[Qemu-devel] [PATCH] configure: Fix "configure: usbredir fixes" to not break softmmu builds

[Hans de Goede]

Feel free to merge this into the original commit at that is not upstream
yet.

Signed-off-by: Hans de Goede 
CC: Aurelien Jarno 
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 1854b0b..d63530a 100755
--- a/configure
+++ b/configure
@@ -2770,7 +2770,7 @@ if test "$usb_redir" != "no" ; then
 usb_redir_cflags=$($pkg_config --cflags libusbredirparser 2>/dev/null)
 usb_redir_libs=$($pkg_config --libs libusbredirparser 2>/dev/null)
 QEMU_CFLAGS="$QEMU_CFLAGS $usb_redir_cflags"
-libs_softmmu="$LIBS $usb_redir_libs"
+libs_softmmu="$libs_softmmu $usb_redir_libs"
 else
 if test "$usb_redir" = "yes"; then
 feature_not_found "usb-redir"
-- 
1.7.12

Re: [Qemu-devel] [PATCH] configure: Fix "configure: usbredir fixes" to not break softmmu builds

[Gerd Hoffmann]

On 09/13/12 09:31, Hans de Goede wrote:
> -libs_softmmu="$LIBS $usb_redir_libs"
> +libs_softmmu="$libs_softmmu $usb_redir_libs"

Good point ;)

Fix squashed in.

thanks,
  Gerd

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Peter Lieven]

On 10.09.2012 14:32, Avi Kivity wrote:

On 09/10/2012 03:29 PM, Peter Lieven wrote:

On 09/10/12 14:21, Gleb Natapov wrote:

On Mon, Sep 10, 2012 at 02:15:49PM +0200, Paolo Bonzini wrote:

Il 10/09/2012 13:52, Peter Lieven ha scritto:

dd if=/dev/cpu/0/msr skip=$((0x194)) bs=8 count=1 | xxd
dd if=/dev/cpu/0/msr skip=$((0xCE)) bs=8 count=1 | xxd

it only works without the skip. but the msr device returns all zeroes.

Hmm, the strange API of the MSR device doesn't work well with dd (dd
skips to 0x194 * 8 because bs is 8.  You can try this program:


There is rdmsr/wrmsr in msr-tools.

rdmsr returns it cannot read those MSRs. regardless if I use -cpu host
or -cpu qemu64.

On the host.



did you get my output?

#rdmsr -0 0x194
00011100
#rdmsr -0 0xce
0c0004011103

cheers,
peter

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Paolo Bonzini]

Il 13/09/2012 09:53, Peter Lieven ha scritto:

>>> rdmsr returns it cannot read those MSRs. regardless if I use -cpu host
>>> or -cpu qemu64.
>> On the host.
>>
>>
> did you get my output?
> 
> #rdmsr -0 0x194
> 00011100
> #rdmsr -0 0xce
> 0c0004011103

Yes, that can help implementing it in KVM.  But without a spec to
understand what the bits actually mean, it's just as risky...

Peter, do you have any idea where to get the spec of the memory
controller MSRs in Nehalem and newer processors?  Apparently, memtest is
using them (and in particular 0x194) to find the speed of the FSB, or
something like that.

Paolo

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Gleb Natapov]

On Thu, Sep 13, 2012 at 09:55:06AM +0200, Paolo Bonzini wrote:
> Il 13/09/2012 09:53, Peter Lieven ha scritto:
> 
> >>> rdmsr returns it cannot read those MSRs. regardless if I use -cpu host
> >>> or -cpu qemu64.
> >> On the host.
> >>
> >>
> > did you get my output?
> > 
> > #rdmsr -0 0x194
> > 00011100
> > #rdmsr -0 0xce
> > 0c0004011103
> 
> Yes, that can help implementing it in KVM.  But without a spec to
> understand what the bits actually mean, it's just as risky...
> 
> Peter, do you have any idea where to get the spec of the memory
> controller MSRs in Nehalem and newer processors?  Apparently, memtest is
> using them (and in particular 0x194) to find the speed of the FSB, or
> something like that.
> 
Why would anyone will want to run memtest in a vm? May be just add those
MSRs to ignore list and that's it.

--
Gleb.

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Paolo Bonzini]

Il 13/09/2012 09:57, Gleb Natapov ha scritto:
>>> > > 
>>> > > #rdmsr -0 0x194
>>> > > 00011100
>>> > > #rdmsr -0 0xce
>>> > > 0c0004011103
>> > 
>> > Yes, that can help implementing it in KVM.  But without a spec to
>> > understand what the bits actually mean, it's just as risky...
>> > 
>> > Peter, do you have any idea where to get the spec of the memory
>> > controller MSRs in Nehalem and newer processors?  Apparently, memtest is
>> > using them (and in particular 0x194) to find the speed of the FSB, or
>> > something like that.
>> > 
> Why would anyone will want to run memtest in a vm? May be just add those
> MSRs to ignore list and that's it.

>From the output it looks like it's basically a list of bits.  Returning
something sensible is better, same as for the speed scaling MSRs.

Paolo

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Gleb Natapov]

On Thu, Sep 13, 2012 at 10:00:26AM +0200, Paolo Bonzini wrote:
> Il 13/09/2012 09:57, Gleb Natapov ha scritto:
> >>> > > 
> >>> > > #rdmsr -0 0x194
> >>> > > 00011100
> >>> > > #rdmsr -0 0xce
> >>> > > 0c0004011103
> >> > 
> >> > Yes, that can help implementing it in KVM.  But without a spec to
> >> > understand what the bits actually mean, it's just as risky...
> >> > 
> >> > Peter, do you have any idea where to get the spec of the memory
> >> > controller MSRs in Nehalem and newer processors?  Apparently, memtest is
> >> > using them (and in particular 0x194) to find the speed of the FSB, or
> >> > something like that.
> >> > 
> > Why would anyone will want to run memtest in a vm? May be just add those
> > MSRs to ignore list and that's it.
> 
> >From the output it looks like it's basically a list of bits.  Returning
> something sensible is better, same as for the speed scaling MSRs.
> 
Everything is list of bits in computers :) At least 0xce is documented in  SDM.
It cannot be implemented in a migration safe manner.

--
Gleb.

Re: [Qemu-devel] [PATCH V3 01/11] atomic: introduce atomic operations

[Avi Kivity]

On 09/13/2012 09:54 AM, liu ping fan wrote:

>>> +typedef struct Atomic {
>>> +int counter;
>>> +} Atomic;
>>
>> Best to mark counter 'volatile'.
>>
>>> +
>>> +static inline void atomic_set(Atomic *v, int i)
>>> +{
>>> +v->counter = i;
>>> +}
>>> +
>>> +static inline int atomic_read(Atomic *v)
>>> +{
>>> +return v->counter;
>>> +}
>>>
>>
>> So these two operations don't get mangled by the optimizer.
>>
> Browsing linux code and reading lkml, find some similar material. But
> they have moved volatile from ->counter to function - atomic_read().
> As to atomic_read(), I think it need to prevent optimizer from
> refetching issue, but as to atomic_set(), do we need ?

I think so, to prevent reordering.


-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH V3 01/11] atomic: introduce atomic operations

[Paolo Bonzini]

Il 13/09/2012 10:14, Avi Kivity ha scritto:
 >>> +static inline void atomic_set(Atomic *v, int i)
 >>> +{
 >>> +v->counter = i;
 >>> +}
 >>> +
 >>> +static inline int atomic_read(Atomic *v)
 >>> +{
 >>> +return v->counter;
 >>> +}
 >>>
>>> >>
>>> >> So these two operations don't get mangled by the optimizer.
>>> >>
>> > Browsing linux code and reading lkml, find some similar material. But
>> > they have moved volatile from ->counter to function - atomic_read().
>> > As to atomic_read(), I think it need to prevent optimizer from
>> > refetching issue, but as to atomic_set(), do we need ?
> I think so, to prevent reordering.

Agreed.  Alternatively, stick a barrier() before and after the
assignment and read.

But I don't really see the point in wrapping atomically-accessed
variables in a struct.  Are we going to add a variant for long, a
variant for pointers, etc.?

I already proposed my version of this at
http://github.com/bonzini/qemu/commit/1b439343.

Paolo

Re: [Qemu-devel] [PATCH V3 10/11] vcpu: introduce lockmap

[Avi Kivity]

On 09/13/2012 09:55 AM, liu ping fan wrote:
> On Tue, Sep 11, 2012 at 8:41 PM, Avi Kivity  wrote:
>> On 09/11/2012 03:24 PM, Avi Kivity wrote:
>>> On 09/11/2012 12:57 PM, Jan Kiszka wrote:
 On 2012-09-11 11:44, liu ping fan wrote:
> On Tue, Sep 11, 2012 at 4:35 PM, Avi Kivity  wrote:
>> On 09/11/2012 10:51 AM, Liu Ping Fan wrote:
>>> From: Liu Ping Fan 
>>>
>>> The func call chain can suffer from recursively hold
>>> qemu_mutex_lock_iothread. We introduce lockmap to record the
>>> lock depth.
>>
>> What is the root cause?  io handlers initiating I/O?
>>
> cpu_physical_memory_rw() can be called nested, and when called, it can
> be protected by no-lock/device lock/ big-lock.
> I think without big lock, io-dispatcher should face the same issue.
> As to main-loop, have not carefully consider, but at least, dma-helper
> will call cpu_physical_memory_rw() with big-lock.

 That is our core problem: inconsistent invocation of existing services
 /wrt locking. For portio, I was lucky that there is no nesting and I was
 able to drop the big lock around all (x86) call sites. But MMIO is way
 more tricky due to DMA nesting.
>>>
>>> Maybe we need to switch to a continuation style.  Instead of expecting
>>> cpu_physical_memory_rw() to complete synchronously, it becomes an
>>> asynchronous call and you provide it with a completion.  That means
>>> devices which use it are forced to drop the lock in between.  Block and
>>> network clients will be easy to convert since they already use APIs that
>>> drop the lock (except for accessing the descriptors).
>>>
 We could try to introduce a different version of cpu_physical_memory_rw,
 cpu_physical_memory_rw_unlocked. But the problem remains that an MMIO
 request can trigger the very same access in a nested fashion, and we
 will have to detect this to avoid locking up QEMU (locking up the guest
 might be OK).
>>>
>>> An async version of c_p_m_rw() will just cause a completion to bounce
>>> around, consuming cpu but not deadlocking anything.  If we can keep a
>>> count of the bounces, we might be able to stall it indefinitely or at
>>> least ratelimit it.
>>>
>>
>> Another option is to require all users of c_p_m_rw() and related to use
>> a coroutine or thread.  That makes the programming easier (but still
>> required a revalidation after the dropped lock).
>>
> For the nested cpu_physical_memory_rw(), we change it internal but
> keep it sync API as it is.  (Wrapper current cpu_physical_memory_rw()
> into cpu_physical_memory_rw_internal() )
> 
> 
> LOCK()  // can be device or big lock or both, depend on caller.
> ..
> cpu_physical_memory_rw()
> {
>UNLOCK() //unlock all the locks
>queue_work_on_thread(cpu_physical_memory_rw_internal, completion);
> // cpu_physical_memory_rw_internal can take lock(device,biglock) again
>wait_for_completion(completion)
>LOCK()
> }
> ..
> UNLOCK()
> 

This is dangerous.  The caller expects to hold the lock across the call,
and will not re-validate its state.

> Although cpu_physical_memory_rw_internal() can be freed to use lock,
> but with precondition. -- We still need to trace lock stack taken by
> cpu_physical_memory_rw(), so that it can return to caller correctly.
> Is that OK?

I'm convinced that we need a recursive lock if we don't convert
everything at once.

So how about:

- make bql a recursive lock (use pthreads, don't invent our own)
- change c_p_m_rw() calling convention to "caller may hold the BQL, but
no device lock"

this allows devices to DMA each other.  Unconverted device models will
work as they used to.  Converted device models will need to drop the
device lock, re-acquire it, and revalidate any state.  That will cause
them to become more correct wrt recursive invocation.


-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH V3 01/11] atomic: introduce atomic operations

[Avi Kivity]

On 09/13/2012 11:19 AM, Paolo Bonzini wrote:
> Il 13/09/2012 10:14, Avi Kivity ha scritto:
> >>> +static inline void atomic_set(Atomic *v, int i)
> >>> +{
> >>> +v->counter = i;
> >>> +}
> >>> +
> >>> +static inline int atomic_read(Atomic *v)
> >>> +{
> >>> +return v->counter;
> >>> +}
> >>>
 >>
 >> So these two operations don't get mangled by the optimizer.
 >>
>>> > Browsing linux code and reading lkml, find some similar material. But
>>> > they have moved volatile from ->counter to function - atomic_read().
>>> > As to atomic_read(), I think it need to prevent optimizer from
>>> > refetching issue, but as to atomic_set(), do we need ?
>> I think so, to prevent reordering.
> 
> Agreed.  Alternatively, stick a barrier() before and after the
> assignment and read.
> 
> But I don't really see the point in wrapping atomically-accessed
> variables in a struct.  

Preventing accidental naked access (to be reported in patch review as
"wardrobe malfunction").

> Are we going to add a variant for long, a
> variant for pointers, etc.?

template  ...;

> I already proposed my version of this at
> http://github.com/bonzini/qemu/commit/1b439343.

Atomic operations are sufficiently rare and sufficiently important to
warrant extra effort, so I prefer the explicitly typed variants.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH v3 2/2] slirp: Implement TFTP Blocksize option

[Jan Kiszka]

On 2012-09-13 07:55, Hervé Poussineau wrote:
> This option is described in RFC 1783. As this is only an optional field,
> we may ignore it in some situations and handle it in some others.
> 
> However, MS Windows 2003 PXE boot client requests a block size of the MTU
> (most of the times 1472 bytes), and doesn't work if the option is not
> acknowledged (with whatever value).
> 
> According to the RFC 1783, we cannot acknowledge the option with a bigger
> value than the requested one.
> 
> As current implementation is using 512 bytes by block, accept the option
> with a value of 512 if the option was specified, and don't acknowledge it
> if it is not present or less than 512 bytes.
> 
> Signed-off-by: Hervé Poussineau 
> ---
>  slirp/tftp.c |   42 +-
>  1 file changed, 33 insertions(+), 9 deletions(-)
> 
> diff --git a/slirp/tftp.c b/slirp/tftp.c
> index c6a5df2..37b0387 100644
> --- a/slirp/tftp.c
> +++ b/slirp/tftp.c
> @@ -120,13 +120,13 @@ static int tftp_read_data(struct tftp_session *spt, 
> uint32_t block_nr,
>  }
>  
>  static int tftp_send_oack(struct tftp_session *spt,
> -  const char *key, uint32_t value,
> +  const char *keys[], uint32_t values[], int nb,
>struct tftp_t *recv_tp)
>  {
>  struct sockaddr_in saddr, daddr;
>  struct mbuf *m;
>  struct tftp_t *tp;
> -int n = 0;
> +int i, n = 0;
>  
>  m = m_get(spt->slirp);
>  
> @@ -140,10 +140,12 @@ static int tftp_send_oack(struct tftp_session *spt,
>  m->m_data += sizeof(struct udpiphdr);
>  
>  tp->tp_op = htons(TFTP_OACK);
> -n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s",
> -  key) + 1;
> -n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u",
> -  value) + 1;
> +for (i = 0; i < nb; i++) {
> +n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s",
> +  keys[i]) + 1;
> +n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u",
> +  values[i]) + 1;
> +}
>  
>  saddr.sin_addr = recv_tp->ip.ip_dst;
>  saddr.sin_port = recv_tp->udp.uh_dport;
> @@ -260,6 +262,9 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t 
> *tp, int pktlen)
>int s, k;
>size_t prefix_len;
>char *req_fname;
> +  const char *option_name[2];
> +  uint32_t option_value[2];
> +  int nb_options = 0;
>  
>/* check if a session already exists and if so terminate it */
>s = tftp_session_find(slirp, tp);
> @@ -337,7 +342,7 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t 
> *tp, int pktlen)
>return;
>}
>  
> -  while (k < pktlen) {
> +  while (k < pktlen && nb_options < ARRAY_SIZE(option_name)) {
>const char *key, *value;
>  
>key = &tp->x.tp_buf[k];
> @@ -364,11 +369,30 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t 
> *tp, int pktlen)
> }
> }
>  
> -   tftp_send_oack(spt, "tsize", tsize, tp);
> -   return;
> +  option_name[nb_options] = "tsize";
> +  option_value[nb_options] = tsize;
> +  nb_options++;
> +  } else if (strcasecmp(key, "blksize") == 0) {
> +  int blksize = atoi(value);
> +
> +  /* If blksize option is bigger than what we will
> +   * emit, accept the option with our packet size.
> +   * Otherwise, simply do as we didn't see the option.
> +   */
> +  if (blksize >= 512) {
> +  option_name[nb_options] = "blksize";
> +  option_value[nb_options] = 512;
> +  nb_options++;
> +  }
>}
>}
>  
> +  if (nb_options > 0) {
> +  assert(nb_options <= ARRAY_SIZE(option_name));

I think you didn't answer my question: What if the guest sends a bogus
request with multiple tsize or blksize option entries so that nb_options
becomes > 2? That would crash QEMU, no? Even worse, that would not
require a privileged guest process.

Please explain why I'm wrong or make the code robust.

Jan

> +  tftp_send_oack(spt, option_name, option_value, nb_options, tp);
> +  return;
> +  }
> +
>spt->block_nr = 0;
>tftp_send_next_block(spt, tp);
>  }
> 

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux

[Qemu-devel] [PATCH 13/14] usb-redir: Revert usb-redir part of commit 93bfef4c

[Gerd Hoffmann]

From: Hans de Goede 

Commit 93bfef4c6e4b23caea9d51e1099d06433d8835a4 makes qemu-devices
which report the qemu version string to the guest in some way use a
qemu_get_version function which reports a machine-specific version string.

However usb-redir does not expose the qemu version to the guest, only to
the usbredir-host as part of the initial handshake. This can then be logged
on the usbredir-host side for debugging purposes and is otherwise completely
unused! For debugging purposes it is important to have the real qemu version
in there, rather then the machine-specific version.

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |8 +++-
 1 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 9a4be6d..b10241a 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -142,6 +142,8 @@ static void usbredir_interrupt_packet(void *priv, uint64_t 
id,
 static int usbredir_handle_status(USBRedirDevice *dev,
int status, int actual_len);
 
+#define VERSION "qemu usb-redir guest " QEMU_VERSION
+
 /*
  * Logging stuff
  */
@@ -863,7 +865,6 @@ static void usbredir_chardev_close_bh(void *opaque)
 static void usbredir_chardev_open(USBRedirDevice *dev)
 {
 uint32_t caps[USB_REDIR_CAPS_SIZE] = { 0, };
-char version[32];
 int flags = 0;
 
 /* Make sure any pending closes are handled (no-op if none pending) */
@@ -872,9 +873,6 @@ static void usbredir_chardev_open(USBRedirDevice *dev)
 
 DPRINTF("creating usbredirparser\n");
 
-strcpy(version, "qemu usb-redir guest ");
-pstrcat(version, sizeof(version), qemu_get_version());
-
 dev->parser = qemu_oom_check(usbredirparser_create());
 dev->parser->priv = dev;
 dev->parser->log_func = usbredir_log;
@@ -906,7 +904,7 @@ static void usbredir_chardev_open(USBRedirDevice *dev)
 if (runstate_check(RUN_STATE_INMIGRATE)) {
 flags |= usbredirparser_fl_no_hello;
 }
-usbredirparser_init(dev->parser, version, caps, USB_REDIR_CAPS_SIZE,
+usbredirparser_init(dev->parser, VERSION, caps, USB_REDIR_CAPS_SIZE,
 flags);
 usbredirparser_do_write(dev->parser);
 }
-- 
1.7.1

Re: [Qemu-devel] [PATCH V3 08/11] qom: introduce reclaimer to release obj in async

[Avi Kivity]

On 09/13/2012 09:54 AM, liu ping fan wrote:
> On Tue, Sep 11, 2012 at 5:37 PM, Avi Kivity  wrote:
>> On 09/11/2012 12:32 PM, liu ping fan wrote:
>>> On Tue, Sep 11, 2012 at 4:32 PM, Avi Kivity  wrote:
 On 09/11/2012 10:51 AM, Liu Ping Fan wrote:
> From: Liu Ping Fan 
>
> DeviceState will be protected by refcnt from disappearing during
> dispatching. But when refcnt comes down to zero, DeviceState may
> be still in use by iohandler, timer etc in main loop, we just delay
> its free untill no reader.
>

 How can this be?  We elevate the refcount while dispatching I/O.  If we
 have similar problems with the timer, we need to employ a similar solution.

>>> Yes, at the next step, plan to covert iohandler, timer etc to use
>>> refcount as memory. Here just a temp solution.
>>
>> I prefer not to ever introduce it.
>>
>> What we can do is introduce a sub-region for e1000's mmio that will take
>> only the device lock, and let original region use the old dispatch path
>> (and also take the device lock).  As we thread the various subsystems
>> e1000 uses, we can expand the sub-region until it covers all of e1000's
>> functions, then fold it back into the main region.
>>
> Introducing new sub-region for e1000  seems no help to resolve this
> issue. It can not tell whether main-loop still use it or not.

What is "it" here? (actually two of them).

> I think the key point is that original code SYNC eliminate all the
> readers of DeviceState at acpi_piix_eject_slot() by
> dev->unit()/exit(), so each subsystem will no access it in future.
> But now, we can delete the DeviceState async.

But deleting happens when we are guaranteed to have no I/O dispatch.

> Currently, we can just use e1000->unmap() to detach itself from each
> subsystem(Not implemented in this series patches for timer,...) to
> achieve the goal, because their readers are still under the protection
> of big lock, but when they are out of big lock, we need extra effort
> like memory system.

I see what you mean.  So you defer the deletion to a context where the
big lock is held.

But this solves nothing.  The device model accesses the network stack
and timer subsystem without the big lock held.  So you either need to
thread those two subsystems, or take the big lock in the I/O handlers.
If you do that, you can also take the big lock in the destructor.  If we
make the big lock a recursive lock, then the destructor can be invoked
in any context.

To summarize, I propose:
- drop the reclaimer
- make the bql recursive
- take the bql in the e1000 destructor
- take the bql in the e1000 I/O handlers when it accesses the timer or
network subsystems
(rest for a bit)
- thread the timer subsystem
- drop bql from around timer accesses
- thread the network subsystem
- drop bql from e1000 I/O handlers and destructor

does this work?

-- 
error compiling committee.c: too many arguments to function

[Qemu-devel] [PULL 00/10] spice patch queue

[Gerd Hoffmann]

  Hi,

This pull brings monitor configuration support for qxl which is needed
by the upcoming kms qxl driver.  Also a nice speedup for qxl in vga mode
and as usual some bugfixes.

please pull,
  Gerd

The following changes since commit e0a1e32dbc41e6b2aabb436a9417dfd32177a3dc:

  Merge branch 'usb.64' of git://git.kraxel.org/qemu (2012-09-11 18:06:56 +0200)

are available in the git repository at:

  git://anongit.freedesktop.org/spice/qemu spice.v60

Alon Levy (3):
  hw/qxl: tracing fixes
  qxl: add trace-event for QXL_IO_LOG
  hw/qxl: support client monitor configuration via device

Dunrong Huang (1):
  qxl: dont update invalid area

Gerd Hoffmann (4):
  spice: switch to queue for vga mode updates
  spice: split qemu_spice_create_update
  spice: add screen mirror
  spice: send updates only for changed screen content

Hans de Goede (1):
  qxl: Ignore set_client_capabilities pre/post migrate

Uri Lublin (1):
  qxl: better cleanup for surface destroy

 configure  |7 +++
 hw/qxl.c   |  107 ++--
 trace-events   |   11 -
 ui/spice-display.c |  136 
 ui/spice-display.h |4 +-
 5 files changed, 225 insertions(+), 40 deletions(-)

[Qemu-devel] [PATCH 10/10] hw/qxl: support client monitor configuration via device

[Gerd Hoffmann]

From: Alon Levy 

Until now we used only the agent to change the monitor count and each
monitor resolution. This patch introduces the qemu part of using the
device as the mediator instead of the agent via virtio-serial.

Spice (>=0.11.5) calls the new QXLInterface::client_monitors_config,
which returns wether the interrupt is enabled, and if so and given a non
NULL monitors config will
generate an interrupt QXL_INTERRUPT_CLIENT_MONITORS_CONFIG with crc
checksum for the guest to verify a second call hasn't interfered.

The maximal number of monitors is limited on the QXLRom to 64.

Signed-off-by: Alon Levy 
Signed-off-by: Gerd Hoffmann 
---
 configure|7 +
 hw/qxl.c |   79 ++
 trace-events |6 +++-
 3 files changed, 91 insertions(+), 1 deletions(-)

diff --git a/configure b/configure
index 7656c32..c75c51b 100755
--- a/configure
+++ b/configure
@@ -2709,6 +2709,9 @@ EOF
 if $pkg_config --atleast-version=0.12.0 spice-protocol >/dev/null 2>&1; 
then
 spice_qxl_io_monitors_config_async="yes"
 fi
+if $pkg_config --atleast-version=0.12.2 spice-protocol > /dev/null 2>&1; 
then
+spice_qxl_client_monitors_config="yes"
+fi
   else
 if test "$spice" = "yes" ; then
   feature_not_found "spice"
@@ -3456,6 +3459,10 @@ if test "$spice_qxl_io_monitors_config_async" = "yes" ; 
then
   echo "CONFIG_QXL_IO_MONITORS_CONFIG_ASYNC=y" >> $config_host_mak
 fi
 
+if test "$spice_qxl_client_monitors_config" = "yes" ; then
+  echo "CONFIG_QXL_CLIENT_MONITORS_CONFIG=y" >> $config_host_mak
+fi
+
 if test "$smartcard" = "yes" ; then
   echo "CONFIG_SMARTCARD=y" >> $config_host_mak
 fi
diff --git a/hw/qxl.c b/hw/qxl.c
index 5709e0d..c464408 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -18,6 +18,8 @@
  * along with this program; if not, see .
  */
 
+#include 
+
 #include "qemu-common.h"
 #include "qemu-timer.h"
 #include "qemu-queue.h"
@@ -971,6 +973,79 @@ static void interface_set_client_capabilities(QXLInstance 
*sin,
 
 #endif
 
+#if defined(CONFIG_QXL_CLIENT_MONITORS_CONFIG) \
+&& SPICE_SERVER_VERSION >= 0x000b05
+
+static uint32_t qxl_crc32(const uint8_t *p, unsigned len)
+{
+/*
+ * zlib xors the seed with 0x, and xors the result
+ * again with 0x; Both are not done with linux's crc32,
+ * which we want to be compatible with, so undo that.
+ */
+return crc32(0x, p, len) ^ 0x;
+}
+
+/* called from main context only */
+static int interface_client_monitors_config(QXLInstance *sin,
+VDAgentMonitorsConfig *monitors_config)
+{
+PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
+int i;
+
+/*
+ * Older windows drivers set int_mask to 0 when their ISR is called,
+ * then later set it to ~0. So it doesn't relate to the actual interrupts
+ * handled. However, they are old, so clearly they don't support this
+ * interrupt
+ */
+if (qxl->ram->int_mask == 0 || qxl->ram->int_mask == ~0 ||
+!(qxl->ram->int_mask & QXL_INTERRUPT_CLIENT_MONITORS_CONFIG)) {
+trace_qxl_client_monitors_config_unsupported_by_guest(qxl->id,
+qxl->ram->int_mask,
+monitors_config);
+return 0;
+}
+if (!monitors_config) {
+return 1;
+}
+memset(&rom->client_monitors_config, 0,
+   sizeof(rom->client_monitors_config));
+rom->client_monitors_config.count = monitors_config->num_of_monitors;
+/* monitors_config->flags ignored */
+if (rom->client_monitors_config.count >=
+ARRAY_SIZE(rom->client_monitors_config.heads)) {
+trace_qxl_client_monitors_config_capped(qxl->id,
+monitors_config->num_of_monitors,
+ARRAY_SIZE(rom->client_monitors_config.heads));
+rom->client_monitors_config.count =
+ARRAY_SIZE(rom->client_monitors_config.heads);
+}
+for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
+VDAgentMonConfig *monitor = &monitors_config->monitors[i];
+QXLURect *rect = &rom->client_monitors_config.heads[i];
+/* monitor->depth ignored */
+rect->left = monitor->x;
+rect->top = monitor->y;
+rect->right = monitor->x + monitor->width;
+rect->bottom = monitor->y + monitor->height;
+}
+rom->client_monitors_config_crc = qxl_crc32(
+(const uint8_t *)&rom->client_monitors_config,
+sizeof(rom->client_monitors_config));
+trace_qxl_client_monitors_config_crc(qxl->id,
+sizeof(rom->client_monitors_config),
+rom->client_monitors_config_crc);
+
+trace_qxl_interrupt_client_monitors_config(qxl->id,
+rom->client_monito

[Qemu-devel] [PATCH 02/14] ehci: switch to new-style memory ops

[Gerd Hoffmann]

Also register different memory regions for capabilities,
operational registers and port status registers.  Create
separate tracepoints for operational regs and port status
regs.  Ditch a bunch of sanity checks because the memory
core will do this for us now.

Offloading the byte, word and dword access handling to the
memory core also has the side effect of fixing ehci register
access on bigendian hosts.

Cc: David Gibson 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci.c |  173 ++---
 trace-events  |9 ++-
 2 files changed, 90 insertions(+), 92 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 2f3e9c0..f5ba8e1 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -389,6 +389,9 @@ struct EHCIState {
 USBBus bus;
 qemu_irq irq;
 MemoryRegion mem;
+MemoryRegion mem_caps;
+MemoryRegion mem_opreg;
+MemoryRegion mem_ports;
 int companion_count;
 
 /* properties */
@@ -398,10 +401,10 @@ struct EHCIState {
  *  EHCI spec version 1.0 Section 2.3
  *  Host Controller Operational Registers
  */
+uint8_t caps[OPREGBASE];
 union {
-uint8_t mmio[MMIO_SIZE];
+uint32_t opreg[(PORTSC_BEGIN-OPREGBASE)/sizeof(uint32_t)];
 struct {
-uint8_t cap[OPREGBASE];
 uint32_t usbcmd;
 uint32_t usbsts;
 uint32_t usbintr;
@@ -411,9 +414,9 @@ struct EHCIState {
 uint32_t asynclistaddr;
 uint32_t notused[9];
 uint32_t configflag;
-uint32_t portsc[NB_PORTS];
 };
 };
+uint32_t portsc[NB_PORTS];
 
 /*
  *  Internal states, shadow registers, etc
@@ -471,22 +474,12 @@ static const char *ehci_state_names[] = {
 };
 
 static const char *ehci_mmio_names[] = {
-[CAPLENGTH] = "CAPLENGTH",
-[HCIVERSION]= "HCIVERSION",
-[HCSPARAMS] = "HCSPARAMS",
-[HCCPARAMS] = "HCCPARAMS",
 [USBCMD]= "USBCMD",
 [USBSTS]= "USBSTS",
 [USBINTR]   = "USBINTR",
 [FRINDEX]   = "FRINDEX",
 [PERIODICLISTBASE]  = "P-LIST BASE",
 [ASYNCLISTADDR] = "A-LIST ADDR",
-[PORTSC_BEGIN]  = "PORTSC #0",
-[PORTSC_BEGIN + 4]  = "PORTSC #1",
-[PORTSC_BEGIN + 8]  = "PORTSC #2",
-[PORTSC_BEGIN + 12] = "PORTSC #3",
-[PORTSC_BEGIN + 16] = "PORTSC #4",
-[PORTSC_BEGIN + 20] = "PORTSC #5",
 [CONFIGFLAG]= "CONFIGFLAG",
 };
 
@@ -509,7 +502,8 @@ static const char *state2str(uint32_t state)
 
 static const char *addr2str(target_phys_addr_t addr)
 {
-return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names), addr);
+return nr2str(ehci_mmio_names, ARRAY_SIZE(ehci_mmio_names),
+  addr + OPREGBASE);
 }
 
 static void ehci_trace_usbsts(uint32_t mask, int state)
@@ -1018,7 +1012,7 @@ static int ehci_register_companion(USBBus *bus, USBPort 
*ports[],
 }
 
 s->companion_count++;
-s->mmio[0x05] = (s->companion_count << 4) | portcount;
+s->caps[0x05] = (s->companion_count << 4) | portcount;
 
 return 0;
 }
@@ -1063,7 +1057,8 @@ static void ehci_reset(void *opaque)
 }
 }
 
-memset(&s->mmio[OPREGBASE], 0x00, MMIO_SIZE - OPREGBASE);
+memset(&s->opreg, 0x00, sizeof(s->opreg));
+memset(&s->portsc, 0x00, sizeof(s->portsc));
 
 s->usbcmd = NB_MAXINTRATE << USBCMD_ITC_SH;
 s->usbsts = USBSTS_HALT;
@@ -1090,50 +1085,35 @@ static void ehci_reset(void *opaque)
 qemu_bh_cancel(s->async_bh);
 }
 
-static uint32_t ehci_mem_readb(void *ptr, target_phys_addr_t addr)
+static uint64_t ehci_caps_read(void *ptr, target_phys_addr_t addr,
+   unsigned size)
 {
 EHCIState *s = ptr;
-uint32_t val;
-
-val = s->mmio[addr];
-
-return val;
+return s->caps[addr];
 }
 
-static uint32_t ehci_mem_readw(void *ptr, target_phys_addr_t addr)
+static uint64_t ehci_opreg_read(void *ptr, target_phys_addr_t addr,
+unsigned size)
 {
 EHCIState *s = ptr;
 uint32_t val;
 
-val = s->mmio[addr] | (s->mmio[addr+1] << 8);
-
+val = s->opreg[addr >> 2];
+trace_usb_ehci_opreg_read(addr + OPREGBASE, addr2str(addr), val);
 return val;
 }
 
-static uint32_t ehci_mem_readl(void *ptr, target_phys_addr_t addr)
+static uint64_t ehci_port_read(void *ptr, target_phys_addr_t addr,
+   unsigned size)
 {
 EHCIState *s = ptr;
 uint32_t val;
 
-val = s->mmio[addr] | (s->mmio[addr+1] << 8) |
-  (s->mmio[addr+2] << 16) | (s->mmio[addr+3] << 24);
-
-trace_usb_ehci_mmio_readl(addr, addr2str(addr), val);
+val = s->portsc[addr >> 2];
+trace_usb_ehci_portsc_read(addr + PORTSC_BEGIN, addr >> 2, val);
 return val;
 }
 
-static void ehci_mem_writeb(void *ptr, target_phys_addr_t addr, uint32_t val)
-{
-fprintf(stderr, "EHCI doesn't handle byte writes to MMIO\n");
-exit(1);
-}
-
-static void ehci_mem_writ

[Qemu-devel] [PATCH 02/10] spice: split qemu_spice_create_update

[Gerd Hoffmann]

Creating one function which creates a single update for a given
rectangle.  And one (for now) pretty simple wrapper around it to
queue up screen updates for the dirty region.

[ v2: also update bounding box ]

Signed-off-by: Gerd Hoffmann 
---
 ui/spice-display.c |   31 ++-
 1 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 59c5fd7..6f68f28 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -164,7 +164,8 @@ int qemu_spice_display_is_running(SimpleSpiceDisplay *ssd)
 #endif
 }
 
-static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
+static void qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
+ QXLRect *rect)
 {
 SimpleSpiceUpdate *update;
 QXLDrawable *drawable;
@@ -174,24 +175,20 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
 int by, bw, bh;
 struct timespec time_space;
 
-if (qemu_spice_rect_is_empty(&ssd->dirty)) {
-return;
-};
-
 trace_qemu_spice_create_update(
-   ssd->dirty.left, ssd->dirty.right,
-   ssd->dirty.top, ssd->dirty.bottom);
+   rect->left, rect->right,
+   rect->top, rect->bottom);
 
 update   = g_malloc0(sizeof(*update));
 drawable = &update->drawable;
 image= &update->image;
 cmd  = &update->ext.cmd;
 
-bw   = ssd->dirty.right - ssd->dirty.left;
-bh   = ssd->dirty.bottom - ssd->dirty.top;
+bw   = rect->right - rect->left;
+bh   = rect->bottom - rect->top;
 update->bitmap = g_malloc(bw * bh * 4);
 
-drawable->bbox= ssd->dirty;
+drawable->bbox= *rect;
 drawable->clip.type   = SPICE_CLIP_TYPE_NONE;
 drawable->effect  = QXL_EFFECT_OPAQUE;
 drawable->release_info.id = (uintptr_t)update;
@@ -226,8 +223,8 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
 }
 
 src = ds_get_data(ssd->ds) +
-ssd->dirty.top * ds_get_linesize(ssd->ds) +
-ssd->dirty.left * ds_get_bytes_per_pixel(ssd->ds);
+rect->top * ds_get_linesize(ssd->ds) +
+rect->left * ds_get_bytes_per_pixel(ssd->ds);
 dst = update->bitmap;
 for (by = 0; by < bh; by++) {
 qemu_pf_conv_run(ssd->conv, dst, src, bw);
@@ -238,10 +235,18 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
 cmd->type = QXL_CMD_DRAW;
 cmd->data = (uintptr_t)drawable;
 
-memset(&ssd->dirty, 0, sizeof(ssd->dirty));
 QTAILQ_INSERT_TAIL(&ssd->updates, update, next);
 }
 
+static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
+{
+if (qemu_spice_rect_is_empty(&ssd->dirty)) {
+return;
+};
+qemu_spice_create_one_update(ssd, &ssd->dirty);
+memset(&ssd->dirty, 0, sizeof(ssd->dirty));
+}
+
 /*
  * Called from spice server thread context (via interface_release_ressource)
  * We do *not* hold the global qemu mutex here, so extra care is needed
-- 
1.7.1

[Qemu-devel] [PATCH v2] rtl8139: implement 8139cp link status

[Amos Kong]

From: Jason Wang 

Add a link status chang callback and change the link status bit in BMSR
& MSR accordingly. Tested in Linux/Windows guests.

The link status bit of MediaStatus is infered from BasicModeStatus,
they are reverse. 

Signed-off-by: Jason Wang 
Signed-off-by: Amos Kong 
---
v2: don't add MediaState in RTL8139State to avoid migration trouble
---
 hw/rtl8139.c |   19 +--
 1 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 844f1b8..fa949ca 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -167,7 +167,7 @@ enum IntrStatusBits {
 PCIErr = 0x8000,
 PCSTimeout = 0x4000,
 RxFIFOOver = 0x40,
-RxUnderrun = 0x20,
+RxUnderrun = 0x20, /* Packet Underrun / Link Change */
 RxOverflow = 0x10,
 TxErr = 0x08,
 TxOK = 0x04,
@@ -3007,7 +3007,7 @@ static uint32_t rtl8139_io_readb(void *opaque, uint8_t 
addr)
 break;
 
 case MediaStatus:
-ret = 0xd0;
+ret = 0xd0 | ~(s->BasicModeStatus & 0x0004);
 DPRINTF("MediaStatus read 0x%x\n", ret);
 break;
 
@@ -3453,12 +3453,27 @@ static void pci_rtl8139_uninit(PCIDevice *dev)
 qemu_del_net_client(&s->nic->nc);
 }
 
+static void rtl8139_set_link_status(NetClientState *nc)
+{
+RTL8139State *s = DO_UPCAST(NICState, nc, nc)->opaque;
+
+if (nc->link_down) {
+s->BasicModeStatus &= ~0x0004;
+} else {
+s->BasicModeStatus |= 0x0004;
+}
+
+s->IntrStatus |= RxUnderrun;
+rtl8139_update_irq(s);
+}
+
 static NetClientInfo net_rtl8139_info = {
 .type = NET_CLIENT_OPTIONS_KIND_NIC,
 .size = sizeof(NICState),
 .can_receive = rtl8139_can_receive,
 .receive = rtl8139_receive,
 .cleanup = rtl8139_cleanup,
+.link_status_changed = rtl8139_set_link_status,
 };
 
 static int pci_rtl8139_init(PCIDevice *dev)
-- 
1.7.1

[Qemu-devel] [PULL 00/14] usb patch queue

[Gerd Hoffmann]

  Hi,

Here comes the usb patch queue, featuring life migration support for
usb network redirection and the usual share of bugfixes ;)

please pull,
  Gerd

The following changes since commit e0a1e32dbc41e6b2aabb436a9417dfd32177a3dc:

  Merge branch 'usb.64' of git://git.kraxel.org/qemu (2012-09-11 18:06:56 +0200)

are available in the git repository at:

  git://git.kraxel.org/qemu usb.65

Aurelien Jarno (1):
  configure: usbredir fixes

Gerd Hoffmann (2):
  usb-host: allow emulated (non-async) control requests without USBPacket
  ehci: switch to new-style memory ops

Hans de Goede (11):
  ehci: Fix interrupts stopping when Interrupt Threshold Control is 8
  ehci: Don't process too much frames in 1 timer tick (v2)
  ehci: Don't set seen to 0 when removing unseen queue-heads
  ehci: Walk async schedule before and after migration
  usb-redir: Change cancelled packet code into a generic packet-id queue
  usb-redir: Add an already_in_flight packet-id queue
  usb-redir: Store max_packet_size in endp_data
  usb-redir: Add support for migration
  usb-redir: Add chardev open / close debug logging
  usb-redir: Revert usb-redir part of commit 93bfef4c
  uhci: Don't queue up packets after one with the SPD flag set

 configure   |2 +-
 hw/usb/hcd-ehci.c   |  241 +++--
 hw/usb/hcd-uhci.c   |5 +-
 hw/usb/host-linux.c |2 +-
 hw/usb/redirect.c   |  504 +++
 trace-events|9 +-
 6 files changed, 625 insertions(+), 138 deletions(-)

Re: [Qemu-devel] [PATCH V3 01/11] atomic: introduce atomic operations

[Paolo Bonzini]

Il 13/09/2012 10:23, Avi Kivity ha scritto:
>> > But I don't really see the point in wrapping atomically-accessed
>> > variables in a struct.  
> Preventing accidental naked access (to be reported in patch review as
> "wardrobe malfunction").

Yeah, I understand that, but it's rare enough that I don't think it's
worth the complication.  With C++ and templates it would be a different
story.

Paolo

[Qemu-devel] [PATCH 11/14] usb-redir: Add support for migration

[Gerd Hoffmann]

From: Hans de Goede 

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |  349 -
 1 files changed, 346 insertions(+), 3 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 3196665..5e987e9 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -65,8 +65,8 @@ struct endp_data {
 uint8_t bufpq_prefilled;
 uint8_t bufpq_dropping_packets;
 QTAILQ_HEAD(, buf_packet) bufpq;
-int bufpq_size;
-int bufpq_target_size;
+int32_t bufpq_size;
+int32_t bufpq_target_size;
 };
 
 struct PacketIdQueueEntry {
@@ -240,6 +240,11 @@ static int usbredir_write(void *priv, uint8_t *data, int 
count)
 return 0;
 }
 
+/* Don't send new data to the chardev until our state is fully synced */
+if (!runstate_check(RUN_STATE_RUNNING)) {
+return 0;
+}
+
 return qemu_chr_fe_write(dev->cs, data, count);
 }
 
@@ -858,6 +863,7 @@ static void usbredir_chardev_open(USBRedirDevice *dev)
 {
 uint32_t caps[USB_REDIR_CAPS_SIZE] = { 0, };
 char version[32];
+int flags = 0;
 
 /* Make sure any pending closes are handled (no-op if none pending) */
 usbredir_chardev_close_bh(dev);
@@ -893,7 +899,12 @@ static void usbredir_chardev_open(USBRedirDevice *dev)
 usbredirparser_caps_set_cap(caps, usb_redir_cap_filter);
 usbredirparser_caps_set_cap(caps, usb_redir_cap_ep_info_max_packet_size);
 usbredirparser_caps_set_cap(caps, usb_redir_cap_64bits_ids);
-usbredirparser_init(dev->parser, version, caps, USB_REDIR_CAPS_SIZE, 0);
+
+if (runstate_check(RUN_STATE_INMIGRATE)) {
+flags |= usbredirparser_fl_no_hello;
+}
+usbredirparser_init(dev->parser, version, caps, USB_REDIR_CAPS_SIZE,
+flags);
 usbredirparser_do_write(dev->parser);
 }
 
@@ -939,6 +950,11 @@ static int usbredir_chardev_can_read(void *opaque)
 return 0;
 }
 
+/* Don't read new data from the chardev until our state is fully synced */
+if (!runstate_check(RUN_STATE_RUNNING)) {
+return 0;
+}
+
 /* usbredir_parser_do_read will consume *all* data we give it */
 return 1024 * 1024;
 }
@@ -976,6 +992,15 @@ static void usbredir_chardev_event(void *opaque, int event)
  * init + destroy
  */
 
+static void usbredir_vm_state_change(void *priv, int running, RunState state)
+{
+USBRedirDevice *dev = priv;
+
+if (state == RUN_STATE_RUNNING && dev->parser != NULL) {
+usbredirparser_do_write(dev->parser); /* Flush any pending writes */
+}
+}
+
 static int usbredir_initfn(USBDevice *udev)
 {
 USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
@@ -1014,6 +1039,7 @@ static int usbredir_initfn(USBDevice *udev)
 qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
   usbredir_chardev_read, usbredir_chardev_event, dev);
 
+qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
 add_boot_device_path(dev->bootindex, &udev->qdev, NULL);
 return 0;
 }
@@ -1503,6 +1529,322 @@ static void usbredir_interrupt_packet(void *priv, 
uint64_t id,
 }
 }
 
+/*
+ * Migration code
+ */
+
+static void usbredir_pre_save(void *priv)
+{
+USBRedirDevice *dev = priv;
+
+usbredir_fill_already_in_flight(dev);
+}
+
+static int usbredir_post_load(void *priv, int version_id)
+{
+USBRedirDevice *dev = priv;
+struct USBEndpoint *usb_ep;
+int i;
+
+switch (dev->device_info.speed) {
+case usb_redir_speed_low:
+dev->dev.speed = USB_SPEED_LOW;
+break;
+case usb_redir_speed_full:
+dev->dev.speed = USB_SPEED_FULL;
+break;
+case usb_redir_speed_high:
+dev->dev.speed = USB_SPEED_HIGH;
+break;
+case usb_redir_speed_super:
+dev->dev.speed = USB_SPEED_SUPER;
+break;
+default:
+dev->dev.speed = USB_SPEED_FULL;
+}
+dev->dev.speedmask = (1 << dev->dev.speed);
+
+for (i = 0; i < MAX_ENDPOINTS; i++) {
+usb_ep = usb_ep_get(&dev->dev,
+(i & 0x10) ? USB_TOKEN_IN : USB_TOKEN_OUT,
+i & 0x0f);
+usb_ep->type = dev->endpoint[i].type;
+usb_ep->ifnum = dev->endpoint[i].interface;
+usb_ep->max_packet_size = dev->endpoint[i].max_packet_size;
+if (dev->endpoint[i].type == usb_redir_type_bulk) {
+usb_ep->pipeline = true;
+}
+}
+return 0;
+}
+
+/* For usbredirparser migration */
+static void usbredir_put_parser(QEMUFile *f, void *priv, size_t unused)
+{
+USBRedirDevice *dev = priv;
+uint8_t *data;
+int len;
+
+if (dev->parser == NULL) {
+qemu_put_be32(f, 0);
+return;
+}
+
+usbredirparser_serialize(dev->parser, &data, &len);
+qemu_oom_check(data);
+
+qemu_put_be32(f, len);
+qemu_put_buffer(f, data, len);
+
+free(data);
+}
+
+static int usbredir_get_parser(QEMUFile *f, void *priv, size_t unused)
+{
+ 

[Qemu-devel] [PATCH 03/10] spice: add screen mirror

[Gerd Hoffmann]

Create a screen mirror, keep there a copy of the most recent update
passed on to spice-server.

Signed-off-by: Gerd Hoffmann 
---
 ui/spice-display.c |   32 ++--
 ui/spice-display.h |1 +
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 6f68f28..973cd53 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -171,8 +171,8 @@ static void qemu_spice_create_one_update(SimpleSpiceDisplay 
*ssd,
 QXLDrawable *drawable;
 QXLImage *image;
 QXLCommand *cmd;
-uint8_t *src, *dst;
-int by, bw, bh;
+uint8_t *src, *mirror, *dst;
+int by, bw, bh, offset, bytes;
 struct timespec time_space;
 
 trace_qemu_spice_create_update(
@@ -216,19 +216,18 @@ static void 
qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
 image->bitmap.palette = 0;
 image->bitmap.format = SPICE_BITMAP_FMT_32BIT;
 
-if (ssd->conv == NULL) {
-PixelFormat dst = qemu_default_pixelformat(32);
-ssd->conv = qemu_pf_conv_get(&dst, &ssd->ds->surface->pf);
-assert(ssd->conv);
-}
-
-src = ds_get_data(ssd->ds) +
+offset =
 rect->top * ds_get_linesize(ssd->ds) +
 rect->left * ds_get_bytes_per_pixel(ssd->ds);
+bytes = ds_get_bytes_per_pixel(ssd->ds) * bw;
+src = ds_get_data(ssd->ds) + offset;
+mirror = ssd->ds_mirror + offset;
 dst = update->bitmap;
 for (by = 0; by < bh; by++) {
-qemu_pf_conv_run(ssd->conv, dst, src, bw);
+memcpy(mirror, src, bytes);
+qemu_pf_conv_run(ssd->conv, dst, mirror, bw);
 src += ds_get_linesize(ssd->ds);
+mirror += ds_get_linesize(ssd->ds);
 dst += image->bitmap.stride;
 }
 
@@ -243,6 +242,17 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
 if (qemu_spice_rect_is_empty(&ssd->dirty)) {
 return;
 };
+
+if (ssd->conv == NULL) {
+PixelFormat dst = qemu_default_pixelformat(32);
+ssd->conv = qemu_pf_conv_get(&dst, &ssd->ds->surface->pf);
+assert(ssd->conv);
+}
+if (ssd->ds_mirror == NULL) {
+int size = ds_get_height(ssd->ds) * ds_get_linesize(ssd->ds);
+ssd->ds_mirror = g_malloc0(size);
+}
+
 qemu_spice_create_one_update(ssd, &ssd->dirty);
 memset(&ssd->dirty, 0, sizeof(ssd->dirty));
 }
@@ -358,6 +368,8 @@ void qemu_spice_display_resize(SimpleSpiceDisplay *ssd)
 memset(&ssd->dirty, 0, sizeof(ssd->dirty));
 qemu_pf_conv_put(ssd->conv);
 ssd->conv = NULL;
+g_free(ssd->ds_mirror);
+ssd->ds_mirror = NULL;
 
 qemu_mutex_lock(&ssd->lock);
 while ((update = QTAILQ_FIRST(&ssd->updates)) != NULL) {
diff --git a/ui/spice-display.h b/ui/spice-display.h
index 3fcb6fe..dea41c1 100644
--- a/ui/spice-display.h
+++ b/ui/spice-display.h
@@ -72,6 +72,7 @@ typedef struct SimpleSpiceUpdate SimpleSpiceUpdate;
 
 struct SimpleSpiceDisplay {
 DisplayState *ds;
+uint8_t *ds_mirror;
 void *buf;
 int bufsize;
 QXLWorker *worker;
-- 
1.7.1

[Qemu-devel] [PATCH 05/10] qxl: dont update invalid area

[Gerd Hoffmann]

From: Dunrong Huang 

This patch fixes the following error:

$ ~/usr/bin/qemu-system-x86_64 -enable-kvm -m 1024 -spice 
port=5900,disable-ticketing -vga qxl -cdrom 
~/Images/linuxmint-13-mate-dvd-32bit.iso
(/home/mathslinux/usr/bin/qemu-system-x86_64:10068): SpiceWorker-CRITICAL **: 
red_worker.c:4599:red_update_area: condition `area->left >= 0 && area->top >= 0 
&& area->left < area->right && area->top < area->bottom' failed
Aborted

spice server terminates QEMU process if we pass invalid area to it,
so dont update those invalid areas.

Signed-off-by: Dunrong Huang 
Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c |7 +++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 257a37d..0176b1a 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1470,6 +1470,13 @@ async_common:
 return;
 }
 
+if (update.left < 0 || update.top < 0 || update.left >= update.right ||
+update.top >= update.bottom) {
+qxl_set_guest_bug(d, "QXL_IO_UPDATE_AREA: "
+  "invalid area(%d,%d,%d,%d)\n", update.left,
+  update.right, update.top, update.bottom);
+break;
+}
 if (async == QXL_ASYNC) {
 cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
 QXL_IO_UPDATE_AREA_ASYNC);
-- 
1.7.1

[Qemu-devel] [PATCH 3/3] ivshmem: add 64bit option

[Gerd Hoffmann]

This patch adds a "use64" property which will make the ivshmem driver
register a 64bit memory bar when set, so you have something to play with
when testing 64bit pci bits.  It also allows to have quite big shared
memory regions, like this:

[root@fedora ~]# lspci -vs1:1
01:01.0 RAM memory: Red Hat, Inc Device 1110
Subsystem: Red Hat, Inc Device 1100
Physical Slot: 1-1
Flags: fast devsel
Memory at fd40 (32-bit, non-prefetchable) [disabled] [size=256]
Memory at 804000 (64-bit, prefetchable) [size=1G]

[ v5: rebase, update compat property for post-1.2 merge ]
[ v4: rebase & adapt to latest master again ]
[ v3: rebase & adapt to latest master ]
[ v2: default to on as suggested by avi,
  turn off for pc-$old using compat property ]

Signed-off-by: Gerd Hoffmann 
Tested-by: Cam Macdonell 
---
 hw/ivshmem.c |   13 ++---
 hw/pc_piix.c |4 
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/hw/ivshmem.c b/hw/ivshmem.c
index 62fe53a..59f1aa4 100644
--- a/hw/ivshmem.c
+++ b/hw/ivshmem.c
@@ -71,6 +71,8 @@ typedef struct IVShmemState {
 MemoryRegion bar;
 MemoryRegion ivshmem;
 uint64_t ivshmem_size; /* size of shared memory region */
+uint32_t ivshmem_attr;
+uint32_t ivshmem_64bit;
 int shm_fd; /* shared memory file descriptor */
 
 Peer *peers;
@@ -339,7 +341,7 @@ static void create_shared_memory_BAR(IVShmemState *s, int 
fd) {
 memory_region_add_subregion(&s->bar, 0, &s->ivshmem);
 
 /* region for shared memory */
-pci_register_bar(&s->dev, 2, PCI_BASE_ADDRESS_SPACE_MEMORY, &s->bar);
+pci_register_bar(&s->dev, 2, s->ivshmem_attr, &s->bar);
 }
 
 static void ivshmem_add_eventfd(IVShmemState *s, int posn, int i)
@@ -690,6 +692,11 @@ static int pci_ivshmem_init(PCIDevice *dev)
  &s->ivshmem_mmio);
 
 memory_region_init(&s->bar, "ivshmem-bar2-container", s->ivshmem_size);
+s->ivshmem_attr = PCI_BASE_ADDRESS_SPACE_MEMORY |
+PCI_BASE_ADDRESS_MEM_PREFETCH;
+if (s->ivshmem_64bit) {
+s->ivshmem_attr |= PCI_BASE_ADDRESS_MEM_TYPE_64;
+}
 
 if ((s->server_chr != NULL) &&
 (strncmp(s->server_chr->filename, "unix:", 5) == 0)) {
@@ -715,8 +722,7 @@ static int pci_ivshmem_init(PCIDevice *dev)
 /* allocate/initialize space for interrupt handling */
 s->peers = g_malloc0(s->nb_peers * sizeof(Peer));
 
-pci_register_bar(&s->dev, 2,
- PCI_BASE_ADDRESS_SPACE_MEMORY, &s->bar);
+pci_register_bar(&s->dev, 2, s->ivshmem_attr, &s->bar);
 
 s->eventfd_chr = g_malloc0(s->vectors * sizeof(CharDriverState *));
 
@@ -786,6 +792,7 @@ static Property ivshmem_properties[] = {
 DEFINE_PROP_BIT("msi", IVShmemState, features, IVSHMEM_MSI, true),
 DEFINE_PROP_STRING("shm", IVShmemState, shmobj),
 DEFINE_PROP_STRING("role", IVShmemState, role),
+DEFINE_PROP_UINT32("use64", IVShmemState, ivshmem_64bit, 1),
 DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index afd8361..fd5898f 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -367,6 +367,10 @@ static QEMUMachine pc_machine_v1_3 = {
 .driver   = "nec-usb-xhci",\
 .property = "msix",\
 .value= "off",\
+},{\
+.driver   = "ivshmem",\
+.property = "use64",\
+.value= "0",\
 }
 
 static QEMUMachine pc_machine_v1_2 = {
-- 
1.7.1

[Qemu-devel] [PATCH 0/3] add pc-1.3, fix xhci comat, ivshmem 64bit option

[Gerd Hoffmann]

  Hi,

Small series with tree patches, the first one adds a new machine type
for the upcoming 1.3 release so we can add compat properties as needed,
the other two patches actually add compat properties.  The xhci one is
a pure compat fix which turns off msi+msix on old machine types.  The
other is the 64bit ivshmem patch which has been posted multiple times
and still didn't make it into master yet.  It adds a compat property
too to turn off 64bit on old machine types.

cheers,
  Gerd

The following changes since commit e0a1e32dbc41e6b2aabb436a9417dfd32177a3dc:

  Merge branch 'usb.64' of git://git.kraxel.org/qemu (2012-09-11 18:06:56 +0200)

are available in the git repository at:

  git://git.kraxel.org/qemu misc.1

Gerd Hoffmann (3):
  add pc-1.3 machine type
  compat: turn off msi/msix on xhci for old machine types
  ivshmem: add 64bit option

 hw/ivshmem.c |   13 ++---
 hw/pc_piix.c |   32 ++--
 2 files changed, 40 insertions(+), 5 deletions(-)

[Qemu-devel] [PATCH 2/3] compat: turn off msi/msix on xhci for old machine types

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann 
---
 hw/pc_piix.c |   16 
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 5a0796b..afd8361 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -358,14 +358,30 @@ static QEMUMachine pc_machine_v1_3 = {
 .is_default = 1,
 };
 
+#define PC_COMPAT_1_2 \
+{\
+.driver   = "nec-usb-xhci",\
+.property = "msi",\
+.value= "off",\
+},{\
+.driver   = "nec-usb-xhci",\
+.property = "msix",\
+.value= "off",\
+}
+
 static QEMUMachine pc_machine_v1_2 = {
 .name = "pc-1.2",
 .desc = "Standard PC",
 .init = pc_init_pci,
 .max_cpus = 255,
+.compat_props = (GlobalProperty[]) {
+PC_COMPAT_1_2,
+{ /* end of list */ }
+},
 };
 
 #define PC_COMPAT_1_1 \
+PC_COMPAT_1_2,\
 {\
 .driver   = "virtio-scsi-pci",\
 .property = "hotplug",\
-- 
1.7.1

[Qemu-devel] [PATCH 1/3] add pc-1.3 machine type

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann 
---
 hw/pc_piix.c |   12 ++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 88ff041..5a0796b 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -349,8 +349,8 @@ static void pc_xen_hvm_init(ram_addr_t ram_size,
 }
 #endif
 
-static QEMUMachine pc_machine_v1_2 = {
-.name = "pc-1.2",
+static QEMUMachine pc_machine_v1_3 = {
+.name = "pc-1.3",
 .alias = "pc",
 .desc = "Standard PC",
 .init = pc_init_pci,
@@ -358,6 +358,13 @@ static QEMUMachine pc_machine_v1_2 = {
 .is_default = 1,
 };
 
+static QEMUMachine pc_machine_v1_2 = {
+.name = "pc-1.2",
+.desc = "Standard PC",
+.init = pc_init_pci,
+.max_cpus = 255,
+};
+
 #define PC_COMPAT_1_1 \
 {\
 .driver   = "virtio-scsi-pci",\
@@ -655,6 +662,7 @@ static QEMUMachine xenfv_machine = {
 
 static void pc_machine_init(void)
 {
+qemu_register_machine(&pc_machine_v1_3);
 qemu_register_machine(&pc_machine_v1_2);
 qemu_register_machine(&pc_machine_v1_1);
 qemu_register_machine(&pc_machine_v1_0);
-- 
1.7.1

[Qemu-devel] [PATCH 06/14] ehci: Don't set seen to 0 when removing unseen queue-heads

[Gerd Hoffmann]

From: Hans de Goede 

When removing unseen queue-heads from the async queue list, we should not
set the seen flag to 0, as this may cause them to be removed by
ehci_queues_rip_unused() during the next call to ehci_advance_async_state()
if the timer is late or running at a low frequency.

Note:
1) This *may* have caused the instant unlink / relinks described in commit
   9bc3a3a216e2689bfcdd36c3e079333bbdbf3ba0

2) Rather then putting more if-s inside ehci_queues_rip_unused, this patch
   instead introduces a new ehci_queues_rip_unseen function.

3) This patch also makes it save to call ehci_queues_rip_unseen() multiple
   times, which gets used in the folluw up patch titled:
   "ehci: Walk async schedule before and after migration"

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci.c |   24 ++--
 1 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 017a01d..bc86460 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -848,10 +848,10 @@ static EHCIQueue *ehci_find_queue_by_qh(EHCIState *ehci, 
uint32_t addr,
 return NULL;
 }
 
-static void ehci_queues_rip_unused(EHCIState *ehci, int async, int flush)
+static void ehci_queues_rip_unused(EHCIState *ehci, int async)
 {
 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues;
-const char *warn = (async && !flush) ? "guest unlinked busy QH" : NULL;
+const char *warn = async ? "guest unlinked busy QH" : NULL;
 uint64_t maxage = FRAME_TIMER_NS * ehci->maxframes * 4;
 EHCIQueue *q, *tmp;
 
@@ -861,13 +861,25 @@ static void ehci_queues_rip_unused(EHCIState *ehci, int 
async, int flush)
 q->ts = ehci->last_run_ns;
 continue;
 }
-if (!flush && ehci->last_run_ns < q->ts + maxage) {
+if (ehci->last_run_ns < q->ts + maxage) {
 continue;
 }
 ehci_free_queue(q, warn);
 }
 }
 
+static void ehci_queues_rip_unseen(EHCIState *ehci, int async)
+{
+EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues;
+EHCIQueue *q, *tmp;
+
+QTAILQ_FOREACH_SAFE(q, head, next, tmp) {
+if (!q->seen) {
+ehci_free_queue(q, NULL);
+}
+}
+}
+
 static void ehci_queues_rip_device(EHCIState *ehci, USBDevice *dev, int async)
 {
 EHCIQueueHead *head = async ? &ehci->aqueues : &ehci->pqueues;
@@ -1700,7 +1712,7 @@ static int ehci_state_waitlisthead(EHCIState *ehci,  int 
async)
 ehci_set_usbsts(ehci, USBSTS_REC);
 }
 
-ehci_queues_rip_unused(ehci, async, 0);
+ehci_queues_rip_unused(ehci, async);
 
 /*  Find the head of the list (4.9.1.1) */
 for(i = 0; i < MAX_QH; i++) {
@@ -2332,7 +2344,7 @@ static void ehci_advance_async_state(EHCIState *ehci)
  */
 if (ehci->usbcmd & USBCMD_IAAD) {
 /* Remove all unseen qhs from the async qhs queue */
-ehci_queues_rip_unused(ehci, async, 1);
+ehci_queues_rip_unseen(ehci, async);
 trace_usb_ehci_doorbell_ack();
 ehci->usbcmd &= ~USBCMD_IAAD;
 ehci_raise_irq(ehci, USBSTS_IAA);
@@ -2385,7 +2397,7 @@ static void ehci_advance_periodic_state(EHCIState *ehci)
 ehci_set_fetch_addr(ehci, async,entry);
 ehci_set_state(ehci, async, EST_FETCHENTRY);
 ehci_advance_state(ehci, async);
-ehci_queues_rip_unused(ehci, async, 0);
+ehci_queues_rip_unused(ehci, async);
 break;
 
 default:
-- 
1.7.1

[Qemu-devel] [PATCH v2 7/9] fbdev: move to pixman

[Gerd Hoffmann]

Stop reinventing the wheel.  Use the pixman library for raster ops.

Signed-off-by: Gerd Hoffmann 
---
 configure  |   12 
 ui/fbdev.c |  172 +++
 2 files changed, 114 insertions(+), 70 deletions(-)

diff --git a/configure b/configure
index 0e095dc..634a5bd 100755
--- a/configure
+++ b/configure
@@ -149,6 +149,7 @@ docs=""
 fdt=""
 nptl=""
 sdl=""
+pixman=""
 fbdev="no"
 virtfs=""
 vnc="yes"
@@ -2151,6 +2152,17 @@ else
 exit 1
 fi
 
+if $pkg_config pixman-1 > /dev/null 2>&1
+then
+pixman="yes"
+pixman_cflags=`$pkg_config --cflags pixman-1 2>/dev/null`
+pixman_libs=`$pkg_config --libs pixman-1 2>/dev/null`
+QEMU_CFLAGS="$QEMU_CFLAGS $pixman_cflags"
+libs_softmmu="$libs_softmmu $pixman_libs"
+else
+fbdev="no"
+fi
+
 ##
 # libcap probe
 
diff --git a/ui/fbdev.c b/ui/fbdev.c
index c552810..07fa693 100644
--- a/ui/fbdev.c
+++ b/ui/fbdev.c
@@ -23,11 +23,12 @@
 #include 
 #include 
 
+#include 
+
 #include "qemu-common.h"
 #include "console.h"
 #include "keymaps.h"
 #include "sysemu.h"
-#include "pflib.h"
 
 /*
  * must be last so we get the linux input layer
@@ -70,19 +71,82 @@ static bool   key_down[KEY_CNT];
 #define FB_ACQ_REQ   3
 static int fb_switch_state;
 
-/* qdev windup */
+/* qemu windup */
 static DisplayChangeListener  *dcl;
-static QemuPfConv *conv;
-static PixelFormatfbpf;
 static intresize_screen;
 static intredraw_screen;
 static intcx, cy, cw, ch;
 static Notifier   exit_notifier;
+static pixman_image_t *surface;
+static pixman_image_t *framebuffer;
+static pixman_transform_t transform;
+static pixman_region16_t  dirty;
 
 /* fwd decls */
 static int fbdev_activate_vt(int tty, int vtno, bool wait);
 
 /*  */
+/* pixman helpers   */
+
+static int pixman_shifts_to_type(int rshift, int gshift, int bshift)
+{
+int type = PIXMAN_TYPE_OTHER;
+
+if (rshift > gshift && gshift > bshift) {
+if (bshift == 0) {
+type = PIXMAN_TYPE_ARGB;
+} else {
+#if PIXMAN_VERSION >= PIXMAN_VERSION_ENCODE(0, 21, 8)
+type = PIXMAN_TYPE_RGBA;
+#endif
+}
+} else if (rshift < gshift && gshift < bshift) {
+if (rshift == 0) {
+type = PIXMAN_TYPE_ABGR;
+} else {
+type = PIXMAN_TYPE_BGRA;
+}
+}
+return type;
+}
+
+static pixman_image_t *pixman_from_displaystate(DisplayState *ds)
+{
+PixelFormat *pf = &ds->surface->pf;
+pixman_format_code_t format;
+pixman_image_t *image;
+int type;
+
+type = pixman_shifts_to_type(pf->rshift, pf->gshift, pf->bshift);
+format = PIXMAN_FORMAT(pf->bits_per_pixel, type,
+   pf->abits, pf->rbits, pf->gbits, pf->bbits);
+image = pixman_image_create_bits(format, ds_get_width(ds),
+ ds_get_height(ds),
+ (void *)ds_get_data(ds),
+ ds_get_linesize(ds));
+return image;
+}
+
+static pixman_image_t *pixman_from_framebuffer(void)
+{
+pixman_format_code_t format;
+pixman_image_t *image;
+int type;
+
+type = pixman_shifts_to_type(fb_var.red.offset,
+ fb_var.green.offset,
+ fb_var.blue.offset);
+format = PIXMAN_FORMAT(fb_var.bits_per_pixel, type,
+   fb_var.transp.length,
+   fb_var.red.length,
+   fb_var.green.length,
+   fb_var.blue.length);
+image = pixman_image_create_bits(format, fb_var.xres, fb_var.yres,
+ (void *)fb_mem, fb_fix.line_length);
+return image;
+}
+
+/*  */
 /* mouse*/
 
 static void read_mouse(void *opaque)
@@ -529,6 +593,17 @@ static void fbdev_cleanup(void)
 {
 trace_fbdev_cleanup();
 
+/* release pixman stuff */
+pixman_region_fini(&dirty);
+if (framebuffer) {
+pixman_image_unref(framebuffer);
+framebuffer = NULL;
+}
+if (surface) {
+pixman_image_unref(surface);
+surface = NULL;
+}
+
 /* restore console */
 if (fb_mem != NULL) {
 munmap(fb_mem, fb_fix.smem_len+fb_mem_offset);
@@ -681,36 +756,8 @@ static int fbdev_init(const char *device)
 start_mediumraw(tty);
 qemu_set_fd_handler(tty, read_mediumraw, NULL, NULL);
 
-/* create PixelFormat from fbdev structs */
-fbpf.bits_per_pixel  = fb_var.bits_per_pixel;
-fbpf.bytes_per_pixel = (fb_var.bits_per_pi

[Qemu-devel] [PATCH v2 2/9] add unregister_displaychangelistener

[Gerd Hoffmann]

Also change the way the gui_timer is initialized: each time a
displaychangelistener is registered or unregistered we'll check
whenever we need a timer (due to dpy_refresh callback being present)
and if so setup a timer, otherwise zap it.  This way the gui timer works
correctly with displaychangelisteners coming and going.

Signed-off-by: Gerd Hoffmann 
---
 console.h |   10 ++
 vl.c  |   31 +++
 2 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/console.h b/console.h
index 646ad4b..48fef22 100644
--- a/console.h
+++ b/console.h
@@ -229,9 +229,19 @@ static inline int is_buffer_shared(DisplaySurface *surface)
 !(surface->flags & QEMU_REALPIXELS_FLAG));
 }
 
+void gui_setup_refresh(DisplayState *ds);
+
 static inline void register_displaychangelistener(DisplayState *ds, 
DisplayChangeListener *dcl)
 {
 QLIST_INSERT_HEAD(&ds->listeners, dcl, next);
+gui_setup_refresh(ds);
+}
+
+static inline void unregister_displaychangelistener(DisplayState *ds,
+DisplayChangeListener *dcl)
+{
+QLIST_REMOVE(dcl, next);
+gui_setup_refresh(ds);
 }
 
 static inline void dpy_update(DisplayState *s, int x, int y, int w, int h)
diff --git a/vl.c b/vl.c
index 2a7c92a..fbb77fe 100644
--- a/vl.c
+++ b/vl.c
@@ -1288,6 +1288,29 @@ static void gui_update(void *opaque)
 qemu_mod_timer(ds->gui_timer, interval + qemu_get_clock_ms(rt_clock));
 }
 
+void gui_setup_refresh(DisplayState *ds)
+{
+DisplayChangeListener *dcl;
+bool need_timer = false;
+
+QLIST_FOREACH(dcl, &ds->listeners, next) {
+if (dcl->dpy_refresh != NULL) {
+need_timer = true;
+break;
+}
+}
+
+if (need_timer && ds->gui_timer == NULL) {
+ds->gui_timer = qemu_new_timer_ms(rt_clock, gui_update, ds);
+qemu_mod_timer(ds->gui_timer, qemu_get_clock_ms(rt_clock));
+}
+if (!need_timer && ds->gui_timer != NULL) {
+qemu_del_timer(ds->gui_timer);
+qemu_free_timer(ds->gui_timer);
+ds->gui_timer = NULL;
+}
+}
+
 struct vm_change_state_entry {
 VMChangeStateHandler *cb;
 void *opaque;
@@ -2350,7 +2373,6 @@ int main(int argc, char **argv, char **envp)
 const char *kernel_filename, *kernel_cmdline;
 char boot_devices[33] = "cad"; /* default to HD->floppy->CD-ROM */
 DisplayState *ds;
-DisplayChangeListener *dcl;
 int cyls, heads, secs, translation;
 QemuOpts *hda_opts = NULL, *opts, *machine_opts;
 QemuOptsList *olist;
@@ -3698,13 +3720,6 @@ int main(int argc, char **argv, char **envp)
 
 /* display setup */
 dpy_resize(ds);
-QLIST_FOREACH(dcl, &ds->listeners, next) {
-if (dcl->dpy_refresh != NULL) {
-ds->gui_timer = qemu_new_timer_ms(rt_clock, gui_update, ds);
-qemu_mod_timer(ds->gui_timer, qemu_get_clock_ms(rt_clock));
-break;
-}
-}
 text_consoles_set_display(ds);
 
 if (foreach_device_config(DEV_GDB, gdbserver_start) < 0) {
-- 
1.7.1

[Qemu-devel] [PATCH v2 3/9] move set_mouse + cursor_define callbacks

[Gerd Hoffmann]

When adding DisplayChangeListeners the set_mouse and cursor_define
callbacks have been left in DisplayState for some reason.  Fix it.

Signed-off-by: Gerd Hoffmann 
---
 console.c  |2 +-
 console.h  |   39 +++
 hw/jazz_led.c  |2 +-
 hw/qxl-render.c|2 +-
 hw/vga.c   |   10 +-
 hw/vmware_vga.c|   11 ++-
 ui/sdl.c   |8 
 ui/spice-display.c |4 ++--
 ui/vnc.c   |8 
 9 files changed, 59 insertions(+), 27 deletions(-)

diff --git a/console.c b/console.c
index c1ed5e0..7dad6b3 100644
--- a/console.c
+++ b/console.c
@@ -1239,7 +1239,7 @@ static void text_console_update(void *opaque, 
console_ch_t *chardata)
 s->text_y[1] = 0;
 }
 if (s->cursor_invalidate) {
-dpy_cursor(s->ds, s->x, s->y);
+dpy_text_cursor(s->ds, s->x, s->y);
 s->cursor_invalidate = 0;
 }
 }
diff --git a/console.h b/console.h
index 48fef22..bef2d2d 100644
--- a/console.h
+++ b/console.h
@@ -164,6 +164,9 @@ struct DisplayChangeListener {
  int w, int h, uint32_t c);
 void (*dpy_text_cursor)(struct DisplayState *s, int x, int y);
 
+void (*dpy_mouse_set)(struct DisplayState *s, int x, int y, int on);
+void (*dpy_cursor_define)(struct DisplayState *s, QEMUCursor *cursor);
+
 QLIST_ENTRY(DisplayChangeListener) next;
 };
 
@@ -181,9 +184,6 @@ struct DisplayState {
 struct DisplayAllocator* allocator;
 QLIST_HEAD(, DisplayChangeListener) listeners;
 
-void (*mouse_set)(int x, int y, int on);
-void (*cursor_define)(QEMUCursor *cursor);
-
 struct DisplayState *next;
 };
 
@@ -304,7 +304,7 @@ static inline void dpy_fill(struct DisplayState *s, int x, 
int y,
 }
 }
 
-static inline void dpy_cursor(struct DisplayState *s, int x, int y)
+static inline void dpy_text_cursor(struct DisplayState *s, int x, int y)
 {
 struct DisplayChangeListener *dcl;
 QLIST_FOREACH(dcl, &s->listeners, next) {
@@ -314,6 +314,37 @@ static inline void dpy_cursor(struct DisplayState *s, int 
x, int y)
 }
 }
 
+static inline void dpy_mouse_set(struct DisplayState *s, int x, int y, int on)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_mouse_set) {
+dcl->dpy_mouse_set(s, x, y, on);
+}
+}
+}
+
+static inline void dpy_cursor_define(struct DisplayState *s, QEMUCursor 
*cursor)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_cursor_define) {
+dcl->dpy_cursor_define(s, cursor);
+}
+}
+}
+
+static inline bool dpy_cursor_define_supported(struct DisplayState *s)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_cursor_define) {
+return true;
+}
+}
+return false;
+}
+
 static inline int ds_get_linesize(DisplayState *ds)
 {
 return ds->surface->linesize;
diff --git a/hw/jazz_led.c b/hw/jazz_led.c
index 6486523..c4d54e2 100644
--- a/hw/jazz_led.c
+++ b/hw/jazz_led.c
@@ -210,7 +210,7 @@ static void jazz_led_text_update(void *opaque, console_ch_t 
*chardata)
 LedState *s = opaque;
 char buf[2];
 
-dpy_cursor(s->ds, -1, -1);
+dpy_text_cursor(s->ds, -1, -1);
 qemu_console_resize(s->ds, 2, 1);
 
 /* TODO: draw the segments */
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
index e2e3fe2..085a090 100644
--- a/hw/qxl-render.c
+++ b/hw/qxl-render.c
@@ -238,7 +238,7 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
 return 1;
 }
 
-if (!qxl->ssd.ds->mouse_set || !qxl->ssd.ds->cursor_define) {
+if (!dpy_cursor_define_supported(qxl->ssd.ds)) {
 return 0;
 }
 
diff --git a/hw/vga.c b/hw/vga.c
index 80299ea..93af63a 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -2077,11 +2077,11 @@ static void vga_update_text(void *opaque, console_ch_t 
*chardata)
 s->cr[VGA_CRTC_CURSOR_END] != s->cursor_end || full_update) {
 cursor_visible = !(s->cr[VGA_CRTC_CURSOR_START] & 0x20);
 if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
-dpy_cursor(s->ds,
-   TEXTMODE_X(cursor_offset),
-   TEXTMODE_Y(cursor_offset));
+dpy_text_cursor(s->ds,
+TEXTMODE_X(cursor_offset),
+TEXTMODE_Y(cursor_offset));
 else
-dpy_cursor(s->ds, -1, -1);
+dpy_text_cursor(s->ds, -1, -1);
 s->cursor_offset = cursor_offset;
 s->cursor_start = s->cr[VGA_CRTC_CURSOR_START];
 s->cursor_end = s->cr[VGA_CRTC_CURSOR_END];
@@ -2142,7 +2142,7 @@ static void vga_update_text(void *opaque, console_ch_t 
*chardata)
 /* Display a message */
 s->last_width = 60;
 s->last_height = height = 3;
-dpy_cursor

[Qemu-devel] [PATCH v2 5/9] fbdev: add monitor command to enable/disable

[Gerd Hoffmann]

This patch adds a fbdev monitor command to enable/disable
the fbdev display at runtime to both qmp and hmp.

qmp: fbdev enable=on|off
hmp: fbdev on|off

Signed-off-by: Gerd Hoffmann 
---
 hmp-commands.hx  |   15 +++
 hmp.c|9 +
 hmp.h|1 +
 qapi-schema.json |   14 ++
 qmp-commands.hx  |6 ++
 qmp.c|   17 +
 6 files changed, 62 insertions(+), 0 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index ed67e99..366a92b 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1377,6 +1377,21 @@ passed since 1970, i.e. unix epoch.
 ETEXI
 
 {
+.name   = "fbdev",
+.args_type  = "enable:b",
+.params = "on|off",
+.help   = "enable/disable fbdev",
+.mhandler.cmd = hmp_fbdev,
+},
+
+STEXI
+@item fbdev on | off
+@findex fbdev
+
+enable/disable fbdev
+ETEXI
+
+{
 .name   = "info",
 .args_type  = "item:s?",
 .params = "[subcommand]",
diff --git a/hmp.c b/hmp.c
index ba6fbd3..a7feec5 100644
--- a/hmp.c
+++ b/hmp.c
@@ -1168,3 +1168,12 @@ void hmp_screen_dump(Monitor *mon, const QDict *qdict)
 qmp_screendump(filename, &err);
 hmp_handle_error(mon, &err);
 }
+
+void hmp_fbdev(Monitor *mon, const QDict *qdict)
+{
+int enable = qdict_get_bool(qdict, "enable");
+Error *errp = NULL;
+
+qmp_fbdev(enable, &errp);
+hmp_handle_error(mon, &errp);
+}
diff --git a/hmp.h b/hmp.h
index 48b9c59..9c3d315 100644
--- a/hmp.h
+++ b/hmp.h
@@ -73,5 +73,6 @@ void hmp_getfd(Monitor *mon, const QDict *qdict);
 void hmp_closefd(Monitor *mon, const QDict *qdict);
 void hmp_send_key(Monitor *mon, const QDict *qdict);
 void hmp_screen_dump(Monitor *mon, const QDict *qdict);
+void hmp_fbdev(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/qapi-schema.json b/qapi-schema.json
index a9f465a..ea8c3c5 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -2555,3 +2555,17 @@
 # Since: 0.14.0
 ##
 { 'command': 'screendump', 'data': {'filename': 'str'} }
+
+# @fbdev:
+#
+# Enable/disable fbdev.
+#
+# @enable: true to set the link status to be up
+#
+# Returns: Nothing on success
+#  GenericError on failure.
+#
+# Since: 1.3
+#
+##
+{ 'command': 'fbdev', 'data': {'enable': 'bool'} }
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 6e21ddb..4b95fd0 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -2539,3 +2539,9 @@ EQMP
 .args_type  = "",
 .mhandler.cmd_new = qmp_marshal_input_query_target,
 },
+
+{
+.name   = "fbdev",
+.args_type  = "enable:b",
+.mhandler.cmd_new = qmp_marshal_input_fbdev,
+},
diff --git a/qmp.c b/qmp.c
index 8463922..7f6cc0b 100644
--- a/qmp.c
+++ b/qmp.c
@@ -391,6 +391,23 @@ void qmp_change(const char *device, const char *target,
 }
 }
 
+void qmp_fbdev(bool enable, Error **errp)
+{
+#if defined(CONFIG_LINUX)
+DisplayState *ds = get_displaystate();
+
+if (enable) {
+if (fbdev_display_init(ds, NULL) != 0) {
+error_setg(errp, "fbdev initialization failed");
+}
+} else {
+fbdev_display_uninit(ds);
+}
+#else
+error_set(errp, QERR_FEATURE_DISABLED, "fbdev");
+#endif
+}
+
 static void qom_list_types_tramp(ObjectClass *klass, void *data)
 {
 ObjectTypeInfoList *e, **pret = data;
-- 
1.7.1

[Qemu-devel] [PATCH 03/14] ehci: Fix interrupts stopping when Interrupt Threshold Control is 8

[Gerd Hoffmann]

From: Hans de Goede 

If Interrupt Threshold Control is 8 or a multiple of 8, then
s->usbsts_frindex can become exactly 0x4000, at which point
(s->usbsts_frindex > s->frindex) will never become true, as
s->usbsts_frindex will not be lowered / reset in this case.

This patch fixes this.

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index f5ba8e1..54273d7 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2413,7 +2413,7 @@ static void ehci_update_frindex(EHCIState *ehci, int 
frames)
 if (ehci->frindex == 0x4000) {
 ehci_raise_irq(ehci, USBSTS_FLR);
 ehci->frindex = 0;
-if (ehci->usbsts_frindex > 0x4000) {
+if (ehci->usbsts_frindex >= 0x4000) {
 ehci->usbsts_frindex -= 0x4000;
 } else {
 ehci->usbsts_frindex = 0;
-- 
1.7.1

[Qemu-devel] [PATCH 04/14] ehci: Don't process too much frames in 1 timer tick (v2)

[Gerd Hoffmann]

From: Hans de Goede 

The Linux ehci isoc scheduling code fills the entire schedule ahead of
time minus 80 frames. If we make a large jump in where we are in the
schedule, ie 40 frames, then the scheduler all of a sudden will only have
40 frames left to work in, causing it to fail packet submissions
with error -27 (-EFBIG).

Changes in v2:
-Don't hardcode a maximum number of frames to process in one tick, instead:
 -Process a minimum number of frames to ensure we do eventually catch up
 -Stop (after the minimum number) when the guest has requested an irq

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci.c |   14 ++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 54273d7..017a01d 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -139,6 +139,7 @@
 #define NB_PORTS 6// Number of downstream ports
 #define BUFF_SIZE5*4096   // Max bytes to transfer per transaction
 #define MAX_QH   100  // Max allowable queue heads in a chain
+#define MIN_FR_PER_TICK  3// Min frames to process when catching up
 
 /*  Internal periodic / asynchronous schedule state machine states
  */
@@ -2448,6 +2449,19 @@ static void ehci_frame_timer(void *opaque)
 }
 
 for (i = 0; i < frames; i++) {
+/*
+ * If we're running behind schedule, we should not catch up
+ * too fast, as that will make some guests unhappy:
+ * 1) We must process a minimum of MIN_FR_PER_TICK frames,
+ *otherwise we will never catch up
+ * 2) Process frames until the guest has requested an irq (IOC)
+ */
+if (i >= MIN_FR_PER_TICK) {
+ehci_commit_irq(ehci);
+if ((ehci->usbsts & USBINTR_MASK) & ehci->usbintr) {
+break;
+}
+}
 ehci_update_frindex(ehci, 1);
 ehci_advance_periodic_state(ehci);
 ehci->last_run_ns += FRAME_TIMER_NS;
-- 
1.7.1

[Qemu-devel] [PATCH 01/14] usb-host: allow emulated (non-async) control requests without USBPacket

[Gerd Hoffmann]

xhci needs this for USB_REQ_SET_ADDRESS due to the way
usb addressing is handled by the xhci hardware.

Signed-off-by: Gerd Hoffmann 
---
 hw/usb/host-linux.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/usb/host-linux.c b/hw/usb/host-linux.c
index 8df9207..44f1a64 100644
--- a/hw/usb/host-linux.c
+++ b/hw/usb/host-linux.c
@@ -1045,7 +1045,6 @@ static int usb_host_handle_control(USBDevice *dev, 
USBPacket *p,
 
 /* Note request is (bRequestType << 8) | bRequest */
 trace_usb_host_req_control(s->bus_num, s->addr, p, request, value, index);
-assert(p->result == 0);
 
 switch (request) {
 case DeviceOutRequest | USB_REQ_SET_ADDRESS:
@@ -1074,6 +1073,7 @@ static int usb_host_handle_control(USBDevice *dev, 
USBPacket *p,
 }
 
 /* The rest are asynchronous */
+assert(p && p->result == 0);
 
 if (length > sizeof(dev->data_buf)) {
 fprintf(stderr, "husb: ctrl buffer too small (%d > %zu)\n",
-- 
1.7.1

[Qemu-devel] [PATCH 09/14] usb-redir: Add an already_in_flight packet-id queue

[Gerd Hoffmann]

From: Hans de Goede 

After a live migration, the usb-hcd will re-queue all packets by
walking over the schedule in the guest memory again, but requests which
were encountered on the migration source before will already be in flight,
so these should *not* be re-send to the usbredir-host.

This patch adds an already in flight packet ud queue, which will be filled by
the source before migration and then moved over to the migration dest, any
async handled packets are then checked against this queue to avoid sending
the same packet to the usbredir-host twice.

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |   43 +++
 1 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 603262a..f474da8 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -98,6 +98,7 @@ struct USBRedirDevice {
 struct usbredirparser *parser;
 struct endp_data endpoint[MAX_ENDPOINTS];
 struct PacketIdQueue cancelled;
+struct PacketIdQueue already_in_flight;
 /* Data for device filtering */
 struct usb_redir_device_connect_header device_info;
 struct usb_redir_interface_info_header interface_info;
@@ -316,6 +317,34 @@ static int usbredir_is_cancelled(USBRedirDevice *dev, 
uint64_t id)
 return packet_id_queue_remove(&dev->cancelled, id);
 }
 
+static void usbredir_fill_already_in_flight_from_ep(USBRedirDevice *dev,
+struct USBEndpoint *ep)
+{
+static USBPacket *p;
+
+QTAILQ_FOREACH(p, &ep->queue, queue) {
+packet_id_queue_add(&dev->already_in_flight, p->id);
+}
+}
+
+static void usbredir_fill_already_in_flight(USBRedirDevice *dev)
+{
+int ep;
+struct USBDevice *udev = &dev->dev;
+
+usbredir_fill_already_in_flight_from_ep(dev, &udev->ep_ctl);
+
+for (ep = 0; ep < USB_MAX_ENDPOINTS; ep++) {
+usbredir_fill_already_in_flight_from_ep(dev, &udev->ep_in[ep]);
+usbredir_fill_already_in_flight_from_ep(dev, &udev->ep_out[ep]);
+}
+}
+
+static int usbredir_already_in_flight(USBRedirDevice *dev, uint64_t id)
+{
+return packet_id_queue_remove(&dev->already_in_flight, id);
+}
+
 static USBPacket *usbredir_find_packet_by_id(USBRedirDevice *dev,
 uint8_t ep, uint64_t id)
 {
@@ -531,6 +560,10 @@ static int usbredir_handle_bulk_data(USBRedirDevice *dev, 
USBPacket *p,
 
 DPRINTF("bulk-out ep %02X len %zd id %"PRIu64"\n", ep, p->iov.size, p->id);
 
+if (usbredir_already_in_flight(dev, p->id)) {
+return USB_RET_ASYNC;
+}
+
 bulk_packet.endpoint  = ep;
 bulk_packet.length= p->iov.size;
 bulk_packet.stream_id = 0;
@@ -611,6 +644,10 @@ static int usbredir_handle_interrupt_data(USBRedirDevice 
*dev,
 DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
 p->iov.size, p->id);
 
+if (usbredir_already_in_flight(dev, p->id)) {
+return USB_RET_ASYNC;
+}
+
 interrupt_packet.endpoint  = ep;
 interrupt_packet.length= p->iov.size;
 
@@ -753,6 +790,10 @@ static int usbredir_handle_control(USBDevice *udev, 
USBPacket *p,
 USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
 struct usb_redir_control_packet_header control_packet;
 
+if (usbredir_already_in_flight(dev, p->id)) {
+return USB_RET_ASYNC;
+}
+
 /* Special cases for certain standard device requests */
 switch (request) {
 case DeviceOutRequest | USB_REQ_SET_ADDRESS:
@@ -959,6 +1000,7 @@ static int usbredir_initfn(USBDevice *udev)
 dev->attach_timer = qemu_new_timer_ms(vm_clock, usbredir_do_attach, dev);
 
 packet_id_queue_init(&dev->cancelled, dev, "cancelled");
+packet_id_queue_init(&dev->already_in_flight, dev, "already-in-flight");
 for (i = 0; i < MAX_ENDPOINTS; i++) {
 QTAILQ_INIT(&dev->endpoint[i].bufpq);
 }
@@ -980,6 +1022,7 @@ static void usbredir_cleanup_device_queues(USBRedirDevice 
*dev)
 int i;
 
 packet_id_queue_empty(&dev->cancelled);
+packet_id_queue_empty(&dev->already_in_flight);
 for (i = 0; i < MAX_ENDPOINTS; i++) {
 usbredir_free_bufpq(dev, I2EP(i));
 }
-- 
1.7.1

[Qemu-devel] [PATCH v2 9/9] fbdev: add display scaling support

[Gerd Hoffmann]

Add support for scaling the guest display.
Ctrl-Alt-S hotkey toggles scaling.

Signed-off-by: Gerd Hoffmann 
---
 ui/fbdev.c |   61 ++-
 1 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/ui/fbdev.c b/ui/fbdev.c
index 5e700e8..e586f2d 100644
--- a/ui/fbdev.c
+++ b/ui/fbdev.c
@@ -81,6 +81,7 @@ static pixman_image_t *surface;
 static pixman_image_t *framebuffer;
 static pixman_transform_t transform;
 static pixman_region16_t  dirty;
+static double scale;
 
 static QEMUCursor *ptr_cursor;
 static pixman_image_t *ptr_image;
@@ -88,6 +89,10 @@ static intptr_refresh;
 static intpx, py, pw, ph;
 static intmx, my, mon;
 
+/* options */
+static intuse_scale = 1;
+static pixman_filter_tpfilter = PIXMAN_FILTER_GOOD;
+
 /* fwd decls */
 static int fbdev_activate_vt(int tty, int vtno, bool wait);
 
@@ -182,13 +187,14 @@ static void read_mouse(void *opaque)
 if (ay < 0) {
 ay = 0;
 }
-if (ax >= cw) {
-ax = cw-1;
+if (ax >= cw*scale) {
+ax = cw*scale-1;
 }
-if (ay >= ch) {
-ay = ch-1;
+if (ay >= ch*scale) {
+ay = ch*scale-1;
 }
-kbd_mouse_event(ax * 0x7FFF / cw, ay * 0x7FFF / ch, 0, b);
+kbd_mouse_event(ax * 0x7FFF / (cw*scale),
+ay * 0x7FFF / (ch*scale), 0, b);
 } else {
 kbd_mouse_event(x, y, 0, b);
 }
@@ -543,6 +549,12 @@ static void read_mediumraw(void *opaque)
 "(ctrl-alt-esc) ===\n");
 exit(1);
 }
+if (keycode == KEY_S) {
+use_scale = !use_scale;
+resize_screen++;
+redraw_screen++;
+continue;
+}
 if (keycode >= KEY_F1 && keycode <= KEY_F10) {
 fbdev_activate_vt(tty, keycode+1-KEY_F1, false);
 key_down[keycode] = false;
@@ -901,6 +913,11 @@ static void fbdev_render_ptr(DisplayState *ds)
 pixman_transform_translate(&transform, NULL,
pixman_int_to_fixed(-cx),
pixman_int_to_fixed(-cy));
+if (use_scale) {
+pixman_transform_scale(&transform, NULL,
+   pixman_double_to_fixed(1/scale),
+   pixman_double_to_fixed(1/scale));
+}
 pixman_transform_translate(&transform, NULL,
pixman_int_to_fixed(-px),
pixman_int_to_fixed(-py));
@@ -926,16 +943,32 @@ static void fbdev_update(DisplayState *ds, int x, int y, 
int w, int h)
 }
 
 if (resize_screen) {
+double xs, ys;
+
 trace_fbdev_dpy_resize(ds_get_width(ds), ds_get_height(ds));
 resize_screen = 0;
 cx = 0; cy = 0;
 cw = ds_get_width(ds);
 ch = ds_get_height(ds);
-if (ds_get_width(ds) < fb_var.xres) {
-cx = (fb_var.xres - ds_get_width(ds)) / 2;
-}
-if (ds_get_height(ds) < fb_var.yres) {
-cy = (fb_var.yres - ds_get_height(ds)) / 2;
+
+if (use_scale) {
+xs = (double)fb_var.xres / cw;
+ys = (double)fb_var.yres / ch;
+if (xs > ys) {
+scale = ys;
+cx = (fb_var.xres - ds_get_width(ds)*scale) / 2;
+} else {
+scale = xs;
+cy = (fb_var.yres - ds_get_height(ds)*scale) / 2;
+}
+} else {
+scale = 1;
+if (ds_get_width(ds) < fb_var.xres) {
+cx = (fb_var.xres - ds_get_width(ds)) / 2;
+}
+if (ds_get_height(ds) < fb_var.yres) {
+cy = (fb_var.yres - ds_get_height(ds)) / 2;
+}
 }
 if (surface) {
 pixman_image_unref(surface);
@@ -946,7 +979,14 @@ static void fbdev_update(DisplayState *ds, int x, int y, 
int w, int h)
 pixman_transform_translate(&transform, NULL,
pixman_int_to_fixed(-cx),
pixman_int_to_fixed(-cy));
+if (use_scale) {
+pixman_transform_scale(&transform, NULL,
+   pixman_double_to_fixed(1/scale),
+   pixman_double_to_fixed(1/scale));
+}
 pixman_image_set_transform(surface, &transform);
+
+pixman_image_set_filter(surface, pfilter, NULL, 0);
 }
 
 if (redraw_screen) {
@@ -1029,6 +1069,7 @@ static void fbdev_cursor_define(DisplayState *ds, 
QEMUCursor *cursor)
  cursor->width, cursor->height,
  

[Qemu-devel] [PATCH v2 8/9] fbdev: add mouse pointer support

[Gerd Hoffmann]

Add mouse_set and cursor_define DisplayChangeListener callbacks
and mouse pointer rendering support.

Signed-off-by: Gerd Hoffmann 
---
 ui/fbdev.c |   95 
 1 files changed, 95 insertions(+), 0 deletions(-)

diff --git a/ui/fbdev.c b/ui/fbdev.c
index 07fa693..5e700e8 100644
--- a/ui/fbdev.c
+++ b/ui/fbdev.c
@@ -82,6 +82,12 @@ static pixman_image_t *framebuffer;
 static pixman_transform_t transform;
 static pixman_region16_t  dirty;
 
+static QEMUCursor *ptr_cursor;
+static pixman_image_t *ptr_image;
+static intptr_refresh;
+static intpx, py, pw, ph;
+static intmx, my, mon;
+
 /* fwd decls */
 static int fbdev_activate_vt(int tty, int vtno, bool wait);
 
@@ -865,6 +871,51 @@ static void fbdev_render(DisplayState *ds)
 pixman_region_init(&dirty);
 }
 
+static void fbdev_unrender_ptr(DisplayState *ds)
+{
+if (!pw && !ph) {
+return;
+}
+pixman_region_union_rect(&dirty, &dirty, px, py, pw, ph);
+ph = pw = 0;
+}
+
+static void fbdev_render_ptr(DisplayState *ds)
+{
+pixman_region16_t region;
+pixman_transform_t transform;
+
+if (!mon || !ptr_image) {
+return;
+}
+if (mx < 0 || mx >= cw || my < 0 || my >= ch) {
+return;
+}
+
+px = mx - ptr_cursor->hot_x;
+py = my - ptr_cursor->hot_y;
+pw = ptr_cursor->width;
+ph = ptr_cursor->height;
+
+pixman_transform_init_identity(&transform);
+pixman_transform_translate(&transform, NULL,
+   pixman_int_to_fixed(-cx),
+   pixman_int_to_fixed(-cy));
+pixman_transform_translate(&transform, NULL,
+   pixman_int_to_fixed(-px),
+   pixman_int_to_fixed(-py));
+pixman_image_set_transform(ptr_image, &transform);
+
+pixman_region_init_rect(®ion, 0, 0, pw, ph);
+pixman_image_set_clip_region(ptr_image, ®ion);
+
+pixman_image_composite(PIXMAN_OP_OVER, ptr_image, NULL, framebuffer,
+   0, 0, 0, 0, 0, 0, fb_var.xres, fb_var.yres);
+
+pixman_region_fini(®ion);
+ptr_refresh = 0;
+}
+
 /*  */
 /* qemu interfaces  */
 
@@ -906,6 +957,9 @@ static void fbdev_update(DisplayState *ds, int x, int y, 
int w, int h)
 }
 
 pixman_region_union_rect(&dirty, &dirty, x, y, w, h);
+if (ptr_image && mon && pw && ph) {
+ptr_refresh++;
+}
 }
 
 static void fbdev_resize(DisplayState *ds)
@@ -933,9 +987,48 @@ static void fbdev_refresh(DisplayState *ds)
 fbdev_update(ds, 0, 0, 0, 0);
 }
 
+if (ptr_refresh) {
+fbdev_unrender_ptr(ds);
+}
 if (pixman_region_not_empty(&dirty)) {
 fbdev_render(ds);
 }
+if (ptr_refresh) {
+fbdev_render_ptr(ds);
+}
+}
+
+static void fbdev_mouse_set(DisplayState *ds, int x, int y, int on)
+{
+ptr_refresh++;
+mx = x;
+my = y;
+mon = on;
+}
+
+static void fbdev_cursor_define(DisplayState *ds, QEMUCursor *cursor)
+{
+ptr_refresh++;
+
+if (ptr_cursor) {
+cursor_put(ptr_cursor);
+ptr_cursor = NULL;
+}
+if (ptr_image) {
+pixman_image_unref(ptr_image);
+ptr_image = NULL;
+}
+
+if (!cursor) {
+return;
+}
+
+ptr_cursor = cursor;
+cursor_get(ptr_cursor);
+ptr_image = pixman_image_create_bits(PIXMAN_a8r8g8b8,
+ cursor->width, cursor->height,
+ cursor->data,
+ cursor->width * 4);
 }
 
 static void fbdev_exit_notifier(Notifier *notifier, void *data)
@@ -963,6 +1056,8 @@ int fbdev_display_init(DisplayState *ds, const char 
*device)
 dcl->dpy_update  = fbdev_update;
 dcl->dpy_resize  = fbdev_resize;
 dcl->dpy_refresh = fbdev_refresh;
+dcl->dpy_mouse_set = fbdev_mouse_set;
+dcl->dpy_cursor_define = fbdev_cursor_define;
 register_displaychangelistener(ds, dcl);
 
 trace_fbdev_enabled();
-- 
1.7.1

[Qemu-devel] [PATCH 04/10] spice: send updates only for changed screen content

[Gerd Hoffmann]

when creating screen updates go compare the current guest screen
against the mirror (which holds the most recent update sent), then
only create updates for the screen areas which did actually change.

[ v2: drop redundant qemu_spice_create_one_update call ]

Signed-off-by: Gerd Hoffmann 
---
 ui/spice-display.c |   56 +++-
 1 files changed, 55 insertions(+), 1 deletions(-)

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 973cd53..d062765 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -239,6 +239,13 @@ static void 
qemu_spice_create_one_update(SimpleSpiceDisplay *ssd,
 
 static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
 {
+static const int blksize = 32;
+int blocks = (ds_get_width(ssd->ds) + blksize - 1) / blksize;
+int dirty_top[blocks];
+int y, yoff, x, xoff, blk, bw;
+int bpp = ds_get_bytes_per_pixel(ssd->ds);
+uint8_t *guest, *mirror;
+
 if (qemu_spice_rect_is_empty(&ssd->dirty)) {
 return;
 };
@@ -253,7 +260,54 @@ static void qemu_spice_create_update(SimpleSpiceDisplay 
*ssd)
 ssd->ds_mirror = g_malloc0(size);
 }
 
-qemu_spice_create_one_update(ssd, &ssd->dirty);
+for (blk = 0; blk < blocks; blk++) {
+dirty_top[blk] = -1;
+}
+
+guest = ds_get_data(ssd->ds);
+mirror = ssd->ds_mirror;
+for (y = ssd->dirty.top; y < ssd->dirty.bottom; y++) {
+yoff = y * ds_get_linesize(ssd->ds);
+for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
+xoff = x * bpp;
+blk = x / blksize;
+bw = MIN(blksize, ssd->dirty.right - x);
+if (memcmp(guest + yoff + xoff,
+   mirror + yoff + xoff,
+   bw * bpp) == 0) {
+if (dirty_top[blk] != -1) {
+QXLRect update = {
+.top= dirty_top[blk],
+.bottom = y,
+.left   = x,
+.right  = x + bw,
+};
+qemu_spice_create_one_update(ssd, &update);
+dirty_top[blk] = -1;
+}
+} else {
+if (dirty_top[blk] == -1) {
+dirty_top[blk] = y;
+}
+}
+}
+}
+
+for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
+blk = x / blksize;
+bw = MIN(blksize, ssd->dirty.right - x);
+if (dirty_top[blk] != -1) {
+QXLRect update = {
+.top= dirty_top[blk],
+.bottom = ssd->dirty.bottom,
+.left   = x,
+.right  = x + bw,
+};
+qemu_spice_create_one_update(ssd, &update);
+dirty_top[blk] = -1;
+}
+}
+
 memset(&ssd->dirty, 0, sizeof(ssd->dirty));
 }
 
-- 
1.7.1

Re: [Qemu-devel] [PATCH V3 01/11] atomic: introduce atomic operations

[liu ping fan]

On Thu, Sep 13, 2012 at 4:19 PM, Paolo Bonzini  wrote:
> Il 13/09/2012 10:14, Avi Kivity ha scritto:
> >>> +static inline void atomic_set(Atomic *v, int i)
> >>> +{
> >>> +v->counter = i;
> >>> +}
> >>> +
> >>> +static inline int atomic_read(Atomic *v)
> >>> +{
> >>> +return v->counter;
> >>> +}
> >>>
 >>
 >> So these two operations don't get mangled by the optimizer.
 >>
>>> > Browsing linux code and reading lkml, find some similar material. But
>>> > they have moved volatile from ->counter to function - atomic_read().
>>> > As to atomic_read(), I think it need to prevent optimizer from
>>> > refetching issue, but as to atomic_set(), do we need ?
>> I think so, to prevent reordering.
>
> Agreed.  Alternatively, stick a barrier() before and after the
> assignment and read.
>
Yes, the linux just leave this barrier() as caller's choice at the
exact point, not right in atomic_set(). And embed barrier() in
atomic_set() can easy the caller's job.

Thanks and regards,
pingfan

> But I don't really see the point in wrapping atomically-accessed
> variables in a struct.  Are we going to add a variant for long, a
> variant for pointers, etc.?
>
> I already proposed my version of this at
> http://github.com/bonzini/qemu/commit/1b439343.
>
> Paolo

[Qemu-devel] [PATCH 06/10] qxl: Ignore set_client_capabilities pre/post migrate

[Gerd Hoffmann]

From: Hans de Goede 

The recent introduction of set_client_capabilities has broken
(seamless) migration by trying to call qxl_send_events pre (seamless
incoming) and post (*) migration, triggering the following assert:
qxl_send_events: Assertion `qemu_spice_display_is_running(&d->ssd)' failed.

The solution is easy, pre migration the guest will have already received
the client caps on the migration source side, and post migration there no
longer is a guest, so we can simply ignore the set_client_capabilities call
in both those scenarios.

*) Post migration, so not fatal for to the migration itself, but still a crash

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c |5 +
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 0176b1a..e539134 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -953,6 +953,11 @@ static void interface_set_client_capabilities(QXLInstance 
*sin,
 {
 PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
 
+if (runstate_check(RUN_STATE_INMIGRATE) ||
+runstate_check(RUN_STATE_POSTMIGRATE)) {
+return;
+}
+
 qxl->shadow_rom.client_present = client_present;
 memcpy(qxl->shadow_rom.client_capabilities, caps, sizeof(caps));
 qxl->rom->client_present = client_present;
-- 
1.7.1

Re: [Qemu-devel] Windows VM slow boot

[Mel Gorman]

On Wed, Sep 12, 2012 at 05:46:15PM +0100, Richard Davies wrote:
> Hi Mel - thanks for replying to my underhand bcc!
> 
> Mel Gorman wrote:
> > I see that this is an old-ish bug but I did not read the full history.
> > Is it now booting faster than 3.5.0 was? I'm asking because I'm
> > interested to see if commit c67fe375 helped your particular case.
> 
> Yes, I think 3.6.0-rc5 is already better than 3.5.x but can still be
> improved, as discussed.
> 

What are the boot times for each kernel?

> 
> 
> I have applied and tested again - perf results below.
> 
> isolate_migratepages_range is indeed much reduced.
> 
> There is now a lot of time in isolate_freepages_block and still quite a lot
> of lock contention, although in a different place.
> 

This on top please.

---8<---
From: Shaohua Li 
compaction: abort compaction loop if lock is contended or run too long

isolate_migratepages_range() might isolate none pages, for example, when
zone->lru_lock is contended and compaction is async. In this case, we should
abort compaction, otherwise, compact_zone will run a useless loop and make
zone->lru_lock is even contended.

V2:
only abort the compaction if lock is contended or run too long
Rearranged the code by Andrea Arcangeli.

[minc...@kernel.org: Putback pages isolated for migration if aborting]
[a...@linux-foundation.org: Fixup one contended usage site]
Signed-off-by: Andrea Arcangeli 
Signed-off-by: Shaohua Li 
Signed-off-by: Mel Gorman 
---
 mm/compaction.c |   17 -
 mm/internal.h   |2 +-
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/mm/compaction.c b/mm/compaction.c
index 7fcd3a5..a8de20d 100644
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -70,8 +70,7 @@ static bool compact_checklock_irqsave(spinlock_t *lock, 
unsigned long *flags,
 
/* async aborts if taking too long or contended */
if (!cc->sync) {
-   if (cc->contended)
-   *cc->contended = true;
+   cc->contended = true;
return false;
}
 
@@ -634,7 +633,7 @@ static isolate_migrate_t isolate_migratepages(struct zone 
*zone,
 
/* Perform the isolation */
low_pfn = isolate_migratepages_range(zone, cc, low_pfn, end_pfn);
-   if (!low_pfn)
+   if (!low_pfn || cc->contended)
return ISOLATE_ABORT;
 
cc->migrate_pfn = low_pfn;
@@ -787,6 +786,8 @@ static int compact_zone(struct zone *zone, struct 
compact_control *cc)
switch (isolate_migratepages(zone, cc)) {
case ISOLATE_ABORT:
ret = COMPACT_PARTIAL;
+   putback_lru_pages(&cc->migratepages);
+   cc->nr_migratepages = 0;
goto out;
case ISOLATE_NONE:
continue;
@@ -831,6 +832,7 @@ static unsigned long compact_zone_order(struct zone *zone,
 int order, gfp_t gfp_mask,
 bool sync, bool *contended)
 {
+   unsigned long ret;
struct compact_control cc = {
.nr_freepages = 0,
.nr_migratepages = 0,
@@ -838,12 +840,17 @@ static unsigned long compact_zone_order(struct zone *zone,
.migratetype = allocflags_to_migratetype(gfp_mask),
.zone = zone,
.sync = sync,
-   .contended = contended,
};
INIT_LIST_HEAD(&cc.freepages);
INIT_LIST_HEAD(&cc.migratepages);
 
-   return compact_zone(zone, &cc);
+   ret = compact_zone(zone, &cc);
+
+   VM_BUG_ON(!list_empty(&cc.freepages));
+   VM_BUG_ON(!list_empty(&cc.migratepages));
+
+   *contended = cc.contended;
+   return ret;
 }
 
 int sysctl_extfrag_threshold = 500;
diff --git a/mm/internal.h b/mm/internal.h
index b8c91b3..4bd7c0e 100644
--- a/mm/internal.h
+++ b/mm/internal.h
@@ -130,7 +130,7 @@ struct compact_control {
int order;  /* order a direct compactor needs */
int migratetype;/* MOVABLE, RECLAIMABLE etc */
struct zone *zone;
-   bool *contended;/* True if a lock was contended */
+   bool contended; /* True if a lock was contended */
 };
 
 unsigned long

[Qemu-devel] [PATCH v2 0/9] linux framebuffer display driver

[Gerd Hoffmann]

  Hi,

Second round of the framebuffer display driver patches.

Changes:  Addressed the review comments.  Added a few more patches on
top:  Using the pixman library for raster ops now.  Added support for
mouse pointer rendering and guest display scaling.

cheers,
  Gerd

Gerd Hoffmann (9):
  QLIST-ify display change listeners.
  add unregister_displaychangelistener
  move set_mouse + cursor_define callbacks
  fbdev: add linux framebuffer display driver.
  fbdev: add monitor command to enable/disable
  fbdev: make configurable at compile time.
  fbdev: move to pixman
  fbdev: add mouse pointer support
  fbdev: add display scaling support

 configure   |   24 ++
 console.c   |2 +-
 console.h   |  123 --
 hmp-commands.hx |   15 +
 hmp.c   |9 +
 hmp.h   |1 +
 hw/jazz_led.c   |2 +-
 hw/qxl-render.c |2 +-
 hw/vga.c|   10 +-
 hw/vmware_vga.c |   11 +-
 hw/xenfb.c  |2 +-
 qapi-schema.json|   14 +
 qemu-options.hx |8 +
 qmp-commands.hx |6 +
 qmp.c   |   17 +
 sysemu.h|1 +
 trace-events|   15 +
 ui/Makefile.objs|1 +
 ui/fbdev.c  | 1121 +++
 ui/linux-keynames.h |  388 ++
 ui/sdl.c|8 +-
 ui/spice-display.c  |4 +-
 ui/vnc.c|8 +-
 vl.c|   50 ++-
 24 files changed, 1768 insertions(+), 74 deletions(-)
 create mode 100644 ui/fbdev.c
 create mode 100644 ui/linux-keynames.h

[Qemu-devel] [PATCH 10/14] usb-redir: Store max_packet_size in endp_data

[Gerd Hoffmann]

From: Hans de Goede 

So that we've a place to migrate it to / from to allow restoring it after
migration.

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index f474da8..3196665 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -57,6 +57,7 @@ struct endp_data {
 uint8_t type;
 uint8_t interval;
 uint8_t interface; /* bInterfaceNumber this ep belongs to */
+uint16_t max_packet_size; /* In bytes, not wMaxPacketSize format !! */
 uint8_t iso_started;
 uint8_t iso_error; /* For reporting iso errors to the HC */
 uint8_t interrupt_started;
@@ -1278,7 +1279,8 @@ static void usbredir_ep_info(void *priv,
 usb_ep->ifnum = dev->endpoint[i].interface;
 if (usbredirparser_peer_has_cap(dev->parser,
  usb_redir_cap_ep_info_max_packet_size)) {
-usb_ep->max_packet_size = ep_info->max_packet_size[i];
+dev->endpoint[i].max_packet_size =
+usb_ep->max_packet_size = ep_info->max_packet_size[i];
 }
 if (ep_info->type[i] == usb_redir_type_bulk) {
 usb_ep->pipeline = true;
-- 
1.7.1

[Qemu-devel] [PATCH 01/10] spice: switch to queue for vga mode updates

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c   |6 +++---
 ui/spice-display.c |   25 ++---
 ui/spice-display.h |3 ++-
 3 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 5b3f484..257a37d 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -597,9 +597,9 @@ static int interface_get_command(QXLInstance *sin, struct 
QXLCommandExt *ext)
 case QXL_MODE_VGA:
 ret = false;
 qemu_mutex_lock(&qxl->ssd.lock);
-if (qxl->ssd.update != NULL) {
-update = qxl->ssd.update;
-qxl->ssd.update = NULL;
+update = QTAILQ_FIRST(&qxl->ssd.updates);
+if (update != NULL) {
+QTAILQ_REMOVE(&qxl->ssd.updates, update, next);
 *ext = update->ext;
 ret = true;
 }
diff --git a/ui/spice-display.c b/ui/spice-display.c
index 99bc665..59c5fd7 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -164,7 +164,7 @@ int qemu_spice_display_is_running(SimpleSpiceDisplay *ssd)
 #endif
 }
 
-static SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *ssd)
+static void qemu_spice_create_update(SimpleSpiceDisplay *ssd)
 {
 SimpleSpiceUpdate *update;
 QXLDrawable *drawable;
@@ -175,7 +175,7 @@ static SimpleSpiceUpdate 
*qemu_spice_create_update(SimpleSpiceDisplay *ssd)
 struct timespec time_space;
 
 if (qemu_spice_rect_is_empty(&ssd->dirty)) {
-return NULL;
+return;
 };
 
 trace_qemu_spice_create_update(
@@ -239,7 +239,7 @@ static SimpleSpiceUpdate 
*qemu_spice_create_update(SimpleSpiceDisplay *ssd)
 cmd->data = (uintptr_t)drawable;
 
 memset(&ssd->dirty, 0, sizeof(ssd->dirty));
-return update;
+QTAILQ_INSERT_TAIL(&ssd->updates, update, next);
 }
 
 /*
@@ -315,6 +315,7 @@ void qemu_spice_display_init_common(SimpleSpiceDisplay 
*ssd, DisplayState *ds)
 {
 ssd->ds = ds;
 qemu_mutex_init(&ssd->lock);
+QTAILQ_INIT(&ssd->updates);
 ssd->mouse_x = -1;
 ssd->mouse_y = -1;
 if (ssd->num_surfaces == 0) {
@@ -345,6 +346,8 @@ void qemu_spice_display_update(SimpleSpiceDisplay *ssd,
 
 void qemu_spice_display_resize(SimpleSpiceDisplay *ssd)
 {
+SimpleSpiceUpdate *update;
+
 dprint(1, "%s:\n", __FUNCTION__);
 
 memset(&ssd->dirty, 0, sizeof(ssd->dirty));
@@ -352,9 +355,9 @@ void qemu_spice_display_resize(SimpleSpiceDisplay *ssd)
 ssd->conv = NULL;
 
 qemu_mutex_lock(&ssd->lock);
-if (ssd->update != NULL) {
-qemu_spice_destroy_update(ssd, ssd->update);
-ssd->update = NULL;
+while ((update = QTAILQ_FIRST(&ssd->updates)) != NULL) {
+QTAILQ_REMOVE(&ssd->updates, update, next);
+qemu_spice_destroy_update(ssd, update);
 }
 qemu_mutex_unlock(&ssd->lock);
 qemu_spice_destroy_host_primary(ssd);
@@ -384,8 +387,8 @@ void qemu_spice_display_refresh(SimpleSpiceDisplay *ssd)
 vga_hw_update();
 
 qemu_mutex_lock(&ssd->lock);
-if (ssd->update == NULL) {
-ssd->update = qemu_spice_create_update(ssd);
+if (QTAILQ_EMPTY(&ssd->updates)) {
+qemu_spice_create_update(ssd);
 ssd->notify++;
 }
 qemu_spice_cursor_refresh_unlocked(ssd);
@@ -442,9 +445,9 @@ static int interface_get_command(QXLInstance *sin, struct 
QXLCommandExt *ext)
 dprint(3, "%s:\n", __FUNCTION__);
 
 qemu_mutex_lock(&ssd->lock);
-if (ssd->update != NULL) {
-update = ssd->update;
-ssd->update = NULL;
+update = QTAILQ_FIRST(&ssd->updates);
+if (update != NULL) {
+QTAILQ_REMOVE(&ssd->updates, update, next);
 *ext = update->ext;
 ret = true;
 }
diff --git a/ui/spice-display.h b/ui/spice-display.h
index 512ab78..3fcb6fe 100644
--- a/ui/spice-display.h
+++ b/ui/spice-display.h
@@ -92,7 +92,7 @@ struct SimpleSpiceDisplay {
  * to them must be protected by the lock.
  */
 QemuMutex lock;
-SimpleSpiceUpdate *update;
+QTAILQ_HEAD(, SimpleSpiceUpdate) updates;
 QEMUCursor *cursor;
 int mouse_x, mouse_y;
 };
@@ -102,6 +102,7 @@ struct SimpleSpiceUpdate {
 QXLImage image;
 QXLCommandExt ext;
 uint8_t *bitmap;
+QTAILQ_ENTRY(SimpleSpiceUpdate) next;
 };
 
 int qemu_spice_rect_is_empty(const QXLRect* r);
-- 
1.7.1

[Qemu-devel] [PATCH 08/14] usb-redir: Change cancelled packet code into a generic packet-id queue

[Gerd Hoffmann]

From: Hans de Goede 

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |  102 +
 1 files changed, 71 insertions(+), 31 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 5301a69..603262a 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -43,7 +43,6 @@
 #define EP2I(ep_address) (((ep_address & 0x80) >> 3) | (ep_address & 0x0f))
 #define I2EP(i) (((i & 0x10) << 3) | (i & 0x0f))
 
-typedef struct Cancelled Cancelled;
 typedef struct USBRedirDevice USBRedirDevice;
 
 /* Struct to hold buffered packets (iso or int input packets) */
@@ -69,6 +68,18 @@ struct endp_data {
 int bufpq_target_size;
 };
 
+struct PacketIdQueueEntry {
+uint64_t id;
+QTAILQ_ENTRY(PacketIdQueueEntry)next;
+};
+
+struct PacketIdQueue {
+USBRedirDevice *dev;
+const char *name;
+QTAILQ_HEAD(, PacketIdQueueEntry) head;
+int size;
+};
+
 struct USBRedirDevice {
 USBDevice dev;
 /* Properties */
@@ -86,7 +97,7 @@ struct USBRedirDevice {
 int64_t next_attach_time;
 struct usbredirparser *parser;
 struct endp_data endpoint[MAX_ENDPOINTS];
-QTAILQ_HEAD(, Cancelled) cancelled;
+struct PacketIdQueue cancelled;
 /* Data for device filtering */
 struct usb_redir_device_connect_header device_info;
 struct usb_redir_interface_info_header interface_info;
@@ -94,11 +105,6 @@ struct USBRedirDevice {
 int filter_rules_count;
 };
 
-struct Cancelled {
-uint64_t id;
-QTAILQ_ENTRY(Cancelled)next;
-};
-
 static void usbredir_hello(void *priv, struct usb_redir_hello_header *h);
 static void usbredir_device_connect(void *priv,
 struct usb_redir_device_connect_header *device_connect);
@@ -239,37 +245,75 @@ static int usbredir_write(void *priv, uint8_t *data, int 
count)
  * Cancelled and buffered packets helpers
  */
 
-static void usbredir_cancel_packet(USBDevice *udev, USBPacket *p)
+static void packet_id_queue_init(struct PacketIdQueue *q,
+USBRedirDevice *dev, const char *name)
 {
-USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
-Cancelled *c;
+q->dev = dev;
+q->name = name;
+QTAILQ_INIT(&q->head);
+q->size = 0;
+}
+
+static void packet_id_queue_add(struct PacketIdQueue *q, uint64_t id)
+{
+USBRedirDevice *dev = q->dev;
+struct PacketIdQueueEntry *e;
+
+DPRINTF("adding packet id %"PRIu64" to %s queue\n", id, q->name);
+
+e = g_malloc0(sizeof(struct PacketIdQueueEntry));
+e->id = id;
+QTAILQ_INSERT_TAIL(&q->head, e, next);
+q->size++;
+}
+
+static int packet_id_queue_remove(struct PacketIdQueue *q, uint64_t id)
+{
+USBRedirDevice *dev = q->dev;
+struct PacketIdQueueEntry *e;
+
+QTAILQ_FOREACH(e, &q->head, next) {
+if (e->id == id) {
+DPRINTF("removing packet id %"PRIu64" from %s queue\n",
+id, q->name);
+QTAILQ_REMOVE(&q->head, e, next);
+q->size--;
+g_free(e);
+return 1;
+}
+}
+return 0;
+}
+
+static void packet_id_queue_empty(struct PacketIdQueue *q)
+{
+USBRedirDevice *dev = q->dev;
+struct PacketIdQueueEntry *e, *next_e;
 
-DPRINTF("cancel packet id %"PRIu64"\n", p->id);
+DPRINTF("removing %d packet-ids from %s queue\n", q->size, q->name);
 
-c = g_malloc0(sizeof(Cancelled));
-c->id = p->id;
-QTAILQ_INSERT_TAIL(&dev->cancelled, c, next);
+QTAILQ_FOREACH_SAFE(e, &q->head, next, next_e) {
+QTAILQ_REMOVE(&q->head, e, next);
+g_free(e);
+}
+q->size = 0;
+}
 
+static void usbredir_cancel_packet(USBDevice *udev, USBPacket *p)
+{
+USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
+
+packet_id_queue_add(&dev->cancelled, p->id);
 usbredirparser_send_cancel_data_packet(dev->parser, p->id);
 usbredirparser_do_write(dev->parser);
 }
 
 static int usbredir_is_cancelled(USBRedirDevice *dev, uint64_t id)
 {
-Cancelled *c;
-
 if (!dev->dev.attached) {
 return 1; /* Treat everything as cancelled after a disconnect */
 }
-
-QTAILQ_FOREACH(c, &dev->cancelled, next) {
-if (c->id == id) {
-QTAILQ_REMOVE(&dev->cancelled, c, next);
-g_free(c);
-return 1;
-}
-}
-return 0;
+return packet_id_queue_remove(&dev->cancelled, id);
 }
 
 static USBPacket *usbredir_find_packet_by_id(USBRedirDevice *dev,
@@ -914,7 +958,7 @@ static int usbredir_initfn(USBDevice *udev)
 dev->chardev_close_bh = qemu_bh_new(usbredir_chardev_close_bh, dev);
 dev->attach_timer = qemu_new_timer_ms(vm_clock, usbredir_do_attach, dev);
 
-QTAILQ_INIT(&dev->cancelled);
+packet_id_queue_init(&dev->cancelled, dev, "cancelled");
 for (i = 0; i < MAX_ENDPOINTS; i++) {
 QTAILQ_INIT(&dev->endpoint[i].bufpq);
 }
@@ -933,13 +977,9 @@ static int usbredir_initfn(USBDevice *udev)
 
 static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
 {
-C

[Qemu-devel] [PATCH v2 4/9] fbdev: add linux framebuffer display driver.

[Gerd Hoffmann]

Display works, requires truecolor framebuffer with 16 or 32 bpp on the
host.  32bpp is recommended.  The framebuffer is used as-is, qemu
doesn't try to switch modes.  With LCD displays mode switching is pretty
pointless IMHO, also it wouldn't work anyway with the most common
fbdev drivers (vesafb, KMS).  Guest display is centered on the host
screen.

Mouse works, uses /dev/input/mice.

Keyboard works.  Guest screen has whatever keymap you load inside
the guest.  Text windows (monitor, serial, ...) have a simple en-us
keymap.  Good enougth to type monitor commands.  Not goot enougth to
work seriously on a serial terminal.  But the qemu terminal emulation
isn't good enough for that anyway ;)

Hot keys:
  Ctrl-Alt-F  -> host console switching.
  Ctrl-Alt-   -> qemu console switching.
  Ctrl-Alt-ESC-> exit qemu.

Special feature:  Sane console switching.  Switching away stops screen
updates.  Switching back redraws the screen.  When started from the
linux console qemu uses the vt you've started it from (requires just
read/write access to /dev/fb0).  When starting from somewhere else qemu
tries to open a unused virtual terminal and switch to it (usually
requires root privileges to open /dev/tty).

Signed-off-by: Gerd Hoffmann 
---
 console.h   |4 +
 qemu-options.hx |8 +
 sysemu.h|1 +
 trace-events|   15 +
 ui/Makefile.objs|1 +
 ui/fbdev.c  |  953 +++
 ui/linux-keynames.h |  388 +
 vl.c|   12 +
 8 files changed, 1382 insertions(+), 0 deletions(-)
 create mode 100644 ui/fbdev.c
 create mode 100644 ui/linux-keynames.h

diff --git a/console.h b/console.h
index bef2d2d..0a3bae2 100644
--- a/console.h
+++ b/console.h
@@ -417,6 +417,10 @@ void qemu_console_copy(DisplayState *ds, int src_x, int 
src_y,
 /* sdl.c */
 void sdl_display_init(DisplayState *ds, int full_screen, int no_frame);
 
+/* fbdev.c */
+int fbdev_display_init(DisplayState *ds, const char *device);
+void fbdev_display_uninit(DisplayState *ds);
+
 /* cocoa.m */
 void cocoa_display_init(DisplayState *ds, int full_screen);
 
diff --git a/qemu-options.hx b/qemu-options.hx
index 804a2d1..3402934 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -942,6 +942,14 @@ Enable/disable spice seamless migration. Default is off.
 @end table
 ETEXI
 
+DEF("fbdev", 0, QEMU_OPTION_fbdev,
+"-fbdev  enable fbdev\n", QEMU_ARCH_ALL)
+STEXI
+@item -fbdev
+@findex -fbdev
+Enable fbdev (linux framebuffer).
+ETEXI
+
 DEF("portrait", 0, QEMU_OPTION_portrait,
 "-portrait   rotate graphical output 90 deg left (only PXA LCD)\n",
 QEMU_ARCH_ALL)
diff --git a/sysemu.h b/sysemu.h
index 65552ac..34e6bfa 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -93,6 +93,7 @@ typedef enum DisplayType
 DT_DEFAULT,
 DT_CURSES,
 DT_SDL,
+DT_FBDEV,
 DT_NOGRAPHIC,
 DT_NONE,
 } DisplayType;
diff --git a/trace-events b/trace-events
index b25ae1c..1a4f325 100644
--- a/trace-events
+++ b/trace-events
@@ -987,3 +987,18 @@ spapr_pci_rtas_ibm_change_msi(unsigned func, unsigned req) 
"func %u, requested %
 spapr_pci_rtas_ibm_query_interrupt_source_number(unsigned ioa, unsigned intr) 
"queries for #%u, IRQ%u"
 spapr_pci_msi_write(uint64_t addr, uint64_t data, uint32_t dt_irq) 
"@%"PRIx64"<=%"PRIx64" IRQ %u"
 spapr_pci_lsi_set(const char *busname, int pin, uint32_t irq) "%s PIN%d IRQ %u"
+
+# ui/fbdev.c
+fbdev_enabled(void) ""
+fbdev_cleanup(void) ""
+fbdev_vt_activate(int vtno, int wait) "vtno %d, wait %d"
+fbdev_vt_activated(void) ""
+fbdev_vt_release_request(void) ""
+fbdev_vt_released(void) ""
+fbdev_vt_aquire_request(void) ""
+fbdev_vt_aquired(void) ""
+fbdev_kbd_raw(int enable) "enable %d"
+fbdev_kbd_event(int keycode, const char *kname, int up) "keycode 0x%x [%s], 
down %d"
+fbdev_dpy_resize(int w, int h) "%dx%d"
+fbdev_dpy_redraw(void)
+
diff --git a/ui/Makefile.objs b/ui/Makefile.objs
index adc07be..55ddcf2 100644
--- a/ui/Makefile.objs
+++ b/ui/Makefile.objs
@@ -12,3 +12,4 @@ common-obj-$(CONFIG_SDL) += sdl.o sdl_zoom.o x_keymap.o
 common-obj-$(CONFIG_COCOA) += cocoa.o
 common-obj-$(CONFIG_CURSES) += curses.o
 common-obj-$(CONFIG_VNC) += $(vnc-obj-y)
+common-obj-$(CONFIG_LINUX) += fbdev.o
diff --git a/ui/fbdev.c b/ui/fbdev.c
new file mode 100644
index 000..c552810
--- /dev/null
+++ b/ui/fbdev.c
@@ -0,0 +1,953 @@
+/*
+ * linux fbdev output driver.
+ *
+ * Author: Gerd Hoffmann 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include "qemu-common.h"
+#include "console.h"
+#include "keymaps.h"
+#include "sysemu.h"
+#include "pflib.h"
+
+/*
+ * must be last so we get the linux input layer
+ * KEY_* defines, not the ncurses ones.
+ */
+#include 
+
+/* -

Re: [Qemu-devel] [PATCH V3 08/11] qom: introduce reclaimer to release obj in async

[liu ping fan]

On Thu, Sep 13, 2012 at 4:45 PM, Avi Kivity  wrote:
> On 09/13/2012 09:54 AM, liu ping fan wrote:
>> On Tue, Sep 11, 2012 at 5:37 PM, Avi Kivity  wrote:
>>> On 09/11/2012 12:32 PM, liu ping fan wrote:
 On Tue, Sep 11, 2012 at 4:32 PM, Avi Kivity  wrote:
> On 09/11/2012 10:51 AM, Liu Ping Fan wrote:
>> From: Liu Ping Fan 
>>
>> DeviceState will be protected by refcnt from disappearing during
>> dispatching. But when refcnt comes down to zero, DeviceState may
>> be still in use by iohandler, timer etc in main loop, we just delay
>> its free untill no reader.
>>
>
> How can this be?  We elevate the refcount while dispatching I/O.  If we
> have similar problems with the timer, we need to employ a similar 
> solution.
>
 Yes, at the next step, plan to covert iohandler, timer etc to use
 refcount as memory. Here just a temp solution.
>>>
>>> I prefer not to ever introduce it.
>>>
>>> What we can do is introduce a sub-region for e1000's mmio that will take
>>> only the device lock, and let original region use the old dispatch path
>>> (and also take the device lock).  As we thread the various subsystems
>>> e1000 uses, we can expand the sub-region until it covers all of e1000's
>>> functions, then fold it back into the main region.
>>>
>> Introducing new sub-region for e1000  seems no help to resolve this
>> issue. It can not tell whether main-loop still use it or not.
>
> What is "it" here? (actually two of them).
>
Should expressed as "The sub-region's dispatcher can not tell whether
main-loop still use e1000 or not"

>> I think the key point is that original code SYNC eliminate all the
>> readers of DeviceState at acpi_piix_eject_slot() by
>> dev->unit()/exit(), so each subsystem will no access it in future.
>> But now, we can delete the DeviceState async.
>
> But deleting happens when we are guaranteed to have no I/O dispatch.
>
>> Currently, we can just use e1000->unmap() to detach itself from each
>> subsystem(Not implemented in this series patches for timer,...) to
>> achieve the goal, because their readers are still under the protection
>> of big lock, but when they are out of big lock, we need extra effort
>> like memory system.
>
> I see what you mean.  So you defer the deletion to a context where the
> big lock is held.
>
> But this solves nothing.  The device model accesses the network stack
> and timer subsystem without the big lock held.  So you either need to
> thread those two subsystems, or take the big lock in the I/O handlers.

Yes, at present, I tend to  use big lock to protect around the call to
subsystem in the e1000's I/O handlers. And verify the current changes,
then thread other subsystems as the next step.

> If you do that, you can also take the big lock in the destructor.  If we

We do not call qemu_del_timer() etc at the destructor, instead, we
will call it in qdev_unplug_complete() -->e1000::unmap(). And
e1000::unmap() is the only function definitely called under bql. When
coming to destructor, the DeviceState has been completely isolated
from all of the subsystem. So no need to require big lock in
destructor.

> make the big lock a recursive lock, then the destructor can be invoked
> in any context.
>
> To summarize, I propose:
> - drop the reclaimer
Agree
> - make the bql recursive
> - take the bql in the e1000 destructor
Change to e1000::unmap()
> - take the bql in the e1000 I/O handlers when it accesses the timer or
> network subsystems
Agree
> (rest for a bit)
> - thread the timer subsystem
> - drop bql from around timer accesses
> - thread the network subsystem
> - drop bql from e1000 I/O handlers and destructor
Agree
>

Thanks and regards,
pingfan

> does this work?
>
> --
> error compiling committee.c: too many arguments to function

[Qemu-devel] [PATCH 07/10] qxl: better cleanup for surface destroy

[Gerd Hoffmann]

From: Uri Lublin 

Add back a call to qxl_spice_destroy_surface_wait_complete() in 
qxl_spice_destroy_surface_wait(),
that was removed by commit c480bb7da465186b84d8427e068ef7502e47ffbf

It is needed to complete surface-removal cleanup, for non async.
For async, qxl_spice_destroy_surface_wait_complete is called upon operation 
completion.

Signed-off-by: Uri Lublin 
Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index e539134..12597e7 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -201,6 +201,7 @@ static void qxl_spice_destroy_surface_wait(PCIQXLDevice 
*qxl, uint32_t id,
 spice_qxl_destroy_surface_async(&qxl->ssd.qxl, id, (uintptr_t)cookie);
 } else {
 qxl->ssd.worker->destroy_surface_wait(qxl->ssd.worker, id);
+qxl_spice_destroy_surface_wait_complete(qxl, id);
 }
 }
 
-- 
1.7.1

[Qemu-devel] [PATCH 08/10] hw/qxl: tracing fixes

[Gerd Hoffmann]

From: Alon Levy 

Add two new trace events:
qxl_send_events(int qid, uint32_t events) "%d %d"
qxl_set_guest_bug(int qid) "%d"

Change qxl_io_unexpected_vga_mode parameters to be equivalent to those
of qxl_io_write for easier grouping under a single systemtap probe.

Change d to qxl in one place.

Signed-off-by: Alon Levy 
Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c |8 +---
 trace-events |6 --
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 12597e7..8c46766 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -141,6 +141,7 @@ static void qxl_ring_set_dirty(PCIQXLDevice *qxl);
 
 void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
 {
+trace_qxl_set_guest_bug(qxl->id);
 qxl_send_events(qxl, QXL_INTERRUPT_ERROR);
 qxl->guest_bug = 1;
 if (qxl->guestdebug) {
@@ -1408,7 +1409,7 @@ static void ioport_write(void *opaque, target_phys_addr_t 
addr,
 break;
 }
 trace_qxl_io_unexpected_vga_mode(d->id,
-io_port, io_port_to_string(io_port));
+addr, val, io_port_to_string(io_port));
 /* be nice to buggy guest drivers */
 if (io_port >= QXL_IO_UPDATE_AREA_ASYNC &&
 io_port < QXL_IO_RANGE_SIZE) {
@@ -1607,9 +1608,9 @@ cancel_async:
 static uint64_t ioport_read(void *opaque, target_phys_addr_t addr,
 unsigned size)
 {
-PCIQXLDevice *d = opaque;
+PCIQXLDevice *qxl = opaque;
 
-trace_qxl_io_read_unexpected(d->id);
+trace_qxl_io_read_unexpected(qxl->id);
 return 0xff;
 }
 
@@ -1639,6 +1640,7 @@ static void qxl_send_events(PCIQXLDevice *d, uint32_t 
events)
 uint32_t old_pending;
 uint32_t le_events = cpu_to_le32(events);
 
+trace_qxl_send_events(d->id, events);
 assert(qemu_spice_display_is_running(&d->ssd));
 old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
 if ((old_pending & le_events) == le_events) {
diff --git a/trace-events b/trace-events
index b25ae1c..6169c29 100644
--- a/trace-events
+++ b/trace-events
@@ -933,7 +933,7 @@ qxl_interface_update_area_complete_overflow(int qid, int 
max) "%d max=%d"
 qxl_interface_update_area_complete_schedule_bh(int qid, uint32_t num_dirty) 
"%d #dirty=%d"
 qxl_io_destroy_primary_ignored(int qid, const char *mode) "%d %s"
 qxl_io_read_unexpected(int qid) "%d"
-qxl_io_unexpected_vga_mode(int qid, uint32_t io_port, const char *desc) "%d 
0x%x (%s)"
+qxl_io_unexpected_vga_mode(int qid, uint64_t addr, uint64_t val, const char 
*desc) "%d 0x%"PRIx64"=%"PRIu64" (%s)"
 qxl_io_write(int qid, const char *mode, uint64_t addr, uint64_t val, unsigned 
size, int async) "%d %s addr=%"PRIu64 " val=%"PRIu64" size=%u async=%d"
 qxl_memslot_add_guest(int qid, uint32_t slot_id, uint64_t guest_start, 
uint64_t guest_end) "%d %u: guest phys 0x%"PRIx64 " - 0x%" PRIx64
 qxl_post_load(int qid, const char *mode) "%d %s"
@@ -964,7 +964,7 @@ qxl_spice_destroy_surfaces(int qid, int async) "%d async=%d"
 qxl_spice_destroy_surface_wait_complete(int qid, uint32_t id) "%d sid=%d"
 qxl_spice_destroy_surface_wait(int qid, uint32_t id, int async) "%d sid=%d 
async=%d"
 qxl_spice_flush_surfaces_async(int qid, uint32_t surface_count, uint32_t 
num_free_res) "%d s#=%d, res#=%d"
-qxl_spice_monitors_config(int id) "%d"
+qxl_spice_monitors_config(int qid) "%d"
 qxl_spice_loadvm_commands(int qid, void *ext, uint32_t count) "%d ext=%p 
count=%d"
 qxl_spice_oom(int qid) "%d"
 qxl_spice_reset_cursor(int qid) "%d"
@@ -973,6 +973,8 @@ qxl_spice_reset_memslots(int qid) "%d"
 qxl_spice_update_area(int qid, uint32_t surface_id, uint32_t left, uint32_t 
right, uint32_t top, uint32_t bottom) "%d sid=%d [%d,%d,%d,%d]"
 qxl_spice_update_area_rest(int qid, uint32_t num_dirty_rects, uint32_t 
clear_dirty_region) "%d #d=%d clear=%d"
 qxl_surfaces_dirty(int qid, int surface, int offset, int size) "%d surface=%d 
offset=%d size=%d"
+qxl_send_events(int qid, uint32_t events) "%d %d"
+qxl_set_guest_bug(int qid) "%d"
 
 # hw/qxl-render.c
 qxl_render_blit_guest_primary_initialized(void) ""
-- 
1.7.1

[Qemu-devel] [PATCH v2 6/9] fbdev: make configurable at compile time.

[Gerd Hoffmann]

Add CONFIG_FBDEV, add --enable-fbdev and --disable-fbdev
configure switches so fbdev can be enabled/disabled at
compile time.

Signed-off-by: Gerd Hoffmann 
---
 configure|   12 
 qmp.c|2 +-
 ui/Makefile.objs |2 +-
 vl.c |4 ++--
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 7656c32..0e095dc 100755
--- a/configure
+++ b/configure
@@ -149,6 +149,7 @@ docs=""
 fdt=""
 nptl=""
 sdl=""
+fbdev="no"
 virtfs=""
 vnc="yes"
 sparse="no"
@@ -528,6 +529,7 @@ Haiku)
   usb="linux"
   kvm="yes"
   vhost_net="yes"
+  fbdev="yes"
   if [ "$cpu" = "i386" -o "$cpu" = "x86_64" ] ; then
 audio_possible_drivers="$audio_possible_drivers fmod"
   fi
@@ -659,6 +661,10 @@ for opt do
   ;;
   --enable-sdl) sdl="yes"
   ;;
+  --disable-fbdev) fbdev="no"
+  ;;
+  --enable-fbdev) fbdev="yes"
+  ;;
   --disable-virtfs) virtfs="no"
   ;;
   --enable-virtfs) virtfs="yes"
@@ -1073,6 +1079,8 @@ echo "  --disable-strip  disable stripping 
binaries"
 echo "  --disable-werror disable compilation abort on warning"
 echo "  --disable-sdldisable SDL"
 echo "  --enable-sdl enable SDL"
+echo "  --disable-fbdev  disable linux framebuffer"
+echo "  --enable-fbdev   enable linux framebuffer"
 echo "  --disable-virtfs disable VirtFS"
 echo "  --enable-virtfs  enable VirtFS"
 echo "  --disable-vncdisable VNC"
@@ -3127,6 +3135,7 @@ if test "$darwin" = "yes" ; then
 echo "Cocoa support $cocoa"
 fi
 echo "SDL support   $sdl"
+echo "fbdev support $fbdev"
 echo "curses support$curses"
 echo "curl support  $curl"
 echo "mingw32 support   $mingw32"
@@ -3335,6 +3344,9 @@ if test "$sdl" = "yes" ; then
   echo "CONFIG_SDL=y" >> $config_host_mak
   echo "SDL_CFLAGS=$sdl_cflags" >> $config_host_mak
 fi
+if test "$fbdev" = "yes" ; then
+  echo "CONFIG_FBDEV=y" >> $config_host_mak
+fi
 if test "$cocoa" = "yes" ; then
   echo "CONFIG_COCOA=y" >> $config_host_mak
 fi
diff --git a/qmp.c b/qmp.c
index 7f6cc0b..060d804 100644
--- a/qmp.c
+++ b/qmp.c
@@ -393,7 +393,7 @@ void qmp_change(const char *device, const char *target,
 
 void qmp_fbdev(bool enable, Error **errp)
 {
-#if defined(CONFIG_LINUX)
+#if defined(CONFIG_FBDEV)
 DisplayState *ds = get_displaystate();
 
 if (enable) {
diff --git a/ui/Makefile.objs b/ui/Makefile.objs
index 55ddcf2..479cd01 100644
--- a/ui/Makefile.objs
+++ b/ui/Makefile.objs
@@ -12,4 +12,4 @@ common-obj-$(CONFIG_SDL) += sdl.o sdl_zoom.o x_keymap.o
 common-obj-$(CONFIG_COCOA) += cocoa.o
 common-obj-$(CONFIG_CURSES) += curses.o
 common-obj-$(CONFIG_VNC) += $(vnc-obj-y)
-common-obj-$(CONFIG_LINUX) += fbdev.o
+common-obj-$(CONFIG_FBDEV) += fbdev.o
diff --git a/vl.c b/vl.c
index 18982b2..d39352c 100644
--- a/vl.c
+++ b/vl.c
@@ -3041,7 +3041,7 @@ int main(int argc, char **argv, char **envp)
 fprintf(stderr, "SDL support is disabled\n");
 exit(1);
 #endif
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_FBDEV
 case QEMU_OPTION_fbdev:
 display_type = DT_FBDEV;
 break;
@@ -3686,7 +3686,7 @@ int main(int argc, char **argv, char **envp)
 curses_display_init(ds, full_screen);
 break;
 #endif
-#if defined(CONFIG_LINUX)
+#if defined(CONFIG_FBDEV)
 case DT_FBDEV:
 if (fbdev_display_init(ds, NULL) != 0) {
 exit(1);
-- 
1.7.1

[Qemu-devel] [PATCH 12/14] usb-redir: Add chardev open / close debug logging

[Gerd Hoffmann]

From: Hans de Goede 

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/redirect.c |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 5e987e9..9a4be6d 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -854,6 +854,7 @@ static void usbredir_chardev_close_bh(void *opaque)
 usbredir_device_disconnect(dev);
 
 if (dev->parser) {
+DPRINTF("destroying usbredirparser\n");
 usbredirparser_destroy(dev->parser);
 dev->parser = NULL;
 }
@@ -869,6 +870,8 @@ static void usbredir_chardev_open(USBRedirDevice *dev)
 usbredir_chardev_close_bh(dev);
 qemu_bh_cancel(dev->chardev_close_bh);
 
+DPRINTF("creating usbredirparser\n");
+
 strcpy(version, "qemu usb-redir guest ");
 pstrcat(version, sizeof(version), qemu_get_version());
 
@@ -980,9 +983,11 @@ static void usbredir_chardev_event(void *opaque, int event)
 
 switch (event) {
 case CHR_EVENT_OPENED:
+DPRINTF("chardev open\n");
 usbredir_chardev_open(dev);
 break;
 case CHR_EVENT_CLOSED:
+DPRINTF("chardev close\n");
 qemu_bh_schedule(dev->chardev_close_bh);
 break;
 }
@@ -1228,6 +1233,7 @@ static void usbredir_device_disconnect(void *priv)
 qemu_del_timer(dev->attach_timer);
 
 if (dev->dev.attached) {
+DPRINTF("detaching device\n");
 usb_device_detach(&dev->dev);
 /*
  * Delay next usb device attach to give the guest a chance to see
-- 
1.7.1

[Qemu-devel] [PATCH 07/14] ehci: Walk async schedule before and after migration

[Gerd Hoffmann]

From: Hans de Goede 

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci.c |   28 
 1 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index bc86460..6a5da84 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -34,6 +34,7 @@
 #include "monitor.h"
 #include "trace.h"
 #include "dma.h"
+#include "sysemu.h"
 
 #define EHCI_DEBUG   0
 
@@ -2572,6 +2573,32 @@ static int usb_ehci_post_load(void *opaque, int 
version_id)
 return 0;
 }
 
+static void usb_ehci_vm_state_change(void *opaque, int running, RunState state)
+{
+EHCIState *ehci = opaque;
+
+/*
+ * We don't migrate the EHCIQueue-s, instead we rebuild them for the
+ * schedule in guest memory. We must do the rebuilt ASAP, so that
+ * USB-devices which have async handled packages have a packet in the
+ * ep queue to match the completion with.
+ */
+if (state == RUN_STATE_RUNNING) {
+ehci_advance_async_state(ehci);
+}
+
+/*
+ * The schedule rebuilt from guest memory could cause the migration dest
+ * to miss a QH unlink, and fail to cancel packets, since the unlinked QH
+ * will never have existed on the destination. Therefor we must flush the
+ * async schedule on savevm to catch any not yet noticed unlinks.
+ */
+if (state == RUN_STATE_SAVE_VM) {
+ehci_advance_async_state(ehci);
+ehci_queues_rip_unseen(ehci, 1);
+}
+}
+
 static const VMStateDescription vmstate_ehci = {
 .name= "ehci",
 .version_id  = 2,
@@ -2721,6 +2748,7 @@ static int usb_ehci_initfn(PCIDevice *dev)
 usb_packet_init(&s->ipacket);
 
 qemu_register_reset(ehci_reset, s);
+qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s);
 
 memory_region_init(&s->mem, "ehci", MMIO_SIZE);
 memory_region_init_io(&s->mem_caps, &ehci_mmio_caps_ops, s,
-- 
1.7.1

[Qemu-devel] [PATCH v2 1/9] QLIST-ify display change listeners.

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann 
---
 console.h  |   72 +++
 hw/xenfb.c |2 +-
 vl.c   |9 ++-
 3 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/console.h b/console.h
index f990684..646ad4b 100644
--- a/console.h
+++ b/console.h
@@ -164,7 +164,7 @@ struct DisplayChangeListener {
  int w, int h, uint32_t c);
 void (*dpy_text_cursor)(struct DisplayState *s, int x, int y);
 
-struct DisplayChangeListener *next;
+QLIST_ENTRY(DisplayChangeListener) next;
 };
 
 struct DisplayAllocator {
@@ -179,7 +179,7 @@ struct DisplayState {
 struct QEMUTimer *gui_timer;
 
 struct DisplayAllocator* allocator;
-struct DisplayChangeListener* listeners;
+QLIST_HEAD(, DisplayChangeListener) listeners;
 
 void (*mouse_set)(int x, int y, int on);
 void (*cursor_define)(QEMUCursor *cursor);
@@ -231,72 +231,76 @@ static inline int is_buffer_shared(DisplaySurface 
*surface)
 
 static inline void register_displaychangelistener(DisplayState *ds, 
DisplayChangeListener *dcl)
 {
-dcl->next = ds->listeners;
-ds->listeners = dcl;
+QLIST_INSERT_HEAD(&ds->listeners, dcl, next);
 }
 
 static inline void dpy_update(DisplayState *s, int x, int y, int w, int h)
 {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
 dcl->dpy_update(s, x, y, w, h);
-dcl = dcl->next;
 }
 }
 
 static inline void dpy_resize(DisplayState *s)
 {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
 dcl->dpy_resize(s);
-dcl = dcl->next;
 }
 }
 
 static inline void dpy_setdata(DisplayState *s)
 {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
-if (dcl->dpy_setdata) dcl->dpy_setdata(s);
-dcl = dcl->next;
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_setdata) {
+dcl->dpy_setdata(s);
+}
 }
 }
 
 static inline void dpy_refresh(DisplayState *s)
 {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
-if (dcl->dpy_refresh) dcl->dpy_refresh(s);
-dcl = dcl->next;
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_refresh) {
+dcl->dpy_refresh(s);
+}
 }
 }
 
 static inline void dpy_copy(struct DisplayState *s, int src_x, int src_y,
- int dst_x, int dst_y, int w, int h) {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
-if (dcl->dpy_copy)
+ int dst_x, int dst_y, int w, int h)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_copy) {
 dcl->dpy_copy(s, src_x, src_y, dst_x, dst_y, w, h);
-else /* TODO */
+} else { /* TODO */
 dcl->dpy_update(s, dst_x, dst_y, w, h);
-dcl = dcl->next;
+}
 }
 }
 
 static inline void dpy_fill(struct DisplayState *s, int x, int y,
- int w, int h, uint32_t c) {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
-if (dcl->dpy_fill) dcl->dpy_fill(s, x, y, w, h, c);
-dcl = dcl->next;
+ int w, int h, uint32_t c)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_fill) {
+dcl->dpy_fill(s, x, y, w, h, c);
+}
 }
 }
 
-static inline void dpy_cursor(struct DisplayState *s, int x, int y) {
-struct DisplayChangeListener *dcl = s->listeners;
-while (dcl != NULL) {
-if (dcl->dpy_text_cursor) dcl->dpy_text_cursor(s, x, y);
-dcl = dcl->next;
+static inline void dpy_cursor(struct DisplayState *s, int x, int y)
+{
+struct DisplayChangeListener *dcl;
+QLIST_FOREACH(dcl, &s->listeners, next) {
+if (dcl->dpy_text_cursor) {
+dcl->dpy_text_cursor(s, x, y);
+}
 }
 }
 
diff --git a/hw/xenfb.c b/hw/xenfb.c
index 338800a..ef24c33 100644
--- a/hw/xenfb.c
+++ b/hw/xenfb.c
@@ -717,7 +717,7 @@ static void xenfb_update(void *opaque)
if (xenfb_queue_full(xenfb))
return;
 
-for (l = xenfb->c.ds->listeners; l != NULL; l = l->next) {
+QLIST_FOREACH(l, &xenfb->c.ds->listeners, next) {
 if (l->idle)
 continue;
 idle = 0;
diff --git a/vl.c b/vl.c
index 7c577fa..2a7c92a 100644
--- a/vl.c
+++ b/vl.c
@@ -1276,15 +1276,14 @@ static void gui_update(void *opaque)
 {
 uint64_t interval = GUI_REFRESH_INTERVAL;
 DisplayState *ds = opaque;
-DisplayChangeListener *dcl = ds->liste

Re: [Qemu-devel] [PATCH V3 08/11] qom: introduce reclaimer to release obj in async

[Avi Kivity]

On 09/13/2012 12:59 PM, liu ping fan wrote:
> On Thu, Sep 13, 2012 at 4:45 PM, Avi Kivity  wrote:
>> On 09/13/2012 09:54 AM, liu ping fan wrote:
>>> On Tue, Sep 11, 2012 at 5:37 PM, Avi Kivity  wrote:
 On 09/11/2012 12:32 PM, liu ping fan wrote:
> On Tue, Sep 11, 2012 at 4:32 PM, Avi Kivity  wrote:
>> On 09/11/2012 10:51 AM, Liu Ping Fan wrote:
>>> From: Liu Ping Fan 
>>>
>>> DeviceState will be protected by refcnt from disappearing during
>>> dispatching. But when refcnt comes down to zero, DeviceState may
>>> be still in use by iohandler, timer etc in main loop, we just delay
>>> its free untill no reader.
>>>
>>
>> How can this be?  We elevate the refcount while dispatching I/O.  If we
>> have similar problems with the timer, we need to employ a similar 
>> solution.
>>
> Yes, at the next step, plan to covert iohandler, timer etc to use
> refcount as memory. Here just a temp solution.

 I prefer not to ever introduce it.

 What we can do is introduce a sub-region for e1000's mmio that will take
 only the device lock, and let original region use the old dispatch path
 (and also take the device lock).  As we thread the various subsystems
 e1000 uses, we can expand the sub-region until it covers all of e1000's
 functions, then fold it back into the main region.

>>> Introducing new sub-region for e1000  seems no help to resolve this
>>> issue. It can not tell whether main-loop still use it or not.
>>
>> What is "it" here? (actually two of them).
>>
> Should expressed as "The sub-region's dispatcher can not tell whether
> main-loop still use e1000 or not"

The sub-region will not use any unthreaded subsystems, so it need not
care about the main loop.

At first, it would only access registers in device state.

But if we go with the plan below, we can drop it.

> 
>> If you do that, you can also take the big lock in the destructor.  If we
> 
> We do not call qemu_del_timer() etc at the destructor, instead, we
> will call it in qdev_unplug_complete() -->e1000::unmap(). And
> e1000::unmap() is the only function definitely called under bql. When
> coming to destructor, the DeviceState has been completely isolated
> from all of the subsystem. So no need to require big lock in
> destructor.

But between unmap() and the destructor, accesses can still occur (an
access that was started before unmap() was called, but was delayed and
is dispatched after it completes).  These accesses will find the timer
deleted, and so must be prepared to check if the timer is there or not.

So we have a choice, either move timer destruction to the destructor, or
add checks in the dispatch code.



-- 
error compiling committee.c: too many arguments to function

[Qemu-devel] [PATCH 09/10] qxl: add trace-event for QXL_IO_LOG

[Gerd Hoffmann]

From: Alon Levy 

Signed-off-by: Alon Levy 
Signed-off-by: Gerd Hoffmann 
---
 hw/qxl.c |1 +
 trace-events |1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 8c46766..5709e0d 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1515,6 +1515,7 @@ async_common:
 qxl_set_mode(d, val, 0);
 break;
 case QXL_IO_LOG:
+trace_qxl_io_log(d->id, d->ram->log_buf);
 if (d->guestdebug) {
 fprintf(stderr, "qxl/guest-%d: %" PRId64 ": %s", d->id,
 qemu_get_clock_ns(vm_clock), d->ram->log_buf);
diff --git a/trace-events b/trace-events
index 6169c29..cd638f5 100644
--- a/trace-events
+++ b/trace-events
@@ -932,6 +932,7 @@ qxl_interface_update_area_complete_rest(int qid, uint32_t 
num_updated_rects) "%d
 qxl_interface_update_area_complete_overflow(int qid, int max) "%d max=%d"
 qxl_interface_update_area_complete_schedule_bh(int qid, uint32_t num_dirty) 
"%d #dirty=%d"
 qxl_io_destroy_primary_ignored(int qid, const char *mode) "%d %s"
+qxl_io_log(int qid, const uint8_t *str) "%d %s"
 qxl_io_read_unexpected(int qid) "%d"
 qxl_io_unexpected_vga_mode(int qid, uint64_t addr, uint64_t val, const char 
*desc) "%d 0x%"PRIx64"=%"PRIu64" (%s)"
 qxl_io_write(int qid, const char *mode, uint64_t addr, uint64_t val, unsigned 
size, int async) "%d %s addr=%"PRIu64 " val=%"PRIu64" size=%u async=%d"
-- 
1.7.1

[Qemu-devel] [PATCH 14/14] uhci: Don't queue up packets after one with the SPD flag set

[Gerd Hoffmann]

From: Hans de Goede 

Don't queue up packets after a packet with the SPD (short packet detect)
flag set. Since we won't know if the packet will actually be short until it
has completed, and if it is short we should stop the queue.

This fixes a miniature photoframe emulating a USB cdrom with the windows
software for it not working.

Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-uhci.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
index c7c8786..cdc8bc3 100644
--- a/hw/usb/hcd-uhci.c
+++ b/hw/usb/hcd-uhci.c
@@ -1000,6 +1000,9 @@ static void uhci_fill_queue(UHCIState *s, UHCI_TD *td)
 }
 assert(ret == TD_RESULT_ASYNC_START);
 assert(int_mask == 0);
+if (ptd.ctrl & TD_CTRL_SPD) {
+break;
+}
 plink = ptd.link;
 }
 }
@@ -1097,7 +1100,7 @@ static void uhci_process_frame(UHCIState *s)
 
 case TD_RESULT_ASYNC_START:
 trace_usb_uhci_td_async(curr_qh & ~0xf, link & ~0xf);
-if (is_valid(td.link)) {
+if (is_valid(td.link) && !(td.ctrl & TD_CTRL_SPD)) {
 uhci_fill_queue(s, &td);
 }
 link = curr_qh ? qh.link : td.link;
-- 
1.7.1

Re: [Qemu-devel] [PATCH] rtl8139: implement 8139cp link status

[Jason Wang]

On 09/10/2012 04:15 PM, Jason Wang wrote:

On 09/10/2012 03:59 PM, Amos Kong wrote:

From: Jason Wang

Add a link status chang callback and change the link status bit in BMSR
&  MSR accordingly. Tested in Linux/Windows guests.

Signed-off-by: Jason Wang
Signed-off-by: Amos Kong
---
  hw/rtl8139.c |   23 +--
  1 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 844f1b8..3c33908 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -167,7 +167,7 @@ enum IntrStatusBits {
  PCIErr = 0x8000,
  PCSTimeout = 0x4000,
  RxFIFOOver = 0x40,
-RxUnderrun = 0x20,
+RxUnderrun = 0x20, /* Packet Underrun / Link Change */
  RxOverflow = 0x10,
  TxErr = 0x08,
  TxOK = 0x04,
@@ -452,6 +452,7 @@ typedef struct RTL8139State {
  uint8_t  Config0;
  uint8_t  Config1;
  uint8_t  Config3;
+uint8_t  MediaStatus;
  uint8_t  Config4;
  uint8_t  Config5;


So the content of this register would be lost after migration?


Or you can do some hack to avoid hanling migration, e.g infer the the 
link status bit of MediaStatus from BasicModeStatus.

@@ -1246,6 +1247,7 @@ static void rtl8139_reset(DeviceState *d)
  /* set initial state data */
  s->Config0 = 0x0; /* No boot ROM */
  s->Config1 = 0xC; /* IO mapped and MEM mapped registers 
available */
+s->MediaStatus = 0xd0; /* Power is present, TX/RX flow control 
enable */

  s->Config3 = 0x1; /* fast back-to-back compatible */
  s->Config5 = 0x0;

@@ -3007,7 +3009,7 @@ static uint32_t rtl8139_io_readb(void *opaque, 
uint8_t addr)

  break;

  case MediaStatus:
-ret = 0xd0;
+ret = s->MediaStatus;
  DPRINTF("MediaStatus read 0x%x\n", ret);
  break;

@@ -3453,12 +3455,29 @@ static void pci_rtl8139_uninit(PCIDevice *dev)
  qemu_del_net_client(&s->nic->nc);
  }

+static void rtl8139_set_link_status(NetClientState *nc)
+{
+RTL8139State *s = DO_UPCAST(NICState, nc, nc)->opaque;
+
+if (nc->link_down) {
+s->BasicModeStatus&= ~0x0004;
+s->MediaStatus |= 0x0004;
+} else {
+s->BasicModeStatus |= 0x0004;
+s->MediaStatus&= ~0x0004;
+}
+
+s->IntrStatus |= RxUnderrun;
+rtl8139_update_irq(s);
+}
+
  static NetClientInfo net_rtl8139_info = {
  .type = NET_CLIENT_OPTIONS_KIND_NIC,
  .size = sizeof(NICState),
  .can_receive = rtl8139_can_receive,
  .receive = rtl8139_receive,
  .cleanup = rtl8139_cleanup,
+.link_status_changed = rtl8139_set_link_status,
  };

  static int pci_rtl8139_init(PCIDevice *dev)

[Qemu-devel] [PATCH 05/14] configure: usbredir fixes

[Gerd Hoffmann]

From: Aurelien Jarno 

usbredir is only used by system emulation, so add the libraries to
libs_softmmu instead of LIBS.

Cc: Michael Tokarev 
Cc: Gerd Hoffmann 
Signed-off-by: Aurelien Jarno 
Signed-off-by: Hans de Goede 
Signed-off-by: Gerd Hoffmann 
---
 configure |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/configure b/configure
index 7656c32..e42c812 100755
--- a/configure
+++ b/configure
@@ -2763,7 +2763,7 @@ if test "$usb_redir" != "no" ; then
 usb_redir_cflags=$($pkg_config --cflags libusbredirparser 2>/dev/null)
 usb_redir_libs=$($pkg_config --libs libusbredirparser 2>/dev/null)
 QEMU_CFLAGS="$QEMU_CFLAGS $usb_redir_cflags"
-LIBS="$LIBS $usb_redir_libs"
+libs_softmmu="$libs_softmmu $usb_redir_libs"
 else
 if test "$usb_redir" = "yes"; then
 feature_not_found "usb-redir"
-- 
1.7.1

Re: [Qemu-devel] Rethinking missed tick catchup

[Gleb Natapov]

On Wed, Sep 12, 2012 at 01:19:17PM -0500, Anthony Liguori wrote:
> Gleb Natapov  writes:
> 
> > On Wed, Sep 12, 2012 at 08:54:26AM -0500, Anthony Liguori wrote:
> >> 
> >> Hi,
> >> 
> >> We've been running into a lot of problems lately with Windows guests and
> >> I think they all ultimately could be addressed by revisiting the missed
> >> tick catchup algorithms that we use.  Mike and I spent a while talking
> >> about it yesterday and I wanted to take the discussion to the list to
> >> get some additional input.
> >> 
> >> Here are the problems we're seeing:
> >> 
> >> 1) Rapid reinjection can lead to time moving faster for short bursts of
> >>time.  We've seen a number of RTC watchdog BSoDs and it's possible
> >>that at least one cause is reinjection speed.
> >> 
> >> 2) When hibernating a host system, the guest gets is essentially paused
> >>for a long period of time.  This results in a very large tick catchup
> >>while also resulting in a large skew in guest time.
> >> 
> >>I've gotten reports of the tick catchup consuming a lot of CPU time
> >>from rapid delivery of interrupts (although I haven't reproduced this
> >>yet).
> >> 
> >> 3) Windows appears to have a service that periodically syncs the guest
> >>time with the hardware clock.  I've been told the resync period is an
> >>hour.  For large clock skews, this can compete with reinjection
> >>resulting in a positive skew in time (the guest can be ahead of the
> >>host).
> >> 
> >> I've been thinking about an algorithm like this to address these
> >> problems:
> >> 
> >> A) Limit the number of interrupts that we reinject to the equivalent of
> >>a small period of wallclock time.  Something like 60 seconds.
> >> 
> > How this will fix BSOD problem for instance? 60 seconds is long enough
> > to cause all the problem you are talking about above. We can make
> > amount of accumulated ticks easily configurable though to play with and
> > see.
> 
> It won't, but the goal of an upper limit is to cap time correction at
> something reasonably caused by overcommit, not by suspend/resume.
> 
> 60 seconds is probably way too long.  Maybe 5 seconds?  We can try
> various amounts as you said.
> 
> What do you think about slowing down the catchup rate?  I think now we
> increase wallclock time by 100-700%.
> 
Now we reinject up to 20 lost tick on guest interrupt acknowledgement
(RTC register C read) and increment frequency like you say if this is
not enough. We do both because on machines without hr timers we cannot
increment frequency if guest sets RTC to 1kHz and injecting a lot of RTC
interrupts at once makes Windows think that RTC irq line is stuck -> BSOD

> This is very fast.  I wonder if this makes sense anymore since hr timers
> are pretty much ubiquitous.
We can drop reinject on ACK if we do not want to support old kernels.
Frequency increase was arbitrary, we can make is smaller, but we have to
make sure that under load drift will not be stronger than our attempts
to fix it.

> 
> I think we could probably even just increase wallclock time by as little
> as 10-20%.  That should avoid false watchdog alerts but still give us a
> chance to inject enough interrupts.
We can start from 10-20% and check that if coalesced counter still grows
increase that.

> 
> >
> >> B) In the event of (A), trigger a notification in QEMU.  This is easy
> >>for the RTC but harder for the in-kernel PIT.  Maybe it's a good time to
> >>revisit usage of the in-kernel PIT?
> >> 
> > PIT does not matter for Windows guests.
> >
> >> C) On acculumated tick overflow, rely on using a qemu-ga command to
> >>force a resync of the guest's time to the hardware wallclock time.
> >> 
> > Needs guest cooperation.
> 
> Yes, hence qemu-ga.  But is there any other choice?  Hibernation can
> cause us to miss an unbounded number of ticks.   Days worth of time.  It
> seems unreasonable to gradually catch up that much time.
timedrift fix was never meant to fix timedrifts from vmstop. This is a
side effect of making RTC use real time clock instead of vm clock. With
RTC using real time clock on resume qemu_timer tries to catch up with
current time and fires timer callback for each lost tick. They are all
coalesced of course since guest has no chance to run between them and
accumulated into coalesced_irq counter. If you configure RTC to use vm
clock you should not see this.

I agree with you of course that qemu-ga is the only sane way to fix time
drift due to vstop, but better to not be in this situation if possible.
See bellow.

> 
> >> D) Whenever the guest reads the wallclock time from the RTC, reset all
> >>accumulated ticks.
> >>
> >> In order to do (C), we'll need to plumb qemu-ga through QMP.  Mike and I
> >> discussed a low-impact way of doing this (having a separate dispatch
> >> path for guest agent commands) and I'm confident we could do this for
> >> 1.3.
> >> 
> >> This would mean that management tools would need to consume qem

Re: [Qemu-devel] Rethinking missed tick catchup

[Gleb Natapov]

On Wed, Sep 12, 2012 at 09:45:49PM +0200, Stefan Weil wrote:
> Am 12.09.2012 20:13, schrieb Gleb Natapov:
> >On Wed, Sep 12, 2012 at 07:30:08PM +0200, Stefan Weil wrote:
> >>I also meant host hibernation.
> >Than I don't see how guest can handle the situation since it has
> >no idea that it was stopped. Qemu has not idea about host hibernation
> >either.
> 
> The guest can compare its internal timers (which stop
> when the host hibernates) with external time references
> (NTP, hw clock or any other clock reference).
Are you prosing to run ntpdate in a loop inside a guest?

--
Gleb.

Re: [Qemu-devel] [PATCH v3 1/2] slirp: Handle more than 65535 blocks in TFTP transfers

[Jan Kiszka]

On 2012-09-13 07:55, Hervé Poussineau wrote:
> RFC 1350 does not mention block count roll-over. However, a lot of TFTP 
> servers
> implement it to be able to transmit big files, so do it also.
> 
> Current block size is 512 bytes, so TFTP files were limited to 32 MB.
> 
> Signed-off-by: Hervé Poussineau 
> ---
>  slirp/tftp.c |   24 ++--
>  slirp/tftp.h |1 +
>  2 files changed, 11 insertions(+), 14 deletions(-)
> 
> diff --git a/slirp/tftp.c b/slirp/tftp.c
> index 520dbd6..c6a5df2 100644
> --- a/slirp/tftp.c
> +++ b/slirp/tftp.c
> @@ -97,7 +97,7 @@ static int tftp_session_find(Slirp *slirp, struct tftp_t 
> *tp)
>return -1;
>  }
>  
> -static int tftp_read_data(struct tftp_session *spt, uint16_t block_nr,
> +static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,
>uint8_t *buf, int len)
>  {
>  int bytes_read = 0;
> @@ -197,19 +197,14 @@ out:
>tftp_session_terminate(spt);
>  }
>  
> -static int tftp_send_data(struct tftp_session *spt,
> -  uint16_t block_nr,
> -   struct tftp_t *recv_tp)
> +static int tftp_send_next_block(struct tftp_session *spt,
> +struct tftp_t *recv_tp)
>  {
>struct sockaddr_in saddr, daddr;
>struct mbuf *m;
>struct tftp_t *tp;
>int nobytes;
>  
> -  if (block_nr < 1) {
> -return -1;
> -  }
> -
>m = m_get(spt->slirp);
>  
>if (!m) {
> @@ -223,7 +218,7 @@ static int tftp_send_data(struct tftp_session *spt,
>m->m_data += sizeof(struct udpiphdr);
>  
>tp->tp_op = htons(TFTP_DATA);
> -  tp->x.tp_data.tp_block_nr = htons(block_nr);
> +  tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0x);
>  
>saddr.sin_addr = recv_tp->ip.ip_dst;
>saddr.sin_port = recv_tp->udp.uh_dport;
> @@ -231,7 +226,7 @@ static int tftp_send_data(struct tftp_session *spt,
>daddr.sin_addr = spt->client_ip;
>daddr.sin_port = spt->client_port;
>  
> -  nobytes = tftp_read_data(spt, block_nr - 1, tp->x.tp_data.tp_buf, 512);
> +  nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, 512);
>  
>if (nobytes < 0) {
>  m_free(m);
> @@ -255,6 +250,7 @@ static int tftp_send_data(struct tftp_session *spt,
>  tftp_session_terminate(spt);
>}
>  
> +  spt->block_nr++;
>return 0;
>  }
>  
> @@ -373,7 +369,8 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t 
> *tp, int pktlen)
>}
>}
>  
> -  tftp_send_data(spt, 1, tp);
> +  spt->block_nr = 0;
> +  tftp_send_next_block(spt, tp);
>  }
>  
>  static void tftp_handle_ack(Slirp *slirp, struct tftp_t *tp, int pktlen)
> @@ -386,9 +383,8 @@ static void tftp_handle_ack(Slirp *slirp, struct tftp_t 
> *tp, int pktlen)
>  return;
>}
>  
> -  if (tftp_send_data(&slirp->tftp_sessions[s],
> -  ntohs(tp->x.tp_data.tp_block_nr) + 1,
> -  tp) < 0) {
> +  if (tftp_send_next_block(&slirp->tftp_sessions[s],
> +   tp) < 0) {
>  return;
>}
>  }
> diff --git a/slirp/tftp.h b/slirp/tftp.h
> index 9c364ea..51704e4 100644
> --- a/slirp/tftp.h
> +++ b/slirp/tftp.h
> @@ -37,6 +37,7 @@ struct tftp_session {
>  
>  struct in_addr client_ip;
>  uint16_t client_port;
> +uint32_t block_nr;
>  
>  int timestamp;
>  };
> 

Thanks, applied. I added a patch on top to remove the useless return
value of tftp_send_next_block.

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Peter Lieven]

On 13.09.2012 10:05, Gleb Natapov wrote:

On Thu, Sep 13, 2012 at 10:00:26AM +0200, Paolo Bonzini wrote:

Il 13/09/2012 09:57, Gleb Natapov ha scritto:

#rdmsr -0 0x194
00011100
#rdmsr -0 0xce
0c0004011103

Yes, that can help implementing it in KVM.  But without a spec to
understand what the bits actually mean, it's just as risky...

Peter, do you have any idea where to get the spec of the memory
controller MSRs in Nehalem and newer processors?  Apparently, memtest is
using them (and in particular 0x194) to find the speed of the FSB, or
something like that.


Why would anyone will want to run memtest in a vm? May be just add those
MSRs to ignore list and that's it.

>From the output it looks like it's basically a list of bits.  Returning
something sensible is better, same as for the speed scaling MSRs.


Everything is list of bits in computers :) At least 0xce is documented in  SDM.
It cannot be implemented in a migration safe manner.

What do you suggest just say memtest does not work?
I am wondering why it is working with -cpu qemu64.

Peter



--
Gleb.

Re: [Qemu-devel] [PATCH v2] rtl8139: implement 8139cp link status

[Stefan Hajnoczi]

On Thu, Sep 13, 2012 at 9:51 AM, Amos Kong  wrote:
> From: Jason Wang 
>
> Add a link status chang callback and change the link status bit in BMSR
> & MSR accordingly. Tested in Linux/Windows guests.
>
> The link status bit of MediaStatus is infered from BasicModeStatus,
> they are reverse.
>
> Signed-off-by: Jason Wang 
> Signed-off-by: Amos Kong 
> ---
> v2: don't add MediaState in RTL8139State to avoid migration trouble
> ---
>  hw/rtl8139.c |   19 +--
>  1 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/hw/rtl8139.c b/hw/rtl8139.c
> index 844f1b8..fa949ca 100644
> --- a/hw/rtl8139.c
> +++ b/hw/rtl8139.c
> @@ -167,7 +167,7 @@ enum IntrStatusBits {
>  PCIErr = 0x8000,
>  PCSTimeout = 0x4000,
>  RxFIFOOver = 0x40,
> -RxUnderrun = 0x20,
> +RxUnderrun = 0x20, /* Packet Underrun / Link Change */
>  RxOverflow = 0x10,
>  TxErr = 0x08,
>  TxOK = 0x04,
> @@ -3007,7 +3007,7 @@ static uint32_t rtl8139_io_readb(void *opaque, uint8_t 
> addr)
>  break;
>
>  case MediaStatus:
> -ret = 0xd0;
> +ret = 0xd0 | ~(s->BasicModeStatus & 0x0004);
>  DPRINTF("MediaStatus read 0x%x\n", ret);
>  break;

This does not give any hint that BMSR & 0x4 is the link status
(inverted).  I suggest adding an enum like the other constants at the
top of the file:

ret = 0xd0 | (nc->link_down ? MSRLinkDown : 0);

Regarding migration: do we migrate the NetClient->link_down field?  If
we only migrate the status register value then the link may actually
be up at the net.c level.

Stefan

Re: [Qemu-devel] [PATCH v2 1/3] Refactor inet_connect_opts function

[Markus Armbruster]

Orit Wasserman  writes:

> From: Michael S. Tsirkin 
>
> refactor address resolution code to fix nonblocking connect
>
> Signed-off-by: Michael S. Tsirkin 
> Signed-off-by: Amos Kong 
> Signed-off-by: Orit Wasserman 
> ---
>  qemu-sockets.c |  139 
> +---
>  1 files changed, 82 insertions(+), 57 deletions(-)
>
> diff --git a/qemu-sockets.c b/qemu-sockets.c
> index 361d890..68e4d30 100644
> --- a/qemu-sockets.c
> +++ b/qemu-sockets.c
> @@ -209,32 +209,25 @@ listen:
>  return slisten;
>  }
>  
> -int inet_connect_opts(QemuOpts *opts, bool *in_progress, Error **errp)
> +static struct addrinfo *inet_parse_connect_opts(QemuOpts *opts, Error **errp)
>  {
> -struct addrinfo ai,*res,*e;
> +struct addrinfo ai, *res;
> +int rc;
>  const char *addr;
>  const char *port;
> -char uaddr[INET6_ADDRSTRLEN+1];
> -char uport[33];
> -int sock,rc;
> -bool block;
>  
>  memset(&ai,0, sizeof(ai));
>  ai.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
>  ai.ai_family = PF_UNSPEC;
>  ai.ai_socktype = SOCK_STREAM;
>  
> -if (in_progress) {
> -*in_progress = false;
> -}
> -
>  addr = qemu_opt_get(opts, "host");
>  port = qemu_opt_get(opts, "port");
> -block = qemu_opt_get_bool(opts, "block", 0);
>  if (addr == NULL || port == NULL) {
> -fprintf(stderr, "inet_connect: host and/or port not specified\n");
> +fprintf(stderr,
> +"inet_parse_connect_opts: host and/or port not specified\n");
>  error_set(errp, QERR_SOCKET_CREATE_FAILED);
> -return -1;
> +return NULL;
>  }
>  
>  if (qemu_opt_get_bool(opts, "ipv4", 0))
> @@ -247,57 +240,89 @@ int inet_connect_opts(QemuOpts *opts, bool 
> *in_progress, Error **errp)
>  fprintf(stderr,"getaddrinfo(%s,%s): %s\n", addr, port,
>  gai_strerror(rc));
>  error_set(errp, QERR_SOCKET_CREATE_FAILED);
> - return -1;
> +return NULL;
>  }
> +return res;
> +}
>  
> -for (e = res; e != NULL; e = e->ai_next) {
> -if (getnameinfo((struct sockaddr*)e->ai_addr,e->ai_addrlen,
> -uaddr,INET6_ADDRSTRLEN,uport,32,
> -NI_NUMERICHOST | NI_NUMERICSERV) != 0) {
> -fprintf(stderr,"%s: getnameinfo: oops\n", __FUNCTION__);
> -continue;
> -}
> -sock = qemu_socket(e->ai_family, e->ai_socktype, e->ai_protocol);
> -if (sock < 0) {
> -fprintf(stderr,"%s: socket(%s): %s\n", __FUNCTION__,
> -inet_strfamily(e->ai_family), strerror(errno));
> -continue;
> +#ifdef _WIN32
> +#define QEMU_SOCKET_RC_INPROGRESS(rc) \
> +((rc) == -EINPROGRESS || rc == -EWOULDBLOCK || rc == -WSAEALREADY)
> +#else
> +#define QEMU_SOCKET_RC_INPROGRESS(rc) \
> +((rc) == -EINPROGRESS)
> +#endif
> +
> +static int inet_connect_addr(struct addrinfo *addr, bool block,
> + bool *in_progress, Error **errp)
> +{
> +char uaddr[INET6_ADDRSTRLEN + 1];
> +char uport[33];
> +int sock, rc;
> +
> +if (getnameinfo((struct sockaddr *)addr->ai_addr, addr->ai_addrlen,
> +uaddr, INET6_ADDRSTRLEN, uport, 32,
> +NI_NUMERICHOST | NI_NUMERICSERV)) {
> +fprintf(stderr, "%s: getnameinfo: oops\n", __func__);
> +return -1;
> +}

uaddr[] and uport[] are write-only.  Let's drop getnameinfo().

> +sock = qemu_socket(addr->ai_family, addr->ai_socktype, 
> addr->ai_protocol);
> +if (sock < 0) {
> +fprintf(stderr, "%s: socket(%s): %s\n", __func__,
> +inet_strfamily(addr->ai_family), strerror(errno));
> +return -1;
> +}
> +setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
> +if (!block) {
> +socket_set_nonblock(sock);
> +}
> +/* connect to peer */
> +do {
> +rc = 0;
> +if (connect(sock, addr->ai_addr, addr->ai_addrlen) < 0) {
> +rc = -socket_error();
>  }
> -setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void*)&on,sizeof(on));
> -if (!block) {
> -socket_set_nonblock(sock);
> +} while (rc == -EINTR);
> +
> +if (!block && QEMU_SOCKET_RC_INPROGRESS(rc)) {
> +if (in_progress) {
> +*in_progress = true;
>  }
> -/* connect to peer */
> -do {
> -rc = 0;
> -if (connect(sock, e->ai_addr, e->ai_addrlen) < 0) {
> -rc = -socket_error();
> -}
> -} while (rc == -EINTR);
> -
> -  #ifdef _WIN32
> -if (!block && (rc == -EINPROGRESS || rc == -EWOULDBLOCK
> -   || rc == -WSAEALREADY)) {
> -  #else
> -if (!block && (rc == -EINPROGRESS)) {
> -  #endif
> -if (in_progress) {
> -*in_progress = true;
> -}
> -} else if (rc < 0) {
> -if (NULL == e->ai_next)
> -   

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Gleb Natapov]

On Thu, Sep 13, 2012 at 02:05:23PM +0200, Peter Lieven wrote:
> On 13.09.2012 10:05, Gleb Natapov wrote:
> >On Thu, Sep 13, 2012 at 10:00:26AM +0200, Paolo Bonzini wrote:
> >>Il 13/09/2012 09:57, Gleb Natapov ha scritto:
> >>>#rdmsr -0 0x194
> >>>00011100
> >>>#rdmsr -0 0xce
> >>>0c0004011103
> >Yes, that can help implementing it in KVM.  But without a spec to
> >understand what the bits actually mean, it's just as risky...
> >
> >Peter, do you have any idea where to get the spec of the memory
> >controller MSRs in Nehalem and newer processors?  Apparently, memtest is
> >using them (and in particular 0x194) to find the speed of the FSB, or
> >something like that.
> >
> >>>Why would anyone will want to run memtest in a vm? May be just add those
> >>>MSRs to ignore list and that's it.
> >>>From the output it looks like it's basically a list of bits.  Returning
> >>something sensible is better, same as for the speed scaling MSRs.
> >>
> >Everything is list of bits in computers :) At least 0xce is documented in  
> >SDM.
> >It cannot be implemented in a migration safe manner.
> What do you suggest just say memtest does not work?
Why do you want to run it in a guest? 

> I am wondering why it is working with -cpu qemu64.
> 
Because memtest has different code for different cpu models.

--
Gleb.

Re: [Qemu-devel] [PATCH] hw: Add support for new LSI Logic devices.

[Don Slutz]

On 09/12/12 09:58, Anthony Liguori wrote:

Kevin Wolf  writes:


Am 12.09.2012 01:50, schrieb Michael S. Tsirkin:

On Tue, Sep 11, 2012 at 01:00:13PM -0400, Don Slutz wrote:

Add LSI53C1030, SAS1068, SAS1068e.  Based on code from "VirtualBox Open Source 
Edition".
Based on QEMU MegaRAID SAS 8708EM2.

This is a common VMware disk controller.

I think you mean VMware emulates this controller too,
pls say it explicitly in the commit log.

Will do in V2.



SEABIOS change for booting is in the works.

Tested with Fedora 16, 17.  CentoOS 6. Windows 2003R2 and 2008R2.

Signed-off-by: Don Slutz 

Minor comments below.

Coding style does not adhere to qemu standards,
I guess you know that :)

Yes, But I did get checkpatch.pl to not complain.


Otherwise, from pci side of things this looks OK.
I did not look at the scsi side of things.


---
  default-configs/pci.mak |1 +
  hw/Makefile.objs|1 +
  hw/lsilogic.c   | 2743 ++
  hw/lsilogic.h   | 3365 +++
  hw/pci_ids.h|4 +
  trace-events|   26 +
  6 files changed, 6140 insertions(+), 0 deletions(-)
  create mode 100644 hw/lsilogic.c
  create mode 100644 hw/lsilogic.h

diff --git a/default-configs/pci.mak b/default-configs/pci.mak
index 69e18f1..ae4873d 100644
--- a/default-configs/pci.mak
+++ b/default-configs/pci.mak
@@ -11,6 +11,7 @@ CONFIG_PCNET_PCI=y
  CONFIG_PCNET_COMMON=y
  CONFIG_LSI_SCSI_PCI=y
  CONFIG_MEGASAS_SCSI_PCI=y
+CONFIG_LSILOGIC_SCSI_PCI=y
  CONFIG_RTL8139_PCI=y
  CONFIG_E1000_PCI=y
  CONFIG_IDE_CORE=y
diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index 6dfebd2..e5f939c 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -115,6 +115,7 @@ hw-obj-$(CONFIG_OPENCORES_ETH) += opencores_eth.o
  # SCSI layer
  hw-obj-$(CONFIG_LSI_SCSI_PCI) += lsi53c895a.o
  hw-obj-$(CONFIG_MEGASAS_SCSI_PCI) += megasas.o
+hw-obj-$(CONFIG_LSILOGIC_SCSI_PCI) += lsilogic.o
  hw-obj-$(CONFIG_ESP) += esp.o
  hw-obj-$(CONFIG_ESP_PCI) += esp-pci.o
  
diff --git a/hw/lsilogic.c b/hw/lsilogic.c

new file mode 100644
index 000..1c0a54f
--- /dev/null
+++ b/hw/lsilogic.c
@@ -0,0 +1,2743 @@
+/*
+ * QEMU LSILOGIC LSI53C1030 SCSI and SAS1068 Host Bus Adapter emulation
+ * Based on the QEMU Megaraid emulator and the VirtualBox LsiLogic
+ * LSI53c1030 SCSI controller
+ *
+ * Copyright (c) 2009-2012 Hannes Reinecke, SUSE Labs
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+/* Id: DevLsiLogicSCSI.cpp 40642 2012-03-26 13:14:08Z vboxsync $ */
+/** @file
+ * VBox storage devices: LsiLogic LSI53c1030 SCSI controller.
+ */
+
+/*
+ * Copyright (C) 2006-2009 Oracle Corporation
+ *
+ * This file is part of VirtualBox Open Source Edition (OSE), as
+ * available from http://www.virtualbox.org. This file is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU
+ * General Public License (GPL) as published by the Free Software
+ * Foundation, in version 2 as it comes in the "COPYING" file of the
+ * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
+ * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
+ */
+
+

I suspect you need to rewrite above: probably add
all copyrights in 1st header and make it v2 only.

Working on the rewrite.

Do we even accept new GPLv2-only code?

Yes.

I've got some concern about the maintainability of this though.  This is
code copied from another project and then heavily modified.

Are we prepared to independently fork this device?  How are we going to test it
regularly?
I have no issue with adding myself to MAINTAINERS (hw/lsilogic*) for 
this patch.  In the near term I will be doing a lot of testing with it.  
I am just starting at looking into some sort of automatic test for this.

We seem to be growing SCSI controllers like weeds.  Why would someone
use this verses megasas vs. LSI vs virtio-scsi?
If you are attempting to use a disk that was built under Virtual Box, 
VMware, etc. as a guest for QEMU, it is likely that this is the scsi 
controller (if it was built using one) that was used.


Regards,

Anthony Liguori


Kevin

Re: [Qemu-devel] [PATCH v2 2/3] Separate inet_connect into inet_connect (blocking) and inet_nonblocking_connect

[Markus Armbruster]

Orit Wasserman  writes:

> No need to add non blocking parameters to the blocking inet_connect
>
> Signed-off-by: Orit Wasserman 
> ---
>  migration-tcp.c |2 +-
>  nbd.c   |2 +-
>  qemu-sockets.c  |   24 
>  qemu_socket.h   |4 +++-
>  ui/vnc.c|2 +-
>  5 files changed, 26 insertions(+), 8 deletions(-)
>
> diff --git a/migration-tcp.c b/migration-tcp.c
> index ac891c3..7f6ad98 100644
> --- a/migration-tcp.c
> +++ b/migration-tcp.c
> @@ -88,7 +88,7 @@ int tcp_start_outgoing_migration(MigrationState *s, const 
> char *host_port,
>  s->write = socket_write;
>  s->close = tcp_close;
>  
> -s->fd = inet_connect(host_port, false, &in_progress, errp);
> +s->fd = inet_nonblocking_connect(host_port, &in_progress, errp);
>  if (error_is_set(errp)) {
>  migrate_fd_error(s);
>  return -1;
> diff --git a/nbd.c b/nbd.c
> index 0dd60c5..206f75c 100644
> --- a/nbd.c
> +++ b/nbd.c
> @@ -162,7 +162,7 @@ int tcp_socket_outgoing(const char *address, uint16_t 
> port)
>  
>  int tcp_socket_outgoing_spec(const char *address_and_port)
>  {
> -return inet_connect(address_and_port, true, NULL, NULL);
> +return inet_connect(address_and_port, NULL);
>  }
>  
>  int tcp_socket_incoming(const char *address, uint16_t port)
> diff --git a/qemu-sockets.c b/qemu-sockets.c
> index 68e4d30..4f5eca8 100644
> --- a/qemu-sockets.c
> +++ b/qemu-sockets.c
> @@ -518,16 +518,32 @@ int inet_listen(const char *str, char *ostr, int olen,
>  return sock;
>  }
>  
> -int inet_connect(const char *str, bool block, bool *in_progress, Error 
> **errp)
> +int inet_connect(const char *str, Error **errp)
>  {
>  QemuOpts *opts;
>  int sock = -1;
>  
>  opts = qemu_opts_create(&dummy_opts, NULL, 0, NULL);
>  if (inet_parse(opts, str) == 0) {
> -if (block) {
> -qemu_opt_set(opts, "block", "on");
> -}
> +qemu_opt_set(opts, "block", "on");
> +sock = inet_connect_opts(opts, NULL, errp);

Let's go one step further: make inet_connect_opts() take a bool block
argument, and drop the stupid QemuOpt "block".  That way, opts are again
for user options only.

> +} else {
> +error_set(errp, QERR_SOCKET_CREATE_FAILED);
> +}
> +qemu_opts_del(opts);
> +return sock;
> +}
> +
> +
> +int inet_nonblocking_connect(const char *str, bool *in_progress,
> + Error **errp)
> +{
> +QemuOpts *opts;
> +int sock = -1;
> +
> +opts = qemu_opts_create(&dummy_opts, NULL, 0, NULL);
> +if (inet_parse(opts, str) == 0) {
> +qemu_opt_set(opts, "block", "off");
>  sock = inet_connect_opts(opts, in_progress, errp);
>  } else {
>  error_set(errp, QERR_SOCKET_CREATE_FAILED);
[...]

Re: [Qemu-devel] [PATCH] hw: Add support for new LSI Logic devices.

[Don Slutz]

On 09/12/12 11:38, Avi Kivity wrote:

On 09/11/2012 08:00 PM, Don Slutz wrote:

Add LSI53C1030, SAS1068, SAS1068e.  Based on code from "VirtualBox Open Source 
Edition".
Based on QEMU MegaRAID SAS 8708EM2.

This is a common VMware disk controller.

SEABIOS change for booting is in the works.

Tested with Fedora 16, 17.  CentoOS 6. Windows 2003R2 and 2008R2.


Is the spec for these devices freely available?  Please provide a link
in the source.



Still looking for freely available spec.
   -Don

Re: [Qemu-devel] [PATCH 27/47] block: introduce mirror job

[Kevin Wolf]

Am 24.07.2012 13:04, schrieb Paolo Bonzini:
> This patch adds the implementation of a new job that mirrors a disk to
> a new image while letting the guest continue using the old image.
> The target is treated as a "black box" and data is copied from the
> source to the target in the background.  This can be used for several
> purposes, including storage migration, continuous replication, and
> observation of the guest I/O in an external program.  It is also a
> first step in replacing the inefficient block migration code that is
> part of QEMU.
> 
> The job is possibly never-ending, but it is logically structured into
> two phases: 1) copy all data as fast as possible until the target
> first gets in sync with the source; 2) keep target in sync and
> ensure that reopening to the target gets a correct (full) copy
> of the source data.
> 
> The second phase is indicated by the progress in "info block-jobs"
> reporting the current offset to be equal to the length of the file.
> When the job is cancelled in the second phase, QEMU will run the
> job until the source is clean and quiescent, then it will report
> successful completion of the job.
> 
> In other words, the BLOCK_JOB_CANCELLED event means that the target
> may _not_ be consistent with a past state of the source; the
> BLOCK_JOB_COMPLETED event means that the target is consistent with
> a past state of the source.  (Note that it could already happen
> that management lost the race against QEMU and got a completion
> event instead of cancellation).
> 
> It is not yet possible to complete the job and switch over to the target
> disk.  The next patches will fix this and add many refinements to the
> basic idea introduced here.  These include improved error management,
> some tunable knobs and performance optimizations.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  block/Makefile.objs |2 +-
>  block/mirror.c  |  232 
> +++
>  block_int.h |   20 +
>  qapi-schema.json|   17 
>  trace-events|7 ++
>  5 files changed, 277 insertions(+), 1 deletion(-)
>  create mode 100644 block/mirror.c
> 
> diff --git a/block/Makefile.objs b/block/Makefile.objs
> index c45affc..f1a394a 100644
> --- a/block/Makefile.objs
> +++ b/block/Makefile.objs
> @@ -9,4 +9,4 @@ block-obj-$(CONFIG_LIBISCSI) += iscsi.o
>  block-obj-$(CONFIG_CURL) += curl.o
>  block-obj-$(CONFIG_RBD) += rbd.o
>  
> -common-obj-y += stream.o
> +common-obj-y += stream.o mirror.o
> diff --git a/block/mirror.c b/block/mirror.c
> new file mode 100644
> index 000..f7d36f9
> --- /dev/null
> +++ b/block/mirror.c
> @@ -0,0 +1,232 @@
> +/*
> + * Image mirroring
> + *
> + * Copyright Red Hat, Inc. 2012
> + *
> + * Authors:
> + *  Paolo Bonzini  
> + *
> + * This work is licensed under the terms of the GNU LGPL, version 2 or later.
> + * See the COPYING.LIB file in the top-level directory.
> + *
> + */
> +
> +#include "trace.h"
> +#include "blockjob.h"
> +#include "block_int.h"
> +#include "qemu/ratelimit.h"
> +
> +enum {
> +/*
> + * Size of data buffer for populating the image file.  This should be 
> large
> + * enough to process multiple clusters in a single call, so that 
> populating
> + * contiguous regions of the image is efficient.
> + */
> +BLOCK_SIZE = 512 * BDRV_SECTORS_PER_DIRTY_CHUNK, /* in bytes */
> +};
> +
> +#define SLICE_TIME 1ULL /* ns */
> +
> +typedef struct MirrorBlockJob {
> +BlockJob common;
> +RateLimit limit;
> +BlockDriverState *target;
> +MirrorSyncMode mode;
> +int64_t sector_num;
> +uint8_t *buf;
> +} MirrorBlockJob;
> +
> +static int coroutine_fn mirror_iteration(MirrorBlockJob *s)
> +{
> +BlockDriverState *source = s->common.bs;
> +BlockDriverState *target = s->target;
> +QEMUIOVector qiov;
> +int ret, nb_sectors;
> +int64_t end;
> +struct iovec iov;
> +
> +end = s->common.len >> BDRV_SECTOR_BITS;
> +s->sector_num = bdrv_get_next_dirty(source, s->sector_num);
> +nb_sectors = MIN(BDRV_SECTORS_PER_DIRTY_CHUNK, end - s->sector_num);
> +bdrv_reset_dirty(source, s->sector_num, nb_sectors);
> +
> +/* Copy the dirty cluster.  */
> +iov.iov_base = s->buf;
> +iov.iov_len  = nb_sectors * 512;
> +qemu_iovec_init_external(&qiov, &iov, 1);
> +
> +trace_mirror_one_iteration(s, s->sector_num, nb_sectors);
> +ret = bdrv_co_readv(source, s->sector_num, nb_sectors, &qiov);
> +if (ret < 0) {
> +return ret;
> +}
> +return bdrv_co_writev(target, s->sector_num, nb_sectors, &qiov);
> +}
> +
> +static void coroutine_fn mirror_run(void *opaque)
> +{
> +MirrorBlockJob *s = opaque;
> +BlockDriverState *bs = s->common.bs;
> +int64_t sector_num, end;
> +int ret = 0;
> +int n;
> +bool synced = false;
> +
> +if (block_job_is_cancelled(&s->common)) {
> +goto immediate_exit;
> +}
> +
> +s->common.len = bdrv_getlength(bs);
> +if (s->common.len < 0)

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Peter Lieven]

On 13.09.2012 14:42, Gleb Natapov wrote:

On Thu, Sep 13, 2012 at 02:05:23PM +0200, Peter Lieven wrote:

On 13.09.2012 10:05, Gleb Natapov wrote:

On Thu, Sep 13, 2012 at 10:00:26AM +0200, Paolo Bonzini wrote:

Il 13/09/2012 09:57, Gleb Natapov ha scritto:

#rdmsr -0 0x194
00011100
#rdmsr -0 0xce
0c0004011103

Yes, that can help implementing it in KVM.  But without a spec to
understand what the bits actually mean, it's just as risky...

Peter, do you have any idea where to get the spec of the memory
controller MSRs in Nehalem and newer processors?  Apparently, memtest is
using them (and in particular 0x194) to find the speed of the FSB, or
something like that.


Why would anyone will want to run memtest in a vm? May be just add those
MSRs to ignore list and that's it.

>From the output it looks like it's basically a list of bits.  Returning
something sensible is better, same as for the speed scaling MSRs.


Everything is list of bits in computers :) At least 0xce is documented in  SDM.
It cannot be implemented in a migration safe manner.

What do you suggest just say memtest does not work?

Why do you want to run it in a guest?
Testing memory thorughput of different host memory layouts/settings 
(hugepages, ksm etc.).

Stress testing new settings and qemu-kvm builds.
Testing new nodes with a VM which claims all available pages. Its a lot 
easier than booting

a node with a CD and attaching to the Console.

This, of course, is all not missing critical and call also be done with 
cpu model qemu64. I just
came across memtest no longer working and where wondering if there is a 
general regressing.


BTW, from 
http://opensource.apple.com/source/xnu/xnu-1228.15.4/osfmk/i386/tsc.c?txt


#define MSR_FLEX_RATIO  0x194
#define MSR_PLATFORM_INFO   0x0ce
#define BASE_NHM_CLOCK_SOURCE   1ULL
#define CPUID_MODEL_NEHALEM 26

switch (cpuid_info()->cpuid_model) {
case CPUID_MODEL_NEHALEM: {
uint64_t cpu_mhz;
uint64_t msr_flex_ratio;
uint64_t msr_platform_info;

/* See if FLEX_RATIO is being used */
msr_flex_ratio = rdmsr64(MSR_FLEX_RATIO);
msr_platform_info = rdmsr64(MSR_PLATFORM_INFO);
flex_ratio_min = (uint32_t)bitfield(msr_platform_info, 47, 40);
flex_ratio_max = (uint32_t)bitfield(msr_platform_info, 15, 8);
/* No BIOS-programed flex ratio. Use hardware max as default */
tscGranularity = flex_ratio_max;
if (msr_flex_ratio & bit(16)) {
/* Flex Enabled: Use this MSR if less than max */
flex_ratio = (uint32_t)bitfield(msr_flex_ratio, 15, 8);
if (flex_ratio < flex_ratio_max)
tscGranularity = flex_ratio;
}

/* If EFI isn't configured correctly, use a constant
 * value. See 6036811.
 */
if (busFreq == 0)
busFreq = BASE_NHM_CLOCK_SOURCE;

cpu_mhz = tscGranularity * BASE_NHM_CLOCK_SOURCE;

kprintf("[NHM] Maximum Non-Turbo Ratio = [%d]\n",
(uint32_t)tscGranularity);
kprintf("[NHM] CPU: Frequency  = %6d.%04dMhz\n",
(uint32_t)(cpu_mhz / Mega), (uint32_t)(cpu_mhz % Mega));
break;
}



Peter

Re: [Qemu-devel] Rethinking missed tick catchup

[Eric Blake]

On 09/13/2012 04:49 AM, Gleb Natapov wrote:
>> They do if you hibernate your laptop.
>>
> AFAIK libvirt migrates vm into a file on hibernate. It is better to move to S3
> (using qemu-ga) instead and migrate to file only if s3 fails.

On host hibernate, libvirt currently does nothing to the guest.  When
the host resumes, the guests see a large gap in execution.

Libvirt would need a hook into host hibernation, to have enough time to
tell the guests to go into S3 prior to allowing the host to go into S3.

On host reboot, libvirt currently saves guests to disk using migrate to
file.  The ideal solution would be to first tell the guest to go into S3
before migrating to file, but the migration to file STILL must occur,
because the host is about to reboot and S3 is not persistent.  S3 is a
better solution than S4, in that S4 requires the guest to have enough
memory (and if it doesn't cooperate, data is lost), but with S3, even if
the guest doesn't cooperate, we can still fall back to migration to file
with the guest only losing time, but not data.

-- 
Eric Blake   ebl...@redhat.com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [PATCH v2 1/3] Refactor inet_connect_opts function

[Markus Armbruster]

One more...

Orit Wasserman  writes:

[...]
> +static int inet_connect_addr(struct addrinfo *addr, bool block,
> + bool *in_progress, Error **errp)

Parameter errp is unused.

> +{
> +char uaddr[INET6_ADDRSTRLEN + 1];
> +char uport[33];
> +int sock, rc;
> +
> +if (getnameinfo((struct sockaddr *)addr->ai_addr, addr->ai_addrlen,
> +uaddr, INET6_ADDRSTRLEN, uport, 32,
> +NI_NUMERICHOST | NI_NUMERICSERV)) {
> +fprintf(stderr, "%s: getnameinfo: oops\n", __func__);
> +return -1;
> +}
> +sock = qemu_socket(addr->ai_family, addr->ai_socktype, 
> addr->ai_protocol);
> +if (sock < 0) {
> +fprintf(stderr, "%s: socket(%s): %s\n", __func__,
> +inet_strfamily(addr->ai_family), strerror(errno));
> +return -1;
> +}
> +setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
> +if (!block) {
> +socket_set_nonblock(sock);
> +}
> +/* connect to peer */
> +do {
> +rc = 0;
> +if (connect(sock, addr->ai_addr, addr->ai_addrlen) < 0) {
> +rc = -socket_error();
>  }
> -setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void*)&on,sizeof(on));
> -if (!block) {
> -socket_set_nonblock(sock);
> +} while (rc == -EINTR);
> +
> +if (!block && QEMU_SOCKET_RC_INPROGRESS(rc)) {
> +if (in_progress) {
> +*in_progress = true;
>  }
> -/* connect to peer */
> -do {
> -rc = 0;
> -if (connect(sock, e->ai_addr, e->ai_addrlen) < 0) {
> -rc = -socket_error();
> -}
> -} while (rc == -EINTR);
> -
> -  #ifdef _WIN32
> -if (!block && (rc == -EINPROGRESS || rc == -EWOULDBLOCK
> -   || rc == -WSAEALREADY)) {
> -  #else
> -if (!block && (rc == -EINPROGRESS)) {
> -  #endif
> -if (in_progress) {
> -*in_progress = true;
> -}
> -} else if (rc < 0) {
> -if (NULL == e->ai_next)
> -fprintf(stderr, "%s: connect(%s,%s,%s,%s): %s\n", 
> __FUNCTION__,
> -inet_strfamily(e->ai_family),
> -e->ai_canonname, uaddr, uport, strerror(errno));
> -closesocket(sock);
> -continue;
> +} else if (rc < 0) {
> +closesocket(sock);
> +return -1;
> +}
> +return sock;
> +}
> +
> +int inet_connect_opts(QemuOpts *opts, bool *in_progress, Error **errp)
> +{
> +struct addrinfo *res, *e;
> +int sock = -1;
> +bool block = qemu_opt_get_bool(opts, "block", 0);
> +
> +res = inet_parse_connect_opts(opts, errp);
> +if (!res) {
> +return -1;
> +}
> +
> +if (in_progress) {
> +*in_progress = false;
> +}
> +
> +for (e = res; e != NULL; e = e->ai_next) {
> +sock = inet_connect_addr(e, block, in_progress, errp);
> +if (in_progress && *in_progress) {
> +return sock;
> +} else if (sock >= 0) {
> +break;
>  }
> -freeaddrinfo(res);
> -return sock;
>  }
> -error_set(errp, QERR_SOCKET_CONNECT_FAILED);
> +if (sock < 0) {
> +error_set(errp, QERR_SOCKET_CONNECT_FAILED);

Necessary, because inet_connect_addr() doesn't do it.

Suggest to drop inet_connect_addr() parameter errp.

> +}
>  freeaddrinfo(res);
> -return -1;
> +return sock;
>  }
>  
>  int inet_dgram_opts(QemuOpts *opts)

Re: [Qemu-devel] [PATCH] hw: Add support for new LSI Logic devices.

[Anthony Liguori]

Paolo Bonzini  writes:

> Il 12/09/2012 15:58, Anthony Liguori ha scritto:
>> Why would someone use this verses megasas vs. LSI vs virtio-scsi?
>
> LSI is dead.  Compare it to IDE.
>
> virtio-scsi has the highest performance, but it is not supported on all
> guests.  Compare it to virtio-blk.
>
> This vs. megasas is a good question; both can be compared to AHCI, they
> have good performance and have the advantage of compatibility with real
> hardware.  If this had gone in first, I would probably have rejected
> megasas, but this has the advantage of being used in VMware and
> VirtualBox.  Plus, unlike megasas Don said he'd work on SeaBIOS support,
> so it has further merit.

Okay.  Thanks.

Regards,

Anthony Liguori

>
> Paolo

Re: [Qemu-devel] [PATCH 28/47] qmp: add drive-mirror command

[Kevin Wolf]

Am 24.07.2012 13:04, schrieb Paolo Bonzini:
> This adds the monitor commands that start the mirroring job.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  blockdev.c   |  133 
> --
>  hmp-commands.hx  |   21 +
>  hmp.c|   28 
>  hmp.h|1 +
>  qapi-schema.json |   35 ++
>  qmp-commands.hx  |   42 +
>  trace-events |2 +-
>  7 files changed, 258 insertions(+), 4 deletions(-)
> 
> diff --git a/blockdev.c b/blockdev.c
> index 192a9db..4b4574a 100644
> --- a/blockdev.c
> +++ b/blockdev.c
> @@ -21,6 +21,8 @@
>  #include "trace.h"
>  #include "arch_init.h"
>  
> +static void block_job_cb(void *opaque, int ret);
> +
>  static QTAILQ_HEAD(drivelist, DriveInfo) drives = 
> QTAILQ_HEAD_INITIALIZER(drives);
>  
>  static const char *const if_name[IF_COUNT] = {
> @@ -825,6 +827,131 @@ exit:
>  return;
>  }
>  
> +void qmp_drive_mirror(const char *device, const char *target,
> +  bool has_format, const char *format,
> +  enum MirrorSyncMode sync,
> +  bool has_mode, enum NewImageMode mode,
> +  bool has_speed, int64_t speed, Error **errp)
> +{
> +BlockDriverInfo bdi;
> +BlockDriverState *bs;
> +BlockDriverState *source, *target_bs;
> +BlockDriver *proto_drv;
> +BlockDriver *drv = NULL;
> +Error *local_err = NULL;
> +int flags;
> +uint64_t size;
> +int ret;
> +
> +if (!has_speed) {
> +speed = 0;
> +}
> +if (!has_mode) {
> +mode = NEW_IMAGE_MODE_ABSOLUTE_PATHS;
> +}
> +
> +bs = bdrv_find(device);
> +if (!bs) {
> +error_set(errp, QERR_DEVICE_NOT_FOUND, device);
> +return;
> +}
> +
> +if (!has_format) {
> +format = mode == NEW_IMAGE_MODE_EXISTING ? NULL : 
> bs->drv->format_name;
> +}
> +if (format) {
> +drv = bdrv_find_format(format);
> +if (!drv) {
> +error_set(errp, QERR_INVALID_BLOCK_FORMAT, format);
> +return;
> +}
> +}
> +
> +if (!bdrv_is_inserted(bs)) {
> +error_set(errp, QERR_DEVICE_HAS_NO_MEDIUM, device);
> +return;
> +}
> +
> +if (bdrv_in_use(bs)) {
> +error_set(errp, QERR_DEVICE_IN_USE, device);
> +return;
> +}
> +
> +flags = bs->open_flags | BDRV_O_RDWR;

Do we take care to make the image read-only again after completion?

Kevin

Re: [Qemu-devel] [PATCH v2 3/3] Fix address handling in inet_nonblocking_connect

[Markus Armbruster]

Orit Wasserman  writes:

> getaddrinfo can give us a list of addresses, but we only try to
> connect to the first one. If that fails we never proceed to
> the next one.  This is common on desktop setups that often have ipv6
> configured but not actually working.
>
> To fix this make inet_connect_nonblocking retry connection with a different
> address.
> callers on inet_nonblocking_connect register a callback function that will
> be called when connect opertion completes, in case of failure the fd will have
> a negative value
>
> Signed-off-by: Orit Wasserman 
> Signed-off-by: Michael S. Tsirkin 
> ---
>  migration-tcp.c |   29 +++---
>  qemu-sockets.c  |  169 
> +--
>  qemu_socket.h   |9 ++-
>  3 files changed, 142 insertions(+), 65 deletions(-)
>
> diff --git a/migration-tcp.c b/migration-tcp.c
> index 7f6ad98..cadea36 100644
> --- a/migration-tcp.c
> +++ b/migration-tcp.c
> @@ -53,29 +53,18 @@ static int tcp_close(MigrationState *s)
>  return r;
>  }
>  
> -static void tcp_wait_for_connect(void *opaque)
> +static void tcp_wait_for_connect(int fd, void *opaque)
>  {
>  MigrationState *s = opaque;
> -int val, ret;
> -socklen_t valsize = sizeof(val);
>  
> -DPRINTF("connect completed\n");
> -do {
> -ret = getsockopt(s->fd, SOL_SOCKET, SO_ERROR, (void *) &val, 
> &valsize);
> -} while (ret == -1 && (socket_error()) == EINTR);
> -
> -if (ret < 0) {
> +if (fd < 0) {
> +DPRINTF("migrate connect error\n");
> +s->fd = -1;
>  migrate_fd_error(s);
> -return;
> -}
> -
> -qemu_set_fd_handler2(s->fd, NULL, NULL, NULL, NULL);
> -
> -if (val == 0)
> +} else {
> +DPRINTF("migrate connect success\n");
> +s->fd = fd;
>  migrate_fd_connect(s);
> -else {
> -DPRINTF("error connecting %d\n", val);
> -migrate_fd_error(s);
>  }
>  }
>  
> @@ -88,7 +77,8 @@ int tcp_start_outgoing_migration(MigrationState *s, const 
> char *host_port,
>  s->write = socket_write;
>  s->close = tcp_close;
>  
> -s->fd = inet_nonblocking_connect(host_port, &in_progress, errp);
> +s->fd = inet_nonblocking_connect(host_port, tcp_wait_for_connect, s,
> + &in_progress, errp);
>  if (error_is_set(errp)) {
>  migrate_fd_error(s);
>  return -1;
> @@ -96,7 +86,6 @@ int tcp_start_outgoing_migration(MigrationState *s, const 
> char *host_port,
>  
>  if (in_progress) {
>  DPRINTF("connect in progress\n");
> -qemu_set_fd_handler2(s->fd, NULL, NULL, tcp_wait_for_connect, s);
>  } else {
>  migrate_fd_connect(s);
>  }
> diff --git a/qemu-sockets.c b/qemu-sockets.c
> index 4f5eca8..f5d64c8 100644
> --- a/qemu-sockets.c
> +++ b/qemu-sockets.c
> @@ -24,6 +24,7 @@
>  
>  #include "qemu_socket.h"
>  #include "qemu-common.h" /* for qemu_isdigit */
> +#include "main-loop.h"
>  
>  #ifndef AI_ADDRCONFIG
>  # define AI_ADDRCONFIG 0
> @@ -209,41 +210,27 @@ listen:
>  return slisten;
>  }
>  
> -static struct addrinfo *inet_parse_connect_opts(QemuOpts *opts, Error **errp)
> -{
> -struct addrinfo ai, *res;
> -int rc;
> -const char *addr;
> -const char *port;
> -
> -memset(&ai,0, sizeof(ai));
> -ai.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
> -ai.ai_family = PF_UNSPEC;
> -ai.ai_socktype = SOCK_STREAM;
> -
> -addr = qemu_opt_get(opts, "host");
> -port = qemu_opt_get(opts, "port");
> -if (addr == NULL || port == NULL) {
> -fprintf(stderr,
> -"inet_parse_connect_opts: host and/or port not specified\n");
> -error_set(errp, QERR_SOCKET_CREATE_FAILED);
> -return NULL;
> -}
> -
> -if (qemu_opt_get_bool(opts, "ipv4", 0))
> -ai.ai_family = PF_INET;
> -if (qemu_opt_get_bool(opts, "ipv6", 0))
> -ai.ai_family = PF_INET6;
> +#ifdef _WIN32
> +#define QEMU_SOCKET_RC_INPROGRESS(rc) \
> +((rc) == -EINPROGRESS || rc == -EWOULDBLOCK || rc == -WSAEALREADY)
> +#else
> +#define QEMU_SOCKET_RC_INPROGRESS(rc) \
> +((rc) == -EINPROGRESS)
> +#endif
>  
> -/* lookup */
> -if (0 != (rc = getaddrinfo(addr, port, &ai, &res))) {
> -fprintf(stderr,"getaddrinfo(%s,%s): %s\n", addr, port,
> -gai_strerror(rc));
> -error_set(errp, QERR_SOCKET_CREATE_FAILED);
> -return NULL;
> -}
> -return res;
> -}

inet_parse_connect_opts() is only moved, not changed, I think.  I like
to keep code motion well away from code changes (separate patch) to
facilitate review.

> +/* Struct to store connect state for non blocking connect */
> +typedef struct ConnectState {
> +int fd;
> +struct addrinfo *addr_list;
> +struct addrinfo *current_addr;
> +ConnectHandler *callback;
> +void *opaque;
> +Error *errp;
> +} ConnectState;
> +
> +static ConnectState connect_state = {
> +.fd = -1,
> +};

Why does a single connect_state suffice

Re: [Qemu-devel] [PATCH 28/47] qmp: add drive-mirror command

[Paolo Bonzini]

Il 13/09/2012 15:15, Kevin Wolf ha scritto:
>> > +flags = bs->open_flags | BDRV_O_RDWR;
> Do we take care to make the image read-only again after completion?

Not at the file-descriptor level, but bs->read_only is indeed restored
to "true" via bdrv_swap.

Doing it on the file descriptor is possible with Jeff's bdrv_reopen patches.

Paolo

Re: [Qemu-devel] [PATCH 28/47] qmp: add drive-mirror command

[Kevin Wolf]

Am 13.09.2012 15:24, schrieb Paolo Bonzini:
> Il 13/09/2012 15:15, Kevin Wolf ha scritto:
 +flags = bs->open_flags | BDRV_O_RDWR;
>> Do we take care to make the image read-only again after completion?
> 
> Not at the file-descriptor level, but bs->read_only is indeed restored
> to "true" via bdrv_swap.
> 
> Doing it on the file descriptor is possible with Jeff's bdrv_reopen patches.

Ah, right, obviously you can't do it before Jeff's patches are in. But
yes, this is what I meant.

Kevin

Re: [Qemu-devel] Rethinking missed tick catchup

[Daniel P. Berrange]

On Thu, Sep 13, 2012 at 07:14:08AM -0600, Eric Blake wrote:
> On 09/13/2012 04:49 AM, Gleb Natapov wrote:
> >> They do if you hibernate your laptop.
> >>
> > AFAIK libvirt migrates vm into a file on hibernate. It is better to move to 
> > S3
> > (using qemu-ga) instead and migrate to file only if s3 fails.
> 
> On host hibernate, libvirt currently does nothing to the guest.  When
> the host resumes, the guests see a large gap in execution.
> 
> Libvirt would need a hook into host hibernation, to have enough time to
> tell the guests to go into S3 prior to allowing the host to go into S3.
> 
> On host reboot, libvirt currently saves guests to disk using migrate to
> file.  The ideal solution would be to first tell the guest to go into S3
> before migrating to file, but the migration to file STILL must occur,
> because the host is about to reboot and S3 is not persistent.  S3 is a
> better solution than S4, in that S4 requires the guest to have enough
> memory (and if it doesn't cooperate, data is lost), but with S3, even if
> the guest doesn't cooperate, we can still fall back to migration to file
> with the guest only losing time, but not data.

Trying to hook into host S3/S4 and do magic to the guests is just
asking for trouble. Not only can it arbitrarily delay the host going
into S3/S4, but it is not reliable in general, even for OS which do
support it. Much better off hooking into the resume path on the host
and issuing a QEMU GA call to each running guest to resync their
clocks

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] [PATCH v2 3/3] Fix address handling in inet_nonblocking_connect

[Michael S. Tsirkin]

On Thu, Sep 13, 2012 at 03:22:24PM +0200, Markus Armbruster wrote:
> > +/* Struct to store connect state for non blocking connect */
> > +typedef struct ConnectState {
> > +int fd;
> > +struct addrinfo *addr_list;
> > +struct addrinfo *current_addr;
> > +ConnectHandler *callback;
> > +void *opaque;
> > +Error *errp;
> > +} ConnectState;
> > +
> > +static ConnectState connect_state = {
> > +.fd = -1,
> > +};
> 
> Why does a single connect_state suffice?

Even if it does for the specific use, better not to
make assumptions about API use. Let's pass connect state
to APIs.

Re: [Qemu-devel] [PATCH 28/47] qmp: add drive-mirror command

[Paolo Bonzini]

Il 13/09/2012 15:26, Kevin Wolf ha scritto:
> +flags = bs->open_flags | BDRV_O_RDWR;
>>> >> Do we take care to make the image read-only again after completion?
>> > 
>> > Not at the file-descriptor level, but bs->read_only is indeed restored
>> > to "true" via bdrv_swap.
>> > 
>> > Doing it on the file descriptor is possible with Jeff's bdrv_reopen 
>> > patches.
> Ah, right, obviously you can't do it before Jeff's patches are in. But
> yes, this is what I meant.

Still, the guest won't be able to issue writes after switching to the
destination, if it couldn't do so before.

Paolo

Re: [Qemu-devel] [PATCH 1/2] KVM: fix i8259 interrupt high to low transition logic

[Maciej W. Rozycki]

On Wed, 12 Sep 2012, Matthew Ogilvie wrote:

> Also, how big of a concern is a very rare gained or lost IRQ0
> actually?  Under normal conditions, I would expect this to at most
> cause a one time clock drift in the guest OS of a fraction of
> a second.  If that only happens when rebooting or migrating the
> guest...

 It depends on how you define "very rare".  Once per month or probably 
even per day is probably acceptable although you'll see a disruption in 
the system clock.  This is still likely unwanted if the system is used as 
a clock reference and not just wants to keep its clock right for own 
purposes.  Anything more frequent and NTP does care very much; an accurate 
system clock is important in many uses, starting from basic ones such as 
where timestamps of files exported over NFS are concerned.

 Speaking of real hw -- I don't know whether that really matters for 
emulated systems.  Thanks for looking into the 8254 PIT in details.

  Maciej

Re: [Qemu-devel] memtest 4.20+ does not work with -cpu host

[Gleb Natapov]

On Thu, Sep 13, 2012 at 02:56:33PM +0200, Peter Lieven wrote:
> On 13.09.2012 14:42, Gleb Natapov wrote:
> >On Thu, Sep 13, 2012 at 02:05:23PM +0200, Peter Lieven wrote:
> >>On 13.09.2012 10:05, Gleb Natapov wrote:
> >>>On Thu, Sep 13, 2012 at 10:00:26AM +0200, Paolo Bonzini wrote:
> Il 13/09/2012 09:57, Gleb Natapov ha scritto:
> >#rdmsr -0 0x194
> >00011100
> >#rdmsr -0 0xce
> >0c0004011103
> >>>Yes, that can help implementing it in KVM.  But without a spec to
> >>>understand what the bits actually mean, it's just as risky...
> >>>
> >>>Peter, do you have any idea where to get the spec of the memory
> >>>controller MSRs in Nehalem and newer processors?  Apparently, memtest 
> >>>is
> >>>using them (and in particular 0x194) to find the speed of the FSB, or
> >>>something like that.
> >>>
> >Why would anyone will want to run memtest in a vm? May be just add those
> >MSRs to ignore list and that's it.
> >From the output it looks like it's basically a list of bits.  Returning
> something sensible is better, same as for the speed scaling MSRs.
> 
> >>>Everything is list of bits in computers :) At least 0xce is documented in  
> >>>SDM.
> >>>It cannot be implemented in a migration safe manner.
> >>What do you suggest just say memtest does not work?
> >Why do you want to run it in a guest?
> Testing memory thorughput of different host memory layouts/settings
> (hugepages, ksm etc.).
In may days memtets looked for memory errors. This does not make much
sense in virtualized environment. What does it do today? Calculates
throughput? Does it prefaults memory before doing so, because otherwise
numbers will not be very meaningful when running inside VM. But since
memtets works on physical memory I doubt it prefaults.

> Stress testing new settings and qemu-kvm builds.
Why guest accessing memory stress qemu-kvm?

> Testing new nodes with a VM which claims all available pages. Its a
> lot easier than booting
> a node with a CD and attaching to the Console.
Boot Window, it access all memory :) or run with qemu64 like you say
below.

> 
> This, of course, is all not missing critical and call also be done
> with cpu model qemu64. I just
> came across memtest no longer working and where wondering if there
> is a general regressing.
> 
If it is a regression it is likely in memtest

> BTW, from 
> http://opensource.apple.com/source/xnu/xnu-1228.15.4/osfmk/i386/tsc.c?txt
>
You can send them patch to check that it runs in a VM and skip all that.
 
> #define MSR_FLEX_RATIO  0x194
> #define MSR_PLATFORM_INFO   0x0ce
> #define BASE_NHM_CLOCK_SOURCE   1ULL
> #define CPUID_MODEL_NEHALEM 26
> 
>   switch (cpuid_info()->cpuid_model) {
>   case CPUID_MODEL_NEHALEM: {
>   uint64_t cpu_mhz;
>   uint64_t msr_flex_ratio;
>   uint64_t msr_platform_info;
> 
>   /* See if FLEX_RATIO is being used */
>   msr_flex_ratio = rdmsr64(MSR_FLEX_RATIO);
>   msr_platform_info = rdmsr64(MSR_PLATFORM_INFO);
>   flex_ratio_min = (uint32_t)bitfield(msr_platform_info, 47, 40);
>   flex_ratio_max = (uint32_t)bitfield(msr_platform_info, 15, 8);
>   /* No BIOS-programed flex ratio. Use hardware max as default */
>   tscGranularity = flex_ratio_max;
>   if (msr_flex_ratio & bit(16)) {
>   /* Flex Enabled: Use this MSR if less than max */
>   flex_ratio = (uint32_t)bitfield(msr_flex_ratio, 15, 8);
>   if (flex_ratio < flex_ratio_max)
>   tscGranularity = flex_ratio;
>   }
> 
>   /* If EFI isn't configured correctly, use a constant
>* value. See 6036811.
>*/
>   if (busFreq == 0)
>   busFreq = BASE_NHM_CLOCK_SOURCE;
> 
>   cpu_mhz = tscGranularity * BASE_NHM_CLOCK_SOURCE;
> 
>   kprintf("[NHM] Maximum Non-Turbo Ratio = [%d]\n",
>   (uint32_t)tscGranularity);
>   kprintf("[NHM] CPU: Frequency  = %6d.%04dMhz\n",
>   (uint32_t)(cpu_mhz / Mega), (uint32_t)(cpu_mhz % Mega));
>   break;
> }
> 
> 
> 
> Peter

--
Gleb.

Re: [Qemu-devel] Rethinking missed tick catchup

[Gleb Natapov]

On Thu, Sep 13, 2012 at 07:14:08AM -0600, Eric Blake wrote:
> On 09/13/2012 04:49 AM, Gleb Natapov wrote:
> >> They do if you hibernate your laptop.
> >>
> > AFAIK libvirt migrates vm into a file on hibernate. It is better to move to 
> > S3
> > (using qemu-ga) instead and migrate to file only if s3 fails.
> 
> On host hibernate, libvirt currently does nothing to the guest.  When
> the host resumes, the guests see a large gap in execution.
> 
> Libvirt would need a hook into host hibernation, to have enough time to
> tell the guests to go into S3 prior to allowing the host to go into S3.
> 
> On host reboot, libvirt currently saves guests to disk using migrate to
> file.  The ideal solution would be to first tell the guest to go into S3
> before migrating to file, but the migration to file STILL must occur,
> because the host is about to reboot and S3 is not persistent.  S3 is a
> better solution than S4, in that S4 requires the guest to have enough
> memory (and if it doesn't cooperate, data is lost), but with S3, even if
> the guest doesn't cooperate, we can still fall back to migration to file
> with the guest only losing time, but not data.
> 
Correct, after S3 libvirt needs to migrate to file. So my AFAIK was
incorrect. Is it possible to hook into host hibernation?

--
Gleb.

[Qemu-devel] [PATCH] m68k: implement move to/from usp register instruction

[gerg]

From: Greg Ungerer 

Fill out the code support for the move to/from usp instructions. They are
being decoded, but there is no code to support there actions. So add it.

Current versions of Linux running on the ColdFire 5208 use these instructions.

Signed-off-by: Greg Ungerer 
---
 target-m68k/helper.c|   10 ++
 target-m68k/helpers.h   |2 ++
 target-m68k/translate.c |   10 ++
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/target-m68k/helper.c b/target-m68k/helper.c
index eac0053..722dbd9 100644
--- a/target-m68k/helper.c
+++ b/target-m68k/helper.c
@@ -229,6 +229,16 @@ void HELPER(movec)(CPUM68KState *env, uint32_t reg, 
uint32_t val)
 }
 }
 
+uint32_t HELPER(move_from_usp)(CPUM68KState * env)
+{
+return env->sp[M68K_USP];
+}
+
+void HELPER(move_to_usp)(CPUM68KState * env, uint32_t val)
+{
+env->sp[M68K_USP] = val;
+}
+
 void HELPER(set_macsr)(CPUM68KState *env, uint32_t val)
 {
 uint32_t acc;
diff --git a/target-m68k/helpers.h b/target-m68k/helpers.h
index cb8a0c7..bca780b 100644
--- a/target-m68k/helpers.h
+++ b/target-m68k/helpers.h
@@ -13,6 +13,8 @@ DEF_HELPER_3(sar_cc, i32, env, i32, i32)
 DEF_HELPER_2(xflag_lt, i32, i32, i32)
 DEF_HELPER_2(set_sr, void, env, i32)
 DEF_HELPER_3(movec, void, env, i32, i32)
+DEF_HELPER_1(move_from_usp, i32, env)
+DEF_HELPER_2(move_to_usp, void, env, i32)
 
 DEF_HELPER_2(f64_to_i32, f32, env, f64)
 DEF_HELPER_2(f64_to_f32, f32, env, f64)
diff --git a/target-m68k/translate.c b/target-m68k/translate.c
index 9fc1e31..5609240 100644
--- a/target-m68k/translate.c
+++ b/target-m68k/translate.c
@@ -1976,22 +1976,24 @@ DISAS_INSN(move_to_sr)
 
 DISAS_INSN(move_from_usp)
 {
+TCGv reg;
 if (IS_USER(s)) {
 gen_exception(s, s->pc - 2, EXCP_PRIVILEGE);
 return;
 }
-/* TODO: Implement USP.  */
-gen_exception(s, s->pc - 2, EXCP_ILLEGAL);
+reg = AREG(insn, 0);
+gen_helper_move_from_usp(reg, cpu_env);
 }
 
 DISAS_INSN(move_to_usp)
 {
+TCGv reg;
 if (IS_USER(s)) {
 gen_exception(s, s->pc - 2, EXCP_PRIVILEGE);
 return;
 }
-/* TODO: Implement USP.  */
-gen_exception(s, s->pc - 2, EXCP_ILLEGAL);
+reg = AREG(insn, 0);
+gen_helper_move_to_usp(cpu_env, reg);
 }
 
 DISAS_INSN(halt)
-- 
1.7.0.4

[Qemu-devel] [PATCH] m68k: fix usp processing on interrupt entry and exception exit

[gerg]

From: Greg Ungerer 

The action to potentially switch sp register is not occurring at the correct
point in the interrupt entry or exception exit sequences.

For the interrupt entry case the sp on entry is used to create the stack
exception frame - but this may well be the user stack pointer, since we
haven't done the switch yet. Re-order the flow to switch the sp regs then
use the current sp to create the exception frame.

For the return from exception case the code is unwinding the sp after
switching sp registers. But it should always unwind the supervisor sp
first, then carry out any required sp switch.

Note that these problems don't effect operation unless the user sp bit is
set in the CACR register. Only a single sp is used in the default power up
state. Previously Linux only used this single sp mode. But modern versions
of Linux use the user sp mode now, so we need correct behavior for Linux
to work.

Signed-off-by: Greg Ungerer 
---
 target-m68k/op_helper.c |7 +++
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/target-m68k/op_helper.c b/target-m68k/op_helper.c
index 1971a57..ac1a063 100644
--- a/target-m68k/op_helper.c
+++ b/target-m68k/op_helper.c
@@ -90,8 +90,8 @@ static void do_rte(void)
 env->pc = ldl_kernel(sp + 4);
 sp |= (fmt >> 28) & 3;
 env->sr = fmt & 0x;
-m68k_switch_sp(env);
 env->aregs[7] = sp + 8;
+m68k_switch_sp(env);
 }
 
 static void do_interrupt_all(int is_hw)
@@ -134,10 +134,7 @@ static void do_interrupt_all(int is_hw)
 
 vector = env->exception_index << 2;
 
-sp = env->aregs[7];
-
 fmt |= 0x4000;
-fmt |= (sp & 3) << 28;
 fmt |= vector << 16;
 fmt |= env->sr;
 
@@ -147,6 +144,8 @@ static void do_interrupt_all(int is_hw)
 env->sr &= ~SR_M;
 }
 m68k_switch_sp(env);
+sp = env->aregs[7];
+fmt |= (sp & 3) << 28;
 
 /* ??? This could cause MMU faults.  */
 sp &= ~3;
-- 
1.7.0.4

[Qemu-devel] [PATCH] m68k: implmenent more ColdFire 5208 interrupt controller functionality

[gerg]

From: Greg Ungerer 

Implement the SIMR and CIMR registers of the 5208 interrupt controller.
These are used by modern versions of Linux running on ColdFire (not sure
of the exact version they were introduced, but they have been in for quite
a while now).

Without this change when attempting to run a linux-3.5 kernel you will
see:

  qemu: hardware error: mcf_intc_write: Bad write offset 28

and execution will stop and dump out.

Signed-off-by: Greg Ungerer 
---
 hw/mcf_intc.c |   14 ++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/hw/mcf_intc.c b/hw/mcf_intc.c
index cc1a5f3..1811d0d 100644
--- a/hw/mcf_intc.c
+++ b/hw/mcf_intc.c
@@ -102,6 +102,20 @@ static void mcf_intc_write(void *opaque, 
target_phys_addr_t addr,
 case 0x0c:
 s->imr = (s->imr & 0xull) | (uint32_t)val;
 break;
+case 0x1c:
+if (val & 0x40) {
+s->imr = 0xull;
+} else {
+s->imr |= (0x1ull << (val & 0x3f));
+}
+break;
+case 0x1d:
+if (val & 0x40) {
+s->imr = 0ull;
+} else {
+s->imr &= ~(0x1ull << (val & 0x3f));
+}
+break;
 default:
 hw_error("mcf_intc_write: Bad write offset %d\n", offset);
 break;
-- 
1.7.0.4

Re: [Qemu-devel] [PATCH 1/2] KVM: fix i8259 interrupt high to low transition logic

[Jan Kiszka]

On 2012-09-13 15:41, Maciej W. Rozycki wrote:
> On Wed, 12 Sep 2012, Matthew Ogilvie wrote:
> 
>> Also, how big of a concern is a very rare gained or lost IRQ0
>> actually?  Under normal conditions, I would expect this to at most
>> cause a one time clock drift in the guest OS of a fraction of
>> a second.  If that only happens when rebooting or migrating the
>> guest...
> 
>  It depends on how you define "very rare".  Once per month or probably 
> even per day is probably acceptable although you'll see a disruption in 
> the system clock.  This is still likely unwanted if the system is used as 
> a clock reference and not just wants to keep its clock right for own 
> purposes.  Anything more frequent and NTP does care very much; an accurate 
> system clock is important in many uses, starting from basic ones such as 
> where timestamps of files exported over NFS are concerned.
> 
>  Speaking of real hw -- I don't know whether that really matters for 
> emulated systems.  Thanks for looking into the 8254 PIT in details.

First correct, then fast. That rule applies at least to the conceptual
phase. Also, for rarely used PIT modes, I would refrain from optimizing
them away from the specified behaviour.

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PATCH] hw: Add support for new LSI Logic devices.

[Michael S. Tsirkin]

On Tue, Sep 11, 2012 at 01:00:13PM -0400, Don Slutz wrote:
> +if (next_chain_offset) {
> +MptSGEntryChain sgec;
> +cpu_physical_memory_read(seg_start_pa + next_chain_offset,
> +&sgec, sizeof(MptSGEntryChain));
> +assert(sgec.u2ElementType == MPTSGENTRYTYPE_CHAIN);
> +next_sge_pa = sgec.u32SegmentAddressLow;
> +if (sgec.f64BitAddress) {
> +next_sge_pa |=
> +((uint64_t)sgec.u32SegmentAddressHigh) << 32;
> +}
> +seg_start_pa = next_sge_pa;
> +next_chain_offset = sgec.u8NextChainOffset * 
> sizeof(uint32_t);

BTW all this logic seems wrong on big endian.
Maybe we don't care short term but we do long term.
I think you need to fix it up using le_to_cpu or something.
And in particular this likely means bitfields can not be used cleanly,
so you will not be able to resync lsilogic.h from virtualbox.
The implication I guess is that we should just fix up the style
to match qemu.

-- 
MST

Re: [Qemu-devel] [PATCH 1/2] KVM: fix i8259 interrupt high to low transition logic

[Jan Kiszka]

On 2012-09-13 07:49, Matthew Ogilvie wrote:
> On Wed, Sep 12, 2012 at 10:57:57AM +0200, Jan Kiszka wrote:
>> On 2012-09-12 10:51, Avi Kivity wrote:
>>> On 09/12/2012 11:48 AM, Jan Kiszka wrote:
 On 2012-09-12 10:01, Avi Kivity wrote:
> On 09/10/2012 04:29 AM, Matthew Ogilvie wrote:
>> Intel's definition of "edge triggered" means: "asserted with a
>> low-to-high transition at the time an interrupt is registered
>> and then kept high until the interrupt is served via one of the
>> EOI mechanisms or goes away unhandled."
>>
>> So the only difference between edge triggered and level triggered
>> is in the leading edge, with no difference in the trailing edge.
>>
>> This bug manifested itself when the guest was Microport UNIX
>> System V/386 v2.1 (ca. 1987), because it would sometimes mask
>> off IRQ14 in the slave IMR after it had already been asserted.
>> The master would still try to deliver an interrupt even though
>> IRQ2 had dropped again, resulting in a spurious interupt
>> (IRQ15) and a panicked UNIX kernel.
>> diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
>> index adba28f..5cbba99 100644
>> --- a/arch/x86/kvm/i8254.c
>> +++ b/arch/x86/kvm/i8254.c
>> @@ -302,8 +302,12 @@ static void pit_do_work(struct kthread_work *work)
>>  }
>>  spin_unlock(&ps->inject_lock);
>>  if (inject) {
>> -kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 1);
>> +/* Clear previous interrupt, then create a rising
>> + * edge to request another interupt, and leave it at
>> + * level=1 until time to inject another one.
>> + */
>>  kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 0);
>> +kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 1);
>>  
>>  /*
>
> I thought I understood this, now I'm not sure.  How can this be correct?
>  Real hardware doesn't act like this.
>
> What if the PIT is disabled after this?  You're injecting a spurious
> interrupt then.

 Yes, the PIT has to raise the output as long as specified, i.e.
 according to the datasheet. That's important now due to the corrections
 to the PIC. We can then carefully check if there is room for
 simplifications / optimizations. I also cannot imagine that the above
 already fulfills these requirements.

 And if the PIT is disabled by the HPET, we need to clear the output
 explicitly as we inject the IRQ#0 under a different source ID than
 userspace HPET does (which will logically take over IRQ#0 control). The
 kernel would otherwise OR both sources to an incorrect result.

>>>
>>> I guess we need to double the hrtimer rate then in order to generate a
>>> square wave.  It's getting ridiculous how accurate our model needs to be.
>>
>> I would suggest to solve this for the userspace model first, ensure that
>> it works properly in all modes, maybe optimize it, and then decide how
>> to map all this on kernel space. As long as we have two models, we can
>> also make use of them.
> 
> Thoughts about the 8254 PIT:
> 
> First, this summary of (real) 8254 PIT behavior seems fairly
> good, as far it goes:
> 
> On Tue, Sep 04, 2012 at 07:27:38PM +0100, Maciej W. Rozycki wrote:
>>  * The 8254 PIT is normally configured in mode 2 or 3 in the PC/AT
>>architecture.  In the former its output is high (active) all the time
>>except from one (last) clock cycle.  In the latter a wave that has a
>>duty cycle close or equal to 0.5 (depending on whether the divider is
>>odd or even) is produced, so no short pulses either.  I don't remember
>>the other four modes -- have a look at the datasheet if interested, but
>>I reckon they're not really compatible with the wiring anyway, e.g. the
>>gate is hardwired enabled.
> 
> I've also just skimmed parts of the 8254 section of "The Indispensable PC
> Hardware Book", by Hans-Peter Messmer, Copyright 1994 Addison-Wesley,
> although I probably ought to read it more carefully.

http://download.intel.com/design/archives/periphrl/docs/23124406.pdf
should be the primary reference - as long as it leaves no open questions.

> 
> Under "normal" conditions, the 8254 part of the patch above should be
> indistinguishable from previous behavior.  The 8259's IRR will
> still show up as 1 until the interrupt is actually serviced,
> and no new interrupt will be serviced after one is serviced until
> another edge is injected via the high-low-high transition of the new
> code.  (Unless the guest resets the 8259 or maybe messes with IMR,
> but real hardware would generate extra interrupts in such cases as
> well.)
> 
> The new code sounds much closer to mode 2 described by
> Maciej, compared to the old code - except the duty cycle is
> effectively 100 percent instead of 99.[some n

Re: [Qemu-devel] Rethinking missed tick catchup

[Anthony Liguori]

"Daniel P. Berrange"  writes:

> On Thu, Sep 13, 2012 at 07:14:08AM -0600, Eric Blake wrote:
>> On 09/13/2012 04:49 AM, Gleb Natapov wrote:
>> >> They do if you hibernate your laptop.
>> >>
>> > AFAIK libvirt migrates vm into a file on hibernate. It is better to move 
>> > to S3
>> > (using qemu-ga) instead and migrate to file only if s3 fails.
>> 
>> On host hibernate, libvirt currently does nothing to the guest.  When
>> the host resumes, the guests see a large gap in execution.
>> 
>> Libvirt would need a hook into host hibernation, to have enough time to
>> tell the guests to go into S3 prior to allowing the host to go into S3.
>> 
>> On host reboot, libvirt currently saves guests to disk using migrate to
>> file.  The ideal solution would be to first tell the guest to go into S3
>> before migrating to file, but the migration to file STILL must occur,
>> because the host is about to reboot and S3 is not persistent.  S3 is a
>> better solution than S4, in that S4 requires the guest to have enough
>> memory (and if it doesn't cooperate, data is lost), but with S3, even if
>> the guest doesn't cooperate, we can still fall back to migration to file
>> with the guest only losing time, but not data.
>
> Trying to hook into host S3/S4 and do magic to the guests is just
> asking for trouble. Not only can it arbitrarily delay the host going
> into S3/S4, but it is not reliable in general, even for OS which do
> support it. Much better off hooking into the resume path on the host
> and issuing a QEMU GA call to each running guest to resync their
> clocks

I think it's better for QEMU to talk to qemu-ga.  We can tell when a large
period of time has passed in QEMU because we'll accumulate a large
number of missed ticks.

This could happen because of stop, host suspend, live migration to a
file, etc.

It's much easier for us to call into qemu-ga to do the time correction
whenever this event occurs than to try and have libvirt figure out when
it's necessary.

We know exactly when it's necessary, libvirt would need to guess.

Yes, we could generate a QMP event when a large skew was dedicated, but
I think this could happen often enough that it would be problematic.
Since QEMU is already implementing policy doing timer catchup in the
first place, I think we probably should own time catchup policy entirely.

Regards,

Anthony Liguori

>
> Regards,
> Daniel
> -- 
> |: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org  -o- http://virt-manager.org :|
> |: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] [PATCH 27/47] block: introduce mirror job

[Paolo Bonzini]

Il 13/09/2012 14:54, Kevin Wolf ha scritto:
>> > +ret = bdrv_co_is_allocated_above(bs, base,
>> > + sector_num, next - 
>> > sector_num, &n);
>> > +
>> > +if (ret < 0) {
>> > +break;
>> > +} else if (ret == 1) {
>> > +bdrv_set_dirty(bs, sector_num, n);
>> > +sector_num = next;
>> > +} else {
>> > +sector_num += n;
>> > +}
> Maybe it would be worth checking for n == 0 and returning an error in
> that case. One example where this happens is when asking for the
> allocation status after EOF. It shouldn't happen as long as
> bdrv_truncate() is forbidden while the job runs, but an extra check
> rarely hurts.

This is just an initialization loop, so I'll add an assertion instead.

>> > +}
>> > +}
>> > +
>> > +if (ret < 0) {
>> > +goto immediate_exit;
>> > +}
> Why not do that directly instead of having a break; first just to get here?

Good idea.

>> > +
>> > +s->sector_num = -1;
>> > +for (;;) {
>> > +uint64_t delay_ns;
>> > +int64_t cnt;
>> > +bool should_complete;
>> > +
>> > +cnt = bdrv_get_dirty_count(bs);
>> > +if (cnt != 0) {
>> > +ret = mirror_iteration(s);
>> > +if (ret < 0) {
>> > +break;
> goto immediate_exit? It's the same now, but code after the loop may be
> added in the future.

That's why there is a break. :)  There will be code added later before
immediate_exit.  But it is just an if statement that will never be true
if mirroring hasn't started ye, so it can also go after.  I'll change to
goto and move that if statement after the label.

>> > +}
>> > +cnt = bdrv_get_dirty_count(bs);
>> > +}
>> > +
>> > +if (cnt != 0) {
>> > +should_complete = false;
>> > +} else {
>> > +trace_mirror_before_flush(s);
>> > +bdrv_flush(s->target);
> No error handling?

Will add.

Paolo

Re: [Qemu-devel] [PATCH 03/13] pseries: Use new method to correct reset sequence

[Andreas Färber]

David,

Am 13.09.2012 04:57, schrieb David Gibson:
> A number of things need to occur during reset of the PAPR
> paravirtualized platform in a specific order.  For example, the hash
> table needs to be cleared before the CPUs are reset, so that they
> initialize their register state correctly, and the CPUs need to have
> their main reset called before we set up the entry point state on the
> boot cpu.  We also need to have the main qdev reset happen before the
> creation and installation of the device tree for the new boot, because
> we need the state of the devices settled to correctly construct the
> device tree.
> 
> We currently do the pseries once-per-reset initializations done from a
> reset handler.  However we can't adequately control when this handler
> is called during the reset - in particular we can't guarantee it
> happens after all the qdev resets (since qdevs might be registered
> after the machine init function has executed).
> 
> This patch uses the new QEMUMachine reset method to to fix this
> problem, ensuring the various order dependent reset steps happen in
> the correct order.
> 
> Signed-off-by: David Gibson 

I'm pretty sure I already added

Reviewed-by: Andreas Färber 

in another thread. Please don't constantly regroup your patches or at
least carry over the tags.

Thanks,
Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH 02/13] pseries: Fix and cleanup CPU initialization and reset

[Andreas Färber]

Am 13.09.2012 04:57, schrieb David Gibson:
> The current pseries machine init function iterates over the CPUs at several
> points, doing various bits of initialization.  This is messy; these can
> and should be merged into a single iteration doing all the necessary per
> cpu initialization.  Worse, some of these initializations were setting up
> state which should be set on every reset, not just at machine init time.
> A few of the initializations simply weren't necessary at all.
> 
> This patch, therefore, moves those things that need to be to the
> per-cpu reset handler, and combines the remainder into two loops over
> the cpus (which also creates them).  The second loop is for setting up
> hash table information, and will be removed in a subsequent patch also
> making other fixes to the hash table setup.
> 
> This exposes a bug in our start-cpu RTAS routine (called by the guest to
> start up CPUs other than CPU0) under kvm.  Previously, this function did
> not make a call to ensure that it's changes to the new cpu's state were
> pushed into KVM in-kernel state.  We sort-of got away with this because
> some of the initializations had already placed the secondary CPUs into the
> right starting state for the sorts of Linux guests we've been running.
> 
> Nonetheless the start-cpu RTAS call's behaviour was not correct and could
> easily have been broken by guest changes.  This patch also fixes it.
> 
> Signed-off-by: David Gibson 

Thanks for changing the comment,

Reviewed-by: Andreas Färber 

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH 2/4] tcg/i386: Remove unused registers from tcg_target_call_iarg_regs

[Richard Henderson]

On 09/12/2012 10:50 PM, Stefan Weil wrote:
> I could use conditional compilation for those accesses,
> but first I'd like to understand why this works at all.

Before your patch you mean?

Because those are the registers reserved by the "L" constraint.


r~

Re: [Qemu-devel] Rethinking missed tick catchup

[Gleb Natapov]

On Thu, Sep 13, 2012 at 09:06:29AM -0500, Anthony Liguori wrote:
> "Daniel P. Berrange"  writes:
> 
> > On Thu, Sep 13, 2012 at 07:14:08AM -0600, Eric Blake wrote:
> >> On 09/13/2012 04:49 AM, Gleb Natapov wrote:
> >> >> They do if you hibernate your laptop.
> >> >>
> >> > AFAIK libvirt migrates vm into a file on hibernate. It is better to move 
> >> > to S3
> >> > (using qemu-ga) instead and migrate to file only if s3 fails.
> >> 
> >> On host hibernate, libvirt currently does nothing to the guest.  When
> >> the host resumes, the guests see a large gap in execution.
> >> 
> >> Libvirt would need a hook into host hibernation, to have enough time to
> >> tell the guests to go into S3 prior to allowing the host to go into S3.
> >> 
> >> On host reboot, libvirt currently saves guests to disk using migrate to
> >> file.  The ideal solution would be to first tell the guest to go into S3
> >> before migrating to file, but the migration to file STILL must occur,
> >> because the host is about to reboot and S3 is not persistent.  S3 is a
> >> better solution than S4, in that S4 requires the guest to have enough
> >> memory (and if it doesn't cooperate, data is lost), but with S3, even if
> >> the guest doesn't cooperate, we can still fall back to migration to file
> >> with the guest only losing time, but not data.
> >
> > Trying to hook into host S3/S4 and do magic to the guests is just
> > asking for trouble. Not only can it arbitrarily delay the host going
> > into S3/S4, but it is not reliable in general, even for OS which do
> > support it. Much better off hooking into the resume path on the host
> > and issuing a QEMU GA call to each running guest to resync their
> > clocks
> 
> I think it's better for QEMU to talk to qemu-ga.  We can tell when a large
> period of time has passed in QEMU because we'll accumulate a large
> number of missed ticks.
> 
With RTC configured to use vm clock we will not.

> This could happen because of stop, host suspend, live migration to a
> file, etc.
> 
> It's much easier for us to call into qemu-ga to do the time correction
> whenever this event occurs than to try and have libvirt figure out when
> it's necessary.
And if guest does not have qemu-ga what is better inject interrupts like
crazy for next 2 minutes or leave guest with incorrect time?

> 
> We know exactly when it's necessary, libvirt would need to guess.
> 
> Yes, we could generate a QMP event when a large skew was dedicated, but
> I think this could happen often enough that it would be problematic.
> Since QEMU is already implementing policy doing timer catchup in the
> first place, I think we probably should own time catchup policy entirely.
> 
> Regards,
> 
> Anthony Liguori
> 
> >
> > Regards,
> > Daniel
> > -- 
> > |: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ 
> > :|
> > |: http://libvirt.org  -o- http://virt-manager.org 
> > :|
> > |: http://autobuild.org   -o- http://search.cpan.org/~danberr/ 
> > :|
> > |: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc 
> > :|

--
Gleb.

Re: [Qemu-devel] [PATCH v2 3/3] Fix address handling in inet_nonblocking_connect

[Orit Wasserman]

On 13 בספט 2012, at 16:30, "Michael S. Tsirkin"  wrote:

> On Thu, Sep 13, 2012 at 03:22:24PM +0200, Markus Armbruster wrote:
>>> +/* Struct to store connect state for non blocking connect */
>>> +typedef struct ConnectState {
>>> +int fd;
>>> +struct addrinfo *addr_list;
>>> +struct addrinfo *current_addr;
>>> +ConnectHandler *callback;
>>> +void *opaque;
>>> +Error *errp;
>>> +} ConnectState;
>>> +
>>> +static ConnectState connect_state = {
>>> +.fd = -1,
>>> +};
>> 
>> Why does a single connect_state suffice?
> 
> Even if it does for the specific use, better not to
> make assumptions about API use. Let's pass connect state
> to APIs.
I agree,
Orit

Re: [Qemu-devel] [PATCH 2/4] tcg/i386: Remove unused registers from tcg_target_call_iarg_regs

[Peter Maydell]

On 13 September 2012 06:50, Stefan Weil  wrote:
> Am 12.09.2012 23:18, schrieb Peter Maydell:
>> This makes the array zero-length for 32 bit targets, but functions
>> like tcg_out_tlb_load() and tcg_out_qemu_ld() still unconditionally
>> access elements in it...

> Thanks for the hint. I'm afraid there are a lot more functions
> of that kind in i386/tcg-target.c.
>
> I could use conditional compilation for those accesses,
> but first I'd like to understand why this works at all.

The functions in question are generating code that needs to
use some temporary registers. (As RTH says, this lines up with
the L constraint marking those registers as not usable for the
relevant TCG operands.) To avoid unnecessary register
copies in the old pre-commit-6a18ae2d register-based calling
convention, they are forcing those temporary registers to be
the same as some of the registers that were used for function
arguments.

Now we no longer use a register-based calling convention it
doesn't matter which registers we use as long as the functions
and the constraint definitions match up. The only tricky bit
will be that the 64-bit-target cases do still care about
using the same registers as are used for function  inputs.

-- PMM

Re: [Qemu-devel] Rethinking missed tick catchup

[Avi Kivity]

On 09/13/2012 05:22 PM, Gleb Natapov wrote:
>> 
>> It's much easier for us to call into qemu-ga to do the time correction
>> whenever this event occurs than to try and have libvirt figure out when
>> it's necessary.

> And if guest does not have qemu-ga what is better inject interrupts like
> crazy for next 2 minutes or leave guest with incorrect time?

We can try to S3 and resume the guest.  The guest will assume that it
has slept for an unknown amount of time and resync from the RTC.

This may not work for really old server oriented guests.

-- 
error compiling committee.c: too many arguments to function