 /* irq num for pin INTA, INTB, INTC and INTD is 1, 2, 3 and
  * 4 respectively */
 unsigned int pci_irq_nrs[PCI_NUM_PINS] = {1, 2, 3, 4};
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index c8d3245524..09bc6068f3 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -136,6 +136,7 @@ static void ppc_core99_init(MachineState *machine)
 DeviceState *dev, *pic_dev;
 hwaddr nvram_addr = 0xFFF04000;
 uint64_t tbfreq;
+unsigned int smp_cpus = machine->smp.cpus;
 
 linux_boot = (kernel_filename != NULL);
 
@@ -463,7 +464,7 @@ static void ppc_core99_init(MachineState *machine)
 sysbus_mmio_map(s, 1, CFG_ADDR + 2);
 
 fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)smp_cpus);
-fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
+fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)machine->smp.max_cpus);
 fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
 fw_cfg_add_i16(fw_cfg, FW_CFG_MACHINE_ID, machine_arch);
 fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ADDR, kernel_base);
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index da751addc4..9ffde5b6f7 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -101,6 +101,7 @@ static void ppc_heathrow_init(MachineState *machine)
 DeviceState *dev, *pic_dev;
 BusState *adb_bus;
 int bios_size;
+unsigned int smp_cpus = machine->smp.cpus;
 uint16_t ppc_boot_device;
 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
 void *fw_cfg;
@@ -324,7 +325,7 @@ static void ppc_heathrow_init(MachineState *machine)
 sysbus_mmio_map(s, 1, CFG_ADDR + 2);
 
 fw_cfg_add_i16(fw_cfg, FW_CFG_NB_CPUS, (uint16_t)smp_cpus);
-fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
+fw_cfg_add_i16(fw_cfg, FW_CFG_MAX_CPUS, (uint16_t)machine->smp.max_cpus);
 fw_cfg_add_i64(fw_cfg, FW_CFG_RAM_SIZE, (uint64_t)ram_size);
 fw_cfg_add_i16(fw_cfg, FW_CFG_MACHINE_ID, ARCH_HEATHROW);
 fw_cfg_add_i32(fw_cfg, FW_CFG_KERNEL_ADDR, kernel_base);
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index e364f79efd..bd4531c822 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -688,7 +688,8 @@ static void pnv_init(MachineState *machine)
 object_property_add_child(OBJECT(pnv), chip_name, chip, _fatal);
 object_property_set_int(chip, PNV_CHIP_HWID(i), "chip-id",
 _fatal);
-object_property_set_int(chip, smp_cores, "nr-cores", _fatal);
+object_property_set_int(chip, machine->smp.cores,
+"nr-cores", _fatal);
 object_property_set_bool(chip, true, "realized", _fatal);
 }
 g_free(chip_typename);
@@ -1149,6 +1150,7 @@ static void pnv_chip_core_sanitize(PnvChip *chip, Error 
**errp)
 
 static void pnv_chip_core_realize(PnvChip *chip, Error **errp)
 {
+MachineState *ms = MACHINE(qdev_get_machine());
 Error *error = NULL;
 PnvChipClass *pcc = PNV_CHIP_GET_CLASS(chip);
 const char *typename = pnv_chip_core_typename(chip);
@@ -1182,7 +1184,7 @@ static void pnv_chip_core_realize(PnvChip *chip, Error 
**errp)
 snprintf(core_name, sizeof(core_name), "core[%d]", core_hwid);
 object_initialize_child(OBJECT(chip), core_name, pnv_core, typesize,
   

[Qemu-devel] [PULL v6 11/42] i386: Add die-level cpu topology to x86CPU on PCMachine

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The die-level as the first PC-specific cpu topology is added to the legacy
cpu topology model, which has one die per package implicitly and only the
numbers of sockets/cores/threads are configurable.

In the new model with die-level support, the total number of logical
processors (including offline) on board will be calculated as:

 #cpus = #sockets * #dies * #cores * #threads

and considering compatibility, the default value for #dies would be
initialized to one in x86_cpu_initfn() and pc_machine_initfn().

Signed-off-by: Like Xu 
Message-Id: <20190612084104.34984-2-like...@linux.intel.com>
Reviewed-by: Eduardo Habkost 
Signed-off-by: Eduardo Habkost 
---
 include/hw/i386/pc.h | 2 ++
 target/i386/cpu.h| 2 ++
 hw/i386/pc.c | 9 +++--
 target/i386/cpu.c| 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index de3bd32f52..e56c1a39cb 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -24,6 +24,7 @@
  * PCMachineState:
  * @acpi_dev: link to ACPI PM device that performs ACPI hotplug handling
  * @boot_cpus: number of present VCPUs
+ * @smp_dies: number of dies per one package
  */
 struct PCMachineState {
 /*< private >*/
@@ -59,6 +60,7 @@ struct PCMachineState {
 bool apic_xrupt_override;
 unsigned apic_id_limit;
 uint16_t boot_cpus;
+unsigned smp_dies;
 
 /* NUMA information: */
 uint64_t numa_nodes;
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 93345792f4..14c19e61b1 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1385,6 +1385,8 @@ typedef struct CPUX86State {
 uint64_t xss;
 
 TPRAccess tpr_access_type;
+
+unsigned nr_dies;
 } CPUX86State;
 
 struct kvm_msrs;
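Review bot: `nr_dies` is added at the end of CPUX86State with no comment, and the same patch adds `smp_dies` to PCMachineState, so the die count now lives in two places. Please document on this field what it counts (dies per package) and which of the two copies is authoritative, so that a later change cannot update one and leave the other at its default of 1.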
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 269e44f0d0..d44b2d06db 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -2303,9 +2303,13 @@ static void pc_cpu_pre_plug(HotplugHandler *hotplug_dev,
 return;
 }
 
-/* if APIC ID is not set, set it based on socket/core/thread properties */
+/*
+ * If APIC ID is not set,
+ * set it based on socket/die/core/thread properties.
+ */
 if (cpu->apic_id == UNASSIGNED_APIC_ID) {
-int max_socket = (ms->smp.max_cpus - 1) / smp_threads / smp_cores;
+int max_socket = (ms->smp.max_cpus - 1) /
+smp_threads / smp_cores / pcms->smp_dies;
 
 if (cpu->socket_id < 0) {
 error_setg(errp, "CPU socket-id is not set");
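Review bot: the new max_socket expression in pc_cpu_pre_plug() divides by `pcms->smp_dies` with no guard against zero. The value is 1 after pc_machine_initfn() in this patch, but once the die count is configurable a zero would fault here, so validate it where it is set or assert it is non-zero before the division. The expression also mixes `ms->smp.max_cpus` with the globals `smp_threads` and `smp_cores`; reading all of them from `ms->smp` would match the rest of the series.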
@@ -2684,6 +2688,7 @@ static void pc_machine_initfn(Object *obj)
 pcms->smbus_enabled = true;
 pcms->sata_enabled = true;
 pcms->pit_enabled = true;
+pcms->smp_dies = 1;
 
 pc_system_flash_create(pcms);
 }
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4b5cd49338..8ef3063140 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5639,6 +5639,7 @@ static void x86_cpu_initfn(Object *obj)
 CPUX86State *env = >env;
 FeatureWord w;
 
+env->nr_dies = 1;
 cpu_set_cpustate_pointers(cpu);
 
 object_property_add(obj, "family", "int",
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 01/42] hw/boards: Add struct CpuTopology to MachineState

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The cpu topology property CpuTopology is added to the MachineState
and its members are initialized with the legacy global smp variables.

From this commit, the code in the system emulation mode is supposed to
use cpu topology variables from MachineState instead of the global ones
defined in vl.c and there is no semantic change.

Suggested-by: Igor Mammedov 
Suggested-by: Eduardo Habkost 
Signed-off-by: Like Xu 
Reviewed-by: Alistair Francis 
Message-Id: <20190518205428.90532-2-like...@linux.intel.com>
Signed-off-by: Eduardo Habkost 
---
 include/hw/boards.h | 15 +++
 vl.c|  5 +
 2 files changed, 20 insertions(+)

diff --git a/include/hw/boards.h b/include/hw/boards.h
index c6ad196b14..9597140936 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -232,6 +232,20 @@ typedef struct DeviceMemoryState {
 MemoryRegion mr;
 } DeviceMemoryState;
 
+/**
+ * CpuTopology:
+ * @cpus: the number of present logical processors on the machine
+ * @cores: the number of cores in one package
+ * @threads: the number of threads in one core
+ * @max_cpus: the maximum number of logical processors on the machine
+ */
+typedef struct CpuTopology {
+unsigned int cpus;
+unsigned int cores;
+unsigned int threads;
+unsigned int max_cpus;
+} CpuTopology;
+
 /**
  * MachineState:
  */
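Review bot: the CpuTopology comment leaves the relationship between the fields unstated: whether `cpus <= max_cpus` is guaranteed, and how `cores` and `threads` relate to `cpus` when the machine has more than one package. There is also no sockets member, so code that needs a socket count has to derive it by division. A sentence on the invariants, and on why sockets is omitted, would save each board from guessing.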
@@ -274,6 +288,7 @@ struct MachineState {
 const char *cpu_type;
 AccelState *accelerator;
 CPUArchIdList *possible_cpus;
+CpuTopology smp;
 struct NVDIMMState *nvdimms_state;
 };
 
diff --git a/vl.c b/vl.c
index ddefa75c1d..43113386f7 100644
--- a/vl.c
+++ b/vl.c
@@ -4014,6 +4014,11 @@ int main(int argc, char **argv, char **envp)
 
 smp_parse(qemu_opts_find(qemu_find_opts("smp-opts"), NULL));
 
+current_machine->smp.cpus = smp_cpus;
+current_machine->smp.max_cpus = max_cpus;
+current_machine->smp.cores = smp_cores;
+current_machine->smp.threads = smp_threads;
+
 /* sanity-check smp_cpus and max_cpus against machine_class */
 if (smp_cpus < machine_class->min_cpus) {
 error_report("Invalid SMP CPUs %d. The min CPUs "
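Review bot: the four assignments to `current_machine->smp` sit ahead of the "sanity-check smp_cpus and max_cpus against machine_class" block, so the machine state is populated from values that have not been validated yet, and from this point the topology exists in two copies (the globals and `current_machine->smp`) that nothing keeps in sync. Moving the copy after the checks, or adding a comment that the globals must not be written after this point, would close that gap.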
-- 
2.18.0.rc1.1.g3f1ff2140




[Qemu-devel] [PULL v6 00/42] Machine and x86 queue, 2019-07-05

2019-07-05 Thread Eduardo Habkost
Changes v5 -> v6:
* Rebase and solve conflicts with other pull requests
  (for the 4th time)
* Included Cascadelake-Server-v2 update

Changes v4 -> v5:
* Rebase and solve conflicts with commit 374f63f6810a ("Merge remote-tracking
  branch 'remotes/armbru/tags/pull-monitor-2019-07-02-v2' into staging")

Changes v3 -> v4:
* Fix ppc64 "make check" failure

Changes v2 -> v3:
* Fix "make check" warnings (Igor Mammedov)
* Fix conflicts of "hw/arm: Replace global smp variables with
  machine smp properties" with recent arm changes (Eduardo Habkost)
* x86 versioned CPU models (Eduardo Habkost)
* SnowRidge CPU model (Paul Lai)
* Add deprecation information to query-machines (Eduardo Habkost)

Changes v1 -> v2:
* Fix s390x build failure

The following changes since commit d2c5f91ca944aaade642624397e1853801bbc744:

  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-07-05 16:16:15 +0100)

are available in the Git repository at:

  git://github.com/ehabkost/qemu.git tags/machine-next-pull-request

for you to fetch changes up to af135030e3405af5ce234a9f92cf8cc4e55fec96:

  tests: use -numa memdev option in tests instead of legacy 'mem' option (2019-07-05 17:12:45 -0300)


Machine and x86 queue, 2019-07-05

* CPU die topology support (Like Xu)
* Deprecation of features (Igor Mammedov):
  * 'mem' parameter of '-numa node' option
  * implicit memory distribution between NUMA nodes
  * deprecate -mem-path fallback to anonymous RAM
* x86 versioned CPU models (Eduardo Habkost)
* SnowRidge CPU model (Paul Lai)
* Add deprecation information to query-machines (Eduardo Habkost)
* Other i386 fixes



Queue for Machine Core patches


Eduardo Habkost (15):
  hppa: Delete unused hppa_cpu_list() function
  i386: Don't print warning if phys-bits was set automatically
  i386: Fix signedness of hyperv_spinlock_attempts
  i386: Remove unused host_cpudef variable
  qmp: Add deprecation information to query-machines
  qmp: Add "alias-of" field to query-cpu-definitions
  i386: Add x-force-features option for testing
  i386: Get model-id from CPU object on "-cpu help"
  i386: Register versioned CPU models
  i386: Define -IBRS, -noTSX, -IBRS versions of CPU models
  i386: Replace -noTSX, -IBRS, -IBPB CPU models with aliases
  i386: Make unversioned CPU models be aliases
  docs: Deprecate CPU model runnability guarantees
  i386: Add Cascadelake-Server-v2 CPU model
  numa: Make deprecation warnings conditional on !qtest_enabled()

Igor Mammedov (7):
  pc: fix possible NULL pointer dereference in
pc_machine_get_device_memory_region_size()
  machine: show if CLI option '-numa node,mem' is supported in QAPI
schema
  numa: deprecate 'mem' parameter of '-numa node' option
  numa: deprecate implict memory distribution between nodes
  deprecate -mem-path fallback to anonymous RAM
  numa: allow memory-less nodes when using memdev as backend
  tests: use -numa memdev option in tests instead of legacy 'mem' option

Like Xu (17):
  hw/boards: Add struct CpuTopology to MachineState
  machine: Refactor smp-related call chains to pass MachineState
  general: Replace global smp variables with smp machine properties
  hw/ppc: Replace global smp variables with machine smp properties
  hw/riscv: Replace global smp variables with machine smp properties
  hw/s390x: Replace global smp variables with machine smp properties
  hw/i386: Replace global smp variables with machine smp properties
  hw/arm: Replace global smp variables with machine smp properties
  hw: Replace global smp variables with MachineState for all remaining
archs
  vl.c: Replace smp global variables with smp machine properties
  i386: Add die-level cpu topology to x86CPU on PCMachine
  hw/i386: Adjust nr_dies with configured smp_dies for PCMachine
  i386/cpu: Consolidate die-id validity in smp context
  i386: Update new x86_apicid parsing rules with die_offset support
  target/i386: Add CPUID.1F generation support for multi-dies PCMachine
  machine: Refactor smp_parse() in vl.c as MachineClass::smp_parse()
  vl.c: Add -smp, dies=* command line support and update doc

Paul Lai (1):
  i386: Introduce SnowRidge CPU model

Roman Kagan (1):
  i386: make 'hv-spinlocks' a regular uint32 property

Wei Yang (1):
  x86/cpu: use FeatureWordArray to define filtered_features

 qapi/machine-target.json   |9 +-
 qapi/machine.json  |   17 +-
 include/hw/boards.h|   27 +-
 include/hw/firmware/smbios.h   |5 +-
 include/hw/i386/pc.h   |8 +-
 include/hw/i386/topology.h |   76 +-
 target/hppa/cpu.h  |2 -
 target/i386/cpu-qom.h  |   10 +-
 target/i386/cpu.h  |   36 +-
 accel/kvm/kvm-all.c|4 +-
 

[Qemu-devel] [PULL v6 06/42] hw/s390x: Replace global smp variables with machine smp properties

2019-07-05 Thread Eduardo Habkost
From: Like Xu 

The global smp variables in s390x are replaced with smp machine properties.

A local variable of the same name would be introduced in the declaration
phase if it's used widely in the context OR replace it on the spot if it's
only used once. No semantic changes.

Signed-off-by: Like Xu 
Message-Id: <20190518205428.90532-7-like...@linux.intel.com>
Acked-by: Christian Borntraeger 
Reviewed-by: Cornelia Huck 
[ehabkost: fix build failure at VCPU_IRQ_BUF_SIZE]
Signed-off-by: Eduardo Habkost 

fixup! hw/s390x: Replace global smp variables with machine smp properties

Signed-off-by: Eduardo Habkost 
---
 hw/s390x/s390-virtio-ccw.c |  3 ++-
 hw/s390x/sclp.c|  2 +-
 target/s390x/cpu.c |  3 +++
 target/s390x/excp_helper.c |  5 +
 target/s390x/kvm.c | 10 ++
 5 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index e09bf8f1b6..5b6a9a4e55 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -84,7 +84,7 @@ static void s390_init_cpus(MachineState *machine)
 /* initialize possible_cpus */
 mc->possible_cpu_arch_ids(machine);
 
-for (i = 0; i < smp_cpus; i++) {
+for (i = 0; i < machine->smp.cpus; i++) {
 s390x_new_cpu(machine->cpu_type, i, _fatal);
 }
 }
@@ -411,6 +411,7 @@ static CpuInstanceProperties 
s390_cpu_index_to_props(MachineState *ms,
 static const CPUArchIdList *s390_possible_cpu_arch_ids(MachineState *ms)
 {
 int i;
+unsigned int max_cpus = ms->smp.max_cpus;
 
 if (ms->possible_cpus) {
 g_assert(ms->possible_cpus && ms->possible_cpus->len == max_cpus);
diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 4510a800cb..fac7c3bb6c 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -64,7 +64,7 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 prepare_cpu_entries(sclp, read_info->entries, _count);
 read_info->entries_cpu = cpu_to_be16(cpu_count);
 read_info->offset_cpu = cpu_to_be16(offsetof(ReadInfo, entries));
-read_info->highest_cpu = cpu_to_be16(max_cpus - 1);
+read_info->highest_cpu = cpu_to_be16(machine->smp.max_cpus - 1);
 
 read_info->ibc_val = cpu_to_be32(s390_get_ibc_val());
 
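Review bot: `machine` is used in the replacement line of read_SCP_info() but is not declared anywhere in the visible context, whose parameters are only `sclp` and `sccb`; please confirm it is already in scope in this function. With max_cpus now an `unsigned int`, `machine->smp.max_cpus - 1` wraps to a large value if max_cpus is ever 0, and cpu_to_be16() keeps only the low 16 bits of the result, so an assertion on the range before filling `highest_cpu` would be worthwhile.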
diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
index 8540e7a2cb..736a7903e2 100644
--- a/target/s390x/cpu.c
+++ b/target/s390x/cpu.c
@@ -37,6 +37,7 @@
 #include "hw/qdev-properties.h"
 #ifndef CONFIG_USER_ONLY
 #include "hw/hw.h"
+#include "hw/boards.h"
 #include "sysemu/arch_init.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/tcg.h"
@@ -197,6 +198,8 @@ static void s390_cpu_realizefn(DeviceState *dev, Error 
**errp)
 }
 
 #if !defined(CONFIG_USER_ONLY)
+MachineState *ms = MACHINE(qdev_get_machine());
+unsigned int max_cpus = ms->smp.max_cpus;
 if (cpu->env.core_id >= max_cpus) {
 error_setg(, "Unable to add CPU with core-id: %" PRIu32
", maximum core-id: %d", cpu->env.core_id,
diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
index 202456cdc5..892f659d5a 100644
--- a/target/s390x/excp_helper.c
+++ b/target/s390x/excp_helper.c
@@ -31,6 +31,7 @@
 #ifndef CONFIG_USER_ONLY
 #include "sysemu/sysemu.h"
 #include "hw/s390x/s390_flic.h"
+#include "hw/boards.h"
 #endif
 
 void QEMU_NORETURN tcg_s390_program_interrupt(CPUS390XState *env, uint32_t 
code,
@@ -315,6 +316,10 @@ static void do_ext_interrupt(CPUS390XState *env)
 g_assert(cpu_addr < S390_MAX_CPUS);
 lowcore->cpu_addr = cpu_to_be16(cpu_addr);
 clear_bit(cpu_addr, env->emergency_signals);
+#ifndef CONFIG_USER_ONLY
+MachineState *ms = MACHINE(qdev_get_machine());
+unsigned int max_cpus = ms->smp.max_cpus;
+#endif
 if (bitmap_empty(env->emergency_signals, max_cpus)) {
 env->pending_int &= ~INTERRUPT_EMERGENCY_SIGNAL;
 }
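Review bot: in do_ext_interrupt() the declarations of `ms` and `max_cpus` are wrapped in `#ifndef CONFIG_USER_ONLY`, but the `bitmap_empty(env->emergency_signals, max_cpus)` call right after the `#endif` uses `max_cpus` unconditionally. Either the guard is redundant because this code is never built for user-only, in which case drop it, or the user-only build resolves `max_cpus` to something else, in which case the use needs the same guard. The declarations also land after statements in the middle of the block; hoisting them to the top of the enclosing block would be tidier.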
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index 0267c6c2f6..6e814c230b 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -119,8 +119,8 @@
  * Needs to be big enough to contain max_cpus emergency signals
  * and in addition NR_LOCAL_IRQS interrupts
  */
-#define VCPU_IRQ_BUF_SIZE (sizeof(struct kvm_s390_irq) * \
-   (max_cpus + NR_LOCAL_IRQS))
+#define VCPU_IRQ_BUF_SIZE(max_cpus) (sizeof(struct kvm_s390_irq) * \
+ (max_cpus + NR_LOCAL_IRQS))
 
 static CPUWatchpoint hw_watchpoint;
 /*
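Review bot: the new `VCPU_IRQ_BUF_SIZE(max_cpus)` macro uses its parameter unparenthesized in `(max_cpus + NR_LOCAL_IRQS)`, so an argument containing an operator of lower precedence than `+` would be grouped incorrectly; write `((max_cpus) + NR_LOCAL_IRQS)`. Since the result sizes an allocation, a small static inline function taking an `unsigned int` would avoid the problem altogether and give the argument a type.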
@@ -362,9 +362,10 @@ unsigned long kvm_arch_vcpu_id(CPUState *cpu)
 
 int kvm_arch_init_vcpu(CPUState *cs)
 {
+unsigned int max_cpus = MACHINE(qdev_get_machine())->smp.max_cpus;
 S390CPU *cpu = S390_CPU(cs);
 kvm_s390_set_cpu_state(cpu, cpu->env.cpu_state);
-cpu->irqstate = g_malloc0(VCPU_IRQ_BUF_SIZE);
+cpu->irqstate = g_malloc0(VCPU_IRQ_BUF_SIZE(max_cpus));
 return 0;
 }
 
@@ -1950,9 +1951,10 @@ int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t 
cpu_state)
 
 void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu)
 {
+

Re: [Qemu-devel] [PATCH 6/7] target/i386: add VMX features

2019-07-05 Thread Paolo Bonzini
On 05/07/19 23:22, Eduardo Habkost wrote:
>> +switch (index) {
>> +case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
>> +default1 = 0x0016;
>> +break;
>> +case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
>> +default1 = 0x0401e172;
>> +break;
>> +case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
>> +default1 = 0x11ff;
>> +break;
>> +case MSR_IA32_VMX_TRUE_EXIT_CTLS:
>> +default1 = 0x00036dff;
>> +break;
>> +case MSR_IA32_VMX_PROCBASED_CTLS2:
>> +default1 = 0;
>> +break;
> How do you plan to implement backwards compatibility if these
> defaults ever change?  Shouldn't these values be part of the CPU
> model definitions so we can update them in the future?

These are not defaults, they are "default-1 bits": if a feature is
disabled, these bits are 1 in both halves of the MSR rather than zero.
The set of default-1 bits is documented and is not going to change in
the future.

Some default-1 bits *could* however become features in the future, and
four of these already have features associated to them:
vmx-cr3-load-noexit, vmx-cr3-store-noexit, vmx-exit-nosave-debugctl,
vmx-entry-noload-debugctl.  You can see that they have "no" in their
name because the feature is about the ability to "do less" rather than
"do more".

>> +uint64_t kvm_vmx_basic =
>> +kvm_arch_get_supported_msr_feature(kvm_state,
>> +   MSR_IA32_VMX_BASIC);
>> +uint64_t kvm_vmx_misc =
>> +kvm_arch_get_supported_msr_feature(kvm_state,
>> +   MSR_IA32_VMX_MISC);
>> +uint64_t kvm_vmx_ept_vpid =
>> +kvm_arch_get_supported_msr_feature(kvm_state,
>> +   MSR_IA32_VMX_EPT_VPID_CAP);
> 
> If the MSR value we're exposing to the guest depends on
> kvm_arch_get_supported_msr_feature(), how will we ensure this
> will be safe for live migration?

Because KVM guarantees that this part of the guest ABI will never
change.  These values do not come from the host values of the MSRs, they
are fixed by KVM.  More details below.

> If we really need to tweak the MSR values based on the host for
> some reason (which is not clear to me yet), why don't we update
> env->features[...] at x86_cpu_expand_features() to reflect what
> the guest is really seeing?
> 
> 
>> +/*
>> + * Bits 0-30, 32-44 and 50-53 come from the host.  KVM should
>> + * not change them for backwards compatibility.
> 
> Backwards compatibility with what?
> 
> Don't we want the MSR values to depend solely on the QEMU command
> line in the future?

These bits are: VMCS revision, VMCS size and VMCS memory type.  QEMU
cannot know them, as they depend on the internal implementation details
of KVM.

Now that KVM supports nested virt live migration they cannot change
anymore---otherwise KVM would break KVM live migration compatibility.
However, theoretically in the future KVM could add some capability
(which userspace would have to manually enable) and when the capability
is enabled the values can change.

> +/*
> + * Same for bits 0-4 and 25-27.  Bits 16-24 (CR3 target count) can
> + * change in the future but are always zero for now, clear them to be
> + * future proof.  Bits 32-63 in theory could change, though KVM does
> + * not support dual-monitor treatment and probably never will; mask
> + * them out as well.
> + */

The reasoning is more or less the same here.  These bits are part of the
guest ABI (preemption timer scaling, CR3 target count, MSR count, MSEG
revision).  Right now bits 0-4 are 5 and the others are 0; in the future:

- KVM cannot change bits 0-4 and 32-63 without breaking guest ABI
(the values must match between what you read and what you set)

- KVM could change bits 16-24, but it always allows writing a value that
is _smaller_ than the one you read.  So I'm zeroing those, ensuring no
future ABI changes.

- KVM could in theory change bits 25-27: here it also allows writing a
value that is smaller than the one you read, so guest ABI is preserved.
Such a change is very unlikely, all Intel silicon has always had 0
here.  But I can change the code to zero these three bits just like bits
16-24.

Paolo
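The default-1 rule described in the reply above, as an added example that is not part of the original message and not QEMU's own code: it builds the 64-bit value of one VMX control MSR from a feature word and checks which control settings a guest hypervisor could then program. The function names are hypothetical, the numeric MSR indices are the architectural values from the Intel SDM (the page gives only the names), and the default-1 masks and feature bit positions are the ones in the patch quoted in this thread.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural MSR numbers (Intel SDM); the thread uses only the names. */
#define MSR_IA32_VMX_PROCBASED_CTLS2     0x48b
#define MSR_IA32_VMX_TRUE_PINBASED_CTLS  0x48d
#define MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e
#define MSR_IA32_VMX_TRUE_EXIT_CTLS      0x48f
#define MSR_IA32_VMX_TRUE_ENTRY_CTLS     0x490

/* Bit positions from the FEAT_VMX_PROCBASED_CTLS feat_names table. */
#define VMX_HLT_EXIT        (1u << 7)   /* "vmx-hlt-exit" */
#define VMX_INVLPG_EXIT     (1u << 9)   /* "vmx-invlpg-exit" */
#define VMX_CR3_LOAD_NOEXIT (1u << 15)  /* "vmx-cr3-load-noexit" */

/* Default-1 masks, copied from the switch statement quoted in the thread. */
static bool vmx_default1_bits(uint32_t index, uint32_t *default1)
{
    switch (index) {
    case MSR_IA32_VMX_TRUE_PINBASED_CTLS:  *default1 = 0x0016;     return true;
    case MSR_IA32_VMX_TRUE_PROCBASED_CTLS: *default1 = 0x0401e172; return true;
    case MSR_IA32_VMX_TRUE_ENTRY_CTLS:     *default1 = 0x11ff;     return true;
    case MSR_IA32_VMX_TRUE_EXIT_CTLS:      *default1 = 0x00036dff; return true;
    case MSR_IA32_VMX_PROCBASED_CTLS2:     *default1 = 0;          return true;
    default:                               return false; /* not a control MSR */
    }
}

/*
 * Build the capability value for one control MSR.
 *   bits 31:0  - a set bit means the control must be 1
 *   bits 63:32 - a set bit means the control may be 1
 * A default-1 bit whose feature is disabled is therefore set in both halves;
 * enabling the feature clears it in the low half only ("may also be 0").
 */
bool vmx_ctl_msr_value(uint32_t index, uint32_t features, uint64_t *value)
{
    uint32_t default1;

    if (!vmx_default1_bits(index, &default1)) {
        return false;
    }
    uint32_t can_be_one  = features | default1;
    uint32_t must_be_one = default1 & ~features;
    *value = must_be_one | ((uint64_t)can_be_one << 32);
    return true;
}

/* Check a proposed control setting against the advertised MSR value. */
bool vmx_ctl_allowed(uint64_t msr_value, uint32_t ctl)
{
    uint32_t must_be_one = (uint32_t)msr_value;
    uint32_t can_be_one  = (uint32_t)(msr_value >> 32);

    return (ctl & must_be_one) == must_be_one && (ctl & ~can_be_one) == 0;
}

int main(void)
{
    uint64_t v;

    /* No features enabled: every default-1 bit is fixed to 1. */
    vmx_ctl_msr_value(MSR_IA32_VMX_TRUE_PROCBASED_CTLS, 0, &v);
    printf("no features:          0x%016" PRIx64 "\n", v);
    printf("  clear CR3-load exiting allowed? %d\n",
           vmx_ctl_allowed(v, 0x0401e172 & ~VMX_CR3_LOAD_NOEXIT));

    /* A "noexit" feature lets the guest clear a default-1 bit. */
    vmx_ctl_msr_value(MSR_IA32_VMX_TRUE_PROCBASED_CTLS,
                      VMX_CR3_LOAD_NOEXIT | VMX_HLT_EXIT, &v);
    printf("noexit + hlt-exit:    0x%016" PRIx64 "\n", v);
    printf("  clear CR3-load exiting allowed? %d\n",
           vmx_ctl_allowed(v, 0x0401e172 & ~VMX_CR3_LOAD_NOEXIT));
    return 0;
}
```
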



Re: [Qemu-devel] [PATCH 1/7] target/i386: handle filtered_features in a new function mark_unavailable_features

2019-07-05 Thread Paolo Bonzini
On 05/07/19 23:44, Eduardo Habkost wrote:
> On Fri, Jul 05, 2019 at 11:32:07PM +0200, Paolo Bonzini wrote:
>> On 05/07/19 22:37, Eduardo Habkost wrote:
>>> Filtering and reporting is separate because
>>> x86_cpu_filter_features() is also called from a QMP command
>>> handler that is not supposed to generate any warnings on stderr
>>> (query-cpu-model-expansion).
>>
>> But that one should not set check_cpuid or enforce_cpuid, should it?
> 
> check_cpuid is set to true by default.

Ok, that's what I missed.

>>
>> (I can still split the filtering and reporting if you prefer).
> 
> Maybe it will work if we just add a 'bool verbose' parameter to
> x86_cpu_filter_features().
> 
> x86_cpu_realizefn() would call:
>   x86_cpu_filter_features(cpu, cpu->check_cpuid);

... "|| cpu->enforce_cpuid".

> x86_cpu_class_check_missing_features() would call:
>   x86_cpu_filter_features(cpu, false);

Or set check_cpuid to false there after creating the object?

Paolo



Re: [Qemu-devel] [PATCH 2/7] target/i386: introduce generic feature dependency mechanism

2019-07-05 Thread Paolo Bonzini
On 05/07/19 23:41, Eduardo Habkost wrote:
 +for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
 +FeatureDep *d = _dependencies[i];
 +if ((env->user_features[d->from] & d->from_flag) &&
 +!(env->features[d->from] & d->from_flag)) {
>>> Why does it matter if the feature was cleared explicitly by the
>>> user?
>> Because the feature set of named CPU models should be internally
>> consistent.  I thought of this mechanism as a quick "clean up user's
>> choices" pass to avoid having to remember a multitude of VMX features,
>> for example it makes "-cpu host,-rdtscp" just work.
> If named CPU models are already consistent, ignoring
> user_features shouldn't make a difference, right?  It would also
> be a useful mechanism to detect inconsistencies in internal CPU
> model definitions.

Ok, I can drop that check.

>> It has to be done before expansion, so that env->user_features is set
>> properly before -cpu host is expanded.
> 
> I don't get it.  It looks like you only need env->user_features
> to be set above because you are handling dependencies before
> cpu->max_features is handled.
> 
> If you handle dependencies at x86_cpu_filter_features() instead
> (after cpu->max_features was already handled), you don't even
> need to worry about setting user_features.

I think you're right, but on the other hand setting user_features is
cleaner.  Effectively the dependent features have been disabled because
of something the user told QEMU.  So on one hand I can move the loop to
x86_cpu_filter_features, on the other hand I'd prefer to set
user_features and then it feels more like expansion (e.g. of vmx-ept=off
to vmx-ept=off,vmx-unrestricted-guest=off) than filtering.

Paolo



Re: [Qemu-devel] [PATCH 1/7] target/i386: handle filtered_features in a new function mark_unavailable_features

2019-07-05 Thread Eduardo Habkost
On Fri, Jul 05, 2019 at 11:32:07PM +0200, Paolo Bonzini wrote:
> On 05/07/19 22:37, Eduardo Habkost wrote:
> > Filtering and reporting is separate because
> > x86_cpu_filter_features() is also called from a QMP command
> > handler that is not supposed to generate any warnings on stderr
> > (query-cpu-model-expansion).
> 
> But that one should not set check_cpuid or enforce_cpuid, should it?

check_cpuid is set to true by default.

> 
> (I can still split the filtering and reporting if you prefer).

Maybe it will work if we just add a 'bool verbose' parameter to
x86_cpu_filter_features().

x86_cpu_realizefn() would call:
  x86_cpu_filter_features(cpu, cpu->check_cpuid);

x86_cpu_class_check_missing_features() would call:
  x86_cpu_filter_features(cpu, false);

-- 
Eduardo



Re: [Qemu-devel] [PATCH 2/7] target/i386: introduce generic feature dependency mechanism

2019-07-05 Thread Eduardo Habkost
On Fri, Jul 05, 2019 at 11:12:11PM +0200, Paolo Bonzini wrote:
> On 05/07/19 22:52, Eduardo Habkost wrote:
> >> +typedef struct FeatureDep {
> >> +uint16_t from, to;
> > 
> > Why uint16_t and not FeatureWord?
> 
> Ok.
> 
> >> +uint64_t from_flag, to_flags;
> > 
> > There are other parts of the code that take a
> > FeatureWord/uint32_t pair (which will become uint64_t).  I'd wrap
> > this into a typedef.  I also miss documentation on the exact
> > meaning of those fields.
> > 
> > typedef struct FeatureMask {
> > FeatureWord w;
> > uint64_t mask;
> > };
> 
> Sounds good, I was optimizing the layout by putting small fields
> together.  Perhaps prematurely. :)
> 
> >> +for (l = plus_features; l; l = l->next) {
> >> +const char *prop = l->data;
> >> +object_property_set_bool(OBJECT(cpu), true, prop, _err);
> >> +if (local_err) {
> >> +goto out;
> >> +}
> >> +}
> >> +
> >> +for (l = minus_features; l; l = l->next) {
> >> +const char *prop = l->data;
> >> +object_property_set_bool(OBJECT(cpu), false, prop, _err);
> >> +if (local_err) {
> >> +goto out;
> >> +}
> >> +}
> > 
> > Maybe getting rid of plus_features/minus_features (as described
> > in the TODO comment below) will make things simpler.
> 
> This is just moving code.  I can look at getting rid of plus_features
> and minus_features but I was wary of the effects that global properties
> have on query_cpu_model_expansion.

Shouldn't be a problem, as query-cpu-model-expansion
documentation already advises against using "-cpu" when calling
it.


> 
> In any case, that would basically be rewriting "+foo" and "-foo" to
> "foo=on" and "foo=off" respectively, right?

I don't mean changing the command line interface, but just
changing the implementation of "+foo" and "-foo".

In theory the code was already fixed to make this safe, but I
agree this might be tricky.  Let's worry about
plus_features/minus_features later.


> 
> >> +
> >> +for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
> >> +FeatureDep *d = _dependencies[i];
> >> +if ((env->user_features[d->from] & d->from_flag) &&
> >> +!(env->features[d->from] & d->from_flag)) {
> > 
> > Why does it matter if the feature was cleared explicitly by the
> > user?
> 
> Because the feature set of named CPU models should be internally
> consistent.  I thought of this mechanism as a quick "clean up user's
> choices" pass to avoid having to remember a multitude of VMX features,
> for example it makes "-cpu host,-rdtscp" just work.

If named CPU models are already consistent, ignoring
user_features shouldn't make a difference, right?  It would also
be a useful mechanism to detect inconsistencies in internal CPU
model definitions.

I don't understand why the user_features check would be necessary
to make "-cpu host,-rdtscp" work.

> 
> >> +uint64_t unavailable_features = env->features[d->to] & 
> >> d->to_flags;
> >> +
> >> +/* Not an error unless the dependent feature was added 
> >> explicitly.  */
> >> +mark_unavailable_features(cpu, d->to, unavailable_features & 
> >> env->user_features[d->to],
> >> +  "This feature depends on other 
> >> features that were not requested");
> >> +
> >> +/* Prevent adding the feature in the loop below.  */
> >> +env->user_features[d->to] |= d->to_flags;
> >> +env->features[d->to] &= ~d->to_flags;
> >> +}
> >> +}
> > 
> > Maybe move this entire block inside x86_cpu_filter_features()?
> 
> It has to be done before expansion, so that env->user_features is set
> properly before -cpu host is expanded.

I don't get it.  It looks like you only need env->user_features
to be set above because you are handling dependencies before
cpu->max_features is handled.

If you handle dependencies at x86_cpu_filter_features() instead
(after cpu->max_features was already handled), you don't even
need to worry about setting user_features.

> 
> Paolo
> 
> >> +
> >>  /*TODO: Now cpu->max_features doesn't overwrite features
> >>   * set using QOM properties, and we can convert
> >>   * plus_features & minus_features to global properties
> >> @@ -5106,22 +5143,6 @@ static void x86_cpu_expand_features(X86CPU *cpu, 
> >> Error **errp)
> >>  }
> >>  }
> >>  
> >> -for (l = plus_features; l; l = l->next) {
> >> -const char *prop = l->data;
> >> -object_property_set_bool(OBJECT(cpu), true, prop, _err);
> >> -if (local_err) {
> >> -goto out;
> >> -}
> >> -}
> >> -
> >> -for (l = minus_features; l; l = l->next) {
> >> -const char *prop = l->data;
> >> -object_property_set_bool(OBJECT(cpu), false, prop, _err);
> >> -if (local_err) {
> >> -goto out;
> >> -}
> >> -}
> >> -
> >>  if (!kvm_enabled() || 

Re: [Qemu-devel] [PATCH 1/7] target/i386: handle filtered_features in a new function mark_unavailable_features

2019-07-05 Thread Paolo Bonzini
On 05/07/19 22:37, Eduardo Habkost wrote:
> Filtering and reporting is separate because
> x86_cpu_filter_features() is also called from a QMP command
> handler that is not supposed to generate any warnings on stderr
> (query-cpu-model-expansion).

But that one should not set check_cpuid or enforce_cpuid, should it?

(I can still split the filtering and reporting if you prefer).

Paolo



Re: [Qemu-devel] [PULL 4/4] Makefile: Reuse all's recursion machinery for clean and install

2019-07-05 Thread Christian Borntraeger
This seems to break "make clean" and "make distclean" in the source directory
if there was never a configure.

qemu]$ make clean
  LD  recurse-clean.mo
cc: fatal error: no input files
compilation terminated.
make: *** [rules.mak:118: recurse-clean.mo] Error 1



On 02.07.19 13:34, Markus Armbruster wrote:
> Targets "clean" and "install" run make recursively in a for loop.
> This ignores -j and -k.  Target "all" depends on SUBDIR/all to recurse
> into each SUBDIR.  Behaves nicely with -j and -k.  Put that to use for
> "clean" and "install": depend on SUBDIR/clean or SUBDIR/install,
> respectively, and delete the loop.
> 
> Signed-off-by: Markus Armbruster 
> Reviewed-by: Richard Henderson 
> Message-Id: <20190528082308.22032-5-arm...@redhat.com>
> Reviewed-by: Philippe Mathieu-Daudé 
> ---
>  Makefile | 53 +
>  1 file changed, 25 insertions(+), 28 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index e68982bd99..8cf6cbc4c4 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -454,20 +454,22 @@ config-host.h-timestamp: config-host.mak
>  qemu-options.def: $(SRC_PATH)/qemu-options.hx $(SRC_PATH)/scripts/hxtool
>   $(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > 
> $@,"GEN","$@")
>  
> -SUBDIR_RULES=$(addsuffix /all, $(TARGET_DIRS))
> -SOFTMMU_SUBDIR_RULES=$(filter %-softmmu/all,$(SUBDIR_RULES))
> +TARGET_DIRS_RULES := $(foreach t, all clean install, $(addsuffix /$(t), 
> $(TARGET_DIRS)))
>  
> -$(SOFTMMU_SUBDIR_RULES): $(authz-obj-y)
> -$(SOFTMMU_SUBDIR_RULES): $(block-obj-y)
> -$(SOFTMMU_SUBDIR_RULES): $(chardev-obj-y)
> -$(SOFTMMU_SUBDIR_RULES): $(crypto-obj-y)
> -$(SOFTMMU_SUBDIR_RULES): $(io-obj-y)
> -$(SOFTMMU_SUBDIR_RULES): config-all-devices.mak
> -$(SOFTMMU_SUBDIR_RULES): $(edk2-decompressed)
> +SOFTMMU_ALL_RULES=$(filter %-softmmu/all, $(TARGET_DIRS_RULES))
> +$(SOFTMMU_ALL_RULES): $(authz-obj-y)
> +$(SOFTMMU_ALL_RULES): $(block-obj-y)
> +$(SOFTMMU_ALL_RULES): $(chardev-obj-y)
> +$(SOFTMMU_ALL_RULES): $(crypto-obj-y)
> +$(SOFTMMU_ALL_RULES): $(io-obj-y)
> +$(SOFTMMU_ALL_RULES): config-all-devices.mak
> +$(SOFTMMU_ALL_RULES): $(edk2-decompressed)
>  
> -.PHONY: $(SUBDIR_RULES)
> -$(SUBDIR_RULES):
> - $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $(dir $@) V="$(V)" 
> TARGET_DIR="$(dir $@)" all,)
> +.PHONY: $(TARGET_DIRS_RULES)
> +# The $(TARGET_DIRS_RULES) are of the form SUBDIR/GOAL, so that
> +# $(dir $@) yields the sub-directory, and $(notdir $@) yields the sub-goal
> +$(TARGET_DIRS_RULES):
> + $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $(dir $@) V="$(V)" 
> TARGET_DIR="$(dir $@)" $(notdir $@),)
>  
>  DTC_MAKE_ARGS=-I$(SRC_PATH)/dtc VPATH=$(SRC_PATH)/dtc -C dtc V="$(V)" 
> LIBFDT_srcdir=$(SRC_PATH)/dtc/libfdt
>  DTC_CFLAGS=$(CFLAGS) $(QEMU_CFLAGS)
> @@ -500,19 +502,19 @@ capstone/all: .git-submodule-status
>  slirp/all: .git-submodule-status
>   $(call quiet-command,$(MAKE) -C $(SRC_PATH)/slirp 
> BUILD_DIR="$(BUILD_DIR)/slirp" CC="$(CC)" AR="$(AR)" LD="$(LD)" 
> RANLIB="$(RANLIB)" CFLAGS="$(QEMU_CFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)")
>  
> -$(SUBDIR_RULES): libqemuutil.a $(common-obj-y) \
> +$(filter %/all, $(TARGET_DIRS_RULES)): libqemuutil.a $(common-obj-y) \
>   $(qom-obj-y) $(crypto-user-obj-$(CONFIG_USER_ONLY))
>  
>  ROM_DIRS = $(addprefix pc-bios/, $(ROMS))
> -ROMSUBDIR_RULES=$(addsuffix /all, $(ROM_DIRS))
> +ROM_DIRS_RULES=$(foreach t, all clean, $(addsuffix /$(t), $(ROM_DIRS)))
>  # Only keep -O and -g cflags
> -.PHONY: $(ROMSUBDIR_RULES)
> -$(ROMSUBDIR_RULES):
> - $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $(dir $@) V="$(V)" 
> TARGET_DIR="$(dir $@)" CFLAGS="$(filter -O% -g%,$(CFLAGS))",)
> +.PHONY: $(ROM_DIRS_RULES)
> +$(ROM_DIRS_RULES):
> + $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $(dir $@) V="$(V)" 
> TARGET_DIR="$(dir $@)" CFLAGS="$(filter -O% -g%,$(CFLAGS))" $(notdir $@),)
>  
> -ALL_SUBDIRS=$(TARGET_DIRS) $(ROM_DIRS)
> -
> -recurse-all: $(SUBDIR_RULES) $(ROMSUBDIR_RULES)
> +recurse-all: $(addsuffix /all, $(TARGET_DIRS) $(ROM_DIRS))
> +recurse-clean: $(addsuffix /clean, $(TARGET_DIRS) $(ROM_DIRS))
> +recurse-install: $(addsuffix /install, $(TARGET_DIRS))
>  
>  $(BUILD_DIR)/version.o: $(SRC_PATH)/version.rc config-host.h
>   $(call quiet-command,$(WINDRES) -I$(BUILD_DIR) -o $@ 
> $<,"RC","version.o")
> @@ -661,7 +663,7 @@ clean-coverage:
>   "CLEAN", "coverage files")
>  endif
>  
> -clean:
> +clean: recurse-clean
>  # avoid old build problems by removing potentially incorrect old files
>   rm -f config.mak op-i386.h opc-i386.h gen-op-i386.h op-arm.h opc-arm.h 
> gen-op-arm.h
>   rm -f qemu-options.def
> @@ -682,9 +684,6 @@ clean:
>   rm -f $(foreach f,$(generated-files-y),$(f) $(f)-timestamp)
>   rm -f qapi-gen-timestamp
>   rm -rf qga/qapi-generated
> - for d in $(ALL_SUBDIRS); do \
> - if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
> -done
>   rm -f config-all-devices.mak
>  
>  
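Review bot: the removed loop guarded each sub-make with `if test -d $$d`, but the recurse-clean prerequisites that replace it run `$(MAKE) ... -C $(dir $@)` with no such guard, so `make clean` now fails when one of the target or ROM directories is missing. Consider keeping the existence test in the $(TARGET_DIRS_RULES) and $(ROM_DIRS_RULES) recipes, at least for the clean goal. The sub-directory clean also moves from after the `rm` commands of `clean:` to before them, which is worth a line in the commit message.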

Re: [Qemu-devel] [PATCH 6/7] target/i386: add VMX features

2019-07-05 Thread Eduardo Habkost
On Tue, Jul 02, 2019 at 05:01:20PM +0200, Paolo Bonzini wrote:
> Add code to convert the VMX feature words back into MSR values,
> allowing the user to enable/disable VMX features as they wish.  The same
> infrastructure enables support for limiting VMX features in named
> CPU models.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  target/i386/cpu.c | 221 
> ++
>  target/i386/cpu.h |   9 +++
>  target/i386/kvm.c | 154 -
>  3 files changed, 382 insertions(+), 2 deletions(-)
> 
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 4de44e4..12f76a3 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1211,6 +1211,163 @@ static FeatureWordInfo 
> feature_word_info[FEATURE_WORDS] = {
>  .index = MSR_IA32_CORE_CAPABILITY,
>  },
>  },
> +
> +[FEAT_VMX_PROCBASED_CTLS] = {
> +.type = MSR_FEATURE_WORD,
> +.feat_names = {
> +NULL, NULL, "vmx-vintr-pending", "vmx-tsc-offset",
> +NULL, NULL, NULL, "vmx-hlt-exit",
> +NULL, "vmx-invlpg-exit", "vmx-mwait-exit", "vmx-rdpmc-exit",
> +"vmx-rdtsc-exit", NULL, NULL, "vmx-cr3-load-noexit",
> +"vmx-cr3-store-noexit", NULL, NULL, "vmx-cr8-load-exit",
> +"vmx-cr8-store-exit", "vmx-flexpriority", "vmx-vnmi-pending", 
> "vmx-movdr-exit",
> +"vmx-io-exit", "vmx-io-bitmap", NULL, "vmx-mtf",
> +"vmx-msr-bitmap", "vmx-monitor-exit", "vmx-pause-exit", 
> "vmx-secondary-ctls",
> +},
> +.msr = {
> +.index = MSR_IA32_VMX_TRUE_PROCBASED_CTLS,
> +}
> +},
> +
> +[FEAT_VMX_SECONDARY_CTLS] = {
> +.type = MSR_FEATURE_WORD,
> +.feat_names = {
> +"vmx-apicv-xapic", "vmx-ept", "vmx-desc-exit", "vmx-rdtscp-exit",
> +"vmx-apicv-x2apic", "vmx-vpid", "vmx-wbinvd-exit", 
> "vmx-unrestricted-guest",
> +"vmx-apicv-register", "vmx-apicv-vid", "vmx-ple", 
> "vmx-rdrand-exit",
> +"vmx-invpcid-exit", "vmx-vmfunc", "vmx-shadow-vmcs", 
> "vmx-encls-exit",
> +"vmx-rdseed-exit", "vmx-pml", NULL, NULL,
> +"vmx-xsaves", NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +},
> +.msr = {
> +.index = MSR_IA32_VMX_PROCBASED_CTLS2,
> +}
> +},
> +
> +[FEAT_VMX_PINBASED_CTLS] = {
> +.type = MSR_FEATURE_WORD,
> +.feat_names = {
> +"vmx-intr-exit", NULL, NULL, "vmx-nmi-exit",
> +NULL, "vmx-vnmi", "vmx-preemption-timer", "vmx-posted-intr",
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +},
> +.msr = {
> +.index = MSR_IA32_VMX_TRUE_PINBASED_CTLS,
> +}
> +},
> +
> +[FEAT_VMX_EXIT_CTLS] = {
> +.type = MSR_FEATURE_WORD,
> +/*
> + * VMX_VM_EXIT_HOST_ADDR_SPACE_SIZE is copied from
> + * the LM CPUID bit.
> + */
> +.feat_names = {
> +NULL, NULL, "vmx-exit-nosave-debugctl", NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL /* vmx-exit-host-addr-space-size */, NULL, NULL,
> +"vmx-exit-load-perf-global-ctrl", NULL, NULL, 
> "vmx-exit-ack-intr",
> +NULL, NULL, "vmx-exit-save-pat", "vmx-exit-load-pat",
> +"vmx-exit-save-efer", "vmx-exit-load-efer",
> +"vmx-exit-save-preemption-timer", "vmx-exit-clear-bndcfgs",
> +NULL, "vmx-exit-clear-rtit-ctl", NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +},
> +.msr = {
> +.index = MSR_IA32_VMX_TRUE_EXIT_CTLS,
> +}
> +},
> +
> +[FEAT_VMX_ENTRY_CTLS] = {
> +.type = MSR_FEATURE_WORD,
> +.feat_names = {
> +NULL, NULL, "vmx-entry-noload-debugctl", NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, "vmx-entry-ia32e-mode", NULL, NULL,
> +NULL, "vmx-entry-load-perf-global-ctrl", "vmx-entry-load-pat", 
> "vmx-entry-load-efer",
> +"vmx-entry-load-bndcfgs", NULL, "vmx-entry-load-rtit-ctl", NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +},
> +.msr = {
> +.index = MSR_IA32_VMX_TRUE_ENTRY_CTLS,
> +}
> +},
> +
> +[FEAT_VMX_MISC] = {
> +.type = MSR_FEATURE_WORD,
> +.feat_names = {
> +NULL, NULL, NULL, NULL,
> +NULL, "vmx-store-lma", "vmx-activity-hlt", 
> "vmx-activity-shutdown",
> +"vmx-activity-wait-sipi", NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, NULL, NULL, NULL,
> +NULL, 
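Review bot: the feat_names in these new words mix two polarities with no comment saying what a set bit means: "vmx-cr3-load-noexit" and "vmx-cr3-store-noexit" sit next to "vmx-cr8-load-exit" and "vmx-cr8-store-exit", and the exit and entry words add "vmx-exit-nosave-debugctl" and "vmx-entry-noload-debugctl". Only FEAT_VMX_EXIT_CTLS carries a comment, and that one covers the unnamed host-addr-space-size bit. A one-line comment beside each inverted name, stating why it is inverted, would keep users of these property names from reading them the wrong way.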

[Qemu-devel] [PATCH 3/4] target/i386: kvm: Save nested-state only in case vCPU have set VMXON region

2019-07-05 Thread Liran Alon
Having (nested_state->hdr.vmx.vmxon_pa != -1ull) signals that vCPU has set
at some point in time a VMXON region. Note that even though when vCPU enters
SMM mode it temporarily exits VMX operation, KVM still reports
(vmxon_pa != -1ull).
Therefore, this field can be used as a reliable indicator of when we are
required to send VMX nested-state as part of migration stream.

Reviewed-by: Joao Martins 
Signed-off-by: Liran Alon 
---
 target/i386/machine.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/i386/machine.c b/target/i386/machine.c
index 851b249d1a39..20bda9f80154 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -997,9 +997,8 @@ static bool vmx_nested_state_needed(void *opaque)
 {
 struct kvm_nested_state *nested_state = opaque;
 
-return ((nested_state->format == KVM_STATE_NESTED_FORMAT_VMX) &&
-((nested_state->hdr.vmx.vmxon_pa != -1ull) ||
- (nested_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_VMXON)));
+return (nested_state->format == KVM_STATE_NESTED_FORMAT_VMX) &&
+   (nested_state->hdr.vmx.vmxon_pa != -1ull);
 }
 
 static const VMStateDescription vmstate_vmx_nested_state = {
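Review bot: the reason `vmxon_pa != -1ull` is sufficient on its own, namely that KVM keeps reporting it while the vCPU is in SMM, is recorded only in the commit message. vmx_nested_state_needed() should carry that as a comment, because the dropped KVM_STATE_NESTED_SMM_VMXON test otherwise reads like an omission to the next person who touches this predicate.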
-- 
2.20.1




[Qemu-devel] [PATCH 1/4] target/i386: kvm: Init nested-state for VMX when vCPU expose VMX

2019-07-05 Thread Liran Alon
Reviewed-by: Joao Martins 
Signed-off-by: Liran Alon 
---
 target/i386/kvm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index e4b4f5756a34..b57f873ec9e8 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1714,7 +1714,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
 
 env->nested_state->size = max_nested_state_len;
 
-if (IS_INTEL_CPU(env)) {
+if (cpu_has_vmx(env)) {
 struct kvm_vmx_nested_state_hdr *vmx_hdr =
 >nested_state->hdr.vmx;
 
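Review bot: the commit has no message body, so the reason for replacing `IS_INTEL_CPU(env)` with `cpu_has_vmx(env)` is not recorded anywhere. Please state it, and say what nested_state->format is expected to hold when the vCPU does not expose VMX, since nothing in the visible lines sets it in that case.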
-- 
2.20.1




Re: [Qemu-devel] [PATCH 2/7] target/i386: introduce generic feature dependency mechanism

2019-07-05 Thread Paolo Bonzini
On 05/07/19 22:52, Eduardo Habkost wrote:
>> +typedef struct FeatureDep {
>> +uint16_t from, to;
> 
> Why uint16_t and not FeatureWord?

Ok.

>> +uint64_t from_flag, to_flags;
> 
> There are other parts of the code that take a
> FeatureWord/uint32_t pair (which will become uint64_t).  I'd wrap
> this into a typedef.  I also miss documentation on the exact
> meaning of those fields.
> 
> typedef struct FeatureMask {
>     FeatureWord w;
>     uint64_t mask;
> } FeatureMask;

Sounds good, I was optimizing the layout by putting small fields
together.  Perhaps prematurely. :)

>> +for (l = plus_features; l; l = l->next) {
>> +const char *prop = l->data;
>> +object_property_set_bool(OBJECT(cpu), true, prop, _err);
>> +if (local_err) {
>> +goto out;
>> +}
>> +}
>> +
>> +for (l = minus_features; l; l = l->next) {
>> +const char *prop = l->data;
>> +object_property_set_bool(OBJECT(cpu), false, prop, _err);
>> +if (local_err) {
>> +goto out;
>> +}
>> +}
> 
> Maybe getting rid of plus_features/minus_features (as described
> in the TODO comment below) will make things simpler.

This is just moving code.  I can look at getting rid of plus_features
and minus_features but I was wary of the effects that global properties
have on query_cpu_model_expansion.

In any case, that would basically be rewriting "+foo" and "-foo" to
"foo=on" and "foo=off" respectively, right?

>> +
>> +for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
>> +FeatureDep *d = _dependencies[i];
>> +if ((env->user_features[d->from] & d->from_flag) &&
>> +!(env->features[d->from] & d->from_flag)) {
> 
> Why does it matter if the feature was cleared explicitly by the
> user?

Because the feature set of named CPU models should be internally
consistent.  I thought of this mechanism as a quick "clean up user's
choices" pass to avoid having to remember a multitude of VMX features,
for example it makes "-cpu host,-rdtscp" just work.

>> +uint64_t unavailable_features = env->features[d->to] & 
>> d->to_flags;
>> +
>> +/* Not an error unless the dependent feature was added 
>> explicitly.  */
>> +mark_unavailable_features(cpu, d->to, unavailable_features & 
>> env->user_features[d->to],
>> +  "This feature depends on other 
>> features that were not requested");
>> +
>> +/* Prevent adding the feature in the loop below.  */
>> +env->user_features[d->to] |= d->to_flags;
>> +env->features[d->to] &= ~d->to_flags;
>> +}
>> +}
> 
> Maybe move this entire block inside x86_cpu_filter_features()?

It has to be done before expansion, so that env->user_features is set
properly before -cpu host is expanded.

Paolo

>> +
>>  /*TODO: Now cpu->max_features doesn't overwrite features
>>   * set using QOM properties, and we can convert
>>   * plus_features & minus_features to global properties
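Review bot: the string passed to mark_unavailable_features(), "This feature depends on other features that were not requested", does not say which prerequisite is missing, although d->from and d->from_flag are at hand inside the loop. Naming the prerequisite feature in the message would make the "-cpu check" and "-cpu enforce" output actionable. A short comment on why `env->user_features[d->to] |= d->to_flags` marks bits the user never touched would also help, since "Prevent adding the feature in the loop below" does not explain the side effect on later readers of user_features.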
>> @@ -5106,22 +5143,6 @@ static void x86_cpu_expand_features(X86CPU *cpu, 
>> Error **errp)
>>  }
>>  }
>>  
>> -for (l = plus_features; l; l = l->next) {
>> -const char *prop = l->data;
>> -object_property_set_bool(OBJECT(cpu), true, prop, _err);
>> -if (local_err) {
>> -goto out;
>> -}
>> -}
>> -
>> -for (l = minus_features; l; l = l->next) {
>> -const char *prop = l->data;
>> -object_property_set_bool(OBJECT(cpu), false, prop, _err);
>> -if (local_err) {
>> -goto out;
>> -}
>> -}
>> -
>>  if (!kvm_enabled() || !cpu->expose_kvm) {
>>  env->features[FEAT_KVM] = 0;
>>  }
>> -- 
>> 1.8.3.1
>>
>>
>>
> 




[Qemu-devel] [PATCH 2/4] target/i386: kvm: Init nested-state for vCPU exposed with SVM

2019-07-05 Thread Liran Alon
Reviewed-by: Joao Martins 
Signed-off-by: Liran Alon 
---
 target/i386/cpu.h | 5 +
 target/i386/kvm.c | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 93345792f4cb..cdb0e43676a9 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1867,6 +1867,11 @@ static inline bool cpu_has_vmx(CPUX86State *env)
 return env->features[FEAT_1_ECX] & CPUID_EXT_VMX;
 }
 
+static inline bool cpu_has_svm(CPUX86State *env)
+{
+return env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM;
+}
+
 /* fpu_helper.c */
 void update_fp_status(CPUX86State *env);
 void update_mxcsr_status(CPUX86State *env);
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index b57f873ec9e8..4e2c8652168f 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1721,6 +1721,8 @@ int kvm_arch_init_vcpu(CPUState *cs)
 env->nested_state->format = KVM_STATE_NESTED_FORMAT_VMX;
 vmx_hdr->vmxon_pa = -1ull;
 vmx_hdr->vmcs12_pa = -1ull;
+} else if (cpu_has_svm(env)) {
+env->nested_state->format = KVM_STATE_NESTED_FORMAT_SVM;
 }
 }
 
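Review bot: the new `else if (cpu_has_svm(env))` branch sets only `format`, while the VMX branch above it also initialises header fields (vmxon_pa, vmcs12_pa). If there is no SVM header to initialise yet, say so in a comment or in the commit message, which currently has no body.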
-- 
2.20.1




[Qemu-devel] [PATCH 4/4] target/i386: kvm: Demand nested migration kernel capabilities only when vCPU may have enabled VMX

2019-07-05 Thread Liran Alon
Previous to this change, a vCPU exposed with VMX running on a kernel without
KVM_CAP_NESTED_STATE or KVM_CAP_EXCEPTION_PAYLOAD resulted in adding a
migration blocker. This was because when the code was written it was thought
there is no way to reliably know if a vCPU is utilising VMX or not at runtime.
However, it turns out that this can be known to some extent:

In order for a vCPU to enter VMX operation it must have CR4.VMXE set.
Since it was set, CR4.VMXE must remain set as long as vCPU is in
VMX operation. This is because CR4.VMXE is one of the bits set
in MSR_IA32_VMX_CR4_FIXED1.
There is one exception to above statement when vCPU enters SMM mode.
When a vCPU enters SMM mode, it temporarily exits VMX operation and
may also reset CR4.VMXE during execution in SMM mode.
When vCPU exits SMM mode, vCPU state is restored to be in VMX operation
and CR4.VMXE is restored to its original value of being set.
Therefore, when vCPU is not in SMM mode, we can infer whether
VMX is being used by examining CR4.VMXE. Otherwise, we cannot
know for certain but assume the worst, that vCPU may utilise VMX.

Summarizing all the above, a vCPU may have enabled VMX in case
CR4.VMXE is set or vCPU is in SMM mode.

Therefore, remove migration blocker and check before migration (cpu_pre_save())
if vCPU may have enabled VMX. If true, only then require relevant kernel
capabilities.

While at it, demand KVM_CAP_EXCEPTION_PAYLOAD only when vCPU is in guest-mode
and there is a pending/injected exception. Otherwise, this kernel capability is
not required for proper migration.

Reviewed-by: Joao Martins 
Signed-off-by: Liran Alon 
---
 target/i386/cpu.h  | 22 ++
 target/i386/kvm.c  | 26 ++
 target/i386/kvm_i386.h |  1 +
 target/i386/machine.c  | 24 
 4 files changed, 49 insertions(+), 24 deletions(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index cdb0e43676a9..c752c4d936ee 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1872,6 +1872,28 @@ static inline bool cpu_has_svm(CPUX86State *env)
 return env->features[FEAT_8000_0001_ECX] & CPUID_EXT3_SVM;
 }
 
+/*
+ * In order for a vCPU to enter VMX operation it must have CR4.VMXE set.
+ * Since it was set, CR4.VMXE must remain set as long as vCPU is in
+ * VMX operation. This is because CR4.VMXE is one of the bits set
+ * in MSR_IA32_VMX_CR4_FIXED1.
+ *
+ * There is one exception to above statement when vCPU enters SMM mode.
+ * When a vCPU enters SMM mode, it temporarily exit VMX operation and
+ * may also reset CR4.VMXE during execution in SMM mode.
+ * When vCPU exits SMM mode, vCPU state is restored to be in VMX operation
+ * and CR4.VMXE is restored to it's original value of being set.
+ *
+ * Therefore, when vCPU is not in SMM mode, we can infer whether
+ * VMX is being used by examining CR4.VMXE. Otherwise, we cannot
+ * know for certain.
+ */
+static inline bool cpu_vmx_maybe_enabled(CPUX86State *env)
+{
+return cpu_has_vmx(env) &&
+   ((env->cr[4] & CR4_VMXE_MASK) || (env->hflags & HF_SMM_MASK));
+}
+
 /* fpu_helper.c */
 void update_fp_status(CPUX86State *env);
 void update_mxcsr_status(CPUX86State *env);
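Review bot: the comment above cpu_vmx_maybe_enabled() stops at "Otherwise, we cannot know for certain" and does not say what the function returns in that case. The code answers true for any vCPU with VMX exposed that is in SMM (`env->hflags & HF_SMM_MASK`), whether or not the guest ever set CR4.VMXE. Carry over the sentence from the commit message about assuming VMX may be in use, so the conservative result is documented at the definition.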
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 4e2c8652168f..d3af445eeb5d 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -128,6 +128,11 @@ bool kvm_has_adjust_clock_stable(void)
 return (ret == KVM_CLOCK_TSC_STABLE);
 }
 
+bool kvm_has_exception_payload(void)
+{
+return has_exception_payload;
+}
+
 bool kvm_allows_irq0_override(void)
 {
 return !kvm_irqchip_in_kernel() || kvm_has_gsi_routing();
@@ -1341,7 +1346,6 @@ static int hyperv_init_vcpu(X86CPU *cpu)
 }
 
 static Error *invtsc_mig_blocker;
-static Error *nested_virt_mig_blocker;
 
 #define KVM_MAX_CPUID_ENTRIES  100
 
@@ -1640,22 +1644,6 @@ int kvm_arch_init_vcpu(CPUState *cs)
   !!(c->ecx & CPUID_EXT_SMX);
 }
 
-if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&
-((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
-error_setg(_virt_mig_blocker,
-   "Kernel do not provide required capabilities for "
-   "nested virtualization migration. "
-   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
-   kvm_max_nested_state_length() > 0,
-   has_exception_payload);
-r = migrate_add_blocker(nested_virt_mig_blocker, _err);
-if (local_err) {
-error_report_err(local_err);
-error_free(nested_virt_mig_blocker);
-return r;
-}
-}
-
 if (env->mcg_cap & MCG_LMCE_P) {
 has_msr_mcg_ext_ctl = has_msr_feature_control = true;
 }
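Review bot: removing the blocker here also removes the only message that names the missing capability ("CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d"). Per the commit message the check moves to cpu_pre_save(), so please make sure that path reports which capability is missing with the same level of detail, since the failure now shows up at migration time instead of at vCPU init.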
@@ -1670,7 +1658,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
 if (local_err) {
 error_report_err(local_err);
 error_free(invtsc_mig_blocker);
-goto fail2;
+return r;
 

[Qemu-devel] [PATCH-for-4.1 v4 0/3] hw/ssi/xilinx_spips: Avoid NULL pointer deference

2019-07-05 Thread Philippe Mathieu-Daudé
v1: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01238.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01586.html
v3: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01657.html
v4
- address Francisco comments from v3
- RFC avoid out-of-bound

Philippe Mathieu-Daudé (3):
  hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
  hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
  hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]

 hw/ssi/xilinx_spips.c | 43 +++
 1 file changed, 31 insertions(+), 12 deletions(-)

-- 
2.20.1




[Qemu-devel] [RFC PATCH-for-4.1 v4 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]

2019-07-05 Thread Philippe Mathieu-Daudé
Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.

Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.

Signed-off-by: Philippe Mathieu-Daudé 
---
Late friday patch...

 hw/ssi/xilinx_spips.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 3c4e8365ee..8f705132a3 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1243,6 +1243,10 @@ static const MemoryRegionOps lqspi_ops = {
 .min_access_size = 1,
 .max_access_size = 4
 }
+.impl = {
+.min_access_size = 4,
+.max_access_size = 4,
+}
 };
 
 static void xilinx_spips_realize(DeviceState *dev, Error **errp)
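Review bot: the closing brace of `.valid` in the context line directly above `+.impl = {` has no trailing comma, so the added initializer does not compile; that ` }` has to become ` },` as part of this hunk. Separately, `.valid` still accepts 1-byte accesses while `.impl` is fixed at 4, so the commit message should say that narrower guest accesses are now widened to 32-bit calls before they reach lqspi_read(), which is what keeps the lqspi_buf[] index aligned.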
-- 
2.20.1




[Qemu-devel] [PATCH 0/4] target/i386: kvm: Various nested-state fixes

2019-07-05 Thread Liran Alon
Hi,

This series is just a bunch of small fixes to recent QEMU nested-state
migration support.

1st and 2nd patch can be considered as trivial refactoring patches.

3rd patch fixes a bug of requiring to save VMX nested-state when it is
not needed.

4th patch removes migration blocker when vCPU is exposed with VMX and
instead demands nested migration kernel capabilities only when vCPU may
have enabled VMX, to provide for better backwards-compatible migration
scenarios. For more info, refer to relevant commit message.

Thanks,
-Liran




Re: [Qemu-devel] [PATCH v2 RFC] qemu-nbd: Permit TLS with Unix sockets

2019-07-05 Thread Eric Blake
On 7/5/19 4:31 AM, Max Reitz wrote:
> On 04.07.19 00:47, Eric Blake wrote:
>> Although you generally won't use encryption with a Unix socket (after
>> all, everything is local, so why waste the CPU power), there are
>> situations in testsuites where Unix sockets are much nicer than TCP
>> sockets.  Since nbdkit allows encryption over both types of sockets,
>> it makes sense for qemu-nbd to do likewise.
> 
> Hmm.  The code is simple enough, so I don’t see a good reason not to.
> 

> Um, also, a perhaps stupid question: Why is there no passing test for
> client authorization?
> 

Not a stupid question. It's copy-and-paste from the existing test over
TCP, which Dan added in b25e12daf without any additional successful test.
I guess the earlier tests in the file are the success cases, and this
just checks that authz restrictions cover the expected failure case of
something that would succeed without authz? Or maybe that commit really
is incomplete?

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org





[Qemu-devel] [PATCH-for-4.1 v4 2/3] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory

2019-07-05 Thread Philippe Mathieu-Daudé
Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.

From UG1085 datasheet [*] AXI writes in this region are ignored
and generate an AXI Slave Error (SLVERR).

Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

Reported-by: Lei Sun 
Reviewed-by: Francisco Iglesias 
Signed-off-by: Philippe Mathieu-Daudé 
---
v4: Fix typos (Francisco)
---
 hw/ssi/xilinx_spips.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index b7c7275dbe..3c4e8365ee 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, 
uint64_t *value,
 return lqspi_read(opaque, addr, value, size, attrs);
 }
 
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+   unsigned size, MemTxAttrs attrs)
+{
+/*
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
+ * - Writes are ignored
+ * - AXI writes generate an external AXI slave error (SLVERR)
+ */
+qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+   " (value: 0x%" PRIx64 "\n",
+  __func__, size << 3, offset, value);
+
+return MEMTX_ERROR;
+}
+
 static const MemoryRegionOps lqspi_ops = {
 .read_with_attrs = lqspi_read,
+.write_with_attrs = lqspi_write,
 .endianness = DEVICE_NATIVE_ENDIAN,
 .valid = {
 .min_access_size = 1,
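Review bot: the format string in lqspi_write() opens a parenthesis at "(value: 0x%" PRIx64 and never closes it; the last piece should be ")\n". In the same call `offset` is a hwaddr printed with PRIx64, where HWADDR_PRIx is the matching macro. Since this handler exists to turn a guest-triggerable NULL dereference into a reported error, it is worth getting the LOG_GUEST_ERROR line right, because that line is what someone triaging a misbehaving guest will search for.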
-- 
2.20.1




Re: [Qemu-devel] [PULL 00/12] Misc bugfixes for QEMU hard freeze

2019-07-05 Thread Paolo Bonzini
On 05/07/19 21:50, Paolo Bonzini wrote:
> The following changes since commit 68d7ff0cff0c4905802104843cf0100543b47314:
> 
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2019-06-21 13:32:10 +0100)
> 
> are available in the git repository at:
> 
> 
>   git://github.com/bonzini/qemu.git tags/for-upstream
> 
> for you to fetch changes up to 2994e7e66a8902d0e42c5e528489ca6484c66d2d:
> 
>   ioapic: use irq number instead of vector in ioapic_eoi_broadcast 
> (2019-07-05 18:35:43 +0200)
> 
> 
> Bugfixes.
> 
> 
> Alex Bennée (1):
>   target/i386: fix feature check in hyperv-stub.c
> 
> Igor Mammedov (1):
>   pc: fix possible NULL pointer dereference in 
> pc_machine_get_device_memory_region_size()
> 
> Julio Montes (2):
>   Makefile: generate header file with the list of devices enabled
>   hw/i386: Fix linker error when ISAPC is disabled
> 
> Li Qiang (2):
>   ioapic: clear irq_eoi when updating the ioapic redirect table entry
>   ioapic: use irq number instead of vector in ioapic_eoi_broadcast
> 
> Liran Alon (1):
>   target/i386: kvm: Fix when nested state is needed for migration
> 
> Max Reitz (1):
>   i386/kvm: Fix build with -m32
> 
> Paolo Bonzini (2):
>   checkpatch: do not warn for multiline parenthesized returned value
>   minikconf: do not include variables from MINIKCONF_ARGS in 
> config-all-devices.mak
> 
> Peter Xu (1):
>   intel_iommu: Fix unexpected unmaps during global unmap
> 
> Yan Zhao (1):
>   intel_iommu: Fix incorrect "end" for vtd_address_space_unmap
> 
>  Makefile.target   |  5 
>  hw/i386/intel_iommu.c | 71 
> ---
>  hw/i386/pc.c  |  6 +++-
>  hw/i386/pc_piix.c | 12 ++--
>  hw/intc/ioapic.c  | 11 
>  scripts/checkpatch.pl |  3 +-
>  scripts/clean-includes|  2 +-
>  scripts/create_config |  2 ++
>  scripts/minikconf.py  |  5 +++-
>  target/i386/hyperv-stub.c |  2 +-
>  target/i386/kvm.c |  7 +++--
>  target/i386/machine.c |  5 ++--
>  12 files changed, 84 insertions(+), 47 deletions(-)
> 

Sent v2 with a compilation fix I had not committed. :(

Paolo



[Qemu-devel] [PULL 08/12] minikconf: do not include variables from MINIKCONF_ARGS in config-all-devices.mak

2019-07-05 Thread Paolo Bonzini
When minikconf writes config-devices.mak, it includes all variables including
those from MINIKCONF_ARGS.  This causes values from config-host.mak to "stick"
to the ones used in generating config-devices.mak, because config-devices.mak
is included after config-host.mak.  Avoid this by omitting assignments coming
from the command line in the output of minikconf.

Reported-by: Christophe de Dinechin 
Reviewed-by: Christophe de Dinechin 
Tested-by: Christophe de Dinechin 
Signed-off-by: Paolo Bonzini 
---
 scripts/minikconf.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/minikconf.py b/scripts/minikconf.py
index 0ffc6c3..3109a81 100644
--- a/scripts/minikconf.py
+++ b/scripts/minikconf.py
@@ -688,11 +688,13 @@ if __name__ == '__main__':
 
 data = KconfigData(mode)
 parser = KconfigParser(data)
+external_vars = set()
 for arg in argv[3:]:
 m = re.match(r'^(CONFIG_[A-Z0-9_]+)=([yn]?)$', arg)
 if m is not None:
 name, value = m.groups()
 parser.do_assignment(name, value == 'y')
+external_vars.add(name[7:])
 else:
 fp = open(arg, 'r')
 parser.parse_file(fp)
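Review bot: `external_vars.add(name[7:])` hard-codes the length of the "CONFIG_" prefix that the regular expression two lines above already spells out. Use `name[len('CONFIG_'):]` or capture the suffix in its own group, and add a comment saying that external_vars holds names without the prefix, because the later `key not in external_vars` test silently stops filtering if the two ever disagree.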
@@ -700,7 +702,8 @@ if __name__ == '__main__':
 
 config = data.compute_config()
 for key in sorted(config.keys()):
-print ('CONFIG_%s=%s' % (key, ('y' if config[key] else 'n')))
+if key not in external_vars:
+print ('CONFIG_%s=%s' % (key, ('y' if config[key] else 'n')))
 
 deps = open(argv[2], 'w')
 for fname in data.previously_included:
-- 
1.8.3.1





[Qemu-devel] [PULL 03/12] i386/kvm: Fix build with -m32

2019-07-05 Thread Paolo Bonzini
From: Max Reitz 

find_next_bit() takes a pointer of type "const unsigned long *", but the
first argument passed here is a "uint64_t *".  These types are
incompatible when compiling qemu with -m32.

Just use ctz64() instead.

Fixes: c686193072a47032d83cb4e131dc49ae30f9e5d
Signed-off-by: Max Reitz 
Reviewed-by: Eduardo Habkost 
Message-Id: <20190624193913.28343-1-mre...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 target/i386/kvm.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index e4b4f57..31490bf 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1043,14 +1043,15 @@ static int hv_cpuid_check_and_set(CPUState *cs, struct 
kvm_cpuid2 *cpuid,
 CPUX86State *env = >env;
 uint32_t r, fw, bits;
 uint64_t deps;
-int i, dep_feat = 0;
+int i, dep_feat;
 
 if (!hyperv_feat_enabled(cpu, feature) && !cpu->hyperv_passthrough) {
 return 0;
 }
 
 deps = kvm_hyperv_properties[feature].dependencies;
-while ((dep_feat = find_next_bit(, 64, dep_feat)) < 64) {
+while (deps) {
+dep_feat = ctz64(deps);
 if (!(hyperv_feat_enabled(cpu, dep_feat))) {
 fprintf(stderr,
 "Hyper-V %s requires Hyper-V %s\n",
@@ -1058,7 +1059,7 @@ static int hv_cpuid_check_and_set(CPUState *cs, struct 
kvm_cpuid2 *cpuid,
 kvm_hyperv_properties[dep_feat].desc);
 return 1;
 }
-dep_feat++;
+deps &= ~(1ull << dep_feat);
 }
 
 for (i = 0; i < ARRAY_SIZE(kvm_hyperv_properties[feature].flags); i++) {
-- 
1.8.3.1





[Qemu-devel] [PULL 10/12] Makefile: generate header file with the list of devices enabled

2019-07-05 Thread Paolo Bonzini
From: Julio Montes 

v2: generate config-devices.h which contains the list of devices enabled

Message-Id: <20190705143554.10295-1-julio.mon...@intel.com>
Signed-off-by: Paolo Bonzini 
Signed-off-by: Julio Montes 
---
 Makefile.target   | 4 
 scripts/create_config | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/Makefile.target b/Makefile.target
index 72c267f..7154e99 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -45,6 +45,9 @@ include $(SRC_PATH)/tests/tcg/Makefile.include
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
+config-devices.h: config-devices.h-timestamp
+config-devices.h-timestamp: config-devices.mak
+
 ifdef CONFIG_TRACE_SYSTEMTAP
 stap: $(QEMU_PROG).stp-installed $(QEMU_PROG).stp $(QEMU_PROG)-simpletrace.stp 
$(QEMU_PROG)-log.stp
 
@@ -168,6 +171,7 @@ obj-y += hw/$(TARGET_BASE_ARCH)/
 endif
 
 generated-files-y += hmp-commands.h hmp-commands-info.h
+generated-files-y += config-devices.h
 
 endif # CONFIG_SOFTMMU
 
diff --git a/scripts/create_config b/scripts/create_config
index d727e5e..00e86c8 100755
--- a/scripts/create_config
+++ b/scripts/create_config
@@ -58,6 +58,8 @@ case $line in
 name=${line%=*}
 echo "#define $name 1"
 ;;
+ CONFIG_*=n) # configuration
+;;
  CONFIG_*=*) # configuration
 name=${line%=*}
 value=${line#*=}
-- 
1.8.3.1





[Qemu-devel] [PULL 06/12] ioapic: clear irq_eoi when updating the ioapic redirect table entry

2019-07-05 Thread Paolo Bonzini
From: Li Qiang 

irq_eoi is used to count the number of irq injected during eoi
broadcast. It should be set to 0 when updating the ioapic's redirect
table entry.

Suggested-by: Peter Xu 
Signed-off-by: Li Qiang 
Reviewed-by: Peter Xu 
Message-Id: <20190624151635.22494-1-liq...@163.com>
Signed-off-by: Paolo Bonzini 
---
 hw/intc/ioapic.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/intc/ioapic.c b/hw/intc/ioapic.c
index 7074489..db9e518 100644
--- a/hw/intc/ioapic.c
+++ b/hw/intc/ioapic.c
@@ -380,6 +380,7 @@ ioapic_mem_write(void *opaque, hwaddr addr, uint64_t val,
 /* restore RO bits */
 s->ioredtbl[index] &= IOAPIC_RW_BITS;
 s->ioredtbl[index] |= ro_bits;
+s->irq_eoi[index] = 0;
 ioapic_fix_edge_remote_irr(>ioredtbl[index]);
 ioapic_service(s);
 }
-- 
1.8.3.1





[Qemu-devel] [PULL 11/12] hw/i386: Fix linker error when ISAPC is disabled

2019-07-05 Thread Paolo Bonzini
From: Julio Montes 

v2: include config-devices.h to use CONFIG_IDE_ISA

Message-Id: <20190705143554.10295-2-julio.mon...@intel.com>
Signed-off-by: Paolo Bonzini 
Signed-off-by: Julio Montes 
---
 hw/i386/pc_piix.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index c07c4a5..cc04c01 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -23,6 +23,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "config-devices.h"
 
 #include "qemu/units.h"
 #include "hw/hw.h"
@@ -61,9 +62,11 @@
 
 #define MAX_IDE_BUS 2
 
+#ifdef CONFIG_IDE_ISA
 static const int ide_iobase[MAX_IDE_BUS] = { 0x1f0, 0x170 };
 static const int ide_iobase2[MAX_IDE_BUS] = { 0x3f6, 0x376 };
 static const int ide_irq[MAX_IDE_BUS] = { 14, 15 };
+#endif
 
 /* PC hardware initialisation */
 static void pc_init1(MachineState *machine,
@@ -254,7 +257,10 @@ static void pc_init1(MachineState *machine,
 }
 idebus[0] = qdev_get_child_bus(>qdev, "ide.0");
 idebus[1] = qdev_get_child_bus(>qdev, "ide.1");
-} else {
+pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+}
+#ifdef CONFIG_IDE_ISA
+else {
 for(i = 0; i < MAX_IDE_BUS; i++) {
 ISADevice *dev;
 char busname[] = "ide.0";
@@ -268,9 +274,9 @@ static void pc_init1(MachineState *machine,
 busname[4] = '0' + i;
 idebus[i] = qdev_get_child_bus(DEVICE(dev), busname);
 }
+pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
 }
-
-pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+#endif
 
 if (pcmc->pci_enabled && machine_usb(machine)) {
 pci_create_simple(pci_bus, piix3_devfn + 2, "piix3-usb-uhci");
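Review bot: moving pc_cmos_init() into both branches means it is no longer called when CONFIG_IDE_ISA is undefined and the first branch is not taken, because the whole `else` block, including the call, is compiled out. If that combination cannot occur, an explicit error or assertion there would be clearer than silently skipping CMOS init, and idebus[] is then left unset for that path. Placing `#ifdef CONFIG_IDE_ISA` between `}` and `else {` also makes the if/else hard to follow; wrapping only the body of the else branch would keep the call in one place.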
-- 
1.8.3.1





Re: [Qemu-devel] [PATCH 2/7] target/i386: introduce generic feature dependency mechanism

2019-07-05 Thread Eduardo Habkost
On Tue, Jul 02, 2019 at 05:01:16PM +0200, Paolo Bonzini wrote:
> Sometimes a CPU feature does not make sense unless another is
> present.  In the case of VMX features, KVM does not even allow
> setting the VMX controls to some invalid combinations.
> 
> Therefore, this patch adds a generic mechanism that looks for bits
> that the user explicitly cleared, and uses them to remove other bits
> from the expanded CPU definition.  If these dependent bits were also
> explicitly *set* by the user, this will be a warning for "-cpu check"
> and an error for "-cpu enforce".  If not, then the dependent bits are
> cleared silently, for convenience.
> 
> With VMX features, this will be used so that for example
> "-cpu host,-rdrand" will also hide support for RDRAND exiting.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  target/i386/cpu.c | 77 
> +++
>  1 file changed, 49 insertions(+), 28 deletions(-)
> 
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 9149d0d..412e834 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -799,10 +799,6 @@ typedef struct FeatureWordInfo {
>  /* If type==MSR_FEATURE_WORD */
>  struct {
>  uint32_t index;
> -struct {   /*CPUID that enumerate this MSR*/
> -FeatureWord cpuid_class;
> -uint32_tcpuid_flag;
> -} cpuid_dep;
>  } msr;
>  };
>  uint32_t tcg_features; /* Feature flags supported by TCG */
> @@ -1197,10 +1193,6 @@ static FeatureWordInfo 
> feature_word_info[FEATURE_WORDS] = {
>  },
>  .msr = {
>  .index = MSR_IA32_ARCH_CAPABILITIES,
> -.cpuid_dep = {
> -FEAT_7_0_EDX,
> -CPUID_7_0_EDX_ARCH_CAPABILITIES
> -}
>  },
>  },
>  [FEAT_CORE_CAPABILITY] = {
> @@ -1217,14 +1209,26 @@ static FeatureWordInfo 
> feature_word_info[FEATURE_WORDS] = {
>  },
>  .msr = {
>  .index = MSR_IA32_CORE_CAPABILITY,
> -.cpuid_dep = {
> -FEAT_7_0_EDX,
> -CPUID_7_0_EDX_CORE_CAPABILITY,
> -},
>  },
>  },
>  };
>  
> +typedef struct FeatureDep {
> +uint16_t from, to;

Why uint16_t and not FeatureWord?

> +uint64_t from_flag, to_flags;

There are other parts of the code that take a
FeatureWord/uint32_t pair (which will become uint64_t).  I'd wrap
this into a typedef.  I also miss documentation on the exact
meaning of those fields.

typedef struct FeatureMask {
    FeatureWord w;
    uint64_t mask;
} FeatureMask;


typedef struct FeatureDependency {
    /*
     * Features in @to may be present only if _all_ features in @from
     * are present too.
     */
    FeatureMask from, to;
} FeatureDep;

static FeatureDep feature_dependencies[] = {
    {
        .from = { FEAT_7_0_EDX, CPUID_7_0_EDX_ARCH_CAPABILITIES },
        .to =   { FEAT_ARCH_CAPABILITIES, ~0ull },
    },
    {
        .from = { FEAT_7_0_EDX, CPUID_7_0_EDX_CORE_CAPABILITY },
        .to =   { FEAT_CORE_CAPABILITY, ~0ull },
    },
};


> +} FeatureDep;
> +
> +static FeatureDep feature_dependencies[] = {
> +{
> +.from = FEAT_7_0_EDX,.from_flag = 
> CPUID_7_0_EDX_ARCH_CAPABILITIES,
> +.to = FEAT_ARCH_CAPABILITIES,.to_flags = ~0ull,
> +},
> +{
> +.from = FEAT_7_0_EDX,.from_flag = 
> CPUID_7_0_EDX_CORE_CAPABILITY,
> +.to = FEAT_CORE_CAPABILITY,  .to_flags = ~0ull,
> +},
> +};
> +
>  typedef struct X86RegisterInfo32 {
>  /* Name of register */
>  const char *name;
> @@ -5086,9 +5090,42 @@ static void x86_cpu_expand_features(X86CPU *cpu, Error 
> **errp)
>  {
>  CPUX86State *env = >env;
>  FeatureWord w;
> +int i;
>  GList *l;
>  Error *local_err = NULL;
>  
> +for (l = plus_features; l; l = l->next) {
> +const char *prop = l->data;
> +object_property_set_bool(OBJECT(cpu), true, prop, _err);
> +if (local_err) {
> +goto out;
> +}
> +}
> +
> +for (l = minus_features; l; l = l->next) {
> +const char *prop = l->data;
> +object_property_set_bool(OBJECT(cpu), false, prop, _err);
> +if (local_err) {
> +goto out;
> +}
> +}

Maybe getting rid of plus_features/minus_features (as described
in the TODO comment below) will make things simpler.

> +
> +for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
> +FeatureDep *d = _dependencies[i];
> +if ((env->user_features[d->from] & d->from_flag) &&
> +!(env->features[d->from] & d->from_flag)) {

Why does it matter if the feature was cleared explicitly by the
user?

> +uint64_t unavailable_features = env->features[d->to] & 
> d->to_flags;
> +
> +/* Not an error unless the dependent feature was added 
> explicitly.  */
> +   

[Qemu-devel] [PULL 00/12] Misc bugfixes for QEMU hard freeze

2019-07-05 Thread Paolo Bonzini
The following changes since commit 39d1b92b810793e02558e05efa23059f67520bc9:

  Merge remote-tracking branch 
'remotes/bkoppelmann2/tags/pull-tricore-20190625' into staging (2019-07-01 
13:47:21 +0100)

are available in the git repository at:


  git://github.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to 03f990a5e31e28c9a2794729638f2117e028bfa5:

  ioapic: use irq number instead of vector in ioapic_eoi_broadcast (2019-07-05 
22:19:59 +0200)


Bugfixes.


Alex Bennée (1):
  target/i386: fix feature check in hyperv-stub.c

Igor Mammedov (1):
  pc: fix possible NULL pointer dereference in 
pc_machine_get_device_memory_region_size()

Julio Montes (2):
  Makefile: generate header file with the list of devices enabled
  hw/i386: Fix linker error when ISAPC is disabled

Li Qiang (2):
  ioapic: clear irq_eoi when updating the ioapic redirect table entry
  ioapic: use irq number instead of vector in ioapic_eoi_broadcast

Liran Alon (1):
  target/i386: kvm: Fix when nested state is needed for migration

Max Reitz (1):
  i386/kvm: Fix build with -m32

Paolo Bonzini (2):
  checkpatch: do not warn for multiline parenthesized returned value
  minikconf: do not include variables from MINIKCONF_ARGS in 
config-all-devices.mak

Peter Xu (1):
  intel_iommu: Fix unexpected unmaps during global unmap

Yan Zhao (1):
  intel_iommu: Fix incorrect "end" for vtd_address_space_unmap

 Makefile.target   |  4 +++
 hw/i386/intel_iommu.c | 71 ---
 hw/i386/pc.c  |  6 +++-
 hw/i386/pc_piix.c | 12 ++--
 hw/intc/ioapic.c  | 11 
 scripts/checkpatch.pl |  3 +-
 scripts/create_config |  2 ++
 scripts/minikconf.py  |  5 +++-
 target/i386/hyperv-stub.c |  2 +-
 target/i386/kvm.c |  7 +++--
 target/i386/machine.c |  5 ++--
 11 files changed, 82 insertions(+), 46 deletions(-)
-- 
1.8.3.1




[Qemu-devel] [PULL 04/12] intel_iommu: Fix incorrect "end" for vtd_address_space_unmap

2019-07-05 Thread Paolo Bonzini
From: Yan Zhao 

IOMMUNotifier works with inclusive ranges, so we should check
against (VTD_ADDRESS_SIZE(s->aw_bits) - 1).

Signed-off-by: Yan Zhao 
[peterx: split from another bigger patch]
Reviewed-by: Eric Auger 
Signed-off-by: Peter Xu 
Message-Id: <20190624091811.30412-2-pet...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 hw/i386/intel_iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 44b1231..719ce19 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3379,12 +3379,12 @@ static void vtd_address_space_unmap(VTDAddressSpace 
*as, IOMMUNotifier *n)
  * VT-d spec), otherwise we need to consider overflow of 64 bits.
  */
 
-if (end > VTD_ADDRESS_SIZE(s->aw_bits)) {
+if (end > VTD_ADDRESS_SIZE(s->aw_bits) - 1) {
 /*
  * Don't need to unmap regions that is bigger than the whole
  * VT-d supported address space size
  */
-end = VTD_ADDRESS_SIZE(s->aw_bits);
+end = VTD_ADDRESS_SIZE(s->aw_bits) - 1;
 }
 
 assert(start <= end);
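
Review bot: only `end` is clamped to `VTD_ADDRESS_SIZE(s->aw_bits) - 1`, so if a notifier can be registered with `start` above that limit, the `assert(start <= end)` that follows fires with start > end. Consider returning early when `start` is already beyond the supported address width. While touching this block, the comment in the clamped branch should read "regions that are bigger".
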
-- 
1.8.3.1





[Qemu-devel] [PULL 05/12] intel_iommu: Fix unexpected unmaps during global unmap

2019-07-05 Thread Paolo Bonzini
From: Peter Xu 

This is a replacement for Yan Zhao's patch:

https://www.mail-archive.com/qemu-devel@nongnu.org/msg625340.html

vtd_address_space_unmap() will do proper page mask alignment to make
sure each IOTLB message will have correct masks for notification
messages (2^N-1), but sometimes it can be expanded to even supersede
the registered range.  That could lead to unexpected UNMAP of already
mapped regions in some other notifiers.

Instead of doing mindless expansion of the start address and address
mask, we split the range into smaller ones and guarantee that each
small range will have correct masks (2^N-1) and at the same time we
should also try our best to generate as few IOTLB messages as
possible.

Reported-by: Yan Zhao 
Signed-off-by: Peter Xu 
Reviewed-by: Eric Auger 
Tested-by: Yan Zhao 
Message-Id: <20190624091811.30412-3-pet...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 hw/i386/intel_iommu.c | 67 +++
 1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 719ce19..de86f53 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3363,11 +3363,28 @@ VTDAddressSpace *vtd_find_add_as(IntelIOMMUState *s, 
PCIBus *bus, int devfn)
 return vtd_dev_as;
 }
 
+static uint64_t get_naturally_aligned_size(uint64_t start,
+   uint64_t size, int gaw)
+{
+uint64_t max_mask = 1ULL << gaw;
+uint64_t alignment = start ? start & -start : max_mask;
+
+alignment = MIN(alignment, max_mask);
+size = MIN(size, max_mask);
+
+if (alignment <= size) {
+/* Increase the alignment of start */
+return alignment;
+} else {
+/* Find the largest page mask from size */
+return 1ULL << (63 - clz64(size));
+}
+}
+
 /* Unmap the whole range in the notifier's scope. */
 static void vtd_address_space_unmap(VTDAddressSpace *as, IOMMUNotifier *n)
 {
-IOMMUTLBEntry entry;
-hwaddr size;
+hwaddr size, remain;
 hwaddr start = n->start;
 hwaddr end = n->end;
 IntelIOMMUState *s = as->iommu_state;
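
Review bot: get_naturally_aligned_size() has no comment stating what it returns or what it requires of its arguments. In the else branch `1ULL << (63 - clz64(size))` is only defined for size != 0, and `max_mask` holds a size (`1ULL << gaw`), not a mask. A short doc comment saying that the result is a power-of-two byte count no larger than `size` to which `start` is aligned, plus an assert(size) and a rename to max_size, would make the contract explicit.
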
@@ -3388,39 +3405,37 @@ static void vtd_address_space_unmap(VTDAddressSpace 
*as, IOMMUNotifier *n)
 }
 
 assert(start <= end);
-size = end - start;
+size = remain = end - start + 1;
 
-if (ctpop64(size) != 1) {
-/*
- * This size cannot format a correct mask. Let's enlarge it to
- * suite the minimum available mask.
- */
-int n = 64 - clz64(size);
-if (n > s->aw_bits) {
-/* should not happen, but in case it happens, limit it */
-n = s->aw_bits;
-}
-size = 1ULL << n;
+while (remain >= VTD_PAGE_SIZE) {
+IOMMUTLBEntry entry;
+uint64_t mask = get_naturally_aligned_size(start, remain, s->aw_bits);
+
+assert(mask);
+
+entry.iova = start;
+entry.addr_mask = mask - 1;
+entry.target_as = _space_memory;
+entry.perm = IOMMU_NONE;
+/* This field is meaningless for unmap */
+entry.translated_addr = 0;
+
+memory_region_notify_one(n, );
+
+start += mask;
+remain -= mask;
 }
 
-entry.target_as = _space_memory;
-/* Adjust iova for the size */
-entry.iova = n->start & ~(size - 1);
-/* This field is meaningless for unmap */
-entry.translated_addr = 0;
-entry.perm = IOMMU_NONE;
-entry.addr_mask = size - 1;
+assert(!remain);
 
 trace_vtd_as_unmap_whole(pci_bus_num(as->bus),
  VTD_PCI_SLOT(as->devfn),
  VTD_PCI_FUNC(as->devfn),
- entry.iova, size);
+ n->start, size);
 
-map.iova = entry.iova;
-map.size = entry.addr_mask;
+map.iova = n->start;
+map.size = size;
 iova_tree_remove(as->iova_tree, );
-
-memory_region_notify_one(n, );
 }
 
 static void vtd_address_space_unmap_all(IntelIOMMUState *s)
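
Review bot: `map.size = size;` changes the convention of the removed line, which passed `entry.addr_mask` (that is, size - 1), to a full byte count (`end - start + 1`). Please confirm which of the two iova_tree_remove() expects; if the range is inclusive this should be `size - 1`. Separately, the loop stops once `remain < VTD_PAGE_SIZE`, so `assert(!remain)` aborts for any notifier range whose length is not a multiple of VTD_PAGE_SIZE; say in a comment why that cannot happen, or handle the tail.
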
-- 
1.8.3.1





[Qemu-devel] [PATCH v3 1/2] Makefile: generate header file with the list of devices enabled

2019-07-05 Thread Paolo Bonzini
From: Julio Montes 

v2: generate config-devices.h which contains the list of devices enabled

Message-Id: <20190705143554.10295-1-julio.mon...@intel.com>
Signed-off-by: Paolo Bonzini 
Signed-off-by: Julio Montes 
---
 Makefile.target   | 4 
 scripts/create_config | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/Makefile.target b/Makefile.target
index 72c267f..7154e99 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -45,6 +45,9 @@ include $(SRC_PATH)/tests/tcg/Makefile.include
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
+config-devices.h: config-devices.h-timestamp
+config-devices.h-timestamp: config-devices.mak
+
 ifdef CONFIG_TRACE_SYSTEMTAP
 stap: $(QEMU_PROG).stp-installed $(QEMU_PROG).stp $(QEMU_PROG)-simpletrace.stp 
$(QEMU_PROG)-log.stp
 
@@ -168,6 +171,7 @@ obj-y += hw/$(TARGET_BASE_ARCH)/
 endif
 
 generated-files-y += hmp-commands.h hmp-commands-info.h
+generated-files-y += config-devices.h
 
 endif # CONFIG_SOFTMMU
 
diff --git a/scripts/create_config b/scripts/create_config
index d727e5e..00e86c8 100755
--- a/scripts/create_config
+++ b/scripts/create_config
@@ -58,6 +58,8 @@ case $line in
 name=${line%=*}
 echo "#define $name 1"
 ;;
+ CONFIG_*=n) # configuration
+;;
  CONFIG_*=*) # configuration
 name=${line%=*}
 value=${line#*=}
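
Review bot: the new `CONFIG_*=n)` arm reuses the `# configuration` comment of the arm below it and has an empty body, so nothing says why the option is dropped. A comment along the lines of "disabled option: emit no #define so that #ifdef on it is false" would document the intent, and should also note that this arm has to stay above `CONFIG_*=*)` to match first.
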
-- 
1.8.3.1





[Qemu-devel] [PATCH-for-4.1 v4 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs

2019-07-05 Thread Philippe Mathieu-Daudé
In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.

Signed-off-by: Philippe Mathieu-Daudé 
---
v4: Do not ignore lqspi_read() return value (Francisco)
---
 hw/ssi/xilinx_spips.c | 23 +++
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 8115bb6d46..b7c7275dbe 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1202,27 +1202,26 @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
 }
 }
 
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+  unsigned size, MemTxAttrs attrs)
 {
-XilinxQSPIPS *q = opaque;
-uint32_t ret;
+XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
 
 if (addr >= q->lqspi_cached_addr &&
 addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
 uint8_t *retp = >lqspi_buf[addr - q->lqspi_cached_addr];
-ret = cpu_to_le32(*(uint32_t *)retp);
-DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-   (unsigned)ret);
-return ret;
-} else {
-lqspi_load_cache(opaque, addr);
-return lqspi_read(opaque, addr, size);
+*value = cpu_to_le32(*(uint32_t *)retp);
+DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+   addr, *value);
+return MEMTX_OK;
 }
+
+lqspi_load_cache(opaque, addr);
+return lqspi_read(opaque, addr, value, size, attrs);
 }
 
 static const MemoryRegionOps lqspi_ops = {
-.read = lqspi_read,
+.read_with_attrs = lqspi_read,
 .endianness = DEVICE_NATIVE_ENDIAN,
 .valid = {
 .min_access_size = 1,
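
Review bot: the fall-through path `lqspi_load_cache(opaque, addr); return lqspi_read(opaque, addr, value, size, attrs);` recurses with no bound and terminates only if the load leaves `addr` inside the window tested by the `if`. Now that the handler returns a MemTxResult, consider repeating the range check once after the load and returning MEMTX_ERROR if it still fails, instead of recursing. The cached path also always dereferences `*(uint32_t *)retp` whatever `size` is, although `.valid.min_access_size` is 1.
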
-- 
2.20.1




[Qemu-devel] [PATCH v3 2/2] hw/i386: Fix linker error when ISAPC is disabled

2019-07-05 Thread Paolo Bonzini
From: Julio Montes 

v2: include config-devices.h to use CONFIG_IDE_ISA

Message-Id: <20190705143554.10295-2-julio.mon...@intel.com>
Signed-off-by: Paolo Bonzini 
Signed-off-by: Julio Montes 
---
 hw/i386/pc_piix.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index c07c4a5..cc04c01 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -23,6 +23,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "config-devices.h"
 
 #include "qemu/units.h"
 #include "hw/hw.h"
@@ -61,9 +62,11 @@
 
 #define MAX_IDE_BUS 2
 
+#ifdef CONFIG_IDE_ISA
 static const int ide_iobase[MAX_IDE_BUS] = { 0x1f0, 0x170 };
 static const int ide_iobase2[MAX_IDE_BUS] = { 0x3f6, 0x376 };
 static const int ide_irq[MAX_IDE_BUS] = { 14, 15 };
+#endif
 
 /* PC hardware initialisation */
 static void pc_init1(MachineState *machine,
@@ -254,7 +257,10 @@ static void pc_init1(MachineState *machine,
 }
 idebus[0] = qdev_get_child_bus(>qdev, "ide.0");
 idebus[1] = qdev_get_child_bus(>qdev, "ide.1");
-} else {
+pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+}
+#ifdef CONFIG_IDE_ISA
+else {
 for(i = 0; i < MAX_IDE_BUS; i++) {
 ISADevice *dev;
 char busname[] = "ide.0";
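
Review bot: splitting the `}` / `else {` pair around `#ifdef CONFIG_IDE_ISA` makes the brace structure depend on the preprocessor and is easy to break in a later edit. Keeping a plain `} else {` and putting the `#ifdef` inside the else body, around the ISA IDE loop only, would read more clearly.
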
@@ -268,9 +274,9 @@ static void pc_init1(MachineState *machine,
 busname[4] = '0' + i;
 idebus[i] = qdev_get_child_bus(DEVICE(dev), busname);
 }
+pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
 }
-
-pc_cmos_init(pcms, idebus[0], idebus[1], rtc_state);
+#endif
 
 if (pcmc->pci_enabled && machine_usb(machine)) {
 pci_create_simple(pci_bus, piix3_devfn + 2, "piix3-usb-uhci");
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH 1/7] target/i386: handle filtered_features in a new function mark_unavailable_features

2019-07-05 Thread Eduardo Habkost
On Tue, Jul 02, 2019 at 05:01:15PM +0200, Paolo Bonzini wrote:
> The next patch will add a different reason for filtering features, unrelated
> to host feature support.  Extract a new function that takes care of disabling
> the features and reporting them.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  target/i386/cpu.c | 76 
> ++-
>  1 file changed, 41 insertions(+), 35 deletions(-)
> 
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index da6eb67..9149d0d 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -3236,17 +3236,39 @@ static char *feature_word_description(FeatureWordInfo 
> *f, uint32_t bit)
>  return NULL;
>  }
>  
> -static void report_unavailable_features(FeatureWord w, uint32_t mask)
> +static bool x86_cpu_have_filtered_features(X86CPU *cpu)
>  {
> +FeatureWord w;
> +
> +for (w = 0; w < ARRAY_SIZE(feature_word_info); w++) {

I prefer to use FEATURE_WORDS instead of
ARRAY_SIZE(feature_word_info), for consistency.

I'm becoming more and more inclined to transform FeatureWordArray
into a bitmap.  We have too many "for (w; w < FEATURE_WORDS;
w++)" loops in the code that could be simplified using bitmap
operations.

But this is independent from this patch.


> + if (cpu->filtered_features[w]) {
> + return true;
> + }
> +}
> +
> +return false;
> +}
> +
> +static void mark_unavailable_features(X86CPU *cpu, FeatureWord w, uint32_t 
> mask,
> +  const char *prefix)
> +{
> +CPUX86State *env = >env;
>  FeatureWordInfo *f = _word_info[w];
>  int i;
>  char *feat_word_str;
>  
> +env->features[w] &= ~mask;
> +cpu->filtered_features[w] |= mask;
> +
> +if (!cpu->check_cpuid && !cpu->enforce_cpuid) {
> +return;
> +}
> +
>  for (i = 0; i < 32; ++i) {
>  if ((1UL << i) & mask) {
>  feat_word_str = feature_word_description(f, i);
> -warn_report("%s doesn't support requested feature: %s%s%s [bit 
> %d]",
> -accel_uses_host_cpuid() ? "host" : "TCG",
> +warn_report("%s: %s%s%s [bit %d]",
> +prefix,
>  feat_word_str,
>  f->feat_names[i] ? "." : "",
>  f->feat_names[i] ? f->feat_names[i] : "", i);

This seems to undo commit 8ca30e8673af ("target-i386: Move
warning code outside x86_cpu_filter_features()").

Filtering and reporting is separate because
x86_cpu_filter_features() is also called from a QMP command
handler that is not supposed to generate any warnings on stderr
(query-cpu-model-expansion).


> @@ -3691,7 +3713,7 @@ static void x86_cpu_parse_featurestr(const char 
> *typename, char *features,
>  }
>  
>  static void x86_cpu_expand_features(X86CPU *cpu, Error **errp);
> -static int x86_cpu_filter_features(X86CPU *cpu);
> +static void x86_cpu_filter_features(X86CPU *cpu);
>  
>  /* Build a list with the name of all features on a feature word array */
>  static void x86_cpu_list_feature_names(FeatureWordArray features,
> @@ -3923,15 +3945,6 @@ static uint32_t 
> x86_cpu_get_supported_feature_word(FeatureWord w,
>  return r;
>  }
>  
> -static void x86_cpu_report_filtered_features(X86CPU *cpu)
> -{
> -FeatureWord w;
> -
> -for (w = 0; w < FEATURE_WORDS; w++) {
> -report_unavailable_features(w, cpu->filtered_features[w]);
> -}
> -}
> -
>  static void x86_cpu_apply_props(X86CPU *cpu, PropValue *props)
>  {
>  PropValue *pv;
> @@ -5170,21 +5183,20 @@ out:
>   *
>   * Returns: 0 if all flags are supported by the host, non-zero otherwise.
>   */
> -static int x86_cpu_filter_features(X86CPU *cpu)
> +static void x86_cpu_filter_features(X86CPU *cpu)
>  {
>  CPUX86State *env = >env;
>  FeatureWord w;
> -int rv = 0;
> +const char *prefix = accel_uses_host_cpuid()
> + ? "host doesn't support requested feature"
> + : "TCG doesn't support requested feature";
>  
>  for (w = 0; w < FEATURE_WORDS; w++) {
>  uint32_t host_feat =
>  x86_cpu_get_supported_feature_word(w, false);
>  uint32_t requested_features = env->features[w];
> -env->features[w] &= host_feat;
> -cpu->filtered_features[w] = requested_features & ~env->features[w];
> -if (cpu->filtered_features[w]) {
> -rv = 1;
> -}
> +uint32_t unavailable_features = requested_features & ~host_feat;
> +mark_unavailable_features(cpu, w, unavailable_features, prefix);
>  }
>  
>  if ((env->features[FEAT_7_0_EBX] & CPUID_7_0_EBX_INTEL_PT) &&
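
Review bot: the comment kept as context above x86_cpu_filter_features() still says "Returns: 0 if all flags are supported by the host, non-zero otherwise", but the function now returns void. Drop the Returns line, or point readers to x86_cpu_have_filtered_features(), which this patch adds.
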
> @@ -5210,13 +5222,9 @@ static int x86_cpu_filter_features(X86CPU *cpu)
>   * host can't emulate the capabilities we report on
>   * cpu_x86_cpuid(), intel-pt can't be enabled on the current 
> host.
>   */
> -env->features[FEAT_7_0_EBX] &= 

[Qemu-devel] [PATCH v3 0/2] hw/i386: Fix linker error when ISAPC is disabled

2019-07-05 Thread Paolo Bonzini
v3 fixes the issue pointed out by Patchew and Philippe.

Julio Montes (2):
  Makefile: generate header file with the list of devices enabled
  hw/i386: Fix linker error when ISAPC is disabled

 Makefile.target   |  4 
 hw/i386/pc_piix.c | 12 +---
 scripts/create_config |  2 ++
 3 files changed, 15 insertions(+), 3 deletions(-)

-- 
1.8.3.1




[Qemu-devel] [PATCH v3 18/18] block/backup: loosen restriction on readonly bitmaps

2019-07-05 Thread John Snow
With the "never" sync policy, we actually can utilize readonly bitmaps
now. Loosen the check at the QMP level, and tighten it based on
provided arguments down at the job creation level instead.

Reviewed-by: Max Reitz 
Signed-off-by: John Snow 
---
 block/backup.c | 6 ++
 blockdev.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/block/backup.c b/block/backup.c
index b25e6179cf..a59962cea8 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -607,6 +607,12 @@ BlockJob *backup_job_create(const char *job_id, 
BlockDriverState *bs,
 return NULL;
 }
 
+/* If we need to write to this bitmap, check that we can: */
+if (bitmap_mode != BITMAP_SYNC_MODE_NEVER &&
+bdrv_dirty_bitmap_check(sync_bitmap, BDRV_BITMAP_DEFAULT, errp)) {
+return NULL;
+}
+
 /* Create a new bitmap, and freeze/disable this one. */
 if (bdrv_dirty_bitmap_create_successor(bs, sync_bitmap, errp) < 0) {
 return NULL;
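
Review bot: for BITMAP_SYNC_MODE_NEVER this condition skips bdrv_dirty_bitmap_check() entirely, so backup_job_create() relies on its caller having run the BDRV_BITMAP_ALLOW_RO check in blockdev.c. An else arm that checks with BDRV_BITMAP_ALLOW_RO here would keep the job-creation level self-contained for any caller that does not go through do_backup_common().
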
diff --git a/blockdev.c b/blockdev.c
index 5dfaa976c9..3e30bc2ca7 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -3489,7 +3489,7 @@ static BlockJob *do_backup_common(BackupCommon *backup,
"when providing a bitmap");
 return NULL;
 }
-if (bdrv_dirty_bitmap_check(bmap, BDRV_BITMAP_DEFAULT, errp)) {
+if (bdrv_dirty_bitmap_check(bmap, BDRV_BITMAP_ALLOW_RO, errp)) {
 return NULL;
 }
 }
-- 
2.21.0




[Qemu-devel] [PULL 12/12] ioapic: use irq number instead of vector in ioapic_eoi_broadcast

2019-07-05 Thread Paolo Bonzini
From: Li Qiang 

When emulating irqchip in qemu, such as with the following command:

x86_64-softmmu/qemu-system-x86_64 -m 1024 -smp 4 -hda /home/test/test.img
-machine kernel-irqchip=off --enable-kvm -vnc :0 -device edu -monitor stdio

We will get a crash with the following asan output:

(qemu) /home/test/qemu5/qemu/hw/intc/ioapic.c:266:27: runtime error: index 35 
out of bounds for type 'int [24]'
=
==113504==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61b03114 at pc 0x5579e3c7a80f bp 0x7fd004bf8c10 sp 0x7fd004bf8c00
WRITE of size 4 at 0x61b03114 thread T4
#0 0x5579e3c7a80e in ioapic_eoi_broadcast 
/home/test/qemu5/qemu/hw/intc/ioapic.c:266
#1 0x5579e3c6f480 in apic_eoi /home/test/qemu5/qemu/hw/intc/apic.c:428
#2 0x5579e3c720a7 in apic_mem_write /home/test/qemu5/qemu/hw/intc/apic.c:802
#3 0x5579e3b1e31a in memory_region_write_accessor 
/home/test/qemu5/qemu/memory.c:503
#4 0x5579e3b1e6a2 in access_with_adjusted_size 
/home/test/qemu5/qemu/memory.c:569
#5 0x5579e3b28d77 in memory_region_dispatch_write 
/home/test/qemu5/qemu/memory.c:1497
#6 0x5579e3a1b36b in flatview_write_continue 
/home/test/qemu5/qemu/exec.c:3323
#7 0x5579e3a1b633 in flatview_write /home/test/qemu5/qemu/exec.c:3362
#8 0x5579e3a1bcb1 in address_space_write /home/test/qemu5/qemu/exec.c:3452
#9 0x5579e3a1bd03 in address_space_rw /home/test/qemu5/qemu/exec.c:3463
#10 0x5579e3b8b979 in kvm_cpu_exec 
/home/test/qemu5/qemu/accel/kvm/kvm-all.c:2045
#11 0x5579e3ae4499 in qemu_kvm_cpu_thread_fn 
/home/test/qemu5/qemu/cpus.c:1287
#12 0x5579e4cbdb9f in qemu_thread_start util/qemu-thread-posix.c:502
#13 0x7fd0146376da in start_thread 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#14 0x7fd01436088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e

This is because in ioapic_eoi_broadcast function, we use 'vector' to
index the 's->irq_eoi'. To fix this, we should use the irq number.

Signed-off-by: Li Qiang 
Reviewed-by: Peter Xu 
Message-Id: <20190622002119.126834-1-liq...@163.com>
---
 hw/intc/ioapic.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/intc/ioapic.c b/hw/intc/ioapic.c
index db9e518..c408749 100644
--- a/hw/intc/ioapic.c
+++ b/hw/intc/ioapic.c
@@ -245,8 +245,8 @@ void ioapic_eoi_broadcast(int vector)
 s->ioredtbl[n] = entry & ~IOAPIC_LVT_REMOTE_IRR;
 
 if (!(entry & IOAPIC_LVT_MASKED) && (s->irr & (1 << n))) {
-++s->irq_eoi[vector];
-if (s->irq_eoi[vector] >= SUCCESSIVE_IRQ_MAX_COUNT) {
+++s->irq_eoi[n];
+if (s->irq_eoi[n] >= SUCCESSIVE_IRQ_MAX_COUNT) {
 /*
  * Real hardware does not deliver the interrupt immediately
  * during eoi broadcast, and this lets a buggy guest make
@@ -254,16 +254,16 @@ void ioapic_eoi_broadcast(int vector)
  * level-triggered interrupt. Emulate this behavior if we
  * detect an interrupt storm.
  */
-s->irq_eoi[vector] = 0;
+s->irq_eoi[n] = 0;
 timer_mod_anticipate(s->delayed_ioapic_service_timer,
  qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 
+
  NANOSECONDS_PER_SECOND / 100);
-trace_ioapic_eoi_delayed_reassert(vector);
+trace_ioapic_eoi_delayed_reassert(n);
 } else {
 ioapic_service(s);
 }
 } else {
-s->irq_eoi[vector] = 0;
+s->irq_eoi[n] = 0;
 }
 }
 }
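
Review bot: `trace_ioapic_eoi_delayed_reassert(n)` now reports the pin index where it used to report the vector, which changes the meaning of the value for anyone reading this trace event. Only the irq_eoi[] index needed to change to fix the overflow, so either keep passing `vector` to the trace point or update the event's description to say it is an IRQ number.
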
-- 
1.8.3.1




[Qemu-devel] [PATCH v3 17/18] iotests: add test 257 for bitmap-mode backups

2019-07-05 Thread John Snow
Signed-off-by: John Snow 
---
 tests/qemu-iotests/257 |  409 +++
 tests/qemu-iotests/257.out | 2199 
 tests/qemu-iotests/group   |1 +
 3 files changed, 2609 insertions(+)
 create mode 100755 tests/qemu-iotests/257
 create mode 100644 tests/qemu-iotests/257.out

diff --git a/tests/qemu-iotests/257 b/tests/qemu-iotests/257
new file mode 100755
index 00..fd3b3328d8
--- /dev/null
+++ b/tests/qemu-iotests/257
@@ -0,0 +1,409 @@
+#!/usr/bin/env python
+#
+# Test bitmap-sync backups (incremental, differential, and partials)
+#
+# Copyright (c) 2019 John Snow for Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+# owner=js...@redhat.com
+
+from collections import namedtuple
+import math
+import os
+
+import iotests
+from iotests import log, qemu_img
+
+SIZE = 64 * 1024 * 1024
+GRANULARITY = 64 * 1024
+
+Pattern = namedtuple('Pattern', ['byte', 'offset', 'size'])
+def mkpattern(byte, offset, size=GRANULARITY):
+"""Constructor for Pattern() with default size"""
+return Pattern(byte, offset, size)
+
+class PatternGroup:
+"""Grouping of Pattern objects. Initialize with an iterable of Patterns."""
+def __init__(self, patterns):
+self.patterns = patterns
+
+def bits(self, granularity):
+"""Calculate the unique bits dirtied by this pattern grouping"""
+res = set()
+for pattern in self.patterns:
+lower = math.floor(pattern.offset / granularity)
+upper = math.floor((pattern.offset + pattern.size - 1) / 
granularity)
+res = res | set(range(lower, upper + 1))
+return res
+
+GROUPS = [
+PatternGroup([
+# Batch 0: 4 clusters
+mkpattern('0x49', 0x000),
+mkpattern('0x6c', 0x010),   # 1M
+mkpattern('0x6f', 0x200),   # 32M
+mkpattern('0x76', 0x3ff)]), # 64M - 64K
+PatternGroup([
+# Batch 1: 6 clusters (3 new)
+mkpattern('0x65', 0x000),   # Full overwrite
+mkpattern('0x77', 0x00f8000),   # Partial-left (1M-32K)
+mkpattern('0x72', 0x2008000),   # Partial-right (32M+32K)
+mkpattern('0x69', 0x3fe)]), # Adjacent-left (64M - 128K)
+PatternGroup([
+# Batch 2: 7 clusters (3 new)
+mkpattern('0x74', 0x001),   # Adjacent-right
+mkpattern('0x69', 0x00e8000),   # Partial-left  (1M-96K)
+mkpattern('0x6e', 0x2018000),   # Partial-right (32M+96K)
+mkpattern('0x67', 0x3fe,
+  2*GRANULARITY)]), # Overwrite [(64M-128K)-64M)
+PatternGroup([
+# Batch 3: 8 clusters (5 new)
+# Carefully chosen such that nothing re-dirties the one cluster
+# that copies out successfully before failure in Group #1.
+mkpattern('0xaa', 0x001,
+  3*GRANULARITY),   # Overwrite and 2x Adjacent-right
+mkpattern('0xbb', 0x00d8000),   # Partial-left (1M-160K)
+mkpattern('0xcc', 0x2028000),   # Partial-right (32M+160K)
+mkpattern('0xdd', 0x3fc)]), # New; leaving a gap to the right
+]
+
+class Drive:
+"""Represents, vaguely, a drive attached to a VM.
+Includes format, graph, and device information."""
+
+def __init__(self, path, vm=None):
+self.path = path
+self.vm = vm
+self.fmt = None
+self.size = None
+self.node = None
+self.device = None
+
+@property
+def name(self):
+return self.node or self.device
+
+def img_create(self, fmt, size):
+self.fmt = fmt
+self.size = size
+iotests.qemu_img_create('-f', self.fmt, self.path, str(self.size))
+
+def create_target(self, name, fmt, size):
+basename = os.path.basename(self.path)
+file_node_name = "file_{}".format(basename)
+vm = self.vm
+
+log(vm.command('blockdev-create', job_id='bdc-file-job',
+   options={
+   'driver': 'file',
+   'filename': self.path,
+   'size': 0,
+   }))
+vm.run_job('bdc-file-job')
+log(vm.command('blockdev-add', driver='file',
+   node_name=file_node_name, filename=self.path))
+
+log(vm.command('blockdev-create', job_id='bdc-fmt-job',
+   options={
+   
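
Review bot: in PatternGroup.bits(), `math.floor(pattern.offset / granularity)` and the matching `upper` computation go through float division under Python 3. Integer floor division, `pattern.offset // granularity` and `(pattern.offset + pattern.size - 1) // granularity`, gives the same result without the float round trip and may let the `import math` go. The commit message is also empty apart from the Signed-off-by; a line on what the test covers would help.
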

[Qemu-devel] [PULL 07/12] target/i386: fix feature check in hyperv-stub.c

2019-07-05 Thread Paolo Bonzini
From: Alex Bennée 

Commit 2d384d7c8 broke the build when built with:

  configure --without-default-devices --disable-user

The reason was the conversion of cpu->hyperv_synic to
cpu->hyperv_synic_kvm_only although the rest of the patch introduces a
feature checking mechanism. So I've fixed the KVM_EXIT_HYPERV_SYNIC in
hyperv-stub to do the same feature check as in the real hyperv.c

Signed-off-by: Alex Bennée 
Cc: Vitaly Kuznetsov 
Cc: Paolo Bonzini 
Cc: Roman Kagan 
Message-Id: <20190624123835.28869-1-alex.ben...@linaro.org>
Reviewed-by: Vitaly Kuznetsov 
Signed-off-by: Paolo Bonzini 
---
 target/i386/hyperv-stub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/hyperv-stub.c b/target/i386/hyperv-stub.c
index fe548cb..0028527 100644
--- a/target/i386/hyperv-stub.c
+++ b/target/i386/hyperv-stub.c
@@ -15,7 +15,7 @@ int kvm_hv_handle_exit(X86CPU *cpu, struct kvm_hyperv_exit 
*exit)
 {
 switch (exit->type) {
 case KVM_EXIT_HYPERV_SYNIC:
-if (!cpu->hyperv_synic) {
+if (!hyperv_feat_enabled(cpu, HYPERV_FEAT_SYNIC)) {
 return -1;
 }
 
-- 
1.8.3.1





[Qemu-devel] [PULL 09/12] target/i386: kvm: Fix when nested state is needed for migration

2019-07-05 Thread Paolo Bonzini
From: Liran Alon 

When vCPU is in VMX operation and enters SMM mode,
it temporarily exits VMX operation but KVM maintained nested-state
still stores the VMXON region physical address, i.e. even when the
vCPU is in SMM mode then (nested_state->hdr.vmx.vmxon_pa != -1ull).

Therefore, there is no need to explicitly check for
KVM_STATE_NESTED_SMM_VMXON to determine if it is necessary
to save nested-state as part of migration stream.

Reviewed-by: Karl Heubaum 
Signed-off-by: Liran Alon 
Message-Id: <20190624230514.53326-1-liran.a...@oracle.com>
Signed-off-by: Paolo Bonzini 
---
 target/i386/machine.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/i386/machine.c b/target/i386/machine.c
index 851b249..704ba6d 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -997,9 +997,8 @@ static bool vmx_nested_state_needed(void *opaque)
 {
 struct kvm_nested_state *nested_state = opaque;
 
-return ((nested_state->format == KVM_STATE_NESTED_FORMAT_VMX) &&
-((nested_state->hdr.vmx.vmxon_pa != -1ull) ||
- (nested_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_VMXON)));
+return (nested_state->format == KVM_STATE_NESTED_FORMAT_VMX &&
+nested_state->hdr.vmx.vmxon_pa != -1ull);
 }
 
 static const VMStateDescription vmstate_vmx_nested_state = {
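
Review bot: vmx_nested_state_needed() no longer looks at `hdr.vmx.smm.flags`, and the reason (KVM keeps vmxon_pa valid while the vCPU is in SMM) is recorded only in the commit message. A one-line comment above the return stating that invariant would stop a later reader from re-adding the KVM_STATE_NESTED_SMM_VMXON test.
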
-- 
1.8.3.1





[Qemu-devel] [PATCH v3 16/18] iotests: Add virtio-scsi device helper

2019-07-05 Thread John Snow
Seems that it comes up enough.

Reviewed-by: Max Reitz 
Signed-off-by: John Snow 
---
 tests/qemu-iotests/040| 6 +-
 tests/qemu-iotests/093| 6 ++
 tests/qemu-iotests/139| 7 ++-
 tests/qemu-iotests/238| 5 +
 tests/qemu-iotests/iotests.py | 4 
 5 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/tests/qemu-iotests/040 b/tests/qemu-iotests/040
index b81133a474..657b37103c 100755
--- a/tests/qemu-iotests/040
+++ b/tests/qemu-iotests/040
@@ -85,11 +85,7 @@ class TestSingleDrive(ImageCommitTestCase):
 qemu_io('-f', 'raw', '-c', 'write -P 0xab 0 524288', backing_img)
 qemu_io('-f', iotests.imgfmt, '-c', 'write -P 0xef 524288 524288', 
mid_img)
 self.vm = iotests.VM().add_drive(test_img, 
"node-name=top,backing.node-name=mid,backing.backing.node-name=base", 
interface="none")
-if iotests.qemu_default_machine == 's390-ccw-virtio':
-self.vm.add_device("virtio-scsi-ccw")
-else:
-self.vm.add_device("virtio-scsi-pci")
-
+self.vm.add_device(iotests.get_virtio_scsi_device())
 self.vm.add_device("scsi-hd,id=scsi0,drive=drive0")
 self.vm.launch()
 
diff --git a/tests/qemu-iotests/093 b/tests/qemu-iotests/093
index d88fbc182e..46153220f8 100755
--- a/tests/qemu-iotests/093
+++ b/tests/qemu-iotests/093
@@ -366,10 +366,8 @@ class ThrottleTestGroupNames(iotests.QMPTestCase):
 class ThrottleTestRemovableMedia(iotests.QMPTestCase):
 def setUp(self):
 self.vm = iotests.VM()
-if iotests.qemu_default_machine == 's390-ccw-virtio':
-self.vm.add_device("virtio-scsi-ccw,id=virtio-scsi")
-else:
-self.vm.add_device("virtio-scsi-pci,id=virtio-scsi")
+self.vm.add_device("{},id=virtio-scsi".format(
+iotests.get_virtio_scsi_device()))
 self.vm.launch()
 
 def tearDown(self):
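Review bot: the `"{},id=virtio-scsi".format(iotests.get_virtio_scsi_device())` expression in setUp() is repeated unchanged in the 139 hunk, so the patch still leaves two copies of the same string construction. If the point of the helper is to remove duplication, consider building the device string in one place, or at least keep the two call sites formatted identically so they are easy to find together.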
diff --git a/tests/qemu-iotests/139 b/tests/qemu-iotests/139
index 933b45121a..2176ea51ba 100755
--- a/tests/qemu-iotests/139
+++ b/tests/qemu-iotests/139
@@ -35,11 +35,8 @@ class TestBlockdevDel(iotests.QMPTestCase):
 def setUp(self):
 iotests.qemu_img('create', '-f', iotests.imgfmt, base_img, '1M')
 self.vm = iotests.VM()
-if iotests.qemu_default_machine == 's390-ccw-virtio':
-self.vm.add_device("virtio-scsi-ccw,id=virtio-scsi")
-else:
-self.vm.add_device("virtio-scsi-pci,id=virtio-scsi")
-
+self.vm.add_device("{},id=virtio-scsi".format(
+iotests.get_virtio_scsi_device()))
 self.vm.launch()
 
 def tearDown(self):
diff --git a/tests/qemu-iotests/238 b/tests/qemu-iotests/238
index 1c0a46fa90..387a77b2cd 100755
--- a/tests/qemu-iotests/238
+++ b/tests/qemu-iotests/238
@@ -23,10 +23,7 @@ import os
 import iotests
 from iotests import log
 
-if iotests.qemu_default_machine == 's390-ccw-virtio':
-virtio_scsi_device = 'virtio-scsi-ccw'
-else:
-virtio_scsi_device = 'virtio-scsi-pci'
+virtio_scsi_device = iotests.get_virtio_scsi_device()
 
 vm = iotests.VM()
 vm.launch()
diff --git a/tests/qemu-iotests/iotests.py b/tests/qemu-iotests/iotests.py
index 6135c9663d..8ae7bc353e 100644
--- a/tests/qemu-iotests/iotests.py
+++ b/tests/qemu-iotests/iotests.py
@@ -164,6 +164,10 @@ def qemu_io_silent(*args):
  (-exitcode, ' '.join(args)))
 return exitcode
 
+def get_virtio_scsi_device():
+if qemu_default_machine == 's390-ccw-virtio':
+return 'virtio-scsi-ccw'
+return 'virtio-scsi-pci'
 
 class QemuIoInteractive:
 def __init__(self, *args):
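Review bot: get_virtio_scsi_device() is added with a single blank line above it and a single blank line before `class QemuIoInteractive`, where PEP 8 expects two blank lines around top-level definitions. A one-line docstring stating that it returns 'virtio-scsi-ccw' when qemu_default_machine is 's390-ccw-virtio' and 'virtio-scsi-pci' for every other machine would also make the fallback explicit to callers.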
-- 
2.21.0




[Qemu-devel] [PULL 01/12] pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size()

2019-07-05 Thread Paolo Bonzini
From: Igor Mammedov 

QEMU will crash when device-memory-region-size property is read if
ms->device_memory wasn't initialized yet.

Crash can be reproduced with:
 $QEMU -preconfig -qmp unix:qmp_socket,server,nowait &
 ./scripts/qmp/qom-get -s qmp_socket /machine.device-memory-region-size

Instead of crashing return 0 if ms->device_memory hasn't been initialized.

Signed-off-by: Igor Mammedov 
Message-Id: <1560174635-22602-1-git-send-email-imamm...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 hw/i386/pc.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index e96360b..552f340 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -2458,7 +2458,11 @@ pc_machine_get_device_memory_region_size(Object *obj, 
Visitor *v,
  Error **errp)
 {
 MachineState *ms = MACHINE(obj);
-int64_t value = memory_region_size(>device_memory->mr);
+int64_t value = 0;
+
+if (ms->device_memory) {
+value = memory_region_size(>device_memory->mr);
+}
 
 visit_type_int(v, name, , errp);
 }
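Review bot: with the `if (ms->device_memory)` guard the getter reports 0 both when the region is not yet set up and when it is empty, and nothing in the code says which case the guard is for. A one-line comment above the check noting that device_memory is still NULL before machine initialization (the -preconfig case from the commit message) would document why the default of 0 is returned instead of an error.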
-- 
1.8.3.1




