Re: [Qemu-devel] Qemu varying performance

[Andreas Färber]

Am 28.09.2011 02:25, schrieb Torbjorn Granlund:
> Another issue I ran into what the sh4 qemu performance.  It is much
> worse than other qemu ports (except perhaps ppc64).  What is the reason
> behind that?  (The idle thing works well for sh4, though.)
>
> My host system runs FreeBSD 8.2.  The Debian installs all use 6.0.2.
Is your host 32-bit? Which architecture?

Andreas

Re: [Qemu-devel] [PATCH 7/7] Enable fork and MIPS64 specific changes in mq_open syscall

[Andreas Färber]

Am 28.09.2011 06:38, schrieb kha...@kics.edu.pk:
> From: Khansa Butt 
>
Please prefix the subject with "linux-user: ".
Where's the preceding 6 patches?

Patch description is missing.
> Signed-off-by: Khansa Butt 
> ---
>  configure|1 +
>  linux-user/syscall.c |   11 +--
>  2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/configure b/configure
> index 5e45a43..8d39fda 100755
> --- a/configure
> +++ b/configure
> @@ -3286,6 +3286,7 @@ case "$target_arch2" in
>  TARGET_ARCH=mips64
>  TARGET_BASE_ARCH=mips
>  echo "TARGET_ABI_MIPSN64=y" >> $config_target_mak
> +target_nptl="yes"
How is this related to the mq_open syscall?
If it isn't, please put it into a separate patch.
>  target_phys_bits=64
>  target_long_alignment=8
>;;
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 6b73769..97ac9fb 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -7799,10 +7799,17 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
> arg1,
>  {
>  struct mq_attr posix_mq_attr;
>  
> +#if defined(TARGET_MIPS64)
> +arg2 = arg2 & 0xff;
> +arg2 = arg2 | 0x40;
What's 0x40? Please use a define or enum instead of the magic number.
I'd also humbly suggest to add inline comments (in addition to an
appropriate description above) to explain *why* this is necessary and
correct.
> +#endif
> +
>  p = lock_user_string(arg1 - 1);
> -if (arg4 != 0)
> +if (arg4 != 0) {
>  copy_from_user_mq_attr (&posix_mq_attr, arg4);
> -ret = get_errno(mq_open(p, arg2, arg3, &posix_mq_attr));
> +ret = get_errno(mq_open(p, arg2, arg3, &posix_mq_attr));
> +} else if (arg4 == 0)
> +ret = get_errno(mq_open(p, arg2, arg3, NULL));
Coding Style requires braces.
>  unlock_user (p, arg1, 0);
>  }
>  break;

Andreas

Re: [Qemu-devel] [PATCH 24/58] PPC: E500: Add PV spinning code

[Alexander Graf]

Am 27.09.2011 um 21:05 schrieb Blue Swirl :

> On Tue, Sep 27, 2011 at 5:23 PM, Alexander Graf  wrote:
>> 
>> On 27.09.2011, at 19:20, Blue Swirl wrote:
>> 
>>> On Tue, Sep 27, 2011 at 5:03 PM, Alexander Graf  wrote:
 
 On 27.09.2011, at 18:53, Blue Swirl wrote:
 
> On Tue, Sep 27, 2011 at 3:59 PM, Alexander Graf  wrote:
>> 
>> On 27.09.2011, at 17:50, Blue Swirl wrote:
>> 
>>> On Mon, Sep 26, 2011 at 11:19 PM, Scott Wood  
>>> wrote:
 On 09/24/2011 05:00 AM, Alexander Graf wrote:
> On 24.09.2011, at 10:44, Blue Swirl wrote:
>> On Sat, Sep 24, 2011 at 8:03 AM, Alexander Graf  
>> wrote:
>>> On 24.09.2011, at 09:41, Blue Swirl wrote:
 On Mon, Sep 19, 2011 at 4:12 PM, Scott Wood 
  wrote:
> The goal with the spin table stuff, suboptimal as it is, was 
> something
> that would work on any powerpc implementation.  Other
> implementation-specific release mechanisms are allowed, and are
> indicated by a property in the cpu node, but only if the loader 
> knows
> that the OS supports it.
> 
>> IIUC the spec that includes these bits is not finalized yet. It 
>> is however in use on all u-boot versions for e500 that I'm aware 
>> of and the method Linux uses to bring up secondary CPUs.
> 
> It's in ePAPR 1.0, which has been out for a while now.  ePAPR 1.1 
> was
> just released which clarifies some things such as WIMG.
> 
>> Stuart / Scott, do you have any pointers to documentation where 
>> the spinning is explained?
> 
> https://www.power.org/resources/downloads/Power_ePAPR_APPROVED_v1.1.pdf
 
 Chapter 5.5.2 describes the table. This is actually an interface
 between OS and Open Firmware, obviously there can't be a real 
 hardware
 device that magically loads r3 etc.
 
 Not Open Firmware, but rather an ePAPR-compliant loader.
>>> 
>>> 'boot program to client program interface definition'.
>>> 
 The device method would break abstraction layers,
 
 Which abstraction layers?
>>> 
>>> QEMU system emulation emulates hardware, not software. Hardware
>>> devices don't touch CPU registers.
>> 
>> The great part about this emulated device is that it's basically guest 
>> software running in host context. To the guest, it's not a device in the 
>> ordinary sense, such as vmport, but rather the same as software running 
>> on another core, just that the other core isn't running any software.
>> 
>> Sure, if you consider this a device, it does break abstraction layers. 
>> Just consider it as host running guest code, then it makes sense :).
>> 
>>> 
 it's much like
 vmport stuff in x86. Using a hypercall would be a small 
 improvement.
 Instead it should be possible to implement a small boot ROM which 
 puts
 the secondary CPUs into managed halt state without spinning, then 
 the
 boot CPU could send an IPI to a halted CPU to wake them up based on
 the spin table, just like real HW would do.
 
 The spin table, with no IPI or halt state, is what real HW does (or
 rather, what software does on real HW) today.  It's ugly and 
 inefficient
 but it should work everywhere.  Anything else would be dependent on a
 specific HW implementation.
>>> 
>>> Yes. Hardware doesn't ever implement the spin table.
>>> 
 On Sparc32 OpenBIOS this
 is something like a few lines of ASM on both sides.
>>> 
>>> That sounds pretty close to what I had implemented in v1. Back then 
>>> the only comment was to do it using this method from Scott.
 
 I had some comments on the actual v1 implementation as well. :-)
 
>>> So we have the choice between having code inside the guest that
>>> spins, maybe even only checks every x ms, by programming a timer,
>>> or we can try to make an event out of the memory write. V1 was
>>> the former, v2 (this one) is the latter. This version performs a
>>> lot better and is easier to understand.
>> 
>> The abstraction layers should not be broken lightly, I suppose some
>> performance or laziness^Wlocal optimization reasons were behind 
>> vmport
>> design too. The ideal way to solve this could be to detect a spinning
>> CPU and optimize that for all architectures, that could be tricky
>> though (if a CPU remains in the same TB for extended periods, inspect
>> the TB: if it performs a loo

Re: [Qemu-devel] [PATCH] event_notifier: move to top-level directory

[Jan Kiszka]

On 2011-09-28 08:27, Paolo Bonzini wrote:
> On 09/27/2011 11:23 PM, Anthony Liguori wrote:
>> On 09/27/2011 11:39 AM, Paolo Bonzini wrote:
>>> On 09/27/2011 06:05 PM, Anthony Liguori wrote:
 Actually, for posix-aio, we can just switch to using g_idle_add().
 g_idle_add() uses g_source_attach which is thread safe. g_idle_add()
 gives you a thread safe mechanism to defer a piece of work to the
 main loop which is really what we want here.
>>>
>>> For that, a bottom half would also do (apart that I am not sure it is
>>> async-safe with TCG). In fact, that would make sense since all of
>>> posix_aio_process_queue could become a bottom half.
>>
>> Bottom halves are signal safe, not thread safe.
>>
>> To make bottom halves thread safe, you would (in the very least) have to
>> add some barriers when reading/writing the scheduling flag.
> 
> You can probably assume that qemu_notify_event (and dually the read in 
> the main loop) are resp. write/read memory barriers.  Or even full.
> 
> If we switch entirely to GSources, it would be nice to use them.  But 
> since we aren't, and our main loop functionality is quite different from 
> glib's (it doesn't rely on abstractions for file descriptors, for 
> example), it is just a painful incomplete transition to use glib's idle 
> sources to do the exact same thing that is done by bottom halves (which 
> are already in our toolbox).

BTW, I just wondered if there is anything conceptually preventing to
skip this ping pong between AIO thread and main loop and just run the
completion over the former context (under global lock protection of course).

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PATCH] linux-user: fix memory leak in failure path

[Peter Maydell]

On 28 September 2011 07:57,   wrote:
> From: Alex Jia 
>
> Haven't released memory of 'array' and 'host_mb' in failure paths.
>
> Signed-off-by: Alex Jia 
> ---
>  linux-user/syscall.c |    6 --
>  1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 7735008..922c2a0 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2523,8 +2523,10 @@ static inline abi_long do_semctl(int semid, int 
> semnum, int cmd,
>        case GETALL:
>        case SETALL:
>             err = target_to_host_semarray(semid, &array, target_su.array);
> -            if (err)
> +            if (err) {
> +                free(array);
>                 return err;
> +            }
>             arg.array = array;
>             ret = get_errno(semctl(semid, semnum, cmd, arg));
>             err = host_to_target_semarray(semid, target_su.array, &array);

This is the wrong place to try to fix this. If target_to_host_semarray
fails it should free() the buffer it malloc()ed itself, not rely on
its caller to do the cleanup.

> @@ -2779,9 +2781,9 @@ static inline abi_long do_msgrcv(int msqid, abi_long 
> msgp,
>     }
>
>     target_mb->mtype = tswapl(host_mb->mtype);
> -    free(host_mb);
>
>  end:
> +    free(host_mb);
>     if (target_mb)
>         unlock_user_struct(target_mb, msgp, 1);
>     return ret;

This change is OK.

Also I note that target_to_host_semarray is doing a plain malloc()
and not checking the return value. You should fix that while you're
doing fixes in this area.

-- PMM

Re: [Qemu-devel] [PATCH] event_notifier: move to top-level directory

[Paolo Bonzini]

On 09/28/2011 09:52 AM, Jan Kiszka wrote:

>  You can probably assume that qemu_notify_event (and dually the read in
>  the main loop) are resp. write/read memory barriers.  Or even full.
>
>  If we switch entirely to GSources, it would be nice to use them.  But
>  since we aren't, and our main loop functionality is quite different from
>  glib's (it doesn't rely on abstractions for file descriptors, for
>  example), it is just a painful incomplete transition to use glib's idle
>  sources to do the exact same thing that is done by bottom halves (which
>  are already in our toolbox).

BTW, I just wondered if there is anything conceptually preventing to
skip this ping pong between AIO thread and main loop and just run the
completion over the former context (under global lock protection of course).


Would be a good idea, but it would require some refactoring because 
tools do not have a global lock.


Paolo

Re: [Qemu-devel] Qemu varying performance

[Torbjorn Granlund]

Andreas Färber  writes:

  Am 28.09.2011 02:25, schrieb Torbjorn Granlund:
  > Another issue I ran into what the sh4 qemu performance.  It is much
  > worse than other qemu ports (except perhaps ppc64).  What is the reason
  > behind that?  (The idle thing works well for sh4, though.)
  >
  > My host system runs FreeBSD 8.2.  The Debian installs all use 6.0.2.
  Is your host 32-bit? Which architecture?
  
It is an amd64 system.  The CPU is a 6-core 3.2 GHz Phenom 2.  The
system has 16 GB RAM.  It is running the 64-bit version of FreeBSD.

The simulated system has only 64 MiB of RAM, but this is not the
problem; my usage of the system requires just a few MiB.

-- 
Torbjörn

[Qemu-devel] [PATCH v2] linux-user: fix memory leak in failure path

[ajia]

From: Alex Jia 

Haven't released memory of 'host_mb' in failure path, and calling malloc 
allocate
memory to 'host_array', however, memory hasn't been freed before the function
target_to_host_semarray returns.

Signed-off-by: Alex Jia 
---
 linux-user/syscall.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7735008..22d4fcc 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2466,6 +2466,7 @@ static inline abi_long target_to_host_semarray(int semid, 
unsigned short **host_
 for(i=0; imtype = tswapl(host_mb->mtype);
-free(host_mb);
 
 end:
+free(host_mb);
 if (target_mb)
 unlock_user_struct(target_mb, msgp, 1);
 return ret;
-- 
1.7.1

Re: [Qemu-devel] [PATCH] linux-user: fix memory leak in failure path

[Alex Jia]

On 09/28/2011 03:55 PM, Peter Maydell wrote:

On 28 September 2011 07:57,  wrote:

From: Alex Jia

Haven't released memory of 'array' and 'host_mb' in failure paths.

Signed-off-by: Alex Jia
---
  linux-user/syscall.c |6 --
  1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7735008..922c2a0 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2523,8 +2523,10 @@ static inline abi_long do_semctl(int semid, int semnum, 
int cmd,
case GETALL:
case SETALL:
 err = target_to_host_semarray(semid,&array, target_su.array);
-if (err)
+if (err) {
+free(array);
 return err;
+}
 arg.array = array;
 ret = get_errno(semctl(semid, semnum, cmd, arg));
 err = host_to_target_semarray(semid, target_su.array,&array);

This is the wrong place to try to fix this. If target_to_host_semarray
fails it should free() the buffer it malloc()ed itself, not rely on
its caller to do the cleanup.


Yeah, caller shouldn't do this.

@@ -2779,9 +2781,9 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
 }

 target_mb->mtype = tswapl(host_mb->mtype);
-free(host_mb);

  end:
+free(host_mb);
 if (target_mb)
 unlock_user_struct(target_mb, msgp, 1);
 return ret;

This change is OK.

Also I note that target_to_host_semarray is doing a plain malloc()
and not checking the return value. You should fix that while you're
doing fixes in this area.

Yeah, for return value check of malloc(), it seems many places haven't
do it.

Thanks,
Alex

-- PMM

Re: [Qemu-devel] [PATCH 5/7] target-mips:Support for Cavium specific instructions

[Andreas Färber]

Am 27.09.2011 06:17, schrieb kha...@kics.edu.pk:
> From: Ehsan-ul-Haq, Abdul Qadeer, Abdul Waheed, Khansa Butt 
> 
>
>
> Signed-off-by: Khansa Butt 

...nor all of mine from previous rounds. Including From vs.
Signed-off-by mixup (From is who sent the patch, not whom the code
originated from), Coding Style issues, misleading "Cavium specific"
comments, typos, ...

A space after the colon in the subject would be more visually pleasing, too.

Further, your patch series is completely missing versioning ([PATCH vX
n/m] and change log). Not seeing what you've actually changed for this
resubmission while still seeing unaddressed flaws we've pointed out
already becomes annoying after a while and will not help your patches
make it into the repository...

Regards,
Andreas

Re: [Qemu-devel] [PATCH] Move filedescriptor parsing code from net.c into qemu_parse_fd()

[Stefan Hajnoczi]

On Tue, Sep 27, 2011 at 5:02 PM, Stefan Berger
 wrote:
> Move the parsing of a filedescriptor into a common function qemu_parse_fd().
> Have the code in net.c call this function.
>
> Signed-off-by: Stefan Berger 
>
> ---
>  net.c       |    8 ++--
>  qemu-char.c |   12 
>  qemu-char.h |    2 ++
>  3 files changed, 16 insertions(+), 6 deletions(-)

Seems fine but what does this have to do with qemu-char.h?  Can this
be a much more generic function, maybe even cutils.c?

Stefan

Re: [Qemu-devel] Using iPXE with older qemu releases?

[Stefan Hajnoczi]

On Tue, Sep 27, 2011 at 6:50 PM, Kenton Cabiness
 wrote:
> Stefan,
>
> On 9/27/2011 2:23 AM, Stefan Hajnoczi wrote:
>>
>> On Mon, Sep 26, 2011 at 02:22:21PM -0500, Kenton Cabiness wrote:
>>>
>>> Is there a way to point an older qemu release (currently running
>>> qemu-kvm-0.12.1.2-2.16) to iPXE products?
>>>
>>> We have built iPXE and installed the files and tested by changing
>>> the symbolic links in /usr/share/qemu-kvm (RH6.1 system) to point to
>>> the iPXE files.  We would like to package the files in an RPM for
>>> installation on several machines, but since the links are owned by
>>> the qemu-kvm package, we cant have the iPXE package overwrite them.
>>>
>>> Is there a command line argument to qemu to point to a different
>>> directory for iPXE?  I've been looking through the code but can't
>>> find what tells qemu where to pick up the files.
>>
>> Try -device virtio-net-pci,romfile=/path/to/ipxe.rom,... as part of your
>> command-line.  If you have trouble getting this working, please post
>> your full command-line.
>>
>> Alternatively use -option-rom /path/to/ipxe.rom.  Either method should
>> work.
>
> Thanks for the reply.  Unfortunately, neither of these works for us.  We are
> using libvirt to configure and start up our VMs and it doesn't support the
> romfile= option (we've got a fairly robust configuration with 16 NICs using
> bridges, so I don't really want to try configuring everything manually and
> wouldn't fly with our project anyway).
>
> The -option-rom method works somewhat (we are using it to load sgabios, so I
> know the arguments are being recognized).   The value doesn't seem to
> override the default path for the romfile for the NIC.  If I remove the gpxe
> rom file from the default directory (or make it 0 length), then it fires off
> the iPXE PXEboot almost immediately (much faster than normal), but it can't
> communicate with the external DHCP server.  If I let it fail a couple of
> times and then reset the VM, then it launches iPXE and everything works
> correctly, so I'd say that something isn't getting initialized correctly if
> the load of the default romfile fails.

This almost sounds like there is a secondary problem with network
connectivity.  You could try booting an ipxe.iso instead of ROM just
to make sure that iPXE works reliably.

One thing that comes to mind is bridges with STP and forwarding delay
enabled, where the link is down for several seconds before traffic is
allowed.  This can cause a network bootloader to time out, may explain
why you need to let it fail a couple of times.

Stefan

Re: [Qemu-devel] [RFC] potential risk for macro QTAILQ_INSERT_BEFORE

[Jan Kiszka]

On 2011-09-28 05:38, Wayne Xia wrote:
> Hi, during my coding, I found macro a bit different from other
> QTAIL macros.
> 
> QTAILQ_INSERT_AFTER was defined as:
> ---
> #define QTAILQ_INSERT_AFTER(head, listelm, elm, field) do { \
> if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
> (elm)->field.tqe_next->field.tqe_prev = \
> &(elm)->field.tqe_next; \
> else\
> (head)->tqh_last = &(elm)->field.tqe_next;  \
> (listelm)->field.tqe_next = (elm);  \
> (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \
> } while (/*CONSTCOND*/0)
> -
>  QTAILQ_INSERT_BEFORE is defined as following:
> 
> #define QTAILQ_INSERT_BEFORE(listelm, elm, field) do {
> (elm)->field.tqe_prev = (listelm)->field.tqe_prev;  \
> (elm)->field.tqe_next = (listelm);  \
> *(listelm)->field.tqe_prev = (elm); \
> (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \
> } while (/*CONSTCOND*/0)
> --
> 
> It did not take care of "head" as QTAILQ_INSERT_AFTER did, so I am
> wondering what would happen if I use QTAILQ_INSERT_BEFORE to insert one
> element to a queue that have only one element in it, would it happen
> that the queue head pointer is not updated and the real first element
> is lost? Currently some codes in qemu have used this macro.

The code is fine: a QTAILQ head consists of a dummy entry element that
looks for the first element as if a normal element would precede it. In
contrast, there is no dummy "end element", the last one just points to
NULL. Therefore we need to handle this separately.

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] virtqueue corruption in emulation mode?

[Stefan Hajnoczi]

On Wed, Sep 28, 2011 at 3:01 AM, Sinha, Ani  wrote:
>
> On Sep 27, 2011, at 12:17 AM, Stefan Hajnoczi wrote:
>
>> On Mon, Sep 26, 2011 at 07:16:56PM -0500, Sinha, Ani wrote:
>>> I am using the virtqueue (virtqueue_pop, virtqueue_push etc) in the 
>>> emulated mode (non-kvm mode) from an IO thread (a separate thread different 
>>> from main QEMU thread). What I am observing is that the virtqueue memory 
>>> seems to get corrupt. Either qemu crashes while performing virtqueue_push() 
>>> (virtqueue_push() -> virtqueue_fill() 
>>> ->bring_used_idx()->lduw_phys()->qemu_get_ram_ptr()->"bad ram offset") or 
>>> crashes when the guest accesses a bad memory while using virtqueue. Now 
>>> this never ever happens when I run QEMU in KVM mode (/dev/kvm present) OR 
>>> when I use my functions from within the main qemu thread. I am unable to 
>>> figure out why this is happening. I have looked into my code over and over 
>>> again and I can't seem to explain this behavior. Can any of you guys give 
>>> me any inkling?
>>
>> QEMU is not thread-safe in general.  It uses a big lock to protect most
>> of its internal state.
>
>
> I see. So may be I should do something like qemu_set_fd_handler(fd, …) where 
> fd is a pipe and the handler does the virtqueue_push() etc?
> Now my question is, is it safe to do elem = virtqueue_pop(vq) from main event 
> loop, then so some work on the elem popped out in an worker thread and then 
> at some later point do a virtqueue_push(vq, elem) from that handler (which is 
> called by main_loop() ->main_loop_wait())?  In other words, the vq reference 
> is being used from the main event loop at two different points from two 
> different functions but not in a contiguous fashion within the same function.

Yes but do you need a helper thread?  Most of QEMU is based on
qemu_set_fd_handler() and callbacks, including for host network and
disk I/O.  If you follow the way QEMU does things it should be
easiest.

Stefan

Re: [Qemu-devel] [PATCH] remove mpc8544ds.dtb

[Alexander Graf]

On 27.09.2011, at 23:58, Scott Wood wrote:

> On 09/24/2011 02:32 AM, Alexander Graf wrote:
>> 
>> On 16.09.2011, at 21:05, Stuart Yoder wrote:
>> 
>>> From: Stuart Yoder 
>>> 
>>> make install now compiles dtb
>> 
>> It doesn't when you don't have dtb installed, breaking the e500
>> target for build environments that don't have dtb. I don't think
>> that's a good idea. It's not been too painful upstream to keep the
>> dtb and dts in sync.
> 
> So now we're avoiding new dependencies. :-)

Sure, it's always painful to add new dependencies. If adding a new dependency 
buys us a tremendous amount of comfort, I'll happily do it. However, this is 
only a convenience thing for whoever changes the dts. And every change to the 
dts should go through upstream. And there I'll generate the dtb. :)

> 
> It was more of an annoyance in internal development as we were
> frequently changing the device tree to configure device assignment and
> such.  For mainline QEMU the long-term plan should be to get rid of the
> static device tree entirely, and to avoid doing configuration that way
> in the first place, so it's not that big of a deal to keep both .dts and
> .dtb around until then.

Yup. Worst case we'd keep around a minimal dtb that doesn't need to be modified 
too often, but yes.


Alex

Re: [Qemu-devel] RFC [v2]: vfio / device assignment -- layout of device fd files

[Alexander Graf]

On 28.09.2011, at 04:40, Alex Williamson wrote:

> On Tue, 2011-09-27 at 16:28 -0500, Scott Wood wrote:
>> On 09/26/2011 07:45 PM, Alex Williamson wrote:
>>> On Mon, 2011-09-26 at 18:59 -0500, Scott Wood wrote:
 On 09/26/2011 01:34 PM, Alex Williamson wrote:
> /* Reset the device */
> #define VFIO_DEVICE_RESET _IO(, ,)
 
 What generic way do we have to do this?  We should probably have a way
 to determine whether it's possible, without actually asking to do it.
>>> 
>>> It's not generic, it could be a VFIO_DEVICE_PCI_RESET or we could add a
>>> bit to the device flags to indicate if it's available or we could add a
>>> "probe" arg to the ioctl to either check for existence or do it.
>> 
>> Even with PCI, isn't this only possible if function-level reset is
>> supported?
> 
> There are a couple other things we can do if FLR isn't present (D3hot
> transition, secondary bus reset, device specific resets are possible).
> 
>> I think we need a flag.
> 
> Ok, PCI has a pci_probe_reset_function() and pci_reset_function().  I'd
> probably mimic those in the vfio device ops.  Common vfio code can probe
> the reset and set the flag appropriately and we can have a common
> VFIO_DEVICE_RESET ioctl that calls into the device ops reset function.
> 
>> For devices that can't be reset by the kernel, we'll want the ability to
>> stop/start DMA acccess through the IOMMU (or other bus-specific means),
>> separate from whether the fd is open.  If a device is assigned to a
>> partition and that partition gets reset, we'll want to disable DMA
>> before we re-use the memory, and enable it after the partition has reset
>> or quiesced the device (which requires the fd to be open).
> 
> Maybe this can be accomplished via an iommu_detach_device() to
> temporarily disassociate it from the domain.  We could also unmap all
> the DMA.  Anyway, a few possibilities.
> 
> /* PCI MSI setup, arg[0] = #, arg[1-n] = eventfds */
> #define VFIO_DEVICE_PCI_SET_MSI_EVENTFDS  _IOW(, , int)
> #define VFIO_DEVICE_PCI_SET_MSIX_EVENTFDS _IOW(, , int)
> 
> Hope that covers it.
 
 It could be done this way, but I predict that the code (both kernel and
 user side) will be larger.  Maybe not much more complex, but more
 boilerplate.
 
 How will you manage extensions to the interface?
>>> 
>>> I would assume we'd do something similar to the kvm capabilities checks.
>> 
>> This information is already built into the data-structure approach.
> 
> If we define it to be part of the flags, then it's built-in to the ioctl
> approach too...
> 
 The table should not be particularly large, and you'll need to keep the
 information around in some form regardless.  Maybe in the PCI case you
 could produce it dynamically (though I probably wouldn't), but it really
 wouldn't make sense in the device tree case.
>>> 
>>> It would be entirely dynamic for PCI, there's no advantage to caching
>>> it.  Even for device tree, if you can't fetch it dynamically, you'd have
>>> to duplicate it between an internal data structure and a buffer reading
>>> the table.
>> 
>> I don't think we'd need to keep the device tree path/index info around
>> for anything but the table -- but really, this is a minor consideration.
>> 
 You also lose the ability to easily have a human look at the hexdump for
 debugging; you'll need a special "lsvfio" tool.  You might want one
 anyway to pretty-print the info, but with ioctls it's mandatory.
>>> 
>>> I don't think this alone justifies duplicating the data and making it
>>> difficult to parse on both ends.  Chances are we won't need such a tool
>>> for the ioctl interface because it's easier to get it right the first
>>> time ;)
>> 
>> It's not just useful for getting the code right, but for e.g. sanity
>> checking that the devices were bound properly.  I think such a tool
>> would be generally useful, no matter what the kernel interface ends up
>> being.  I don't just use lspci to debug the PCI subsystem. :-)
> 
> This is also a minor consideration.  Looking at hexdumps isn't much to
> rely on for debugging and if we take the step of writing a tool, it's
> not much harder to write for either interface.  The table is more akin
> to dumping the data, but I feel the ioctl is easier for how a driver
> would probably make use of the data (linear vs random access).
> 
>>> Note that I'm not stuck on this interface, I was just thinking about how
>>> to generate the table last week, it seemed like a pain so I thought I'd
>>> spend a few minutes outlining an ioctl interface... turns out it's not
>>> so bad.  Thanks,
>> 
>> Yeah, it can work either way, as long as the information's there and
>> there's a way to add new bits of information, or new bus types, down the
>> road.  Mainly a matter of aesthetics between the two.
> 
> It'd be nice if David would chime back in since he objected to the
> table.  Does an ioctl interface look better?  Alex Graf, a

[Qemu-devel] [PATCH 0/1] Make the help info more friendly in monitor

[Wayne Xia]

During my test, I found it inconvenient when I type "help" or "help info",
because the information was shown without orderliness. This patch would just
show the help information in sorted order.

For eg:
(qemu)help
acl_add
acl_policy
acl_remove
acl_reset
acl_show
balloon
block_passwd
...
the command list is sorted.

Wayne Xia (1):
  Sort the help info shown in monitor

 monitor.c |   97 ++--
 1 files changed, 93 insertions(+), 4 deletions(-)

-- 
1.7.6

[Qemu-devel] [PATCH 1/1] Sort the help info shown in monitor

[Wayne Xia]

Introduced two queues to save sorted command list in it, and dump commands
from them. As a result, command help and help info would show a more friendly
sorted command list.

Signed-off-by: Wayne Xia 
---
 monitor.c |   97 ++--
 1 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/monitor.c b/monitor.c
index 8ec2c5e..88938d6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -63,6 +63,7 @@
 #endif
 #include "trace/control.h"
 #include "ui/qemu-spice.h"
+#include "qemu-queue.h"
 
 //#define DEBUG
 //#define DEBUG_COMPLETION
@@ -124,6 +125,17 @@ typedef struct mon_cmd_t {
 int flags;
 } mon_cmd_t;
 
+struct HelpCmdElem {
+QTAILQ_ENTRY(HelpCmdElem) entry;
+const mon_cmd_t *cmd;
+};
+
+typedef struct HelpCmdElem HelpCmdElem;
+
+QTAILQ_HEAD(HelpCmdQueue, HelpCmdElem);
+
+typedef struct HelpCmdQueue HelpCmdQueue;
+
 /* file descriptors passed via SCM_RIGHTS */
 typedef struct mon_fd_t mon_fd_t;
 struct mon_fd_t {
@@ -193,6 +205,8 @@ static QLIST_HEAD(mon_list, Monitor) mon_list;
 
 static const mon_cmd_t mon_cmds[];
 static const mon_cmd_t info_cmds[];
+static HelpCmdQueue *mon_cmds_queue;
+static HelpCmdQueue *info_cmds_queue;
 
 static const mon_cmd_t qmp_cmds[];
 static const mon_cmd_t qmp_query_cmds[];
@@ -560,12 +574,15 @@ static int compare_cmd(const char *name, const char *list)
 return 0;
 }
 
-static void help_cmd_dump(Monitor *mon, const mon_cmd_t *cmds,
+static void help_cmd_dump_queue(Monitor *mon, const HelpCmdQueue *queue,
   const char *prefix, const char *name)
 {
 const mon_cmd_t *cmd;
+HelpCmdElem *elem = NULL;
+HelpCmdElem *next = NULL;
 
-for(cmd = cmds; cmd->name != NULL; cmd++) {
+QTAILQ_FOREACH_SAFE(elem, queue, entry, next) {
+cmd = elem->cmd;
 if (!name || !strcmp(name, cmd->name))
 monitor_printf(mon, "%s%s %s -- %s\n", prefix, cmd->name,
cmd->params, cmd->help);
@@ -575,9 +592,9 @@ static void help_cmd_dump(Monitor *mon, const mon_cmd_t 
*cmds,
 static void help_cmd(Monitor *mon, const char *name)
 {
 if (name && !strcmp(name, "info")) {
-help_cmd_dump(mon, info_cmds, "info ", NULL);
+help_cmd_dump_queue(mon, info_cmds_queue, "info ", NULL);
 } else {
-help_cmd_dump(mon, mon_cmds, "", name);
+help_cmd_dump_queue(mon, mon_cmds_queue, "", name);
 if (name && !strcmp(name, "log")) {
 const CPULogItem *item;
 monitor_printf(mon, "Log items (comma separated):\n");
@@ -5275,6 +5292,76 @@ static void monitor_event(void *opaque, int event)
  * End:
  */
 
+static int cmdlist_sortto_queue(const mon_cmd_t *cmdlist,
+HelpCmdQueue **pqueue)
+{
+const mon_cmd_t *cmd = NULL;
+HelpCmdElem *elem = NULL;
+HelpCmdElem *newelem = NULL;
+HelpCmdElem *next = NULL;
+HelpCmdQueue *cmdqueue = NULL;
+int cmpret1, cmpret2;
+
+if (*pqueue != NULL) {
+/* queue already allocated.
+because the cmd contents would not change when reboot, so skip */
+return 0;
+}
+cmdqueue = g_malloc(sizeof(HelpCmdQueue));
+if (cmdqueue == NULL) {
+return -1;
+}
+QTAILQ_INIT(cmdqueue);
+
+for (cmd = cmdlist; cmd->name != NULL; cmd++) {
+newelem = NULL;
+newelem = g_malloc(sizeof(HelpCmdElem));
+if (newelem == NULL) {
+return -1;
+}
+newelem->cmd = cmd;
+
+if (QTAILQ_EMPTY(cmdqueue)) {
+QTAILQ_INSERT_HEAD(cmdqueue, newelem, entry);
+continue;
+}
+QTAILQ_FOREACH_SAFE(elem, cmdqueue, entry, next) {
+/* search for proper postion */
+cmpret1 = strcmp(cmd->name, elem->cmd->name);
+if (next == NULL) {
+if (cmpret1 >= 0) {
+QTAILQ_INSERT_TAIL(cmdqueue, newelem, entry);
+} else {
+QTAILQ_INSERT_HEAD(cmdqueue, newelem, entry);
+}
+break;
+} else {
+cmpret2 = strcmp(cmd->name, next->cmd->name);
+}
+if ((cmpret1 >= 0) && (cmpret2 <= 0)) {
+QTAILQ_INSERT_AFTER(cmdqueue, elem, newelem, entry);
+break;
+}
+}
+}
+*pqueue = cmdqueue;
+return 1;
+}
+
+static int cmd_queue_init(void)
+{
+int ret;
+ret = cmdlist_sortto_queue(mon_cmds, &mon_cmds_queue);
+if (ret < 0) {
+printf("error in initilize mon cmd queue, return is %d.\n", ret);
+}
+ret = cmdlist_sortto_queue(info_cmds, &info_cmds_queue);
+if (ret < 0) {
+printf("error in initilize info cmd queue, return is %d.\n", ret);
+}
+return ret;
+}
+
 void monitor_init(CharDriverState *chr, int flags)
 {
 static int is_first_init = 1;
@@ -5308,6 +5395,8 @@ void monitor_init(CharDriverState *chr, int flags)
 QLIST_INSERT_HEAD(&mon_list, mon, entry);

Re: [Qemu-devel] [PATCH 3/3] virtio-serial-bus: Add per-port stats for received, sent, discarded bytes

[Amit Shah]

On (Wed) 14 Sep 2011 [15:07:57], Markus Armbruster wrote:
> Amit Shah  writes:
> 
> > This commit adds port-specific stats for the number of bytes received,
> > sent and discarded.  They can be seen in the 'info qtree' monitor output
> > for the specific port.
> >
> > This data can be used to check for data loss bugs (or disprove such
> > claims). It can also be used for accounting, if there's such a need.
> >
> > The stats remain valid throughout the lifetime of the port. Unplugging a
> > port will reset the stats.  The numbers are not reset across port
> > opens/closes.
> >
> > Signed-off-by: Amit Shah 
> 
> I'm not sure "info qtree" is the right place to show device stats.  I
> guess it's the only existing place that comes to mind.  Anthony, what do
> you think?

Ping?

Amit

Re: [Qemu-devel] [PATCH] event_notifier: move to top-level directory

[Stefan Hajnoczi]

On Tue, Sep 27, 2011 at 10:23 PM, Anthony Liguori  wrote:
> On 09/27/2011 11:39 AM, Paolo Bonzini wrote:
>>
>> On 09/27/2011 06:05 PM, Anthony Liguori wrote:
>>>
>>> Actually, for posix-aio, we can just switch to using g_idle_add().
>>> g_idle_add() uses g_source_attach which is thread safe. g_idle_add()
>>> gives you a thread safe mechanism to defer a piece of work to the
>>> main loop which is really what we want here.
>>
>> For that, a bottom half would also do (apart that I am not sure it is
>> async-safe with TCG). In fact, that would make sense since all of
>> posix_aio_process_queue could become a bottom half.
>
> Bottom halves are signal safe, not thread safe.
>
> To make bottom halves thread safe, you would (in the very least) have to add
> some barriers when reading/writing the scheduling flag.  I think it's much
> better to just use GIdle sources though.
>
>>> This can actually be made to work with sync I/O emulation too by
>>> having another GMainLoop in the sync I/O loop although I thought I
>>> recalled a patch series to remove that stuff.
>>
>> ... which stuff? :)
>
> The sync I/O emulation.  Since sync I/O is done in block drivers, they can
> just use coroutine I/O instead of sync I/O.

Yes, I think we should covert sync I/O code to use coroutines, which
is quite natural.  The users of sync I/O today are:
1. Hardware emulation - lesser-used or not performance-critical code
paths still use bdrv_read/write() in places, e.g. sd, nand, fdc, ide
pio.
2. Block drivers.  Some image formats are synchronous, but converting
to coroutines is pretty easy.
3. qemu-tools including qemu-img and qemu-io.

With Paolo's work to make the event loop available in qemu-tools it
should be possible to convert and eliminate synchronous I/O
interfaces.

Stefan

[Qemu-devel] [Bug 861141] Re: Installing libvirt-bin qemu slows host network

[shu ming]

Do you mean the send-receive result is different than receive-send?
What about the result of bi-direction test?  It looks like that the total bytes 
transferred are also different.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/861141

Title:
  Installing libvirt-bin qemu slows host network

Status in QEMU:
  New

Bug description:
  Installing the packages needed for qemu-kvm slows don network
  connectivity between two non-virtual machines. Uninstalling the
  packages does not restore the previous network speeds.

  Hardware:
  I have two identical machines (DELL poweredge R815), each with Broadcom 
NetXtreme II BCM57711 10-Gigabit PCIe connected via a 10G switch.
  Each machine runs 4 socket 12 core AMD Opteron(tm) Processor 6174 and 128GB 
of ram

  Software:
  Both machines ar running ubuntu server 10.04 lts Kernels are:
  Linux whitlam 2.6.32-28-server #55-Ubuntu SMP Mon Jan 10 23:57:16 UTC 2011 
x86_64 GNU/Linux
  Linux fraser 2.6.32-28-server #55-Ubuntu SMP Mon Jan 10 23:57:16 UTC 2011 
x86_64 GNU/Linux

  I have installed iperf on both machines and I am trying to install kvm
  on fraser.

  The tests here involve running whitlam as the iperf server and fraser as the 
client.
  On whitlam I run:
  bioadmin@whitlam:~# iperf -sm

  On fraser I run:
  bioadmin@fraser:~# iperf -c whitlam -d

  before installation I get:
  bioadmin@whitlam:~# iperf -sm
  
  Server listening on TCP port 5001
  TCP window size: 85.3 KByte (default)
  
  [  5] local 10.168.48.14 port 5001 connected with 10.168.48.13 port 37960
  
  Client connecting to 10.168.48.13, TCP port 5001
  TCP window size:   110 KByte (default)
  
  [  6] local 10.168.48.14 port 49627 connected with 10.168.48.13 port 5001
  Waiting for server threads to complete. Interrupt again to force quit.
  [  5]  0.0-10.0 sec  10.8 GBytes  9.23 Gbits/sec
  [  5] MSS size 1448 bytes (MTU 1500 bytes, ethernet)
  [  6]  0.0-10.0 sec  10.6 GBytes  9.11 Gbits/sec
  [  6] MSS size 1448 bytes (MTU 1500 bytes, ethernet)

  Which is nice.

  Next I run:

  aptitude -y install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-
  utils kvm

  Which results in:
  bioadmin@whitlam:~# iperf -sm
  
  Server listening on TCP port 5001
  TCP window size: 85.3 KByte (default)
  
  [  4] local 10.168.48.14 port 5001 connected with 10.168.48.13 port 56405
  
  Client connecting to 10.168.48.13, TCP port 5001
  TCP window size: 1.25 MByte (default)
  
  [  6] local 10.168.48.14 port 57001 connected with 10.168.48.13 port 5001
  Waiting for server threads to complete. Interrupt again to force quit.
  [ ID] Interval   Transfer Bandwidth
  [  4]  0.0-10.0 sec  10.5 GBytes  9.00 Gbits/sec
  [  4] MSS size 1448 bytes (MTU 1500 bytes, ethernet)
  [  6]  0.0-10.0 sec  2.51 GBytes  2.15 Gbits/sec
  [  6] MSS size 1448 bytes (MTU 1500 bytes, ethernet)

  Note that the connection from the machine with KVM installed (fraser)
  to the other machine (whitlam) is not affected. Only the connection
  from whitlam to fraser.

  Both machines are fresh installs with nfs-common, and iperf installed.

  I had problems with qemu version 0.12 and virtio_net so I was using
  Daniel Baumans ppa for virtualisation. But this problem occurs
  regardless of whether I do this or not.

  I am happy to give versions of software but I have no idea which part
  could be causing this problem and installing kvm etc installs quite a
  few dependencies.

  Please let me know if you need more information

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/861141/+subscriptions

Re: [Qemu-devel] [PATCH 0/1] Make the help info more friendly in monitor

[Stefan Hajnoczi]

On Wed, Sep 28, 2011 at 10:00 AM, Wayne Xia  wrote:
> During my test, I found it inconvenient when I type "help" or "help info",
> because the information was shown without orderliness. This patch would just
> show the help information in sorted order.
>
> For eg:
> (qemu)help
> acl_add
> acl_policy
> acl_remove
> acl_reset
> acl_show
> balloon
> block_passwd
> ...
> the command list is sorted.
>
> Wayne Xia (1):
>  Sort the help info shown in monitor
>
>  monitor.c |   97 ++--
>  1 files changed, 93 insertions(+), 4 deletions(-)

This is a nice idea.  We could keep hmp/qmp-commands.hx in sorted
order but that prevents us from keeping related commands together in
those files (and the generated documentation?).  So sorting at
run-time makes sense.

Stefan

[Qemu-devel] [PATCH] mips_fulong2e: Reorder ISA bus and i8259 creation

[Jan Kiszka]

Missed during memory region conversion: The i8259 now depends on the ISA
bus being created first. Reorder the initialization.

Signed-off-by: Jan Kiszka 
---

I had a reordering patch in my i8259-qdev queue as well, and these bits
were left over after rebasing over current master.

 hw/mips_fulong2e.c |8 
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index f52b8c5..04921c1 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -331,10 +331,6 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const 
char *boot_device,
 cpu_mips_irq_init_cpu(env);
 cpu_mips_clock_init(env);
 
-/* Interrupt controller */
-/* The 8259 -> IP5  */
-i8259 = i8259_init(env->irq[5]);
-
 /* North bridge, Bonito --> IP2 */
 pci_bus = bonito_init((qemu_irq *)&(env->irq[2]));
 
@@ -347,7 +343,11 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const 
char *boot_device,
 exit(1);
 }
 
+/* Interrupt controller */
+/* The 8259 -> IP5  */
+i8259 = i8259_init(env->irq[5]);
 isa_bus_irqs(i8259);
+
 vt82c686b_ide_init(pci_bus, hd, PCI_DEVFN(FULONG2E_VIA_SLOT, 1));
 usb_uhci_vt82c686b_init(pci_bus, PCI_DEVFN(FULONG2E_VIA_SLOT, 2));
 usb_uhci_vt82c686b_init(pci_bus, PCI_DEVFN(FULONG2E_VIA_SLOT, 3));
-- 
1.7.3.4

Re: [Qemu-devel] Qemu varying performance

[Edgar E. Iglesias]

On Wed, Sep 28, 2011 at 02:25:43AM +0200, Torbjorn Granlund wrote:
> Running Debian's vmlinux-2.6.32-5-4kc-malta under qemu-system-mips works
> very well--the system is fast, and when it is idle the qemu-system-mips
> process on the host system consumes insignificant CPU.  (The same is
> true for qemu-system-mipsel, using the correesponding 'el' Debian
> kernel.)
> 
> But running Debian's 64-bit kernel vmlinux-2.6.32-5-5kc-malta under
> qemu-system-mips64 consumes 100% on the host system, whether the guest
> is idle or busy.  (And for qemu-system-mips64el, the same is true for the
> corresponding 64-bit el kernel.)
> 
> This cpu usage makes it somewhat inconvenient to let the qemu processes
> stay running.  Is there anything that can be done about the cpu usage?
> Is it a Linux problem (say, that the 64-bit kernel fails to invoke some
> clever system sleep instruction when in the idle loop), or is it a qemu
> problem?

Hi, It could be any of them or both. You'll have to dig a bit deeper and
see if WAIT insns are beeing issued and if QEMU is successfully decoding
them etc.


> Another issue I ran into what the sh4 qemu performance.  It is much
> worse than other qemu ports (except perhaps ppc64).  What is the reason
> behind that?  (The idle thing works well for sh4, though.)

IIRC, the SH has an MMU that is a bit problematic wrt performance in QEMU.

Cheers

Re: [Qemu-devel] [PATCH v2] linux-user: fix memory leak in failure path

[Peter Maydell]

On 28 September 2011 09:24,   wrote:
> From: Alex Jia 
>
> Haven't released memory of 'host_mb' in failure path, and calling malloc 
> allocate
> memory to 'host_array', however, memory hasn't been freed before the function
> target_to_host_semarray returns.
>
> Signed-off-by: Alex Jia 
> ---
>  linux-user/syscall.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 7735008..22d4fcc 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -2466,6 +2466,7 @@ static inline abi_long target_to_host_semarray(int 
> semid, unsigned short **host_
>     for(i=0; i         __get_user((*host_array)[i], &array[i]);
>     }
> +    free(*host_array);
>     unlock_user(array, target_addr, 0);
>
>     return 0;

This is wrong -- you're freeing the array in the exit-success
path, not the error path. And you're still not checking the
return value from malloc().

In fact, on closer examination, this code is pretty nasty:
we allocate the array in target_to_host_semarray and then
free it in host_to_target_semarray, and in both functions
we make a syscall purely to figure out the length of the
array -- so we end up doing that twice when we only need
do it once. And the error exit cases in host_to_target_semarray
don't free the host array either. It could probably be
refactored to make it less ugly: have the code at the
top level do the "find out size of array, malloc it, free"
work, and have host_to_target_semarray and
target_to_host_semarray only do the copying work (this
would match other target_to_host* helpers.)

-- PMM

Re: [Qemu-devel] [PATCH v3 0/6]: block: Add I/O status support

[hkran]

On 09/27/2011 04:43 AM, Luiz Capitulino wrote:

This series adds support to the block layer to keep track of devices'
I/O status. That information is also made available in QMP and HMP.

The goal here is to allow management applications that miss the
BLOCK_IO_ERROR event to able to query the VM to determine if any device has
caused the VM to stop and which device caused it.

Here's an HMP example:

   (qemu) info status
   VM status: paused (io-error)
   (qemu) info block
   ide0-hd0: removable=0 io-status=ok file=disks/test2.img ro=0 drv=qcow2 
encrypted=0
   ide0-hd1: removable=0 io-status=nospace file=/dev/vg_doriath/kvmtest ro=0 
drv=qcow2 encrypted=0
   ide1-cd0: removable=1 locked=0 io-status=ok [not inserted]
   floppy0: removable=1 locked=0 [not inserted]
   sd0: removable=1 locked=0 [not inserted]

The session above shows that the VM is stopped due to an I/O error. By using
the info block command it's possible to determine that the 'ide0-hd1' device
caused the error, which turns out to be due to no space.

changelog
-

v3

o Introduce bdrv_iostatus_disable()
o Also reset the I/O status on bdrv_attach_dev()
o Fix bad assert() in bdrv_iostatus_enable()
o Improve documentation

v2

o Rebase against latest master
o Renamed bdrv_iostatus_update() to bdrv_iostatus_set_err()
o Minor changelog clarifications

  block.c |   57 +++
  block.h |   10 +
  block_int.h |1 +
  hw/ide/core.c   |2 +
  hw/scsi-disk.c  |2 +
  hw/virtio-blk.c |2 +
  monitor.c   |6 +
  qmp-commands.hx |6 +
  8 files changed, 86 insertions(+), 0 deletions(-)


Hi,

How to reproduce a scenario in which the VM is stopped due to the I/O error?
I tried several times by copying data from one place to another place in 
guest OS and finally the system prompted me that there is no space is 
available, however it did not

cause any I/O error and not stop the VM either.

Re: [Qemu-devel] [PATCH V2] Add stdio char device on windows

[Mars.cao]

On 09/27/2011 11:42 PM, Fabien Chouteau wrote:

Simple implementation of an stdio char device on Windows.

Signed-off-by: Fabien Chouteau
---
  qemu-char.c |  199 ++-
  1 files changed, 197 insertions(+), 2 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index 09d2309..46acf1c 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -538,6 +538,9 @@ int send_all(int fd, const void *_buf, int len1)
  }
  #endif /* !_WIN32 */

+#define STDIO_MAX_CLIENTS 1
+static int stdio_nb_clients;


Why change the default initial value (0) of stdio_nb_clients?
Did you mean we should support multiple stdio clients?
But I did not found any other stdio backend in the code.

+
  #ifndef _WIN32

  typedef struct {
@@ -545,8 +548,6 @@ typedef struct {
  int max_size;
  } FDCharDriver;

-#define STDIO_MAX_CLIENTS 1
-static int stdio_nb_clients = 0;

  static int fd_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
  {
@@ -1451,6 +1452,8 @@ static int qemu_chr_open_pp(QemuOpts *opts, 
CharDriverState **_chr)

  #else /* _WIN32 */

+static CharDriverState *stdio_clients[STDIO_MAX_CLIENTS];
+
  typedef struct {
  int max_size;
  HANDLE hcom, hrecv, hsend;
@@ -1809,6 +1812,197 @@ static int qemu_chr_open_win_file_out(QemuOpts *opts, 
CharDriverState **_chr)

  return qemu_chr_open_win_file(fd_out, _chr);
  }
+
+static int win_stdio_write(CharDriverState *chr, const uint8_t *buf, int len)
+{
+HANDLE *hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
+DWORD   dwSize;
+int len1;
+
+len1 = len;
+
+while (len1>  0) {
+if (!WriteFile(hStdOut, buf, len1,&dwSize, NULL)) {
+break;
+}
+buf  += dwSize;
+len1 -= dwSize;
+}
+
+return len - len1;
+}
+
+static HANDLE *hStdIn;
+
+static void win_stdio_wait_func(void *opaque)
+{
+CharDriverState *chr = opaque;
+INPUT_RECORD buf[4];
+int  ret;
+DWORDdwSize;
+int  i;
+
+ret = ReadConsoleInput(hStdIn, buf, sizeof(buf)/sizeof(*buf),&dwSize);
+
+if (!ret) {
+/* Avoid error storm */
+qemu_del_wait_object(hStdIn, NULL, NULL);
+return;
+}
+
+for (i = 0; i<  dwSize; i++) {
+KEY_EVENT_RECORD *kev =&buf[i].Event.KeyEvent;
+
+if (buf[i].EventType == KEY_EVENT&&  kev->bKeyDown) {
+int j;
+if (kev->uChar.AsciiChar != 0) {
+for (j = 0; j<  kev->wRepeatCount; j++)
+if (qemu_chr_be_can_write(chr)) {
+uint8_t c = kev->uChar.AsciiChar;
+qemu_chr_be_write(chr,&c, 1);
+}
+}
+}
+}
+}
+
+static HANDLE  hInputReadyEvent;
+static HANDLE  hInputDoneEvent;
+static uint8_t win_stdio_buf;
+
+static DWORD WINAPI win_stdio_thread(LPVOID param)
+{
+int   ret;
+DWORD dwSize;
+
+while (1) {
+
+/* Wait for one byte */
+ret = ReadFile(hStdIn,&win_stdio_buf, 1,&dwSize, NULL);
+
+/* Exit in case of error, continue if nothing read */
+if (!ret) {
+break;
+}


I think a qemu_del_wait_object() should be added before break.

+if (!dwSize) {
+continue;
+}
+
+/* Some terminal emulator returns \r\n for Enter, just pass \n */
+if (win_stdio_buf == '\r') {
+continue;
+}
+
+/* Signal the main thread and wait until the byte was eaten */
+if (!SetEvent(hInputReadyEvent)) {
+break;
+}
+if (WaitForSingleObject(hInputDoneEvent, INFINITE) != WAIT_OBJECT_0) {
+break;
+}
+}
+
+qemu_del_wait_object(hInputReadyEvent, NULL, NULL);
+return 0;
+}
+
+static void win_stdio_thread_wait_func(void *opaque)
+{
+CharDriverState *chr = opaque;
+
+if (qemu_chr_be_can_write(chr)) {
+qemu_chr_be_write(chr,&win_stdio_buf, 1);
+}
+
+SetEvent(hInputDoneEvent);
+}
+
+static void qemu_chr_set_echo_win_stdio(CharDriverState *chr, bool echo)
+{
+DWORD dwMode = 0;
+
+GetConsoleMode(hStdIn,&dwMode);
+
+if (echo) {
+SetConsoleMode(hStdIn, dwMode | ENABLE_ECHO_INPUT);
+} else {
+SetConsoleMode(hStdIn, dwMode&  ~ENABLE_ECHO_INPUT);
+}
+}
+
+static int qemu_chr_open_win_stdio(QemuOpts *opts,
+CharDriverState **_chr)
+{
+CharDriverState *chr;
+DWORDdwMode;
+int  is_console = 0;
+
+hStdIn = GetStdHandle(STD_INPUT_HANDLE);
+if (hStdIn == INVALID_HANDLE_VALUE) {
+fprintf(stderr, "cannot open stdio: invalid handle\n");
+exit(1);
+}
+
+is_console = GetConsoleMode(hStdIn,&dwMode) != 0;
+
+if (stdio_nb_clients>= STDIO_MAX_CLIENTS
+|| ((display_type != DT_NOGRAPHIC)&&  (stdio_nb_clients != 0))) {
+return -EIO;
+}
+
+chr = g_malloc0(sizeof(CharDriverState));
+if (!chr) {
+

Re: [Qemu-devel] qemu-img: subformat=streamOptimized issue

[Stefan Hajnoczi]

On Wed, Sep 28, 2011 at 12:57 AM, Fam Zheng  wrote:
> This could be a bug. I've briefly checked. It's not limited to
> ISO->streamOptimized, but also reproduced trying to convert from VDI.
> It fails because consequential writes fall into the same cluster of
> target VMDK. The leading write allocates the cluster, and the
> following write fails the check of "no write to allocated cluster"
> because it's already allocated on the previous write.
>
> I'm wondering how we could avoid qemu-img initiating such writes, i.e.
> to ensure it's going in the granularity of VMDK's cluster when
> converting.

Your explanation makes sense.  Have you looked at img_convert() in the
compress=1 case?  There it works in cluster sizes.

Perhaps you can think of a way to take advantage of that or unify the
code with regular convert code path.

Stefan

Re: [Qemu-devel] [PATCH v2] linux-user: fix memory leak in failure path

[Alex Jia]

On 09/28/2011 05:43 PM, Peter Maydell wrote:

On 28 September 2011 09:24,  wrote:

From: Alex Jia

Haven't released memory of 'host_mb' in failure path, and calling malloc 
allocate
memory to 'host_array', however, memory hasn't been freed before the function
target_to_host_semarray returns.

Signed-off-by: Alex Jia
---
  linux-user/syscall.c |3 ++-
  1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7735008..22d4fcc 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2466,6 +2466,7 @@ static inline abi_long target_to_host_semarray(int semid, 
unsigned short **host_
 for(i=0; i
This is wrong -- you're freeing the array in the exit-success
path, not the error path. And you're still not checking the
return value from malloc().

In fact, on closer examination, this code is pretty nasty:
we allocate the array in target_to_host_semarray and then
free it in host_to_target_semarray, and in both functions
we make a syscall purely to figure out the length of the
array -- so we end up doing that twice when we only need
do it once. And the error exit cases in host_to_target_semarray
don't free the host array either. It could probably be
refactored to make it less ugly: have the code at the
top level do the "find out size of array, malloc it, free"

Hi Peter,
You mean caller should free these allocated memory, right?
if so, is v1 patch okay?

Thanks for your nice comment.

Regards,
Alex

work, and have host_to_target_semarray and
target_to_host_semarray only do the copying work (this
would match other target_to_host* helpers.)

-- PMM

[Qemu-devel] [PATCH v2] Move filedescriptor parsing code from net.c into qemu_parse_fd()

[Stefan Berger]

Move the parsing of a filedescriptor into a common function
qemu_parse_fd() so others can use it as well. Have net.c call this
function.

v2:
 - moving qemu_parse_fd into cutils.c

Signed-off-by: Stefan Berger 

---
 cutils.c  |   12 
 net.c |7 +--
 qemu-common.h |1 +
 3 files changed, 14 insertions(+), 6 deletions(-)

Index: qemu-git.pt/net.c
===
--- qemu-git.pt.orig/net.c
+++ qemu-git.pt/net.c
@@ -733,12 +733,7 @@ int net_handle_fd_param(Monitor *mon, co
 return -1;
 }
 } else {
-char *endptr = NULL;
-
-fd = strtol(param, &endptr, 10);
-if (*endptr || (fd == 0 && param == endptr)) {
-return -1;
-}
+fd = qemu_parse_fd(param);
 }
 
 return fd;
Index: qemu-git.pt/qemu-common.h
===
--- qemu-git.pt.orig/qemu-common.h
+++ qemu-git.pt/qemu-common.h
@@ -143,6 +143,7 @@ time_t mktimegm(struct tm *tm);
 int qemu_fls(int i);
 int qemu_fdatasync(int fd);
 int fcntl_setfl(int fd, int flag);
+int qemu_parse_fd(const char *param);
 
 /*
  * strtosz() suffixes used to specify the default treatment of an
Index: qemu-git.pt/cutils.c
===
--- qemu-git.pt.orig/cutils.c
+++ qemu-git.pt/cutils.c
@@ -415,3 +415,15 @@ int64_t strtosz(const char *nptr, char *
 {
 return strtosz_suffix(nptr, end, STRTOSZ_DEFSUFFIX_MB);
 }
+
+int qemu_parse_fd(const char *param)
+{
+int fd;
+char *endptr = NULL;
+
+fd = strtol(param, &endptr, 10);
+if (*endptr || (fd == 0 && param == endptr)) {
+return -1;
+}
+return fd;
+}

Re: [Qemu-devel] [PATCH v2] linux-user: fix memory leak in failure path

[Peter Maydell]

On 28 September 2011 11:37, Alex Jia  wrote:
> On 09/28/2011 05:43 PM, Peter Maydell wrote:
>>
>> On 28 September 2011 09:24,  wrote:
>>>
>>> From: Alex Jia
>>>
>>> Haven't released memory of 'host_mb' in failure path, and calling malloc
>>> allocate
>>> memory to 'host_array', however, memory hasn't been freed before the
>>> function
>>> target_to_host_semarray returns.
>>>
>>> Signed-off-by: Alex Jia
>>> ---
>>>  linux-user/syscall.c |    3 ++-
>>>  1 files changed, 2 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>>> index 7735008..22d4fcc 100644
>>> --- a/linux-user/syscall.c
>>> +++ b/linux-user/syscall.c
>>> @@ -2466,6 +2466,7 @@ static inline abi_long target_to_host_semarray(int
>>> semid, unsigned short **host_
>>>     for(i=0; i>>         __get_user((*host_array)[i],&array[i]);
>>>     }
>>> +    free(*host_array);
>>>     unlock_user(array, target_addr, 0);
>>>
>>>     return 0;
>>
>> This is wrong -- you're freeing the array in the exit-success
>> path, not the error path. And you're still not checking the
>> return value from malloc().
>>
>> In fact, on closer examination, this code is pretty nasty:
>> we allocate the array in target_to_host_semarray and then
>> free it in host_to_target_semarray, and in both functions
>> we make a syscall purely to figure out the length of the
>> array -- so we end up doing that twice when we only need
>> do it once. And the error exit cases in host_to_target_semarray
>> don't free the host array either. It could probably be
>> refactored to make it less ugly: have the code at the
>> top level do the "find out size of array, malloc it, free"
>
> Hi Peter,
> You mean caller should free these allocated memory, right?
> if so, is v1 patch okay?

No, I mean the caller should be doing both the allocation
and the freeing, which means restucturing the code a bit.

-- PMM

[Qemu-devel] [PATCH 06/22] i8259: Drop obsolete prototypes

[Jan Kiszka]

Signed-off-by: Jan Kiszka 
---
 hw/pc.h |2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/hw/pc.h b/hw/pc.h
index 60da282..fd5f9b2 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -62,8 +62,6 @@ bool parallel_mm_init(target_phys_addr_t base, int it_shift, 
qemu_irq irq,
 
 typedef struct PicState2 PicState2;
 extern PicState2 *isa_pic;
-void pic_set_irq(int irq, int level);
-void pic_set_irq_new(void *opaque, int irq, int level);
 qemu_irq *i8259_init(qemu_irq parent_irq);
 int pic_read_irq(PicState2 *s);
 int pic_get_output(PicState2 *s);
-- 
1.7.3.4

[Qemu-devel] [PATCH 22/22] i8259: Move to hw library

[Jan Kiszka]

No target-specific bits remaining, let's move it over.

Signed-off-by: Jan Kiszka 
---
 Makefile.objs   |2 +-
 Makefile.target |8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile.objs b/Makefile.objs
index 1c65087..e56c18a 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -276,7 +276,7 @@ hw-obj-$(CONFIG_AHCI) += ide/ich.o
 hw-obj-$(CONFIG_LSI_SCSI_PCI) += lsi53c895a.o
 hw-obj-$(CONFIG_ESP) += esp.o
 
-hw-obj-y += dma-helpers.o sysbus.o isa-bus.o
+hw-obj-y += dma-helpers.o sysbus.o isa-bus.o i8259.o
 hw-obj-y += qdev-addr.o
 
 # VGA
diff --git a/Makefile.target b/Makefile.target
index 88d2f1f..393f58d 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -219,7 +219,7 @@ obj-$(CONFIG_IVSHMEM) += ivshmem.o
 
 # Hardware support
 obj-i386-y += vga.o
-obj-i386-y += mc146818rtc.o i8259.o pc.o
+obj-i386-y += mc146818rtc.o pc.o
 obj-i386-y += cirrus_vga.o sga.o apic.o ioapic.o piix_pci.o
 obj-i386-y += vmport.o
 obj-i386-y += device-hotplug.o pci-hotplug.o smbios.o wdt_ib700.o
@@ -232,7 +232,7 @@ obj-i386-$(CONFIG_SPICE) += qxl.o qxl-logger.o qxl-render.o
 obj-ppc-y = ppc.o
 obj-ppc-y += vga.o
 # PREP target
-obj-ppc-y += i8259.o mc146818rtc.o
+obj-ppc-y += mc146818rtc.o
 obj-ppc-y += ppc_prep.o
 # OldWorld PowerMac
 obj-ppc-y += ppc_oldworld.o
@@ -283,7 +283,7 @@ obj-lm32-y += framebuffer.o
 
 obj-mips-y = mips_r4k.o mips_jazz.o mips_malta.o mips_mipssim.o
 obj-mips-y += mips_addr.o mips_timer.o mips_int.o
-obj-mips-y += vga.o i8259.o
+obj-mips-y += vga.o
 obj-mips-y += jazz_led.o
 obj-mips-y += gt64xxx.o mc146818rtc.o
 obj-mips-y += cirrus_vga.o
@@ -365,7 +365,7 @@ obj-m68k-y += m68k-semi.o dummy_m68k.o
 
 obj-s390x-y = s390-virtio-bus.o s390-virtio.o
 
-obj-alpha-y = i8259.o mc146818rtc.o
+obj-alpha-y = mc146818rtc.o
 obj-alpha-y += vga.o cirrus_vga.o
 
 obj-xtensa-y += xtensa_pic.o
-- 
1.7.3.4

[Qemu-devel] [PATCH 00/22] Rework i8259 and PC interrupt models

[Jan Kiszka]

Highlights of this series:
 - generic i8259, now part of hwlib
 - qdev conversion of i8259
 - fix for i8259 poll mode (and removal of PREP hack)

The refactoring will also be important to instantiate i8259-kvm devices
for in-kernel irqchip acceleration one day.

Note: depends on "mips_fulong2e: Reorder ISA bus and i8259 creation"

CC: Alexander Graf 

Jan Kiszka (22):
  pc: Drop useless test from isa_irq_handler
  pc: Generalize ISA IRQs to GSIs
  pc: Convert GSIState::i8259_irq into array
  pc: Fix and clean up PIC-to-APIC IRQ path
  i8259: Remove premature inline function attributes
  i8259: Drop obsolete prototypes
  i8259: Move pic_set_irq1 after pic_update_irq
  i8239: Introduce per-PIC output interrupt
  i8259: Do not update IRQ output after spurious pic_poll_read
  i8259: Reorder intack in pic_read_irq
  i8259: Update IRQ state after reset
  i8259: Switch to per-PIC IRQ update
  i8259: Fix poll command
  i8259: Clean up pic_ioport_read
  i8259: PREP: Replace pic_intack_read with pic_read_irq
  i8259: Replace PicState::pics_state with master flag
  i8259: Eliminate PicState2
  qdev: Add HEX8 property
  i8259: Convert to qdev
  i8259: Fix coding style
  monitor: Restrict pic/irq_info to supporting targets
  i8259: Move to hw library

 Makefile.objs   |2 +-
 Makefile.target |8 +-
 hw/an5206.c |   10 --
 hw/apic.c   |4 +
 hw/arm_pic.c|   11 --
 hw/cris_pic_cpu.c   |6 -
 hw/etraxfs.h|1 +
 hw/i8259.c  |  387 ---
 hw/ioapic.h |7 +
 hw/isa.h|2 +
 hw/lm32_pic.c   |4 +-
 hw/lm32_pic.h   |3 +
 hw/microblaze_pic_cpu.c |6 -
 hw/pc.c |   24 ++--
 hw/pc.h |   29 ++--
 hw/pc_piix.c|   30 ++--
 hw/ppc_prep.c   |2 +-
 hw/qdev-properties.c|   29 
 hw/qdev.h   |3 +
 hw/s390-virtio.c|   11 --
 hw/shix.c   |   11 --
 hw/slavio_intctl.c  |   14 ++-
 hw/sun4m.c  |   16 +--
 hw/sun4m.h  |6 +-
 hw/sun4u.c  |8 -
 hw/xtensa_pic.c |   10 --
 monitor.c   |   21 +++
 27 files changed, 331 insertions(+), 334 deletions(-)

-- 
1.7.3.4

[Qemu-devel] [PATCH 04/22] pc: Fix and clean up PIC-to-APIC IRQ path

[Jan Kiszka]

The master PIC is connected to the LINTIN0 of the APICs. As the APIC
currently does not track the state of that line, we have to ask the PIC
to reinject its IRQ after the CPU picked up an event from the APIC.

This introduces pic_get_output to read the master PIC IRQ line state
without changing it. The APIC uses this function to decide if a PIC IRQ
should be reinjected on apic_update_irq. This reflects better how the
real hardware works.

The patch fixes some failures of the kvm unit tests apic and eventinj by
allowing to enable the proper CPU IRQ deassertion when the guest masks
some pending IRQs at PIC level.

Signed-off-by: Jan Kiszka 
---
 hw/apic.c  |4 
 hw/i8259.c |   15 +++
 hw/pc.c|3 ---
 hw/pc.h|2 +-
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/hw/apic.c b/hw/apic.c
index d8f56c8..8289eef 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -23,6 +23,7 @@
 #include "host-utils.h"
 #include "sysbus.h"
 #include "trace.h"
+#include "pc.h"
 
 /* APIC Local Vector Table */
 #define APIC_LVT_TIMER   0
@@ -399,6 +400,9 @@ static void apic_update_irq(APICState *s)
 }
 if (apic_irq_pending(s) > 0) {
 cpu_interrupt(s->cpu_env, CPU_INTERRUPT_HARD);
+} else if (apic_accept_pic_intr(&s->busdev.qdev) &&
+   pic_get_output(isa_pic)) {
+apic_deliver_pic_intr(&s->busdev.qdev, 1);
 }
 }
 
diff --git a/hw/i8259.c b/hw/i8259.c
index e5323ff..6006123 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -146,8 +146,7 @@ static int pic_get_irq(PicState *s)
 
 /* raise irq to CPU if necessary. must be called every time the active
irq may change */
-/* XXX: should not export it, but it is needed for an APIC kludge */
-void pic_update_irq(PicState2 *s)
+static void pic_update_irq(PicState2 *s)
 {
 int irq2, irq;
 
@@ -174,14 +173,9 @@ void pic_update_irq(PicState2 *s)
 printf("pic: cpu_interrupt\n");
 #endif
 qemu_irq_raise(s->parent_irq);
-}
-
-/* all targets should do this rather than acking the IRQ in the cpu */
-#if defined(TARGET_MIPS) || defined(TARGET_PPC) || defined(TARGET_ALPHA)
-else {
+} else {
 qemu_irq_lower(s->parent_irq);
 }
-#endif
 }
 
 #ifdef DEBUG_IRQ_LATENCY
@@ -441,6 +435,11 @@ uint32_t pic_intack_read(PicState2 *s)
 return ret;
 }
 
+int pic_get_output(PicState2 *s)
+{
+return (pic_get_irq(&s->pics[0]) >= 0);
+}
+
 static void elcr_ioport_write(void *opaque, target_phys_addr_t addr,
   uint64_t val, unsigned size)
 {
diff --git a/hw/pc.c b/hw/pc.c
index c979d4b..ff2111c 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -155,9 +155,6 @@ int cpu_get_pic_interrupt(CPUState *env)
 
 intno = apic_get_interrupt(env->apic_state);
 if (intno >= 0) {
-/* set irq request if a PIC irq is still pending */
-/* XXX: improve that */
-pic_update_irq(isa_pic);
 return intno;
 }
 /* read the irq from the PIC */
diff --git a/hw/pc.h b/hw/pc.h
index 2870be4..60da282 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -66,7 +66,7 @@ void pic_set_irq(int irq, int level);
 void pic_set_irq_new(void *opaque, int irq, int level);
 qemu_irq *i8259_init(qemu_irq parent_irq);
 int pic_read_irq(PicState2 *s);
-void pic_update_irq(PicState2 *s);
+int pic_get_output(PicState2 *s);
 uint32_t pic_intack_read(PicState2 *s);
 void pic_info(Monitor *mon);
 void irq_info(Monitor *mon);
-- 
1.7.3.4

[Qemu-devel] [PATCH 05/22] i8259: Remove premature inline function attributes

[Jan Kiszka]

The compiler is smarter in choosing the right optimization.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 6006123..f1d58ba 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -80,7 +80,7 @@ static uint64_t irq_count[16];
 PicState2 *isa_pic;
 
 /* set irq level. If an edge is detected, then the IRR is set to 1 */
-static inline void pic_set_irq1(PicState *s, int irq, int level)
+static void pic_set_irq1(PicState *s, int irq, int level)
 {
 int mask;
 mask = 1 << irq;
@@ -107,7 +107,7 @@ static inline void pic_set_irq1(PicState *s, int irq, int 
level)
 
 /* return the highest priority found in mask (highest = smallest
number). Return 8 if no irq */
-static inline int get_priority(PicState *s, int mask)
+static int get_priority(PicState *s, int mask)
 {
 int priority;
 if (mask == 0)
@@ -206,7 +206,7 @@ static void i8259_set_irq(void *opaque, int irq, int level)
 }
 
 /* acknowledge interrupt 'irq' */
-static inline void pic_intack(PicState *s, int irq)
+static void pic_intack(PicState *s, int irq)
 {
 if (s->auto_eoi) {
 if (s->rotate_on_auto_eoi)
-- 
1.7.3.4

[Qemu-devel] [PATCH 1/2] slirp: Fix use after release on tcp_input

[Jan Kiszka]

ti points into the m buffer. But the latter may already be released
right after the dodata: label. Move the test before the potential
release.

Signed-off-by: Jan Kiszka 
---
 slirp/tcp_input.c |   22 ++
 1 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/slirp/tcp_input.c b/slirp/tcp_input.c
index 2f1a196..942aaf4 100644
--- a/slirp/tcp_input.c
+++ b/slirp/tcp_input.c
@@ -1157,6 +1157,16 @@ step6:
 dodata:
 
/*
+* If this is a small packet, then ACK now - with Nagel
+*  congestion avoidance sender won't send more until
+*  he gets an ACK.
+*/
+   if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
+   ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
+   tp->t_flags |= TF_ACKNOW;
+   }
+
+   /*
 * Process the segment text, merging it into the TCP sequencing queue,
 * and arranging for acknowledgment of receipt if necessary.
 * This process logically involves adjusting tp->rcv_wnd as data
@@ -1235,18 +1245,6 @@ dodata:
}
 
/*
-* If this is a small packet, then ACK now - with Nagel
-*  congestion avoidance sender won't send more until
-*  he gets an ACK.
-*
-* See above.
-*/
-   if (ti->ti_len && (unsigned)ti->ti_len <= 5 &&
-   ((struct tcpiphdr_2 *)ti)->first_char == (char)27) {
-   tp->t_flags |= TF_ACKNOW;
-   }
-
-   /*
 * Return any desired output.
 */
if (needoutput || (tp->t_flags & TF_ACKNOW)) {
-- 
1.7.3.4

[Qemu-devel] [PATCH 2/2] slirp: Fix packet expiration

[Jan Kiszka]

From: Thomas Huth 

The two new variables "arp_requested" and "expiration_date" in the mbuf
structure have been added after the variable-sized "m_dat_" array. The
variables have to be added before the m_dat_ array instead.
Without this patch, the expiration_date gets clobbered by code that
accesses the m_dat_ array.
I experienced this problem with the code in slirp/tftp.c: The
tftp_send_data() function created a new packet with the m_get()
function (which fills-in a default expiration_date value). Then the
TFTP code cleared the data section of the packet, which accidentially
also cleared the expiration_date. This zeroed expiration_date then
finally causes the packet to be discarded during if_start(), so that
TFTP packets were not transmitted anymore.

[Jan: added comment as suggested by Fabien ]

CC: Fabien Chouteau 
Signed-off-by: Thomas Huth 
Signed-off-by: Jan Kiszka 
---
 slirp/mbuf.h |5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index 55170e5..0708840 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -82,12 +82,13 @@ struct m_hdr {
 struct mbuf {
struct  m_hdr m_hdr;
Slirp *slirp;
+   boolarp_requested;
+   uint64_t expiration_date;
+   /* start of dynamic buffer area, must be last element */
union M_dat {
charm_dat_[1]; /* ANSI don't like 0 sized arrays */
char*m_ext_;
} M_dat;
-bool arp_requested;
-uint64_t expiration_date;
 };
 
 #define m_next m_hdr.mh_next
-- 
1.7.3.4

[Qemu-devel] [PATCH 0/2] [PULL] slirp: Small fixes

[Jan Kiszka]

The following changes since commit 46f3069cba94aab44b3b4f87bc270759b4a700fa:

  PPC: use memory API to construct the PCI hole (2011-09-27 19:16:46 +)

are available in the git repository at:
  git://git.kiszka.org/qemu.git queues/slirp

CC: Fabien Chouteau 
CC: Thomas Huth 

Jan Kiszka (1):
  slirp: Fix use after release on tcp_input

Thomas Huth (1):
  slirp: Fix packet expiration

 slirp/mbuf.h  |5 +++--
 slirp/tcp_input.c |   22 ++
 2 files changed, 13 insertions(+), 14 deletions(-)

-- 
1.7.3.4

Re: [Qemu-devel] [PATCH 15/22] i8259: PREP: Replace pic_intack_read with pic_read_irq

[Alexander Graf]

On 28.09.2011, at 13:01, Jan Kiszka wrote:

> There is nothing in the i8259 spec that justifies the special
> pic_intack_read. At least the Linux PREP kernels configure the PICs
> properly so that pic_read_irq returns identical values, and setting
> read_reg_select in PIC0 cannot be derived from any special i8259 mode.
> 
> So switch ppc_prep to pic_read_irq and drop the now unused PIC code.

Andreas is maintaining PREP :)


Alex

[Qemu-devel] [PATCH 08/22] i8239: Introduce per-PIC output interrupt

[Jan Kiszka]

As a first step towards more generic master-slave support, remove
parent_irq in favor of a per-PIC output interrupt line. The slave's
line is attached to IRQ2 of the master, but it remains unused for now.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   21 -
 1 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index de2d5ca..65123bd 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -58,6 +58,7 @@ typedef struct PicState {
 uint8_t single_mode; /* true if slave pic is not initialized */
 uint8_t elcr; /* PIIX edge/trigger selection*/
 uint8_t elcr_mask;
+qemu_irq int_out;
 PicState2 *pics_state;
 MemoryRegion base_io;
 MemoryRegion elcr_io;
@@ -67,7 +68,6 @@ struct PicState2 {
 /* 0 is master pic, 1 is slave pic */
 /* XXX: better separation between the two pics */
 PicState pics[2];
-qemu_irq parent_irq;
 void *irq_request_opaque;
 };
 
@@ -148,9 +148,9 @@ static void pic_update_irq(PicState2 *s)
 }
 printf("pic: cpu_interrupt\n");
 #endif
-qemu_irq_raise(s->parent_irq);
+qemu_irq_raise(s->pics[0].int_out);
 } else {
-qemu_irq_lower(s->parent_irq);
+qemu_irq_lower(s->pics[0].int_out);
 }
 }
 
@@ -297,7 +297,7 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 /* init */
 pic_reset(s);
 /* deassert a pending interrupt */
-qemu_irq_lower(s->pics_state->parent_irq);
+qemu_irq_lower(s->pics_state->pics[0].int_out);
 s->init_state = 1;
 s->init4 = val & 1;
 s->single_mode = val & 2;
@@ -502,8 +502,10 @@ static const MemoryRegionOps pic_elcr_ioport_ops = {
 };
 
 /* XXX: add generic master/slave system */
-static void pic_init1(int io_addr, int elcr_addr, PicState *s)
+static void pic_init(int io_addr, int elcr_addr, PicState *s, qemu_irq int_out)
 {
+s->int_out = int_out;
+
 memory_region_init_io(&s->base_io, &pic_base_ioport_ops, s, "pic", 2);
 memory_region_init_io(&s->elcr_io, &pic_elcr_ioport_ops, s, "elcr", 1);
 
@@ -553,16 +555,17 @@ void irq_info(Monitor *mon)
 
 qemu_irq *i8259_init(qemu_irq parent_irq)
 {
+qemu_irq *irqs;
 PicState2 *s;
 
 s = g_malloc0(sizeof(PicState2));
-pic_init1(0x20, 0x4d0, &s->pics[0]);
-pic_init1(0xa0, 0x4d1, &s->pics[1]);
+irqs = qemu_allocate_irqs(i8259_set_irq, s, 16);
+pic_init(0x20, 0x4d0, &s->pics[0], parent_irq);
+pic_init(0xa0, 0x4d1, &s->pics[1], irqs[2]);
 s->pics[0].elcr_mask = 0xf8;
 s->pics[1].elcr_mask = 0xde;
-s->parent_irq = parent_irq;
 s->pics[0].pics_state = s;
 s->pics[1].pics_state = s;
 isa_pic = s;
-return qemu_allocate_irqs(i8259_set_irq, s, 16);
+return irqs;
 }
-- 
1.7.3.4

[Qemu-devel] [PATCH 10/22] i8259: Reorder intack in pic_read_irq

[Jan Kiszka]

As we want to move the IRQ update to pic_intack, ordering matters: the
slave ack must be executed before the master ack to avoid missing
further pending slave IRQs.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   10 ++
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index cddd3c7..b7a011f 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -228,7 +228,6 @@ int pic_read_irq(PicState2 *s)
 
 irq = pic_get_irq(&s->pics[0]);
 if (irq >= 0) {
-pic_intack(&s->pics[0], irq);
 if (irq == 2) {
 irq2 = pic_get_irq(&s->pics[1]);
 if (irq2 >= 0) {
@@ -238,12 +237,10 @@ int pic_read_irq(PicState2 *s)
 irq2 = 7;
 }
 intno = s->pics[1].irq_base + irq2;
-#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_LATENCY)
-irq = irq2 + 8;
-#endif
 } else {
 intno = s->pics[0].irq_base + irq;
 }
+pic_intack(&s->pics[0], irq);
 } else {
 /* spurious IRQ on host controller */
 irq = 7;
@@ -251,6 +248,11 @@ int pic_read_irq(PicState2 *s)
 }
 pic_update_irq(s);
 
+#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_LATENCY)
+if (irq == 2) {
+irq = irq2 + 8;
+}
+#endif
 #ifdef DEBUG_IRQ_LATENCY
 printf("IRQ%d latency=%0.3fus\n",
irq,
-- 
1.7.3.4

[Qemu-devel] [PATCH 02/22] pc: Generalize ISA IRQs to GSIs

[Jan Kiszka]

The ISA bus IRQ range is 0..15. What isa_irq_handler and IsaIrqState are
actually dealing with are the Global System Interrupts. Refactor the
code to clarify this.

Signed-off-by: Jan Kiszka 
---
 hw/ioapic.h  |7 +++
 hw/isa.h |2 ++
 hw/pc.c  |   18 +-
 hw/pc.h  |   18 ++
 hw/pc_piix.c |   28 ++--
 5 files changed, 42 insertions(+), 31 deletions(-)

diff --git a/hw/ioapic.h b/hw/ioapic.h
index cb2642a..86e63da 100644
--- a/hw/ioapic.h
+++ b/hw/ioapic.h
@@ -17,4 +17,11 @@
  * License along with this library; if not, see .
  */
 
+#ifndef HW_IOAPIC_H
+#define HW_IOAPIC_H
+
+#define IOAPIC_NUM_PINS 24
+
 void ioapic_eoi_broadcast(int vector);
+
+#endif /* !HW_IOAPIC_H */
diff --git a/hw/isa.h b/hw/isa.h
index 432d17a..820c390 100644
--- a/hw/isa.h
+++ b/hw/isa.h
@@ -7,6 +7,8 @@
 #include "memory.h"
 #include "qdev.h"
 
+#define ISA_NUM_IRQS 16
+
 typedef struct ISABus ISABus;
 typedef struct ISADevice ISADevice;
 typedef struct ISADeviceInfo ISADeviceInfo;
diff --git a/hw/pc.c b/hw/pc.c
index a15d165..c979d4b 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -88,15 +88,15 @@ struct e820_table {
 static struct e820_table e820_table;
 struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX};
 
-void isa_irq_handler(void *opaque, int n, int level)
+void gsi_handler(void *opaque, int n, int level)
 {
-IsaIrqState *isa = (IsaIrqState *)opaque;
+GSIState *s = opaque;
 
-DPRINTF("isa_irqs: %s irq %d\n", level? "raise" : "lower", n);
-if (n < 16) {
-qemu_set_irq(isa->i8259[n], level);
+DPRINTF("pc: %s GSI %d\n", level ? "raising" : "lowering", n);
+if (n < ISA_NUM_IRQS) {
+qemu_set_irq(s->i8259_irq[n], level);
 }
-qemu_set_irq(isa->ioapic[n], level);
+qemu_set_irq(s->ioapic_irq[n], level);
 }
 
 static void ioport80_write(void *opaque, uint32_t addr, uint32_t data)
@@ -1115,7 +1115,7 @@ static void cpu_request_exit(void *opaque, int irq, int 
level)
 }
 }
 
-void pc_basic_device_init(qemu_irq *isa_irq,
+void pc_basic_device_init(qemu_irq *gsi,
   ISADevice **rtc_state,
   bool no_vmport)
 {
@@ -1134,8 +1134,8 @@ void pc_basic_device_init(qemu_irq *isa_irq,
 DeviceState *hpet = sysbus_try_create_simple("hpet", HPET_BASE, NULL);
 
 if (hpet) {
-for (i = 0; i < 24; i++) {
-sysbus_connect_irq(sysbus_from_qdev(hpet), i, isa_irq[i]);
+for (i = 0; i < GSI_NUM_PINS; i++) {
+sysbus_connect_irq(sysbus_from_qdev(hpet), i, gsi[i]);
 }
 rtc_irq = qdev_get_gpio_in(hpet, 0);
 }
diff --git a/hw/pc.h b/hw/pc.h
index 7e6ddba..4333898 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -8,6 +8,7 @@
 #include "fdc.h"
 #include "net.h"
 #include "memory.h"
+#include "ioapic.h"
 
 /* PC-style peripherals (also used by other machines).  */
 
@@ -70,15 +71,16 @@ uint32_t pic_intack_read(PicState2 *s);
 void pic_info(Monitor *mon);
 void irq_info(Monitor *mon);
 
-/* ISA */
-#define IOAPIC_NUM_PINS 0x18
+/* Global System Interrupts */
 
-typedef struct isa_irq_state {
-qemu_irq *i8259;
-qemu_irq ioapic[IOAPIC_NUM_PINS];
-} IsaIrqState;
+#define GSI_NUM_PINS IOAPIC_NUM_PINS
 
-void isa_irq_handler(void *opaque, int n, int level);
+typedef struct GSIState {
+qemu_irq *i8259_irq;
+qemu_irq ioapic_irq[IOAPIC_NUM_PINS];
+} GSIState;
+
+void gsi_handler(void *opaque, int n, int level);
 
 /* i8254.c */
 
@@ -141,7 +143,7 @@ void pc_memory_init(MemoryRegion *system_memory,
 MemoryRegion **ram_memory);
 qemu_irq *pc_allocate_cpu_irq(void);
 void pc_vga_init(PCIBus *pci_bus);
-void pc_basic_device_init(qemu_irq *isa_irq,
+void pc_basic_device_init(qemu_irq *gsi,
   ISADevice **rtc_state,
   bool no_vmport);
 void pc_init_ne2k_isa(NICInfo *nd);
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index ce1c87f..e6e280c 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -53,7 +53,7 @@ static const int ide_iobase[MAX_IDE_BUS] = { 0x1f0, 0x170 };
 static const int ide_iobase2[MAX_IDE_BUS] = { 0x3f6, 0x376 };
 static const int ide_irq[MAX_IDE_BUS] = { 14, 15 };
 
-static void ioapic_init(IsaIrqState *isa_irq_state)
+static void ioapic_init(GSIState *gsi_state)
 {
 DeviceState *dev;
 SysBusDevice *d;
@@ -65,7 +65,7 @@ static void ioapic_init(IsaIrqState *isa_irq_state)
 sysbus_mmio_map(d, 0, 0xfec0);
 
 for (i = 0; i < IOAPIC_NUM_PINS; i++) {
-isa_irq_state->ioapic[i] = qdev_get_gpio_in(dev, i);
+gsi_state->ioapic_irq[i] = qdev_get_gpio_in(dev, i);
 }
 }
 
@@ -87,11 +87,11 @@ static void pc_init1(MemoryRegion *system_memory,
 PCII440FXState *i440fx_state;
 int piix3_devfn = -1;
 qemu_irq *cpu_irq;
-qemu_irq *isa_irq;
+qemu_irq *gsi;
 qemu_irq *i8259;
 qemu_irq *cmos_s3;
 qemu_irq *smi_irq;
-IsaIrqState *isa_irq_state;
+GSIStat

[Qemu-devel] [PATCH 17/22] i8259: Eliminate PicState2

[Jan Kiszka]

Introduce a reference to the slave PIC for the few cases we need to
access it without a proper pointer at hand and drop PicState2. We could
even live without slave_pic if we had a better way of modeling the
cascade bus the PICs are attached to (in addition to the ISA bus).

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   61 +--
 hw/pc.h|8 +++---
 2 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 9a4f112..cf0c6ed 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -40,7 +40,7 @@
 //#define DEBUG_IRQ_LATENCY
 //#define DEBUG_IRQ_COUNT
 
-typedef struct PicState {
+struct PicState {
 uint8_t last_irr; /* edge detection */
 uint8_t irr; /* interrupt request register */
 uint8_t imr; /* interrupt mask register */
@@ -62,13 +62,6 @@ typedef struct PicState {
 bool master; /* reflects /SP input pin */
 MemoryRegion base_io;
 MemoryRegion elcr_io;
-} PicState;
-
-struct PicState2 {
-/* 0 is master pic, 1 is slave pic */
-/* XXX: better separation between the two pics */
-PicState pics[2];
-void *irq_request_opaque;
 };
 
 #if defined(DEBUG_PIC) || defined (DEBUG_IRQ_COUNT)
@@ -77,7 +70,8 @@ static int irq_level[16];
 #ifdef DEBUG_IRQ_COUNT
 static uint64_t irq_count[16];
 #endif
-PicState2 *isa_pic;
+PicState *isa_pic;
+static PicState *slave_pic;
 
 /* return the highest priority found in mask (highest = smallest
number). Return 8 if no irq */
@@ -168,7 +162,7 @@ int64_t irq_time[16];
 
 static void i8259_set_irq(void *opaque, int irq, int level)
 {
-PicState2 *s = opaque;
+PicState *s = irq <= 7 ? isa_pic : slave_pic;
 
 #if defined(DEBUG_PIC) || defined(DEBUG_IRQ_COUNT)
 if (level != irq_level[irq]) {
@@ -185,7 +179,7 @@ static void i8259_set_irq(void *opaque, int irq, int level)
 irq_time[irq] = qemu_get_clock_ns(vm_clock);
 }
 #endif
-pic_set_irq1(&s->pics[irq >> 3], irq & 7, level);
+pic_set_irq1(s, irq & 7, level);
 }
 
 /* acknowledge interrupt 'irq' */
@@ -203,29 +197,29 @@ static void pic_intack(PicState *s, int irq)
 pic_update_irq(s);
 }
 
-int pic_read_irq(PicState2 *s)
+int pic_read_irq(PicState *s)
 {
 int irq, irq2, intno;
 
-irq = pic_get_irq(&s->pics[0]);
+irq = pic_get_irq(s);
 if (irq >= 0) {
 if (irq == 2) {
-irq2 = pic_get_irq(&s->pics[1]);
+irq2 = pic_get_irq(slave_pic);
 if (irq2 >= 0) {
-pic_intack(&s->pics[1], irq2);
+pic_intack(slave_pic, irq2);
 } else {
 /* spurious IRQ on slave controller */
 irq2 = 7;
 }
-intno = s->pics[1].irq_base + irq2;
+intno = slave_pic->irq_base + irq2;
 } else {
-intno = s->pics[0].irq_base + irq;
+intno = s->irq_base + irq;
 }
-pic_intack(&s->pics[0], irq);
+pic_intack(s, irq);
 } else {
 /* spurious IRQ on host controller */
 irq = 7;
-intno = s->pics[0].irq_base + irq;
+intno = s->irq_base + irq;
 }
 
 #if defined(DEBUG_PIC) || defined(DEBUG_IRQ_LATENCY)
@@ -385,9 +379,9 @@ static uint64_t pic_ioport_read(void *opaque, 
target_phys_addr_t addr,
 return ret;
 }
 
-int pic_get_output(PicState2 *s)
+int pic_get_output(PicState *s)
 {
-return (pic_get_irq(&s->pics[0]) >= 0);
+return (pic_get_irq(s) >= 0);
 }
 
 static void elcr_ioport_write(void *opaque, target_phys_addr_t addr,
@@ -475,8 +469,8 @@ void pic_info(Monitor *mon)
 if (!isa_pic)
 return;
 
-for(i=0;i<2;i++) {
-s = &isa_pic->pics[i];
+for (i = 0; i < 2; i++) {
+s = i == 0 ? isa_pic : slave_pic;
 monitor_printf(mon, "pic%d: irr=%02x imr=%02x isr=%02x hprio=%d "
"irq_base=%02x rr_sel=%d elcr=%02x fnm=%d\n",
i, s->irr, s->imr, s->isr, s->priority_add,
@@ -505,14 +499,19 @@ void irq_info(Monitor *mon)
 qemu_irq *i8259_init(qemu_irq parent_irq)
 {
 qemu_irq *irqs;
-PicState2 *s;
-
-s = g_malloc0(sizeof(PicState2));
-irqs = qemu_allocate_irqs(i8259_set_irq, s, 16);
-pic_init(0x20, 0x4d0, &s->pics[0], parent_irq, true);
-pic_init(0xa0, 0x4d1, &s->pics[1], irqs[2], false);
-s->pics[0].elcr_mask = 0xf8;
-s->pics[1].elcr_mask = 0xde;
+PicState *s;
+
+irqs = qemu_allocate_irqs(i8259_set_irq, NULL, 16);
+
+s = g_malloc0(sizeof(PicState));
+pic_init(0x20, 0x4d0, s, parent_irq, true);
+s->elcr_mask = 0xf8;
 isa_pic = s;
+
+s = g_malloc0(sizeof(PicState));
+pic_init(0xa0, 0x4d1, s, irqs[2], false);
+s->elcr_mask = 0xde;
+slave_pic = s;
+
 return irqs;
 }
diff --git a/hw/pc.h b/hw/pc.h
index 14c61a2..bfe3dd1 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -60,11 +60,11 @@ bool parallel_mm_init(target_phys_addr_t base, int 
it_shift, qemu_irq irq,
 
 /* i8259.c */
 
-typedef struct PicState2 PicState2;
-extern

[Qemu-devel] [PATCH 14/22] i8259: Clean up pic_ioport_read

[Jan Kiszka]

Drop redundant local address variable.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 849c82e..9e32ceb 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -380,11 +380,10 @@ static uint32_t pic_poll_read(PicState *s)
 return ret;
 }
 
-static uint64_t pic_ioport_read(void *opaque, target_phys_addr_t addr1,
+static uint64_t pic_ioport_read(void *opaque, target_phys_addr_t addr,
 unsigned size)
 {
 PicState *s = opaque;
-unsigned int addr = addr1;
 int ret;
 
 if (s->poll) {
-- 
1.7.3.4

Re: [Qemu-devel] VirtIO 9p mount_tag (bogus?) limit of 32 bytes

[Harsh Bora]

On 09/22/2011 11:12 PM, Daniel P. Berrange wrote:

I've noticed that if you use a virtio 9p filesystem with a mount_tag
property value that is longer than 32 bytes, it gets silently truncated.

In virtio-9p-device.c

 len = strlen(conf->tag);
 if (len>  MAX_TAG_LEN) {
 len = MAX_TAG_LEN;


I think its better to return here with a failure message saying 
mount_tag too long. IIUC, The 32 byte limit has been kept because of 
understanding that mount_tag is a device name in guest (and not a path 
location).


Aneesh, any inputs ?

- Harsh


 }


The header  virtio-9p.h contains


   /* from Linux's linux/virtio_9p.h */

   /* The ID for virtio console */
   #define VIRTIO_ID_9P9
   #define MAX_REQ 128
   #define MAX_TAG_LEN 32


The Linux kernel's  virtio_9p.h, however, does not have any MAX_TAG_LEN
constant and AFAICT the code in Linux's net/9p/trans_virtio.c is not
placing any 32 byte length restriction on the mount tag.

So is this QEMU length limit legacy code that can be removed ?

If using the mount_tag to specify the desired guest mount location path,
then 32 bytes is really quite limiting - a good 255 bytes is much more
desirable.

Finally, regardless of what limit is imposed, it would be better to
return an error if the user attempts to specify an excessively long
mount tag, rather than truncate it breaking the guest app relying on
the full tag.

Regards,
Daniel

[Qemu-devel] [PATCH 12/22] i8259: Switch to per-PIC IRQ update

[Jan Kiszka]

This converts pic_update_irq to work against a single PIC instead of the
complete cascade. Along this change, the required update after
pic_set_irq1 is now moved into that function.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   59 ---
 1 files changed, 20 insertions(+), 39 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 3498c6b..53b86dd 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -118,39 +118,19 @@ static int pic_get_irq(PicState *s)
 }
 }
 
-static void pic_set_irq1(PicState *s, int irq, int level);
-
-/* raise irq to CPU if necessary. must be called every time the active
-   irq may change */
-static void pic_update_irq(PicState2 *s)
+/* Update INT output. Must be called every time the output may have changed. */
+static void pic_update_irq(PicState *s)
 {
-int irq2, irq;
-
-/* first look at slave pic */
-irq2 = pic_get_irq(&s->pics[1]);
-if (irq2 >= 0) {
-/* if irq request by slave pic, signal master PIC */
-pic_set_irq1(&s->pics[0], 2, 1);
-pic_set_irq1(&s->pics[0], 2, 0);
-}
-/* look at requested irq */
-irq = pic_get_irq(&s->pics[0]);
-if (irq >= 0) {
-#if defined(DEBUG_PIC)
-{
-int i;
-for(i = 0; i < 2; i++) {
-printf("pic%d: imr=%x irr=%x padd=%d\n",
-   i, s->pics[i].imr, s->pics[i].irr,
-   s->pics[i].priority_add);
+int irq;
 
-}
-}
-printf("pic: cpu_interrupt\n");
-#endif
-qemu_irq_raise(s->pics[0].int_out);
+irq = pic_get_irq(s);
+if (irq >= 0) {
+DPRINTF("pic%d: imr=%x irr=%x padd=%d\n",
+s == &s->pics_state->pics[0] ? 0 : 1, s->imr, s->irr,
+s->priority_add);
+qemu_irq_raise(s->int_out);
 } else {
-qemu_irq_lower(s->pics[0].int_out);
+qemu_irq_lower(s->int_out);
 }
 }
 
@@ -179,6 +159,7 @@ static void pic_set_irq1(PicState *s, int irq, int level)
 s->last_irr &= ~mask;
 }
 }
+pic_update_irq(s);
 }
 
 #ifdef DEBUG_IRQ_LATENCY
@@ -205,7 +186,6 @@ static void i8259_set_irq(void *opaque, int irq, int level)
 }
 #endif
 pic_set_irq1(&s->pics[irq >> 3], irq & 7, level);
-pic_update_irq(s);
 }
 
 /* acknowledge interrupt 'irq' */
@@ -220,6 +200,7 @@ static void pic_intack(PicState *s, int irq)
 /* We don't clear a level sensitive interrupt here */
 if (!(s->elcr & (1 << irq)))
 s->irr &= ~(1 << irq);
+pic_update_irq(s);
 }
 
 int pic_read_irq(PicState2 *s)
@@ -246,7 +227,6 @@ int pic_read_irq(PicState2 *s)
 irq = 7;
 intno = s->pics[0].irq_base + irq;
 }
-pic_update_irq(s);
 
 #if defined(DEBUG_PIC) || defined(DEBUG_IRQ_LATENCY)
 if (irq == 2) {
@@ -283,7 +263,7 @@ static void pic_reset(void *opaque)
 s->init4 = 0;
 s->single_mode = 0;
 /* Note: ELCR is not reset */
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 }
 
 static void pic_ioport_write(void *opaque, target_phys_addr_t addr64,
@@ -326,23 +306,23 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 s->isr &= ~(1 << irq);
 if (cmd == 5)
 s->priority_add = (irq + 1) & 7;
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 }
 break;
 case 3:
 irq = val & 7;
 s->isr &= ~(1 << irq);
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 break;
 case 6:
 s->priority_add = (val + 1) & 7;
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 break;
 case 7:
 irq = val & 7;
 s->isr &= ~(1 << irq);
 s->priority_add = (irq + 1) & 7;
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 break;
 default:
 /* no operation */
@@ -354,7 +334,7 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 case 0:
 /* normal mode */
 s->imr = val;
-pic_update_irq(s->pics_state);
+pic_update_irq(s);
 break;
 case 1:
 s->irq_base = val & 0xf8;
@@ -390,8 +370,9 @@ static uint32_t pic_poll_read(PicState *s)
 }
 s->irr &= ~(1 << ret);
 s->isr &= ~(1 << ret);
-if (slave || ret != 2)
-pic_update_irq(s->pics_state);
+if (slave || ret != 2) {
+pic_update_irq(s);
+}
 } else {
 ret = 0x07;
 }
-- 
1.7.3.4

[Qemu-devel] [PATCH 07/22] i8259: Move pic_set_irq1 after pic_update_irq

[Jan Kiszka]

We are about to call the latter from the former. No functional changes.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   55 +--
 1 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index f1d58ba..de2d5ca 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -79,32 +79,6 @@ static uint64_t irq_count[16];
 #endif
 PicState2 *isa_pic;
 
-/* set irq level. If an edge is detected, then the IRR is set to 1 */
-static void pic_set_irq1(PicState *s, int irq, int level)
-{
-int mask;
-mask = 1 << irq;
-if (s->elcr & mask) {
-/* level triggered */
-if (level) {
-s->irr |= mask;
-s->last_irr |= mask;
-} else {
-s->irr &= ~mask;
-s->last_irr &= ~mask;
-}
-} else {
-/* edge triggered */
-if (level) {
-if ((s->last_irr & mask) == 0)
-s->irr |= mask;
-s->last_irr |= mask;
-} else {
-s->last_irr &= ~mask;
-}
-}
-}
-
 /* return the highest priority found in mask (highest = smallest
number). Return 8 if no irq */
 static int get_priority(PicState *s, int mask)
@@ -144,6 +118,8 @@ static int pic_get_irq(PicState *s)
 }
 }
 
+static void pic_set_irq1(PicState *s, int irq, int level);
+
 /* raise irq to CPU if necessary. must be called every time the active
irq may change */
 static void pic_update_irq(PicState2 *s)
@@ -178,6 +154,33 @@ static void pic_update_irq(PicState2 *s)
 }
 }
 
+/* set irq level. If an edge is detected, then the IRR is set to 1 */
+static void pic_set_irq1(PicState *s, int irq, int level)
+{
+int mask;
+mask = 1 << irq;
+if (s->elcr & mask) {
+/* level triggered */
+if (level) {
+s->irr |= mask;
+s->last_irr |= mask;
+} else {
+s->irr &= ~mask;
+s->last_irr &= ~mask;
+}
+} else {
+/* edge triggered */
+if (level) {
+if ((s->last_irr & mask) == 0) {
+s->irr |= mask;
+}
+s->last_irr |= mask;
+} else {
+s->last_irr &= ~mask;
+}
+}
+}
+
 #ifdef DEBUG_IRQ_LATENCY
 int64_t irq_time[16];
 #endif
-- 
1.7.3.4

[Qemu-devel] [PATCH 01/22] pc: Drop useless test from isa_irq_handler

[Jan Kiszka]

IsaIrqState::ioapic is always non-NULL. Probably, the concrete
qemu_irq was supposed to be tested, but that's already done by
qemu_set_irq.

Signed-off-by: Jan Kiszka 
---
 hw/pc.c |5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/pc.c b/hw/pc.c
index 203627d..a15d165 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -96,9 +96,8 @@ void isa_irq_handler(void *opaque, int n, int level)
 if (n < 16) {
 qemu_set_irq(isa->i8259[n], level);
 }
-if (isa->ioapic)
-qemu_set_irq(isa->ioapic[n], level);
-};
+qemu_set_irq(isa->ioapic[n], level);
+}
 
 static void ioport80_write(void *opaque, uint32_t addr, uint32_t data)
 {
-- 
1.7.3.4

[Qemu-devel] [PATCH 15/22] i8259: PREP: Replace pic_intack_read with pic_read_irq

[Jan Kiszka]

There is nothing in the i8259 spec that justifies the special
pic_intack_read. At least the Linux PREP kernels configure the PICs
properly so that pic_read_irq returns identical values, and setting
read_reg_select in PIC0 cannot be derived from any special i8259 mode.

So switch ppc_prep to pic_read_irq and drop the now unused PIC code.

CC: Alexander Graf 
Signed-off-by: Jan Kiszka 
---
 hw/i8259.c|   39 ---
 hw/pc.h   |1 -
 hw/ppc_prep.c |2 +-
 3 files changed, 1 insertions(+), 41 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 9e32ceb..bbb12cf 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -356,30 +356,6 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 }
 }
 
-static uint32_t pic_poll_read(PicState *s)
-{
-int ret;
-
-ret = pic_get_irq(s);
-if (ret >= 0) {
-bool slave = (s == &isa_pic->pics[1]);
-
-if (slave) {
-s->pics_state->pics[0].isr &= ~(1 << 2);
-s->pics_state->pics[0].irr &= ~(1 << 2);
-}
-s->irr &= ~(1 << ret);
-s->isr &= ~(1 << ret);
-if (slave || ret != 2) {
-pic_update_irq(s);
-}
-} else {
-ret = 0x07;
-}
-
-return ret;
-}
-
 static uint64_t pic_ioport_read(void *opaque, target_phys_addr_t addr,
 unsigned size)
 {
@@ -409,21 +385,6 @@ static uint64_t pic_ioport_read(void *opaque, 
target_phys_addr_t addr,
 return ret;
 }
 
-/* memory mapped interrupt status */
-/* XXX: may be the same than pic_read_irq() */
-uint32_t pic_intack_read(PicState2 *s)
-{
-int ret;
-
-ret = pic_poll_read(&s->pics[0]);
-if (ret == 2)
-ret = pic_poll_read(&s->pics[1]) + 8;
-/* Prepare for ISR read */
-s->pics[0].read_reg_select = 1;
-
-return ret;
-}
-
 int pic_get_output(PicState2 *s)
 {
 return (pic_get_irq(&s->pics[0]) >= 0);
diff --git a/hw/pc.h b/hw/pc.h
index fd5f9b2..14c61a2 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -65,7 +65,6 @@ extern PicState2 *isa_pic;
 qemu_irq *i8259_init(qemu_irq parent_irq);
 int pic_read_irq(PicState2 *s);
 int pic_get_output(PicState2 *s);
-uint32_t pic_intack_read(PicState2 *s);
 void pic_info(Monitor *mon);
 void irq_info(Monitor *mon);
 
diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index d26049b..6427baa 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -130,7 +130,7 @@ static inline uint32_t _PPC_intack_read(target_phys_addr_t 
addr)
 uint32_t retval = 0;
 
 if ((addr & 0xf) == 0)
-retval = pic_intack_read(isa_pic);
+retval = pic_read_irq(isa_pic);
 #if 0
 printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
retval);
-- 
1.7.3.4

[Qemu-devel] [PATCH 09/22] i8259: Do not update IRQ output after spurious pic_poll_read

[Jan Kiszka]

If pic_poll_read finds no pending IRQ and return a spurious one instead,
no PIC state is changed, thus we do not need to call pic_update_irq.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 65123bd..cddd3c7 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -393,7 +393,6 @@ static uint32_t pic_poll_read(PicState *s)
 pic_update_irq(s->pics_state);
 } else {
 ret = 0x07;
-pic_update_irq(s->pics_state);
 }
 
 return ret;
-- 
1.7.3.4

[Qemu-devel] [PATCH 20/22] i8259: Fix coding style

[Jan Kiszka]

No functional changes.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   54 ++
 1 files changed, 34 insertions(+), 20 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index ae6f784..04ef0ca 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -67,7 +67,7 @@ struct PicState {
 MemoryRegion elcr_io;
 };
 
-#if defined(DEBUG_PIC) || defined (DEBUG_IRQ_COUNT)
+#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_COUNT)
 static int irq_level[16];
 #endif
 #ifdef DEBUG_IRQ_COUNT
@@ -84,11 +84,14 @@ static PicState *slave_pic;
 static int get_priority(PicState *s, int mask)
 {
 int priority;
-if (mask == 0)
+
+if (mask == 0) {
 return 8;
+}
 priority = 0;
-while ((mask & (1 << ((priority + s->priority_add) & 7))) == 0)
+while ((mask & (1 << ((priority + s->priority_add) & 7))) == 0) {
 priority++;
+}
 return priority;
 }
 
@@ -99,14 +102,16 @@ static int pic_get_irq(PicState *s)
 
 mask = s->irr & ~s->imr;
 priority = get_priority(s, mask);
-if (priority == 8)
+if (priority == 8) {
 return -1;
+}
 /* compute current priority. If special fully nested mode on the
master, the IRQ coming from the slave is not taken into account
for the priority computation. */
 mask = s->isr;
-if (s->special_mask)
+if (s->special_mask) {
 mask &= ~s->imr;
+}
 if (s->special_fully_nested_mode && s->master) {
 mask &= ~(1 << 2);
 }
@@ -188,14 +193,16 @@ static void pic_set_irq(void *opaque, int irq, int level)
 static void pic_intack(PicState *s, int irq)
 {
 if (s->auto_eoi) {
-if (s->rotate_on_auto_eoi)
+if (s->rotate_on_auto_eoi) {
 s->priority_add = (irq + 1) & 7;
+}
 } else {
 s->isr |= (1 << irq);
 }
 /* We don't clear a level sensitive interrupt here */
-if (!(s->elcr & (1 << irq)))
+if (!(s->elcr & (1 << irq))) {
 s->irr &= ~(1 << irq);
+}
 pic_update_irq(s);
 }
 
@@ -278,18 +285,22 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 s->init_state = 1;
 s->init4 = val & 1;
 s->single_mode = val & 2;
-if (val & 0x08)
+if (val & 0x08) {
 hw_error("level sensitive irq not supported");
+}
 } else if (val & 0x08) {
-if (val & 0x04)
+if (val & 0x04) {
 s->poll = 1;
-if (val & 0x02)
+}
+if (val & 0x02) {
 s->read_reg_select = val & 1;
-if (val & 0x40)
+}
+if (val & 0x40) {
 s->special_mask = (val >> 5) & 1;
+}
 } else {
 cmd = val >> 5;
-switch(cmd) {
+switch (cmd) {
 case 0:
 case 4:
 s->rotate_on_auto_eoi = cmd >> 2;
@@ -300,8 +311,9 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 if (priority != 8) {
 irq = (priority + s->priority_add) & 7;
 s->isr &= ~(1 << irq);
-if (cmd == 5)
+if (cmd == 5) {
 s->priority_add = (irq + 1) & 7;
+}
 pic_update_irq(s);
 }
 break;
@@ -326,7 +338,7 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 }
 }
 } else {
-switch(s->init_state) {
+switch (s->init_state) {
 case 0:
 /* normal mode */
 s->imr = val;
@@ -369,10 +381,11 @@ static uint64_t pic_ioport_read(void *opaque, 
target_phys_addr_t addr,
 s->poll = 0;
 } else {
 if (addr == 0) {
-if (s->read_reg_select)
+if (s->read_reg_select) {
 ret = s->isr;
-else
+} else {
 ret = s->irr;
+}
 } else {
 ret = s->imr;
 }
@@ -405,7 +418,7 @@ static const VMStateDescription vmstate_pic = {
 .version_id = 1,
 .minimum_version_id = 1,
 .minimum_version_id_old = 1,
-.fields  = (VMStateField []) {
+.fields = (VMStateField[]) {
 VMSTATE_UINT8(last_irr, PicState),
 VMSTATE_UINT8(irr, PicState),
 VMSTATE_UINT8(imr, PicState),
@@ -468,9 +481,9 @@ void pic_info(Monitor *mon)
 int i;
 PicState *s;
 
-if (!isa_pic)
+if (!isa_pic) {
 return;
-
+}
 for (i = 0; i < 2; i++) {
 s = i == 0 ? isa_pic : slave_pic;
 monitor_printf(mon, "pic%d: irr=%02x imr=%02x isr=%02x hprio=%d "
@@ -492,8 +505,9 @@ void irq_info(Monitor *mon)
 monitor_printf(mon, "IRQ statistics:\n");
 for (i = 0; i < 16; i++) {
 count = irq_count[i];
-if (count > 0)
+if (count > 0) {
 monitor_printf(mon, "%2d: %" PRI

[Qemu-devel] [PATCH 16/22] i8259: Replace PicState::pics_state with master flag

[Jan Kiszka]

This reflects how real PICs indentify their role (in non-buffered mode):
Pass the state of the /SP input on pic_init and use it instead of
pics_state to differentiate between master and slave mode.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |   18 +-
 1 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index bbb12cf..9a4f112 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -59,7 +59,7 @@ typedef struct PicState {
 uint8_t elcr; /* PIIX edge/trigger selection*/
 uint8_t elcr_mask;
 qemu_irq int_out;
-PicState2 *pics_state;
+bool master; /* reflects /SP input pin */
 MemoryRegion base_io;
 MemoryRegion elcr_io;
 } PicState;
@@ -107,8 +107,9 @@ static int pic_get_irq(PicState *s)
 mask = s->isr;
 if (s->special_mask)
 mask &= ~s->imr;
-if (s->special_fully_nested_mode && s == &s->pics_state->pics[0])
+if (s->special_fully_nested_mode && s->master) {
 mask &= ~(1 << 2);
+}
 cur_priority = get_priority(s, mask);
 if (priority < cur_priority) {
 /* higher priority found: an irq should be generated */
@@ -126,8 +127,7 @@ static void pic_update_irq(PicState *s)
 irq = pic_get_irq(s);
 if (irq >= 0) {
 DPRINTF("pic%d: imr=%x irr=%x padd=%d\n",
-s == &s->pics_state->pics[0] ? 0 : 1, s->imr, s->irr,
-s->priority_add);
+s->master ? 0 : 1, s->imr, s->irr, s->priority_add);
 qemu_irq_raise(s->int_out);
 } else {
 qemu_irq_lower(s->int_out);
@@ -449,9 +449,11 @@ static const MemoryRegionOps pic_elcr_ioport_ops = {
 };
 
 /* XXX: add generic master/slave system */
-static void pic_init(int io_addr, int elcr_addr, PicState *s, qemu_irq int_out)
+static void pic_init(int io_addr, int elcr_addr, PicState *s, qemu_irq int_out,
+ bool master)
 {
 s->int_out = int_out;
+s->master = master;
 
 memory_region_init_io(&s->base_io, &pic_base_ioport_ops, s, "pic", 2);
 memory_region_init_io(&s->elcr_io, &pic_elcr_ioport_ops, s, "elcr", 1);
@@ -507,12 +509,10 @@ qemu_irq *i8259_init(qemu_irq parent_irq)
 
 s = g_malloc0(sizeof(PicState2));
 irqs = qemu_allocate_irqs(i8259_set_irq, s, 16);
-pic_init(0x20, 0x4d0, &s->pics[0], parent_irq);
-pic_init(0xa0, 0x4d1, &s->pics[1], irqs[2]);
+pic_init(0x20, 0x4d0, &s->pics[0], parent_irq, true);
+pic_init(0xa0, 0x4d1, &s->pics[1], irqs[2], false);
 s->pics[0].elcr_mask = 0xf8;
 s->pics[1].elcr_mask = 0xde;
-s->pics[0].pics_state = s;
-s->pics[1].pics_state = s;
 isa_pic = s;
 return irqs;
 }
-- 
1.7.3.4

[Qemu-devel] [PATCH 03/22] pc: Convert GSIState::i8259_irq into array

[Jan Kiszka]

Will be required when we no longer let i8259_init allocate the PIC IRQs
but convert that chips to qdev.

Signed-off-by: Jan Kiszka 
---
 hw/pc.h  |2 +-
 hw/pc_piix.c |4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/pc.h b/hw/pc.h
index 4333898..2870be4 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -76,7 +76,7 @@ void irq_info(Monitor *mon);
 #define GSI_NUM_PINS IOAPIC_NUM_PINS
 
 typedef struct GSIState {
-qemu_irq *i8259_irq;
+qemu_irq i8259_irq[ISA_NUM_IRQS];
 qemu_irq ioapic_irq[IOAPIC_NUM_PINS];
 } GSIState;
 
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index e6e280c..c89042f 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -158,7 +158,9 @@ static void pc_init1(MemoryRegion *system_memory,
 i8259 = xen_interrupt_controller_init();
 }
 
-gsi_state->i8259_irq = i8259;
+for (i = 0; i < ISA_NUM_IRQS; i++) {
+gsi_state->i8259_irq[i] = i8259[i];
+}
 if (pci_enabled) {
 ioapic_init(gsi_state);
 }
-- 
1.7.3.4

[Qemu-devel] [PATCH 18/22] qdev: Add HEX8 property

[Jan Kiszka]

Signed-off-by: Jan Kiszka 
---
 hw/qdev-properties.c |   29 +
 hw/qdev.h|3 +++
 2 files changed, 32 insertions(+), 0 deletions(-)

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index e0e54aa..f0b811c 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -93,6 +93,35 @@ PropertyInfo qdev_prop_uint8 = {
 .print = print_uint8,
 };
 
+/* --- 8bit hex value --- */
+
+static int parse_hex8(DeviceState *dev, Property *prop, const char *str)
+{
+uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
+char *end;
+
+*ptr = strtoul(str, &end, 16);
+if ((*end != '\0') || (end == str)) {
+return -EINVAL;
+}
+
+return 0;
+}
+
+static int print_hex8(DeviceState *dev, Property *prop, char *dest, size_t len)
+{
+uint8_t *ptr = qdev_get_prop_ptr(dev, prop);
+return snprintf(dest, len, "0x%" PRIx8, *ptr);
+}
+
+PropertyInfo qdev_prop_hex8 = {
+.name  = "hex8",
+.type  = PROP_TYPE_UINT8,
+.size  = sizeof(uint8_t),
+.parse = parse_hex8,
+.print = print_hex8,
+};
+
 /* --- 16bit integer --- */
 
 static int parse_uint16(DeviceState *dev, Property *prop, const char *str)
diff --git a/hw/qdev.h b/hw/qdev.h
index 8a13ec9..aa7ae36 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -224,6 +224,7 @@ extern PropertyInfo qdev_prop_uint16;
 extern PropertyInfo qdev_prop_uint32;
 extern PropertyInfo qdev_prop_int32;
 extern PropertyInfo qdev_prop_uint64;
+extern PropertyInfo qdev_prop_hex8;
 extern PropertyInfo qdev_prop_hex32;
 extern PropertyInfo qdev_prop_hex64;
 extern PropertyInfo qdev_prop_string;
@@ -267,6 +268,8 @@ extern PropertyInfo qdev_prop_pci_devfn;
 DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_int32, int32_t)
 #define DEFINE_PROP_UINT64(_n, _s, _f, _d)  \
 DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_uint64, uint64_t)
+#define DEFINE_PROP_HEX8(_n, _s, _f, _d)   \
+DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_hex8, uint8_t)
 #define DEFINE_PROP_HEX32(_n, _s, _f, _d)   \
 DEFINE_PROP_DEFAULT(_n, _s, _f, _d, qdev_prop_hex32, uint32_t)
 #define DEFINE_PROP_HEX64(_n, _s, _f, _d)   \
-- 
1.7.3.4

[Qemu-devel] [PATCH 13/22] i8259: Fix poll command

[Jan Kiszka]

This was probably never used so far: According to the spec, polling
means ack'ing the pending IRQ and setting its corresponding bit in isr.
Moreover, we have to signal a pending IRQ via bit 7 of the returned
value, and we must not return a spurious IRQ if none is pending.

This implements the poll command without the help of pic_poll_read which
is left untouched as pic_intack_read is still using it.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |8 +++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index 53b86dd..849c82e 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -388,7 +388,13 @@ static uint64_t pic_ioport_read(void *opaque, 
target_phys_addr_t addr1,
 int ret;
 
 if (s->poll) {
-ret = pic_poll_read(s);
+ret = pic_get_irq(s);
+if (ret >= 0) {
+pic_intack(s, ret);
+ret |= 0x80;
+} else {
+ret = 0;
+}
 s->poll = 0;
 } else {
 if (addr == 0) {
-- 
1.7.3.4

[Qemu-devel] [PATCH 11/22] i8259: Update IRQ state after reset

[Jan Kiszka]

As we clearly modify the PIC state on pic_reset, we also have to update
the IRQ output. This only happened on init so far. Apply this
consistently.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index b7a011f..3498c6b 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -283,6 +283,7 @@ static void pic_reset(void *opaque)
 s->init4 = 0;
 s->single_mode = 0;
 /* Note: ELCR is not reset */
+pic_update_irq(s->pics_state);
 }
 
 static void pic_ioport_write(void *opaque, target_phys_addr_t addr64,
@@ -298,8 +299,6 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 if (val & 0x10) {
 /* init */
 pic_reset(s);
-/* deassert a pending interrupt */
-qemu_irq_lower(s->pics_state->pics[0].int_out);
 s->init_state = 1;
 s->init4 = val & 1;
 s->single_mode = val & 2;
-- 
1.7.3.4

[Qemu-devel] [PATCH 19/22] i8259: Convert to qdev

[Jan Kiszka]

This key cleanup step requires to move the IRQ debugging bit from
i8259_set_irq directly to the per-PIC pic_set_irq, to pass the PIC
parameters (I/O base, ELCR address and mask, master/slave mode) as
qdev properties, and to interconnect the PICs with their environment via
GPIO pins.

Signed-off-by: Jan Kiszka 
---
 hw/i8259.c |  158 ++--
 1 files changed, 100 insertions(+), 58 deletions(-)

diff --git a/hw/i8259.c b/hw/i8259.c
index cf0c6ed..ae6f784 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -41,6 +41,7 @@
 //#define DEBUG_IRQ_COUNT
 
 struct PicState {
+ISADevice dev;
 uint8_t last_irr; /* edge detection */
 uint8_t irr; /* interrupt request register */
 uint8_t imr; /* interrupt mask register */
@@ -58,8 +59,10 @@ struct PicState {
 uint8_t single_mode; /* true if slave pic is not initialized */
 uint8_t elcr; /* PIIX edge/trigger selection*/
 uint8_t elcr_mask;
-qemu_irq int_out;
-bool master; /* reflects /SP input pin */
+qemu_irq int_out[1];
+uint32_t master; /* reflects /SP input pin */
+uint32_t iobase;
+uint32_t elcr_addr;
 MemoryRegion base_io;
 MemoryRegion elcr_io;
 };
@@ -70,6 +73,9 @@ static int irq_level[16];
 #ifdef DEBUG_IRQ_COUNT
 static uint64_t irq_count[16];
 #endif
+#ifdef DEBUG_IRQ_LATENCY
+static int64_t irq_time[16];
+#endif
 PicState *isa_pic;
 static PicState *slave_pic;
 
@@ -122,17 +128,39 @@ static void pic_update_irq(PicState *s)
 if (irq >= 0) {
 DPRINTF("pic%d: imr=%x irr=%x padd=%d\n",
 s->master ? 0 : 1, s->imr, s->irr, s->priority_add);
-qemu_irq_raise(s->int_out);
+qemu_irq_raise(s->int_out[0]);
 } else {
-qemu_irq_lower(s->int_out);
+qemu_irq_lower(s->int_out[0]);
 }
 }
 
 /* set irq level. If an edge is detected, then the IRR is set to 1 */
-static void pic_set_irq1(PicState *s, int irq, int level)
+static void pic_set_irq(void *opaque, int irq, int level)
 {
-int mask;
-mask = 1 << irq;
+PicState *s = opaque;
+int mask = 1 << irq;
+
+#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_COUNT) || \
+defined(DEBUG_IRQ_LATENCY)
+int irq_index = s->master ? irq : irq + 8;
+#endif
+#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_COUNT)
+if (level != irq_level[irq_index]) {
+DPRINTF("pic_set_irq: irq=%d level=%d\n", irq_index, level);
+irq_level[irq_index] = level;
+#ifdef DEBUG_IRQ_COUNT
+if (level == 1) {
+irq_count[irq_index]++;
+}
+#endif
+}
+#endif
+#ifdef DEBUG_IRQ_LATENCY
+if (level) {
+irq_time[irq_index] = qemu_get_clock_ns(vm_clock);
+}
+#endif
+
 if (s->elcr & mask) {
 /* level triggered */
 if (level) {
@@ -156,32 +184,6 @@ static void pic_set_irq1(PicState *s, int irq, int level)
 pic_update_irq(s);
 }
 
-#ifdef DEBUG_IRQ_LATENCY
-int64_t irq_time[16];
-#endif
-
-static void i8259_set_irq(void *opaque, int irq, int level)
-{
-PicState *s = irq <= 7 ? isa_pic : slave_pic;
-
-#if defined(DEBUG_PIC) || defined(DEBUG_IRQ_COUNT)
-if (level != irq_level[irq]) {
-DPRINTF("i8259_set_irq: irq=%d level=%d\n", irq, level);
-irq_level[irq] = level;
-#ifdef DEBUG_IRQ_COUNT
-   if (level == 1)
-   irq_count[irq]++;
-#endif
-}
-#endif
-#ifdef DEBUG_IRQ_LATENCY
-if (level) {
-irq_time[irq] = qemu_get_clock_ns(vm_clock);
-}
-#endif
-pic_set_irq1(s, irq & 7, level);
-}
-
 /* acknowledge interrupt 'irq' */
 static void pic_intack(PicState *s, int irq)
 {
@@ -237,9 +239,9 @@ int pic_read_irq(PicState *s)
 return intno;
 }
 
-static void pic_reset(void *opaque)
+static void pic_reset(DeviceState *dev)
 {
-PicState *s = opaque;
+PicState *s = container_of(dev, PicState, dev.qdev);
 
 s->last_irr = 0;
 s->irr = 0;
@@ -272,7 +274,7 @@ static void pic_ioport_write(void *opaque, 
target_phys_addr_t addr64,
 if (addr == 0) {
 if (val & 0x10) {
 /* init */
-pic_reset(s);
+pic_reset(&s->dev.qdev);
 s->init_state = 1;
 s->init4 = val & 1;
 s->single_mode = val & 2;
@@ -443,22 +445,22 @@ static const MemoryRegionOps pic_elcr_ioport_ops = {
 };
 
 /* XXX: add generic master/slave system */
-static void pic_init(int io_addr, int elcr_addr, PicState *s, qemu_irq int_out,
- bool master)
+static int pic_initfn(ISADevice *dev)
 {
-s->int_out = int_out;
-s->master = master;
+PicState *s = DO_UPCAST(PicState, dev, dev);
 
 memory_region_init_io(&s->base_io, &pic_base_ioport_ops, s, "pic", 2);
 memory_region_init_io(&s->elcr_io, &pic_elcr_ioport_ops, s, "elcr", 1);
 
-isa_register_ioport(NULL, &s->base_io, io_addr);
-if (elcr_addr >= 0) {
-isa_register_ioport(NULL, &s->elcr_io, elcr_addr);
-}
+isa_register_ioport(NULL, &s->base_io, s->iobase);
+isa_register_ioport(NULL, &s->elcr_io, s->elcr

[Qemu-devel] [PATCH] tcg-i386: Introduce specific deposit helpers

[Jan Kiszka]

x86 cannot provide an optimized generic deposit implementation. But at
least for a few special cases, namely for writing bits 0..7, 8..15, and
0..15, a version using only a single instruction is feasible.
Introducing such helpers improves emulating 16-bit x86 code on x86, but
also rarer cases where 32-bit or 64-bit code accesses bytes or words.

Signed-off-by: Jan Kiszka 
---
 tcg/i386/tcg-target.c |   25 +
 tcg/i386/tcg-target.h |6 ++
 tcg/tcg-op.h  |   12 
 tcg/tcg-opc.h |6 ++
 tcg/tcg.h |3 +++
 5 files changed, 52 insertions(+), 0 deletions(-)

diff --git a/tcg/i386/tcg-target.c b/tcg/i386/tcg-target.c
index 281f87d..3f9d0ad 100644
--- a/tcg/i386/tcg-target.c
+++ b/tcg/i386/tcg-target.c
@@ -1747,6 +1747,19 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode 
opc,
 break;
 #endif
 
+OP_32_64(deposit8l):
+tcg_out_modrm(s, OPC_MOVB_EvGv | P_REXB_R | P_REXB_RM,
+  args[2], args[0]);
+break;
+
+OP_32_64(deposit8h):
+tcg_out_modrm(s, OPC_MOVB_EvGv, args[2], args[0] + 4);
+break;
+
+OP_32_64(deposit16l):
+tcg_out_modrm(s, OPC_MOVL_EvGv | P_DATA16, args[2], args[0]);
+break;
+
 default:
 tcg_abort();
 }
@@ -1802,6 +1815,14 @@ static const TCGTargetOpDef x86_op_defs[] = {
 
 { INDEX_op_setcond_i32, { "q", "r", "ri" } },
 
+#if TCG_TARGET_REG_BITS == 64
+{ INDEX_op_deposit8l_i32, { "r", "0", "r" } },
+#else
+{ INDEX_op_deposit8l_i32, { "abcd", "0", "abcd" } },
+#endif
+{ INDEX_op_deposit8h_i32, { "abcd", "0", "abcd" } },
+{ INDEX_op_deposit16l_i32, { "r", "0", "r" } },
+
 #if TCG_TARGET_REG_BITS == 32
 { INDEX_op_mulu2_i32, { "a", "d", "a", "r" } },
 { INDEX_op_add2_i32, { "r", "r", "0", "1", "ri", "ri" } },
@@ -1853,6 +1874,10 @@ static const TCGTargetOpDef x86_op_defs[] = {
 { INDEX_op_ext8u_i64, { "r", "r" } },
 { INDEX_op_ext16u_i64, { "r", "r" } },
 { INDEX_op_ext32u_i64, { "r", "r" } },
+
+{ INDEX_op_deposit8l_i64, { "r", "0", "r" } },
+{ INDEX_op_deposit8h_i64, { "abcd", "0", "abcd" } },
+{ INDEX_op_deposit16l_i64, { "r", "0", "r" } },
 #endif
 
 #if TCG_TARGET_REG_BITS == 64
diff --git a/tcg/i386/tcg-target.h b/tcg/i386/tcg-target.h
index 5088e47..54b2f60 100644
--- a/tcg/i386/tcg-target.h
+++ b/tcg/i386/tcg-target.h
@@ -91,6 +91,9 @@ enum {
 #define TCG_TARGET_HAS_nand_i32 0
 #define TCG_TARGET_HAS_nor_i32  0
 #define TCG_TARGET_HAS_deposit_i32  0
+#define TCG_TARGET_HAS_deposit8l_i321
+#define TCG_TARGET_HAS_deposit8h_i321
+#define TCG_TARGET_HAS_deposit16l_i32   1
 
 #if TCG_TARGET_REG_BITS == 64
 #define TCG_TARGET_HAS_div2_i64 1
@@ -112,6 +115,9 @@ enum {
 #define TCG_TARGET_HAS_nand_i64 0
 #define TCG_TARGET_HAS_nor_i64  0
 #define TCG_TARGET_HAS_deposit_i64  0
+#define TCG_TARGET_HAS_deposit8l_i641
+#define TCG_TARGET_HAS_deposit8h_i641
+#define TCG_TARGET_HAS_deposit16l_i64   1
 #endif
 
 #define TCG_TARGET_HAS_GUEST_BASE
diff --git a/tcg/tcg-op.h b/tcg/tcg-op.h
index 404b637..80ffccb 100644
--- a/tcg/tcg-op.h
+++ b/tcg/tcg-op.h
@@ -2047,6 +2047,12 @@ static inline void tcg_gen_deposit_i32(TCGv_i32 ret, 
TCGv_i32 arg1,
 {
 if (TCG_TARGET_HAS_deposit_i32) {
 tcg_gen_op5ii_i32(INDEX_op_deposit_i32, ret, arg1, arg2, ofs, len);
+} else if (ofs == 0 && len == 8 && TCG_TARGET_HAS_deposit8l_i32) {
+tcg_gen_op3_i32(INDEX_op_deposit8l_i32, ret, arg1, arg2);
+} else if (ofs == 8 && len == 8 && TCG_TARGET_HAS_deposit8h_i32) {
+tcg_gen_op3_i32(INDEX_op_deposit8h_i32, ret, arg1, arg2);
+} else if (ofs == 0 && len == 16 && TCG_TARGET_HAS_deposit16l_i32) {
+tcg_gen_op3_i32(INDEX_op_deposit16l_i32, ret, arg1, arg2);
 } else {
 uint32_t mask = (1u << len) - 1;
 TCGv_i32 t1 = tcg_temp_new_i32 ();
@@ -2066,6 +2072,12 @@ static inline void tcg_gen_deposit_i64(TCGv_i64 ret, 
TCGv_i64 arg1,
 {
 if (TCG_TARGET_HAS_deposit_i64) {
 tcg_gen_op5ii_i64(INDEX_op_deposit_i64, ret, arg1, arg2, ofs, len);
+} else if (ofs == 0 && len == 8 && TCG_TARGET_HAS_deposit8l_i64) {
+tcg_gen_op3_i32(INDEX_op_deposit8l_i64, ret, arg1, arg2);
+} else if (ofs == 8 && len == 8 && TCG_TARGET_HAS_deposit8h_i64) {
+tcg_gen_op3_i32(INDEX_op_deposit8h_i64, ret, arg1, arg2);
+} else if (ofs == 0 && len == 16 && TCG_TARGET_HAS_deposit16l_i64) {
+tcg_gen_op3_i32(INDEX_op_deposit16l_i64, ret, arg1, arg2);
 } else {
 uint64_t mask = (1ull << len) - 1;
 TCGv_i64 t1 = tcg_temp_new_i64 ();
diff --git a/tcg/tcg-opc.h b/tcg/tcg-opc.h
index 8e06d03..0871d15 100644
--- a/tcg/tcg-opc.h
+++ b/tcg/tcg-opc.h
@@ -80,6 +80,9 @@ DEF(sar_i32, 1, 2, 0, 0)
 DEF(rotl_i32, 1, 2, 0, IMPL(TCG_TARGET_HAS_rot_i32))
 DEF(rotr_i32, 1, 2, 0, IMPL(TCG_TARGET_HAS_rot_i32))
 DEF(deposit_i32, 1, 2, 2, IMPL(TCG_TARGET_HAS_deposit_i32))
+DEF(depos

[Qemu-devel] [PATCH 21/22] monitor: Restrict pic/irq_info to supporting targets

[Jan Kiszka]

Signed-off-by: Jan Kiszka 
---
 hw/an5206.c |   10 --
 hw/arm_pic.c|   11 ---
 hw/cris_pic_cpu.c   |6 --
 hw/etraxfs.h|1 +
 hw/lm32_pic.c   |4 ++--
 hw/lm32_pic.h   |3 +++
 hw/microblaze_pic_cpu.c |6 --
 hw/s390-virtio.c|   11 ---
 hw/shix.c   |   11 ---
 hw/slavio_intctl.c  |   14 ++
 hw/sun4m.c  |   16 ++--
 hw/sun4m.h  |6 --
 hw/sun4u.c  |8 
 hw/xtensa_pic.c |   10 --
 monitor.c   |   21 +
 15 files changed, 43 insertions(+), 95 deletions(-)

diff --git a/hw/an5206.c b/hw/an5206.c
index 481ae60..3fe1f00 100644
--- a/hw/an5206.c
+++ b/hw/an5206.c
@@ -7,7 +7,6 @@
  */
 
 #include "hw.h"
-#include "pc.h"
 #include "mcf.h"
 #include "boards.h"
 #include "loader.h"
@@ -18,15 +17,6 @@
 #define AN5206_MBAR_ADDR 0x1000
 #define AN5206_RAMBAR_ADDR 0x2000
 
-/* Stub functions for hardware that doesn't exist.  */
-void pic_info(Monitor *mon)
-{
-}
-
-void irq_info(Monitor *mon)
-{
-}
-
 /* Board init.  */
 
 static void an5206_init(ram_addr_t ram_size,
diff --git a/hw/arm_pic.c b/hw/arm_pic.c
index 985148a..4e63845 100644
--- a/hw/arm_pic.c
+++ b/hw/arm_pic.c
@@ -8,19 +8,8 @@
  */
 
 #include "hw.h"
-#include "pc.h"
 #include "arm-misc.h"
 
-/* Stub functions for hardware that doesn't exist.  */
-void pic_info(Monitor *mon)
-{
-}
-
-void irq_info(Monitor *mon)
-{
-}
-
-
 /* Input 0 is IRQ and input 1 is FIQ.  */
 static void arm_pic_cpu_handler(void *opaque, int irq, int level)
 {
diff --git a/hw/cris_pic_cpu.c b/hw/cris_pic_cpu.c
index 7f1e4ab..06ae484 100644
--- a/hw/cris_pic_cpu.c
+++ b/hw/cris_pic_cpu.c
@@ -24,16 +24,10 @@
 
 #include "sysbus.h"
 #include "hw.h"
-#include "pc.h"
 #include "etraxfs.h"
 
 #define D(x)
 
-void pic_info(Monitor *mon)
-{}
-void irq_info(Monitor *mon)
-{}
-
 static void cris_pic_cpu_handler(void *opaque, int irq, int level)
 {
 CPUState *env = (CPUState *)opaque;
diff --git a/hw/etraxfs.h b/hw/etraxfs.h
index 1554b0b..24e8fd8 100644
--- a/hw/etraxfs.h
+++ b/hw/etraxfs.h
@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 
+#include "net.h"
 #include "etraxfs_dma.h"
 
 qemu_irq *cris_pic_init_cpu(CPUState *env);
diff --git a/hw/lm32_pic.c b/hw/lm32_pic.c
index 02941a7..8dd0050 100644
--- a/hw/lm32_pic.c
+++ b/hw/lm32_pic.c
@@ -39,7 +39,7 @@ struct LM32PicState {
 typedef struct LM32PicState LM32PicState;
 
 static LM32PicState *pic;
-void pic_info(Monitor *mon)
+void lm32_do_pic_info(Monitor *mon)
 {
 if (pic == NULL) {
 return;
@@ -49,7 +49,7 @@ void pic_info(Monitor *mon)
 pic->im, pic->ip, pic->irq_state);
 }
 
-void irq_info(Monitor *mon)
+void lm32_irq_info(Monitor *mon)
 {
 int i;
 uint32_t count;
diff --git a/hw/lm32_pic.h b/hw/lm32_pic.h
index e6479b8..14456f3 100644
--- a/hw/lm32_pic.h
+++ b/hw/lm32_pic.h
@@ -8,4 +8,7 @@ uint32_t lm32_pic_get_im(DeviceState *d);
 void lm32_pic_set_ip(DeviceState *d, uint32_t ip);
 void lm32_pic_set_im(DeviceState *d, uint32_t im);
 
+void lm32_do_pic_info(Monitor *mon);
+void lm32_irq_info(Monitor *mon);
+
 #endif /* QEMU_HW_LM32_PIC_H */
diff --git a/hw/microblaze_pic_cpu.c b/hw/microblaze_pic_cpu.c
index 9ad48b4..8b5623c 100644
--- a/hw/microblaze_pic_cpu.c
+++ b/hw/microblaze_pic_cpu.c
@@ -23,16 +23,10 @@
  */
 
 #include "hw.h"
-#include "pc.h"
 #include "microblaze_pic_cpu.h"
 
 #define D(x)
 
-void pic_info(Monitor *mon)
-{}
-void irq_info(Monitor *mon)
-{}
-
 static void microblaze_pic_cpu_handler(void *opaque, int irq, int level)
 {
 CPUState *env = (CPUState *)opaque;
diff --git a/hw/s390-virtio.c b/hw/s390-virtio.c
index acbf026..778cffe 100644
--- a/hw/s390-virtio.c
+++ b/hw/s390-virtio.c
@@ -62,17 +62,6 @@
 static VirtIOS390Bus *s390_bus;
 static CPUState **ipi_states;
 
-void irq_info(Monitor *mon);
-void pic_info(Monitor *mon);
-
-void irq_info(Monitor *mon)
-{
-}
-
-void pic_info(Monitor *mon)
-{
-}
-
 CPUState *s390_cpu_addr2state(uint16_t cpu_addr)
 {
 if (cpu_addr >= smp_cpus) {
diff --git a/hw/shix.c b/hw/shix.c
index 638bf16..dbf4764 100644
--- a/hw/shix.c
+++ b/hw/shix.c
@@ -28,7 +28,6 @@
More information in target-sh4/README.sh4
 */
 #include "hw.h"
-#include "pc.h"
 #include "sh.h"
 #include "sysemu.h"
 #include "boards.h"
@@ -37,16 +36,6 @@
 #define BIOS_FILENAME "shix_bios.bin"
 #define BIOS_ADDRESS 0xA000
 
-void irq_info(Monitor *mon)
-{
-/* X */
-}
-
-void pic_info(Monitor *mon)
-{
-/* X */
-}
-
 static void shix_init(ram_addr_t ram_size,
const char *boot_device,
   const char *kernel_filename, const char *kernel_cmdline,
diff --git a/hw/slavio_intctl.c b/hw/slavio_intctl.c
index 329c251..2d1dc12 100644
--- a/hw/slavio_intctl.c
+++ b/hw/slavio_intctl.c
@@ -204,13 +204,16 @@ static CPUWriteMemoryFunc * const 
slavio_intctlm_mem_write[3] = {
 slavio_intctlm

[Qemu-devel] Networking problem

[Giovanni Formisano]

Hy all.

I have a problem to configure the network i will try to explain may trouble.
I have to make a cluster of virtual machine with one Head node and N
worknode. I used a kvm and qemu. Now I want that when I start my HeadNode
this one have to send the ip of other machine.
My Headnode have two network device one of this is connect to tap interface
of guest machine and the other one I would use to configure my dhcp-server
that send ip. Above I print my file interface of headnode:

auto eth2
iface eth2 inet static
address 192.168.2.2
netmask 255.255.255.0
broadcast 192.168.2.255
gateway 192.168.2.1 (that is the ip of tap0 device)

auto eth7
iface eth7 inet static
address 10.0.2.254
netmask 255.255.255.0
broadcast 10.0.2.255
network 10.0.2.0

but when i start my worknode it doesn't get the ip

I launch in this way the machine

HEADNODE
qemu-system-x86_64 -hda HeadNode.img -m 1024 -net
nic,model=virtio,macaddr=00:16:3e:75:09:aa -net tap,ifname=tap0,script=no
-vga vmware -net nic,model=rtl8139,macaddr=00:16:3e:74:08:ac

WORKNODE
qemu-system-x86_64 -hda WORKNODE.img -m 1024 -net
nic,model=rtl8139,macaddr=F0:4D:A2:DA:D6:79 -vga vmware

Some help?

Best
Giovanni

[Qemu-devel] [PATCH V11 5/5] Add a TPM Passthrough backend driver implementation

[Stefan Berger]

>From Andreas Niederl's original posting with adaptations where necessary:

This patch is based of off version 9 of Stefan Berger's patch series
  "Qemu Trusted Platform Module (TPM) integration"
and adds a new backend driver for it.

This patch adds a passthrough backend driver for passing commands sent to the
emulated TPM device directly to a TPM device opened on the host machine.

Thus it is possible to use a hardware TPM device in a system running on QEMU,
providing the ability to access a TPM in a special state (e.g. after a Trusted
Boot).

This functionality is being used in the acTvSM Trusted Virtualization Platform
which is available on [1].

Usage example:
  qemu-system-x86_64 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \
 -device tpm-tis,tpmdev=tpm0 \
 -cdrom test.iso -boot d

Some notes about the host TPM:
The TPM needs to be enabled and activated. If that's not the case one
has to go through the BIOS/UEFI and enable and activate that TPM for TPM
commands to work as expected.
It may be necessary to boot the kernel using tpm_tis.force=1 in the boot
command line or 'modprobe tpm_tis force=1' in case of using it as a module.

Changes for v10:
 - clarified documentation
 - using /dev/tpm0 as default device if path option is not given
 - refactored code handling 'device' option into its own function
 - fixed name of structure to TPMPassthruThreadParams
 - only add tpm_passthrough_driver to collection of backends if
   it is compiled on the host

Changes for v9:
 - prefixing of all functions and variables with tpm_passthrough_
 - cleanup of all variables into a structure that is now accessed
   using TPMBackend (tb->s.tpm_pt)
 - build it on Linux machines
 - added function to test whether given device is a TPM and refuse
   startup if it is not

Regards,
Andreas Niederl, Stefan Berger

[1] http://trustedjava.sourceforge.net/

Signed-off-by: Andreas Niederl 
Signed-off-by: Stefan Berger 

---
 Makefile.target  |1 
 configure|3 
 hw/tpm_passthrough.c |  471 +++
 qemu-options.hx  |   33 +++
 tpm.c|   23 ++
 tpm.h|   34 +++
 6 files changed, 565 insertions(+)
 create mode 100644 hw/tpm_passthrough.c

Index: qemu-git.pt/Makefile.target
===
--- qemu-git.pt.orig/Makefile.target
+++ qemu-git.pt/Makefile.target
@@ -195,6 +195,7 @@ obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
 obj-y += memory.o
 obj-$(CONFIG_TPM) += tpm.o tpm_tis.o
+obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
 LIBS+=-lz
 
 QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
Index: qemu-git.pt/configure
===
--- qemu-git.pt.orig/configure
+++ qemu-git.pt/configure
@@ -3565,6 +3565,9 @@ fi
 
 if test "$tpm" = "yes"; then
   if test "$target_softmmu" = "yes" ; then
+if test "$linux" = "yes" ; then
+  echo "CONFIG_TPM_PASSTHROUGH=y" >> $config_target_mak
+fi
 echo "CONFIG_TPM=y" >> $config_host_mak
   fi
 fi
Index: qemu-git.pt/hw/tpm_passthrough.c
===
--- /dev/null
+++ qemu-git.pt/hw/tpm_passthrough.c
@@ -0,0 +1,471 @@
+/*
+ *  passthrough TPM driver
+ *
+ *  Copyright (c) 2010, 2011 IBM Corporation
+ *  Authors:
+ *Stefan Berger 
+ *
+ *  Copyright (C) 2011 IAIK, Graz University of Technology
+ *Author: Andreas Niederl
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see 
+ */
+
+#include "qemu-common.h"
+#include "qemu-error.h"
+#include "tpm.h"
+#include "hw/hw.h"
+#include "hw/tpm_tis.h"
+#include "hw/pc.h"
+
+/* #define DEBUG_TPM */
+
+/* data structures */
+
+typedef struct TPMPassthruThreadParams {
+TPMState *tpm_state;
+
+TPMRecvDataCB *recv_data_callback;
+TPMBackend *tb;
+} TPMPassthruThreadParams;
+
+struct TPMPassthruState {
+QemuThread thread;
+bool thread_terminate;
+bool thread_running;
+
+TPMPassthruThreadParams tpm_thread_params;
+
+char tpm_dev[64];
+int tpm_fd;
+bool had_startup_error;
+};
+
+#define TPM_PASSTHROUGH_DEFAULT_DEVICE "/dev/tpm0"
+
+/* borrowed from qemu-char.c */
+static int tpm_passthrough_unix_write(int fd, const uint8_t *buf, uint32_t len)
+{
+int ret, len1;
+
+len1 = len;
+wh

[Qemu-devel] [PATCH V11 2/5] Add TPM (frontend) hardware interface (TPM TIS) to Qemu

[Stefan Berger]

This patch adds the main code of the TPM frontend driver, the TPM TIS
interface, to Qemu. The code is largely based on the previous implementation
for Xen but has been significantly extended to meet the standard's
requirements, such as the support for changing of localities and all the
functionality of the available flags.

Communication with the backend (i.e., for Xen or the libtpms-based one)
is cleanly separated through an interface which the backend driver needs
to implement.

The TPM TIS driver's backend was previously chosen in the code added
to arch_init. The frontend holds a pointer to the chosen backend (interface).

Communication with the backend is largely based on signals and conditions.
Whenever the frontend has collected a complete packet, it will signal
the backend, which then starts processing the command. Once the result
has been returned, the backend invokes a callback function
(tis_tpm_receive_cb()).

The one tricky part is support for VM suspend while the TPM is processing
a command. In this case the frontend driver is waiting for the backend
to return the result of the last command before shutting down. It waits
on a condition for a signal from the backend, which is delivered in 
tis_tpm_receive_cb().

Testing the proper functioning of the different flags and localities 
cannot be done from user space when running in Linux for example, since
access to the address space of the TPM TIS interface is not possible. Also
the Linux driver itself does not exercise all functionality. So, for
testing there is a fairly extensive test suite as part of the SeaBIOS patches
since from within the BIOS one can have full access to all the TPM's registers.

v11:
  - initialize val with 0x as default value to return from MMIO
read to an undefined location
  - display size of read or write operations in debugging output

v10:
  - Use error_report where necessary
  - Convert to use memory_region_init_io; use DEVICE_NATIVE_ENDIAN which
works for an x86 VM on x86 or ppc host
  - Implement cleanup in tpm_tis_init
  - put frontend model name into TPMBackend driver structure for later display
with the monitor

v9:
  - prefixing all function with tpm_tis_ and all constants with TPM_TIS_
  - adding minimum VMStateDescription and marking device as non-migratable

v5:
  - adding comment to tis_data_read
  - refactoring following support for split command line options
-tpmdev and -device
  - code handling the configuration of the TPM device was moved to tpm.c
  - removed empty line at end of file

v3:
  - prefixing functions with tis_
  - added a function to the backend interface 'early_startup_tpm' that
allows to detect the presence of the block storage and gracefully fails
Qemu if it's not available. This works with migration using shared
storage but doesn't support migration with block storage migration.
For encyrypted QCoW2 and in case of a snapshot resue the late_startup_tpm
interface function is called

Signed-off-by: Stefan Berger 

---
 hw/tpm_tis.c |  820 +++
 1 file changed, 820 insertions(+)

Index: qemu-git.pt/hw/tpm_tis.c
===
--- /dev/null
+++ qemu-git.pt/hw/tpm_tis.c
@@ -0,0 +1,820 @@
+/*
+ * tpm_tis.c - QEMU's TPM TIS interface emulator
+ *
+ * Copyright (C) 2006,2010,2011 IBM Corporation
+ *
+ * Authors:
+ *  Stefan Berger 
+ *  David Safford 
+ *
+ * Xen 4 support: Andrease Niederl 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ *
+ *
+ * Implementation of the TIS interface according to specs found at
+ * http://www.trustedcomputiggroup.org.
+ * In the developers menu choose the PC Client section then find the TIS
+ * specification.
+ */
+
+#include "tpm.h"
+#include "block.h"
+#include "exec-memory.h"
+#include "hw/hw.h"
+#include "hw/pc.h"
+#include "hw/tpm_tis.h"
+#include "qemu-error.h"
+
+#include 
+
+/*#define DEBUG_TIS */
+
+/* whether the STS interrupt is supported */
+/*#define RAISE_STS_IRQ */
+
+/* tis registers */
+#define TPM_TIS_REG_ACCESS0x00
+#define TPM_TIS_REG_INT_ENABLE0x08
+#define TPM_TIS_REG_INT_VECTOR0x0c
+#define TPM_TIS_REG_INT_STATUS0x10
+#define TPM_TIS_REG_INTF_CAPABILITY   0x14
+#define TPM_TIS_REG_STS   0x18
+#define TPM_TIS_REG_DATA_FIFO 0x24
+#define TPM_TIS_REG_DID_VID   0xf00
+#define TPM_TIS_REG_RID   0xf04
+
+#define TPM_TIS_STS_VALID (1 << 7)
+#define TPM_TIS_STS_COMMAND_READY (1 << 6)
+#define TPM_TIS_STS_TPM_GO(1 << 5)
+#define TPM_TIS_STS_DATA_AVAILABLE(1 << 4)
+#define TPM_TIS_STS_EXPECT(1 << 3)
+#define TPM_TIS_STS_RESPONSE_RETRY(1 << 1)
+
+#define TPM

[Qemu-devel] [PATCH V11 0/5] Qemu Trusted Platform Module (TPM) integration

[Stefan Berger]

The following series of patches adds TPM (Trusted Platform Module) support
to Qemu. An emulator for the TIS (TPM Interface Spec) interface is
added that provides the basis for accessing a 'backend' implementing the actual
TPM functionality. The TIS emulator serves as a 'frontend' enabling for
example Linux's TPM TIS (tpm_tis) driver.

In this series I am posting a backend implementation that makes use of the
host's TPM through a passthrough driver, which on Linux is accessed
using /dev/tpm0.


v11:
 - applies to checkout of 46f3069 (Sep 28)
 - some filing on the documentation
 - small nits fixed

v10:
 - applies to checkout of 1ce9ce6 (Sep 27)
 - addressed Michael Tsirkin's comments on v9

v9:
 - addressed Michael Tsirkin's and other reviewers' comments
 - only posting Andreas Niederl's passthrough driver as the backend driver

v8:
 - applies to checkout of f0fb8b7 (Aug 30)
 - fixing compilation error pointed out by Andreas Niederl
 - adding patch that allows to feed an initial state into the libtpms TPM
 - following memory API changes (glib) where necessary

v7:
 - applies to checkout of b9c6cbf (Aug 9)
 - measuring the modules if multiboot is used
 - coding style fixes

v6:
 - applies to checkout of 75ef849 (July 2nd)
 - some fixes and improvements to existing patches; see individual patches
 - added a patch with a null driver responding to all TPM requests with
   a response indicating failure; this backend has no dependencies and
   can alwayy be built;
 - added a patch to support the hashing of kernel, ramfs and command line
   if those were passed to Qemu using -kernel, -initrd and -append
   respectively. Measurements are taken, logged, and passed to SeaBIOS using
   the firmware interface.
 - libtpms revision 7 now requires 83kb of block storage due to having more
   NVRAM space

v5:
 - applies to checkout of 1fddfba1
 - adding support for split command line using the -tpmdev ... -device ...
   options while keeping the -tpm option
 - support for querying the device models using -tpm model=?
 - support for monitor 'info tpm'
 - adding documentation of command line options for man page and web page
 - increasing room for ACPI tables that qemu reserves to 128kb (from 64kb)
 - adding (experimental) support for block migration
 - adding (experimental) support for taking measurements when kernel,
   initrd and kernel command line are directly passed to Qemu

v4:
 - applies to checkout of d2d979c6
 - more coding style fixes
 - adding patch for supporting blob encryption (in addition to the existing
   QCoW2-level encryption)
   - this allows for graceful termination of a migration if the target
 is detected to have a wrong key
   - tested with big and little endian hosts
 - main thread releases mutex while checking for work to do on behalf of
   backend
 - introducing file locking (fcntl) on the block layer for serializing access
   to shared (QCoW2) files (used during migration)

v3:
 - Building a null driver at patch 5/8 that responds to all requests
   with an error response; subsequently this driver is transformed to the
   libtpms-based driver for real TPM functionality
 - Reworked the threading; dropped the patch for qemu_thread_join; the
   main thread synchronizing with the TPM thread termination may need
   to write data to the block storage while waiting for the thread to 
   terminate; did not previously show a problem but is safer
 - A lot of testing based on recent git checkout 4b4a72e5 (4/10):
   - migration of i686 VM from x86_64 host to i686 host to ppc64 host while
 running tests inside the VM
   - tests with S3 suspend/resume
   - tests with snapshots
   - multiple-hour tests with VM suspend/resume (using virsh save/restore)
 while running a TPM test suite inside the VM
   All tests passed; [not all of them were done on the ppc64 host]

v2:
 - splitting some of the patches into smaller ones for easier review
 - fixes in individual patches

Regards,
Stefan

[Qemu-devel] [PATCH V11 4/5] Build the TPM frontend code

[Stefan Berger]

Build the TPM frontend code that has been added so far.

Signed-off-by: Stefan Berger 

---
 Makefile.target |1 +
 configure   |   11 +++
 2 files changed, 12 insertions(+)

Index: qemu-git.pt/Makefile.target
===
--- qemu-git.pt.orig/Makefile.target
+++ qemu-git.pt/Makefile.target
@@ -194,6 +194,7 @@ obj-$(CONFIG_REALLY_VIRTFS) += 9pfs/virt
 obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
 obj-y += memory.o
+obj-$(CONFIG_TPM) += tpm.o tpm_tis.o
 LIBS+=-lz
 
 QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
Index: qemu-git.pt/configure
===
--- qemu-git.pt.orig/configure
+++ qemu-git.pt/configure
@@ -182,6 +182,7 @@ usb_redir=""
 opengl=""
 zlib="yes"
 guest_agent="yes"
+tpm="no"
 
 # parse CC options first
 for opt do
@@ -766,6 +767,8 @@ for opt do
   ;;
   --disable-guest-agent) guest_agent="no"
   ;;
+  --enable-tpm) tpm="yes"
+  ;;
   *) echo "ERROR: unknown option $opt"; show_help="yes"
   ;;
   esac
@@ -1048,6 +1051,7 @@ echo "  --disable-usb-redir  disable
 echo "  --enable-usb-redir   enable usb network redirection support"
 echo "  --disable-guest-agentdisable building of the QEMU Guest Agent"
 echo "  --enable-guest-agent enable building of the QEMU Guest Agent"
+echo "  --enable-tpm enable TPM support"
 echo ""
 echo "NOTE: The object files are built at the place where configure is 
launched"
 exit 1
@@ -2714,6 +2718,7 @@ echo "nss used  $smartcard_nss"
 echo "usb net redir $usb_redir"
 echo "OpenGL support$opengl"
 echo "build guest agent $guest_agent"
+echo "TPM support   $tpm"
 
 if test "$sdl_too_old" = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -3558,6 +3563,12 @@ if test "$gprof" = "yes" ; then
   fi
 fi
 
+if test "$tpm" = "yes"; then
+  if test "$target_softmmu" = "yes" ; then
+echo "CONFIG_TPM=y" >> $config_host_mak
+  fi
+fi
+
 linker_script="-Wl,-T../config-host.ld -Wl,-T,\$(SRC_PATH)/\$(ARCH).ld"
 if test "$target_linux_user" = "yes" -o "$target_bsd_user" = "yes" ; then
   case "$ARCH" in

[Qemu-devel] [PATCH V11 1/5] Support for TPM command line options

[Stefan Berger]

This patch adds support for TPM command line options.
The command line options supported here are

./qemu-... -tpmdev passthrough,path=,id=
   -device tpm-tis,tpmdev=

and

./qemu-... -tpmdev ?

where the latter works similar to -soundhw ? and shows a list of
available TPM backends (for example 'passthrough').

Using the type parameter, the backend is chosen, i.e., 'passthrough' for the
passthrough driver. The interpretation of the other parameters along
with determining whether enough parameters were provided is pushed into
the backend driver, which needs to implement the interface function
'create' and return a TPMDriver structure if the VM can be started or 'NULL'
if not enough or bad parameters were provided.

Monitor support for 'info tpm' has been added. It for example prints the
following:

(qemu) info tpm
TPM devices:
 tpm0: model=tpm-tis
  \ tpm0: type=passthrough,path=/dev/tpm0

v10:
 - tpm_display_backend_drivers always prints to stderr

v9:
 - prefixing all functions with tpm_tis_ and all constants with TPM_TIS_
 - splitting off of -tpm command line support into its own patch
 - only support TPM passthrough for now

v8:
 - adjusting formatting of backend drivers output to accomodate better
   formatting of 'passthrough' backend output

v6:
 - use #idef CONFIG_TPM to surround TPM calls
 - use QLIST_FOREACH_SAFE rather than QLIST_FOREACH in tpm_cleanup
 - commented backend ops in tpm.h
 - moving to IRQ 5 (11 collided with network cards)

v5:
 - fixing typo reported by Serge Hallyn
 - Adapting code to split command line parameters supporting 
   -tpmdev ... -device tpm-tis,tpmdev=...
 - moved code out of arch_init.c|h into tpm.c|h
 - increasing reserved memory for ACPI tables to 128kb (from 64kb)
 - the backend interface has a create() function for interpreting the command
   line parameters and returning a TPMDevice structure; previoulsy
   this function was called handle_options()
 - the backend interface has a destroy() function for cleaning up after
   the create() function was called
 - added support for 'info tpm' in monitor

v4:
 - coding style fixes

v3:
 - added hw/tpm_tis.h to this patch so Qemu compiles at this stage

Signed-off-by: Stefan Berger 

---
 hmp-commands.hx |2 
 hw/tpm_tis.h|   89 +
 monitor.c   |   10 +++
 qemu-config.c   |   20 ++
 qemu-options.hx |   34 +++
 tpm.c   |  167 
 tpm.h   |   90 ++
 vl.c|   15 +
 8 files changed, 427 insertions(+)

Index: qemu-git.pt/qemu-options.hx
===
--- qemu-git.pt.orig/qemu-options.hx
+++ qemu-git.pt/qemu-options.hx
@@ -1760,6 +1760,40 @@ ETEXI
 
 DEFHEADING()
 
+DEFHEADING(TPM device options:)
+
+#ifndef _WIN32
+# ifdef CONFIG_TPM
+DEF("tpmdev", HAS_ARG, QEMU_OPTION_tpmdev, \
+"-tpmdev [],id=str[,option][,option][,...]\n",
+QEMU_ARCH_ALL)
+# endif
+#endif
+STEXI
+
+The general form of a TPM device option is:
+@table @option
+
+@item -tpmdev @var{backend} ,id=@var{id} [,@var{options}]
+@findex -tpmdev
+Backend type must be:
+
+The specific backend type will determine the applicable options.
+The @code{-tpmdev} options requires a @code{-device} option.
+
+Options to each backend are described below.
+
+Use ? to print all available TPM backend types.
+@example
+qemu -tpmdev ?
+@end example
+
+@end table
+
+ETEXI
+
+DEFHEADING()
+
 DEFHEADING(Linux/Multiboot boot specific:)
 STEXI
 
Index: qemu-git.pt/vl.c
===
--- qemu-git.pt.orig/vl.c
+++ qemu-git.pt/vl.c
@@ -139,6 +139,7 @@ int main(int argc, char **argv)
 #include "block.h"
 #include "blockdev.h"
 #include "block-migration.h"
+#include "tpm.h"
 #include "dma.h"
 #include "audio/audio.h"
 #include "migration.h"
@@ -2675,6 +2676,11 @@ int main(int argc, char **argv, char **e
 ram_size = value;
 break;
 }
+#ifdef CONFIG_TPM
+case QEMU_OPTION_tpmdev:
+tpm_config_parse(qemu_find_opts("tpmdev"), optarg);
+break;
+#endif
 case QEMU_OPTION_mempath:
 mem_path = optarg;
 break;
@@ -3327,6 +,12 @@ int main(int argc, char **argv, char **e
 exit(1);
 }
 
+#ifdef CONFIG_TPM
+if (tpm_init() < 0) {
+exit(1);
+}
+#endif
+
 /* init the bluetooth world */
 if (foreach_device_config(DEV_BT, bt_parse))
 exit(1);
@@ -3575,6 +3587,9 @@ int main(int argc, char **argv, char **e
 quit_timers();
 net_cleanup();
 res_free();
+#ifdef CONFIG_TPM
+tpm_cleanup();
+#endif
 
 return 0;
 }
Index: qemu-git.pt/qemu-config.c
===
--- qemu-git.pt.orig/qemu-config.c
+++ qemu-git.pt/qemu-config.c
@@ -508,6 +508,25 @@ QemuOptsList qemu_boot_opts = {
 },
 };
 
+st

[Qemu-devel] [PATCH V11 3/5] Add a debug register

[Stefan Berger]

This patch uses the possibility to add a vendor-specific register and
adds a debug register useful for dumping the TIS's internal state. This
register is only active in a debug build (#define DEBUG_TIS).

v9:
 - prefixing all function with tpm_tis_ and all constants with TPM_TIS_

v3:
 - all output goes to stderr

Signed-off-by: Stefan Berger 

---
 hw/tpm_tis.c |   73 +++
 1 file changed, 73 insertions(+)

Index: qemu-git.pt/hw/tpm_tis.c
===
--- qemu-git.pt.orig/hw/tpm_tis.c
+++ qemu-git.pt/hw/tpm_tis.c
@@ -47,6 +47,9 @@
 #define TPM_TIS_REG_DID_VID   0xf00
 #define TPM_TIS_REG_RID   0xf04
 
+/* vendor-specific registers */
+#define TPM_TIS_REG_DEBUG 0xf90
+
 #define TPM_TIS_STS_VALID (1 << 7)
 #define TPM_TIS_STS_COMMAND_READY (1 << 6)
 #define TPM_TIS_STS_TPM_GO(1 << 5)
@@ -92,6 +95,11 @@
 
 #define TPM_TIS_NO_DATA_BYTE  0xff
 
+/* local prototypes */
+static uint64_t tpm_tis_mmio_read(void *opaque, target_phys_addr_t addr,
+  unsigned size);
+
+
 #ifdef DEBUG_TIS
 static void tpm_tis_show_buffer(const TPMSizedBuffer *sb, const char *string)
 {
@@ -319,6 +327,66 @@ static uint32_t tpm_tis_data_read(TPMSta
 return ret;
 }
 
+#ifdef DEBUG_TIS
+static void tpm_tis_dump_state(void *opaque, target_phys_addr_t addr)
+{
+static const unsigned regs[] = {
+TPM_TIS_REG_ACCESS,
+TPM_TIS_REG_INT_ENABLE,
+TPM_TIS_REG_INT_VECTOR,
+TPM_TIS_REG_INT_STATUS,
+TPM_TIS_REG_INTF_CAPABILITY,
+TPM_TIS_REG_STS,
+TPM_TIS_REG_DID_VID,
+TPM_TIS_REG_RID,
+0xfff};
+int idx;
+uint8_t locty = tpm_tis_locality_from_addr(addr);
+target_phys_addr_t base = addr & ~0xfff;
+TPMState *s = opaque;
+TPMTISState *tis = &s->s.tis;
+
+fprintf(stderr,
+"tpm_tis: active locality  : %d\n"
+"tpm_tis: state of locality %d : %d\n"
+"tpm_tis: register dump:\n",
+tis->active_locty,
+locty, tis->loc[locty].state);
+
+for (idx = 0; regs[idx] != 0xfff; idx++) {
+fprintf(stderr, "tpm_tis: 0x%04x : 0x%08x\n", regs[idx],
+(uint32_t)tpm_tis_mmio_read(opaque, base + regs[idx], 4));
+}
+
+fprintf(stderr,
+"tpm_tis: read offset   : %d\n"
+"tpm_tis: result buffer : ",
+tis->loc[locty].r_offset);
+for (idx = 0;
+ idx < tpm_tis_get_size_from_buffer(&tis->loc[locty].r_buffer);
+ idx++) {
+fprintf(stderr, "%c%02x%s",
+tis->loc[locty].r_offset == idx ? '>' : ' ',
+tis->loc[locty].r_buffer.buffer[idx],
+((idx & 0xf) == 0xf) ? "\ntpm_tis: " : "");
+}
+fprintf(stderr,
+"\n"
+"tpm_tis: write offset  : %d\n"
+"tpm_tis: request buffer: ",
+tis->loc[locty].w_offset);
+for (idx = 0;
+ idx < tpm_tis_get_size_from_buffer(&tis->loc[locty].w_buffer);
+ idx++) {
+fprintf(stderr, "%c%02x%s",
+tis->loc[locty].w_offset == idx ? '>' : ' ',
+tis->loc[locty].w_buffer.buffer[idx],
+((idx & 0xf) == 0xf) ? "\ntpm_tis: " : "");
+}
+fprintf(stderr, "\n");
+}
+#endif
+
 /*
  * Read a register of the TIS interface
  * See specs pages 33-63 for description of the registers
@@ -391,6 +459,11 @@ static uint64_t tpm_tis_mmio_read(void *
 case TPM_TIS_REG_RID:
 val = TPM_TIS_TPM_RID;
 break;
+#ifdef DEBUG_TIS
+case TPM_TIS_REG_DEBUG:
+tpm_tis_dump_state(opaque, addr);
+break;
+#endif
 }
 
 qemu_mutex_unlock(&s->state_lock);

[Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p

[M. Mohan Kumar]

Pass-through security model in QEMU 9p server needs root privilege to do few
file operations (like chown, chmod to any mode/uid:gid).  There are two issues
in pass-through security model

1) TOCTTOU vulnerability: Following symbolic links in the server could
provide access to files beyond 9p export path.

2) When libvirt is configured to run qemu as non-root user (for example, if
qemu is configured to run as normal user 'qemu'), running file operations on
pass-through security model would fail because it needs root privileges.

To overcome above issues, following approach is suggested: A new filesytem
type 'proxy' is introduced. Proxy FS uses chroot + socket combination for
securing the vulnerability known with following symbolic links. Intention of 
adding a new filesystem type is to allow qemu to run in non-root mode, but 
doing privileged operations using socket IO.

A new binary (known as proxy helper) will be provided as part of qemu. Proxy
helper will chroot into 9p export path and create a socket pair or a named
socket based on the command line parameter. Qemu and proxy helper will
communicate using this socket.

We need following changes in the libvirt code to accomodate new 'proxy' 
filesystem type:
If qemu 9p server is configured to use 'proxy' FS, libvirt will do
* Create a socket pair
* invoke proxy_helper binary with one of the socket id from the pair as
command line parameters to it with root privilege
* invoke qemu with one of socket id from the pair as paramter to qemu virtfs
after dropping to the configured user privilege.
ie, libvirt will invoke proxy_helper as:
proxy_helper -i  -p <9p-path-to-export>

and qemu will be invoked with following virtfs parameter:
-virtfs proxy,id=,sock_fd=
,path=/tmp/,security_model=prox,mount_tag=v_pass

People who want to use proxy_helper without libvirt can use following 
interface:
 $   proxy_helper -s  -p <9p-path-to-export>

With following qemu fsdev parameter:
-virtfs proxy,id=,socket=,path=/tmp/,
security_model=prox,mount_tag=v_pass


-- 
Regards,
M. Mohan Kumar

[Qemu-devel] qemu-kvm: Role of flush_icache_range on PPC

[Jan Kiszka]

Alex,

we have this diff in qemu-kvm:

diff --git a/exec.c b/exec.c
index c1e045d..f188549 100644
--- a/exec.c
+++ b/exec.c
@@ -3950,6 +3955,11 @@ void cpu_physical_memory_rw(target_phys_addr_t addr, 
uint8_t *buf,
 cpu_physical_memory_set_dirty_flags(
 addr1, (0xff & ~CODE_DIRTY_FLAG));
 }
+   /* qemu doesn't execute guest code directly, but kvm does
+  therefore flush instruction caches */
+   if (kvm_enabled())
+   flush_icache_range((unsigned long)ptr,
+  ((unsigned long)ptr)+l);
 qemu_put_ram_ptr(ptr);
 }
 } else {


flush_icache_range() is doing something only on PPC hosts. So do we need
this upstream?

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] qemu-kvm: Role of flush_icache_range on PPC

[Alexander Graf]

On 28.09.2011, at 16:23, Jan Kiszka wrote:

> Alex,
> 
> we have this diff in qemu-kvm:
> 
> diff --git a/exec.c b/exec.c
> index c1e045d..f188549 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -3950,6 +3955,11 @@ void cpu_physical_memory_rw(target_phys_addr_t addr, 
> uint8_t *buf,
> cpu_physical_memory_set_dirty_flags(
> addr1, (0xff & ~CODE_DIRTY_FLAG));
> }
> + /* qemu doesn't execute guest code directly, but kvm does
> +therefore flush instruction caches */
> + if (kvm_enabled())
> + flush_icache_range((unsigned long)ptr,
> +((unsigned long)ptr)+l);
> qemu_put_ram_ptr(ptr);
> }
> } else {
> 
> 
> flush_icache_range() is doing something only on PPC hosts. So do we need
> this upstream?

This makes sure that when device emulation overwrites code that is already 
present in the cache of a CPU, it gets flushed from the icache. I'm fairly sure 
we want that :). But let's ask Ben and David as well.


Alex

Re: [Qemu-devel] [PATCH] tcg-i386: Introduce specific deposit helpers

[Richard Henderson]

On 09/28/2011 05:28 AM, Jan Kiszka wrote:
> +#if TCG_TARGET_REG_BITS == 64
> +{ INDEX_op_deposit8l_i32, { "r", "0", "r" } },
> +#else
> +{ INDEX_op_deposit8l_i32, { "abcd", "0", "abcd" } },
> +#endif

At minimum, abcd is spelled "q".

I don't particularly care for the 3 different opcodes.  Perhaps
we'd be better off with an inline predicate for when the deposit
opcode is "valid"?


r~

Re: [Qemu-devel] virtqueue corruption in emulation mode?

[Sinha, Ani]

On Sep 28, 2011, at 1:51 AM, Stefan Hajnoczi wrote:

> On Wed, Sep 28, 2011 at 3:01 AM, Sinha, Ani  wrote:
>>
>> On Sep 27, 2011, at 12:17 AM, Stefan Hajnoczi wrote:
>>
>>> On Mon, Sep 26, 2011 at 07:16:56PM -0500, Sinha, Ani wrote:
 I am using the virtqueue (virtqueue_pop, virtqueue_push etc) in the 
 emulated mode (non-kvm mode) from an IO thread (a separate thread 
 different from main QEMU thread). What I am observing is that the 
 virtqueue memory seems to get corrupt. Either qemu crashes while 
 performing virtqueue_push() (virtqueue_push() -> virtqueue_fill() 
 ->bring_used_idx()->lduw_phys()->qemu_get_ram_ptr()->"bad ram offset") or 
 crashes when the guest accesses a bad memory while using virtqueue. Now 
 this never ever happens when I run QEMU in KVM mode (/dev/kvm present) OR 
 when I use my functions from within the main qemu thread. I am unable to 
 figure out why this is happening. I have looked into my code over and over 
 again and I can't seem to explain this behavior. Can any of you guys give 
 me any inkling?
>>>
>>> QEMU is not thread-safe in general.  It uses a big lock to protect most
>>> of its internal state.
>>
>>
>> I see. So may be I should do something like qemu_set_fd_handler(fd, …) where 
>> fd is a pipe and the handler does the virtqueue_push() etc?
>> Now my question is, is it safe to do elem = virtqueue_pop(vq) from main 
>> event loop, then so some work on the elem popped out in an worker thread and 
>> then at some later point do a virtqueue_push(vq, elem) from that handler 
>> (which is called by main_loop() ->main_loop_wait())?  In other words, the vq 
>> reference is being used from the main event loop at two different points 
>> from two different functions but not in a contiguous fashion within the same 
>> function.
>
> Yes but do you need a helper thread?  Most of QEMU is based on
> qemu_set_fd_handler() and callbacks, including for host network and
> disk I/O.  If you follow the way QEMU does things it should be
> easiest.

I need a helper thread to do blocking IO. The device IOCTLS are inherently 
blocking, unfortunately.

Ani



The information contained in this message may be privileged
and confidential and protected from disclosure. If the reader
of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the
intended recipient, you are hereby notified that any reproduction,
dissemination or distribution of this communication is strictly
prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and
deleting it from your computer. Thank you. Tellabs

Re: [Qemu-devel] [PATCH] tcg-i386: Introduce specific deposit helpers

[Jan Kiszka]

On 2011-09-28 16:26, Richard Henderson wrote:

On 09/28/2011 05:28 AM, Jan Kiszka wrote:

+#if TCG_TARGET_REG_BITS == 64
+{ INDEX_op_deposit8l_i32, { "r", "0", "r" } },
+#else
+{ INDEX_op_deposit8l_i32, { "abcd", "0", "abcd" } },
+#endif


At minimum, abcd is spelled "q".


Ah, perfect.



I don't particularly care for the 3 different opcodes.  Perhaps
we'd be better off with an inline predicate for when the deposit
opcode is "valid"?


We still need to dispatch at tcg generation time which variant is valid. 
Or what do you have in mind?


Thanks,
Jan

--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

[Qemu-devel] [PATCH 02/21] qerror: add qerror_report_err()

[Luiz Capitulino]

From: Anthony Liguori 

This provides a bridge between Error (new error mechanism) and QError (old error
mechanism).  Errors can be propagated whereas QError cannot.

The minor evilness avoids layering violations.  Since QError should go away RSN,
it seems like a reasonable hack.

Signed-off-by: Anthony Liguori 
Signed-off-by: Luiz Capitulino 
---
 qerror.c |   33 +
 qerror.h |2 ++
 2 files changed, 35 insertions(+), 0 deletions(-)

diff --git a/qerror.c b/qerror.c
index c591a54..68998d4 100644
--- a/qerror.c
+++ b/qerror.c
@@ -482,6 +482,39 @@ void qerror_report_internal(const char *file, int linenr, 
const char *func,
 }
 }
 
+/* Evil... */
+struct Error
+{
+QDict *obj;
+const char *fmt;
+char *msg;
+};
+
+void qerror_report_err(Error *err)
+{
+QError *qerr;
+int i;
+
+qerr = qerror_new();
+loc_save(&qerr->loc);
+QINCREF(err->obj);
+qerr->error = err->obj;
+
+for (i = 0; qerror_table[i].error_fmt; i++) {
+if (strcmp(qerror_table[i].error_fmt, err->fmt) == 0) {
+qerr->entry = &qerror_table[i];
+break;
+}
+}
+
+if (monitor_cur_is_qmp()) {
+monitor_set_error(cur_mon, qerr);
+} else {
+qerror_print(qerr);
+QDECREF(qerr);
+}
+}
+
 /**
  * qobject_to_qerror(): Convert a QObject into a QError
  */
diff --git a/qerror.h b/qerror.h
index d407001..d4bfcfd 100644
--- a/qerror.h
+++ b/qerror.h
@@ -15,6 +15,7 @@
 #include "qdict.h"
 #include "qstring.h"
 #include "qemu-error.h"
+#include "error.h"
 #include 
 
 typedef struct QErrorStringTable {
@@ -39,6 +40,7 @@ QString *qerror_human(const QError *qerror);
 void qerror_print(QError *qerror);
 void qerror_report_internal(const char *file, int linenr, const char *func,
 const char *fmt, ...) GCC_FMT_ATTR(4, 5);
+void qerror_report_err(Error *err);
 QString *qerror_format(const char *fmt, QDict *error);
 #define qerror_report(fmt, ...) \
 qerror_report_internal(__FILE__, __LINE__, __func__, fmt, ## __VA_ARGS__)
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 18/21] qapi: Convert quit

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp-commands.hx  |2 +-
 hmp.c|6 ++
 hmp.h|1 +
 monitor.c|   12 
 qapi-schema.json |   11 +++
 qmp-commands.hx  |5 +
 qmp.c|6 ++
 7 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 9e1cca8..2163e6f 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -43,7 +43,7 @@ ETEXI
 .params = "",
 .help   = "quit the emulator",
 .user_print = monitor_user_noop,
-.mhandler.cmd_new = do_quit,
+.mhandler.cmd = hmp_quit,
 },
 
 STEXI
diff --git a/hmp.c b/hmp.c
index 91de86c..1f7000a 100644
--- a/hmp.c
+++ b/hmp.c
@@ -93,3 +93,9 @@ void hmp_info_chardev(Monitor *mon)
 
 qapi_free_ChardevInfoList(char_info);
 }
+
+void hmp_quit(Monitor *mon, const QDict *qdict)
+{
+monitor_suspend(mon);
+qmp_quit(NULL);
+}
diff --git a/hmp.h b/hmp.h
index 7388f9a..a3dfafd 100644
--- a/hmp.h
+++ b/hmp.h
@@ -23,5 +23,6 @@ void hmp_info_kvm(Monitor *mon);
 void hmp_info_status(Monitor *mon);
 void hmp_info_uuid(Monitor *mon);
 void hmp_info_chardev(Monitor *mon);
+void hmp_quit(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/monitor.c b/monitor.c
index d546bad..42c754a 100644
--- a/monitor.c
+++ b/monitor.c
@@ -945,18 +945,6 @@ static void do_trace_print_events(Monitor *mon)
 trace_print_events((FILE *)mon, &monitor_fprintf);
 }
 
-/**
- * do_quit(): Quit QEMU execution
- */
-static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
-{
-monitor_suspend(mon);
-no_shutdown = 0;
-qemu_system_shutdown_request();
-
-return 0;
-}
-
 #ifdef CONFIG_VNC
 static int change_vnc_password(const char *password)
 {
diff --git a/qapi-schema.json b/qapi-schema.json
index b26dd25..d6a60d2 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -225,3 +225,14 @@
 ##
 { 'command': 'query-commands', 'returns': ['CommandInfo'] }
 
+##
+# @quit:
+#
+# This command will cause the QEMU process to exit gracefully.  While every
+# attempt is made to send the QMP response before terminating, this is not
+# guaranteed.  When using this interface, a premature EOF would not be
+# unexpected.
+#
+# Since: 0.14.0
+##
+{ 'command': 'quit' }
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 0fda5c3..151a5fa 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -63,10 +63,7 @@ EQMP
 {
 .name   = "quit",
 .args_type  = "",
-.params = "",
-.help   = "quit the emulator",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_quit,
+.mhandler.cmd_new = qmp_marshal_input_quit,
 },
 
 SQMP
diff --git a/qmp.c b/qmp.c
index 58337c7..1d380b6 100644
--- a/qmp.c
+++ b/qmp.c
@@ -70,3 +70,9 @@ UuidInfo *qmp_query_uuid(Error **errp)
 return info;
 }
 
+void qmp_quit(Error **err)
+{
+no_shutdown = 0;
+qemu_system_shutdown_request();
+}
+
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 06/21] qapi: dealloc visitor, fix premature free and iteration logic

[Luiz Capitulino]

From: Michael Roth 

Currently we do 3 things wrong:

1) The list iterator, in practice, is used in a manner where the pointer
we pass in is the same as the pointer we assign the output to from
visit_next_list(). This causes an infinite loop where we keep freeing
the same structures.

2) We attempt to free list->value rather than list. visit_type_
handles this. We should only be concerned with the containing list.

3) We free prematurely: iterator function will continue accessing values
we've already freed.

This patch should fix all of these issues. QmpOutputVisitor also suffers
from 1).

Signed-off-by: Michael Roth 
Signed-off-by: Luiz Capitulino 
---
 qapi/qapi-dealloc-visitor.c |   20 +++-
 1 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/qapi/qapi-dealloc-visitor.c b/qapi/qapi-dealloc-visitor.c
index f629061..6b586ad 100644
--- a/qapi/qapi-dealloc-visitor.c
+++ b/qapi/qapi-dealloc-visitor.c
@@ -26,6 +26,7 @@ struct QapiDeallocVisitor
 {
 Visitor visitor;
 QTAILQ_HEAD(, StackEntry) stack;
+bool is_list_head;
 };
 
 static QapiDeallocVisitor *to_qov(Visitor *v)
@@ -70,15 +71,24 @@ static void qapi_dealloc_end_struct(Visitor *v, Error 
**errp)
 
 static void qapi_dealloc_start_list(Visitor *v, const char *name, Error **errp)
 {
+QapiDeallocVisitor *qov = to_qov(v);
+qov->is_list_head = true;
 }
 
-static GenericList *qapi_dealloc_next_list(Visitor *v, GenericList **list,
+static GenericList *qapi_dealloc_next_list(Visitor *v, GenericList **listp,
Error **errp)
 {
-GenericList *retval = *list;
-g_free(retval->value);
-*list = retval->next;
-return retval;
+GenericList *list = *listp;
+QapiDeallocVisitor *qov = to_qov(v);
+
+if (!qov->is_list_head) {
+*listp = list->next;
+g_free(list);
+return *listp;
+}
+
+qov->is_list_head = false;
+return list;
 }
 
 static void qapi_dealloc_end_list(Visitor *v, Error **errp)
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] How to configure a QEmu NIC in bridge mode?

[Luiz Antonio Falaguasta Barbosa]

Hi guys,

I know this is not a list of QEmu users, but how it doesn't exist, I'll ask
it here. If antbody could help me, I'll be greatful!

Please, does anybody know how to configure a QEmu NIC in bridge mode?

Thank you in advance!

Regards,

Luiz

Re: [Qemu-devel] qemu-kvm: Role of flush_icache_range on PPC

[Jan Kiszka]

On 2011-09-28 16:45, Jan Kiszka wrote:

On 2011-09-28 16:26, Alexander Graf wrote:


On 28.09.2011, at 16:23, Jan Kiszka wrote:


Alex,

we have this diff in qemu-kvm:

diff --git a/exec.c b/exec.c
index c1e045d..f188549 100644
--- a/exec.c
+++ b/exec.c
@@ -3950,6 +3955,11 @@ void cpu_physical_memory_rw(target_phys_addr_t
addr, uint8_t *buf,
cpu_physical_memory_set_dirty_flags(
addr1, (0xff& ~CODE_DIRTY_FLAG));
}
+ /* qemu doesn't execute guest code directly, but kvm does
+ therefore flush instruction caches */
+ if (kvm_enabled())
+ flush_icache_range((unsigned long)ptr,
+ ((unsigned long)ptr)+l);
qemu_put_ram_ptr(ptr);
}
} else {


flush_icache_range() is doing something only on PPC hosts. So do we need
this upstream?


This makes sure that when device emulation overwrites code that is
already present in the cache of a CPU, it gets flushed from the
icache. I'm fairly sure we want that :). But let's ask Ben and David
as well.


/me wondered which write scenario precisely needs this. It could only be
something synchronous /wrt to some VCPU. Which operations could trigger
such a write? Does PPC inject software breakpoints in form of trap
operations or so?

Mmm, according to our ancient recordings, the hunk above was once
introduced for the sake of IA64: 9dc99a2823. I skipped it in my removal
patch as it has some non-IA64 effect, at least potentially.


Correction: It was introduced by 6d3295f7c8, but generalized with 
f067512c06. That former commit talks about DMA operations on IA64 that 
also updates/drops the icache in reality.


Jan

--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] qemu-kvm: Role of flush_icache_range on PPC

[Alexander Graf]

Am 28.09.2011 um 16:49 schrieb Jan Kiszka :

> On 2011-09-28 16:45, Jan Kiszka wrote:
>> On 2011-09-28 16:26, Alexander Graf wrote:
>>> 
>>> On 28.09.2011, at 16:23, Jan Kiszka wrote:
>>> 
 Alex,
 
 we have this diff in qemu-kvm:
 
 diff --git a/exec.c b/exec.c
 index c1e045d..f188549 100644
 --- a/exec.c
 +++ b/exec.c
 @@ -3950,6 +3955,11 @@ void cpu_physical_memory_rw(target_phys_addr_t
 addr, uint8_t *buf,
 cpu_physical_memory_set_dirty_flags(
 addr1, (0xff& ~CODE_DIRTY_FLAG));
 }
 + /* qemu doesn't execute guest code directly, but kvm does
 + therefore flush instruction caches */
 + if (kvm_enabled())
 + flush_icache_range((unsigned long)ptr,
 + ((unsigned long)ptr)+l);
 qemu_put_ram_ptr(ptr);
 }
 } else {
 
 
 flush_icache_range() is doing something only on PPC hosts. So do we need
 this upstream?
>>> 
>>> This makes sure that when device emulation overwrites code that is
>>> already present in the cache of a CPU, it gets flushed from the
>>> icache. I'm fairly sure we want that :). But let's ask Ben and David
>>> as well.
>> 
>> /me wondered which write scenario precisely needs this. It could only be
>> something synchronous /wrt to some VCPU. Which operations could trigger
>> such a write? Does PPC inject software breakpoints in form of trap
>> operations or so?
>> 
>> Mmm, according to our ancient recordings, the hunk above was once
>> introduced for the sake of IA64: 9dc99a2823. I skipped it in my removal
>> patch as it has some non-IA64 effect, at least potentially.
> 
> Correction: It was introduced by 6d3295f7c8, but generalized with f067512c06. 
> That former commit talks about DMA operations on IA64 that also updates/drops 
> the icache in reality.

Yeah I remember discussions around the topic. IIUC DMA invalidates the cache 
lines of the CPUs in the system for the region it's writing to. At least 
potentially. But again, I'll leave this to the IBM guys to answer :). They know 
best how their hardware works.

Alex

> 

[Qemu-devel] [PATCH 12/21] qapi: Convert query-version

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp.c|   13 +
 hmp.h|1 +
 monitor.c|   46 +++---
 qapi-schema.json |   37 +
 qmp-commands.hx  |6 ++
 qmp.c|   16 
 6 files changed, 76 insertions(+), 43 deletions(-)

diff --git a/hmp.c b/hmp.c
index 47e1ff7..bb6c86f 100644
--- a/hmp.c
+++ b/hmp.c
@@ -24,3 +24,16 @@ void hmp_info_name(Monitor *mon)
 }
 qapi_free_NameInfo(info);
 }
+
+void hmp_info_version(Monitor *mon)
+{
+VersionInfo *info;
+
+info = qmp_query_version(NULL);
+
+monitor_printf(mon, "%" PRId64 ".%" PRId64 ".%" PRId64 "%s\n",
+   info->qemu.major, info->qemu.minor, info->qemu.micro,
+   info->package);
+
+qapi_free_VersionInfo(info);
+}
diff --git a/hmp.h b/hmp.h
index 5fe73f1..2aa75a2 100644
--- a/hmp.h
+++ b/hmp.h
@@ -18,5 +18,6 @@
 #include "qapi-types.h"
 
 void hmp_info_name(Monitor *mon);
+void hmp_info_version(Monitor *mon);
 
 #endif
diff --git a/monitor.c b/monitor.c
index 8af0e27..9edc38c 100644
--- a/monitor.c
+++ b/monitor.c
@@ -730,37 +730,6 @@ help:
 help_cmd(mon, "info");
 }
 
-static void do_info_version_print(Monitor *mon, const QObject *data)
-{
-QDict *qdict;
-QDict *qemu;
-
-qdict = qobject_to_qdict(data);
-qemu = qdict_get_qdict(qdict, "qemu");
-
-monitor_printf(mon, "%" PRId64 ".%" PRId64 ".%" PRId64 "%s\n",
-  qdict_get_int(qemu, "major"),
-  qdict_get_int(qemu, "minor"),
-  qdict_get_int(qemu, "micro"),
-  qdict_get_str(qdict, "package"));
-}
-
-static void do_info_version(Monitor *mon, QObject **ret_data)
-{
-const char *version = QEMU_VERSION;
-int major = 0, minor = 0, micro = 0;
-char *tmp;
-
-major = strtol(version, &tmp, 10);
-tmp++;
-minor = strtol(tmp, &tmp, 10);
-tmp++;
-micro = strtol(tmp, &tmp, 10);
-
-*ret_data = qobject_from_jsonf("{ 'qemu': { 'major': %d, 'minor': %d, \
-'micro': %d }, 'package': %s }", major, minor, micro, QEMU_PKGVERSION);
-}
-
 static QObject *get_cmd_dict(const char *name)
 {
 const char *p;
@@ -2866,8 +2835,7 @@ static const mon_cmd_t info_cmds[] = {
 .args_type  = "",
 .params = "",
 .help   = "show the version of QEMU",
-.user_print = do_info_version_print,
-.mhandler.info_new = do_info_version,
+.mhandler.info = hmp_info_version,
 },
 {
 .name   = "network",
@@ -3159,14 +3127,6 @@ static const mon_cmd_t qmp_cmds[] = {
 
 static const mon_cmd_t qmp_query_cmds[] = {
 {
-.name   = "version",
-.args_type  = "",
-.params = "",
-.help   = "show the version of QEMU",
-.user_print = do_info_version_print,
-.mhandler.info_new = do_info_version,
-},
-{
 .name   = "commands",
 .args_type  = "",
 .params = "",
@@ -5172,9 +5132,9 @@ void monitor_resume(Monitor *mon)
 
 static QObject *get_qmp_greeting(void)
 {
-QObject *ver;
+QObject *ver = NULL;
 
-do_info_version(NULL, &ver);
+qmp_marshal_input_query_version(NULL, NULL, &ver);
 return qobject_from_jsonf("{'QMP':{'version': %p,'capabilities': 
[]}}",ver);
 }
 
diff --git a/qapi-schema.json b/qapi-schema.json
index 3585324..3c0ac4e 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -23,3 +23,40 @@
 # Since 0.14.0
 ##
 { 'command': 'query-name', 'returns': 'NameInfo' }
+
+##
+# @VersionInfo:
+#
+# A description of QEMU's version.
+#
+# @qemu.major:  The major version of QEMU
+#
+# @qemu.minor:  The minor version of QEMU
+#
+# @qemu.micro:  The micro version of QEMU.  By current convention, a micro
+#   version of 50 signifies a development branch.  A micro version
+#   greater than or equal to 90 signifies a release candidate for
+#   the next minor version.  A micro version of less than 50
+#   signifies a stable release.
+#
+# @package: QEMU will always set this field to an empty string.  Downstream
+#   versions of QEMU should set this to a non-empty string.  The
+#   exact format depends on the downstream however it highly
+#   recommended that a unique name is used.
+#
+# Since: 0.14.0
+##
+{ 'type': 'VersionInfo',
+  'data': {'qemu': {'major': 'int', 'minor': 'int', 'micro': 'int'},
+   'package': 'str'} }
+
+##
+# @query-version:
+#
+# Returns the current version of QEMU.
+#
+# Returns:  A @VersionInfo object describing the current version of QEMU.
+#
+# Since: 0.14.0
+##
+{ 'command': 'query-version', 'returns': 'VersionInfo' }
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 7b3839e..9f067ea 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1053,6 +1053,12 @@ Example

Re: [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p

[Daniel P. Berrange]

On Wed, Sep 28, 2011 at 07:49:34PM +0530, M. Mohan Kumar wrote:
> Pass-through security model in QEMU 9p server needs root privilege to do few
> file operations (like chown, chmod to any mode/uid:gid).  There are two issues
> in pass-through security model
> 
> 1) TOCTTOU vulnerability: Following symbolic links in the server could
> provide access to files beyond 9p export path.
> 
> 2) When libvirt is configured to run qemu as non-root user (for example, if
> qemu is configured to run as normal user 'qemu'), running file operations on
> pass-through security model would fail because it needs root privileges.
> 
> To overcome above issues, following approach is suggested: A new filesytem
> type 'proxy' is introduced. Proxy FS uses chroot + socket combination for
> securing the vulnerability known with following symbolic links. Intention of 
> adding a new filesystem type is to allow qemu to run in non-root mode, but 
> doing privileged operations using socket IO.
> 
> A new binary (known as proxy helper) will be provided as part of qemu. Proxy
> helper will chroot into 9p export path and create a socket pair or a named
> socket based on the command line parameter. Qemu and proxy helper will
> communicate using this socket.
> 
> We need following changes in the libvirt code to accomodate new 'proxy' 
> filesystem type:
> If qemu 9p server is configured to use 'proxy' FS, libvirt will do
> * Create a socket pair
> * invoke proxy_helper binary with one of the socket id from the pair as
> command line parameters to it with root privilege
> * invoke qemu with one of socket id from the pair as paramter to qemu virtfs
> after dropping to the configured user privilege.
> ie, libvirt will invoke proxy_helper as:
> proxy_helper -i  -p <9p-path-to-export>
> 
> and qemu will be invoked with following virtfs parameter:
> -virtfs proxy,id=,sock_fd=
>   ,path=/tmp/,security_model=prox,mount_tag=v_pass

Interesting proposal. Explicitly comparing the security characteristics
of running QEMU as root, vs using the proxy helper

 * QEMU run as root

 - QEMU is root, with full capabilities
 - QEMU has read/write any file/dir, regardless of whether it is
   exported via 9p

 * QEMU run as non-root, with proxy_helper root

 - QEMU is non-root, with no capabilities
 - QEMU has write to only files with matching UID/GID
 - proxy_helper is root, with full capabilities
 - proxy_helper has read/write to any file/dir

Since QEMU can send arbitrary FS calls to the proxy_helper, the overall
security of the system clearly depends on the security of the proxy_helper
process.

If we assume that QEMU gets exploited, and that QEMU can find some flaw
in the proxy_helper that it can exploit, what damage can the proxy_helper
do ?  Clearly we want it to not be able to read/write any files other
than those exported, even when it becomes compromised, ideally also
without requiring SELinux/AppArmour to make it safe. If proxy_helper
is running as root with full capabilities, it can trivially escape
the chroot[1], so this isn't all that nice for overall system security.
The attacker simply needs to find a vulnerability in QEMU and in the
proxy_helper, instead of just in QEMU. We want a stronger guarantee
than that.

In order to be able to chown/chmod files etc, the proxy_helper is going
to require some elevated privileges, however, this does not actually
imply that proxy_helper needs to run as root. You don't want the proxy_helper
to be allowed todo various other things that root would be allowed, even
if it is inside a chroot. eg you don't want it being allowed to reboot,
mlock, change network setting, mount volumes, make device nodes, and
quite alot more.

Looking at the man page 'capabilities(7)', I'd venture to suggest that
the proxy_helper does not in fact need to run as the 'root' UID/GID at
all. All it needs is to have the CAP_CHOWN, CAP_DAC_OVERRIDE,
CAP_DAC_READ_SEARCH, CAP_FOWNER capabilities, at which point it could
still run as the 'qemu' user ID (or perhaps another 'qemuhelper' user
ID).

So in summary, I think you have a good idea to separate the file handling
code into a separate proxy_helper binary. It should not, however, be run
as root with all capabilities. It can start as root, and then drop to a
non-root user, only keeping the few capabilities it needs. Or in libvirt
case, libvirt can spawn it with the minimal set of capabilities directly.

eg

 * QEMU run as non-root, with proxy_helper partially privileged

 - QEMU is non-root, with no capabilities
 - QEMU has write to only files with matching UID/GID
 - proxy_helper is non-root, with selected capabilities
 - proxy_helper has read/write to any file/dir inside the
   chroot for the 9p export.


Regards,
Daniel

[1] http://www.bpfh.net/simes/computing/chroot-break.html
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org

Re: [Qemu-devel] qemu-kvm: Role of flush_icache_range on PPC

[Jan Kiszka]

On 2011-09-28 16:26, Alexander Graf wrote:


On 28.09.2011, at 16:23, Jan Kiszka wrote:


Alex,

we have this diff in qemu-kvm:

diff --git a/exec.c b/exec.c
index c1e045d..f188549 100644
--- a/exec.c
+++ b/exec.c
@@ -3950,6 +3955,11 @@ void cpu_physical_memory_rw(target_phys_addr_t addr, 
uint8_t *buf,
 cpu_physical_memory_set_dirty_flags(
 addr1, (0xff&  ~CODE_DIRTY_FLAG));
 }
+   /* qemu doesn't execute guest code directly, but kvm does
+  therefore flush instruction caches */
+   if (kvm_enabled())
+   flush_icache_range((unsigned long)ptr,
+  ((unsigned long)ptr)+l);
 qemu_put_ram_ptr(ptr);
 }
 } else {


flush_icache_range() is doing something only on PPC hosts. So do we need
this upstream?


This makes sure that when device emulation overwrites code that is already 
present in the cache of a CPU, it gets flushed from the icache. I'm fairly sure 
we want that :). But let's ask Ben and David as well.


/me wondered which write scenario precisely needs this. It could only be 
something synchronous /wrt to some VCPU. Which operations could trigger 
such a write? Does PPC inject software breakpoints in form of trap 
operations or so?


Mmm, according to our ancient recordings, the hunk above was once 
introduced for the sake of IA64: 9dc99a2823. I skipped it in my removal 
patch as it has some non-IA64 effect, at least potentially.


Jan

--
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] VirtIO 9p mount_tag (bogus?) limit of 32 bytes

[Daniel P. Berrange]

On Wed, Sep 28, 2011 at 05:22:06PM +0530, Harsh Bora wrote:
> On 09/22/2011 11:12 PM, Daniel P. Berrange wrote:
> >I've noticed that if you use a virtio 9p filesystem with a mount_tag
> >property value that is longer than 32 bytes, it gets silently truncated.
> >
> >In virtio-9p-device.c
> >
> > len = strlen(conf->tag);
> > if (len>  MAX_TAG_LEN) {
> > len = MAX_TAG_LEN;
> 
> I think its better to return here with a failure message saying
> mount_tag too long. IIUC, The 32 byte limit has been kept because of
> understanding that mount_tag is a device name in guest (and not a
> path location).

While I appreciate the fact that 'mount_tag' is not required to be
a path name, so you can allow symbolic naming for exports, in some
use cases it is important / significantly simpler to be able to just
set a path name. I don't think we should mandate symbolic naming,
or path based naming - we should just allow users to choose which
best suits their needs.

For example, I am building appliances which have multiple 9p devices
exported to the guest. These 9p filesystems are all mounted by the
'init' process in the initrd. If I'm forced to use symbolic naming
for devices, it means I need to create a custom initrd for every
appliance configuration I have (many many many of them), with the
init process knowing how to map from symbolic names back to the
mount paths I actually want. If I can just use a path for the
mount_tag, then one single initrd can be used for all my appliances.

So I really would like 'mount_tag' to be significantly larger upto
at least 255 bytes, or more.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] [PATCH] tcg-i386: Introduce specific deposit helpers

[Richard Henderson]

On 09/28/2011 07:33 AM, Jan Kiszka wrote:
>> I don't particularly care for the 3 different opcodes.  Perhaps
>> we'd be better off with an inline predicate for when the deposit
>> opcode is "valid"?
> 
> We still need to dispatch at tcg generation time which variant is valid. Or 
> what do you have in mind?

Yes, but we'd know at tcg generation time that it *does* fit one of
the few patterns you point out.

The predicate would be used in e.g. tcg_gen_deposit_i32 to select
either INDEX_op_deposit_i32 or the and/shift/and/or fallback.


r~

[Qemu-devel] [PATCH 16/21] qapi: Convert query-chardev

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp.c|   13 +
 hmp.h|1 +
 monitor.c|   11 +--
 qapi-schema.json |   26 ++
 qemu-char.c  |   35 +++
 qmp-commands.hx  |6 ++
 6 files changed, 58 insertions(+), 34 deletions(-)

diff --git a/hmp.c b/hmp.c
index 1cd40ae..91de86c 100644
--- a/hmp.c
+++ b/hmp.c
@@ -80,3 +80,16 @@ void hmp_info_uuid(Monitor *mon)
 monitor_printf(mon, "%s\n", info->UUID);
 qapi_free_UuidInfo(info);
 }
+
+void hmp_info_chardev(Monitor *mon)
+{
+ChardevInfoList *char_info, *info;
+
+char_info = qmp_query_chardev(NULL);
+for (info = char_info; info; info = info->next) {
+monitor_printf(mon, "%s: filename=%s\n", info->value->label,
+ info->value->filename);
+}
+
+qapi_free_ChardevInfoList(char_info);
+}
diff --git a/hmp.h b/hmp.h
index 49a5971..7388f9a 100644
--- a/hmp.h
+++ b/hmp.h
@@ -22,5 +22,6 @@ void hmp_info_version(Monitor *mon);
 void hmp_info_kvm(Monitor *mon);
 void hmp_info_status(Monitor *mon);
 void hmp_info_uuid(Monitor *mon);
+void hmp_info_chardev(Monitor *mon);
 
 #endif
diff --git a/monitor.c b/monitor.c
index d294bc9..66b3004 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2777,8 +2777,7 @@ static const mon_cmd_t info_cmds[] = {
 .args_type  = "",
 .params = "",
 .help   = "show the character devices",
-.user_print = qemu_chr_info_print,
-.mhandler.info_new = qemu_chr_info,
+.mhandler.info = hmp_info_chardev,
 },
 {
 .name   = "block",
@@ -3060,14 +3059,6 @@ static const mon_cmd_t qmp_query_cmds[] = {
 .mhandler.info_new = do_info_commands,
 },
 {
-.name   = "chardev",
-.args_type  = "",
-.params = "",
-.help   = "show the character devices",
-.user_print = qemu_chr_info_print,
-.mhandler.info_new = qemu_chr_info,
-},
-{
 .name   = "block",
 .args_type  = "",
 .params = "",
diff --git a/qapi-schema.json b/qapi-schema.json
index b678f07..2ebcb1c 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -176,3 +176,29 @@
 ##
 { 'command': 'query-uuid', 'returns': 'UuidInfo' }
 
+##
+# @ChardevInfo:
+#
+# Information about a character device.
+#
+# @label: the label of the character device
+#
+# @filename: the filename of the character device
+#
+# Notes: @filename is encoded using the QEMU command line character device
+#encoding.  See the QEMU man page for details.
+#
+# Since: 0.14.0
+##
+{ 'type': 'ChardevInfo', 'data': {'label': 'str', 'filename': 'str'} }
+
+##
+# @query-chardev:
+#
+# Returns information about current character devices.
+#
+# Returns: a list of @ChardevInfo
+#
+# Since: 0.14.0
+##
+{ 'command': 'query-chardev', 'returns': ['ChardevInfo'] }
diff --git a/qemu-char.c b/qemu-char.c
index 09d2309..8bdbcfd 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -31,7 +31,7 @@
 #include "hw/usb.h"
 #include "hw/baum.h"
 #include "hw/msmouse.h"
-#include "qemu-objects.h"
+#include "qmp-commands.h"
 
 #include 
 #include 
@@ -2650,35 +2650,22 @@ void qemu_chr_delete(CharDriverState *chr)
 g_free(chr);
 }
 
-static void qemu_chr_qlist_iter(QObject *obj, void *opaque)
+ChardevInfoList *qmp_query_chardev(Error **errp)
 {
-QDict *chr_dict;
-Monitor *mon = opaque;
-
-chr_dict = qobject_to_qdict(obj);
-monitor_printf(mon, "%s: filename=%s\n", qdict_get_str(chr_dict, "label"),
- qdict_get_str(chr_dict, "filename"));
-}
-
-void qemu_chr_info_print(Monitor *mon, const QObject *ret_data)
-{
-qlist_iter(qobject_to_qlist(ret_data), qemu_chr_qlist_iter, mon);
-}
-
-void qemu_chr_info(Monitor *mon, QObject **ret_data)
-{
-QList *chr_list;
+ChardevInfoList *chr_list = NULL;
 CharDriverState *chr;
 
-chr_list = qlist_new();
-
 QTAILQ_FOREACH(chr, &chardevs, next) {
-QObject *obj = qobject_from_jsonf("{ 'label': %s, 'filename': %s }",
-  chr->label, chr->filename);
-qlist_append_obj(chr_list, obj);
+ChardevInfoList *info = g_malloc0(sizeof(*info));
+info->value = g_malloc0(sizeof(*info->value));
+info->value->label = g_strdup(chr->label);
+info->value->filename = g_strdup(chr->filename);
+
+info->next = chr_list;
+chr_list = info;
 }
 
-*ret_data = QOBJECT(chr_list);
+return chr_list;
 }
 
 CharDriverState *qemu_chr_find(const char *name)
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 4fef25f..dfc02af 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1120,6 +1120,12 @@ Example:
 
 EQMP
 
+{
+.name   = "query-chardev",
+.args_type  = "",
+.mhandler.cmd_new = qmp_marshal_input_quer

[Qemu-devel] [PATCH 09/21] qapi: dealloc visitor, support freeing of nested lists

[Luiz Capitulino]

From: Michael Roth 

Previously our logic for keeping track of when we're visiting the head
of a list was done via a global bool. This can be overwritten if dealing
with nested lists, so use stack entries to track this instead.

Signed-off-by: Michael Roth 
Signed-off-by: Luiz Capitulino 
---
 qapi/qapi-dealloc-visitor.c |   28 +---
 1 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/qapi/qapi-dealloc-visitor.c b/qapi/qapi-dealloc-visitor.c
index 6b586ad..a154523 100644
--- a/qapi/qapi-dealloc-visitor.c
+++ b/qapi/qapi-dealloc-visitor.c
@@ -19,6 +19,7 @@
 typedef struct StackEntry
 {
 void *value;
+bool is_list_head;
 QTAILQ_ENTRY(StackEntry) node;
 } StackEntry;
 
@@ -39,6 +40,11 @@ static void qapi_dealloc_push(QapiDeallocVisitor *qov, void 
*value)
 StackEntry *e = g_malloc0(sizeof(*e));
 
 e->value = value;
+
+/* see if we're just pushing a list head tracker */
+if (value == NULL) {
+e->is_list_head = true;
+}
 QTAILQ_INSERT_HEAD(&qov->stack, e, node);
 }
 
@@ -72,7 +78,7 @@ static void qapi_dealloc_end_struct(Visitor *v, Error **errp)
 static void qapi_dealloc_start_list(Visitor *v, const char *name, Error **errp)
 {
 QapiDeallocVisitor *qov = to_qov(v);
-qov->is_list_head = true;
+qapi_dealloc_push(qov, NULL);
 }
 
 static GenericList *qapi_dealloc_next_list(Visitor *v, GenericList **listp,
@@ -80,19 +86,27 @@ static GenericList *qapi_dealloc_next_list(Visitor *v, 
GenericList **listp,
 {
 GenericList *list = *listp;
 QapiDeallocVisitor *qov = to_qov(v);
+StackEntry *e = QTAILQ_FIRST(&qov->stack);
 
-if (!qov->is_list_head) {
-*listp = list->next;
-g_free(list);
-return *listp;
+if (e && e->is_list_head) {
+e->is_list_head = false;
+return list;
 }
 
-qov->is_list_head = false;
-return list;
+if (list) {
+list = list->next;
+g_free(*listp);
+return list;
+}
+
+return NULL;
 }
 
 static void qapi_dealloc_end_list(Visitor *v, Error **errp)
 {
+QapiDeallocVisitor *qov = to_qov(v);
+void *obj = qapi_dealloc_pop(qov);
+assert(obj == NULL); /* should've been list head tracker with no payload */
 }
 
 static void qapi_dealloc_type_str(Visitor *v, char **obj, const char *name,
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 01/21] error: let error_is_type take a NULL error

[Luiz Capitulino]

From: Anthony Liguori 

Reported-by: Luiz Capitulino 
Signed-off-by: Anthony Liguori 
Signed-off-by: Luiz Capitulino 
---
 error.c |4 
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/error.c b/error.c
index b802752..68c0039 100644
--- a/error.c
+++ b/error.c
@@ -97,6 +97,10 @@ bool error_is_type(Error *err, const char *fmt)
 char *ptr;
 char *end;
 
+if (!err) {
+return false;
+}
+
 ptr = strstr(fmt, "'class': '");
 assert(ptr != NULL);
 ptr += strlen("'class': '");
-- 
1.7.7.rc0.72.g4b5ea

Re: [Qemu-devel] How to configure a QEmu NIC in bridge mode?

[Ottavio]

> From: Luiz Antonio Falaguasta Barbosa 
> To: qemu-devel@nongnu.org
> Date: Wed, 28 Sep 2011 11:48:05 -0300
> Subject: [Qemu-devel] How to configure a QEmu NIC in bridge mode?
> Hi guys,
> I know this is not a list of QEmu users, but how it doesn't exist, I'll ask 
> it here. If antbody could help me, I'll be greatful!

An unofficial qemu-users mailing list is here:
http://tech.groups.yahoo.com/group/qemu-users/

You won't find much there yet.

> Please, does anybody know how to configure a QEmu NIC in bridge mode?
> Thank you in advance!

Have you looked at the qemu-doc.html file:
http://qemu.weilnetz.de/qemu-doc.html#sec_005finvocation
and:
http://en.wikibooks.org/wiki/QEMU/Networking

-net tap[,vlan=n][,name=name][,fd=h][,ifname=name]
[,script=file][,downscript=dfile]
Connect the host TAP network interface name to VLAN n, use the
network script file to configure it and the network script dfile to
deconfigure it. If name is not provided, the OS automatically provides
one. fd=h can be used to specify the handle of an already opened host
TAP interface. The default network configure script is /etc/qemu-ifup
and the default network deconfigure script is /etc/qemu-ifdown. Use
script=no or downscript=no to disable script execution. Example:

 qemu linux.img -net nic -net tap

More complicated example (two NICs, each one connected to a TAP device)

 qemu linux.img -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 \
 -net nic,vlan=1 -net tap,vlan=1,ifname=tap1




-- 
Ottavio


A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

[Qemu-devel] [PATCH 13/21] qapi: Convert query-kvm

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp.c|   16 
 hmp.h|1 +
 monitor.c|   36 +---
 qapi-schema.json |   25 +
 qmp-commands.hx  |6 ++
 qmp.c|   13 +
 6 files changed, 62 insertions(+), 35 deletions(-)

diff --git a/hmp.c b/hmp.c
index bb6c86f..94a7f74 100644
--- a/hmp.c
+++ b/hmp.c
@@ -37,3 +37,19 @@ void hmp_info_version(Monitor *mon)
 
 qapi_free_VersionInfo(info);
 }
+
+void hmp_info_kvm(Monitor *mon)
+{
+KvmInfo *info;
+
+info = qmp_query_kvm(NULL);
+monitor_printf(mon, "kvm support: ");
+if (info->present) {
+monitor_printf(mon, "%s\n", info->enabled ? "enabled" : "disabled");
+} else {
+monitor_printf(mon, "not compiled\n");
+}
+
+qapi_free_KvmInfo(info);
+}
+
diff --git a/hmp.h b/hmp.h
index 2aa75a2..a93ac1f 100644
--- a/hmp.h
+++ b/hmp.h
@@ -19,5 +19,6 @@
 
 void hmp_info_name(Monitor *mon);
 void hmp_info_version(Monitor *mon);
+void hmp_info_kvm(Monitor *mon);
 
 #endif
diff --git a/monitor.c b/monitor.c
index 9edc38c..edb56b9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2424,31 +2424,6 @@ static void tlb_info(Monitor *mon)
 }
 #endif
 
-static void do_info_kvm_print(Monitor *mon, const QObject *data)
-{
-QDict *qdict;
-
-qdict = qobject_to_qdict(data);
-
-monitor_printf(mon, "kvm support: ");
-if (qdict_get_bool(qdict, "present")) {
-monitor_printf(mon, "%s\n", qdict_get_bool(qdict, "enabled") ?
-"enabled" : "disabled");
-} else {
-monitor_printf(mon, "not compiled\n");
-}
-}
-
-static void do_info_kvm(Monitor *mon, QObject **ret_data)
-{
-#ifdef CONFIG_KVM
-*ret_data = qobject_from_jsonf("{ 'enabled': %i, 'present': true }",
-   kvm_enabled());
-#else
-*ret_data = qobject_from_jsonf("{ 'enabled': false, 'present': false }");
-#endif
-}
-
 static void do_info_numa(Monitor *mon)
 {
 int i;
@@ -2942,8 +2917,7 @@ static const mon_cmd_t info_cmds[] = {
 .args_type  = "",
 .params = "",
 .help   = "show KVM information",
-.user_print = do_info_kvm_print,
-.mhandler.info_new = do_info_kvm,
+.mhandler.info = hmp_info_kvm,
 },
 {
 .name   = "numa",
@@ -3175,14 +3149,6 @@ static const mon_cmd_t qmp_query_cmds[] = {
 .mhandler.info_new = do_pci_info,
 },
 {
-.name   = "kvm",
-.args_type  = "",
-.params = "",
-.help   = "show KVM information",
-.user_print = do_info_kvm_print,
-.mhandler.info_new = do_info_kvm,
-},
-{
 .name   = "status",
 .args_type  = "",
 .params = "",
diff --git a/qapi-schema.json b/qapi-schema.json
index 3c0ac4e..641f12d 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -60,3 +60,28 @@
 # Since: 0.14.0
 ##
 { 'command': 'query-version', 'returns': 'VersionInfo' }
+
+##
+# @KvmInfo:
+#
+# Information about support for KVM acceleration
+#
+# @enabled: true if KVM acceleration is active
+#
+# @present: true if KVM acceleration is built into this executable
+#
+# Since: 0.14.0
+##
+{ 'type': 'KvmInfo', 'data': {'enabled': 'bool', 'present': 'bool'} }
+
+##
+# @query-kvm:
+#
+# Returns information about KVM acceleration
+#
+# Returns: @KvmInfo
+#
+# Since: 0.14.0
+##
+{ 'command': 'query-kvm', 'returns': 'KvmInfo' }
+
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 9f067ea..9f9751d 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1570,6 +1570,12 @@ Example:
 
 EQMP
 
+{
+.name   = "query-kvm",
+.args_type  = "",
+.mhandler.cmd_new = qmp_marshal_input_query_kvm,
+},
+
 SQMP
 query-status
 
diff --git a/qmp.c b/qmp.c
index f978ea4..8f7f666 100644
--- a/qmp.c
+++ b/qmp.c
@@ -14,6 +14,8 @@
 #include "qemu-common.h"
 #include "sysemu.h"
 #include "qmp-commands.h"
+#include "kvm.h"
+#include "arch_init.h"
 
 NameInfo *qmp_query_name(Error **errp)
 {
@@ -42,3 +44,14 @@ VersionInfo *qmp_query_version(Error **err)
 
 return info;
 }
+
+KvmInfo *qmp_query_kvm(Error **errp)
+{
+KvmInfo *info = g_malloc0(sizeof(*info));
+
+info->enabled = kvm_enabled();
+info->present = kvm_available();
+
+return info;
+}
+
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 19/21] qapi: Convert stop

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp-commands.hx  |3 +--
 hmp.c|5 +
 hmp.h|1 +
 monitor.c|9 -
 qapi-schema.json |   12 
 qmp-commands.hx  |5 +
 qmp.c|5 +
 7 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 2163e6f..3ad1ce7 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -290,8 +290,7 @@ ETEXI
 .args_type  = "",
 .params = "",
 .help   = "stop emulation",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_stop,
+.mhandler.cmd = hmp_stop,
 },
 
 STEXI
diff --git a/hmp.c b/hmp.c
index 1f7000a..871f858 100644
--- a/hmp.c
+++ b/hmp.c
@@ -99,3 +99,8 @@ void hmp_quit(Monitor *mon, const QDict *qdict)
 monitor_suspend(mon);
 qmp_quit(NULL);
 }
+
+void hmp_stop(Monitor *mon, const QDict *qdict)
+{
+qmp_stop(NULL);
+}
diff --git a/hmp.h b/hmp.h
index a3dfafd..cb21cce 100644
--- a/hmp.h
+++ b/hmp.h
@@ -24,5 +24,6 @@ void hmp_info_status(Monitor *mon);
 void hmp_info_uuid(Monitor *mon);
 void hmp_info_chardev(Monitor *mon);
 void hmp_quit(Monitor *mon, const QDict *qdict);
+void hmp_stop(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/monitor.c b/monitor.c
index 42c754a..b4a58b1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1211,15 +1211,6 @@ static void do_singlestep(Monitor *mon, const QDict 
*qdict)
 }
 }
 
-/**
- * do_stop(): Stop VM execution
- */
-static int do_stop(Monitor *mon, const QDict *qdict, QObject **ret_data)
-{
-vm_stop(RSTATE_PAUSED);
-return 0;
-}
-
 static void encrypted_bdrv_it(void *opaque, BlockDriverState *bs);
 
 struct bdrv_iterate_context {
diff --git a/qapi-schema.json b/qapi-schema.json
index d6a60d2..830a508 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -236,3 +236,15 @@
 # Since: 0.14.0
 ##
 { 'command': 'quit' }
+
+##
+# @stop:
+#
+# Stop all guest VCPU execution.
+#
+# Since:  0.14.0
+#
+# Notes:  This function will succeed even if the guest is already in the 
stopped
+# state
+##
+{ 'command': 'stop' }
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 151a5fa..2ccddee 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -178,10 +178,7 @@ EQMP
 {
 .name   = "stop",
 .args_type  = "",
-.params = "",
-.help   = "stop emulation",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_stop,
+.mhandler.cmd_new = qmp_marshal_input_stop,
 },
 
 SQMP
diff --git a/qmp.c b/qmp.c
index 1d380b6..e17c8b2 100644
--- a/qmp.c
+++ b/qmp.c
@@ -76,3 +76,8 @@ void qmp_quit(Error **err)
 qemu_system_shutdown_request();
 }
 
+void qmp_stop(Error **errp)
+{
+vm_stop(RSTATE_PAUSED);
+}
+
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 10/21] qapi: modify visitor code generation for list iteration

[Luiz Capitulino]

From: Michael Roth 

Modify logic such that we never assign values to the list head argument
to progress through the list on subsequent iterations, instead rely only
on having our return value passed back in as an argument on the next
call. Also update QMP I/O visitors and test cases accordingly, and add a
missing test case for QmpOutputVisitor.

Signed-off-by: Michael Roth 
Signed-off-by: Luiz Capitulino 
---
 qapi/qmp-input-visitor.c  |4 +-
 qapi/qmp-output-visitor.c |   20 +++---
 scripts/qapi-visit.py |4 +-
 test-visitor.c|   48 +---
 4 files changed, 60 insertions(+), 16 deletions(-)

diff --git a/qapi/qmp-input-visitor.c b/qapi/qmp-input-visitor.c
index fcf8bf9..8cbc0ab 100644
--- a/qapi/qmp-input-visitor.c
+++ b/qapi/qmp-input-visitor.c
@@ -144,8 +144,6 @@ static GenericList *qmp_input_next_list(Visitor *v, 
GenericList **list,
 }
 (*list)->next = entry;
 }
-*list = entry;
-
 
 return entry;
 }
@@ -240,9 +238,11 @@ static void qmp_input_type_enum(Visitor *v, int *obj, 
const char *strings[],
 
 if (strings[value] == NULL) {
 error_set(errp, QERR_INVALID_PARAMETER, name ? name : "null");
+g_free(enum_str);
 return;
 }
 
+g_free(enum_str);
 *obj = value;
 }
 
diff --git a/qapi/qmp-output-visitor.c b/qapi/qmp-output-visitor.c
index 4419a31..d67724e 100644
--- a/qapi/qmp-output-visitor.c
+++ b/qapi/qmp-output-visitor.c
@@ -20,6 +20,7 @@
 typedef struct QStackEntry
 {
 QObject *value;
+bool is_list_head;
 QTAILQ_ENTRY(QStackEntry) node;
 } QStackEntry;
 
@@ -45,6 +46,9 @@ static void qmp_output_push_obj(QmpOutputVisitor *qov, 
QObject *value)
 QStackEntry *e = g_malloc0(sizeof(*e));
 
 e->value = value;
+if (qobject_type(e->value) == QTYPE_QLIST) {
+e->is_list_head = true;
+}
 QTAILQ_INSERT_HEAD(&qov->stack, e, node);
 }
 
@@ -122,12 +126,20 @@ static void qmp_output_start_list(Visitor *v, const char 
*name, Error **errp)
 qmp_output_push(qov, list);
 }
 
-static GenericList *qmp_output_next_list(Visitor *v, GenericList **list,
+static GenericList *qmp_output_next_list(Visitor *v, GenericList **listp,
  Error **errp)
 {
-GenericList *retval = *list;
-*list = retval->next;
-return retval;
+GenericList *list = *listp;
+QmpOutputVisitor *qov = to_qov(v);
+QStackEntry *e = QTAILQ_FIRST(&qov->stack);
+
+assert(e);
+if (e->is_list_head) {
+e->is_list_head = false;
+return list;
+}
+
+return list ? list->next : NULL;
 }
 
 static void qmp_output_end_list(Visitor *v, Error **errp)
diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index 252230e..62de83d 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -79,11 +79,11 @@ def generate_visit_list(name, members):
 
 void visit_type_%(name)sList(Visitor *m, %(name)sList ** obj, const char 
*name, Error **errp)
 {
-GenericList *i;
+GenericList *i, **head = (GenericList **)obj;
 
 visit_start_list(m, name, errp);
 
-for (i = visit_next_list(m, (GenericList **)obj, errp); i; i = 
visit_next_list(m, &i, errp)) {
+for (*head = i = visit_next_list(m, head, errp); i; i = visit_next_list(m, 
&i, errp)) {
 %(name)sList *native_i = (%(name)sList *)i;
 visit_type_%(name)s(m, &native_i->value, NULL, errp);
 }
diff --git a/test-visitor.c b/test-visitor.c
index b7717de..847ce14 100644
--- a/test-visitor.c
+++ b/test-visitor.c
@@ -27,11 +27,11 @@ static void visit_type_TestStruct(Visitor *v, TestStruct 
**obj, const char *name
 
 static void visit_type_TestStructList(Visitor *m, TestStructList ** obj, const 
char *name, Error **errp)
 {
-GenericList *i;
+GenericList *i, **head = (GenericList **)obj;
 
 visit_start_list(m, name, errp);
 
-for (i = visit_next_list(m, (GenericList **)obj, errp); i; i = 
visit_next_list(m, &i, errp)) {
+for (*head = i = visit_next_list(m, head, errp); i; i = visit_next_list(m, 
&i, errp)) {
 TestStructList *native_i = (TestStructList *)i;
 visit_type_TestStruct(m, &native_i->value, NULL, errp);
 }
@@ -50,6 +50,8 @@ static void test_visitor_core(void)
 TestStructList *lts = NULL;
 Error *err = NULL;
 QObject *obj;
+QList *qlist;
+QDict *qdict;
 QString *str;
 int64_t value = 0;
 
@@ -96,7 +98,9 @@ static void test_visitor_core(void)
 g_assert(pts->y == 84);
 
 qobject_decref(obj);
+g_free(pts);
 
+/* test list input visitor */
 obj = qobject_from_json("[{'x': 42, 'y': 84}, {'x': 12, 'y': 24}]");
 mi = qmp_input_visitor_new(obj);
 v = qmp_input_get_visitor(mi);
@@ -110,14 +114,41 @@ static void test_visitor_core(void)
 g_assert(lts->value->x == 42);
 g_assert(lts->value->y == 84);
 
-lts = lts->next;
-g_assert(lts != NULL);
-g_assert(lts->value->x == 12);
-g_assert(lts->value->y == 24);
+g_as

[Qemu-devel] [PATCH 15/21] qapi: Convert query-uuid

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp.c|8 
 hmp.h|1 +
 monitor.c|   28 +---
 qapi-schema.json |   24 
 qmp-commands.hx  |6 ++
 qmp.c|   15 +++
 6 files changed, 55 insertions(+), 27 deletions(-)

diff --git a/hmp.c b/hmp.c
index 9e7f07e..1cd40ae 100644
--- a/hmp.c
+++ b/hmp.c
@@ -72,3 +72,11 @@ void hmp_info_status(Monitor *mon)
 qapi_free_StatusInfo(info);
 }
 
+void hmp_info_uuid(Monitor *mon)
+{
+UuidInfo *info;
+
+info = qmp_query_uuid(NULL);
+monitor_printf(mon, "%s\n", info->UUID);
+qapi_free_UuidInfo(info);
+}
diff --git a/hmp.h b/hmp.h
index df4242f..49a5971 100644
--- a/hmp.h
+++ b/hmp.h
@@ -21,5 +21,6 @@ void hmp_info_name(Monitor *mon);
 void hmp_info_version(Monitor *mon);
 void hmp_info_kvm(Monitor *mon);
 void hmp_info_status(Monitor *mon);
+void hmp_info_uuid(Monitor *mon);
 
 #endif
diff --git a/monitor.c b/monitor.c
index f641504..d294bc9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -765,23 +765,6 @@ static void do_info_commands(Monitor *mon, QObject 
**ret_data)
 *ret_data = QOBJECT(cmd_list);
 }
 
-static void do_info_uuid_print(Monitor *mon, const QObject *data)
-{
-monitor_printf(mon, "%s\n", qdict_get_str(qobject_to_qdict(data), "UUID"));
-}
-
-static void do_info_uuid(Monitor *mon, QObject **ret_data)
-{
-char uuid[64];
-
-snprintf(uuid, sizeof(uuid), UUID_FMT, qemu_uuid[0], qemu_uuid[1],
-   qemu_uuid[2], qemu_uuid[3], qemu_uuid[4], qemu_uuid[5],
-   qemu_uuid[6], qemu_uuid[7], qemu_uuid[8], qemu_uuid[9],
-   qemu_uuid[10], qemu_uuid[11], qemu_uuid[12], qemu_uuid[13],
-   qemu_uuid[14], qemu_uuid[15]);
-*ret_data = qobject_from_jsonf("{ 'UUID': %s }", uuid);
-}
-
 /* get the current CPU defined by the user */
 static int mon_set_cpu(int cpu_index)
 {
@@ -2983,8 +2966,7 @@ static const mon_cmd_t info_cmds[] = {
 .args_type  = "",
 .params = "",
 .help   = "show the current VM UUID",
-.user_print = do_info_uuid_print,
-.mhandler.info_new = do_info_uuid,
+.mhandler.info = hmp_info_uuid,
 },
 #if defined(TARGET_PPC)
 {
@@ -3144,14 +3126,6 @@ static const mon_cmd_t qmp_query_cmds[] = {
 },
 #endif
 {
-.name   = "uuid",
-.args_type  = "",
-.params = "",
-.help   = "show the current VM UUID",
-.user_print = do_info_uuid_print,
-.mhandler.info_new = do_info_uuid,
-},
-{
 .name   = "migrate",
 .args_type  = "",
 .params = "",
diff --git a/qapi-schema.json b/qapi-schema.json
index de0f807..b678f07 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -152,3 +152,27 @@
 ##
 { 'command': 'query-status', 'returns': 'StatusInfo' }
 
+##
+# @UuidInfo:
+#
+# Guest UUID information.
+#
+# @UUID: the UUID of the guest
+#
+# Since: 0.14.0
+#
+# Notes: If no UUID was specified for the guest, a null UUID is returned.
+##
+{ 'type': 'UuidInfo', 'data': {'UUID': 'str'} }
+
+##
+# @query-uuid:
+#
+# Query the guest UUID information.
+#
+# Returns: The @UuidInfo for the guest
+#
+# Since 0.14.0
+##
+{ 'command': 'query-uuid', 'returns': 'UuidInfo' }
+
diff --git a/qmp-commands.hx b/qmp-commands.hx
index afa95bd..4fef25f 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1821,6 +1821,12 @@ Example:
 
 EQMP
 
+{
+.name   = "query-uuid",
+.args_type  = "",
+.mhandler.cmd_new = qmp_marshal_input_query_uuid,
+},
+
 SQMP
 query-migrate
 -
diff --git a/qmp.c b/qmp.c
index 8f7f666..58337c7 100644
--- a/qmp.c
+++ b/qmp.c
@@ -55,3 +55,18 @@ KvmInfo *qmp_query_kvm(Error **errp)
 return info;
 }
 
+UuidInfo *qmp_query_uuid(Error **errp)
+{
+UuidInfo *info = g_malloc0(sizeof(*info));
+char uuid[64];
+
+snprintf(uuid, sizeof(uuid), UUID_FMT, qemu_uuid[0], qemu_uuid[1],
+   qemu_uuid[2], qemu_uuid[3], qemu_uuid[4], qemu_uuid[5],
+   qemu_uuid[6], qemu_uuid[7], qemu_uuid[8], qemu_uuid[9],
+   qemu_uuid[10], qemu_uuid[11], qemu_uuid[12], qemu_uuid[13],
+   qemu_uuid[14], qemu_uuid[15]);
+
+info->UUID = g_strdup(uuid);
+return info;
+}
+
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 20/21] qapi: Convert system_reset

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp-commands.hx  |3 +--
 hmp.c|5 +
 hmp.h|1 +
 monitor.c|   10 --
 qapi-schema.json |9 +
 qmp-commands.hx  |5 +
 qmp.c|4 
 7 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 3ad1ce7..b2f5cd1 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -477,8 +477,7 @@ ETEXI
 .args_type  = "",
 .params = "",
 .help   = "reset the system",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_system_reset,
+.mhandler.cmd = hmp_system_reset,
 },
 
 STEXI
diff --git a/hmp.c b/hmp.c
index 871f858..d8b4de6 100644
--- a/hmp.c
+++ b/hmp.c
@@ -104,3 +104,8 @@ void hmp_stop(Monitor *mon, const QDict *qdict)
 {
 qmp_stop(NULL);
 }
+
+void hmp_system_reset(Monitor *mon, const QDict *qdict)
+{
+qmp_system_reset(NULL);
+}
diff --git a/hmp.h b/hmp.h
index cb21cce..a49a6e6 100644
--- a/hmp.h
+++ b/hmp.h
@@ -25,5 +25,6 @@ void hmp_info_uuid(Monitor *mon);
 void hmp_info_chardev(Monitor *mon);
 void hmp_quit(Monitor *mon, const QDict *qdict);
 void hmp_stop(Monitor *mon, const QDict *qdict);
+void hmp_system_reset(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/monitor.c b/monitor.c
index b4a58b1..de6a865 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1929,16 +1929,6 @@ static void do_boot_set(Monitor *mon, const QDict *qdict)
 }
 
 /**
- * do_system_reset(): Issue a machine reset
- */
-static int do_system_reset(Monitor *mon, const QDict *qdict,
-   QObject **ret_data)
-{
-qemu_system_reset_request();
-return 0;
-}
-
-/**
  * do_system_powerdown(): Issue a machine powerdown
  */
 static int do_system_powerdown(Monitor *mon, const QDict *qdict,
diff --git a/qapi-schema.json b/qapi-schema.json
index 830a508..e14f2f7 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -248,3 +248,12 @@
 # state
 ##
 { 'command': 'stop' }
+
+##
+# @system_reset:
+#
+# Performs a hard reset of a guest.
+#
+# Since: 0.14.0
+##
+{ 'command': 'system_reset' }
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 2ccddee..ea96191 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -223,10 +223,7 @@ EQMP
 {
 .name   = "system_reset",
 .args_type  = "",
-.params = "",
-.help   = "reset the system",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_system_reset,
+.mhandler.cmd_new = qmp_marshal_input_system_reset,
 },
 
 SQMP
diff --git a/qmp.c b/qmp.c
index e17c8b2..6767640 100644
--- a/qmp.c
+++ b/qmp.c
@@ -81,3 +81,7 @@ void qmp_stop(Error **errp)
 vm_stop(RSTATE_PAUSED);
 }
 
+void qmp_system_reset(Error **errp)
+{
+qemu_system_reset_request();
+}
-- 
1.7.7.rc0.72.g4b5ea

Re: [Qemu-devel] [PATCH] [SPARC] Fix segfault in Leon3

[Fabien Chouteau]

On 24/09/2011 10:29, Blue Swirl wrote:
> On Thu, Sep 22, 2011 at 3:42 PM, Fabien Chouteau  wrote:
>> Remove faulty access to global "env" in op_helper.c, replaced by function 
>> argument.
>>
>> Signed-off-by: Fabien Chouteau 
>> ---
>>  target-sparc/cpu.h   |   10 ++
>>  target-sparc/helper.c|2 +-
>>  target-sparc/op_helper.c |6 +++---
>>  3 files changed, 10 insertions(+), 8 deletions(-)
>>
>> diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
>> index 19de5ba..8245258 100644
>> --- a/target-sparc/cpu.h
>> +++ b/target-sparc/cpu.h
>> @@ -356,7 +356,9 @@ struct QEMUFile;
>>  void cpu_put_timer(struct QEMUFile *f, CPUTimer *s);
>>  void cpu_get_timer(struct QEMUFile *f, CPUTimer *s);
>>
>> -typedef struct CPUSPARCState {
>> +typedef struct CPUSPARCState CPUSPARCState;
> 
> Please remove these changes. Using CPUState instead of CPUSPARCState
> makes the code more easily reusable across targets.
> 
>> +
>> +struct CPUSPARCState {
>> target_ulong gregs[8]; /* general registers */
>> target_ulong *regwptr; /* pointer to current register window */
>> target_ulong pc;   /* program counter */
>> @@ -478,11 +480,11 @@ typedef struct CPUSPARCState {
>> sparc_def_t *def;
>>
>> void *irq_manager;
>> -void (*qemu_irq_ack) (void *irq_manager, int intno);
>> +void (*qemu_irq_ack) (CPUSPARCState *env, void *irq_manager, int intno);
>>
>> /* Leon3 cache control */
>> uint32_t cache_control;
>> -} CPUSPARCState;
>> +};
>>
>>  #ifndef NO_CPU_IO_DEFS
>>  /* helper.c */
>> @@ -521,7 +523,7 @@ void cpu_change_pstate(CPUState *env1, uint32_t 
>> new_pstate);
>>  int cpu_cwp_inc(CPUState *env1, int cwp);
>>  int cpu_cwp_dec(CPUState *env1, int cwp);
>>  void cpu_set_cwp(CPUState *env1, int new_cwp);
>> -void leon3_irq_manager(void *irq_manager, int intno);
>> +void leon3_irq_manager(CPUSPARCState *env, void *irq_manager, int intno);
>>
>>  /* sun4m.c, sun4u.c */
>>  void cpu_check_irqs(CPUSPARCState *env);
>> diff --git a/target-sparc/helper.c b/target-sparc/helper.c
>> index c80531a..a84796c 100644
>> --- a/target-sparc/helper.c
>> +++ b/target-sparc/helper.c
>> @@ -1119,7 +1119,7 @@ void do_interrupt(CPUState *env)
>>  #if !defined(CONFIG_USER_ONLY)
>> /* IRQ acknowledgment */
>> if ((intno & ~15) == TT_EXTINT && env->qemu_irq_ack != NULL) {
>> -env->qemu_irq_ack(env->irq_manager, intno);
>> +env->qemu_irq_ack(env, env->irq_manager, intno);
>> }
>>  #endif
>>  }
>> diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
>> index 48e1db8..ee90268 100644
>> --- a/target-sparc/op_helper.c
>> +++ b/target-sparc/op_helper.c
>> @@ -1667,7 +1667,7 @@ static void dump_asi(const char *txt, target_ulong 
>> addr, int asi, int size,
>>
>>  /* Leon3 cache control */
>>
>> -static void leon3_cache_control_int(void)
>> +static void leon3_cache_control_int(CPUSPARCState *env)
>>  {
>> uint32_t state = 0;
>>
>> @@ -1760,10 +1760,10 @@ static uint64_t leon3_cache_control_ld(target_ulong 
>> addr, int size)
>> return ret;
>>  }
>>
>> -void leon3_irq_manager(void *irq_manager, int intno)
>> +void leon3_irq_manager(CPUSPARCState *env, void *irq_manager, int intno)
> 
> There is actually no need for this code to remain in op_helper.c after
> this, it can be moved to helper.c. My AREG0 patches also make the same
> changes (unfortunately I didn't realize that it also fixes a bug) but
> also move the code to int_helper.c which is not compiled with
> HELPER_CFLAGS. I can rebase if you'd like this fix applied before
> that.

I'll wait for your patches to be applied.

Thanks,

-- 
Fabien Chouteau

[Qemu-devel] [PATCH 05/21] qapi: fixup command generation for functions that return list types

[Luiz Capitulino]

From: Anthony Liguori 

Signed-off-by: Anthony Liguori 
Signed-off-by: Luiz Capitulino 
---
 scripts/qapi-commands.py |   23 +++
 1 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/scripts/qapi-commands.py b/scripts/qapi-commands.py
index 2776804..c947ba4 100644
--- a/scripts/qapi-commands.py
+++ b/scripts/qapi-commands.py
@@ -17,12 +17,18 @@ import os
 import getopt
 import errno
 
+def type_visitor(name):
+if type(name) == list:
+return 'visit_type_%sList' % name[0]
+else:
+return 'visit_type_%s' % name
+
 def generate_decl_enum(name, members, genlist=True):
 return mcgen('''
 
-void visit_type_%(name)s(Visitor *m, %(name)s * obj, const char *name, Error 
**errp);
+void %(visitor)s(Visitor *m, %(name)s * obj, const char *name, Error **errp);
 ''',
-name=name)
+ visitor=type_visitor(name))
 
 def generate_command_decl(name, args, ret_type):
 arglist=""
@@ -146,9 +152,10 @@ if (has_%(c_name)s) {
  c_name=c_var(argname), name=argname)
 push_indent()
 ret += mcgen('''
-visit_type_%(argtype)s(v, &%(c_name)s, "%(name)s", errp);
+%(visitor)s(v, &%(c_name)s, "%(name)s", errp);
 ''',
-  c_name=c_var(argname), name=argname, argtype=argtype)
+ c_name=c_var(argname), name=argname, argtype=argtype,
+ visitor=type_visitor(argtype))
 if optional:
 pop_indent()
 ret += mcgen('''
@@ -179,18 +186,18 @@ static void qmp_marshal_output_%(c_name)s(%(c_ret_type)s 
ret_in, QObject **ret_o
 Visitor *v;
 
 v = qmp_output_get_visitor(mo);
-visit_type_%(ret_type)s(v, &ret_in, "unused", errp);
+%(visitor)s(v, &ret_in, "unused", errp);
 if (!error_is_set(errp)) {
 *ret_out = qmp_output_get_qobject(mo);
 }
 qmp_output_visitor_cleanup(mo);
 v = qapi_dealloc_get_visitor(md);
-visit_type_%(ret_type)s(v, &ret_in, "unused", errp);
+%(visitor)s(v, &ret_in, "unused", errp);
 qapi_dealloc_visitor_cleanup(md);
 }
 ''',
- c_ret_type=c_type(ret_type), c_name=c_var(name),
- ret_type=ret_type)
+c_ret_type=c_type(ret_type), c_name=c_var(name),
+visitor=type_visitor(ret_type))
 
 return ret
 
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 04/21] qapi: use middle mode in QMP server

[Luiz Capitulino]

From: Anthony Liguori 

Use the new middle mode within the existing QMP server.

Signed-off-by: Anthony Liguori 
Signed-off-by: Luiz Capitulino 
---
 Makefile |   12 
 Makefile.objs|2 ++
 Makefile.target  |6 +++---
 monitor.c|9 -
 qapi-schema.json |3 +++
 5 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 qapi-schema.json

diff --git a/Makefile b/Makefile
index 6ed3194..55ee79c 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,7 @@ GENERATED_HEADERS = config-host.h trace.h qemu-options.def
 ifeq ($(TRACE_BACKEND),dtrace)
 GENERATED_HEADERS += trace-dtrace.h
 endif
+GENERATED_HEADERS += qmp-commands.h qapi-types.h qapi-visit.h
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -187,9 +188,20 @@ $(qapi-dir)/qga-qapi-types.h: 
$(SRC_PATH)/qapi-schema-guest.json $(SRC_PATH)/scr
 $(qapi-dir)/qga-qapi-visit.c: $(qapi-dir)/qga-qapi-visit.h
 $(qapi-dir)/qga-qapi-visit.h: $(SRC_PATH)/qapi-schema-guest.json 
$(SRC_PATH)/scripts/qapi-visit.py
$(call quiet-command,$(PYTHON) $(SRC_PATH)/scripts/qapi-visit.py -o 
"$(qapi-dir)" -p "qga-" < $<, "  GEN   $@")
+$(qapi-dir)/qga-qmp-commands.h: $(qapi-dir)/qga-qmp-marshal.c
 $(qapi-dir)/qga-qmp-marshal.c: $(SRC_PATH)/qapi-schema-guest.json 
$(SRC_PATH)/scripts/qapi-commands.py
$(call quiet-command,$(PYTHON) $(SRC_PATH)/scripts/qapi-commands.py -o 
"$(qapi-dir)" -p "qga-" < $<, "  GEN   $@")
 
+qapi-types.c: qapi-types.h
+qapi-types.h: $(SRC_PATH)/qapi-schema.json $(SRC_PATH)/scripts/qapi-types.py
+   $(call quiet-command,$(PYTHON) $(SRC_PATH)/scripts/qapi-types.py -o "." 
< $<, "  GEN   $@")
+qapi-visit.c: qapi-visit.h
+qapi-visit.h: $(SRC_PATH)/qapi-schema.json $(SRC_PATH)/scripts/qapi-visit.py
+   $(call quiet-command,$(PYTHON) $(SRC_PATH)/scripts/qapi-visit.py -o "." 
 < $<, "  GEN   $@")
+qmp-commands.h: qmp-marshal.c
+qmp-marshal.c: $(SRC_PATH)/qapi-schema.json 
$(SRC_PATH)/scripts/qapi-commands.py
+   $(call quiet-command,$(PYTHON) $(SRC_PATH)/scripts/qapi-commands.py -m 
-o "." < $<, "  GEN   $@")
+
 test-visitor.o: $(addprefix $(qapi-dir)/, test-qapi-types.c test-qapi-types.h 
test-qapi-visit.c test-qapi-visit.h) $(qapi-obj-y)
 test-visitor: test-visitor.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o 
$(qapi-obj-y) error.o osdep.o $(oslib-obj-y) qjson.o json-streamer.o 
json-lexer.o json-parser.o qerror.o qemu-error.o qemu-tool.o 
$(qapi-dir)/test-qapi-visit.o $(qapi-dir)/test-qapi-types.o
 
diff --git a/Makefile.objs b/Makefile.objs
index 1c65087..441d797 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -406,6 +406,8 @@ qapi-nested-y = qapi-visit-core.o qmp-input-visitor.o 
qmp-output-visitor.o qapi-
 qapi-nested-y += qmp-registry.o qmp-dispatch.o
 qapi-obj-y = $(addprefix qapi/, $(qapi-nested-y))
 
+common-obj-y += qmp-marshal.o qapi-visit.o qapi-types.o $(qapi-obj-y)
+
 ##
 # guest agent
 
diff --git a/Makefile.target b/Makefile.target
index 88d2f1f..b5ed5df 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -375,7 +375,7 @@ obj-xtensa-y += xtensa-semi.o
 
 main.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
-monitor.o: hmp-commands.h qmp-commands.h
+monitor.o: hmp-commands.h qmp-commands-old.h
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
@@ -407,13 +407,13 @@ gdbstub-xml.c: $(TARGET_XML_FILES) 
$(SRC_PATH)/scripts/feature_to_c.sh
 hmp-commands.h: $(SRC_PATH)/hmp-commands.hx
$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN  
 $(TARGET_DIR)$@")
 
-qmp-commands.h: $(SRC_PATH)/qmp-commands.hx
+qmp-commands-old.h: $(SRC_PATH)/qmp-commands.hx
$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN  
 $(TARGET_DIR)$@")
 
 clean:
rm -f *.o *.a *~ $(PROGS) nwfpe/*.o fpu/*.o
rm -f *.d */*.d tcg/*.o ide/*.o 9pfs/*.o
-   rm -f hmp-commands.h qmp-commands.h gdbstub-xml.c
+   rm -f hmp-commands.h qmp-commands-old.h gdbstub-xml.c
 ifdef CONFIG_TRACE_SYSTEMTAP
rm -f *.stp
 endif
diff --git a/monitor.c b/monitor.c
index 8ec2c5e..150fe45 100644
--- a/monitor.c
+++ b/monitor.c
@@ -121,6 +121,7 @@ typedef struct mon_cmd_t {
 int  (*cmd_async)(Monitor *mon, const QDict *params,
   MonitorCompletion *cb, void *opaque);
 } mhandler;
+bool qapi;
 int flags;
 } mon_cmd_t;
 
@@ -3169,7 +3170,7 @@ static const mon_cmd_t info_cmds[] = {
 };
 
 static const mon_cmd_t qmp_cmds[] = {
-#include "qmp-commands.h"
+#include "qmp-commands-old.h"
 { /* NULL */ },
 };
 
@@ -5094,12 +5095,10 @@ static void handle_qmp_command(JSONMessageParser 
*parser, QList *tokens)
 goto err_out;
 }
 
-if (strstart(cmd_name, "query-", &query_cmd)) {
+cmd = qmp_find_cmd(cmd_name);
+if (!cmd && strstart(cmd_name, "query-", &query_cmd)) {
 cmd = qmp_find_query_cmd(query_cmd);
-} else {
-cmd = qmp_f

Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)

[Stefan Berger]

On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:

On Wed, Sep 21, 2011 at 09:44:37PM -0400, Stefan Berger wrote:

On 09/19/2011 03:04 PM, Michael S. Tsirkin wrote:

On Mon, Sep 19, 2011 at 12:22:02PM -0400, Stefan Berger wrote:

On 09/17/2011 03:28 PM, Michael S. Tsirkin wrote:

On Fri, Sep 16, 2011 at 12:46:40PM -0400, Stefan Berger wrote:

The checksuming I think makes sense if encryption is being added so
decryption and testing for proper key material remains an NVRAM
operation rather than a device operation.

Not sure how this addresses the question of what to do
on checksum failure.


Checksum failure on an unencrypted blob would mean that the blob is
corrupted. In case of encryption 'corrupted' would overlap with a
'badly decrypted' blob. In either way the startup of the device
cannot happen.

With corruption - why not? A specific block being corrupted does not mean all
data is lost.

Presumably if you feed bad data into a device it either has its own way 
of integrity checking the blob (we actually do this for the TPM) or it 
will blow up/show wrong behavior at some point - hopefully sooner rather 
than later. Though the detection of bad data *can* be an NVRAM operation 
rather than the operation of a device using the data stored in the NVRAM.

We could refuse the NVRAM key suggesting that likely
this is the wrong key for decryption but corruption is also
possible.

I'm guessing that if we find a correct ber structure in the file, this
most likely means the key is correct.
[I still would add at least a CRC32 (or maybe even a SHA1) for detection 
of corruption of the ASN.1 encoded blob without having to hunt the data 
through a ASN.1 decoder.]


If we now say that data should be encryptable even if QCoW2 wasn't used, 
then is a command line option


-nvram id=,key=,...

something we should support to make the key applicable to the whole NVRAM?

 Stefan

Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)

[Daniel P. Berrange]

On Wed, Sep 28, 2011 at 11:48:19AM -0400, Stefan Berger wrote:
> On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:
> >On Wed, Sep 21, 2011 at 09:44:37PM -0400, Stefan Berger wrote:
> >>On 09/19/2011 03:04 PM, Michael S. Tsirkin wrote:
> >>>On Mon, Sep 19, 2011 at 12:22:02PM -0400, Stefan Berger wrote:
> On 09/17/2011 03:28 PM, Michael S. Tsirkin wrote:
> >On Fri, Sep 16, 2011 at 12:46:40PM -0400, Stefan Berger wrote:
> The checksuming I think makes sense if encryption is being added so
> decryption and testing for proper key material remains an NVRAM
> operation rather than a device operation.
> >>>Not sure how this addresses the question of what to do
> >>>on checksum failure.
> >>>
> >>Checksum failure on an unencrypted blob would mean that the blob is
> >>corrupted. In case of encryption 'corrupted' would overlap with a
> >>'badly decrypted' blob. In either way the startup of the device
> >>cannot happen.
> >With corruption - why not? A specific block being corrupted does not mean all
> >data is lost.
> >
> Presumably if you feed bad data into a device it either has its own
> way of integrity checking the blob (we actually do this for the TPM)
> or it will blow up/show wrong behavior at some point - hopefully
> sooner rather than later. Though the detection of bad data *can* be
> an NVRAM operation rather than the operation of a device using the
> data stored in the NVRAM.
> >>We could refuse the NVRAM key suggesting that likely
> >>this is the wrong key for decryption but corruption is also
> >>possible.
> >I'm guessing that if we find a correct ber structure in the file, this
> >most likely means the key is correct.
> [I still would add at least a CRC32 (or maybe even a SHA1) for
> detection of corruption of the ASN.1 encoded blob without having to
> hunt the data through a ASN.1 decoder.]
> 
> If we now say that data should be encryptable even if QCoW2 wasn't
> used, then is a command line option
> 
> -nvram id=,key=,...
> 
> something we should support to make the key applicable to the whole NVRAM?

Try to avoid requiring secret keys to be set on the command line...
At least allow setting them via a monitor command

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

[Qemu-devel] [PATCH 21/21] qapi: Convert system_powerdown

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp-commands.hx  |3 +--
 hmp.c|5 +
 hmp.h|1 +
 qapi-schema.json |   14 ++
 qmp.c|5 +
 5 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index b2f5cd1..07b493c 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -492,8 +492,7 @@ ETEXI
 .args_type  = "",
 .params = "",
 .help   = "send system power down event",
-.user_print = monitor_user_noop,
-.mhandler.cmd_new = do_system_powerdown,
+.mhandler.cmd = hmp_system_powerdown,
 },
 
 STEXI
diff --git a/hmp.c b/hmp.c
index d8b4de6..13146a4 100644
--- a/hmp.c
+++ b/hmp.c
@@ -109,3 +109,8 @@ void hmp_system_reset(Monitor *mon, const QDict *qdict)
 {
 qmp_system_reset(NULL);
 }
+
+void hmp_system_powerdown(Monitor *mon, const QDict *qdict)
+{
+qmp_system_powerdown(NULL);
+}
diff --git a/hmp.h b/hmp.h
index a49a6e6..92433cf 100644
--- a/hmp.h
+++ b/hmp.h
@@ -26,5 +26,6 @@ void hmp_info_chardev(Monitor *mon);
 void hmp_quit(Monitor *mon, const QDict *qdict);
 void hmp_stop(Monitor *mon, const QDict *qdict);
 void hmp_system_reset(Monitor *mon, const QDict *qdict);
+void hmp_system_powerdown(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/qapi-schema.json b/qapi-schema.json
index e14f2f7..413fcd5 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -257,3 +257,17 @@
 # Since: 0.14.0
 ##
 { 'command': 'system_reset' }
+
+##
+# @system_powerdown:
+#
+# Requests that a guest perform a powerdown operation.
+#
+# Since: 0.14.0
+#
+# Notes: A guest may or may not respond to this command.  This command
+#returning does not indicate that a guest has accepted the request or
+#that it has shut down.  Many guests will respond to this command by
+#prompting the user in some way.
+##
+{ 'command': 'system_powerdown' }
diff --git a/qmp.c b/qmp.c
index 6767640..aa43207 100644
--- a/qmp.c
+++ b/qmp.c
@@ -85,3 +85,8 @@ void qmp_system_reset(Error **errp)
 {
 qemu_system_reset_request();
 }
+
+void qmp_system_powerdown(Error **erp)
+{
+qemu_system_powerdown_request();
+}
-- 
1.7.7.rc0.72.g4b5ea

[Qemu-devel] [PATCH 14/21] qapi: Convert query-status

[Luiz Capitulino]

The original conversion was done by Anthony Liguori. This commit
is just a rebase.

Signed-off-by: Luiz Capitulino 
---
 hmp.c|   19 +++
 hmp.h|1 +
 monitor.c|   41 +
 qapi-schema.json |   67 ++
 qmp-commands.hx  |6 +
 vl.c |   12 +
 6 files changed, 106 insertions(+), 40 deletions(-)

diff --git a/hmp.c b/hmp.c
index 94a7f74..9e7f07e 100644
--- a/hmp.c
+++ b/hmp.c
@@ -53,3 +53,22 @@ void hmp_info_kvm(Monitor *mon)
 qapi_free_KvmInfo(info);
 }
 
+void hmp_info_status(Monitor *mon)
+{
+StatusInfo *info;
+
+info = qmp_query_status(NULL);
+
+monitor_printf(mon, "VM status: %s%s",
+   info->running ? "running" : "paused",
+   info->singlestep ? " (single step mode)" : "");
+
+if (!info->running && info->status != VM_RUN_STATUS_PAUSED) {
+monitor_printf(mon, " (%s)", VmRunStatus_lookup[info->status]);
+}
+
+monitor_printf(mon, "\n");
+
+qapi_free_StatusInfo(info);
+}
+
diff --git a/hmp.h b/hmp.h
index a93ac1f..df4242f 100644
--- a/hmp.h
+++ b/hmp.h
@@ -20,5 +20,6 @@
 void hmp_info_name(Monitor *mon);
 void hmp_info_version(Monitor *mon);
 void hmp_info_kvm(Monitor *mon);
+void hmp_info_status(Monitor *mon);
 
 #endif
diff --git a/monitor.c b/monitor.c
index edb56b9..f641504 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2544,36 +2544,6 @@ static int do_inject_nmi(Monitor *mon, const QDict 
*qdict, QObject **ret_data)
 }
 #endif
 
-static void do_info_status_print(Monitor *mon, const QObject *data)
-{
-QDict *qdict;
-const char *status;
-
-qdict = qobject_to_qdict(data);
-
-monitor_printf(mon, "VM status: ");
-if (qdict_get_bool(qdict, "running")) {
-monitor_printf(mon, "running");
-if (qdict_get_bool(qdict, "singlestep")) {
-monitor_printf(mon, " (single step mode)");
-}
-} else {
-monitor_printf(mon, "paused");
-}
-
-status = qdict_get_str(qdict, "status");
-if (strcmp(status, "paused") && strcmp(status, "running")) {
-monitor_printf(mon, " (%s)", status);
-}
-
-monitor_printf(mon, "\n");
-}
-
-static void do_info_status(Monitor *mon, QObject **ret_data)
-{
-*ret_data = qobject_from_jsonf("{ 'running': %i, 'singlestep': %i, 
'status': %s }", runstate_is_running(), singlestep, runstate_as_string());
-}
-
 static qemu_acl *find_acl(Monitor *mon, const char *name)
 {
 qemu_acl *acl = qemu_acl_find(name);
@@ -2966,8 +2936,7 @@ static const mon_cmd_t info_cmds[] = {
 .args_type  = "",
 .params = "",
 .help   = "show the current VM status (running|paused)",
-.user_print = do_info_status_print,
-.mhandler.info_new = do_info_status,
+.mhandler.info = hmp_info_status,
 },
 {
 .name   = "pcmcia",
@@ -3149,14 +3118,6 @@ static const mon_cmd_t qmp_query_cmds[] = {
 .mhandler.info_new = do_pci_info,
 },
 {
-.name   = "status",
-.args_type  = "",
-.params = "",
-.help   = "show the current VM status (running|paused)",
-.user_print = do_info_status_print,
-.mhandler.info_new = do_info_status,
-},
-{
 .name   = "mice",
 .args_type  = "",
 .params = "",
diff --git a/qapi-schema.json b/qapi-schema.json
index 641f12d..de0f807 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -85,3 +85,70 @@
 ##
 { 'command': 'query-kvm', 'returns': 'KvmInfo' }
 
+##
+# @VmRunStatus
+#
+# An enumation of VM run status.
+#
+# @debug: QEMU is running on a debugger
+#
+# @inmigrate: guest is paused waiting for an incoming migration
+#
+# @internal-error: An internal error that prevents further guest execution
+# has occurred
+#
+# @io-error: the last IOP has failed and the device is configured to pause
+# on I/O errors
+#
+# @paused: guest has been paused via the 'stop' command
+#
+# @postmigrate: guest is paused following a successful 'migrate'
+#
+# @prelaunch: QEMU was started with -S and guest has not started
+#
+# @finish-migrate: guest is paused to finish the migration process
+#
+# @restore-vm: guest is paused to restore VM state
+#
+# @running: guest is actively running
+#
+# @save-vm: guest is paused to save the VM state
+#
+# @shutdown: guest is shut down (and -no-shutdown is in use)
+#
+# @watchdog: the watchdog action is configured to pause and has been triggered
+##
+{ 'enum': 'VmRunStatus',
+  'data': [ 'no-status', 'debug', 'inmigrate', 'internal-error', 'io-error',
+'paused', 'postmigrate', 'prelaunch', 'finish-migrate',
+'restore-vm', 'running', 'save-vm', 'shutdown', 'watchdog' ] }
+
+##
+# @StatusInfo:
+#
+# Information about VCPU run state
+#
+# @running: true if all VCPUs are runnable, false if not runnable
+#
+# @singlestep: true if VCPUs are in single-step mode
+#
+# @status: the @Vm