Re: [PATCH] .editorconfig: set max line at 70 chars for QAPI files

2023-03-21 Thread Marc-André Lureau
Hi

On Tue, Mar 7, 2023 at 4:32 PM  wrote:
>
> From: Marc-André Lureau 
>
> This seems to be the preferred style.
>
> The EditorConfig property is not supported by all editors:
> https://github.com/editorconfig/editorconfig/wiki/EditorConfig-Properties#max_line_length
>
> Signed-off-by: Marc-André Lureau 
> ---
>  .editorconfig | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/.editorconfig b/.editorconfig
> index 7303759ed7..8c5ebc6a1b 100644
> --- a/.editorconfig
> +++ b/.editorconfig
> @@ -47,3 +47,4 @@ emacs_mode = glsl
>  [*.json]
>  indent_style = space
>  emacs_mode = python
> +max_line_length = 70
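Review bot: The new max_line_length = 70 line sits under the [*.json] section, so it applies to every JSON file in the tree, while the subject limits the intent to QAPI files. Consider a narrower section glob for the QAPI schema files, or a comment above the property saying why 70 was chosen and that not every editor honours it, as the commit message already notes.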

ack or nack ?



Re: [PATCH v14 4/4] vhost-vdpa: Add support for vIOMMU.

2023-03-21 Thread Cindy Lu
On Tue, Mar 21, 2023 at 11:21 AM Jason Wang  wrote:
>
> On Tue, Mar 21, 2023 at 12:20 AM Cindy Lu  wrote:
> >
> > 1. The vIOMMU support will allow vDPA to work in IOMMU mode. This
> > will fix security issues while using the no-IOMMU mode.
> > To support this feature we need to add new functions for IOMMU MR adds and
> > deletes.
> >
> > Also, since the SVQ does not support vIOMMU yet, add a check for IOMMU
> > in vhost_vdpa_dev_start; if the SVQ and IOMMU are enabled at the same time,
> > the function will return failure.
> >
> > 2. Skip the iova_max check in vhost_vdpa_listener_skipped_section() when the
> > MR is IOMMU, and move this check to vhost_vdpa_iommu_map_notify()
> >
> > Verified in vp_vdpa and vdpa_sim_net driver
> >
> > Signed-off-by: Cindy Lu 
> > ---
> >  hw/virtio/vhost-vdpa.c | 149 +++--
> >  include/hw/virtio/vhost-vdpa.h |  11 +++
> >  2 files changed, 152 insertions(+), 8 deletions(-)
> >
> > diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
> > index 0c8c37e786..b36922b365 100644
> > --- a/hw/virtio/vhost-vdpa.c
> > +++ b/hw/virtio/vhost-vdpa.c
> > @@ -26,6 +26,7 @@
> >  #include "cpu.h"
> >  #include "trace.h"
> >  #include "qapi/error.h"
> > +#include "hw/virtio/virtio-access.h"
> >
> >  /*
> >   * Return one past the end of the end of section. Be careful with uint64_t
> > @@ -60,15 +61,22 @@ static bool 
> > vhost_vdpa_listener_skipped_section(MemoryRegionSection *section,
> >   iova_min, section->offset_within_address_space);
> >  return true;
> >  }
> > +/*
> > + * While using vIOMMU, sometimes the section will be larger than 
> > iova_max,
> > + * but the memory that actually maps is smaller, so move the check to
> > + * function vhost_vdpa_iommu_map_notify(). That function will use the 
> > actual
> > + * size that maps to the kernel
> > + */
> >
> > -llend = vhost_vdpa_section_end(section);
> > -if (int128_gt(llend, int128_make64(iova_max))) {
> > -error_report("RAM section out of device range (max=0x%" PRIx64
> > - ", end addr=0x%" PRIx64 ")",
> > - iova_max, int128_get64(llend));
> > -return true;
> > +if (!memory_region_is_iommu(section->mr)) {
> > +llend = vhost_vdpa_section_end(section);
> > +if (int128_gt(llend, int128_make64(iova_max))) {
> > +error_report("RAM section out of device range (max=0x%" PRIx64
> > + ", end addr=0x%" PRIx64 ")",
> > + iova_max, int128_get64(llend));
> > +return true;
> > +}
> >  }
> > -
>
> Unnecessary changes.
>
will fix this
> >  return false;
> >  }
> >
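Review bot: With the iova_max test now guarded by !memory_region_is_iommu(section->mr), the lower-bound branch just above it (the one that reports iova_min against section->offset_within_address_space and returns true) still runs for IOMMU regions. If the section bounds of an IOMMU region do not reflect what is actually mapped, as the new comment says, that branch has the same problem; either skip it for IOMMU regions as well or say in the comment why only the upper bound moves to the notifier.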
> > @@ -185,6 +193,118 @@ static void vhost_vdpa_listener_commit(MemoryListener 
> > *listener)
> >  v->iotlb_batch_begin_sent = false;
> >  }
> >
> > +static void vhost_vdpa_iommu_map_notify(IOMMUNotifier *n, IOMMUTLBEntry 
> > *iotlb)
> > +{
> > +struct vdpa_iommu *iommu = container_of(n, struct vdpa_iommu, n);
> > +
> > +hwaddr iova = iotlb->iova + iommu->iommu_offset;
> > +struct vhost_vdpa *v = iommu->dev;
> > +void *vaddr;
> > +int ret;
> > +Int128 llend;
> > +
> > +if (iotlb->target_as != &address_space_memory) {
> > +error_report("Wrong target AS \"%s\", only system memory is 
> > allowed",
> > + iotlb->target_as->name ? iotlb->target_as->name : 
> > "none");
> > +return;
> > +}
> > +RCU_READ_LOCK_GUARD();
> > +/* check if RAM section out of device range */
> > +llend = int128_add(int128_makes64(iotlb->addr_mask), 
> > int128_makes64(iova));
> > +if (int128_gt(llend, int128_make64(v->iova_range.last))) {
> > +error_report("RAM section out of device range (max=0x%" PRIx64
> > + ", end addr=0x%" PRIx64 ")",
> > + v->iova_range.last, int128_get64(llend));
> > +return;
> > +}
> > +
> > +vhost_vdpa_iotlb_batch_begin_once(v);
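Review bot: The range check in vhost_vdpa_iommu_map_notify() builds llend with int128_makes64() on iotlb->addr_mask and on iova, which is a hwaddr, and then compares it with int128_make64(v->iova_range.last). int128_makes64() takes a signed value, so an address with the top bit set becomes a negative Int128 and passes the int128_gt() test; use int128_make64() for both operands so the bound holds for the whole unsigned range. The check also covers only iova_range.last and not iova_range.first, and the message still says "RAM section" although it is raised from the IOMMU notifier.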
>
> Quoted from your answer in V1:
>
> "
> the VHOST_IOTLB_BATCH_END message was sent by
> vhost_vdpa_listener_commit, because we only use
> one vhost_vdpa_memory_listener and no-iommu mode will also need to use
> this listener, so we still need to add the batch begin here, based on
> my testing after the notify function was called, the listener_commit
> function was also called, so it works well in this situation
> "
>
> This assumes the map_notify to be called within the memory
> transactions which is not necessarily the case.
>
> I think it could be triggered when guest tries to establish a new
> mapping in the vIOMMU. In this case there's no memory transactions at
> all?
>
sure, thanks will fix this
> Thanks
>




Re: [PULL 2/6] bios-tables-test: use 128M numa nodes on aarch64

2023-03-21 Thread Ani Sinha
On Mon, Mar 20, 2023 at 3:08 PM Gerd Hoffmann  wrote:
>
> Recent edk2 versions don't boot with very small numa nodes.
> Bump the size from 64M to 128M.

Can you please add the ASL diff between the binary blobs as a result
of the change?
Otherwise.

>
> Signed-off-by: Gerd Hoffmann 
Reviewed-by: Ani Sinha 

> ---
>  tests/qtest/bios-tables-test.c |   6 +++---
>  tests/data/acpi/virt/SRAT.acpihmatvirt | Bin 240 -> 240 bytes
>  tests/data/acpi/virt/SSDT.memhp| Bin 1817 -> 1817 bytes
>  3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
> index 76d510091177..873358943784 100644
> --- a/tests/qtest/bios-tables-test.c
> +++ b/tests/qtest/bios-tables-test.c
> @@ -1679,9 +1679,9 @@ static void test_acpi_virt_tcg_acpi_hmat(void)
>  test_acpi_one(" -machine hmat=on"
>" -cpu cortex-a57"
>" -smp 4,sockets=2"
> -  " -m 256M"
> -  " -object memory-backend-ram,size=64M,id=ram0"
> -  " -object memory-backend-ram,size=64M,id=ram1"
> +  " -m 384M"
> +  " -object memory-backend-ram,size=128M,id=ram0"
> +  " -object memory-backend-ram,size=128M,id=ram1"
>" -object memory-backend-ram,size=128M,id=ram2"
>" -numa node,nodeid=0,memdev=ram0"
>" -numa node,nodeid=1,memdev=ram1"
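Review bot: Nothing next to the size=128M values for ram0 and ram1 records why 64M is no longer usable, so a later cleanup could shrink the nodes again. A short comment above this test_acpi_one() call, repeating the commit message's reason (recent edk2 versions do not boot with very small numa nodes), would keep that. The -m 384M total is consistent with the three 128M backends.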
> diff --git a/tests/data/acpi/virt/SRAT.acpihmatvirt 
> b/tests/data/acpi/virt/SRAT.acpihmatvirt
> index 
> 691ef56e34bc84509270db316d908f5979c209bb..6fe55dd7d07fef0f8fe16a209e96a89dd48ca240
>  100644
> GIT binary patch
> delta 67
> zcmeys_<@ltILI;N0|NsC^R$Uvjf@-JPK>(EIfYJ<%Fb0qY0P4I6
> AJ^%m!
>
> delta 59
> zcmeys_<@ltILI;N0|NsC^Qwtljf^Z4d*l^dfLst@flv$#j4%d}X4GJsxL6ecZ+{66
>
> diff --git a/tests/data/acpi/virt/SSDT.memhp b/tests/data/acpi/virt/SSDT.memhp
> index 
> 2fcfc5fda955dc4ba78a5f4116eed99ec7202fbd..ef93c44464f1fe38f7e5babd5d67f345cc6363a6
>  100644
> GIT binary patch
> delta 22
> dcmbQqH
> delta 22
> dcmbQqH
> --
> 2.39.2
>



Re: [PULL 1/6] acpi: enable tests/data/acpi updates

2023-03-21 Thread Ani Sinha
On Mon, Mar 20, 2023 at 3:08 PM Gerd Hoffmann  wrote:
>
> Signed-off-by: Gerd Hoffmann 
> ---
>  tests/qtest/bios-tables-test-allowed-diff.h | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/tests/qtest/bios-tables-test-allowed-diff.h 
> b/tests/qtest/bios-tables-test-allowed-diff.h
> index dfb8523c8bf4..b5ed0904b5ff 100644
> --- a/tests/qtest/bios-tables-test-allowed-diff.h
> +++ b/tests/qtest/bios-tables-test-allowed-diff.h
> @@ -1 +1,2 @@
>  /* List of comma-separated changed AML files to ignore */
> +"tests/data/acpi/virt/SRAT.acpihmatvirt",
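Review bot: Only SRAT.acpihmatvirt is added to the allowed-diff list, but the diffstat of patch 2/6 in this series also lists tests/data/acpi/virt/SSDT.memhp as regenerated (Bin 1817 -> 1817 bytes). If that blob changes in the same step, it needs an entry here too.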

Should we also add   tests/data/acpi/virt/SSDT.memh ?

> --
> 2.39.2
>



Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei



On 2023/3/21 14:37, fei2...@intel.com wrote:

From: Fei Wu 

Kernel needs to access user mode memory e.g. during syscalls, the window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
---
  target/riscv/cpu.h|  4 
  target/riscv/cpu_helper.c |  7 +++
  target/riscv/csr.c| 14 +-
  3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
  uint64_t kvm_timer_compare;
  uint64_t kvm_timer_state;
  uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+uint64_t sum_u_count;
+uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
  };
  
  OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
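Review bot: sum_u_count and sum_u_addr[] are added to CPUArchState without a comment, directly after the kvm_timer_* fields although they are TLB bookkeeping. Document on the fields that sum_u_count keeps counting past MAX_CACHED_SUM_U_ADDR_NUM (that is the overflow signal read in write_mstatus()), and that they are deliberately not saved or restored because tlb_flush() runs after restore, as the commit message says.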

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
  (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
  *prot |= PAGE_WRITE;
  }
+if ((pte & PTE_U) && (mode & PRV_S) &&
+get_field(env->mstatus, MSTATUS_SUM)) {
+if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+env->sum_u_addr[env->sum_u_count] = addr;
+}
+++env->sum_u_count;
+}
  return TRANSLATE_SUCCESS;
  }
  }
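Review bot: The condition (mode & PRV_S) treats mode as a bitmask, while the flush in csr.c uses PRV_S and PRV_M as index numbers (1 << PRV_S | 1 << PRV_M). If mode holds a privilege level, any level that shares a bit with PRV_S matches as well; mode == PRV_S states the intent, or add a comment if matching other modes is wanted. A comment that addr is stored unmasked and that the count deliberately runs past the array bound would also help the reader of this block.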
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException write_mstatus(CPURISCVState *env, 
int csrno,
  
  /* flush tlb on mstatus fields that affect VM */

  if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-MSTATUS_MPRV | MSTATUS_SUM)) {
+MSTATUS_MPRV)) {
  tlb_flush(env_cpu(env));
+env->sum_u_count = 0;
+} else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+tlb_flush(env_cpu(env));
+} else {
+for (int i = 0; i < env->sum_u_count; ++i) {
+tlb_flush_page_by_mmuidx(env_cpu(env), env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);
+}
+}
+env->sum_u_count = 0;
  }
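Review bot: The new else-if branch handles only the SUM 1 -> 0 transition, and with MSTATUS_SUM dropped from the first mask a 0 -> 1 write no longer flushes anything; the hunk has no comment saying why that is safe. State the invariant next to the branch. Separately, the loop compares int i with the uint64_t env->sum_u_count; give i the same type, even though the value is bounded by MAX_CACHED_SUM_U_ADDR_NUM on this path.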


Should the TLB be flushed when SUM is changed from 0 to 1?

Regards,

Weiwei Li


+
  mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
  MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
  MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |





[PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Cédric Le Goater
From: Cédric Le Goater 

GCC13 reports an error :

../util/async.c: In function ‘aio_bh_poll’:
include/qemu/queue.h:303:22: error: storing the address of local variable 
‘slice’ in ‘*ctx.bh_slice_list.sqh_last’ [-Werror=dangling-pointer=]
  303 | (head)->sqh_last = &(elm)->field.sqe_next;  
\
  | ~^~~~
../util/async.c:169:5: note: in expansion of macro ‘QSIMPLEQ_INSERT_TAIL’
  169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
  | ^~~~
../util/async.c:161:17: note: ‘slice’ declared here
  161 | BHListSlice slice;
  | ^
../util/async.c:161:17: note: ‘ctx’ declared here

But the local variable 'slice' is removed from the global context list
in the following loop of the same routine. Add an intermediate helper to
silence GCC. No functional change.

Cc: Stefan Hajnoczi 
Cc: Paolo Bonzini 
Cc: Daniel P. Berrangé 
Signed-off-by: Cédric Le Goater 
---
 util/async.c | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/util/async.c b/util/async.c
index 21016a1ac7..45be1ed218 100644
--- a/util/async.c
+++ b/util/async.c
@@ -155,6 +155,11 @@ void aio_bh_call(QEMUBH *bh)
 bh->cb(bh->opaque);
 }
 
+static void aio_bh_slice_insert(AioContext *ctx, BHListSlice *slice)
+{
+QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, slice, next);
+}
+
 /* Multiple occurrences of aio_bh_poll cannot be called concurrently. */
 int aio_bh_poll(AioContext *ctx)
 {
@@ -164,7 +169,13 @@ int aio_bh_poll(AioContext *ctx)
 
 /* Synchronizes with QSLIST_INSERT_HEAD_ATOMIC in aio_bh_enqueue().  */
 QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
-QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+
+/*
+ * GCC13 [-Werror=dangling-pointer=] complains that the local variable
+ * 'slice' is being stored in a global list in 'ctx->bh_slice_list'.
+ * Use a helper to silent the compiler
+ */
+aio_bh_slice_insert(ctx, &slice);
 
 while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {
 QEMUBH *bh;
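Review bot: The comment above aio_bh_slice_insert(ctx, &slice) says what GCC complains about but not why the warning is a false positive. The commit message has the reason (slice is removed from ctx->bh_slice_list by the loop that follows, in the same routine); put that in the comment so the helper is not later mistaken for needless indirection and folded back into aio_bh_poll(). Also s/silent/silence/ in the comment.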
-- 
2.39.2




[PATCH for-8.0 3/3] target/ppc: Fix helper_pminsn() prototype

2023-03-21 Thread Cédric Le Goater
From: Cédric Le Goater 

GCC13 reports an error:

../target/ppc/excp_helper.c:2625:6: error: conflicting types for 
‘helper_pminsn’ due to enum/integer mismatch; have ‘void(CPUPPCState *, 
powerpc_pm_insn_t)’ {aka ‘void(struct CPUArchState *, powerpc_pm_insn_t)’} 
[-Werror=enum-int-mismatch]
 2625 | void helper_pminsn(CPUPPCState *env, powerpc_pm_insn_t insn)
  |  ^
In file included from /home/legoater/work/qemu/qemu.git/include/qemu/osdep.h:49,
 from ../target/ppc/excp_helper.c:19:
/home/legoater/work/qemu/qemu.git/include/exec/helper-head.h:23:27: note: 
previous declaration of ‘helper_pminsn’ with type ‘void(CPUArchState *, 
uint32_t)’ {aka ‘void(CPUArchState *, unsigned int)’}
   23 | #define HELPER(name) glue(helper_, name)
  |   ^~~

Cc: Daniel Henrique Barboza 
Fixes: 7778a575c7 ("ppc: Add P7/P8 Power Management instructions")
Signed-off-by: Cédric Le Goater 
---
 target/ppc/excp_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index 287659c74d..199328f4b6 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -2622,7 +2622,7 @@ void helper_scv(CPUPPCState *env, uint32_t lev)
 }
 }
 
-void helper_pminsn(CPUPPCState *env, powerpc_pm_insn_t insn)
+void helper_pminsn(CPUPPCState *env, uint32_t insn)
 {
 CPUState *cs;
 
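Review bot: Switching the parameter of helper_pminsn() to uint32_t matches the previous declaration quoted in the error, but the definition no longer shows that insn carries a powerpc_pm_insn_t value. A one-line comment on the parameter, or a local powerpc_pm_insn_t copy at the top of the body, would keep that visible to readers.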
-- 
2.39.2




[PATCH for-8.0 0/3] Fixes for GCC13

2023-03-21 Thread Cédric Le Goater
Hello,

I activated a GH workflow using fedora rawhide and found out that
there were a couple of compile breakages with the new GCC. Here are
fixes, the first requiring more attention.

Thanks,

C. 

Cédric Le Goater (3):
  async: Suppress GCC13 false positive in aio_bh_poll()
  target/s390x: Fix float_comp_to_cc() prototype
  target/ppc: Fix helper_pminsn() prototype

 target/s390x/s390x-internal.h |  3 ++-
 target/ppc/excp_helper.c  |  2 +-
 util/async.c  | 13 -
 3 files changed, 15 insertions(+), 3 deletions(-)

-- 
2.39.2




[PATCH for-8.0 2/3] target/s390x: Fix float_comp_to_cc() prototype

2023-03-21 Thread Cédric Le Goater
From: Cédric Le Goater 

GCC13 reports an error :

../target/s390x/tcg/fpu_helper.c:123:5: error: conflicting types for 
‘float_comp_to_cc’ due to enum/integer mismatch; have ‘int(CPUS390XState *, 
FloatRelation)’ {aka ‘int(struct CPUArchState *, FloatRelation)’} 
[-Werror=enum-int-mismatch]

  123 | int float_comp_to_cc(CPUS390XState *env, FloatRelation float_compare)
  | ^~~~
In file included from ../target/s390x/tcg/fpu_helper.c:23:
../target/s390x/s390x-internal.h:302:5: note: previous declaration of 
‘float_comp_to_cc’ with type ‘int(CPUS390XState *, int)’ {aka ‘int(struct 
CPUArchState *, int)’}
  302 | int float_comp_to_cc(CPUS390XState *env, int float_compare);
  | ^~~~

Cc: Thomas Huth 
Cc: Richard Henderson 
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Fixes: 71bfd65c5f ("softfloat: Name compare relation enum")
Signed-off-by: Cédric Le Goater 
---
 target/s390x/s390x-internal.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h
index 5d4361d35b..825252d728 100644
--- a/target/s390x/s390x-internal.h
+++ b/target/s390x/s390x-internal.h
@@ -11,6 +11,7 @@
 #define S390X_INTERNAL_H
 
 #include "cpu.h"
+#include "fpu/softfloat.h"
 
 #ifndef CONFIG_USER_ONLY
 typedef struct LowCore {
@@ -299,7 +300,7 @@ uint32_t set_cc_nz_f128(float128 v);
 uint8_t s390_softfloat_exc_to_ieee(unsigned int exc);
 int s390_swap_bfp_rounding_mode(CPUS390XState *env, int m3);
 void s390_restore_bfp_rounding_mode(CPUS390XState *env, int old_mode);
-int float_comp_to_cc(CPUS390XState *env, int float_compare);
+int float_comp_to_cc(CPUS390XState *env, FloatRelation float_compare);
 
 #define DCMASK_ZERO 0x0c00
 #define DCMASK_NORMAL   0x0300
-- 
2.39.2




[BUG][KVM_SET_USER_MEMORY_REGION] KVM_SET_USER_MEMORY_REGION failed

2023-03-21 Thread Simon Jones
Hi all,

I start a VM in OpenStack, and OpenStack uses libvirt to start the QEMU VM, but
now the log shows this ERROR.
Does anyone know about this?

The ERROR log from /var/log/libvirt/qemu/instance-000e.log
```
2023-03-14T10:09:17.674114Z qemu-system-x86_64: kvm_set_user_memory_region:
KVM_SET_USER_MEMORY_REGION failed, slot=4, start=0xfe00,
size=0x2000: Invalid argument
kvm_set_phys_mem: error registering slot: Invalid argument
2023-03-14 10:09:18.198+: shutting down, reason=crashed
```

The xml file
```
root@c1c2:~# cat /etc/libvirt/qemu/instance-000e.xml



  instance-000e
  ff91d2dc-69a1-43ef-abde-c9e4e9a0305b
  
http://openstack.org/xmlns/libvirt/nova/1.1";>
  
  provider-instance
  2023-03-14 10:09:13
  
64
1
0
0
1
  
  
admin
admin
  
  
  

  

  

  
  65536
  65536
  1
  

  OpenStack Foundation
  OpenStack Nova
  25.1.0
  ff91d2dc-69a1-43ef-abde-c9e4e9a0305b
  ff91d2dc-69a1-43ef-abde-c9e4e9a0305b
  Virtual Machine

  
  
hvm


  
  



  
  

  
  



  
  destroy
  restart
  destroy
  
/usr/bin/qemu-system-x86_64

  
  
  
  


  



  
  

  
  


  
  

  


  
  


  




  



  
  


  

  
  


  
  


  /dev/urandom
  

  

```



Simon Jones


Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread Wu, Fei
On 3/21/2023 4:28 PM, liweiwei wrote:
> 
> On 2023/3/21 14:37, fei2...@intel.com wrote:
>> From: Fei Wu 
>>
>> Kernel needs to access user mode memory e.g. during syscalls, the window
>> is usually opened up for a very limited time through MSTATUS.SUM, the
>> overhead is too much if tlb_flush() gets called for every SUM change.
>> This patch saves addresses accessed when SUM=1, and flushes only these
>> pages when SUM changes to 0. If the buffer is not large enough to save
>> all the pages during SUM=1, it will fall back to tlb_flush when
>> necessary.
>>
>> The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
>> most of the time kernel accesses 1 or 2 pages, it's very rare to see
>> more than 4 pages accessed.
>>
>> It's not necessary to save/restore these new added status, as
>> tlb_flush() is always called after restore.
>>
>> Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
>> other syscalls benefit a lot from this one too.
>>
>> Signed-off-by: Fei Wu 
>> Reviewed-by: LIU Zhiwei 
>> ---
>>   target/riscv/cpu.h    |  4 
>>   target/riscv/cpu_helper.c |  7 +++
>>   target/riscv/csr.c    | 14 +-
>>   3 files changed, 24 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
>> index 638e47c75a..926dbce59f 100644
>> --- a/target/riscv/cpu.h
>> +++ b/target/riscv/cpu.h
>> @@ -383,6 +383,10 @@ struct CPUArchState {
>>   uint64_t kvm_timer_compare;
>>   uint64_t kvm_timer_state;
>>   uint64_t kvm_timer_frequency;
>> +
>> +#define MAX_CACHED_SUM_U_ADDR_NUM 4
>> +    uint64_t sum_u_count;
>> +    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
>>   };
>>     OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
>> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
>> index f88c503cf4..5ad0418eb6 100644
>> --- a/target/riscv/cpu_helper.c
>> +++ b/target/riscv/cpu_helper.c
>> @@ -1068,6 +1068,13 @@ restart:
>>   (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
>>   *prot |= PAGE_WRITE;
>>   }
>> +    if ((pte & PTE_U) && (mode & PRV_S) &&
>> +    get_field(env->mstatus, MSTATUS_SUM)) {
>> +    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    env->sum_u_addr[env->sum_u_count] = addr;
>> +    }
>> +    ++env->sum_u_count;
>> +    }
>>   return TRANSLATE_SUCCESS;
>>   }
>>   }
>> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
>> index ab566639e5..74b7638c8a 100644
>> --- a/target/riscv/csr.c
>> +++ b/target/riscv/csr.c
>> @@ -1246,9 +1246,21 @@ static RISCVException
>> write_mstatus(CPURISCVState *env, int csrno,
>>     /* flush tlb on mstatus fields that affect VM */
>>   if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
>> -    MSTATUS_MPRV | MSTATUS_SUM)) {
>> +    MSTATUS_MPRV)) {
>>   tlb_flush(env_cpu(env));
>> +    env->sum_u_count = 0;
>> +    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
>> +    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    tlb_flush(env_cpu(env));
>> +    } else {
>> +    for (int i = 0; i < env->sum_u_count; ++i) {
>> +    tlb_flush_page_by_mmuidx(env_cpu(env),
>> env->sum_u_addr[i],
>> + 1 << PRV_S | 1 << PRV_M);
>> +    }
>> +    }
>> +    env->sum_u_count = 0;
>>   }
> 
> Should the TLB be flushed when SUM is changed from 0 to 1?
> 
When SUM is changed from 0 to 1, all the existing tlb entries remain
valid as the permission is elevated instead of reduced, so I don't think
it's necessary to flush tlb.

Thanks,
Fei.

> Regards,
> 
> Weiwei Li
> 
>> +
>>   mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
>>   MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
>>   MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |
> 




Re: [PULL 2/6] bios-tables-test: use 128M numa nodes on aarch64

2023-03-21 Thread Michael S. Tsirkin
On Tue, Mar 21, 2023 at 01:52:22PM +0530, Ani Sinha wrote:
> On Mon, Mar 20, 2023 at 3:08 PM Gerd Hoffmann  wrote:
> >
> > Recent edk2 versions don't boot with very small numa nodes.
> > Bump the size from 64M to 128M.
> 
> Can you please add the ASL diff between the binary blobs as a result
> of the change?
> Otherwise.


Peter merged this so too late, but please do it in the future.
Otherwise it is impossible to review the changes.

> >
> > Signed-off-by: Gerd Hoffmann 
> Reviewed-by: Ani Sinha 
> 
> > ---
> >  tests/qtest/bios-tables-test.c |   6 +++---
> >  tests/data/acpi/virt/SRAT.acpihmatvirt | Bin 240 -> 240 bytes
> >  tests/data/acpi/virt/SSDT.memhp| Bin 1817 -> 1817 bytes
> >  3 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
> > index 76d510091177..873358943784 100644
> > --- a/tests/qtest/bios-tables-test.c
> > +++ b/tests/qtest/bios-tables-test.c
> > @@ -1679,9 +1679,9 @@ static void test_acpi_virt_tcg_acpi_hmat(void)
> >  test_acpi_one(" -machine hmat=on"
> >" -cpu cortex-a57"
> >" -smp 4,sockets=2"
> > -  " -m 256M"
> > -  " -object memory-backend-ram,size=64M,id=ram0"
> > -  " -object memory-backend-ram,size=64M,id=ram1"
> > +  " -m 384M"
> > +  " -object memory-backend-ram,size=128M,id=ram0"
> > +  " -object memory-backend-ram,size=128M,id=ram1"
> >" -object memory-backend-ram,size=128M,id=ram2"
> >" -numa node,nodeid=0,memdev=ram0"
> >" -numa node,nodeid=1,memdev=ram1"
> > diff --git a/tests/data/acpi/virt/SRAT.acpihmatvirt 
> > b/tests/data/acpi/virt/SRAT.acpihmatvirt
> > index 
> > 691ef56e34bc84509270db316d908f5979c209bb..6fe55dd7d07fef0f8fe16a209e96a89dd48ca240
> >  100644
> > GIT binary patch
> > delta 67
> > zcmeys_<@ltILI;N0|NsC^R$Uvjf@-JPK>(EIfYJ<%Fb0qY0P4I6
> > AJ^%m!
> >
> > delta 59
> > zcmeys_<@ltILI;N0|NsC^Qwtljf^Z4d*l^dfLst@flv$#j4%d}X4GJsxL6ecZ+{66
> >
> > diff --git a/tests/data/acpi/virt/SSDT.memhp 
> > b/tests/data/acpi/virt/SSDT.memhp
> > index 
> > 2fcfc5fda955dc4ba78a5f4116eed99ec7202fbd..ef93c44464f1fe38f7e5babd5d67f345cc6363a6
> >  100644
> > GIT binary patch
> > delta 22
> > dcmbQqH >
> > delta 22
> > dcmbQqH >
> > --
> > 2.39.2
> >




Re: [PATCH 03/10] accel/tcg: move i386 halt handling to sysemu_ops

2023-03-21 Thread Claudio Fontana
On 3/20/23 16:34, Philippe Mathieu-Daudé wrote:
> On 20/3/23 16:23, Claudio Fontana wrote:
>> Hi Alex, all,
>>
>> again, this moves TCG-only code to common code, no?
> 
> Oh, good point.
> 
>> Even if this happens to work, the idea is to avoid adding unneeded accel TCG 
>> code to a KVM-only binary.
> 
> Could yet another AccelSysemuCPUOps *accel struct in SysemuCPUOps
> help being stricter? ...

Just a thought, in general I wonder if we could devise a less error prone way 
to keep things in the right place.
Just thinking out loud here, something like a QEMU_ATTRIBUTE_TCG, _KVM, ... to 
add to symbols to avoid ending up in the wrong binary.

Keeping in mind all these dimensions is probably very taxing, maybe getting 
some support from the build system would be beneficial,
checking that a build requested with specific features contains only compatible 
objects.

Any ideas?

Ciao,

C

> 
>> We need to keep in mind all dimensions when we do refactorings:
>>
>> user-mode vs sysemu,
>> the architecture,
>> the accel, in particular tcg, non-tcg (which could be not compiled in, 
>> built-in, or loaded as separate module).
>>
>> In many cases, testing with --disable-tcg --enable-kvm helps to avoid 
>> breakages,
>> but it is possible also to move in unneeded code in a way that does not 
>> generate compile or link-time errors, so we need to be a bit alert to that.
>>
>> Ciao,
>>
>> C
>>
>>
>> On 3/20/23 11:10, Alex Bennée wrote:
>>> We don't want to be polluting the core run loop code with target
>>> specific handling, punt it to sysemu_ops where it belongs.
>>>
>>> Signed-off-by: Alex Bennée 
>>> ---
>>>   include/hw/core/sysemu-cpu-ops.h |  5 +
>>>   target/i386/cpu-internal.h   |  1 +
>>>   accel/tcg/cpu-exec.c | 14 +++---
>>>   target/i386/cpu-sysemu.c | 12 
>>>   target/i386/cpu.c|  1 +
>>>   5 files changed, 22 insertions(+), 11 deletions(-)
>>>
>>> diff --git a/include/hw/core/sysemu-cpu-ops.h 
>>> b/include/hw/core/sysemu-cpu-ops.h
>>> index ee169b872c..c9d30172c4 100644
>>> --- a/include/hw/core/sysemu-cpu-ops.h
>>> +++ b/include/hw/core/sysemu-cpu-ops.h
>>> @@ -48,6 +48,11 @@ typedef struct SysemuCPUOps {
>>>* GUEST_PANICKED events.
>>>*/
>>>   GuestPanicInformation* (*get_crash_info)(CPUState *cpu);
>>> +/**
>>> + * @handle_cpu_halt: Callback for special handling during 
>>> cpu_handle_halt()
>>> + * @cs: The CPUState
>>> + */
> 
> Perhaps insert within a 'tcg' structure for now.
> 
>  #ifdef CONFIG_TCG
>  struct {
> 
>>> +void (*handle_cpu_halt)(CPUState *cpu);
> 
>  } tcg;
>  #endif
> 
> Then we could extract as accel.
> 
>>>   /**
>>>* @write_elf32_note: Callback for writing a CPU-specific ELF note to 
>>> a
>>>* 32-bit VM coredump.
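Review bot: The doc block for handle_cpu_halt names the argument @cs, but the callback is declared as void (*handle_cpu_halt)(CPUState *cpu). Rename one so the two agree. The comment also does not say what a target's implementation is expected to do during cpu_handle_halt(), which anyone adding a second implementation will need.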
> 
> 




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei



On 2023/3/21 16:40, Wu, Fei wrote:

On 3/21/2023 4:28 PM, liweiwei wrote:

On 2023/3/21 14:37, fei2...@intel.com wrote:

From: Fei Wu 

Kernel needs to access user mode memory e.g. during syscalls, the window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
---
   target/riscv/cpu.h    |  4 
   target/riscv/cpu_helper.c |  7 +++
   target/riscv/csr.c    | 14 +-
   3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
   uint64_t kvm_timer_compare;
   uint64_t kvm_timer_state;
   uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+    uint64_t sum_u_count;
+    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
   };
     OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
   (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
   *prot |= PAGE_WRITE;
   }
+    if ((pte & PTE_U) && (mode & PRV_S) &&
+    get_field(env->mstatus, MSTATUS_SUM)) {
+    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+    env->sum_u_addr[env->sum_u_count] = addr;
+    }
+    ++env->sum_u_count;
+    }
   return TRANSLATE_SUCCESS;
   }
   }
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException
write_mstatus(CPURISCVState *env, int csrno,
     /* flush tlb on mstatus fields that affect VM */
   if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-    MSTATUS_MPRV | MSTATUS_SUM)) {
+    MSTATUS_MPRV)) {
   tlb_flush(env_cpu(env));
+    env->sum_u_count = 0;
+    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+    tlb_flush(env_cpu(env));
+    } else {
+    for (int i = 0; i < env->sum_u_count; ++i) {
+    tlb_flush_page_by_mmuidx(env_cpu(env),
env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);
+    }
+    }
+    env->sum_u_count = 0;
   }

Should the TLB be flushed when SUM is changed from 0 to 1?


When SUM is changed from 0 to 1, all the existing tlb entries remain
valid as the permission is elevated instead of reduced, so I don't think
it's necessary to flush tlb.


If elevated not unchanged, I think the tlb also needs update, since new 
permitted access rights may be added to the tlb.


Regards,

Weiwei Li



Thanks,
Fei.


Regards,

Weiwei Li


+
   mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
   MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
   MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |





[PULL 2/7] ui/spice: fix SOCKET handling regression

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

Spice uses SOCKET on win32, but QEMU now uses file-descriptors.

Fixes "8.0.0rc0 Regression: spicy windows doesn't open":
https://gitlab.com/qemu-project/qemu/-/issues/1549

Fixes: commit abe34282b ("win32: avoid mixing SOCKET and file descriptor space")
Signed-off-by: Marc-André Lureau 
Reviewed-by: Daniel P. Berrangé 
Message-Id: <20230320133643.1618437-3-marcandre.lur...@redhat.com>
---
 ui/spice-core.c | 29 +++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/ui/spice-core.c b/ui/spice-core.c
index b05c830086..67cfd3ca9c 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -90,13 +90,23 @@ struct SpiceWatch {
 static void watch_read(void *opaque)
 {
 SpiceWatch *watch = opaque;
-watch->func(watch->fd, SPICE_WATCH_EVENT_READ, watch->opaque);
+int fd = watch->fd;
+
+#ifdef WIN32
+fd = _get_osfhandle(fd);
+#endif
+watch->func(fd, SPICE_WATCH_EVENT_READ, watch->opaque);
 }
 
 static void watch_write(void *opaque)
 {
 SpiceWatch *watch = opaque;
-watch->func(watch->fd, SPICE_WATCH_EVENT_WRITE, watch->opaque);
+int fd = watch->fd;
+
+#ifdef WIN32
+fd = _get_osfhandle(fd);
+#endif
+watch->func(fd, SPICE_WATCH_EVENT_WRITE, watch->opaque);
 }
 
 static void watch_update_mask(SpiceWatch *watch, int event_mask)
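Review bot: in watch_read() and watch_write(), the result of _get_osfhandle(fd) is stored straight into an int and handed to watch->func() without a check. _get_osfhandle() returns an intptr_t and reports failure as INVALID_HANDLE_VALUE, so a failed lookup reaches the Spice callback as -1 and a wide handle value would be truncated. Both functions now carry the same #ifdef WIN32 block; a small helper that does the conversion once, with the check, would cover both call sites.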
@@ -117,6 +127,14 @@ static SpiceWatch *watch_add(int fd, int event_mask, 
SpiceWatchFunc func, void *
 {
 SpiceWatch *watch;
 
+#ifdef WIN32
+fd = _open_osfhandle(fd, _O_BINARY);
+if (fd < 0) {
+error_setg_win32(&error_warn, WSAGetLastError(), "Couldn't associate a 
FD with the SOCKET");
+return NULL;
+}
+#endif
+
 watch = g_malloc0(sizeof(*watch));
 watch->fd = fd;
 watch->func   = func;
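Review bot: the failure path of _open_osfhandle() in watch_add() builds its message from WSAGetLastError(), but _open_osfhandle() is a C run-time call rather than a Winsock one, so that code need not describe why the association failed; report errno instead. watch_add() also gains a NULL return on WIN32 where it previously always returned a watch, so it is worth confirming that the Spice caller of this callback tolerates NULL.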
@@ -129,6 +147,10 @@ static SpiceWatch *watch_add(int fd, int event_mask, 
SpiceWatchFunc func, void *
 static void watch_remove(SpiceWatch *watch)
 {
 qemu_set_fd_handler(watch->fd, NULL, NULL, NULL);
+#ifdef WIN32
+/* SOCKET is owned by spice */
+qemu_close_to_socket(watch->fd);
+#endif
 g_free(watch);
 }
 
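Review bot: watch_remove() calls qemu_close_to_socket(watch->fd), but the helper this series adds in 1/7, and uses further down in qemu_spice_display_add_client(), is named qemu_close_socket_osfhandle(). Unless qemu_close_to_socket() is defined somewhere not shown, this does not build on WIN32; it looks like an earlier name of the same helper. The return value is also dropped, so a failure to release the CRT descriptor goes unnoticed.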
@@ -908,6 +930,9 @@ static int qemu_spice_set_pw_expire(time_t expires)
 
 static int qemu_spice_display_add_client(int csock, int skipauth, int tls)
 {
+#ifdef WIN32
+csock = qemu_close_socket_osfhandle(csock);
+#endif
 if (tls) {
 return spice_server_add_ssl_client(spice_server, csock, skipauth);
 } else {
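Review bot: csock = qemu_close_socket_osfhandle(csock) in qemu_spice_display_add_client() treats the return value as the SOCKET, but the header comment added in 1/7 documents it as zero on success and -1 on error. As written, spice_server_add_client() and spice_server_add_ssl_client() would be passed 0 rather than the socket. Fetch the handle with _get_osfhandle(csock) before releasing the descriptor, as ui/dbus.c does in 3/7, and check the helper's result separately.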
-- 
2.39.2




[PULL 0/7] ui/ fixes for 8.0

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

The following changes since commit aa9e7fa4689d1becb2faf67f65aafcbcf664f1ce:

  Merge tag 'edk2-stable202302-20230320-pull-request' of 
https://gitlab.com/kraxel/qemu into staging (2023-03-20 13:43:35 +)

are available in the Git repository at:

  https://gitlab.com/marcandre.lureau/qemu.git tags/ui-pull-request

for you to fetch changes up to 49152ac47003ca21fc6f2a5c3e517f79649e1541:

  ui: fix crash on serial reset, during init (2023-03-21 11:46:22 +0400)


ui/ fixes for 8.0



Erico Nunes (1):
  ui/sdl2: remove workaround forcing x11

Marc-André Lureau (6):
  win32: add qemu_close_socket_osfhandle()
  ui/spice: fix SOCKET handling regression
  ui/dbus: fix passing SOCKET to GSocket API & leak
  ui/gtk: fix cursor moved to left corner
  ui: return the default console cursor when con == NULL
  ui: fix crash on serial reset, during init

 include/sysemu/os-win32.h | 15 ++--
 ui/console.c  |  3 ++
 ui/dbus.c |  9 +
 ui/gtk.c  |  7 ++--
 ui/sdl2.c | 16 -
 ui/spice-core.c   | 29 +--
 util/oslib-win32.c| 75 +--
 7 files changed, 97 insertions(+), 57 deletions(-)

-- 
2.39.2




[PULL 6/7] ui/sdl2: remove workaround forcing x11

2023-03-21 Thread marcandre . lureau
From: Erico Nunes 

This workaround was put in place in the original implementation almost
10 years ago, considering a very old SDL2 version. Currently it prevents
users from running in a wayland-only environment without manually forcing the
backend.
The SDL2 wayland backend has been supported by distributions for a very
long time (e.g. in Fedora, first available 8 years ago), and is now
considered stable and becoming the default for new SDL2 releases.
Instead of requiring the x11 backend to exist by default, let new qemu
releases run with the default chosen by the installed SDL2 version.

Signed-off-by: Erico Nunes 
Reviewed-by: Daniel P. Berrangé 
Reviewed-by: Marc-André Lureau 
Message-Id: <20230301141205.514338-1-ernu...@redhat.com>
---
 ui/sdl2.c | 16 
 1 file changed, 16 deletions(-)

diff --git a/ui/sdl2.c b/ui/sdl2.c
index 35c58c1104..b12dec4caf 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -843,22 +843,6 @@ static void sdl2_display_init(DisplayState *ds, 
DisplayOptions *o)
 
 assert(o->type == DISPLAY_TYPE_SDL);
 
-#ifdef __linux__
-/* on Linux, SDL may use fbcon|directfb|svgalib when run without
- * accessible $DISPLAY to open X11 window.  This is often the case
- * when qemu is run using sudo.  But in this case, and when actually
- * run in X11 environment, SDL fights with X11 for the video card,
- * making current display unavailable, often until reboot.
- * So make x11 the default SDL video driver if this variable is unset.
- * This is a bit hackish but saves us from bigger problem.
- * Maybe it's a good idea to fix this in SDL instead.
- */
-if (!g_setenv("SDL_VIDEODRIVER", "x11", 0)) {
-fprintf(stderr, "Could not set SDL_VIDEODRIVER environment 
variable\n");
-exit(1);
-}
-#endif
-
 if (SDL_GetHintBoolean("QEMU_ENABLE_SDL_LOGGING", SDL_FALSE)) {
 SDL_LogSetAllPriority(SDL_LOG_PRIORITY_VERBOSE);
 }
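Review bot: the removed block carried the only description of the failure it guarded against (SDL picking fbcon, directfb or svgalib when $DISPLAY is not accessible, for example under sudo), and the commit message does not say whether that case can still occur with current SDL2. A sentence on that in the commit message, plus a documentation note that setting SDL_VIDEODRIVER=x11 by hand gives the old behaviour, would help anyone who hits it after upgrading.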
-- 
2.39.2




[PULL 3/7] ui/dbus: fix passing SOCKET to GSocket API & leak

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

-display dbus is not currently available to win32 users, so it's not
considered a regression.

Note also the close() leak fix in case of error.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Daniel P. Berrangé 
Message-Id: <20230320133643.1618437-4-marcandre.lur...@redhat.com>
---
 ui/dbus.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ui/dbus.c b/ui/dbus.c
index 0513de9918..b9e9698503 100644
--- a/ui/dbus.c
+++ b/ui/dbus.c
@@ -304,11 +304,20 @@ dbus_display_add_client(int csock, Error **errp)
 g_cancellable_cancel(dbus_display->add_client_cancellable);
 }
 
+#ifdef WIN32
+socket = g_socket_new_from_fd(_get_osfhandle(csock), &err);
+#else
 socket = g_socket_new_from_fd(csock, &err);
+#endif
 if (!socket) {
 error_setg(errp, "Failed to setup D-Bus socket: %s", err->message);
+close(csock);
 return false;
 }
+#ifdef WIN32
+/* socket owns the SOCKET handle now, so release our osf handle */
+qemu_close_socket_osfhandle(csock);
+#endif
 
 conn = g_socket_connection_factory_create_connection(socket);
 
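Review bot: on the WIN32 success path the result of qemu_close_socket_osfhandle(csock) is ignored, so if releasing the CRT descriptor fails the function carries on and the descriptor is leaked, which is the kind of leak the added close(csock) on the error path is there to prevent. Check the return value and at least warn. The _get_osfhandle(csock) result passed to g_socket_new_from_fd() is likewise not checked for INVALID_HANDLE_VALUE.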
-- 
2.39.2




[PULL 4/7] ui/gtk: fix cursor moved to left corner

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

Do not attempt to move the pointer if the widget is not yet realized.
The mouse cursor is placed to the corner of the screen, on X11 at least,
as x_root and y_root are then miscalculated. (this is not reproducible
on Wayland, because Gtk doesn't implement device warping there)

This also fixes the following warning at start:
qemu: Gdk: gdk_window_get_root_coords: assertion 'GDK_IS_WINDOW (window)' failed

Fixes: 6effaa16ac98 ("ui: set cursor position upon listener
registration")
Reported-by: Bernhard Beschow 
Signed-off-by: Marc-André Lureau 
Reviewed-by: Daniel P. Berrangé 
Tested-by: Bernhard Beschow 
Message-Id: <20230320132624.1612464-1-marcandre.lur...@redhat.com>
---
 ui/gtk.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ui/gtk.c b/ui/gtk.c
index fd82e9b1ca..e9564f2baa 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -450,7 +450,8 @@ static void gd_mouse_set(DisplayChangeListener *dcl,
 GdkDisplay *dpy;
 gint x_root, y_root;
 
-if (qemu_input_is_absolute()) {
+if (!gtk_widget_get_realized(vc->gfx.drawing_area) ||
+qemu_input_is_absolute()) {
 return;
 }
 
-- 
2.39.2




[PULL 5/7] ui: return the default console cursor when con == NULL

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

VNC code relies on con==NULL to mean the default console.

Fixes:
https://gitlab.com/qemu-project/qemu/-/issues/1548

Fixes: commit 385ac97f8 ("ui: keep current cursor with QemuConsole")
Signed-off-by: Marc-André Lureau 
Reported-by: Helge Konetzka 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20230319111017.1319880-1-marcandre.lur...@redhat.com>
---
 ui/console.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ui/console.c b/ui/console.c
index f3783021e5..6e8a3cdc62 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -2303,6 +2303,9 @@ QemuConsole *qemu_console_lookup_unused(void)
 
 QEMUCursor *qemu_console_get_cursor(QemuConsole *con)
 {
+if (con == NULL) {
+con = active_console;
+}
 return con->cursor;
 }
 
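Review bot: the fallback in qemu_console_get_cursor() assigns con = active_console and then dereferences con->cursor with no further check, so the function still faults if it runs while active_console is NULL. Patch 7/7 of this series fixes a crash caused by an object that does not exist yet during init, so the same window is worth ruling out here: return NULL when con is still NULL after the fallback, or add a comment saying why active_console is always set by the time VNC calls this.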
-- 
2.39.2




[PULL 1/7] win32: add qemu_close_socket_osfhandle()

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

Close the given file descriptor, but returns the underlying SOCKET.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Daniel P. Berrangé 
Message-Id: <20230320133643.1618437-2-marcandre.lur...@redhat.com>
---
 include/sysemu/os-win32.h | 15 ++--
 util/oslib-win32.c| 75 +--
 2 files changed, 53 insertions(+), 37 deletions(-)

diff --git a/include/sysemu/os-win32.h b/include/sysemu/os-win32.h
index e2849f88ab..15c296e0eb 100644
--- a/include/sysemu/os-win32.h
+++ b/include/sysemu/os-win32.h
@@ -171,10 +171,21 @@ bool qemu_socket_select(int sockfd, WSAEVENT hEventObject,
 
 bool qemu_socket_unselect(int sockfd, Error **errp);
 
-/* We wrap all the sockets functions so that we can
- * set errno based on WSAGetLastError()
+/* We wrap all the sockets functions so that we can set errno based on
+ * WSAGetLastError(), and use file-descriptors instead of SOCKET.
  */
 
+/*
+ * qemu_close_socket_osfhandle:
+ * @fd: a file descriptor associated with a SOCKET
+ *
+ * Close only the C run-time file descriptor, leave the SOCKET opened.
+ *
+ * Returns zero on success. On error, -1 is returned, and errno is set to
+ * indicate the error.
+ */
+int qemu_close_socket_osfhandle(int fd);
+
 #undef close
 #define close qemu_close_wrap
 int qemu_close_wrap(int fd);
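Review bot: the new doc comment says qemu_close_socket_osfhandle() returns zero on success and -1 on error, while the commit message says it "returns the underlying SOCKET". One of the two needs correcting, since callers will take the contract from whichever they read. If the documented int status is the intended one, say in the comment that the caller must obtain the SOCKET with _get_osfhandle() before calling, because the descriptor is gone afterwards.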
diff --git a/util/oslib-win32.c b/util/oslib-win32.c
index 16f8a67f7e..a98638729a 100644
--- a/util/oslib-win32.c
+++ b/util/oslib-win32.c
@@ -479,40 +479,27 @@ int qemu_bind_wrap(int sockfd, const struct sockaddr 
*addr,
 return ret;
 }
 
-
 #undef close
-int qemu_close_wrap(int fd)
+int qemu_close_socket_osfhandle(int fd)
 {
-int ret;
+SOCKET s = _get_osfhandle(fd);
 DWORD flags = 0;
-SOCKET s = INVALID_SOCKET;
-
-if (fd_is_socket(fd)) {
-s = _get_osfhandle(fd);
-
-/*
- * If we were to just call _close on the descriptor, it would close the
- * HANDLE, but it wouldn't free any of the resources associated to the
- * SOCKET, and we can't call _close after calling closesocket, because
- * closesocket has already closed the HANDLE, and _close would attempt 
to
- * close the HANDLE again, resulting in a double free. We can however
- * protect the HANDLE from actually being closed long enough to close 
the
- * file descriptor, then close the socket itself.
- */
-if (!GetHandleInformation((HANDLE)s, &flags)) {
-errno = EACCES;
-return -1;
-}
 
-if (!SetHandleInformation((HANDLE)s, HANDLE_FLAG_PROTECT_FROM_CLOSE, 
HANDLE_FLAG_PROTECT_FROM_CLOSE)) {
-errno = EACCES;
-return -1;
-}
+/*
+ * If we were to just call _close on the descriptor, it would close the
+ * HANDLE, but it wouldn't free any of the resources associated to the
+ * SOCKET, and we can't call _close after calling closesocket, because
+ * closesocket has already closed the HANDLE, and _close would attempt to
+ * close the HANDLE again, resulting in a double free. We can however
+ * protect the HANDLE from actually being closed long enough to close the
+ * file descriptor, then close the socket itself.
+ */
+if (!GetHandleInformation((HANDLE)s, &flags)) {
+errno = EACCES;
+return -1;
 }
 
-ret = close(fd);
-
-if (s != INVALID_SOCKET && !SetHandleInformation((HANDLE)s, flags, flags)) 
{
+if (!SetHandleInformation((HANDLE)s, HANDLE_FLAG_PROTECT_FROM_CLOSE, 
HANDLE_FLAG_PROTECT_FROM_CLOSE)) {
 errno = EACCES;
 return -1;
 }
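Review bot: qemu_close_socket_osfhandle() now calls _get_osfhandle(fd) unconditionally and passes the result to GetHandleInformation(), where the removed code did so only under fd_is_socket(fd). The function is exported and called directly from ui/ code in this series, so it should reject a descriptor that is not a socket itself (or the header should state that precondition). The comment carried over from qemu_close_wrap() still ends with "then close the socket itself", which this function no longer does.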
@@ -521,15 +508,33 @@ int qemu_close_wrap(int fd)
  * close() returns EBADF since we PROTECT_FROM_CLOSE the underlying handle,
  * but the FD is actually freed
  */
-if (ret < 0 && (s == INVALID_SOCKET || errno != EBADF)) {
-return ret;
+if (close(fd) < 0 && errno != EBADF) {
+return -1;
 }
 
-if (s != INVALID_SOCKET) {
-ret = closesocket(s);
-if (ret < 0) {
-errno = socket_error();
-}
+if (!SetHandleInformation((HANDLE)s, flags, flags)) {
+errno = EACCES;
+return -1;
+}
+
+return 0;
+}
+
+int qemu_close_wrap(int fd)
+{
+SOCKET s = INVALID_SOCKET;
+int ret = -1;
+
+if (!fd_is_socket(fd)) {
+return close(fd);
+}
+
+s = _get_osfhandle(fd);
+qemu_close_socket_osfhandle(fd);
+
+ret = closesocket(s);
+if (ret < 0) {
+errno = socket_error();
 }
 
 return ret;
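Review bot: in qemu_close_socket_osfhandle(), the early return taken when close(fd) fails with an errno other than EBADF now comes before the SetHandleInformation() call that restores the saved flags, so on that path the handle is left with HANDLE_FLAG_PROTECT_FROM_CLOSE set. The removed code restored the flags first and only then looked at ret; keep that order. In the new qemu_close_wrap(), the result of qemu_close_socket_osfhandle(fd) is ignored and closesocket(s) runs regardless, so a failure there should be propagated or at least reported.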
-- 
2.39.2




[PULL 7/7] ui: fix crash on serial reset, during init

2023-03-21 Thread marcandre . lureau
From: Marc-André Lureau 

For ex, when resetting the xlnx-zcu102 machine:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason =
EXC_BAD_ACCESS (code=1, address=0x50)
   * frame #0: 0x10020a740 gd_vc_send_chars(vc=0x0) at
gtk.c:1759:41 [opt]
 frame #1: 0x100636264 qemu_chr_fe_accept_input(be=) at
char-fe.c:159:9 [opt]
 frame #2: 0x1000608e0 cadence_uart_reset_hold [inlined]
uart_rx_reset(s=0x10810a960) at cadence_uart.c:158:5 [opt]
 frame #3: 0x1000608d4 cadence_uart_reset_hold(obj=0x10810a960) at
cadence_uart.c:530:5 [opt]
 frame #4: 0x100580ab4 resettable_phase_hold(obj=0x10810a960,
opaque=0x0, type=) at resettable.c:0 [opt]
 frame #5: 0x10057d1b0 bus_reset_child_foreach(obj=,
cb=(resettable_phase_hold at resettable.c:162), opaque=0x0,
type=RESET_TYPE_COLD) at bus.c:97:13 [opt]
 frame #6: 0x1005809f8 resettable_phase_hold [inlined]
resettable_child_foreach(rc=0x6332d2c0, obj=0x62c1c180,
cb=, opaque=0x0, type=RESET_TYPE_COLD) at
resettable.c:96:9 [opt]
 frame #7: 0x1005809d8 resettable_phase_hold(obj=0x62c1c180,
opaque=0x0, type=RESET_TYPE_COLD) at resettable.c:173:5 [opt]
 frame #8: 0x1005803a0
resettable_assert_reset(obj=0x62c1c180, type=) at
resettable.c:60:5 [opt]
 frame #9: 0x10058027c resettable_reset(obj=0x62c1c180,
type=RESET_TYPE_COLD) at resettable.c:45:5 [opt]

While the chardev is created early, the VirtualConsole is associated
after, during qemu_init_displays().

Signed-off-by: Marc-André Lureau 
Tested-by: Philippe Mathieu-Daudé 
Reviewed-by: Philippe Mathieu-Daudé 
Message-Id: <20230220072251.3385878-1-marcandre.lur...@redhat.com>
---
 ui/gtk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ui/gtk.c b/ui/gtk.c
index e9564f2baa..f16e0f8dee 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1784,7 +1784,9 @@ static void gd_vc_chr_accept_input(Chardev *chr)
 VCChardev *vcd = VC_CHARDEV(chr);
 VirtualConsole *vc = vcd->console;
 
-gd_vc_send_chars(vc);
+if (vc) {
+gd_vc_send_chars(vc);
+}
 }
 
 static void gd_vc_chr_set_echo(Chardev *chr, bool echo)
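Review bot: the new if (vc) guard in gd_vc_chr_accept_input() has no comment, and the reason vcd->console can be NULL (the chardev exists before qemu_init_displays() attaches the VirtualConsole) is recorded only in the commit message. A one-line comment next to the check would keep it from being removed later as dead code. gd_vc_send_chars() is the function that faulted in the backtrace, so if it has other callers a check at its top would cover them as well.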
-- 
2.39.2




Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver

2023-03-21 Thread Mauro Matteo Cascella
Hi Yuval,

Dropping  and . This is CVE-2023-1544.

The patch looks good to me. Thank you.

On Mon, Mar 20, 2023 at 1:07 PM Yuval Shaia  wrote:
>
> Hi,
> Patch is currently under review.
> From my end, it was tested and proved to solve the problem.
>
> To follow up you may need to check qemu-devel@nongnu.org from time to time.
>
> Marcel, any feedback?

-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread Wu, Fei
On 3/21/2023 4:50 PM, liweiwei wrote:
> 
> On 2023/3/21 16:40, Wu, Fei wrote:
>> On 3/21/2023 4:28 PM, liweiwei wrote:
>>> On 2023/3/21 14:37, fei2...@intel.com wrote:
 From: Fei Wu 

 Kernel needs to access user mode memory e.g. during syscalls, the
 window
 is usually opened up for a very limited time through MSTATUS.SUM, the
 overhead is too much if tlb_flush() gets called for every SUM change.
 This patch saves addresses accessed when SUM=1, and flushes only these
 pages when SUM changes to 0. If the buffer is not large enough to save
 all the pages during SUM=1, it will fall back to tlb_flush when
 necessary.

 The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
 most of the time kernel accesses 1 or 2 pages, it's very rare to see
 more than 4 pages accessed.

 It's not necessary to save/restore these new added status, as
 tlb_flush() is always called after restore.

 Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
 other syscalls benefit a lot from this one too.

 Signed-off-by: Fei Wu 
 Reviewed-by: LIU Zhiwei 
 ---
    target/riscv/cpu.h    |  4 
    target/riscv/cpu_helper.c |  7 +++
    target/riscv/csr.c    | 14 +-
    3 files changed, 24 insertions(+), 1 deletion(-)

 diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
 index 638e47c75a..926dbce59f 100644
 --- a/target/riscv/cpu.h
 +++ b/target/riscv/cpu.h
 @@ -383,6 +383,10 @@ struct CPUArchState {
    uint64_t kvm_timer_compare;
    uint64_t kvm_timer_state;
    uint64_t kvm_timer_frequency;
 +
 +#define MAX_CACHED_SUM_U_ADDR_NUM 4
 +    uint64_t sum_u_count;
 +    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
    };
      OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
 diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
 index f88c503cf4..5ad0418eb6 100644
 --- a/target/riscv/cpu_helper.c
 +++ b/target/riscv/cpu_helper.c
 @@ -1068,6 +1068,13 @@ restart:
    (access_type == MMU_DATA_STORE || (pte &
 PTE_D))) {
    *prot |= PAGE_WRITE;
    }
 +    if ((pte & PTE_U) && (mode & PRV_S) &&
 +    get_field(env->mstatus, MSTATUS_SUM)) {
 +    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
 +    env->sum_u_addr[env->sum_u_count] = addr;
 +    }
 +    ++env->sum_u_count;
 +    }
    return TRANSLATE_SUCCESS;
    }
    }
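Review bot: the condition (mode & PRV_S) in the added block is a bitwise test, not a comparison. With the RISC-V privilege encoding (S = 1, M = 3) it is also true for M, so the recorder is not limited to the S-mode case the commit message describes. If only S-mode is meant, write mode == PRV_S; if another mode is meant to be covered as well, say so in a comment. A comment is also needed on the deliberate ++env->sum_u_count past the array bound, since write_mstatus() relies on the count exceeding MAX_CACHED_SUM_U_ADDR_NUM to detect overflow.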
 diff --git a/target/riscv/csr.c b/target/riscv/csr.c
 index ab566639e5..74b7638c8a 100644
 --- a/target/riscv/csr.c
 +++ b/target/riscv/csr.c
 @@ -1246,9 +1246,21 @@ static RISCVException
 write_mstatus(CPURISCVState *env, int csrno,
      /* flush tlb on mstatus fields that affect VM */
    if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
 -    MSTATUS_MPRV | MSTATUS_SUM)) {
 +    MSTATUS_MPRV)) {
    tlb_flush(env_cpu(env));
 +    env->sum_u_count = 0;
 +    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
 +    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
 +    tlb_flush(env_cpu(env));
 +    } else {
 +    for (int i = 0; i < env->sum_u_count; ++i) {
 +    tlb_flush_page_by_mmuidx(env_cpu(env),
 env->sum_u_addr[i],
 + 1 << PRV_S | 1 << PRV_M);
 +    }
 +    }
 +    env->sum_u_count = 0;
    }
>>> Whether tlb should be flushed when SUM is changed from 0 to 1?
>>>
>> When SUM is changed from 0 to 1, all the existing tlb entries remain
>> valid as the permission is elevated instead of reduced, so I don't think
>> it's necessary to flush tlb.
> 
> If elevated not unchanged, I think the tlb also needs update, since new
> permitted access rights may be added to the tlb.
> 
Assume the following flow, if the new rights have been added to tlb
during SUM=0, they're visible and still valid after setting SUM=1 again.
Could you please add a specific counter example in this flow?


enable uaccess (set SUM = 1)
... (access user mem from S mode)
disable uaccess (set SUM = 0)

... (update TLB_SUM_0)

<-- flush tlb or not right before enabling uaccess?
enable uaccess (set SUM = 1)
<-- okay to access TLB_SUM_0?
disable uaccess (set SUM = 0)


Thanks,
Fei.

> Regards,
> 
> Weiwei Li
> 
>>
>> Thanks,
>> Fei.
>>
>>> Regards,
>>>
>>> Weiwei Li
>>>
 +
    mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
    MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
    MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |
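Review bot: the new else-if branch in write_mstatus() handles only the 1 to 0 transition of MSTATUS_SUM, and MSTATUS_SUM is dropped from the full-flush mask, so a 0 to 1 change now flushes nothing. That is the case questioned in this thread, and the code has no comment naming the invariant that makes it safe (presumably that no S-mode TLB entry for a PTE_U page is created while SUM=0). Please state it next to the branch. Minor: sum_u_count is uint64_t while the loop index is int i; use a matching unsigned type.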
> 




Re: [PATCH] linux-user/mips: Low down switchable NaN2008 requirement

2023-03-21 Thread Jiaxun Yang



> On March 15, 2023, at 08:18, Philippe Mathieu-Daudé wrote:
> 
> On 11/3/23 13:39, Jiaxun Yang wrote:
>>> On March 9, 2023, at 12:32, Philippe Mathieu-Daudé wrote:
>>> 
>>> Hi Jiaxun,
>>> 
>>> On 11/2/23 18:34, Jiaxun Yang wrote:
 Previously switchable NaN2008 requires fcsr31.nan2008 to be writable
 for guest. However as per MIPS arch spec this bit can never be writable.
 This cause NaN2008 ELF to be rejected by QEMU.
 NaN2008 can be enabled on R2~R5 processors, just make it available
 unconditionally.
 Signed-off-by: Jiaxun Yang 
 ---
  linux-user/mips/cpu_loop.c | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/linux-user/mips/cpu_loop.c b/linux-user/mips/cpu_loop.c
 index d5c1c7941d..b5c2ca4a3e 100644
 --- a/linux-user/mips/cpu_loop.c
 +++ b/linux-user/mips/cpu_loop.c
 @@ -301,8 +301,7 @@ void target_cpu_copy_regs(CPUArchState *env, struct 
 target_pt_regs *regs)
  }
  if (((info->elf_flags & EF_MIPS_NAN2008) != 0) !=
  ((env->active_fpu.fcr31 & (1 << FCR31_NAN2008)) != 0)) {
 -if ((env->active_fpu.fcr31_rw_bitmask &
 -  (1 << FCR31_NAN2008)) == 0) {
 +if (!(env->insn_flags & ISA_MIPS_R2)) {
  fprintf(stderr, "ELF binary's NaN mode not supported by 
 CPU\n");
  exit(1);
  }
>>> 
>>> Looking at R6.06 revision history:
>>> 
>>>  5.03 August 21, 2013
>>> 
>>>  • ABS2008 and NAN2008 fields of Table 5.7 “FCSR RegisterField
>>>Descriptions” were optional in release 3 and could be R/W,
>>>but as of release 5 are required, read-only, and preset by
>>>hardware.
>>> So I tried with this change:
>>> 
>>> -- >8 --
>>> diff --git a/target/mips/cpu.c b/target/mips/cpu.c
>>> index 05caf54999..5f1364ffaf 100644
>>> --- a/target/mips/cpu.c
>>> +++ b/target/mips/cpu.c
>>> @@ -243,6 +243,13 @@ static void mips_cpu_reset_hold(Object *obj)
>>> env->CP0_EBaseWG_rw_bitmask = env->cpu_model->CP0_EBaseWG_rw_bitmask;
>>> env->active_fpu.fcr0 = env->cpu_model->CP1_fcr0;
>>> env->active_fpu.fcr31_rw_bitmask = env->cpu_model->CP1_fcr31_rw_bitmask;
>>> +if (env->insn_flags & ISA_MIPS_R5) {
>>> +assert(!(env->cpu_model->CP1_fcr31_rw_bitmask & (1 << 
>>> FCR31_ABS2008)));
>>> +assert(!(env->cpu_model->CP1_fcr31_rw_bitmask & (1 << 
>>> FCR31_NAN2008)));
>>> +} else if (env->insn_flags & ISA_MIPS_R3) {
>>> +assert(env->cpu_model->CP1_fcr31_rw_bitmask & (1 << 
>>> FCR31_ABS2008));
>>> +assert(env->cpu_model->CP1_fcr31_rw_bitmask & (1 << 
>>> FCR31_NAN2008));
>>> +}
>>> env->active_fpu.fcr31 = env->cpu_model->CP1_fcr31;
>>> env->msair = env->cpu_model->MSAIR;
>>> env->insn_flags = env->cpu_model->insn_flags;
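Review bot: the added asserts test env->insn_flags, but env->insn_flags is only assigned from env->cpu_model->insn_flags in the last context line of this hunk, after the asserts have run. At that point the field holds whatever it had before reset, so the R5 and R3 branches may not be evaluated against the model being checked, which would make the all-OK run below inconclusive. Test env->cpu_model->insn_flags instead, or move the block after the assignment.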
>>> ---
>>> 
>>> and got:
>>> 
>>> $ for cpu in $(./qemu-system-mips64el -cpu help | cut -d\' -f2); do \
>>>  echo -n ${cpu}...;echo q \
>>>  | ./qemu-system-mips64el -accel tcg -cpu ${cpu} \
>>>   -S -monitor stdio 1> /dev/null || break; \
>>>  echo OK; done
>>> 4Kc...OK
>>> 4Km...OK
>>> 4KEcR1...OK
>>> 4KEmR1...OK
>>> 4KEc...OK
>>> 4KEm...OK
>>> 24Kc...OK
>>> 24KEc...OK
>>> 24Kf...OK
>>> 34Kf...OK
>>> 74Kf...OK
>>> M14K...OK
>>> M14Kc...OK
>>> P5600...OK
>>> mips32r6-generic...OK
>>> I7200...OK
>>> R4000...OK
>>> VR5432...OK
>>> 5Kc...OK
>>> 5Kf...OK
>>> 20Kc...OK
>>> MIPS64R2-generic...OK
>>> 5KEc...OK
>>> 5KEf...OK
>>> I6400...OK
>>> I6500...OK
>>> Loongson-2E...OK
>>> Loongson-2F...OK
>>> Loongson-3A1000...OK
>>> Loongson-3A4000...OK
>>> mips64dspr2...OK
>>> Octeon68XX...OK
>>> $
>> Well that’s because there is no CPU being marked as MIPS Release 3 in QEMU,
>> and only P5600 is marked as MIPS Release 5.
>> In reality R3 implementations are all advertising themselves as R2, and later
>> RCs of microAptiv and interaptiv can all be configured as NaN2008 only. So for
>> those CPUs we have binary compiled with -march=mips32r2 -mnan=2008.
>> Given that default CPU of mips32r2 in QEMU is 24Kf, I think the best approach
>> to deal with such situation is to allow NaN2008 to be enabled for early
>> processors for linux-user.
>> There is a NAN2008 Debian port for test:
>> http://repo.oss.cipunited.com/mipsel-nan2008/tarball/sid-mipsel-nan2008-20230309-1.tar.xz
> 
> $ qemu-mipsel -L sid-mipsel-nan2008-20230313-1/usr -cpu P5600 usr/bin/uname -ms
> Linux mips
> 
> What about something like:

That would lose the capability of testing NaN2008 binaries against other CPU models.

Thanks
- Jiaxun

> 
> -- >8 --
> --- a/linux-user/mips/target_elf.h
> +++ b/linux-user/mips/target_elf.h
> @@ -15,6 +15,9 @@ static inline const char *cpu_get_model(uint32_t eflags)
> if ((eflags & EF_MIPS_MACH) == EF_MIPS_MACH_5900) {
> return "R5900";
> }
> +if (eflags & EF_MIPS_NAN2008) {
> +return "P5600";
> +}
> return "24Kf";
> }
> #endif
> ---





Re: [PATCH for-8.0 2/3] target/s390x: Fix float_comp_to_cc() prototype

2023-03-21 Thread Philippe Mathieu-Daudé

On 21/3/23 09:33, Cédric Le Goater wrote:

From: Cédric Le Goater 

GCC13 reports an error :

../target/s390x/tcg/fpu_helper.c:123:5: error: conflicting types for 
‘float_comp_to_cc’ due to enum/integer mismatch; have ‘int(CPUS390XState *, 
FloatRelation)’ {aka ‘int(struct CPUArchState *, FloatRelation)’} 
[-Werror=enum-int-mismatch]

   123 | int float_comp_to_cc(CPUS390XState *env, FloatRelation float_compare)
   | ^~~~
In file included from ../target/s390x/tcg/fpu_helper.c:23:
../target/s390x/s390x-internal.h:302:5: note: previous declaration of 
‘float_comp_to_cc’ with type ‘int(CPUS390XState *, int)’ {aka ‘int(struct 
CPUArchState *, int)’}
   302 | int float_comp_to_cc(CPUS390XState *env, int float_compare);
   | ^~~~

Cc: Thomas Huth 
Cc: Richard Henderson 
Cc: David Hildenbrand 
Cc: Ilya Leoshkevich 
Fixes: 71bfd65c5f ("softfloat: Name compare relation enum")
Signed-off-by: Cédric Le Goater 
---
  target/s390x/s390x-internal.h | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)


Reviewed-by: Philippe Mathieu-Daudé 




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei



On 2023/3/21 17:14, Wu, Fei wrote:

On 3/21/2023 4:50 PM, liweiwei wrote:

On 2023/3/21 16:40, Wu, Fei wrote:

On 3/21/2023 4:28 PM, liweiwei wrote:

On 2023/3/21 14:37, fei2...@intel.com wrote:

From: Fei Wu 

Kernel needs to access user mode memory e.g. during syscalls, the
window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
---
    target/riscv/cpu.h    |  4 
    target/riscv/cpu_helper.c |  7 +++
    target/riscv/csr.c    | 14 +-
    3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
    uint64_t kvm_timer_compare;
    uint64_t kvm_timer_state;
    uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+    uint64_t sum_u_count;
+    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
    };
      OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
    (access_type == MMU_DATA_STORE || (pte &
PTE_D))) {
    *prot |= PAGE_WRITE;
    }
+    if ((pte & PTE_U) && (mode & PRV_S) &&
+    get_field(env->mstatus, MSTATUS_SUM)) {
+    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+    env->sum_u_addr[env->sum_u_count] = addr;
+    }
+    ++env->sum_u_count;
+    }
    return TRANSLATE_SUCCESS;
    }
    }
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException
write_mstatus(CPURISCVState *env, int csrno,
      /* flush tlb on mstatus fields that affect VM */
    if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-    MSTATUS_MPRV | MSTATUS_SUM)) {
+    MSTATUS_MPRV)) {
    tlb_flush(env_cpu(env));
+    env->sum_u_count = 0;
+    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+    tlb_flush(env_cpu(env));
+    } else {
+    for (int i = 0; i < env->sum_u_count; ++i) {
+    tlb_flush_page_by_mmuidx(env_cpu(env),
env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);
+    }
+    }
+    env->sum_u_count = 0;
    }

Whether tlb should be flushed when SUM is changed from 0 to 1?


When SUM is changed from 0 to 1, all the existing tlb entries remain
valid as the permission is elevated instead of reduced, so I don't think
it's necessary to flush tlb.

If elevated not unchanged, I think the tlb also needs update, since new
permitted access rights may be added to the tlb.


Assume the following flow, if the new rights have been added to tlb
during SUM=0, they're visible and still valid after setting SUM=1 again.
Could you please add a specific counter example in this flow?

Assuming addr0 cannot be accessed from S mode when SUM = 0, but can be
accessed from S mode if SUM=1,


and there is a tlb entry for it when SUM = 0


enable uaccess (set SUM = 1)

if we don't flush it when we change SUM to 1 in this step

... (access user mem from S mode)
when we access addr0 here, tlb will be hit (not updated) and the access
will trigger fault instead of allowing the access

disable uaccess (set SUM = 0)

... (update TLB_SUM_0)

 <-- flush tlb or not right before enabling uaccess?
enable uaccess (set SUM = 1)
 <-- okay to access TLB_SUM_0?
disable uaccess (set SUM = 0)


So, I think the question is whether the rights in TLB entry can be 
elevated. Or whether there is legal tlb entry for this addr0 when SUM = 0?


If not, all my above assumption will not be right.

Regards,

Weiwei Li



Thanks,
Fei.






Regards,

Weiwei Li


Thanks,
Fei.


Regards,

Weiwei Li


+
    mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
    MSTATUS_SP
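
The selective flush described in the commit message, and the SUM 0 to 1 question debated in the two replies above, as a toy model added here (it is not code from the patch or from QEMU). The page layout, `enum policy`, `struct result` and every function name are assumptions of the model, as is the rule that a faulting page-table walk installs no TLB entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model constructed for this example (not QEMU code): an S-mode
 * software TLB whose hits are trusted without rechecking MSTATUS.SUM. */
#define NPAGES 16                     /* toy address space, in pages */
#define FIRST_USER_PAGE (NPAGES / 2)  /* pages 8..15 have PTE_U set */
#define MAX_CACHED_SUM_U_ADDR_NUM 4   /* same cap as the patch */

enum policy { FLUSH_NONE, FLUSH_ALL, FLUSH_RECORDED };

struct cpu {
    bool sum;                         /* MSTATUS.SUM */
    bool tlb[NPAGES];                 /* true = translation cached */
    uint64_t sum_u_count;             /* user pages filled while SUM=1 */
    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
    unsigned full_flushes;
};

struct result { unsigned stale; unsigned full_flushes; bool kernel_kept; };

static void flush_all(struct cpu *c)
{
    memset(c->tlb, 0, sizeof(c->tlb));
    c->full_flushes++;
}

/* S-mode data access to page vpn; returns true when it is allowed. */
static bool s_access(struct cpu *c, unsigned vpn)
{
    if (c->tlb[vpn]) return true;     /* hit: SUM is not consulted */
    if (vpn >= FIRST_USER_PAGE) {
        if (!c->sum) return false;    /* fault; assumed to cache nothing */
        if (c->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
            c->sum_u_addr[c->sum_u_count] = vpn;
        }
        c->sum_u_count++;             /* past the cap marks an overflow */
    }
    c->tlb[vpn] = true;
    return true;
}

static void write_sum(struct cpu *c, bool new_sum, enum policy pol)
{
    bool old_sum = c->sum;

    c->sum = new_sum;
    if (old_sum == new_sum || pol == FLUSH_NONE) return;
    if (pol == FLUSH_RECORDED && !old_sum) return;  /* 0 -> 1: no revoke */
    if (pol == FLUSH_ALL || c->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
        flush_all(c);                 /* old behaviour, or buffer overflow */
    } else {
        for (uint64_t i = 0; i < c->sum_u_count; i++) {
            c->tlb[c->sum_u_addr[i]] = false;
        }
    }
    c->sum_u_count = 0;
}

/* One uaccess window on a fresh CPU: SUM=1, touch kernel page 0 and
 * n_user user pages, SUM=0, then retry the user pages from S-mode. */
static struct result run_window(enum policy pol, unsigned n_user)
{
    struct cpu c = { 0 };
    struct result r = { 0, 0, false };

    write_sum(&c, true, pol);
    s_access(&c, 0);
    for (unsigned i = 0; i < n_user; i++) {
        s_access(&c, FIRST_USER_PAGE + i);
    }
    write_sum(&c, false, pol);
    for (unsigned i = 0; i < n_user; i++) {
        r.stale += s_access(&c, FIRST_USER_PAGE + i);  /* hit = stale */
    }
    r.full_flushes = c.full_flushes;
    r.kernel_kept = c.tlb[0];
    return r;
}

/* The 0 -> 1 case: a user page that faulted under SUM=0 left no entry,
 * so it becomes reachable once SUM is set, without any flush. */
static bool sum_set_needs_no_flush(void)
{
    struct cpu c = { 0 };
    bool before = s_access(&c, FIRST_USER_PAGE);    /* SUM=0: faults */

    write_sum(&c, true, FLUSH_RECORDED);
    return !before && s_access(&c, FIRST_USER_PAGE) && !c.full_flushes;
}

int main(void)
{
    struct result r = run_window(FLUSH_RECORDED, 2);

    printf("stale=%u full_flushes=%u kernel_kept=%d sum_set_ok=%d\n",
           r.stale, r.full_flushes, r.kernel_kept, sum_set_needs_no_flush());
    return r.stale != 0;
}
```

If the model is changed so that a faulting walk does cache a denying entry, `sum_set_needs_no_flush()` no longer holds, which is the case raised in the last reply.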

[PATCH-for-8.1] target/m68k/fpu_helper: Use FloatRelation enum to hold comparison result

2023-03-21 Thread Philippe Mathieu-Daudé
Use the FloatRelation enum to hold the comparison result (missed
in commit 71bfd65c5f "softfloat: Name compare relation enum").

Inspired-by: Cédric Le Goater 
Signed-off-by: Philippe Mathieu-Daudé 
---
 target/m68k/fpu_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/m68k/fpu_helper.c b/target/m68k/fpu_helper.c
index 3a37d8f584..ab120b5f59 100644
--- a/target/m68k/fpu_helper.c
+++ b/target/m68k/fpu_helper.c
@@ -349,7 +349,7 @@ void HELPER(fsgldiv)(CPUM68KState *env, FPReg *res, FPReg 
*val0, FPReg *val1)
 PREC_END();
 }
 
-static int float_comp_to_cc(int float_compare)
+static int float_comp_to_cc(FloatRelation float_compare)
 {
 switch (float_compare) {
 case float_relation_equal:
@@ -367,7 +367,7 @@ static int float_comp_to_cc(int float_compare)
 
 void HELPER(fcmp)(CPUM68KState *env, FPReg *val0, FPReg *val1)
 {
-int float_compare;
+FloatRelation float_compare;
 
 float_compare = floatx80_compare(val1->d, val0->d, &env->fp_status);
 env->fpsr = (env->fpsr & ~FPSR_CC_MASK) | float_comp_to_cc(float_compare);
-- 
2.38.1




Applying for GSoC 2023: RDP Server

2023-03-21 Thread Ayush Singh
Hello everyone, I am a Third-Year University Student from India. I am
interested in implementing the RDP server for Qemu in Rust [1]. I have
already introduced myself to the mailing list earlier.

In short, the project will involve the following:
1. Improve and implement missing portions required for the RDP server into
IronRDP.
2. Implement the Qemu RDP server in the qemu-display [2] repo.

I have submitted an initial version of the proposal. I will be happy to
receive feedback and/or questions from anyone interested in the project.

Yours Sincerely
Ayush Singh

[1]: https://wiki.qemu.org/Google_Summer_of_Code_2023#RDP_server
[2]: https://gitlab.com/marcandre.lureau/qemu-display


Re: [PATCH] target/riscv: Fix priv version dependency for vector and zfh

2023-03-21 Thread Daniel Henrique Barboza




On 3/21/23 01:34, LIU Zhiwei wrote:

Vector implicitly enables zve64d, zve64f, zve32f sub extensions. As vector
only requires PRIV_1_10_0, these sub extensions should not require priv version
higher than that.

The same for Zfh.

Signed-off-by: LIU Zhiwei 
---


Reviewed-by: Daniel Henrique Barboza 


  target/riscv/cpu.c | 8 
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/riscv/cpu.c b/target/riscv/cpu.c
index 1e97473af2..eaf75a00a6 100644
--- a/target/riscv/cpu.c
+++ b/target/riscv/cpu.c
@@ -84,7 +84,7 @@ static const struct isa_ext_data isa_edata_arr[] = {
  ISA_EXT_DATA_ENTRY(zihintpause, true, PRIV_VERSION_1_10_0, 
ext_zihintpause),
  ISA_EXT_DATA_ENTRY(zawrs, true, PRIV_VERSION_1_12_0, ext_zawrs),
  ISA_EXT_DATA_ENTRY(zfh, true, PRIV_VERSION_1_11_0, ext_zfh),
-ISA_EXT_DATA_ENTRY(zfhmin, true, PRIV_VERSION_1_12_0, ext_zfhmin),
+ISA_EXT_DATA_ENTRY(zfhmin, true, PRIV_VERSION_1_11_0, ext_zfhmin),
  ISA_EXT_DATA_ENTRY(zfinx, true, PRIV_VERSION_1_12_0, ext_zfinx),
  ISA_EXT_DATA_ENTRY(zdinx, true, PRIV_VERSION_1_12_0, ext_zdinx),
  ISA_EXT_DATA_ENTRY(zba, true, PRIV_VERSION_1_12_0, ext_zba),
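
Review bot: the commit message explains the zve* change (vector only needs PRIV_1_10_0) but covers this line only with "The same for Zfh", so the reason for zfhmin should be spelled out: zfh is listed at PRIV_VERSION_1_11_0 one line above, and zfhmin must not demand a newer version than the extension that enables it. A Fixes: tag naming the commit that introduced the 1_12_0 value would also help backporting.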
@@ -104,9 +104,9 @@ static const struct isa_ext_data isa_edata_arr[] = {
  ISA_EXT_DATA_ENTRY(zksed, true, PRIV_VERSION_1_12_0, ext_zksed),
  ISA_EXT_DATA_ENTRY(zksh, true, PRIV_VERSION_1_12_0, ext_zksh),
  ISA_EXT_DATA_ENTRY(zkt, true, PRIV_VERSION_1_12_0, ext_zkt),
-ISA_EXT_DATA_ENTRY(zve32f, true, PRIV_VERSION_1_12_0, ext_zve32f),
-ISA_EXT_DATA_ENTRY(zve64f, true, PRIV_VERSION_1_12_0, ext_zve64f),
-ISA_EXT_DATA_ENTRY(zve64d, true, PRIV_VERSION_1_12_0, ext_zve64d),
+ISA_EXT_DATA_ENTRY(zve32f, true, PRIV_VERSION_1_10_0, ext_zve32f),
+ISA_EXT_DATA_ENTRY(zve64f, true, PRIV_VERSION_1_10_0, ext_zve64f),
+ISA_EXT_DATA_ENTRY(zve64d, true, PRIV_VERSION_1_10_0, ext_zve64d),
  ISA_EXT_DATA_ENTRY(zvfh, true, PRIV_VERSION_1_12_0, ext_zvfh),
  ISA_EXT_DATA_ENTRY(zvfhmin, true, PRIV_VERSION_1_12_0, ext_zvfhmin),
  ISA_EXT_DATA_ENTRY(zhinx, true, PRIV_VERSION_1_12_0, ext_zhinx),
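
Review bot: zvfh and zvfhmin, directly below the three changed entries, stay at PRIV_VERSION_1_12_0; if either of them can be switched on implicitly by an extension with a lower requirement, the same mismatch remains after this patch. Please state in the commit message that only zve32f, zve64f and zve64d are implied by V, or lower those two entries as well.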




Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Paolo Bonzini

On 3/21/23 09:33, Cédric Le Goater wrote:

From: Cédric Le Goater

GCC13 reports an error :

../util/async.c: In function ‘aio_bh_poll’:
include/qemu/queue.h:303:22: error: storing the address of local variable 
‘slice’ in ‘*ctx.bh_slice_list.sqh_last’ [-Werror=dangling-pointer=]
   303 | (head)->sqh_last = &(elm)->field.sqe_next; 
 \
   | ~^~~~
../util/async.c:169:5: note: in expansion of macro ‘QSIMPLEQ_INSERT_TAIL’
   169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
   | ^~~~
../util/async.c:161:17: note: ‘slice’ declared here
   161 | BHListSlice slice;
   | ^
../util/async.c:161:17: note: ‘ctx’ declared here

But the local variable 'slice' is removed from the global context list
in the following loop of the same routine. Add an intermediate helper to
silence GCC. No functional change.


Before doing this, I would like to see a case where this bug was _not_ 
caught by either Coverity (which is currently offline but I'm fixing it 
right now) or just cursory review.


I'd rather remove the warning.

Paolo
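
The situation debated in this message, as an added example that is not code from the thread or from QEMU: a stack-allocated slice is linked into a longer-lived queue, and that is safe only because the poll loop unlinks every slice and resets the tail link before returning. All type and function names are hypothetical, and the re-entrant handler is a constructed scenario.

```c
#include <stddef.h>

/* Hypothetical, simplified stand-ins; none of these names are QEMU's. */
struct bh { struct bh *next; void (*cb)(void *opaque); void *opaque; };
struct slice { struct bh *head; struct slice *next; };
struct ctx {
    struct bh *pending;     /* handlers scheduled since the last poll */
    struct slice *first;    /* queue of slices */
    struct slice **last;    /* tail link, the role sqh_last plays in the report */
    int ran;                /* handlers executed so far */
};

static void ctx_init(struct ctx *c)
{
    c->pending = NULL;
    c->first = NULL;
    c->last = &c->first;
    c->ran = 0;
}

static void ctx_schedule(struct ctx *c, struct bh *b)
{
    b->next = c->pending;
    c->pending = b;
}

/* The store the compiler objects to: a caller's stack address lands in *c. */
static void slice_insert_tail(struct ctx *c, struct slice *s)
{
    s->next = NULL;
    *c->last = s;
    c->last = &s->next;
}

/* Unlink the first slice. Resetting 'last' when the queue empties is what
 * stops the tail link from pointing into a dead stack frame. */
static void slice_remove_head(struct ctx *c)
{
    c->first = c->first->next;
    if (c->first == NULL) {
        c->last = &c->first;
    }
}

static void ctx_poll(struct ctx *c)
{
    struct slice slice;     /* exists only while this frame is live */
    struct slice *s;

    slice.head = c->pending;
    c->pending = NULL;
    slice_insert_tail(c, &slice);
    /* Drain every queued slice, including those of outer, re-entered polls. */
    while ((s = c->first) != NULL) {
        struct bh *b = s->head;
        if (b == NULL) {
            slice_remove_head(c);
            continue;
        }
        s->head = b->next;
        c->ran++;
        b->cb(b->opaque);
    }
}

/* Invariant to check after a poll: nothing queued, tail link back at home. */
static int ctx_is_clean(struct ctx *c)
{
    return c->first == NULL && c->last == &c->first;
}

static void cb_plain(void *opaque) { (void)opaque; }
static struct bh extra = { NULL, cb_plain, NULL };  /* scheduled by a handler */

static void cb_nested(void *opaque)
{
    struct ctx *c = opaque;

    ctx_schedule(c, &extra);
    ctx_poll(c);            /* re-entrant poll queues a second stack slice */
}

/* Constructed scenario: returns handlers run, or -1 if a slice is still linked. */
int demo(void)
{
    struct ctx c;
    struct bh a = { NULL, cb_plain, NULL };
    struct bh b = { NULL, cb_nested, &c };

    ctx_init(&c);
    ctx_schedule(&c, &a);
    ctx_schedule(&c, &b);   /* b is at the head, so it runs first */
    ctx_poll(&c);
    return ctx_is_clean(&c) ? c.ran : -1;
}

int main(void) { return demo() == 3 ? 0 : 1; }
```

Dropping the tail-link reset in slice_remove_head() is the variant in which the pointer really does dangle, and ctx_is_clean() is the check that catches it.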




[PATCH v1 03/11] hw: allwinner-r40: Complete uart devices

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

R40 has eight UARTs, supporting both 16450 and 16550 compatible modes.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c | 32 
 include/hw/arm/allwinner-r40.h |  7 +++
 2 files changed, 39 insertions(+)

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index 3517682aed..fde01783b1 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -45,6 +45,13 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_CCU]= 0x01c2,
 [AW_R40_DEV_PIT]= 0x01c20c00,
 [AW_R40_DEV_UART0]  = 0x01c28000,
+[AW_R40_DEV_UART1]  = 0x01c28400,
+[AW_R40_DEV_UART2]  = 0x01c28800,
+[AW_R40_DEV_UART3]  = 0x01c28c00,
+[AW_R40_DEV_UART4]  = 0x01c29000,
+[AW_R40_DEV_UART5]  = 0x01c29400,
+[AW_R40_DEV_UART6]  = 0x01c29800,
+[AW_R40_DEV_UART7]  = 0x01c29c00,
 [AW_R40_DEV_GIC_DIST]   = 0x01c81000,
 [AW_R40_DEV_GIC_CPU]= 0x01c82000,
 [AW_R40_DEV_GIC_HYP]= 0x01c84000,
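
Review bot: the diffstat for this patch shows insertions only, so the placeholder entries for these UARTs in r40_unimplemented are not removed when the real devices are mapped at 0x01c28400 to 0x01c29c00; the context of the later TWI patch still lists { "uart7", 0x01c29c00, 1 * KiB }. Drop the uart1..uart7 placeholders in this patch, the same way the CCU and TWI patches drop theirs, so that each address has exactly one owner.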
@@ -160,6 +167,10 @@ enum {
 AW_R40_GIC_SPI_UART1 =  2,
 AW_R40_GIC_SPI_UART2 =  3,
 AW_R40_GIC_SPI_UART3 =  4,
+AW_R40_GIC_SPI_UART4 = 17,
+AW_R40_GIC_SPI_UART5 = 18,
+AW_R40_GIC_SPI_UART6 = 19,
+AW_R40_GIC_SPI_UART7 = 20,
 AW_R40_GIC_SPI_TIMER0= 22,
 AW_R40_GIC_SPI_TIMER1= 23,
 AW_R40_GIC_SPI_MMC0  = 32,
@@ -396,6 +407,27 @@ static void allwinner_r40_realize(DeviceState *dev, Error 
**errp)
 serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART0], 2,
qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART0),
115200, serial_hd(0), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART1], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART1),
+   115200, serial_hd(1), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART2], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART2),
+   115200, serial_hd(2), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART3], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART3),
+   115200, serial_hd(3), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART4], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART4),
+   115200, serial_hd(4), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART5], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART5),
+   115200, serial_hd(5), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART6], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART6),
+   115200, serial_hd(6), DEVICE_NATIVE_ENDIAN);
+serial_mm_init(get_system_memory(), s->memmap[AW_R40_DEV_UART7], 2,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART7),
+   115200, serial_hd(7), DEVICE_NATIVE_ENDIAN);
 
 /* Unimplemented devices */
 for (i = 0; i < ARRAY_SIZE(r40_unimplemented); i++) {
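
Review bot: the seven added serial_mm_init() calls differ only in the UART index, so a small table of { memmap index, GIC SPI number } walked in a loop would replace 21 copy-pasted lines and remove the risk of a mismatched pair such as AW_R40_DEV_UART5 with AW_R40_GIC_SPI_UART4. The loop index can feed serial_hd() directly.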
diff --git a/include/hw/arm/allwinner-r40.h b/include/hw/arm/allwinner-r40.h
index b355af2c4f..dfb5eb609c 100644
--- a/include/hw/arm/allwinner-r40.h
+++ b/include/hw/arm/allwinner-r40.h
@@ -41,6 +41,13 @@ enum {
 AW_R40_DEV_CCU,
 AW_R40_DEV_PIT,
 AW_R40_DEV_UART0,
+AW_R40_DEV_UART1,
+AW_R40_DEV_UART2,
+AW_R40_DEV_UART3,
+AW_R40_DEV_UART4,
+AW_R40_DEV_UART5,
+AW_R40_DEV_UART6,
+AW_R40_DEV_UART7,
 AW_R40_DEV_GIC_DIST,
 AW_R40_DEV_GIC_CPU,
 AW_R40_DEV_GIC_HYP,
-- 
2.25.1




[PATCH v1 00/11] *** add allwinner-r40 support ***

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

*** history ***

# v1: 2023-03-21

The first version which adds allwinner-r40 support, supported features:

+ ccu
+ dram controller
+ uart
+ i2c and pmic(axp221)
+ sdcard
+ emac/gmac

Also provide a test case under avocado. To run a quick test:

$ AVOCADO_ALLOW_LARGE_STORAGE=yes tests/venv/bin/avocado \
--verbose --show=app,console run -t machine:bpim2u \
../tests/avocado/boot_linux_console.py

qianfan Zhao (11):
  hw: arm: Add bananapi M2-Ultra and allwinner-r40 support
  hw/arm/allwinner-r40: add Clock Control Unit
  hw: allwinner-r40: Complete uart devices
  hw: arm: allwinner-r40: Add 5 TWI controllers
  hw/misc: AXP221 PMU Emulation
  hw/arm/allwinner-r40: add SDRAM controller device
  hw: sd: allwinner-sdhost: Add sun50i-a64 SoC support
  hw: arm: allwinner-r40: Fix the mmc controller's type
  hw: arm: allwinner-r40: Add emac and gmac support
  tests: avocado: boot_linux_console: Add test case for bpim2u
  docs: system: arm: Introduce bananapi_m2u

 configs/devices/arm-softmmu/default.mak |   1 +
 docs/system/arm/bananapi_m2u.rst| 138 ++
 hw/arm/Kconfig  |  10 +
 hw/arm/allwinner-r40.c  | 558 
 hw/arm/bananapi_m2u.c   | 131 ++
 hw/arm/meson.build  |   1 +
 hw/misc/Kconfig |   4 +
 hw/misc/allwinner-r40-ccu.c | 207 +
 hw/misc/allwinner-r40-dramc.c   | 499 +
 hw/misc/axp221.c| 196 +
 hw/misc/meson.build |   3 +
 hw/misc/trace-events|  19 +
 hw/sd/allwinner-sdhost.c|  70 ++-
 include/hw/arm/allwinner-r40.h  | 148 +++
 include/hw/misc/allwinner-r40-ccu.h |  65 +++
 include/hw/misc/allwinner-r40-dramc.h   | 108 +
 include/hw/sd/allwinner-sdhost.h|   9 +
 tests/avocado/boot_linux_console.py | 173 
 18 files changed, 2337 insertions(+), 3 deletions(-)
 create mode 100644 docs/system/arm/bananapi_m2u.rst
 create mode 100644 hw/arm/allwinner-r40.c
 create mode 100644 hw/arm/bananapi_m2u.c
 create mode 100644 hw/misc/allwinner-r40-ccu.c
 create mode 100644 hw/misc/allwinner-r40-dramc.c
 create mode 100644 hw/misc/axp221.c
 create mode 100644 include/hw/arm/allwinner-r40.h
 create mode 100644 include/hw/misc/allwinner-r40-ccu.h
 create mode 100644 include/hw/misc/allwinner-r40-dramc.h

-- 
2.25.1




[PATCH v1 01/11] hw: arm: Add bananapi M2-Ultra and allwinner-r40 support

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

Allwinner R40 (sun8i) SoC features a Quad-Core Cortex-A7 ARM CPU,
and a Mali400 MP2 GPU from ARM. It's also known as the Allwinner T3
for In-Car Entertainment usage, A40i and A40pro are variants that
differ in applicable temperatures range (industrial and military).

This patch is a draft and provides very few features that we will
improve later.

Signed-off-by: qianfan Zhao 
---
 configs/devices/arm-softmmu/default.mak |   1 +
 hw/arm/Kconfig  |   9 +
 hw/arm/allwinner-r40.c  | 425 
 hw/arm/bananapi_m2u.c   | 116 +++
 hw/arm/meson.build  |   1 +
 include/hw/arm/allwinner-r40.h  | 111 +++
 6 files changed, 663 insertions(+)
 create mode 100644 hw/arm/allwinner-r40.c
 create mode 100644 hw/arm/bananapi_m2u.c
 create mode 100644 include/hw/arm/allwinner-r40.h

diff --git a/configs/devices/arm-softmmu/default.mak 
b/configs/devices/arm-softmmu/default.mak
index 1b49a7830c..76a43add23 100644
--- a/configs/devices/arm-softmmu/default.mak
+++ b/configs/devices/arm-softmmu/default.mak
@@ -43,3 +43,4 @@ CONFIG_FSL_IMX6UL=y
 CONFIG_SEMIHOSTING=y
 CONFIG_ARM_COMPATIBLE_SEMIHOSTING=y
 CONFIG_ALLWINNER_H3=y
+CONFIG_ALLWINNER_R40=y
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index b5aed4aff5..9e14c3427e 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -344,6 +344,15 @@ config ALLWINNER_H3
 select USB_EHCI_SYSBUS
 select SD
 
+config ALLWINNER_R40
+bool
+select ALLWINNER_A10_PIT
+select SERIAL
+select ARM_TIMER
+select ARM_GIC
+select UNIMP
+select SD
+
 config RASPI
 bool
 select FRAMEBUFFER
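
Review bot: the new ALLWINNER_R40 entry selects SD, which is the card model, but nothing that visibly corresponds to the SD host controller behind the MMC0..MMC3 entries this patch adds to the memory map. Unless another selected symbol already builds that controller, a configuration with only ALLWINNER_R40 enabled will fail to link; please add the matching select here or say in the commit message which symbol provides it.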
diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
new file mode 100644
index 00..d0516f4e96
--- /dev/null
+++ b/hw/arm/allwinner-r40.c
@@ -0,0 +1,425 @@
+/*
+ * Allwinner R40/A40i/T3 System on Chip emulation
+ *
+ * Copyright (C) 2023 qianfan Zhao 
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "qemu/bswap.h"
+#include "qemu/module.h"
+#include "qemu/units.h"
+#include "hw/qdev-core.h"
+#include "hw/sysbus.h"
+#include "hw/char/serial.h"
+#include "hw/misc/unimp.h"
+#include "hw/usb/hcd-ehci.h"
+#include "hw/loader.h"
+#include "sysemu/sysemu.h"
+#include "hw/arm/allwinner-r40.h"
+
+/* Memory map */
+const hwaddr allwinner_r40_memmap[] = {
+[AW_R40_DEV_SRAM_A1]= 0x,
+[AW_R40_DEV_SRAM_A2]= 0x4000,
+[AW_R40_DEV_SRAM_A3]= 0x8000,
+[AW_R40_DEV_SRAM_A4]= 0xb400,
+[AW_R40_DEV_MMC0]   = 0x01c0f000,
+[AW_R40_DEV_MMC1]   = 0x01c1,
+[AW_R40_DEV_MMC2]   = 0x01c11000,
+[AW_R40_DEV_MMC3]   = 0x01c12000,
+[AW_R40_DEV_PIT]= 0x01c20c00,
+[AW_R40_DEV_UART0]  = 0x01c28000,
+[AW_R40_DEV_GIC_DIST]   = 0x01c81000,
+[AW_R40_DEV_GIC_CPU]= 0x01c82000,
+[AW_R40_DEV_GIC_HYP]= 0x01c84000,
+[AW_R40_DEV_GIC_VCPU]   = 0x01c86000,
+[AW_R40_DEV_SDRAM]  = 0x4000
+};
+
+/* List of unimplemented devices */
+struct AwR40Unimplemented {
+const char *device_name;
+hwaddr base;
+hwaddr size;
+};
+
+static struct AwR40Unimplemented r40_unimplemented[] = {
+{ "d-engine",   0x0100, 4 * MiB },
+{ "d-inter",0x0140, 128 * KiB },
+{ "sram-c", 0x01c0, 4 * KiB },
+{ "dma",0x01c02000, 4 * KiB },
+{ "nfdc",   0x01c03000, 4 * KiB },
+{ "ts", 0x01c04000, 4 * KiB },
+{ "spi0",   0x01c05000, 4 * KiB },
+{ "spi1",   0x01c06000, 4 * KiB },
+{ "cs0",0x01c09000, 4 * KiB },
+{ "keymem", 0x01c0a000, 4 * KiB },
+{ "emac",   0x01c0b000, 4 * KiB },
+{ "usb0-otg",   0x01c13000, 4 * KiB },
+{ "usb0-host",  0x01c14000, 4 * KiB },
+{ "crypto", 0x01c15000, 4 * KiB },
+{ "spi2",   0x01c17000, 4 * KiB },
+{ "sata",   0x01c18000, 4 * KiB },
+{ "usb1-host",  0x01c19000, 4 * KiB },
+{ "sid",0x01c1b000, 4 * KiB },
+{ "usb2-host",  0x01c1c000, 4 * KiB },
+{ "cs1",0x01c1d000, 4 * KiB },
+{ "spi3",   0x01c1f000, 4 * KiB },
+{ "ccu",0x01c2, 1 * KiB },
+{ "rtc",0x01c20400, 1 * KiB },
+{ "pio",0x01c20800, 1 * KiB },
+{ "owa",0x01c
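
Review bot: r40_unimplemented is only read in the visible code, so declare it static const to place the table in read-only data. In the include list, "hw/usb/hcd-ehci.h" looks unused, since usb0-host, usb1-host and usb2-host are all still entries in this unimplemented table; drop the include until a USB controller is actually instantiated.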

[PATCH v1 06/11] hw/arm/allwinner-r40: add SDRAM controller device

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

Types of memory that the SDRAM controller supports are DDR2/DDR3
and capacities of up to 2GiB. This commit adds emulation support
of the Allwinner R40 SDRAM controller.

This driver only supports 256M, 512M and 1024M memory now.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c|  18 +-
 hw/arm/bananapi_m2u.c |   7 +
 hw/misc/allwinner-r40-dramc.c | 499 ++
 hw/misc/meson.build   |   1 +
 hw/misc/trace-events  |  14 +
 include/hw/arm/allwinner-r40.h|  13 +-
 include/hw/misc/allwinner-r40-dramc.h | 108 ++
 7 files changed, 657 insertions(+), 3 deletions(-)
 create mode 100644 hw/misc/allwinner-r40-dramc.c
 create mode 100644 include/hw/misc/allwinner-r40-dramc.h

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index 9fa23e1f33..f1f6803cf7 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -31,6 +31,7 @@
 #include "hw/loader.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/allwinner-r40.h"
+#include "hw/misc/allwinner-r40-dramc.h"
 
 /* Memory map */
 const hwaddr allwinner_r40_memmap[] = {
@@ -57,6 +58,9 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_TWI2]   = 0x01c2b400,
 [AW_R40_DEV_TWI3]   = 0x01c2b800,
 [AW_R40_DEV_TWI4]   = 0x01c2c000,
+[AW_R40_DEV_DRAMCOM]= 0x01c62000,
+[AW_R40_DEV_DRAMCTL]= 0x01c63000,
+[AW_R40_DEV_DRAMPHY]= 0x01c65000,
 [AW_R40_DEV_GIC_DIST]   = 0x01c81000,
 [AW_R40_DEV_GIC_CPU]= 0x01c82000,
 [AW_R40_DEV_GIC_HYP]= 0x01c84000,
@@ -129,8 +133,6 @@ static struct AwR40Unimplemented r40_unimplemented[] = {
 { "gpu",0x01c4, 64 * KiB },
 { "gmac",   0x01c5, 64 * KiB },
 { "hstmr",  0x01c6, 4 * KiB },
-{ "dram-com",   0x01c62000, 4 * KiB },
-{ "dram-ctl",   0x01c63000, 4 * KiB },
 { "tcon-top",   0x01c7, 4 * KiB },
 { "lcd0",   0x01c71000, 4 * KiB },
 { "lcd1",   0x01c72000, 4 * KiB },
@@ -273,6 +275,12 @@ static void allwinner_r40_init(Object *obj)
 object_initialize_child(obj, "twi2", &s->i2c2, TYPE_AW_I2C_SUN6I);
 object_initialize_child(obj, "twi3", &s->i2c3, TYPE_AW_I2C_SUN6I);
 object_initialize_child(obj, "twi4", &s->i2c4, TYPE_AW_I2C_SUN6I);
+
+object_initialize_child(obj, "dramc", &s->dramc, TYPE_AW_R40_DRAMC);
+object_property_add_alias(obj, "ram-addr", OBJECT(&s->dramc),
+ "ram-addr");
+object_property_add_alias(obj, "ram-size", OBJECT(&s->dramc),
+  "ram-size");
 }
 
 static void allwinner_r40_realize(DeviceState *dev, Error **errp)
@@ -466,6 +474,12 @@ static void allwinner_r40_realize(DeviceState *dev, Error 
**errp)
 sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c4), 0,
qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI4));
 
+/* DRAMC */
+sysbus_realize(SYS_BUS_DEVICE(&s->dramc), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->dramc), 0, 
s->memmap[AW_R40_DEV_DRAMCOM]);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->dramc), 1, 
s->memmap[AW_R40_DEV_DRAMCTL]);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->dramc), 2, 
s->memmap[AW_R40_DEV_DRAMPHY]);
+
 /* Unimplemented devices */
 for (i = 0; i < ARRAY_SIZE(r40_unimplemented); i++) {
 create_unimplemented_device(r40_unimplemented[i].device_name,
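
Review bot: the three sysbus_mmio_map() lines for DRAMCOM, DRAMCTL and DRAMPHY run past 80 columns (the mailer wrapped each of them), which checkpatch flags; break each call after the second argument. A short comment saying which MMIO index is the com, ctl and phy region would also save readers a trip to the device source.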
diff --git a/hw/arm/bananapi_m2u.c b/hw/arm/bananapi_m2u.c
index bdee12efd3..d185f979c0 100644
--- a/hw/arm/bananapi_m2u.c
+++ b/hw/arm/bananapi_m2u.c
@@ -79,6 +79,13 @@ static void bpim2u_init(MachineState *machine)
 object_property_set_int(OBJECT(r40), "clk1-freq", 24 * 1000 * 1000,
 &error_abort);
 
+/* DRAMC */
+r40->ram_size = machine->ram_size / MiB;
+object_property_set_uint(OBJECT(r40), "ram-addr", 
r40->memmap[AW_R40_DEV_SDRAM],
+ &error_abort);
+object_property_set_int(OBJECT(r40), "ram-size", r40->ram_size,
+&error_abort);
+
 /* Mark R40 object realized */
 qdev_realize(DEVICE(r40), NULL, &error_abort);
 
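
Review bot: r40->ram_size = machine->ram_size / MiB is passed on without a range check, although the commit message says the controller model only handles 256M, 512M and 1024M; with &error_abort, any rejection further down turns a bad -m value into an abort() instead of a usable error. Validate machine->ram_size here and fail with error_report() and exit(1) before setting the property. The two setters also disagree, object_property_set_uint() for "ram-addr" and object_property_set_int() for "ram-size"; use whichever matches the property types.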
diff --git a/hw/misc/allwinner-r40-dramc.c b/hw/misc/allwinner-r40-dramc.c
new file mode 100644
index 00..67f9031149
--- /dev/null
+++ b/hw/misc/allwinner-r40-dramc.c
@@ -0,0 +1,499 @@
+/*
+ * Allwinner R40 SDRAM Controller emulation
+ *
+ * CCopyright (C) 2023 qianfan Zhao 
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU 
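
Review bot: typo in the file header, "CCopyright (C) 2023" should read "Copyright (C) 2023". Licence scanners match on that line, so it is worth fixing before merge.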

[PATCH v1 07/11] hw: sd: allwinner-sdhost: Add sun50i-a64 SoC support

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

A64's sd register was similar to H3, and it introduced a new register
named SAMP_DL_REG located at 0x144. The dma descriptor buffer size of
mmc2 is only 8K and the other mmc controllers have 64K.

Signed-off-by: qianfan Zhao 
---
 hw/sd/allwinner-sdhost.c | 70 ++--
 include/hw/sd/allwinner-sdhost.h |  9 
 2 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c
index 51e5e90830..38e7844399 100644
--- a/hw/sd/allwinner-sdhost.c
+++ b/hw/sd/allwinner-sdhost.c
@@ -77,6 +77,7 @@ enum {
 REG_SD_DATA1_CRC  = 0x12C, /* CRC Data 1 from card/eMMC */
 REG_SD_DATA0_CRC  = 0x130, /* CRC Data 0 from card/eMMC */
 REG_SD_CRC_STA= 0x134, /* CRC status from card/eMMC during write */
+REG_SD_SAMP_DL= 0x144, /* Sample Delay Control (sun50i-a64) */
 REG_SD_FIFO   = 0x200, /* Read/Write FIFO */
 };
 
@@ -158,6 +159,7 @@ enum {
 REG_SD_RES_CRC_RST  = 0x0,
 REG_SD_DATA_CRC_RST = 0x0,
 REG_SD_CRC_STA_RST  = 0x0,
+REG_SD_SAMPLE_DL_RST= 0x2000,
 REG_SD_FIFO_RST = 0x0,
 };
 
@@ -438,6 +440,7 @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr 
offset,
 {
 AwSdHostState *s = AW_SDHOST(opaque);
 AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
+bool out_of_bounds = false;
 uint32_t res = 0;
 
 switch (offset) {
@@ -556,13 +559,24 @@ static uint64_t allwinner_sdhost_read(void *opaque, 
hwaddr offset,
 case REG_SD_FIFO:  /* Read/Write FIFO */
 res = allwinner_sdhost_fifo_read(s);
 break;
+case REG_SD_SAMP_DL: /* Sample Delay */
+if (sc->can_calibrate) {
+res = s->sample_delay;
+} else {
+out_of_bounds = true;
+}
+break;
 default:
-qemu_log_mask(LOG_GUEST_ERROR, "%s: out-of-bounds offset %"
-  HWADDR_PRIx"\n", __func__, offset);
+out_of_bounds = true;
 res = 0;
 break;
 }
 
+if (out_of_bounds) {
+qemu_log_mask(LOG_GUEST_ERROR, "%s: out-of-bounds offset %"
+  HWADDR_PRIx"\n", __func__, offset);
+}
+
 trace_allwinner_sdhost_read(offset, res, size);
 return res;
 }
@@ -581,6 +595,7 @@ static void allwinner_sdhost_write(void *opaque, hwaddr 
offset,
 {
 AwSdHostState *s = AW_SDHOST(opaque);
 AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
+bool out_of_bounds = false;
 
 trace_allwinner_sdhost_write(offset, value, size);
 
@@ -704,10 +719,21 @@ static void allwinner_sdhost_write(void *opaque, hwaddr 
offset,
 case REG_SD_DATA0_CRC: /* CRC Data 0 from card/eMMC */
 case REG_SD_CRC_STA:   /* CRC status from card/eMMC in write operation */
 break;
+case REG_SD_SAMP_DL: /* Sample delay control */
+if (sc->can_calibrate) {
+s->sample_delay = value;
+} else {
+out_of_bounds = true;
+}
+break;
 default:
+out_of_bounds = true;
+break;
+}
+
+if (out_of_bounds) {
 qemu_log_mask(LOG_GUEST_ERROR, "%s: out-of-bounds offset %"
   HWADDR_PRIx"\n", __func__, offset);
-break;
 }
 }
 
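
Review bot: in the REG_SD_SAMP_DL case the guest value is stored verbatim (s->sample_delay = value); if the register has reserved or self-clearing bits, mask them here so that a read-back returns what hardware would. Also, the shared out_of_bounds path now logs "out-of-bounds offset" for a register that exists but is absent on this variant; a distinct message would make guest debugging easier.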
@@ -756,6 +782,7 @@ static const VMStateDescription vmstate_allwinner_sdhost = {
 VMSTATE_UINT32(response_crc, AwSdHostState),
 VMSTATE_UINT32_ARRAY(data_crc, AwSdHostState, 8),
 VMSTATE_UINT32(status_crc, AwSdHostState),
+VMSTATE_UINT32(sample_delay, AwSdHostState),
 VMSTATE_END_OF_LIST()
 }
 };
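
Review bot: adding VMSTATE_UINT32(sample_delay, AwSdHostState) to the existing field list changes the migration stream for every machine that uses this device, and no hunk in this patch touches the description's version_id. Either bump version_id and minimum_version_id, or move the field into a subsection whose .needed callback tests can_calibrate, so that streams for the older controller variants stay unchanged.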
@@ -794,6 +821,7 @@ static void allwinner_sdhost_realize(DeviceState *dev, 
Error **errp)
 static void allwinner_sdhost_reset(DeviceState *dev)
 {
 AwSdHostState *s = AW_SDHOST(dev);
+AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
 
 s->global_ctl = REG_SD_GCTL_RST;
 s->clock_ctl = REG_SD_CKCR_RST;
@@ -834,6 +862,10 @@ static void allwinner_sdhost_reset(DeviceState *dev)
 }
 
 s->status_crc = REG_SD_CRC_STA_RST;
+
+if (sc->can_calibrate) {
+s->sample_delay = REG_SD_SAMPLE_DL_RST;
+}
 }
 
 static void allwinner_sdhost_bus_class_init(ObjectClass *klass, void *data)
@@ -867,6 +899,24 @@ static void allwinner_sdhost_sun5i_class_init(ObjectClass 
*klass, void *data)
 sc->is_sun4i = false;
 }
 
+static void allwinner_sdhost_sun50i_a64_class_init(ObjectClass *klass,
+   void *data)
+{
+AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
+sc->max_desc_size = 64 * KiB;
+sc->is_sun4i = false;
+sc->can_calibrate = true;
+}
+
+static void allwinner_sdhost_sun50i_a64_emmc_class_init(ObjectClass *klass,
+void *data)
+{
+AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
+sc->max_desc_size = 8 * KiB;
+sc->is_sun4i = false;
+sc->can_calibrate = true;
+}
+
 static const TypeInfo allwinner_sdhost_info = {
 .name  = TYPE_AW_SDHOST,
 

[PATCH v1 02/11] hw/arm/allwinner-r40: add Clock Control Unit

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

The CCU provides the registers to program the PLLs and controls
most of the clock generation, division, distribution, synchronization
and gating.

This commit adds support for the Clock Control Unit which emulates
a simple read/write register interface.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c  |   7 +-
 hw/misc/allwinner-r40-ccu.c | 207 
 hw/misc/meson.build |   1 +
 include/hw/arm/allwinner-r40.h  |   2 +
 include/hw/misc/allwinner-r40-ccu.h |  65 +
 5 files changed, 281 insertions(+), 1 deletion(-)
 create mode 100644 hw/misc/allwinner-r40-ccu.c
 create mode 100644 include/hw/misc/allwinner-r40-ccu.h

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index d0516f4e96..3517682aed 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -42,6 +42,7 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_MMC1]   = 0x01c1,
 [AW_R40_DEV_MMC2]   = 0x01c11000,
 [AW_R40_DEV_MMC3]   = 0x01c12000,
+[AW_R40_DEV_CCU]= 0x01c2,
 [AW_R40_DEV_PIT]= 0x01c20c00,
 [AW_R40_DEV_UART0]  = 0x01c28000,
 [AW_R40_DEV_GIC_DIST]   = 0x01c81000,
@@ -80,7 +81,6 @@ static struct AwR40Unimplemented r40_unimplemented[] = {
 { "usb2-host",  0x01c1c000, 4 * KiB },
 { "cs1",0x01c1d000, 4 * KiB },
 { "spi3",   0x01c1f000, 4 * KiB },
-{ "ccu",0x01c2, 1 * KiB },
 { "rtc",0x01c20400, 1 * KiB },
 { "pio",0x01c20800, 1 * KiB },
 { "owa",0x01c21000, 1 * KiB },
@@ -246,6 +246,7 @@ static void allwinner_r40_init(Object *obj)
 object_property_add_alias(obj, "clk1-freq", OBJECT(&s->timer),
   "clk1-freq");
 
+object_initialize_child(obj, "ccu", &s->ccu, TYPE_AW_R40_CCU);
 object_initialize_child(obj, "mmc0", &s->mmc0, TYPE_AW_SDHOST_SUN5I);
 object_initialize_child(obj, "mmc1", &s->mmc1, TYPE_AW_SDHOST_SUN5I);
 object_initialize_child(obj, "mmc2", &s->mmc2, TYPE_AW_SDHOST_SUN5I);
@@ -358,6 +359,10 @@ static void allwinner_r40_realize(DeviceState *dev, Error 
**errp)
 memory_region_add_subregion(get_system_memory(), 
s->memmap[AW_R40_DEV_SRAM_A4],
 &s->sram_a4);
 
+/* Clock Control Unit */
+sysbus_realize(SYS_BUS_DEVICE(&s->ccu), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->ccu), 0, s->memmap[AW_R40_DEV_CCU]);
+
 /* SD/MMC */
 object_property_set_link(OBJECT(&s->mmc0), "dma-memory",
  OBJECT(get_system_memory()), &error_fatal);
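
Review bot: allwinner_r40_realize() receives Error **errp, yet the new sysbus_realize() call passes &error_fatal, so a CCU realize failure kills the process instead of being reported to the caller. The surrounding code has the same habit, but new code can propagate: if (!sysbus_realize(SYS_BUS_DEVICE(&s->ccu), errp)) { return; }.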
diff --git a/hw/misc/allwinner-r40-ccu.c b/hw/misc/allwinner-r40-ccu.c
new file mode 100644
index 00..0abe006874
--- /dev/null
+++ b/hw/misc/allwinner-r40-ccu.c
@@ -0,0 +1,207 @@
+/*
+ * Allwinner R40 Clock Control Unit emulation
+ *
+ * Copyright (C) 2023 qianfan Zhao 
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "hw/sysbus.h"
+#include "migration/vmstate.h"
+#include "qemu/log.h"
+#include "qemu/module.h"
+#include "hw/misc/allwinner-r40-ccu.h"
+
+/* CCU register offsets */
+enum {
+REG_PLL_CPUX_CTRL   = 0x,
+REG_PLL_AUDIO_CTRL  = 0x0008,
+REG_PLL_VIDEO0_CTRL = 0x0010,
+REG_PLL_VE_CTRL = 0x0018,
+REG_PLL_DDR0_CTRL   = 0x0020,
+REG_PLL_PERIPH0_CTRL= 0x0028,
+REG_PLL_PERIPH1_CTRL= 0x002c,
+REG_PLL_VIDEO1_CTRL = 0x0030,
+REG_PLL_SATA_CTRL   = 0x0034,
+REG_PLL_GPU_CTRL= 0x0038,
+REG_PLL_MIPI_CTRL   = 0x0040,
+REG_PLL_DE_CTRL = 0x0048,
+REG_PLL_DDR1_CTRL   = 0x004c,
+REG_AHB1_APB1_CFG   = 0x0054,
+REG_APB2_CFG= 0x0058,
+REG_MMC0_CLK= 0x0088,
+REG_MMC1_CLK= 0x008c,
+REG_MMC2_CLK= 0x0090,
+REG_MMC3_CLK= 0x0094,
+REG_USBPHY_CFG  = 0x00cc,
+REG_PLL_DDR_AUX = 0x00f0,
+REG_DRAM_CFG= 0x00f4,
+REG_PLL_DDR1_CFG= 0x00f8,
+REG_DRAM_CLK_GATING = 0x0100,
+REG_GMAC_CLK= 0x0164,
+REG_SYS_32K_CLK = 0x0310,
+REG_PLL_LOCK_CTRL   = 0x0320,
+};
+
+#defi

[PATCH v1 10/11] tests: avocado: boot_linux_console: Add test case for bpim2u

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

Add test case for booting from initrd and sd card.

Signed-off-by: qianfan Zhao 
---
 tests/avocado/boot_linux_console.py | 173 
 1 file changed, 173 insertions(+)

diff --git a/tests/avocado/boot_linux_console.py 
b/tests/avocado/boot_linux_console.py
index 574609bf43..9758fc2b68 100644
--- a/tests/avocado/boot_linux_console.py
+++ b/tests/avocado/boot_linux_console.py
@@ -760,6 +760,179 @@ def test_arm_quanta_gsj_initrd(self):
 self.wait_for_console_pattern(
 'Give root password for system maintenance')
 
+def test_arm_bpim2u(self):
+"""
+:avocado: tags=arch:arm
+:avocado: tags=machine:bpim2u
+:avocado: tags=accel:tcg
+"""
+deb_url = ('https://apt.armbian.com/pool/main/l/'
+   
'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
+deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+kernel_path = self.extract_from_deb(deb_path,
+'/boot/vmlinuz-5.10.16-sunxi')
+dtb_path = 
'/usr/lib/linux-image-current-sunxi/sun8i-r40-bananapi-m2-ultra.dtb'
+dtb_path = self.extract_from_deb(deb_path, dtb_path)
+
+self.vm.set_console()
+kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
+   'console=ttyS0,115200n8 '
+   'earlycon=uart,mmio32,0x1c28000')
+self.vm.add_args('-kernel', kernel_path,
+ '-dtb', dtb_path,
+ '-append', kernel_command_line)
+self.vm.launch()
+console_pattern = 'Kernel command line: %s' % kernel_command_line
+self.wait_for_console_pattern(console_pattern)
+
+def test_arm_bpim2u_initrd(self):
+"""
+:avocado: tags=arch:arm
+:avocado: tags=accel:tcg
+:avocado: tags=machine:bpim2u
+"""
+deb_url = ('https://apt.armbian.com/pool/main/l/'
+   
'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
+deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+kernel_path = self.extract_from_deb(deb_path,
+'/boot/vmlinuz-5.10.16-sunxi')
+dtb_path = 
'/usr/lib/linux-image-current-sunxi/sun8i-r40-bananapi-m2-ultra.dtb'
+dtb_path = self.extract_from_deb(deb_path, dtb_path)
+initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
+  '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+  'arm/rootfs-armv7a.cpio.gz')
+initrd_hash = '604b2e45cdf35045846b8bbfbf2129b1891bdc9c'
+initrd_path_gz = self.fetch_asset(initrd_url, asset_hash=initrd_hash)
+initrd_path = os.path.join(self.workdir, 'rootfs.cpio')
+archive.gzip_uncompress(initrd_path_gz, initrd_path)
+
+self.vm.set_console()
+kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
+   'console=ttyS0,115200 '
+   'panic=-1 noreboot')
+self.vm.add_args('-kernel', kernel_path,
+ '-dtb', dtb_path,
+ '-initrd', initrd_path,
+ '-append', kernel_command_line,
+ '-no-reboot')
+self.vm.launch()
+self.wait_for_console_pattern('Boot successful.')
+
+exec_command_and_wait_for_pattern(self, 'cat /proc/cpuinfo',
+'Allwinner sun8i Family')
+exec_command_and_wait_for_pattern(self, 'cat /proc/iomem',
+'system-control@1c0')
+exec_command_and_wait_for_pattern(self, 'reboot',
+'reboot: Restarting system')
+# Wait for VM to shut down gracefully
+self.vm.wait()
+
+def test_arm_bpim2u_gmac(self):
+"""
+:avocado: tags=arch:arm
+:avocado: tags=accel:tcg
+:avocado: tags=machine:bpim2u
+:avocado: tags=device:sd
+"""
+self.require_netdev('user')
+
+deb_url = ('https://apt.armbian.com/pool/main/l/'
+   
'linux-5.10.16-sunxi/linux-image-current-sunxi_21.02.2_armhf.deb')
+deb_hash = '9fa84beda245cabf0b4fa84cf6eaa7738ead1da0'
+deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+kernel_path = self.extract_from_deb(deb_path,
+'/boot/vmlinuz-5.10.16-sunxi')
+dtb_path = 
'/usr/lib/linux-image-current-sunxi/sun8i-r40-bananapi-m2-ultra.dtb'
+dtb_path = self.extract_from_deb(deb_path, dtb_path)
+rootfs_url = ('http://storage.kernelci.org/images/rootfs/buildroot/'
+  'buildroot-base
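
Review bot: the rootfs for test_arm_bpim2u_gmac is fetched from 'http://storage.kernelci.org/...' over plain HTTP, so the asset hash passed to fetch_asset() is the only thing protecting the image the test boots; use an https:// URL if the host offers one and make sure the hash is always supplied. Separately, the deb_url, deb_hash, kernel_path and dtb_path lines are repeated verbatim in all three tests and belong in one helper, and the gmac test carries the tag device:sd rather than one describing the network device.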

[PATCH v1 04/11] hw: arm: allwinner-r40: Add 5 TWI controllers

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

TWI (i2c) is designed to be used as an interface between CPU host and the
serial 2-Wire bus. It can support all standard 2-Wire transfers and can be
operated in standard mode (100kbit/s) or fast mode, supporting data rates
up to 400kbit/s.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c | 47 ++
 include/hw/arm/allwinner-r40.h | 11 
 2 files changed, 53 insertions(+), 5 deletions(-)

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index fde01783b1..9fa23e1f33 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -52,6 +52,11 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_UART5]  = 0x01c29400,
 [AW_R40_DEV_UART6]  = 0x01c29800,
 [AW_R40_DEV_UART7]  = 0x01c29c00,
+[AW_R40_DEV_TWI0]   = 0x01c2ac00,
+[AW_R40_DEV_TWI1]   = 0x01c2b000,
+[AW_R40_DEV_TWI2]   = 0x01c2b400,
+[AW_R40_DEV_TWI3]   = 0x01c2b800,
+[AW_R40_DEV_TWI4]   = 0x01c2c000,
 [AW_R40_DEV_GIC_DIST]   = 0x01c81000,
 [AW_R40_DEV_GIC_CPU]= 0x01c82000,
 [AW_R40_DEV_GIC_HYP]= 0x01c84000,
@@ -115,11 +120,6 @@ static struct AwR40Unimplemented r40_unimplemented[] = {
 { "uart7",  0x01c29c00, 1 * KiB },
 { "ps20",   0x01c2a000, 1 * KiB },
 { "ps21",   0x01c2a400, 1 * KiB },
-{ "twi0",   0x01c2ac00, 1 * KiB },
-{ "twi1",   0x01c2b000, 1 * KiB },
-{ "twi2",   0x01c2b400, 1 * KiB },
-{ "twi3",   0x01c2b800, 1 * KiB },
-{ "twi4",   0x01c2c000, 1 * KiB },
 { "scr",0x01c2c400, 1 * KiB },
 { "tvd-top",0x01c3, 4 * KiB },
 { "tvd0",   0x01c31000, 4 * KiB },
@@ -167,6 +167,9 @@ enum {
 AW_R40_GIC_SPI_UART1 =  2,
 AW_R40_GIC_SPI_UART2 =  3,
 AW_R40_GIC_SPI_UART3 =  4,
+AW_R40_GIC_SPI_TWI0  =  7,
+AW_R40_GIC_SPI_TWI1  =  8,
+AW_R40_GIC_SPI_TWI2  =  9,
 AW_R40_GIC_SPI_UART4 = 17,
 AW_R40_GIC_SPI_UART5 = 18,
 AW_R40_GIC_SPI_UART6 = 19,
@@ -177,6 +180,8 @@ enum {
 AW_R40_GIC_SPI_MMC1  = 33,
 AW_R40_GIC_SPI_MMC2  = 34,
 AW_R40_GIC_SPI_MMC3  = 35,
+AW_R40_GIC_SPI_TWI3  = 88,
+AW_R40_GIC_SPI_TWI4  = 89,
 };
 
 /* Allwinner R40 general constants */
@@ -262,6 +267,12 @@ static void allwinner_r40_init(Object *obj)
 object_initialize_child(obj, "mmc1", &s->mmc1, TYPE_AW_SDHOST_SUN5I);
 object_initialize_child(obj, "mmc2", &s->mmc2, TYPE_AW_SDHOST_SUN5I);
 object_initialize_child(obj, "mmc3", &s->mmc3, TYPE_AW_SDHOST_SUN5I);
+
+object_initialize_child(obj, "twi0", &s->i2c0, TYPE_AW_I2C_SUN6I);
+object_initialize_child(obj, "twi1", &s->i2c1, TYPE_AW_I2C_SUN6I);
+object_initialize_child(obj, "twi2", &s->i2c2, TYPE_AW_I2C_SUN6I);
+object_initialize_child(obj, "twi3", &s->i2c3, TYPE_AW_I2C_SUN6I);
+object_initialize_child(obj, "twi4", &s->i2c4, TYPE_AW_I2C_SUN6I);
 }
 
 static void allwinner_r40_realize(DeviceState *dev, Error **errp)
@@ -429,6 +440,32 @@ static void allwinner_r40_realize(DeviceState *dev, Error 
**errp)
qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_UART7),
115200, serial_hd(7), DEVICE_NATIVE_ENDIAN);
 
+/* I2C */
+sysbus_realize(SYS_BUS_DEVICE(&s->i2c0), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c0), 0, s->memmap[AW_R40_DEV_TWI0]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c0), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI0));
+
+sysbus_realize(SYS_BUS_DEVICE(&s->i2c1), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c1), 0, s->memmap[AW_R40_DEV_TWI1]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c1), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI1));
+
+sysbus_realize(SYS_BUS_DEVICE(&s->i2c2), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c2), 0, s->memmap[AW_R40_DEV_TWI2]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c2), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI2));
+
+sysbus_realize(SYS_BUS_DEVICE(&s->i2c3), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c3), 0, s->memmap[AW_R40_DEV_TWI3]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c3), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI3));
+
+sysbus_realize(SYS_BUS_DEVICE(&s->i2c4), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c4), 0, s->memmap[AW_R40_DEV_TWI4]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c4), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_TWI4));
+
 /* Unimplemented devices */
 for (i = 0; i < ARRAY_SIZE(r40_unimplemented); i++) {
 create_unimplemented_device(r40_unimplemented[i].device_name,
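Review bot: the five TWI blocks in allwinner_r40_realize() pass &error_fatal to sysbus_realize() although the function receives Error **errp, so a controller that fails to realize terminates the process instead of reporting the error to the caller; check the return value and pass errp, e.g. "if (!sysbus_realize(SYS_BUS_DEVICE(&s->i2c0), errp)) { return; }". The blocks differ only in the index, so a loop over the TWI0..TWI4 memmap and SPI entries would remove the copy-paste and the risk of pairing a controller with the wrong address or interrupt.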
diff --git a/include/hw/arm/allwinner-r40.h b/include/hw/arm/allwinner-r40.h
index dfb5eb609c..6a7e5c1e31 100644
--- a/include/hw/arm/allwinner-r40.h
+++ b/include/hw/arm/allw

[PATCH v1 08/11] hw: arm: allwinner-r40: Fix the mmc controller's type

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

R40 has SAMP_DL_REG register and mmc2 controller has only 8K dma buffer.
Fix its compatible string.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index f1f6803cf7..191ce8b93c 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -265,10 +265,11 @@ static void allwinner_r40_init(Object *obj)
   "clk1-freq");
 
 object_initialize_child(obj, "ccu", &s->ccu, TYPE_AW_R40_CCU);
-object_initialize_child(obj, "mmc0", &s->mmc0, TYPE_AW_SDHOST_SUN5I);
-object_initialize_child(obj, "mmc1", &s->mmc1, TYPE_AW_SDHOST_SUN5I);
-object_initialize_child(obj, "mmc2", &s->mmc2, TYPE_AW_SDHOST_SUN5I);
-object_initialize_child(obj, "mmc3", &s->mmc3, TYPE_AW_SDHOST_SUN5I);
+object_initialize_child(obj, "mmc0", &s->mmc0, TYPE_AW_SDHOST_SUN50I_A64);
+object_initialize_child(obj, "mmc1", &s->mmc1, TYPE_AW_SDHOST_SUN50I_A64);
+object_initialize_child(obj, "mmc2", &s->mmc2,
+TYPE_AW_SDHOST_SUN50I_A64_EMMC);
+object_initialize_child(obj, "mmc3", &s->mmc3, TYPE_AW_SDHOST_SUN50I_A64);
 
 object_initialize_child(obj, "twi0", &s->i2c0, TYPE_AW_I2C_SUN6I);
 object_initialize_child(obj, "twi1", &s->i2c1, TYPE_AW_I2C_SUN6I);
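Review bot: mmc2 is the only controller given TYPE_AW_SDHOST_SUN50I_A64_EMMC, and the reason (the 8K DMA buffer named in the commit message) is not recorded in allwinner_r40_init(), so the one differing type reads like a typo to the next person editing these four calls; add a one-line comment above the mmc2 call stating why it differs.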
-- 
2.25.1




[PATCH v1 11/11] docs: system: arm: Introduce bananapi_m2u

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

Add documents for Banana Pi M2U

Signed-off-by: qianfan Zhao 
---
 docs/system/arm/bananapi_m2u.rst | 138 +++
 1 file changed, 138 insertions(+)
 create mode 100644 docs/system/arm/bananapi_m2u.rst

diff --git a/docs/system/arm/bananapi_m2u.rst b/docs/system/arm/bananapi_m2u.rst
new file mode 100644
index 00..ae7194a9df
--- /dev/null
+++ b/docs/system/arm/bananapi_m2u.rst
@@ -0,0 +1,138 @@
+Banana Pi BPI-M2U (``bpim2u``)
+^^
+
+Banana Pi BPI-M2 Ultra is a quad-core mini single board computer built with
+Allwinner A40i/R40/V40 SoC. It features 2GB of RAM and 8GB eMMC. It also
+has onboard WiFi and BT. On the ports side, the BPI-M2 Ultra has 2 USB A
+2.0 ports, 1 USB OTG port, 1 HDMI port, 1 audio jack, a DC power port,
+and last but not least, a SATA port.
+
+Supported devices
+"
+
+The Banana Pi M2U machine supports the following devices:
+
+ * SMP (Quad Core Cortex-A7)
+ * Generic Interrupt Controller configuration
+ * SRAM mappings
+ * SDRAM controller
+ * Timer device (re-used from Allwinner A10)
+ * UART
+ * SD/MMC storage controller
+ * EMAC ethernet
+ * GMAC ethernet
+ * Clock Control Unit
+ * TWI (I2C)
+
+Limitations
+"""
+
+Currently, Banana Pi M2U does *not* support the following features:
+
+- Graphical output via HDMI, GPU and/or the Display Engine
+- Audio output
+- Hardware Watchdog
+- Real Time Clock
+- USB 2.0 interfaces
+
+Also see the 'unimplemented' array in the Allwinner R40 SoC module
+for a complete list of unimplemented I/O devices: ``./hw/arm/allwinner-r40.c``
+
+Boot options
+
+
+The Banana Pi M2U machine can start using the standard -kernel functionality
+for loading a Linux kernel or ELF executable. Additionally, the Banana Pi M2U
+machine can also emulate the BootROM which is present on an actual Allwinner 
R40
+based SoC, which loads the bootloader from a SD card, specified via the -sd
+argument to qemu-system-arm.
+
+Running mainline Linux
+""
+
+To build a Linux mainline kernel that can be booted by the Banana Pi M2U 
machine,
+simply configure the kernel using the sunxi_defconfig configuration:
+
+.. code-block:: bash
+
+  $ ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- make mrproper
+  $ ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- make sunxi_defconfig
+
+To boot the newly build linux kernel in QEMU with the Banana Pi M2U machine, 
use:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M bpim2u -nographic \
+  -kernel /path/to/linux/arch/arm/boot/zImage \
+  -append 'console=ttyS0,115200' \
+  -dtb /path/to/linux/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dtb
+
+Banana Pi M2U images
+
+
+Note that the mainline kernel does not have a root filesystem. You can choose
+to build you own image with buildroot using the bananapi_m2_ultra_defconfig.
+Also see https://buildroot.org for more information.
+
+Another possibility is to run an OpenWrt image for Banana Pi M2U which
+can be downloaded from:
+
+   https://downloads.openwrt.org/releases/22.03.3/targets/sunxi/cortexa7/
+
+When using an image as an SD card, it must be resized to a power of two. This 
can be
+done with the ``qemu-img`` command. It is recommended to only increase the 
image size
+instead of shrinking it to a power of two, to avoid loss of data. For example,
+to prepare a downloaded Armbian image, first extract it and then increase
+its size to one gigabyte as follows:
+
+.. code-block:: bash
+
+  $ qemu-img resize \
+openwrt-22.03.3-sunxi-cortexa7-sinovoip_bananapi-m2-ultra-ext4-sdcard.img \
+1G
+
+Instead of providing a custom Linux kernel via the -kernel command you may also
+choose to let the Banana Pi M2U machine load the bootloader from SD card, just 
like
+a real board would do using the BootROM. Simply pass the selected image via 
the -sd
+argument and remove the -kernel, -append, -dbt and -initrd arguments:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M bpim2u -nic user -nographic \
+-sd 
openwrt-22.03.3-sunxi-cortexa7-sinovoip_bananapi-m2-ultra-ext4-sdcard.img
+
+Running U-Boot
+""
+
+U-Boot mainline can be build and configured using the 
Bananapi_M2_Ultra_defconfig
+using similar commands as describe above for Linux. Note that it is recommended
+for development/testing to select the following configuration setting in 
U-Boot:
+
+  Device Tree Control > Provider for DTB for DT Control > Embedded DTB
+
+The BootROM of allwinner R40 loading u-boot from the 8KiB offset of sdcard.
+Let's create an bootable disk image:
+
+.. code-block:: bash
+
+  $ dd if=/dev/zero of=sd.img bs=32M count=1
+  $ dd if=u-boot-sunxi-with-spl.bin of=sd.img bs=1k seek=8 conv=notrunc
+
+And then boot it.
+
+.. code-block:: bash
+  $ qemu-system-arm -M bpim2u -nographic -sd sd.img
+
+Banana Pi M2U integration tests
+""
+
+The Banana Pi M2U machine has several integration tests included.
+To run the whole set of test
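Review bot: in the "And then boot it." step the qemu-system-arm command follows the ".. code-block:: bash" directive with no blank line between them, unlike every other block in the file, so it is parsed as part of the directive rather than as its content; add the blank line. Two text slips in the same file: the SD-card paragraph tells the reader to remove "-dbt" where the option shown earlier is -dtb, and the resize paragraph speaks of "a downloaded Armbian image" while the download link and the command are for OpenWrt.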

[PATCH v1 05/11] hw/misc: AXP221 PMU Emulation

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

This patch adds minimal support for AXP-221 PMU and connects it to
bananapi M2U board.

Signed-off-by: qianfan Zhao 
---
 hw/arm/Kconfig|   1 +
 hw/arm/bananapi_m2u.c |   5 ++
 hw/misc/Kconfig   |   4 +
 hw/misc/axp221.c  | 196 ++
 hw/misc/meson.build   |   1 +
 hw/misc/trace-events  |   5 ++
 6 files changed, 212 insertions(+)
 create mode 100644 hw/misc/axp221.c

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 9e14c3427e..cf8fb083f8 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -347,6 +347,7 @@ config ALLWINNER_H3
 config ALLWINNER_R40
 bool
 select ALLWINNER_A10_PIT
+select AXP221_PMU
 select SERIAL
 select ARM_TIMER
 select ARM_GIC
diff --git a/hw/arm/bananapi_m2u.c b/hw/arm/bananapi_m2u.c
index 1b6241719d..bdee12efd3 100644
--- a/hw/arm/bananapi_m2u.c
+++ b/hw/arm/bananapi_m2u.c
@@ -22,6 +22,7 @@
 #include "exec/address-spaces.h"
 #include "qapi/error.h"
 #include "hw/boards.h"
+#include "hw/i2c/i2c.h"
 #include "hw/qdev-properties.h"
 #include "hw/arm/allwinner-r40.h"
 
@@ -91,6 +92,10 @@ static void bpim2u_init(MachineState *machine)
  &bootroom_loaded);
 mmc_attach_drive(r40, &r40->mmc3, 3, false, NULL);
 
+/* Connect AXP221 */
+i2c = I2C_BUS(qdev_get_child_bus(DEVICE(&r40->i2c0), "i2c"));
+i2c_slave_create_simple(i2c, "axp221_pmu", 0x34);
+
 /* SDRAM */
 memory_region_add_subregion(get_system_memory(), 
r40->memmap[AW_R40_DEV_SDRAM],
 machine->ram);
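Review bot: i2c is assigned in bpim2u_init() but this patch adds no declaration for it; the diffstat counts 5 insertions for bananapi_m2u.c, which are the new include plus these four lines, so unless an I2CBus *i2c local already exists the file will not build. The device name "axp221_pmu" and the address 0x34 are also bare literals here while TYPE_AXP221_PMU is defined privately in axp221.c; moving the type name to a header and naming the address would keep the board and the device model in sync.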
diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index 2ef5781ef8..f66ac390b1 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -180,4 +180,8 @@ config AXP209_PMU
 bool
 depends on I2C
 
+config AXP221_PMU
+bool
+depends on I2C
+
 source macio/Kconfig
diff --git a/hw/misc/axp221.c b/hw/misc/axp221.c
new file mode 100644
index 00..47784bb085
--- /dev/null
+++ b/hw/misc/axp221.c
@@ -0,0 +1,196 @@
+/*
+ * AXP-221/221s PMU Emulation
+ *
+ * Copyright (C) 2023 qianfan Zhao 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qemu/bitops.h"
+#include "trace.h"
+#include "hw/i2c/i2c.h"
+#include "migration/vmstate.h"
+
+#define TYPE_AXP221_PMU "axp221_pmu"
+
+#define AXP221(obj) \
+OBJECT_CHECK(AXP221I2CState, (obj), TYPE_AXP221_PMU)
+
+#define NR_REGS 0xff
+
+/* A simple I2C slave which returns values of ID or CNT register. */
+typedef struct AXP221I2CState {
+/*< private >*/
+I2CSlave i2c;
+/*< public >*/
+uint8_t regs[NR_REGS];  /* peripheral registers */
+uint8_t ptr;/* current register index */
+uint8_t count;  /* counter used for tx/rx */
+} AXP221I2CState;
+
+#define AXP221_PWR_STATUS_ACIN_PRESENT  BIT(7)
+#define AXP221_PWR_STATUS_ACIN_AVAILBIT(6)
+#define AXP221_PWR_STATUS_VBUS_PRESENT  BIT(5)
+#define AXP221_PWR_STATUS_VBUS_USED BIT(4)
+#define AXP221_PWR_STATUS_BAT_CHARGING  BIT(2)
+#define AXP221_PWR_STATUS_ACIN_VBUS_POWERED BIT(1)
+
+/* Reset all counters and load ID register */
+static void axp221_reset_enter(Object *obj, ResetType type)
+{
+AXP221I2CState *s = AXP221(obj);
+
+memset(s->regs, 0, NR_REGS);
+s->ptr = 0;
+s->count = 0;
+
+/* input power status register */
+s->regs[0x00] = AXP221_PWR_STATUS_ACIN_PRESENT
+| AXP221_PWR_STATUS_ACIN_AVAIL
+| AXP221_PWR_STATUS_ACIN_VBUS_POWERED;
+
+s->regs[0x01] = 0x00; /* no battery is connected */
+
+/* CHIPID register, no documented on datasheet, but it is checked in
+ * u-boot spl. I had read it from AXP221s and got 0x06 value.
+ * So leave 06h here.
+ */
+s->regs[0x03] = 0x06;
+
+s->regs[0x10] = 0xbf;
+s->regs[0x13] = 0x01;
+s->regs[0x30] = 0x60;
+   
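Review bot: regs[] is sized by NR_REGS, defined as 0xff, which gives 255 entries (indices 0x00 to 0xfe), while the register pointer ptr is a uint8_t and can hold 0xff; unless every read and write path checks ptr < NR_REGS before indexing, a guest that selects register 0xff reaches one byte past the array. Defining NR_REGS as 0x100 makes every uint8_t value a valid index. The struct comment ("returns values of ID or CNT register") does not describe this device and should be rewritten for the AXP221.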

[PATCH v1 09/11] hw: arm: allwinner-r40: Add emac and gmac support

2023-03-21 Thread qianfanguijin
From: qianfan Zhao 

R40 has two ethernet controllers named as emac and gmac. The emac is
compatible with A10, and the GMAC is compatible with H3.

Signed-off-by: qianfan Zhao 
---
 hw/arm/allwinner-r40.c | 48 --
 hw/arm/bananapi_m2u.c  |  3 +++
 include/hw/arm/allwinner-r40.h |  6 +
 3 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/hw/arm/allwinner-r40.c b/hw/arm/allwinner-r40.c
index 191ce8b93c..a81614c581 100644
--- a/hw/arm/allwinner-r40.c
+++ b/hw/arm/allwinner-r40.c
@@ -39,6 +39,7 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_SRAM_A2]= 0x4000,
 [AW_R40_DEV_SRAM_A3]= 0x8000,
 [AW_R40_DEV_SRAM_A4]= 0xb400,
+[AW_R40_DEV_EMAC]   = 0x01c0b000,
 [AW_R40_DEV_MMC0]   = 0x01c0f000,
 [AW_R40_DEV_MMC1]   = 0x01c1,
 [AW_R40_DEV_MMC2]   = 0x01c11000,
@@ -58,6 +59,7 @@ const hwaddr allwinner_r40_memmap[] = {
 [AW_R40_DEV_TWI2]   = 0x01c2b400,
 [AW_R40_DEV_TWI3]   = 0x01c2b800,
 [AW_R40_DEV_TWI4]   = 0x01c2c000,
+[AW_R40_DEV_GMAC]   = 0x01c5,
 [AW_R40_DEV_DRAMCOM]= 0x01c62000,
 [AW_R40_DEV_DRAMCTL]= 0x01c63000,
 [AW_R40_DEV_DRAMPHY]= 0x01c65000,
@@ -86,7 +88,6 @@ static struct AwR40Unimplemented r40_unimplemented[] = {
 { "spi1",   0x01c06000, 4 * KiB },
 { "cs0",0x01c09000, 4 * KiB },
 { "keymem", 0x01c0a000, 4 * KiB },
-{ "emac",   0x01c0b000, 4 * KiB },
 { "usb0-otg",   0x01c13000, 4 * KiB },
 { "usb0-host",  0x01c14000, 4 * KiB },
 { "crypto", 0x01c15000, 4 * KiB },
@@ -131,7 +132,6 @@ static struct AwR40Unimplemented r40_unimplemented[] = {
 { "tvd2",   0x01c33000, 4 * KiB },
 { "tvd3",   0x01c34000, 4 * KiB },
 { "gpu",0x01c4, 64 * KiB },
-{ "gmac",   0x01c5, 64 * KiB },
 { "hstmr",  0x01c6, 4 * KiB },
 { "tcon-top",   0x01c7, 4 * KiB },
 { "lcd0",   0x01c71000, 4 * KiB },
@@ -182,6 +182,8 @@ enum {
 AW_R40_GIC_SPI_MMC1  = 33,
 AW_R40_GIC_SPI_MMC2  = 34,
 AW_R40_GIC_SPI_MMC3  = 35,
+AW_R40_GIC_SPI_EMAC  = 55,
+AW_R40_GIC_SPI_GMAC  = 85,
 AW_R40_GIC_SPI_TWI3  = 88,
 AW_R40_GIC_SPI_TWI4  = 89,
 };
@@ -277,6 +279,11 @@ static void allwinner_r40_init(Object *obj)
 object_initialize_child(obj, "twi3", &s->i2c3, TYPE_AW_I2C_SUN6I);
 object_initialize_child(obj, "twi4", &s->i2c4, TYPE_AW_I2C_SUN6I);
 
+object_initialize_child(obj, "emac", &s->emac, TYPE_AW_EMAC);
+object_initialize_child(obj, "gmac", &s->gmac, TYPE_AW_SUN8I_EMAC);
+object_property_add_alias(obj, "gmac-phy-addr",
+  OBJECT(&s->gmac), "phy-addr");
+
 object_initialize_child(obj, "dramc", &s->dramc, TYPE_AW_R40_DRAMC);
 object_property_add_alias(obj, "ram-addr", OBJECT(&s->dramc),
  "ram-addr");
@@ -286,6 +293,7 @@ static void allwinner_r40_init(Object *obj)
 
 static void allwinner_r40_realize(DeviceState *dev, Error **errp)
 {
+const char *r40_nic_models[] = { "gmac", "emac", NULL };
 AwR40State *s = AW_R40(dev);
 unsigned i;
 
@@ -481,6 +489,42 @@ static void allwinner_r40_realize(DeviceState *dev, Error 
**errp)
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->dramc), 1, 
s->memmap[AW_R40_DEV_DRAMCTL]);
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->dramc), 2, 
s->memmap[AW_R40_DEV_DRAMPHY]);
 
+/* nic support gmac and emac */
+for (int i = 0; i < ARRAY_SIZE(r40_nic_models) - 1; i++) {
+NICInfo *nic = &nd_table[i];
+
+if (!nic->used)
+continue;
+if (qemu_show_nic_models(nic->model, r40_nic_models))
+exit(0);
+
+switch (qemu_find_nic_model(nic, r40_nic_models, r40_nic_models[0])) {
+case 0: /* gmac */
+qdev_set_nic_properties(DEVICE(&s->gmac), nic);
+break;
+case 1: /* emac */
+qdev_set_nic_properties(DEVICE(&s->emac), nic);
+break;
+default:
+exit(1);
+break;
+}
+}
+
+/* GMAC */
+object_property_set_link(OBJECT(&s->gmac), "dma-memory",
+ OBJECT(get_system_memory()), 
&error_fatal);
+sysbus_realize(SYS_BUS_DEVICE(&s->gmac), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->gmac), 0, s->memmap[AW_R40_DEV_GMAC]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->gmac), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_GMAC));
+
+/* EMAC */
+sysbus_realize(SYS_BUS_DEVICE(&s->emac), &error_fatal);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->emac), 0, s->memmap[AW_R40_DEV_EMAC]);
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->emac), 0,
+   qdev_get_gpio_in(DEVICE(&s->gic), AW_R40_GIC_SPI_EMAC));
+
 /* Unimplemented devices */
 for (i = 0; i < ARRAY_SIZE(r40_unimplemented); i++) {
 create_unimplemented_device(r40_unimp
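Review bot: the NIC loop declares "int i" inside allwinner_r40_realize(), which already has "unsigned i" (visible in the previous hunk), so the inner variable shadows the outer one; reuse the existing counter. The bodies of "if (!nic->used)" and "if (qemu_show_nic_models(...))" lack the braces QEMU's coding style requires. Nothing stops two nd_table entries from resolving to the same model, in which case qdev_set_nic_properties() is applied twice to one device and the other controller is left unconfigured; track which of gmac and emac has been claimed and report an error on the second request.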

Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Daniel P . Berrangé
On Tue, Mar 21, 2023 at 11:22:33AM +0100, Paolo Bonzini wrote:
> On 3/21/23 09:33, Cédric Le Goater wrote:
> > From: Cédric Le Goater
> > 
> > GCC13 reports an error :
> > 
> > ../util/async.c: In function ‘aio_bh_poll’:
> > include/qemu/queue.h:303:22: error: storing the address of local variable 
> > ‘slice’ in ‘*ctx.bh_slice_list.sqh_last’ [-Werror=dangling-pointer=]
> >303 | (head)->sqh_last = &(elm)->field.sqe_next; 
> >  \
> >| ~^~~~
> > ../util/async.c:169:5: note: in expansion of macro ‘QSIMPLEQ_INSERT_TAIL’
> >169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
> >| ^~~~
> > ../util/async.c:161:17: note: ‘slice’ declared here
> >161 | BHListSlice slice;
> >| ^
> > ../util/async.c:161:17: note: ‘ctx’ declared here
> > 
> > But the local variable 'slice' is removed from the global context list
> > in following loop of the same routine. Add an intermediate helper to
> > silent GCC. No functional change.
> 
> Before doing this, I would like to see a case where this bug was _not_
> caught by either Coverity (which is currently offline but I'm fixing it
> right now) or just cursory review.

IMHO coverity is not a substitute for this, because it is only available
post merge, while the GCC warning is available to all maintainers on
every build. As for code review, mistakes inevitably happen. 

Personally I find the code in this method pretty obtuse. It is hard to
reason about it to convince yourself that it is safe to be adding the
local variable to the global linked list and have it removed again
before returning.

Stefan has explained why it is correct, but I tend to think of the compiler
warning here as a sign that the code might be better to be written in a
different way that is more obviously correct. If this really is the best
way to write this method though, an alternative could be selectively
disabling the warning with a local pragma, along with adding a comment
to the method to explain why this unusual code pattern is indeed safe.

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|




Re: [PATCH v2] hw/net/can: Add mcp25625 model

2023-03-21 Thread Ben Dooks

On 17/03/2023 14:11, Pavel Pisa wrote:

Hello Ben,

thanks for update.

On Thursday 16 of March 2023 13:41:13 Ben Dooks wrote:

From: Ben Dooks 

Add support for Microchip MCP25625 SPI based CAN controller which is
very similar to the MCP2515 (and covered by the same Linux driver).

This can be added to any machine with SPI support in the machine
model file.

Example for using this when configured into a machine:

-object can-bus,id=canbus0 \
-object can-host-socketcan,id=canhost0,if=vcan0,canbus=canbus0 \
-global driver=mcp25625,property=canbus,value=canbus0

There is tracing support with --trace "*mcp25*"


Code looks good, I have patched actual QEMU sources and build
it successfully with your change.

I have not seen any warning.

I would like to test the mcp25625 CAN functionality.

I would prefer against some target which is already available
in QEMU and Linux kernel mainlines, so if somebody can suggest
some ARM which can connect SPI/SSI device it would be great.

I have setup /srv/nfs/debian-riscv64 chroot and used
it to prepare minimal 3 MB ramdisk.cpio with busybox
and full GLIBC and ip package.

I can run it with Debian provided RISC-V kernel
under QEMU compiled with your mcp25625 chip emulation

qemu-system-riscv64 -m 1G -M sifive_u -smp 2 \
   -initrd ramdisk.cpio \
   -kernel vmlinux-6.1.0-6-riscv64 \
   -nographic \
   -object can-bus,id=canbus0 \
   -object can-host-socketcan,id=canhost0,if=can0,canbus=canbus0 \
   -global driver=mcp25625,property=canbus,value=canbus0

I can see

/sys/bus/platform/devices/1004.spi
/sys/bus/platform/devices/1005.spi

I can run

   modprobe spi-sifive.ko

[   41.524160] sifive_spi 1004.spi: mapped; irq=21, cs=1
[   41.529305] sifive_spi 1005.spi: mapped; irq=22, cs=1

   modprobe mcp251x.ko

I can imagine to build device tree overlay and setup it from within
kernel if the device is already mapped

   cd /sys/kernel/config/device-tree/overlays
   [ -d  sifive_u-mcp25625 ] && rmdir sifive_u-mcp25625
   mkdir sifive_u-mcp25625
   cd sifive_u-mcp25625
   cat sifive_u-mcp25625.dtbo >dtbo
   echo 1 >status

which is what we do with CTU CAN FD ip on Zynq system
to run PL/FPGA update.

But from QEMU info qtree, I see that device is not mapped in QEMU...
Which is logic...

So please, can you send instruction how to proceed forward.

Do you have DTB prepared for testing or something similar?

In a longer term perspective, it would be ideal to provide
some update for documentation, how to use mcp25625 emulation

   https://www.qemu.org/docs/master/system/devices/can.html

By the way, if the Raspberry Pi emulation does not provide
right SPI emulation as you have noticed, what about BeagleBoneBlack?


At the moment it seems that qemu as a whole doesn't have a good
way of adding a generic spi device to a bus.


Does it support SPI? It could be good target to test that mcp25625
chip emulation is portable..


I've pushed our test branch out to:
https://gitlab.com/CodethinkLabs/qemu/-/commits/mcp25625_test

That adds an spi channel to the sifive_u machine and puts the
right dtb entry in there.

--
Ben Dooks   http://www.codethink.co.uk/
Senior Engineer Codethink - Providing Genius

https://www.codethink.co.uk/privacy.html




Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Paolo Bonzini
On Tue, 21 Mar 2023, 11:30 Daniel P. Berrangé  wrote:

> On Tue, Mar 21, 2023 at 11:22:33AM +0100, Paolo Bonzini wrote:
> > On 3/21/23 09:33, Cédric Le Goater wrote:
> > > From: Cédric Le Goater
> > >
> > > GCC13 reports an error :
> > >
> > > ../util/async.c: In function ‘aio_bh_poll’:
> > > include/qemu/queue.h:303:22: error: storing the address of local
> variable ‘slice’ in ‘*ctx.bh_slice_list.sqh_last’
> [-Werror=dangling-pointer=]
> > >303 | (head)->sqh_last = &(elm)->field.sqe_next;
>   \
> > >| ~^~~~
> > > ../util/async.c:169:5: note: in expansion of macro
> ‘QSIMPLEQ_INSERT_TAIL’
> > >169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
> > >| ^~~~
> > > ../util/async.c:161:17: note: ‘slice’ declared here
> > >161 | BHListSlice slice;
> > >| ^
> > > ../util/async.c:161:17: note: ‘ctx’ declared here
> > >
> > > But the local variable 'slice' is removed from the global context list
> > > in following loop of the same routine. Add an intermediate helper to
> > > silent GCC. No functional change.
> >
> > Before doing this, I would like to see a case where this bug was _not_
> > caught by either Coverity (which is currently offline but I'm fixing it
> > right now) or just cursory review.
>
> IMHO coverity is not a substitute for this, because it is only available
> post merge, while the GCC warning is available to all maintainers on
> every build. As for code review, mistakes inevitably happen.
>

Okay, then I would like to see a single SIGSEGV in QEMU that was caused by
a local variable making its way to a global pointer.

As to this specific case, we could add a bool removed flag to BHListSlice
and assert it before aio_bh_poll() returns, but I think even that is
overkill.

Paolo
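
The pattern debated in this thread, as an added example that is not QEMU's code and not part of any message above: a stack-allocated slice is linked into a long-lived context and has to be unlinked on every exit path. The structures, ctx_poll() and its budget parameter are hypothetical; the block combines the local pragma and the removed-flag check mentioned in the replies, and returns -1 where real code would assert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for BHListSlice and the per-context slice list. */
struct slice {
    struct slice *next;
    int pending;              /* callbacks still to run from this slice */
    bool removed;             /* the "removed" flag suggested in the thread */
};

struct ctx {
    struct slice *first;
    struct slice **last;      /* address of the tail's next field, or of first */
    int ran;                  /* callbacks executed so far */
};

static void ctx_init(struct ctx *c)
{
    c->first = NULL;
    c->last = &c->first;
    c->ran = 0;
}

/* Tail insert: the last store keeps the address of a field inside *elm in
 * the long-lived context, the store GCC reports when elm is a local. */
#define CTX_INSERT_TAIL(c, elm) do {    \
        (elm)->next = NULL;             \
        (elm)->removed = false;         \
        *(c)->last = (elm);             \
        (c)->last = &(elm)->next;       \
    } while (0)

/* Unlink s wherever it sits and repair the tail pointer if s was last. */
static void ctx_unlink(struct ctx *c, struct slice *s)
{
    struct slice **pp = &c->first;

    while (*pp != NULL && *pp != s) {
        pp = &(*pp)->next;
    }
    if (*pp == s) {
        *pp = s->next;
        if (s->next == NULL) {
            c->last = pp;
        }
        s->removed = true;
    }
}

/* Run callbacks from a stack-allocated slice. Returns the number run, or -1
 * when the exit check finds the slice still linked. budget < pending models
 * an early-exit path that forgot to unlink. */
int ctx_poll(struct ctx *c, int pending, int budget)
{
    struct slice slice;
    int ran = 0;
    slice.pending = pending;
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdangling-pointer"
#endif
    /* Safe only while every path out of this function unlinks `slice`. */
    CTX_INSERT_TAIL(c, &slice);
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 12
#pragma GCC diagnostic pop
#endif

    while (c->first != NULL) {
        struct slice *s = c->first;
        if (s->pending <= 0) {
            ctx_unlink(c, s);       /* normal path: slice drained */
        } else if (ran == budget) {
            break;                  /* modelled bug: leaves with s linked */
        } else {
            s->pending--;
            ran++;
        }
    }
    c->ran += ran;

    /* Exit check. Code that treats a failure as a bug would assert here;
     * this version unlinks so nothing dangles and reports the violation. */
    if (!slice.removed) {
        ctx_unlink(c, &slice);
        return -1;
    }
    return ran;
}

int main(void)
{
    struct ctx c;
    ctx_init(&c);
    printf("drained: %d\n", ctx_poll(&c, 3, 10));
    printf("early exit: %d\n", ctx_poll(&c, 3, 2));
    return 0;
}
```

The pragma is scoped to the single insert, so any other store of a local's address in the same function would still be reported.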


Re: [PATCH for-8.0 3/3] target/ppc: Fix helper_pminsn() prototype

2023-03-21 Thread Daniel Henrique Barboza




On 3/21/23 05:33, Cédric Le Goater wrote:

From: Cédric Le Goater 

GCC13 reports an error:

../target/ppc/excp_helper.c:2625:6: error: conflicting types for 
‘helper_pminsn’ due to enum/integer mismatch; have ‘void(CPUPPCState *, 
powerpc_pm_insn_t)’ {aka ‘void(struct CPUArchState *, powerpc_pm_insn_t)’} 
[-Werror=enum-int-mismatch]
  2625 | void helper_pminsn(CPUPPCState *env, powerpc_pm_insn_t insn)
   |  ^
In file included from /home/legoater/work/qemu/qemu.git/include/qemu/osdep.h:49,
  from ../target/ppc/excp_helper.c:19:
/home/legoater/work/qemu/qemu.git/include/exec/helper-head.h:23:27: note: 
previous declaration of ‘helper_pminsn’ with type ‘void(CPUArchState *, 
uint32_t)’ {aka ‘void(CPUArchState *, unsigned int)’}
23 | #define HELPER(name) glue(helper_, name)
   |   ^~~

Cc: Daniel Henrique Barboza 
Fixes: 7778a575c7 ("ppc: Add P7/P8 Power Management instructions")
Signed-off-by: Cédric Le Goater 
---


Reviewed-by: Daniel Henrique Barboza 


  target/ppc/excp_helper.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index 287659c74d..199328f4b6 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -2622,7 +2622,7 @@ void helper_scv(CPUPPCState *env, uint32_t lev)
  }
  }
  
-void helper_pminsn(CPUPPCState *env, powerpc_pm_insn_t insn)

+void helper_pminsn(CPUPPCState *env, uint32_t insn)
  {
  CPUState *cs;
  




RE: [PATCH for 8.0] igb: Save more Tx states

2023-03-21 Thread Sriram Yagnaraman

> -Original Message-
> From: qemu-devel-bounces+sriram.yagnaraman=est.t...@nongnu.org
>  On Behalf
> Of Sriram Yagnaraman
> Sent: Friday, 17 March 2023 16:26
> To: Akihiko Odaki 
> Cc: qemu-devel@nongnu.org; Jason Wang ; Dmitry
> Fleytman ; quint...@redhat.com; Philippe
> Mathieu-Daudé 
> Subject: RE: [PATCH for 8.0] igb: Save more Tx states
> 
> 
> > -Original Message-
> > From: Akihiko Odaki 
> > Sent: Friday, 17 March 2023 15:21
> > To: Sriram Yagnaraman 
> > Cc: qemu-devel@nongnu.org; Jason Wang ; Dmitry
> > Fleytman ; quint...@redhat.com; Philippe
> > Mathieu-Daudé 
> > Subject: Re: [PATCH for 8.0] igb: Save more Tx states
> >
> > On 2023/03/17 22:08, Sriram Yagnaraman wrote:
> > >
> > >
> > >> -Original Message-
> > >> From: Akihiko Odaki 
> > >> Sent: Friday, 17 March 2023 13:25
> > >> Cc: qemu-devel@nongnu.org; Jason Wang ;
> > Dmitry
> > >> Fleytman ; quint...@redhat.com; Philippe
> > >> Mathieu-Daudé ; Sriram Yagnaraman
> > >> ; Akihiko Odaki
> > >> 
> > >> Subject: [PATCH for 8.0] igb: Save more Tx states
> > >>
> > >> The current implementation of igb uses only part of a advanced Tx
> > >> context descriptor and first data descriptor because it misses some
> > >> features and sniffs the trait of the packet instead of respecting
> > >> the packet type specified in the descriptor. However, we will
> > >> certainly need the entire Tx context descriptor when we update igb
> > >> to respect these ignored fields. Save the entire context descriptor
> > >> and first data descriptor except the buffer address to prepare for such a
> change.
> > >>
> > >> This also introduces the distinction of contexts with different
> > >> indexes, which was not present in e1000e but in igb.
> > >>
> > >> Signed-off-by: Akihiko Odaki 
> > >> ---
> > >> Supersedes: <20230316155707.27007-1-akihiko.od...@daynix.com>
> > >>
> > >>   hw/net/igb.c  | 25 ++---
> > >>   hw/net/igb_core.c | 36 +++-
> > >>   hw/net/igb_core.h |  8 +++-
> > >>   3 files changed, 40 insertions(+), 29 deletions(-)
> > >>
> > >> diff --git a/hw/net/igb.c b/hw/net/igb.c index
> > >> c6d753df87..7c05896325
> > >> 100644
> > >> --- a/hw/net/igb.c
> > >> +++ b/hw/net/igb.c
> > >> @@ -502,16 +502,27 @@ static int igb_post_load(void *opaque, int
> > >> version_id)
> > >>   return igb_core_post_load(&s->core);  }
> > >>
> > >> -static const VMStateDescription igb_vmstate_tx = {
> > >> -.name = "igb-tx",
> > >> +static const VMStateDescription igb_vmstate_tx_ctx = {
> > >> +.name = "igb-tx-ctx",
> > >>   .version_id = 1,
> > >>   .minimum_version_id = 1,
> > >>   .fields = (VMStateField[]) {
> > >> -VMSTATE_UINT16(vlan, struct igb_tx),
> > >> -VMSTATE_UINT16(mss, struct igb_tx),
> > >> -VMSTATE_BOOL(tse, struct igb_tx),
> > >> -VMSTATE_BOOL(ixsm, struct igb_tx),
> > >> -VMSTATE_BOOL(txsm, struct igb_tx),
> > >> +VMSTATE_UINT32(vlan_macip_lens, struct
> > e1000_adv_tx_context_desc),
> > >> +VMSTATE_UINT32(seqnum_seed, struct
> e1000_adv_tx_context_desc),
> > >> +VMSTATE_UINT32(type_tucmd_mlhl, struct
> > >> e1000_adv_tx_context_desc),
> > >> +VMSTATE_UINT32(mss_l4len_idx, struct
> e1000_adv_tx_context_desc),
> > >> +}
> > >> +};
> > >> +
> > >> +static const VMStateDescription igb_vmstate_tx = {
> > >> +.name = "igb-tx",
> > >> +.version_id = 2,
> > >> +.minimum_version_id = 2,
> > >> +.fields = (VMStateField[]) {
> > >> +VMSTATE_STRUCT_ARRAY(ctx, struct igb_tx, 2, 0,
> igb_vmstate_tx_ctx,
> > >> + struct e1000_adv_tx_context_desc),
> > >> +VMSTATE_UINT32(first_cmd_type_len, struct igb_tx),
> > >> +VMSTATE_UINT32(first_olinfo_status, struct igb_tx),
> > >>   VMSTATE_BOOL(first, struct igb_tx),
> > >>   VMSTATE_BOOL(skip_cp, struct igb_tx),
> > >>   VMSTATE_END_OF_LIST()
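Review bot: the fields array of the new igb_vmstate_tx_ctx ends after its four VMSTATE_UINT32 entries with no VMSTATE_END_OF_LIST(), unlike igb_vmstate_tx directly below it, so the code that walks this description during save and load has no terminator to stop at; add VMSTATE_END_OF_LIST() as the last entry. The bump of igb-tx to version_id and minimum_version_id 2 rejects streams saved with version 1, which deserves a sentence in the commit message.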
> > >> diff --git a/hw/net/igb_core.c b/hw/net/igb_core.c index
> > >> a7c7bfdc75..36027c2b54 100644
> > >> --- a/hw/net/igb_core.c
> > >> +++ b/hw/net/igb_core.c
> > >> @@ -389,8 +389,10 @@ igb_rss_parse_packet(IGBCore *core, struct
> > >> NetRxPkt *pkt, bool tx,  static bool  igb_setup_tx_offloads(IGBCore
> > >> *core, struct igb_tx
> > >> *tx)  {
> > >> -if (tx->tse) {
> > >> -if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true, tx->mss)) 
> > >> {
> > >> +if (tx->first_cmd_type_len & E1000_ADVTXD_DCMD_TSE) {
> > >> +uint32_t idx = (tx->first_olinfo_status >> 4) & 1;
> > >
> > > [...] More below
> > >
> > >> +uint32_t mss = tx->ctx[idx].mss_l4len_idx >> 16;
> > >> +if (!net_tx_pkt_build_vheader(tx->tx_pkt, true, true,
> > >> + mss)) {
> > >>   return false;
> > >>   }
> > >>
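Review bot: in igb_setup_tx_offloads() the context index and the MSS are extracted with bare constants, "(tx->first_olinfo_status >> 4) & 1" and "mss_l4len_idx >> 16"; named shift and mask macros alongside E1000_ADVTXD_DCMD_TSE would document which descriptor bits are meant and tie the index range to the two-entry ctx array instead of a literal "& 1".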
> > >> @@ -399,13 +401,13 @@ igb_setup_tx_offloads(IGBCore *core, struct
> > >> igb_tx
> > >> *tx)
> > >>   return true;
> > >>   }
> > >>
> > >> -if (tx->txsm) {
> > >> +

Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Stefan Hajnoczi
On Tue, Mar 21, 2023 at 09:33:20AM +0100, Cédric Le Goater wrote:
> From: Cédric Le Goater 
> 
> GCC13 reports an error :
> 
> ../util/async.c: In function ‘aio_bh_poll’:
> include/qemu/queue.h:303:22: error: storing the address of local variable 
> ‘slice’ in ‘*ctx.bh_slice_list.sqh_last’ [-Werror=dangling-pointer=]
>   303 | (head)->sqh_last = &(elm)->field.sqe_next;
>   \
>   | ~^~~~
> ../util/async.c:169:5: note: in expansion of macro ‘QSIMPLEQ_INSERT_TAIL’
>   169 | QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
>   | ^~~~
> ../util/async.c:161:17: note: ‘slice’ declared here
>   161 | BHListSlice slice;
>   | ^
> ../util/async.c:161:17: note: ‘ctx’ declared here
> 
> But the local variable 'slice' is removed from the global context list
> in following loop of the same routine. Add an intermediate helper to
> silent GCC. No functional change.
> 
> Cc: Stefan Hajnoczi 
> Cc: Paolo Bonzini 
> Cc: Daniel P. Berrangé 
> Signed-off-by: Cédric Le Goater 
> ---
>  util/async.c | 13 -
>  1 file changed, 12 insertions(+), 1 deletion(-)

Thanks!

Reviewed-by: Stefan Hajnoczi 




[RFC PATCH] tests/avocado: probe for multi-process support before running test

2023-03-21 Thread Alex Bennée
A recent attempt to let avocado run more tests on the CentOS stream
build failed because there was no gating on the multiprocess feature.
Like missing accelerators avocado should gracefully skip when the
feature is not enabled.

In this case we use the existence of the proxy device as a proxy for
multi-process support.

Signed-off-by: Alex Bennée 
Cc: Elena Ufimtseva 
Cc: Jagannathan Raman 
Cc: John G Johnson 
---
 tests/avocado/avocado_qemu/__init__.py | 10 ++
 tests/avocado/multiprocess.py  |  1 +
 2 files changed, 11 insertions(+)

diff --git a/tests/avocado/avocado_qemu/__init__.py 
b/tests/avocado/avocado_qemu/__init__.py
index a313e88c07..cb71f50db9 100644
--- a/tests/avocado/avocado_qemu/__init__.py
+++ b/tests/avocado/avocado_qemu/__init__.py
@@ -309,6 +309,16 @@ def require_netdev(self, netdevname):
 if netdevhelp.find('\n' + netdevname + '\n') < 0:
 self.cancel('no support for user networking')
 
+def require_multiprocess(self):
+"""
+Test for the presence of the x-pci-proxy-dev which is required
+to support multiprocess.
+"""
+devhelp = run_cmd([self.qemu_bin,
+   '-M', 'none', '-device', 'help'])[0];
+if devhelp.find('x-pci-proxy-dev') < 0:
+self.cancel('no support for multiprocess device emulation')
+
 def _new_vm(self, name, *args):
 self._sd = tempfile.TemporaryDirectory(prefix="qemu_")
 vm = QEMUMachine(self.qemu_bin, base_temp_dir=self.workdir,
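Review bot: in require_multiprocess(), the `run_cmd(...)[0];` assignment ends with a stray semicolon that should be dropped. The check also looks for `x-pci-proxy-dev` as a bare substring anywhere in the `-device help` output, whereas require_netdev() just above delimits the name with newlines; matching a delimited form of the device name would keep a longer name that merely contains this string from satisfying the probe.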
diff --git a/tests/avocado/multiprocess.py b/tests/avocado/multiprocess.py
index 80a3b8f442..9112a4cacc 100644
--- a/tests/avocado/multiprocess.py
+++ b/tests/avocado/multiprocess.py
@@ -22,6 +22,7 @@ def do_test(self, kernel_url, initrd_url, kernel_command_line,
 machine_type):
 """Main test method"""
 self.require_accelerator('kvm')
+self.require_multiprocess()
 
 # Create socketpair to connect proxy and remote processes
 proxy_sock, remote_sock = socket.socketpair(socket.AF_UNIX,
-- 
2.39.2




Re: [RFC PATCH 40/43] target/loongarch: Implement vreplve vpack vpick

2023-03-21 Thread gaosong

Hi, Richard

On 2022/12/25 at 5:12 AM, Richard Henderson wrote:

On 12/24/22 00:16, Song Gao wrote:

+TRANS(vreplve_b, gen_vvr, gen_helper_vreplve_b)
+TRANS(vreplve_h, gen_vvr, gen_helper_vreplve_h)
+TRANS(vreplve_w, gen_vvr, gen_helper_vreplve_w)
+TRANS(vreplve_d, gen_vvr, gen_helper_vreplve_d)
+TRANS(vreplvei_b, gen_vv_i, gen_helper_vreplvei_b)
+TRANS(vreplvei_h, gen_vv_i, gen_helper_vreplvei_h)
+TRANS(vreplvei_w, gen_vv_i, gen_helper_vreplvei_w)
+TRANS(vreplvei_d, gen_vv_i, gen_helper_vreplvei_d)

tcg_gen_gvec_dupm.

In the case of imm, this will be cpu_env + offsetof.

e.g  vreplvei_b  vd, vj, imm
vd->B(i) = Vj->B(imm);
tcg_gen_gvec_dup_mem(MO_8,  vreg_full_offset(a->vd), 
offsetof(CPULoongArchState,  fpr[a->vj].vreg.B(a->imm)),

 16, 16);
this case no problem.

In the case of reg, compute cpu_env + register offset + offsetof.


but for this case.
e.g
vreplve_b  vd vj, rk
index  = gpr[rk] % (128/8);
Vd->B(i) = Vj->B(index);
tcg_gen_gvec_dup_mem(MO_8, vreg_full_offset(a->vd), 
offsetof(CPULoongArchState, fpr[a->vj].vreg.B(index))), 16, 16 );


How can we get the index with cpu_env? or  need env->gpr[rk]?
The index type is not TCGv.
I have no idea.

Thanks.
Song Gao

+TRANS(vbsll_v, gen_vv_i, gen_helper_vbsll_v)
+TRANS(vbsrl_v, gen_vv_i, gen_helper_vbsrl_v)


These can use tcg_gen_extract2_i64, with imm * 8 bit shift.


r~





Re: [PATCH v4 1/3] numa: Validate cluster and NUMA node boundary if required

2023-03-21 Thread Alistair Francis
On Fri, Mar 17, 2023 at 4:29 PM Gavin Shan  wrote:
>
> For some architectures like ARM64, multiple CPUs in one cluster can be
> associated with different NUMA nodes, which is irregular configuration
> because we shouldn't have this in baremetal environment. The irregular
> configuration causes Linux guest to misbehave, as the following warning
> messages indicate.
>
>   -smp 6,maxcpus=6,sockets=2,clusters=1,cores=3,threads=1 \
>   -numa node,nodeid=0,cpus=0-1,memdev=ram0\
>   -numa node,nodeid=1,cpus=2-3,memdev=ram1\
>   -numa node,nodeid=2,cpus=4-5,memdev=ram2\
>
>   [ cut here ]
>   WARNING: CPU: 0 PID: 1 at kernel/sched/topology.c:2271 
> build_sched_domains+0x284/0x910
>   Modules linked in:
>   CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.14.0-268.el9.aarch64 #1
>   pstate: 0045 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>   pc : build_sched_domains+0x284/0x910
>   lr : build_sched_domains+0x184/0x910
>   sp : 8804bd50
>   x29: 8804bd50 x28: 0002 x27: 
>   x26: 89cf9a80 x25:  x24: 89cbf840
>   x23: 80325000 x22: 005df800 x21: 8a4ce508
>   x20:  x19: 80324440 x18: 0014
>   x17: 388925c0 x16: 5386a066 x15: 9c10cc2e
>   x14: 01c0 x13: 0001 x12: 7fffb1a0
>   x11: 7fffb180 x10: 8a4ce508 x9 : 0041
>   x8 : 8a4ce500 x7 : 8a4cf920 x6 : 0001
>   x5 : 0001 x4 : 0007 x3 : 0002
>   x2 : 1000 x1 : 8a4cf928 x0 : 0001
>   Call trace:
>build_sched_domains+0x284/0x910
>sched_init_domains+0xac/0xe0
>sched_init_smp+0x48/0xc8
>kernel_init_freeable+0x140/0x1ac
>kernel_init+0x28/0x140
>ret_from_fork+0x10/0x20
>
> Improve the situation to warn when multiple CPUs in one cluster have
> been associated with different NUMA nodes. However, one NUMA node is
> allowed to be associated with different clusters.
>
> Signed-off-by: Gavin Shan 
> Acked-by: Philippe Mathieu-Daudé 

Acked-by: Alistair Francis 

Alistair

> ---
>  hw/core/machine.c   | 42 ++
>  include/hw/boards.h |  1 +
>  2 files changed, 43 insertions(+)
>
> diff --git a/hw/core/machine.c b/hw/core/machine.c
> index 45e3d24fdc..a2329f975d 100644
> --- a/hw/core/machine.c
> +++ b/hw/core/machine.c
> @@ -1255,6 +1255,45 @@ static void machine_numa_finish_cpu_init(MachineState 
> *machine)
>  g_string_free(s, true);
>  }
>
> +static void validate_cpu_cluster_to_numa_boundary(MachineState *ms)
> +{
> +MachineClass *mc = MACHINE_GET_CLASS(ms);
> +NumaState *state = ms->numa_state;
> +const CPUArchIdList *possible_cpus = mc->possible_cpu_arch_ids(ms);
> +const CPUArchId *cpus = possible_cpus->cpus;
> +int i, j;
> +
> +if (state->num_nodes <= 1 || possible_cpus->len <= 1) {
> +return;
> +}
> +
> +/*
> + * The Linux scheduling domain can't be parsed when the multiple CPUs
> + * in one cluster have been associated with different NUMA nodes. 
> However,
> + * it's fine to associate one NUMA node with CPUs in different clusters.
> + */
> +for (i = 0; i < possible_cpus->len; i++) {
> +for (j = i + 1; j < possible_cpus->len; j++) {
> +if (cpus[i].props.has_socket_id &&
> +cpus[i].props.has_cluster_id &&
> +cpus[i].props.has_node_id &&
> +cpus[j].props.has_socket_id &&
> +cpus[j].props.has_cluster_id &&
> +cpus[j].props.has_node_id &&
> +cpus[i].props.socket_id == cpus[j].props.socket_id &&
> +cpus[i].props.cluster_id == cpus[j].props.cluster_id &&
> +cpus[i].props.node_id != cpus[j].props.node_id) {
> +warn_report("CPU-%d and CPU-%d in socket-%ld-cluster-%ld "
> + "have been associated with node-%ld and 
> node-%ld "
> + "respectively. It can cause OSes like Linux to "
> + "misbehave", i, j, cpus[i].props.socket_id,
> + cpus[i].props.cluster_id, cpus[i].props.node_id,
> + cpus[j].props.node_id);
> +}
> +}
> +}
> +}
> +
>  MemoryRegion *machine_consume_memdev(MachineState *machine,
>   HostMemoryBackend *backend)
>  {
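Review bot: the nested loop in validate_cpu_cluster_to_numa_boundary() calls warn_report() once for every offending CPU pair, so a single misconfigured cluster on a large topology produces a quadratic number of near-identical warnings. Consider reporting once per cluster (or stopping after the first hit). The format string also prints socket_id, cluster_id and node_id with `%ld`; if those props are 64-bit integers, PRId64 is the portable specifier on hosts where long is 32 bits.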
> @@ -1340,6 +1379,9 @@ void machine_run_board_init(MachineState *machine, 
> const char *mem_path, Error *
>  numa_complete_configuration(machine);
>  if (machine->numa_state->num_nodes) {
>  machine_numa_finish_cpu_init(machine);
> +if (machine_class->cpu_cluster_has_numa_boundary) {
> +validate_cpu_cluster_to_numa_boundary(machine);
> + 

Re: [PATCH v4 3/3] hw/riscv: Validate cluster and NUMA node boundary

2023-03-21 Thread Alistair Francis
On Fri, Mar 17, 2023 at 4:29 PM Gavin Shan  wrote:
>
> There are two RISCV machines where NUMA is aware: 'virt' and 'spike'.
> Both of them are required to follow cluster-NUMA-node boundary. To
> enable the validation to warn about the irregular configuration where
> multiple CPUs in one cluster has been associated with multiple NUMA
> nodes.
>
> Signed-off-by: Gavin Shan 
> Reviewed-by: Daniel Henrique Barboza 

Acked-by: Alistair Francis 

Alistair

> ---
>  hw/riscv/spike.c | 2 ++
>  hw/riscv/virt.c  | 2 ++
>  2 files changed, 4 insertions(+)
>
> diff --git a/hw/riscv/spike.c b/hw/riscv/spike.c
> index a584d5b3a2..4bf783884b 100644
> --- a/hw/riscv/spike.c
> +++ b/hw/riscv/spike.c
> @@ -349,6 +349,8 @@ static void spike_machine_class_init(ObjectClass *oc, 
> void *data)
>  mc->cpu_index_to_instance_props = riscv_numa_cpu_index_to_props;
>  mc->get_default_cpu_node_id = riscv_numa_get_default_cpu_node_id;
>  mc->numa_mem_supported = true;
> +/* platform instead of architectural choice */
> +mc->cpu_cluster_has_numa_boundary = true;
>  mc->default_ram_id = "riscv.spike.ram";
>  }
>
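Review bot: the comment `/* platform instead of architectural choice */` above `mc->cpu_cluster_has_numa_boundary = true` in spike_machine_class_init() does not say what the flag does. State that it turns on the cluster-to-NUMA-node boundary validation warning for this machine, and use the same wording for the identical line in virt.c.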
> diff --git a/hw/riscv/virt.c b/hw/riscv/virt.c
> index 4e3efbee16..84a2bca460 100644
> --- a/hw/riscv/virt.c
> +++ b/hw/riscv/virt.c
> @@ -1678,6 +1678,8 @@ static void virt_machine_class_init(ObjectClass *oc, 
> void *data)
>  mc->cpu_index_to_instance_props = riscv_numa_cpu_index_to_props;
>  mc->get_default_cpu_node_id = riscv_numa_get_default_cpu_node_id;
>  mc->numa_mem_supported = true;
> +/* platform instead of architectural choice */
> +mc->cpu_cluster_has_numa_boundary = true;
>  mc->default_ram_id = "riscv_virt_board.ram";
>  assert(!mc->get_hotplug_handler);
>  mc->get_hotplug_handler = virt_machine_get_hotplug_handler;
> --
> 2.23.0
>
>



Re: [PATCH for-8.0] docs/system/arm/cpu-features.rst: Fix formatting

2023-03-21 Thread Peter Maydell
On Thu, 16 Mar 2023 at 11:41, Peter Maydell  wrote:
>
> On Thu, 16 Mar 2023 at 11:11, Cornelia Huck  wrote:
> >
> > On Thu, Mar 16 2023, Peter Maydell  wrote:
> >
> > > The markup for the Arm CPU feature documentation is incorrect,
> > > and results in the HTML not rendering correctly -- the first
> > > line of each description is rendered in boldface as if it
> > > were part of the option name.
> > >
> > > Reformat to match the styling used in cpu-models-x86.rst.inc.
> > >
> > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1479
> > > Signed-off-by: Peter Maydell 
> > > ---
> > >  docs/system/arm/cpu-features.rst | 68 ++--
> > >  1 file changed, 30 insertions(+), 38 deletions(-)
> >
> > (...)
> >
> > > @@ -217,16 +210,15 @@ TCG VCPU Features
> > >  TCG VCPU features are CPU features that are specific to TCG.
> > >  Below is the list of TCG VCPU features and their descriptions.
> > >
> > > -  pauth-impdef When ``FEAT_Pauth`` is enabled, either the
> > > -   *impdef* (Implementation Defined) algorithm
> > > -   is enabled or the *architected* QARMA 
> > > algorithm
> > > -   is enabled.  By default the impdef algorithm
> > > -   is disabled, and QARMA is enabled.
> > > +``pauth-impdef``
> > > +  When ``FEAT_Pauth`` is enabled, either the *impdef* (Implementation
> > > +  Defined) algorithm is enabled or the *architected* QARMA algorithm
> > > +  is enabled.  By default the impdef algorithm is disabled, and QARMA
> > > +  is enabled.
> > >
> > > -   The architected QARMA algorithm has good
> > > -   cryptographic properties, but can be quite 
> > > slow
> > > -   to emulate.  The impdef algorithm used by QEMU
> > > -   is non-cryptographic but significantly faster.
> > > +  The architected QARMA algorithm has good ryptographic properties,
> >
> > You dropped a 'c' here --^
>
> Well spotted...

There weren't any review comments other than the typo, so I'm going
to fix that and apply to target-arm.next.

thanks
-- PMM



Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Paolo Bonzini

On 3/21/23 09:33, Cédric Le Goater wrote:

+static void aio_bh_slice_insert(AioContext *ctx, BHListSlice *slice)
+{
+QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, slice, next);
+}
+
  /* Multiple occurrences of aio_bh_poll cannot be called concurrently. */
  int aio_bh_poll(AioContext *ctx)
  {
@@ -164,7 +169,13 @@ int aio_bh_poll(AioContext *ctx)
  
  /* Synchronizes with QSLIST_INSERT_HEAD_ATOMIC in aio_bh_enqueue().  */

  QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
-QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+
+/*
+ * GCC13 [-Werror=dangling-pointer=] complains that the local variable
+ * 'slice' is being stored in a global list in 'ctx->bh_slice_list'.
+ * Use a helper to silent the compiler
+ */
+aio_bh_slice_insert(ctx, &slice);
  
  while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {

  QEMUBH *bh;
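Review bot: the suppression in aio_bh_poll() works only as long as GCC does not see through aio_bh_slice_insert(); a static helper with a single caller is a likely inlining candidate, and once it is inlined the store of `&slice` into `ctx->bh_slice_list` is visible again and the warning can come back. If the helper stays, mark it so it cannot be inlined and say so in the comment, which should also read "to silence the compiler".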
--


Sorry, but an API that has "insert" and not "remove", and where the 
argument is *expected to be* a local variable (which must be removed to 
avoid a dangling pointer---and the warning is exactly 
-Wdangling-pointer), ranks at least -7 in the bad API ranking[1].


I tried wrapping the BHListSlice and BHListSlice* into an iterator 
struct (which is also really overkill, but at least---in theory---it's 
idiomatic), but the code was hard to follow.


The fact that the workaround is so ugly, in my opinion, points even more 
strongly at the compiler being in the wrong here.


Paolo

[1] http://sweng.the-davies.net/Home/rustys-api-design-manifesto




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread Wu, Fei
On 3/21/2023 5:47 PM, liweiwei wrote:
> 
> On 2023/3/21 17:14, Wu, Fei wrote:
>> On 3/21/2023 4:50 PM, liweiwei wrote:
>>> On 2023/3/21 16:40, Wu, Fei wrote:
 On 3/21/2023 4:28 PM, liweiwei wrote:
> On 2023/3/21 14:37, fei2...@intel.com wrote:
>> From: Fei Wu 
>>
>> Kernel needs to access user mode memory e.g. during syscalls, the
>> window
>> is usually opened up for a very limited time through MSTATUS.SUM, the
>> overhead is too much if tlb_flush() gets called for every SUM change.
>> This patch saves addresses accessed when SUM=1, and flushs only these
>> pages when SUM changes to 0. If the buffer is not large enough to
>> save
>> all the pages during SUM=1, it will fall back to tlb_flush when
>> necessary.
>>
>> The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
>> most of the time kernel accesses 1 or 2 pages, it's very rare to see
>> more than 4 pages accessed.
>>
>> It's not necessary to save/restore these new added status, as
>> tlb_flush() is always called after restore.
>>
>> Result of 'pipe 10' from unixbench boosts from 223656 to 1327407.
>> Many
>> other syscalls benefit a lot from this one too.
>>
>> Signed-off-by: Fei Wu 
>> Reviewed-by: LIU Zhiwei 
>> ---
>>     target/riscv/cpu.h    |  4 
>>     target/riscv/cpu_helper.c |  7 +++
>>     target/riscv/csr.c    | 14 +-
>>     3 files changed, 24 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
>> index 638e47c75a..926dbce59f 100644
>> --- a/target/riscv/cpu.h
>> +++ b/target/riscv/cpu.h
>> @@ -383,6 +383,10 @@ struct CPUArchState {
>>     uint64_t kvm_timer_compare;
>>     uint64_t kvm_timer_state;
>>     uint64_t kvm_timer_frequency;
>> +
>> +#define MAX_CACHED_SUM_U_ADDR_NUM 4
>> +    uint64_t sum_u_count;
>> +    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
>>     };
>>       OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
>> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
>> index f88c503cf4..5ad0418eb6 100644
>> --- a/target/riscv/cpu_helper.c
>> +++ b/target/riscv/cpu_helper.c
>> @@ -1068,6 +1068,13 @@ restart:
>>     (access_type == MMU_DATA_STORE || (pte &
>> PTE_D))) {
>>     *prot |= PAGE_WRITE;
>>     }
>> +    if ((pte & PTE_U) && (mode & PRV_S) &&
>> +    get_field(env->mstatus, MSTATUS_SUM)) {
>> +    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    env->sum_u_addr[env->sum_u_count] = addr;
>> +    }
>> +    ++env->sum_u_count;
>> +    }
>>     return TRANSLATE_SUCCESS;
>>     }
>>     }
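Review bot: in the block added before `return TRANSLATE_SUCCESS`, `(mode & PRV_S)` is a bit test rather than an equality, so it also holds for any privilege value that has that bit set and not only for S-mode. Use `mode == PRV_S`, or add a comment if other modes are meant to be tracked as well. `sum_u_count` also keeps incrementing without bound once the buffer is full; saturating it at MAX_CACHED_SUM_U_ADDR_NUM + 1 would make its role as an overflow marker explicit.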
>> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
>> index ab566639e5..74b7638c8a 100644
>> --- a/target/riscv/csr.c
>> +++ b/target/riscv/csr.c
>> @@ -1246,9 +1246,21 @@ static RISCVException
>> write_mstatus(CPURISCVState *env, int csrno,
>>       /* flush tlb on mstatus fields that affect VM */
>>     if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP |
>> MSTATUS_MPV |
>> -    MSTATUS_MPRV | MSTATUS_SUM)) {
>> +    MSTATUS_MPRV)) {
>>     tlb_flush(env_cpu(env));
>> +    env->sum_u_count = 0;
>> +    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
>> +    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    tlb_flush(env_cpu(env));
>> +    } else {
>> +    for (int i = 0; i < env->sum_u_count; ++i) {
>> +    tlb_flush_page_by_mmuidx(env_cpu(env),
>> env->sum_u_addr[i],
>> + 1 << PRV_S | 1 << PRV_M);
>> +    }
>> +    }
>> +    env->sum_u_count = 0;
>>     }
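Review bot: the per-page path in write_mstatus() flushes only the mmu indexes `1 << PRV_S | 1 << PRV_M`, and a translation left behind in any other index would let supervisor code keep reaching user pages after SUM has been cleared. Add a comment explaining why no other index can hold an entry created while SUM=1, or fall back to tlb_flush() when that cannot be guaranteed. The loop also compares `int i` against `sum_u_count`, which the cpu.h hunk declares as uint64_t; give the index a matching unsigned type.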
> Whether tlb should  be flushed when SUM is changed from 0 to 1?
>
 When SUM is changed from 0 to 1, all the existing tlb entries remain
 valid as the permission is elevated instead of reduced, so I don't
 think
 it's necessary to flush tlb.
>>> If elevated not unchanged, I think the tlb also needs update, since new
>>> permitted access rights may be added to the tlb.
>>>
>> Assume the following flow, if the new rights have been added to tlb
>> during SUM=0, they're visible and still valid after setting SUM=1 again.
>> Could you please add a specific counter example in this flow?
>>
> Assuming addr0 cannot be access from S mode when SUM = 0, but can be
> accessed from S mode if SUM=1,
> 
> and there is a tlb entry for it when SUM = 0
> 
>> enable uaccess (set SUM = 1)
> if we don't flush it when we change SUM to 1 in this step
>> ... (access user mem from S mo

Re: [PATCH 02/45] target/riscv: Refactor some of the generic vector functionality

2023-03-21 Thread Christoph Müllner
On Fri, Mar 10, 2023 at 5:06 PM Lawrence Hunter
 wrote:
>
> From: Kiran Ostrolenk 
>
> Summary of refactoring:
>
> * take some functions/macros out of `vector_helper` and put them in a
> new module called `vector_internals`
>
> * factor the non SEW-specific stuff out of `GEN_OPIVV_TRANS` into
> function `opivv_trans` (similar to `opivi_trans`)

I think splitting this commit into two changes would be better.
Besides that the two changes look reasonable and correct.

BR
Christoph

>
> All this refactoring ensures more functions/macros can be used by both
> vector and vector-crypto helpers (latter implemented in proceeding
> commit).
>
> Signed-off-by: Kiran Ostrolenk 
> ---
>  target/riscv/insn_trans/trans_rvv.c.inc |  62 +-
>  target/riscv/meson.build|   1 +
>  target/riscv/vector_helper.c| 155 +---
>  target/riscv/vector_internals.c |  57 +
>  target/riscv/vector_internals.h | 155 
>  5 files changed, 246 insertions(+), 184 deletions(-)
>  create mode 100644 target/riscv/vector_internals.c
>  create mode 100644 target/riscv/vector_internals.h
>
> diff --git a/target/riscv/insn_trans/trans_rvv.c.inc 
> b/target/riscv/insn_trans/trans_rvv.c.inc
> index f2e3d38515..4106bd6994 100644
> --- a/target/riscv/insn_trans/trans_rvv.c.inc
> +++ b/target/riscv/insn_trans/trans_rvv.c.inc
> @@ -1643,38 +1643,40 @@ GEN_OPIWX_WIDEN_TRANS(vwadd_wx)
>  GEN_OPIWX_WIDEN_TRANS(vwsubu_wx)
>  GEN_OPIWX_WIDEN_TRANS(vwsub_wx)
>
> +static bool opivv_trans(uint32_t vd, uint32_t vs1, uint32_t vs2, uint32_t vm,
> +gen_helper_gvec_4_ptr *fn, DisasContext *s)
> +{
> +uint32_t data = 0;
> +TCGLabel *over = gen_new_label();
> +tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_vl, 0, over);
> +tcg_gen_brcond_tl(TCG_COND_GEU, cpu_vstart, cpu_vl, over);
> +
> +data = FIELD_DP32(data, VDATA, VM, vm);
> +data = FIELD_DP32(data, VDATA, LMUL, s->lmul);
> +data = FIELD_DP32(data, VDATA, VTA, s->vta);
> +data = FIELD_DP32(data, VDATA, VTA_ALL_1S, s->cfg_vta_all_1s);
> +data = FIELD_DP32(data, VDATA, VMA, s->vma);
> +tcg_gen_gvec_4_ptr(vreg_ofs(s, vd), vreg_ofs(s, 0), vreg_ofs(s, vs1),
> +   vreg_ofs(s, vs2), cpu_env, s->cfg_ptr->vlen / 8,
> +   s->cfg_ptr->vlen / 8, data, fn);
> +mark_vs_dirty(s);
> +gen_set_label(over);
> +return true;
> +}
> +
>  /* Vector Integer Add-with-Carry / Subtract-with-Borrow Instructions */
>  /* OPIVV without GVEC IR */
> -#define GEN_OPIVV_TRANS(NAME, CHECK)   \
> -static bool trans_##NAME(DisasContext *s, arg_rmrr *a) \
> -{  \
> -if (CHECK(s, a)) { \
> -uint32_t data = 0; \
> -static gen_helper_gvec_4_ptr * const fns[4] = {\
> -gen_helper_##NAME##_b, gen_helper_##NAME##_h,  \
> -gen_helper_##NAME##_w, gen_helper_##NAME##_d,  \
> -}; \
> -TCGLabel *over = gen_new_label();  \
> -tcg_gen_brcondi_tl(TCG_COND_EQ, cpu_vl, 0, over);  \
> -tcg_gen_brcond_tl(TCG_COND_GEU, cpu_vstart, cpu_vl, over); \
> -   \
> -data = FIELD_DP32(data, VDATA, VM, a->vm); \
> -data = FIELD_DP32(data, VDATA, LMUL, s->lmul); \
> -data = FIELD_DP32(data, VDATA, VTA, s->vta);   \
> -data = \
> -FIELD_DP32(data, VDATA, VTA_ALL_1S, s->cfg_vta_all_1s);\
> -data = FIELD_DP32(data, VDATA, VMA, s->vma);   \
> -tcg_gen_gvec_4_ptr(vreg_ofs(s, a->rd), vreg_ofs(s, 0), \
> -   vreg_ofs(s, a->rs1),\
> -   vreg_ofs(s, a->rs2), cpu_env,   \
> -   s->cfg_ptr->vlen / 8,   \
> -   s->cfg_ptr->vlen / 8, data, \
> -   fns[s->sew]);   \
> -mark_vs_dirty(s);  \
> -gen_set_label(over);   \
> -return true;   \
> -}  \
> -return false;  \
> +#define GEN_OPIVV_TRANS(NAME, CHECK) \
> +static bool trans_##NAME(DisasContext *s, arg_rmrr *a)   \
> +{\
> +if (CHECK(s, a)) { 

Re: [PATCH 00/45] Add RISC-V vector cryptographic instruction set support

2023-03-21 Thread Christoph Müllner
On Fri, Mar 10, 2023 at 10:16 AM Lawrence Hunter
 wrote:
>
> This patchset provides an implementation for Zvkb, Zvkned, Zvknh, Zvksh, 
> Zvkg, and Zvksed of the draft RISC-V vector cryptography extensions as per 
> the 20230303 version of the specification(1) (1fcbb30). Please note that the 
> Zvkt data-independent execution latency extension has not been implemented, 
> and we would recommend not using these patches in an environment where timing 
> attacks are an issue.
>
> Work performed by Dickon, Lawrence, Nazar, Kiran, and William from Codethink 
> sponsored by SiFive, as well as Max Chou and Frank Chang from SiFive.
>
> For convenience we have created a git repo with our patches on top of a 
> recent master. https://github.com/CodethinkLabs/qemu-ct

I did test and review this patchset.
Since most of my comments affect multiple patches I have summarized
them here in one email.
Observations that only affect a single patch will be sent in response
to the corresponding email.

I have tested this series with the OpenSSL PR for Zvk that can be found here:
  https://github.com/openssl/openssl/pull/20149
I ran with all Zvk* extensions enabled (using Zvkg for GCM) and with
Zvkb only (using Zvkb for GCM).
All tests succeed. Note, however, that the test coverage is limited
(e.g. no .vv instructions, vstart is always zero).

When sending out a follow-up version (even if it just introduces a minimal fix),
then consider using patchset versioning (e.g. git format-patch -v2 ...).

It might be a matter of taste, but I would prefer a series that groups
and orders the commits differently:
  a) independent changes to the existing code (refactoring only, but
no new features) - one commit per topic
  b) introduction of new functionality - one commit per extension
A series using such a commit granularity and order would be easier to
maintain and review (and not result in 45 patches).
Also, the refactoring changes could land before Zvk freezes if
maintainers decide to do so.

So far all translation files in target/riscv/insn_trans/* contain
multiple extensions if they are related.
I think we should follow this pattern and use a common trans_zvk.c.inc file.

All patches to insn32.decode have comments of the form "RV64 Zvk*
vector crypto extension".
What is the point of the "RV64"? I would simply remove that.

All instructions set "env->vstart = 0;" at the end.
I don't think that this is correct (the specification does not require this).

The tests of the reserved encodings are not consistent:
* Zvknh does a dynamic test (query tcg_gen_*())
* Zvkned does a dynamic test (tcg_gen_*())
* Zvkg does not test for (vl%EGS == 0)
The vl CSR can only be updated by the vset{i}vl{i} instructions.
The same applies to the vstart CSR and the vtype CSR that holds vsew,
vlmul and other fields.
The current code tests the VSTART/SEW value using "s->vstart % 4 ==
0"/"s->sew == MO_32".
Why is it not possible to do the same with VL, i.e. "s->vl % 4 == 0"
(after adding it to DisasContext)?
Also, I would introduce named constants or macros for the EGS values
to avoid magic constants in the code
(some extensions do that - e.g. ZVKSED_EGS).

BR
Christoph


>
> 1. https://github.com/riscv/riscv-crypto/releases
>
>
> Dickon Hood (2):
>   qemu/bitops.h: Limit rotate amounts
>   target/riscv: Add vrol.[vv,vx] and vror.[vv,vx,vi] decoding,
> translation and execution support
>
> Kiran Ostrolenk (8):
>   target/riscv: Refactor some of the generic vector functionality
>   target/riscv: Refactor some of the generic vector functionality
>   target/riscv: Refactor some of the generic vector functionality
>   target/riscv: Refactor some of the generic vector functionality
>   target/riscv: Add vsha2ms.vv decoding, translation and execution
> support
>   target/riscv: Add zvksh cpu property
>   target/riscv: Add vsm3c.vi decoding, translation and execution support
>   target/riscv: Expose zvksh cpu property
>
> Lawrence Hunter (17):
>   target/riscv: Add vclmul.vv decoding, translation and execution
> support
>   target/riscv: Add vclmul.vx decoding, translation and execution
> support
>   target/riscv: Add vclmulh.vv decoding, translation and execution
> support
>   target/riscv: Add vclmulh.vx decoding, translation and execution
> support
>   target/riscv: Add vaesef.vv decoding, translation and execution
> support
>   target/riscv: Add vaesef.vs decoding, translation and execution
> support
>   target/riscv: Add vaesdf.vv decoding, translation and execution
> support
>   target/riscv: Add vaesdf.vs decoding, translation and execution
> support
>   target/riscv: Add vaesdm.vv decoding, translation and execution
> support
>   target/riscv: Add vaesdm.vs decoding, translation and execution
> support
>   target/riscv: Add vaesz.vs decoding, translation and execution support
>   target/riscv: Add vsha2c[hl].vv decoding, translation and execution
> support
>   target/riscv: Add vsm3me.vv decoding, translation and 

Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Cédric Le Goater

On 3/21/23 12:57, Paolo Bonzini wrote:

On 3/21/23 09:33, Cédric Le Goater wrote:

+static void aio_bh_slice_insert(AioContext *ctx, BHListSlice *slice)
+{
+    QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, slice, next);
+}
+
  /* Multiple occurrences of aio_bh_poll cannot be called concurrently. */
  int aio_bh_poll(AioContext *ctx)
  {
@@ -164,7 +169,13 @@ int aio_bh_poll(AioContext *ctx)
  /* Synchronizes with QSLIST_INSERT_HEAD_ATOMIC in aio_bh_enqueue().  */
  QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
-    QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+
+    /*
+ * GCC13 [-Werror=dangling-pointer=] complains that the local variable
+ * 'slice' is being stored in a global list in 'ctx->bh_slice_list'.
+ * Use a helper to silent the compiler
+ */
+    aio_bh_slice_insert(ctx, &slice);
  while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {
  QEMUBH *bh;
--


Sorry, but an API that has "insert" and not "remove", and where the argument is 
*expected to be* a local variable (which must be removed to avoid a dangling pointer---and the 
warning is exactly -Wdangling-pointer), ranks at least -7 in the bad API ranking[1].


:)


I tried wrapping the BHListSlice and BHListSlice* into an iterator struct 
(which is also really overkill, but at least---in theory---it's idiomatic), but 
the code was hard to follow.

The fact that the workaround is so ugly, in my opinion, points even more 
strongly at the compiler being in the wrong here.


It was initially called slice_dangling_pointer_fixup(), how's that?

An alternative could be :

@@ -164,7 +164,14 @@ int aio_bh_poll(AioContext *ctx)
 
 /* Synchronizes with QSLIST_INSERT_HEAD_ATOMIC in aio_bh_enqueue().  */

 QSLIST_MOVE_ATOMIC(&slice.bh_list, &ctx->bh_list);
+/*
+ * GCC13 [-Werror=dangling-pointer=] complains that the local variable
+ * 'slice' is being stored in the global list 'ctx->bh_slice_list'.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdangling-pointer="
 QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+#pragma GCC diagnostic pop
 
 while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {

 QEMUBH *bh;
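Review bot: the `#pragma GCC diagnostic ignored "-Wdangling-pointer="` line in aio_bh_poll() is unconditional, but the option only exists in GCC 12 and later. Older GCC releases and clang (which also honours `#pragma GCC diagnostic`) will report an unknown warning option, and that becomes a build failure under -Werror. Guard the push/ignored/pop triple with a compiler version check so that only compilers which know the option see it.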

Maybe that's more explicit. I wonder if we need to ifdef clang also.

Thanks,

C.




Re: [PATCH for-8.0] docs/system/arm/cpu-features.rst: Fix formatting

2023-03-21 Thread Cornelia Huck
On Tue, Mar 21 2023, Peter Maydell  wrote:

> On Thu, 16 Mar 2023 at 11:41, Peter Maydell  wrote:
>>
>> On Thu, 16 Mar 2023 at 11:11, Cornelia Huck  wrote:
>> >
>> > On Thu, Mar 16 2023, Peter Maydell  wrote:
>> >
>> > > The markup for the Arm CPU feature documentation is incorrect,
>> > > and results in the HTML not rendering correctly -- the first
>> > > line of each description is rendered in boldface as if it
>> > > were part of the option name.
>> > >
>> > > Reformat to match the styling used in cpu-models-x86.rst.inc.
>> > >
>> > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1479
>> > > Signed-off-by: Peter Maydell 
>> > > ---
>> > >  docs/system/arm/cpu-features.rst | 68 ++--
>> > >  1 file changed, 30 insertions(+), 38 deletions(-)
>> >
>> > (...)
>> >
>> > > @@ -217,16 +210,15 @@ TCG VCPU Features
>> > >  TCG VCPU features are CPU features that are specific to TCG.
>> > >  Below is the list of TCG VCPU features and their descriptions.
>> > >
>> > > -  pauth-impdef When ``FEAT_Pauth`` is enabled, either the
>> > > -   *impdef* (Implementation Defined) algorithm
>> > > -   is enabled or the *architected* QARMA 
>> > > algorithm
>> > > -   is enabled.  By default the impdef algorithm
>> > > -   is disabled, and QARMA is enabled.
>> > > +``pauth-impdef``
>> > > +  When ``FEAT_Pauth`` is enabled, either the *impdef* (Implementation
>> > > +  Defined) algorithm is enabled or the *architected* QARMA algorithm
>> > > +  is enabled.  By default the impdef algorithm is disabled, and QARMA
>> > > +  is enabled.
>> > >
>> > > -   The architected QARMA algorithm has good
>> > > -   cryptographic properties, but can be quite 
>> > > slow
>> > > -   to emulate.  The impdef algorithm used by 
>> > > QEMU
>> > > -   is non-cryptographic but significantly 
>> > > faster.
>> > > +  The architected QARMA algorithm has good ryptographic properties,
>> >
>> > You dropped a 'c' here --^
>>
>> Well spotted...
>
> There weren't any review comments other than the typo, so I'm going
> to fix that and apply to target-arm.next.

In that case, please also add my

Reviewed-by: Cornelia Huck 




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei


On 2023/3/21 20:00, Wu, Fei wrote:

On 3/21/2023 5:47 PM, liweiwei wrote:

On 2023/3/21 17:14, Wu, Fei wrote:

On 3/21/2023 4:50 PM, liweiwei wrote:

On 2023/3/21 16:40, Wu, Fei wrote:

On 3/21/2023 4:28 PM, liweiwei wrote:

On 2023/3/21 14:37,fei2...@intel.com  wrote:

From: Fei Wu

Kernel needs to access user mode memory e.g. during syscalls, the
window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to
save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407.
Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu
Reviewed-by: LIU Zhiwei
---
     target/riscv/cpu.h    |  4 
     target/riscv/cpu_helper.c |  7 +++
     target/riscv/csr.c    | 14 +-
     3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
     uint64_t kvm_timer_compare;
     uint64_t kvm_timer_state;
     uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+    uint64_t sum_u_count;
+    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
     };
       OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
     (access_type == MMU_DATA_STORE || (pte &
PTE_D))) {
     *prot |= PAGE_WRITE;
     }
+    if ((pte & PTE_U) && (mode & PRV_S) &&

It's more readable to use "mode == PRV_S" instead of  "mode & PRV_S" here.

+    get_field(env->mstatus, MSTATUS_SUM)) {
+    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+    env->sum_u_addr[env->sum_u_count] = addr;
+    }
+    ++env->sum_u_count;
+    }
     return TRANSLATE_SUCCESS;
     }
     }
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException
write_mstatus(CPURISCVState *env, int csrno,
       /* flush tlb on mstatus fields that affect VM */
     if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP |
MSTATUS_MPV |
-    MSTATUS_MPRV | MSTATUS_SUM)) {
+    MSTATUS_MPRV)) {
     tlb_flush(env_cpu(env));
+    env->sum_u_count = 0;
+    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+    tlb_flush(env_cpu(env));
+    } else {
+    for (int i = 0; i < env->sum_u_count; ++i) {
+    tlb_flush_page_by_mmuidx(env_cpu(env),
env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);
+    }
+    }
+    env->sum_u_count = 0;
     }
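
Review bot: missing documentation on the new `else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM))` branch: it handles only the SUM 1 -> 0 transition, and nothing in the hunk records why a 0 -> 1 transition needs no flush. A short comment stating that reasoning next to the branch would let a reader check the invariant without going back to the list discussion.
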

Whether tlb should  be flushed when SUM is changed from 0 to 1?


When SUM is changed from 0 to 1, all the existing tlb entries remain
valid as the permission is elevated instead of reduced, so I don't
think
it's necessary to flush tlb.

If elevated not unchanged, I think the tlb also needs update, since new
permitted access rights may be added to the tlb.


Assume the following flow, if the new rights have been added to tlb
during SUM=0, they're visible and still valid after setting SUM=1 again.
Could you please add a specific counter example in this flow?


Assuming addr0 cannot be accessed from S mode when SUM = 0, but can be
accessed from S mode if SUM=1,

and there is a tlb entry for it when SUM = 0


enable uaccess (set SUM = 1)

if we don't flush it when we change SUM to 1 in this step

... (access user mem from S mode)

when we access addr0 here, tlb will be hit (not updated) and the access
will trigger fault instead of allowing the access

disable uaccess (set SUM = 0)

... (update TLB_SUM_0)

  <-- flush tlb or not right before enabling uaccess?
enable uaccess (set SUM = 1)
  <-- okay to access TLB_SUM_0?
disable uaccess (set SUM = 0)

So, I think the question is whether the rights in TLB entry can be
elevated. Or whether there is legal tlb entry for this addr0 when SUM = 0?


I think there is no such tlb entry:
* If it's loaded into tlb when SUM = 0. This is i

Re: [PATCH-for-8.1 5/5] bulk: Replace __attribute__((noreturn)) -> G_NORETURN

2023-03-21 Thread Juan Quintela
Philippe Mathieu-Daudé  wrote:
> Under MSYS2, G_NORETURN is expanded to '[[noreturn]]'.
> Simpler to use the same definition everywhere, unifying
> the code style.
>
> Signed-off-by: Philippe Mathieu-Daudé 

Reviewed-by: Juan Quintela 




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei



On 2023/3/21 14:37, fei2...@intel.com wrote:

From: Fei Wu 

Kernel needs to access user mode memory e.g. during syscalls, the window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
---
  target/riscv/cpu.h|  4 
  target/riscv/cpu_helper.c |  7 +++
  target/riscv/csr.c| 14 +-
  3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
  uint64_t kvm_timer_compare;
  uint64_t kvm_timer_state;
  uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+uint64_t sum_u_count;
+uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
  };
  
  OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
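
Review bot: the two new fields in `struct CPUArchState` are undocumented, and `sum_u_count` is not a plain element count: the other hunks keep incrementing it past `MAX_CACHED_SUM_U_ADDR_NUM` and treat a larger value as "buffer overflowed, do a full flush". Add a comment saying so next to the fields, and consider moving the `#define` out of the struct body.
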

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
  (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
  *prot |= PAGE_WRITE;
  }
+if ((pte & PTE_U) && (mode & PRV_S) &&
+get_field(env->mstatus, MSTATUS_SUM)) {
+if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+env->sum_u_addr[env->sum_u_count] = addr;
+}
+++env->sum_u_count;
+}
  return TRANSLATE_SUCCESS;
  }
  }
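
Review bot: `(mode & PRV_S)` in the new condition is a bit test, not an equality test, so it is true for any `mode` value that shares a set bit with `PRV_S`. If only supervisor-mode fills are meant to be recorded, write `mode == PRV_S`; if other modes are meant to match as well, say so in a comment.
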
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException write_mstatus(CPURISCVState *env, 
int csrno,
  
  /* flush tlb on mstatus fields that affect VM */

  if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-MSTATUS_MPRV | MSTATUS_SUM)) {
+MSTATUS_MPRV)) {
  tlb_flush(env_cpu(env));
+env->sum_u_count = 0;
+} else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+tlb_flush(env_cpu(env));


SUM seems to only affect the S mode TLB. Maybe we can only flush the S mode TLB here.


+} else {
+for (int i = 0; i < env->sum_u_count; ++i) {
+tlb_flush_page_by_mmuidx(env_cpu(env), env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);


Similar case here.

Regards,

Weiwei Li


+}
+}
+env->sum_u_count = 0;
  }
+
  mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
  MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
  MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |
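
Review bot: in the new loop, `int i` is compared against `env->sum_u_count`, which the cpu.h hunk declares as `uint64_t`, so the comparison mixes signed and unsigned types. Declare the index with an unsigned type, or store the count in a narrower unsigned field, since it only needs to distinguish values up to `MAX_CACHED_SUM_U_ADDR_NUM` from "more than that".
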





Re: [PATCH for-8.0 1/3] async: Suppress GCC13 false positive in aio_bh_poll()

2023-03-21 Thread Paolo Bonzini

On 3/21/23 13:16, Cédric Le Goater wrote:


+    /*
+ * GCC13 [-Werror=dangling-pointer=] complains that the local variable
+ * 'slice' is being stored in the global list 'ctx->bh_slice_list'.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdangling-pointer="
  QSIMPLEQ_INSERT_TAIL(&ctx->bh_slice_list, &slice, next);
+#pragma GCC diagnostic pop

  while ((s = QSIMPLEQ_FIRST(&ctx->bh_slice_list))) {
  QEMUBH *bh;
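
Review bot: the `#pragma GCC diagnostic ignored "-Wdangling-pointer="` line is unconditional, so a compiler that does not know that warning name can itself warn about the unrecognised option in the pragma, which becomes a build failure under -Werror. Guard the pragma lines with a compiler check (or silence the unknown-pragma-option warning first), and extend the comment to say that the list is emptied before the function returns.
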


Yeah, that's clearer.  Maybe even add "but the list is emptied before 
this function returns".



Maybe that's more explicit. I wonder if we need to ifdef clang also.


I think clang understands the GCC pragma as well.

Paolo




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Mostafa Saleh
Hi Eric,

> > + * According to 6.3.6 SMMU_IDR5, OAS must match the system physical 
> > address
> > + * size.
> > + */
> > +ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
> > +uint8_t oas = FIELD_EX64(armcpu->isar.id_aa64mmfr0, ID_AA64MMFR0, 
> > PARANGE);
> is this working in accelerated mode?
I didn't try with accel, I will give it a try, but from what I see, that
ARM_CPU() is used to get the CPU in target/arm/kvm.c which is used from
accel/kvm-all.c, so it seems this would work for accelerated mode.

> > +
> >  /**
> >   * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
> >   *   multi-level stream table
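
Review bot: the result of `ARM_CPU(qemu_get_cpu(0))` is dereferenced on the next line without a check, and the code assumes CPU index 0 exists, is an Arm CPU, and is representative of the system physical address size. Check the returned pointer before reading `armcpu->isar.id_aa64mmfr0`, and keep a fixed OAS as the fallback when it is not usable.
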
> > @@ -265,7 +272,7 @@ static void smmuv3_init_regs(SMMUv3State *s)
> >  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
> >  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN16K, 1);
> >  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
> > -s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 
> > bits */
> > +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
> I am not sure you can change that easily. In case of migration this is
> going to change the behavior of the device, no?

I see IDR registers are not migrated. I guess we can add them in a
subsection and if they were not passed (old instances) we set OAS to
44.
Maybe this should be another change outside of this series.

Thanks,
Mostafa



[PULL 0/8] target-arm queue

2023-03-21 Thread Peter Maydell
The following changes since commit aa9e7fa4689d1becb2faf67f65aafcbcf664f1ce:

  Merge tag 'edk2-stable202302-20230320-pull-request' of 
https://gitlab.com/kraxel/qemu into staging (2023-03-20 13:43:35 +)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git 
tags/pull-target-arm-20230321

for you to fetch changes up to 5787d17a42f7af4bd117e5d6bfa54b1fdf93c255:

  target/arm: Don't advertise aarch64-pauth.xml to gdb (2023-03-21 13:19:08 
+)


target-arm queue:
 * contrib/elf2dmp: Support Windows Server 2022
 * hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
 * target/arm: Add Neoverse-N1 IMPDEF registers
 * hw/usb/imx: Fix out of bounds access in imx_usbphy_read()
 * docs/system/arm/cpu-features.rst: Fix formatting
 * target/arm: Don't advertise aarch64-pauth.xml to gdb


Chen Baozi (1):
  target/arm: Add Neoverse-N1 registers

Guenter Roeck (1):
  hw/usb/imx: Fix out of bounds access in imx_usbphy_read()

Peter Maydell (3):
  hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings
  docs/system/arm/cpu-features.rst: Fix formatting
  target/arm: Don't advertise aarch64-pauth.xml to gdb

Viktor Prutyanov (3):
  contrib/elf2dmp: fix code style
  contrib/elf2dmp: move PE dir search to pe_get_data_dir_entry
  contrib/elf2dmp: add PE name check and Windows Server 2022 support

 docs/system/arm/cpu-features.rst |  68 ++-
 contrib/elf2dmp/pe.h | 115 ++-
 contrib/elf2dmp/addrspace.c  |   1 +
 contrib/elf2dmp/main.c   | 108 
 hw/char/cadence_uart.c   |   6 +-
 hw/usb/imx-usb-phy.c |  19 ++-
 target/arm/cpu64.c   |  69 +++
 target/arm/gdbstub.c |   7 +++
 8 files changed, 267 insertions(+), 126 deletions(-)



[PULL 2/8] hw/char/cadence_uart: Fix guards on invalid BRGR/BDIV settings

2023-03-21 Thread Peter Maydell
The cadence UART attempts to avoid allowing the guest to set invalid
baud rate register values in the uart_write() function.  However it
does the "mask to the size of the register field" and "check for
invalid values" in the wrong order, which means that a malicious
guest can get a bogus value into the register by setting also some
high bits in the value, and cause QEMU to crash by division-by-zero.

Do the mask before the bounds check instead of afterwards.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1493
Signed-off-by: Peter Maydell 
Reviewed-by: Thomas Huth 
Reviewed-by: Edgar E. Iglesias 
Reviewed-by: Wilfred Mallawa 
Reviewed-by: Alistair Francis 
Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Qiang Liu 
Message-id: 20230314170804.1196232-1-peter.mayd...@linaro.org
---
 hw/char/cadence_uart.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index c069a30842e..807e3985419 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -450,13 +450,15 @@ static MemTxResult uart_write(void *opaque, hwaddr offset,
 }
 break;
 case R_BRGR: /* Baud rate generator */
+value &= 0x;
 if (value >= 0x01) {
-s->r[offset] = value & 0x;
+s->r[offset] = value;
 }
 break;
 case R_BDIV:/* Baud rate divider */
+value &= 0xff;
 if (value >= 0x04) {
-s->r[offset] = value & 0xFF;
+s->r[offset] = value;
 }
 break;
 default:
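
Review bot: with the mask now applied first, a write that fails the `value >= ...` guard is still dropped silently in both the `R_BRGR` and `R_BDIV` cases. Consider reporting the rejected value with `qemu_log_mask(LOG_GUEST_ERROR, ...)` so a misbehaving guest is visible in the logs, and giving the two field masks names instead of repeating the literals.
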
-- 
2.34.1
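
The ordering problem described in the commit message above, as an added example that is not QEMU's code: the two writers apply the `0xff` mask and `>= 0x04` guard from the R_BDIV hunk in the old and the new order, and a sweep counts how many written values leave a below-minimum divider in the register. The function names, the reset value 0x0f and the sweep range are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BDIV_MASK  0xffu  /* field width used in the R_BDIV hunk */
#define BDIV_MIN   0x04u  /* smallest value the guard accepts */
#define BDIV_RESET 0x0fu  /* assumed reset value, for illustration only */

typedef uint32_t (*bdiv_writer)(uint32_t reg, uint64_t value);

/* Old order: bounds check on the raw value, mask only when storing. */
static uint32_t bdiv_write_check_then_mask(uint32_t reg, uint64_t value)
{
    if (value >= BDIV_MIN) {
        reg = (uint32_t)(value & BDIV_MASK);
    }
    return reg;
}

/* New order: mask to the field width first, then bounds check. */
static uint32_t bdiv_write_mask_then_check(uint32_t reg, uint64_t value)
{
    value &= BDIV_MASK;
    if (value >= BDIV_MIN) {
        reg = (uint32_t)value;
    }
    return reg;
}

/*
 * Write every value in [0, limit] to a freshly reset register and count
 * how many of them leave the register holding less than BDIV_MIN.
 */
static unsigned count_invalid_stores(bdiv_writer write, uint64_t limit)
{
    unsigned bad = 0;

    for (uint64_t v = 0; v <= limit; v++) {
        if (write(BDIV_RESET, v) < BDIV_MIN) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* 0x100 passes the raw check but masks down to zero. */
    printf("check-then-mask, write 0x100 -> 0x%02x\n",
           (unsigned)bdiv_write_check_then_mask(BDIV_RESET, 0x100));
    printf("mask-then-check, write 0x100 -> 0x%02x\n",
           (unsigned)bdiv_write_mask_then_check(BDIV_RESET, 0x100));
    printf("invalid stores over 17-bit sweep: old=%u new=%u\n",
           count_invalid_stores(bdiv_write_check_then_mask, 0x1ffff),
           count_invalid_stores(bdiv_write_mask_then_check, 0x1ffff));
    return 0;
}
```

A sweep like `count_invalid_stores()` is a cheap regression check for any register writer that combines a field mask with a range guard.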




[PULL 5/8] contrib/elf2dmp: add PE name check and Windows Server 2022 support

2023-03-21 Thread Peter Maydell
From: Viktor Prutyanov 

Since its inception elf2dmp has checked MZ signatures within an
address space above IDT[0] interrupt vector and took first PE image
found as Windows Kernel.
But in Windows Server 2022 memory dump this address space range is
full of invalid PE fragments and the tool must check that PE image
is 'ntoskrnl.exe' actually.
So, introduce additional validation by checking image name from
Export Directory against 'ntoskrnl.exe'.

Signed-off-by: Viktor Prutyanov 
Tested-by: Yuri Benditovich 
Reviewed-by: Annie Li 
Message-id: 2023011246.883679-4-vik...@daynix.com
Signed-off-by: Peter Maydell 
---
 contrib/elf2dmp/pe.h   | 15 +++
 contrib/elf2dmp/main.c | 28 ++--
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h
index 807d0063649..71126af1aca 100644
--- a/contrib/elf2dmp/pe.h
+++ b/contrib/elf2dmp/pe.h
@@ -88,6 +88,20 @@ typedef struct IMAGE_NT_HEADERS64 {
 IMAGE_OPTIONAL_HEADER64 OptionalHeader;
 } __attribute__ ((packed)) IMAGE_NT_HEADERS64;
 
+typedef struct IMAGE_EXPORT_DIRECTORY {
+uint32_tCharacteristics;
+uint32_tTimeDateStamp;
+uint16_tMajorVersion;
+uint16_tMinorVersion;
+uint32_tName;
+uint32_tBase;
+uint32_tNumberOfFunctions;
+uint32_tNumberOfNames;
+uint32_tAddressOfFunctions;
+uint32_tAddressOfNames;
+uint32_tAddressOfNameOrdinals;
+} __attribute__ ((packed)) IMAGE_EXPORT_DIRECTORY;
+
 typedef struct IMAGE_DEBUG_DIRECTORY {
 uint32_t Characteristics;
 uint32_t TimeDateStamp;
@@ -102,6 +116,7 @@ typedef struct IMAGE_DEBUG_DIRECTORY {
 #define IMAGE_DEBUG_TYPE_CODEVIEW   2
 #endif
 
+#define IMAGE_FILE_EXPORT_DIRECTORY 0
 #define IMAGE_FILE_DEBUG_DIRECTORY  6
 
 typedef struct guid_t {
diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
index 2f6028d8eb3..89f0c69ab0f 100644
--- a/contrib/elf2dmp/main.c
+++ b/contrib/elf2dmp/main.c
@@ -17,6 +17,7 @@
 
 #define SYM_URL_BASE"https://msdl.microsoft.com/download/symbols/";
 #define PDB_NAME"ntkrnlmp.pdb"
+#define PE_NAME "ntoskrnl.exe"
 
 #define INITIAL_MXCSR   0x1f80
 
@@ -405,6 +406,25 @@ static int write_dump(struct pa_space *ps,
 return fclose(dmp_file);
 }
 
+static bool pe_check_export_name(uint64_t base, void *start_addr,
+struct va_space *vs)
+{
+IMAGE_EXPORT_DIRECTORY export_dir;
+const char *pe_name;
+
+if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_EXPORT_DIRECTORY,
+&export_dir, sizeof(export_dir), vs)) {
+return false;
+}
+
+pe_name = va_space_resolve(vs, base + export_dir.Name);
+if (!pe_name) {
+return false;
+}
+
+return !strcmp(pe_name, PE_NAME);
+}
+
 static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,
 char *hash, struct va_space *vs)
 {
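
Review bot: in `pe_check_export_name()`, `export_dir.Name` comes straight from the dump and `strcmp(pe_name, PE_NAME)` reads from the resolved pointer until it meets a NUL, with no bound on how far that is. Since the commit message says this range is full of invalid PE fragments, compare at most `sizeof(PE_NAME)` bytes and confirm that many bytes are mapped behind `pe_name` before reading them.
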
@@ -489,6 +509,7 @@ int main(int argc, char *argv[])
 uint64_t KdDebuggerDataBlock;
 KDDEBUGGER_DATA64 *kdbg;
 uint64_t KdVersionBlock;
+bool kernel_found = false;
 
 if (argc != 3) {
 eprintf("usage:\n\t%s elf_file dmp_file\n", argv[0]);
@@ -536,11 +557,14 @@ int main(int argc, char *argv[])
 }
 
 if (*(uint16_t *)nt_start_addr == 0x5a4d) { /* MZ */
-break;
+if (pe_check_export_name(KernBase, nt_start_addr, &vs)) {
+kernel_found = true;
+break;
+}
 }
 }
 
-if (!nt_start_addr) {
+if (!kernel_found) {
 eprintf("Failed to find NT kernel image\n");
 err = 1;
 goto out_ps;
-- 
2.34.1
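
The name check this patch introduces, as an added stand-alone example (not elf2dmp's code): it walks the MZ header, PE signature, data directory 0 and the export directory's Name field with every read bounds-checked, so a stray MZ fragment or a name that runs off the mapped range is rejected instead of read. It assumes the image is laid out as in memory (an RVA is an offset from the image base); `rd`, `pe_export_name_is`, `sample_check` and the sample layout are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_NAME         "ntoskrnl.exe" /* name the patch compares against */
#define OFF_E_LFANEW    0x3c           /* IMAGE_DOS_HEADER.e_lfanew */
#define OFF_OPT_HEADER  24             /* PE signature (4) + file header (20) */
#define OFF_NUM_DIRS    108            /* NumberOfRvaAndSizes, optional header64 */
#define OFF_DATA_DIR    112            /* DataDirectory[0], optional header64 */
#define OFF_EXPORT_NAME 12             /* IMAGE_EXPORT_DIRECTORY.Name */
#define SAMPLE_LEN      0x300          /* size of the constructed sample */

/* Bounds-checked little-endian read of n (<= 4) bytes; 0 on success. */
static int rd(const uint8_t *img, size_t len, uint64_t off, unsigned n,
              uint32_t *out)
{
    if (off > len || len - off < n) {
        return -1;
    }
    *out = 0;
    for (unsigned i = 0; i < n; i++) {
        *out |= (uint32_t)img[off + i] << (8 * i);
    }
    return 0;
}

/* Return 1 only for a PE32+ image whose export directory names `expected`. */
static int pe_export_name_is(const uint8_t *img, size_t len,
                             const char *expected)
{
    uint32_t mz, magic, lfanew, sig, ndirs, exp_rva, name_rva;
    size_t want = strlen(expected) + 1;   /* compare the NUL terminator too */
    uint64_t opt;

    if (rd(img, len, 0, 2, &mz) || mz != 0x5a4d) {              /* "MZ" */
        return 0;
    }
    if (rd(img, len, OFF_E_LFANEW, 4, &lfanew) ||
        rd(img, len, lfanew, 4, &sig) || sig != 0x00004550) {   /* "PE\0\0" */
        return 0;
    }
    opt = (uint64_t)lfanew + OFF_OPT_HEADER;
    if (rd(img, len, opt, 2, &magic) || magic != 0x20b ||       /* PE32+ */
        rd(img, len, opt + OFF_NUM_DIRS, 4, &ndirs) || ndirs < 1 ||
        rd(img, len, opt + OFF_DATA_DIR, 4, &exp_rva) || exp_rva == 0) {
        return 0;
    }
    if (rd(img, len, (uint64_t)exp_rva + OFF_EXPORT_NAME, 4, &name_rva) ||
        name_rva > len || len - name_rva < want) {
        return 0;                     /* name would run past the image */
    }
    return memcmp(img + name_rva, expected, want) == 0;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample: minimal in-memory PE32+ layout carrying `name` at
 * `name_rva`; the check then runs with only `visible` bytes readable. */
static int sample_check(const char *name, uint32_t name_rva, size_t visible)
{
    static uint8_t img[SAMPLE_LEN];
    const uint32_t lfanew = 0x80, exp_rva = 0x200;
    size_t n = strlen(name) + 1;

    memset(img, 0, sizeof(img));
    img[0] = 'M';
    img[1] = 'Z';
    wr32(img + OFF_E_LFANEW, lfanew);
    wr32(img + lfanew, 0x00004550);
    img[lfanew + OFF_OPT_HEADER] = 0x0b;          /* magic 0x20b, low byte */
    img[lfanew + OFF_OPT_HEADER + 1] = 0x02;
    wr32(img + lfanew + OFF_OPT_HEADER + OFF_NUM_DIRS, 16);
    wr32(img + lfanew + OFF_OPT_HEADER + OFF_DATA_DIR, exp_rva);
    wr32(img + exp_rva + OFF_EXPORT_NAME, name_rva);
    if (n > sizeof(img) - name_rva) {
        n = sizeof(img) - name_rva;   /* clip: leaves the name unterminated */
    }
    memcpy(img + name_rva, name, n);
    return pe_export_name_is(img, visible, PE_NAME);
}

int main(void)
{
    printf("kernel=%d other=%d unterminated=%d truncated=%d\n",
           sample_check("ntoskrnl.exe", 0x240, SAMPLE_LEN),
           sample_check("hal.dll", 0x240, SAMPLE_LEN),
           sample_check("ntoskrnl.exe", SAMPLE_LEN - 12, SAMPLE_LEN),
           sample_check("ntoskrnl.exe", 0x240, 0x100));
    return 0;
}
```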




[PULL 6/8] hw/usb/imx: Fix out of bounds access in imx_usbphy_read()

2023-03-21 Thread Peter Maydell
From: Guenter Roeck 

The i.MX USB Phy driver does not check register ranges, resulting in out of
bounds accesses if an attempt is made to access non-existing PHY registers.
Add range check and conditionally report bad accesses to fix the problem.

While at it, also conditionally log attempted writes to non-existing or
read-only registers.

Reported-by: Qiang Liu 
Signed-off-by: Guenter Roeck 
Tested-by: Qiang Liu 
Message-id: 20230316234926.208874-1-li...@roeck-us.net
Link: https://gitlab.com/qemu-project/qemu/-/issues/1408
Fixes: 0701a5efa015 ("hw/usb: Add basic i.MX USB Phy support")
Signed-off-by: Guenter Roeck 
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 hw/usb/imx-usb-phy.c | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/usb/imx-usb-phy.c b/hw/usb/imx-usb-phy.c
index 5d7a549e34d..1a97b36a119 100644
--- a/hw/usb/imx-usb-phy.c
+++ b/hw/usb/imx-usb-phy.c
@@ -13,6 +13,7 @@
 #include "qemu/osdep.h"
 #include "hw/usb/imx-usb-phy.h"
 #include "migration/vmstate.h"
+#include "qemu/log.h"
 #include "qemu/module.h"
 
 static const VMStateDescription vmstate_imx_usbphy = {
@@ -90,7 +91,15 @@ static uint64_t imx_usbphy_read(void *opaque, hwaddr offset, 
unsigned size)
 value = s->usbphy[index - 3];
 break;
 default:
-value = s->usbphy[index];
+if (index < USBPHY_MAX) {
+value = s->usbphy[index];
+} else {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s: Read from non-existing USB PHY register 0x%"
+  HWADDR_PRIx "\n",
+  __func__, offset);
+value = 0;
+}
 break;
 }
 return (uint64_t)value;
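
Review bot: the new `index < USBPHY_MAX` test in the `default:` branch guards `s->usbphy[index]`, but nothing in the hunk ties `USBPHY_MAX` to the size of that array. Using `ARRAY_SIZE(s->usbphy)` in the check, or a build-time assertion that the two agree, keeps the bound correct if the register list changes.
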
@@ -168,7 +177,13 @@ static void imx_usbphy_write(void *opaque, hwaddr offset, 
uint64_t value,
 s->usbphy[index - 3] ^= value;
 break;
 default:
-/* Other registers are read-only */
+/* Other registers are read-only or do not exist */
+qemu_log_mask(LOG_GUEST_ERROR,
+  "%s: Write to %s USB PHY register 0x%"
+  HWADDR_PRIx "\n",
+  __func__,
+  index >= USBPHY_MAX ? "non-existing" : "read-only",
+  offset);
 break;
 }
 }
-- 
2.34.1




[PULL 7/8] docs/system/arm/cpu-features.rst: Fix formatting

2023-03-21 Thread Peter Maydell
The markup for the Arm CPU feature documentation is incorrect,
and results in the HTML not rendering correctly -- the first
line of each description is rendered in boldface as if it
were part of the option name.

Reformat to match the styling used in cpu-models-x86.rst.inc.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1479
Signed-off-by: Peter Maydell 
Message-id: 20230316105808.1414003-1-peter.mayd...@linaro.org
Reviewed-by: Cornelia Huck 
---
 docs/system/arm/cpu-features.rst | 68 ++--
 1 file changed, 30 insertions(+), 38 deletions(-)

diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
index 00c444042ff..f4524b6d3e7 100644
--- a/docs/system/arm/cpu-features.rst
+++ b/docs/system/arm/cpu-features.rst
@@ -177,39 +177,32 @@ are named with the prefix "kvm-".  KVM VCPU features may 
be probed,
 enabled, and disabled in the same way as other CPU features.  Below is
 the list of KVM VCPU features and their descriptions.
 
-  kvm-no-adjvtime  By default kvm-no-adjvtime is disabled.  This
-   means that by default the virtual time
-   adjustment is enabled (vtime is not *not*
-   adjusted).
+``kvm-no-adjvtime``
+  By default kvm-no-adjvtime is disabled.  This means that by default
+  the virtual time adjustment is enabled (vtime is not *not* adjusted).
 
-   When virtual time adjustment is enabled each
-   time the VM transitions back to running state
-   the VCPU's virtual counter is updated to ensure
-   stopped time is not counted.  This avoids time
-   jumps surprising guest OSes and applications,
-   as long as they use the virtual counter for
-   timekeeping.  However it has the side effect of
-   the virtual and physical counters diverging.
-   All timekeeping based on the virtual counter
-   will appear to lag behind any timekeeping that
-   does not subtract VM stopped time.  The guest
-   may resynchronize its virtual counter with
-   other time sources as needed.
+  When virtual time adjustment is enabled each time the VM transitions
+  back to running state the VCPU's virtual counter is updated to
+  ensure stopped time is not counted.  This avoids time jumps
+  surprising guest OSes and applications, as long as they use the
+  virtual counter for timekeeping.  However it has the side effect of
+  the virtual and physical counters diverging.  All timekeeping based
+  on the virtual counter will appear to lag behind any timekeeping
+  that does not subtract VM stopped time.  The guest may resynchronize
+  its virtual counter with other time sources as needed.
 
-   Enable kvm-no-adjvtime to disable virtual time
-   adjustment, also restoring the legacy (pre-5.0)
-   behavior.
+  Enable kvm-no-adjvtime to disable virtual time adjustment, also
+  restoring the legacy (pre-5.0) behavior.
 
-  kvm-steal-time   Since v5.2, kvm-steal-time is enabled by
-   default when KVM is enabled, the feature is
-   supported, and the guest is 64-bit.
+``kvm-steal-time``
+  Since v5.2, kvm-steal-time is enabled by default when KVM is
+  enabled, the feature is supported, and the guest is 64-bit.
 
-   When kvm-steal-time is enabled a 64-bit guest
-   can account for time its CPUs were not running
-   due to the host not scheduling the corresponding
-   VCPU threads.  The accounting statistics may
-   influence the guest scheduler behavior and/or be
-   exposed to the guest userspace.
+  When kvm-steal-time is enabled a 64-bit guest can account for time
+  its CPUs were not running due to the host not scheduling the
+  corresponding VCPU threads.  The accounting statistics may influence
+  the guest scheduler behavior and/or be exposed to the guest
+  userspace.
 
 TCG VCPU Features
 =
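
Review bot: the reflowed `kvm-no-adjvtime` paragraph carries over the doubled negative "vtime is not *not* adjusted" from the removed text, which reads like a typo. Since this patch already rewrites the line, rephrase it positively, for example "(vtime is adjusted)".
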
@@ -217,16 +210,15 @@ TCG VCPU Features
 TCG VCPU features are CPU features that are specific to TCG.
 Below is the list of TCG VCPU features and their descriptions.
 
-  pauth-impdef When ``FEAT_Pauth`` is enabled, either the
-   *impdef* (Implementation Defined) algorithm
-   is enabled or the *architected* QARMA algorithm
-   is enabled.  By default the impdef algorithm
-   is disabled, and QARMA is enabled.
+``pauth-impdef``
+  When ``FEAT_Pauth`` is enabled, either the *impdef* (Implementation

[PATCH 0/3] Add support for TPM devices over I2C bus

2023-03-21 Thread Ninad Palsule
This drop adds support for the TPM devices attached to the I2C bus. It
only supports the TPM2 protocol. You need to run it with the external
TPM emulator like swtpm. I have tested it with swtpm.

I have referred to the work done by zhdan...@meta.com but at the core
level our implementation is different.
https://github.com/theopolis/qemu/commit/2e2e57cde9e419c36af8071bb85392ad1ed70966
 

Based-on: $MESSAGE_ID

Ninad Palsule (3):
  Add support for TPM devices over I2C bus
  Add support for TPM devices over I2C bus
  Add support for TPM devices over I2C bus

 docs/specs/tpm.rst  |   5 +-
 hw/tpm/meson.build  |   1 +
 hw/tpm/tpm_tis.h|   2 +
 hw/tpm/tpm_tis_common.c |  33 
 hw/tpm/tpm_tis_i2c.c| 342 
 include/hw/acpi/tpm.h   |   2 +
 include/sysemu/tpm.h|   3 +
 7 files changed, 387 insertions(+), 1 deletion(-)
 create mode 100644 hw/tpm/tpm_tis_i2c.c

-- 
2.37.2




[PATCH 3/3] Add support for TPM devices over I2C bus

2023-03-21 Thread Ninad Palsule
Qemu already supports devices attached to ISA and sysbus. This drop adds
support for the I2C bus attached TPM devices. I2C model only supports
TPM2 protocol.

This commit includes changes for the common code.
- Added I2C emulation model. Logic was added in the model to temporarily
  cache the data as I2C interface works per byte basis.
- New tpm type "tpm-tis-i2c" added for I2C support. Users specify this
  string on command line.

Testing:
  TPM I2C device module is tested using SWTPM (software based TPM
  package). The qemu used the rainier machine and it was connected to
  swtpm over the socket interface.

  The command to start swtpm is as follows:
  $ swtpm socket --tpmstate dir=/tmp/mytpm1\
 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock  \
 --tpm2 --log level=100

  The command to start qemu is as follows:
  $ qemu-system-arm -M rainier-bmc -nographic \
-kernel ${IMAGEPATH}/fitImage-linux.bin \
-dtb ${IMAGEPATH}/aspeed-bmc-ibm-rainier.dtb \
-initrd ${IMAGEPATH}/obmc-phosphor-initramfs.rootfs.cpio.xz \
-drive 
file=${IMAGEPATH}/obmc-phosphor-image.rootfs.wic.qcow2,if=sd,index=2 \
-net nic -net 
user,hostfwd=:127.0.0.1:-:22,hostfwd=:127.0.0.1:2443-:443 \
-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
-device tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e

  Note: Currently you need to specify the I2C bus and device address on
command line. In future we can add a device at board level.

Signed-off-by: Ninad Palsule 
---
 hw/tpm/meson.build   |   1 +
 hw/tpm/tpm_tis_i2c.c | 342 +++
 include/sysemu/tpm.h |   3 +
 3 files changed, 346 insertions(+)
 create mode 100644 hw/tpm/tpm_tis_i2c.c

diff --git a/hw/tpm/meson.build b/hw/tpm/meson.build
index 7abc2d794a..76fe3cb098 100644
--- a/hw/tpm/meson.build
+++ b/hw/tpm/meson.build
@@ -1,6 +1,7 @@
 softmmu_ss.add(when: 'CONFIG_TPM_TIS', if_true: files('tpm_tis_common.c'))
 softmmu_ss.add(when: 'CONFIG_TPM_TIS_ISA', if_true: files('tpm_tis_isa.c'))
 softmmu_ss.add(when: 'CONFIG_TPM_TIS_SYSBUS', if_true: 
files('tpm_tis_sysbus.c'))
+softmmu_ss.add(when: 'CONFIG_TPM_TIS_I2C', if_true: files('tpm_tis_i2c.c'))
 softmmu_ss.add(when: 'CONFIG_TPM_CRB', if_true: files('tpm_crb.c'))
 softmmu_ss.add(when: 'CONFIG_TPM_TIS', if_true: files('tpm_ppi.c'))
 softmmu_ss.add(when: 'CONFIG_TPM_CRB', if_true: files('tpm_ppi.c'))
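
Review bot: the new `softmmu_ss.add(when: 'CONFIG_TPM_TIS_I2C', ...)` line depends on a `CONFIG_TPM_TIS_I2C` symbol, but the diffstat for this patch lists only `hw/tpm/meson.build`, `hw/tpm/tpm_tis_i2c.c` and `include/sysemu/tpm.h`, with no Kconfig change. Add the Kconfig entry in the same patch so the new file can be selected and built.
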
diff --git a/hw/tpm/tpm_tis_i2c.c b/hw/tpm/tpm_tis_i2c.c
new file mode 100644
index 00..3c45af4140
--- /dev/null
+++ b/hw/tpm/tpm_tis_i2c.c
@@ -0,0 +1,342 @@
+/*
+ * tpm_tis_i2c.c - QEMU's TPM TIS I2C Device
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ * Implementation of the TIS interface according to specs found at
+ * http://www.trustedcomputinggroup.org. This implementation currently
+ * supports version 1.3, 21 March 2013
+ * In the developers menu choose the PC Client section then find the TIS
+ * specification.
+ *
+ * TPM TIS for TPM 2 implementation following TCG PC Client Platform
+ * TPM Profile (PTP) Specification, Familiy 2.0, Revision 00.43
+ */
+
+#include "qemu/osdep.h"
+#include "hw/i2c/i2c.h"
+#include "hw/qdev-properties.h"
+#include "hw/acpi/tpm.h"
+#include "migration/vmstate.h"
+#include "tpm_prop.h"
+#include "tpm_tis.h"
+#include "qom/object.h"
+#include "block/aio.h"
+#include "qemu/main-loop.h"
+
+/* TPM TIS I2C registers */
+#define TPM_TIS_I2C_REG_LOC_SEL  0x00
+#define TPM_TIS_I2C_REG_ACCESS   0x04
+#define TPM_TIS_I2C_REG_INT_ENABLE   0x08
+#define TPM_TIS_I2C_REG_INT_CAPABILITY   0x14
+#define TPM_TIS_I2C_REG_STS  0x18
+#define TPM_TIS_I2C_REG_DATA_FIFO0x24
+#define TPM_TIS_I2C_REG_INTF_CAPABILITY  0x30
+#define TPM_TIS_I2C_REG_DATA_CSUM_ENABLE 0x40
+#define TPM_TIS_I2C_REG_DATA_CSUM_GET0x44
+#define TPM_TIS_I2C_REG_DID_VID  0x48
+#define TPM_TIS_I2C_REG_RID  0x4c
+#define TPM_TIS_I2C_REG_UNKNOWN  0xff
+
+/* Operations */
+#define OP_SEND   1
+#define OP_RECV   2
+
+typedef struct TPMStateI2C {
+/*< private >*/
+I2CSlave parent_obj;
+
+int  offset; /* offset in to data[] */
+int  size;   /* Size of the current reg data */
+uint8_t  operation;  /* OP_SEND & OP_RECV */
+uint8_t  data[4096]; /* Data */
+
+/*< public >*/
+TPMState state; /* not a QOM object */
+
+} TPMStateI2C;
+
+DECLARE_INSTANCE_CHECKER(TPMStateI2C, TPM_TIS_I2C,
+ TYPE_TPM_TIS_I2C)
+
+static const VMStateDescription vmstate_tpm_tis_i2c = {
+.name = "tpm",
+.unmigratable = 1,
+};
+
+/* Register map */
+typedef struct reg_map {
+uint16_t  i2c_reg;/* I2C register */
+uint16_t  tis_reg;/* TIS register */
+uint32_t  data_size;  /* data size expected */
+

[PULL 8/8] target/arm: Don't advertise aarch64-pauth.xml to gdb

2023-03-21 Thread Peter Maydell
Unfortunately a bug in older versions of gdb means that they will
crash if QEMU sends them the aarch64-pauth.xml.  This bug is fixed in
gdb commit 1ba3a3222039eb25, and there are plans to backport that to
affected gdb release branches, but since the bug affects gdb 9
through 12 it is very widely deployed (for instance by distros).

It is not currently clear what the best way to deal with this is; it
has been proposed to define a new XML feature name that old gdb will
ignore but newer gdb can handle.  Since QEMU's 8.0 release is
imminent and at least one of our CI runners is now falling over this,
disable the pauth XML for the moment.  We can follow up with a more
considered fix either in time for 8.0 or else for the 8.1 release.

Signed-off-by: Peter Maydell 
---
 target/arm/gdbstub.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index 78105b8078b..3bd86cee979 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -520,11 +520,18 @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
  aarch64_gdb_set_fpu_reg,
  34, "aarch64-fpu.xml", 0);
 }
+#if 0
+/*
+ * GDB versions 9 through 12 have a bug which means they will
+ * crash if they see this XML from QEMU; disable it for the 8.0
+ * release, pending a better solution.
+ */
 if (isar_feature_aa64_pauth(&cpu->isar)) {
 gdb_register_coprocessor(cs, aarch64_gdb_get_pauth_reg,
  aarch64_gdb_set_pauth_reg,
  4, "aarch64-pauth.xml", 0);
 }
+#endif
 #endif
 } else {
 if (arm_feature(env, ARM_FEATURE_NEON)) {
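
Review bot: the new `#if 0` sits inside an existing conditional, which leaves two consecutive bare `#endif` lines, and the disabled block carries nothing that can be searched for later. Tag the matching `#endif` with a comment and add a TODO naming the follow-up planned for 8.0 or 8.1, so the temporary disablement is not forgotten.
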
-- 
2.34.1




[PATCH 2/3] Add support for TPM devices over I2C bus

2023-03-21 Thread Ninad Palsule
Qemu already supports devices attached to ISA and sysbus. This drop adds
support for the I2C bus attached TPM devices.

This commit includes changes for the common code.
- Added support for the new checksum registers which are required for
  the I2C support. The checksum calculation is handled in the qemu
  common code.
- Added wrapper function for read and write data so that I2C code can
  call it without MMIO interface.

Signed-off-by: Ninad Palsule 
---
 hw/tpm/tpm_tis.h|  2 ++
 hw/tpm/tpm_tis_common.c | 33 +
 include/hw/acpi/tpm.h   |  2 ++
 3 files changed, 37 insertions(+)

diff --git a/hw/tpm/tpm_tis.h b/hw/tpm/tpm_tis.h
index f6b5872ba6..16b7baddd8 100644
--- a/hw/tpm/tpm_tis.h
+++ b/hw/tpm/tpm_tis.h
@@ -86,5 +86,7 @@ int tpm_tis_pre_save(TPMState *s);
 void tpm_tis_reset(TPMState *s);
 enum TPMVersion tpm_tis_get_tpm_version(TPMState *s);
 void tpm_tis_request_completed(TPMState *s, int ret);
+uint32_t tpm_tis_read_data(TPMState *s, hwaddr addr, unsigned size);
+void tpm_tis_write_data(TPMState *s, hwaddr addr, uint64_t val, uint32_t size);
 
 #endif /* TPM_TPM_TIS_H */
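
Review bot: the two new prototypes are inconsistent with each other and with what they wrap: `tpm_tis_read_data()` takes `unsigned size` and returns `uint32_t`, while `tpm_tis_write_data()` takes `uint32_t size`, and `tpm_tis_mmio_read()` is declared as returning `uint64_t`. Pick one size type for both wrappers and document that the read result is narrowed to 32 bits.
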
diff --git a/hw/tpm/tpm_tis_common.c b/hw/tpm/tpm_tis_common.c
index 503be2a541..3c82f63179 100644
--- a/hw/tpm/tpm_tis_common.c
+++ b/hw/tpm/tpm_tis_common.c
@@ -26,6 +26,8 @@
 #include "hw/irq.h"
 #include "hw/isa/isa.h"
 #include "qapi/error.h"
+#include "qemu/bswap.h"
+#include "qemu/crc-ccitt.h"
 #include "qemu/module.h"
 
 #include "hw/acpi/tpm.h"
@@ -422,6 +424,9 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr addr,
 shift = 0; /* no more adjustments */
 }
 break;
+case TPM_TIS_REG_DATA_CSUM_GET:
+val = bswap16(crc_ccitt(0, s->buffer, s->rw_offset));
+break;
 case TPM_TIS_REG_INTERFACE_ID:
 val = s->loc[locty].iface_id;
 break;
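Review bot: the new `TPM_TIS_REG_DATA_CSUM_GET` read case needs a comment saying why the CRC goes through `bswap16()` and what byte order the register is defined to have; the swap is unconditional and the reason cannot be recovered from the code. The case also sits in the shared `tpm_tis_mmio_read()` path, so the ISA and sysbus devices will answer reads at 0x44 too, although the commit message describes the register as an I2C requirement; consider gating it on the transport or stating that exposing it everywhere is intended. It is also worth confirming that `s->rw_offset` is the right length for the checksum at every point where the guest can read this register.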
@@ -447,6 +452,15 @@ static uint64_t tpm_tis_mmio_read(void *opaque, hwaddr 
addr,
 return val;
 }
 
+/*
+ * A wrapper read function so that it can be directly called without
+ * mmio.
+ */
+uint32_t tpm_tis_read_data(TPMState *s, hwaddr addr, unsigned size)
+{
+return tpm_tis_mmio_read(s, addr, size);
+}
+
 /*
  * Write a value to a register of the TIS interface
  * See specs pages 33-63 for description of the registers
@@ -600,6 +614,15 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
 case TPM_TIS_REG_INT_VECTOR:
 /* hard wired -- ignore */
 break;
+case TPM_TIS_REG_DATA_CSUM_ENABLE:
+/*
+ * Checksum implemented by common code so no need to set
+ * any flags.
+ */
+break;
+case TPM_TIS_REG_DATA_CSUM_GET:
+/* This is readonly register so ignore */
+break;
 case TPM_TIS_REG_INT_STATUS:
 if (s->active_locty != locty) {
 break;
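Review bot: in the `TPM_TIS_REG_DATA_CSUM_ENABLE` write case the value is dropped, so the guest cannot turn the checksum off, and since this patch adds no read case for that register it cannot read back what it wrote either. If the register is meant to be a read/write enable, store the value in `TPMState` and return it on read; if ignoring it is deliberate, extend the comment to say what a guest read of 0x40 returns. The `TPM_TIS_REG_DATA_CSUM_GET` comment would read better as "read-only register, ignore writes".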
@@ -703,6 +726,7 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
 break;
 case TPM_TIS_REG_DATA_FIFO:
 case TPM_TIS_REG_DATA_XFIFO ... TPM_TIS_REG_DATA_XFIFO_END:
+
 /* data fifo */
 if (s->active_locty != locty) {
 break;
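Review bot: the only change in this hunk is a blank line added after the `TPM_TIS_REG_DATA_XFIFO ... TPM_TIS_REG_DATA_XFIFO_END` case label, which is unrelated to the checksum work; please drop it from the patch.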
@@ -767,6 +791,15 @@ static void tpm_tis_mmio_write(void *opaque, hwaddr addr,
 }
 }
 
+/*
+ * A wrapper write function so that it can be directly called without
+ * mmio.
+ */
+void tpm_tis_write_data(TPMState *s, hwaddr addr, uint64_t val, uint32_t size)
+{
+tpm_tis_mmio_write(s, addr, val, size);
+}
+
 const MemoryRegionOps tpm_tis_memory_ops = {
 .read = tpm_tis_mmio_read,
 .write = tpm_tis_mmio_write,
diff --git a/include/hw/acpi/tpm.h b/include/hw/acpi/tpm.h
index 559ba6906c..db12c002f4 100644
--- a/include/hw/acpi/tpm.h
+++ b/include/hw/acpi/tpm.h
@@ -40,6 +40,8 @@
 #define TPM_TIS_REG_STS   0x18
 #define TPM_TIS_REG_DATA_FIFO 0x24
 #define TPM_TIS_REG_INTERFACE_ID  0x30
+#define TPM_TIS_REG_DATA_CSUM_ENABLE  0x40
+#define TPM_TIS_REG_DATA_CSUM_GET 0x44
 #define TPM_TIS_REG_DATA_XFIFO0x80
 #define TPM_TIS_REG_DATA_XFIFO_END0xbc
 #define TPM_TIS_REG_DID_VID   0xf00
-- 
2.37.2




[PATCH 1/3] Add support for TPM devices over I2C bus

2023-03-21 Thread Ninad Palsule
This is a documentation change for I2C TPM device support.

Qemu already supports devices attached to ISA and sysbus.
This drop adds support for the I2C bus attached TPM devices.

Signed-off-by: Ninad Palsule 
---
 docs/specs/tpm.rst | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
index 535912a92b..79a79f0640 100644
--- a/docs/specs/tpm.rst
+++ b/docs/specs/tpm.rst
@@ -21,11 +21,14 @@ QEMU files related to TPM TIS interface:
  - ``hw/tpm/tpm_tis_common.c``
  - ``hw/tpm/tpm_tis_isa.c``
  - ``hw/tpm/tpm_tis_sysbus.c``
+ - ``hw/tpm/tpm_tis_i2c.c``
  - ``hw/tpm/tpm_tis.h``
 
 Both an ISA device and a sysbus device are available. The former is
 used with pc/q35 machine while the latter can be instantiated in the
-Arm virt machine.
+Arm virt machine. An I2C device support is also added which can be
+instantiated in the arm based emulation machine. I2C model only supports
+TPM2 protocol.
 
 CRB interface
 -
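Review bot: the added sentence "An I2C device support is also added ..." reads as a changelog entry rather than documentation, and "arm based emulation machine" does not tell the reader which machine types can instantiate the device. Suggest wording along the lines of "An I2C device is also available and can be instantiated on Arm-based machines; it only supports TPM 2.0", naming the machines if the set is known. The file list also gains `hw/tpm/tpm_tis_i2c.c` here, while the diffstat of patch 2/3 does not create that file, so this docs change should be ordered with or after the patch that adds it.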
-- 
2.37.2




[PULL 4/8] contrib/elf2dmp: move PE dir search to pe_get_data_dir_entry

2023-03-21 Thread Peter Maydell
From: Viktor Prutyanov 

Move out PE directory search functionality to be reused not only
for Debug Directory processing but for arbitrary PE directory.

Signed-off-by: Viktor Prutyanov 
Reviewed-by: Annie Li 
Message-id: 2023011246.883679-3-vik...@daynix.com
Signed-off-by: Peter Maydell 
---
 contrib/elf2dmp/main.c | 71 +-
 1 file changed, 42 insertions(+), 29 deletions(-)

diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
index 92247642395..2f6028d8eb3 100644
--- a/contrib/elf2dmp/main.c
+++ b/contrib/elf2dmp/main.c
@@ -333,6 +333,45 @@ static int fill_context(KDDEBUGGER_DATA64 *kdbg,
 return 0;
 }
 
+static int pe_get_data_dir_entry(uint64_t base, void *start_addr, int idx,
+void *entry, size_t size, struct va_space *vs)
+{
+const char e_magic[2] = "MZ";
+const char Signature[4] = "PE\0\0";
+IMAGE_DOS_HEADER *dos_hdr = start_addr;
+IMAGE_NT_HEADERS64 nt_hdrs;
+IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader;
+IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader;
+IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory;
+
+QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE);
+
+if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) {
+return 1;
+}
+
+if (va_space_rw(vs, base + dos_hdr->e_lfanew,
+&nt_hdrs, sizeof(nt_hdrs), 0)) {
+return 1;
+}
+
+if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) ||
+file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) {
+return 1;
+}
+
+if (va_space_rw(vs,
+base + data_dir[idx].VirtualAddress,
+entry, size, 0)) {
+return 1;
+}
+
+printf("Data directory entry #%d: RVA = 0x%08"PRIx32"\n", idx,
+(uint32_t)data_dir[idx].VirtualAddress);
+
+return 0;
+}
+
 static int write_dump(struct pa_space *ps,
 WinDumpHeader64 *hdr, const char *name)
 {
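Review bot: `pe_get_data_dir_entry()` indexes `data_dir[idx]` without checking `idx` against `IMAGE_NUMBEROF_DIRECTORY_ENTRIES` or against the `NumberOfRvaAndSizes` field read from the image. Now that the helper is meant for arbitrary directories, add a bounds check before the access, and consider rejecting an entry whose `VirtualAddress` is 0 or whose `Size` is smaller than the caller's `size`, since all of these fields come from the guest image being parsed. The `printf()` of the RVA has also moved after the `va_space_rw()` call, so a failed read no longer shows which RVA was attempted; printing before the read, as the old code did, keeps that diagnostic.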
@@ -369,42 +408,16 @@ static int write_dump(struct pa_space *ps,
 static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,
 char *hash, struct va_space *vs)
 {
-const char e_magic[2] = "MZ";
-const char Signature[4] = "PE\0\0";
 const char sign_rsds[4] = "RSDS";
-IMAGE_DOS_HEADER *dos_hdr = start_addr;
-IMAGE_NT_HEADERS64 nt_hdrs;
-IMAGE_FILE_HEADER *file_hdr = &nt_hdrs.FileHeader;
-IMAGE_OPTIONAL_HEADER64 *opt_hdr = &nt_hdrs.OptionalHeader;
-IMAGE_DATA_DIRECTORY *data_dir = nt_hdrs.OptionalHeader.DataDirectory;
 IMAGE_DEBUG_DIRECTORY debug_dir;
 OMFSignatureRSDS rsds;
 char *pdb_name;
 size_t pdb_name_sz;
 size_t i;
 
-QEMU_BUILD_BUG_ON(sizeof(*dos_hdr) >= ELF2DMP_PAGE_SIZE);
-
-if (memcmp(&dos_hdr->e_magic, e_magic, sizeof(e_magic))) {
-return 1;
-}
-
-if (va_space_rw(vs, base + dos_hdr->e_lfanew,
-&nt_hdrs, sizeof(nt_hdrs), 0)) {
-return 1;
-}
-
-if (memcmp(&nt_hdrs.Signature, Signature, sizeof(Signature)) ||
-file_hdr->Machine != 0x8664 || opt_hdr->Magic != 0x020b) {
-return 1;
-}
-
-printf("Debug Directory RVA = 0x%08"PRIx32"\n",
-(uint32_t)data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress);
-
-if (va_space_rw(vs,
-base + data_dir[IMAGE_FILE_DEBUG_DIRECTORY].VirtualAddress,
-&debug_dir, sizeof(debug_dir), 0)) {
+if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_DEBUG_DIRECTORY,
+&debug_dir, sizeof(debug_dir), vs)) {
+eprintf("Failed to get Debug Directory\n");
 return 1;
 }
 
-- 
2.34.1




[PULL 3/8] contrib/elf2dmp: fix code style

2023-03-21 Thread Peter Maydell
From: Viktor Prutyanov 

Originally elf2dmp was added with some code style issues,
especially in pe.h header, and some were introduced by
2d0fc797faaa73fbc1d30f5f9e90407bf3dd93f0. Fix them now.

Signed-off-by: Viktor Prutyanov 
Reviewed-by: Annie Li 
Message-id: 2023011246.883679-2-vik...@daynix.com
Signed-off-by: Peter Maydell 
---
 contrib/elf2dmp/pe.h| 100 ++--
 contrib/elf2dmp/addrspace.c |   1 +
 contrib/elf2dmp/main.c  |   9 ++--
 3 files changed, 57 insertions(+), 53 deletions(-)

diff --git a/contrib/elf2dmp/pe.h b/contrib/elf2dmp/pe.h
index c2a4a6ba7c2..807d0063649 100644
--- a/contrib/elf2dmp/pe.h
+++ b/contrib/elf2dmp/pe.h
@@ -33,70 +33,70 @@ typedef struct IMAGE_DOS_HEADER {
 } __attribute__ ((packed)) IMAGE_DOS_HEADER;
 
 typedef struct IMAGE_FILE_HEADER {
-  uint16_t  Machine;
-  uint16_t  NumberOfSections;
-  uint32_t  TimeDateStamp;
-  uint32_t  PointerToSymbolTable;
-  uint32_t  NumberOfSymbols;
-  uint16_t  SizeOfOptionalHeader;
-  uint16_t  Characteristics;
+uint16_t  Machine;
+uint16_t  NumberOfSections;
+uint32_t  TimeDateStamp;
+uint32_t  PointerToSymbolTable;
+uint32_t  NumberOfSymbols;
+uint16_t  SizeOfOptionalHeader;
+uint16_t  Characteristics;
 } __attribute__ ((packed)) IMAGE_FILE_HEADER;
 
 typedef struct IMAGE_DATA_DIRECTORY {
-  uint32_t VirtualAddress;
-  uint32_t Size;
+uint32_t VirtualAddress;
+uint32_t Size;
 } __attribute__ ((packed)) IMAGE_DATA_DIRECTORY;
 
 #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
 
 typedef struct IMAGE_OPTIONAL_HEADER64 {
-  uint16_t  Magic; /* 0x20b */
-  uint8_t   MajorLinkerVersion;
-  uint8_t   MinorLinkerVersion;
-  uint32_t  SizeOfCode;
-  uint32_t  SizeOfInitializedData;
-  uint32_t  SizeOfUninitializedData;
-  uint32_t  AddressOfEntryPoint;
-  uint32_t  BaseOfCode;
-  uint64_t  ImageBase;
-  uint32_t  SectionAlignment;
-  uint32_t  FileAlignment;
-  uint16_t  MajorOperatingSystemVersion;
-  uint16_t  MinorOperatingSystemVersion;
-  uint16_t  MajorImageVersion;
-  uint16_t  MinorImageVersion;
-  uint16_t  MajorSubsystemVersion;
-  uint16_t  MinorSubsystemVersion;
-  uint32_t  Win32VersionValue;
-  uint32_t  SizeOfImage;
-  uint32_t  SizeOfHeaders;
-  uint32_t  CheckSum;
-  uint16_t  Subsystem;
-  uint16_t  DllCharacteristics;
-  uint64_t  SizeOfStackReserve;
-  uint64_t  SizeOfStackCommit;
-  uint64_t  SizeOfHeapReserve;
-  uint64_t  SizeOfHeapCommit;
-  uint32_t  LoaderFlags;
-  uint32_t  NumberOfRvaAndSizes;
-  IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+uint16_t  Magic; /* 0x20b */
+uint8_t   MajorLinkerVersion;
+uint8_t   MinorLinkerVersion;
+uint32_t  SizeOfCode;
+uint32_t  SizeOfInitializedData;
+uint32_t  SizeOfUninitializedData;
+uint32_t  AddressOfEntryPoint;
+uint32_t  BaseOfCode;
+uint64_t  ImageBase;
+uint32_t  SectionAlignment;
+uint32_t  FileAlignment;
+uint16_t  MajorOperatingSystemVersion;
+uint16_t  MinorOperatingSystemVersion;
+uint16_t  MajorImageVersion;
+uint16_t  MinorImageVersion;
+uint16_t  MajorSubsystemVersion;
+uint16_t  MinorSubsystemVersion;
+uint32_t  Win32VersionValue;
+uint32_t  SizeOfImage;
+uint32_t  SizeOfHeaders;
+uint32_t  CheckSum;
+uint16_t  Subsystem;
+uint16_t  DllCharacteristics;
+uint64_t  SizeOfStackReserve;
+uint64_t  SizeOfStackCommit;
+uint64_t  SizeOfHeapReserve;
+uint64_t  SizeOfHeapCommit;
+uint32_t  LoaderFlags;
+uint32_t  NumberOfRvaAndSizes;
+IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
 } __attribute__ ((packed)) IMAGE_OPTIONAL_HEADER64;
 
 typedef struct IMAGE_NT_HEADERS64 {
-  uint32_t Signature;
-  IMAGE_FILE_HEADER FileHeader;
-  IMAGE_OPTIONAL_HEADER64 OptionalHeader;
+uint32_t Signature;
+IMAGE_FILE_HEADER FileHeader;
+IMAGE_OPTIONAL_HEADER64 OptionalHeader;
 } __attribute__ ((packed)) IMAGE_NT_HEADERS64;
 
 typedef struct IMAGE_DEBUG_DIRECTORY {
-  uint32_t Characteristics;
-  uint32_t TimeDateStamp;
-  uint16_t MajorVersion;
-  uint16_t MinorVersion;
-  uint32_t Type;
-  uint32_t SizeOfData;
-  uint32_t AddressOfRawData;
-  uint32_t PointerToRawData;
+uint32_t Characteristics;
+uint32_t TimeDateStamp;
+uint16_t MajorVersion;
+uint16_t MinorVersion;
+uint32_t Type;
+uint32_t SizeOfData;
+uint32_t AddressOfRawData;
+uint32_t PointerToRawData;
 } __attribute__ ((packed)) IMAGE_DEBUG_DIRECTORY;
 
 #define IMAGE_DEBUG_TYPE_CODEVIEW   2
diff --git a/contrib/elf2dmp/addrspace.c b/contrib/elf2dmp/addrspace.c
index 53ded170618..0b04cba00e5 100644
--- a/contrib/elf2dmp/addrspace.c
+++ b/contrib/elf2dmp/addrspace.c
@@ -11,6 +11,7 @@
 static struct pa_block *pa_space_find_block(struct pa_space *ps, uint64_t pa)
 {
 size_t i;
+
 for (i = 0; i < ps->block_nr; i++) {
 if (ps->block[i].paddr <= pa &&
 pa <= ps->block[i].paddr + ps->block[i].size) {
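Review bot: the range test in `pa_space_find_block()`, visible in the context lines, is `pa <= ps->block[i].paddr + ps->block[i].size`, which also matches the address one byte past the end of the block if `size` is a byte count. That is outside the scope of a style-only patch, but it is worth a follow-up to confirm whether `<` is intended.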
diff --git a/contrib/

Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread Wu, Fei
On 3/21/2023 8:58 PM, liweiwei wrote:
> 
> On 2023/3/21 14:37, fei2...@intel.com wrote:
>> From: Fei Wu 
>>
>> Kernel needs to access user mode memory e.g. during syscalls, the window
>> is usually opened up for a very limited time through MSTATUS.SUM, the
>> overhead is too much if tlb_flush() gets called for every SUM change.
>> This patch saves addresses accessed when SUM=1, and flushes only these
>> pages when SUM changes to 0. If the buffer is not large enough to save
>> all the pages during SUM=1, it will fall back to tlb_flush when
>> necessary.
>>
>> The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
>> most of the time kernel accesses 1 or 2 pages, it's very rare to see
>> more than 4 pages accessed.
>>
>> It's not necessary to save/restore these new added status, as
>> tlb_flush() is always called after restore.
>>
>> Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
>> other syscalls benefit a lot from this one too.
>>
>> Signed-off-by: Fei Wu 
>> Reviewed-by: LIU Zhiwei 
>> ---
>>   target/riscv/cpu.h    |  4 
>>   target/riscv/cpu_helper.c |  7 +++
>>   target/riscv/csr.c    | 14 +-
>>   3 files changed, 24 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
>> index 638e47c75a..926dbce59f 100644
>> --- a/target/riscv/cpu.h
>> +++ b/target/riscv/cpu.h
>> @@ -383,6 +383,10 @@ struct CPUArchState {
>>   uint64_t kvm_timer_compare;
>>   uint64_t kvm_timer_state;
>>   uint64_t kvm_timer_frequency;
>> +
>> +#define MAX_CACHED_SUM_U_ADDR_NUM 4
>> +    uint64_t sum_u_count;
>> +    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
>>   };
>>     OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
>> diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
>> index f88c503cf4..5ad0418eb6 100644
>> --- a/target/riscv/cpu_helper.c
>> +++ b/target/riscv/cpu_helper.c
>> @@ -1068,6 +1068,13 @@ restart:
>>   (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
>>   *prot |= PAGE_WRITE;
>>   }
>> +    if ((pte & PTE_U) && (mode & PRV_S) &&
>> +    get_field(env->mstatus, MSTATUS_SUM)) {
>> +    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    env->sum_u_addr[env->sum_u_count] = addr;
>> +    }
>> +    ++env->sum_u_count;
>> +    }
>>   return TRANSLATE_SUCCESS;
>>   }
>>   }
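Review bot: the added condition tests `(mode & PRV_S)`, which is a bit test rather than a comparison; with PRV_S encoded as 1 and PRV_M as 3 it is also true for M mode, so use `mode == PRV_S` if only supervisor walks should be recorded. Separately, `sum_u_count` keeps incrementing past `MAX_CACHED_SUM_U_ADDR_NUM` as the overflow signal for `write_mstatus()`; a short comment here saying so would save the reader a trip to csr.c.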
>> diff --git a/target/riscv/csr.c b/target/riscv/csr.c
>> index ab566639e5..74b7638c8a 100644
>> --- a/target/riscv/csr.c
>> +++ b/target/riscv/csr.c
>> @@ -1246,9 +1246,21 @@ static RISCVException
>> write_mstatus(CPURISCVState *env, int csrno,
>>     /* flush tlb on mstatus fields that affect VM */
>>   if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
>> -    MSTATUS_MPRV | MSTATUS_SUM)) {
>> +    MSTATUS_MPRV)) {
>>   tlb_flush(env_cpu(env));
>> +    env->sum_u_count = 0;
>> +    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
>> +    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
>> +    tlb_flush(env_cpu(env));
> 
> SUM seems to only affect S mode TLB. Maybe we can only flush S mode TLB here.
> 
It's also in effect when MPRV=1 and MPP=S in M mode, we can only flush
the tlb of PRV_S and PRV_M.

Thanks,
Fei.

>> +    } else {
>> +    for (int i = 0; i < env->sum_u_count; ++i) {
>> +    tlb_flush_page_by_mmuidx(env_cpu(env),
>> env->sum_u_addr[i],
>> + 1 << PRV_S | 1 << PRV_M);
> 
> Similar case here.
> 
> Regards,
> 
> Weiwei Li
> 
>> +    }
>> +    }
>> +    env->sum_u_count = 0;
>>   }
>> +
>>   mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
>>   MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
>>   MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |
> 
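Review bot: the new `else if` in `write_mstatus()` only handles SUM going from 1 to 0, and `MSTATUS_SUM` has been removed from the mask that triggers the full flush, so a 0 to 1 transition now flushes nothing. Please add a comment explaining why TLB entries created while SUM=0 remain valid once SUM is set; without it the reader cannot tell whether that case was considered. The loop index is also `int` while `sum_u_count` is `uint64_t`; use a matching unsigned type.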




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Eric Auger
Hi Mostafa,

On 3/21/23 14:06, Mostafa Saleh wrote:
> Hi Eric,
>
>>> + * According to 6.3.6 SMMU_IDR5, OAS must match the system physical 
>>> address
>>> + * size.
>>> + */
>>> +ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
>>> +uint8_t oas = FIELD_EX64(armcpu->isar.id_aa64mmfr0, ID_AA64MMFR0, 
>>> PARANGE);
>> is this working in accelerated mode?
> I didn't try with accel, I will give it a try, but from what I see, that
> ARM_CPU() is used to get the CPU in target/arm/kvm.c which is used from
> accel/kvm-all.c, so it seems this would work for accelerated mode.

yeah I am not familiar enough with that code but it is worth checking.
>
>>> +
>>>  /**
>>>   * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
>>>   *   multi-level stream table
>>> @@ -265,7 +272,7 @@ static void smmuv3_init_regs(SMMUv3State *s)
>>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
>>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN16K, 1);
>>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
>>> -s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 
>>> bits */
>>> +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
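Review bot: `oas` is the raw `ID_AA64MMFR0.PARANGE` field copied straight into `IDR5.OAS`, with no check that the CPU's encoding is one the SMMU field defines, and the old `/* 44 bits */` comment is dropped without a replacement. Add a range check or an explicit mapping with a fallback value, and a comment stating which encodings are expected.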
>> I am not sure you can change that easily. In case of migration this is
>> going to change the behavior of the device, no?
> I see IDR registers are not migrated. I guess we can add them in a
> subsection and if they were not passed (old instances) we set OAS to
> 44.
> Maybe this should be another change outside of this series.
Indeed they are not migrated so it can lead to inconsistent behavior in
both source and dest. This deserves more analysis to me. In case you
would decide to migrate IDR regs this would need to be done in that
series I think. Migration must not be broken by this series.

Thanks

Eric
>
> Thanks,
> Mostafa
>




[PULL 1/8] target/arm: Add Neoverse-N1 registers

2023-03-21 Thread Peter Maydell
From: Chen Baozi 

Add implementation defined registers for neoverse-n1 which
would be accessed by TF-A. Since there is no DSU in Qemu,
CPUCFR_EL1.SCU bit is set to 1 to avoid DSU registers definition.

Signed-off-by: Chen Baozi 
Reviewed-by: Peter Maydell 
Tested-by: Marcin Juszkiewicz 
Message-id: 20230313033936.585669-1-chenba...@phytium.com.cn
Signed-off-by: Peter Maydell 
---
 target/arm/cpu64.c | 69 ++
 1 file changed, 69 insertions(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index 4066950da15..0fb07cc7b6d 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -21,6 +21,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "cpu.h"
+#include "cpregs.h"
 #include "qemu/module.h"
 #include "sysemu/kvm.h"
 #include "sysemu/hvf.h"
@@ -1027,6 +1028,72 @@ static void aarch64_a64fx_initfn(Object *obj)
 /* TODO:  Add A64FX specific HPC extension registers */
 }
 
+static const ARMCPRegInfo neoverse_n1_cp_reginfo[] = {
+{ .name = "ATCR_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 7, .opc2 = 0,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ATCR_EL2", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 0,
+  .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ATCR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 7, .opc2 = 0,
+  .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ATCR_EL12", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 5, .crn = 15, .crm = 7, .opc2 = 0,
+  .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "AVTCR_EL2", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 4, .crn = 15, .crm = 7, .opc2 = 1,
+  .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 0,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUACTLR2_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 1,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUACTLR3_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 2,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+/*
+ * Report CPUCFR_EL1.SCU as 1, as we do not implement the DSU
+ * (and in particular its system registers).
+ */
+{ .name = "CPUCFR_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 0, .opc2 = 0,
+  .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 4 },
+{ .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 1, .opc2 = 4,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0x961563010 },
+{ .name = "CPUPCR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 1,
+  .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUPMR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 3,
+  .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUPOR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 2,
+  .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUPSELR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 15, .crm = 8, .opc2 = 0,
+  .access = PL3_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "CPUPWRCTLR_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 7,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ERXPFGCDN_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 2,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ERXPFGCTL_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 1,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+{ .name = "ERXPFGF_EL1", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 15, .crm = 2, .opc2 = 0,
+  .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+};
+
+static void define_neoverse_n1_cp_reginfo(ARMCPU *cpu)
+{
+define_arm_cp_regs(cpu, neoverse_n1_cp_reginfo);
+}
+
 static void aarch64_neoverse_n1_initfn(Object *obj)
 {
 ARMCPU *cpu = ARM_CPU(obj);
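Review bot: the `CPUCFR_EL1` entry encodes the SCU bit as the literal `.resetvalue = 4`, and `CPUECTLR_EL1` uses the unexplained constant `0x961563010`; write the first as a shifted bit (for example `1 << 2`) and cite where the second value comes from. All entries are `ARM_CP_CONST`, most of them with `PLx_RW` access, so guest writes are accepted and discarded; a one-line comment above the table saying these are constant stubs whose writes are ignored would make that intent explicit.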
@@ -1094,6 +1161,8 @@ static void aarch64_neoverse_n1_initfn(Object *obj)
 
 /* From D5.1 AArch64 PMU register summary */
 cpu->isar.reset_pmcr_el0 = 0x410c3000;
+
+define_neoverse_n1_cp_reginfo(cpu);
 }
 
 static void aarch64_host_initfn(Object *obj)
-- 
2.34.1




Re: [PATCH] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread liweiwei



On 2023/3/21 21:22, Wu, Fei wrote:

On 3/21/2023 8:58 PM, liweiwei wrote:

On 2023/3/21 14:37, fei2...@intel.com wrote:

From: Fei Wu 

Kernel needs to access user mode memory e.g. during syscalls, the window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
---
   target/riscv/cpu.h    |  4 
   target/riscv/cpu_helper.c |  7 +++
   target/riscv/csr.c    | 14 +-
   3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
   uint64_t kvm_timer_compare;
   uint64_t kvm_timer_state;
   uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+    uint64_t sum_u_count;
+    uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
   };
     OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..5ad0418eb6 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
   (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
   *prot |= PAGE_WRITE;
   }
+    if ((pte & PTE_U) && (mode & PRV_S) &&
+    get_field(env->mstatus, MSTATUS_SUM)) {
+    if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+    env->sum_u_addr[env->sum_u_count] = addr;
+    }
+    ++env->sum_u_count;
+    }
   return TRANSLATE_SUCCESS;
   }
   }
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..74b7638c8a 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException
write_mstatus(CPURISCVState *env, int csrno,
     /* flush tlb on mstatus fields that affect VM */
   if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-    MSTATUS_MPRV | MSTATUS_SUM)) {
+    MSTATUS_MPRV)) {
   tlb_flush(env_cpu(env));
+    env->sum_u_count = 0;
+    } else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+    if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+    tlb_flush(env_cpu(env));

SUM seems to only affect S mode TLB. Maybe we can only flush S mode TLB here.


It's also in effect when MPRV=1 and MPP=S in M mode, we can only flush
the tlb of PRV_S and PRV_M.


OK. Good point.

Regards,

Weiwei Li



Thanks,
Fei.


+    } else {
+    for (int i = 0; i < env->sum_u_count; ++i) {
+    tlb_flush_page_by_mmuidx(env_cpu(env),
env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);

Similar case here.

Regards,

Weiwei Li


+    }
+    }
+    env->sum_u_count = 0;
   }
+
   mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
   MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
   MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |





Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Mostafa Saleh
On Tue, Mar 21, 2023 at 02:23:03PM +0100, Eric Auger wrote:
> >>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
> >>> -s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 
> >>> bits */
> >>> +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
> >> I am not sure you can change that easily. In case of migration this is
> >> going to change the behavior of the device, no?
> > I see IDR registers are not migrated. I guess we can add them in a
> > subsection and if they were not passed (old instances) we set OAS to
> > 44.
> > Maybe this should be another change outside of this series.
> Indeed they are not migrated so it can lead to inconsistent behavior in
> both source and dest. This deserves more analysis to me. In case you
> would decide to migrate IDR regs this would need to be done in that
> series I think. Migration must not be broken by this series

I agree, I meant to drop this patch from the series as it is not
really related to stage-2, and we can have another patch for this +
migration for IDR if needed after doing proper analysis.

Thanks,
Mostafa



Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Eric Auger



On 3/21/23 14:29, Mostafa Saleh wrote:
> On Tue, Mar 21, 2023 at 02:23:03PM +0100, Eric Auger wrote:
>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
> -s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 
> bits */
> +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
 I am not sure you can change that easily. In case of migration this is
 going to change the behavior of the device, no?
>>> I see IDR registers are not migrated. I guess we can add them in a
>>> subsection and if they were not passed (old instances) we set OAS to
>>> 44.
>>> Maybe this should be another change outside of this series.
>> Indeed they are not migrated so it can lead to inconsistent behavior in
>> both source and dest. This deserves more analysis to me. In case you
>> would decide to migrate IDR regs this would need to be done in that
>> series I think. Migration must not be broken by this series
> I agree, I meant to drop this patch from the series as it is not
> really related to stage-2, and we can have another patch for this +
> migration for IDR if needed after doing proper analysis.

Ah OK. I get it now. Yes this looks sensible

Thanks

Eric
>
> Thanks,
> Mostafa
>




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Peter Maydell
On Tue, 21 Mar 2023 at 13:23, Eric Auger  wrote:
>
> Hi Mostafa,
>
> On 3/21/23 14:06, Mostafa Saleh wrote:
> > Hi Eric,
> >
> >>> + * According to 6.3.6 SMMU_IDR5, OAS must match the system physical 
> >>> address
> >>> + * size.
> >>> + */
> >>> +ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
> >>> +uint8_t oas = FIELD_EX64(armcpu->isar.id_aa64mmfr0, ID_AA64MMFR0, 
> >>> PARANGE);
> >> is this working in accelerated mode?
> > I didn't try with accel, I will give it a try, but from what I see, that
> > ARM_CPU() is used to get the CPU in target/arm/kvm.c which is used from
> > accel/kvm-all.c, so it seems this would work for accelerated mode.
>
> yeah I am not familiar enough with that code but it is worth checking.

I'm a bit unsure about fishing around in the CPU ID registers for this.
That's not what you would do in real hardware, you'd just say "the
system is supposed to configure the CPU and the SMMU correctly".

Also, there is no guarantee that CPU 0 is related to this SMMU in
particular.

> >
> >>> +
> >>>  /**
> >>>   * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
> >>>   *   multi-level stream table
> >>> @@ -265,7 +272,7 @@ static void smmuv3_init_regs(SMMUv3State *s)
> >>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
> >>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN16K, 1);
> >>>  s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
> >>> -s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 
> >>> bits */
> >>> +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
> >> I am not sure you can change that easily. In case of migration this is
> >> going to change the behavior of the device, no?
> > I see IDR registers are not migrated. I guess we can add them in a
> > subsection and if they were not passed (old instances) we set OAS to
> > 44.
> > Maybe this should be another change outside of this series.
> Indeed they are not migrated so it can lead to inconsistent behavior in
> both source and dest. This deserves more analysis to me. In case you
> would decide to migrate IDR regs this would need to be done in that
> series I think. Migration must not be broken by this series.

Jumping in here without having read much of the context, but why
would we need to migrate the ID registers? They are constant, read-only,
so they will be the same value on both source and destination.

thanks
-- PMM



Re: [RFC PATCH] tests/avocado: probe for multi-process support before running test

2023-03-21 Thread Philippe Mathieu-Daudé

On 21/3/23 12:17, Alex Bennée wrote:

A recent attempt to let avocado run more tests on the CentOS stream
build failed because there was no gating on the multiprocess feature.
Like missing accelerators avocado should gracefully skip when the
feature is not enabled.

In this case we use the existence of the proxy device as a proxy for
multi-process support.

Signed-off-by: Alex Bennée 
Cc: Elena Ufimtseva 
Cc: Jagannathan Raman 
Cc: John G Johnson 
---
  tests/avocado/avocado_qemu/__init__.py | 10 ++
  tests/avocado/multiprocess.py  |  1 +
  2 files changed, 11 insertions(+)




+"""
+Test for the presence of the x-pci-proxy-dev which is required
+to support multiprocess.
+"""
+devhelp = run_cmd([self.qemu_bin,
+   '-M', 'none', '-device', 'help'])[0];
+if devhelp.find('x-pci-proxy-dev') < 0:
+self.cancel('no support for multiprocess device emulation')
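Review bot: the `run_cmd(...)` statement ends with a stray `;` after `[0]`, which Python accepts but is not idiomatic; drop it. The membership test also reads more directly as `if 'x-pci-proxy-dev' not in devhelp:` than as `devhelp.find(...) < 0`.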


FYI a more generic alternative to this method:
https://lore.kernel.org/qemu-devel/20200129212345.20547-14-phi...@redhat.com/

But yours just works :)



[PATCH v2] target/riscv: reduce overhead of MSTATUS_SUM change

2023-03-21 Thread Fei Wu
Kernel needs to access user mode memory e.g. during syscalls, the window
is usually opened up for a very limited time through MSTATUS.SUM, the
overhead is too much if tlb_flush() gets called for every SUM change.
This patch saves addresses accessed when SUM=1, and flushes only these
pages when SUM changes to 0. If the buffer is not large enough to save
all the pages during SUM=1, it will fall back to tlb_flush when
necessary.

The buffer size is set to 4 since in this MSTATUS.SUM open-up window,
most of the time kernel accesses 1 or 2 pages, it's very rare to see
more than 4 pages accessed.

It's not necessary to save/restore these new added status, as
tlb_flush() is always called after restore.

Result of 'pipe 10' from unixbench boosts from 223656 to 1327407. Many
other syscalls benefit a lot from this one too.

Signed-off-by: Fei Wu 
Reviewed-by: LIU Zhiwei 
Reviewed-by: Weiwei Li 
---
 target/riscv/cpu.h|  4 
 target/riscv/cpu_helper.c |  7 +++
 target/riscv/csr.c| 14 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu.h b/target/riscv/cpu.h
index 638e47c75a..926dbce59f 100644
--- a/target/riscv/cpu.h
+++ b/target/riscv/cpu.h
@@ -383,6 +383,10 @@ struct CPUArchState {
 uint64_t kvm_timer_compare;
 uint64_t kvm_timer_state;
 uint64_t kvm_timer_frequency;
+
+#define MAX_CACHED_SUM_U_ADDR_NUM 4
+uint64_t sum_u_count;
+uint64_t sum_u_addr[MAX_CACHED_SUM_U_ADDR_NUM];
 };
 
 OBJECT_DECLARE_CPU_TYPE(RISCVCPU, RISCVCPUClass, RISCV_CPU)
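
Review bot: The two new CPUArchState fields have no comment saying what they track or when they are cleared. A short comment would help, stating that sum_u_addr holds addresses of user pages translated for S-mode while MSTATUS.SUM is set and that sum_u_count is allowed to exceed MAX_CACHED_SUM_U_ADDR_NUM to signal overflow. sum_u_count is uint64_t although it only needs to tell 0 through "more than 4" apart, and the `#define` in the middle of the struct body would be easier to find above the struct.
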
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index f88c503cf4..d701017a60 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1068,6 +1068,13 @@ restart:
 (access_type == MMU_DATA_STORE || (pte & PTE_D))) {
 *prot |= PAGE_WRITE;
 }
+if ((pte & PTE_U) && (mode == PRV_S) &&
+get_field(env->mstatus, MSTATUS_SUM)) {
+if (env->sum_u_count < MAX_CACHED_SUM_U_ADDR_NUM) {
+env->sum_u_addr[env->sum_u_count] = addr;
+}
+++env->sum_u_count;
+}
 return TRANSLATE_SUCCESS;
 }
 }
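
Review bot: `++env->sum_u_count` runs on every qualifying translation even once the buffer is full, so past MAX_CACHED_SUM_U_ADDR_NUM the counter is only an overflow flag; saturating it at MAX_CACHED_SUM_U_ADDR_NUM + 1 would make that explicit. Dropping the full tlb_flush() on SUM changes is only safe if every user-page translation made under SUM=1 is recorded here, so a comment stating that invariant is worth adding, including why `mode == PRV_S` alone is the right condition when write_mstatus() later flushes both the PRV_S and PRV_M indexes.
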
diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index ab566639e5..e7dfdc6a93 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1246,9 +1246,21 @@ static RISCVException write_mstatus(CPURISCVState *env, 
int csrno,
 
 /* flush tlb on mstatus fields that affect VM */
 if ((val ^ mstatus) & (MSTATUS_MXR | MSTATUS_MPP | MSTATUS_MPV |
-MSTATUS_MPRV | MSTATUS_SUM)) {
+MSTATUS_MPRV)) {
 tlb_flush(env_cpu(env));
+env->sum_u_count = 0;
+} else if ((mstatus & MSTATUS_SUM) && !(val & MSTATUS_SUM)) {
+if (env->sum_u_count > MAX_CACHED_SUM_U_ADDR_NUM) {
+tlb_flush_by_mmuidx(env_cpu(env), 1 << PRV_S | 1 << PRV_M);
+} else {
+for (int i = 0; i < env->sum_u_count; ++i) {
+tlb_flush_page_by_mmuidx(env_cpu(env), env->sum_u_addr[i],
+ 1 << PRV_S | 1 << PRV_M);
+}
+}
+env->sum_u_count = 0;
 }
+
 mask = MSTATUS_SIE | MSTATUS_SPIE | MSTATUS_MIE | MSTATUS_MPIE |
 MSTATUS_SPP | MSTATUS_MPRV | MSTATUS_SUM |
 MSTATUS_MPP | MSTATUS_MXR | MSTATUS_TVM | MSTATUS_TSR |
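
Review bot: In the new `else if` branch, `for (int i = 0; i < env->sum_u_count; ++i)` compares a signed int with the uint64_t sum_u_count; giving `i` the counter's type, or making the counter a small unsigned type, avoids the mixed comparison. The mask `1 << PRV_S | 1 << PRV_M` is written out twice and would read better as one named local, and the blank line added after the closing brace is an unrelated whitespace change.
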
-- 
2.25.1




Re: [PATCH 1/2] hw/i2c: smbus_slave: Reset state on reset

2023-03-21 Thread Philippe Mathieu-Daudé

On 20/3/23 23:14, Joe Komlodi wrote:

If a reset comes while the SMBus device is not in its idle state, it's
possible for it to get confused on valid transactions post-reset.

Signed-off-by: Joe Komlodi 
---
  hw/i2c/smbus_slave.c | 9 +
  1 file changed, 9 insertions(+)


Reviewed-by: Philippe Mathieu-Daudé 




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Mostafa Saleh
Hi Peter,

On Tue, Mar 21, 2023 at 01:34:55PM +, Peter Maydell wrote:
> > >>> +s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, oas);
> > >> I am not sure you can change that easily. In case of migration this is
> > >> going to change the behavior of the device, no?
> > > I see IDR registers are not migrated. I guess we can add them in a
> > > subsection and if they were not passed (old instances) we set OAS to
> > > 44.
> > > Maybe this should be another change outside of this series.
> > > Indeed they are not migrated so it can lead to inconsistent behavior in
> > both source and dest. This deserves more analysis to me. In case you
> > would decide to migrate IDR regs this would need to be done in that
> > series I think. Migration must not be broken by this series.
> 
> Jumping in here without having read much of the context, but why
> would we need to migrate the ID registers? They are constant, read-only,
> so they will be the same value on both source and destination.

Currently OAS for SMMU is hardcoded to 44 bits, and the SMMU manual says
"OAS reflects the maximum usable PA output from the last stage of
AArch64 translations, and must match the system physical address size.
The OAS is discoverable from SMMU_IDR5.OAS."
This patch implements OAS based on CPU PARANGE, but this would break
migration from old instances that ran with 44 bits OAS to new code that
configures it based on the current CPU.
So one idea is to migrate the IDRs (or at least IDR5).
Maybe that is not the best solution, we just need a way to know if the
old instance needs to be 44 bits or not.


Thanks,
Mostafa



Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Eric Auger
Hi Peter,

On 3/21/23 14:34, Peter Maydell wrote:
> Jumping in here without having read much of the context, but why
> would we need to migrate the ID registers? They are constant, read-only,
> so they will be the same value on both source and destination.
this series modifies the values of IDR[5] (oas).  So my understanding is
the guest is likely to behave differently on src and dst, depending on
the qemu version, no?

Thanks

Eric




Re: [PATCH] .editorconfig: set max line at 70 chars for QAPI files

2023-03-21 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> On Tue, Mar 7, 2023 at 4:32 PM  wrote:
>>
>> From: Marc-André Lureau 
>>
>> This seems to be the preferred style.
>>
>> The EditorConfig property is not supported by all editors:
>> https://github.com/editorconfig/editorconfig/wiki/EditorConfig-Properties#max_line_length
>>
>> Signed-off-by: Marc-André Lureau 
>> ---
>>  .editorconfig | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/.editorconfig b/.editorconfig
>> index 7303759ed7..8c5ebc6a1b 100644
>> --- a/.editorconfig
>> +++ b/.editorconfig
>> @@ -47,3 +47,4 @@ emacs_mode = glsl
>>  [*.json]
>>  indent_style = space
>>  emacs_mode = python
>> +max_line_length = 70
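
Review bot: `max_line_length = 70` lands in the `[*.json]` section, so it applies to every JSON file in the tree rather than only to the QAPI schema files the subject line names. If only QAPI files are meant to be limited, a section with a narrower glob would match the stated intent.
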
>
> ack or nack ?

I think we should first address the doc syntax misfeature that pushes us
to the right, and clean up existing overlong lines.  Can't say how hard
the former would be, so I'm having a look.




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Mostafa Saleh
Hi Peter,

On Tue, Mar 21, 2023 at 01:34:55PM +, Peter Maydell wrote:
> > >>> + */
> > >>> +ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
> > >>> +uint8_t oas = FIELD_EX64(armcpu->isar.id_aa64mmfr0, ID_AA64MMFR0, 
> > >>> PARANGE);
> > >> is this working in accelerated mode?
> > > I didn't try with accel, I will give it a try, but from what I see, that
> > > ARM_CPU() is used to get the CPU in target/arm/kvm.c which is used from
> > > accel/kvm-all.c, so it seems this would work for accelerated mode.
> >
> > yeah I am not familiar enough with that code but it is worth to be checked.
> 
> I'm a bit unsure about fishing around in the CPU ID registers for this.
> That's not what you would do in real hardware, you'd just say "the
> system is supposed to configure the CPU and the SMMU correctly".
> 
> Also, there is no guarantee that CPU 0 is related to this SMMU in
> particular.
Sorry, missed this point in last email.

So, we leave it this way, or there is a better way to discover PARANGE?

Thanks,
Mostafa




vma-pthread unstable on aarch64 hardware

2023-03-21 Thread Alex Bennée
Date: Tue, 21 Mar 2023 13:48:20 +
User-agent: mu4e 1.9.22; emacs 29.0.60

Hi,

Chasing down some unstable check-tcg tests and I can get vma-pthread to
fail fairly reliably on the CI configuration ('../../configure'
'--enable-debug' '--static' '--disable-system' '--disable-pie') although
it seems to hold up on the default configuration ok.

  retry.py -n 30 -c -- ./qemu-aarch64 ./tests/tcg/aarch64-linux-user/vma-pthread
  ...
  **
  ERROR:../../accel/tcg/cpu-exec.c:1019:cpu_exec_setjmp: assertion failed: (cpu 
== current_cpu)
  Bail out! ERROR:../../accel/tcg/cpu-exec.c:1019:cpu_exec_setjmp: assertion 
failed: (cpu == current_cpu)
  ...
  Results summary:
  0: 29 times (96.67%), avg time 1.503 (0.00 varience/0.00 deviation)
  -5: 1 times (3.33%), avg time 0.252 (0.00 varience/0.00 deviation)
  Ran command 30 times, 29 passes

That said it might be responsible for some of the other tests that fail
when I do something like:

  cd tests/tcg/aarch64-linux-user/
  retry.py -n 30 --until -- make -f ../Makefile.target run

where I've seen random failures in float_convs, mte-1 and testthread
which make me wonder if this is some sort of toolchain/build config
issue?

Any ideas?

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro



Re: [PULL 0/7] ui/ fixes for 8.0

2023-03-21 Thread Erico Nunes
On 21/03/2023 10:03, marcandre.lur...@redhat.com wrote:
> From: Marc-André Lureau 
> 
> The following changes since commit aa9e7fa4689d1becb2faf67f65aafcbcf664f1ce:
> 
>   Merge tag 'edk2-stable202302-20230320-pull-request' of 
> https://gitlab.com/kraxel/qemu into staging (2023-03-20 13:43:35 +)
> 
> are available in the Git repository at:
> 
>   https://gitlab.com/marcandre.lureau/qemu.git tags/ui-pull-request
> 
> for you to fetch changes up to 49152ac47003ca21fc6f2a5c3e517f79649e1541:
> 
>   ui: fix crash on serial reset, during init (2023-03-21 11:46:22 +0400)
> 
> 
> ui/ fixes for 8.0
> 
> 
> 
> Erico Nunes (1):
>   ui/sdl2: remove workaround forcing x11
> 
> Marc-André Lureau (6):
>   win32: add qemu_close_socket_osfhandle()
>   ui/spice: fix SOCKET handling regression
>   ui/dbus: fix passing SOCKET to GSocket API & leak
>   ui/gtk: fix cursor moved to left corner
>   ui: return the default console cursor when con == NULL
>   ui: fix crash on serial reset, during init


May I also suggest this one as a fix for 8.0:
https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05667.html

It was already reviewed about a month ago.

Thanks

Erico




Re: [RFC PATCH v2 10/11] hw/arm/smmuv3: Populate OAS based on CPU PARANGE

2023-03-21 Thread Peter Maydell
On Tue, 21 Mar 2023 at 13:55, Mostafa Saleh  wrote:
>
> Hi Peter,
>
> On Tue, Mar 21, 2023 at 01:34:55PM +, Peter Maydell wrote:
> > > >>> + */
> > > >>> +ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
> > > >>> +uint8_t oas = FIELD_EX64(armcpu->isar.id_aa64mmfr0, 
> > > >>> ID_AA64MMFR0, PARANGE);
> > > >> is this working in accelerated mode?
> > > > I didn't try with accel, I will give it a try, but from what I see, that
> > > > > ARM_CPU() is used to get the CPU in target/arm/kvm.c which is used from
> > > > accel/kvm-all.c, so it seems this would work for accelerated mode.
> > >
> > > > yeah I am not familiar enough with that code but it is worth to be 
> > > checked.
> >
> > I'm a bit unsure about fishing around in the CPU ID registers for this.
> > That's not what you would do in real hardware, you'd just say "the
> > system is supposed to configure the CPU and the SMMU correctly".
> >
> > Also, there is no guarantee that CPU 0 is related to this SMMU in
> > particular.
> Sorry, missed this point in last email.
>
> So, we leave it this way, or there is a better way to discover PARANGE?

If you really need to know it, put a QOM property on the SMMU device
and have the board code set it. (This is analogous to how it works
in hardware: there are tie-off signals on the SMMU for the OAS value.)

-- PMM



Re: [PULL 0/7] ui/ fixes for 8.0

2023-03-21 Thread Peter Maydell
On Tue, 21 Mar 2023 at 09:04,  wrote:
>
> From: Marc-André Lureau 
>
> The following changes since commit aa9e7fa4689d1becb2faf67f65aafcbcf664f1ce:
>
>   Merge tag 'edk2-stable202302-20230320-pull-request' of 
> https://gitlab.com/kraxel/qemu into staging (2023-03-20 13:43:35 +)
>
> are available in the Git repository at:
>
>   https://gitlab.com/marcandre.lureau/qemu.git tags/ui-pull-request
>
> for you to fetch changes up to 49152ac47003ca21fc6f2a5c3e517f79649e1541:
>
>   ui: fix crash on serial reset, during init (2023-03-21 11:46:22 +0400)
>
> 
> ui/ fixes for 8.0
>
> 
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM



Re: [PATCH v4 0/9] improvement to Python detection, preparation for dropping 3.6

2023-03-21 Thread Philippe Mathieu-Daudé

On 22/2/23 15:37, Paolo Bonzini wrote:

This is my take on John's patches to improve Python detection and to
prepare for dropping Python 3.6 support.

The main change with respect to John's work is that lcitool is updated
and the container images for CI can install Sphinx via pip; this
way documentation is still built on the CentOS 8 jobs.

A smaller change is that patch "configure: Look for auxiliary Python
installations" will only look at the $PYTHON variable if it is set,
without falling back to a PATH search.

This series includes the final patch to drop support for Python 3.6,
but it makes sense even without it.

Paolo

Supersedes: <20230221012456.2607692-1-js...@redhat.com>


FWIW:

Different patches 1 & 2 have been merged 2 days after you posted
this series (merge commit c3aeccc0ab):
- commit aef633e765 ("python: support pylint 2.16")
- commit 6832189fd7 ("python: drop pipenv")

Patch 3 clashes with commit 1b1be8d3cc ("meson: stop
looking for 'sphinx-build-3'")


John Snow (5):
   python: support pylint 2.16
   python: drop pipenv
   meson: prefer 'sphinx-build' to 'sphinx-build-3'
   configure: Look for auxiliary Python installations
   configure: Add courtesy hint to Python version failure message

Paolo Bonzini (5):
   configure: protect against escaping venv when running Meson
   lcitool: update submodule
   docs/devel: update and clarify lcitool instructions
   ci, docker: update CentOS and OpenSUSE Python to non-EOL versions
   Python: Drop support for Python 3.6





[PATCH 1/2] Use hexagon toolchain version 16.0.0

2023-03-21 Thread Marco Liebel
Signed-off-by: Marco Liebel 
---
 tests/docker/dockerfiles/debian-hexagon-cross.docker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.docker 
b/tests/docker/dockerfiles/debian-hexagon-cross.docker
index 5308ccb8fe..b99d99f943 100644
--- a/tests/docker/dockerfiles/debian-hexagon-cross.docker
+++ b/tests/docker/dockerfiles/debian-hexagon-cross.docker
@@ -27,7 +27,7 @@ RUN apt-get update && \
 
 
 ENV TOOLCHAIN_INSTALL /opt
-ENV TOOLCHAIN_RELEASE 15.0.3
+ENV TOOLCHAIN_RELEASE 16.0.0
 ENV TOOLCHAIN_BASENAME 
"clang+llvm-${TOOLCHAIN_RELEASE}-cross-hexagon-unknown-linux-musl"
 ENV TOOLCHAIN_URL 
https://codelinaro.jfrog.io/artifactory/codelinaro-toolchain-for-hexagon/v${TOOLCHAIN_RELEASE}/${TOOLCHAIN_BASENAME}.tar.xz
 
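
Review bot: The tarball fetched from TOOLCHAIN_URL is selected only by TOOLCHAIN_RELEASE, and no checksum is visible in this context. If the Dockerfile verifies a digest further down, it has to change together with this bump; if it does not, pinning a sha256 for the 16.0.0 archive would be worth adding. The commit message body is also empty, so the reason for the upgrade is stated only in the cover letter.
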
-- 
2.25.1




[PATCH 0/2] Update hexagon toolchain

2023-03-21 Thread Marco Liebel
Updates the hexagon toolchain and adds a test for a bug that was fixed
by the new version.

Marco Liebel (2):
  Use hexagon toolchain version 16.0.0
  Add test for storing .new vector

 .../dockerfiles/debian-hexagon-cross.docker   |  2 +-
 tests/tcg/hexagon/hvx_misc.c  | 29 +++
 2 files changed, 30 insertions(+), 1 deletion(-)

-- 
2.25.1




[PATCH 2/2] Add test for storing .new vector

2023-03-21 Thread Marco Liebel
Hexagon toolchain version 16.0.0 fixes a bug where the encoding of
storing a .new vector was incorrect. This resulted in an incorrect
value being stored. The test checks that the correct value is used.

Signed-off-by: Marco Liebel 
---
 tests/tcg/hexagon/hvx_misc.c | 29 +
 1 file changed, 29 insertions(+)

diff --git a/tests/tcg/hexagon/hvx_misc.c b/tests/tcg/hexagon/hvx_misc.c
index 53d5c9b44f..657e556dd4 100644
--- a/tests/tcg/hexagon/hvx_misc.c
+++ b/tests/tcg/hexagon/hvx_misc.c
@@ -211,6 +211,34 @@ static void test_store_unaligned(void)
 check_output_w(__LINE__, 2);
 }
 
+static void test_store_new(void)
+{
+asm volatile(
+"r0 = #0x0003\n\t"
+"v0 = vsplat(r0)\n\t"
+"r0 = #expect\n\t"
+"vmem(r0+#0) = v0\n\t"
+
+"r0 = #output\n\t"
+"r1 = #0x0001\n\t"
+"r2 = #0x0002\n\t"
+"r3 = #0x0004\n\t"
+
+"v1 = vsplat(r1)\n\t"
+"v2 = vsplat(r2)\n\t"
+"v3 = vsplat(r3)\n\t"
+
+"{"
+"   v3.w,q0 = vadd(v1.w, v2.w):carry\n\t"
+"   vmem(r0+#0) = v3.new\n\t"
+"}"
+
+::: "r0", "r1", "r2", "r3", "v0", "v1", "v2", "v3", "q0", "memory"
+);
+
+check_output_w(__LINE__, 1);
+}
+
 static void test_masked_store(bool invert)
 {
 void *p0 = buffer0;
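
Review bot: The asm block in test_store_new() has no comments, and what it checks is not obvious from the constants: expect is filled with 3 (1 + 2 from v1 and v2) while v3 is preloaded with 4, presumably so that a store of the old v3 instead of v3.new would be caught. A comment saying so would help. The `"{"` and `"}"` strings are also the only lines in the block emitted without `\n\t`.
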
@@ -620,6 +648,7 @@ int main()
 test_load_unaligned();
 test_store_aligned();
 test_store_unaligned();
+test_store_new();
 test_masked_store(false);
 test_masked_store(true);
 test_new_value_store();
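
Review bot: test_store_new() is called two lines above the existing test_new_value_store(), and the two names are easy to mix up. A name that mentions the .new vector store, for example test_store_new_vector(), would make the difference clear.
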
-- 
2.25.1




Re: [PATCH 01/10] metadata: add .git-blame-ignore-revs

2023-03-21 Thread Philippe Mathieu-Daudé

On 20/3/23 11:10, Alex Bennée wrote:

Someone mentioned this on IRC so I thought I would try it out with a
few commits that are pure code style fixes.

Signed-off-by: Alex Bennée 
---
  .git-blame-ignore-revs | 18 ++
  1 file changed, 18 insertions(+)
  create mode 100644 .git-blame-ignore-revs

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 00..24208ece8c
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,18 @@
+#
+# List of code-formatting clean ups the git blame can ignore
+#
+#   git blame --ignore-revs-file .git-blame-ignore-revs
+#
+# or
+#
+#   git config blame.ignoreRevsFile .git-blame-ignore-revs
+#
+
+# gdbstub: clean-up indents
+ad9e4585b3c7425759d3eea697afbca71d2c2082
+
+# e1000e: fix code style
+0eadd56bf53ab196a16d492d7dd31c62e1c24c32
+
+# target/riscv: coding style fixes
+8c7fed9218b407792120bcfda0347ed16205
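
Review bot: The last entry, under "target/riscv: coding style fixes", is 36 hex digits as shown here, while the other two entries are 40. The ignore-revs file uses the fsck.skipList format, which expects one unabbreviated object name per line, so please check that this hash was not truncated.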


Please amend:

+# replace TABs with spaces
+48805df9c22a0700fba4b3b548fafaa21726ca68

Reviewed-by: Philippe Mathieu-Daudé 
Tested-by: Philippe Mathieu-Daudé 


