Re: [Qemu-devel] [PATCH 4/4] error: Fix error_printf() calls lacking newlines

2016-08-05 Thread Markus Armbruster
Eric Blake  writes:

> On 08/03/2016 05:37 AM, Markus Armbruster wrote:
>> Signed-off-by: Markus Armbruster 
>> ---
>>  hw/i386/pc.c | 2 +-
>>  kvm-all.c| 2 +-
>>  ui/vnc.c | 2 +-
>>  3 files changed, 3 insertions(+), 3 deletions(-)
>> 
>
> I'm guessing these were found with a slight tweak to the Coccinelle
> script in 1/4? Worth checking that in, or at least leaving a comment
> bread-crumb?

I simply examined all error_printf() calls.  Only 49.  If the problem
persists, we may want to add a script to catch it.

> Reviewed-by: Eric Blake 

Thanks!



Re: [Qemu-devel] [PATCH for-2.7 v3 03/36] qga: free the whole blacklist

2016-08-05 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> - Original Message -
>> Marc-André Lureau  writes:
>> 
>> > Hi
>> >
>> > - Original Message -
>> >> Copying the QGA maintainer.
>> >> 
>> >> marcandre.lur...@redhat.com writes:
>> >> 
>> >> > From: Marc-André Lureau 
>> >> >
>> >> > Free the list, not just the elements.
>> >> >
>> >> > Signed-off-by: Marc-André Lureau 
>> >> > ---
>> >> >  include/glib-compat.h | 9 +
>> >> >  qga/main.c| 8 ++--
>> >> >  2 files changed, 11 insertions(+), 6 deletions(-)
>> >> >
>> >> > diff --git a/include/glib-compat.h b/include/glib-compat.h
>> >> > index 01aa7b3..6d643b2 100644
>> >> > --- a/include/glib-compat.h
>> >> > +++ b/include/glib-compat.h
>> >> > @@ -260,4 +260,13 @@ static inline void g_hash_table_add(GHashTable
>> >> > *hash_table, gpointer key)
>> >> >  } while (0)
>> >> >  #endif
>> >> >  
>> >> > +/*
>> >> > + * A GFunc function helper freeing the first argument (not part of
>> >> > glib)
>> >> 
>> >> Well, it's not part of GLib, because non-obsolete GLib has no use for
>> >> it!  You'd simply pass g_free directly to a _free_full() function
>> >> instead of passing a silly wrapper to a _foreach() function.
>> >> 
>> >> The commit does a bit more than just plug a leak, it also provides a new
>> >> helper for general use.  Mention in the commit message?
>> >> 
>> >> I wonder how many more of these silly g_free() wrappers we have.  A
>> >> quick grep reports hits in string-input-visitor.c and
>> >> qobject/json-streamer.c.  If you add one to a header, you get to hunt
>> >> them down :)
>> >> 
>> >> > + */
>> >> > +static inline void qemu_g_func_free(gpointer data,
>> >> > +gpointer user_data)
>> >> > +{
>> >> > +g_free(data);
>> >> > +}
>> >> > +
>> >> >  #endif
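Review bot: the qemu_g_func_free() helper lands in glib-compat.h without a GLib version guard, so it would outlive the reason for its existence (GLib 2.22 lacking g_list_free_full()); wrap it in `#if !GLIB_CHECK_VERSION(2, 28, 0)` so that raising the minimum GLib version flags it for removal, and have the comment say that it exists only because g_list_free_full() is unavailable rather than merely that it is "not part of glib".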
>> >> > diff --git a/qga/main.c b/qga/main.c
>> >> > index 4c3b2c7..868508b 100644
>> >> > --- a/qga/main.c
>> >> > +++ b/qga/main.c
>> >> > @@ -1175,6 +1175,8 @@ static void config_free(GAConfig *config)
>> >> >  #ifdef CONFIG_FSFREEZE
>> >> >  g_free(config->fsfreeze_hook);
>> >> >  #endif
>> >> > +g_list_foreach(config->blacklist, qemu_g_func_free, NULL);
>> >> > +g_list_free(config->blacklist);
>> >> 
>> >> Modern GLib code doesn't need silly wrappers:
>> >> 
>> >> g_list_free_full(config->blacklist, g_free);
>> >> 
>> >> Unfortunately, this requires 2.28, and we're still stuck at 2.22.
>> >> Please explain this in the commit message.
>> >> 
>> >> Even better, provide a replacement in glib-compat.h #if
>> >> !GLIB_CHECK_VERSION(2, 28, 0).  Will facilitate ditching the work-around
>> >> when we upgrade to 2.28.
>> >
>> > ok
>> >
>> >> 
>> >> >  g_free(config);
>> >> >  }
>> >> >  
>> >> > @@ -1310,11 +1312,6 @@ static int run_agent(GAState *s, GAConfig
>> >> > *config)
>> >> >  return EXIT_SUCCESS;
>> >> >  }
>> >> >  
>> >> > -static void free_blacklist_entry(gpointer entry, gpointer unused)
>> >> > -{
>> >> > -g_free(entry);
>> >> > -}
>> >> > -
>> >> >  int main(int argc, char **argv)
>> >> >  {
>> >> >  int ret = EXIT_SUCCESS;
>> >> > @@ -1379,7 +1376,6 @@ end:
>> >> >  if (s->channel) {
>> >> >  ga_channel_free(s->channel);
>> >> >  }
>> >> > -g_list_foreach(config->blacklist, free_blacklist_entry, NULL);
>> >> >  g_free(s->pstate_filepath);
>> >> >  g_free(s->state_filepath_isfrozen);
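Review bot: with the g_list_foreach() dropped from the end: label, the blacklist entries are now released only through config_free(); every exit path in main() that used to reach this code must also call config_free(), which this hunk cannot show, otherwise the patch relocates the leak instead of fixing it. Stating in the commit message that config_free() now owns config->blacklist would make that intent reviewable.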
>> >> 
>> >> If you at least explain why not g_list_free_full() in the commit
>> >> message, you can add
>> >> Reviewed-by: Markus Armbruster 
>> >> 
>> >> But I'd like to encourage you to explore providing a replacement for
>> >> g_list_free_full().
>> >
>> > Such replacement would make use of a (GFunc) cast, glib implementation is
>> > calling g_list_foreach (list, (GFunc) free_func, NULL), but Eric didn't
>> > want to have such cast in qemu code. He suggested to have the static
>> > inline helper in
>> > https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06561.html
>> 
>> Pointlessly dirty:
>> 
>> g_list_foreach(list, (GFunc)g_free, NULL)
>> 
>> Trade dirty for cumbersome:
>> 
>> void free_wrapper(gpointer data, gpointer unused)
>> {
>> g_free(data);
>> }
>> 
>> g_list_foreach(list, free_wrapper, NULL);
>> 
>> But this is C.  In C, simple things are best done the simple way.  Even
>> when that means we don't get to show off how amazingly well we've been
>> educated on higher order functions:
>> 
>> for (node = list; node; node = next) {
>> next = node->next;
>> g_free(node);
>> }
>> 
>> Simple, stupid, and not dirty.
>
> If only we were paid to write more lines of code ;) Anyway, that's fine by me 
> (it's work after all, I'll write elegant code for fun time ;)

Lisp is ---> that way.

At least the stupid loop is hidden away in glib-compat.h.  The actual
uses become neater, e.g.

g_list_free_full(config->blacklist, g_free);

instead of

g_list_foreach(config->blacklist, qemu_g_func_free, NULL);
g_list_free(config-

Re: [Qemu-devel] [PATCH for-2.7 v3 32/36] tests: add qtest_add_data_func_full

2016-08-05 Thread Markus Armbruster
Marc-André Lureau  writes:

> Hi
>
> - Original Message -
>> marcandre.lur...@redhat.com writes:
>> 
>> > From: Marc-André Lureau 
>> >
>> > Allows one to specify a destroy function for the test data.
>> >
>> > Signed-off-by: Marc-André Lureau 
>> > ---
>> >  tests/libqtest.c | 15 +++
>> >  tests/libqtest.h |  7 ++-
>> >  2 files changed, 21 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/tests/libqtest.c b/tests/libqtest.c
>> > index eb00f13..9e2d0cd 100644
>> > --- a/tests/libqtest.c
>> > +++ b/tests/libqtest.c
>> > @@ -758,6 +758,21 @@ void qtest_add_func(const char *str, void (*fn)(void))
>> >  g_free(path);
>> >  }
>> >  
>> > +void qtest_add_data_func_full(const char *str, void *data,
>> > +  void (*fn)(const void *),
>> > +  GDestroyNotify data_free_func)
>> > +{
>> > +gchar *path = g_strdup_printf("/%s/%s", qtest_get_arch(), str);
>> > +#if GLIB_CHECK_VERSION(2, 34, 0)
>> > +g_test_add_data_func_full(path, data, fn, data_free_func);
>> > +#else
>> > +/* back-compat casts, remove this once we can require new-enough glib
>> > */
>> > +g_test_add_vtable(path, 0, data, NULL,
>> > +  (GTestFixtureFunc) fn, (GTestFixtureFunc)
>> > data_free_func);
>> 
>> Umm, are these function casts kosher?
>> 
>> I can't find documentation for g_test_add_vtable().  Got a pointer for
>> me?  Sure GLib 2.22 provides it?
>
> Yes, https://git.gnome.org/browse/glib/tree/glib/gtestutils.h?h=2.22.0#n214
>
> See also: https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg00073.html
>
>
>> 
>> > +#endif
>> > +g_free(path);
>> > +}
>> > +
>> >  void qtest_add_data_func(const char *str, const void *data,
>> >   void (*fn)(const void *))
>> >  {
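Review bot: the #else branch casts fn (one parameter, `const void *`) and data_free_func (one parameter, `gpointer`) to GTestFixtureFunc, which takes two parameters (fixture, user_data); calling a function through a pointer of a different type is undefined behaviour in C even though it happens to work on the usual ABIs, and it defeats any control-flow-integrity scheme that checks function signatures. A cast-free alternative is to pass a small heap record {data, fn, data_free_func} as the test data and register two correctly typed adapter functions that unpack it, e.g. `static void run_data_test(gpointer fixture, gconstpointer user_data)`; the back-compat comment should then say why the vtable path is needed at all.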
>> > diff --git a/tests/libqtest.h b/tests/libqtest.h
>> > index 37f37ad..e4c9c39 100644
>> > --- a/tests/libqtest.h
>> > +++ b/tests/libqtest.h
>> > @@ -413,15 +413,20 @@ const char *qtest_get_arch(void);
>> >  void qtest_add_func(const char *str, void (*fn)(void));
>> >  
>> >  /**
>> > - * qtest_add_data_func:
>> > + * qtest_add_data_func_full:
>> >   * @str: Test case path.
>> >   * @data: Test case data
>> >   * @fn: Test case function
>> > + * @data_free_func: GDestroyNotify for data
>> >   *
>> >   * Add a GTester testcase with the given name, data and function.
>> >   * The path is prefixed with the architecture under test, as
>> >   * returned by qtest_get_arch().

Recommend to mention that @data is passed to @data_free_func() on test
completion.

>> >   */
>> > +void qtest_add_data_func_full(const char *str, void *data,
>> > +  void (*fn)(const void *),
>> > +  GDestroyNotify data_free_func);
>> > +
>> >  void qtest_add_data_func(const char *str, const void *data,
>> >   void (*fn)(const void *));
>> 
>> Please keep qtest_add_data_func() documented.
>
> Ok (I thought it was quite enough based on the _full description)

You could try something like

/**
 * qtest_add_data_func and qtest_add_data_func_full:
 * @str: Test case path.
 * @data: Test case data
 * @fn: Test case function
 * @data_free_func: GDestroyNotify for data
 *
 * Add a GTester testcase with the given name, data and function.
 * The path is prefixed with the architecture under test, as
 * returned by qtest_get_arch().
 */
void qtest_add_data_func_full(const char *str, void *data,
  void (*fn)(const void *),
  GDestroyNotify data_free_func);
void qtest_add_data_func(const char *str, const void *data,

GTK-Doc extraction wouldn't cope with it, but we're not using it[*].

Or something like

/**
 * qtest_add_data_func:
 * @str: Test case path.
 * @data: Test case data
 * @fn: Test case function
 * @data_free_func: GDestroyNotify for data
 *
 * Add a GTester testcase with the given name, data and function.
 * The path is prefixed with the architecture under test, as
 * returned by qtest_get_arch().
 */
void qtest_add_data_func_full(const char *str, void *data,
  void (*fn)(const void *),
  GDestroyNotify data_free_func);

/* Like qtest_add_data_func_full() with a null last argument */
void qtest_add_data_func(const char *str, const void *data,

Again, no GTK-Doc support, and again, I don't care.


[*] We only pay its price of admission: gratuitous waste of screen space
by repeating the obvious.
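The cast-free alternative to the `(GTestFixtureFunc) fn` casts questioned above, as an added example that is not code from the thread, QEMU or GLib. The gpointer/GTestFixtureFunc typedefs are constructed stand-ins so it builds without GLib, TestCase/run_test_case are a hypothetical model of g_test_add_vtable() that assumes a zero fixture size makes the fixture pointer equal to the test data (my reading of gtestutils.c, not something the thread states), and the sample test body and payload are made up.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the GLib types involved, so this builds
 * without GLib. GTestFixtureFunc is the two-argument shape that the
 * vtable test and teardown callbacks have. */
typedef void *gpointer;
typedef const void *gconstpointer;
typedef void (*GTestFixtureFunc)(gpointer fixture, gconstpointer user_data);
typedef void (*GDestroyNotify)(gpointer data);
typedef void (*DataTestFunc)(const void *data);

/* Hypothetical model of what a vtable registration records. */
typedef struct {
    gconstpointer test_data;
    GTestFixtureFunc test;
    GTestFixtureFunc teardown;
} TestCase;

/* Runs one case; assumption: with fixture_size == 0 the fixture pointer
 * is the test data itself, which the patch's fallback relies on. */
static void run_test_case(const TestCase *tc)
{
    gpointer fixture = (gpointer)tc->test_data;
    tc->test(fixture, tc->test_data);
    if (tc->teardown) {
        tc->teardown(fixture, tc->test_data);
    }
}

/* The patch's fallback casts one-argument fn/data_free_func to the
 * two-argument GTestFixtureFunc. Instead, carry them in a record and
 * register correctly typed trampolines: no function-pointer cast. */
typedef struct {
    void *data;
    DataTestFunc fn;
    GDestroyNotify data_free_func;   /* may be NULL */
} DataTestAdapter;

static void adapter_test(gpointer fixture, gconstpointer user_data)
{
    const DataTestAdapter *a = user_data;
    (void)fixture;
    a->fn(a->data);
}

static void adapter_teardown(gpointer fixture, gconstpointer user_data)
{
    DataTestAdapter *a = (DataTestAdapter *)user_data;  /* record is ours */
    (void)fixture;
    if (a->data_free_func) {
        a->data_free_func(a->data);
    }
    free(a);
}

/* Equivalent of qtest_add_data_func_full() on the back-compat path. */
static TestCase add_data_func_full(void *data, DataTestFunc fn,
                                   GDestroyNotify data_free_func)
{
    DataTestAdapter *a = malloc(sizeof(*a));
    if (!a) {
        abort();
    }
    a->data = data;
    a->fn = fn;
    a->data_free_func = data_free_func;
    return (TestCase){ a, adapter_test, adapter_teardown };
}

/* Constructed test body and destructor that only record what they saw. */
static int runs, frees;
static const void *seen;
static int payload = 42;

static void sample_test(const void *data)
{
    runs++;
    seen = data;
}

static void sample_free(gpointer data)
{
    (void)data;   /* payload is static; just count the call */
    frees++;
}

/* 1 if the body ran once with the right pointer and the destroy notify
 * fired exactly once. */
int demo_with_destroy(void)
{
    runs = frees = 0;
    seen = NULL;
    TestCase tc = add_data_func_full(&payload, sample_test, sample_free);
    run_test_case(&tc);
    return runs == 1 && frees == 1 && seen == &payload;
}

/* 1 if a NULL destroy notify is tolerated (the qtest_add_data_func() case). */
int demo_without_destroy(void)
{
    runs = frees = 0;
    seen = NULL;
    TestCase tc = add_data_func_full(&payload, sample_test, NULL);
    run_test_case(&tc);
    return runs == 1 && frees == 0 && seen == &payload;
}

int main(void)
{
    printf("with destroy: %d, without destroy: %d\n",
           demo_with_destroy(), demo_without_destroy());
    return 0;
}
```

The adapter record costs one small allocation per registered test and is freed in the teardown trampoline, so ownership is the same as in the patch, but every call goes through a pointer of the callee's real type.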



[Qemu-devel] [PATCH] macio: set res_count value to 0 after non-block ATAPI DMA transfers

2016-08-05 Thread Mark Cave-Ayland
res_count should be set to the number of outstanding bytes after a DBDMA
request. Unfortunately this wasn't being set to zero by the non-block
transfer codepath meaning drivers that checked the descriptor result for
such requests (e.g. reading the CDROM TOC) would assume from a non-zero result
that the transfer had failed.

Signed-off-by: Mark Cave-Ayland 
---
 hw/ide/macio.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/macio.c b/hw/ide/macio.c
index 5a326af..76f97c2 100644
--- a/hw/ide/macio.c
+++ b/hw/ide/macio.c
@@ -273,6 +273,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int 
ret)
 s->io_buffer_size = MIN(s->io_buffer_size, io->len);
 dma_memory_write(&address_space_memory, io->addr, s->io_buffer,
  s->io_buffer_size);
+io->len = 0;
 ide_atapi_cmd_ok(s);
 m->dma_active = false;
 goto done;
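Review bot: `io->len = 0` is unconditional, but the write just above is clamped to `MIN(s->io_buffer_size, io->len)`; if io->len can exceed io_buffer_size on this path, the outstanding byte count is `io->len - s->io_buffer_size`, not zero, and reporting zero would hide a short transfer. Either state in the commit message that the clamp cannot trigger for non-block transfers or subtract the bytes actually written; a short comment tying io->len to the DBDMA res_count field named in the commit message would also help the next reader.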
-- 
1.7.10.4




Re: [Qemu-devel] [PATCH v6 4/4] docs: Add Documentation for Mediated devices

2016-08-05 Thread Kirti Wankhede


On 8/4/2016 1:01 PM, Tian, Kevin wrote:
>> From: Kirti Wankhede [mailto:kwankh...@nvidia.com]
>> Sent: Thursday, August 04, 2016 3:04 AM
>>
>> +
>> +* mdev_supported_types: (read only)
>> +List the current supported mediated device types and its details.
>> +
>> +* mdev_create: (write only)
>> +Create a mediated device on target physical device.
>> +Input syntax: 
>> +where,
>> +UUID: mediated device's UUID
>> +idx: mediated device index inside a VM
> 
> Is the above description too specific to VM usage? A mediated device can
> be used by other user components too, e.g. a user space driver.
> Better to make the description general (you can list the above as one
> example).
>
Ok. I'll change it to VM or user space component.

> Also I think calling it idx is a bit limited, which means only numbers are
> possible. Is it more flexible to call it 'handle' and then any string
> can be used here?
> 

Index is an integer; it keeps track of the mediated device instance number
created for a user space component or VM.

>> +params: extra parameters required by driver
>> +Example:
>> +# echo "12345678-1234-1234-1234-123456789abc:0:0" >
>> + /sys/bus/pci/devices/\:05\:00.0/mdev_create
>> +
>> +* mdev_destroy: (write only)
>> +Destroy a mediated device on a target physical device.
>> +Input syntax: 
>> +where,
>> +UUID: mediated device's UUID
>> +idx: mediated device index inside a VM
>> +Example:
>> +# echo "12345678-1234-1234-1234-123456789abc:0" >
>> +   /sys/bus/pci/devices/\:05\:00.0/mdev_destroy
>> +
>> +Under mdev class sysfs /sys/class/mdev/:
>> +
>> +
>> +* mdev_start: (write only)
>> +This trigger the registration interface to notify the driver to
>> +commit mediated device resource for target VM.
>> +The mdev_start function is a synchronized call, successful return of
>> +this call will indicate all the requested mdev resource has been fully
>> +committed, the VMM should continue.
>> +Input syntax: 
>> +Example:
>> +# echo "12345678-1234-1234-1234-123456789abc" >
>> +/sys/class/mdev/mdev_start
>> +
>> +* mdev_stop: (write only)
>> +This trigger the registration interface to notify the driver to
>> +release resources of mediated device of target VM.
>> +Input syntax: 
>> +Example:
>> +# echo "12345678-1234-1234-1234-123456789abc" >
>> + /sys/class/mdev/mdev_stop
> 
> I think it's clearer to create a node per mdev under /sys/class/mdev,
> and then move start/stop as attributes under each mdev node, e.g:
> 
> echo "0/1" > /sys/class/mdev/12345678-1234-1234-1234-123456789abc/start
> 

To support multiple mdev devices in one VM or user space driver, the process
is to create or configure all mdev devices for that VM or user space
driver and then have a single 'start', which means all requested mdev
resources are committed.

> Doing this way is more extensible to add more capabilities under
> each mdev node, and different capability set may be implemented
> for them.
> 

You can add extra capabilities for each mdev device node using
'mdev_attr_groups' of 'struct parent_ops' from the vendor driver.


>> +
>> +Mediated device Hotplug:
>> +---
>> +
>> +To support mediated device hotplug,  and  can be
>> +accessed during VM runtime, and the corresponding registration callback is
>> +invoked to allow driver to support hotplug.
> 
> 'hotplug' is an action on the mdev user (e.g. the VM), not on the mdev itself.
> You can always create an mdev as long as the physical device has enough
> available resources to support the requested config. Destroying an mdev
> may fail if there is still a user on the target mdev.
>

The point here is: the user needs to pass a UUID to mdev_create, and the
device will be created even if the VM or user space driver is running.

Thanks,
Kirti

> Thanks
> Kevin
> 



Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread David Gibson
On Thu, Aug 04, 2016 at 10:41:16AM +0200, Laurent Vivier wrote:
> 
> On 04/08/2016 04:38, David Gibson wrote:
> > On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
> >> If we don't provide the page size in target-ppc:cpu_get_dump_info(),
> >> the default one (TARGET_PAGE_SIZE, 4KB) is used to create
> >> the compressed dump. It works fine with Macintosh, but not with
> >> pseries as the kernel default page size is 64KB.
> >>
> >> Without this patch, if we generate a compressed dump in the QEMU monitor:
> >>
> >> (qemu) dump-guest-memory -z qemu.dump
> >>
> >> This dump cannot be read by crash:
> >>
> >> # crash vmlinux qemu.dump
> >> ...
> >> WARNING: cannot translate vmemmap kernel virtual addresses:
> >>  commands requiring page structure contents will fail
> >> ...
> >>
> >> Signed-off-by: Laurent Vivier 
> >> ---
> >>  target-ppc/arch_dump.c | 5 +
> >>  1 file changed, 5 insertions(+)
> > 
> > Urgh.. so, really the page size used by the guest kernel is a
> > guest-side detail, and it's certainly possible to build a 4kiB page
> > guest kernel, although 64kiB is the norm.
> 
> virtio-balloon doesn't work with 4K kernel.

It doesn't?  Balloon has rather a lot of flaws, but I didn't think
that was one of them.

> > This might be the best we can do, but it'd be nice if we could probe
> > or otherwise avoid relying on this assumption about the guest kernel.
> 
> I agree with you but none of the other architectures probes for the page
> size.

Yeah :/

> For instance ARM: [I cc: Drew to know how he has chosen the values]
> 
> if (arm_feature(env, ARM_FEATURE_AARCH64)) {
> ...
> info->page_size = (1 << 16);
> ...
> } else {
> ...
> info->page_size = (1 << 12);
> ...
> }
> 
> In the kernel:
> 
> arch/arm64/include/asm/page.h:
> 
> #define PAGE_SHIFT   CONFIG_ARM64_PAGE_SHIFT
> 
> arch/arm64/Kconfig:
> 
> config ARM64_PAGE_SHIFT
> int
> default 16 if ARM64_64K_PAGES
> default 14 if ARM64_16K_PAGES
> default 12
> 
> choice
> prompt "Page size"
> default ARM64_4K_PAGES
> help
>   Page size (translation granule) configuration.
> 
> config ARM64_4K_PAGES
> bool "4KB"
> help
>   This feature enables 4KB pages support.
> 
> config ARM64_16K_PAGES
> bool "16KB"
> help
>   The system will use 16KB pages support. AArch32 emulation
>   requires applications compiled with 16K (or a multiple of 16K)
>   aligned segments.
> 
> config ARM64_64K_PAGES
> bool "64KB"
> help
>   This feature enables 64KB pages support (4KB by default)
>   allowing only two levels of page tables and faster TLB
>   look-up. AArch32 emulation requires applications compiled
>   with 64K aligned segments.
> 
> endchoice
> 
> I think we can't rely on the CPU state or the memory content as they can
> be corrupted.

I guess.  I don't know that we can really get what we want from there
anyway, at least not without even more assumptions about the guest
state than.

Hrm.  I guess I'm ok with the change, but I'd like the commit message
updated to recognize that this is a compromise just designed to work
with the most common guests.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson




Re: [Qemu-devel] [RFC PATCH V10 6/7] colo-compare: introduce packet comparison thread

2016-08-05 Thread Zhang Chen



On 08/02/2016 03:52 PM, Jason Wang wrote:



On 2016年07月26日 09:49, Zhang Chen wrote:

If primary packet is same with secondary packet,
we will send primary packet and drop secondary
packet, otherwise notify COLO frame to do checkpoint.
If primary packet comes and secondary packet not,


s/and/but/  and /packet not/packet does not/


I will fix it.




after REGULAR_PACKET_CHECK_MS milliseconds we set
the primary packet as old_packet,then do a checkpoint.

Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-base.c|   1 +
  net/colo-base.h|   3 +
  net/colo-compare.c | 212 
+

  trace-events   |   2 +
  4 files changed, 218 insertions(+)

diff --git a/net/colo-base.c b/net/colo-base.c
index 7e91dec..eb1b631 100644
--- a/net/colo-base.c
+++ b/net/colo-base.c
@@ -132,6 +132,7 @@ Packet *packet_new(const void *data, int size)
pkt->data = g_memdup(data, size);
  pkt->size = size;
+pkt->creation_ms = qemu_clock_get_ms(QEMU_CLOCK_HOST);
return pkt;
  }
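Review bot: creation_ms is taken from QEMU_CLOCK_HOST, the host wall clock, which can jump backwards or forwards under NTP or manual time changes; the age check `now - ppkt->creation_ms` in colo-compare.c would then time out packets spuriously or never. QEMU_CLOCK_REALTIME is the monotonic clock meant for timeouts; use it for both the stamp and the check, and say in the commit message which clock semantics the comparison relies on.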
diff --git a/net/colo-base.h b/net/colo-base.h
index 0505608..06d6dca 100644
--- a/net/colo-base.h
+++ b/net/colo-base.h
@@ -17,6 +17,7 @@
#include "slirp/slirp.h"
  #include "qemu/jhash.h"
+#include "qemu/timer.h"
#define HASHTABLE_MAX_SIZE 16384
  @@ -28,6 +29,8 @@ typedef struct Packet {
  };
  uint8_t *transport_layer;
  int size;
+/* Time of packet creation, in wall clock ms */
+int64_t creation_ms;
  } Packet;
typedef struct ConnectionKey {
diff --git a/net/colo-compare.c b/net/colo-compare.c
index 5f87710..e020edc 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -36,6 +36,8 @@
#define COMPARE_READ_LEN_MAX NET_BUFSIZE
  #define MAX_QUEUE_SIZE 1024
+/* TODO: Should be configurable */
+#define REGULAR_PACKET_CHECK_MS 3000
/*
+ CompareState ++
@@ -83,6 +85,10 @@ typedef struct CompareState {
  GQueue unprocessed_connections;
  /* proxy current hash size */
  uint32_t hashtable_size;
+/* compare thread, a thread for each NIC */
+QemuThread thread;
+/* Timer used on the primary to find packets that are never 
matched */

+QEMUTimer *timer;
  } CompareState;
typedef struct CompareClass {
@@ -170,6 +176,112 @@ static int packet_enqueue(CompareState *s, int 
mode)

  return 0;
  }
  +/*
+ * The IP packets sent by primary and secondary
+ * will be compared in here
+ * TODO support ip fragment, Out-Of-Order
+ * return:0  means packet same
+ *> 0 || < 0 means packet different
+ */
+static int colo_packet_compare(Packet *ppkt, Packet *spkt)
+{
+trace_colo_compare_ip_info(ppkt->size, inet_ntoa(ppkt->ip->ip_src),
+ inet_ntoa(ppkt->ip->ip_dst), spkt->size,
+ inet_ntoa(spkt->ip->ip_src),
+ inet_ntoa(spkt->ip->ip_dst));
+
+if (ppkt->size == spkt->size) {
+return memcmp(ppkt->data, spkt->data, spkt->size);
+} else {
+return -1;
+}
+}
+
+static int colo_packet_compare_all(Packet *spkt, Packet *ppkt)
+{
+trace_colo_compare_main("compare all");
+return colo_packet_compare(ppkt, spkt);
+}
+
+static void colo_old_packet_check_one(void *opaque_packet,
+  void *opaque_found)
+{
+int64_t now;
+bool *found_old = (bool *)opaque_found;
+Packet *ppkt = (Packet *)opaque_packet;
+
+if (*found_old) {
+/* Someone found an old packet earlier in the queue */
+return;
+}
+
+now = qemu_clock_get_ms(QEMU_CLOCK_HOST);
+if ((now - ppkt->creation_ms) > REGULAR_PACKET_CHECK_MS) {
+ trace_colo_old_packet_check_found(ppkt->creation_ms);
+*found_old = true;
+}
+}
+
+static void colo_old_packet_check_one_conn(void *opaque,
+   void *user_data)
+{


user_data is unused.


Yes,g_queue_foreach() need this.

void
(*GFunc) (gpointer data,
  gpointer user_data);





+bool found_old = false;
+Connection *conn = opaque;
+
+g_queue_foreach(&conn->primary_list, colo_old_packet_check_one,
+&found_old);


To avoid odd API for colo_old_packet_check_one, maybe you can try use 
use QTAILQ and QTAILQ_FOREACH() or g_queue_find_custom() for avoiding 
iterating each element?


I will consider it, but I think glib are more general.




+if (found_old) {
+/* do checkpoint will flush old packet */
+/* TODO: colo_notify_checkpoint();*/
+}
+}
+
+/*
+ * Look for old packets that the secondary hasn't matched,
+ * if we have some then we have to checkpoint to wake
+ * the secondary up.
+ */
+static void colo_old_packet_check(void *opaque)
+{
+CompareState *s = opaque;
+
+g_queue_foreach(&s->conn_list, colo_old_packet_check_one_conn, 
NULL);

+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare connection
+ */
+static void colo_compare_connection(void *opaque, void *user_data)
+{
+CompareState *s = user_data;
+Connection *co
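Review bot: colo_old_packet_check_one_conn() sets found_old but its only consumer is the `/* TODO: colo_notify_checkpoint();*/` placeholder, so an old, never-matched primary packet currently stays in conn->primary_list indefinitely and the queue can only grow; until the checkpoint hook lands, document that this path is inert and confirm MAX_QUEUE_SIZE is enforced at enqueue time so an unmatched flow cannot exhaust memory. Minor: colo_old_packet_check_one() calls qemu_clock_get_ms() once per queued packet; read the clock once in the caller and hand it down in a small struct alongside found_old.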

Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread Laurent Vivier


On 05/08/2016 09:49, David Gibson wrote:
> On Thu, Aug 04, 2016 at 10:41:16AM +0200, Laurent Vivier wrote:
>>
>> On 04/08/2016 04:38, David Gibson wrote:
>>> On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
 If we don't provide the page size in target-ppc:cpu_get_dump_info(),
 the default one (TARGET_PAGE_SIZE, 4KB) is used to create
 the compressed dump. It works fine with Macintosh, but not with
 pseries as the kernel default page size is 64KB.

 Without this patch, if we generate a compressed dump in the QEMU monitor:

 (qemu) dump-guest-memory -z qemu.dump

 This dump cannot be read by crash:

 # crash vmlinux qemu.dump
 ...
 WARNING: cannot translate vmemmap kernel virtual addresses:
  commands requiring page structure contents will fail
 ...

 Signed-off-by: Laurent Vivier 
 ---
  target-ppc/arch_dump.c | 5 +
  1 file changed, 5 insertions(+)
>>>
>>> Urgh.. so, really the page size used by the guest kernel is a
>>> guest-side detail, and it's certainly possible to build a 4kiB page
>>> guest kernel, although 64kiB is the norm.
>>
>> virtio-balloon doesn't work with 4K kernel.
> 
> It doesn't?  Balloon has rather a lot of flaws, but I didn't think
> that was one of them.
> 
>>> This might be the best we can do, but it'd be nice if we could probe
>>> or otherwise avoid relying on this assumption about the guest kernel.
>>
>> I agree with you but none of the other architectures probes for the page
>> size.
> 
> Yeah :/
> 
>> For instance ARM: [I cc: Drew to know how he has chosen the values]
>>
>> if (arm_feature(env, ARM_FEATURE_AARCH64)) {
>> ...
>> info->page_size = (1 << 16);
>> ...
>> } else {
>> ...
>> info->page_size = (1 << 12);
>> ...
>> }
>>
>> In the kernel:
>>
>> arch/arm64/include/asm/page.h:
>>
>> #define PAGE_SHIFT   CONFIG_ARM64_PAGE_SHIFT
>>
>> arch/arm64/Kconfig:
>>
>> config ARM64_PAGE_SHIFT
>> int
>> default 16 if ARM64_64K_PAGES
>> default 14 if ARM64_16K_PAGES
>> default 12
>>
>> choice
>> prompt "Page size"
>> default ARM64_4K_PAGES
>> help
>>   Page size (translation granule) configuration.
>>
>> config ARM64_4K_PAGES
>> bool "4KB"
>> help
>>   This feature enables 4KB pages support.
>>
>> config ARM64_16K_PAGES
>> bool "16KB"
>> help
>>   The system will use 16KB pages support. AArch32 emulation
>>   requires applications compiled with 16K (or a multiple of 16K)
>>   aligned segments.
>>
>> config ARM64_64K_PAGES
>> bool "64KB"
>> help
>>   This feature enables 64KB pages support (4KB by default)
>>   allowing only two levels of page tables and faster TLB
>>   look-up. AArch32 emulation requires applications compiled
>>   with 64K aligned segments.
>>
>> endchoice
>>
>> I think we can't rely on the CPU state or the memory content as they can
>> be corrupted.
> 
> I guess.  I don't know that we can really get what we want from there
> anyway, at least not without even more assumptions about the guest
> state than.
> 
> Hrm.  I guess I'm ok with the change, but I'd like the commit message
> updated to recognize that this is a compromise just designed to work
> with the most common guests.
> 

Could you update the message or should I send a new patch?

Thanks,
Laurent



Re: [Qemu-devel] [Help]: Does qemu-system-aarch64 support virtio-9p? I got a problem when remap host file to guest in AArch64.

2016-08-05 Thread Peter Maydell
On 5 August 2016 at 03:23, Kevin Zhao  wrote:
> Hi All,
>  I have a problem may about Qemu and kindly need your help. Does
> qemu-system-aarch64 support virtio-9p ?

virtio-9p isn't guest architecture specific so in theory it
should. However I've never tried it.

>  The Qemu version is QEMU emulator version 2.5.0 (Debian
> 1:2.5+dfsg-5ubuntu10.2). Besides test fedora24 guest, I have got the same
> problem in Debian jessie.

It may be worth trying a more recent QEMU, like the 2.7.0rc1
release candidate we just put out.

thanks
-- PMM



Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread Thomas Huth
On 05.08.2016 09:49, David Gibson wrote:
> On Thu, Aug 04, 2016 at 10:41:16AM +0200, Laurent Vivier wrote:
>>
>> On 04/08/2016 04:38, David Gibson wrote:
>>> On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
 If we don't provide the page size in target-ppc:cpu_get_dump_info(),
 the default one (TARGET_PAGE_SIZE, 4KB) is used to create
 the compressed dump. It works fine with Macintosh, but not with
 pseries as the kernel default page size is 64KB.

 Without this patch, if we generate a compressed dump in the QEMU monitor:

 (qemu) dump-guest-memory -z qemu.dump

 This dump cannot be read by crash:

 # crash vmlinux qemu.dump
 ...
 WARNING: cannot translate vmemmap kernel virtual addresses:
  commands requiring page structure contents will fail
 ...

 Signed-off-by: Laurent Vivier 
 ---
  target-ppc/arch_dump.c | 5 +
  1 file changed, 5 insertions(+)
>>>
>>> Urgh.. so, really the page size used by the guest kernel is a
>>> guest-side detail, and it's certainly possible to build a 4kiB page
>>> guest kernel, although 64kiB is the norm.
>>
>> virtio-balloon doesn't work with 4K kernel.
> 
> It doesn't?  Balloon has rather a lot of flaws, but I didn't think
> that was one of them.

It currently doesn't work when the guest uses 4k page size but the host
uses 64k page size. Do you remember this bug ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1323988 ?
... we just decided not to spend time on this because no distro is using
4k page size for the pseries platform anymore, and the virtio-balloon
code is currently under major reconstruction anyway.

 Thomas






[Qemu-devel] [PATCH for-2.7 v4 01/36] build-sys: fix building with make CFLAGS=.. argument

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

When calling make with a CFLAGS=.. argument, the -g/-O filter is not
applied, which may result in a build failure with ASAN, for example. It
could be solved with an 'override' directive on CFLAGS, but that would
actually prevent setting different CFLAGS manually.

Instead, filter the CFLAGS argument from the top-level Makefile (so
you could still call make with a different CFLAGS argument on a
rom/Makefile manually).

Signed-off-by: Marc-André Lureau 
Reviewed-by: Paolo Bonzini 
---
 Makefile   | 3 ++-
 pc-bios/optionrom/Makefile | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 0d7647f..50b4b3a 100644
--- a/Makefile
+++ b/Makefile
@@ -225,8 +225,9 @@ dtc/%:
 $(SUBDIR_RULES): libqemuutil.a libqemustub.a $(common-obj-y) $(qom-obj-y) 
$(crypto-aes-obj-$(CONFIG_USER_ONLY))
 
 ROMSUBDIR_RULES=$(patsubst %,romsubdir-%, $(ROMS))
+# Only keep -O and -g cflags
 romsubdir-%:
-   $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C pc-bios/$* V="$(V)" 
TARGET_DIR="$*/",)
+   $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C pc-bios/$* V="$(V)" 
TARGET_DIR="$*/" CFLAGS="$(filter -O% -g%,$(CFLAGS))",)
 
 ALL_SUBDIRS=$(TARGET_DIRS) $(patsubst %,pc-bios/%, $(ROMS))
 
diff --git a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
index 24e175e..6bab490 100644
--- a/pc-bios/optionrom/Makefile
+++ b/pc-bios/optionrom/Makefile
@@ -24,8 +24,6 @@ QEMU_CFLAGS += $(call cc-option, $(QEMU_CFLAGS), 
-no-integrated-as)
 QEMU_CFLAGS += -m32 -include $(SRC_PATH)/pc-bios/optionrom/code16gcc.h
 endif
 
-# Drop gcov and glib flags
-CFLAGS := $(filter -O% -g%, $(CFLAGS))
 QEMU_INCLUDES += -I$(SRC_PATH)
 
 Wa = -Wa,
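Review bot: the removed `# Drop gcov and glib flags` comment carried the rationale, while the replacement `# Only keep -O and -g cflags` in the top-level Makefile only restates what the filter does; keep the why (sanitizer, coverage or glib CFLAGS given on the make command line must not reach the 16-bit option ROM build) next to the filter. After this hunk a direct `make -C pc-bios/optionrom CFLAGS=...` no longer filters at all, which the commit message presents as intended but deserves a sentence in this file too.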
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 03/36] glib-compat: add g_(s)list_free_full()

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Those functions are only available since glib 2.28.

Signed-off-by: Marc-André Lureau 
---
 include/glib-compat.h | 24 
 1 file changed, 24 insertions(+)

diff --git a/include/glib-compat.h b/include/glib-compat.h
index 01aa7b3..ff7eae5 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -260,4 +260,28 @@ static inline void g_hash_table_add(GHashTable 
*hash_table, gpointer key)
 } while (0)
 #endif
 
+#if !GLIB_CHECK_VERSION(2, 28, 0)
+static inline void g_list_free_full(GList *list, GDestroyNotify free_func)
+{
+GList *l;
+
+for (l = list; l; l = l->next) {
+free_func(l->data);
+}
+
+g_list_free(list);
+}
+
+static inline void g_slist_free_full(GSList *list, GDestroyNotify free_func)
+{
+GSList *l;
+
+for (l = list; l; l = l->next) {
+free_func(l->data);
+}
+
+g_slist_free(list);
+}
+#endif
+
 #endif
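Review bot: the fallbacks mirror GLib's contract (free_func applied to every element, then the nodes released), but free_func is called unconditionally, so a NULL free_func is a call through a null pointer; either document that callers must pass a real destructor or guard the call. Also add a one-line comment above the `#if !GLIB_CHECK_VERSION(2, 28, 0)` saying the block is to be removed once the minimum GLib version reaches 2.28, so the work-around does not outlive its reason.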
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 00/36] Various memory leak fixes

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Hi,

Thanks to AddressSanitizer (ASAN), I found a number of direct leaks
worth fixing. Note that there are probably many indirect leaks left (I
am adding some here), I haven't investigated much yet.

There are still a number of direct leaks remaining, in particular in
the tests, but my libc doesn't give me good backtraces.

In order to easily switch to asan-enabled build, I make use of make
CFLAGS argument, which is why the first patch is also there.

v4:
- document qtest_add_data_func_full separately
- add g_(s)list_free_full in glib-compat
- simplify tcp_chr_close()
- move dma_buf_commit() down before the early return case
- dropped a qdist leak patch already applied

v3:
- add glib<2.34 fallback for g_test_add_data_func_full() using
  g_test_add_vtable() with an explicit comment
- add and use a tcp_chr_free_connection(), from tcp_chr_disconnect()
  (suggested by Paolo)
- remove bad comment from "free MuxDriver" patch (Eric)
- replace GFunc casts with a qemu_g_func_free() inline (suggested by Eric)
- replace CFLAGS override patch with a toplevel CFLAGS filter
  (suggested by Paolo)
- drop a patch already merged upstream
- update reviewed-by tags (28/36)

v2:
- split "pci-bus: do not allocate and leak bsel" as a separate patch,
  since the direct leak looks like a bug
- hook virtio_input_finalize to the abstract base class
- use mkdtemp in test-io-channel-command
- fix pc-cpu-test commit message
- move the sglist destruction inside of ncq_err, call dma_buf_commit
  in ide_dma_cb, as suggested by John Snow
- fix build with glib 2.22
- add the given reviewed-by tags (22/37, 15 left)

Marc-André Lureau (36):
  build-sys: fix building with make CFLAGS=.. argument
  tests: fix test-qga leaks
  glib-compat: add g_(s)list_free_full()
  qga: free the whole blacklist
  qga: free remaining leaking state
  tests: fix test-cutils leaks
  tests: fix test-vmstate leaks
  tests: fix test-iov leaks
  tests: fix check-qom-interface leaks
  tests: fix check-qom-proplist leaks
  tests: fix small leak in test-io-channel-command
  tests: fix leak in test-string-input-visitor
  portio: keep references on portio
  numa: do not leak NumaOptions
  pc: simplify passing qemu_irq
  pc: don't leak a20_line
  machine: use class base init generated name
  acpi-build: fix array leak
  char: free the tcp connection data when closing
  char: free MuxDriver when closing
  tests: fix qom-test leaks
  pc: free i8259
  pc: keep gsi reference
  ahci: free irqs array
  sd: free timer
  qjson: free str
  virtio-input: free config list
  ipmi: free extern timer
  usb: free USBDevice.strings
  usb: free leaking path
  bus: simplify name handling
  tests: add qtest_add_data_func_full
  tests: pc-cpu-test leaks fixes
  tests: fix rsp leak in postcopy-test
  ahci: fix sglist leak on retry
  tests: fix postcopy-test leaks

 Makefile  |  3 +-
 hw/audio/gus.c|  9 --
 hw/audio/sb16.c   |  4 ++-
 hw/block/fdc.c|  4 ++-
 hw/char/parallel.c|  3 +-
 hw/core/bus.c | 21 --
 hw/core/machine.c |  1 +
 hw/display/vga-isa.c  |  8 --
 hw/dma/i8257.c|  6 ++--
 hw/i386/acpi-build.c  |  4 +--
 hw/i386/pc.c  |  9 +++---
 hw/i386/pc_piix.c | 17 ++--
 hw/i386/pc_q35.c  | 15 +-
 hw/ide/ahci.c |  4 +--
 hw/ide/core.c |  7 +++--
 hw/input/pckbd.c  |  4 +--
 hw/input/virtio-input.c   | 11 
 hw/ipmi/ipmi_bmc_extern.c |  9 ++
 hw/isa/isa-bus.c  | 14 --
 hw/sd/sd.c|  9 ++
 hw/usb/bus.c  |  7 +
 hw/usb/desc.c |  1 +
 include/glib-compat.h | 24 
 include/hw/boards.h   |  2 +-
 include/hw/i386/pc.h  |  4 +--
 include/hw/ide/internal.h |  2 ++
 include/hw/isa/i8257.h|  2 ++
 include/hw/isa/isa.h  |  5 +++-
 include/hw/qdev-core.h|  2 +-
 migration/qjson.c |  1 +
 numa.c| 15 +-
 pc-bios/optionrom/Makefile|  2 --
 qemu-char.c   | 58 ++-
 qga/guest-agent-command-state.c   |  6 
 qga/guest-agent-core.h|  1 +
 qga/main.c| 13 +
 tests/check-qom-interface.c   |  1 +
 tests/check-qom-proplist.c| 16 +++
 tests/libqtest.c  | 15 ++
 tests/libqtest.h  | 17 
 tests/pc-cpu-test.c   | 24 
 tests/postcopy-test.c |  7 +++--
 tests/qom-test.c  |  5 ++--
 tests/test-cutils.c   | 24 ++--
 tests/test-io-channel-command.c   | 20 +

[Qemu-devel] [PATCH for-2.7 v4 02/36] tests: fix test-qga leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-qga.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/tests/test-qga.c b/tests/test-qga.c
index dac8fb8..21f44f8 100644
--- a/tests/test-qga.c
+++ b/tests/test-qga.c
@@ -398,6 +398,7 @@ static void test_qga_file_ops(gconstpointer fix)
 /* check content */
 path = g_build_filename(fixture->test_dir, "foo", NULL);
 f = fopen(path, "r");
+g_free(path);
 g_assert_nonnull(f);
 count = fread(tmp, 1, sizeof(tmp), f);
 g_assert_cmpint(count, ==, sizeof(helloworld));
@@ -700,7 +701,9 @@ static void test_qga_config(gconstpointer data)
 cwd = g_get_current_dir();
 cmd = g_strdup_printf("%s%cqemu-ga -D",
   cwd, G_DIR_SEPARATOR);
+g_free(cwd);
 g_shell_parse_argv(cmd, NULL, &argv, &error);
+g_free(cmd);
 g_assert_no_error(error);
 
 env[0] = g_strdup_printf("QGA_CONF=tests%cdata%ctest-qga-config",
@@ -708,6 +711,8 @@ static void test_qga_config(gconstpointer data)
 env[1] = NULL;
 g_spawn_sync(NULL, argv, env, 0,
  NULL, NULL, &out, &err, &status, &error);
+g_strfreev(argv);
+
 g_assert_no_error(error);
 g_assert_cmpstr(err, ==, "");
 g_assert_cmpint(status, ==, 0);
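Review bot: g_strfreev(argv) fixes the argv leak, but the same function also allocates env[0] with g_strdup_printf() (visible just above) and receives out and err from g_spawn_sync(); unless these are released further down, outside the hunk, they will be the next ASAN direct leaks reported for this test, so worth checking and freeing them alongside argv.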
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 04/36] qga: free the whole blacklist

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Free the config blacklist list, not just the elements. Do so in the
more appropriate function, config_free().

Signed-off-by: Marc-André Lureau 
---
 qga/main.c | 7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/qga/main.c b/qga/main.c
index 4c3b2c7..bb48214 100644
--- a/qga/main.c
+++ b/qga/main.c
@@ -1175,6 +1175,7 @@ static void config_free(GAConfig *config)
 #ifdef CONFIG_FSFREEZE
 g_free(config->fsfreeze_hook);
 #endif
+g_list_free_full(config->blacklist, g_free);
 g_free(config);
 }
 
@@ -1310,11 +1311,6 @@ static int run_agent(GAState *s, GAConfig *config)
 return EXIT_SUCCESS;
 }
 
-static void free_blacklist_entry(gpointer entry, gpointer unused)
-{
-g_free(entry);
-}
-
 int main(int argc, char **argv)
 {
 int ret = EXIT_SUCCESS;
@@ -1379,7 +1375,6 @@ end:
 if (s->channel) {
 ga_channel_free(s->channel);
 }
-g_list_foreach(config->blacklist, free_blacklist_entry, NULL);
 g_free(s->pstate_filepath);
 g_free(s->state_filepath_isfrozen);
 
-- 
2.9.0




Re: [Qemu-devel] [PATCH] error: error_setg_errno(): errno gets preserved

2016-08-05 Thread Markus Armbruster
Sascha Silbe  writes:

> Dear Eric,
>
> Eric Blake  writes:
>
>>> +++ b/include/qapi/error.h
>>> @@ -170,6 +170,9 @@ void error_setg_internal(Error **errp,
>>>   * Just like error_setg(), with @os_error info added to the message.
>>>   * If @os_error is non-zero, ": " + strerror(os_error) is appended to
>>>   * the human-readable error message.
>>> + *
>>> + * The value of errno (which usually can get clobbered by almost any
>>> + * function call) will be preserved.
>>>   */
>>>  #define error_setg_errno(errp, os_error, fmt, ...)  \
>>>  error_setg_errno_internal((errp), __FILE__, __LINE__, __func__, \
>>
>> Do we need/want to make the guarantee of preserving errno across any of
>> the other functions and macros declared in error.h?
>
> It would be more consistent to have all error reporting functions
> promise this, even if they do not get passed the errno. In some cases
> the errno might not matter to the user (so error_setg_errno() isn't
> used), but still be passed on to the caller to signal an error (so
> clobbering it could be problematic).
>
> Can prepare a follow-up patch that makes sure error_setg(),
> error_propagate(), error_setg_file_open(), error_set() preserve
> errno. Optionally also the other functions listed in
> include/qapi/error.h and include/qemu/error-report.h.

Suggest:

* A patch to document existing errno-preserving behavior.

* Patches to reduce inconsistency, if any.  E.g. say all but one
  error_setg() function preserve errno, make the exception preserve it,
  too.

* Optionally, patches to add more errno-preserving behavior you consider
  useful.  I can't promise such patches will be applied, only that they
  will be reviewed :)



[Qemu-devel] [PATCH for-2.7 v4 05/36] qga: free remaining leaking state

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Signed-off-by: Marc-André Lureau 
---
 qga/guest-agent-command-state.c | 6 ++
 qga/guest-agent-core.h  | 1 +
 qga/main.c  | 6 ++
 3 files changed, 13 insertions(+)

diff --git a/qga/guest-agent-command-state.c b/qga/guest-agent-command-state.c
index 4de229c..e609d32 100644
--- a/qga/guest-agent-command-state.c
+++ b/qga/guest-agent-command-state.c
@@ -71,3 +71,9 @@ GACommandState *ga_command_state_new(void)
 cs->groups = NULL;
 return cs;
 }
+
+void ga_command_state_free(GACommandState *cs)
+{
+g_slist_free_full(cs->groups, g_free);
+g_free(cs);
+}
diff --git a/qga/guest-agent-core.h b/qga/guest-agent-core.h
index 0a49516..63e9d39 100644
--- a/qga/guest-agent-core.h
+++ b/qga/guest-agent-core.h
@@ -28,6 +28,7 @@ void ga_command_state_add(GACommandState *cs,
 void ga_command_state_init_all(GACommandState *cs);
 void ga_command_state_cleanup_all(GACommandState *cs);
 GACommandState *ga_command_state_new(void);
+void ga_command_state_free(GACommandState *cs);
 bool ga_logging_enabled(GAState *s);
 void ga_disable_logging(GAState *s);
 void ga_enable_logging(GAState *s);
diff --git a/qga/main.c b/qga/main.c
index bb48214..0b9d04e 100644
--- a/qga/main.c
+++ b/qga/main.c
@@ -1371,6 +1371,8 @@ int main(int argc, char **argv)
 end:
 if (s->command_state) {
 ga_command_state_cleanup_all(s->command_state);
+ga_command_state_free(s->command_state);
+json_message_parser_destroy(&s->parser);
 }
 if (s->channel) {
 ga_channel_free(s->channel);
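Review bot: json_message_parser_destroy(&s->parser) is placed inside `if (s->command_state)`, tying the parser's cleanup to an unrelated field; if s->parser is initialised on a path where command_state stays NULL, the parser now leaks, so move the destroy outside that condition (or guard it on its own state). Also s->command_state is left dangling after ga_command_state_free(); setting it to NULL is cheap insurance, since s itself is freed only at the very end.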
@@ -1383,6 +1385,10 @@ end:
 }
 
 config_free(config);
+if (s->main_loop) {
+g_main_loop_unref(s->main_loop);
+}
+g_free(s);
 
 return ret;
 }
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 06/36] tests: fix test-cutils leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Spotted thanks to ASAN.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-cutils.c | 24 
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/tests/test-cutils.c b/tests/test-cutils.c
index 64e3e95..20b0f59 100644
--- a/tests/test-cutils.c
+++ b/tests/test-cutils.c
@@ -378,7 +378,7 @@ static void test_qemu_strtol_hex(void)
 
 static void test_qemu_strtol_max(void)
 {
-const char *str = g_strdup_printf("%ld", LONG_MAX);
+char *str = g_strdup_printf("%ld", LONG_MAX);
 char f = 'X';
 const char *endptr = &f;
 long res = 999;
@@ -389,6 +389,7 @@ static void test_qemu_strtol_max(void)
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, LONG_MAX);
 g_assert(endptr == str + strlen(str));
+g_free(str);
 }
 
 static void test_qemu_strtol_overflow(void)
@@ -497,7 +498,7 @@ static void test_qemu_strtol_full_trailing(void)
 
 static void test_qemu_strtol_full_max(void)
 {
-const char *str = g_strdup_printf("%ld", LONG_MAX);
+char *str = g_strdup_printf("%ld", LONG_MAX);
 long res;
 int err;
 
@@ -505,6 +506,7 @@ static void test_qemu_strtol_full_max(void)
 
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, LONG_MAX);
+g_free(str);
 }
 
 static void test_qemu_strtoul_correct(void)
@@ -662,7 +664,7 @@ static void test_qemu_strtoul_hex(void)
 
 static void test_qemu_strtoul_max(void)
 {
-const char *str = g_strdup_printf("%lu", ULONG_MAX);
+char *str = g_strdup_printf("%lu", ULONG_MAX);
 char f = 'X';
 const char *endptr = &f;
 unsigned long res = 999;
@@ -673,6 +675,7 @@ static void test_qemu_strtoul_max(void)
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, ULONG_MAX);
 g_assert(endptr == str + strlen(str));
+g_free(str);
 }
 
 static void test_qemu_strtoul_overflow(void)
@@ -776,7 +779,7 @@ static void test_qemu_strtoul_full_trailing(void)
 
 static void test_qemu_strtoul_full_max(void)
 {
-const char *str = g_strdup_printf("%lu", ULONG_MAX);
+char *str = g_strdup_printf("%lu", ULONG_MAX);
 unsigned long res = 999;
 int err;
 
@@ -784,6 +787,7 @@ static void test_qemu_strtoul_full_max(void)
 
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, ULONG_MAX);
+g_free(str);
 }
 
 static void test_qemu_strtoll_correct(void)
@@ -941,7 +945,7 @@ static void test_qemu_strtoll_hex(void)
 
 static void test_qemu_strtoll_max(void)
 {
-const char *str = g_strdup_printf("%lld", LLONG_MAX);
+char *str = g_strdup_printf("%lld", LLONG_MAX);
 char f = 'X';
 const char *endptr = &f;
 int64_t res = 999;
@@ -952,6 +956,7 @@ static void test_qemu_strtoll_max(void)
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, LLONG_MAX);
 g_assert(endptr == str + strlen(str));
+g_free(str);
 }
 
 static void test_qemu_strtoll_overflow(void)
@@ -1058,7 +1063,7 @@ static void test_qemu_strtoll_full_trailing(void)
 static void test_qemu_strtoll_full_max(void)
 {
 
-const char *str = g_strdup_printf("%lld", LLONG_MAX);
+char *str = g_strdup_printf("%lld", LLONG_MAX);
 int64_t res;
 int err;
 
@@ -1066,6 +1071,7 @@ static void test_qemu_strtoll_full_max(void)
 
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, LLONG_MAX);
+g_free(str);
 }
 
 static void test_qemu_strtoull_correct(void)
@@ -1223,7 +1229,7 @@ static void test_qemu_strtoull_hex(void)
 
 static void test_qemu_strtoull_max(void)
 {
-const char *str = g_strdup_printf("%llu", ULLONG_MAX);
+char *str = g_strdup_printf("%llu", ULLONG_MAX);
 char f = 'X';
 const char *endptr = &f;
 uint64_t res = 999;
@@ -1234,6 +1240,7 @@ static void test_qemu_strtoull_max(void)
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, ULLONG_MAX);
 g_assert(endptr == str + strlen(str));
+g_free(str);
 }
 
 static void test_qemu_strtoull_overflow(void)
@@ -1339,7 +1346,7 @@ static void test_qemu_strtoull_full_trailing(void)
 
 static void test_qemu_strtoull_full_max(void)
 {
-const char *str = g_strdup_printf("%lld", ULLONG_MAX);
+char *str = g_strdup_printf("%lld", ULLONG_MAX);
 uint64_t res = 999;
 int err;
 
@@ -1347,6 +1354,7 @@ static void test_qemu_strtoull_full_max(void)
 
 g_assert_cmpint(err, ==, 0);
 g_assert_cmpint(res, ==, ULLONG_MAX);
+g_free(str);
 }
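Review bot: while this hunk touches the `str` line in test_qemu_strtoull_full_max(), the format `"%lld"` does not match the unsigned ULLONG_MAX argument (the unsigned tests elsewhere in this file use `"%llu"`, cf. test_qemu_strtoull_max() above); in practice the string produced is "-1", which qemu_strtoull() happens to wrap to ULLONG_MAX, so the assertion passes by accident rather than by testing the intended input. Change the format to `"%llu"` here or in a follow-up.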
 
 static void test_qemu_strtosz_simple(void)
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 07/36] tests: fix test-vmstate leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Spotted thanks to ASAN.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-vmstate.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/test-vmstate.c b/tests/test-vmstate.c
index 41fd841..d8da26f 100644
--- a/tests/test-vmstate.c
+++ b/tests/test-vmstate.c
@@ -50,16 +50,20 @@ static QEMUFile *open_test_file(bool write)
 {
 int fd = dup(temp_fd);
 QIOChannel *ioc;
+QEMUFile *f;
+
 lseek(fd, 0, SEEK_SET);
 if (write) {
 g_assert_cmpint(ftruncate(fd, 0), ==, 0);
 }
 ioc = QIO_CHANNEL(qio_channel_file_new_fd(fd));
 if (write) {
-return qemu_fopen_channel_output(ioc);
+f = qemu_fopen_channel_output(ioc);
 } else {
-return qemu_fopen_channel_input(ioc);
+f = qemu_fopen_channel_input(ioc);
 }
+object_unref(OBJECT(ioc));
+return f;
 }
 
 #define SUCCESS(val) \
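Review bot: the correctness of `object_unref(OBJECT(ioc))` after qemu_fopen_channel_output()/qemu_fopen_channel_input() depends on those constructors taking their own reference on the channel; since nothing in the hunk shows that, a short comment at the unref (QEMUFile holds its own ref) or a sentence in the commit message would make the ownership transfer explicit for the reader.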
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 11/36] tests: fix small leak in test-io-channel-command

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

srcfifo and dstfifo must be freed in the error case; however, unlink() may
delete a file from a different context. Instead, use mkdtemp()/rmdir()
for the temporary files.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-io-channel-command.c | 20 +---
 tests/test-qga.c|  3 ++-
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/tests/test-io-channel-command.c b/tests/test-io-channel-command.c
index 1d1f461..f99118e 100644
--- a/tests/test-io-channel-command.c
+++ b/tests/test-io-channel-command.c
@@ -18,6 +18,7 @@
  *
  */
 
+#include 
 #include "qemu/osdep.h"
 #include "io/channel-command.h"
 #include "io-channel-helpers.h"
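Review bot: the new include is inserted above "qemu/osdep.h", but QEMU requires osdep.h to be the first include of every .c file (it sets up the feature macros the system headers depend on); move the new include below it, and check whether osdep.h already provides what it declares, in which case the line can go entirely.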
@@ -26,11 +27,14 @@
 #ifndef WIN32
 static void test_io_channel_command_fifo(bool async)
 {
-#define TEST_FIFO "tests/test-io-channel-command.fifo"
 QIOChannel *src, *dst;
 QIOChannelTest *test;
-char *srcfifo = g_strdup_printf("PIPE:%s,wronly", TEST_FIFO);
-char *dstfifo = g_strdup_printf("PIPE:%s,rdonly", TEST_FIFO);
+char *tmpdir = g_strdup("/tmp/test-io-channel.XX");
+g_assert_nonnull(mkdtemp(tmpdir));
+
+char *fifo = g_strdup_printf("%s/command.fifo", tmpdir);
+char *srcfifo = g_strdup_printf("PIPE:%s,wronly", fifo);
+char *dstfifo = g_strdup_printf("PIPE:%s,rdonly", fifo);
 const char *srcargv[] = {
 "/bin/socat", "-", srcfifo, NULL,
 };
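Review bot: `g_assert_nonnull(mkdtemp(tmpdir));` is a statement placed between declarations (`char *fifo` follows it), which QEMU's coding style avoids; move the mkdtemp() call below the declarations, and keep the call outside the assertion macro so the directory is still created if assertions are compiled out (the test-qga hunk of this same patch already does it that way). Also consider g_get_tmp_dir() instead of a hard-coded /tmp, and double-check that the template ends in the six `X` characters mkdtemp(3) requires, since as rendered here it looks truncated.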
@@ -38,11 +42,10 @@ static void test_io_channel_command_fifo(bool async)
 "/bin/socat", dstfifo, "-", NULL,
 };
 
-unlink(TEST_FIFO);
 if (access("/bin/socat", X_OK) < 0) {
-return; /* Pretend success if socat is not present */
+goto end; /* Pretend success if socat is not present */
 }
-if (mkfifo(TEST_FIFO, 0600) < 0) {
+if (mkfifo(fifo, 0600) < 0) {
 abort();
 }
 src = QIO_CHANNEL(qio_channel_command_new_spawn(srcargv,
@@ -59,9 +62,12 @@ static void test_io_channel_command_fifo(bool async)
 object_unref(OBJECT(src));
 object_unref(OBJECT(dst));
 
+end:
+g_free(fifo);
 g_free(srcfifo);
 g_free(dstfifo);
-unlink(TEST_FIFO);
+g_rmdir(tmpdir);
+g_free(tmpdir);
 }
 
 
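Review bot: the fifo created with mkfifo(fifo, 0600) is never unlinked before g_rmdir(tmpdir): the old code removed TEST_FIFO with unlink(), the new code only frees the string, so rmdir fails with ENOTEMPTY on the success path and the directory plus fifo are left behind in /tmp; add `unlink(fifo);` before `g_rmdir(tmpdir);`, and note that the return value of g_rmdir() is ignored, which is what hides the failure.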
diff --git a/tests/test-qga.c b/tests/test-qga.c
index 21f44f8..0d1acef 100644
--- a/tests/test-qga.c
+++ b/tests/test-qga.c
@@ -55,7 +55,8 @@ fixture_setup(TestFixture *fixture, gconstpointer data)
 fixture->loop = g_main_loop_new(NULL, FALSE);
 
 fixture->test_dir = g_strdup("/tmp/qgatest.XX");
-g_assert_nonnull(mkdtemp(fixture->test_dir));
+path = mkdtemp(fixture->test_dir);
+g_assert_nonnull(path);
 
 path = g_build_filename(fixture->test_dir, "sock", NULL);
 cwd = g_get_current_dir();
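Review bot: this test-qga change is not mentioned in the commit message, which talks only about test-io-channel-command; a sentence explaining why mkdtemp() is split from g_assert_nonnull() (the call must not live inside an assertion that can be compiled out) would help, and the same pattern should then be applied to the new test-io-channel-command.c code above, which still does `g_assert_nonnull(mkdtemp(tmpdir))`.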
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 08/36] tests: fix test-iov leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Spotted thanks to ASAN.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-iov.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/tests/test-iov.c b/tests/test-iov.c
index 46ae25e..a22d71f 100644
--- a/tests/test-iov.c
+++ b/tests/test-iov.c
@@ -208,6 +208,9 @@ static void test_io(void)
} while(k < j);
}
}
+   iov_free(iov, niov);
+   g_free(buf);
+   g_free(siov);
exit(0);
 
 } else {
@@ -246,6 +249,10 @@ static void test_io(void)
test_iov_bytes(iov, niov, i, j - i);
}
 }
+
+   iov_free(iov, niov);
+   g_free(buf);
+   g_free(siov);
  }
 #endif
 }
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 18/36] acpi-build: fix array leak

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

The free_ranges array is used as a temporary pointer array; the segment
should still be freed, but it shouldn't free the elements themselves.

Signed-off-by: Marc-André Lureau 
Tested-by: Marcel Apfelbaum 
Reviewed-by: Marcel Apfelbaum 
---
 hw/i386/acpi-build.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a26a4bb..433feba 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -789,7 +789,7 @@ static gint crs_range_compare(gconstpointer a, 
gconstpointer b)
 static void crs_replace_with_free_ranges(GPtrArray *ranges,
  uint64_t start, uint64_t end)
 {
-GPtrArray *free_ranges = g_ptr_array_new_with_free_func(crs_range_free);
+GPtrArray *free_ranges = g_ptr_array_new();
 uint64_t free_base = start;
 int i;
 
@@ -813,7 +813,7 @@ static void crs_replace_with_free_ranges(GPtrArray *ranges,
 g_ptr_array_add(ranges, g_ptr_array_index(free_ranges, i));
 }
 
-g_ptr_array_free(free_ranges, false);
+g_ptr_array_free(free_ranges, true);
 }
 
 /*
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 09/36] tests: fix check-qom-interface leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Found thanks to ASAN.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/check-qom-interface.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/check-qom-interface.c b/tests/check-qom-interface.c
index 719ddcf..f87c9aa 100644
--- a/tests/check-qom-interface.c
+++ b/tests/check-qom-interface.c
@@ -76,6 +76,7 @@ static void test_interface_impl(const char *type)
 
 g_assert(iobj);
 g_assert(ioc->test == PATTERN);
+object_unref(obj);
 }
 
 static void interface_direct_test(void)
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 14/36] numa: do not leak NumaOptions

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

In all cases, call qapi_free_NumaOptions(), by using a common ending
block.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 numa.c | 15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/numa.c b/numa.c
index 7286171..6289f46 100644
--- a/numa.c
+++ b/numa.c
@@ -223,14 +223,14 @@ static int parse_numa(void *opaque, QemuOpts *opts, Error 
**errp)
 }
 
 if (err) {
-goto error;
+goto end;
 }
 
 switch (object->type) {
 case NUMA_OPTIONS_KIND_NODE:
 numa_node_parse(object->u.node.data, opts, &err);
 if (err) {
-goto error;
+goto end;
 }
 nb_numa_nodes++;
 break;
@@ -238,13 +238,14 @@ static int parse_numa(void *opaque, QemuOpts *opts, Error 
**errp)
 abort();
 }
 
-return 0;
-
-error:
-error_report_err(err);
+end:
 qapi_free_NumaOptions(object);
+if (err) {
+error_report_err(err);
+return -1;
+}
 
-return -1;
+return 0;
 }
 
 static char *enumerate_cpus(unsigned long *cpus, int max_cpus)
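Review bot: `end:` now runs qapi_free_NumaOptions(object) on every path, including the first `goto end` taken before the switch; that is only safe if `object` is already initialised (NULL or a fully allocated struct) at that point, so double-check its declaration and the visit that fills it, since qapi_free_*() accepts NULL but not an indeterminate pointer.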
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 19/36] char: free the tcp connection data when closing

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Make sure the connection data gets freed when closing the chardev, to
avoid leaks. Introduce tcp_chr_free_connection() to clean all connection
related data, and move some tcp_chr_close() clean-ups there.

(While at it, set write_msgfds_num to 0 when clearing the array in
tcp_set_msgfds().)

Signed-off-by: Marc-André Lureau 
---
 qemu-char.c | 50 +++---
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index a50b8fb..f20d385 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2763,6 +2763,7 @@ static int tcp_set_msgfds(CharDriverState *chr, int *fds, 
int num)
 /* clear old pending fd array */
 g_free(s->write_msgfds);
 s->write_msgfds = NULL;
+s->write_msgfds_num = 0;
 
 if (!s->connected ||
 !qio_channel_has_feature(s->ioc,
@@ -2843,19 +2844,24 @@ static GSource *tcp_chr_add_watch(CharDriverState *chr, 
GIOCondition cond)
 return qio_channel_create_watch(s->ioc, cond);
 }
 
-static void tcp_chr_disconnect(CharDriverState *chr)
+static void tcp_chr_free_connection(CharDriverState *chr)
 {
 TCPCharDriver *s = chr->opaque;
+int i;
 
 if (!s->connected) {
 return;
 }
 
-s->connected = 0;
-if (s->listen_ioc) {
-s->listen_tag = qio_channel_add_watch(
-QIO_CHANNEL(s->listen_ioc), G_IO_IN, tcp_chr_accept, chr, NULL);
+if (s->read_msgfds_num) {
+for (i = 0; i < s->read_msgfds_num; i++) {
+close(s->read_msgfds[i]);
+}
+g_free(s->read_msgfds);
+s->read_msgfds = NULL;
+s->read_msgfds_num = 0;
 }
+
 tcp_set_msgfds(chr, NULL, 0);
 remove_fd_in_watch(chr);
 object_unref(OBJECT(s->sioc));
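Review bot: in tcp_chr_free_connection() the order matters and deserves a comment: tcp_set_msgfds() (first hunk) still consults s->connected, so `s->connected = 0` was deliberately moved from the top of the old tcp_chr_disconnect() to the end of the new function; without a comment a future cleanup could reorder it and silently skip the write_msgfds release. The early `if (!s->connected) return;` also means a channel that is not yet marked connected is never torn down here (see the tcp_chr_close() hunk below).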
@@ -2863,6 +2869,24 @@ static void tcp_chr_disconnect(CharDriverState *chr)
 object_unref(OBJECT(s->ioc));
 s->ioc = NULL;
 g_free(chr->filename);
+chr->filename = NULL;
+s->connected = 0;
+}
+
+static void tcp_chr_disconnect(CharDriverState *chr)
+{
+TCPCharDriver *s = chr->opaque;
+
+if (!s->connected) {
+return;
+}
+
+tcp_chr_free_connection(chr);
+
+if (s->listen_ioc) {
+s->listen_tag = qio_channel_add_watch(
+QIO_CHANNEL(s->listen_ioc), G_IO_IN, tcp_chr_accept, chr, NULL);
+}
 chr->filename = SocketAddress_to_str("disconnected:", s->addr,
  s->is_listen, s->is_telnet);
 qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
@@ -3177,17 +3201,14 @@ int qemu_chr_wait_connected(CharDriverState *chr, Error 
**errp)
 static void tcp_chr_close(CharDriverState *chr)
 {
 TCPCharDriver *s = chr->opaque;
-int i;
+
+tcp_chr_free_connection(chr);
 
 if (s->reconnect_timer) {
 g_source_remove(s->reconnect_timer);
 s->reconnect_timer = 0;
 }
 qapi_free_SocketAddress(s->addr);
-remove_fd_in_watch(chr);
-if (s->ioc) {
-object_unref(OBJECT(s->ioc));
-}
 if (s->listen_tag) {
 g_source_remove(s->listen_tag);
 s->listen_tag = 0;
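Review bot: tcp_chr_close() previously ran remove_fd_in_watch() and unref'd s->ioc unconditionally; it now delegates to tcp_chr_free_connection(), which returns early when !s->connected. If there is any state in which s->ioc/s->sioc are set while s->connected is still 0 (for instance while a TLS handshake or telnet negotiation is in progress), closing the chardev in that window now leaks the channel and its watch; either confirm no such state exists or key the free path off `s->ioc != NULL` rather than s->connected.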
@@ -3195,18 +3216,9 @@ static void tcp_chr_close(CharDriverState *chr)
 if (s->listen_ioc) {
 object_unref(OBJECT(s->listen_ioc));
 }
-if (s->read_msgfds_num) {
-for (i = 0; i < s->read_msgfds_num; i++) {
-close(s->read_msgfds[i]);
-}
-g_free(s->read_msgfds);
-}
 if (s->tls_creds) {
 object_unref(OBJECT(s->tls_creds));
 }
-if (s->write_msgfds_num) {
-g_free(s->write_msgfds);
-}
 g_free(s);
 qemu_chr_be_event(chr, CHR_EVENT_CLOSED);
 }
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 10/36] tests: fix check-qom-proplist leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Found thanks to ASAN.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/check-qom-proplist.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/tests/check-qom-proplist.c b/tests/check-qom-proplist.c
index 42defe7..a16cefc 100644
--- a/tests/check-qom-proplist.c
+++ b/tests/check-qom-proplist.c
@@ -230,6 +230,13 @@ struct DummyBackendClass {
 };
 
 
+static void dummy_dev_finalize(Object *obj)
+{
+DummyDev *dev = DUMMY_DEV(obj);
+
+object_unref(OBJECT(dev->bus));
+}
+
 static void dummy_dev_init(Object *obj)
 {
 DummyDev *dev = DUMMY_DEV(obj);
@@ -257,6 +264,13 @@ static void dummy_dev_class_init(ObjectClass *klass, void 
*opaque)
 }
 
 
+static void dummy_bus_finalize(Object *obj)
+{
+DummyBus *bus = DUMMY_BUS(obj);
+
+object_unref(OBJECT(bus->backend));
+}
+
 static void dummy_bus_init(Object *obj)
 {
 }
@@ -283,6 +297,7 @@ static const TypeInfo dummy_dev_info = {
 .parent= TYPE_OBJECT,
 .instance_size = sizeof(DummyDev),
 .instance_init = dummy_dev_init,
+.instance_finalize = dummy_dev_finalize,
 .class_size = sizeof(DummyDevClass),
 .class_init = dummy_dev_class_init,
 };
@@ -292,6 +307,7 @@ static const TypeInfo dummy_bus_info = {
 .parent= TYPE_OBJECT,
 .instance_size = sizeof(DummyBus),
 .instance_init = dummy_bus_init,
+.instance_finalize = dummy_bus_finalize,
 .class_size = sizeof(DummyBusClass),
 .class_init = dummy_bus_class_init,
 };
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 13/36] portio: keep references on portio

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

The isa_register_portio_list() function allocates ioports
data/state. Let's keep the reference to this data on some owner.  This
isn't enough to fix leaks, but at least, ASAN stops complaining of
direct leaks. Further cleanup would require calling
portio_list_del/destroy().

Signed-off-by: Marc-André Lureau 
Reviewed-by: Paolo Bonzini 
---
 hw/audio/gus.c|  9 ++---
 hw/audio/sb16.c   |  4 +++-
 hw/block/fdc.c|  4 +++-
 hw/char/parallel.c|  3 ++-
 hw/display/vga-isa.c  |  8 ++--
 hw/dma/i8257.c|  6 --
 hw/ide/core.c |  6 --
 hw/isa/isa-bus.c  | 14 +-
 include/hw/ide/internal.h |  2 ++
 include/hw/isa/i8257.h|  2 ++
 include/hw/isa/isa.h  |  5 -
 11 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/hw/audio/gus.c b/hw/audio/gus.c
index 6c02646..3d08a65 100644
--- a/hw/audio/gus.c
+++ b/hw/audio/gus.c
@@ -60,6 +60,8 @@ typedef struct GUSState {
 int64_t last_ticks;
 qemu_irq pic;
 IsaDma *isa_dma;
+PortioList portio_list1;
+PortioList portio_list2;
 } GUSState;
 
 static uint32_t gus_readb(void *opaque, uint32_t nport)
@@ -265,9 +267,10 @@ static void gus_realizefn (DeviceState *dev, Error **errp)
 s->samples = AUD_get_buffer_size_out (s->voice) >> s->shift;
 s->mixbuf = g_malloc0 (s->samples << s->shift);
 
-isa_register_portio_list (d, s->port, gus_portio_list1, s, "gus");
-isa_register_portio_list (d, (s->port + 0x100) & 0xf00,
-  gus_portio_list2, s, "gus");
+isa_register_portio_list(d, &s->portio_list1, s->port,
+ gus_portio_list1, s, "gus");
+isa_register_portio_list(d, &s->portio_list2, (s->port + 0x100) & 0xf00,
+ gus_portio_list2, s, "gus");
 
 s->isa_dma = isa_get_dma(isa_bus_from_device(d), s->emu.gusdma);
 k = ISADMA_GET_CLASS(s->isa_dma);
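Review bot: embedding the PortioList in GUSState ties its lifetime to the device, which is what gives ASAN an owner to see, but as the commit message says nothing calls portio_list_del()/portio_list_destroy() yet; a TODO next to the two new fields (and in the other devices touched by this patch) would record that the unrealize side is still missing rather than leaving it to be rediscovered.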
diff --git a/hw/audio/sb16.c b/hw/audio/sb16.c
index 3a4a57a..6b4427f 100644
--- a/hw/audio/sb16.c
+++ b/hw/audio/sb16.c
@@ -106,6 +106,7 @@ typedef struct SB16State {
 /* mixer state */
 int mixer_nreg;
 uint8_t mixer_regs[256];
+PortioList portio_list;
 } SB16State;
 
 static void SB_audio_callback (void *opaque, int free);
@@ -1378,7 +1379,8 @@ static void sb16_realizefn (DeviceState *dev, Error 
**errp)
 dolog ("warning: Could not create auxiliary timer\n");
 }
 
-isa_register_portio_list (isadev, s->port, sb16_ioport_list, s, "sb16");
+isa_register_portio_list(isadev, &s->portio_list, s->port,
+ sb16_ioport_list, s, "sb16");
 
 s->isa_hdma = isa_get_dma(isa_bus_from_device(isadev), s->hdma);
 k = ISADMA_GET_CLASS(s->isa_hdma);
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index f73af7d..b79873a 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -692,6 +692,7 @@ struct FDCtrl {
 /* Timers state */
 uint8_t timer0;
 uint8_t timer1;
+PortioList portio_list;
 };
 
 static FloppyDriveType get_fallback_drive_type(FDrive *drv)
@@ -2495,7 +2496,8 @@ static void isabus_fdc_realize(DeviceState *dev, Error 
**errp)
 FDCtrl *fdctrl = &isa->state;
 Error *err = NULL;
 
-isa_register_portio_list(isadev, isa->iobase, fdc_portio_list, fdctrl,
+isa_register_portio_list(isadev, &fdctrl->portio_list,
+ isa->iobase, fdc_portio_list, fdctrl,
  "fdc");
 
 isa_init_irq(isadev, &fdctrl->irq, isa->irq);
diff --git a/hw/char/parallel.c b/hw/char/parallel.c
index 11c78fe..fa08566 100644
--- a/hw/char/parallel.c
+++ b/hw/char/parallel.c
@@ -80,6 +80,7 @@ typedef struct ParallelState {
 uint32_t last_read_offset; /* For debugging */
 /* Memory-mapped interface */
 int it_shift;
+PortioList portio_list;
 } ParallelState;
 
 #define TYPE_ISA_PARALLEL "isa-parallel"
@@ -532,7 +533,7 @@ static void parallel_isa_realizefn(DeviceState *dev, Error 
**errp)
 s->status = dummy;
 }
 
-isa_register_portio_list(isadev, base,
+isa_register_portio_list(isadev, &s->portio_list, base,
  (s->hw_driver
   ? &isa_parallel_portio_hw_list[0]
   : &isa_parallel_portio_sw_list[0]),
diff --git a/hw/display/vga-isa.c b/hw/display/vga-isa.c
index f5aff1c..1af9556 100644
--- a/hw/display/vga-isa.c
+++ b/hw/display/vga-isa.c
@@ -39,6 +39,8 @@ typedef struct ISAVGAState {
 ISADevice parent_obj;
 
 struct VGACommonState state;
+PortioList portio_vga;
+PortioList portio_vbe;
 } ISAVGAState;
 
 static void vga_isa_reset(DeviceState *dev)
@@ -60,9 +62,11 @@ static void vga_isa_realizefn(DeviceState *dev, Error **errp)
 vga_common_init(s, OBJECT(dev), true);
 s->legacy_address_space = isa_address_space(isadev);
 vga_io_memory = vga_init_io(s, OBJECT(dev), &vga_ports, &vbe_ports);
-isa_register_portio_list(isadev, 0x3b0, vga

[Qemu-devel] [PATCH for-2.7 v4 20/36] char: free MuxDriver when closing

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Similarly to other chr_close callbacks, free char type specific data.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 qemu-char.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/qemu-char.c b/qemu-char.c
index f20d385..539dd70 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -786,6 +786,13 @@ static GSource *mux_chr_add_watch(CharDriverState *s, 
GIOCondition cond)
 return d->drv->chr_add_watch(d->drv, cond);
 }
 
+static void mux_chr_close(struct CharDriverState *chr)
+{
+MuxDriver *d = chr->opaque;
+
+g_free(d);
+}
+
 static CharDriverState *qemu_chr_open_mux(const char *id,
   ChardevBackend *backend,
   ChardevReturn *ret, Error **errp)
@@ -810,6 +817,7 @@ static CharDriverState *qemu_chr_open_mux(const char *id,
 chr->opaque = d;
 d->drv = drv;
 d->focus = -1;
+chr->chr_close = mux_chr_close;
 chr->chr_write = mux_chr_write;
 chr->chr_update_read_handler = mux_chr_update_read_handler;
 chr->chr_accept_input = mux_chr_accept_input;
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 16/36] pc: don't leak a20_line

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

The irqs array is no longer being used.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 hw/i386/pc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 6b138d6..fd4a050 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1608,6 +1608,7 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
 }
 port92 = isa_create_simple(isa_bus, "port92");
 port92_init(port92, a20_line[1]);
+g_free(a20_line);
 
 DMA_init(isa_bus, 0);
 
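Review bot: g_free(a20_line) releases only the array returned by qemu_allocate_irqs; the two qemu_irq objects it held are now referenced solely by the i8042 and port92 devices (connected via i8042_setup_a20_line and port92_init above) and are still never freed. That is fine for this series' goal of silencing direct-leak reports, but the commit message ("The irqs array is no longer being used") should say explicitly that the IRQs themselves remain allocated.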
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 12/36] tests: fix leak in test-string-input-visitor

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Free the list returned by visit_type_intList().

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/test-string-input-visitor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/test-string-input-visitor.c 
b/tests/test-string-input-visitor.c
index d837ebe..a679fbc 100644
--- a/tests/test-string-input-visitor.c
+++ b/tests/test-string-input-visitor.c
@@ -228,6 +228,7 @@ static void test_visitor_in_fuzz(TestInputVisitorData *data,
 
 v = visitor_input_test_init(data, buf);
 visit_type_intList(v, NULL, &ilres, NULL);
+qapi_free_intList(ilres);
 visitor_input_teardown(data, NULL);
 
 v = visitor_input_test_init(data, buf);
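Review bot: qapi_free_intList(ilres) is only safe if ilres is initialised to NULL before the visit, because visit_type_intList() is called with a NULL errp and may fail without assigning the output. The declaration is outside this hunk; please confirm it reads `intList *ilres = NULL`, or initialise it here before the call.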
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 23/36] pc: keep gsi reference

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Further cleanup would need to call qemu_free_irq() at the appropriate
time, but for now this silences ASAN about direct leaks.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Markus Armbruster 
---
 hw/i386/pc_piix.c| 17 -
 hw/i386/pc_q35.c | 13 ++---
 include/hw/i386/pc.h |  1 +
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index a07dc81..2af 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -74,7 +74,6 @@ static void pc_init1(MachineState *machine,
 ISABus *isa_bus;
 PCII440FXState *i440fx_state;
 int piix3_devfn = -1;
-qemu_irq *gsi;
 qemu_irq *i8259;
 qemu_irq smi_irq;
 GSIState *gsi_state;
@@ -185,16 +184,16 @@ static void pc_init1(MachineState *machine,
 gsi_state = g_malloc0(sizeof(*gsi_state));
 if (kvm_ioapic_in_kernel()) {
 kvm_pc_setup_irq_routing(pcmc->pci_enabled);
-gsi = qemu_allocate_irqs(kvm_pc_gsi_handler, gsi_state,
- GSI_NUM_PINS);
+pcms->gsi = qemu_allocate_irqs(kvm_pc_gsi_handler, gsi_state,
+   GSI_NUM_PINS);
 } else {
-gsi = qemu_allocate_irqs(gsi_handler, gsi_state, GSI_NUM_PINS);
+pcms->gsi = qemu_allocate_irqs(gsi_handler, gsi_state, GSI_NUM_PINS);
 }
 
 if (pcmc->pci_enabled) {
 pci_bus = i440fx_init(host_type,
   pci_type,
-  &i440fx_state, &piix3_devfn, &isa_bus, gsi,
+  &i440fx_state, &piix3_devfn, &isa_bus, pcms->gsi,
   system_memory, system_io, machine->ram_size,
   pcms->below_4g_mem_size,
   pcms->above_4g_mem_size,
@@ -207,7 +206,7 @@ static void pc_init1(MachineState *machine,
   &error_abort);
 no_hpet = 1;
 }
-isa_bus_irqs(isa_bus, gsi);
+isa_bus_irqs(isa_bus, pcms->gsi);
 
 if (kvm_pic_in_kernel()) {
 i8259 = kvm_i8259_init(isa_bus);
@@ -225,7 +224,7 @@ static void pc_init1(MachineState *machine,
 ioapic_init_gsi(gsi_state, "i440fx");
 }
 
-pc_register_ferr_irq(gsi[13]);
+pc_register_ferr_irq(pcms->gsi[13]);
 
 pc_vga_init(isa_bus, pcmc->pci_enabled ? pci_bus : NULL);
 
@@ -235,7 +234,7 @@ static void pc_init1(MachineState *machine,
 }
 
 /* init basic PC hardware */
-pc_basic_device_init(isa_bus, gsi, &rtc_state, true,
+pc_basic_device_init(isa_bus, pcms->gsi, &rtc_state, true,
  (pcms->vmport != ON_OFF_AUTO_ON), 0x4);
 
 pc_nic_init(isa_bus, pci_bus);
@@ -279,7 +278,7 @@ static void pc_init1(MachineState *machine,
 smi_irq = qemu_allocate_irq(pc_acpi_smi_interrupt, first_cpu, 0);
 /* TODO: Populate SPD eeprom data.  */
 smbus = piix4_pm_init(pci_bus, piix3_devfn + 3, 0xb100,
-  gsi[9], smi_irq,
+  pcms->gsi[9], smi_irq,
   pc_machine_is_smm_enabled(pcms),
   &piix4_pm);
 smbus_eeprom_init(smbus, 8, NULL, 0);
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index c5e8367..3cbcbb0 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -69,7 +69,6 @@ static void pc_q35_init(MachineState *machine)
 MemoryRegion *ram_memory;
 GSIState *gsi_state;
 ISABus *isa_bus;
-qemu_irq *gsi;
 qemu_irq *i8259;
 int i;
 ICH9LPCState *ich9_lpc;
@@ -153,10 +152,10 @@ static void pc_q35_init(MachineState *machine)
 gsi_state = g_malloc0(sizeof(*gsi_state));
 if (kvm_ioapic_in_kernel()) {
 kvm_pc_setup_irq_routing(pcmc->pci_enabled);
-gsi = qemu_allocate_irqs(kvm_pc_gsi_handler, gsi_state,
- GSI_NUM_PINS);
+pcms->gsi = qemu_allocate_irqs(kvm_pc_gsi_handler, gsi_state,
+   GSI_NUM_PINS);
 } else {
-gsi = qemu_allocate_irqs(gsi_handler, gsi_state, GSI_NUM_PINS);
+pcms->gsi = qemu_allocate_irqs(gsi_handler, gsi_state, GSI_NUM_PINS);
 }
 
 /* create pci host bus */
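Review bot: the kvm_ioapic_in_kernel()/else block that fills pcms->gsi is now identical in pc_q35_init and pc_init1 (see the pc_piix.c hunk above); a small helper in pc.c taking pcms, gsi_state and pcmc->pci_enabled would avoid maintaining two copies. As the commit message admits, nothing frees pcms->gsi yet, so a comment next to the new field noting that it is intentionally kept for the machine's lifetime would help.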
@@ -195,7 +194,7 @@ static void pc_q35_init(MachineState *machine)
 ich9_lpc = ICH9_LPC_DEVICE(lpc);
 lpc_dev = DEVICE(lpc);
 for (i = 0; i < GSI_NUM_PINS; i++) {
-qdev_connect_gpio_out_named(lpc_dev, ICH9_GPIO_GSI, i, gsi[i]);
+qdev_connect_gpio_out_named(lpc_dev, ICH9_GPIO_GSI, i, pcms->gsi[i]);
 }
 pci_bus_irqs(host_bus, ich9_lpc_set_irq, ich9_lpc_map_irq, ich9_lpc,
  ICH9_LPC_NB_PIRQS);
@@ -219,7 +218,7 @@ static void pc_q35_init(MachineState *machine)
 ioapic_init_gsi(gsi_state, "q35");
 }
 
-pc_register_ferr_irq(gsi[13]);
+pc_register_ferr_irq(pcms->gsi[13]);
 
 assert(pcms->vmport != ON_OFF_AUTO__MAX);
 if (pcms->vmport == ON_OFF_AUTO_AUTO) {
@@ -227,7 +226,7 @@ static void

[Qemu-devel] [PATCH for-2.7 v4 21/36] tests: fix qom-test leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/qom-test.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/qom-test.c b/tests/qom-test.c
index 23493a2..d48f890 100644
--- a/tests/qom-test.c
+++ b/tests/qom-test.c
@@ -115,7 +115,7 @@ static void add_machine_test_cases(void)
 const QListEntry *p;
 QObject *qobj;
 QString *qstr;
-const char *mname, *path;
+const char *mname;
 
 qtest_start("-machine none");
 response = qmp("{ 'execute': 'query-machines' }");
@@ -132,8 +132,9 @@ static void add_machine_test_cases(void)
 g_assert(qstr);
 mname = qstring_get_str(qstr);
 if (!is_blacklisted(arch, mname)) {
-path = g_strdup_printf("qom/%s", mname);
+char *path = g_strdup_printf("qom/%s", mname);
 qtest_add_data_func(path, g_strdup(mname), test_machine);
+g_free(path);
 }
 }
 
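Review bot: the leak of `path` is fixed, but the `g_strdup(mname)` passed as test data on the unchanged line is still never freed; qtest_add_data_func_full() (added in 32/36 of this series) with g_free as the destroy notify would close that one as well. Freeing `path` immediately after registration is correct since GLib copies the test path.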
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 31/36] bus: simplify name handling

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Simplify a bit the code by using g_strdup_printf() and store it in a
non-const value so casting is no longer needed, and ownership is
clearer.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 hw/core/bus.c  | 21 ++---
 include/hw/qdev-core.h |  2 +-
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/hw/core/bus.c b/hw/core/bus.c
index 3e3f8ac..cf383fc 100644
--- a/hw/core/bus.c
+++ b/hw/core/bus.c
@@ -78,8 +78,7 @@ static void qbus_realize(BusState *bus, DeviceState *parent, 
const char *name)
 {
 const char *typename = object_get_typename(OBJECT(bus));
 BusClass *bc;
-char *buf;
-int i, len, bus_id;
+int i, bus_id;
 
 bus->parent = parent;
 
@@ -88,23 +87,15 @@ static void qbus_realize(BusState *bus, DeviceState 
*parent, const char *name)
 } else if (bus->parent && bus->parent->id) {
 /* parent device has id -> use it plus parent-bus-id for bus name */
 bus_id = bus->parent->num_child_bus;
-
-len = strlen(bus->parent->id) + 16;
-buf = g_malloc(len);
-snprintf(buf, len, "%s.%d", bus->parent->id, bus_id);
-bus->name = buf;
+bus->name = g_strdup_printf("%s.%d", bus->parent->id, bus_id);
 } else {
 /* no id -> use lowercase bus type plus global bus-id for bus name */
 bc = BUS_GET_CLASS(bus);
 bus_id = bc->automatic_ids++;
-
-len = strlen(typename) + 16;
-buf = g_malloc(len);
-len = snprintf(buf, len, "%s.%d", typename, bus_id);
-for (i = 0; i < len; i++) {
-buf[i] = qemu_tolower(buf[i]);
+bus->name = g_strdup_printf("%s.%d", typename, bus_id);
+for (i = 0; bus->name[i]; i++) {
+bus->name[i] = qemu_tolower(bus->name[i]);
 }
-bus->name = buf;
 }
 
 if (bus->parent) {
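Review bot: now that `len` is gone, `i` is used only by the lowercase loop; declaring it in the `for` would keep the function-scope declarations minimal. Behaviour is preserved: the loop lowercases bus->name in place, which is legal now that the field is `char *`.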
@@ -229,7 +220,7 @@ static void qbus_finalize(Object *obj)
 {
 BusState *bus = BUS(obj);
 
-g_free((char *)bus->name);
+g_free(bus->name);
 }
 
 static const TypeInfo bus_info = {
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 4b4b33b..2c97347 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -224,7 +224,7 @@ typedef struct BusChild {
 struct BusState {
 Object obj;
 DeviceState *parent;
-const char *name;
+char *name;
 HotplugHandler *hotplug_handler;
 int max_index;
 bool realized;
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 15/36] pc: simplify passing qemu_irq

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

qemu_irq is already a pointer, no need to have an extra pointer level.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 hw/i386/pc.c | 8 
 hw/input/pckbd.c | 4 ++--
 include/hw/i386/pc.h | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 47593b7..6b138d6 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -530,9 +530,9 @@ static uint64_t port92_read(void *opaque, hwaddr addr,
 return ret;
 }
 
-static void port92_init(ISADevice *dev, qemu_irq *a20_out)
+static void port92_init(ISADevice *dev, qemu_irq a20_out)
 {
-qdev_connect_gpio_out_named(DEVICE(dev), PORT92_A20_LINE, 0, *a20_out);
+qdev_connect_gpio_out_named(DEVICE(dev), PORT92_A20_LINE, 0, a20_out);
 }
 
 static const VMStateDescription vmstate_port92_isa = {
@@ -1594,7 +1594,7 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
 
 a20_line = qemu_allocate_irqs(handle_a20_line_change, first_cpu, 2);
 i8042 = isa_create_simple(isa_bus, "i8042");
-i8042_setup_a20_line(i8042, &a20_line[0]);
+i8042_setup_a20_line(i8042, a20_line[0]);
 if (!no_vmport) {
 vmport_init(isa_bus);
 vmmouse = isa_try_create(isa_bus, "vmmouse");
@@ -1607,7 +1607,7 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
 qdev_init_nofail(dev);
 }
 port92 = isa_create_simple(isa_bus, "port92");
-port92_init(port92, &a20_line[1]);
+port92_init(port92, a20_line[1]);
 
 DMA_init(isa_bus, 0);
 
diff --git a/hw/input/pckbd.c b/hw/input/pckbd.c
index dc57e2c..d414288 100644
--- a/hw/input/pckbd.c
+++ b/hw/input/pckbd.c
@@ -499,9 +499,9 @@ void i8042_isa_mouse_fake_event(void *opaque)
 ps2_mouse_fake_event(s->mouse);
 }
 
-void i8042_setup_a20_line(ISADevice *dev, qemu_irq *a20_out)
+void i8042_setup_a20_line(ISADevice *dev, qemu_irq a20_out)
 {
-qdev_connect_gpio_out_named(DEVICE(dev), I8042_A20_LINE, 0, *a20_out);
+qdev_connect_gpio_out_named(DEVICE(dev), I8042_A20_LINE, 0, a20_out);
 }
 
 static const VMStateDescription vmstate_kbd_isa = {
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 74c175c..330c1f2 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -220,7 +220,7 @@ void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
MemoryRegion *region, ram_addr_t size,
hwaddr mask);
 void i8042_isa_mouse_fake_event(void *opaque);
-void i8042_setup_a20_line(ISADevice *dev, qemu_irq *a20_out);
+void i8042_setup_a20_line(ISADevice *dev, qemu_irq a20_out);
 
 /* pc.c */
 extern int fd_bootchk;
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 27/36] virtio-input: free config list

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Clear the list when finalizing. The list is created during realize with
virtio_input_idstr_config() and later by further calls to
virtio_input_init_config() and virtio_input_add_config().

This leak can be reproduced with device-introspect-test -p
/x86_64/device/introspect/concrete.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Gerd Hoffmann 
---
 hw/input/virtio-input.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/hw/input/virtio-input.c b/hw/input/virtio-input.c
index a87fd68..ccdf730 100644
--- a/hw/input/virtio-input.c
+++ b/hw/input/virtio-input.c
@@ -270,6 +270,16 @@ static void virtio_input_device_realize(DeviceState *dev, 
Error **errp)
 vinput->sts = virtio_add_queue(vdev, 64, virtio_input_handle_sts);
 }
 
+static void virtio_input_finalize(Object *obj)
+{
+VirtIOInput *vinput = VIRTIO_INPUT(obj);
+VirtIOInputConfig *cfg, *next;
+
+QTAILQ_FOREACH_SAFE(cfg, &vinput->cfg_list, node, next) {
+QTAILQ_REMOVE(&vinput->cfg_list, cfg, node);
+g_free(cfg);
+}
+}
 static void virtio_input_device_unrealize(DeviceState *dev, Error **errp)
 {
 VirtIOInputClass *vic = VIRTIO_INPUT_GET_CLASS(dev);
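Review bot: missing blank line between the closing brace of virtio_input_finalize and the following virtio_input_device_unrealize definition. The QTAILQ_FOREACH_SAFE / QTAILQ_REMOVE / g_free sequence itself is correct.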
@@ -318,6 +328,7 @@ static const TypeInfo virtio_input_info = {
 .class_size= sizeof(VirtIOInputClass),
 .class_init= virtio_input_class_init,
 .abstract  = true,
+.instance_finalize = virtio_input_finalize,
 };
 
 /* - */
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 22/36] pc: free i8259

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Similarly to 2ba154cf4eb8636cdd3aa90f392ca9e77206ca39

Signed-off-by: Marc-André Lureau 
Reviewed-by: Marcel Apfelbaum 
---
 hw/i386/pc_q35.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index c0b9961..c5e8367 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -213,6 +213,8 @@ static void pc_q35_init(MachineState *machine)
 for (i = 0; i < ISA_NUM_IRQS; i++) {
 gsi_state->i8259_irq[i] = i8259[i];
 }
+g_free(i8259);
+
 if (pcmc->pci_enabled) {
 ioapic_init_gsi(gsi_state, "q35");
 }
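Review bot: g_free(i8259) right after copying the entries into gsi_state->i8259_irq is correct because the qemu_irq values are copied, not the array, but it relies on both assignments to i8259 (kvm_i8259_init and the non-KVM path, neither in this hunk) returning a heap array. The commit message only points to a hash; stating that in words would make the intent reviewable without a git lookup.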
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 17/36] machine: use class base init generated name

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

machine_class_base_init() member name is allocated by
machine_class_base_init(), but not freed by
machine_class_finalize().  Simply freeing there doesn't work,
because DEFINE_PC_MACHINE() overwrites it with a literal string.

Fix DEFINE_PC_MACHINE() not to overwrite it, and add the missing
free to machine_class_finalize().

Signed-off-by: Marc-André Lureau 
Reviewed-by: Markus Armbruster 
---
 hw/core/machine.c| 1 +
 include/hw/boards.h  | 2 +-
 include/hw/i386/pc.h | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index e5a456f..00fbe3e 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -561,6 +561,7 @@ static void machine_class_finalize(ObjectClass *klass, void 
*data)
 if (mc->compat_props) {
 g_array_free(mc->compat_props, true);
 }
+g_free(mc->name);
 }
 
 void machine_register_compat_props(MachineState *machine)
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 3e69eca..e46a744 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -93,7 +93,7 @@ struct MachineClass {
 /*< public >*/
 
 const char *family; /* NULL iff @name identifies a standalone machtype */
-const char *name;
+char *name;
 const char *alias;
 const char *desc;
 
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 330c1f2..422fac7 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -903,7 +903,6 @@ bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
 { \
 MachineClass *mc = MACHINE_CLASS(oc); \
 optsfn(mc); \
-mc->name = namestr; \
 mc->init = initfn; \
 } \
 static const TypeInfo pc_machine_type_##suffix = { \
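Review bot: after dropping `mc->name = namestr;`, the `namestr` macro parameter is no longer referenced in the shown macro body; if the TypeInfo below does not use it either, it can be removed from DEFINE_PC_MACHINE and its callers in a follow-up. Since machine_class_base_init() now owns mc->name, the field in boards.h could also carry a comment that the string is allocated and freed by the class code.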
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 32/36] tests: add qtest_add_data_func_full

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Allows one to specify a destroy function for the test data.

Signed-off-by: Marc-André Lureau 
---
 tests/libqtest.c | 15 +++
 tests/libqtest.h | 17 +
 2 files changed, 32 insertions(+)

diff --git a/tests/libqtest.c b/tests/libqtest.c
index eb00f13..9e2d0cd 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -758,6 +758,21 @@ void qtest_add_func(const char *str, void (*fn)(void))
 g_free(path);
 }
 
+void qtest_add_data_func_full(const char *str, void *data,
+  void (*fn)(const void *),
+  GDestroyNotify data_free_func)
+{
+gchar *path = g_strdup_printf("/%s/%s", qtest_get_arch(), str);
+#if GLIB_CHECK_VERSION(2, 34, 0)
+g_test_add_data_func_full(path, data, fn, data_free_func);
+#else
+/* back-compat casts, remove this once we can require new-enough glib */
+g_test_add_vtable(path, 0, data, NULL,
+  (GTestFixtureFunc) fn, (GTestFixtureFunc) 
data_free_func);
+#endif
+g_free(path);
+}
+
 void qtest_add_data_func(const char *str, const void *data,
  void (*fn)(const void *))
 {
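Review bot: the back-compat branch casts data_free_func (a one-argument GDestroyNotify) to GTestFixtureFunc (two arguments); this works only because g_test_add_vtable passes the test data as the fixture when the fixture size is 0, so the "back-compat casts" comment should state that. Also `data` is `void *` here but `const void *` in qtest_add_data_func below; the non-const is deliberate since the destroy notify frees it, which is worth a sentence in the header comment.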
diff --git a/tests/libqtest.h b/tests/libqtest.h
index 37f37ad..d2b4853 100644
--- a/tests/libqtest.h
+++ b/tests/libqtest.h
@@ -425,6 +425,23 @@ void qtest_add_func(const char *str, void (*fn)(void));
 void qtest_add_data_func(const char *str, const void *data,
  void (*fn)(const void *));
 
+/**
+ * qtest_add_data_func_full:
+ * @str: Test case path.
+ * @data: Test case data
+ * @fn: Test case function
+ * @data_free_func: GDestroyNotify for data
+ *
+ * Add a GTester testcase with the given name, data and function.
+ * The path is prefixed with the architecture under test, as
+ * returned by qtest_get_arch().
+ *
+ * @data is passed to @data_free_func() on test completion.
+ */
+void qtest_add_data_func_full(const char *str, void *data,
+  void (*fn)(const void *),
+  GDestroyNotify data_free_func);
+
 /**
  * qtest_add:
  * @testpath: Test case path
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 24/36] ahci: free irqs array

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Each irq is referenced by the IDEBus in ide_init2(), thus we can free
the no longer used array.

Signed-off-by: Marc-André Lureau 
Reviewed-by: John Snow 
Acked-by: John Snow 
---
 hw/ide/ahci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bcb9ff9..6defeed 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1478,6 +1478,7 @@ void ahci_realize(AHCIState *s, DeviceState *qdev, 
AddressSpace *as, int ports)
 ad->port.dma->ops = &ahci_dma_ops;
 ide_register_restart_cb(&ad->port);
 }
+g_free(irqs);
 }
 
 void ahci_uninit(AHCIState *s)
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 26/36] qjson: free str

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Release the qstring allocated in qjson_new().

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 migration/qjson.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/qjson.c b/migration/qjson.c
index 5cae55a..f345904 100644
--- a/migration/qjson.c
+++ b/migration/qjson.c
@@ -109,5 +109,6 @@ void qjson_finish(QJSON *json)
 
 void qjson_destroy(QJSON *json)
 {
+QDECREF(json->str);
 g_free(json);
 }
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 34/36] tests: fix rsp leak in postcopy-test

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

In all cases, even when the dict doesn't contain 'ram', the qmp response
must be unref.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/postcopy-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/postcopy-test.c b/tests/postcopy-test.c
index 229e9e9..bf4e579 100644
--- a/tests/postcopy-test.c
+++ b/tests/postcopy-test.c
@@ -260,8 +260,8 @@ static uint64_t get_migration_pass(void)
 } else {
 rsp_ram = qdict_get_qdict(rsp_return, "ram");
 result = qdict_get_try_int(rsp_ram, "dirty-sync-count", 0);
-QDECREF(rsp);
 }
+QDECREF(rsp);
 return result;
 }
 
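Review bot: moving QDECREF(rsp) after the if/else only covers the missing-'ram' case if that branch falls through; the hunk shows just its closing brace, so please confirm it does not `return` early. Reading `result` before the decref is correct since rsp_ram is borrowed from rsp.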
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 33/36] tests: pc-cpu-test leaks fixes

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

The path is allocated and should be freed.

The qmp response should be unref, but then 'machine' must be duplicated.

Use a destroy function for the PCTestData.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/pc-cpu-test.c | 24 +++-
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/tests/pc-cpu-test.c b/tests/pc-cpu-test.c
index 4428cea..c3a2633 100644
--- a/tests/pc-cpu-test.c
+++ b/tests/pc-cpu-test.c
@@ -14,7 +14,7 @@
 #include "qapi/qmp/types.h"
 
 struct PCTestData {
-const char *machine;
+char *machine;
 const char *cpu_model;
 unsigned sockets;
 unsigned cores;
@@ -71,6 +71,14 @@ static void test_pc_without_cpu_add(gconstpointer data)
 g_free(args);
 }
 
+static void test_data_free(gpointer data)
+{
+PCTestData *pc = data;
+
+g_free(pc->machine);
+g_free(pc);
+}
+
 static void add_pc_test_cases(void)
 {
 QDict *response, *minfo;
@@ -78,7 +86,8 @@ static void add_pc_test_cases(void)
 const QListEntry *p;
 QObject *qobj;
 QString *qstr;
-const char *mname, *path;
+const char *mname;
+char *path;
 PCTestData *data;
 
 qtest_start("-machine none");
@@ -99,7 +108,7 @@ static void add_pc_test_cases(void)
 continue;
 }
 data = g_malloc(sizeof(PCTestData));
-data->machine = mname;
+data->machine = g_strdup(mname);
 data->cpu_model = "Haswell"; /* 1.3+ theoretically */
 data->sockets = 1;
 data->cores = 3;
@@ -119,14 +128,19 @@ static void add_pc_test_cases(void)
 path = g_strdup_printf("cpu/%s/init/%ux%ux%u&maxcpus=%u",
mname, data->sockets, data->cores,
data->threads, data->maxcpus);
-qtest_add_data_func(path, data, test_pc_without_cpu_add);
+qtest_add_data_func_full(path, data, test_pc_without_cpu_add,
+ test_data_free);
+g_free(path);
 } else {
 path = g_strdup_printf("cpu/%s/add/%ux%ux%u&maxcpus=%u",
mname, data->sockets, data->cores,
data->threads, data->maxcpus);
-qtest_add_data_func(path, data, test_pc_with_cpu_add);
+qtest_add_data_func_full(path, data, test_pc_with_cpu_add,
+ test_data_free);
+g_free(path);
 }
 }
+QDECREF(response);
 qtest_end();
 }
 
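Review bot: the two branches now duplicate the g_strdup_printf / qtest_add_data_func_full / g_free sequence and differ only in the format string and the test function; selecting those two with a ternary before a single registration would halve the hunk. The QDECREF(response) after the loop is correct now that data->machine is duplicated rather than borrowed from the response.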
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 25/36] sd: free timer

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Free the timer allocated in instance_init.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Andrew Baumann 
---
 hw/sd/sd.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 87c6dc1..8e88e83 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1876,6 +1876,14 @@ static void sd_instance_init(Object *obj)
 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
 }
 
+static void sd_instance_finalize(Object *obj)
+{
+SDState *sd = SD_CARD(obj);
+
+timer_del(sd->ocr_power_timer);
+timer_free(sd->ocr_power_timer);
+}
+
 static void sd_realize(DeviceState *dev, Error **errp)
 {
 SDState *sd = SD_CARD(dev);
@@ -1927,6 +1935,7 @@ static const TypeInfo sd_info = {
 .class_size = sizeof(SDCardClass),
 .class_init = sd_class_init,
 .instance_init = sd_instance_init,
+.instance_finalize = sd_instance_finalize,
 };
 
 static void sd_register_types(void)
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 35/36] ahci: fix sglist leak on retry

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

ahci-test /x86_64/ahci/io/dma/lba28/retry triggers the following leak:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7fc4b2a25e20 in malloc (/lib64/libasan.so.3+0xc6e20)
#1 0x7fc4993bce58 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee58)
#2 0x556a187d4b34 in ahci_populate_sglist hw/ide/ahci.c:896
#3 0x556a187d8237 in ahci_dma_prepare_buf hw/ide/ahci.c:1367
#4 0x556a187b5a1a in ide_dma_cb hw/ide/core.c:844
#5 0x556a187d7eec in ahci_start_dma hw/ide/ahci.c:1333
#6 0x556a187b650b in ide_start_dma hw/ide/core.c:921
#7 0x556a187b61e6 in ide_sector_start_dma hw/ide/core.c:911
#8 0x556a187b9e26 in cmd_write_dma hw/ide/core.c:1486
#9 0x556a187bd519 in ide_exec_cmd hw/ide/core.c:2027
#10 0x556a187d71c5 in handle_reg_h2d_fis hw/ide/ahci.c:1204
#11 0x556a187d7681 in handle_cmd hw/ide/ahci.c:1254
#12 0x556a187d168a in check_cmd hw/ide/ahci.c:510
#13 0x556a187d0afc in ahci_port_write hw/ide/ahci.c:314
#14 0x556a187d105d in ahci_mem_write hw/ide/ahci.c:435
#15 0x556a1831d959 in memory_region_write_accessor /home/elmarco/src/qemu/memory.c:525
#16 0x556a1831dc35 in access_with_adjusted_size /home/elmarco/src/qemu/memory.c:591
#17 0x556a18323ce3 in memory_region_dispatch_write /home/elmarco/src/qemu/memory.c:1262
#18 0x556a1828cf67 in address_space_write_continue /home/elmarco/src/qemu/exec.c:2578
#19 0x556a1828d20b in address_space_write /home/elmarco/src/qemu/exec.c:2635
#20 0x556a1828d92b in address_space_rw /home/elmarco/src/qemu/exec.c:2737
#21 0x556a1828daf7 in cpu_physical_memory_rw /home/elmarco/src/qemu/exec.c:2746
#22 0x556a183068d3 in cpu_physical_memory_write /home/elmarco/src/qemu/include/exec/cpu-common.h:72
#23 0x556a18308194 in qtest_process_command /home/elmarco/src/qemu/qtest.c:382
#24 0x556a1830 in qtest_process_inbuf /home/elmarco/src/qemu/qtest.c:573
#25 0x556a18309a4a in qtest_read /home/elmarco/src/qemu/qtest.c:585
#26 0x556a18598b85 in qemu_chr_be_write_impl /home/elmarco/src/qemu/qemu-char.c:387
#27 0x556a18598c52 in qemu_chr_be_write /home/elmarco/src/qemu/qemu-char.c:399
#28 0x556a185a2afa in tcp_chr_read /home/elmarco/src/qemu/qemu-char.c:2902
#29 0x556a18cbaf52 in qio_channel_fd_source_dispatch io/channel-watch.c:84

Follow John Snow recommendation:
  Everywhere else ncq_err is used, it is accompanied by a list cleanup
  except for ncq_cb, which is the case you are fixing here.

  Move the sglist destruction inside of ncq_err and then delete it from
  the other two locations to keep it tidy.

  Call dma_buf_commit in ide_dma_cb after the early return. Though, this
  is also a little wonky because this routine does more than clear the
  list, but it is at the moment the centralized "we're done with the
  sglist" function and none of the other side effects that occur in
  dma_buf_commit will interfere with the reset that occurs from
  ide_restart_bh, I think

Signed-off-by: Marc-André Lureau 
Reviewed-by: John Snow 
---
 hw/ide/ahci.c | 3 +--
 hw/ide/core.c | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 6defeed..f3438ad 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -919,6 +919,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
 ide_state->error = ABRT_ERR;
 ide_state->status = READY_STAT | ERR_STAT;
 ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
+qemu_sglist_destroy(&ncq_tfs->sglist);
 ncq_tfs->used = 0;
 }
 
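Review bot: with qemu_sglist_destroy moved into ncq_err, every caller must reach it with an initialised sglist; the two callers whose explicit destroy is removed below are fine, but any ncq_err call made before ahci_populate_sglist has run would now destroy an uninitialised list. Please check the remaining callers, which are not in this diff.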
@@ -1025,7 +1026,6 @@ static void execute_ncq_command(NCQTransferState *ncq_tfs)
 default:
 DPRINTF(port, "error: unsupported NCQ command (0x%02x) received\n",
 ncq_tfs->cmd);
-qemu_sglist_destroy(&ncq_tfs->sglist);
 ncq_err(ncq_tfs);
 }
 }
@@ -1092,7 +1092,6 @@ static void process_ncq_command(AHCIState *s, int port, 
uint8_t *cmd_fis,
 error_report("ahci: PRDT length for NCQ command (0x%zx) "
  "is smaller than the requested size (0x%zx)",
  ncq_tfs->sglist.size, size);
-qemu_sglist_destroy(&ncq_tfs->sglist);
 ncq_err(ncq_tfs);
 ahci_trigger_irq(ad->hba, ad, PORT_IRQ_OVERFLOW);
 return;
diff --git a/hw/ide/core.c b/hw/ide/core.c
index f9c8162..b0e42a6 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -824,6 +824,7 @@ static void ide_dma_cb(void *opaque, int ret)
 if (ret < 0) {
 if (ide_handle_rw_error(s, -ret, ide_dma_cmd_to_retry(s->dma_cmd))) {
 s->bus->dma->aiocb = NULL;
+dma_buf_commit(s, 0);
 return;
 }
 }
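Review bot: dma_buf_commit(s, 0) on the retry path is called for its side effect of releasing the sglist, which the commit message itself calls "a little wonky"; a code comment saying the zero-byte commit is only there to free the sglist before ide_restart_bh re-runs the command would keep that intent visible outside the git log.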
-- 
2.9.0




[Qemu-devel] [PATCH for-2.7 v4 28/36] ipmi: free extern timer

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

Free the timer allocated during instance init.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Corey Minyard 
---
 hw/ipmi/ipmi_bmc_extern.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/hw/ipmi/ipmi_bmc_extern.c b/hw/ipmi/ipmi_bmc_extern.c
index 157879e..5b73983 100644
--- a/hw/ipmi/ipmi_bmc_extern.c
+++ b/hw/ipmi/ipmi_bmc_extern.c
@@ -487,6 +487,14 @@ static void ipmi_bmc_extern_init(Object *obj)
 vmstate_register(NULL, 0, &vmstate_ipmi_bmc_extern, ibe);
 }
 
+static void ipmi_bmc_extern_finalize(Object *obj)
+{
+IPMIBmcExtern *ibe = IPMI_BMC_EXTERN(obj);
+
+timer_del(ibe->extern_timer);
+timer_free(ibe->extern_timer);
+}
+
 static Property ipmi_bmc_extern_properties[] = {
 DEFINE_PROP_CHR("chardev", IPMIBmcExtern, chr),
 DEFINE_PROP_END_OF_LIST(),
@@ -508,6 +516,7 @@ static const TypeInfo ipmi_bmc_extern_type = {
 .parent= TYPE_IPMI_BMC,
 .instance_size = sizeof(IPMIBmcExtern),
 .instance_init = ipmi_bmc_extern_init,
+.instance_finalize = ipmi_bmc_extern_finalize,
 .class_init= ipmi_bmc_extern_class_init,
  };
 
-- 
2.9.0




Re: [Qemu-devel] [PATCH for-2.7 v4 00/36] Various memory leak fixes

2016-08-05 Thread Daniel P. Berrange
On Fri, Aug 05, 2016 at 12:23:45PM +0400, marcandre.lur...@redhat.com wrote:
> From: Marc-André Lureau 
> 
> Hi,
> 
> Thanks to AddressSanitizer (ASAN), I found a number of direct leaks
> worth fixing. Note that there are probably many indirect leaks left (I
> am adding some here), I haven't investigated much yet.
> 
> There are still a number of direct leaks remaining, in particular in
> the tests, but my libc doesn't give me good backtraces.
> 
> In order to easily switch to asan-enabled build, I make use of make
> CFLAGS argument, which is why the first patch is also there.

FWIW, you could probably use  ./configure --extra-cflags="." which is
the currently supported way to inject extra custom flags into $CFLAGS.


Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



[Qemu-devel] [PATCH for-2.7 v4 29/36] usb: free USBDevice.strings

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

The list is created during instance init and further populated with
usb_desc_set_string(). Clear it when unrealizing the device.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Gerd Hoffmann 
---
 hw/usb/bus.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index c28ccb8..25913ad 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -279,6 +279,13 @@ static void usb_qdev_realize(DeviceState *qdev, Error 
**errp)
 static void usb_qdev_unrealize(DeviceState *qdev, Error **errp)
 {
 USBDevice *dev = USB_DEVICE(qdev);
+USBDescString *s, *next;
+
+QLIST_FOREACH_SAFE(s, &dev->strings, next, next) {
+QLIST_REMOVE(s, next);
+g_free(s->str);
+g_free(s);
+}
 
 if (dev->attached) {
 usb_device_detach(dev);
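Review bot: the commit message says the list is created at instance init, but it is cleared in usb_qdev_unrealize; a device that is instantiated and never realized (as in the introspection tests) would keep leaking. Freeing in an instance_finalize callback, as 27/36 does for virtio-input, would cover both cases.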
-- 
2.9.0




Re: [Qemu-devel] [Help]: Does qemu-system-aarch64 support virtio-9p? I got a problem when remap host file to guest in AArch64.

2016-08-05 Thread Daniel P. Berrange
On Fri, Aug 05, 2016 at 10:23:58AM +0800, Kevin Zhao wrote:
> Hi All,
>  I have a problem may about Qemu and kindly need your help. Does
> qemu-system-aarch64 support virtio-9p ?
>  Recently I have tried to use qemu remapped the file from host to
> guest. As I know, Qemu has supported this so long as guest kernel has
> support 9p(virtfs). Reference to this link:
> http://wiki.qemu.org/Documentation/9psetup
> Fedora 24 AArch64 kernel has supported this:
> [root@sha-win-225 ~]# lsmod | grep 9p
> 9p 56273  0
> fscache87449  1 9p
> 9pnet_virtio9122  0
> 9pnet  83564  2 9p,9pnet_virtio
> virtio_ring13866  5 virtio_net,virtio_pci,9pnet_
> virtio,virtio_mmio,virtio_scsi
> virtio  9467  5 virtio_net,virtio_pci,9pnet_
> virtio,virtio_mmio,virtio_scsi
> 
> Now I use virsh to launch the VM, and the corresponding qemu command I
> have pasted here:
> http://paste.openstack.org/show/549225/.
> You can see that:
> * -fsdev
> local,security_model=mapped,id=fsdev-fs0,path=/var/lib/libvirt/images/coreos
> -device
> virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=share,bus=pci.2,addr=0x1*
>  Here is the command that remapped the directory from host to guest.
> After VM launched, I use the command to mount:
> * mount -t 9p -o trans=virtio share /tmp/shared/
> -oversion=9p2000.L,posixacl,cache=loose*
> But mount command will be blocked and output nothing.

Try using version=9p2000.u instead - I've noticed other versions have
been buggy in various kernel version/qemu version combinations. The
9p2000.u version is what I use in libvirt-sandbox and so I know it will
work in general.

>  The Qemu version is QEMU emulator version 2.5.0 (Debian
> 1:2.5+dfsg-5ubuntu10.2). Besides test fedora24 guest, I have got the same
> problem in Debian jessie.
>   Kindly need your help~You will be really appreciated.

Regards,
Daniel



Re: [Qemu-devel] [PATCH v2] net: check fragment length during fragmentation

2016-08-05 Thread Jason Wang



On 2016年08月04日 18:57, Dmitry Fleytman wrote:
Reviewed-by: Dmitry Fleytman


On Thu, Aug 4, 2016 at 12:30 AM, P J P wrote:


From: Prasad J Pandit <p...@fedoraproject.org>

Network transport abstraction layer supports packet fragmentation.
While fragmenting a packet, it checks for more fragments from
packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.

Reported-by: Li Qiang <liqiang...@360.cn>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hw/net/net_tx_pkt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Updated as per
  ->
https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg00751.html

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index efd43b4..53dfaa2 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -590,7 +590,7 @@ static bool
net_tx_pkt_do_sw_fragmentation(struct NetTxPkt *pkt,

 fragment_offset += fragment_len;

-} while (more_frags);
+} while (fragment_len && more_frags);

 return true;
 }
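Review bot: the added `fragment_len &&` guard stops the loop, but the function still falls through to `return true;`, so a packet whose fragmentation stalled on a zero-length fragment is reported to the caller as fully fragmented; and because the test sits at the tail of a do/while, the zero-length iteration has already executed once before it fires. Prefer to leave with `return false` (or validate the fragment length before the first iteration) so the caller can drop the malformed packet instead of treating a truncated send as success.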
--
2.5.5




Applied. Thanks



[Qemu-devel] [PATCH for-2.7 v4 30/36] usb: free leaking path

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

qdev_get_dev_path() returns an allocated string, free it when no longer
needed.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Gerd Hoffmann 
---
 hw/usb/desc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/desc.c b/hw/usb/desc.c
index adb026e..5e0e1d1 100644
--- a/hw/usb/desc.c
+++ b/hw/usb/desc.c
@@ -574,6 +574,7 @@ void usb_desc_create_serial(USBDevice *dev)
 }
 dst += snprintf(serial+dst, sizeof(serial)-dst, "-%s", dev->port->path);
 usb_desc_set_string(dev, index, serial);
+g_free(path);
 }
 
 const char *usb_desc_get_string(USBDevice *dev, uint8_t index)
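Review bot: the new `g_free(path)` lands at the very end of usb_desc_create_serial(), after the snprintf() and usb_desc_set_string() calls, while the hunk does not show where `path` is obtained from qdev_get_dev_path(); check that no early return between that call and this line still skips the free, and consider releasing `path` right after its last use so allocation and release stay adjacent and later edits cannot reintroduce the leak.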
-- 
2.9.0




Re: [Qemu-devel] [PATCH] virtio-net: allow increasing rx queue size

2016-08-05 Thread Cornelia Huck
On Thu, 4 Aug 2016 22:52:29 +0300
"Michael S. Tsirkin"  wrote:

> On Thu, Aug 04, 2016 at 09:35:15AM +0200, Cornelia Huck wrote:
> > On Thu, 4 Aug 2016 02:16:14 +0300
> > "Michael S. Tsirkin"  wrote:
> > 
> > > This allows increasing the rx queue size up to 1024: unlike with tx,
> > > guests don't put in huge S/G lists into RX so the risk of running into
> > > the max 1024 limitation due to some off-by-one seems small.
> > > 
> > > It's helpful for users like OVS-DPDK which don't do any buffering on the
> > > host - 1K roughly matches 500 entries in tun + 256 in the current rx
> > > queue, which seems to work reasonably well. We could probably make do
> > > with ~750 entries but virtio spec limits us to powers of two.
> > > It might be a good idea to specify an s/g size limit in a future
> > > version.
> > > 
> > > It also might be possible to make the queue size smaller down the road, 64
> > > seems like the minimal value which will still work (as guests seem to
> > > assume a queue full of 1.5K buffers is enough to process the largest
> > > incoming packet, which is ~64K).  No one actually asked for this, and
> > > with virtio 1 guests can reduce ring size without need for host
> > > configuration, so don't bother with this for now.
> > 
> > Do we need some kind of sanity check that the guest did not resize
> > below a reasonable limit?
> 
> Unfortunately the spec does not have an interface for that.
> Guests expect they can get away with any size.

Might be a good idea to add this in the future, so that the guest is
able to discover the minimum and the host can refuse to work if the
configured queue is too small.

(I can easily reject the setup ccw on virtio-ccw, but is there an
elegant way to refuse setting up the queues with virtio-pci?)

> 
> > > 
> > > Signed-off-by: Michael S. Tsirkin 
> > > ---
> > >  include/hw/virtio/virtio-net.h |  1 +
> > >  hw/net/virtio-net.c| 22 +-
> > >  2 files changed, 22 insertions(+), 1 deletion(-)
> > > 
> > 
> > 
> > > @@ -1716,10 +1717,28 @@ static void virtio_net_device_realize(DeviceState 
> > > *dev, Error **errp)
> > >  VirtIONet *n = VIRTIO_NET(dev);
> > >  NetClientState *nc;
> > >  int i;
> > > +int min_rx_queue_size;
> > > 
> > >  virtio_net_set_config_size(n, n->host_features);
> > >  virtio_init(vdev, "virtio-net", VIRTIO_ID_NET, n->config_size);
> > > 
> > > +/*
> > > + * We set a lower limit on RX queue size to what it always was.
> > > + * Guests that want a smaller ring can always resize it without
> > > + * help from us (using virtio 1 and up).
> > > + */
> > > +min_rx_queue_size = 256;
> > 
> > I'd find it more readable to introduce a #define with the old queue
> > size as the minimum size...
> > 
> > > +if (n->net_conf.rx_queue_size < min_rx_queue_size ||
> > > +n->net_conf.rx_queue_size > VIRTQUEUE_MAX_SIZE ||
> > > +(n->net_conf.rx_queue_size & (n->net_conf.rx_queue_size - 1))) {
> > > +error_setg(errp, "Invalid rx_queue_size (= %" PRIu16 "), "
> > > +   "must be a power of 2 between %d and %d.",
> > > +   n->net_conf.rx_queue_size, min_rx_queue_size,
> > > +   VIRTQUEUE_MAX_SIZE);
> > > +virtio_cleanup(vdev);
> > > +return;
> > > +}
> > > +
> > >  n->max_queues = MAX(n->nic_conf.peers.queues, 1);
> > >  if (n->max_queues * 2 + 1 > VIRTIO_QUEUE_MAX) {
> > >  error_setg(errp, "Invalid number of queues (= %" PRIu32 "), "
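Review bot: the range/power-of-two validation runs after virtio_init(), which is the only reason the error path needs virtio_cleanup(vdev); nothing in the check depends on the initialized device (it reads n->net_conf.rx_queue_size and constants), so moving it above virtio_init() removes the partial-teardown path and keeps it from drifting apart from the "Invalid number of queues" path below. The test itself is sound: `x & (x - 1)` is only a valid power-of-two test for x > 0, and the lower bound of 256 already excludes 0.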
> > > @@ -1880,6 +1899,7 @@ static Property virtio_net_properties[] = {
> > > TX_TIMER_INTERVAL),
> > >  DEFINE_PROP_INT32("x-txburst", VirtIONet, net_conf.txburst, 
> > > TX_BURST),
> > >  DEFINE_PROP_STRING("tx", VirtIONet, net_conf.tx),
> > > +DEFINE_PROP_UINT16("rx_queue_size", VirtIONet, 
> > > net_conf.rx_queue_size, 256),
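Review bot: `rx_queue_size` is a user-visible property, but neither the property definition nor the commit message states the accepted range (a power of two from 256 to VIRTQUEUE_MAX_SIZE); a user only learns it from the realize error. Worth a sentence in the commit log, and once a #define replaces the literal 256 in realize, the same define should be the default here so the documented range and the code cannot diverge.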
> > 
> > ...and defaulting to that #define (or one derived from the #define
> > above) here.
> 
> These happen to be the same, but they are in fact
> unrelated: one is the default, the other is the
> min value.

Hm...

/* previously fixed value */
#define VIRTIO_NET_RX_DEFAULT_SIZE 256
/* for now, only allow larger queues; with virtio-1, guest can downsize */
#define VIRTIO_NET_RX_MIN_SIZE VIRTIO_NET_RX_DEFAULT_SIZE

This would allow getting rid of the new local variable and gets us a
speaking define in the property definition.




[Qemu-devel] [Bug 1586756] Re: "-serial unix:" option of qemu-system-arm is broken in qemu 2.6.0

2016-08-05 Thread Daniel Berrange
Fix posted https://lists.gnu.org/archive/html/qemu-
devel/2016-08/msg00684.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1586756

Title:
  "-serial unix:" option of qemu-system-arm is broken in qemu 2.6.0

Status in QEMU:
  Incomplete

Bug description:
  I found a bug of "-serial unix:PATH_TO_SOCKET" in qemu 2.6.0 (qemu 2.5.1 
works fine).
  Occasionally, a part of the output of qemu disappears in the bug.

  It looks like following commit is the cause:

  char: ensure all clients are in non-blocking mode (Author: Daniel P. Berrange 
)
  
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=64c800f808748522727847b9cdc73412f22dffb9

  In this commit, UNIX socket is set to non-blocking mode, but 
qemu_chr_fe_write function doesn't handle EAGAIN.
  You should fix code like that:

  ---
  diff --git a/qemu-char.c b/qemu-char.c
  index b597ee1..0361d78 100644
  --- a/qemu-char.c
  +++ b/qemu-char.c
  @@ -270,6 +270,7 @@ static int qemu_chr_fe_write_buffer(CharDriverState *s, 
const uint8_t *buf, int
   int qemu_chr_fe_write(CharDriverState *s, const uint8_t *buf, int len)
   {
   int ret;
  +int offset = 0;
   
   if (s->replay && replay_mode == REPLAY_MODE_PLAY) {
   int offset;
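Review bot: the new `int offset = 0;` at function scope is shadowed by the existing `int offset;` inside the `if (s->replay && replay_mode == REPLAY_MODE_PLAY)` block, so the replay path and the write loop below use two different variables with the same name; rename the new one (e.g. `written`) to keep -Wshadow clean and the intent obvious.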
  @@ -280,7 +281,21 @@ int qemu_chr_fe_write(CharDriverState *s, const uint8_t 
*buf, int len)
   }
   
   qemu_mutex_lock(&s->chr_write_lock);
  -ret = s->chr_write(s, buf, len);
  +
  +while (offset < len) {
  +retry:
  +ret = s->chr_write(s, buf, len);
  +if (ret < 0 && errno == EAGAIN) {
  +g_usleep(100);
  +goto retry;
  +}
  +
  +if (ret <= 0) {
  +break;
  +}
  +
  +offset += ret;
  +}
   
   if (ret > 0) {
   qemu_chr_fe_write_log(s, buf, ret);
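Review bot: the retry loop never advances the buffer: `ret = s->chr_write(s, buf, len);` is issued with the original `buf` and `len` on every pass, so after a short write the next call resends bytes from the start, and the loop exits once the sum of the returned lengths reaches `len`, having emitted duplicated and truncated output (the very symptom reported). It needs `buf + offset, len - offset`. Spinning on `g_usleep(100)` with `chr_write_lock` held and no upper bound also lets a stalled reader block the caller indefinitely, and the trailing `qemu_chr_fe_write_log(s, buf, ret)` only logs the last chunk; track the total written and log that instead.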
  ---

  Or please do "git revert 64c800f808748522727847b9cdc73412f22dffb9".

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1586756/+subscriptions
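An added example (not QEMU code and not the fix proposed in the bug) showing how a write loop over a non-blocking chardev-style sink has to handle short writes and EAGAIN. The `chr_write_fn` type, the `write_all` and `write_all_buggy` functions and the `sink` writer are illustrative names; the sink is a constructed stand-in for a non-blocking UNIX socket that accepts at most 3 bytes per call and reports EAGAIN on every other call. It runs the loop from the bug report beside a corrected one over the same 7-byte message, so the duplicated output is visible.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Shape of the chardev backend write callback: bytes accepted, or -1 with
 * errno set (EAGAIN when a non-blocking sink is temporarily full). */
typedef int (*chr_write_fn)(void *ctx, const uint8_t *buf, int len);

/* Corrected loop: advance by what was accepted, retry only on EAGAIN, and
 * bound the retries so a peer that never drains cannot pin the caller (and
 * any lock it holds) forever. Returns bytes delivered, or -1 if none. */
int write_all(void *ctx, chr_write_fn fn, const uint8_t *buf, int len,
              int max_retries)
{
    int offset = 0, retries = 0;
    while (offset < len) {
        int ret = fn(ctx, buf + offset, len - offset);
        if (ret < 0) {
            if (errno == EAGAIN && retries++ < max_retries) {
                continue;   /* real code would poll() for POLLOUT here */
            }
            return offset > 0 ? offset : -1;
        }
        if (ret == 0) {
            break;          /* no progress: never spin forever */
        }
        offset += ret;
        retries = 0;
    }
    return offset;
}

/* The loop as posted in the bug report, for comparison only: buf and len
 * never advance, so each short write resends the start of the buffer. */
int write_all_buggy(void *ctx, chr_write_fn fn, const uint8_t *buf, int len)
{
    int offset = 0, ret = 0;
    while (offset < len) {
        ret = fn(ctx, buf, len);
        if (ret < 0 && errno == EAGAIN) continue;
        if (ret <= 0) break;
        offset += ret;
    }
    return ret;
}

/* Constructed sink standing in for a non-blocking UNIX socket: accepts at
 * most 3 bytes per call and reports EAGAIN on every other call. */
struct sink { uint8_t out[64]; int used, calls; };

static int sink_write(void *ctx, const uint8_t *buf, int len)
{
    struct sink *s = ctx;
    int room = (int)sizeof(s->out) - s->used;
    int n = len < 3 ? len : 3;
    if (s->calls++ % 2 == 1) {
        errno = EAGAIN;
        return -1;
    }
    n = n < room ? n : room;
    memcpy(s->out + s->used, buf, n);
    s->used += n;
    return n;
}

static const uint8_t MSG[] = "qemu-01";     /* constructed 7-byte message */
#define MSG_LEN ((int)sizeof(MSG) - 1)

static void push_msg(int use_fixed, struct sink *s)
{
    memset(s, 0, sizeof(*s));
    if (use_fixed) {
        write_all(s, sink_write, MSG, MSG_LEN, 16);
    } else {
        write_all_buggy(s, sink_write, MSG, MSG_LEN);
    }
}

/* Bytes the sink ended up holding: 7 for the corrected loop, 9 for the
 * posted one, which sends the 3-byte prefix "qem" three times. */
int delivered_bytes(int use_fixed)
{
    struct sink s;
    push_msg(use_fixed, &s);
    return s.used;
}

/* 1 if the sink holds exactly MSG, 0 if it was duplicated or truncated. */
int delivered_exact(int use_fixed)
{
    struct sink s;
    push_msg(use_fixed, &s);
    return s.used == MSG_LEN && memcmp(s.out, MSG, MSG_LEN) == 0;
}
```

The retry bound is what keeps a slow or hostile peer on the other end of the socket from turning a non-blocking write into an unbounded stall; in the real chardev path the wait belongs in the main loop (poll for writability), not in a sleep under the write lock.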



[Qemu-devel] [PATCH for-2.7 v4 36/36] tests: fix postcopy-test leaks

2016-08-05 Thread marcandre . lureau
From: Marc-André Lureau 

A few strings are allocated and never freed.

Signed-off-by: Marc-André Lureau 
Reviewed-by: Eric Blake 
---
 tests/postcopy-test.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/postcopy-test.c b/tests/postcopy-test.c
index bf4e579..41ed1a9 100644
--- a/tests/postcopy-test.c
+++ b/tests/postcopy-test.c
@@ -176,6 +176,7 @@ static void wait_for_serial(const char *side)
 int started = (strcmp(side, "src_serial") == 0 &&
strcmp(arch, "ppc64") == 0) ? 0 : 1;
 
+g_free(serialpath);
 do {
 int readvalue = fgetc(serialfile);
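Review bot: moving `g_free(serialpath)` above the read loop is what fixes the leak on the EOF and other non-'B' exits, but the loop body is not shown here; make sure no diagnostic inside it (the `case EOF:` branch is the likely candidate) still prints `serialpath` after it has been freed.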
 
@@ -203,7 +204,6 @@ static void wait_for_serial(const char *side)
 case 'B':
 /* It's alive! */
 fclose(serialfile);
-g_free(serialpath);
 return;
 
 case EOF:
@@ -350,6 +350,7 @@ static void cleanup(const char *filename)
 char *path = g_strdup_printf("%s/%s", tmpfs, filename);
 
 unlink(path);
+g_free(path);
 }
 
 static void test_migrate(void)
@@ -394,6 +395,8 @@ static void test_migrate(void)
 g_assert_not_reached();
 }
 
+g_free(bootpath);
+
 from = qtest_start(cmd_src);
 g_free(cmd_src);
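Review bot: freeing `bootpath` before `qtest_start(cmd_src)` is only safe because `cmd_src` (freed on the following line) is a separately allocated string that already embeds the path; if the command line for the destination side is built later in this function from `bootpath`, it has to be constructed before this `g_free`, so please double-check the ordering against the lines the hunk leaves out.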
 
-- 
2.9.0




Re: [Qemu-devel] [PATCH 1/7] util: Add UUID API

2016-08-05 Thread Fam Zheng
On Thu, 08/04 16:48, Daniel P. Berrange wrote:
> On Tue, Aug 02, 2016 at 05:18:32PM +0800, Fam Zheng wrote:
> > A number of different places across the code base use CONFIG_UUID. Some
> > of them are soft dependency, some are not built if libuuid is not
> > available, some come with dummy fallback, some throws runtime error.
> > 
> > It is hard to maintain, and hard to reason for users.
> > 
> > Since UUID is a simple standard with only a small number of operations,
> > it is cleaner to have a central support in libqemuutil. This patch adds
> > qemu_uuid_* the functions so that all uuid users in the code base can
> > rely on. Except for qemu_uuid_generate which is new code, all other
> > functions are just copy from existing fallbacks from other files.
> > 
> > Signed-off-by: Fam Zheng 
> > ---
> >  arch_init.c | 19 ---
> >  block/iscsi.c   |  2 +-
> >  hw/smbios/smbios.c  |  1 +
> >  include/qemu/uuid.h | 37 +
> >  include/sysemu/sysemu.h |  4 
> >  qmp.c   |  1 +
> >  stubs/uuid.c|  2 +-
> >  util/Makefile.objs  |  1 +
> >  util/uuid.c | 63 
> > +
> >  vl.c|  1 +
> >  10 files changed, 106 insertions(+), 25 deletions(-)
> >  create mode 100644 include/qemu/uuid.h
> >  create mode 100644 util/uuid.c
> 
> It would be nice to see you add a tests/test-uuid.c unit test to
> exercise all the new utility APIs you're adding & check their
> corner cases.

Sure, I'll add a test case.

Fam
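As an added example of the corner cases such a tests/test-uuid.c would need to cover (example code, not the qemu_uuid_* API of the patch): a strict RFC 4122 text parser and formatter. `ExampleUUID`, `example_uuid_parse`, `example_uuid_unparse`, `example_uuid_version_of` and `example_uuid_roundtrip` are illustrative names, and the UUID strings used to exercise it are constructed inputs.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_UUID_LEN     16
#define EX_UUID_STR_LEN 36   /* 8-4-4-4-12 hex digits plus four dashes */

typedef struct {
    uint8_t data[EX_UUID_LEN];
} ExampleUUID;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" in either case. Rejects a
 * wrong length, a dash anywhere but positions 8/13/18/23, non-hex digits
 * and trailing bytes; on error nothing is written to *out.
 * Returns 0 on success, -1 otherwise. */
int example_uuid_parse(const char *str, ExampleUUID *out)
{
    ExampleUUID tmp;
    size_t pos = 0;
    int i;

    if (strlen(str) != EX_UUID_STR_LEN) {
        return -1;
    }
    for (i = 0; i < EX_UUID_LEN; i++) {
        int hi, lo;

        if (pos == 8 || pos == 13 || pos == 18 || pos == 23) {
            if (str[pos] != '-') {
                return -1;
            }
            pos++;
        }
        hi = hexval(str[pos]);
        lo = hexval(str[pos + 1]);
        if (hi < 0 || lo < 0) {
            return -1;
        }
        tmp.data[i] = (uint8_t)(hi << 4 | lo);
        pos += 2;
    }
    *out = tmp;
    return 0;
}

/* Format as lowercase text into a buffer of at least EX_UUID_STR_LEN + 1. */
void example_uuid_unparse(const ExampleUUID *u, char *out)
{
    const uint8_t *d = u->data;

    snprintf(out, EX_UUID_STR_LEN + 1,
             "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
             d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
}

/* RFC 4122 version nibble (high nibble of byte 6) of the text form, or -1
 * if it does not parse; the nil UUID reports 0. */
int example_uuid_version_of(const char *str)
{
    ExampleUUID u;

    if (example_uuid_parse(str, &u) != 0) {
        return -1;
    }
    return u.data[6] >> 4;
}

/* 1 if str parses and formats back to itself (ignoring case), else 0. */
int example_uuid_roundtrip(const char *str)
{
    ExampleUUID u;
    char buf[EX_UUID_STR_LEN + 1];
    size_t i;

    if (example_uuid_parse(str, &u) != 0) {
        return 0;
    }
    example_uuid_unparse(&u, buf);
    for (i = 0; i < EX_UUID_STR_LEN; i++) {
        if (tolower((unsigned char)str[i]) != buf[i]) {
            return 0;
        }
    }
    return 1;
}
```

The length check up front and the parse-into-temporary pattern are the two things a fuzzer will otherwise find: without the first, a 35- or 37-byte string is silently accepted; without the second, a caller that ignores the return value sees a half-written UUID.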



[Qemu-devel] [PULL 0/2] Docker patches

2016-08-05 Thread Fam Zheng
The following changes since commit 42e0d60f1615ef63d16e41bb1668805560c37870:

  Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20160804' 
into staging (2016-08-04 18:36:05 +0100)

are available in the git repository at:

  g...@github.com:famz/qemu tags/docker-pull-request

for you to fetch changes up to 4a93f78ed086d6f0bceb3f0b281009e6026935b7:

  docker: Add "--enable-werror" to configure command line (2016-08-05 16:34:55 
+0800)



Two bug fixes. One fixes breakage on RHEL 7, reported by Paolo, the other one
fixes the missing --enable-werror in docker build, which was intended since the
beginning, but was left behind during later iterations of the initial patch
series (lost .git in the docker src copy).



Fam Zheng (2):
  docker: Be compatible with older docker
  docker: Add "--enable-werror" to configure command line

 tests/docker/Makefile.include | 5 ++---
 tests/docker/common.rc| 1 +
 2 files changed, 3 insertions(+), 3 deletions(-)

-- 
2.7.4




Re: [Qemu-devel] [PATCH 3/7] vdi: Use QEMU UUID API

2016-08-05 Thread Fam Zheng
On Fri, 08/05 08:31, Markus Armbruster wrote:
> Eric Blake  writes:
> 
> > On 08/04/2016 12:58 PM, Stefan Weil wrote:
> >> Hi,
> >> 
> >> On 08/02/16 11:18, Fam Zheng wrote:
> >>> The QEMU UUID api, including the data structure (qemu_uuid_t), is fully
> >>> compatible with libuuid.  Use it, and remove the unused code.
> >>>
> >>> Signed-off-by: Fam Zheng 
> >>> ---
> >>>  block/vdi.c | 49 ++---
> >>>  1 file changed, 10 insertions(+), 39 deletions(-)
> >>>
> >
> >>> @@ -182,10 +153,10 @@ typedef struct {
> >>>  uint32_t block_extra;   /* unused here */
> >>>  uint32_t blocks_in_image;
> >>>  uint32_t blocks_allocated;
> >>> -uuid_t uuid_image;
> >>> -uuid_t uuid_last_snap;
> >>> -uuid_t uuid_link;
> >>> -uuid_t uuid_parent;
> >>> +qemu_uuid_t uuid_image;
> >>> +qemu_uuid_t uuid_last_snap;
> >>> +qemu_uuid_t uuid_link;
> >>> +qemu_uuid_t uuid_parent;
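Review bot: these four fields live inside the on-disk VDI header struct, so the replacement type has to keep libuuid's layout exactly (16 bytes, byte alignment, no padding); otherwise every field after `uuid_image` shifts and existing images stop opening. A `QEMU_BUILD_BUG_ON(sizeof(qemu_uuid_t) != 16)` next to the header definition, plus a sentence in the commit message that the new type is a plain 16-byte array, would make the "fully compatible with libuuid" claim checkable.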
> >> 
> >> As far as I remember, _t should be avoided because that postfix is
> >> reserved by POSIX. Should we use qemu_uuid, or can we ignore POSIX
> >> because the type name uses the qemu_ prefix?
> >
> > Correct that POSIX reserved all _t (which is a bit broad, oh well), and
> > also correct that we can take the risk of using it anyways (but if POSIX
> > ever standardizes something, we get to keep both of our broken pieces).
> >
> >
> >> Either with qemu_uuid_t or with qemu_uuid:
> >
> > I thought our coding standard preferred QemuUUID or something similar in
> > camelcase, rather than lower case.
> 
> Correct.  It's ugly (in my opinion), but we should stick to it, so it's
> at least consistently ugly.
> 
> > But now we are just painting a
> > bikeshed, so I won't strongly object.
> 
> I'd prefer QemuUUID.

Fair enough. If QEMUUUID wasn't so UNREADABLE, I'd have used it.

Will change to QemuUUID. It's a bit more acceptable to me.

Fam




Re: [Qemu-devel] [RFC PATCH V10 7/7] colo-compare: add TCP, UDP, ICMP packet comparison

2016-08-05 Thread Zhang Chen



On 08/02/2016 04:04 PM, Jason Wang wrote:



On 2016年07月26日 09:49, Zhang Chen wrote:

We add TCP,UDP,ICMP packet comparison to replace
IP packet comparison. This can increase the
accuracy of the packet comparison.
less checkpoint more efficiency.


s/less/Less/


OK.





Signed-off-by: Zhang Chen 
Signed-off-by: Li Zhijian 
Signed-off-by: Wen Congyang 
---
  net/colo-compare.c | 174 
+++--

  trace-events   |   4 ++
  2 files changed, 174 insertions(+), 4 deletions(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index e020edc..c7bb5f7 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -18,6 +18,7 @@
  #include "qapi/qmp/qerror.h"
  #include "qapi/error.h"
  #include "net/net.h"
+#include "net/eth.h"
  #include "net/vhost_net.h"
  #include "qom/object_interfaces.h"
  #include "qemu/iov.h"
@@ -197,9 +198,158 @@ static int colo_packet_compare(Packet *ppkt, 
Packet *spkt)

  }
  }
  -static int colo_packet_compare_all(Packet *spkt, Packet *ppkt)
+/*
+ * called from the compare thread on the primary
+ * for compare tcp packet
+ * compare_tcp copied from Dr. David Alan Gilbert's branch
+ */
+static int colo_packet_compare_tcp(Packet *spkt, Packet *ppkt)
+{
+struct tcphdr *ptcp, *stcp;
+int res;
+char *sdebug, *ddebug;
+
+trace_colo_compare_main("compare tcp");
+if (ppkt->size != spkt->size) {
+if (trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {
+trace_colo_compare_main("pkt size not same");
+}
+return -1;
+}
+
+ptcp = (struct tcphdr *)ppkt->transport_layer;
+stcp = (struct tcphdr *)spkt->transport_layer;
+
+if (ptcp->th_seq != stcp->th_seq) {
+if (trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {
+trace_colo_compare_main("pkt tcp seq not same");
+}
+return -1;
+}
+
+/*
+ * The 'identification' field in the IP header is *very* random
+ * it almost never matches.  Fudge this by ignoring differences in
+ * unfragmented packets; they'll normally sort themselves out if 
different

+ * anyway, and it should recover at the TCP level.
+ * An alternative would be to get both the primary and secondary 
to rewrite

+ * somehow; but that would need some sync traffic to sync the state
+ */
+if (ntohs(ppkt->ip->ip_off) & IP_DF) {
+spkt->ip->ip_id = ppkt->ip->ip_id;
+/* and the sum will be different if the IDs were different */
+spkt->ip->ip_sum = ppkt->ip->ip_sum;
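Review bot: `ptcp = (struct tcphdr *)ppkt->transport_layer;` and the `th_seq` reads happen without any check that the packet actually contains a full TCP header; `ppkt->size != spkt->size` only establishes that the two packets are the same length, not that either is at least ETH_HLEN + IP header + sizeof(struct tcphdr), so a short frame from the guest reads past its buffer. Validate the transport length (or have the packet parser reject short headers) before the casts. Separately, the DF fudge writes the primary's `ip_id` and `ip_sum` into `spkt` in place; if the comparison then fails and the secondary packet is still forwarded, it leaves with a header checksum that was never computed for it.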


This looks dangerous. If the packets were not logically the same, the ip
csum of the secondary would be changed.


If the packets are not the same, we will do a checkpoint.





+}
+
+res = memcmp(ppkt->data + ETH_HLEN, spkt->data + ETH_HLEN,
+(spkt->size - ETH_HLEN));
+
+if (res != 0 && 
trace_event_get_state(TRACE_COLO_COMPARE_MISCOMPARE)) {

+sdebug = strdup(inet_ntoa(ppkt->ip->ip_src));
+ddebug = strdup(inet_ntoa(ppkt->ip->ip_dst));
+fprintf(stderr, "%s: src/dst: %s/%s p: seq/ack=%u/%u"
+" s: seq/ack=%u/%u res=%d flags=%x/%x\n", __func__,
+   sdebug, ddebug,
+   ntohl(ptcp->th_seq), ntohl(ptcp->th_ack),
+   ntohl(stcp->th_seq), ntohl(stcp->th_ack),
+   res, ptcp->th_flags, stcp->th_flags);
+
+trace_colo_compare_tcp_miscompare("Primary len", ppkt->size);
+qemu_hexdump((char *)ppkt->data, stderr, "colo-compare", 
ppkt->size);

+trace_colo_compare_tcp_miscompare("Secondary len", spkt->size);
+qemu_hexdump((char *)spkt->data, stderr, "colo-compare", 
spkt->size);

+
+g_free(sdebug);
+g_free(ddebug);
+}
+
+return res;
+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare udp packet
+ */
+static int colo_packet_compare_udp(Packet *spkt, Packet *ppkt)
+{
+int ret;
+
+trace_colo_compare_main("compare udp");
+ret = colo_packet_compare(ppkt, spkt);
+
+if (ret) {
+trace_colo_compare_udp_miscompare("primary pkt size", 
ppkt->size);
+qemu_hexdump((char *)ppkt->data, stderr, "colo-compare", 
ppkt->size);
+trace_colo_compare_udp_miscompare("Secondary pkt size", 
spkt->size);
+qemu_hexdump((char *)spkt->data, stderr, "colo-compare", 
spkt->size);

+}
+
+return ret;
+}
+
+/*
+ * called from the compare thread on the primary
+ * for compare icmp packet
+ */
+static int colo_packet_compare_icmp(Packet *spkt, Packet *ppkt)
  {
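Review bot: `sdebug`/`ddebug` are allocated with libc strdup() but released with g_free(); QEMU pairs g_free() with g_strdup(), and since inet_ntoa() returns a static buffer the two copies must be taken before the next call, as is done here. The fprintf(stderr, ...) block inside the trace_event_get_state() check bypasses the trace backend; fold those fields into the trace_colo_compare_tcp_miscompare event instead. In colo_packet_compare_udp() the hexdumps are emitted on every mismatch without the trace-state gate the TCP path uses, which can flood stderr under a burst of miscompares.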


Considering that icmp packets are usually not big, why not simply use memcpy? 
(I think I asked the same question in the past).




In the past we added colo_packet_compare(ppkt, spkt) at the tail to compare 
the whole packet; by the head of this function we can know which part of 
the icmp pkt differs when the packets are not the same.

So, for this comment I will remove the head of this function in the next version.

Thanks
Zhang Chen


-trace_colo_compare_main("compare all");
+int network_length;
+struct i
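As an added example (not the COLO code from the patch) of the bounds checking the compare path needs when packet lengths and header fields come from the guest: a parser that validates the Ethernet/IPv4/TCP layering before anything is dereferenced, and a TCP compare that skips the IP identification and header checksum of DF packets instead of rewriting the secondary packet. `ExPacket`, `ex_parse`, `ex_compare_tcp`, `ex_build_frame` and `ex_demo_compare` are illustrative names, the ETH_HLEN/IP_DF constants are redefined locally rather than taken from net/eth.h, and the 54-byte frames are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EX_ETH_HLEN  14
#define EX_IP_DF     0x4000
#define EX_FRAME_LEN 54   /* Ethernet + IPv4 + TCP headers, no options, no payload */

typedef struct {
    const uint8_t *data;
    size_t size, l4_off;    /* frame length; start of the TCP header */
    uint16_t ip_flags_off;  /* IPv4 flags + fragment offset, host order */
} ExPacket;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Validate Ethernet/IPv4/TCP layering before any header is dereferenced: each
 * header must fit in the buffer and in the IPv4 total length. The bytes are
 * never modified. Returns false for a truncated or non-TCP frame. */
bool ex_parse(const uint8_t *buf, size_t len, ExPacket *pkt)
{
    const uint8_t *ip, *tcp;
    size_t ihl, tot, doff;
    if (len < EX_ETH_HLEN + 20 || rd16(buf + 12) != 0x0800) {
        return false;
    }
    ip = buf + EX_ETH_HLEN;
    ihl = (ip[0] & 0x0f) * 4;
    tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl + 20 ||
        EX_ETH_HLEN + tot > len || ip[9] != 6) {
        return false;
    }
    tcp = ip + ihl;
    doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tot - ihl) {
        return false;
    }
    pkt->data = buf;
    pkt->size = EX_ETH_HLEN + tot;
    pkt->l4_off = EX_ETH_HLEN + ihl;
    pkt->ip_flags_off = rd16(ip + 6);
    return true;
}

/* Same intent as the COLO TCP compare: equal size, equal TCP sequence number,
 * equal bytes after the Ethernet header; for unfragmented (DF) packets the
 * IPv4 identification (bytes 4-5) and header checksum (bytes 10-11) are
 * skipped rather than copied into the secondary. 0 if equal, -1 if not. */
int ex_compare_tcp(const ExPacket *p, const ExPacket *s)
{
    bool skip_id = (p->ip_flags_off & EX_IP_DF) && (s->ip_flags_off & EX_IP_DF);
    size_t i;
    if (p->size != s->size || p->l4_off != s->l4_off ||
        memcmp(p->data + p->l4_off + 4, s->data + s->l4_off + 4, 4) != 0) {
        return -1;                                  /* size or th_seq differs */
    }
    for (i = EX_ETH_HLEN; i < p->size; i++) {
        size_t rel = i - EX_ETH_HLEN;               /* offset into IPv4 header */
        if (skip_id && (rel == 4 || rel == 5 || rel == 10 || rel == 11)) {
            continue;
        }
        if (p->data[i] != s->data[i]) {
            return -1;
        }
    }
    return 0;
}

/* Constructed frame: IPv4/TCP 8080 -> 80, ACK, no payload, addresses zeroed. */
static void ex_build_frame(uint8_t out[EX_FRAME_LEN], uint16_t ip_id,
                           uint16_t ip_sum, uint32_t seq, bool df)
{
    uint8_t *ip = out + EX_ETH_HLEN, *tcp = ip + 20;
    uint16_t fo = df ? EX_IP_DF : 0;
    memset(out, 0, EX_FRAME_LEN);
    out[12] = 0x08;                                 /* EtherType 0x0800 */
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;
    ip[4] = ip_id >> 8; ip[5] = ip_id & 0xff; ip[6] = fo >> 8; ip[7] = fo & 0xff;
    ip[10] = ip_sum >> 8; ip[11] = ip_sum & 0xff;
    tcp[0] = 0x1f; tcp[1] = 0x90; tcp[3] = 0x50;
    tcp[4] = seq >> 24; tcp[5] = seq >> 16; tcp[6] = seq >> 8; tcp[7] = seq;
    tcp[12] = 0x50; tcp[13] = 0x10;                 /* data offset 5, ACK */
}

/* Build a primary and a secondary frame and compare them. Only the first
 * len_b bytes of the secondary reach the parser, so a value below
 * EX_FRAME_LEN simulates a truncated guest packet. -2: validation failed. */
int ex_demo_compare(uint16_t id1, uint16_t sum1, uint32_t seq1,
                    uint16_t id2, uint16_t sum2, uint32_t seq2,
                    bool df, size_t len_b)
{
    uint8_t a[EX_FRAME_LEN], b[EX_FRAME_LEN];
    ExPacket pa, pb;
    ex_build_frame(a, id1, sum1, seq1, df);
    ex_build_frame(b, id2, sum2, seq2, df);
    if (len_b > EX_FRAME_LEN || !ex_parse(a, sizeof(a), &pa) ||
        !ex_parse(b, len_b, &pb)) {
        return -2;
    }
    return ex_compare_tcp(&pa, &pb);
}
```

Two DF frames that differ only in IP id and checksum compare equal, the same frames without DF do not, a sequence-number mismatch is caught before the byte loop, and a frame cut short of its IPv4 total length is rejected by the parser rather than compared.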

[Qemu-devel] [PULL 1/2] docker: Be compatible with older docker

2016-08-05 Thread Fam Zheng
By not using "--format" with docker images command.

The option is not available on RHEL 7 docker command. Use an awk
matching command instead.

Reported-by: Paolo Bonzini 
Signed-off-by: Fam Zheng 
Message-Id: <1470202928-3392-1-git-send-email-f...@redhat.com>
---
 tests/docker/Makefile.include | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/docker/Makefile.include b/tests/docker/Makefile.include
index 78af468..4f4707d 100644
--- a/tests/docker/Makefile.include
+++ b/tests/docker/Makefile.include
@@ -107,9 +107,8 @@ docker-run-%: docker-qemu-src
fi
$(if $(filter $(TESTS),$(CMD)),$(if $(filter $(IMAGES),$(IMAGE)), \
$(call quiet-command,\
-   if $(SRC_PATH)/tests/docker/docker.py images \
-   --format={{.Repository}}:{{.Tag}} | \
-   grep -qx qemu:$(IMAGE); then \
+   if $(SRC_PATH)/tests/docker/docker.py images | \
+   awk '$$1=="qemu" && $$2=="$(IMAGE)"{found=1} 
END{exit(!found)}'; then \
$(SRC_PATH)/tests/docker/docker.py run $(if 
$V,,--rm) \
-t \
$(if $(DEBUG),-i,--net=none) \
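Review bot: the awk replacement keys on the column layout of plain `docker images` output (REPOSITORY in $1, TAG in $2), which is exactly the dependency `--format` was there to avoid, and `$(IMAGE)` is interpolated inside awk's double-quoted string, so an image name containing a double quote or backslash breaks the expression. Consider probing for `--format` first and only falling back to the awk match when docker rejects the option.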
-- 
2.7.4




Re: [Qemu-devel] fix incorrect identify implementation in nvme

2016-08-05 Thread Kevin Wolf
Am 05.08.2016 um 08:48 hat Markus Armbruster geschrieben:
> Keith Busch  writes:
> 
> > On Thu, Aug 04, 2016 at 09:42:13PM +0200, Christoph Hellwig wrote:
> >> Third resent of this series after this didn't get picked up the
> >> previous times.  The Qemu NVMe implementation mistakes the cns
> >> field in the Identify command as a boolean.  This was never
> >> true, and is actively harmful since NVMe1.1 (which the Qemu
> >> device claims to support) supports more than two Identify variants.
> >> 
> >> We had to add a quirk in Linux to work around this behavior.
> >
> > Yes, these are great. Do we need to ping a maintainer to go through
> > their tree, or can this be applied immediately? If need be, I can apply
> > and send a pull request.
> 
> $ scripts/get_maintainer.pl -f hw/block/nvme.c 
> Keith Busch  (supporter:nvme)
> Kevin Wolf  (supporter:Block layer core)
> Max Reitz  (supporter:Block layer core)
> qemu-bl...@nongnu.org (open list:nvme)
> qemu-devel@nongnu.org (open list:All patches CC here)
> 
> Send a pull request (assuming you have a properly signed PGP key).

Keith, I'll take the patches through my tree with your Acked-by,
assuming that this makes the process easier for you.

Sorry for forgetting about the previous version, I had intended to give
others a chance to comment before I apply them, but then it fell through
the cracks. Next time someone just send a quick "ping" reply after a week
or so, please.

Kevin



[Qemu-devel] [Bug 1490611] Re: Using qemu >=2.2.1 to convert raw->VHD (fixed) adds extra padding to the result file, which Microsoft Azure rejects as invalid

2016-08-05 Thread Robie Basak
Uploaded.

** Changed in: qemu (Ubuntu Xenial)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1490611

Title:
  Using qemu >=2.2.1 to convert raw->VHD (fixed) adds extra padding to
  the result file, which Microsoft Azure rejects as invalid

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Xenial:
  In Progress

Bug description:
  [Impact]

   * Starting with a raw disk image, using "qemu-img convert" to convert
  from raw to VHD results in the output VHD file's virtual size being
  aligned to the nearest 516096 bytes (16 heads x 63 sectors per head x
  512 bytes per sector), instead of preserving the input file's size as
  the output VHD's virtual disk size.

   * Microsoft Azure requires that disk images (VHDs) submitted for
  upload have virtual sizes aligned to a megabyte boundary. (Ex. 4096MB,
  4097MB, 4098MB, etc. are OK, 4096.5MB is rejected with an error.) This
  is reflected in Microsoft's documentation: https://azure.microsoft.com
  /en-us/documentation/articles/virtual-machines-linux-create-upload-
  vhd-generic/

   * The fix for this bug is a backport from upstream.
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fb9245c2610932d33ce14

  [Test Case]

   * This is reproducible with the following set of commands (including
  the Azure command line tools from https://github.com/Azure/azure-
  xplat-cli). For the following example, I used qemu version 2.2.1:

  $ dd if=/dev/zero of=source-disk.img bs=1M count=4096

  $ stat source-disk.img
    File: ‘source-disk.img’
    Size: 4294967296  Blocks: 798656 IO Block: 4096   regular file
  Device: fc01h/64513dInode: 13247963Links: 1
  Access: (0644/-rw-r--r--)  Uid: ( 1000/  smkent)   Gid: ( 1000/  smkent)
  Access: 2015-08-18 09:48:02.613988480 -0700
  Modify: 2015-08-18 09:48:02.825985646 -0700
  Change: 2015-08-18 09:48:02.825985646 -0700
   Birth: -

  $ qemu-img convert -f raw -o subformat=fixed -O vpc source-disk.img
  dest-disk.vhd

  $ stat dest-disk.vhd
    File: ‘dest-disk.vhd’
    Size: 4296499712  Blocks: 535216 IO Block: 4096   regular file
  Device: fc01h/64513dInode: 13247964Links: 1
  Access: (0644/-rw-r--r--)  Uid: ( 1000/  smkent)   Gid: ( 1000/  smkent)
  Access: 2015-08-18 09:50:22.252077624 -0700
  Modify: 2015-08-18 09:49:24.424868868 -0700
  Change: 2015-08-18 09:49:24.424868868 -0700
   Birth: -

  $ azure vm image create testimage1 dest-disk.vhd -o linux -l "West US"
  info:Executing command vm image create
  + Retrieving storage accounts
  info:VHD size : 4097 MB
  info:Uploading 4195800.5 KB
  Requested:100.0% Completed:100.0% Running:   0 Time: 1m 0s Speed:  6744 KB/s
  info:https://[redacted].blob.core.windows.net/vm-images/dest-disk.vhd was 
uploaded successfully
  error:   The VHD 
https://[redacted].blob.core.windows.net/vm-images/dest-disk.vhd has an 
unsupported virtual size of 4296499200 bytes.  The size must be a whole number 
(in MBs).
  info:Error information has been recorded to /home/smkent/.azure/azure.err
  error:   vm image create command failed

   * A fixed qemu-img will not result in an error during azure image
  creation. It will require passing -o force_size, which will leverage
  the backported functionality.

  [Regression Potential]

   * The upstream fix introduces a qemu-img option (-o force_size) which
  is unset by default. The regression potential is very low, as a
  result.

  ...

  I also ran the above commands using qemu 2.4.0, which resulted in the
  same error as the conversion behavior is the same.

  However, qemu 2.1.1 and earlier (including qemu 2.0.0 installed by
  Ubuntu 14.04) does not pad the virtual disk size during conversion.
  Using qemu-img convert from qemu versions <=2.1.1 results in a VHD
  that is exactly the size of the raw input file plus 512 bytes (for the
  VHD footer). Those qemu versions do not attempt to realign the disk.
  As a result, Azure accepts VHD files created using those versions of
  qemu-img convert for upload.

  Is there a reason why newer qemu realigns the converted VHD file? It
  would be useful if an option were added to disable this feature, as
  current versions of qemu cannot be used to create VHD files for Azure
  using Microsoft's official instructions.




[Qemu-devel] [PATCH 1/3] ppc/pnv: add skeleton PowerNV platform

2016-08-05 Thread Cédric Le Goater
From: Benjamin Herrenschmidt 

The goal is to emulate a PowerNV system at the level of the skiboot
firmware, which loads the OS and provides some runtime services. Power
Systems have a lower firmware (HostBoot) that does low level system
initialization, like DRAM training. This is beyond the scope of what
qemu will address in a PowerNV guest.

No devices yet, not even an interrupt controller. Just to get started,
some RAM to load the skiboot firmware, the kernel and initrd. The
device tree is fully created in the machine reset op.

Signed-off-by: Benjamin Herrenschmidt 
[clg: - updated for qemu-2.7
  - replaced fprintf by error_report
  - used a common definition of _FDT macro
  - removed VMStateDescription as migration is not yet supported
  - added IBM Copyright statements
  - reworked kernel_filename handling
  - merged PnvSystem and sPowerNVMachineState
  - removed PHANDLE_XICP
  - added ppc_create_page_sizes_prop helper
  - removed nmi support
  - removed kvm support
  - updated powernv machine to version 2.8
  - removed chips and cpus, They will be provided in another patches
  - added a machine reset routine to initialize the device tree (also)
  - french has a squelette and english a skeleton.
  - improved commit log.
  - reworked prototypes parameters
  - added a check on the ram size (thanks to Michael Ellerman)
  - fixed chip-id cell
  - and then, I got lost with the changes.
]
Signed-off-by: Cédric Le Goater 
---
 default-configs/ppc64-softmmu.mak |   1 +
 hw/ppc/Makefile.objs  |   2 +
 hw/ppc/pnv.c  | 283 ++
 include/hw/ppc/pnv.h  |  36 +
 4 files changed, 322 insertions(+)
 create mode 100644 hw/ppc/pnv.c
 create mode 100644 include/hw/ppc/pnv.h

diff --git a/default-configs/ppc64-softmmu.mak 
b/default-configs/ppc64-softmmu.mak
index c4be59f638ed..516a6e25aba3 100644
--- a/default-configs/ppc64-softmmu.mak
+++ b/default-configs/ppc64-softmmu.mak
@@ -40,6 +40,7 @@ CONFIG_I8259=y
 CONFIG_XILINX=y
 CONFIG_XILINX_ETHLITE=y
 CONFIG_PSERIES=y
+CONFIG_POWERNV=y
 CONFIG_PREP=y
 CONFIG_MAC=y
 CONFIG_E500=y
diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index 99a0d4e581bf..8105db7d5600 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -5,6 +5,8 @@ obj-$(CONFIG_PSERIES) += spapr.o spapr_vio.o spapr_events.o
 obj-$(CONFIG_PSERIES) += spapr_hcall.o spapr_iommu.o spapr_rtas.o
 obj-$(CONFIG_PSERIES) += spapr_pci.o spapr_rtc.o spapr_drc.o spapr_rng.o
 obj-$(CONFIG_PSERIES) += spapr_cpu_core.o
+# IBM PowerNV
+obj-$(CONFIG_POWERNV) += pnv.o
 ifeq ($(CONFIG_PCI)$(CONFIG_PSERIES)$(CONFIG_LINUX), yyy)
 obj-y += spapr_pci_vfio.o
 endif
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
new file mode 100644
index ..3bb6a240c25b
--- /dev/null
+++ b/hw/ppc/pnv.c
@@ -0,0 +1,283 @@
+/*
+ * QEMU PowerPC PowerNV model
+ *
+ * Copyright (c) 2004-2007 Fabrice Bellard
+ * Copyright (c) 2007 Jocelyn Mayer
+ * Copyright (c) 2010 David Gibson, IBM Corporation.
+ * Copyright (c) 2014-2016 BenH, IBM Corporation.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ */
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "sysemu/sysemu.h"
+#include "sysemu/numa.h"
+#include "hw/hw.h"
+#include "target-ppc/cpu.h"
+#include "qemu/log.h"
+#include "hw/ppc/fdt.h"
+#include "hw/ppc/ppc.h"
+#include "hw/ppc/pnv.h"
+#include "hw/loader.h"
+#include "exec/address-spaces.h"
+#include "qemu/cutils.h"
+
+#include 
+
+#define FDT_ADDR0x0100
+#define FDT_MAX_SIZE0x0010
+#define FW_MAX_SIZE 0x0040
+#define FW_FILE_NAME"skiboot.lid"
+
+#define MAX_CPUS255
+
+static void powernv_populate_memory_node(void *fdt, int nodeid, hwaddr start,
+ hwaddr size)
+{
+/* Probably bogus, need to match with what's going on

[Qemu-devel] [PULL for-2.7 1/5] block/parallels: check new image size

2016-08-05 Thread Stefan Hajnoczi
From: Klim Kireev 

Before this patch incorrect image could be created via qemu-img
(Example: qemu-img create -f parallels -o size=4096T hack.img),
incorrect images cannot be used due to overflow in main image structure.

This patch add check of size in image creation.

After reading size it compare it with UINT32_MAX * cluster_size.

Signed-off-by: Klim Kireev 
Signed-off-by: Denis V. Lunev 
Message-id: 1469639300-12155-1-git-send-email-...@openvz.org
CC: Stefan Hajnoczi 
Signed-off-by: Stefan Hajnoczi 
---
 block/parallels.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/block/parallels.c b/block/parallels.c
index 807a801..2ccefa7 100644
--- a/block/parallels.c
+++ b/block/parallels.c
@@ -43,6 +43,7 @@
 #define HEADER_MAGIC2 "WithouFreSpacExt"
 #define HEADER_VERSION 2
 #define HEADER_INUSE_MAGIC  (0x746F6E59)
+#define MAX_PARALLELS_IMAGE_FACTOR (1ull << 32)
 
 #define DEFAULT_CLUSTER_SIZE 1048576/* 1 MiB */
 
@@ -475,6 +476,10 @@ static int parallels_create(const char *filename, QemuOpts 
*opts, Error **errp)
   BDRV_SECTOR_SIZE);
 cl_size = ROUND_UP(qemu_opt_get_size_del(opts, BLOCK_OPT_CLUSTER_SIZE,
   DEFAULT_CLUSTER_SIZE), BDRV_SECTOR_SIZE);
+if (total_size >= MAX_PARALLELS_IMAGE_FACTOR * cl_size) {
+error_propagate(errp, local_err);
+return -E2BIG;
+}
 
 ret = bdrv_create_file(filename, opts, &local_err);
 if (ret < 0) {
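Review bot: the new early return passes `local_err` to error_propagate() before anything in this function has set it (bdrv_create_file() fills it only later), so the caller gets -E2BIG with no error message; use `error_setg(errp, "Image size is too large for this cluster size")` or similar instead. Separately, `MAX_PARALLELS_IMAGE_FACTOR * cl_size` wraps when cl_size is 2^32 or more, which makes the comparison accept any total_size; since cl_size comes from the user's BLOCK_OPT_CLUSTER_SIZE option, bound cl_size first or compare `total_size / cl_size` against the factor.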
-- 
2.7.4
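
The size check from the patch above, as an added stand-alone example that is not QEMU code: it mirrors the limit and the sector-size rounding from the hunk and adds the overflow guard a hardened version needs, so that a huge user-supplied cluster size cannot wrap the product and defeat the check. The helper names (`parallels_size_ok`, `round_up_u64`) are this example's own, and the sample sizes are the 4096T case from the commit message plus constructed neighbours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same limit and rounding as the hunk; this is a stand-alone example,
 * not block/parallels.c. */
#define MAX_PARALLELS_IMAGE_FACTOR (1ull << 32)
#define BDRV_SECTOR_SIZE 512ull

/* Round up without wrapping: saturates to UINT64_MAX for inputs near the top. */
static uint64_t round_up_u64(uint64_t v, uint64_t m)
{
    if (v > UINT64_MAX - (m - 1)) {
        return UINT64_MAX;
    }
    return (v + m - 1) / m * m;
}

/*
 * Returns true when an image of total_size bytes with cl_size-byte clusters
 * stays below MAX_PARALLELS_IMAGE_FACTOR clusters.  Unlike the bare
 * comparison in the patch, the product is guarded so that a huge cluster
 * size cannot wrap it to a small value (this example's own addition).
 */
bool parallels_size_ok(uint64_t total_size, uint64_t cl_size)
{
    uint64_t cl = round_up_u64(cl_size, BDRV_SECTOR_SIZE);
    uint64_t size = round_up_u64(total_size, BDRV_SECTOR_SIZE);

    if (cl == 0) {
        return false;                       /* no cluster size at all */
    }
    if (cl > UINT64_MAX / MAX_PARALLELS_IMAGE_FACTOR) {
        return false;                       /* factor * cl would overflow */
    }
    return size < MAX_PARALLELS_IMAGE_FACTOR * cl;
}

int main(void)
{
    /* The case from the commit message: 4096T with the default 1 MiB cluster. */
    uint64_t cl = 1ull << 20;
    uint64_t tib = 1ull << 40;

    printf("4096T, 1 MiB clusters: %s\n",
           parallels_size_ok(4096 * tib, cl) ? "ok" : "rejected");
    printf("4095T, 1 MiB clusters: %s\n",
           parallels_size_ok(4095 * tib, cl) ? "ok" : "rejected");
    printf("1 MiB, 4 GiB clusters: %s\n",
           parallels_size_ok(cl, 1ull << 32) ? "ok" : "rejected");
    return 0;
}
```

With the 1 MiB default cluster the limit is exactly 2^52 bytes, so 4096T is rejected and 4095T is accepted; a 4 GiB cluster size is rejected outright instead of wrapping the product to zero.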




[Qemu-devel] [PULL 2/2] docker: Add "--enable-werror" to configure command line

2016-08-05 Thread Fam Zheng
We don't have .git in the docker checkout, add this to enable -Werror
explicitly.

Signed-off-by: Fam Zheng 
Message-id: 1469453510-658-1-git-send-email-f...@redhat.com
---
 tests/docker/common.rc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/docker/common.rc b/tests/docker/common.rc
index 77069e1..0c6d8d5 100755
--- a/tests/docker/common.rc
+++ b/tests/docker/common.rc
@@ -24,6 +24,7 @@ requires()
 build_qemu()
 {
 $QEMU_SRC/configure \
+--enable-werror \
 ${TARGET_LIST:+"--target-list=${TARGET_LIST}"} \
 --prefix="$PWD/install" \
 $EXTRA_CONFIGURE_OPTS \
-- 
2.7.4




[Qemu-devel] [PATCH 0/3] ppc/pnc: add a minimal platform

2016-08-05 Thread Cédric Le Goater
In this version, the initial patch sent by Ben was trimmed down to a
minimum: a platform with some RAM to load initial ROMs and a device
tree built from the machine reset op.

A PnvChip object comes next to act as a container for all the
'chiplets' required to run a system. First of these are the cores,
represented by the PowerNVCPUCore objects.

The PowerNV platform does not yet provide enough support to be useful,
but it can be run under qemu, so you can check the qom tree. This is
the first step towards adding the missing models. XICS and XSCOM should
come next.

Thanks,

C. 

Benjamin Herrenschmidt (1):
  ppc/pnv: add skeleton PowerNV platform

Cédric Le Goater (2):
  ppc/pnv: add a PnvChip object
  ppc/pnv: add a PowerNVCPUCore object

 default-configs/ppc64-softmmu.mak |   1 +
 hw/ppc/Makefile.objs  |   2 +
 hw/ppc/pnv.c  | 484 ++
 hw/ppc/pnv_core.c | 171 ++
 include/hw/ppc/pnv.h  |  58 +
 include/hw/ppc/pnv_core.h |  47 
 6 files changed, 763 insertions(+)
 create mode 100644 hw/ppc/pnv.c
 create mode 100644 hw/ppc/pnv_core.c
 create mode 100644 include/hw/ppc/pnv.h
 create mode 100644 include/hw/ppc/pnv_core.h

-- 
2.7.4




[Qemu-devel] [PATCH 2/3] ppc/pnv: add a PnvChip object

2016-08-05 Thread Cédric Le Goater
This is an abstraction of a P8 chip which is a set of cores plus
other 'units', like the pervasive unit, the interrupt controller, the
memory controller, the on-chip microcontroller, etc. The whole can be
seen as a socket.

We start with an empty PnvChip which we will grow in the subsequent
patches with controllers required to run the system.

Signed-off-by: Cédric Le Goater 
---
 hw/ppc/pnv.c | 47 +++
 include/hw/ppc/pnv.h | 15 +++
 2 files changed, 62 insertions(+)

diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index 3bb6a240c25b..a680780e9dea 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -185,6 +185,7 @@ static void ppc_powernv_init(MachineState *machine)
 sPowerNVMachineState *pnv = POWERNV_MACHINE(machine);
 long fw_size;
 char *filename;
+int i;
 
 if (ram_size < (1 * G_BYTE)) {
 error_report("Warning: skiboot may not work with < 1GB of RAM");
@@ -236,6 +237,23 @@ static void ppc_powernv_init(MachineState *machine)
 pnv->initrd_base = 0;
 pnv->initrd_size = 0;
 }
+
+/* Create PowerNV chips
+ *
+ * FIXME: We should decide how many chips to create based on
+ * #cores and Venice vs. Murano vs. Naples chip type etc..., for
+ * now, just create one chip, with all the cores.
+ */
+pnv->num_chips = 1;
+
+pnv->chips = g_new0(PnvChip, pnv->num_chips);
+for (i = 0; i < pnv->num_chips; i++) {
+PnvChip *chip = &pnv->chips[i];
+
+object_initialize(chip, sizeof(*chip), TYPE_PNV_CHIP);
+object_property_set_int(OBJECT(chip), i, "chip-id", &error_abort);
+object_property_set_bool(OBJECT(chip), true, "realized", &error_abort);
+}
 }
 
 static void powernv_machine_class_init(ObjectClass *oc, void *data)
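Review bot: the chips are created with object_initialize() and realized, but never attached to the QOM tree with object_property_add_child(), so they will only show up under /machine/unattached with a generic name; since the cover letter invites readers to inspect the qom tree, add each chip as a child of the machine (for example a `chip[%d]` property) before setting "realized". Also, `pnv->chips` is an array of embedded objects that must never be reallocated once the chips are realized; a comment next to the g_new0() saying so, or fixing num_chips before allocation for good, would prevent a later "grow the array on hotplug" change from moving live objects.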
@@ -274,10 +292,39 @@ static const TypeInfo powernv_machine_2_8_info = {
 .class_init= powernv_machine_2_8_class_init,
 };
 
+
+static void pnv_chip_realize(DeviceState *dev, Error **errp)
+{
+;
+}
+
+static Property pnv_chip_properties[] = {
+DEFINE_PROP_UINT32("chip-id", PnvChip, chip_id, 0),
+DEFINE_PROP_END_OF_LIST(),
+};
+
+static void pnv_chip_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+
+dc->realize = pnv_chip_realize;
+dc->props = pnv_chip_properties;
+dc->desc = "PowerNV Chip";
+ }
+
+static const TypeInfo pnv_chip_info = {
+.name  = TYPE_PNV_CHIP,
+.parent= TYPE_SYS_BUS_DEVICE,
+.instance_size = sizeof(PnvChip),
+.class_init= pnv_chip_class_init,
+};
+
+
 static void powernv_machine_register_types(void)
 {
 type_register_static(&powernv_machine_info);
 type_register_static(&powernv_machine_2_8_info);
+type_register_static(&pnv_chip_info);
 }
 
 type_init(powernv_machine_register_types)
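Review bot: the closing brace of pnv_chip_class_init() has a stray leading space and pnv_chip_realize() has a lone `;` as its body; checkpatch will flag the first, and an empty `{ }` with a short comment saying the realize hook is a placeholder reads better than the bare semicolon. The doubled blank lines before and after the new type definitions can go as well.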
diff --git a/include/hw/ppc/pnv.h b/include/hw/ppc/pnv.h
index 2990f691672d..6907dc9e5c3d 100644
--- a/include/hw/ppc/pnv.h
+++ b/include/hw/ppc/pnv.h
@@ -20,6 +20,18 @@
 #define _PPC_PNV_H
 
 #include "hw/boards.h"
+#include "hw/sysbus.h"
+
+#define TYPE_PNV_CHIP "powernv-chip"
+#define PNV_CHIP(obj) OBJECT_CHECK(PnvChip, (obj), TYPE_PNV_CHIP)
+
+typedef struct PnvChip {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+uint32_t chip_id;
+} PnvChip;
 
 #define TYPE_POWERNV_MACHINE  "powernv-machine"
 #define POWERNV_MACHINE(obj) \
@@ -31,6 +43,9 @@ typedef struct sPowerNVMachineState {
 
 uint32_t initrd_base;
 long initrd_size;
+
+uint32_t  num_chips;
+PnvChip   *chips;
 } sPowerNVMachineState;
 
 #endif /* _PPC_PNV_H */
-- 
2.7.4




Re: [Qemu-devel] [PULL 0/5] linux-user fixes for 2.7

2016-08-05 Thread Peter Maydell
On 4 August 2016 at 15:15,   wrote:
> From: Riku Voipio 
>
> The following changes since commit 09704e6ded83fa0bec14baf32f800f6512156ca0:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
> staging (2016-08-04 10:24:27 +0100)
>
> are available in the git repository at:
>
>   git://git.linaro.org/people/riku.voipio/qemu.git 
> tags/pull-linux-user-20160804
>
> for you to fetch changes up to ef4330c23bb47b97a859dbdbae1c784fd2ca402f:
>
>   linux-user: Handle brk() attempts with very large sizes (2016-08-04 
> 16:38:17 +0300)
>
> 
> linux-user important fixes for 2.7
>
> 
>
> Peter Maydell (5):
>   linux-user: Use correct alignment for long long on i386 guests
>   linux-user: Fix memchr() argument in open_self_cmdline()
>   linux-user: Don't write off end of new_utsname buffer
>   linux-user: Fix target_semid_ds structure definition
>   linux-user: Handle brk() attempts with very large sizes

Applied, thanks.

-- PMM



[Qemu-devel] [PATCH 3/3] ppc/pnv: add a PowerNVCPUCore object

2016-08-05 Thread Cédric Le Goater
This is largely inspired by sPAPRCPUCore with some simplification, no
hotplug for instance. But the differences are small and the objects
could possibly be merged.

A set of PowerNVCPUCore objects is added to the PnvChip and the device
tree is populated looping on these cores. Core ids in the device tree
are still a little fuzzy. To be checked.

Signed-off-by: Cédric Le Goater 
---
 hw/ppc/Makefile.objs  |   2 +-
 hw/ppc/pnv.c  | 160 ++-
 hw/ppc/pnv_core.c | 171 ++
 include/hw/ppc/pnv.h  |   7 ++
 include/hw/ppc/pnv_core.h |  47 +
 5 files changed, 383 insertions(+), 4 deletions(-)
 create mode 100644 hw/ppc/pnv_core.c
 create mode 100644 include/hw/ppc/pnv_core.h

diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index 8105db7d5600..f8c7d1db9ade 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -6,7 +6,7 @@ obj-$(CONFIG_PSERIES) += spapr_hcall.o spapr_iommu.o 
spapr_rtas.o
 obj-$(CONFIG_PSERIES) += spapr_pci.o spapr_rtc.o spapr_drc.o spapr_rng.o
 obj-$(CONFIG_PSERIES) += spapr_cpu_core.o
 # IBM PowerNV
-obj-$(CONFIG_POWERNV) += pnv.o
+obj-$(CONFIG_POWERNV) += pnv.o pnv_core.o
 ifeq ($(CONFIG_PCI)$(CONFIG_PSERIES)$(CONFIG_LINUX), yyy)
 obj-y += spapr_pci_vfio.o
 endif
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index a680780e9dea..1219493c7218 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -35,6 +35,7 @@
 #include "hw/ppc/fdt.h"
 #include "hw/ppc/ppc.h"
 #include "hw/ppc/pnv.h"
+#include "hw/ppc/pnv_core.h"
 #include "hw/loader.h"
 #include "exec/address-spaces.h"
 #include "qemu/cutils.h"
@@ -112,6 +113,114 @@ static int powernv_populate_memory(void *fdt)
 return 0;
 }
 
+static void powernv_create_core_node(void *fdt, CPUState *cs, uint32_t chip_id)
+{
+PowerPCCPU *cpu = POWERPC_CPU(cs);
+int smt_threads = ppc_get_compat_smt_threads(cpu);
+CPUPPCState *env = &cpu->env;
+DeviceClass *dc = DEVICE_GET_CLASS(cs);
+PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cs);
+uint32_t servers_prop[smt_threads];
+uint32_t gservers_prop[smt_threads * 2];
+int i, index = ppc_get_vcpu_dt_id(cpu);
+uint32_t segs[] = {cpu_to_be32(28), cpu_to_be32(40),
+   0x, 0x};
+uint32_t tbfreq = PNV_TIMEBASE_FREQ;
+uint32_t cpufreq = 10;
+uint32_t page_sizes_prop[64];
+size_t page_sizes_prop_size;
+char *nodename;
+
+nodename = g_strdup_printf("%s@%x", dc->fw_name, index);
+
+_FDT((fdt_begin_node(fdt, nodename)));
+
+g_free(nodename);
+
+_FDT((fdt_property_cell(fdt, "reg", index)));
+_FDT((fdt_property_string(fdt, "device_type", "cpu")));
+
+_FDT((fdt_property_cell(fdt, "cpu-version", env->spr[SPR_PVR])));
+_FDT((fdt_property_cell(fdt, "d-cache-block-size",
+env->dcache_line_size)));
+_FDT((fdt_property_cell(fdt, "d-cache-line-size",
+env->dcache_line_size)));
+_FDT((fdt_property_cell(fdt, "i-cache-block-size",
+env->icache_line_size)));
+_FDT((fdt_property_cell(fdt, "i-cache-line-size",
+env->icache_line_size)));
+
+if (pcc->l1_dcache_size) {
+_FDT((fdt_property_cell(fdt, "d-cache-size", pcc->l1_dcache_size)));
+} else {
+error_report("Warning: Unknown L1 dcache size for cpu");
+}
+if (pcc->l1_icache_size) {
+_FDT((fdt_property_cell(fdt, "i-cache-size", pcc->l1_icache_size)));
+} else {
+error_report("Warning: Unknown L1 icache size for cpu");
+}
+
+_FDT((fdt_property_cell(fdt, "timebase-frequency", tbfreq)));
+_FDT((fdt_property_cell(fdt, "clock-frequency", cpufreq)));
+_FDT((fdt_property_cell(fdt, "ibm,slb-size", env->slb_nr)));
+_FDT((fdt_property_string(fdt, "status", "okay")));
+_FDT((fdt_property(fdt, "64-bit", NULL, 0)));
+
+if (env->spr_cb[SPR_PURR].oea_read) {
+_FDT((fdt_property(fdt, "ibm,purr", NULL, 0)));
+}
+
+if (env->mmu_model & POWERPC_MMU_1TSEG) {
+_FDT((fdt_property(fdt, "ibm,processor-segment-sizes",
+   segs, sizeof(segs;
+}
+
+/* Advertise VMX/VSX (vector extensions) if available
+ *   0 / no property == no vector extensions
+ *   1   == VMX / Altivec available
+ *   2   == VSX available */
+if (env->insns_flags & PPC_ALTIVEC) {
+uint32_t vmx = (env->insns_flags2 & PPC2_VSX) ? 2 : 1;
+
+_FDT((fdt_property_cell(fdt, "ibm,vmx", vmx)));
+}
+
+/* Advertise DFP (Decimal Floating Point) if available
+ *   0 / no property == no DFP
+ *   1   == DFP available */
+if (env->insns_flags2 & PPC2_DFP) {
+_FDT((fdt_property_cell(fdt, "ibm,dfp", 1)));
+}
+
+page_sizes_prop_size = ppc_create_page_sizes_prop(env, page_sizes_prop,
+  sizeof(page_sizes_prop));
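Review bot: `cpufreq` in powernv_create_core_node() is a hard-coded literal while `tbfreq` comes from the named PNV_TIMEBASE_FREQ; give the clock frequency a named constant next to it in pnv.h. More broadly, the cpu-version, cache-size, ibm,vmx, ibm,dfp and page-size property code in this function reproduces the sPAPR cpu node code that the commit message cites as its model; a shared helper for the architecture-independent part would keep the two from drifting apart.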

[Qemu-devel] [Question] virtio-serial misses irq delivery on migration?

2016-08-05 Thread Gonglei (Arei)
Hi Paolo, Jan, Amit

Recently we encountered a problem that virtio-serial can't work after
migration in a RH5.5 VM. The bigger problem is, I can't reproduce it. :(

Its phenomenon was much like BZ 867366: the usb-tablet mouse didn't work because
the uhci and virtio-serial shared the irq line (using IOAPIC, not MSI). The new
interrupt can't be injected into the VM because the irq line bit had been set to 1,
but the frontend driver never handles it or never knows about it.

 Bug 867366 - virtio-serial misses irq delivery on migration
https://bugzilla.redhat.com/show_bug.cgi?id=867366

But my qemu is the newest qemu; both commit 80dcfb8532 "virtio-serial-bus: post_load
send_event when vm is running" and commit bc6b815d9e "virtio-serial: propagate
guest_connected to the port on post_load" are applied.

I noticed that Paolo posted another problem that may have a potential problem
about apic in Comment 23. But this patch
 https://bugzilla.redhat.com/attachment.cgi?id=635535&action=diff
hasn't been merged into qemu master.

Would you give me some clues please? Thanks!

Regards,
-Gonglei





[Qemu-devel] [PULL 0/3] Block layer patches for 2.7.0-rc2

2016-08-05 Thread Kevin Wolf
The following changes since commit 42e0d60f1615ef63d16e41bb1668805560c37870:

  Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20160804' 
into staging (2016-08-04 18:36:05 +0100)

are available in the git repository at:


  git://repo.or.cz/qemu/kevin.git tags/for-upstream

for you to fetch changes up to 47989f14472262a289894058f7babf1db37edda5:

  nvme: bump PCI revision (2016-08-05 10:56:08 +0200)


Block layer patches for 2.7.0-rc2


Christoph Hellwig (2):
  nvme: fix identify to be NVMe 1.1 compliant
  nvme: bump PCI revision

Kevin Wolf (1):
  block: Accept any target node for transactional blockdev-backup

 blockdev.c   |  8 +++
 hw/block/nvme.c  | 61 +---
 qapi/block-core.json |  2 +-
 3 files changed, 58 insertions(+), 13 deletions(-)



[Qemu-devel] [PULL for-2.7 0/5] Block patches

2016-08-05 Thread Stefan Hajnoczi
The following changes since commit 42e0d60f1615ef63d16e41bb1668805560c37870:

  Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20160804' 
into staging (2016-08-04 18:36:05 +0100)

are available in the git repository at:

  git://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to 27d1b87688dcea8702f06b5240abf6b8d8f53346:

  virtio-blk: Remove stale comment about draining (2016-08-05 09:59:06 +0100)





Alberto Garcia (2):
  throttle: Don't allow burst limits to be lower than the normal limits
  throttle: Test burst limits lower than the normal limits

Fam Zheng (2):
  virtio-blk: Release s->rq queue at system_reset
  virtio-blk: Remove stale comment about draining

Klim Kireev (1):
  block/parallels: check new image size

 block/parallels.c |  5 +
 hw/block/virtio-blk.c | 13 +
 tests/test-throttle.c |  8 
 util/throttle.c   |  5 +
 4 files changed, 27 insertions(+), 4 deletions(-)

-- 
2.7.4




[Qemu-devel] [PULL 3/3] nvme: bump PCI revision

2016-08-05 Thread Kevin Wolf
From: Christoph Hellwig 

The broken Identify implementation in earlier Qemu versions means we
need to blacklist it from issuing the NVMe 1.1 Identify Namespace List
command.  As we want to be able to use it in newer Qemu versions we need
a way to identify those.  Bump the PCI revision as a guest visible
indicator of this bug fix.

Signed-off-by: Christoph Hellwig 
Acked-by: Keith Busch 
Signed-off-by: Kevin Wolf 
---
 hw/block/nvme.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index a0655a3..cef3bb4 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -954,7 +954,7 @@ static void nvme_class_init(ObjectClass *oc, void *data)
 pc->class_id = PCI_CLASS_STORAGE_EXPRESS;
 pc->vendor_id = PCI_VENDOR_ID_INTEL;
 pc->device_id = 0x5845;
-pc->revision = 1;
+pc->revision = 2;
 pc->is_express = 1;
 
 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
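Review bot: `pc->revision` is guest-visible PCI config space, so changing it unconditionally means an existing guest sees a different device after migration to a newer QEMU, and a guest started on an older machine type no longer sees what that machine type shipped with. Consider keeping revision 1 for the pre-2.7 machine types through a compat property, so that the bump applies only to the machine type that also carries the Identify fix.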
-- 
1.8.3.1




[Qemu-devel] [PULL for-2.7 2/5] throttle: Don't allow burst limits to be lower than the normal limits

2016-08-05 Thread Stefan Hajnoczi
From: Alberto Garcia 

Setting FOO_max to a value that is lower than FOO does not make
sense, and it produces odd results depending on the value of
FOO_max_length. Although the user should not set that configuration
in the first place it's better to reject it explicitly.

https://bugzilla.redhat.com/show_bug.cgi?id=1355665

Signed-off-by: Alberto Garcia 
Reported-by: Gu Nini 
Reviewed-by: Eric Blake 
Message-id: 
663d5aca406060e31f80d8113f77b6feee63b919.1469693110.git.be...@igalia.com
Signed-off-by: Stefan Hajnoczi 
---
 util/throttle.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/util/throttle.c b/util/throttle.c
index 654f95c..3817d9b 100644
--- a/util/throttle.c
+++ b/util/throttle.c
@@ -348,6 +348,11 @@ bool throttle_is_valid(ThrottleConfig *cfg, Error **errp)
" bps/iops values");
 return false;
 }
+
+if (cfg->buckets[i].max && cfg->buckets[i].max < cfg->buckets[i].avg) {
+error_setg(errp, "bps_max/iops_max cannot be lower than bps/iops");
+return false;
+}
 }
 
 return true;
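Review bot: the new error message does not say which bucket failed the check; since the loop validates all of them, naming the offending limit (or at least including the index `i`) saves the user a round of guessing when several bps/iops options are set at once.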
-- 
2.7.4




Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread Andrew Jones
On Thu, Aug 04, 2016 at 10:41:16AM +0200, Laurent Vivier wrote:
> 
> 
> On 04/08/2016 04:38, David Gibson wrote:
> > On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
> >> If we don't provide the page size in target-ppc:cpu_get_dump_info(),
> >> the default one (TARGET_PAGE_SIZE, 4KB) is used to create
> >> the compressed dump. It works fine with Macintosh, but not with
> >> pseries as the kernel default page size is 64KB.
> >>
> >> Without this patch, if we generate a compressed dump in the QEMU monitor:
> >>
> >> (qemu) dump-guest-memory -z qemu.dump
> >>
> >> This dump cannot be read by crash:
> >>
> >> # crash vmlinux qemu.dump
> >> ...
> >> WARNING: cannot translate vmemmap kernel virtual addresses:
> >>  commands requiring page structure contents will fail
> >> ...
> >>
> >> Signed-off-by: Laurent Vivier 
> >> ---
> >>  target-ppc/arch_dump.c | 5 +
> >>  1 file changed, 5 insertions(+)
> > 
> > Urgh.. so, really the page size used by the guest kernel is a
> > guest-side detail, and it's certainly possible to build a 4kiB page
> > guest kernel, although 64kiB is the norm.
> 
> virtio-balloon doesn't work with 4K kernel.
> 
> > This might be the best we can do, but it'd be nice if we could probe
> > or otherwise avoid relying on this assumption about the guest kernel.
> 
> I agree with you but none of the other architectures probes for the page
> size.
> 
> For instance ARM: [I cc: Drew to know how he has chosen the values]
> 
> if (arm_feature(env, ARM_FEATURE_AARCH64)) {
> ...
> info->page_size = (1 << 16);
> ...
> } else {
> ...
> info->page_size = (1 << 12);
> ...
> }
>

info->page_size is used to determine the dumpfile's block size. The
block size needs to be at least the page size, but a multiple of page
size works fine too. As we can't probe for the currently used guest
page size, and a multiple of page size is fine, then using the guest's
maximum allowed page size is the best we can do.

Thanks,
drew



Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread Andrew Jones
On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
> If we don't provide the page size in target-ppc:cpu_get_dump_info(),
> the default one (TARGET_PAGE_SIZE, 4KB) is used to create
> the compressed dump. It works fine with Macintosh, but not with
> pseries as the kernel default page size is 64KB.
> 
> Without this patch, if we generate a compressed dump in the QEMU monitor:
> 
> (qemu) dump-guest-memory -z qemu.dump
> 
> This dump cannot be read by crash:
> 
> # crash vmlinux qemu.dump
> ...
> WARNING: cannot translate vmemmap kernel virtual addresses:
>  commands requiring page structure contents will fail
> ...
> 
> Signed-off-by: Laurent Vivier 
> ---
>  target-ppc/arch_dump.c | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/target-ppc/arch_dump.c b/target-ppc/arch_dump.c
> index df1fd8c..ad37a59 100644
> --- a/target-ppc/arch_dump.c
> +++ b/target-ppc/arch_dump.c
> @@ -220,6 +220,11 @@ int cpu_get_dump_info(ArchDumpInfo *info,
>  } else {
>  info->d_endian = ELFDATA2LSB;
>  }
> +/* 64KB is the page size default for pseries kernel */

This comment should rather say '...is the max page size...' than
'default' to be accurate for the reasoning. I have a comment like
that in the arm version,

 info->page_size = (1 << 16); /* aarch64 max pagesize */

> +if (strncmp(object_get_typename(qdev_get_machine()),
> +"pseries-", 8) == 0) {
> +info->page_size = (1U << 16);
> +}
>  
>  return 0;
>  }
> -- 
> 2.5.5
> 
>

Otherwise,

Reviewed-by: Andrew Jones 



[Qemu-devel] [PULL for-2.7 3/5] throttle: Test burst limits lower than the normal limits

2016-08-05 Thread Stefan Hajnoczi
From: Alberto Garcia 

This checks that making FOO_max lower than FOO is not allowed.

We could also forbid having FOO_max == FOO, but that doesn't have
any odd side effects and it would require us to update several other
tests, so let's keep it simple.

Signed-off-by: Alberto Garcia 
Reviewed-by: Eric Blake 
Message-id: 
2f90f9ee58aa14b7bd985f67c5996b06e0ab6c19.1469693110.git.be...@igalia.com
Signed-off-by: Stefan Hajnoczi 
---
 tests/test-throttle.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/tests/test-throttle.c b/tests/test-throttle.c
index afe094b..363b59a 100644
--- a/tests/test-throttle.c
+++ b/tests/test-throttle.c
@@ -394,6 +394,14 @@ static void test_max_is_missing_limit(void)
 cfg.buckets[i].max = 0;
 cfg.buckets[i].avg = 100;
 g_assert(throttle_is_valid(&cfg, NULL));
+
+cfg.buckets[i].max = 30;
+cfg.buckets[i].avg = 100;
+g_assert(!throttle_is_valid(&cfg, NULL));
+
+cfg.buckets[i].max = 100;
+cfg.buckets[i].avg = 100;
+g_assert(throttle_is_valid(&cfg, NULL));
 }
 }
 
-- 
2.7.4




[Qemu-devel] [PATCH for 2.7] linuxboot_dma: avoid guest ABI breakage on gcc vs. clang compilation

2016-08-05 Thread Paolo Bonzini
GCC compiles linuxboot_dma.c to 921 bytes, while clang needs 1527.
This causes the API to break between a GCC-compiled ROM and
one that was obtained with clang.

First, this patch fixes this by preventing clang's happy inlining (which
-Os cannot prevent).  This only requires adding a noinline attribute.

Second, it makes sure that an unexpected guest ABI breakage cannot happen
in the future.  The size must now be hardcoded in the file that is passed to
signrom.py, as was the case before commit 6f71b77 ("scripts/signrom.py:
Allow option ROM checksum script to write the size header.", 2016-05-23);
signrom.py however will still pad the input to the requested size, to
avoid the need for -fno-toplevel-reorder which clang doesn't support.
signrom.py can then error out if the requested size is too small for
the actual size of the compiled ROM.

Signed-off-by: Paolo Bonzini 
---
 pc-bios/optionrom/linuxboot_dma.c |  8 ++--
 scripts/signrom.py| 27 +++
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/pc-bios/optionrom/linuxboot_dma.c 
b/pc-bios/optionrom/linuxboot_dma.c
index 8509b28..8584a49 100644
--- a/pc-bios/optionrom/linuxboot_dma.c
+++ b/pc-bios/optionrom/linuxboot_dma.c
@@ -25,7 +25,7 @@ asm(
 ".global _start\n"
 "_start:\n"
 "   .short 0xaa55\n"
-"   .byte 0\n" /* size in 512 units, filled in by signrom.py */
+"   .byte 2\n" /* desired size in 512 units; signrom.py adds padding */
 "   .byte 0xcb\n" /* far return without prefix */
 "   .org 0x18\n"
 "   .short 0\n"
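Review bot: `.byte 2` declares a 1024-byte ROM while the commit message says GCC currently produces 921 bytes, so the budget for growth is about 100 bytes before signrom.py starts failing the build; spell the declared size and the remaining headroom out in the comment so that the next change to this file knows when to bump the byte.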
@@ -157,7 +157,11 @@ static inline uint32_t be32_to_cpu(uint32_t x)
 return bswap32(x);
 }
 
-static void bios_cfg_read_entry(void *buf, uint16_t entry, uint32_t len)
+/* clang is happy to inline this function, and bloats the
+ * ROM.
+ */
+static __attribute__((__noinline__))
+void bios_cfg_read_entry(void *buf, uint16_t entry, uint32_t len)
 {
 FWCfgDmaAccess access;
 uint32_t control = (entry << 16) | BIOS_CFG_DMA_CTL_SELECT
diff --git a/scripts/signrom.py b/scripts/signrom.py
index 5629bca..d1dabe0 100644
--- a/scripts/signrom.py
+++ b/scripts/signrom.py
@@ -23,26 +23,21 @@ if magic != '\x55\xaa':
 
 size_byte = ord(fin.read(1))
 fin.seek(0)
+data = fin.read()
 
-if size_byte == 0:
-# If the caller left the size field blank then we will fill it in,
-# also rounding the whole input to a multiple of 512 bytes.
-data = fin.read()
-# +1 because we need a byte to store the checksum.
-size = len(data) + 1
-# Round up to next multiple of 512.
-size += 511
-size -= size % 512
-if size >= 65536:
-sys.exit("%s: option ROM size too large" % sys.argv[1])
+size = size_byte * 512
+if len(data) > size:
+sys.stderr.write('error: ROM is too large (%d > %d)\n' % (len(data), size))
+sys.exit(1)
+elif len(data) < size:
+# Add padding if necessary, rounding the whole input to a multiple of
+# 512 bytes according to the third byte of the input.
 # size-1 because a final byte is added below to store the checksum.
 data = data.ljust(size-1, '\0')
-data = data[:2] + chr(size/512) + data[3:]
 else:
-# Otherwise the input file specifies the size so use it.
-# -1 because we overwrite the last byte of the file with the checksum.
-size = size_byte * 512 - 1
-data = fin.read(size)
+if ord(data[-1:]) != 0:
+sys.stderr.write('WARNING: ROM includes nonzero checksum\n')
+data = data[:size-1]
 
 fout.write(data)
 
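Review bot: the `size >= 65536` guard from the old code is gone; since `size_byte` is now trusted as-is, a ROM declaring 255 units is accepted at 130560 bytes, so keep an explicit upper bound, and a `size_byte` of 0 now produces a misleading "ROM is too large (n > 0)" error rather than saying the size field is unset. The comment on the padding branch still talks about "rounding the whole input to a multiple of 512 bytes", but the branch pads to the size declared in byte 2; the comment should say that.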
-- 
2.7.4
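
The option ROM rules that signrom.py enforces, as an added example that is not part of the patch or of QEMU: a C implementation of the same rule set (0x55 0xAA magic, size byte in 512-byte units, zero padding to the declared size, final byte chosen so that all bytes sum to zero modulo 256) next to the verification a BIOS performs before running the ROM. The function names, the constructed 921-byte sample and its byte pattern are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_UNIT 512u   /* the size byte counts 512-byte units */

/*
 * Finalise an option ROM the way the patched signrom.py does (added
 * example; names are this example's own).  `in` must start with
 * 0x55 0xAA and carry its target size in byte 2.  The image is zero-padded
 * to that size and the last byte is set so that all bytes sum to zero
 * modulo 256.  Returns the final size, or 0 on error: bad magic, zero
 * size byte, input larger than the declared size, or `out` too small.
 */
size_t rom_sign(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < 3 || in[0] != 0x55 || in[1] != 0xAA) {
        return 0;
    }
    size_t size = (size_t)in[2] * ROM_UNIT;
    if (size == 0 || in_len > size || out_cap < size) {
        return 0;
    }
    if (in_len == size && in[size - 1] != 0) {
        fprintf(stderr, "warning: input already carries a nonzero checksum byte\n");
    }
    memcpy(out, in, in_len);
    memset(out + in_len, 0, size - in_len);     /* padding; also clears the checksum slot */

    uint8_t sum = 0;
    for (size_t i = 0; i < size - 1; i++) {
        sum += out[i];
    }
    out[size - 1] = (uint8_t)(0x100 - sum);     /* (sum + checksum) % 256 == 0 */
    return size;
}

/* The check a BIOS makes before jumping into the ROM: magic, declared size, zero checksum. */
bool rom_verify(const uint8_t *rom, size_t len)
{
    if (len < 3 || rom[0] != 0x55 || rom[1] != 0xAA) {
        return false;
    }
    if ((size_t)rom[2] * ROM_UNIT != len) {
        return false;
    }
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += rom[i];
    }
    return sum == 0;
}

/* Constructed sample input: a header plus a deterministic byte pattern (not a real ROM). */
static void make_sample(uint8_t *buf, size_t len, uint8_t units)
{
    buf[0] = 0x55;
    buf[1] = 0xAA;
    buf[2] = units;
    for (size_t i = 3; i < len; i++) {
        buf[i] = (uint8_t)(i * 7 + 1);
    }
}

/* 921 bytes (the GCC size quoted in the commit message) declaring 2 units: signs to 1024 bytes. */
size_t example_sign_and_verify(void)
{
    uint8_t in[921], out[1024];
    make_sample(in, sizeof in, 2);
    size_t n = rom_sign(in, sizeof in, out, sizeof out);
    return (n != 0 && rom_verify(out, n)) ? n : 0;
}

/* The same 921 bytes declaring only 1 unit (512 bytes): rejected, as the patched script does. */
size_t example_too_large(void)
{
    uint8_t in[921], out[1024];
    make_sample(in, sizeof in, 1);
    return rom_sign(in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("signed size: %zu\n", example_sign_and_verify());
    printf("oversized input accepted: %s\n", example_too_large() ? "yes" : "no");
    return 0;
}
```

The declared size is taken from the input exactly as the patched script does, so the only ways to get a ROM out are to declare enough units or to shrink the code; nothing rounds the size up behind the author's back any more.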




[Qemu-devel] [PULL for-2.7 5/5] virtio-blk: Remove stale comment about draining

2016-08-05 Thread Stefan Hajnoczi
From: Fam Zheng 

This is stale after commit 6e40b3bf (virtio-blk: Use blk_drain() to
drain IO requests), remove it.

Suggested-by: Laszlo Ersek 
Signed-off-by: Fam Zheng 
Reviewed-by: Laszlo Ersek 
Message-id: 1470278654-13525-3-git-send-email-f...@redhat.com
Signed-off-by: Stefan Hajnoczi 
---
 hw/block/virtio-blk.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 1e348b1..331d766 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -656,10 +656,6 @@ static void virtio_blk_reset(VirtIODevice *vdev)
 AioContext *ctx;
 VirtIOBlockReq *req;
 
-/*
- * This should cancel pending requests, but can't do nicely until there
- * are per-device request lists.
- */
 ctx = blk_get_aio_context(s->blk);
 aio_context_acquire(ctx);
 blk_drain(s->blk);
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 02/18] acpi: provide _PXM method for CPU devices if QEMU is started numa enabled

2016-08-05 Thread Igor Mammedov
Workaround for long standing issue where Linux kernel
assigns hotplugged CPU to 1st numa node as it discards
proximity for possible CPUs from SRAT after it's parsed.

_PXM method allows Linux to query proximity directly from the
hotplugged CPU object, which allows Linux to assign the CPU
to the correct numa node.

Signed-off-by: Igor Mammedov 
Reviewed-by: Marcel Apfelbaum 
---
v3:
 - use numa_get_node_for_cpu() instead of duplicating lookup code
 - added comment in code blaming linux
---
 hw/acpi/cpu.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/hw/acpi/cpu.c b/hw/acpi/cpu.c
index c13b65c..902f5c9 100644
--- a/hw/acpi/cpu.c
+++ b/hw/acpi/cpu.c
@@ -4,6 +4,7 @@
 #include "qapi/error.h"
 #include "qapi-event.h"
 #include "trace.h"
+#include "sysemu/numa.h"
 
 #define ACPI_CPU_HOTPLUG_REG_LEN 12
 #define ACPI_CPU_SELECTOR_OFFSET_WR 0
@@ -503,6 +504,7 @@ void build_cpus_aml(Aml *table, MachineState *machine, 
CPUHotplugFeatures opts,
 
 /* build Processor object for each processor */
 for (i = 0; i < arch_ids->len; i++) {
+int j;
 Aml *dev;
 Aml *uid = aml_int(i);
 GArray *madt_buf = g_array_new(0, 1, 1);
@@ -546,6 +548,16 @@ void build_cpus_aml(Aml *table, MachineState *machine, 
CPUHotplugFeatures opts,
   aml_arg(1), aml_arg(2))
 );
 aml_append(dev, method);
+
+/* Linux guests discard SRAT info for non-present CPUs
+ * as a result _PXM is required for all CPUs which might
+ * be hot-plugged. For simplicity, add it for all CPUs.
+ */
+j = numa_get_node_for_cpu(i);
+if (j < nb_numa_nodes) {
+aml_append(dev, aml_name_decl("_PXM", aml_int(j)));
+}
+
 aml_append(cpus_dev, dev);
 }
 }
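Review bot: the comment says `_PXM` is added "for all CPUs" for simplicity, but the `if (j < nb_numa_nodes)` guard skips CPUs that are not assigned to any node, so a hot-plugged CPU without a node mapping still lands on node 0 in Linux; either the comment should describe the guard, or the fallback node for unmapped CPUs should be made explicit in the AML.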
-- 
2.7.4




[Qemu-devel] [PULL 1/3] block: Accept any target node for transactional blockdev-backup

2016-08-05 Thread Kevin Wolf
Commit 0d978913 changed blockdev-backup to accept arbitrary node names
instead of device names (i.e. root nodes) for the backup target.
However, it forgot to make the same change in transactions and to update
the documentation. This patch fixes these omissions.

Signed-off-by: Kevin Wolf 
Reviewed-by: Fam Zheng 
Reviewed-by: John Snow 
Reviewed-by: Stefan Hajnoczi 
---
 blockdev.c   | 8 
 qapi/block-core.json | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/blockdev.c b/blockdev.c
index eafeba9..2161400 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -1937,7 +1937,8 @@ static void blockdev_backup_prepare(BlkActionState 
*common, Error **errp)
 {
 BlockdevBackupState *state = DO_UPCAST(BlockdevBackupState, common, 
common);
 BlockdevBackup *backup;
-BlockBackend *blk, *target;
+BlockBackend *blk;
+BlockDriverState *target;
 Error *local_err = NULL;
 
 assert(common->action->type == TRANSACTION_ACTION_KIND_BLOCKDEV_BACKUP);
@@ -1954,15 +1955,14 @@ static void blockdev_backup_prepare(BlkActionState 
*common, Error **errp)
 return;
 }
 
-target = blk_by_name(backup->target);
+target = bdrv_lookup_bs(backup->target, backup->target, errp);
 if (!target) {
-error_setg(errp, "Device '%s' not found", backup->target);
 return;
 }
 
 /* AioContext is released in .clean() */
 state->aio_context = blk_get_aio_context(blk);
-if (state->aio_context != blk_get_aio_context(target)) {
+if (state->aio_context != bdrv_get_aio_context(target)) {
 state->aio_context = NULL;
 error_setg(errp, "Backup between two IO threads is not implemented");
 return;
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 2bbc027..5e2d7d7 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -927,7 +927,7 @@
 #
 # @device: the name of the device which should be copied.
 #
-# @target: the name of the backup target device.
+# @target: the device name or node-name of the backup target node.
 #
 # @sync: what parts of the disk image should be copied to the destination
 #(all the disk, only the sectors allocated in the topmost image, or
-- 
1.8.3.1




[Qemu-devel] [PATCH for-2.8 01/18] numa: reduce code duplication by adding helper numa_get_node_for_cpu()

2016-08-05 Thread Igor Mammedov
Replace repeated pattern

for (i = 0; i < nb_numa_nodes; i++) {
if (test_bit(idx, numa_info[i].node_cpu)) {
   ...
   break;

with a helper function to lookup numa node index for cpu.

Suggested-by: Michael S. Tsirkin 
Signed-off-by: Igor Mammedov 
Reviewed-by: David Gibson 
Reviewed-by: Shannon Zhao 
---
 include/sysemu/numa.h|  3 +++
 hw/arm/virt-acpi-build.c |  6 ++
 hw/arm/virt.c|  7 +++
 hw/i386/acpi-build.c |  7 ++-
 hw/i386/pc.c |  8 +++-
 hw/ppc/spapr_cpu_core.c  |  6 ++
 numa.c   | 12 
 7 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h
index bb184c9..4da808a 100644
--- a/include/sysemu/numa.h
+++ b/include/sysemu/numa.h
@@ -32,4 +32,7 @@ void numa_set_mem_node_id(ram_addr_t addr, uint64_t size, 
uint32_t node);
 void numa_unset_mem_node_id(ram_addr_t addr, uint64_t size, uint32_t node);
 uint32_t numa_get_node(ram_addr_t addr, Error **errp);
 
+/* on success returns node index in numa_info,
+ * on failure returns nb_numa_nodes */
+int numa_get_node_for_cpu(int idx);
 #endif
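Review bot: the new block comment on numa_get_node_for_cpu() would read better in the usual multi-line form with the closing `*/` on its own line, and a blank line before `#endif` would match the rest of the header. Returning `nb_numa_nodes` for the failure case also makes every caller compare against a global; a negative return would let callers write `if (j >= 0)` without reaching for nb_numa_nodes.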
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 28fc59c..5923b3d 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -426,11 +426,9 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
VirtGuestInfo *guest_info)
 uint32_t *cpu_node = g_malloc0(guest_info->smp_cpus * sizeof(uint32_t));
 
 for (i = 0; i < guest_info->smp_cpus; i++) {
-for (j = 0; j < nb_numa_nodes; j++) {
-if (test_bit(i, numa_info[j].node_cpu)) {
+j = numa_get_node_for_cpu(i);
+if (j < nb_numa_nodes) {
 cpu_node[i] = j;
-break;
-}
 }
 }
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index a193b5a..89828e5 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -413,10 +413,9 @@ static void fdt_add_cpu_nodes(const VirtBoardInfo *vbi)
   armcpu->mp_affinity);
 }
 
-for (i = 0; i < nb_numa_nodes; i++) {
-if (test_bit(cpu, numa_info[i].node_cpu)) {
-qemu_fdt_setprop_cell(vbi->fdt, nodename, "numa-node-id", i);
-}
+i = numa_get_node_for_cpu(cpu);
+if (i < nb_numa_nodes) {
+qemu_fdt_setprop_cell(vbi->fdt, nodename, "numa-node-id", i);
 }
 
 g_free(nodename);
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a26a4bb..3912575 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2409,18 +2409,15 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 srat->reserved1 = cpu_to_le32(1);
 
 for (i = 0; i < apic_ids->len; i++) {
-int j;
+int j = numa_get_node_for_cpu(i);
 int apic_id = apic_ids->cpus[i].arch_id;
 
 core = acpi_data_push(table_data, sizeof *core);
 core->type = ACPI_SRAT_PROCESSOR_APIC;
 core->length = sizeof(*core);
 core->local_apic_id = apic_id;
-for (j = 0; j < nb_numa_nodes; j++) {
-if (test_bit(i, numa_info[j].node_cpu)) {
+if (j < nb_numa_nodes) {
 core->proximity_lo = j;
-break;
-}
 }
 memset(core->proximity_hi, 0, 3);
 core->local_sapic_eid = 0;
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 47593b7..b1fadce 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -777,11 +777,9 @@ static FWCfgState *bochs_bios_init(AddressSpace *as, 
PCMachineState *pcms)
 for (i = 0; i < max_cpus; i++) {
 unsigned int apic_id = x86_cpu_apic_id_from_index(i);
 assert(apic_id < pcms->apic_id_limit);
-for (j = 0; j < nb_numa_nodes; j++) {
-if (test_bit(i, numa_info[j].node_cpu)) {
-numa_fw_cfg[apic_id + 1] = cpu_to_le64(j);
-break;
-}
+j = numa_get_node_for_cpu(i);
+if (j < nb_numa_nodes) {
+numa_fw_cfg[apic_id + 1] = cpu_to_le64(j);
 }
 }
 for (i = 0; i < nb_numa_nodes; i++) {
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 170ed15..7b015b6 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -69,11 +69,9 @@ void spapr_cpu_init(sPAPRMachineState *spapr, PowerPCCPU 
*cpu, Error **errp)
 }
 
 /* Set NUMA node for the added CPUs  */
-for (i = 0; i < nb_numa_nodes; i++) {
-if (test_bit(cs->cpu_index, numa_info[i].node_cpu)) {
+i = numa_get_node_for_cpu(cs->cpu_index);
+if (i < nb_numa_nodes) {
 cs->numa_node = i;
-break;
-}
 }
 
 xics_cpu_setup(spapr->xics, cpu);
diff --git a/numa.c b/numa.c
index 7286171..8015f30 100644
--- a/numa.c
+++ b/numa.c
@@ -549,3 +549,15 @@ MemdevList *qmp_query_memdev(Error **errp)
 object_child_foreach(obj, query_memdev, &list);
 return list;
 }
+
+int numa_get_node_for_cpu(int idx

[Qemu-devel] [PULL for-2.7 4/5] virtio-blk: Release s->rq queue at system_reset

2016-08-05 Thread Stefan Hajnoczi
From: Fam Zheng 

At system_reset, there is no point in retrying the queued request,
because the driver that issued the request won't be around any more.

Analyzed-by: Laszlo Ersek 
Reported-by: Laszlo Ersek 
Signed-off-by: Fam Zheng 
Reviewed-by: Laszlo Ersek 
Message-id: 1470278654-13525-2-git-send-email-f...@redhat.com
Signed-off-by: Stefan Hajnoczi 
---
 hw/block/virtio-blk.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 475a822..1e348b1 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -654,6 +654,7 @@ static void virtio_blk_reset(VirtIODevice *vdev)
 {
 VirtIOBlock *s = VIRTIO_BLK(vdev);
 AioContext *ctx;
+VirtIOBlockReq *req;
 
 /*
  * This should cancel pending requests, but can't do nicely until there
@@ -663,6 +664,14 @@ static void virtio_blk_reset(VirtIODevice *vdev)
 aio_context_acquire(ctx);
 blk_drain(s->blk);
 
+/* We drop queued requests after blk_drain() because blk_drain() itself can
+ * produce them. */
+while (s->rq) {
+req = s->rq;
+s->rq = req->next;
+virtio_blk_free_request(req);
+}
+
 if (s->dataplane) {
 virtio_blk_data_plane_stop(s->dataplane);
 }
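Review bot: the drop loop runs under aio_context_acquire(ctx) and before virtio_blk_data_plane_stop(), and it frees each request with virtio_blk_free_request() without ever completing it back to the guest. That is the right behaviour on system_reset (the commit message explains the driver that issued the request is gone), but the in-code comment only says why the loop sits after blk_drain(). Extend it so the next reader also learns that the requests are intentionally not completed and that holding ctx is what makes touching s->rq safe while dataplane may still be running.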
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 04/18] linux-headers: update to v4.8-rc1

2016-08-05 Thread Igor Mammedov
From: root 

Signed-off-by: Radim Krčmář 
---
 linux-headers/linux/kvm.h | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index e60e21b..aa7f587 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -866,6 +866,10 @@ struct kvm_ppc_smmu_info {
 #define KVM_CAP_ARM_PMU_V3 126
 #define KVM_CAP_VCPU_ATTRIBUTES 127
 #define KVM_CAP_MAX_VCPU_ID 128
+#define KVM_CAP_X2APIC_API 129
+#define KVM_CAP_S390_USER_INSTR0 130
+#define KVM_CAP_MSI_DEVID 131
+#define KVM_CAP_PPC_HTM 132
 
 #ifdef KVM_CAP_IRQ_ROUTING
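Review bot: the capability constants are a straight kernel header sync and need no change, but the patch metadata does: it is authored as `From: root` and the cover letter's shortlog lists it under `root (1)`, while the Signed-off-by is Radim Krčmář's. Fix the author before this is merged.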
 
@@ -1024,12 +1028,14 @@ struct kvm_one_reg {
__u64 addr;
 };
 
+#define KVM_MSI_VALID_DEVID(1U << 0)
 struct kvm_msi {
__u32 address_lo;
__u32 address_hi;
__u32 data;
__u32 flags;
-   __u8  pad[16];
+   __u32 devid;
+   __u8  pad[12];
 };
 
 struct kvm_arm_device_addr {
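Review bot: sizeof(struct kvm_msi) is unchanged here, since `devid` takes 4 bytes out of the old 16-byte `pad` and leaves `pad[12]`, and KVM_MSI_VALID_DEVID in `flags` is what tells the kernel whether `devid` carries a value; so the existing userspace layout stays binary compatible. Worth one sentence in the commit message, since this is the only ABI-shaped change in the sync.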
@@ -1074,6 +1080,8 @@ enum kvm_device_type {
 #define KVM_DEV_TYPE_FLIC  KVM_DEV_TYPE_FLIC
KVM_DEV_TYPE_ARM_VGIC_V3,
 #define KVM_DEV_TYPE_ARM_VGIC_V3   KVM_DEV_TYPE_ARM_VGIC_V3
+   KVM_DEV_TYPE_ARM_VGIC_ITS,
+#define KVM_DEV_TYPE_ARM_VGIC_ITS  KVM_DEV_TYPE_ARM_VGIC_ITS
KVM_DEV_TYPE_MAX,
 };
 
@@ -1313,4 +1321,7 @@ struct kvm_assigned_msix_entry {
__u16 padding[3];
 };
 
+#define KVM_X2APIC_API_USE_32BIT_IDS(1ULL << 0)
+#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK  (1ULL << 1)
+
 #endif /* __LINUX_KVM_H */
-- 
2.7.4




[Qemu-devel] [PULL 2/3] nvme: fix identify to be NVMe 1.1 compliant

2016-08-05 Thread Kevin Wolf
From: Christoph Hellwig 

NVMe 1.1 requires devices to implement a Namespace List subcommand of
the identify command.  Qemu not only does not implement this feature, but
also misinterprets it as an Identify Controller request.  Due to this,
any OS trying to use the Namespace List will fail the probe.

Signed-off-by: Christoph Hellwig 
Acked-by: Keith Busch 
Signed-off-by: Kevin Wolf 
---
 hw/block/nvme.c | 59 ++---
 1 file changed, 52 insertions(+), 7 deletions(-)

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 2ded247..a0655a3 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -469,19 +469,22 @@ static uint16_t nvme_create_cq(NvmeCtrl *n, NvmeCmd *cmd)
 return NVME_SUCCESS;
 }
 
-static uint16_t nvme_identify(NvmeCtrl *n, NvmeCmd *cmd)
+static uint16_t nvme_identify_ctrl(NvmeCtrl *n, NvmeIdentify *c)
+{
+uint64_t prp1 = le64_to_cpu(c->prp1);
+uint64_t prp2 = le64_to_cpu(c->prp2);
+
+return nvme_dma_read_prp(n, (uint8_t *)&n->id_ctrl, sizeof(n->id_ctrl),
+prp1, prp2);
+}
+
+static uint16_t nvme_identify_ns(NvmeCtrl *n, NvmeIdentify *c)
 {
 NvmeNamespace *ns;
-NvmeIdentify *c = (NvmeIdentify *)cmd;
-uint32_t cns  = le32_to_cpu(c->cns);
 uint32_t nsid = le32_to_cpu(c->nsid);
 uint64_t prp1 = le64_to_cpu(c->prp1);
 uint64_t prp2 = le64_to_cpu(c->prp2);
 
-if (cns) {
-return nvme_dma_read_prp(n, (uint8_t *)&n->id_ctrl, sizeof(n->id_ctrl),
-prp1, prp2);
-}
 if (nsid == 0 || nsid > n->num_namespaces) {
 return NVME_INVALID_NSID | NVME_DNR;
 }
@@ -491,6 +494,48 @@ static uint16_t nvme_identify(NvmeCtrl *n, NvmeCmd *cmd)
 prp1, prp2);
 }
 
+static uint16_t nvme_identify_nslist(NvmeCtrl *n, NvmeIdentify *c)
+{
+static const int data_len = 4096;
+uint32_t min_nsid = le32_to_cpu(c->nsid);
+uint64_t prp1 = le64_to_cpu(c->prp1);
+uint64_t prp2 = le64_to_cpu(c->prp2);
+uint32_t *list;
+uint16_t ret;
+int i, j = 0;
+
+list = g_malloc0(data_len);
+for (i = 0; i < n->num_namespaces; i++) {
+if (i < min_nsid) {
+continue;
+}
+list[j++] = cpu_to_le32(i + 1);
+if (j == data_len / sizeof(uint32_t)) {
+break;
+}
+}
+ret = nvme_dma_read_prp(n, (uint8_t *)list, data_len, prp1, prp2);
+g_free(list);
+return ret;
+}
+
+
+static uint16_t nvme_identify(NvmeCtrl *n, NvmeCmd *cmd)
+{
+NvmeIdentify *c = (NvmeIdentify *)cmd;
+
+switch (le32_to_cpu(c->cns)) {
+case 0x00:
+return nvme_identify_ns(n, c);
+case 0x01:
+return nvme_identify_ctrl(n, c);
+case 0x02:
+return nvme_identify_nslist(n, c);
+default:
+return NVME_INVALID_FIELD | NVME_DNR;
+}
+}
+
 static uint16_t nvme_get_feature(NvmeCtrl *n, NvmeCmd *cmd, NvmeRequest *req)
 {
 uint32_t dw10 = le32_to_cpu(cmd->cdw10);
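Review bot: the CNS values in the new nvme_identify() switch are bare magic numbers (0x00, 0x01, 0x02); give them names so the dispatch reads as spec cases rather than integers. On the bounds side the new list builder looks right: min_nsid comes from the guest, but the loop is limited by both n->num_namespaces and data_len / sizeof(uint32_t), so no nsid value can push writes past the 4096-byte `list`, and the break after list[1023] is filled fires before list[1024] would be written. Minor: there are two blank lines before nvme_identify(); one is enough.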
-- 
1.8.3.1




[Qemu-devel] [PATCH for-2.8 03/18] tests: acpi: extend cphp testcase with numa check

2016-08-05 Thread Igor Mammedov
so it would be possible to verify _PXM generation in
DSDT and SRAT tables.

Signed-off-by: Igor Mammedov 
Reviewed-by: Marcel Apfelbaum 
---
NOTE to maintainer:
SRAT table is included in patch as it doesn't have
any chance for conflicts compared to often changing
DSDT

following table blobs should be updated in git tree as part
of this commit after running ./tests/acpi-test-data/rebuild-expected-aml.sh

tests/acpi-test-data/q35/DSDT.cphp
tests/acpi-test-data/pc/DSDT.cphp
---
 tests/acpi-test-data/pc/SRAT.cphp  | Bin 0 -> 304 bytes
 tests/acpi-test-data/q35/SRAT.cphp | Bin 0 -> 304 bytes
 tests/bios-tables-test.c   |   6 --
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 tests/acpi-test-data/pc/SRAT.cphp
 create mode 100644 tests/acpi-test-data/q35/SRAT.cphp

diff --git a/tests/acpi-test-data/pc/SRAT.cphp 
b/tests/acpi-test-data/pc/SRAT.cphp
new file mode 100644
index 
..ff2137642f488ec70b85207ed6c20e7351d61e98
GIT binary patch
literal 304
zcmWFzattwGWME)4bMklg2v%^42yhMtiUEZfKx_~V!f+sf!DmF1XF}yOvY_!<(fDl0
pd`1npO;83GTmZW|po75R12aq^syaB21u74tQT&BzFU&Ml8UVWm2>}2A

literal 0
HcmV?d1

diff --git a/tests/acpi-test-data/q35/SRAT.cphp 
b/tests/acpi-test-data/q35/SRAT.cphp
new file mode 100644
index 
..ff2137642f488ec70b85207ed6c20e7351d61e98
GIT binary patch
literal 304
zcmWFzattwGWME)4bMklg2v%^42yhMtiUEZfKx_~V!f+sf!DmF1XF}yOvY_!<(fDl0
pd`1npO;83GTmZW|po75R12aq^syaB21u74tQT&BzFU&Ml8UVWm2>}2A

literal 0
HcmV?d1

diff --git a/tests/bios-tables-test.c b/tests/bios-tables-test.c
index de4019e..3796089 100644
--- a/tests/bios-tables-test.c
+++ b/tests/bios-tables-test.c
@@ -809,7 +809,8 @@ static void test_acpi_piix4_tcg_cphp(void)
 data.machine = MACHINE_PC;
 data.variant = ".cphp";
 test_acpi_one("-machine accel=tcg"
-  " -smp 2,cores=3,sockets=2,maxcpus=6",
+  " -smp 2,cores=3,sockets=2,maxcpus=6"
+  " -numa node -numa node",
   &data);
 free_test_data(&data);
 }
@@ -822,7 +823,8 @@ static void test_acpi_q35_tcg_cphp(void)
 data.machine = MACHINE_Q35;
 data.variant = ".cphp";
 test_acpi_one("-machine q35,accel=tcg"
-  " -smp 2,cores=3,sockets=2,maxcpus=6",
+  " -smp 2,cores=3,sockets=2,maxcpus=6"
+  " -numa node -numa node",
   &data);
 free_test_data(&data);
 }
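Review bot: both hunks only append `-numa node -numa node` to the test command line, which is fine, but the expected DSDT.cphp blobs are not in this patch (the note to the maintainer says they must be regenerated with rebuild-expected-aml.sh after applying), so bios-tables-test fails at this commit until that is done. Either include the regenerated DSDT blobs alongside the new SRAT.cphp ones or state in the commit message that the test is expected to fail at this point in the series.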
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 00/18] pc: q35: x2APIC support in kvm_apic mode

2016-08-05 Thread Igor Mammedov

Changes since RFC:
  - use new KVM_CAP_X2APIC_API to detect x2APIC IDs support
  - rebase on top of 2.7-rc1, since many deps were merged
  - fix etc/boot-cpus to account for -device provided cpus
  - include not yet merged _PXM fix as prereq
  - add 2.8 machine type and bump up maxcpus count since it

Series extends current CPU/kvm_apic/generic pc machine
code to support x2APIC and up to 288 VCPUs when QEMU
is used with KVM's lapic.

Due to FW_CFG_MAX_CPUS (which is actually apic_id_limit)
being limited to uint16_t, the max possible APIC ID is
limited to 2^16 with this series but that should
be sufficient for bumping VCPUs number for quite a while.

Tested with following CLI:
 QEMU -M q35 -enable-kvm -smp 1,sockets=9,cores=32,threads=1,maxcpus=288 \
  -device qemu64-x86_64-cpu,socket-id=8,core-id=30,thread-id=0   \
  -bios x2apic_bios.bin


git tree for testing:
https://github.com/imammedo/qemu.git x2apic_v1

To play with the feature, one would also need x2apic enabled
seabios counterpart:
https://github.com/imammedo/seabios.git x2apic_v3

PS:
As for kernel deps, it needs a 4.8 kernel on the host side, and it
doesn't include the irq remapping/iommu fixes that Radim
has in a WIP branch; those should be posted separately/on top of this.

But even without the above, the kernel boots in x2APIC mode.

Igor Mammedov (17):
  numa: reduce code duplication by adding helper numa_get_node_for_cpu()
  acpi: provide _PXM method for CPU devices if QEMU is started numa
enabled
  tests: acpi: extend cphp testcase with numa check
  pc: acpi: x2APIC support for MADT table
  pc: acpi: x2APIC support for SRAT table
  acpi: cphp: support x2APIC entry in cpu._MAT
  acpi: cphp: force switch to modern cpu hotplug if APIC ID > 254
  pc: leave max apic_id_limit only in legacy cpu hotplug code
  pc: apic_common: extend APIC ID property to 32bit
  pc: apic_common: restore APIC ID to initial ID on reset
  pc: apic_common: reset APIC ID to initial ID when switching into
x2APIC mode
  pc: kvm_apic: pass APIC ID depending on xAPIC/x2APIC mode
  pc: clarify FW_CFG_MAX_CPUS usage comment
  increase MAX_CPUMASK_BITS from 255 to 288
  pc: add 'etc/boot-cpus' fw_cfg file for machine with more than 255
CPUs
  pc: add 2.8 machine
  pc: q35: bump max_cpus to 288

root (1):
  linux-headers: update to v4.8-rc1

 include/hw/acpi/acpi-defs.h|  29 +
 include/hw/compat.h|   2 +
 include/hw/i386/apic_internal.h|   3 +-
 include/hw/i386/pc.h   |   4 ++
 include/sysemu/numa.h  |   3 +
 include/sysemu/sysemu.h|   2 +-
 linux-headers/linux/kvm.h  |  13 -
 target-i386/cpu.h  |   1 +
 target-i386/kvm_i386.h |   1 +
 hw/acpi/cpu.c  |  17 ++
 hw/acpi/cpu_hotplug.c  |  17 --
 hw/arm/virt-acpi-build.c   |   6 +-
 hw/arm/virt.c  |   9 ++-
 hw/i386/acpi-build.c   | 117 +
 hw/i386/kvm/apic.c |  13 -
 hw/i386/pc.c   |  47 ---
 hw/i386/pc_piix.c  |  17 --
 hw/i386/pc_q35.c   |  14 -
 hw/intc/apic_common.c  |  46 ++-
 hw/ppc/spapr.c |   2 +-
 hw/ppc/spapr_cpu_core.c|   6 +-
 numa.c |  12 
 target-i386/cpu.c  |   2 +-
 target-i386/kvm.c  |  14 +
 tests/acpi-test-data/pc/SRAT.cphp  | Bin 0 -> 304 bytes
 tests/acpi-test-data/q35/SRAT.cphp | Bin 0 -> 304 bytes
 tests/bios-tables-test.c   |   6 +-
 27 files changed, 307 insertions(+), 96 deletions(-)
 create mode 100644 tests/acpi-test-data/pc/SRAT.cphp
 create mode 100644 tests/acpi-test-data/q35/SRAT.cphp

-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 07/18] acpi: cphp: support x2APIC entry in cpu._MAT

2016-08-05 Thread Igor Mammedov
Signed-off-by: Igor Mammedov 
---
 hw/acpi/cpu.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/acpi/cpu.c b/hw/acpi/cpu.c
index 902f5c9..5ac89fe 100644
--- a/hw/acpi/cpu.c
+++ b/hw/acpi/cpu.c
@@ -531,6 +531,11 @@ void build_cpus_aml(Aml *table, MachineState *machine, 
CPUHotplugFeatures opts,
 apic->flags = cpu_to_le32(1);
 break;
 }
+case ACPI_APIC_LOCAL_X2APIC: {
+AcpiMadtProcessorX2Apic *apic = (void *)madt_buf->data;
+apic->flags = cpu_to_le32(1);
+break;
+}
 default:
 assert(0);
 }
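Review bot: the new case casts madt_buf->data to AcpiMadtProcessorX2Apic, a struct that is only introduced by patch 05/18 of this series (include/hw/acpi/acpi-defs.h), so this patch does not build if applied ahead of it; say so in the commit message, which is currently empty apart from the Signed-off-by. The per-type cast is needed because `flags` sits at a different offset in the x2APIC entry (after the 16-bit reserved field and 32-bit x2apic_id) than in the legacy local APIC entry.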
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 09/18] pc: leave max apic_id_limit only in legacy cpu hotplug code

2016-08-05 Thread Igor Mammedov
that's enough to make the old code that depends on it
prevent QEMU from starting with more than 255 CPUs.

Signed-off-by: Igor Mammedov 
---
 hw/acpi/cpu_hotplug.c | 7 ++-
 hw/i386/pc.c  | 7 ---
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
index c2ab9b8..f15a240 100644
--- a/hw/acpi/cpu_hotplug.c
+++ b/hw/acpi/cpu_hotplug.c
@@ -15,6 +15,7 @@
 #include "qapi/error.h"
 #include "qom/cpu.h"
 #include "hw/i386/pc.h"
+#include "qemu/error-report.h"
 
 #define CPU_EJECT_METHOD "CPEJ"
 #define CPU_MAT_METHOD "CPMA"
@@ -236,7 +237,11 @@ void build_legacy_cpu_hotplug_aml(Aml *ctx, MachineState 
*machine,
 /* The current AML generator can cover the APIC ID range [0..255],
  * inclusive, for VCPU hotplug. */
 QEMU_BUILD_BUG_ON(ACPI_CPU_HOTPLUG_ID_LIMIT > 256);
-g_assert(pcms->apic_id_limit <= ACPI_CPU_HOTPLUG_ID_LIMIT);
+if (pcms->apic_id_limit > ACPI_CPU_HOTPLUG_ID_LIMIT) {
+error_report("max_cpus is too large. APIC ID of last CPU is %u",
+ pcms->apic_id_limit - 1);
+exit(1);
+}
 
 /* create PCI0.PRES device and its _CRS to reserve CPU hotplug MMIO */
 dev = aml_device("PCI0." stringify(CPU_HOTPLUG_RESOURCE_DEVICE));
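Review bot: replacing the g_assert() with error_report() + exit(1) inside build_legacy_cpu_hotplug_aml() means a too-large max_cpus now aborts QEMU at ACPI table build time instead of during machine init, where the check removed from pc_cpus_init() in the next file used to catch it; that is later and harder to report cleanly. If the goal is only to keep the legacy path from emitting bad AML, consider returning an Error through the builder so the caller fails at a defined point, and at minimum note in the commit message that the failure point moved.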
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index b1fadce..1ca5323 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -776,7 +776,6 @@ static FWCfgState *bochs_bios_init(AddressSpace *as, 
PCMachineState *pcms)
 numa_fw_cfg[0] = cpu_to_le64(nb_numa_nodes);
 for (i = 0; i < max_cpus; i++) {
 unsigned int apic_id = x86_cpu_apic_id_from_index(i);
-assert(apic_id < pcms->apic_id_limit);
 j = numa_get_node_for_cpu(i);
 if (j < nb_numa_nodes) {
 numa_fw_cfg[apic_id + 1] = cpu_to_le64(j);
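Review bot: dropping `assert(apic_id < pcms->apic_id_limit)` leaves the store to numa_fw_cfg[apic_id + 1] with no guard at all. apic_id_limit is still computed in pc_cpus_init() as x86_cpu_apic_id_from_index(max_cpus - 1) + 1 (second hunk), from the same function this loop calls, so the invariant holds; but the commit message should say why the assert is safe to drop rather than removing a bounds check silently, or the assert should simply stay.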
@@ -1188,12 +1187,6 @@ void pc_cpus_init(PCMachineState *pcms)
  * This is used for FW_CFG_MAX_CPUS. See comments on bochs_bios_init().
  */
 pcms->apic_id_limit = x86_cpu_apic_id_from_index(max_cpus - 1) + 1;
-if (pcms->apic_id_limit > ACPI_CPU_HOTPLUG_ID_LIMIT) {
-error_report("max_cpus is too large. APIC ID of last CPU is %u",
- pcms->apic_id_limit - 1);
-exit(1);
-}
-
 pcms->possible_cpus = g_malloc0(sizeof(CPUArchIdList) +
 sizeof(CPUArchId) * max_cpus);
 for (i = 0; i < max_cpus; i++) {
-- 
2.7.4




Re: [Qemu-devel] [PATCH 2/3] ppc/pnv: add a PnvChip object

2016-08-05 Thread Benjamin Herrenschmidt
On Fri, 2016-08-05 at 11:15 +0200, Cédric Le Goater wrote:
> This is an abstraction of a P8 chip which is a set of cores plus
> other 'units', like the pervasive unit, the interrupt controller, the
> memory controller, the on-chip microcontroller, etc. The whole can be
> seen as a socket.
> 
> We start with an empty PnvChip which we will grow in the subsequent
> patches with controllers required to run the system.

We should create a subclass PnvChipP8 which we instantiate for now
since P9 is around the corner and will be a bit different

Cheers,
Ben.

> Signed-off-by: Cédric Le Goater 
> ---
>  hw/ppc/pnv.c | 47
> +++
>  include/hw/ppc/pnv.h | 15 +++
>  2 files changed, 62 insertions(+)
> 
> diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
> index 3bb6a240c25b..a680780e9dea 100644
> --- a/hw/ppc/pnv.c
> +++ b/hw/ppc/pnv.c
> @@ -185,6 +185,7 @@ static void ppc_powernv_init(MachineState
> *machine)
>  sPowerNVMachineState *pnv = POWERNV_MACHINE(machine);
>  long fw_size;
>  char *filename;
> +int i;
>  
>  if (ram_size < (1 * G_BYTE)) {
>  error_report("Warning: skiboot may not work with < 1GB of
> RAM");
> @@ -236,6 +237,23 @@ static void ppc_powernv_init(MachineState
> *machine)
>  pnv->initrd_base = 0;
>  pnv->initrd_size = 0;
>  }
> +
> +/* Create PowerNV chips
> + *
> + * FIXME: We should decide how many chips to create based on
> + * #cores and Venice vs. Murano vs. Naples chip type etc..., for
> + * now, just create one chip, with all the cores.
> + */
> +pnv->num_chips = 1;
> +
> +pnv->chips = g_new0(PnvChip, pnv->num_chips);
> +for (i = 0; i < pnv->num_chips; i++) {
> +PnvChip *chip = &pnv->chips[i];
> +
> +object_initialize(chip, sizeof(*chip), TYPE_PNV_CHIP);
> +object_property_set_int(OBJECT(chip), i, "chip-id",
> &error_abort);
> +object_property_set_bool(OBJECT(chip), true, "realized",
> &error_abort);
> +}
>  }
>  
>  static void powernv_machine_class_init(ObjectClass *oc, void *data)
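Review bot: the chips are embedded in a g_new0() array and brought up with object_initialize() plus the "realized" property, but they are never attached to the QOM tree with object_property_add_child(); without a parent they have no canonical path, so they do not appear under the machine in qom-tree/qom-list and cannot be addressed from the monitor. Add the child link in the same loop, e.g. `object_property_add_child(OBJECT(pnv), "chip[*]", OBJECT(chip), &error_abort);` before setting "realized".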
> @@ -274,10 +292,39 @@ static const TypeInfo powernv_machine_2_8_info
> = {
>  .class_init= powernv_machine_2_8_class_init,
>  };
>  
> +
> +static void pnv_chip_realize(DeviceState *dev, Error **errp)
> +{
> +;
> +}
> +
> +static Property pnv_chip_properties[] = {
> +DEFINE_PROP_UINT32("chip-id", PnvChip, chip_id, 0),
> +DEFINE_PROP_END_OF_LIST(),
> +};
> +
> +static void pnv_chip_class_init(ObjectClass *klass, void *data)
> +{
> +DeviceClass *dc = DEVICE_CLASS(klass);
> +
> +dc->realize = pnv_chip_realize;
> +dc->props = pnv_chip_properties;
> +dc->desc = "PowerNV Chip";
> + }
> +
> +static const TypeInfo pnv_chip_info = {
> +.name  = TYPE_PNV_CHIP,
> +.parent= TYPE_SYS_BUS_DEVICE,
> +.instance_size = sizeof(PnvChip),
> +.class_init= pnv_chip_class_init,
> +};
> +
> +
>  static void powernv_machine_register_types(void)
>  {
>  type_register_static(&powernv_machine_info);
>  type_register_static(&powernv_machine_2_8_info);
> +type_register_static(&pnv_chip_info);
>  }
>  
>  type_init(powernv_machine_register_types)
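Review bot: pnv_chip_class_init() closes with ` }` indented by a stray space, and pnv_chip_realize() has a bare `;` as its body; an empty `{ }` with a comment saying the chip has nothing to realize yet is the clearer placeholder. There are also double blank lines before `pnv_chip_realize()` and after `pnv_chip_info`; one is enough.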
> diff --git a/include/hw/ppc/pnv.h b/include/hw/ppc/pnv.h
> index 2990f691672d..6907dc9e5c3d 100644
> --- a/include/hw/ppc/pnv.h
> +++ b/include/hw/ppc/pnv.h
> @@ -20,6 +20,18 @@
>  #define _PPC_PNV_H
>  
>  #include "hw/boards.h"
> +#include "hw/sysbus.h"
> +
> +#define TYPE_PNV_CHIP "powernv-chip"
> +#define PNV_CHIP(obj) OBJECT_CHECK(PnvChip, (obj), TYPE_PNV_CHIP)
> +
> +typedef struct PnvChip {
> +/*< private >*/
> +SysBusDevice parent_obj;
> +
> +/*< public >*/
> +uint32_t chip_id;
> +} PnvChip;
>  
>  #define TYPE_POWERNV_MACHINE  "powernv-machine"
>  #define POWERNV_MACHINE(obj) \
> @@ -31,6 +43,9 @@ typedef struct sPowerNVMachineState {
>  
>  uint32_t initrd_base;
>  long initrd_size;
> +
> +uint32_t  num_chips;
> +PnvChip   *chips;
>  } sPowerNVMachineState;
>  
>  #endif /* _PPC_PNV_H */


[Qemu-devel] [PATCH for-2.8 05/18] pc: acpi: x2APIC support for MADT table

2016-08-05 Thread Igor Mammedov
Signed-off-by: Igor Mammedov 
---
 include/hw/acpi/acpi-defs.h | 18 +++
 hw/i386/acpi-build.c| 78 +++--
 2 files changed, 72 insertions(+), 24 deletions(-)

diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
index 41c1d95..8f0024b 100644
--- a/include/hw/acpi/acpi-defs.h
+++ b/include/hw/acpi/acpi-defs.h
@@ -342,6 +342,24 @@ struct AcpiMadtLocalNmi {
 } QEMU_PACKED;
 typedef struct AcpiMadtLocalNmi AcpiMadtLocalNmi;
 
+struct AcpiMadtProcessorX2Apic {
+ACPI_SUB_HEADER_DEF
+uint16_t reserved;
+uint32_t x2apic_id;  /* Processor's local x2APIC ID */
+uint32_t flags;
+uint32_t uid;/* Processor object _UID */
+} QEMU_PACKED;
+typedef struct AcpiMadtProcessorX2Apic AcpiMadtProcessorX2Apic;
+
+struct AcpiMadtLocalX2ApicNmi {
+ACPI_SUB_HEADER_DEF
+uint16_t flags;  /* MPS INTI flags */
+uint32_t uid;/* Processor object _UID */
+uint8_t  lint;   /* Local APIC LINT# */
+uint8_t  reserved[3];/* Local APIC LINT# */
+} QEMU_PACKED;
+typedef struct AcpiMadtLocalX2ApicNmi AcpiMadtLocalX2ApicNmi;
+
 struct AcpiMadtGenericInterrupt {
 ACPI_SUB_HEADER_DEF
 uint16_t reserved;
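Review bot: in AcpiMadtLocalX2ApicNmi the comment on `uint8_t reserved[3]` reads `/* Local APIC LINT# */`, copied from the `lint` field above it; it should say the bytes are reserved. The sizes match the ACPI MADT entry types (16 bytes for the x2APIC entry, 12 bytes for the x2APIC NMI entry, both counting the 2-byte sub-header), so the layouts themselves look right.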
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 3912575..c5c2fbc 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -339,24 +339,38 @@ build_fadt(GArray *table_data, BIOSLinker *linker, 
AcpiPmInfo *pm,
 void pc_madt_cpu_entry(AcpiDeviceIf *adev, int uid,
CPUArchIdList *apic_ids, GArray *entry)
 {
-int apic_id;
-AcpiMadtProcessorApic *apic = acpi_data_push(entry, sizeof *apic);
-
-apic_id = apic_ids->cpus[uid].arch_id;
-apic->type = ACPI_APIC_PROCESSOR;
-apic->length = sizeof(*apic);
-apic->processor_id = uid;
-apic->local_apic_id = apic_id;
-if (apic_ids->cpus[uid].cpu != NULL) {
-apic->flags = cpu_to_le32(1);
+uint32_t apic_id = apic_ids->cpus[uid].arch_id;
+
+/* ACPI spec says that LAPIC entry for non present
+ * CPU may be omitted from MADT or it must be marked
+ * as disabled. However omitting non present CPU from
+ * MADT breaks hotplug on linux. So possible CPUs
+ * should be put in MADT but kept disabled.
+ */
+if (apic_id < 255) {
+AcpiMadtProcessorApic *apic = acpi_data_push(entry, sizeof *apic);
+
+apic->type = ACPI_APIC_PROCESSOR;
+apic->length = sizeof(*apic);
+apic->processor_id = uid;
+apic->local_apic_id = apic_id;
+if (apic_ids->cpus[uid].cpu != NULL) {
+apic->flags = cpu_to_le32(1);
+} else {
+apic->flags = cpu_to_le32(0);
+}
 } else {
-/* ACPI spec says that LAPIC entry for non present
- * CPU may be omitted from MADT or it must be marked
- * as disabled. However omitting non present CPU from
- * MADT breaks hotplug on linux. So possible CPUs
- * should be put in MADT but kept disabled.
- */
-apic->flags = cpu_to_le32(0);
+AcpiMadtProcessorX2Apic *apic = acpi_data_push(entry, sizeof *apic);
+
+apic->type = ACPI_APIC_LOCAL_X2APIC;
+apic->length = sizeof(*apic);
+apic->uid = uid;
+apic->x2apic_id = apic_id;
+if (apic_ids->cpus[uid].cpu != NULL) {
+apic->flags = cpu_to_le32(1);
+} else {
+apic->flags = cpu_to_le32(0);
+}
 }
 }
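Review bot: both branches of pc_madt_cpu_entry() repeat the same `if (apic_ids->cpus[uid].cpu != NULL) flags = 1 else 0` logic; compute `uint32_t flags = cpu_to_le32(apic_ids->cpus[uid].cpu != NULL);` once before `if (apic_id < 255)` and assign it in both branches, which also keeps the "possible CPUs stay in MADT but disabled" comment next to a single decision point. The 255 cut-off agrees with the `> 254` test in build_madt() below, but a shared named constant would stop the two thresholds drifting apart.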
 
@@ -368,11 +382,11 @@ build_madt(GArray *table_data, BIOSLinker *linker, 
PCMachineState *pcms)
 int madt_start = table_data->len;
 AcpiDeviceIfClass *adevc = ACPI_DEVICE_IF_GET_CLASS(pcms->acpi_dev);
 AcpiDeviceIf *adev = ACPI_DEVICE_IF(pcms->acpi_dev);
+bool x2apic_mode = false;
 
 AcpiMultipleApicTable *madt;
 AcpiMadtIoApic *io_apic;
 AcpiMadtIntsrcovr *intsrcovr;
-AcpiMadtLocalNmi *local_nmi;
 int i;
 
 madt = acpi_data_push(table_data, sizeof *madt);
@@ -381,6 +395,9 @@ build_madt(GArray *table_data, BIOSLinker *linker, 
PCMachineState *pcms)
 
 for (i = 0; i < apic_ids->len; i++) {
 adevc->madt_cpu(adev, i, apic_ids, table_data);
+if (apic_ids->cpus[i].arch_id > 254) {
+x2apic_mode = true;
+}
 }
 g_free(apic_ids);
 
@@ -413,12 +430,25 @@ build_madt(GArray *table_data, BIOSLinker *linker, 
PCMachineState *pcms)
 intsrcovr->flags  = cpu_to_le16(0xd); /* active high, level triggered 
*/
 }
 
-local_nmi = acpi_data_push(table_data, sizeof *local_nmi);
-local_nmi->type = ACPI_APIC_LOCAL_NMI;
-local_nmi->length   = sizeof(*local_nmi);
-local_nmi->processor_id = 0xff; /* all processors */
-local_nmi->flags= cpu_to_le16(0);
-local_nmi->lint = 1; /* ACPI_LINT1 */
+if (x2apic_mode) {
+AcpiMadtLocalX2ApicNmi *local_nmi;
+
+local_nmi = acpi_data_push(table_data, sizeof *local_n

[Qemu-devel] [PATCH for-2.8 08/18] acpi: cphp: force switch to modern cpu hotplug if APIC ID > 254

2016-08-05 Thread Igor Mammedov
Switch to modern cpu hotplug at machine startup time if
a cpu present at boot has apic-id in range unsupported
by legacy cpu hotplug interface (i.e. > 254), to avoid
killing QEMU from legacy cpu hotplug code with error:
   "acpi: invalid cpu id: #apic-id#"

Signed-off-by: Igor Mammedov 
---
 hw/acpi/cpu_hotplug.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/hw/acpi/cpu_hotplug.c b/hw/acpi/cpu_hotplug.c
index e19d902..c2ab9b8 100644
--- a/hw/acpi/cpu_hotplug.c
+++ b/hw/acpi/cpu_hotplug.c
@@ -63,7 +63,8 @@ static void acpi_set_cpu_present_bit(AcpiCpuHotplug *g, 
CPUState *cpu,
 
 cpu_id = k->get_arch_id(cpu);
 if ((cpu_id / 8) >= ACPI_GPE_PROC_LEN) {
-error_setg(errp, "acpi: invalid cpu id: %" PRIi64, cpu_id);
+object_property_set_bool(g->device, false, "cpu-hotplug-legacy",
+ &error_abort);
 return;
 }
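Review bot: acpi_set_cpu_present_bit() still takes `Error **errp`, but after this change nothing sets it: the out-of-range case now flips "cpu-hotplug-legacy" with &error_abort and returns, so the parameter is dead and the callers' &error_abort is misleading. Drop errp or document that the function can no longer fail. It also now dereferences g->device, which therefore has to be set before the first call (hence the reordering in the next hunk).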
 
@@ -85,13 +86,14 @@ void legacy_acpi_cpu_hotplug_init(MemoryRegion *parent, 
Object *owner,
 {
 CPUState *cpu;
 
-CPU_FOREACH(cpu) {
-acpi_set_cpu_present_bit(gpe_cpu, cpu, &error_abort);
-}
 memory_region_init_io(&gpe_cpu->io, owner, &AcpiCpuHotplug_ops,
   gpe_cpu, "acpi-cpu-hotplug", ACPI_GPE_PROC_LEN);
 memory_region_add_subregion(parent, base, &gpe_cpu->io);
 gpe_cpu->device = owner;
+
+CPU_FOREACH(cpu) {
+acpi_set_cpu_present_bit(gpe_cpu, cpu, &error_abort);
+}
 }
 
 void acpi_switch_to_modern_cphp(AcpiCpuHotplug *gpe_cpu,
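Review bot: moving the CPU_FOREACH loop below `gpe_cpu->device = owner` is required, not cosmetic: acpi_set_cpu_present_bit() now uses g->device to switch to modern hotplug, and with the old order that would have been a NULL object. The commit message should say so. Also, once the switch has happened mid-loop, the remaining CPUs are still fed to the legacy setter; either break out of the loop at that point or add a comment explaining why the remaining iterations are harmless, so nobody later "fixes" the loop the wrong way.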
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 11/18] pc: apic_common: restore APIC ID to initial ID on reset

2016-08-05 Thread Igor Mammedov
APIC ID should be restored to initial APIC ID
state after Reset and Power-On.

Signed-off-by: Igor Mammedov 
---
 hw/intc/apic_common.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index 125af9d..e246cf3 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -242,6 +242,7 @@ static void apic_reset_common(DeviceState *dev)
 
 bsp = s->apicbase & MSR_IA32_APICBASE_BSP;
 s->apicbase = APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE;
+s->id = s->initial_apic_id;
 
 s->vapic_paddr = 0;
 info->vapic_base_update(s);
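Review bot: `s->id = s->initial_apic_id;` narrows a uint32_t into the uint8_t `id` field (patch 10/18 in this series declares `uint8_t id; /* legacy APIC ID */` and `uint32_t initial_apic_id;`), and the setter there writes `s->id = (uint8_t)value;` with an explicit cast. Use the same explicit cast here, both for consistency and so the truncation for x2APIC IDs above 255 is visibly intentional.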
-- 
2.7.4




[Qemu-devel] hw/ppc/spapr_iommu.c: spapr_tce_reset() calls memset on NULL pointer

2016-08-05 Thread Peter Maydell
If you build with clang-3.8's undefined behaviour sanitizer
it reveals that hw/ppc/spapr_iommu.c is calling memset()
with a NULL pointer:

$ (cd build/clang; UBSAN_OPTIONS=print_stacktrace=1
QTEST_QEMU_BINARY=ppc64-softmmu/qemu-system-ppc64
QTEST_QEMU_IMG=qemu-img MALLOC_PERTURB_=${MALLOC_PERTURB_:-$((RANDOM %
255 + 1))} gtester -k --verbose -m=quick tests/endianness-test)
TEST: tests/endianness-test... (pid=9726)
  /ppc64/endianness/mac99: OK
  /ppc64/endianness/pseries:
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_iommu.c:388:12:
runtime error: null pointer passed as argument 1, which is declared to
never be null
/usr/include/string.h:62:62: note: nonnull attribute specified here
#0 0x562e11e5a793 in spapr_tce_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_iommu.c:388:5
#1 0x562e11e69259 in spapr_phb_children_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_pci.c:1487:9
#2 0x562e12712cbf in do_object_child_foreach
/home/petmay01/linaro/qemu-from-laptop/qemu/qom/object.c:837:19
#3 0x562e11e67b1b in spapr_phb_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr_pci.c:1519:5
#4 0x562e12210405 in qdev_reset_one
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/qdev.c:295:5
#5 0x562e122103af in qdev_walk_children
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/qdev.c:610:15
#6 0x562e1221c808 in qbus_walk_children
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/core/bus.c:59:15
#7 0x562e1208d362 in qemu_devices_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:1712:9
#8 0x562e11e460ed in ppc_spapr_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/hw/ppc/spapr.c:1198:5
#9 0x562e1208d3fb in qemu_system_reset
/home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:1725:9
#10 0x562e12093479 in main
/home/petmay01/linaro/qemu-from-laptop/qemu/vl.c:4574:5
#11 0x7f61a4a1282f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x562e11be80b8 in _start
(/home/petmay01/linaro/qemu-from-laptop/qemu/build/clang/ppc64-softmmu/qemu-system-ppc64+0xcbc0b8)

OK

Presumably the size is also 0 in this case or it would
segfault, but this is UB. Would somebody like to take a
look at fixing it?

thanks
-- PMM



[Qemu-devel] [PATCH for-2.8 10/18] pc: apic_common: extend APIC ID property to 32bit

2016-08-05 Thread Igor Mammedov
APIC ID is 32 bits wide on CPUs with x2APIC support.
Extend the 'id' property to support it.

Signed-off-by: Igor Mammedov 
---
 include/hw/i386/apic_internal.h |  3 ++-
 target-i386/cpu.h   |  1 +
 hw/intc/apic_common.c   | 40 +++-
 target-i386/cpu.c   |  2 +-
 4 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/include/hw/i386/apic_internal.h b/include/hw/i386/apic_internal.h
index 06c4e9f..c79b080 100644
--- a/include/hw/i386/apic_internal.h
+++ b/include/hw/i386/apic_internal.h
@@ -156,7 +156,8 @@ struct APICCommonState {
 MemoryRegion io_memory;
 X86CPU *cpu;
 uint32_t apicbase;
-uint8_t id;
+uint8_t id; /* legacy APIC ID */
+uint32_t initial_apic_id;
 uint8_t version;
 uint8_t arb_id;
 uint8_t tpr;
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 65615c0..9ef4db7 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -325,6 +325,7 @@
 #define MSR_IA32_APICBASE   0x1b
 #define MSR_IA32_APICBASE_BSP   (1<<8)
 #define MSR_IA32_APICBASE_ENABLE(1<<11)
+#define MSR_IA32_APICBASE_EXTD  (1 << 10)
 #define MSR_IA32_APICBASE_BASE  (0xfU<<12)
 #define MSR_IA32_FEATURE_CONTROL0x003a
 #define MSR_TSC_ADJUST  0x003b
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index 14ac43c..125af9d 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -21,6 +21,7 @@
 #include "qapi/error.h"
 #include "qemu-common.h"
 #include "cpu.h"
+#include "qapi/visitor.h"
 #include "hw/i386/apic.h"
 #include "hw/i386/apic_internal.h"
 #include "trace.h"
@@ -427,7 +428,6 @@ static const VMStateDescription vmstate_apic_common = {
 };
 
 static Property apic_properties_common[] = {
-DEFINE_PROP_UINT8("id", APICCommonState, id, -1),
 DEFINE_PROP_UINT8("version", APICCommonState, version, 0x14),
 DEFINE_PROP_BIT("vapic", APICCommonState, vapic_control, VAPIC_ENABLE_BIT,
 true),
@@ -436,6 +436,43 @@ static Property apic_properties_common[] = {
 DEFINE_PROP_END_OF_LIST(),
 };
 
+static void apic_common_get_id(Object *obj, Visitor *v, const char *name,
+   void *opaque, Error **errp)
+{
+APICCommonState *s = APIC_COMMON(obj);
+int64_t value;
+
+value = s->apicbase & MSR_IA32_APICBASE_EXTD ? s->initial_apic_id : s->id;
+visit_type_int(v, name, &value, errp);
+}
+
+static void apic_common_set_id(Object *obj, Visitor *v, const char *name,
+   void *opaque, Error **errp)
+{
+APICCommonState *s = APIC_COMMON(obj);
+Error *local_err = NULL;
+int64_t value;
+
+visit_type_int(v, name, &value, &local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+return;
+}
+
+s->initial_apic_id = value;
+s->id = (uint8_t)value;
+}
+
+static void apic_common_initfn(Object *obj)
+{
+APICCommonState *s = APIC_COMMON(obj);
+
+s->id = s->initial_apic_id = -1;
+object_property_add(obj, "id", "int",
+apic_common_get_id,
+apic_common_set_id, NULL, NULL, NULL);
+}
+
 static void apic_common_class_init(ObjectClass *klass, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(klass);
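Review bot: apic_common_set_id() accepts any int64_t and silently narrows it into initial_apic_id (uint32_t) and id (uint8_t); a negative value or one above UINT32_MAX is truncated without error. Use visit_type_uint32() (or range-check `value` and error_setg()) so a bad value from the command line is rejected at the property boundary. The getter also deserves a comment: until the guest sets MSR_IA32_APICBASE_EXTD it returns the 8-bit `s->id`, so for APIC IDs of 256 and above a QOM read of "id" gives back a different value than was set.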
@@ -455,6 +492,7 @@ static const TypeInfo apic_common_type = {
 .name = TYPE_APIC_COMMON,
 .parent = TYPE_DEVICE,
 .instance_size = sizeof(APICCommonState),
+.instance_init = apic_common_initfn,
 .class_size = sizeof(APICCommonClass),
 .class_init = apic_common_class_init,
 .abstract = true,
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 6a1afab..f7a82fe 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -2830,7 +2830,7 @@ static void x86_cpu_apic_create(X86CPU *cpu, Error **errp)
   OBJECT(cpu->apic_state), &error_abort);
 object_unref(OBJECT(cpu->apic_state));
 
-qdev_prop_set_uint8(cpu->apic_state, "id", cpu->apic_id);
+qdev_prop_set_uint32(cpu->apic_state, "id", cpu->apic_id);
 /* TODO: convert to link<> */
 apic = APIC_COMMON(cpu->apic_state);
 apic->cpu = cpu;
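Review bot: qdev_prop_set_uint32() sets the property with &error_abort, so any error the new apic_common_set_id setter reports (including a range check added later) aborts QEMU instead of being returned through this function's errp; since cpu->apic_id has already been validated by the CPU model that is tolerable, but either say so in a comment or use object_property_set_int() with errp so the failure path stays recoverable.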
-- 
2.7.4




Re: [Qemu-devel] [PATCH] ppc64: fix compressed dump with pseries kernel

2016-08-05 Thread Laurent Vivier


On 05/08/2016 11:26, Andrew Jones wrote:
> On Thu, Aug 04, 2016 at 10:41:16AM +0200, Laurent Vivier wrote:
>>
>>
>> On 04/08/2016 04:38, David Gibson wrote:
>>> On Wed, Aug 03, 2016 at 09:55:07PM +0200, Laurent Vivier wrote:
>>>> If we don't provide the page size in target-ppc:cpu_get_dump_info(),
>>>> the default one (TARGET_PAGE_SIZE, 4KB) is used to create
>>>> the compressed dump. It works fine with Macintosh, but not with
>>>> pseries as the kernel default page size is 64KB.
>>>>
>>>> Without this patch, if we generate a compressed dump in the QEMU monitor:
>>>>
>>>> (qemu) dump-guest-memory -z qemu.dump
>>>>
>>>> This dump cannot be read by crash:
>>>>
>>>> # crash vmlinux qemu.dump
>>>> ...
>>>> WARNING: cannot translate vmemmap kernel virtual addresses:
>>>>  commands requiring page structure contents will fail
>>>> ...
>>>>
>>>> Signed-off-by: Laurent Vivier 
>>>> ---
>>>>  target-ppc/arch_dump.c | 5 +
>>>>  1 file changed, 5 insertions(+)
>>>
>>> Urgh.. so, really the page size used by the guest kernel is a
>>> guest-side detail, and it's certainly possible to build a 4kiB page
>>> guest kernel, although 64kiB is the norm.
>>
>> virtio-balloon doesn't work with 4K kernel.
>>
>>> This might be the best we can do, but it'd be nice if we could probe
>>> or otherwise avoid relying on this assumption about the guest kernel.
>>
>> I agree with you but none of the other architectures probes for the page
>> size.
>>
>> For instance ARM: [I cc: Drew to know how he has chosen the values]
>>
>>     if (arm_feature(env, ARM_FEATURE_AARCH64)) {
>>         ...
>>         info->page_size = (1 << 16);
>>         ...
>>     } else {
>>         ...
>>         info->page_size = (1 << 12);
>>         ...
>>     }
>>
> 
> info->page_size is used to determine the dumpfile's block size. The
> block size needs to be at least the page size, but a multiple of page
> size works fine too. As we can't probe for the currently used guest
> page size, and a multiple of page size is fine, then using the guest's
> maximum allowed page size is the best we can do.

Thank you for the explanation.

So we can unconditionally use 64KB, even for mac99 with a 64bit
processor or a 32bit processor (that are always 4K page size)?

The maximum page size in the kernel can be 256kB [1], should we use this
value instead?

Laurent

[1] linux/arch/powerpc/include/asm/page.h
/*
 * On regular PPC32 page size is 4K (but we support 4K/16K/64K/256K pages
 * on PPC44x). For PPC64 we support either 4K or 64K software
 * page size. When using 64K pages however, whether we are really supporting
 * 64K pages in HW or not is irrelevant to those definitions.
 */
#if defined(CONFIG_PPC_256K_PAGES)
#define PAGE_SHIFT  18
#elif defined(CONFIG_PPC_64K_PAGES)
#define PAGE_SHIFT  16
#elif defined(CONFIG_PPC_16K_PAGES)
#define PAGE_SHIFT  14
#else
#define PAGE_SHIFT  12
#endif




[Qemu-devel] [PATCH for-2.8 06/18] pc: acpi: x2APIC support for SRAT table

2016-08-05 Thread Igor Mammedov
Signed-off-by: Igor Mammedov 
---
rebase on top in 2.7 + updated cpu PXM patches
---
 include/hw/acpi/acpi-defs.h | 11 +++
 hw/i386/acpi-build.c| 34 --
 2 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
index 8f0024b..c892704 100644
--- a/include/hw/acpi/acpi-defs.h
+++ b/include/hw/acpi/acpi-defs.h
@@ -492,6 +492,17 @@ struct AcpiSratProcessorAffinity
 } QEMU_PACKED;
 typedef struct AcpiSratProcessorAffinity AcpiSratProcessorAffinity;
 
+struct AcpiSratProcessorX2ApicAffinity {
+ACPI_SUB_HEADER_DEF
+uint16_treserved;
+uint32_tproximity_domain;
+uint32_tx2apic_id;
+uint32_tflags;
+uint32_tclk_domain;
+uint32_treserved2;
+} QEMU_PACKED;
+typedef struct AcpiSratProcessorX2ApicAffinity AcpiSratProcessorX2ApicAffinity;
+
 struct AcpiSratMemoryAffinity
 {
 ACPI_SUB_HEADER_DEF
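Review bot: the new struct puts its brace on the declaration line (`struct AcpiSratProcessorX2ApicAffinity {`) while the neighbouring AcpiSratProcessorAffinity and AcpiSratMemoryAffinity definitions put it on its own line; match the file's convention. The layout (2-byte sub-header, 2 reserved, 4 proximity domain, 4 x2APIC ID, 4 flags, 4 clock domain, 4 reserved) adds up to the 24 bytes the ACPI Processor Local x2APIC Affinity Structure requires, and a QEMU_BUILD_BUG_ON on sizeof next to the typedef would make that checkable at compile time.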
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index c5c2fbc..8cef627 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2420,7 +2420,6 @@ static void
 build_srat(GArray *table_data, BIOSLinker *linker, MachineState *machine)
 {
 AcpiSystemResourceAffinityTable *srat;
-AcpiSratProcessorAffinity *core;
 AcpiSratMemoryAffinity *numamem;
 
 int i;
@@ -2440,18 +2439,33 @@ build_srat(GArray *table_data, BIOSLinker *linker, 
MachineState *machine)
 
 for (i = 0; i < apic_ids->len; i++) {
 int j = numa_get_node_for_cpu(i);
-int apic_id = apic_ids->cpus[i].arch_id;
+uint32_t apic_id = apic_ids->cpus[i].arch_id;
 
-core = acpi_data_push(table_data, sizeof *core);
-core->type = ACPI_SRAT_PROCESSOR_APIC;
-core->length = sizeof(*core);
-core->local_apic_id = apic_id;
-if (j < nb_numa_nodes) {
+if (apic_id < 255) {
+AcpiSratProcessorAffinity *core;
+
+core = acpi_data_push(table_data, sizeof *core);
+core->type = ACPI_SRAT_PROCESSOR_APIC;
+core->length = sizeof(*core);
+core->local_apic_id = apic_id;
+if (j < nb_numa_nodes) {
 core->proximity_lo = j;
+}
+memset(core->proximity_hi, 0, 3);
+core->local_sapic_eid = 0;
+core->flags = cpu_to_le32(1);
+} else {
+AcpiSratProcessorX2ApicAffinity *core;
+
+core = acpi_data_push(table_data, sizeof *core);
+core->type = ACPI_SRAT_PROCESSOR_x2APIC;
+core->length = sizeof(*core);
+core->x2apic_id = apic_id;
+if (j < nb_numa_nodes) {
+core->proximity_domain = cpu_to_le32(j);
+}
+core->flags = cpu_to_le32(1);
 }
-memset(core->proximity_hi, 0, 3);
-core->local_sapic_eid = 0;
-core->flags = cpu_to_le32(1);
 }
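Review bot: x2apic_id is stored host-endian (`core->x2apic_id = apic_id;`) while proximity_domain two lines later goes through cpu_to_le32(); ACPI tables are little-endian, so make it `core->x2apic_id = cpu_to_le32(apic_id);` for consistency (the 8-bit local_apic_id in the other branch needs no swap). The unchanged `core->proximity_lo = j;` line now sits one block deeper than before but kept its old indentation, so reindent it. ACPI_SRAT_PROCESSOR_x2APIC is not defined in this patch's acpi-defs.h hunk; if it comes from an earlier patch in the series, say so in the commit message. Finally, the `apic_id < 255` threshold deserves a comment that 0xFF is the xAPIC broadcast ID, which is why every ID from 255 upward must use the x2APIC entry.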
 
 
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 15/18] increase MAX_CPUMASK_BITS from 255 to 288

2016-08-05 Thread Igor Mammedov
so that it would be possible to increase the maxcpus limit
for the x86 target. Keep spapr/virt_arm at the limit they used
to have, 255.

Signed-off-by: Igor Mammedov 
---
 include/sysemu/sysemu.h | 2 +-
 hw/arm/virt.c   | 2 +-
 hw/ppc/spapr.c  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index ee7c760..1250469 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -176,7 +176,7 @@ extern int mem_prealloc;
  *
  * Note that cpu->get_arch_id() may be larger than MAX_CPUMASK_BITS.
  */
-#define MAX_CPUMASK_BITS 255
+#define MAX_CPUMASK_BITS 288
 
 #define MAX_OPTION_ROMS 16
 typedef struct QEMUOptionRom {
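Review bot: the commit message says only that the bump makes a higher x86 maxcpus possible; the comment block above the define already documents the relation to cpu->get_arch_id(), so extend it with where 288 comes from, since a reader of sysemu.h cannot tell whether it is an x86 constraint or an arbitrary round-up.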
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 89828e5..8b4e6e6 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -1456,7 +1456,7 @@ static void virt_machine_class_init(ObjectClass *oc, void 
*data)
  * it later in machvirt_init, where we have more information about the
  * configuration of the particular instance.
  */
-mc->max_cpus = MAX_CPUMASK_BITS;
+mc->max_cpus = 255;
 mc->has_dynamic_sysbus = true;
 mc->block_default_type = IF_VIRTIO;
 mc->no_cdrom = 1;
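Review bot: replacing MAX_CPUMASK_BITS with the literal 255 leaves a magic number in virt_machine_class_init; a named constant, or at least a comment saying this is the limit the machine had before the generic mask grew, keeps the intent visible. The comment just above the line (about adjusting later in machvirt_init) is still accurate, so it only needs the number explained.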
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index bce2371..fb533d1 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2423,7 +2423,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 mc->init = ppc_spapr_init;
 mc->reset = ppc_spapr_reset;
 mc->block_default_type = IF_SCSI;
-mc->max_cpus = MAX_CPUMASK_BITS;
+mc->max_cpus = 255;
 mc->no_parallel = 1;
 mc->default_boot_order = "";
 mc->default_ram_size = 512 * M_BYTE;
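Review bot: same point as for hw/arm/virt.c: `mc->max_cpus = 255;` is a bare number where a named constant (or a comment tying it to the previous MAX_CPUMASK_BITS value) would tell the reader it is a deliberate freeze of the old limit rather than an sPAPR-specific bound.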
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 13/18] pc: kvm_apic: pass APIC ID depending on xAPIC/x2APIC mode

2016-08-05 Thread Igor Mammedov
Signed-off-by: Igor Mammedov 
---
 target-i386/kvm_i386.h |  1 +
 hw/i386/kvm/apic.c | 13 +++--
 target-i386/kvm.c  | 14 ++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/target-i386/kvm_i386.h b/target-i386/kvm_i386.h
index 42b00af..dad0dcf 100644
--- a/target-i386/kvm_i386.h
+++ b/target-i386/kvm_i386.h
@@ -41,4 +41,5 @@ int kvm_device_msix_set_vector(KVMState *s, uint32_t dev_id, 
uint32_t vector,
 int kvm_device_msix_assign(KVMState *s, uint32_t dev_id);
 int kvm_device_msix_deassign(KVMState *s, uint32_t dev_id);
 
+bool kvm_has_x2apic_ids(void);
 #endif
diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
index 2bd0de8..3b33502 100644
--- a/hw/i386/kvm/apic.c
+++ b/hw/i386/kvm/apic.c
@@ -15,6 +15,7 @@
 #include "hw/i386/apic_internal.h"
 #include "hw/pci/msi.h"
 #include "sysemu/kvm.h"
+#include "kvm_i386.h"
 
 static inline void kvm_apic_set_reg(struct kvm_lapic_state *kapic,
 int reg_id, uint32_t val)
@@ -34,7 +35,11 @@ void kvm_put_apic_state(DeviceState *dev, struct 
kvm_lapic_state *kapic)
 int i;
 
 memset(kapic, 0, sizeof(*kapic));
-kvm_apic_set_reg(kapic, 0x2, s->id << 24);
+if (kvm_has_x2apic_ids() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+kvm_apic_set_reg(kapic, 0x2, s->initial_apic_id);
+} else {
+kvm_apic_set_reg(kapic, 0x2, s->id << 24);
+}
 kvm_apic_set_reg(kapic, 0x8, s->tpr);
 kvm_apic_set_reg(kapic, 0xd, s->log_dest << 24);
 kvm_apic_set_reg(kapic, 0xe, s->dest_mode << 28 | 0x0fff);
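Review bot: `kvm_has_x2apic_ids() && s->apicbase & MSR_IA32_APICBASE_EXTD` relies on `&` binding tighter than `&&`; parenthesise the bit test for readability. The same condition is repeated in kvm_get_apic_state below, so a small static helper (e.g. `apic_uses_x2apic_ids(s)`) would keep the two in sync. Also document the fallback in a comment: when the guest is in x2APIC mode but the kernel lacks the x2APIC API, the code writes `s->id << 24`, which for IDs above 255 carries the truncated 8-bit value.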
@@ -59,7 +64,11 @@ void kvm_get_apic_state(DeviceState *dev, struct 
kvm_lapic_state *kapic)
 APICCommonState *s = APIC_COMMON(dev);
 int i, v;
 
-s->id = kvm_apic_get_reg(kapic, 0x2) >> 24;
+if (kvm_has_x2apic_ids() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+assert(kvm_apic_get_reg(kapic, 0x2) == s->initial_apic_id);
+} else {
+s->id = kvm_apic_get_reg(kapic, 0x2) >> 24;
+}
 s->tpr = kvm_apic_get_reg(kapic, 0x8);
 s->arb_id = kvm_apic_get_reg(kapic, 0x9);
 s->log_dest = kvm_apic_get_reg(kapic, 0xd) >> 24;
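Review bot: `assert(kvm_apic_get_reg(kapic, 0x2) == s->initial_apic_id)` turns a mismatch in state returned by the kernel (for example after migration from a host whose x2APIC API behaves differently) into a QEMU crash rather than a reported error; prefer a warning or an error return here and reserve assert for invariants QEMU itself controls.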
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 9697e16..f1c2a93 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -111,8 +111,15 @@ static int has_pit_state2;
 
 static bool has_msr_mcg_ext_ctl;
 
+static bool has_x2apic_ids;
+
 static struct kvm_cpuid2 *cpuid_cache;
 
+bool kvm_has_x2apic_ids(void)
+{
+return has_x2apic_ids;
+}
+
 int kvm_has_pit_state2(void)
 {
 return has_pit_state2;
@@ -1155,6 +1162,13 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 has_pit_state2 = kvm_check_extension(s, KVM_CAP_PIT_STATE2);
 #endif
 
+#ifdef KVM_CAP_X2APIC_API
+if (kvm_check_extension(s, KVM_CAP_X2APIC_API)) {
+has_x2apic_ids = !kvm_vm_enable_cap(s, KVM_CAP_X2APIC_API, 0,
+KVM_X2APIC_API_USE_32BIT_IDS);
+}
+#endif
+
 ret = kvm_get_supported_msrs(s);
 if (ret < 0) {
 return ret;
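Review bot: when KVM_CAP_X2APIC_API is advertised but kvm_vm_enable_cap() fails, has_x2apic_ids silently stays false and the APIC code falls back to 8-bit IDs; log the failure, and consider making it fatal when the machine is configured for more than 255 CPUs, so an x2APIC-dependent configuration does not degrade silently. The `#ifdef KVM_CAP_X2APIC_API` guard is fine for older headers but likewise compiles the whole path out without any notice.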
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 16/18] pc: add 'etc/boot-cpus' fw_cfg file for machine with more than 255 CPUs

2016-08-05 Thread Igor Mammedov
Currently firmware uses 1 byte at 0x5F offset in RTC CMOS
to get number of CPUs present at boot. However 1 byte is
not enough to handle more than 255 CPUs.  So add a new
fw_cfg file that would allow QEMU to tell it.
For compat reasons add file only for machine types that
support more than 255 CPUs.

Signed-off-by: Igor Mammedov 
---
 hw/i386/pc.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index c2cd5bd..2b5581a 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -1235,9 +1235,11 @@ void pc_machine_done(Notifier *notifier, void *data)
 PCMachineState *pcms = container_of(notifier,
 PCMachineState, machine_done);
 PCIBus *bus = pcms->bus;
+static uint16_t boot_cpus;
 
 /* set the number of CPUs */
-rtc_set_memory(pcms->rtc, 0x5f, pc_present_cpus_count(pcms) - 1);
+boot_cpus = pc_present_cpus_count(pcms);
+rtc_set_memory(pcms->rtc, 0x5f, boot_cpus - 1);
 
 if (bus) {
 int extra_hosts = 0;
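Review bot: the function-local `static uint16_t boot_cpus` needs a comment explaining why it must outlive the call (presumably because fw_cfg_add_file() keeps a reference to the buffer rather than copying it); without that a reader will take the `static` for a mistake. Also `rtc_set_memory(pcms->rtc, 0x5f, boot_cpus - 1)` silently truncates to 8 bits once more than 256 CPUs are present, which is exactly the case this patch is about; a comment that firmware must prefer etc/boot-cpus, or clamping the CMOS value, would make that explicit.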
@@ -1258,8 +1260,16 @@ void pc_machine_done(Notifier *notifier, void *data)
 
 acpi_setup();
 if (pcms->fw_cfg) {
+MachineClass *mc = MACHINE_GET_CLASS(pcms);
+
 pc_build_smbios(pcms->fw_cfg);
 pc_build_feature_control_file(pcms);
+
+if (mc->max_cpus > 255) {
+boot_cpus = cpu_to_le16(boot_cpus);
+fw_cfg_add_file(pcms->fw_cfg, "etc/boot-cpus", &boot_cpus,
+sizeof(boot_cpus));
+}
 }
 }
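Review bot: `boot_cpus = cpu_to_le16(boot_cpus);` converts the static in place, so from here on the variable no longer holds the host-order count; use a separate little-endian copy (or convert at assignment time and keep the rtc call on the raw value) to avoid a surprise if the value is read again. The file is only published when `mc->max_cpus > 255`; the commit message gives the compat reason, but a one-line comment at the condition would save the next reader a trip through git log.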
 
-- 
2.7.4




[Qemu-devel] [PATCH for-2.8 12/18] pc: apic_common: reset APIC ID to initial ID when switching into x2APIC mode

2016-08-05 Thread Igor Mammedov
SDM: x2APIC State Transitions:
 State Changes From xAPIC Mode to x2APIC Mode
"
Any APIC ID value written to the memory-mapped
local APIC ID register is not preserved
"

Signed-off-by: Igor Mammedov 
---
 hw/intc/apic_common.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index e246cf3..492afb3 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -39,6 +39,11 @@ void cpu_set_apic_base(DeviceState *dev, uint64_t val)
 if (dev) {
 APICCommonState *s = APIC_COMMON(dev);
 APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
+/* switching to x2APIC, reset possibly modified xAPIC ID */
+if (!(s->apicbase & MSR_IA32_APICBASE_EXTD) &&
+(val & MSR_IA32_APICBASE_EXTD)) {
+s->id = s->initial_apic_id;
+}
 info->set_base(s, val);
 }
 }
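Review bot: the reset applies only on the xAPIC-to-x2APIC transition (EXTD going from 0 to 1), matching the SDM quote in the commit message, and the check reads s->apicbase before info->set_base() updates it, so the ordering is right. Two points deserve a comment: the SDM treats EXTD=1 with EN=0 as an invalid transition, so either set_base() rejects that combination or this check should not assume a valid mode change; and the reverse direction (x2APIC back to xAPIC via the disabled state) deliberately leaves s->id untouched.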
-- 
2.7.4




Re: [Qemu-devel] [PATCH for 2.7] linuxboot_dma: avoid guest ABI breakage on gcc vs. clang compilation

2016-08-05 Thread Richard W.M. Jones
On Fri, Aug 05, 2016 at 11:34:57AM +0200, Paolo Bonzini wrote:
> GCC compiles linuxboot_dma.c to 921 bytes, while clang needs 1527.
> This causes the API to break between a GCC-compiled ROM and
> one that was obtained with clang.

I don't understand this justification.  Which API?  Between which
bits?  Can you expand on this bit ...

Rich.

> First, this patch fixes this by preventing clang's happy inlining (which
> -Os cannot prevent).  This only requires adding a noinline attribute.
> 
> Second, it makes sure that an unexpected guest ABI breakage cannot happen
> in the future.  The size must now hardcoded in the file that is passed to
> signrom.py, as was the case before commit 6f71b77 ("scripts/signrom.py:
> Allow option ROM checksum script to write the size header.", 2016-05-23);
> signrom.py however will still pad the input to the requested size, to
> avoid the need for -fno-toplevel-reorder which clang doesn't support.
> signrom.py can then error out if the requested size is too small for
> the actual size of the compiled ROM.
> 
> Signed-off-by: Paolo Bonzini 
> ---
>  pc-bios/optionrom/linuxboot_dma.c |  8 ++--
>  scripts/signrom.py| 27 +++
>  2 files changed, 17 insertions(+), 18 deletions(-)
> 
> diff --git a/pc-bios/optionrom/linuxboot_dma.c 
> b/pc-bios/optionrom/linuxboot_dma.c
> index 8509b28..8584a49 100644
> --- a/pc-bios/optionrom/linuxboot_dma.c
> +++ b/pc-bios/optionrom/linuxboot_dma.c
> @@ -25,7 +25,7 @@ asm(
>  ".global _start\n"
>  "_start:\n"
>  "   .short 0xaa55\n"
> -"   .byte 0\n" /* size in 512 units, filled in by signrom.py */
> +"   .byte 2\n" /* desired size in 512 units; signrom.py adds padding */
>  "   .byte 0xcb\n" /* far return without prefix */
>  "   .org 0x18\n"
>  "   .short 0\n"
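Review bot: `.byte 2` hard-codes a 1024-byte ROM; the commit message says the clang build needed 1527 bytes before the noinline change, so it should also state the size after it (it must fit below 1024 or signrom.py now fails the build). Consider a named constant shared with the signrom.py invocation so the limit is not a bare number inside an asm string.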
> @@ -157,7 +157,11 @@ static inline uint32_t be32_to_cpu(uint32_t x)
>  return bswap32(x);
>  }
>  
> -static void bios_cfg_read_entry(void *buf, uint16_t entry, uint32_t len)
> +/* clang is happy to inline this function, and bloats the
> + * ROM.
> + */
> +static __attribute__((__noinline__))
> +void bios_cfg_read_entry(void *buf, uint16_t entry, uint32_t len)
>  {
>  FWCfgDmaAccess access;
>  uint32_t control = (entry << 16) | BIOS_CFG_DMA_CTL_SELECT
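Review bot: the comment on the noinline attribute should mention the size limit it protects (the ROM size field set above), so that a future cleanup does not drop the attribute as redundant once clang's inlining heuristics change.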
> diff --git a/scripts/signrom.py b/scripts/signrom.py
> index 5629bca..d1dabe0 100644
> --- a/scripts/signrom.py
> +++ b/scripts/signrom.py
> @@ -23,26 +23,21 @@ if magic != '\x55\xaa':
>  
>  size_byte = ord(fin.read(1))
>  fin.seek(0)
> +data = fin.read()
>  
> -if size_byte == 0:
> -# If the caller left the size field blank then we will fill it in,
> -# also rounding the whole input to a multiple of 512 bytes.
> -data = fin.read()
> -# +1 because we need a byte to store the checksum.
> -size = len(data) + 1
> -# Round up to next multiple of 512.
> -size += 511
> -size -= size % 512
> -if size >= 65536:
> -sys.exit("%s: option ROM size too large" % sys.argv[1])
> +size = size_byte * 512
> +if len(data) > size:
> +sys.stderr.write('error: ROM is too large (%d > %d)\n' % (len(data), 
> size))
> +sys.exit(1)
> +elif len(data) < size:
> +# Add padding if necessary, rounding the whole input to a multiple of
> +# 512 bytes according to the third byte of the input.
>  # size-1 because a final byte is added below to store the checksum.
>  data = data.ljust(size-1, '\0')
> -data = data[:2] + chr(size/512) + data[3:]
>  else:
> -# Otherwise the input file specifies the size so use it.
> -# -1 because we overwrite the last byte of the file with the checksum.
> -size = size_byte * 512 - 1
> -data = fin.read(size)
> +if ord(data[-1:]) != 0:
> +sys.stderr.write('WARNING: ROM includes nonzero checksum\n')
> +data = data[:size-1]
>  
>  fout.write(data)
>  
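Review bot: with the old `size_byte == 0` branch gone, an input whose size field is still blank now yields `size = 0` and fails with "ROM is too large (N > 0)", a misleading message; add an explicit `if size_byte == 0:` check with a clear error before the comparison. The new messages also mix `sys.stderr.write` followed by `sys.exit(1)` with the removed line's `sys.exit("%s: ..." % sys.argv[1])` style; pick one and include the file name in both. In the `else` branch the `ord(data[-1:])` warning fires when the input already occupies the checksum slot; naming the file there would help as well.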
> -- 
> 2.7.4

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v


