linux-user: Emulate /proc/self/maps under mmap_lock

If one thread modifies the mappings and another thread prints them,
a situation may occur that the printer thread sees a guest mapping
without a corresponding host mapping, leading to a crash in
open_self_maps_2().

Cc: qemu-stable@nongnu.org
Fixes: 7b7a3366e142 ("linux-user: Use walk_memory_regions for open_self_maps")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241014203441.387560-1-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

target/i386: Remove ra parameter from ptw_translate

This argument is no longer used.

Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241013184733.1423747-4-richard.henderson@linaro.org>

target/i386: Use probe_access_full_mmu in ptw_translate

The probe_access_full_mmu function was designed for this purpose,
and does not report the memory operation event to plugins.

Cc: qemu-stable@nongnu.org
Fixes: 6d03226b422 ("plugins: force slow path when plugins instrument memory ops")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241013184733.1423747-3-richard.henderson@linaro.org>

target/i386: Walk NPT in guest real mode

When translating virtual to physical address with a guest CPU that
supports nested paging (NPT), we need to perform every page table walk
access indirectly through the NPT, which we correctly do.

However, we treat real mode (no page table walk) special: In that case,
we currently just skip any walks and translate VA -> PA. With NPT
enabled, we also need to then perform NPT walk to do GVA -> GPA -> HPA
which we fail to do so far.

The net result of that is that TCG VMs with NPT enabled that execute
real mode code (like SeaBIOS) end up with GPA==HPA mappings which means
the guest accesses host code and data. This typically shows as failure
to boot guests.

This patch changes the page walk logic for NPT enabled guests so that we
always perform a GVA -> GPA translation and then skip any logic that
requires an actual PTE.

That way, all remaining logic to walk the NPT stays and we successfully
walk the NPT in real mode.

Cc: qemu-stable@nongnu.org
Fixes: fe441054bb3f0 ("target-i386: Add NPT support")
Signed-off-by: Alexander Graf <graf@amazon.com>
Reported-by: Eduard Vlad <evlad@amazon.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20240921085712.28902-1-graf@amazon.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

include/exec: Improve probe_access_full{, _mmu} documentation

Suggested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241013184733.1423747-2-richard.henderson@linaro.org>

tcg/ppc: Fix tcg_out_rlw_rc

The TCG IR sequence:

  mov_i32 tmp97,$0xc4240000             dead: 1  pref=0xffffffff
  mov_i32 tmp98,$0x0                    pref=0xffffffff
  rotr_i32 tmp97,tmp97,tmp98            dead: 1 2  pref=0xffffffff

was translated to `slwi r15, r14, 0` instead of `slwi r14, r14, 0`
due to SH field overflow.  SH field is 5 bits, and tcg_out_rlw is called
in some situations with `32-n`, when `n` is 0 it results in an overflow
to RA field.

This commit prevents overflow of that field and adds debug assertions
for the other fields

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Dani Szebenyi <szedani@linux.ibm.com>
Message-ID: <20241022133535.69351-2-szedani@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Enable native vector support for TCG host

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-13-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector roti/v/x ops

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Message-ID: <20241007025700.47259-12-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector shi/s/v ops

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-11-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector min/max ops

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-10-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector sat/mul ops

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-9-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Accept constant first argument to sub_vec

Use vrsub.vi to subtract from a constant.

Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector neg ops

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-8-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector cmp/cmpsel ops

Extend comparison results from mask registers to SEW-width elements,
following recommendations in The RISC-V SPEC Volume I (Version 20240411).
This aligns with TCG's cmp_vec behavior by expanding compare results to
full element width: all 1s for true, all 0s for false.

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-7-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Add support for basic vector opcodes

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-6-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Implement vector mov/dup{m/i}

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-5-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg/riscv: Add basic support for vector

The RISC-V vector instruction set utilizes the LMUL field to group
multiple registers, enabling variable-length vector registers. This
implementation uses only the first register number of each group while
reserving the other register numbers within the group.

In TCG, each VEC_IR can have 3 types (TCG_TYPE_V64/128/256), and the
host runtime needs to adjust LMUL based on the type to use different
register groups.

This presents challenges for TCG's register allocation. Currently, we
avoid modifying the register allocation part of TCG and only expose the
minimum number of vector registers.

For example, when the host vlen is 64 bits and type is TCG_TYPE_V256, with
LMUL equal to 4, we use 4 vector registers as one register group. We can
use a maximum of 8 register groups, but the V0 register number is reserved
as a mask register, so we can effectively use at most 7 register groups.
Moreover, when type is smaller than TCG_TYPE_V256, only 7 registers are
forced to be used. This is because TCG cannot yet dynamically constrain
registers with type; likewise, when the host vlen is 128 bits and
TCG_TYPE_V256, we can use at most 15 registers.

There is not much pressure on vector register allocation in TCG now, so
using 7 registers is feasible and will not have a major impact on code
generation.

This patch:
1. Reserves vector register 0 for use as a mask register.
2. When using register groups, reserves the additional registers within
   each group.

Signed-off-by: Huang Shiyuan <swung0x48@outlook.com>
Co-authored-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20241007025700.47259-3-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

util: Add RISC-V vector extension probe in cpuinfo

Add support for probing RISC-V vector extension availability in
the backend. This information will be used when deciding whether
to use vector instructions in code generation.

Cache lg2(vlenb) for the backend. The storing of lg2(vlenb) means
we can convert all of the division into subtraction.

While the compiler doesn't support RISCV_HWPROBE_EXT_ZVE64X,
we use RISCV_HWPROBE_IMA_V instead. RISCV_HWPROBE_IMA_V is more
strictly constrainted than RISCV_HWPROBE_EXT_ZVE64X. At least in
current QEMU implemenation, the V vector extension depends on the
zve64d extension.

Signed-off-by: TANG Tiancheng <tangtiancheng.ttc@alibaba-inc.com>
Reviewed-by: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
Tested-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20241007025700.47259-2-zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

disas/riscv: Fix vsetivli disassembly

The first immediate field is unsigned, whereas operand_vimm
extracts a signed value.  There is no need to mask the result
with 'u'; just print the immediate with 'i'.

Fixes: 07f4964d178 ("disas/riscv.c: rvv: Add disas support for vector instructions")
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

tcg: Reset data_gen_ptr correctly

This pointer needs to be reset after overflow just like
code_buf and code_ptr.

Cc: qemu-stable@nongnu.org
Fixes: 57a269469db ("tcg: Infrastructure for managing constant pools")
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Merge tag 'pull-request-2024-10-21' of https://gitlab.com/thuth/qemu into staging

* Convert most Tuxrun Avocado tests to the new functional framework
* Update the OpenBSD CI image to OpenBSD v7.6
* Bump timeout of the ide-test
* New maintainer for the QTests
* Disable the pci-bridge on s390x by default

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmcWfCgRHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbV6kQ//YwRebyA192IBM+XQK5YYmguieHmWxV8J
# fZf0a1dWN8oiT3jzI48YWttiU9P6AMa/dwiuepVl4G9+d+w1c3RhS6kQqJljNbDb
# NGw+LVZZcwY1FJpEsEwbDfePkugYHmNXUU672kxz3I8bv/8NmLDc7R3cI5U/7+SP
# N4lxVM6Hd3XZZdc+O2S8En20E1oAJ6IvJwwhCqjLlT36Ez8P69KQhE0V8MtLnrBg
# FsXZuzmaxt/ZDMhTsiHNl6f7N1oD7Y2TPJrdq7V2aihpDA+zx0RlvBPpzD98ZgeS
# PtdkqjL63B5S3RL4fjJUSb/gbL4oChQ5TZDb2Dfw7Q5qPMZ1cgeJLBwdzHZEZrzF
# RTtn4fObYUqtRF3M0Ha4xXc8odSzJTV2fvpSVXcljG1E4AMcD6CMK0E472XbhkMS
# txZHW+C/IDVJ4OoSncrH8ybi1JasEqJZ0YaPfb+aTsPV058b65l+0jQJtlxLoTIf
# p5LluL3exwr0sS3Aq5tcV3pNITtCv1FkcUk7So8sohO2OLQtC9QA300CSXna8XhQ
# OxgRA1c3HXw23MTJKSWjseDIt1bajvBu+cr/pmDxlYnWWsSCcEFaAoQohwhOMA6Z
# JfJF0tSv+koUsw6hSl7146aylSvDYUKPilAGgAUAy1yscgglMvtmQqWkEta/XGP2
# U8qvX8nUwOM=
# =DJf9
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 21 Oct 2024 17:07:04 BST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2024-10-21' of https://gitlab.com/thuth/qemu:
  tests/functional: Convert the Avocado sh4 tuxrun test
  Revert "hw/sh4/r2d: Realize IDE controller before accessing it"
  tests/functional: Convert the Avocado ppc32 tuxrun test
  tests/functional: Convert the Avocado mips64el tuxrun test
  tests/functional: Convert the Avocado mips64 tuxrun test
  tests/functional: Convert the Avocado mipsel tuxrun test
  tests/functional: Convert the Avocado mips tuxrun test
  tests/functional: Convert the Avocado x86_64 tuxrun test
  tests/functional: Convert the Avocado i386 tuxrun test
  tests/functional: Convert the Avocado riscv64 tuxrun tests
  tests/functional: Convert the Avocado riscv32 tuxrun tests
  tests/functional: Convert the Avocado arm tuxrun tests
  tests/functional: Convert the Avocado s390x tuxrun test
  tests/functional: Convert the Avocado sparc64 tuxrun test
  tests/functional: Convert the Avocado ppc64 tuxrun tests
  tests/functional: Add a base class for the TuxRun tests
  hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge
  MAINTAINERS: A new maintainer for the qtests
  tests/qtest: Raise the ide-test timeout
  tests/vm: update openbsd image to 7.6

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'edgar/xen-queue-2024-10-21.for-upstream' of https://gitlab.com/edgar.iglesias/qemu into staging

Edgars Xen queue.

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEErET+3BT38evtv0FRKcWWeA9ryoMFAmcV7NYACgkQKcWWeA9r
# yoM0pAgA2RNMysVe9IhoAlZ6ThGRvAE9epuHtoPERSTfqtFPOOY3UOU7zxrsX9Ov
# YPh41I5YtbV3fB3X8kp51pqcTOWZBBdyCLtj0EFB0XTArPvpOFPueL1q2LgEnlLV
# 77mBHnMarb3SI4INRm/tWWpk7ljgXMA6TSd2JlmO5l1OcZGlURdhLFWBBIRnTg1n
# K+ZqQyq2KMANhIYvN0JAvM45FkwXntUzbxVMIjo0ICk2/EDgcFnGn9V0TgMkcIs3
# ctBEk6reZrdvNghX02r1wsH0HKGn78358G5uZAo9YEQOoTeGDswujHOVsn73ia2a
# 6DChqCfyvlrJt4ljip2WoaoCMlZGdA==
# =QB2W
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 21 Oct 2024 06:55:34 BST
# gpg:                using RSA key AC44FEDC14F7F1EBEDBF415129C596780F6BCA83
# gpg: Good signature from "Edgar E. Iglesias (Xilinx key) <edgar.iglesias@xilinx.com>" [unknown]
# gpg:                 aka "Edgar E. Iglesias <edgar.iglesias@gmail.com>" [full]
# Primary key fingerprint: AC44 FEDC 14F7 F1EB EDBF  4151 29C5 9678 0F6B CA83

* tag 'edgar/xen-queue-2024-10-21.for-upstream' of https://gitlab.com/edgar.iglesias/qemu:
  hw/xen: Avoid use of uninitialized bufioreq_evtchn

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

tests/functional: Convert the Avocado sh4 tuxrun test

Move the test into a new file so that it can be run via
qemu-system-sh4 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-18-thuth@redhat.com>

Revert "hw/sh4/r2d: Realize IDE controller before accessing it"

This reverts commit 3c5f86a22686ef475a8259c0d8ee714f61c770c9.

Changing the order here caused a regression with the "tuxrun"
kernels (from https://storage.tuxboot.com/20230331/) - ATA commands
fail with a "ata1: lost interrupt (Status 0x58)" message.
Apparently we need to wire the interrupt here first before
realizing the device, so revert the change to the original
behavior.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-17-thuth@redhat.com>

tests/functional: Convert the Avocado ppc32 tuxrun test

Move the test into a new file so that it can be run via
qemu-system-ppc in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-16-thuth@redhat.com>

tests/functional: Convert the Avocado mips64el tuxrun test

Move the test into a new file so that it can be run via
qemu-system-mips64el in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-15-thuth@redhat.com>

tests/functional: Convert the Avocado mips64 tuxrun test

Move the test into a new file so that it can be run via
qemu-system-mips64 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-14-thuth@redhat.com>

tests/functional: Convert the Avocado mipsel tuxrun test

Move the test into a new file so that it can be run via
qemu-system-mipsel in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-13-thuth@redhat.com>

tests/functional: Convert the Avocado mips tuxrun test

Move the test into a new file so that it can be run via
qemu-system-mips in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-12-thuth@redhat.com>

tests/functional: Convert the Avocado x86_64 tuxrun test

Move the tests to a new file so that they can be run via
qemu-system-x86_64 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-11-thuth@redhat.com>

tests/functional: Convert the Avocado i386 tuxrun test

Move the tests to a new file so that they can be run via
qemu-system-i386 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-10-thuth@redhat.com>

tests/functional: Convert the Avocado riscv64 tuxrun tests

Move the tests to a new file so that they can be run via
qemu-system-riscv64 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-9-thuth@redhat.com>

tests/functional: Convert the Avocado riscv32 tuxrun tests

Move the tests to a new file so that they can be run via
qemu-system-riscv32 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-8-thuth@redhat.com>

tests/functional: Convert the Avocado arm tuxrun tests

Move the tests to a new file so that they can be run via
qemu-system-arm in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-7-thuth@redhat.com>

tests/functional: Convert the Avocado s390x tuxrun test

Move the test to a new file so that it can be run via
qemu-system-s390x in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-6-thuth@redhat.com>

tests/functional: Convert the Avocado sparc64 tuxrun test

Move the test to a new file so that it can be run via
qemu-system-sparc64 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-5-thuth@redhat.com>

tests/functional: Convert the Avocado ppc64 tuxrun tests

Move the tests to a new file so that they can be run via
qemu-system-ppc64 in the functional framework.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-3-thuth@redhat.com>

tests/functional: Add a base class for the TuxRun tests

Add a base class for the TuxRun tests, based on the code from
tests/avocado/tuxrun_baselines.py (the test have to be put into
separate file in the following commits, depending on the target
architecture that gets tested).

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241011131937.377223-2-thuth@redhat.com>

hw/pci-bridge: Add a Kconfig switch for the normal PCI bridge

The pci-bridge device is not usable on s390x, so introduce a Kconfig
switch that allows to disable it.

Message-ID: <20240913144844.427899-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

MAINTAINERS: A new maintainer for the qtests

Since I blundered into becoming the maintainer of the new functional
test  framework in QEMU (tests/functional/) recently, I need to drop
some other duties - it's getting too much for me otherwise. Laurent
is also quite busy with other projects nowadays, so I looked around
for help.
Fabiano did quite a lot of work in the qtests in the past already,
and is also already a maintainer for migration, so I thought he
would be a very good fit, thus I asked him whether he would be
interested to help out with the qtests and he agreed.
Thank you very much, Fabiano!

Message-ID: <20241011141344.379781-1-thuth@redhat.com>
Acked-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/qtest: Raise the ide-test timeout

The ide-test occasionally times out: on the system I run
vm-build-openbsd on, it usually takes about 18 seconds, but
occasionally hits the 60s timeout, likely when the host machine is
under heavy load.  I have also seen this test hit its time limit on
the s390x CI runner.

Double the timeout for this test so that it won't hit its timeout
even when the host is running more slowly than usual.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20241015113705.239067-1-peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>

tests/vm: update openbsd image to 7.6

Remove tomli as Python has been updated to 3.11.

[thuth: The "Time appears wrong" line is now necessary since the server
 seems to provide a wrong timestamp. We likely have to remove that again
 later once the server is running with the correct time again]

Signed-off-by: Brad Smith <brad@comstyle.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-ID: <ZwtmfVlWgFRF9G8W@humpty.home.comstyle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>

hw/xen: Avoid use of uninitialized bufioreq_evtchn

Avoid use of uninitialized bufioreq_evtchn. It should only
be used if buffered IOREQs are enabled.

Resolves: Coverity CID 1563383
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@amd.com>

Merge tag 'pull-tpm-2024-10-18-1' of https://github.com/stefanberger/qemu-tpm into staging

Merge tpm 2024/10/18 v1

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEuBi5yt+QicLVzsZrda1lgCoLQhEFAmcSXq4ACgkQda1lgCoL
# QhHTRQgAhlSeKfhK1iJsExOmkT/mgAsfoawRUl4DZW4nVmm1xjXmRYcGK8cgEFPn
# gw8UJp294cQqxzP9iehEvXP5zkrjmkIQm8fE3hh9nim6bREeo66uDfcfHJEnUK7i
# eLXLChsTvpCRO6TtILW65jXwvajPzC5ZBu2Wsbao4HUdEPWAm/g6+gMnaHMe4Dq/
# ml19bOhPJy7J7+0g8dBVannD2X/PKbXhBEjbBu15QdvzW8jQNp4s6z3YN84Fec6X
# IoDm+rr0ZZ7hZL/zrbLFT5yGPc23lyVWGyvXBUUNBZCy0jYUFwP7XJFuKwfHp1F1
# 323i4AWBF4fqCtodJje15L+xIJKi1A==
# =c7lX
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 18 Oct 2024 14:12:14 BST
# gpg:                using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE  C66B 75AD 6580 2A0B 4211

* tag 'pull-tpm-2024-10-18-1' of https://github.com/stefanberger/qemu-tpm:
  tests: Wait for migration completion on destination QEMU to avoid failures
  tpm_emulator: Read control channel response in 2 passes
  tpm: Use new ptm_cap_n structure for PTM_GET_CAPABILITY

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge tag 'pull-error-2024-10-18' of https://repo.or.cz/qemu/armbru into staging

Error reporting patches for 2024-10-18

# -----BEGIN PGP SIGNATURE-----
#
# iQJGBAABCAAwFiEENUvIs9frKmtoZ05fOHC0AOuRhlMFAmcSXQQSHGFybWJydUBy
# ZWRoYXQuY29tAAoJEDhwtADrkYZTRKcP/R/nmE22MJBDT8LLZEaQpvkqEURpHFVY
# uHcLPBfezWy2A9qgWiPMKEs9Q7L3qpJq2FKCPFx7VyzctMcYt2W70AzVpaBOBkTN
# g5JAyFaJ3cGj6VT/HDZrBeIpySHZI1ynZyRqLvay5aV6l2dIzMWAcpFI4w6He0yJ
# 9CVV5z8K3zh7a7HjkBeWeKn75W2v6cE1PnRlPIsA4Q05LGVU6iHOhZ9LCJYpgIlL
# StJh1zlscSItMbHnfdx0iEiEuoP/nqwoFbA+XpDRzZOLX6+dm2oVwFoApv95bE+/
# CZ8QIy3zda6+V1AGhTfBqDV/NfZZCqzi58YPOo+ny4+sNKXsU7/z2OQzGNVd7NqF
# fpflJAPOe+1tuAd/c40VrJn/DN+TgYVV199kMNfbBojMNaoJh262uvQ9L0NuLcW+
# v0cKYRJsTIIHOFj7NwHR8ALY6ZlE3pdLvz9AivFuLLtK+RtfKw2YQvTDTmqXgRsG
# J6glqTeN+2M9cYb7/r6Kc/P9TGEaSEoCwmAadfmfwLSW/m1UkrqNzn+iC4m1iLe1
# bq+N1iW5T4nhibw8dFCvD4AwFSP9VQNAy5AlKW78Y+K/xAC2781A8PHV9QAIM1/t
# Kz6FRts0Jg6uyB0I7AAZ9k18i1oiEqoz3SjGWpQlTiI7VCMCpgHX6nvwWFPf3Zxa
# Rn0SUg10eUW9
# =sR8Q
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 18 Oct 2024 14:05:08 BST
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* tag 'pull-error-2024-10-18' of https://repo.or.cz/qemu/armbru:
  qerror: QERR_PROPERTY_VALUE_OUT_OF_RANGE is no longer used, drop
  hw/intc/openpic: Improve errors for out of bounds property values
  target/i386/cpu: Improve errors for out of bounds property values
  target/i386/cpu: Avoid mixing signed and unsigned in property setters
  block: Adjust check_block_size() signature
  block: Improve errors about block sizes
  error: Drop superfluous #include "qapi/qmp/qerror.h"
  qga: Improve error for guest-set-user-password parameter @crypted
  qga/qapi-schema: Drop obsolete note on "unsupported" errors

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

qerror: QERR_PROPERTY_VALUE_OUT_OF_RANGE is no longer used, drop

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-8-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

hw/intc/openpic: Improve errors for out of bounds property values

The error message doesn't matter much, as the "openpic" device isn't
user-creatable.  But it's the last use of
QERR_PROPERTY_VALUE_OUT_OF_RANGE, which has to go.  Change the message
just like the previous commit did for x86 CPUs.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-7-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

target/i386/cpu: Improve errors for out of bounds property values

The error message for a "stepping" value that is out of bounds is a
bit odd:

    $ qemu-system-x86_64 -cpu qemu64,stepping=16
    qemu-system-x86_64: can't apply global qemu64-x86_64-cpu.stepping=16: Property .stepping doesn't take value 16 (minimum: 0, maximum: 15)

The "can't apply global" part is an unfortunate artifact of -cpu's
implementation.  Left for another day.

The remainder feels overly verbose.  Change it to

    qemu64-x86_64-cpu: can't apply global qemu64-x86_64-cpu.stepping=16: parameter 'stepping' can be at most 15

Likewise for "family", "model", and "tsc-frequency".

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-6-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>

target/i386/cpu: Avoid mixing signed and unsigned in property setters

Properties "family", "model", and "stepping" are visited as signed
integers.  They are backed by bits in CPUX86State member
@cpuid_version.  The code to extract and insert these bits mixes
signed and unsigned.  Not actually wrong, but avoiding such mixing is
good practice.

Visit them as unsigned integers instead.

This adds a few mildly ugly cast in arguments of error_setg().  The
next commit will get rid of them again.

Property "tsc-frequency" is also visited as signed integer.  The value
ultimately flows into the kernel, where it is 31 bits unsigned.  The
QEMU code freely mixes int, uint32_t, int64_t.  I elect not to attempt
draining this swamp today.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-5-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>

block: Adjust check_block_size() signature

Parameter @id is no longer used, drop.  Return a bool to indicate
success / failure, as recommended by qapi/error.h.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-4-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

block: Improve errors about block sizes

Block sizes need to be a power of two between 512 and an arbitrary
limit, currently 2MiB.

Commit 5937835ac4c factored block size checking out of set_blocksize()
into new check_block_size(), for reuse in block/export/.

Its two error messages are okay for the original purpose:

    $ qemu-system-x86_64 -device ide-hd,physical_block_size=1
    qemu-system-x86_64: -device ide-hd,physical_block_size=1: Property .physical_block_size doesn't take value 1 (minimum: 512, maximum: 2097152)
    $ qemu-system-x86_64 -device ide-hd,physical_block_size=513
    qemu-system-x86_64: -device ide-hd,physical_block_size=513: Property .physical_block_size doesn't take value '513', it's not a power of 2

They're mildly off for block exports:

    $ qemu-storage-daemon --blockdev node-name=nod0,driver=file,filename=foo.img --export type=vduse-blk,id=exp0,node-name=nod0,name=foo,logical-block-size=1
    qemu-storage-daemon: --export type=vduse-blk,id=exp0,node-name=nod0,name=foo,logical-block-size=1: Property exp0.logical-block-size doesn't take value 1 (minimum: 512, maximum: 2097152)

The error message talks about a property.  CLI options like --export
don't have properties, they have parameters.

Replace the two error messages by a single one that's okay for both
purposes.  Looks like this:

    qemu-storage-daemon: --export type=vduse-blk,id=exp0,node-name=nod0,name=foo,logical-block-size=1: parameter logical-block-size must be a power of 2 between 512 and 2097152

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-3-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

error: Drop superfluous #include "qapi/qmp/qerror.h"

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20241010150144.986655-2-armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

qga: Improve error for guest-set-user-password parameter @crypted

The Windows version of guest-set-user-password rejects argument
"crypted": true with the rather useless "this feature or command is
not currently supported".  Improve to "'crypted' must be off on this
host".

QERR_UNSUPPORTED is now unused.  Drop.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240911131206.2503035-3-armbru@redhat.com>

qga/qapi-schema: Drop obsolete note on "unsupported" errors

The note talks about "unsupported" errors and QERR_UNSUPPORTED.  The
former is vague, and the latter makes sense only in C, not in external
interface documentation.  Fortunately, we don't have to address this
anymore: recent merge commit 3b5efc553eb got rid of these errors.
Delete the note.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20240911131206.2503035-2-armbru@redhat.com>

tests: Wait for migration completion on destination QEMU to avoid failures

Rather than waiting for the completion of migration on the source side,
wait for it on the destination QEMU side to avoid accessing the TPM TIS
memory mapped registers before QEMU could restore their state. This
error condition could be triggered on busy systems where the destination
QEMU did not have enough time to restore the TIS state while the test case
was already reading its registers. The test case was for example reading
the STS register and received an unexpected value (0xffffffff), which
lead to a segmentation fault later on due to trying to read 0xffff bytes
from the TIS into a buffer.

Cc: <qemu-stable@nongnu.org>
Reported-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

tpm_emulator: Read control channel response in 2 passes

Error responses from swtpm are typically only 4 bytes long with the
exception of a few commands that return more bytes. Therefore, read the
entire response in 2 steps and stop if the first few bytes indicate an
error response with no subsequent bytes readable. Read the rest in a 2nd
step, if needed. This avoids getting stuck while waiting for too many
bytes in case of an error. The 'getting stuck' condition has not been
observed in practice so far, though.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2615
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

tpm: Use new ptm_cap_n structure for PTM_GET_CAPABILITY

Use the new ptm_cap_n structure for getting the PTM_GET_CAPABILITY response
from swtpm. Previously only 17 bits could possibly have been set in ptm_cap
(uint64_t) in big endian order and those bits are now found in the 2nd
32bit word in the response in the caps field.

This data structure makes it now clear that the 1st 32bit word carries the
tpm_result like all the other response structures of all other commands
do.

The changes are taken from the swtpm project's tpm_ioctl.h.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* tcg/s390x: Fix for TSTEQ/TSTNE
* target/i386: Fixes for IN and OUT with REX prefix
* target/i386: New CPUID features and logic fixes
* target/i386: Add support save/load HWCR MSR
* target/i386: Move more instructions to new decoder; separate decoding
  and IR generation
* target/i386/tcg: Use DPL-level accesses for interrupts and call gates
* accel/kvm: perform capability checks on VM file descriptor when necessary
* accel/kvm: dynamically sized kvm memslots array
* target/i386: fixes for Hyper-V
* docs/system: Add recommendations to Hyper-V enlightenments doc

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmcRTIoUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroMCewf8DnZbz7/0beql2YycrdPJZ3xnmfWW
# JenWKIThKHGWRTW2ODsac21n0TNXE0vsOYjw/Z/dNLO+72sLcqvmEB18+dpHAD2J
# ltb8OvuROc3nn64OEi08qIj7JYLmJ/osroI+6NnZrCOHo8nCirXoCHB7ZPqAE7/n
# yDnownWaduXmXt3+Vs1mpqlBklcClxaURDDEQ8CGsxjC3jW03cno6opJPZpJqk0t
# 6aX92vX+3lNhIlije3QESsDX0cP1CFnQmQlNNg/xzk+ZQO+vSRrPV+A/N9xf8m1b
# HiaCrlBWYef/sLgOHziOSrJV5/N8W0GDEVYDmpEswHE81BZxrOTZLxqzWw==
# =qwfc
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 17 Oct 2024 18:42:34 BST
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (26 commits)
  target/i386: Use only 16 and 32-bit operands for IN/OUT
  accel/kvm: check for KVM_CAP_MEMORY_ATTRIBUTES on vm
  accel/kvm: check for KVM_CAP_MULTI_ADDRESS_SPACE on vm
  accel/kvm: check for KVM_CAP_READONLY_MEM on VM
  target/i386/tcg: Use DPL-level accesses for interrupts and call gates
  KVM: Rename KVMState->nr_slots to nr_slots_max
  KVM: Rename KVMMemoryListener.nr_used_slots to nr_slots_used
  KVM: Define KVM_MEMSLOTS_NUM_MAX_DEFAULT
  KVM: Dynamic sized kvm memslots array
  target/i386: assert that cc_op* and pc_save are preserved
  target/i386: list instructions still in translate.c
  target/i386: do not check PREFIX_LOCK in old-style decoder
  target/i386: convert CMPXCHG8B/CMPXCHG16B to new decoder
  target/i386: decode address before going back to translate.c
  target/i386: convert bit test instructions to new decoder
  tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE
  docs/system: Add recommendations to Hyper-V enlightenments doc
  target/i386: Make sure SynIC state is really updated before KVM_RUN
  target/i386: Exclude 'hv-syndbg' from 'hv-passthrough'
  target/i386: Fix conditional CONFIG_SYNDBG enablement
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/i386: Use only 16 and 32-bit operands for IN/OUT

The REX.W prefix is ignored for these instructions.
Mirror the solution already used for INS/OUTS: X86_SIZE_z.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2581
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Cc: qemu-stable@nongnu.org
Link: https://lore.kernel.org/r/20241015004144.2111817-1-richard.henderson@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

accel/kvm: check for KVM_CAP_MEMORY_ATTRIBUTES on vm

The exact set of available memory attributes can vary by VM.  In the
future it might vary depending on enabled capabilities, too.  Query the
extension on the VM level instead of on the KVM level, and only after
architecture-specific initialization.

Inspired by an analogous patch by Tom Dohrmann.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

accel/kvm: check for KVM_CAP_MULTI_ADDRESS_SPACE on vm

KVM_CAP_MULTI_ADDRESS_SPACE used to be a global capability, but with the
introduction of AMD SEV-SNP confidential VMs, the number of address spaces
can vary by VM type.

Query the extension on the VM level instead of on the KVM level.

Inspired by an analogous patch by Tom Dohrmann.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

accel/kvm: check for KVM_CAP_READONLY_MEM on VM

KVM_CAP_READONLY_MEM used to be a global capability, but with the
introduction of AMD SEV-SNP confidential VMs, this extension is not
always available on all VM types [1,2].

Query the extension on the VM level instead of on the KVM level.

[1] https://patchwork.kernel.org/project/kvm/patch/20240809190319.1710470-2-seanjc@google.com/
[2] https://patchwork.kernel.org/project/kvm/patch/20240902144219.3716974-1-erbse.13@gmx.de/

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Tom Dohrmann <erbse.13@gmx.de>
Link: https://lore.kernel.org/r/20240903062953.3926498-1-erbse.13@gmx.de
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386/tcg: Use DPL-level accesses for interrupts and call gates

Stack accesses should be explicit and use the privilege level of the
target stack.  This ensures that SMAP is not applied when the target
stack is in ring 3.

This fixes a bug wherein i386/tcg assumed that an interrupt return, or a
far call using the CALL or JMP instruction, was always going from kernel
or user mode to kernel mode when using a call gate. This assumption is
violated if the call gate has a DPL that is greater than 0.

Analyzed-by: Robert R. Henry <rrh.henry@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/249
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM: Rename KVMState->nr_slots to nr_slots_max

This value used to reflect the maximum supported memslots from KVM kernel.
Rename it to be clearer.

Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20240917163835.194664-5-peterx@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM: Rename KVMMemoryListener.nr_used_slots to nr_slots_used

This will make all nr_slots counters to be named in the same manner.

Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20240917163835.194664-4-peterx@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM: Define KVM_MEMSLOTS_NUM_MAX_DEFAULT

Make the default max nr_slots a macro, it's only used when KVM reports
nothing.

Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20240917163835.194664-3-peterx@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM: Dynamic sized kvm memslots array

Zhiyi reported an infinite loop issue in VFIO use case.  The cause of that
was a separate discussion, however during that I found a regression of
dirty sync slowness when profiling.

Each KVMMemoryListerner maintains an array of kvm memslots.  Currently it's
statically allocated to be the max supported by the kernel.  However after
Linux commit 4fc096a99e ("KVM: Raise the maximum number of user memslots"),
the max supported memslots reported now grows to some number large enough
so that it may not be wise to always statically allocate with the max
reported.

What's worse, QEMU kvm code still walks all the allocated memslots entries
to do any form of lookups.  It can drastically slow down all memslot
operations because each of such loop can run over 32K times on the new
kernels.

Fix this issue by making the memslots to be allocated dynamically.

Here the initial size was set to 16 because it should cover the basic VM
usages, so that the hope is the majority VM use case may not even need to
grow at all (e.g. if one starts a VM with ./qemu-system-x86_64 by default
it'll consume 9 memslots), however not too large to waste memory.

There can also be even better way to address this, but so far this is the
simplest and should be already better even than before we grow the max
supported memslots.  For example, in the case of above issue when VFIO was
attached on a 32GB system, there are only ~10 memslots used.  So it could
be good enough as of now.

In the above VFIO context, measurement shows that the precopy dirty sync
shrinked from ~86ms to ~3ms after this patch applied.  It should also apply
to any KVM enabled VM even without VFIO.

NOTE: we don't have a FIXES tag for this patch because there's no real
commit that regressed this in QEMU. Such behavior existed for a long time,
but only start to be a problem when the kernel reports very large
nr_slots_max value.  However that's pretty common now (the kernel change
was merged in 2021) so we attached cc:stable because we'll want this change
to be backported to stable branches.

Cc: qemu-stable <qemu-stable@nongnu.org>
Reported-by: Zhiyi Guo <zhguo@redhat.com>
Tested-by: Zhiyi Guo <zhguo@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20240917163835.194664-2-peterx@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: assert that cc_op* and pc_save are preserved

Now all decoding has been done before any code generation.
There is no need anymore to save and restore cc_op* and
pc_save but, for the time being, assert that this is indeed
the case.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: list instructions still in translate.c

Group them so that it is easier to figure out which two-byte opcodes to
tackle together.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: do not check PREFIX_LOCK in old-style decoder

It is already checked before getting there.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: convert CMPXCHG8B/CMPXCHG16B to new decoder

The gen_cmpxchg8b and gen_cmpxchg16b functions even have the correct
prototype already; the only thing that needs to be done is removing the
gen_lea_modrm() call.

This moves the last LOCK-enabled instructions to the new decoder.  It is
now possible to assume that gen_multi0F is called only after checking
that PREFIX_LOCK was not specified.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: decode address before going back to translate.c

There are now relatively few unconverted opcodes in translate.c (there
are 13 of them including 8 for x87), and all of them have the same
format with a mod/rm byte and no immediate.  A good next step is
to remove the early bail out to disas_insn_x87/disas_insn_old,
instead giving these legacy translator functions the same prototype
as the other gen_* functions.

To do this, the X86DecodeInsn can be passed down to the places that
used to fetch address bytes from the instruction stream.  To make
sure that everything is done cleanly, the CPUX86State* argument is
removed.

As part of the unification, the gen_lea_modrm() name is now free,
so rename gen_load_ea() to gen_lea_modrm().  This is as good a name
and it makes the changes to translate.c easier to review.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: convert bit test instructions to new decoder

Code generation was rewritten; it reuses the same trick to use the
CC_OP_SAR values for cc_op, but it tries to use CC_OP_ADCX or CC_OP_ADCOX
instead of CC_OP_EFLAGS.  This is a tiny bit more efficient in the
common case where only CF is checked in the resulting flags.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE

32-bit TSTEQ and TSTNE is subject to the same constraints as
for 64-bit, but setcond_i32 and negsetcond_i32 were incorrectly
using TCG_CT_CONST ("i") instead of TCG_CT_CONST_CMP ("C").

Adjust the constraint and make tcg_target_const_match use the
same sequence as tgen_cmp2: first check if the constant is a
valid operand for TSTEQ/TSTNE, then accept everything for 32-bit
non-test comparisons, finally check if the constant is a valid
operand for 64-bit non-test comparisons.

Reported-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Merge tag 'pull-loongarch-20241016' of https://gitlab.com/gaosong/qemu into staging

pull-loongarch-20241016

# -----BEGIN PGP SIGNATURE-----
#
# iLMEAAEKAB0WIQS4/x2g0v3LLaCcbCxAov/yOSY+3wUCZw91kQAKCRBAov/yOSY+
# 3+RyA/9vpqCesEBch5mzrazO4MT2IxeN2bstF8mY+EyfEwK7Ocg+esRBsigWw56k
# y6RDyCzHg200GL9TC8bJ/nMiMJjXrahhHRPVs8AADazMzX/Ys7E7ntvUUnqqANh6
# ZX8fzNJMKW6qeUVrCIwCC7E+KjfNu32dcxbXCF4mZsehIumpUQ==
# =uk+a
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 16 Oct 2024 09:13:05 BST
# gpg:                using RSA key B8FF1DA0D2FDCB2DA09C6C2C40A2FFF239263EDF
# gpg: Good signature from "Song Gao <m17746591750@163.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B8FF 1DA0 D2FD CB2D A09C  6C2C 40A2 FFF2 3926 3EDF

* tag 'pull-loongarch-20241016' of https://gitlab.com/gaosong/qemu:
  hw/loongarch/fw_cfg: Build in common_ss[]
  hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion
  target/loongarch: Avoid bits shift exceeding width of bool type
  hw/loongarch/virt: Add FDT table support with acpi ged pm register
  acpi: ged: Add macro for acpi sleep control register

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

docs/system: Add recommendations to Hyper-V enlightenments doc

While hyperv.rst already has all currently implemented Hyper-V
enlightenments documented, it may be unclear what is the recommended set to
achieve the best result. Add the corresponding section to the doc.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20240917160051.2637594-5-vkuznets@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Make sure SynIC state is really updated before KVM_RUN

'hyperv_synic' test from KVM unittests was observed to be flaky on certain
hardware (hangs sometimes). Debugging shows that the problem happens in
hyperv_sint_route_new() when the test tries to set up a new SynIC
route. The function bails out on:

 if (!synic->sctl_enabled) {
         goto cleanup;
 }

but the test writes to HV_X64_MSR_SCONTROL just before it starts
establishing SINT routes. Further investigation shows that
synic_update() (called from async_synic_update()) happens after the SINT
setup attempt and not before. Apparently, the comment before
async_safe_run_on_cpu() in kvm_hv_handle_exit() does not correctly describe
the guarantees async_safe_run_on_cpu() gives. In particular, async worked
added to a CPU is actually processed from qemu_wait_io_event() which is not
always called before KVM_RUN, i.e. kvm_cpu_exec() checks whether an exit
request is pending for a CPU and if not, keeps running the vCPU until it
meets an exit it can't handle internally. Hyper-V specific MSR writes are
not automatically trigger an exit.

Fix the issue by simply raising an exit request for the vCPU where SynIC
update was queued. This is not a performance critical path as SynIC state
does not get updated so often (and async_safe_run_on_cpu() is a big hammer
anyways).

Reported-by: Jan Richter <jarichte@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20240917160051.2637594-4-vkuznets@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Exclude 'hv-syndbg' from 'hv-passthrough'

Windows with Hyper-V role enabled doesn't boot with 'hv-passthrough' when
no debugger is configured, this significantly limits the usefulness of the
feature as there's no support for subtracting Hyper-V features from CPU
flags at this moment (e.g. "-cpu host,hv-passthrough,-hv-syndbg" does not
work). While this is also theoretically fixable, 'hv-syndbg' is likely
very special and unneeded in the default set. Genuine Hyper-V doesn't seem
to enable it either.

Introduce 'skip_passthrough' flag to 'kvm_hyperv_properties' and use it as
one-off to skip 'hv-syndbg' when enabling features in 'hv-passthrough'
mode. Note, "-cpu host,hv-passthrough,hv-syndbg" can still be used if
needed.

As both 'hv-passthrough' and 'hv-syndbg' are debug features, the change
should not have any effect on production environments.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20240917160051.2637594-3-vkuznets@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Fix conditional CONFIG_SYNDBG enablement

Putting HYPERV_FEAT_SYNDBG entry under "#ifdef CONFIG_SYNDBG" in
'kvm_hyperv_properties' array is wrong: as HYPERV_FEAT_SYNDBG is not
the highest feature number, the result is an empty (zeroed) entry in
the array (and not a skipped entry!). hyperv_feature_supported() is
designed to check that all CPUID bits are set but for a zeroed
feature in 'kvm_hyperv_properties' it returns 'true' so QEMU considers
HYPERV_FEAT_SYNDBG as always supported, regardless of whether KVM host
actually supports it.

To fix the issue, leave HYPERV_FEAT_SYNDBG's definition in
'kvm_hyperv_properties' array, there's nothing wrong in having it defined
even when 'CONFIG_SYNDBG' is not set. Instead, put "hv-syndbg" CPU property
under '#ifdef CONFIG_SYNDBG' to alter the existing behavior when the flag
is silently skipped in !CONFIG_SYNDBG builds.

Leave an 'assert' sentinel in hyperv_feature_supported() making sure there
are no 'holes' or improperly defined features in 'kvm_hyperv_properties'.

Fixes: d8701185f40c ("hw: hyperv: Initial commit for Synthetic Debugging device")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20240917160051.2637594-2-vkuznets@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Add support save/load HWCR MSR

KVM commit 191c8137a939 ("x86/kvm: Implement HWCR support")
introduced support for emulating HWCR MSR.

Add support for QEMU to save/load this MSR for migration purposes.

Signed-off-by: Gao Shiyuan <gaoshiyuan@baidu.com>
Signed-off-by: Wang Liang <wangliang44@baidu.com>
Link: https://lore.kernel.org/r/20241009095109.66843-1-gaoshiyuan@baidu.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Add more features enumerated by CPUID.7.2.EDX

Following 5 bits in CPUID.7.2.EDX are supported by KVM. Add their
supports in QEMU. Each of them indicates certain bits of IA32_SPEC_CTRL
are supported. Those bits can control CPU speculation behavior which can
be used to defend against side-channel attacks.

bit0: intel-psfd
  if 1, indicates bit 7 of the IA32_SPEC_CTRL MSR is supported. Bit 7 of
  this MSR disables Fast Store Forwarding Predictor without disabling
  Speculative Store Bypass

bit1: ipred-ctrl
  If 1, indicates bits 3 and 4 of the IA32_SPEC_CTRL MSR are supported.
  Bit 3 of this MSR enables IPRED_DIS control for CPL3. Bit 4 of this
  MSR enables IPRED_DIS control for CPL0/1/2

bit2: rrsba-ctrl
  If 1, indicates bits 5 and 6 of the IA32_SPEC_CTRL MSR are supported.
  Bit 5 of this MSR disables RRSBA behavior for CPL3. Bit 6 of this MSR
  disables RRSBA behavior for CPL0/1/2

bit3: ddpd-u
  If 1, indicates bit 8 of the IA32_SPEC_CTRL MSR is supported. Bit 8 of
  this MSR disables Data Dependent Prefetcher.

bit4: bhi-ctrl
  if 1, indicates bit 10 of the IA32_SPEC_CTRL MSR is supported. Bit 10
  of this MSR enables BHI_DIS_S behavior.

Signed-off-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20240919051011.118309-1-chao.gao@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Make invtsc migratable when user sets tsc-khz explicitly

When user sets tsc-frequency explicitly, the invtsc feature is actually
migratable because the tsc-frequency is supposed to be fixed during the
migration.

See commit d99569d9d856 ("kvm: Allow invtsc migration if tsc-khz
is set explicitly") for referrence.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240814075431.339209-10-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Construct CPUID 2 as stateful iff times > 1

When times == 1, the CPUID leaf 2 is not stateful.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240814075431.339209-6-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Enable fdp-excptn-only and zero-fcs-fds

- CPUID.(EAX=07H,ECX=0H):EBX[bit 6]: x87 FPU Data Pointer updated only
  on x87 exceptions if 1.

- CPUID.(EAX=07H,ECX=0H):EBX[bit 13]: Deprecates FPU CS and FPU DS
  values if 1. i.e., X87 FCS and FDS are always zero.

Define names for them so that they can be exposed to guest with -cpu host.

Also define the bit field MACROs so that named cpu models can add it as
well in the future.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240814075431.339209-3-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

target/i386: Don't construct a all-zero entry for CPUID[0xD 0x3f]

Currently, QEMU always constructs a all-zero CPUID entry for
CPUID[0xD 0x3f].

It's meaningless to construct such a leaf as the end of leaf 0xD. Rework
the logic of how subleaves of 0xD are constructed to get rid of such
all-zero value of subleaf 0x3f.

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240814075431.339209-2-xiaoyao.li@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Merge tag 'single-binary-20241015' of https://github.com/philmd/qemu into staging

Remove some target-specific endianness knowledge from target/.

For MIPS, propagate endianness at the board level, using QOM property.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmcOihcACgkQ4+MsLN6t
# wN4VaRAAor+5gUJiV0OOMQVfP8e1o9ssKcYy9m31zLeii1Iq2M/2oz6YK4OjdQDe
# oJ8VRJvBPKC2Bpi14TfKsSGaP8CGNO/hdxcMi71pjHZC+bjHt5Uv0U/7T4XCBWuV
# N+85juN1PTc4cci4FkGIXaPB1YWL00L56BDCzja0uhLF4+Xe2eYGVrPXeFCkN/3I
# Ky7jHlB/dgzc47kTXvg5snCee2egDFf/x4igwZj6+gWJyo+jubRpwoOqKbK2M0Nd
# VvNpBVFNGZMP3Fn9lh45uDOuRWGu6zSIPBVkjoFc+wdGsFsITIMrZ3h46UffsGTJ
# F1j6Zsq6hoLbaNRRjZ6OsN6u683oo1lknmWauD62LrjXcX0RlRwRFbMD0AjedR8t
# 6+YHg5LlwGg6r/AOtEe28ggXZohB2vjr2V0MJm1x/XgLYhFHoN3//jxn22oOHj4p
# 0z3+eDc3Se8JNRV6jPMHbbuTqZqZjRgVFbYN3aMbdoXYzhpYnrPj6f7WQL2smiAW
# C2vdswrubQWKou1wcn6rbg0nnMRVTh+GxrtZ3mkgaxNzgNFxsrX8YubMsh77XUcr
# mnCGj1tE3hp40xsuSk6yZXY3ZZiTyZasvO1wq4gWOI9le0Zmq+d335F9+IVJ8RlP
# YhA+MY5aeomsixVRdmrPrgOfanQiHXv02lsbperU8QFfGRhf2Y8=
# =Qydb
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 15 Oct 2024 16:28:23 BST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'single-binary-20241015' of https://github.com/philmd/qemu: (33 commits)
  hw/mips: Have mips_cpu_create_with_clock() take an endianness argument
  hw/mips/cps: Set the vCPU 'cpu-big-endian' property
  target/mips: Expose MIPSCPU::is_big_endian property
  target/mips: Use tcg_constant_tl() instead of tcg_gen_movi_tl()
  target/mips: Use gen_op_addr_addi() when possible
  target/mips: Have gen_addiupc() expand $pc during translation
  target/mips: Replace MO_TE by mo_endian()
  target/mips: Introduce mo_endian() helper
  target/mips: Remove unused MEMOP_IDX() macro
  target/mips: Rename unused sysemu argument of OP_LD_ATOMIC()
  target/mips: Explode MO_TExx -> MO_TE | MO_xx
  target/mips: Factor mo_endian_rev() out of MXU code
  target/mips: Convert mips16e decr_and_load/store() macros to functions
  target/mips: Replace MO_TE by  mo_endian_env() in get_pte()
  target/mips: Introduce mo_endian_env() helper
  target/mips: Rename cpu_is_bigendian() -> disas_is_bigendian()
  target/mips: Declare mips_env_is_bigendian() in 'internal.h'
  hw/xtensa/xtfpga: Remove TARGET_BIG_ENDIAN #ifdef'ry
  target/ppc: Use tcg_constant_tl() instead of tcg_gen_movi_tl()
  target/tricore: Use tcg_constant_tl() instead of tcg_gen_movi_tl()
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/loongarch/fw_cfg: Build in common_ss[]

Nothing in LoongArch fw_cfg.c requires target specific definitions.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20240927213254.17552-3-philmd@linaro.org>
Signed-off-by: Song Gao <gaosong@loongson.cn>

hw/loongarch/virt: Remove unnecessary 'cpu.h' inclusion

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20240927213254.17552-2-philmd@linaro.org>
Signed-off-by: Song Gao <gaosong@loongson.cn>

target/loongarch: Avoid bits shift exceeding width of bool type

Variable env->cf[i] is defined as bool type, it is treated as int type
with shift operation. However the max possible width is 56 for the shift
operation, exceeding the width of int type. And there is existing api
read_fcc() which is converted to u64 type with bitwise shift, it can be
used to dump fp registers into coredump note segment.

Resolves: Coverity CID 1561133
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20240914064645.2099169-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>

hw/loongarch/virt: Add FDT table support with acpi ged pm register

ACPI ged is used for power management on LoongArch virt platform, in
general it is parsed from acpi table. However if system boot directly from
elf kernel, no UEFI bios is provided and acpi table cannot be used also.

Here acpi ged pm register is exposed with FDT table, it is compatbile
with syscon method in FDT table, only that acpi ged pm register is accessed
with 8-bit mode, rather with 32-bit mode.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-Id: <20240918014206.2165821-3-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>

acpi: ged: Add macro for acpi sleep control register

Macro definition is added for acpi sleep control register, ged emulation
driver can use the macro , also it can be used in FDT table if ged is
exposed with FDT table.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20240918014206.2165821-2-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>

hw/mips: Have mips_cpu_create_with_clock() take an endianness argument

mips_cpu_create_with_clock() creates a vCPU. Pass it the vCPU
endianness requested by argument. Update the board call sites.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-17-philmd@linaro.org>

hw/mips/cps: Set the vCPU 'cpu-big-endian' property

Have the CPS expose a 'cpu-big-endian' property so it can
set it to the vCPUs it creates.
Note, since the number of vCPUs created is dynamic, we can
not use QOM aliases.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-16-philmd@linaro.org>

target/mips: Expose MIPSCPU::is_big_endian property

Add the "big-endian" property and set the CP0C0_BE bit in CP0_Config0.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-15-philmd@linaro.org>

target/mips: Use tcg_constant_tl() instead of tcg_gen_movi_tl()

Directly use tcg_constant_tl() for constant integer, this
save a call to tcg_gen_movi_tl(), often saving a temp register.

Most of the places found using the following Coccinelle spatch script:

  @@
  identifier tmp;
  constant val;
  @@
  *    TCGv tmp = tcg_temp_new();
       ...
  *    tcg_gen_movi_tl(tmp, val);

  @@
  identifier tmp;
  int val;
  @@
  *    TCGv tmp = tcg_temp_new();
       ...
  *    tcg_gen_movi_i64(tmp, val);

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241004202621.4321-2-philmd@linaro.org>

target/mips: Use gen_op_addr_addi() when possible

Replace tcg_gen_movi_tl() + gen_op_addr_add() by a single
gen_op_addr_addi() call.

gen_op_addr_addi() calls tcg_gen_addi_tl() which might
optimize if the immediate is zero.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-13-philmd@linaro.org>

target/mips: Have gen_addiupc() expand $pc during translation

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-12-philmd@linaro.org>

target/mips: Replace MO_TE by mo_endian()

Replace compile-time MO_TE evaluation by runtime mo_endian() one,
which expand target endianness from DisasContext.

Mechanical change using:

  $ sed -i -e 's/MO_TE/mo_endian(ctx)/' \
     $(git grep -l MO_TE target/mips)

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-11-philmd@linaro.org>

target/mips: Introduce mo_endian() helper

Introduce mo_endian() which returns the endian MemOp
corresponding to the vCPU DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Tested-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241010215015.44326-10-philmd@linaro.org>

target/mips: Remove unused MEMOP_IDX() macro

MEMOP_IDX() is unused since commit 948f88661c6 ("target/mips:
Use cpu_*_data_ra for msa load/store"), remove it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20241014232235.51988-1-philmd@linaro.org>