Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Gleb Natapov]

On Sat, Mar 03, 2012 at 10:56:02PM -0800, Jordan Justen wrote:
 On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
  The core issue that kvm (the kernel part) supports two styles of memory:
  read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
  and rom/device wants reads serviced from memory and writes serviced by
  userspace (as MMIO).
 
  It should not be too hard to patch kvm to support these additional two
  styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
  define the new attributes for the region, and kvm_mmu_page_fault() to
  map these pages as read-only and emulate writes (for ROM/device regions).
 
 Additional context for CC'd kvm-devel: I would like to support
 executing from an emulated flash memory on kvm.  The flash memory
 would be a CFI (Firmware Hub-like) device which is programmed via MMIO
 at the same addresses in memory where the execution would occur.
 
 What is needed is:
 1. The ability to set a region to allow read/exec,
but trap to qemu on writes.
 2. qemu should then be able to set the region
to trap on reads/exec/writes.
Do you want to execute code from a flash while it traps on read/exec?
KVM emulator can't do that.

 3. qemu should be able to then restore the region
to the initial state.
 
 Here is my plan:
 1. Add KVM_CAP_REGION_WRITE_TRAP
 2. Add kvm_memory_region::flags
KVM_MEMSLOT_TRAP_WRITES
 3. Update page table creation to trap on writes when
KVM_MEMSLOT_TRAP_WRITES is set
 
 Is this plan heading in the right direction?
 
 Regarding emulating ROM (as you mentioned above): I think that it can
 trap to qemu and QEMU can ignore it.  This would be a performance hit,
 but I don't think it is expected that lots of writes to a ROM will
 occur.  Do you agree?
 
 -Jordan

--
Gleb.

Re: [Qemu-devel] BlockDriverState stack and BlockListeners

[Paolo Bonzini]

Il 04/03/2012 06:14, Ori Mamluk ha scritto:
 I prefer not to do it as NBD server, mainly because NBD by definition
 requires a port per volume and I think it will pose a management overhead.

NBD supports multiple volumes on the same server, just not the
implementation in QEMU.  Also you could use a different negotiation but
still the same request format, which would let you share some code.

Paolo

[Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Michael S. Tsirkin]

I ended up with qmp-commands.h in target directories,
which makes build fail as it is found before the
main header.
make clean fixes it, but it might get triggered
again when we make some header target-independent next.
It's easy to just make sure all such leftovers are
removed, so let's do this.

Signed-off-by: Michael S. Tsirkin m...@redhat.com

diff --git a/Makefile b/Makefile
index e66e885..958a414 100644
--- a/Makefile
+++ b/Makefile
@@ -89,6 +89,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx
 SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
 
 subdir-%: $(GENERATED_HEADERS)
+   $(call quiet-command,rm -f $(foreach header, $(GENERATED_HEADERS), 
$*/$(header)),)
$(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $* V=$(V) 
TARGET_DIR=$*/ all,)
 
 ifneq ($(wildcard config-host.mak),)

Re: [Qemu-devel] SPARC64: unable to boot OpenBIOS from git master

[Michael S. Tsirkin]

On Sat, Mar 03, 2012 at 03:09:16PM +, Blue Swirl wrote:
 On Mon, Feb 27, 2012 at 06:36, Mark Cave-Ayland
 mark.cave-ayl...@ilande.co.uk wrote:
  Hi all,
 
  I've been experimenting with SPARC64 under QEMU, and with current git master
  I am unable to boot OpenBIOS at all with the following error:
 
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19d84 NPC = 0xffd19d88
  Stopping execution
 
  Using git bisect indicates that the problem lies with the following commit:
 
 
  commit d5f27e88699f14c802d66c01de70e5ea37b7153a
  Author: Michael S. Tsirkin m...@redhat.com
  Date:   Tue Feb 21 15:57:58 2012 +0200
 
     pci: set memory type for memory behind the bridge
 
     As we make upper bits in IO and prefetcheable memory
     registers writeable, we should declare support
     for 64 bit prefetcheable memory and 32 bit io
     in the bridge.
 
     This changes the default for apb, dec, but I'm guessing
     they got the defaults wrong by accident.
     Alternatively, we could let bridges declare lack of
     64 bit support and make the upper bits read-only zero.
 
     With this applied, we can drop these bits
     from express code.
 
     Reported-by: Gerd Hoffmann kra...@redhat.com
     Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
     Could someone familiar with apb,dec ack this please?
     Signed-off-by: Anthony Liguori aligu...@us.ibm.com
 
 
  Does anyone have an idea as to whether this is something that needs to be
  fixed in QEMU or OpenBIOS?
 
 No idea. Michael, should the commit be reverted?
 
 It's easy to confirm the bug, just run qemu-system-sparc64 without any
 arguments. Bug: black screen, no bug: yellow screen with OpenBIOS boot
 text.
 
 In fact, it's pretty annoying to see that even this very minimal
 amount of testing effort has not been spent by a critical subsystem
 maintainer.

My bad, I just sent out a fix.

 
  Many thanks,
 
  Mark.
 

[Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
a regression: we do not make IO base/limit upper 16
bit registers writeable, so we should report a 16 bit
IO range type, not a 32 bit one.
Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.

In particular, this broke sparc64.

Note: this just reverts to behaviour prior to the patch.
Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
registers writeable should, and seems to, work just as well, but
as no system seems to actually be interested in 32 bit IO,
let's not make unnecessary changes.

Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
Signed-off-by: Michael S. Tsirkin m...@redhat.com

Mark, can you confirm that this fixes the bug for you?

---
 hw/pci.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/pci.c b/hw/pci.c
index fee27fc..6d08cef 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -633,8 +633,8 @@ static void pci_init_mask_bridge(PCIDevice *d)
 memset(d-wmask + PCI_PREF_BASE_UPPER32, 0xff, 8);
 
 /* Supported memory and i/o types */
-d-config[PCI_IO_BASE] |= PCI_IO_RANGE_TYPE_32;
-d-config[PCI_IO_LIMIT] |= PCI_IO_RANGE_TYPE_32;
+d-config[PCI_IO_BASE] |= PCI_IO_RANGE_TYPE_16;
+d-config[PCI_IO_LIMIT] |= PCI_IO_RANGE_TYPE_16;
 pci_word_test_and_set_mask(d-config + PCI_PREF_MEMORY_BASE,
PCI_PREF_RANGE_TYPE_64);
 pci_word_test_and_set_mask(d-config + PCI_PREF_MEMORY_LIMIT,
-- 
1.7.9.111.gf3fb0

Re: [Qemu-devel] [PULL] kvm updates

[Avi Kivity]

On 03/02/2012 01:45 AM, Andreas Färber wrote:
 Am 01.03.2012 13:47, schrieb Avi Kivity:
  Avi Kivity (1):
pc-bios: update kvmvapic.bin
  
  Gleb Natapov (1):
kvm: Synchronize cpu state in kvm_arch_stop_on_emulation_error()
  
  Jan Kiszka (10):
kvm: Set cpu_single_env only once
Remove useless casts from cpu iterators
Process pending work while waiting for initial kick-off in TCG mode
Allow to use pause_all_vcpus from VCPU context
target-i386: Add infrastructure for reporting TPR MMIO accesses
kvmvapic: Add option ROM
kvmvapic: Introduce TPR access optimization for Windows guests
kvmvapic: Simplify mp/up_set_tpr
optionsrom: Reserve space for checksum
kvmvapic: Use optionrom helpers

 What about my kvmclock kvm_enabled() fix? Should I rather submit that as
 part of my qom-cpu queue? It depends on it.

I am still catching up with my queue post vacation.  Somehow it seems to
be getting longer instead of shorter.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
 commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
 a regression: we do not make IO base/limit upper 16
 bit registers writeable, so we should report a 16 bit
 IO range type, not a 32 bit one.
 Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.

 In particular, this broke sparc64.

 Note: this just reverts to behaviour prior to the patch.
 Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
 registers writeable should, and seems to, work just as well, but
 as no system seems to actually be interested in 32 bit IO,
 let's not make unnecessary changes.

 Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
 Signed-off-by: Michael S. Tsirkin m...@redhat.com

 Mark, can you confirm that this fixes the bug for you?

No, running
qemu-system-sparc64 -serial stdio
still shows black screen and the following on console:
OpenBIOS for Sparc64
Unhandled Exception 0x0032
PC = 0xffd19e18 NPC = 0xffd19e1c
Stopping execution

This unassigned memory exception is triggered because CMD646 IDE I/O
registers are not accessible:

(qemu) info pci
  Bus  0, device   0, function 0:
Host bridge: PCI device 108e:a000
  id 
  Bus  0, device   1, function 0:
PCI bridge: PCI device 108e:5000
  BUS 0.
  secondary bus 1.
  subordinate bus 1.
  IO range [0x, 0x0fff]
  memory range [0x, 0x000f]
  prefetchable memory range [0x, 0x000f]
  id 
  Bus  0, device   1, function 1:
PCI bridge: PCI device 108e:5000
  BUS 0.
  secondary bus 2.
  subordinate bus 2.
  IO range [0x, 0x0fff]
  memory range [0x, 0x000f]
  prefetchable memory range [0x, 0x000f]
  id 
  Bus  0, device   2, function 0:
VGA controller: PCI device 1234:
  BAR0: 32 bit prefetchable memory at 0x0080 [0x00ff].
  BAR6: 32 bit memory at 0x0100 [0x0100].
  id 
  Bus  0, device   3, function 0:
Bridge: PCI device 108e:1000
  BAR0: 32 bit memory at 0x0200 [0x02ff].
  BAR1: 32 bit memory at 0x0300 [0x037f].
  id 
  Bus  0, device   4, function 0:
Ethernet controller: PCI device 10ec:8029
  IRQ 0.
  BAR0: I/O at 0x [0x00fe].
  BAR6: 32 bit memory at 0x0380 [0x0380].
  id 
  Bus  0, device   5, function 0:
IDE controller: PCI device 1095:0646
  IRQ 1.
  BAR0: I/O at 0x [0x0006].
  BAR1: I/O at 0x [0x0002].
  BAR2: I/O at 0x [0x0006].
  BAR3: I/O at 0x [0x0002].
  BAR4: I/O at 0x [0x000e].
  id 
(qemu) info mtree
memory
-7ffe (prio 0, RW): system
  -07ff (prio 0, RW): sun4u.ram
  01fe-01fe (prio 0, RW): apb-config
  01fe0100-01fe01ff (prio 0, RW): apb-pci-config
  01fe0200-01fe0200 (prio 0, RW): apb-pci-ioport
  01ff-01ff (prio 0, RW): pci-mmio
01ff-01ff000f (prio 1, RW): alias
pci_bridge_mem @pci_bridge_pci -000f
01ff-01ff000f (prio 1, RW): alias
pci_bridge_pref_mem @pci_bridge_pci -000f
01ff-01ff000f (prio 1, RW): alias
pci_bridge_mem @pci_bridge_pci -000f
01ff-01ff000f (prio 1, RW): alias
pci_bridge_pref_mem @pci_bridge_pci -000f
01ff000a-01ff000a (prio 2, RW): alias vga.chain4
@vga.vram -
01ff000a-01ff000b (prio 1, RW): vga-lowmem
01ff0080-01ff00ff (prio 1, RW): vga.vram
01ff0100-01ff0100 (prio 1, RW): vga.rom
01ff0200-01ff02ff (prio 1, RW): isa-mmio
01ff0300-01ff037f (prio 1, RW): isa-mmio
01ff0380-01ff0380 (prio 1, RW): ne2000.rom
  01fff000-01fff03f (prio 0, R-): sun4u.prom
pci_bridge_pci
-7ffe (prio 0, RW): pci_bridge_pci
pci_bridge_pci
-7ffe (prio 0, RW): pci_bridge_pci
vga.vram
0080-00ff (prio 1, RW): vga.vram
I/O
- (prio 0, RW): io
  -0fff (prio 1, RW): alias pci_bridge_io
@pci_bridge_io -0fff
  -0fff (prio 1, RW): alias pci_bridge_io
@pci_bridge_io -0fff
  0060-0060 (prio 0, RW): i8042-data
  0064-0064 (prio 0, RW): i8042-cmd
  0074-0077 (prio 0, RW): m48t59
  01ce-01ce (prio 0, RW): alias vbe @vbe
01ce-01ce
  

Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Avi Kivity]

On 03/04/2012 10:12 AM, Gleb Natapov wrote:
 On Sat, Mar 03, 2012 at 10:56:02PM -0800, Jordan Justen wrote:
  On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
   The core issue that kvm (the kernel part) supports two styles of memory:
   read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
   and rom/device wants reads serviced from memory and writes serviced by
   userspace (as MMIO).
  
   It should not be too hard to patch kvm to support these additional two
   styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
   define the new attributes for the region, and kvm_mmu_page_fault() to
   map these pages as read-only and emulate writes (for ROM/device regions).
  
  Additional context for CC'd kvm-devel: I would like to support
  executing from an emulated flash memory on kvm.  The flash memory
  would be a CFI (Firmware Hub-like) device which is programmed via MMIO
  at the same addresses in memory where the execution would occur.
  
  What is needed is:
  1. The ability to set a region to allow read/exec,
 but trap to qemu on writes.
  2. qemu should then be able to set the region
 to trap on reads/exec/writes.
 Do you want to execute code from a flash while it traps on read/exec?
 KVM emulator can't do that.

No, he wants read/exec to go to RAM, and writes to be handled as mmio. 
This should work.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Gleb Natapov]

On Sun, Mar 04, 2012 at 12:36:20PM +0200, Avi Kivity wrote:
 On 03/04/2012 10:12 AM, Gleb Natapov wrote:
  On Sat, Mar 03, 2012 at 10:56:02PM -0800, Jordan Justen wrote:
   On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
The core issue that kvm (the kernel part) supports two styles of memory:
read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
and rom/device wants reads serviced from memory and writes serviced by
userspace (as MMIO).
   
It should not be too hard to patch kvm to support these additional two
styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
define the new attributes for the region, and kvm_mmu_page_fault() to
map these pages as read-only and emulate writes (for ROM/device 
regions).
   
   Additional context for CC'd kvm-devel: I would like to support
   executing from an emulated flash memory on kvm.  The flash memory
   would be a CFI (Firmware Hub-like) device which is programmed via MMIO
   at the same addresses in memory where the execution would occur.
   
   What is needed is:
   1. The ability to set a region to allow read/exec,
  but trap to qemu on writes.
   2. qemu should then be able to set the region
  to trap on reads/exec/writes.
  Do you want to execute code from a flash while it traps on read/exec?
  KVM emulator can't do that.
 
 No, he wants read/exec to go to RAM, and writes to be handled as mmio. 
 This should work.
 
That's mode 1 from above and will obviously work. I am asking about mode
2 from above.

--
Gleb.

Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Avi Kivity]

On 03/04/2012 08:56 AM, Jordan Justen wrote:
 On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
  The core issue that kvm (the kernel part) supports two styles of memory:
  read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
  and rom/device wants reads serviced from memory and writes serviced by
  userspace (as MMIO).
 
  It should not be too hard to patch kvm to support these additional two
  styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
  define the new attributes for the region, and kvm_mmu_page_fault() to
  map these pages as read-only and emulate writes (for ROM/device regions).

 Additional context for CC'd kvm-devel: I would like to support
 executing from an emulated flash memory on kvm.  The flash memory
 would be a CFI (Firmware Hub-like) device which is programmed via MMIO
 at the same addresses in memory where the execution would occur.

 What is needed is:
 1. The ability to set a region to allow read/exec,
but trap to qemu on writes.
 2. qemu should then be able to set the region
to trap on reads/exec/writes.
 3. qemu should be able to then restore the region
to the initial state.

 Here is my plan:
 1. Add KVM_CAP_REGION_WRITE_TRAP
 2. Add kvm_memory_region::flags
KVM_MEMSLOT_TRAP_WRITES
 3. Update page table creation to trap on writes when
KVM_MEMSLOT_TRAP_WRITES is set

 Is this plan heading in the right direction?

Sure.  I'd name things differently, call this type of slot readonly
instead of write trapping (that is, say what works in kvm (reads)
instead of what doesn't (writes).

Note you need to update kvm_userspace_memory_region, not
kvm_memory_region, which has been deprecated since 2.6.24 or so.

 Regarding emulating ROM (as you mentioned above): I think that it can
 trap to qemu and QEMU can ignore it.  This would be a performance hit,
 but I don't think it is expected that lots of writes to a ROM will
 occur.  Do you agree?

I do, I don't foresee any problems in this area.

Only potential issue is vapic writing to a ROM region, but Jan's recent
work adds a hackaround for that (vapic_map_rom_writable()).

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Avi Kivity]

On 03/04/2012 12:38 PM, Gleb Natapov wrote:
 On Sun, Mar 04, 2012 at 12:36:20PM +0200, Avi Kivity wrote:
  On 03/04/2012 10:12 AM, Gleb Natapov wrote:
   On Sat, Mar 03, 2012 at 10:56:02PM -0800, Jordan Justen wrote:
On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
 The core issue that kvm (the kernel part) supports two styles of 
 memory:
 read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
 and rom/device wants reads serviced from memory and writes serviced by
 userspace (as MMIO).

 It should not be too hard to patch kvm to support these additional two
 styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
 define the new attributes for the region, and kvm_mmu_page_fault() to
 map these pages as read-only and emulate writes (for ROM/device 
 regions).

Additional context for CC'd kvm-devel: I would like to support
executing from an emulated flash memory on kvm.  The flash memory
would be a CFI (Firmware Hub-like) device which is programmed via MMIO
at the same addresses in memory where the execution would occur.

What is needed is:
1. The ability to set a region to allow read/exec,
   but trap to qemu on writes.
2. qemu should then be able to set the region
   to trap on reads/exec/writes.
   Do you want to execute code from a flash while it traps on read/exec?
   KVM emulator can't do that.
  
  No, he wants read/exec to go to RAM, and writes to be handled as mmio. 
  This should work.
  
 That's mode 1 from above and will obviously work. I am asking about mode
 2 from above.


Mode 2 is pure mmio.  You're right that kvm won't run code from that.

Jordan, what's the use for mode 2?  Is it just used during programming?

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Avi Kivity]

On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:

  What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?

 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).

 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)

Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
on a 64k host?

Maybe I'm misremembering or misunderstanding something.

-- 
error compiling committee.c: too many arguments to function

[Qemu-devel] [PATCH v1 0/5] Microblaze machine models and bootloader refactoring

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

Overhauled the microblaze bootloader process. Factored out the common boot code 
between petalogix_ml605 and petalogix_s3adsp1800 machine models into a 
dedicated microblaze bootloader (Patch 1). It now organised in much the same 
way as its handled in arm machine models (arm_boot.c) where the machine model 
calls load_kernel() after machine initialisation.

Did some general cleanup of s2adsp1800, moved some cpu reset behaviour out of 
the machine model initialisation (patch 2) and #defined some magic numbers 
(patch 3).

Hooked up Peter Maydells -dtb argument to the bootloader for dtb loading 
(patches 4+5).

Peter A. G. Crosthwaite (5):
  microblaze: factored out common boot code
  petalogix_s2adsp1800: moved rst logic to rst fn
  petalogix_s2adsp1800: macro'd magic numbers
  qemu-options.hx: allow -dtb argument for all archs
  microblaze_boot: enabled -dtb argument

 Makefile.target   |1 +
 hw/microblaze_boot.c  |  177 +
 hw/microblaze_boot.h  |   10 +++
 hw/petalogix_ml605_mmu.c  |  144 +++--
 hw/petalogix_s3adsp1800_mmu.c |  147 +-
 qemu-options.hx   |2 +-
 6 files changed, 221 insertions(+), 260 deletions(-)
 create mode 100644 hw/microblaze_boot.c
 create mode 100644 hw/microblaze_boot.h

-- 
1.7.5.4

[Qemu-devel] [PATCH v1 1/5] microblaze: factored out common boot code

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

factored out the copy-pasted common boot code from the two microblaze platforms
into a dedicated microblaze bootloader (microblaze_boot.o).

Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
---
 Makefile.target   |1 +
 hw/microblaze_boot.c  |  183 +
 hw/microblaze_boot.h  |   10 ++
 hw/petalogix_ml605_mmu.c  |  144 +++-
 hw/petalogix_s3adsp1800_mmu.c |  127 +---
 5 files changed, 211 insertions(+), 254 deletions(-)
 create mode 100644 hw/microblaze_boot.c
 create mode 100644 hw/microblaze_boot.h

diff --git a/Makefile.target b/Makefile.target
index 343eb78..f853883 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -307,6 +307,7 @@ obj-mips-$(CONFIG_FULONG) += bonito.o vt82c686.o 
mips_fulong2e.o
 
 obj-microblaze-y = petalogix_s3adsp1800_mmu.o
 obj-microblaze-y += petalogix_ml605_mmu.o
+obj-microblaze-y += microblaze_boot.o
 
 obj-microblaze-y += microblaze_pic_cpu.o
 obj-microblaze-y += xilinx_intc.o
diff --git a/hw/microblaze_boot.c b/hw/microblaze_boot.c
new file mode 100644
index 000..37fce50
--- /dev/null
+++ b/hw/microblaze_boot.c
@@ -0,0 +1,183 @@
+/*
+ * Microblaze kernel loader
+ *
+ * Copyright (c) 2012 Peter Crosthwaite peter.crosthwa...@petalogix.com
+ * Copyright (c) 2012 PetaLogix
+ * Copyright (c) 2009 Edgar E. Iglesias.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the Software), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include qemu-option.h
+#include qemu-config.h
+#include qemu-common.h
+#include device_tree.h
+#include loader.h
+#include elf.h
+
+#include microblaze_boot.h
+
+static struct
+{
+void (*machine_cpu_reset)(CPUState *);
+uint32_t bootstrap_pc;
+uint32_t cmdline;
+uint32_t fdt;
+} boot_info;
+
+static void main_cpu_reset(void *opaque)
+{
+CPUState *env = opaque;
+
+cpu_reset(env);
+env-regs[5] = boot_info.cmdline;
+env-regs[7] = boot_info.fdt;
+env-sregs[SR_PC] = boot_info.bootstrap_pc;
+if (boot_info.machine_cpu_reset) {
+boot_info.machine_cpu_reset(env);
+}
+}
+
+static int microblaze_load_dtb(target_phys_addr_t addr,
+  uint32_t ramsize,
+  const char *kernel_cmdline,
+  const char *dtb_filename)
+{
+char *path;
+int fdt_size;
+#ifdef CONFIG_FDT
+void *fdt;
+int r;
+
+/* Try the local mb.dtb override.  */
+fdt = load_device_tree(mb.dtb, fdt_size);
+if (!fdt) {
+path = qemu_find_file(QEMU_FILE_TYPE_BIOS, dtb_filename);
+if (path) {
+fdt = load_device_tree(path, fdt_size);
+g_free(path);
+}
+if (!fdt) {
+return 0;
+}
+}
+
+if (kernel_cmdline) {
+r = qemu_devtree_setprop_string(fdt, /chosen, bootargs,
+kernel_cmdline);
+if (r  0) {
+fprintf(stderr, couldn't set /chosen/bootargs\n);
+}
+}
+
+cpu_physical_memory_write(addr, (void *)fdt, fdt_size);
+#else
+/* We lack libfdt so we cannot manipulate the fdt. Just pass on the blob
+   to the kernel.  */
+fdt_size = load_image_targphys(mb.dtb, addr, 0x1);
+if (fdt_size  0) {
+path = qemu_find_file(QEMU_FILE_TYPE_BIOS, BINARY_DEVICE_TREE_FILE);
+if (path) {
+fdt_size = load_image_targphys(path, addr, 0x1);
+g_free(path);
+}
+}
+
+if (kernel_cmdline) {
+fprintf(stderr,
+Warning: missing libfdt, cannot pass cmdline to kernel!\n);
+}
+#endif
+return fdt_size;
+}
+
+static uint64_t translate_kernel_address(void *opaque, uint64_t addr)
+{
+return addr - 0x3000LL;
+}
+
+void microblaze_load_kernel(CPUState *env, target_phys_addr_t ddr_base,
+ 

[Qemu-devel] [PATCH v1 2/5] petalogix_s2adsp1800: moved rst logic to rst fn

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

This belongs in the machine specific reset function

Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
---
 hw/petalogix_s3adsp1800_mmu.c |   12 
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/hw/petalogix_s3adsp1800_mmu.c b/hw/petalogix_s3adsp1800_mmu.c
index 7c6e9b8..99c3590 100644
--- a/hw/petalogix_s3adsp1800_mmu.c
+++ b/hw/petalogix_s3adsp1800_mmu.c
@@ -42,6 +42,12 @@
 
 #define BINARY_DEVICE_TREE_FILE petalogix-s3adsp1800.dtb
 
+static void machine_cpu_reset(CPUState *env)
+{
+/* FIXME: move to machine specfic cpu reset */
+env-pvr.regs[10] = 0x0c00; /* spartan 3a dsp family.  */
+}
+
 static void
 petalogix_s3adsp1800_init(ram_addr_t ram_size,
   const char *boot_device,
@@ -53,6 +59,7 @@ petalogix_s3adsp1800_init(ram_addr_t ram_size,
 CPUState *env;
 DriveInfo *dinfo;
 int i;
+/* FIXME: remove harcoded magic numbers */
 target_phys_addr_t ddr_base = 0x9000;
 MemoryRegion *phys_lmb_bram = g_new(MemoryRegion, 1);
 MemoryRegion *phys_ram = g_new(MemoryRegion, 1);
@@ -65,9 +72,6 @@ petalogix_s3adsp1800_init(ram_addr_t ram_size,
 }
 env = cpu_init(cpu_model);
 
-/* FIXME: move to machine specfic cpu reset */
-env-pvr.regs[10] = 0x0c00; /* spartan 3a dsp family.  */
-
 /* Attach emulated BRAM through the LMB.  */
 memory_region_init_ram(phys_lmb_bram,
petalogix_s3adsp1800.lmb_bram, LMB_BRAM_SIZE);
@@ -97,7 +101,7 @@ petalogix_s3adsp1800_init(ram_addr_t ram_size,
 xilinx_ethlite_create(nd_table[0], 0x8100, irq[1], 0, 0);
 
 microblaze_load_kernel(env, ddr_base, ram_size,
-BINARY_DEVICE_TREE_FILE, NULL);
+BINARY_DEVICE_TREE_FILE, machine_cpu_reset);
 }
 
 static QEMUMachine petalogix_s3adsp1800_machine = {
-- 
1.7.5.4

[Qemu-devel] [PATCH v1 3/5] petalogix_s2adsp1800: macro'd magic numbers

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

defined macros for the addresses of the peripherals in machine model

Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
---
 hw/petalogix_s3adsp1800_mmu.c |   20 +---
 1 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/hw/petalogix_s3adsp1800_mmu.c b/hw/petalogix_s3adsp1800_mmu.c
index 99c3590..2cb0b1f 100644
--- a/hw/petalogix_s3adsp1800_mmu.c
+++ b/hw/petalogix_s3adsp1800_mmu.c
@@ -42,6 +42,13 @@
 
 #define BINARY_DEVICE_TREE_FILE petalogix-s3adsp1800.dtb
 
+#define MEMORY_BASEADDR 0x9000
+#define FLASH_BASEADDR 0xa000
+#define INTC_BASEADDR 0x8180
+#define TIMER_BASEADDR 0x83c0
+#define UARTLITE_BASEADDR 0x8400
+#define ETHLITE_BASEADDR 0x8100
+
 static void machine_cpu_reset(CPUState *env)
 {
 /* FIXME: move to machine specfic cpu reset */
@@ -59,8 +66,7 @@ petalogix_s3adsp1800_init(ram_addr_t ram_size,
 CPUState *env;
 DriveInfo *dinfo;
 int i;
-/* FIXME: remove harcoded magic numbers */
-target_phys_addr_t ddr_base = 0x9000;
+target_phys_addr_t ddr_base = MEMORY_BASEADDR;
 MemoryRegion *phys_lmb_bram = g_new(MemoryRegion, 1);
 MemoryRegion *phys_ram = g_new(MemoryRegion, 1);
 qemu_irq irq[32], *cpu_irq;
@@ -83,22 +89,22 @@ petalogix_s3adsp1800_init(ram_addr_t ram_size,
 memory_region_add_subregion(sysmem, ddr_base, phys_ram);
 
 dinfo = drive_get(IF_PFLASH, 0, 0);
-pflash_cfi01_register(0xa000,
+pflash_cfi01_register(FLASH_BASEADDR,
   NULL, petalogix_s3adsp1800.flash, FLASH_SIZE,
   dinfo ? dinfo-bdrv : NULL, (64 * 1024),
   FLASH_SIZE  16,
   1, 0x89, 0x18, 0x, 0x0, 1);
 
 cpu_irq = microblaze_pic_init_cpu(env);
-dev = xilinx_intc_create(0x8180, cpu_irq[0], 2);
+dev = xilinx_intc_create(INTC_BASEADDR, cpu_irq[0], 2);
 for (i = 0; i  32; i++) {
 irq[i] = qdev_get_gpio_in(dev, i);
 }
 
-sysbus_create_simple(xilinx,uartlite, 0x8400, irq[3]);
+sysbus_create_simple(xilinx,uartlite, UARTLITE_BASEADDR, irq[3]);
 /* 2 timers at irq 2 @ 62 Mhz.  */
-xilinx_timer_create(0x83c0, irq[0], 2, 62 * 100);
-xilinx_ethlite_create(nd_table[0], 0x8100, irq[1], 0, 0);
+xilinx_timer_create(TIMER_BASEADDR, irq[0], 2, 62 * 100);
+xilinx_ethlite_create(nd_table[0], ETHLITE_BASEADDR, irq[1], 0, 0);
 
 microblaze_load_kernel(env, ddr_base, ram_size,
 BINARY_DEVICE_TREE_FILE, machine_cpu_reset);
-- 
1.7.5.4

[Qemu-devel] [PATCH v1 4/5] qemu-options.hx: allow -dtb argument for all archs

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
---
 qemu-options.hx |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index e38799c..daefce3 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2038,7 +2038,7 @@ first module.
 ETEXI
 
 DEF(dtb, HAS_ARG, QEMU_OPTION_dtb, \
--dtbfileuse 'file' as device tree image\n, QEMU_ARCH_ARM)
+-dtbfileuse 'file' as device tree image\n, QEMU_ARCH_ALL)
 STEXI
 @item -dtb @var{file}
 @findex -dtb
-- 
1.7.5.4

[Qemu-devel] [PATCH v1 5/5] microblaze_boot: enabled -dtb argument

[Peter A. G. Crosthwaite]

From: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com

Use the -dtb argument for passing is a custom dtb rather than the old
hardcoded mb.dtb

Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
---
 hw/microblaze_boot.c |   34 ++
 1 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/hw/microblaze_boot.c b/hw/microblaze_boot.c
index 37fce50..b2f96df 100644
--- a/hw/microblaze_boot.c
+++ b/hw/microblaze_boot.c
@@ -59,23 +59,16 @@ static int microblaze_load_dtb(target_phys_addr_t addr,
   const char *kernel_cmdline,
   const char *dtb_filename)
 {
-char *path;
 int fdt_size;
 #ifdef CONFIG_FDT
-void *fdt;
+void *fdt = NULL;
 int r;
 
-/* Try the local mb.dtb override.  */
-fdt = load_device_tree(mb.dtb, fdt_size);
+if (dtb_filename) {
+fdt = load_device_tree(dtb_filename, fdt_size);
+}
 if (!fdt) {
-path = qemu_find_file(QEMU_FILE_TYPE_BIOS, dtb_filename);
-if (path) {
-fdt = load_device_tree(path, fdt_size);
-g_free(path);
-}
-if (!fdt) {
-return 0;
-}
+return 0;
 }
 
 if (kernel_cmdline) {
@@ -90,15 +83,9 @@ static int microblaze_load_dtb(target_phys_addr_t addr,
 #else
 /* We lack libfdt so we cannot manipulate the fdt. Just pass on the blob
to the kernel.  */
-fdt_size = load_image_targphys(mb.dtb, addr, 0x1);
-if (fdt_size  0) {
-path = qemu_find_file(QEMU_FILE_TYPE_BIOS, BINARY_DEVICE_TREE_FILE);
-if (path) {
-fdt_size = load_image_targphys(path, addr, 0x1);
-g_free(path);
-}
+if (dtb_filename) {
+fdt_size = load_image_targphys(dtb_filename, addr, 0x1);
 }
-
 if (kernel_cmdline) {
 fprintf(stderr,
 Warning: missing libfdt, cannot pass cmdline to kernel!\n);
@@ -123,8 +110,15 @@ void microblaze_load_kernel(CPUState *env, 
target_phys_addr_t ddr_base,
 
 machine_opts = qemu_opts_find(qemu_find_opts(machine), 0);
 if (machine_opts) {
+const char *dtb_arg;
 kernel_filename = qemu_opt_get(machine_opts, kernel);
 kernel_cmdline = qemu_opt_get(machine_opts, append);
+dtb_arg = qemu_opt_get(machine_opts, dtb);
+if (dtb_arg) { /* Preference a -dtb argument */
+dtb_filename = dtb_arg;
+} else { /* default to pcbios dtb as passed by machine_init */
+dtb_filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, dtb_filename);
+}
 }
 
 boot_info.machine_cpu_reset = machine_cpu_reset;
-- 
1.7.5.4

[Qemu-devel] [PATCH] usb-ehci: drop unused isoch_pause variable

[Hans de Goede]

Signed-off-by: Hans de Goede hdego...@redhat.com
---
 hw/usb-ehci.c |6 +-
 1 files changed, 1 insertions(+), 5 deletions(-)

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index df742f7..f4d53ff 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -419,7 +419,6 @@ struct EHCIState {
 
 USBPacket ipacket;
 QEMUSGList isgl;
-int isoch_pause;
 
 uint64_t last_run_ns;
 };
@@ -907,7 +906,6 @@ static void ehci_reset(void *opaque)
 
 s-astate = EST_INACTIVE;
 s-pstate = EST_INACTIVE;
-s-isoch_pause = -1;
 s-attach_poll_counter = 0;
 
 for(i = 0; i  NB_PORTS; i++) {
@@ -2150,9 +2148,7 @@ static void ehci_frame_timer(void *opaque)
 
 for (i = 0; i  frames; i++) {
 if ( !(ehci-usbsts  USBSTS_HALT)) {
-if (ehci-isoch_pause = 0) {
-ehci-frindex += 8;
-}
+ehci-frindex += 8;
 
 if (ehci-frindex  0x1fff) {
 ehci-frindex = 0;
-- 
1.7.7.6

Re: [Qemu-devel] [PULL] Patch queue

[Blue Swirl]

Thanks, pulled.

On Tue, Feb 28, 2012 at 21:47, Stefan Weil s...@weilnetz.de wrote:
 Hi,

 please pull these patches from January.

 Thanks,

 Stefan Weil


 The following changes since commit b55c952aea6de024bf1a06357b49367fba045443:

  Merge remote-tracking branch 'aneesh/for-upstream' into staging (2012-02-27 
 11:19:27 -0600)

 are available in the git repository at:


  git://qemu.weilnetz.de/qemu.git upstream

 for you to fetch changes up to c0fd260e9da7e6e60ea6bf1b0198a804f147073f:

  Move definition of HOST_LONG_BITS to qemu-common.h (2012-02-28 22:33:43 
 +0100)

 
 Stefan Weil (15):
      Remove macro HOST_LONG_SIZE
      target-alpha: Clean includes
      target-arm: Clean includes
      target-cris: Clean includes
      target-i386: Clean includes
      target-lm32: Clean includes
      target-m68k: Clean includes
      target-microblaze: Clean includes
      target-mips: Clean includes
      target-ppc: Clean includes
      target-s390x: Clean includes
      target-sh4: Clean includes
      target-unicore32: Clean includes
      target-xtensa: Clean includes
      Move definition of HOST_LONG_BITS to qemu-common.h

  configure                     |   12 
  cpu-defs.h                    |    2 --
  qemu-common.h                 |    9 +
  target-alpha/cpu.h            |    1 +
  target-alpha/translate.c      |    5 -
  target-arm/helper.c           |    5 -
  target-cris/cpu.h             |    3 +++
  target-cris/helper.c          |    4 
  target-cris/mmu.c             |    5 -
  target-cris/translate.c       |    7 ---
  target-i386/helper.c          |    6 --
  target-i386/op_helper.c       |    1 -
  target-lm32/cpu.h             |    1 +
  target-lm32/helper.c          |    5 -
  target-lm32/translate.c       |    8 
  target-m68k/cpu.h             |    1 +
  target-m68k/helper.c          |    5 -
  target-m68k/translate.c       |    6 --
  target-microblaze/cpu.h       |    3 +++
  target-microblaze/helper.c    |    5 -
  target-microblaze/mmu.c       |    4 
  target-microblaze/translate.c |    8 
  target-mips/translate.c       |    7 ---
  target-ppc/helper.c           |    6 --
  target-ppc/translate.c        |    6 --
  target-s390x/cpu.h            |    3 +++
  target-s390x/helper.c         |    5 -
  target-s390x/translate.c      |    5 -
  target-sh4/translate.c        |    6 --
  target-unicore32/cpu.h        |    2 ++
  target-unicore32/helper.c     |    4 
  target-xtensa/core-dc232b.c   |    1 -
  target-xtensa/core-fsf.c      |    1 -
  target-xtensa/helper.c        |    1 -
  thunk.h                       |    4 ++--
  35 files changed, 25 insertions(+), 132 deletions(-)

Re: [Qemu-devel] [PATCH 0/6] w64: Improve compilation with MinGW-w64

[Blue Swirl]

Thanks, applied all.

On Fri, Mar 2, 2012 at 22:30, Stefan Weil s...@weilnetz.de wrote:
 These patches are a step towards full 64 bit support for w64.
 The patches 4 and 5 are optional.

 Please apply this series.

 Thanks,
 Stefan Weil

 [PATCH 1/6] w64: Fix size of ram_addr_t
 [PATCH 2/6] tcg: Rearrange definitions and include statements
 [PATCH 3/6] w64: Fix data type of parameters for flush_icache_range
 [PATCH 4/6] w64: Change data type of parameters for
 [PATCH 5/6] cache-utils: Change data type of parameters for
 [PATCH 6/6] w64: fix type casts when calling flush_icache_range

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Benjamin Herrenschmidt]

On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
  On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:
 
   What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?
 
  We have yet to encounter such a case. It's not currently possible on
  power (some old embedded chips could do 1K and 2K page sizes in the TLB
  iirc but we never supported that in Linux and it's being phased out in
  HW).
 
  I suggest that gets dealt with when/if it needs to, which means probably
  never :-)
 
 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?
 
 Maybe I'm misremembering or misunderstanding something.

TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
#define.

The host kernel exposes the dirty bit map with a bit per -host- kernel
PAGE_SIZE (which is what getpagesize() gets you in qemu).

My patch makes thus makes things work when the host uses 64K page sizes.
In all cases, the guest page size is irrelevant, this is purely a
problem between the host kernel and qemu.

Cheers,
Ben.

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Avi Kivity]

On 03/04/2012 01:53 PM, Benjamin Herrenschmidt wrote:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
  On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
   On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:
  
What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?
  
   We have yet to encounter such a case. It's not currently possible on
   power (some old embedded chips could do 1K and 2K page sizes in the TLB
   iirc but we never supported that in Linux and it's being phased out in
   HW).
  
   I suggest that gets dealt with when/if it needs to, which means probably
   never :-)
  
  Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
  on a 64k host?
  
  Maybe I'm misremembering or misunderstanding something.

 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.

 The host kernel exposes the dirty bit map with a bit per -host- kernel
 PAGE_SIZE (which is what getpagesize() gets you in qemu).

 My patch makes thus makes things work when the host uses 64K page sizes.
 In all cases, the guest page size is irrelevant, this is purely a
 problem between the host kernel and qemu.

Right (and I actually knew all this stuff before :( ).

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH v8 1/4] cadence_uart: initial version of device model

[Peter Crosthwaite]

On Fri, Mar 2, 2012 at 12:09 AM, Peter Maydell peter.mayd...@linaro.org wrote:
 On 28 February 2012 07:40, Peter A. G. Crosthwaite
 peter.crosthwa...@petalogix.com wrote:
 Implemented cadence UART serial controller

 Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
 Signed-off-by: John Linn john.l...@xilinx.com
 Acked-by: Edgar E. Iglesias edgar.igles...@gmail.com
 ---
 changed from v7:
 removed fflush() from DBPRINTF
 changed from v6:
 removed automatic interrupt clearing
 removed mask_and_right_justify
 removed redundant stop_break logic
 made tx and rx function interfaces consistent
 renamed qemu_debug() - DB_PRINT (all)
 changed from v4:
 fixed FSF addess
 changed device_init - type_init
 changes from v1:
 converted register file to array
 added vmsd state save/load support
 removed read side effects from CISR register

  Makefile.target   |    1 +
  hw/cadence_uart.c |  535 
 +
  2 files changed, 536 insertions(+), 0 deletions(-)
  create mode 100644 hw/cadence_uart.c

 diff --git a/Makefile.target b/Makefile.target
 index 68a5641..2021926 100644
 --- a/Makefile.target
 +++ b/Makefile.target
 @@ -344,6 +344,7 @@ endif
  obj-arm-y = integratorcp.o versatilepb.o arm_pic.o arm_timer.o
  obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o 
 pl190.o
  obj-arm-y += versatile_pci.o
 +obj-arm-y += cadence_uart.o
  obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
  obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
  obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
 diff --git a/hw/cadence_uart.c b/hw/cadence_uart.c
 new file mode 100644
 index 000..646f0e6
 --- /dev/null
 +++ b/hw/cadence_uart.c
 @@ -0,0 +1,535 @@
 +/*
 + * Device model for Cadence UART
 + *
 + * Copyright (c) 2010 Xilinx Inc.
 + * Copyright (c) 2012 Peter A.G. Crosthwaite 
 (peter.crosthwa...@petalogix.com)
 + * Copyright (c) 2012 PetaLogix Pty Ltd.
 + * Written by Haibing Ma
 + *            M.Habib
 + *
 + * This program is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU General Public License
 + * as published by the Free Software Foundation; either version
 + * 2 of the License, or (at your option) any later version.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see http://www.gnu.org/licenses/.
 + */
 +
 +#include sysbus.h
 +#include qemu-char.h
 +#include qemu-timer.h
 +
 +#ifdef CADENCE_UART_ERR_DEBUG
 +#define DB_PRINT(...) do { \
 +    fprintf(stderr,  : %s: , __func__); \
 +    fprintf(stderr, ## __VA_ARGS__); \
 +    } while (0);
 +#else
 +    #define DB_PRINT(...)
 +#endif
 +
 +#define UART_INTR_RTRIG     0x0001
 +#define UART_INTR_REMPTY    0x0002
 +#define UART_INTR_RFUL      0x0004
 +#define UART_INTR_TEMPTY    0x0008
 +#define UART_INTR_TFUL      0x0010
 +#define UART_INTR_ROVR      0x0020
 +#define UART_INTR_FRAME     0x0040
 +#define UART_INTR_PARE      0x0080
 +#define UART_INTR_TIMEOUT   0x0100
 +#define UART_INTR_DMSI      0x0200
 +#define UART_INTR_TTRIG     0x0400
 +#define UART_INTR_TNFUL     0x0800
 +#define UART_INTR_TOVR      0x1000
 +
 +#define UART_CSR_RTRIG      0x0001
 +#define UART_CSR_REMPTY     0x0002
 +#define UART_CSR_RFUL       0x0004
 +#define UART_CSR_TEMPTY     0x0008
 +#define UART_CSR_TFUL       0x0010
 +#define UART_CSR_ROVR       0x0020
 +#define UART_CSR_FRAME      0x0040
 +#define UART_CSR_PARE       0x0080
 +#define UART_CSR_TIMEOUT    0x0100
 +#define UART_CSR_DMSI       0x0200
 +#define UART_CSR_RACTIVE    0x0400
 +#define UART_CSR_TACTIVE    0x0800
 +#define UART_CSR_FDELT      0x1000
 +#define UART_CSR_TTRIG      0x2000
 +#define UART_CSR_TNFUL      0x4000
 +
 +#define UART_CR_RXRST       0x0001
 +#define UART_CR_TXRST       0x0002
 +#define UART_CR_RX_EN       0x0004
 +#define UART_CR_RX_DIS      0x0008
 +#define UART_CR_TX_EN       0x0010
 +#define UART_CR_TX_DIS      0x0020
 +#define UART_CR_RST_TO      0x0040
 +#define UART_CR_STARTBRK    0x0080
 +#define UART_CR_STOPBRK     0x0100
 +
 +#define UART_MR_CLKS            0x0001
 +#define UART_MR_CHRL            0x0006
 +#define UART_MR_CHRL_SH         1
 +#define UART_MR_PAR             0x0038
 +#define UART_MR_PAR_SH          3
 +#define UART_MR_NBSTOP          0x00C0
 +#define UART_MR_NBSTOP_SH       6
 +#define UART_MR_CHMODE          0x0300
 +#define UART_MR_CHMODE_SH       8
 +#define UART_MR_UCLKEN          0x0400
 +#define UART_MR_IRMODE          0x0800
 +
 +#define UART_DATA_BITS_6       (0x3  UART_MR_CHRL_SH)
 +#define UART_DATA_BITS_7       (0x2  UART_MR_CHRL_SH)
 +#define UART_PARITY_ODD        (0x1  UART_MR_PAR_SH)
 +#define UART_PARITY_EVEN       (0x0  UART_MR_PAR_SH)
 +#define UART_STOP_BITS_1   

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?
 
 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

The weird thing is the range type does not seem to be accessed
at all. So I guessed there's some memory corruption here.
Running valgrind shows this:

--4-- WARNING: unhandled syscall: 340
--4-- You may be able to write your own handler.
--4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--4-- Nevertheless we consider this a bug.  Please report
--4-- it at http://valgrind.org/support/bug_reports.html.
==4== Invalid read of size 4
==4==at 0x2A68C0: pci_apb_init (apb_pci.c:350)
==4==by 0x2F7A84: sun4uv_init (sun4u.c:779)
==4==by 0x13D716: main (vl.c:3397)
==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
alloc'd
==4==at 0x557DD69: malloc (vg_replace_malloc.c:236)
==4==by 0x225F56: malloc_and_trace (vl.c:2156)
==4==by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
==4==by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
==4==by 0x19C50C: qemu_allocate_irqs (irq.c:47)
==4==by 0x2F7A4C: sun4uv_init (sun4u.c:778)
==4==by 0x13D716: main (vl.c:3397)
==4== 
apb: here
==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
0x16894008
==4==  to suppress, use: --max-stackframe=398791500 or
greater
==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
0xfec42cc0
==4==  to suppress, use: --max-stackframe=398791392 or
greater
==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
0x16893fd0
==4==  to suppress, use: --max-stackframe=398790640 or
greater
==4==  further instances of this message will not be shown.
QEMU 1.0.50 monitor - type 'help' for more information
(qemu) ==4== Thread 2:
==4== Conditional jump or move depends on uninitialised value(s)
==4==at 0x2A8351: compute_all_sub (cc_helper.c:37)
==4==by 0x2A8782: helper_compute_psr (cc_helper.c:470)
==4==by 0x9AD9A19: ???
==4== 
==4== Conditional jump or move depends on uninitialised value(s)
==4==at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
==4==by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==by 0x9AD9A19: ???
==4== 
==4== Conditional jump or move depends on uninitialised value(s)
==4==at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
==4==by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==by 0x9AD9A19: ???
==4== 

Is the above a problem?

 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:
 
 (qemu) info pci
   Bus  0, device   0, function 0:
 Host bridge: PCI device 108e:a000
   id 
   Bus  0, device   1, function 0:
 PCI bridge: PCI device 108e:5000
   BUS 0.
   secondary bus 1.
   subordinate bus 1.
   IO range [0x, 0x0fff]
   memory range [0x, 0x000f]
   prefetchable memory range [0x, 0x000f]
   id 
   Bus  0, device   1, function 1:
 PCI bridge: PCI device 108e:5000
   BUS 0.
   secondary bus 2.
   subordinate bus 2.
   IO range [0x, 0x0fff]
   memory range [0x, 0x000f]
   prefetchable memory range [0x, 0x000f]
   id 
   Bus  0, device   2, function 0:
 VGA controller: PCI device 1234:
   BAR0: 32 bit prefetchable memory at 0x0080 [0x00ff].
   BAR6: 32 bit memory at 0x0100 [0x0100].
   id 
   Bus  0, device   3, function 0:
 Bridge: PCI device 108e:1000
   BAR0: 32 bit memory at 0x0200 [0x02ff].
   BAR1: 32 bit memory at 0x0300 [0x037f].
   id 
   Bus  0, device   4, function 0:
 Ethernet controller: PCI device 10ec:8029
   IRQ 0.
   BAR0: I/O at 0x [0x00fe].
   BAR6: 32 bit memory at 0x0380 [0x0380].
   id 
  

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Avi Kivity]

On 03/04/2012 12:27 PM, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:

 (qemu) info pci
   Bus  0, device   5, function 0:
 IDE controller: PCI device 1095:0646
   IRQ 1.
   BAR0: I/O at 0x [0x0006].
   BAR1: I/O at 0x [0x0002].
   BAR2: I/O at 0x [0x0006].
   BAR3: I/O at 0x [0x0002].
   BAR4: I/O at 0x [0x000e].
   id 

The BARs are not initialized, so they aren't accessible.

But perhaps the dump was not taken at the point of failure, can you
provide a relevant dump if so?


-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?
 
 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution
 
 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:

So here's a theory: the issue is that both device IO
and bridge IO have the same priority.
Bridge is initialized with IO at 0 to 4K
and so we have two devices at the same priority.
And flipping a type bit affects this,  by chance?

I tried the following and it seems to help.
But the real fix IMO is to either disable the bridge ranges
at reset, in hardware, or have the BIOS do this.

Avi, could you pls comment on my analysis?

diff --git a/hw/pci.c b/hw/pci.c
index 6d08cef..286383a 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -986,7 +986,7 @@ static void pci_update_mappings(PCIDevice *d)
 r-addr = new_addr;
 if (r-addr != PCI_BAR_UNMAPPED) {
 memory_region_add_subregion_overlap(r-address_space,
-r-addr, r-memory, 1);
+r-addr, r-memory, 2);
 }
 }
 }

[Qemu-devel] questions about pci

[WanPeng Li]

Hi all:

I read pci code in qemu about i440fx, pci.c and so on. I think if guest
os whose mainboard is based on x86, it will use IO instructions to
access PCI configuration space.If not use passthrough, qemu should
emulate these operations.I find a function called kvm_handle_io who will
emulate ioport write/read, I have traced this function, but I haven't found it 
has
any relationship with pci read/write configuration space functions like
i440fx_write_config and piix3_write_config.So how does it emulate pci
configuration space access when not use passthrough?


thanks 
Wanpeng Li

LTC China, IBM

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 02:33:02PM +0200, Michael S. Tsirkin wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
  
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
  
  This unassigned memory exception is triggered because CMD646 IDE I/O
  registers are not accessible:
 
 So here's a theory: the issue is that both device IO
 and bridge IO have the same priority.
 Bridge is initialized with IO at 0 to 4K
 and so we have two devices at the same priority.
 And flipping a type bit affects this,  by chance?
 
 I tried the following and it seems to help.
 But the real fix IMO is to either disable the bridge ranges
 at reset, in hardware, or have the BIOS do this.
 
 Avi, could you pls comment on my analysis?
 
 diff --git a/hw/pci.c b/hw/pci.c
 index 6d08cef..286383a 100644
 --- a/hw/pci.c
 +++ b/hw/pci.c
 @@ -986,7 +986,7 @@ static void pci_update_mappings(PCIDevice *d)
  r-addr = new_addr;
  if (r-addr != PCI_BAR_UNMAPPED) {
  memory_region_add_subregion_overlap(r-address_space,
 -r-addr, r-memory, 1);
 +r-addr, r-memory, 2);
  }
  }
  }

Grr. Scap the above, the patch does nothing, I didn't test it right.

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Avi Kivity]

On 03/04/2012 02:33 PM, Michael S. Tsirkin wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
  
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
  
  This unassigned memory exception is triggered because CMD646 IDE I/O
  registers are not accessible:

 So here's a theory: the issue is that both device IO
 and bridge IO have the same priority.
 Bridge is initialized with IO at 0 to 4K
 and so we have two devices at the same priority.
 And flipping a type bit affects this,  by chance?

What device shares its BAR with the bridge I/O window?

 I tried the following and it seems to help.
 But the real fix IMO is to either disable the bridge ranges
 at reset, in hardware, or have the BIOS do this.

 Avi, could you pls comment on my analysis?

 diff --git a/hw/pci.c b/hw/pci.c
 index 6d08cef..286383a 100644
 --- a/hw/pci.c
 +++ b/hw/pci.c
 @@ -986,7 +986,7 @@ static void pci_update_mappings(PCIDevice *d)
  r-addr = new_addr;
  if (r-addr != PCI_BAR_UNMAPPED) {
  memory_region_add_subregion_overlap(r-address_space,
 -r-addr, r-memory, 1);
 +r-addr, r-memory, 2);
  }
  }
  }

Who says a BAR has higher priority than a bridge?

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 The weird thing is the range type does not seem to be accessed
 at all. So I guessed there's some memory corruption here.
 Running valgrind shows this:

 --4-- WARNING: unhandled syscall: 340
 --4-- You may be able to write your own handler.
 --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
 --4-- Nevertheless we consider this a bug.  Please report
 --4-- it at http://valgrind.org/support/bug_reports.html.
 ==4== Invalid read of size 4
 ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
 ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
 alloc'd
 ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
 ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
 ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
 ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==
 apb: here
 ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
 0x16894008
 ==4==          to suppress, use: --max-stackframe=398791500 or
 greater
 ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
 0xfec42cc0
 ==4==          to suppress, use: --max-stackframe=398791392 or
 greater
 ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
 0x16893fd0
 ==4==          to suppress, use: --max-stackframe=398790640 or
 greater
 ==4==          further instances of this message will not be shown.
 QEMU 1.0.50 monitor - type 'help' for more information
 (qemu) ==4== Thread 2:
 ==4== Conditional jump or move depends on uninitialised value(s)
 ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
 ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised value(s)
 ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised value(s)
 ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==

 Is the above a problem?

It looks like Sparc does not reset registers at CPU reset. Nice catch.

 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:

 (qemu) info pci
   Bus  0, device   0, function 0:
     Host bridge: PCI device 108e:a000
       id 
   Bus  0, device   1, function 0:
     PCI bridge: PCI device 108e:5000
       BUS 0.
       secondary bus 1.
       subordinate bus 1.
       IO range [0x, 0x0fff]
       memory range [0x, 0x000f]
       prefetchable memory range [0x, 0x000f]
       id 
   Bus  0, device   1, function 1:
     PCI bridge: PCI device 108e:5000
       BUS 0.
       secondary bus 2.
       subordinate bus 2.
       IO range [0x, 0x0fff]
       memory range [0x, 0x000f]
       prefetchable memory range [0x, 0x000f]
       id 
   Bus  0, device   2, function 0:
     VGA controller: PCI device 1234:
       BAR0: 32 bit prefetchable memory at 0x0080 [0x00ff].
       BAR6: 32 bit memory at 0x0100 [0x0100].
       id 
   Bus  0, device   3, function 0:
     Bridge: PCI device 108e:1000
       BAR0: 32 bit memory at 0x0200 [0x02ff].
       BAR1: 32 bit memory at 0x0300 [0x037f].
       id 
   Bus  0, device   

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 12:28, Avi Kivity a...@redhat.com wrote:
 On 03/04/2012 12:27 PM, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:

 (qemu) info pci
   Bus  0, device   5, function 0:
     IDE controller: PCI device 1095:0646
       IRQ 1.
       BAR0: I/O at 0x [0x0006].
       BAR1: I/O at 0x [0x0002].
       BAR2: I/O at 0x [0x0006].
       BAR3: I/O at 0x [0x0002].
       BAR4: I/O at 0x [0x000e].
       id 

 The BARs are not initialized, so they aren't accessible.

 But perhaps the dump was not taken at the point of failure, can you
 provide a relevant dump if so?

No, this is after failure.


 --
 error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Avi Kivity]

On 03/04/2012 02:38 PM, Blue Swirl wrote:
 
  This unassigned memory exception is triggered because CMD646 IDE I/O
  registers are not accessible:
 
  (qemu) info pci
Bus  0, device   5, function 0:
  IDE controller: PCI device 1095:0646
IRQ 1.
BAR0: I/O at 0x [0x0006].
BAR1: I/O at 0x [0x0002].
BAR2: I/O at 0x [0x0006].
BAR3: I/O at 0x [0x0002].
BAR4: I/O at 0x [0x000e].
id 
 
  The BARs are not initialized, so they aren't accessible.
 
  But perhaps the dump was not taken at the point of failure, can you
  provide a relevant dump if so?

 No, this is after failure.

I don't see why the guest expects the BARs to work then.

-- 
error compiling committee.c: too many arguments to function

[Qemu-devel] restart a coroutine?

[Michael Tokarev]

Since all block (bdrv) layer is now implemented using
coroutines, I thought I'd give it a try.  But immediately
hit a question to which I don't know a good answer.

Suppose we've some networking block device (like NBD) and
want to be able to support reconnection - this is actually
very useful feature, in order to be able to reboot/restart
the NBD server without a need to restart all the clients.

For this to work, we should have an ability to reconnect
to the server and re-issue all requests which were waiting
for reply.

Traditionally, in asyncronous event-loop-based scheme, this
is implemented as a queue of requests linked to the block
driver state structure, and in case of reconnection we just
walk over all requests and requeue these.

But if the block driver is implemented as a set of coroutines
(like nbd currently does), I see no sane/safe way to restart
the requests.  Setjmp/longjmp can be uses with extra care
there, but with these it is extremly fragile.

Any hints on how to do that?

Thanks,

/mjt

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 12:33, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 This unassigned memory exception is triggered because CMD646 IDE I/O
 registers are not accessible:

 So here's a theory: the issue is that both device IO
 and bridge IO have the same priority.
 Bridge is initialized with IO at 0 to 4K
 and so we have two devices at the same priority.
 And flipping a type bit affects this,  by chance?

 I tried the following and it seems to help.
 But the real fix IMO is to either disable the bridge ranges
 at reset, in hardware, or have the BIOS do this.

I'd suppose bridge ranges should be disabled at reset. BIOS should
probably also program the bridge ranges so that only devices behind
the bridge are visible, or if no devices exist, disable the bridge
completely. It's possible that all of these could be buggy and the
original commit could be correct.

 Avi, could you pls comment on my analysis?

 diff --git a/hw/pci.c b/hw/pci.c
 index 6d08cef..286383a 100644
 --- a/hw/pci.c
 +++ b/hw/pci.c
 @@ -986,7 +986,7 @@ static void pci_update_mappings(PCIDevice *d)
         r-addr = new_addr;
         if (r-addr != PCI_BAR_UNMAPPED) {
             memory_region_add_subregion_overlap(r-address_space,
 -                                                r-addr, r-memory, 1);
 +                                                r-addr, r-memory, 2);
         }
     }
  }

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 12:41, Avi Kivity a...@redhat.com wrote:
 On 03/04/2012 02:38 PM, Blue Swirl wrote:
 
  This unassigned memory exception is triggered because CMD646 IDE I/O
  registers are not accessible:
 
  (qemu) info pci
    Bus  0, device   5, function 0:
      IDE controller: PCI device 1095:0646
        IRQ 1.
        BAR0: I/O at 0x [0x0006].
        BAR1: I/O at 0x [0x0002].
        BAR2: I/O at 0x [0x0006].
        BAR3: I/O at 0x [0x0002].
        BAR4: I/O at 0x [0x000e].
        id 
 
  The BARs are not initialized, so they aren't accessible.
 
  But perhaps the dump was not taken at the point of failure, can you
  provide a relevant dump if so?

 No, this is after failure.

 I don't see why the guest expects the BARs to work then.

OpenBIOS could initialize them before this commit, now it obviously
can't (or initializes the bridges incorrectly).

Maybe also the devices should be moved behind the bridges, that's
where they really should be.


 --
 error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH v8 2/4] cadence_ttc: initial version of device model

[Peter Crosthwaite]

On Fri, Mar 2, 2012 at 12:58 AM, Peter Maydell peter.mayd...@linaro.org wrote:
 On 28 February 2012 07:40, Peter A. G. Crosthwaite
 peter.crosthwa...@petalogix.com wrote:
 Implemented cadence Triple Timer Counter (TCC)

 Signed-off-by: Peter A. G. Crosthwaite peter.crosthwa...@petalogix.com
 Signed-off-by: John Linn john.l...@xilinx.com
 Acked-by: Edgar E. Iglesias edgar.igles...@gmail.com
 ---
 changed from v7:
 removed fflush() from DBPRINTF
 changed from v6:
 renamed cadence_ttc_state - CadenceTTCState
 renamed qemu_debug() - DB_PRINT (all)
 added reset function
 changed from v4:
 fixed FSF addess
 changed device_init - type_init
 changed from v3:
 Fixed race condition where timer could miss match events on wrap around
 changed from v2:
 changed ptimer to QEMUTimer (Fixed skew/drift issue in timer delays)
 changes from v1:
 refactored event driven code
 marked vmsd as unmigratable
  Makefile.target  |    1 +
  hw/cadence_ttc.c |  448 
 ++
  2 files changed, 449 insertions(+), 0 deletions(-)
  create mode 100644 hw/cadence_ttc.c

 diff --git a/Makefile.target b/Makefile.target
 index 2021926..c09deda 100644
 --- a/Makefile.target
 +++ b/Makefile.target
 @@ -345,6 +345,7 @@ obj-arm-y = integratorcp.o versatilepb.o arm_pic.o 
 arm_timer.o
  obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o 
 pl190.o
  obj-arm-y += versatile_pci.o
  obj-arm-y += cadence_uart.o
 +obj-arm-y += cadence_ttc.o
  obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
  obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
  obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
 diff --git a/hw/cadence_ttc.c b/hw/cadence_ttc.c
 new file mode 100644
 index 000..08b6c9c
 --- /dev/null
 +++ b/hw/cadence_ttc.c
 @@ -0,0 +1,448 @@
 +/*
 + * Xilinx Zynq cadence TTC model
 + *
 + * Copyright (c) 2011 Xilinx Inc.
 + * Copyright (c) 2012 Peter A.G. Crosthwaite 
 (peter.crosthwa...@petalogix.com)
 + * Copyright (c) 2012 PetaLogix Pty Ltd.
 + * Written By Haibing Ma
 + *            M. Habib
 + *
 + * This program is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU General Public License
 + * as published by the Free Software Foundation; either version
 + * 2 of the License, or (at your option) any later version.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see http://www.gnu.org/licenses/.
 + */
 +
 +#include sysbus.h
 +#include qemu-timer.h
 +
 +#ifdef CADENCE_TTC_ERR_DEBUG
 +#define DB_PRINT(...) do { \
 +    fprintf(stderr,  : %s: , __func__); \
 +    fprintf(stderr, ## __VA_ARGS__); \
 +    } while (0);
 +#else
 +    #define DB_PRINT(...)
 +#endif
 +
 +#define COUNTER_INTR_IV     0x0001
 +#define COUNTER_INTR_M1     0x0002
 +#define COUNTER_INTR_M2     0x0004
 +#define COUNTER_INTR_M3     0x0008
 +#define COUNTER_INTR_OV     0x0010
 +#define COUNTER_INTR_EV     0x0020
 +
 +#define COUNTER_CTRL_DIS    0x0001
 +#define COUNTER_CTRL_INT    0x0002
 +#define COUNTER_CTRL_DEC    0x0004
 +#define COUNTER_CTRL_MATCH  0x0008
 +#define COUNTER_CTRL_RST    0x0010
 +
 +#define CLOCK_CTRL_PS_EN    0x0001
 +#define CLOCK_CTRL_PS_V     0x001e
 +
 +typedef struct {
 +    QEMUTimer *timer;
 +    int freq;
 +
 +    uint32_t reg_clock;
 +    uint32_t reg_count;
 +    uint32_t reg_value;
 +    uint16_t reg_interval;
 +    uint16_t reg_match[3];
 +    uint32_t reg_intr;
 +    uint32_t reg_intr_en;
 +    uint32_t reg_event_ctrl;
 +    uint32_t reg_event;
 +
 +    uint64_t cpu_time;
 +    unsigned int cpu_time_valid;
 +
 +    qemu_irq irq;
 +} CadenceTimerState;
 +
 +typedef struct {
 +    SysBusDevice busdev;
 +    MemoryRegion iomem;
 +    CadenceTimerState * timer[3];
 +} CadenceTTCState;
 +
 +static void cadence_timer_update(CadenceTimerState *s)
 +{
 +    qemu_set_irq(s-irq, !!(s-reg_intr  s-reg_intr_en));
 +}
 +
 +static CadenceTimerState *cadence_timer_from_addr(void *opaque,
 +                                        target_phys_addr_t offset)
 +{
 +    unsigned int index;
 +    CadenceTTCState *s = (CadenceTTCState *)opaque;
 +
 +    index = (offset  2) % 3;
 +
 +    return s-timer[index];
 +}
 +
 +static uint64_t cadence_timer_get_ns(CadenceTimerState *s, uint64_t 
 timer_steps)
 +{
 +    /* timer_steps has max value of 0x1. double check it
 +     * (or overflow can happen below) */
 +    assert(timer_steps = 1ULL  32);
 +
 +    uint64_t r = timer_steps * 10ULL;
 +    if (s-reg_clock  CLOCK_CTRL_PS_EN) {
 +        r = 16 - (((s-reg_clock  CLOCK_CTRL_PS_V)  1) + 1);
 +    } else {
 +        r = 16;
 +    }
 +    r /= (uint64_t)s-freq;
 +    return r;
 +}
 +
 +static uint64_t cadence_timer_get_steps(CadenceTimerState *s, uint64_t ns)
 +{
 +    uint64_t to_divide = 10ULL;
 +
 +    uint64_t r = ns;
 +     /* for very large intervals ( 8s) do some division 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 12:46:23PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:41, Avi Kivity a...@redhat.com wrote:
  On 03/04/2012 02:38 PM, Blue Swirl wrote:
  
   This unassigned memory exception is triggered because CMD646 IDE I/O
   registers are not accessible:
  
   (qemu) info pci
     Bus  0, device   5, function 0:
       IDE controller: PCI device 1095:0646
         IRQ 1.
         BAR0: I/O at 0x [0x0006].
         BAR1: I/O at 0x [0x0002].
         BAR2: I/O at 0x [0x0006].
         BAR3: I/O at 0x [0x0002].
         BAR4: I/O at 0x [0x000e].
         id 
  
   The BARs are not initialized, so they aren't accessible.
  
   But perhaps the dump was not taken at the point of failure, can you
   provide a relevant dump if so?
 
  No, this is after failure.
 
  I don't see why the guest expects the BARs to work then.
 
 OpenBIOS could initialize them before this commit, now it obviously
 can't (or initializes the bridges incorrectly).

I traced all config reads and writes to the bridge
and there's no difference I can see
between before and after this commit.

I think there's some other bug, tweaking this
specific bit just happens to trigger it.

 Maybe also the devices should be moved behind the bridges, that's
 where they really should be.
 
 
  --
  error compiling committee.c: too many arguments to function
 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 02:41:33PM +0200, Avi Kivity wrote:
 On 03/04/2012 02:38 PM, Blue Swirl wrote:
  
   This unassigned memory exception is triggered because CMD646 IDE I/O
   registers are not accessible:
  
   (qemu) info pci
 Bus  0, device   5, function 0:
   IDE controller: PCI device 1095:0646
 IRQ 1.
 BAR0: I/O at 0x [0x0006].
 BAR1: I/O at 0x [0x0002].
 BAR2: I/O at 0x [0x0006].
 BAR3: I/O at 0x [0x0002].
 BAR4: I/O at 0x [0x000e].
 id 
  
   The BARs are not initialized, so they aren't accessible.
  
   But perhaps the dump was not taken at the point of failure, can you
   provide a relevant dump if so?
 
  No, this is after failure.
 
 I don't see why the guest expects the BARs to work then.

I don't belive it does - it probably got hang before
initializing BARs.

 -- 
 error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Peter Maydell]

On 4 March 2012 09:10, Michael S. Tsirkin m...@redhat.com wrote:
 I ended up with qmp-commands.h in target directories,
 which makes build fail as it is found before the
 main header.
 make clean fixes it, but it might get triggered
 again when we make some header target-independent next.
 It's easy to just make sure all such leftovers are
 removed, so let's do this.

 Signed-off-by: Michael S. Tsirkin m...@redhat.com

 diff --git a/Makefile b/Makefile
 index e66e885..958a414 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -89,6 +89,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx
  SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))

  subdir-%: $(GENERATED_HEADERS)
 +       $(call quiet-command,rm -f $(foreach header, $(GENERATED_HEADERS), 
 $*/$(header)),)
        $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $* V=$(V) 
 TARGET_DIR=$*/ all,)

In general we don't have workarounds for something
moved directory and this broke builds not from clean
(source file moved from hw/ to . being one that's bitten
me before), so why does just this one deserve to get an
rm here rather than just asking the user to run
'make clean / distclean' ?

-- PMM

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
 
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
 
  The weird thing is the range type does not seem to be accessed
  at all. So I guessed there's some memory corruption here.
  Running valgrind shows this:
 
  --4-- WARNING: unhandled syscall: 340
  --4-- You may be able to write your own handler.
  --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
  --4-- Nevertheless we consider this a bug.  Please report
  --4-- it at http://valgrind.org/support/bug_reports.html.
  ==4== Invalid read of size 4
  ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
  ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
  alloc'd
  ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
  ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
  ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
  ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==
  apb: here
  ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
  0x16894008
  ==4==          to suppress, use: --max-stackframe=398791500 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
  0xfec42cc0
  ==4==          to suppress, use: --max-stackframe=398791392 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
  0x16893fd0
  ==4==          to suppress, use: --max-stackframe=398790640 or
  greater
  ==4==          further instances of this message will not be shown.
  QEMU 1.0.50 monitor - type 'help' for more information
  (qemu) ==4== Thread 2:
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
  ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
 
  Is the above a problem?
 
 It looks like Sparc does not reset registers at CPU reset. Nice catch.

Invalid read and address after block are also worrying.

irqs are allocated with
 #define MAX_PILS 16

irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);

then passed to apb:

pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, pci_bus2,
   pci_bus3);

which does:
PCIBus *pci_apb_init(target_phys_addr_t special_base,
 target_phys_addr_t mem_base,
 qemu_irq *pic, PCIBus **bus2, PCIBus **bus3)

and

   for (i = 0; i  32; i++) {
sysbus_connect_irq(s, i, pic[i]);
}



  This unassigned memory exception is triggered because CMD646 IDE I/O
  registers are not accessible:
 
  (qemu) info pci
    Bus  0, device   0, function 0:
      Host bridge: PCI device 108e:a000
        id 
    Bus  0, device   1, function 0:
      PCI bridge: PCI device 108e:5000
        BUS 0.
        secondary bus 1.
        subordinate bus 1.
        IO range [0x, 0x0fff]
        memory range [0x, 0x000f]
        prefetchable memory range [0x, 

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 01:25:59PM +, Peter Maydell wrote:
 On 4 March 2012 09:10, Michael S. Tsirkin m...@redhat.com wrote:
  I ended up with qmp-commands.h in target directories,
  which makes build fail as it is found before the
  main header.
  make clean fixes it, but it might get triggered
  again when we make some header target-independent next.
  It's easy to just make sure all such leftovers are
  removed, so let's do this.
 
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  diff --git a/Makefile b/Makefile
  index e66e885..958a414 100644
  --- a/Makefile
  +++ b/Makefile
  @@ -89,6 +89,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx
   SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
 
   subdir-%: $(GENERATED_HEADERS)
  +       $(call quiet-command,rm -f $(foreach header, $(GENERATED_HEADERS), 
  $*/$(header)),)
         $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $* V=$(V) 
  TARGET_DIR=$*/ all,)
 
 In general we don't have workarounds for something
 moved directory and this broke builds not from clean

Why don't we? It's cheaper than always doing
make clean after pull.

 (source file moved from hw/ to . being one that's bitten
 me before),

Why would that bite anyone? AFAIK files under source control
are handled fine. It's the generated ones that are
a problem.

 so why does just this one deserve to get an
 rm here rather than just asking the user to run
 'make clean / distclean' ?
 
 -- PMM

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 13:22, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 02:41:33PM +0200, Avi Kivity wrote:
 On 03/04/2012 02:38 PM, Blue Swirl wrote:
  
   This unassigned memory exception is triggered because CMD646 IDE I/O
   registers are not accessible:
  
   (qemu) info pci
     Bus  0, device   5, function 0:
       IDE controller: PCI device 1095:0646
         IRQ 1.
         BAR0: I/O at 0x [0x0006].
         BAR1: I/O at 0x [0x0002].
         BAR2: I/O at 0x [0x0006].
         BAR3: I/O at 0x [0x0002].
         BAR4: I/O at 0x [0x000e].
         id 
  
   The BARs are not initialized, so they aren't accessible.
  
   But perhaps the dump was not taken at the point of failure, can you
   provide a relevant dump if so?
 
  No, this is after failure.

 I don't see why the guest expects the BARs to work then.

 I don't belive it does - it probably got hang before
 initializing BARs.

This is later, the crash happens when IDE driver is accessing CMD646
registers after the PCI device is configured.

I changed OpenBIOS to disable any bridges with no devices, but that
didn't help. It looks like this is not related to bridges, I disabled
the secondary bridges with this patch and still there is the crash.

diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index 1d25da8..ed9dc68 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -256,11 +256,13 @@ static const MemoryRegionOps pci_ioport_ops = {
 .endianness = DEVICE_NATIVE_ENDIAN,
 };

+#if 0
 /* The APB host has an IRQ line for each IRQ line of each slot.  */
 static int pci_apb_map_irq(PCIDevice *pci_dev, int irq_num)
 {
 return ((pci_dev-devfn  0x18)  1) + irq_num;
 }
+#endif

 static int pci_pbm_map_irq(PCIDevice *pci_dev, int irq_num)
 {
@@ -322,8 +324,10 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
 SysBusDevice *s;
 APBState *d;
 unsigned int i;
+#if 0
 PCIDevice *pci_dev;
 PCIBridge *br;
+#endif

 /* Ultrasparc PBM main bus */
 dev = qdev_create(NULL, pbm);
@@ -352,6 +356,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,

 pci_create_simple(d-bus, 0, pbm-pci);

+#if 0
 /* APB secondary busses */
 pci_dev = pci_create_multifunction(d-bus, PCI_DEVFN(1, 0), true,
pbm-bridge);
@@ -368,7 +373,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
pci_apb_map_irq);
 qdev_init_nofail(pci_dev-qdev);
 *bus3 = pci_bridge_get_sec_bus(br);
-
+#endif
 return d-bus;
 }


 --
 error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
 
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
 
  The weird thing is the range type does not seem to be accessed
  at all. So I guessed there's some memory corruption here.
  Running valgrind shows this:
 
  --4-- WARNING: unhandled syscall: 340
  --4-- You may be able to write your own handler.
  --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
  --4-- Nevertheless we consider this a bug.  Please report
  --4-- it at http://valgrind.org/support/bug_reports.html.
  ==4== Invalid read of size 4
  ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
  ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
  alloc'd
  ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
  ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
  ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
  ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==
  apb: here
  ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
  0x16894008
  ==4==          to suppress, use: --max-stackframe=398791500 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
  0xfec42cc0
  ==4==          to suppress, use: --max-stackframe=398791392 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
  0x16893fd0
  ==4==          to suppress, use: --max-stackframe=398790640 or
  greater
  ==4==          further instances of this message will not be shown.
  QEMU 1.0.50 monitor - type 'help' for more information
  (qemu) ==4== Thread 2:
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
  ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
 
  Is the above a problem?
 
 It looks like Sparc does not reset registers at CPU reset. Nice catch.

The following is likely also needed, maybe the define should be shared
with apb.

diff --git a/hw/sun4u.c b/hw/sun4u.c
index 423108f..19a135a 100644
--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -81,7 +81,7 @@
 #define FW_CFG_SPARC64_HEIGHT (FW_CFG_ARCH_LOCAL + 0x01)
 #define FW_CFG_SPARC64_DEPTH (FW_CFG_ARCH_LOCAL + 0x02)
 
-#define MAX_PILS 16
+#define MAX_PILS 32
 
 #define TICK_MAX 0x7fffULL
 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 
   0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
 
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
 
  The weird thing is the range type does not seem to be accessed
  at all. So I guessed there's some memory corruption here.
  Running valgrind shows this:
 
  --4-- WARNING: unhandled syscall: 340
  --4-- You may be able to write your own handler.
  --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
  --4-- Nevertheless we consider this a bug.  Please report
  --4-- it at http://valgrind.org/support/bug_reports.html.
  ==4== Invalid read of size 4
  ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
  ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
  alloc'd
  ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
  ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
  ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
  ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==
  apb: here
  ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
  0x16894008
  ==4==          to suppress, use: --max-stackframe=398791500 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
  0xfec42cc0
  ==4==          to suppress, use: --max-stackframe=398791392 or
  greater
  ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
  0x16893fd0
  ==4==          to suppress, use: --max-stackframe=398790640 or
  greater
  ==4==          further instances of this message will not be shown.
  QEMU 1.0.50 monitor - type 'help' for more information
  (qemu) ==4== Thread 2:
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
  ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised value(s)
  ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
 
  Is the above a problem?

 It looks like Sparc does not reset registers at CPU reset. Nice catch.

 Invalid read and address after block are also worrying.

 irqs are allocated with
  #define MAX_PILS 16

    irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);

 then passed to apb:

    pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, pci_bus2,
                           pci_bus3);

 which does:
 PCIBus *pci_apb_init(target_phys_addr_t special_base,
                     target_phys_addr_t mem_base,
                     qemu_irq *pic, PCIBus **bus2, PCIBus **bus3)

 and

   for (i = 0; i  32; i++) {
        sysbus_connect_irq(s, i, pic[i]);
    }

Awful. But using 32 for MAX_PILS does not help either.

I get this with a modified OpenBIOS and no secondary bridges:
OpenBIOS for Sparc64
Initializing PCI host bridge...
pci_host_set_reg reg 01FE   0200

=== CHANGED === package path old=/pci new=/pci@1fe,0
0:0.0 - 108e:a000 - host bridge found - /pci@1fe,0 -
pci_host_set_reg reg 01FE   0200

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Peter Maydell]

On 4 March 2012 13:31, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 01:25:59PM +, Peter Maydell wrote:
 In general we don't have workarounds for something
 moved directory and this broke builds not from clean

 Why don't we? It's cheaper than always doing
 make clean after pull.

That's an argument for a general solution to the problem,
not a one-off bandaid fix for the bit that happened to
bite you.

 (source file moved from hw/ to . being one that's bitten
 me before),

 Why would that bite anyone? AFAIK files under source control
 are handled fine. It's the generated ones that are
 a problem.

I forget the exact failure mode but I think the problem
is that the old arm-softmmu/foo.d file is still lying
around and claims that foo.o depends on the no-longer-present
hw/foo.c. (If we didn't squash the directory structure, so
that it was arm-softmmu/hw/foo.d and arm-softmmu/hw/foo.o,
this problem wouldn't happen.)

-- PMM

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 01:33:42PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 13:22, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 02:41:33PM +0200, Avi Kivity wrote:
  On 03/04/2012 02:38 PM, Blue Swirl wrote:
   
This unassigned memory exception is triggered because CMD646 IDE I/O
registers are not accessible:
   
(qemu) info pci
  Bus  0, device   5, function 0:
    IDE controller: PCI device 1095:0646
      IRQ 1.
      BAR0: I/O at 0x [0x0006].
      BAR1: I/O at 0x [0x0002].
      BAR2: I/O at 0x [0x0006].
      BAR3: I/O at 0x [0x0002].
      BAR4: I/O at 0x [0x000e].
      id 
   
The BARs are not initialized, so they aren't accessible.
   
But perhaps the dump was not taken at the point of failure, can you
provide a relevant dump if so?
  
   No, this is after failure.
 
  I don't see why the guest expects the BARs to work then.
 
  I don't belive it does - it probably got hang before
  initializing BARs.
 
 This is later, the crash happens when IDE driver is accessing CMD646
 registers after the PCI device is configured.
 
 I changed OpenBIOS to disable any bridges with no devices, but that
 didn't help. It looks like this is not related to bridges, I disabled
 the secondary bridges with this patch and still there is the crash.

It seems to have to do with the host bridge.
It's unusual to have host bridge present itself
as a pci to pci bridge but there it is.

 diff --git a/hw/apb_pci.c b/hw/apb_pci.c
 index 1d25da8..ed9dc68 100644
 --- a/hw/apb_pci.c
 +++ b/hw/apb_pci.c
 @@ -256,11 +256,13 @@ static const MemoryRegionOps pci_ioport_ops = {
  .endianness = DEVICE_NATIVE_ENDIAN,
  };
 
 +#if 0
  /* The APB host has an IRQ line for each IRQ line of each slot.  */
  static int pci_apb_map_irq(PCIDevice *pci_dev, int irq_num)
  {
  return ((pci_dev-devfn  0x18)  1) + irq_num;
  }
 +#endif
 
  static int pci_pbm_map_irq(PCIDevice *pci_dev, int irq_num)
  {
 @@ -322,8 +324,10 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
  SysBusDevice *s;
  APBState *d;
  unsigned int i;
 +#if 0
  PCIDevice *pci_dev;
  PCIBridge *br;
 +#endif
 
  /* Ultrasparc PBM main bus */
  dev = qdev_create(NULL, pbm);
 @@ -352,6 +356,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
 
  pci_create_simple(d-bus, 0, pbm-pci);
 
 +#if 0
  /* APB secondary busses */
  pci_dev = pci_create_multifunction(d-bus, PCI_DEVFN(1, 0), true,
 pbm-bridge);
 @@ -368,7 +373,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
 pci_apb_map_irq);
  qdev_init_nofail(pci_dev-qdev);
  *bus3 = pci_bridge_get_sec_bus(br);
 -
 +#endif
  return d-bus;
  }
 
 
  --
  error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 01:44:26PM +, Peter Maydell wrote:
 On 4 March 2012 13:31, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 01:25:59PM +, Peter Maydell wrote:
  In general we don't have workarounds for something
  moved directory and this broke builds not from clean
 
  Why don't we? It's cheaper than always doing
  make clean after pull.
 
 That's an argument for a general solution to the problem,
 not a one-off bandaid fix for the bit that happened to
 bite you.

What I did is generic: I remove all generated headers.
If you see more problems, let me know.

  (source file moved from hw/ to . being one that's bitten
  me before),
 
  Why would that bite anyone? AFAIK files under source control
  are handled fine. It's the generated ones that are
  a problem.
 
 I forget the exact failure mode but I think the problem
 is that the old arm-softmmu/foo.d file is still lying
 around and claims that foo.o depends on the no-longer-present
 hw/foo.c. (If we didn't squash the directory structure, so
 that it was arm-softmmu/hw/foo.d and arm-softmmu/hw/foo.o,
 this problem wouldn't happen.)
 
 -- PMM

Aha. A stale .d file, I see. Note that it's
siginificantly different from my problem. I would think if
.c is newer than .o we should just ignore .d,
alternatively make the dependencies in .d somehow weaker
than the implicit dependencies so they don't fail the build.
I'll see whether I can come up with a solution.

-- 
MST

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com 
   wrote:
commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
a regression: we do not make IO base/limit upper 16
bit registers writeable, so we should report a 16 bit
IO range type, not a 32 bit one.
Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 
0x1.
   
In particular, this broke sparc64.
   
Note: this just reverts to behaviour prior to the patch.
Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
registers writeable should, and seems to, work just as well, but
as no system seems to actually be interested in 32 bit IO,
let's not make unnecessary changes.
   
Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
Signed-off-by: Michael S. Tsirkin m...@redhat.com
   
Mark, can you confirm that this fixes the bug for you?
  
   No, running
   qemu-system-sparc64 -serial stdio
   still shows black screen and the following on console:
   OpenBIOS for Sparc64
   Unhandled Exception 0x0032
   PC = 0xffd19e18 NPC = 0xffd19e1c
   Stopping execution
  
   The weird thing is the range type does not seem to be accessed
   at all. So I guessed there's some memory corruption here.
   Running valgrind shows this:
  
   --4-- WARNING: unhandled syscall: 340
   --4-- You may be able to write your own handler.
   --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
   --4-- Nevertheless we consider this a bug.  Please report
   --4-- it at http://valgrind.org/support/bug_reports.html.
   ==4== Invalid read of size 4
   ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
   ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
   alloc'd
   ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
   ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
   ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
   ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==
   apb: here
   ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
   0x16894008
   ==4==          to suppress, use: --max-stackframe=398791500 or
   greater
   ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
   0xfec42cc0
   ==4==          to suppress, use: --max-stackframe=398791392 or
   greater
   ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
   0x16893fd0
   ==4==          to suppress, use: --max-stackframe=398790640 or
   greater
   ==4==          further instances of this message will not be shown.
   QEMU 1.0.50 monitor - type 'help' for more information
   (qemu) ==4== Thread 2:
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
   ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
   ==4==    by 0x9AD9A19: ???
   ==4==
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
   ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
   ==4==    by 0x9AD9A19: ???
   ==4==
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
   ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
   ==4==    by 0x9AD9A19: ???
   ==4==
  
   Is the above a problem?
 
  It looks like Sparc does not reset registers at CPU reset. Nice catch.
 
  Invalid read and address after block are also worrying.
 
  irqs are allocated with
   #define MAX_PILS 16
 
     irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
 
  then passed to apb:
 
     pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, pci_bus2,
                            pci_bus3);
 
  which does:
  PCIBus *pci_apb_init(target_phys_addr_t special_base,
                      target_phys_addr_t mem_base,
                      qemu_irq *pic, PCIBus **bus2, PCIBus **bus3)
 
  and
 
    for (i = 0; i  32; i++) {
         sysbus_connect_irq(s, i, pic[i]);
     }
 
 Awful. But using 32 for MAX_PILS does not help either.


Could you please clarify what is the SABRE device?
Is it, in fact, a bridge device? Or not?


-- 
MST

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 14:08, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 01:33:42PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 13:22, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 02:41:33PM +0200, Avi Kivity wrote:
  On 03/04/2012 02:38 PM, Blue Swirl wrote:
   
This unassigned memory exception is triggered because CMD646 IDE I/O
registers are not accessible:
   
(qemu) info pci
  Bus  0, device   5, function 0:
    IDE controller: PCI device 1095:0646
      IRQ 1.
      BAR0: I/O at 0x [0x0006].
      BAR1: I/O at 0x [0x0002].
      BAR2: I/O at 0x [0x0006].
      BAR3: I/O at 0x [0x0002].
      BAR4: I/O at 0x [0x000e].
      id 
   
The BARs are not initialized, so they aren't accessible.
   
But perhaps the dump was not taken at the point of failure, can you
provide a relevant dump if so?
  
   No, this is after failure.
 
  I don't see why the guest expects the BARs to work then.
 
  I don't belive it does - it probably got hang before
  initializing BARs.

 This is later, the crash happens when IDE driver is accessing CMD646
 registers after the PCI device is configured.

 I changed OpenBIOS to disable any bridges with no devices, but that
 didn't help. It looks like this is not related to bridges, I disabled
 the secondary bridges with this patch and still there is the crash.

 It seems to have to do with the host bridge.
 It's unusual to have host bridge present itself
 as a pci to pci bridge but there it is.

It looks like the I/O base calculations in OpenBIOS are confused by
host bridge, after that all BARs are wrong. OpenBIOS also thinks that
the host bridge is a device and attempts to configure six BARs instead
of two.

 diff --git a/hw/apb_pci.c b/hw/apb_pci.c
 index 1d25da8..ed9dc68 100644
 --- a/hw/apb_pci.c
 +++ b/hw/apb_pci.c
 @@ -256,11 +256,13 @@ static const MemoryRegionOps pci_ioport_ops = {
      .endianness = DEVICE_NATIVE_ENDIAN,
  };

 +#if 0
  /* The APB host has an IRQ line for each IRQ line of each slot.  */
  static int pci_apb_map_irq(PCIDevice *pci_dev, int irq_num)
  {
      return ((pci_dev-devfn  0x18)  1) + irq_num;
  }
 +#endif

  static int pci_pbm_map_irq(PCIDevice *pci_dev, int irq_num)
  {
 @@ -322,8 +324,10 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
      SysBusDevice *s;
      APBState *d;
      unsigned int i;
 +#if 0
      PCIDevice *pci_dev;
      PCIBridge *br;
 +#endif

      /* Ultrasparc PBM main bus */
      dev = qdev_create(NULL, pbm);
 @@ -352,6 +356,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,

      pci_create_simple(d-bus, 0, pbm-pci);

 +#if 0
      /* APB secondary busses */
      pci_dev = pci_create_multifunction(d-bus, PCI_DEVFN(1, 0), true,
                                     pbm-bridge);
 @@ -368,7 +373,7 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
                         pci_apb_map_irq);
      qdev_init_nofail(pci_dev-qdev);
      *bus3 = pci_bridge_get_sec_bus(br);
 -
 +#endif
      return d-bus;
  }

 
  --
  error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com 
   wrote:
commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
a regression: we do not make IO base/limit upper 16
bit registers writeable, so we should report a 16 bit
IO range type, not a 32 bit one.
Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 is 
0x1.
   
In particular, this broke sparc64.
   
Note: this just reverts to behaviour prior to the patch.
Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
registers writeable should, and seems to, work just as well, but
as no system seems to actually be interested in 32 bit IO,
let's not make unnecessary changes.
   
Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
Signed-off-by: Michael S. Tsirkin m...@redhat.com
   
Mark, can you confirm that this fixes the bug for you?
  
   No, running
   qemu-system-sparc64 -serial stdio
   still shows black screen and the following on console:
   OpenBIOS for Sparc64
   Unhandled Exception 0x0032
   PC = 0xffd19e18 NPC = 0xffd19e1c
   Stopping execution
  
   The weird thing is the range type does not seem to be accessed
   at all. So I guessed there's some memory corruption here.
   Running valgrind shows this:
  
   --4-- WARNING: unhandled syscall: 340
   --4-- You may be able to write your own handler.
   --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
   --4-- Nevertheless we consider this a bug.  Please report
   --4-- it at http://valgrind.org/support/bug_reports.html.
   ==4== Invalid read of size 4
   ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
   ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
   alloc'd
   ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
   ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
   ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
   ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==
   apb: here
   ==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
   0x16894008
   ==4==          to suppress, use: --max-stackframe=398791500 or
   greater
   ==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
   0xfec42cc0
   ==4==          to suppress, use: --max-stackframe=398791392 or
   greater
   ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
   0x16893fd0
   ==4==          to suppress, use: --max-stackframe=398790640 or
   greater
   ==4==          further instances of this message will not be shown.
   QEMU 1.0.50 monitor - type 'help' for more information
   (qemu) ==4== Thread 2:
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
   ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
   ==4==    by 0x9AD9A19: ???
   ==4==
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
   ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
   ==4==    by 0x9AD9A19: ???
   ==4==
   ==4== Conditional jump or move depends on uninitialised value(s)
   ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
   ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
   ==4==    by 0x9AD9A19: ???
   ==4==
  
   Is the above a problem?
 
  It looks like Sparc does not reset registers at CPU reset. Nice catch.
 
  Invalid read and address after block are also worrying.
 
  irqs are allocated with
   #define MAX_PILS 16
 
     irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
 
  then passed to apb:
 
     pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, pci_bus2,
                            pci_bus3);
 
  which does:
  PCIBus *pci_apb_init(target_phys_addr_t special_base,
                      target_phys_addr_t mem_base,
                      qemu_irq *pic, PCIBus **bus2, PCIBus **bus3)
 
  and
 
    for (i = 0; i  32; i++) {
         sysbus_connect_irq(s, i, pic[i]);
     }

 Awful. But using 32 for MAX_PILS does not help either.


 Could you please clarify what is the SABRE device?
 Is it, in fact, a bridge device? Or 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com 
wrote:
 commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
 a regression: we do not make IO base/limit upper 16
 bit registers writeable, so we should report a 16 bit
 IO range type, not a 32 bit one.
 Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 
 is 0x1.

 In particular, this broke sparc64.

 Note: this just reverts to behaviour prior to the patch.
 Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
 registers writeable should, and seems to, work just as well, but
 as no system seems to actually be interested in 32 bit IO,
 let's not make unnecessary changes.

 Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
 Signed-off-by: Michael S. Tsirkin m...@redhat.com

 Mark, can you confirm that this fixes the bug for you?
   
No, running
qemu-system-sparc64 -serial stdio
still shows black screen and the following on console:
OpenBIOS for Sparc64
Unhandled Exception 0x0032
PC = 0xffd19e18 NPC = 0xffd19e1c
Stopping execution
   
The weird thing is the range type does not seem to be accessed
at all. So I guessed there's some memory corruption here.
Running valgrind shows this:
   
--4-- WARNING: unhandled syscall: 340
--4-- You may be able to write your own handler.
--4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--4-- Nevertheless we consider this a bug.  Please report
--4-- it at http://valgrind.org/support/bug_reports.html.
==4== Invalid read of size 4
==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
==4==    by 0x13D716: main (vl.c:3397)
==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
alloc'd
==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
==4==    by 0x584B528: g_malloc0 (in /lib/libglib-2.0.so.0.2800.8)
==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
==4==    by 0x13D716: main (vl.c:3397)
==4==
apb: here
==4== Warning: client switching stacks?  SP change: 0xfec42cbc --
0x16894008
==4==          to suppress, use: --max-stackframe=398791500 or
greater
==4== Warning: client switching stacks?  SP change: 0x16893fa0 --
0xfec42cc0
==4==          to suppress, use: --max-stackframe=398791392 or
greater
==4== Warning: client switching stacks?  SP change: 0xfec42fe0 --
0x16893fd0
==4==          to suppress, use: --max-stackframe=398790640 or
greater
==4==          further instances of this message will not be 
shown.
QEMU 1.0.50 monitor - type 'help' for more information
(qemu) ==4== Thread 2:
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
==4==    by 0x9AD9A19: ???
==4==
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==    by 0x9AD9A19: ???
==4==
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==    by 0x9AD9A19: ???
==4==
   
Is the above a problem?
  
   It looks like Sparc does not reset registers at CPU reset. Nice catch.
  
   Invalid read and address after block are also worrying.
  
   irqs are allocated with
    #define MAX_PILS 16
  
      irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
  
   then passed to apb:
  
      pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, pci_bus2,
                             pci_bus3);
  
   which does:
   PCIBus *pci_apb_init(target_phys_addr_t special_base,
                       target_phys_addr_t mem_base,
                       qemu_irq *pic, PCIBus **bus2, PCIBus **bus3)
  
   and
  
     for (i = 0; i  32; i++) {
          

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
 Yes, it's the host bridge, also known as PBM. It's documented in
 UltraSPARC IIi User's Manual and there it says that the device is
 found in the configuration space.

So it seems I can make things work if
I disable is_bridge and make some bits in
BAR4 writeable:

pci_set_long(d-wmask + 0x20, 0x);

I don't yet know why, and the manual says there
should be no BARs.

 The secondary bridges are Simbas and should be called APBs.
 
 
 
  --
  MST

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Andreas Färber]

Am 04.03.2012 10:10, schrieb Michael S. Tsirkin:
 I ended up with qmp-commands.h in target directories,
 which makes build fail as it is found before the
 main header.
 make clean fixes it, but it might get triggered
 again when we make some header target-independent next.
 It's easy to just make sure all such leftovers are
 removed, so let's do this.
 
 Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
 diff --git a/Makefile b/Makefile
 index e66e885..958a414 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -89,6 +89,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx
  SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
  
  subdir-%: $(GENERATED_HEADERS)
 + $(call quiet-command,rm -f $(foreach header, $(GENERATED_HEADERS), 
 $*/$(header)),)

Nack. While this happens to fix an issue you encountered this is just
plain wrong and dangerous. It takes a list of currently generated
headers in the main directory and deletes them in all target folders on
every compile; it's not forbidden to have a header of the same name in
both directories, whether generated or not.

I am all for making make clean do what it claims though.

The real solution to this problem would be to make sure by careful
review not to move files around in such a conflicting way (rename them
instead) rather than posting a note to please run make clean or make
distclean (which is fine if you have to do it once, bothersome for
multiple repos, and unhelpful for bisecting).

Andreas

   $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $* V=$(V) 
 TARGET_DIR=$*/ all,)
  
  ifneq ($(wildcard config-host.mak),)

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] restart a coroutine?

[Avi Kivity]

On 03/04/2012 02:41 PM, Michael Tokarev wrote:
 Since all block (bdrv) layer is now implemented using
 coroutines, I thought I'd give it a try.  But immediately
 hit a question to which I don't know a good answer.

 Suppose we've some networking block device (like NBD) and
 want to be able to support reconnection - this is actually
 very useful feature, in order to be able to reboot/restart
 the NBD server without a need to restart all the clients.

 For this to work, we should have an ability to reconnect
 to the server and re-issue all requests which were waiting
 for reply.

 Traditionally, in asyncronous event-loop-based scheme, this
 is implemented as a queue of requests linked to the block
 driver state structure, and in case of reconnection we just
 walk over all requests and requeue these.

 But if the block driver is implemented as a set of coroutines
 (like nbd currently does), I see no sane/safe way to restart
 the requests.  Setjmp/longjmp can be uses with extra care
 there, but with these it is extremly fragile.

 Any hints on how to do that?


From the block layer's point of view, the requests should still be
pending.  For example, if a read request sees a dropped connection, it
adds itself to a list of coroutines waiting for a reconnect, wakes up a
connection manager coroutine (or thread), and sleeps.  The connection
manager periodically tries to connect, and if it succeeds, it wakes up
the coroutines waiting for a reconnection.

It's important to implement request cancellation correctly here, or we
can end up with a device that cannot be unplugged or a guest that cannot
be shutdown.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 02:26:13PM +, Blue Swirl wrote:
  It seems to have to do with the host bridge.
  It's unusual to have host bridge present itself
  as a pci to pci bridge but there it is.
 
 It looks like the I/O base calculations in OpenBIOS are confused

Where's the source for that, BTW? Have build instructions?

 by
 host bridge, after that all BARs are wrong. OpenBIOS also thinks that
 the host bridge is a device and attempts to configure six BARs instead
 of two.

According to the spec it is a device, so should be ok?
If I just make BAR4 writeable we get past the
bios screen at least.
Maybe openbios gets confused if a device has no BARs?
Do things work for you with the patch below?
All it does is make BAR4 writeable, accesses go nowhere.
 

diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index 1d25da8..fae841f 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -433,6 +433,7 @@ static int pbm_pci_host_init(PCIDevice *d)
 pci_set_word(d-config + PCI_STATUS,
  PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
  PCI_STATUS_DEVSEL_MEDIUM);
+pci_set_long(d-wmask + 0x20, 0xfff0);
 return 0;
 }
 
@@ -444,7 +445,6 @@ static void pbm_pci_host_class_init(ObjectClass *klass, 
void *data)
 k-vendor_id = PCI_VENDOR_ID_SUN;
 k-device_id = PCI_DEVICE_ID_SUN_SABRE;
 k-class_id = PCI_CLASS_BRIDGE_HOST;
-k-is_bridge = 1;
 }
 
 static TypeInfo pbm_pci_host_info = {
-- 
MST

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Andreas Färber]

Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:

 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?

 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).

 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)

 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?

 Maybe I'm misremembering or misunderstanding something.

 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.

Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.

Maybe just add an assert and be done with it?

For the record, I am hoping to get rid of some of those cpu.h defines in
a later stage of QOM'ification.

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH] make: remove generated objects from target dirs

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 05:03:14PM +0100, Andreas Färber wrote:
 Am 04.03.2012 10:10, schrieb Michael S. Tsirkin:
  I ended up with qmp-commands.h in target directories,
  which makes build fail as it is found before the
  main header.
  make clean fixes it, but it might get triggered
  again when we make some header target-independent next.
  It's easy to just make sure all such leftovers are
  removed, so let's do this.
  
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
  diff --git a/Makefile b/Makefile
  index e66e885..958a414 100644
  --- a/Makefile
  +++ b/Makefile
  @@ -89,6 +89,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx
   SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
   
   subdir-%: $(GENERATED_HEADERS)
  +   $(call quiet-command,rm -f $(foreach header, $(GENERATED_HEADERS), 
  $*/$(header)),)
 
 Nack. While this happens to fix an issue you encountered this is just
 plain wrong and dangerous. It takes a list of currently generated
 headers in the main directory and deletes them in all target folders on
 every compile; it's not forbidden to have a header of the same name in
 both directories, whether generated or not.

Yes it is Forbidden. With a big F.
And the reason is that it will break the build
in a very confusing way.

So if you do this silly thing, you pay the price, and this
is way better than everyone who tries to build the tree pays the price.

 I am all for making make clean do what it claims though.

 The real solution to this problem would be to make sure by careful
 review not to move files around in such a conflicting way (rename them
 instead)

Too late for current tree. There are many such conflicts.

 rather than posting a note to please run make clean or make
 distclean (which is fine if you have to do it once, bothersome for
 multiple repos, and unhelpful for bisecting).
 
 Andreas

This means that a file name that was generated somewhere in the
hierarchy at any point in the past can never be generated again
anywhere else.

That's impractical.

  $(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $* V=$(V) 
  TARGET_DIR=$*/ all,)
   
   ifneq ($(wildcard config-host.mak),)
 
 -- 
 SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
 GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH] seabios: acpi: Add _STA for PCI hotplug slots

[Kevin O'Connor]

On Fri, Feb 24, 2012 at 04:21:17PM -0700, Alex Williamson wrote:
 When a Status method is provided on a slot, the OSPM evaluates
 _STA in response to the device check notify on the slot.  This
 allows some degree of a handshake between the platform and the
 OSPM that the hotplug has been acknowledged.
 
 In order to implement _STA, we need to know which slots have
 devices.  A slot with device returns 0x0F, a slot without a
 device returns Zero.  We get this information from Qemu using
 the 0xae08 I/O port register.  This was previously the read-side
 of the register written to commit a device eject and always
 returned 0 on read.  It now returns a bitmap of present slots,
 so we know that reading 0 means we have and old Qemu and
 dynamically modify our SSDT to rename the _STA methods.  This
 is necessary to allow backwards compatibility.
 
 The _STA method also writes the slot identifier to I/O port
 register 0xae00 as an acknowledgment of the hotplug request.

Thanks.  The patch looks fine to me.  However, since I'm not all that
familiar with the details of the qemu/kvm support for this, I'd like
to see an Ack from one of the qemu or kvm maintainers.

-Kevin

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin m...@redhat.com 
wrote:
 commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
 a regression: we do not make IO base/limit upper 16
 bit registers writeable, so we should report a 16 bit
 IO range type, not a 32 bit one.
 Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but PCI_IO_RANGE_TYPE_32 
 is 0x1.

 In particular, this broke sparc64.

 Note: this just reverts to behaviour prior to the patch.
 Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
 registers writeable should, and seems to, work just as well, but
 as no system seems to actually be interested in 32 bit IO,
 let's not make unnecessary changes.

 Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
 Signed-off-by: Michael S. Tsirkin m...@redhat.com

 Mark, can you confirm that this fixes the bug for you?
   
No, running
qemu-system-sparc64 -serial stdio
still shows black screen and the following on console:
OpenBIOS for Sparc64
Unhandled Exception 0x0032
PC = 0xffd19e18 NPC = 0xffd19e1c
Stopping execution
   
The weird thing is the range type does not seem to be accessed
at all. So I guessed there's some memory corruption here.
Running valgrind shows this:
   
--4-- WARNING: unhandled syscall: 340
--4-- You may be able to write your own handler.
--4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--4-- Nevertheless we consider this a bug.  Please report
--4-- it at http://valgrind.org/support/bug_reports.html.
==4== Invalid read of size 4
==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
==4==    by 0x13D716: main (vl.c:3397)
==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
alloc'd
==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
==4==    by 0x584B528: g_malloc0 (in 
/lib/libglib-2.0.so.0.2800.8)
==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
==4==    by 0x13D716: main (vl.c:3397)
==4==
apb: here
==4== Warning: client switching stacks?  SP change: 0xfec42cbc 
--
0x16894008
==4==          to suppress, use: --max-stackframe=398791500 or
greater
==4== Warning: client switching stacks?  SP change: 0x16893fa0 
--
0xfec42cc0
==4==          to suppress, use: --max-stackframe=398791392 or
greater
==4== Warning: client switching stacks?  SP change: 0xfec42fe0 
--
0x16893fd0
==4==          to suppress, use: --max-stackframe=398790640 or
greater
==4==          further instances of this message will not be 
shown.
QEMU 1.0.50 monitor - type 'help' for more information
(qemu) ==4== Thread 2:
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
==4==    by 0x9AD9A19: ???
==4==
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==    by 0x9AD9A19: ???
==4==
==4== Conditional jump or move depends on uninitialised value(s)
==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
==4==    by 0x9AD9A19: ???
==4==
   
Is the above a problem?
  
   It looks like Sparc does not reset registers at CPU reset. Nice catch.
  
   Invalid read and address after block are also worrying.
  
   irqs are allocated with
    #define MAX_PILS 16
  
      irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
  
   then passed to apb:
  
      pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, 
   pci_bus2,
                             pci_bus3);
  
   which does:
   PCIBus *pci_apb_init(target_phys_addr_t special_base,
                       target_phys_addr_t mem_base,
                       

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 05:07:34PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com 
wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin 
 m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but 
  PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 The weird thing is the range type does not seem to be accessed
 at all. So I guessed there's some memory corruption here.
 Running valgrind shows this:

 --4-- WARNING: unhandled syscall: 340
 --4-- You may be able to write your own handler.
 --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
 --4-- Nevertheless we consider this a bug.  Please report
 --4-- it at http://valgrind.org/support/bug_reports.html.
 ==4== Invalid read of size 4
 ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
 ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
 alloc'd
 ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
 ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
 ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x584B528: g_malloc0 (in 
 /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
 ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==
 apb: here
 ==4== Warning: client switching stacks?  SP change: 0xfec42cbc 
 --
 0x16894008
 ==4==          to suppress, use: --max-stackframe=398791500 or
 greater
 ==4== Warning: client switching stacks?  SP change: 0x16893fa0 
 --
 0xfec42cc0
 ==4==          to suppress, use: --max-stackframe=398791392 or
 greater
 ==4== Warning: client switching stacks?  SP change: 0xfec42fe0 
 --
 0x16893fd0
 ==4==          to suppress, use: --max-stackframe=398790640 or
 greater
 ==4==          further instances of this message will not be 
 shown.
 QEMU 1.0.50 monitor - type 'help' for more information
 (qemu) ==4== Thread 2:
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
 ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==

 Is the above a problem?
   
It looks like Sparc does not reset registers at CPU reset. Nice 
catch.
   
Invalid read and address after block are also worrying.
   
irqs are allocated with
 #define MAX_PILS 16
   
   irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
   
then passed to apb:
   
   pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 16:42, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 02:26:13PM +, Blue Swirl wrote:
  It seems to have to do with the host bridge.
  It's unusual to have host bridge present itself
  as a pci to pci bridge but there it is.

 It looks like the I/O base calculations in OpenBIOS are confused

 Where's the source for that, BTW? Have build instructions?

Under roms/openbios or www.openbios.org. You need xsltproc.
../config/scripts/switch-arch sparc64
make build-verbose
qemu-system-sparc64 -bios obj-sparc64/openbios-builtin.elf.nostrip

 by
 host bridge, after that all BARs are wrong. OpenBIOS also thinks that
 the host bridge is a device and attempts to configure six BARs instead
 of two.

 According to the spec it is a device, so should be ok?
 If I just make BAR4 writeable we get past the
 bios screen at least.
 Maybe openbios gets confused if a device has no BARs?
 Do things work for you with the patch below?
 All it does is make BAR4 writeable, accesses go nowhere.

Looking at serial console, there is no crash, but VGA still does not work.



 diff --git a/hw/apb_pci.c b/hw/apb_pci.c
 index 1d25da8..fae841f 100644
 --- a/hw/apb_pci.c
 +++ b/hw/apb_pci.c
 @@ -433,6 +433,7 @@ static int pbm_pci_host_init(PCIDevice *d)
     pci_set_word(d-config + PCI_STATUS,
                  PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
                  PCI_STATUS_DEVSEL_MEDIUM);
 +    pci_set_long(d-wmask + 0x20, 0xfff0);
     return 0;
  }

 @@ -444,7 +445,6 @@ static void pbm_pci_host_class_init(ObjectClass *klass, 
 void *data)
     k-vendor_id = PCI_VENDOR_ID_SUN;
     k-device_id = PCI_DEVICE_ID_SUN_SABRE;
     k-class_id = PCI_CLASS_BRIDGE_HOST;
 -    k-is_bridge = 1;
  }

  static TypeInfo pbm_pci_host_info = {
 --
 MST

[Qemu-devel] PPC: VGA broken in git master

[Mark Cave-Ayland]

Hi all,

I've just done a git pull to update my local repository, and it now 
appears that the VGA device is broken in QEMU - rather than displaying 
the OpenBIOS banner in my VNC client, the framebuffer remains constantly 
black.


A git bisect shows that the problem is caused by the following commit:


de58ac72b6a062d1a61478284c0c0f8a0428613e is the first bad commit
commit de58ac72b6a062d1a61478284c0c0f8a0428613e
Author: Avi Kivity a...@redhat.com
Date:   Sun Jan 8 19:46:17 2012 +0200

ioport: change portio_list not to use memory_region_set_offset()

memory_region_set_offset() will be going away soon, so don't use it.
Use an alias instead.

Signed-off-by: Avi Kivity a...@redhat.com
Reviewed-by: Richard Henderson r...@twiddle.net


Avi/Richard - please would it be possible for you to review this commit 
and come up with a suitable fix?



Many thanks,

Mark.

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Mark Cave-Ayland]

On 04/03/12 17:49, Blue Swirl wrote:


According to the spec it is a device, so should be ok?
If I just make BAR4 writeable we get past the
bios screen at least.
Maybe openbios gets confused if a device has no BARs?
Do things work for you with the patch below?
All it does is make BAR4 writeable, accesses go nowhere.


Looking at serial console, there is no crash, but VGA still does not work.


Note that I've just emailed the list about a VGA regression I've found 
on PPC caused by one of Avi's commits - perhaps Michael's fix does work, 
but you're being bitten by the same bug?



ATB,

Mark.

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Alexander Graf]

On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:
 
 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?
 
 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).
 
 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)
 
 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?
 
 Maybe I'm misremembering or misunderstanding something.
 
 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.
 
 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.
 
 Maybe just add an assert and be done with it?

Assert for what? Linux page size of 64k is something perfectly normal on ppc. 
The hardware can always do at least 4k maps however.

Alex

 
 For the record, I am hoping to get rid of some of those cpu.h defines in
 a later stage of QOM'ification.
 
 Andreas
 
 -- 
 SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
 GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH] seabios: acpi: Add _STA for PCI hotplug slots

[Michael S. Tsirkin]

On Fri, Feb 24, 2012 at 04:21:17PM -0700, Alex Williamson wrote:
 When a Status method is provided on a slot, the OSPM evaluates
 _STA in response to the device check notify on the slot.  This
 allows some degree of a handshake between the platform and the
 OSPM that the hotplug has been acknowledged.

 In order to implement _STA, we need to know which slots have
 devices.  A slot with device returns 0x0F, a slot without a
 device returns Zero.  We get this information from Qemu using
 the 0xae08 I/O port register.  This was previously the read-side
 of the register written to commit a device eject and always
 returned 0 on read.  It now returns a bitmap of present slots,
 so we know that reading 0 means we have and old Qemu and
 dynamically modify our SSDT to rename the _STA methods.  This
 is necessary to allow backwards compatibility.

Interesting. Isn't the UP register sufficient for _STA?

Assuming we want to implement _STA - for which
the only motivation seems the handshake hack below.

 The _STA method also writes the slot identifier to I/O port
 register 0xae00 as an acknowledgment of the hotplug request.

This part looks a bit like a hack.
_STA is not intended as an acknowledgement - it's a query for state.
ACPI spec 5.0 requires that _STA is called before _INI,
but ACPI 1.0b doesn't. Did you try some 1.0 OSPMs (e.g. XP)
to see what they do?

I also think I see how this can cause a race, see below.

 
 Signed-off-by: Alex Williamson alex.william...@redhat.com

Your description of the qemu patches made me think
that all you really want is detect an OS without
OSPM. If that is the case, I would suggest adding
an _INI method at top level as a simpler and more robust
procedure.


Otherwise, how about implementing _PS0
(and probably _PS3) to manage slot power?
Maybe this what you are really after, and it
seems like a better interface than 'acknowledge'
which does not seem to make sense for real hardware.



 ---
 
  src/acpi-dsdt.dsl  |   36 ++-
  src/acpi-dsdt.hex  |  124 ++
  src/acpi.c |   27 ++
  src/ssdt-pcihp.dsl |3 
  src/ssdt-pcihp.hex |  658 
 
  5 files changed, 686 insertions(+), 162 deletions(-)
 
 diff --git a/src/acpi-dsdt.dsl b/src/acpi-dsdt.dsl
 index 7082b65..6b87086 100644
 --- a/src/acpi-dsdt.dsl
 +++ b/src/acpi-dsdt.dsl
 @@ -119,17 +119,15 @@ DefinitionBlock (
 prt_slot3(0x001f),
  })
  
 -OperationRegion(PCST, SystemIO, 0xae00, 0x08)
 +OperationRegion(PCST, SystemIO, 0xae00, 0x0c)
  Field (PCST, DWordAcc, NoLock, WriteAsZeros)
  {
 -PCIU, 32,
 -PCID, 32,
 -}
 -
 -OperationRegion(SEJ, SystemIO, 0xae08, 0x04)
 -Field (SEJ, DWordAcc, NoLock, WriteAsZeros)
 -{
 -B0EJ, 32,
 +// PCI Up/ACK
 +PUPA, 32,
 +// PCI Down
 +PDWN, 32,
 +// PCI Present/Eject
 +PPEJ, 32,

Note on the comment: this only affects bus0 not all of PCI.

  }
  
  Name (_CRS, ResourceTemplate ()
 @@ -462,10 +460,20 @@ DefinitionBlock (
  /* Methods called by hotplug devices */
  Method (PCEJ, 1, NotSerialized) {
  // _EJ0 method - eject callback
 -Store(ShiftLeft(1, Arg0), B0EJ)
 +Store(ShiftLeft(1, Arg0), PPEJ)
  Return (0x0)
  }
  
 +Method (PSTA, 1, NotSerialized) {
 +Store(ShiftLeft(1, Arg0), PUPA)

So this looks wrong to me.

Specifically _STA is also called at the end after _EJ0.
If the device is ejected then insterted, you
get a window where _STA is called and hardware
will think insertion was acknowledged, while in fact
ejection was acknowledged.

I also think a request for the OS to rescan the bus
will trigger _STA calls. Same race can get triggered.


 +Store(PPEJ, Local0)
 +If (And(Local0, ShiftLeft(1, Arg0))) {
 +Return(0x0F)
 +} Else {
 +Return(Zero)
 +}
 +}
 +
   /* Hotplug notification method supplied by SSDT */
   External (\_SB.PCI0.PCNT, MethodObj)
  
 @@ -473,12 +481,16 @@ DefinitionBlock (
  Method(PCNF, 0) {
  // Local0 = iterator
  Store (Zero, Local0)
 +// Local1 = slots marked up
 +Store (PUPA, Local1)
 +// Local2 = slots marked down
 +Store (PDWN, Local2)
  While (LLess(Local0, 31)) {
  Increment(Local0)
 -If (And(PCIU, ShiftLeft(1, Local0))) {
 +If (And(Local1, ShiftLeft(1, Local0))) {
  PCNT(Local0, 1)
  }
 -If (And(PCID, ShiftLeft(1, Local0))) {
 +If (And(Local2, ShiftLeft(1, Local0))) {
  PCNT(Local0, 3)
  }
   

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 05:49:04PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 16:42, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 02:26:13PM +, Blue Swirl wrote:
   It seems to have to do with the host bridge.
   It's unusual to have host bridge present itself
   as a pci to pci bridge but there it is.
 
  It looks like the I/O base calculations in OpenBIOS are confused
 
  Where's the source for that, BTW? Have build instructions?
 
 Under roms/openbios or www.openbios.org. You need xsltproc.
 ../config/scripts/switch-arch sparc64
 make build-verbose
 qemu-system-sparc64 -bios obj-sparc64/openbios-builtin.elf.nostrip

I don't see anything obviously wrong in there, but
the behaviour does seem to indicate some firmware bug ...
I don't have the right toolchain - care debugging?

  by
  host bridge, after that all BARs are wrong. OpenBIOS also thinks that
  the host bridge is a device and attempts to configure six BARs instead
  of two.
 
  According to the spec it is a device, so should be ok?
  If I just make BAR4 writeable we get past the
  bios screen at least.
  Maybe openbios gets confused if a device has no BARs?
  Do things work for you with the patch below?
  All it does is make BAR4 writeable, accesses go nowhere.
 
 Looking at serial console, there is no crash, but VGA still does not work.

What do info pci/ifo mtree show now?

 
 
  diff --git a/hw/apb_pci.c b/hw/apb_pci.c
  index 1d25da8..fae841f 100644
  --- a/hw/apb_pci.c
  +++ b/hw/apb_pci.c
  @@ -433,6 +433,7 @@ static int pbm_pci_host_init(PCIDevice *d)
      pci_set_word(d-config + PCI_STATUS,
                   PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
                   PCI_STATUS_DEVSEL_MEDIUM);
  +    pci_set_long(d-wmask + 0x20, 0xfff0);
      return 0;
   }
 
  @@ -444,7 +445,6 @@ static void pbm_pci_host_class_init(ObjectClass *klass, 
  void *data)
      k-vendor_id = PCI_VENDOR_ID_SUN;
      k-device_id = PCI_DEVICE_ID_SUN_SABRE;
      k-class_id = PCI_CLASS_BRIDGE_HOST;
  -    k-is_bridge = 1;
   }
 
   static TypeInfo pbm_pci_host_info = {
  --
  MST

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 06:11:20PM +, Mark Cave-Ayland wrote:
 On 04/03/12 17:49, Blue Swirl wrote:
 
 According to the spec it is a device, so should be ok?
 If I just make BAR4 writeable we get past the
 bios screen at least.
 Maybe openbios gets confused if a device has no BARs?
 Do things work for you with the patch below?
 All it does is make BAR4 writeable, accesses go nowhere.
 
 Looking at serial console, there is no crash, but VGA still does not work.
 
 Note that I've just emailed the list about a VGA regression I've
 found on PPC caused by one of Avi's commits - perhaps Michael's fix
 does work, but you're being bitten by the same bug?
 
 
 ATB,
 
 Mark.

It's not a fix as such - just a hack to see what makes
bios crash.

-- 
MST

Re: [Qemu-devel] [Seabios] [PATCH 0/6] 64bit PCI BARs allocations (take 2)

[Kevin O'Connor]

On Thu, Mar 01, 2012 at 06:50:43PM +1300, Alexey Korolev wrote:
 Hi,
 
 This patch series enables 64bit BAR support in seabios. 
 It has a bit different approach for resources accounting, We did this
 because we wanted:
 a) Provide 64bit bar support for PCI BARs and bridges with 64bit memory
 window.
 b) Allow migration to 64bit bit ranges if we did not fit into 32bit
 range
 c) Keep implementation simple.

Hrmm.  By my count, this would be the third rewrite of the PCI bar
initialization in the last 14 months.

[...]
 The patch series includes 6 patches.
 In the 1st patch we introduce new structures. 

Patch 1 does not look like it will compile independently.  There is no
point in breaking up patches if each part doesn't compile.

 
 In the 2nd patch we introduce support functions for basic hlist
 operations, plus modify service functions to support 64bits address
 ranges. 
   Note: I've seen similar hlist operations in post memory manager 
 and stack location operations, it makes sense to move
 them to a header file. 
 
 In the 3rd patch a new function to fill pci_region structures with
 entries, and discover topology is added.
 
 In the 4th patch we define address range for pci_region structure,
 migrate entries to 64bits address range if necessary, and program PCI
 BAR addresses and bridge regions.
 
 In the 6th patch we clear old code.

Given the churn in this area, I don't want to commit patches that do
wholesale code replacement.  I'd prefer to see each patch
independently add some functionality and perform its related cleanup.

Also, since Gerd has some patches pending in this area, we should
figure out which direction makes sense.  Can you explain on how this
64bit support is different from the support proposed by Gerd?

Thanks,
-Kevin

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 06:11:20PM +, Mark Cave-Ayland wrote:
 On 04/03/12 17:49, Blue Swirl wrote:
 
 According to the spec it is a device, so should be ok?
 If I just make BAR4 writeable we get past the
 bios screen at least.
 Maybe openbios gets confused if a device has no BARs?
 Do things work for you with the patch below?
 All it does is make BAR4 writeable, accesses go nowhere.
 
 Looking at serial console, there is no crash, but VGA still does not work.
 
 Note that I've just emailed the list about a VGA regression I've
 found on PPC caused by one of Avi's commits - perhaps Michael's fix
 does work, but you're being bitten by the same bug?
 
 
 ATB,
 
 Mark.

Can you pls try applying my patch on top of old tree where VGA
did work, and see what happens?

-- 
MST

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 17:35, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 05:07:34PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin m...@redhat.com 
wrote:
 On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin 
 m...@redhat.com wrote:
  commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
  a regression: we do not make IO base/limit upper 16
  bit registers writeable, so we should report a 16 bit
  IO range type, not a 32 bit one.
  Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but 
  PCI_IO_RANGE_TYPE_32 is 0x1.
 
  In particular, this broke sparc64.
 
  Note: this just reverts to behaviour prior to the patch.
  Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
  registers writeable should, and seems to, work just as well, 
  but
  as no system seems to actually be interested in 32 bit IO,
  let's not make unnecessary changes.
 
  Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
  Signed-off-by: Michael S. Tsirkin m...@redhat.com
 
  Mark, can you confirm that this fixes the bug for you?

 No, running
 qemu-system-sparc64 -serial stdio
 still shows black screen and the following on console:
 OpenBIOS for Sparc64
 Unhandled Exception 0x0032
 PC = 0xffd19e18 NPC = 0xffd19e1c
 Stopping execution

 The weird thing is the range type does not seem to be accessed
 at all. So I guessed there's some memory corruption here.
 Running valgrind shows this:

 --4-- WARNING: unhandled syscall: 340
 --4-- You may be able to write your own handler.
 --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
 --4-- Nevertheless we consider this a bug.  Please report
 --4-- it at http://valgrind.org/support/bug_reports.html.
 ==4== Invalid read of size 4
 ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
 ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==  Address 0x156c7d30 is 0 bytes after a block of size 64
 alloc'd
 ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
 ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
 ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x584B528: g_malloc0 (in 
 /lib/libglib-2.0.so.0.2800.8)
 ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
 ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
 ==4==    by 0x13D716: main (vl.c:3397)
 ==4==
 apb: here
 ==4== Warning: client switching stacks?  SP change: 
 0xfec42cbc --
 0x16894008
 ==4==          to suppress, use: --max-stackframe=398791500 or
 greater
 ==4== Warning: client switching stacks?  SP change: 
 0x16893fa0 --
 0xfec42cc0
 ==4==          to suppress, use: --max-stackframe=398791392 or
 greater
 ==4== Warning: client switching stacks?  SP change: 
 0xfec42fe0 --
 0x16893fd0
 ==4==          to suppress, use: --max-stackframe=398790640 or
 greater
 ==4==          further instances of this message will not be 
 shown.
 QEMU 1.0.50 monitor - type 'help' for more information
 (qemu) ==4== Thread 2:
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
 ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==
 ==4== Conditional jump or move depends on uninitialised 
 value(s)
 ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
 ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
 ==4==    by 0x9AD9A19: ???
 ==4==

 Is the above a problem?
   
It looks like Sparc does not reset registers at CPU reset. Nice 
catch.
   
Invalid read and address after block are also worrying.
   
irqs are allocated with
 #define MAX_PILS 16
   
   irq = qemu_allocate_irqs(cpu_set_irq, env, MAX_PILS);
   
then passed to apb:
   

Re: [Qemu-devel] restart a coroutine?

[Michael Tokarev]

On 04.03.2012 20:08, Avi Kivity wrote:
 On 03/04/2012 02:41 PM, Michael Tokarev wrote:
 Since all block (bdrv) layer is now implemented using
 coroutines, I thought I'd give it a try.  But immediately
 hit a question to which I don't know a good answer.

 Suppose we've some networking block device (like NBD) and
 want to be able to support reconnection - this is actually
 very useful feature, in order to be able to reboot/restart
 the NBD server without a need to restart all the clients.

 For this to work, we should have an ability to reconnect
 to the server and re-issue all requests which were waiting
 for reply.

 Traditionally, in asyncronous event-loop-based scheme, this
 is implemented as a queue of requests linked to the block
 driver state structure, and in case of reconnection we just
 walk over all requests and requeue these.

 But if the block driver is implemented as a set of coroutines
 (like nbd currently does), I see no sane/safe way to restart
 the requests.  Setjmp/longjmp can be uses with extra care
 there, but with these it is extremly fragile.

 Any hints on how to do that?
 
 From the block layer's point of view, the requests should still be
 pending.  For example, if a read request sees a dropped connection, it
 adds itself to a list of coroutines waiting for a reconnect, wakes up a
 connection manager coroutine (or thread), and sleeps.  The connection
 manager periodically tries to connect, and if it succeeds, it wakes up
 the coroutines waiting for a reconnection.

This is all fine, except of one thing: restarting (resending) of
the requests which has been sent to the remote and for which we
were waiting for reply already.

For these requests, they should be resent using new socket, when
the connection manager wakes corresponding coroutine up.  That's
where my question comes.

The request handling coroutine looks like regular function
(pseudocode):

 offset = 0;
 while(offset  sendsize) {
   ret = send(sock, senddata+offset, sendsize-offset);
   if (EAGAIN) { coroutine_yeld(); continue; }
   if (ret  0) return -EIO;
   offset += ret;
 }
 offset = 0;
 while(offset  recvsize) {
   ret = recv(sock, recvdata+offset, recvsize-offset);
   if (EAGAIN) { coroutine_yeld(); continue; }
   if (ret  0) return -EIO;
   offset += ret;
 }
 return status(recvdata);

This function will need to have a ton of goto begin in all places
where it calls yeld() -- in order to actually start _sending_ the
request to the new sock after a reconnect.  It is all good when it
is in one function, but if the code is split into several functions,
it becomes very clumsy, to a point where regular asyncronous state
machine bay be more appropriate.  It also requires to open-code all
helper functions (like qiov handlers).

So I was asking if it can be done using a setjmp/longjmp maybe, to
simplify it all somehow.

 It's important to implement request cancellation correctly here, or we
 can end up with a device that cannot be unplugged or a guest that cannot
 be shutdown.

Is there some mechanism to cancel bdrv_co_{read,write}v()?  I see a
way to cancel bdrv_aio_{read,write}v(), but even these are now
implemented as coroutines...

Thanks!

/mjt

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 07:51:02PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 17:35, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 05:07:34PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com 
wrote:
 On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin 
 m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin 
  m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but 
   PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as well, 
   but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
 
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
 
  The weird thing is the range type does not seem to be accessed
  at all. So I guessed there's some memory corruption here.
  Running valgrind shows this:
 
  --4-- WARNING: unhandled syscall: 340
  --4-- You may be able to write your own handler.
  --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
  --4-- Nevertheless we consider this a bug.  Please report
  --4-- it at http://valgrind.org/support/bug_reports.html.
  ==4== Invalid read of size 4
  ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
  ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==  Address 0x156c7d30 is 0 bytes after a block of size 
  64
  alloc'd
  ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
  ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
  ==4==    by 0x584AFEC: ??? (in /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x584B528: g_malloc0 (in 
  /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
  ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==
  apb: here
  ==4== Warning: client switching stacks?  SP change: 
  0xfec42cbc --
  0x16894008
  ==4==          to suppress, use: --max-stackframe=398791500 
  or
  greater
  ==4== Warning: client switching stacks?  SP change: 
  0x16893fa0 --
  0xfec42cc0
  ==4==          to suppress, use: --max-stackframe=398791392 
  or
  greater
  ==4== Warning: client switching stacks?  SP change: 
  0xfec42fe0 --
  0x16893fd0
  ==4==          to suppress, use: --max-stackframe=398790640 
  or
  greater
  ==4==          further instances of this message will not 
  be shown.
  QEMU 1.0.50 monitor - type 'help' for more information
  (qemu) ==4== Thread 2:
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
  ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
 
  Is the above a problem?

 It looks like Sparc does not reset registers at CPU reset. Nice 
 catch.

 

[Qemu-devel] XP install cores with SCSI LSI 53C895A disks

[Gerhard Wiesinger]

Hello,

Clean XP install cores with SCSI LSI 53C89A disk when copying files. 
Reproduceable.  Driver used is sym_hi. Details are below.


Tried also old versions 1.0, 0.15.1, cores too.

Any ideas?

Thnx.

Ciao,
Gerhard

--
http://www.wiesinger.com/

Image created with:
qemu-img create -f qcow2 XP-TEST.qcow2 10G

Command line:
Version: git b5ed4b6f6f0d31e0d8210f4b444ba67bfa5d6de2
/root/download/qemu/git/qemu-kvm/x86_64-softmmu/qemu-system-x86_64
-drive file=VM-XP-TEST/XP-TEST.qcow2,media=disk,if=scsi,bus=0,unit=0
-cdrom ISO/XP.iso
-boot order=cad,menu=on
-m 2048
-k de
-vga vmware
-vnc :0
-bios /root/download/seabios/git/seabios/out/bios.bin
-chardev stdio,id=seabios -device isa-debugcon,iobase=0x402,chardev=seabios
-option-rom BIOS/V4.19/8xx_64.rom
-device pcnet,mac=1a:46:0b:ca:bc:7e,vlan=1,romfile=
-net tap,ifname=tap1,script=no,downscript=no,vlan=1


#0  0x7f66a29e5117 in malloc_consolidate.part.3 () from /lib64/libc.so.6
#1  0x7f66a29e5e99 in _int_free () from /lib64/libc.so.6
#2  0x7f66a64a1444 in scsi_req_unref (req=0x7f66a9791f70) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1272
#3  scsi_req_unref (req=0x7f66a9791f70) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1268
#4  0x7f66a64a2445 in scsi_device_purge_requests (sdev=0x7f66a9616160, 
sense=...) at /root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1421
#5  0x7f66a64a2d27 in scsi_disk_reset (dev=0x7f66a9616160) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-disk.c:1498
#6  0x7f66a643dd60 in lsi_reg_writeb (s=0x7f66a95fa140, offset=optimized out, 
val=optimized out)at /root/download/qemu/git/qemu-kvm/hw/lsi53c895a.c:1684
#7  0x7f66a65187a0 in access_with_adjusted_size (addr=1, value=0x7f669f3ecbb0, size=1, 
access_size_min=optimized out,access_size_max=optimized out, 
access=0x7f66a65186c0 memory_region_write_accessor, opaque=0x7f66a95fa5a8)at 
/root/download/qemu/git/qemu-kvm/memory.c:304
#8  0x7f66a651d1a0 in memory_region_dispatch_write (size=1, data=8, addr=1, 
mr=0x7f66a95fa5a8) at /root/download/qemu/git/qemu-kvm/memory.c:982
#9  io_mem_write (io_index=optimized out, addr=1, val=optimized out, 
size=1) at /root/download/qemu/git/qemu-kvm/memory.c:1564
#10 0x7f66a65187a0 in access_with_adjusted_size (addr=1, value=0x7f669f3ecc60, size=1, 
access_size_min=optimized out,access_size_max=optimized out, 
access=0x7f66a65186c0 memory_region_write_accessor, opaque=0x7f669801bae0)at 
/root/download/qemu/git/qemu-kvm/memory.c:304
#11 0x7f66a651d1a0 in memory_region_dispatch_write (size=1, data=8, addr=1, 
mr=0x7f669801bae0) at /root/download/qemu/git/qemu-kvm/memory.c:982
#12 io_mem_write (io_index=optimized out, addr=1, val=optimized out, 
size=1) at /root/download/qemu/git/qemu-kvm/memory.c:1564
#13 0x7f66a64efe58 in cpu_physical_memory_rw (addr=4273938433, buf=0x7f66a6319028 
Address 0x7f66a6319028 out of bounds, len=1, is_write=1)at 
/root/download/qemu/git/qemu-kvm/exec.c:3594
#14 0x7f66a650d195 in kvm_cpu_exec (env=0x7f66a8d52900) at 
/root/download/qemu/git/qemu-kvm/kvm-all.c:1192
#15 0x7f66a64e3201 in qemu_kvm_cpu_thread_fn (arg=0x7f66a8d52900) at 
/root/download/qemu/git/qemu-kvm/cpus.c:732
#16 0x7f66a47bbd90 in start_thread () from /lib64/libpthread.so.0
#17 0x7f66a2a57f5d in clone () from /lib64/libc.so.6

(gdb) back
#0  0x7f66efb81285 in raise () from /lib64/libc.so.6
#1  0x7f66efb82b9b in abort () from /lib64/libc.so.6
#2  0x7f66efbc2a7e in __libc_message () from /lib64/libc.so.6
#3  0x7f66efbc8da6 in malloc_printerr () from /lib64/libc.so.6
#4  0x7f66efbc9279 in malloc_consolidate.part.3 () from /lib64/libc.so.6
#5  0x7f66efbc9e99 in _int_free () from /lib64/libc.so.6
#6  0x7f66f3685444 in scsi_req_unref (req=0x7f66f6db1bc0) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1272
#7  scsi_req_unref (req=0x7f66f6db1bc0) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1268
#8  0x7f66f3686445 in scsi_device_purge_requests (sdev=0x7f66f6b8e160, 
sense=...) at /root/download/qemu/git/qemu-kvm/hw/scsi-bus.c:1421
#9  0x7f66f3686d27 in scsi_disk_reset (dev=0x7f66f6b8e160) at 
/root/download/qemu/git/qemu-kvm/hw/scsi-disk.c:1498
#10 0x7f66f3621d60 in lsi_reg_writeb (s=0x7f66f6b72140, offset=optimized out, 
val=optimized out)at /root/download/qemu/git/qemu-kvm/hw/lsi53c895a.c:1684
#11 0x7f66f36fc7a0 in access_with_adjusted_size (addr=1, value=0x7f66ec5d0bb0, size=1, 
access_size_min=optimized out,access_size_max=optimized out, 
access=0x7f66f36fc6c0 memory_region_write_accessor, opaque=0x7f66f6b725a8)at 
/root/download/qemu/git/qemu-kvm/memory.c:304
#12 0x7f66f37011a0 in 

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Andreas Färber]

Am 04.03.2012 19:46, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:

 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?

 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).

 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)

 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?

 Maybe I'm misremembering or misunderstanding something.

 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.

 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.

 Maybe just add an assert and be done with it?
 
 Assert for what? Linux page size of 64k is something perfectly normal on ppc. 
 The hardware can always do at least 4k maps however.

g_assert(TARGET_PAGE_SIZE = getpagesize())

Just declare the above case as unsupported and abort if we encounter it.

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Alexander Graf]

On 04.03.2012, at 21:21, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 19:46, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:
 
 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?
 
 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).
 
 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)
 
 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?
 
 Maybe I'm misremembering or misunderstanding something.
 
 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.
 
 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.
 
 Maybe just add an assert and be done with it?
 
 Assert for what? Linux page size of 64k is something perfectly normal on 
 ppc. The hardware can always do at least 4k maps however.
 
 g_assert(TARGET_PAGE_SIZE = getpagesize())
 
 Just declare the above case as unsupported and abort if we encounter it.

What I'm trying to tell you is that it's the default case on book3s ppc! ;)

Alex

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Andreas Färber]

Am 04.03.2012 21:25, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 21:21, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 19:46, schrieb Alexander Graf:


 On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:

 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?

 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).

 I suggest that gets dealt with when/if it needs to, which means probably
 never :-)

 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?

 Maybe I'm misremembering or misunderstanding something.

 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.

 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.

 Maybe just add an assert and be done with it?

 Assert for what? Linux page size of 64k is something perfectly normal on 
 ppc. The hardware can always do at least 4k maps however.

 g_assert(TARGET_PAGE_SIZE = getpagesize())

 Just declare the above case as unsupported and abort if we encounter it.
 
 What I'm trying to tell you is that it's the default case on book3s ppc! ;)

Exactly, which is why I'm saying just ignore the weird embedded case. :)

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

[Qemu-devel] [PATCH v4 1/3] kvmclock: Always register type

[Andreas Färber]

Currently, the kvmclock type is only registered when kvm_enabled().

This breaks when moving type registration to before command line
parsing (so that QOM types can be used for CPU and machine).

Since the QOM classes are lazy-initialized anyway and kvmclock_create()
has another kvm_enabled() check, simply drop the KVM check in
kvmclock_register_types().

kvm-i8259, kvm-apic and kvm-ioapic do not suffer from such a check.

Signed-off-by: Andreas Färber afaer...@suse.de
Reviewed-by: Jan Kiszka jan.kis...@siemens.com
Cc: Marcelo Tosatti mtosa...@redhat.com
---
 hw/kvm/clock.c |2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/hw/kvm/clock.c b/hw/kvm/clock.c
index 2157340..446bd62 100644
--- a/hw/kvm/clock.c
+++ b/hw/kvm/clock.c
@@ -121,9 +121,7 @@ void kvmclock_create(void)
 
 static void kvmclock_register_types(void)
 {
-if (kvm_enabled()) {
 type_register_static(kvmclock_info);
-}
 }
 
 type_init(kvmclock_register_types)
-- 
1.7.7

[Qemu-devel] [PATCH v4 2/3] qom: Register QOM infrastructure early

[Andreas Färber]

The constructors for QOM TYPE_INTERFACE were executed rather late in
vl.c's main(). Call them very early so that QOM can safely be used for
machines and CPUs.

Signed-off-by: Andreas Färber afaer...@suse.de
Cc: Anthony Liguori anth...@codemonkey.ws
---
 vl.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/vl.c b/vl.c
index 97ab2b9..3fb9182 100644
--- a/vl.c
+++ b/vl.c
@@ -2299,6 +2299,8 @@ int main(int argc, char **argv, char **envp)
 #endif
 }
 
+module_call_init(MODULE_INIT_QOM);
+
 runstate_init();
 
 init_clocks();
@@ -3460,8 +3462,6 @@ int main(int argc, char **argv, char **envp)
 if (foreach_device_config(DEV_DEBUGCON, debugcon_parse)  0)
 exit(1);
 
-module_call_init(MODULE_INIT_QOM);
-
 /* must be after qdev registration but before machine init */
 if (vga_model) {
 select_vgahw(vga_model);
-- 
1.7.7

[Qemu-devel] [PATCH v4 3/3] qom: Add QOM support to user emulators

[Andreas Färber]

Link the Object base class and the module infrastructure for class
registration. Introduce $(universal-obj-y) for objects that are more
common than $(common-obj-y), so that those only get built once.

Call QOM module init for type registration.

Signed-off-by: Andreas Färber afaer...@suse.de
Cc: Anthony Liguori anth...@codemonkey.ws
---
 Makefile   |6 +++---
 Makefile.objs  |   23 ++-
 Makefile.target|4 
 Makefile.user  |1 +
 bsd-user/main.c|2 ++
 darwin-user/main.c |3 +++
 linux-user/main.c  |2 ++
 qemu-user.c|   37 +
 8 files changed, 70 insertions(+), 8 deletions(-)
 create mode 100644 qemu-user.c

diff --git a/Makefile b/Makefile
index 49c775b..cc24fea 100644
--- a/Makefile
+++ b/Makefile
@@ -97,12 +97,12 @@ ifneq ($(wildcard config-host.mak),)
 include $(SRC_PATH)/Makefile.objs
 endif
 
-$(common-obj-y): $(GENERATED_HEADERS)
+$(universal-obj-y) $(common-obj-y): $(GENERATED_HEADERS)
 subdir-libcacard: $(oslib-obj-y) $(trace-obj-y) qemu-timer-common.o
 
-$(filter %-softmmu,$(SUBDIR_RULES)): $(trace-obj-y) $(common-obj-y) 
subdir-libdis
+$(filter %-softmmu,$(SUBDIR_RULES)): $(universal-obj-y) $(trace-obj-y) 
$(common-obj-y) subdir-libdis
 
-$(filter %-user,$(SUBDIR_RULES)): $(GENERATED_HEADERS) $(trace-obj-y) 
subdir-libdis-user subdir-libuser
+$(filter %-user,$(SUBDIR_RULES)): $(GENERATED_HEADERS) $(universal-obj-y) 
$(trace-obj-y) subdir-libdis-user subdir-libuser
 
 ROMSUBDIR_RULES=$(patsubst %,romsubdir-%, $(ROMS))
 romsubdir-%:
diff --git a/Makefile.objs b/Makefile.objs
index 808de6a..f912fbb 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -1,9 +1,22 @@
 ###
+# Target-independent parts used in system and user emulation
+universal-obj-y =
+
+###
 # QObject
 qobject-obj-y = qint.o qstring.o qdict.o qlist.o qfloat.o qbool.o
 qobject-obj-y += qjson.o json-lexer.o json-streamer.o json-parser.o
 qobject-obj-y += qerror.o error.o qemu-error.o
 
+universal-obj-y += $(qobject-obj-y)
+
+###
+# QOM
+include $(SRC_PATH)/qom/Makefile
+qom-obj-y = $(addprefix qom/, $(qom-y))
+
+universal-obj-y += $(qom-obj-y)
+
 ###
 # oslib-obj-y is code depending on the OS (win32 vs posix)
 oslib-obj-y = osdep.o
@@ -76,7 +89,6 @@ fsdev-obj-$(CONFIG_VIRTFS) += $(addprefix fsdev/, 
$(fsdev-nested-y))
 
 common-obj-y = $(block-obj-y) blockdev.o
 common-obj-y += $(net-obj-y)
-common-obj-y += $(qobject-obj-y)
 common-obj-$(CONFIG_LINUX) += $(fsdev-obj-$(CONFIG_LINUX))
 common-obj-y += readline.o console.o cursor.o
 common-obj-y += $(oslib-obj-y)
@@ -124,9 +136,6 @@ common-obj-$(CONFIG_WIN32) += version.o
 
 common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o 
ui/spice-display.o spice-qemu-char.o
 
-include $(SRC_PATH)/qom/Makefile
-common-obj-y += $(addprefix qom/, $(qom-y))
-
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
 audio-obj-$(CONFIG_OSS) += ossaudio.o
@@ -182,6 +191,8 @@ user-obj-y =
 user-obj-y += envlist.o path.o
 user-obj-y += tcg-runtime.o host-utils.o
 user-obj-y += cutils.o cache-utils.o
+user-obj-y += module.o
+user-obj-y += qemu-user.o
 user-obj-y += $(trace-obj-y)
 
 ##
@@ -418,9 +429,11 @@ qapi-nested-y += qmp-output-visitor.o qmp-registry.o 
qmp-dispatch.o
 qapi-nested-y += string-input-visitor.o string-output-visitor.o
 qapi-obj-y = $(addprefix qapi/, $(qapi-nested-y))
 
-common-obj-y += qmp-marshal.o qapi-visit.o qapi-types.o $(qapi-obj-y)
+common-obj-y += qmp-marshal.o qapi-visit.o qapi-types.o
 common-obj-y += qmp.o hmp.o
 
+universal-obj-y += $(qapi-obj-y)
+
 ##
 # guest agent
 
diff --git a/Makefile.target b/Makefile.target
index 343eb78..ac4ebfe 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -136,6 +136,7 @@ obj-m68k-y += m68k-sim.o m68k-semi.o
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
+obj-y += $(addprefix ../, $(universal-obj-y))
 obj-y += $(addprefix ../libuser/, $(user-obj-y))
 obj-y += $(addprefix ../libdis-user/, $(libdis-y))
 obj-y += $(libobj-y)
@@ -163,6 +164,7 @@ obj-i386-y += ioport-user.o
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
+obj-y += $(addprefix ../, $(universal-obj-y))
 obj-y += $(addprefix ../libuser/, $(user-obj-y))
 obj-y += $(addprefix ../libdis-user/, $(libdis-y))
 obj-y += $(libobj-y)
@@ -185,6 +187,7 @@ obj-i386-y += ioport-user.o
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
+obj-y += $(addprefix ../, $(universal-obj-y))
 obj-y += $(addprefix ../libuser/, $(user-obj-y))
 obj-y += $(addprefix ../libdis-user/, $(libdis-y))
 obj-y += 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 20:02, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 07:51:02PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 17:35, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 05:07:34PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin m...@redhat.com 
wrote:
 On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin 
 m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin 
  m...@redhat.com wrote:
   commit 5caef97a16010f818ea8b950e2ee24ba876643ad introduced
   a regression: we do not make IO base/limit upper 16
   bit registers writeable, so we should report a 16 bit
   IO range type, not a 32 bit one.
   Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but 
   PCI_IO_RANGE_TYPE_32 is 0x1.
  
   In particular, this broke sparc64.
  
   Note: this just reverts to behaviour prior to the patch.
   Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
   registers writeable should, and seems to, work just as 
   well, but
   as no system seems to actually be interested in 32 bit IO,
   let's not make unnecessary changes.
  
   Reported-by: Mark Cave-Ayland 
   mark.cave-ayl...@ilande.co.uk
   Signed-off-by: Michael S. Tsirkin m...@redhat.com
  
   Mark, can you confirm that this fixes the bug for you?
 
  No, running
  qemu-system-sparc64 -serial stdio
  still shows black screen and the following on console:
  OpenBIOS for Sparc64
  Unhandled Exception 0x0032
  PC = 0xffd19e18 NPC = 0xffd19e1c
  Stopping execution
 
  The weird thing is the range type does not seem to be accessed
  at all. So I guessed there's some memory corruption here.
  Running valgrind shows this:
 
  --4-- WARNING: unhandled syscall: 340
  --4-- You may be able to write your own handler.
  --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
  --4-- Nevertheless we consider this a bug.  Please report
  --4-- it at http://valgrind.org/support/bug_reports.html.
  ==4== Invalid read of size 4
  ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
  ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==  Address 0x156c7d30 is 0 bytes after a block of size 
  64
  alloc'd
  ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
  ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
  ==4==    by 0x584AFEC: ??? (in 
  /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x584B528: g_malloc0 (in 
  /lib/libglib-2.0.so.0.2800.8)
  ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
  ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
  ==4==    by 0x13D716: main (vl.c:3397)
  ==4==
  apb: here
  ==4== Warning: client switching stacks?  SP change: 
  0xfec42cbc --
  0x16894008
  ==4==          to suppress, use: 
  --max-stackframe=398791500 or
  greater
  ==4== Warning: client switching stacks?  SP change: 
  0x16893fa0 --
  0xfec42cc0
  ==4==          to suppress, use: 
  --max-stackframe=398791392 or
  greater
  ==4== Warning: client switching stacks?  SP change: 
  0xfec42fe0 --
  0x16893fd0
  ==4==          to suppress, use: 
  --max-stackframe=398790640 or
  greater
  ==4==          further instances of this message will not 
  be shown.
  QEMU 1.0.50 monitor - type 'help' for more information
  (qemu) ==4== Thread 2:
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
  ==4==    by 0x2A8782: helper_compute_psr (cc_helper.c:470)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A827C: compute_all_sub_xcc (cc_helper.c:60)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
  ==4== Conditional jump or move depends on uninitialised 
  value(s)
  ==4==    at 0x2A8296: compute_all_sub_xcc (cc_helper.c:295)
  ==4==    by 0x2A8795: helper_compute_psr (cc_helper.c:473)
  ==4==    by 0x9AD9A19: ???
  ==4==
 
  Is the above a problem?

 It 

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Alexander Graf]

On 04.03.2012, at 21:31, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 21:25, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 21:21, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 19:46, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:
 
 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?
 
 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).
 
 I suggest that gets dealt with when/if it needs to, which means 
 probably
 never :-)
 
 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?
 
 Maybe I'm misremembering or misunderstanding something.
 
 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.
 
 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.
 
 Maybe just add an assert and be done with it?
 
 Assert for what? Linux page size of 64k is something perfectly normal on 
 ppc. The hardware can always do at least 4k maps however.
 
 g_assert(TARGET_PAGE_SIZE = getpagesize())
 
 Just declare the above case as unsupported and abort if we encounter it.
 
 What I'm trying to tell you is that it's the default case on book3s ppc! ;)
 
 Exactly, which is why I'm saying just ignore the weird embedded case. :)

Ugh. Sorry, apparently I can't read :). So you're saying 'break for ppcemb'. 
Hrm. Not sure that'd be all that great for 440, since there host pagesize is 
still 4k, but T_P_S is 1k.

Alex


 
 Andreas
 
 -- 
 SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
 GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

[Qemu-devel] [PATCH v4 0/3] Prepare QOM support for machines and CPU

[Andreas Färber]

Hello Anthony,

This series prepares for QOM'ification of CPUs and machines by rearranging
constructor calls and Makefile dependency rules. I've separated it out due
to complaints about patch series length for conversion of all targets.

Patch 1 is a RESEND that avoids an abort after patch 2.

Patch 2 rearranges module init for QOM in the system emulators, so that
objects can really be used beyond devices.

Patch 3 adds QOM support to the user emulators. As required by Anthony,
they are now only built once.

Available at:
http://repo.or.cz/w/qemu/afaerber.git/shortlog/refs/heads/qom-user.v4

Regards,
Andreas

Cc: Anthony Liguori anth...@codemonkey.ws
Cc: Avi Kivity a...@redhat.com

v3 - v4:
* Fix kvmclock abort due to too early kvm_enabled() check.
* Introduce $(universal-obj-y) to build some objects only once.
* Fix GPLv2 license link.

v2 - v3:
* Rebased against qom-upstream.14 branch (and that against master).

* Build common dependencies for user emulators in libuser/.
* New dependencies needed after moving properties into object.c.
* Add a qemu-user.c with stubs needed for successful linking.

v1 - v2:

* Don't introduce extra early_init(), just relocate former MODULE_INIT_DEVICE.
* Provide new type_init() macro to be used instead of device_init().

Andreas Färber (3):
  kvmclock: Always register type
  qom: Register QOM infrastructure early
  qom: Add QOM support to user emulators

 Makefile   |6 +++---
 Makefile.objs  |   23 ++-
 Makefile.target|4 
 Makefile.user  |1 +
 bsd-user/main.c|2 ++
 darwin-user/main.c |3 +++
 hw/kvm/clock.c |2 --
 linux-user/main.c  |2 ++
 qemu-user.c|   37 +
 vl.c   |4 ++--
 10 files changed, 72 insertions(+), 12 deletions(-)
 create mode 100644 qemu-user.c

-- 
1.7.7

Re: [Qemu-devel] KVM/QEMU: Support executing from flash device

[Jordan Justen]

On Sun, Mar 4, 2012 at 02:46, Avi Kivity a...@redhat.com wrote:
 On 03/04/2012 12:38 PM, Gleb Natapov wrote:
 On Sun, Mar 04, 2012 at 12:36:20PM +0200, Avi Kivity wrote:
  On 03/04/2012 10:12 AM, Gleb Natapov wrote:
   On Sat, Mar 03, 2012 at 10:56:02PM -0800, Jordan Justen wrote:
On Tue, Oct 25, 2011 at 00:47, Avi Kivity a...@redhat.com wrote:
 The core issue that kvm (the kernel part) supports two styles of 
 memory:
 read/write RAM, and read/write MMIO.  ROM wants writes to be ignored,
 and rom/device wants reads serviced from memory and writes serviced 
 by
 userspace (as MMIO).

 It should not be too hard to patch kvm to support these additional 
 two
 styles.  The entry point is the KVM_SET_USER_MEMORY_REGION ioctl to
 define the new attributes for the region, and kvm_mmu_page_fault() to
 map these pages as read-only and emulate writes (for ROM/device 
 regions).
   
Additional context for CC'd kvm-devel: I would like to support
executing from an emulated flash memory on kvm.  The flash memory
would be a CFI (Firmware Hub-like) device which is programmed via MMIO
at the same addresses in memory where the execution would occur.
   
What is needed is:
1. The ability to set a region to allow read/exec,
   but trap to qemu on writes.
2. qemu should then be able to set the region
   to trap on reads/exec/writes.
   Do you want to execute code from a flash while it traps on read/exec?
   KVM emulator can't do that.
 
  No, he wants read/exec to go to RAM, and writes to be handled as mmio.
  This should work.
 
 That's mode 1 from above and will obviously work. I am asking about mode
 2 from above.


 Mode 2 is pure mmio.  You're right that kvm won't run code from that.

 Jordan, what's the use for mode 2?  Is it just used during programming?

Yes.  It is the programming state for the flash, and no execution
would occur from the region while it is in that state.  At least for
the flash that I'm interested in supporting (qemu:hw/pflash_cfi01.c),
it would not be possible to execute from the flash in this mode
because the entire region will no longer read-back the flash contents.

-Jordan

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Benjamin Herrenschmidt]

On Sun, 2012-03-04 at 17:46 +0100, Andreas Färber wrote:
 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.
 
 Maybe just add an assert and be done with it?

Well, my patch should work anyway, as long as getpagesize() returns a
higher power of two.

The case that wouldn't work (but also doesn't exist) is getpagesize() 
TARGET_PAGE_SIZE.

 For the record, I am hoping to get rid of some of those cpu.h defines
 in a later stage of QOM'ification.

Cheers,
Ben.

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Benjamin Herrenschmidt]

On Sun, 2012-03-04 at 21:59 +0100, Alexander Graf wrote:
  g_assert(TARGET_PAGE_SIZE = getpagesize())
  
  Just declare the above case as unsupported and abort if we
 encounter it.
  
  What I'm trying to tell you is that it's the default case on book3s
 ppc! ;)
  
  Exactly, which is why I'm saying just ignore the weird embedded
 case. :)
 
 Ugh. Sorry, apparently I can't read :). So you're saying 'break for
 ppcemb'. Hrm. Not sure that'd be all that great for 440, since there
 host pagesize is still 4k, but T_P_S is 1k.

No, Alex, you are reading Andreas assert backward :-)

What he suggests is break if TARGET_PAGE_SIZE  getpagesize() which
currently cannot happen. Even embedded 1k TARGET_PAGE_SIZE is fine. It's
getpagesize() 1k that wouldn't be but it also never happens.

Cheers,
Ben.

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Andreas Färber]

Am 04.03.2012 21:59, schrieb Alexander Graf:
 
 
 On 04.03.2012, at 21:31, Andreas Färber afaer...@suse.de wrote:
 
 Am 04.03.2012 21:25, schrieb Alexander Graf:


 On 04.03.2012, at 21:21, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 19:46, schrieb Alexander Graf:


 On 04.03.2012, at 17:46, Andreas Färber afaer...@suse.de wrote:

 Am 04.03.2012 12:53, schrieb Benjamin Herrenschmidt:
 On Sun, 2012-03-04 at 12:49 +0200, Avi Kivity wrote:
 On 02/28/2012 11:48 PM, Benjamin Herrenschmidt wrote:
 On Tue, 2012-02-28 at 14:32 +0200, Avi Kivity wrote:

 What if TARGET_PAGE_SIZE  getpagesize()?  Or is that impossible?

 We have yet to encounter such a case. It's not currently possible on
 power (some old embedded chips could do 1K and 2K page sizes in the 
 TLB
 iirc but we never supported that in Linux and it's being phased out in
 HW).

 I suggest that gets dealt with when/if it needs to, which means 
 probably
 never :-)

 Doesn't ppc support both 4k and 64k pages?  Suppose you run a 4k guest
 on a 64k host?

 Maybe I'm misremembering or misunderstanding something.

 TARGET_PAGE_SIZE in qemu is always 4k for powerpc, it's a compile time
 #define.

 Except for ppcemb-softmmu (1k), which is irrelevant for KVM AFAIU.

 Maybe just add an assert and be done with it?

 Assert for what? Linux page size of 64k is something perfectly normal on 
 ppc. The hardware can always do at least 4k maps however.

 g_assert(TARGET_PAGE_SIZE = getpagesize())

 Just declare the above case as unsupported and abort if we encounter it.

 What I'm trying to tell you is that it's the default case on book3s ppc! ;)

 Exactly, which is why I'm saying just ignore the weird embedded case. :)
 
 [...] So you're saying 'break for ppcemb'. Hrm. Not sure that'd be all that 
 great for 440, since there host pagesize is still 4k, but T_P_S is 1k.

Err, 1k = 4k would still be supported. The way I see it, the only cases
breaking would be ppc with host page size  4k, and ppcemb with host
page size  1k (which I'm not aware of).

Is it realistic to expect virtualizing a Mac or pSeries to work on a
1k/2k bamboo? TCG would be unaffected AFAICT.

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg

Re: [Qemu-devel] [PATCH 6/6] kvm: Fix dirty tracking with large kernel page size

[Alexander Graf]

On 04.03.2012, at 22:19, Benjamin Herrenschmidt b...@kernel.crashing.org 
wrote:

 On Sun, 2012-03-04 at 21:59 +0100, Alexander Graf wrote:
 g_assert(TARGET_PAGE_SIZE = getpagesize())
 
 Just declare the above case as unsupported and abort if we
 encounter it.
 
 What I'm trying to tell you is that it's the default case on book3s
 ppc! ;)
 
 Exactly, which is why I'm saying just ignore the weird embedded
 case. :)
 
 Ugh. Sorry, apparently I can't read :). So you're saying 'break for
 ppcemb'. Hrm. Not sure that'd be all that great for 440, since there
 host pagesize is still 4k, but T_P_S is 1k.
 
 No, Alex, you are reading Andreas assert backward :-)
 
 What he suggests is break if TARGET_PAGE_SIZE  getpagesize() which
 currently cannot happen. Even embedded 1k TARGET_PAGE_SIZE is fine. It's
 getpagesize() 1k that wouldn't be but it also never happens.

O_o. Ok, that would obviously work. We never get hostpagesize 4k and T_P_S is 
always 1k/4k, never bigger.

Alex

 
 Cheers,
 Ben.
 
 

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Blue Swirl]

On Sun, Mar 4, 2012 at 21:28, Michael S. Tsirkin m...@redhat.com wrote:
 On Sun, Mar 04, 2012 at 08:32:26PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 20:02, Michael S. Tsirkin m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 07:51:02PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 17:35, Michael S. Tsirkin m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 05:07:34PM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 15:22, Michael S. Tsirkin m...@redhat.com 
   wrote:
On Sun, Mar 04, 2012 at 02:35:28PM +, Blue Swirl wrote:
On Sun, Mar 4, 2012 at 14:23, Michael S. Tsirkin m...@redhat.com 
wrote:
 On Sun, Mar 04, 2012 at 01:38:38PM +, Blue Swirl wrote:
 On Sun, Mar 4, 2012 at 13:28, Michael S. Tsirkin 
 m...@redhat.com wrote:
  On Sun, Mar 04, 2012 at 12:37:57PM +, Blue Swirl wrote:
  On Sun, Mar 4, 2012 at 12:21, Michael S. Tsirkin 
  m...@redhat.com wrote:
   On Sun, Mar 04, 2012 at 10:27:24AM +, Blue Swirl wrote:
   On Sun, Mar 4, 2012 at 09:46, Michael S. Tsirkin 
   m...@redhat.com wrote:
commit 5caef97a16010f818ea8b950e2ee24ba876643ad 
introduced
a regression: we do not make IO base/limit upper 16
bit registers writeable, so we should report a 16 bit
IO range type, not a 32 bit one.
Note that PCI_PREF_RANGE_TYPE_32 is 0x0, but 
PCI_IO_RANGE_TYPE_32 is 0x1.
   
In particular, this broke sparc64.
   
Note: this just reverts to behaviour prior to the patch.
Making PCI_IO_BASE_UPPER16 and PCI_IO_LIMIT_UPPER16
registers writeable should, and seems to, work just as 
well, but
as no system seems to actually be interested in 32 bit 
IO,
let's not make unnecessary changes.
   
Reported-by: Mark Cave-Ayland 
mark.cave-ayl...@ilande.co.uk
Signed-off-by: Michael S. Tsirkin m...@redhat.com
   
Mark, can you confirm that this fixes the bug for you?
  
   No, running
   qemu-system-sparc64 -serial stdio
   still shows black screen and the following on console:
   OpenBIOS for Sparc64
   Unhandled Exception 0x0032
   PC = 0xffd19e18 NPC = 0xffd19e1c
   Stopping execution
  
   The weird thing is the range type does not seem to be 
   accessed
   at all. So I guessed there's some memory corruption here.
   Running valgrind shows this:
  
   --4-- WARNING: unhandled syscall: 340
   --4-- You may be able to write your own handler.
   --4-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
   --4-- Nevertheless we consider this a bug.  Please 
   report
   --4-- it at 
   http://valgrind.org/support/bug_reports.html.
   ==4== Invalid read of size 4
   ==4==    at 0x2A68C0: pci_apb_init (apb_pci.c:350)
   ==4==    by 0x2F7A84: sun4uv_init (sun4u.c:779)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==  Address 0x156c7d30 is 0 bytes after a block of 
   size 64
   alloc'd
   ==4==    at 0x557DD69: malloc (vg_replace_malloc.c:236)
   ==4==    by 0x225F56: malloc_and_trace (vl.c:2156)
   ==4==    by 0x584AFEC: ??? (in 
   /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x584B528: g_malloc0 (in 
   /lib/libglib-2.0.so.0.2800.8)
   ==4==    by 0x19C50C: qemu_allocate_irqs (irq.c:47)
   ==4==    by 0x2F7A4C: sun4uv_init (sun4u.c:778)
   ==4==    by 0x13D716: main (vl.c:3397)
   ==4==
   apb: here
   ==4== Warning: client switching stacks?  SP change: 
   0xfec42cbc --
   0x16894008
   ==4==          to suppress, use: 
   --max-stackframe=398791500 or
   greater
   ==4== Warning: client switching stacks?  SP change: 
   0x16893fa0 --
   0xfec42cc0
   ==4==          to suppress, use: 
   --max-stackframe=398791392 or
   greater
   ==4== Warning: client switching stacks?  SP change: 
   0xfec42fe0 --
   0x16893fd0
   ==4==          to suppress, use: 
   --max-stackframe=398790640 or
   greater
   ==4==          further instances of this message will 
   not be shown.
   QEMU 1.0.50 monitor - type 'help' for more information
   (qemu) ==4== Thread 2:
   ==4== Conditional jump or move depends on uninitialised 
   value(s)
   ==4==    at 0x2A8351: compute_all_sub (cc_helper.c:37)
   ==4==    by 0x2A8782: helper_compute_psr 
   (cc_helper.c:470)
   ==4==    by 0x9AD9A19: ???
   ==4==
   ==4== Conditional jump or move depends on uninitialised 
   value(s)
   ==4==    at 0x2A827C: compute_all_sub_xcc 
   (cc_helper.c:60)
   ==4==    by 0x2A8795: helper_compute_psr 
   (cc_helper.c:473)
   ==4==    by 0x9AD9A19: ???
   ==4==
   

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Mark Cave-Ayland]

On 04/03/12 19:51, Blue Swirl wrote:


I now know the root cause of the problem. OpenBIOS programs the BARs
somewhat correctly just by accident. The initial io_base and mem_base
for BARs are not correct, but because the host bridge BARs (and also 6
of which 4 are not even BARs!) are programmed first, the bases
happened to settle to values that happen to work. The commit revealed
the problem since the settling didn't happen. The mask changes just
let the host bridge setup continue to do the magic.

By just changing OpenBIOS (see attached patch), I can get the devices
to work (assuming that VGA is a separate problem). There's no need to
change QEMU.


Hi Blue/Michael,

Thanks for debugging this. I can confirm that building OpenBIOS SVN 
trunk with Blue's patch and testing against QEMU git master with the 
attached patch (to temporarily back out 
2b50aa1f14d8e0a40f905ad0c022443c15646914 and 
de58ac72b6a062d1a61478284c0c0f8a0428613e which breaks VGA on 
PPC/SPARC64) appears to fix the problem for me.


Thanks a lot to both of you for taking the time to track this down :)


ATB,

Mark.
diff --git a/ioport.c b/ioport.c
index 8a474d3..36fa3a4 100644
--- a/ioport.c
+++ b/ioport.c
@@ -328,7 +328,6 @@ void portio_list_init(PortioList *piolist,
 piolist-ports = callbacks;
 piolist-nr = 0;
 piolist-regions = g_new0(MemoryRegion *, n);
-piolist-aliases = g_new0(MemoryRegion *, n);
 piolist-address_space = NULL;
 piolist-opaque = opaque;
 piolist-name = name;
@@ -337,7 +336,6 @@ void portio_list_init(PortioList *piolist,
 void portio_list_destroy(PortioList *piolist)
 {
 g_free(piolist-regions);
-g_free(piolist-aliases);
 }
 
 static void portio_list_add_1(PortioList *piolist,
@@ -347,7 +345,7 @@ static void portio_list_add_1(PortioList *piolist,
 {
 MemoryRegionPortio *pio;
 MemoryRegionOps *ops;
-MemoryRegion *region, *alias;
+MemoryRegion *region;
 unsigned i;
 
 /* Copy the sub-list and null-terminate it.  */
@@ -364,20 +362,12 @@ static void portio_list_add_1(PortioList *piolist,
 ops-old_portio = pio;
 
 region = g_new(MemoryRegion, 1);
-alias = g_new(MemoryRegion, 1);
-/*
- * Use an alias so that the callback is called with an absolute address,
- * rather than an offset relative to to start + off_low.
- */
 memory_region_init_io(region, ops, piolist-opaque, piolist-name,
-  UINT64_MAX);
-memory_region_init_alias(alias, piolist-name,
- region, start + off_low, off_high - off_low);
+  off_high - off_low);
+memory_region_set_offset(region, start + off_low);
 memory_region_add_subregion(piolist-address_space,
-start + off_low, alias);
-piolist-regions[piolist-nr] = region;
-piolist-aliases[piolist-nr] = alias;
-++piolist-nr;
+start + off_low, region);
+piolist-regions[piolist-nr++] = region;
 }
 
 void portio_list_add(PortioList *piolist,
@@ -419,19 +409,15 @@ void portio_list_add(PortioList *piolist,
 
 void portio_list_del(PortioList *piolist)
 {
-MemoryRegion *mr, *alias;
+MemoryRegion *mr;
 unsigned i;
 
 for (i = 0; i  piolist-nr; ++i) {
 mr = piolist-regions[i];
-alias = piolist-aliases[i];
-memory_region_del_subregion(piolist-address_space, alias);
-memory_region_destroy(alias);
+memory_region_del_subregion(piolist-address_space, mr);
 memory_region_destroy(mr);
 g_free((MemoryRegionOps *)mr-ops);
 g_free(mr);
-g_free(alias);
 piolist-regions[i] = NULL;
-piolist-aliases[i] = NULL;
 }
 }
diff --git a/ioport.h b/ioport.h
index ab29c89..ae3e9da 100644
--- a/ioport.h
+++ b/ioport.h
@@ -60,7 +60,6 @@ typedef struct PortioList {
 struct MemoryRegion *address_space;
 unsigned nr;
 struct MemoryRegion **regions;
-struct MemoryRegion **aliases;
 void *opaque;
 const char *name;
 } PortioList;
diff --git a/memory.c b/memory.c
index 6565e2e..926201a 100644
--- a/memory.c
+++ b/memory.c
@@ -389,17 +389,17 @@ static void memory_region_iorange_read(IORange *iorange,
 
 *data = ((uint64_t)1  (width * 8)) - 1;
 if (mrp) {
-*data = mrp-read(mr-opaque, offset);
+*data = mrp-read(mr-opaque, offset + mr-offset);
 } else if (width == 2) {
 mrp = find_portio(mr, offset, 1, false);
 assert(mrp);
-*data = mrp-read(mr-opaque, offset) |
-(mrp-read(mr-opaque, offset + 1)  8);
+*data = mrp-read(mr-opaque, offset + mr-offset) |
+(mrp-read(mr-opaque, offset + mr-offset + 1)  8);
 }
 return;
 }
 *data = 0;
-access_with_adjusted_size(offset, data, width,
+access_with_adjusted_size(offset + mr-offset, data, width,
   mr-ops-impl.min_access_size,
   

Re: [Qemu-devel] [PATCH] pci: fix bridge IO/BASE

[Michael S. Tsirkin]

On Sun, Mar 04, 2012 at 09:54:02PM +, Blue Swirl wrote:
  19.3.1.10 tells that the header type is 0, as you noted too. Still,
  the register layout matches bridge spec instead, for example there are
  bus number registers in place of BAR 2.
 
  Sorry I don't see this in 19.3.1
  Where are these registers documented?
  In my spec all registers from 0x10 on are greyed out which
  it says above means 'not implemented'?
  My spec also says 'Base Address' for 0x10 - 0x27.
 
  I see bus number and subordinate bus number
  registers at 0x40 and 0x41, this is outside
  the configuration header. The spec also says
  they are unused.
 
 Oh, I somehow read that they were in bridge locations 0x18 and 0x19.
 Perhaps the is_bridge property should be removed after OpenBIOS no
 longer wants to write to the registers.

So we are in agreement then?
The device seems to (more or less) go by the spec,
but openbios gets confused, apparently by the absence of BARs.

Can you try debugging openbios to see what is wrong?

-- 
MST

Re: [Qemu-devel] [PATCH V14 2/7] Add TPM (frontend) hardware interface (TPM TIS) to Qemu

[Michael S. Tsirkin]

On Fri, Mar 02, 2012 at 07:02:21AM -0500, Stefan Berger wrote:
 On 02/21/2012 06:08 PM, Michael S. Tsirkin wrote:
 On Tue, Feb 21, 2012 at 05:30:32PM -0500, Stefan Berger wrote:
 On 02/21/2012 02:58 PM, Michael S. Tsirkin wrote:
 On Tue, Feb 21, 2012 at 10:05:26AM -0500, Stefan Berger wrote:
 On 02/21/2012 07:18 AM, Michael S. Tsirkin wrote:
 When the backend delivers the response it checks whether the
 interface is used in interrupt mode and raises the interrupt.
 IMO it's the frontend that should send interrupts.
 Yes it kind of works for isa anyway, but e.g. pci
 needs to update configuration etc.
 
 The code that causes the interrupt to be raised is in the frontend.
 The function doing that is invoked via callback from the backend.
 This should be ok?
 Absolutely.
 
 The
 backend enters the frontend code with a callback. In this function
 also a signal is sent that may wake up the main thread that, upon
 suspend, may be waiting for the last command to be processed and be
 sleeping on a condition variable.
 
 I now added a function to the backend interface that is invoked by
 the frontend to notify the backend of a TPM request. The backend
 code can then either notify a thread (passthrough and libtpms
 driver) or create a response right away and invoke that callback to
 the front-end to deliver the response (null driver). How frontend
 and backend handle notifications is isolated to the frontend and
 backend with some backends (libtpms, passthough) sharing the code
 for how the notification is done.
 
 Stefan
 Right. And all the locking/threading can then be internal to the backend.
 
 Do you really want to replace code like this in the frontend:
 
 qemu_mutex_lock(s-state_lock)
 [...]
 qemu_mutex_unlock(s-state_lock)
 
 
 with
 
 
 s-be_driver-ops-state_lock(s-be_driver)
 [...]
 s-be_driver-ops-state_unlock(s-be_driver))
 
 
 where the backend starts protecting frontend data structures ?
 It's ugly I hope you can do something saner:
 ops-send_command()
 with command encapsulating the relevant info.
 
 At the moment there are two backends that need threading: the
 libtpms and passthrough backends. Both will require locking of
 datastructures that belong to the frontend. Only the null driver
 doesn't need a thread and the main thread can call into the backend,
 create the response and call via callback into the frontend to
 deliver the repsonse. If structures are protected via mutxes then
 only the NULL driver (which we don't want anyway) may end up
 grabbing mutexes that really aren't necessary while the two other
 backends need them. I don't see the mitextes as problematic. The
 frontend at least protects its data structures for the callbacks and
 other API calls it offers and they simply are thread-safe.
 
  Stefan
 Worst case, you can take a qemu mutex. Is tpm very
 performance-sensitive to make contention on that
 lock a problem?
 
 
 Having instrumented the code with qemu_mutex_trylock() and a counter
 for failed attempts with subsequent qemu_mutex_lock() practically
 shows no lock contention at all for either polling or IRQ mode being
 used by the Linux driver.
 
 IRQ mode: 4 failed lock attempts out of 1726208 locks - 0.00%
 polling mode: 2 failed lock attempts out of 1545216 locks - 0.00%
 
 I used the libtpms based backend with and ran IMA and a test suite
 in the VM.
 
 
 Stefan

so maybe you can just do qemu_mutex_lock_iothread similar
to what kvm does.

-- 
MST

Re: [Qemu-devel] [PATCH] seabios: acpi: Add _STA for PCI hotplug slots

[Alex Williamson]

On Sun, 2012-03-04 at 20:53 +0200, Michael S. Tsirkin wrote:
 On Fri, Feb 24, 2012 at 04:21:17PM -0700, Alex Williamson wrote:
  When a Status method is provided on a slot, the OSPM evaluates
  _STA in response to the device check notify on the slot.  This
  allows some degree of a handshake between the platform and the
  OSPM that the hotplug has been acknowledged.
 
  In order to implement _STA, we need to know which slots have
  devices.  A slot with device returns 0x0F, a slot without a
  device returns Zero.  We get this information from Qemu using
  the 0xae08 I/O port register.  This was previously the read-side
  of the register written to commit a device eject and always
  returned 0 on read.  It now returns a bitmap of present slots,
  so we know that reading 0 means we have and old Qemu and
  dynamically modify our SSDT to rename the _STA methods.  This
  is necessary to allow backwards compatibility.
 
 Interesting. Isn't the UP register sufficient for _STA?

No, UP only reports the current slot being added, so we'd only be able
to report a present value for that slot and not static or previously
added slots.

 Assuming we want to implement _STA - for which
 the only motivation seems the handshake hack below.
 
  The _STA method also writes the slot identifier to I/O port
  register 0xae00 as an acknowledgment of the hotplug request.
 
 This part looks a bit like a hack.
 _STA is not intended as an acknowledgement - it's a query for state.
 ACPI spec 5.0 requires that _STA is called before _INI,
 but ACPI 1.0b doesn't. Did you try some 1.0 OSPMs (e.g. XP)
 to see what they do?

I did test with XP.  Section 6.3 of ACPI spec 1.0b references the _STA
method during hotplug.  I also found this reference for Windows ACPI
procedure for hotplug/unplug:

http://www.microsoft.com/china/whdc/system/pnppwr/hotadd/hotplugpci.mspx#EYH

I agree, _STA is not intended as an acknowledgment, but that doesn't
mean we can't use it as one.  The OSPM can call _STA at any point in
time, however calling it after we've done a notify for device check is
about the best indication we can get that the OSPM is processing it.  It
doesn't hurt anything if _STA is called spuriously.

 I also think I see how this can cause a race, see below.
 
  
  Signed-off-by: Alex Williamson alex.william...@redhat.com
 
 Your description of the qemu patches made me think
 that all you really want is detect an OS without
 OSPM. If that is the case, I would suggest adding
 an _INI method at top level as a simpler and more robust
 procedure.

No, having OSPM is a prerequisite, but does not imply supporting
hotplug.

 Otherwise, how about implementing _PS0
 (and probably _PS3) to manage slot power?
 Maybe this what you are really after, and it
 seems like a better interface than 'acknowledge'
 which does not seem to make sense for real hardware.

I tried this, _PS0/3 also requires _STA.  Implementing both caused
interrupts to stop working on Linux guests.  Note that _PS0/3 is even
less closely associated with device removal in 1.0b than _STA even
though the MSFT document references it.

  ---
  
   src/acpi-dsdt.dsl  |   36 ++-
   src/acpi-dsdt.hex  |  124 ++
   src/acpi.c |   27 ++
   src/ssdt-pcihp.dsl |3 
   src/ssdt-pcihp.hex |  658 
  
   5 files changed, 686 insertions(+), 162 deletions(-)
  
  diff --git a/src/acpi-dsdt.dsl b/src/acpi-dsdt.dsl
  index 7082b65..6b87086 100644
  --- a/src/acpi-dsdt.dsl
  +++ b/src/acpi-dsdt.dsl
  @@ -119,17 +119,15 @@ DefinitionBlock (
  prt_slot3(0x001f),
   })
   
  -OperationRegion(PCST, SystemIO, 0xae00, 0x08)
  +OperationRegion(PCST, SystemIO, 0xae00, 0x0c)
   Field (PCST, DWordAcc, NoLock, WriteAsZeros)
   {
  -PCIU, 32,
  -PCID, 32,
  -}
  -
  -OperationRegion(SEJ, SystemIO, 0xae08, 0x04)
  -Field (SEJ, DWordAcc, NoLock, WriteAsZeros)
  -{
  -B0EJ, 32,
  +// PCI Up/ACK
  +PUPA, 32,
  +// PCI Down
  +PDWN, 32,
  +// PCI Present/Eject
  +PPEJ, 32,
 
 Note on the comment: this only affects bus0 not all of PCI.

As has always been the case.

   }
   
   Name (_CRS, ResourceTemplate ()
  @@ -462,10 +460,20 @@ DefinitionBlock (
   /* Methods called by hotplug devices */
   Method (PCEJ, 1, NotSerialized) {
   // _EJ0 method - eject callback
  -Store(ShiftLeft(1, Arg0), B0EJ)
  +Store(ShiftLeft(1, Arg0), PPEJ)
   Return (0x0)
   }
   
  +Method (PSTA, 1, NotSerialized) {
  +Store(ShiftLeft(1, Arg0), PUPA)
 
 So this looks wrong to me.
 
 Specifically _STA is also called at the end after _EJ0.
 If the device is ejected then insterted, you
 get a window where 

[Qemu-devel] [PATCH 1/6] rtl8139: limit transmission buffer size in c+ mode

[Jason Wang]

The tx buffer would be re-allocated for tx descriptor with big size
and without LS bit set, this would make guest driver could easily let
qemu to allocate unlimited.

In linux host, a glib failure were easy to be triggered:

GLib-ERROR **: gmem.c:176: failed to allocate 18446744071562067968 bytes

This patch fix this by adding a limit. As the spec didn't tell the maximum size
of buffer allowed, stick it to  current CP_TX_BUFFER_SIZE (65536).

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/rtl8139.c |9 -
 1 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 05b8e1e..d9e742c 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -2063,11 +2063,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
 
 while (s-cplus_txbuffer  s-cplus_txbuffer_offset + txsize = 
s-cplus_txbuffer_len)
 {
-s-cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
-s-cplus_txbuffer = g_realloc(s-cplus_txbuffer, 
s-cplus_txbuffer_len);
-
-DPRINTF(+++ C+ mode transmission buffer space changed to %d\n,
-s-cplus_txbuffer_len);
+/* The spec didn't tell the maximum size, stick to CP_TX_BUFFER_SIZE */
+txsize = s-cplus_txbuffer_len - s-cplus_txbuffer_offset;
+DPRINTF(+++ C+ mode transmission buffer overrun, truncated descriptor
+length to %d\n, txsize);
 }
 
 if (!s-cplus_txbuffer)

[Qemu-devel] [PATCH 2/6] rtl8139: remove unused marco

[Jason Wang]

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/rtl8139.c |3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index d9e742c..ca613ae 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -65,9 +65,6 @@
 
 #define PCI_FREQUENCY 3300L
 
-/* debug RTL8139 card C+ mode only */
-//#define DEBUG_RTL8139CP 1
-
 #define SET_MASKED(input, mask, curr) \
 ( ( (input)  ~(mask) ) | ( (curr)  (mask) ) )
 

[Qemu-devel] [PATCH 4/6] net: move compute_mcast_idx() to net.h

[Jason Wang]

Reduce duplicated codes.

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/eepro100.c  |   25 -
 hw/ne2000.c|   24 
 hw/opencores_eth.c |   25 -
 hw/rtl8139.c   |   24 
 net.c  |   23 +++
 net.h  |3 +++
 6 files changed, 26 insertions(+), 98 deletions(-)

diff --git a/hw/eepro100.c b/hw/eepro100.c
index e3ba719..02e6f7e 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -322,33 +322,8 @@ static const uint16_t eepro100_mdi_mask[] = {
 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x,
 };
 
-#define POLYNOMIAL 0x04c11db6
-
 static E100PCIDeviceInfo *eepro100_get_class(EEPRO100State *s);
 
-/* From FreeBSD */
-/* XXX: optimize */
-static unsigned compute_mcast_idx(const uint8_t * ep)
-{
-uint32_t crc;
-int carry, i, j;
-uint8_t b;
-
-crc = 0x;
-for (i = 0; i  6; i++) {
-b = *ep++;
-for (j = 0; j  8; j++) {
-carry = ((crc  0x8000L) ? 1 : 0) ^ (b  0x01);
-crc = 1;
-b = 1;
-if (carry) {
-crc = ((crc ^ POLYNOMIAL) | carry);
-}
-}
-}
-return (crc  BITS(7, 2))  2;
-}
-
 /* Read a 16 bit control/status (CSR) register. */
 static uint16_t e100_read_reg2(EEPRO100State *s, E100RegisterOffset addr)
 {
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 71452e1..d02e60c 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -150,30 +150,6 @@ static void ne2000_update_irq(NE2000State *s)
 qemu_set_irq(s-irq, (isr != 0));
 }
 
-#define POLYNOMIAL 0x04c11db6
-
-/* From FreeBSD */
-/* XXX: optimize */
-static int compute_mcast_idx(const uint8_t *ep)
-{
-uint32_t crc;
-int carry, i, j;
-uint8_t b;
-
-crc = 0x;
-for (i = 0; i  6; i++) {
-b = *ep++;
-for (j = 0; j  8; j++) {
-carry = ((crc  0x8000L) ? 1 : 0) ^ (b  0x01);
-crc = 1;
-b = 1;
-if (carry)
-crc = ((crc ^ POLYNOMIAL) | carry);
-}
-}
-return (crc  26);
-}
-
 static int ne2000_buffer_full(NE2000State *s)
 {
 int avail, index, boundary;
diff --git a/hw/opencores_eth.c b/hw/opencores_eth.c
index 9b036cb..06ef712 100644
--- a/hw/opencores_eth.c
+++ b/hw/opencores_eth.c
@@ -351,31 +351,6 @@ static int open_eth_can_receive(VLANClientState *nc)
 (rx_desc(s)-len_flags  RXD_E);
 }
 
-#define POLYNOMIAL 0x04c11db6
-
-/* From FreeBSD */
-/* XXX: optimize */
-static unsigned compute_mcast_idx(const uint8_t *ep)
-{
-uint32_t crc;
-int carry, i, j;
-uint8_t b;
-
-crc = 0x;
-for (i = 0; i  6; i++) {
-b = *ep++;
-for (j = 0; j  8; j++) {
-carry = ((crc  0x8000L) ? 1 : 0) ^ (b  0x01);
-crc = 1;
-b = 1;
-if (carry) {
-crc = ((crc ^ POLYNOMIAL) | carry);
-}
-}
-}
-return crc  26;
-}
-
 static ssize_t open_eth_receive(VLANClientState *nc,
 const uint8_t *buf, size_t size)
 {
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index a946e79..509a53e 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -708,30 +708,6 @@ static void rtl8139_update_irq(RTL8139State *s)
 qemu_set_irq(s-dev.irq[0], (isr != 0));
 }
 
-#define POLYNOMIAL 0x04c11db6
-
-/* From FreeBSD */
-/* XXX: optimize */
-static int compute_mcast_idx(const uint8_t *ep)
-{
-uint32_t crc;
-int carry, i, j;
-uint8_t b;
-
-crc = 0x;
-for (i = 0; i  6; i++) {
-b = *ep++;
-for (j = 0; j  8; j++) {
-carry = ((crc  0x8000L) ? 1 : 0) ^ (b  0x01);
-crc = 1;
-b = 1;
-if (carry)
-crc = ((crc ^ POLYNOMIAL) | carry);
-}
-}
-return (crc  26);
-}
-
 static int rtl8139_RxWrap(RTL8139State *s)
 {
 /* wrapping enabled; assume 1.5k more buffer space if size  65536 */
diff --git a/net.c b/net.c
index c34474f..1922d8a 100644
--- a/net.c
+++ b/net.c
@@ -1475,3 +1475,26 @@ int net_client_parse(QemuOptsList *opts_list, const char 
*optarg)
 default_net = 0;
 return 0;
 }
+
+/* From FreeBSD */
+/* XXX: optimize */
+unsigned compute_mcast_idx(const uint8_t *ep)
+{
+uint32_t crc;
+int carry, i, j;
+uint8_t b;
+
+crc = 0x;
+for (i = 0; i  6; i++) {
+b = *ep++;
+for (j = 0; j  8; j++) {
+carry = ((crc  0x8000L) ? 1 : 0) ^ (b  0x01);
+crc = 1;
+b = 1;
+if (carry) {
+crc = ((crc ^ POLYNOMIAL) | carry);
+}
+}
+}
+return crc  26;
+}
diff --git a/net.h b/net.h
index 75a8c15..64993b4 100644
--- a/net.h
+++ b/net.h
@@ -182,6 +182,9 @@ void qdev_set_nic_properties(DeviceState *dev, NICInfo *nd);
 
 int net_handle_fd_param(Monitor *mon, const char *param);
 
+#define POLYNOMIAL 0x04c11db6
+unsigned 

[Qemu-devel] [PATCH 3/6] rtl8139: support byte read to TxStatus registers

[Jason Wang]

Some drivers (such as win7) use byte read for TxStatus registers, so we need to
support this to let guest driver behave correctly.

For writing, only double-word access is allowed by spec.

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/rtl8139.c |   33 +
 1 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index ca613ae..a946e79 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -2495,11 +2495,30 @@ static void rtl8139_TxStatus_write(RTL8139State *s, 
uint32_t txRegOffset, uint32
 rtl8139_transmit(s);
 }
 
-static uint32_t rtl8139_TxStatus_read(RTL8139State *s, uint32_t txRegOffset)
+static uint32_t rtl8139_TxStatus_read(RTL8139State *s, uint8_t addr, int size)
 {
-uint32_t ret = s-TxStatus[txRegOffset/4];
+uint32_t reg = (addr - TxStatus0) / 4;
+uint32_t offset = addr  0x3;
+uint32_t ret = 0;
+
+if (addr  (size - 1)) {
+DPRINTF(not implemented read for TxStatus addr=0x%x size=0x%x\n, 
addr,
+size);
+return ret;
+}
 
-DPRINTF(TxStatus read offset=0x%x val=0x%08x\n, txRegOffset, ret);
+switch (size) {
+case 1: /* fall through */
+case 2: /* fall through */
+case 4:
+ret = (s-TxStatus[reg]  offset * 8)  ((1  (size * 8)) - 1);
+DPRINTF(TxStatus[%d] read addr=0x%x size=0x%x val=0x%08x\n, reg, 
addr,
+size, ret);
+break;
+default:
+DPRINTF(unsupported size 0x%x of TxStatus reading\n, size);
+break;
+}
 
 return ret;
 }
@@ -2970,6 +2989,9 @@ static uint32_t rtl8139_io_readb(void *opaque, uint8_t 
addr)
 case MAR0 ... MAR0+7:
 ret = s-mult[addr - MAR0];
 break;
+case TxStatus0 ... TxStatus0+4*4-1:
+ret = rtl8139_TxStatus_read(s, addr, 1);
+break;
 case ChipCmd:
 ret = rtl8139_ChipCmd_read(s);
 break;
@@ -3033,6 +3055,9 @@ static uint32_t rtl8139_io_readw(void *opaque, uint8_t 
addr)
 
 switch (addr)
 {
+case TxAddr0 ... TxAddr0+4*4-1:
+ret = rtl8139_TxStatus_read(s, addr, 2);
+break;
 case IntrMask:
 ret = rtl8139_IntrMask_read(s);
 break;
@@ -3123,7 +3148,7 @@ static uint32_t rtl8139_io_readl(void *opaque, uint8_t 
addr)
 break;
 
 case TxStatus0 ... TxStatus0+4*4-1:
-ret = rtl8139_TxStatus_read(s, addr-TxStatus0);
+ret = rtl8139_TxStatus_read(s, addr, 4);
 break;
 
 case TxAddr0 ... TxAddr0+4*4-1:

[Qemu-devel] [PATCH 5/6] rtl8139: correctly check the opmode

[Jason Wang]

According to the spec, only when opmode is Config. Register Write
Enable could driver write to CONFIG0,1,3,4 and bits 13,12,8 of BMCR.

Currently, we allow modifying to those registers also when 8139 is in
Auto-load mode and 93C46 (93C56) Programming mode. This patch
fixes this.

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/rtl8139.c |8 +---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 509a53e..2e3da0b 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -332,8 +332,10 @@ enum CSCRBits {
 };
 
 enum Cfg9346Bits {
-Cfg9346_Lock = 0x00,
-Cfg9346_Unlock = 0xC0,
+Cfg9346_Normal = 0x00,
+Cfg9346_Autoload = 0x40,
+Cfg9346_Programming = 0x80,
+Cfg9346_ConfigWrite = 0xC0,
 };
 
 typedef enum {
@@ -1451,7 +1453,7 @@ static uint32_t rtl8139_IntrMitigate_read(RTL8139State *s)
 
 static int rtl8139_config_writable(RTL8139State *s)
 {
-if (s-Cfg9346  Cfg9346_Unlock)
+if ((s-Cfg9346  Chip9346_op_mask) == Cfg9346_ConfigWrite)
 {
 return 1;
 }

[Qemu-devel] [PATCH 6/6] rtl8139: do the network/host communication only in normal operating mode

[Jason Wang]

According the spec, the card works in network/host communication mode only when
both EEM1 and EEM0 are unset in 93C46 Command Register (normal op
mode). So this patch check these bits before trying to receive packets.

As some guest driver (such as linux, see cp_init_hw() in 8139cp.c)
allocate rx ring after the recevier were enabled, this would cause our
emulation codes tries to dma into guest memory when the rx descriptor
is not properly configured. This patch fixes this.

Signed-off-by: Jason Wang jasow...@redhat.com
---
 hw/rtl8139.c |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 2e3da0b..97a4b77 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -791,6 +791,9 @@ static int rtl8139_can_receive(VLANClientState *nc)
   return 1;
 if (!rtl8139_receiver_enabled(s))
   return 1;
+/* network/host communication happens only in normal mode */
+if ((s-Cfg9346  Chip9346_op_mask) != Cfg9346_Normal)
+   return 0;
 
 if (rtl8139_cp_receiver_enabled(s)) {
 /* ??? Flow control not implemented in c+ mode.
@@ -833,6 +836,12 @@ static ssize_t rtl8139_do_receive(VLANClientState *nc, 
const uint8_t *buf, size_
 return -1;
 }
 
+/* check whether we are in normal mode */
+if ((s-Cfg9346  Chip9346_op_mask) != Cfg9346_Normal) {
+DPRINTF(not in normal op mode\n);
+return -1;
+}
+
 /* XXX: check this */
 if (s-RxConfig  AcceptAllPhys) {
 /* promiscuous: receive all */

[Qemu-devel] [PATCH v9 0/4] Zynq-7000 EPP platform model

[Peter A. G. Crosthwaite]

This is a suite of Device models and a machine model for the Xilinx Zynq-7000 
Extensible Processing Platform:

http://www.xilinx.com/products/silicon-devices/epp/zynq-7000/index.htm

This is an ARM based platform featuring embedded SoC peripherals. This patch 
series includes a minimal set of device models and a a machine model capable of 
emulating zynq platforms booting linux.

This first 3 patches in this series are device models for IP provided by 
cadence for the Zynq platform. The final patch is the initial revision of the 
zynq machine model.

Most of this work was originally authored by Xilinx, as indicated by (c) 
notices in added files.

Tree is available from:
git://developer.petalogix.com/private/peterc/qemu.git
branch: zynq-initial.9

---
changed from v8:
reworked uart interrupt behaviour (1/4)
implemented vmsd (2/4) (3/4) (4/4)
various typographical errors in comments (1/4) (2/4)
changed from v7:
removed fflush() from DBPRINTF (all)
address P. Maydell comments re v6 (3/4) (4/4)
fixed timer mod on wrap around logic (r.e. P Brook comments) (2/4)
changed from v6:
addressed P. Maydell comments re v5 (1/4) (2/4)
renamed qemu_debug() - DB_PRINT (all)
changed from v5:
removed usages of arm_boot_info-bootsmp_priv_base (4/4)
changed from v4:
fixed FSF addess (1/4) (2/4) (4/4)
changed device_init - type_init (all)
changed from v3:
fixed timer race condition issue (2/4)
changed from v2:
fixed timer prescision issue (2/4)
fixed compile warnings in zynq_arm_sysctl (4/4)
changes from v1:
formatting and style fixes
updated for QOM
removed former patch 3 (cadence WDT device model) - not required
removed former patch 5 (dtb argument) - this is currently under discussion in 
other patch series'
removed former patch 6 (initrd parameterisation) - not required for minimal boot


Peter A. G. Crosthwaite (4):
  cadence_uart: initial version of device model
  cadence_ttc: initial version of device model
  cadence_gem: initial version of device model
  xilinx_zynq: machine model initial version

 MAINTAINERS   |7 +
 Makefile.target   |4 +
 hw/cadence_gem.c  | 1233 +
 hw/cadence_ttc.c  |  489 +
 hw/cadence_uart.c |  513 ++
 hw/xilinx_zynq.c  |  157 +++
 hw/zynq_slcr.c|  535 +++
 7 files changed, 2938 insertions(+), 0 deletions(-)
 create mode 100644 hw/cadence_gem.c
 create mode 100644 hw/cadence_ttc.c
 create mode 100644 hw/cadence_uart.c
 create mode 100644 hw/xilinx_zynq.c
 create mode 100644 hw/zynq_slcr.c

-- 
1.7.3.2