On 16 April 2015 at 16:17, Paolo Bonzini <pbonz...@redhat.com> wrote: > > > On 16/04/2015 17:05, Leon Alrae wrote: >> On 16/04/2015 13:02, Paolo Bonzini wrote: >>> >>> >>> On 16/04/2015 13:07, Leon Alrae wrote: >>>> Since I also haven't had a chance to test Loongson emulation, I thought >>>> I'd give it a try (TCG only, Loongson-2E cpu and fulong2e machine). >>>> >>>> Good news is that I'm able to get to the login prompt using ancient QEMU >>>> v1.0, kernel 2.6.33 (with additional patch from >>>> https://lists.gnu.org/archive/html/qemu-devel/2010-06/msg02566.html) and >>>> some old debian image I had handy. However, in any newer version >>>> starting from v1.1.0 of QEMU something goes horribly wrong and it just >>>> segfaults somewhere inside hw/bonito.c quite early during kernel >>>> booting. >>> >>> Where exactly? If it's related to the memory API conversion, it may be >>> easy to fix. I can look at a backtrace (or you can just put the Debian >>> image somewhere I can grab it). >> >> Bisect points at: 5312bd8b3152f8d4fcf9389ba54e32b09f4b4093 >> >> Crash occurs during the first access, below there is backtrace from >> working and not working case: > > This is my best guess... > > diff --git a/hw/pci-host/bonito.c b/hw/pci-host/bonito.c > index 8bdd569..8134d0b 100644 > --- a/hw/pci-host/bonito.c > +++ b/hw/pci-host/bonito.c > @@ -233,7 +233,7 @@ static void bonito_writel(void *opaque, hwaddr addr, > uint32_t saddr; > int reset = 0; > > - saddr = (addr - BONITO_REGBASE) >> 2; > + saddr = addr >> 2; > > DPRINTF("bonito_writel "TARGET_FMT_plx" val %x saddr %x\n", addr, val, > saddr); > switch (saddr) { > @@ -295,7 +295,7 @@ static uint64_t bonito_readl(void *opaque, hwaddr addr, > PCIBonitoState *s = opaque; > uint32_t saddr; > > - saddr = (addr - BONITO_REGBASE) >> 2; > + saddr = addr >> 2; > > DPRINTF("bonito_readl "TARGET_FMT_plx"\n", addr); > switch (saddr) {
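Review bot: both hunks (bonito_writel and bonito_readl) silently drop the `- BONITO_REGBASE` term from `saddr = (addr - BONITO_REGBASE) >> 2;` without recording why; the commit message should state that since the memory API conversion the handler receives an offset relative to the start of its MemoryRegion, so subtracting the absolute base wraps the unsigned value and yields a huge `saddr`, which is presumably the segfault on first access seen in the bisect. While touching these two functions, please check that the file's other MMIO handlers (bonito_cop_writel and bonito_ldma_writel are named later in this thread) do not use the same absolute-address pattern, and confirm that the `default:` path of `switch (saddr)` in both functions only logs the stray access, since neither hunk adds a range check on the guest-controlled offset.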
Wow, I thought we'd fixed all those "non-page-aligned mmio region broke when the memory core was fixed to actually pass the correct address to it" bugs years ago. I wonder if there's a way to find out if we have any more (coccinelle search pattern?)

Incidentally, this device will happily let the guest overwrite arbitrary chunks of its state struct via bonito_cop_writel and bonito_ldma_writel, so I hope nobody runs untrusted guests on this model :-) (Its realize function maps its own MMIO regions into system memory, too, which is a huge style error these days.)

-- PMM
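As an added illustration (constructed for this page, not QEMU's bonito.c or anyone's posted code), the following C model shows both problems discussed above: an offset computed for absolute addresses that wraps once the memory core passes region-relative offsets, and a write handler that trusts the guest offset with no bounds check, beside a hardened variant. REGBASE, NUM_REGS, DevState and the function names are hypothetical.

```c
/* Constructed model of the two problems raised in this thread; it is not
 * QEMU's bonito.c, and REGBASE, NUM_REGS and DevState are hypothetical.
 * 1. An index computed for absolute addresses goes wrong once the memory
 *    core hands the handler a region-relative offset (unsigned wrap).
 * 2. A write handler that trusts the guest offset with no bounds check
 *    lets the guest overwrite whatever sits after the register array. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define REGBASE  0x100u   /* hypothetical absolute base of the register block */
#define NUM_REGS 16u      /* hypothetical number of 32-bit registers */

typedef struct {
    uint32_t regs[NUM_REGS];
    uint32_t secret_state;   /* device-private field, never guest-writable */
} DevState;

/* Pre-conversion style: addr was absolute, so the base was subtracted.
 * Given a relative offset, the subtraction wraps and the index is huge. */
static uint32_t legacy_reg_index(uint64_t addr)
{
    return (uint32_t)((addr - REGBASE) >> 2);
}

/* Post-conversion style, as in the patch: addr is already region-relative. */
static uint32_t fixed_reg_index(uint64_t addr)
{
    return (uint32_t)(addr >> 2);
}

/* Unsafe: the guest-supplied byte offset selects any word in the state. */
static void unsafe_writel(DevState *s, uint64_t addr, uint32_t val)
{
    memcpy((char *)s + addr, &val, sizeof val);   /* no range check at all */
}

/* Hardened: accept only aligned offsets inside regs[]; false = rejected. */
static bool safe_writel(DevState *s, uint64_t addr, uint32_t val)
{
    uint32_t idx = fixed_reg_index(addr);
    if ((addr & 3) != 0 || idx >= NUM_REGS) {
        return false;   /* a real model would log a guest error here */
    }
    s->regs[idx] = val;
    return true;
}
```

The wrapped index from `legacy_reg_index(0)` is the kind of value a "non-page-aligned MMIO region" handler sees after the offset semantics change, and `unsafe_writel` reaches `secret_state` with an offset just past the register array.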