Re: QAPI schema for desired state of LUKS keyslots (was: [PATCH 02/13] qcrypto-luks: implement encryption key management)

2020-02-16 Thread Maxim Levitsky
On Sat, 2020-02-15 at 15:51 +0100, Markus Armbruster wrote:
> Review of this patch led to a lengthy QAPI schema design discussion.
> Let me try to condense it into a concrete proposal.
> 
> This is about the QAPI schema, and therefore about QMP.  The
> human-friendly interface is out of scope.  Not because it's not
> important (it clearly is!), only because we need to *focus* to have a
> chance at success.
100% agree.
> 
> I'm going to include a few design options.  I'll mark them "Option:".
> 
> The proposed "amend" interface takes a specification of desired state,
> and figures out how to get from here to there by itself.  LUKS keyslots
> are one part of desired state.
> 
> We commonly have eight LUKS keyslots.  Each keyslot is either active or
> inactive.  An active keyslot holds a secret.
> 
> Goal: a QAPI type for specifying desired state of LUKS keyslots.
> 
> Proposal:
> 
> { 'enum': 'LUKSKeyslotState',
>   'data': [ 'active', 'inactive' ] }
> 
> { 'struct': 'LUKSKeyslotActive',
>   'data': { 'secret': 'str',
>             '*iter-time': 'int' } }
> 
> { 'struct': 'LUKSKeyslotInactive',
>   'data': { '*old-secret': 'str' } }
> 
> { 'union': 'LUKSKeyslotAmend',
>   'base': { '*keyslot': 'int',
>             'state': 'LUKSKeyslotState' },
>   'discriminator': 'state',
>   'data': { 'active': 'LUKSKeyslotActive',
>             'inactive': 'LUKSKeyslotInactive' } }
> 
> LUKSKeyslotAmend specifies desired state for a set of keyslots.
> 
> Four cases:
> 
> * @state is "active"
> 
>   Desired state is active holding the secret given by @secret.  Optional
>   @iter-time tweaks key stretching.
> 
>   The keyslot is chosen either by the user or by the system, as follows:
> 
>   - @keyslot absent
> 
>     One inactive keyslot chosen by the system.  If none exists, error.
> 
>   - @keyslot present
> 
>     The keyslot given by @keyslot.
> 
>     If it's already active holding @secret, no-op.  Rationale: the
>     current state is the desired state.
> 
>     If it's already active holding another secret, error.  Rationale:
>     update in place is unsafe.
> 
>     Option: delete the "already active holding @secret" case.  Feels
>     inelegant to me.  Okay if it makes things substantially simpler.
I didn't really understand this, since in state=active we shouldn't
delete anything. Looks OK otherwise.

> 
> * @state is "inactive"
> 
>   Desired state is inactive.
> 
>   Error if the current state has active keyslots, but the desired state
>   has none.
> 
>   The user chooses the keyslot by number and/or by the secret it holds,
>   as follows:
> 
>   - @keyslot absent, @old-secret present
> 
>     All active keyslots holding @old-secret.  If none exists, error.
> 
>   - @keyslot present, @old-secret absent
> 
>     The keyslot given by @keyslot.
> 
>     If it's already inactive, no-op.  Rationale: the current state is
>     the desired state.
> 
>   - both @keyslot and @old-secret present
> 
>     The keyslot given by keyslot.
> 
>     If it's inactive or holds a secret other than @old-secret, error.
Yea, that would be very nice to have.
> 
>     Option: error regardless of @old-secret, if that makes things
>     simpler.
> 
>   - neither @keyslot nor @old-secret present
> 
>     All keyslots.  Note that this will error out due to "desired state
>     has no active keyslots" unless the current state has none, either.
> 
>     Option: error out unconditionally.
Yep, that's the best IMHO.
> 
> Note that LUKSKeyslotAmend can specify only one desired state for
> commonly just one keyslot.  Rationale: this satisfies practical needs.
> An array of LUKSKeyslotAmend could specify desired state for all
> keyslots.  However, multiple array elements could then apply to the same
> slot.  We'd have to specify how to resolve such conflicts, and we'd have
> to code up conflict detection.  Not worth it.
110% agree (that is not a typo :-) )
> 
> Examples:
> 
> * Add a secret to some free keyslot:
> 
>   { "state": "active", "secret": "CIA/GRU/MI6" }
> 
> * Deactivate all keyslots holding a secret:
> 
>   { "state": "inactive", "old-secret": "CIA/GRU/MI6" }
> 
> * Add a secret to a specific keyslot:
> 
>   { "state": "active", "secret": "CIA/GRU/MI6", "keyslot": 0 }
> 
> * Deactivate a specific keyslot:
> 
>   { "state": "inactive", "keyslot": 0 }
> 
>   Possibly less dangerous:
> 
>   { "state": "inactive", "keyslot": 0, "old-secret": "CIA/GRU/MI6" }
> 
> Option: Make use of Max's patches to support optional union tag with
> default value to let us default @state to "active".  I doubt this makes
> much of a difference in QMP.  A human-friendly interface should probably
> be higher level anyway (Daniel pointed to cryptsetup).
Also agree.
> 
> Option: LUKSKeyslotInactive member @old-secret could also be named
> @secret.  I don't care.
I prefer old-secret.
> 
> Option: delete @keyslot.  It provides low-level slot access.
> Complicates the interface.  Fine if we need low-level slot acces
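
The four cases of the proposal above, modelled as an added example (not code from this thread or from QEMU). Assumptions: slots are a list holding a secret or None, secrets are compared directly, "chosen by the system" means the lowest free slot, and the names `amend`, `AmendError` and `outcome` are hypothetical; none of the "Option:" variants is implemented.

```python
# Added model of the proposed LUKSKeyslotAmend semantics (not QEMU code).
NUM_SLOTS = 8  # "We commonly have eight LUKS keyslots"


class AmendError(Exception):
    """Raised wherever the proposal says "error"."""


def amend(slots, req):
    """Apply one LUKSKeyslotAmend request and return the new slot list.

    slots[i] is the secret held by keyslot i, or None when inactive.
    Assumption: secrets are compared directly; a real LUKS header can only
    test whether a passphrase unlocks a slot.
    """
    state, keyslot = req["state"], req.get("keyslot")
    if keyslot is not None and not 0 <= keyslot < len(slots):
        raise AmendError("keyslot %d out of range" % keyslot)  # added check
    new = list(slots)

    if state == "active":
        secret = req["secret"]
        if keyslot is None:
            # System picks one inactive slot (this model: the lowest).
            free = [i for i, s in enumerate(slots) if s is None]
            if not free:
                raise AmendError("no inactive keyslot left")
            keyslot = free[0]
        elif slots[keyslot] == secret:
            return new  # current state is already the desired state
        elif slots[keyslot] is not None:
            raise AmendError("keyslot %d holds another secret; "
                             "update in place is unsafe" % keyslot)
        new[keyslot] = secret
        return new

    if state == "inactive":
        old = req.get("old-secret")
        if keyslot is None and old is not None:
            targets = [i for i, s in enumerate(slots) if s == old]
            if not targets:
                raise AmendError("no active keyslot holds old-secret")
        elif keyslot is not None and old is None:
            targets = [keyslot]  # already inactive: no-op
        elif keyslot is not None:
            if slots[keyslot] != old:  # inactive or a different secret
                raise AmendError("keyslot %d does not hold old-secret"
                                 % keyslot)
            targets = [keyslot]
        else:
            targets = range(len(slots))  # neither given: all keyslots
        for i in targets:
            new[i] = None
        # Lock-out guard: never go from "some active" to "none active".
        if any(s is not None for s in slots) and all(s is None for s in new):
            raise AmendError("request would leave no active keyslot")
        return new

    raise AmendError("unknown state %r" % state)


def outcome(slots, req):
    """Return the new slot list, or the error text, for display/testing."""
    try:
        return amend(slots, req)
    except AmendError as e:
        return "error: %s" % e


if __name__ == "__main__":
    # Constructed starting state: slot 0 holds "pw-a", slot 1 holds "pw-b".
    current = ["pw-a", "pw-b"] + [None] * (NUM_SLOTS - 2)
    for r in ({"state": "active", "secret": "pw-c"},
              {"state": "active", "secret": "pw-c", "keyslot": 0},
              {"state": "inactive", "old-secret": "pw-a"},
              {"state": "inactive", "keyslot": 1, "old-secret": "pw-a"},
              {"state": "inactive"}):
        print(r, "->", outcome(current, r))
```

The lock-out guard is evaluated on the resulting state, so it also catches the "by secret" form when that secret is the only one left.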

[Bug 1863445] Re: assertion failed at translate-all.c:2523 with version 3.1.1

2020-02-16 Thread Richard Henderson
** Changed in: qemu
   Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863445

Title:
  assertion failed at translate-all.c:2523 with version 3.1.1

Status in QEMU:
  Fix Released

Bug description:
  I was trying to debug a userspace binary with radare2 and met the
  following assertion in qemu:

  ```
  qemu-mipsel: /builddir/build/BUILD/qemu-3.1.1/accel/tcg/translate-all.c:2523: page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
  qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x7fd1c11c5987
  ```

  ```
  # qemu-mipsel --version   

  qemu-mipsel version 3.1.1 (qemu-3.1.1-2.fc30)
  Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers
  ```

  not much to add. seems like qemu is not properly checking for valid
  addresses

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1863445/+subscriptions



Re: [PATCH v2 17/19] tcg: save vaddr temp for plugin usage

2020-02-16 Thread Richard Henderson
On 2/13/20 2:51 PM, Alex Bennée wrote:
> From: Richard Henderson 
> 
> While do_gen_mem_cb does copy (via extu_tl_i64) vaddr into a new temp
> this won't help if the vaddr temp gets clobbered by the actual
> load/store op. To avoid this clobbering we explicitly copy vaddr
> before the op to ensure it is live by the time we do the
> instrumentation.
> 
> Suggested-by: Richard Henderson 
> Signed-off-by: Alex Bennée 
> Cc: qemu-sta...@nongnu.org
> ---
>  tcg/tcg-op.c | 23 ---
>  1 file changed, 20 insertions(+), 3 deletions(-)

Reviewed-by: Richard Henderson 

r~



Re: [PATCH v2 18/19] tests/tcg: fix typo in configure.sh test for v8.3

2020-02-16 Thread Richard Henderson
On 2/13/20 2:51 PM, Alex Bennée wrote:
> Although most people use the docker images this can trip up on
> developer systems with actual valid cross-compilers!
> 
> Signed-off-by: Alex Bennée 
> ---
>  tests/tcg/configure.sh | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson 

r~



Re: [PATCH v2 19/19] tests/tcg: take into account expected clashes pauth-4

2020-02-16 Thread Richard Henderson
On 2/13/20 2:51 PM, Alex Bennée wrote:
> Pointer authentication isn't perfect so measure the percentage of
> failed checks. As we want to vary the pointer that is authenticated we
> recurse down the stack.
> 

You're no longer recursing.

> Signed-off-by: Alex Bennée 
> ---
>  tests/tcg/aarch64/pauth-4.c | 54 +
>  1 file changed, 37 insertions(+), 17 deletions(-)
> 
> diff --git a/tests/tcg/aarch64/pauth-4.c b/tests/tcg/aarch64/pauth-4.c
> index 1040e92aec3..24a639e36ca 100644
> --- a/tests/tcg/aarch64/pauth-4.c
> +++ b/tests/tcg/aarch64/pauth-4.c
> @@ -1,25 +1,45 @@
>  #include 
>  #include 
> +#include 
> +#include 
> +
> +#define TESTS 1000
>  
>  int main()
>  {
> -  uintptr_t x, y;
> +int i, count = 0;
> +float perc;
> +void *base = malloc(TESTS);
> +
> +for (i = 0; i < TESTS; i++) {
> +uintptr_t in, x, y;
> +
> +in = i + (uintptr_t) base;

There's no reason all of these couldn't be char* or void* instead of casting to
uintptr_t.  Nothing else would have to change.

> +
> +asm("mov %0, %[in]\n\t"
> +"pacia %0, sp\n\t"/* sigill if pauth not supported */
> +"eor %0, %0, #4\n\t"  /* corrupt single bit */
> +"mov %1, %0\n\t"
> +"autia %1, sp\n\t"/* validate corrupted pointer */
> +"xpaci %0\n\t"/* strip pac from corrupted pointer */
> +: /* out */ "=r"(x), "=r"(y)
> +: /* in */ [in] "r" (in)
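
Review bot: `void *base = malloc(TESTS);` near the top of main() is never checked for NULL, and in the lines shown the block is used only as a source of TESTS distinct addresses. A `static char base[TESTS];` would give the same varying pointers with no allocation to fail or free.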

It's weird to have some arguments named and some not.  Why not just use %2,
since this is simple enough?

Otherwise,
Reviewed-by: Richard Henderson 

r~



Re: [PATCH 1/2] dp264: use pci_create() to initialise the cmd646 device

2020-02-16 Thread Richard Henderson
On 2/14/20 12:46 AM, Mark Cave-Ayland wrote:
> Remove the call to pci_cmd646_ide_init() since global device init functions
> are deprecated in preference of using qdev directly.
> 
> Signed-off-by: Mark Cave-Ayland 
> ---
>  hw/alpha/dp264.c | 8 +++-
>  1 file changed, 7 insertions(+), 1 deletion(-)

Reviewed-by: Richard Henderson 

r~



Re: [PATCH 2/2] cmd646: remove unused pci_cmd646_ide_init() function

2020-02-16 Thread Richard Henderson
On 2/14/20 12:46 AM, Mark Cave-Ayland wrote:
> Signed-off-by: Mark Cave-Ayland 
> ---
>  hw/ide/cmd646.c  | 12 
>  include/hw/ide.h |  2 --
>  2 files changed, 14 deletions(-)

Reviewed-by: Richard Henderson 

r~



[PATCH v2 2/2] tcg/arm: Expand epilogue inline

2020-02-16 Thread Richard Henderson
From: Richard Henderson 

It is, after all, just two instructions.

Profiling on a cortex-a15, using -d nochain to increase the number
of exit_tb that are executed, shows a minor improvement of 0.5%.

Signed-off-by: Richard Henderson 
---
 tcg/arm/tcg-target.inc.c | 12 ++--
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/tcg/arm/tcg-target.inc.c b/tcg/arm/tcg-target.inc.c
index e1aa740ba4..6aa7757aac 100644
--- a/tcg/arm/tcg-target.inc.c
+++ b/tcg/arm/tcg-target.inc.c
@@ -1745,7 +1745,6 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg 
*args, bool is64)
 #endif
 }
 
-static tcg_insn_unit *tb_ret_addr;
 static void tcg_out_epilogue(TCGContext *s);
 
 static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
@@ -1756,14 +1755,8 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode 
opc,
 
 switch (opc) {
 case INDEX_op_exit_tb:
-/* Reuse the zeroing that exists for goto_ptr.  */
-a0 = args[0];
-if (a0 == 0) {
-tcg_out_goto(s, COND_AL, s->code_gen_epilogue);
-} else {
-tcg_out_movi32(s, COND_AL, TCG_REG_R0, args[0]);
-tcg_out_goto(s, COND_AL, tb_ret_addr);
-}
+tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R0, args[0]);
+tcg_out_epilogue(s);
 break;
 case INDEX_op_goto_tb:
 {
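Review bot: in the `INDEX_op_exit_tb` case the removed comment explained why the `a0 == 0` path jumped to `s->code_gen_epilogue`, and the replacement carries no comment at all. A one-line note that the epilogue is now emitted inline at every exit_tb, trading the branch for the instructions of `tcg_out_epilogue`, would keep the reasoning next to the code rather than only in the commit message.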
@@ -2309,7 +2302,6 @@ static void tcg_target_qemu_prologue(TCGContext *s)
  */
 s->code_gen_epilogue = s->code_ptr;
 tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R0, 0);
-tb_ret_addr = s->code_ptr;
 tcg_out_epilogue(s);
 }
 
-- 
2.23.0




[PATCH v2 0/2] tcg/arm: Expand epilogue inline

2020-02-16 Thread Richard Henderson
From: Richard Henderson 

v1: http://patchwork.ozlabs.org/patch/1176721/
v2 splits the patch in half, as requested by Phil.


r~


Richard Henderson (2):
  tcg/arm: Split out tcg_out_epilogue
  tcg/arm: Expand epilogue inline

 tcg/arm/tcg-target.inc.c | 29 -
 1 file changed, 12 insertions(+), 17 deletions(-)

-- 
2.23.0




[PATCH v2 1/2] tcg/arm: Split out tcg_out_epilogue

2020-02-16 Thread Richard Henderson
From: Richard Henderson 

We will shortly use this function from tcg_out_op as well.

Signed-off-by: Richard Henderson 
---
 tcg/arm/tcg-target.inc.c | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/tcg/arm/tcg-target.inc.c b/tcg/arm/tcg-target.inc.c
index fffb6611e2..e1aa740ba4 100644
--- a/tcg/arm/tcg-target.inc.c
+++ b/tcg/arm/tcg-target.inc.c
@@ -1746,6 +1746,7 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg 
*args, bool is64)
 }
 
 static tcg_insn_unit *tb_ret_addr;
+static void tcg_out_epilogue(TCGContext *s);
 
 static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
 const TCGArg *args, const int *const_args)
@@ -2284,19 +2285,17 @@ static void tcg_out_nop_fill(tcg_insn_unit *p, int 
count)
   + TCG_TARGET_STACK_ALIGN - 1) \
  & -TCG_TARGET_STACK_ALIGN)
 
+#define STACK_ADDEND  (FRAME_SIZE - PUSH_SIZE)
+
 static void tcg_target_qemu_prologue(TCGContext *s)
 {
-int stack_addend;
-
 /* Calling convention requires us to save r4-r11 and lr.  */
 /* stmdb sp!, { r4 - r11, lr } */
 tcg_out32(s, (COND_AL << 28) | 0x092d4ff0);
 
 /* Reserve callee argument and tcg temp space.  */
-stack_addend = FRAME_SIZE - PUSH_SIZE;
-
 tcg_out_dat_rI(s, COND_AL, ARITH_SUB, TCG_REG_CALL_STACK,
-   TCG_REG_CALL_STACK, stack_addend, 1);
+   TCG_REG_CALL_STACK, STACK_ADDEND, 1);
 tcg_set_frame(s, TCG_REG_CALL_STACK, TCG_STATIC_CALL_ARGS_SIZE,
   CPU_TEMP_BUF_NLONGS * sizeof(long));
 
@@ -2310,11 +2309,15 @@ static void tcg_target_qemu_prologue(TCGContext *s)
  */
 s->code_gen_epilogue = s->code_ptr;
 tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R0, 0);
-
-/* TB epilogue */
 tb_ret_addr = s->code_ptr;
+tcg_out_epilogue(s);
+}
+
+static void tcg_out_epilogue(TCGContext *s)
+{
+/* Release local stack frame.  */
 tcg_out_dat_rI(s, COND_AL, ARITH_ADD, TCG_REG_CALL_STACK,
-   TCG_REG_CALL_STACK, stack_addend, 1);
+   TCG_REG_CALL_STACK, STACK_ADDEND, 1);
 
 /* ldmia sp!, { r4 - r11, pc } */
 tcg_out32(s, (COND_AL << 28) | 0x08bd8ff0);
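Review bot: the new `tcg_out_epilogue()` has no comment saying that its last instruction (`ldmia sp!, { r4 - r11, pc }`) returns out of the generated code, so anything emitted after a call to it is unreachable. With the `/* TB epilogue */` comment dropped in this hunk and the function about to be called from `tcg_out_op`, a short header comment stating that, and that `STACK_ADDEND` must match the prologue's `ARITH_SUB`, would help the next reader.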
-- 
2.23.0




[Bug 1855072] Re: ARM: HCR.TVM traps are not implemented

2020-02-16 Thread Richard Henderson
Yes to both.

** Changed in: qemu
   Status: New => In Progress

** Changed in: qemu
 Assignee: (unassigned) => Richard Henderson (rth)

-- 
https://bugs.launchpad.net/bugs/1855072

Title:
  ARM: HCR.TVM traps are not implemented

Status in QEMU:
  In Progress

Bug description:
  On AARCH64, setting HCR.TVM to 1 is supposed to trap all writes to
  CTLR_EL1, TTBR0_EL1, TTBR1_EL1, TCR_EL1, ESR_EL1, FAR_EL1, AFSR0_EL1,
  AFSR1_EL1, MAIR_EL1, AMAIR_EL1, and CONTEXTIDR_EL1. However, it
  currently has no effect (QEMU emulator version 4.1.1).

  It is also likely that TRVM will not trap, but, I didn't verify this.




[PATCH v23 1/9] hw/arm/virt: Introduce a RAS machine option

2020-02-16 Thread Dongjiu Geng
RAS Virtualization feature is not supported now, so add a RAS machine
option and disable it by default.

Reviewed-by: Peter Maydell 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Jonathan Cameron 
---
 hw/arm/virt.c | 23 +++
 include/hw/arm/virt.h |  1 +
 2 files changed, 24 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index f788fe2..9555b8b 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1823,6 +1823,20 @@ static void virt_set_its(Object *obj, bool value, Error 
**errp)
 vms->its = value;
 }
 
+static bool virt_get_ras(Object *obj, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+return vms->ras;
+}
+
+static void virt_set_ras(Object *obj, bool value, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+vms->ras = value;
+}
+
 static char *virt_get_gic_version(Object *obj, Error **errp)
 {
 VirtMachineState *vms = VIRT_MACHINE(obj);
@@ -2126,6 +2140,15 @@ static void virt_instance_init(Object *obj)
 "Valid values are none and smmuv3",
 NULL);
 
+/* Default disallows RAS instantiation */
+vms->ras = false;
+object_property_add_bool(obj, "ras", virt_get_ras,
+ virt_set_ras, NULL);
+object_property_set_description(obj, "ras",
+"Set on/off to enable/disable reporting 
host memory errors "
+"to a KVM guest using ACPI and guest 
external abort exceptions",
+NULL);
+
 vms->irqmap = a15irqmap;
 
 virt_flash_create(vms);
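Review bot: the description added in `virt_instance_init()` says the option reports host memory errors "to a KVM guest", but nothing in the lines shown rejects `ras=on` when KVM is not the accelerator. Unless a later patch in the series adds that check, consider failing machine init (or at least warning) in that case so the option does not silently do nothing.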
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 71508bf..c32b7c7 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -123,6 +123,7 @@ typedef struct {
 bool highmem_ecam;
 bool its;
 bool virt;
+bool ras;
 int32_t gic_version;
 VirtIOMMUType iommu;
 struct arm_boot_info bootinfo;
-- 
1.8.3.1




[PATCH v23 8/9] target-arm: kvm64: handle SIGBUS signal from kernel or KVM

2020-02-16 Thread Dongjiu Geng
Add a SIGBUS signal handler. In this handler, it checks the SIGBUS type,
translates the host VA delivered by host to guest PA, then fills this PA
to guest APEI GHES memory, then notifies guest according to the SIGBUS
type.

When guest accesses the poisoned memory, it will generate a Synchronous
External Abort(SEA). Then host kernel gets an APEI notification and calls
memory_failure() to unmap the affected page in stage 2, finally
returns to guest.

Guest continues to access the PG_hwpoison page, it will trap to KVM as
stage2 fault, then a SIGBUS_MCEERR_AR synchronous signal is delivered to
Qemu, Qemu records this error address into guest APEI GHES memory and
notifies guest using Synchronous-External-Abort(SEA).

In order to inject a vSEA, we introduce the kvm_inject_arm_sea() function
in which we can setup the type of exception and the syndrome information.
When switching to guest, the target vcpu will jump to the synchronous
external abort vector table entry.

The ESR_ELx.DFSC is set to synchronous external abort(0x10), and the
ESR_ELx.FnV is set to not valid(0x1), which will tell guest that FAR is
not valid and hold an UNKNOWN value. These values will be set to KVM
register structures through KVM_SET_ONE_REG IOCTL.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Michael S. Tsirkin 
Acked-by: Xiang Zheng 
---
 include/sysemu/kvm.h|  3 +-
 target/arm/cpu.h|  4 +++
 target/arm/helper.c |  2 +-
 target/arm/internals.h  |  5 ++--
 target/arm/kvm64.c  | 73 +
 target/arm/tlb_helper.c |  2 +-
 target/i386/cpu.h   |  2 ++
 7 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
index 141342d..3b22504 100644
--- a/include/sysemu/kvm.h
+++ b/include/sysemu/kvm.h
@@ -379,8 +379,7 @@ bool kvm_vcpu_id_is_valid(int vcpu_id);
 /* Returns VCPU ID to be used on KVM_CREATE_VCPU ioctl() */
 unsigned long kvm_arch_vcpu_id(CPUState *cpu);
 
-#ifdef TARGET_I386
-#define KVM_HAVE_MCE_INJECTION 1
+#ifdef KVM_HAVE_MCE_INJECTION
 void kvm_arch_on_sigbus_vcpu(CPUState *cpu, int code, void *addr);
 #endif
 
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 0b3036c..a8b7fb0 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -28,6 +28,10 @@
 /* ARM processors have a weak memory model */
 #define TCG_GUEST_DEFAULT_MO  (0)
 
+#ifdef TARGET_AARCH64
+#define KVM_HAVE_MCE_INJECTION 1
+#endif
+
 #define EXCP_UDEF1   /* undefined instruction */
 #define EXCP_SWI 2   /* software interrupt */
 #define EXCP_PREFETCH_ABORT  3
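Review bot: with `KVM_HAVE_MCE_INJECTION` now defined here in target/arm/cpu.h and include/sysemu/kvm.h reduced to `#ifdef KVM_HAVE_MCE_INJECTION`, the `kvm_arch_on_sigbus_vcpu()` prototype depends on cpu.h having been included before sysemu/kvm.h. A file that includes them in the other order silently loses the declaration; a comment in kvm.h stating the requirement, or a build-time check, would make that failure visible.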
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 7d15d5c..12a95b6 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3310,7 +3310,7 @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t 
value,
  * Report exception with ESR indicating a fault due to a
  * translation table walk for a cache maintenance instruction.
  */
-syn = syn_data_abort_no_iss(current_el == target_el,
+syn = syn_data_abort_no_iss(current_el == target_el, 0,
 fi.ea, 1, fi.s1ptw, 1, fsc);
 env->exception.vaddress = value;
 env->exception.fsr = fsr;
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 6d4a942..31b7b96 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -451,13 +451,14 @@ static inline uint32_t syn_insn_abort(int same_el, int 
ea, int s1ptw, int fsc)
 | ARM_EL_IL | (ea << 9) | (s1ptw << 7) | fsc;
 }
 
-static inline uint32_t syn_data_abort_no_iss(int same_el,
+static inline uint32_t syn_data_abort_no_iss(int same_el, int fnv,
  int ea, int cm, int s1ptw,
  int wnr, int fsc)
 {
 return (EC_DATAABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
| ARM_EL_IL
-   | (ea << 9) | (cm << 8) | (s1ptw << 7) | (wnr << 6) | fsc;
+   | (fnv << 10) | (ea << 9) | (cm << 8) | (s1ptw << 7)
+   | (wnr << 6) | fsc;
 }
 
 static inline uint32_t syn_data_abort_with_iss(int same_el,
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index fb21ab9..f91b611 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -28,6 +28,8 @@
 #include "sysemu/kvm_int.h"
 #include "kvm_arm.h"
 #include "internals.h"
+#include "hw/acpi/acpi.h"
+#include "hw/acpi/ghes.h"
 
 static bool have_guest_debug;
 
@@ -846,6 +848,30 @@ int kvm_arm_cpreg_level(uint64_t regidx)
 return KVM_PUT_RUNTIME_STATE;
 }
 
+/* Callers must hold the iothread mutex lock */
+static void kvm_inject_arm_sea(CPUState *c)
+{
+ARMCPU *cpu = ARM_CPU(c);
+CPUARMState *env = &cpu->env;
+CPUClass *cc = CPU_GET_CLASS(c);
+uint32_t esr;
+bool same_el;
+
+c->exception_index = EXCP_DATA_ABORT;
+env->exception.target_el = 1;
+
+/*
+ * Set the DFSC to synchronous external ab

[PATCH v23 6/9] KVM: Move hwpoison page related functions into kvm-all.c

2020-02-16 Thread Dongjiu Geng
kvm_hwpoison_page_add() and kvm_unpoison_all() will both
be used by X86 and ARM platforms, so moving them into
"accel/kvm/kvm-all.c" to avoid duplicate code.

For architectures that don't use the poison-list functionality
the reset handler will harmlessly do nothing, so let's register
the kvm_unpoison_all() function in the generic kvm_init() function.

Reviewed-by: Peter Maydell 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Acked-by: Xiang Zheng 
---
 accel/kvm/kvm-all.c  | 36 
 include/sysemu/kvm_int.h | 12 
 target/i386/kvm.c| 36 
 3 files changed, 48 insertions(+), 36 deletions(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index c111312..fc4285e 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -44,6 +44,7 @@
 #include "qapi/visitor.h"
 #include "qapi/qapi-types-common.h"
 #include "qapi/qapi-visit-common.h"
+#include "sysemu/reset.h"
 
 #include "hw/boards.h"
 
@@ -873,6 +874,39 @@ int kvm_vm_check_extension(KVMState *s, unsigned int 
extension)
 return ret;
 }
 
+typedef struct HWPoisonPage {
+ram_addr_t ram_addr;
+QLIST_ENTRY(HWPoisonPage) list;
+} HWPoisonPage;
+
+static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
+QLIST_HEAD_INITIALIZER(hwpoison_page_list);
+
+static void kvm_unpoison_all(void *param)
+{
+HWPoisonPage *page, *next_page;
+
+QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
+QLIST_REMOVE(page, list);
+qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
+g_free(page);
+}
+}
+
+void kvm_hwpoison_page_add(ram_addr_t ram_addr)
+{
+HWPoisonPage *page;
+
+QLIST_FOREACH(page, &hwpoison_page_list, list) {
+if (page->ram_addr == ram_addr) {
+return;
+}
+}
+page = g_new(HWPoisonPage, 1);
+page->ram_addr = ram_addr;
+QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
+}
+
 static uint32_t adjust_ioeventfd_endianness(uint32_t val, uint32_t size)
 {
 #if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
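Review bot: `kvm_hwpoison_page_add()` is now exported from kvm-all.c, but neither it nor `kvm_unpoison_all()` says what protects `hwpoison_page_list`; the list is walked and modified with no lock taken in the lines shown. Since the function becomes callable from target code on both x86 and ARM, the doc comment added in kvm_int.h should state the locking the caller must hold.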
@@ -2075,6 +2109,8 @@ static int kvm_init(MachineState *ms)
 s->kernel_irqchip_split = mc->default_kernel_irqchip_split ? 
ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
 }
 
+qemu_register_reset(kvm_unpoison_all, NULL);
+
 if (s->kernel_irqchip_allowed) {
 kvm_irqchip_create(s);
 }
diff --git a/include/sysemu/kvm_int.h b/include/sysemu/kvm_int.h
index ac2d1f8..c660a70 100644
--- a/include/sysemu/kvm_int.h
+++ b/include/sysemu/kvm_int.h
@@ -42,4 +42,16 @@ void kvm_memory_listener_register(KVMState *s, 
KVMMemoryListener *kml,
   AddressSpace *as, int as_id);
 
 void kvm_set_max_memslot_size(hwaddr max_slot_size);
+
+/**
+ * kvm_hwpoison_page_add:
+ *
+ * Parameters:
+ *  @ram_addr: the address in the RAM for the poisoned page
+ *
+ * Add a poisoned page to the list
+ *
+ * Return: None.
+ */
+void kvm_hwpoison_page_add(ram_addr_t ram_addr);
 #endif
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 69eb43d..b8bd979 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -24,7 +24,6 @@
 #include "sysemu/sysemu.h"
 #include "sysemu/hw_accel.h"
 #include "sysemu/kvm_int.h"
-#include "sysemu/reset.h"
 #include "sysemu/runstate.h"
 #include "kvm_i386.h"
 #include "hyperv.h"
@@ -525,40 +524,6 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, 
uint32_t index)
 }
 }
 
-
-typedef struct HWPoisonPage {
-ram_addr_t ram_addr;
-QLIST_ENTRY(HWPoisonPage) list;
-} HWPoisonPage;
-
-static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
-QLIST_HEAD_INITIALIZER(hwpoison_page_list);
-
-static void kvm_unpoison_all(void *param)
-{
-HWPoisonPage *page, *next_page;
-
-QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
-QLIST_REMOVE(page, list);
-qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
-g_free(page);
-}
-}
-
-static void kvm_hwpoison_page_add(ram_addr_t ram_addr)
-{
-HWPoisonPage *page;
-
-QLIST_FOREACH(page, &hwpoison_page_list, list) {
-if (page->ram_addr == ram_addr) {
-return;
-}
-}
-page = g_new(HWPoisonPage, 1);
-page->ram_addr = ram_addr;
-QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
-}
-
 static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
  int *max_banks)
 {
@@ -2169,7 +2134,6 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 fprintf(stderr, "e820_add_entry() table is full\n");
 return ret;
 }
-qemu_register_reset(kvm_unpoison_all, NULL);
 
 shadow_mem = object_property_get_int(OBJECT(s), "kvm-shadow-mem", 
&error_abort);
 if (shadow_mem != -1) {
-- 
1.8.3.1




[PATCH v1] acpi: nvdimm: change NVDIMM_UUID_LE to a common macro

2020-02-16 Thread Dongjiu Geng
The little end UUID is used in many places, so make
NVDIMM_UUID_LE to a common macro to convert the UUID
to a little end array.

Signed-off-by: Dongjiu Geng 
Reviewed-by: Xiang Zheng 
---
 hw/acpi/nvdimm.c| 8 ++--
 include/qemu/uuid.h | 5 +
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index 9fdad6d..232b701 100644
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -27,6 +27,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/uuid.h"
 #include "hw/acpi/acpi.h"
 #include "hw/acpi/aml-build.h"
 #include "hw/acpi/bios-linker-loader.h"
@@ -60,17 +61,12 @@ static GSList *nvdimm_get_device_list(void)
 return list;
 }
 
-#define NVDIMM_UUID_LE(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
-   { (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, ((a) >> 24) & 0xff, \
- (b) & 0xff, ((b) >> 8) & 0xff, (c) & 0xff, ((c) >> 8) & 0xff,  \
- (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }
-
 /*
  * define Byte Addressable Persistent Memory (PM) Region according to
  * ACPI 6.0: 5.2.25.1 System Physical Address Range Structure.
  */
 static const uint8_t nvdimm_nfit_spa_uuid[] =
-  NVDIMM_UUID_LE(0x66f0d379, 0xb4f3, 0x4074, 0xac, 0x43, 0x0d, 0x33,
+  UUID_LE(0x66f0d379, 0xb4f3, 0x4074, 0xac, 0x43, 0x0d, 0x33,
  0x18, 0xb7, 0x8c, 0xdb);
 
 /*
diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h
index 129c45f..bd38af5 100644
--- a/include/qemu/uuid.h
+++ b/include/qemu/uuid.h
@@ -34,6 +34,11 @@ typedef struct {
 };
 } QemuUUID;
 
+#define UUID_LE(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
+  { (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, ((a) >> 24) & 0xff, \
+ (b) & 0xff, ((b) >> 8) & 0xff, (c) & 0xff, ((c) >> 8) & 0xff,  \
+ (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }
+
 #define UUID_FMT "%02hhx%02hhx%02hhx%02hhx-" \
  "%02hhx%02hhx-%02hhx%02hhx-" \
  "%02hhx%02hhx-" \
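Review bot: `UUID_LE` lands in include/qemu/uuid.h without a comment, and as a header-wide macro it needs one: say that `a`, `b` and `c` are the 32-, 16- and 16-bit fields stored least-significant byte first, that `d0`..`d7` are copied as given, and that the result is a brace initialiser for a 16-byte array. Note also that `a` is expanded four times and `b` and `c` twice, so arguments with side effects are unsafe.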
-- 
1.8.3.1




[PATCH v23 5/9] ACPI: Record the Generic Error Status Block address

2020-02-16 Thread Dongjiu Geng
Record the GHEB address via fw_cfg file, when recording
an error to CPER, it will use this address to find out
Generic Error Data Entries and write the error.

In order to avoid migration failure, make hardware
error table address to a part of GED device instead
of global variable, then this address will be migrated
to target QEMU.

Signed-off-by: Dongjiu Geng 
Acked-by: Xiang Zheng 
---
 hw/acpi/generic_event_device.c | 18 ++
 hw/acpi/ghes.c | 17 +
 hw/arm/virt-acpi-build.c   | 10 ++
 include/hw/acpi/generic_event_device.h |  2 ++
 include/hw/acpi/ghes.h |  6 ++
 5 files changed, 53 insertions(+)

diff --git a/hw/acpi/generic_event_device.c b/hw/acpi/generic_event_device.c
index 021ed2b..d59607c 100644
--- a/hw/acpi/generic_event_device.c
+++ b/hw/acpi/generic_event_device.c
@@ -234,6 +234,23 @@ static const VMStateDescription vmstate_ged_state = {
 }
 };
 
+static bool ghes_needed(void *opaque)
+{
+return object_property_get_bool(qdev_get_machine(), "ras", NULL);
+}
+
+static const VMStateDescription vmstate_ghes_state = {
+.name = "acpi-ged/ghes",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = ghes_needed,
+.fields  = (VMStateField[]) {
+VMSTATE_STRUCT(ghes_state, AcpiGedState, 1,
+   vmstate_ghes_state, AcpiGhesState),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static const VMStateDescription vmstate_acpi_ged = {
 .name = "acpi-ged",
 .version_id = 1,
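Review bot: `vmstate_ghes_state` names itself in its own field list: `VMSTATE_STRUCT(ghes_state, AcpiGedState, 1, vmstate_ghes_state, AcpiGhesState)`. That compiles, but the description applied to the `AcpiGhesState` member is then the subsection itself, whose field is laid out against `AcpiGedState`, rather than one that describes `AcpiGhesState`. A separate `VMStateDescription` for `AcpiGhesState`, carrying its address field, should be defined and referenced here.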
@@ -244,6 +261,7 @@ static const VMStateDescription vmstate_acpi_ged = {
 },
 .subsections = (const VMStateDescription * []) {
 &vmstate_memhp_state,
+&vmstate_ghes_state,
 NULL
 }
 };
diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index 7a7381d..cea2bff 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -24,6 +24,8 @@
 #include "hw/acpi/ghes.h"
 #include "hw/acpi/aml-build.h"
 #include "qemu/error-report.h"
+#include "hw/acpi/generic_event_device.h"
+#include "hw/nvram/fw_cfg.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -213,3 +215,18 @@ void acpi_build_hest(GArray *table_data, BIOSLinker 
*linker)
 build_header(linker, table_data, (void *)(table_data->data + hest_start),
 "HEST", table_data->len - hest_start, 1, NULL, "");
 }
+
+void acpi_ghes_add_fw_cfg(AcpiGhesState *ags, FWCfgState *s,
+  GArray *hardware_error)
+{
+size_t size = 2 * sizeof(uint64_t) + ACPI_GHES_MAX_RAW_DATA_LENGTH;
+size_t request_block_size = ACPI_GHES_ERROR_SOURCE_COUNT * size;
+
+/* Create a read-only fw_cfg file for GHES */
+fw_cfg_add_file(s, ACPI_GHES_ERRORS_FW_CFG_FILE, hardware_error->data,
+request_block_size);
+
+/* Create a read-write fw_cfg file for Address */
+fw_cfg_add_file_callback(s, ACPI_GHES_DATA_ADDR_FW_CFG_FILE, NULL, NULL,
+NULL, &(ags->ghes_addr_le), sizeof(ags->ghes_addr_le), false);
+}
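Review bot: in `acpi_ghes_add_fw_cfg()` the length passed to `fw_cfg_add_file()` is `request_block_size`, computed from constants, while the buffer is `hardware_error->data`; nothing here ties the two together. If the GArray is ever shorter than that, the guest can read past the end of it through fw_cfg. Pass `hardware_error->len`, or assert that it is at least `request_block_size`.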
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 12a9a78..d6e7521 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -832,6 +832,7 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables 
*tables)
 build_spcr(tables_blob, tables->linker, vms);
 
 if (vms->ras) {
+assert(vms->acpi_dev);
 acpi_add_table(table_offsets, tables_blob);
 build_ghes_error_table(tables->hardware_errors, tables->linker);
 acpi_build_hest(tables_blob, tables->linker);
@@ -924,6 +925,7 @@ void virt_acpi_setup(VirtMachineState *vms)
 {
 AcpiBuildTables tables;
 AcpiBuildState *build_state;
+AcpiGedState *acpi_ged_state;
 
 if (!vms->fw_cfg) {
 trace_virt_acpi_setup();
@@ -954,6 +956,14 @@ void virt_acpi_setup(VirtMachineState *vms)
 fw_cfg_add_file(vms->fw_cfg, ACPI_BUILD_TPMLOG_FILE, tables.tcpalog->data,
 acpi_data_len(tables.tcpalog));
 
+if (vms->ras) {
+assert(vms->acpi_dev);
+acpi_ged_state = ACPI_GED(object_resolve_path_type("", TYPE_ACPI_GED,
+   NULL));
+acpi_ghes_add_fw_cfg(&acpi_ged_state->ghes_state,
+ vms->fw_cfg, tables.hardware_errors);
+}
+
 build_state->rsdp_mr = acpi_add_rom_blob(virt_acpi_build_update,
  build_state, tables.rsdp,
  ACPI_BUILD_RSDP_FILE, 0);
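Review bot: `virt_acpi_setup()` asserts `vms->acpi_dev` and then ignores it, looking the device up again with `object_resolve_path_type("", TYPE_ACPI_GED, NULL)`. That lookup can return NULL when there is no unique match, and the result is used without a check. `ACPI_GED(vms->acpi_dev)` uses the pointer that was just asserted and avoids the second lookup.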
diff --git a/include/hw/acpi/generic_event_device.h 
b/include/hw/acpi/generic_event_device.h
index d157eac..037d2b5 100644
--- a/include/hw/acpi/generic_event_device.h
+++ b/include/hw/acpi/generic_event_device.h
@@ -61,6 +61,7 @@
 
 #include "hw/sysbus.h"
 #include "hw/acpi/memory_hotplug.h"
+#include "hw/acpi/ghes.h"
 
 #define ACPI_POWER_BUTTON_DEVICE "PWRB"
 
@@ -95,6 +96,7 @@ typedef struct 

[PATCH v23 2/9] docs: APEI GHES generation and CPER record description

2020-02-16 Thread Dongjiu Geng
Add APEI/GHES detailed design document

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Michael S. Tsirkin 
Reviewed-by: Igor Mammedov 
---
 docs/specs/acpi_hest_ghes.rst | 110 ++
 docs/specs/index.rst  |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 docs/specs/acpi_hest_ghes.rst

diff --git a/docs/specs/acpi_hest_ghes.rst b/docs/specs/acpi_hest_ghes.rst
new file mode 100644
index 000..68f1fbe
--- /dev/null
+++ b/docs/specs/acpi_hest_ghes.rst
@@ -0,0 +1,110 @@
+APEI tables generating and CPER record
+==
+
+..
+   Copyright (c) 2020 HUAWEI TECHNOLOGIES CO., LTD.
+
+   This work is licensed under the terms of the GNU GPL, version 2 or later.
+   See the COPYING file in the top-level directory.
+
+Design Details
+--
+
+::
+
+ etc/acpi/tables   etc/hardware_errors
+     ===
+  + +--+++
+  | | HEST | +->|error_block_address1
|--+
+  | +--+ |  ++ 
 |
+  | | GHES1| | +--->|error_block_address2
|--+-+
+  | +--+ | |++ 
 | |
+  | | .| | ||  ..| 
 | |
+  | | error_status_address-+-+ |-+ 
 | |
+  | | .|   |   +--->|error_block_addressN
|--+-+---+
+  | | read_ack_register+-+ |   |++ 
 | |   |
+  | | read_ack_preserve| +-+---+--->| read_ack_register1 | 
 | |   |
+  | | read_ack_write   |   |   |++ 
 | |   |
+  + +--+   | +-+--->| read_ack_register2 | 
 | |   |
+  | | GHES2|   | | |++ 
 | |   |
+  + +--+   | | ||   .| 
 | |   |
+  | | .|   | | |++ 
 | |   |
+  | | error_status_address-+---+ | | +->| read_ack_registerN | 
 | |   |
+  | | .| | | |  ++ 
 | |   |
+  | | read_ack_register+-+ | |  |Generic Error Status Block 
1|<-+ |   |
+  | | read_ack_preserve|   | |  |-++-+ 
   |   |
+  | | read_ack_write   |   | |  | |  CPER  | | 
   |   |
+  + +--|   | |  | |  CPER  | | 
   |   |
+  | | ...  |   | |  | |    | | 
   |   |
+  + +--+   | |  | |  CPER  | | 
   |   |
+  | | GHESN|   | |  |-++-| 
   |   |
+  + +--+   | |  |Generic Error Status Block 
2|<---+   |
+  | | .|   | |  |-++-+ 
   |
+  | | error_status_address-+---+ |  | |   CPER | | 
   |
+  | | .| |  | |   CPER | | 
   |
+  | | read_ack_register+-+  | |    | | 
   |
+  | | read_ack_preserve|| |   CPER | | 
   |
+  | | read_ack_write   |+-++-+ 
   |
+  + +--+| .. | 
   |
+|+ 
   |
+|Generic Error Status Block N 
|<--+
+|-+-+-+
+| |  CPER   | |
+| |  CPER   | |
+| |     | |
+| |  CPER   | |
++-+-+-+
+
+
+(1) QEMU generates the ACPI HEST table. This table goes in the current
+"etc/acpi/tables" fw_cfg blob. Each error source has different
+notification types.
+
+(2) A new fw_cfg blob called "etc/hardware_errors" is introduced. QEMU
+also needs to populate this blob. The "etc/hardware_errors" fw_cfg blob
+contains an address registers table and an Error Status Data Block table.
+
+(3) The address registers table contains N Error Block Address entries
+and N Read Ack Registe
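Review bot: the title "APEI tables generating and CPER record" and step (1) need rewording. "APEI table generation and CPER records" reads better, and "Each error source has different notification types" does not say which notification type QEMU emits. The series states that only the ARMv8 SEA source is supported, so step (1) should name it to keep the document in line with the code.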

[PATCH v23 4/9] ACPI: Build Hardware Error Source Table

2020-02-16 Thread Dongjiu Geng
This patch builds Hardware Error Source Table(HEST) via fw_cfg blobs.
Now it only supports ARMv8 SEA, a type of Generic Hardware Error
Source version 2(GHESv2) error source. Afterwards, we can extend
the supported types if needed. For the CPER section, currently it
is memory section because kernel mainly wants userspace to handle
the memory errors.

This patch follows the spec ACPI 6.2 to build the Hardware Error
Source table. For more detailed information, please refer to
document: docs/specs/acpi_hest_ghes.rst

build_ghes_hw_error_notification() helper will help to add Hardware
Error Notification to ACPI tables without using packed C structures
and avoid endianness issues as API doesn't need explicit conversion.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Acked-by: Xiang Zheng 
---
 hw/acpi/ghes.c   | 126 +++
 hw/arm/virt-acpi-build.c |   1 +
 include/hw/acpi/ghes.h   |  39 +++
 3 files changed, 166 insertions(+)

diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index e1b3f8f..7a7381d 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -23,6 +23,7 @@
 #include "qemu/units.h"
 #include "hw/acpi/ghes.h"
 #include "hw/acpi/aml-build.h"
+#include "qemu/error-report.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -33,6 +34,42 @@
 /* Now only support ARMv8 SEA notification type error source */
 #define ACPI_GHES_ERROR_SOURCE_COUNT1
 
+/* Generic Hardware Error Source version 2 */
+#define ACPI_GHES_SOURCE_GENERIC_ERROR_V2   10
+
+/* Address offset in Generic Address Structure(GAS) */
+#define GAS_ADDR_OFFSET 4
+
+/*
+ * Hardware Error Notification
+ * ACPI 4.0: 17.3.2.7 Hardware Error Notification
+ * Composes dummy Hardware Error Notification descriptor of specified type
+ */
+static void build_ghes_hw_error_notification(GArray *table, const uint8_t type)
+{
+/* Type */
+build_append_int_noprefix(table, type, 1);
+/*
+ * Length:
+ * Total length of the structure in bytes
+ */
+build_append_int_noprefix(table, 28, 1);
+/* Configuration Write Enable */
+build_append_int_noprefix(table, 0, 2);
+/* Poll Interval */
+build_append_int_noprefix(table, 0, 4);
+/* Vector */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+}
+
 /*
  * Build table for the hardware error fw_cfg blob.
  * Initialize "etc/hardware_errors" and "etc/hardware_errors_addr" fw_cfg 
blobs.
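Review bot: the Length field in build_ghes_hw_error_notification() is the bare literal 28, and nothing checks it against the fields appended around it (1 + 1 + 2 + 6 * 4 bytes). A named constant, or an assert on how much table->len grew by the end of the function, would catch a field being added or resized later. The comment cites ACPI 4.0 17.3.2.7 while the commit message says the table follows ACPI 6.2; reference one spec revision consistently.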
@@ -87,3 +124,92 @@ void build_ghes_error_table(GArray *hardware_errors, 
BIOSLinker *linker)
 bios_linker_loader_write_pointer(linker, ACPI_GHES_DATA_ADDR_FW_CFG_FILE,
 0, sizeof(uint64_t), ACPI_GHES_ERRORS_FW_CFG_FILE, 0);
 }
+
+/* Build Generic Hardware Error Source version 2 (GHESv2) */
+static void build_ghes_v2(GArray *table_data, int source_id, BIOSLinker 
*linker)
+{
+uint64_t address_offset;
+/*
+ * Type:
+ * Generic Hardware Error Source version 2(GHESv2 - Type 10)
+ */
+build_append_int_noprefix(table_data, ACPI_GHES_SOURCE_GENERIC_ERROR_V2, 
2);
+/* Source Id */
+build_append_int_noprefix(table_data, source_id, 2);
+/* Related Source Id */
+build_append_int_noprefix(table_data, 0x, 2);
+/* Flags */
+build_append_int_noprefix(table_data, 0, 1);
+/* Enabled */
+build_append_int_noprefix(table_data, 1, 1);
+
+/* Number of Records To Pre-allocate */
+build_append_int_noprefix(table_data, 1, 4);
+/* Max Sections Per Record */
+build_append_int_noprefix(table_data, 1, 4);
+/* Max Raw Data Length */
+build_append_int_noprefix(table_data, ACPI_GHES_MAX_RAW_DATA_LENGTH, 4);
+
+address_offset = table_data->len;
+/* Error Status Address */
+build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 0x40, 0,
+ 4 /* QWord access */, 0);
+bios_linker_loader_add_pointer(linker, ACPI_BUILD_TABLE_FILE,
+address_offset + GAS_ADDR_OFFSET, sizeof(uint64_t),
+ACPI_GHES_ERRORS_FW_CFG_FILE, source_id * sizeof(uint64_t));
+
+switch (source_id) {
+case ACPI_HEST_SRC_ID_SEA:
+/*
+ * Notification Structure
+ * Now only enable ARMv8 SEA notification type
+ */
+build_ghes_hw_error_notification(table_data, ACPI_GHES_NOTIFY_SEA);
+break;
+default:
+error_report("Not support this error source");
+abort();
+}
+
+/* Error Status Block Length */
+build_append_int_noprefix(table_data, ACPI_GHES_MAX_RAW_DATA_LENGTH, 4);
+
+/*
+ * Read Ack Register
+ * ACPI 6.1: 18.3.2.8 Generic Hardware Error Sou
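Review bot: in build_ghes_v2() source_id feeds the linker offset, source_id * sizeof(uint64_t), before the switch that rejects unknown sources, and it is a signed int with no check against ACPI_GHES_ERROR_SOURCE_COUNT. Move the validation, or an assert on the range, to the top of the function so an unsupported id never reaches bios_linker_loader_add_pointer(). The message "Not support this error source" should also print the offending source_id.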

[PATCH v23 3/9] ACPI: Build related register address fields via hardware error fw_cfg blob

2020-02-16 Thread Dongjiu Geng
This patch builds error_block_address and read_ack_register fields
in hardware errors table. The error_block_address points to Generic
Error Status Block (GESB) via bios_linker. The max size for one GESB
is 1kb in bytes. For more detailed information, please refer to
document: docs/specs/acpi_hest_ghes.rst

Now we only support one Error source, if necessary, we can extend to
support more.

Suggested-by: Laszlo Ersek 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Jonathan Cameron 
---
 default-configs/arm-softmmu.mak |  1 +
 hw/acpi/Kconfig |  4 ++
 hw/acpi/Makefile.objs   |  1 +
 hw/acpi/aml-build.c |  2 +
 hw/acpi/ghes.c  | 89 +
 hw/arm/virt-acpi-build.c|  6 +++
 include/hw/acpi/aml-build.h |  1 +
 include/hw/acpi/ghes.h  | 28 +
 8 files changed, 132 insertions(+)
 create mode 100644 hw/acpi/ghes.c
 create mode 100644 include/hw/acpi/ghes.h

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index 645e620..7648be0 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -41,3 +41,4 @@ CONFIG_FSL_IMX25=y
 CONFIG_FSL_IMX7=y
 CONFIG_FSL_IMX6UL=y
 CONFIG_SEMIHOSTING=y
+CONFIG_ACPI_APEI=y
diff --git a/hw/acpi/Kconfig b/hw/acpi/Kconfig
index 54209c6..1932f66 100644
--- a/hw/acpi/Kconfig
+++ b/hw/acpi/Kconfig
@@ -28,6 +28,10 @@ config ACPI_HMAT
 bool
 depends on ACPI
 
+config ACPI_APEI
+bool
+depends on ACPI
+
 config ACPI_PCI
 bool
 depends on ACPI && PCI
diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
index 777da07..28c5ddb 100644
--- a/hw/acpi/Makefile.objs
+++ b/hw/acpi/Makefile.objs
@@ -8,6 +8,7 @@ common-obj-$(CONFIG_ACPI_NVDIMM) += nvdimm.o
 common-obj-$(CONFIG_ACPI_VMGENID) += vmgenid.o
 common-obj-$(CONFIG_ACPI_HW_REDUCED) += generic_event_device.o
 common-obj-$(CONFIG_ACPI_HMAT) += hmat.o
+common-obj-$(CONFIG_ACPI_APEI) += ghes.o
 common-obj-$(call lnot,$(CONFIG_ACPI_X86)) += acpi-stub.o
 common-obj-$(call lnot,$(CONFIG_PC)) += acpi-x86-stub.o
 
diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index 2c3702b..3681ec6 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -1578,6 +1578,7 @@ void acpi_build_tables_init(AcpiBuildTables *tables)
 tables->table_data = g_array_new(false, true /* clear */, 1);
 tables->tcpalog = g_array_new(false, true /* clear */, 1);
 tables->vmgenid = g_array_new(false, true /* clear */, 1);
+tables->hardware_errors = g_array_new(false, true /* clear */, 1);
 tables->linker = bios_linker_loader_init();
 }
 
@@ -1588,6 +1589,7 @@ void acpi_build_tables_cleanup(AcpiBuildTables *tables, 
bool mfre)
 g_array_free(tables->table_data, true);
 g_array_free(tables->tcpalog, mfre);
 g_array_free(tables->vmgenid, mfre);
+g_array_free(tables->hardware_errors, mfre);
 }
 
 /*
diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
new file mode 100644
index 000..e1b3f8f
--- /dev/null
+++ b/hw/acpi/ghes.c
@@ -0,0 +1,89 @@
+/*
+ * Support for generating APEI tables and recording CPER for Guests
+ *
+ * Copyright (c) 2020 HUAWEI TECHNOLOGIES CO., LTD.
+ *
+ * Author: Dongjiu Geng 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "hw/acpi/ghes.h"
+#include "hw/acpi/aml-build.h"
+
+#define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
+#define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
+
+/* The max size in bytes for one error block */
+#define ACPI_GHES_MAX_RAW_DATA_LENGTH   (1 * KiB)
+
+/* Now only support ARMv8 SEA notification type error source */
+#define ACPI_GHES_ERROR_SOURCE_COUNT1
+
+/*
+ * Build table for the hardware error fw_cfg blob.
+ * Initialize "etc/hardware_errors" and "etc/hardware_errors_addr" fw_cfg 
blobs.
+ * See docs/specs/acpi_hest_ghes.rst for blobs format.
+ */
+void build_ghes_error_table(GArray *hardware_errors, BIOSLinker *linker)
+{
+int i, error_status_block_offset;
+
+/* Build error_block_address */
+for (i = 0; i < ACPI_GHES_ERROR_SOURCE_COUNT; i++) {
+build_append_int_noprefix(hardware_errors, 0, sizeof(uint64_t));
+}
+
+/* Build read_ack_register */
+for (i = 0; i < ACPI_GHES_ERROR_SOURCE_COUNT; i++) {
+/*
+ * Initialize the valu

[PATCH v23 0/9] Add ARMv8 RAS virtualization support in QEMU

2020-02-16 Thread Dongjiu Geng
In the ARMv8 platform, the CPU error types include synchronous external
abort (SEA) and SError Interrupt (SEI). If exception happens in guest, host
does not know the detailed information of guest, so it is expected that guest
can do the recovery. For example, if an exception happens in a guest
user-space application, host does not know which application encounters
errors, only guest knows it.

For the ARMv8 SEA/SEI, KVM or host kernel delivers SIGBUS to notify userspace.
After user space gets the notification, it will record the CPER into guest GHES
buffer and inject an exception or IRQ to guest.

In the current implementation, if the type of SIGBUS is BUS_MCEERR_AR, we will
treat it as a synchronous exception, and notify guest with ARMv8 SEA
notification type after recording CPER into guest.

A) This series of patches are based on Qemu 4.2, which include two parts:
1. Generate APEI/GHES table.
2. Handle the SIGBUS signal, record the CPER in runtime and fill it into guest
   memory, then notify guest according to the type of SIGBUS.

B) The solution was suggested by James(james.mo...@arm.com); The APEI part
solution was suggested by Laszlo(ler...@redhat.com). Show some discussions
in [1].

C) This series of patches have already been tested on ARM64 platform with RAS
feature enabled:
1. Show the APEI part verification result in [2].
2. Show the SIGBUS of BUS_MCEERR_AR handling verification result in [3].

D) Add 'ras' option in command line to enable guest RAS error recovery
feature. For example:
KVM model: ./qemu-system-aarch64 --enable-kvm -cpu host --bios QEMU_EFI.fd_new -machine virt,gic-version=3,ras,kernel-irqchip=on -smp 4 -nographic -kernel Image -append "rdinit=/init console=ttyAMA0 mem=512M root=/dev/ram0" -initrd guestfs_new.cpio.gz
TCG model: ./qemu-system-aarch64 -cpu cortex-a57 --bios QEMU_EFI.fd_new -machine virt,gic-version=3,ras,kernel-irqchip=on -smp 4 -nographic -kernel Image -append "rdinit=/init console=ttyAMA0 mem=512M root=/dev/ram0" -initrd guestfs_new.cpio.gz
---
Change since v22:
1. Using 1 * KiB instead of 0x400 to define max size of one error block
2. Make the alignment to 8 bytes in bios_linker_loader_alloc()
3. Change "Copyright (c) 2019" to "Copyright (c) 2020" in file header
4. Fix some code style warnings/errors and add some comments in code
5. Address Jonathan's comments to easily support CCIX error injection
6. Add vmstate_ghes_state .subsections in vmstate_acpi_ged

Change since v21:
1. Make the user-facing 'ras' option description more clearly to address
   Peter's comments.
2. Update the doc description in "docs/specs/acpi_hest_ghes.rst"
3. Split HEST/GHES patches to more patches to make the review easily
4. Using source_id to index the location to save the CPER.
5. Optimize and simplify the logic to build HEST/GHES table to address
   Igor/Michael/Beata comments.
6. make ghes_addr_le a part of GED device.

Change since v20:
1. Move some implementation details from acpi_ghes.h to acpi_ghes.c
2. Add the reviewers for the ACPI/APEI/GHES part

Change since v19:
1. Fix clang compile error
2. Fix sphinx build error

Change since v18:
1. Fix some code-style and typo/grammar problems.
2. Remove no_ras in the VirtMachineClass struct.
3. Convert documentation to rst format.
4. Simplify the code and add comments for some magic value.
5. Move kvm_inject_arm_sea() function into the patch where it's used.
6. Register the reset handler(kvm_unpoison_all()) in the kvm_init() function.

Change since v17:
1. Improve some commit messages and comments.
2. Fix some code-style problems.
3. Add a *ras* machine option.
4. Move HEST/GHES related structures and macros into "hw/acpi/acpi_ghes.*".
5. Move HWPoison page functions into "include/sysemu/kvm_int.h".
6. Fix some bugs.
7. Improve the design document.

Change since v16:
1. check whether ACPI table is enabled when handling the memory error in the
   SIGBUS handler.

Change since v15:
1. Add a doc-comment in the proper format for 'include/exec/ram_addr.h'
2. Remove write_part_cpustate_to_list() because there is another bug fix patch
   has been merged "arm: Allow system registers for KVM guests to be changed by
   QEMU code"
3. Add some comments for kvm_inject_arm_sea() in 'target/arm/kvm64.c'
4. Compare the arm_current_el() return value to 0,1,2,3, not to PSTATE_MODE_*
   constants.
5. Change the RAS support wasn't introduced before 4.1 QEMU version.
6. Move the no_ras flag patch to begin in this series

Change since v14:
1. Remove the BUS_MCEERR_AO handling logic because this asynchronous signal was
   masked by main thread
2. Address some Igor Mammedov's comments(ACPI part)
   1) change the comments for the enum AcpiHestNotifyType definition and remove
      ditto in patch 1
   2) change some patch commit messages and separate "APEI GHES table
      generation" patch to more patches.
3. Address some peter's comments(arm64 Synchronous External Abort injection)
   1) change some code notes
   2) using arm_current_el() for current EL
   2) use

[PATCH v23 9/9] MAINTAINERS: Add ACPI/HEST/GHES entries

2020-02-16 Thread Dongjiu Geng
I and Xiang are willing to review the APEI-related patches and
volunteer as the reviewers for the HEST/GHES part.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Philippe Mathieu-Daudé 
Acked-by: Michael S. Tsirkin 
---
 MAINTAINERS | 9 +
 1 file changed, 9 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index c7717df..0748475 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1446,6 +1446,15 @@ F: tests/qtest/bios-tables-test.c
 F: tests/qtest/acpi-utils.[hc]
 F: tests/data/acpi/
 
+ACPI/HEST/GHES
+R: Dongjiu Geng 
+R: Xiang Zheng 
+L: qemu-...@nongnu.org
+S: Maintained
+F: hw/acpi/ghes.c
+F: include/hw/acpi/ghes.h
+F: docs/specs/acpi_hest_ghes.rst
+
 ppc4xx
 M: David Gibson 
 L: qemu-...@nongnu.org
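Review bot: the new ACPI/HEST/GHES section is marked "S: Maintained" but lists only R: entries and no M: line. Either add a maintainer or choose a status that fits a reviewers-only section, so contributors know who takes patches for these three files.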
-- 
1.8.3.1




[PATCH v23 7/9] ACPI: Record Generic Error Status Block(GESB) table

2020-02-16 Thread Dongjiu Geng
kvm_arch_on_sigbus_vcpu() error injection uses source_id as
index in etc/hardware_errors to find out Error Status Data
Block entry corresponding to error source. So supported source_id
values should be assigned here and not be changed afterwards to
make sure that guest will write error into expected Error Status
Data Block.

Before QEMU writes a new error to ACPI table, it will check whether
previous error has been acknowledged. If not acknowledged, the new
errors will be ignored and not be recorded. For the errors section
type, QEMU simulates it as a memory section error.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 hw/acpi/ghes.c | 218 +
 include/hw/acpi/ghes.h |   1 +
 2 files changed, 219 insertions(+)

diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index cea2bff..8e114ee 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -26,6 +26,7 @@
 #include "qemu/error-report.h"
 #include "hw/acpi/generic_event_device.h"
 #include "hw/nvram/fw_cfg.h"
+#include "qemu/uuid.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -43,6 +44,40 @@
 #define GAS_ADDR_OFFSET 4
 
 /*
+ * The total size of Generic Error Data Entry
+ * ACPI 6.1/6.2: 18.3.2.7.1 Generic Error Data,
+ * Table 18-343 Generic Error Data Entry
+ */
+#define ACPI_GHES_DATA_LENGTH   72
+
+/* The memory section CPER size, UEFI 2.6: N.2.5 Memory Error Section */
+#define ACPI_GHES_MEM_CPER_LENGTH   80
+
+/* Masks for block_status flags */
+#define ACPI_GEBS_UNCORRECTABLE 1
+
+#define UEFI_CPER_SEC_PLATFORM_MEM  \
+UUID_LE(0xA5BC1114, 0x6F64, 0x4EDE, 0xB8, 0x63, 0x3E, 0x83, \
+0xED, 0x7C, 0x83, 0xB1)
+
+/*
+ * Total size for Generic Error Status Block except Generic Error Data Entries
+ * ACPI 6.2: 18.3.2.7.1 Generic Error Data,
+ * Table 18-380 Generic Error Status Block
+ */
+#define ACPI_GHES_GESB_SIZE 20
+
+/*
+ * Values for error_severity field
+ */
+enum AcpiGenericErrorSeverity {
+ACPI_CPER_SEV_RECOVERABLE = 0,
+ACPI_CPER_SEV_FATAL = 1,
+ACPI_CPER_SEV_CORRECTED = 2,
+ACPI_CPER_SEV_NONE = 3,
+};
+
+/*
  * Hardware Error Notification
  * ACPI 4.0: 17.3.2.7 Hardware Error Notification
  * Composes dummy Hardware Error Notification descriptor of specified type
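Review bot: ACPI_GHES_DATA_LENGTH (72), ACPI_GHES_MEM_CPER_LENGTH (80) and ACPI_GHES_GESB_SIZE (20) are hand-counted sizes that must equal what the builder functions append, and nothing enforces that. Assert on the growth of table->len at the end of each builder, or derive the totals from the appended lengths, so a resized field cannot silently desynchronise the Data Length the guest will trust. Naming nit: ACPI_GEBS_UNCORRECTABLE uses "GEBS" where every other identifier uses "GESB", and the status-block comment cites the same section heading, "18.3.2.7.1 Generic Error Data", as the data-entry comment.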
@@ -73,6 +108,131 @@ static void build_ghes_hw_error_notification(GArray 
*table, const uint8_t type)
 }
 
 /*
+ * Generic Error Data Entry
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_data(GArray *table, QemuUUID section_type,
+uint32_t error_severity, uint8_t validation_bits, uint8_t 
flags,
+uint32_t error_data_length, QemuUUID fru_id,
+uint64_t time_stamp)
+{
+/* Section Type */
+g_array_append_vals(table, section_type.data,
+ARRAY_SIZE(section_type.data));
+
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+/* Revision */
+build_append_int_noprefix(table, 0x300, 2);
+/* Validation Bits */
+build_append_int_noprefix(table, validation_bits, 1);
+/* Flags */
+build_append_int_noprefix(table, flags, 1);
+/* Error Data Length */
+build_append_int_noprefix(table, error_data_length, 4);
+
+/* FRU Id */
+g_array_append_vals(table, fru_id.data, ARRAY_SIZE(fru_id.data));
+
+/* FRU Text */
+build_append_int_noprefix(table, 0, 20);
+/* Timestamp */
+build_append_int_noprefix(table, time_stamp, 8);
+}
+
+/*
+ * Generic Error Status Block
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_status(GArray *table, uint32_t 
block_status,
+uint32_t raw_data_offset, uint32_t raw_data_length,
+uint32_t data_length, uint32_t error_severity)
+{
+/* Block Status */
+build_append_int_noprefix(table, block_status, 4);
+/* Raw Data Offset */
+build_append_int_noprefix(table, raw_data_offset, 4);
+/* Raw Data Length */
+build_append_int_noprefix(table, raw_data_length, 4);
+/* Data Length */
+build_append_int_noprefix(table, data_length, 4);
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+}
+
+/* UEFI 2.6: N.2.5 Memory Error Section */
+static void acpi_ghes_build_append_mem_cper(GArray *table,
+uint64_t error_physical_addr)
+{
+/*
+ * Memory Error Record
+ */
+
+/* Validation Bits */
+build_append_int_noprefix(table,
+  (1ULL << 14) | /* Type Valid */
+  (1ULL << 1) /* Physical Address Valid */,
+  8);
+/* Error Status */
+build_append_int_noprefix(table, 0, 8);
+/* Physical Address */
+build_append_int_noprefix(table, error_physical_addr, 8);
+/* S
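
The acknowledge-before-overwrite rule from the commit message above, using the sizes quoted in its hunk (20-byte status block, 72-byte data entry, 80-byte memory section, 1 KiB block), as an added example that is not code from the patch or from QEMU. struct error_source, the cursor helpers, the result codes and the read_ack encoding (1 = acknowledged) are assumptions of this example, and the consumer-side parser goes beyond what the patch shows.

```c
#include <stdint.h>
#include <string.h>

/* Sizes and flag bits quoted from the patch on this page. */
#define GESB_SIZE        20    /* ACPI_GHES_GESB_SIZE */
#define GED_ENTRY_SIZE   72    /* ACPI_GHES_DATA_LENGTH */
#define MEM_CPER_SIZE    80    /* ACPI_GHES_MEM_CPER_LENGTH */
#define ERROR_BLOCK_MAX  1024  /* ACPI_GHES_MAX_RAW_DATA_LENGTH, 1 KiB */
#define PHYS_ADDR_VALID  (1ULL << 1)
#define TYPE_VALID       (1ULL << 14)

/* UEFI_CPER_SEC_PLATFORM_MEM from the patch, laid out in UUID_LE byte order. */
static const uint8_t SEC_PLATFORM_MEM[16] = {
    0x14, 0x11, 0xBC, 0xA5, 0x64, 0x6F, 0xDE, 0x4E,
    0xB8, 0x63, 0x3E, 0x83, 0xED, 0x7C, 0x83, 0xB1
};

enum { RECORDED = 0, ERR_NOT_ACKED = -1, ERR_OVERFLOW = -2, ERR_MALFORMED = -3 };
struct error_source {                /* hypothetical model, not a QEMU type */
    uint64_t read_ack;               /* assumption: 1 = acknowledged, 0 = pending */
    uint8_t block[ERROR_BLOCK_MAX];  /* one Generic Error Status Block */
};
struct cursor { uint8_t *buf; size_t len, cap; int overflow; };  /* bounded append */

static void put_bytes(struct cursor *c, const void *src, size_t n)
{
    if (c->overflow || n > c->cap - c->len) { c->overflow = 1; return; }
    if (src) memcpy(c->buf + c->len, src, n);
    else memset(c->buf + c->len, 0, n);      /* NULL source means zero fill */
    c->len += n;
}

static void put_le(struct cursor *c, uint64_t v, size_t n)   /* n <= 8 */
{
    uint8_t tmp[8];
    for (size_t i = 0; i < 8; i++) tmp[i] = (uint8_t)(v >> (8 * i));
    put_bytes(c, tmp, n);
}

static uint64_t get_le(const uint8_t *p, size_t n)           /* n <= 8 */
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Producer: refuse to overwrite a block the consumer has not acknowledged. */
static int record_memory_error(struct error_source *src, uint64_t paddr)
{
    uint8_t tmp[ERROR_BLOCK_MAX];
    struct cursor c = { tmp, 0, sizeof(tmp), 0 };
    if (src->read_ack != 1) return ERR_NOT_ACKED;
    put_le(&c, 1, 4);                               /* GESB: Block Status, uncorrectable */
    put_le(&c, 0, 8);                               /* Raw Data Offset and Length */
    put_le(&c, GED_ENTRY_SIZE + MEM_CPER_SIZE, 4);  /* Data Length */
    put_le(&c, 0, 4);                               /* Error Severity: recoverable */
    put_bytes(&c, SEC_PLATFORM_MEM, 16);            /* Data Entry: Section Type */
    put_le(&c, 0, 4);                               /* Error Severity */
    put_le(&c, 0x300, 2);                           /* Revision */
    put_le(&c, 0, 2);                               /* Validation Bits, Flags */
    put_le(&c, MEM_CPER_SIZE, 4);                   /* Error Data Length */
    put_bytes(&c, NULL, 16 + 20);                   /* FRU Id, FRU Text */
    put_le(&c, 0, 8);                               /* Timestamp */
    /* Memory Error Section, 80 bytes; fields after the address stay zero here */
    put_le(&c, TYPE_VALID | PHYS_ADDR_VALID, 8);    /* Validation Bits */
    put_le(&c, 0, 8);                               /* Error Status */
    put_le(&c, paddr, 8);                           /* Physical Address */
    put_bytes(&c, NULL, MEM_CPER_SIZE - 24);
    if (c.overflow || c.len != GESB_SIZE + GED_ENTRY_SIZE + MEM_CPER_SIZE)
        return ERR_OVERFLOW;
    memcpy(src->block, tmp, c.len);
    src->read_ack = 0;                              /* pending until acknowledged */
    return RECORDED;
}

/* Consumer: validate every length before trusting an offset derived from it. */
static int parse_memory_error(const uint8_t *blk, size_t cap, uint64_t *paddr)
{
    if (cap < GESB_SIZE + GED_ENTRY_SIZE) return ERR_MALFORMED;
    uint64_t data_len = get_le(blk + 12, 4);             /* Data Length */
    uint64_t sec_len = get_le(blk + GESB_SIZE + 24, 4);  /* Error Data Length */
    if (data_len < GED_ENTRY_SIZE || data_len > cap - GESB_SIZE ||
        sec_len < MEM_CPER_SIZE || sec_len > data_len - GED_ENTRY_SIZE ||
        memcmp(blk + GESB_SIZE, SEC_PLATFORM_MEM, 16) != 0)
        return ERR_MALFORMED;
    const uint8_t *sec = blk + GESB_SIZE + GED_ENTRY_SIZE;
    if (!(get_le(sec, 8) & PHYS_ADDR_VALID)) return ERR_MALFORMED;
    *paddr = get_le(sec + 16, 8);
    return 0;
}

int main(void)
{
    static struct error_source src = { .read_ack = 1 };  /* constructed state */
    uint64_t pa = 0;
    return !(record_memory_error(&src, 0x40001000ULL) == RECORDED &&
             record_memory_error(&src, 0x50000000ULL) == ERR_NOT_ACKED &&
             parse_memory_error(src.block, sizeof(src.block), &pa) == 0);
}
```

The second record call is dropped because the first block is still pending, which is the behaviour the commit message describes for an unacknowledged error.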

Re: [PATCH v3 1/2] target/arm: Support SError injection

2020-02-16 Thread Marc Zyngier

Hi Gavin,

On 2020-02-14 05:59, Gavin Shan wrote:

This supports SError injection, which will be used by "virt" board to
simulate the behavior of NMI injection in next patch. As Peter Maydell
suggested, this adds a new interrupt (ARM_CPU_SERROR), which is parallel
to CPU_INTERRUPT_HARD. The backend depends on if kvm is enabled or not.
kvm_vcpu_ioctl(cpu, KVM_SET_VCPU_EVENTS) is leveraged to inject SError
or data abort to guest. When TCG is enabled, the behavior is simulated
by injecting SError and data abort to guest.

Signed-off-by: Gavin Shan 
---
 target/arm/cpu.c  | 69 +++
 target/arm/cpu.h  | 17 ++-
 target/arm/helper.c   |  6 
 target/arm/m_helper.c |  8 +
 4 files changed, 81 insertions(+), 19 deletions(-)



[...]


@@ -656,7 +682,8 @@ static void arm_cpu_set_irq(void *opaque, int irq,
int level)
 [ARM_CPU_IRQ] = CPU_INTERRUPT_HARD,
 [ARM_CPU_FIQ] = CPU_INTERRUPT_FIQ,
 [ARM_CPU_VIRQ] = CPU_INTERRUPT_VIRQ,
-[ARM_CPU_VFIQ] = CPU_INTERRUPT_VFIQ
+[ARM_CPU_VFIQ] = CPU_INTERRUPT_VFIQ,
+[ARM_CPU_SERROR] = CPU_INTERRUPT_SERROR,


I'm a bit concerned with this. It makes sense for a host, but doesn't
allow the SError signal to be virtualised (there should be a VSError
signal in this list that can be injected via HCR_EL2.VA, just like
VIRQ is injected by HCR_EL2.VI).

Given that people use QEMU as a development platform for hypervisors,
I'd really like this functionality to be supported from day-1.

There is also the whole RAS stuff which is quite a lot of work, but let's
start at least with the full ARMv8.0 semantics.

Thanks,

M.
--
Jazz is not dead. It just smells funny...



[PATCH v2] riscv: sifive_u: Add a "serial" property for board serial number

2020-02-16 Thread Bin Meng
At present the board serial number is hard-coded to 1, and passed
to OTP model during initialization. Firmware (FSBL, U-Boot) uses
the serial number to generate a unique MAC address for the on-chip
ethernet controller. When multiple QEMU 'sifive_u' instances are
created and connected to the same subnet, they all have the same
MAC address hence it creates an unusable network.

A new "serial" property is introduced to specify the board serial
number. When not given, the default serial number 1 is used.

Signed-off-by: Bin Meng 

---

Changes in v2:
- Move setting OTP serial number property from riscv_sifive_u_soc_init()
  to riscv_sifive_u_soc_realize(), to fix the 'check-qtest-riscv' error.
  I am not really sure why doing so could fix the 'make check' error.
  The v1 patch worked fine and nothing seems wrong.

 hw/riscv/sifive_u.c | 21 -
 include/hw/riscv/sifive_u.h |  1 +
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/hw/riscv/sifive_u.c b/hw/riscv/sifive_u.c
index 0e12b3c..ca561d3 100644
--- a/hw/riscv/sifive_u.c
+++ b/hw/riscv/sifive_u.c
@@ -34,6 +34,7 @@
 #include "qemu/log.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
+#include "qapi/visitor.h"
 #include "hw/boards.h"
 #include "hw/loader.h"
 #include "hw/sysbus.h"
@@ -434,7 +435,6 @@ static void riscv_sifive_u_soc_init(Object *obj)
   TYPE_SIFIVE_U_PRCI);
 sysbus_init_child_obj(obj, "otp", &s->otp, sizeof(s->otp),
   TYPE_SIFIVE_U_OTP);
-qdev_prop_set_uint32(DEVICE(&s->otp), "serial", OTP_SERIAL);
 sysbus_init_child_obj(obj, "gem", &s->gem, sizeof(s->gem),
   TYPE_CADENCE_GEM);
 }
@@ -453,6 +453,18 @@ static void sifive_u_set_start_in_flash(Object *obj, bool 
value, Error **errp)
 s->start_in_flash = value;
 }
 
+static void sifive_u_get_serial(Object *obj, Visitor *v, const char *name,
+void *opaque, Error **errp)
+{
+visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+}
+
+static void sifive_u_set_serial(Object *obj, Visitor *v, const char *name,
+void *opaque, Error **errp)
+{
+visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+}
+
 static void riscv_sifive_u_machine_instance_init(Object *obj)
 {
 SiFiveUState *s = RISCV_U_MACHINE(obj);
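Review bot: sifive_u_get_serial() and sifive_u_set_serial() have identical bodies, each a single visit_type_uint32() call on opaque. One accessor passed as both the get and set callback would remove the duplication, or the two should differ in some way that justifies keeping both.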
@@ -464,11 +476,17 @@ static void riscv_sifive_u_machine_instance_init(Object 
*obj)
 "Set on to tell QEMU's ROM to jump to " \
 "flash. Otherwise QEMU will jump to DRAM",
 NULL);
+
+s->serial = OTP_SERIAL;
+object_property_add(obj, "serial", "uint32", sifive_u_get_serial,
+sifive_u_set_serial, NULL, &s->serial, NULL);
+object_property_set_description(obj, "serial", "Board serial number", 
NULL);
 }
 
 static void riscv_sifive_u_soc_realize(DeviceState *dev, Error **errp)
 {
 MachineState *ms = MACHINE(qdev_get_machine());
+SiFiveUState *us = RISCV_U_MACHINE(ms);
 SiFiveUSoCState *s = RISCV_U_SOC(dev);
 const struct MemmapEntry *memmap = sifive_u_memmap;
 MemoryRegion *system_memory = get_system_memory();
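Review bot: riscv_sifive_u_soc_realize() now casts qdev_get_machine() to RISCV_U_MACHINE just to read the serial number, which ties the SoC device to one machine type and makes the cast fail if the SoC is ever realized under a different machine. Give the SoC its own "serial" property, have the machine set it before realize, and forward that value to the OTP. Also note that object_property_add() and object_property_set_description() are called with a NULL errp, so a failure to register the property is silently ignored.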
@@ -554,6 +572,7 @@ static void riscv_sifive_u_soc_realize(DeviceState *dev, 
Error **errp)
 object_property_set_bool(OBJECT(&s->prci), true, "realized", &err);
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->prci), 0, memmap[SIFIVE_U_PRCI].base);
 
+qdev_prop_set_uint32(DEVICE(&s->otp), "serial", us->serial);
 object_property_set_bool(OBJECT(&s->otp), true, "realized", &err);
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->otp), 0, memmap[SIFIVE_U_OTP].base);
 
diff --git a/include/hw/riscv/sifive_u.h b/include/hw/riscv/sifive_u.h
index 82667b5..7cf742e 100644
--- a/include/hw/riscv/sifive_u.h
+++ b/include/hw/riscv/sifive_u.h
@@ -59,6 +59,7 @@ typedef struct SiFiveUState {
 int fdt_size;
 
 bool start_in_flash;
+uint32_t serial;
 } SiFiveUState;
 
 enum {
-- 
2.7.4




[PATCH v3] Implement the Screamer sound chip for the mac99 machine type

2020-02-16 Thread John Arbuckle
Signed-off-by: John Arbuckle 
---
v3 changes:
- Updated the location of patched code in hw/ppc/kconfig.
- Removed setting the props variable in screamer.c.
- Removed the screamer_properties variable in screamer.c.

v2 changes:
- Fixed a bug that prevented the sampling rate from being changed.

 hw/audio/Kconfig  |   3 +
 hw/audio/Makefile.objs|   2 +
 hw/audio/screamer.c   | 983 ++
 hw/misc/macio/macio.c |  35 +-
 hw/ppc/Kconfig|   1 +
 hw/ppc/mac.h  |   5 +
 include/hw/audio/screamer.h   |  42 ++
 include/hw/misc/macio/macio.h |   2 +
 8 files changed, 1072 insertions(+), 1 deletion(-)
 create mode 100644 hw/audio/screamer.c
 create mode 100644 include/hw/audio/screamer.h

diff --git a/hw/audio/Kconfig b/hw/audio/Kconfig
index e9c6fed826..196da6c3fe 100644
--- a/hw/audio/Kconfig
+++ b/hw/audio/Kconfig
@@ -50,3 +50,6 @@ config CS4231
 
 config MARVELL_88W8618
 bool
+
+config SCREAMER
+bool
diff --git a/hw/audio/Makefile.objs b/hw/audio/Makefile.objs
index 63db383709..55906886bc 100644
--- a/hw/audio/Makefile.objs
+++ b/hw/audio/Makefile.objs
@@ -15,4 +15,6 @@ common-obj-$(CONFIG_CS4231) += cs4231.o
 common-obj-$(CONFIG_MARVELL_88W8618) += marvell_88w8618.o
 common-obj-$(CONFIG_MILKYMIST) += milkymist-ac97.o
 
+common-obj-$(CONFIG_SCREAMER) += screamer.o
+
 common-obj-y += soundhw.o
diff --git a/hw/audio/screamer.c b/hw/audio/screamer.c
new file mode 100644
index 00..ad4aba12eb
--- /dev/null
+++ b/hw/audio/screamer.c
@@ -0,0 +1,983 @@
+/*
+ * File: Screamer.c
+ * Description: Implement the Screamer sound chip used in Apple Macintoshes.
+ * It works by filling a buffer, then playing the buffer.
+ */
+
+#include "qemu/osdep.h"
+#include "audio/audio.h"
+#include "hw/hw.h"
+#include "hw/irq.h"
+#include 
+#include "hw/ppc/mac.h"
+#include "hw/qdev-properties.h"
+#include "migration/vmstate.h"
+#include "include/hw/audio/screamer.h"
+
+#define DEBUG_SCREAMER 0
+#define DPRINTF(fmt, ...) \
+do { if (DEBUG_SCREAMER) { printf(fmt , ## __VA_ARGS__); } } while (0)
+
+#define SOUND_CONTROL_REG  0
+#define CODEC_CONTROL_REG  1
+#define CODEC_STATUS_REG   2
+#define CLIP_COUNT_REG 3
+#define BYTE_SWAP_REG  4
+#define FRAME_COUNT_REG5
+
+#define AWACS_BUSY 0x0100
+
+/* Used with AWACS register 1 */
+#define RECALIBRATE 0x004
+#define LOOPTHRU0x040
+#define SPEAKER_MUTE0x080
+#define HEADPHONE_MUTE  0x200
+#define OUTPUT_ZERO 0x400
+#define OUTPUT_ONE  0x800
+#define PARALLEL_OUTPUT 0xc00
+
+/* Function prototypes */
+static uint32_t set_busy_bit(uint32_t value, int bit);
+static uint32_t set_part_ready_bit(uint32_t value, int bit_value);
+static uint32_t set_revision(uint32_t input_value);
+static uint32_t set_manufacturer(uint32_t input_value);
+static int get_sampling_rate(ScreamerState *s);
+static uint32_t get_frame_count_reg(ScreamerState *s);
+static void add_to_speaker_buffer(DBDMA_io *io);
+static void dma_request(DBDMA_io *io);
+
+
+/ Getters */
+
+/* Returns the codec control register's encoded AWACS address */
+static uint8_t get_codec_control_address(uint32_t value)
+{
+uint8_t return_value;
+return_value = (value >> 12) & 0x0fff;
+return return_value;
+}
+
+
+static uint32_t get_sound_control_reg(ScreamerState *s)
+{
+DPRINTF("%s() called - returned 0x%x\n", __func__, s->sound_control);
+return s->sound_control;
+}
+
+/* The AWACS registers are accessed thru this register */
+static uint32_t get_codec_control_reg(ScreamerState *s)
+{
+int awacs_register = get_codec_control_address(s->codec_control);
+uint32_t return_value = s->awacs[awacs_register];
+return_value = set_busy_bit(return_value, 0); /* Tell CPU we are ready */
+DPRINTF("%s() called - returned 0x%x\tAWACS register: %d\n", __func__,
+return_value, awacs_register);
+return return_value;
+}
+
+/*
+ * Determines if the readback bit is set.
+ * It is used by the Codec Control register.
+ */
+static bool readback_enabled(ScreamerState *s)
+{
+/* Note: bit zero is the readback enabled bit */
+if (s->awacs[7] & 1) {
+return true;
+} else {
+return false;
+}
+}
+
+static uint32_t get_codec_status_reg(ScreamerState *s)
+{
+uint32_t return_value;
+
+/* if in readback mode - return AWACS register value */
+if (readback_enabled(s)) {
+int awacs_register = (s->awacs[7] & 0xe) >> 1;
+s->awacs[7] = s->awacs[7] & 0xfffe; /* turn off readback mode */
+return_value = s->awacs[awacs_register] << 4;
+DPRINTF("readback enable bit is set, returning AWACS register %d\t"
+"value:0x%x\n", awacs_register, return_value);
+
+return return_value;
+}
+
+/* Tell CPU we are ready */
+return_value = set_part_ready_bit(s->codec_status, 1);
+
+/* Set Revision to Sc
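
Review bot: get_codec_control_reg() indexes s->awacs[] with the value from get_codec_control_address() and never range-checks it. That helper masks with 0x0fff but returns uint8_t, so the result is silently truncated to 0..255, and it is derived from s->codec_control, which the guest sets through the codec control register. Unless awacs[] has 256 entries this is a guest-reachable out-of-bounds read of device state. Mask to the real register count (the readback path uses `(s->awacs[7] & 0xe) >> 1`, i.e. 0..7) or check the index against ARRAY_SIZE(s->awacs) before the access. Minor: readback_enabled() can simply `return s->awacs[7] & 1;`.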

Re: [PATCH] MAINTAINERS: Orphan MIPS KVM CPUs

2020-02-16 Thread Aleksandar Markovic
On Sunday, February 16, 2020, Paolo Bonzini  wrote:

> On 16/02/20 07:57, James Hogan wrote:
> >> We are in the process of handling this within the company, and this
> >> patch should go via MIPS tree, not trivial tree - will be updated when
> >> the opinions are crystallized, and all consultations with others were
> >> done. There is no rush.
> > Hi Aleksandar,
> >
> > I respectfully disagree. In the mean time I am still listed as
> > maintainer even though this patch has reflected reality for more than 18
> > months since the 2018 closure of the MIPS UK offices.
> >
> > If "the company" wish to eventually crystalize their opinion and assign
> > someone else this role (which they've had at least 6 weeks to do even
> > since I sent the patch) they can always submit a new patch.
> >
> > In the mean time I'd appreciate if somebody could take the patch ASAP.
>
> I agree with James, the situation has already crystallized long before
> the opinions will have.  You have done excellent work on the TCG side,
> but neither the kernel nor the QEMU side of KVM have seen any
> significant activity.  If your employer becomes more interested in KVM
> then the status can be changed.
>
> I think it's okay if we delay the patch a couple weeks more (which is
> more or less when Laurent or I will send the next pull request), but
> certainly not past 5.0 soft freeze.
>
>
OK, I will add the patch in the next MIPS queue, since I think its
significance is more than trivial. It will be sent no later than two weeks
from now. I just wanted the patch to be in the same queue when we will
provide replacement. But, honestly, if the factual state lasted that long,
I don't see the reason for such sudden hurry, do you?

I do not act alone (as an independent person) in this community, I
represent the company I am working for (in this case Wave, the owner of
MIPS), and of course I need from time to time to consult other people,
which takes some time sometimes. Most of you are, I guess, in the same
situation from time to time.

Of course I respect James' decision, although I am truly sorry about it.
My only slight objection is that James should have sent this patch sooner,
rather than just leave an impression that there is a maintainer, while in
fact there wasn't. What did you wait for? But, never mind, I understand your
hesitation. The best outcome would be that James remained in that role (I
do remember him as an excellent, thorough engineer, that is approachable
and very helpful to others), but what can we do now. I wish we work
together in future, who knows? Thanks, James, for taking care of KVM for
MIPS for a number of years!

Thanks to all too,
Aleksandar




> Thanks,
>
> Paolo
>
>


[Bug 1863486] [NEW] aarch64/tcg crash with malloc(): unsorted double linked list corrupted

2020-02-16 Thread Philippe Mathieu-Daudé
Public bug reported:

Based on commit b29c3e23f64938784c42ef9fca896829e3c19120,
QEMU configured with --enable-debug --extra-cflags=-ggdb.

Download Raspberry Pi 3 UEFI Firmware v1.15 from:
https://github.com/pbatard/RPi3/releases/tag/v1.15
(unzip RPi3_UEFI_Firmware_v1.15.zip)

Run QEMU with:

$ qemu-system-aarch64 -M raspi3 \
  -serial null -serial stdio \
  -device loader,file=RPI_EFI.fd,force-raw=true 

Normal behavior:

NOTICE:  Booting Trusted Firmware
NOTICE:  BL1: v2.1(release):v2.1
NOTICE:  BL1: Built : 15:26:06, May 13 2019
NOTICE:  rpi3: Detected: Raspberry Pi 3 Model B (1GB, Sony, UK) [0x00a02082]
NOTICE:  BL1: Booting BL2
ERROR:   rpi3_sdhost: timeout status 0x40
NOTICE:  BL2: v2.1(release):v2.1
NOTICE:  BL2: Built : 15:26:01, May 13 2019
NOTICE:  BL1: Booting BL31
NOTICE:  BL31: v2.1(release):v2.1
NOTICE:  BL31: Built : 15:26:04, May 13 2019
=UEFI firmware (version UEFI Firmware v1.15 built at 11:58:44 on Feb 14 2020)


Synchronous Exception at 0x37A1A4E8

But I sometimes get:

NOTICE:  Booting Trusted Firmware
NOTICE:  BL1: v2.1(release):v2.1
NOTICE:  BL1: Built : 15:26:06, May 13 2019
NOTICE:  rpi3: Detected: Raspberry Pi 3 Model B (1GB, Sony, UK) [0x00a02082]
NOTICE:  BL1: Booting BL2
ERROR:   rpi3_sdhost: timeout status 0x40
NOTICE:  BL2: v2.1(release):v2.1
NOTICE:  BL2: Built : 15:26:01, May 13 2019
NOTICE:  BL1: Booting BL31
NOTICE:  BL31: v2.1(release):v2.1
NOTICE:  BL31: Built : 15:26:04, May 13 2019
=UEFI firmware (version UEFI Firmware v1.15 built at 11:58:44 on Feb 14 2020)
malloc(): unsorted double linked list corrupted

Thread 3 "qemu-system-aar" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffe9c22700 (LWP 22746)]
0x7515ce35 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x7515ce35 in raise () at /lib64/libc.so.6
#1  0x75147895 in abort () at /lib64/libc.so.6
#2  0x751a008f in __libc_message () at /lib64/libc.so.6
#3  0x751a740c in  () at /lib64/libc.so.6
#4  0x751aa48c in _int_malloc () at /lib64/libc.so.6
#5  0x751aad4e in _int_memalign () at /lib64/libc.so.6
#6  0x751abdda in _mid_memalign () at /lib64/libc.so.6
#7  0x751ad3c6 in posix_memalign () at /lib64/libc.so.6
#8  0x77be2407 in slab_allocator_alloc_chunk () at /lib64/libglib-2.0.so.0
#9  0x77be3573 in g_slice_alloc () at /lib64/libglib-2.0.so.0
#10 0x77bf410a in g_tree_insert_internal () at /lib64/libglib-2.0.so.0
#11 0x55853f10 in tcg_tb_insert (tb=0x7fffd44b4d80) at tcg/tcg.c:425
#12 0x558dbe3d in tb_gen_code (cpu=0x56afa640, pc=92960, cs_base=0, flags=2216689664, cflags=-16252928) at accel/tcg/translate-all.c:1875
#13 0x558d7c73 in tb_find (cpu=0x56afa640, last_tb=0x7fffd44b4c40, tb_exit=0, cf_mask=524288) at accel/tcg/cpu-exec.c:406
#14 0x558d8543 in cpu_exec (cpu=0x56afa640) at accel/tcg/cpu-exec.c:730
#15 0x558981e1 in tcg_cpu_exec (cpu=0x56afa640) at cpus.c:1405
#16 0x55898a37 in qemu_tcg_cpu_thread_fn (arg=0x56afa640) at cpus.c:1713
#17 0x56057af8 in qemu_thread_start (args=0x57511570) at util/qemu-thread-posix.c:519
#18 0x752f34c0 in start_thread () at /lib64/libpthread.so.0
#19 0x75221163 in clone () at /lib64/libc.so.6

** Affects: qemu
 Importance: Undecided
 Status: New


** Tags: arm tcg

https://bugs.launchpad.net/bugs/1863486


Re: [RFC v2 0/6] vTPM for aarch64

2020-02-16 Thread Ard Biesheuvel
On Fri, 14 Feb 2020 at 19:37, Eric Auger  wrote:
>
> This series adds the capability to instantiate an MMIO TPM TIS
> in ARM virt.
>
> The existing TPM TIS code is reshuffled into a generic part,
> the ISA device and the sysbus device. The last patch allows
> the instantiation of the TPM TIS sysbus device in ARM virt.
>
> The series was tested with the swtpm/libtpms emulator.
> Automatic guest LUKS volume unlocking (tpm2) was successful.
> EDK2 support is under development [3]. Thanks to Ard
> for supporting me when setting up the test environment.
>
> Best Regards
>
> Eric
>
> Testing:
>
> mkdir /tmp/tpm
> swtpm socket \
> --tpm2 \
> -t -d \
> --tpmstate dir=/tmp/tpm \
> --ctrl type=unixio,path=/tmp/swtpm-sock
>
> qemu command line must be augmented with the following options:
>
> -chardev socket,id=chrtpm,path=/tmp/swtpm-sock \
> -tpmdev emulator,id=tpm0,chardev=chrtpm \
> -device tpm-tis-device,tpmdev=tpm0 \
>
> References:
> [1] libtpms: https://github.com/stefanberger/libtpms/wiki
> [2] swtpm: https://github.com/stefanberger/swtpm/wiki
> [3] [PATCH 0/4] ArmVirtPkg: implement measured boot for ArmVirtQemu
>
> This series can be found at:
> https://github.com/eauger/qemu/tree/v4.2.0-tpm-rfc-v2
>
> History:
>
> RFC v1 -> RFC v2:
> - restructure the existing code with common, ISA and sysbus part.
> - both ARM and x86 integration were tested.
> - acknowledgement: migration has not been tested
>
> Eric Auger (6):
>   tpm: rename TPM_TIS into TPM_TIS_ISA
>   tpm: Use TPMState as a common struct
>   tpm: Separate tpm_tis common functions from isa code
>   tpm: Separate TPM_TIS and TPM_TIS_ISA configs
>   tpm: Add the SysBus TPM TIS device
>   hw/arm/virt: vTPM support
>

Many thanks to Eric for his work on this.

I have tested this with my EDK2 code and a Linux/arm64 VM booting in
DT mode with the tpm-tis driver enabled, and it works as expected. I
can observe the firmware taking measurements during boot, and can dump
the PCRs from Linux using tpm2_pcrlist.

Tested-by: Ard Biesheuvel 
Acked-by: Ard Biesheuvel 

Note that the UEFI firmware is itself a consumer of the DT
description, so we need the DT related changes regardless of whether
the VM boots in DT or ACPI mode.



>  default-configs/i386-softmmu.mak   |   2 +-
>  hw/arm/Kconfig |   1 +
>  hw/arm/sysbus-fdt.c|  36 +
>  hw/arm/virt.c  |   7 +
>  hw/i386/Kconfig|   2 +-
>  hw/i386/acpi-build.c   |   6 +-
>  hw/tpm/Kconfig |  12 +-
>  hw/tpm/Makefile.objs   |   4 +-
>  hw/tpm/tpm_tis.h   |  91 +
>  hw/tpm/{tpm_tis.c => tpm_tis_common.c} | 181 ++---
>  hw/tpm/tpm_tis_isa.c   | 170 +++
>  hw/tpm/tpm_tis_sysbus.c| 159 ++
>  include/sysemu/tpm.h   |   7 +-
>  tests/qtest/Makefile.include   |   4 +-
>  14 files changed, 502 insertions(+), 180 deletions(-)
>  create mode 100644 hw/tpm/tpm_tis.h
>  rename hw/tpm/{tpm_tis.c => tpm_tis_common.c} (85%)
>  create mode 100644 hw/tpm/tpm_tis_isa.c
>  create mode 100644 hw/tpm/tpm_tis_sysbus.c
>
> --
> 2.20.1
>



[PATCH] tests/boot_linux_console: Boot Trusted Firmware-A on the Raspberry Pi 3

2020-02-16 Thread Philippe Mathieu-Daudé
This test runs Trusted Firmware-A on the Raspberry Pi 3.
We deliberately stop the boot process when the EDK2 UEFI version
is displayed.

The binary is built on AppVeyor CI using Pete Batard repository [1].
ATF v2.1 binaries are used (see [2]).

It is very simple and fast:

  $ avocado --show=app,console run -t atf tests/acceptance
  JOB ID : 1e748d7c9e9011cf0af3250ddc8ebf2389d6204e
  JOB LOG: avocado/job-results/job-2020-02-16T18.08-1e748d7/job.log
   (1/1) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_aarch64_raspi3_atf:
  console: NOTICE:  Booting Trusted Firmware
  console: NOTICE:  BL1: v2.1(release):v2.1
  console: NOTICE:  BL1: Built : 15:26:06, May 13 2019
  console: NOTICE:  rpi3: Detected: Raspberry Pi 3 Model B (1GB, Sony, UK) [0x00a02082]
  console: NOTICE:  BL1: Booting BL2
  console: ERROR:   rpi3_sdhost: timeout status 0x40
  console: NOTICE:  BL2: v2.1(release):v2.1
  console: NOTICE:  BL2: Built : 15:26:01, May 13 2019
  console: NOTICE:  BL1: Booting BL31
  console: NOTICE:  BL31: v2.1(release):v2.1
  console: NOTICE:  BL31: Built : 15:26:04, May 13 2019
  console: =UEFI firmware (version UEFI Firmware v1.15 built at 11:58:44 on Feb 14 2020)
  PASS (1.54 s)
  RESULTS: PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
  JOB TIME   : 1.88 s

[1] https://github.com/pbatard/RPi3#summary
[2] https://github.com/ARM-software/arm-trusted-firmware/blob/v2.1/docs/plat/rpi3.rst

Signed-off-by: Philippe Mathieu-Daudé 
---
 tests/acceptance/boot_linux_console.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/tests/acceptance/boot_linux_console.py 
b/tests/acceptance/boot_linux_console.py
index 34d37eba3b..51f24c462a 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -507,6 +507,28 @@ def test_arm_cubieboard_sata(self):
 exec_command_and_wait_for_pattern(self, 'reboot',
 'reboot: Restarting system')
 
+def test_aarch64_raspi3_atf(self):
+"""
+:avocado: tags=arch:aarch64
+:avocado: tags=machine:raspi3
+:avocado: tags=cpu:cortex-a53
+:avocado: tags=device:pl011
+:avocado: tags=atf
+"""
+zip_url = ('https://github.com/pbatard/RPi3/releases/download/'
+   'v1.15/RPi3_UEFI_Firmware_v1.15.zip')
+zip_hash = '74b3bd0de92683cadb14e008a7575e1d0c3cafb9'
+zip_path = self.fetch_asset(zip_url, asset_hash=zip_hash)
+
+archive.extract(zip_path, self.workdir)
+efi_fd = os.path.join(self.workdir, 'RPI_EFI.fd')
+
+self.vm.set_console(console_index=1)
+self.vm.add_args('-nodefaults',
+ '-device', 'loader,file=%s,force-raw=true' % efi_fd)
+self.vm.launch()
+self.wait_for_console_pattern('version UEFI Firmware v1.15')
+
 def test_s390x_s390_ccw_virtio(self):
 """
 :avocado: tags=arch:s390x
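
Review bot: zip_hash in test_aarch64_raspi3_atf is a 40-hex-digit SHA-1, and it is the only thing tying this test to a firmware binary that the commit message says is built on AppVeyor and fetched from a GitHub release outside the project. Pin the download with a stronger digest, for example by passing algorithm='sha256' to fetch_asset() together with the SHA-256 of the zip. Two smaller points: archive.extract() unpacks the whole archive into self.workdir although only RPI_EFI.fd is used, and a short comment on why console_index=1 is selected would help the next reader.
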
-- 
2.21.1




[Bug 1863486] Re: aarch64/tcg crash with malloc(): unsorted double linked list corrupted

2020-02-16 Thread Philippe Mathieu-Daudé
Maybe the same problem we had with U-boot, the SoC starts with only 1
core enabled.

I'm now trying with `-global bcm2836.enabled-cpus=1`.



Re: [RFC v2 1/6] tpm: rename TPM_TIS into TPM_TIS_ISA

2020-02-16 Thread Stefan Berger

On 2/14/20 1:36 PM, Eric Auger wrote:

As we plan to introduce a sysbus TPM_TIS, let's rename
TPM_TIS into TPM_TIS_ISA.

Reviewed-by: Stefan Berger 


Signed-off-by: Eric Auger 
---
  hw/i386/acpi-build.c | 6 +++---
  hw/tpm/tpm_tis.c | 4 ++--
  include/sysemu/tpm.h | 6 +++---
  3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 9c4e46fa74..26777f8828 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2026,7 +2026,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
  }
  }
  
-if (TPM_IS_TIS(tpm_find())) {

+if (TPM_IS_TIS_ISA(tpm_find())) {
  aml_append(crs, aml_memory32_fixed(TPM_TIS_ADDR_BASE,
 TPM_TIS_ADDR_SIZE, AML_READ_WRITE));
  }
@@ -2197,7 +2197,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
  /* Scan all PCI buses. Generate tables to support hotplug. */
  build_append_pci_bus_devices(scope, bus, pm->pcihp_bridge_en);
  
-if (TPM_IS_TIS(tpm)) {

+if (TPM_IS_TIS_ISA(tpm)) {
  if (misc->tpm_version == TPM_VERSION_2_0) {
  dev = aml_device("TPM");
  aml_append(dev, aml_name_decl("_HID",
@@ -2304,7 +2304,7 @@ build_tpm2(GArray *table_data, BIOSLinker *linker, GArray 
*tcpalog)
  (char *)&tpm2_ptr->log_area_start_address - table_data->data;
  
  tpm2_ptr->platform_class = cpu_to_le16(TPM2_ACPI_CLASS_CLIENT);

-if (TPM_IS_TIS(tpm_find())) {
+if (TPM_IS_TIS_ISA(tpm_find())) {
  tpm2_ptr->control_area_address = cpu_to_le64(0);
  tpm2_ptr->start_method = cpu_to_le32(TPM2_START_METHOD_MMIO);
  } else if (TPM_IS_CRB(tpm_find())) {
diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
index 31facb896d..c609737272 100644
--- a/hw/tpm/tpm_tis.c
+++ b/hw/tpm/tpm_tis.c
@@ -91,7 +91,7 @@ typedef struct TPMState {
  TPMPPI ppi;
  } TPMState;
  
-#define TPM(obj) OBJECT_CHECK(TPMState, (obj), TYPE_TPM_TIS)

+#define TPM(obj) OBJECT_CHECK(TPMState, (obj), TYPE_TPM_TIS_ISA)
  
  #define DEBUG_TIS 0
  
@@ -1008,7 +1008,7 @@ static void tpm_tis_class_init(ObjectClass *klass, void *data)

  }
  
  static const TypeInfo tpm_tis_info = {

-.name = TYPE_TPM_TIS,
+.name = TYPE_TPM_TIS_ISA,
  .parent = TYPE_ISA_DEVICE,
  .instance_size = sizeof(TPMState),
  .instance_init = tpm_tis_initfn,
diff --git a/include/sysemu/tpm.h b/include/sysemu/tpm.h
index 15979a3647..1691b92c28 100644
--- a/include/sysemu/tpm.h
+++ b/include/sysemu/tpm.h
@@ -43,12 +43,12 @@ typedef struct TPMIfClass {
  enum TPMVersion (*get_version)(TPMIf *obj);
  } TPMIfClass;
  
-#define TYPE_TPM_TIS"tpm-tis"

+#define TYPE_TPM_TIS_ISA"tpm-tis"
  #define TYPE_TPM_CRB"tpm-crb"
  #define TYPE_TPM_SPAPR  "tpm-spapr"
  
-#define TPM_IS_TIS(chr) \

-object_dynamic_cast(OBJECT(chr), TYPE_TPM_TIS)
+#define TPM_IS_TIS_ISA(chr) \
+object_dynamic_cast(OBJECT(chr), TYPE_TPM_TIS_ISA)
  #define TPM_IS_CRB(chr) \
  object_dynamic_cast(OBJECT(chr), TYPE_TPM_CRB)
  #define TPM_IS_SPAPR(chr)   \
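
Review bot: the commit message should state that only the C identifiers are renamed. In the include/sysemu/tpm.h hunk TYPE_TPM_TIS_ISA still expands to "tpm-tis", so the user-visible QOM type name and anything keyed on that string stay the same. A one-line comment next to the define would stop a later cleanup from changing the string to match the macro name.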






Re: [RFC v2 2/6] tpm: Use TPMState as a common struct

2020-02-16 Thread Stefan Berger

On 2/14/20 1:37 PM, Eric Auger wrote:

As we plan to introduce a SysBus TPM TIS device, let's
make the TPMState a common struct usable by both the
ISADevice and the SysBusDevice. TPMStateISA embeds the
struct and inherits from the ISADevice.

The prototype of functions bound to be used by both
the ISA and SysBus devices is changed to take TPMState
handle.

A bunch of structs also are renamed to be specialized
for the ISA device. Besides those transformations, no
functional change is expected.

Signed-off-by: Eric Auger 



Reviewed-by: Stefan Berger 



---
  hw/tpm/tpm_tis.c | 146 +--
  1 file changed, 91 insertions(+), 55 deletions(-)

diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
index c609737272..fc6d7ca579 100644
--- a/hw/tpm/tpm_tis.c
+++ b/hw/tpm/tpm_tis.c
@@ -65,7 +65,6 @@ typedef struct TPMLocality {
  } TPMLocality;
  
  typedef struct TPMState {

-ISADevice busdev;
  MemoryRegion mmio;
  
  unsigned char buffer[TPM_TIS_BUFFER_MAX];

@@ -91,7 +90,15 @@ typedef struct TPMState {
  TPMPPI ppi;
  } TPMState;
  
-#define TPM(obj) OBJECT_CHECK(TPMState, (obj), TYPE_TPM_TIS_ISA)

+typedef struct TPMStateISA {
+/*< private >*/
+ISADevice parent_obj;
+
+/*< public >*/
+TPMState state; /* not a QOM object */
+} TPMStateISA;
+
+#define TPM_TIS_ISA(obj) OBJECT_CHECK(TPMStateISA, (obj), TYPE_TPM_TIS_ISA)
  
  #define DEBUG_TIS 0
  
@@ -281,9 +288,8 @@ static void tpm_tis_prep_abort(TPMState *s, uint8_t locty, uint8_t newlocty)

  /*
   * Callback from the TPM to indicate that the response was received.
   */
-static void tpm_tis_request_completed(TPMIf *ti, int ret)
+static void tpm_tis_request_completed(TPMState *s, int ret)
  {
-TPMState *s = TPM(ti);
  uint8_t locty = s->cmd.locty;
  uint8_t l;
  
@@ -338,7 +344,7 @@ static uint32_t tpm_tis_data_read(TPMState *s, uint8_t locty)

  }
  
  #ifdef DEBUG_TIS

-static void tpm_tis_dump_state(void *opaque, hwaddr addr)
+static void tpm_tis_dump_state(TPMState *s, hwaddr addr)
  {
  static const unsigned regs[] = {
  TPM_TIS_REG_ACCESS,
@@ -353,7 +359,6 @@ static void tpm_tis_dump_state(void *opaque, hwaddr addr)
  int idx;
  uint8_t locty = tpm_tis_locality_from_addr(addr);
  hwaddr base = addr & ~0xfff;
-TPMState *s = opaque;
  
  printf("tpm_tis: active locality  : %d\n"

 "tpm_tis: state of locality %d : %d\n"
@@ -363,7 +368,7 @@ static void tpm_tis_dump_state(void *opaque, hwaddr addr)
  
  for (idx = 0; regs[idx] != 0xfff; idx++) {

  printf("tpm_tis: 0x%04x : 0x%08x\n", regs[idx],
-   (int)tpm_tis_mmio_read(opaque, base + regs[idx], 4));
+   (int)tpm_tis_mmio_read(s, base + regs[idx], 4));
  }
  
  printf("tpm_tis: r/w offset: %d\n"

@@ -488,7 +493,7 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
  break;
  #ifdef DEBUG_TIS
  case TPM_TIS_REG_DEBUG:
-tpm_tis_dump_state(opaque, addr);
+tpm_tis_dump_state(s, addr);
  break;
  #endif
  }
@@ -835,10 +840,8 @@ static const MemoryRegionOps tpm_tis_memory_ops = {
  /*
   * Get the TPMVersion of the backend device being used
   */
-static enum TPMVersion tpm_tis_get_tpm_version(TPMIf *ti)
+static enum TPMVersion tpm_tis_get_tpm_version(TPMState *s)
  {
-TPMState *s = TPM(ti);
-
  if (tpm_backend_had_startup_error(s->be_driver)) {
  return TPM_VERSION_UNSPEC;
  }
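
Review bot: tpm_tis_get_tpm_version() no longer has the TPMIfClass callback signature, and tpm_tis_request_completed() earlier in this patch gets the same change. TPMIfClass.get_version takes a TPMIf *, so the ISA class_init needs thin wrappers that resolve the object with TPM_TIS_ISA() and pass &isadev->state, the way tpm_tis_pre_save_isa() does for pre_save. Assigning these functions directly would at best draw an incompatible-pointer warning and would then treat the device object itself as a TPMState. Please confirm the wrappers are part of this patch.
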
@@ -850,9 +853,8 @@ static enum TPMVersion tpm_tis_get_tpm_version(TPMIf *ti)
   * This function is called when the machine starts, resets or due to
   * S3 resume.
   */
-static void tpm_tis_reset(DeviceState *dev)
+static void tpm_tis_reset(TPMState *s)
  {
-TPMState *s = TPM(dev);
  int c;
  
  s->be_tpm_version = tpm_backend_get_tpm_version(s->be_driver);

@@ -896,15 +898,14 @@ static void tpm_tis_reset(DeviceState *dev)
  
  /* persistent state handling */
  
-static int tpm_tis_pre_save(void *opaque)

+static int tpm_tis_pre_save(TPMState *s)
  {
-TPMState *s = opaque;
  uint8_t locty = s->active_locty;
  
  trace_tpm_tis_pre_save(locty, s->rw_offset);
  
  if (DEBUG_TIS) {

-tpm_tis_dump_state(opaque, 0);
+tpm_tis_dump_state(s, 0);
  }
  
  /*

@@ -929,34 +930,78 @@ static const VMStateDescription vmstate_locty = {
  }
  };
  
-static const VMStateDescription vmstate_tpm_tis = {

+/* ISA */
+
+static int tpm_tis_pre_save_isa(void *opaque)
+{
+TPMStateISA *isadev = opaque;
+
+return tpm_tis_pre_save(&isadev->state);
+}
+
+static const VMStateDescription vmstate_tpm_tis_isa = {
  .name = "tpm-tis",
  .version_id = 0,
-.pre_save  = tpm_tis_pre_save,
+.pre_save  = tpm_tis_pre_save_isa,
  .fields = (VMStateField[]) {
-VMSTATE_BUFFER(buffer, TPMState),
-VMSTATE_UINT16(rw_offset, TPMState),
-VMSTATE_UINT8(active_locty, TPMState),
-VMSTATE_UINT8(aborting_locty, TPMState),
-VM
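
Review bot: the rewritten vmstate entries must keep the wire format. The description keeps .name = "tpm-tis" and .version_id = 0 while the opaque becomes TPMStateISA, so each replaced VMSTATE_* line has to name state.<field> against TPMStateISA in the same order and with the same types as the removed lines (buffer, rw_offset, active_locty, aborting_locty, ...). Any reordering would break loading streams from existing tpm-tis guests without a version bump. The cover letter says migration has not been tested, so a save/restore check is worth doing before this is merged.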

Re: [RFC v2 3/6] tpm: Separate tpm_tis common functions from isa code

2020-02-16 Thread Stefan Berger

On 2/14/20 1:37 PM, Eric Auger wrote:

Move the device agnostic code into tpm_tis_common.c and
put the ISA device specific code into tpm_tis_isa.c

Signed-off-by: Eric Auger 


Reviewed-by: Stefan Berger 



---
  hw/tpm/Makefile.objs   |   2 +-
  hw/tpm/tpm_tis.h   |  91 +++
  hw/tpm/{tpm_tis.c => tpm_tis_common.c} | 209 ++---
  hw/tpm/tpm_tis_isa.c   | 170 
  4 files changed, 271 insertions(+), 201 deletions(-)
  create mode 100644 hw/tpm/tpm_tis.h
  rename hw/tpm/{tpm_tis.c => tpm_tis_common.c} (83%)
  create mode 100644 hw/tpm/tpm_tis_isa.c

diff --git a/hw/tpm/Makefile.objs b/hw/tpm/Makefile.objs
index 85eb99ae05..fcc4c2f27c 100644
--- a/hw/tpm/Makefile.objs
+++ b/hw/tpm/Makefile.objs
@@ -1,6 +1,6 @@
  common-obj-$(CONFIG_TPM) += tpm_util.o
  obj-$(call lor,$(CONFIG_TPM_TIS),$(CONFIG_TPM_CRB)) += tpm_ppi.o
-common-obj-$(CONFIG_TPM_TIS) += tpm_tis.o
+common-obj-$(CONFIG_TPM_TIS) += tpm_tis_isa.o tpm_tis_common.o
  common-obj-$(CONFIG_TPM_CRB) += tpm_crb.o
  common-obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
  common-obj-$(CONFIG_TPM_EMULATOR) += tpm_emulator.o
diff --git a/hw/tpm/tpm_tis.h b/hw/tpm/tpm_tis.h
new file mode 100644
index 00..5554989395
--- /dev/null
+++ b/hw/tpm/tpm_tis.h
@@ -0,0 +1,91 @@
+/*
+ * tpm_tis.h - QEMU's TPM TIS common header
+ *
+ * Copyright (C) 2006,2010-2013 IBM Corporation
+ *
+ * Authors:
+ *  Stefan Berger 
+ *  David Safford 
+ *
+ * Xen 4 support: Andrease Niederl 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ * Implementation of the TIS interface according to specs found at
+ * http://www.trustedcomputinggroup.org. This implementation currently
+ * supports version 1.3, 21 March 2013
+ * In the developers menu choose the PC Client section then find the TIS
+ * specification.
+ *
+ * TPM TIS for TPM 2 implementation following TCG PC Client Platform
+ * TPM Profile (PTP) Specification, Familiy 2.0, Revision 00.43
+ */
+#ifndef TPM_TPM_TIS_H
+#define TPM_TPM_TIS_H
+
+#include "qemu/osdep.h"
+#include "sysemu/tpm_backend.h"
+#include "tpm_ppi.h"
+
+#define TPM_TIS_NUM_LOCALITIES  5 /* per spec */
+#define TPM_TIS_LOCALITY_SHIFT  12
+#define TPM_TIS_NO_LOCALITY 0xff
+
+#define TPM_TIS_IS_VALID_LOCTY(x)   ((x) < TPM_TIS_NUM_LOCALITIES)
+
+#define TPM_TIS_BUFFER_MAX  4096
+
+typedef enum {
+TPM_TIS_STATE_IDLE = 0,
+TPM_TIS_STATE_READY,
+TPM_TIS_STATE_COMPLETION,
+TPM_TIS_STATE_EXECUTION,
+TPM_TIS_STATE_RECEPTION,
+} TPMTISState;
+
+/* locality data  -- all fields are persisted */
+typedef struct TPMLocality {
+TPMTISState state;
+uint8_t access;
+uint32_t sts;
+uint32_t iface_id;
+uint32_t inte;
+uint32_t ints;
+} TPMLocality;
+
+typedef struct TPMState {
+MemoryRegion mmio;
+
+unsigned char buffer[TPM_TIS_BUFFER_MAX];
+uint16_t rw_offset;
+
+uint8_t active_locty;
+uint8_t aborting_locty;
+uint8_t next_locty;
+
+TPMLocality loc[TPM_TIS_NUM_LOCALITIES];
+
+qemu_irq irq;
+uint32_t irq_num;
+
+TPMBackendCmd cmd;
+
+TPMBackend *be_driver;
+TPMVersion be_tpm_version;
+
+size_t be_buffer_size;
+
+bool ppi_enabled;
+TPMPPI ppi;
+} TPMState;
+
+extern const VMStateDescription vmstate_locty;
+extern const MemoryRegionOps tpm_tis_memory_ops;
+
+int tpm_tis_pre_save(TPMState *s);
+void tpm_tis_reset(TPMState *s);
+enum TPMVersion tpm_tis_get_tpm_version(TPMState *s);
+void tpm_tis_request_completed(TPMState *s, int ret);
+
+#endif /* TPM_TPM_TIS_H */
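
Review bot: tpm_tis.h should not include "qemu/osdep.h"; QEMU's coding style has every .c file include it first and headers never include it. The header also uses MemoryRegion, MemoryRegionOps, qemu_irq and VMStateDescription while including only sysemu/tpm_backend.h and tpm_ppi.h, so unless those two provide the declarations it builds only through whatever the including .c file pulled in earlier. Include what the header uses directly.
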
diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis_common.c
similarity index 83%
rename from hw/tpm/tpm_tis.c
rename to hw/tpm/tpm_tis_common.c
index fc6d7ca579..9ce64d4836 100644
--- a/hw/tpm/tpm_tis.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -1,5 +1,6 @@
  /*
- * tpm_tis.c - QEMU's TPM TIS interface emulator
+ * tpm_tis_common.c - QEMU's TPM TIS interface emulator
+ * device agnostic functions
   *
   * Copyright (C) 2006,2010-2013 IBM Corporation
   *
@@ -21,7 +22,6 @@
   * TPM TIS for TPM 2 implementation following TCG PC Client Platform
   * TPM Profile (PTP) Specification, Familiy 2.0, Revision 00.43
   */
-
  #include "qemu/osdep.h"
  #include "hw/irq.h"
  #include "hw/isa/isa.h"
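
Review bot: the file header now says "device agnostic functions", but the context of this hunk still shows #include "hw/isa/isa.h". If nothing ISA-specific is left after the move, drop that include in this patch so the common code cannot quietly keep a dependency on the ISA bus. The blank line removed between the header comment and the first #include also looks unintentional.
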
@@ -38,67 +38,7 @@
  #include "tpm_ppi.h"
  #include "trace.h"
  
-#define TPM_TIS_NUM_LOCALITIES  5 /* per spec */

-#define TPM_TIS_LOCALITY_SHIFT  12
-#define TPM_TIS_NO_LOCALITY 0xff
-
-#define TPM_TIS_IS_VALID_LOCTY(x)   ((x) < TPM_TIS_NUM_LOCALITIES)
-
-#define TPM_TIS_BUFFER_MAX  4096
-
-typedef enum {
-TPM_TIS_STATE_IDLE = 0,
-TPM_TIS_STATE_READY,
-TPM_TIS_STATE_COMPLETION,
-TPM_TIS_STATE_EXECUTION,
-TPM_TIS_STATE_RECEPTION,
-} TPMTISState;
-
-/* locality data  -- all fields are persisted */
-typedef struct TPMLocality {
-TPMTISState state;
-uint8_t access;
-uint32_

Re: [RFC v2 5/6] tpm: Add the SysBus TPM TIS device

2020-02-16 Thread Stefan Berger

On 2/14/20 1:37 PM, Eric Auger wrote:

Introduce the tpm-tis-device which is a sysbus device
and is bound to be used on ARM.

Signed-off-by: Eric Auger 
---
  hw/tpm/Kconfig  |   5 ++
  hw/tpm/Makefile.objs|   1 +
  hw/tpm/tpm_tis_sysbus.c | 159 
  include/sysemu/tpm.h|   1 +
  4 files changed, 166 insertions(+)
  create mode 100644 hw/tpm/tpm_tis_sysbus.c

diff --git a/hw/tpm/Kconfig b/hw/tpm/Kconfig
index 686f8206bb..4794e7fe28 100644
--- a/hw/tpm/Kconfig
+++ b/hw/tpm/Kconfig
@@ -7,6 +7,11 @@ config TPM_TIS_ISA
  depends on TPM && ISA_BUS
  select TPM_TIS
  
+config TPM_TIS_SYSBUS

+bool
+depends on TPM
+select TPM_TIS
+
  config TPM_TIS
  bool
  depends on TPM
diff --git a/hw/tpm/Makefile.objs b/hw/tpm/Makefile.objs
index 3ef2036cca..f1ec4beb95 100644
--- a/hw/tpm/Makefile.objs
+++ b/hw/tpm/Makefile.objs
@@ -1,6 +1,7 @@
  common-obj-$(CONFIG_TPM) += tpm_util.o
  obj-$(call lor,$(CONFIG_TPM_TIS),$(CONFIG_TPM_CRB)) += tpm_ppi.o
  common-obj-$(CONFIG_TPM_TIS_ISA) += tpm_tis_isa.o
+common-obj-$(CONFIG_TPM_TIS_SYSBUS) += tpm_tis_sysbus.o
  common-obj-$(CONFIG_TPM_TIS) += tpm_tis_common.o
  common-obj-$(CONFIG_TPM_CRB) += tpm_crb.o
  common-obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
diff --git a/hw/tpm/tpm_tis_sysbus.c b/hw/tpm/tpm_tis_sysbus.c
new file mode 100644
index 00..18c02aed67
--- /dev/null
+++ b/hw/tpm/tpm_tis_sysbus.c
@@ -0,0 +1,159 @@
+/*
+ * tpm_tis_sysbus.c - QEMU's TPM TIS SYSBUS Device
+ *
+ * Copyright (C) 2006,2010-2013 IBM Corporation
+ *
+ * Authors:
+ *  Stefan Berger 
+ *  David Safford 
+ *
+ * Xen 4 support: Andrease Niederl 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ * Implementation of the TIS interface according to specs found at
+ * http://www.trustedcomputinggroup.org. This implementation currently
+ * supports version 1.3, 21 March 2013
+ * In the developers menu choose the PC Client section then find the TIS
+ * specification.
+ *
+ * TPM TIS for TPM 2 implementation following TCG PC Client Platform
+ * TPM Profile (PTP) Specification, Familiy 2.0, Revision 00.43
+ */
+
+#include "qemu/osdep.h"
+#include "hw/qdev-properties.h"
+#include "migration/vmstate.h"
+#include "tpm_util.h"
+#include "hw/sysbus.h"
+#include "tpm_tis.h"
+
+typedef struct TPMStateSysBus {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+TPMState state; /* not a QOM object */
+} TPMStateSysBus;
+
+#define TPM_TIS_SYSBUS(obj) OBJECT_CHECK(TPMStateSysBus, (obj), 
TYPE_TPM_TIS_SYSBUS)
+
+static int tpm_tis_pre_save_sysbus(void *opaque)
+{
+TPMStateSysBus *sbdev = opaque;
+
+return tpm_tis_pre_save(&sbdev->state);
+}
+
+static const VMStateDescription vmstate_tpm_tis_sysbus = {
+.name = "tpm-tis",
+.version_id = 0,
+.pre_save  = tpm_tis_pre_save_sysbus,
+.fields = (VMStateField[]) {
+VMSTATE_BUFFER(state.buffer, TPMStateSysBus),
+VMSTATE_UINT16(state.rw_offset, TPMStateSysBus),
+VMSTATE_UINT8(state.active_locty, TPMStateSysBus),
+VMSTATE_UINT8(state.aborting_locty, TPMStateSysBus),
+VMSTATE_UINT8(state.next_locty, TPMStateSysBus),
+
+VMSTATE_STRUCT_ARRAY(state.loc, TPMStateSysBus, TPM_TIS_NUM_LOCALITIES,
+ 0, vmstate_locty, TPMLocality),
+
+VMSTATE_END_OF_LIST()
+}
+};
+
+static void tpm_tis_sysbus_request_completed(TPMIf *ti, int ret)
+{
+TPMStateSysBus *sbdev = TPM_TIS_SYSBUS(ti);
+TPMState *s = &sbdev->state;
+
+tpm_tis_request_completed(s, ret);
+}
+
+static enum TPMVersion tpm_tis_sysbus_get_tpm_version(TPMIf *ti)
+{
+TPMStateSysBus *sbdev = TPM_TIS_SYSBUS(ti);
+TPMState *s = &sbdev->state;
+
+return tpm_tis_get_tpm_version(s);
+}
+
+static void tpm_tis_sysbus_reset(DeviceState *dev)
+{
+TPMStateSysBus *sbdev = TPM_TIS_SYSBUS(dev);
+TPMState *s = &sbdev->state;
+
+return tpm_tis_reset(s);
+}
+
+static Property tpm_tis_sysbus_properties[] = {
+DEFINE_PROP_UINT32("irq", TPMStateSysBus, state.irq_num, TPM_TIS_IRQ),
+DEFINE_PROP_TPMBE("tpmdev", TPMStateSysBus, state.be_driver),
+DEFINE_PROP_BOOL("ppi", TPMStateSysBus, state.ppi_enabled, true),
+DEFINE_PROP_END_OF_LIST(),
+};
+
+static void tpm_tis_sysbus_initfn(Object *obj)
+{
+TPMStateSysBus *sbdev = TPM_TIS_SYSBUS(obj);
+TPMState *s = &sbdev->state;
+
+memory_region_init_io(&s->mmio, obj, &tpm_tis_memory_ops,
+  s, "tpm-tis-mmio",
+  TPM_TIS_NUM_LOCALITIES << TPM_TIS_LOCALITY_SHIFT);
+
+sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
+sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq);
+}
+
+static void tpm_tis_sysbus_realizefn(DeviceState *dev, Error **errp)
+{
+TPMStateSysBus *sbdev = TPM_TIS_SYSBUS(dev);
+TPMState *s = &sbdev->state;
+
+if (!tpm_find()) {
+error_setg(errp, "at most one TPM
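
Review bot: tpm_tis_sysbus_reset() is declared void but ends with 'return tpm_tis_reset(s);'. ISO C does not allow a return statement with an expression in a void function, so call tpm_tis_reset(s) as a plain statement. The header comment of this new file is also copied with its 'Familiy' typo and the 2006,2010-2013 copyright range, which is worth revisiting for a file created in this patch.
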

Re: [RFC v2 6/6] hw/arm/virt: vTPM support

2020-02-16 Thread Stefan Berger

On 2/14/20 1:37 PM, Eric Auger wrote:

Let the TPM TIS SYSBUS device be dynamically instantiable
in ARM virt.  A device tree node is dynamically created
(TPM via MMIO).

The TPM Physical Presence interface (PPI) is not supported.

To run with the swtpm TPM emulator, the qemu command line must
be augmented with:

 -chardev socket,id=chrtpm,path=swtpm-sock \
 -tpmdev emulator,id=tpm0,chardev=chrtpm \
 -device tpm-tis-device,tpmdev=tpm0 \

swtpm/libtpms command line example:

swtpm socket --tpm2 -t -d --tpmstate dir=/tmp/tpm \
--ctrl type=unixio,path=swtpm-sock



Can you also extend docs/spec/tpm.rst for the arm case? And the test 
cases should probably also cover the arm sysbus device.





Signed-off-by: Eric Auger 
---
  hw/arm/Kconfig  |  1 +
  hw/arm/sysbus-fdt.c | 36 
  hw/arm/virt.c   |  7 +++
  3 files changed, 44 insertions(+)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 3d86691ae0..b6f03f7f53 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -5,6 +5,7 @@ config ARM_VIRT
  imply VFIO_AMD_XGBE
  imply VFIO_PLATFORM
  imply VFIO_XGMAC
+imply TPM_TIS_SYSBUS
  select A15MPCORE
  select ACPI
  select ARM_SMMUV3
diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c
index 022fc97ecd..adf50444c2 100644
--- a/hw/arm/sysbus-fdt.c
+++ b/hw/arm/sysbus-fdt.c
@@ -30,6 +30,7 @@
  #include "hw/arm/sysbus-fdt.h"
  #include "qemu/error-report.h"
  #include "sysemu/device_tree.h"
+#include "sysemu/tpm.h"
  #include "hw/platform-bus.h"
  #include "hw/vfio/vfio-platform.h"
  #include "hw/vfio/vfio-calxeda-xgmac.h"
@@ -434,6 +435,40 @@ static bool vfio_platform_match(SysBusDevice *sbdev,
  #define VFIO_PLATFORM_BINDING(compat, add_fn) \
  {TYPE_VFIO_PLATFORM, (compat), (add_fn), vfio_platform_match}
  
+/*

+ * add_tpm_tis_fdt_node: Create a DT node for TPM TIS
+ *
+ * See kernel documentation:
+ * Documentation/devicetree/bindings/security/tpm/tpm_tis_mmio.txt
+ * Optional interrupt for command completion is not exposed
+ */
+static int add_tpm_tis_fdt_node(SysBusDevice *sbdev, void *opaque)
+{
+PlatformBusFDTData *data = opaque;
+PlatformBusDevice *pbus = data->pbus;
+void *fdt = data->fdt;
+const char *parent_node = data->pbus_node_name;
+int compat_str_len;
+char *nodename;
+uint32_t reg_attr[2];
+uint64_t mmio_base;
+
+mmio_base = platform_bus_get_mmio_addr(pbus, sbdev, 0);


I suppose any conditional creation of this device tree entry is covered 
with the TYPE_BINDING below, meaning no device tree is created if the 
device wasn't added.




+nodename = g_strdup_printf("%s/tpm_tis@%" PRIx64, parent_node, mmio_base);
+qemu_fdt_add_subnode(fdt, nodename);
+
+compat_str_len = strlen("tcg,tpm-tis-mmio") + 1;
+qemu_fdt_setprop(fdt, nodename, "compatible", "tcg,tpm-tis-mmio",
+ compat_str_len);


You probably can use qemu_fdt_setprop_string()?



+
+reg_attr[0] = cpu_to_be32(mmio_base);
+reg_attr[1] = cpu_to_be32(0x5000);
+qemu_fdt_setprop(fdt, nodename, "reg", reg_attr, 2 * sizeof(uint32_t));
+
+g_free(nodename);
+return 0;
+}
+
  #endif /* CONFIG_LINUX */
  
  static int no_fdt_node(SysBusDevice *sbdev, void *opaque)
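
Review bot: in add_tpm_tis_fdt_node(), mmio_base is a uint64_t but 'reg_attr[0] = cpu_to_be32(mmio_base);' silently drops the upper 32 bits, while the node name prints the full value with PRIx64. Either assert that the address fits in 32 bits or emit the reg cells according to the parent's #address-cells. The region size 0x5000 is also a bare constant; patch 5/6 sizes the MMIO region as TPM_TIS_NUM_LOCALITIES << TPM_TIS_LOCALITY_SHIFT, and using the same expression here keeps the device tree and the device model from drifting apart.
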

@@ -455,6 +490,7 @@ static const BindingEntry bindings[] = {
  TYPE_BINDING(TYPE_VFIO_CALXEDA_XGMAC, add_calxeda_midway_xgmac_fdt_node),
  TYPE_BINDING(TYPE_VFIO_AMD_XGBE, add_amd_xgbe_fdt_node),
  VFIO_PLATFORM_BINDING("amd,xgbe-seattle-v1a", add_amd_xgbe_fdt_node),
+TYPE_BINDING(TYPE_TPM_TIS_SYSBUS, add_tpm_tis_fdt_node),
  #endif
  TYPE_BINDING(TYPE_RAMFB_DEVICE, no_fdt_node),
  TYPE_BINDING("", NULL), /* last element */
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index f788fe27d6..4b967e39d1 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -47,6 +47,7 @@
  #include "sysemu/numa.h"
  #include "sysemu/runstate.h"
  #include "sysemu/sysemu.h"
+#include "sysemu/tpm.h"
  #include "sysemu/kvm.h"
  #include "hw/loader.h"
  #include "exec/address-spaces.h"
@@ -2041,6 +2042,7 @@ static void virt_machine_class_init(ObjectClass *oc, void 
*data)
  machine_class_allow_dynamic_sysbus_dev(mc, TYPE_VFIO_AMD_XGBE);
  machine_class_allow_dynamic_sysbus_dev(mc, TYPE_RAMFB_DEVICE);
  machine_class_allow_dynamic_sysbus_dev(mc, TYPE_VFIO_PLATFORM);
+machine_class_allow_dynamic_sysbus_dev(mc, TYPE_TPM_TIS_SYSBUS);
  mc->block_default_type = IF_VIRTIO;
  mc->no_cdrom = 1;
  mc->pci_allow_0_address = true;
@@ -2153,6 +2155,11 @@ type_init(machvirt_machine_init);
  
  static void virt_machine_5_0_options(MachineClass *mc)

  {
+static GlobalProperty compat[] = {
+{ TYPE_TPM_TIS_SYSBUS, "ppi", "false" },
+};
+
+compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
  }
  DEFINE_VIRT_MACHINE_AS_LATEST(5, 0)
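
Review bot: the ppi=false entry is added to virt_machine_5_0_options(), the options of the machine declared latest here, so the restriction is attached to one machine version rather than to the device. Since tpm_tis_sysbus_properties in patch 5/6 defines the "ppi" default as true, a later machine version that does not repeat this entry would get PPI enabled although the commit message says PPI is not supported. Defaulting "ppi" to false in the sysbus device's own property list, or rejecting ppi=on at realize, would state the restriction once.
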
  






Re: [PATCH] configure: Avoid compiling system tools on user build by default

2020-02-16 Thread Aleksandar Markovic
5:23 PM Sat, 15.02.2020. Philippe Mathieu-Daudé wrote:
>
> User-mode does not need the system tools. Do not build them by
> default if user specified --disable-system.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  configure | 11 ++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>

It would be nice if somebody came up with a more detailed analysis of what
is built for --disable-system but is in fact not needed at all.

How does your change affect the size of the executable?

> diff --git a/configure b/configure
> index 16f94cd96b..557ca4bd04 100755
> --- a/configure
> +++ b/configure
> @@ -455,7 +455,7 @@ guest_agent_ntddscsi="no"
>  guest_agent_msi=""
>  vss_win32_sdk=""
>  win_sdk="no"
> -want_tools="yes"
> +want_tools=""
>  libiscsi=""
>  libnfs=""
>  coroutine=""
> @@ -2199,6 +2199,15 @@ else
>  echo big/little test failed
>  fi
>
> +##
> +# system tools
> +if test "$want_tools" != "yes" && test "$softmmu" = "no"; then
> +want_tools=no
> +fi
> +if test -z "$want_tools"; then
> +want_tools=yes
> +fi
> +
>  ##
>  # cocoa implies not SDL or GTK
>  # (the cocoa UI code currently assumes it is always the active UI
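
Review bot: the new block decides on $softmmu alone: 'test "$want_tools" != "yes" && test "$softmmu" = "no"' turns the tools off whenever system emulation is disabled, including a configuration that disables both system and user targets in order to build only the tools. That build now needs an explicit --enable-tools where it previously got the tools by default. Consider also requiring that a user-mode target is enabled before defaulting want_tools to no, and mention the changed default in the commit message.
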
> --
> 2.21.1
>
>


[Bug 1863508] [NEW] qemu-system-arm stops with SIGSEGV in helper_gvec_eq16

2020-02-16 Thread Helmut
Public bug reported:

Segmentation fault when trying to start FreeBSD-arm system with
qemu-system-arm (version 4.1.1 on Fedora 31)

Commandline:
gdb -q --args /bin/qemu-system-arm \
 -name FreeBSD12,debug-threads=on \
 -m 1536 -machine virt -smp 2 \
 -M virt,highmem=off -serial mon:stdio -monitor telnet::45452,server,nowait \
 -machine virt,accel=tcg,usb=off,dump-guest-core=off,gic-version=2 \
 -overcommit mem-lock=off -no-reboot -device virtio-rng-device \
 -bios u-boot-qemu.bin \
 -drive file=FreeBSD-12.1-RELEASE-arm-armv7-CUBIEBOARD2.img,if=none,id=drive0,format=raw \
 -device ich9-ahci,id=ahci -device ide-drive,drive=drive0,bus=ahci.0 

Results:

Mounting local filesystems:.

Thread 4 "CPU 1/TCG" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffcedfe700 (LWP 53608)]
0x558d9332 in helper_gvec_eq16 (d=0x566748d8, a=0x566748e0, b=0x566748d0, desc=0) at /usr/src/debug/qemu-4.1.1-1.fc31.x86_64/accel/tcg/tcg-runtime-gvec.c:948
948 DO_CMP2(16)

Tested different versions of qemu. qemu-3.0.1 worked, but qemu-3.1.1
failed with the same error.

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863508




Re: [PATCH 1/2] hw/ipmi/bmc: Delay timer_new_ns() from init to realize to avoid memleaks

2020-02-16 Thread Corey Minyard
On Sat, Feb 15, 2020 at 04:47:05PM +0100, Philippe Mathieu-Daudé wrote:
> In commit f3a508eb4e the Euler Robot reported calling timer_new()
> in instance_init() can leak heap memory. The easier fix is to
> delay the timer creation at instance realize(). Similarly move
> timer_del() into a new instance unrealize() method.
> 
> This case was found with the following coccinelle script:
> 
> @ match @
> identifier instance_init;
> typedef Object;
> identifier obj;
> expression val, scale;
> identifier clock_type, callback, opaque;
> position pos;
> @@
> static void instance_init(Object *obj)
> {
>   <...
> (
>   val = timer_new@pos(clock_type, scale, callback, opaque);
> |
>   val = timer_new_ns@pos(clock_type, callback, opaque);
> |
>   val = timer_new_us@pos(clock_type, callback, opaque);
> |
>   val = timer_new_ms@pos(clock_type, callback, opaque);
> )
>   ...>
> }
> 
> @ script:python @
> f << match.instance_init;
> p << match.pos;
> @@
> print "check %s:%s:%s in %s()" % (p[0].file, p[0].line, p[0].column, f)
> 
> Signed-off-by: Philippe Mathieu-Daudé 

This looks ok to me:

Acked-by: Corey Minyard 

I can take it into my tree, if you like.

-corey

> ---
> Cc: Pan Nengyuan 
> ---
>  hw/ipmi/ipmi_bmc_extern.c | 12 ++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/ipmi/ipmi_bmc_extern.c b/hw/ipmi/ipmi_bmc_extern.c
> index f9a13e0a44..9144ac6c38 100644
> --- a/hw/ipmi/ipmi_bmc_extern.c
> +++ b/hw/ipmi/ipmi_bmc_extern.c
> @@ -463,6 +463,15 @@ static void ipmi_bmc_extern_realize(DeviceState *dev, 
> Error **errp)
>  
>  qemu_chr_fe_set_handlers(&ibe->chr, can_receive, receive,
>   chr_event, NULL, ibe, NULL, true);
> +
> +ibe->extern_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, extern_timeout, 
> ibe);
> +}
> +
> +static void ipmi_bmc_extern_unrealize(DeviceState *dev, Error **errp)
> +{
> +IPMIBmcExtern *ibe = IPMI_BMC_EXTERN(dev);
> +
> +timer_del(ibe->extern_timer);
>  }
>  
>  static int ipmi_bmc_extern_post_migrate(void *opaque, int version_id)
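
Review bot: the timer is now allocated in ipmi_bmc_extern_realize() but is still released by timer_free() in ipmi_bmc_extern_finalize(), with only timer_del() in the new unrealize(). Allocation and release no longer sit in matching hooks: a realize after an unrealize would overwrite ibe->extern_timer without freeing the old timer, and finalize on an object that was never realized passes a pointer that realize never set to timer_free(). Moving timer_free() into unrealize() next to timer_del() and clearing the pointer keeps the pair symmetric.
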
> @@ -502,7 +511,6 @@ static void ipmi_bmc_extern_init(Object *obj)
>  {
>  IPMIBmcExtern *ibe = IPMI_BMC_EXTERN(obj);
>  
> -ibe->extern_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, extern_timeout, 
> ibe);
>  vmstate_register(NULL, 0, &vmstate_ipmi_bmc_extern, ibe);
>  }
>  
> @@ -510,7 +518,6 @@ static void ipmi_bmc_extern_finalize(Object *obj)
>  {
>  IPMIBmcExtern *ibe = IPMI_BMC_EXTERN(obj);
>  
> -timer_del(ibe->extern_timer);
>  timer_free(ibe->extern_timer);
>  }
>  
> @@ -528,6 +535,7 @@ static void ipmi_bmc_extern_class_init(ObjectClass *oc, 
> void *data)
>  bk->handle_reset = ipmi_bmc_extern_handle_reset;
>  dc->hotpluggable = false;
>  dc->realize = ipmi_bmc_extern_realize;
> +dc->unrealize = ipmi_bmc_extern_unrealize;
>  device_class_set_props(dc, ipmi_bmc_extern_properties);
>  }
>  
> -- 
> 2.21.1
> 



[PATCH v3 1/4] target/arm: Use bit 55 explicitly for pauth

2020-02-16 Thread Richard Henderson
The psuedocode in aarch64/functions/pac/auth/Auth and
aarch64/functions/pac/strip/Strip always uses bit 55 for
extfield and do not consider if the current regime has 2 ranges.

Suggested-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 target/arm/pauth_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
index 9746e32bf8..b909630317 100644
--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
@@ -320,7 +320,8 @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t 
ptr, uint64_t modifier,
 
 static uint64_t pauth_original_ptr(uint64_t ptr, ARMVAParameters param)
 {
-uint64_t extfield = -param.select;
+/* Note that bit 55 is used whether or not the regime has 2 ranges. */
+uint64_t extfield = sextract64(ptr, 55, 1);
 int bot_pac_bit = 64 - param.tsz;
 int top_pac_bit = 64 - 8 * param.tbi;
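
Review bot: the new comment in pauth_original_ptr() says bit 55 is used regardless of the number of ranges but not why; naming the Arm pseudocode functions from the commit message (Auth and Strip) in the comment would let a reader check the rule at the source. It is also worth confirming that nothing else in pauth_helper.c still derives the extension bits from param.select, since the two can now differ for a single-range regime.
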
 
-- 
2.20.1




[PATCH v3 4/4] target/arm: Split out aa64_va_parameter_tbi, aa64_va_parameter_tbid

2020-02-16 Thread Richard Henderson
For the purpose of rebuild_hflags_a64, we do not need to compute
all of the va parameters, only tbi.  Moreover, we can compute them
in a form that is more useful to storing in hflags.

This eliminates the need for aa64_va_parameter_both, so fold that
in to aa64_va_parameter.  The remaining calls to aa64_va_parameter
are in get_phys_addr_lpae and in pauth_helper.c.

This reduces the total cpu consumption of aa64_va_parameter in a
kernel boot plus a kvm guest kernel boot from 3% to 0.5%.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 target/arm/internals.h |  3 --
 target/arm/helper.c| 68 +++---
 2 files changed, 37 insertions(+), 34 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 58c4d707c5..14328e3f7d 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1127,15 +1127,12 @@ typedef struct ARMVAParameters {
 unsigned tsz: 8;
 unsigned select : 1;
 bool tbi: 1;
-bool tbid   : 1;
 bool epd: 1;
 bool hpd: 1;
 bool using16k   : 1;
 bool using64k   : 1;
 } ARMVAParameters;
 
-ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
-ARMMMUIdx mmu_idx);
 ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
ARMMMUIdx mmu_idx, bool data);
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index eec7b01ab3..8d0f6eca27 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10234,12 +10234,34 @@ static uint8_t convert_stage2_attrs(CPUARMState *env, 
uint8_t s2attrs)
 }
 #endif /* !CONFIG_USER_ONLY */
 
-ARMVAParameters aa64_va_parameters_both(CPUARMState *env, uint64_t va,
-ARMMMUIdx mmu_idx)
+static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx)
+{
+if (regime_has_2_ranges(mmu_idx)) {
+return extract64(tcr, 37, 2);
+} else if (mmu_idx == ARMMMUIdx_Stage2) {
+return 0; /* VTCR_EL2 */
+} else {
+return extract32(tcr, 20, 1);
+}
+}
+
+static int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx)
+{
+if (regime_has_2_ranges(mmu_idx)) {
+return extract64(tcr, 51, 2);
+} else if (mmu_idx == ARMMMUIdx_Stage2) {
+return 0; /* VTCR_EL2 */
+} else {
+return extract32(tcr, 29, 1);
+}
+}
+
+ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
+   ARMMMUIdx mmu_idx, bool data)
 {
 uint64_t tcr = regime_tcr(env, mmu_idx)->raw_tcr;
-bool tbi, tbid, epd, hpd, using16k, using64k;
-int select, tsz;
+bool epd, hpd, using16k, using64k;
+int select, tsz, tbi;
 
 if (!regime_has_2_ranges(mmu_idx)) {
 select = 0;
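
Review bot: aa64_va_parameter_tbi() and aa64_va_parameter_tbid() return a two-bit field for a two-range regime ('extract64(tcr, 37, 2)', 'extract64(tcr, 51, 2)') and a single bit otherwise, and the caller later in this patch relies on '(tbi >> select) & 1' to pick the right one. That encoding is not documented in the hunk; a short comment above each helper stating that bit 0 applies to the lower range and bit 1 to the upper range would make the later shift and the intended hflags use easier to verify.
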
@@ -10248,11 +10270,9 @@ ARMVAParameters aa64_va_parameters_both(CPUARMState 
*env, uint64_t va,
 using16k = extract32(tcr, 15, 1);
 if (mmu_idx == ARMMMUIdx_Stage2) {
 /* VTCR_EL2 */
-tbi = tbid = hpd = false;
+hpd = false;
 } else {
-tbi = extract32(tcr, 20, 1);
 hpd = extract32(tcr, 24, 1);
-tbid = extract32(tcr, 29, 1);
 }
 epd = false;
 } else {
@@ -10266,28 +10286,30 @@ ARMVAParameters aa64_va_parameters_both(CPUARMState 
*env, uint64_t va,
 epd = extract32(tcr, 7, 1);
 using64k = extract32(tcr, 14, 1);
 using16k = extract32(tcr, 15, 1);
-tbi = extract64(tcr, 37, 1);
 hpd = extract64(tcr, 41, 1);
-tbid = extract64(tcr, 51, 1);
 } else {
 int tg = extract32(tcr, 30, 2);
 using16k = tg == 1;
 using64k = tg == 3;
 tsz = extract32(tcr, 16, 6);
 epd = extract32(tcr, 23, 1);
-tbi = extract64(tcr, 38, 1);
 hpd = extract64(tcr, 42, 1);
-tbid = extract64(tcr, 52, 1);
 }
 }
 tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
 tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
 
+/* Present TBI as a composite with TBID.  */
+tbi = aa64_va_parameter_tbi(tcr, mmu_idx);
+if (!data) {
+tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);
+}
+tbi = (tbi >> select) & 1;
+
 return (ARMVAParameters) {
 .tsz = tsz,
 .select = select,
 .tbi = tbi,
-.tbid = tbid,
 .epd = epd,
 .hpd = hpd,
 .using16k = using16k,
@@ -10295,16 +10317,6 @@ ARMVAParameters aa64_va_parameters_both(CPUARMState 
*env, uint64_t va,
 };
 }
 
-ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,
-   ARMMMUIdx mmu_idx, bool data)
-{
-ARMVAParameters ret = aa64_va_parameters_both(env, va, mmu_idx);
-
-/* Present TBI as a composite with TBID.  */
-ret.tbi &= (data || !ret.tbid);
-return ret;
-}
-
 #ifndef CONFIG_USER_ONLY
 static ARMVAParamete

[PATCH v3 0/4] target/arm: Reduce aa64_va_parameter overhead

2020-02-16 Thread Richard Henderson
Something I noticed while developing and testing VHE.

For v2, fix select as a separate patch.
For v3, adjust pauth to use bit 55 explicitly, and remove a
now duplicate test within get_phys_addr_lpae.


r~


Richard Henderson (4):
  target/arm: Use bit 55 explicitly for pauth
  target/arm: Fix select for aa64_va_parameters_both
  target/arm: Remove ttbr1_valid check from get_phys_addr_lpae
  target/arm: Split out aa64_va_parameter_tbi, aa64_va_parameter_tbid

 target/arm/internals.h|   3 -
 target/arm/helper.c   | 144 --
 target/arm/pauth_helper.c |   3 +-
 3 files changed, 76 insertions(+), 74 deletions(-)

-- 
2.20.1




[PATCH v3 3/4] target/arm: Remove ttbr1_valid check from get_phys_addr_lpae

2020-02-16 Thread Richard Henderson
Now that aa64_va_parameters_both sets select based on the number
of ranges in the regime, the ttbr1_valid check is redundant.

Signed-off-by: Richard Henderson 
---
 target/arm/helper.c | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index b09a501284..eec7b01ab3 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10390,7 +10390,6 @@ static bool get_phys_addr_lpae(CPUARMState *env, 
target_ulong address,
 TCR *tcr = regime_tcr(env, mmu_idx);
 int ap, ns, xn, pxn;
 uint32_t el = regime_el(env, mmu_idx);
-bool ttbr1_valid;
 uint64_t descaddrmask;
 bool aarch64 = arm_el_is_aa64(env, el);
 bool guarded = false;
@@ -10405,14 +10404,11 @@ static bool get_phys_addr_lpae(CPUARMState *env, 
target_ulong address,
 param = aa64_va_parameters(env, address, mmu_idx,
access_type != MMU_INST_FETCH);
 level = 0;
-ttbr1_valid = regime_has_2_ranges(mmu_idx);
 addrsize = 64 - 8 * param.tbi;
 inputsize = 64 - param.tsz;
 } else {
 param = aa32_va_parameters(env, address, mmu_idx);
 level = 1;
-/* There is no TTBR1 for EL2 */
-ttbr1_valid = (el != 2);
 addrsize = (mmu_idx == ARMMMUIdx_Stage2 ? 40 : 32);
 inputsize = addrsize - param.tsz;
 }
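
Review bot: the commit message justifies dropping ttbr1_valid by the change to aa64_va_parameters_both, but this hunk also removes 'ttbr1_valid = (el != 2);' from the AArch32 branch, which gets its parameters from aa32_va_parameters(). Nothing visible in this series shows aa32_va_parameters() forcing select to 0 for EL2, so the message should say why the check is redundant there as well, or the AArch32 check should stay.
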
@@ -10429,7 +10425,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, 
target_ulong address,
 if (inputsize < addrsize) {
 target_ulong top_bits = sextract64(address, inputsize,
addrsize - inputsize);
-if (-top_bits != param.select || (param.select && !ttbr1_valid)) {
+if (-top_bits != param.select) {
 /* The gap between the two regions is a Translation fault */
 fault_type = ARMFault_Translation;
 goto do_fault;
-- 
2.20.1




[PATCH v3 2/4] target/arm: Fix select for aa64_va_parameters_both

2020-02-16 Thread Richard Henderson
Select should always be 0 for a regime with one range.

Reviewed-by: Peter Maydell 
Signed-off-by: Richard Henderson 
---
 target/arm/helper.c | 46 +++--
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index 366dbcf460..b09a501284 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -10241,13 +10241,8 @@ ARMVAParameters aa64_va_parameters_both(CPUARMState 
*env, uint64_t va,
 bool tbi, tbid, epd, hpd, using16k, using64k;
 int select, tsz;
 
-/*
- * Bit 55 is always between the two regions, and is canonical for
- * determining if address tagging is enabled.
- */
-select = extract64(va, 55, 1);
-
 if (!regime_has_2_ranges(mmu_idx)) {
+select = 0;
 tsz = extract32(tcr, 0, 6);
 using64k = extract32(tcr, 14, 1);
 using16k = extract32(tcr, 15, 1);
@@ -10260,23 +10255,30 @@ ARMVAParameters aa64_va_parameters_both(CPUARMState 
*env, uint64_t va,
 tbid = extract32(tcr, 29, 1);
 }
 epd = false;
-} else if (!select) {
-tsz = extract32(tcr, 0, 6);
-epd = extract32(tcr, 7, 1);
-using64k = extract32(tcr, 14, 1);
-using16k = extract32(tcr, 15, 1);
-tbi = extract64(tcr, 37, 1);
-hpd = extract64(tcr, 41, 1);
-tbid = extract64(tcr, 51, 1);
 } else {
-int tg = extract32(tcr, 30, 2);
-using16k = tg == 1;
-using64k = tg == 3;
-tsz = extract32(tcr, 16, 6);
-epd = extract32(tcr, 23, 1);
-tbi = extract64(tcr, 38, 1);
-hpd = extract64(tcr, 42, 1);
-tbid = extract64(tcr, 52, 1);
+/*
+ * Bit 55 is always between the two regions, and is canonical for
+ * determining if address tagging is enabled.
+ */
+select = extract64(va, 55, 1);
+if (!select) {
+tsz = extract32(tcr, 0, 6);
+epd = extract32(tcr, 7, 1);
+using64k = extract32(tcr, 14, 1);
+using16k = extract32(tcr, 15, 1);
+tbi = extract64(tcr, 37, 1);
+hpd = extract64(tcr, 41, 1);
+tbid = extract64(tcr, 51, 1);
+} else {
+int tg = extract32(tcr, 30, 2);
+using16k = tg == 1;
+using64k = tg == 3;
+tsz = extract32(tcr, 16, 6);
+epd = extract32(tcr, 23, 1);
+tbi = extract64(tcr, 38, 1);
+hpd = extract64(tcr, 42, 1);
+tbid = extract64(tcr, 52, 1);
+}
 }
 tsz = MIN(tsz, 39);  /* TODO: ARMv8.4-TTST */
 tsz = MAX(tsz, 16);  /* TODO: ARMv8.2-LVA  */
-- 
2.20.1




Re: [PATCH v3] Implement the Screamer sound chip for the mac99 machine type

2020-02-16 Thread Howard Spoelstra
On Sun, Feb 16, 2020 at 5:32 PM John Arbuckle 
wrote:

> Signed-off-by: John Arbuckle 
> ---
> v3 changes:
> - Updated the location of patched code in hw/ppc/kconfig.
> - Removed setting the props variable in screamer.c.
> - Removed the screamer_properties variable in screamer.c.
>
> v2 changes:
> - Fixed a bug that prevented the sampling rate from being changed.
>
>  hw/audio/Kconfig  |   3 +
>  hw/audio/Makefile.objs|   2 +
>  hw/audio/screamer.c   | 983
> ++
>  hw/misc/macio/macio.c |  35 +-
>  hw/ppc/Kconfig|   1 +
>  hw/ppc/mac.h  |   5 +
>  include/hw/audio/screamer.h   |  42 ++
>  include/hw/misc/macio/macio.h |   2 +
>  8 files changed, 1072 insertions(+), 1 deletion(-)
>  create mode 100644 hw/audio/screamer.c
>  create mode 100644 include/hw/audio/screamer.h
>
> diff --git a/hw/audio/Kconfig b/hw/audio/Kconfig
> index e9c6fed826..196da6c3fe 100644
> --- a/hw/audio/Kconfig
> +++ b/hw/audio/Kconfig
> @@ -50,3 +50,6 @@ config CS4231
>
>  config MARVELL_88W8618
>  bool
> +
> +config SCREAMER
> +bool
> diff --git a/hw/audio/Makefile.objs b/hw/audio/Makefile.objs
> index 63db383709..55906886bc 100644
> --- a/hw/audio/Makefile.objs
> +++ b/hw/audio/Makefile.objs
> @@ -15,4 +15,6 @@ common-obj-$(CONFIG_CS4231) += cs4231.o
>  common-obj-$(CONFIG_MARVELL_88W8618) += marvell_88w8618.o
>  common-obj-$(CONFIG_MILKYMIST) += milkymist-ac97.o
>
> +common-obj-$(CONFIG_SCREAMER) += screamer.o
> +
>  common-obj-y += soundhw.o
> diff --git a/hw/audio/screamer.c b/hw/audio/screamer.c
> new file mode 100644
> index 00..ad4aba12eb
> --- /dev/null
> +++ b/hw/audio/screamer.c
> @@ -0,0 +1,983 @@
> +/*
> + * File: Screamer.c
> + * Description: Implement the Screamer sound chip used in Apple
> Macintoshes.
> + * It works by filling a buffer, then playing the buffer.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "audio/audio.h"
> +#include "hw/hw.h"
> +#include "hw/irq.h"
> +#include 
> +#include "hw/ppc/mac.h"
> +#include "hw/qdev-properties.h"
> +#include "migration/vmstate.h"
> +#include "include/hw/audio/screamer.h"
> +
> +#define DEBUG_SCREAMER 0
> +#define DPRINTF(fmt, ...) \
> +do { if (DEBUG_SCREAMER) { printf(fmt , ## __VA_ARGS__); } } while (0)
> +
> +#define SOUND_CONTROL_REG  0
> +#define CODEC_CONTROL_REG  1
> +#define CODEC_STATUS_REG   2
> +#define CLIP_COUNT_REG 3
> +#define BYTE_SWAP_REG  4
> +#define FRAME_COUNT_REG5
> +
> +#define AWACS_BUSY 0x0100
> +
> +/* Used with AWACS register 1 */
> +#define RECALIBRATE 0x004
> +#define LOOPTHRU0x040
> +#define SPEAKER_MUTE0x080
> +#define HEADPHONE_MUTE  0x200
> +#define OUTPUT_ZERO 0x400
> +#define OUTPUT_ONE  0x800
> +#define PARALLEL_OUTPUT 0xc00
> +
> +/* Function prototypes */
> +static uint32_t set_busy_bit(uint32_t value, int bit);
> +static uint32_t set_part_ready_bit(uint32_t value, int bit_value);
> +static uint32_t set_revision(uint32_t input_value);
> +static uint32_t set_manufacturer(uint32_t input_value);
> +static int get_sampling_rate(ScreamerState *s);
> +static uint32_t get_frame_count_reg(ScreamerState *s);
> +static void add_to_speaker_buffer(DBDMA_io *io);
> +static void dma_request(DBDMA_io *io);
> +
> +
> +/ Getters */
> +
> +/* Returns the codec control register's encoded AWACS address */
> +static uint8_t get_codec_control_address(uint32_t value)
> +{
> +uint8_t return_value;
> +return_value = (value >> 12) & 0x0fff;
> +return return_value;
> +}
> +
> +
> +static uint32_t get_sound_control_reg(ScreamerState *s)
> +{
> +DPRINTF("%s() called - returned 0x%x\n", __func__, s->sound_control);
> +return s->sound_control;
> +}
> +
> +/* The AWACS registers are accessed thru this register */
> +static uint32_t get_codec_control_reg(ScreamerState *s)
> +{
> +int awacs_register = get_codec_control_address(s->codec_control);
> +uint32_t return_value = s->awacs[awacs_register];
> +return_value = set_busy_bit(return_value, 0); /* Tell CPU we are
> ready */
> +DPRINTF("%s() called - returned 0x%x\tAWACS register: %d\n", __func__,
> +return_value, awacs_register);
> +return return_value;
> +}
> +
> +/*
> + * Determines if the readback bit is set.
> + * It is used by the Codec Control register.
> + */
> +static bool readback_enabled(ScreamerState *s)
> +{
> +/* Note: bit zero is the readback enabled bit */
> +if (s->awacs[7] & 1) {
> +return true;
> +} else {
> +return false;
> +}
> +}
> +
> +static uint32_t get_codec_status_reg(ScreamerState *s)
> +{
> +uint32_t return_value;
> +
> +/* if in readback mode - return AWACS register value */
> +if (readback_enabled(s)) {
> +int awacs_register = (s->awacs[7] & 0xe) >> 1;
> +s->awacs[7] = s->awacs[7] & 0xfffe; /* turn off readback mode
> */
> + 
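
Review bot: get_codec_control_address() masks with 0x0fff but returns uint8_t, so the result is silently truncated to 8 bits, and get_codec_control_reg() then uses it directly as 's->awacs[awacs_register]'. The index is derived from s->codec_control, a device register value, so it needs an explicit bound against the number of elements in s->awacs, and a mask that matches the real width of the address field, before the array is read.
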

Re: [PATCH v3 1/4] target/arm: Use bit 55 explicitly for pauth

2020-02-16 Thread Peter Maydell
On Sun, 16 Feb 2020 at 19:43, Richard Henderson
 wrote:
>
> The psuedocode in aarch64/functions/pac/auth/Auth and
> aarch64/functions/pac/strip/Strip always uses bit 55 for
> extfield and do not consider if the current regime has 2 ranges.
>
> Suggested-by: Peter Maydell 
> Signed-off-by: Richard Henderson 
> ---
>  target/arm/pauth_helper.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Reviewed-by: Peter Maydell 

('pseudocode', but I'll fix the typo when I apply it if
it doesn't need a respin for some other reason)

thanks
-- PMM



Re: [PATCH 1/3] block/qcow2-bitmap: Remove unneeded variable assignment

2020-02-16 Thread Ján Tomko

On Sat, Feb 15, 2020 at 05:15:55PM +0100, Philippe Mathieu-Daudé wrote:

Fix warning reported by Clang static code analyzer:

   CC  block/qcow2-bitmap.o
 block/qcow2-bitmap.c:650:5: warning: Value stored to 'ret' is never read
 ret = -EINVAL;
 ^ ~~~

Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé 
---
block/qcow2-bitmap.c | 1 -
1 file changed, 1 deletion(-)



Reviewed-by: Ján Tomko 

Unused since its introduction in 88ddffae8fc1e30cc907c2dbb989b7eba9e62319

Jano




Re: [PULL] RISC-V Patches for the 5.0 Soft Freeze, Part 2

2020-02-16 Thread Peter Maydell
On Wed, 12 Feb 2020 at 17:30, Palmer Dabbelt  wrote:
>
> The following changes since commit 81a23caf47956778c5a5056ad656d1ef92bf9659:
>
>   Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
> into staging (2020-02-10 17:08:51 +)
>
> are available in the Git repository at:
>
>   g...@github.com:palmer-dabbelt/qemu.git tags/riscv-for-master-5.0-sf2
>
> for you to fetch changes up to 9c8fdcece53e05590441785ab22d91a22da36e29:
>
>   MAINTAINERS: Add maintainer entry for Goldfish RTC (2020-02-10 12:01:39 
> -0800)
>
> 
> RISC-V Patches for the 5.0 Soft Freeze, Part 2
>
> This is a fairly light-weight pull request, but I wanted to send it out to
> avoid the Goldfish stuff getting buried as the next PR should contain the H
> extension implementation.
>
> As far as this PR goes, it contains:
>
> * The addition of syscon device tree nodes for reboot and poweroff, which
>   allows Linux to control QEMU without an additional driver.  The existing
>   device was already compatible with the syscon interface.
> * A fix to our GDB stub to avoid confusing XLEN and FLEN, specifically useful
>   for rv32id-based systems.
> * A device emulation for the Goldfish RTC device, a simple memory-mapped RTC.
> * The addition of the Goldfish RTC device to the RISC-V virt board.
>
> This passes "make check" and boots buildroot for me.
>
> 
>
> Peter: I'm sending hw/rtc code because it was suggested that the Goldfish
> implementation gets handled via the RISC-V tree as our virt board is the only
> user.  I'm happy to do things differently in the future (maybe send
> goldfish-specific PRs?) if that's better for you.  Just LMK what makes sense, I
> anticipate that this'll be a pretty low traffic device so I'm fine with pretty
> much anything.

If it's a device that's only used in risc-v boards I'm happy for
you to just fold those patches into the main risc-v pullreq.

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.0
for any user-visible changes.

-- PMM



Re: [PATCH 1/3] tools/virtiofsd/passthrough_ll: Remove unneeded variable assignment

2020-02-16 Thread Ján Tomko

On Sat, Feb 15, 2020 at 05:07:14PM +0100, Philippe Mathieu-Daudé wrote:

Fix warning reported by Clang static code analyzer:

   CC  tools/virtiofsd/passthrough_ll.o
 tools/virtiofsd/passthrough_ll.c:1083:5: warning: Value stored to 'saverr' is 
never read
 saverr = ENOMEM;
 ^~~

Fixes: 7c6b66027
Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé 
---
tools/virtiofsd/passthrough_ll.c | 2 --
1 file changed, 2 deletions(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 2/3] tools/virtiofsd/passthrough_ll: Remove unneeded variable assignment

2020-02-16 Thread Ján Tomko

On Sat, Feb 15, 2020 at 05:07:15PM +0100, Philippe Mathieu-Daudé wrote:

Fix warning reported by Clang static code analyzer:

   CC  tools/virtiofsd/passthrough_ll.o
 tools/virtiofsd/passthrough_ll.c:925:9: warning: Value stored to 'newfd' is 
never read
 newfd = -1;
 ^   ~~
 tools/virtiofsd/passthrough_ll.c:942:9: warning: Value stored to 'newfd' is 
never read
 newfd = -1;
 ^   ~~

Fixes: 7c6b66027
Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé 
---
tools/virtiofsd/passthrough_ll.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index e9e71d5fc2..b38e0e4d84 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -922,7 +922,6 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, 
const char *name,
inode = lo_find(lo, &e->attr);
if (inode) {
close(newfd);
-newfd = -1;
} else {
inode = calloc(1, sizeof(struct lo_inode));
if (!inode) {
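
Review bot: In the `if (inode)` branch, dropping `newfd = -1;` right after `close(newfd);` leaves newfd holding the number of a descriptor that is already closed. The analyzer is correct that nothing reads the value today, but the reset is what keeps any later cleanup path that tests newfd against -1 from closing the same number a second time, possibly after another thread has reused it. Please confirm that no such path can be reached from here, or keep the reset as a defensive idiom and silence the warning another way.
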
@@ -938,8 +937,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, 
const char *name,
g_atomic_int_set(&inode->refcount, 2);

inode->nlookup = 1;
-inode->fd = newfd;
-newfd = -1;
+inode->fd = -1;


The functional equivalent is:
inode->fd = newfd;

newfd cannot contain -1 here, as checked a few lines above:
 newfd = openat(dir->fd, name, O_PATH | O_NOFOLLOW);
 if (newfd == -1) {
 goto out_err;
 }

Jano


inode->key.ino = e->attr.st_ino;
inode->key.dev = e->attr.st_dev;
pthread_mutex_init(&inode->plock_mutex, NULL);
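
Review bot: `inode->fd = -1;` in the `else` branch is not equivalent to the two lines it replaces. The new inode no longer records the descriptor returned by `openat()`, so the inode is created without a usable fd and the open descriptor is leaked. Only the dead store `newfd = -1;` should be removed; the assignment should stay as `inode->fd = newfd;`.
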
--
2.21.1






Re: [PATCH 3/3] tools/virtiofsd/fuse_lowlevel: Fix fuse_out_header.error value

2020-02-16 Thread Ján Tomko

On Sat, Feb 15, 2020 at 05:07:16PM +0100, Philippe Mathieu-Daudé wrote:

Fix warning reported by Clang static code analyzer:

   CC  tools/virtiofsd/fuse_lowlevel.o
 tools/virtiofsd/fuse_lowlevel.c:195:9: warning: Value stored to 'error' is 
never read
 error = -ERANGE;
 ^   ~~~

Fixes: 2de121f01e
Reported-by: Clang Static Analyzer
Signed-off-by: Philippe Mathieu-Daudé 
---
RFC because untested
---
tools/virtiofsd/fuse_lowlevel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)



Reviewed-by: Ján Tomko 

Jano




[PATCH 2/2] target/ppc/cpu.h: Clean up comments in the struct CPUPPCState definition

2020-02-16 Thread BALATON Zoltan
The cpu env struct is quite complex but comments supposed to explain
it in its definition just make it harder to read. Reformat and reword
some comments to make it clearer and more readable.

Signed-off-by: BALATON Zoltan 
---
 target/ppc/cpu.h | 145 ++-
 1 file changed, 54 insertions(+), 91 deletions(-)

diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index c3b0a00064..b283042515 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -960,116 +960,88 @@ struct ppc_radix_page_info {
 #define PPC_CPU_INDIRECT_OPCODES_LEN 0x20
 
 struct CPUPPCState {
-/*
- * First are the most commonly used resources during translated
- * code execution
- */
-/* general purpose registers */
-target_ulong gpr[32];
-/* Storage for GPR MSB, used by the SPE extension */
-target_ulong gprh[32];
-/* LR */
+/* Most commonly used resources during translated code execution first */
+target_ulong gpr[32];  /* general purpose registers */
+target_ulong gprh[32]; /* storage for GPR MSB, used by the SPE extension */
 target_ulong lr;
-/* CTR */
 target_ulong ctr;
-/* condition register */
-uint32_t crf[8];
+uint32_t crf[8];   /* condition register */
 #if defined(TARGET_PPC64)
-/* CFAR */
 target_ulong cfar;
 #endif
-/* XER (with SO, OV, CA split out) */
-target_ulong xer;
+target_ulong xer;  /* XER (with SO, OV, CA split out) */
 target_ulong so;
 target_ulong ov;
 target_ulong ca;
 target_ulong ov32;
 target_ulong ca32;
-/* Reservation address */
-target_ulong reserve_addr;
-/* Reservation value */
-target_ulong reserve_val;
-target_ulong reserve_val2;
 
-/* Those ones are used in supervisor mode only */
-/* machine state register */
-target_ulong msr;
-/* temporary general purpose registers */
-target_ulong tgpr[4]; /* Used to speed-up TLB assist handlers */
+target_ulong reserve_addr; /* Reservation address */
+target_ulong reserve_val;  /* Reservation value */
+target_ulong reserve_val2;
 
-/* Next instruction pointer */
-target_ulong nip;
+/* These are used in supervisor mode only */
+target_ulong msr;  /* machine state register */
+target_ulong tgpr[4];  /* temporary general purpose registers, */
+   /* used to speed-up TLB assist handlers */
 
-/* High part of 128-bit helper return.  */
-uint64_t retxh;
+target_ulong nip;  /* next instruction pointer */
+uint64_t retxh;/* high part of 128-bit helper return */
 
 /* when a memory exception occurs, the access type is stored here */
 int access_type;
 
-/* MMU context - only relevant for full system emulation */
 #if !defined(CONFIG_USER_ONLY)
+/* MMU context, only relevant for full system emulation */
 #if defined(TARGET_PPC64)
-/* PowerPC 64 SLB area */
-ppc_slb_t slb[MAX_SLB_ENTRIES];
-/* tcg TLB needs flush (deferred slb inval instruction typically) */
+ppc_slb_t slb[MAX_SLB_ENTRIES]; /* PowerPC 64 SLB area */
 #endif
-/* segment registers */
-target_ulong sr[32];
-/* BATs */
-uint32_t nb_BATs;
+target_ulong sr[32];   /* segment registers */
+uint32_t nb_BATs;  /* number of BATs */
 target_ulong DBAT[2][8];
 target_ulong IBAT[2][8];
 /* PowerPC TLB registers (for 4xx, e500 and 60x software driven TLBs) */
-int32_t nb_tlb;  /* Total number of TLB  */
+int32_t nb_tlb;  /* Total number of TLB */
 int tlb_per_way; /* Speed-up helper: used to avoid divisions at run time */
-int nb_ways; /* Number of ways in the TLB set*/
-int last_way;/* Last used way used to allocate TLB in a LRU way  */
+int nb_ways; /* Number of ways in the TLB set */
+int last_way;/* Last used way used to allocate TLB in a LRU way */
 int id_tlbs; /* If 1, MMU has separated TLBs for instructions & data */
-int nb_pids; /* Number of available PID registers*/
-int tlb_type;/* Type of TLB we're dealing with   */
-ppc_tlb_t tlb;   /* TLB is optional. Allocate them only if needed*/
-/* 403 dedicated access protection registers */
-target_ulong pb[4];
-bool tlb_dirty;   /* Set to non-zero when modifying TLB  */
-bool kvm_sw_tlb;  /* non-zero if KVM SW TLB API is active*/
+int nb_pids; /* Number of available PID registers */
+int tlb_type;/* Type of TLB we're dealing with */
+ppc_tlb_t tlb;   /* TLB is optional. Allocate them only if needed */
+target_ulong pb[4]; /* 403 dedicated access protection registers */
+bool tlb_dirty;  /* Set to non-zero when modifying TLB */
+bool kvm_sw_tlb; /* non-zero if KVM SW TLB API is active */
 uint32_t tlb_need_flush; /* Delayed flush needed */
 #define TLB_NEED_LOC
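
Review bot: The `tgpr[4]` member now carries two separate comments, `/* temporary general purpose registers, */` followed on the next line by `/* used to speed-up TLB assist handlers */`, which reads as one sentence split across two comment blocks; a single comment above the member would be clearer. The hunk also deletes `/* tcg TLB needs flush (deferred slb inval instruction typically) */` from the SLB block without moving it; if that text was meant to describe `tlb_need_flush`, it should be attached there rather than dropped. Minor: the converted trailing comments mix capitalised (`Reservation address`) and lower-case (`next instruction pointer`) styles.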

[PATCH 1/2] target/ppc/cpu.h: Move fpu related members closer in cpu env

2020-02-16 Thread BALATON Zoltan
Move fp_status and fpscr closer to other floating point and vector
related members in cpu env definition so they are in one group.

Signed-off-by: BALATON Zoltan 
---
 target/ppc/cpu.h | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h
index 07dd2b4da7..c3b0a00064 100644
--- a/target/ppc/cpu.h
+++ b/target/ppc/cpu.h
@@ -997,11 +997,6 @@ struct CPUPPCState {
 /* temporary general purpose registers */
 target_ulong tgpr[4]; /* Used to speed-up TLB assist handlers */
 
-/* Floating point execution context */
-float_status fp_status;
-/* floating point status and control register */
-target_ulong fpscr;
-
 /* Next instruction pointer */
 target_ulong nip;
 
@@ -1060,6 +1055,10 @@ struct CPUPPCState {
  * used simultaneously
  */
 float_status vec_status;
+/* Floating point execution context */
+float_status fp_status;
+/* floating point status and control register */
+target_ulong fpscr;
 
 /* Internal devices resources */
 /* Time base and decrementer */
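
Review bot: The moved members are inserted directly under `float_status vec_status;` with no blank line, so the block comment ending in `used simultaneously` now appears to cover `fp_status` and `fpscr` as well. A blank line before `/* Floating point execution context */` would keep that comment scoped to `vec_status`. The two added comments also differ in capitalisation, which the follow-up cleanup patch could settle.
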
-- 
2.21.1




[PATCH 0/2] Small clean up in target/ppc/cpu.h

2020-02-16 Thread BALATON Zoltan
Just some small clean ups to improve readability of struct CPUPPCState.

BALATON Zoltan (2):
  target/ppc/cpu.h: Move fpu related members closer in cpu env
  target/ppc/cpu.h: Clean up comments in the struct CPUPPCState
definition

 target/ppc/cpu.h | 146 ++-
 1 file changed, 54 insertions(+), 92 deletions(-)

-- 
2.21.1




[PATCH v2 2/4] target/arm: Convert PMUL.8 to gvec

2020-02-16 Thread Richard Henderson
The gvec form will be needed for implementing SVE2.

Extend the implementation to operate on uint64_t instead of uint32_t.
Use a counted inner loop instead of terminating when op1 goes to zero,
looking toward the required implementation for ARMv8.4-DIT.

Tested-by: Alex Bennée 
Reviewed-by: Alex Bennée 
Signed-off-by: Richard Henderson 
---
v3: Elide mask after right-shift on N, as we already do N & 1
at the top of the loop.
---
 target/arm/helper.h|  3 ++-
 target/arm/neon_helper.c   | 22 --
 target/arm/translate-a64.c | 10 +++---
 target/arm/translate.c | 11 ---
 target/arm/vec_helper.c| 30 ++
 5 files changed, 39 insertions(+), 37 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index 459a278b5c..82450a3f96 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -342,7 +342,6 @@ DEF_HELPER_2(neon_sub_u8, i32, i32, i32)
 DEF_HELPER_2(neon_sub_u16, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u8, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u16, i32, i32, i32)
-DEF_HELPER_2(neon_mul_p8, i32, i32, i32)
 DEF_HELPER_2(neon_mull_p8, i64, i32, i32)
 
 DEF_HELPER_2(neon_tst_u8, i32, i32, i32)
@@ -696,6 +695,8 @@ DEF_HELPER_FLAGS_4(gvec_sshl_h, TCG_CALL_NO_RWG, void, ptr, 
ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index c581ffb7d3..9e7a9a1ac5 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -1131,28 +1131,6 @@ NEON_VOP(mul_u16, neon_u16, 2)
 
 /* Polynomial multiplication is like integer multiplication except the
partial products are XORed, not added.  */
-uint32_t HELPER(neon_mul_p8)(uint32_t op1, uint32_t op2)
-{
-uint32_t mask;
-uint32_t result;
-result = 0;
-while (op1) {
-mask = 0;
-if (op1 & 1)
-mask |= 0xff;
-if (op1 & (1 << 8))
-mask |= (0xff << 8);
-if (op1 & (1 << 16))
-mask |= (0xff << 16);
-if (op1 & (1 << 24))
-mask |= (0xff << 24);
-result ^= op2 & mask;
-op1 = (op1 >> 1) & 0x7f7f7f7f;
-op2 = (op2 << 1) & 0xfefefefe;
-}
-return result;
-}
-
 uint64_t HELPER(neon_mull_p8)(uint32_t op1, uint32_t op2)
 {
 uint64_t result = 0;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index e42dcfebdd..c96ed28f9d 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -11160,9 +11160,10 @@ static void disas_simd_3same_int(DisasContext *s, 
uint32_t insn)
 case 0x13: /* MUL, PMUL */
 if (!u) { /* MUL */
 gen_gvec_fn3(s, is_q, rd, rn, rm, tcg_gen_gvec_mul, size);
-return;
+} else {  /* PMUL */
+gen_gvec_op3_ool(s, is_q, rd, rn, rm, 0, gen_helper_gvec_pmul_b);
 }
-break;
+return;
 case 0x12: /* MLA, MLS */
 if (u) {
 gen_gvec_op3(s, is_q, rd, rn, rm, &mls_op[size]);
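
Review bot: In `case 0x13`, the new `else` branch sends every `u` encoding to `gen_helper_gvec_pmul_b`, a byte-only helper, and the `assert(size == 0)` that documented this restriction is deleted in the next hunk. The aarch32 side of this patch keeps an explicit `if (size != 0)` rejection in `NEON_3R_VMUL`; here no size check is visible, so either keep the assert inside the PMUL branch or add a comment saying where size was validated before this switch.
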
@@ -11292,11 +11293,6 @@ static void disas_simd_3same_int(DisasContext *s, 
uint32_t insn)
 genfn = fns[size][u];
 break;
 }
-case 0x13: /* MUL, PMUL */
-assert(u); /* PMUL */
-assert(size == 0);
-genfn = gen_helper_neon_mul_p8;
-break;
 case 0x16: /* SQDMULH, SQRDMULH */
 {
 static NeonGenTwoOpEnvFn * const fns[2][2] = {
diff --git a/target/arm/translate.c b/target/arm/translate.c
index c4dd14e053..4581373e31 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -5007,16 +5007,17 @@ static int disas_neon_data_insn(DisasContext *s, 
uint32_t insn)
 
 case NEON_3R_VMUL: /* VMUL */
 if (u) {
-/* Polynomial case allows only P8 and is handled below.  */
+/* Polynomial case allows only P8.  */
 if (size != 0) {
 return 1;
 }
+tcg_gen_gvec_3_ool(rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size,
+   0, gen_helper_gvec_pmul_b);
 } else {
 tcg_gen_gvec_mul(size, rd_ofs, rn_ofs, rm_ofs,
  vec_size, vec_size);
-return 0;
 }
-break;
+return 0;
 
 case NEON_3R_VML: /* VMLA, VMLS */
 tcg_gen_gvec_3(rd_ofs, rn_ofs, rm_ofs, vec_size, vec_size,
@@ -5206,10 +5207,6 @@ static int disas_neon_data_insn(DisasContext *s, 
uint32_t insn)
 tmp2 = neon_load_reg(rd, pass);
 gen_neon_add(size, tmp, tmp2);
 break;
-case NEON_3R_VMUL:
-/* VMUL.P8; other

[PATCH v2 0/4] target/arm vector improvements

2020-02-16 Thread Richard Henderson
Changes for v2:

* Rename function arguments as requested by ajb.
* Minor optimization in helper_gvec_pmul_b.

Original blurb:

The first patch has been seen before.

  https://patchwork.ozlabs.org/patch/1115039/

It had a bug and I didn't fix it right away and then forgot.
Fixed now; I had mixed up the operand ordering for aarch32.

The next 3 are something that I noticed while doing other stuff.

In particular, pmull is used heavily during https transfers.
While cloning a repository, the old code peaks at 27% of the
total runtime, as measured by perf top.  The new code does
not quite reach 3% repeating the same clone.

In addition, the new helper functions are in the form that
will be required for the implementation of SVE2.


r~

Richard Henderson (4):
  target/arm: Vectorize USHL and SSHL
  target/arm: Convert PMUL.8 to gvec
  target/arm: Convert PMULL.64 to gvec
  target/arm: Convert PMULL.8 to gvec

 target/arm/helper-sve.h|   2 +
 target/arm/helper.h|  21 ++-
 target/arm/translate.h |   6 +
 target/arm/neon_helper.c   | 117 -
 target/arm/translate-a64.c |  83 -
 target/arm/translate.c | 348 -
 target/arm/vec_helper.c| 211 ++
 7 files changed, 560 insertions(+), 228 deletions(-)

-- 
2.20.1
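
The PMUL.8 commit message in this series describes widening the helper to uint64_t and replacing the "stop when op1 reaches zero" loop with a counted one, with ARMv8.4-DIT in mind. The C program below is an added example, not code from the series or from QEMU; every function name in it is hypothetical. It packs eight 8-bit polynomial lanes into a uint64_t and contrasts an early-exit loop (the shape of the removed neon_mul_p8, widened to 64 bits) with a counted loop whose iteration count does not depend on the operands.

```c
#include <stdint.h>
#include <stdio.h>

#define LANE_LSB 0x0101010101010101ull   /* bit 0 of every byte lane */
#define LANE_LO7 0x7f7f7f7f7f7f7f7full   /* low 7 bits of every lane */
#define LANE_HI7 0xfefefefefefefefeull   /* high 7 bits of every lane */

/* Reference only: one 8-bit lane of carry-less multiply, low 8 bits kept. */
static uint8_t pmul8_lane(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        if ((a >> i) & 1) {
            r ^= (uint8_t)(b << i);   /* partial products are XORed */
        }
    }
    return r;
}

/* Reference for eight packed lanes, computed lane by lane. */
uint64_t pmul8x8_ref(uint64_t n, uint64_t m)
{
    uint64_t r = 0;
    for (int lane = 0; lane < 8; lane++) {
        uint8_t a = (uint8_t)(n >> (8 * lane));
        uint8_t b = (uint8_t)(m >> (8 * lane));
        r |= (uint64_t)pmul8_lane(a, b) << (8 * lane);
    }
    return r;
}

/*
 * Early-exit form: the loop ends once no multiplier bits remain, so the
 * iteration count (returned through iters) reveals the position of the
 * highest set bit in any lane of n.
 */
uint64_t pmul8x8_early_exit(uint64_t n, uint64_t m, int *iters)
{
    uint64_t r = 0;
    *iters = 0;
    while (n) {
        uint64_t mask = (n & LANE_LSB) * 0xff;  /* 0x00 or 0xff per lane */
        r ^= m & mask;
        n = (n >> 1) & LANE_LO7;  /* mask needed so n really reaches zero */
        m = (m << 1) & LANE_HI7;
        (*iters)++;
    }
    return r;
}

/*
 * Counted form: always eight iterations.  No mask is needed after the
 * right shift, because a bit that crosses into the lane below needs at
 * least eight shifts to reach bit 0 of that lane.
 */
uint64_t pmul8x8_counted(uint64_t n, uint64_t m)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint64_t mask = (n & LANE_LSB) * 0xff;
        r ^= m & mask;
        n >>= 1;
        m = (m << 1) & LANE_HI7;
    }
    return r;
}

/* Number of iterations the early-exit form performs for multiplier n. */
int early_exit_iters(uint64_t n)
{
    int iters;
    (void)pmul8x8_early_exit(n, 0, &iters);
    return iters;
}

static uint64_t xorshift64(uint64_t *s)
{
    *s ^= *s << 13;
    *s ^= *s >> 7;
    *s ^= *s << 17;
    return *s;
}

/* Check both packed forms against the reference on constructed inputs. */
int pmul_selfcheck(unsigned rounds)
{
    uint64_t seed = 0x9e3779b97f4a7c15ull;   /* constructed test seed */
    int mismatches = 0, iters;
    for (unsigned k = 0; k < rounds; k++) {
        uint64_t n = xorshift64(&seed), m = xorshift64(&seed);
        uint64_t want = pmul8x8_ref(n, m);
        mismatches += pmul8x8_counted(n, m) != want;
        mismatches += pmul8x8_early_exit(n, m, &iters) != want;
    }
    return mismatches;
}

int main(void)
{
    printf("mismatches over 10000 inputs: %d\n", pmul_selfcheck(10000));
    printf("early-exit iterations: n=0x01 -> %d, n=0x80 -> %d\n",
           early_exit_iters(0x01), early_exit_iters(0x80));
    return 0;
}
```

Both forms return the same products; only the early-exit form's running time varies with the multiplier, which is the property a data-independent-timing implementation has to avoid.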




[PATCH v2 3/4] target/arm: Convert PMULL.64 to gvec

2020-02-16 Thread Richard Henderson
The gvec form will be needed for implementing SVE2.

Tested-by: Alex Bennée 
Reviewed-by: Alex Bennée 
Signed-off-by: Richard Henderson 
---
 target/arm/helper.h|  4 +---
 target/arm/neon_helper.c   | 30 --
 target/arm/translate-a64.c | 28 +++-
 target/arm/translate.c | 16 ++--
 target/arm/vec_helper.c| 33 +
 5 files changed, 39 insertions(+), 72 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index 82450a3f96..4352fae3db 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -562,9 +562,6 @@ DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, 
i32, i32)
 DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_2(dc_zva, void, env, i64)
 
-DEF_HELPER_FLAGS_2(neon_pmull_64_lo, TCG_CALL_NO_RWG_SE, i64, i64, i64)
-DEF_HELPER_FLAGS_2(neon_pmull_64_hi, TCG_CALL_NO_RWG_SE, i64, i64, i64)
-
 DEF_HELPER_FLAGS_5(gvec_qrdmlah_s16, TCG_CALL_NO_RWG,
void, ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(gvec_qrdmlsh_s16, TCG_CALL_NO_RWG,
@@ -696,6 +693,7 @@ DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, 
ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index 9e7a9a1ac5..6a107da0e1 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -2152,33 +2152,3 @@ void HELPER(neon_zip16)(void *vd, void *vm)
 rm[0] = m0;
 rd[0] = d0;
 }
-
-/* Helper function for 64 bit polynomial multiply case:
- * perform PolynomialMult(op1, op2) and return either the top or
- * bottom half of the 128 bit result.
- */
-uint64_t HELPER(neon_pmull_64_lo)(uint64_t op1, uint64_t op2)
-{
-int bitnum;
-uint64_t res = 0;
-
-for (bitnum = 0; bitnum < 64; bitnum++) {
-if (op1 & (1ULL << bitnum)) {
-res ^= op2 << bitnum;
-}
-}
-return res;
-}
-uint64_t HELPER(neon_pmull_64_hi)(uint64_t op1, uint64_t op2)
-{
-int bitnum;
-uint64_t res = 0;
-
-/* bit 0 of op1 can't influence the high 64 bits at all */
-for (bitnum = 1; bitnum < 64; bitnum++) {
-if (op1 & (1ULL << bitnum)) {
-res ^= op2 >> (64 - bitnum);
-}
-}
-return res;
-}
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index c96ed28f9d..6ce1131860 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -10648,30 +10648,6 @@ static void handle_3rd_narrowing(DisasContext *s, int 
is_q, int is_u, int size,
 clear_vec_high(s, is_q, rd);
 }
 
-static void handle_pmull_64(DisasContext *s, int is_q, int rd, int rn, int rm)
-{
-/* PMULL of 64 x 64 -> 128 is an odd special case because it
- * is the only three-reg-diff instruction which produces a
- * 128-bit wide result from a single operation. However since
- * it's possible to calculate the two halves more or less
- * separately we just use two helper calls.
- */
-TCGv_i64 tcg_op1 = tcg_temp_new_i64();
-TCGv_i64 tcg_op2 = tcg_temp_new_i64();
-TCGv_i64 tcg_res = tcg_temp_new_i64();
-
-read_vec_element(s, tcg_op1, rn, is_q, MO_64);
-read_vec_element(s, tcg_op2, rm, is_q, MO_64);
-gen_helper_neon_pmull_64_lo(tcg_res, tcg_op1, tcg_op2);
-write_vec_element(s, tcg_res, rd, 0, MO_64);
-gen_helper_neon_pmull_64_hi(tcg_res, tcg_op1, tcg_op2);
-write_vec_element(s, tcg_res, rd, 1, MO_64);
-
-tcg_temp_free_i64(tcg_op1);
-tcg_temp_free_i64(tcg_op2);
-tcg_temp_free_i64(tcg_res);
-}
-
 /* AdvSIMD three different
  *   31  30  29 28   24 23  22  21 20  16 1512 11 10 95 40
  * +---+---+---+---+--+---+--++-+--+--+
@@ -10736,7 +10712,9 @@ static void disas_simd_three_reg_diff(DisasContext *s, 
uint32_t insn)
 if (!fp_access_check(s)) {
 return;
 }
-handle_pmull_64(s, is_q, rd, rn, rm);
+/* The Q field specifies lo/hi half input for this insn.  */
+gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
+ gen_helper_gvec_pmull_q);
 return;
 }
 goto is_widening;
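
Review bot: In the new `gen_gvec_op3_ool()` call, the literal `true` sits where the other callers in this series pass `is_q`, and the real `is_q` moves to the data argument; the added comment explains only the second half. The removed `handle_pmull_64()` comment recorded that this insn produces a 128-bit wide result from a single operation; carrying one line of that over would explain why the vector size is forced to full width and keep `true, ..., is_q` from being read as a transposition.
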
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 4581373e31..e2dbafa161 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -5870,23 +5870,11 @@ static int disas_neon_data_insn(DisasContext *s, 
uint32_t insn)
  * outside the loop below as it only performs a single pass.
  */
 if (op == 14 && size == 2) {
-TCGv_i64 tcg_rn, tcg_rm, tcg_rd;
-
 if (!dc_isar_feature(aa32_pmull, s)) {
  

[PATCH v2 1/4] target/arm: Vectorize USHL and SSHL

2020-02-16 Thread Richard Henderson
These instructions shift left or right depending on the sign
of the input, and 7 bits are significant to the shift.  This
requires several masks and selects in addition to the actual
shifts to form the complete answer.

That said, the operation is still a small improvement even for
two 64-bit elements -- 13 vector operations instead of 2 * 7
integer operations.

Reviewed-by: Alex Bennée 
Signed-off-by: Richard Henderson 
---
v2: Fix operand ordering for aa32 VSHL.
v3: Rename operand for inline tcg expanders (ajb).
---
 target/arm/helper.h|  11 +-
 target/arm/translate.h |   6 +
 target/arm/neon_helper.c   |  33 
 target/arm/translate-a64.c |  18 +--
 target/arm/translate.c | 299 +++--
 target/arm/vec_helper.c|  88 +++
 6 files changed, 389 insertions(+), 66 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index aa3d8cd08f..459a278b5c 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -303,14 +303,8 @@ DEF_HELPER_2(neon_abd_s16, i32, i32, i32)
 DEF_HELPER_2(neon_abd_u32, i32, i32, i32)
 DEF_HELPER_2(neon_abd_s32, i32, i32, i32)
 
-DEF_HELPER_2(neon_shl_u8, i32, i32, i32)
-DEF_HELPER_2(neon_shl_s8, i32, i32, i32)
 DEF_HELPER_2(neon_shl_u16, i32, i32, i32)
 DEF_HELPER_2(neon_shl_s16, i32, i32, i32)
-DEF_HELPER_2(neon_shl_u32, i32, i32, i32)
-DEF_HELPER_2(neon_shl_s32, i32, i32, i32)
-DEF_HELPER_2(neon_shl_u64, i64, i64, i64)
-DEF_HELPER_2(neon_shl_s64, i64, i64, i64)
 DEF_HELPER_2(neon_rshl_u8, i32, i32, i32)
 DEF_HELPER_2(neon_rshl_s8, i32, i32, i32)
 DEF_HELPER_2(neon_rshl_u16, i32, i32, i32)
@@ -697,6 +691,11 @@ DEF_HELPER_FLAGS_2(frint64_s, TCG_CALL_NO_RWG, f32, f32, 
ptr)
 DEF_HELPER_FLAGS_2(frint32_d, TCG_CALL_NO_RWG, f64, f64, ptr)
 DEF_HELPER_FLAGS_2(frint64_d, TCG_CALL_NO_RWG, f64, f64, ptr)
 
+DEF_HELPER_FLAGS_4(gvec_sshl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_sshl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_ushl_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/translate.h b/target/arm/translate.h
index 5b167c416a..d9ea0c99cc 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -278,6 +278,8 @@ uint64_t vfp_expand_imm(int size, uint8_t imm8);
 extern const GVecGen3 mla_op[4];
 extern const GVecGen3 mls_op[4];
 extern const GVecGen3 cmtst_op[4];
+extern const GVecGen3 sshl_op[4];
+extern const GVecGen3 ushl_op[4];
 extern const GVecGen2i ssra_op[4];
 extern const GVecGen2i usra_op[4];
 extern const GVecGen2i sri_op[4];
@@ -287,6 +289,10 @@ extern const GVecGen4 sqadd_op[4];
 extern const GVecGen4 uqsub_op[4];
 extern const GVecGen4 sqsub_op[4];
 void gen_cmtst_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
+void gen_ushl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
+void gen_sshl_i32(TCGv_i32 d, TCGv_i32 a, TCGv_i32 b);
+void gen_ushl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
+void gen_sshl_i64(TCGv_i64 d, TCGv_i64 a, TCGv_i64 b);
 
 /*
  * Forward to the isar_feature_* tests given a DisasContext pointer.
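
Review bot: The four new prototypes `gen_ushl_i32()`, `gen_sshl_i32()`, `gen_ushl_i64()` and `gen_sshl_i64()` take `(d, a, b)` with nothing saying which of `a` and `b` is the value and which is the shift count. Since the changelog for this patch records an operand-ordering fix for aa32 VSHL, a one-line comment on these declarations naming the shift operand would help the next caller get it right.
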
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index 4259056723..c581ffb7d3 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -615,24 +615,9 @@ NEON_VOP(abd_u32, neon_u32, 1)
 } else { \
 dest = src1 << tmp; \
 }} while (0)
-NEON_VOP(shl_u8, neon_u8, 4)
 NEON_VOP(shl_u16, neon_u16, 2)
-NEON_VOP(shl_u32, neon_u32, 1)
 #undef NEON_FN
 
-uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t shiftop)
-{
-int8_t shift = (int8_t)shiftop;
-if (shift >= 64 || shift <= -64) {
-val = 0;
-} else if (shift < 0) {
-val >>= -shift;
-} else {
-val <<= shift;
-}
-return val;
-}
-
 #define NEON_FN(dest, src1, src2) do { \
 int8_t tmp; \
 tmp = (int8_t)src2; \
@@ -645,27 +630,9 @@ uint64_t HELPER(neon_shl_u64)(uint64_t val, uint64_t 
shiftop)
 } else { \
 dest = src1 << tmp; \
 }} while (0)
-NEON_VOP(shl_s8, neon_s8, 4)
 NEON_VOP(shl_s16, neon_s16, 2)
-NEON_VOP(shl_s32, neon_s32, 1)
 #undef NEON_FN
 
-uint64_t HELPER(neon_shl_s64)(uint64_t valop, uint64_t shiftop)
-{
-int8_t shift = (int8_t)shiftop;
-int64_t val = valop;
-if (shift >= 64) {
-val = 0;
-} else if (shift <= -64) {
-val >>= 63;
-} else if (shift < 0) {
-val >>= -shift;
-} else {
-val <<= shift;
-}
-return val;
-}
-
 #define NEON_FN(dest, src1, src2) do { \
 int8_t tmp; \
 tmp = (int8_t)src2; \
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 7c26c3bfeb..e42dcfebdd 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -8735,9 +8735,9 @@ static void handle_3same_64(DisasContext *s, int opcode, 
bool u,
 break;
 case 0x8: /* SSHL, USHL */
 if (u) {
-gen_helper

[PATCH v2 4/4] target/arm: Convert PMULL.8 to gvec

2020-02-16 Thread Richard Henderson
We still need two different helpers, since NEON and SVE2 get the
inputs from different locations within the source vector.  However,
we can convert both to the same internal form for computation.

The sve2 helper is not used yet, but adding it with this patch
helps illustrate why the neon changes are helpful.

Tested-by: Alex Bennée 
Reviewed-by: Alex Bennée 
Signed-off-by: Richard Henderson 
---
 target/arm/helper-sve.h|  2 ++
 target/arm/helper.h|  3 +-
 target/arm/neon_helper.c   | 32 
 target/arm/translate-a64.c | 27 +++--
 target/arm/translate.c | 26 -
 target/arm/vec_helper.c| 60 ++
 6 files changed, 95 insertions(+), 55 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index 9e79182ab4..2f47279155 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -1574,3 +1574,5 @@ DEF_HELPER_FLAGS_6(sve_stdd_le_zd, TCG_CALL_NO_WG,
void, env, ptr, ptr, ptr, tl, i32)
 DEF_HELPER_FLAGS_6(sve_stdd_be_zd, TCG_CALL_NO_WG,
void, env, ptr, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_4(sve2_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
diff --git a/target/arm/helper.h b/target/arm/helper.h
index 4352fae3db..fcbf504121 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -342,7 +342,6 @@ DEF_HELPER_2(neon_sub_u8, i32, i32, i32)
 DEF_HELPER_2(neon_sub_u16, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u8, i32, i32, i32)
 DEF_HELPER_2(neon_mul_u16, i32, i32, i32)
-DEF_HELPER_2(neon_mull_p8, i64, i32, i32)
 
 DEF_HELPER_2(neon_tst_u8, i32, i32, i32)
 DEF_HELPER_2(neon_tst_u16, i32, i32, i32)
@@ -695,6 +694,8 @@ DEF_HELPER_FLAGS_4(gvec_ushl_h, TCG_CALL_NO_RWG, void, ptr, 
ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_pmul_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_pmull_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(neon_pmull_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/neon_helper.c b/target/arm/neon_helper.c
index 6a107da0e1..c7a8438b42 100644
--- a/target/arm/neon_helper.c
+++ b/target/arm/neon_helper.c
@@ -1129,38 +1129,6 @@ NEON_VOP(mul_u8, neon_u8, 4)
 NEON_VOP(mul_u16, neon_u16, 2)
 #undef NEON_FN
 
-/* Polynomial multiplication is like integer multiplication except the
-   partial products are XORed, not added.  */
-uint64_t HELPER(neon_mull_p8)(uint32_t op1, uint32_t op2)
-{
-uint64_t result = 0;
-uint64_t mask;
-uint64_t op2ex = op2;
-op2ex = (op2ex & 0xff) |
-((op2ex & 0xff00) << 8) |
-((op2ex & 0xff) << 16) |
-((op2ex & 0xff00) << 24);
-while (op1) {
-mask = 0;
-if (op1 & 1) {
-mask |= 0x;
-}
-if (op1 & (1 << 8)) {
-mask |= (0xU << 16);
-}
-if (op1 & (1 << 16)) {
-mask |= (0xULL << 32);
-}
-if (op1 & (1 << 24)) {
-mask |= (0xULL << 48);
-}
-result ^= op2ex & mask;
-op1 = (op1 >> 1) & 0x7f7f7f7f;
-op2ex <<= 1;
-}
-return result;
-}
-
 #define NEON_FN(dest, src1, src2) dest = (src1 & src2) ? -1 : 0
 NEON_VOP(tst_u8, neon_u8, 4)
 NEON_VOP(tst_u16, neon_u16, 2)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 6ce1131860..63ff042d60 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -10533,10 +10533,6 @@ static void handle_3rd_widening(DisasContext *s, int 
is_q, int is_u, int size,
 gen_helper_neon_addl_saturate_s32(tcg_passres, cpu_env,
   tcg_passres, tcg_passres);
 break;
-case 14: /* PMULL */
-assert(size == 0);
-gen_helper_neon_mull_p8(tcg_passres, tcg_op1, tcg_op2);
-break;
 default:
 g_assert_not_reached();
 }
@@ -10700,11 +10696,21 @@ static void disas_simd_three_reg_diff(DisasContext 
*s, uint32_t insn)
 handle_3rd_narrowing(s, is_q, is_u, size, opcode, rd, rn, rm);
 break;
 case 14: /* PMULL, PMULL2 */
-if (is_u || size == 1 || size == 2) {
+if (is_u) {
 unallocated_encoding(s);
 return;
 }
-if (size == 3) {
+switch (size) {
+case 0: /* PMULL.P8 */
+if (!fp_access_check(s)) {
+return;
+}
+/* The Q field specifies lo/hi half input for this insn.  */
+gen_gvec_op3_ool(s, true, rd, rn, rm, is_q,
+ gen_helper_neon_pmull_h);
+break;
+
+case 3: /* PMULL.P64 */
 if (!dc_isar_feature(aa64_pmull, s)) {
 unallocated_encoding(s);
 return;
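
Review bot: Replacing `if (is_u || size == 1 || size == 2)` with `if (is_u)` followed by `switch (size)` means sizes 1 and 2 are no longer rejected before the switch. Only `case 0` and `case 3` are visible here, so the switch needs a `default:` arm that calls `unallocated_encoding(s)` and returns; please make sure it is present. Also, `case 0` leaves with `break` while the P64 path returned directly in the previous patch, so check that whatever follows the switch is correct for the P8 path.
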
@@ -10715,9 +10721,13 @@ static void disas_simd_three_reg_diff(Disas

Re: [PATCH 2/7] commit: Remove unused bytes_written

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:07PM +0100, Kevin Wolf wrote:

The bytes_written variable is only ever written to, it serves no
purpose. This has actually been the case since the commit job was first
introduced in commit 747ff602636.

Signed-off-by: Kevin Wolf 
---
block/commit.c | 2 --
1 file changed, 2 deletions(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 3/7] commit: Fix argument order for block_job_error_action()

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:08PM +0100, Kevin Wolf wrote:

The block_job_error_action() error call in the commit job gives the
on_err and is_read arguments in the wrong order. Fix this.

(Of course, hard-coded is_read = false is wrong, too, but that's a
separate problem for a separate patch.)

Signed-off-by: Kevin Wolf 
---
block/commit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 1/7] qapi: Document meaning of 'ignore' BlockdevOnError for jobs

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:06PM +0100, Kevin Wolf wrote:

It is not obvious what 'ignore' actually means for block jobs: It could
be continuing the job and returning success in the end despite the error
(no block job does this). It could also mean continuing and returning
failure in the end (this is what stream does). And it can mean retrying
the failed request later (this is what backup, commit and mirror do).

This (somewhat inconsistent) behaviour was introduced and described for
stream and mirror in commit ae586d6158. backup and commit were


fatal: ambiguous argument 'ae586d6158': unknown revision or path not in the 
working tree.


introduced later and use the same model as mirror.

Signed-off-by: Kevin Wolf 
---
qapi/block-core.json | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 5/7] commit: Fix is_read for block_job_error_action()

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:10PM +0100, Kevin Wolf wrote:

block_job_error_action() needs to know if reading from the top node or
writing to the base node failed so that it can set the right 'operation'
in the BLOCK_JOB_ERROR QMP event.

Signed-off-by: Kevin Wolf 
---
block/commit.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 6/7] commit: Expose on-error option in QMP

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:11PM +0100, Kevin Wolf wrote:

Now that the error handling in the common block job is fixed, we can
expose the on-error option in QMP instead of hard-coding it as 'report'
in qmp_block_commit().

This fulfills the promise that the old comment in that function made,
even if a bit later than expected: "This will be part of the QMP
command, if/when the BlockdevOnError change for blkmirror makes it in".

Signed-off-by: Kevin Wolf 
---
qapi/block-core.json | 4 
blockdev.c   | 8 
2 files changed, 8 insertions(+), 4 deletions(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH 4/7] commit: Inline commit_populate()

2020-02-16 Thread Ján Tomko

On Fri, Feb 14, 2020 at 09:08:09PM +0100, Kevin Wolf wrote:

commit_populate() is a very short function and only called in a single
place. Its return value doesn't tell us whether an error happened while
reading or writing, which would be necessary for sending the right data
in the BLOCK_JOB_ERROR QMP event.

Signed-off-by: Kevin Wolf 
---
block/commit.c | 28 ++--
1 file changed, 6 insertions(+), 22 deletions(-)



Reviewed-by: Ján Tomko 

Jano




Re: [PATCH v3] Implement the Screamer sound chip for the mac99 machine type

2020-02-16 Thread BALATON Zoltan

On Sun, 16 Feb 2020, Howard Spoelstra wrote:

On Sun, Feb 16, 2020 at 5:32 PM John Arbuckle 
wrote:

diff --git a/hw/audio/screamer.c b/hw/audio/screamer.c
new file mode 100644
index 00..ad4aba12eb
--- /dev/null
+++ b/hw/audio/screamer.c
@@ -0,0 +1,983 @@
+/*
+ * File: Screamer.c
+ * Description: Implement the Screamer sound chip used in Apple
Macintoshes.
+ * It works by filling a buffer, then playing the buffer.
+ */


Do you need a copyright and license header here? Especially if this is not 
all your original work but based on previous code (don't know if it is 
just saying in case as I know Mark also had some similar patches before 
but not sure how are those related if at all). If this contains code from 
somewhere else then license and author of that code may need to be 
included too.



+/* Called when the CPU writes to the memory addresses assigned to
Screamer */
+static void screamer_mmio_write(void *opaque, hwaddr addr, uint64_t
raw_value,
+unsigned size)
+{
+DPRINTF("screamer_mmio_write() called - size: %d\n", size);
+ScreamerState *state = opaque;
+uint32_t value = raw_value & 0x;
+addr = addr >> 4;
+
+switch (addr) {
+case SOUND_CONTROL_REG:
+set_sound_control_reg(state, value);
+break;
+case CODEC_CONTROL_REG:
+set_codec_control_reg(state, value);
+break;
+case CODEC_STATUS_REG:
+set_codec_status_reg(state, value);
+break;
+case CLIP_COUNT_REG:
+set_clip_count_reg(state, value);
+break;
+case BYTE_SWAP_REG:
+set_byte_swap_reg(state, value);
+break;
+case FRAME_COUNT_REG:
+set_frame_count_reg(state, value);
+break;
+default:
+DPRINTF("Unknown register write - addr:%llu\tvalue:%d\n", addr,
value);
+}
+}
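
Review bot: screamer_mmio_write() dispatches on `addr >> 4` and never looks at `size`, so a guest write of any width to any byte inside a 16-byte register window is handled as a full write to that register. If the device only accepts aligned 32-bit accesses, state that in the MemoryRegionOps (`.valid.min_access_size` / `.valid.max_access_size`) or reject other sizes at the top of this function, so the set_*_reg() helpers only ever see the access shape they were written for.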

Hi,


This patch will not compile without errors. Host is Fedora 31.
The compiler suggests changing lines 839, 842 and 878 in screamer.c so the
DPRINTF arguments use %lu instead of %llu.
With that fixed, compiling completes successfully.


Replacing with %lu may fix 32bit build but would break 64bit one. Use 
HWADDR_PRIx format string instead to print hwaddr but others will probably 
tell to remove DPRINTFs alltogether when they are not needed any more and 
replace the remaining few useful ones with traces if debugging is still 
needed. I don't mind DPRINTFs that much at least until things are stable 
enough but once the code is stable most DPRINTFs may not be needed any 
more.


I can't really review the actual patch because I don't know audio in QEMU.

Regards,
BALATON Zoltan



Re: [PATCH v2 0/4] target/arm vector improvements

2020-02-16 Thread no-reply
Patchew URL: 
https://patchew.org/QEMU/20200216214232.4230-1-richard.hender...@linaro.org/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Subject: [PATCH v2 0/4] target/arm vector improvements
Message-id: 20200216214232.4230-1-richard.hender...@linaro.org
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

From https://github.com/patchew-project/qemu
 * [new tag] patchew/20200216214232.4230-1-richard.hender...@linaro.org 
-> patchew/20200216214232.4230-1-richard.hender...@linaro.org
Switched to a new branch 'test'
2236552 target/arm: Convert PMULL.8 to gvec
8892524 target/arm: Convert PMULL.64 to gvec
a438d40 target/arm: Convert PMUL.8 to gvec
39164de target/arm: Vectorize USHL and SSHL

=== OUTPUT BEGIN ===
1/4 Checking commit 39164de944d5 (target/arm: Vectorize USHL and SSHL)
ERROR: trailing statements should be on next line
#161: FILE: target/arm/translate.c:3578:
+case 2: gen_ushl_i32(var, var, shift); break;

ERROR: trailing statements should be on next line
#168: FILE: target/arm/translate.c:3584:
+case 2: gen_sshl_i32(var, var, shift); break;

total: 2 errors, 0 warnings, 569 lines checked

Patch 1/4 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

2/4 Checking commit a438d4012b70 (target/arm: Convert PMUL.8 to gvec)
3/4 Checking commit 889252410254 (target/arm: Convert PMULL.64 to gvec)
4/4 Checking commit 2236552a4b44 (target/arm: Convert PMULL.8 to gvec)
=== OUTPUT END ===

Test command exited with code: 1


The full log is available at
http://patchew.org/logs/20200216214232.4230-1-richard.hender...@linaro.org/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

Re: [PATCH 0/2] Small clean up in target/ppc/cpu.h

2020-02-16 Thread David Gibson
On Sun, Feb 16, 2020 at 10:33:54PM +0100, BALATON Zoltan wrote:
> Just some small clean ups to improve readability of struct CPUPPCState.

Applied to ppc-for-5.0, thanks.

> BALATON Zoltan (2):
>   target/ppc/cpu.h: Move fpu related members closer in cpu env
>   target/ppc/cpu.h: Clean up comments in the struct CPUPPCState
> definition
> 
>  target/ppc/cpu.h | 146 ++-
>  1 file changed, 54 insertions(+), 92 deletions(-)
> 

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH] MAINTAINERS: Orphan MIPS KVM CPUs

2020-02-16 Thread James Hogan
On Sun, Feb 16, 2020 at 05:33:44PM +0100, Aleksandar Markovic wrote:
> OK, I will add the patch in the next MIPS queue, since I think its
> significance is more than trivial. It will be sent no later than two weeks
> from now.

Thanks Aleksandar.

> I just wanted the patch to be in the same queue when we will
> provide replacement. But, honestly, if the factual state lasted that long,
> I don't see the reason for such sudden hurry, do you?

Yes.

My main reasons for not wanting this dragged out any longer are:

1) Personally, I just want to let go of it now, and that's slightly
   harder to do when I'm still keeping an eye on whether this patch is
   merged yet, or worse, waiting for Wave to act.

2) In principle it feels wrong to delay a maintainer's name being
   removed at their own request (even if it came late!) for an
   indeterminate amount of time. This patch simply shouldn't be blocked
   waiting for Wave to make a decision I've been waiting to see if it
   would make for too long already.

3) Maybe publicly recognising the orphaned state might motivate Wave or
   others to step up and take a lead with further development.

> Of course I respect James' decision, although I am truly sorry about it.
> My only slight objection is that James should have sent this patch sooner,
> rather than just leave an impression that there is a maintainer, while in
> fact there wasn't. What did you wait?

LOL, well I doubt MIPS (as a company) was under any illusion since they
pulled the trigger :-P

Seriously though, I intended to keep an eye on things in my own time
(both on kernel & QEMU side) and just be ready to answer questions and
hand over the reins if/when somebody from Wave got up to speed. I was
probably also wary of making MIPS look bad for closing their UK
operation (again) and "orphaning" my code (that I was probably too
emotionally invested in, LOL!).

In practice Paul took care of the MIPS arch stuff and there was
virtually no activity on the MIPS KVM front from Wave so real life
mostly pushed it off my radar. I did discuss orphaning it with Paul last
year but there was mention of Wave folk getting up to speed with it so I
held off for a bit longer.

Anyway FWIW I'm sorry for any confusion caused by my hesitation.

> But, never mind, I understand your
> hesitation. The best outcome would be that James remained in that role (I
> do remember him as an excellent, thorough engineer, that is approachable
> and very helpful to others), but what can we do now. I wish we work
> together in future, who knows? Thanks, James, for taking care of KVM for
> MIPS for a number of years!

Thanks, my pleasure.

Cheers
James



[Bug 1863526] [NEW] NVIC CCR register not 8-bit accessible using Cortex-M4

2020-02-16 Thread Philippe Mathieu-Daudé
Public bug reported:

Head at commit b29c3e23f64938.

Running with '-d unimp,guest_errors -trace nvic\*' I get:

8871@1581892794.295746:nvic_sysreg_read NVIC sysreg read addr 0xd88 data 0xf0 size 4
8871@1581892794.295752:nvic_sysreg_write NVIC sysreg write addr 0xd88 data 0xf0 size 4
8871@1581892794.297780:nvic_sysreg_write NVIC sysreg write addr 0xd08 data 0x4200 size 4
8871@1581892794.298040:nvic_sysreg_write NVIC sysreg write addr 0xd15 data 0x0 size 1
NVIC: Bad write of size 1 at offset 0xd15
8871@1581892794.298081:nvic_sysreg_write NVIC sysreg write addr 0xd16 data 0x0 size 1
NVIC: Bad write of size 1 at offset 0xd16
8871@1581892794.298116:nvic_sysreg_write NVIC sysreg write addr 0xd17 data 0x0 size 1
NVIC: Bad write of size 1 at offset 0xd17
8871@1581892794.298156:nvic_sysreg_write NVIC sysreg write addr 0xd18 data 0x0 size 1
8871@1581892794.298161:nvic_set_prio NVIC set irq 4 secure-bank 0 priority 0
8871@1581892794.298164:nvic_recompute_state NVIC state recomputed: vectpending 0 vectpending_prio 256 exception_prio 256
8871@1581892794.298168:nvic_irq_update NVIC vectpending 0 pending prio 256 exception_prio 256: setting irq line to 0
8871@1581892794.298201:nvic_sysreg_write NVIC sysreg write addr 0xd19 data 0x0 size 1
8871@1581892794.298206:nvic_set_prio NVIC set irq 5 secure-bank 0 priority 0

** Affects: qemu
 Importance: Undecided
 Status: New


** Tags: arm nvic

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863526

Title:
  NVIC CCR register not 8-bit accessible using Cortex-M4

Status in QEMU:
  New




[Bug 1863526] Re: NVIC CCR register not 8-bit accessible using Cortex-M4

2020-02-16 Thread Philippe Mathieu-Daudé
I am not sure this register can not be accessed differently than 32-bit.
Still I used this patch as a kludge, but it doesn't seem a clean fix:

-- >8 --
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -2160,6 +2161,10 @@ static MemTxResult nvic_sysreg_read(void *opaque, hwaddr 
addr,
 }
 }
 break;
+case 0xd14 ... 0xd17: /* Configuration and Control Register */
+val = extract32(nvic_readl(s, offset & ~3, attrs),
+(offset - 0xd14) * 8, size * 8);
+break;
 case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
 if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
 val = 0;
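
Review bot: in the new `case 0xd14 ... 0xd17` of nvic_sysreg_read(), the extract32() start is `(offset - 0xd14) * 8` and the length is `size * 8`, so an access that runs past the end of the word (for example a 2-byte read at 0xd17) gives start + length > 32, which extract32() asserts against. Unless misaligned accesses are already filtered out before this switch, check `(offset & 3) + size <= 4` first and take the bad-access path otherwise.
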
@@ -2282,6 +2287,11 @@ static MemTxResult nvic_sysreg_write(void *opaque, 
hwaddr addr,
 }
 nvic_irq_update(s);
 goto exit_ok;
+case 0xd14 ... 0xd17: /* Configuration and Control Register */
+value = deposit32(value, (offset - 0xd14) * 8, size * 8,
+  nvic_readl(s, offset & ~3, attrs));
+nvic_writel(s, offset & ~3, value, attrs);
+goto exit_ok;
 case 0xd18 ... 0xd1b: /* System Handler Priority (SHPR1) */
 if (!arm_feature(&s->cpu->env, ARM_FEATURE_M_MAIN)) {
 goto exit_ok;
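
Review bot: the deposit32() arguments in the new `case 0xd14 ... 0xd17` of nvic_sysreg_write() look swapped. deposit32(value, start, length, fieldval) inserts fieldval into value, so as written the low bits of the current register contents are inserted into the guest-supplied `value`, instead of the guest's bytes being merged into the register. A read-modify-write would be `deposit32(nvic_readl(s, offset & ~3, attrs), (offset - 0xd14) * 8, size * 8, value)`, and the start/length pair needs `(offset & 3) + size <= 4` to stay within deposit32()'s assertion.
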
---




Re: [PATCH v3 1/2] target/arm: Support SError injection

2020-02-16 Thread Gavin Shan

On 2/16/20 2:41 PM, Richard Henderson wrote:

On 2/13/20 9:59 PM, Gavin Shan wrote:

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index b0762a76c4..180e29fb83 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -78,7 +78,7 @@ static bool arm_cpu_has_work(CPUState *cs)
  && cs->interrupt_request &
  (CPU_INTERRUPT_FIQ | CPU_INTERRUPT_HARD
   | CPU_INTERRUPT_VFIQ | CPU_INTERRUPT_VIRQ
- | CPU_INTERRUPT_EXITTB);
+ | ARM_CPU_SERROR | CPU_INTERRUPT_EXITTB);


CPU_INTERRUPT_SERROR, not ARM_CPU_SERROR.



Yep, will be corrected in v4.


@@ -570,6 +573,16 @@ bool arm_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
  goto found;
  }
  }
+
+if (interrupt_request & CPU_INTERRUPT_SERROR) {
+excp_idx = EXCP_SERROR;
+target_el = arm_phys_excp_target_el(cs, excp_idx, cur_el, secure);
+if (arm_excp_unmasked(cs, excp_idx, target_el,
+  cur_el, secure, hcr_el2)) {
+goto found;
+}
+}
+
  return false;
  
   found:


If you're intending to use Serror for NMI, perhaps it should be the first bit
tested, not the last.  Otherwise some bug that leaves a normal hard interrupt
line high will keep delivering the interrupt, and not the Serror.

As the comment at the top of the function says, the priority is implementation
defined, so we can put it anywhere we like.



Yes, SError will have highest priority in v4.


@@ -594,13 +607,26 @@ static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int 
interrupt_request)
   * (which depends on state like BASEPRI, FAULTMASK and the
   * currently active exception).
   */
-if (interrupt_request & CPU_INTERRUPT_HARD
-&& (armv7m_nvic_can_take_pending_exception(env->nvic))) {
-cs->exception_index = EXCP_IRQ;
-cc->do_interrupt(cs);
-ret = true;
+if (!armv7m_nvic_can_take_pending_exception(env->nvic)) {
+return false;
+}
+
+if (interrupt_request & CPU_INTERRUPT_HARD) {
+excp_idx = EXCP_IRQ;
+goto found;
  }
-return ret;
+
+if (interrupt_request & CPU_INTERRUPT_SERROR) {
+excp_idx = EXCP_SERROR;
+goto found;
+}
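
Review bot: in arm_v7m_cpu_exec_interrupt() the new early `return false` when armv7m_nvic_can_take_pending_exception() fails now also gates the CPU_INTERRUPT_SERROR branch, and per the comment above it that check depends on BASEPRI, FAULTMASK and the currently active exception. If SError is meant to be deliverable regardless of NVIC masking, test it before that return; if it is meant to be subject to the same masking as EXCP_IRQ, say so in a comment so the ordering is clearly intentional.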


Likewise.



Thanks, SError will have highest priority in v4.


-qdev_init_gpio_in(DEVICE(cpu), arm_cpu_kvm_set_irq, 4);
+qdev_init_gpio_in(DEVICE(cpu), arm_cpu_kvm_set_irq, 5);
  } else {
-qdev_init_gpio_in(DEVICE(cpu), arm_cpu_set_irq, 4);
+qdev_init_gpio_in(DEVICE(cpu), arm_cpu_set_irq, 5);


I wonder if we should have an ARM_CPU_NUM_IRQ define so that this is more
automatic.



Yes, it makes sense. ARM_CPU_NUM_IRQ will be introduced in v4.


@@ -98,10 +100,11 @@ enum {
  #endif
  
  /* Meanings of the ARMCPU object's four inbound GPIO lines */

-#define ARM_CPU_IRQ 0
-#define ARM_CPU_FIQ 1
-#define ARM_CPU_VIRQ 2
-#define ARM_CPU_VFIQ 3
+#define ARM_CPU_IRQ0
+#define ARM_CPU_FIQ1
+#define ARM_CPU_VIRQ   2
+#define ARM_CPU_VFIQ   3
+#define ARM_CPU_SERROR 4


Comment is now wrong about the count.



Yes, it will be corrected to "ARMCPU object's inbound GPIO lines" in v4.

Thanks,
Gavin




[Bug 1863508] Re: qemu-system-arm stops with SIGSEGV in helper_gvec_eq16

2020-02-16 Thread Richard Henderson
** Changed in: qemu
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863508

Title:
  qemu-system-arm stops with SIGSEGV in helper_gvec_eq16

Status in QEMU:
  In Progress

Bug description:
  Segmentation fault when trying to start FreeBSD-arm system with qemu-
  system-arm (version 4.1.1 on Fedora 31)

  Commandline:
  gdb -q --args /bin/qemu-system-arm \
   -name FreeBSD12,debug-threads=on \
   -m 1536 -machine virt -smp 2 \
   -M virt,highmem=off -serial mon:stdio -monitor telnet::45452,server,nowait \
   -machine virt,accel=tcg,usb=off,dump-guest-core=off,gic-version=2 \
   -overcommit mem-lock=off -no-reboot -device virtio-rng-device \
   -bios u-boot-qemu.bin \
   -drive file=FreeBSD-12.1-RELEASE-arm-armv7-CUBIEBOARD2.img,if=none,id=drive0,format=raw \
   -device ich9-ahci,id=ahci -device ide-drive,drive=drive0,bus=ahci.0

  Results:
  
  Mounting local filesystems:.

  Thread 4 "CPU 1/TCG" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fffcedfe700 (LWP 53608)]
  0x558d9332 in helper_gvec_eq16 (d=0x566748d8, a=0x566748e0, b=0x566748d0, desc=0) at /usr/src/debug/qemu-4.1.1-1.fc31.x86_64/accel/tcg/tcg-runtime-gvec.c:948
  948 DO_CMP2(16)

  Tested different versions of qemu. qemu-3.0.1 worked, but qemu-3.1.1
  failed with the same error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1863508/+subscriptions



[Bug 1863508] Re: qemu-system-arm stops with SIGSEGV in helper_gvec_eq16

2020-02-16 Thread Richard Henderson
I infer from the traceback that your host does not support AVX1.

** Changed in: qemu
   Status: Incomplete => In Progress

** Changed in: qemu
 Assignee: (unassigned) => Richard Henderson (rth)




Re: [PATCH] ppc: free 'fdt' after reset the machine

2020-02-16 Thread David Gibson
On Sat, Feb 15, 2020 at 09:30:56AM +0800, Pan Nengyuan wrote:
> 
> 
> On 2/14/2020 11:48 PM, Greg Kurz wrote:
> > On Fri, 14 Feb 2020 11:32:06 +0800
> >  wrote:
> > 
> >> From: Pan Nengyuan 
> >>
> >> 'fdt' forgot to clean both e500 and pnv when we call 'system_reset' on ppc,
> >> this patch fixes it. The leak stacks are as follows:
> >>
> >> Direct leak of 4194304 byte(s) in 4 object(s) allocated from:
> >> #0 0x7fafe37dd970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
> >> #1 0x7fafe2e3149d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
> >> #2 0x561876f7f80d in create_device_tree 
> >> /mnt/sdb/qemu-new/qemu/device_tree.c:40
> >> #3 0x561876b7ac29 in ppce500_load_device_tree 
> >> /mnt/sdb/qemu-new/qemu/hw/ppc/e500.c:364
> >> #4 0x561876b7f437 in ppce500_reset_device_tree 
> >> /mnt/sdb/qemu-new/qemu/hw/ppc/e500.c:617
> >> #5 0x56187718b1ae in qemu_devices_reset 
> >> /mnt/sdb/qemu-new/qemu/hw/core/reset.c:69
> >> #6 0x561876f6938d in qemu_system_reset /mnt/sdb/qemu-new/qemu/vl.c:1412
> >> #7 0x561876f6a25b in main_loop_should_exit 
> >> /mnt/sdb/qemu-new/qemu/vl.c:1645
> >> #8 0x561876f6a398 in main_loop /mnt/sdb/qemu-new/qemu/vl.c:1679
> >> #9 0x561876f7da8e in main /mnt/sdb/qemu-new/qemu/vl.c:4438
> >> #10 0x7fafde16b812 in __libc_start_main ../csu/libc-start.c:308
> >> #11 0x5618765c055d in _start 
> >> (/mnt/sdb/qemu-new/qemu/build/ppc64-softmmu/qemu-system-ppc64+0x2b1555d)
> >>
> >> Direct leak of 1048576 byte(s) in 1 object(s) allocated from:
> >> #0 0x7fc0a6f1b970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
> >> #1 0x7fc0a656f49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
> >> #2 0x55eb05acd2ca in pnv_dt_create 
> >> /mnt/sdb/qemu-new/qemu/hw/ppc/pnv.c:507
> >> #3 0x55eb05ace5bf in pnv_reset /mnt/sdb/qemu-new/qemu/hw/ppc/pnv.c:578
> >> #4 0x55eb05f2f395 in qemu_system_reset /mnt/sdb/qemu-new/qemu/vl.c:1410
> >> #5 0x55eb05f43850 in main /mnt/sdb/qemu-new/qemu/vl.c:4403
> >> #6 0x7fc0a18a9812 in __libc_start_main ../csu/libc-start.c:308
> >> #7 0x55eb0558655d in _start 
> >> (/mnt/sdb/qemu-new/qemu/build/ppc64-softmmu/qemu-system-ppc64+0x2b1555d)
> >>
> >> Reported-by: Euler Robot 
> > 
> > The recipient list and 'git log' seem to agree on the fact that 'Euler 
> > Robot'
> > has its own email address, that is not yours ;-)
> > 
> > Reported-by: Euler Robot 
> > 
> > I guess David can fix this when applying the patch. No need to repost
> > unless explicitly asked to do so.
> 
> Yes, your guess is right. I'm sorry for my carelessness.

Corrected inline and merged, thanks.

Oddly, the original mail of this series didn't seem to appear in my
inbox, although the replies did, even though I see that you've CCed
me.

I hope that just means that it did appear and I accidentally deleted
it, not that something is wrong with my mail setup.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH v2 0/2] spapr: Fix device unplug vs CAS or migration

2020-02-16 Thread David Gibson
On Fri, Feb 14, 2020 at 04:01:16PM +0100, Greg Kurz wrote:
> While working on getting rid of CAS reboot, I realized that we currently
> don't handle device hot unplug properly in the following situations:
> 
> 1) if the device is unplugged between boot and CAS, SLOF doesn't handle
>the event, which is a known limitation. The device hence stays around
>forever (specifically, until some other event is emitted and the guest
>eventually completes the unplug or a reboot). Until we can teach SLOF
>to correctly process the full FDT at CAS, we should trigger a CAS reboot,
>like we already do for hotplug.
> 
> 2) if the guest is migrated after the event was emitted but before the
>guest could process it, the destination is unaware of the pending
>unplug operation and doesn't remove the device when the guest
>releases it. The 'unplug_requested' field of the DRC is actually state
>that should be migrated.
> 
> Changes since v1:
>- new spapr_drc_transient() helper that covers pending plug and unplug
>  situations for both CAS and migration
>- as a mechanical consequence, fix unplug for CAS and migration in the
>  same patch

Applied to ppc-for-5.0, thanks.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [PATCH] configure: Avoid compiling system tools on user build by default

2020-02-16 Thread Philippe Mathieu-Daudé
On Sun, Feb 16, 2020 at 8:27 PM Aleksandar Markovic
 wrote:
>
> 5:23 PM Sat, 15.02.2020. Philippe Mathieu-Daudé wrote:
> >
> > User-mode does not need the system tools. Do not build them by
> > default if user specified --disable-system.
> >
> > Signed-off-by: Philippe Mathieu-Daudé 
> > ---
> >  configure | 11 ++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> >
>
> It would be nice if somebody comes up with more detailed analysis on what is 
> built for --disable-system, but in fact not needed at all.

This patch disables building the following binaries on a user-only build:

- elf2dmp
- qemu-edid
- qemu-ga
- qemu-img
- qemu-io
- qemu-nbd
- ivshmem-client
- ivshmem-server

Maybe Laurent can amend that to the description, else I can respin.

> How does your change affect the size of the executable?

Their size depends on the build options used (i.e. -ggdb vs -Os -s).

The bigger difference is the build runs faster.

> > diff --git a/configure b/configure
> > index 16f94cd96b..557ca4bd04 100755
> > --- a/configure
> > +++ b/configure
> > @@ -455,7 +455,7 @@ guest_agent_ntddscsi="no"
> >  guest_agent_msi=""
> >  vss_win32_sdk=""
> >  win_sdk="no"
> > -want_tools="yes"
> > +want_tools=""
> >  libiscsi=""
> >  libnfs=""
> >  coroutine=""
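
Review bot: changing the `want_tools` default from "yes" to an empty string makes it a three-state variable (unset, yes, no), but nothing at the assignment says so. Add a short comment that empty means "decide later from $softmmu", and check that no test of `$want_tools` runs between this assignment and the block that resolves it, since such a test would now see an empty value instead of "yes".
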
> > @@ -2199,6 +2199,15 @@ else
> >  echo big/little test failed
> >  fi
> >
> > +##
> > +# system tools
> > +if test "$want_tools" != "yes" && test "$softmmu" = "no"; then
> > +want_tools=no
> > +fi
> > +if test -z "$want_tools"; then
> > +want_tools=yes
> > +fi
> > +
> >  ##
> >  # cocoa implies not SDL or GTK
> >  # (the cocoa UI code currently assumes it is always the active UI
> > --
> > 2.21.1
> >
> >



Re: [PATCH v2 07/30] qapi/block-core.json: Use literal block for ascii art

2020-02-16 Thread Philippe Mathieu-Daudé
On Sat, Feb 15, 2020 at 10:01 PM Aleksandar Markovic
 wrote:
> 9:56 PM Sat, 15.02.2020. Philippe Mathieu-Daudé wrote:
> > On Fri, Feb 14, 2020 at 12:04 AM Aleksandar Markovic
> >  wrote:
> > >
> > > 6:59 PM Thu, 13.02.2020. Peter Maydell wrote:
> > > >
> > > > The ascii-art graph
> > >
> > > Just out of curiosity, are unicode characters allowed in rst files?
> >
> > I remember 2 years ago a blind developer thanked the QEMU community to
> > still restrict commits to 80 characters, because while 4K displays are
> > available, he and other visually impaired developers could still
> > browse the QEMU codebase with their refreshable Braille display (which
> > was 80 cells). I don't know how many visually impaired developers are
> > following this project. A quick google returns " There is no concept
> > of Unicode in Braille. In that sense Braille is similar to old 8-bit
> > code pages which represented different symbols in different languages
> > for the same symbol code."
> > (https://superuser.com/questions/629443/represent-unicode-characters-in-braille).
> >
> > (I'm Cc'ing Samuel who cares about Braille displays.)
> >
>
> Got it.

AFAIK there is no particular care in the project regarding visually
impaired developers, maybe we are already using things that exclude
them.
IOW without a project policy to include visually impaired developers,
my comment is irrelevant and it shouldn't restrict the use of unicode
to improve documentation.
Personally I'd rather we keep the project open to all possible contributors.

> > >
> > > The boxes could've been rendered in a much more beautiful way using 
> > > "lines and corners" group of unicode characters.
> > >
> > > Aleksandar



Re: [PATCH v3] Implement the Screamer sound chip for the mac99 machine type

2020-02-16 Thread Programmingkid


> On Feb 16, 2020, at 4:59 PM, BALATON Zoltan  wrote:
> 
> On Sun, 16 Feb 2020, Howard Spoelstra wrote:
>> On Sun, Feb 16, 2020 at 5:32 PM John Arbuckle 
>> wrote:
>>> diff --git a/hw/audio/screamer.c b/hw/audio/screamer.c
>>> new file mode 100644
>>> index 00..ad4aba12eb
>>> --- /dev/null
>>> +++ b/hw/audio/screamer.c
>>> @@ -0,0 +1,983 @@
>>> +/*
>>> + * File: Screamer.c
>>> + * Description: Implement the Screamer sound chip used in Apple
>>> Macintoshes.
>>> + * It works by filling a buffer, then playing the buffer.
>>> + */
> 
> Do you need a copyright and license header here? Especially if this is not 
> all your original work but based on previous code (don't know if it is just 
> saying in case as I know Mark also had some similar patches before but not 
> sure how are those related if at all). If this contains code from somewhere 
> else then license and author of that code may need to be included too.

That is a good question. According to this page https://wiki.qemu.org/License, 
files that don't have licensing information default under the GNU GPL v2. I'm 
fine with that.

> 
>>> +/* Called when the CPU writes to the memory addresses assigned to
>>> Screamer */
>>> +static void screamer_mmio_write(void *opaque, hwaddr addr, uint64_t
>>> raw_value,
>>> +unsigned size)
>>> +{
>>> +DPRINTF("screamer_mmio_write() called - size: %d\n", size);
>>> +ScreamerState *state = opaque;
>>> +uint32_t value = raw_value & 0x;
>>> +addr = addr >> 4;
>>> +
>>> +switch (addr) {
>>> +case SOUND_CONTROL_REG:
>>> +set_sound_control_reg(state, value);
>>> +break;
>>> +case CODEC_CONTROL_REG:
>>> +set_codec_control_reg(state, value);
>>> +break;
>>> +case CODEC_STATUS_REG:
>>> +set_codec_status_reg(state, value);
>>> +break;
>>> +case CLIP_COUNT_REG:
>>> +set_clip_count_reg(state, value);
>>> +break;
>>> +case BYTE_SWAP_REG:
>>> +set_byte_swap_reg(state, value);
>>> +break;
>>> +case FRAME_COUNT_REG:
>>> +set_frame_count_reg(state, value);
>>> +break;
>>> +default:
>>> +DPRINTF("Unknown register write - addr:%llu\tvalue:%d\n", addr,
>>> value);
>>> +}
>>> +}
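Review bot: In screamer_mmio_write(), "addr = addr >> 4" discards the low four bits and size is only printed, never checked, so a write of any width at any offset inside a 16-byte window reaches the same register setter. Reject unexpected sizes and unaligned offsets here (or constrain them where the memory region ops are declared, which this hunk doesn't show), and report the unknown-register case through something that is not compiled out with DEBUG_SCREAMER, so stray guest writes stay visible.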
>>> 
>>> Hi,
>> 
>> This patch will not compile without errors. Host is Fedora 31.
>> The compiler suggests changing lines 839, 842 and 878 in screamer.c so the
>> DPRINTF arguments use %lu instead of %llu.
>> With that fixed, compiling completes successfully.
> 
> Replacing with %lu may fix 32bit build but would break 64bit one. Use 
> HWADDR_PRIx format string instead to print hwaddr but others will probably 
> tell to remove DPRINTFs altogether when they are not needed any more and 
> replace the remaining few useful ones with traces if debugging is still 
> needed. I don't mind DPRINTFs that much at least until things are stable 
> enough but once the code is stable most DPRINTFs may not be needed any more.
> 
> I can't really review the actual patch because I don't know audio in QEMU.
> 
> Regards,
> BALATON Zoltan

Your HWADDR_PRIx suggestion was great. I am making a small patch to test out 
your suggestion.

Thank you.




Re: [PATCH v3] Implement the Screamer sound chip for the mac99 machine type

2020-02-16 Thread Programmingkid


> On Feb 16, 2020, at 2:57 PM, Howard Spoelstra  wrote:
> 
> 
> 
> 
> On Sun, Feb 16, 2020 at 5:32 PM John Arbuckle  
> wrote:
> Signed-off-by: John Arbuckle 
> ---
> v3 changes:
> - Updated the location of patched code in hw/ppc/kconfig.
> - Removed setting the props variable in screamer.c.
> - Removed the screamer_properties variable in screamer.c.
> 
> v2 changes:
> - Fixed a bug that prevented the sampling rate from being changed.
> 
>  hw/audio/Kconfig  |   3 +
>  hw/audio/Makefile.objs|   2 +
>  hw/audio/screamer.c   | 983 
> ++
>  hw/misc/macio/macio.c |  35 +-
>  hw/ppc/Kconfig|   1 +
>  hw/ppc/mac.h  |   5 +
>  include/hw/audio/screamer.h   |  42 ++
>  include/hw/misc/macio/macio.h |   2 +
>  8 files changed, 1072 insertions(+), 1 deletion(-)
>  create mode 100644 hw/audio/screamer.c
>  create mode 100644 include/hw/audio/screamer.h
> 
> diff --git a/hw/audio/Kconfig b/hw/audio/Kconfig
> index e9c6fed826..196da6c3fe 100644
> --- a/hw/audio/Kconfig
> +++ b/hw/audio/Kconfig
> @@ -50,3 +50,6 @@ config CS4231
> 
>  config MARVELL_88W8618
>  bool
> +
> +config SCREAMER
> +bool
> diff --git a/hw/audio/Makefile.objs b/hw/audio/Makefile.objs
> index 63db383709..55906886bc 100644
> --- a/hw/audio/Makefile.objs
> +++ b/hw/audio/Makefile.objs
> @@ -15,4 +15,6 @@ common-obj-$(CONFIG_CS4231) += cs4231.o
>  common-obj-$(CONFIG_MARVELL_88W8618) += marvell_88w8618.o
>  common-obj-$(CONFIG_MILKYMIST) += milkymist-ac97.o
> 
> +common-obj-$(CONFIG_SCREAMER) += screamer.o
> +
>  common-obj-y += soundhw.o
> diff --git a/hw/audio/screamer.c b/hw/audio/screamer.c
> new file mode 100644
> index 00..ad4aba12eb
> --- /dev/null
> +++ b/hw/audio/screamer.c
> @@ -0,0 +1,983 @@
> +/*
> + * File: Screamer.c
> + * Description: Implement the Screamer sound chip used in Apple Macintoshes.
> + * It works by filling a buffer, then playing the buffer.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "audio/audio.h"
> +#include "hw/hw.h"
> +#include "hw/irq.h"
> +#include 
> +#include "hw/ppc/mac.h"
> +#include "hw/qdev-properties.h"
> +#include "migration/vmstate.h"
> +#include "include/hw/audio/screamer.h"
> +
> +#define DEBUG_SCREAMER 0
> +#define DPRINTF(fmt, ...) \
> +do { if (DEBUG_SCREAMER) { printf(fmt , ## __VA_ARGS__); } } while (0)
> +
> +#define SOUND_CONTROL_REG  0
> +#define CODEC_CONTROL_REG  1
> +#define CODEC_STATUS_REG   2
> +#define CLIP_COUNT_REG 3
> +#define BYTE_SWAP_REG  4
> +#define FRAME_COUNT_REG5
> +
> +#define AWACS_BUSY 0x0100
> +
> +/* Used with AWACS register 1 */
> +#define RECALIBRATE 0x004
> +#define LOOPTHRU0x040
> +#define SPEAKER_MUTE0x080
> +#define HEADPHONE_MUTE  0x200
> +#define OUTPUT_ZERO 0x400
> +#define OUTPUT_ONE  0x800
> +#define PARALLEL_OUTPUT 0xc00
> +
> +/* Function prototypes */
> +static uint32_t set_busy_bit(uint32_t value, int bit);
> +static uint32_t set_part_ready_bit(uint32_t value, int bit_value);
> +static uint32_t set_revision(uint32_t input_value);
> +static uint32_t set_manufacturer(uint32_t input_value);
> +static int get_sampling_rate(ScreamerState *s);
> +static uint32_t get_frame_count_reg(ScreamerState *s);
> +static void add_to_speaker_buffer(DBDMA_io *io);
> +static void dma_request(DBDMA_io *io);
> +
> +
> +/ Getters */
> +
> +/* Returns the codec control register's encoded AWACS address */
> +static uint8_t get_codec_control_address(uint32_t value)
> +{
> +uint8_t return_value;
> +return_value = (value >> 12) & 0x0fff;
> +return return_value;
> +}
> +
> +
> +static uint32_t get_sound_control_reg(ScreamerState *s)
> +{
> +DPRINTF("%s() called - returned 0x%x\n", __func__, s->sound_control);
> +return s->sound_control;
> +}
> +
> +/* The AWACS registers are accessed thru this register */
> +static uint32_t get_codec_control_reg(ScreamerState *s)
> +{
> +int awacs_register = get_codec_control_address(s->codec_control);
> +uint32_t return_value = s->awacs[awacs_register];
> +return_value = set_busy_bit(return_value, 0); /* Tell CPU we are ready */
> +DPRINTF("%s() called - returned 0x%x\tAWACS register: %d\n", __func__,
> +return_value, awacs_register);
> +return return_value;
> +}
> +
> +/*
> + * Determines if the readback bit is set.
> + * It is used by the Codec Control register.
> + */
> +static bool readback_enabled(ScreamerState *s)
> +{
> +/* Note: bit zero is the readback enabled bit */
> +if (s->awacs[7] & 1) {
> +return true;
> +} else {
> +return false;
> +}
> +}
> +
> +static uint32_t get_codec_status_reg(ScreamerState *s)
> +{
> +uint32_t return_value;
> +
> +/* if in readback mode - return AWACS register value */
> +if (readback_enabled(s)) {
> +int awacs_register = (s->awacs[7] & 0xe) >> 1;
> +   
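Review bot: get_codec_control_address() masks with 0x0fff but returns uint8_t, so the value is silently truncated to 0..255, and get_codec_control_reg() then uses it to index s->awacs[] with no bounds check. Assuming codec_control is filled from guest writes, this is an out-of-bounds read unless awacs[] really has 256 entries (its declaration is in screamer.h, not shown here); mask to the actual number of AWACS registers and make the mask and the return type agree. readback_enabled() can also simply return (s->awacs[7] & 1) instead of the if/else.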

[PATCH 1/3] migration/colo: wrap incoming checkpoint process into new helper

2020-02-16 Thread Hailiang Zhang
Split checkpoint incoming process into a helper.

Signed-off-by: Hailiang Zhang 
---
 migration/colo.c | 260 ---
 1 file changed, 133 insertions(+), 127 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index 2c88aa57a2..93c5a452fb 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -664,13 +664,138 @@ void migrate_start_colo_process(MigrationState *s)
 qemu_mutex_lock_iothread();
 }
 
-static void colo_wait_handle_message(QEMUFile *f, int *checkpoint_request,
- Error **errp)
+static void colo_incoming_process_checkpoint(MigrationIncomingState *mis,
+  QEMUFile *fb, QIOChannelBuffer *bioc, Error **errp)
+{
+uint64_t total_size;
+uint64_t value;
+Error *local_err = NULL;
+int ret;
+
+qemu_mutex_lock_iothread();
+vm_stop_force_state(RUN_STATE_COLO);
+trace_colo_vm_state_change("run", "stop");
+qemu_mutex_unlock_iothread();
+
+/* FIXME: This is unnecessary for periodic checkpoint mode */
+colo_send_message(mis->to_src_file, COLO_MESSAGE_CHECKPOINT_REPLY,
+ &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+colo_receive_check_message(mis->from_src_file,
+   COLO_MESSAGE_VMSTATE_SEND, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+qemu_mutex_lock_iothread();
+cpu_synchronize_all_pre_loadvm();
+ret = qemu_loadvm_state_main(mis->from_src_file, mis);
+qemu_mutex_unlock_iothread();
+
+if (ret < 0) {
+error_setg(errp, "Load VM's live state (ram) error");
+return;
+}
+
+value = colo_receive_message_value(mis->from_src_file,
+ COLO_MESSAGE_VMSTATE_SIZE, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+/*
+ * Read VM device state data into channel buffer,
+ * It's better to re-use the memory allocated.
+ * Here we need to handle the channel buffer directly.
+ */
+if (value > bioc->capacity) {
+bioc->capacity = value;
+bioc->data = g_realloc(bioc->data, bioc->capacity);
+}
+total_size = qemu_get_buffer(mis->from_src_file, bioc->data, value);
+if (total_size != value) {
+error_setg(errp, "Got %" PRIu64 " VMState data, less than expected"
+" %" PRIu64, total_size, value);
+return;
+}
+bioc->usage = total_size;
+qio_channel_io_seek(QIO_CHANNEL(bioc), 0, 0, NULL);
+
+colo_send_message(mis->to_src_file, COLO_MESSAGE_VMSTATE_RECEIVED,
+ &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+qemu_mutex_lock_iothread();
+vmstate_loading = true;
+ret = qemu_load_device_state(fb);
+if (ret < 0) {
+error_setg(errp, "COLO: load device state failed");
+qemu_mutex_unlock_iothread();
+return;
+}
+
+#ifdef CONFIG_REPLICATION
+replication_get_error_all(&local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+
+/* discard colo disk buffer */
+replication_do_checkpoint_all(&local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+#else
+abort();
+#endif
+/* Notify all filters of all NIC to do checkpoint */
+colo_notify_filters_event(COLO_EVENT_CHECKPOINT, &local_err);
+
+if (local_err) {
+error_propagate(errp, local_err);
+qemu_mutex_unlock_iothread();
+return;
+}
+
+vmstate_loading = false;
+vm_start();
+trace_colo_vm_state_change("stop", "run");
+qemu_mutex_unlock_iothread();
+
+if (failover_get_state() == FAILOVER_STATUS_RELAUNCH) {
+failover_set_state(FAILOVER_STATUS_RELAUNCH,
+FAILOVER_STATUS_NONE);
+failover_request_active(NULL);
+return;
+}
+
+colo_send_message(mis->to_src_file, COLO_MESSAGE_VMSTATE_LOADED,
+ &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+}
+}
+
+static void colo_wait_handle_message(MigrationIncomingState *mis,
+QEMUFile *fb, QIOChannelBuffer *bioc, Error **errp)
 {
 COLOMessage msg;
 Error *local_err = NULL;
 
-msg = colo_receive_message(f, &local_err);
+msg = colo_receive_message(mis->from_src_file, &local_err);
 if (local_err) {
 error_propagate(errp, local_err);
 return;
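Review bot: In colo_incoming_process_checkpoint(), value is read from the source with COLO_MESSAGE_VMSTATE_SIZE and becomes the new bioc->capacity for g_realloc() with no upper bound, so a corrupt or hostile peer chooses the allocation size; cap it against a sane maximum and fail with error_setg() beyond that. Separately, the error returns after "vmstate_loading = true;" leave the flag set and the VM stopped; funnel them through one exit label that clears the flag and drops the iothread lock, rather than repeating qemu_mutex_unlock_iothread() before each return.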
@@ -678,10 +803,9 @@ static void colo_wait_handle_message(QEMUFile *f, int 
*checkpoint_request,
 
 switch (msg) {
 case COLO_MESSAGE_CHECKPOINT_REQUEST:
-*checkpoint_request = 1;
+colo_incoming_process_checkpoint(mis, fb, bioc, errp);
 break;
 default:
-*checkp

[PATCH 0/3] Optimize VM's downtime while do checkpoint in COLO

2020-02-16 Thread Hailiang Zhang
Hi,

This is an untested series that tries to reduce the VM's pause time
while doing a checkpoint in COLO state.

The second patch tries to reduce the total number of dirty pages
while doing a checkpoint with the VM paused: instead of sending all
dirty pages while the VM is paused, it sends part of the dirty pages during
the gap time between two checkpoints, when SVM and PVM are running.

The third patch tries to reduce the pause time of backing up RAM into
the cache on the secondary side.


Hailiang Zhang (3):
  migration/colo: wrap incoming checkpoint process into new helper
  COLO: Migrate dirty pages during the gap of checkpointing
  COLO: Optimize memory back-up process

 migration/colo.c   | 332 +
 migration/migration.h  |   1 +
 migration/ram.c|  35 -
 migration/ram.h|   1 +
 migration/trace-events |   1 +
 qapi/migration.json|   4 +-
 6 files changed, 234 insertions(+), 140 deletions(-)

-- 
2.21.0





[PATCH 3/3] COLO: Optimize memory back-up process

2020-02-16 Thread Hailiang Zhang
This patch will reduce the downtime of the VM for the initial process.
Previously, we copied all this memory in the preparing stage of COLO
while we needed to stop the VM, which is a time-consuming process.
Here we optimize it by a trick: back up every page during the migration
process while COLO is enabled. Though it affects the speed of the
migration, it obviously reduces the downtime of backing up all of the SVM's
memory in the COLO preparing stage.

Signed-off-by: Hailiang Zhang 
---
 migration/colo.c |  3 +++
 migration/ram.c  | 35 +++
 migration/ram.h  |  1 +
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index d30c6bc4ad..febf010571 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -26,6 +26,7 @@
 #include "qemu/main-loop.h"
 #include "qemu/rcu.h"
 #include "migration/failover.h"
+#include "migration/ram.h"
 #ifdef CONFIG_REPLICATION
 #include "replication.h"
 #endif
@@ -906,6 +907,8 @@ void *colo_process_incoming_thread(void *opaque)
  */
 qemu_file_set_blocking(mis->from_src_file, true);
 
+colo_incoming_start_dirty_log();
+
 bioc = qio_channel_buffer_new(COLO_BUFFER_BASE_SIZE);
 fb = qemu_fopen_channel_input(QIO_CHANNEL(bioc));
 object_unref(OBJECT(bioc));
diff --git a/migration/ram.c b/migration/ram.c
index ed23ed1c7c..24a8aa3527 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -2986,7 +2986,6 @@ int colo_init_ram_cache(void)
 }
 return -errno;
 }
-memcpy(block->colo_cache, block->host, block->used_length);
 }
 }
 
@@ -3005,12 +3004,16 @@ int colo_init_ram_cache(void)
 bitmap_set(block->bmap, 0, pages);
 }
 }
+
+return 0;
+}
+
+void colo_incoming_start_dirty_log(void)
+{
 ram_state = g_new0(RAMState, 1);
 ram_state->migration_dirty_pages = 0;
 qemu_mutex_init(&ram_state->bitmap_mutex);
 memory_global_dirty_log_start();
-
-return 0;
 }
 
 /* It is need to hold the global lock to call this helper */
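Review bot: colo_incoming_start_dirty_log() is split out without a comment on its calling context, and no lock is visible around the new call in the colo_process_incoming_thread() hunk; state in a comment what memory_global_dirty_log_start() requires and take that lock in the function or at the call site. The function also assigns ram_state from g_new0() unconditionally, so a second call would leak the previous RAMState and its mutex; assert that ram_state is NULL on entry or document that it runs once per incoming COLO session.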
@@ -3348,7 +3351,7 @@ static int ram_load_precopy(QEMUFile *f)
 
 while (!ret && !(flags & RAM_SAVE_FLAG_EOS)) {
 ram_addr_t addr, total_ram_bytes;
-void *host = NULL;
+void *host = NULL, *host_bak = NULL;
 uint8_t ch;
 
 /*
@@ -3378,13 +3381,26 @@ static int ram_load_precopy(QEMUFile *f)
 if (flags & (RAM_SAVE_FLAG_ZERO | RAM_SAVE_FLAG_PAGE |
  RAM_SAVE_FLAG_COMPRESS_PAGE | RAM_SAVE_FLAG_XBZRLE)) {
 RAMBlock *block = ram_block_from_stream(f, flags);
-
 /*
- * After going into COLO, we should load the Page into colo_cache.
+ * After going into COLO, we should load the Page into colo_cache
+ * NOTE: We need to keep a copy of SVM's ram in colo_cache.
+ * Privously, we copied all these memory in preparing stage of COLO
+ * while we need to stop VM, which is a time-consuming process.
+ * Here we optimize it by a trick, back-up every page while in
+ * migration process while COLO is enabled, though it affects the
+ * speed of the migration, but it obviously reduce the downtime of
+ * back-up all SVM'S memory in COLO preparing stage.
  */
-if (migration_incoming_in_colo_state()) {
+if (migration_incoming_colo_enabled()) {
 host = colo_cache_from_block_offset(block, addr);
-} else {
+/*
+ * After going into COLO, load the Page into colo_cache.
+ */
+if (!migration_incoming_in_colo_state()) {
+host_bak = host;
+}
+}
+if (!migration_incoming_in_colo_state()) {
 host = host_from_ram_block_offset(block, addr);
 }
 if (!host) {
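Review bot: The inner comment "After going into COLO, load the Page into colo_cache" sits on the !migration_incoming_in_colo_state() branch, which is the opposite case (still migrating, the page is loaded into host and colo_cache is only the backup target); please reword it and drop the duplicate. Also, when colo_cache_from_block_offset() returns NULL on that branch, host_bak is NULL and the page is loaded with no backup and no error, unlike the in-COLO path where the following "if (!host)" catches it; add an explicit check so the cache cannot silently miss pages.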
@@ -3506,6 +3522,9 @@ static int ram_load_precopy(QEMUFile *f)
 if (!ret) {
 ret = qemu_file_get_error(f);
 }
+if (!ret && host_bak && host) {
+memcpy(host_bak, host, TARGET_PAGE_SIZE);
+}
 }
 
 ret |= wait_for_decompress_done();
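Review bot: The memcpy(host_bak, host, TARGET_PAGE_SIZE) added at the end of the loop body runs right after the page has been handled, but wait_for_decompress_done() is only called after the loop, which suggests that a RAM_SAVE_FLAG_COMPRESS_PAGE page may still be in flight when it is copied and colo_cache would keep stale contents. Either exclude compressed pages from this copy and back them up after wait_for_decompress_done(), or wait before copying, and say in a comment which one was chosen.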
diff --git a/migration/ram.h b/migration/ram.h
index a553d40751..5ceaff7cb4 100644
--- a/migration/ram.h
+++ b/migration/ram.h
@@ -66,5 +66,6 @@ int ram_dirty_bitmap_reload(MigrationState *s, RAMBlock *rb);
 /* ram cache */
 int colo_init_ram_cache(void);
 void colo_release_ram_cache(void);
+void colo_incoming_start_dirty_log(void);
 
 #endif
-- 
2.21.0





[PATCH 2/3] COLO: Migrate dirty pages during the gap of checkpointing

2020-02-16 Thread Hailiang Zhang
We can migrate some dirty pages during the gap of checkpointing,
by this way, we can reduce the amount of ram migrated during checkpointing.

Signed-off-by: Hailiang Zhang 
---
 migration/colo.c   | 69 +++---
 migration/migration.h  |  1 +
 migration/trace-events |  1 +
 qapi/migration.json|  4 ++-
 4 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/migration/colo.c b/migration/colo.c
index 93c5a452fb..d30c6bc4ad 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -46,6 +46,13 @@ static COLOMode last_colo_mode;
 
 #define COLO_BUFFER_BASE_SIZE (4 * 1024 * 1024)
 
+#define DEFAULT_RAM_PENDING_CHECK 1000
+
+/* should be calculated by bandwidth and max downtime ? */
+#define THRESHOLD_PENDING_SIZE (100 * 1024 * 1024UL)
+
+static int checkpoint_request;
+
 bool migration_in_colo_state(void)
 {
 MigrationState *s = migrate_get_current();
@@ -516,6 +523,20 @@ static void colo_compare_notify_checkpoint(Notifier 
*notifier, void *data)
 colo_checkpoint_notify(data);
 }
 
+static bool colo_need_migrate_ram_background(MigrationState *s)
+{
+uint64_t pending_size, pend_pre, pend_compat, pend_post;
+int64_t max_size = THRESHOLD_PENDING_SIZE;
+
+qemu_savevm_state_pending(s->to_dst_file, max_size, &pend_pre,
+  &pend_compat, &pend_post);
+pending_size = pend_pre + pend_compat + pend_post;
+
+trace_colo_need_migrate_ram_background(pending_size);
+return (pending_size >= max_size);
+}
+
+
 static void colo_process_checkpoint(MigrationState *s)
 {
 QIOChannelBuffer *bioc;
@@ -571,6 +592,8 @@ static void colo_process_checkpoint(MigrationState *s)
 
 timer_mod(s->colo_delay_timer,
 current_time + s->parameters.x_checkpoint_delay);
+timer_mod(s->pending_ram_check_timer,
+current_time + DEFAULT_RAM_PENDING_CHECK);
 
 while (s->state == MIGRATION_STATUS_COLO) {
 if (failover_get_state() != FAILOVER_STATUS_NONE) {
@@ -583,10 +606,25 @@ static void colo_process_checkpoint(MigrationState *s)
 if (s->state != MIGRATION_STATUS_COLO) {
 goto out;
 }
-ret = colo_do_checkpoint_transaction(s, bioc, fb);
-if (ret < 0) {
-goto out;
-}
+if (atomic_xchg(&checkpoint_request, 0)) {
+/* start a colo checkpoint */
+ret = colo_do_checkpoint_transaction(s, bioc, fb);
+if (ret < 0) {
+goto out;
+}
+} else {
+if (colo_need_migrate_ram_background(s)) {
+colo_send_message(s->to_dst_file,
+  COLO_MESSAGE_MIGRATE_RAM_BACKGROUND,
+  &local_err);
+if (local_err) {
+goto out;
+}
+
+qemu_savevm_state_iterate(s->to_dst_file, false);
+qemu_put_byte(s->to_dst_file, QEMU_VM_EOF);
+}
+ }
 }
 
 out:
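Review bot: In the new else branch the return value of qemu_savevm_state_iterate() is dropped and nothing checks the stream after qemu_put_byte(s->to_dst_file, QEMU_VM_EOF), so a failed background send is only noticed at the next checkpoint; check the result (or qemu_file_get_error()) and go to out on failure. The "goto out" taken on local_err also relies on out: reporting or freeing the error, which this hunk doesn't show, and the closing brace of the else block is indented one column off.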
@@ -626,6 +664,8 @@ out:
 colo_compare_unregister_notifier(&packets_compare_notifier);
 timer_del(s->colo_delay_timer);
 timer_free(s->colo_delay_timer);
+timer_del(s->pending_ram_check_timer);
+timer_free(s->pending_ram_check_timer);
 qemu_sem_destroy(&s->colo_checkpoint_sem);
 
 /*
@@ -643,6 +683,7 @@ void colo_checkpoint_notify(void *opaque)
 MigrationState *s = opaque;
 int64_t next_notify_time;
 
+atomic_inc(&checkpoint_request);
 qemu_sem_post(&s->colo_checkpoint_sem);
 s->colo_checkpoint_time = qemu_clock_get_ms(QEMU_CLOCK_HOST);
 next_notify_time = s->colo_checkpoint_time +
@@ -650,6 +691,19 @@ void colo_checkpoint_notify(void *opaque)
 timer_mod(s->colo_delay_timer, next_notify_time);
 }
 
+static void colo_pending_ram_check_notify(void *opaque)
+{
+int64_t next_notify_time;
+MigrationState *s = opaque;
+
+if (migration_in_colo_state()) {
+next_notify_time = DEFAULT_RAM_PENDING_CHECK +
+   qemu_clock_get_ms(QEMU_CLOCK_HOST);
+timer_mod(s->pending_ram_check_timer, next_notify_time);
+qemu_sem_post(&s->colo_checkpoint_sem);
+}
+}
+
 void migrate_start_colo_process(MigrationState *s)
 {
 qemu_mutex_unlock_iothread();
@@ -657,6 +711,8 @@ void migrate_start_colo_process(MigrationState *s)
 s->colo_delay_timer =  timer_new_ms(QEMU_CLOCK_HOST,
 colo_checkpoint_notify, s);
 
+s->pending_ram_check_timer = timer_new_ms(QEMU_CLOCK_HOST,
+colo_pending_ram_check_notify, s);
 qemu_sem_init(&s->colo_exit_sem, 0);
 migrate_set_state(&s->state, MIGRATION_STATUS_ACTIVE,
   MIGRATION_STATUS_COLO);
@@ -805,6 +861,11 @@ static void 
colo_wait_handle_message(MigrationIncomingState *mis,
 case COLO_MESSAGE_CHECKPOINT_REQUEST:
 colo_incoming_process_checkpoint(mis, fb, bioc, errp);
 break;
+case COLO_MESSAGE_MIGRATE_RAM_BACKGROUND:
+  

[PATCH RESEND v23 07/10] KVM: Move hwpoison page related functions into kvm-all.c

2020-02-16 Thread Dongjiu Geng
kvm_hwpoison_page_add() and kvm_unpoison_all() will both
be used by X86 and ARM platforms, so moving them into
"accel/kvm/kvm-all.c" to avoid duplicate code.

For architectures that don't use the poison-list functionality
the reset handler will harmlessly do nothing, so let's register
the kvm_unpoison_all() function in the generic kvm_init() function.

Reviewed-by: Peter Maydell 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Acked-by: Xiang Zheng 
---
 accel/kvm/kvm-all.c  | 36 
 include/sysemu/kvm_int.h | 12 
 target/i386/kvm.c| 36 
 3 files changed, 48 insertions(+), 36 deletions(-)

diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index c111312..fc4285e 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -44,6 +44,7 @@
 #include "qapi/visitor.h"
 #include "qapi/qapi-types-common.h"
 #include "qapi/qapi-visit-common.h"
+#include "sysemu/reset.h"
 
 #include "hw/boards.h"
 
@@ -873,6 +874,39 @@ int kvm_vm_check_extension(KVMState *s, unsigned int 
extension)
 return ret;
 }
 
+typedef struct HWPoisonPage {
+ram_addr_t ram_addr;
+QLIST_ENTRY(HWPoisonPage) list;
+} HWPoisonPage;
+
+static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
+QLIST_HEAD_INITIALIZER(hwpoison_page_list);
+
+static void kvm_unpoison_all(void *param)
+{
+HWPoisonPage *page, *next_page;
+
+QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
+QLIST_REMOVE(page, list);
+qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
+g_free(page);
+}
+}
+
+void kvm_hwpoison_page_add(ram_addr_t ram_addr)
+{
+HWPoisonPage *page;
+
+QLIST_FOREACH(page, &hwpoison_page_list, list) {
+if (page->ram_addr == ram_addr) {
+return;
+}
+}
+page = g_new(HWPoisonPage, 1);
+page->ram_addr = ram_addr;
+QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
+}
+
 static uint32_t adjust_ioeventfd_endianness(uint32_t val, uint32_t size)
 {
 #if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
@@ -2075,6 +2109,8 @@ static int kvm_init(MachineState *ms)
 s->kernel_irqchip_split = mc->default_kernel_irqchip_split ? 
ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
 }
 
+qemu_register_reset(kvm_unpoison_all, NULL);
+
 if (s->kernel_irqchip_allowed) {
 kvm_irqchip_create(s);
 }
diff --git a/include/sysemu/kvm_int.h b/include/sysemu/kvm_int.h
index ac2d1f8..c660a70 100644
--- a/include/sysemu/kvm_int.h
+++ b/include/sysemu/kvm_int.h
@@ -42,4 +42,16 @@ void kvm_memory_listener_register(KVMState *s, 
KVMMemoryListener *kml,
   AddressSpace *as, int as_id);
 
 void kvm_set_max_memslot_size(hwaddr max_slot_size);
+
+/**
+ * kvm_hwpoison_page_add:
+ *
+ * Parameters:
+ *  @ram_addr: the address in the RAM for the poisoned page
+ *
+ * Add a poisoned page to the list
+ *
+ * Return: None.
+ */
+void kvm_hwpoison_page_add(ram_addr_t ram_addr);
 #endif
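Review bot: The doc comment for kvm_hwpoison_page_add() should state that @ram_addr must be page-aligned, or the function should align it: the list de-duplicates on exact equality and kvm_unpoison_all() remaps TARGET_PAGE_SIZE bytes starting at the stored address, so two addresses inside one page would produce two entries and an unaligned remap. Now that the function is exported for other architectures, also document which context may call it, since hwpoison_page_list is modified without any lock in the code shown.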
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 69eb43d..b8bd979 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -24,7 +24,6 @@
 #include "sysemu/sysemu.h"
 #include "sysemu/hw_accel.h"
 #include "sysemu/kvm_int.h"
-#include "sysemu/reset.h"
 #include "sysemu/runstate.h"
 #include "kvm_i386.h"
 #include "hyperv.h"
@@ -525,40 +524,6 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, 
uint32_t index)
 }
 }
 
-
-typedef struct HWPoisonPage {
-ram_addr_t ram_addr;
-QLIST_ENTRY(HWPoisonPage) list;
-} HWPoisonPage;
-
-static QLIST_HEAD(, HWPoisonPage) hwpoison_page_list =
-QLIST_HEAD_INITIALIZER(hwpoison_page_list);
-
-static void kvm_unpoison_all(void *param)
-{
-HWPoisonPage *page, *next_page;
-
-QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
-QLIST_REMOVE(page, list);
-qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
-g_free(page);
-}
-}
-
-static void kvm_hwpoison_page_add(ram_addr_t ram_addr)
-{
-HWPoisonPage *page;
-
-QLIST_FOREACH(page, &hwpoison_page_list, list) {
-if (page->ram_addr == ram_addr) {
-return;
-}
-}
-page = g_new(HWPoisonPage, 1);
-page->ram_addr = ram_addr;
-QLIST_INSERT_HEAD(&hwpoison_page_list, page, list);
-}
-
 static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
  int *max_banks)
 {
@@ -2169,7 +2134,6 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 fprintf(stderr, "e820_add_entry() table is full\n");
 return ret;
 }
-qemu_register_reset(kvm_unpoison_all, NULL);
 
 shadow_mem = object_property_get_int(OBJECT(s), "kvm-shadow-mem", 
&error_abort);
 if (shadow_mem != -1) {
-- 
1.8.3.1




[PATCH RESEND v23 00/10] Add ARMv8 RAS virtualization support in QEMU

2020-02-16 Thread Dongjiu Geng
In the ARMv8 platform, the CPU error types include synchronous external 
abort(SEA)
and SError Interrupt (SEI). If exception happens in guest, host does not know 
the
detailed information of guest, so it is expected that guest can do the recovery.
For example, if an exception happens in a guest user-space application, host 
does
not know which application encounters errors, only guest knows it.

For the ARMv8 SEA/SEI, KVM or host kernel delivers SIGBUS to notify userspace.
After user space gets the notification, it will record the CPER into guest GHES
buffer and inject an exception or IRQ to guest.

In the current implementation, if the type of SIGBUS is BUS_MCEERR_AR, we will
treat it as a synchronous exception, and notify guest with ARMv8 SEA
notification type after recording CPER into guest.

A) This series of patches are based on Qemu 4.2, which include two parts:
1. Generate APEI/GHES table.
2. Handle the SIGBUS signal, record the CPER in runtime and fill it into guest
   memory, then notify guest according to the type of SIGBUS.

B) The solution was suggested by James(james.mo...@arm.com); The APEI part 
solution was suggested by Laszlo(ler...@redhat.com). Show some discussions in 
[1].

C) This series of patches have already been tested on ARM64 platform with RAS
feature enabled:
1. Show the APEI part verification result in [2].
2. Show the SIGBUS of BUS_MCEERR_AR handling verification result in [3].

D) Add 'ras' option in command Line to enable guest RAS error recovery feature, 
For example:
KVM model: ./qemu-system-aarch64 --enable-kvm -cpu host --bios QEMU_EFI.fd_new  
-machine virt,gic-version=3,ras,kernel-irqchip=on  -smp 4 -nographic -kernel 
Image  -append "rdinit=/init console=ttyAMA0 mem=512M root=/dev/ram0" -initrd 
guestfs_new.cpio.gz
TCG model: ./qemu-system-aarch64 -cpu cortex-a57 --bios QEMU_EFI.fd_new  
-machine virt,gic-version=3,ras,kernel-irqchip=on  -smp 4 -nographic -kernel 
Image  -append "rdinit=/init console=ttyAMA0 mem=512M root=/dev/ram0" -initrd 
guestfs_new.cpio.gz
---
Change since v22:
1. Using 1 * KiB instead of 0x400 to define max size of one error block
2. Make the alignment to 8 bytes in bios_linker_loader_alloc()
3. Change "Copyright (c) 2019" to "Copyright (c) 2020" in file header
4. Fix some code style warnings/errors and add some comments in code
5. Address Jonathan's comments to easily support CCIX error injection
6. Add vmstate_ghes_state .subsections in vmstate_acpi_ged

Change since v21:
1. Make the user-facing 'ras' option description more clearly to address 
Peter's comments.
2. Update the doc description in "docs/specs/acpi_hest_ghes.rst"
3. Split HEST/GHES patches to more patches to make the review easily
4. Using source_id to index the location to save the CPER.
5. Optimize and simplify the logic to build HEST/GHES table to address 
Igor/Michael/Beata comments.
6. make ghes_addr_le a part of GED device.

Change since v20:
1. Move some implementation details from acpi_ghes.h to acpi_ghes.c
2. Add the reviewers for the ACPI/APEI/GHES part

Change since v19:
1. Fix clang compile error
2. Fix sphinx build error

Change since v18:
1. Fix some code-style and typo/grammar problems.
2. Remove no_ras in the VirtMachineClass struct.
3. Convert documentation to rst format.
4. Simplify the code and add comments for some magic value.
5. Move kvm_inject_arm_sea() function into the patch where it's used.
6. Register the reset handler(kvm_unpoison_all()) in the kvm_init() function.

Change since v17:
1. Improve some commit messages and comments.
2. Fix some code-style problems.
3. Add a *ras* machine option.
4. Move HEST/GHES related structures and macros into "hw/acpi/acpi_ghes.*".
5. Move HWPoison page functions into "include/sysemu/kvm_int.h".
6. Fix some bugs.
7. Improve the design document.

Change since v16:
1. check whether ACPI table is enabled when handling the memory error in the 
SIGBUS handler.

Change since v15:
1. Add a doc-comment in the proper format for 'include/exec/ram_addr.h'
2. Remove write_part_cpustate_to_list() because there is another bug fix patch
   has been merged "arm: Allow system registers for KVM guests to be changed by 
QEMU code"
3. Add some comments for kvm_inject_arm_sea() in 'target/arm/kvm64.c'
4. Compare the arm_current_el() return value to 0,1,2,3, not to PSTATE_MODE_* 
constants.
5. Change the RAS support wasn't introduced before 4.1 QEMU version.
6. Move the no_ras flag  patch to begin in this series

Change since v14:
1. Remove the BUS_MCEERR_AO handling logic because this asynchronous signal was 
masked by main thread
2. Address some Igor Mammedov's comments(ACPI part)
   1) change the comments for the enum AcpiHestNotifyType definition and remove 
ditto in patch 1
   2) change some patch commit messages and separate "APEI GHES table 
generation" patch to more patches.
3. Address some peter's comments(arm64 Synchronous External Abort injection)
   1) change some code notes
   2) using arm_current_el() for current EL
   2) use

[PATCH RESEND v23 01/10] acpi: nvdimm: change NVDIMM_UUID_LE to a common macro

2020-02-16 Thread Dongjiu Geng
The little end UUID is used in many places, so make
NVDIMM_UUID_LE to a common macro to convert the UUID
to a little end array.

Signed-off-by: Dongjiu Geng 
Reviewed-by: Xiang Zheng 
---
 hw/acpi/nvdimm.c| 8 ++--
 include/qemu/uuid.h | 5 +
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index 9fdad6d..232b701 100644
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -27,6 +27,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/uuid.h"
 #include "hw/acpi/acpi.h"
 #include "hw/acpi/aml-build.h"
 #include "hw/acpi/bios-linker-loader.h"
@@ -60,17 +61,12 @@ static GSList *nvdimm_get_device_list(void)
 return list;
 }
 
-#define NVDIMM_UUID_LE(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
-   { (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, ((a) >> 24) & 0xff, \
- (b) & 0xff, ((b) >> 8) & 0xff, (c) & 0xff, ((c) >> 8) & 0xff,  \
- (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }
-
 /*
  * define Byte Addressable Persistent Memory (PM) Region according to
  * ACPI 6.0: 5.2.25.1 System Physical Address Range Structure.
  */
 static const uint8_t nvdimm_nfit_spa_uuid[] =
-  NVDIMM_UUID_LE(0x66f0d379, 0xb4f3, 0x4074, 0xac, 0x43, 0x0d, 0x33,
+  UUID_LE(0x66f0d379, 0xb4f3, 0x4074, 0xac, 0x43, 0x0d, 0x33,
  0x18, 0xb7, 0x8c, 0xdb);
 
 /*
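Review bot: With NVDIMM_UUID_LE() removed here, nvdimm_nfit_spa_uuid now depends on the UUID_LE() added to include/qemu/uuid.h, and that macro arrives in the shared header without any comment. Please document there that it expands to a 16-byte initializer with the first three fields stored little-endian and d0..d7 copied as given, and that a, b and c are expanded several times and so must be constants; callers outside nvdimm.c will not have the NFIT context. The continuation line of the initializer in this hunk also keeps the alignment of the longer old macro name.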
diff --git a/include/qemu/uuid.h b/include/qemu/uuid.h
index 129c45f..bd38af5 100644
--- a/include/qemu/uuid.h
+++ b/include/qemu/uuid.h
@@ -34,6 +34,11 @@ typedef struct {
 };
 } QemuUUID;
 
+#define UUID_LE(a, b, c, d0, d1, d2, d3, d4, d5, d6, d7) \
+  { (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, ((a) >> 24) & 0xff, \
+ (b) & 0xff, ((b) >> 8) & 0xff, (c) & 0xff, ((c) >> 8) & 0xff,  \
+ (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }
+
 #define UUID_FMT "%02hhx%02hhx%02hhx%02hhx-" \
  "%02hhx%02hhx-%02hhx%02hhx-" \
  "%02hhx%02hhx-" \
-- 
1.8.3.1




[PATCH RESEND v23 02/10] hw/arm/virt: Introduce a RAS machine option

2020-02-16 Thread Dongjiu Geng
RAS Virtualization feature is not supported now, so add a RAS machine
option and disable it by default.

Reviewed-by: Peter Maydell 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Jonathan Cameron 
---
 hw/arm/virt.c | 23 +++
 include/hw/arm/virt.h |  1 +
 2 files changed, 24 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index f788fe2..9555b8b 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1823,6 +1823,20 @@ static void virt_set_its(Object *obj, bool value, Error 
**errp)
 vms->its = value;
 }
 
+static bool virt_get_ras(Object *obj, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+return vms->ras;
+}
+
+static void virt_set_ras(Object *obj, bool value, Error **errp)
+{
+VirtMachineState *vms = VIRT_MACHINE(obj);
+
+vms->ras = value;
+}
+
 static char *virt_get_gic_version(Object *obj, Error **errp)
 {
 VirtMachineState *vms = VIRT_MACHINE(obj);
@@ -2126,6 +2140,15 @@ static void virt_instance_init(Object *obj)
 "Valid values are none and smmuv3",
 NULL);
 
+/* Default disallows RAS instantiation */
+vms->ras = false;
+object_property_add_bool(obj, "ras", virt_get_ras,
+ virt_set_ras, NULL);
+object_property_set_description(obj, "ras",
+"Set on/off to enable/disable reporting 
host memory errors "
+"to a KVM guest using ACPI and guest 
external abort exceptions",
+NULL);
+
 vms->irqmap = a15irqmap;
 
 virt_flash_create(vms);
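
Review bot: the "ras" description added in virt_instance_init() promises reporting "to a KVM guest using ACPI", but virt_set_ras() stores the value unconditionally and nothing in this patch rejects ras=on when KVM or ACPI is not in use. Either validate the combination at machine init and report an error, or state in the description that the option has no effect without them.
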
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 71508bf..c32b7c7 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -123,6 +123,7 @@ typedef struct {
 bool highmem_ecam;
 bool its;
 bool virt;
+bool ras;
 int32_t gic_version;
 VirtIOMMUType iommu;
 struct arm_boot_info bootinfo;
-- 
1.8.3.1




[PATCH RESEND v23 04/10] ACPI: Build related register address fields via hardware error fw_cfg blob

2020-02-16 Thread Dongjiu Geng
This patch builds error_block_address and read_ack_register fields
in hardware errors table, the error_block_address points to Generic
Error Status Block(GESB) via bios_linker. The max size for one GESB
is 1kb in bytes. For more detailed information, please refer to
document: docs/specs/acpi_hest_ghes.rst

Now we only support one Error source, if necessary, we can extend to
support more.

Suggested-by: Laszlo Ersek 
Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Jonathan Cameron 
---
 default-configs/arm-softmmu.mak |  1 +
 hw/acpi/Kconfig |  4 ++
 hw/acpi/Makefile.objs   |  1 +
 hw/acpi/aml-build.c |  2 +
 hw/acpi/ghes.c  | 89 +
 hw/arm/virt-acpi-build.c|  6 +++
 include/hw/acpi/aml-build.h |  1 +
 include/hw/acpi/ghes.h  | 28 +
 8 files changed, 132 insertions(+)
 create mode 100644 hw/acpi/ghes.c
 create mode 100644 include/hw/acpi/ghes.h

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index 645e620..7648be0 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -41,3 +41,4 @@ CONFIG_FSL_IMX25=y
 CONFIG_FSL_IMX7=y
 CONFIG_FSL_IMX6UL=y
 CONFIG_SEMIHOSTING=y
+CONFIG_ACPI_APEI=y
diff --git a/hw/acpi/Kconfig b/hw/acpi/Kconfig
index 54209c6..1932f66 100644
--- a/hw/acpi/Kconfig
+++ b/hw/acpi/Kconfig
@@ -28,6 +28,10 @@ config ACPI_HMAT
 bool
 depends on ACPI
 
+config ACPI_APEI
+bool
+depends on ACPI
+
 config ACPI_PCI
 bool
 depends on ACPI && PCI
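
Review bot: the new ACPI_APEI symbol in hw/acpi/Kconfig is only switched on by the CONFIG_ACPI_APEI=y line added to arm-softmmu.mak, so the dependency between the board and ghes.o lives in a default-config file rather than in Kconfig. Consider a "select ACPI_APEI" from the board that calls into ghes.c, so that a build enabling that board cannot end up without the object.
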
diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
index 777da07..28c5ddb 100644
--- a/hw/acpi/Makefile.objs
+++ b/hw/acpi/Makefile.objs
@@ -8,6 +8,7 @@ common-obj-$(CONFIG_ACPI_NVDIMM) += nvdimm.o
 common-obj-$(CONFIG_ACPI_VMGENID) += vmgenid.o
 common-obj-$(CONFIG_ACPI_HW_REDUCED) += generic_event_device.o
 common-obj-$(CONFIG_ACPI_HMAT) += hmat.o
+common-obj-$(CONFIG_ACPI_APEI) += ghes.o
 common-obj-$(call lnot,$(CONFIG_ACPI_X86)) += acpi-stub.o
 common-obj-$(call lnot,$(CONFIG_PC)) += acpi-x86-stub.o
 
diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index 2c3702b..3681ec6 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -1578,6 +1578,7 @@ void acpi_build_tables_init(AcpiBuildTables *tables)
 tables->table_data = g_array_new(false, true /* clear */, 1);
 tables->tcpalog = g_array_new(false, true /* clear */, 1);
 tables->vmgenid = g_array_new(false, true /* clear */, 1);
+tables->hardware_errors = g_array_new(false, true /* clear */, 1);
 tables->linker = bios_linker_loader_init();
 }
 
@@ -1588,6 +1589,7 @@ void acpi_build_tables_cleanup(AcpiBuildTables *tables, 
bool mfre)
 g_array_free(tables->table_data, true);
 g_array_free(tables->tcpalog, mfre);
 g_array_free(tables->vmgenid, mfre);
+g_array_free(tables->hardware_errors, mfre);
 }
 
 /*
diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
new file mode 100644
index 000..e1b3f8f
--- /dev/null
+++ b/hw/acpi/ghes.c
@@ -0,0 +1,89 @@
+/*
+ * Support for generating APEI tables and recording CPER for Guests
+ *
+ * Copyright (c) 2020 HUAWEI TECHNOLOGIES CO., LTD.
+ *
+ * Author: Dongjiu Geng 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "hw/acpi/ghes.h"
+#include "hw/acpi/aml-build.h"
+
+#define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
+#define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
+
+/* The max size in bytes for one error block */
+#define ACPI_GHES_MAX_RAW_DATA_LENGTH   (1 * KiB)
+
+/* Now only support ARMv8 SEA notification type error source */
+#define ACPI_GHES_ERROR_SOURCE_COUNT1
+
+/*
+ * Build table for the hardware error fw_cfg blob.
+ * Initialize "etc/hardware_errors" and "etc/hardware_errors_addr" fw_cfg 
blobs.
+ * See docs/specs/acpi_hest_ghes.rst for blobs format.
+ */
+void build_ghes_error_table(GArray *hardware_errors, BIOSLinker *linker)
+{
+int i, error_status_block_offset;
+
+/* Build error_block_address */
+for (i = 0; i < ACPI_GHES_ERROR_SOURCE_COUNT; i++) {
+build_append_int_noprefix(hardware_errors, 0, sizeof(uint64_t));
+}
+
+/* Build read_ack_register */
+for (i = 0; i < ACPI_GHES_ERROR_SOURCE_COUNT; i++) {
+/*
+ * Initialize the valu

[PATCH RESEND v23 03/10] docs: APEI GHES generation and CPER record description

2020-02-16 Thread Dongjiu Geng
Add APEI/GHES detailed design document

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Michael S. Tsirkin 
Reviewed-by: Igor Mammedov 
---
 docs/specs/acpi_hest_ghes.rst | 110 ++
 docs/specs/index.rst  |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 docs/specs/acpi_hest_ghes.rst

diff --git a/docs/specs/acpi_hest_ghes.rst b/docs/specs/acpi_hest_ghes.rst
new file mode 100644
index 000..68f1fbe
--- /dev/null
+++ b/docs/specs/acpi_hest_ghes.rst
@@ -0,0 +1,110 @@
+APEI tables generating and CPER record
+==
+
+..
+   Copyright (c) 2020 HUAWEI TECHNOLOGIES CO., LTD.
+
+   This work is licensed under the terms of the GNU GPL, version 2 or later.
+   See the COPYING file in the top-level directory.
+
+Design Details
+--
+
+::
+
+ etc/acpi/tables   etc/hardware_errors
+     ===
+  + +--+++
+  | | HEST | +->|error_block_address1
|--+
+  | +--+ |  ++ 
 |
+  | | GHES1| | +--->|error_block_address2
|--+-+
+  | +--+ | |++ 
 | |
+  | | .| | ||  ..| 
 | |
+  | | error_status_address-+-+ |-+ 
 | |
+  | | .|   |   +--->|error_block_addressN
|--+-+---+
+  | | read_ack_register+-+ |   |++ 
 | |   |
+  | | read_ack_preserve| +-+---+--->| read_ack_register1 | 
 | |   |
+  | | read_ack_write   |   |   |++ 
 | |   |
+  + +--+   | +-+--->| read_ack_register2 | 
 | |   |
+  | | GHES2|   | | |++ 
 | |   |
+  + +--+   | | ||   .| 
 | |   |
+  | | .|   | | |++ 
 | |   |
+  | | error_status_address-+---+ | | +->| read_ack_registerN | 
 | |   |
+  | | .| | | |  ++ 
 | |   |
+  | | read_ack_register+-+ | |  |Generic Error Status Block 
1|<-+ |   |
+  | | read_ack_preserve|   | |  |-++-+ 
   |   |
+  | | read_ack_write   |   | |  | |  CPER  | | 
   |   |
+  + +--|   | |  | |  CPER  | | 
   |   |
+  | | ...  |   | |  | |    | | 
   |   |
+  + +--+   | |  | |  CPER  | | 
   |   |
+  | | GHESN|   | |  |-++-| 
   |   |
+  + +--+   | |  |Generic Error Status Block 
2|<---+   |
+  | | .|   | |  |-++-+ 
   |
+  | | error_status_address-+---+ |  | |   CPER | | 
   |
+  | | .| |  | |   CPER | | 
   |
+  | | read_ack_register+-+  | |    | | 
   |
+  | | read_ack_preserve|| |   CPER | | 
   |
+  | | read_ack_write   |+-++-+ 
   |
+  + +--+| .. | 
   |
+|+ 
   |
+|Generic Error Status Block N 
|<--+
+|-+-+-+
+| |  CPER   | |
+| |  CPER   | |
+| |     | |
+| |  CPER   | |
++-+-+-+
+
+
+(1) QEMU generates the ACPI HEST table. This table goes in the current
+"etc/acpi/tables" fw_cfg blob. Each error source has different
+notification types.
+
+(2) A new fw_cfg blob called "etc/hardware_errors" is introduced. QEMU
+also needs to populate this blob. The "etc/hardware_errors" fw_cfg blob
+contains an address registers table and an Error Status Data Block table.
+
+(3) The address registers table contains N Error Block Address entries
+and N Read Ack Registe

[PATCH RESEND v23 06/10] ACPI: Record the Generic Error Status Block address

2020-02-16 Thread Dongjiu Geng
Record the GHEB address via fw_cfg file, when recording
an error to CPER, it will use this address to find out
Generic Error Data Entries and write the error.

In order to avoid migration failure, make hardware
error table address to a part of GED device instead
of global variable, then this address will be migrated
to target QEMU.

Signed-off-by: Dongjiu Geng 
Acked-by: Xiang Zheng 
---
 hw/acpi/generic_event_device.c | 18 ++
 hw/acpi/ghes.c | 17 +
 hw/arm/virt-acpi-build.c   | 10 ++
 include/hw/acpi/generic_event_device.h |  2 ++
 include/hw/acpi/ghes.h |  6 ++
 5 files changed, 53 insertions(+)

diff --git a/hw/acpi/generic_event_device.c b/hw/acpi/generic_event_device.c
index 021ed2b..d59607c 100644
--- a/hw/acpi/generic_event_device.c
+++ b/hw/acpi/generic_event_device.c
@@ -234,6 +234,23 @@ static const VMStateDescription vmstate_ged_state = {
 }
 };
 
+static bool ghes_needed(void *opaque)
+{
+return object_property_get_bool(qdev_get_machine(), "ras", NULL);
+}
+
+static const VMStateDescription vmstate_ghes_state = {
+.name = "acpi-ged/ghes",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = ghes_needed,
+.fields  = (VMStateField[]) {
+VMSTATE_STRUCT(ghes_state, AcpiGedState, 1,
+   vmstate_ghes_state, AcpiGhesState),
+VMSTATE_END_OF_LIST()
+}
+};
+
 static const VMStateDescription vmstate_acpi_ged = {
 .name = "acpi-ged",
 .version_id = 1,
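
Review bot: in vmstate_ghes_state the VMSTATE_STRUCT entry names vmstate_ghes_state itself as the description of the AcpiGhesState field, so the subsection describes ghes_state in terms of itself and no description ever lists ghes_addr_le, the value the commit message says must migrate. Add a separate VMStateDescription for AcpiGhesState with a field for ghes_addr_le and reference that one here. ghes_needed() also ignores its opaque argument and reads the machine's "ras" property with a NULL errp, which hides the lookup failure on machines that do not have the property.
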
@@ -244,6 +261,7 @@ static const VMStateDescription vmstate_acpi_ged = {
 },
 .subsections = (const VMStateDescription * []) {
 &vmstate_memhp_state,
+&vmstate_ghes_state,
 NULL
 }
 };
diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index 7a7381d..cea2bff 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -24,6 +24,8 @@
 #include "hw/acpi/ghes.h"
 #include "hw/acpi/aml-build.h"
 #include "qemu/error-report.h"
+#include "hw/acpi/generic_event_device.h"
+#include "hw/nvram/fw_cfg.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -213,3 +215,18 @@ void acpi_build_hest(GArray *table_data, BIOSLinker 
*linker)
 build_header(linker, table_data, (void *)(table_data->data + hest_start),
 "HEST", table_data->len - hest_start, 1, NULL, "");
 }
+
+void acpi_ghes_add_fw_cfg(AcpiGhesState *ags, FWCfgState *s,
+  GArray *hardware_error)
+{
+size_t size = 2 * sizeof(uint64_t) + ACPI_GHES_MAX_RAW_DATA_LENGTH;
+size_t request_block_size = ACPI_GHES_ERROR_SOURCE_COUNT * size;
+
+/* Create a read-only fw_cfg file for GHES */
+fw_cfg_add_file(s, ACPI_GHES_ERRORS_FW_CFG_FILE, hardware_error->data,
+request_block_size);
+
+/* Create a read-write fw_cfg file for Address */
+fw_cfg_add_file_callback(s, ACPI_GHES_DATA_ADDR_FW_CFG_FILE, NULL, NULL,
+NULL, &(ags->ghes_addr_le), sizeof(ags->ghes_addr_le), false);
+}
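
Review bot: acpi_ghes_add_fw_cfg() exposes hardware_error->data to the guest with a length computed from constants (request_block_size) rather than from the array itself, so the advertised size and the real buffer size can drift apart if build_ghes_error_table() changes. Pass hardware_error->len, or assert that it equals request_block_size, before calling fw_cfg_add_file().
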
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 12a9a78..d6e7521 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -832,6 +832,7 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables 
*tables)
 build_spcr(tables_blob, tables->linker, vms);
 
 if (vms->ras) {
+assert(vms->acpi_dev);
 acpi_add_table(table_offsets, tables_blob);
 build_ghes_error_table(tables->hardware_errors, tables->linker);
 acpi_build_hest(tables_blob, tables->linker);
@@ -924,6 +925,7 @@ void virt_acpi_setup(VirtMachineState *vms)
 {
 AcpiBuildTables tables;
 AcpiBuildState *build_state;
+AcpiGedState *acpi_ged_state;
 
 if (!vms->fw_cfg) {
 trace_virt_acpi_setup();
@@ -954,6 +956,14 @@ void virt_acpi_setup(VirtMachineState *vms)
 fw_cfg_add_file(vms->fw_cfg, ACPI_BUILD_TPMLOG_FILE, tables.tcpalog->data,
 acpi_data_len(tables.tcpalog));
 
+if (vms->ras) {
+assert(vms->acpi_dev);
+acpi_ged_state = ACPI_GED(object_resolve_path_type("", TYPE_ACPI_GED,
+   NULL));
+acpi_ghes_add_fw_cfg(&acpi_ged_state->ghes_state,
+ vms->fw_cfg, tables.hardware_errors);
+}
+
 build_state->rsdp_mr = acpi_add_rom_blob(virt_acpi_build_update,
  build_state, tables.rsdp,
  ACPI_BUILD_RSDP_FILE, 0);
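
Review bot: in virt_acpi_setup() the GED is looked up with object_resolve_path_type("", TYPE_ACPI_GED, NULL) and the result is dereferenced without a check, although vms->acpi_dev was asserted non-NULL one line earlier. Use ACPI_GED(vms->acpi_dev) so a failed or ambiguous lookup cannot turn into a NULL dereference. If ras=on can be requested without the ACPI device being created, the assert also turns a configuration error into an abort; an error reported at machine init would be better.
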
diff --git a/include/hw/acpi/generic_event_device.h 
b/include/hw/acpi/generic_event_device.h
index d157eac..037d2b5 100644
--- a/include/hw/acpi/generic_event_device.h
+++ b/include/hw/acpi/generic_event_device.h
@@ -61,6 +61,7 @@
 
 #include "hw/sysbus.h"
 #include "hw/acpi/memory_hotplug.h"
+#include "hw/acpi/ghes.h"
 
 #define ACPI_POWER_BUTTON_DEVICE "PWRB"
 
@@ -95,6 +96,7 @@ typedef struct 

[PATCH RESEND v23 09/10] target-arm: kvm64: handle SIGBUS signal from kernel or KVM

2020-02-16 Thread Dongjiu Geng
Add a SIGBUS signal handler. In this handler, it checks the SIGBUS type,
translates the host VA delivered by host to guest PA, then fills this PA
to guest APEI GHES memory, then notifies guest according to the SIGBUS
type.

When guest accesses the poisoned memory, it will generate a Synchronous
External Abort(SEA). Then host kernel gets an APEI notification and calls
memory_failure() to unmap the affected page in stage 2, finally
returns to guest.

Guest continues to access the PG_hwpoison page, it will trap to KVM as
stage2 fault, then a SIGBUS_MCEERR_AR synchronous signal is delivered to
Qemu, Qemu records this error address into guest APEI GHES memory and
notifies guest using Synchronous-External-Abort(SEA).

In order to inject a vSEA, we introduce the kvm_inject_arm_sea() function
in which we can setup the type of exception and the syndrome information.
When switching to guest, the target vcpu will jump to the synchronous
external abort vector table entry.

The ESR_ELx.DFSC is set to synchronous external abort(0x10), and the
ESR_ELx.FnV is set to not valid(0x1), which will tell guest that FAR is
not valid and hold an UNKNOWN value. These values will be set to KVM
register structures through KVM_SET_ONE_REG IOCTL.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Michael S. Tsirkin 
Acked-by: Xiang Zheng 
---
 include/sysemu/kvm.h|  3 +-
 target/arm/cpu.h|  4 +++
 target/arm/helper.c |  2 +-
 target/arm/internals.h  |  5 ++--
 target/arm/kvm64.c  | 73 +
 target/arm/tlb_helper.c |  2 +-
 target/i386/cpu.h   |  2 ++
 7 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
index 141342d..3b22504 100644
--- a/include/sysemu/kvm.h
+++ b/include/sysemu/kvm.h
@@ -379,8 +379,7 @@ bool kvm_vcpu_id_is_valid(int vcpu_id);
 /* Returns VCPU ID to be used on KVM_CREATE_VCPU ioctl() */
 unsigned long kvm_arch_vcpu_id(CPUState *cpu);
 
-#ifdef TARGET_I386
-#define KVM_HAVE_MCE_INJECTION 1
+#ifdef KVM_HAVE_MCE_INJECTION
 void kvm_arch_on_sigbus_vcpu(CPUState *cpu, int code, void *addr);
 #endif
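
Review bot: with the #define removed from include/sysemu/kvm.h, the kvm_arch_on_sigbus_vcpu() prototype is only visible when the target's cpu.h has defined KVM_HAVE_MCE_INJECTION before this header is included. That include-order dependency deserves a comment next to the #ifdef, and the callers should be checked so that none of them includes sysemu/kvm.h first and silently loses the declaration.
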
 
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 0b3036c..a8b7fb0 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -28,6 +28,10 @@
 /* ARM processors have a weak memory model */
 #define TCG_GUEST_DEFAULT_MO  (0)
 
+#ifdef TARGET_AARCH64
+#define KVM_HAVE_MCE_INJECTION 1
+#endif
+
 #define EXCP_UDEF1   /* undefined instruction */
 #define EXCP_SWI 2   /* software interrupt */
 #define EXCP_PREFETCH_ABORT  3
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 7d15d5c..12a95b6 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -3310,7 +3310,7 @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t 
value,
  * Report exception with ESR indicating a fault due to a
  * translation table walk for a cache maintenance instruction.
  */
-syn = syn_data_abort_no_iss(current_el == target_el,
+syn = syn_data_abort_no_iss(current_el == target_el, 0,
 fi.ea, 1, fi.s1ptw, 1, fsc);
 env->exception.vaddress = value;
 env->exception.fsr = fsr;
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 6d4a942..31b7b96 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -451,13 +451,14 @@ static inline uint32_t syn_insn_abort(int same_el, int 
ea, int s1ptw, int fsc)
 | ARM_EL_IL | (ea << 9) | (s1ptw << 7) | fsc;
 }
 
-static inline uint32_t syn_data_abort_no_iss(int same_el,
+static inline uint32_t syn_data_abort_no_iss(int same_el, int fnv,
  int ea, int cm, int s1ptw,
  int wnr, int fsc)
 {
 return (EC_DATAABORT << ARM_EL_EC_SHIFT) | (same_el << ARM_EL_EC_SHIFT)
| ARM_EL_IL
-   | (ea << 9) | (cm << 8) | (s1ptw << 7) | (wnr << 6) | fsc;
+   | (fnv << 10) | (ea << 9) | (cm << 8) | (s1ptw << 7)
+   | (wnr << 6) | fsc;
 }
 
 static inline uint32_t syn_data_abort_with_iss(int same_el,
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index fb21ab9..f91b611 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -28,6 +28,8 @@
 #include "sysemu/kvm_int.h"
 #include "kvm_arm.h"
 #include "internals.h"
+#include "hw/acpi/acpi.h"
+#include "hw/acpi/ghes.h"
 
 static bool have_guest_debug;
 
@@ -846,6 +848,30 @@ int kvm_arm_cpreg_level(uint64_t regidx)
 return KVM_PUT_RUNTIME_STATE;
 }
 
+/* Callers must hold the iothread mutex lock */
+static void kvm_inject_arm_sea(CPUState *c)
+{
+ARMCPU *cpu = ARM_CPU(c);
+CPUARMState *env = &cpu->env;
+CPUClass *cc = CPU_GET_CLASS(c);
+uint32_t esr;
+bool same_el;
+
+c->exception_index = EXCP_DATA_ABORT;
+env->exception.target_el = 1;
+
+/*
+ * Set the DFSC to synchronous external ab

[PATCH RESEND v23 05/10] ACPI: Build Hardware Error Source Table

2020-02-16 Thread Dongjiu Geng
This patch builds Hardware Error Source Table(HEST) via fw_cfg blobs.
Now it only supports ARMv8 SEA, a type of Generic Hardware Error
Source version 2(GHESv2) error source. Afterwards, we can extend
the supported types if needed. For the CPER section, currently it
is memory section because kernel mainly wants userspace to handle
the memory errors.

This patch follows the spec ACPI 6.2 to build the Hardware Error
Source table. For more detailed information, please refer to
document: docs/specs/acpi_hest_ghes.rst

build_ghes_hw_error_notification() helper will help to add Hardware
Error Notification to ACPI tables without using packed C structures
and avoid endianness issues as API doesn't need explicit conversion.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Acked-by: Xiang Zheng 
---
 hw/acpi/ghes.c   | 126 +++
 hw/arm/virt-acpi-build.c |   1 +
 include/hw/acpi/ghes.h   |  39 +++
 3 files changed, 166 insertions(+)

diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index e1b3f8f..7a7381d 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -23,6 +23,7 @@
 #include "qemu/units.h"
 #include "hw/acpi/ghes.h"
 #include "hw/acpi/aml-build.h"
+#include "qemu/error-report.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -33,6 +34,42 @@
 /* Now only support ARMv8 SEA notification type error source */
 #define ACPI_GHES_ERROR_SOURCE_COUNT1
 
+/* Generic Hardware Error Source version 2 */
+#define ACPI_GHES_SOURCE_GENERIC_ERROR_V2   10
+
+/* Address offset in Generic Address Structure(GAS) */
+#define GAS_ADDR_OFFSET 4
+
+/*
+ * Hardware Error Notification
+ * ACPI 4.0: 17.3.2.7 Hardware Error Notification
+ * Composes dummy Hardware Error Notification descriptor of specified type
+ */
+static void build_ghes_hw_error_notification(GArray *table, const uint8_t type)
+{
+/* Type */
+build_append_int_noprefix(table, type, 1);
+/*
+ * Length:
+ * Total length of the structure in bytes
+ */
+build_append_int_noprefix(table, 28, 1);
+/* Configuration Write Enable */
+build_append_int_noprefix(table, 0, 2);
+/* Poll Interval */
+build_append_int_noprefix(table, 0, 4);
+/* Vector */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Switch To Polling Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Value */
+build_append_int_noprefix(table, 0, 4);
+/* Error Threshold Window */
+build_append_int_noprefix(table, 0, 4);
+}
+
 /*
  * Build table for the hardware error fw_cfg blob.
  * Initialize "etc/hardware_errors" and "etc/hardware_errors_addr" fw_cfg 
blobs.
@@ -87,3 +124,92 @@ void build_ghes_error_table(GArray *hardware_errors, 
BIOSLinker *linker)
 bios_linker_loader_write_pointer(linker, ACPI_GHES_DATA_ADDR_FW_CFG_FILE,
 0, sizeof(uint64_t), ACPI_GHES_ERRORS_FW_CFG_FILE, 0);
 }
+
+/* Build Generic Hardware Error Source version 2 (GHESv2) */
+static void build_ghes_v2(GArray *table_data, int source_id, BIOSLinker 
*linker)
+{
+uint64_t address_offset;
+/*
+ * Type:
+ * Generic Hardware Error Source version 2(GHESv2 - Type 10)
+ */
+build_append_int_noprefix(table_data, ACPI_GHES_SOURCE_GENERIC_ERROR_V2, 
2);
+/* Source Id */
+build_append_int_noprefix(table_data, source_id, 2);
+/* Related Source Id */
+build_append_int_noprefix(table_data, 0x, 2);
+/* Flags */
+build_append_int_noprefix(table_data, 0, 1);
+/* Enabled */
+build_append_int_noprefix(table_data, 1, 1);
+
+/* Number of Records To Pre-allocate */
+build_append_int_noprefix(table_data, 1, 4);
+/* Max Sections Per Record */
+build_append_int_noprefix(table_data, 1, 4);
+/* Max Raw Data Length */
+build_append_int_noprefix(table_data, ACPI_GHES_MAX_RAW_DATA_LENGTH, 4);
+
+address_offset = table_data->len;
+/* Error Status Address */
+build_append_gas(table_data, AML_AS_SYSTEM_MEMORY, 0x40, 0,
+ 4 /* QWord access */, 0);
+bios_linker_loader_add_pointer(linker, ACPI_BUILD_TABLE_FILE,
+address_offset + GAS_ADDR_OFFSET, sizeof(uint64_t),
+ACPI_GHES_ERRORS_FW_CFG_FILE, source_id * sizeof(uint64_t));
+
+switch (source_id) {
+case ACPI_HEST_SRC_ID_SEA:
+/*
+ * Notification Structure
+ * Now only enable ARMv8 SEA notification type
+ */
+build_ghes_hw_error_notification(table_data, ACPI_GHES_NOTIFY_SEA);
+break;
+default:
+error_report("Not support this error source");
+abort();
+}
+
+/* Error Status Block Length */
+build_append_int_noprefix(table_data, ACPI_GHES_MAX_RAW_DATA_LENGTH, 4);
+
+/*
+ * Read Ack Register
+ * ACPI 6.1: 18.3.2.8 Generic Hardware Error Sou
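
Review bot: build_ghes_v2() passes source_id * sizeof(uint64_t) to bios_linker_loader_add_pointer() before the switch that rejects unknown source ids, so the value is used before it is validated. Move the check to the top of the function. Because the function is static and source_id comes from a caller in this file, g_assert_not_reached() would express the default branch better than error_report() followed by abort(), and the message should read "Unsupported error source".
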

[PATCH RESEND v23 10/10] MAINTAINERS: Add ACPI/HEST/GHES entries

2020-02-16 Thread Dongjiu Geng
I and Xiang are willing to review the APEI-related patches and
volunteer as the reviewers for the HEST/GHES part.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
Reviewed-by: Philippe Mathieu-Daudé 
Acked-by: Michael S. Tsirkin 
---
 MAINTAINERS | 9 +
 1 file changed, 9 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index c7717df..0748475 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1446,6 +1446,15 @@ F: tests/qtest/bios-tables-test.c
 F: tests/qtest/acpi-utils.[hc]
 F: tests/data/acpi/
 
+ACPI/HEST/GHES
+R: Dongjiu Geng 
+R: Xiang Zheng 
+L: qemu-...@nongnu.org
+S: Maintained
+F: hw/acpi/ghes.c
+F: include/hw/acpi/ghes.h
+F: docs/specs/acpi_hest_ghes.rst
+
 ppc4xx
 M: David Gibson 
 L: qemu-...@nongnu.org
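
Review bot: the new ACPI/HEST/GHES section is marked "S: Maintained" but lists only "R:" reviewers and no "M:" entry, so nobody is named as the person who picks up patches for these files. Either add an M: line or say in the commit message which existing maintainer's tree carries them.
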
-- 
1.8.3.1




[PATCH RESEND v23 08/10] ACPI: Record Generic Error Status Block(GESB) table

2020-02-16 Thread Dongjiu Geng
kvm_arch_on_sigbus_vcpu() error injection uses source_id as
index in etc/hardware_errors to find out Error Status Data
Block entry corresponding to error source. So supported source_id
values should be assigned here and not be changed afterwards to
make sure that guest will write error into expected Error Status
Data Block.

Before QEMU writes a new error to ACPI table, it will check whether
previous error has been acknowledged. If not acknowledged, the new
errors will be ignored and not be recorded. For the errors section
type, QEMU simulates it to memory section error.

Signed-off-by: Dongjiu Geng 
Signed-off-by: Xiang Zheng 
---
 hw/acpi/ghes.c | 218 +
 include/hw/acpi/ghes.h |   1 +
 2 files changed, 219 insertions(+)

diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index cea2bff..8e114ee 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -26,6 +26,7 @@
 #include "qemu/error-report.h"
 #include "hw/acpi/generic_event_device.h"
 #include "hw/nvram/fw_cfg.h"
+#include "qemu/uuid.h"
 
 #define ACPI_GHES_ERRORS_FW_CFG_FILE"etc/hardware_errors"
 #define ACPI_GHES_DATA_ADDR_FW_CFG_FILE "etc/hardware_errors_addr"
@@ -43,6 +44,40 @@
 #define GAS_ADDR_OFFSET 4
 
 /*
+ * The total size of Generic Error Data Entry
+ * ACPI 6.1/6.2: 18.3.2.7.1 Generic Error Data,
+ * Table 18-343 Generic Error Data Entry
+ */
+#define ACPI_GHES_DATA_LENGTH   72
+
+/* The memory section CPER size, UEFI 2.6: N.2.5 Memory Error Section */
+#define ACPI_GHES_MEM_CPER_LENGTH   80
+
+/* Masks for block_status flags */
+#define ACPI_GEBS_UNCORRECTABLE 1
+
+#define UEFI_CPER_SEC_PLATFORM_MEM  \
+UUID_LE(0xA5BC1114, 0x6F64, 0x4EDE, 0xB8, 0x63, 0x3E, 0x83, \
+0xED, 0x7C, 0x83, 0xB1)
+
+/*
+ * Total size for Generic Error Status Block except Generic Error Data Entries
+ * ACPI 6.2: 18.3.2.7.1 Generic Error Data,
+ * Table 18-380 Generic Error Status Block
+ */
+#define ACPI_GHES_GESB_SIZE 20
+
+/*
+ * Values for error_severity field
+ */
+enum AcpiGenericErrorSeverity {
+ACPI_CPER_SEV_RECOVERABLE = 0,
+ACPI_CPER_SEV_FATAL = 1,
+ACPI_CPER_SEV_CORRECTED = 2,
+ACPI_CPER_SEV_NONE = 3,
+};
+
+/*
  * Hardware Error Notification
  * ACPI 4.0: 17.3.2.7 Hardware Error Notification
  * Composes dummy Hardware Error Notification descriptor of specified type
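
Review bot: ACPI_GHES_DATA_LENGTH (72), ACPI_GHES_MEM_CPER_LENGTH (80) and ACPI_GHES_GESB_SIZE (20) restate by hand what the append helpers in this patch emit field by field, and nothing checks that the two agree. An assert on the growth of table->len in each helper would catch a field added on one side only. The first comment also gives a single table number (18-343) for both ACPI 6.1 and 6.2; please confirm it is right for both revisions or cite the section number only.
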
@@ -73,6 +108,131 @@ static void build_ghes_hw_error_notification(GArray 
*table, const uint8_t type)
 }
 
 /*
+ * Generic Error Data Entry
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_data(GArray *table, QemuUUID section_type,
+uint32_t error_severity, uint8_t validation_bits, uint8_t 
flags,
+uint32_t error_data_length, QemuUUID fru_id,
+uint64_t time_stamp)
+{
+/* Section Type */
+g_array_append_vals(table, section_type.data,
+ARRAY_SIZE(section_type.data));
+
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+/* Revision */
+build_append_int_noprefix(table, 0x300, 2);
+/* Validation Bits */
+build_append_int_noprefix(table, validation_bits, 1);
+/* Flags */
+build_append_int_noprefix(table, flags, 1);
+/* Error Data Length */
+build_append_int_noprefix(table, error_data_length, 4);
+
+/* FRU Id */
+g_array_append_vals(table, fru_id.data, ARRAY_SIZE(fru_id.data));
+
+/* FRU Text */
+build_append_int_noprefix(table, 0, 20);
+/* Timestamp */
+build_append_int_noprefix(table, time_stamp, 8);
+}
+
+/*
+ * Generic Error Status Block
+ * ACPI 6.1: 18.3.2.7.1 Generic Error Data
+ */
+static void acpi_ghes_generic_error_status(GArray *table, uint32_t 
block_status,
+uint32_t raw_data_offset, uint32_t raw_data_length,
+uint32_t data_length, uint32_t error_severity)
+{
+/* Block Status */
+build_append_int_noprefix(table, block_status, 4);
+/* Raw Data Offset */
+build_append_int_noprefix(table, raw_data_offset, 4);
+/* Raw Data Length */
+build_append_int_noprefix(table, raw_data_length, 4);
+/* Data Length */
+build_append_int_noprefix(table, data_length, 4);
+/* Error Severity */
+build_append_int_noprefix(table, error_severity, 4);
+}
+
+/* UEFI 2.6: N.2.5 Memory Error Section */
+static void acpi_ghes_build_append_mem_cper(GArray *table,
+uint64_t error_physical_addr)
+{
+/*
+ * Memory Error Record
+ */
+
+/* Validation Bits */
+build_append_int_noprefix(table,
+  (1ULL << 14) | /* Type Valid */
+  (1ULL << 1) /* Physical Address Valid */,
+  8);
+/* Error Status */
+build_append_int_noprefix(table, 0, 8);
+/* Physical Address */
+build_append_int_noprefix(table, error_physical_addr, 8);
+/* S
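
The blob layout and the acknowledge gate described in the commit messages of patches 04, 06 and 08 above, modelled as an added example; this is not code from the QEMU series. It generalizes the single error source of the patches to n sources, and the function names, the guest_base parameter and the read_ack convention (non-zero means the guest has acknowledged, initial value 1) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes taken from the patches on this page. */
#define MAX_RAW_DATA_LENGTH 1024u /* ACPI_GHES_MAX_RAW_DATA_LENGTH, one block */
#define GESB_SIZE           20u   /* ACPI_GHES_GESB_SIZE */
#define DATA_ENTRY_SIZE     72u   /* ACPI_GHES_DATA_LENGTH */
#define MEM_CPER_SIZE       80u   /* ACPI_GHES_MEM_CPER_LENGTH */
_Static_assert(GESB_SIZE + DATA_ENTRY_SIZE + MEM_CPER_SIZE <= MAX_RAW_DATA_LENGTH,
               "one memory error record must fit in one status block");

enum { GHES_OK = 0, GHES_BAD_SOURCE = -1, GHES_NOT_ACKED = -2 };

/* UEFI_CPER_SEC_PLATFORM_MEM, in the byte order UUID_LE() produces. */
static const uint8_t mem_section_guid[16] = {
    0x14, 0x11, 0xbc, 0xa5, 0x64, 0x6f, 0xde, 0x4e,
    0xb8, 0x63, 0x3e, 0x83, 0xed, 0x7c, 0x83, 0xb1
};

/* Layout for n sources: n block addresses, n read-ack registers, n blocks. */
size_t ghes_blob_size(unsigned n) { return (size_t)n * (16 + MAX_RAW_DATA_LENGTH); }
size_t ghes_ack_off(unsigned n, unsigned i) { return ((size_t)n + i) * 8; }
size_t ghes_block_off(unsigned n, unsigned i)
{
    return (size_t)n * 16 + (size_t)i * MAX_RAW_DATA_LENGTH;
}

static void put_le(uint8_t *p, uint64_t v, unsigned size)
{
    for (unsigned i = 0; i < size; i++) {
        p[i] = (uint8_t)(v >> (8 * i));
    }
}

uint64_t ghes_get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < 8; i++) {
        v |= (uint64_t)p[i] << (8 * i);
    }
    return v;
}

/* guest_base: hypothetical guest address where firmware placed the blob. */
void ghes_blob_init(uint8_t *blob, unsigned n, uint64_t guest_base)
{
    memset(blob, 0, ghes_blob_size(n));
    for (unsigned i = 0; i < n; i++) {
        /* Stand-in for the firmware linker patching error_block_address. */
        put_le(blob + i * sizeof(uint64_t), guest_base + ghes_block_off(n, i), 8);
        /* Assumption: non-zero read_ack means the block is free to write. */
        put_le(blob + ghes_ack_off(n, i), 1, 8);
    }
}

/* Record one memory error for source_id, or refuse without touching the block. */
int ghes_record_mem_error(uint8_t *blob, unsigned n, unsigned source_id,
                          uint64_t paddr)
{
    uint8_t *ack, *p;

    if (source_id >= n) {
        return GHES_BAD_SOURCE;   /* index would point outside the tables */
    }
    ack = blob + ghes_ack_off(n, source_id);
    if (ghes_get_le64(ack) == 0) {
        return GHES_NOT_ACKED;    /* guest has not consumed the last record */
    }
    put_le(ack, 0, 8);            /* taken until the guest acknowledges */

    p = blob + ghes_block_off(n, source_id);
    memset(p, 0, MAX_RAW_DATA_LENGTH);
    /* Generic Error Status Block */
    put_le(p, 1, 4);                                    /* ACPI_GEBS_UNCORRECTABLE */
    put_le(p + 12, DATA_ENTRY_SIZE + MEM_CPER_SIZE, 4); /* Data Length */
    p += GESB_SIZE;
    /* Generic Error Data Entry; severity stays 0, recoverable (assumed) */
    memcpy(p, mem_section_guid, sizeof(mem_section_guid));
    put_le(p + 20, 0x300, 2);                           /* Revision */
    put_le(p + 24, MEM_CPER_SIZE, 4);                   /* Error Data Length */
    p += DATA_ENTRY_SIZE;
    /* Memory Error Section: Type Valid and Physical Address Valid */
    put_le(p, (1ULL << 14) | (1ULL << 1), 8);
    put_le(p + 16, paddr, 8);                           /* Physical Address */
    return GHES_OK;
}

int main(void)
{
    uint8_t blob[2 * (16 + 1024)];   /* constructed: two error sources */

    ghes_blob_init(blob, 2, 0x40000000);
    /* First record is accepted, the second is refused until the guest acks. */
    return !(ghes_record_mem_error(blob, 2, 1, 0x80001000) == GHES_OK &&
             ghes_record_mem_error(blob, 2, 1, 0x80002000) == GHES_NOT_ACKED);
}
```

The refused write leaves the earlier record intact, which is the property a guest relies on while it is still parsing the block.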

RE: The issues about architecture of the COLO checkpoint

2020-02-16 Thread Zhanghailiang
Hi Daniel,

I have rebased these patches onto the newest upstream version, as the series
“Optimize VM's downtime while do checkpoint in COLO”.
It has not been tested, please let me know if there are any problems.

Thanks,
Hailiang

From: Daniel Cho [mailto:daniel...@qnap.com]
Sent: Saturday, February 15, 2020 11:36 AM
To: Dr. David Alan Gilbert
Cc: Zhang, Chen; Zhanghailiang; qemu-devel@nongnu.org; Jason Wang
Subject: Re: The issues about architecture of the COLO checkpoint

Hi Dave,

Yes, I agree with you, it does need a timeout.

Hi Hailiang,

We are based on qemu-4.1.0 for using the COLO feature; in your patch, we found a lot of
differences between your version and ours.
Could you give us the latest release version which is close to your development code?

Thanks.

Regards
Daniel Cho

Dr. David Alan Gilbert <dgilb...@redhat.com> wrote on Thursday, February 13, 2020 at 6:38 PM:
* Daniel Cho (daniel...@qnap.com) wrote:
> Hi Hailiang,
>
> 1.
> OK, we will try the patch
> “0001-COLO-Optimize-memory-back-up-process.patch”,
> and thanks for your help.
>
> 2.
> We understand the reason to compare PVM and SVM's packet. However, the
> empty of SVM's packet queue might happened on setting COLO feature and SVM
> broken.
>
> On situation 1 ( setting COLO feature ):
> We could force do checkpoint after setting COLO feature finish, then it
> will protect the state of PVM and SVM . As the Zhang Chen said.
>
> On situation 2 ( SVM broken ):
> COLO will do failover for PVM, so it might not cause any wrong on PVM.
>
> However, those situations are our views, so there might be a big difference
> between reality and our views.
> If we have any wrong views and opinions, please let us know, and correct
> us.

It does need a timeout; the SVM being broken or being in a state where
it never sends the corresponding packet (because of a state difference)
can happen and COLO needs to timeout when the packet hasn't arrived
after a while and trigger the checkpoint.

Dave

> Thanks.
>
> Best regards,
> Daniel Cho
>
> Zhang, Chen <chen.zh...@intel.com> wrote on Thursday, February 13, 2020 at 10:17 AM:
>
> > Add cc Jason Wang, he is a network expert.
> >
> > In case some network things goes wrong.
> >
> >
> >
> > Thanks
> >
> > Zhang Chen
> >
> >
> >
> > *From:* Zhang, Chen
> > *Sent:* Thursday, February 13, 2020 10:10 AM
> > *To:* 'Zhanghailiang' <zhang.zhanghaili...@huawei.com>; Daniel Cho <daniel...@qnap.com>
> > *Cc:* Dr. David Alan Gilbert <dgilb...@redhat.com>; qemu-devel@nongnu.org
> > *Subject:* RE: The issues about architecture of the COLO checkpoint
> >
> >
> >
> > For the issue 2:
> >
> >
> >
> > COLO need use the network packets to confirm PVM and SVM in the same state,
> >
> > Generally speaking, we can’t send PVM packets without compared with SVM
> > packets.
> >
> > But to prevent jamming, I think COLO can do force checkpoint and send the
> > PVM packets in this case.
> >
> >
> >
> > Thanks
> >
> > Zhang Chen
> >
> >
> >
> > *From:* Zhanghailiang <zhang.zhanghaili...@huawei.com>
> > *Sent:* Thursday, February 13, 2020 9:45 AM
> > *To:* Daniel Cho <daniel...@qnap.com>
> > *Cc:* Dr. David Alan Gilbert <dgilb...@redhat.com>; qemu-devel@nongnu.org; Zhang, Chen <chen.zh...@intel.com>
> >
> >
> >
> > Hi,
> >
> >
> >
> > 1. After re-walking through the code, yes, you are right. Actually,
> > after the first migration, we will keep the dirty log on in the primary
> > side and only send the dirty pages in PVM to SVM. The ram cache in the
> > secondary side is always a backup of PVM, so we don’t have to re-send the
> > non-dirtied pages.
> >
> > The reason why the first checkpoint takes a longer time is that we have to
> > back up the whole VM’s ram into the ram cache, that is colo_init_ram_cache().
> >
> > It is time consuming, but I have optimized it in the second patch
> > “0001-COLO-Optimize-memory-back-up-process.patch” which you can find in my
> > previous reply.
> >
> >
> >
> > Besides, I found that, in my previous reply “We can only copy the pages
> > that dirtied by PVM and SVM in last checkpoint.”, we have done this
> > optimization in the current upstream code.
> >
> >
> >
> > 2. I don’t quite understand this question. For COLO, we always need both
> > network packets of PVM’s and SVM’s to compare before sending these packets
> > to the client.
> >
> > It depends on this to decide whether or not PVM and SVM are in the same state.
> >
> >
> >
> > Thanks,
> >
> > hailiang
> >
> >
> >
> > *From:* Daniel Cho [mailto:daniel...@qnap.com]
> > *Sent:* Wednesday, February 12, 2020 4:37 PM
> > *To:* Zhang, Chen <chen.zh...@intel.com>
> > *Cc:* Zhanghailiang 
> > mailto:zhang.zhanghaili...@huawei.com>>; 
> > Dr. David Alan
> > Gilbert mailto:dgi
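
The hold, compare and timeout behaviour discussed in this thread, as an added C example that is not QEMU's colo-compare code and not part of the original mails. The names `cmp_queue`, `pvm_enqueue`, `svm_arrive`, `compare_tick` and the 3000 ms timeout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define QLEN 8
#define COMPARE_TIMEOUT_MS 3000u /* assumed value, not taken from the thread */

enum action { HOLD, RELEASE, CHECKPOINT };
struct pkt { uint64_t arrival_ms; size_t len; uint8_t data[64]; };
struct cmp_queue { struct pkt pvm[QLEN]; size_t head, count; };

/* Hold a primary (PVM) packet until the secondary's copy shows up. */
static bool pvm_enqueue(struct cmp_queue *q, const void *d, size_t len, uint64_t now_ms)
{
    if (q->count == QLEN || len > sizeof q->pvm[0].data)
        return false;               /* full or oversized: caller must handle it */
    struct pkt *p = &q->pvm[(q->head + q->count++) % QLEN];
    p->arrival_ms = now_ms;
    p->len = len;
    memcpy(p->data, d, len);
    return true;
}

/* A checkpoint resyncs SVM to PVM, so every held PVM packet may then go out. */
static enum action force_checkpoint(struct cmp_queue *q)
{
    q->head = q->count = 0;
    return CHECKPOINT;
}

/* Secondary (SVM) packet arrived: compare against the oldest held PVM packet. */
static enum action svm_arrive(struct cmp_queue *q, const void *d, size_t len)
{
    if (q->count == 0)
        return HOLD;                /* simplification: SVM-first order not modelled */
    struct pkt *p = &q->pvm[q->head];
    if (p->len != len || memcmp(p->data, d, len) != 0)
        return force_checkpoint(q); /* outputs differ: states have diverged */
    q->head = (q->head + 1) % QLEN;
    q->count--;
    return RELEASE;                 /* identical: send the PVM packet to the client */
}

/* Periodic timer: an SVM that never answers must not stall the client forever. */
static enum action compare_tick(struct cmp_queue *q, uint64_t now_ms)
{
    if (q->count && now_ms - q->pvm[q->head].arrival_ms >= COMPARE_TIMEOUT_MS)
        return force_checkpoint(q);
    return HOLD;
}
```

Without `compare_tick`, a secondary that is broken or never emits the matching packet would leave the primary's packet held indefinitely.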

BIOS updates

2020-02-16 Thread Alexey Kardashevskiy
Hi!

We have a SLOF repo mirrored at git.qemu.org. Once I push an update to
my github repo, it gets mirrored soon, it works fine.

Now to the problems :)

1. by accident I pushed a branch with a lot of debug stuff on top. When
I noticed, I force-pushed the correct one but it was too late - the
incorrect branch got mirrored. Is there a way to fix this on
https://git.qemu.org/git/SLOF.git? This is the correct one:

42228d763f1f (tag: qemu-slof-20200217, github/master) version: update to
20200217

https://github.com/aik/SLOF/commits/qemu-slof-20200217


2. it appears that the mirroring script pulls all branches from my
github repo, can we please configure that mirroring script only to pull
"master"?

Thanks,


-- 
Alexey



Re: BIOS updates

2020-02-16 Thread Alexey Kardashevskiy



On 17/02/2020 12:27, Alexey Kardashevskiy wrote:
> Hi!
> 
> We have a SLOF repo mirrored at git.qemu.org. Once I push an update to
> my github repo, it gets mirrored soon, it works fine.
> 
> Now to the problems :)
> 
> 1. by accident I pushed a branch with a lot of debug stuff on top. When
> I noticed, I force-pushed the correct one but it was too late - the
> incorrect branch got mirrored. Is there a way to fix this on
> https://git.qemu.org/git/SLOF.git? This is the correct one:
> 
> 42228d763f1f (tag: qemu-slof-20200217, github/master) version: update to
> 20200217
> 
> https://github.com/aik/SLOF/commits/qemu-slof-20200217

Huh, this one got resolved, was it a script or a person? :)


> 
> 2. it appears that the mirroring script pulls all branches from my
> github repo, can we please configure that mirroring script only to pull
> "master"?

I removed extra branches from my git repo and this got mirrored to
git.qemu.org so things are clean now but the question remains whether we
want anything but "master" mirrored.



-- 
Alexey



Re: [PATCH RESEND v23 00/10] Add ARMv8 RAS virtualization support in QEMU

2020-02-16 Thread no-reply
Patchew URL: https://patchew.org/QEMU/20200217012737.30231-1-gengdong...@huawei.com/



Hi,

This series failed the docker-mingw@fedora build test. Please find the testing
commands and their output below. If you have Docker installed, you can probably
reproduce it locally.

=== TEST SCRIPT BEGIN ===
#! /bin/bash
export ARCH=x86_64
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===

  CC  hw/audio/sb16.o
In file included from /tmp/qemu-test/src/hw/acpi/ghes.c:29:
/tmp/qemu-test/src/hw/acpi/ghes.c: In function 'acpi_ghes_record_mem_error':
/tmp/qemu-test/src/include/qemu/uuid.h:38:3: error: missing braces around 
initializer [-Werror=missing-braces]
   { (a) & 0xff, ((a) >> 8) & 0xff, ((a) >> 16) & 0xff, ((a) >> 24) & 0xff, \
   ^
/tmp/qemu-test/src/hw/acpi/ghes.c:60:5: note: in expansion of macro 'UUID_LE'
---
 QemuUUID mem_section_id_le = UEFI_CPER_SEC_PLATFORM_MEM;
  ^~
cc1: all warnings being treated as errors
make: *** [/tmp/qemu-test/src/rules.mak:69: hw/acpi/ghes.o] Error 1
make: *** Waiting for unfinished jobs
  CC  hw/audio/es1370.o
Traceback (most recent call last):
---
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', 
'--label', 'com.qemu.instance.uuid=9a76402463c345328be56ae4097cee3b', '-u', 
'1003', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', 
'-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 
'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', 
'/home/patchew2/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 
'/var/tmp/patchew-tester-tmp-lfhq_j5a/src/docker-src.2020-02-16-20.55.36.13397:/var/tmp/qemu:z,ro',
 'qemu:fedora', '/var/tmp/qemu/run', 'test-mingw']' returned non-zero exit 
status 2.
filter=--filter=label=com.qemu.instance.uuid=9a76402463c345328be56ae4097cee3b
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-lfhq_j5a/src'
make: *** [docker-run-test-mingw@fedora] Error 2

real    2m35.466s
user    0m8.231s


The full log is available at
http://patchew.org/logs/20200217012737.30231-1-gengdong...@huawei.com/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-de...@redhat.com

[PULL SUBSYSTEM qemu-pseries] pseries: Update SLOF firmware image

2020-02-16 Thread Alexey Kardashevskiy
The following changes since commit 05943fb4ca41f626078014c0327781815c6584c5:

  ppc: free 'fdt' after reset the machine (2020-02-17 11:27:23 +1100)

are available in the Git repository at:

  g...@github.com:aik/qemu.git tags/qemu-slof-20200217

for you to fetch changes up to ea9a03e5aa023c5391bab5259898475d0298aac2:

  pseries: Update SLOF firmware image (2020-02-17 13:08:59 +1100)


Alexey Kardashevskiy (1):
  pseries: Update SLOF firmware image

 pc-bios/README   |   2 +-
 pc-bios/slof.bin | Bin 931032 -> 968560 bytes
 roms/SLOF|   2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)


*** Note: this is not for master, this is for pseries



Re: [PULL SUBSYSTEM qemu-pseries] pseries: Update SLOF firmware image

2020-02-16 Thread David Gibson
On Mon, Feb 17, 2020 at 01:12:17PM +1100, Alexey Kardashevskiy wrote:
> The following changes since commit 05943fb4ca41f626078014c0327781815c6584c5:
> 
>   ppc: free 'fdt' after reset the machine (2020-02-17 11:27:23 +1100)
> 
> are available in the Git repository at:
> 
>   g...@github.com:aik/qemu.git tags/qemu-slof-20200217
> 
> for you to fetch changes up to ea9a03e5aa023c5391bab5259898475d0298aac2:
> 
>   pseries: Update SLOF firmware image (2020-02-17 13:08:59 +1100)
> 
> 
> Alexey Kardashevskiy (1):
>   pseries: Update SLOF firmware image
> 
>  pc-bios/README   |   2 +-
>  pc-bios/slof.bin | Bin 931032 -> 968560 bytes
>  roms/SLOF|   2 +-
>  3 files changed, 2 insertions(+), 2 deletions(-)
> 
> 
> *** Note: this is not for master, this is for pseries

Merged to ppc-for-5.0, thanks.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson

