[PATCH] riscv: Set 5.4 as minimum kernel version for riscv32

2021-12-15 Thread Khem Raj
5.4 is the first kernel with a stable API as far as rv32 is concerned; see [1]

[1] 
https://sourceware.org/git/?p=glibc.git;a=commit;h=7a55dd3fb6d2c307a002a16776be84310b9c8989

Signed-off-by: Khem Raj 
Cc: Palmer Dabbelt 
Cc: Alistair Francis 
Cc: Bin Meng 
---
 linux-user/riscv/target_syscall.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux-user/riscv/target_syscall.h 
b/linux-user/riscv/target_syscall.h
index dc597c8972..9b13161324 100644
--- a/linux-user/riscv/target_syscall.h
+++ b/linux-user/riscv/target_syscall.h
@@ -45,10 +45,11 @@ struct target_pt_regs {
 
 #ifdef TARGET_RISCV32
 #define UNAME_MACHINE "riscv32"
+#define UNAME_MINIMUM_RELEASE "5.4.0"
 #else
 #define UNAME_MACHINE "riscv64"
-#endif
 #define UNAME_MINIMUM_RELEASE "4.15.0"
+#endif
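Review bot: The reason riscv32 now needs a higher floor than riscv64 lives only in the commit message, so a reader of target_syscall.h has nothing stopping them from "harmonising" the two values later. A one-line comment above the new define would anchor it, e.g. `/* rv32 glibc requires a 5.4+ kernel ABI; see glibc commit 7a55dd3fb6d2 */`. Note also that UNAME_MINIMUM_RELEASE presumably only changes the release string reported to the guest, so on an older host a 32-bit guest libc will still be told 5.4.0 — if that is intended, a sentence in the message saying so would help.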
 
 #define TARGET_MINSIGSTKSZ 2048
 #define TARGET_MCL_CURRENT 1
-- 
2.34.1




Re: [PATCH v2 1/2] target/arm: Implement Cortex-A5

2021-12-15 Thread Byron Lathi
..and I've just realized that I left the processor id as C0F instead of C05
again.
I also removed the generic timer as I don't think the A5 has one.

On Thu, Dec 16, 2021 at 12:48 AM Byron Lathi  wrote:

> Add support for the Cortex-A5. These changes are based off of the A7 and
> A9 Init functions, using the appropriate values from the technical
> reference manual for the A5.
>
> Signed-off-by: Byron Lathi 
> ---
>  target/arm/cpu_tcg.c | 36 
>  1 file changed, 36 insertions(+)
>
> diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
> index 13d0e9b195..2b54fb618b 100644
> --- a/target/arm/cpu_tcg.c
> +++ b/target/arm/cpu_tcg.c
> @@ -304,6 +304,41 @@ static void cortex_a8_initfn(Object *obj)
>  define_arm_cp_regs(cpu, cortexa8_cp_reginfo);
>  }
>
> +static void cortex_a5_initfn(Object *obj)
> +{
> +ARMCPU *cpu = ARM_CPU(obj);
> +
> +cpu->dtb_compatible = "arm,cortex-a5";
> +set_feature(&cpu->env, ARM_FEATURE_V7);
> +set_feature(&cpu->env, ARM_FEATURE_NEON);
> +set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
> +set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
> +set_feature(&cpu->env, ARM_FEATURE_PMU);
> +cpu->midr = 0x410fc0f1;
> +cpu->reset_fpsid = 0x41023051;
> +cpu->isar.mvfr0 = 0x10110221;
> +cpu->isar.mvfr1 = 0x1111;
> +cpu->ctr = 0x83338003;
> +cpu->reset_sctlr = 0x00c50078;
> +cpu->isar.id_pfr0 = 0x1231;
> +cpu->isar.id_pfr1 = 0x0011;
> +cpu->isar.id_dfr0 = 0x02010444;
> +cpu->id_afr0 = 0x;
> +cpu->isar.id_mmfr0 = 0x00100103;
> +cpu->isar.id_mmfr1 = 0x4000;
> +cpu->isar.id_mmfr2 = 0x0123;
> +cpu->isar.id_mmfr3 = 0x00102211;
> +cpu->isar.id_isar0 = 0x0010;
> +cpu->isar.id_isar1 = 0x13112111;
> +cpu->isar.id_isar2 = 0x21232041;
> +cpu->isar.id_isar3 = 0x2131;
> +cpu->isar.id_isar4 = 0x00011142;
> +cpu->isar.dbgdidr = 0x1203f001;
> +cpu->clidr = 0x0923;
> +cpu->ccsidr[0] = 0x701fe00a;
> +cpu->ccsidr[1] = 0x203fe00a;
> +}
> +
>  static const ARMCPRegInfo cortexa9_cp_reginfo[] = {
>  /*
>   * power_control should be set to maximum latency. Again,
> @@ -1019,6 +1054,7 @@ static const ARMCPUInfo arm_tcg_cpus[] = {
>  { .name = "arm1136", .initfn = arm1136_initfn },
>  { .name = "arm1176", .initfn = arm1176_initfn },
>  { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
> +{ .name = "cortex-a5",  .initfn = cortex_a5_initfn },
>  { .name = "cortex-a7",   .initfn = cortex_a7_initfn },
>  { .name = "cortex-a8",   .initfn = cortex_a8_initfn },
>  { .name = "cortex-a9",   .initfn = cortex_a9_initfn },
> --
> 2.30.2
>
>


Re: [PULL 000/102] ppc queue

2021-12-15 Thread Cédric Le Goater

Fails testing:

/home/gitlab-runner/builds/yKcZqVC9/0/qemu-project/qemu/docs/specs/ppc-spapr-hcalls.rst:101:Block
 quote ends without a blank line; unexpected unindent.


I didn't see it under  :

  https://gitlab.com/legoater/qemu/-/pipelines/429852244

Is the job being run by default ?


It's certainly due to

  [PULL 017/102] docs: rSTify ppc-spapr-hcalls.txt

However, it does not reproduce on f34 and 21.10 systems using python-sphinx
3.4.3-2 and 3.5.4-2

Thanks,

C.



[PATCH v2 1/2] target/arm: Implement Cortex-A5

2021-12-15 Thread Byron Lathi
Add support for the Cortex-A5. These changes are based off of the A7 and
A9 Init functions, using the appropriate values from the technical
reference manual for the A5.

Signed-off-by: Byron Lathi 
---
 target/arm/cpu_tcg.c | 36 
 1 file changed, 36 insertions(+)

diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index 13d0e9b195..2b54fb618b 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -304,6 +304,41 @@ static void cortex_a8_initfn(Object *obj)
 define_arm_cp_regs(cpu, cortexa8_cp_reginfo);
 }
 
+static void cortex_a5_initfn(Object *obj)
+{
+ARMCPU *cpu = ARM_CPU(obj);
+
+cpu->dtb_compatible = "arm,cortex-a5";
+set_feature(&cpu->env, ARM_FEATURE_V7);
+set_feature(&cpu->env, ARM_FEATURE_NEON);
+set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
+set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+set_feature(&cpu->env, ARM_FEATURE_PMU);
+cpu->midr = 0x410fc0f1;
+cpu->reset_fpsid = 0x41023051;
+cpu->isar.mvfr0 = 0x10110221;
+cpu->isar.mvfr1 = 0x1111;
+cpu->ctr = 0x83338003;
+cpu->reset_sctlr = 0x00c50078;
+cpu->isar.id_pfr0 = 0x1231;
+cpu->isar.id_pfr1 = 0x0011;
+cpu->isar.id_dfr0 = 0x02010444;
+cpu->id_afr0 = 0x;
+cpu->isar.id_mmfr0 = 0x00100103;
+cpu->isar.id_mmfr1 = 0x4000;
+cpu->isar.id_mmfr2 = 0x0123;
+cpu->isar.id_mmfr3 = 0x00102211;
+cpu->isar.id_isar0 = 0x0010;
+cpu->isar.id_isar1 = 0x13112111;
+cpu->isar.id_isar2 = 0x21232041;
+cpu->isar.id_isar3 = 0x2131;
+cpu->isar.id_isar4 = 0x00011142;
+cpu->isar.dbgdidr = 0x1203f001;
+cpu->clidr = 0x0923;
+cpu->ccsidr[0] = 0x701fe00a;
+cpu->ccsidr[1] = 0x203fe00a;
+}
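Review bot: The block of ID register constants has no provenance comment, so nobody reviewing or later fixing a value can tell which document and revision they were read from; a header above the first `cpu->midr` assignment, e.g. `/* ID register values taken from the Cortex-A5 TRM (state the revision) */`, would fix that. Several literals as rendered here look truncated (`0x;` for id_afr0, `0x1111` for mvfr1), presumably an archive artifact rather than what was sent, but the widths are worth double-checking against the TRM before this is applied. Unlike the A7 init function this one sets no generic-timer or LPAE feature, which is consistent with the A5 but has consequences for the virt board in patch 2/2.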
+
 static const ARMCPRegInfo cortexa9_cp_reginfo[] = {
 /*
  * power_control should be set to maximum latency. Again,
@@ -1019,6 +1054,7 @@ static const ARMCPUInfo arm_tcg_cpus[] = {
 { .name = "arm1136", .initfn = arm1136_initfn },
 { .name = "arm1176", .initfn = arm1176_initfn },
 { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
+{ .name = "cortex-a5",  .initfn = cortex_a5_initfn },
 { .name = "cortex-a7",   .initfn = cortex_a7_initfn },
 { .name = "cortex-a8",   .initfn = cortex_a8_initfn },
 { .name = "cortex-a9",   .initfn = cortex_a9_initfn },
-- 
2.30.2




[PATCH v2 2/2] hw/arm: Add Cortex-A5 to virt device

2021-12-15 Thread Byron Lathi
Add the Cortex-A5 to the list of supported CPUs by the virt platform.

Signed-off-by: Byron Lathi 
---
 docs/system/arm/virt.rst | 1 +
 hw/arm/virt.c| 1 +
 2 files changed, 2 insertions(+)

diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
index 850787495b..2384606ae7 100644
--- a/docs/system/arm/virt.rst
+++ b/docs/system/arm/virt.rst
@@ -50,6 +50,7 @@ The virt board supports:
 
 Supported guest CPU types:
 
+- ``cortex-a5`` (32-bit)
 - ``cortex-a7`` (32-bit)
 - ``cortex-a15`` (32-bit; the default)
 - ``cortex-a53`` (64-bit)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 6bce595aba..545bd2f958 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -195,6 +195,7 @@ static const int a15irqmap[] = {
 };
 
 static const char *valid_cpus[] = {
+ARM_CPU_TYPE_NAME("cortex-a5"),
 ARM_CPU_TYPE_NAME("cortex-a7"),
 ARM_CPU_TYPE_NAME("cortex-a15"),
 ARM_CPU_TYPE_NAME("cortex-a53"),
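Review bot: The virt board, as far as I recall, unconditionally describes an architected timer in its device tree (outside this hunk), while the cortex-a5 model in patch 1/2 is, per the author's follow-up, deliberately built without a generic timer; a Linux guest choosing this CPU would then have no clocksource or clockevent and is likely to hang at boot. Before advertising cortex-a5 as a supported virt CPU, either confirm that a guest actually boots with `-cpu cortex-a5`, or document the limitation next to the new virt.rst line, e.g. `- ``cortex-a5`` (32-bit; no architected timer)`. If virt still places any regions above 4 GiB for 32-bit guests, the lack of LPAE on the A5 should be checked for the same reason.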
-- 
2.30.2




[PATCH v2 0/2] Implement Cortex-A5 and add to virt device

2021-12-15 Thread Byron Lathi
Patch 1 adds a Cortex-A5 CPU model to the TCG CPU list.
Patch 2 adds the Cortex-A5 as a supported CPU for the virt machine, and updates
the documentation accordingly.

Byron Lathi (2):
  target/arm: Implement Cortex-A5
  hw/arm: Add Cortex-A5 to virt device

 docs/system/arm/virt.rst |  1 +
 hw/arm/virt.c|  1 +
 target/arm/cpu_tcg.c | 36 
 3 files changed, 38 insertions(+)

-- 
2.30.2




Re: [PATCH v11 00/77] support vector extension v1.0

2021-12-15 Thread Alistair Francis
On Fri, Dec 10, 2021 at 6:00 PM  wrote:
>
> From: Frank Chang 
>
> This patchset implements the vector extension v1.0 for RISC-V on QEMU.
>
> RVV v1.0 spec is now frozen for public review:
> https://github.com/riscv/riscv-v-spec/releases/tag/v1.0
>
> The port is available here:
> https://github.com/sifive/qemu/tree/rvv-1.0-upstream-v11
>
> RVV v1.0 can be enabled with -cpu option: v=true and specify vext_spec
> option to v1.0 (i.e. vext_spec=v1.0)
>
> Note: This patchset depends on other patchsets listed in Based-on
>   section below so it is not able to be built unless those patchsets
>   are applied.
>
> Changelog:
>
> v11
>   * Rebase on riscv-to-apply.next.
>
> v10
>   * Add ELEN checks for widening and narrowing instructions.
>
> v9
>   * Remove explicitly set mstatus.SD patches as mstatus.SD is now
> set in add_status_sd().
>   * Rebase on riscv-to-apply.next branch.
>
> v8
>   * Use {get,dest}_gpr APIs.
>   * remove vector AMO instructions.
>   * rename vpopc.m to vcpop.m.
>   * rename vle1.v and vse1.v to vlm.v and vsm.v.
>   * rename vmandnot.mm and vmornot.mm to vmandn.mm and vmorn.mm.
>
> v7
>   * remove hardcoded GDB vector registers list.
>   * add vsetivli instruction.
>   * add vle1.v and vse1.v instructions.
>
> v6
>   * add vector floating-point reciprocal estimate instruction.
>   * add vector floating-point reciprocal square-root estimate instruction.
>   * update check rules for segment register groups, each segment register
> group has to follow overlap rules.
>   * update viota.m instruction check rules.
>
> v5
>   * refactor RVV v1.0 check functions.
> (Thanks to Richard Henderson's bitwise tricks.)
>   * relax RV_VLEN_MAX to 1024-bits.
>   * implement vstart CSR's behaviors.
>   * trigger illegal instruction exception if frm is not valid for
> vector floating-point instructions.
>   * rebase on riscv-to-apply.next.
>
> v4
>   * remove explicit float flmul variable in DisasContext.
>   * replace floating-point calculations with shift operations to
> improve performance.
>   * relax RV_VLEN_MAX to 512-bits.
>
> v3
>   * apply nan-box helpers from Richard Henderson.
>   * remove fp16 api changes as they are sent independently in another
> pathcset by Chih-Min Chao.
>   * remove all tail elements clear functions as tail elements can
> retain unchanged for either VTA set to undisturbed or agnostic.
>   * add fp16 nan-box check generator function.
>   * add floating-point rounding mode enum.
>   * replace flmul arithmetic with shifts to avoid floating-point
> conversions.
>   * add Zvqmac extension.
>   * replace gdbstub vector register xml files with dynamic generator.
>   * bumped to RVV v1.0.
>   * RVV v1.0 related changes:
> * add vlre.v and vsr.v vector whole register
>   load/store instructions
> * add vrgatherei16 instruction.
> * rearranged bits in vtype to make vlmul bits into a contiguous
>   field.
>
> v2
>   * drop v0.7.1 support.
>   * replace invisible return check macros with functions.
>   * move mark_vs_dirty() to translators.
>   * add SSTATUS_VS flag for s-mode.
>   * nan-box scalar fp register for floating-point operations.
>   * add gdbstub files for vector registers to allow system-mode
> debugging with GDB.
>
> Based-on: <20211021160847.2748577-1-frank.ch...@sifive.com>
> Based-on: <20211210074329.5775-1-frank.ch...@sifive.com>
>
> Frank Chang (72):
>   target/riscv: drop vector 0.7.1 and add 1.0 support
>   target/riscv: Use FIELD_EX32() to extract wd field
>   target/riscv: rvv-1.0: set mstatus.SD bit if mstatus.VS is dirty
>   target/riscv: rvv-1.0: introduce writable misa.v field
>   target/riscv: rvv-1.0: add translation-time vector context status
>   target/riscv: rvv-1.0: remove rvv related codes from fcsr registers
>   target/riscv: rvv-1.0: check MSTATUS_VS when accessing vector csr
> registers
>   target/riscv: rvv-1.0: remove MLEN calculations
>   target/riscv: rvv-1.0: add fractional LMUL
>   target/riscv: rvv-1.0: add VMA and VTA
>   target/riscv: rvv-1.0: update check functions
>   target/riscv: introduce more imm value modes in translator functions
>   target/riscv: rvv:1.0: add translation-time nan-box helper function
>   target/riscv: rvv-1.0: remove amo operations instructions
>   target/riscv: rvv-1.0: configure instructions
>   target/riscv: rvv-1.0: stride load and store instructions
>   target/riscv: rvv-1.0: index load and store instructions
>   target/riscv: rvv-1.0: fix address index overflow bug of indexed
> load/store insns
>   target/riscv: rvv-1.0: fault-only-first unit stride load
>   target/riscv: rvv-1.0: load/store whole register instructions
>   target/riscv: rvv-1.0: update vext_max_elems() for load/store insns
>   target/riscv: rvv-1.0: take fractional LMUL into vector max elements
> calculation
>   target/riscv: rvv-1.0: floating-point square-root instruction
>   target/riscv: rvv-1.0: floating-point classify instructions
>   target/riscv: rvv-1.0: count

Re: [PATCH v2 1/4] target/i386: Fix sanity check on max APIC ID / X2APIC enablement

2021-12-15 Thread Peter Xu
On Thu, Dec 09, 2021 at 10:08:37PM +, David Woodhouse wrote:
> The check on x86ms->apic_id_limit in pc_machine_done() had two problems.
> 
> Firstly, we need KVM to support the X2APIC API in order to allow IRQ
> delivery to APICs >= 255. So we need to call/check kvm_enable_x2apic(),
> which was done elsewhere in *some* cases but not all.
> 
> Secondly, microvm needs the same check. So move it from pc_machine_done()
> to x86_cpus_init() where it will work for both.
> 
> The check in kvm_cpu_instance_init() is now redundant and can be dropped.
> 
> Signed-off-by: David Woodhouse 
> Acked-by: Claudio Fontana 
> ---
>  hw/i386/pc.c  |  8 
>  hw/i386/x86.c | 16 
>  target/i386/kvm/kvm-cpu.c |  2 +-
>  3 files changed, 17 insertions(+), 9 deletions(-)
> 
> diff --git a/hw/i386/pc.c b/hw/i386/pc.c
> index a2ef40ecbc..9959f93216 100644
> --- a/hw/i386/pc.c
> +++ b/hw/i386/pc.c
> @@ -736,14 +736,6 @@ void pc_machine_done(Notifier *notifier, void *data)
>  /* update FW_CFG_NB_CPUS to account for -device added CPUs */
>  fw_cfg_modify_i16(x86ms->fw_cfg, FW_CFG_NB_CPUS, x86ms->boot_cpus);
>  }
> -
> -
> -if (x86ms->apic_id_limit > 255 && !xen_enabled() &&
> -!kvm_irqchip_in_kernel()) {
> -error_report("current -smp configuration requires kernel "
> - "irqchip support.");
> -exit(EXIT_FAILURE);
> -}
>  }
>  
>  void pc_guest_info_init(PCMachineState *pcms)
> diff --git a/hw/i386/x86.c b/hw/i386/x86.c
> index b84840a1bb..f64639b873 100644
> --- a/hw/i386/x86.c
> +++ b/hw/i386/x86.c
> @@ -39,6 +39,7 @@
>  #include "sysemu/replay.h"
>  #include "sysemu/sysemu.h"
>  #include "sysemu/cpu-timers.h"
> +#include "sysemu/xen.h"
>  #include "trace.h"
>  
>  #include "hw/i386/x86.h"
> @@ -136,6 +137,21 @@ void x86_cpus_init(X86MachineState *x86ms, int 
> default_cpu_version)
>   */
>  x86ms->apic_id_limit = x86_cpu_apic_id_from_index(x86ms,
>ms->smp.max_cpus - 1) 
> + 1;
> +
> +/*
> + * Can we support APIC ID 255 or higher?
> + *
> + * Under Xen: yes.
> + * With userspace emulated lapic: no
> + * With KVM's in-kernel lapic: only if X2APIC API is enabled.
> + */
> +if (x86ms->apic_id_limit > 255 && !xen_enabled() &&
> +(!kvm_irqchip_in_kernel() || !kvm_enable_x2apic())) {

I'm wondering whether we should still leave it in the accel code, or is
there something that guarantees the KVM accelerator is already initialized when we reach here?

> +error_report("current -smp configuration requires kernel "
> + "irqchip and X2APIC API support.");
> +exit(EXIT_FAILURE);
> +}
> +
>  possible_cpus = mc->possible_cpu_arch_ids(ms);
>  for (i = 0; i < ms->smp.cpus; i++) {
>  x86_cpu_new(x86ms, possible_cpus->cpus[i].arch_id, &error_fatal);
> diff --git a/target/i386/kvm/kvm-cpu.c b/target/i386/kvm/kvm-cpu.c
> index d95028018e..c60cb2dafb 100644
> --- a/target/i386/kvm/kvm-cpu.c
> +++ b/target/i386/kvm/kvm-cpu.c
> @@ -165,7 +165,7 @@ static void kvm_cpu_instance_init(CPUState *cs)
>  /* only applies to builtin_x86_defs cpus */
>  if (!kvm_irqchip_in_kernel()) {
>  x86_cpu_change_kvm_default("x2apic", "off");
> -} else if (kvm_irqchip_is_split() && kvm_enable_x2apic()) {
> +} else if (kvm_irqchip_is_split()) {
>  x86_cpu_change_kvm_default("kvm-msi-ext-dest-id", "on");
>  }
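Review bot: Dropping `kvm_enable_x2apic()` from the split-irqchip condition means `kvm-msi-ext-dest-id` now defaults to on whenever the irqchip is split, regardless of whether KVM_CAP_X2APIC_API could actually be enabled; the only remaining caller in this diff is the x86.c check above, which runs only when apic_id_limit > 255. Unless the capability is now enabled unconditionally somewhere outside the diff (kvm_arch_init, say), a host without the X2APIC API would advertise extended destination IDs that its in-kernel irqchip cannot honour, which the message's "now redundant" does not explain. Either keep the original `kvm_irqchip_is_split() && kvm_enable_x2apic()` condition, or state in the message where the capability is enabled for the <= 255 case. kvm_cpu_instance_init continues outside the hunk.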
>  
> -- 
> 2.31.1
> 

-- 
Peter Xu




Re: [PATCH v10 3/3] cpus-common: implement dirty page limit on virtual CPU

2021-12-15 Thread Peter Xu
On Wed, Dec 15, 2021 at 02:41:32PM +0100, Markus Armbruster wrote:
> Peter Xu  writes:
> 
> > On Wed, Dec 15, 2021 at 03:56:55PM +0800, Hyman Huang wrote:
> >> > > +{ 'command': 'vcpu-dirty-limit',
> >> > > +  'data': { 'enable': 'bool',
> >> > > +'*cpu-index': 'uint64',
> >> > > +'*dirty-rate': 'uint64'} }
> >> > 
> >> > Drop @enable, please.
> >> > 
> >> > If @dirty-rate is present, set the limit to its value.
> >> > 
> >> > If it's absent, cancel the limit.
> >> > 
> >> Ok. Indeed, this is the simplest style. :)
> >> 
> >> So the final qmp format should be like:
> >> 
> >> case 1: setup vcpu 0 dirty page limit 100MB/s
> >> vcpu-dirty-limit  cpu-index=0   dirty-rate=100MB/s
> >> 
> >> case 2: cancel vcpu 0 dirty page limit
> >> vcpu-dirty-limit  cpu-index=0
> >
> > I actually agree with what you said... for human beings no one will read it 
> > as
> > "disable vcpu throttling", instead people could consider it enables vcpu
> > throttle with a default dirty rate from a gut feeling.
> >
> > I think what Markus suggested is the simplest solution for computers, but it
> > can confuse human beings.  So it turns out to be a general question to QMP
> > scheme design: should we always assume QMP client to be a piece of 
> > software, or
> > should we still consider the feeling of human beings operating on QMP
> > interfaces using qmp-shell.
> >
> > IMHO we should still consider the latter, if we don't lose much, anyway.  
> > But I
> > don't have a strong opinion.
> 
> If you want a more explicit interface, then I'd recommend to go right
> back to v7:
> 
> {"execute": "set-vcpu-dirty-limit",
>  "arguments": {"cpu-index": 0, "dirtyrate": 200}}
> 
> {"execute": "cancel-vcpu-dirty-limit",
>  "arguments": {"cpu-index": 0}}
> 
> Bonus: it already has my Acked-by.

Fair enough. :)  That looks good to me too.

Yong, please hold-off a bit on reposting (if there's a plan) - I'll read the
other parts soon..

Thanks,

-- 
Peter Xu




Re: [PULL 000/102] ppc queue

2021-12-15 Thread Cédric Le Goater

On 12/16/21 04:53, Richard Henderson wrote:

On 12/15/21 8:57 AM, Cédric Le Goater wrote:

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into 
staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

   https://github.com/legoater/qemu/ tags/pull-ppc-20211215

for you to fetch changes up to cdf906d7ea79afb3283b57e3cf1b89f1334f7f2b:

   ppc/pnv: Use QOM hierarchy to scan PEC PHB4 devices (2021-12-15 08:20:37 
+0100)


ppc 7.0 queue:

* General cleanup for Mac machines (Peter)
* Fixes for FPU exceptions (Lucas)
* Support for new ISA31 instructions (Matheus)
* Fixes for ivshmem (Daniel)
* Cleanups for PowerNV PHB (Christophe and Cedric)
* Updates of PowerNV and pSeries documentation (Leonardo and Daniel)
* Fixes for PowerNV (Daniel)
* Large cleanup of FPU implementation (Richard)
* Removal of SoftTLBs support for PPC74x CPUs (Fabiano)
* Fixes for exception models in MPCx and 60x CPUs (Fabiano)
* Removal of 401/403 CPUs (Cedric)
* Deprecation of taihu machine (Thomas)
* Large rework of PPC405 machine (Cedric)
* Fixes for VSX instructions (Victor and Matheus)
* Fix for e6500 CPU (Fabiano)
* Initial support for PMU (Daniel)


Alexey Kardashevskiy (1):
   pseries: Update SLOF firmware image

Christophe Lombard (1):
   pci-host: Allow extended config space access for PowerNV PHB4 model

Cédric Le Goater (28):
   Merge tag 'qemu-slof-2022' of github.com:aik/qemu into ppc-next
   target/ppc: remove 401/403 CPUs
   ppc/ppc405: Change kernel load address
   ppc: Add trace-events for DCR accesses
   ppc/ppc405: Convert printfs to trace-events
   ppc/ppc405: Drop flag parameter in ppc405_set_bootinfo()
   ppc/ppc405: Change ppc405ep_init() return value
   ppc/ppc405: Add some address space definitions
   ppc/ppc405: Remove flash support
   ppc/ppc405: Rework FW load
   ppc/ppc405: Introduce ppc405_set_default_bootinfo()
   ppc/ppc405: Fix boot from kernel
   ppc/ppc405: Change default PLL values at reset
   ppc/ppc405: Fix bi_pci_enetaddr2 field in U-Boot board information
   ppc/ppc405: Add update of bi_procfreq field
   ppc/pnv: Introduce a "chip" property under PHB3
   ppc/pnv: Use the chip class to check the index of PHB3 devices
   ppc/pnv: Drop the "num-phbs" property
   ppc/pnv: Move mapping of the PHB3 CQ regions under pnv_pbcq_realize()
   ppc/pnv: Use QOM hierarchy to scan PHB3 devices
   ppc/pnv: Introduce a num_pecs class attribute for PHB4 PEC devices
   ppc/pnv: Introduce version and device_id class atributes for PHB4 devices
   ppc/pnv: Introduce a "chip" property under the PHB4 model
   ppc/pnv: Introduce a num_stack class attribute
   ppc/pnv: Compute the PHB index from the PHB4 PEC model
   ppc/pnv: Remove "system-memory" property from PHB4 PEC
   ppc/pnv: Move realize of PEC stacks under the PEC model
   ppc/pnv: Use QOM hierarchy to scan PEC PHB4 devices

Daniel Henrique Barboza (13):
   ivshmem.c: change endianness to LITTLE_ENDIAN
   ivshmem-test.c: enable test_ivshmem_server for ppc64 arch
   ppc/pnv.c: add a friendly warning when accel=kvm is used
   docs/system/ppc/powernv.rst: document KVM support status
   ppc/pnv.c: fix "system-id" FDT when -uuid is set
   target/ppc: introduce PMUEventType and PMU overflow timers
   target/ppc: PMU basic cycle count for pseries TCG
   target/ppc: PMU: update counters on PMCs r/w
   target/ppc: PMU: update counters on MMCR1 write
   target/ppc: enable PMU counter overflow with cycle events
   target/ppc: enable PMU instruction count
   target/ppc/power8-pmu.c: add PM_RUN_INST_CMPL (0xFA) event
   PPC64/TCG: Implement 'rfebb' instruction

Fabiano Rosas (8):
   target/ppc: Disable software TLB for the 7450 family
   target/ppc: Disable unused facilities in the e600 CPU
   target/ppc: Remove the software TLB model of 7450 CPUs
   target/ppc: Fix MPCxxx FPU interrupt address
   target/ppc: Remove 603e exception model
   target/ppc: Set 601v exception model id
   target/ppc: Fix e6500 boot
   Revert "target/ppc: Move SPR_DSISR setting to powerpc_excp"

Leonardo Garcia (5):
   docs: Minor updates on the powernv documentation.
   docs: Introducing pseries documentation.
   docs: rSTify ppc-spapr-hcalls.txt
   docs: Rename ppc-spapr-hcalls.txt to ppc-spapr-hcalls.rst.
   Link new ppc-spapr-hcalls.rst file to pseries.rst.

Lucas Mateus Castro (alqotel) (3):
   target/ppc: Fixed call to deferred exception
   test/tcg/ppc64le: test mtfsf
   target/ppc: ppc_store_fpscr doesn't update bits 0 to 

Re: [PATCH 1/1] pcie: Do not set power state for some hot-plugged devices

2021-12-15 Thread Gerd Hoffmann
  Hi,

> > Maybe we should just not set DeviceState->hotplugged = true for devices
> > added in VM_STATE_PRELAUNCH?  It's not actual hotplug (i.e. device added
> > while the system is running) after all ...

> Simply not setting "DeviceState->hotplugged" doesn't work. Devices created
> in
> PHASE_MACHINE_READY phase are treated as hot-plugged devices. So I just
> tried
> following change for the quick test, the device is still invisible to the
> firmware with
> this change.

Looking again, the difference is probably the reset handling.
pcie_cap_slot_reset() will turn on power (via PCI_EXP_SLTCTL_PCC) in
case some device is plugged into the slot.

So I suspect that when devices are plugged during VM_STATE_PRELAUNCH they are
reset individually (specifically before the device is plugged),
whereas otherwise they are reset after all devices have been plugged in.

Does resetting devices when leaving RUN_STATE_PRELAUNCH fix this?

take care,
  Gerd




Re: [PATCH v2 5/9] target/riscv: Mark the Hypervisor extension as non experimental

2021-12-15 Thread Anup Patel
On Thu, Dec 16, 2021 at 10:27 AM Alistair Francis
 wrote:
>
> From: Alistair Francis 
>
> The Hypervisor spec is now frozen, so remove the experimental tag.
>
> Signed-off-by: Alistair Francis 

Looks good to me.

Reviewed-by: Anup Patel 

Regards,
Anup

> ---
>  target/riscv/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index f812998123..1edb2771b4 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -626,6 +626,7 @@ static Property riscv_cpu_properties[] = {
>  DEFINE_PROP_BOOL("c", RISCVCPU, cfg.ext_c, true),
>  DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
>  DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
> +DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, false),
>  DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
>  DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
>  DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
> @@ -639,7 +640,6 @@ static Property riscv_cpu_properties[] = {
>  DEFINE_PROP_BOOL("x-zbb", RISCVCPU, cfg.ext_zbb, false),
>  DEFINE_PROP_BOOL("x-zbc", RISCVCPU, cfg.ext_zbc, false),
>  DEFINE_PROP_BOOL("x-zbs", RISCVCPU, cfg.ext_zbs, false),
> -DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
>  DEFINE_PROP_BOOL("x-j", RISCVCPU, cfg.ext_j, false),
>  DEFINE_PROP_BOOL("x-v", RISCVCPU, cfg.ext_v, false),
>  DEFINE_PROP_STRING("vext_spec", RISCVCPU, cfg.vext_spec),
> --
> 2.31.1
>
>



Re: [PATCH v2 8/9] hw/riscv: virt: Allow support for 32 cores

2021-12-15 Thread Anup Patel
On Thu, Dec 16, 2021 at 10:27 AM Alistair Francis
 wrote:
>
> From: Alistair Francis 
>
> Linux supports up to 32 cores for both 32-bit and 64-bit RISC-V, so
> let's set that as the maximum for the virt board.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/435
> Signed-off-by: Alistair Francis 

Overall, no issues with this patch. I have added PATCH23 in
the AIA v5 series which allows up to 512 CPUs. This is a hard
limit derived from the address-space usage of the PLIC, ACLINT,
IMSIC and APLIC, and is also suitable for both RV32 and RV64.

IMO, we should keep QEMU VIRT_CPUS_MAX as high as
possible to allow any kind of software Linux, OpenSBI, FreeBSD,
Xvisor, Xen, etc. Let the guest software decide it's own limit (such
as NR_CPUS of Linux).

Reviewed-by: Anup Patel 

Regards,
Anup

> ---
>  include/hw/riscv/virt.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
> index b8ef99f348..6e9f61ccd9 100644
> --- a/include/hw/riscv/virt.h
> +++ b/include/hw/riscv/virt.h
> @@ -24,7 +24,7 @@
>  #include "hw/block/flash.h"
>  #include "qom/object.h"
>
> -#define VIRT_CPUS_MAX 8
> +#define VIRT_CPUS_MAX 32
>  #define VIRT_SOCKETS_MAX 8
>
>  #define TYPE_RISCV_VIRT_MACHINE MACHINE_TYPE_NAME("virt")
> --
> 2.31.1
>
>



Re: [PATCH v2 6/9] target/riscv: Enable the Hypervisor extension by default

2021-12-15 Thread Anup Patel
On Thu, Dec 16, 2021 at 10:29 AM Alistair Francis
 wrote:
>
> From: Alistair Francis 
>
> Let's enable the Hypervisor extension by default. This doesn't affect
> named CPUs (such as lowrisc-ibex or sifive-u54) but does enable the
> Hypervisor extensions by default for the virt machine.
>
> Signed-off-by: Alistair Francis 

Looks good to me.

Reviewed-by: Anup Patel 

Regards,
Anup
> ---
>  target/riscv/cpu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
> index 1edb2771b4..013a8760b5 100644
> --- a/target/riscv/cpu.c
> +++ b/target/riscv/cpu.c
> @@ -626,7 +626,7 @@ static Property riscv_cpu_properties[] = {
>  DEFINE_PROP_BOOL("c", RISCVCPU, cfg.ext_c, true),
>  DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
>  DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
> -DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, false),
> +DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, true),
>  DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
>  DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
>  DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
> --
> 2.31.1
>
>



Re: [PATCH v2 9/9] hw/riscv: virt: Set the clock-frequency

2021-12-15 Thread Anup Patel
On Thu, Dec 16, 2021 at 10:31 AM Alistair Francis
 wrote:
>
> From: Alistair Francis 
>
> As per the device tree specification let's set the clock-frequency for
> the virt CPUs.
>
> QEMU doesn't really have an exact clock, so let's just 100 as it's a
> nice round number and matches the sifive_u CLINT_TIMEBASE_FREQ.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/472 (RISC-V virt)
> Signed-off-by: Alistair Francis 
> ---
>  hw/riscv/virt.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index 3af074148e..41a85cfc60 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -202,6 +202,7 @@ static void create_fdt_socket_cpus(RISCVVirtState *s, int 
> socket,
>  qemu_fdt_setprop_cell(mc->fdt, cpu_name, "reg",
>  s->soc[socket].hartid_base + cpu);
>  qemu_fdt_setprop_string(mc->fdt, cpu_name, "device_type", "cpu");
> +qemu_fdt_setprop_cell(mc->fdt, cpu_name, "clock-frequency", 100);

Instead of hard-coding, please use the same define used for timebase-frequency
(i.e. RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ)

Regards,
Anup

>  riscv_socket_fdt_write_id(mc, mc->fdt, cpu_name, socket);
>  qemu_fdt_setprop_cell(mc->fdt, cpu_name, "phandle", cpu_phandle);
>
> --
> 2.31.1
>
>



[PATCH] target/riscv: Enable bitmanip Zb[abcs] instructions

2021-12-15 Thread Vineet Gupta
The bitmanip extension has now been ratified [1] and upstream tooling
(gcc/binutils) support it too, so move them out of experimental and also
enable by default (for better test exposure/coverage)

[1] https://wiki.riscv.org/display/TECH/Recently+Ratified+Extensions

Signed-off-by: Vineet Gupta 
---
 target/riscv/cpu.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index f81299812350..c00d59cd04b5 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -635,10 +635,10 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_STRING("priv_spec", RISCVCPU, cfg.priv_spec),
 
 /* These are experimental so mark with 'x-' */
-DEFINE_PROP_BOOL("x-zba", RISCVCPU, cfg.ext_zba, false),
-DEFINE_PROP_BOOL("x-zbb", RISCVCPU, cfg.ext_zbb, false),
-DEFINE_PROP_BOOL("x-zbc", RISCVCPU, cfg.ext_zbc, false),
-DEFINE_PROP_BOOL("x-zbs", RISCVCPU, cfg.ext_zbs, false),
+DEFINE_PROP_BOOL("zba", RISCVCPU, cfg.ext_zba, true),
+DEFINE_PROP_BOOL("zbb", RISCVCPU, cfg.ext_zbb, true),
+DEFINE_PROP_BOOL("zbc", RISCVCPU, cfg.ext_zbc, true),
+DEFINE_PROP_BOOL("zbs", RISCVCPU, cfg.ext_zbs, true),
 DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("x-j", RISCVCPU, cfg.ext_j, false),
 DEFINE_PROP_BOOL("x-v", RISCVCPU, cfg.ext_v, false),
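Review bot: The four renamed properties still sit under the `/* These are experimental so mark with 'x-' */` comment, which now describes only the `x-h`/`x-j`/`x-v` lines below them; move the zb* lines up beside the other ratified extension properties (Zifencei/Zicsr, above this hunk) or reword the comment. Because the defaults flip to true, any named CPU whose init function (outside this diff) does not explicitly clear cfg.ext_zba/zbb/zbc/zbs — sifive-u54, say — would start advertising bitmanip in its ISA string; the H-extension patch in this thread suggests named CPUs set their own cfg, but that is worth confirming before merging. As with other x- removals, `-cpu ...,x-zba=true` invocations will now fail with an unknown-property error, which the commit message should mention.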
-- 
2.30.2




[PATCH v2 9/9] hw/riscv: virt: Set the clock-frequency

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

As per the device tree specification let's set the clock-frequency for
the virt CPUs.

QEMU doesn't really have an exact clock, so let's just use 100 as it's a
nice round number and matches the sifive_u CLINT_TIMEBASE_FREQ.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/472 (RISC-V virt)
Signed-off-by: Alistair Francis 
---
 hw/riscv/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
index 3af074148e..41a85cfc60 100644
--- a/hw/riscv/virt.c
+++ b/hw/riscv/virt.c
@@ -202,6 +202,7 @@ static void create_fdt_socket_cpus(RISCVVirtState *s, int 
socket,
 qemu_fdt_setprop_cell(mc->fdt, cpu_name, "reg",
 s->soc[socket].hartid_base + cpu);
 qemu_fdt_setprop_string(mc->fdt, cpu_name, "device_type", "cpu");
+qemu_fdt_setprop_cell(mc->fdt, cpu_name, "clock-frequency", 100);
 riscv_socket_fdt_write_id(mc, mc->fdt, cpu_name, socket);
 qemu_fdt_setprop_cell(mc->fdt, cpu_name, "phandle", cpu_phandle);
 
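Review bot: `100` is a bare literal in the added `qemu_fdt_setprop_cell` call; give it a name alongside the other virt constants (for example a `VIRT_CLOCK_FREQ` define in include/hw/riscv/virt.h) so the next reader doesn't have to dig up this commit to learn where the number came from. The commit message says the value matches sifive_u's `CLINT_TIMEBASE_FREQ`, but that constant's value isn't visible here, so double-check the literal against it before merging. `create_fdt_socket_cpus` begins before this hunk.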
-- 
2.31.1




[PATCH v2 7/9] hw/riscv: Use error_fatal for SoC realisation

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

When realising the SoC use error_fatal instead of error_abort as the
process can fail and report useful information to the user.

Currently a user can see this:

   $ ../qemu/bld/qemu-system-riscv64 -M sifive_u -S -monitor stdio -display 
none -drive if=pflash
QEMU 6.1.93 monitor - type 'help' for more information
(qemu) Unexpected error in sifive_u_otp_realize() at 
../hw/misc/sifive_u_otp.c:229:
qemu-system-riscv64: OTP drive size < 16K
Aborted (core dumped)

Which this patch addresses

Signed-off-by: Alistair Francis 
Reported-by: Markus Armbruster 
Reviewed-by: Philippe Mathieu-Daudé 
Reviewed-by: Markus Armbruster 
---
 hw/riscv/microchip_pfsoc.c | 2 +-
 hw/riscv/opentitan.c   | 2 +-
 hw/riscv/sifive_e.c| 2 +-
 hw/riscv/sifive_u.c| 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/riscv/microchip_pfsoc.c b/hw/riscv/microchip_pfsoc.c
index 57d779fb55..f16e4d10eb 100644
--- a/hw/riscv/microchip_pfsoc.c
+++ b/hw/riscv/microchip_pfsoc.c
@@ -471,7 +471,7 @@ static void microchip_icicle_kit_machine_init(MachineState 
*machine)
 /* Initialize SoC */
 object_initialize_child(OBJECT(machine), "soc", &s->soc,
 TYPE_MICROCHIP_PFSOC);
-qdev_realize(DEVICE(&s->soc), NULL, &error_abort);
+qdev_realize(DEVICE(&s->soc), NULL, &error_fatal);
 
 /* Split RAM into low and high regions using aliases to machine->ram */
 mem_low_size = memmap[MICROCHIP_PFSOC_DRAM_LO].size;
diff --git a/hw/riscv/opentitan.c b/hw/riscv/opentitan.c
index c531450b9f..0856c347e8 100644
--- a/hw/riscv/opentitan.c
+++ b/hw/riscv/opentitan.c
@@ -80,7 +80,7 @@ static void opentitan_board_init(MachineState *machine)
 /* Initialize SoC */
 object_initialize_child(OBJECT(machine), "soc", &s->soc,
 TYPE_RISCV_IBEX_SOC);
-qdev_realize(DEVICE(&s->soc), NULL, &error_abort);
+qdev_realize(DEVICE(&s->soc), NULL, &error_fatal);
 
 memory_region_add_subregion(sys_mem,
 memmap[IBEX_DEV_RAM].base, machine->ram);
diff --git a/hw/riscv/sifive_e.c b/hw/riscv/sifive_e.c
index 9b206407a6..dcb87b6cfd 100644
--- a/hw/riscv/sifive_e.c
+++ b/hw/riscv/sifive_e.c
@@ -88,7 +88,7 @@ static void sifive_e_machine_init(MachineState *machine)
 
 /* Initialize SoC */
 object_initialize_child(OBJECT(machine), "soc", &s->soc, TYPE_RISCV_E_SOC);
-qdev_realize(DEVICE(&s->soc), NULL, &error_abort);
+qdev_realize(DEVICE(&s->soc), NULL, &error_fatal);
 
 /* Data Tightly Integrated Memory */
 memory_region_add_subregion(sys_mem,
diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 589ae72a59..d576484851 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -545,7 +545,7 @@ static void sifive_u_machine_init(MachineState *machine)
  &error_abort);
 object_property_set_str(OBJECT(&s->soc), "cpu-type", machine->cpu_type,
  &error_abort);
-qdev_realize(DEVICE(&s->soc), NULL, &error_abort);
+qdev_realize(DEVICE(&s->soc), NULL, &error_fatal);
 
 /* register RAM */
 memory_region_add_subregion(system_memory, memmap[SIFIVE_U_DEV_DRAM].base,
-- 
2.31.1




[PATCH v2 8/9] hw/riscv: virt: Allow support for 32 cores

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

Linux supports up to 32 cores for both 32-bit and 64-bit RISC-V, so
let's set that as the maximum for the virt board.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/435
Signed-off-by: Alistair Francis 
---
 include/hw/riscv/virt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/riscv/virt.h b/include/hw/riscv/virt.h
index b8ef99f348..6e9f61ccd9 100644
--- a/include/hw/riscv/virt.h
+++ b/include/hw/riscv/virt.h
@@ -24,7 +24,7 @@
 #include "hw/block/flash.h"
 #include "qom/object.h"
 
-#define VIRT_CPUS_MAX 8
+#define VIRT_CPUS_MAX 32
 #define VIRT_SOCKETS_MAX 8
 
 #define TYPE_RISCV_VIRT_MACHINE MACHINE_TYPE_NAME("virt")
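Review bot: Raising `VIRT_CPUS_MAX` to 32 may also grow whatever is sized from it — if the PLIC or CLINT entries of the virt memmap are derived from this macro (not visible in the hunk), the guest-visible address map changes for every user, not only for those asking for more than 8 CPUs. Worth confirming that nothing relies on the previous region sizes (firmware, device-tree consumers, any machine-type compatibility expectations) and saying so in the commit message; "Linux supports up to 32 cores" also reads like a kernel-configuration limit rather than an architectural one, so a pointer to its source would help.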
-- 
2.31.1




[PATCH v2 6/9] target/riscv: Enable the Hypervisor extension by default

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

Let's enable the Hypervisor extension by default. This doesn't affect
named CPUs (such as lowrisc-ibex or sifive-u54) but does enable the
Hypervisor extensions by default for the virt machine.

Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1edb2771b4..013a8760b5 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -626,7 +626,7 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("c", RISCVCPU, cfg.ext_c, true),
 DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
-DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, false),
+DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, true),
 DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
 DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
 DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
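Review bot: Flipping the `h` default to `true` changes the ISA string and CSR set that every guest on an unnamed (`rv32`/`rv64`) CPU sees, so guests that never use virtualization now have the hypervisor-extension emulation paths reachable from S-mode by default. The commit message should state the opt-out, `-cpu rv64,h=false`, and say whether any versioned machine types are meant to keep the old default; neither is visible from this hunk.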
-- 
2.31.1




[PATCH v2 2/9] hw/intc: sifive_plic: Cleanup the write function

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

Signed-off-by: Alistair Francis 
Reviewed-by: Bin Meng 
---
 hw/intc/sifive_plic.c | 76 +++
 1 file changed, 27 insertions(+), 49 deletions(-)

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
index a9f7a1bfb0..698492ce77 100644
--- a/hw/intc/sifive_plic.c
+++ b/hw/intc/sifive_plic.c
@@ -33,6 +33,11 @@
 
 #define RISCV_DEBUG_PLIC 0
 
+static bool addr_between(uint32_t addr, uint32_t base, uint32_t num)
+{
+return addr >= base && addr - base < num;
+}
+
 static PLICMode char_to_mode(char c)
 {
 switch (c) {
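Review bot: `addr_between` takes `uint32_t addr`, but both callers in the later hunks (`sifive_plic_write`, and `sifive_plic_read` in patch 3/9) pass a `hwaddr`, so the argument is silently narrowed to 32 bits before the range check. The PLIC region is presumably far smaller than 4 GiB, so this is type hygiene rather than a reachable bug, but using the address type avoids the implicit conversion and the `-Wconversion` noise: `static bool addr_between(hwaddr addr, hwaddr base, hwaddr num)`. The third parameter is a byte length rather than a count of anything, so `len` or `size` would read better than `num`.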
@@ -269,80 +274,53 @@ static void sifive_plic_write(void *opaque, hwaddr addr, 
uint64_t value,
 {
 SiFivePLICState *plic = opaque;
 
-/* writes must be 4 byte words */
-if ((addr & 0x3) != 0) {
-goto err;
-}
-
-if (addr >= plic->priority_base && /* 4 bytes per source */
-addr < plic->priority_base + (plic->num_sources << 2))
-{
+if (addr_between(addr, plic->priority_base, plic->num_sources << 2)) {
 uint32_t irq = ((addr - plic->priority_base) >> 2) + 1;
+
 plic->source_priority[irq] = value & 7;
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: write priority: irq=%d priority=%d\n",
-irq, plic->source_priority[irq]);
-}
 sifive_plic_update(plic);
-return;
-} else if (addr >= plic->pending_base && /* 1 bit per source */
-   addr < plic->pending_base + (plic->num_sources >> 3))
-{
+} else if (addr_between(addr, plic->pending_base,
+plic->num_sources >> 3)) {
 qemu_log_mask(LOG_GUEST_ERROR,
   "%s: invalid pending write: 0x%" HWADDR_PRIx "",
   __func__, addr);
-return;
-} else if (addr >= plic->enable_base && /* 1 bit per source */
-addr < plic->enable_base + plic->num_addrs * plic->enable_stride)
-{
+} else if (addr_between(addr, plic->enable_base,
+plic->num_addrs * plic->enable_stride)) {
 uint32_t addrid = (addr - plic->enable_base) / plic->enable_stride;
 uint32_t wordid = (addr & (plic->enable_stride - 1)) >> 2;
+
 if (wordid < plic->bitfield_words) {
 plic->enable[addrid * plic->bitfield_words + wordid] = value;
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: write enable: hart%d-%c word=%d value=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode), wordid,
-plic->enable[addrid * plic->bitfield_words + wordid]);
-}
-return;
+} else {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s: Invalid enable write 0x%" HWADDR_PRIx "\n",
+  __func__, addr);
 }
-} else if (addr >= plic->context_base && /* 4 bytes per reg */
-addr < plic->context_base + plic->num_addrs * plic->context_stride)
-{
+} else if (addr_between(addr, plic->context_base,
+plic->num_addrs * plic->context_stride)) {
 uint32_t addrid = (addr - plic->context_base) / plic->context_stride;
 uint32_t contextid = (addr & (plic->context_stride - 1));
+
 if (contextid == 0) {
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: write priority: hart%d-%c priority=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode),
-plic->target_priority[addrid]);
-}
 if (value <= plic->num_priorities) {
 plic->target_priority[addrid] = value;
 sifive_plic_update(plic);
 }
-return;
 } else if (contextid == 4) {
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: write claim: hart%d-%c irq=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode),
-(uint32_t)value);
-}
 if (value < plic->num_sources) {
 sifive_plic_set_claimed(plic, value, false);
 sifive_plic_update(plic);
 }
-return;
+} else {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s: Invalid context write 0x%" HWADDR_PRIx "\n",
+  __func__, addr);
 }
+} else {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s: Invalid register write 0x%" HWADDR_PRIx "\n",
+  __func__, addr);
 }
-
-err:
-qemu_log_mask(LOG_GUEST_ERROR,
-  "%s: Invalid register write 0x%" HWADDR_PRIx "\n",
-  __func__, addr);
 }
 
 static const MemoryRegionOps sifive_plic_ops = {
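Review bot: The `(addr & 0x3) != 0` rejection is removed from `sifive_plic_write` (and from `sifive_plic_read` in the matching hunk of patch 3/9) without a replacement, so an unaligned 4-byte write is now accepted and decoded by whichever range contains it instead of being logged as invalid. Unless `sifive_plic_ops` — whose definition starts at the last line of this hunk — constrains alignment through its `.valid`/`.impl` access sizes, keep the explicit check, e.g. `if (addr & 0x3) { qemu_log_mask(LOG_GUEST_ERROR, "%s: unaligned write 0x%" HWADDR_PRIx "\n", __func__, addr); return; }`. Separately, the priority path still accepts offsets up to `(num_sources << 2) - 1`, which makes `irq == num_sources` reachable; if `source_priority` has exactly `num_sources` entries (the `memset` size in the reset patch suggests so), that guest-controlled write lands one element past the end, so the bound should be `(num_sources - 1) << 2` or the allocation one larger — pre-existing, but worth fixing while the range check is being rewritten.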
-- 
2.31.1




[PATCH v2 4/9] hw/intc: sifive_plic: Cleanup remaining functions

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

We can remove the original sifive_plic_irqs_pending() function and
instead just use the sifive_plic_claim() function (renamed to
sifive_plic_claimed()) to determine if any interrupts are pending.

This requires moving the side effects outside of sifive_plic_claimed(),
but as they are only invoked once that isn't a problem.

We have also removed all of the old #ifdef debugging logs, so let's
cleanup the last remaining debug function while we are here.

Signed-off-by: Alistair Francis 
---
 hw/intc/sifive_plic.c | 109 +-
 1 file changed, 22 insertions(+), 87 deletions(-)

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
index 44d24b3c59..746c0f0343 100644
--- a/hw/intc/sifive_plic.c
+++ b/hw/intc/sifive_plic.c
@@ -31,8 +31,6 @@
 #include "migration/vmstate.h"
 #include "hw/irq.h"
 
-#define RISCV_DEBUG_PLIC 0
-
 static bool addr_between(uint32_t addr, uint32_t base, uint32_t num)
 {
 return addr >= base && addr - base < num;
@@ -51,47 +49,6 @@ static PLICMode char_to_mode(char c)
 }
 }
 
-static char mode_to_char(PLICMode m)
-{
-switch (m) {
-case PLICMode_U: return 'U';
-case PLICMode_S: return 'S';
-case PLICMode_H: return 'H';
-case PLICMode_M: return 'M';
-default: return '?';
-}
-}
-
-static void sifive_plic_print_state(SiFivePLICState *plic)
-{
-int i;
-int addrid;
-
-/* pending */
-qemu_log("pending   : ");
-for (i = plic->bitfield_words - 1; i >= 0; i--) {
-qemu_log("%08x", plic->pending[i]);
-}
-qemu_log("\n");
-
-/* pending */
-qemu_log("claimed   : ");
-for (i = plic->bitfield_words - 1; i >= 0; i--) {
-qemu_log("%08x", plic->claimed[i]);
-}
-qemu_log("\n");
-
-for (addrid = 0; addrid < plic->num_addrs; addrid++) {
-qemu_log("hart%d-%c enable: ",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode));
-for (i = plic->bitfield_words - 1; i >= 0; i--) {
-qemu_log("%08x", plic->enable[addrid * plic->bitfield_words + i]);
-}
-qemu_log("\n");
-}
-}
-
 static uint32_t atomic_set_masked(uint32_t *a, uint32_t mask, uint32_t value)
 {
 uint32_t old, new, cmp = qatomic_read(a);
@@ -115,26 +72,34 @@ static void sifive_plic_set_claimed(SiFivePLICState *plic, 
int irq, bool level)
 atomic_set_masked(&plic->claimed[irq >> 5], 1 << (irq & 31), -!!level);
 }
 
-static int sifive_plic_irqs_pending(SiFivePLICState *plic, uint32_t addrid)
+static uint32_t sifive_plic_claimed(SiFivePLICState *plic, uint32_t addrid)
 {
+uint32_t max_irq = 0;
+uint32_t max_prio = plic->target_priority[addrid];
 int i, j;
+
 for (i = 0; i < plic->bitfield_words; i++) {
 uint32_t pending_enabled_not_claimed =
-(plic->pending[i] & ~plic->claimed[i]) &
-plic->enable[addrid * plic->bitfield_words + i];
+(plic->pending[i] & ~plic->claimed[i]) &
+plic->enable[addrid * plic->bitfield_words + i];
+
 if (!pending_enabled_not_claimed) {
 continue;
 }
+
 for (j = 0; j < 32; j++) {
 int irq = (i << 5) + j;
 uint32_t prio = plic->source_priority[irq];
 int enabled = pending_enabled_not_claimed & (1 << j);
-if (enabled && prio > plic->target_priority[addrid]) {
-return 1;
+
+if (enabled && prio > max_prio) {
+max_irq = irq;
+max_prio = prio;
 }
 }
 }
-return 0;
+
+return max_irq;
 }
 
 static void sifive_plic_update(SiFivePLICState *plic)
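Review bot: `sifive_plic_claimed` has no side effects, but its name reads like a predicate on a single irq and sits next to `sifive_plic_set_claimed`, which does mutate state; a header comment would prevent the confusion: `/* Return the highest-priority pending, enabled and unclaimed irq for context addrid whose priority exceeds its threshold, or 0 when there is none; does not mark anything as claimed. */`. Also worth noting in the commit message that, unlike the removed `sifive_plic_irqs_pending`, which returned on the first match, this scans every bitfield word to completion, so `sifive_plic_update` now does a full scan per context on every call — harmless for correctness, just a small cost change.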
@@ -145,7 +110,7 @@ static void sifive_plic_update(SiFivePLICState *plic)
 for (addrid = 0; addrid < plic->num_addrs; addrid++) {
 uint32_t hartid = plic->addr_config[addrid].hartid;
 PLICMode mode = plic->addr_config[addrid].mode;
-int level = sifive_plic_irqs_pending(plic, addrid);
+bool level = !!sifive_plic_claimed(plic, addrid);
 
 switch (mode) {
 case PLICMode_M:
@@ -158,41 +123,6 @@ static void sifive_plic_update(SiFivePLICState *plic)
 break;
 }
 }
-
-if (RISCV_DEBUG_PLIC) {
-sifive_plic_print_state(plic);
-}
-}
-
-static uint32_t sifive_plic_claim(SiFivePLICState *plic, uint32_t addrid)
-{
-int i, j;
-uint32_t max_irq = 0;
-uint32_t max_prio = plic->target_priority[addrid];
-
-for (i = 0; i < plic->bitfield_words; i++) {
-uint32_t pending_enabled_not_claimed =
-(plic->pending[i] & ~plic->claimed[i]) &
-plic->enable[addrid * plic->bitfield_words + i];
-if (!pending_enabled_not_claimed) {
-continue;
-}
-for (j = 0; j < 32; j++) {
-int irq = (i << 5) + j;
-uint32_t prio = plic->source_priority[irq];
-int enabled = pending_enabled_not_claimed & 

[PATCH v2 5/9] target/riscv: Mark the Hypervisor extension as non experimental

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

The Hypervisor spec is now frozen, so remove the experimental tag.

Signed-off-by: Alistair Francis 
---
 target/riscv/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index f812998123..1edb2771b4 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -626,6 +626,7 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("c", RISCVCPU, cfg.ext_c, true),
 DEFINE_PROP_BOOL("s", RISCVCPU, cfg.ext_s, true),
 DEFINE_PROP_BOOL("u", RISCVCPU, cfg.ext_u, true),
+DEFINE_PROP_BOOL("h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("Counters", RISCVCPU, cfg.ext_counters, true),
 DEFINE_PROP_BOOL("Zifencei", RISCVCPU, cfg.ext_ifencei, true),
 DEFINE_PROP_BOOL("Zicsr", RISCVCPU, cfg.ext_icsr, true),
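Review bot: Renaming the property from `x-h` to `h` (the removal is in the second hunk of this patch) silently breaks any command line that still passes `-cpu ...,x-h=true`; it now fails with an unknown-property error. That is the right end state for a frozen spec, but the commit message should call out the user-visible rename, and if the `x-` names were ever documented, the documentation should say the property is now `h`.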
@@ -639,7 +640,6 @@ static Property riscv_cpu_properties[] = {
 DEFINE_PROP_BOOL("x-zbb", RISCVCPU, cfg.ext_zbb, false),
 DEFINE_PROP_BOOL("x-zbc", RISCVCPU, cfg.ext_zbc, false),
 DEFINE_PROP_BOOL("x-zbs", RISCVCPU, cfg.ext_zbs, false),
-DEFINE_PROP_BOOL("x-h", RISCVCPU, cfg.ext_h, false),
 DEFINE_PROP_BOOL("x-j", RISCVCPU, cfg.ext_j, false),
 DEFINE_PROP_BOOL("x-v", RISCVCPU, cfg.ext_v, false),
 DEFINE_PROP_STRING("vext_spec", RISCVCPU, cfg.vext_spec),
-- 
2.31.1




[PATCH v2 3/9] hw/intc: sifive_plic: Cleanup the read function

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

Signed-off-by: Alistair Francis 
Reviewed-by: Bin Meng 
---
 hw/intc/sifive_plic.c | 55 +--
 1 file changed, 11 insertions(+), 44 deletions(-)

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
index 698492ce77..44d24b3c59 100644
--- a/hw/intc/sifive_plic.c
+++ b/hw/intc/sifive_plic.c
@@ -199,70 +199,37 @@ static uint64_t sifive_plic_read(void *opaque, hwaddr 
addr, unsigned size)
 {
 SiFivePLICState *plic = opaque;
 
-/* writes must be 4 byte words */
-if ((addr & 0x3) != 0) {
-goto err;
-}
-
-if (addr >= plic->priority_base && /* 4 bytes per source */
-addr < plic->priority_base + (plic->num_sources << 2))
-{
+if (addr_between(addr, plic->priority_base, plic->num_sources << 2)) {
 uint32_t irq = ((addr - plic->priority_base) >> 2) + 1;
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: read priority: irq=%d priority=%d\n",
-irq, plic->source_priority[irq]);
-}
+
 return plic->source_priority[irq];
-} else if (addr >= plic->pending_base && /* 1 bit per source */
-   addr < plic->pending_base + (plic->num_sources >> 3))
-{
+} else if (addr_between(addr, plic->pending_base, plic->num_sources >> 3)) 
{
 uint32_t word = (addr - plic->pending_base) >> 2;
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: read pending: word=%d value=%d\n",
-word, plic->pending[word]);
-}
+
 return plic->pending[word];
-} else if (addr >= plic->enable_base && /* 1 bit per source */
- addr < plic->enable_base + plic->num_addrs * plic->enable_stride)
-{
+} else if (addr_between(addr, plic->enable_base,
+plic->num_addrs * plic->enable_stride)) {
 uint32_t addrid = (addr - plic->enable_base) / plic->enable_stride;
 uint32_t wordid = (addr & (plic->enable_stride - 1)) >> 2;
+
 if (wordid < plic->bitfield_words) {
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: read enable: hart%d-%c word=%d value=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode), wordid,
-plic->enable[addrid * plic->bitfield_words + wordid]);
-}
 return plic->enable[addrid * plic->bitfield_words + wordid];
 }
-} else if (addr >= plic->context_base && /* 1 bit per source */
- addr < plic->context_base + plic->num_addrs * 
plic->context_stride)
-{
+} else if (addr_between(addr, plic->context_base,
+plic->num_addrs * plic->context_stride)) {
 uint32_t addrid = (addr - plic->context_base) / plic->context_stride;
 uint32_t contextid = (addr & (plic->context_stride - 1));
+
 if (contextid == 0) {
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: read priority: hart%d-%c priority=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode),
-plic->target_priority[addrid]);
-}
 return plic->target_priority[addrid];
 } else if (contextid == 4) {
 uint32_t value = sifive_plic_claim(plic, addrid);
-if (RISCV_DEBUG_PLIC) {
-qemu_log("plic: read claim: hart%d-%c irq=%x\n",
-plic->addr_config[addrid].hartid,
-mode_to_char(plic->addr_config[addrid].mode),
-value);
-}
+
 sifive_plic_update(plic);
 return value;
 }
 }
 
-err:
 qemu_log_mask(LOG_GUEST_ERROR,
   "%s: Invalid register read 0x%" HWADDR_PRIx "\n",
   __func__, addr);
-- 
2.31.1




[PATCH v2 0/9] A collection of RISC-V cleanups and improvements

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

This is a few patches to cleanup some RISC-V hardware and mark the
Hypervisor extension as non experimental.

v2:
 - Add some more fixes
 - Address review comments

Alistair Francis (9):
  hw/intc: sifive_plic: Add a reset function
  hw/intc: sifive_plic: Cleanup the write function
  hw/intc: sifive_plic: Cleanup the read function
  hw/intc: sifive_plic: Cleanup remaining functions
  target/riscv: Mark the Hypervisor extension as non experimental
  target/riscv: Enable the Hypervisor extension by default
  hw/riscv: Use error_fatal for SoC realisation
  hw/riscv: virt: Allow support for 32 cores
  hw/riscv: virt: Set the clock-frequency

 include/hw/riscv/virt.h|   2 +-
 hw/intc/sifive_plic.c  | 254 +++--
 hw/riscv/microchip_pfsoc.c |   2 +-
 hw/riscv/opentitan.c   |   2 +-
 hw/riscv/sifive_e.c|   2 +-
 hw/riscv/sifive_u.c|   2 +-
 hw/riscv/virt.c|   1 +
 target/riscv/cpu.c |   2 +-
 8 files changed, 83 insertions(+), 184 deletions(-)

-- 
2.31.1




[PATCH v2 1/9] hw/intc: sifive_plic: Add a reset function

2021-12-15 Thread Alistair Francis
From: Alistair Francis 

Signed-off-by: Alistair Francis 
---
 hw/intc/sifive_plic.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/hw/intc/sifive_plic.c b/hw/intc/sifive_plic.c
index 877e76877c..a9f7a1bfb0 100644
--- a/hw/intc/sifive_plic.c
+++ b/hw/intc/sifive_plic.c
@@ -355,6 +355,23 @@ static const MemoryRegionOps sifive_plic_ops = {
 }
 };
 
+static void sifive_plic_reset(DeviceState *dev)
+{
+SiFivePLICState *s = SIFIVE_PLIC(dev);
+int i;
+
+memset(s->source_priority, 0, sizeof(uint32_t) * s->num_sources);
+memset(s->target_priority, 0, sizeof(uint32_t) * s->num_addrs);
+memset(s->pending, 0, sizeof(uint32_t) * s->bitfield_words);
+memset(s->claimed, 0, sizeof(uint32_t) * s->bitfield_words);
+memset(s->enable, 0, sizeof(uint32_t) * s->num_enables);
+
+for (i = 0; i < s->num_harts; i++) {
+qemu_set_irq(s->m_external_irqs[i], 0);
+qemu_set_irq(s->s_external_irqs[i], 0);
+}
+}
+
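Review bot: The five `memset` calls in `sifive_plic_reset` spell out `sizeof(uint32_t)` rather than the element type of the array being cleared, so a change to any array's type would silently desynchronise the byte count; tie each to its target, e.g. `memset(s->pending, 0, sizeof(*s->pending) * s->bitfield_words);`. The loop driving the output lines uses `num_harts` while the register arrays are sized by `num_addrs`; that matches only if `m_external_irqs`/`s_external_irqs` were allocated with `num_harts` entries, which isn't visible here.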
 /*
  * parse PLIC hart/mode address offset config
  *
@@ -501,6 +518,7 @@ static void sifive_plic_class_init(ObjectClass *klass, void 
*data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
 
+dc->reset = sifive_plic_reset;
 device_class_set_props(dc, sifive_plic_properties);
 dc->realize = sifive_plic_realize;
 dc->vmsd = &vmstate_sifive_plic;
-- 
2.31.1




Re: [PULL 000/102] ppc queue

2021-12-15 Thread Richard Henderson

On 12/15/21 8:57 AM, Cédric Le Goater wrote:

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into 
staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

   https://github.com/legoater/qemu/ tags/pull-ppc-20211215

for you to fetch changes up to cdf906d7ea79afb3283b57e3cf1b89f1334f7f2b:

   ppc/pnv: Use QOM hierarchy to scan PEC PHB4 devices (2021-12-15 08:20:37 
+0100)


ppc 7.0 queue:

* General cleanup for Mac machines (Peter)
* Fixes for FPU exceptions (Lucas)
* Support for new ISA31 instructions (Matheus)
* Fixes for ivshmem (Daniel)
* Cleanups for PowerNV PHB (Christophe and Cedric)
* Updates of PowerNV and pSeries documentation (Leonardo and Daniel)
* Fixes for PowerNV (Daniel)
* Large cleanup of FPU implementation (Richard)
* Removal of SoftTLBs support for PPC74x CPUs (Fabiano)
* Fixes for exception models in MPCx and 60x CPUs (Fabiano)
* Removal of 401/403 CPUs (Cedric)
* Deprecation of taihu machine (Thomas)
* Large rework of PPC405 machine (Cedric)
* Fixes for VSX instructions (Victor and Matheus)
* Fix for e6500 CPU (Fabiano)
* Initial support for PMU (Daniel)


Alexey Kardashevskiy (1):
   pseries: Update SLOF firmware image

Christophe Lombard (1):
   pci-host: Allow extended config space access for PowerNV PHB4 model

Cédric Le Goater (28):
   Merge tag 'qemu-slof-2022' of github.com:aik/qemu into ppc-next
   target/ppc: remove 401/403 CPUs
   ppc/ppc405: Change kernel load address
   ppc: Add trace-events for DCR accesses
   ppc/ppc405: Convert printfs to trace-events
   ppc/ppc405: Drop flag parameter in ppc405_set_bootinfo()
   ppc/ppc405: Change ppc405ep_init() return value
   ppc/ppc405: Add some address space definitions
   ppc/ppc405: Remove flash support
   ppc/ppc405: Rework FW load
   ppc/ppc405: Introduce ppc405_set_default_bootinfo()
   ppc/ppc405: Fix boot from kernel
   ppc/ppc405: Change default PLL values at reset
   ppc/ppc405: Fix bi_pci_enetaddr2 field in U-Boot board information
   ppc/ppc405: Add update of bi_procfreq field
   ppc/pnv: Introduce a "chip" property under PHB3
   ppc/pnv: Use the chip class to check the index of PHB3 devices
   ppc/pnv: Drop the "num-phbs" property
   ppc/pnv: Move mapping of the PHB3 CQ regions under pnv_pbcq_realize()
   ppc/pnv: Use QOM hierarchy to scan PHB3 devices
   ppc/pnv: Introduce a num_pecs class attribute for PHB4 PEC devices
   ppc/pnv: Introduce version and device_id class atributes for PHB4 devices
   ppc/pnv: Introduce a "chip" property under the PHB4 model
   ppc/pnv: Introduce a num_stack class attribute
   ppc/pnv: Compute the PHB index from the PHB4 PEC model
   ppc/pnv: Remove "system-memory" property from PHB4 PEC
   ppc/pnv: Move realize of PEC stacks under the PEC model
   ppc/pnv: Use QOM hierarchy to scan PEC PHB4 devices

Daniel Henrique Barboza (13):
   ivshmem.c: change endianness to LITTLE_ENDIAN
   ivshmem-test.c: enable test_ivshmem_server for ppc64 arch
   ppc/pnv.c: add a friendly warning when accel=kvm is used
   docs/system/ppc/powernv.rst: document KVM support status
   ppc/pnv.c: fix "system-id" FDT when -uuid is set
   target/ppc: introduce PMUEventType and PMU overflow timers
   target/ppc: PMU basic cycle count for pseries TCG
   target/ppc: PMU: update counters on PMCs r/w
   target/ppc: PMU: update counters on MMCR1 write
   target/ppc: enable PMU counter overflow with cycle events
   target/ppc: enable PMU instruction count
   target/ppc/power8-pmu.c: add PM_RUN_INST_CMPL (0xFA) event
   PPC64/TCG: Implement 'rfebb' instruction

Fabiano Rosas (8):
   target/ppc: Disable software TLB for the 7450 family
   target/ppc: Disable unused facilities in the e600 CPU
   target/ppc: Remove the software TLB model of 7450 CPUs
   target/ppc: Fix MPCxxx FPU interrupt address
   target/ppc: Remove 603e exception model
   target/ppc: Set 601v exception model id
   target/ppc: Fix e6500 boot
   Revert "target/ppc: Move SPR_DSISR setting to powerpc_excp"

Leonardo Garcia (5):
   docs: Minor updates on the powernv documentation.
   docs: Introducing pseries documentation.
   docs: rSTify ppc-spapr-hcalls.txt
   docs: Rename ppc-spapr-hcalls.txt to ppc-spapr-hcalls.rst.
   Link new ppc-spapr-hcalls.rst file to pseries.rst.

Lucas Mateus Castro (alqotel) (3):
   target/ppc: Fixed call to deferred exception
   test/tcg/ppc64le: test mtfsf
   target/ppc: ppc_store_fpscr doesn't update bits 0 to 28 and 52

Matheus Ferst (6):
   target/p

Re: [PATCH] hw/net/vmxnet3: Log guest-triggerable errors using LOG_GUEST_ERROR

2021-12-15 Thread Jason Wang
On Wed, Dec 15, 2021 at 10:47 PM Philippe Mathieu-Daudé
 wrote:
>
> The "Interrupt Cause" register (VMXNET3_REG_ICR) is read-only.
> Write accesses are ignored. Log them as LOG_GUEST_ERROR
> instead of aborting:
>
>   [R +0.239743] writeq 0xe0002031 0x46291a5a55460800
>   ERROR:hw/net/vmxnet3.c:1819:vmxnet3_io_bar1_write: code should not be 
> reached
>   Thread 1 "qemu-system-i38" received signal SIGABRT, Aborted.
>   (gdb) bt
>   #3  0x74c397d3 in __GI_abort () at abort.c:79
>   #4  0x76d3cd4c in g_assertion_message (domain=, 
> file=, line=, func=, 
> message=) at ../glib/gtestutils.c:3223
>   #5  0x76d9d45f in g_assertion_message_expr
>   (domain=0x0, file=0x59fc2e53 "hw/net/vmxnet3.c", line=1819, 
> func=0x59fc11e0 <__func__.vmxnet3_io_bar1_write> "vmxnet3_io_bar1_write", 
> expr=)
>   at ../glib/gtestutils.c:3249
>   #6  0x57e80a3a in vmxnet3_io_bar1_write (opaque=0x62814100, addr=56, 
> val=70, size=4) at hw/net/vmxnet3.c:1819
>   #7  0x58c2d894 in memory_region_write_accessor (mr=0x62816b90, addr=56, 
> value=0x7fff9450, size=4, shift=0, mask=4294967295, attrs=...) at 
> softmmu/memory.c:492
>   #8  0x58c2d1d2 in access_with_adjusted_size (addr=56, value=0x7fff9450, 
> size=1, access_size_min=4, access_size_max=4, access_fn=
>   0x58c2d290 , mr=0x62816b90, attrs=...) at 
> softmmu/memory.c:554
>   #9  0x58c2bae7 in memory_region_dispatch_write (mr=0x62816b90, addr=56, 
> data=70, op=MO_8, attrs=...) at softmmu/memory.c:1504
>   #10 0x58bfd034 in flatview_write_continue (fv=0x606000181700, 
> addr=0xe0002038, attrs=..., ptr=0x7fffb9e0, len=1, addr1=56, l=1, 
> mr=0x62816b90)
>   at softmmu/physmem.c:2782
>   #11 0x58beba00 in flatview_write (fv=0x606000181700, addr=0xe0002031, 
> attrs=..., buf=0x7fffb9e0, len=8) at softmmu/physmem.c:2822
>   #12 0x58beb589 in address_space_write (as=0x60815f20, addr=0xe0002031, 
> attrs=..., buf=0x7fffb9e0, len=8) at softmmu/physmem.c:2914
>
> Reported-by: Dike 
> Reported-by: Duhao <504224...@qq.com>
> BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2032932
> Signed-off-by: Philippe Mathieu-Daudé 

Applied.

Thanks

> ---
>  hw/net/vmxnet3.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index f65af4e9ef2..0b7acf7f895 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -1816,7 +1816,9 @@ vmxnet3_io_bar1_write(void *opaque,
>  case VMXNET3_REG_ICR:
>  VMW_CBPRN("Write BAR1 [VMXNET3_REG_ICR] = %" PRIx64 ", size %d",
>val, size);
> -g_assert_not_reached();
> +qemu_log_mask(LOG_GUEST_ERROR,
> +  "%s: write to read-only register VMXNET3_REG_ICR\n",
> +  TYPE_VMXNET3);
>  break;
>
>  /* Event Cause Register */
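Review bot: The new guest-error message names only the register, while the value and size of the offending write are only emitted through `VMW_CBPRN`, which is compiled out in normal builds; including them makes guest-side bug reports and fuzzer findings much easier to triage: `"%s: write to read-only register VMXNET3_REG_ICR (val 0x%" PRIx64 ", size %d)\n", TYPE_VMXNET3, val, size`. Replacing the assertion with a log is the right fix, since the abort turned a benign guest write into a crash of the whole VMM.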
> --
> 2.33.1
>




Re: [PATCH v4 00/10] ARM virt: Introduce CPU clusters topology support

2021-12-15 Thread wangyanan (Y)

Ping...

On 2021/11/21 20:24, Yanan Wang wrote:

Hi,

This series introduces the new CPU clusters topology parameter
and enable the support for it on ARM virt machines.

Background and descriptions:
The new Cluster-Aware Scheduling support has landed in Linux 5.16,
which has been proved to benefit the scheduling performance (e.g.
load balance and wake_affine strategy) on both x86_64 and AArch64.
We can see Kernel PR [1] and the latest patch set [2] for reference.

So now in Linux 5.16 we have four-level arch-neutral CPU topology
definition like below and a new scheduler level for clusters.
struct cpu_topology {
 int thread_id;
 int core_id;
 int cluster_id;
 int package_id;
 int llc_id;
 cpumask_t thread_sibling;
 cpumask_t core_sibling;
 cpumask_t cluster_sibling;
 cpumask_t llc_sibling;
}

A cluster generally means a group of CPU cores which share L2 cache
or other mid-level resources, and it is the shared resources that
is used to improve scheduler's behavior. From the point of view of
the size range, it's between CPU die and CPU core. For example, on
some ARM64 Kunpeng servers, we have 6 clusters in each NUMA node,
and 4 CPU cores in each cluster. The 4 CPU cores share a separate
L2 cache and a L3 cache tag, which brings cache affinity advantage.

[1] 
https://lore.kernel.org/lkml/163572864855.3357115.17938524897008353101.tglx@xen13/
[2] https://lkml.org/lkml/2021/9/24/178

In virtualization, on Hosts which have pClusters, if we can design
a vCPU topology with a cluster level for the guest kernel and pin
vCPUs accordingly, a Cluster-Aware guest kernel can also make use
of the cache affinity of CPU clusters to gain similar scheduling
performance.

This series consists of two parts:
The first part (patch 1-3):
Implement infrastructure for CPU cluster level topology support,
including the SMP documentation, configuration and parsing.

The second part (part 4-10):
Enable CPU cluster support on ARM virt machines, so that users
can specify a 4-level CPU hierarchy sockets/clusters/cores/threads.
And the 4-level topology will be described to guest kernel through
ACPI PPTT and DT cpu-map.

Changelog:
v3->v4:
- Significant change from v3 to v4, since the whole series is reworked
   based on latest QEMU SMP frame.
- v3: 
https://lore.kernel.org/qemu-devel/20210516103228.37792-1-wangyana...@huawei.com/

Yanan Wang (10):
   qemu-options: Improve readability of SMP related Docs
   hw/core/machine: Introduce CPU cluster topology support
   hw/core/machine: Wrap target specific parameters together
   hw/arm/virt: Support clusters on ARM virt machines
   hw/arm/virt: Support cluster level in DT cpu-map
   hw/acpi/aml-build: Improve scalability of PPTT generation
   hw/arm/virt-acpi-build: Make an ARM specific PPTT generator
   tests/acpi/bios-tables-test: Allow changes to virt/PPTT file
   hw/acpi/virt-acpi-build: Support cluster level in PPTT generation
   tests/acpi/bios-table-test: Update expected virt/PPTT file

  hw/acpi/aml-build.c |  66 ++
  hw/arm/virt-acpi-build.c|  92 +++-
  hw/arm/virt.c   |  16 ---
  hw/core/machine-smp.c   |  29 +---
  hw/core/machine.c   |   3 ++
  include/hw/acpi/aml-build.h |   5 +-
  include/hw/boards.h |   6 ++-
  qapi/machine.json   |   5 +-
  qemu-options.hx |  91 +++
  softmmu/vl.c|   3 ++
  tests/data/acpi/virt/PPTT   | Bin 76 -> 96 bytes
  11 files changed, 214 insertions(+), 102 deletions(-)

--
2.19.1

.





Re: [PATCH v5 5/8] tests/unit/test-smp-parse: Add 'smp-generic-valid' machine type

2021-12-15 Thread wangyanan (Y)



On 2021/12/16 0:48, Philippe Mathieu-Daudé wrote:

Keep the common TYPE_MACHINE class initialization in
machine_base_class_init(), make it abstract, and move
the non-common code to a new class: "smp-generic-valid".

Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
  tests/unit/test-smp-parse.c | 19 +++
  1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/tests/unit/test-smp-parse.c b/tests/unit/test-smp-parse.c
index 72e7236afd9..5349ae14824 100644
--- a/tests/unit/test-smp-parse.c
+++ b/tests/unit/test-smp-parse.c
@@ -478,13 +478,19 @@ static void machine_base_class_init(ObjectClass *oc, void 
*data)
  {
  MachineClass *mc = MACHINE_CLASS(oc);
  
+mc->smp_props.prefer_sockets = true;

+
+mc->name = g_strdup(SMP_MACHINE_NAME);
+}
+
+static void machine_without_dies_valid_class_init(ObjectClass *oc, void *data)
+{
+MachineClass *mc = MACHINE_CLASS(oc);
+
  mc->min_cpus = MIN_CPUS;
  mc->max_cpus = MAX_CPUS;
  
-mc->smp_props.prefer_sockets = true;

  mc->smp_props.dies_supported = false;
-
-mc->name = g_strdup(SMP_MACHINE_NAME);
  }
  
  static void machine_without_dies_invalid_class_init(ObjectClass *oc, void *data)
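Review bot: With `mc->min_cpus`/`mc->max_cpus` moved out of machine_base_class_init() into machine_without_dies_valid_class_init(), every other concrete type registered with `.parent = TYPE_MACHINE` now inherits min_cpus = max_cpus = 0 unless its own class_init sets them; the second hunk keeps "smp-with-dies" and "smp-generic-invalid" on that parent, and their class_init bodies are outside these hunks, so they should be checked for explicit bounds. A one-line comment in the base init would make the split deliberate for the next reader, e.g. `/* min_cpus/max_cpus are set per concrete machine type below. */`.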

@@ -606,9 +612,14 @@ static const TypeInfo smp_machine_types[] = {
  {
  .name   = TYPE_MACHINE,
  .parent = TYPE_OBJECT,
+.abstract   = true,
  .class_init = machine_base_class_init,
  .class_size = sizeof(MachineClass),
  .instance_size  = sizeof(MachineState),
+}, {
+.name   = MACHINE_TYPE_NAME("smp-generic-valid"),
+.parent = TYPE_MACHINE,
+.class_init = machine_without_dies_valid_class_init,
Similar to patch #4, can we also rename 
"machine_without_dies_valid_class_init"

to "machine_generic_valid_class_init" ?

Thanks,
Yanan

  }, {
  .name   = MACHINE_TYPE_NAME("smp-generic-invalid"),
  .parent = TYPE_MACHINE,
@@ -629,7 +640,7 @@ int main(int argc, char *argv[])
  g_test_init(&argc, &argv, NULL);
  
  g_test_add_data_func("/test-smp-parse/generic/valid",

- TYPE_MACHINE,
+ MACHINE_TYPE_NAME("smp-generic-valid"),
   test_generic_valid);
  g_test_add_data_func("/test-smp-parse/generic/invalid",
   MACHINE_TYPE_NAME("smp-generic-invalid"),





Re: [PATCH v5 4/8] tests/unit/test-smp-parse: Add 'smp-generic-invalid' machine type

2021-12-15 Thread wangyanan (Y)

Hi Philippe,

On 2021/12/16 0:48, Philippe Mathieu-Daudé wrote:

Avoid modifying the MachineClass internals by adding the
'smp-generic-invalid' machine, which inherits from TYPE_MACHINE.

Reviewed-by: Richard Henderson 
Signed-off-by: Philippe Mathieu-Daudé 
---
  tests/unit/test-smp-parse.c | 25 -
  1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/tests/unit/test-smp-parse.c b/tests/unit/test-smp-parse.c
index f66cf7bb598..72e7236afd9 100644
--- a/tests/unit/test-smp-parse.c
+++ b/tests/unit/test-smp-parse.c
@@ -487,6 +487,17 @@ static void machine_base_class_init(ObjectClass *oc, void 
*data)
  mc->name = g_strdup(SMP_MACHINE_NAME);
  }
  
+static void machine_without_dies_invalid_class_init(ObjectClass *oc, void *data)

+{
+MachineClass *mc = MACHINE_CLASS(oc);
+
+/* Force invalid min CPUs and max CPUs */
+mc->min_cpus = 2;
+mc->max_cpus = 511;
+
+mc->smp_props.dies_supported = false;
+}
+
  static void machine_with_dies_class_init(ObjectClass *oc, void *data)
  {
  MachineClass *mc = MACHINE_CLASS(oc);
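Review bot: The comment `/* Force invalid min CPUs and max CPUs */` was lifted verbatim from test_generic_invalid(), where "force" described a temporary override that the test reset afterwards; in a class_init it now states the permanent contract of the "smp-generic-invalid" type and reads as if something were being coerced at runtime. Presumably 2 and 511 sit just inside the MIN_CPUS..MAX_CPUS range so that the data_generic_invalid entries trip the bounds checks; saying so would make the numbers self-explaining, e.g. `/* Bounds deliberately narrower than MIN_CPUS..MAX_CPUS so data_generic_invalid fails them */`. The removal of the set/reset pair in the two later hunks follows naturally from this and needs no further change.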
@@ -530,10 +541,6 @@ static void test_generic_invalid(const void *opaque)
  SMPTestData *data = &(SMPTestData){};
  int i;
  
-/* Force invalid min CPUs and max CPUs */

-mc->min_cpus = 2;
-mc->max_cpus = 511;
-
  for (i = 0; i < ARRAY_SIZE(data_generic_invalid); i++) {
  *data = data_generic_invalid[i];
  unsupported_params_init(mc, data);
@@ -541,10 +548,6 @@ static void test_generic_invalid(const void *opaque)
  smp_parse_test(ms, data, false);
  }
  
-/* Reset the supported min CPUs and max CPUs */

-mc->min_cpus = MIN_CPUS;
-mc->max_cpus = MAX_CPUS;
-
  object_unref(obj);
  }
  
@@ -606,6 +609,10 @@ static const TypeInfo smp_machine_types[] = {

  .class_init = machine_base_class_init,
  .class_size = sizeof(MachineClass),
  .instance_size  = sizeof(MachineState),
+}, {
+.name   = MACHINE_TYPE_NAME("smp-generic-invalid"),
+.parent = TYPE_MACHINE,
+.class_init = machine_without_dies_invalid_class_init,

Maybe it's better to rename "machine_without_dies_invalid_class_init" to
"machine_generic_invalid_class_init" to be consistent with the .name field.

Thanks,
Yanan

  }, {
  .name   = MACHINE_TYPE_NAME("smp-with-dies"),
  .parent = TYPE_MACHINE,
@@ -625,7 +632,7 @@ int main(int argc, char *argv[])
   TYPE_MACHINE,
   test_generic_valid);
  g_test_add_data_func("/test-smp-parse/generic/invalid",
- TYPE_MACHINE,
+ MACHINE_TYPE_NAME("smp-generic-invalid"),
   test_generic_invalid);
  g_test_add_data_func("/test-smp-parse/with_dies",
   MACHINE_TYPE_NAME("smp-with-dies"),





Re: [RFC PATCH 2/3] hw/sd/sdhci: Prohibit DMA accesses to devices

2021-12-15 Thread Jason Wang
On Thu, Dec 16, 2021 at 4:57 AM Philippe Mathieu-Daudé
 wrote:
>
> From: Philippe Mathieu-Daudé 
>
> The issue reported by OSS-Fuzz produces the following backtrace:
>
>   ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
>   READ of size 1 at 0x6152a080 thread T0
>   #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
>   #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
>   #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
>   #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
>   #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
>   #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
>   #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
>   #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
>   #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
>   #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
>   #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
>   #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
>   #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
>   #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
>   #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
>   #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
>   #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
>   #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
>   #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
>   #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
>   #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
>   #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
>   #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
>   #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9
>
> A DMA descriptor is first filled in RAM. An I/O access to the
> device (frames #22 to #16) starts the DMA engine (frame #13). The
> engine fetches the descriptor and executes the request, which itself
> accesses the SDHCI I/O registers (frames #1 and #0), triggering a
> re-entrancy issue.
>
> Fix by prohibiting transactions from the DMA engine to devices. The
> DMA engine is thus restricted to memory.
>
> Reported-by: OSS-Fuzz (Issue 36391)
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/sd/sdhci.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index fe2f21f0c37..0e5e988927e 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -741,6 +741,7 @@ static void sdhci_do_adma(SDHCIState *s)
>  {
>  unsigned int begin, length;
>  const uint16_t block_size = s->blksize & BLOCK_SIZE_MASK;
> +const MemTxAttrs attrs = { .memory = true };
>  ADMADescr dscr = {};
>  MemTxResult res;
>  int i;
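Review bot: `const MemTxAttrs attrs = { .memory = true };` carries the whole fix but says nothing about why; a reader of sdhci_do_adma() will not know that the attribute exists to keep the DMA engine from targeting MMIO, which is what let a descriptor aimed at the controller's own registers re-enter sdhci_read_dataport(). Suggest `/* RAM only: a descriptor pointing at MMIO (including our own registers) would re-enter this device via dma_memory_read/write. */` above the declaration. The two later hunks only switch the data read and the data write to `attrs`; if the descriptor fetch earlier in sdhci_do_adma() still passes MEMTXATTRS_UNSPECIFIED (it is outside these hunks, and the diffstat shows only these call sites changed), the same re-entrancy remains reachable through the descriptor location, so that call deserves the same attribute.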
> @@ -794,7 +795,7 @@ static void sdhci_do_adma(SDHCIState *s)
>  res = dma_memory_write(s->dma_as, dscr.addr,
> &s->fifo_buffer[begin],
> s->data_count - begin,
> -   MEMTXATTRS_UNSPECIFIED);
> +   attrs);
>  if (res != MEMTX_OK) {
>  break;
>  }
> @@ -823,7 +824,7 @@ static void sdhci_do_adma(SDHCIState *s)
>  res = dma_memory_read(s->dma_as, dscr.addr,
>&s->fifo_buffer[begin],
>s->data_count - begin,
> -  MEMTXATTRS_UNSPECIFIED);
> +  attrs);
>  if (res != MEMTX_OK) {
>  break;
>  }

I wonder how we can fix this for other devices, as this has been a
known issue for many years. We've received many reports from the
networking side.

It looks like this patch simply forbids p2p, which probably isn't an
option for other devices.

I remember there were ideas like using a bh, from Paolo, or detecting
reentrancy in the memory core; both of them seem more general than
this?

Thanks

> --
> 2.33.1
>




Re: [RFC] vhost-vdpa-net: add vhost-vdpa-net host device support

2021-12-15 Thread Jason Wang
On Wed, Dec 15, 2021 at 6:07 PM Stefan Hajnoczi  wrote:
>
> On Wed, Dec 15, 2021 at 11:18:05AM +0800, Jason Wang wrote:
> > On Tue, Dec 14, 2021 at 9:11 PM Stefan Hajnoczi  wrote:
> > >
> > > On Tue, Dec 14, 2021 at 10:22:53AM +0800, Jason Wang wrote:
> > > > On Mon, Dec 13, 2021 at 11:14 PM Stefan Hajnoczi  
> > > > wrote:
> > > > >
> > > > > On Mon, Dec 13, 2021 at 10:47:00AM +0800, Jason Wang wrote:
> > > > > > On Sun, Dec 12, 2021 at 5:30 PM Michael S. Tsirkin 
> > > > > >  wrote:
> > > > > > >
> > > > > > > On Sat, Dec 11, 2021 at 03:00:27AM +, Longpeng (Mike, Cloud 
> > > > > > > Infrastructure Service Product Dept.) wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > > -Original Message-
> > > > > > > > > From: Stefan Hajnoczi [mailto:stefa...@redhat.com]
> > > > > > > > > Sent: Thursday, December 9, 2021 5:17 PM
> > > > > > > > > To: Longpeng (Mike, Cloud Infrastructure Service Product 
> > > > > > > > > Dept.)
> > > > > > > > > 
> > > > > > > > > Cc: jasow...@redhat.com; m...@redhat.com; pa...@nvidia.com;
> > > > > > > > > xieyon...@bytedance.com; sgarz...@redhat.com; Yechuan 
> > > > > > > > > ;
> > > > > > > > > Gonglei (Arei) ; 
> > > > > > > > > qemu-devel@nongnu.org
> > > > > > > > > Subject: Re: [RFC] vhost-vdpa-net: add vhost-vdpa-net host 
> > > > > > > > > device support
> > > > > > > > >
> > > > > > > > > On Wed, Dec 08, 2021 at 01:20:10PM +0800, Longpeng(Mike) 
> > > > > > > > > wrote:
> > > > > > > > > > From: Longpeng 
> > > > > > > > > >
> > > > > > > > > > Hi guys,
> > > > > > > > > >
> > > > > > > > > > This patch introduces vhost-vdpa-net device, which is 
> > > > > > > > > > inspired
> > > > > > > > > > by vhost-user-blk and the proposal of vhost-vdpa-blk device 
> > > > > > > > > > [1].
> > > > > > > > > >
> > > > > > > > > > I've tested this patch on Huawei's offload card:
> > > > > > > > > > ./x86_64-softmmu/qemu-system-x86_64 \
> > > > > > > > > > -device vhost-vdpa-net-pci,vdpa-dev=/dev/vhost-vdpa-0
> > > > > > > > > >
> > > > > > > > > > For virtio hardware offloading, the most important 
> > > > > > > > > > requirement for us
> > > > > > > > > > is to support live migration between offloading cards from 
> > > > > > > > > > different
> > > > > > > > > > vendors, the combination of netdev and virtio-net seems too 
> > > > > > > > > > heavy, we
> > > > > > > > > > prefer a lightweight way.
> > > > > > > > > >
> > > > > > > > > > Maybe we could support both in the future ? Such as:
> > > > > > > > > >
> > > > > > > > > > * Lightweight
> > > > > > > > > >  Net: vhost-vdpa-net
> > > > > > > > > >  Storage: vhost-vdpa-blk
> > > > > > > > > >
> > > > > > > > > > * Heavy but more powerful
> > > > > > > > > >  Net: netdev + virtio-net + vhost-vdpa
> > > > > > > > > >  Storage: bdrv + virtio-blk + vhost-vdpa
> > > > > > > > > >
> > > > > > > > > > [1] 
> > > > > > > > > > https://www.mail-archive.com/qemu-devel@nongnu.org/msg797569.html
> > > > > > > > >
> > > > > > > > > Stefano presented a plan for vdpa-blk at KVM Forum 2021:
> > > > > > > > > https://kvmforum2021.sched.com/event/ke3a/vdpa-blk-unified-hardware-and-sof
> > > > > > > > > tware-offload-for-virtio-blk-stefano-garzarella-red-hat
> > > > > > > > >
> > > > > > > > > It's closer to today's virtio-net + vhost-net approach than 
> > > > > > > > > the
> > > > > > > > > vhost-vdpa-blk device you have mentioned. The idea is to 
> > > > > > > > > treat vDPA as
> > > > > > > > > an offload feature rather than a completely separate code 
> > > > > > > > > path that
> > > > > > > > > needs to be maintained and tested. That way QEMU's block 
> > > > > > > > > layer features
> > > > > > > > > and live migration work with vDPA devices and re-use the 
> > > > > > > > > virtio-blk
> > > > > > > > > code. The key functionality that has not been implemented yet 
> > > > > > > > > is a "fast
> > > > > > > > > path" mechanism that allows the QEMU virtio-blk device's 
> > > > > > > > > virtqueue to be
> > > > > > > > > offloaded to vDPA.
> > > > > > > > >
> > > > > > > > > The unified vdpa-blk architecture should deliver the same 
> > > > > > > > > performance
> > > > > > > > > as the vhost-vdpa-blk device you mentioned but with more 
> > > > > > > > > features, so I
> > > > > > > > > wonder what aspects of the vhost-vdpa-blk idea are important 
> > > > > > > > > to you?
> > > > > > > > >
> > > > > > > > > QEMU already has vhost-user-blk, which takes a similar 
> > > > > > > > > approach as the
> > > > > > > > > vhost-vdpa-blk device you are proposing. I'm not against the
> > > > > > > > > > vhost-vdpa-blk approach in principle, but would like to 
> > > > > > > > > understand your
> > > > > > > > > requirements and see if there is a way to collaborate on one 
> > > > > > > > > vdpa-blk
> > > > > > > > > implementation instead of dividing our efforts between two.
> > > > > > > > >
> > > > > > > >
> > > > > > > > We prefer a simple way in the virtio hardware offloading case, 
> > > > > > > > it could reduce
> > > > > > > > our

Re: 回复: 回复: 回复: 回复: Questiones About MORPHUZZ (the generic-fuzzer)

2021-12-15 Thread Alexander Bulekov


On 211216 1011, dhbbb wrote:
> Hello Alex,
> I have found some crashes with qemu-fuzz-i386 (generic-fuzz), such as
> heap-buffer-overflow. But some of the crashes can't be reproduced in
> qemu-system-i386 (no segmentation fault). Are these crashes false positives?

Usually, when we can't reproduce bugs in qemu-system-i386, it is because
they: 1.) Relied on double-fetches. There is no reliable way to
reproduce these bugs, because they are timing-sensitive. An easy way to
check if a bug is a double fetch is to re-run the crash file with
QEMU_AVOID_DOUBLE_FETCH

2.) Relied on the sparse memory device. In generic_fuzz.c there is a
line: sparse_mem_init(0, UINT64_MAX); Essentially this creates a special
device that we use to simulate "infinite" memory, which makes DMA
fuzzing easier. The problem is that once a bug is found, we need to
somehow remove sparse-memory device, so that we can reproduce in
qemu-system-i386.
For example, look at:
https://gitlab.com/qemu-project/qemu/-/issues/383

The reproducer has a very large address:
write 0xab2c0001 ...
(The VM would need over 188 TB of ram)
So, to account for this, I added an additional memory slot at that
location:
-device pc-dimm,id=nv1,memdev=mem1,addr=0xab2c -object \
memory-backend-ram,id=mem1,size=2M

Another alternative is to try to minimize the crash file until it no
longer contains any large addresses; however, there's no script for
this upstream yet.
-Alex

> 
> 
> 
> -- 原始邮件 --
> 发件人:  
>   "Alexander Bulekov" 
>
>  发送时间: 2021年12月15日(星期三) 晚上11:47
> 收件人: "dhbbb"<504224...@qq.com>;
> 
> 主题: Re: 回复:  回复:  回复: Questiones About MORPHUZZ (the generic-fuzzer)
> 
> 
> 
> Nice! You can send them to qemu-secur...@nongnu.org or with GPG to
> secal...@redhat.com
> 
> Here are the official instructions:
> https://www.qemu.org/contribute/security-process/
> 
> On 211215 1626, dhbbb wrote:
> > Hello Alex,
> > Thanks for your kind reply! It really helps a lot.
> > I seem to have found some bugs in QEMU. Who should I report these 
> problems to? If I want to apply for some CVE numbers, what should I do?
> > 
> > 
> > 
> > 
> > -- 原始邮件 --
> > 
> 发件人:   
>  "Alexander 
> Bulekov"   
>   > 发送时间: 2021年12月10日(星期五) 中午12:15
> > 收件人: "dhbbb"<504224...@qq.com>;
> > 
> > 主题: Re:  回复:  回复: Questiones About MORPHUZZ (the 
> generic-fuzzer)
> > 
> > 
> > 
> > On 211210 1050, dhbbb wrote:
> > > Hello Alex,
> > > When I try to find the memory region with info MTREE, it 
> displays "Info: no menu item 'MTREE' in node '(DIR) top'". Do I need to start 
> QEMU before running this command?
> > 
> > Yes - this command goes into the qemu monitor, after you start QEMU.
> > https://en.wikibooks.org/wiki/QEMU/Monitor
> > 
> > e.g. start qemu with
> > qemu-system-i386  -monitor stdio -serial none
> > Then type
> > "info mtree" into the monitor
> > 
> > -Alex
> > 
> > > 
> > > 
> > > 
> > > 
> > > 
> -- 原始邮件 --
> > > 
> 发件人: "Alexander Bulekov"
>   > > 发送时间: 2021年12月3日(星期五) 凌晨2:54
> > > 收件人: "dhbbb"<504224...@qq.com>;
> > > 
> > > 主题: Re:  回复: Questiones About MORPHUZZ 
> (the generic-fuzzer)
> > > 
> > > 
> > > 
> > > Our priority was fuzzing on Google OSS-Fuzz (which required

Re: [PATCH v13 00/26] Add LoongArch linux-user emulation support

2021-12-15 Thread gaosong

Hi,
On 2021/12/4 下午5:28, Song Gao wrote:

Based-on:https://patchew.org/QEMU/1637893388-10282-1-git-send-email-gaos...@loongson.cn/

Hi all,

This series only support linux-user emulation.
More about LoongArch at:https://github.com/loongson/

The latest kernel:
   *https://github.com/loongson/linux/tree/loongarch-next

Patches need review:
   * 0018-linux-user-Add-LoongArch-specific-structures.patch
   * 0019-linux-user-Add-LoongArch-signal-support.patch

Ping !

Thanks
Song Gao





[RFC PATCH 1/6] hw/gpio/gpio_transmitter: Add Device

2021-12-15 Thread Joe Komlodi
This adds a GPIO transmitter, a device which takes in the GPIO state of
a GPIO controller and transmits it via chardev.

The purpose of this device is to relay any GPIO changes to external
software that may need to act on them.

To integrate this device into a GPIO controller, the GPIO transmitter
should be initialized like any other device, then any GPIO controllers
being initialized should get a pointer to the transmitter.

To transmit data, the GPIO controller calls google_gpio_tx_transmit()
with the GPIO controller's controller number (i.e. which controller is
currently transmitting out of how many exist in the machine), and the
state of the GPIO pins on that controller.

On an error, the GPIO transmitter doesn't provide any feedback to the
controller and only logs a guest error. This is because it is a
completely separate entity from the GPIO controller, which does not
care about it, and because any errors would be the fault of the
external software receiving the GPIO transmitter packets.

Signed-off-by: Joe Komlodi 
---
 hw/gpio/Kconfig   |   3 +
 hw/gpio/google_gpio_transmitter.c | 127 ++
 hw/gpio/meson.build   |   1 +
 include/hw/gpio/google_gpio_transmitter.h |  46 
 4 files changed, 177 insertions(+)
 create mode 100644 hw/gpio/google_gpio_transmitter.c
 create mode 100644 include/hw/gpio/google_gpio_transmitter.h

diff --git a/hw/gpio/Kconfig b/hw/gpio/Kconfig
index f0e7405f6e..760646cc3a 100644
--- a/hw/gpio/Kconfig
+++ b/hw/gpio/Kconfig
@@ -13,3 +13,6 @@ config GPIO_PWR
 
 config SIFIVE_GPIO
 bool
+
+config GOOGLE_GPIO_TRANSMITTER
+bool
diff --git a/hw/gpio/google_gpio_transmitter.c 
b/hw/gpio/google_gpio_transmitter.c
new file mode 100644
index 00..3429121ccb
--- /dev/null
+++ b/hw/gpio/google_gpio_transmitter.c
@@ -0,0 +1,127 @@
+/*
+ * Google GPIO Transmitter.
+ *
+ * This is a fake hardware model that does not exist on any board or IC.
+ * The purpose of this model is to aggregate GPIO state changes from a GPIO
+ * controller and transmit them via chardev.
+ *
+ * Copyright 2021 Google LLC
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include "qemu/osdep.h"
+
+#include "hw/gpio/google_gpio_transmitter.h"
+#include "hw/qdev-properties-system.h"
+#include "hw/sysbus.h"
+#include "chardev/char-fe.h"
+#include "qapi/error.h"
+#include "qemu/log.h"
+
+#define PACKET_REVISION 0x01
+
+void google_gpio_tx_transmit(GoogleGPIOTXState *s, uint8_t controller,
+  uint32_t gpios)
+{
+uint8_t packet[6];
+
+packet[0] = PACKET_REVISION;
+packet[1] = controller;
+memcpy(&packet[2], &gpios, sizeof(gpios));
+qemu_chr_fe_write_all(&s->chr, packet, ARRAY_SIZE(packet));
+}
+
+static void google_gpio_tx_event(void *opaque, QEMUChrEvent evt)
+{
+switch (evt) {
+case CHR_EVENT_OPENED:
+case CHR_EVENT_CLOSED:
+case CHR_EVENT_BREAK:
+case CHR_EVENT_MUX_IN:
+case CHR_EVENT_MUX_OUT:
+/*
+ * Ignore events.
+ * Our behavior stays the same regardless of what happens.
+ */
+break;
+default:
+g_assert_not_reached();
+}
+}
+
+static void google_gpio_tx_receive(void *opaque, const uint8_t *buf, int size)
+{
+GoogleGPIOTXState *s = GOOGLE_GPIO_TX(opaque);
+
+switch (buf[0]) {
+case GPIOTXCODE_OK:
+break;
+case GPIOTXCODE_MALFORMED_PKT:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: Transmitted malformed packet\n",
+  object_get_canonical_path(OBJECT(s)));
+break;
+case GPIOTXCODE_UNKNOWN_VERSION:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: Transmitted malformed packet "
+  "with a version the recipent can't handle. Sent "
+  "version %d\n", object_get_canonical_path(OBJECT(s)),
+  PACKET_REVISION);
+break;
+default:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown response 0x%x\n",
+  object_get_canonical_path(OBJECT(s)), buf[0]);
+break;
+}
+
+if (size != 1) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: Expects packets only of length 
1\n",
+  object_get_canonical_path(OBJECT(s)));
+}
+}
+
+static int google_gpio_tx_can_receive(void *opaque)
+{
+return 1;
+}
+
+static void google_gpio_tx_realize(DeviceState *dev, Error **errp)
+{
+GoogleGPIOTXState *s = GOOGLE_GPIO_TX(dev);
+
+qemu_chr_fe_set_handlers(&s->chr, google_gpio_tx_can_receive,
+ google_gpio_tx_receiv

[RFC PATCH 5/6] hw/gpio/npcm7xx: init GPIO transmitter allowlist

2021-12-15 Thread Joe Komlodi
For the GPIO transmitter to properly transmit on pin changes, it must
know the initial state of the GPIO pins on the controller.

Signed-off-by: Joe Komlodi 
---
 hw/gpio/npcm7xx_gpio.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
index 0d683903a2..64a74c87a5 100644
--- a/hw/gpio/npcm7xx_gpio.c
+++ b/hw/gpio/npcm7xx_gpio.c
@@ -370,6 +370,14 @@ static void npcm7xx_gpio_hold_reset(Object *obj)
 npcm7xx_gpio_update_pins(s, -1);
 }
 
+static void npcm7xx_gpio_realize(DeviceState *dev, Error **errp)
+{
+NPCM7xxGPIOState *s = NPCM7XX_GPIO(dev);
+uint32_t state = s->regs[NPCM7XX_GPIO_DOUT] | s->regs[NPCM7XX_GPIO_DIN];
+
+google_gpio_tx_state_init(s->txs, s->controller_num, state);
+}
+
 static void npcm7xx_gpio_init(Object *obj)
 {
 NPCM7xxGPIOState *s = NPCM7XX_GPIO(obj);
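Review bot: npcm7xx_gpio_realize() passes `s->txs` to google_gpio_tx_state_init() without the `if (s->txs)` guard that npcm7xx_gpio_tx_state() uses in patch 4/6, so a GPIO controller instantiated without a "gpio-tx" link hands a NULL transmitter to that function unless it tolerates NULL itself (its body is not on this page). Either guard here the same way, `if (s->txs) { google_gpio_tx_state_init(s->txs, s->controller_num, state); }`, or document at the link property that the transmitter is mandatory. The captured value `DOUT | DIN` is read at realize time, which precedes the reset phases that rewrite s->regs (hold_reset is visible as context just above), so the "initial state" may be whatever the registers held before reset — worth confirming and stating in a comment. The same expression is duplicated in npcm7xx_gpio_tx_state(); a small `npcm7xx_gpio_pin_state(s)` helper would keep the two definitions of "pin state" from drifting apart.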
@@ -423,6 +431,7 @@ static void npcm7xx_gpio_class_init(ObjectClass *klass, 
void *data)
 
 dc->desc = "NPCM7xx GPIO Controller";
 dc->vmsd = &vmstate_npcm7xx_gpio;
+dc->realize = npcm7xx_gpio_realize;
 reset->phases.enter = npcm7xx_gpio_enter_reset;
 reset->phases.hold = npcm7xx_gpio_hold_reset;
 device_class_set_props(dc, npcm7xx_gpio_properties);
-- 
2.34.1.173.g76aa8bc2d0-goog




[RFC PATCH 3/6] hw/gpio/npcm7xx: Number controllers

2021-12-15 Thread Joe Komlodi
For transmitting the GPIO state to the outside world, the GPIO transmitter will
need to know which controller's state has been updated.

To do this, we'll just number each controller at initialization.

Signed-off-by: Joe Komlodi 
---
 hw/arm/npcm7xx.c   | 1 +
 hw/gpio/npcm7xx_gpio.c | 2 ++
 include/hw/gpio/npcm7xx_gpio.h | 1 +
 3 files changed, 4 insertions(+)

diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
index ace21d8943..6a48a9a6d4 100644
--- a/hw/arm/npcm7xx.c
+++ b/hw/arm/npcm7xx.c
@@ -595,6 +595,7 @@ static void npcm7xx_realize(DeviceState *dev, Error **errp)
 for (i = 0; i < ARRAY_SIZE(s->gpio); i++) {
 Object *obj = OBJECT(&s->gpio[i]);
 
+object_property_set_uint(obj, "controller-num", i, &error_abort);
 object_property_set_uint(obj, "reset-pullup",
  npcm7xx_gpio[i].reset_pu, &error_abort);
 object_property_set_uint(obj, "reset-pulldown",
diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
index 3376901ab1..5075f61b3b 100644
--- a/hw/gpio/npcm7xx_gpio.c
+++ b/hw/gpio/npcm7xx_gpio.c
@@ -387,6 +387,8 @@ static const VMStateDescription vmstate_npcm7xx_gpio = {
 };
 
 static Property npcm7xx_gpio_properties[] = {
+/* The GPIO controller number (out of 8) */
+DEFINE_PROP_UINT8("controller-num", NPCM7xxGPIOState, controller_num, 0),
 /* Bit n set => pin n has pullup enabled by default. */
 DEFINE_PROP_UINT32("reset-pullup", NPCM7xxGPIOState, reset_pu, 0),
 /* Bit n set => pin n has pulldown enabled by default. */
diff --git a/include/hw/gpio/npcm7xx_gpio.h b/include/hw/gpio/npcm7xx_gpio.h
index b1d771bd77..b065bba1c5 100644
--- a/include/hw/gpio/npcm7xx_gpio.h
+++ b/include/hw/gpio/npcm7xx_gpio.h
@@ -35,6 +35,7 @@ typedef struct NPCM7xxGPIOState {
 uint32_t reset_pd;
 uint32_t reset_osrc;
 uint32_t reset_odsc;
+uint8_t  controller_num;
 
 MemoryRegion mmio;
 
-- 
2.34.1.173.g76aa8bc2d0-goog




[RFC PATCH 0/6] Introduce GPIO transmitter and connect to NPCM7xx

2021-12-15 Thread Joe Komlodi
Hi all,

This series introduces a GPIO transmitter, which allows the transmission
of GPIO controller pin state over chardev, and attaches it to the NPCM7xx
GPIO controller.

The GPIO transmitter takes in a GPIO controller number and a bitfield
containing the GPIO state of that controller, then formats a packet and
sends it via chardev to whoever is listening for it.
The purpose of this is for external software to receive the packet and
interpret it so it can do any actions it needs to, based on GPIO state.

For example, in our use case, we have a VM manager managing an x86 guest
and an ARM (NPCM7xx) guest. On real hardware, the ARM SoC is a BMC which
has some power control over the x86 SoC.
Because of this, we need to relay GPIO power events from the BMC to the
x86 machine (i.e. reset, power off, etc), so we have software read in
the GPIO transmitter packets, keep track of what power state the x86
machine is in based on the GPIO state of the BMC, and notify the VM
manager of any important changes.
The VM manager can then power up/down and reset the x86 machine as
needed.

Thanks!
Joe

Joe Komlodi (6):
  hw/gpio/gpio_transmitter: Add Device
  hw/gpio/gpio_transmitter: Add allowlist
  hw/gpio/npcm7xx: Number controllers
  hw/arm/npcm7xx: gpio: Add GPIO transmitter
  hw/gpio/npcm7xx: init GPIO transmitter allowlist
  qtests/gpio_transmitter: Add test

 hw/arm/Kconfig|   1 +
 hw/arm/npcm7xx.c  |   8 +
 hw/gpio/Kconfig   |   3 +
 hw/gpio/google_gpio_transmitter.c | 249 ++
 hw/gpio/meson.build   |   1 +
 hw/gpio/npcm7xx_gpio.c|  25 +++
 include/hw/arm/npcm7xx.h  |   2 +
 include/hw/gpio/google_gpio_transmitter.h |  66 ++
 include/hw/gpio/npcm7xx_gpio.h|   4 +
 tests/qtest/google_gpio_tx-test.c | 216 +++
 tests/qtest/meson.build   |   1 +
 11 files changed, 576 insertions(+)
 create mode 100644 hw/gpio/google_gpio_transmitter.c
 create mode 100644 include/hw/gpio/google_gpio_transmitter.h
 create mode 100644 tests/qtest/google_gpio_tx-test.c

-- 
2.34.1.173.g76aa8bc2d0-goog




[RFC PATCH 4/6] hw/arm/npcm7xx: gpio: Add GPIO transmitter

2021-12-15 Thread Joe Komlodi
This adds the GPIO transmitter to the NPCM7xx GPIO controller and
transmits packets any time the pin state changes.

Signed-off-by: Joe Komlodi 
---
 hw/arm/Kconfig |  1 +
 hw/arm/npcm7xx.c   |  7 +++
 hw/gpio/npcm7xx_gpio.c | 14 ++
 include/hw/arm/npcm7xx.h   |  2 ++
 include/hw/gpio/npcm7xx_gpio.h |  3 +++
 5 files changed, 27 insertions(+)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index ac11493667..046e277db8 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -399,6 +399,7 @@ config NPCM7XX
 select UNIMP
 select PCA954X
+select GOOGLE_GPIO_TRANSMITTER
 
 config FSL_IMX25
 bool
 select IMX
diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
index 6a48a9a6d4..b3a65e5298 100644
--- a/hw/arm/npcm7xx.c
+++ b/hw/arm/npcm7xx.c
@@ -433,6 +433,9 @@ static void npcm7xx_init(Object *obj)
 object_initialize_child(obj, "gpio[*]", &s->gpio[i], 
TYPE_NPCM7XX_GPIO);
 }
 
+object_initialize_child(obj, "gpiotx", &s->gpiotx,
+TYPE_GOOGLE_GPIO_TRANSMITTER);
+
 for (i = 0; i < ARRAY_SIZE(s->smbus); i++) {
 object_initialize_child(obj, "smbus[*]", &s->smbus[i],
 TYPE_NPCM7XX_SMBUS);
@@ -590,11 +593,15 @@ static void npcm7xx_realize(DeviceState *dev, Error 
**errp)
 sysbus_realize(SYS_BUS_DEVICE(&s->rng), &error_abort);
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->rng), 0, NPCM7XX_RNG_BA);
 
+sysbus_realize(SYS_BUS_DEVICE(&s->gpiotx), &error_abort);
+
 /* GPIO modules. Cannot fail. */
 QEMU_BUILD_BUG_ON(ARRAY_SIZE(npcm7xx_gpio) != ARRAY_SIZE(s->gpio));
 for (i = 0; i < ARRAY_SIZE(s->gpio); i++) {
 Object *obj = OBJECT(&s->gpio[i]);
 
+object_property_set_link(obj, "gpio-tx", OBJECT(&s->gpiotx),
+ &error_abort);
 object_property_set_uint(obj, "controller-num", i, &error_abort);
 object_property_set_uint(obj, "reset-pullup",
  npcm7xx_gpio[i].reset_pu, &error_abort);
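Review bot: `sysbus_realize(SYS_BUS_DEVICE(&s->gpiotx), &error_abort);` realizes the transmitter inside the SoC with no way, in this hunk or the npcm7xx_init hunk above, for a board to attach a chardev backend first: the transmitter's chardev property is not aliased onto the SoC, so a board would have to reach the "gpiotx" child by QOM path before SoC realize. If an unconnected backend is acceptable (the transmitter's realize is not on this page), say so at the call, e.g. `/* Transmitter chardev is optional; leave it unconnected to disable TX. */`; otherwise add an `object_property_add_alias()` for it in npcm7xx_init(). Setting the link with `&error_abort` is consistent with the neighbouring property assignments.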
diff --git a/hw/gpio/meson.build b/hw/gpio/meson.build
index db62c4ed00..900436f901 100644
--- a/hw/gpio/meson.build
+++ b/hw/gpio/meson.build
@@ -7,6 +7,7 @@ softmmu_ss.add(when: 'CONFIG_ZAURUS', if_true: 
files('zaurus.c'))
 
 softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('imx_gpio.c'))
 softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_gpio.c'))
+softmmu_ss.add(when: 'CONFIG_NPCM7XX', if_true: 
files('google_gpio_transmitter.c'))
 softmmu_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_gpio.c'))
 softmmu_ss.add(when: 'CONFIG_OMAP', if_true: files('omap_gpio.c'))
 softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_gpio.c'))
diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
index 5075f61b3b..0d683903a2 100644
--- a/hw/gpio/npcm7xx_gpio.c
+++ b/hw/gpio/npcm7xx_gpio.c
@@ -65,6 +65,16 @@ enum NPCM7xxGPIORegister {
 #define NPCM7XX_GPIO_LOCK_MAGIC1 (0xc0defa73)
 #define NPCM7XX_GPIO_LOCK_MAGIC2 (0xc0de1248)
 
+static void npcm7xx_gpio_tx_state(NPCM7xxGPIOState *s)
+{
+uint32_t state = s->regs[NPCM7XX_GPIO_DOUT] | s->regs[NPCM7XX_GPIO_DIN];
+
+/* Only TX if we have a transmitter */
+if (s->txs) {
+google_gpio_tx_transmit(s->txs, s->controller_num, state);
+}
+}
+
 static void npcm7xx_gpio_update_events(NPCM7xxGPIOState *s, uint32_t din_diff)
 {
 uint32_t din_new = s->regs[NPCM7XX_GPIO_DIN];
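Review bot: `uint32_t state = s->regs[NPCM7XX_GPIO_DOUT] | s->regs[NPCM7XX_GPIO_DIN];` defines the transmitted "pin state" as the OR of the output and input registers without saying why; if DIN already reflects driven output levels the DOUT term is redundant, and if it does not, an output driven low while the pin reads high cannot be expressed, so the intended meaning should be stated, e.g. `/* Pin level as seen externally: driven outputs OR sensed inputs. */` — please confirm against the model which case applies. Because npcm7xx_gpio_update_pins() now ends with this call (next hunk) and npcm7xx_gpio_hold_reset() calls update_pins(s, -1) (visible as context in patch 5/6), one packet per controller leaves on every reset; that is probably intended but deserves a sentence so the consumer does not mistake it for a spurious event. The packet contents are guest-influenced, so whatever reads the chardev should treat the controller byte and state word as untrusted input.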
@@ -147,6 +157,7 @@ static void npcm7xx_gpio_update_pins(NPCM7xxGPIOState *s, 
uint32_t diff)
 
 /* See if any new events triggered because of all this. */
 npcm7xx_gpio_update_events(s, din_old ^ s->regs[NPCM7XX_GPIO_DIN]);
+npcm7xx_gpio_tx_state(s);
 }
 
 static bool npcm7xx_gpio_is_locked(NPCM7xxGPIOState *s)
@@ -387,6 +398,9 @@ static const VMStateDescription vmstate_npcm7xx_gpio = {
 };
 
 static Property npcm7xx_gpio_properties[] = {
+/* Pointer to the GPIO state transmitter */
+DEFINE_PROP_LINK("gpio-tx", NPCM7xxGPIOState, txs,
+ TYPE_GOOGLE_GPIO_TRANSMITTER, GoogleGPIOTXState *),
 /* The GPIO controller number (out of 8) */
 DEFINE_PROP_UINT8("controller-num", NPCM7xxGPIOState, controller_num, 0),
 /* Bit n set => pin n has pullup enabled by default. */
diff --git a/include/hw/arm/npcm7xx.h b/include/hw/arm/npcm7xx.h
index 106cfb55bf..a52650010f 100644
--- a/include/hw/arm/npcm7xx.h
+++ b/include/hw/arm/npcm7xx.h
@@ -21,6 +21,7 @@
 #include "hw/core/split-irq.h"
 #include "hw/cpu/a9mpcore.h"
 #include "hw/gpio/npcm7xx_gpio.h"
+#include "hw/gpio/google_gpio_transmitter.h"
 #include "hw/i2c/npcm7xx_smbus.h"
 #include "hw/mem/npcm7xx_mc.h"
 #include "hw/misc/npcm7xx_clk.h"
@@ -99,6 +100,7 @@ typedef struct NPCM7xxState {
 NPCM7xxMCState  mc;
 NPCM7xxRNGState rng;
 NPCM7xxGPIOStategpio[8];
+GoogleGPIOTXState   gpiotx;
 NPCM7xxSMBusState   smbus[16];
 EHCISysBusState ehci;
 OHCISysBusState ohci;
diff --git a/include/hw/gpio/npcm7xx_gpio.h

[RFC PATCH 2/6] hw/gpio/gpio_transmitter: Add allowlist

2021-12-15 Thread Joe Komlodi
To avoid spamming whoever is connected to the chardev any time a pin state
changes, we'll provide an allowlist so the transmitter only transmits on
state changes the user cares about.

The allowlist is a qdev property that takes in an array of pin numbers
to pay attention to, and maps it to a relative pin number on a
controller, assuming each controller has 32 pins.

If no allowlist is specified, we transmit on any pin update.

Signed-off-by: Joe Komlodi 
---
 hw/gpio/google_gpio_transmitter.c | 122 ++
 include/hw/gpio/google_gpio_transmitter.h |  20 
 2 files changed, 142 insertions(+)

diff --git a/hw/gpio/google_gpio_transmitter.c 
b/hw/gpio/google_gpio_transmitter.c
index 3429121ccb..b0331e8f03 100644
--- a/hw/gpio/google_gpio_transmitter.c
+++ b/hw/gpio/google_gpio_transmitter.c
@@ -19,6 +19,7 @@
 
 #include "qemu/osdep.h"
 
+#include "migration/vmstate.h"
 #include "hw/gpio/google_gpio_transmitter.h"
 #include "hw/qdev-properties-system.h"
 #include "hw/sysbus.h"
@@ -28,11 +29,36 @@
 
 #define PACKET_REVISION 0x01
 
+static bool google_gpio_tx_check_allowlist(GoogleGPIOTXState *s,
+   uint32_t controller, uint32_t gpios)
+{
+/* If the user didn't give us a list, allow everything */
+if (!s->gpio_state_by_ctlr) {
+return true;
+}
+
+GPIOCtlrState *gs = g_hash_table_lookup(s->gpio_state_by_ctlr, 
&controller);
+
+if (!gs) {
+return false;
+}
+
+bool updated = (gs->gpios & gs->allowed) != (gpios & gs->allowed);
+/* Update the new state */
+gs->gpios = gpios;
+
+return updated;
+}
+
 void google_gpio_tx_transmit(GoogleGPIOTXState *s, uint8_t controller,
   uint32_t gpios)
 {
 uint8_t packet[6];
 
+if (!google_gpio_tx_check_allowlist(s, controller, gpios)) {
+return;
+}
+
 packet[0] = PACKET_REVISION;
 packet[1] = controller;
 memcpy(&packet[2], &gpios, sizeof(gpios));
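Review bot: `google_gpio_tx_check_allowlist` declares `gs` and `updated` after the first `if`; as I recall QEMU's style guide asks for declarations at the start of a block, so hoist `GPIOCtlrState *gs;` and `bool updated;` above the early return. The first call after realize compares against a `gs->gpios` that is zero unless google_gpio_tx_state_init ran (both outside this hunk), so an initial state whose allowed bits are all clear is never announced while any other initial state is; a comment on the function such as `/* Returns true if any allowed pin of this controller changed since the last call; the first call compares against the state set by google_gpio_tx_state_init, or zero. */` would make that explicit. `controller` is widened to uint32_t here so the lookup key matches the key type stored by the allowlist setup; a one-line comment saying so would save the next reader a lookup.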
@@ -91,18 +117,112 @@ static int google_gpio_tx_can_receive(void *opaque)
 return 1;
 }
 
+void google_gpio_tx_state_init(GoogleGPIOTXState *s, uint8_t controller,
+   uint32_t gpios)
+{
+if (!s->gpio_state_by_ctlr) {
+return;
+}
+
+GPIOCtlrState *gs = g_hash_table_lookup(s->gpio_state_by_ctlr, 
&controller);
+if (gs) {
+gs->gpios = gpios;
+}
+}
+
+void google_gpio_tx_allowlist_qdev_init(GoogleGPIOTXState *s,
+const uint32_t *allowed_pins,
+size_t num)
+{
+size_t i;
+char propname[64];
+
+qdev_prop_set_uint32(DEVICE(s), "len-gpio-allowlist", num);
+
+for (i = 0; i < num; i++) {
+snprintf(propname, sizeof(propname), "gpio-allowlist[%zu]", i);
+qdev_prop_set_uint32(DEVICE(s), propname, allowed_pins[i]);
+}
+}
+
+static void google_gpio_tx_allowlist_init(GoogleGPIOTXState *s)
+{
+size_t i;
+GPIOCtlrState *gs;
+
+if (!s->gpio_allowlist) {
+return;
+}
+
+s->gpio_state_by_ctlr = g_hash_table_new_full(g_int_hash, g_int_equal,
+  g_free, g_free);
+
+for (i = 0; i < s->gpio_allowlist_sz; i++) {
+uint32_t controller = s->gpio_allowlist[i] / 32;
+uint32_t pin = (1 << (s->gpio_allowlist[i] % 32));
+
+gs = g_hash_table_lookup(s->gpio_state_by_ctlr, &controller);
+if (gs) {
+gs->allowed |= pin;
+} else {
+gs = g_malloc0(sizeof(*gs));
+gs->allowed |= pin;
+/*
+ * The hash table relies on a pointer to be the key, so the pointer
+ * containing the controller num must remain unchanged.
+ * Because of that, just allocate a new key with the controller 
num.
+ */
+uint32_t *ctlr = g_memdup(&controller, sizeof(controller));
+g_hash_table_insert(s->gpio_state_by_ctlr, ctlr, gs);
+}
+}
+}
+
 static void google_gpio_tx_realize(DeviceState *dev, Error **errp)
 {
 GoogleGPIOTXState *s = GOOGLE_GPIO_TX(dev);
 
+google_gpio_tx_allowlist_init(s);
+
 qemu_chr_fe_set_handlers(&s->chr, google_gpio_tx_can_receive,
  google_gpio_tx_receive,
  google_gpio_tx_event,
  NULL, OBJECT(s), NULL, true);
 }
 
+static void google_gpio_tx_finalize(Object *obj)
+{
+GoogleGPIOTXState *s = GOOGLE_GPIO_TX(obj);
+
+g_hash_table_destroy(s->gpio_state_by_ctlr);
+g_free(s->gpio_allowlist);
+}
+
+static int google_gpio_tx_post_load(void *opaque, int version_id)
+{
+GoogleGPIOTXState *s = GOOGLE_GPIO_TX(opaque);
+
+google_gpio_tx_allowlist_init(s);
+return 0;
+}
+
+static const VMStateDescription vmstate_google_gpio_tx = {
+.name = "gpio_transmitter",
+.version_id = 1,
+.minimum_version_id = 1,
+.post_load = google_gpio_tx_post_load,
+.fi

[RFC PATCH 6/6] qtests/gpio_transmitter: Add test

2021-12-15 Thread Joe Komlodi
This tests each NPCM7xx GPIO controller to make sure that when GPIO state is
updated, the controller sends a request to the GPIO transmitter to transmit the
data via chardev.
Along with that, we verify that the data is formatted correctly.

Signed-off-by: Joe Komlodi 
---
 tests/qtest/google_gpio_tx-test.c | 216 ++
 tests/qtest/meson.build   |   1 +
 2 files changed, 217 insertions(+)
 create mode 100644 tests/qtest/google_gpio_tx-test.c

diff --git a/tests/qtest/google_gpio_tx-test.c 
b/tests/qtest/google_gpio_tx-test.c
new file mode 100644
index 00..651c0501bc
--- /dev/null
+++ b/tests/qtest/google_gpio_tx-test.c
@@ -0,0 +1,216 @@
+/*
+ * QTest testcase for the Google GPIO Transmitter, using the NPCM7xx GPIO
+ * controller.
+ *
+ * Copyright 2021 Google LLC
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "qemu/osdep.h"
+#include "libqtest-single.h"
+#include "libqos/libqtest.h"
+
+#define NR_GPIO_DEVICES (8)
+#define GPIO(x) (0xf001 + (x) * 0x1000)
+
+/* GPIO registers */
+#define GP_N_TLOCK1 0x00
+#define GP_N_DIN0x04 /* Data IN */
+#define GP_N_POL0x08 /* Polarity */
+#define GP_N_DOUT   0x0c /* Data OUT */
+#define GP_N_OE 0x10 /* Output Enable */
+#define GP_N_OTYP   0x14
+#define GP_N_MP 0x18
+#define GP_N_PU 0x1c /* Pull-up */
+#define GP_N_PD 0x20 /* Pull-down */
+#define GP_N_DBNC   0x24 /* Debounce */
+#define GP_N_EVTYP  0x28 /* Event Type */
+#define GP_N_EVBE   0x2c /* Event Both Edge */
+#define GP_N_OBL0   0x30
+#define GP_N_OBL1   0x34
+#define GP_N_OBL2   0x38
+#define GP_N_OBL3   0x3c
+#define GP_N_EVEN   0x40 /* Event Enable */
+#define GP_N_EVENS  0x44 /* Event Set (enable) */
+#define GP_N_EVENC  0x48 /* Event Clear (disable) */
+#define GP_N_EVST   0x4c /* Event Status */
+#define GP_N_SPLCK  0x50
+#define GP_N_MPLCK  0x54
+#define GP_N_IEM0x58 /* Input Enable */
+#define GP_N_OSRC   0x5c
+#define GP_N_ODSC   0x60
+#define GP_N_DOS0x68 /* Data OUT Set */
+#define GP_N_DOC0x6c /* Data OUT Clear */
+#define GP_N_OES0x70 /* Output Enable Set */
+#define GP_N_OEC0x74 /* Output Enable Clear */
+#define GP_N_TLOCK2 0x7c
+
+#define PACKET_REVISION 0x01
+
+typedef enum {
+GPIOTXCODE_OK  = 0x00,
+GPIOTXCODE_MALFORMED_PKT   = 0xe0,
+GPIOTXCODE_UNKNOWN_VERSION = 0xe1,
+} GPIOTXCode;
+
+static int sock;
+static int fd;
+
+static in_port_t open_socket(void)
+{
+struct sockaddr_in myaddr;
+struct timeval timeout = { .tv_sec = 1, };
+socklen_t addrlen;
+
+myaddr.sin_family = AF_INET;
+myaddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+myaddr.sin_port = 0;
+sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+g_assert(sock != -1);
+g_assert(bind(sock, (struct sockaddr *) &myaddr, sizeof(myaddr)) != -1);
+setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+
+addrlen = sizeof(myaddr);
+g_assert(getsockname(sock, (struct sockaddr *) &myaddr , &addrlen) != -1);
+g_assert(listen(sock, 1) != -1);
+return ntohs(myaddr.sin_port);
+}
+
+static void setup_fd(void)
+{
+fd_set readfds;
+
+FD_ZERO(&readfds);
+FD_SET(sock, &readfds);
+g_assert(select(sock + 1, &readfds, NULL, NULL, NULL) == 1);
+
+fd = accept(sock, NULL, 0);
+}
+
+/*
+ * The GPIO controller is naturally chatty and will send us state updates when
+ * any register is written to, since it could impact the GPIO state.
+ * For our purposes, we only care when we set DOUT, so we use this to discard
+
+ * state changes we don't care about.
+ */
+static void purge_read_queue(void)
+{
+uint8_t buf[256];
+ssize_t ret;
+
+do {
+ret = read(fd, buf, sizeof(buf));
+} while (ret > 0);
+}
+
+static void gpio_unlock(int n)
+{
+if (readl(GPIO(n) + GP_N_TLOCK1) != 0) {
+writel(GPIO(n) + GP_N_TLOCK2, 0xc0de1248);
+writel(GPIO(n) + GP_N_TLOCK1, 0xc0defa73);
+}
+}
+
+/* Restore the GPIO controller to a sensible default state. */
+static void gpio_reset(int n)
+{
+gpio_unlock(0);
+
+writel(GPIO(n) + GP_N_EVEN, 0x);
+writel(GPIO(n) + GP_N_EVST, 0x);
+writel(GPIO(n) + GP_N_POL, 0x);
+writel(GPIO(n) + GP_N_DOUT, 0x);
+writel(GPIO(n) + GP_N_OE, 0x);
+writel(GPIO(n) + GP_N_OTYP, 0x);
+writel(GPIO(n) + GP_N_PU, 0x);
+writel(GPIO(n) + GP

RE: [PATCH v2] MAINTAINERS: Change my email address

2021-12-15 Thread Zhang, Chen


> -Original Message-
> From: Qemu-devel  bounces+chen.zhang=intel@nongnu.org> On Behalf Of Philippe
> Mathieu-Daudé
> Sent: Tuesday, December 14, 2021 6:18 PM
> To: Daniel P. Berrangé 
> Cc: Hailiang Zhang ; quint...@redhat.com;
> Wen Congyang ; qemu-devel@nongnu.org;
> dgilb...@redhat.com; Gonglei 
> Subject: Re: [PATCH v2] MAINTAINERS: Change my email address
> 
> On 12/14/21 10:22, Daniel P. Berrangé wrote:
> > On Tue, Dec 14, 2021 at 10:04:03AM +0100, Philippe Mathieu-Daudé wrote:
> >> On 12/14/21 08:54, Hailiang Zhang wrote:
> >>> The zhang.zhanghaili...@huawei.com email address has been stopped.
> >>> Change it to my new email address.
> >>>
> >>> Signed-off-by: Hailiang Zhang 
> >>> ---
> >>> hi Juan & Dave,
> >>>
> >>> Firstly, thank you for your working on maintaining the COLO framework.
> >>> I didn't have much time on it in the past days.
> >>>
> >>> I may have some time in the next days since my job has changed.
> >>>
> >>> Because of my old email being stopped, i can not use it to send this 
> >>> patch.
> >>> Please help me to merge this patch.
> >>
> >> Can we have an Ack-by from someone working at Huawei?
> >
> > Why do we need that ?
> 
> To avoid anyone impersonating Hailiang Zhang...
> 
> But it doesn't have to be from the same company, as long as someone
> knowing him vouches for the change. Anyhow I am not nacking this patch, I am
> trying to have a safer process.
> 
> > Subsystems are not owned by companies.
> >
> > If someone moves company and wants to carry on in their existing role
> > as maintainer that is fine and doesn't need approval from their old
> > company IMHO.
> 
> I agree, this is why it is better to send that kind of change from the to-be-
> stopped email address while it is still valid.

Synced with Hailiang Zhang offline, verified.
Acked-by: Zhang Chen 

Thanks
Chen

> 
> Thanks,
> 
> Phil.
> 



Re: [PULL 00/13] Block device patches patches for 2021-12-15

2021-12-15 Thread Richard Henderson

On 12/15/21 6:02 AM, Markus Armbruster wrote:

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into 
staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

   git://repo.or.cz/qemu/armbru.git tags/pull-block-2021-12-15

for you to fetch changes up to 95fd260f0a3663ed229b8e0d2ef111a9f8bd93ad:

   blockdev: Drop unused drive_get_next() (2021-12-15 14:56:14 +0100)


Block device patches patches for 2021-12-15


Markus Armbruster (13):
   hw/sd/ssi-sd: Do not create SD card within controller's realize
   hw: Replace trivial drive_get_next() by drive_get()
   hw/arm/npcm7xx_boards: Replace drive_get_next() by drive_get()
   hw/arm/versatilepb hw/arm/vexpress: Replace drive_get_next() by 
drive_get()
   hw/arm/imx25_pdk: Replace drive_get_next() by drive_get()
   hw/arm/mcimx6ul-evk: Replace drive_get_next() by drive_get()
   hw/arm/mcimx7d-sabre: Replace drive_get_next() by drive_get()
   hw/arm/xlnx-versal-virt: Replace drive_get_next() by drive_get()
   hw/microblaze: Replace drive_get_next() by drive_get()
   hw/arm/xlnx-zcu102: Replace drive_get_next() by drive_get()
   hw/arm/xilinx_zynq: Replace drive_get_next() by drive_get()
   hw/arm/aspeed: Replace drive_get_next() by drive_get()
   blockdev: Drop unused drive_get_next()

  include/sysemu/blockdev.h   |  1 -
  blockdev.c  | 10 --
  hw/arm/aspeed.c | 21 +
  hw/arm/cubieboard.c |  2 +-
  hw/arm/imx25_pdk.c  |  2 +-
  hw/arm/integratorcp.c   |  2 +-
  hw/arm/mcimx6ul-evk.c   |  2 +-
  hw/arm/mcimx7d-sabre.c  |  2 +-
  hw/arm/msf2-som.c   |  2 +-
  hw/arm/npcm7xx_boards.c |  6 +++---
  hw/arm/orangepi.c   |  2 +-
  hw/arm/raspi.c  |  2 +-
  hw/arm/realview.c   |  2 +-
  hw/arm/sabrelite.c  |  2 +-
  hw/arm/stellaris.c  | 15 ++-
  hw/arm/versatilepb.c|  4 ++--
  hw/arm/vexpress.c   |  6 +++---
  hw/arm/xilinx_zynq.c| 16 +---
  hw/arm/xlnx-versal-virt.c   |  3 ++-
  hw/arm/xlnx-zcu102.c|  6 +++---
  hw/microblaze/petalogix_ml605_mmu.c |  2 +-
  hw/misc/sifive_u_otp.c  |  4 ++--
  hw/riscv/microchip_pfsoc.c  |  2 +-
  hw/riscv/sifive_u.c | 15 +--
  hw/sd/ssi-sd.c  | 29 +
  hw/sparc64/niagara.c|  2 +-
  26 files changed, 78 insertions(+), 84 deletions(-)


Applied, thanks.

r~




Re: [PULL 31/33] tests/acpi: add test case for VIOT

2021-12-15 Thread Richard Henderson

On 12/15/21 2:40 AM, Peter Maydell wrote:

From: Jean-Philippe Brucker 

Add two test cases for VIOT, one on the q35 machine and the other on
virt. To test complex topologies the q35 test has two PCIe buses that
bypass the IOMMU (and are therefore not described by VIOT), and two
buses that are translated by virtio-iommu.

Reviewed-by: Eric Auger 
Reviewed-by: Igor Mammedov 
Signed-off-by: Jean-Philippe Brucker 
Message-id: 20211210170415.583179-7-jean-phili...@linaro.org
Signed-off-by: Peter Maydell 
---
  tests/qtest/bios-tables-test.c | 38 ++
  1 file changed, 38 insertions(+)


I should have been more careful while applying.  The aarch64 host failure for this is not 
transient as I first assumed:


PASS 5 qtest-aarch64/bios-tables-test /aarch64/acpi/virt/oem-fields
qemu-system-aarch64: kvm_init_vcpu: kvm_arch_init_vcpu failed (0): Invalid 
argument
Broken pipe
ERROR qtest-aarch64/bios-tables-test - too few tests run (expected 6, got 5)
make: *** [Makefile.mtest:312: run-test-37] Error 1


r~



diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 258874167ef..58df53b15b5 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1465,6 +1465,42 @@ static void test_acpi_virt_tcg(void)
  free_test_data(&data);
  }
  
+static void test_acpi_q35_viot(void)

+{
+test_data data = {
+.machine = MACHINE_Q35,
+.variant = ".viot",
+};
+
+/*
+ * To keep things interesting, two buses bypass the IOMMU.
+ * VIOT should only describes the other two buses.
+ */
+test_acpi_one("-machine default_bus_bypass_iommu=on "
+  "-device virtio-iommu-pci "
+  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
+  "-device 
pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
+  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
+  &data);
+free_test_data(&data);
+}
+
+static void test_acpi_virt_viot(void)
+{
+test_data data = {
+.machine = "virt",
+.uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
+.uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
+.cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
+.ram_start = 0x4000ULL,
+.scan_len = 128ULL * 1024 * 1024,
+};
+
+test_acpi_one("-cpu cortex-a57 "
+  "-device virtio-iommu-pci", &data);
+free_test_data(&data);
+}
+
  static void test_oem_fields(test_data *data)
  {
  int i;
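Review bot: `test_acpi_virt_viot` passes `-cpu cortex-a57` without marking the test TCG-only, and the failure quoted above (`kvm_arch_init_vcpu failed` on an aarch64 host) is what happens when the harness selects KVM for it; if `test_data` has the `tcg_only` flag the other virt tests use (their initializers are outside this hunk), add `.tcg_only = true,` to the initializer. The comment in `test_acpi_q35_viot` should read `VIOT should only describe the other two buses.`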
@@ -1639,6 +1675,7 @@ int main(int argc, char *argv[])
  qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
  qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
  }
+qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
  } else if (strcmp(arch, "aarch64") == 0) {
  if (has_tcg) {
  qtest_add_func("acpi/virt", test_acpi_virt_tcg);
@@ -1646,6 +1683,7 @@ int main(int argc, char *argv[])
  qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
  qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
  qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
+qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
  }
  }
  ret = g_test_run();






[RFC 3/5] libvhost-user: Simplify VHOST_USER_REM_MEM_REG

2021-12-15 Thread Raphael Norwitz
From: David Hildenbrand 

Let's avoid having to manually copy all elements. Copy only the ones
necessary to close the hole and perform the operation in-place without
a second array.

Signed-off-by: David Hildenbrand 
Signed-off-by: Raphael Norwitz 
---
 subprojects/libvhost-user/libvhost-user.c | 30 +++
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/subprojects/libvhost-user/libvhost-user.c 
b/subprojects/libvhost-user/libvhost-user.c
index 80ef335254..714cc7e08b 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -802,10 +802,8 @@ static inline bool reg_equal(VuDevRegion *vudev_reg,
 
 static bool
 vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
-int i, j;
-bool found = false;
-VuDevRegion shadow_regions[VHOST_USER_MAX_RAM_SLOTS] = {};
 VhostUserMemoryRegion m = vmsg->payload.memreg.region, *msg_region = &m;
+int i;
 
 if (vmsg->fd_num != 1 ||
 vmsg->size != sizeof(vmsg->payload.memreg)) {
@@ -823,28 +821,28 @@ vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 DPRINT("mmap_offset  0x%016"PRIx64"\n",
msg_region->mmap_offset);
 
-for (i = 0, j = 0; i < dev->nregions; i++) {
-if (!reg_equal(&dev->regions[i], msg_region)) {
-shadow_regions[j].gpa = dev->regions[i].gpa;
-shadow_regions[j].size = dev->regions[i].size;
-shadow_regions[j].qva = dev->regions[i].qva;
-shadow_regions[j].mmap_addr = dev->regions[i].mmap_addr;
-shadow_regions[j].mmap_offset = dev->regions[i].mmap_offset;
-j++;
-} else {
-found = true;
+for (i = 0; i < dev->nregions; i++) {
+if (reg_equal(&dev->regions[i], msg_region)) {
 VuDevRegion *r = &dev->regions[i];
 void *m = (void *) (uintptr_t) r->mmap_addr;
 
 if (m) {
 munmap(m, r->size + r->mmap_offset);
 }
+
+break;
 }
 }
 
-if (found) {
-memcpy(dev->regions, shadow_regions,
-   sizeof(VuDevRegion) * VHOST_USER_MAX_RAM_SLOTS);
+if (i < dev->nregions) {
+/*
+ * Shift all affected entries by 1 to close the hole at index i and
+ * zero out the last entry.
+ */
+memmove(dev->regions + i, dev->regions + i + 1,
+   sizeof(VuDevRegion) * (dev->nregions - i - 1));
+memset(dev->regions + dev->nregions - 1, 0,
+   sizeof(VuDevRegion));
 DPRINT("Successfully removed a region\n");
 dev->nregions--;
 vmsg_set_reply_u64(vmsg, 0);
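Review bot: `i` is declared `int` (first hunk) yet compared with and subtracted from `dev->nregions`; if `nregions` is unsigned, as I believe VuDev declares it, the comparison is mixed-sign and `dev->nregions - i - 1` is unsigned arithmetic — correct here only because `i < nregions` holds on that path — so declaring `i` with the type of `nregions` removes both the -Wsign-compare warning and the reasoning. The message arrives with one fd (the check above requires it), and nothing in the visible path closes it on either the success or the not-found path; unless vu_dispatch closes leftover message fds generically, each removal leaks a descriptor. The in-place `memmove` plus zeroing of the last slot is a clear improvement over the shadow array.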
-- 
2.20.1



[RFC 4/5] libvhost-user: prevent over-running max RAM slots

2021-12-15 Thread Raphael Norwitz
When VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS support was added to
libvhost-user, no guardrails were added to protect against QEMU
attempting to hot-add too many RAM slots to a VM with a libvhost-user
based backend attached.

This change adds the missing error handling by introducing a check on
the number of RAM slots the device has available before proceeding to
process the VHOST_USER_ADD_MEM_REG message.

Suggested-by: Stefan Hajnoczi 
Signed-off-by: Raphael Norwitz 
---
 subprojects/libvhost-user/libvhost-user.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/subprojects/libvhost-user/libvhost-user.c 
b/subprojects/libvhost-user/libvhost-user.c
index 714cc7e08b..74a9980194 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -690,6 +690,11 @@ vu_add_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 VuDevRegion *dev_region = &dev->regions[dev->nregions];
 void *mmap_addr;
 
+if (dev->nregions == VHOST_USER_MAX_RAM_SLOTS) {
+vu_panic(dev, "No free ram slots available");
+return true;
+}
+
 if (vmsg->fd_num != 1 ||
 vmsg->size != sizeof(vmsg->payload.memreg)) {
 vu_panic(dev, "VHOST_USER_REM_MEM_REG received multiple regions");
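Review bot: The slot check uses `==` where `>=` costs nothing and also catches an `nregions` that is somehow already past the bound, and it runs after `dev_region` has been formed from `dev->regions[dev->nregions]`, which is a one-past-the-end pointer when the check fires — legal since it is not dereferenced, but clearer if the check precedes the pointer computation. The fd accompanying the message (the `fd_num != 1` check below requires one) is not closed on this panic path. The context line's message names VHOST_USER_REM_MEM_REG inside the add handler, which patch 2 of this series should correct. vu_add_mem_reg's body continues outside the hunk.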
-- 
2.20.1



[RFC 0/5] Clean up error handling in libvhost-user memory mapping

2021-12-15 Thread Raphael Norwitz
Hey Stefan, Marc-Andre, MST, David -

As promised here is a series cleaning up error handling in the
libvhost-user memory mapping path. Most of these cleanups are
straightforward and have been discussed on the mailing list in threads
[1] and [2]. Hopefully there is nothing super controversial in the first
4 patches.

What I am concerned about is patch 5 “libvhost-user: handle removal of
identical regions”. From my reading of Stefan's comments in [1], the
proposal seemed to be to remove any duplicate regions. I’d prefer to
prevent duplicate regions from being added in the first place. Thoughts? 

[1] 
https://lore.kernel.org/qemu-devel/20211018143319.GA11006@raphael-debian-dev/
[2] 
https://lore.kernel.org/qemu-devel/9391f500-70be-26cf-bcfc-591d3ee84...@redhat.com/

Sorry for the delay,
Raphael

David Hildenbrand (1):
  libvhost-user: Simplify VHOST_USER_REM_MEM_REG

Raphael Norwitz (4):
  libvhost-user: Add vu_rem_mem_reg input validation
  libvhost-user: Add vu_add_mem_reg input validation
  libvhost-user: prevent over-running max RAM slots
  libvhost-user: handle removal of identical regions

 subprojects/libvhost-user/libvhost-user.c | 52 +++
 1 file changed, 34 insertions(+), 18 deletions(-)

-- 
2.20.1


[RFC 5/5] libvhost-user: handle removal of identical regions

2021-12-15 Thread Raphael Norwitz
Today if QEMU (or any other VMM) has sent multiple copies of the same
region to a libvhost-user based backend and then attempts to remove the
region, only one instance of the region will be removed, leaving stale
copies of the region in dev->regions[].

This change resolves this by having vu_rem_mem_reg() iterate through all
regions in dev->regions[] and delete all matching regions.

Suggested-by: Stefan Hajnoczi 
Signed-off-by: Raphael Norwitz 
---
 subprojects/libvhost-user/libvhost-user.c | 27 ---
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/subprojects/libvhost-user/libvhost-user.c 
b/subprojects/libvhost-user/libvhost-user.c
index 74a9980194..2f465a4f0e 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -809,6 +809,7 @@ static bool
 vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 VhostUserMemoryRegion m = vmsg->payload.memreg.region, *msg_region = &m;
 int i;
+bool found = false;
 
 if (vmsg->fd_num != 1 ||
 vmsg->size != sizeof(vmsg->payload.memreg)) {
@@ -831,25 +832,25 @@ vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 VuDevRegion *r = &dev->regions[i];
 void *m = (void *) (uintptr_t) r->mmap_addr;
 
-if (m) {
+if (m && !found) {
 munmap(m, r->size + r->mmap_offset);
 }
 
-break;
+/*
+ * Shift all affected entries by 1 to close the hole at index i and
+ * zero out the last entry.
+ */
+memmove(dev->regions + i, dev->regions + i + 1,
+sizeof(VuDevRegion) * (dev->nregions - i - 1));
+memset(dev->regions + dev->nregions - 1, 0, sizeof(VuDevRegion));
+DPRINT("Successfully removed a region\n");
+dev->nregions--;
+
+found = true;
 }
 }
 
-if (i < dev->nregions) {
-/*
- * Shift all affected entries by 1 to close the hole at index i and
- * zero out the last entry.
- */
-memmove(dev->regions + i, dev->regions + i + 1,
-   sizeof(VuDevRegion) * (dev->nregions - i - 1));
-memset(dev->regions + dev->nregions - 1, 0,
-   sizeof(VuDevRegion));
-DPRINT("Successfully removed a region\n");
-dev->nregions--;
+if (found) {
 vmsg_set_reply_u64(vmsg, 0);
 } else {
 vu_panic(dev, "Specified region not found\n");
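Review bot: After `memmove` closes the hole at index `i` and `nregions` is decremented, the `for` still increments `i` and skips the entry that just moved into slot `i`, so a duplicate immediately following a removed region survives — exactly the case this patch exists to handle; add `i--;` after `dev->nregions--;`. The `m && !found` guard unmaps only the first match, but each ADD_MEM_REG performed its own mmap, so identical regions hold distinct `mmap_addr` values (assuming reg_equal, outside the hunk, does not compare mmap_addr) and the later duplicates' mappings leak; drop `!found` and unmap every match. `found = true` and the final reply/panic split are fine as written.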
-- 
2.20.1



[RFC 2/5] libvhost-user: Add vu_add_mem_reg input validation

2021-12-15 Thread Raphael Norwitz
Signed-off-by: Raphael Norwitz 
---
 subprojects/libvhost-user/libvhost-user.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/subprojects/libvhost-user/libvhost-user.c 
b/subprojects/libvhost-user/libvhost-user.c
index 573212a83b..80ef335254 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -690,6 +690,12 @@ vu_add_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 VuDevRegion *dev_region = &dev->regions[dev->nregions];
 void *mmap_addr;
 
+if (vmsg->fd_num != 1 ||
+vmsg->size != sizeof(vmsg->payload.memreg)) {
+vu_panic(dev, "VHOST_USER_REM_MEM_REG received multiple regions");
+return true;
+}
+
 /*
  * If we are in postcopy mode and we receive a u64 payload with a 0 value
  * we know all the postcopy client bases have been received, and we
-- 
2.20.1



[RFC 1/5] libvhost-user: Add vu_rem_mem_reg input validation

2021-12-15 Thread Raphael Norwitz
Signed-off-by: Raphael Norwitz 
---
 subprojects/libvhost-user/libvhost-user.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/subprojects/libvhost-user/libvhost-user.c 
b/subprojects/libvhost-user/libvhost-user.c
index 787f4d2d4f..573212a83b 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -801,6 +801,12 @@ vu_rem_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
 VuDevRegion shadow_regions[VHOST_USER_MAX_RAM_SLOTS] = {};
 VhostUserMemoryRegion m = vmsg->payload.memreg.region, *msg_region = &m;
 
+if (vmsg->fd_num != 1 ||
+vmsg->size != sizeof(vmsg->payload.memreg)) {
+vu_panic(dev, "VHOST_USER_REM_MEM_REG received multiple regions");
+return true;
+}
+
 DPRINT("Removing region:\n");
 DPRINT("guest_phys_addr: 0x%016"PRIx64"\n",
msg_region->guest_phys_addr);
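Review bot: The message "received multiple regions" describes neither condition the new check rejects (no fd, or a payload whose size is not a memreg); a message reporting the counts, e.g. `vu_panic(dev, "VHOST_USER_REM_MEM_REG expects 1 fd and a memreg payload, got %d fds and %u bytes", vmsg->fd_num, vmsg->size);`, makes a misbehaving frontend diagnosable. When `fd_num` is nonzero on this path the received fds are dropped unclosed; close them before panicking. vu_rem_mem_reg continues past the hunk, so I cannot see whether the fd is closed on the success path either.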
-- 
2.20.1



Re: [PATCH v4 02/14] tests/avocado: Specify target VM argument to helper routines

2021-12-15 Thread Beraldo Leal
On Wed, Dec 15, 2021 at 10:35:26AM -0500, Jagannathan Raman wrote:
> Specify target VM for exec_command and
> exec_command_and_wait_for_pattern routines
> 
> Signed-off-by: Elena Ufimtseva 
> Signed-off-by: John G Johnson 
> Signed-off-by: Jagannathan Raman 
> ---
>  tests/avocado/avocado_qemu/__init__.py | 10 ++
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/tests/avocado/avocado_qemu/__init__.py 
> b/tests/avocado/avocado_qemu/__init__.py
> index 75063c0c30..26ac782f53 100644
> --- a/tests/avocado/avocado_qemu/__init__.py
> +++ b/tests/avocado/avocado_qemu/__init__.py
> @@ -198,7 +198,7 @@ def wait_for_console_pattern(test, success_message, 
> failure_message=None,
>  """
>  _console_interaction(test, success_message, failure_message, None, vm=vm)
>  
> -def exec_command(test, command):
> +def exec_command(test, command, vm=None):

nitpick: if possible, it would be nice to update the docstring, by
adding this new argument.

>  """
>  Send a command to a console (appending CRLF characters), while logging
>  the content.
> @@ -208,10 +208,11 @@ def exec_command(test, command):
>  :param command: the command to send
>  :type command: str
>  """
> -_console_interaction(test, None, None, command + '\r')
> +_console_interaction(test, None, None, command + '\r', vm=vm)
>  
>  def exec_command_and_wait_for_pattern(test, command,
> -  success_message, failure_message=None):
> +  success_message, failure_message=None,
> +  vm=None):

Same here.

Other than that, lgtm.

Reviewed-by: Beraldo Leal 

--
Beraldo




[RFC qemu.qmp PATCH 19/24] python: configure sphinx

2021-12-15 Thread John Snow
With a Sphinx project auto-generated, configure it to be something a bit
more useful. And pretty.

Signed-off-by: John Snow 
---
 docs/conf.py | 45 -
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/docs/conf.py b/docs/conf.py
index c7ce779..7db99c2 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -9,18 +9,28 @@
 # If extensions (or modules to document with autodoc) are in another directory,
 # add these directories to sys.path here. If the directory is relative to the
 # documentation root, use os.path.abspath to make it absolute, like shown here.
-#
-# import os
-# import sys
-# sys.path.insert(0, '/home/jsnow/src/tmp/qemu.qmp/qemu')
+
+import os
+import sys
+sys.path.insert(0, os.path.abspath('../'))
 
 
 # -- Project information -
 
-project = 'qemu'
-copyright = '2021, Author'
-author = 'Author'
+project = 'QEMU Monitor Protocol (QMP) Library'
+copyright = '2009-2021, QEMU Project'
+author = 'John Snow'
 
+try:
+import setuptools_scm
+extracted_version = setuptools_scm.get_version()
+except:
+extracted_version = None
+finally:
+if extracted_version:
+version = release = extracted_version
+else:
+version = release = "unknown version"
 
 # -- General configuration ---
 
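Review bot: The bare `except:` around `setuptools_scm.get_version()` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and the `try`/`except`/`finally` shape hides that `finally` is only carrying the normal assignment. Catch the two failures that can actually occur — the module missing, and (I believe) `LookupError` when the checkout has no usable tag — with `except (ImportError, LookupError): extracted_version = None`, then assign `version = release = extracted_version or "unknown version"` after the block.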
@@ -51,13 +61,30 @@ language = 'en'
 # This pattern also affects html_static_path and html_extra_path.
 exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
 
+# Interpret `this` to be a cross-reference to "anything".
+default_role = 'any'
 
 # -- Options for HTML output -
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
+
+# 
https://sphinx-rtd-theme.readthedocs.io/en/stable/configuring.html#theme-options
+html_theme_options = {
+'collapse_navigation': False,
+'display_version': True,
+'prev_next_buttons_location': 'both',
+}
+
+html_context = {
+"display_gitlab": True,
+"gitlab_user": "jsnow",
+"gitlab_repo": "qemu.qmp",
+"gitlab_version": "main",
+"conf_py_path": "/docs/",
+}
 
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
@@ -77,4 +104,4 @@ intersphinx_mapping = {
 # -- Options for todo extension --
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
-todo_include_todos = True
\ No newline at end of file
+todo_include_todos = True
-- 
2.31.1




Re: [PATCH v3] monitor: move x-query-profile into accel/tcg to fix build

2021-12-15 Thread Mark Cave-Ayland

On 15/12/2021 14:04, Alex Bennée wrote:


As --enable-profiler isn't defended in CI we missed this breakage.
Move the qmp handler into accel/tcg so we have access to the helpers
we need. While we are at it ensure we gate the feature on CONFIG_TCG.

Signed-off-by: Alex Bennée 
Suggested-by: Daniel P. Berrangé 
Reported-by: Mark Cave-Ayland 
Fixes: 37087fde0e ("qapi: introduce x-query-profile QMP command")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/773
Reviewed-by: Daniel P. Berrangé 
Message-Id: <20211214195048.1438209-1-alex.ben...@linaro.org>

---
v3
   - also add #ifdef CONFIG_TCG to hmp-commands-info.hx
---
  qapi/machine.json|  1 +
  accel/tcg/cpu-exec.c | 31 +++
  monitor/qmp-cmds.c   | 31 ---
  hmp-commands-info.hx |  2 ++
  4 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index 067e3f5378..0c9f24a712 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -1492,6 +1492,7 @@
  ##
  { 'command': 'x-query-profile',
'returns': 'HumanReadableText',
+  'if': 'CONFIG_TCG',
'features': [ 'unstable' ] }
  
  ##

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 409ec8c38c..8b4cd6c59d 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -1090,4 +1090,35 @@ HumanReadableText *qmp_x_query_opcount(Error **errp)
  return human_readable_text_from_str(buf);
  }
  
+#ifdef CONFIG_PROFILER

+
+int64_t dev_time;
+
+HumanReadableText *qmp_x_query_profile(Error **errp)
+{
+g_autoptr(GString) buf = g_string_new("");
+static int64_t last_cpu_exec_time;
+int64_t cpu_exec_time;
+int64_t delta;
+
+cpu_exec_time = tcg_cpu_exec_time();
+delta = cpu_exec_time - last_cpu_exec_time;
+
+g_string_append_printf(buf, "async time  %" PRId64 " (%0.3f)\n",
+   dev_time, dev_time / 
(double)NANOSECONDS_PER_SECOND);
+g_string_append_printf(buf, "qemu time   %" PRId64 " (%0.3f)\n",
+   delta, delta / (double)NANOSECONDS_PER_SECOND);
+last_cpu_exec_time = cpu_exec_time;
+dev_time = 0;
+
+return human_readable_text_from_str(buf);
+}
+#else
+HumanReadableText *qmp_x_query_profile(Error **errp)
+{
+error_setg(errp, "Internal profiler not compiled");
+return NULL;
+}
+#endif
+
  #endif /* !CONFIG_USER_ONLY */
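Review bot: `int64_t dev_time;` is now a non-static definition that exists only when CONFIG_PROFILER, CONFIG_TCG and !CONFIG_USER_ONLY all hold; whatever accumulates it (its `extern` declaration is not in this patch) must be built under the same conditions or a `--disable-tcg --enable-profiler` build will fail to link, which is worth confirming. The stub's error could point at the remedy, e.g. `"Internal profiler not compiled (configure with --enable-profiler)"`. The moved code also zeroes `dev_time` and the static `last_cpu_exec_time` on every query, so the command is destructive; a comment on the function such as `/* Reports and resets the accumulated timings; two back-to-back queries return different numbers. */` would document that.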
diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index 343353e27a..be5e44c569 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -355,37 +355,6 @@ void qmp_display_reload(DisplayReloadOptions *arg, Error 
**errp)
  }
  }
  
-#ifdef CONFIG_PROFILER

-
-int64_t dev_time;
-
-HumanReadableText *qmp_x_query_profile(Error **errp)
-{
-g_autoptr(GString) buf = g_string_new("");
-static int64_t last_cpu_exec_time;
-int64_t cpu_exec_time;
-int64_t delta;
-
-cpu_exec_time = tcg_cpu_exec_time();
-delta = cpu_exec_time - last_cpu_exec_time;
-
-g_string_append_printf(buf, "async time  %" PRId64 " (%0.3f)\n",
-   dev_time, dev_time / 
(double)NANOSECONDS_PER_SECOND);
-g_string_append_printf(buf, "qemu time   %" PRId64 " (%0.3f)\n",
-   delta, delta / (double)NANOSECONDS_PER_SECOND);
-last_cpu_exec_time = cpu_exec_time;
-dev_time = 0;
-
-return human_readable_text_from_str(buf);
-}
-#else
-HumanReadableText *qmp_x_query_profile(Error **errp)
-{
-error_setg(errp, "Internal profiler not compiled");
-return NULL;
-}
-#endif
-
  static int qmp_x_query_rdma_foreach(Object *obj, void *opaque)
  {
  RdmaProvider *rdma;
diff --git a/hmp-commands-info.hx b/hmp-commands-info.hx
index 407a1da800..e90f20a107 100644
--- a/hmp-commands-info.hx
+++ b/hmp-commands-info.hx
@@ -358,6 +358,7 @@ SRST
  Show host USB devices.
  ERST
  
+#if defined(CONFIG_TCG)

  {
  .name   = "profile",
  .args_type  = "",
@@ -365,6 +366,7 @@ ERST
  .help   = "show profiling information",
  .cmd_info_hrt = qmp_x_query_profile,
  },
+#endif
  
  SRST

``info profile``


Thanks Alex, I can confirm that a build of git master with --enable-profiler now 
works for my test case with this patch applied:


Tested-by: Mark Cave-Ayland 


ATB,

Mark.



[RFC qemu.qmp PATCH 24/24] v0.0.1

2021-12-15 Thread John Snow
Add v0.0.1 tag, marking the first public alpha release of the qemu.qmp
package.
---
 README.rst | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index bd4a301..e82ac03 100644
--- a/README.rst
+++ b/README.rst
@@ -126,4 +126,7 @@ locally before submitting to GitLab CI as my due diligence.)
 Changelog
 -
 
-- No public release yet.
+0.0.1 (2022-xx-xx)
+^^
+
+- Initial public release.
-- 
2.31.1




[RFC qemu.qmp PATCH 20/24] python: adjust apidoc stubs

2021-12-15 Thread John Snow
Change the configuration for the generated apidoc stubs.

Some of the changes, as a summary:

- Collapse the hierarchy to omit the QEMU namespace page
- Add more meaningful titles to the subpackages
- Prefer source ordering in most places
- Do not index pages that do not define their own symbols (via __all__)
- Show hidden members for qemu.aqmp.protocol, since this interface is
  designed to be extended.

Signed-off-by: John Snow 
---
 docs/index.rst   |  6 +++---
 docs/qemu.qmp.aqmp_tui.rst   |  7 ---
 docs/qemu.qmp.error.rst  |  1 +
 docs/qemu.qmp.message.rst|  1 +
 docs/qemu.qmp.models.rst |  1 +
 docs/qemu.qmp.protocol.rst   |  2 ++
 docs/qemu.qmp.qmp_client.rst |  1 +
 docs/qemu.qmp.qmp_shell.rst  |  7 ---
 docs/qemu.qmp.rst|  8 
 docs/qemu.qmp.util.rst   |  1 +
 docs/qemu.rst| 10 --
 11 files changed, 14 insertions(+), 31 deletions(-)
 delete mode 100644 docs/qemu.qmp.aqmp_tui.rst
 delete mode 100644 docs/qemu.qmp.qmp_shell.rst
 delete mode 100644 docs/qemu.rst

diff --git a/docs/index.rst b/docs/index.rst
index bff786a..2c7ccdb 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -3,14 +3,14 @@
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
 
-Welcome to qemu's documentation!
-
+qemu.qmp library documentation
+==
 
 .. toctree::
:maxdepth: 4
:caption: Contents:
 
-   qemu
+   qemu.qmp
 
 
 Indices and tables
diff --git a/docs/qemu.qmp.aqmp_tui.rst b/docs/qemu.qmp.aqmp_tui.rst
deleted file mode 100644
index a5c55f9..000
--- a/docs/qemu.qmp.aqmp_tui.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-qemu.qmp.aqmp\_tui module
-=
-
-.. automodule:: qemu.qmp.aqmp_tui
-   :members:
-   :undoc-members:
-   :show-inheritance:
diff --git a/docs/qemu.qmp.error.rst b/docs/qemu.qmp.error.rst
index 89f069d..5105330 100644
--- a/docs/qemu.qmp.error.rst
+++ b/docs/qemu.qmp.error.rst
@@ -5,3 +5,4 @@ qemu.qmp.error module
:members:
:undoc-members:
:show-inheritance:
+   :member-order: bysource
diff --git a/docs/qemu.qmp.message.rst b/docs/qemu.qmp.message.rst
index 765ae63..b824dc6 100644
--- a/docs/qemu.qmp.message.rst
+++ b/docs/qemu.qmp.message.rst
@@ -5,3 +5,4 @@ qemu.qmp.message module
:members:
:undoc-members:
:show-inheritance:
+   :member-order: bysource
diff --git a/docs/qemu.qmp.models.rst b/docs/qemu.qmp.models.rst
index 55585b7..1e2f608 100644
--- a/docs/qemu.qmp.models.rst
+++ b/docs/qemu.qmp.models.rst
@@ -5,3 +5,4 @@ qemu.qmp.models module
:members:
:undoc-members:
:show-inheritance:
+   :member-order: bysource
diff --git a/docs/qemu.qmp.protocol.rst b/docs/qemu.qmp.protocol.rst
index fca55ad..947e15f 100644
--- a/docs/qemu.qmp.protocol.rst
+++ b/docs/qemu.qmp.protocol.rst
@@ -5,3 +5,5 @@ qemu.qmp.protocol module
:members:
:undoc-members:
:show-inheritance:
+   :private-members:
+   :member-order: bysource
diff --git a/docs/qemu.qmp.qmp_client.rst b/docs/qemu.qmp.qmp_client.rst
index 1d5beda..83b8101 100644
--- a/docs/qemu.qmp.qmp_client.rst
+++ b/docs/qemu.qmp.qmp_client.rst
@@ -5,3 +5,4 @@ qemu.qmp.qmp\_client module
:members:
:undoc-members:
:show-inheritance:
+   :member-order: bysource
diff --git a/docs/qemu.qmp.qmp_shell.rst b/docs/qemu.qmp.qmp_shell.rst
deleted file mode 100644
index 0510cd3..000
--- a/docs/qemu.qmp.qmp_shell.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-qemu.qmp.qmp\_shell module
-==
-
-.. automodule:: qemu.qmp.qmp_shell
-   :members:
-   :undoc-members:
-   :show-inheritance:
diff --git a/docs/qemu.qmp.rst b/docs/qemu.qmp.rst
index 305e5b0..d1d2cd3 100644
--- a/docs/qemu.qmp.rst
+++ b/docs/qemu.qmp.rst
@@ -1,10 +1,12 @@
-qemu.qmp package
-
+qemu.qmp - Asynchronous QEMU Monitor Protocol (QMP) library
+===
 
 .. automodule:: qemu.qmp
:members:
:undoc-members:
:show-inheritance:
+   :noindex:
+   :member-order: bysource
 
 Submodules
 --
@@ -12,7 +14,6 @@ Submodules
 .. toctree::
:maxdepth: 4
 
-   qemu.qmp.aqmp_tui
qemu.qmp.error
qemu.qmp.events
qemu.qmp.legacy
@@ -20,5 +21,4 @@ Submodules
qemu.qmp.models
qemu.qmp.protocol
qemu.qmp.qmp_client
-   qemu.qmp.qmp_shell
qemu.qmp.util
diff --git a/docs/qemu.qmp.util.rst b/docs/qemu.qmp.util.rst
index 8f2ac87..24a6f82 100644
--- a/docs/qemu.qmp.util.rst
+++ b/docs/qemu.qmp.util.rst
@@ -5,3 +5,4 @@ qemu.qmp.util module
:members:
:undoc-members:
:show-inheritance:
+   :member-order: bysource
diff --git a/docs/qemu.rst b/docs/qemu.rst
deleted file mode 100644
index f33a4f4..000
--- a/docs/qemu.rst
+++ /dev/null
@@ -1,10 +0,0 @@
-qemu namespace
-==
-
-Subpackages

-
-.. toctree::
-   :maxdepth: 4
-
-   qemu.qmp
-- 
2.31.1




[RFC qemu.qmp PATCH 22/24] docs: add Makefile target

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 Makefile | 5 +
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index 81bfca8..029a824 100644
--- a/Makefile
+++ b/Makefile
@@ -103,6 +103,7 @@ check-coverage:
 clean:
python3 setup.py clean --all
rm -f pyproject.toml
+   make -C docs clean
 
 .PHONY: distclean
 distclean: clean
@@ -142,3 +143,7 @@ publish: pre-publish
 .PHONY: publish-test
 publish-test: pre-publish
python3 -m twine upload --verbose -r testpypi dist/*
+
+.PHONY: docs
+docs:
+   make -C docs html
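Review bot: Both new recipes — `make -C docs clean` in `clean` and `make -C docs html` in `docs` — recurse with a bare `make` instead of `$(MAKE)`, which bypasses GNU make's jobserver and drops any `-n`, `-k` or command-line variable the top-level invocation was given. Change them to `$(MAKE) -C docs clean` and `$(MAKE) -C docs html`. The `.PHONY: docs` line is necessary since `docs/` exists as a directory, so that part is correct as written.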
-- 
2.31.1




[RFC qemu.qmp PATCH 16/24] Add setuptools_scm package versioning

2021-12-15 Thread John Snow
The version number will now be generated using the setuptools_scm
package, which pulls the version number from git tags.

As PEP660 is not yet usable with pyproject.toml style packages, we will
be sticking to setup.py style installation for now.

"version = 0.0.0" exists as a fallback in the event that the
build/installation environment does not have setuptools_scm
installed. Further, if setuptools_scm *is* installed but we are trying
to install directly from a source tarball (instead of from a python
source distribution), 'fallback_version': '0.0.0' will be utilized as
the fallback.

Lastly, tag this release as v0.0.0 to give setuptools_scm something to
work with and establish precedent for future releases.

Signed-off-by: John Snow 
---
 .gitlab-ci.d/build.yml |  2 +-
 .gitlab-ci.d/python.Dockerfile |  1 +
 INDEX.rst  |  2 --
 MANIFEST.in|  1 -
 VERSION|  1 -
 setup.cfg  |  3 ++-
 setup.py   | 11 ++-
 7 files changed, 14 insertions(+), 7 deletions(-)
 delete mode 100644 VERSION

diff --git a/.gitlab-ci.d/build.yml b/.gitlab-ci.d/build.yml
index 6a68408..bf2d487 100644
--- a/.gitlab-ci.d/build.yml
+++ b/.gitlab-ci.d/build.yml
@@ -10,4 +10,4 @@ build-package:
 paths:
   - dist/*
   variables:
-GIT_DEPTH: 1
+GIT_DEPTH: 0
\ No newline at end of file
diff --git a/.gitlab-ci.d/python.Dockerfile b/.gitlab-ci.d/python.Dockerfile
index 35d84f3..93661b2 100644
--- a/.gitlab-ci.d/python.Dockerfile
+++ b/.gitlab-ci.d/python.Dockerfile
@@ -25,6 +25,7 @@ RUN dnf --setopt=install_weak_deps=False install -y \
 && python3 -m pip install --upgrade \
 build \
 pip \
+setuptools_scm \
 twine \
 && dnf clean all \
 && rm -rf ~/.cache/pip \
diff --git a/INDEX.rst b/INDEX.rst
index 8b7a56a..dddfcde 100644
--- a/INDEX.rst
+++ b/INDEX.rst
@@ -62,5 +62,3 @@ Files in this directory
 - ``README.rst`` is used as the README file that is visible on PyPI.org.
 - ``setup.cfg`` houses setuptools package configuration.
 - ``setup.py`` is the setuptools installer used by pip; See above.
-- ``VERSION`` contains the PEP-440 compliant version used to describe
-  this package; it is referenced by ``setup.cfg``.
diff --git a/MANIFEST.in b/MANIFEST.in
index 2a3fc58..9561fb1 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,2 +1 @@
-include VERSION
 include README.rst
diff --git a/VERSION b/VERSION
deleted file mode 100644
index 7741e1a..000
--- a/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.0.0a1
diff --git a/setup.cfg b/setup.cfg
index f4a02d6..03dd4f0 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = qemu.qmp
-version = file:VERSION
+version = 0.0.0
 author = John Snow
 author_email = js...@redhat.com
 maintainer = QEMU Project
@@ -26,6 +26,7 @@ classifiers =
 Typing :: Typed
 
 [options]
+setup_requires = setuptools_scm
 python_requires = >= 3.6
 packages =
 qemu.qmp
diff --git a/setup.py b/setup.py
index cb9b9b6..5904d07 100755
--- a/setup.py
+++ b/setup.py
@@ -7,6 +7,12 @@ Copyright (c) 2020-2021 John Snow for Red Hat, Inc.
 import setuptools
 import pkg_resources
 
+try:
+import setuptools_scm
+_HAVE_SCM = True
+except ModuleNotFoundError:
+_HAVE_SCM = False
+
 
 def main():
 """
@@ -16,7 +22,10 @@ def main():
 # 
https://medium.com/@daveshawley/safely-using-setup-cfg-for-metadata-1babbe54c108
 pkg_resources.require('setuptools>=39.2')
 
-setuptools.setup()
+if _HAVE_SCM:
+setuptools.setup(use_scm_version={'fallback_version': '0.0.0'})
+else:
+setuptools.setup()
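Review bot: When `setuptools_scm` is absent the fallback `setuptools.setup()` silently builds a package stamped `0.0.0` (the `version = 0.0.0` this commit adds to setup.cfg), and `fallback_version='0.0.0'` does the same when the checkout has no reachable tag; nothing in `setup.py` or the `pre-publish` target refuses to continue with that version, so a mis-configured build environment can yield a publishable artifact with a bogus version. Consider failing loudly where it matters, e.g. `if not _HAVE_SCM and os.environ.get('CI'): raise SystemExit('setuptools_scm is required for CI/release builds')` (GitLab sets `CI` in its jobs), and note in the module docstring that `0.0.0` means "untagged or local build". Note also that `setup_requires = setuptools_scm` in setup.cfg makes setuptools attempt to fetch the package at build time when it is missing, which the `ModuleNotFoundError` branch cannot observe because the import runs before `setup()` — the two mechanisms should be reconciled or the `setup_requires` line dropped. The body of `main()` begins above the hunk.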
 
 
 if __name__ == '__main__':
-- 
2.31.1




[RFC qemu.qmp PATCH 15/24] GitLab CI: Publish python packages to GitLab package repo

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 .gitlab-ci.d/index.yml |  2 ++
 .gitlab-ci.d/publish.yml   | 11 +++
 .gitlab-ci.d/python.Dockerfile |  1 +
 3 files changed, 14 insertions(+)
 create mode 100644 .gitlab-ci.d/publish.yml

diff --git a/.gitlab-ci.d/index.yml b/.gitlab-ci.d/index.yml
index cd6a65e..564308c 100644
--- a/.gitlab-ci.d/index.yml
+++ b/.gitlab-ci.d/index.yml
@@ -5,8 +5,10 @@ stages:
   - containers
   - build
   - test
+  - publish
 
 include:
   - local: '/.gitlab-ci.d/containers.yml'
   - local: '/.gitlab-ci.d/build.yml'
   - local: '/.gitlab-ci.d/test.yml'
+  - local: '/.gitlab-ci.d/publish.yml'
\ No newline at end of file
diff --git a/.gitlab-ci.d/publish.yml b/.gitlab-ci.d/publish.yml
new file mode 100644
index 000..8d05e05
--- /dev/null
+++ b/.gitlab-ci.d/publish.yml
@@ -0,0 +1,11 @@
+publish-package:
+  stage: publish
+  image: $CI_REGISTRY_IMAGE/python:latest
+  needs:
+job: build-package
+  script:
+- TWINE_PASSWORD=${CI_JOB_TOKEN} TWINE_USERNAME=gitlab-ci-token
+  python3 -m twine upload
+  --verbose
+  --repository-url 
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi"
+  dist/*
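Review bot: `publish-package` has no `rules:` or `only:` section, so as written it runs on every pipeline that reaches the `publish` stage — every branch push and merge-request pipeline — and uploads whatever `build-package` produced to the project package registry; before the tag-derived versioning later in this series that is the same `0.0.0a1` on each run, and afterwards every commit becomes a published dev release. Restrict it to tag pipelines (or the default branch), e.g. `rules: [{ if: '$CI_COMMIT_TAG' }]`, and consider `resource_group: publish` so two pipelines cannot race an upload. Using `CI_JOB_TOKEN` as the twine password is appropriate for the GitLab registry. A `workflow:` rule in index.yml, outside this hunk, could already constrain this — confirm.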
diff --git a/.gitlab-ci.d/python.Dockerfile b/.gitlab-ci.d/python.Dockerfile
index 9501ed4..35d84f3 100644
--- a/.gitlab-ci.d/python.Dockerfile
+++ b/.gitlab-ci.d/python.Dockerfile
@@ -25,6 +25,7 @@ RUN dnf --setopt=install_weak_deps=False install -y \
 && python3 -m pip install --upgrade \
 build \
 pip \
+twine \
 && dnf clean all \
 && rm -rf ~/.cache/pip \
 && rm -rf /var/cache/dnf \
-- 
2.31.1




[RFC qemu.qmp PATCH 23/24] docs: add doc build to GitLab CI build step

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 .gitlab-ci.d/build.yml | 1 +
 .gitlab-ci.d/python.Dockerfile | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.gitlab-ci.d/build.yml b/.gitlab-ci.d/build.yml
index bf2d487..5634173 100644
--- a/.gitlab-ci.d/build.yml
+++ b/.gitlab-ci.d/build.yml
@@ -4,6 +4,7 @@ build-package:
   needs:
 job: python-container
   script:
+- make docs
 - python3 -m build
   artifacts:
 name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA"
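Review bot: `make docs` runs Sphinx with default options, so warnings — including the unresolved cross-references that patch 21/24 of this series fixes — do not fail the job and will silently regress; pass `SPHINXOPTS="-W --keep-going"` (the generated docs/Makefile honours it and command-line variables propagate to the sub-make), i.e. `- make docs SPHINXOPTS="-W --keep-going"`. As far as visible the artifacts block keeps only `dist/*`, so the HTML just built is discarded; add `docs/_build/html` to `paths` if it is meant to be inspectable from the pipeline. The `artifacts:` block continues outside the hunk.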
diff --git a/.gitlab-ci.d/python.Dockerfile b/.gitlab-ci.d/python.Dockerfile
index 93661b2..728d8d8 100644
--- a/.gitlab-ci.d/python.Dockerfile
+++ b/.gitlab-ci.d/python.Dockerfile
@@ -15,6 +15,8 @@ RUN dnf --setopt=install_weak_deps=False install -y \
 pipenv \
 python3 \
 python3-pip \
+python3-sphinx \
+python3-sphinx_rtd_theme \
 python3-tox \
 python3-virtualenv \
 python3.10 \
-- 
2.31.1




[RFC qemu.qmp PATCH 21/24] Fix doc cross-reference regressions

2021-12-15 Thread John Snow
Before enabling docs building as a CI step, lingering cross-reference
failures need to be addressed.

Signed-off-by: John Snow 
---
 qemu/qmp/legacy.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qemu/qmp/legacy.py b/qemu/qmp/legacy.py
index 6c250cd..8e976f9 100644
--- a/qemu/qmp/legacy.py
+++ b/qemu/qmp/legacy.py
@@ -71,7 +71,7 @@ class QEMUMonitorProtocol:
 :param nickname: Optional nickname used for logging.
 
 ..note::
-No connection is established during `__init__`, this is done by
+No connection is established during ``__init__``, this is done by
 the `connect()` or `accept()` methods.
 """
 
@@ -287,7 +287,7 @@ class QEMUMonitorProtocol:
 Set the timeout for QMP RPC execution.
 
 This timeout affects the `cmd`, `cmd_obj`, and `command` methods.
-The `accept`, `pull_event` and `get_event` methods have their
+The `accept`, `pull_event` and `get_events` methods have their
 own configurable timeouts.
 
 :param timeout:
-- 
2.31.1




[RFC qemu.qmp PATCH 18/24] add Sphinx documentation config stub

2021-12-15 Thread John Snow
This is the result of this command:

sphinx-apidoc --separate \
  --no-toc \
  --module-first \
  --implicit-namespaces \
  --full \
  --ext-intersphinx \
  --ext-coverage \
  --ext-viewcode \
  -o docs/ \
  qemu/

(And `touch docs/_static/.gitignore`, to create an "empty" directory.)

This configuration is not yet functional, but I wanted to distinguish
between automatically generated boilerplate and intentional
configuration changes so as to document the entire process of getting
sphinx doc generation up, running, and fully configured.

Signed-off-by: John Snow 
---
 docs/Makefile| 20 +
 docs/conf.py | 80 
 docs/index.rst   | 21 ++
 docs/make.bat| 35 
 docs/qemu.qmp.aqmp_tui.rst   |  7 
 docs/qemu.qmp.error.rst  |  7 
 docs/qemu.qmp.events.rst |  7 
 docs/qemu.qmp.legacy.rst |  7 
 docs/qemu.qmp.message.rst|  7 
 docs/qemu.qmp.models.rst |  7 
 docs/qemu.qmp.protocol.rst   |  7 
 docs/qemu.qmp.qmp_client.rst |  7 
 docs/qemu.qmp.qmp_shell.rst  |  7 
 docs/qemu.qmp.rst| 24 +++
 docs/qemu.qmp.util.rst   |  7 
 docs/qemu.rst| 10 +
 16 files changed, 260 insertions(+)
 create mode 100644 docs/Makefile
 create mode 100644 docs/conf.py
 create mode 100644 docs/index.rst
 create mode 100644 docs/make.bat
 create mode 100644 docs/qemu.qmp.aqmp_tui.rst
 create mode 100644 docs/qemu.qmp.error.rst
 create mode 100644 docs/qemu.qmp.events.rst
 create mode 100644 docs/qemu.qmp.legacy.rst
 create mode 100644 docs/qemu.qmp.message.rst
 create mode 100644 docs/qemu.qmp.models.rst
 create mode 100644 docs/qemu.qmp.protocol.rst
 create mode 100644 docs/qemu.qmp.qmp_client.rst
 create mode 100644 docs/qemu.qmp.qmp_shell.rst
 create mode 100644 docs/qemu.qmp.rst
 create mode 100644 docs/qemu.qmp.util.rst
 create mode 100644 docs/qemu.rst

diff --git a/docs/Makefile b/docs/Makefile
new file mode 100644
index 000..d4bb2cb
--- /dev/null
+++ b/docs/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR = .
+BUILDDIR  = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+   @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+   @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/docs/conf.py b/docs/conf.py
new file mode 100644
index 000..c7ce779
--- /dev/null
+++ b/docs/conf.py
@@ -0,0 +1,80 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, '/home/jsnow/src/tmp/qemu.qmp/qemu')
+
+
+# -- Project information -
+
+project = 'qemu'
+copyright = '2021, Author'
+author = 'Author'
+
+
+# -- General configuration ---
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+'sphinx.ext.autodoc',
+'sphinx.ext.viewcode',
+'sphinx.ext.todo',
+'sphinx.ext.intersphinx',
+'sphinx.ext.coverage',
+'sphinx.ext.viewcode',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = 'en'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+
+# -- Options for HTML output -
+
+# The theme to us

[RFC qemu.qmp PATCH 13/24] GitLab CI: Add pipenv and tox tests

2021-12-15 Thread John Snow
FIXME: For testing purposes, this patch is still using my personal
GitLab URLs, which will have to be changed before this is pushed to
production.

Signed-off-by: John Snow 
---
 .gitlab-ci.d/test.yml | 43 +++
 1 file changed, 43 insertions(+)

diff --git a/.gitlab-ci.d/test.yml b/.gitlab-ci.d/test.yml
index 35fa105..19e0c37 100644
--- a/.gitlab-ci.d/test.yml
+++ b/.gitlab-ci.d/test.yml
@@ -13,3 +13,46 @@ check-dco:
 - if: '$CI_PROJECT_NAMESPACE == "jsnow" && $CI_COMMIT_BRANCH == 
$CI_DEFAULT_BRANCH'
   when: never
 - when: on_success
+
+.python_test:
+  stage: test
+  image: $CI_REGISTRY_IMAGE/python:latest
+  variables:
+GIT_DEPTH: 1
+  needs:
+job: python-container
+
+check-python-pipenv:
+  extends: .python_test
+  script:
+- make check-pipenv
+
+check-python-36:
+  extends: .python_test
+  script:
+- QEMU_TOX_EXTRA_ARGS="-e py36" make check-tox
+  allow_failure: true
+
+check-python-37:
+  extends: .python_test
+  script:
+- QEMU_TOX_EXTRA_ARGS="-e py37" make check-tox
+  allow_failure: true
+
+check-python-38:
+  extends: .python_test
+  script:
+- QEMU_TOX_EXTRA_ARGS="-e py38" make check-tox
+  allow_failure: true
+
+check-python-39:
+  extends: .python_test
+  script:
+- QEMU_TOX_EXTRA_ARGS="-e py39" make check-tox
+  allow_failure: true
+
+check-python-310:
+  extends: .python_test
+  script:
+- QEMU_TOX_EXTRA_ARGS="-e py310" make check-tox
+  allow_failure: true
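Review bot: Every `check-python-3N` job carries `allow_failure: true`, so a regression on any interpreter — including 3.6, the floor declared by `python_requires = >= 3.6` in setup.cfg — turns the pipeline amber rather than red and will be waved through; the matrix then documents compatibility instead of enforcing it. Drop `allow_failure` at least for the minimum and the newest supported version, or state in a comment which entries are advisory and why. The five near-identical jobs could also collapse into one using `parallel: { matrix: [{ PY: [py36, py37, py38, py39, py310] }] }` with `QEMU_TOX_EXTRA_ARGS="-e $PY"`, which keeps the per-version allow_failure decision in one place.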
-- 
2.31.1




[RFC qemu.qmp PATCH 17/24] Makefile: add build and publish targets

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 Makefile | 32 
 1 file changed, 32 insertions(+)

diff --git a/Makefile b/Makefile
index 97d737a..81bfca8 100644
--- a/Makefile
+++ b/Makefile
@@ -110,3 +110,35 @@ distclean: clean
rm -f .coverage .coverage.*
rm -rf htmlcov/
rm -rf test-results/
+
+.PHONY: pristine
+pristine:
+   @git diff-files --quiet --ignore-submodules -- || \
+   (echo "You have unstaged changes."; exit 1)
+   @git diff-index --cached --quiet HEAD --ignore-submodules -- || \
+   (echo "Your index contains uncommitted changes."; exit 1)
+   @[ -z "$(shell git ls-files -o)" ] || \
+   (echo "You have untracked files: $(shell git ls-files -o)"; 
exit 1)
+
+dist: setup.cfg setup.py Makefile README.rst
+   python3 -m build
+   @touch dist
+
+.PHONY: pre-publish
+pre-publish: pristine dist
+   @git describe --exact-match 2>/dev/null || \
+   (echo -e "\033[0;31mThere is no annotated tag for this 
commit.\033[0m"; exit 1)
+   python3 -m twine check --strict dist/*
+   git push -v --atomic --follow-tags --dry-run
+
+.PHONY: publish
+publish: pre-publish
+   # Set the username via TWINE_USERNAME.
+   # Set the password via TWINE_PASSWORD.
+   # Set the pkg repository via TWINE_REPOSITORY.
+   python3 -m twine upload --verbose dist/*
+   git push -v --atomic --follow-tags
+
+.PHONY: publish-test
+publish-test: pre-publish
+   python3 -m twine upload --verbose -r testpypi dist/*
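Review bot: The `dist` target runs `python3 -m build` without clearing `dist/` first, and `publish`/`publish-test` then upload `dist/*`, so any sdist or wheel left from an earlier build — an older version, or a `0.0.0` fallback build — is uploaded alongside the intended release; add `rm -rf dist/` as the first recipe line of `dist` (or make `pre-publish` depend on a clean dist). `publish` pushes the tag only after the upload succeeds, so a failed push leaves a released package with no matching remote tag; whichever order is chosen, document the recovery step in the comment block above `twine upload`. Two smaller points: `echo -e` in `pre-publish` is not portable to `/bin/sh` implementations such as dash, which print the `-e` literally (use `printf`), and `git ls-files -o` without `--exclude-standard` makes `pristine` fail on ignored files like `.venv/` or `__pycache__/`, which may be intended but should be stated.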
-- 
2.31.1




[RFC qemu.qmp PATCH 11/24] Add package build step to GitLab CI

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 .gitlab-ci.d/build.yml | 13 +
 .gitlab-ci.d/index.yml |  2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 .gitlab-ci.d/build.yml

diff --git a/.gitlab-ci.d/build.yml b/.gitlab-ci.d/build.yml
new file mode 100644
index 000..6a68408
--- /dev/null
+++ b/.gitlab-ci.d/build.yml
@@ -0,0 +1,13 @@
+build-package:
+  stage: build
+  image: $CI_REGISTRY_IMAGE/python:latest
+  needs:
+job: python-container
+  script:
+- python3 -m build
+  artifacts:
+name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA"
+paths:
+  - dist/*
+  variables:
+GIT_DEPTH: 1
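Review bot: `image: $CI_REGISTRY_IMAGE/python:latest` consumes a mutable tag that the `python-container` job (defined in containers.yml, outside this file) presumably pushes, so two pipelines running concurrently can build with each other's image, and a later rebuild silently changes what a re-run of an old pipeline uses. Tag the image per ref or commit and consume that tag here, e.g. `image: $CI_REGISTRY_IMAGE/python:$CI_COMMIT_REF_SLUG`, so builds are reproducible. `needs: job: python-container` only orders the jobs within one pipeline; it does not pin which image is used.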
diff --git a/.gitlab-ci.d/index.yml b/.gitlab-ci.d/index.yml
index 5ef8fcf..cf61dec 100644
--- a/.gitlab-ci.d/index.yml
+++ b/.gitlab-ci.d/index.yml
@@ -3,6 +3,8 @@
 
 stages:
   - containers
+  - build
 
 include:
   - local: '/.gitlab-ci.d/containers.yml'
+  - local: '/.gitlab-ci.d/build.yml'
-- 
2.31.1




[RFC qemu.qmp PATCH 14/24] GitLab CI: Add avocado junit XML output to tests

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 .gitlab-ci.d/test.yml | 16 
 Makefile  |  1 +
 avocado.cfg   |  7 +++
 3 files changed, 24 insertions(+)

diff --git a/.gitlab-ci.d/test.yml b/.gitlab-ci.d/test.yml
index 19e0c37..3b2a142 100644
--- a/.gitlab-ci.d/test.yml
+++ b/.gitlab-ci.d/test.yml
@@ -14,7 +14,23 @@ check-dco:
   when: never
 - when: on_success
 
+.avocado:
+  before_script:
+- echo "" >> avocado.cfg
+- echo "[datadir.paths]" >> avocado.cfg
+- echo "logs_dir = ./test-results/" >> avocado.cfg
+  artifacts:
+name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA"
+when: always
+expire_in: 7 days
+paths:
+  - test-results/latest/results.xml
+  - test-results/latest/test-results
+reports:
+  junit: test-results/latest/results.xml
+
 .python_test:
+  extends: .avocado
   stage: test
   image: $CI_REGISTRY_IMAGE/python:latest
   variables:
diff --git a/Makefile b/Makefile
index a2d2f2c..97d737a 100644
--- a/Makefile
+++ b/Makefile
@@ -109,3 +109,4 @@ distclean: clean
rm -rf qemu.qmp.egg-info/ .venv/ .tox/ $(QEMU_VENV_DIR) dist/
rm -f .coverage .coverage.*
rm -rf htmlcov/
+   rm -rf test-results/
diff --git a/avocado.cfg b/avocado.cfg
index c7722e7..a7b9935 100644
--- a/avocado.cfg
+++ b/avocado.cfg
@@ -11,3 +11,10 @@ output.testlogs.logfiles = ['stdout', 'stderr']
 
 # Show full stdout/stderr only on tests that FAIL
 output.testlogs.statuses = ['FAIL']
+
+# NOTE: Various gitlab CI jobs will append configuration
+# similar to the following, in order to keep test output
+# inside of the project root:
+#
+# [datadir.paths]
+# logs_dir = ./test-results/
-- 
2.31.1




[RFC qemu.qmp PATCH 07/24] Move PACKAGE.rst to README.rst and update

2021-12-15 Thread John Snow
The README here will reflect both what is shown on GitLab and on the
PyPI landing page. Update it accordingly.

Signed-off-by: John Snow 
---
 INDEX.rst   |   2 +-
 MANIFEST.in |   2 +-
 PACKAGE.rst |  43 --
 README.rst  | 129 
 setup.cfg   |   2 +-
 5 files changed, 132 insertions(+), 46 deletions(-)
 delete mode 100644 PACKAGE.rst
 create mode 100644 README.rst

diff --git a/INDEX.rst b/INDEX.rst
index 45b0dbf..9c45740 100644
--- a/INDEX.rst
+++ b/INDEX.rst
@@ -54,10 +54,10 @@ Files in this directory
   Try ``make help`` to see available targets.
 - ``MANIFEST.in`` is read by python setuptools, it specifies additional files
   that should be included by a source distribution.
-- ``PACKAGE.rst`` is used as the README file that is visible on PyPI.org.
 - ``Pipfile`` is used by Pipenv to generate ``Pipfile.lock``.
 - ``Pipfile.lock`` is a set of pinned package dependencies that this package
   is tested under in our CI suite. It is used by ``make check-pipenv``.
+- ``README.rst`` is used as the README file that is visible on PyPI.org.
 - ``setup.cfg`` houses setuptools package configuration.
 - ``setup.py`` is the setuptools installer used by pip; See above.
 - ``VERSION`` contains the PEP-440 compliant version used to describe
diff --git a/MANIFEST.in b/MANIFEST.in
index 639caae..2a3fc58 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,2 +1,2 @@
 include VERSION
-include PACKAGE.rst
+include README.rst
diff --git a/PACKAGE.rst b/PACKAGE.rst
deleted file mode 100644
index b0b86cc..000
--- a/PACKAGE.rst
+++ /dev/null
@@ -1,43 +0,0 @@
-QEMU Python Tooling
-===
-
-This package provides QEMU tooling used by the QEMU project to build,
-configure, and test QEMU. It is not a fully-fledged SDK and it is subject
-to change at any time.
-
-Usage
--
-
-The ``qemu.qmp`` subpackage provides a library for communicating with
-QMP servers. The ``qemu.machine`` subpackage offers rudimentary
-facilities for launching and managing QEMU processes. Refer to each
-package's documentation
-(``>>> help(qemu.qmp)``, ``>>> help(qemu.machine)``)
-for more information.
-
-Contributing
-
-
-This package is maintained by John Snow  as part of
-the QEMU source tree. Contributions are welcome and follow the `QEMU
-patch submission process
-`_, which involves
-sending patches to the QEMU development mailing list.
-
-John maintains a `GitLab staging branch
-`_, and there is an
-official `GitLab mirror `_.
-
-Please report bugs on the `QEMU issue tracker
-`_ and tag ``@jsnow`` in
-the report.
-
-Optional packages necessary for running code quality analysis for this
-package can be installed with the optional dependency group "devel":
-``pip install qemu[devel]``.
-
-``make develop`` can be used to install this package in editable mode
-(to the current environment) *and* bring in testing dependencies in one
-command.
-
-``make check`` can be used to run the available tests.
diff --git a/README.rst b/README.rst
new file mode 100644
index 000..bd4a301
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,129 @@
+QEMU Monitor Protocol (QMP) Library
+===
+
+This package provides an asyncio library used for communicating with
+QEMU Monitor Protocol ("QMP") servers. It requires Python 3.6+ and has
+no other dependencies.
+
+This library can be used for communicating with QEMU emulators or with
+the QEMU Guest Agent (QGA), QEMU Storage Daemon (QSD) or any other
+utility or application that speaks QMP.
+
+This library makes as little assumptions as possible about the actual
+version or what type of endpoint it will be communicating with;
+i.e. this library does not contain command definitions and does not seek
+to be an SDK or a replacement for tools like libvirt/virsh. It is
+"simply" the protocol (QMP) and not the vocabulary (QAPI). It is up to
+the programmer (you!) to know which commands and arguments you want to
+send.
+
+
+Who is this library for?
+
+
+It is firstly for developers of QEMU themselves; as the test
+infrastructure of QEMU itself needs a convenient and scriptable
+interface for testing QEMU. This library was split out of the QEMU
+source tree in order to share a reference version of a QMP library that
+was usable both within and outside of the QEMU source tree.
+
+Second, it's for those who are developing *for* QEMU by adding new
+architectures, devices, or functionality; as well as targeting those who
+are developing *with* QEMU, i.e. developers working on integrating QEMU
+features into other projects such as libvirt, kubevirt, kata
+containers, etc. Occasionally, using existing VM management stacks that
+integrate QEMU+kvm can make developing, testing, and debugging features
+difficult and more 'raw' acces

[RFC qemu.qmp PATCH 08/24] Update Pipfile.lock

2021-12-15 Thread John Snow
The name of the package has changed, and the dependencies are different
now as well. Re-do the Pipfile.

This is a little annoying, but Python doesn't offer any tool that
behaves in a manner that gives you the *oldest* but still adequate
versions of dependencies.

So, I'm doing this manually: pin every version at the minimum that still
allows the tests to succeed.

Most of these follow from just observing the minimum stated requirements
for each package, manually, recursively. However, I observed that toml's
stated dependency of >= 0.9.4 in pylint actually needs to be >= 0.10.0.

Signed-off-by: John Snow 
---
 Pipfile  |  37 +-
 Pipfile.lock | 314 ---
 2 files changed, 210 insertions(+), 141 deletions(-)

diff --git a/Pipfile b/Pipfile
index e7acb8c..de498ad 100644
--- a/Pipfile
+++ b/Pipfile
@@ -4,10 +4,43 @@ url = "https://pypi.org/simple";
 verify_ssl = true
 
 [dev-packages]
-qemu = {editable = true, extras = ["devel"], path = "."}
+avocado-framework = "==90.0"
+isort = "==5.1.2"
+tox = "==3.18.0"
+toml = "==0.10.0"
+six = "==1.14.0"
+filelock = "==3.0.0"
+virtualenv = "==16.0.0"
+py = "==1.4.17"
+pluggy = "==0.12.0"
+pyparsing = "==2.0.2"
+"backports.entry-points-selectable" = "==1.0.4"
+platformdirs = "==2.0.0"
+distlib = "==0.3.1"
+importlib-metadata = "==0.12"
+zipp = "==0.5"
+pylint = "==2.8.0"
+astroid = "==2.5.4"
+mccabe = "==0.6"
+lazy-object-proxy = "==1.4.0"
+wrapt = "==1.11"
+flake8 = "==3.6.0"
+pycodestyle = "==2.4.0"
+pyflakes = "==2.0.0"
+mypy = "==0.770"
+typed-ast = "==1.4.0"
+typing-extensions = "==3.7.4"
+mypy-extensions = "==0.4.3"
+urwid = "==2.1.2"
+urwid-readline = "==0.13"
+Pygments = "==2.9.0"
+"qemu.qmp" = {editable = true, extras = ["devel"], path = "."}
 
 [packages]
-qemu = {editable = true,path = "."}
+urwid = "==2.1.2"
+urwid-readline = "==0.13"
+Pygments = "==2.9.0"
+"qemu.qmp" = {editable = true, extras = ["tui"], path = "."}
 
 [requires]
 python_version = "3.6"
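Review bot: Pinning `[dev-packages]` to the oldest versions that still pass is useful for proving the declared minimums, but this Pipfile is also what `make check-pipenv` installs in CI, so several multi-year-old releases (`py==1.4.17`, `virtualenv==16.0.0`, `pylint==2.8.0`, `mypy==0.770`) land in every test run; tooling of that age tends to carry published advisories, so consider a periodic `pip-audit` pass over the resulting lock, and keep the runtime `[packages]` entries (`urwid`, `urwid-readline`, `Pygments`) on currently supported versions rather than minimums. A comment at the top of the file stating the policy, e.g. `# dev-packages are pinned to the OLDEST versions the test suite passes with; bump deliberately`, would stop a future contributor from "helpfully" upgrading them.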
diff --git a/Pipfile.lock b/Pipfile.lock
index d2a7dbd..9d1c2cc 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
-"sha256": 
"784b327272db32403d5a488507853b5afba850ba26a5948e5b6a90c1baef2d9c"
+"sha256": 
"76bfa8e7ee1fd855ff03697a0bc7076f4ffda0897e21c94d202cf07b609d63cb"
 },
 "pipfile-spec": 6,
 "requires": {
@@ -16,26 +16,51 @@
 ]
 },
 "default": {
-"qemu": {
+"pygments": {
+"hashes": [
+
"sha256:a18f47b506a429f6f4b9df81bb02beab9ca21d0a5fee38ed15aef65f0545519f",
+
"sha256:d66e804411278594d764fc69ec36ec13d9ae9147193a1740cd34d272ca383b8e"
+],
+"index": "pypi",
+"version": "==2.9.0"
+},
+"qemu-qmp": {
 "editable": true,
+"extras": [
+"tui"
+],
 "path": "."
+},
+"qemu.qmp": {
+"editable": true,
+"extras": [
+"tui"
+],
+"path": "."
+},
+"urwid": {
+"hashes": [
+
"sha256:588bee9c1cb208d0906a9f73c613d2bd32c3ed3702012f51efe318a3f2127eae"
+],
+"index": "pypi",
+"version": "==2.1.2"
+},
+"urwid-readline": {
+"hashes": [
+
"sha256:018020cbc864bb5ed87be17dc26b069eae2755cb29f3a9c569aac3bded1efaf4"
+],
+"index": "pypi",
+"version": "==0.13"
 }
 },
 "develop": {
-"appdirs": {
-"hashes": [
-
"sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41",
-
"sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128"
-],
-"version": "==1.4.4"
-},
 "astroid": {
 "hashes": [
-
"sha256:09bdb456e02564731f8b5957cdd0c98a7f01d2db5e90eb1d794c353c28bfd705",
-
"sha256:6a8a51f64dae307f6e0c9db752b66a7951e282389d8362cc1d39a56f3feeb31d"
+
"sha256:f040fe9c4a2a7699a8ec30c9ed10fb59067c97f64c36577f476c0953ba29847c",
+
"sha256:f9f472d4002d55199b1c151ef0570cf71d42aaa34aaa3d29c3e41c75f6f47564"
 ],
-"markers": "python_version ~= '3.6'",
-"version": "==2.6.0"
+"index": "pypi",
+"version": "==2.5.4"
 },
 "avocado-framework": {
 "hashes": [
@@ -45,19 +70,28 @@
 "index": "pypi",
 "version": "==90.0"
 },
+"backports.entry-points-selectable": {
+"hashes": [
+
"sha256:2a238e1d8b212b9cf50156b63cd748d54dc33df74e590d614507fc9ce57d0d4a",
+
"sha256:4acda84d96855beece3bf9aad9a1030aceb5f744b8ce9af7d5ee6dd672cdd3bd"
+],
+"index": "pypi",
+"version": "==1.0.4"
+},
 "d

[RFC qemu.qmp PATCH 04/24] Update project description

2021-12-15 Thread John Snow
Signed-off-by: John Snow 
---
 setup.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.cfg b/setup.cfg
index 7cd8470..9946875 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -7,7 +7,7 @@ maintainer = QEMU Project
 maintainer_email = qemu-devel@nongnu.org
 url = https://www.qemu.org/
 download_url = https://www.qemu.org/download/
-description = QEMU Python Build, Debug and SDK tooling.
+description = QEMU Monitor Protocol library.
 long_description = file:PACKAGE.rst
 long_description_content_type = text/x-rst
 classifiers =
-- 
2.31.1




[RFC qemu.qmp PATCH 09/24] Remove sub-dependency pins from Pipfile

2021-12-15 Thread John Snow
Now that we've got a Pipfile.lock generated that works, we can remove
the static pins from the Pipfile to allow various dependencies to be
added or removed as necessary when updating our direct dependencies in
the future.

As long as --keep-outdated is always passed to Pipenv, packages that do not
strictly need updating will be left alone, which helps keep our
requirements pinned at the oldest versions that still work.

Signed-off-by: John Snow 
---
 Pipfile | 33 -
 1 file changed, 33 deletions(-)

diff --git a/Pipfile b/Pipfile
index de498ad..f44fd1e 100644
--- a/Pipfile
+++ b/Pipfile
@@ -4,42 +4,9 @@ url = "https://pypi.org/simple";
 verify_ssl = true
 
 [dev-packages]
-avocado-framework = "==90.0"
-isort = "==5.1.2"
-tox = "==3.18.0"
-toml = "==0.10.0"
-six = "==1.14.0"
-filelock = "==3.0.0"
-virtualenv = "==16.0.0"
-py = "==1.4.17"
-pluggy = "==0.12.0"
-pyparsing = "==2.0.2"
-"backports.entry-points-selectable" = "==1.0.4"
-platformdirs = "==2.0.0"
-distlib = "==0.3.1"
-importlib-metadata = "==0.12"
-zipp = "==0.5"
-pylint = "==2.8.0"
-astroid = "==2.5.4"
-mccabe = "==0.6"
-lazy-object-proxy = "==1.4.0"
-wrapt = "==1.11"
-flake8 = "==3.6.0"
-pycodestyle = "==2.4.0"
-pyflakes = "==2.0.0"
-mypy = "==0.770"
-typed-ast = "==1.4.0"
-typing-extensions = "==3.7.4"
-mypy-extensions = "==0.4.3"
-urwid = "==2.1.2"
-urwid-readline = "==0.13"
-Pygments = "==2.9.0"
 "qemu.qmp" = {editable = true, extras = ["devel"], path = "."}
 
 [packages]
-urwid = "==2.1.2"
-urwid-readline = "==0.13"
-Pygments = "==2.9.0"
 "qemu.qmp" = {editable = true, extras = ["tui"], path = "."}
 
 [requires]
-- 
2.31.1




[RFC qemu.qmp PATCH 12/24] GitLab CI: Add check-dco script

2021-12-15 Thread John Snow
Borrowed with minor modifications from qemu.git.

Signed-off-by: John Snow 
---
 .gitlab-ci.d/check-dco.py | 98 +++
 .gitlab-ci.d/index.yml|  2 +
 .gitlab-ci.d/test.yml | 15 ++
 3 files changed, 115 insertions(+)
 create mode 100755 .gitlab-ci.d/check-dco.py
 create mode 100644 .gitlab-ci.d/test.yml

diff --git a/.gitlab-ci.d/check-dco.py b/.gitlab-ci.d/check-dco.py
new file mode 100755
index 000..747cd54
--- /dev/null
+++ b/.gitlab-ci.d/check-dco.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+#
+# check-dco.py: validate all commits are signed off
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import argparse
+import os
+import os.path
+import sys
+import subprocess
+
+parser = argparse.ArgumentParser("check-dco")
+parser.add_argument(
+"repourl",
+help="upstream repo URL"
+)
+parser.add_argument(
+"refspec",
+help="upstream's default branch (or other refspec)"
+)
+args = parser.parse_args()
+
+
+subprocess.check_call(["git", "remote", "add", "check-dco", args.repourl])
+subprocess.check_call(["git", "fetch", "check-dco", args.refspec],
+  stdout=subprocess.DEVNULL,
+  stderr=subprocess.DEVNULL)
+
+ancestor = subprocess.check_output(
+["git", "merge-base", f"check-dco/{args.refspec}", "HEAD"],
+universal_newlines=True)
+ancestor = ancestor.strip()
+
+subprocess.check_call(["git", "remote", "rm", "check-dco"])
+
+errors = False
+
+print("\nChecking for 'Signed-off-by: NAME ' " +
+  "on all commits since %s...\n" % ancestor)
+
+log = subprocess.check_output(["git", "log", "--format=%H %s",
+   ancestor + "..."],
+  universal_newlines=True)
+
+if log == "":
+commits = []
+else:
+commits = [[c[0:40], c[41:]] for c in log.strip().split("\n")]
+
+for sha, subject in commits:
+
+msg = subprocess.check_output(["git", "show", "-s", sha],
+  universal_newlines=True)
+lines = msg.strip().split("\n")
+
+print("🔍 %s %s" % (sha, subject))
+sob = False
+for line in lines:
+if "Signed-off-by:" in line:
+sob = True
+if "localhost" in line:
+print("❌ FAIL: bad email in %s" % line)
+errors = True
+
+if not sob:
+print("❌ FAIL missing Signed-off-by tag")
+errors = True
+
+if errors:
+print("""
+
+❌ ERROR: One or more commits are missing a valid Signed-off-By tag.
+
+
+This project requires all contributors to assert that their contributions
+are provided in compliance with the terms of the Developer's Certificate
+of Origin 1.1 (DCO):
+
+  https://developercertificate.org/
+
+To indicate acceptance of the DCO every commit must have a tag
+
+  Signed-off-by: REAL NAME 
+
+This can be achieved by passing the "-s" flag to the "git commit" command.
+
+To bulk update all commits on current branch "git rebase" can be used:
+
+  git rebase -i master -x 'git commit --amend --no-edit -s'
+
+""")
+
+sys.exit(1)
+
+sys.exit(0)
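Review bot: The temporary `check-dco` remote is removed only on the success path (the `git remote rm` that follows `merge-base`), so if the fetch or the merge-base call raises, the remote stays registered and the next run in the same checkout fails at `git remote add` because the name already exists. Wrapping the fetch and merge-base in try/finally keeps the cleanup on every path. Separately, `"Signed-off-by:" in line` also matches a quoted or mid-sentence occurrence in the body, so a commit that merely mentions the tag passes; `line.lstrip().startswith("Signed-off-by:")` is tighter, given that `git show -s` indents the message body.
```python
subprocess.check_call(["git", "remote", "add", "check-dco", args.repourl])
try:
    subprocess.check_call(["git", "fetch", "check-dco", args.refspec],
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    ancestor = subprocess.check_output(
        ["git", "merge-base", f"check-dco/{args.refspec}", "HEAD"],
        universal_newlines=True).strip()
finally:
    # Always drop the temporary remote so a re-run does not fail on 'remote add'.
    subprocess.check_call(["git", "remote", "rm", "check-dco"])
# … unchanged: log walk and Signed-off-by checks …
```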
diff --git a/.gitlab-ci.d/index.yml b/.gitlab-ci.d/index.yml
index cf61dec..cd6a65e 100644
--- a/.gitlab-ci.d/index.yml
+++ b/.gitlab-ci.d/index.yml
@@ -4,7 +4,9 @@
 stages:
   - containers
   - build
+  - test
 
 include:
   - local: '/.gitlab-ci.d/containers.yml'
   - local: '/.gitlab-ci.d/build.yml'
+  - local: '/.gitlab-ci.d/test.yml'
diff --git a/.gitlab-ci.d/test.yml b/.gitlab-ci.d/test.yml
new file mode 100644
index 000..35fa105
--- /dev/null
+++ b/.gitlab-ci.d/test.yml
@@ -0,0 +1,15 @@
+check-dco:
+  stage: test
+  image: $CI_REGISTRY_IMAGE/python:latest
+  needs:
+job: python-container
+  script:
+- .gitlab-ci.d/check-dco.py
+  "https://gitlab.com/jsnow/qemu.qmp.git";
+  "main"
+  variables:
+GIT_DEPTH: 1000
+  rules:
+- if: '$CI_PROJECT_NAMESPACE == "jsnow" && $CI_COMMIT_BRANCH == 
$CI_DEFAULT_BRANCH'
+  when: never
+- when: on_success
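Review bot: `GIT_DEPTH: 1000` leaves the job checkout shallow, and the script's `git merge-base check-dco/main HEAD` can only succeed if the merge base lies within that depth, so on a long-lived branch the job would fail with an error that looks unrelated to DCO. If that trade-off is accepted, a comment next to the variable records it, `# Deep enough for merge-base against upstream main; raise it if the check fails on old branches`; otherwise drop GIT_DEPTH for this job. The script arguments also hard-code the jsnow/qemu.qmp URL that the cover letter says will move, and the `rules` entry special-cases the `jsnow` namespace, so both will need to change together.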
-- 
2.31.1




[RFC qemu.qmp PATCH 05/24] Update project URLs

2021-12-15 Thread John Snow
Point to this library's URLs instead of the entire project's.

FIXME: In development, the URLs here are jsnow/qemu.qmp. It is intended
that the production version that gets pushed to qemu-project/qemu.qmp
will use URLs that reflect that repository appropriately.

Signed-off-by: John Snow 
---
 setup.cfg | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/setup.cfg b/setup.cfg
index 9946875..0f14bda 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -5,8 +5,10 @@ author = John Snow
 author_email = js...@redhat.com
 maintainer = QEMU Project
 maintainer_email = qemu-devel@nongnu.org
-url = https://www.qemu.org/
-download_url = https://www.qemu.org/download/
+# NOTE: Remember to update the commit message when changing these URLs.
+url = https://gitlab.com/jsnow/qemu.qmp
+download_url = https://gitlab.com/jsnow/qemu.qmp/-/packages
+# NOTE: Remember to update the commit message when changing these URLs.
 description = QEMU Monitor Protocol library.
 long_description = file:PACKAGE.rst
 long_description_content_type = text/x-rst
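Review bot: The comment `# NOTE: Remember to update the commit message when changing these URLs.` appears twice, once above `url` and again after `download_url`; one copy above `url` is enough. Since the commit message flags these jsnow/qemu.qmp values as development placeholders, the comment would be more useful if it named what must change, e.g. `# NOTE: development URLs; switch to the qemu-project namespace before publishing.`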
-- 
2.31.1




[RFC qemu.qmp PATCH 03/24] Update maintainer metadata

2021-12-15 Thread John Snow
I'm the primary author of this particular component; update the metadata
accordingly.

Signed-off-by: John Snow 
---
 setup.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/setup.cfg b/setup.cfg
index bca..7cd8470 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,7 +1,9 @@
 [metadata]
 name = qemu.qmp
 version = file:VERSION
-maintainer = QEMU Developer Team
+author = John Snow
+author_email = js...@redhat.com
+maintainer = QEMU Project
 maintainer_email = qemu-devel@nongnu.org
 url = https://www.qemu.org/
 download_url = https://www.qemu.org/download/
-- 
2.31.1




[RFC qemu.qmp PATCH 06/24] Move README.rst to INDEX.rst and update

2021-12-15 Thread John Snow
The intent is to use README.rst as the new package-level readme that
will be bundled with the source; so move the old "git level readme" over
to INDEX.rst instead, and update it accordingly.

This is primarily here to just document and explain what all the little
bits and pieces of files in the root are and what they do. I find this
stuff helpful when I wander over into other projects, so I'd like to
extend the same courtesy.

Signed-off-by: John Snow 
---
 README.rst => INDEX.rst | 49 +++--
 MANIFEST.in |  1 -
 2 files changed, 13 insertions(+), 37 deletions(-)
 rename README.rst => INDEX.rst (64%)

diff --git a/README.rst b/INDEX.rst
similarity index 64%
rename from README.rst
rename to INDEX.rst
index 9c1fcea..45b0dbf 100644
--- a/README.rst
+++ b/INDEX.rst
@@ -1,9 +1,14 @@
-QEMU Python Tooling
+qemu.qmp File Index
 ===
 
-This directory houses Python tooling used by the QEMU project to build,
-configure, and test QEMU. It is organized by namespace (``qemu``), and
-then by package (e.g. ``qemu/machine``, ``qemu/qmp``, etc).
+This file is here to explain the purpose of all the little bits and
+pieces of project files in the root directory and how they are
+used. It's useful info for those contributing to this project, but not
+so much for those who just want to use the library.
+
+
+Much ado about packaging
+
 
 ``setup.py`` is used by ``pip`` to install this tooling to the current
 environment. ``setup.cfg`` provides the packaging configuration used by
@@ -20,7 +25,7 @@ environment. ``setup.cfg`` provides the packaging 
configuration used by
 
 If you append the ``--editable`` or ``-e`` argument to either invocation
 above, pip will install in "editable" mode. This installs the package as
-a forwarder ("qemu.egg-link") that points to the source tree. In so
+a forwarder ("qemu.qmp.egg-link") that points to the source tree. In so
 doing, the installed package always reflects the latest version in your
 source tree.
 
@@ -37,34 +42,6 @@ See `Installing packages using pip and virtual environments
 for more information.
 
 
-Using these packages without installing them
-
-
-These packages may be used without installing them first, by using one
-of two tricks:
-
-1. Set your PYTHONPATH environment variable to include this source
-   directory, e.g. ``~/src/qemu/python``. See
-   https://docs.python.org/3/using/cmdline.html#envvar-PYTHONPATH
-
-2. Inside a Python script, use ``sys.path`` to forcibly include a search
-   path prior to importing the ``qemu`` namespace. See
-   https://docs.python.org/3/library/sys.html#sys.path
-
-A strong downside to both approaches is that they generally interfere
-with static analysis tools being able to locate and analyze the code
-being imported.
-
-Package installation also normally provides executable console scripts,
-so that tools like ``qmp-shell`` are always available via $PATH. To
-invoke them without installation, you can invoke e.g.:
-
-``> PYTHONPATH=~/src/qemu/python python3 -m qemu.qmp.qmp_shell``
-
-The mappings between console script name and python module path can be
-found in ``setup.cfg``.
-
-
 Files in this directory
 ---
 
@@ -72,6 +49,7 @@ Files in this directory
 - ``tests/`` Python package tests directory.
 - ``avocado.cfg`` Configuration for the Avocado test-runner.
   Used by ``make check`` et al.
+- ``INDEX.rst`` you are here!
 - ``Makefile`` provides some common testing/installation invocations.
   Try ``make help`` to see available targets.
 - ``MANIFEST.in`` is read by python setuptools, it specifies additional files
@@ -80,8 +58,7 @@ Files in this directory
 - ``Pipfile`` is used by Pipenv to generate ``Pipfile.lock``.
 - ``Pipfile.lock`` is a set of pinned package dependencies that this package
   is tested under in our CI suite. It is used by ``make check-pipenv``.
-- ``README.rst`` you are here!
-- ``VERSION`` contains the PEP-440 compliant version used to describe
-  this package; it is referenced by ``setup.cfg``.
 - ``setup.cfg`` houses setuptools package configuration.
 - ``setup.py`` is the setuptools installer used by pip; See above.
+- ``VERSION`` contains the PEP-440 compliant version used to describe
+  this package; it is referenced by ``setup.cfg``.
diff --git a/MANIFEST.in b/MANIFEST.in
index 7059ad2..639caae 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,3 +1,2 @@
 include VERSION
 include PACKAGE.rst
-exclude README.rst
-- 
2.31.1




[RFC qemu.qmp PATCH 02/24] Update VERSION to 0.0.0a1

2021-12-15 Thread John Snow
qemu.qmp will be independently versioned, without regard to QMP
version. While the repo is being established here, set the version to
something impossibly low.

Signed-off-by: John Snow 
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index c19f3b8..7741e1a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.6.1.0a1
+0.0.0a1
-- 
2.31.1




[RFC qemu.qmp PATCH 10/24] Add build and test container to gitlab CI configuration

2021-12-15 Thread John Snow
Heavily copy-pasted from the QEMU source tree, with bits and pieces not
needed for this repository trimmed down.

Signed-off-by: John Snow 
---
 .gitlab-ci.d/containers.yml| 28 
 .gitlab-ci.d/index.yml |  8 
 .gitlab-ci.d/python.Dockerfile | 31 +++
 .gitlab-ci.yml |  3 +++
 INDEX.rst  |  2 ++
 5 files changed, 72 insertions(+)
 create mode 100644 .gitlab-ci.d/containers.yml
 create mode 100644 .gitlab-ci.d/index.yml
 create mode 100644 .gitlab-ci.d/python.Dockerfile
 create mode 100644 .gitlab-ci.yml

diff --git a/.gitlab-ci.d/containers.yml b/.gitlab-ci.d/containers.yml
new file mode 100644
index 000..fdcbbe4
--- /dev/null
+++ b/.gitlab-ci.d/containers.yml
@@ -0,0 +1,28 @@
+# Heavily inspired-by/copy-pasted-from the
+# container template from the QEMU source tree.
+
+.container_job_template:
+  image: docker:stable
+  stage: containers
+  services:
+- docker:dind
+  before_script:
+- export TAG="$NAME"
+- export FQTAG="$CI_REGISTRY_IMAGE/$TAG:latest"
+- docker info
+- docker login $CI_REGISTRY -u "$CI_REGISTRY_USER" -p 
"$CI_REGISTRY_PASSWORD"
+  script:
+- echo "TAG:$TAG"
+- echo "FQTAG:$FQTAG"
+- cd .gitlab-ci.d
+- docker pull "$FQTAG"
+- docker build --cache-from "$FQTAG" -t "$TAG" -f "$NAME.Dockerfile" .
+- docker tag "$TAG" "$FQTAG"
+- docker push "$FQTAG"
+  after_script:
+- docker logout
+
+python-container:
+  extends: .container_job_template
+  variables:
+NAME: python
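Review bot: `docker login $CI_REGISTRY -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"` passes the registry token on the command line, where it is visible in the process list and in any shell tracing of the job, and the Docker CLI itself warns about `-p`. Feed it through stdin instead: `echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin`. On a registry that has never received the image, `docker pull "$FQTAG"` exits non-zero and fails the job before `docker build` runs; `docker pull "$FQTAG" || true` keeps the cache warm-up best-effort.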
diff --git a/.gitlab-ci.d/index.yml b/.gitlab-ci.d/index.yml
new file mode 100644
index 000..5ef8fcf
--- /dev/null
+++ b/.gitlab-ci.d/index.yml
@@ -0,0 +1,8 @@
+# This file contains the set of jobs run by this project:
+# https://gitlab.com/jsnow/qemu.qmp/-/pipelines
+
+stages:
+  - containers
+
+include:
+  - local: '/.gitlab-ci.d/containers.yml'
diff --git a/.gitlab-ci.d/python.Dockerfile b/.gitlab-ci.d/python.Dockerfile
new file mode 100644
index 000..9501ed4
--- /dev/null
+++ b/.gitlab-ci.d/python.Dockerfile
@@ -0,0 +1,31 @@
+# Python library build & testing environment.
+
+# Fedora is convenient, as it allows us to easily access multiple
+# versions of the python interpreter, which is great for tox testing.
+FROM fedora:latest
+
+# 「はじめまして!」
+MAINTAINER John Snow 
+
+# Please keep the packages sorted alphabetically.
+RUN dnf --setopt=install_weak_deps=False install -y \
+gcc \
+git \
+make \
+pipenv \
+python3 \
+python3-pip \
+python3-tox \
+python3-virtualenv \
+python3.10 \
+python3.6 \
+python3.7 \
+python3.8 \
+python3.9 \
+&& python3 -m pip install --upgrade \
+build \
+pip \
+&& dnf clean all \
+&& rm -rf ~/.cache/pip \
+&& rm -rf /var/cache/dnf \
+;
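Review bot: `MAINTAINER` is a deprecated Dockerfile instruction; the current form is a label, `LABEL maintainer="John Snow"` (with the address as in the original line). `FROM fedora:latest` also means each container rebuild tracks whatever Fedora release is current, so the explicit `python3.6` … `python3.10` package list can silently stop resolving when a release drops one of them; pinning to a release tag (`FROM fedora:<release>`, placeholder) keeps the CI image reproducible, at the cost of a deliberate bump when moving on.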
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 000..f93a1e1
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,3 @@
+# Hello, is it me you're looking for?
+include:
+  - local: '/.gitlab-ci.d/index.yml'
diff --git a/INDEX.rst b/INDEX.rst
index 9c45740..8b7a56a 100644
--- a/INDEX.rst
+++ b/INDEX.rst
@@ -47,6 +47,8 @@ Files in this directory
 
 - ``qemu/`` Python 'qemu' namespace package source directory.
 - ``tests/`` Python package tests directory.
+- ``.gitlab-ci.d/`` Files used for GitLab CI configuration.
+- ``.gitlab-ci.yml`` Primary GitLab CI configuration file.
 - ``avocado.cfg`` Configuration for the Avocado test-runner.
   Used by ``make check`` et al.
 - ``INDEX.rst`` you are here!
-- 
2.31.1




[RFC qemu.qmp PATCH 01/24] Fork qemu.qmp from qemu.git

2021-12-15 Thread John Snow
Split python/ from qemu.git, using these commands:

> git subtree split -P python/ -b python-split-v2
> mkdir ~/src/tmp
> cd ~/src/tmp
> git clone --no-local --branch python-split-v2 --single-branch ~/src/qemu
> cd qemu
> git filter-repo --path qemu/machine/   \
  --path qemu/utils/ \
  --path tests/iotests-mypy.sh   \
  --path tests/iotests-pylint.sh \
  --invert-paths

This commit performs some minimal cleanup to reflect the deletion of the
other subpackages. It is not intended to be exhaustive; further edits are
made in forthcoming commits.

Signed-off-by: John Snow 
---
 .gitignore |  2 +-
 Makefile   | 16 
 setup.cfg  | 24 +---
 setup.py   |  2 +-
 4 files changed, 11 insertions(+), 33 deletions(-)

diff --git a/.gitignore b/.gitignore
index 904f324..b071f02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@
 # python packaging
 build/
 dist/
-qemu.egg-info/
+qemu.qmp.egg-info/
 
 # editor config
 .idea/
diff --git a/Makefile b/Makefile
index 3334311..a2d2f2c 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ help:
@echo ""
@echo "make develop:"
@echo "Install deps needed for for 'make check',"
-   @echo "and install the qemu package in editable mode."
+   @echo "and install the qemu.qmp package in editable mode."
@echo "(Can be used in or outside of a venv.)"
@echo ""
@echo "make pipenv"
@@ -43,7 +43,7 @@ help:
@echo "Remove package build output."
@echo ""
@echo "make distclean:"
-   @echo "remove pipenv/venv files, qemu package forwarder,"
+   @echo "remove pipenv/venv files, qemu.qmp package forwarder,"
@echo "built distribution files, and everything from 'make clean'."
@echo ""
@echo -e "Have a nice day ^_^\n"
@@ -64,11 +64,11 @@ dev-venv: $(QEMU_VENV_DIR) $(QEMU_VENV_DIR)/bin/activate
 $(QEMU_VENV_DIR) $(QEMU_VENV_DIR)/bin/activate: setup.cfg
@echo "VENV $(QEMU_VENV_DIR)"
@python3 -m venv $(QEMU_VENV_DIR)
-   @(  \
-   echo "ACTIVATE $(QEMU_VENV_DIR)";   \
-   . $(QEMU_VENV_DIR)/bin/activate;\
-   echo "INSTALL qemu[devel] $(QEMU_VENV_DIR)";\
-   make develop 1>/dev/null;   \
+   @(  \
+   echo "ACTIVATE $(QEMU_VENV_DIR)";   \
+   . $(QEMU_VENV_DIR)/bin/activate;\
+   echo "INSTALL qemu.qmp[devel] $(QEMU_VENV_DIR)";\
+   make develop 1>/dev/null;   \
)
@touch $(QEMU_VENV_DIR)
 
@@ -106,6 +106,6 @@ clean:
 
 .PHONY: distclean
 distclean: clean
-   rm -rf qemu.egg-info/ .venv/ .tox/ $(QEMU_VENV_DIR) dist/
+   rm -rf qemu.qmp.egg-info/ .venv/ .tox/ $(QEMU_VENV_DIR) dist/
rm -f .coverage .coverage.*
rm -rf htmlcov/
diff --git a/setup.cfg b/setup.cfg
index 911ae02..bca 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,5 +1,5 @@
 [metadata]
-name = qemu
+name = qemu.qmp
 version = file:VERSION
 maintainer = QEMU Developer Team
 maintainer_email = qemu-devel@nongnu.org
@@ -25,8 +25,6 @@ classifiers =
 python_requires = >= 3.6
 packages =
 qemu.qmp
-qemu.machine
-qemu.utils
 
 [options.package_data]
 * = py.typed
@@ -38,7 +36,6 @@ packages =
 devel =
 avocado-framework >= 90.0
 flake8 >= 3.6.0
-fusepy >= 2.0.4
 isort >= 5.1.2
 mypy >= 0.770
 pylint >= 2.8.0
@@ -47,10 +44,6 @@ devel =
 urwid-readline >= 0.13
 Pygments >= 2.9.0
 
-# Provides qom-fuse functionality
-fuse =
-fusepy >= 2.0.4
-
 # AQMP TUI dependencies
 tui =
 urwid >= 2.1.2
@@ -59,13 +52,6 @@ tui =
 
 [options.entry_points]
 console_scripts =
-qom = qemu.utils.qom:main
-qom-set = qemu.utils.qom:QOMSet.entry_point
-qom-get = qemu.utils.qom:QOMGet.entry_point
-qom-list = qemu.utils.qom:QOMList.entry_point
-qom-tree = qemu.utils.qom:QOMTree.entry_point
-qom-fuse = qemu.utils.qom_fuse:QOMFuse.entry_point [fuse]
-qemu-ga-client = qemu.utils.qemu_ga_client:main
 qmp-shell = qemu.qmp.qmp_shell:main
 aqmp-tui = qemu.qmp.aqmp_tui:main [tui]
 
@@ -79,19 +65,12 @@ python_version = 3.6
 warn_unused_configs = True
 namespace_packages = True
 
-[mypy-qemu.utils.qom_fuse]
-# fusepy has no type stubs:
-allow_subclassing_any = True
-
 [mypy-qemu.qmp.aqmp_tui]
 # urwid and urwid_readline have no type stubs:
 allow_subclassing_any = True
 
 # The following missing import directives are because these libraries do not
 # provide type stubs. Allow them on an as-needed basis for mypy.
-[mypy-fuse]
-ignore_missing_imports = True
-
 [mypy-urwid]
 ignore_missing_imports = True
 
@@ -160,7 +139,6 @@ skip_missing_in

[RFC qemu.qmp PATCH 00/24] Python: Fork qemu.qmp Python lib into independent repo

2021-12-15 Thread John Snow
Hi, this series is part of an effort to publish the qemu.qmp package on
PyPI. It is the second of three series to complete this work:

(1) Switch the new Async QMP library in to python/qemu/qmp
--> (2) Fork python/qemu/qmp out into its own repository,
with updated GitLab CI/CD targets to build packages.
(3) Update qemu.git to install qemu.qmp from PyPI,
and then delete python/qemu/qmp.

This series is not meant to apply to qemu.git, rather -- it's the series
that performs the split and would apply to a brand new repository.

I am submitting it to the QEMU mailing list for these reasons:

(1) To more broadly announce my intentions, and as reference alongside
series #1 and #3 detailed above.

(2) To ask for permission to become the maintainer of a
'qemu-project/qemu.qmp' repository, where I would like to host this
subproject.

(3) To ask for review on the README.rst file which details my intended
contribution guidelines for this subproject.

(4) To ask for review on the .gitlab-ci.d/ files and other repo-level
CI/CD ephemera, including and especially the docs-building process.  I
think the generated docs are still ugly, and I'd like to upload them to
readthedocs, among other things -- hence the RFC quality of this series.

Some review/RFC notes:

- I use jsnow/qemu.qmp as the repo name throughout the series; that will
  have to be changed eventually, but for the purposes of prototyping, it
  was nicer to have a fully working series.

- I'm planning on using gitlab issues and MRs for the subproject.

- I plan to version this lib independently, starting at 0.0.1 for the
  initial public release and bumping only the micro version for each
  release until it reaches a "beta" state, at which point I plan to bump
  the minor version. There will be no cross-versioning against QEMU. I
  don't plan to publish new releases during QEMU freezes.

- Check out a completed pipeline here:
  https://gitlab.com/jsnow/qemu.qmp/-/pipelines/430528258

  It offers build artifacts, junit xml artifacts and GitLab
  test-level-view into the avocado unit tests. The build container is
  uploaded to GitLab's container registry and can be used to reproduce
  potential build/packaging errors.

  Every pipeline will produce built python packages and upload them to
  the GitLab package repository, see
  https://gitlab.com/jsnow/qemu.qmp/-/packages

Known problems:

- Sphinx output is still subjectively ugly, with too many layers of
  nesting

- Docs are not yet uploaded anywhere (GitLab pages, readthedocs?)

- Tags on a commit trigger two pipelines; this causes one of the package
  builds to fail as the version number will be duplicated in this
  case. Not entirely sure how I want to fix this yet ...

~ Happy Holidays ~, --js.

John Snow (24):
  Fork qemu.qmp from qemu.git
  Update VERSION to 0.0.0a1
  Update maintainer metadata
  Update project description
  Update project URLs
  Move README.rst to INDEX.rst and update
  Move PACKAGE.rst to README.rst and update
  Update Pipfile.lock
  Remove sub-dependency pins from Pipfile
  Add build and test container to gitlab CI configuration
  Add package build step to GitLab CI
  GitLab CI: Add check-dco script
  GitLab CI: Add pipenv and tox tests
  GitLab CI: Add avocado junit XML output to tests
  GitLab CI: Publish python packages to GitLab package repo
  Add setuptools_scm package versioning
  Makefile: add build and publish targets
  add Sphinx documentation config stub
  python: configure sphinx
  python: adjust apidoc stubs
  Fix doc cross-reference regressions
  docs: add Makefile target
  docs: add doc build to GitLab CI build step
  v0.0.1

 .gitignore |   2 +-
 .gitlab-ci.d/build.yml |  14 ++
 .gitlab-ci.d/check-dco.py  |  98 ++
 .gitlab-ci.d/containers.yml|  28 +++
 .gitlab-ci.d/index.yml |  14 ++
 .gitlab-ci.d/publish.yml   |  11 ++
 .gitlab-ci.d/python.Dockerfile |  35 
 .gitlab-ci.d/test.yml  |  74 
 .gitlab-ci.yml |   3 +
 INDEX.rst  |  64 +++
 MANIFEST.in|   4 +-
 Makefile   |  54 +-
 PACKAGE.rst|  43 -
 Pipfile|   4 +-
 Pipfile.lock   | 314 ++---
 README.rst | 219 ++-
 VERSION|   1 -
 avocado.cfg|   7 +
 docs/Makefile  |  20 +++
 docs/conf.py   | 107 +++
 docs/index.rst |  21 +++
 docs/make.bat  |  35 
 docs/qemu.qmp.error.rst|   8 +
 docs/qemu.qmp.events.rst   |   7 +
 docs/qemu.qmp.legacy.rst   |   7 +
 docs/qemu.qmp.message.rst  |   8 +
 docs/qemu.qmp.models.rst   |   8 +
 docs/qemu.qmp.protocol.rst |   9 +
 docs/qemu.qmp.qmp_client.rst   |   8 +
 docs/qemu.qmp.rst  |  24 +++
 docs/qemu.qmp.util.rst |   8 +
 qemu/

[RFC PATCH 3/3] tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225)

2021-12-15 Thread Philippe Mathieu-Daudé
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/451. Without
the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test qtest-i386/fuzz-sdcard-test
  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6152a080 at pc 0x564c71766d48 bp 0x7ffc126c62b0 sp 0x7ffc126c62a8
  READ of size 1 at 0x6152a080 thread T0
  #0 0x564c71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
  #1 0x564c7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
  #2 0x564c721b937b in memory_region_read_accessor softmmu/memory.c:440:11
  #3 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
  #4 0x564c7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
  #5 0x564c7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
  #6 0x564c7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
  #7 0x564c7212f958 in flatview_read softmmu/physmem.c:2921:12
  #8 0x564c7212f418 in address_space_read_full softmmu/physmem.c:2934:18
  #9 0x564c721305a9 in address_space_rw softmmu/physmem.c:2962:16
  #10 0x564c7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
  #11 0x564c7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
  #12 0x564c71759684 in dma_memory_read include/sysemu/dma.h:152:12
  #13 0x564c7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
  #14 0x564c7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
  #15 0x564c7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
  #16 0x564c717629ee in sdhci_write hw/sd/sdhci.c:1212:9
  #17 0x564c72172513 in memory_region_write_accessor softmmu/memory.c:492:5
  #18 0x564c72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
  #19 0x564c72170766 in memory_region_dispatch_write 
softmmu/memory.c:1504:16
  #20 0x564c721419ee in flatview_write_continue softmmu/physmem.c:2812:23
  #21 0x564c721301eb in flatview_write softmmu/physmem.c:2854:12
  #22 0x564c7212fca8 in address_space_write softmmu/physmem.c:2950:18
  #23 0x564c721d9a53 in qtest_process_command softmmu/qtest.c:727:9

  0x6152a080 is located 0 bytes to the right of 512-byte region 
[0x61529e80,0x6152a080)
  allocated by thread T0 here:
  #0 0x564c708e1737 in __interceptor_calloc (qemu-system-i386+0x1e6a737)
  #1 0x7ff05567b5e0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x5a5e0)
  #2 0x564c71774adb in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:474:18 in 
sdhci_read_dataport
  Shadow bytes around the buggy address:
0x0c2a7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd3d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c2a7fffd410:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffd420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a7fffd460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:   00
Heap left redzone:   fa
Freed heap region:   fd
  ==447470==ABORTING
  Broken pipe
  ERROR qtest-i386/fuzz-sdcard-test - too few tests run (expected 3, got 2)

Signed-off-by: Philippe Mathieu-Daudé 
---
 tests/qtest/fuzz-sdcard-test.c | 76 ++
 1 file changed, 76 insertions(+)

diff --git a/tests/qtest/fuzz-sdcard-test.c b/tests/qtest/fuzz-sdcard-test.c
index ae14305344a..6dfe26e983c 100644
--- a/tests/qtest/fuzz-sdcard-test.c
+++ b/tests/qtest/fuzz-sdcard-test.c
@@ -87,6 +87,81 @@ static void oss_fuzz_36217(void)
 qtest_quit(s);
 }
 
+/*
+ * https://gitlab.com/qemu-project/qemu/-/issues/451
+ * Used to trigger a heap buffer overflow.
+ */
+static void oss_fuzz_36391(void)
+{
+QTestState *s;
+
+s = qtest_init(" -display none -m 4G -nodefaults -nographic"
+   " -device sdhci-pci,sd-spec-version=3"
+   " -device sd-card,drive=drv"
+   " -drive 
if=none,index=0,file=null-co://,format=raw,id=drv");
+qtest_outl(s, 0xcf8, 0x80001010);
+qtest_outl(s, 0xcfc, 0xe000);
+qtest_outl(s, 0xcf8, 0x80001004);
+qtest_outw(s, 0xcfc, 0x7);
+qtest_bufwrite(s, 0xe005, "\x73", 0x1);
+qtest_bufwrite(s, 0xe028, "\x55", 0x1);
+qtest_bufwrite(s, 0xe02c, "\x55", 0x1);
+qtest_bufwrite(s, 0x0, "\x65", 0x1);
+qtest_bufwrite(s, 0x7, "\x69", 0x1);
+qtest_bufwrite(s, 0x8, "\x65", 0x1);
+qtest_bufwrite(s, 0xf, "\x69", 0x1);
+qtest_bufwrite(s, 0x

[RFC PATCH 2/3] hw/sd/sdhci: Prohibit DMA accesses to devices

2021-12-15 Thread Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé 

The issue reported by OSS-Fuzz produces the following backtrace:

  ==447470==ERROR: AddressSanitizer: heap-buffer-overflow
  READ of size 1 at 0x6152a080 thread T0
  #0 0x71766d47 in sdhci_read_dataport hw/sd/sdhci.c:474:18
  #1 0x7175f139 in sdhci_read hw/sd/sdhci.c:1022:19
  #2 0x721b937b in memory_region_read_accessor softmmu/memory.c:440:11
  #3 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
  #4 0x7216f47c in memory_region_dispatch_read1 softmmu/memory.c:1424:16
  #5 0x7216ebb9 in memory_region_dispatch_read softmmu/memory.c:1452:9
  #6 0x7212db5d in flatview_read_continue softmmu/physmem.c:2879:23
  #7 0x7212f958 in flatview_read softmmu/physmem.c:2921:12
  #8 0x7212f418 in address_space_read_full softmmu/physmem.c:2934:18
  #9 0x721305a9 in address_space_rw softmmu/physmem.c:2962:16
  #10 0x7175a392 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
  #11 0x7175a0ea in dma_memory_rw include/sysemu/dma.h:132:12
  #12 0x71759684 in dma_memory_read include/sysemu/dma.h:152:12
  #13 0x7175518c in sdhci_do_adma hw/sd/sdhci.c:823:27
  #14 0x7174bf69 in sdhci_data_transfer hw/sd/sdhci.c:935:13
  #15 0x7176aaa7 in sdhci_send_command hw/sd/sdhci.c:376:9
  #16 0x717629ee in sdhci_write hw/sd/sdhci.c:1212:9
  #17 0x72172513 in memory_region_write_accessor softmmu/memory.c:492:5
  #18 0x72171e51 in access_with_adjusted_size softmmu/memory.c:554:18
  #19 0x72170766 in memory_region_dispatch_write softmmu/memory.c:1504:16
  #20 0x721419ee in flatview_write_continue softmmu/physmem.c:2812:23
  #21 0x721301eb in flatview_write softmmu/physmem.c:2854:12
  #22 0x7212fca8 in address_space_write softmmu/physmem.c:2950:18
  #23 0x721d9a53 in qtest_process_command softmmu/qtest.c:727:9

A DMA descriptor is first filled in RAM. An I/O access to the
device (frames #22 to #16) starts the DMA engine (frame #13). The
engine fetches the descriptor and executes the request, which itself
accesses the SDHCI I/O registers (frames #1 and #0), triggering a
re-entrancy issue.

Fix by prohibiting transactions from the DMA engine to devices. The
DMA engine is thus restricted to memory.

Reported-by: OSS-Fuzz (Issue 36391)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/451
Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/sd/sdhci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index fe2f21f0c37..0e5e988927e 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -741,6 +741,7 @@ static void sdhci_do_adma(SDHCIState *s)
 {
 unsigned int begin, length;
 const uint16_t block_size = s->blksize & BLOCK_SIZE_MASK;
+const MemTxAttrs attrs = { .memory = true };
 ADMADescr dscr = {};
 MemTxResult res;
 int i;
@@ -794,7 +795,7 @@ static void sdhci_do_adma(SDHCIState *s)
 res = dma_memory_write(s->dma_as, dscr.addr,
&s->fifo_buffer[begin],
s->data_count - begin,
-   MEMTXATTRS_UNSPECIFIED);
+   attrs);
 if (res != MEMTX_OK) {
 break;
 }
@@ -823,7 +824,7 @@ static void sdhci_do_adma(SDHCIState *s)
 res = dma_memory_read(s->dma_as, dscr.addr,
   &s->fifo_buffer[begin],
   s->data_count - begin,
-  MEMTXATTRS_UNSPECIFIED);
+  attrs);
 if (res != MEMTX_OK) {
 break;
 }
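Review bot: Only the two ADMA data transfers in sdhci_do_adma carry `.memory = true`; if the descriptor fetch that fills `dscr` and the SDMA transfer paths elsewhere in this file still pass MEMTXATTRS_UNSPECIFIED, a guest can point those at the controller's own MMIO window and reach the same re-entrancy from a different frame. It is worth auditing every dma_memory_* call in the file and hoisting `attrs` to a single file-scope `static const MemTxAttrs` so the restriction cannot be forgotten on one path. Note also that MemTxAttrs::memory only exists with the Based-on series applied, so this patch cannot be merged independently of it. sdhci_do_adma starts and ends outside these hunks.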
-- 
2.33.1




[RFC PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue

2021-12-15 Thread Philippe Mathieu-Daudé
Hi,

This series is an attempt to fix the DMA re-entrancy problem
on the SDHCI device. OSS-Fuzz found it and Alexander generated
a helpful reproducer.

By setting the MemTxAttrs::memory bit before doing DMA transactions,
the flatview API will return MEMTX_BUS_ERROR if the transaction
targets a non-memory (a device), which is usually how DMA-reentrancy
bugs are exploited.

On real hardware, the checks are on the interconnect bus, not in
the SDHCI block. However QEMU blocks aren't modelled that way.
Using the flatview API seems (to me) the simplest approach and the
closest to the hardware: it is a generic API, and we can use it to
trace bus transactions on all blocks.

Note this series is simply one example to fix the generic
issues. The important changes are in the previous series:
https://lore.kernel.org/qemu-devel/20211215182421.418374-1-phi...@redhat.com/
Based-on: <20211215182421.418374-1-phi...@redhat.com>
"physmem: Have flatview API check bus permission from MemTxAttrs"

Cc: Mauro Matteo Cascella 
Cc: Qiuhao Li 
Cc: Peter Xu 
Cc: Jason Wang 
Cc: David Hildenbrand 
Cc: Gerd Hoffmann 
Cc: Peter Maydell 
Cc: Li Qiang 
Cc: Thomas Huth 
Cc: Laurent Vivier 
Cc: Bandan Das 
Cc: Edgar E. Iglesias 
Cc: Darren Kenny 
Cc: Bin Meng 
Cc: Paolo Bonzini 
Cc: Alexander Bulekov 
Cc: Stefan Hajnoczi 

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Honor failed DMA transactions
  hw/sd/sdhci: Prohibit DMA accesses to devices
  tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue
29225)

 hw/sd/sdhci.c  | 35 
 tests/qtest/fuzz-sdcard-test.c | 76 ++
 2 files changed, 102 insertions(+), 9 deletions(-)

-- 
2.33.1





[RFC PATCH 1/3] hw/sd/sdhci: Honor failed DMA transactions

2021-12-15 Thread Philippe Mathieu-Daudé
From: Philippe Mathieu-Daudé 

DMA transactions might fail. The DMA API returns a MemTxResult
indicating such failures. Do not ignore it. On failure, raise the
ADMA error flag and, where the error interrupt is enabled, trigger
an IRQ (see spec chapter 1.13.5: "ADMA2 States").

Signed-off-by: Philippe Mathieu-Daudé 
---
 hw/sd/sdhci.c | 34 +-
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index e0bbc903446..fe2f21f0c37 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -742,6 +742,7 @@ static void sdhci_do_adma(SDHCIState *s)
 unsigned int begin, length;
 const uint16_t block_size = s->blksize & BLOCK_SIZE_MASK;
 ADMADescr dscr = {};
+MemTxResult res;
 int i;
 
 if (s->trnmod & SDHC_TRNS_BLK_CNT_EN && !s->blkcnt) {
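Review bot: `MemTxResult res;` is declared without an initializer but is read at the end of the ACT_TRAN case (`if (res != MEMTX_OK)`) after the transfer loops, so that read is only defined if at least one dma_memory_read/write actually ran, which depends on `length` being non-zero on entry — an invariant established outside these hunks. Initializing it, `MemTxResult res = MEMTX_OK;`, removes the dependency on that invariant and keeps a maybe-uninitialized warning from appearing. sdhci_do_adma continues past this hunk.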
@@ -790,10 +791,13 @@ static void sdhci_do_adma(SDHCIState *s)
 s->data_count = block_size;
 length -= block_size - begin;
 }
-dma_memory_write(s->dma_as, dscr.addr,
- &s->fifo_buffer[begin],
- s->data_count - begin,
- MEMTXATTRS_UNSPECIFIED);
+res = dma_memory_write(s->dma_as, dscr.addr,
+   &s->fifo_buffer[begin],
+   s->data_count - begin,
+   MEMTXATTRS_UNSPECIFIED);
+if (res != MEMTX_OK) {
+break;
+}
 dscr.addr += s->data_count - begin;
 if (s->data_count == block_size) {
 s->data_count = 0;
@@ -816,10 +820,13 @@ static void sdhci_do_adma(SDHCIState *s)
 s->data_count = block_size;
 length -= block_size - begin;
 }
-dma_memory_read(s->dma_as, dscr.addr,
-&s->fifo_buffer[begin],
-s->data_count - begin,
-MEMTXATTRS_UNSPECIFIED);
+res = dma_memory_read(s->dma_as, dscr.addr,
+  &s->fifo_buffer[begin],
+  s->data_count - begin,
+  MEMTXATTRS_UNSPECIFIED);
+if (res != MEMTX_OK) {
+break;
+}
 dscr.addr += s->data_count - begin;
 if (s->data_count == block_size) {
 sdbus_write_data(&s->sdbus, s->fifo_buffer, 
block_size);
@@ -833,7 +840,16 @@ static void sdhci_do_adma(SDHCIState *s)
 }
 }
 }
-s->admasysaddr += dscr.incr;
+if (res != MEMTX_OK) {
+if (s->errintstsen & SDHC_EISEN_ADMAERR) {
+trace_sdhci_error("Set ADMA error flag");
+s->errintsts |= SDHC_EIS_ADMAERR;
+s->norintsts |= SDHC_NIS_ERR;
+}
+sdhci_update_irq(s);
+} else {
+s->admasysaddr += dscr.incr;
+}
 break;
 case SDHC_ADMA_ATTR_ACT_LINK:   /* link to next descriptor table */
 s->admasysaddr = dscr.addr;
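Review bot: After flagging the error the new branch only falls out of the switch via `break`, so unless the code after the switch (outside this hunk) checks the error state, the descriptor loop in sdhci_do_adma keeps running; and because `admasysaddr` is deliberately left pointing at the failed descriptor, the next iteration re-fetches and retries the very same transfer. The SDHC ADMA2 state machine halts in the error state, so the failure branch should stop the engine, `sdhci_update_irq(s); return;`, the way the invalid-descriptor path earlier in this function presumably does after raising its interrupt. If that path also records the failing state in `s->admaerr`, the new branch should set the transfer-state value there too so a guest driver can diagnose the error.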
-- 
2.33.1




Re: [PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue

2021-12-15 Thread Philippe Mathieu-Daudé
On 12/15/21 21:55, Philippe Mathieu-Daudé wrote:
> Hi,
> 
> This series is an attempt to fix the DMA re-entrancy problem
> on the SDHCI device. OSS-Fuzz found it and Alexander generated
> a helpful reproducer.
> 
> By setting the MemTxAttrs::memory bit before doing DMA transactions,
> the flatview API will return MEMTX_BUS_ERROR if the transaction
> targets a non-memory (a device), which is usually how DMA-reentrancy
> bugs are exploited.
> 
> On real hardware, the checks are on the interconnect bus, not in
> the SDHCI block. However QEMU blocks aren't modelled that way.
> Using the flatview API seems (to me) the simplest and closer
> to hardware, it is a generic API and we can use it to trace
> bus transactions on all blocks.
> 
> Note this series is simply one example to fix the generic
> issues. The important changes are in the previous series:
> https://lore.kernel.org/qemu-devel/20211215182421.418374-1-phi...@redhat.com/
> Based-on: <20211215182421.418374-1-phi...@redhat.com>
> "physmem: Have flatview API check bus permission from MemTxAttrs"

Please disregard this cover, I forgot to post as RFC...




[PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue

2021-12-15 Thread Philippe Mathieu-Daudé
Hi,

This series is an attempt to fix the DMA re-entrancy problem
on the SDHCI device. OSS-Fuzz found it and Alexander generated
a helpful reproducer.

By setting the MemTxAttrs::memory bit before doing DMA transactions,
the flatview API will return MEMTX_BUS_ERROR if the transaction
targets a non-memory (a device), which is usually how DMA-reentrancy
bugs are exploited.

On real hardware, the checks are on the interconnect bus, not in
the SDHCI block. However QEMU blocks aren't modelled that way.
Using the flatview API seems (to me) the simplest and closer
to hardware, it is a generic API and we can use it to trace
bus transactions on all blocks.

Note this series is simply one example to fix the generic
issues. The important changes are in the previous series:
https://lore.kernel.org/qemu-devel/20211215182421.418374-1-phi...@redhat.com/
Based-on: <20211215182421.418374-1-phi...@redhat.com>
"physmem: Have flatview API check bus permission from MemTxAttrs"

Cc: Mauro Matteo Cascella 
Cc: Qiuhao Li 
Cc: Peter Xu 
Cc: Jason Wang 
Cc: David Hildenbrand 
Cc: Gerd Hoffmann 
Cc: Peter Maydell 
Cc: Li Qiang 
Cc: Thomas Huth 
Cc: Laurent Vivier 
Cc: Bandan Das 
Cc: Edgar E. Iglesias 
Cc: Darren Kenny 
Cc: Bin Meng 
Cc: Paolo Bonzini 
Cc: Alexander Bulekov 
Cc: Stefan Hajnoczi 

Philippe Mathieu-Daudé (3):
  hw/sd/sdhci: Honor failed DMA transactions
  hw/sd/sdhci: Prohibit DMA accesses to devices
  tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue
29225)

 hw/sd/sdhci.c  | 35 
 tests/qtest/fuzz-sdcard-test.c | 76 ++
 2 files changed, 102 insertions(+), 9 deletions(-)

-- 
2.33.1





Re: [PULL 00/16] qtest and gitlab-CI improvements

2021-12-15 Thread Thomas Huth

On 15/12/2021 18.14, Richard Henderson wrote:

On 12/14/21 11:33 PM, Thomas Huth wrote:

  Hi!

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into 
staging (2021-12-14 12:46:18 -0800)


are available in the Git repository at:

   https://gitlab.com/thuth/qemu.git tags/pull-request-2021-12-15

for you to fetch changes up to 7876cba8fc0cab9a4c803a30f427d4b20b95a868:

   gitlab-ci: Test compilation on Windows with MSYS2 (2021-12-15 08:08:59 
+0100)



* Add virtio-net failover test
* Make qtests a little bit more flexible with regards to reduced configs
* Move libssh setup from configure to meson.build
* Run device-crash-test in CI
* Add jobs for NetBSD and OpenBSD to the CI
* Test compilation with MSYS2 in the gitlab-ci, too
* Add new virtio-iommu test


Eric Auger (4):
   virtio-iommu: Remove set_config callback
   virtio-iommu: Fix endianness in get_config
   virtio-iommu: Fix the domain_range end
   tests: qtest: Add virtio-iommu test

Laurent Vivier (4):
   qtest/libqos: add a function to initialize secondary PCI buses
   tests/qtest: add some tests for virtio-net failover
   tests/libqtest: add some virtio-net failover migration cancelling 
tests
   tests/libqtest: add a migration test with two couples of failover 
devices


Thomas Huth (8):
   tests/qtest: Run the PPC 32-bit tests with the 64-bit target 
binary, too
   tests/qtest: Fence the tests that need xlnx-zcu102 with 
CONFIG_XLNX_ZYNQMP_ARM
   tests/qtest: Add a function that gets a list with available machine 
types

   tests/qtest: Add a function to check whether a machine is available
   Move the libssh setup from configure to meson.build
   gitlab-ci.d/buildtest: Add jobs that run the device-crash-test
   gitlab-ci: Add cirrus-ci based tests for NetBSD and OpenBSD
   gitlab-ci: Test compilation on Windows with MSYS2

  .gitlab-ci.d/buildtest.yml    |   23 +
  .gitlab-ci.d/cirrus.yml   |   35 +
  .gitlab-ci.d/cirrus/kvm-build.yml |   31 +
  .gitlab-ci.d/qemu-project.yml |    1 +
  .gitlab-ci.d/windows.yml  |   98 +++
  configure |   27 -
  hw/virtio/trace-events    |    3 +-
  hw/virtio/virtio-iommu.c  |   42 +-
  include/hw/pci/pci_bridge.h   |    8 +
  meson.build   |   13 +-
  meson_options.txt |    2 +
  scripts/meson-buildoptions.sh |    3 +
  tests/qtest/boot-serial-test.c    |    3 +-
  tests/qtest/cdrom-test.c  |    8 +-
  tests/qtest/libqos/libqtest.h |    8 +
  tests/qtest/libqos/meson.build    |    1 +
  tests/qtest/libqos/pci.c  |  119 
  tests/qtest/libqos/pci.h  |    1 +
  tests/qtest/libqos/virtio-iommu.c |  126 
  tests/qtest/libqos/virtio-iommu.h |   40 ++
  tests/qtest/libqtest.c    |   79 ++-
  tests/qtest/meson.build   |    9 +-
  tests/qtest/prom-env-test.c   |    8 +-
  tests/qtest/virtio-iommu-test.c   |  326 +
  tests/qtest/virtio-net-failover.c | 1352 
+

  25 files changed, 2290 insertions(+), 76 deletions(-)
  create mode 100644 .gitlab-ci.d/cirrus/kvm-build.yml
  create mode 100644 .gitlab-ci.d/windows.yml
  create mode 100644 tests/qtest/libqos/virtio-iommu.c
  create mode 100644 tests/qtest/libqos/virtio-iommu.h
  create mode 100644 tests/qtest/virtio-iommu-test.c
  create mode 100644 tests/qtest/virtio-net-failover.c


Applied, thanks.


Thanks!

... hmm, looking at the latest builds, it seems like the new msys2-64bit job 
timed out a couple of times after 60 minutes, e.g.:


 https://gitlab.com/qemu-project/qemu/-/jobs/1889554588

And I already put a "timeout: 70m" in there, so I wonder why this wasn't 
taken into account? Maybe it does not work for the Windows machines?
Let's keep an eye on this - if this keeps happening, we either got to 
disable that job again or switch to another target CPU that has less code to 
compile and test.


 Thomas





[PULL 13/13] configure: remove dead variables

2021-12-15 Thread Paolo Bonzini
Signed-off-by: Paolo Bonzini 
---
 configure | 5 -
 1 file changed, 5 deletions(-)

diff --git a/configure b/configure
index 48c21775f3..d3aac031a5 100755
--- a/configure
+++ b/configure
@@ -626,7 +626,6 @@ fi
 case $targetos in
 MINGW32*)
   mingw32="yes"
-  supported_os="yes"
   plugins="no"
   pie="no"
 ;;
@@ -668,7 +667,6 @@ SunOS)
   QEMU_CFLAGS="-D__EXTENSIONS__ $QEMU_CFLAGS"
 ;;
 Haiku)
-  haiku="yes"
   pie="no"
   QEMU_CFLAGS="-DB_USE_POSITIVE_POSIX_ERRORS -D_BSD_SOURCE -fPIC $QEMU_CFLAGS"
 ;;
@@ -3472,9 +3470,6 @@ fi
 if test "$solaris" = "yes" ; then
   echo "CONFIG_SOLARIS=y" >> $config_host_mak
 fi
-if test "$haiku" = "yes" ; then
-  echo "CONFIG_HAIKU=y" >> $config_host_mak
-fi
 if test "$static" = "yes" ; then
   echo "CONFIG_STATIC=y" >> $config_host_mak
 fi
-- 
2.33.1




[PULL 11/13] numa: Support SGX numa in the monitor and Libvirt interfaces

2021-12-15 Thread Paolo Bonzini
From: Yang Zhong 

Add an SGXEPCSection list to SGXInfo so that the detailed information
of each SGX EPC section is reported, rather than only the total size
as before. This enables NUMA support in the 'info sgx' command and the
QMP interfaces: each EPC section is now reported together with its
NUMA node. Libvirt can use the QMP interface to get the detailed host
SGX EPC capabilities and decide how to allocate host EPC sections to
the guest.

(qemu) info sgx
 SGX support: enabled
 SGX1 support: enabled
 SGX2 support: enabled
 FLC support: enabled
 NUMA node #0: size=67108864
 NUMA node #1: size=29360128

The QMP interface show:
(QEMU) query-sgx
{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
[{"node": 0, "size": 67108864}, {"node": 1, "size": 29360128}], "flc": true}}

(QEMU) query-sgx-capabilities
{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
[{"node": 0, "size": 17070817280}, {"node": 1, "size": 17079205888}], "flc": 
true}}

Signed-off-by: Yang Zhong 
Message-Id: <20211101162009.62161-4-yang.zh...@intel.com>
Signed-off-by: Paolo Bonzini 
---
 hw/i386/sgx.c | 51 +++
 qapi/misc-target.json | 19 ++--
 2 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index d04299904a..5de5dd0893 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -83,11 +83,13 @@ static uint64_t sgx_calc_section_metric(uint64_t low, 
uint64_t high)
((high & MAKE_64BIT_MASK(0, 20)) << 32);
 }
 
-static uint64_t sgx_calc_host_epc_section_size(void)
+static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
 {
+SGXEPCSectionList *head = NULL, **tail = &head;
+SGXEPCSection *section;
 uint32_t i, type;
 uint32_t eax, ebx, ecx, edx;
-uint64_t size = 0;
+uint32_t j = 0;
 
 for (i = 0; i < SGX_MAX_EPC_SECTIONS; i++) {
 host_cpuid(0x12, i + 2, &eax, &ebx, &ecx, &edx);
@@ -101,10 +103,13 @@ static uint64_t sgx_calc_host_epc_section_size(void)
 break;
 }
 
-size += sgx_calc_section_metric(ecx, edx);
+section = g_new0(SGXEPCSection, 1);
+section->node = j++;
+section->size = sgx_calc_section_metric(ecx, edx);
+QAPI_LIST_APPEND(tail, section);
 }
 
-return size;
+return head;
 }
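Review bot: `section->node = j++;` reports a running index, not a host NUMA node: CPUID leaf 0x12 subleaves describe an EPC section's base and size only, so the `node` field returned by query-sgx-capabilities is merely the section's enumeration order. The commit message says libvirt will use this to decide how to bind EPC to host nodes, which it cannot do from an index. Either derive the node on the host (e.g. by matching the section's physical range against the host NUMA topology) or document in the QAPI schema that `node` in the capabilities reply is a section index and not a NUMA node. sgx_calc_host_epc_sections starts in the previous hunk.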
 
 static void sgx_epc_reset(void *opaque)
@@ -168,13 +173,35 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
 info->sgx1 = eax & (1U << 0) ? true : false;
 info->sgx2 = eax & (1U << 1) ? true : false;
 
-info->section_size = sgx_calc_host_epc_section_size();
+info->sections = sgx_calc_host_epc_sections();
 
 close(fd);
 
 return info;
 }
 
+static SGXEPCSectionList *sgx_get_epc_sections_list(void)
+{
+GSList *device_list = sgx_epc_get_device_list();
+SGXEPCSectionList *head = NULL, **tail = &head;
+SGXEPCSection *section;
+
+for (; device_list; device_list = device_list->next) {
+DeviceState *dev = device_list->data;
+Object *obj = OBJECT(dev);
+
+section = g_new0(SGXEPCSection, 1);
+section->node = object_property_get_uint(obj, SGX_EPC_NUMA_NODE_PROP,
+ &error_abort);
+section->size = object_property_get_uint(obj, SGX_EPC_SIZE_PROP,
+ &error_abort);
+QAPI_LIST_APPEND(tail, section);
+}
+g_slist_free(device_list);
+
+return head;
+}
+
 SGXInfo *qmp_query_sgx(Error **errp)
 {
 SGXInfo *info = NULL;
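Review bot: `g_slist_free(device_list)` at the end of sgx_get_epc_sections_list frees nothing, because the for loop advances `device_list` itself and it is NULL by the time the call runs, so the list returned by sgx_epc_get_device_list() leaks on every query-sgx. Iterate with a separate cursor and free the head: declare `GSList *l;` with the other locals, loop with `for (l = device_list; l; l = l->next) {` and read `DeviceState *dev = l->data;`, keeping the final `g_slist_free(device_list);`. Not freeing the element data is correct only if sgx_epc_get_device_list hands back borrowed DeviceState pointers — worth confirming against its definition.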
@@ -193,14 +220,13 @@ SGXInfo *qmp_query_sgx(Error **errp)
 return NULL;
 }
 
-SGXEPCState *sgx_epc = &pcms->sgx_epc;
 info = g_new0(SGXInfo, 1);
 
 info->sgx = true;
 info->sgx1 = true;
 info->sgx2 = true;
 info->flc = true;
-info->section_size = sgx_epc->size;
+info->sections = sgx_get_epc_sections_list();
 
 return info;
 }
@@ -208,6 +234,7 @@ SGXInfo *qmp_query_sgx(Error **errp)
 void hmp_info_sgx(Monitor *mon, const QDict *qdict)
 {
 Error *err = NULL;
+SGXEPCSectionList *section_list, *section;
 g_autoptr(SGXInfo) info = qmp_query_sgx(&err);
 
 if (err) {
@@ -222,8 +249,14 @@ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
info->sgx2 ? "enabled" : "disabled");
 monitor_printf(mon, "FLC support: %s\n",
info->flc ? "enabled" : "disabled");
-monitor_printf(mon, "size: %" PRIu64 "\n",
-   info->section_size);
+
+section_list = info->sections;
+for (section = section_list; section; section = section->next) {
+monitor_printf(mon, "NUMA node #%" PRId64 ": ",
+   section->value->node);
+monitor_printf(mon, "size=%" PRIu64 "\n",
+   section->value->size);
+}
 }
 
 bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
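Review bot: `section_list` in hmp_info_sgx is assigned once and used only to seed the loop, so it adds a name without adding meaning; `for (section = info->sections; section; section = section->next) {` reads more directly and lets the `SGXEPCSectionList *section_list` declaration go. The two monitor_printf calls could also be merged into one format string, which avoids a partial line being emitted if the second call were ever interrupted.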
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index 5aa2b95b7d..1022aa0184 100644
--- a/qapi/misc-target.json
++

[PULL 09/13] kvm: add support for KVM_GUESTDBG_BLOCKIRQ

2021-12-15 Thread Paolo Bonzini
From: Maxim Levitsky 

Use the KVM_GUESTDBG_BLOCKIRQ debug flag if supported.

Signed-off-by: Maxim Levitsky 
[Extracted from Maxim's patch into a separate commit. - Paolo]
Signed-off-by: Paolo Bonzini 
Reviewed-by: Alex Bennée 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <2021110604.207376-6-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 accel/kvm/kvm-all.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 2f5597572a..0e66ebb497 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -61,6 +61,10 @@
 #endif
 #define PAGE_SIZE qemu_real_host_page_size
 
+#ifndef KVM_GUESTDBG_BLOCKIRQ
+#define KVM_GUESTDBG_BLOCKIRQ 0
+#endif
+
 //#define DEBUG_KVM
 
 #ifdef DEBUG_KVM
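Review bot: The `#ifndef KVM_GUESTDBG_BLOCKIRQ` fallback deserves a one-line comment explaining why it exists, since a reader of the later `data.dbg.control |= KVM_GUESTDBG_BLOCKIRQ` cannot otherwise tell that it may compile to `|= 0`: `/* Compat shim for linux-headers that predate the flag; 0 makes every use below a no-op. */`. Because the fallback is 0 rather than absent, the `guest_debug_flags & KVM_GUESTDBG_BLOCKIRQ` test in kvm_init is always false with such headers, so SSTEP_NOIRQ is never advertised — apparently the intended behaviour, and worth stating in that comment.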
@@ -2574,6 +2578,15 @@ static int kvm_init(MachineState *ms)
 kvm_sstep_flags = 0;
 if (kvm_has_guest_debug) {
 kvm_sstep_flags = SSTEP_ENABLE;
+
+#if defined KVM_CAP_SET_GUEST_DEBUG2
+int guest_debug_flags =
+kvm_check_extension(s, KVM_CAP_SET_GUEST_DEBUG2);
+
+if (guest_debug_flags & KVM_GUESTDBG_BLOCKIRQ) {
+kvm_sstep_flags |= SSTEP_NOIRQ;
+}
+#endif
 }
 
 kvm_state = s;
@@ -3205,6 +3218,10 @@ int kvm_update_guest_debug(CPUState *cpu, unsigned long 
reinject_trap)
 
 if (cpu->singlestep_enabled) {
 data.dbg.control |= KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_SINGLESTEP;
+
+if (cpu->singlestep_enabled & SSTEP_NOIRQ) {
+data.dbg.control |= KVM_GUESTDBG_BLOCKIRQ;
+}
 }
 kvm_arch_update_guest_debug(cpu, &data.dbg);
 
-- 
2.33.1





[PULL 06/13] linux-headers: update to 5.16-rc1

2021-12-15 Thread Paolo Bonzini
Signed-off-by: Paolo Bonzini 
Acked-by: Cornelia Huck 
Reviewed-by: Alex Bennée 
Message-Id: <2021110604.207376-3-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 include/standard-headers/drm/drm_fourcc.h | 121 +-
 include/standard-headers/linux/ethtool.h  |  31 +
 include/standard-headers/linux/fuse.h |  10 +-
 include/standard-headers/linux/pci_regs.h |   6 +
 include/standard-headers/linux/virtio_gpu.h   |  18 ++-
 include/standard-headers/linux/virtio_ids.h   |  24 
 include/standard-headers/linux/virtio_vsock.h |   3 +-
 linux-headers/asm-arm64/unistd.h  |   1 +
 linux-headers/asm-generic/unistd.h|  22 +++-
 linux-headers/asm-mips/unistd_n32.h   |   1 +
 linux-headers/asm-mips/unistd_n64.h   |   1 +
 linux-headers/asm-mips/unistd_o32.h   |   1 +
 linux-headers/asm-powerpc/unistd_32.h |   1 +
 linux-headers/asm-powerpc/unistd_64.h |   1 +
 linux-headers/asm-s390/unistd_32.h|   1 +
 linux-headers/asm-s390/unistd_64.h|   1 +
 linux-headers/asm-x86/kvm.h   |   5 +
 linux-headers/asm-x86/unistd_32.h |   3 +
 linux-headers/asm-x86/unistd_64.h |   3 +
 linux-headers/asm-x86/unistd_x32.h|   3 +
 linux-headers/linux/kvm.h |  40 +-
 21 files changed, 276 insertions(+), 21 deletions(-)

diff --git a/include/standard-headers/drm/drm_fourcc.h 
b/include/standard-headers/drm/drm_fourcc.h
index 352b51fd0a..2c025cb4fe 100644
--- a/include/standard-headers/drm/drm_fourcc.h
+++ b/include/standard-headers/drm/drm_fourcc.h
@@ -103,6 +103,12 @@ extern "C" {
 /* 8 bpp Red */
 #define DRM_FORMAT_R8  fourcc_code('R', '8', ' ', ' ') /* [7:0] R */
 
+/* 10 bpp Red */
+#define DRM_FORMAT_R10 fourcc_code('R', '1', '0', ' ') /* [15:0] x:R 
6:10 little endian */
+
+/* 12 bpp Red */
+#define DRM_FORMAT_R12 fourcc_code('R', '1', '2', ' ') /* [15:0] x:R 
4:12 little endian */
+
 /* 16 bpp Red */
 #define DRM_FORMAT_R16 fourcc_code('R', '1', '6', ' ') /* [15:0] R 
little endian */
 
@@ -372,6 +378,12 @@ extern "C" {
 
 #define DRM_FORMAT_RESERVED  ((1ULL << 56) - 1)
 
+#define fourcc_mod_get_vendor(modifier) \
+   (((modifier) >> 56) & 0xff)
+
+#define fourcc_mod_is_vendor(modifier, vendor) \
+   (fourcc_mod_get_vendor(modifier) == DRM_FORMAT_MOD_VENDOR_## vendor)
+
 #define fourcc_mod_code(vendor, val) \
uint64_t)DRM_FORMAT_MOD_VENDOR_## vendor) << 56) | ((val) & 
0x00ffULL))
 
@@ -899,9 +911,9 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier)
 
 /*
  * The top 4 bits (out of the 56 bits alloted for specifying vendor specific
- * modifiers) denote the category for modifiers. Currently we have only two
- * categories of modifiers ie AFBC and MISC. We can have a maximum of sixteen
- * different categories.
+ * modifiers) denote the category for modifiers. Currently we have three
+ * categories of modifiers ie AFBC, MISC and AFRC. We can have a maximum of
+ * sixteen different categories.
  */
 #define DRM_FORMAT_MOD_ARM_CODE(__type, __val) \
fourcc_mod_code(ARM, ((uint64_t)(__type) << 52) | ((__val) & 
0x000fULL))
@@ -1016,6 +1028,109 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t 
modifier)
  */
 #define AFBC_FORMAT_MOD_USM(1ULL << 12)
 
+/*
+ * Arm Fixed-Rate Compression (AFRC) modifiers
+ *
+ * AFRC is a proprietary fixed rate image compression protocol and format,
+ * designed to provide guaranteed bandwidth and memory footprint
+ * reductions in graphics and media use-cases.
+ *
+ * AFRC buffers consist of one or more planes, with the same components
+ * and meaning as an uncompressed buffer using the same pixel format.
+ *
+ * Within each plane, the pixel/luma/chroma values are grouped into
+ * "coding unit" blocks which are individually compressed to a
+ * fixed size (in bytes). All coding units within a given plane of a buffer
+ * store the same number of values, and have the same compressed size.
+ *
+ * The coding unit size is configurable, allowing different rates of 
compression.
+ *
+ * The start of each AFRC buffer plane must be aligned to an alignment granule 
which
+ * depends on the coding unit size.
+ *
+ * Coding Unit Size   Plane Alignment
+ *    ---
+ * 16 bytes   1024 bytes
+ * 24 bytes   512  bytes
+ * 32 bytes   2048 bytes
+ *
+ * Coding units are grouped into paging tiles. AFRC buffer dimensions must be 
aligned
+ * to a multiple of the paging tile dimensions.
+ * The dimensions of each paging tile depend on whether the buffer is 
optimised for
+ * scanline (SCAN layout) or rotated (ROT layout) access.
+ *
+ * Layout   Paging Tile Width   Paging Tile Height
+ * --   -   --
+ * SCAN 16 coding units 4 coding units
+ * ROT  8  coding units 8 coding units
+ *
+ * The dimensions of ea

[PULL 05/13] virtio-gpu: do not byteswap padding

2021-12-15 Thread Paolo Bonzini
In Linux 5.16, the padding of struct virtio_gpu_ctrl_hdr has become a
single-byte field followed by a uint8_t[3] array of padding bytes,
and virtio_gpu_ctrl_hdr_bswap does not compile anymore.

Signed-off-by: Paolo Bonzini 
Acked-by: Cornelia Huck 
Reviewed-by: Alex Bennée 
Reviewed-by: Michael S. Tsirkin 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <2021110604.207376-2-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 include/hw/virtio/virtio-gpu-bswap.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/hw/virtio/virtio-gpu-bswap.h 
b/include/hw/virtio/virtio-gpu-bswap.h
index e2bee8f595..5faac0d8d5 100644
--- a/include/hw/virtio/virtio-gpu-bswap.h
+++ b/include/hw/virtio/virtio-gpu-bswap.h
@@ -24,7 +24,6 @@ virtio_gpu_ctrl_hdr_bswap(struct virtio_gpu_ctrl_hdr *hdr)
 le32_to_cpus(&hdr->flags);
 le64_to_cpus(&hdr->fence_id);
 le32_to_cpus(&hdr->ctx_id);
-le32_to_cpus(&hdr->padding);
 }
 
 static inline void
-- 
2.33.1





[PULL 04/13] scripts/entitlement.sh: Use backward-compatible cp flags

2021-12-15 Thread Paolo Bonzini
From: Evan Miller 

Older versions of Mac OS X do not support cp -a. The cp man page indicates
that -a is equivalent to -pPR.

Signed-off-by: Evan Miller 
Message-Id: <40635c6e-059a-4146-b1e2-f6376700e...@gmail.com>
[Leave out -R, these are files and not directories. - Paolo]
Signed-off-by: Paolo Bonzini 
---
 scripts/entitlement.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
index e2c956a3ac..0f412949ec 100755
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@@ -15,7 +15,7 @@ ENTITLEMENT="$4"
 
 if $in_place; then
   trap 'rm "$DST.tmp"' exit
-  cp -af "$SRC" "$DST.tmp"
+  cp -pPf "$SRC" "$DST.tmp"
   SRC="$DST.tmp"
 else
   cd "$MESON_INSTALL_DESTDIR_PREFIX"
-- 
2.33.1





[PULL 01/13] hw/scsi/lsi53c895a: Do not abort when DMA requested and no data queued

2021-12-15 Thread Paolo Bonzini
From: Philippe Mathieu-Daudé 

If a DMA transfer is requested and no data is available, simply wait
for data to be queued instead of aborting. This fixes:

  $ cat << EOF | \
qemu-system-i386 -nographic -M q35,accel=qtest -serial none \
  -monitor none -qtest stdio -trace lsi* \
  -drive if=none,id=drive0,file=null-co://,file.read-zeroes=on,format=raw \
  -device lsi53c895a,id=scsi0 -device 
scsi-hd,drive=drive0,bus=scsi0.0,channel=0,scsi-id=0,lun=0
  lsi_reset Reset
  lsi_reg_write Write reg DSP2 0x2e = 0xff
  lsi_reg_write Write reg DSP3 0x2f = 0xff
  lsi_execute_script SCRIPTS dsp=0x opcode 0x184a3900 arg 0x4a8b2d75
  qemu-system-i386: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion 
`s->current' failed.

  (gdb) bt
  #5  0x74e8a3a6 in __GI___assert_fail
  (assertion=0x560accbc "s->current", file=0x560acc28 
"hw/scsi/lsi53c895a.c", line=624, function=0x560adb18 "lsi_do_dma") at 
assert.c:101
  #6  0x55aa33b9 in lsi_do_dma (s=0x57805ac0, out=1) at 
hw/scsi/lsi53c895a.c:624
  #7  0x55aa5042 in lsi_execute_script (s=0x57805ac0) at 
hw/scsi/lsi53c895a.c:1250
  #8  0x55aa757a in lsi_reg_writeb (s=0x57805ac0, offset=47, 
val=255 '\377') at hw/scsi/lsi53c895a.c:1984
  #9  0x55aa875b in lsi_mmio_write (opaque=0x57805ac0, addr=47, 
val=255, size=1) at hw/scsi/lsi53c895a.c:2095

Cc: qemu-sta...@nongnu.org
Cc: Gerd Hoffmann 
Cc: Vadim Rozenfeld 
Cc: Stefan Hajnoczi 
Reported-by: Jérôme Poulin 
Reported-by: Ruhr-University 
Reported-by: Gaoning Pan 
Reported-by: Cheolwoo Myung 
Fixes: b96a0da06bd ("lsi: move dma_len+dma_buf into lsi_request")
BugLink: https://bugs.launchpad.net/qemu/+bug/697510
BugLink: https://bugs.launchpad.net/qemu/+bug/1905521
BugLink: https://bugs.launchpad.net/qemu/+bug/1908515
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/84
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/305
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/552
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Laurent Vivier 
Message-Id: <20211123111732.83137-2-phi...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 hw/scsi/lsi53c895a.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 85e907a785..4c431adb77 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -621,8 +621,7 @@ static void lsi_do_dma(LSIState *s, int out)
 dma_addr_t addr;
 SCSIDevice *dev;
 
-assert(s->current);
-if (!s->current->dma_len) {
+if (!s->current || !s->current->dma_len) {
 /* Wait until data is available.  */
 trace_lsi_do_dma_unavailable();
 return;
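Review bot: Dropping `assert(s->current)` turns a guest-triggerable state into a silent early return, but the two conditions it now merges are different: `!s->current->dma_len` is the legitimate wait-for-data case, while `!s->current` means SCRIPTS issued a data-transfer instruction with no SCSI request in flight, which is a guest bug worth surfacing rather than folding into the same trace point. Consider splitting the check and logging the second, `if (!s->current) { qemu_log_mask(LOG_GUEST_ERROR, "lsi53c895a: DMA with no active request\n"); return; }`, before the existing dma_len test (assuming qemu/log.h is already included). The rest of lsi_do_dma and the SCRIPTS loop that calls it are outside this hunk, so whether the caller bounds retries when this returns without progress should be confirmed.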
-- 
2.33.1





[PULL 03/13] qapi/machine.json: Fix incorrect description for die-id

2021-12-15 Thread Paolo Bonzini
From: Yanan Wang 

In terms of scope, die-id should mean "the die number within
socket the CPU belongs to" instead of "the die number within
node/board the CPU belongs to". Fix it to avoid confusing
the Doc reader.

Fixes: 176d2cda0d ("i386/cpu: Consolidate die-id validity in smp context")
Signed-off-by: Yanan Wang 
Reviewed-by: Eric Blake 
Message-Id: <20211122032651.16064-1-wangyana...@huawei.com>
Signed-off-by: Paolo Bonzini 
---
 qapi/machine.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index 067e3f5378..f1839acf20 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -867,7 +867,7 @@
 #
 # @node-id: NUMA node ID the CPU belongs to
 # @socket-id: socket number within node/board the CPU belongs to
-# @die-id: die number within node/board the CPU belongs to (Since 4.1)
+# @die-id: die number within socket the CPU belongs to (since 4.1)
 # @core-id: core number within die the CPU belongs to
 # @thread-id: thread number within core the CPU belongs to
 #
-- 
2.33.1





[PULL 10/13] numa: Enable numa for SGX EPC sections

2021-12-15 Thread Paolo Bonzini
From: Yang Zhong 

The basic SGX support did not enable numa for SGX EPC sections, which
resulted in all EPC sections being located in numa node 0. This patch
enables the SGX numa function in the guest so that an EPC section can
work with RAM as one numa node.

The Guest kernel related log:
[0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x18000-0x183ff]
[0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x18400-0x185bf]
The SRAT table can then show the SGX EPC sections' memory info in different
numa nodes.

The SGX EPC numa related command:
 ..
 -m 4G,maxmem=20G \
 -smp sockets=2,cores=2 \
 -cpu host,+sgx-provisionkey \
 -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \
 -object 
memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \
 -numa node,nodeid=0,cpus=0-1,memdev=node0 \
 -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \
 -object 
memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \
 -numa node,nodeid=1,cpus=2-3,memdev=node1 \
 -M 
sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1 \
 ..

Signed-off-by: Yang Zhong 
Message-Id: <20211101162009.62161-2-yang.zh...@intel.com>
Signed-off-by: Paolo Bonzini 
---
 hw/core/numa.c|  5 ++---
 hw/i386/acpi-build.c  |  2 ++
 hw/i386/sgx-epc.c |  3 +++
 hw/i386/sgx-stub.c|  4 
 hw/i386/sgx.c | 44 +++
 include/hw/i386/sgx-epc.h |  3 +++
 monitor/hmp-cmds.c|  1 +
 qapi/machine.json | 10 -
 qemu-options.hx   |  4 ++--
 9 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/hw/core/numa.c b/hw/core/numa.c
index e6050b2273..1aa05dcf42 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -784,9 +784,8 @@ static void numa_stat_memory_devices(NumaNodeMem node_mem[])
 break;
 case MEMORY_DEVICE_INFO_KIND_SGX_EPC:
 se = value->u.sgx_epc.data;
-/* TODO: once we support numa, assign to right node */
-node_mem[0].node_mem += se->size;
-node_mem[0].node_plugged_mem += se->size;
+node_mem[se->node].node_mem += se->size;
+node_mem[se->node].node_plugged_mem = 0;
 break;
 default:
 g_assert_not_reached();
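Review bot: `node_mem[se->node].node_plugged_mem = 0;` turns the accumulation the old code performed into a plain assignment, so whatever earlier memory devices in this same loop added to that node's `node_plugged_mem` is discarded as soon as an EPC section on the node is visited; if the intent is that EPC sections simply do not count as plugged memory, deleting the line preserves the existing totals. `se->node` is also used as an array index with no range check visible in this hunk — it comes from the new `SGX_EPC_NUMA_NODE_PROP` uint32 property (default 0) added in the hw/i386/sgx-epc.c hunk, and unless device realize validates it against the configured node count somewhere not shown here (the hw/i386/sgx.c hunk is cut off in this view), a user-supplied out-of-range node id indexes past `node_mem[]`. Either a guard comparing `se->node` against the bound that sizes `node_mem[]` before the two updates, or a rejection in the EPC device's realize path, would close that. numa_stat_memory_devices continues outside the hunk.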
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a99c6e4fe3..8383b83ee3 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2068,6 +2068,8 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 nvdimm_build_srat(table_data);
 }
 
+sgx_epc_build_srat(table_data);
+
 /*
  * TODO: this part is not in ACPI spec and current linux kernel boots fine
  * without these entries. But I recall there were issues the last time I
diff --git a/hw/i386/sgx-epc.c b/hw/i386/sgx-epc.c
index e508827e78..96b2940d75 100644
--- a/hw/i386/sgx-epc.c
+++ b/hw/i386/sgx-epc.c
@@ -21,6 +21,7 @@
 
 static Property sgx_epc_properties[] = {
 DEFINE_PROP_UINT64(SGX_EPC_ADDR_PROP, SGXEPCDevice, addr, 0),
+DEFINE_PROP_UINT32(SGX_EPC_NUMA_NODE_PROP, SGXEPCDevice, node, 0),
 DEFINE_PROP_LINK(SGX_EPC_MEMDEV_PROP, SGXEPCDevice, hostmem,
  TYPE_MEMORY_BACKEND_EPC, HostMemoryBackendEpc *),
 DEFINE_PROP_END_OF_LIST(),
@@ -139,6 +140,8 @@ static void sgx_epc_md_fill_device_info(const 
MemoryDeviceState *md,
 se->memaddr = epc->addr;
 se->size = object_property_get_uint(OBJECT(epc), SGX_EPC_SIZE_PROP,
 NULL);
+se->node = object_property_get_uint(OBJECT(epc), SGX_EPC_NUMA_NODE_PROP,
+NULL);
 se->memdev = object_get_canonical_path(OBJECT(epc->hostmem));
 
 info->u.sgx_epc.data = se;
diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
index c9b379e665..26833eb233 100644
--- a/hw/i386/sgx-stub.c
+++ b/hw/i386/sgx-stub.c
@@ -6,6 +6,10 @@
 #include "qapi/error.h"
 #include "qapi/qapi-commands-misc-target.h"
 
+void sgx_epc_build_srat(GArray *table_data)
+{
+}
+
 SGXInfo *qmp_query_sgx(Error **errp)
 {
 error_setg(errp, "SGX support is not compiled in");
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index 8fef3dd8fa..d04299904a 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -23,6 +23,7 @@
 #include "sysemu/hw_accel.h"
 #include "sysemu/reset.h"
 #include 
+#include "hw/acpi/aml-build.h"
 
 #define SGX_MAX_EPC_SECTIONS8
 #define SGX_CPUID_EPC_INVALID   0x0
@@ -36,6 +37,46 @@
 
 #define RETRY_NUM   2
 
+static int sgx_epc_device_list(Object *obj, void *opaque)
+{
+GSList **list = opaque;
+
+if (object_dynamic_cast(obj, TYPE_SGX_EPC)) {
+*list = g_slist_append(*list, DEVICE(obj));
+}
+
+object_child_foreach(obj, sgx_epc_device_list, opaque);
+return 0;
+}
+
+static GSList *sgx_epc_get_device_list(void)
+{
+GSList *list = NULL;
+
+object_child_foreach(qdev_

[PULL 12/13] doc: Add the SGX numa description

2021-12-15 Thread Paolo Bonzini
From: Yang Zhong 

Add the SGX numa reference command and describe how to check whether
SGX numa is supported with multiple EPC sections.

Signed-off-by: Yang Zhong 
Message-Id: <20211101162009.62161-5-yang.zh...@intel.com>
Signed-off-by: Paolo Bonzini 
---
 docs/system/i386/sgx.rst | 31 +++
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/docs/system/i386/sgx.rst b/docs/system/i386/sgx.rst
index f8fade5ac2..0f0a73f758 100644
--- a/docs/system/i386/sgx.rst
+++ b/docs/system/i386/sgx.rst
@@ -141,8 +141,7 @@ To launch a SGX guest:
   |qemu_system_x86| \\
-cpu host,+sgx-provisionkey \\
-object memory-backend-epc,id=mem1,size=64M,prealloc=on \\
-   -object memory-backend-epc,id=mem2,size=28M \\
-   -M sgx-epc.0.memdev=mem1,sgx-epc.1.memdev=mem2
+   -M sgx-epc.0.memdev=mem1,sgx-epc.0.node=0
 
 Utilizing SGX in the guest requires a kernel/OS with SGX support.
 The support can be determined in guest by::
@@ -152,8 +151,32 @@ The support can be determined in guest by::
 and SGX epc info by::
 
   $ dmesg | grep sgx
-  [1.242142] sgx: EPC section 0x18000-0x181bf
-  [1.242319] sgx: EPC section 0x181c0-0x1837f
+  [0.182807] sgx: EPC section 0x14000-0x143ff
+  [0.183695] sgx: [Firmware Bug]: Unable to map EPC section to online 
node. Fallback to the NUMA node 0.
+
+To launch a SGX numa guest:
+
+.. parsed-literal::
+
+  |qemu_system_x86| \\
+   -cpu host,+sgx-provisionkey \\
+   -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \\
+   -object 
memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \\
+   -numa node,nodeid=0,cpus=0-1,memdev=node0 \\
+   -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \\
+   -object 
memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \\
+   -numa node,nodeid=1,cpus=2-3,memdev=node1 \\
+   -M 
sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1
+
+and SGX epc numa info by::
+
+  $ dmesg | grep sgx
+  [0.369937] sgx: EPC section 0x18000-0x183ff
+  [0.370259] sgx: EPC section 0x18400-0x185bf
+
+  $ dmesg | grep SRAT
+  [0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x18000-0x183ff]
+  [0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x18400-0x185bf]
 
 References
 --
-- 
2.33.1





[PULL 08/13] gdbstub, kvm: let KVM report supported singlestep flags

2021-12-15 Thread Paolo Bonzini
From: Maxim Levitsky 

Signed-off-by: Maxim Levitsky 
[Extracted from Maxim's patch into a separate commit. - Paolo]
Signed-off-by: Paolo Bonzini 
Reviewed-by: Alex Bennée 
Message-Id: <2021110604.207376-5-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 accel/kvm/kvm-all.c  | 12 
 gdbstub.c| 10 +-
 include/sysemu/kvm.h | 15 +++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index eecd8031cf..2f5597572a 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -168,6 +168,8 @@ bool kvm_vm_attributes_allowed;
 bool kvm_direct_msi_allowed;
 bool kvm_ioeventfd_any_length_allowed;
 bool kvm_msi_use_devid;
+bool kvm_has_guest_debug;
+int kvm_sstep_flags;
 static bool kvm_immediate_exit;
 static hwaddr kvm_max_slot_size = ~0;
 
@@ -2564,6 +2566,16 @@ static int kvm_init(MachineState *ms)
 kvm_ioeventfd_any_length_allowed =
 (kvm_check_extension(s, KVM_CAP_IOEVENTFD_ANY_LENGTH) > 0);
 
+#ifdef KVM_CAP_SET_GUEST_DEBUG
+kvm_has_guest_debug =
+(kvm_check_extension(s, KVM_CAP_SET_GUEST_DEBUG) > 0);
+#endif
+
+kvm_sstep_flags = 0;
+if (kvm_has_guest_debug) {
+kvm_sstep_flags = SSTEP_ENABLE;
+}
+
 kvm_state = s;
 
 ret = kvm_arch_init(ms, s);
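Review bot: `kvm_has_guest_debug` is only ever assigned inside `#ifdef KVM_CAP_SET_GUEST_DEBUG`, so on headers without that capability constant the check in gdbserver_start relies on the file-scope global's zero initialisation; that is correct C but worth making explicit, since a reader of this hunk cannot tell whether the `#ifdef`-less path is an oversight. The explicit `kvm_sstep_flags = 0;` is likewise redundant for a file-scope global unless kvm_init is expected to run more than once. A short comment on the block would settle both, e.g. `/* Both globals are zero unless the capability is present; advertise plain single-step only. */`. kvm_init continues outside the hunk.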
diff --git a/gdbstub.c b/gdbstub.c
index a955175fd4..3c14c6a038 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -391,6 +391,8 @@ static void init_gdbserver_state(void)
  */
 if (replay_mode != REPLAY_MODE_NONE) {
 gdbserver_state.supported_sstep_flags = SSTEP_ENABLE;
+} else if (kvm_enabled()) {
+gdbserver_state.supported_sstep_flags = 
kvm_get_supported_sstep_flags();
 } else {
 gdbserver_state.supported_sstep_flags =
 SSTEP_ENABLE | SSTEP_NOIRQ | SSTEP_NOTIMER;
@@ -400,7 +402,8 @@ static void init_gdbserver_state(void)
  * By default use no IRQs and no timers while single stepping so as to
  * make single stepping like an ICE HW step.
  */
-gdbserver_state.sstep_flags = gdbserver_state.supported_sstep_flags;
+gdbserver_state.sstep_flags = SSTEP_ENABLE | SSTEP_NOIRQ | SSTEP_NOTIMER;
+gdbserver_state.sstep_flags &= gdbserver_state.supported_sstep_flags;
 
 }
 
@@ -3520,6 +3523,11 @@ int gdbserver_start(const char *device)
 return -1;
 }
 
+if (kvm_enabled() && !kvm_supports_guest_debug()) {
+error_report("gdbstub: KVM doesn't support guest debugging");
+return -1;
+}
+
 if (!device)
 return -1;
 if (strcmp(device, "none") != 0) {
diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
index 7b22aeb6ae..6eb39a088b 100644
--- a/include/sysemu/kvm.h
+++ b/include/sysemu/kvm.h
@@ -46,6 +46,8 @@ extern bool kvm_readonly_mem_allowed;
 extern bool kvm_direct_msi_allowed;
 extern bool kvm_ioeventfd_any_length_allowed;
 extern bool kvm_msi_use_devid;
+extern bool kvm_has_guest_debug;
+extern int kvm_sstep_flags;
 
 #define kvm_enabled()   (kvm_allowed)
 /**
@@ -167,6 +169,17 @@ extern bool kvm_msi_use_devid;
  */
 #define kvm_msi_devid_required() (kvm_msi_use_devid)
 
+/*
+ * Does KVM support guest debugging
+ */
+#define kvm_supports_guest_debug() (kvm_has_guest_debug)
+
+/*
+ * kvm_supported_sstep_flags
+ * Returns: SSTEP_* flags that KVM supports for guest debug
+ */
+#define kvm_get_supported_sstep_flags() (kvm_sstep_flags)
+
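Review bot: The comment block above `kvm_get_supported_sstep_flags()` is headed `kvm_supported_sstep_flags`, which is not the name of the macro it documents; change the heading line to ` * kvm_get_supported_sstep_flags` so grep and doc tooling find it. The `kvm_supports_guest_debug()` comment could also say what the value is derived from, since the accel/kvm/kvm-all.c hunk sets it from the KVM_CAP_SET_GUEST_DEBUG extension check, e.g. ` * Returns: true when the KVM_CAP_SET_GUEST_DEBUG extension is available`.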
 #else
 
 #define kvm_enabled()   (0)
@@ -184,6 +197,8 @@ extern bool kvm_msi_use_devid;
 #define kvm_direct_msi_enabled() (false)
 #define kvm_ioeventfd_any_length_enabled() (false)
 #define kvm_msi_devid_required() (false)
+#define kvm_supports_guest_debug() (false)
+#define kvm_get_supported_sstep_flags() (0)
 
 #endif  /* CONFIG_KVM_IS_POSSIBLE */
 
-- 
2.33.1





[PULL 02/13] tests/qtest: Add fuzz-lsi53c895a-test

2021-12-15 Thread Paolo Bonzini
From: Philippe Mathieu-Daudé 

Without the previous commit, this test triggers:

  $ make check-qtest-x86_64
  [...]
  Running test qtest-x86_64/fuzz-lsi53c895a-test
  qemu-system-x86_64: hw/scsi/lsi53c895a.c:624: lsi_do_dma: Assertion 
`s->current' failed.
  ERROR qtest-x86_64/fuzz-lsi53c895a-test - too few tests run (expected 1, got 
0)

Suggested-by: Alexander Bulekov 
Signed-off-by: Philippe Mathieu-Daudé 
Reviewed-by: Laurent Vivier 
Message-Id: <20211123111732.83137-3-phi...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 MAINTAINERS|  1 +
 tests/qtest/fuzz-lsi53c895a-test.c | 52 ++
 tests/qtest/meson.build|  1 +
 3 files changed, 54 insertions(+)
 create mode 100644 tests/qtest/fuzz-lsi53c895a-test.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 006a2293ba..4d2143ff23 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1825,6 +1825,7 @@ F: hw/scsi/*
 F: tests/qtest/virtio-scsi-test.c
 F: tests/qtest/fuzz-virtio-scsi-test.c
 F: tests/qtest/am53c974-test.c
+F: tests/qtest/fuzz-lsi53c895a-test.c
 T: git https://github.com/bonzini/qemu.git scsi-next
 
 SSI
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c 
b/tests/qtest/fuzz-lsi53c895a-test.c
new file mode 100644
index 00..ba5d468970
--- /dev/null
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * QTest fuzzer-generated testcase for LSI53C895A device
+ *
+ * Copyright (c) Red Hat
+ */
+
+#include "qemu/osdep.h"
+#include "libqos/libqtest.h"
+
+/*
+ * This used to trigger the assert in lsi_do_dma()
+ * https://bugs.launchpad.net/qemu/+bug/697510
+ * https://bugs.launchpad.net/qemu/+bug/1905521
+ * https://bugs.launchpad.net/qemu/+bug/1908515
+ */
+static void test_lsi_do_dma_empty_queue(void)
+{
+QTestState *s;
+
+s = qtest_init("-M q35 -nographic -monitor none -serial none "
+   "-drive if=none,id=drive0,"
+"file=null-co://,file.read-zeroes=on,format=raw "
+   "-device lsi53c895a,id=scsi0 "
+   "-device scsi-hd,drive=drive0,"
+"bus=scsi0.0,channel=0,scsi-id=0,lun=0");
+qtest_outl(s, 0xcf8, 0x80001814);
+qtest_outl(s, 0xcfc, 0xe1068000);
+qtest_outl(s, 0xcf8, 0x80001818);
+qtest_outl(s, 0xcf8, 0x80001804);
+qtest_outw(s, 0xcfc, 0x7);
+qtest_outl(s, 0xcf8, 0x80002010);
+
+qtest_writeb(s, 0xe106802e, 0xff); /* Fill DSP bits 16-23 */
+qtest_writeb(s, 0xe106802f, 0xff); /* Fill DSP bits 24-31: trigger SCRIPT 
*/
+
+qtest_quit(s);
+}
+
+int main(int argc, char **argv)
+{
+const char *arch = qtest_get_arch();
+
+g_test_init(&argc, &argv, NULL);
+
+if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+qtest_add_func("fuzz/lsi53c895a/lsi_do_dma_empty_queue",
+   test_lsi_do_dma_empty_queue);
+}
+
+return g_test_run();
+}
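Review bot: Two of the PCI config-space accesses in test_lsi_do_dma_empty_queue select an address that is never followed by a data write — `qtest_outl(s, 0xcf8, 0x80001818);` is immediately overwritten by the next 0xcf8 write, and `qtest_outl(s, 0xcf8, 0x80002010);` is the last config access before the MMIO writes — so they look like fuzzer leftovers that do not contribute to the reproducer and could be dropped. The accesses that do matter deserve a comment so the next reader does not have to decode them: the write through register 0x14 appears to program the device's BAR1 to 0xe1068000, which is why the DSP writes land at 0xe106802e/0xe106802f, and the 16-bit write of 0x7 through register 0x04 appears to enable I/O, memory and bus-master decode in the command register. It would also help to state in the header comment that the test passes merely by QEMU neither aborting nor hanging, e.g. `/* Regression reproducer: passes if QEMU does not abort; no device state is asserted. */`.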
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index c9d8458062..d2ce20d304 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -19,6 +19,7 @@ slow_qtests = {
 
 qtests_generic = \
   (config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? 
['fuzz-megasas-test'] : []) + \
+  (config_all_devices.has_key('CONFIG_LSI_SCSI_PCI') ? 
['fuzz-lsi53c895a-test'] : []) + \
   (config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? 
['fuzz-virtio-scsi-test'] : []) + \
   (config_all_devices.has_key('CONFIG_SB16') ? ['fuzz-sb16-test'] : []) + \
   (config_all_devices.has_key('CONFIG_SDHCI_PCI') ? ['fuzz-sdcard-test'] : []) 
+ \
-- 
2.33.1





[PULL 07/13] gdbstub: reject unsupported flags in handle_set_qemu_sstep

2021-12-15 Thread Paolo Bonzini
From: Maxim Levitsky 

handle_query_qemu_sstepbits is reporting NOIRQ and NOTIMER bits
even if they are not supported (as is the case with record/replay).
Instead, store the supported singlestep flags and reject
any unsupported bits in handle_set_qemu_sstep.  This removes
the need for the get_sstep_flags() wrapper.

While at it, move the variables into GDBState instead of using
global variables.

Signed-off-by: Maxim Levitsky 
[Extracted from Maxim's patch into a separate commit. - Paolo]
Signed-off-by: Paolo Bonzini 
Reviewed-by: Alex Bennée 
Message-Id: <2021110604.207376-4-pbonz...@redhat.com>
Signed-off-by: Paolo Bonzini 
---
 gdbstub.c | 75 ---
 1 file changed, 49 insertions(+), 26 deletions(-)

diff --git a/gdbstub.c b/gdbstub.c
index 141d7bc4ec..a955175fd4 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -368,27 +368,10 @@ typedef struct GDBState {
 gdb_syscall_complete_cb current_syscall_cb;
 GString *str_buf;
 GByteArray *mem_buf;
+int sstep_flags;
+int supported_sstep_flags;
 } GDBState;
 
-/* By default use no IRQs and no timers while single stepping so as to
- * make single stepping like an ICE HW step.
- */
-static int sstep_flags = SSTEP_ENABLE|SSTEP_NOIRQ|SSTEP_NOTIMER;
-
-/* Retrieves flags for single step mode. */
-static int get_sstep_flags(void)
-{
-/*
- * In replay mode all events written into the log should be replayed.
- * That is why NOIRQ flag is removed in this mode.
- */
-if (replay_mode != REPLAY_MODE_NONE) {
-return SSTEP_ENABLE;
-} else {
-return sstep_flags;
-}
-}
-
 static GDBState gdbserver_state;
 
 static void init_gdbserver_state(void)
@@ -399,6 +382,26 @@ static void init_gdbserver_state(void)
 gdbserver_state.str_buf = g_string_new(NULL);
 gdbserver_state.mem_buf = g_byte_array_sized_new(MAX_PACKET_LENGTH);
 gdbserver_state.last_packet = g_byte_array_sized_new(MAX_PACKET_LENGTH + 
4);
+
+/*
+ * In replay mode all events will come from the log and can't be
+ * suppressed otherwise we would break determinism. However as those
+ * events are tied to the number of executed instructions we won't see
+ * them occurring every time we single step.
+ */
+if (replay_mode != REPLAY_MODE_NONE) {
+gdbserver_state.supported_sstep_flags = SSTEP_ENABLE;
+} else {
+gdbserver_state.supported_sstep_flags =
+SSTEP_ENABLE | SSTEP_NOIRQ | SSTEP_NOTIMER;
+}
+
+/*
+ * By default use no IRQs and no timers while single stepping so as to
+ * make single stepping like an ICE HW step.
+ */
+gdbserver_state.sstep_flags = gdbserver_state.supported_sstep_flags;
+
 }
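Review bot: The comment added above `gdbserver_state.sstep_flags = gdbserver_state.supported_sstep_flags;` says the default is "no IRQs and no timers", but the assignment sets the default to whatever is supported, and in the replay branch a few lines up that is SSTEP_ENABLE alone; reword it so it is accurate in both branches, e.g. `/* Default to every supported flag: outside replay mode that means no IRQs and no timers, like an ICE HW step. */`. The hunk also leaves a stray blank line between that assignment and the closing brace of init_gdbserver_state; drop it.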
 
 #ifndef CONFIG_USER_ONLY
@@ -505,7 +508,7 @@ static int gdb_continue_partial(char *newstates)
 CPU_FOREACH(cpu) {
 if (newstates[cpu->cpu_index] == 's') {
 trace_gdbstub_op_stepping(cpu->cpu_index);
-cpu_single_step(cpu, sstep_flags);
+cpu_single_step(cpu, gdbserver_state.sstep_flags);
 }
 }
 gdbserver_state.running_state = 1;
@@ -524,7 +527,7 @@ static int gdb_continue_partial(char *newstates)
 break; /* nothing to do here */
 case 's':
 trace_gdbstub_op_stepping(cpu->cpu_index);
-cpu_single_step(cpu, get_sstep_flags());
+cpu_single_step(cpu, gdbserver_state.sstep_flags);
 cpu_resume(cpu);
 flag = 1;
 break;
@@ -1883,7 +1886,7 @@ static void handle_step(GArray *params, void *user_ctx)
 gdb_set_cpu_pc((target_ulong)get_param(params, 0)->val_ull);
 }
 
-cpu_single_step(gdbserver_state.c_cpu, get_sstep_flags());
+cpu_single_step(gdbserver_state.c_cpu, gdbserver_state.sstep_flags);
 gdb_continue();
 }
 
@@ -2017,24 +2020,44 @@ static void handle_v_commands(GArray *params, void 
*user_ctx)
 
 static void handle_query_qemu_sstepbits(GArray *params, void *user_ctx)
 {
-g_string_printf(gdbserver_state.str_buf, "ENABLE=%x,NOIRQ=%x,NOTIMER=%x",
-SSTEP_ENABLE, SSTEP_NOIRQ, SSTEP_NOTIMER);
+g_string_printf(gdbserver_state.str_buf, "ENABLE=%x", SSTEP_ENABLE);
+
+if (gdbserver_state.supported_sstep_flags & SSTEP_NOIRQ) {
+g_string_append_printf(gdbserver_state.str_buf, ",NOIRQ=%x",
+   SSTEP_NOIRQ);
+}
+
+if (gdbserver_state.supported_sstep_flags & SSTEP_NOTIMER) {
+g_string_append_printf(gdbserver_state.str_buf, ",NOTIMER=%x",
+   SSTEP_NOTIMER);
+}
+
 put_strbuf();
 }
 
 static void handle_set_qemu_sstep(GArray *params, void *user_ctx)
 {
+int new_sstep_flags;
+
 if (!params->len) {
 return;
 }
 
-sstep_flags = get_param(params, 0)->val_ul;
+new_sstep_flags = get_param(params, 0)->val_ul;
+
+if (new_sstep_flags  & ~gdbserver_state.supported_sstep_flags) {
+put_packet("E22");
+  

[PULL 00/13] Misc patches for 2021-12-15

2021-12-15 Thread Paolo Bonzini
The following changes since commit 50456a6794fbb8dc94a31eb9534e91c586da7add:

  Merge tag 'pull-ppc-20211129' of https://github.com/legoater/qemu into 
staging (2021-11-29 21:56:06 +0100)

are available in the Git repository at:

  https://gitlab.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to cbe08c35cfa8f96125512a8aa3e1bf251b1410a5:

  configure: remove dead variables (2021-12-10 09:47:18 +0100)


* improve compatibility for macOS scripts/entitlement.sh (Evan)
* add support for KVM_GUESTDBG_BLOCKIRQ (Maxim)
* update linux-headers to Linux 5.16 (myself)
* configure cleanups (myself)
* lsi53c895a assertion failure fix (Philippe)
* fix incorrect description for die-id (Yanan)
* support for NUMA in SGX enclave memory (Yang Zhong)


Evan Miller (1):
  scripts/entitlement.sh: Use backward-compatible cp flags

Maxim Levitsky (3):
  gdbstub: reject unsupported flags in handle_set_qemu_sstep
  gdbstub, kvm: let KVM report supported singlestep flags
  kvm: add support for KVM_GUESTDBG_BLOCKIRQ

Paolo Bonzini (3):
  virtio-gpu: do not byteswap padding
  linux-headers: update to 5.16-rc1
  configure: remove dead variables

Philippe Mathieu-Daudé (2):
  hw/scsi/lsi53c895a: Do not abort when DMA requested and no data queued
  tests/qtest: Add fuzz-lsi53c895a-test

Yanan Wang (1):
  qapi/machine.json: Fix incorrect description for die-id

Yang Zhong (3):
  numa: Enable numa for SGX EPC sections
  numa: Support SGX numa in the monitor and Libvirt interfaces
  doc: Add the SGX numa description

 MAINTAINERS   |   1 +
 accel/kvm/kvm-all.c   |  29 ++
 configure |   5 --
 docs/system/i386/sgx.rst  |  31 ++-
 gdbstub.c |  83 --
 hw/core/numa.c|   5 +-
 hw/i386/acpi-build.c  |   2 +
 hw/i386/sgx-epc.c |   3 +
 hw/i386/sgx-stub.c|   4 +
 hw/i386/sgx.c |  95 ++--
 hw/scsi/lsi53c895a.c  |   3 +-
 include/hw/i386/sgx-epc.h |   3 +
 include/hw/virtio/virtio-gpu-bswap.h  |   1 -
 include/standard-headers/drm/drm_fourcc.h | 121 +-
 include/standard-headers/linux/ethtool.h  |  31 +++
 include/standard-headers/linux/fuse.h |  10 ++-
 include/standard-headers/linux/pci_regs.h |   6 ++
 include/standard-headers/linux/virtio_gpu.h   |  18 +++-
 include/standard-headers/linux/virtio_ids.h   |  24 +
 include/standard-headers/linux/virtio_vsock.h |   3 +-
 include/sysemu/kvm.h  |  15 
 linux-headers/asm-arm64/unistd.h  |   1 +
 linux-headers/asm-generic/unistd.h|  22 +++--
 linux-headers/asm-mips/unistd_n32.h   |   1 +
 linux-headers/asm-mips/unistd_n64.h   |   1 +
 linux-headers/asm-mips/unistd_o32.h   |   1 +
 linux-headers/asm-powerpc/unistd_32.h |   1 +
 linux-headers/asm-powerpc/unistd_64.h |   1 +
 linux-headers/asm-s390/unistd_32.h|   1 +
 linux-headers/asm-s390/unistd_64.h|   1 +
 linux-headers/asm-x86/kvm.h   |   5 ++
 linux-headers/asm-x86/unistd_32.h |   3 +
 linux-headers/asm-x86/unistd_64.h |   3 +
 linux-headers/asm-x86/unistd_x32.h|   3 +
 linux-headers/linux/kvm.h |  40 +++--
 monitor/hmp-cmds.c|   1 +
 qapi/machine.json |  12 ++-
 qapi/misc-target.json |  19 +++-
 qemu-options.hx   |   4 +-
 scripts/entitlement.sh|   2 +-
 tests/qtest/fuzz-lsi53c895a-test.c|  52 +++
 tests/qtest/meson.build   |   1 +
 42 files changed, 590 insertions(+), 78 deletions(-)
 create mode 100644 tests/qtest/fuzz-lsi53c895a-test.c
-- 
2.33.1




Re: Redesign of QEMU startup & initial configuration

2021-12-15 Thread Mark Burton


FWIW I Agree.

(Which probably means something's hiding somewhere :-) )

Cheers
Mark.

> On 15 Dec 2021, at 21:00, Paolo Bonzini  wrote:
> 
> On 12/14/21 12:48, Markus Armbruster wrote:
>> Let's start with where we (hopefully) agree:
> 
> More or less I do agree with this, except for a couple points below where I 
> think we disagree.
> 
>> * We need a single, cohesive, low-level interface suitable for
>>   management applications.
>> * The existing interface is specified in QAPI.  Its concrete transport
>>   is QMP.
>> * The existing interface is not complete: certain things can only be
>>   done with the CLI.
>> 
>> * The existing transport is not available early enough to permit
>>   completing the interface.
> 
> So far so good.
> 
>> * Fixing that involves a rework of startup.
>> * Reworking the existing startup and managing incompatible changes is
>>   impractical, and likely to make the mess we have on our hands worse.
> 
> Not really, in particular the startup has been mostly reworked already and I 
> disagree that it is messy.  softmmu/vl.c is messy, sure: it has N different 
> command line parsers for command line options, magic related to default 
> devices, and complicated ordering of -object creation.
> 
> But the building of emulator data structures is not messy; only the code that 
> transforms the user's instructions into startup commands.  The messy parts 
> are almost entirely contained within softmmu/vl.c.
> 
> The one (and important, but fixable) exception is backends for on-board 
> devices: serial_hd, drive_get, and nd_table.
> 
>> * A new binary sidesteps the need to manage incompatible change.
> 
> More precisely, a new binary sidesteps the need to integrate an existing 
> mechanism with a new transport, and deal with the incompatibilities that 
> arise.
> 
>> Any objections so far?
>> Now let me make a few more points:
>> * Single, cohesive interface does not require single transport.  In
>>   fact, we already have two: QMP and the (internal) C interface.
>> * QMP encodes the abstract interface in JSON, and offers the result on a
>>   Unix domain socket[1].
>> * The (internal) C interface encodes the abstract interface as a set of
>>   C data types and functions.
>> * Consider a configuration file transport that encodes the abstract
>>   interface in JSON.  The only wart this adds is syntax that is
>>   arguably ill-suited to the purpose.  More suitable syntax exists.
>> * Similar for CLI.
>> * To get a "a second set of warts layered on top", we actually have to
>>   layer something on top that isn't utterly trivial.  Like a
>>   higher-level interface.  The "second set of warts" objection does not
>>   apply to (sane) transports.
> 
> The problem is that CLI and HMP, being targeted to humans (and as you say 
> below humans matter), are not necessarily trivial transports.  If people find 
> the trivial transport unusable, we will not be able to retire the old CLI.
> 
> Bad CLI is also very hard to deprecate because, unlike QMP (for which you can 
> delegate the workarounds to Libvirt & friends) and HMP (for which people can 
> just learn the new thing and type it), it is baked in countless scripts.  
> People hate it when scripts break.
> 
>> * The old CLI is partly layered on QMP, partly on HMP, and partly on
>>   internal C interfaces.  It's full of warts.
> 
> I've worked on moving it more towards QMP or at least QOM, and much less on 
> internal C interfaces.  It still has warts but they are self-contained and 
> due to the baroque ordering of options.  My point is that we can continue 
> this work to the point that having separate entry points (one CLI-centered, 
> one QMP-only) is not a problem.
> 
> The issues with the CLI then can be completely self-contained within 
> softmmu/vl.c, and will not influence the innards of QEMU.
> 
> Paolo
> 
>> * Management applications are not the only users that matter.  Humans
>>   matter.  Simple programs like ad hoc scripts matter.



