[Qemu-devel] KVM call for agenda for 2015-03-17

2015-03-16 Thread Juan Quintela


Hi

Please, send any topic that you are interested in covering.


 Call details:

By popular demand, a google calendar public entry with it

  
https://www.google.com/calendar/embed?src=dG9iMXRqcXAzN3Y4ZXZwNzRoMHE4a3BqcXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ

(Let me know if you have any problems with the calendar entry.  I just
gave up on getting CEST, CET, EDT and DST right at the same time).

If you need phone number details,  contact me privately

Thanks, Juan.

PS. Notice that the TZ daylight savings change differs if you are not in sync with
the USA :p




Re: [Qemu-devel] [PATCH v3] vl: fix resource leak with monitor_fdset_add_fd

2015-03-16 Thread Markus Armbruster
Paolo Bonzini  writes:

> monitor_fdset_add_fd returns an AddfdInfo struct (used by the QMP
> command add_fd).  Free it.
>
> Signed-off-by: Paolo Bonzini 
> ---
>   v1->v2: line length [Fam], pass &error_abort [Shannon]
> v2->v3: use "!!" instead of "? true : false" [Markus]
> ---
>  vl.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/vl.c b/vl.c
> index eba5d4c..5985680 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -1011,6 +1011,7 @@ static int parse_add_fd(QemuOpts *opts, void *opaque)
>  int fd, dupfd, flags;
>  int64_t fdset_id;
>  const char *fd_opaque = NULL;
> +AddfdInfo *fdinfo;
>  
>  fd = qemu_opt_get_number(opts, "fd", -1);
>  fdset_id = qemu_opt_get_number(opts, "set", -1);
> @@ -1060,8 +1061,9 @@ static int parse_add_fd(QemuOpts *opts, void *opaque)
>  }
>  
>  /* add the duplicate fd, and optionally the opaque string, to the fd set 
> */
> -monitor_fdset_add_fd(dupfd, true, fdset_id, fd_opaque ? true : false,
> - fd_opaque, NULL);
> +fdinfo = monitor_fdset_add_fd(dupfd, true, fdset_id, !!fd_opaque, 
> fd_opaque,
> +  &error_abort);
> +g_free(fdinfo);
>  
>  return 0;
>  }
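Review bot: replacing the NULL error pointer with &error_abort means any failure inside monitor_fdset_add_fd() for a user-supplied -add-fd option now abort()s QEMU at startup instead of being ignored; that is only acceptable if no failure path remains reachable once the earlier fd/set/dup checks in parse_add_fd() have passed, which this hunk does not show. If one is reachable, take a local Error, error_report() it and return -1 like the other failures in this function. Freeing the result with g_free() is fine as long as AddfdInfo has no pointer members; if it grows any, this needs qapi_free_AddfdInfo() instead.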

Aside: monitor_fdset_add_fd()'s two has_ parameters are rather
unnatural.

Reviewed-by: Markus Armbruster 



Re: [Qemu-devel] [PATCH] hw/bt/sdp: Fix resource leak detect by coverity

2015-03-16 Thread Markus Armbruster
Paolo Bonzini  writes:

> On 15/03/2015 11:23, Michael Tokarev wrote:
>> Or, alternatively, to keep this `data' pointer in sdp to use it in
>> bt_l2cap_sdp_close_ch().
>
> Yes.
>
>>> > In any case, it seems simpler to just leave this code aside.
>> How many times this code is called?
>> 
>> We have many many places in qemu where resources are allocated once
>> at startup and never freed just because there's no need to.
>
> Well, in this case the bug in bt_l2cap_sdp_close_ch is much worse than a
> resource leak.  But bluetooth is not the utmost priority in QEMU
> development...

To put it more bluntly: it's rotting in peace.

Occasional drive-by fixes won't stop the rot; a dedicated maintainer
could.



Re: [Qemu-devel] [PATCH v3 1/4] exec: Atomic access to bounce buffer

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 06:31, Fam Zheng wrote:
> There could be a race condition when two processes call
> address_space_map concurrently and both want to use the bounce buffer.
> 
> Add an in_use flag in BounceBuffer to sync it.
> 
> Signed-off-by: Fam Zheng 
> ---
>  exec.c | 5 -
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/exec.c b/exec.c
> index e97071a..4080044 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2483,6 +2483,7 @@ typedef struct {
>  void *buffer;
>  hwaddr addr;
>  hwaddr len;
> +bool in_use;
>  } BounceBuffer;
>  
>  static BounceBuffer bounce;
> @@ -2571,9 +2572,10 @@ void *address_space_map(AddressSpace *as,
>  l = len;
>  mr = address_space_translate(as, addr, &xlat, &l, is_write);
>  if (!memory_access_is_direct(mr, is_write)) {
> -if (bounce.buffer) {
> +if (atomic_xchg(&bounce.in_use, true)) {
>  return NULL;
>  }
> +smp_mb();

smp_mb() not needed.

Ok with this change.

Paolo

>  /* Avoid unbounded allocations */
>  l = MIN(l, TARGET_PAGE_SIZE);
>  bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
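Review bot: between the atomic_xchg() that claims in_use and the bounce.buffer assignment after qemu_memalign() a few lines down, in_use is already true while bounce.buffer is still NULL, so bounce.buffer can no longer be used as the ownership indicator anywhere else now that the old `if (bounce.buffer)` test is gone; a one-line comment on the struct field saying that in_use is the only claim flag would prevent that being reintroduced. The smp_mb() after the exchange adds nothing, since atomic_xchg() is already a full barrier.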
> @@ -2641,6 +2643,7 @@ void address_space_unmap(AddressSpace *as, void 
> *buffer, hwaddr len,
>  qemu_vfree(bounce.buffer);
>  bounce.buffer = NULL;
>  memory_region_unref(bounce.mr);
> +atomic_mb_set(&bounce.in_use, false);
>  cpu_notify_map_clients();
>  }
>  
> 
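Review bot: clearing in_use with atomic_mb_set() only after bounce.buffer has been freed and set to NULL is the right order, but ownership is released before cpu_notify_map_clients() runs, so a third caller of address_space_map() can claim the buffer between the two lines. Notified clients therefore have to treat a second NULL from address_space_map() as normal and re-register, rather than assume the wakeup means the buffer is theirs; worth a comment here or on cpu_register_map_client().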



Re: [Qemu-devel] [PATCH v3 2/4] exec: Protect map_client_list with mutex

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 06:31, Fam Zheng wrote:
> So that accesses from multiple threads are safe.
> 
> Signed-off-by: Fam Zheng 
> ---
>  exec.c | 24 +++-
>  1 file changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 4080044..3e54580 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -429,15 +429,6 @@ address_space_translate_for_iotlb(CPUState *cpu, hwaddr 
> addr,
>  }
>  #endif
>  
> -void cpu_exec_init_all(void)
> -{
> -#if !defined(CONFIG_USER_ONLY)
> -qemu_mutex_init(&ram_list.mutex);
> -memory_map_init();
> -io_mem_init();
> -#endif
> -}
> -
>  #if !defined(CONFIG_USER_ONLY)
>  
>  static int cpu_common_post_load(void *opaque, int version_id)
> @@ -2494,6 +2485,7 @@ typedef struct MapClient {
>  QLIST_ENTRY(MapClient) link;
>  } MapClient;
>  
> +QemuMutex map_client_list_lock;
>  static QLIST_HEAD(map_client_list, MapClient) map_client_list
>  = QLIST_HEAD_INITIALIZER(map_client_list);
>  
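Review bot: `QemuMutex map_client_list_lock;` is declared without `static` while the map_client_list it protects is static; nothing outside exec.c needs the lock, so make it static too (as written it also becomes an implicit extern with no header prototype).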
> @@ -2501,12 +2493,24 @@ void *cpu_register_map_client(void *opaque, void 
> (*callback)(void *opaque))
>  {
>  MapClient *client = g_malloc(sizeof(*client));
>  
> +qemu_mutex_lock(&map_client_list_lock);
>  client->opaque = opaque;
>  client->callback = callback;
>  QLIST_INSERT_HEAD(&map_client_list, client, link);
> +qemu_mutex_unlock(&map_client_list_lock);
>  return client;
>  }
>  
> +void cpu_exec_init_all(void)
> +{
> +#if !defined(CONFIG_USER_ONLY)
> +qemu_mutex_init(&ram_list.mutex);
> +memory_map_init();
> +io_mem_init();
> +#endif
> +qemu_mutex_init(&map_client_list_lock);
> +}
> +

You are moving cpu_exec_init_all within an #ifndef CONFIG_USER_ONLY.
Does this patch compile for user-mode emulation?

The move itself is okay but only if you remove the two calls in
*-user/main.c (and possibly move the prototype to include/exec/exec-all.h).

>  static void cpu_unregister_map_client(void *_client)
>  {
>  MapClient *client = (MapClient *)_client;
> @@ -2519,11 +2523,13 @@ static void cpu_notify_map_clients(void)
>  {
>  MapClient *client;
>  
> +qemu_mutex_lock(&map_client_list_lock);
>  while (!QLIST_EMPTY(&map_client_list)) {
>  client = QLIST_FIRST(&map_client_list);
>  client->callback(client->opaque);

A good rule of thumb is never hold a lock while calling "unknown" code.
 This will be fixed in patch 4, so it's okay.

Paolo

>  cpu_unregister_map_client(client);
>  }
> +qemu_mutex_unlock(&map_client_list_lock);
>  }
>  
>  bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool 
> is_write)
> 
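Review bot: client->callback() is now invoked with map_client_list_lock held, and QemuMutex is not recursive; a callback that immediately retries address_space_map(), gets NULL again, and calls cpu_register_map_client() will deadlock on qemu_mutex_lock(&map_client_list_lock). If this intentionally stays until patch 4 replaces the direct callback with a BH, say so in the commit message so that a bisect landing on this patch is not a surprise.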



Re: [Qemu-devel] [PATCH v3 3/4] exec: Notify cpu_register_map_client caller if the bounce buffer is available

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 06:31, Fam Zheng wrote:
> The caller's workflow is like
> 
> if (!address_space_map()) {
> ...
> cpu_register_map_client();
> }
> 
> If bounce buffer became available after address_space_map() but before
> cpu_register_map_client(), the caller could miss it and has to wait for the
> next bounce buffer notify, which may never happen in the worst case.
> 
> Just notify the list in cpu_register_map_client().
> 
> Signed-off-by: Fam Zheng 
> ---
>  exec.c | 22 +++---
>  1 file changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/exec.c b/exec.c
> index 3e54580..20381a0 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2489,6 +2489,17 @@ QemuMutex map_client_list_lock;
>  static QLIST_HEAD(map_client_list, MapClient) map_client_list
>  = QLIST_HEAD_INITIALIZER(map_client_list);
>  
> +static void cpu_notify_map_clients_unlocked(void)
> +{
> +MapClient *client;
> +
> +while (!QLIST_EMPTY(&map_client_list)) {
> +client = QLIST_FIRST(&map_client_list);
> +client->callback(client->opaque);
> +cpu_unregister_map_client(client);
> +}
> +}

Isn't the convention to call these functions "*_locked" (e.g.
timer_mod_ns_locked, monitor_flush_locked, cpu_get_clock_locked)?

Otherwise okay.

Paolo

> +
>  void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
>  {
>  MapClient *client = g_malloc(sizeof(*client));
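Review bot: cpu_notify_map_clients_unlocked() calls cpu_unregister_map_client(), which is static and is still defined further down in the file (the later hunk header shows it at the 2521/2535 region), so this needs a forward declaration here or the function moved above; patch 4 adds a forward declaration for the renamed cpu_unregister_map_client_do(), but this patch should build on its own.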
> @@ -2497,6 +2508,9 @@ void *cpu_register_map_client(void *opaque, void 
> (*callback)(void *opaque))
>  client->opaque = opaque;
>  client->callback = callback;
>  QLIST_INSERT_HEAD(&map_client_list, client, link);
> +if (!atomic_read(&bounce.in_use)) {
> +cpu_notify_map_clients_unlocked();
> +}
>  qemu_mutex_unlock(&map_client_list_lock);
>  return client;
>  }
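Review bot: when bounce.in_use is already false, cpu_notify_map_clients_unlocked() runs the just-inserted client's callback and then cpu_unregister_map_client() frees it, yet `return client;` still hands the freed pointer back to the caller. Either return NULL in that case or stop returning a handle at all, which is what patch 4 ends up doing.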
> @@ -2521,14 +2535,8 @@ static void cpu_unregister_map_client(void *_client)
>  
>  static void cpu_notify_map_clients(void)
>  {
> -MapClient *client;
> -
>  qemu_mutex_lock(&map_client_list_lock);
> -while (!QLIST_EMPTY(&map_client_list)) {
> -client = QLIST_FIRST(&map_client_list);
> -client->callback(client->opaque);
> -cpu_unregister_map_client(client);
> -}
> +cpu_notify_map_clients_unlocked();
>  qemu_mutex_unlock(&map_client_list_lock);
>  }
>  
> 
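The three exec.c patches above (atomic claim of the bounce buffer in 1/4, the list lock in 2/4, the notify-on-register in 3/4) are easier to reason about in a small stand-alone model. The following is an added example, not code from QEMU or from this series: bounce_map(), bounce_unmap() and register_map_client() are invented names standing in for address_space_map(), address_space_unmap() and cpu_register_map_client(), C11 atomics replace QEMU's atomic_xchg()/atomic_mb_set(), and an atomic_flag spinlock stands in for QemuMutex. run_scenario() replays the interleavings from the commit messages deterministically, including the lost-wakeup window that 3/4 closes.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Model of exec.c's single bounce buffer: in_use is the ownership flag,
 * claimed with an atomic exchange as address_space_map() does in patch 1. */
static struct {
    atomic_bool in_use;
    void *buffer;
} bounce;

/* Waiters for the buffer (the MapClient list in exec.c). */
typedef struct MapClient {
    void (*callback)(void *opaque);
    void *opaque;
    struct MapClient *next;
} MapClient;

static MapClient *map_client_list;
static atomic_flag map_client_list_lock = ATOMIC_FLAG_INIT;   /* QemuMutex stand-in */
#define list_lock()   while (atomic_flag_test_and_set(&map_client_list_lock)) {}
#define list_unlock() atomic_flag_clear(&map_client_list_lock)

/* address_space_map() for the indirect case. The seq_cst exchange is a full
 * barrier on its own, which is why the extra smp_mb() was dropped. */
void *bounce_map(size_t len)
{
    if (atomic_exchange(&bounce.in_use, true)) {
        return NULL;                    /* another mapper owns the buffer */
    }
    bounce.buffer = malloc(len);
    return bounce.buffer;
}

/* Called with the list lock held: wake each waiter once and drop it. The
 * callback must not re-enter the list (patch 4 moves it into a BH for that). */
static void notify_map_clients_locked(void)
{
    while (map_client_list) {
        MapClient *c = map_client_list;
        map_client_list = c->next;
        c->callback(c->opaque);
        free(c);
    }
}

/* address_space_unmap(): give up ownership first, then wake the waiters. */
void bounce_unmap(void)
{
    free(bounce.buffer);
    bounce.buffer = NULL;
    atomic_store(&bounce.in_use, false);
    list_lock();
    notify_map_clients_locked();
    list_unlock();
}

/* cpu_register_map_client(). notify_if_free is the patch 3 change: if the
 * buffer was released between the failed map and this call, wake the caller
 * now instead of waiting for an unmap that may never come. */
void register_map_client(void (*cb)(void *), void *opaque, bool notify_if_free)
{
    MapClient *c = malloc(sizeof(*c));
    c->callback = cb;
    c->opaque = opaque;
    list_lock();
    c->next = map_client_list;
    map_client_list = c;
    if (notify_if_free && !atomic_load(&bounce.in_use)) {
        notify_map_clients_locked();
    }
    list_unlock();
}

static int woken;                       /* bumped by count_wakeup() */
static void count_wakeup(void *opaque) { (*(int *)opaque)++; }

/* A owns the buffer, B's map is refused. Returns how often B was woken.
 * release_before_register=false: A unmaps after B registered, so 1.
 * release_before_register=true is the lost-wakeup window: without the
 * patch 3 check B waits forever (0); with it B is woken at once (1). */
int run_scenario(bool release_before_register, bool with_fix)
{
    if (bounce_map(1) != NULL) {        /* flush waiters from an earlier run */
        bounce_unmap();
    }
    woken = 0;
    if (bounce_map(64) == NULL || bounce_map(64) != NULL) {
        return -1;                      /* A must claim, B must be refused */
    }
    if (release_before_register) {
        bounce_unmap();                 /* the window: nobody registered yet */
    }
    register_map_client(count_wakeup, &woken, with_fix);
    if (!release_before_register) {
        bounce_unmap();
    }
    return woken;
}
```

run_scenario(true, false) returning 0 is the hang the 3/4 commit message describes; run_scenario(true, true) returning 1 is the fix. The model keeps the callback under the list lock on purpose, so it also shows why Paolo's rule of thumb matters: a callback that called register_map_client() would spin on the lock forever here, exactly as it would deadlock on the QemuMutex in exec.c.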



Re: [Qemu-devel] [PATCH v3 4/4] dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 06:31, Fam Zheng wrote:
> If DMA's owning thread cancels the IO while the bounce buffer's owning thread
> is notifying the "cpu client list", a use-after-free happens:
> 
>  continue_after_map_failure   dma_aio_cancel
>  --
>  aio_bh_new
>   qemu_bh_delete
>  qemu_bh_schedule (use after free)
> 
> Also, the old code doesn't run the bh in the right AioContext.
> 
> Fix both problems by passing a QEMUBH to cpu_register_map_client.
> 
> Signed-off-by: Fam Zheng 
> ---
>  dma-helpers.c | 17 -
>  exec.c| 32 +---
>  include/exec/cpu-common.h |  3 ++-
>  3 files changed, 31 insertions(+), 21 deletions(-)
> 
> diff --git a/dma-helpers.c b/dma-helpers.c
> index 6918572..1fddf6a 100644
> --- a/dma-helpers.c
> +++ b/dma-helpers.c
> @@ -92,14 +92,6 @@ static void reschedule_dma(void *opaque)
>  dma_blk_cb(dbs, 0);
>  }
>  
> -static void continue_after_map_failure(void *opaque)
> -{
> -DMAAIOCB *dbs = (DMAAIOCB *)opaque;
> -
> -dbs->bh = qemu_bh_new(reschedule_dma, dbs);
> -qemu_bh_schedule(dbs->bh);
> -}
> -
>  static void dma_blk_unmap(DMAAIOCB *dbs)
>  {
>  int i;
> @@ -161,7 +153,9 @@ static void dma_blk_cb(void *opaque, int ret)
>  
>  if (dbs->iov.size == 0) {
>  trace_dma_map_wait(dbs);
> -cpu_register_map_client(dbs, continue_after_map_failure);
> +dbs->bh = aio_bh_new(blk_get_aio_context(dbs->blk),
> + reschedule_dma, dbs);
> +cpu_register_map_client(dbs->bh);
>  return;
>  }
>  
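Review bot: dbs->bh is assigned a fresh aio_bh_new() each time this branch is taken; unless reschedule_dma() (not shown here) deletes the BH and clears dbs->bh before calling dma_blk_cb(), a second map failure leaks the previous BH and leaves dma_aio_cancel() unable to find it. Creating the BH in blk_get_aio_context(dbs->blk) does address the wrong-AioContext problem named in the commit message.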
> @@ -183,6 +177,11 @@ static void dma_aio_cancel(BlockAIOCB *acb)
>  if (dbs->acb) {
>  blk_aio_cancel_async(dbs->acb);
>  }
> +if (dbs->bh) {
> +cpu_unregister_map_client(dbs->bh);
> +qemu_bh_delete(dbs->bh);
> +dbs->bh = NULL;
> +}
>  }
>  
>  
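Review bot: the ordering here deserves a comment: cpu_unregister_map_client(dbs->bh) has to run before qemu_bh_delete(), otherwise the notifier could still find the MapClient and qemu_bh_schedule() a deleted BH, which is the use-after-free the commit message describes. dbs->bh is tested and cleared without any lock, so this relies on dma_aio_cancel() and dma_blk_cb() running in the same AioContext; state that assumption.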
> diff --git a/exec.c b/exec.c
> index 20381a0..b15ca5e 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -2480,8 +2480,7 @@ typedef struct {
>  static BounceBuffer bounce;
>  
>  typedef struct MapClient {
> -void *opaque;
> -void (*callback)(void *opaque);
> +QEMUBH *bh;
>  QLIST_ENTRY(MapClient) link;
>  } MapClient;
>  
> @@ -2489,30 +2488,29 @@ QemuMutex map_client_list_lock;
>  static QLIST_HEAD(map_client_list, MapClient) map_client_list
>  = QLIST_HEAD_INITIALIZER(map_client_list);
>  
> +static void cpu_unregister_map_client_do(MapClient *client);
>  static void cpu_notify_map_clients_unlocked(void)
>  {
>  MapClient *client;
>  
>  while (!QLIST_EMPTY(&map_client_list)) {
>  client = QLIST_FIRST(&map_client_list);
> -client->callback(client->opaque);
> -cpu_unregister_map_client(client);
> +qemu_bh_schedule(client->bh);
> +cpu_unregister_map_client_do(client);
>  }
>  }
>  
> -void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
> +void cpu_register_map_client(QEMUBH *bh)
>  {
>  MapClient *client = g_malloc(sizeof(*client));
>  
>  qemu_mutex_lock(&map_client_list_lock);
> -client->opaque = opaque;
> -client->callback = callback;
> +client->bh = bh;
>  QLIST_INSERT_HEAD(&map_client_list, client, link);
>  if (!atomic_read(&bounce.in_use)) {
>  cpu_notify_map_clients_unlocked();
>  }
>  qemu_mutex_unlock(&map_client_list_lock);
> -return client;
>  }
>  
>  void cpu_exec_init_all(void)
> @@ -2525,14 +2523,26 @@ void cpu_exec_init_all(void)
>  qemu_mutex_init(&map_client_list_lock);
>  }
>  
> -static void cpu_unregister_map_client(void *_client)
> +static void cpu_unregister_map_client_do(MapClient *client)
>  {
> -MapClient *client = (MapClient *)_client;
> -
>  QLIST_REMOVE(client, link);
>  g_free(client);
>  }
>  
> +void cpu_unregister_map_client(QEMUBH *bh)
> +{
> +MapClient *client;
> +
> +qemu_mutex_lock(&map_client_list_lock);
> +QLIST_FOREACH(client, &map_client_list, link) {
> +if (client->bh == bh) {
> +cpu_unregister_map_client_do(client);
> +break;
> +}
> +}
> +qemu_mutex_unlock(&map_client_list_lock);
> +}
> +
>  static void cpu_notify_map_clients(void)
>  {
>  qemu_mutex_lock(&map_client_list_lock);
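Review bot: with the handle-returning API gone, registering the same QEMUBH twice creates two MapClient entries, while cpu_unregister_map_client() removes only the first match (`break`) and leaves the other to qemu_bh_schedule() the BH after the caller has deleted it. Either document that a BH may be registered only once at a time or drop the break and remove every match.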
> diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
> index fcc3162..43428bd 100644
> --- a/include/exec/cpu-common.h
> +++ b/include/exec/cpu-common.h
> @@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr,
>int is_write);
>  void cpu_physical_memory_unmap(void *buffer, hwaddr len,
> int is_write, hwaddr access_len);
> -void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque));
> +void cpu_register_map_client(QEMUBH *bh);
> +void cpu_unregister_map_client(QEMUBH *bh);
>  
>  bool cpu_physi

Re: [Qemu-devel] [PATCH v3 1/4] exec: Atomic access to bounce buffer

2015-03-16 Thread Fam Zheng
On Mon, 03/16 08:30, Paolo Bonzini wrote:
> 
> 
> On 16/03/2015 06:31, Fam Zheng wrote:
> > There could be a race condition when two processes call
> > address_space_map concurrently and both want to use the bounce buffer.
> > 
> > Add an in_use flag in BounceBuffer to sync it.
> > 
> > Signed-off-by: Fam Zheng 
> > ---
> >  exec.c | 5 -
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/exec.c b/exec.c
> > index e97071a..4080044 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -2483,6 +2483,7 @@ typedef struct {
> >  void *buffer;
> >  hwaddr addr;
> >  hwaddr len;
> > +bool in_use;
> >  } BounceBuffer;
> >  
> >  static BounceBuffer bounce;
> > @@ -2571,9 +2572,10 @@ void *address_space_map(AddressSpace *as,
> >  l = len;
> >  mr = address_space_translate(as, addr, &xlat, &l, is_write);
> >  if (!memory_access_is_direct(mr, is_write)) {
> > -if (bounce.buffer) {
> > +if (atomic_xchg(&bounce.in_use, true)) {
> >  return NULL;
> >  }
> > +smp_mb();
> 
> smp_mb() not needed.

OK, I was confused by the Linux documentation on atomic_xchg. Now that I've looked
at the right places, it is not needed. Thanks,

Fam

> 
> Ok with this change.
> 
> Paolo
> 
> >  /* Avoid unbounded allocations */
> >  l = MIN(l, TARGET_PAGE_SIZE);
> >  bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, l);
> > @@ -2641,6 +2643,7 @@ void address_space_unmap(AddressSpace *as, void 
> > *buffer, hwaddr len,
> >  qemu_vfree(bounce.buffer);
> >  bounce.buffer = NULL;
> >  memory_region_unref(bounce.mr);
> > +atomic_mb_set(&bounce.in_use, false);
> >  cpu_notify_map_clients();
> >  }
> >  
> > 



Re: [Qemu-devel] [PATCH v5 5/7] vfio-pci: pass the aer error to guest

2015-03-16 Thread Chen Fan


On 03/16/2015 11:52 AM, Alex Williamson wrote:

On Mon, 2015-03-16 at 11:05 +0800, Chen Fan wrote:

On 03/14/2015 06:34 AM, Alex Williamson wrote:

On Thu, 2015-03-12 at 18:23 +0800, Chen Fan wrote:

When the vfio device encounters an uncorrectable error in the host,
the vfio_pci driver signals the eventfd registered by this
vfio device; this results in the qemu eventfd handler getting
invoked.

This patch passes the error to the guest and has the guest driver
recover from the error.

What is going to be the typical recovery mechanism for the guest?  I'm
concerned that the topology of the device in the guest doesn't
necessarily match the topology of the device in the host, so if the
guest were to attempt a bus reset to recover a device, for instance,
what happens?

The recovery mechanism is that when the guest gets an AER error from a device,
the guest clears the corresponding status bit in the device register, and for
a device that needs a reset, the guest AER driver resets all devices under the bus.

Sorry, I'm still confused, how does the guest aer driver reset all
devices under a bus?  Are we talking about function-level, device
specific reset mechanisms or secondary bus resets?  If the guest is
performing secondary bus resets, what guarantee do they have that it
will translate to a physical secondary bus reset?  vfio may only do an
FLR when the bus is reset or it may not be able to do anything depending
on the available function-level resets and physical and virtual topology
of the device.  Thanks,

In general, functions depend on the behavior of the corresponding device driver
to do the recovery, e.g. by implementing the error_detect and slot_reset callbacks,
and for a link reset it usually does a secondary bus reset.

And must we require a physical secondary bus reset for a vfio device as the bus
reset?

Thanks,
Chen



Alex


Signed-off-by: Chen Fan 
---
   hw/vfio/pci.c | 34 --
   1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 0a515b6..8966c49 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -3240,18 +3240,40 @@ static void vfio_put_device(VFIOPCIDevice *vdev)
   static void vfio_err_notifier_handler(void *opaque)
   {
   VFIOPCIDevice *vdev = opaque;
+PCIDevice *dev = &vdev->pdev;
+PCIEAERMsg msg = {
+.severity = 0,
+.source_id = (pci_bus_num(dev->bus) << 8) | dev->devfn,
+};
   
   if (!event_notifier_test_and_clear(&vdev->err_notifier)) {

   return;
   }
   
+/* we should read the error details from the real hardware

+ * configuration spaces, here we only need to do is signaling
+ * to guest an uncorrectable error has occurred.
+ */

Inconsistent comment style


+ if(dev->exp.aer_cap) {

   ^ space


+uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+uint32_t uncor_status;
+bool isfatal;
+
+uncor_status = vfio_pci_read_config(dev,
+   dev->exp.aer_cap + PCI_ERR_UNCOR_STATUS, 4);
+
+isfatal = uncor_status & pci_get_long(aer_cap + PCI_ERR_UNCOR_SEVER);
+
+msg.severity = isfatal ? PCI_ERR_ROOT_CMD_FATAL_EN :
+ PCI_ERR_ROOT_CMD_NONFATAL_EN;
+
+pcie_aer_msg(dev, &msg);
+return;
+}
+
   /*
- * TBD. Retrieve the error details and decide what action
- * needs to be taken. One of the actions could be to pass
- * the error to the guest and have the guest driver recover
- * from the error. This requires that PCIe capabilities be
- * exposed to the guest. For now, we just terminate the
- * guest to contain the error.
+ * If the aer capability is not exposed to the guest. we just
+ * terminate the guest to contain the error.
*/
   
   error_report("%s(%04x:%02x:%02x.%x) Unrecoverable error detected.  "
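Review bot: the severity sent to the guest is derived by masking the host's PCI_ERR_UNCOR_STATUS (read through vfio_pci_read_config()) with the guest-visible PCI_ERR_UNCOR_SEVER taken from dev->config, so an error the host classifies as fatal is reported as non-fatal whenever the guest has cleared that bit in its severity mask, and vice versa; if the guest's mask is meant to be authoritative, say so in the commit message. Also, the early `return` after pcie_aer_msg() skips the error_report() below, so the host log no longer records the unrecoverable error once the AER capability is exposed; keep the log line on both paths. The comment style and the missing space in `if(` were already pointed out above.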








Re: [Qemu-devel] [PATCH v3 3/4] exec: Notify cpu_register_map_client caller if the bounce buffer is available

2015-03-16 Thread Fam Zheng
On Mon, 03/16 08:34, Paolo Bonzini wrote:
> 
> 
> On 16/03/2015 06:31, Fam Zheng wrote:
> > The caller's workflow is like
> > 
> > if (!address_space_map()) {
> > ...
> > cpu_register_map_client();
> > }
> > 
> > If bounce buffer became available after address_space_map() but before
> > cpu_register_map_client(), the caller could miss it and has to wait for the
> > next bounce buffer notify, which may never happen in the worst case.
> > 
> > Just notify the list in cpu_register_map_client().
> > 
> > Signed-off-by: Fam Zheng 
> > ---
> >  exec.c | 22 +++---
> >  1 file changed, 15 insertions(+), 7 deletions(-)
> > 
> > diff --git a/exec.c b/exec.c
> > index 3e54580..20381a0 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -2489,6 +2489,17 @@ QemuMutex map_client_list_lock;
> >  static QLIST_HEAD(map_client_list, MapClient) map_client_list
> >  = QLIST_HEAD_INITIALIZER(map_client_list);
> >  
> > +static void cpu_notify_map_clients_unlocked(void)
> > +{
> > +MapClient *client;
> > +
> > +while (!QLIST_EMPTY(&map_client_list)) {
> > +client = QLIST_FIRST(&map_client_list);
> > +client->callback(client->opaque);
> > +cpu_unregister_map_client(client);
> > +}
> > +}
> 
> Isn't the convention to call these functions "*_locked" (e.g.
> timer_mod_ns_locked, monitor_flush_locked, cpu_get_clock_locked)?

Exactly, will rename. Thanks.

Fam

> 
> Otherwise okay.
> 
> Paolo
> 
> > +
> >  void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
> >  {
> >  MapClient *client = g_malloc(sizeof(*client));
> > @@ -2497,6 +2508,9 @@ void *cpu_register_map_client(void *opaque, void 
> > (*callback)(void *opaque))
> >  client->opaque = opaque;
> >  client->callback = callback;
> >  QLIST_INSERT_HEAD(&map_client_list, client, link);
> > +if (!atomic_read(&bounce.in_use)) {
> > +cpu_notify_map_clients_unlocked();
> > +}
> >  qemu_mutex_unlock(&map_client_list_lock);
> >  return client;
> >  }
> > @@ -2521,14 +2535,8 @@ static void cpu_unregister_map_client(void *_client)
> >  
> >  static void cpu_notify_map_clients(void)
> >  {
> > -MapClient *client;
> > -
> >  qemu_mutex_lock(&map_client_list_lock);
> > -while (!QLIST_EMPTY(&map_client_list)) {
> > -client = QLIST_FIRST(&map_client_list);
> > -client->callback(client->opaque);
> > -cpu_unregister_map_client(client);
> > -}
> > +cpu_notify_map_clients_unlocked();
> >  qemu_mutex_unlock(&map_client_list_lock);
> >  }
> >  
> > 



Re: [Qemu-devel] [PATCH v3 2/4] exec: Protect map_client_list with mutex

2015-03-16 Thread Fam Zheng
On Mon, 03/16 08:33, Paolo Bonzini wrote:
> 
> 
> On 16/03/2015 06:31, Fam Zheng wrote:
> > So that accesses from multiple threads are safe.
> > 
> > Signed-off-by: Fam Zheng 
> > ---
> >  exec.c | 24 +++-
> >  1 file changed, 15 insertions(+), 9 deletions(-)
> > 
> > diff --git a/exec.c b/exec.c
> > index 4080044..3e54580 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -429,15 +429,6 @@ address_space_translate_for_iotlb(CPUState *cpu, 
> > hwaddr addr,
> >  }
> >  #endif
> >  
> > -void cpu_exec_init_all(void)
> > -{
> > -#if !defined(CONFIG_USER_ONLY)
> > -qemu_mutex_init(&ram_list.mutex);
> > -memory_map_init();
> > -io_mem_init();
> > -#endif
> > -}
> > -
> >  #if !defined(CONFIG_USER_ONLY)
> >  
> >  static int cpu_common_post_load(void *opaque, int version_id)
> > @@ -2494,6 +2485,7 @@ typedef struct MapClient {
> >  QLIST_ENTRY(MapClient) link;
> >  } MapClient;
> >  
> > +QemuMutex map_client_list_lock;
> >  static QLIST_HEAD(map_client_list, MapClient) map_client_list
> >  = QLIST_HEAD_INITIALIZER(map_client_list);
> >  
> > @@ -2501,12 +2493,24 @@ void *cpu_register_map_client(void *opaque, void 
> > (*callback)(void *opaque))
> >  {
> >  MapClient *client = g_malloc(sizeof(*client));
> >  
> > +qemu_mutex_lock(&map_client_list_lock);
> >  client->opaque = opaque;
> >  client->callback = callback;
> >  QLIST_INSERT_HEAD(&map_client_list, client, link);
> > +qemu_mutex_unlock(&map_client_list_lock);
> >  return client;
> >  }
> >  
> > +void cpu_exec_init_all(void)
> > +{
> > +#if !defined(CONFIG_USER_ONLY)
> > +qemu_mutex_init(&ram_list.mutex);
> > +memory_map_init();
> > +io_mem_init();
> > +#endif
> > +qemu_mutex_init(&map_client_list_lock);
> > +}
> > +
> 
> You are moving cpu_exec_init_all within an #ifndef CONFIG_USER_ONLY.
> Does this patch compile for user-mode emulation?

No. Good catch!

> 
> The move itself is okay but only if you remove the two calls in
> *-user/main.c (and possibly move the prototype to include/exec/exec-all.h).

Sounds good, I'll split that patch in v4.

Fam

> 
> >  static void cpu_unregister_map_client(void *_client)
> >  {
> >  MapClient *client = (MapClient *)_client;
> > @@ -2519,11 +2523,13 @@ static void cpu_notify_map_clients(void)
> >  {
> >  MapClient *client;
> >  
> > +qemu_mutex_lock(&map_client_list_lock);
> >  while (!QLIST_EMPTY(&map_client_list)) {
> >  client = QLIST_FIRST(&map_client_list);
> >  client->callback(client->opaque);
> 
> A good rule of thumb is never hold a lock while calling "unknown" code.
>  This will be fixed in patch 4, so it's okay.
> 
> Paolo
> 
> >  cpu_unregister_map_client(client);
> >  }
> > +qemu_mutex_unlock(&map_client_list_lock);
> >  }
> >  
> >  bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, 
> > bool is_write)
> > 



Re: [Qemu-devel] [SeaBIOS] seabios stable release

2015-03-16 Thread Gerd Hoffmann
  Hi,

> Branch created, three patches (2x pvscsi + 1x multiple pci root)
> cherry-picked from master, pushed.
> 
> The smp race fix will follow as soon as it hits master.

Was cherry-picked friday.

> I plan to tag 1.8.1 tomorrow or next monday, so the release will be
> ready in time for qemu 2.3-rc0 which is planned for next tuesday.

Release 1.8.1 tagged & pushed, source tarball uploaded.

cheers,
  Gerd





Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow

2015-03-16 Thread Aneesh Kumar K.V
Shannon Zhao  writes:

> Detected by Coverity. As the maximum length of sockaddr_un.sun_path is
> sizeof(helper.sun_path), we should check the length of the source
> and use strncpy instead of strcpy.
>
> Signed-off-by: Shannon Zhao 
> Signed-off-by: Shannon Zhao 
> ---
>  hw/9pfs/virtio-9p-proxy.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 59c7445..fb1ab7b 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>  int sockfd, size;
>  struct sockaddr_un helper;
>  
> +g_assert(strlen(path) < sizeof(helper.sun_path));

Since we are doing this from within QEMU, I did the below and folded
that into the other sockaddr_un.sun_path size-checking patch.

diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 6bb191ee6ab8..71b6198bbd22 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
 int sockfd, size;
 struct sockaddr_un helper;
 
+if (strlen(path) >= sizeof(helper.sun_path)) {
+fprintf(stderr, "Socket name too large\n");
+return -1;
+}
 sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
 if (sockfd < 0) {
 fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
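Review bot: this bound makes the strcpy() further down safe (it leaves room for the terminating NUL), so the strncpy() change from the original patch is not needed once this is folded in; if strncpy() with the full sizeof(helper.sun_path) is kept anyway, it only NUL-terminates because of this check, which deserves a comment next to it. Returning -1 matches the other failure paths in connect_namedsocket(), unlike a g_assert(), which would abort QEMU on a long path.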


Let me know if that is ok for you.
 
>  sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>  if (sockfd < 0) {
>  fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>  return -1;
>  }
> -strcpy(helper.sun_path, path);
> +strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>  helper.sun_family = AF_UNIX;
>  size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>  if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
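Review bot: the g_assert() turns an overlong path into an abort() rather than the -1 that the other error paths in connect_namedsocket() return, and the strncpy() with the full sizeof(helper.sun_path) does not NUL-terminate when the path is exactly that length, so the strlen(helper.sun_path) used for `size` would then run past the field; the assert is therefore doing all of the work and the strncpy() alone would not fix the overflow. Check `strlen(path) >= sizeof(helper.sun_path)` and return -1 instead.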
> -- 
> 1.8.3.1




Re: [Qemu-devel] [PATCH] hw/bt/sdp: Fix resource leak detect by coverity

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 08:29, Markus Armbruster wrote:
> > Well, in this case the bug in bt_l2cap_sdp_close_ch is much worse than a
> > resource leak.  But bluetooth is not the utmost priority in QEMU
> > development...
> 
> To put it more bluntly: it's rotting in peace.
> 
> Occasional drive-by fixes won't stop the rot; a dedicated maintainer
> could.

I disagree.  The code is not that good, but apparently it works.
Samsung folks are using it and presented their work at KVM Forum 2014.

Paolo



[Qemu-devel] [PULL for-2.3 0/1] seabios: update to 1.8.1 stable release

2015-03-16 Thread Gerd Hoffmann
  Hi,

New seabios release from 1.8-stable branch.

Most important change is the fix for the smp race at boot
(reported multiple times on the list).

There also is a memory barrier fix (makes pvscsi boot work).
Support for multiple pci roots has been added too.

please pull,
  Gerd

The following changes since commit 7ccfb495c64e1eef5886dcc4d48523ed6d1d22a4:

  user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm (2015-03-13 15:57:00 
+)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-seabios-1.8.1-20150316-1

for you to fetch changes up to 93f7c4f09f6957244d5af0a35309b8ad4ffb64ed:

  seabios: update to 1.8.1 stable release (2015-03-16 09:07:15 +0100)


seabios: update to 1.8.1 stable release


Gerd Hoffmann (1):
  seabios: update to 1.8.1 stable release

 pc-bios/bios-256k.bin  | Bin 262144 -> 262144 bytes
 pc-bios/bios.bin   | Bin 131072 -> 131072 bytes
 pc-bios/vgabios-cirrus.bin | Bin 37888 -> 37888 bytes
 pc-bios/vgabios-qxl.bin| Bin 38400 -> 38400 bytes
 pc-bios/vgabios-stdvga.bin | Bin 38400 -> 38400 bytes
 pc-bios/vgabios-vmware.bin | Bin 38400 -> 38400 bytes
 pc-bios/vgabios.bin| Bin 38400 -> 38400 bytes
 roms/seabios   |   2 +-
 8 files changed, 1 insertion(+), 1 deletion(-)



[Qemu-devel] [PULL 1/1] seabios: update to 1.8.1 stable release

2015-03-16 Thread Gerd Hoffmann
Carries two bugfixes and support for multiple pci root buses.

git shortlog rel-1.8.0..rel-1.8.1
=

Ameya Palande (1):
  x86: add barrier to read{b,w,l} and write{b,w,l} functions

Kevin O'Connor (1):
  smp: Fix smp race introduced in 0673b787

Marcel Apfelbaum (2):
  fw/pci: scan all buses if extraroots romfile is present
  fw/pci: map memory and IO regions for multiple pci root buses

Signed-off-by: Gerd Hoffmann 
---
 pc-bios/bios-256k.bin  | Bin 262144 -> 262144 bytes
 pc-bios/bios.bin   | Bin 131072 -> 131072 bytes
 pc-bios/vgabios-cirrus.bin | Bin 37888 -> 37888 bytes
 pc-bios/vgabios-qxl.bin| Bin 38400 -> 38400 bytes
 pc-bios/vgabios-stdvga.bin | Bin 38400 -> 38400 bytes
 pc-bios/vgabios-vmware.bin | Bin 38400 -> 38400 bytes
 pc-bios/vgabios.bin| Bin 38400 -> 38400 bytes
 roms/seabios   |   2 +-
 8 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pc-bios/bios-256k.bin b/pc-bios/bios-256k.bin
index 1c3f402..c6e25ac 100644
Binary files a/pc-bios/bios-256k.bin and b/pc-bios/bios-256k.bin differ
diff --git a/pc-bios/bios.bin b/pc-bios/bios.bin
index 3724535..46ca37b 100644
Binary files a/pc-bios/bios.bin and b/pc-bios/bios.bin differ
diff --git a/pc-bios/vgabios-cirrus.bin b/pc-bios/vgabios-cirrus.bin
index 09dd0fa..02227d3 100644
Binary files a/pc-bios/vgabios-cirrus.bin and b/pc-bios/vgabios-cirrus.bin 
differ
diff --git a/pc-bios/vgabios-qxl.bin b/pc-bios/vgabios-qxl.bin
index 92f22bf..8a87c23 100644
Binary files a/pc-bios/vgabios-qxl.bin and b/pc-bios/vgabios-qxl.bin differ
diff --git a/pc-bios/vgabios-stdvga.bin b/pc-bios/vgabios-stdvga.bin
index 73c3468..00cb73c 100644
Binary files a/pc-bios/vgabios-stdvga.bin and b/pc-bios/vgabios-stdvga.bin 
differ
diff --git a/pc-bios/vgabios-vmware.bin b/pc-bios/vgabios-vmware.bin
index 86f9f7e..c9a94f9 100644
Binary files a/pc-bios/vgabios-vmware.bin and b/pc-bios/vgabios-vmware.bin 
differ
diff --git a/pc-bios/vgabios.bin b/pc-bios/vgabios.bin
index de3226e..3e3335d 100644
Binary files a/pc-bios/vgabios.bin and b/pc-bios/vgabios.bin differ
diff --git a/roms/seabios b/roms/seabios
index 4c59f5d..4adadbd 16
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit 4c59f5d83044df4d57b90958b0fdfcecb913fddb
+Subproject commit 4adadbde6904807de2e990c0af839ad0cc977806
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH v2] virtio: Fix memory leaks reported by Coverity

2015-03-16 Thread Aneesh Kumar K.V
Stefan Weil  writes:

> All four leaks are similar, so fix them in one patch.

OK, I had to spend some time figuring out which path was not
freeing memory, so I added extra information to the commit message.

The success path was not freeing memory.

Applied.

>
> Signed-off-by: Stefan Weil 
> ---
>
> v1 only fixed one of those leaks.
> v2 fixes all similar leaks.
>
>  hw/9pfs/virtio-9p-local.c |   28 
>  1 file changed, 8 insertions(+), 20 deletions(-)
>
> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
> index d05c917..d66abcd 100644
> --- a/hw/9pfs/virtio-9p-local.c
> +++ b/hw/9pfs/virtio-9p-local.c
> @@ -488,7 +488,7 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  int err = -1;
>  int serrno = 0;
>  V9fsString fullname;
> -char *buffer;
> +char *buffer = NULL;
>  
>  v9fs_string_init(&fullname);
>  v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name);
> @@ -499,7 +499,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  err = local_set_xattr(buffer, credp);
> @@ -512,7 +511,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  err = local_set_mapped_file_attr(fs_ctx, path, credp);
> @@ -525,7 +523,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mknod(buffer, credp->fc_mode, credp->fc_rdev);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  err = local_post_create_passthrough(fs_ctx, path, credp);
> @@ -539,8 +536,8 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  err_end:
>  remove(buffer);
>  errno = serrno;
> -g_free(buffer);
>  out:
> +g_free(buffer);
>  v9fs_string_free(&fullname);
>  return err;
>  }
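Review bot: the single g_free(buffer) at `out:` is only correct while each of the three mode branches in local_mknod assigns `buffer = rpath(fs_ctx, path)` exactly once; a later second rpath() call in the same function would silently leak the first allocation, which is the same class of bug Coverity just reported. A one-line comment at `out:` stating that buffer holds at most one allocation, or a g_free() before any reassignment, would keep the invariant visible. The same applies to the identical restructuring of local_mkdir below.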
> @@ -552,7 +549,7 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  int err = -1;
>  int serrno = 0;
>  V9fsString fullname;
> -char *buffer;
> +char *buffer = NULL;
>  
>  v9fs_string_init(&fullname);
>  v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name);
> @@ -563,7 +560,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mkdir(buffer, SM_LOCAL_DIR_MODE_BITS);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  credp->fc_mode = credp->fc_mode|S_IFDIR;
> @@ -576,7 +572,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mkdir(buffer, SM_LOCAL_DIR_MODE_BITS);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  credp->fc_mode = credp->fc_mode|S_IFDIR;
> @@ -590,7 +585,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  buffer = rpath(fs_ctx, path);
>  err = mkdir(buffer, credp->fc_mode);
>  if (err == -1) {
> -g_free(buffer);
>  goto out;
>  }
>  err = local_post_create_passthrough(fs_ctx, path, credp);
> @@ -604,8 +598,8 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
> *dir_path,
>  err_end:
>  remove(buffer);
>  errno = serrno;
> -g_free(buffer);
>  out:
> +g_free(buffer);
>  v9fs_string_free(&fullname);
>  return err;
>  }
> @@ -659,7 +653,7 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
> *dir_path, const char *name,
>  int err = -1;
>  int serrno = 0;
>  V9fsString fullname;
> -char *buffer;
> +char *buffer = NULL;
>  
>  /*
>   * Mark all the open to not follow symlinks
> @@ -675,7 +669,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
> *dir_path, const char *name,
>  buffer = rpath(fs_ctx, path);
>  fd = open(buffer, flags, SM_LOCAL_MODE_BITS);
>  if (fd == -1) {
> -g_free(buffer);
>  err = fd;
>  goto out;
>  }
> @@ -690,7 +683,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
> *dir_path, const char *name,
>  buffer = rpath(fs_ctx, path);
>  fd = open(buffer, flags, SM_LOCAL_MODE_BITS);
>  if (fd == -1) {
> -g_free(buffer);
>  err = fd;
>  goto out;
>  }
> @@ -706,7 +698,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
> *dir_path, const char *name,
>  buffer = rpath(fs_ctx, path);
>  fd = open(buffer, flags, credp-
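Review bot: the local_open2 hunks replace the per-branch g_free() with a plain `goto out` the same way mknod/mkdir do, but the patch is truncated in this copy at `fd = open(buffer, flags, credp-`, so it cannot be seen whether local_open2's `out:` label also gained the `g_free(buffer)`; without it the `err = fd; goto out;` paths would now leak where they used to free. Please confirm the tail of the function in the reply or resend with the full hunk.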

[Qemu-devel] [RESEND PATCH v4 0/6] QEMU memory hot unplug support

2015-03-16 Thread Zhu Guihua
Memory hot unplug is an asynchronous procedure.
When the unplug operation happens, the unplug request cb is called first.
When the guest OS has finished handling the unplug, the unplug cb will be
called to do the real removal of the device.

v4:
 -reorganize the patchset
 -drop the new API acpi_send_gpe_event()
 -update ssdt-mem

v3:
 -commit message changes
 -reorganize the patchset, squash and separate some patches
 -update specs about acpi_mem_hotplug
 -first cleanup external state, then un-map and un-register memory device

v2:
 -do a generic for acpi to send gpe event
 -unparent object by PC_MACHINE
 -update description in acpi_mem_hotplug.txt
 -combine the last two patches in the last version
 -cleanup external state in acpi_memory_unplug_cb

Tang Chen (5):
  acpi, mem-hotplug: Add acpi_memory_slot_status() to get MemStatus
  acpi, mem-hotplug: Add unplug request cb for memory device
  pc-dimm: Add memory hot unplug request support for pc-dimm
  acpi, mem-hotplug: Add unplug cb for memory device
  pc-dimm: Add memory hot unplug support for pc-dimm

Zhu Guihua (1):
  acpi: Add hardware implementation for memory hot unplug

 docs/specs/acpi_mem_hotplug.txt   | 11 +-
 hw/acpi/ich9.c| 19 --
 hw/acpi/memory_hotplug.c  | 78 +++
 hw/acpi/piix4.c   | 16 ++--
 hw/core/qdev.c|  2 +-
 hw/i386/acpi-build.c  |  9 +
 hw/i386/acpi-dsdt-mem-hotplug.dsl | 10 +
 hw/i386/pc.c  | 54 +--
 include/hw/acpi/memory_hotplug.h  |  6 +++
 include/hw/acpi/pc-hotplug.h  |  2 +
 include/hw/qdev-core.h|  1 +
 trace-events  |  1 +
 12 files changed, 187 insertions(+), 22 deletions(-)

-- 
1.9.3
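The two-phase flow this cover letter describes, replayed as an added C model of one slot's state as seen through the memory hotplug flags register (offset 0x14 of the IO block that docs/specs/acpi_mem_hotplug.txt documents, bits 0/1/2 for enabled/inserting/removing). This is example code, not code from this series or from QEMU: the MemStatus/MemHotplugState shapes, the function names, the `sci_pending` and `unplugged` counters and the string standing in for a DeviceState are assumptions. Phase 1 is QEMU marking the slot and raising the SCI; phase 2 is the guest's register write after evaluating _EJ0. The check that the slot really is mid-removal before anything is torn down is this example's own addition, because the port accepts any value the guest writes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added model of the per-slot state behind the memory hotplug flags register; not QEMU's
 * MemStatus/MemHotplugState. Names, fields and the string-for-device are assumptions. */
#define NUM_SLOTS 4

typedef struct {
    const char *dimm;       /* a name stands in for the DeviceState pointer (assumption) */
    bool is_enabled;
    bool is_inserting;
    bool is_removing;
} MemStatus;

typedef struct {
    MemStatus devs[NUM_SLOTS];
    uint32_t selector;      /* slot chosen by the guest through the slot-select register */
    bool sci_pending;       /* stands in for the GPE status bit plus the SCI to the guest */
    int unplugged;          /* completed removals (what the pc-dimm unplug cb would do) */
} MemHotplugState;

/* Bit layout of the flags register (offset 0x14) from docs/specs/acpi_mem_hotplug.txt. */
enum { FLAG_ENABLED = 1, FLAG_INSERTING = 2, FLAG_REMOVING = 4 };

/* Phase 1, QEMU side (device_del): mark the slot as being removed and signal the guest.
 * Refused when the slot holds no enabled device, so no SCI is raised for nothing. */
bool acpi_memory_unplug_request(MemHotplugState *st, unsigned slot)
{
    if (slot >= NUM_SLOTS || !st->devs[slot].is_enabled || !st->devs[slot].dimm) {
        return false;
    }
    st->devs[slot].is_removing = true;
    st->sci_pending = true;
    return true;
}

/* Guest side: read the flags of the selected slot from the GPE handler. */
uint32_t flags_read(const MemHotplugState *st)
{
    const MemStatus *m = &st->devs[st->selector];
    return (m->is_enabled   ? FLAG_ENABLED   : 0) |
           (m->is_inserting ? FLAG_INSERTING : 0) |
           (m->is_removing  ? FLAG_REMOVING  : 0);
}

/* Phase 2, QEMU side: the guest writes the flags register after evaluating _EJ0. Any value
 * can arrive on the port, so the slot must really be mid-removal before the device is torn
 * down, and the two acknowledge bits are handled independently of each other. */
void flags_write(MemHotplugState *st, uint32_t data)
{
    MemStatus *m = &st->devs[st->selector];
    if (data & FLAG_INSERTING) {
        m->is_inserting = false;    /* guest emitted the device check event */
    }
    if (data & FLAG_REMOVING) {
        if (!m->is_removing || !m->dimm) {
            return;                 /* stray write for an idle slot: nothing to eject */
        }
        m->is_removing = false;
        m->is_enabled = false;      /* the unplug cb part */
        m->dimm = NULL;
        st->unplugged++;            /* the real removal */
    }
}

/* Whole exchange for one slot. Returns the flags the guest saw after the SCI, 0 if refused. */
uint32_t run_unplug(MemHotplugState *st, unsigned slot)
{
    if (!acpi_memory_unplug_request(st, slot)) {
        return 0;
    }
    st->selector = slot;            /* the guest's GPE handler selects the slot */
    st->sci_pending = false;
    uint32_t seen = flags_read(st);
    if (seen & FLAG_REMOVING) {
        flags_write(st, FLAG_REMOVING);   /* guest ejected the device and acknowledges */
    }
    return seen;
}

/* Constructed starting state: slots 0 and 1 populated, 2 and 3 empty. */
MemHotplugState make_state(void)
{
    MemHotplugState st;
    memset(&st, 0, sizeof st);
    st.devs[0].dimm = "dimm0"; st.devs[0].is_enabled = true;
    st.devs[1].dimm = "dimm1"; st.devs[1].is_enabled = true;
    return st;
}

/* Replays a normal removal, a stray guest write against an empty slot, and a refused
 * request. Returns 0 when every step behaved, otherwise the number of the failing step. */
int scenario(void)
{
    MemHotplugState st = make_state();
    if (run_unplug(&st, 0) != (FLAG_ENABLED | FLAG_REMOVING)) return 1;
    if (st.unplugged != 1 || st.devs[0].is_enabled || st.devs[0].dimm) return 2;
    st.selector = 2;
    flags_write(&st, FLAG_REMOVING | FLAG_INSERTING);   /* idle slot, both bits at once */
    if (st.unplugged != 1 || flags_read(&st) != 0) return 3;
    if (run_unplug(&st, 2) != 0 || st.sci_pending) return 4;   /* nothing there, no SCI */
    if (run_unplug(&st, 1) != (FLAG_ENABLED | FLAG_REMOVING) || st.unplugged != 2) return 5;
    return 0;
}
```

`scenario()` walks the exchange from both ends: the request side refuses an empty slot instead of raising a pointless SCI, and the write side ignores an acknowledgement for a slot that was never put into the removing state rather than dereferencing a device that is not there.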




[Qemu-devel] [RESEND PATCH v4 1/6] acpi, mem-hotplug: Add acpi_memory_slot_status() to get MemStatus

2015-03-16 Thread Zhu Guihua
From: Tang Chen 

Add a new API named acpi_memory_slot_status() to obtain a single memory
slot's status. This is done because the procedure will be used by other
functions in the coming patches.

Signed-off-by: Tang Chen 
Signed-off-by: Zhu Guihua 
---
 hw/acpi/memory_hotplug.c | 24 ++--
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index c6580da..0efc357 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -163,29 +163,41 @@ void acpi_memory_hotplug_init(MemoryRegion *as, Object 
*owner,
 memory_region_add_subregion(as, ACPI_MEMORY_HOTPLUG_BASE, &state->io);
 }
 
-void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
- DeviceState *dev, Error **errp)
+static MemStatus *
+acpi_memory_slot_status(MemHotplugState *mem_st,
+DeviceState *dev, Error **errp)
 {
-MemStatus *mdev;
 Error *local_err = NULL;
 int slot = object_property_get_int(OBJECT(dev), PC_DIMM_SLOT_PROP,
&local_err);
 
 if (local_err) {
 error_propagate(errp, local_err);
-return;
+return NULL;
 }
 
 if (slot >= mem_st->dev_count) {
 char *dev_path = object_get_canonical_path(OBJECT(dev));
-error_setg(errp, "acpi_memory_plug_cb: "
+error_setg(errp, "acpi_memory_slot_status: "
"device [%s] returned invalid memory slot[%d]",
 dev_path, slot);
 g_free(dev_path);
+return NULL;
+}
+
+return &mem_st->devs[slot];
+}
+
+void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
+ DeviceState *dev, Error **errp)
+{
+MemStatus *mdev;
+
+mdev = acpi_memory_slot_status(mem_st, dev, errp);
+if (!mdev) {
 return;
 }
 
-mdev = &mem_st->devs[slot];
 mdev->dimm = dev;
 mdev->is_enabled = true;
 mdev->is_inserting = true;
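Review bot: the error string at `error_setg(errp, "acpi_memory_slot_status: "` now names the helper rather than the operation, so a failing device_add and a failing device_del produce identical messages; since each caller knows whether it is plugging or unplugging, either pass the caller's name in or drop the function prefix and let the caller's own error context say which operation failed.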
-- 
1.9.3




[Qemu-devel] [RESEND PATCH v4 2/6] acpi, mem-hotplug: Add unplug request cb for memory device

2015-03-16 Thread Zhu Guihua
From: Tang Chen 

Memory hot unplug is an asynchronous procedure.
When the unplug operation happens, the unplug request cb is called first.
When the guest OS has finished handling the unplug, the unplug cb will be
called to do the real removal of the device.

This patch adds unplug request cb for memory device, and adds the
is_removing boolean field to MemStatus. This field is used to indicate
whether the memory slot is being removed. This field is set to true in
acpi_memory_unplug_request_cb().

Signed-off-by: Tang Chen 
Signed-off-by: Zhu Guihua 
---
 hw/acpi/ich9.c   | 10 --
 hw/acpi/memory_hotplug.c | 19 +++
 hw/acpi/piix4.c  |  6 +-
 include/hw/acpi/memory_hotplug.h |  4 
 4 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index 5352e19..b85eed4 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -400,8 +400,14 @@ void ich9_pm_device_plug_cb(ICH9LPCPMRegs *pm, DeviceState 
*dev, Error **errp)
 void ich9_pm_device_unplug_request_cb(ICH9LPCPMRegs *pm, DeviceState *dev,
   Error **errp)
 {
-error_setg(errp, "acpi: device unplug request for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+if (pm->acpi_memory_hotplug.is_enabled &&
+object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_request_cb(&pm->acpi_regs, pm->irq,
+  &pm->acpi_memory_hotplug, dev, errp);
+} else {
+error_setg(errp, "acpi: device unplug request for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 void ich9_pm_device_unplug_cb(ICH9LPCPMRegs *pm, DeviceState *dev,
diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index 0efc357..2ef6a94 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -75,6 +75,7 @@ static uint64_t acpi_memory_hotplug_read(void *opaque, hwaddr 
addr,
 case 0x14: /* pack and return is_* fields */
 val |= mdev->is_enabled   ? 1 : 0;
 val |= mdev->is_inserting ? 2 : 0;
+val |= mdev->is_removing  ? 4 : 0;
 trace_mhp_acpi_read_flags(mem_st->selector, val);
 break;
 default:
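Review bot: bit 2 of the 0x14 read becomes guest-visible ABI in this patch, but its description in docs/specs/acpi_mem_hotplug.txt and the AML that consumes it only arrive in patch 6/6, so a tree between 2/6 and 6/6 reports a flag no spec describes; move the documentation hunk here so the register description changes together with the register.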
@@ -208,6 +209,24 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 return;
 }
 
+void acpi_memory_unplug_request_cb(ACPIREGS *ar, qemu_irq irq,
+   MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp)
+{
+MemStatus *mdev;
+
+mdev = acpi_memory_slot_status(mem_st, dev, errp);
+if (!mdev) {
+return;
+}
+
+mdev->is_removing = true;
+
+/* Do ACPI magic */
+ar->gpe.sts[0] |= ACPI_MEMORY_HOTPLUG_STATUS;
+acpi_update_sci(ar, irq);
+}
+
 static const VMStateDescription vmstate_memhp_sts = {
 .name = "memory hotplug device state",
 .version_id = 1,
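Review bot: acpi_memory_unplug_request_cb sets is_removing and raises ACPI_MEMORY_HOTPLUG_STATUS without checking that the slot is populated by this device (`mdev->is_enabled` and `mdev->dimm == dev`) or that is_inserting has already been cleared; an unplug request arriving before the guest acknowledged the insert leaves both bits set and the 0x14 read returns 7, a combination the spec text does not cover. Suggest rejecting the request with error_setg() when the slot is not enabled or holds a different device, and either clearing is_inserting here or documenting what the guest does when it sees both bits.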
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index d1f1179..f716e91 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -361,7 +361,11 @@ static void piix4_device_unplug_request_cb(HotplugHandler 
*hotplug_dev,
 {
 PIIX4PMState *s = PIIX4_PM(hotplug_dev);
 
-if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) {
+if (s->acpi_memory_hotplug.is_enabled &&
+object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_request_cb(&s->ar, s->irq, &s->acpi_memory_hotplug,
+  dev, errp);
+} else if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) {
 acpi_pcihp_device_unplug_cb(&s->ar, s->irq, &s->acpi_pci_hotplug, dev,
 errp);
 } else {
diff --git a/include/hw/acpi/memory_hotplug.h b/include/hw/acpi/memory_hotplug.h
index 7bbf8a0..c437a85 100644
--- a/include/hw/acpi/memory_hotplug.h
+++ b/include/hw/acpi/memory_hotplug.h
@@ -11,6 +11,7 @@ typedef struct MemStatus {
 DeviceState *dimm;
 bool is_enabled;
 bool is_inserting;
+bool is_removing;
 uint32_t ost_event;
 uint32_t ost_status;
 } MemStatus;
@@ -28,6 +29,9 @@ void acpi_memory_hotplug_init(MemoryRegion *as, Object *owner,
 
 void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
  DeviceState *dev, Error **errp);
+void acpi_memory_unplug_request_cb(ACPIREGS *ar, qemu_irq irq,
+   MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp);
 
 extern const VMStateDescription vmstate_memory_hotplug;
 #define VMSTATE_MEMORY_HOTPLUG(memhp, state) \
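Review bot: is_removing is added to MemStatus, but vmstate_memhp_sts (visible in the trailing context of the memory_hotplug.c hunk) is not touched, so a migration between the unplug request and the guest's eject loses the pending-removal state on the destination; add the field to the vmstate, with a version bump or a subsection, in the same patch that introduces it.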
-- 
1.9.3




[Qemu-devel] [RESEND PATCH v4 4/6] acpi, mem-hotplug: Add unplug cb for memory device

2015-03-16 Thread Zhu Guihua
From: Tang Chen 

This patch adds unplug cb for memory device. It resets some memory status
in acpi_memory_unplug_cb().

Signed-off-by: Tang Chen 
Signed-off-by: Zhu Guihua 
---
 hw/acpi/ich9.c   |  9 +++--
 hw/acpi/memory_hotplug.c | 14 ++
 hw/acpi/piix4.c  | 10 --
 include/hw/acpi/memory_hotplug.h |  2 ++
 4 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index b85eed4..84e5bb8 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -413,8 +413,13 @@ void ich9_pm_device_unplug_request_cb(ICH9LPCPMRegs *pm, 
DeviceState *dev,
 void ich9_pm_device_unplug_cb(ICH9LPCPMRegs *pm, DeviceState *dev,
   Error **errp)
 {
-error_setg(errp, "acpi: device unplug for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+if (pm->acpi_memory_hotplug.is_enabled &&
+object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_cb(&pm->acpi_memory_hotplug, dev, errp);
+} else {
+error_setg(errp, "acpi: device unplug for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 void ich9_pm_ospm_status(AcpiDeviceIf *adev, ACPIOSTInfoList ***list)
diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index 2ef6a94..687b2f1 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -227,6 +227,20 @@ void acpi_memory_unplug_request_cb(ACPIREGS *ar, qemu_irq 
irq,
 acpi_update_sci(ar, irq);
 }
 
+void acpi_memory_unplug_cb(MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp)
+{
+MemStatus *mdev;
+
+mdev = acpi_memory_slot_status(mem_st, dev, errp);
+if (!mdev) {
+return;
+}
+
+mdev->is_enabled = false;
+mdev->dimm = NULL;
+}
+
 static const VMStateDescription vmstate_memhp_sts = {
 .name = "memory hotplug device state",
 .version_id = 1,
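Review bot: acpi_memory_unplug_cb clears is_enabled and dimm but leaves is_removing as acpi_memory_unplug_request_cb set it; nothing in this patch resets it, so the slot's consistency depends on every caller having cleared the bit first. Reset `mdev->is_removing = false;` here too so the slot returns to a clean state whichever path reaches the cb, and check `mdev->dimm == dev` before clearing, since acpi_memory_slot_status only rejects an out-of-range slot number.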
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index f716e91..781ad33 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -377,8 +377,14 @@ static void piix4_device_unplug_request_cb(HotplugHandler 
*hotplug_dev,
 static void piix4_device_unplug_cb(HotplugHandler *hotplug_dev,
DeviceState *dev, Error **errp)
 {
-error_setg(errp, "acpi: device unplug for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+PIIX4PMState *s = PIIX4_PM(hotplug_dev);
+
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_cb(&s->acpi_memory_hotplug, dev, errp);
+} else {
+error_setg(errp, "acpi: device unplug for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 static void piix4_update_bus_hotplug(PCIBus *pci_bus, void *opaque)
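Review bot: piix4_device_unplug_cb dispatches on TYPE_PC_DIMM alone, whereas piix4_device_unplug_request_cb (patch 2/6) and ich9_pm_device_unplug_cb in this patch both also test `acpi_memory_hotplug.is_enabled`; add the same guard here so a DIMM on a machine without memory hotplug enabled gets the "not supported device" error instead of acpi_memory_unplug_cb touching a MemHotplugState that was never initialised.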
diff --git a/include/hw/acpi/memory_hotplug.h b/include/hw/acpi/memory_hotplug.h
index c437a85..15deae0 100644
--- a/include/hw/acpi/memory_hotplug.h
+++ b/include/hw/acpi/memory_hotplug.h
@@ -32,6 +32,8 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 void acpi_memory_unplug_request_cb(ACPIREGS *ar, qemu_irq irq,
MemHotplugState *mem_st,
DeviceState *dev, Error **errp);
+void acpi_memory_unplug_cb(MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp);
 
 extern const VMStateDescription vmstate_memory_hotplug;
 #define VMSTATE_MEMORY_HOTPLUG(memhp, state) \
-- 
1.9.3




[Qemu-devel] [RESEND PATCH v4 5/6] pc-dimm: Add memory hot unplug support for pc-dimm

2015-03-16 Thread Zhu Guihua
From: Tang Chen 

Implement unplug cb for pc-dimm. It calls memory unplug cb to reset
some memory status, removes the corresponding memory region, and
unregisters vmstate.

Signed-off-by: Tang Chen 
Signed-off-by: Zhu Guihua 
---
 hw/i386/pc.c | 26 --
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 9c7c318..141fa6a 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1689,6 +1689,23 @@ out:
 error_propagate(errp, local_err);
 }
 
+static void pc_dimm_unplug(HotplugHandler *hotplug_dev,
+   DeviceState *dev, Error **errp)
+{
+PCMachineState *pcms = PC_MACHINE(hotplug_dev);
+PCDIMMDevice *dimm = PC_DIMM(dev);
+PCDIMMDeviceClass *ddc = PC_DIMM_GET_CLASS(dimm);
+MemoryRegion *mr = ddc->get_memory_region(dimm);
+HotplugHandlerClass *hhc;
+Error *local_err = NULL;
+
+hhc = HOTPLUG_HANDLER_GET_CLASS(pcms->acpi_dev);
+hhc->unplug(HOTPLUG_HANDLER(pcms->acpi_dev), dev, &local_err);
+
+memory_region_del_subregion(&pcms->hotplug_memory, mr);
+vmstate_unregister_ram(mr, dev);
+}
+
 static void pc_cpu_plug(HotplugHandler *hotplug_dev,
 DeviceState *dev, Error **errp)
 {
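Review bot: pc_dimm_unplug ignores the outcome of `hhc->unplug(HOTPLUG_HANDLER(pcms->acpi_dev), dev, &local_err)`: local_err is never checked or propagated and errp is unused, so when the ACPI side fails the memory region is still removed and the vmstate unregistered. Add `if (local_err) { error_propagate(errp, local_err); return; }` after the call, as pc_dimm_unplug_request in patch 3/6 does. The function also dereferences pcms->acpi_dev without the NULL check the request path has, which only holds as long as device_del always goes through the request path first; a comment would make that dependency explicit.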
@@ -1742,8 +1759,13 @@ static void 
pc_machine_device_unplug_request_cb(HotplugHandler *hotplug_dev,
 static void pc_machine_device_unplug_cb(HotplugHandler *hotplug_dev,
 DeviceState *dev, Error **errp)
 {
-error_setg(errp, "acpi: device unplug for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+pc_dimm_unplug(hotplug_dev, dev, errp);
+object_unparent(OBJECT(dev));
+} else {
+error_setg(errp, "acpi: device unplug for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 static HotplugHandler *pc_get_hotpug_handler(MachineState *machine,
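Review bot: `object_unparent(OBJECT(dev))` runs unconditionally after pc_dimm_unplug(), so if pc_dimm_unplug reports an error through errp the device object is still destroyed while its memory region and vmstate may be only partly torn down. Collect the result in a local Error and unparent only when it is NULL.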
-- 
1.9.3




[Qemu-devel] [RESEND PATCH v4 3/6] pc-dimm: Add memory hot unplug request support for pc-dimm

2015-03-16 Thread Zhu Guihua
From: Tang Chen 

Implement memory unplug request cb for pc-dimm, and call it in
pc_machine_device_unplug_request_cb().

Signed-off-by: Tang Chen 
Signed-off-by: Zhu Guihua 
---
 hw/i386/pc.c | 28 ++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index b5b2aad..9c7c318 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1669,6 +1669,26 @@ out:
 error_propagate(errp, local_err);
 }
 
+static void pc_dimm_unplug_request(HotplugHandler *hotplug_dev,
+   DeviceState *dev, Error **errp)
+{
+HotplugHandlerClass *hhc;
+Error *local_err = NULL;
+PCMachineState *pcms = PC_MACHINE(hotplug_dev);
+
+if (!pcms->acpi_dev) {
+error_setg(&local_err,
+   "memory hotplug is not enabled: missing acpi device");
+goto out;
+}
+
+hhc = HOTPLUG_HANDLER_GET_CLASS(pcms->acpi_dev);
+hhc->unplug_request(HOTPLUG_HANDLER(pcms->acpi_dev), dev, &local_err);
+
+out:
+error_propagate(errp, local_err);
+}
+
 static void pc_cpu_plug(HotplugHandler *hotplug_dev,
 DeviceState *dev, Error **errp)
 {
@@ -1711,8 +1731,12 @@ static void pc_machine_device_plug_cb(HotplugHandler 
*hotplug_dev,
 static void pc_machine_device_unplug_request_cb(HotplugHandler *hotplug_dev,
 DeviceState *dev, Error **errp)
 {
-error_setg(errp, "acpi: device unplug request for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+pc_dimm_unplug_request(hotplug_dev, dev, errp);
+} else {
+error_setg(errp, "acpi: device unplug request for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
 }
 
 static void pc_machine_device_unplug_cb(HotplugHandler *hotplug_dev,
-- 
1.9.3




[Qemu-devel] [RESEND PATCH v4 6/6] acpi: Add hardware implementation for memory hot unplug

2015-03-16 Thread Zhu Guihua
This patch adds a new bit to the memory hotplug IO port indicating that
EJ0 has been evaluated by the guest OS, and calls the pc-dimm unplug cb to
do the real removal.

Signed-off-by: Zhu Guihua 
---
 docs/specs/acpi_mem_hotplug.txt   | 11 +--
 hw/acpi/memory_hotplug.c  | 21 +++--
 hw/core/qdev.c|  2 +-
 hw/i386/acpi-build.c  |  9 +
 hw/i386/acpi-dsdt-mem-hotplug.dsl | 10 ++
 include/hw/acpi/pc-hotplug.h  |  2 ++
 include/hw/qdev-core.h|  1 +
 trace-events  |  1 +
 8 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/docs/specs/acpi_mem_hotplug.txt b/docs/specs/acpi_mem_hotplug.txt
index 1290994..85cd4b8 100644
--- a/docs/specs/acpi_mem_hotplug.txt
+++ b/docs/specs/acpi_mem_hotplug.txt
@@ -19,7 +19,9 @@ Memory hot-plug interface (IO port 0xa00-0xa17, 1-4 byte 
access):
   1: Device insert event, used to distinguish device for which
  no device check event to OSPM was issued.
  It's valid only when bit 1 is set.
-  2-7: reserved and should be ignored by OSPM
+  2: Device remove event, used to distinguish device for which
+ no device check event to OSPM was issued.
+  3-7: reserved and should be ignored by OSPM
   [0x15-0x17] reserved
 
   write access:
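Review bot: the new read-side text for bit 2 ("used to distinguish device for which no device check event to OSPM was issued") is copied from bit 1 and describes insertion; for removal the notification that may not have reached OSPM is the eject request, so say so, and state when the bit is meaningful (the existing "valid only when bit 1 is set" sentence on bit 1 reads as self-referential and could be fixed at the same time).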
@@ -35,7 +37,12 @@ Memory hot-plug interface (IO port 0xa00-0xa17, 1-4 byte 
access):
   1: if set to 1 clears device insert event, set by OSPM
  after it has emitted device check event for the
  selected memory device
-  2-7: reserved, OSPM must clear them before writing to register
+  2: if set to 1 clears device remove event, set by OSPM
+ after it has emitted device check event for the
+ selected memory device. if guest fails to eject device, it
+ should send OST event about it and forget about device
+ removal.
+  3-7: reserved, OSPM must clear them before writing to register
 
 Selecting memory device slot beyond present range has no effect on platform:
- write accesses to memory hot-plug registers not documented above are
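Review bot: "if set to 1 clears device remove event" understates the write's effect: in the memory_hotplug.c hunk of this patch, writing bit 2 is what triggers hotplug_handler_unplug(), i.e. it is the guest's eject acknowledgement and the device disappears. State that explicitly, and make the failure case concrete: a guest that fails to eject must not write bit 2 and should report through the _OST status register instead, otherwise QEMU removes the DIMM anyway.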
diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index 687b2f1..d6b8c89 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -2,6 +2,7 @@
 #include "hw/acpi/pc-hotplug.h"
 #include "hw/mem/pc-dimm.h"
 #include "hw/boards.h"
+#include "hw/qdev-core.h"
 #include "trace.h"
 #include "qapi-event.h"
 
@@ -91,6 +92,8 @@ static void acpi_memory_hotplug_write(void *opaque, hwaddr 
addr, uint64_t data,
 MemHotplugState *mem_st = opaque;
 MemStatus *mdev;
 ACPIOSTInfo *info;
+DeviceState *dev = NULL;
+HotplugHandler *hotplug_ctrl = NULL;
 
 if (!mem_st->dev_count) {
 return;
@@ -122,19 +125,33 @@ static void acpi_memory_hotplug_write(void *opaque, 
hwaddr addr, uint64_t data,
 mdev = &mem_st->devs[mem_st->selector];
 mdev->ost_status = data;
 trace_mhp_acpi_write_ost_status(mem_st->selector, mdev->ost_status);
-/* TODO: implement memory removal on guest signal */
 
 info = acpi_memory_device_status(mem_st->selector, mdev);
 qapi_event_send_acpi_device_ost(info, &error_abort);
 qapi_free_ACPIOSTInfo(info);
 break;
-case 0x14:
+case 0x14: /* set is_* fields */
 mdev = &mem_st->devs[mem_st->selector];
 if (data & 2) { /* clear insert event */
 mdev->is_inserting  = false;
 trace_mhp_acpi_clear_insert_evt(mem_st->selector);
+} else if (data & 4) { /* request removal of device */
+mdev->is_removing = false;
+trace_mhp_acpi_clear_remove_evt(mem_st->selector);
+/*
+ * QEMU memory hot unplug is an asynchronous procedure. QEMU first
+ * calls pc-dimm unplug request cb to send a SCI to guest. When the
+ * guest OS finished handling the SCI, it evaluates ACPI EJ0, and
+ * QEMU calls pc-dimm unplug cb to remove memory device.
+ */
+dev = DEVICE(mdev->dimm);
+hotplug_ctrl = qdev_get_hotplug_handler(dev);
+/* Call pc-dimm unplug cb. */
+hotplug_handler_unplug(hotplug_ctrl, dev, NULL);
 }
 break;
+default:
+break;
 }
 
 }
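Review bot: the `else if (data & 4)` branch uses `mdev->dimm` with no check that the selected slot is actually mid-removal; the guest can write 4 to this port for any slot, including an empty one, in which case a NULL device pointer reaches qdev_get_hotplug_handler() and QEMU crashes on a guest-controlled write. Guard with `if (mdev->is_removing && mdev->dimm)` before touching the device. Two smaller points in the same branch: `else if` means a guest writing bits 1 and 2 together only clears the insert event and the removal is silently dropped (make the two bits independent `if`s), and passing NULL as errp to hotplug_handler_unplug() discards any failure after is_removing has already been cleared, leaving no trace of a failed eject; log or propagate it.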
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 6be5866..4676ffb 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -273,7 +273,7 @@ void qdev_set_legacy_instance_id(DeviceState *dev, int 
alias_id,
 dev->alias_required_for_version = required_for_version;
 }
 
-static HotplugHandler *qdev_get_hotplug_handler(DeviceState *dev)
+HotplugHandler *qdev_get_hotplug_handler(DeviceState *dev)
 {
 HotplugHandler *hotplug_ctrl = NULL;
 
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index d0a5c85..1ba6102 100644
--- a/

[Qemu-devel] [PATCH v4 4/5] exec: Notify cpu_register_map_client caller if the bounce buffer is available

2015-03-16 Thread Fam Zheng
The caller's workflow is like

if (!address_space_map()) {
...
cpu_register_map_client();
}

If the bounce buffer became available after address_space_map() but before
cpu_register_map_client(), the caller could miss it and would have to wait for
the next bounce buffer notification, which may never happen in the worst case.

Just notify the list in cpu_register_map_client().

Signed-off-by: Fam Zheng 
---
 exec.c | 23 ---
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/exec.c b/exec.c
index 9f6c4f8..0fa7487 100644
--- a/exec.c
+++ b/exec.c
@@ -2489,6 +2489,18 @@ QemuMutex map_client_list_lock;
 static QLIST_HEAD(map_client_list, MapClient) map_client_list
 = QLIST_HEAD_INITIALIZER(map_client_list);
 
+static void cpu_unregister_map_client(void *_client);
+static void cpu_notify_map_clients_locked(void)
+{
+MapClient *client;
+
+while (!QLIST_EMPTY(&map_client_list)) {
+client = QLIST_FIRST(&map_client_list);
+client->callback(client->opaque);
+cpu_unregister_map_client(client);
+}
+}
+
 void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
 {
 MapClient *client = g_malloc(sizeof(*client));
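Review bot: cpu_notify_map_clients_locked is now also reached from cpu_register_map_client with map_client_list_lock held, so client callbacks run under the lock; QemuMutex is not recursive, so a callback that itself calls cpu_register_map_client (the natural thing to do when its retry of address_space_map fails again) deadlocks. Patch 5/5 removes the hazard by turning the callback into a qemu_bh_schedule(), so either reorder the series or state the restriction in this commit message.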
@@ -2497,6 +2509,9 @@ void *cpu_register_map_client(void *opaque, void 
(*callback)(void *opaque))
 client->opaque = opaque;
 client->callback = callback;
 QLIST_INSERT_HEAD(&map_client_list, client, link);
+if (!atomic_read(&bounce.in_use)) {
+cpu_notify_map_clients_locked();
+}
 qemu_mutex_unlock(&map_client_list_lock);
 return client;
 }
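Review bot: the immediate notification runs cpu_unregister_map_client(client) on the entry just inserted, yet the function still ends with `return client;`, handing the caller a freed pointer whenever the buffer was free at registration time. Within this patch any caller that keeps the return value has a use-after-free; patch 5/5 changes the return type to void, which fixes it, so at minimum say here that the return value must not be used, or squash the signature change into this patch.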
@@ -2521,14 +2536,8 @@ static void cpu_unregister_map_client(void *_client)
 
 static void cpu_notify_map_clients(void)
 {
-MapClient *client;
-
 qemu_mutex_lock(&map_client_list_lock);
-while (!QLIST_EMPTY(&map_client_list)) {
-client = QLIST_FIRST(&map_client_list);
-client->callback(client->opaque);
-cpu_unregister_map_client(client);
-}
+cpu_notify_map_clients_locked();
 qemu_mutex_unlock(&map_client_list_lock);
 }
 
-- 
1.9.3




[Qemu-devel] [PATCH v4 0/5] exec: Make bounce buffer thread safe

2015-03-16 Thread Fam Zheng
v4: Remove smp_mb() in patch 1.
Remove two cpu_exec_init_all() calls.
Rename cpu_notify_map_clients_unlocked -> cpu_notify_map_clients_locked.
Add Paolo's rev-by in patch 5.

v3: Address Paolo's comments:
Use atomic_xchg for bounce buffer.
Use mutex and BH for map_client_list.

The global bounce buffer used for non-direct memory access is not thread-safe:

 1) Access to "bounce" is not atomic.

 2) Access to "map_client_list" is not atomic.

 3) In dma_blk_cb, there is a race condition between:

mem = dma_memory_map(...
and
cpu_register_map_client(...

Bounce may become available after dma_memory_map failed but before
cpu_register_map_client is called.

 4) The reschedule_dma is not in the right AioContext;
continue_after_map_failure called from other threads will race with
dma_aio_cancel.

This series fixes these issues respectively.

Fam Zheng (5):
  exec: Atomic access to bounce buffer
  linux-user, bsd-user: Remove two calls to cpu_exec_init_all
  exec: Protect map_client_list with mutex
  exec: Notify cpu_register_map_client caller if the bounce buffer is
available
  dma-helpers: Fix race condition of continue_after_map_failure and
dma_aio_cancel

 bsd-user/main.c   |  1 -
 dma-helpers.c | 17 +--
 exec.c| 76 +++
 include/exec/cpu-common.h |  3 +-
 linux-user/main.c |  1 -
 5 files changed, 61 insertions(+), 37 deletions(-)

-- 
1.9.3
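The first three races this cover letter lists (the non-atomic claim of `bounce`, the unprotected `map_client_list`, and the lost wakeup between a failed map and cpu_register_map_client), replayed in an added single-threaded C model. This is example code, not QEMU's exec.c: the BounceBuffer and MapClient shapes and the function names are assumptions modelled on the series, the mutex is left out because the interleaving is replayed step by step rather than run on threads, the size cap is a stand-in for QEMU's "avoid unbounded allocations" check, and releasing `in_use` on that oversize path is this example's own addition.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Added model of the single bounce buffer and the map-client wait list; not QEMU's exec.c.
 * The real list is protected by map_client_list_lock; this replay is single-threaded. */
typedef struct {
    void *buffer;
    size_t len;
    atomic_bool in_use;           /* the flag patch 1/5 adds, claimed with an atomic exchange */
} BounceBuffer;

static BounceBuffer bounce;

typedef struct MapClient {
    void (*callback)(void *opaque);
    void *opaque;
    struct MapClient *next;
} MapClient;

static MapClient *map_client_list;

#define BOUNCE_MAX 4096           /* assumption: stands in for the unbounded-allocation cap */

/* Claim the bounce buffer. The first caller sees in_use == false and wins; a concurrent
 * caller sees true and gets NULL, so it must register a map client and retry when woken. */
void *bounce_map(size_t len)
{
    if (atomic_exchange(&bounce.in_use, true)) {
        return NULL;
    }
    if (len > BOUNCE_MAX) {
        atomic_store(&bounce.in_use, false);   /* a failure after the claim must release it */
        return NULL;
    }
    bounce.buffer = malloc(len);
    bounce.len = len;
    return bounce.buffer;
}

/* Wake and drop every queued waiter. */
static void notify_map_clients(void)
{
    while (map_client_list) {
        MapClient *c = map_client_list;
        map_client_list = c->next;
        c->callback(c->opaque);
        free(c);
    }
}

/* Release the buffer, clear the claim, then wake waiters (the order patch 1/5 uses). */
void bounce_unmap(void *buffer)
{
    free(buffer);
    bounce.buffer = NULL;
    bounce.len = 0;
    atomic_store(&bounce.in_use, false);
    notify_map_clients();
}

/* Pre-patch behaviour: only queue the client. If the buffer was released between the failed
 * bounce_map() and this call, the notification went to an empty list and is lost. */
void register_map_client_lossy(void (*cb)(void *), void *opaque)
{
    MapClient *c = malloc(sizeof *c);
    c->callback = cb;
    c->opaque = opaque;
    c->next = map_client_list;
    map_client_list = c;
}

/* Patch 4/5 behaviour: queue the client, then re-check the flag and notify at once if the
 * buffer is already free, closing the window between map failure and registration. */
void register_map_client(void (*cb)(void *), void *opaque)
{
    register_map_client_lossy(cb, opaque);
    if (!atomic_load(&bounce.in_use)) {
        notify_map_clients();
    }
}

/* Drop any waiter still queued without running it (cleanup between replays). */
static void drain_map_clients(void)
{
    while (map_client_list) {
        MapClient *c = map_client_list;
        map_client_list = c->next;
        free(c);
    }
}

static void count_wakeup(void *opaque) { ++*(int *)opaque; }

/* Replay the race from the cover letter: A holds the buffer, B's map fails, A unmaps while
 * the list is still empty, then B registers. Returns how many wakeups B got (0 = lost). */
int replay_lost_wakeup(bool fixed)
{
    int wakeups = 0;
    void *a = bounce_map(64);          /* thread A claims the buffer */
    void *b = bounce_map(64);          /* thread B is refused */
    if (!a || b) {
        return -1;
    }
    bounce_unmap(a);                   /* A releases; nobody is queued, nobody is woken */
    if (fixed) {
        register_map_client(count_wakeup, &wakeups);
    } else {
        register_map_client_lossy(count_wakeup, &wakeups);
    }
    drain_map_clients();
    return wakeups;
}

/* Claim/release discipline: a second claimant is refused, an oversize request is refused but
 * releases the claim, so a later request succeeds. Returns 1 when every step behaves. */
int claim_discipline(void)
{
    int ok = 1;
    void *a = bounce_map(64);
    ok = ok && a != NULL;
    ok = ok && bounce_map(64) == NULL;
    bounce_unmap(a);
    ok = ok && bounce_map(BOUNCE_MAX + 1) == NULL;
    void *c = bounce_map(64);
    ok = ok && c != NULL;
    if (c) {
        bounce_unmap(c);
    }
    return ok;
}
```

`replay_lost_wakeup(false)` returns 0 because the only notification happened before B was queued; `replay_lost_wakeup(true)` returns 1 because the registration itself re-checks the flag. `claim_discipline()` shows why every early return after the atomic exchange must clear the flag again: otherwise one refused oversize request would make the bounce buffer unavailable to everyone afterwards.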




[Qemu-devel] [PATCH v4 3/5] exec: Protect map_client_list with mutex

2015-03-16 Thread Fam Zheng
So that accesses from multiple threads are safe.

Signed-off-by: Fam Zheng 
---
 exec.c | 24 +++-
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/exec.c b/exec.c
index 8d21eff..9f6c4f8 100644
--- a/exec.c
+++ b/exec.c
@@ -429,15 +429,6 @@ address_space_translate_for_iotlb(CPUState *cpu, hwaddr 
addr,
 }
 #endif
 
-void cpu_exec_init_all(void)
-{
-#if !defined(CONFIG_USER_ONLY)
-qemu_mutex_init(&ram_list.mutex);
-memory_map_init();
-io_mem_init();
-#endif
-}
-
 #if !defined(CONFIG_USER_ONLY)
 
 static int cpu_common_post_load(void *opaque, int version_id)
@@ -2494,6 +2485,7 @@ typedef struct MapClient {
 QLIST_ENTRY(MapClient) link;
 } MapClient;
 
+QemuMutex map_client_list_lock;
 static QLIST_HEAD(map_client_list, MapClient) map_client_list
 = QLIST_HEAD_INITIALIZER(map_client_list);
 
@@ -2501,12 +2493,24 @@ void *cpu_register_map_client(void *opaque, void 
(*callback)(void *opaque))
 {
 MapClient *client = g_malloc(sizeof(*client));
 
+qemu_mutex_lock(&map_client_list_lock);
 client->opaque = opaque;
 client->callback = callback;
 QLIST_INSERT_HEAD(&map_client_list, client, link);
+qemu_mutex_unlock(&map_client_list_lock);
 return client;
 }
 
+void cpu_exec_init_all(void)
+{
+#if !defined(CONFIG_USER_ONLY)
+qemu_mutex_init(&ram_list.mutex);
+memory_map_init();
+io_mem_init();
+#endif
+qemu_mutex_init(&map_client_list_lock);
+}
+
 static void cpu_unregister_map_client(void *_client)
 {
 MapClient *client = (MapClient *)_client;
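Review bot: cpu_exec_init_all is moved down the file only so that qemu_mutex_init() can see map_client_list_lock; declaring the mutex next to the other file-scope objects, or a forward declaration, would avoid moving an unrelated function. Also, the lock is defined as `QemuMutex map_client_list_lock;` with external linkage while the list it protects is static; make it static too unless something outside exec.c needs it. Finally, qemu_mutex_init() sits outside the `#if !defined(CONFIG_USER_ONLY)` block although user-mode emulation no longer calls cpu_exec_init_all at all after patch 2/5, so it may as well live inside it.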
@@ -2519,11 +2523,13 @@ static void cpu_notify_map_clients(void)
 {
 MapClient *client;
 
+qemu_mutex_lock(&map_client_list_lock);
 while (!QLIST_EMPTY(&map_client_list)) {
 client = QLIST_FIRST(&map_client_list);
 client->callback(client->opaque);
 cpu_unregister_map_client(client);
 }
+qemu_mutex_unlock(&map_client_list_lock);
 }
 
 bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool 
is_write)
-- 
1.9.3




[Qemu-devel] [PATCH v4 5/5] dma-helpers: Fix race condition of continue_after_map_failure and dma_aio_cancel

2015-03-16 Thread Fam Zheng
If DMA's owning thread cancels the IO while the bounce buffer's owning thread
is notifying the "cpu client list", a use-after-free happens:

 continue_after_map_failure   dma_aio_cancel
 ------------------------------------------
 aio_bh_new
                              qemu_bh_delete
 qemu_bh_schedule (use after free)

Also, the old code doesn't run the bh in the right AioContext.

Fix both problems by passing a QEMUBH to cpu_register_map_client.

Signed-off-by: Fam Zheng 
Reviewed-by: Paolo Bonzini 
---
 dma-helpers.c | 17 -
 exec.c| 33 +
 include/exec/cpu-common.h |  3 ++-
 3 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/dma-helpers.c b/dma-helpers.c
index 6918572..1fddf6a 100644
--- a/dma-helpers.c
+++ b/dma-helpers.c
@@ -92,14 +92,6 @@ static void reschedule_dma(void *opaque)
 dma_blk_cb(dbs, 0);
 }
 
-static void continue_after_map_failure(void *opaque)
-{
-DMAAIOCB *dbs = (DMAAIOCB *)opaque;
-
-dbs->bh = qemu_bh_new(reschedule_dma, dbs);
-qemu_bh_schedule(dbs->bh);
-}
-
 static void dma_blk_unmap(DMAAIOCB *dbs)
 {
 int i;
@@ -161,7 +153,9 @@ static void dma_blk_cb(void *opaque, int ret)
 
 if (dbs->iov.size == 0) {
 trace_dma_map_wait(dbs);
-cpu_register_map_client(dbs, continue_after_map_failure);
+dbs->bh = aio_bh_new(blk_get_aio_context(dbs->blk),
+ reschedule_dma, dbs);
+cpu_register_map_client(dbs->bh);
 return;
 }
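Review bot: dbs->bh is assigned a fresh BH every time dma_blk_cb reaches the map-wait path, but the hunk does not show who deletes it on the normal path: if reschedule_dma does not qemu_bh_delete() and NULL dbs->bh before re-entering dma_blk_cb, a second map failure overwrites the pointer and leaks the first BH, and the new dma_aio_cancel() only frees the latest one. Please confirm reschedule_dma handles it, or clear it there.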
 
@@ -183,6 +177,11 @@ static void dma_aio_cancel(BlockAIOCB *acb)
 if (dbs->acb) {
 blk_aio_cancel_async(dbs->acb);
 }
+if (dbs->bh) {
+cpu_unregister_map_client(dbs->bh);
+qemu_bh_delete(dbs->bh);
+dbs->bh = NULL;
+}
 }
 
 
diff --git a/exec.c b/exec.c
index 0fa7487..0f81358 100644
--- a/exec.c
+++ b/exec.c
@@ -2480,8 +2480,7 @@ typedef struct {
 static BounceBuffer bounce;
 
 typedef struct MapClient {
-void *opaque;
-void (*callback)(void *opaque);
+QEMUBH *bh;
 QLIST_ENTRY(MapClient) link;
 } MapClient;
 
@@ -2489,31 +2488,29 @@ QemuMutex map_client_list_lock;
 static QLIST_HEAD(map_client_list, MapClient) map_client_list
 = QLIST_HEAD_INITIALIZER(map_client_list);
 
-static void cpu_unregister_map_client(void *_client);
+static void cpu_unregister_map_client_do(MapClient *client);
 static void cpu_notify_map_clients_locked(void)
 {
 MapClient *client;
 
 while (!QLIST_EMPTY(&map_client_list)) {
 client = QLIST_FIRST(&map_client_list);
-client->callback(client->opaque);
-cpu_unregister_map_client(client);
+qemu_bh_schedule(client->bh);
+cpu_unregister_map_client_do(client);
 }
 }
 
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
+void cpu_register_map_client(QEMUBH *bh)
 {
 MapClient *client = g_malloc(sizeof(*client));
 
 qemu_mutex_lock(&map_client_list_lock);
-client->opaque = opaque;
-client->callback = callback;
+client->bh = bh;
 QLIST_INSERT_HEAD(&map_client_list, client, link);
 if (!atomic_read(&bounce.in_use)) {
 cpu_notify_map_clients_locked();
 }
 qemu_mutex_unlock(&map_client_list_lock);
-return client;
 }
 
 void cpu_exec_init_all(void)
@@ -2526,14 +2523,26 @@ void cpu_exec_init_all(void)
 qemu_mutex_init(&map_client_list_lock);
 }
 
-static void cpu_unregister_map_client(void *_client)
+static void cpu_unregister_map_client_do(MapClient *client)
 {
-MapClient *client = (MapClient *)_client;
-
 QLIST_REMOVE(client, link);
 g_free(client);
 }
 
+void cpu_unregister_map_client(QEMUBH *bh)
+{
+MapClient *client;
+
+qemu_mutex_lock(&map_client_list_lock);
+QLIST_FOREACH(client, &map_client_list, link) {
+if (client->bh == bh) {
+cpu_unregister_map_client_do(client);
+break;
+}
+}
+qemu_mutex_unlock(&map_client_list_lock);
+}
+
 static void cpu_notify_map_clients(void)
 {
 qemu_mutex_lock(&map_client_list_lock);
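Review bot: cpu_unregister_map_client() stops at the first entry whose bh matches (the `break`), so if the same QEMUBH is registered twice only one registration is dropped. Either document that registering a bh twice is not allowed, or drop the `break` and walk the list with QLIST_FOREACH_SAFE so every matching entry is removed. A comment on the new function would also help, since it is silently a no-op when the bh is not found.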
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index fcc3162..43428bd 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -82,7 +82,8 @@ void *cpu_physical_memory_map(hwaddr addr,
   int is_write);
 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
int is_write, hwaddr access_len);
-void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque));
+void cpu_register_map_client(QEMUBH *bh);
+void cpu_unregister_map_client(QEMUBH *bh);
 
 bool cpu_physical_memory_is_io(hwaddr phys_addr);
 
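Review bot: the new prototypes use QEMUBH in include/exec/cpu-common.h; confirm the typedef is visible through the header's existing includes (qemu/typedefs.h provides it) rather than relying on whichever header the .c files happen to include first. The pair of functions would also benefit from a short comment describing the contract: the bh is scheduled once the bounce buffer is free and the registration is dropped at that point.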
-- 
1.9.3




[Qemu-devel] [PATCH v4 1/5] exec: Atomic access to bounce buffer

2015-03-16 Thread Fam Zheng
There could be a race condition when two processes call
address_space_map concurrently and both want to use the bounce buffer.

Add an in_use flag in BounceBuffer to sync it.

Signed-off-by: Fam Zheng 
---
 exec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/exec.c b/exec.c
index e97071a..8d21eff 100644
--- a/exec.c
+++ b/exec.c
@@ -2483,6 +2483,7 @@ typedef struct {
 void *buffer;
 hwaddr addr;
 hwaddr len;
+bool in_use;
 } BounceBuffer;
 
 static BounceBuffer bounce;
@@ -2571,7 +2572,7 @@ void *address_space_map(AddressSpace *as,
 l = len;
 mr = address_space_translate(as, addr, &xlat, &l, is_write);
 if (!memory_access_is_direct(mr, is_write)) {
-if (bounce.buffer) {
+if (atomic_xchg(&bounce.in_use, true)) {
 return NULL;
 }
 /* Avoid unbounded allocations */
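Review bot: atomic_xchg(&bounce.in_use, true) claims the buffer before any allocation happens, and the only place the flag is released is the atomic_mb_set() in address_space_unmap(); there is no failure path between the xchg and the buffer assignment today, but if one is ever added the flag must be cleared on that path or the bounce buffer is lost for the rest of the run. A one-line comment at the xchg stating that in_use is cleared only in address_space_unmap() would make that invariant explicit.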
@@ -2641,6 +2642,7 @@ void address_space_unmap(AddressSpace *as, void *buffer, 
hwaddr len,
 qemu_vfree(bounce.buffer);
 bounce.buffer = NULL;
 memory_region_unref(bounce.mr);
+atomic_mb_set(&bounce.in_use, false);
 cpu_notify_map_clients();
 }
 
-- 
1.9.3




[Qemu-devel] [PATCH v4 2/5] linux-user, bsd-user: Remove two calls to cpu_exec_init_all

2015-03-16 Thread Fam Zheng
The function is a nop for user mode, so just remove them.

Signed-off-by: Fam Zheng 
---
 bsd-user/main.c   | 1 -
 linux-user/main.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/bsd-user/main.c b/bsd-user/main.c
index 1bb2754..5bfaf5c 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -905,7 +905,6 @@ int main(int argc, char **argv)
 #endif
 }
 tcg_exec_init(0);
-cpu_exec_init_all();
 /* NOTE: we need to init the CPU at this stage to get
qemu_host_page_size */
 cpu = cpu_init(cpu_model);
diff --git a/linux-user/main.c b/linux-user/main.c
index 6bd23af..d8b5b4c 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -3936,7 +3936,6 @@ int main(int argc, char **argv, char **envp)
 #endif
 }
 tcg_exec_init(0);
-cpu_exec_init_all();
 /* NOTE: we need to init the CPU at this stage to get
qemu_host_page_size */
 cpu = cpu_init(cpu_model);
-- 
1.9.3




[Qemu-devel] [PATCH for-2.3] opengl: fix configure test

2015-03-16 Thread Gerd Hoffmann
Re-add the glx compile test to configure.  We can't use pkg-config to
probe for glx, and as long as milkymist-tmu2 privately uses glx (due to
opengl infrastructure in qemu not being ready yet) we must continue to
test for glx to avoid build failures.

Reported-by: Juan Quintela 
Signed-off-by: Gerd Hoffmann 
---
 configure | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index b858756..f74a6fd 100755
--- a/configure
+++ b/configure
@@ -3119,9 +3119,24 @@ libs_softmmu="$libs_softmmu $fdt_libs"
 
 ##
 # opengl probe (for sdl2, milkymist-tmu2)
+
+# GLX probe, used by milkymist-tmu2
+# this is temporary, code will be switched to egl mid-term.
+cat > $TMPC << EOF
+#include 
+#include 
+#include 
+int main(void) { glBegin(0); glXQueryVersion(0,0,0); return 0; }
+EOF
+if compile_prog "" "-lGL -lX11" ; then
+  have_glx=yes
+else
+  have_glx=no
+fi
+
 if test "$opengl" != "no" ; then
-  opengl_pkgs="gl glx"
-  if $pkg_config $opengl_pkgs x11; then
+  opengl_pkgs="gl"
+  if $pkg_config $opengl_pkgs x11 && test "$have_glx" = "yes"; then
 opengl_cflags="$($pkg_config --cflags $opengl_pkgs) $x11_cflags"
 opengl_libs="$($pkg_config --libs $opengl_pkgs) $x11_libs"
 opengl=yes
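Review bot: the GLX compile test runs unconditionally, before the `if test "$opengl" != "no"` check, so a build configured with --disable-opengl (or on a host without X11 headers) still pays for it; move the probe inside the opengl block, or at least guard it so the result is only computed when it is needed. The probe also links with a hard-coded "-lGL -lX11" and no $x11_cflags/$x11_libs, so it can disagree with the pkg-config result used two lines later when X11 lives in a non-default prefix. Note also that the three `#include` lines in the hunk as archived show no header names (they appear to have been lost in the archive rendering), so the test as shown would not compile; check the actual patch carries the GL, GLX and X11 headers.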
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH target-arm v2 03/15] arm: Introduce Xilinx ZynqMP SoC

2015-03-16 Thread Peter Crosthwaite
On Thu, Mar 5, 2015 at 10:11 AM, Alistair Francis
 wrote:
> On Tue, Mar 3, 2015 at 10:28 AM, Peter Crosthwaite
>  wrote:
>> With quad Cortex-A53 CPUs.
>>
>> Signed-off-by: Peter Crosthwaite 
>> ---
>> changed since v1:
>> Add &error_abort to CPU child adder call.
>>
>>  default-configs/aarch64-softmmu.mak |  2 +-
>>  hw/arm/Makefile.objs|  1 +
>>  hw/arm/xlnx-zynqmp.c| 71 
>> +
>>  include/hw/arm/xlnx-zynqmp.h| 21 +++
>>  4 files changed, 94 insertions(+), 1 deletion(-)
>>  create mode 100644 hw/arm/xlnx-zynqmp.c
>>  create mode 100644 include/hw/arm/xlnx-zynqmp.h
>>
>> diff --git a/default-configs/aarch64-softmmu.mak 
>> b/default-configs/aarch64-softmmu.mak
>> index 6d3b5c7..96dd994 100644
>> --- a/default-configs/aarch64-softmmu.mak
>> +++ b/default-configs/aarch64-softmmu.mak
>> @@ -3,4 +3,4 @@
>>  # We support all the 32 bit boards so need all their config
>>  include arm-softmmu.mak
>>
>> -# Currently no 64-bit specific config requirements
>> +CONFIG_XLNX_ZYNQMP=y
>> diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
>> index 6088e53..7c6266f 100644
>> --- a/hw/arm/Makefile.objs
>> +++ b/hw/arm/Makefile.objs
>> @@ -8,3 +8,4 @@ obj-y += armv7m.o exynos4210.o pxa2xx.o pxa2xx_gpio.o 
>> pxa2xx_pic.o
>>  obj-$(CONFIG_DIGIC) += digic.o
>>  obj-y += omap1.o omap2.o strongarm.o
>>  obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
>> +obj-$(CONFIG_XLNX_ZYNQMP) += xlnx-zynqmp.o
>> diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
>> new file mode 100644
>> index 000..1b58d65
>> --- /dev/null
>> +++ b/hw/arm/xlnx-zynqmp.c
>> @@ -0,0 +1,71 @@
>> +/*
>> + * Xilinx Zynq MPSoC emulation
>> + *
>> + * Copyright (C) 2015 Xilinx Inc
>> + * Written by Peter Crosthwaite 
>> + *
>> + * This program is free software; you can redistribute it and/or modify it
>> + * under the terms of the GNU General Public License as published by the
>> + * Free Software Foundation; either version 2 of the License, or
>> + * (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful, but 
>> WITHOUT
>> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
>> + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
>> + * for more details.
>> + */
>> +
>> +#include "hw/arm/xlnx-zynqmp.h"
>> +
>> +static void xlnx_zynqmp_init(Object *obj)
>> +{
>> +XlnxZynqMPState *s = XLNX_ZYNQMP(obj);
>> +int i;
>> +
>> +for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
>> +object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
>> +  "cortex-a53-" TYPE_ARM_CPU);
>> +object_property_add_child(obj, "cpu", OBJECT(&s->cpu[i]), 
>> &error_abort);
>
> This property seems to cause errors. When I run:
> ./aarch64-softmmu/qemu-system-aarch64 -M xlnx-ep108
>
> I get the following error (associated with this line):
> qemu-system-aarch64: attempt to add duplicate property 'cpu' to
> object (type 'xlnx,zynqmp')
> Aborted (core dumped)
>

Fixed. I'm still confused as to how I didn't get this in V1.

Regards,
Peter

> Removing the error_abort doesn't help either, then it just seg faults
> further on.
>
> Thanks,
>
> Alistair
>
>> +}
>> +}
>> +
>> +#define ERR_PROP_CHECK_RETURN(err, errp) do { \
>> +if (err) { \
>> +error_propagate((errp), (err)); \
>> +return; \
>> +} \
>> +} while (0)
>> +
>> +static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
>> +{
>> +XlnxZynqMPState *s = XLNX_ZYNQMP(dev);
>> +uint8_t i;
>> +Error *err = NULL;
>> +
>> +for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
>> +object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", 
>> &err);
>> +ERR_PROP_CHECK_RETURN(err, errp);
>> +}
>> +}
>> +
>> +static void xlnx_zynqmp_class_init(ObjectClass *oc, void *data)
>> +{
>> +DeviceClass *dc = DEVICE_CLASS(oc);
>> +
>> +dc->realize = xlnx_zynqmp_realize;
>> +}
>> +
>> +static const TypeInfo xlnx_zynqmp_type_info = {
>> +.name = TYPE_XLNX_ZYNQMP,
>> +.parent = TYPE_DEVICE,
>> +.instance_size = sizeof(XlnxZynqMPState),
>> +.instance_init = xlnx_zynqmp_init,
>> +.class_init = xlnx_zynqmp_class_init,
>> +};
>> +
>> +static void xlnx_zynqmp_register_types(void)
>> +{
>> +type_register_static(&xlnx_zynqmp_type_info);
>> +}
>> +
>> +type_init(xlnx_zynqmp_register_types)
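Review bot: the instance_init loop calls object_property_add_child(obj, "cpu", ...) with the same name on every iteration, which is exactly the "attempt to add duplicate property 'cpu'" abort reported above; each CPU needs a distinct child name, for example "cpu[*]" (QOM expands the [*] suffix to the next free index). Separately, xlnx_zynqmp_realize() uses uint8_t for the loop counter while init uses int; use the same plain int in both so the bound check against XLNX_ZYNQMP_NUM_CPUS reads the same way everywhere.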
>> diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
>> new file mode 100644
>> index 000..d6b3b92
>> --- /dev/null
>> +++ b/include/hw/arm/xlnx-zynqmp.h
>> @@ -0,0 +1,21 @@
>> +#ifndef XLNX_ZYNQMP_H_
>> +
>> +#include "qemu-common.h"
>> +#include "hw/arm/arm.h"
>> +
>> +#define TYPE_XLNX_ZYNQMP "xlnx,zynqmp"
>> +#define XLNX_ZYNQMP(obj) OBJECT_CHECK(XlnxZynqMPState, (obj), \
>> +   TYPE_XLNX_ZYNQMP)
>> +
>> +#define XLNX_ZYNQMP_NUM_CPUS 4
>> +
>> +typedef struct XlnxZynqMPState
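Review bot: the header opens with `#ifndef XLNX_ZYNQMP_H_` but no matching `#define XLNX_ZYNQMP_H_` follows in the visible lines, so the include guard never takes effect and a second inclusion redefines TYPE_XLNX_ZYNQMP and the struct; add the #define directly after the #ifndef (the closing #endif cannot be checked here since the quoted patch is cut off).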

Re: [Qemu-devel] [PATCH] hw/9pfs/virtio-9p-proxy: Fix possible overflow

2015-03-16 Thread Shannon Zhao
On 2015/3/16 15:58, Aneesh Kumar K.V wrote:
> Shannon Zhao  writes:
> 
>> It's detected by coverity. As the maximum length of sockaddr_un.sun_path is
>> sizeof(helper.sun_path), we should check the length of the source
>> and use strncpy instead of strcpy.
>>
>> Signed-off-by: Shannon Zhao 
>> Signed-off-by: Shannon Zhao 
>> ---
>>  hw/9pfs/virtio-9p-proxy.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
>> index 59c7445..fb1ab7b 100644
>> --- a/hw/9pfs/virtio-9p-proxy.c
>> +++ b/hw/9pfs/virtio-9p-proxy.c
>> @@ -1102,12 +1102,13 @@ static int connect_namedsocket(const char *path)
>>  int sockfd, size;
>>  struct sockaddr_un helper;
>>  
>> +g_assert(strlen(path) < sizeof(helper.sun_path));
> 
> Since we are doing this from within Qemu, I did the below and folded
> that into other sockadd_un.sun_path size checking patch.
> 
> diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
> index 6bb191ee6ab8..71b6198bbd22 100644
> --- a/hw/9pfs/virtio-9p-proxy.c
> +++ b/hw/9pfs/virtio-9p-proxy.c
> @@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
>  int sockfd, size;
>  struct sockaddr_un helper;
>  
> +if (strlen(path) >= sizeof(helper.sun_path)) {
> +fprintf(stderr, "Socket name too large\n");
> +return -1;
> +}
>  sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>  if (sockfd < 0) {
>  fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
> 
> 
> Let me know if that is ok for you.
> 

That's OK. :-)

-- 
Thanks,
Shannon

>>  sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
>>  if (sockfd < 0) {
>>  fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
>>  return -1;
>>  }
>> -strcpy(helper.sun_path, path);
>> +strncpy(helper.sun_path, path, sizeof(helper.sun_path));
>>  helper.sun_family = AF_UNIX;
>>  size = strlen(helper.sun_path) + sizeof(helper.sun_family);
>>  if (connect(sockfd, (struct sockaddr *)&helper, size) < 0) {
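Review bot: g_assert() on the length of a user-supplied socket path turns a configuration error into an abort of the whole QEMU process; the variant shown earlier in this thread, which checks `strlen(path) >= sizeof(helper.sun_path)`, prints an error and returns -1, is the better shape. With such a check in place strncpy() buys nothing: strcpy() is already safe and keeps sun_path NUL-terminated, whereas strncpy(..., sizeof(helper.sun_path)) only stays terminated because the check guarantees a spare byte, which the later strlen(helper.sun_path) silently depends on.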
>> -- 
>> 1.8.3.1
> 
> 
> .
> 







[Qemu-devel] [PATCH] acpi: add acpi_send_gpe_event() to rise sci for hotplug

2015-03-16 Thread Zhu Guihua
Add a new API named acpi_send_gpe_event() to send hotplug SCI.
This API can be used by pci, cpu and memory hotplug.

Signed-off-by: Zhu Guihua 
---
 hw/acpi/core.c   |  7 +++
 hw/acpi/cpu_hotplug.c|  3 +--
 hw/acpi/memory_hotplug.c |  3 +--
 hw/acpi/pcihp.c  |  7 ++-
 include/hw/acpi/acpi.h   | 10 ++
 include/hw/acpi/memory_hotplug.h |  2 --
 include/hw/acpi/pc-hotplug.h |  1 -
 7 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 51913d6..8f9386d 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -666,6 +666,13 @@ uint32_t acpi_gpe_ioport_readb(ACPIREGS *ar, uint32_t addr)
 return val;
 }
 
+void acpi_send_gpe_event(ACPIREGS *ar, qemu_irq irq,
+ Acpi_Hotplug_Status status)
+{
+ar->gpe.sts[0] |= status;
+acpi_update_sci(ar, irq);
+}
+
 void acpi_update_sci(ACPIREGS *regs, qemu_irq irq)
 {
 int sci_level, pm1a_sts;
diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
index b8ebfad..f5b9972 100644
--- a/hw/acpi/cpu_hotplug.c
+++ b/hw/acpi/cpu_hotplug.c
@@ -59,8 +59,7 @@ void acpi_cpu_plug_cb(ACPIREGS *ar, qemu_irq irq,
 return;
 }
 
-ar->gpe.sts[0] |= ACPI_CPU_HOTPLUG_STATUS;
-acpi_update_sci(ar, irq);
+acpi_send_gpe_event(ar, irq, ACPI_CPU_HOTPLUG_STATUS);
 }
 
 void acpi_cpu_hotplug_init(MemoryRegion *parent, Object *owner,
diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index c6580da..0736726 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -191,8 +191,7 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 mdev->is_inserting = true;
 
 /* do ACPI magic */
-ar->gpe.sts[0] |= ACPI_MEMORY_HOTPLUG_STATUS;
-acpi_update_sci(ar, irq);
+acpi_send_gpe_event(ar, irq, ACPI_MEMORY_HOTPLUG_STATUS);
 return;
 }
 
diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index 612fec0..4b9b2b0 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -46,7 +46,6 @@
 # define ACPI_PCIHP_DPRINTF(format, ...) do { } while (0)
 #endif
 
-#define ACPI_PCI_HOTPLUG_STATUS 2
 #define ACPI_PCIHP_ADDR 0xae00
 #define ACPI_PCIHP_SIZE 0x0014
 #define ACPI_PCIHP_LEGACY_SIZE 0x000f
@@ -203,8 +202,7 @@ void acpi_pcihp_device_plug_cb(ACPIREGS *ar, qemu_irq irq, 
AcpiPciHpState *s,
 
 s->acpi_pcihp_pci_status[bsel].up |= (1U << slot);
 
-ar->gpe.sts[0] |= ACPI_PCI_HOTPLUG_STATUS;
-acpi_update_sci(ar, irq);
+acpi_send_gpe_event(ar, irq, ACPI_PCI_HOTPLUG_STATUS);
 }
 
 void acpi_pcihp_device_unplug_cb(ACPIREGS *ar, qemu_irq irq, AcpiPciHpState *s,
@@ -221,8 +219,7 @@ void acpi_pcihp_device_unplug_cb(ACPIREGS *ar, qemu_irq 
irq, AcpiPciHpState *s,
 
 s->acpi_pcihp_pci_status[bsel].down |= (1U << slot);
 
-ar->gpe.sts[0] |= ACPI_PCI_HOTPLUG_STATUS;
-acpi_update_sci(ar, irq);
+acpi_send_gpe_event(ar, irq, ACPI_PCI_HOTPLUG_STATUS);
 }
 
 static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
diff --git a/include/hw/acpi/acpi.h b/include/hw/acpi/acpi.h
index 1f678b4..1945dcc 100644
--- a/include/hw/acpi/acpi.h
+++ b/include/hw/acpi/acpi.h
@@ -91,6 +91,13 @@
 /* PM2_CNT */
 #define ACPI_BITMASK_ARB_DISABLE0x0001
 
+/* ACPI HOTPLUG STATUS */
+typedef enum {
+ACPI_PCI_HOTPLUG_STATUS = 2,
+ACPI_CPU_HOTPLUG_STATUS = 4,
+ACPI_MEMORY_HOTPLUG_STATUS = 8,
+} Acpi_Hotplug_Status;
+
 /* structs */
 typedef struct ACPIPMTimer ACPIPMTimer;
 typedef struct ACPIPM1EVT ACPIPM1EVT;
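Review bot: Acpi_Hotplug_Status does not follow QEMU's CamelCase convention for type names (AcpiHotplugStatus would); and since the values are bit flags that are OR-ed into gpe.sts[0], a comment saying they are GPE0 status bits, and that the enum is used as a mask type, would help readers more than the bare list.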
@@ -172,6 +179,9 @@ void acpi_gpe_reset(ACPIREGS *ar);
 void acpi_gpe_ioport_writeb(ACPIREGS *ar, uint32_t addr, uint32_t val);
 uint32_t acpi_gpe_ioport_readb(ACPIREGS *ar, uint32_t addr);
 
+void acpi_send_gpe_event(ACPIREGS *ar, qemu_irq irq,
+ Acpi_Hotplug_Status status);
+
 void acpi_update_sci(ACPIREGS *acpi_regs, qemu_irq irq);
 
 /* acpi.c */
diff --git a/include/hw/acpi/memory_hotplug.h b/include/hw/acpi/memory_hotplug.h
index 7bbf8a0..b56b5c2 100644
--- a/include/hw/acpi/memory_hotplug.h
+++ b/include/hw/acpi/memory_hotplug.h
@@ -5,8 +5,6 @@
 #include "hw/acpi/acpi.h"
 #include "migration/vmstate.h"
 
-#define ACPI_MEMORY_HOTPLUG_STATUS 8
-
 typedef struct MemStatus {
 DeviceState *dimm;
 bool is_enabled;
diff --git a/include/hw/acpi/pc-hotplug.h b/include/hw/acpi/pc-hotplug.h
index efa6ed7..a5a3ac0 100644
--- a/include/hw/acpi/pc-hotplug.h
+++ b/include/hw/acpi/pc-hotplug.h
@@ -16,7 +16,6 @@
  * ONLY DEFINEs are permited in this file since it's shared
  * between C and ASL code.
  */
-#define ACPI_CPU_HOTPLUG_STATUS 4
 
 /* Limit for CPU arch IDs for CPU hotplug. All hotpluggable CPUs should
  * have CPUClass.get_arch_id() < ACPI_CPU_HOTPLUG_ID_LIMIT.
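Review bot: include/hw/acpi/pc-hotplug.h is, per the comment kept in the context, shared between C and ASL code; removing ACPI_CPU_HOTPLUG_STATUS from it is only safe if no ASL source still references the macro, so that should be verified (and stated in the commit message) before the define moves into the C-only enum in acpi.h. The same question applies to the define dropped from memory_hotplug.h.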
-- 
1.9.3




Re: [Qemu-devel] [PULL v4 00/11] Net patches

2015-03-16 Thread Peter Maydell
On 14 March 2015 at 04:19, Scott Feldman  wrote:
> On Thu, Mar 12, 2015 at 12:58 PM, Stefan Hajnoczi  wrote:
>> On Thu, Mar 12, 2015 at 03:03:45PM +, Peter Maydell wrote:
>>> Also fails to build with our minimum glib version

> I verified on glibc 2.13 for the second issue.

Note that "glib" and "glibc" are two different things...

-- PMM



Re: [Qemu-devel] [PULL 0/6] Use tcg_malloc more; tcg_cond_always fix

2015-03-16 Thread Peter Maydell
On 13 March 2015 at 20:23, Richard Henderson  wrote:
>
> I should have sent the pull somewhat before now, I imagine, but if
> there's still room in the schedule before the rc0 hardfreeze I'd
> like to clear my backlog of 5-6 patchsets which all depend on this.

Well, we can probably put this patchset in, but I think it's
getting too late to put the dependent patchsets in (hardfreeze
is tomorrow).

-- PMM



Re: [Qemu-devel] [PATCH] elf-loader: Add missing error handling for call of lseek

2015-03-16 Thread Thomas Huth
On Sat, 14 Mar 2015 16:42:01 +0100
Stefan Weil  wrote:

> This fixes a warning from Coverity.
> 
> Signed-off-by: Stefan Weil 
> ---
>  include/hw/elf_ops.h |4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
> index 16a627b..bd71968 100644
> --- a/include/hw/elf_ops.h
> +++ b/include/hw/elf_ops.h
> @@ -315,7 +315,9 @@ static int glue(load_elf, SZ)(const char *name, int fd,
>  glue(load_symbols, SZ)(&ehdr, fd, must_swab, clear_lsb);
> 
>  size = ehdr.e_phnum * sizeof(phdr[0]);
> -lseek(fd, ehdr.e_phoff, SEEK_SET);
> +if (lseek(fd, ehdr.e_phoff, SEEK_SET) != ehdr.e_phoff) {
> +goto fail;
> +}
>  phdr = g_malloc0(size);
>  if (!phdr)
>  goto fail;
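Review bot: with this change `goto fail` can now be taken before `phdr = g_malloc0(size)`, so the fail: label (not visible here) must cope with phdr still holding its initial value; confirm it is initialised to NULL so the cleanup's free is a no-op. The `if (!phdr) goto fail;` that follows the g_malloc0 is dead code, since g_malloc0 aborts rather than returning NULL, and could go in the same patch. The comparison of lseek()'s off_t result with the unsigned ehdr.e_phoff relies on -1 never converting to a valid offset, which holds but deserves a short comment.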

Looks good.

Reviewed-by: Thomas Huth 




[Qemu-devel] [PATCH 5/6] virtfs-proxy: Fix possible overflow

2015-03-16 Thread Aneesh Kumar K.V
From: Shannon Zhao 

It's detected by coverity. The socket name specified
should fit in sockaddr_un.sun_path. If not, abort.

Signed-off-by: Shannon Zhao 
Signed-off-by: Shannon Zhao 
Signed-off-by: Aneesh Kumar K.V 
---
 fsdev/virtfs-proxy-helper.c | 1 +
 hw/9pfs/virtio-9p-proxy.c   | 4 
 2 files changed, 5 insertions(+)

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index bf2e5f333121..13fe032543bc 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -738,6 +738,7 @@ static int proxy_socket(const char *path, uid_t uid, gid_t 
gid)
 return -1;
 }
 
+g_assert(strlen(path) < sizeof(proxy.sun_path));
 sock = socket(AF_UNIX, SOCK_STREAM, 0);
 if (sock < 0) {
 do_perror("socket");
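Review bot: in the helper, `path` comes from the command line, so g_assert(strlen(path) < sizeof(proxy.sun_path)) turns a bad argument into an abort with a core dump; printing an error and returning -1, matching the error handling a few lines above and the QEMU-side hunk below, would be friendlier. The commit message should also say that the two hunks behave differently (abort in the helper, error return in QEMU), since "If not, abort" only describes one of them.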
diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 6bb191ee6ab8..71b6198bbd22 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -1100,6 +1100,10 @@ static int connect_namedsocket(const char *path)
 int sockfd, size;
 struct sockaddr_un helper;
 
+if (strlen(path) >= sizeof(helper.sun_path)) {
+fprintf(stderr, "Socket name too large\n");
+return -1;
+}
 sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
 if (sockfd < 0) {
 fprintf(stderr, "failed to create socket: %s\n", strerror(errno));
-- 
2.1.0




[Qemu-devel] [PULL] VirtFS update

2015-03-16 Thread Aneesh Kumar K.V

Hi,

Please pull the below update for VirtFS

The following changes since commit ee74801035b0b5f1fdfd4e31d3a53f511f91c804:

  Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150311' into staging 
(2015-03-11 18:22:15 +)

are available in the git repository at:

  https://github.com/kvaneesh/qemu.git for-upstream

for you to fetch changes up to 4ed7b2c3a78f785a1bcbe575e08c379b166723e3:

  virtio: Fix memory leaks reported by Coverity (2015-03-16 13:32:24 +0530)


Michael Tokarev (2):
  9pfs-local: simplify/optimize local_mapped_attr_path()
  9pfs-proxy: tiny cleanups in proxy_pwritev and proxy_preadv

Shannon Zhao (3):
  hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access
  fsdev/virtfs-proxy-helper: Fix improper use of negative value
  virtfs-proxy: Fix possible overflow

Stefan Weil (1):
  virtio: Fix memory leaks reported by Coverity

 fsdev/virtfs-proxy-helper.c   |  4 
 hw/9pfs/virtio-9p-local.c | 52 ---
 hw/9pfs/virtio-9p-posix-acl.c |  2 +-
 hw/9pfs/virtio-9p-proxy.c | 22 +-
 4 files changed, 36 insertions(+), 44 deletions(-)

-- 
2.1.0




[Qemu-devel] [PATCH 4/6] fsdev/virtfs-proxy-helper: Fix improper use of negative value

2015-03-16 Thread Aneesh Kumar K.V
From: Shannon Zhao 

It's detected by coverity. Check the return value of proxy_marshal.

Signed-off-by: Shannon Zhao 
Signed-off-by: Shannon Zhao 
Signed-off-by: Aneesh Kumar K.V 
---
 fsdev/virtfs-proxy-helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index c1da2d78e78b..bf2e5f333121 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -262,6 +262,9 @@ static int send_status(int sockfd, struct iovec *iovec, int 
status)
  */
 msg_size = proxy_marshal(iovec, 0, "ddd", header.type,
  header.size, status);
+if (msg_size < 0) {
+return msg_size;
+}
 retval = socket_write(sockfd, iovec->iov_base, msg_size);
 if (retval < 0) {
 return retval;
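Review bot: the `< 0` test is only meaningful if msg_size is a signed type (ssize_t) matching proxy_marshal()'s return type; the declaration is outside the hunk, so verify it is not size_t or another unsigned type, otherwise the check can never fire and Coverity's finding stays. Returning msg_size directly hands the caller proxy_marshal()'s negative error code, which is consistent with the retval path below.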
-- 
2.1.0




[Qemu-devel] [PATCH 6/6] virtio: Fix memory leaks reported by Coverity

2015-03-16 Thread Aneesh Kumar K.V
From: Stefan Weil 

All four leaks are similar, so fix them in one patch.
The success path was not freeing the memory.

Signed-off-by: Stefan Weil 
Signed-off-by: Aneesh Kumar K.V 
---
 hw/9pfs/virtio-9p-local.c | 28 
 1 file changed, 8 insertions(+), 20 deletions(-)

diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
index 84efb31cfec4..d6b1c0cddef9 100644
--- a/hw/9pfs/virtio-9p-local.c
+++ b/hw/9pfs/virtio-9p-local.c
@@ -486,7 +486,7 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
*dir_path,
 int err = -1;
 int serrno = 0;
 V9fsString fullname;
-char *buffer;
+char *buffer = NULL;
 
 v9fs_string_init(&fullname);
 v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name);
@@ -497,7 +497,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 err = local_set_xattr(buffer, credp);
@@ -510,7 +509,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mknod(buffer, SM_LOCAL_MODE_BITS|S_IFREG, 0);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 err = local_set_mapped_file_attr(fs_ctx, path, credp);
@@ -523,7 +521,6 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mknod(buffer, credp->fc_mode, credp->fc_rdev);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 err = local_post_create_passthrough(fs_ctx, path, credp);
@@ -537,8 +534,8 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath 
*dir_path,
 err_end:
 remove(buffer);
 errno = serrno;
-g_free(buffer);
 out:
+g_free(buffer);
 v9fs_string_free(&fullname);
 return err;
 }
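Review bot: moving the g_free() under `out:` relies on `buffer` being NULL when an early `goto out` is taken before rpath() is called, which the `char *buffer = NULL;` initialisation in the first hunk provides (g_free(NULL) is a no-op). The err_end path still calls remove(buffer) before falling into out:, so buffer must never be NULL there; that holds as long as every branch assigns buffer exactly once before any err_end jump, which is worth a comment since a second rpath() call in the same function would leak the first result.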
@@ -550,7 +547,7 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
*dir_path,
 int err = -1;
 int serrno = 0;
 V9fsString fullname;
-char *buffer;
+char *buffer = NULL;
 
 v9fs_string_init(&fullname);
 v9fs_string_sprintf(&fullname, "%s/%s", dir_path->data, name);
@@ -561,7 +558,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mkdir(buffer, SM_LOCAL_DIR_MODE_BITS);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 credp->fc_mode = credp->fc_mode|S_IFDIR;
@@ -574,7 +570,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mkdir(buffer, SM_LOCAL_DIR_MODE_BITS);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 credp->fc_mode = credp->fc_mode|S_IFDIR;
@@ -588,7 +583,6 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
*dir_path,
 buffer = rpath(fs_ctx, path);
 err = mkdir(buffer, credp->fc_mode);
 if (err == -1) {
-g_free(buffer);
 goto out;
 }
 err = local_post_create_passthrough(fs_ctx, path, credp);
@@ -602,8 +596,8 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath 
*dir_path,
 err_end:
 remove(buffer);
 errno = serrno;
-g_free(buffer);
 out:
+g_free(buffer);
 v9fs_string_free(&fullname);
 return err;
 }
@@ -657,7 +651,7 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
*dir_path, const char *name,
 int err = -1;
 int serrno = 0;
 V9fsString fullname;
-char *buffer;
+char *buffer = NULL;
 
 /*
  * Mark all the open to not follow symlinks
@@ -673,7 +667,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
*dir_path, const char *name,
 buffer = rpath(fs_ctx, path);
 fd = open(buffer, flags, SM_LOCAL_MODE_BITS);
 if (fd == -1) {
-g_free(buffer);
 err = fd;
 goto out;
 }
@@ -688,7 +681,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
*dir_path, const char *name,
 buffer = rpath(fs_ctx, path);
 fd = open(buffer, flags, SM_LOCAL_MODE_BITS);
 if (fd == -1) {
-g_free(buffer);
 err = fd;
 goto out;
 }
@@ -704,7 +696,6 @@ static int local_open2(FsContext *fs_ctx, V9fsPath 
*dir_path, const char *name,
 buffer = rpath(fs_ctx, path);
 fd = open(buffer, flags, credp->fc_mode);
 if (fd == -1) {
-g_free(buffer);
 err = fd;
 goto out;
 }
@@ -722,8 +713,8 @@ err_end:
 close(fd);
 remove(buffer);
 errno = serrno;
-g_free(buffer);
 out:
+g_free(buffer);
 v9fs_string_free(&fullname);
 return err;
 }
@@ -736,7 +727,7 @@ static int local_symlink(FsContext *fs_ctx, const char 
*oldpath,
 int serrno = 0;
 char *newpath;
 V9fsString 

[Qemu-devel] [PATCH 3/6] hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access

2015-03-16 Thread Aneesh Kumar K.V
From: Shannon Zhao 

It's detected by coverity. Fix out-of-bounds access of the function 
mp_dacl_listxattr.

Signed-off-by: Shannon Zhao 
Signed-off-by: Shannon Zhao 
Signed-off-by: Aneesh Kumar K.V 
---
 hw/9pfs/virtio-9p-posix-acl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/9pfs/virtio-9p-posix-acl.c b/hw/9pfs/virtio-9p-posix-acl.c
index 803d9d94f3b8..09dad071e487 100644
--- a/hw/9pfs/virtio-9p-posix-acl.c
+++ b/hw/9pfs/virtio-9p-posix-acl.c
@@ -114,7 +114,7 @@ static ssize_t mp_dacl_listxattr(FsContext *ctx, const char 
*path,
 }
 
 /* len includes the trailing NUL */
-memcpy(value, ACL_ACCESS, len);
+memcpy(value, ACL_DEFAULT, len);
 return 0;
 }
 
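Review bot: the fix swaps the source string to ACL_DEFAULT, but the hunk does not show how `len` is derived; it must be sizeof(ACL_DEFAULT) (the comment says it includes the trailing NUL) for the memcpy to be exact, since presumably copying `len` bytes from the shorter ACL_ACCESS is what produced the out-of-bounds read. A line in the commit message on where len comes from would make the fix self-evident.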
-- 
2.1.0




[Qemu-devel] [PULL for-2.3 01/10] s390x: Replace unchecked qdev_init() by qdev_init_nofail()

2015-03-16 Thread Cornelia Huck
From: Markus Armbruster 

s390_flic_init() is a helper to create and realize either
"s390-flic-kvm" or "s390-flic-qemu".  When qdev_init() fails, it
complains to stderr and succeeds.

Except it can't actually fail, because the "s390-flic-qemu" is a dummy
without a realize method, and "s390-flic-kvm"'s realize can't fail,
even when the kernel device is really unavailable.  Odd.

Replace qdev_init() by qdev_init_nofail() to make "can't fail" locally
obvious, and get rid of the unreachable error reporting.

Cc: Christian Borntraeger 
Cc: Cornelia Huck 
Cc: Alexander Graf 
Signed-off-by: Markus Armbruster 
Acked-by: Cornelia Huck 
Message-Id: <1423128889-18260-4-git-send-email-arm...@redhat.com>
Signed-off-by: Cornelia Huck 
---
 hw/intc/s390_flic.c | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/hw/intc/s390_flic.c b/hw/intc/s390_flic.c
index 03c5e89..02e10b7 100644
--- a/hw/intc/s390_flic.c
+++ b/hw/intc/s390_flic.c
@@ -30,7 +30,6 @@ S390FLICState *s390_get_flic(void)
 void s390_flic_init(void)
 {
 DeviceState *dev;
-int r;
 
 dev = s390_flic_kvm_create();
 if (!dev) {
@@ -38,10 +37,7 @@ void s390_flic_init(void)
 object_property_add_child(qdev_get_machine(), TYPE_QEMU_S390_FLIC,
   OBJECT(dev), NULL);
 }
-r = qdev_init(dev);
-if (r) {
-error_report("flic: couldn't create qdev");
-}
+qdev_init_nofail(dev);
 }
 
 static int qemu_s390_register_io_adapter(S390FLICState *fs, uint32_t id,
-- 
2.3.3




[Qemu-devel] [PATCH 2/6] 9pfs-proxy: tiny cleanups in proxy_pwritev and proxy_preadv

2015-03-16 Thread Aneesh Kumar K.V
From: Michael Tokarev 

Don't compare syscall return with -1, use "<0" condition.
Don't introduce useless local variables when we already
have a similar variable.
Rename local variable to be consistent with other usages.
Finally make the two methods, read and write, similar to each other.

Signed-off-by: Michael Tokarev 
Signed-off-by: Aneesh Kumar K.V 
---
 hw/9pfs/virtio-9p-proxy.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/hw/9pfs/virtio-9p-proxy.c b/hw/9pfs/virtio-9p-proxy.c
index 59c7445deab9..6bb191ee6ab8 100644
--- a/hw/9pfs/virtio-9p-proxy.c
+++ b/hw/9pfs/virtio-9p-proxy.c
@@ -693,16 +693,16 @@ static ssize_t proxy_preadv(FsContext *ctx, 
V9fsFidOpenState *fs,
 const struct iovec *iov,
 int iovcnt, off_t offset)
 {
+ssize_t ret;
 #ifdef CONFIG_PREADV
-return preadv(fs->fd, iov, iovcnt, offset);
+ret = preadv(fs->fd, iov, iovcnt, offset);
 #else
-int err = lseek(fs->fd, offset, SEEK_SET);
-if (err == -1) {
-return err;
-} else {
-return readv(fs->fd, iov, iovcnt);
+ret = lseek(fs->fd, offset, SEEK_SET);
+if (ret >= 0) {
+ret = readv(fs->fd, iov, iovcnt);
 }
 #endif
+return ret;
 }
 
 static ssize_t proxy_pwritev(FsContext *ctx, V9fsFidOpenState *fs,
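Review bot: in the #else branch the off_t result of lseek() is now stored in `ret`, which is ssize_t; on 32-bit hosts built with 64-bit file offsets that truncates the offset, and a valid position above 2 GiB can come back negative (or wrap to a positive value), turning a successful seek into a reported error. Keep an off_t temporary (or compare `lseek(...) < 0` directly) and assign only the readv()/writev() result to ret. The same applies to proxy_pwritev() in the next hunk.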
@@ -714,10 +714,8 @@ static ssize_t proxy_pwritev(FsContext *ctx, 
V9fsFidOpenState *fs,
 #ifdef CONFIG_PREADV
 ret = pwritev(fs->fd, iov, iovcnt, offset);
 #else
-int err = lseek(fs->fd, offset, SEEK_SET);
-if (err == -1) {
-return err;
-} else {
+ret = lseek(fs->fd, offset, SEEK_SET);
+if (ret >= 0) {
 ret = writev(fs->fd, iov, iovcnt);
 }
 #endif
-- 
2.1.0




[Qemu-devel] [PATCH 1/6] 9pfs-local: simplify/optimize local_mapped_attr_path()

2015-03-16 Thread Aneesh Kumar K.V
From: Michael Tokarev 

Omit one unnecessary memory allocation for components
of the path and create the resulting path directly given
lengths of the components.

Do not use basename(3) because there are 2 versions of
this function which differ when the argument ends with a
slash character; use strrchr() instead so we have a
consistent result.  This also makes sure the function
will do the right thing in corner cases (e.g., an empty
pathname is given), when basename(3) returns entirely
another string.

Signed-off-by: Michael Tokarev 
Signed-off-by: Aneesh Kumar K.V 
---
 hw/9pfs/virtio-9p-local.c | 24 +++-
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
index d05c91779f2c..84efb31cfec4 100644
--- a/hw/9pfs/virtio-9p-local.c
+++ b/hw/9pfs/virtio-9p-local.c
@@ -45,19 +45,17 @@
 
 static char *local_mapped_attr_path(FsContext *ctx, const char *path)
 {
-char *dir_name;
-char *tmp_path = g_strdup(path);
-char *base_name = basename(tmp_path);
-char *buffer;
-
-/* NULL terminate the directory */
-dir_name = tmp_path;
-*(base_name - 1) = '\0';
-
-buffer = g_strdup_printf("%s/%s/%s/%s",
- ctx->fs_root, dir_name, VIRTFS_META_DIR, base_name);
-g_free(tmp_path);
-return buffer;
+int dirlen;
+const char *name = strrchr(path, '/');
+if (name) {
+dirlen = name - path;
+++name;
+} else {
+name = path;
+dirlen = 0;
+}
+return g_strdup_printf("%s/%.*s/%s/%s", ctx->fs_root,
+   dirlen, path, VIRTFS_META_DIR, name);
 }
 
 static FILE *local_fopen(const char *path, const char *mode)
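Review bot: with strrchr() the corner cases the commit message mentions produce specific shapes that deserve a comment next to the code: a path with no '/' yields an empty directory component (a "//" in the result), a path ending in '/' yields an empty file name, and an empty path yields both. All are harmless on POSIX for the meta-directory lookup, but stating the intended output for those inputs will stop the next reader from reintroducing basename(3).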
-- 
2.1.0




Re: [Qemu-devel] [PATCH RFC v1 1/2] xen/hw/passthrough: Use errno instead of ret for xc_physdev_map_* calls

2015-03-16 Thread Stefano Stabellini
On Fri, 13 Mar 2015, Konrad Rzeszutek Wilk wrote:
> As the libxc library follows (mostly) the return negative
> for failure and stashes the error value in errno.
> 
> Signed-off-by: Konrad Rzeszutek Wilk 

Acked-by: Stefano Stabellini 

I'll add it to my queue


>  hw/xen/xen_pt.c | 4 ++--
>  hw/xen/xen_pt_msi.c | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
> index c1bf357..d2c187d 100644
> --- a/hw/xen/xen_pt.c
> +++ b/hw/xen/xen_pt.c
> @@ -691,8 +691,8 @@ static int xen_pt_initfn(PCIDevice *d)
>  rc = xc_physdev_map_pirq(xen_xc, xen_domid, machine_irq, &pirq);
>  
>  if (rc < 0) {
> -XEN_PT_ERR(d, "Mapping machine irq %u to pirq %i failed, (rc: %d)\n",
> -   machine_irq, pirq, rc);
> +XEN_PT_ERR(d, "Mapping machine irq %u to pirq %i failed, (err: 
> %d)\n",
> +   machine_irq, pirq, errno);
>  
>  /* Disable PCI intx assertion (turn on bit10 of devctl) */
>  xen_host_pci_set_word(&s->real_device,
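Review bot: the message now drops `rc` entirely, while patch 2/2 prints both `rc` and `errno`; keep both here too, since the caller still branches on `rc` and errno only carries meaning for the libxc -1 return. `strerror(errno)` would also read better than a bare number. Note that errno is only trustworthy because `xc_physdev_map_pirq()` is the immediately preceding call; keep it that way if code is ever added in between.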
> diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
> index 9ed9321..b01921a 100644
> --- a/hw/xen/xen_pt_msi.c
> +++ b/hw/xen/xen_pt_msi.c
> @@ -132,8 +132,8 @@ static int msi_msix_setup(XenPCIPassthroughState *s,
>   msix_entry, table_base);
>  if (rc) {
>  XEN_PT_ERR(&s->dev,
> -   "Mapping of MSI%s (rc: %i, vec: %#x, entry %#x)\n",
> -   is_msix ? "-X" : "", rc, gvec, msix_entry);
> +   "Mapping of MSI%s (err: %i, vec: %#x, entry %#x)\n",
> +   is_msix ? "-X" : "", errno, gvec, msix_entry);
>  return rc;
>  }
>  }
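Review bot: same remark as the previous hunk: `rc` is still returned but no longer logged, so a log reader cannot distinguish a libxc -1 from any other non-zero value; print both. Also, this site tests `if (rc)` where xen_pt.c tests `rc < 0`; since the commit message says libxc returns negative on failure, the two call sites should agree on which condition means failure.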
> -- 
> 2.1.0
> 



Re: [Qemu-devel] [PATCH RFC v1 2/2] xen-hvm: When using xc_domain_add_to_physmap also include errno when reporting

2015-03-16 Thread Stefano Stabellini
On Fri, 13 Mar 2015, Konrad Rzeszutek Wilk wrote:
> .errors - as it will most likely have the proper error value.
> 
> Signed-off-by: Konrad Rzeszutek Wilk 

Acked-by: Stefano Stabellini 


>  xen-hvm.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/xen-hvm.c b/xen-hvm.c
> index 7548794..3d6fed3 100644
> --- a/xen-hvm.c
> +++ b/xen-hvm.c
> @@ -348,7 +348,7 @@ go_physmap:
>  rc = xc_domain_add_to_physmap(xen_xc, xen_domid, XENMAPSPACE_gmfn, 
> idx, gpfn);
>  if (rc) {
>  DPRINTF("add_to_physmap MFN %"PRI_xen_pfn" to PFN %"
> -PRI_xen_pfn" failed: %d\n", idx, gpfn, rc);
> +PRI_xen_pfn" failed: %d (errno: %d)\n", idx, gpfn, rc, 
> errno);
>  return -rc;
>  }
>  }
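Review bot: the logging change is fine, but it makes the `return -rc` two lines below look wrong: the commit message itself says libxc returns a negative value and stashes the real error in errno, so for a -1 return the caller gets 1 rather than anything it can act on. Consider saving errno into a local before the DPRINTF (a stdio call may clobber it) and returning `-saved_errno`.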
> @@ -425,7 +425,7 @@ static int xen_remove_from_physmap(XenIOState *state,
>  rc = xc_domain_add_to_physmap(xen_xc, xen_domid, XENMAPSPACE_gmfn, 
> idx, gpfn);
>  if (rc) {
>  fprintf(stderr, "add_to_physmap MFN %"PRI_xen_pfn" to PFN %"
> -PRI_xen_pfn" failed: %d\n", idx, gpfn, rc);
> +PRI_xen_pfn" failed: %d (errno: %d)\n", idx, gpfn, rc, 
> errno);
>  return -rc;
>  }
>  }
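Review bot: same `return -rc` issue as the previous hunk, and here the log goes through `fprintf(stderr, ...)` directly, so errno must be captured before the call if it is to be returned. The message still says "add_to_physmap" inside `xen_remove_from_physmap()`; that is accurate (the function does call `xc_domain_add_to_physmap`), but naming the enclosing function would make the two otherwise identical messages distinguishable in a log.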
> -- 
> 2.1.0
> 



[Qemu-devel] [PULL for-2.3 07/10] s390x/virtio-bus: Remove unused function s390_virtio_bus_console()

2015-03-16 Thread Cornelia Huck
From: Thomas Huth 

The function s390_virtio_bus_console() is completely unused and thus
can be removed safely.

Signed-off-by: Thomas Huth 
Reviewed-by: Jens Freimann 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-5-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 hw/s390x/s390-virtio-bus.c | 5 -
 hw/s390x/s390-virtio-bus.h | 1 -
 2 files changed, 6 deletions(-)

diff --git a/hw/s390x/s390-virtio-bus.c b/hw/s390x/s390-virtio-bus.c
index 55a5581..047c963 100644
--- a/hw/s390x/s390-virtio-bus.c
+++ b/hw/s390x/s390-virtio-bus.c
@@ -435,11 +435,6 @@ void s390_virtio_device_update_status(VirtIOS390Device 
*dev)
 virtio_set_features(vdev, features);
 }
 
-VirtIOS390Device *s390_virtio_bus_console(VirtIOS390Bus *bus)
-{
-return bus->console;
-}
-
 /* Find a device by vring address */
 VirtIOS390Device *s390_virtio_bus_find_vring(VirtIOS390Bus *bus,
  ram_addr_t mem,
diff --git a/hw/s390x/s390-virtio-bus.h b/hw/s390x/s390-virtio-bus.h
index 810a6ef..96b1890 100644
--- a/hw/s390x/s390-virtio-bus.h
+++ b/hw/s390x/s390-virtio-bus.h
@@ -108,7 +108,6 @@ typedef struct VirtIOS390Bus {
 
 void s390_virtio_device_update_status(VirtIOS390Device *dev);
 
-VirtIOS390Device *s390_virtio_bus_console(VirtIOS390Bus *bus);
 VirtIOS390Bus *s390_virtio_bus_init(ram_addr_t *ram_size);
 
 VirtIOS390Device *s390_virtio_bus_find_vring(VirtIOS390Bus *bus,
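Review bot: removing the accessor is fine, but the .c hunk shows it was a reader of `bus->console`; if nothing else dereferences that field after this patch, drop it from `VirtIOS390Bus` as well rather than leaving a write-only member.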
-- 
2.3.3




[Qemu-devel] [PULL for-2.3 00/10] s390x: final updates

2015-03-16 Thread Cornelia Huck
The following changes since commit 7ccfb495c64e1eef5886dcc4d48523ed6d1d22a4:

  user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm (2015-03-13 15:57:00 
+)

are available in the git repository at:

  git://github.com/cohuck/qemu tags/s390x-20150316

for you to fetch changes up to be0b608a5463a834df0e19911356ae93660d3677:

  s390x/config: Do not include full pci.mak (2015-03-16 10:20:17 +0100)


Final batch of s390x enhancements/fixes for 2.3:
- handle TOD clock during migration
- CPACF key wrap options
- limit amount of pci device code we build
- ensure big endian accesses for ccws
- various fixes and cleanups



Cornelia Huck (1):
  virtio-ccw: assure BE accesses

Dominik Dingel (3):
  kvm: encapsulate HAS_DEVICE for vm attrs
  s390x/kvm: make use of generic vm attribute check
  s390x/ipl: remove dead code

Frank Blaschka (1):
  s390x/pci: fix length in sei_nt2 event

Jason J. Herne (1):
  s390x/kvm: Guest Migration TOD clock synchronization

Markus Armbruster (1):
  s390x: Replace unchecked qdev_init() by qdev_init_nofail()

Thomas Huth (2):
  s390x/virtio-bus: Remove unused function s390_virtio_bus_console()
  s390x/config: Do not include full pci.mak

Tony Krowiak (1):
  s390x: CPACF: Handle key wrap machine options

 default-configs/s390x-softmmu.mak |   3 +-
 hw/intc/s390_flic.c   |   6 +-
 hw/s390x/ipl.c|   3 -
 hw/s390x/s390-pci-bus.c   |   1 +
 hw/s390x/s390-virtio-bus.c|   5 --
 hw/s390x/s390-virtio-bus.h|   1 -
 hw/s390x/s390-virtio-ccw.c|  67 +++
 hw/s390x/s390-virtio.c|  52 +++
 hw/s390x/virtio-ccw.c |  22 ---
 include/sysemu/kvm.h  |  12 
 kvm-all.c |  21 ++
 qemu-options.hx   |  12 +++-
 target-s390x/cpu.h|  34 ++
 target-s390x/kvm.c| 132 --
 14 files changed, 311 insertions(+), 60 deletions(-)

-- 
2.3.3




[Qemu-devel] [PULL for-2.3 03/10] virtio-ccw: assure BE accesses

2015-03-16 Thread Cornelia Huck
All fields in structures transmitted by ccws are big endian; assure
we handle them as such.

Reviewed-by: Thomas Huth 
Reviewed-by: David Hildenbrand 
Signed-off-by: Cornelia Huck 
Message-Id: <1426067871-17693-2-git-send-email-cornelia.h...@de.ibm.com>
---
 hw/s390x/virtio-ccw.c | 22 +-
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index fce52a9..130535c 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -508,7 +508,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 if (!ccw.cda) {
 ret = -EFAULT;
 } else {
-indicators = ldq_phys(&address_space_memory, ccw.cda);
+indicators = ldq_be_phys(&address_space_memory, ccw.cda);
 dev->indicators = get_indicator(indicators, sizeof(uint64_t));
 sch->curr_status.scsw.count = ccw.count - sizeof(indicators);
 ret = 0;
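Review bot: on a big-endian target such as s390x, `ldq_phys()` already resolves to a big-endian access, so this hunk documents intent rather than changing behaviour; the hunk that matters on a little-endian host is the thinint one below, where guest memory is read through a mapped struct. Separately, `ccw.count - sizeof(indicators)` is stored into `scsw.count` with no check visible here that `ccw.count >= sizeof(indicators)`; if that is not done before the switch, a short CCW count wraps to a large value.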
@@ -528,7 +528,7 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 if (!ccw.cda) {
 ret = -EFAULT;
 } else {
-indicators = ldq_phys(&address_space_memory, ccw.cda);
+indicators = ldq_be_phys(&address_space_memory, ccw.cda);
 dev->indicators2 = get_indicator(indicators, sizeof(uint64_t));
 sch->curr_status.scsw.count = ccw.count - sizeof(indicators);
 ret = 0;
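Review bot: this block is identical to the previous one apart from the `indicators2` field; a small helper taking the destination pointer would keep the two endianness fixes from drifting apart in future.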
@@ -548,11 +548,11 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 if (!ccw.cda) {
 ret = -EFAULT;
 } else {
-vq_config.index = lduw_phys(&address_space_memory, ccw.cda);
+vq_config.index = lduw_be_phys(&address_space_memory, ccw.cda);
 vq_config.num_max = virtio_queue_get_num(vdev,
  vq_config.index);
-stw_phys(&address_space_memory,
- ccw.cda + sizeof(vq_config.index), vq_config.num_max);
+stw_be_phys(&address_space_memory,
+ccw.cda + sizeof(vq_config.index), vq_config.num_max);
 sch->curr_status.scsw.count = ccw.count - sizeof(vq_config);
 ret = 0;
 }
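Review bot: the endianness change is correct, but `vq_config.index` comes straight from guest memory and is passed to `virtio_queue_get_num(vdev, vq_config.index)` with no range check visible in this hunk. Unless it is validated earlier, an index beyond the device's virtqueue array reads out of bounds; a check that the index is below the number of queues (setting `ret = -EINVAL` otherwise) before the lookup would close that.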
@@ -580,13 +580,17 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
 if (!thinint) {
 ret = -EFAULT;
 } else {
+uint64_t ind_bit = ldq_be_p(&thinint->ind_bit);
+
 len = hw_len;
 dev->summary_indicator =
-get_indicator(thinint->summary_indicator, sizeof(uint8_t));
-dev->indicators = get_indicator(thinint->device_indicator,
-thinint->ind_bit / 8 + 1);
+get_indicator(ldq_be_p(&thinint->summary_indicator),
+  sizeof(uint8_t));
+dev->indicators =
+get_indicator(ldq_be_p(&thinint->device_indicator),
+  ind_bit / 8 + 1);
 dev->thinint_isc = thinint->isc;
-dev->routes.adapter.ind_offset = thinint->ind_bit;
+dev->routes.adapter.ind_offset = ind_bit;
 dev->routes.adapter.summary_offset = 7;
 cpu_physical_memory_unmap(thinint, hw_len, 0, hw_len);
 ret = css_register_io_adapter(CSS_IO_ADAPTER_VIRTIO,
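Review bot: `thinint->isc` is still read directly while the neighbouring fields get `ldq_be_p()`; that is only correct if `isc` is a single byte, so a comment saying so would stop the next reader from flagging it. The `summary_indicator` and `device_indicator` values are guest-supplied addresses handed to `get_indicator()`, so that function must be where they are validated; worth confirming. Caching `ind_bit` in a local to avoid a second byte swap is good.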
-- 
2.3.3




[Qemu-devel] [PULL for-2.3 08/10] s390x/ipl: remove dead code

2015-03-16 Thread Cornelia Huck
From: Dominik Dingel 

load_image_targphys already checks the max size and will return
an error code. So the follow-on check will never trigger.

Signed-off-by: Dominik Dingel 
Reviewed-by: Cornelia Huck 
Reviewed-by: Thomas Huth 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-6-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 hw/s390x/ipl.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index d6c0a49..54d0835 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -142,9 +142,6 @@ static int s390_ipl_init(SysBusDevice *dev)
 bios_size = load_image_targphys(bios_filename, ZIPL_IMAGE_START,
 4096);
 ipl->bios_start_addr = ZIPL_IMAGE_START;
-if (bios_size > 4096) {
-hw_error("stage1 bootloader is > 4k\n");
-}
 }
 g_free(bios_filename);
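Review bot: the removed check was indeed dead, but the error path it implicitly covered is now gone: `load_image_targphys()` returns -1 when the image does not fit in 4096 bytes (or fails to load), and nothing in this hunk tests `bios_size < 0`, so an oversized or unloadable stage-1 loader would proceed silently where it used to `hw_error()`. If there is no check further down, add one here (hw_error or error_report plus exit).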
 
-- 
2.3.3




Re: [Qemu-devel] [PATCH v4 3/5] exec: Protect map_client_list with mutex

2015-03-16 Thread Paolo Bonzini


On 16/03/2015 10:03, Fam Zheng wrote:
> +void cpu_exec_init_all(void)
> +{
> +#if !defined(CONFIG_USER_ONLY)
> +qemu_mutex_init(&ram_list.mutex);
> +memory_map_init();
> +io_mem_init();
> +#endif

The #if is now unnecessary, but I can fix this.  I'll queue the patch
for 2.4.

Paolo

> +qemu_mutex_init(&map_client_list_lock);



[Qemu-devel] [PULL for-2.3 06/10] s390x: CPACF: Handle key wrap machine options

2015-03-16 Thread Cornelia Huck
From: Tony Krowiak 

Check for the aes_key_wrap and dea_key_wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.

This patch introduces two new machine options for indicating the state of
AES/DEA key wrapping functions.  This controls whether the guest will
have access to the AES/DEA crypto functions.

aes_key_wrap="on | off" is changed to aes-key-wrap="on | off"
dea_key_wrap="on | off" is changed to dea-key-wrap="on | off"

Check for the aes-key-wrap and dea-key-wrap machine options and set the
appropriate KVM device attribute(s) to tell the kernel to enable or disable
the AES/DEA protected key functions for the guest domain.

Reviewed-by: David Hildenbrand 
Signed-off-by: Tony Krowiak 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-4-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 hw/s390x/s390-virtio-ccw.c | 63 ++
 qemu-options.hx| 12 -
 target-s390x/kvm.c | 51 +
 3 files changed, 125 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index eea0742..afb539a 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -22,6 +22,18 @@
 
 #define TYPE_S390_CCW_MACHINE   "s390-ccw-machine"
 
+#define S390_CCW_MACHINE(obj) \
+OBJECT_CHECK(S390CcwMachineState, (obj), TYPE_S390_CCW_MACHINE)
+
+typedef struct S390CcwMachineState {
+/*< private >*/
+MachineState parent_obj;
+
+/*< public >*/
+bool aes_key_wrap;
+bool dea_key_wrap;
+} S390CcwMachineState;
+
 void io_subsystem_reset(void)
 {
 DeviceState *css, *sclp, *flic;
@@ -207,9 +219,60 @@ static void ccw_machine_class_init(ObjectClass *oc, void 
*data)
 nc->nmi_monitor_handler = s390_nmi;
 }
 
+static inline bool machine_get_aes_key_wrap(Object *obj, Error **errp)
+{
+S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+return ms->aes_key_wrap;
+}
+
+static inline void machine_set_aes_key_wrap(Object *obj, bool value,
+Error **errp)
+{
+S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ms->aes_key_wrap = value;
+}
+
+static inline bool machine_get_dea_key_wrap(Object *obj, Error **errp)
+{
+S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+return ms->dea_key_wrap;
+}
+
+static inline void machine_set_dea_key_wrap(Object *obj, bool value,
+Error **errp)
+{
+S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ms->dea_key_wrap = value;
+}
+
+static inline void s390_machine_initfn(Object *obj)
+{
+object_property_add_bool(obj, "aes-key-wrap",
+ machine_get_aes_key_wrap,
+ machine_set_aes_key_wrap, NULL);
+object_property_set_description(obj, "aes-key-wrap",
+"enable/disable AES key wrapping using the CPACF wrapping key",
+NULL);
+object_property_set_bool(obj, true, "aes-key-wrap", NULL);
+
+object_property_add_bool(obj, "dea-key-wrap",
+ machine_get_dea_key_wrap,
+ machine_set_dea_key_wrap, NULL);
+object_property_set_description(obj, "dea-key-wrap",
+"enable/disable DEA key wrapping using the CPACF wrapping key",
+NULL);
+object_property_set_bool(obj, true, "dea-key-wrap", NULL);
+}
+
 static const TypeInfo ccw_machine_info = {
 .name  = TYPE_S390_CCW_MACHINE,
 .parent= TYPE_MACHINE,
+.instance_size = sizeof(S390CcwMachineState),
+.instance_init = s390_machine_initfn,
 .class_init= ccw_machine_class_init,
 .interfaces = (InterfaceInfo[]) {
 { TYPE_NMI },
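Review bot: the four accessors are declared `static inline`, yet their addresses are passed to `object_property_add_bool()`, so `inline` buys nothing; plain `static` is the usual form. All four ignore `errp`, which is acceptable for a bool property, but a short comment that the default is on (the two `object_property_set_bool(obj, true, ...)` calls) and that the flags are consumed by the KVM code in target-s390x/kvm.c would help readers of this file, since the consumer is not visible here.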
diff --git a/qemu-options.hx b/qemu-options.hx
index 837624d..ad07dde 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -37,7 +37,9 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
 "kvm_shadow_mem=size of KVM shadow MMU\n"
 "dump-guest-core=on|off include guest memory in a core 
dump (default=on)\n"
 "mem-merge=on|off controls memory merge support (default: 
on)\n"
-"iommu=on|off controls emulated Intel IOMMU (VT-d) support 
(default=off)\n",
+"iommu=on|off controls emulated Intel IOMMU (VT-d) support 
(default=off)\n"
+"aes-key-wrap=on|off controls support for AES key wrapping 
(default=on)\n"
+"dea-key-wrap=on|off controls support for DEA key wrapping 
(default=on)\n",
 QEMU_ARCH_ALL)
 STEXI
 @item -machine [type=]@var{name}[,prop=@var{value}[,...]]
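Review bot: the two new help lines sit in a DEF() block tagged QEMU_ARCH_ALL, so `-machine help` on every target will advertise `aes-key-wrap` and `dea-key-wrap`, although the hunk above only adds the property to the s390-ccw machine. Say "(s390x only)" in the help text, or at least in the STEXI description that follows.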
@@ -66,6 +68,14 @@ the host, de-duplicates identical memory pages among VMs 
instances
 (enabled by default).
 @item iommu=on|off
 Enables or disables emulated Intel IOMMU (VT-d) support. The default i

[Qemu-devel] [PULL for-2.3 05/10] s390x/kvm: make use of generic vm attribute check

2015-03-16 Thread Cornelia Huck
From: Dominik Dingel 

By using the new introduced generic interface we
can remove redundancies and clean up.

Reviewed-by: Thomas Huth 
Suggested-by: Thomas Huth 
Signed-off-by: Dominik Dingel 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-3-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 target-s390x/kvm.c | 42 +++---
 1 file changed, 7 insertions(+), 35 deletions(-)

diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index b21a348..38887aa 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -55,6 +55,9 @@
 do { } while (0)
 #endif
 
+#define kvm_vm_check_mem_attr(s, attr) \
+kvm_vm_check_attr(s, KVM_S390_VM_MEM_CTRL, attr)
+
 #define IPA0_DIAG   0x8300
 #define IPA0_SIGP   0xae00
 #define IPA0_B2 0xb200
@@ -122,16 +125,6 @@ static int cap_async_pf;
 
 static void *legacy_s390_alloc(size_t size, uint64_t *align);
 
-static int kvm_s390_supports_mem_limit(KVMState *s)
-{
-struct kvm_device_attr attr = {
-.group = KVM_S390_VM_MEM_CTRL,
-.attr = KVM_S390_VM_MEM_LIMIT_SIZE,
-};
-
-return (kvm_vm_ioctl(s, KVM_HAS_DEVICE_ATTR, &attr) == 0);
-}
-
 static int kvm_s390_query_mem_limit(KVMState *s, uint64_t *memory_limit)
 {
 struct kvm_device_attr attr = {
@@ -153,7 +146,7 @@ int kvm_s390_set_mem_limit(KVMState *s, uint64_t new_limit, 
uint64_t *hw_limit)
 .addr = (uint64_t) &new_limit,
 };
 
-if (!kvm_s390_supports_mem_limit(s)) {
+if (!kvm_vm_check_mem_attr(s, KVM_S390_VM_MEM_LIMIT_SIZE)) {
 return 0;
 }
 
@@ -167,26 +160,6 @@ int kvm_s390_set_mem_limit(KVMState *s, uint64_t 
new_limit, uint64_t *hw_limit)
 return kvm_vm_ioctl(s, KVM_SET_DEVICE_ATTR, &attr);
 }
 
-static int kvm_s390_check_clear_cmma(KVMState *s)
-{
-struct kvm_device_attr attr = {
-.group = KVM_S390_VM_MEM_CTRL,
-.attr = KVM_S390_VM_MEM_CLR_CMMA,
-};
-
-return kvm_vm_ioctl(s, KVM_HAS_DEVICE_ATTR, &attr);
-}
-
-static int kvm_s390_check_enable_cmma(KVMState *s)
-{
-struct kvm_device_attr attr = {
-.group = KVM_S390_VM_MEM_CTRL,
-.attr = KVM_S390_VM_MEM_ENABLE_CMMA,
-};
-
-return kvm_vm_ioctl(s, KVM_HAS_DEVICE_ATTR, &attr);
-}
-
 void kvm_s390_clear_cmma_callback(void *opaque)
 {
 int rc;
@@ -208,7 +181,8 @@ static void kvm_s390_enable_cmma(KVMState *s)
 .attr = KVM_S390_VM_MEM_ENABLE_CMMA,
 };
 
-if (kvm_s390_check_enable_cmma(s) || kvm_s390_check_clear_cmma(s)) {
+if (!kvm_vm_check_mem_attr(s, KVM_S390_VM_MEM_ENABLE_CMMA) ||
+!kvm_vm_check_mem_attr(s, KVM_S390_VM_MEM_CLR_CMMA)) {
 return;
 }
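Review bot: the inverted sense is handled correctly: the removed helpers returned the raw ioctl result (0 = present) while `kvm_vm_check_attr()` returns 1 = present, and the condition flips accordingly. Note the helper folds "attribute absent" and "VM attribute interface unavailable" into the same 0, so the early return here is silent in both cases; a one-line comment that both are deliberately ignored would help.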
 
@@ -224,9 +198,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 cap_sync_regs = kvm_check_extension(s, KVM_CAP_SYNC_REGS);
 cap_async_pf = kvm_check_extension(s, KVM_CAP_ASYNC_PF);
 
-if (kvm_check_extension(s, KVM_CAP_VM_ATTRIBUTES)) {
-kvm_s390_enable_cmma(s);
-}
+kvm_s390_enable_cmma(s);
 
 if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
 || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
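Review bot: dropping the `KVM_CAP_VM_ATTRIBUTES` test here is only safe because `kvm_vm_check_attr()` consults `kvm_vm_attributes_allowed`, which patch 04/10 sets in `kvm_init()` before `kvm_arch_init()` runs. That ordering is an implicit contract; a comment on `kvm_vm_attributes_allowed` (or in `kvm_init`) noting that arch init relies on it would stop someone reordering the capability probes later.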
-- 
2.3.3




Re: [Qemu-devel] [PATCH 1/2] Revert "target-i386: Disable HLE and RTM on Haswell & Broadwell"

2015-03-16 Thread Daniel P. Berrange
On Fri, Mar 13, 2015 at 04:09:56PM -0300, Eduardo Habkost wrote:
> This reverts commit 13704e4c455770d500d6b87b117e32f0d01252c9.
> 
> With the Intel microcode update that removed HLE and RTM, there will be
> different kinds of Haswell and Broadwell CPUs out there: some that still
> have the HLE and RTM features, and some that don't have the HLE and RTM
> features. On both cases people may be willing to use the pc-*-2.3
> machine-types.
> 
> So instead of making the CPU model results confusing by making it depend
> on the machine-type, keep HLE and RTM on the existing Haswell and
> Broadwell CPU models. The plan is to introduce "Haswell-noTSX" and
> "Broadwell-noTSX" CPU models later, for people who have CPUs that don't
> have TSX feature available.
> 
> Signed-off-by: Eduardo Habkost 

Yep, in this situation we need to support both "models" of CPU, so changing
based on machine type is inappropriate in this scenario.

Reviewed-by: Daniel P. Berrange 

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



[Qemu-devel] [PULL for-2.3 02/10] s390x/kvm: Guest Migration TOD clock synchronization

2015-03-16 Thread Cornelia Huck
From: "Jason J. Herne" 

Synchronizes the guest TOD clock across a migration by sending the guest TOD
clock value to the destination system. If the guest TOD clock is not preserved
across a migration then the guest's view of time will snap backwards if the
destination host clock is behind the source host clock. This will cause the
guest to hang immediately upon resuming on the destination system.

Reviewed-by: David Hildenbrand 
Signed-off-by: Jason J. Herne 
Signed-off-by: Jens Freimann 

Message-Id: <1425912968-54387-1-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 hw/s390x/s390-virtio-ccw.c |  4 
 hw/s390x/s390-virtio.c | 52 ++
 target-s390x/cpu.h | 34 ++
 target-s390x/kvm.c | 39 ++
 4 files changed, 129 insertions(+)

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index dac00ce..eea0742 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -181,6 +181,10 @@ static void ccw_init(MachineState *machine)
 
 /* Create VirtIO network adapters */
 s390_create_virtio_net(BUS(css_bus), "virtio-net-ccw");
+
+/* Register savevm handler for guest TOD clock */
+register_savevm(NULL, "todclock", 0, 1,
+gtod_save, gtod_load, kvm_state);
 }
 
 static void ccw_machine_class_init(ObjectClass *oc, void *data)
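Review bot: `opaque` is `kvm_state` here but NULL in the s390_init() registration below; since gtod_save()/gtod_load() never use it, pass the same value at both sites (or NULL at both) so the difference does not look intentional.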
diff --git a/hw/s390x/s390-virtio.c b/hw/s390x/s390-virtio.c
index 412e49b..bdb5388 100644
--- a/hw/s390x/s390-virtio.c
+++ b/hw/s390x/s390-virtio.c
@@ -38,6 +38,7 @@
 #include "hw/s390x/sclp.h"
 #include "hw/s390x/s390_flic.h"
 #include "hw/s390x/s390-virtio.h"
+#include "cpu.h"
 
 //#define DEBUG_S390
 
@@ -53,6 +54,9 @@
 #define ZIPL_FILENAME   "s390-zipl.rom"
 #define TYPE_S390_MACHINE   "s390-machine"
 
+#define S390_TOD_CLOCK_VALUE_MISSING0x00
+#define S390_TOD_CLOCK_VALUE_PRESENT0x01
+
 static VirtIOS390Bus *s390_bus;
 static S390CPU **ipi_states;
 
@@ -196,6 +200,51 @@ void s390_create_virtio_net(BusState *bus, const char 
*name)
 }
 }
 
+void gtod_save(QEMUFile *f, void *opaque)
+{
+uint64_t tod_low;
+uint8_t tod_high;
+int r;
+
+r = s390_get_clock(&tod_high, &tod_low);
+if (r) {
+fprintf(stderr, "WARNING: Unable to get guest clock for migration. "
+"Error code %d. Guest clock will not be migrated "
+"which could cause the guest to hang.\n", r);
+qemu_put_byte(f, S390_TOD_CLOCK_VALUE_MISSING);
+return;
+}
+
+qemu_put_byte(f, S390_TOD_CLOCK_VALUE_PRESENT);
+qemu_put_byte(f, tod_high);
+qemu_put_be64(f, tod_low);
+}
+
+int gtod_load(QEMUFile *f, void *opaque, int version_id)
+{
+uint64_t tod_low;
+uint8_t tod_high;
+int r;
+
+if (qemu_get_byte(f) == S390_TOD_CLOCK_VALUE_MISSING) {
+fprintf(stderr, "WARNING: Guest clock was not migrated. This could "
+"cause the guest to hang.\n");
+return 0;
+}
+
+tod_high = qemu_get_byte(f);
+tod_low = qemu_get_be64(f);
+
+r = s390_set_clock(&tod_high, &tod_low);
+if (r) {
+fprintf(stderr, "WARNING: Unable to set guest clock value. "
+"s390_get_clock returned error %d. This could cause "
+"the guest to hang.\n", r);
+}
+
+return 0;
+}
+
 /* PC hardware initialisation */
 static void s390_init(MachineState *machine)
 {
@@ -253,6 +302,9 @@ static void s390_init(MachineState *machine)
 
 /* Create VirtIO network adapters */
 s390_create_virtio_net((BusState *)s390_bus, "virtio-net-s390");
+
+/* Register savevm handler for guest TOD clock */
+register_savevm(NULL, "todclock", 0, 1, gtod_save, gtod_load, NULL);
 }
 
 void s390_nmi(NMIState *n, int cpu_index, Error **errp)
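Review bot: in gtod_load(), any marker byte other than S390_TOD_CLOCK_VALUE_MISSING is treated as PRESENT; the migration stream is untrusted input, so compare against S390_TOD_CLOCK_VALUE_PRESENT explicitly and return -EINVAL for anything else. The error string in the s390_set_clock() failure path says "s390_get_clock returned error" and should say s390_set_clock. Also, the warning messages go to stderr unconditionally; `error_report()` would match the rest of the tree.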
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 0171de0..8135dda 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -401,6 +401,8 @@ void kvm_s390_vcpu_interrupt(S390CPU *cpu, struct 
kvm_s390_irq *irq);
 void kvm_s390_floating_interrupt(struct kvm_s390_irq *irq);
 int kvm_s390_inject_flic(struct kvm_s390_irq *irq);
 void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code);
+int kvm_s390_get_clock(uint8_t *tod_high, uint64_t *tod_clock);
+int kvm_s390_set_clock(uint8_t *tod_high, uint64_t *tod_clock);
 #else
 static inline void kvm_s390_virtio_irq(int config_change, uint64_t token)
 {
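Review bot: the KVM prototypes name the second parameter `tod_clock` while the non-KVM stubs below call it `tod_low` (and the callers pass a `tod_low`); pick one name for both so the header reads consistently.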
@@ -408,11 +410,40 @@ static inline void kvm_s390_virtio_irq(int config_change, 
uint64_t token)
 static inline void kvm_s390_service_interrupt(uint32_t parm)
 {
 }
+static inline int kvm_s390_get_clock(uint8_t *tod_high, uint64_t *tod_low)
+{
+return -ENOSYS;
+}
+static inline int kvm_s390_set_clock(uint8_t *tod_high, uint64_t *tod_low)
+{
+return -ENOSYS;
+}
 static inline void kvm_s390_access_exception(S390CPU *cpu, uint16_t code,
   

Re: [Qemu-devel] [PATCH 2/2] target-i386: Haswell-noTSX and Broadwell-noTSX

2015-03-16 Thread Daniel P. Berrange
On Fri, Mar 13, 2015 at 04:09:57PM -0300, Eduardo Habkost wrote:
> With the Intel microcode update that removed HLE and RTM, there will be
> different kinds of Haswell and Broadwell CPUs out there: some that still
> have the HLE and RTM features, and some that don't have the HLE and RTM
> features. On both cases people may be willing to use the pc-*-2.3
> machine-types.
> 
> So, to cover both cases, introduce Haswell-noTSX and Broadwell-noTSX CPU
> models, for hosts that have Haswell and Broadwell CPUs without TSX support.
> 
> Signed-off-by: Eduardo Habkost 

The addition of Haswell-noTSX looks good to me.

I'm unclear on whether we truly need Broadwell-noTSX though. Did

Intel actually ship any Broadwell production silicon in which the
microcode disables this feature, or was it only a problem on
pre-production samples of Broadwell ? If the latter, I'd say we
don't need to have a Broadwell-noTSX model added. Perhaps Jun/Don
can confirm from Intel's side.


> ---
>  target-i386/cpu.c | 69 
> +++
>  1 file changed, 69 insertions(+)
> 
> diff --git a/target-i386/cpu.c b/target-i386/cpu.c
> index de3cdce..b693bab 100644
> --- a/target-i386/cpu.c
> +++ b/target-i386/cpu.c
> @@ -1073,6 +1073,39 @@ static X86CPUDefinition builtin_x86_defs[] = {
>  .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
>  },
>  {
> +.name = "Haswell-noTSX",
> +.level = 0xd,
> +.vendor = CPUID_VENDOR_INTEL,
> +.family = 6,
> +.model = 60,
> +.stepping = 1,
> +.features[FEAT_1_EDX] =
> +CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
> +CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA 
> |
> +CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
> +CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
> +CPUID_DE | CPUID_FP87,
> +.features[FEAT_1_ECX] =
> +CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
> +CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
> +CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
> +CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
> +CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
> +CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
> +.features[FEAT_8000_0001_EDX] =
> +CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
> +CPUID_EXT2_SYSCALL,
> +.features[FEAT_8000_0001_ECX] =
> +CPUID_EXT3_LAHF_LM,
> +.features[FEAT_7_0_EBX] =
> +CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
> +CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
> +CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID,
> +.features[FEAT_XSAVE] =
> +CPUID_XSAVE_XSAVEOPT,
> +.xlevel = 0x800A,
> +.model_id = "Intel Core Processor (Haswell, no TSX)",
> +},{
>  .name = "Haswell",
>  .level = 0xd,
>  .vendor = CPUID_VENDOR_INTEL,
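Review bot: style: the new entry closes with `},{` on one line, while the surrounding table puts `},` and `{` on separate lines (see the entry that follows); match that. Content-wise this is presumably the Haswell entry with `CPUID_7_0_EBX_HLE` and `CPUID_7_0_EBX_RTM` dropped from `FEAT_7_0_EBX`; keeping two 30-line definitions in sync by hand is fragile, so a comment on each noTSX entry pointing at its sibling is worth adding.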
> @@ -1108,6 +1141,42 @@ static X86CPUDefinition builtin_x86_defs[] = {
>  .model_id = "Intel Core Processor (Haswell)",
>  },
>  {
> +.name = "Broadwell-noTSX",
> +.level = 0xd,
> +.vendor = CPUID_VENDOR_INTEL,
> +.family = 6,
> +.model = 61,
> +.stepping = 2,
> +.features[FEAT_1_EDX] =
> +CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
> +CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA 
> |
> +CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
> +CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
> +CPUID_DE | CPUID_FP87,
> +.features[FEAT_1_ECX] =
> +CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
> +CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
> +CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
> +CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
> +CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
> +CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
> +.features[FEAT_8000_0001_EDX] =
> +CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
> +CPUID_EXT2_SYSCALL,
> +.features[FEAT_8000_0001_ECX] =
> +CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
> +.features[FEAT_7_0_EBX] =
> +CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
> +CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
> +CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
> +CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
> +CPUID_7_0_EBX_SMAP,
> +.features[FEAT_XSAVE] =
> +CPUID_XSAVE_XSAVEOPT,
> +.xlevel = 0x800A,
> +.model_id = "Intel

[Qemu-devel] [PULL for-2.3 04/10] kvm: encapsulate HAS_DEVICE for vm attrs

2015-03-16 Thread Cornelia Huck
From: Dominik Dingel 

More and more virtual machine specifics between kvm and qemu will be
transferred with vm attributes.
So we encapsulate the common logic in a generic function.

Additionally we need only to check during initialization if kvm supports
virtual machine attributes.

Cc: Paolo Bonzini 
Suggested-by: Thomas Huth 
Reviewed-by: Thomas Huth 
Signed-off-by: Dominik Dingel 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-2-git-send-email-jf...@linux.vnet.ibm.com>
Acked-by: Paolo Bonzini 
Signed-off-by: Cornelia Huck 
---
 include/sysemu/kvm.h | 12 
 kvm-all.c| 21 +
 2 files changed, 33 insertions(+)

diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
index 3792463..197e6c0 100644
--- a/include/sysemu/kvm.h
+++ b/include/sysemu/kvm.h
@@ -225,6 +225,18 @@ int kvm_vcpu_ioctl(CPUState *cpu, int type, ...);
 int kvm_device_ioctl(int fd, int type, ...);
 
 /**
+ * kvm_vm_check_attr - check for existence of a specific vm attribute
+ * @s: The KVMState pointer
+ * @group: the group
+ * @attr: the attribute of that group to query for
+ *
+ * Returns: 1 if the attribute exists
+ *  0 if the attribute either does not exist or if the vm device
+ *interface is unavailable
+ */
+int kvm_vm_check_attr(KVMState *s, uint32_t group, uint64_t attr);
+
+/**
  * kvm_create_device - create a KVM device for the device control API
  * @KVMState: The KVMState pointer
  * @type: The KVM device type (see Documentation/virtual/kvm/devices in the
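Review bot: the function returns 1/0 and the comment documents it that way; making it `bool` would match the `kvm_*_allowed` flags around it and stop callers comparing it with a raw ioctl result. Worth spelling out in the comment that the result is only meaningful after `kvm_init()` has probed `KVM_CAP_VM_ATTRIBUTES`.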
diff --git a/kvm-all.c b/kvm-all.c
index cbedc25..55025cc 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -126,6 +126,7 @@ bool kvm_gsi_routing_allowed;
 bool kvm_gsi_direct_mapping;
 bool kvm_allowed;
 bool kvm_readonly_mem_allowed;
+bool kvm_vm_attributes_allowed;
 
 static const KVMCapabilityInfo kvm_required_capabilites[] = {
 KVM_CAP_INFO(USER_MEMORY),
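Review bot: `kvm_vm_attributes_allowed` is a non-static global, but the header hunk above adds no `extern` declaration for it; either make it `static` (nothing outside kvm-all.c needs it once `kvm_vm_check_attr()` exists) or declare it next to the other `kvm_*_allowed` flags in sysemu/kvm.h.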
@@ -1598,6 +1599,9 @@ static int kvm_init(MachineState *ms)
 kvm_resamplefds_allowed =
 (kvm_check_extension(s, KVM_CAP_IRQFD_RESAMPLE) > 0);
 
+kvm_vm_attributes_allowed =
+(kvm_check_extension(s, KVM_CAP_VM_ATTRIBUTES) > 0);
+
 ret = kvm_arch_init(ms, s);
 if (ret < 0) {
 goto err;
@@ -1936,6 +1940,23 @@ int kvm_device_ioctl(int fd, int type, ...)
 return ret;
 }
 
+int kvm_vm_check_attr(KVMState *s, uint32_t group, uint64_t attr)
+{
+int ret;
+struct kvm_device_attr attribute = {
+.group = group,
+.attr = attr,
+};
+
+if (!kvm_vm_attributes_allowed) {
+return 0;
+}
+
+ret = kvm_vm_ioctl(s, KVM_HAS_DEVICE_ATTR, &attribute);
+/* kvm returns 0 on success for HAS_DEVICE_ATTR */
+return ret ? 0 : 1;
+}
+
 int kvm_has_sync_mmu(void)
 {
 return kvm_check_extension(kvm_state, KVM_CAP_SYNC_MMU);
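Review bot: `kvm_vm_ioctl()` returns a negative errno on failure, so `ret ? 0 : 1` is right, but it also turns an unexpected error (a bad pointer, say) into "attribute absent"; a debug trace of `ret` when it is not the plain "not supported" errno would help diagnose that. The early return on `kvm_vm_attributes_allowed` is what lets the s390 code drop its own capability check, so it must stay first.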
-- 
2.3.3




[Qemu-devel] [PULL for-2.3 09/10] s390x/pci: fix length in sei_nt2 event

2015-03-16 Thread Cornelia Huck
From: Frank Blaschka 

The sei_nt2 event must contain the length of the event.

Signed-off-by: Frank Blaschka 
Signed-off-by: Jens Freimann 
Message-Id: <1426164834-38648-7-git-send-email-jf...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 hw/s390x/s390-pci-bus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/s390x/s390-pci-bus.c b/hw/s390x/s390-pci-bus.c
index dc455a2..3c086f6 100644
--- a/hw/s390x/s390-pci-bus.c
+++ b/hw/s390x/s390-pci-bus.c
@@ -44,6 +44,7 @@ int chsc_sei_nt2_get_event(void *res)
 QTAILQ_REMOVE(&s->pending_sei, sei_cont, link);
 nt2_res->nt = 2;
 nt2_res->cc = sei_cont->cc;
+nt2_res->length = cpu_to_be16(sizeof(ChscSeiNt2Res));
 switch (sei_cont->cc) {
 case 1: /* error event */
 eccdf = (PciCcdfErr *)nt2_res->ccdf;
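Review bot: `cpu_to_be16()` is right for a guest-visible field. Is `sizeof(ChscSeiNt2Res)` the correct length for every event type, or should it reflect the `ccdf` payload of the event selected in the switch below? If the structure carries a fixed-size ccdf buffer the constant is fine; a comment would settle it.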
-- 
2.3.3




[Qemu-devel] [PULL for-2.3 10/10] s390x/config: Do not include full pci.mak

2015-03-16 Thread Cornelia Huck
From: Thomas Huth 

pci.mak includes a lot of devices - and most of them do not make
sense on s390x, like USB controllers or audio cards. These devices
also show up when running "qemu-system-s390x -device help" and thus
could raise the hope for the users that they could use these kind
of devices with qemu-system-s390x. To avoid this confusion, we
should not include pci.mak and rather include the bare minimum
manually instead.

Signed-off-by: Thomas Huth 
Acked-by: Frank Blaschka 
Message-Id: <1426169954-6062-1-git-send-email-th...@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck 
---
 default-configs/s390x-softmmu.mak | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/default-configs/s390x-softmmu.mak 
b/default-configs/s390x-softmmu.mak
index 6ee2ff8..f9e13f1 100644
--- a/default-configs/s390x-softmmu.mak
+++ b/default-configs/s390x-softmmu.mak
@@ -1,4 +1,5 @@
-include pci.mak
+CONFIG_PCI=y
+CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO=y
 CONFIG_SCLPCONSOLE=y
 CONFIG_S390_FLIC=y
-- 
2.3.3




Re: [Qemu-devel] [PATCH] block: Deprecate QCOW/QCOW2 encryption

2015-03-16 Thread Daniel P. Berrange
On Fri, Mar 13, 2015 at 09:09:40PM +0100, Markus Armbruster wrote:
> We've steered users away from QCOW/QCOW2 encryption for a while,
> because it's a flawed design (commit 136cd19 Describe flaws in
> qcow/qcow2 encryption in the docs).
> 
> In addition to flawed crypto, we have comically bad usability, and
> plain old bugs.  Let me show you.
> 
> = Example images =
> 
> I'm going to use a raw image as backing file, and two QCOW2 images,
> one encrypted, and one not:
> 
> $ qemu-img create -f raw backing.img 4m
> Formatting 'backing.img', fmt=raw size=4194304
> $ qemu-img create -f qcow2 -o 
> encryption,backing_file=backing.img,backing_fmt=raw geheim.qcow2 4m
> Formatting 'geheim.qcow2', fmt=qcow2 size=4194304 
> backing_file='backing.img' backing_fmt='raw' encryption=on cluster_size=65536 
> lazy_refcounts=off
> $ qemu-img create -f qcow2 -o backing_file=backing.img,backing_fmt=raw 
> normal.qcow2 4m
> Formatting 'normal.qcow2', fmt=qcow2 size=4194304 
> backing_file='backing.img' backing_fmt='raw' encryption=off 
> cluster_size=65536 lazy_refcounts=off
> 
> = Usability issues =
> 
> == Confusing startup ==
> 
> When no image is encrypted, and you don't give -S, QEMU starts the
> guest immediately:
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio normal.qcow2
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) info status
> VM status: running
> 
> But as soon as there's an encrypted image in play, the guest is *not*
> started, with no notification whatsoever:
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) info status
> VM status: paused (prelaunch)
> 
> If the user figured out that he needs to type "cont" to enter his
> keys, the confusion enters the next level: "cont" asks for at most
> *one* key.  If more are needed, it then silently does nothing.  The
> user has to type "cont" once per encrypted image:
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio -drive 
> if=none,file=geheim.qcow2 -drive if=none,file=geheim.qcow2
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) info status
> VM status: paused (prelaunch)
> (qemu) c
> none0 (geheim.qcow2) is encrypted.
> Password: **
> (qemu) info status
> VM status: paused (prelaunch)
> (qemu) c
> none1 (geheim.qcow2) is encrypted.
> Password: **
> (qemu) info status
> VM status: running
> 
> == Incorrect passwords not caught ==
> 
> All existing encryption schemes give you the GIGO treatment: garbage
> password in, garbage data out.  Guests usually refuse to mount
> garbage, but other usage is prone to data loss.
> 
> == Need to stop the guest to add an encrypted image ==
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) info status
> VM status: running
> (qemu) drive_add "" if=none,file=geheim.qcow2
> Guest must be stopped for opening of encrypted image
> (qemu) stop
> (qemu) drive_add "" if=none,file=geheim.qcow2
> OK
> 
> Commit c3adb58 added this restriction.  Before, we could expose images
> lacking an encryption key to guests, with potentially catastrophic
> results.  See also "Use without key is not always caught".
> 
> = Bugs =
> 
> == Use without key is not always caught ==
> 
> Encrypted images can be in an intermediate state "opened, but no key".
> The weird startup behavior and the need to stop the guest are there to
> ensure the guest isn't exposed to that state.  But other things still
> are!
> 
> * drive_backup
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) drive_backup -f ide0-hd0 out.img raw
> Formatting 'out.img', fmt=raw size=4194304
> 
>   I guess this writes encrypted data to raw image out.img.  Good luck
>   with figuring out how to decrypt that again.
> 
> * commit
> 
> $ qemu-system-x86_64 -nodefaults -display none -monitor stdio geheim.qcow2
> QEMU 2.2.50 monitor - type 'help' for more information
> (qemu) commit ide0-hd0
> 
>   I guess this writes encrypted data into the unencrypted raw backing
>   image, effectively destroying it.
> 
> == QMP device_add of usb-storage fails when it shouldn't ==
> 
> When the image is encrypted, device_add creates the device, defers
> actually attaching it to when the key becomes available, then fails.
> This is wrong.  device_add must either create the device and succeed,
> or do nothing and fail.
> 
> $ qemu-system-x86_64 -nodefaults -display none -usb -qmp stdio -drive 
> if=none,id=foo,file=geheim.qcow2
> {"QMP": {"version": {"qemu": {"micro": 50, "minor": 2, "major": 2}, 
> "package": ""}, "capabilities": []}}
> { "execute": "qmp_capabilities" }
> {"return": {}

[Qemu-devel] [RFC v3] monitor: add memory search commands s, sp

2015-03-16 Thread hw . claudio
From: Claudio Fontana 

usage is similar to the commands x, xp.

Example with string: looking for "ELF" header in memory:

(qemu) s/100cb 0x40001000 "ELF"
searching memory area [40001000-400f5240]
40090001
(qemu) x/20b 0x4009
4009: '\x7f' 'E' 'L' 'F' '\x02' '\x01' '\x01' '\x03'
40090008: '\x00' '\x00' '\x00' '\x00' '\x00' '\x00' '\x00' '\x00'
40090010: '\x02' '\x00' '\xb7' '\x00'

Example with value: looking for 64bit variable value 0x990088

(qemu) s/100xg 0x90004200 0x990088
searching memory area [90004200-9000427a1200]
9000424b3000
9000424c1000

Signed-off-by: Claudio Fontana 
---
 hmp-commands.hx |  28 
 monitor.c   | 140 
 2 files changed, 168 insertions(+)

Hello, looking for some comments on whether the addition of this
command is welcome, and whether the syntax chosen is acceptable,
or how it can be made better.

Thanks!

Claudio

changes from v2:
move value_raw array outside of the inner block.
Hopefully this will also make the patchew tool happy.
Weird that I didn't get that warning/error.

changes from v1:
make checkpatch happy by adding braces here and there.

diff --git a/hmp-commands.hx b/hmp-commands.hx
index d5022d8..2bf5737 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -432,6 +432,34 @@ Start gdbserver session (default @var{port}=1234)
 ETEXI
 
 {
+.name   = "s",
+.args_type  = "fmt:/,addr:l,data:s",
+.params = "/fmt addr data",
+.help   = "search virtual memory starting at 'addr' for 'data'",
+.mhandler.cmd = hmp_memory_search,
+},
+
+STEXI
+@item s/fmt @var{addr} @var{data}
+@findex s
+Virtual memory search starting at @var{addr} for data described by @var{data}.
+ETEXI
+
+{
+.name   = "sp",
+.args_type  = "fmt:/,addr:l,data:s",
+.params = "/fmt addr data",
+.help   = "search physical memory starting at 'addr' for 'data'",
+.mhandler.cmd = hmp_physical_memory_search,
+},
+
+STEXI
+@item sp/fmt @var{addr} @var{data}
+@findex sp
+Physical memory search starting at @var{addr} for data described by @var{data}.
+ETEXI
+
+{
 .name   = "x",
 .args_type  = "fmt:/,addr:l",
 .params = "/fmt addr",
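Review bot: the .help strings and the STEXI entries for s and sp do not explain what /fmt means for a search: per the cover-letter examples (s/100cb, s/100xg) the count selects the length of the area to scan and the size letter selects the width of a numeric value, and the 'i' format is rejected; state that in the @item text so the difference from x/xp (where count is the number of items printed) is documented.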
diff --git a/monitor.c b/monitor.c
index c86a89e..7495d7e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1208,6 +1208,124 @@ static void monitor_printc(Monitor *mon, int c)
 monitor_printf(mon, "'");
 }
 
+static void monitor_print_addr(Monitor *mon, hwaddr addr, bool is_physical)
+{
+if (is_physical) {
+monitor_printf(mon, TARGET_FMT_plx "\n", addr);
+} else {
+monitor_printf(mon, TARGET_FMT_lx "\n", (target_ulong)addr);
+}
+}
+
+/* simple memory search for a byte sequence. The sequence is generated from
+ * a numeric value to look for in guest memory, or from a string.
+ */
+static void memory_search(Monitor *mon, int count, int format, int wsize,
+  hwaddr addr, const char *data_str, bool is_physical)
+{
+int pos, len;   /* pos in the search area, len of area */
+char *hay;  /* buffer for haystack */
+int hay_size;   /* haystack size. Needle size is wsize. */
+const char *needle; /* needle to search in the haystack */
+const char *format_str; /* numeric input format string */
+char value_raw[8];  /* numeric input converted to raw data */
+#define MONITOR_S_CHUNK_SIZE 16000
+
+len = wsize * count;
+if (len < 1) {
+monitor_printf(mon, "invalid search area length.\n");
+return;
+}
+switch (format) {
+case 'i':
+monitor_printf(mon, "format '%c' not supported.\n", format);
+return;
+case 'c':
+needle = data_str;
+wsize = strlen(data_str);
+if (wsize > MONITOR_S_CHUNK_SIZE) {
+monitor_printf(mon, "search string too long [max %d].\n",
+   MONITOR_S_CHUNK_SIZE);
+return;
+}
+break;
+case 'o':
+format_str = "%" SCNo64;
+break;
+default:
+case 'x':
+format_str = "%" SCNx64;
+break;
+case 'u':
+format_str = "%" SCNu64;
+break;
+case 'd':
+format_str = "%" SCNd64;
+break;
+}
+if (format != 'c') {
+uint64_t value;  /* numeric input value */
+void *from = &value;
+if (sscanf(data_str, format_str, &value) != 1) {
+monitor_printf(mon, "could not parse search string "
+   "\"%s\" as format '%c'.\n", data_str, format);
+return;
+}
+#if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
+value = bswap64(value);
+#endif
+#if defined(TARGET_WORDS_BIGENDIAN)
+from += 8 - wsize;
+#endif
+memcpy(value_raw, from, wsize);
+needle = value_raw;
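Review bot: needle (and format_str) are only assigned on some switch paths, which is exactly the -Werror=maybe-uninitialized failure Patchew reports further down this thread; initialise both to NULL at declaration. Two smaller points: arithmetic on a void * ("from += 8 - wsize") is a GCC extension, so declare from as uint8_t *; and the "#define MONITOR_S_CHUNK_SIZE 16000" inside the function body belongs with the file-level defines. Note also that "len = wsize * count" is computed before wsize is replaced by strlen(data_str) in the 'c' case, so for string searches the scanned length is count times the format's size letter, not anything tied to the string; fine if intended, but worth a comment.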

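The command described above builds a byte sequence from a string or a numeric value and scans guest memory for it in fixed-size chunks. As an added example that is not part of Claudio's patch or of QEMU, the C below sketches the same technique stand-alone: build_needle() turns a value into the wsize bytes it occupies in the target's byte order (the patch does this with bswap64 and an offset into value_raw), and search_memory() walks a buffer chunk by chunk, keeping needle_len - 1 bytes of overlap so a match that straddles a chunk boundary is not lost. The keep_overlap flag exists only to show that boundary miss, find_bytes() is a plain stand-in for the memmem() the patch uses, and sample_mem, SAMPLE_BASE (the 0x40001000 start address from the example above) and DEMO_CHUNK are constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Bytes a numeric value occupies in guest memory: wsize (1, 2, 4 or 8) bytes
 * in the target's byte order.  Returns the needle length, 0 if unsupported. */
static size_t build_needle(uint64_t value, int wsize, bool target_big_endian,
                           uint8_t out[8])
{
    if (wsize != 1 && wsize != 2 && wsize != 4 && wsize != 8) {
        return 0;
    }
    for (int i = 0; i < wsize; i++) {
        int shift = target_big_endian ? (wsize - 1 - i) * 8 : i * 8;
        out[i] = (uint8_t)(value >> shift);
    }
    return (size_t)wsize;
}

/* Plain byte scan standing in for the memmem() the monitor patch uses. */
static const uint8_t *find_bytes(const uint8_t *p, size_t n,
                                 const uint8_t *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= n; i++) {
        if (memcmp(p + i, needle, needle_len) == 0) {
            return p + i;
        }
    }
    return NULL;
}

/* Scan len bytes of hay (guest address base) in chunks of at most chunk bytes.
 * With keep_overlap each chunk starts needle_len - 1 bytes before the previous
 * one ended, so a match straddling a boundary is still seen; without it the
 * scan shows the boundary miss.  Hit addresses go to hits[] (up to max_hits);
 * the total number of matches is returned. */
static size_t search_memory(const uint8_t *hay, size_t len, uint64_t base,
                            const uint8_t *needle, size_t needle_len,
                            size_t chunk, bool keep_overlap,
                            uint64_t *hits, size_t max_hits)
{
    size_t nhits = 0, pos = 0;

    if (needle_len == 0 || len < needle_len || chunk < needle_len) {
        return 0;
    }
    while (pos + needle_len <= len) {
        size_t todo = (len - pos < chunk) ? len - pos : chunk;
        const uint8_t *mark = hay + pos, *end = hay + pos + todo, *match;

        while ((match = find_bytes(mark, (size_t)(end - mark),
                                   needle, needle_len)) != NULL) {
            if (nhits < max_hits) {
                hits[nhits] = base + (uint64_t)(match - hay);
            }
            nhits++;
            mark = match + 1;   /* keep scanning; matches may overlap */
        }
        if (pos + todo >= len) {
            break;
        }
        /* todo >= needle_len, so this always makes progress */
        pos += keep_overlap ? todo - (needle_len - 1) : todo;
    }
    return nhits;
}

/* Constructed 40-byte stand-in for guest memory (not a real capture): an ELF
 * magic at offset 5 and little-endian 0x00990088 at offset 34, which straddles
 * the end of the first 36-byte chunk. */
static const uint8_t sample_mem[40] = {
    [5] = 0x7f, [6] = 'E', [7] = 'L', [8] = 'F',
    [34] = 0x88, [35] = 0x00, [36] = 0x99, [37] = 0x00,
};
#define SAMPLE_BASE 0x40001000ULL   /* start address from the example above */
#define DEMO_CHUNK  36              /* deliberately small chunk for the demo */

/* String search, as with s/...c <addr> "ELF": first hit address, or 0. */
static uint64_t demo_string_hit(void)
{
    uint64_t hits[4];
    size_t n = search_memory(sample_mem, sizeof sample_mem, SAMPLE_BASE,
                             (const uint8_t *)"ELF", 3, DEMO_CHUNK, true,
                             hits, 4);
    return n ? hits[0] : 0;
}

/* Value search, as with s/...w <addr> 0x990088 on a little-endian target:
 * first hit address, or 0; keep_overlap=false reproduces the boundary miss. */
static uint64_t demo_value_hit(bool keep_overlap)
{
    uint8_t needle[8];
    uint64_t hits[4];
    size_t nlen = build_needle(0x990088, 4, false, needle);
    size_t n = search_memory(sample_mem, sizeof sample_mem, SAMPLE_BASE,
                             needle, nlen, DEMO_CHUNK, keep_overlap, hits, 4);
    return n ? hits[0] : 0;
}
```

With overlap the value at offset 34 is reported at 0x40001022; without it the first chunk ends two bytes into the value and the second chunk starts after it, so the search returns nothing, which is the case a chunked implementation has to guard against.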
[Qemu-devel] [PATCH] add pci-bridge-seat

2015-03-16 Thread Gerd Hoffmann
Simplifies multiseat configuration, see
docs/multiseat.txt update for details.

Signed-off-by: Gerd Hoffmann 
---
 docs/multiseat.txt | 19 +++
 docs/specs/pci-ids.txt |  1 +
 hw/pci-bridge/pci_bridge_dev.c | 25 -
 include/hw/pci/pci.h   |  1 +
 4 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/docs/multiseat.txt b/docs/multiseat.txt
index b963665..814496e 100644
--- a/docs/multiseat.txt
+++ b/docs/multiseat.txt
@@ -106,6 +106,25 @@ the devices attached to the seat.
 Background info is here:
   http://www.freedesktop.org/wiki/Software/systemd/multiseat/
 
+
+guest side with pci-bridge-seat
+---
+
+Qemu version FIXME and newer has a new pci-bridge-seat device which
+can be used instead of pci-bridge.  Just swap the device name in the
+qemu command line above.  The only difference between the two devices
+is the pci id.  We can match the pci id instead of the device path
+with a nice generic rule now, which simplifies the guest
+configuration:
+
+[root@fedora ~]# cat /etc/udev/rules.d/70-qemu-pci-bridge-seat.rules
+SUBSYSTEM=="pci", ATTR{vendor}=="0x1b36", ATTR{device}=="0x000a", \
+TAG+="seat", ENV{ID_AUTOSEAT}="1"
+
+Patch with this rule will be submitted to upstream udev/systemd, so
+long-term, when systemd with this lands in distros, things will work
+just fine without any manual guest configuration.
+
 Enjoy!
 
 --
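Review bot: "Qemu version FIXME and newer" needs the real release filled in before this goes in, otherwise the placeholder ships in the docs. The udev rule matches vendor 0x1b36 / device 0x000a, which agrees with the pci-ids.txt and pci.h entries in this patch.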
diff --git a/docs/specs/pci-ids.txt b/docs/specs/pci-ids.txt
index c6732fe..cdeb805 100644
--- a/docs/specs/pci-ids.txt
+++ b/docs/specs/pci-ids.txt
@@ -46,6 +46,7 @@ PCI devices (other than virtio):
 1b36:0004  PCI Quad-port 16550A adapter (docs/specs/pci-serial.txt)
 1b36:0005  PCI test device (docs/specs/pci-testdev.txt)
 1b36:0007  PCI SD Card Host Controller Interface (SDHCI)
+1b36:000a  PCI-PCI bridge (multiseat)
 
 All these devices are documented in docs/specs.
 
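Review bot: the other entries in this table name their spec file in parentheses, and the line right below says all these devices are documented in docs/specs; the new 1b36:000a entry has no reference, so add "(docs/multiseat.txt)" or put the device description under docs/specs.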
diff --git a/hw/pci-bridge/pci_bridge_dev.c b/hw/pci-bridge/pci_bridge_dev.c
index 36f73e1..e966d2e 100644
--- a/hw/pci-bridge/pci_bridge_dev.c
+++ b/hw/pci-bridge/pci_bridge_dev.c
@@ -28,7 +28,8 @@
 #include "hw/pci/pci_bus.h"
 #include "hw/hotplug.h"
 
-#define TYPE_PCI_BRIDGE_DEV "pci-bridge"
+#define TYPE_PCI_BRIDGE_DEV  "pci-bridge"
+#define TYPE_PCI_BRIDGE_SEAT_DEV "pci-bridge-seat"
 #define PCI_BRIDGE_DEV(obj) \
 OBJECT_CHECK(PCIBridgeDev, (obj), TYPE_PCI_BRIDGE_DEV)
 
@@ -170,9 +171,31 @@ static const TypeInfo pci_bridge_dev_info = {
 }
 };
 
+/*
+ * Multiseat bridge.  Same as the standard pci bridge, only with a
+ * different pci id, so we can match it easily in the guest for
+ * automagic multiseat configuration.  See docs/multiseat.txt for more.
+ */
+static void pci_bridge_dev_seat_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+k->device_id = PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT;
+dc->desc = "Standard PCI Bridge (multiseat)";
+}
+
+static const TypeInfo pci_bridge_dev_seat_info = {
+.name  = TYPE_PCI_BRIDGE_SEAT_DEV,
+.parent= TYPE_PCI_BRIDGE_DEV,
+.instance_size = sizeof(PCIBridgeDev),
+.class_init= pci_bridge_dev_seat_class_init,
+};
+
 static void pci_bridge_dev_register(void)
 {
 type_register_static(&pci_bridge_dev_info);
+type_register_static(&pci_bridge_dev_seat_info);
 }
 
 type_init(pci_bridge_dev_register);
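Review bot: ".instance_size = sizeof(PCIBridgeDev)" is redundant, since a TypeInfo with .parent = TYPE_PCI_BRIDGE_DEV inherits the parent's instance size when the field is left 0; dropping it keeps the two types from drifting apart if PCIBridgeDev grows. The class_init changes only device_id and desc, which matches the commit message's "only difference is the pci id".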
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index be2d9b8..320c389 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -90,6 +90,7 @@
 #define PCI_DEVICE_ID_REDHAT_TEST0x0005
 #define PCI_DEVICE_ID_REDHAT_SDHCI   0x0007
 #define PCI_DEVICE_ID_REDHAT_PCIE_HOST   0x0008
+#define PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT 0x000a
 #define PCI_DEVICE_ID_REDHAT_QXL 0x0100
 
 #define FMT_PCIBUS  PRIx64
-- 
1.8.3.1




Re: [Qemu-devel] [RFC v3] monitor: add memory search commands s, sp

2015-03-16 Thread Patchew Tool

This series failed Patchew automatic testing.

Find the log fragments below (grepped lines around keywords "error" and
"warning"), or open the following URL to see the full log:

http://qemu.patchew.org/testing/log/<1426501911-1402-1-git-send-email-hw.clau...@gmail.com>

--8<-

  CCqobject/qerror.o
  GEN   trace/generated-events.c
  CCtrace/control.o
  CCtrace/qmp.o
  CCutil/osdep.o
  CCutil/cutils.o
  CCutil/unicode.o
  CCutil/qemu-timer-common.o
  CCutil/oslib-posix.o
  CCutil/qemu-thread-posix.o
  CCutil/event_notifier-posix.o
  CCutil/qemu-openpty.o
  CCutil/envlist.o
  CCutil/path.o
  CCutil/module.o
  CCutil/bitmap.o
  CCutil/bitops.o
  CCutil/hbitmap.o
  CCutil/fifo8.o
  CCutil/acl.o
  CCutil/error.o
  CCutil/qemu-error.o
  CCutil/compatfd.o
  CCutil/id.o
  CCutil/iov.o
  CCutil/aes.o
  CCutil/qemu-config.o
  CCutil/qemu-sockets.o
  CCutil/uri.o
  CCutil/notify.o
  CCutil/qemu-option.o
  CCutil/qemu-progress.o
  CCutil/hexdump.o
  CCutil/crc32c.o
  CCutil/throttle.o
  CCutil/getauxval.o
  CCutil/readline.o
  CCutil/rfifolock.o
  CCutil/rcu.o
  CCstubs/arch-query-cpu-def.o
  CCstubs/bdrv-commit-all.o
  CCstubs/chr-baum-init.o
  CCstubs/chr-msmouse.o
  CCstubs/chr-testdev.o
  CCstubs/clock-warp.o
  CCstubs/cpu-get-clock.o
  CCstubs/cpu-get-icount.o
  CCstubs/dump.o
  CCstubs/fdset-add-fd.o
  CCstubs/fdset-find-fd.o
  CCstubs/fdset-get-fd.o
  CCstubs/fdset-remove-fd.o
  CCstubs/gdbstub.o
  CCstubs/get-fd.o
  CCstubs/get-next-serial.o
  CCstubs/get-vm-name.o
  CCstubs/iothread-lock.o
  CCstubs/is-daemonized.o
  CCstubs/machine-init-done.o
  CCstubs/migr-blocker.o
  CCstubs/mon-is-qmp.o
  CCstubs/mon-printf.o
  CCstubs/mon-set-error.o
  CCstubs/monitor-init.o
  CCstubs/notify-event.o
  CCstubs/qtest.o
  CCstubs/reset.o
  CCstubs/runstate-check.o
  CCstubs/set-fd-handler.o
  CCstubs/slirp.o
  CCstubs/sysbus.o
  CCstubs/uuid.o
  CCstubs/vc-init.o
  CCstubs/vm-stop.o
  CCstubs/vmstate.o
  CCstubs/cpus.o
  CCstubs/kvm.o
  CCstubs/qmp_pc_dimm_device_list.o
  CCqemu-nbd.o
  CCasync.o
  CCthread-pool.o
  CCnbd.o
  CCblock.o
--
  GEN   x86_64-softmmu/hmp-commands.h
  GEN   x86_64-softmmu/qmp-commands-old.h
  GEN   x86_64-softmmu/config-target.h
  CCx86_64-softmmu/exec.o
  CCx86_64-softmmu/translate-all.o
  CCx86_64-softmmu/cpu-exec.o
  CCx86_64-softmmu/tcg/tcg.o
  CCx86_64-softmmu/tcg/tcg-op.o
  CCx86_64-softmmu/tcg/optimize.o
  CCx86_64-softmmu/fpu/softfloat.o
  CCx86_64-softmmu/disas.o
  CCx86_64-softmmu/arch_init.o
  CCx86_64-softmmu/cpus.o
  CCx86_64-softmmu/monitor.o
  CCx86_64-softmmu/gdbstub.o
  CCx86_64-softmmu/balloon.o
  CCx86_64-softmmu/ioport.o
  CCx86_64-softmmu/numa.o
  CCx86_64-softmmu/qtest.o
/var/tmp/patchew-test/git/monitor.c: In function 'memory_search':
/var/tmp/patchew-test/git/monitor.c:1309:19: error: 'needle' may be used 
uninitialized in this function [-Werror=maybe-uninitialized]
 match = memmem(mark, todo, needle, wsize);
   ^
cc1: all warnings being treated as errors
make[1]: *** [monitor.o] Error 1
make[1]: *** Waiting for unfinished jobs
make: *** [subdir-x86_64-softmmu] Error 2

Test failed.




Re: [Qemu-devel] [RFC PATCH] target-ppc: Register CPU class per family only when needed

2015-03-16 Thread Andreas Färber
Am 16.03.2015 um 05:58 schrieb Alexey Kardashevskiy:
> On 03/06/2015 12:17 AM, Alexander Graf wrote:
>> On 05.03.15 02:56, Alexey Kardashevskiy wrote:
>>> At the moment when running in KVM mode, QEMU registers "host" class to
>>> match the current CPU PVR value. It also registers another CPU class
>>> with a CPU family name so if we run QEMU on POWER7 machine, "host" and
>>> "POWER7" classes are created, this way we can always use "-cpu POWER7"
>>> on the actual POWER7 machine.
>>>
>>> The existing code uses DeviceClass::desc field of the CPU class as
>>> a source for the class name; it was pointed out that it is wrong to use
>>> user-visible string as a type name.
>>>
>>> This adds a common CPU class name into PowerPCCPUClass struct.
>>> This makes registration of a CPU named after the family conditional -
>>> PowerPCCPUClass::common_cpu_name has to be non-zero. Only POWER7/POWER8
>>> families have this field initialized by now.
>>>
>>> Signed-off-by: Alexey Kardashevskiy 
>>
>> LGTM. Andreas, do you agree?
> 
> 
> Ping?

No, I don't agree. Inventing a new class field just to distinguish
POWER7/POWER8 here seems like a weird idea, and the code placement is
not fixed either.

I gathered that you want -cpu POWER7 and -cpu POWER8 to work on POWER8
hardware and -cpu POWER7 on POWER7, for migration purposes, correct?

What exact PVRs have you tested on and why does it not work without
those types despite the PVR masking? To investigate I need a test case.

Is this just a question of the generic family type being abstract and
needing an updated PVR value? Which other fields are actually used?

Regards,
Andreas

-- 
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu,
Graham Norton; HRB 21284 (AG Nürnberg)



Re: [Qemu-devel] [RFC PATCH v10 18/24] replay: replay aio requests

2015-03-16 Thread Pavel Dovgaluk
> From: Paolo Bonzini [mailto:pbonz...@redhat.com]
> On 27/02/2015 14:11, Pavel Dovgalyuk wrote:
> > This patch adds identifier to aio requests. ID is used for creating bottom
> > halves and identifying them while replaying.
> > The patch also introduces several functions that make possible replaying
> > of the aio requests.
> 
> Out of curiosity, why did you use this approach instead of using a
> RR-specific block device backend (as you did for network, I think)?  The
> backend could just store the data that is read in the RR file (or in a
> separate file that can be easily mmap-ed), and use a timer to trigger it
> at the right QEMU_CLOCK_VIRTUAL tick.
> 
> I'm sure you considered something like this.  Did you still get
> non-determinism?

We considered this approach. But it requires too much data to be written.
E.g. when loading an OS the guest VM reads gigabytes of data. Writing all
this data to a file incurs a significant slowdown.

Pavel Dovgalyuk




Re: [Qemu-devel] [PULL 0/6] Use tcg_malloc more; tcg_cond_always fix

2015-03-16 Thread Peter Maydell
On 13 March 2015 at 20:23, Richard Henderson  wrote:
>
> I should have sent the pull somewhat before now, I imagine, but if
> there's still room in the schedule before the rc0 hardfreeze I'd
> like to clear my backlog of 5-6 patchsets which all depend on this.
>
>
> r~
>
>
> The following changes since commit 7ccfb495c64e1eef5886dcc4d48523ed6d1d22a4:
>
>   user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm (2015-03-13 
> 15:57:00 +)
>
> are available in the git repository at:
>
>   git://github.com/rth7680/qemu.git tags/tcg-pull-20150313
>
> for you to fetch changes up to 37ed3bf1ee07bb1a26adca0df8718f601f231c0b:
>
>   tcg: Complete handling of ALWAYS and NEVER (2015-03-13 13:08:05 -0700)
>
> 
> Pool TCG data, and ALWAYS/NEVER fix

Applied, thanks.

-- PMM



[Qemu-devel] [PATCH v4 2/5] hw/intc: arm_gic_kvm.c restore config first

2015-03-16 Thread Alex Bennée
As there is logic to deal with the difference between edge and level
triggered interrupts in the kernel we must ensure it knows the
configuration of the IRQs before we restore the pending state.

Signed-off-by: Alex Bennée 
Acked-by: Christoffer Dall 

diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
index 1ad3eb0..2f21ae7 100644
--- a/hw/intc/arm_gic_kvm.c
+++ b/hw/intc/arm_gic_kvm.c
@@ -370,6 +370,11 @@ static void kvm_arm_gic_put(GICState *s)
  * the appropriate CPU interfaces in the kernel) */
 kvm_dist_put(s, 0x800, 8, s->num_irq, translate_targets);
 
+/* irq_state[n].trigger -> GICD_ICFGRn
+ * (restore targets before pending IRQs so we treat level/edge
+ * correctly */
+kvm_dist_put(s, 0xc00, 2, s->num_irq, translate_trigger);
+
 /* irq_state[n].pending + irq_state[n].level -> GICD_ISPENDRn */
 kvm_dist_put(s, 0x280, 1, s->num_irq, translate_clear);
 kvm_dist_put(s, 0x200, 1, s->num_irq, translate_pending);
@@ -378,8 +383,6 @@ static void kvm_arm_gic_put(GICState *s)
 kvm_dist_put(s, 0x380, 1, s->num_irq, translate_clear);
 kvm_dist_put(s, 0x300, 1, s->num_irq, translate_active);
 
-/* irq_state[n].trigger -> GICD_ICFRn */
-kvm_dist_put(s, 0xc00, 2, s->num_irq, translate_trigger);
 
 /* s->priorityX[irq] -> ICD_IPRIORITYRn */
 kvm_dist_put(s, 0x400, 8, s->num_irq, translate_priority);
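Review bot: the comment on the moved call says "restore targets before pending IRQs", but the call at 0xc00 restores the trigger configuration (GICD_ICFGRn, as the comment's first line says), not the targets; reword it to "restore trigger config before pending IRQs so level/edge is handled correctly". The removal also leaves two consecutive blank lines before the priority block; drop one.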
-- 
2.3.2




[Qemu-devel] [PATCH v4 0/5] QEMU ARM64 Migration Fixes

2015-03-16 Thread Alex Bennée
This is hopefully the final update to the series. I've skipped v3 for
the purposes of having a sane relationship to the branch name ;-)

v4
  - Dropped the pl011 IRQ fiddling patch
  - Save/Restore MP STATE
    - moved into kvm.c
    - changed MP_STATE to STOPPED
  - Sync FP State
    - Removed superfluous reg.id++
  - Save/Restore SPSR
    - try and make commentary clearer
    - ensure env->banked_spsr[0] = env->spsr before we sync
  - document env->spsr
    - briefer commit message, leaving questions for the list ;-)

I submitted the kernel side of this on Friday

Branch: https://github.com/stsquad/qemu/tree/migration/fixes-v4
Kernel: 
https://git.linaro.org/people/alex.bennee/linux.git/shortlog/refs/heads/migration/kvmarm-fixes-for-4.0-v3

Alex Bennée (4):
  target-arm: kvm: save/restore mp state
  hw/intc: arm_gic_kvm.c restore config first
  target-arm: kvm64 sync FP register state
  target-arm: cpu.h document why env->spsr exists

Christoffer Dall (1):
  target-arm: kvm64 fix save/restore of SPSR regs

 hw/intc/arm_gic_kvm.c |   7 +++-
 target-arm/cpu.h  |   5 +++
 target-arm/kvm.c  |  40 ++
 target-arm/kvm32.c|   4 ++
 target-arm/kvm64.c| 111 +++---
 target-arm/kvm_arm.h  |  18 
 6 files changed, 178 insertions(+), 7 deletions(-)

-- 
2.3.2




[Qemu-devel] [PATCH v4 3/5] target-arm: kvm64 sync FP register state

2015-03-16 Thread Alex Bennée
For migration to work we need to sync all of the register state. This is
especially noticeable when GCC starts using FP registers as spill
registers even with integer programs.

Signed-off-by: Alex Bennée 

---

v4:
  - fixed merge conflicts
  - rm superfluous reg.id++

diff --git a/target-arm/kvm64.c b/target-arm/kvm64.c
index fed03f2..8fd0c8d 100644
--- a/target-arm/kvm64.c
+++ b/target-arm/kvm64.c
@@ -126,9 +126,17 @@ bool kvm_arm_reg_syncs_via_cpreg_list(uint64_t regidx)
 #define AARCH64_CORE_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U64 | \
  KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
 
+/* The linux headers don't define a 128 bit wide SIMD macro for us */
+#define AARCH64_SIMD_CORE_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U128 | \
+ KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
+
+#define AARCH64_SIMD_CTRL_REG(x)   (KVM_REG_ARM64 | KVM_REG_SIZE_U32 | \
+ KVM_REG_ARM_CORE | KVM_REG_ARM_CORE_REG(x))
+
 int kvm_arch_put_registers(CPUState *cs, int level)
 {
 struct kvm_one_reg reg;
+uint32_t fpr;
 uint64_t val;
 int i;
 int ret;
@@ -207,15 +215,37 @@ int kvm_arch_put_registers(CPUState *cs, int level)
 }
 }
 
+/* Advanced SIMD and FP registers */
+for (i = 0; i < 32; i++) {
+reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+reg.addr = (uintptr_t)(&env->vfp.regs[i]);
+ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+}
+
+reg.addr = (uintptr_t)(&fpr);
+fpr = vfp_get_fpsr(env);
+reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+
+fpr = vfp_get_fpcr(env);
+reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+
 if (!write_list_to_kvmstate(cpu)) {
 return EINVAL;
 }
 
 kvm_arm_sync_mpstate_to_kvm(cpu);
 
-/* TODO:
- * FP state
- */
 return ret;
 }
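Review bot: AARCH64_SIMD_CORE_REG uses KVM_REG_SIZE_U128, so each KVM_SET_ONE_REG in the loop writes 16 bytes starting at &env->vfp.regs[i]; that is only correct if an element of env->vfp.regs is itself 128 bits wide, otherwise consecutive Qn registers overlap and the index must advance by two 64-bit halves per register (regs[2 * i]). Please confirm the element type in the commit message. The same indexing is used in the kvm_arch_get_registers hunk below, so whatever the answer is applies to both.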
 
@@ -223,6 +253,7 @@ int kvm_arch_get_registers(CPUState *cs)
 {
 struct kvm_one_reg reg;
 uint64_t val;
+uint32_t fpr;
 int i;
 int ret;
 
@@ -304,6 +335,31 @@ int kvm_arch_get_registers(CPUState *cs)
 }
 }
 
+/* Advanced SIMD and FP registers */
+for (i = 0; i < 32; i++) {
+reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
+reg.addr = (uintptr_t)(&env->vfp.regs[i]);
+ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+}
+
+reg.addr = (uintptr_t)(&fpr);
+reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+vfp_set_fpsr(env, fpr);
+
+reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, ®);
+if (ret) {
+return ret;
+}
+vfp_set_fpcr(env, fpr);
+
 if (!write_kvmstate_to_list(cpu)) {
 return EINVAL;
 }
-- 
2.3.2




[Qemu-devel] [PATCH v4 1/5] target-arm: kvm: save/restore mp state

2015-03-16 Thread Alex Bennée
This adds the saving and restore of the current Multi-Processing state
of the machine. While the KVM_GET/SET_MP_STATE API exposes a number of
potential states for x86 we only use two for ARM. Either the process is
running or not. We then save this state into the cpu_powered TCG state
to avoid changing the serialisation format.

Signed-off-by: Alex Bennée 

---
v2
  - make mpstate field runtime dependent (kvm_enabled())
  - drop initial KVM_CAP_MP_STATE requirement
  - re-use cpu_powered instead of new field

v4
  - s/HALTED/STOPPED/
  - move code from machine.c to kvm.

diff --git a/target-arm/kvm.c b/target-arm/kvm.c
index 72c1fa1..a74832c 100644
--- a/target-arm/kvm.c
+++ b/target-arm/kvm.c
@@ -458,6 +458,46 @@ void kvm_arm_reset_vcpu(ARMCPU *cpu)
 }
 }
 
+/*
+ * Update KVM's MP_STATE based on what QEMU thinks it is
+ */
+int kvm_arm_sync_mpstate_to_kvm(ARMCPU *cpu)
+{
+if (kvm_check_extension(CPU(cpu)->kvm_state, KVM_CAP_MP_STATE)) {
+struct kvm_mp_state mp_state = {
+.mp_state =
+cpu->powered_off ? KVM_MP_STATE_STOPPED : KVM_MP_STATE_RUNNABLE
+};
+int ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MP_STATE, &mp_state);
+if (ret) {
+fprintf(stderr, "%s: failed to set MP_STATE %d/%s\n",
+__func__, ret, strerror(ret));
+return -1;
+}
+}
+
+return 0;
+}
+
+/*
+ * Sync the KVM MP_STATE into QEMU
+ */
+int kvm_arm_sync_mpstate_to_qemu(ARMCPU *cpu)
+{
+if (kvm_check_extension(CPU(cpu)->kvm_state, KVM_CAP_MP_STATE)) {
+struct kvm_mp_state mp_state;
+int ret = kvm_vcpu_ioctl(CPU(cpu), KVM_GET_MP_STATE, &mp_state);
+if (ret) {
+fprintf(stderr, "%s: failed to get MP_STATE %d/%s\n",
+__func__, ret, strerror(ret));
+abort();
+}
+cpu->powered_off = (mp_state.mp_state == KVM_MP_STATE_STOPPED);
+}
+
+return 0;
+}
+
 void kvm_arch_pre_run(CPUState *cs, struct kvm_run *run)
 {
 }
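Review bot: kvm_vcpu_ioctl() returns a negative errno, so strerror(ret) in both error paths prints the wrong message; use strerror(-ret). The two helpers also disagree on failure handling: _to_kvm returns -1, which the callers added in kvm32.c and kvm64.c discard, while _to_qemu aborts; either propagate the return value from kvm_arch_put_registers or make both paths consistent. Calling kvm_check_extension() on every register sync is avoidable by caching the result once per VM.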
diff --git a/target-arm/kvm32.c b/target-arm/kvm32.c
index 94030d1..49b6bab 100644
--- a/target-arm/kvm32.c
+++ b/target-arm/kvm32.c
@@ -356,6 +356,8 @@ int kvm_arch_put_registers(CPUState *cs, int level)
 return EINVAL;
 }
 
+kvm_arm_sync_mpstate_to_kvm(cpu);
+
 return ret;
 }
 
@@ -427,5 +429,7 @@ int kvm_arch_get_registers(CPUState *cs)
  */
 write_list_to_cpustate(cpu);
 
+kvm_arm_sync_mpstate_to_qemu(cpu);
+
 return 0;
 }
diff --git a/target-arm/kvm64.c b/target-arm/kvm64.c
index 8cf3a62..fed03f2 100644
--- a/target-arm/kvm64.c
+++ b/target-arm/kvm64.c
@@ -211,6 +211,8 @@ int kvm_arch_put_registers(CPUState *cs, int level)
 return EINVAL;
 }
 
+kvm_arm_sync_mpstate_to_kvm(cpu);
+
 /* TODO:
  * FP state
  */
@@ -310,6 +312,8 @@ int kvm_arch_get_registers(CPUState *cs)
  */
 write_list_to_cpustate(cpu);
 
+kvm_arm_sync_mpstate_to_qemu(cpu);
+
 /* TODO: other registers */
 return ret;
 }
diff --git a/target-arm/kvm_arm.h b/target-arm/kvm_arm.h
index 455dea3..7b75758 100644
--- a/target-arm/kvm_arm.h
+++ b/target-arm/kvm_arm.h
@@ -162,6 +162,24 @@ typedef struct ARMHostCPUClass {
  */
 bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc);
 
+
+/**
+ * kvm_arm_sync_mpstate_to_kvm
+ * @cpu: ARMCPU
+ *
+ * If supported set the KVM MP_STATE based on QEMUs migration data.
+ */
+int kvm_arm_sync_mpstate_to_kvm(ARMCPU *cpu);
+
+/**
+ * kvm_arm_sync_mpstate_to_qemu
+ * @cpu: ARMCPU
+ *
+ * If supported get the MP_STATE from KVM and store in QEMUs migration
+ * data.
+ */
+int kvm_arm_sync_mpstate_to_qemu(ARMCPU *cpu);
+
 #endif
 
 #endif
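Review bot: the added "+" blank line after the existing blank leaves two empty lines before the first doc comment, and "QEMUs" should be "QEMU's" in both comments. Since both functions return int but the only failure is reported via -1 or abort(), document what the return value means.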
-- 
2.3.2




[Qemu-devel] [PATCH v4 5/5] target-arm: cpu.h document why env->spsr exists

2015-03-16 Thread Alex Bennée
I was getting very confused about the duplication of state so wanted to
make it explicit.

Signed-off-by: Alex Bennée 

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 083211c..6dc1799 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -155,6 +155,11 @@ typedef struct CPUARMState {
This contains all the other bits.  Use cpsr_{read,write} to access
the whole CPSR.  */
 uint32_t uncached_cpsr;
+/* The spsr is a alias for spsr_elN where N is the current
+ * exception level. It is provided for here so the TCG msr/mrs
+ * implementation can access one register. Care needs to be taken
+ * to ensure the banked_spsr[] is also updated.
+ */
 uint32_t spsr;
 
 /* Banked registers.  */
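Review bot: "a alias" should be "an alias" and "provided for here" should be "provided here". It would help to say where banked_spsr[] is brought back in sync (the kvm64.c put path in patch 4/5 copies env->spsr into the bank before syncing to KVM), so a reader knows which copy is authoritative at which point.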
-- 
2.3.2




[Qemu-devel] [PATCH v4 4/5] target-arm: kvm64 fix save/restore of SPSR regs

2015-03-16 Thread Alex Bennée
From: Christoffer Dall 

The current code was negatively indexing the cpu state array and not
synchronizing banked spsr register state with the current mode's spsr
state, causing occasional failures with migration.

Some munging is done to take care of the aarch64 mapping and also to
ensure the most current value of the spsr is updated to the banked
registers (relevant for KVM<->TCG migration).

Signed-off-by: Christoffer Dall 
Signed-off-by: Alex Bennée 

---
v2 (ajb)
  - minor tweaks and clarifications
v3
  - Use the correct bank index function for setting/getting env->spsr
  - only deal with spsrs in elevated exception levels
v4
 - try and make commentary clearer
 - ensure env->banked_spsr[0] = env->spsr before we sync

diff --git a/target-arm/kvm64.c b/target-arm/kvm64.c
index 8fd0c8d..7ddb1b1 100644
--- a/target-arm/kvm64.c
+++ b/target-arm/kvm64.c
@@ -140,6 +140,7 @@ int kvm_arch_put_registers(CPUState *cs, int level)
 uint64_t val;
 int i;
 int ret;
+unsigned int el;
 
 ARMCPU *cpu = ARM_CPU(cs);
 CPUARMState *env = &cpu->env;
@@ -206,9 +207,29 @@ int kvm_arch_put_registers(CPUState *cs, int level)
 return ret;
 }
 
+/* Saved Program State Registers
+ *
+ * Before we restore from the banked_spsr[] array we need to
+ * ensure that any modifications to env->spsr are correctly
+ * reflected and map aarch64 exception levels if required.
+ */
+el = arm_current_el(env);
+if (el > 0) {
+if (is_a64(env)) {
+g_assert(el == 1);
+env->banked_spsr[0] = env->spsr;
+/* QEMUs AARCH64 EL1 SPSR is in bank 0, so map it to
+ * KVM_SPSR_SVC for syncing to KVM */
+env->banked_spsr[1] = env->banked_spsr[0];
+} else {
+i = bank_number(env->uncached_cpsr & CPSR_M);
+env->banked_spsr[i] = env->spsr;
+}
+}
+
 for (i = 0; i < KVM_NR_SPSR; i++) {
 reg.id = AARCH64_CORE_REG(spsr[i]);
-reg.addr = (uintptr_t) &env->banked_spsr[i - 1];
+reg.addr = (uintptr_t) &env->banked_spsr[i+1];
 ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, ®);
 if (ret) {
 return ret;
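Review bot: g_assert(el == 1) in the is_a64() branch aborts QEMU during a register sync if a guest ever runs at EL2 or EL3 under KVM; since this is the migration path, returning an error (or at least a comment stating the KVM-at-EL1 assumption) is kinder than an assert. Style nit: banked_spsr[i+1] should be banked_spsr[i + 1] for checkpatch. The switch from i - 1 to i + 1 is the actual fix for the negative index named in the commit message and matches the "aarch32 banks 1 - 4" description in the get path.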
@@ -254,6 +275,7 @@ int kvm_arch_get_registers(CPUState *cs)
 struct kvm_one_reg reg;
 uint64_t val;
 uint32_t fpr;
+unsigned int el;
 int i;
 int ret;
 
@@ -326,15 +348,34 @@ int kvm_arch_get_registers(CPUState *cs)
 return ret;
 }
 
+/* Fetch the SPSR registers
+ *
+ * KVM has an array of state indexed for all the possible aarch32
+ * privilege levels. These map onto QEMUs aarch32 banks 1 - 4.
+ */
 for (i = 0; i < KVM_NR_SPSR; i++) {
 reg.id = AARCH64_CORE_REG(spsr[i]);
-reg.addr = (uintptr_t) &env->banked_spsr[i - 1];
+reg.addr = (uintptr_t) &env->banked_spsr[i+1];
 ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, ®);
 if (ret) {
 return ret;
 }
 }
 
+el = arm_current_el(env);
+if (el > 0) {
+if (is_a64(env)) {
+g_assert(el == 1);
+/* KVM_SPSR_SVC holds the AARCH64 EL1 SPSR which QEMU
+ * keeps in bank 0 so copy it across. */
+env->banked_spsr[0] = env->banked_spsr[1];
+i = aarch64_banked_spsr_index(el);
+} else {
+i = bank_number(env->uncached_cpsr & CPSR_M);
+}
+env->spsr = env->banked_spsr[i];
+}
+
 /* Advanced SIMD and FP registers */
 for (i = 0; i < 32; i++) {
 reg.id = AARCH64_SIMD_CORE_REG(fp_regs.vregs[i]);
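Review bot: the new comment says the KVM SPSR array maps onto QEMU's aarch32 banks 1 - 4, but the loop under it writes env->banked_spsr[i+1] for i in 0..KVM_NR_SPSR-1, i.e. banks 1..KVM_NR_SPSR; state the range in terms of the constant so the comment cannot go stale. In the AArch32 branch, i comes from bank_number(env->uncached_cpsr & CPSR_M) and is used to read env->banked_spsr[i] unconditionally; it is worth confirming that every mode with el > 0 maps to one of the banks the loop just fetched, since a mode whose bank falls outside 1..KVM_NR_SPSR would copy a stale entry into env->spsr.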
-- 
2.3.2




Re: [Qemu-devel] [PATCH v4 2/5] hw/intc: arm_gic_kvm.c restore config first

2015-03-16 Thread Christoffer Dall
On Mon, Mar 16, 2015 at 11:01:53AM +, Alex Bennée wrote:
> As there is logic to deal with the difference between edge and level
> triggered interrupts in the kernel we must ensure it knows the
> configuration of the IRQs before we restore the pending state.
> 
> Signed-off-by: Alex Bennée 
> Acked-by: Christoffer Dall 
> 
> diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
> index 1ad3eb0..2f21ae7 100644
> --- a/hw/intc/arm_gic_kvm.c
> +++ b/hw/intc/arm_gic_kvm.c
> @@ -370,6 +370,11 @@ static void kvm_arm_gic_put(GICState *s)
>   * the appropriate CPU interfaces in the kernel) */
>  kvm_dist_put(s, 0x800, 8, s->num_irq, translate_targets);
>  
> +/* irq_state[n].trigger -> GICD_ICFGRn
> + * (restore targets before pending IRQs so we treat level/edge

targets? trigger? configurations?

> + * correctly */
> +kvm_dist_put(s, 0xc00, 2, s->num_irq, translate_trigger);
> +
>  /* irq_state[n].pending + irq_state[n].level -> GICD_ISPENDRn */
>  kvm_dist_put(s, 0x280, 1, s->num_irq, translate_clear);
>  kvm_dist_put(s, 0x200, 1, s->num_irq, translate_pending);
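Review bot: the parenthesis opened at "(restore targets before pending IRQs" in the new comment is never closed before the `*/`, and since the call it annotates writes the trigger configuration (0xc00, translate_trigger) while the targets were written by the 0x800 call just above, "targets" reads as a copy-paste leftover. Something like `/* irq_state[n].trigger -> GICD_ICFGRn (restore trigger config before the pending state so the kernel's edge/level handling sees it) */` states the ordering constraint the commit message gives.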
> @@ -378,8 +383,6 @@ static void kvm_arm_gic_put(GICState *s)
>  kvm_dist_put(s, 0x380, 1, s->num_irq, translate_clear);
>  kvm_dist_put(s, 0x300, 1, s->num_irq, translate_active);
>  
> -/* irq_state[n].trigger -> GICD_ICFRn */
> -kvm_dist_put(s, 0xc00, 2, s->num_irq, translate_trigger);
>  
>  /* s->priorityX[irq] -> ICD_IPRIORITYRn */
>  kvm_dist_put(s, 0x400, 8, s->num_irq, translate_priority);
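Review bot: removing the two trigger lines leaves two consecutive blank lines between the translate_active call and the priority comment (the blank context line before the removed block and the one after it); drop one of them so the move does not introduce a style nit.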
> -- 
> 2.3.2
> 



[Qemu-devel] [PATCH] linux-user: qemu treats TLS pointer in the wrong way when spicifying cpu cotrex-a15.

2015-03-16 Thread Mikhail Ilyin
From: Mikhail Ilyin 

At present there are two copies of TPIDRURO register for secure and unsecure
access. TLS is set via a system call __ARM_NR_set_tls and its handler
(cpu_set_tls) always assigns a provided value to unsecure register
tpidrro_el[0]/tpidruro_ns. But during execution for cortex-a15 mrc instruction
returns TLS from secure register tpidruro_s which is 0 and causes SIGSEGV.

Signed-off-by: Mikhail Ilyin 
---
 linux-user/arm/target_cpu.h | 15 ++-
 linux-user/main.c   |  2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
index d8a534d..6832262 100644
--- a/linux-user/arm/target_cpu.h
+++ b/linux-user/arm/target_cpu.h
@@ -29,7 +29,20 @@ static inline void cpu_clone_regs(CPUARMState *env, 
target_ulong newsp)
 
 static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
 {
-env->cp15.tpidrro_el[0] = newtls;
+if (access_secure_reg(env)) {
+env->cp15.tpidruro_s = newtls;
+} else {
+env->cp15.tpidrro_el[0] = newtls;
+}
+}
+
+static inline target_ulong cpu_get_tls(CPUARMState *env)
+{
+if (access_secure_reg(env)) {
+return env->cp15.tpidruro_s;
+} else {
+return env->cp15.tpidrro_el[0];
+}
 }
 
 #endif
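Review bot: cpu_set_tls() and cpu_get_tls() each repeat the access_secure_reg(env) selection, so a later change to one can silently desynchronise the other; if the two register fields share a type, a single helper returning a pointer to the selected copy keeps the choice in one place. It is also worth confirming that access_secure_reg() is false for CPU models without the Security extension, so that the non-TZ path keeps writing tpidrro_el[0] exactly as before this patch.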
diff --git a/linux-user/main.c b/linux-user/main.c
index 6bd23af..6e446de 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -566,7 +566,7 @@ do_kernel_trap(CPUARMState *env)
 end_exclusive();
 break;
 case 0x0fe0: /* __kernel_get_tls */
-env->regs[0] = env->cp15.tpidrro_el[0];
+env->regs[0] = cpu_get_tls(env);
 break;
 case 0x0f60: /* __kernel_cmpxchg64 */
 arm_kernel_cmpxchg64_helper(env);
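Review bot: this hunk makes the __kernel_get_tls kuser helper read the same copy that cpu_set_tls() writes; the commit message only describes the MRC path, so a sentence saying that the kuser helper is routed through cpu_get_tls() for the same reason would document why main.c changes too.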
-- 
1.9.1




Re: [Qemu-devel] [PATCH] linux-user: qemu treats TLS pointer in the wrong way when spicifying cpu cotrex-a15.

2015-03-16 Thread Mikhail Ilin


Here is a sample to prove the issue

$ echo "int main() { return 0; }" > /tmp/prog.c
$ arm-linux-gnueabi-gcc -g -o /tmp/prog /tmp/prog.c
$ qemu-arm -cpu cortex-a15 -L /home/michail/arm/arm-linux-gnueabi/sys-root /tmp/prog

qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault (core dumped)

The prog backtrace looks the following way

$ qemu-arm -g 1234 -cpu cortex-a15 -L /home/michail/arm/arm-linux-gnueabi/sys-root /tmp/prog

$ arm-linux-gnueabi-gdb -ex 'set sysroot /home/michail/arm/arm-linux-gnueabi/sys-root/' -ex 'file /tmp/prog' -ex 'target remote :1234'

(gdb) c

Program received signal SIGSEGV, Segmentation fault.
0xf6690290 in __GI___ctype_init () at ctype-info.c:31
31        *bp = (const uint16_t *) _NL_CURRENT (LC_CTYPE, _NL_CTYPE_CLASS) + 128;

(gdb) bt
#0  0xf6690290 in __GI___ctype_init () at ctype-info.c:31
#1  0xf67e62e4 in call_init (l=0xf67d5708, argc=1, argv=0xf6ffef14, env=0xf6ffef1c) at dl-init.c:69
#2  0xf67e6434 in _dl_init (main_map=0xf67fe960, argc=1, argv=0xf6ffef14, env=0xf6ffef1c) at dl-init.c:132
#3  0xf67d6d74 in _dl_start_user () from /home/michail/arm/arm-linux-gnueabi/sys-root/lib/ld-linux.so.3

(gdb) disassemble
Dump of assembler code for function __GI___ctype_init:
   0xf669026c <+0>:     ldr     r12, [pc, #88]  ; 0xf66902cc <__GI___ctype_init+96>
   0xf6690270 <+4>:     strd    r4, [sp, #-12]!
   0xf6690274 <+8>:     mrc     15, 0, r3, cr13, cr0, {3}
   0xf6690278 <+12>:    str     lr, [sp, #8]
   0xf669027c <+16>:    ldr     r0, [pc, #76]   ; 0xf66902d0 <__GI___ctype_init+100>
   0xf6690280 <+20>:    ldr     r1, [pc, #76]   ; 0xf66902d4 <__GI___ctype_init+104>
   0xf6690284 <+24>:    ldr     r2, [pc, #76]   ; 0xf66902d8 <__GI___ctype_init+108>
   0xf6690288 <+28>:    ldr     r12, [pc, r12]
   0xf669028c <+32>:    ldr     r0, [pc, r0]
=> 0xf6690290 <+36>:    ldr     r12, [r3, r12]
   0xf6690294 <+40>:    ldr     r12, [r12]
(gdb) p $r3
$1 = 0

Register r3 comes from mrc and should contain a pointer to TLS. At runtime
cp15.tpidruro_ns contains a valid pointer that is assigned with
__ARM_NR_set_tls; cp15.tpidruro_s is 0 and its value is returned by mrc.

-- Mikhail

On 16.03.2015 14:26, Mikhail Ilyin wrote:





Re: [Qemu-devel] [PULL for-2.3 0/1] seabios: update to 1.8.1 stable release

2015-03-16 Thread Peter Maydell
On 16 March 2015 at 08:16, Gerd Hoffmann  wrote:
>   Hi,
>
> New seabios release from 1.8-stable branch.
>
> Most important change is the fix for the smp race at boot
> (reported multiple times on the list).
>
> There also is a memory barrier fix (makes pvscsi boot work).
> Support for multiple pci roots has been added too.
>
> please pull,
>   Gerd
>
> The following changes since commit 7ccfb495c64e1eef5886dcc4d48523ed6d1d22a4:
>
>   user-exec.c: fix build on NetBSD/sparc64 and NetBSD/arm (2015-03-13 
> 15:57:00 +)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-seabios-1.8.1-20150316-1
>
> for you to fetch changes up to 93f7c4f09f6957244d5af0a35309b8ad4ffb64ed:
>
>   seabios: update to 1.8.1 stable release (2015-03-16 09:07:15 +0100)
>
> 
> seabios: update to 1.8.1 stable release
>
> 

Applied, thanks.

-- PMM



Re: [Qemu-devel] [PATCH] elf-loader: Fix truncation warning from coverity

2015-03-16 Thread Thomas Huth
On Sat, 14 Mar 2015 09:37:08 +0100
Stefan Weil  wrote:

> Coverity reports a truncation due to cast operation on operand
> reltab->sh_size from 64 bits to 32 bits for calls of load_at.
> 
> Fix the types of the function arguments to match their use in
> function load_at: the offset is used for lseek which takes an
> off_t parameter, the size is used for g_malloc and read.
> 
> Signed-off-by: Stefan Weil 
> ---
>  hw/core/loader.c |2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/core/loader.c b/hw/core/loader.c
> index 76d8aca..d4c441f 100644
> --- a/hw/core/loader.c
> +++ b/hw/core/loader.c
> @@ -267,7 +267,7 @@ int load_aout(const char *filename, hwaddr addr, int 
> max_sz,
> 
>  /* ELF loader */
> 
> -static void *load_at(int fd, int offset, int size)
> +static void *load_at(int fd, off_t offset, size_t size)
>  {
>  void *ptr;
>  if (lseek(fd, offset, SEEK_SET) < 0)
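Review bot: widening size to size_t removes the Coverity truncation warning on 64-bit hosts, but on a 32-bit host size_t is still 32 bits, so a reltab->sh_size above 4 GiB in a crafted ELF is silently truncated before g_malloc and read; a bounds check on sh_size against a sane maximum at the call site, before load_at is reached, would make the loader robust against hostile section headers rather than merely warning-free.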

Sounds reasonable.

Reviewed-by: Thomas Huth 




Re: [Qemu-devel] [PATCH 0/2] Unbreak qemu-img error messages and iotests

2015-03-16 Thread Kevin Wolf
On 14.03.2015 at 10:23, Markus Armbruster wrote:
> "check -T -qcow2" now passes again.  Sorry for the mess I made.
> 
> Markus Armbruster (2):
>   iotests: Update 051's reference output
>   qemu-img: Fix convert, amend error messages for unknown options

Thanks, applied to the block branch.

Kevin



Re: [Qemu-devel] [PATCH] linux-user: qemu treats TLS pointer in the wrong way when spicifying cpu cotrex-a15.

2015-03-16 Thread Peter Maydell
On 16 March 2015 at 11:26, Mikhail Ilyin  wrote:
> From: Mikhail Ilyin 
>
> At present there are two copies of TPIDRURO register for secure and unsecure
> access. TLS is set via a system call __ARM_NR_set_tls and its handler
> (cpu_set_tls) always assigns a provided value to unsecure register
> tpidrro_el[0]/tpidruro_ns. But during execution for cortex-a15 mrc instruction
> returns TLS from secure register tpidruro_s which is 0 and causes SIGSEGV.
>
> Signed-off-by: Mikhail Ilyin 

Oops; thanks for this patch. I've applied it to target-arm.next.
I took the liberty of rewriting the commit message a bit to better
fit in with QEMU's usual style; hope that's OK:

===begin===
linux-user: Access correct register for get/set_tls syscalls on ARM TZ CPUs

When support was added for TrustZone to ARM CPU emulation, we failed
to correctly update the support for the linux-user implementation of
the get/set_tls syscalls. This meant that accesses to the TPIDRURO
register via the syscalls were always using the non-secure copy of
the register even if native MRC/MCR accesses were using the secure
register. This inconsistency caused most binaries to segfault on startup
if the CPU type was explicitly set to one of the TZ-enabled ones like
cortex-a15. (The default "any" CPU doesn't have TZ enabled and so is
not affected.)

Use access_secure_reg() to determine whether we should be using
the secure or the nonsecure copy of TPIDRURO when emulating these
syscalls.
===endit===

-- PMM



Re: [Qemu-devel] [PATCH] block: Deprecate QCOW/QCOW2 encryption

2015-03-16 Thread Kevin Wolf
On 13.03.2015 at 21:09, Markus Armbruster wrote:
> We've steered users away from QCOW/QCOW2 encryption for a while,
> because it's a flawed design (commit 136cd19 Describe flaws in
> qcow/qcow2 encryption in the docs).
> 
> In addition to flawed crypto, we have comically bad usability, and
> plain old bugs.  Let me show you.
> [...] 
> Let's deprecate the mess now, drop it after a grace period, and move
> on.
> 
> Signed-off-by: Markus Armbruster 

Thanks, applied to the block branch.

Kevin



Re: [Qemu-devel] [PATCH v5 for-2.3 23/28] hw/pxb: add map_irq func

2015-03-16 Thread Marcel Apfelbaum

On 03/10/2015 06:43 PM, Michael S. Tsirkin wrote:

On Tue, Mar 10, 2015 at 05:32:09PM +0200, Marcel Apfelbaum wrote:

The bios does not index the pxb slot number when
it computes the IRQ because it resides on bus 0
and not on the current bus.
However Qemu routes the irq through bus 0 and adds
the pxb slot to the IRQ computation.

Synchronize between bios and Qemu by canceling
pxb's effect.

Signed-off-by: Marcel Apfelbaum 
---
  hw/pci-bridge/pci_expander_bridge.c | 20 +++-
  1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/hw/pci-bridge/pci_expander_bridge.c 
b/hw/pci-bridge/pci_expander_bridge.c
index 941f3c8..87515c1 100644
--- a/hw/pci-bridge/pci_expander_bridge.c
+++ b/hw/pci-bridge/pci_expander_bridge.c
@@ -92,6 +92,24 @@ static const TypeInfo pxb_host_info = {
  .class_init= pxb_host_class_init,
  };

+
+static int pxb_map_irq_fn(PCIDevice *pci_dev, int pin)
+{
+PCIDevice *pxb = pci_dev->bus->parent_dev;
+
+/*
+ * The bios does not index the pxb slot number when
+ * it computes the IRQ because it resides on bus 0
+ * and not on the current bus.
+ * However QEMU routes the irq through bus 0 and adds
+ * the pxb slot to the IRQ computation.


I know it's QEMU but which function exactly?

PXB device, which is a PCI host-bridge device.

Thanks,
Marcel




+ *
+ * Synchronize between bios and QEMU by canceling
+ * pxb's effect.
+ */
+return pin - PCI_SLOT(pxb->devfn);
+}
+
  static int pxb_dev_initfn(PCIDevice *dev)
  {
  PXBDev *pxb = PXB_DEV(dev);
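Review bot: `pin - PCI_SLOT(pxb->devfn)` goes negative whenever the pxb sits in a slot number higher than the pin, so pxb_map_irq_fn() only works if whoever consumes its return value reduces it modulo the number of pins; either say so in the comment, or normalise here with `(pin - PCI_SLOT(pxb->devfn)) & (PCI_NUM_PINS - 1)` so the result always lies in 0..3 and the cancellation described in the comment does not depend on the caller.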
@@ -118,7 +136,7 @@ static int pxb_dev_initfn(PCIDevice *dev)
  bus->parent_dev = dev;
  bus->address_space_mem = dev->bus->address_space_mem;
  bus->address_space_io = dev->bus->address_space_io;
-bus->map_irq = pci_swizzle_map_irq_fn;
+bus->map_irq = pxb_map_irq_fn;

  bds = qdev_create(BUS(bus), "pci-bridge");
  bds->id = dev_name;
--
2.1.0





[Qemu-devel] [PATCH target-arm v3 05/15] arm: xlnx-zynqmp: Connect CPU Timers to GIC

2015-03-16 Thread Peter Crosthwaite
Connect the GPIO outputs from the individual CPUs for the timers to the
GIC.

Signed-off-by: Peter Crosthwaite 
---
 hw/arm/xlnx-zynqmp.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 9465185..29954f5 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -19,9 +19,17 @@
 
 #define GIC_NUM_SPI_INTR 128
 
+#define ARM_PHYS_TIMER_PPI  30
+#define ARM_VIRT_TIMER_PPI  27
+
 #define GIC_DIST_ADDR   0xf901
 #define GIC_CPU_ADDR0xf902
 
+static inline int arm_gic_ppi_index(int cpu_nr, int ppi_index)
+{
+return GIC_NUM_SPI_INTR + cpu_nr * 32 + ppi_index;
+}
+
 static void xlnx_zynqmp_init(Object *obj)
 {
 XlnxZynqMPState *s = XLNX_ZYNQMP(obj);
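Review bot: arm_gic_ppi_index() hard-codes 32 as the per-CPU interrupt stride (the SGIs and PPIs that precede the SPIs); give it a name next to GIC_NUM_SPI_INTR, or reuse the GIC model's GIC_INTERNAL if it is reachable from here, so the relationship to the GIC's interrupt numbering is explicit rather than a magic number.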
@@ -60,11 +68,19 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error 
**errp)
 sysbus_mmio_map(SYS_BUS_DEVICE(&s->gic), 1, GIC_CPU_ADDR);
 
 for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
+qemu_irq irq;
+
 object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
 ERR_PROP_CHECK_RETURN(err, errp);
 
 sysbus_connect_irq(SYS_BUS_DEVICE(&s->gic), i,
qdev_get_gpio_in(DEVICE(&s->cpu[i]), ARM_CPU_IRQ));
+irq = qdev_get_gpio_in(DEVICE(&s->gic),
+   arm_gic_ppi_index(i, ARM_PHYS_TIMER_PPI));
+qdev_connect_gpio_out(DEVICE(&s->cpu[i]), 0, irq);
+irq = qdev_get_gpio_in(DEVICE(&s->gic),
+   arm_gic_ppi_index(i, ARM_VIRT_TIMER_PPI));
+qdev_connect_gpio_out(DEVICE(&s->cpu[i]), 1, irq);
 }
 }
 
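Review bot: the CPU GPIO outputs are connected by bare index (0 for the physical timer, 1 for the virtual timer) while the GIC side uses the named ARM_PHYS_TIMER_PPI / ARM_VIRT_TIMER_PPI; the ARM CPU model exports its timer outputs in GTIMER_PHYS / GTIMER_VIRT order, so using those constants instead of 0 and 1 makes the pairing with the PPI numbers checkable at a glance and survives a reorder of the CPU's outputs.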
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 07/15] net: cadence_gem: Split state struct and type into header

2015-03-16 Thread Peter Crosthwaite
To allow using the device with modern SoC programming conventions, the
state struct needs to be visible to embed the device in SoC containers.

Reviewed-by: Alistair Francis 
Signed-off-by: Peter Crosthwaite 
---
changed since v1:
Fix /* Public */ comment spacing (Alistair review)

 hw/net/cadence_gem.c | 43 +-
 include/hw/net/cadence_gem.h | 49 
 2 files changed, 50 insertions(+), 42 deletions(-)
 create mode 100644 include/hw/net/cadence_gem.h

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 5994306..dafe914 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -24,8 +24,7 @@
 
 #include  /* For crc32 */
 
-#include "hw/sysbus.h"
-#include "net/net.h"
+#include "hw/net/cadence_gem.h"
 #include "net/checksum.h"
 
 #ifdef CADENCE_GEM_ERR_DEBUG
@@ -141,8 +140,6 @@
 #define GEM_DESCONF6  (0x0294/4)
 #define GEM_DESCONF7  (0x0298/4)
 
-#define CADENCE_GEM_MAXREG(0x0640/4) /* Last valid GEM address */
-
 /*/
 #define GEM_NWCTRL_TXSTART 0x0200 /* Transmit Enable */
 #define GEM_NWCTRL_TXENA   0x0008 /* Transmit Enable */
@@ -349,44 +346,6 @@ static inline void rx_desc_set_sar(unsigned *desc, int 
sar_idx)
 desc[1] |= R_DESC_1_RX_SAR_MATCH;
 }
 
-#define TYPE_CADENCE_GEM "cadence_gem"
-#define CADENCE_GEM(obj) OBJECT_CHECK(CadenceGEMState, (obj), TYPE_CADENCE_GEM)
-
-typedef struct CadenceGEMState {
-SysBusDevice parent_obj;
-
-MemoryRegion iomem;
-NICState *nic;
-NICConf conf;
-qemu_irq irq;
-
-/* GEM registers backing store */
-uint32_t regs[CADENCE_GEM_MAXREG];
-/* Mask of register bits which are write only */
-uint32_t regs_wo[CADENCE_GEM_MAXREG];
-/* Mask of register bits which are read only */
-uint32_t regs_ro[CADENCE_GEM_MAXREG];
-/* Mask of register bits which are clear on read */
-uint32_t regs_rtc[CADENCE_GEM_MAXREG];
-/* Mask of register bits which are write 1 to clear */
-uint32_t regs_w1c[CADENCE_GEM_MAXREG];
-
-/* PHY registers backing store */
-uint16_t phy_regs[32];
-
-uint8_t phy_loop; /* Are we in phy loopback? */
-
-/* The current DMA descriptor pointers */
-uint32_t rx_desc_addr;
-uint32_t tx_desc_addr;
-
-uint8_t can_rx_state; /* Debug only */
-
-unsigned rx_desc[2];
-
-bool sar_active[4];
-} CadenceGEMState;
-
 /* The broadcast MAC address: 0x */
 static const uint8_t broadcast_addr[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
 
diff --git a/include/hw/net/cadence_gem.h b/include/hw/net/cadence_gem.h
new file mode 100644
index 000..12de820
--- /dev/null
+++ b/include/hw/net/cadence_gem.h
@@ -0,0 +1,49 @@
+#ifndef CADENCE_GEM_H_
+
+#define TYPE_CADENCE_GEM "cadence_gem"
+#define CADENCE_GEM(obj) OBJECT_CHECK(CadenceGEMState, (obj), TYPE_CADENCE_GEM)
+
+#include "net/net.h"
+#include "hw/sysbus.h"
+
+#define CADENCE_GEM_MAXREG(0x0640/4) /* Last valid GEM address */
+
+typedef struct CadenceGEMState {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+MemoryRegion iomem;
+NICState *nic;
+NICConf conf;
+qemu_irq irq;
+
+/* GEM registers backing store */
+uint32_t regs[CADENCE_GEM_MAXREG];
+/* Mask of register bits which are write only */
+uint32_t regs_wo[CADENCE_GEM_MAXREG];
+/* Mask of register bits which are read only */
+uint32_t regs_ro[CADENCE_GEM_MAXREG];
+/* Mask of register bits which are clear on read */
+uint32_t regs_rtc[CADENCE_GEM_MAXREG];
+/* Mask of register bits which are write 1 to clear */
+uint32_t regs_w1c[CADENCE_GEM_MAXREG];
+
+/* PHY registers backing store */
+uint16_t phy_regs[32];
+
+uint8_t phy_loop; /* Are we in phy loopback? */
+
+/* The current DMA descriptor pointers */
+uint32_t rx_desc_addr;
+uint32_t tx_desc_addr;
+
+uint8_t can_rx_state; /* Debug only */
+
+unsigned rx_desc[2];
+
+bool sar_active[4];
+} CadenceGEMState;
+
+#define CADENCE_GEM_H_
+#endif
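Review bot: the include guard is split: `#ifndef CADENCE_GEM_H_` opens the file but the matching `#define CADENCE_GEM_H_` only appears on the last line before `#endif`, and TYPE_CADENCE_GEM / CADENCE_GEM() are defined before the `#include`s that OBJECT_CHECK comes from. The conventional layout (`#ifndef` and `#define` together at the top, includes next, then macros and the struct) is not a functional change, since macros expand lazily, but it is what readers expect and what the rest of include/hw follows.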
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 10/15] char: cadence_uart: Split state struct and type into header

2015-03-16 Thread Peter Crosthwaite
To allow using the device with modern SoC programming conventions, the
state struct needs to be visible to embed the device in SoC containers.

Reviewed-by: Alistair Francis 
Signed-off-by: Peter Crosthwaite 
---
changed since v1:
Fix /* Public */ comment spacing (Alistair review)

 hw/char/cadence_uart.c | 29 +
 include/hw/char/cadence_uart.h | 35 +++
 2 files changed, 36 insertions(+), 28 deletions(-)
 create mode 100644 include/hw/char/cadence_uart.h

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index 23f548d..4509e01 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -16,9 +16,7 @@
  * with this program; if not, see .
  */
 
-#include "hw/sysbus.h"
-#include "sysemu/char.h"
-#include "qemu/timer.h"
+#include "hw/char/cadence_uart.h"
 
 #ifdef CADENCE_UART_ERR_DEBUG
 #define DB_PRINT(...) do { \
@@ -85,8 +83,6 @@
 #define LOCAL_LOOPBACK (0x2 << UART_MR_CHMODE_SH)
 #define REMOTE_LOOPBACK(0x3 << UART_MR_CHMODE_SH)
 
-#define CADENCE_UART_RX_FIFO_SIZE   16
-#define CADENCE_UART_TX_FIFO_SIZE   16
 #define UART_INPUT_CLK 5000
 
 #define R_CR   (0x00/4)
@@ -108,29 +104,6 @@
 #define R_PWID (0x40/4)
 #define R_TTRIG(0x44/4)
 
-#define CADENCE_UART_R_MAX (0x48/4)
-
-#define TYPE_CADENCE_UART "cadence_uart"
-#define CADENCE_UART(obj) OBJECT_CHECK(CadenceUARTState, (obj), \
-   TYPE_CADENCE_UART)
-
-typedef struct {
-/*< private >*/
-SysBusDevice parent_obj;
-/*< public >*/
-
-MemoryRegion iomem;
-uint32_t r[CADENCE_UART_R_MAX];
-uint8_t rx_fifo[CADENCE_UART_RX_FIFO_SIZE];
-uint8_t tx_fifo[CADENCE_UART_TX_FIFO_SIZE];
-uint32_t rx_wpos;
-uint32_t rx_count;
-uint32_t tx_count;
-uint64_t char_tx_time;
-CharDriverState *chr;
-qemu_irq irq;
-QEMUTimer *fifo_trigger_handle;
-} CadenceUARTState;
 
 static void uart_update_status(CadenceUARTState *s)
 {
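Review bot: deleting the typedef block leaves two consecutive blank lines before uart_update_status() (the blank context line before the removed block and the one after it); drop one of them.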
diff --git a/include/hw/char/cadence_uart.h b/include/hw/char/cadence_uart.h
new file mode 100644
index 000..3456d4c
--- /dev/null
+++ b/include/hw/char/cadence_uart.h
@@ -0,0 +1,35 @@
+#ifndef CADENCE_UART_H_
+
+#include "hw/sysbus.h"
+#include "sysemu/char.h"
+#include "qemu/timer.h"
+
+#define CADENCE_UART_RX_FIFO_SIZE   16
+#define CADENCE_UART_TX_FIFO_SIZE   16
+
+#define CADENCE_UART_R_MAX (0x48/4)
+
+#define TYPE_CADENCE_UART "cadence_uart"
+#define CADENCE_UART(obj) OBJECT_CHECK(CadenceUARTState, (obj), \
+   TYPE_CADENCE_UART)
+
+typedef struct {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+MemoryRegion iomem;
+uint32_t r[CADENCE_UART_R_MAX];
+uint8_t rx_fifo[CADENCE_UART_RX_FIFO_SIZE];
+uint8_t tx_fifo[CADENCE_UART_TX_FIFO_SIZE];
+uint32_t rx_wpos;
+uint32_t rx_count;
+uint32_t tx_count;
+uint64_t char_tx_time;
+CharDriverState *chr;
+qemu_irq irq;
+QEMUTimer *fifo_trigger_handle;
+} CadenceUARTState;
+
+#define CADENCE_UART_H_
+#endif
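Review bot: `#define CADENCE_UART_H_` sits at the bottom of the new header instead of directly under `#ifndef CADENCE_UART_H_`; putting the define at the top is the conventional guard form, and the new cadence_gem.h in this series has the same layout, so fixing both keeps the two headers consistent.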
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 09/15] char: cadence_uart: Clean up variable names

2015-03-16 Thread Peter Crosthwaite
In preparation for migrating the state struct and type cast macro to a public
header. The acronym "UART" on its own is not specific enough to be used in a
more global namespace so preface with "cadence". Fix the capitalisation of
"uart" in the state type while touching the typename. Preface macros
used by the state struct itself with CADENCE_UART so they don't conflict
in namespace either.

Reviewed-by: Alistair Francis 
Signed-off-by: Peter Crosthwaite 
---
 hw/char/cadence_uart.c | 100 ++---
 1 file changed, 53 insertions(+), 47 deletions(-)

diff --git a/hw/char/cadence_uart.c b/hw/char/cadence_uart.c
index 7044b35..23f548d 100644
--- a/hw/char/cadence_uart.c
+++ b/hw/char/cadence_uart.c
@@ -85,8 +85,8 @@
 #define LOCAL_LOOPBACK (0x2 << UART_MR_CHMODE_SH)
 #define REMOTE_LOOPBACK(0x3 << UART_MR_CHMODE_SH)
 
-#define RX_FIFO_SIZE   16
-#define TX_FIFO_SIZE   16
+#define CADENCE_UART_RX_FIFO_SIZE   16
+#define CADENCE_UART_TX_FIFO_SIZE   16
 #define UART_INPUT_CLK 5000
 
 #define R_CR   (0x00/4)
@@ -108,10 +108,11 @@
 #define R_PWID (0x40/4)
 #define R_TTRIG(0x44/4)
 
-#define R_MAX (R_TTRIG + 1)
+#define CADENCE_UART_R_MAX (0x48/4)
 
 #define TYPE_CADENCE_UART "cadence_uart"
-#define CADENCE_UART(obj) OBJECT_CHECK(UartState, (obj), TYPE_CADENCE_UART)
+#define CADENCE_UART(obj) OBJECT_CHECK(CadenceUARTState, (obj), \
+   TYPE_CADENCE_UART)
 
 typedef struct {
 /*< private >*/
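Review bot: `CADENCE_UART_R_MAX (0x48/4)` replaces `R_MAX (R_TTRIG + 1)`; the value is unchanged (R_TTRIG is (0x44/4)), but the definition is no longer derived from the last register, so adding a register later will not grow the r[] array automatically. If the literal form is needed so the macro can move to a header that does not see R_TTRIG, the commit message should say so, since it currently describes the change as a pure rename.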
@@ -119,9 +120,9 @@ typedef struct {
 /*< public >*/
 
 MemoryRegion iomem;
-uint32_t r[R_MAX];
-uint8_t rx_fifo[RX_FIFO_SIZE];
-uint8_t tx_fifo[TX_FIFO_SIZE];
+uint32_t r[CADENCE_UART_R_MAX];
+uint8_t rx_fifo[CADENCE_UART_RX_FIFO_SIZE];
+uint8_t tx_fifo[CADENCE_UART_TX_FIFO_SIZE];
 uint32_t rx_wpos;
 uint32_t rx_count;
 uint32_t tx_count;
@@ -129,17 +130,19 @@ typedef struct {
 CharDriverState *chr;
 qemu_irq irq;
 QEMUTimer *fifo_trigger_handle;
-} UartState;
+} CadenceUARTState;
 
-static void uart_update_status(UartState *s)
+static void uart_update_status(CadenceUARTState *s)
 {
 s->r[R_SR] = 0;
 
-s->r[R_SR] |= s->rx_count == RX_FIFO_SIZE ? UART_SR_INTR_RFUL : 0;
+s->r[R_SR] |= s->rx_count == CADENCE_UART_RX_FIFO_SIZE ? UART_SR_INTR_RFUL
+   : 0;
 s->r[R_SR] |= !s->rx_count ? UART_SR_INTR_REMPTY : 0;
 s->r[R_SR] |= s->rx_count >= s->r[R_RTRIG] ? UART_SR_INTR_RTRIG : 0;
 
-s->r[R_SR] |= s->tx_count == TX_FIFO_SIZE ? UART_SR_INTR_TFUL : 0;
+s->r[R_SR] |= s->tx_count == CADENCE_UART_TX_FIFO_SIZE ? UART_SR_INTR_TFUL
+   : 0;
 s->r[R_SR] |= !s->tx_count ? UART_SR_INTR_TEMPTY : 0;
 s->r[R_SR] |= s->tx_count >= s->r[R_TTRIG] ? UART_SR_TTRIG : 0;
 
@@ -150,14 +153,14 @@ static void uart_update_status(UartState *s)
 
 static void fifo_trigger_update(void *opaque)
 {
-UartState *s = (UartState *)opaque;
+CadenceUARTState *s = opaque;
 
 s->r[R_CISR] |= UART_INTR_TIMEOUT;
 
 uart_update_status(s);
 }
 
-static void uart_rx_reset(UartState *s)
+static void uart_rx_reset(CadenceUARTState *s)
 {
 s->rx_wpos = 0;
 s->rx_count = 0;
@@ -166,12 +169,12 @@ static void uart_rx_reset(UartState *s)
 }
 }
 
-static void uart_tx_reset(UartState *s)
+static void uart_tx_reset(CadenceUARTState *s)
 {
 s->tx_count = 0;
 }
 
-static void uart_send_breaks(UartState *s)
+static void uart_send_breaks(CadenceUARTState *s)
 {
 int break_enabled = 1;
 
@@ -181,7 +184,7 @@ static void uart_send_breaks(UartState *s)
 }
 }
 
-static void uart_parameters_setup(UartState *s)
+static void uart_parameters_setup(CadenceUARTState *s)
 {
 QEMUSerialSetParams ssp;
 unsigned int baud_rate, packet_size;
@@ -236,20 +239,20 @@ static void uart_parameters_setup(UartState *s)
 
 static int uart_can_receive(void *opaque)
 {
-UartState *s = (UartState *)opaque;
-int ret = MAX(RX_FIFO_SIZE, TX_FIFO_SIZE);
+CadenceUARTState *s = opaque;
+int ret = MAX(CADENCE_UART_RX_FIFO_SIZE, CADENCE_UART_TX_FIFO_SIZE);
 uint32_t ch_mode = s->r[R_MR] & UART_MR_CHMODE;
 
 if (ch_mode == NORMAL_MODE || ch_mode == ECHO_MODE) {
-ret = MIN(ret, RX_FIFO_SIZE - s->rx_count);
+ret = MIN(ret, CADENCE_UART_RX_FIFO_SIZE - s->rx_count);
 }
 if (ch_mode == REMOTE_LOOPBACK || ch_mode == ECHO_MODE) {
-ret = MIN(ret, TX_FIFO_SIZE - s->tx_count);
+ret = MIN(ret, CADENCE_UART_TX_FIFO_SIZE - s->tx_count);
 }
 return ret;
 }
 
-static void uart_ctrl_update(UartState *s)
+static void uart_ctrl_update(CadenceUARTState *s)
 {
 if (s->r[R_CR] & UART_CR_TXRST) {
 uart_tx_reset(s);
@@ -268,7 +271,7 @@ static void uart_ctrl_update(UartState *s)
 
 static void uart_write_rx_fifo(void *opaque, const uint8_t *buf, int size)
 {
-UartState 

[Qemu-devel] [PATCH target-arm v3 00/15] Next Generation Xilinx Zynq SoC

2015-03-16 Thread Peter Crosthwaite
Hi Peter and all,

Xilinx's next gen SoC has been announced. This series adds a SoC and
board.

The series starts with the addition of ARM cortex A53 support (P1 and P2). The
SoC skeleton is then added, and GIC, EMACs and UARTs are added to it. The
pre-existing models for GEM and UART are not SoC friendly (no visible
state struct), so those are refactored for SoC.

Create a model of the EP108 board. Currently this doesn't have any
EP108 specific features but is a usable board exposing the user visible
features of the raw SoC.

changed since v2:
Fix CPU child prop adder
Add DTS compat string

changed since v1:
Addressed Alistair review (individual changes on resp. patches)
Changed board name to EP108
Changed naming scheme to "zynqmp" / "ZYNQMP" (Michal review)

Regards,
Peter


Peter Crosthwaite (15):
  target-arm: cpu64: Factor out ARM cortex init
  target-arm: cpu64: Add support for cortex-a53
  arm: Introduce Xilinx ZynqMP SoC
  arm: xlnx-zynqmp: Add GIC
  arm: xlnx-zynqmp: Connect CPU Timers to GIC
  net: cadence_gem: Clean up variable names
  net: cadence_gem: Split state struct and type into header
  arm: xilinx-zynqmp: Add GEM support
  char: cadence_uart: Clean up variable names
  char: cadence_uart: Split state struct and type into header
  arm: xilinx-zynqmp: Add UART support
  arm: Add xlnx-ep108 machine
  arm: xilinx-ep108: Add external RAM
  arm: xilinx-ep108: Add bootloading
  arm: xlnx-zynqmp: Add PSCI setup

 default-configs/aarch64-softmmu.mak |   2 +-
 hw/arm/Makefile.objs|   1 +
 hw/arm/xlnx-ep108.c |  81 +
 hw/arm/xlnx-zynqmp.c| 168 
 hw/char/cadence_uart.c  | 113 ++--
 hw/net/cadence_gem.c|  95 ++--
 include/hw/arm/xlnx-zynqmp.h|  29 +++
 include/hw/char/cadence_uart.h  |  35 
 include/hw/net/cadence_gem.h|  49 +++
 target-arm/cpu64.c  |  50 ---
 10 files changed, 473 insertions(+), 150 deletions(-)
 create mode 100644 hw/arm/xlnx-ep108.c
 create mode 100644 hw/arm/xlnx-zynqmp.c
 create mode 100644 include/hw/arm/xlnx-zynqmp.h
 create mode 100644 include/hw/char/cadence_uart.h
 create mode 100644 include/hw/net/cadence_gem.h

-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 02/15] target-arm: cpu64: Add support for cortex-a53

2015-03-16 Thread Peter Crosthwaite
Similar to a53, but with different L1 I cache policy, phys addr size and
different cache geometries. The cache sizes are implementation
configurable, but use these values (from Xilinx MPSoC) as a default
until cache size configurability is added.

Reviewed-by: Alex Bennée 
Signed-off-by: Peter Crosthwaite 
---
Changed since v2:
Added dtb compatible string

 target-arm/cpu64.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/target-arm/cpu64.c b/target-arm/cpu64.c
index 3eb58c6..728d9a7 100644
--- a/target-arm/cpu64.c
+++ b/target-arm/cpu64.c
@@ -149,6 +149,21 @@ static void aarch64_a57_initfn(Object *obj)
 cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
 }
 
+static void aarch64_a53_initfn(Object *obj)
+{
+ARMCPU *cpu = ARM_CPU(obj);
+
+aarch64_axx_initfn(cpu);
+
+cpu->dtb_compatible = "arm,cortex-a53";
+cpu->midr = 0x410fd034;
+cpu->ctr = 0x84448004; /* L1Ip = VIPT */
+cpu->id_aa64mmfr0 = 0x1122; /* 40 bit physical addr */
+cpu->ccsidr[0] = 0x700fe01a; /* 32KB L1 dcache */
+cpu->ccsidr[1] = 0x201fe00a; /* 32KB L1 icache */
+cpu->ccsidr[2] = 0x707fe07a; /* 1024KB L2 cache */
+}
+
 #ifdef CONFIG_USER_ONLY
 static void aarch64_any_initfn(Object *obj)
 {
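Review bot: the MIDR, CTR, ID_AA64MMFR0 and CCSIDR values are documented only in the commit message as defaults taken from the Xilinx MPSoC; a one-line comment above the ccsidr[] assignments saying that the cache geometry is implementation-configurable and these are the MPSoC values used until configurability is added would stop them reading as architectural constants. The commit message's "Similar to a53" also looks like it should name the a57, since this is the a53 initfn and the function it follows is aarch64_a57_initfn.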
@@ -176,6 +191,7 @@ typedef struct ARMCPUInfo {
 
 static const ARMCPUInfo aarch64_cpus[] = {
 { .name = "cortex-a57", .initfn = aarch64_a57_initfn },
+{ .name = "cortex-a53", .initfn = aarch64_a53_initfn },
 #ifdef CONFIG_USER_ONLY
 { .name = "any", .initfn = aarch64_any_initfn },
 #endif
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 15/15] arm: xlnx-zynqmp: Add PSCI setup

2015-03-16 Thread Peter Crosthwaite
Use SMC PSCI, with the standard policy of secondaries starting in
power-off.

Signed-off-by: Peter Crosthwaite 
---
changed since v1:
Add &error_abort to property setter calls

 hw/arm/xlnx-zynqmp.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index e015025..0265fba 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -97,6 +97,14 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error 
**errp)
 for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
 qemu_irq irq;
 
+object_property_set_int(OBJECT(&s->cpu[i]), QEMU_PSCI_CONDUIT_SMC,
+"psci-conduit", &error_abort);
+if (i > 0) {
+/* Secondary CPUs start in PSCI powered-down state */
+object_property_set_bool(OBJECT(&s->cpu[i]), true,
+ "start-powered-off", &error_abort);
+}
+
 object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
 ERR_PROP_CHECK_RETURN(err, errp);
 
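Review bot: the `if (i > 0)` test hardcodes CPU 0 as the only core that boots powered on; the comment "Secondary CPUs start in PSCI powered-down state" should also say that they are only brought up when the guest issues a PSCI CPU_ON through the SMC conduit set two lines above, which is the policy the commit message calls standard. The two property setters use &error_abort while "realized" just below uses &err with ERR_PROP_CHECK_RETURN; that is defensible because both property names are fixed at compile time, but a one-line comment saying so would preempt the question in review.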
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 03/15] arm: Introduce Xilinx ZynqMP SoC

2015-03-16 Thread Peter Crosthwaite
With quad Cortex-A53 CPUs.

Signed-off-by: Peter Crosthwaite 
---
changed since v2:
Added [*] to cpu child property name.
changed since v1:
Add &error_abort to CPU child adder call.

 default-configs/aarch64-softmmu.mak |  2 +-
 hw/arm/Makefile.objs|  1 +
 hw/arm/xlnx-zynqmp.c| 72 +
 include/hw/arm/xlnx-zynqmp.h| 21 +++
 4 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/xlnx-zynqmp.c
 create mode 100644 include/hw/arm/xlnx-zynqmp.h

diff --git a/default-configs/aarch64-softmmu.mak 
b/default-configs/aarch64-softmmu.mak
index 6d3b5c7..96dd994 100644
--- a/default-configs/aarch64-softmmu.mak
+++ b/default-configs/aarch64-softmmu.mak
@@ -3,4 +3,4 @@
 # We support all the 32 bit boards so need all their config
 include arm-softmmu.mak
 
-# Currently no 64-bit specific config requirements
+CONFIG_XLNX_ZYNQMP=y
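Review bot: the removed comment was the only hint that this file carried no 64-bit specific entries; since CONFIG_XLNX_ZYNQMP=y becomes the first one, a short comment above it stating that the SoC is AArch64-only (quad Cortex-A53, per the commit message) would explain why it is listed here rather than in arm-softmmu.mak.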
diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index 2577f68..d7cd5f4 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -10,3 +10,4 @@ obj-$(CONFIG_DIGIC) += digic.o
 obj-y += omap1.o omap2.o strongarm.o
 obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
+obj-$(CONFIG_XLNX_ZYNQMP) += xlnx-zynqmp.o
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
new file mode 100644
index 000..41c207a
--- /dev/null
+++ b/hw/arm/xlnx-zynqmp.c
@@ -0,0 +1,72 @@
+/*
+ * Xilinx Zynq MPSoC emulation
+ *
+ * Copyright (C) 2015 Xilinx Inc
+ * Written by Peter Crosthwaite 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hw/arm/xlnx-zynqmp.h"
+
+static void xlnx_zynqmp_init(Object *obj)
+{
+XlnxZynqMPState *s = XLNX_ZYNQMP(obj);
+int i;
+
+for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
+object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
+  "cortex-a53-" TYPE_ARM_CPU);
+object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpu[i]),
+  &error_abort);
+}
+}
+
+#define ERR_PROP_CHECK_RETURN(err, errp) do { \
+if (err) { \
+error_propagate((errp), (err)); \
+return; \
+} \
+} while (0)
+
+static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+{
+XlnxZynqMPState *s = XLNX_ZYNQMP(dev);
+uint8_t i;
+Error *err = NULL;
+
+for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
+object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
+ERR_PROP_CHECK_RETURN(err, errp);
+}
+}
+
+static void xlnx_zynqmp_class_init(ObjectClass *oc, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(oc);
+
+dc->realize = xlnx_zynqmp_realize;
+}
+
+static const TypeInfo xlnx_zynqmp_type_info = {
+.name = TYPE_XLNX_ZYNQMP,
+.parent = TYPE_DEVICE,
+.instance_size = sizeof(XlnxZynqMPState),
+.instance_init = xlnx_zynqmp_init,
+.class_init = xlnx_zynqmp_class_init,
+};
+
+static void xlnx_zynqmp_register_types(void)
+{
+type_register_static(&xlnx_zynqmp_type_info);
+}
+
+type_init(xlnx_zynqmp_register_types)
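Review bot: xlnx_zynqmp_realize iterates with `uint8_t i` while xlnx_zynqmp_init uses `int i` over the same XLNX_ZYNQMP_NUM_CPUS bound; pick one type (plain int is the usual choice). ERR_PROP_CHECK_RETURN is defined in the middle of the file and hides a `return` inside a macro, which makes the control flow in the realize loop harder to follow than the open-coded `if (err) { error_propagate(errp, err); return; }`; if the macro is kept (later patches in the series reuse it) move it to the top of the file with a comment stating that it returns from the calling function.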
diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
new file mode 100644
index 000..d6b3b92
--- /dev/null
+++ b/include/hw/arm/xlnx-zynqmp.h
@@ -0,0 +1,21 @@
+#ifndef XLNX_ZYNQMP_H_
+
+#include "qemu-common.h"
+#include "hw/arm/arm.h"
+
+#define TYPE_XLNX_ZYNQMP "xlnx,zynqmp"
+#define XLNX_ZYNQMP(obj) OBJECT_CHECK(XlnxZynqMPState, (obj), \
+   TYPE_XLNX_ZYNQMP)
+
+#define XLNX_ZYNQMP_NUM_CPUS 4
+
+typedef struct XlnxZynqMPState {
+/*< private >*/
+DeviceState parent_obj;
+/*< public >*/
+
+ARMCPU cpu[XLNX_ZYNQMP_NUM_CPUS];
+}  XlnxZynqMPState;
+
+#define XLNX_ZYNQMP_H_
+#endif
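Review bot: the include guard defines XLNX_ZYNQMP_H_ at the bottom of the header instead of directly after the `#ifndef`; that still stops repeated inclusion, but the conventional placement (define immediately after the ifndef) also protects against include cycles and matches the rest of QEMU's headers. There is also a stray double space in `}  XlnxZynqMPState;`.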
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 01/15] target-arm: cpu64: Factor out ARM cortex init

2015-03-16 Thread Peter Crosthwaite
In preparation for support for Cortex a53. Use "axx" to describe the
shareable features. Some of the CP15 registers (such as ACTLR) are
specific to implementation, but we currently just RAZ them so continue
with that as the policy for all cortex A processors under a shared
definition.

The cache sizes and geometries, the L1 I-cache policy and the physical
address range differ between A53 and A57 so those particulars are left
as A57 specific. The rest are moved to the generalisation.

Reviewed-by: Alex Bennée 
Signed-off-by: Peter Crosthwaite 
---
 target-arm/cpu64.c | 34 --
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/target-arm/cpu64.c b/target-arm/cpu64.c
index 270bc2f..3eb58c6 100644
--- a/target-arm/cpu64.c
+++ b/target-arm/cpu64.c
@@ -38,22 +38,22 @@ static inline void unset_feature(CPUARMState *env, int 
feature)
 }
 
 #ifndef CONFIG_USER_ONLY
-static uint64_t a57_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+static uint64_t axx_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
 /* Number of processors is in [25:24]; otherwise we RAZ */
 return (smp_cpus - 1) << 24;
 }
 #endif
 
-static const ARMCPRegInfo cortexa57_cp_reginfo[] = {
+static const ARMCPRegInfo cortexaxx_cp_reginfo[] = {
 #ifndef CONFIG_USER_ONLY
 { .name = "L2CTLR_EL1", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 2,
-  .access = PL1_RW, .readfn = a57_l2ctlr_read,
+  .access = PL1_RW, .readfn = axx_l2ctlr_read,
   .writefn = arm_cp_write_ignore },
 { .name = "L2CTLR",
   .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 2,
-  .access = PL1_RW, .readfn = a57_l2ctlr_read,
+  .access = PL1_RW, .readfn = axx_l2ctlr_read,
   .writefn = arm_cp_write_ignore },
 #endif
 { .name = "L2ECTLR_EL1", .state = ARM_CP_STATE_AA64,
@@ -92,11 +92,8 @@ static const ARMCPRegInfo cortexa57_cp_reginfo[] = {
 REGINFO_SENTINEL
 };
 
-static void aarch64_a57_initfn(Object *obj)
+static void aarch64_axx_initfn(ARMCPU *cpu)
 {
-ARMCPU *cpu = ARM_CPU(obj);
-
-cpu->dtb_compatible = "arm,cortex-a57";
 set_feature(&cpu->env, ARM_FEATURE_V8);
 set_feature(&cpu->env, ARM_FEATURE_VFP4);
 set_feature(&cpu->env, ARM_FEATURE_NEON);
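Review bot: aarch64_axx_initfn now takes an ARMCPU * rather than the Object * that a QOM instance_init takes, so it is a plain helper and not an initfn; keeping the `_initfn` suffix invites confusion with the registered aarch64_a57_initfn below, and a name such as aarch64_axx_init_common would read better.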
@@ -108,13 +105,10 @@ static void aarch64_a57_initfn(Object *obj)
 set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
 set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
 set_feature(&cpu->env, ARM_FEATURE_CRC);
-cpu->kvm_target = QEMU_KVM_ARM_TARGET_CORTEX_A57;
-cpu->midr = 0x411fd070;
 cpu->reset_fpsid = 0x41034070;
 cpu->mvfr0 = 0x10110222;
 cpu->mvfr1 = 0x1211;
 cpu->mvfr2 = 0x0043;
-cpu->ctr = 0x8444c004;
 cpu->reset_sctlr = 0x00c50838;
 cpu->id_pfr0 = 0x0131;
 cpu->id_pfr1 = 0x00011011;
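Review bot: reset_fpsid, mvfr0..mvfr2, reset_sctlr and the id_* registers stay in the shared body after midr and ctr move out; since the commit message claims only cache geometry, L1 I-cache policy and physical address size differ between the two cores, a comment stating that these remaining ID values were checked against both the A53 and A57 documentation would give the next person adding a core a basis for trusting the shared block.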
@@ -133,14 +127,26 @@ static void aarch64_a57_initfn(Object *obj)
 cpu->id_aa64pfr0 = 0x;
 cpu->id_aa64dfr0 = 0x10305106;
 cpu->id_aa64isar0 = 0x00011120;
-cpu->id_aa64mmfr0 = 0x1124;
 cpu->dbgdidr = 0x3516d000;
 cpu->clidr = 0x0a200023;
+cpu->dcz_blocksize = 4; /* 64 bytes */
+define_arm_cp_regs(cpu, cortexaxx_cp_reginfo);
+}
+
+static void aarch64_a57_initfn(Object *obj)
+{
+ARMCPU *cpu = ARM_CPU(obj);
+
+aarch64_axx_initfn(cpu);
+
+cpu->dtb_compatible = "arm,cortex-a57";
+cpu->kvm_target = QEMU_KVM_ARM_TARGET_CORTEX_A57;
+cpu->midr = 0x411fd070;
+cpu->ctr = 0x8444c004; /* L1Ip = PIPT */
+cpu->id_aa64mmfr0 = 0x1124; /* 44 bit physical addr */
 cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
 cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
 cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
-cpu->dcz_blocksize = 4; /* 64 bytes */
-define_arm_cp_regs(cpu, cortexa57_cp_reginfo);
 }
 
 #ifdef CONFIG_USER_ONLY
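Review bot: define_arm_cp_regs(cpu, cortexaxx_cp_reginfo) now runs inside the shared helper, i.e. before the per-core midr, ctr and id_aa64mmfr0 are assigned in aarch64_a57_initfn; that is fine as long as nothing in cortexaxx_cp_reginfo depends on those fields (the visible entries only read smp_cpus), but it is worth a comment so that a future register with a midr-dependent reset value is not added there by mistake. The new inline comments on ctr ("L1Ip = PIPT") and id_aa64mmfr0 ("44 bit physical addr") are a welcome addition.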
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 04/15] arm: xlnx-zynqmp: Add GIC

2015-03-16 Thread Peter Crosthwaite
And connect IRQ outputs to the CPUs.

Reviewed-by: Alistair Francis 
Signed-off-by: Peter Crosthwaite 
---
 hw/arm/xlnx-zynqmp.c | 19 +++
 include/hw/arm/xlnx-zynqmp.h |  2 ++
 2 files changed, 21 insertions(+)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 41c207a..9465185 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -17,6 +17,11 @@
 
 #include "hw/arm/xlnx-zynqmp.h"
 
+#define GIC_NUM_SPI_INTR 128
+
+#define GIC_DIST_ADDR   0xf901
+#define GIC_CPU_ADDR0xf902
+
 static void xlnx_zynqmp_init(Object *obj)
 {
 XlnxZynqMPState *s = XLNX_ZYNQMP(obj);
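Review bot: GIC_NUM_SPI_INTR 128 is later combined with a bare `+ 32` in realize to form the "num-irq" property; that 32 stands for the architected SGI and PPI interrupt numbers, and a named constant or a comment at this define would make the total easier to verify than the unexplained number.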
@@ -28,6 +33,9 @@ static void xlnx_zynqmp_init(Object *obj)
 object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpu[i]),
   &error_abort);
 }
+
+object_initialize(&s->gic, sizeof(s->gic), TYPE_ARM_GIC);
+qdev_set_parent_bus(DEVICE(&s->gic), sysbus_get_default());
 }
 
 #define ERR_PROP_CHECK_RETURN(err, errp) do { \
@@ -43,9 +51,20 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error 
**errp)
 uint8_t i;
 Error *err = NULL;
 
+qdev_prop_set_uint32(DEVICE(&s->gic), "num-irq", GIC_NUM_SPI_INTR + 32);
+qdev_prop_set_uint32(DEVICE(&s->gic), "revision", 2);
+qdev_prop_set_uint32(DEVICE(&s->gic), "num-cpu", XLNX_ZYNQMP_NUM_CPUS);
+object_property_set_bool(OBJECT(&s->gic), true, "realized", &err);
+ERR_PROP_CHECK_RETURN(err, errp);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->gic), 0, GIC_DIST_ADDR);
+sysbus_mmio_map(SYS_BUS_DEVICE(&s->gic), 1, GIC_CPU_ADDR);
+
 for (i = 0; i < XLNX_ZYNQMP_NUM_CPUS; i++) {
 object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
 ERR_PROP_CHECK_RETURN(err, errp);
+
+sysbus_connect_irq(SYS_BUS_DEVICE(&s->gic), i,
+   qdev_get_gpio_in(DEVICE(&s->cpu[i]), ARM_CPU_IRQ));
 }
 }
 
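Review bot: only ARM_CPU_IRQ is wired from GIC output i to each CPU; the CPU's ARM_CPU_FIQ input is left unconnected, so if this SoC expects the GIC to deliver FIQs (secure interrupts, or a guest that routes group 0 to FIQ) the corresponding GIC output must also be connected, and if that is deliberately deferred the commit message should say so. The "revision" value 2 and "num-cpu" property are set without explanation; a comment naming the GIC version the MPSoC implements would help.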
diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
index d6b3b92..d29c7de 100644
--- a/include/hw/arm/xlnx-zynqmp.h
+++ b/include/hw/arm/xlnx-zynqmp.h
@@ -2,6 +2,7 @@
 
 #include "qemu-common.h"
 #include "hw/arm/arm.h"
+#include "hw/intc/arm_gic.h"
 
 #define TYPE_XLNX_ZYNQMP "xlnx,zynqmp"
 #define XLNX_ZYNQMP(obj) OBJECT_CHECK(XlnxZynqMPState, (obj), \
@@ -15,6 +16,7 @@ typedef struct XlnxZynqMPState {
 /*< public >*/
 
 ARMCPU cpu[XLNX_ZYNQMP_NUM_CPUS];
+GICState gic;
 }  XlnxZynqMPState;
 
 #define XLNX_ZYNQMP_H_
-- 
2.3.1.2.g90df61e.dirty




[Qemu-devel] [PATCH target-arm v3 06/15] net: cadence_gem: Clean up variable names

2015-03-16 Thread Peter Crosthwaite
In preparation for migrating the state struct and type cast macro to a public
header. The acronym "GEM" on its own is not specific enough to be used in a
more global namespace so preface with "cadence". Fix the capitalisation of
"gem" in the state type while touching the typename. Also preface the
GEM_MAXREG macro as this will need to migrate to public header.

Reviewed-by: Alistair Francis 
Reviewed-by: Alex Bennée 
Signed-off-by: Peter Crosthwaite 
---
 hw/net/cadence_gem.c | 70 ++--
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 55b6293..5994306 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -141,7 +141,7 @@
 #define GEM_DESCONF6  (0x0294/4)
 #define GEM_DESCONF7  (0x0298/4)
 
-#define GEM_MAXREG(0x0640/4) /* Last valid GEM address */
+#define CADENCE_GEM_MAXREG(0x0640/4) /* Last valid GEM address */
 
 /*/
 #define GEM_NWCTRL_TXSTART 0x0200 /* Transmit Enable */
@@ -350,9 +350,9 @@ static inline void rx_desc_set_sar(unsigned *desc, int 
sar_idx)
 }
 
 #define TYPE_CADENCE_GEM "cadence_gem"
-#define GEM(obj) OBJECT_CHECK(GemState, (obj), TYPE_CADENCE_GEM)
+#define CADENCE_GEM(obj) OBJECT_CHECK(CadenceGEMState, (obj), TYPE_CADENCE_GEM)
 
-typedef struct GemState {
+typedef struct CadenceGEMState {
 SysBusDevice parent_obj;
 
 MemoryRegion iomem;
@@ -361,15 +361,15 @@ typedef struct GemState {
 qemu_irq irq;
 
 /* GEM registers backing store */
-uint32_t regs[GEM_MAXREG];
+uint32_t regs[CADENCE_GEM_MAXREG];
 /* Mask of register bits which are write only */
-uint32_t regs_wo[GEM_MAXREG];
+uint32_t regs_wo[CADENCE_GEM_MAXREG];
 /* Mask of register bits which are read only */
-uint32_t regs_ro[GEM_MAXREG];
+uint32_t regs_ro[CADENCE_GEM_MAXREG];
 /* Mask of register bits which are clear on read */
-uint32_t regs_rtc[GEM_MAXREG];
+uint32_t regs_rtc[CADENCE_GEM_MAXREG];
 /* Mask of register bits which are write 1 to clear */
-uint32_t regs_w1c[GEM_MAXREG];
+uint32_t regs_w1c[CADENCE_GEM_MAXREG];
 
 /* PHY registers backing store */
 uint16_t phy_regs[32];
@@ -385,7 +385,7 @@ typedef struct GemState {
 unsigned rx_desc[2];
 
 bool sar_active[4];
-} GemState;
+} CadenceGEMState;
 
 /* The broadcast MAC address: 0x */
 static const uint8_t broadcast_addr[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
@@ -395,7 +395,7 @@ static const uint8_t broadcast_addr[] = { 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF };
  * One time initialization.
  * Set masks to identify which register bits have magical clear properties
  */
-static void gem_init_register_masks(GemState *s)
+static void gem_init_register_masks(CadenceGEMState *s)
 {
 /* Mask of register bits which are read only */
 memset(&s->regs_ro[0], 0, sizeof(s->regs_ro));
@@ -430,7 +430,7 @@ static void gem_init_register_masks(GemState *s)
  * phy_update_link:
  * Make the emulated PHY link state match the QEMU "interface" state.
  */
-static void phy_update_link(GemState *s)
+static void phy_update_link(CadenceGEMState *s)
 {
 DB_PRINT("down %d\n", qemu_get_queue(s->nic)->link_down);
 
@@ -450,7 +450,7 @@ static void phy_update_link(GemState *s)
 
 static int gem_can_receive(NetClientState *nc)
 {
-GemState *s;
+CadenceGEMState *s;
 
 s = qemu_get_nic_opaque(nc);
 
@@ -483,7 +483,7 @@ static int gem_can_receive(NetClientState *nc)
  * gem_update_int_status:
  * Raise or lower interrupt based on current status.
  */
-static void gem_update_int_status(GemState *s)
+static void gem_update_int_status(CadenceGEMState *s)
 {
 if (s->regs[GEM_ISR]) {
 DB_PRINT("asserting int. (0x%08x)\n", s->regs[GEM_ISR]);
@@ -495,7 +495,7 @@ static void gem_update_int_status(GemState *s)
  * gem_receive_updatestats:
  * Increment receive statistics.
  */
-static void gem_receive_updatestats(GemState *s, const uint8_t *packet,
+static void gem_receive_updatestats(CadenceGEMState *s, const uint8_t *packet,
 unsigned bytes)
 {
 uint64_t octets;
@@ -586,7 +586,7 @@ static unsigned calc_mac_hash(const uint8_t *mac)
  * GEM_RM_PROMISCUOUS_ACCEPT, GEM_RX_BROADCAST_ACCEPT,
  * GEM_RX_MULTICAST_HASH_ACCEPT or GEM_RX_UNICAST_HASH_ACCEPT
  */
-static int gem_mac_address_filter(GemState *s, const uint8_t *packet)
+static int gem_mac_address_filter(CadenceGEMState *s, const uint8_t *packet)
 {
 uint8_t *gem_spaddr;
 int i;
@@ -636,7 +636,7 @@ static int gem_mac_address_filter(GemState *s, const 
uint8_t *packet)
 return GEM_RX_REJECT;
 }
 
-static void gem_get_rx_desc(GemState *s)
+static void gem_get_rx_desc(CadenceGEMState *s)
 {
 DB_PRINT("read descriptor 0x%x\n", (unsigned)s->rx_desc_addr);
 /* read current descriptor */
@@ -660,7 +660,7 @@ static void gem_get_rx_desc(GemState *s)
  */
 static ssiz

[Qemu-devel] [PATCH target-arm v3 13/15] arm: xilinx-ep108: Add external RAM

2015-03-16 Thread Peter Crosthwaite
Zynq MPSoC supports external DDR RAM. Add a RAM at 0 to the model.

Signed-off-by: Peter Crosthwaite 
---
changed since v1:
Add ram size clamps and warnings

 hw/arm/xlnx-ep108.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/hw/arm/xlnx-ep108.c b/hw/arm/xlnx-ep108.c
index eec3e94..6042cbc 100644
--- a/hw/arm/xlnx-ep108.c
+++ b/hw/arm/xlnx-ep108.c
@@ -18,11 +18,16 @@
 #include "hw/arm/xlnx-zynqmp.h"
 #include "hw/boards.h"
 #include "qemu/error-report.h"
+#include "exec/address-spaces.h"
 
 typedef struct XlnxEP108 {
 XlnxZynqMPState soc;
+MemoryRegion ddr_ram;
 } XlnxEP108;
 
+/* Max 2GB RAM */
+#define EP108_MAX_RAM_SIZE 0x8000ull
+
 static void xlnx_ep108_init(MachineState *machine)
 {
 XlnxEP108 *s = g_new0(XlnxEP108, 1);
@@ -36,6 +41,22 @@ static void xlnx_ep108_init(MachineState *machine)
 error_report("%s", error_get_pretty(err));
 exit(1);
 }
+
+if (machine->ram_size > EP108_MAX_RAM_SIZE) {
+error_report("WARNING: RAM size " RAM_ADDR_FMT " above max supported, "
+ "reduced to %llx", machine->ram_size, EP108_MAX_RAM_SIZE);
+machine->ram_size = EP108_MAX_RAM_SIZE;
+}
+
+if (machine->ram_size <= 0x0800) {
+error_report("WARNING: RAM size " RAM_ADDR_FMT " is small for EP108\n",
+ machine->ram_size);
+}
+
+memory_region_init_ram(&s->ddr_ram, NULL, "ddr-ram", machine->ram_size,
+   &error_abort);
+vmstate_register_ram_global(&s->ddr_ram);
+memory_region_add_subregion(get_system_memory(), 0, &s->ddr_ram);
 }
 
 static QEMUMachine xlnx_ep108_machine = {
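Review bot: the second error_report string ends in "\n", but error_report adds its own newline (and checkpatch flags trailing newlines), so drop it. More importantly, a -m value above EP108_MAX_RAM_SIZE is silently clamped rather than rejected: the guest is then given less memory than the user asked for, with only a warning on stderr to show for it, whereas the realize failure just above exits with an error; failing the same way here would be the safer behaviour, and the warning could then be reserved for the "too small" case.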
-- 
2.3.1.2.g90df61e.dirty




Re: [Qemu-devel] [PATCH] ui/cocoa.m: Give laptop users ability to scroll in monitor

2015-03-16 Thread Paolo Bonzini


On 13/03/2015 21:43, Programmingkid wrote:
>> How do you do that in a terminal?
> 
> I'm not sure what exactly you're asking. I will say past Apple laptop
> did have the ability to page up or down by using the function key +
> the up or down arrow keys. It looks like Apple removed that ability.
> I tried using function key + up, control key + up, option key + up,
> and command key + up. These do not cause the Monitor to scroll
> without the patch.

How do you scroll up and down in OS X's Terminal.app?

Paolo



Re: [Qemu-devel] [PATCH] linux-user: qemu treats TLS pointer in the wrong way when specifying cpu cortex-a15.

2015-03-16 Thread Mikhail Ilin

On 16.03.2015 15:05, Peter Maydell wrote:

I took the liberty of rewriting the commit message a bit to better
fit in with QEMU's usual style; hope that's OK:


Sure, it is fine :)

-- Mikhail



[Qemu-devel] [PATCH target-arm v3 12/15] arm: Add xlnx-ep108 machine

2015-03-16 Thread Peter Crosthwaite
Add a machine model for the Xilinx ZynqMP SoC EP108 board.

Signed-off-by: Peter Crosthwaite 
---
Changed since v1:
Change board name to ep108

 hw/arm/Makefile.objs |  2 +-
 hw/arm/xlnx-ep108.c  | 52 
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/xlnx-ep108.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index d7cd5f4..a75a182 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -10,4 +10,4 @@ obj-$(CONFIG_DIGIC) += digic.o
 obj-y += omap1.o omap2.o strongarm.o
 obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
-obj-$(CONFIG_XLNX_ZYNQMP) += xlnx-zynqmp.o
+obj-$(CONFIG_XLNX_ZYNQMP) += xlnx-zynqmp.o xlnx-ep108.o
diff --git a/hw/arm/xlnx-ep108.c b/hw/arm/xlnx-ep108.c
new file mode 100644
index 000..eec3e94
--- /dev/null
+++ b/hw/arm/xlnx-ep108.c
@@ -0,0 +1,52 @@
+/*
+ * Xilinx ZynqMP SoC EP108 board
+ *
+ * Copyright (C) 2015 Xilinx Inc
+ * Written by Peter Crosthwaite 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hw/arm/xlnx-zynqmp.h"
+#include "hw/boards.h"
+#include "qemu/error-report.h"
+
+typedef struct XlnxEP108 {
+XlnxZynqMPState soc;
+} XlnxEP108;
+
+static void xlnx_ep108_init(MachineState *machine)
+{
+XlnxEP108 *s = g_new0(XlnxEP108, 1);
+Error *err = NULL;
+
+object_initialize(&s->soc, sizeof(s->soc), TYPE_XLNX_ZYNQMP);
+object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc), NULL);
+
+object_property_set_bool(OBJECT(&s->soc), true, "realized", &err);
+if (err) {
+error_report("%s", error_get_pretty(err));
+exit(1);
+}
+}
+
+static QEMUMachine xlnx_ep108_machine = {
+.name = "xlnx-ep108",
+.desc = "Xilinx ZynqMP SoC EP108 board",
+.init = xlnx_ep108_init,
+};
+
+static void xlnx_ep108_machine_init(void)
+{
+qemu_register_machine(&xlnx_ep108_machine);
+}
+
+machine_init(xlnx_ep108_machine_init);
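Review bot: object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc), NULL) passes NULL for errp, which silently discards a failure to add the child, while the SoC's own child adder in xlnx-zynqmp.c was changed to &error_abort in v1 of 03/15; pass &error_abort here as well for consistency. The XlnxEP108 allocated with g_new0 is intentionally never freed because it lives for the lifetime of the VM, which is worth a one-line comment.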
-- 
2.3.1.2.g90df61e.dirty




Re: [Qemu-devel] [PATCH] add pci-bridge-seat

2015-03-16 Thread Michael S. Tsirkin
On Mon, Mar 16, 2015 at 11:36:43AM +0100, Gerd Hoffmann wrote:
> Simplifies multiseat configuration, see
> docs/multiseat.txt update for details.
> 
> Signed-off-by: Gerd Hoffmann 
> ---
>  docs/multiseat.txt | 19 +++
>  docs/specs/pci-ids.txt |  1 +
>  hw/pci-bridge/pci_bridge_dev.c | 25 -
>  include/hw/pci/pci.h   |  1 +
>  4 files changed, 45 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/multiseat.txt b/docs/multiseat.txt
> index b963665..814496e 100644
> --- a/docs/multiseat.txt
> +++ b/docs/multiseat.txt
> @@ -106,6 +106,25 @@ the devices attached to the seat.
>  Background info is here:
>http://www.freedesktop.org/wiki/Software/systemd/multiseat/
>  
> +
> +guest side with pci-bridge-seat
> +---
> +
> +Qemu version FIXME and newer has a new pci-bridge-seat device which
> +can be used instead of pci-bridge.  Just swap the device name in the
> +qemu command line above.  The only difference between the two devices
> +is the pci id.  We can match the pci id instead of the device path
> +with a nice generic rule now, which simplifies the guest
> +configuration:
> +
> +[root@fedora ~]# cat /etc/udev/rules.d/70-qemu-pci-bridge-seat.rules
> +SUBSYSTEM=="pci", ATTR{vendor}=="0x1b36", ATTR{device}=="0x000a", \
> +TAG+="seat", ENV{ID_AUTOSEAT}="1"
> +
> +Patch with this rule will be submitted to upstream udev/systemd, so
> +long-term, when systemd with this lands in distros, things will work
> +just fine without any manual guest configuration.
> +
>  Enjoy!
>  
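Review bot: "Qemu version FIXME and newer" is a placeholder that would ship in the documentation as written; fill in the target release before this is applied. The udev rule matches vendor 0x1b36 / device 0x000a, which agrees with the pci-ids.txt and pci.h hunks further down, so all three need to move together if the id is ever changed.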

I'm confused. What's wrong with using the regular bridge,
and ATTR{vendor}=="0x1b36", ATTR{device}=="0x0001"?


>  --
> diff --git a/docs/specs/pci-ids.txt b/docs/specs/pci-ids.txt
> index c6732fe..cdeb805 100644
> --- a/docs/specs/pci-ids.txt
> +++ b/docs/specs/pci-ids.txt
> @@ -46,6 +46,7 @@ PCI devices (other than virtio):
>  1b36:0004  PCI Quad-port 16550A adapter (docs/specs/pci-serial.txt)
>  1b36:0005  PCI test device (docs/specs/pci-testdev.txt)
>  1b36:0007  PCI SD Card Host Controller Interface (SDHCI)
> +1b36:000a  PCI-PCI bridge (multiseat)
>  
>  All these devices are documented in docs/specs.
>  
> diff --git a/hw/pci-bridge/pci_bridge_dev.c b/hw/pci-bridge/pci_bridge_dev.c
> index 36f73e1..e966d2e 100644
> --- a/hw/pci-bridge/pci_bridge_dev.c
> +++ b/hw/pci-bridge/pci_bridge_dev.c
> @@ -28,7 +28,8 @@
>  #include "hw/pci/pci_bus.h"
>  #include "hw/hotplug.h"
>  
> -#define TYPE_PCI_BRIDGE_DEV "pci-bridge"
> +#define TYPE_PCI_BRIDGE_DEV  "pci-bridge"
> +#define TYPE_PCI_BRIDGE_SEAT_DEV "pci-bridge-seat"
>  #define PCI_BRIDGE_DEV(obj) \
>  OBJECT_CHECK(PCIBridgeDev, (obj), TYPE_PCI_BRIDGE_DEV)
>  
> @@ -170,9 +171,31 @@ static const TypeInfo pci_bridge_dev_info = {
>  }
>  };
>  
> +/*
> + * Multiseat bridge.  Same as the standard pci bridge, only with a
> + * different pci id, so we can match it easily in the guest for
> + * automagic multiseat configuration.  See docs/multiseat.txt for more.

Hmm, this doesn't give me any info except it has something
to do with multiseat (which is itself an ambigious term)
and is somehow magic.

It's probably obvious to you - maybe you can explain?

> + */
> +static void pci_bridge_dev_seat_class_init(ObjectClass *klass, void *data)
> +{
> +DeviceClass *dc = DEVICE_CLASS(klass);
> +PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
> +
> +k->device_id = PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT;
> +dc->desc = "Standard PCI Bridge (multiseat)";
> +}
> +
> +static const TypeInfo pci_bridge_dev_seat_info = {
> +.name  = TYPE_PCI_BRIDGE_SEAT_DEV,
> +.parent= TYPE_PCI_BRIDGE_DEV,
> +.instance_size = sizeof(PCIBridgeDev),
> +.class_init= pci_bridge_dev_seat_class_init,
> +};
> +
>  static void pci_bridge_dev_register(void)
>  {
>  type_register_static(&pci_bridge_dev_info);
> +type_register_static(&pci_bridge_dev_seat_info);
>  }
>  
>  type_init(pci_bridge_dev_register);
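Review bot: `.instance_size = sizeof(PCIBridgeDev)` is redundant because the type inherits it from `.parent = TYPE_PCI_BRIDGE_DEV`, and dropping it avoids two places drifting if the parent struct changes. The PCI_BRIDGE_DEV() cast macro defined earlier checks against TYPE_PCI_BRIDGE_DEV and still works for the seat subtype because QOM type checks accept subclasses, so no seat-specific cast macro is needed; a word to that effect in the comment block would save a reviewer the check.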
> diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
> index be2d9b8..320c389 100644
> --- a/include/hw/pci/pci.h
> +++ b/include/hw/pci/pci.h
> @@ -90,6 +90,7 @@
>  #define PCI_DEVICE_ID_REDHAT_TEST0x0005
>  #define PCI_DEVICE_ID_REDHAT_SDHCI   0x0007
>  #define PCI_DEVICE_ID_REDHAT_PCIE_HOST   0x0008
> +#define PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT 0x000a
>  #define PCI_DEVICE_ID_REDHAT_QXL 0x0100
>  
>  #define FMT_PCIBUS  PRIx64
> -- 
> 1.8.3.1



Re: [Qemu-devel] [PATCH v5 for-2.3 28/28] docs: Add PXB documentation

2015-03-16 Thread Marcel Apfelbaum

On 03/10/2015 07:42 PM, Michael S. Tsirkin wrote:

On Tue, Mar 10, 2015 at 06:21:14PM +0200, Marcel Apfelbaum wrote:

On 03/10/2015 05:47 PM, Michael S. Tsirkin wrote:

On Tue, Mar 10, 2015 at 05:32:14PM +0200, Marcel Apfelbaum wrote:

Signed-off-by: Marcel Apfelbaum 
---
  docs/pci_expander_bridge.txt | 52 
  1 file changed, 52 insertions(+)
  create mode 100644 docs/pci_expander_bridge.txt

diff --git a/docs/pci_expander_bridge.txt b/docs/pci_expander_bridge.txt
new file mode 100644
index 000..58bf7a8
--- /dev/null
+++ b/docs/pci_expander_bridge.txt
@@ -0,0 +1,52 @@
+PCI EXPANDER BRIDGE (PXB)
+=
+
+Description
+===
+PXB is a "light-weight" host bridge in the same PCI domain
+as the main host bridge whose purpose is to enable
+the main host bridge to support multiple PCI root buses.
+It is implemented only for i440fx.


BTW what makes it i440fx specific?
Also, what happens if you try to use it
with a different machine type?

It is i440fx specific, please look at patch 22/28.
Also we have a specific check for i440fx, so CRS
will not be emitted for other machine types.

Thanks,
Marcel


In fact it won't work at all. Need to think about it,
maybe we can make it work more generally.
For CRS, should be possible to emit for q35 too?

We can make it work, but not on the scope of this series.
However, I'll add an IHostBridgeSnoop interface that will
make the device work only with associated bus and
this will make it less general.

Thanks,
Marcel






+
+As opposed to PCI-2-PCI bridge's secondary bus, PXB's bus
+is a primary bus and can be associated with a NUMA node
+(different from the main host bridge) allowing the guest OS
+to recognize the proximity of a pass-through device to
+other resources as RAM and CPUs.
+
+Usage
+=
+A detailed command line would be:
+
+[qemu-bin + storage options]
+-bios [seabios-dir]/out/bios.bin -L [seabios-dir]/out/
+-m 2G
+-object memory-backend-ram,size=1024M,policy=bind,host-nodes=0,id=ram-node0 
-numa node,nodeid=0,cpus=0,memdev=ram-node0
+-object 
memory-backend-ram,size=1024M,policy=interleave,host-nodes=0,id=ram-node1 -numa 
node,nodeid=1,cpus=1,memdev=ram-node1
+-device pxb-device,id=bridge1,bus=pci.0,numa_node=1,bus_nr=4 -netdev 
user,id=nd-device e1000,bus=bridge1,addr=0x4,netdev=nd
+-device pxb-device,id=bridge2,bus=pci.0,numa_node=0,bus_nr=8 -device 
e1000,bus=bridge2,addr=0x3
+-device pxb-device,id=bridge3,bus=pci.0,bus_nr=40 -drive 
if=none,id=drive0,file=[img] -device 
virtio-blk-pci,drive=drive0,scsi=off,bus=bridge3,addr=1
+
+Here you have:
+ - 2 NUMA nodes for the guest, 0 and 1. (both mapped to the same NUMA node in 
host, but you can and should put it in different host NUMA nodes)
+ - a pxb host bridge attached to NUMA 1 with an e1000 behind it
+ - a pxb host bridge attached to NUMA 0 with an e1000 behind it
+ - a pxb host bridge not attached to any NUMA with a hard drive behind it.
+
+Implementation
+==
+The PXB is composed by:
+- HostBridge (TYPE_PXB_HOST)
+  The host bridge allows to register and query the PXB's rPCI root bus in QEMU.
+- PXBDev(TYPE_PXB_DEVICE)
+  It is a regular PCI Device that resides on the piix host-bridge bus and its 
bus uses the same PCI domain.
+  However, the bus behind is exposed through ACPI as a primary PCI bus and 
starts a new PCI hierarchy.
+  The interrupts from devices behind the PXB are routed through this device 
the same as if it were a
+  PCI-2-PCI bridge. The _PRT follows the i440fx model.
+- PCIBridgeDev(TYPE_PCI_BRIDGE_DEV)
+  Created automatically as part of init sequence.
+  When adding a device to PXB it is attached to the bridge for two reasons:
+  - Using the bridge will enable hotplug support
+  - All the devices behind the bridge will use bridge's IO/MEM windows 
compacting
+the PCI address space.
+
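Review bot: the new document needs a few text fixes before it is committed: "PXB's rPCI root bus" looks like a typo for "PCI root bus"; "The PXB is composed by:" should read "composed of:"; and the usage example runs "-netdev user,id=nd-device e1000,bus=bridge1,addr=0x4,netdev=nd" together, which as written is a single malformed -netdev argument rather than "-netdev user,id=nd -device e1000,bus=bridge1,addr=0x4,netdev=nd". Given the discussion above that PXB is i440fx-only and will not work at all on other machine types, the Description section should say so explicitly rather than only "It is implemented only for i440fx".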
--
2.1.0





Re: [Qemu-devel] [v2][PATCH 2/2] libxl: introduce gfx_passthru_kind

2015-03-16 Thread Ian Campbell
On Mon, 2015-03-16 at 09:07 +0800, Chen, Tiejun wrote:
> On 2015/3/13 18:11, Ian Campbell wrote:
> > On Fri, 2015-03-13 at 09:39 +0800, Chen, Tiejun wrote:
> >>> I don't think you can abort here, since a user can set
> >>> b_info->u.hvm.gfx_passthru_kind to default. You would need to
> >>> return an error.
> >>
> >> Then, it looks like I should do this,
> >>
> >> LOG(ERROR, "No supported IGD to passthru," " or please force set
> >> gfx_passthru=\"igd\".\n"); return NULL;
> >
> > If I remember the context correctly this is in the autodetect case,
> > so I think shouldn't mention IGD. Something like "Unable to detect
> > graphics passthru kind, please set gfx_passthru_kind. See xl.cfg(5)
> > for more
> 
> s/gfx_passthru_kind/gfx_passthru, right? Because actually we always get
> 'gfx_passthru_kind' from 'gfx_passthru'.

I think you have it backwards.

In the case here gfx_passthru=1 has been set by the user, but
gfx_passthru_kind=DEFAULT. So libxl has tried to autodetect but it has
failed.

So if the user wants to make progress they should set gfx_passthru_kind
to whatever type of passthrough they were trying to do.

Alternatively I suppose you could recommend removing gfx_passthru=1 (or
changing to=0), but given they've set =1 that doesn't seem to be the
most productive suggestion.

Ian.



