Re: [Qemu-devel] [RFC 4/6] target-ppc: add cmprb instruction

[Nikunj A Dadhania]

Richard Henderson  writes:

> This is better implemented without branches, like
>
>TCGv_i32 src1, src2, src2lo, src2hi;
>TCGv_i32 crf = cpu_crf[cdfD(ctx->opcode)];
>
>// allocate all 4 "src" temps
>
>tcg_gen_trunc_tl_i32(src1, cpu_gpr[rA(ctx->opcode)]);
>tcg_gen_trunc_tl_i32(src2, cpu_gpr[rB(ctx->opcode)]);
>

As the user input can pass something more than 0xFF, we need only the
RA(56:63). Anton's fuzzer test hit this bug. :-)

GPR06 0x0706050403021101
cmprb   cr5,1,r6,r6

Should be a match (RA = 0x01, RB=0x03021101), but fails

 tcg_gen_andi_i32(src1, src1, 0xFF);

Will send an fix patch, we can probably squash with the original one.

>tcg_gen_ext8u_i32(src2lo, src2);
>tcg_gen_shri_i32(src2, src2, 8);
>tcg_gen_extu8_i32(src2hi, src2hi);
>
>tcg_gen_setcond_tl(TCG_COND_LEU, src2lo, src2lo, src1);
>tcg_gen_setcond_tl(TCG_COND_LEU, src2hi, src1, src2hi);
>tcg_gen_and_tl(crf, src2lo, src2hi);
>
>if (ctx->opcode & 0x0020) {
>  tcg_gen_shri_i32(src2, src2, 8);
>  tcg_gen_ext8u_i32(src2lo, src2);
>  tcg_gen_shri_i32(src2, src2, 8);
>  tcg_gen_ext8u_i32(src2hi, src2);
>  tcg_gen_setcond_i32(TCG_COND_LEU, src2lo, src2lo, src1);
>  tcg_gen_setcond_i32(TCG_COND_LEU, src2hi, src1, src2hi);
>  tcg_gen_and_i32(src2lo, src2lo, src2hi);
>  tcg_gen_or_i32(crf, crf, src2lo);
>}
>
>tcg_gen_shli_i32(crf, crf, CRF_GT);
>
>// free all 4 "src" temps

Regards
Nikunj

Re: [Qemu-devel] [RFC PATCH V10 4/7] colo-compare: track connection and enqueue packet

[Jason Wang]

On 2016年07月26日 09:49, Zhang Chen wrote:

In this patch we use kernel jhash table to track
connection, and then enqueue net packet like this:

+ CompareState ++
|   |
+---+   +---+ +---+
|conn list  +--->conn   +->conn   |
+---+   +---+ +---+
|   | |   | |  |
+---+ +---v+  +---v++---v+ +---v+
   |primary |  |secondary|primary | |secondary
   |packet  |  |packet  +|packet  | |packet  +
   ++  ++++ ++
   |   | |  |
   +---v+  +---v++---v+ +---v+
   |primary |  |secondary|primary | |secondary
   |packet  |  |packet  +|packet  | |packet  +
   ++  ++++ ++
   |   | |  |
   +---v+  +---v++---v+ +---v+
   |primary |  |secondary|primary | |secondary
   |packet  |  |packet  +|packet  | |packet  +
   ++  ++++ ++

We use conn_list to record connection info.
When we want to enqueue a packet, firstly get the
connection from connection_track_table. then push
the packet to g_queue(pri/sec) in it's own conn.

Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-base.c| 108 +
  net/colo-base.h|  30 +++
  net/colo-compare.c |  70 +-
  3 files changed, 198 insertions(+), 10 deletions(-)

diff --git a/net/colo-base.c b/net/colo-base.c
index f5d5de9..7e91dec 100644
--- a/net/colo-base.c
+++ b/net/colo-base.c
@@ -16,6 +16,29 @@
  #include "qemu/error-report.h"
  #include "net/colo-base.h"
  
+uint32_t connection_key_hash(const void *opaque)

+{
+const ConnectionKey *key = opaque;
+uint32_t a, b, c;
+
+/* Jenkins hash */
+a = b = c = JHASH_INITVAL + sizeof(*key);
+a += key->src.s_addr;
+b += key->dst.s_addr;
+c += (key->src_port | key->dst_port << 16);
+__jhash_mix(a, b, c);
+
+a += key->ip_proto;
+__jhash_final(a, b, c);
+
+return c;
+}
+
+int connection_key_equal(const void *key1, const void *key2)
+{
+return memcmp(key1, key2, sizeof(ConnectionKey)) == 0;
+}
+
  int parse_packet_early(Packet *pkt)
  {
  int network_length;
@@ -47,6 +70,62 @@ int parse_packet_early(Packet *pkt)
  return 0;
  }
  
+void fill_connection_key(Packet *pkt, ConnectionKey *key)

+{
+uint32_t tmp_ports;
+
+key->ip_proto = pkt->ip->ip_p;
+
+switch (key->ip_proto) {
+case IPPROTO_TCP:
+case IPPROTO_UDP:
+case IPPROTO_DCCP:
+case IPPROTO_ESP:
+case IPPROTO_SCTP:
+case IPPROTO_UDPLITE:
+tmp_ports = *(uint32_t *)(pkt->transport_layer);
+key->src = pkt->ip->ip_src;
+key->dst = pkt->ip->ip_dst;
+key->src_port = ntohs(tmp_ports & 0x);
+key->dst_port = ntohs(tmp_ports >> 16);
+break;
+case IPPROTO_AH:
+tmp_ports = *(uint32_t *)(pkt->transport_layer + 4);
+key->src = pkt->ip->ip_src;
+key->dst = pkt->ip->ip_dst;
+key->src_port = ntohs(tmp_ports & 0x);
+key->dst_port = ntohs(tmp_ports >> 16);
+break;
+default:
+key->src_port = 0;
+key->dst_port = 0;
+break;
+}
+}
+
+Connection *connection_new(ConnectionKey *key)
+{
+Connection *conn = g_slice_new(Connection);
+
+conn->ip_proto = key->ip_proto;
+conn->processing = false;
+g_queue_init(&conn->primary_list);
+g_queue_init(&conn->secondary_list);
+
+return conn;
+}
+
+void connection_destroy(void *opaque)
+{
+Connection *conn = opaque;
+
+g_queue_foreach(&conn->primary_list, packet_destroy, NULL);
+g_queue_free(&conn->primary_list);
+g_queue_foreach(&conn->secondary_list, packet_destroy, NULL);
+g_queue_free(&conn->secondary_list);
+g_slice_free(Connection, conn);
+}
+
  Packet *packet_new(const void *data, int size)
  {
  Packet *pkt = g_slice_new(Packet);
@@ -72,3 +151,32 @@ void connection_hashtable_reset(GHashTable 
*connection_track_table)
  {
  g_hash_table_remove_all(connection_track_table);
  }
+
+/* if not found, create a new connection and add to hash table */
+Connection *connection_get(GHashTable *connection_track_table,
+   ConnectionKey *key,
+   uint32_t *hashtable_size)
+{
+Connection *conn = g_hash_table_lookup(connection_track_table, key);
+
+if (conn == NULL) {
+ConnectionKey *new_key = g_memdup(key, sizeof(*key));
+
+conn = connection_new(key);
+
+(*has

Re: [Qemu-devel] [PATCH] virtio-blk: Release s->rq queue at system_reset

[Fam Zheng]

On Tue, 08/02 08:46, Paolo Bonzini wrote:
> 
> 
> On 29/07/2016 12:22, Fam Zheng wrote:
> > At system_reset, there is no point in retrying the queued request,
> > because the driver that issued the request won't be around any more.
> > 
> > Analyzed-by: Laszlo Ersek 
> > Reported-by: Laszlo Ersek 
> > Signed-off-by: Fam Zheng 
> > ---
> >  hw/block/virtio-blk.c | 6 ++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> > index 475a822..89eca65 100644
> > --- a/hw/block/virtio-blk.c
> > +++ b/hw/block/virtio-blk.c
> > @@ -654,6 +654,7 @@ static void virtio_blk_reset(VirtIODevice *vdev)
> >  {
> >  VirtIOBlock *s = VIRTIO_BLK(vdev);
> >  AioContext *ctx;
> > +VirtIOBlockReq *req;
> >  
> >  /*
> >   * This should cancel pending requests, but can't do nicely until there
> > @@ -661,6 +662,11 @@ static void virtio_blk_reset(VirtIODevice *vdev)
> >   */
> >  ctx = blk_get_aio_context(s->blk);
> >  aio_context_acquire(ctx);
> > +while (s->rq) {
> > +req = s->rq;
> > +s->rq = req->next;
> > +virtio_blk_free_request(req);
> > +}
> >  blk_drain(s->blk);
> 
> blk_drain can consume requests too, so I think it should be the other
> way round: first drain, then drop any failed request that's been left in
> s->rq.

I don't think there is any difference in this, blk_drain cannot trigger
virtio_blk_dma_restart_cb, because it is only hooked to vm state change.

Fam

Re: [Qemu-devel] [PATCH] virtio-blk: Release s->rq queue at system_reset

[Fam Zheng]

On Tue, 08/02 15:24, Fam Zheng wrote:
> On Tue, 08/02 08:46, Paolo Bonzini wrote:
> > 
> > 
> > On 29/07/2016 12:22, Fam Zheng wrote:
> > > At system_reset, there is no point in retrying the queued request,
> > > because the driver that issued the request won't be around any more.
> > > 
> > > Analyzed-by: Laszlo Ersek 
> > > Reported-by: Laszlo Ersek 
> > > Signed-off-by: Fam Zheng 
> > > ---
> > >  hw/block/virtio-blk.c | 6 ++
> > >  1 file changed, 6 insertions(+)
> > > 
> > > diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
> > > index 475a822..89eca65 100644
> > > --- a/hw/block/virtio-blk.c
> > > +++ b/hw/block/virtio-blk.c
> > > @@ -654,6 +654,7 @@ static void virtio_blk_reset(VirtIODevice *vdev)
> > >  {
> > >  VirtIOBlock *s = VIRTIO_BLK(vdev);
> > >  AioContext *ctx;
> > > +VirtIOBlockReq *req;
> > >  
> > >  /*
> > >   * This should cancel pending requests, but can't do nicely until 
> > > there
> > > @@ -661,6 +662,11 @@ static void virtio_blk_reset(VirtIODevice *vdev)
> > >   */
> > >  ctx = blk_get_aio_context(s->blk);
> > >  aio_context_acquire(ctx);
> > > +while (s->rq) {
> > > +req = s->rq;
> > > +s->rq = req->next;
> > > +virtio_blk_free_request(req);
> > > +}
> > >  blk_drain(s->blk);
> > 
> > blk_drain can consume requests too, so I think it should be the other
> > way round: first drain, then drop any failed request that's been left in
> > s->rq.
> 
> I don't think there is any difference in this, blk_drain cannot trigger
> virtio_blk_dma_restart_cb, because it is only hooked to vm state change.

Oh you mean that blk_drain can queue more requests to s->rq. That is a good
point, indeed.

Fam

Re: [Qemu-devel] [RFC PATCH V10 6/7] colo-compare: introduce packet comparison thread

[Jason Wang]

On 2016年07月26日 09:49, Zhang Chen wrote:

If primary packet is same with secondary packet,
we will send primary packet and drop secondary
packet, otherwise notify COLO frame to do checkpoint.
If primary packet comes and secondary packet not,


s/and/but/  and /packet not/packet does not/


after REGULAR_PACKET_CHECK_MS milliseconds we set
the primary packet as old_packet,then do a checkpoint.

Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-base.c|   1 +
  net/colo-base.h|   3 +
  net/colo-compare.c | 212 +
  trace-events   |   2 +
  4 files changed, 218 insertions(+)

diff --git a/net/colo-base.c b/net/colo-base.c
index 7e91dec..eb1b631 100644
--- a/net/colo-base.c
+++ b/net/colo-base.c
@@ -132,6 +132,7 @@ Packet *packet_new(const void *data, int size)
  
  pkt->data = g_memdup(data, size);

  pkt->size = size;
+pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST);
  
  return pkt;

  }
diff --git a/net/colo-base.h b/net/colo-base.h
index 0505608..06d6dca 100644
--- a/net/colo-base.h
+++ b/net/colo-base.h
@@ -17,6 +17,7 @@
  
  #include "slirp/slirp.h"

  #include "qemu/jhash.h"
+#include "qemu/timer.h"
  
  #define HASHTABLE_MAX_SIZE 16384
  
@@ -28,6 +29,8 @@ typedef struct Packet {

  };
  uint8_t *transport_layer;
  int size;
+/* Time of packet creation, in wall clock ms */
+int64_t creation_ms;
  } Packet;
  
  typedef struct ConnectionKey {

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 5f87710..e020edc 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -36,6 +36,8 @@
  
  #define COMPARE_READ_LEN_MAX NET_BUFSIZE

  #define MAX_QUEUE_SIZE 1024
+/* TODO: Should be configurable */
+#define REGULAR_PACKET_CHECK_MS 3000
  
  /*

+ CompareState ++
@@ -83,6 +85,10 @@ typedef struct CompareState {
  GQueue unprocessed_connections;
  /* proxy current hash size */
  uint32_t hashtable_size;
+/* compare thread, a thread for each NIC */
+QemuThread thread;
+/* Timer used on the primary to find packets that are never matched */
+QEMUTimer *timer;
  } CompareState;
  
  typedef struct CompareClass {

@@ -170,6 +176,112 @@ static int packet_enqueue(CompareState *s, int mode)
  return 0;
  }
  
+/*

+ * The IP packets sent by primary and secondary
+ * will be compared in here
+ * TODO support ip fragment, Out-Of-Order
+ * return:0  means packet same
+ *> 0 || < 0 means packet different
+ */
+static int colo_packet_compare(Packet *ppkt, Packet *spkt)
+{
+trace_colo_compare_ip_info(ppkt->size, inet_ntoa(ppkt->ip->ip_src),
+   inet_ntoa(ppkt->ip->ip_dst), spkt->size,
+   inet_ntoa(spkt->ip->ip_src),
+   inet_ntoa(spkt->ip->ip_dst));
+
+if (ppkt->size == spkt->size) {
+return memcmp(ppkt->data, spkt->data, spkt->size);
+} else {
+return -1;
+}
+}
+
+static int colo_packet_compare_all(Packet *spkt, Packet *ppkt)
+{
+trace_colo_compare_main("compare all");
+return colo_packet_compare(ppkt, spkt);
+}
+
+static void colo_old_packet_check_one(void *opaque_packet,
+  void *opaque_found)
+{
+int64_t now;
+bool *found_old = (bool *)opaque_found;
+Packet *ppkt = (Packet *)opaque_packet;
+
+if (*found_old) {
+/* Someone found an old packet earlier in the queue */
+return;
+}
+
+now = qemu_clock_get_ms(QEMU_CLOCK_HOST);
+if ((now - ppkt->creation_ms) > REGULAR_PACKET_CHECK_MS) {
+trace_colo_old_packet_check_found(ppkt->creation_ms);
+*found_old = true;
+}
+}
+
+static void colo_old_packet_check_one_conn(void *opaque,
+   void *user_data)
+{


user_data is unused.


+bool found_old = false;
+Connection *conn = opaque;
+
+g_queue_foreach(&conn->primary_list, colo_old_packet_check_one,
+&found_old);


To avoid odd API for colo_old_packet_check_one, maybe you can try use 
use QTAILQ and QTAILQ_FOREACH() or g_queue_find_custom() for avoiding 
iterating each element?



+if (found_old) {
+/* do checkpoint will flush old packet */
+/* TODO: colo_notify_checkpoint();*/
+}
+}
+
+/*
+ * Look for old packets that the secondary hasn't matched,
+ * if we have some then we have to checkpoint to wake
+ * the secondary up.
+ */
+static void colo_old_packet_check(void *opaque)
+{
+CompareState *s = opaque;
+
+g_queue_foreach(&s->conn_list, colo_old_packet_check_one_conn, NULL);
+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare connection
+ */
+static void colo_compare_connection(void *opaque, void *user_data)
+{
+CompareState *s = user_data;
+Connection *conn = opaque;
+Packet *pkt = NULL;
+GList *result = NULL;
+int ret;
+
+while (!g_queue_is_empty(&co

[Qemu-devel] [PATCH v1 2/2] target-ppc: cmprb - truncate RA to 8bits

[Nikunj A Dadhania]

Missed the following bit in the instruction coding.

src1 ← EXTZ(RA(56:63))

Reported-by: Anton Blanchard 
Signed-off-by: Nikunj A Dadhania 
---

Can be squashed with the original commit

 target-ppc/translate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index dc89e6a..14f4b68 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -867,6 +867,7 @@ static void gen_cmprb(DisasContext *ctx)
 tcg_gen_trunc_tl_i32(src1, cpu_gpr[rA(ctx->opcode)]);
 tcg_gen_trunc_tl_i32(src2, cpu_gpr[rB(ctx->opcode)]);
 
+tcg_gen_andi_i32(src1, src1, 0xFF);
 tcg_gen_ext8u_i32(src2lo, src2);
 tcg_gen_shri_i32(src2, src2, 8);
 tcg_gen_ext8u_i32(src2hi, src2);
-- 
2.7.4

[Qemu-devel] [PATCH v1 1/2] target-ppc: modsw - return 64-bit sign extended

[Nikunj A Dadhania]

Reported-by: Anton Blanchard 
Signed-off-by: Nikunj A Dadhania 
---

Can be squashed with the original commit

 target-ppc/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index fc3d371..dc89e6a 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -1243,7 +1243,7 @@ static inline void gen_op_arith_modw(DisasContext *ctx, 
TCGv ret, TCGv arg1,
 tcg_gen_movi_i32(t3, 0);
 tcg_gen_movcond_i32(TCG_COND_NE, t1, t2, t3, t2, t1);
 tcg_gen_rem_i32(t3, t0, t1);
-tcg_gen_extu_i32_tl(ret, t3);
+tcg_gen_ext_i32_tl(ret, t3);
 tcg_temp_free_i32(t2);
 tcg_temp_free_i32(t3);
 } else {
-- 
2.7.4

Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

[Igor Mammedov]

On Tue,  2 Aug 2016 11:41:41 +0800
Fam Zheng  wrote:

> Since 69382d8b (qdev: Fix object reference leak in case device.realize()
> fails), object_property_set_bool could release the object. The error
> path wants the type name, so hold an reference before realizing it.
> 
> Cc: Igor Mammedov 
> Signed-off-by: Fam Zheng 
> ---
>  hw/core/qdev.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index ee4a083..5783442 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
>  
>  assert(!dev->realized);
>  
> +object_ref(OBJECT(dev));
>  object_property_set_bool(OBJECT(dev), true, "realized", &err);
>  if (err) {
>  error_reportf_err(err, "Initialization of device %s failed: ",
>object_get_typename(OBJECT(dev)));
>  exit(1);
>  }
> +object_unref(OBJECT(dev));
>  }
>  
>  void qdev_machine_creation_done(void)

I'm not sure that this is the right fix, commit 69382d8b only affects
reference created by realize() itself.
Probably reference counting wrong somewhere else,
for typical device call sequence is following:

 qdev_create() {
object_new() -> ref == 1
qdev_set_parent_bus() -> ref == 2
object_unref() -> ref == 1
 } -> ref == 1
 
 do property settings and other stuff ...

 
 qdev_init_nofail() { called with ref == 1
object_property_set_bool(true, "realized")
if error:
  ref == 1
else:
  ref == 2 (+1 for implicitly assigned parent)
 }

Re: [Qemu-devel] [RFC PATCH 1/3] hw/arm/virt: add hotplug memory support

[Peter Maydell]

On 1 August 2016 at 10:14, Igor Mammedov  wrote:
> On Mon, 1 Aug 2016 09:13:34 +0100
> Peter Maydell  wrote:
>> On 1 August 2016 at 08:46, Igor Mammedov  wrote:
>> > Base alignment comes from max supported hugepage size,
>>
>> Max hugepage size for any host? (if so, should be defined
>> in a common header somewhere)
>> Max hugepage size for ARM hosts? (if so, why is TCG
>> different from KVM?, and should still be in a common
>> header somewhere)
> It's the same for TCG but it probably doesn't matter much there,
> main usage is to provide better performance with KVM.
>
> So I'd say it's host depended (for x86 it's 1Gb),
> probably other values for ARM and PPC

We probably don't want to make the memory layout depend
on the host architecture, though :-(

>>
>> > while
>> > size alignment should depend on backend's page size
>>
>> Which page size do you have in mind here? TARGET_PAGE_SIZE
>> is often not the right answer, since it doesn't
>> correspond either to the actual page size being used
>> by the host kernel or to the actual page size used
>> by the guest kernel...
> alignment comes from here: memory_region_get_alignment()
>
> exec:c
>MAX(page_size, QEMU_VMALLOC_ALIGN)
> so it's either backend's page size or a min chunk QEMU
> allocates memory to make KVM/valgrind/whatnot happy.

Since that's always larger than TARGET_PAGE_SIZE
why are we checking for an alignment here that's
not actually sufficient to make things work?

thanks
-- PMM

Re: [Qemu-devel] [RFC PATCH V10 7/7] colo-compare: add TCP, UDP, ICMP packet comparison

[Jason Wang]

On 2016年07月26日 09:49, Zhang Chen wrote:

We add TCP,UDP,ICMP packet comparison to replace
IP packet comparison. This can increase the
accuracy of the package comparison.
less checkpoint more efficiency.


s/less/Less/



Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-compare.c | 174 +++--
  trace-events   |   4 ++
  2 files changed, 174 insertions(+), 4 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index e020edc..c7bb5f7 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -18,6 +18,7 @@
  #include "qapi/qmp/qerror.h"
  #include "qapi/error.h"
  #include "net/net.h"
+#include "net/eth.h"
  #include "net/vhost_net.h"
  #include "qom/object_interfaces.h"
  #include "qemu/iov.h"
@@ -197,9 +198,158 @@ static int colo_packet_compare(Packet *ppkt, Packet *spkt)
  }
  }
  
-static int colo_packet_compare_all(Packet *spkt, Packet *ppkt)

+/*
+ * called from the compare thread on the primary
+ * for compare tcp packet
+ * compare_tcp copied from Dr. David Alan Gilbert's branch
+ */
+static int colo_packet_compare_tcp(Packet *spkt, Packet *ppkt)
+{
+struct tcphdr *ptcp, *stcp;
+int res;
+char *sdebug, *ddebug;
+
+trace_colo_compare_main("compare tcp");
+if (ppkt->size != spkt->size) {
+if (trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {
+trace_colo_compare_main("pkt size not same");
+}
+return -1;
+}
+
+ptcp = (struct tcphdr *)ppkt->transport_layer;
+stcp = (struct tcphdr *)spkt->transport_layer;
+
+if (ptcp->th_seq != stcp->th_seq) {
+if (trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {
+trace_colo_compare_main("pkt tcp seq not same");
+}
+return -1;
+}
+
+/*
+ * The 'identification' field in the IP header is *very* random
+ * it almost never matches.  Fudge this by ignoring differences in
+ * unfragmented packets; they'll normally sort themselves out if different
+ * anyway, and it should recover at the TCP level.
+ * An alternative would be to get both the primary and secondary to rewrite
+ * somehow; but that would need some sync traffic to sync the state
+ */
+if (ntohs(ppkt->ip->ip_off) & IP_DF) {
+spkt->ip->ip_id = ppkt->ip->ip_id;
+/* and the sum will be different if the IDs were different */
+spkt->ip->ip_sum = ppkt->ip->ip_sum;


This looks dangerous. If packet were not logical same, ip cusm of 
secondary were changed.



+}
+
+res = memcmp(ppkt->data + ETH_HLEN, spkt->data + ETH_HLEN,
+(spkt->size - ETH_HLEN));
+
+if (res != 0 && trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {
+sdebug = strdup(inet_ntoa(ppkt->ip->ip_src));
+ddebug = strdup(inet_ntoa(ppkt->ip->ip_dst));
+fprintf(stderr, "%s: src/dst: %s/%s p: seq/ack=%u/%u"
+" s: seq/ack=%u/%u res=%d flags=%x/%x\n", __func__,
+   sdebug, ddebug,
+   ntohl(ptcp->th_seq), ntohl(ptcp->th_ack),
+   ntohl(stcp->th_seq), ntohl(stcp->th_ack),
+   res, ptcp->th_flags, stcp->th_flags);
+
+trace_colo_compare_tcp_miscompare("Primary len", ppkt->size);
+qemu_hexdump((char *)ppkt->data, stderr, "colo-compare", ppkt->size);
+trace_colo_compare_tcp_miscompare("Secondary len", spkt->size);
+qemu_hexdump((char *)spkt->data, stderr, "colo-compare", spkt->size);
+
+g_free(sdebug);
+g_free(ddebug);
+}
+
+return res;
+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare udp packet
+ */
+static int colo_packet_compare_udp(Packet *spkt, Packet *ppkt)
+{
+int ret;
+
+trace_colo_compare_main("compare udp");
+ret = colo_packet_compare(ppkt, spkt);
+
+if (ret) {
+trace_colo_compare_udp_miscompare("primary pkt size", ppkt->size);
+qemu_hexdump((char *)ppkt->data, stderr, "colo-compare", ppkt->size);
+trace_colo_compare_udp_miscompare("Secondary pkt size", spkt->size);
+qemu_hexdump((char *)spkt->data, stderr, "colo-compare", spkt->size);
+}
+
+return ret;
+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare icmp packet
+ */
+static int colo_packet_compare_icmp(Packet *spkt, Packet *ppkt)
  {


Consider icmp packet were usually not big, why not simply use memcpy? (I 
think I asked the same question in the past).



-trace_colo_compare_main("compare all");
+int network_length;
+struct icmp *icmp_ppkt, *icmp_spkt;
+
+trace_colo_compare_main("compare icmp");
+network_length = ppkt->ip->ip_hl * 4;
+if (ppkt->size != spkt->size ||
+ppkt->size < network_length + ETH_HLEN) {
+return -1;
+}
+icmp_ppkt = (struct icmp *)(ppkt->data + network_length + ETH_HLEN);
+icmp_spkt = (struct icmp *)(spkt->data + network_length + ETH_HLEN);
+
+if ((i

Re: [Qemu-devel] [RFC PATCH 02/11] qemu-clk: allow to attach a clock to a device

[KONRAD Frederic]

Le 29/06/2016 à 02:15, Alistair Francis a écrit :

On Mon, Jun 13, 2016 at 9:27 AM,   wrote:

From: KONRAD Frederic 

This allows to attach a clock to a DeviceState.
Contrary to gpios, the clock pins are not contained in the DeviceState but
with the child property so they can appears in the qom-tree.

Signed-off-by: KONRAD Frederic 
---
  include/qemu/qemu-clock.h | 24 +++-
  qemu-clock.c  | 22 ++
  2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/include/qemu/qemu-clock.h b/include/qemu/qemu-clock.h
index e7acd68..a2ba105 100644
--- a/include/qemu/qemu-clock.h
+++ b/include/qemu/qemu-clock.h
@@ -33,8 +33,30 @@
  typedef struct qemu_clk {
  /*< private >*/
  Object parent_obj;
+char *name;/* name of this clock in the device. */
  } *qemu_clk;

-#endif /* QEMU_CLOCK_H */
+/**
+ * qemu_clk_attach_to_device:
+ * @d: the device on which the clock need to be attached.
+ * @clk: the clock which need to be attached.
+ * @name: the name of the clock can't be NULL.
+ *
+ * Attach @clk named @name to the device @d.
+ *
+ */
+void qemu_clk_attach_to_device(DeviceState *d, qemu_clk clk,

dev instead of just d


+   const char *name);

+/**
+ * qemu_clk_get_pin:
+ * @d: the device which contain the clock.
+ * @name: the name of the clock.
+ *
+ * Get the clock named @name located in the device @d, or NULL if not found.
+ *
+ * Returns the clock named @name contained in @d.
+ */
+qemu_clk qemu_clk_get_pin(DeviceState *d, const char *name);

+#endif /* QEMU_CLOCK_H */
diff --git a/qemu-clock.c b/qemu-clock.c
index 4a47fb4..81f2852 100644
--- a/qemu-clock.c
+++ b/qemu-clock.c
@@ -23,6 +23,7 @@

  #include "qemu/qemu-clock.h"
  #include "hw/hw.h"
+#include "qapi/error.h"

  /* #define DEBUG_QEMU_CLOCK */

@@ -33,6 +34,27 @@ do { printf("qemu-clock: " fmt , ## __VA_ARGS__); } while (0)
  #define DPRINTF(fmt, ...) do { } while (0)
  #endif

+void qemu_clk_attach_to_device(DeviceState *d, qemu_clk clk, const char *name)
+{
+assert(name);
+assert(!clk->name);
+object_property_add_child(OBJECT(d), name, OBJECT(clk), &error_abort);
+clk->name = g_strdup(name);
+}
+
+qemu_clk qemu_clk_get_pin(DeviceState *d, const char *name)
+{
+gchar *path = NULL;
+Object *clk;
+bool ambiguous;
+
+path = g_strdup_printf("%s/%s", object_get_canonical_path(OBJECT(d)),
+   name);
+clk = object_resolve_path(path, &ambiguous);

Should ambiguous be passed back to the caller?


Up to you, I don't see the use case in the machine where we want to get 
the clock?





+g_free(path);
+return QEMU_CLOCK(clk);

Shouldn't you check to see if you got something valid before casting?


Yes true, I was relying on the fact that QEMU_CLOCK is in the end:
object_dynamic_cast_assert(..) which according to the doc:

 * If an invalid object is passed to this function, a run time assert 
will be

 * generated.

but it seems not to be the case in reality if CONFIG_QOM_CAST_DEBUG is 
disabled:


Object *object_dynamic_cast_assert(Object *obj, const char *typename,
   const char *file, int line, const 
char *func)

{
trace_object_dynamic_cast_assert(obj ? obj->class->type->name : 
"(null)",

 typename, file, line, func);

#ifdef CONFIG_QOM_CAST_DEBUG
int i;
Object *inst;

for (i = 0; obj && i < OBJECT_CLASS_CAST_CACHE; i++) {
if (obj->class->object_cast_cache[i] == typename) {
goto out;
}
}

inst = object_dynamic_cast(obj, typename);

if (!inst && obj) {
fprintf(stderr, "%s:%d:%s: Object %p is not an instance of type 
%s\n",

file, line, func, obj, typename);
abort();
}

assert(obj == inst);

if (obj && obj == inst) {
for (i = 1; i < OBJECT_CLASS_CAST_CACHE; i++) {
obj->class->object_cast_cache[i - 1] =
obj->class->object_cast_cache[i];
}
obj->class->object_cast_cache[i - 1] = typename;
}

out:
#endif
return obj;
}

Is that normal?

Thanks,
Fred



Thanks,

Alistair


+}
+
  static const TypeInfo qemu_clk_info = {
  .name  = TYPE_CLOCK,
  .parent= TYPE_OBJECT,
--
2.5.5

Re: [Qemu-devel] [PATCH] spapr: Don't support query-hotpluggable-cpus on earlier pseries machine types

[Igor Mammedov]

On Tue, 2 Aug 2016 16:20:50 +1000
David Gibson  wrote:

> On Tue, Aug 02, 2016 at 10:34:34AM +0530, Bharata B Rao wrote:
> > On Tue, Aug 02, 2016 at 02:25:08PM +1000, David Gibson wrote:  
> > > On Power, support for vCPU hotplug is new in qemu 2.7.  However, we
> > > currently implement the query_hotpluggable_cpus hook the same for all
> > > pseries machine type versions.
> > > 
> > > However, the old-style CPU initialization doesn't work with the new query
> > > code, meaning that attempting to use query-hotpluggable-cpus on a
> > > pseries-2.6 or earlier VM will cause qemu to SEGV.
> > > 
> > > This fixes the problem by simply disabling the hook for earlier machine
> > > types.  
> > 
> > I had sent a patch to fix this and a couple of other related issues
> > some time back and it indeed was accepted into your ppc-for-2.7 branch.
> > 
> > https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg01539.html
> > 
> > Only now I am realizing that somehow that patch didn't make it to mainline. 
> >  
> 
> Oh.. good point.  Sorry, that one somehow slipped through the cracks.
> 
> So, the remaining question is, what's the preferred behaviour for
> older machine types:
> 
>   1) should query-hotpluggable-cpus give an error, the same as it does
>  on machine types which have never supported it (this is what my
>  patch does)
> 
> or
> 
>   2) Should query-hotpluggable-cpus succeed, but return an empty list?
>  (this is what Bharata's patch does)
> 
> Igor and / or Peter, do you have an opinion on which behaviour is preferable?
> 

If it doesn't have any output then it makes sense to set handler to NULL
so it would return error.

Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

[Fam Zheng]

On Tue, 08/02 10:14, Igor Mammedov wrote:
> On Tue, 2 Aug 2016 00:00:27 -0400
> John Snow  wrote:
> 
> > On 08/01/2016 11:41 PM, Fam Zheng wrote:
> > > Since 69382d8b (qdev: Fix object reference leak in case device.realize()
> > > fails), object_property_set_bool could release the object. The error
> > > path wants the type name, so hold an reference before realizing it.
> > >
> > > Cc: Igor Mammedov 
> > > Signed-off-by: Fam Zheng 
> > > ---
> > >  hw/core/qdev.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> > > index ee4a083..5783442 100644
> > > --- a/hw/core/qdev.c
> > > +++ b/hw/core/qdev.c
> > > @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
> > >
> > >  assert(!dev->realized);
> > >
> > > +object_ref(OBJECT(dev));
> > >  object_property_set_bool(OBJECT(dev), true, "realized", &err);
> > >  if (err) {
> > >  error_reportf_err(err, "Initialization of device %s failed: ",
> > >object_get_typename(OBJECT(dev)));
> > >  exit(1);
> > >  }
> > > +object_unref(OBJECT(dev));
> > >  }
> > >
> > >  void qdev_machine_creation_done(void)
> > >  
> > 
> > Thanks :)
> > 
> > (For the list: this fixes qcow2 iotest 051. This is for-2.7.)
> I don't see any error at 'make check' time,
> could you provide reproducer CLI?

It crashes for me with something as simple as:

 $ qemu-system-x86_64 -drive if=ide

Fam

Re: [Qemu-devel] [PATCH V11 0/9] Introduce COLO-compare and filter-rewriter

[Jason Wang]

On 2016年07月28日 18:12, Zhang Chen wrote:

COLO-compare is a part of COLO project. It is used
to compare the network package to help COLO decide
whether to do checkpoint.

Filter-rewriter is a part of COLO project too.
It will rewrite some of secondary packet to make
secondary guest's connection established successfully.
In this module we will rewrite tcp packet's ack to the secondary
from primary,and rewrite tcp packet's seq to the primary from
secondary.

This series depend on
[PATCH V3] qemu-char: Add qemu_chr_add_handlers_full() for GMaincontext

The full version in this github:
https://github.com/zhangckid/qemu/tree/colo-v2.7-proxy-mode-compare-and-rewriter-jul28


Thanks for the series, I've finished v10's reviewing, and reply there. 
Looks like most comments apply to this series too. So I won't reply it 
again, please see the comments there. For filter-rewriter part, I will 
reply in this version.


Thanks



v11:
   - Make patch 5 to a independent patch series.
 [PATCH V3] qemu-char: Add qemu_chr_add_handlers_full() for GMaincontext
   - For Jason's comments, merge filter-rewriter to this series.
 (patch 7,8,9)
   - Add reverse_connection_key()
   - remove conn_list in filter-rewriter
   - remove unprocessed_connections
   - add some comments

v10:
   - fix typo
   - Should we make patch 5 independent with this series?
 This patch just add a API for qemu-char.

v9:
  p5:
   - use chr_update_read_handler_full() replace
 the chr_update_read_handler()
   - use io_watch_poll_prepare_full() replace
 the io_watch_poll_prepare()
   - use io_watch_poll_funcs_full replace
 the io_watch_poll_funcs
   - avoid code duplication

v8:
  p5:
   - add new patch:
 qemu-char: Add qemu_chr_add_handlers_full() for GMaincontext

v7:
  p5:
- add [PATCH]qemu-char: Fix context for g_source_attach()
  in this patch series.

v6:
  p6:
- add more commit log.
- fix icmp comparison to compare all packet.

  p5:
- add more cpmments in commit log.
- change REGULAR_CHECK_MS to REGULAR_PACKET_CHECK_MS
- make check old packet independent to compare thread
- remove thread_status

  p4:
- change this patch only about
  Connection and ConnectionKey.
- add some comments in commit log.
- remove mode in fill_connection_key().
- fix some comments and bug.
- move colo_conn_state to patch of
  "work with colo-frame"
- remove conn_list_lock.
- add MAX_QUEUE_SIZE, if primary_list or
  secondary_list biger than MAX_QUEUE_SIZE
  we will drop packet.

  p3:
- add new independent kernel jhash patch.

  p2:
- add new independent colo-base patch.

  p1:
- add a ascii figure and some comments to explain it
- move trace.h to p2
- move QTAILQ_HEAD(, CompareState) net_compares to
  patch of "work with colo-frame"
- add some comments in qemu-option.hx


v5:
  p3:
 - comments from Jason
   we poll and handle chardev in comapre thread,
   Through this way, there's no need for extra
   synchronization with main loop
   this depend on another patch:
   qemu-char: Fix context for g_source_attach()
 - remove QemuEvent
  p2:
 - remove conn->list_lock
  p1:
 - move compare_pri/sec_chr_in to p3
 - move compare_chr_send to p2

v4:
  p4:
 - add some comments
 - fix some trace-events
 - fix tcp compare error
  p3:
 - add rcu_read_lock().
 - fix trace name
 - fix jason's other comments
 - rebase some Dave's branch function
  p2:
 - colo_compare_connection() change g_queue_push_head() to
 - g_queue_push_tail() match to sorted order.
 - remove pkt->s
 - move data structure to colo-base.h
 - add colo-base.c reuse codes for filter-rewriter
 - add some filter-rewriter needs struct
 - depends on previous SocketReadState patch
  p1:
 - except move qemu_chr_add_handlers()
   to colo thread
 - remove class_finalize
 - remove secondary arp codes
 - depends on previous SocketReadState patch

v3:
   - rebase colo-compare to colo-frame v2.7
   - fix most of Dave's comments
 (except RCU)
   - add TCP,UDP,ICMP and other packet comparison
   - add trace-event
   - add some comments
   - other bug fix
   - add RFC index
   - add usage in patch 1/4

v2:
   - add jhash.h

v1:
   - initial patch


Zhang Chen (9):
   colo-compare: introduce colo compare initialization
   colo-base: add colo-base to define and handle packet
   Jhash: add linux kernel jhashtable in qemu
   colo-compare: track connection and enqueue packet
   colo-compare: introduce packet comparison thread
   colo-compare: add TCP,UDP,ICMP packet comparison
   filter-rewriter: introduce filter-rewriter initialization
   filter-rewriter: track connection and parse packet
   filter-rewriter: rewrite tcp packet to keep secondary connection

  include/qemu/jhash.h  |  61 
  net/Makefile.objs |   3 +
  net/colo-base.c   | 199 +
  net/colo-base.h   |  7

Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

[Igor Mammedov]

On Tue, 2 Aug 2016 00:00:27 -0400
John Snow  wrote:

> On 08/01/2016 11:41 PM, Fam Zheng wrote:
> > Since 69382d8b (qdev: Fix object reference leak in case device.realize()
> > fails), object_property_set_bool could release the object. The error
> > path wants the type name, so hold an reference before realizing it.
> >
> > Cc: Igor Mammedov 
> > Signed-off-by: Fam Zheng 
> > ---
> >  hw/core/qdev.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> > index ee4a083..5783442 100644
> > --- a/hw/core/qdev.c
> > +++ b/hw/core/qdev.c
> > @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
> >
> >  assert(!dev->realized);
> >
> > +object_ref(OBJECT(dev));
> >  object_property_set_bool(OBJECT(dev), true, "realized", &err);
> >  if (err) {
> >  error_reportf_err(err, "Initialization of device %s failed: ",
> >object_get_typename(OBJECT(dev)));
> >  exit(1);
> >  }
> > +object_unref(OBJECT(dev));
> >  }
> >
> >  void qdev_machine_creation_done(void)
> >  
> 
> Thanks :)
> 
> (For the list: this fixes qcow2 iotest 051. This is for-2.7.)
I don't see any error at 'make check' time,
could you provide reproducer CLI?

> 
> Reviewed-by: John Snow 

Re: [Qemu-devel] [PATCH V11 8/9] filter-rewriter: track connection and parse packet

[Jason Wang]

On 2016年07月28日 18:12, Zhang Chen wrote:

We use colo-base.h to track connection and parse packet

Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-base.c   | 14 ++
  net/colo-base.h   |  1 +
  net/filter-rewriter.c | 50 ++
  3 files changed, 65 insertions(+)

diff --git a/net/colo-base.c b/net/colo-base.c
index eb1b631..20797b5 100644
--- a/net/colo-base.c
+++ b/net/colo-base.c
@@ -103,6 +103,20 @@ void fill_connection_key(Packet *pkt, ConnectionKey *key)
  }
  }
  
+void reverse_connection_key(ConnectionKey *key)

+{
+struct in_addr tmp_ip;
+uint16_t tmp_port;
+
+tmp_ip = key->src;
+key->src = key->dst;
+key->dst = tmp_ip;
+
+tmp_port = key->src_port;
+key->src_port = key->dst_port;
+key->dst_port = tmp_port;
+}
+
  Connection *connection_new(ConnectionKey *key)
  {
  Connection *conn = g_slice_new(Connection);
diff --git a/net/colo-base.h b/net/colo-base.h
index 860a148..8d402a3 100644
--- a/net/colo-base.h
+++ b/net/colo-base.h
@@ -56,6 +56,7 @@ uint32_t connection_key_hash(const void *opaque);
  int connection_key_equal(const void *opaque1, const void *opaque2);
  int parse_packet_early(Packet *pkt);
  void fill_connection_key(Packet *pkt, ConnectionKey *key);
+void reverse_connection_key(ConnectionKey *key);
  Connection *connection_new(ConnectionKey *key);
  void connection_destroy(void *opaque);
  Connection *connection_get(GHashTable *connection_track_table,
diff --git a/net/filter-rewriter.c b/net/filter-rewriter.c
index 3a39f52..6350080 100644
--- a/net/filter-rewriter.c
+++ b/net/filter-rewriter.c
@@ -51,6 +51,20 @@ static void filter_rewriter_flush(NetFilterState *nf)
  }
  }
  
+/*

+ * Return 1 on success, if return 0 means the pkt
+ * is not TCP packet
+ */
+static int is_tcp_packet(Packet *pkt)
+{
+if (!parse_packet_early(pkt) &&
+pkt->ip->ip_p == IPPROTO_TCP) {
+return 1;
+} else {
+return 0;
+}
+}
+
  static ssize_t colo_rewriter_receive_iov(NetFilterState *nf,
   NetClientState *sender,
   unsigned flags,
@@ -58,11 +72,47 @@ static ssize_t colo_rewriter_receive_iov(NetFilterState *nf,
   int iovcnt,
   NetPacketSent *sent_cb)
  {
+RewriterState *s = FILTER_COLO_REWRITER(nf);
+Connection *conn;
+ConnectionKey key = {{ 0 } };
+Packet *pkt;
+ssize_t size = iov_size(iov, iovcnt);
+char *buf = g_malloc0(size);
+
+iov_to_buf(iov, iovcnt, 0, buf, size);
+pkt = packet_new(buf, size);
+
  /*
   * if we get tcp packet
   * we will rewrite it to make secondary guest's
   * connection established successfully
   */
+if (is_tcp_packet(pkt)) {
+
+fill_connection_key(pkt, &key);
+
+if (sender == nf->netdev) {
+/*
+ * We need make tcp TX and RX packet
+ * into one connection.
+ */
+reverse_connection_key(&key);


Why not simply do the comparing and swap in fill_connection_key()?


+}
+conn = connection_get(s->connection_track_table,
+  &key,
+  &s->hashtable_size);
+
+if (sender == nf->netdev) {
+/* NET_FILTER_DIRECTION_TX */
+/* handle_primary_tcp_pkt */
+} else {
+/* NET_FILTER_DIRECTION_RX */
+/* handle_secondary_tcp_pkt */
+}
+}
+
+packet_destroy(pkt, NULL);
+pkt = NULL;
  return 0;
  }
  

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[Peter Xu]

On Mon, Aug 01, 2016 at 06:39:05PM +0200, Jan Kiszka wrote:

[...]

> >  static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
> > @@ -2209,11 +2250,17 @@ static MemTxResult vtd_mem_ir_write(void *opaque, 
> > hwaddr addr,
> >  {
> >  int ret = 0;
> >  MSIMessage from = {}, to = {};
> > +uint16_t sid = X86_IOMMU_SID_INVALID;
> >  
> >  from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
> >  from.data = (uint32_t) value;
> >  
> > -ret = vtd_interrupt_remap_msi(opaque, &from, &to);
> > +if (!attrs.unspecified) {
> > +/* We have explicit Source ID */
> > +sid = attrs.requester_id;
> > +}
> 
> ...here you fall back to X86_IOMMU_SID_INVALID if writer to this region
> has not provided some valid attrs. That is questionable, defeats
> validation of the IOAPIC e.g. (and you can see lots of
> X86_IOMMU_SID_INVALID in vtd_irte_get when booting a guest).
> 
> The credits also go to David who noticed that he still doesn't get a
> proper ID from the IOAPIC while implementing AMD IR. Looks like we need
> to enlighten the IOAPIC MSI writes...

Jan, David,

At the time when drafting the patch, I skipped SID verification for
IOAPIC interrupts since it differs from generic PCI devices (no
natural requester ID, so need some hacky lines to enable it).

I can try to cook another seperate patch to enable it (for 2.8
possibly?). Thanks for pointing out this issue.

-- peterx

[Qemu-devel] [V15 1/4] hw/pci: Prepare for AMD IOMMU

[David Kiarie]

Introduce PCI macros from for use by AMD IOMMU

Signed-off-by: David Kiarie 
---
 include/hw/pci/pci.h | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 929ec2f..d47e0e6 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -11,11 +11,14 @@
 #include "hw/pci/pcie.h"
 
 /* PCI bus */
-
+#define PCI_BDF(bus, devfn) uint16_t)(bus)) << 8) | (devfn))
 #define PCI_DEVFN(slot, func)   slot) & 0x1f) << 3) | ((func) & 0x07))
+#define PCI_BUS_NUM(x)  (((x) >> 8) & 0xff)
 #define PCI_SLOT(devfn) (((devfn) >> 3) & 0x1f)
 #define PCI_FUNC(devfn) ((devfn) & 0x07)
 #define PCI_BUILD_BDF(bus, devfn) ((bus << 8) | (devfn))
+#define PCI_BUS_MAX 256
+#define PCI_DEVFN_MAX   256
 #define PCI_SLOT_MAX32
 #define PCI_FUNC_MAX8
 
-- 
2.1.4

[Qemu-devel] [V15 4/4] hw/i386: AMD IOMMU IVRS table

[David Kiarie]

Add IVRS table for AMD IOMMU. Generate IVRS or DMAR
depending on emulated IOMMU.

Signed-off-by: David Kiarie 
---
 hw/acpi/aml-build.c |  2 +-
 hw/i386/acpi-build.c| 76 -
 hw/i386/x86-iommu.c | 19 
 include/hw/acpi/aml-build.h |  1 +
 include/hw/i386/x86-iommu.h | 11 +++
 5 files changed, 101 insertions(+), 8 deletions(-)

diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index db3e914..b2a1e40 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -226,7 +226,7 @@ static void build_extop_package(GArray *package, uint8_t op)
 build_prepend_byte(package, 0x5B); /* ExtOpPrefix */
 }
 
-static void build_append_int_noprefix(GArray *table, uint64_t value, int size)
+void build_append_int_noprefix(GArray *table, uint64_t value, int size)
 {
 int i;
 
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a26a4bb..efed318 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -59,7 +59,8 @@
 
 #include "qapi/qmp/qint.h"
 #include "qom/qom-qobject.h"
-#include "hw/i386/x86-iommu.h"
+#include "hw/i386/amd_iommu.h"
+#include "hw/i386/intel_iommu.h"
 
 #include "hw/acpi/ipmi.h"
 
@@ -2562,6 +2563,68 @@ build_dmar_q35(GArray *table_data, BIOSLinker *linker)
 build_header(linker, table_data, (void *)(table_data->data + dmar_start),
  "DMAR", table_data->len - dmar_start, 1, NULL, NULL);
 }
+/*
+ *   IVRS table as specified in AMD IOMMU Specification v2.62, Section 5.2
+ *   accessible here http://support.amd.com/TechDocs/48882_IOMMU.pdf
+ */
+static void
+build_amd_iommu(GArray *table_data, BIOSLinker *linker)
+{
+int iommu_start = table_data->len;
+AMDVIState *s = AMD_IOMMU_DEVICE(x86_iommu_get_default());
+assert(s);
+
+/* IVRS header */
+acpi_data_push(table_data, sizeof(AcpiTableHeader));
+/* IVinfo - IO virtualization information common to all IOMMU
+ * units in a system
+ */
+build_append_int_noprefix(table_data, 40UL << 8/* PASize */, 4);
+/* reserved */
+build_append_int_noprefix(table_data, 0, 8);
+
+/* IVHD definition - type 10h */
+build_append_int_noprefix(table_data, 0x10, 1);
+/* virtualization flags */
+build_append_int_noprefix(table_data,
+ (1UL << 0) | /* HtTunEn  */
+ (1UL << 4) | /* iotblSup */
+ (1UL << 6) | /* PrefSup  */
+ (1UL << 7),  /* PPRSup   */
+ 1);
+/* IVHD length */
+build_append_int_noprefix(table_data, 0x28, 2);
+/* DeviceID */
+build_append_int_noprefix(table_data, s->devid, 2);
+/* Capability offset */
+build_append_int_noprefix(table_data, s->capab_offset, 2);
+/* IOMMU base address */
+build_append_int_noprefix(table_data, s->mmio.addr, 8);
+/* PCI Segment Group */
+build_append_int_noprefix(table_data, 0, 2);
+/* IOMMU info */
+build_append_int_noprefix(table_data, 0, 2);
+/* IOMMU Feature Reporting */
+build_append_int_noprefix(table_data,
+ (48UL << 30) | /* HATS   */
+ (48UL << 28) | /* GATS   */
+ (1UL << 2),/* GTSup  */
+ 4);
+/* Add device flags here
+ *   These are 4-byte device entries currently reporting the range of
+ *   devices 00h - h; all devices
+ *   Device setting affecting all devices should be made here
+ *
+ *   Refer to Spec - Table 95:IVHD Device Entry Type Codes(4-byte)
+ */
+/* start of device range, 4-byte entries */
+build_append_int_noprefix(table_data, 0x0003, 4);
+/* end of device range */
+build_append_int_noprefix(table_data, 0x0004, 4);
+
+build_header(linker, table_data, (void *)(table_data->data + iommu_start),
+ "IVRS", table_data->len - iommu_start, 1, NULL, NULL);
+}
 
 static GArray *
 build_rsdp(GArray *rsdp_table, BIOSLinker *linker, unsigned rsdt_tbl_offset)
@@ -2622,11 +2685,6 @@ static bool acpi_get_mcfg(AcpiMcfgInfo *mcfg)
 return true;
 }
 
-static bool acpi_has_iommu(void)
-{
-return !!x86_iommu_get_default();
-}
-
 static
 void acpi_build(AcpiBuildTables *tables, MachineState *machine)
 {
@@ -2639,6 +2697,7 @@ void acpi_build(AcpiBuildTables *tables, MachineState 
*machine)
 AcpiMcfgInfo mcfg;
 Range pci_hole, pci_hole64;
 uint8_t *u;
+IommuType IOMMUType = x86_iommu_get_type();
 size_t aml_len = 0;
 GArray *tables_blob = tables->table_data;
 AcpiSlicOem slic_oem = { .id = NULL, .table_id = NULL };
@@ -2706,7 +2765,10 @@ void acpi_build(AcpiBuildTables *tables, MachineState 
*machine)
 acpi_add_table(table_offsets, tables_blob);
 build_mcfg_q35(tables_blob, tables->linker, &mcfg);
 }
-if (acpi_has_iommu()) {
+if (IOMMUType == TYPE_AMD) {
+acpi_add_table(table_offsets, 

[Qemu-devel] [V15 0/4] AMD IOMMU

[David Kiarie]

Hi all,

This patchset adds basic AMD IOMMU emulation support to Qemu. This version 
happens to have been delayed since I expected to send it together with IR code 
but it seems that may take even longer so I'm sending this first.

Changes since v13
   -Added an error to make AMD IOMMU incompatible with device assignment.[Alex]
   -Converted AMD IOMMU into a composite PCI and System Bus device. This helps 
with:
  -We can now inherit from X86 IOMMU base class(which is implemented as a 
System Bus device).
  -We can now reserve MMIO region for IOMMU without a BAR register and 
without a hack.

Changes since v12

   -Coding style fixes [Jan, Michael]
   -Error logging fix to avoid using a macro[Jan]
   -moved some PCI macros to PCI header[Jan]
   -Use a lookup table for MMIO register names when tracing[Jan]

Changes since V11
   -AMD IOMMU is not started with -device amd-iommu (with a dependency on 
Marcel's patches).
   -IOMMU commands are represented using bitfields which is less error prone 
and more readable[Peter]
   -Changed from debug fprintfs to tracing[Jan]

Changes since V10
 
   -Support for huge pages including some obscure AMD IOMMU feature that allows 
default page size override[Jan].
   -Fixed an issue with generation of interrupts. We noted that AMD IOMMU has 
BusMaster- and is therefore not able to generate interrupts like any other PCI 
device. We have resulted in writing directly to system address but this could 
be fixed by some patches which have not been merged yet.

Changes since v9

   -amd_iommu prefixes have been renamed to a shorter 'amdvi' both in the macros
and in the functions/code. The register macros have not been moved to the 
implementation file since almost the macros there are basically macros and 
I 
reckoned renaming them should suffice.
   -taken care of byte order in the use of 'dma_memory_read'[Michael]
   -Taken care of invalid DTE entries to ensure no DMA unless a device is 
configured to allow it.
   -An issue with the emulate IOMMU defaulting to AMD_IOMMU has been 
fixed[Marcel]
   
You can test[1] this patches by starting with parameters 
qemu-system-x86_64 -M -device amd-iommu -m 2G -enable-kvm -smp 4 -cpu host 
-hda file.img -soundhw ac97 
emulating whatever devices you want.

Not passing any command line parameters to linux should be enough to test this 
patches since the devices are basically
passes-through but to the 'host' (l1 guest). You can still go ahead pass 
command line parameter 'iommu=pt iommu=1'
and try to pass a device to L2 guest. This can also done without passing any 
iommu related parameters to the kernel. 

David Kiarie (4):
  hw/pci: Prepare for AMD IOMMU
  hw/i386/trace-events: Add AMD IOMMU trace events
  hw/i386: Introduce AMD IOMMU
  hw/i386: AMD IOMMU IVRS table

 hw/acpi/aml-build.c |2 +-
 hw/i386/Makefile.objs   |1 +
 hw/i386/acpi-build.c|   76 ++-
 hw/i386/amd_iommu.c | 1397 +++
 hw/i386/amd_iommu.h |  390 
 hw/i386/trace-events|   36 ++
 hw/i386/x86-iommu.c |   19 +
 include/hw/acpi/aml-build.h |1 +
 include/hw/i386/x86-iommu.h |   11 +
 include/hw/pci/pci.h|5 +-
 10 files changed, 1929 insertions(+), 9 deletions(-)
 create mode 100644 hw/i386/amd_iommu.c
 create mode 100644 hw/i386/amd_iommu.h

-- 
2.1.4

[Qemu-devel] [V15 2/4] hw/i386/trace-events: Add AMD IOMMU trace events

[David Kiarie]

Signed-off-by: David Kiarie 
---
 hw/i386/trace-events | 29 +
 1 file changed, 29 insertions(+)

diff --git a/hw/i386/trace-events b/hw/i386/trace-events
index b4882c1..592de3a 100644
--- a/hw/i386/trace-events
+++ b/hw/i386/trace-events
@@ -13,3 +13,32 @@ mhp_pc_dimm_assigned_address(uint64_t addr) "0x%"PRIx64
 
 # hw/i386/x86-iommu.c
 x86_iommu_iec_notify(bool global, uint32_t index, uint32_t mask) "Notify IEC 
invalidation: global=%d index=%" PRIu32 " mask=%" PRIu32
+
+# hw/i386/amd_iommu.c
+amdvi_evntlog_fail(uint64_t addr, uint32_t head) "error: fail to write at addr 
0x%"PRIx64 " +  offset 0x%"PRIx32
+amdvi_cache_update(uint16_t domid, uint32_t bus, uint32_t slot, uint32_t func, 
uint64_t gpa, uint64_t txaddr) " update iotlb domid 0x%"PRIx16" devid: 
%02x:%02x.%x gpa 0x%"PRIx64 " hpa 0x%"PRIx64
+amdvi_completion_wait_fail(uint64_t addr) "error: fail to write at address 
0x%"PRIx64
+amdvi_mmio_write(const char *reg, uint64_t addr, unsigned size, uint64_t val, 
unsigned long offset) "%s write addr 0x%"PRIx64 ", size %d, val 0x%"PRIx64 ", 
offset 0x%"PRIx64
+amdvi_mmio_read(const char *reg, uint64_t addr, unsigned size, uint64_t 
offset) "%s read addr 0x%"PRIx64", size %d offset 0x%"PRIx64
+amdvi_command_error(uint64_t status) "error: Executing commands with command 
buffer disabled 0x%"PRIx64
+amdvi_command_read_fail(uint64_t addr, uint32_t head) "error: fail to access 
memory at 0x%"PRIx64" + 0x%"PRIu32
+amdvi_command_exec(uint32_t head, uint32_t tail, uint64_t buf) "command buffer 
head at 0x%"PRIx32 " command buffer tail at 0x%"PRIx32" command buffer base at 
0x%" PRIx64
+amdvi_unhandled_command(uint8_t type) "unhandled command %d"
+amdvi_intr_inval(void) "Interrupt table invalidated"
+amdvi_iotlb_inval(void) "IOTLB pages invalidated"
+amdvi_prefetch_pages(void) "Pre-fetch of AMD-Vi pages requested"
+amdvi_pages_inval(uint16_t domid) "AMD-Vi pages for domain 0x%"PRIx16 " 
invalidated"
+amdvi_all_inval(void) "Invalidation of all AMD-Vi cache requested "
+amdvi_ppr_exec(void) "Execution of PPR queue requested "
+amdvi_devtab_inval(uint16_t bus, uint16_t slot, uint16_t func) "device table 
entry for devid: %02x:%02x.%x invalidated"
+amdvi_completion_wait(uint64_t addr, uint64_t data) "completion wait requested 
with store address 0x%"PRIx64" and store data 0x%"PRIx64
+amdvi_control_status(uint64_t val) "MMIO_STATUS state 0x%"PRIx64
+amdvi_iotlb_reset(void) "IOTLB exceed size limit - reset "
+amdvi_completion_wait_exec(uint64_t addr, uint64_t data) "completion wait 
requested with store address 0x%"PRIx64" and store data 0x%"PRIx64
+amdvi_dte_get_fail(uint64_t addr, uint32_t offset) "error: failed to access 
Device Entry devtab 0x%"PRIx64" offset 0x%"PRIx32
+amdvi_invalid_dte(uint64_t addr) "PTE entry at 0x%"PRIx64" is invalid "
+amdvi_get_pte_hwerror(uint64_t addr) "hardware error eccessing PTE at addr 
0x%"PRIx64
+amdvi_mode_invalid(unsigned level, uint64_t addr)"error: translation level 
0x%"PRIu8" translating addr 0x%"PRIx64
+amdvi_page_fault(uint64_t addr) "error: page fault accessing guest physical 
address 0x%"PRIx64
+amdvi_iotlb_hit(uint16_t bus, uint16_t slot, uint16_t func, uint64_t addr, 
uint64_t txaddr) "hit iotlb devid %02x:%02x.%x gpa 0x%"PRIx64 " hpa 0x%"PRIx64
+amdvi_translation_result(uint16_t bus, uint16_t slot, uint16_t func, uint64_t 
addr, uint64_t txaddr) "devid: %02x:%02x.%x gpa 0x%"PRIx64 " hpa 0x%"PRIx64
-- 
2.1.4

Re: [Qemu-devel] [PATCH] qdev: Fix use after free in qdev_init_nofail error path

[Fam Zheng]

On Tue, 08/02 09:55, Igor Mammedov wrote:
>  qdev_init_nofail() { called with ref == 1

Yes it does.

> object_property_set_bool(true, "realized")
> if error:
>   ref == 1
^

This is not the case for qdev, the object is actually released by
object_property_set_bool if fail.

The problem seems to be that qdev_create doesn't set OBJECT(dev)->parent,
because it eventually calls object_property_add_link instead of
object_property_add_child.

> else:
>   ref == 2 (+1 for implicitly assigned parent)
>  }

Fam

[Qemu-devel] [V15 3/4] hw/i386: Introduce AMD IOMMU

[David Kiarie]

Add AMD IOMMU emulaton to Qemu in addition to Intel IOMMU.
The IOMMU does basic translation, error checking and has a
minimal IOTLB implementation. This IOMMU bypassed the need
for target aborts by responding with IOMMU_NONE access rights
and exempts the region 0xfee0-0xfeef from translation
as it is the q35 interrupt region.

We advertise features that are not yet implemented to please
the Linux IOMMU driver.

IOTLB aims at implementing commands on real IOMMUs which is
essential for debugging and may not offer any performance
benefits

Signed-off-by: David Kiarie 
---
 hw/i386/Makefile.objs |1 +
 hw/i386/amd_iommu.c   | 1397 +
 hw/i386/amd_iommu.h   |  390 ++
 hw/i386/trace-events  |7 +
 4 files changed, 1795 insertions(+)
 create mode 100644 hw/i386/amd_iommu.c
 create mode 100644 hw/i386/amd_iommu.h

diff --git a/hw/i386/Makefile.objs b/hw/i386/Makefile.objs
index 90e94ff..909ead6 100644
--- a/hw/i386/Makefile.objs
+++ b/hw/i386/Makefile.objs
@@ -3,6 +3,7 @@ obj-y += multiboot.o
 obj-y += pc.o pc_piix.o pc_q35.o
 obj-y += pc_sysfw.o
 obj-y += x86-iommu.o intel_iommu.o
+obj-y += amd_iommu.o
 obj-$(CONFIG_XEN) += ../xenpv/ xen/
 
 obj-y += kvmvapic.o
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
new file mode 100644
index 000..7b64dd7
--- /dev/null
+++ b/hw/i386/amd_iommu.c
@@ -0,0 +1,1397 @@
+/*
+ * QEMU emulation of AMD IOMMU (AMD-Vi)
+ *
+ * Copyright (C) 2011 Eduard - Gabriel Munteanu
+ * Copyright (C) 2015 David Kiarie, 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ *
+ * Cache implementation inspired by hw/i386/intel_iommu.c
+ *
+ */
+#include "qemu/osdep.h"
+#include 
+#include "hw/pci/msi.h"
+#include "hw/i386/pc.h"
+#include "hw/i386/amd_iommu.h"
+#include "hw/pci/pci_bus.h"
+#include "trace.h"
+
+/* used AMD-Vi MMIO registers */
+const char *amdvi_mmio_low[] = {
+"AMDVI_MMIO_DEVTAB_BASE",
+"AMDVI_MMIO_CMDBUF_BASE",
+"AMDVI_MMIO_EVTLOG_BASE",
+"AMDVI_MMIO_CONTROL",
+"AMDVI_MMIO_EXCL_BASE",
+"AMDVI_MMIO_EXCL_LIMIT",
+"AMDVI_MMIO_EXT_FEATURES",
+"AMDVI_MMIO_PPR_BASE",
+"UNHANDLED"
+};
+const char *amdvi_mmio_high[] = {
+"AMDVI_MMIO_COMMAND_HEAD",
+"AMDVI_MMIO_COMMAND_TAIL",
+"AMDVI_MMIO_EVTLOG_HEAD",
+"AMDVI_MMIO_EVTLOG_TAIL",
+"AMDVI_MMIO_STATUS",
+"AMDVI_MMIO_PPR_HEAD",
+"AMDVI_MMIO_PPR_TAIL",
+"UNHANDLED"
+};
+typedef struct AMDVIAddressSpace {
+uint8_t bus_num;/* bus number   */
+uint8_t devfn;  /* device function  */
+AMDVIState *iommu_state;/* AMDVI - one per machine  */
+MemoryRegion iommu; /* Device's address translation region  */
+MemoryRegion iommu_ir;  /* Device's interrupt remapping region  */
+AddressSpace as;/* device's corresponding address space */
+} AMDVIAddressSpace;
+
+/* AMDVI cache entry */
+typedef struct AMDVIIOTLBEntry {
+uint64_t gfn;   /* guest frame number  */
+uint16_t domid; /* assigned domain id  */
+uint16_t devid; /* device owning entry */
+uint64_t perms; /* access permissions  */
+uint64_t translated_addr;   /* translated address  */
+uint64_t page_mask; /* physical page size  */
+} AMDVIIOTLBEntry;
+
+/* serialize IOMMU command processing */
+typedef struct QEMU_PACKED {
+#ifdef HOST_WORDS_BIGENDIAN
+uint64_t type:4;   /* command type   */
+uint64_t reserved:8;
+uint64_t store_addr:49;/* addr to write  */
+uint64_t completion_flush:1;   /* allow more executions  */
+uint64_t completion_int:1; /* set MMIOWAITINT*/
+uint64_t completion_store:1;   /* write data to address  */
+#else
+uint64_t completion_store:1;
+uint64_t completion_int:1;
+uint64_t completion_flush:1;
+uint64_t store_addr:49;
+uint64_t reserved:8;
+uint64_t type:4;
+#endif /* __BIG_ENDIAN_BITFIELD */
+uint64_t store_data;   /* data to write  */
+} CMDCompletionWait;
+
+/* invalidate internal caches for devid */
+typedef struct QEMU_PACKED {
+#ifdef HOST_WORDS_BIGENDIAN
+uint64_t devid;/* device to invalidate   */
+uint64_t reserved_1:44;
+uint64_t type:4;   /* command type 

Re: [Qemu-devel] [PATCH] ppc: Add MacOS VGA driver ROM

[Gerd Hoffmann]

On Di, 2016-08-02 at 15:35 +1000, Benjamin Herrenschmidt wrote:
> On Tue, 2016-08-02 at 07:25 +0200, Gerd Hoffmann wrote:
> > > That's the part we cannot provide unfortunately. There is sadly no
> > > toolchain that can produce a MacOS PEF binary other than hosted in
> > > MacOS itself. In fact I don't think Apple XCode can either, which
> > > leaves us with CodeWarrior (commercial) or MPW (which I think at some
> > > point became free but I didn't find it and it doesn't work on OS X
> > > afaik).
> > 
> > Firmware builds often have specific requirements, such as only working
> > on $arch due to firmware not being cross-buildable (thats why there are
> > the prebuilt binaries in the first place).  So if those makefile rules
> > work only on macos with CodeWarrior installed that is perfectly fine.
> 
> Right though in that case it's not a Makefile, it's a CodeWarrior
> project in .xml form ;-) It is included in the git repo.

Good, that simplifies the makesfile rules to something like:

macosdrivers:
(cd $submodule: cw-build-tool $args $project.xml)
cp -v $submodule/$binary ../pc-bios

> CodeWarrior for MacOS X does come with command line versions of the
> tools, I plan to look into doing a Makefile once I've sorted out the
> various arguments for these things at least.

Yes, you do that once, put it into roms/Makefile, and the next time you
just do "make -C roms macosdrivers" instead of sorting out the various
arguments *again*.

Bonus: Any possible contributers will have an easier start too.

cheers,
  Gerd

Re: [Qemu-devel] [PATCH] ppc: Add MacOS VGA driver ROM

[Benjamin Herrenschmidt]

On Tue, 2016-08-02 at 10:55 +0200, Gerd Hoffmann wrote:
> > CodeWarrior for MacOS X does come with command line versions of the
> > tools, I plan to look into doing a Makefile once I've sorted out the
> > various arguments for these things at least.
> 
> Yes, you do that once, put it into roms/Makefile, and the next time you
> just do "make -C roms macosdrivers" instead of sorting out the various
> arguments *again*.
> 
> Bonus: Any possible contributers will have an easier start too.

I did notice that having Makefiles in the roms directory make
git submodule barf ... I had to remove them for it to be able
to clone the submodules.

Cheers,
Ben.

[Qemu-devel] [PATCH 2/7] vhdx: Use QEMU UUID API

[Fam Zheng]

This removes our dependency to libuuid, so that the driver can always be
built.

Similar to how we handled data plane configure options, --enable-vhdx
and --disable-vhdx are also changed to a nop with a message saying it's
obsolete.

Signed-off-by: Fam Zheng 
---
 block/Makefile.objs |  2 +-
 block/vhdx-endian.c |  3 ---
 block/vhdx.c|  7 +++
 configure   | 27 +++
 4 files changed, 7 insertions(+), 32 deletions(-)

diff --git a/block/Makefile.objs b/block/Makefile.objs
index 2593a2f..013abb8 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -2,7 +2,7 @@ block-obj-y += raw_bsd.o qcow.o vdi.o vmdk.o cloop.o bochs.o 
vpc.o vvfat.o
 block-obj-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o 
qcow2-cache.o
 block-obj-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
 block-obj-y += qed-check.o
-block-obj-$(CONFIG_VHDX) += vhdx.o vhdx-endian.o vhdx-log.o
+block-obj-y += vhdx.o vhdx-endian.o vhdx-log.o
 block-obj-y += quorum.o
 block-obj-y += parallels.o blkdebug.o blkverify.o blkreplay.o
 block-obj-y += block-backend.o snapshot.o qapi.o
diff --git a/block/vhdx-endian.c b/block/vhdx-endian.c
index c306b90..429d755 100644
--- a/block/vhdx-endian.c
+++ b/block/vhdx-endian.c
@@ -21,9 +21,6 @@
 #include "qemu/bswap.h"
 #include "block/vhdx.h"
 
-#include 
-
-
 /*
  * All the VHDX formats on disk are little endian - the following
  * are helper import/export functions to correctly convert
diff --git a/block/vhdx.c b/block/vhdx.c
index 75ef2b1..a11f0ca 100644
--- a/block/vhdx.c
+++ b/block/vhdx.c
@@ -25,8 +25,7 @@
 #include "qemu/bswap.h"
 #include "block/vhdx.h"
 #include "migration/migration.h"
-
-#include 
+#include "qemu/uuid.h"
 
 /* Options for VHDX creation */
 
@@ -213,10 +212,10 @@ bool vhdx_checksum_is_valid(uint8_t *buf, size_t size, 
int crc_offset)
  */
 void vhdx_guid_generate(MSGUID *guid)
 {
-uuid_t uuid;
+qemu_uuid_t uuid;
 assert(guid != NULL);
 
-uuid_generate(uuid);
+qemu_uuid_generate(uuid);
 memcpy(guid, uuid, sizeof(MSGUID));
 }
 
diff --git a/configure b/configure
index f57fcc6..cbb96d5 100755
--- a/configure
+++ b/configure
@@ -316,7 +316,6 @@ vte=""
 virglrenderer=""
 tpm="yes"
 libssh2=""
-vhdx=""
 numa=""
 tcmalloc="no"
 jemalloc="no"
@@ -1094,6 +1093,9 @@ for opt do
   --disable-virtio-blk-data-plane|--enable-virtio-blk-data-plane)
   echo "$0: $opt is obsolete, virtio-blk data-plane is always on" >&2
   ;;
+  --enable-vhdx|--disable-vhdx)
+  echo "$0: $opt is obsolete, VHDX driver is always built"
+  ;;
   --disable-gtk) gtk="no"
   ;;
   --enable-gtk) gtk="yes"
@@ -1134,10 +1136,6 @@ for opt do
   ;;
   --enable-libssh2) libssh2="yes"
   ;;
-  --enable-vhdx) vhdx="yes"
-  ;;
-  --disable-vhdx) vhdx="no"
-  ;;
   --disable-numa) numa="no"
   ;;
   --enable-numa) numa="yes"
@@ -1376,7 +1374,6 @@ disabled with --disable-FEATURE, default is enabled if 
available:
   archipelago Archipelago backend
   tpm TPM support
   libssh2 ssh block device support
-  vhdxsupport for the Microsoft VHDX image format
   numalibnuma support
   tcmalloctcmalloc support
   jemallocjemalloc support
@@ -2685,19 +2682,6 @@ EOF
   fi
 fi
 
-if test "$vhdx" = "yes" ; then
-if test "$uuid" = "no" ; then
-error_exit "uuid required for VHDX support"
-fi
-elif test "$vhdx" != "no" ; then
-if test "$uuid" = "yes" ; then
-vhdx=yes
-else
-vhdx=no
-fi
-fi
-
-##
 # xfsctl() probe, used for raw-posix
 if test "$xfs" != "no" ; then
   cat > $TMPC << EOF
@@ -4891,7 +4875,6 @@ echo "TPM support   $tpm"
 echo "libssh2 support   $libssh2"
 echo "TPM passthrough   $tpm_passthrough"
 echo "QOM debugging $qom_cast_debug"
-echo "vhdx  $vhdx"
 echo "lzo support   $lzo"
 echo "snappy support$snappy"
 echo "bzip2 support $bzip2"
@@ -5412,10 +5395,6 @@ if test "$libssh2" = "yes" ; then
   echo "LIBSSH2_LIBS=$libssh2_libs" >> $config_host_mak
 fi
 
-if test "$vhdx" = "yes" ; then
-  echo "CONFIG_VHDX=y" >> $config_host_mak
-fi
-
 # USB host support
 if test "$libusb" = "yes"; then
   echo "HOST_USB=libusb legacy" >> $config_host_mak
-- 
2.7.4

[Qemu-devel] [PATCH 1/7] util: Add UUID API

[Fam Zheng]

A number of different places across the code base use CONFIG_UUID. Some
of them are soft dependency, some are not built if libuuid is not
available, some come with dummy fallback, some throws runtime error.

It is hard to maintain, and hard to reason for users.

Since UUID is a simple standard with only a small number of operations,
it is cleaner to have a central support in libqemuutil. This patch adds
qemu_uuid_* the functions so that all uuid users in the code base can
rely on. Except for qemu_uuid_generate which is new code, all other
functions are just copy from existing fallbacks from other files.

Signed-off-by: Fam Zheng 
---
 arch_init.c | 19 ---
 block/iscsi.c   |  2 +-
 hw/smbios/smbios.c  |  1 +
 include/qemu/uuid.h | 37 +
 include/sysemu/sysemu.h |  4 
 qmp.c   |  1 +
 stubs/uuid.c|  2 +-
 util/Makefile.objs  |  1 +
 util/uuid.c | 63 +
 vl.c|  1 +
 10 files changed, 106 insertions(+), 25 deletions(-)
 create mode 100644 include/qemu/uuid.h
 create mode 100644 util/uuid.c

diff --git a/arch_init.c b/arch_init.c
index fa05973..5cc58b2 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -235,25 +235,6 @@ void audio_init(void)
 }
 }
 
-int qemu_uuid_parse(const char *str, uint8_t *uuid)
-{
-int ret;
-
-if (strlen(str) != 36) {
-return -1;
-}
-
-ret = sscanf(str, UUID_FMT, &uuid[0], &uuid[1], &uuid[2], &uuid[3],
- &uuid[4], &uuid[5], &uuid[6], &uuid[7], &uuid[8], &uuid[9],
- &uuid[10], &uuid[11], &uuid[12], &uuid[13], &uuid[14],
- &uuid[15]);
-
-if (ret != 16) {
-return -1;
-}
-return 0;
-}
-
 void do_acpitable_option(const QemuOpts *opts)
 {
 #ifdef TARGET_I386
diff --git a/block/iscsi.c b/block/iscsi.c
index 95ce9e1..961ac76 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -36,7 +36,7 @@
 #include "block/block_int.h"
 #include "block/scsi.h"
 #include "qemu/iov.h"
-#include "sysemu/sysemu.h"
+#include "qemu/uuid.h"
 #include "qmp-commands.h"
 #include "qapi/qmp/qstring.h"
 #include "crypto/secret.h"
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 74c7102..0705eb1 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -20,6 +20,7 @@
 #include "qemu/config-file.h"
 #include "qemu/error-report.h"
 #include "sysemu/sysemu.h"
+#include "qemu/uuid.h"
 #include "sysemu/cpus.h"
 #include "hw/smbios/smbios.h"
 #include "hw/loader.h"
diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h
new file mode 100644
index 000..53d572f
--- /dev/null
+++ b/include/qemu/uuid.h
@@ -0,0 +1,37 @@
+/*
+ *  QEMU UUID functions
+ *
+ *  Copyright 2016 Red Hat, Inc.,
+ *
+ *  Authors:
+ *   Fam Zheng 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+#ifndef QEMU_UUID_H
+#define QEMU_UUID_H
+
+#include "qemu-common.h"
+
+typedef unsigned char qemu_uuid_t[16];
+
+#define UUID_FMT "%02hhx%02hhx%02hhx%02hhx-" \
+ "%02hhx%02hhx-%02hhx%02hhx-" \
+ "%02hhx%02hhx-" \
+ "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
+#define UUID_NONE "----"
+
+void qemu_uuid_generate(qemu_uuid_t out);
+
+int qemu_uuid_is_null(const qemu_uuid_t uu);
+
+void qemu_uuid_unparse(const qemu_uuid_t uu, char *out);
+
+int qemu_uuid_parse(const char *str, uint8_t *uuid);
+
+#endif
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index ee7c760..6111950 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -18,10 +18,6 @@ extern const char *bios_name;
 extern const char *qemu_name;
 extern uint8_t qemu_uuid[];
 extern bool qemu_uuid_set;
-int qemu_uuid_parse(const char *str, uint8_t *uuid);
-
-#define UUID_FMT 
"%02hhx%02hhx%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
-#define UUID_NONE "----"
 
 bool runstate_check(RunState state);
 void runstate_set(RunState new_state);
diff --git a/qmp.c b/qmp.c
index b6d531e..7fbde29 100644
--- a/qmp.c
+++ b/qmp.c
@@ -35,6 +35,7 @@
 #include "qom/object_interfaces.h"
 #include "hw/mem/pc-dimm.h"
 #include "hw/acpi/acpi_dev_interface.h"
+#include "qemu/uuid.h"
 
 NameInfo *qmp_query_name(Error **errp)
 {
diff --git a/stubs/uuid.c b/stubs/uuid.c
index 92ad717..a880de8 100644
--- a/stubs/uuid.c
+++ b/stubs/uuid.c
@@ -1,6 +1,6 @@
 #include "qemu/osdep.h"
 #include "qemu-common.h"
-#include "sysemu/sysemu.h"
+#include "qemu/uuid.h"
 #include "qmp-commands.h"
 
 UuidInfo *qmp_query_uuid(Error **errp)
diff --git a/util/Makefile.objs b/util/Makefile.objs
index 96cb1e0..31bba15 100644
--- a/util/Makefile.objs
+++ b/util/Makefile.objs
@@ -20,6 +20,

[Qemu-devel] [PATCH 7/7] configure: Remove detection code for UUID

[Fam Zheng]

All code now uses built-in UUID implementation. Remove the code of
libuuid and make --enable-uuid and --disable-uuid only print a message.

Signed-off-by: Fam Zheng 
---
 configure | 43 ---
 1 file changed, 4 insertions(+), 39 deletions(-)

diff --git a/configure b/configure
index cbb96d5..d6d71f3 100755
--- a/configure
+++ b/configure
@@ -212,7 +212,6 @@ sdlabi=""
 virtfs=""
 vnc="yes"
 sparse="no"
-uuid=""
 vde=""
 vnc_sasl=""
 vnc_jpeg=""
@@ -881,10 +880,6 @@ for opt do
   ;;
   --disable-slirp) slirp="no"
   ;;
-  --disable-uuid) uuid="no"
-  ;;
-  --enable-uuid) uuid="yes"
-  ;;
   --disable-vde) vde="no"
   ;;
   --enable-vde) vde="yes"
@@ -1096,6 +1091,9 @@ for opt do
   --enable-vhdx|--disable-vhdx)
   echo "$0: $opt is obsolete, VHDX driver is always built"
   ;;
+  --enable-uuid|--disable-uuid)
+  echo "$0: $opt is obsolete, UUID support is always built"
+  ;;
   --disable-gtk) gtk="no"
   ;;
   --enable-gtk) gtk="yes"
@@ -1350,7 +1348,6 @@ disabled with --disable-FEATURE, default is enabled if 
available:
   bluez   bluez stack connectivity
   kvm KVM acceleration support
   rdmaRDMA-based migration support
-  uuiduuid support
   vde support for vde network
   netmap  support for netmap network
   linux-aio   Linux AIO support
@@ -2654,34 +2651,6 @@ if compile_prog "" "" ; then
 fi
 
 ##
-# uuid_generate() probe, used for vdi block driver
-# Note that on some systems (notably MacOSX) no extra library
-# need be linked to get the uuid functions.
-if test "$uuid" != "no" ; then
-  uuid_libs="-luuid"
-  cat > $TMPC << EOF
-#include 
-int main(void)
-{
-uuid_t my_uuid;
-uuid_generate(my_uuid);
-return 0;
-}
-EOF
-  if compile_prog "" "" ; then
-uuid="yes"
-  elif compile_prog "" "$uuid_libs" ; then
-uuid="yes"
-libs_softmmu="$uuid_libs $libs_softmmu"
-libs_tools="$uuid_libs $libs_tools"
-  else
-if test "$uuid" = "yes" ; then
-  feature_not_found "uuid" "Install libuuid devel"
-fi
-uuid=no
-  fi
-fi
-
 # xfsctl() probe, used for raw-posix
 if test "$xfs" != "no" ; then
   cat > $TMPC << EOF
@@ -4054,7 +4023,7 @@ EOF
   if compile_prog "$vss_win32_include" "" ; then
 guest_agent_with_vss="yes"
 QEMU_CFLAGS="$QEMU_CFLAGS $vss_win32_include"
-libs_qga="-lole32 -loleaut32 -lshlwapi -luuid -lstdc++ 
-Wl,--enable-stdcall-fixup $libs_qga"
+libs_qga="-lole32 -loleaut32 -lshlwapi -lstdc++ -Wl,--enable-stdcall-fixup 
$libs_qga"
 qga_vss_provider="qga/vss-win32/qga-vss.dll qga/vss-win32/qga-vss.tlb"
   else
 if test "$vss_win32_sdk" != "" ; then
@@ -4842,7 +4811,6 @@ echo "preadv support$preadv"
 echo "fdatasync $fdatasync"
 echo "madvise   $madvise"
 echo "posix_madvise $posix_madvise"
-echo "uuid support  $uuid"
 echo "libcap-ng support $cap_ng"
 echo "vhost-net support $vhost_net"
 echo "vhost-scsi support $vhost_scsi"
@@ -5030,9 +4998,6 @@ fi
 if test "$fnmatch" = "yes" ; then
   echo "CONFIG_FNMATCH=y" >> $config_host_mak
 fi
-if test "$uuid" = "yes" ; then
-  echo "CONFIG_UUID=y" >> $config_host_mak
-fi
 if test "$xfs" = "yes" ; then
   echo "CONFIG_XFS=y" >> $config_host_mak
 fi
-- 
2.7.4

[Qemu-devel] [PATCH 4/7] vpc: Use QEMU UUID API

[Fam Zheng]

Previously we conditionally generate if footer->uuid, when libuuid is
available. Now that we have a built-in implementation, we can switch to
it.

Signed-off-by: Fam Zheng 
---
 block/vpc.c | 8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/block/vpc.c b/block/vpc.c
index 43707ed..4a60438 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -30,9 +30,7 @@
 #include "qemu/module.h"
 #include "migration/migration.h"
 #include "qemu/bswap.h"
-#if defined(CONFIG_UUID)
-#include 
-#endif
+#include "qemu/uuid.h"
 
 /**/
 
@@ -980,9 +978,7 @@ static int vpc_create(const char *filename, QemuOpts *opts, 
Error **errp)
 
 footer->type = cpu_to_be32(disk_type);
 
-#if defined(CONFIG_UUID)
-uuid_generate(footer->uuid);
-#endif
+qemu_uuid_generate(footer->uuid);
 
 footer->checksum = cpu_to_be32(vpc_checksum(buf, HEADER_SIZE));
 
-- 
2.7.4

[Qemu-devel] [PATCH 6/7] tests: No longer dependent on CONFIG_UUID

[Fam Zheng]

crypto now uses built-in uuid implementation, so this check is not
needed.

Signed-off-by: Fam Zheng 
---
 tests/test-crypto-block.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index a38110d..1957a86 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -28,7 +28,7 @@
 #include 
 #endif
 
-#if defined(CONFIG_UUID) && (defined(_WIN32) || defined RUSAGE_THREAD)
+#if (defined(_WIN32) || defined RUSAGE_THREAD)
 #define TEST_LUKS
 #else
 #undef TEST_LUKS
-- 
2.7.4

[Qemu-devel] [PATCH 0/7] UUID clean ups for 2.8

[Fam Zheng]

The facts how we use libuuid now are not particularly pleasant.

- VHDX driver depends on uuid, but is unconditionally checked in iotests 109.
  If it is not built, the test would fail, leaving no hint about that. In fact
  this even makes the feature implementation a bit ugly because it compromises
  the write protection on block 0 with image probing, silently.

- A few other libuuid users, in block/ and crypto/, use it as an optional
  dependency, and compromises certain functionalities if it is not available.

- On the other hand, there are already a few uuid function fallbacks in those
  callers.

So instead of making libuuid a hard requirement, let's simply move the
fallbacks to util and implement the random version of uuid generation, and be
done with it.

Fam

Fam Zheng (7):
  util: Add UUID API
  vhdx: Use QEMU UUID API
  vdi: Use QEMU UUID API
  vpc: Use QEMU UUID API
  crypto: Switch to QEMU UUID API
  tests: No longer dependent on CONFIG_UUID
  configure: Remove detection code for UUID

 arch_init.c   | 19 -
 block/Makefile.objs   |  2 +-
 block/iscsi.c |  2 +-
 block/vdi.c   | 49 +++--
 block/vhdx-endian.c   |  3 --
 block/vhdx.c  |  7 ++---
 block/vpc.c   |  8 ++
 configure | 70 +--
 crypto/block-luks.c   | 26 +-
 hw/smbios/smbios.c|  1 +
 include/qemu/uuid.h   | 37 +
 include/sysemu/sysemu.h   |  4 ---
 qmp.c |  1 +
 stubs/uuid.c  |  2 +-
 tests/test-crypto-block.c |  2 +-
 util/Makefile.objs|  1 +
 util/uuid.c   | 63 ++
 vl.c  |  1 +
 18 files changed, 137 insertions(+), 161 deletions(-)
 create mode 100644 include/qemu/uuid.h
 create mode 100644 util/uuid.c

-- 
2.7.4

[Qemu-devel] [PATCH 3/7] vdi: Use QEMU UUID API

[Fam Zheng]

The QEMU UUID api, including the data structure (qemu_uuid_t), is fully
compatible with libuuid.  Use it, and remove the unused code.

Signed-off-by: Fam Zheng 
---
 block/vdi.c | 49 ++---
 1 file changed, 10 insertions(+), 39 deletions(-)

diff --git a/block/vdi.c b/block/vdi.c
index 8a1cf97..ed63184 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -58,14 +58,7 @@
 #include "migration/migration.h"
 #include "qemu/coroutine.h"
 #include "qemu/cutils.h"
-
-#if defined(CONFIG_UUID)
-#include 
-#else
-/* TODO: move uuid emulation to some central place in QEMU. */
-#include "sysemu/sysemu.h" /* UUID_FMT */
-typedef unsigned char uuid_t[16];
-#endif
+#include "qemu/uuid.h"
 
 /* Code configuration options. */
 
@@ -140,28 +133,6 @@ typedef unsigned char uuid_t[16];
 #define VDI_DISK_SIZE_MAX((uint64_t)VDI_BLOCKS_IN_IMAGE_MAX * \
   (uint64_t)DEFAULT_CLUSTER_SIZE)
 
-#if !defined(CONFIG_UUID)
-static inline void uuid_generate(uuid_t out)
-{
-memset(out, 0, sizeof(uuid_t));
-}
-
-static inline int uuid_is_null(const uuid_t uu)
-{
-uuid_t null_uuid = { 0 };
-return memcmp(uu, null_uuid, sizeof(uuid_t)) == 0;
-}
-
-# if defined(CONFIG_VDI_DEBUG)
-static inline void uuid_unparse(const uuid_t uu, char *out)
-{
-snprintf(out, 37, UUID_FMT,
-uu[0], uu[1], uu[2], uu[3], uu[4], uu[5], uu[6], uu[7],
-uu[8], uu[9], uu[10], uu[11], uu[12], uu[13], uu[14], uu[15]);
-}
-# endif
-#endif
-
 typedef struct {
 char text[0x40];
 uint32_t signature;
@@ -182,10 +153,10 @@ typedef struct {
 uint32_t block_extra;   /* unused here */
 uint32_t blocks_in_image;
 uint32_t blocks_allocated;
-uuid_t uuid_image;
-uuid_t uuid_last_snap;
-uuid_t uuid_link;
-uuid_t uuid_parent;
+qemu_uuid_t uuid_image;
+qemu_uuid_t uuid_last_snap;
+qemu_uuid_t uuid_link;
+qemu_uuid_t uuid_parent;
 uint64_t unused2[7];
 } QEMU_PACKED VdiHeader;
 
@@ -209,7 +180,7 @@ typedef struct {
 /* Change UUID from little endian (IPRT = VirtualBox format) to big endian
  * format (network byte order, standard, see RFC 4122) and vice versa.
  */
-static void uuid_convert(uuid_t uuid)
+static void uuid_convert(qemu_uuid_t uuid)
 {
 bswap32s((uint32_t *)&uuid[0]);
 bswap16s((uint16_t *)&uuid[4]);
@@ -469,11 +440,11 @@ static int vdi_open(BlockDriverState *bs, QDict *options, 
int flags,
(uint64_t)header.blocks_in_image * header.block_size);
 ret = -ENOTSUP;
 goto fail;
-} else if (!uuid_is_null(header.uuid_link)) {
+} else if (!qemu_uuid_is_null(header.uuid_link)) {
 error_setg(errp, "unsupported VDI image (non-NULL link UUID)");
 ret = -ENOTSUP;
 goto fail;
-} else if (!uuid_is_null(header.uuid_parent)) {
+} else if (!qemu_uuid_is_null(header.uuid_parent)) {
 error_setg(errp, "unsupported VDI image (non-NULL parent UUID)");
 ret = -ENOTSUP;
 goto fail;
@@ -821,8 +792,8 @@ static int vdi_create(const char *filename, QemuOpts *opts, 
Error **errp)
 if (image_type == VDI_TYPE_STATIC) {
 header.blocks_allocated = blocks;
 }
-uuid_generate(header.uuid_image);
-uuid_generate(header.uuid_last_snap);
+qemu_uuid_generate(header.uuid_image);
+qemu_uuid_generate(header.uuid_last_snap);
 /* There is no need to set header.uuid_link or header.uuid_parent here. */
 #if defined(CONFIG_VDI_DEBUG)
 vdi_header_print(&header);
-- 
2.7.4

Re: [Qemu-devel] [RFC PATCH 05/11] docs: add qemu-clock documentation

[KONRAD Frederic]

Le 29/06/2016 à 02:38, Alistair Francis a écrit :

On Mon, Jun 13, 2016 at 9:27 AM,   wrote:

From: KONRAD Frederic 

This adds the qemu-clock documentation.

Signed-off-by: KONRAD Frederic 
---
  docs/clock.txt | 112 +
  1 file changed, 112 insertions(+)
  create mode 100644 docs/clock.txt

diff --git a/docs/clock.txt b/docs/clock.txt
new file mode 100644
index 000..f4ad4c8
--- /dev/null
+++ b/docs/clock.txt
@@ -0,0 +1,112 @@
+
+What is a QEMU_CLOCK
+
+
+A QEMU_CLOCK is a QOM Object developed for the purpose of modeling a clock tree
+with QEMU.
+
+It only simulates the clock by keeping a copy of the current frequency and
+doesn't model the signal itself such as pin toggle or duty cycle.
+
+It allows to model the impact of badly configured PLL, clock source selection
+or disabled clock on the models.
+
+Bounding the clock together to create a tree
+
+
+In order to create a clock tree with QEMU_CLOCK two or more clock must be bound
+together. Let's say there are two clocks clk_a and clk_b:
+Using qemu_clk_bound(clk_a, clk_b) will bound clk_a and clk_b.
+
+Binding two qemu-clk together is a unidirectional link which means that 
changing
+the rate of clk_a will propagate to clk_b and not the opposite. The bound
+process automatically refresh clk_b rate.
+
+Clock can be bound and unbound during execution for modeling eg: a clock
+selector.
+
+A clock can drive more than one other clock. eg with this code:
+qemu_clk_bound(clk_a, clk_b);
+qemu_clk_bound(clk_a, clk_c);
+
+A clock rate change one clk_a will propagate to clk_b and clk_c.
+
+Implementing a callback on a rate change
+
+
+The function prototype is the following:
+typedef float (*qemu_clk_rate_change_cb)(void *opaque, float rate);
+
+It's main goal is to modify the rate before it's passed to the next clocks in
+the tree.
+
+eg: for a 4x PLL the function will be:
+float qemu_clk_rate_change_cb(void *opaque, float rate)
+{
+return 4.0 * rate;
+}
+
+To set the callback for the clock:
+void qemu_clk_set_callback(qemu_clk clk, qemu_clk_on_rate_update_cb cb,
+   void *opaque);
+can be called.
+
+NOTE: It's not recommended that the clock is driven by more than one clock as 
it
+would mean that we don't know which clock trigger the callback.

Would this not be something worth knowing?


I think it shouldn't be the case as connecting two inputs on an output 
doesn't mean anything?
Maybe worth adding something to ensure it can't happen and modify 
qemu_clk_bind_clock to automatically unbind the old clock?


Fred


Thanks,

Alistair


+The rate update process
+===
+
+The rate update happen in this way:
+When a model wants to update a clock frequency (eg: based on a register change
+or something similar) it will call qemu_clk_update_rate(..) on the clock:
+  * The callback associated to the clock is called with the new rate.
+  * qemu_clk_update_rate(..) is then called on all bound clock with the
+value returned by the callback.
+
+NOTE: When no callback is attached the clock qemu_clk_update_rate(..) is called
+with the unmodified rate.
+
+Attaching a QEMU_CLOCK to a DeviceState
+===
+
+Attaching a qemu-clk to a DeviceState is required to be able to get the clock
+outside the model through qemu_clk_get_pin(..).
+
+It is also required to be able to print the clock and its rate with info qtree.
+For example:
+
+  type System
+  dev: xlnx.zynqmp_crf, id ""
+gpio-out "sysbus-irq" 1
+gpio-out "RST_A9" 4
+qemu-clk "dbg_trace" 0.0
+qemu-clk "vpll_to_lpd" 62500.0
+qemu-clk "dp_stc_ref" 0.0
+qemu-clk "dpll_to_lpd" 1250.0
+qemu-clk "acpu_clk" 0.0
+qemu-clk "pcie_ref" 0.0
+qemu-clk "topsw_main" 0.0
+qemu-clk "topsw_lsbus" 0.0
+qemu-clk "dp_audio_ref" 0.0
+qemu-clk "sata_ref" 0.0
+qemu-clk "dp_video_ref" 71428568.0
+qemu-clk "vpll_clk" 25.0
+qemu-clk "apll_to_lpd" 1250.0
+qemu-clk "dpll_clk" 5000.0
+qemu-clk "gpu_ref" 0.0
+qemu-clk "aux_refclk" 0.0
+qemu-clk "video_clk" 2700.0
+qemu-clk "gdma_ref" 0.0
+qemu-clk "gt_crx_ref_clk" 0.0
+qemu-clk "dbg_fdp" 0.0
+qemu-clk "apll_clk" 5000.0
+qemu-clk "pss_alt_ref_clk" 0.0
+qemu-clk "ddr" 0.0
+qemu-clk "pss_ref_clk" 5000.0
+qemu-clk "dpdma_ref" 0.0
+qemu-clk "dbg_tstmp" 0.0
+mmio fd1a/010c
+
+This way a DeviceState can have multiple clock input or output.
+
--
2.5.5

[Qemu-devel] [PATCH 5/7] crypto: Switch to QEMU UUID API

[Fam Zheng]

The uuid generation doesn't return error, so update the function
signature and calling code accordingly.

Signed-off-by: Fam Zheng 
---
 crypto/block-luks.c | 26 +++---
 1 file changed, 7 insertions(+), 19 deletions(-)

diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index aba4455..92b5ee5 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -29,10 +29,7 @@
 #include "crypto/pbkdf.h"
 #include "crypto/secret.h"
 #include "crypto/random.h"
-
-#ifdef CONFIG_UUID
-#include 
-#endif
+#include "qemu/uuid.h"
 
 #include "qemu/coroutine.h"
 
@@ -877,18 +874,12 @@ qcrypto_block_luks_open(QCryptoBlock *block,
 }
 
 
-static int
-qcrypto_block_luks_uuid_gen(uint8_t *uuidstr, Error **errp)
+static void
+qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
 {
-#ifdef CONFIG_UUID
-uuid_t uuid;
-uuid_generate(uuid);
-uuid_unparse(uuid, (char *)uuidstr);
-return 0;
-#else
-error_setg(errp, "Unable to generate uuids on this platform");
-return -1;
-#endif
+qemu_uuid_t uuid;
+qemu_uuid_generate(uuid);
+qemu_uuid_unparse(uuid, (char *)uuidstr);
 }
 
 static int
@@ -961,10 +952,7 @@ qcrypto_block_luks_create(QCryptoBlock *block,
  * it out to disk
  */
 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
-if (qcrypto_block_luks_uuid_gen(luks->header.uuid,
-errp) < 0) {
-goto error;
-}
+qcrypto_block_luks_uuid_gen(luks->header.uuid);
 
 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
   errp);
-- 
2.7.4

Re: [Qemu-devel] [PATCH] mptsas: Fix a migration compatible issue

[Cao jin]

Hi

On 08/01/2016 11:29 PM, Amit Shah wrote:

On (Mon) 01 Aug 2016 [10:16:50], Paolo Bonzini wrote:



@@ -1370,7 +1370,7 @@ static const VMStateDescription vmstate_mptsas = {
  .post_load = mptsas_post_load,
  .fields  = (VMStateField[]) {
  VMSTATE_PCI_DEVICE(dev, MPTSASState),
-
+VMSTATE_UNUSED(sizeof(bool)), /* Was msi_in_use */


This needs to be "1", not sizeof(bool), because vmstate_info_bool writes
a single byte.  I'll fix this and queue the patch (removing Amit's
reviewed-by since it's effectively a different change).


Eeks, yes.

This patch was merged in the meantime, so Cao Jin, please post a
revert and a fix, thanks!

Amit



Before I send the fix, I did a quick test on linux as following:

#include 
#include 

int main()
{
printf("bool size = %d\n", sizeof(bool));
}


then:
./a.out
bool size = 1

and there is mptsas.c #include "qemu/osdep.h", osdep.h #include 

So, am I missing something?
--
Yours Sincerely,

Cao jin

[Qemu-devel] [PATCH] ppc: Fix macio ESCC legacy mapping

[Benjamin Herrenschmidt]

The current mapping, while correct for the base ports (which is all the
driver uses these days), is wrong for the extended registers. 

I suspect the bugs come from incorrect tables in the CHRP IO Ref document,
I have verified the new values here match Apple's MacTech.pdf.

Note: Nothing that I know of actually uses these registers so it's not a
huge deal, but this patch has the added advantage of adding comments to
document what the registers are.

Signed-off-by: Benjamin Herrenschmidt 
---

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index be03926..5d57f45 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -89,22 +89,16 @@ static void macio_escc_legacy_setup(MacIOState *macio_state)
 MemoryRegion *bar = &macio_state->bar;
 int i;
 static const int maps[] = {
-0x00, 0x00,
-0x02, 0x20,
-0x04, 0x10,
-0x06, 0x30,
-0x08, 0x40,
-0x0A, 0x50,
-0x60, 0x60,
-0x70, 0x70,
-0x80, 0x70,
-0x90, 0x80,
-0xA0, 0x90,
-0xB0, 0xA0,
-0xC0, 0xB0,
-0xD0, 0xC0,
-0xE0, 0xD0,
-0xF0, 0xE0,
+0x00, 0x00, /* Command B */
+0x02, 0x20, /* Command A */
+0x04, 0x10, /* Data B */
+0x06, 0x30, /* Data A */
+0x08, 0x40, /* Enhancement B */
+0x0A, 0x50, /* Enhancement A */
+0x80, 0x80, /* Recovery count */
+0x90, 0x90, /* Start A */
+0xa0, 0xa0, /* Start B */
+0xb0, 0xb0, /* Detect AB */
 };
 
 memory_region_init(escc_legacy, OBJECT(macio_state), "escc-legacy", 256);

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[Jan Kiszka]

[always keep the list in CC]

On 2016-08-02 10:54, David Kiarie wrote:
> 
> 
> On Tue, Aug 2, 2016 at 11:46 AM, Jan Kiszka  > wrote:
> 
> On 2016-08-02 10:36, Peter Xu wrote:
> > On Mon, Aug 01, 2016 at 06:39:05PM +0200, Jan Kiszka wrote:
> >
> > [...]
> >
> >>>  static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
> >>> @@ -2209,11 +2250,17 @@ static MemTxResult vtd_mem_ir_write(void
> *opaque, hwaddr addr,
> >>>  {
> >>>  int ret = 0;
> >>>  MSIMessage from = {}, to = {};
> >>> +uint16_t sid = X86_IOMMU_SID_INVALID;
> >>>
> >>>  from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
> >>>  from.data = (uint32_t) value;
> >>>
> >>> -ret = vtd_interrupt_remap_msi(opaque, &from, &to);
> >>> +if (!attrs.unspecified) {
> >>> +/* We have explicit Source ID */
> >>> +sid = attrs.requester_id;
> >>> +}
> >>
> >> ...here you fall back to X86_IOMMU_SID_INVALID if writer to this
> region
> >> has not provided some valid attrs. That is questionable, defeats
> >> validation of the IOAPIC e.g. (and you can see lots of
> >> X86_IOMMU_SID_INVALID in vtd_irte_get when booting a guest).
> >>
> >> The credits also go to David who noticed that he still doesn't get a
> >> proper ID from the IOAPIC while implementing AMD IR. Looks like
> we need
> >> to enlighten the IOAPIC MSI writes...
> >
> > Jan, David,
> >
> > At the time when drafting the patch, I skipped SID verification for
> > IOAPIC interrupts since it differs from generic PCI devices (no
> > natural requester ID, so need some hacky lines to enable it).
> 
> It's not hacky at all if done properly. For Intel it is simply
> (Q35_PSEUDO_BUS_PLATFORM << 8) | Q35_PSEUDO_DEVFN_IOAPIC, but it will be
> 0x00a0 (as constant as well) for AMD. So we need some interface to tell
> those parameters to the IOMMU. Keep in mind that we will need a similar
> interface for other platform devices, e.g. the HPET.
> 
> 
> In my case IOMMU knows about these parameters but IOAPIC makes interrupt
> requests with a different ID. I thought we should make IOAPIC (and other
> platform devices) make requests using specified IDs.
>  

In fact, intel_iommu knows them as well: The write request comes in via
a well-known address space, the one handed out to the IOMMU. Some for
other platform devices. Associating the ID on write with the requester
would basically mean using the pattern we had in the old iommu code
prior to the introduction of MemTxAttrs. Not sure, though, what is
cleaner here.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[Jan Kiszka]

On 2016-08-02 10:36, Peter Xu wrote:
> On Mon, Aug 01, 2016 at 06:39:05PM +0200, Jan Kiszka wrote:
> 
> [...]
> 
>>>  static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
>>> @@ -2209,11 +2250,17 @@ static MemTxResult vtd_mem_ir_write(void *opaque, 
>>> hwaddr addr,
>>>  {
>>>  int ret = 0;
>>>  MSIMessage from = {}, to = {};
>>> +uint16_t sid = X86_IOMMU_SID_INVALID;
>>>  
>>>  from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
>>>  from.data = (uint32_t) value;
>>>  
>>> -ret = vtd_interrupt_remap_msi(opaque, &from, &to);
>>> +if (!attrs.unspecified) {
>>> +/* We have explicit Source ID */
>>> +sid = attrs.requester_id;
>>> +}
>>
>> ...here you fall back to X86_IOMMU_SID_INVALID if writer to this region
>> has not provided some valid attrs. That is questionable, defeats
>> validation of the IOAPIC e.g. (and you can see lots of
>> X86_IOMMU_SID_INVALID in vtd_irte_get when booting a guest).
>>
>> The credits also go to David who noticed that he still doesn't get a
>> proper ID from the IOAPIC while implementing AMD IR. Looks like we need
>> to enlighten the IOAPIC MSI writes...
> 
> Jan, David,
> 
> At the time when drafting the patch, I skipped SID verification for
> IOAPIC interrupts since it differs from generic PCI devices (no
> natural requester ID, so need some hacky lines to enable it).

It's not hacky at all if done properly. For Intel it is simply
(Q35_PSEUDO_BUS_PLATFORM << 8) | Q35_PSEUDO_DEVFN_IOAPIC, but it will be
0x00a0 (as constant as well) for AMD. So we need some interface to tell
those parameters to the IOMMU. Keep in mind that we will need a similar
interface for other platform devices, e.g. the HPET.

> 
> I can try to cook another seperate patch to enable it (for 2.8
> possibly?). Thanks for pointing out this issue.

David needs that IOAPIC ID as well in order to finish interrupt
remapping on AMD. Please synchronize with him who will implement what.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PATCH for-2.4] Revert "vhost-user: Send VHOST_RESET_OWNER on vhost stop"

[Luke Gorrie]

Hi Michael & all,

On 4 August 2015 at 21:00, Luke Gorrie  wrote:

> Hi Michael,
>
> Sorry I didn't see this mail sooner -
>
> On 30 July 2015 at 10:36, Michael S. Tsirkin  wrote:
>
>> This reverts commit 294ce717e0f212ed0763307f3eab72b4a1bdf4d0.
>>
>> vhost stop happens e.g. when guest unloads the driver,
>> so closing the backend connection is not the right
>> thing to do here.
>>
>> VHOST_RESET_OWNER should happen on vhost_dev_cleanup - it's
>> the counterpart of VHOST_SET_OWNER.
>>
>> Cc: Luke Gorrie 
>> Signed-off-by: Michael S. Tsirkin 
>> ---
>>
>> I think we need this in 2.4 to avoid introducing regressions
>> in the protocol. We'll fix properly in 2.5.
>> Luke, can you comment please?
>>
>
> Interesting. Currently we don't have a test case in Snabb Switch CI for
> guests reloading drivers. We need to add that and let you know how it goes.
>

We have this test case now. Took a year to add, almost to the day, but here
we are :-).

Specifically we have beefed up our CI for Snabb to run some tens of
thousands of end-to-end tests with VMs nightly. This includes testing a
bunch of different QEMU versions with a bunch of different Snabb (host) and
DPDK (guest) versions. It also exercises the transition where the guest
first initializes a Virtio-net device with the kernel driver and then later
hands the device over to the DPDK driver.

The data we have now shows that this test case is only working reliably
with QEMU 2.4.1. My hypothesis is that this QEMU version is sending the
VHOST_RESET_OWNER when the kernel driver shuts down - so that vswitch knows
not to process descriptors - while the other versions are skipping this
(because the patch was not introduced yet, or because the patch was
reverted).

Here is the full thread on Github, becoming more QEMU-oriented as you
scroll down:
https://github.com/snabbco/snabb/issues/976#issuecomment-236838883

So, question for QEMU upstream, is there currently a supported way for the
host vswitch to detect when the vrings are invalid? How should we operate
to be safe from serving garbage DMA requests during guest driver resets and
reboots?

Cheers and sorry for the e-mail latency :-)
-Luke

[Qemu-devel] [PATCH v2] util: Fix assertion in iov_copy() upon zero 'bytes' and non-zero 'offset'

[Shmulik Ladkani]

From: Shmulik Ladkani 

In cases where iov_copy() is passed with zero 'bytes' argument and a
non-zero 'offset' argument, nothing gets copied - as expected.

However no copy iterations are performed, so 'offset' is left
unaltered, leading to the final assert(offset == 0) to fail.

Instead, change the loop condition to continue as long as 'offset || bytes',
similar to other iov_* functions.

This ensures 'offset' gets zeroed (even if no actual copy is made),
unless it is beyond end of source iov - which is asserted.

Signed-off-by: Shmulik Ladkani 
---
 util/iov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

 v2: Instead of relaxing the assertion, modify loop condition,
 as suggested by Paolo

diff --git a/util/iov.c b/util/iov.c
index 003fcce..74e6ca8 100644
--- a/util/iov.c
+++ b/util/iov.c
@@ -247,7 +247,8 @@ unsigned iov_copy(struct iovec *dst_iov, unsigned int 
dst_iov_cnt,
 {
 size_t len;
 unsigned int i, j;
-for (i = 0, j = 0; i < iov_cnt && j < dst_iov_cnt && bytes; i++) {
+for (i = 0, j = 0;
+ i < iov_cnt && j < dst_iov_cnt && (offset || bytes); i++) {
 if (offset >= iov[i].iov_len) {
 offset -= iov[i].iov_len;
 continue;
-- 
1.9.1

Re: [Qemu-devel] [PATCH] mptsas: Fix a migration compatible issue

[Paolo Bonzini]

> Before I send the fix, I did a quick test on linux as following:
> 
> #include 
> #include 
> 
> int main()
> {
>  printf("bool size = %d\n", sizeof(bool));
> }
> 
> 
> then:
> ./a.out
> bool size = 1
> 
> and there is mptsas.c #include "qemu/osdep.h", osdep.h #include 
> 
> So, am I missing something?

You are missing that the patch is: 1) not portable, because there's no guarantee
that sizeof(bool)==1; 2) wrong, because using sizeof within VMSTATE_UNUSED would
suggest a dependency of the migration stream on the host---and such a dependency
should not be there at all.

In fact, the patch is also wrong because old versions of QEMU _do_ need 
msi_in_use
so you need to either generate it or bump the migration version.  I'm sending a
patch now.

Paolo

[Qemu-devel] [RFC PATCH v1 0/2] Live migration optimization for Thunderx platform

[vijay . kilari]

From: Vijaya Kumar K 

The CPU MIDR_EL1 register is exposed to userspace for arm64
with the below patch.
https://lkml.org/lkml/2016/7/8/467

Thunderx platform requires explicit prefetch instruction to
provide prefetch hint. Using MIDR_EL1 information, provided
by above kernel patch, prefetch is executed if the platform
is Thunderx.

The results of live migration time improvement is provided
in commit message of patch 2.

Vijaya Kumar K (2):
  utils: Add helper to read arm MIDR_EL1 register
  utils: Add prefetch for Thunderx platform

 include/qemu-common.h |2 ++
 util/Makefile.objs|1 +
 util/cpuinfo.c|   90 +
 util/cutils.c |   22 
 4 files changed, 115 insertions(+)
 create mode 100644 util/cpuinfo.c

-- 
1.7.9.5

[Qemu-devel] [RFC PATCH v1 1/2] utils: Add helper to read arm MIDR_EL1 register

[vijay . kilari]

From: Vijaya Kumar K 

Add helper API to read MIDR_EL1 registers to fetch
cpu identification information. This helps in
adding errata's and architecture specific features.

This is implemented only for arm architecture.

Signed-off-by: Vijaya Kumar K 
---
 include/qemu-common.h |1 +
 util/Makefile.objs|1 +
 util/cpuinfo.c|   52 +
 3 files changed, 54 insertions(+)

diff --git a/include/qemu-common.h b/include/qemu-common.h
index 1f2cb94..62ad674 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -134,4 +134,5 @@ void page_size_init(void);
  * returned. */
 bool dump_in_progress(void);
 
+long int qemu_read_cpuid_info(void);
 #endif
diff --git a/util/Makefile.objs b/util/Makefile.objs
index 96cb1e0..9d25a72 100644
--- a/util/Makefile.objs
+++ b/util/Makefile.objs
@@ -35,3 +35,4 @@ util-obj-y += log.o
 util-obj-y += qdist.o
 util-obj-y += qht.o
 util-obj-y += range.o
+util-obj-y += cpuinfo.o
diff --git a/util/cpuinfo.c b/util/cpuinfo.c
new file mode 100644
index 000..3ba7194
--- /dev/null
+++ b/util/cpuinfo.c
@@ -0,0 +1,52 @@
+/*
+ * Dealing with arm cpu identification information.
+ *
+ * Copyright (C) 2016 Cavium, Inc.
+ *
+ * Authors:
+ *  Vijaya Kumar K 
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2.1
+ * or later.  See the COPYING.LIB file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/cutils.h"
+
+#if defined(__aarch64__)
+
+long int qemu_read_cpuid_info(void)
+{
+FILE *fp;
+char *buf;
+long int midr = 0;
+#define BUF_SIZE 32
+
+fp = fopen("/sys/devices/system/cpu/cpu0/regs/identification/midr_el1",
+   "r");
+if (!fp) {
+return 0;
+}
+
+buf = g_malloc0(BUF_SIZE);
+if (!buf) {
+fclose(fp);
+return 0;
+}
+
+if (buf != fgets(buf, BUF_SIZE - 1, fp)) {
+goto out;
+}
+
+if (qemu_strtol(buf, NULL, 0, &midr) < 0) {
+goto out;
+}
+
+out:
+g_free(buf);
+fclose(fp);
+
+return midr;
+}
+#endif
-- 
1.7.9.5

[Qemu-devel] [RFC PATCH v1 2/2] utils: Add prefetch for Thunderx platform

[vijay . kilari]

From: Vijaya Kumar K 

Thunderx pass2 chip requires explicit prefetch
instruction to give prefetch hint.

To speed up live migration on Thunderx platform,
prefetch instruction is added in zero buffer check
function.

The below results show live migration time improvement
with prefetch instruction with 1K and 4K page size.
VM with 4 VCPUs, 8GB RAM is migrated.

1K page size, no prefetch
=
Migration status: completed
total time: 13012 milliseconds
downtime: 10 milliseconds
setup: 15 milliseconds
transferred ram: 268131 kbytes
throughput: 168.84 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 8338072 pages
skipped: 0 pages
normal: 193335 pages
normal bytes: 193335 kbytes
dirty sync count: 4

1K page size with prefetch
=
Migration status: completed
total time: 7493 milliseconds
downtime: 71 milliseconds
setup: 16 milliseconds
transferred ram: 269666 kbytes
throughput: 294.88 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 8340596 pages
skipped: 0 pages
normal: 194837 pages
normal bytes: 194837 kbytes
dirty sync count: 3

4K page size with no prefetch
=
Migration status: completed
total time: 10456 milliseconds
downtime: 49 milliseconds
setup: 5 milliseconds
transferred ram: 231726 kbytes
throughput: 181.59 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 2079914 pages
skipped: 0 pages
normal: 53257 pages
normal bytes: 213028 kbytes
dirty sync count: 3

4K page size with prefetch
==
Migration status: completed
total time: 3937 milliseconds
downtime: 23 milliseconds
setup: 5 milliseconds
transferred ram: 229283 kbytes
throughput: 477.19 mbps
remaining ram: 0 kbytes
total ram: 8519872 kbytes
duplicate: 2079775 pages
skipped: 0 pages
normal: 52648 pages
normal bytes: 210592 kbytes
dirty sync count: 3

Signed-off-by: Vijaya Kumar K 
---
 include/qemu-common.h |1 +
 util/cpuinfo.c|   38 ++
 util/cutils.c |   22 ++
 3 files changed, 61 insertions(+)

diff --git a/include/qemu-common.h b/include/qemu-common.h
index 62ad674..3d8a32c 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -135,4 +135,5 @@ void page_size_init(void);
 bool dump_in_progress(void);
 
 long int qemu_read_cpuid_info(void);
+bool is_thunder_pass2_cpu(void);
 #endif
diff --git a/util/cpuinfo.c b/util/cpuinfo.c
index 3ba7194..0e72a34 100644
--- a/util/cpuinfo.c
+++ b/util/cpuinfo.c
@@ -16,6 +16,26 @@
 
 #if defined(__aarch64__)
 
+#define MIDR_IMPLEMENTER_SHIFT  24
+#define MIDR_IMPLEMENTER_MASK   (0xffULL << MIDR_IMPLEMENTER_SHIFT)
+#define MIDR_ARCHITECTURE_SHIFT 16
+#define MIDR_ARCHITECTURE_MASK  (0xf << MIDR_ARCHITECTURE_SHIFT)
+#define MIDR_PARTNUM_SHIFT  4
+#define MIDR_PARTNUM_MASK   (0xfff << MIDR_PARTNUM_SHIFT)
+
+#define MIDR_CPU_PART(imp, partnum) \
+(((imp) << MIDR_IMPLEMENTER_SHIFT)  | \
+(0xf<< MIDR_ARCHITECTURE_SHIFT) | \
+((partnum)  << MIDR_PARTNUM_SHIFT))
+
+#define ARM_CPU_IMP_CAVIUM0x43
+#define CAVIUM_CPU_PART_THUNDERX  0x0A1
+
+#define MIDR_THUNDERX  \
+   MIDR_CPU_PART(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
+#define CPU_MODEL_MASK  (MIDR_IMPLEMENTER_MASK | MIDR_ARCHITECTURE_MASK | \
+ MIDR_PARTNUM_MASK)
+
 long int qemu_read_cpuid_info(void)
 {
 FILE *fp;
@@ -49,4 +69,22 @@ out:
 
 return midr;
 }
+
+bool is_thunder_pass2_cpu(void)
+{
+static bool cpu_info_read;
+static long int midr_thunder_val;
+
+if (!cpu_info_read) {
+midr_thunder_val = qemu_read_cpuid_info();
+midr_thunder_val &= CPU_MODEL_MASK;
+cpu_info_read = 1;
+}
+
+if (midr_thunder_val == MIDR_THUNDERX) {
+return 1;
+} else {
+return 0;
+}
+}
 #endif
diff --git a/util/cutils.c b/util/cutils.c
index 7505fda..66c816b 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -191,6 +191,8 @@ int qemu_fdatasync(int fd)
 ((vgetq_lane_u64(v1, 0) == vgetq_lane_u64(v2, 0)) && \
  (vgetq_lane_u64(v1, 1) == vgetq_lane_u64(v2, 1)))
 #define VEC_OR(v1, v2) ((v1) | (v2))
+#define VEC_PREFETCH(base, index) \
+asm volatile ("prfm pldl1strm, [%x[a]]\n" : : [a]"r"(&base[(index)]))
 #else
 #define VECTYPEunsigned long
 #define SPLAT(p)   (*(p) * (~0UL / 255))
@@ -233,6 +235,9 @@ static size_t buffer_find_nonzero_offset_inner(const void 
*buf, size_t len)
 const VECTYPE *p = buf;
 const VECTYPE zero = (VECTYPE){0};
 size_t i;
+#if defined (__aarch64__)
+bool do_prefetch;
+#endif
 
 assert(can_use_buffer_find_nonzero_offset_inner(buf, len));
 
@@ -246,9 +251,26 @@ static size_t buffer_find_nonzero_offset_inner(const void 
*buf, size_t len)
 }
 }
 
+#if defined (__aarch64__)
+do_prefetch = is_thunder_pass2_cpu();
+if (do_prefetch) {
+VEC_PREFETCH(p, 8);
+VEC_PRE

Re: [Qemu-devel] Making cputlb.c operations safe for MTTCG

[Paolo Bonzini]

> > - tlb_set_page_with_attrs is also hard-ish to get right, but perhaps the
> > same idea of adding the callback last would work:
> >
> > /* First set addr_write so that concurrent tlb_reset_dirty_range
> >  * finds a match.
> >  */
> > te->addr_write = address;
> > if (memory_region_is_ram(section->mr)) {
> > if (cpu_physical_memory_is_clean(
> >  memory_region_get_ram_addr(section->mr) + xlat)) {
> > te->addr_write = address | TLB_NOTDIRTY;
> > }
> > }
> 
> Why not just write addr_write completely at the end?

I suspect that another thread can come around and make the page "not dirty",
while the CPU that "owns" the TLB has decided that the page is dirty and does
not set the bit.  So you have

CPU thread   other thread
----
compute addr_write
 page is now clean
write addr_write without TLB_NOTDIRTY

By the way, the same happens in victim_tlb_hit.  You have to recompute
TLB_NOTDIRTY after setting *tlb, something like:

tmptlb = *vtlb;
*vtlb = *tlb;

if (tmptlb.addr_write & (TLB_INVALID_MASK|TLB_MMIO)) {
*tlb = tmptlb;
} else {
/* First write TLB entry without TLB_NOTDIRTY.  */
tmptlb.addr_write &= ~TLB_NOTDIRTY;
*tlb = tmptlb;
smp_wmb();
/* Then set NOTDIRTY in tlb->addr_write if necessary.
 * IIRC the IOTLB lets you get back to the ram_addr, and
 * pass it to cpu_physical_memory_is_clean.
 */
if (cpu_physical_memory_is_clean(tlb_get_ram_addr(&tmptlb))) {
tlb->addr_write = tmptlb.addr_write | TLB_NOTDIRTY;
}
}

The silver lining is that tlb_set_dirty now does not need anymore to check
the victim TLB.

Paolo

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[Peter Xu]

On Tue, Aug 02, 2016 at 10:46:13AM +0200, Jan Kiszka wrote:
> On 2016-08-02 10:36, Peter Xu wrote:
> > On Mon, Aug 01, 2016 at 06:39:05PM +0200, Jan Kiszka wrote:
> > 
> > [...]
> > 
> >>>  static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
> >>> @@ -2209,11 +2250,17 @@ static MemTxResult vtd_mem_ir_write(void *opaque, 
> >>> hwaddr addr,
> >>>  {
> >>>  int ret = 0;
> >>>  MSIMessage from = {}, to = {};
> >>> +uint16_t sid = X86_IOMMU_SID_INVALID;
> >>>  
> >>>  from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
> >>>  from.data = (uint32_t) value;
> >>>  
> >>> -ret = vtd_interrupt_remap_msi(opaque, &from, &to);
> >>> +if (!attrs.unspecified) {
> >>> +/* We have explicit Source ID */
> >>> +sid = attrs.requester_id;
> >>> +}
> >>
> >> ...here you fall back to X86_IOMMU_SID_INVALID if writer to this region
> >> has not provided some valid attrs. That is questionable, defeats
> >> validation of the IOAPIC e.g. (and you can see lots of
> >> X86_IOMMU_SID_INVALID in vtd_irte_get when booting a guest).
> >>
> >> The credits also go to David who noticed that he still doesn't get a
> >> proper ID from the IOAPIC while implementing AMD IR. Looks like we need
> >> to enlighten the IOAPIC MSI writes...
> > 
> > Jan, David,
> > 
> > At the time when drafting the patch, I skipped SID verification for
> > IOAPIC interrupts since it differs from generic PCI devices (no
> > natural requester ID, so need some hacky lines to enable it).
> 
> It's not hacky at all if done properly. For Intel it is simply
> (Q35_PSEUDO_BUS_PLATFORM << 8) | Q35_PSEUDO_DEVFN_IOAPIC, but it will be
> 0x00a0 (as constant as well) for AMD. So we need some interface to tell
> those parameters to the IOMMU. Keep in mind that we will need a similar
> interface for other platform devices, e.g. the HPET.

Okay.

> 
> > 
> > I can try to cook another seperate patch to enable it (for 2.8
> > possibly?). Thanks for pointing out this issue.
> 
> David needs that IOAPIC ID as well in order to finish interrupt
> remapping on AMD. Please synchronize with him who will implement what.

Sure. David, so do you like to do it or I cook this patch? :)

Thanks,

-- peterx

[Qemu-devel] [PATCH] mptsas: really fix migration compatibility

[Paolo Bonzini]

Commit 2e2aa316 removed internal flag msi_in_use, but it
existed in vmstate.  Restore it for migration to older QEMU
versions.

Reported-by: Amit Shah 
Suggested-by: Amit Shah 
Cc: Markus Armbruster 
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini 
Cc: Michael S. Tsirkin 
Cc: Amit Shah 
Cc: Cao jin 
Signed-off-by: Paolo Bonzini 
---
 hw/scsi/mptsas.c | 4 +++-
 hw/scsi/mptsas.h | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index bebe513..0e0a22f 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -1295,6 +1295,8 @@ static void mptsas_scsi_init(PCIDevice *dev, Error **errp)
 /* With msi=auto, we fall back to MSI off silently */
 error_free(err);
 
+/* Only used for migration.  */
+s->msi_in_use = (ret == 0);
 }
 
 memory_region_init_io(&s->mmio_io, OBJECT(s), &mptsas_mmio_ops, s,
@@ -1370,7 +1372,7 @@ static const VMStateDescription vmstate_mptsas = {
 .post_load = mptsas_post_load,
 .fields  = (VMStateField[]) {
 VMSTATE_PCI_DEVICE(dev, MPTSASState),
-VMSTATE_UNUSED(sizeof(bool)), /* Was msi_in_use */
+VMSTATE_BOOL(msi_in_use, MPTSASState),
 VMSTATE_UINT32(state, MPTSASState),
 VMSTATE_UINT8(who_init, MPTSASState),
 VMSTATE_UINT8(doorbell_state, MPTSASState),
diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
index da014a3..0436a33 100644
--- a/hw/scsi/mptsas.h
+++ b/hw/scsi/mptsas.h
@@ -31,6 +31,8 @@ struct MPTSASState {
 OnOffAuto msi;
 uint64_t sas_addr;
 
+bool msi_in_use;
+
 /* Doorbell register */
 uint32_t state;
 uint8_t who_init;
-- 
2.7.4

Re: [Qemu-devel] [PATCH V11 8/9] filter-rewriter: track connection and parse packet

[Zhang Chen]

On 08/02/2016 04:23 PM, Jason Wang wrote:



On 2016年07月28日 18:12, Zhang Chen wrote:

We use colo-base.h to track connection and parse packet

Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-base.c   | 14 ++
  net/colo-base.h   |  1 +
  net/filter-rewriter.c | 50 
++

  3 files changed, 65 insertions(+)

diff --git a/net/colo-base.c b/net/colo-base.c
index eb1b631..20797b5 100644
--- a/net/colo-base.c
+++ b/net/colo-base.c
@@ -103,6 +103,20 @@ void fill_connection_key(Packet *pkt, 
ConnectionKey *key)

  }
  }
  +void reverse_connection_key(ConnectionKey *key)
+{
+struct in_addr tmp_ip;
+uint16_t tmp_port;
+
+tmp_ip = key->src;
+key->src = key->dst;
+key->dst = tmp_ip;
+
+tmp_port = key->src_port;
+key->src_port = key->dst_port;
+key->dst_port = tmp_port;
+}
+
  Connection *connection_new(ConnectionKey *key)
  {
  Connection *conn = g_slice_new(Connection);
diff --git a/net/colo-base.h b/net/colo-base.h
index 860a148..8d402a3 100644
--- a/net/colo-base.h
+++ b/net/colo-base.h
@@ -56,6 +56,7 @@ uint32_t connection_key_hash(const void *opaque);
  int connection_key_equal(const void *opaque1, const void *opaque2);
  int parse_packet_early(Packet *pkt);
  void fill_connection_key(Packet *pkt, ConnectionKey *key);
+void reverse_connection_key(ConnectionKey *key);
  Connection *connection_new(ConnectionKey *key);
  void connection_destroy(void *opaque);
  Connection *connection_get(GHashTable *connection_track_table,
diff --git a/net/filter-rewriter.c b/net/filter-rewriter.c
index 3a39f52..6350080 100644
--- a/net/filter-rewriter.c
+++ b/net/filter-rewriter.c
@@ -51,6 +51,20 @@ static void filter_rewriter_flush(NetFilterState *nf)
  }
  }
  +/*
+ * Return 1 on success, if return 0 means the pkt
+ * is not TCP packet
+ */
+static int is_tcp_packet(Packet *pkt)
+{
+if (!parse_packet_early(pkt) &&
+pkt->ip->ip_p == IPPROTO_TCP) {
+return 1;
+} else {
+return 0;
+}
+}
+
  static ssize_t colo_rewriter_receive_iov(NetFilterState *nf,
   NetClientState *sender,
   unsigned flags,
@@ -58,11 +72,47 @@ static ssize_t 
colo_rewriter_receive_iov(NetFilterState *nf,

   int iovcnt,
   NetPacketSent *sent_cb)
  {
+RewriterState *s = FILTER_COLO_REWRITER(nf);
+Connection *conn;
+ConnectionKey key = {{ 0 } };
+Packet *pkt;
+ssize_t size = iov_size(iov, iovcnt);
+char *buf = g_malloc0(size);
+
+iov_to_buf(iov, iovcnt, 0, buf, size);
+pkt = packet_new(buf, size);
+
  /*
   * if we get tcp packet
   * we will rewrite it to make secondary guest's
   * connection established successfully
   */
+if (is_tcp_packet(pkt)) {
+
+fill_connection_key(pkt, &key);
+
+if (sender == nf->netdev) {
+/*
+ * We need make tcp TX and RX packet
+ * into one connection.
+ */
+reverse_connection_key(&key);


Why not simply do the comparing and swap in fill_connection_key()?


Because we need use conn->offset in both TX and RX, so,we make
TX and RX packet in same connection.

Thanks
ZhangChen





+}
+conn = connection_get(s->connection_track_table,
+  &key,
+  &s->hashtable_size);
+
+if (sender == nf->netdev) {
+/* NET_FILTER_DIRECTION_TX */
+/* handle_primary_tcp_pkt */
+} else {
+/* NET_FILTER_DIRECTION_RX */
+/* handle_secondary_tcp_pkt */
+}
+}
+
+packet_destroy(pkt, NULL);
+pkt = NULL;
  return 0;
  }




.



--
Thanks
zhangchen

[Qemu-devel] [PATCH v1 3/3] vnc: ensure connection sharing/limits is always configured

[Daniel P. Berrange]

The connection sharing / limits are only set in the
vnc_display_open() method and so missed when VNC is running
with '-vnc none'. This in turn prevents clients being added
to the VNC server with the QMP "add_client" command.

This was introduced in

  commit e5f34cdd2da54f28d90889a3afd15fad2d6105ff
  Author: Gerd Hoffmann 
  Date:   Thu Oct 2 12:09:34 2014 +0200

  vnc: track & limit connections

Signed-off-by: Daniel P. Berrange 
---
 ui/vnc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index f2f5dc1..4ce9034 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3150,6 +3150,9 @@ void vnc_display_init(const char *id)
 if (!vs->kbd_layout)
 exit(1);
 
+vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
+vs->connections_limit = 32;
+
 qemu_mutex_init(&vs->mutex);
 vnc_start_worker_thread();
 
-- 
2.7.4

[Qemu-devel] [PATCH v1 2/3] vnc: fix crash when vnc_server_info_get has an error

[Daniel P. Berrange]

The vnc_server_info_get will allocate the VncServerInfo
struct and then call vnc_init_basic_info_from_server_addr
to populate the basic fields. If this returns an error
though, the qapi_free_VncServerInfo call will then crash
because the VncServerInfo struct instance was not properly
NULL-initialized and thus contains random stack garbage.

 #0  0x7f1987c8e6f5 in raise () at /lib64/libc.so.6
 #1  0x7f1987c902fa in abort () at /lib64/libc.so.6
 #2  0x7f1987ccf600 in __libc_message () at /lib64/libc.so.6
 #3  0x7f1987cd7d4a in _int_free () at /lib64/libc.so.6
 #4  0x7f1987cdb2ac in free () at /lib64/libc.so.6
 #5  0x7f198b654f6e in g_free () at /lib64/libglib-2.0.so.0
 #6  0x559193cdcf54 in visit_type_str (v=v@entry=
 0x5591972f14b0, name=name@entry=0x559193de1e29 "host", 
obj=obj@entry=0x5591961dbfa0, errp=errp@entry=0x7fffd7899d80)
 at qapi/qapi-visit-core.c:255
 #7  0x559193cca8f3 in visit_type_VncBasicInfo_members (v=v@entry=
 0x5591972f14b0, obj=obj@entry=0x5591961dbfa0, 
errp=errp@entry=0x7fffd7899dc0) at qapi-visit.c:12307
 #8  0x559193ccb523 in visit_type_VncServerInfo_members (v=v@entry=
 0x5591972f14b0, obj=0x5591961dbfa0, errp=errp@entry=0x7fffd7899e00) at 
qapi-visit.c:12632
 #9  0x559193ccb60b in visit_type_VncServerInfo (v=v@entry=
 0x5591972f14b0, name=name@entry=0x0, obj=obj@entry=0x7fffd7899e48, 
errp=errp@entry=0x0) at qapi-visit.c:12658
 #10 0x559193cb53d8 in qapi_free_VncServerInfo (obj=) at 
qapi-types.c:3970
 #11 0x559193c1e6ba in vnc_server_info_get (vd=0x7f1951498010) at 
ui/vnc.c:233
 #12 0x559193c24275 in vnc_connect (vs=0x559197b2f200, vs=0x559197b2f200, 
event=QAPI_EVENT_VNC_CONNECTED) at ui/vnc.c:284
 #13 0x559193c24275 in vnc_connect (vd=vd@entry=0x7f1951498010, 
sioc=sioc@entry=0x559196bf9c00, skipauth=skipauth@entry=tru e, 
websocket=websocket@entry=false) at ui/vnc.c:3039
 #14 0x559193c25806 in vnc_display_add_client (id=, 
csock=, skipauth=)
 at ui/vnc.c:3877
 #15 0x559193a90c28 in qmp_marshal_add_client (args=, 
ret=, errp=0x7fffd7899f90)
 at qmp-marshal.c:105
 #16 0x55919399c2b7 in handle_qmp_command (parser=, 
tokens=)
 at /home/berrange/src/virt/qemu/monitor.c:3971
 #17 0x559193ce3307 in json_message_process_token (lexer=0x559194ab0838, 
input=0x559194a6d940, type=JSON_RCURLY, x=111, y=1 2) at 
qobject/json-streamer.c:105
 #18 0x559193cfa90d in json_lexer_feed_char 
(lexer=lexer@entry=0x559194ab0838, ch=125 '}', flush=flush@entry=false)
 at qobject/json-lexer.c:319
 #19 0x559193cfaa1e in json_lexer_feed (lexer=0x559194ab0838, 
buffer=, size=)
 at qobject/json-lexer.c:369
 #20 0x559193ce33c9 in json_message_parser_feed (parser=, 
buffer=, size=)
 at qobject/json-streamer.c:124
 #21 0x55919399a85b in monitor_qmp_read (opaque=, 
buf=, size=)
 at /home/berrange/src/virt/qemu/monitor.c:3987
 #22 0x559193a87d00 in tcp_chr_read (chan=, cond=, opaque=0x559194a7d900)
 at qemu-char.c:2895
 #23 0x7f198b64f703 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
 #24 0x559193c484b3 in main_loop_wait () at main-loop.c:213
 #25 0x559193c484b3 in main_loop_wait (timeout=) at 
main-loop.c:258
 #26 0x559193c484b3 in main_loop_wait (nonblocking=) at 
main-loop.c:506
 #27 0x559193964c55 in main () at vl.c:1908
 #28 0x559193964c55 in main (argc=, argv=, 
envp=) at vl.c:4603

This was introduced in

  commit 98481bfcd661daa3c160cc87a297b0e60a307788
  Author: Eric Blake 
  Date:   Mon Oct 26 16:34:45 2015 -0600

vnc: Hoist allocation of VncBasicInfo to callers

which added error reporting for vnc_init_basic_info_from_server_addr
but didn't change the g_malloc calls to g_malloc0.

Signed-off-by: Daniel P. Berrange 
---
 ui/vnc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index f183d00..f2f5dc1 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -224,7 +224,7 @@ static VncServerInfo *vnc_server_info_get(VncDisplay *vd)
 VncServerInfo *info;
 Error *err = NULL;
 
-info = g_malloc(sizeof(*info));
+info = g_malloc0(sizeof(*info));
 vnc_init_basic_info_from_server_addr(vd->lsock,
  qapi_VncServerInfo_base(info), &err);
 info->has_auth = true;
-- 
2.7.4

[Qemu-devel] [PATCH v1 0/3] Fix QMP add_client with -vnc none

[Daniel P. Berrange]

This series of patches fixes 3 bugs which prevent the use
of QMP add_client to attach VNC clients when no listener
socket is present with -vnc none.

This has been originally broken since 2.3.0 with the introduction
of VNC client limits, and later turned into a crash.

Daniel P. Berrange (3):
  vnc: don't crash getting server info if lsock is NULL
  vnc: fix crash when vnc_server_info_get has an error
  vnc: ensure connection sharing/limits is always configured

 ui/vnc.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

-- 
2.7.4

[Qemu-devel] [PATCH v1 1/3] vnc: don't crash getting server info if lsock is NULL

[Daniel P. Berrange]

When VNC is started with '-vnc none' there will be no
listener socket present. When we try to populate the
VncServerInfo we'll crash accessing a NULL 'lsock'
field.

 #0  qio_channel_socket_get_local_address (ioc=0x0, 
errp=errp@entry=0x7ffd5b8aa0f0) at io/channel-socket.c:33
 #1  0x7f4b9a297d6f in vnc_init_basic_info_from_server_addr 
(errp=0x7ffd5b8aa0f0, info=0x7f4b9d425460, ioc=)  at ui/vnc.c:146
 #2  vnc_server_info_get (vd=0x7f4b9e858000) at ui/vnc.c:223
 #3  0x7f4b9a29d318 in vnc_qmp_event (vs=0x7f4b9ef82000, vs=0x7f4b9ef82000, 
event=QAPI_EVENT_VNC_CONNECTED) at ui/vnc.c:279
 #4  vnc_connect (vd=vd@entry=0x7f4b9e858000, sioc=sioc@entry=0x7f4b9e8b3a20, 
skipauth=skipauth@entry=true, websocket=websocket @entry=false) at ui/vnc.c:2994
 #5  0x7f4b9a29e8c8 in vnc_display_add_client (id=, 
csock=, skipauth=) at ui/v nc.c:3825
 #6  0x7f4b9a18d8a1 in qmp_marshal_add_client (args=, 
ret=, errp=0x7ffd5b8aa230) at qmp-marsh al.c:123
 #7  0x7f4b9a0b53f5 in handle_qmp_command (parser=, 
tokens=) at /usr/src/debug/qemu-2.6.0/mon itor.c:3922
 #8  0x7f4b9a348580 in json_message_process_token (lexer=0x7f4b9c78dfe8, 
input=0x7f4b9c7350e0, type=JSON_RCURLY, x=111, y=5 9) at 
qobject/json-streamer.c:94
 #9  0x7f4b9a35cfeb in json_lexer_feed_char 
(lexer=lexer@entry=0x7f4b9c78dfe8, ch=125 '}', flush=flush@entry=false) at qobj 
ect/json-lexer.c:310
 #10 0x7f4b9a35d0ae in json_lexer_feed (lexer=0x7f4b9c78dfe8, 
buffer=, size=) at qobject/json -lexer.c:360
 #11 0x7f4b9a348679 in json_message_parser_feed (parser=, 
buffer=, size=) at q object/json-streamer.c:114
 #12 0x7f4b9a0b3a1b in monitor_qmp_read (opaque=, 
buf=, size=) at /usr/src/deb 
ug/qemu-2.6.0/monitor.c:3938
 #13 0x7f4b9a186751 in tcp_chr_read (chan=, cond=, opaque=0x7f4b9c7add40) at qemu-char.c:2895
 #14 0x7f4b92b5c79a in g_main_context_dispatch () from 
/lib64/libglib-2.0.so.0
 #15 0x7f4b9a2bb0c0 in glib_pollfds_poll () at main-loop.c:213
 #16 os_host_main_loop_wait (timeout=) at main-loop.c:258
 #17 main_loop_wait (nonblocking=) at main-loop.c:506
 #18 0x7f4b9a0835cf in main_loop () at vl.c:1934
 #19 main (argc=, argv=, envp=) at 
vl.c:4667

Do an upfront check for a NULL lsock and report an error to
the caller, which matches behaviour from before

  commit 04d2529da27db512dcbd5e99d0e26d333f16efcc
  Author: Daniel P. Berrange 
  Date:   Fri Feb 27 16:20:57 2015 +

ui: convert VNC server to use QIOChannelSocket

where getsockname() would be given a FD value -1 and thus report
an error to the caller.

Signed-off-by: Daniel P. Berrange 
---
 ui/vnc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ui/vnc.c b/ui/vnc.c
index 3ce3a5b..f183d00 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -143,6 +143,11 @@ static void 
vnc_init_basic_info_from_server_addr(QIOChannelSocket *ioc,
 {
 SocketAddress *addr = NULL;
 
+if (!ioc) {
+error_setg(errp, "No listener socket available");
+return;
+}
+
 addr = qio_channel_socket_get_local_address(ioc, errp);
 if (!addr) {
 return;
-- 
2.7.4

[Qemu-devel] [PATCH v2] qdev: Fix use after free in qdev_init_nofail error path

[Igor Mammedov]

Since 69382d8b (qdev: Fix object reference leak in case device.realize()
fails), object_property_set_bool releases the device object
in case realize's failed and device hasn't explicitly assigned
parent. It happens due to object_unparent() on error handling
path releases not only implicitly set parent but also calls
device_unparent() which releases the remaining reference hold
buy parent bus.

qdev_try_create() created device has only 1 reference hold by
parent bus which makes impossible to unparent/re-parent object
without destroying it.

Fix it by making caller of qdev_try_create()/qdev_init_nofail()
own a reference from object_new() until qdev_init_nofail() is
successfully executed so that uparenting won't destroy device
until caller owns pointer returned by qdev_try_create().

Signed-off-by: Igor Mammedov 
---
 hw/core/qdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index ee4a083..0139d67 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -151,7 +151,6 @@ DeviceState *qdev_try_create(BusState *bus, const char 
*type)
 }
 
 qdev_set_parent_bus(dev, bus);
-object_unref(OBJECT(dev));
 return dev;
 }
 
@@ -360,6 +359,7 @@ void qdev_init_nofail(DeviceState *dev)
   object_get_typename(OBJECT(dev)));
 exit(1);
 }
+object_unref(OBJECT(dev));
 }
 
 void qdev_machine_creation_done(void)
-- 
2.7.4

[Qemu-devel] [PATCH] hw/ide: fix a writing to null pointer exception

[忽朝俭]

From b5e5c01b025e83500ca46628add7f63f42f9b2ab Mon Sep 17 00:00:00 2001From: 
chaojianhu Date: Tue, 2 Aug 2016 17:39:16 +0800Subject: 
[PATCH] hw/ide: fix a writing to null pointer exception
In qemu less than v2.1.3, ide_flush_cache calls ide_flush_cb with s->bs == 
NULL,and ide_flush_cb calls bdrv_acct_done without checking s->bs neither. 
Finally, bdrv_acct_done writes s->bs directly!
Reported-by: chaojianhu Signed-off-by: chaojianhu 

--- hw/ide/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/ide/core.c b/hw/ide/core.cindex fa4cafa..c39eedc 100644--- 
a/hw/ide/core.c+++ b/hw/ide/core.c@@ -839,7 +839,9 @@ static void 
ide_flush_cb(void *opaque, int ret) } } -bdrv_acct_done(s->bs, 
&s->acct);+if (s->bs){+bdrv_acct_done(s->bs, &s->acct);+} 
s->status = READY_STAT | SEEK_STAT; ide_async_cmd_done(s); 
ide_set_irq(s->bus);-- 1.9.1
  

Re: [Qemu-devel] [RFC PATCH v1 1/2] utils: Add helper to read arm MIDR_EL1 register

[Paolo Bonzini]

- Original Message -
> From: "vijay kilari" 
> To: qemu-...@nongnu.org, "peter maydell" , 
> pbonz...@redhat.com
> Cc: qemu-devel@nongnu.org, "Prasun Kapoor" , "vijay 
> kilari" ,
> "Vijaya Kumar K" 
> Sent: Tuesday, August 2, 2016 12:20:15 PM
> Subject: [RFC PATCH v1 1/2] utils: Add helper to read arm MIDR_EL1 register
> 
> From: Vijaya Kumar K 
> 
> Add helper API to read MIDR_EL1 registers to fetch
> cpu identification information. This helps in
> adding errata's and architecture specific features.
> 
> This is implemented only for arm architecture.
> 
> Signed-off-by: Vijaya Kumar K 
> ---
>  include/qemu-common.h |1 +
>  util/Makefile.objs|1 +
>  util/cpuinfo.c|   52
>  +
>  3 files changed, 54 insertions(+)
> 
> diff --git a/include/qemu-common.h b/include/qemu-common.h
> index 1f2cb94..62ad674 100644
> --- a/include/qemu-common.h
> +++ b/include/qemu-common.h
> @@ -134,4 +134,5 @@ void page_size_init(void);
>   * returned. */
>  bool dump_in_progress(void);
>  
> +long int qemu_read_cpuid_info(void);

First, please avoid adding to include/qemu-common.h (it really should
go away).

Second, this is too generic a name.  Please call it something like
qemu_read_aarch64_midr_el1.

Third, it's probably a bad idea to call this function from generic code, so
make it static and add the detection function from patch 2/2 already here.
By making it static, it's also possible to define it only if CONFIG_LINUX
is defined; the ThunderX detection will then return false if !CONFIG_LINUX.

Thanks,

Paolo

>  #endif
> diff --git a/util/Makefile.objs b/util/Makefile.objs
> index 96cb1e0..9d25a72 100644
> --- a/util/Makefile.objs
> +++ b/util/Makefile.objs
> @@ -35,3 +35,4 @@ util-obj-y += log.o
>  util-obj-y += qdist.o
>  util-obj-y += qht.o
>  util-obj-y += range.o
> +util-obj-y += cpuinfo.o
> diff --git a/util/cpuinfo.c b/util/cpuinfo.c
> new file mode 100644
> index 000..3ba7194
> --- /dev/null
> +++ b/util/cpuinfo.c
> @@ -0,0 +1,52 @@
> +/*
> + * Dealing with arm cpu identification information.
> + *
> + * Copyright (C) 2016 Cavium, Inc.
> + *
> + * Authors:
> + *  Vijaya Kumar K 
> + *
> + * This work is licensed under the terms of the GNU LGPL, version 2.1
> + * or later.  See the COPYING.LIB file in the top-level directory.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qemu-common.h"
> +#include "qemu/cutils.h"
> +
> +#if defined(__aarch64__)
> +
> +long int qemu_read_cpuid_info(void)
> +{
> +FILE *fp;
> +char *buf;
> +long int midr = 0;
> +#define BUF_SIZE 32
> +
> +fp = fopen("/sys/devices/system/cpu/cpu0/regs/identification/midr_el1",
> +   "r");
> +if (!fp) {
> +return 0;
> +}
> +
> +buf = g_malloc0(BUF_SIZE);
> +if (!buf) {
> +fclose(fp);
> +return 0;
> +}
> +
> +if (buf != fgets(buf, BUF_SIZE - 1, fp)) {
> +goto out;
> +}
> +
> +if (qemu_strtol(buf, NULL, 0, &midr) < 0) {
> +goto out;
> +}
> +
> +out:
> +g_free(buf);
> +fclose(fp);
> +
> +return midr;
> +}
> +#endif
> --
> 1.7.9.5
> 
> 

Re: [Qemu-devel] [PATCH] ppc: Add MacOS VGA driver ROM

[Gerd Hoffmann]

On Di, 2016-08-02 at 19:17 +1000, Benjamin Herrenschmidt wrote:
> On Tue, 2016-08-02 at 10:55 +0200, Gerd Hoffmann wrote:
> > > CodeWarrior for MacOS X does come with command line versions of the
> > > tools, I plan to look into doing a Makefile once I've sorted out the
> > > various arguments for these things at least.
> > 
> > Yes, you do that once, put it into roms/Makefile, and the next time you
> > just do "make -C roms macosdrivers" instead of sorting out the various
> > arguments *again*.
> > 
> > Bonus: Any possible contributers will have an easier start too.
> 
> I did notice that having Makefiles in the roms directory make
> git submodule barf ... I had to remove them for it to be able
> to clone the submodules.

I mean roms/Makefile, not roms/$submodule/Makefile

cheers,
  Gerd

Re: [Qemu-devel] [PATCH] mptsas: really fix migration compatibility

[Cao jin]

On 08/02/2016 06:34 PM, Paolo Bonzini wrote:

Commit 2e2aa316 removed internal flag msi_in_use, but it
existed in vmstate.  Restore it for migration to older QEMU
versions.

Reported-by: Amit Shah 
Suggested-by: Amit Shah 
Cc: Markus Armbruster 
Cc: Marcel Apfelbaum 
Cc: Paolo Bonzini 
Cc: Michael S. Tsirkin 
Cc: Amit Shah 
Cc: Cao jin 
Signed-off-by: Paolo Bonzini 
---
  hw/scsi/mptsas.c | 4 +++-
  hw/scsi/mptsas.h | 2 ++
  2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index bebe513..0e0a22f 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -1295,6 +1295,8 @@ static void mptsas_scsi_init(PCIDevice *dev, Error **errp)
  /* With msi=auto, we fall back to MSI off silently */
  error_free(err);

+/* Only used for migration.  */
+s->msi_in_use = (ret == 0);
  }

  memory_region_init_io(&s->mmio_io, OBJECT(s), &mptsas_mmio_ops, s,
@@ -1370,7 +1372,7 @@ static const VMStateDescription vmstate_mptsas = {
  .post_load = mptsas_post_load,
  .fields  = (VMStateField[]) {
  VMSTATE_PCI_DEVICE(dev, MPTSASState),
-VMSTATE_UNUSED(sizeof(bool)), /* Was msi_in_use */
+VMSTATE_BOOL(msi_in_use, MPTSASState),
  VMSTATE_UINT32(state, MPTSASState),
  VMSTATE_UINT8(who_init, MPTSASState),
  VMSTATE_UINT8(doorbell_state, MPTSASState),
diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
index da014a3..0436a33 100644
--- a/hw/scsi/mptsas.h
+++ b/hw/scsi/mptsas.h
@@ -31,6 +31,8 @@ struct MPTSASState {
  OnOffAuto msi;
  uint64_t sas_addr;

+bool msi_in_use;
+
  /* Doorbell register */
  uint32_t state;
  uint8_t who_init;



Thanks for saving my mistake.
Just FYI: there is a superfluous newline in mptsas_scsi_init() made by 
me, maybe is handy to remove.

--
Yours Sincerely,

Cao jin

Re: [Qemu-devel] [Qemu-block] [PATCH 1/3] blockjob: fix dead pointer in txn list

[Vladimir Sementsov-Ogievskiy]

On 02.08.2016 01:39, John Snow wrote:

On 07/27/2016 06:49 AM, Vladimir Sementsov-Ogievskiy wrote:

Job may be freed in block_job_unref and in this case this would break
transaction QLIST.

Fix this by removing job from this list before unref.

Signed-off-by: Vladimir Sementsov-Ogievskiy 
---
 blockjob.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/blockjob.c b/blockjob.c
index a5ba3be..e045091 100644
--- a/blockjob.c
+++ b/blockjob.c
@@ -216,6 +216,7 @@ static void block_job_completed_single(BlockJob 
*job)

 }
 job->cb(job->opaque, job->ret);
 if (job->txn) {
+QLIST_REMOVE(job, txn_list);
 block_job_txn_unref(job->txn);
 }
 block_job_unref(job);



Has this caused actual problems for you?


Yes, with the same changed test 124 (my parallel thread). Backup job can 
finish  too early (if dirty bitmap is empty) and then we use this 
transaction job list with dead pointer.




This function is only ever called in a transactional context if the 
transaction is over -- so we're not likely to use the pointers ever 
again anyway.


Backup job may finish even earlier than all jobs are added to the list. 
(same case, empty dirty bitmap for one of drives).




Still, it's good practice, and the caller uses a safe iteration of the 
list, so I think this should be safe.


But I don't think this SHOULD fix an actual bug. If it does, I think 
something else is wrong.


Tested-by: John Snow 
Reviewed-by: John Snow 



--
Best regards,
Vladimir

Re: [Qemu-devel] [RFC PATCH v1 1/2] utils: Add helper to read arm MIDR_EL1 register

[Peter Maydell]

On 2 August 2016 at 11:20,   wrote:
> +long int qemu_read_cpuid_info(void)

Don't use "long" here, it might be 32 or 64 bits.
The kernel ABI for the /sys/ file we're reading says it
is a 64-bit value, so uint64_t is what you want.

> +{
> +FILE *fp;
> +char *buf;
> +long int midr = 0;
> +#define BUF_SIZE 32
> +
> +fp = fopen("/sys/devices/system/cpu/cpu0/regs/identification/midr_el1",
> +   "r");
> +if (!fp) {
> +return 0;
> +}
> +
> +buf = g_malloc0(BUF_SIZE);
> +if (!buf) {
> +fclose(fp);
> +return 0;
> +}
> +
> +if (buf != fgets(buf, BUF_SIZE - 1, fp)) {
> +goto out;
> +}

g_file_get_contents() is probably easier than manually
opening the file and reading it into an allocated buffer.

> +
> +if (qemu_strtol(buf, NULL, 0, &midr) < 0) {

qemu_strtoull().

> +goto out;
> +}
> +
> +out:
> +g_free(buf);
> +fclose(fp);
> +
> +return midr;
> +}
> +#endif
> --
> 1.7.9.5
>

thanks
-- PMM

[Qemu-devel] [PULL 1/1] MAINTAINERS: Add Host Memory Backends section

[Eduardo Habkost]

The hostmem code is closely related to the NUMA code, so I am
willing to handle patches to those files and share the work with
Igor (the original author of that code).

Acked-by: Igor Mammedov 
Reviewed-by: Markus Armbruster 
Signed-off-by: Eduardo Habkost 
---
 MAINTAINERS | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 9c88c44..b6fb84e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1169,6 +1169,13 @@ F: numa.c
 F: include/sysemu/numa.h
 T: git git://github.com/ehabkost/qemu.git numa
 
+Host Memory Backends
+M: Eduardo Habkost 
+M: Igor Mammedov 
+S: Maintained
+F: backends/hostmem*.c
+F: include/sysemu/hostmem.h
+
 QAPI
 M: Markus Armbruster 
 M: Michael Roth 
-- 
2.5.5

[Qemu-devel] [PULL 0/1] MAINTAINERS: Add Host Memory Backends section

[Eduardo Habkost]

The following changes since commit cc0100f464c94bf80ad36cd432f4a1ed58126b60:

  MAINTAINERS: Update the Xilinx maintainers (2016-08-01 15:31:32 +0100)

are available in the git repository at:

  git://github.com/ehabkost/qemu.git tags/numa-pull-request

for you to fetch changes up to 4fc264f49c2998cacbc1146b80529c5f768eebdb:

  MAINTAINERS: Add Host Memory Backends section (2016-08-02 08:22:02 -0300)


MAINTAINERS: Add Host Memory Backends section



Eduardo Habkost (1):
  MAINTAINERS: Add Host Memory Backends section

 MAINTAINERS | 7 +++
 1 file changed, 7 insertions(+)

-- 
2.5.5

Re: [Qemu-devel] [PATCH for-2.7] wxx: Fix compilation of host-libusb.c

[Gerd Hoffmann]

On Fr, 2016-07-29 at 08:55 +0200, Stefan Weil wrote:
> libusb.h uses the WINAPI calling convention for all function
> callbacks.
> 
> Cross compilation with Mingw-w64 on Cygwin fails when this calling
> convention is missing.

queued up both mingw fixes.

thanks,
  Gerd

Re: [Qemu-devel] [PATCH 1/1] ehci: faster frame index calculation for skipped frames

[Gerd Hoffmann]

On Mi, 2016-07-27 at 19:55 +0300, Denis V. Lunev wrote:
> ehci_update_frindex takes time linearly proportional to a number
> of uframes to calculate new frame index and raise FLR interrupts,
> which is a problem for large amounts of uframes.
> 
> If we experience large delays between echi timer callbacks (i.e.
> because
> other periodic handlers have taken a lot of time to complete) we
> get a lot of skipped frames which then delay ehci timer callback more
> and this leads to deadlocking the system when ehci schedules next
> callback to be too soon.
> 
> Observable behaviour is qemu consuming 100% host CPU time while guest
> is unresponsive. This misbehavior could happen for a while and QEMU
> does
> not get out from this state automatically without the patch.
> 
> This change makes ehci_update_frindex execute in constant time.
> 

queued up for 2.7

thanks,
  Gerd

Re: [Qemu-devel] [PATCH 2/2] xen: drain submit queue in xen-usb before removing device

[Gerd Hoffmann]

On Fr, 2016-07-29 at 13:17 +0200, Juergen Gross wrote:
> When unplugging a device in the Xen pvusb backend drain the submit
> queue before deallocation of the control structures. Otherwise there
> will be bogus memory accesses when I/O contracts are finished.
> 
> Correlated to this issue is the handling of cancel requests: a packet
> cancelled will still lead to the call of complete, so add a flag
> A

=== checkpatch complains ===
WARNING: braces {} are necessary for all arms of this statement
#105: FILE: hw/usb/xen-usb.c:696:
+if (sched)
[...]

WARNING: braces {} are necessary for all arms of this statement
#111: FILE: hw/usb/xen-usb.c:702:
+if (!usbif->ports[port - 1].attached)
[...]

WARNING: braces {} are necessary for all arms of this statement
#152: FILE: hw/usb/xen-usb.c:847:
+if (usbif->ports[i].dev)
[...]

cheers,
  Gerd

[Qemu-devel] [PATCH] net: vmxnet: check fragment length during fragmentation

[P J P]

From: Prasad J Pandit 

VMware VMXNET* NIC emulator supports packet fragmentation.
While fragmenting a packet, it checks for more fragments based
on packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.

Reported-by: Li Qiang 
Signed-off-by: Prasad J Pandit 
---
 hw/net/vmxnet_tx_pkt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
index 91e1e08..f4d0f5f 100644
--- a/hw/net/vmxnet_tx_pkt.c
+++ b/hw/net/vmxnet_tx_pkt.c
@@ -544,7 +544,7 @@ static bool vmxnet_tx_pkt_do_sw_fragmentation(struct 
VmxnetTxPkt *pkt,
 
 fragment_offset += fragment_len;
 
-} while (more_frags);
+} while (fragment_len && more_frags);
 
 return true;
 }
-- 
2.5.5

Re: [Qemu-devel] [PATCH v2 7/6] exec: ensure the only one cpu_index allocation method is used

[Eduardo Habkost]

On Wed, Jul 27, 2016 at 11:24:54AM +0200, Igor Mammedov wrote:
> Make sure that cpu_index auto allocation isn't used in
> combination with manual cpu_index assignment. And
> dissallow out of order cpu removal if auto allocation
> is in use.
> 
> Target that wishes to support out of order unplug should
> switch to manual cpu_index assignment. Following patch
> could be used as an example:
>  (pc: init CPUState->cpu_index with index in possible_cpus[]))
> 
> Signed-off-by: Igor Mammedov 

Sorry for the delay, applied to x86-next. Thanks!

-- 
Eduardo

Re: [Qemu-devel] [PATCH] xen: use a common function for pv and hvm guest backend register calls

[Gerd Hoffmann]

On Di, 2016-08-02 at 08:32 +0200, Juergen Gross wrote:
> Instead of calling xen_be_register() for each supported backend type
> for hvm and pv guests in their machine init functions use a common
> function in order not to have to add new backends twice.
> 
> This at once fixes the error that hvm domains couldn't use the qusb
> backend.

Looks good to me.  Should I take this through the usb patch queue,
together with the other xen-usb fixes (once codestyle issues are fixed)?
If so, can I get an ack from xen please, preferably fast enough for
-rc2?

thanks,
  Gerd

Re: [Qemu-devel] [PATCH 2/2] xen: drain submit queue in xen-usb before removing device

[Juergen Gross]

On 02/08/16 13:37, Gerd Hoffmann wrote:
> On Fr, 2016-07-29 at 13:17 +0200, Juergen Gross wrote:
>> When unplugging a device in the Xen pvusb backend drain the submit
>> queue before deallocation of the control structures. Otherwise there
>> will be bogus memory accesses when I/O contracts are finished.
>>
>> Correlated to this issue is the handling of cancel requests: a packet
>> cancelled will still lead to the call of complete, so add a flag
>> A
> 
> === checkpatch complains ===

Aargh, sorry! Wrote too many Xen and Linux patches recently. I'll
correct those.


Juergen

Re: [Qemu-devel] [RFC PATCH 06/11] introduce fixed-clock

[KONRAD Frederic]

Le 02/07/2016 à 01:07, Alistair Francis a écrit :

On Mon, Jun 13, 2016 at 9:27 AM,   wrote:

From: KONRAD Frederic 

This is a fixed clock device.
It justs behave as an empty device with a parametrable output rate.

Signed-off-by: KONRAD Frederic 
---
  hw/misc/Makefile.objs |  2 +
  hw/misc/fixed-clock.c | 87 +++
  include/hw/misc/fixed-clock.h | 30 +++
  3 files changed, 119 insertions(+)
  create mode 100644 hw/misc/fixed-clock.c
  create mode 100644 include/hw/misc/fixed-clock.h

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index e504463..e8b8855 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -52,3 +52,5 @@ obj-$(CONFIG_MIPS_ITU) += mips_itu.o
  obj-$(CONFIG_PVPANIC) += pvpanic.o
  obj-$(CONFIG_EDU) += edu.o
  obj-$(CONFIG_HYPERV_TESTDEV) += hyperv_testdev.o
+
+obj-y += fixed-clock.o
diff --git a/hw/misc/fixed-clock.c b/hw/misc/fixed-clock.c
new file mode 100644
index 000..c273a91
--- /dev/null
+++ b/hw/misc/fixed-clock.c
@@ -0,0 +1,87 @@
+/*
+ * Fixed clock
+ *
+ *  Copyright (C) 2016 : GreenSocs Ltd
+ *  http://www.greensocs.com/ , email: i...@greensocs.com
+ *
+ *  Frederic Konrad   
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "hw/qdev.h"
+#include "hw/misc/fixed-clock.h"
+#include "qemu/qemu-clock.h"
+#include "qapi/error.h"
+
+/* #define DEBUG_FIXED_CLOCK */

Don't include this.


+
+#ifdef DEBUG_FIXED_CLOCK
+#define DPRINTF(fmt, ...) \
+do { printf("fixed-clock: " fmt , ## __VA_ARGS__); } while (0)

It might be better to use __func__ here.

It should also be qemu_log instead of printf().


+#else
+#define DPRINTF(fmt, ...) do { } while (0)
+#endif
+
+typedef struct {
+DeviceState parent_obj;
+
+uint32_t rate;
+struct qemu_clk out;
+} FixedClock;

Doesn't this need to be in the header file?


I think it's not necessary as we get the clock through the API?



+
+static Property fixed_clock_properties[] = {
+DEFINE_PROP_UINT32("rate", FixedClock, rate, 0),
+DEFINE_PROP_END_OF_LIST()
+};
+
+static void fixed_clock_realizefn(DeviceState *d, Error **errp)

dev instead of d

Thanks,

Alistair


+{
+FixedClock *s = FIXED_CLOCK(d);
+
+qemu_clk_update_rate(&s->out, s->rate);
+}
+
+static void fixed_clock_instance_init(Object *obj)
+{
+FixedClock *s = FIXED_CLOCK(obj);
+
+object_initialize(&s->out, sizeof(s->out), TYPE_CLOCK);
+qemu_clk_attach_to_device(DEVICE(obj), &s->out, "clk_out");
+}
+
+static void fixed_clock_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+
+dc->realize = fixed_clock_realizefn;
+dc->props = fixed_clock_properties;
+}
+
+static const TypeInfo fixed_clock_info = {
+.name  = TYPE_FIXED_CLOCK,
+.parent= TYPE_DEVICE,
+.instance_size = sizeof(FixedClock),
+.instance_init = fixed_clock_instance_init,
+.class_init= fixed_clock_class_init,
+};
+
+static void fixed_clock_register_types(void)
+{
+type_register_static(&fixed_clock_info);
+}
+
+type_init(fixed_clock_register_types);
diff --git a/include/hw/misc/fixed-clock.h b/include/hw/misc/fixed-clock.h
new file mode 100644
index 000..1376444
--- /dev/null
+++ b/include/hw/misc/fixed-clock.h
@@ -0,0 +1,30 @@
+/*
+ * Fixed clock
+ *
+ *  Copyright (C) 2016 : GreenSocs Ltd
+ *  http://www.greensocs.com/ , email: i...@greensocs.com
+ *
+ *  Frederic Konrad   
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ *
+ */
+
+#ifndef FIXED_CLOCK_H
+#define FIXED_CLOCK_H
+
+#define TYPE_FIXED_CLOCK "fixed-clock"
+#define FIXED_CLOCK(obj) OBJECT_CHECK(FixedClock, (obj), TYPE_FIXED_CLOCK)
+
+#endif /* FIXED_CLOCK_H */
--
2.5.5

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[David Kiarie]

On Tue, Aug 2, 2016 at 1:28 PM, Peter Xu  wrote:

> On Tue, Aug 02, 2016 at 10:46:13AM +0200, Jan Kiszka wrote:
> > On 2016-08-02 10:36, Peter Xu wrote:
> > > On Mon, Aug 01, 2016 at 06:39:05PM +0200, Jan Kiszka wrote:
> > >
> > > [...]
> > >
> > >>>  static MemTxResult vtd_mem_ir_read(void *opaque, hwaddr addr,
> > >>> @@ -2209,11 +2250,17 @@ static MemTxResult vtd_mem_ir_write(void
> *opaque, hwaddr addr,
> > >>>  {
> > >>>  int ret = 0;
> > >>>  MSIMessage from = {}, to = {};
> > >>> +uint16_t sid = X86_IOMMU_SID_INVALID;
> > >>>
> > >>>  from.address = (uint64_t) addr + VTD_INTERRUPT_ADDR_FIRST;
> > >>>  from.data = (uint32_t) value;
> > >>>
> > >>> -ret = vtd_interrupt_remap_msi(opaque, &from, &to);
> > >>> +if (!attrs.unspecified) {
> > >>> +/* We have explicit Source ID */
> > >>> +sid = attrs.requester_id;
> > >>> +}
> > >>
> > >> ...here you fall back to X86_IOMMU_SID_INVALID if writer to this
> region
> > >> has not provided some valid attrs. That is questionable, defeats
> > >> validation of the IOAPIC e.g. (and you can see lots of
> > >> X86_IOMMU_SID_INVALID in vtd_irte_get when booting a guest).
> > >>
> > >> The credits also go to David who noticed that he still doesn't get a
> > >> proper ID from the IOAPIC while implementing AMD IR. Looks like we
> need
> > >> to enlighten the IOAPIC MSI writes...
> > >
> > > Jan, David,
> > >
> > > At the time when drafting the patch, I skipped SID verification for
> > > IOAPIC interrupts since it differs from generic PCI devices (no
> > > natural requester ID, so need some hacky lines to enable it).
> >
> > It's not hacky at all if done properly. For Intel it is simply
> > (Q35_PSEUDO_BUS_PLATFORM << 8) | Q35_PSEUDO_DEVFN_IOAPIC, but it will be
> > 0x00a0 (as constant as well) for AMD. So we need some interface to tell
> > those parameters to the IOMMU. Keep in mind that we will need a similar
> > interface for other platform devices, e.g. the HPET.
>
> Okay.
>
> >
> > >
> > > I can try to cook another seperate patch to enable it (for 2.8
> > > possibly?). Thanks for pointing out this issue.
> >
> > David needs that IOAPIC ID as well in order to finish interrupt
> > remapping on AMD. Please synchronize with him who will implement what.
>
> Sure. David, so do you like to do it or I cook this patch? :)


If there are no objections I will look at this employing Jan's approach:
associating a write with an address space.


>


> Thanks,
>
> -- peterx
>

[Qemu-devel] [Patch v1 03/29] s390x/cpumodel: expose CPU class properties

[David Hildenbrand]

Let's expose the description and migration safety and whether a definition
is static, as class properties, this can be helpful in the future.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu.c|  1 +
 target-s390x/cpu.h|  1 +
 target-s390x/cpu_models.c | 25 +
 3 files changed, 27 insertions(+)

diff --git a/target-s390x/cpu.c b/target-s390x/cpu.c
index 44e53ec..d7d0b62 100644
--- a/target-s390x/cpu.c
+++ b/target-s390x/cpu.c
@@ -445,6 +445,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
  * object_unref().
  */
 dc->cannot_destroy_with_object_finalize_yet = true;
+s390_cpu_model_class_register_props(oc);
 }
 
 static const TypeInfo s390_cpu_type_info = {
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index e34742e..075bb37 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -631,6 +631,7 @@ extern void subsystem_reset(void);
 
 void s390_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #define cpu_list s390_cpu_list
+void s390_cpu_model_class_register_props(ObjectClass *oc);
 void s390_realize_cpu_model(CPUState *cs, Error **errp);
 ObjectClass *s390_cpu_class_by_name(const char *name);
 
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index cff02b2..c875719 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -111,6 +111,31 @@ static void s390_cpu_model_finalize(Object *obj)
 {
 }
 
+static bool get_is_migration_safe(Object *obj, Error **errp)
+{
+return S390_CPU_GET_CLASS(obj)->is_migration_safe;
+}
+
+static bool get_is_static(Object *obj, Error **errp)
+{
+return S390_CPU_GET_CLASS(obj)->is_static;
+}
+
+static char *get_description(Object *obj, Error **errp)
+{
+return g_strdup(S390_CPU_GET_CLASS(obj)->desc);
+}
+
+void s390_cpu_model_class_register_props(ObjectClass *oc)
+{
+object_class_property_add_bool(oc, "migration-safe", get_is_migration_safe,
+   NULL, NULL);
+object_class_property_add_bool(oc, "static", get_is_static,
+   NULL, NULL);
+object_class_property_add_str(oc, "description", get_description, NULL,
+  NULL);
+}
+
 #ifdef CONFIG_KVM
 static void s390_host_cpu_model_class_init(ObjectClass *oc, void *data)
 {
-- 
2.6.6

[Qemu-devel] [Patch v1 05/29] s390x/cpumodel: generate CPU feature lists for CPU models

[David Hildenbrand]

From: Michael Mueller 

This patch introduces the helper "gen-features" which allows to generate
feature list definitions at compile time. Its flexibility is better and the
error-proneness is lower when compared to static programming time added
statements.

The helper includes "target-s390x/cpu_features.h" to be able to use named
facility bits instead of numbers. The generated defines will be used for
the definition of CPU models.

We generate feature lists for each HW generation and GA for EC models. BC
models are always based on a EC version and have no separate definitions.

Base features: Features we expect to be always available in sane setups.
Migration safe - will never change. Can be seen as "minimum features
required for a CPU model".

Default features: Features we expect to be stable and around in latest
setups (e.g. having KVM support) - not migration safe.

Max features: All supported features that are theoretically allowed for a
CPU model. Exceeding these features could otherwise produce problems with
IBC (instruction blocking controls) in KVM.

Acked-by: Cornelia Huck 
Signed-off-by: Michael Mueller 
Signed-off-by: David Hildenbrand 
[generate base, default and models. renaming and cleanup]
---
 Makefile.target |   2 +-
 rules.mak   |   1 +
 target-s390x/Makefile.objs  |  20 ++
 target-s390x/gen-features.c | 506 
 4 files changed, 528 insertions(+), 1 deletion(-)
 create mode 100644 target-s390x/gen-features.c

diff --git a/Makefile.target b/Makefile.target
index a440bcb..8c7a072 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -212,7 +212,7 @@ hmp-commands-info.h: $(SRC_PATH)/hmp-commands-info.hx 
$(SRC_PATH)/scripts/hxtool
 qmp-commands-old.h: $(SRC_PATH)/qmp-commands.hx $(SRC_PATH)/scripts/hxtool
$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN  
 $(TARGET_DIR)$@")
 
-clean:
+clean: clean-target
rm -f *.a *~ $(PROGS)
rm -f $(shell find . -name '*.[od]')
rm -f hmp-commands.h qmp-commands-old.h gdbstub-xml.c
diff --git a/rules.mak b/rules.mak
index 99cd0b3..55b0121 100644
--- a/rules.mak
+++ b/rules.mak
@@ -14,6 +14,7 @@ MAKEFLAGS += -rR
 %.cpp:
 %.m:
 %.mak:
+clean-target:
 
 # Flags for C++ compilation
 QEMU_CXXFLAGS = -D__STDC_LIMIT_MACROS $(filter-out -Wstrict-prototypes 
-Wmissing-prototypes -Wnested-externs -Wold-style-declaration 
-Wold-style-definition -Wredundant-decls, $(QEMU_CFLAGS))
diff --git a/target-s390x/Makefile.objs b/target-s390x/Makefile.objs
index 4266c87..745d501 100644
--- a/target-s390x/Makefile.objs
+++ b/target-s390x/Makefile.objs
@@ -3,3 +3,23 @@ obj-y += int_helper.o fpu_helper.o cc_helper.o mem_helper.o 
misc_helper.o
 obj-y += gdbstub.o cpu_models.o cpu_features.o
 obj-$(CONFIG_SOFTMMU) += machine.o ioinst.o arch_dump.o mmu_helper.o
 obj-$(CONFIG_KVM) += kvm.o
+
+# build and run feature list generator
+feat-src = $(SRC_PATH)/target-$(TARGET_BASE_ARCH)/
+feat-dst = $(BUILD_DIR)/$(TARGET_DIR)
+ifneq ($(MAKECMDGOALS),clean)
+GENERATED_HEADERS += $(feat-dst)gen-features.h
+endif
+
+$(feat-dst)gen-features.h: $(feat-dst)gen-features.h-timestamp
+   @cmp $< $@ >/dev/null 2>&1 || cp $< $@
+$(feat-dst)gen-features.h-timestamp: $(feat-dst)gen-features
+   $(call quiet-command,$< >$@,"  GEN   $(TARGET_DIR)gen-features.h")
+
+$(feat-dst)gen-features: $(feat-src)gen-features.c config-target.h
+   $(call quiet-command,$(CC) $(QEMU_INCLUDES) $(QEMU_CFLAGS) $(CFLAGS) -o 
$@ $<,"  CC$(TARGET_DIR)gen-features")
+
+clean-target:
+   rm -f gen-features.h-timestamp
+   rm -f gen-features.h
+   rm -f gen-features
diff --git a/target-s390x/gen-features.c b/target-s390x/gen-features.c
new file mode 100644
index 000..3a7c373
--- /dev/null
+++ b/target-s390x/gen-features.c
@@ -0,0 +1,506 @@
+/*
+ * S390 feature list generator
+ *
+ * Copyright 2016 IBM Corp.
+ *
+ * Author(s): Michael Mueller 
+ *David Hildenbrand 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
+ * your option) any later version. See the COPYING file in the top-level
+ * directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "cpu_features.h"
+
+/* BEGIN FEATURE DEFS */
+
+#define S390_FEAT_GROUP_PLO \
+S390_FEAT_PLO_CL, \
+S390_FEAT_PLO_CLG, \
+S390_FEAT_PLO_CLGR, \
+S390_FEAT_PLO_CLX, \
+S390_FEAT_PLO_CS, \
+S390_FEAT_PLO_CSG, \
+S390_FEAT_PLO_CSGR, \
+S390_FEAT_PLO_CSX, \
+S390_FEAT_PLO_DCS, \
+S390_FEAT_PLO_DCSG, \
+S390_FEAT_PLO_DCSGR, \
+S390_FEAT_PLO_DCSX, \
+S390_FEAT_PLO_CSST, \
+S390_FEAT_PLO_CSSTG, \
+S390_FEAT_PLO_CSSTGR, \
+S390_FEAT_PLO_CSSTX, \
+S390_FEAT_PLO_CSDST, \
+S390_FEAT_PLO_CSDSTG, \
+S390_FEAT_PLO_CSDSTGR, \
+S390_FEAT_PLO_CSDSTX, \
+S390_FEAT_PLO_CSTST, \
+S390_FEAT_PLO_CSTSTG, \
+S390_FEAT_PLO_CSTSTGR, \
+S390_FEAT_PLO_CSTSTX
+
+#define S390_FEAT_GROUP_TOD_CLOCK_STEERING \
+S390_FEAT

[Qemu-devel] [Patch v1 07/29] s390x/cpumodel: introduce CPU feature group definitions

[David Hildenbrand]

Let's use the generated groups to create feature group representations for
the user. These groups can later be used to enable/disable multiple
features in one shot and will be used to reduce the amount of reported
features to the user if all subfeatures are in place.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_features.c | 44 +++-
 target-s390x/cpu_features.h | 23 +++
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/target-s390x/cpu_features.c b/target-s390x/cpu_features.c
index 5aa5981..a8ca9ca 100644
--- a/target-s390x/cpu_features.c
+++ b/target-s390x/cpu_features.c
@@ -12,6 +12,7 @@
 
 #include "qemu/osdep.h"
 #include "cpu_features.h"
+#include "gen-features.h"
 
 #define FEAT_INIT(_name, _type, _bit, _desc) \
 {\
@@ -321,14 +322,55 @@ void s390_add_from_feat_block(S390FeatBitmap features, 
S390FeatType type,
 }
 }
 
-void s390_feat_bitmap_to_ascii(const S390FeatBitmap bitmap, void *opaque,
+void s390_feat_bitmap_to_ascii(const S390FeatBitmap features, void *opaque,
void (*fn)(const char *name, void *opaque))
 {
+S390FeatBitmap bitmap, tmp;
+S390FeatGroup group;
 S390Feat feat;
 
+bitmap_copy(bitmap, features, S390_FEAT_MAX);
+
+/* process whole groups first */
+for (group = 0; group < S390_FEAT_GROUP_MAX; group++) {
+const S390FeatGroupDef *def = s390_feat_group_def(group);
+
+bitmap_and(tmp, bitmap, def->feat, S390_FEAT_MAX);
+if (bitmap_equal(tmp, def->feat, S390_FEAT_MAX)) {
+bitmap_andnot(bitmap, bitmap, def->feat, S390_FEAT_MAX);
+fn(def->name, opaque);
+}
+}
+
+/* report leftovers as separate features */
 feat = find_first_bit(bitmap, S390_FEAT_MAX);
 while (feat < S390_FEAT_MAX) {
 fn(s390_feat_def(feat)->name, opaque);
 feat = find_next_bit(bitmap, S390_FEAT_MAX, feat + 1);
 };
 }
+
+#define FEAT_GROUP_INIT(_name, _group, _desc)\
+{\
+.name = _name,   \
+.desc = _desc,   \
+.feat = { S390_FEAT_GROUP_LIST_ ## _group }, \
+}
+
+/* indexed by feature group number for easy lookup */
+static const S390FeatGroupDef s390_feature_groups[] = {
+FEAT_GROUP_INIT("plo", PLO, "Perform-locked-operation facility"),
+FEAT_GROUP_INIT("tods", TOD_CLOCK_STEERING, "Tod-clock-steering facility"),
+FEAT_GROUP_INIT("gen13ptff", GEN13_PTFF, "PTFF enhancements introduced 
with z13"),
+FEAT_GROUP_INIT("msa", MSA, "Message-security-assist facility"),
+FEAT_GROUP_INIT("msa1", MSA_EXT_1, "Message-security-assist-extension 1 
facility"),
+FEAT_GROUP_INIT("msa2", MSA_EXT_2, "Message-security-assist-extension 2 
facility"),
+FEAT_GROUP_INIT("msa3", MSA_EXT_3, "Message-security-assist-extension 3 
facility"),
+FEAT_GROUP_INIT("msa4", MSA_EXT_4, "Message-security-assist-extension 4 
facility"),
+FEAT_GROUP_INIT("msa5", MSA_EXT_5, "Message-security-assist-extension 5 
facility"),
+};
+
+const S390FeatGroupDef *s390_feat_group_def(S390FeatGroup group)
+{
+return &s390_feature_groups[group];
+}
diff --git a/target-s390x/cpu_features.h b/target-s390x/cpu_features.h
index 485446c..e40a636 100644
--- a/target-s390x/cpu_features.h
+++ b/target-s390x/cpu_features.h
@@ -273,6 +273,29 @@ void s390_add_from_feat_block(S390FeatBitmap features, 
S390FeatType type,
 void s390_feat_bitmap_to_ascii(const S390FeatBitmap features, void *opaque,
void (*fn)(const char *name, void *opaque));
 
+/* static groups that will never change */
+typedef enum {
+S390_FEAT_GROUP_PLO,
+S390_FEAT_GROUP_TOD_CLOCK_STEERING,
+S390_FEAT_GROUP_GEN13_PTFF_ENH,
+S390_FEAT_GROUP_MSA,
+S390_FEAT_GROUP_MSA_EXT_1,
+S390_FEAT_GROUP_MSA_EXT_2,
+S390_FEAT_GROUP_MSA_EXT_3,
+S390_FEAT_GROUP_MSA_EXT_4,
+S390_FEAT_GROUP_MSA_EXT_5,
+S390_FEAT_GROUP_MAX,
+} S390FeatGroup;
+
+/* Definition of a CPU feature group */
+typedef struct {
+const char *name;   /* name exposed to the user */
+const char *desc;   /* description exposed to the user */
+S390FeatBitmap feat;/* features contained in the group */
+} S390FeatGroupDef;
+
+const S390FeatGroupDef *s390_feat_group_def(S390FeatGroup group);
+
 #define BE_BIT_NR(BIT) (BIT ^ (BITS_PER_LONG - 1))
 #define BE_BIT(BIT) (1ULL < BE_BIT_NR(BIT))
 
-- 
2.6.6

[Qemu-devel] [Patch v1 13/29] s390x/sclp: factor out preparation of cpu entries

[David Hildenbrand]

Let's factor out the common code of "read cpu info" and "read scp
info". This will make the introduction of new cpu entry fields easier.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/sclp.c | 22 --
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index fca37f5..15d7114 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -29,6 +29,16 @@ static inline SCLPDevice *get_sclp_device(void)
 return SCLP(object_resolve_path_type("", TYPE_SCLP, NULL));
 }
 
+static void prepare_cpu_entries(SCLPDevice *sclp, CPUEntry *entry, int count)
+{
+int i;
+
+for (i = 0; i < count; i++) {
+entry[i].address = i;
+entry[i].type = 0;
+}
+}
+
 /* Provide information about the configuration, CPUs and storage */
 static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 {
@@ -37,7 +47,6 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 sclpMemoryHotplugDev *mhd = get_sclp_memory_hotplug_dev();
 CPUState *cpu;
 int cpu_count = 0;
-int i = 0;
 int rnsize, rnmax;
 int slots = MIN(machine->ram_slots, s390_get_memslot_count(kvm_state));
 
@@ -50,10 +59,7 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 read_info->offset_cpu = cpu_to_be16(offsetof(ReadInfo, entries));
 read_info->highest_cpu = cpu_to_be16(max_cpus);
 
-for (i = 0; i < cpu_count; i++) {
-read_info->entries[i].address = i;
-read_info->entries[i].type = 0;
-}
+prepare_cpu_entries(sclp, read_info->entries, cpu_count);
 
 read_info->facilities = cpu_to_be64(SCLP_HAS_CPU_INFO |
 SCLP_HAS_PCI_RECONFIG);
@@ -304,7 +310,6 @@ static void sclp_read_cpu_info(SCLPDevice *sclp, SCCB *sccb)
 ReadCpuInfo *cpu_info = (ReadCpuInfo *) sccb;
 CPUState *cpu;
 int cpu_count = 0;
-int i = 0;
 
 CPU_FOREACH(cpu) {
 cpu_count++;
@@ -318,10 +323,7 @@ static void sclp_read_cpu_info(SCLPDevice *sclp, SCCB 
*sccb)
 cpu_info->offset_standby = cpu_to_be16(cpu_info->offset_configured
 + cpu_info->nr_configured*sizeof(CPUEntry));
 
-for (i = 0; i < cpu_count; i++) {
-cpu_info->entries[i].address = i;
-cpu_info->entries[i].type = 0;
-}
+prepare_cpu_entries(sclp, cpu_info->entries, cpu_count);
 
 sccb->h.response_code = cpu_to_be16(SCLP_RC_NORMAL_READ_COMPLETION);
 }
-- 
2.6.6

[Qemu-devel] [Patch v1 02/29] s390x/cpumodel: "host" and "qemu" as CPU subclasses

[David Hildenbrand]

This patch introduces two CPU models, "host" and "qemu".
"qemu" is used as default when running under TCG. "host" is used
as default when running under KVM. "host" cannot be used without KVM.
"host" is not migration-safe. They both inherit from the base s390x CPU,
which is turned into an abstract class.

This patch also changes CPU creation to take care of the passed CPU string
and reuses common code parse_features() function for that purpose. Unknown
CPU definitions are now reported. The "-cpu ?" and "query-cpu-definition"
commands are changed to list all CPU subclasses automatically, including
migration-safety and whether static.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/s390-virtio.c |   6 +-
 target-s390x/Makefile.objs |   2 +-
 target-s390x/cpu-qom.h |   4 +
 target-s390x/cpu.c |  33 ++---
 target-s390x/cpu.h |   2 +
 target-s390x/cpu_models.c  | 178 +
 target-s390x/helper.c  |  33 -
 7 files changed, 230 insertions(+), 28 deletions(-)
 create mode 100644 target-s390x/cpu_models.c

diff --git a/hw/s390x/s390-virtio.c b/hw/s390x/s390-virtio.c
index 544c616..0a96347 100644
--- a/hw/s390x/s390-virtio.c
+++ b/hw/s390x/s390-virtio.c
@@ -101,7 +101,11 @@ void s390_init_cpus(MachineState *machine)
 gchar *name;
 
 if (machine->cpu_model == NULL) {
-machine->cpu_model = "host";
+if (kvm_enabled()) {
+machine->cpu_model = "host";
+} else {
+machine->cpu_model = "qemu";
+}
 }
 
 cpu_states = g_new0(S390CPU *, max_cpus);
diff --git a/target-s390x/Makefile.objs b/target-s390x/Makefile.objs
index dd62cbd..34bd693 100644
--- a/target-s390x/Makefile.objs
+++ b/target-s390x/Makefile.objs
@@ -1,5 +1,5 @@
 obj-y += translate.o helper.o cpu.o interrupt.o
 obj-y += int_helper.o fpu_helper.o cc_helper.o mem_helper.o misc_helper.o
-obj-y += gdbstub.o
+obj-y += gdbstub.o cpu_models.o
 obj-$(CONFIG_SOFTMMU) += machine.o ioinst.o arch_dump.o mmu_helper.o
 obj-$(CONFIG_KVM) += kvm.o
diff --git a/target-s390x/cpu-qom.h b/target-s390x/cpu-qom.h
index 66b5d18..bb993d4 100644
--- a/target-s390x/cpu-qom.h
+++ b/target-s390x/cpu-qom.h
@@ -45,6 +45,10 @@ typedef struct S390CPUClass {
 /*< private >*/
 CPUClass parent_class;
 /*< public >*/
+bool kvm_required;
+bool is_static;
+bool is_migration_safe;
+const char *desc;
 
 int64_t next_cpu_id;
 
diff --git a/target-s390x/cpu.c b/target-s390x/cpu.c
index e43e2d6..44e53ec 100644
--- a/target-s390x/cpu.c
+++ b/target-s390x/cpu.c
@@ -44,30 +44,6 @@
 #define CR0_RESET   0xE0UL
 #define CR14_RESET  0xC200UL;
 
-/* generate CPU information for cpu -? */
-void s390_cpu_list(FILE *f, fprintf_function cpu_fprintf)
-{
-#ifdef CONFIG_KVM
-(*cpu_fprintf)(f, "s390 %16s\n", "host");
-#endif
-}
-
-#ifndef CONFIG_USER_ONLY
-CpuDefinitionInfoList *arch_query_cpu_definitions(Error **errp)
-{
-CpuDefinitionInfoList *entry;
-CpuDefinitionInfo *info;
-
-info = g_malloc0(sizeof(*info));
-info->name = g_strdup("host");
-
-entry = g_malloc0(sizeof(*entry));
-entry->value = info;
-
-return entry;
-}
-#endif
-
 static void s390_cpu_set_pc(CPUState *cs, vaddr value)
 {
 S390CPU *cpu = S390_CPU(cs);
@@ -206,6 +182,12 @@ static void s390_cpu_realizefn(DeviceState *dev, Error 
**errp)
 CPUS390XState *env = &cpu->env;
 Error *err = NULL;
 
+/* the model has to be realized before qemu_init_vcpu() due to kvm */
+s390_realize_cpu_model(cs, &err);
+if (err) {
+goto out;
+}
+
 #if !defined(CONFIG_USER_ONLY)
 if (cpu->id >= max_cpus) {
 error_setg(&err, "Unable to add CPU: %" PRIi64
@@ -435,6 +417,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
 scc->cpu_reset = s390_cpu_reset;
 scc->initial_cpu_reset = s390_cpu_initial_reset;
 cc->reset = s390_cpu_full_reset;
+cc->class_by_name = s390_cpu_class_by_name,
 cc->has_work = s390_cpu_has_work;
 cc->do_interrupt = s390_cpu_do_interrupt;
 cc->dump_state = s390_cpu_dump_state;
@@ -470,7 +453,7 @@ static const TypeInfo s390_cpu_type_info = {
 .instance_size = sizeof(S390CPU),
 .instance_init = s390_cpu_initfn,
 .instance_finalize = s390_cpu_finalize,
-.abstract = false,
+.abstract = true,
 .class_size = sizeof(S390CPUClass),
 .class_init = s390_cpu_class_init,
 };
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index c216bda..e34742e 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -631,6 +631,8 @@ extern void subsystem_reset(void);
 
 void s390_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #define cpu_list s390_cpu_list
+void s390_realize_cpu_model(CPUState *cs, Error **errp);
+ObjectClass *s390_cpu_class_by_name(const char *name);
 
 #define EXCP_EXT 1 /* external interrupt */
 #define EXCP_SVC 2 /* supervisor call (syscall) */
diff --git a/target-s390x/cpu_models.c b/target-s390x

[Qemu-devel] [Patch v1 11/29] s390x/cpumodel: let the CPU model handle feature checks

[David Hildenbrand]

If we have certain features enabled, we have to migrate additional state
(e.g. vector registers or runtime-instrumentation registers). Let the
CPU model control that unless we have no "host" CPU model in the KVM
case. This will later on be the case for compatibility machines, so
migration from QEMU versions without the CPU model will still work.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_models.c | 24 
 target-s390x/cpu_models.h |  2 ++
 target-s390x/machine.c| 14 ++
 3 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 9532b46..b698b80 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -73,6 +73,30 @@ static const S390CPUDef s390_cpu_defs[] = {
 CPUDEF_INIT(0x2965, 13, 2, 47, 0x0800U, "z13s", "IBM z13s GA1"),
 };
 
+bool s390_has_feat(S390Feat feat)
+{
+static S390CPU *cpu;
+
+if (!cpu) {
+cpu = S390_CPU(qemu_get_cpu(0));
+}
+
+if (!cpu || !cpu->model) {
+#ifdef CONFIG_KVM
+if (kvm_enabled()) {
+if (feat == S390_FEAT_VECTOR) {
+return kvm_check_extension(kvm_state, 
KVM_CAP_S390_VECTOR_REGISTERS);
+}
+if (feat == S390_FEAT_RUNTIME_INSTRUMENTATION) {
+return kvm_s390_get_ri();
+}
+}
+#endif
+return 0;
+}
+return test_bit(feat, cpu->model->features);
+}
+
 struct S390PrintCpuListInfo {
 FILE *f;
 fprintf_function print;
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index 244256b..fe988cc 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -43,4 +43,6 @@ typedef struct S390CPUModel {
 uint8_t cpu_ver;/* CPU version, usually "ff" for kvm */
 } S390CPUModel;
 
+bool s390_has_feat(S390Feat feat);
+
 #endif /* TARGET_S390X_CPU_MODELS_H */
diff --git a/target-s390x/machine.c b/target-s390x/machine.c
index aa39e5d..edc3a47 100644
--- a/target-s390x/machine.c
+++ b/target-s390x/machine.c
@@ -78,12 +78,7 @@ static const VMStateDescription vmstate_fpu = {
 
 static bool vregs_needed(void *opaque)
 {
-#ifdef CONFIG_KVM
-if (kvm_enabled()) {
-return kvm_check_extension(kvm_state, KVM_CAP_S390_VECTOR_REGISTERS);
-}
-#endif
-return 0;
+return s390_has_feat(S390_FEAT_VECTOR);
 }
 
 static const VMStateDescription vmstate_vregs = {
@@ -147,12 +142,7 @@ static const VMStateDescription vmstate_vregs = {
 
 static bool riccb_needed(void *opaque)
 {
-#ifdef CONFIG_KVM
-if (kvm_enabled()) {
-return kvm_s390_get_ri();
-}
-#endif
-return 0;
+return s390_has_feat(S390_FEAT_RUNTIME_INSTRUMENTATION);
 }
 
 const VMStateDescription vmstate_riccb = {
-- 
2.6.6

[Qemu-devel] [Patch v1 08/29] s390x/cpumodel: register defined CPU models as subclasses

[David Hildenbrand]

This patch adds the CPU model definitions that are known on s390x -
like z900, zBC12 or z13. For each definition, introduce two CPU models:

1. Base model (e.g. z13-base): Minimum feature set we expect to be around
   on all z13 systems. These models are migration-safe and will never
   change.
2. Flexible models (e.g. z13): Models that can change between QEMU versions
   and will be extended over time as we implement further features that
   are already part of such a model in real hardware of certain
   configurations.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu-qom.h|   2 +
 target-s390x/cpu_models.c | 113 ++
 target-s390x/cpu_models.h |  36 +++
 3 files changed, 151 insertions(+)
 create mode 100644 target-s390x/cpu_models.h

diff --git a/target-s390x/cpu-qom.h b/target-s390x/cpu-qom.h
index bb993d4..4e936e7 100644
--- a/target-s390x/cpu-qom.h
+++ b/target-s390x/cpu-qom.h
@@ -21,6 +21,7 @@
 #define QEMU_S390_CPU_QOM_H
 
 #include "qom/cpu.h"
+#include "cpu_models.h"
 
 #define TYPE_S390_CPU "s390-cpu"
 
@@ -45,6 +46,7 @@ typedef struct S390CPUClass {
 /*< private >*/
 CPUClass parent_class;
 /*< public >*/
+const S390CPUDef *cpu_def;
 bool kvm_required;
 bool is_static;
 bool is_migration_safe;
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index c875719..2bd5048 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -12,11 +12,66 @@
 
 #include "qemu/osdep.h"
 #include "cpu.h"
+#include "gen-features.h"
 #include "qapi/error.h"
 #ifndef CONFIG_USER_ONLY
 #include "sysemu/arch_init.h"
 #endif
 
+#define CPUDEF_INIT(_type, _gen, _ec_ga, _mha_pow, _hmfai, _name, _desc) \
+{ \
+.name = _name,\
+.type = _type,\
+.gen = _gen,  \
+.ec_ga = _ec_ga,  \
+.mha_pow = _mha_pow,  \
+.hmfai = _hmfai,  \
+.desc = _desc,\
+.base_feat = { S390_FEAT_LIST_GEN ## _gen ## _GA ## _ec_ga ## _BASE }, 
 \
+.default_feat = { S390_FEAT_LIST_GEN ## _gen ## _GA ## _ec_ga ## 
_DEFAULT },  \
+.full_feat = { S390_FEAT_LIST_GEN ## _gen ## _GA ## _ec_ga ## _FULL }, 
 \
+}
+
+/*
+ * CPU definiton list in order of release. For now, base features of a
+ * following release are always a subset of base features of the previous
+ * release. Same is correct for the other feature sets.
+ * A BC release always follows the corresponding EC release.
+ */
+static const S390CPUDef s390_cpu_defs[] = {
+CPUDEF_INIT(0x2064, 7, 1, 38, 0xU, "z900", "IBM zSeries 900 GA1"),
+CPUDEF_INIT(0x2064, 7, 2, 38, 0xU, "z900.2", "IBM zSeries 900 
GA2"),
+CPUDEF_INIT(0x2064, 7, 3, 38, 0xU, "z900.3", "IBM zSeries 900 
GA3"),
+CPUDEF_INIT(0x2066, 7, 3, 38, 0xU, "z800", "IBM zSeries 800 GA1"),
+CPUDEF_INIT(0x2084, 8, 1, 38, 0xU, "z990", "IBM zSeries 990 GA1"),
+CPUDEF_INIT(0x2084, 8, 2, 38, 0xU, "z990.2", "IBM zSeries 990 
GA2"),
+CPUDEF_INIT(0x2084, 8, 3, 38, 0xU, "z990.3", "IBM zSeries 990 
GA3"),
+CPUDEF_INIT(0x2086, 8, 3, 38, 0xU, "z890", "IBM zSeries 880 GA1"),
+CPUDEF_INIT(0x2084, 8, 4, 38, 0xU, "z990.4", "IBM zSeries 990 
GA4"),
+CPUDEF_INIT(0x2086, 8, 4, 38, 0xU, "z890.2", "IBM zSeries 880 
GA2"),
+CPUDEF_INIT(0x2084, 8, 5, 38, 0xU, "z990.5", "IBM zSeries 990 
GA5"),
+CPUDEF_INIT(0x2086, 8, 5, 38, 0xU, "z890.3", "IBM zSeries 880 
GA3"),
+CPUDEF_INIT(0x2094, 9, 1, 40, 0xU, "z9EC", "IBM System z9 EC GA1"),
+CPUDEF_INIT(0x2094, 9, 2, 40, 0xU, "z9EC.2", "IBM System z9 EC 
GA2"),
+CPUDEF_INIT(0x2096, 9, 2, 40, 0xU, "z9BC", "IBM System z9 BC GA1"),
+CPUDEF_INIT(0x2094, 9, 3, 40, 0xU, "z9EC.3", "IBM System z9 EC 
GA3"),
+CPUDEF_INIT(0x2096, 9, 3, 40, 0xU, "z9BC.2", "IBM System z9 BC 
GA2"),
+CPUDEF_INIT(0x2097, 10, 1, 43, 0xU, "z10EC", "IBM System z10 EC 
GA1"),
+CPUDEF_INIT(0x2097, 10, 2, 43, 0xU, "z10EC.2", "IBM System z10 EC 
GA2"),
+CPUDEF_INIT(0x2098, 10, 2, 43, 0xU, "z10BC", "IBM System z10 BC 
GA1"),
+CPUDEF_INIT(0x2097, 10, 3, 43, 0xU, "z10EC.3", "IBM System z10 EC 
GA3"),
+CPUDEF_INIT(0x2098, 10, 3, 43, 0xU, "z10BC.2", "IBM System z10 BC 
GA2"),
+CPUDEF_INIT(0x2817, 11, 1, 44, 0x0800U, "z196", "IBM zEnterprise 196 
GA1"),
+CPUDEF_INIT(0x2817, 11, 2, 44, 0x0800U, "z196.2", "IBM zEnterprise 196 
GA2"),
+CPUDEF_INIT(0x2818, 11, 2, 44, 0x0800U, "z114", "IBM zEnterprise 114 
GA1"),
+C

[Qemu-devel] [Patch v1 01/29] qmp: details about CPU definitions in query-cpu-definitions

[David Hildenbrand]

It might be of interest for tooling whether a CPU definition can be safely
used when migrating, or if e.g. CPU features might get lost during
migration when migrationg from/to a different QEMU version or host, even if
the same compatibility machine is used.

Also, we want to know if a CPU definition is static and will never change.
Beause these definitions can then be used independantly of a compatibility
machine and will always have the same feature set, they can e.g. be used
to indicate the "host" model in libvirt later on.

Let's add optional return values to query-cpu-definitions, stating for
each returned CPU definition, if it is migration-safe and if it is static.

Signed-off-by: David Hildenbrand 
---
 qapi-schema.json | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/qapi-schema.json b/qapi-schema.json
index 5658723..3f50c1d 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3038,10 +3038,19 @@
 #
 # @name: the name of the CPU definition
 #
+# @migration-safe: #optional whether a CPU definition can be safely used for
+#  migration in combination with a QEMU compatibility machine
+#  when migrating between different QMU versions and hosts.
+#  If not provided, information is not available.
+#
+# @static: #optional whether a CPU definition is static and will not change
+#  between QEMU versions / QEMU machines. A static model is always
+#  migration-safe. If not provided, information is not available.
+#
 # Since: 1.2.0
 ##
 { 'struct': 'CpuDefinitionInfo',
-  'data': { 'name': 'str' } }
+  'data': { 'name': 'str', '*migration-safe' : 'bool', '*static' : 'bool' } }
 
 ##
 # @query-cpu-definitions:
-- 
2.6.6

[Qemu-devel] [Patch v1 09/29] s390x/cpumodel: store the CPU model in the CPU instance

[David Hildenbrand]

A CPU model consists of a CPU definition, to which delta changes are
applied - features added or removed (e.g. z13-base,vx=on). In addition,
certain properties (e.g. cpu id) can later on change during migration
but belong into the CPU model. This data will later be filled from the
host model in the KVM case.

Therefore, store the configured CPU model inside the CPU instance, so
we can later on perform delta changes using properties.

For the "qemu" model, we emulate in TCG a z900. "host" will be
uninitialized (cpu->model == NULL) unless we have CPU model support in KVM
later on. The other models are all initialized from their definitions.
Only the "host" model can have a cpu->model == NULL.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu.h|  1 +
 target-s390x/cpu_models.c | 26 ++
 target-s390x/cpu_models.h | 10 ++
 3 files changed, 37 insertions(+)

diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 075bb37..3b76654 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -188,6 +188,7 @@ struct S390CPU {
 
 CPUS390XState env;
 int64_t id;
+S390CPUModel *model;
 /* needed for live migration */
 void *irqstate;
 uint32_t irqstate_saved_size;
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 2bd5048..bd88a9e 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -154,6 +154,21 @@ void s390_realize_cpu_model(CPUState *cs, Error **errp)
 
 static void s390_cpu_model_initfn(Object *obj)
 {
+S390CPU *cpu = S390_CPU(obj);
+S390CPUClass *xcc = S390_CPU_GET_CLASS(cpu);
+
+cpu->model = g_malloc0(sizeof(*cpu->model));
+/* copy the model, so we can modify it */
+cpu->model->def = xcc->cpu_def;
+if (xcc->is_static) {
+/* base model - features will never change */
+bitmap_copy(cpu->model->features, cpu->model->def->base_feat,
+S390_FEAT_MAX);
+} else {
+/* latest model - features can change */
+bitmap_copy(cpu->model->features,
+cpu->model->def->default_feat, S390_FEAT_MAX);
+}
 }
 
 #ifdef CONFIG_KVM
@@ -164,10 +179,21 @@ static void s390_host_cpu_model_initfn(Object *obj)
 
 static void s390_qemu_cpu_model_initfn(Object *obj)
 {
+S390CPU *cpu = S390_CPU(obj);
+
+cpu->model = g_malloc0(sizeof(*cpu->model));
+/* TCG emulates a z900 */
+cpu->model->def = &s390_cpu_defs[0];
+bitmap_copy(cpu->model->features, cpu->model->def->default_feat,
+S390_FEAT_MAX);
 }
 
 static void s390_cpu_model_finalize(Object *obj)
 {
+S390CPU *cpu = S390_CPU(obj);
+
+g_free(cpu->model);
+cpu->model = NULL;
 }
 
 static bool get_is_migration_safe(Object *obj, Error **errp)
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index 13f7217..244256b 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -33,4 +33,14 @@ typedef struct S390CPUDef {
 S390FeatBitmap full_feat;
 } S390CPUDef;
 
+/* CPU model based on a CPU definition */
+typedef struct S390CPUModel {
+const S390CPUDef *def;
+S390FeatBitmap features;
+/* values copied from the "host" model, can change during migration */
+uint16_t lowest_ibc;/* lowest IBC that the hardware supports */
+uint32_t cpu_id;/* CPU id */
+uint8_t cpu_ver;/* CPU version, usually "ff" for kvm */
+} S390CPUModel;
+
 #endif /* TARGET_S390X_CPU_MODELS_H */
-- 
2.6.6

[Qemu-devel] [Patch v1 00/29] s390x CPU models: exposing features

[David Hildenbrand]

After a very helpful discussion with Eduardo, we I did some changes to the
patch series, the most important ones being:
- All models except "host" will be "migration-safe" on s390x
- CPU model expansion now has only two types "full" and "static"
- The parameter "type" from CPU model baseline has been dropped
- "query-cpu-definitions" is extended by "static" and "migration-safe"
- Updated + clarified description of new QMP interfaces
Full list of changes can be found at the end of this length cover letter.

Latest version can be found on branch:
github.com/cohuck/qemu cpumodel-s390x-v1

Concept

This is our second attempt to implement CPU models for s390x. We realized
that we also want to have features exposed via the CPU model. While doing
that we realized that we want to have a better interface for libvirt.

Unfortunately, CPU models on s390x are special and we have to take care of:
- A CPU like z13 looks differently in various environments (under different
  LPAR versions, under different z/VM versions, under different KVM
  versions, export regulation) - we have _a lot_ of feature variability.
- We still have certain features that are not published but might be
  implemented/introduced in the future. As they are a theoretical part
  of a CPU already, we have to find a way to model these future changes.
- We still have certain features that are already published, but not
  implemented. Implementation might be added in the future in KVM.
- We heavily rely on KVM to tell us which features it can actually
  virtualize - user space queries like "STFL(e)" give no guarantees.
- Certain "subfeatures" were introduced in one run. In practice, they are
  always around, but in theory, subfeatures could be dropped in the future.
- Just because two CPU models have the same features doesn't mean they
  are equal - some internal numbers might be different. E.g. we won't allow
  running a z13 under a zBC12 just by turning off features.
- We cannot blindly enable all possible features for a CPU generation,
  the IBC "Instruction Blocking Control" in KVM will try to block
  instructions introduced with certain features. So a CPU generation always
  has some maximum feature set that is guaranteed to work.

It all boils down to a specific released CPU to have.
a) A minimum feature set that we expect it to be have on every hypervisor.
b) A variable part that depends on the hypervisor and that could be
   extended in the future (adding not yet implemented features) that we
   always want to enable later on.
c) A variable part that we want to enable only if requested - nested
   virtualization ("vsie") and assists are one example.

As we want our users to always make use of most features, e.g. when using
the "z13" CPU model, we will have to update our CPU models between QEMU
releases, to include the latest feature additions we implemented/unlocked.
We're badically trying to be able at one point in the future to really look
like a maximum "z13" CPU in QEMU. However, that means that a "z13" CPU
looks differently on different QEMU versions. We will make sure using
compatibility machines, that migration stays safe.

However, if the feature set of a CPU model is bound to a compatibility
machine, how can it be of any help when used without a compatibility
machine? E.g. when indicating the host CPU model in "virsh capabilities",
simply saying "z13" is not really clear. Also when baselining and
comparing CPU models, we usually have no compatibility machine "context"
at hand. For this reason we introduce "static" CPU models, which will
never change, so everybody knows without a compatibility machine, what we
are talking about.

CPU definitions/models can be categorized:
1. migratable: all features _can_ be identified + properly migrated.
--> With migratable=off on x86, "host" cannot be migrated properly.
2. migration-safe: in combination with a QEMU machine, migration will work.
--> No CPU features are lost/added during migration
3. static: not bound to a QEMU machine - featureset will never* change.
--> Everybody knows which features are part of it, not affected by a compat
machine. "virsh capabilities" can show this as "host" model.
*except for trivial bugfixes, especially on very old models nobody used in
production. Should be avoided.

We are currently planning to also support a "migratable=off" on s390x
for the "-cpu host" model, in order to enable all features, including not
recognized ones.

So we have on s390x:
a) A static CPU model for each released CPU that will never change and
   maps to the minimum feature set we expect to be around on all
   hypervisors. e.g. "z13-base" or "z10EC.2-base".
b) A "default" CPU model for each released CPU, that can change between
   QEMU versions and that will always include the features we expect to
   be around in our currently supported environments and will contain only
   features we expect to be stable. E.g. nes

[Qemu-devel] [Patch v1 14/29] s390x/sclp: introduce sclp feature blocks

[David Hildenbrand]

The sclp "read cpu info" and "read scp info" commands can include
features for the cpu info and configuration characteristics (extended),
decribing some advanced features available in the configuration.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 include/hw/s390x/sclp.h | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index ba28d1d..30a40ea 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -98,11 +98,14 @@ typedef struct SCCBHeader {
 } QEMU_PACKED SCCBHeader;
 
 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader))
+#define SCCB_CPU_FEATURE_LEN 6
 
 /* CPU information */
 typedef struct CPUEntry {
 uint8_t address;
-uint8_t reserved0[13];
+uint8_t reserved0;
+uint8_t features[SCCB_CPU_FEATURE_LEN];
+uint8_t reserved2[6];
 uint8_t type;
 uint8_t reserved1;
 } QEMU_PACKED CPUEntry;
@@ -118,10 +121,13 @@ typedef struct ReadInfo {
 uint8_t  loadparm[8];   /* 24-31 */
 uint8_t  _reserved3[48 - 32];   /* 32-47 */
 uint64_t facilities;/* 48-55 */
-uint8_t  _reserved0[100 - 56];
+uint8_t  _reserved0[80 - 56];   /* 56-79 */
+uint8_t  conf_char[96 - 80];/* 80-95 */
+uint8_t  _reserved4[100 - 96];  /* 96-99 */
 uint32_t rnsize2;
 uint64_t rnmax2;
-uint8_t  _reserved4[120-112];   /* 112-119 */
+uint8_t  _reserved6[116 - 112]; /* 112-115 */
+uint8_t  conf_char_ext[120 - 116];   /* 116-119 */
 uint16_t highest_cpu;
 uint8_t  _reserved5[128 - 122]; /* 122-127 */
 struct CPUEntry entries[0];
-- 
2.6.6

[Qemu-devel] [Patch v1 10/29] s390x/cpumodel: expose features and feature groups as properties

[David Hildenbrand]

Let's add all features and feature groups as properties to all CPU models.
If the "host" CPU model is unknown, we can neither query nor change
features. KVM will just continue to work like it did until now.

We will not allow to enable features that were not part of the original
CPU model, because that could collide with the IBC in KVM.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu.c|   1 +
 target-s390x/cpu.h|   1 +
 target-s390x/cpu_models.c | 149 ++
 3 files changed, 151 insertions(+)

diff --git a/target-s390x/cpu.c b/target-s390x/cpu.c
index d7d0b62..2f3c8e2 100644
--- a/target-s390x/cpu.c
+++ b/target-s390x/cpu.c
@@ -291,6 +291,7 @@ static void s390_cpu_initfn(Object *obj)
 cs->exception_index = EXCP_HLT;
 object_property_add(OBJECT(cpu), "id", "int64_t", s390x_cpu_get_id,
 s390x_cpu_set_id, NULL, NULL, NULL);
+s390_cpu_model_register_props(obj);
 #if !defined(CONFIG_USER_ONLY)
 qemu_get_timedate(&tm, 0);
 env->tod_offset = TOD_UNIX_EPOCH +
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 3b76654..d03f0f1 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -632,6 +632,7 @@ extern void subsystem_reset(void);
 
 void s390_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #define cpu_list s390_cpu_list
+void s390_cpu_model_register_props(Object *obj);
 void s390_cpu_model_class_register_props(ObjectClass *oc);
 void s390_realize_cpu_model(CPUState *cs, Error **errp);
 ObjectClass *s390_cpu_class_by_name(const char *name);
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index bd88a9e..9532b46 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -14,6 +14,7 @@
 #include "cpu.h"
 #include "gen-features.h"
 #include "qapi/error.h"
+#include "qapi/visitor.h"
 #ifndef CONFIG_USER_ONLY
 #include "sysemu/arch_init.h"
 #endif
@@ -103,8 +104,24 @@ void s390_cpu_list(FILE *f, fprintf_function print)
 f = f,
 print = print,
 };
+S390FeatGroup group;
+S390Feat feat;
 
 object_class_foreach(print_cpu_model_list, TYPE_S390_CPU, false, &info);
+
+(*print)(f, "\nRecognized feature flags:\n");
+for (feat = 0; feat < S390_FEAT_MAX; feat++) {
+const S390FeatDef *def = s390_feat_def(feat);
+
+(*print)(f, "%-20s %-50s\n", def->name, def->desc);
+}
+
+(*print)(f, "\nRecognized feature groups:\n");
+for (group = 0; group < S390_FEAT_GROUP_MAX; group++) {
+const S390FeatGroupDef *def = s390_feat_group_def(group);
+
+(*print)(f, "%-20s %-50s\n", def->name, def->desc);
+}
 }
 
 #ifndef CONFIG_USER_ONLY
@@ -152,6 +169,138 @@ void s390_realize_cpu_model(CPUState *cs, Error **errp)
 }
 }
 
+static void get_feature(Object *obj, Visitor *v, const char *name,
+void *opaque, Error **errp)
+{
+S390Feat feat = (S390Feat) opaque;
+S390CPU *cpu = S390_CPU(obj);
+bool value;
+
+if (!cpu->model) {
+error_setg(errp, "Details about the host CPU model are not available, "
+ "features cannot be queried.");
+return;
+}
+
+value = test_bit(feat, cpu->model->features);
+visit_type_bool(v, name, &value, errp);
+}
+
+static void set_feature(Object *obj, Visitor *v, const char *name,
+void *opaque, Error **errp)
+{
+S390Feat feat = (S390Feat) opaque;
+DeviceState *dev = DEVICE(obj);
+S390CPU *cpu = S390_CPU(obj);
+bool value;
+
+if (dev->realized) {
+error_setg(errp, "Attempt to set property '%s' on '%s' after "
+   "it was realized", name, object_get_typename(obj));
+return;
+} else if (!cpu->model) {
+error_setg(errp, "Details about the host CPU model are not available, "
+ "features cannot be changed.");
+return;
+}
+
+visit_type_bool(v, name, &value, errp);
+if (*errp) {
+return;
+}
+if (value) {
+if (!test_bit(feat, cpu->model->def->full_feat)) {
+error_setg(errp, "Feature '%s' is not available for CPU model 
'%s',"
+   " it was introduced with later models.",
+   name, cpu->model->def->name);
+return;
+}
+set_bit(feat, cpu->model->features);
+} else {
+clear_bit(feat, cpu->model->features);
+}
+}
+
+static void get_feature_group(Object *obj, Visitor *v, const char *name,
+  void *opaque, Error **errp)
+{
+S390FeatGroup group = (S390FeatGroup) opaque;
+const S390FeatGroupDef *def = s390_feat_group_def(group);
+S390CPU *cpu = S390_CPU(obj);
+S390FeatBitmap tmp;
+bool value;
+
+if (!cpu->model) {
+error_setg(errp, "Details about the host CPU model are not available, "
+ "features cannot be queried.");
+return;
+}
+
+/* a group is

[Qemu-devel] [Patch v1 16/29] s390x/sclp: propagate the ibc val(lowest and unblocked ibc)

[David Hildenbrand]

If we have a lowest ibc, we can indicate the ibc to the guest.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/sclp.c   |  2 ++
 include/hw/s390x/sclp.h   |  3 ++-
 target-s390x/cpu_models.c | 21 +
 target-s390x/cpu_models.h | 12 
 4 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 3c126ee..52f8bb9 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -62,6 +62,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 read_info->offset_cpu = cpu_to_be16(offsetof(ReadInfo, entries));
 read_info->highest_cpu = cpu_to_be16(max_cpus);
 
+read_info->ibc_val = cpu_to_be32(s390_get_ibc_val());
+
 /* Configuration Characteristic (Extension) */
 s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR,
  read_info->conf_char);
diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index 30a40ea..664be9b 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -121,7 +121,8 @@ typedef struct ReadInfo {
 uint8_t  loadparm[8];   /* 24-31 */
 uint8_t  _reserved3[48 - 32];   /* 32-47 */
 uint64_t facilities;/* 48-55 */
-uint8_t  _reserved0[80 - 56];   /* 56-79 */
+uint8_t  _reserved0[76 - 56];   /* 56-75 */
+uint32_t ibc_val;
 uint8_t  conf_char[96 - 80];/* 80-95 */
 uint8_t  _reserved4[100 - 96];  /* 96-99 */
 uint32_t rnsize2;
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 641aad0..51ce3d8 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -74,6 +74,27 @@ static const S390CPUDef s390_cpu_defs[] = {
 CPUDEF_INIT(0x2965, 13, 2, 47, 0x0800U, "z13s", "IBM z13s GA1"),
 };
 
+uint32_t s390_get_ibc_val(void)
+{
+uint16_t unblocked_ibc, lowest_ibc;
+static S390CPU *cpu;
+
+if (!cpu) {
+cpu = S390_CPU(qemu_get_cpu(0));
+}
+
+if (!cpu || !cpu->model) {
+return 0;
+}
+unblocked_ibc = s390_ibc_from_cpu_model(cpu->model);
+lowest_ibc = cpu->model->lowest_ibc;
+/* the lowest_ibc always has to be <= unblocked_ibc */
+if (!lowest_ibc || lowest_ibc > unblocked_ibc) {
+return 0;
+}
+return ((uint32_t) lowest_ibc << 16) | unblocked_ibc;
+}
+
 void s390_get_feat_block(S390FeatType type, uint8_t *data)
 {
 static S390CPU *cpu;
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index 04c47c6..bbb85ac 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -43,6 +43,18 @@ typedef struct S390CPUModel {
 uint8_t cpu_ver;/* CPU version, usually "ff" for kvm */
 } S390CPUModel;
 
+#define S390_GEN_Z10 0xa
+
+uint32_t s390_get_ibc_val(void);
+static inline uint16_t s390_ibc_from_cpu_model(const S390CPUModel *model)
+{
+uint16_t ibc = 0;
+
+if (model->def->gen >= S390_GEN_Z10) {
+ibc = ((model->def->gen - S390_GEN_Z10) << 4) + model->def->ec_ga;
+}
+return ibc;
+}
 void s390_get_feat_block(S390FeatType type, uint8_t *data);
 bool s390_has_feat(S390Feat feat);
 
-- 
2.6.6

[Qemu-devel] [Patch v1 25/29] qmp: add QMP interface "query-cpu-model-comparison"

[David Hildenbrand]

Let's provide a standardized interface to compare two CPU models.

query-cpu-model-compare takes two models and returns what it knows about
their compability under a certain QEMU machine QEMU has been started with.

If modelA is a subset of modelB or if both are identical, modelA will run
in the same configuration as modelB. If modelA is however a superset of
modelB or if both are incompatible, one can try to create a compatible one
by "baselining" both models (follow up patch).

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 include/sysemu/arch_init.h  |  3 ++
 qapi-schema.json| 65 +
 qmp-commands.hx |  6 +++
 qmp.c   |  7 
 stubs/Makefile.objs |  1 +
 stubs/arch-query-cpu-model-comparison.c | 12 ++
 6 files changed, 94 insertions(+)
 create mode 100644 stubs/arch-query-cpu-model-comparison.c

diff --git a/include/sysemu/arch_init.h b/include/sysemu/arch_init.h
index 37b2e86..96d47c0 100644
--- a/include/sysemu/arch_init.h
+++ b/include/sysemu/arch_init.h
@@ -38,5 +38,8 @@ CpuDefinitionInfoList *arch_query_cpu_definitions(Error 
**errp);
 CpuModelExpansionInfo *arch_query_cpu_model_expansion(CpuModelExpansionType 
type,
   CpuModelInfo *mode,
   Error **errp);
+CpuModelCompareInfo *arch_query_cpu_model_comparison(CpuModelInfo *modela,
+ CpuModelInfo *modelb,
+ Error **errp);
 
 #endif
diff --git a/qapi-schema.json b/qapi-schema.json
index 43f7969..1f8f8ec 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3149,6 +3149,71 @@
 'model': 'CpuModelInfo' },
   'returns': 'CpuModelExpansionInfo' }
 
+##
+# @CpuModelCompareResult:
+#
+# An enumeration of CPU model comparation results.
+#
+# @incompatible: both model definition are incompatible
+#
+# @identical: model A == model B
+#
+# @superset: model A > model B
+#
+# @subset: model A < model B
+#
+# Since: 2.8.0
+##
+{ 'enum': 'CpuModelCompareResult',
+  'data': [ 'incompatible', 'identical', 'superset', 'subset' ] }
+
+##
+# @CpuModelCompareInfo
+#
+# The result of a CPU model comparison.
+#
+# @result: The result of the compare operation.
+# @responsible-properties: List of properties that led to the comparison result
+#  not being identical.
+#
+# @responsible-properties is a list of QOM property names that led to
+# both CPUs not being detected as identical. For identical models, this
+# list is empty.
+# If a QOM property is read-only, that means there's no known way to make the
+# CPU models identical. If the special property name "type" is included, the
+# models are by definition not identical and cannot be made identical.
+#
+# Since: 2.8.0
+##
+{ 'struct': 'CpuModelCompareInfo',
+  'data': {'result': 'CpuModelCompareResult',
+   'responsible-properties': ['str']
+  }
+}
+
+##
+# @query-cpu-model-comparison:
+#
+# Compares two CPU models, returning how they compare under a specific QEMU
+# machine.
+#
+# Note: This interface should not be used when global properties of CPU classes
+#   are changed (e.g. via "-cpu ...").
+#
+# s390x supports comparing of all CPU models. Other architectures are not
+# supported yet.
+#
+# Returns: a CpuModelBaselineInfo. Returns an error if comparing CPU models is
+#  not supported, if a model cannot be used, if a model contains
+#  an unknown cpu definition name, unknown properties or properties
+#  with wrong types.
+#
+# Since: 2.8.0
+##
+{ 'command': 'query-cpu-model-comparison',
+  'data': { 'modela': 'CpuModelInfo', 'modelb': 'CpuModelInfo' },
+  'returns': 'CpuModelCompareInfo' }
+
 # @AddfdInfo:
 #
 # Information about a file descriptor that was added to an fd set.
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 7ed9528..0af2098 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -3948,6 +3948,12 @@ EQMP
 },
 
 {
+.name   = "query-cpu-model-comparison",
+.args_type  = "modela:q,modelb:q",
+.mhandler.cmd_new = qmp_marshal_query_cpu_model_comparison,
+},
+
+{
 .name   = "query-target",
 .args_type  = "",
 .mhandler.cmd_new = qmp_marshal_query_target,
diff --git a/qmp.c b/qmp.c
index 29fbfb8..f551019 100644
--- a/qmp.c
+++ b/qmp.c
@@ -614,6 +614,13 @@ CpuModelExpansionInfo 
*qmp_query_cpu_model_expansion(CpuModelExpansionType type,
 return arch_query_cpu_model_expansion(type, model, errp);
 }
 
+CpuModelCompareInfo *qmp_query_cpu_model_comparison(CpuModelInfo *modela,
+CpuModelInfo *modelb,
+Error **errp)
+{
+return arch_query_cpu_model_comparison(modela, modelb, errp);
+}

[Qemu-devel] [Patch v1 12/29] s390x/cpumodel: check and apply the CPU model

[David Hildenbrand]

We have to test if a configured CPU model is runnable in the current
configuration, and if not report why that is the case. This is done by
comparing it to the maximum supported model (host for KVM or z900 for TCG).
Also, we want to do some base sanity checking for a configured CPU model.

We'll cache the maximum model and the applied model (for performance
reasons and because KVM can only be configured before any VCPU is created).

For unavailable "host" model, we have to make sure that we inform KVM,
so it can do some compatibility stuff (enable CMMA later on to be precise).

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_models.c | 154 ++
 1 file changed, 154 insertions(+)

diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index b698b80..3fe85fa 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -15,6 +15,7 @@
 #include "gen-features.h"
 #include "qapi/error.h"
 #include "qapi/visitor.h"
+#include "qemu/error-report.h"
 #ifndef CONFIG_USER_ONLY
 #include "sysemu/arch_init.h"
 #endif
@@ -183,14 +184,167 @@ CpuDefinitionInfoList *arch_query_cpu_definitions(Error 
**errp)
 }
 #endif
 
+static void check_consistency(const S390CPUModel *model)
+{
+static int dep[][2] = {
+{ S390_FEAT_IPTE_RANGE, S390_FEAT_DAT_ENH_1 },
+{ S390_FEAT_IDTE_SEGMENT, S390_FEAT_DAT_ENH_1 },
+{ S390_FEAT_IDTE_REGION, S390_FEAT_DAT_ENH_1 },
+{ S390_FEAT_IDTE_REGION, S390_FEAT_IDTE_SEGMENT },
+{ S390_FEAT_LOCAL_TLB_CLEARING, S390_FEAT_DAT_ENH_1},
+{ S390_FEAT_LONG_DISPLACEMENT_FAST, S390_FEAT_LONG_DISPLACEMENT },
+{ S390_FEAT_DFP_FAST, S390_FEAT_DFP },
+{ S390_FEAT_TRANSACTIONAL_EXE, S390_FEAT_GEN12_ENH },
+{ S390_FEAT_CONSTRAINT_TRANSACTIONAL_EXE, S390_FEAT_TRANSACTIONAL_EXE 
},
+{ S390_FEAT_EDAT_2, S390_FEAT_EDAT_1},
+{ S390_FEAT_MSA_EXT_5, S390_FEAT_KIMD_SHA_512 },
+{ S390_FEAT_MSA_EXT_5, S390_FEAT_KLMD_SHA_512 },
+{ S390_FEAT_MSA_EXT_4, S390_FEAT_MSA_EXT_3 },
+{ S390_FEAT_SIE_CMMA, S390_FEAT_CMM },
+{ S390_FEAT_SIE_CMMA, S390_FEAT_SIE_GSLS },
+{ S390_FEAT_SIE_PFMFI, S390_FEAT_EDAT_1 },
+};
+int i;
+
+for (i = 0; i < ARRAY_SIZE(dep); i++) {
+if (test_bit(dep[i][0], model->features) &&
+!test_bit(dep[i][1], model->features)) {
+error_report("Warning: \'%s\' requires \'%s\'.",
+ s390_feat_def(dep[i][0])->name,
+ s390_feat_def(dep[i][1])->name);
+}
+}
+}
+
+static void error_prepend_missing_feat(const char *name, void *opaque)
+{
+error_prepend((Error **) opaque, "%s ", name);
+}
+
+static void check_compatibility(const S390CPUModel *max_model,
+const S390CPUModel *model, Error **errp)
+{
+S390FeatBitmap missing;
+
+if (model->def->gen > max_model->def->gen) {
+error_setg(errp, "Selected CPU generation is too new. Maximum "
+   "supported model in the configuration: \'%s\'",
+   max_model->def->name);
+return;
+} else if (model->def->gen == max_model->def->gen &&
+   model->def->ec_ga > max_model->def->ec_ga) {
+error_setg(errp, "Selected CPU GA level is too new. Maximum "
+   "supported model in the configuration: \'%s\'",
+   max_model->def->name);
+return;
+}
+
+/* detect the missing features to properly report them */
+bitmap_andnot(missing, model->features, max_model->features, 
S390_FEAT_MAX);
+if (bitmap_empty(missing, S390_FEAT_MAX)) {
+return;
+}
+
+error_setg(errp, " ");
+s390_feat_bitmap_to_ascii(missing, errp, error_prepend_missing_feat);
+error_prepend(errp, "Some features requested in the CPU model are not "
+  "available in the configuration: ");
+}
+
+static S390CPUModel *get_max_cpu_model(Error **errp)
+{
+#ifndef CONFIG_USER_ONLY
+static S390CPUModel max_model;
+static bool cached;
+
+if (cached) {
+return &max_model;
+}
+
+if (kvm_enabled()) {
+error_setg(errp, "KVM does not support CPU models.");
+} else {
+/* TCG enulates a z900 */
+max_model.def = &s390_cpu_defs[0];
+bitmap_copy(max_model.features, max_model.def->default_feat,
+S390_FEAT_MAX);
+}
+if (!*errp) {
+cached = true;
+return &max_model;
+}
+#endif
+return NULL;
+}
+
+static inline void apply_cpu_model(const S390CPUModel *model, Error **errp)
+{
+#ifndef CONFIG_USER_ONLY
+static S390CPUModel applied_model;
+static bool applied;
+
+/*
+ * We have the same model for all VCPUs. KVM can only be configured before
+ * any VCPUs are defined in KVM.
+ */
+if (applied) {
+if (model && memcmp(&applied_model, model, sizeof(S390CPUModel))) {
+error_s

[Qemu-devel] [Patch v1 17/29] s390x/sclp: propagate the mha via sclp

[David Hildenbrand]

The mha is provided in the CPU model, so get any CPU and extract the value.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/sclp.c   |  1 +
 include/hw/s390x/sclp.h   |  3 ++-
 target-s390x/cpu_models.c | 14 ++
 target-s390x/cpu_models.h |  1 +
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 52f8bb9..5ffcf51 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -105,6 +105,7 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 
 read_info->facilities |= cpu_to_be64(SCLP_FC_ASSIGN_ATTACH_READ_STOR);
 }
+read_info->mha_pow = s390_get_mha_pow();
 
 rnsize = 1 << (sclp->increment_size - 20);
 if (rnsize <= 128) {
diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index 664be9b..dab3c0f 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -124,7 +124,8 @@ typedef struct ReadInfo {
 uint8_t  _reserved0[76 - 56];   /* 56-75 */
 uint32_t ibc_val;
 uint8_t  conf_char[96 - 80];/* 80-95 */
-uint8_t  _reserved4[100 - 96];  /* 96-99 */
+uint8_t  _reserved4[99 - 96];   /* 96-98 */
+uint8_t mha_pow;
 uint32_t rnsize2;
 uint64_t rnmax2;
 uint8_t  _reserved6[116 - 112]; /* 112-115 */
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 51ce3d8..2363027 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -74,6 +74,20 @@ static const S390CPUDef s390_cpu_defs[] = {
 CPUDEF_INIT(0x2965, 13, 2, 47, 0x0800U, "z13s", "IBM z13s GA1"),
 };
 
+uint8_t s390_get_mha_pow(void)
+{
+static S390CPU *cpu;
+
+if (!cpu) {
+cpu = S390_CPU(qemu_get_cpu(0));
+}
+
+if (!cpu || !cpu->model) {
+return 0;
+}
+return cpu->model->def->mha_pow;
+}
+
 uint32_t s390_get_ibc_val(void)
 {
 uint16_t unblocked_ibc, lowest_ibc;
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index bbb85ac..ee019b4 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -45,6 +45,7 @@ typedef struct S390CPUModel {
 
 #define S390_GEN_Z10 0xa
 
+uint8_t s390_get_mha_pow(void);
 uint32_t s390_get_ibc_val(void);
 static inline uint16_t s390_ibc_from_cpu_model(const S390CPUModel *model)
 {
-- 
2.6.6

[Qemu-devel] [Patch v1 04/29] s390x/cpumodel: introduce CPU features

[David Hildenbrand]

From: Michael Mueller 

The patch introduces s390x CPU features (most of them refered to as
facilities) along with their discription and some functions that will be
helpful when working with the features later on.

Please note that we don't introduce all known CPU features, only the
ones currently supported by KVM + QEMU. We don't want to enable later
on blindly any facilities, for which we don't know yet if we need QEMU
support to properly support them (e.g. migrate additional state when
active). We can update QEMU later on.

Acked-by: Cornelia Huck 
Signed-off-by: Michael Mueller 
Signed-off-by: David Hildenbrand 
[reworked to include non-stfle features, added definitions]
---
 target-s390x/Makefile.objs  |   2 +-
 target-s390x/cpu_features.c | 334 
 target-s390x/cpu_features.h | 279 
 3 files changed, 614 insertions(+), 1 deletion(-)
 create mode 100644 target-s390x/cpu_features.c
 create mode 100644 target-s390x/cpu_features.h

diff --git a/target-s390x/Makefile.objs b/target-s390x/Makefile.objs
index 34bd693..4266c87 100644
--- a/target-s390x/Makefile.objs
+++ b/target-s390x/Makefile.objs
@@ -1,5 +1,5 @@
 obj-y += translate.o helper.o cpu.o interrupt.o
 obj-y += int_helper.o fpu_helper.o cc_helper.o mem_helper.o misc_helper.o
-obj-y += gdbstub.o cpu_models.o
+obj-y += gdbstub.o cpu_models.o cpu_features.o
 obj-$(CONFIG_SOFTMMU) += machine.o ioinst.o arch_dump.o mmu_helper.o
 obj-$(CONFIG_KVM) += kvm.o
diff --git a/target-s390x/cpu_features.c b/target-s390x/cpu_features.c
new file mode 100644
index 000..5aa5981
--- /dev/null
+++ b/target-s390x/cpu_features.c
@@ -0,0 +1,334 @@
+/*
+ * CPU features/facilities for s390x
+ *
+ * Copyright 2016 IBM Corp.
+ *
+ * Author(s): David Hildenbrand 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
+ * your option) any later version. See the COPYING file in the top-level
+ * directory.
+ */
+
+#include "qemu/osdep.h"
+#include "cpu_features.h"
+
+#define FEAT_INIT(_name, _type, _bit, _desc) \
+{\
+.name = _name,   \
+.type = _type,   \
+.bit = _bit, \
+.desc = _desc,   \
+}
+
+/* indexed by feature number for easy lookup */
+static const S390FeatDef s390_features[] = {
+FEAT_INIT("n3", S390_FEAT_TYPE_STFL, 0, "Instructions marked as n3"),
+FEAT_INIT("z", S390_FEAT_TYPE_STFL, 1, "z/Architecture architectural 
mode"),
+FEAT_INIT("dateh1", S390_FEAT_TYPE_STFL, 3, "DAT-enhancement facility 1"),
+FEAT_INIT("idtes", S390_FEAT_TYPE_STFL, 4, "IDTE selective TLB 
segment-table clearing"),
+FEAT_INIT("idter", S390_FEAT_TYPE_STFL, 5, "IDTE selective TLB 
region-table clearing"),
+FEAT_INIT("asnlxr", S390_FEAT_TYPE_STFL, 6, "ASN-and-LX reuse facility"),
+FEAT_INIT("stfle", S390_FEAT_TYPE_STFL, 7, "Store-facility-list-extended 
facility"),
+FEAT_INIT("edat1", S390_FEAT_TYPE_STFL, 8, "Enhanced-DAT facility 1"),
+FEAT_INIT("srs", S390_FEAT_TYPE_STFL, 9, "Sense-running-status facility"),
+FEAT_INIT("csske", S390_FEAT_TYPE_STFL, 10, "Conditional-SSKE facility"),
+FEAT_INIT("ctop", S390_FEAT_TYPE_STFL, 11, "Configuration-topology 
facility"),
+FEAT_INIT("ipter", S390_FEAT_TYPE_STFL, 13, "IPTE-range facility"),
+FEAT_INIT("nonqks", S390_FEAT_TYPE_STFL, 14, "Nonquiescing key-setting 
facility"),
+FEAT_INIT("etf2", S390_FEAT_TYPE_STFL, 16, "Extended-translation facility 
2"),
+FEAT_INIT("msa-base", S390_FEAT_TYPE_STFL, 17, "Message-security-assist 
facility (excluding subfunctions)"),
+FEAT_INIT("ldisp", S390_FEAT_TYPE_STFL, 18, "Long-displacement facility"),
+FEAT_INIT("ldisphp", S390_FEAT_TYPE_STFL, 19, "Long-displacement facility 
has high performance"),
+FEAT_INIT("hfpm", S390_FEAT_TYPE_STFL, 20, "HFP-multiply-add/subtract 
facility"),
+FEAT_INIT("eimm", S390_FEAT_TYPE_STFL, 21, "Extended-immediate facility"),
+FEAT_INIT("etf3", S390_FEAT_TYPE_STFL, 22, "Extended-translation facility 
3"),
+FEAT_INIT("hfpue", S390_FEAT_TYPE_STFL, 23, "HFP-unnormalized-extension 
facility"),
+FEAT_INIT("etf2eh", S390_FEAT_TYPE_STFL, 24, "ETF2-enhancement facility"),
+FEAT_INIT("stckf", S390_FEAT_TYPE_STFL, 25, "Store-clock-fast facility"),
+FEAT_INIT("parseh", S390_FEAT_TYPE_STFL, 26, "Parsing-enhancement 
facility"),
+FEAT_INIT("mvcos", S390_FEAT_TYPE_STFL, 27, 
"Move-with-optional-specification facility"),
+FEAT_INIT("tods-base", S390_FEAT_TYPE_STFL, 28, "TOD-clock-steering 
facility (excluding subfunctions)"),
+FEAT_INIT("etf3eh", S390_FEAT_TYPE_STFL, 30, "ETF3-enhancement facility"),
+FEAT_INIT("ecput", S390_FEAT_TYPE_STFL, 31, "Extract-CPU-time facility"),
+FEAT_INIT("csst", S390_FEAT_TYPE_STFL, 32, "Compare-and-swap-and-store 
facility"),
+FEAT_INIT("csst2", S390_F

[Qemu-devel] [Patch v1 20/29] s390x/kvm: allow runtime-instrumentation for "none" machine

[David Hildenbrand]

To be able to query the correct host model for the "none" machine,
let's allow runtime-instrumentation for that machine.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/s390-virtio-ccw.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 91d9cef..f7dd2c8 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -249,6 +249,11 @@ bool ri_allowed(void)
 
 return s390mc->ri_allowed;
 }
+/*
+ * Make sure the "none" machine can have ri, otherwise it won't * be
+ * unlocked in KVM and therefore the host CPU model might be wrong.
+ */
+return true;
 }
 return 0;
 }
-- 
2.6.6

[Qemu-devel] [Patch v1 15/29] s390x/sclp: indicate sclp features

[David Hildenbrand]

We have three different blocks in the SCLP read-SCP information response
that indicate sclp features. Let's prepare propagation.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/sclp.c   |  9 +
 target-s390x/cpu_models.c | 14 ++
 target-s390x/cpu_models.h |  1 +
 3 files changed, 24 insertions(+)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 15d7114..3c126ee 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -31,11 +31,14 @@ static inline SCLPDevice *get_sclp_device(void)
 
 static void prepare_cpu_entries(SCLPDevice *sclp, CPUEntry *entry, int count)
 {
+uint8_t features[SCCB_CPU_FEATURE_LEN] = { 0 };
 int i;
 
+s390_get_feat_block(S390_FEAT_TYPE_SCLP_CPU, features);
 for (i = 0; i < count; i++) {
 entry[i].address = i;
 entry[i].type = 0;
+memcpy(entry[i].features, features, sizeof(entry[i].features));
 }
 }
 
@@ -59,6 +62,12 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 read_info->offset_cpu = cpu_to_be16(offsetof(ReadInfo, entries));
 read_info->highest_cpu = cpu_to_be16(max_cpus);
 
+/* Configuration Characteristic (Extension) */
+s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR,
+ read_info->conf_char);
+s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT,
+ read_info->conf_char_ext);
+
 prepare_cpu_entries(sclp, read_info->entries, cpu_count);
 
 read_info->facilities = cpu_to_be64(SCLP_HAS_CPU_INFO |
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 3fe85fa..641aad0 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -74,6 +74,20 @@ static const S390CPUDef s390_cpu_defs[] = {
 CPUDEF_INIT(0x2965, 13, 2, 47, 0x0800U, "z13s", "IBM z13s GA1"),
 };
 
+void s390_get_feat_block(S390FeatType type, uint8_t *data)
+{
+static S390CPU *cpu;
+
+if (!cpu) {
+cpu = S390_CPU(qemu_get_cpu(0));
+}
+
+if (!cpu || !cpu->model) {
+return;
+}
+return s390_fill_feat_block(cpu->model->features, type, data);
+}
+
 bool s390_has_feat(S390Feat feat)
 {
 static S390CPU *cpu;
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index fe988cc..04c47c6 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -43,6 +43,7 @@ typedef struct S390CPUModel {
 uint8_t cpu_ver;/* CPU version, usually "ff" for kvm */
 } S390CPUModel;
 
+void s390_get_feat_block(S390FeatType type, uint8_t *data);
 bool s390_has_feat(S390Feat feat);
 
 #endif /* TARGET_S390X_CPU_MODELS_H */
-- 
2.6.6

[Qemu-devel] [PATCH v2 1/2] xen: when removing a backend don't remove many of them

[Juergen Gross]

When a Xenstore watch fires indicating a backend has to be removed
don't remove all backends for that domain with the specified device
index, but just the one which has the correct type.

The easiest way to achieve this is to use the already determined
xendev as parameter for xen_be_del_xendev() instead of only the domid
and device index.

This at once removes the open coded QTAILQ_FOREACH_SAVE() in
xen_be_del_xendev() as there is no need to search for the correct
xendev any longer.

Signed-off-by: Juergen Gross 
Reviewed-by: Stefano Stabellini 
---
 hw/xen/xen_backend.c | 58 +---
 1 file changed, 19 insertions(+), 39 deletions(-)

diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index bab79b1..3ceb778 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -321,48 +321,28 @@ static struct XenDevice *xen_be_get_xendev(const char 
*type, int dom, int dev,
 /*
  * release xen backend device.
  */
-static struct XenDevice *xen_be_del_xendev(int dom, int dev)
+static void xen_be_del_xendev(struct XenDevice *xendev)
 {
-struct XenDevice *xendev, *xnext;
-
-/*
- * This is pretty much like QTAILQ_FOREACH(xendev, &xendevs, next) but
- * we save the next pointer in xnext because we might free xendev.
- */
-xnext = xendevs.tqh_first;
-while (xnext) {
-xendev = xnext;
-xnext = xendev->next.tqe_next;
-
-if (xendev->dom != dom) {
-continue;
-}
-if (xendev->dev != dev && dev != -1) {
-continue;
-}
-
-if (xendev->ops->free) {
-xendev->ops->free(xendev);
-}
-
-if (xendev->fe) {
-char token[XEN_BUFSIZE];
-snprintf(token, sizeof(token), "fe:%p", xendev);
-xs_unwatch(xenstore, xendev->fe, token);
-g_free(xendev->fe);
-}
+if (xendev->ops->free) {
+xendev->ops->free(xendev);
+}
 
-if (xendev->evtchndev != NULL) {
-xenevtchn_close(xendev->evtchndev);
-}
-if (xendev->gnttabdev != NULL) {
-xengnttab_close(xendev->gnttabdev);
-}
+if (xendev->fe) {
+char token[XEN_BUFSIZE];
+snprintf(token, sizeof(token), "fe:%p", xendev);
+xs_unwatch(xenstore, xendev->fe, token);
+g_free(xendev->fe);
+}
 
-QTAILQ_REMOVE(&xendevs, xendev, next);
-g_free(xendev);
+if (xendev->evtchndev != NULL) {
+xenevtchn_close(xendev->evtchndev);
 }
-return NULL;
+if (xendev->gnttabdev != NULL) {
+xengnttab_close(xendev->gnttabdev);
+}
+
+QTAILQ_REMOVE(&xendevs, xendev, next);
+g_free(xendev);
 }
 
 /*
@@ -682,7 +662,7 @@ static void xenstore_update_be(char *watch, char *type, int 
dom,
 if (xendev != NULL) {
 bepath = xs_read(xenstore, 0, xendev->be, &len);
 if (bepath == NULL) {
-xen_be_del_xendev(dom, dev);
+xen_be_del_xendev(xendev);
 } else {
 free(bepath);
 xen_be_backend_changed(xendev, path);
-- 
2.6.6

[Qemu-devel] [Patch v1 29/29] s390x/cpumodel: implement QMP interface "query-cpu-model-baseline"

[David Hildenbrand]

Let's implement that interface by reusing our conversion code and
lookup code for CPU definitions.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_models.c | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 22feebe..476bb76 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -527,6 +527,61 @@ CpuModelCompareInfo 
*arch_query_cpu_model_comparison(CpuModelInfo *infoa,
 }
 return compare_info;
 }
+
+CpuModelBaselineInfo *arch_query_cpu_model_baseline(CpuModelInfo *infoa,
+CpuModelInfo *infob,
+Error **errp)
+{
+CpuModelBaselineInfo *baseline_info;
+S390CPUModel modela, modelb, model;
+uint16_t cpu_type;
+uint8_t max_gen_ga;
+uint8_t max_gen;
+
+/* convert both models to our internal representation */
+cpu_model_from_info(&modela, infoa, errp);
+if (*errp) {
+return NULL;
+}
+
+cpu_model_from_info(&modelb, infob, errp);
+if (*errp) {
+return NULL;
+}
+
+/* features both models support */
+bitmap_and(model.features, modela.features, modelb.features, 
S390_FEAT_MAX);
+
+/* detect the maximum model not regarding features */
+if (modela.def->gen == modelb.def->gen) {
+if (modela.def->type == modelb.def->type) {
+cpu_type = modela.def->type;
+} else {
+cpu_type = 0;
+}
+max_gen = modela.def->gen;
+max_gen_ga = MIN(modela.def->ec_ga, modelb.def->ec_ga);
+} else if (modela.def->gen > modelb.def->gen) {
+cpu_type = modelb.def->type;
+max_gen = modelb.def->gen;
+max_gen_ga = modelb.def->ec_ga;
+} else {
+cpu_type = modela.def->type;
+max_gen = modela.def->gen;
+max_gen_ga = modela.def->ec_ga;
+}
+
+model.def = s390_find_cpu_def(cpu_type, max_gen, max_gen_ga,
+  model.features);
+/* strip off features not part of the max model */
+bitmap_and(model.features, model.features, model.def->full_feat,
+   S390_FEAT_MAX);
+
+baseline_info = g_malloc0(sizeof(*baseline_info));
+baseline_info->model = g_malloc0(sizeof(*baseline_info->model));
+cpu_info_from_model(baseline_info->model, &model, true);
+return baseline_info;
+}
 #endif
 
 static void check_consistency(const S390CPUModel *model)
-- 
2.6.6

[Qemu-devel] [Patch v1 23/29] s390x/kvm: let the CPU model control CMM(A)

[David Hildenbrand]

Starting with recent kernels, if the cmma attributes are available, we
actually have hardware support. Enabling CMMA then means providing the
guest VCPU with CMM, therefore enabling its CMM facility.

Let's not blindly enable CMM anymore but let's control it using CPU models.
For disabled CPU models, CMMA will continue to always get enabled.

Also enable it in the applicable default models.

Please note that CMM doesn't work with hugetlbfs, therefore we will
warn the user and keep it disabled. Migrating from/to a hugetlbfs
configuration works, as it will be disabled on both sides.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/gen-features.c |  1 +
 target-s390x/kvm.c  | 47 ++---
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/target-s390x/gen-features.c b/target-s390x/gen-features.c
index d4f4b29..52d46dc 100644
--- a/target-s390x/gen-features.c
+++ b/target-s390x/gen-features.c
@@ -371,6 +371,7 @@ static uint16_t full_GEN13_GA1[] = {
 #define default_GEN8_GA5 EmptyFeat
 static uint16_t default_GEN9_GA1[] = {
 S390_FEAT_GROUP_MSA_EXT_1,
+S390_FEAT_CMM,
 };
 #define default_GEN9_GA2 EmptyFeat
 #define default_GEN9_GA3 EmptyFeat
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index 4020328..a089c03 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -174,6 +174,18 @@ int kvm_s390_set_mem_limit(KVMState *s, uint64_t 
new_limit, uint64_t *hw_limit)
 return kvm_vm_ioctl(s, KVM_SET_DEVICE_ATTR, &attr);
 }
 
+static bool kvm_s390_cmma_available(void)
+{
+static bool initialized, value;
+
+if (!initialized) {
+initialized = true;
+value = kvm_vm_check_mem_attr(kvm_state, KVM_S390_VM_MEM_ENABLE_CMMA) 
&&
+kvm_vm_check_mem_attr(kvm_state, KVM_S390_VM_MEM_CLR_CMMA);
+}
+return value;
+}
+
 void kvm_s390_cmma_reset(void)
 {
 int rc;
@@ -182,11 +194,15 @@ void kvm_s390_cmma_reset(void)
 .attr = KVM_S390_VM_MEM_CLR_CMMA,
 };
 
+if (!mem_path || !kvm_s390_cmma_available()) {
+return;
+}
+
 rc = kvm_vm_ioctl(kvm_state, KVM_SET_DEVICE_ATTR, &attr);
 trace_kvm_clear_cmma(rc);
 }
 
-static void kvm_s390_enable_cmma(KVMState *s)
+static void kvm_s390_enable_cmma(void)
 {
 int rc;
 struct kvm_device_attr attr = {
@@ -194,12 +210,7 @@ static void kvm_s390_enable_cmma(KVMState *s)
 .attr = KVM_S390_VM_MEM_ENABLE_CMMA,
 };
 
-if (!kvm_vm_check_mem_attr(s, KVM_S390_VM_MEM_ENABLE_CMMA) ||
-!kvm_vm_check_mem_attr(s, KVM_S390_VM_MEM_CLR_CMMA)) {
-return;
-}
-
-rc = kvm_vm_ioctl(s, KVM_SET_DEVICE_ATTR, &attr);
+rc = kvm_vm_ioctl(kvm_state, KVM_SET_DEVICE_ATTR, &attr);
 trace_kvm_enable_cmma(rc);
 }
 
@@ -259,10 +270,6 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP);
 cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ);
 
-if (!mem_path) {
-kvm_s390_enable_cmma(s);
-}
-
 if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
 || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
 phys_mem_set_alloc(legacy_s390_alloc);
@@ -2520,6 +2527,11 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, 
Error **errp)
 return;
 }
 
+/* with cpu model support, CMM is only indicated if really available */
+if (kvm_s390_cmma_available()) {
+set_bit(S390_FEAT_CMM, model->features);
+}
+
 if (s390_known_cpu_type(cpu_type)) {
 /* we want the exact model, even if some features are missing */
 model->def = s390_find_cpu_def(cpu_type, ibc_gen(unblocked_ibc),
@@ -2552,6 +2564,10 @@ void kvm_s390_apply_cpu_model(const S390CPUModel *model, 
Error **errp)
 int rc;
 
 if (!model) {
+/* compatibility handling if cpu models are disabled */
+if (kvm_s390_cmma_available() && !mem_path) {
+kvm_s390_enable_cmma();
+}
 return;
 }
 if (!kvm_s390_cpu_models_supported()) {
@@ -2580,4 +2596,13 @@ void kvm_s390_apply_cpu_model(const S390CPUModel *model, 
Error **errp)
 error_setg(errp, "KVM: Error configuring CPU subfunctions: %d", rc);
 return;
 }
+/* enable CMM via CMMA - disable on hugetlbfs */
+if (test_bit(S390_FEAT_CMM, model->features)) {
+if (mem_path) {
+error_report("Warning: CMM will not be enabled because it is not "
+ "compatible to hugetlbfs.");
+} else {
+kvm_s390_enable_cmma();
+}
+}
 }
-- 
2.6.6

[Qemu-devel] [Patch v1 18/29] s390x/sclp: propagate hmfai

[David Hildenbrand]

hmfai is provided on CPU models >= z196. Let's propagate it properly.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 hw/s390x/sclp.c   |  1 +
 include/hw/s390x/sclp.h   |  3 ++-
 target-s390x/cpu_models.c | 14 ++
 target-s390x/cpu_models.h |  1 +
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
index 5ffcf51..883592c 100644
--- a/hw/s390x/sclp.c
+++ b/hw/s390x/sclp.c
@@ -106,6 +106,7 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
 read_info->facilities |= cpu_to_be64(SCLP_FC_ASSIGN_ATTACH_READ_STOR);
 }
 read_info->mha_pow = s390_get_mha_pow();
+read_info->hmfai = cpu_to_be32(s390_get_hmfai());
 
 rnsize = 1 << (sclp->increment_size - 20);
 if (rnsize <= 128) {
diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
index dab3c0f..3008a51 100644
--- a/include/hw/s390x/sclp.h
+++ b/include/hw/s390x/sclp.h
@@ -131,7 +131,8 @@ typedef struct ReadInfo {
 uint8_t  _reserved6[116 - 112]; /* 112-115 */
 uint8_t  conf_char_ext[120 - 116];   /* 116-119 */
 uint16_t highest_cpu;
-uint8_t  _reserved5[128 - 122]; /* 122-127 */
+uint8_t  _reserved5[124 - 122]; /* 122-123 */
+uint32_t hmfai;
 struct CPUEntry entries[0];
 } QEMU_PACKED ReadInfo;
 
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 2363027..9115731 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -74,6 +74,20 @@ static const S390CPUDef s390_cpu_defs[] = {
 CPUDEF_INIT(0x2965, 13, 2, 47, 0x0800U, "z13s", "IBM z13s GA1"),
 };
 
+uint32_t s390_get_hmfai(void)
+{
+static S390CPU *cpu;
+
+if (!cpu) {
+cpu = S390_CPU(qemu_get_cpu(0));
+}
+
+if (!cpu || !cpu->model) {
+return 0;
+}
+return cpu->model->def->hmfai;
+}
+
 uint8_t s390_get_mha_pow(void)
 {
 static S390CPU *cpu;
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index ee019b4..986f7cb 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -45,6 +45,7 @@ typedef struct S390CPUModel {
 
 #define S390_GEN_Z10 0xa
 
+uint32_t s390_get_hmfai(void);
 uint8_t s390_get_mha_pow(void);
 uint32_t s390_get_ibc_val(void);
 static inline uint16_t s390_ibc_from_cpu_model(const S390CPUModel *model)
-- 
2.6.6

[Qemu-devel] [Patch v1 28/29] s390x/cpumodel: implement QMP interface "query-cpu-model-comparison"

[David Hildenbrand]

Let's implement that interface by reusing our convertion code
implemented for expansion.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_models.c | 84 +++
 1 file changed, 84 insertions(+)

diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 6353b8c..22feebe 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -443,6 +443,90 @@ CpuModelExpansionInfo 
*arch_query_cpu_model_expansion(CpuModelExpansionType type
 cpu_info_from_model(expansion_info->model, &s390_model, delta_changes);
 return expansion_info;
 }
+
+static void list_add_feat(const char *name, void *opaque)
+{
+strList **last = (strList **) opaque;
+strList *entry;
+
+entry = g_malloc0(sizeof(*entry));
+entry->value = g_strdup(name);
+entry->next = *last;
+*last = entry;
+}
+
+CpuModelCompareInfo *arch_query_cpu_model_comparison(CpuModelInfo *infoa,
+ CpuModelInfo *infob,
+ Error **errp)
+{
+CpuModelCompareResult feat_result, gen_result;
+CpuModelCompareInfo *compare_info;
+S390FeatBitmap missing, added;
+S390CPUModel modela, modelb;
+
+/* convert both models to our internal representation */
+cpu_model_from_info(&modela, infoa, errp);
+if (*errp) {
+return NULL;
+}
+cpu_model_from_info(&modelb, infob, errp);
+if (*errp) {
+return NULL;
+}
+compare_info = g_malloc0(sizeof(*compare_info));
+
+/* check the cpu generation and ga level */
+if (modela.def->gen == modelb.def->gen) {
+if (modela.def->ec_ga == modelb.def->ec_ga) {
+/* ec and corresponding bc are identical */
+gen_result = CPU_MODEL_COMPARE_RESULT_IDENTICAL;
+} else if (modela.def->ec_ga < modelb.def->ec_ga) {
+gen_result = CPU_MODEL_COMPARE_RESULT_SUBSET;
+} else {
+gen_result = CPU_MODEL_COMPARE_RESULT_SUPERSET;
+}
+} else if (modela.def->gen < modelb.def->gen) {
+gen_result = CPU_MODEL_COMPARE_RESULT_SUBSET;
+} else {
+gen_result = CPU_MODEL_COMPARE_RESULT_SUPERSET;
+}
+if (gen_result != CPU_MODEL_COMPARE_RESULT_IDENTICAL) {
+/* both models cannot be made identical */
+list_add_feat("type", &compare_info->responsible_properties);
+}
+
+/* check the feature set */
+if (bitmap_equal(modela.features, modelb.features, S390_FEAT_MAX)) {
+feat_result = CPU_MODEL_COMPARE_RESULT_IDENTICAL;
+} else {
+bitmap_andnot(missing, modela.features, modelb.features, 
S390_FEAT_MAX);
+s390_feat_bitmap_to_ascii(missing,
+  &compare_info->responsible_properties,
+  list_add_feat);
+bitmap_andnot(added, modelb.features, modela.features, S390_FEAT_MAX);
+s390_feat_bitmap_to_ascii(added, &compare_info->responsible_properties,
+  list_add_feat);
+if (bitmap_empty(missing, S390_FEAT_MAX)) {
+feat_result = CPU_MODEL_COMPARE_RESULT_SUBSET;
+} else if (bitmap_empty(added, S390_FEAT_MAX)) {
+feat_result = CPU_MODEL_COMPARE_RESULT_SUPERSET;
+} else {
+feat_result = CPU_MODEL_COMPARE_RESULT_INCOMPATIBLE;
+}
+}
+
+/* combine the results */
+if (gen_result == feat_result) {
+compare_info->result = gen_result;
+} else if (feat_result == CPU_MODEL_COMPARE_RESULT_IDENTICAL) {
+compare_info->result = gen_result;
+} else if (gen_result == CPU_MODEL_COMPARE_RESULT_IDENTICAL) {
+compare_info->result = feat_result;
+} else {
+compare_info->result = CPU_MODEL_COMPARE_RESULT_INCOMPATIBLE;
+}
+return compare_info;
+}
 #endif
 
 static void check_consistency(const S390CPUModel *model)
-- 
2.6.6

[Qemu-devel] [Patch v1 21/29] s390x/kvm: implement CPU model support

[David Hildenbrand]

Let's implement our two hooks so we can support CPU models.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/cpu_models.c |  75 +++-
 target-s390x/cpu_models.h |  50 
 target-s390x/kvm.c| 295 ++
 3 files changed, 417 insertions(+), 3 deletions(-)

diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index 9115731..b2d722b 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -161,6 +161,61 @@ bool s390_has_feat(S390Feat feat)
 return test_bit(feat, cpu->model->features);
 }
 
+uint8_t s390_get_gen_for_cpu_type(uint16_t type)
+{
+int i;
+
+for (i = 0; i < ARRAY_SIZE(s390_cpu_defs); i++) {
+if (s390_cpu_defs[i].type == type) {
+return s390_cpu_defs[i].gen;
+}
+}
+return 0;
+}
+
+const S390CPUDef *s390_find_cpu_def(uint16_t type, uint8_t gen, uint8_t ec_ga,
+S390FeatBitmap features)
+{
+const S390CPUDef *last_compatible = NULL;
+int i;
+
+if (!gen) {
+ec_ga = 0;
+}
+if (!gen && type) {
+gen = s390_get_gen_for_cpu_type(type);
+}
+
+for (i = 0; i < ARRAY_SIZE(s390_cpu_defs); i++) {
+const S390CPUDef *def = &s390_cpu_defs[i];
+S390FeatBitmap missing;
+
+/* don't even try newer generations if we know the generation */
+if (gen) {
+if (def->gen > gen) {
+break;
+} else if (def->gen == gen && ec_ga && def->ec_ga > ec_ga) {
+break;
+}
+}
+
+if (features) {
+/* see if the model satisfies the minimum features */
+bitmap_andnot(missing, def->base_feat, features, S390_FEAT_MAX);
+if (!bitmap_empty(missing, S390_FEAT_MAX)) {
+break;
+}
+}
+
+/* stop the search if we found the exact model */
+if (def->type == type && def->ec_ga == ec_ga) {
+return def;
+}
+last_compatible = def;
+}
+return last_compatible;
+}
+
 struct S390PrintCpuListInfo {
 FILE *f;
 fprintf_function print;
@@ -325,7 +380,7 @@ static S390CPUModel *get_max_cpu_model(Error **errp)
 }
 
 if (kvm_enabled()) {
-error_setg(errp, "KVM does not support CPU models.");
+kvm_s390_get_host_cpu_model(&max_model, errp);
 } else {
 /* TCG enulates a z900 */
 max_model.def = &s390_cpu_defs[0];
@@ -358,8 +413,7 @@ static inline void apply_cpu_model(const S390CPUModel 
*model, Error **errp)
 }
 
 if (kvm_enabled()) {
-/* FIXME KVM */
-error_setg(errp, "KVM doesn't support CPU models.");
+kvm_s390_apply_cpu_model(model, errp);
 } else if (model) {
 /* FIXME TCG - use data for stdip/stfl */
 }
@@ -564,6 +618,21 @@ static void s390_cpu_model_initfn(Object *obj)
 #ifdef CONFIG_KVM
 static void s390_host_cpu_model_initfn(Object *obj)
 {
+S390CPU *cpu = S390_CPU(obj);
+Error *err = NULL;
+
+if (!kvm_enabled() || !kvm_s390_cpu_models_supported()) {
+return;
+}
+
+cpu->model = g_malloc0(sizeof(*cpu->model));
+kvm_s390_get_host_cpu_model(cpu->model, &err);
+if (err) {
+error_report_err(err);
+g_free(cpu->model);
+/* fallback to unsupported cpu models */
+cpu->model = NULL;
+}
 }
 #endif
 
diff --git a/target-s390x/cpu_models.h b/target-s390x/cpu_models.h
index 986f7cb..a1ee3d6 100644
--- a/target-s390x/cpu_models.h
+++ b/target-s390x/cpu_models.h
@@ -43,7 +43,25 @@ typedef struct S390CPUModel {
 uint8_t cpu_ver;/* CPU version, usually "ff" for kvm */
 } S390CPUModel;
 
+/*
+ * CPU ID
+ *
+ * bits 0-7: Zeroes (ff for kvm)
+ * bits 8-31: CPU ID (serial number)
+ * bits 32-48: Machine type
+ * bits 48-63: Zeroes
+ */
+#define cpuid_type(x) (((x) >> 16) & 0x)
+#define cpuid_id(x)   (((x) >> 32) & 0xff)
+#define cpuid_ver(x)  (((x) >> 56) & 0xff)
+
+#define lowest_ibc(x) (((uint32_t)(x) >> 16) & 0xfff)
+#define unblocked_ibc(x)  ((uint32_t)(x) & 0xfff)
+#define has_ibc(x)(lowest_ibc(x) != 0)
+
 #define S390_GEN_Z10 0xa
+#define ibc_gen(x)(x == 0 ? 0 : ((x >> 4) + S390_GEN_Z10))
+#define ibc_ec_ga(x)  (x & 0xf)
 
 uint32_t s390_get_hmfai(void);
 uint8_t s390_get_mha_pow(void);
@@ -59,5 +77,37 @@ static inline uint16_t s390_ibc_from_cpu_model(const 
S390CPUModel *model)
 }
 void s390_get_feat_block(S390FeatType type, uint8_t *data);
 bool s390_has_feat(S390Feat feat);
+uint8_t s390_get_gen_for_cpu_type(uint16_t type);
+static inline bool s390_known_cpu_type(uint16_t type)
+{
+return s390_get_gen_for_cpu_type(type) != 0;
+}
+static inline uint64_t s390_cpuid_from_cpu_model(const S390CPUModel *model)
+{
+return ((uint64_t)model->cpu_ver << 56) |
+   ((uint64_t)model->cpu_id << 32) |
+   ((uint64_t)model->def->type << 16);
+}
+S390CPUDef const *s390_fin

[Qemu-devel] [Patch v1 19/29] linux-headers: update against kvm/next

[David Hildenbrand]

Update against 601045bff745 ("Merge branch 'kvm-ppc-next'...").

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 linux-headers/asm-arm64/kvm.h |  2 ++
 linux-headers/asm-s390/kvm.h  | 41 +
 linux-headers/linux/kvm.h | 12 +++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
index 7d82d1f..fd5a276 100644
--- a/linux-headers/asm-arm64/kvm.h
+++ b/linux-headers/asm-arm64/kvm.h
@@ -87,9 +87,11 @@ struct kvm_regs {
 /* Supported VGICv3 address types  */
 #define KVM_VGIC_V3_ADDR_TYPE_DIST 2
 #define KVM_VGIC_V3_ADDR_TYPE_REDIST   3
+#define KVM_VGIC_ITS_ADDR_TYPE 4
 
 #define KVM_VGIC_V3_DIST_SIZE  SZ_64K
 #define KVM_VGIC_V3_REDIST_SIZE(2 * SZ_64K)
+#define KVM_VGIC_V3_ITS_SIZE   (2 * SZ_64K)
 
 #define KVM_ARM_VCPU_POWER_OFF 0 /* CPU is started in OFF state */
 #define KVM_ARM_VCPU_EL1_32BIT 1 /* CPU running a 32bit VM */
diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h
index 09ae5dc..ac63ca6 100644
--- a/linux-headers/asm-s390/kvm.h
+++ b/linux-headers/asm-s390/kvm.h
@@ -93,6 +93,47 @@ struct kvm_s390_vm_cpu_machine {
__u64 fac_list[256];
 };
 
+#define KVM_S390_VM_CPU_PROCESSOR_FEAT 2
+#define KVM_S390_VM_CPU_MACHINE_FEAT   3
+
+#define KVM_S390_VM_CPU_FEAT_NR_BITS   1024
+#define KVM_S390_VM_CPU_FEAT_ESOP  0
+#define KVM_S390_VM_CPU_FEAT_SIEF2 1
+#define KVM_S390_VM_CPU_FEAT_64BSCAO   2
+#define KVM_S390_VM_CPU_FEAT_SIIF  3
+#define KVM_S390_VM_CPU_FEAT_GPERE 4
+#define KVM_S390_VM_CPU_FEAT_GSLS  5
+#define KVM_S390_VM_CPU_FEAT_IB6
+#define KVM_S390_VM_CPU_FEAT_CEI   7
+#define KVM_S390_VM_CPU_FEAT_IBS   8
+#define KVM_S390_VM_CPU_FEAT_SKEY  9
+#define KVM_S390_VM_CPU_FEAT_CMMA  10
+#define KVM_S390_VM_CPU_FEAT_PFMFI 11
+#define KVM_S390_VM_CPU_FEAT_SIGPIF12
+struct kvm_s390_vm_cpu_feat {
+   __u64 feat[16];
+};
+
+#define KVM_S390_VM_CPU_PROCESSOR_SUBFUNC  4
+#define KVM_S390_VM_CPU_MACHINE_SUBFUNC5
+/* for "test bit" instructions MSB 0 bit ordering, for "query" raw blocks */
+struct kvm_s390_vm_cpu_subfunc {
+   __u8 plo[32];   /* always */
+   __u8 ptff[16];  /* with TOD-clock steering */
+   __u8 kmac[16];  /* with MSA */
+   __u8 kmc[16];   /* with MSA */
+   __u8 km[16];/* with MSA */
+   __u8 kimd[16];  /* with MSA */
+   __u8 klmd[16];  /* with MSA */
+   __u8 pckmo[16]; /* with MSA3 */
+   __u8 kmctr[16]; /* with MSA4 */
+   __u8 kmf[16];   /* with MSA4 */
+   __u8 kmo[16];   /* with MSA4 */
+   __u8 pcc[16];   /* with MSA4 */
+   __u8 ppno[16];  /* with MSA5 */
+   __u8 reserved[1824];
+};
+
 /* kvm attributes for crypto */
 #define KVM_S390_VM_CRYPTO_ENABLE_AES_KW   0
 #define KVM_S390_VM_CRYPTO_ENABLE_DEA_KW   1
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index e60e21b..bf91e47 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -866,6 +866,9 @@ struct kvm_ppc_smmu_info {
 #define KVM_CAP_ARM_PMU_V3 126
 #define KVM_CAP_VCPU_ATTRIBUTES 127
 #define KVM_CAP_MAX_VCPU_ID 128
+#define KVM_CAP_X2APIC_API 129
+#define KVM_CAP_S390_USER_INSTR0 130
+#define KVM_CAP_MSI_DEVID 131
 
 #ifdef KVM_CAP_IRQ_ROUTING
 
@@ -1024,12 +1027,14 @@ struct kvm_one_reg {
__u64 addr;
 };
 
+#define KVM_MSI_VALID_DEVID(1U << 0)
 struct kvm_msi {
__u32 address_lo;
__u32 address_hi;
__u32 data;
__u32 flags;
-   __u8  pad[16];
+   __u32 devid;
+   __u8  pad[12];
 };
 
 struct kvm_arm_device_addr {
@@ -1074,6 +1079,8 @@ enum kvm_device_type {
 #define KVM_DEV_TYPE_FLIC  KVM_DEV_TYPE_FLIC
KVM_DEV_TYPE_ARM_VGIC_V3,
 #define KVM_DEV_TYPE_ARM_VGIC_V3   KVM_DEV_TYPE_ARM_VGIC_V3
+   KVM_DEV_TYPE_ARM_VGIC_ITS,
+#define KVM_DEV_TYPE_ARM_VGIC_ITS  KVM_DEV_TYPE_ARM_VGIC_ITS
KVM_DEV_TYPE_MAX,
 };
 
@@ -1313,4 +1320,7 @@ struct kvm_assigned_msix_entry {
__u16 padding[3];
 };
 
+#define KVM_X2APIC_API_USE_32BIT_IDS(1ULL << 0)
+#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK  (1ULL << 1)
+
 #endif /* __LINUX_KVM_H */
-- 
2.6.6

Re: [Qemu-devel] [PULL v5 29/57] intel_iommu: add SID validation for IR

[Jan Kiszka]

On 2016-08-02 14:17, David Kiarie wrote:
> 
> 
> On Tue, Aug 2, 2016 at 3:12 PM, Peter Xu  > wrote:
> 
> On Tue, Aug 02, 2016 at 02:58:55PM +0300, David Kiarie wrote:
> > > Sure. David, so do you like to do it or I cook this patch? :)
> >
> > If there are no objections I will look at this employing Jan's approach:
> > associating a write with an address space.
> 
> Do you mean to translate current stl_le_phys() into something like
> address_space_stl_le(), with MemTxAttrs? (in ioapic_service())
> 
> 
> I tried doing something like that but the write gets discarded
> somewhere. I don't see the write from IOMMU side. 
> 
> 
> Also, IIUC we also need to tweak a little bit more for split irqchip
> case in kvm_arch_fixup_msi_route(). Actually for this one, I think
> maybe we can assume the requester ID be IOAPIC's when dev == NULL,
> since HPET should not be using kernel irqchip, right?
> 
> 
> I meant do have something like what is here
> http://git.kiszka.org/?p=qemu.git;a=commitdiff;h=4f27331e7769a571c7d7fb61cf75e1b2fe908f85
>  
> 

This didn't take irq routes into account that start with in-kernel
devices. Peter is right, there is more than just patching the MSI write
handlers in the IOMMUs.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux

[Qemu-devel] [Patch v1 24/29] qmp: add QMP interface "query-cpu-model-expansion"

[David Hildenbrand]

Let's provide a standardized interface to expand CPU models, like the
host model. This interface can be used by tooling to get details about a
specific CPU model, e.g. the "host" model.

To take care of all architectures, two detail levels for an expansion
are introduced. Certain architectures might not support all detail levels.
While "full" will expand and indicate all relevant properties/features
of a CPU model, "static" expands to a static base CPU model, that will
never change between QEMU versions and therefore have the same features
when used under different compatibility machines.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 include/sysemu/arch_init.h |  3 ++
 qapi-schema.json   | 86 ++
 qmp-commands.hx|  6 +++
 qmp.c  |  7 +++
 stubs/Makefile.objs|  1 +
 stubs/arch-query-cpu-model-expansion.c | 12 +
 6 files changed, 115 insertions(+)
 create mode 100644 stubs/arch-query-cpu-model-expansion.c

diff --git a/include/sysemu/arch_init.h b/include/sysemu/arch_init.h
index d690dfa..37b2e86 100644
--- a/include/sysemu/arch_init.h
+++ b/include/sysemu/arch_init.h
@@ -35,5 +35,8 @@ int kvm_available(void);
 int xen_available(void);
 
 CpuDefinitionInfoList *arch_query_cpu_definitions(Error **errp);
+CpuModelExpansionInfo *arch_query_cpu_model_expansion(CpuModelExpansionType 
type,
+  CpuModelInfo *mode,
+  Error **errp);
 
 #endif
diff --git a/qapi-schema.json b/qapi-schema.json
index 3f50c1d..43f7969 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -3063,6 +3063,92 @@
 ##
 { 'command': 'query-cpu-definitions', 'returns': ['CpuDefinitionInfo'] }
 
+##
+# @CpuModelInfo:
+#
+# Virtual CPU model.
+#
+# A CPU model consists of the name of a CPU definition, to which
+# delta changes are applied (e.g. features added/removed). Most magic values
+# that an architecture might require should be hidden behind the name.
+# However, if required, architectures can expose relevant properties.
+#
+# @name: the name of the CPU definition the model is based on
+# @props: #optional a dictionary of properties to be applied
+#
+# Since: 2.8.0
+##
+{ 'struct': 'CpuModelInfo',
+  'data': { 'name': 'str',
+'*props': 'any' } }
+
+##
+# @CpuModelExpansionType
+#
+# An enumeration of CPU model expansion types.
+#
+# @static: Expand to a static CPU model, a combination of a static base
+#  model name and property delta changes. As the static base model will
+#  never change, the expanded CPU model will be the same, independant 
of
+#  QEMU version or compatibility machines. Therefore, the resulting
+#  model can be used by tooling without having to specify a
+#  compatibility machine - e.g. when displaying the "host" model.
+#  All static CPU models are migration-safe.
+#
+# @full: Expand all properties. The produced model is not guaranteed to be
+#migration-safe, but allows tooling to get an insight and work with
+#model details.
+#
+# Since: 2.8.0
+##
+{ 'enum': 'CpuModelExpansionType',
+  'data': [ 'static', 'full' ] }
+
+
+##
+# @CpuModelExpansionInfo
+#
+# The result of a cpu model expansion.
+#
+# @model: the expanded CpuModelInfo.
+#
+# Since: 2.8.0
+##
+{ 'struct': 'CpuModelExpansionInfo',
+  'data': { 'model': 'CpuModelInfo' } }
+
+
+##
+# @query-cpu-model-expansion:
+#
+# Expands the given CPU model to different granularities, allowing tooling
+# to get an understanding what a specific CPU model looks like in QEMU
+# under a certain QEMU machine.
+#
+# Expanding CPU models is in general independant of the accelerator, except
+# for models like "host" that explicitly rely on an accelerator and can
+# vary in different configurations. This interface can therefore also be used
+# to query the "host" CPU model.
+#
+# Note: This interface should not be used when global properties of CPU classes
+#   are changed (e.g. via "-cpu ...").
+#
+# s390x supports expanding of all CPU models with all expansion types. Other
+# architectures are not supported yet.
+#
+# Returns: a CpuModelExpansionInfo. Returns an error if expanding CPU models is
+#  not supported, if the model cannot be expanded, if the model 
contains
+#  an unknown CPU definition name, unknown properties or properties
+#  with a wrong type. Also returns an error if an expansion type is
+#  not supported.
+#
+# Since: 2.8.0
+##
+{ 'command': 'query-cpu-model-expansion',
+  'data': { 'type': 'CpuModelExpansionType',
+'model': 'CpuModelInfo' },
+  'returns': 'CpuModelExpansionInfo' }
+
 # @AddfdInfo:
 #
 # Information about a file descriptor that was added to an fd set.
diff --git a/qmp-commands.hx b/qmp-commands.hx
index c8d360a..7ed9528 100644
--- a/qmp-commands.hx
+++ b/qmp-comma

[Qemu-devel] [Patch v1 22/29] s390x/kvm: disable host model for existing compat machines

[David Hildenbrand]

Compatibility machines that touch runtime-instrumentation should not
be used with the CPU model. Otherwise the host model will look different,
depending on the QEMU machine QEMU has been started with.

So let's simply disable the host model for existing compatibility machines
that all disable ri.

Acked-by: Cornelia Huck 
Signed-off-by: David Hildenbrand 
---
 target-s390x/kvm.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index edebc6d..4020328 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -2451,6 +2451,10 @@ static int configure_cpu_feat(const S390FeatBitmap 
features)
 
 bool kvm_s390_cpu_models_supported(void)
 {
+if (!ri_allowed()) {
+/* compatibility machines interfere with the cpu model */
+return false;
+}
 return kvm_vm_check_attr(kvm_state, KVM_S390_VM_CPU_MODEL,
  KVM_S390_VM_CPU_MACHINE) &&
kvm_vm_check_attr(kvm_state, KVM_S390_VM_CPU_MODEL,
-- 
2.6.6

[Qemu-devel] [PATCH v2 2/2] xen: drain submit queue in xen-usb before removing device

[Juergen Gross]

When unplugging a device in the Xen pvusb backend drain the submit
queue before deallocation of the control structures. Otherwise there
will be bogus memory accesses when I/O contracts are finished.

Correlated to this issue is the handling of cancel requests: a packet
cancelled will still lead to the call of complete, so add a flag
to the request indicating it should be just dropped on complete.

Signed-off-by: Juergen Gross 
---
 hw/usb/xen-usb.c | 94 +---
 1 file changed, 62 insertions(+), 32 deletions(-)

diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c
index 7992456..174d715 100644
--- a/hw/usb/xen-usb.c
+++ b/hw/usb/xen-usb.c
@@ -90,6 +90,8 @@ struct usbback_req {
 void *buffer;
 void *isoc_buffer;
 struct libusb_transfer   *xfer;
+
+bool cancelled;
 };
 
 struct usbback_hotplug {
@@ -301,20 +303,23 @@ static void usbback_do_response(struct usbback_req 
*usbback_req, int32_t status,
 usbback_req->isoc_buffer = NULL;
 }
 
-res = RING_GET_RESPONSE(&usbif->urb_ring, usbif->urb_ring.rsp_prod_pvt);
-res->id = usbback_req->req.id;
-res->status = status;
-res->actual_length = actual_length;
-res->error_count = error_count;
-res->start_frame = 0;
-usbif->urb_ring.rsp_prod_pvt++;
-RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify);
+if (usbif->urb_sring) {
+res = RING_GET_RESPONSE(&usbif->urb_ring, 
usbif->urb_ring.rsp_prod_pvt);
+res->id = usbback_req->req.id;
+res->status = status;
+res->actual_length = actual_length;
+res->error_count = error_count;
+res->start_frame = 0;
+usbif->urb_ring.rsp_prod_pvt++;
+RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify);
 
-if (notify) {
-xen_be_send_notify(xendev);
+if (notify) {
+xen_be_send_notify(xendev);
+}
 }
 
-usbback_put_req(usbback_req);
+if (!usbback_req->cancelled)
+usbback_put_req(usbback_req);
 }
 
 static void usbback_do_response_ret(struct usbback_req *usbback_req,
@@ -366,15 +371,14 @@ static void usbback_set_address(struct usbback_info 
*usbif,
 }
 }
 
-static bool usbback_cancel_req(struct usbback_req *usbback_req)
+static void usbback_cancel_req(struct usbback_req *usbback_req)
 {
-bool ret = false;
-
 if (usb_packet_is_inflight(&usbback_req->packet)) {
 usb_cancel_packet(&usbback_req->packet);
-ret = true;
+QTAILQ_REMOVE(&usbback_req->stub->submit_q, usbback_req, q);
+usbback_req->cancelled = true;
+usbback_do_response_ret(usbback_req, -EPROTO);
 }
-return ret;
 }
 
 static void usbback_process_unlink_req(struct usbback_req *usbback_req)
@@ -391,7 +395,7 @@ static void usbback_process_unlink_req(struct usbback_req 
*usbback_req)
 devnum = usbif_pipedevice(usbback_req->req.pipe);
 if (unlikely(devnum == 0)) {
 usbback_req->stub = usbif->ports +
-usbif_pipeportnum(usbback_req->req.pipe);
+usbif_pipeportnum(usbback_req->req.pipe) - 1;
 if (unlikely(!usbback_req->stub)) {
 ret = -ENODEV;
 goto fail_response;
@@ -406,9 +410,7 @@ static void usbback_process_unlink_req(struct usbback_req 
*usbback_req)
 
 QTAILQ_FOREACH(unlink_req, &usbback_req->stub->submit_q, q) {
 if (unlink_req->req.id == id) {
-if (usbback_cancel_req(unlink_req)) {
-usbback_do_response_ret(unlink_req, -EPROTO);
-}
+usbback_cancel_req(unlink_req);
 break;
 }
 }
@@ -681,6 +683,33 @@ static void usbback_hotplug_enq(struct usbback_info 
*usbif, unsigned port)
 usbback_hotplug_notify(usbif);
 }
 
+static void usbback_portid_drain(struct usbback_info *usbif, unsigned port)
+{
+struct usbback_req *req, *tmp;
+bool sched = false;
+
+QTAILQ_FOREACH_SAFE(req, &usbif->ports[port - 1].submit_q, q, tmp) {
+usbback_cancel_req(req);
+sched = true;
+}
+
+if (sched) {
+qemu_bh_schedule(usbif->bh);
+}
+}
+
+static void usbback_portid_detach(struct usbback_info *usbif, unsigned port)
+{
+if (!usbif->ports[port - 1].attached) {
+return;
+}
+
+usbif->ports[port - 1].speed = USBIF_SPEED_NONE;
+usbif->ports[port - 1].attached = false;
+usbback_portid_drain(usbif, port);
+usbback_hotplug_enq(usbif, port);
+}
+
 static void usbback_portid_remove(struct usbback_info *usbif, unsigned port)
 {
 USBPort *p;
@@ -694,9 +723,7 @@ static void usbback_portid_remove(struct usbback_info 
*usbif, unsigned port)
 
 object_unparent(OBJECT(usbif->ports[port - 1].dev));
 usbif->ports[port - 1].dev = NULL;
-usbif->ports[port - 1].speed = USBIF_SPEED_NONE;
-usbif->ports[port - 1].attached = false;
-usbback_hotplug_enq(usbif, port);
+usbback_portid_detac