Re: [Qemu-devel] [Qemu-ppc] [PATCH 1/2] spapr: Fix stale HTAB during live migration (KVM)

[Alexander Graf]

On 05.11.14 07:17, Samuel Mendoza-Jonas wrote:
> If a guest reboots during a running migration, changes to the
> hash page table are not necessarily updated on the destination.
> Opening a new file descriptor to the HTAB forces the migration
> handler to resend the entire table.
> 
> Signed-off-by: Samuel Mendoza-Jonas 
> ---
>  hw/ppc/spapr.c | 47 +++
>  include/hw/ppc/spapr.h |  2 ++
>  2 files changed, 49 insertions(+)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 0a2bfe6..1610c28 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -833,6 +833,13 @@ static void spapr_reset_htab(sPAPREnvironment *spapr)
>  /* Kernel handles htab, we don't need to allocate one */
>  spapr->htab_shift = shift;
>  kvmppc_kern_htab = true;
> +
> +/* Tell readers to update their file descriptor */
> +pthread_mutex_lock(&spapr->htab_mutex);

I don't think you can directly use pthread functions in hw/. These files
could be compiled on Windows which doesn't have pthread. Instead, please
use the QEMU wrappers from util/qemu-thread-posix.c.

Or maybe try and find out whether you actually do need the lock. Reboots
can only happen when triggered via a HCALL which takes the BQL. I don't
quite know how much the migration code became threaded, but I'd assume
that at least device migration would happen under the BQL or after
stopping the VM, but in a consistent place.

So as long as we're guaranteed that the htab_fd_stale variable is set at
the final "send all device contents" phase, we should automatically
catch any reset that happened in between - even without a lock, no?


Alex

Re: [Qemu-devel] [PATCH 1/6] configure: add dependency from libxml2

[Michael Tokarev]

29.10.2014 16:38, Denis V. Lunev wrote:
> This dependency is required for adequate Parallels images support.
> Typically the disk consists of several images which are glued by
> XML disk descriptor. Also XML hides inside several important parameters
> which are not available in the image header.
[]
> +# check for libxml2
> +if test "$libxml2" != "no" ; then
> +if $pkg_config --exists libxml-2.0; then
> +libxml2="yes"
> +libxml2_cflags=$($pkg_config --cflags libxml-2.0)
> +libxml2_libs=$($pkg_config --libs libxml-2.0)
> +QEMU_CFLAGS="$QEMU_CFLAGS $libxml2_cflags"
> +libs_softmmu="$libs_softmmu $libxml2_libs"
> +libs_tools="$libs_tools $libxml2_libs"

Please NO.  NO NO NO NO :)

Create a separate make variable, $LIBXML or something,
and add it as a parallels.o dependency, not libs_softmmu
etc.  Ditto for the cflags.  See examples -- libiscsi,
libcurl, librbd - in block/Makefile.objs.

After that, I think we'll move parallels.o to be a module ;)

(Cc'ing Fam)

Thanks,

/mjt

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

[Markus Armbruster]

Markus Armbruster  writes:

[...]
> = How can we better guard the trust boundary in QEMU? =
>
> The guest can violate the trust boundary only because
>
> (a) QEMU supports both raw images and image formats, and
>
> (b) QEMU guesses image format from raw image contents, and
>
> (c) given a raw image, guests can change its contents and control a
> future QEMU's format guess.
>
> We can attack one ore more of these three conditions:
>
> (a) Outlaw raw images
>
> (b) Don't guess format from untrusted image contents
>
> (c) Prevent "bad" guest writes
>
> Nobody is seriously suggesting we do (a).  It's clearly too late for
> that.  Let's explore the other two in more detail.

Of course, if we really *want* (a)...

== Outlaw raw images ==

Define a simple raw image container, or steal an existing one we like
(suggestions welcome).  Drop support for containerless images.

Naturally, the raw container should support "single file",
i.e. container file actually contains the image.

It could also support separate container and image file, for easy and
efficient wrapping and unwrapping.

PRO: Simple, plugs the hole.

CON: Breaks a lot of existing usage.

CON: Upgrade involves image wrapping operations, which may be a bother.
If the container doesn't support separate image files, it's also a lot
of expensive copying.

Mitigation: lengthy transition period where we warn "use of
containerless raw images are insecure, and we'll eventually break this
usage; here's how to wrap your raw images in a container".

CON: We delay plugging the hole one more time.  But at least we no
longer expose our users to it silently.

Variation: keep supporting them with explicit format=raw.

PRO: Simple.

CON: Still breaks a lot of existing usage.  Not libvirt's, though.

CON: Doesn't fully plug the hole: mixing non-probed usage (user
specifies format=raw) with probed usage (user doesn't specify format)
remains insecure.  The guest's write succeeds in non-probed usage, and
the guest escapes isolation in the next probed usage.

[...]

[Qemu-devel] [RFC][PATCH 2/2] xen:i386:pc_piix: create isa bridge specific to IGD passthrough

[Tiejun Chen]

Currently IGD drivers always need to access PCH by 1f.0, and
PCH vendor/device id is used to identify the card.

Signed-off-by: Tiejun Chen 
---
 hw/i386/pc_piix.c | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index b559181..b19c7a9 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -50,7 +50,7 @@
 #include "cpu.h"
 #include "qemu/error-report.h"
 #ifdef CONFIG_XEN
-#  include 
+#include 
 #endif
 
 #define MAX_IDE_BUS 2
@@ -452,6 +452,31 @@ static void pc_init_isa(MachineState *machine)
 }
 
 #ifdef CONFIG_XEN
+static void xen_igd_passthrough_isa_bridge_create(PCIBus *bus)
+{
+struct PCIDevice *dev;
+Error *local_err = NULL;
+uint16_t device_id = 0x;
+
+/* Currently IGD drivers always need to access PCH by 1f.0. */
+dev = pci_create_simple(bus, PCI_DEVFN(0x1f, 0),
+"xen-igd-passthrough-isa-bridge");
+
+/* Identify PCH card with its own real vendor/device ids.
+ * Here that vendor id is always PCI_VENDOR_ID_INTEL.
+ */
+if (dev) {
+device_id = object_property_get_int(OBJECT(dev), "device-id",
+&local_err);
+if (!local_err && device_id != 0x) {
+pci_config_set_device_id(dev->config, device_id);
+return;
+}
+}
+
+fprintf(stderr, "xen set xen-igd-passthrough-isa-bridge failed\n");
+}
+
 static void pc_xen_hvm_init(MachineState *machine)
 {
 PCIBus *bus;
@@ -461,6 +486,7 @@ static void pc_xen_hvm_init(MachineState *machine)
 bus = pci_find_primary_bus();
 if (bus != NULL) {
 pci_create_simple(bus, -1, "xen-platform");
+xen_igd_passthrough_isa_bridge_create(bus);
 }
 }
 #endif
-- 
1.9.1

[Qemu-devel] [RFC][PATCH 1/2] hw:xen:xen_pt: register isa bridge specific to IGD passthrough

[Tiejun Chen]

We need this instance to passthrough some config fields of PCH.

Signed-off-by: Tiejun Chen 
---
 hw/xen/xen_pt.c | 112 
 1 file changed, 112 insertions(+)

diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
index c1bf357..403c33f 100644
--- a/hw/xen/xen_pt.c
+++ b/hw/xen/xen_pt.c
@@ -60,6 +60,7 @@
 #include "xen_pt.h"
 #include "qemu/range.h"
 #include "exec/address-spaces.h"
+#include "qapi/visitor.h"
 
 #define XEN_PT_NR_IRQS (256)
 static uint8_t xen_pt_mapped_machine_irq[XEN_PT_NR_IRQS] = {0};
@@ -829,3 +830,114 @@ static void xen_pci_passthrough_register_types(void)
 }
 
 type_init(xen_pci_passthrough_register_types)
+
+typedef struct {
+uint16_t gpu_device_id;
+uint16_t pch_device_id;
+} XenIGDDeviceIDInfo;
+
+/* In real world different GPU should have different PCH. But actually
+ * the different PCH DIDs likely map to different PCH SKUs. We do the
+ * same thing for the GPU. For PCH, the different SKUs are going to be
+ * all the same silicon design and implementation, just different
+ * features turn on and off with fuses. The SW interfaces should be
+ * consistent across all SKUs in a given family (eg LPT). But just same
+ * features may not be supported.
+ *
+ * Most of these different PCH features probably don't matter to the
+ * Gfx driver, but obviously any difference in display port connections
+ * will so it should be fine with any PCH in case of passthrough.
+ *
+ * So currently use one PCH version, 0x8c4e, to cover all HSW(Haswell)
+ * scenarios, 0x9cc3 for BDW(Broadwell).
+ */
+static const XenIGDDeviceIDInfo xen_igd_combo_id_infos[] = {
+/* HSW Classic */
+{0x0402, 0x8c4e}, /* HSWGT1D, HSWD_w7 */
+{0x0406, 0x8c4e}, /* HSWGT1M, HSWM_w7 */
+{0x0412, 0x8c4e}, /* HSWGT2D, HSWD_w7 */
+{0x0416, 0x8c4e}, /* HSWGT2M, HSWM_w7 */
+{0x041E, 0x8c4e}, /* HSWGT15D, HSWD_w7 */
+/* HSW ULT */
+{0x0A06, 0x8c4e}, /* HSWGT1UT, HSWM_w7 */
+{0x0A16, 0x8c4e}, /* HSWGT2UT, HSWM_w7 */
+{0x0A26, 0x8c4e}, /* HSWGT3UT, HSWM_w7 */
+{0x0A2E, 0x8c4e}, /* HSWGT3UT28W, HSWM_w7 */
+{0x0A1E, 0x8c4e}, /* HSWGT2UX, HSWM_w7 */
+{0x0A0E, 0x8c4e}, /* HSWGT1ULX, HSWM_w7 */
+/* HSW CRW */
+{0x0D26, 0x8c4e}, /* HSWGT3CW, HSWM_w7 */
+{0x0D22, 0x8c4e}, /* HSWGT3CWDT, HSWD_w7 */
+/* HSW Server */
+{0x041A, 0x8c4e}, /* HSWSVGT2, HSWD_w7 */
+/* HSW SRVR */
+{0x040A, 0x8c4e}, /* HSWSVGT1, HSWD_w7 */
+/* BSW */
+{0x1606, 0x9cc3}, /* BDWULTGT1, BDWM_w7 */
+{0x1616, 0x9cc3}, /* BDWULTGT2, BDWM_w7 */
+{0x1626, 0x9cc3}, /* BDWULTGT3, BDWM_w7 */
+{0x160E, 0x9cc3}, /* BDWULXGT1, BDWM_w7 */
+{0x161E, 0x9cc3}, /* BDWULXGT2, BDWM_w7 */
+{0x1602, 0x9cc3}, /* BDWHALOGT1, BDWM_w7 */
+{0x1612, 0x9cc3}, /* BDWHALOGT2, BDWM_w7 */
+{0x1622, 0x9cc3}, /* BDWHALOGT3, BDWM_w7 */
+{0x162B, 0x9cc3}, /* BDWHALO28W, BDWM_w7 */
+{0x162A, 0x9cc3}, /* BDWGT3WRKS, BDWM_w7 */
+{0x162D, 0x9cc3}, /* BDWGT3SRVR, BDWM_w7 */
+};
+
+static void xen_igd_passthrough_pciisabridge_get_pci_device_id(Object *obj,
+   Visitor *v,
+   void *opaque,
+   const char 
*name,
+   Error **errp)
+{
+uint32_t gpu_id = 0x, pch_id = 0x;
+XenHostPCIDevice hdev;
+int r = 0, num;
+
+r = xen_host_pci_device_get(&hdev, 0, 0, 0x02, 0);
+if (!r) {
+gpu_id = hdev.device_id;
+
+num = ARRAY_SIZE(xen_igd_combo_id_infos);
+for (r = 0; r < num; r++)
+if (gpu_id == xen_igd_combo_id_infos[r].gpu_device_id)
+pch_id = xen_igd_combo_id_infos[r].pch_device_id;
+}
+
+visit_type_uint32(v, &pch_id, name, errp);
+}
+
+static void xen_igd_passthrough_isa_bridge_initfn(Object *obj)
+{
+object_property_add(obj, "device-id", "int",
+xen_igd_passthrough_pciisabridge_get_pci_device_id,
+NULL, NULL, NULL, NULL);
+}
+
+static void xen_igd_passthrough_isa_bridge_class_init(ObjectClass *klass,
+  void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+dc->desc= "XEN IGD PASSTHROUGH ISA bridge";
+k->class_id = PCI_CLASS_BRIDGE_ISA;
+k->vendor_id= PCI_VENDOR_ID_INTEL;
+};
+
+static TypeInfo xen_igd_passthrough_isa_bridge_info = {
+.name   = "xen-igd-passthrough-isa-bridge",
+.parent = TYPE_PCI_DEVICE,
+.instance_size  = sizeof(PCIDevice),
+.instance_init  = xen_igd_passthrough_isa_bridge_initfn,
+.class_init = xen_igd_passthrough_isa_bridge_class_init,
+};
+
+static void xen_igd_passthrough_isa_bridge_register_types(void)
+{
+type_register_static(&xen_igd_passthrough_isa_bridge_info);
+

Re: [Qemu-devel] [Xen-devel] [PATCH 2/2] xen:i386:pc_piix: create isa bridge specific to IGD passthrough

[Chen, Tiejun]

On 2014/11/3 21:10, Michael S. Tsirkin wrote:

On Mon, Nov 03, 2014 at 01:01:03PM +0100, Paolo Bonzini wrote:



On 03/11/2014 12:47, Chen, Tiejun wrote:

On 2014/11/3 19:36, Chen, Tiejun wrote:

On 2014/11/3 19:35, Paolo Bonzini wrote:

On 03/11/2014 08:48, Chen, Tiejun wrote:

I think the point was mostly to reserve 1f to prevent
devices from using it.
As we populate slots in order it doesn't seem to important ...


If we populate slot at !1f GFX driver can't find this ISA bridge.


Right, but I mean if no special options are used, 1f will typically
stay free without any effort on our side.


Yeah.

Actually based on current info we know, seems 1f is just specific to
our
scenario :) So I always think we can occupy that. But Paolo and you
can
really determine this point.


What's your idea?


I do not have any objection to always occupying 1f for Xen IGD
passthrough.


After I go back to look at this again, I hope you don't misunderstand
what Michael mean now. He was saying we don't need to create a new
separate machine specific to IGD passthrough. But that idea is just from
you :)


It's difficult for me to follow, because xen_igd_passthrough_pc_hvm_init
does not exist in the current tree.

The patches seem good to me; I was assuming that the new machine type
would call xen_igd_passthrough_pc_hvm_init, but apparently I'm wrong?
Paolo


Discussed on irc, Paolo said
 so i don't really care how the ISA bridge is created



This means all those previous patches creating new separate machine 
should be gone.


I would rebase these two patches to resend again as RFC.

Thanks
Tiejun

Re: [Qemu-devel] [Qemu-trivial] [PATCH v3 4/5] qemu-char: convert some open functions to use Error API

[Michael Tokarev]

04.11.2014 16:39, Alex Bennée wrote:
> zhanghailiang  writes:
> 
>> Convert several Character backend open functions to use the Error API.
>>
>> Signed-off-by: zhanghailiang 
>> ---
>>  qemu-char.c | 76 
>> +
>>  1 file changed, 41 insertions(+), 35 deletions(-)
>>
>> diff --git a/qemu-char.c b/qemu-char.c
>> index 0f38cdd..a1d25c7 100644
>> --- a/qemu-char.c
>> +++ b/qemu-char.c
>> @@ -1077,7 +1077,7 @@ static CharDriverState *qemu_chr_open_fd(int fd_in, 
>> int fd_out)
>>  return chr;
>>  }
>>  
>> -static CharDriverState *qemu_chr_open_pipe(ChardevHostdev *opts)
>> +static CharDriverState *qemu_chr_open_pipe(ChardevHostdev *opts, Error 
>> **errp)
>>  {
>>  int fd_in, fd_out;
>>  char filename_in[CHR_MAX_FILENAME_SIZE];
> 
> Why convert the call if we are not using the passed parameter?

This is actually a good question, -- one way or another.  On one hand,
this way we're making it all consistent for the caller at least.  On
another, this, at least, introduces a warning about unused parameter,
so an 'unused' attribute might be a good idea.

[]
>> -static CharDriverState *qemu_chr_open_win_path(const char *filename)
>> +static CharDriverState *qemu_chr_open_win_path(const char *filename,
>> +   Error **errp)
>>  {
>>  CharDriverState *chr;
>>  WinCharState *s;
>> +Error *local_err = NULL;
>>  
>>  chr = qemu_chr_alloc();
>>  s = g_malloc0(sizeof(WinCharState));
>> @@ -2033,9 +2035,11 @@ static CharDriverState *qemu_chr_open_win_path(const 
>> char *filename)
>>  chr->chr_write = win_chr_write;
>>  chr->chr_close = win_chr_close;
>>  
>> -if (win_chr_init(chr, filename) < 0) {
>> +win_chr_init(chr, filename, &local_err);
>> +if (local_err) {
>>  g_free(s);
>>  g_free(chr);
>> +error_propagate(errp, local_err);
>>  return NULL;
> 
> Hmm I'm not sure I find the change from a return value to
> pass-by-reference return value intuitive. What does this gain us?
> 
> Are the messages now being reported actually more suitable for user
> consumption? For example "ClearCommError failed" doesn't actually tell
> the user much apart from something went wrong.

Alex, I think you're way too late into the game already.  This
error api has been designed this way quite some time ago, and
many places uses it this way.  I don't really like it too, but
heck, what can I do?

I don't actually get it why, when converting some function which
returned success/failure before, to this error API, the return
value is always discarded and the function becomes void?  I'd
keep the return value (success/failure) _and_ the error, to
have better shugar in places like this one.  But I guess it'll
be a bit more confusing, which condition should be treated as
error - failure function return or non-null error argument.

But this is. again, not about this patch/change -- this is how
qemu is doing for quite some time, discusing/changing this
should be elsewhere.

P.S.  Alex, please trim unrelated original text in your replies
a bit, -- it is kinda easy to miss your small comments scattered
in a huge original patch.  (Hopefully I didn't miss any)

Thanks,

/mjt

[Qemu-devel] [PATCH v3 4/4] target-ppc: Handle ibm, nmi-register RTAS call

[Aravinda Prasad]

This patch adds FWNMI support in qemu for powerKVM
guests by handling the ibm,nmi-register rtas call.
Whenever OS issues ibm,nmi-register RTAS call, the
machine check notification address is saved and the
machine check interrupt vector 0x200 is patched to
issue a private hcall.

This patch also handles the cases when multi-processors
experience machine check at or about the same time.
As per PAPR, subsequent processors serialize waiting
for the first processor to issue the ibm,nmi-interlock call.
The second processor retries if the first processor which
received a machine check is still reading the error log
and is yet to issue ibm,nmi-interlock call.

Signed-off-by: Aravinda Prasad 
---
 hw/ppc/spapr_hcall.c|   16 +++
 hw/ppc/spapr_rtas.c |   93 +++
 include/hw/ppc/spapr.h  |   17 +++
 pc-bios/spapr-rtas/spapr-rtas.S |   38 
 4 files changed, 163 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 8f16160..eceb5e5 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -97,6 +97,9 @@ struct rtas_mc_log {
 struct rtas_error_log err_log;
 };
 
+/* Whether machine check handling is in progress by any CPU */
+bool mc_in_progress;
+
 static void do_spr_sync(void *arg)
 {
 struct SPRSyncState *s = arg;
@@ -678,6 +681,19 @@ static target_ulong h_report_mc_err(PowerPCCPU *cpu, 
sPAPREnvironment *spapr,
 cpu_synchronize_state(CPU(ppc_env_get_cpu(env)));
 
 /*
+ * Only one VCPU can process machine check NMI at a time. Hence
+ * set the lock mc_in_progress. Once the VCPU finishes processing
+ * NMI, it executes ibm,nmi-interlock and mc_in_progress is unset
+ * in ibm,nmi-interlock handler. Meanwhile if other VCPUs encounter
+ * NMI we return 0 asking the VCPU to retry h_report_mc_err
+ */
+if (mc_in_progress == 1) {
+return 0;
+}
+
+mc_in_progress = 1;
+
+/*
  * We save the original r3 register in SPRG2 in 0x200 vector,
  * which is patched during call to ibm.nmi-register. Original
  * r3 is required to be included in error log
diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c
index 2ec2a8e..71c7662 100644
--- a/hw/ppc/spapr_rtas.c
+++ b/hw/ppc/spapr_rtas.c
@@ -36,6 +36,9 @@
 
 #include 
 
+#define BRANCH_INST_MASK  0xFC00
+extern bool mc_in_progress;
+
 static void rtas_display_character(PowerPCCPU *cpu, sPAPREnvironment *spapr,
uint32_t token, uint32_t nargs,
target_ulong args,
@@ -290,6 +293,90 @@ static void rtas_ibm_os_term(PowerPCCPU *cpu,
 rtas_st(rets, 0, ret);
 }
 
+static void rtas_ibm_nmi_register(PowerPCCPU *cpu,
+  sPAPREnvironment *spapr,
+  uint32_t token, uint32_t nargs,
+  target_ulong args,
+  uint32_t nret, target_ulong rets)
+{
+int i;
+uint32_t ori_inst = 0x6063;
+uint32_t branch_inst = 0x4802;
+target_ulong guest_machine_check_addr;
+uint32_t trampoline[TRAMPOLINE_INSTS];
+int total_inst = sizeof(trampoline) / sizeof(uint32_t);
+PowerPCCPUClass *pcc = POWERPC_CPU_GET_CLASS(cpu);
+
+/* Store the system reset and machine check address */
+guest_machine_check_addr = rtas_ld(args, 1);
+
+/*
+ * Read the trampoline instructions from RTAS Blob and patch
+ * the KVMPPC_H_REPORT_MC_ERR hcall number and the guest
+ * machine check address before copying to 0x200 vector
+ */
+cpu_physical_memory_read(spapr->rtas_addr + RTAS_TRAMPOLINE_OFFSET,
+ trampoline, sizeof(trampoline));
+
+/* Safety Check */
+QEMU_BUILD_BUG_ON(sizeof(trampoline) > MC_INTERRUPT_VECTOR_SIZE);
+
+/* Update the KVMPPC_H_REPORT_MC_ERR value in trampoline */
+ori_inst |= KVMPPC_H_REPORT_MC_ERR;
+memcpy(&trampoline[TRAMPOLINE_ORI_INST_INDEX], &ori_inst,
+sizeof(ori_inst));
+
+/*
+ * Sanity check guest_machine_check_addr to prevent clobbering
+ * operator value in branch instruction
+ */
+if (guest_machine_check_addr & BRANCH_INST_MASK) {
+fprintf(stderr, "Unable to register ibm,nmi_register: "
+"Invalid machine check handler address\n");
+rtas_st(rets, 0, RTAS_OUT_NOT_SUPPORTED);
+return;
+}
+
+/*
+ * Update the branch instruction in trampoline
+ * with the absolute machine check address requested by OS.
+ */
+branch_inst |= guest_machine_check_addr;
+memcpy(&trampoline[TRAMPOLINE_BR_INST_INDEX], &branch_inst,
+sizeof(branch_inst));
+
+/* Handle all Host/Guest LE/BE combinations */
+if ((*pcc->interrupts_big_endian)(cpu)) {
+for (i = 0; i < total_inst; i++) {
+trampoline[i] = cpu_to_be32(trampoline[i]);
+}
+} else {
+for (i = 0; i < total_inst; 

[Qemu-devel] [PATCH v3 3/4] target-ppc: Build error log

[Aravinda Prasad]

Whenever there is a physical memory error due to bit
flips, which cannot be corrected by hardware, the error
is passed on to the kernel. If the memory address in
error belongs to guest address space then guest kernel
is responsible to take action. Hence the error is passed
on to guest via KVM by invoking 0x200 NMI vector.

However, guest OS, as per PAPR, expects an error log
upon such error. This patch registers a new hcall
which is issued from 0x200 interrupt vector and builds
the error log, copies the error log to rtas space and
passes the address of the error log to guest

Enhancement to KVM to perform above functionality is
already in upstream kernel.

Signed-off-by: Aravinda Prasad 
---
 hw/ppc/spapr_hcall.c   |  159 
 include/hw/ppc/spapr.h |4 +
 2 files changed, 162 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 01650ba..8f16160 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -14,6 +14,89 @@ struct SPRSyncState {
 target_ulong mask;
 };
 
+#define RTAS_ELOG_SEVERITY_SHIFT 0x5
+#define RTAS_ELOG_DISPOSITION_SHIFT  0x3
+#define RTAS_ELOG_INITIATOR_SHIFT0x4
+
+/*
+ * Only required RTAS event severity, disposition, initiator
+ * target and type are copied from arch/powerpc/include/asm/rtas.h
+ */
+
+/* RTAS event severity */
+#define RTAS_SEVERITY_ERROR_SYNC0x3
+
+/* RTAS event disposition */
+#define RTAS_DISP_NOT_RECOVERED 0x2
+
+/* RTAS event initiator */
+#define RTAS_INITIATOR_MEMORY   0x4
+
+/* RTAS event target */
+#define RTAS_TARGET_MEMORY  0x4
+
+/* RTAS event type */
+#define RTAS_TYPE_ECC_UNCORR0x09
+
+/*
+ * Currently KVM only passes on the uncorrected machine
+ * check memory error to guest. Other machine check errors
+ * such as SLB multi-hit and TLB multi-hit are recovered
+ * in KVM and are not passed on to guest.
+ *
+ * DSISR Bit for uncorrected machine check error. Based
+ * on arch/powerpc/include/asm/mce.h
+ */
+#define PPC_BIT(bit)(0x8000ULL >> bit)
+#define P7_DSISR_MC_UE  (PPC_BIT(48))  /* P8 too */
+
+/* Adopted from kernel source arch/powerpc/include/asm/rtas.h */
+struct rtas_error_log {
+/* Byte 0 */
+uint8_t byte0;  /* Architectural version */
+
+/* Byte 1 */
+uint8_t byte1;
+/* 
+ * XXX  3: Severity level of error
+ *XX2: Degree of recovery
+ *  X   1: Extended log present?
+ *   XX 2: Reserved
+ */
+
+/* Byte 2 */
+uint8_t byte2;
+/* 
+ *  4: Initiator of event
+ *  4: Target of failed operation
+ */
+uint8_t byte3;  /* General event or error*/
+__be32  extended_log_length;/* length in bytes */
+unsigned char   buffer[1];  /* Start of extended log */
+/* Variable length.  */
+};
+
+/*
+ * Data format in RTAS-Blob
+ *
+ * This structure contains error information related to Machine
+ * Check exception. This is filled up and copied to rtas-blob
+ * upon machine check exception.
+ */
+struct rtas_mc_log {
+target_ulong srr0;
+target_ulong srr1;
+target_ulong crf;
+/*
+ * Beginning of error log address. This is properly
+ * populated and passed on to OS registered machine
+ * check notification routine upon machine check
+ * exception
+ */
+target_ulong r3;
+struct rtas_error_log err_log;
+};
+
 static void do_spr_sync(void *arg)
 {
 struct SPRSyncState *s = arg;
@@ -586,6 +669,81 @@ static target_ulong h_rtas_update(PowerPCCPU *cpu, 
sPAPREnvironment *spapr,
 return 0;
 }
 
+static target_ulong h_report_mc_err(PowerPCCPU *cpu, sPAPREnvironment *spapr,
+ target_ulong opcode, target_ulong *args)
+{
+struct rtas_mc_log mc_log;
+CPUPPCState *env = &cpu->env;
+
+cpu_synchronize_state(CPU(ppc_env_get_cpu(env)));
+
+/*
+ * We save the original r3 register in SPRG2 in 0x200 vector,
+ * which is patched during call to ibm.nmi-register. Original
+ * r3 is required to be included in error log
+ */
+mc_log.r3 = env->spr[SPR_SPRG2];
+
+/*
+ * SRR0 and SRR1, containing nip and msr at the time of exception,
+ * are clobbered when we return from this hcall. Hence they
+ * need to be properly saved and restored. We save srr0
+ * and srr1 in rtas blob and restore it in 0x200 vector
+ * before branching to OS registered machine check handler
+ */
+mc_log.srr0 = env->spr[SPR_SRR0];
+mc_log.srr1 = env->spr[SPR_SRR1];
+mc_log.crf = ((target_ulong) env->crf[0]) << 32;
+
+/* Set error log fields */
+mc_log.err_log.byte0 = 0x00;
+mc_log.err_log.byte1 =
+(RTAS_SEVERITY_ERROR_SYNC << RTAS_ELOG_SEVERITY_SHIFT);
+mc_log.err_log.byte1 |=
+(RTAS_DISP_NOT_RECOVERED << RTAS_ELOG_DISPOSITION_SHIFT);
+mc_log.er

[Qemu-devel] [PATCH v3 2/4] target-ppc: Register and handle HCALL to receive updated RTAS region

[Aravinda Prasad]

Receive updates from SLOF about the updated rtas-base.
A separate patch for SLOF [1] adds functionality to invoke
a private HCALL whenever OS issues instantiate-rtas with
a new rtas-base.

This is required as qemu needs to know the updated rtas-base
as it allocates error reporting structure in RTAS space upon
a machine check exception.

[1] https://lists.ozlabs.org/pipermail/linuxppc-dev/2014-August/120386.html

Signed-off-by: Aravinda Prasad 
---
 hw/ppc/spapr_hcall.c   |8 
 include/hw/ppc/spapr.h |3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 8651447..01650ba 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -579,6 +579,13 @@ static target_ulong h_rtas(PowerPCCPU *cpu, 
sPAPREnvironment *spapr,
nret, rtas_r3 + 12 + 4*nargs);
 }
 
+static target_ulong h_rtas_update(PowerPCCPU *cpu, sPAPREnvironment *spapr,
+  target_ulong opcode, target_ulong *args)
+{
+spapr->rtas_addr = args[0];
+return 0;
+}
+
 static target_ulong h_logical_load(PowerPCCPU *cpu, sPAPREnvironment *spapr,
target_ulong opcode, target_ulong *args)
 {
@@ -1003,6 +1010,7 @@ static void hypercall_register_types(void)
 
 /* qemu/KVM-PPC specific hcalls */
 spapr_register_hypercall(KVMPPC_H_RTAS, h_rtas);
+spapr_register_hypercall(KVMPPC_H_RTAS_UPDATE, h_rtas_update);
 
 spapr_register_hypercall(H_SET_MODE, h_set_mode);
 
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index d08fcc2..ccf67ba 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -308,7 +308,8 @@ typedef struct sPAPREnvironment {
 #define KVMPPC_H_LOGICAL_MEMOP  (KVMPPC_HCALL_BASE + 0x1)
 /* Client Architecture support */
 #define KVMPPC_H_CAS(KVMPPC_HCALL_BASE + 0x2)
-#define KVMPPC_HCALL_MAXKVMPPC_H_CAS
+#define KVMPPC_H_RTAS_UPDATE(KVMPPC_HCALL_BASE + 0x3)
+#define KVMPPC_HCALL_MAXKVMPPC_H_RTAS_UPDATE
 
 extern sPAPREnvironment *spapr;
 

[Qemu-devel] [PATCH v3 1/4] target-ppc: Extend rtas-blob

[Aravinda Prasad]

Extend rtas-blob to accommodate error log. Error log
structure is saved in rtas space upon a machine check
exception.

Signed-off-by: Aravinda Prasad 
---
 hw/ppc/spapr.c |7 +++
 include/hw/ppc/spapr.h |5 +
 2 files changed, 12 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 30de25d..38e26af 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1431,6 +1431,13 @@ static void ppc_spapr_init(MachineState *machine)
 
 filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, "spapr-rtas.bin");
 spapr->rtas_size = get_image_size(filename);
+
+/*
+ * Resize blob to accommodate error log. The layout of the rtas
+ * blob is defined in include/hw/ppc/spapr.h
+ */
+spapr->rtas_size = TARGET_PAGE_ALIGN(spapr->rtas_size);
+
 spapr->rtas_blob = g_malloc(spapr->rtas_size);
 if (load_image_size(filename, spapr->rtas_blob, spapr->rtas_size) < 0) {
 hw_error("qemu: could not load LPAR rtas '%s'\n", filename);
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 749daf4..d08fcc2 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -480,4 +480,9 @@ int spapr_dma_dt(void *fdt, int node_off, const char 
*propname,
 int spapr_tcet_dma_dt(void *fdt, int node_off, const char *propname,
   sPAPRTCETable *tcet);
 
+/* RTAS Blob layout in memory */
+#define RTAS_ENTRY_OFFSET0
+#define RTAS_TRAMPOLINE_OFFSET   0x200
+#define RTAS_ERRLOG_OFFSET   0x800
+
 #endif /* !defined (__HW_SPAPR_H__) */

[Qemu-devel] [PATCH v3 0/4] target-ppc: Add FWNMI support in qemu for powerKVM guests

[Aravinda Prasad]

This series of patches add support for fwnmi in powerKVM guests.

Currently upon machine check exception, if the address in
error belongs to guest then KVM invokes guest's NMI interrupt
vector 0x200.

This patch series adds functionality where the guest's 0x200
interrupt vector is patched such that QEMU gets control. QEMU
then builds error log and reports the error to OS registered
machine check handlers through RTAS space.

Apart from this, the patch series also takes care of synchronization
when multiple processors encounter machine check at or about the
same time.

The patch set was tested by simulating a machine check error in
the guest.

Changes in v3:
- Incorporated review comments
- Byte codes in patch 4/4 are now moved to
  pc-bios/spapr-rtas/spapr-rtas.S as instructions.
- Defined the RTAS blob in-memory layout.
- FIX: save and restore cr register in the trampoline

Changes in v2:
- Re-based to github.com/agraf/qemu.git  branch: ppc-next
- Merged patches 4 and 5.
- Incorporated other review comments

---

Aravinda Prasad (4):
  target-ppc: Extend rtas-blob
  target-ppc: Register and handle HCALL to receive updated RTAS region
  target-ppc: Build error log
  target-ppc: Handle ibm,nmi-register RTAS call


 hw/ppc/spapr.c  |7 +
 hw/ppc/spapr_hcall.c|  183 +++
 hw/ppc/spapr_rtas.c |   93 
 include/hw/ppc/spapr.h  |   27 +-
 pc-bios/spapr-rtas/spapr-rtas.S |   38 
 5 files changed, 346 insertions(+), 2 deletions(-)

-- 
Aravinda Prasad

Re: [Qemu-devel] [PATCH v4 31/47] postcopy: Incoming initialisation

[David Gibson]

On Fri, Oct 03, 2014 at 06:47:37PM +0100, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" 
> 
> Signed-off-by: Dr. David Alan Gilbert 
> ---
>  arch_init.c  |  11 
>  include/migration/migration.h|   1 +
>  include/migration/postcopy-ram.h |  12 +
>  migration.c  |   1 +
>  postcopy-ram.c   | 110 
> ++-
>  savevm.c |   4 ++
>  6 files changed, 138 insertions(+), 1 deletion(-)
> 
> diff --git a/arch_init.c b/arch_init.c
> index 030d189..4a03171 100644
> --- a/arch_init.c
> +++ b/arch_init.c
> @@ -1345,6 +1345,17 @@ void ram_handle_compressed(void *host, uint8_t ch, 
> uint64_t size)
>  }
>  }
>  
> +/*
> + * Allocate data structures etc needed by incoming migration with 
> postcopy-ram
> + * postcopy-ram's similarly names postcopy_ram_incoming_init does the work
> + */
> +int ram_postcopy_incoming_init(MigrationIncomingState *mis)
> +{
> +size_t ram_pages = last_ram_offset() >> TARGET_PAGE_BITS;
> +
> +return postcopy_ram_incoming_init(mis, ram_pages);
> +}

Um.. yeah.  I'm sure ram_postcopy_incoming_init versus
postcopy_ram_incoming_init won't get confusing o_O.

[snip]
> +/*
> + * Setup an area of RAM so that it *can* be used for postcopy later; this
> + * must be done right at the start prior to pre-copy.
> + * opaque should be the MIS.
> + */
> +static int init_area(const char *block_name, void *host_addr,
> + ram_addr_t offset, ram_addr_t length, void *opaque)
> +{
> +MigrationIncomingState *mis = opaque;
> +
> +DPRINTF("init_area: %s: %p offset=%zx length=%zd(%zx)",
> +block_name, host_addr, offset, length, length);
> +/*
> + * We need the whole of RAM to be truly empty for postcopy, so things
> + * like ROMs and any data tables built during init must be zero'd
> + * - we're going to get the copy from the source anyway.
> + */
> +if (postcopy_ram_discard_range(mis, host_addr, (host_addr + length - 
> 1))) {
> +return -1;
> +}
> +
> +/*
> + * We also need the area to be normal 4k pages, not huge pages
> + * (otherwise we can't be sure we can use remap_anon_pages to put
> + * a 4k page in later).  THP might come along and map a 2MB page
> + * and when it's partially accessed in precopy it might not break
> + * it down, but leave a 2MB zero'd page.
> + */
> +if (madvise(host_addr, length, MADV_NOHUGEPAGE)) {
> +perror("init_area: NOHUGEPAGE");
> +return -1;
> +}

I'm assuming this is because remap_anon_pages() can't automatically
split a THP itself.  It's not immediately obvious to me why it can't
though.

Also.. what effect will this have on an actual hugetlbfs memory
region?  If there's code to handle that case I haven't spotted it yet.

> +
> +return 0;
> +}
> +
> +/*
> + * At the end of migration, undo the effects of init_area
> + * opaque should be the MIS.
> + */
> +static int cleanup_area(const char *block_name, void *host_addr,
> +ram_addr_t offset, ram_addr_t length, void *opaque)
> +{
> +/* Turn off userfault here as well? */

This comment appears to be obsoleted by the code below.

> +
> +DPRINTF("cleanup_area: %s: %p offset=%zx length=%zd(%zx)",
> +block_name, host_addr, offset, length, length);
> +/*
> + * We turned off hugepage for the precopy stage with postcopy enabled
> + * we can turn it back on now.
> + */
> +if (madvise(host_addr, length, MADV_HUGEPAGE)) {
> +perror("init_area: HUGEPAGE");
> +return -1;
> +}
> +
> +/*
> + * We can also turn off userfault now since we should have all the
> + * pages.   It can be useful to leave it on to debug postcopy
> + * if you're not sure it's always getting every page.
> + */
> +if (madvise(host_addr, length, MADV_NOUSERFAULT)) {
> +perror("init_area: NOUSERFAULT");
> +return -1;
> +}
> +
> +return 0;
> +}
> +
> +/*
> + * Initialise postcopy-ram, setting the RAM to a state where we can go into
> + * postcopy later; must be called prior to any precopy.
> + * called from arch_init's similarly named ram_postcopy_incoming_init
> + */
> +int postcopy_ram_incoming_init(MigrationIncomingState *mis, size_t ram_pages)
> +{
> +postcopy_pmi_init(mis, ram_pages);
> +
> +if (qemu_ram_foreach_block(init_area, mis)) {
> +return -1;
> +}
> +
> +return 0;
> +}
> +
> +/*
> + * At the end of a migration where postcopy_ram_incoming_init was called.
> + */
> +int postcopy_ram_incoming_cleanup(MigrationIncomingState *mis)
> +{
> +/* TODO: Join the fault thread once we're sure it will exit */
> +if (qemu_ram_foreach_block(cleanup_area, mis)) {
> +return -1;
> +}
> +
> +return 0;
> +}
> +
>  #else
>  /* No target OS support, stubs just fail */
>  
> @@ -404,6 +501,17 @@ void postcopy_hook_early_receive(Migr

Re: [Qemu-devel] [Qemu-trivial] [PATCH v3 3/5] qemu-char: fix incorrect state in error message

[Michael Tokarev]

04.11.2014 13:50, zhanghailiang wrote
> It is either "Failed _to_ do something", or "something failed",
> but not "failed something".

Um.  Heh.  I was afraid of seeing this ;)

My comment about bad grammar was in context of changing error
reporting in this area -- so while chaning error API in use,
it might be a good idea to reword the obviously wrong error
messages _too_, on the same line..

I'll fold this to the next patch, so not to resend whole thing
again.  Oh well ;)

The error messages aren't nice still, but maybe it will be
more clean and easier to understand from the context provided
by the error api.

Thanks,

/mjt

Re: [Qemu-devel] [PATCH v4 32/47] postcopy: ram_enable_notify to switch on userfault

[David Gibson]

On Fri, Oct 03, 2014 at 06:47:38PM +0100, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" 
> 
> Signed-off-by: Dr. David Alan Gilbert 
> ---
>  include/migration/migration.h|  2 ++
>  include/migration/postcopy-ram.h |  6 +
>  postcopy-ram.c   | 49 
> +++-
>  savevm.c |  9 
>  4 files changed, 65 insertions(+), 1 deletion(-)
> 
> diff --git a/include/migration/migration.h b/include/migration/migration.h
> index be63c89..b01cc17 100644
> --- a/include/migration/migration.h
> +++ b/include/migration/migration.h
> @@ -87,6 +87,8 @@ struct MigrationIncomingState {
>  POSTCOPY_RAM_INCOMING_END
>  } postcopy_ram_state;
>  
> +/* For the kernel to send us notifications */
> +intuserfault_fd;
>  QEMUFile *return_path;
>  QemuMutex  rp_mutex;/* We send replies from multiple threads */
>  PostcopyPMIpostcopy_pmi;
> diff --git a/include/migration/postcopy-ram.h 
> b/include/migration/postcopy-ram.h
> index 8f237a2..413b670 100644
> --- a/include/migration/postcopy-ram.h
> +++ b/include/migration/postcopy-ram.h
> @@ -19,6 +19,12 @@
>  int postcopy_ram_hosttest(void);
>  
>  /*
> + * Make all of RAM sensitive to accesses to areas that haven't yet been 
> written
> + * and wire up anything necessary to deal with it.
> + */
> +int postcopy_ram_enable_notify(MigrationIncomingState *mis);
> +
> +/*
>   * Initialise postcopy-ram, setting the RAM to a state where we can go into
>   * postcopy later; must be called prior to any precopy.
>   * called from arch_init's similarly named ram_postcopy_incoming_init
> diff --git a/postcopy-ram.c b/postcopy-ram.c
> index 8eccf26..925ac77 100644
> --- a/postcopy-ram.c
> +++ b/postcopy-ram.c
> @@ -485,9 +485,51 @@ int postcopy_ram_incoming_cleanup(MigrationIncomingState 
> *mis)
>  return 0;
>  }
>  
> +/*
> + * Mark the given area of RAM as requiring notification to unwritten areas
> + * Used as a  callback on qemu_ram_foreach_block.
> + *   host_addr: Base of area to mark
> + *   offset: Offset in the whole ram arena
> + *   length: Length of the section
> + *   opaque: Unused

^^
This appears to be wrong - opaque is used to find the MIS.

> + * Returns 0 on success
> + */
> +static int postcopy_ram_sensitise_area(const char *block_name, void 
> *host_addr,
> +   ram_addr_t offset, ram_addr_t length,
> +   void *opaque)
> +{
> +MigrationIncomingState *mis = opaque;
> +uint64_t tokern[2];

"tokern"?

> +
> +if (madvise(host_addr, length, MADV_USERFAULT)) {
> +perror("postcopy_ram_sensitise_area madvise");
> +return -1;
> +}
> +
> +/* Now tell our userfault_fd that it's responsible for this area */
> +tokern[0] = (uint64_t)(uintptr_t)host_addr | 1; /* 1 means register area 
> */
> +tokern[1] = (uint64_t)(uintptr_t)host_addr + length;
> +if (write(mis->userfault_fd, tokern, 16) != 16) {
> +perror("postcopy_ram_sensitise_area write");
> +madvise(host_addr, length, MADV_NOUSERFAULT);
> +return -1;
> +}
> +
> +return 0;
> +}
> +
> +int postcopy_ram_enable_notify(MigrationIncomingState *mis)
> +{
> +/* Mark so that we get notified of accesses to unwritten areas */
> +if (qemu_ram_foreach_block(postcopy_ram_sensitise_area, mis)) {
> +return -1;
> +}
> +
> +return 0;
> +}
> +
>  #else
>  /* No target OS support, stubs just fail */
> -
>  int postcopy_ram_hosttest(void)
>  {
>  error_report("postcopy_ram_hosttest: No OS support");
> @@ -528,6 +570,11 @@ int postcopy_ram_discard_range(MigrationIncomingState 
> *mis, uint8_t *start,
>  {
>  assert(0);
>  }
> +
> +int postcopy_ram_enable_notify(MigrationIncomingState *mis)
> +{
> +assert(0);
> +}
>  #endif
>  
>  /* - 
> */
> diff --git a/savevm.c b/savevm.c
> index 54bdb26..859c96f 100644
> --- a/savevm.c
> +++ b/savevm.c
> @@ -1304,6 +1304,15 @@ static int 
> loadvm_postcopy_ram_handle_listen(MigrationIncomingState *mis)
>  
>  mis->postcopy_ram_state = POSTCOPY_RAM_INCOMING_LISTENING;
>  
> +/*
> + * Sensitise RAM - can now generate requests for blocks that don't exist
> + * However, at this point the CPU shouldn't be running, and the IO
> + * shouldn't be doing anything yet so don't actually expect requests
> + */
> +if (postcopy_ram_enable_notify(mis)) {
> +return -1;
> +}
> +
>  /* TODO start up the postcopy listening thread */
>  return 0;
>  }

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


pgpyf9zmpViUB.pgp
Description: PGP signature

Re: [Qemu-devel] [PATCH v4 30/47] Postcopy: Maintain sentmap and calculate discard

[David Gibson]

On Fri, Oct 03, 2014 at 06:47:36PM +0100, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" 
> 
> Where postcopy is preceeded by a period of precopy, the destination will
> have received pages that may have been dirtied on the source after the
> page was sent.  The destination must throw these pages away before
> starting it's CPUs.
> 
> Maintain a 'sentmap' of pages that have already been sent.
> Calculate list of sent & dirty pages
> Provide helpers on the destination side to discard these.

I find this one really hard to wrap my head around, and I'm having
trouble putting my finger on why.

I do wonder if the "base + tiny bitmap" encodinng for the discard list
over the wire is the best choice.  It seems to involve a bunch of
rather tedious code rejigging the bitmap into 32-bit chunks, and a
bunch of rather hard to follow code moving back and forth between that
encoding and simple address or page ranges for handling the actual
discards.  It also involves sending the bit offsets for the start of
each ram block over the wire, which feels like it should be an
internal detail.

Would just a simple list of start..end or start/len pairs end up
simpler overall?  Converting the bitmap used to track it on the
source into ranges would be a little fiddly, but I suspect less so
than the code to split into 32-bit pieces.

It might also be a bit more robust against possible future options for
source host vs. dest host vs. target page size, since the source can
construct it in terms if its granularity constraints, and destination
can round each chunk out to its own granularity.

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


pgp8wk1mr5uUr.pgp
Description: PGP signature

Re: [Qemu-devel] [Qemu-trivial] [PATCH v3 1/5] qemu-char: fix parameter check in some qemu_chr_parse_* functions

[Michael Tokarev]

04.11.2014 16:25, Alex Bennée wrote:
> zhanghailiang  writes:
> 
>> For some qemu_chr_parse_* functions, we just check whether the parameter
>> is NULL or not, but do not check if it is empty.
>>
>> For example:
>> qemu-system-x86_64 -chardev pipe,id=id,path=
>> It will pass the check of NULL but will not find the error until
>> trying to open it, while essentially missing and empty parameter
>> is the same thing.
>>
>> So check the parameters for emptiness too, and avoid emptiness
>> check at open time.
>>
>> Signed-off-by: zhanghailiang 
>> Signed-off-by: Michael Tokarev 
>> ---
>>  qemu-char.c | 15 +--
>>  1 file changed, 5 insertions(+), 10 deletions(-)
>>
>> diff --git a/qemu-char.c b/qemu-char.c
>> index bd0709b..a09bbf6 100644
>> --- a/qemu-char.c
>> +++ b/qemu-char.c
>> @@ -1084,11 +1084,6 @@ static CharDriverState 
>> *qemu_chr_open_pipe(ChardevHostdev *opts)
>>  char filename_out[CHR_MAX_FILENAME_SIZE];
>>  const char *filename = opts->device;
>>  
>> -if (filename == NULL) {
>> -fprintf(stderr, "chardev: pipe: no filename given\n");
>> -return NULL;
>> -}
>> -
> 
> You seem to have dropped a check here, are you sure all avenues into
> this code have validated filename? What if a new function gets added?

Yes, the code first calls parse_pipe() and only after it is
successfully completed, it calls open_pipe().  I don't see
a good reason for having assert here.

> At a minimum I'd replace it with a g_assert(filename) to make the
> calling contract clear.

This is an internal set of APIs for a chr device, each kind is
having a pair of functions which are called in order (first parse,
next open), -- _that_ is the contract.

[]
> All this boilerplate checking makes me think that either the qemu_opt
> machinery should be ensuring we get a valid option string?

Might be a good idea, yes, but that'd be a huge change, since that
should be done in a lot of places, and in many cases we can't
express our rules easily (eg, only one of two parameters should
be present).  I think at this stage adding simple checks to
_parse functions is the way to go, and it is easy to read too.

Thanks,

/mjt

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

[Markus Armbruster]

Jeff Cody  writes:

> On Tue, Nov 04, 2014 at 07:45:38PM +0100, Markus Armbruster wrote:
[...]
>> == Don't guess format from untrusted image contents ==
>> 
>> Several variations of the theme.
>> 
>> Guessing only happens when the user doesn't specify a format, so the
>> simplest way to avoid it would be requiring users to always specify the
>> format.
>> 
>> PRO: Simple, plugs the hole.
>> 
>> CON: Breaks a lot of existing usage.  Bye -hda, hello extra typing.
>> 
>> Variation: command line option to opt out of probing completely.
>> 
>> PRO: Simple, plugs the hole.
>> 
>> CON: Insecure by default.
>> 
>> CON: In addition to opting out, you have to update your usage
>> accordingly.  I guess libvirt would do it anyway, to guard against
>> accidental probing once and for all.
>> 
>> Variation: Stefan proposed to make format= mandatory just for -drive.  I
>> guess he rather meant mandatory for anything but -hda and other selected
>> convenience interfaces.
>> 
>> PRO: No extra typing in the cases where it makes the most difference.
>> 
>> CON: Breaks existing usage in the other cases, extra typing.
>> 
>> CON: Doesn't fully plug the hole.  Users of convenience interfaces may
>> remain insecure out of ignorance.  We could add a warning to guide
>> them to more secure usage, but then that warning would annoy users
>> who don't care for security (sometimes with reason), and we can't
>> have that.  So we silently leave the users who would care if they
>> knew insecure.
>> 
>> I proposed something less radical, namely to keep guessing the image
>> format, but base the guess on trusted meta-data only: file name and
>> attributes.  Block and character special files are raw.  For other
>> files, find the file name extension, and look up the format claiming it.
>> 
>> PRO: Plugs the hole.
>> 
>> CON: Breaks existing usage when the new guess differs from the old
>> guess.  Common usage should be fine:
>> 
>> * -hda test.qcow2
>> 
>>   Fine as long as test.qcow2 is really QCOW2 (as it should!), and
>>   either specifies a backing format (as it arguably should), or the
>>   backing file name is sane.
>> 
>> * -hda disk.img
>> 
>>   Fine as long as disk.img is really a disk image (as it should).
>> 
>> * -hda /dev/mapper/vg0-virtdisk
>> 
>>   Fine as long as the logical volume is raw.
>> 
>> Less common usage can break:
>> 
>> * -hda nbd://localhost
>> 
>>   Socket provides no clue, so no guess.
>> 
>> Weird usage can conceivably break hard:
>> 
>> * -hdd disk.img
>> 
>>   Breaks hard when disk.img is actually QCOW2, the guest boots
>>   anyway from another drive, then proceeds to overwrite this one.
>> 
>> Mitigation: lengthy transition period where we warn "this usage is
>> insecure, and we'll eventually break it; here's a hint on secure usage".
>> 
>> CON: We delay plugging the hole one more time.  But at least we no
>> longer expose our users to it silently.
>> 
>> Jeff pointed out that we want to retain probing in things like qemu-img
>> info.
>> 
>> Richard asked for a way for users to ask for insecure probing, say
>> format=insecure-probe.  I have no problem with giving users rope when
>> they ask for it.
>> 
>> Variation: if file name and attributes are unavailable or provide no
>> clue, guess raw.  Same PRO and CON as above, only it avoids breaking a
>> few more cases.  For instance, "-hda nbd://localhost" keeps working as
>> long as the server serves a raw image.  Smells a bit like too much magic
>> to me.
>>
>
> How about another variation: probe as we do currently, but a
> result of 'raw' is a hard failure ("Unable to determine image format,
> it may be 'raw'.  You must specify the image format").
>
> This makes sense, because of a probe result of raw currently really
> means "I don't recognize this image", so maybe we should just treat it
> as such.
>
> Imagine two different QEMU binaries, with different image formats
> compiled in.  Currently, by detecting "raw" we could cause data
> corruption in a guest, if one QEMU version doesn't recognize 'foobar'
> image format.

I like the honesty of letting probing yield "I don't know", and the
general simplicity.

> PRO: 
> * Simple, and non-raw format probes will continue to behave the same
>
> * We stop "guessing" raw
>
> CON: 
> * User could specify format of "raw", have a guest write an image
> header to sector 0, and then in subsequent usage go back to probing

Yes, it doesn't fully plug the hole, just like Kevin's proposal.  Thus,
it can't satisfy my "secure usage should not be hard" requirement on its
own.

> * Will break some scripts

It'll break common usage like -cdrom r7.iso and -hda foo.img.

>> My proposal replaces probing wholesale.  I like that because it results
>> in simple, predictable guessing.  Here's a hybrid approach: first guess
>> raw vs. non-raw based on trusted meta-data only, and if non-raw, probe.
>> 
>> Nothing the guest writes can affect the raw vs. non

[Qemu-devel] [PATCH v3] qdev: Avoid type assertion in qdev_build_hotpluggable_device_list()

[Jun Li]

Currently when *obj is not a TYPE_DEVICE, qemu will abort. This patch just
fixed it. When *obj is not a TYPE_DEVICE, just do not add it to hotpluggable
device list.

This patch also fixed the following issue:
1, boot qemu using cli:
$ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
-device virtio-scsi-pci,id=scsi0

2, device_del scsi0 via hmp using tab key(first input device_del, then press
"Tab" key).
(qemu) device_del

After step2, qemu will abort.
(qemu) device_del hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
Object 0x563a2460 is not an instance of type device

Signed-off-by: Jun Li 
Reviewed-by: Paolo Bonzini 
---
v3:
  According to Andreas's suggestion, do some changes. As followings:
  1, change the Subject to more meaningful.
  2, use two "return 0" to return early avoid reindentation. And I have found 
in qcow2_grow_l1_table has also used two "return 0". So accept Andreas's 
suggestion. Thanks.

v2:
  This version just do a little changes for the commit message.
As following show:
In v1,
1, boot qemu using cli:
virtio-scsi-pci,id=scsi0 -enable-kvm

In v2,
1, boot qemu using cli:
$ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
-device virtio-scsi-pci,id=scsi0
---
 hw/core/qdev.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index b3d5196..7db3e13 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -927,7 +927,12 @@ void qdev_alias_all_properties(DeviceState *target, Object 
*source)
 int qdev_build_hotpluggable_device_list(Object *obj, void *opaque)
 {
 GSList **list = opaque;
-DeviceState *dev = DEVICE(obj);
+DeviceState *dev = (DeviceState *)object_dynamic_cast(OBJECT(obj),
+  "device");
+
+if (dev == NULL) {
+return 0;
+}
 
 if (dev->realized && object_property_get_bool(obj, "hotpluggable", NULL)) {
 *list = g_slist_append(*list, dev);
-- 
1.9.3

Re: [Qemu-devel] [Qemu-trivial] [PATCH v7] numa: make 'info numa' take into account hotplugged memory

[Michael Tokarev]

04.11.2014 14:49, zhanghailiang wrote:
> When do memory hotplug, if there is numa node, we should add
> the memory size to the corresponding node memory size.
> 
> It affects the result of hmp command "info numa".
> 
> Reviewed-by: Igor Mammedov 
> Signed-off-by: zhanghailiang 
> ---
> Hi Luiz,
> 
> This patch has been long time in the mail list.
> The change does not affect anything but the 'info numa' command.
> Actully, i have another patch that fix balloon 
> bug.(https://lists.gnu.org/archive/html/qemu-devel/2014-09/msg01568.html)
> It is related to memory hotplug too and based on this patch.
> 
> Since you don't have bandwidth for another pull request for v2.2.
> Maybe go -trivial is another choice if you agreed;)
> 
> I'm OK if you think it's not appropriate.

I applied this to -trivial.  I don't really understand what
does "have bandwidth for a pull request" mean, but..

Thanks,

/mjt

Re: [Qemu-devel] [PATCH] qemu-doc.texi: fix typos for x509 examples

[Gonglei]

On 2014/11/5 14:53, Michael Tokarev wrote:

> 04.11.2014 16:32, Eric Blake wrote:
>> On 11/03/2014 01:48 PM, arei.gong...@huawei.com wrote:
>>> From: Gonglei 
>>>
>>> Fix typos made people confuesd:
>>
>> Spelling:
>> s/confuesd/confused/
>>
>> Grammar: would read better as:
>>
>> Fix typos that caused confusion for some people:
> 
> I just removed whole commit message (besides the subject
> line), because the patch is self-explanatory anyway.
> Hopefully it's okay.. ;)
> 

OK, thanks.

Best regards,
-Gonglei

Re: [Qemu-devel] [PATCH] s390x: Implement SAM{24,31,64}

[Richard Henderson]

On 11/04/2014 09:19 PM, Alexander Graf wrote:
> The SAM instructions simply change 2 bits in PSW.MASK to advertise
> the current memory mode. While we can't fully guarantee that 31 bit
> mode (or even remotely 24 bit mode) actually work correctly, we don't
> check whether lpswe modifies these bits, so we shouldn't keep the
> guest from executing SAM instructions either.
> 
> This patch implements all SAM instrutions with their actual PSW changing
> semantics, making more recent Linux kernels boot properly which do issue
> a SAM31 call during early boot.
> 
> Signed-off-by: Alexander Graf 

Ho hum.  Reminds me that I should revive my tgt-s390 branch that
got bogged down last year on facilities management.

I think this is technically missing a SPECIFICATION exception if
the PC is out of range for the new mode.  But otherwise...

Reviewed-by: Richard Henderson 


r~

Re: [Qemu-devel] [PATCH] qemu-doc.texi: fix typos for x509 examples

[Michael Tokarev]

04.11.2014 16:32, Eric Blake wrote:
> On 11/03/2014 01:48 PM, arei.gong...@huawei.com wrote:
>> From: Gonglei 
>>
>> Fix typos made people confuesd:
> 
> Spelling:
> s/confuesd/confused/
> 
> Grammar: would read better as:
> 
> Fix typos that caused confusion for some people:

I just removed whole commit message (besides the subject
line), because the patch is self-explanatory anyway.
Hopefully it's okay.. ;)

Thanks,

/mjt

Re: [Qemu-devel] [PATCH v2] qdev: modify func qdev_build_hotpluggable_device_list

[Jun Li]

On Wed, 11/05 09:59, Fam Zheng wrote:
> On Wed, 11/05 08:53, jun muzi wrote:
> > Yes, in my original thought i just want to do as you said. But it will have
> > two "return 0" in one function. So i think it's not so smart. If you still
> > think two "return 0" is better, i will submit a new version. Thanks.
> > 
> > BTW, for subject, i agree with you.
> 
> Please use inline reply for mailing list discussions.

Ok, got it. Thx.

> 
> Fam
> 
> > 
> > Jun Li
> > 2014-11-5 上午2:39于 "Andreas Färber" 写道：
> > 
> > > Hi,
> > >
> > > Am 04.11.2014 um 07:55 schrieb Jun Li:
> > > > Currently when *obj is not a TYPE_DEVICE, qemu will abort. This patch
> > > just
> > > > fixed it. When *obj is not a TYPE_DEVICE, just do not add it to
> > > hotpluggable
> > > > device list.
> > > >
> > > > This patch also fixed the following issue:
> > > > 1, boot qemu using cli:
> > > > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > > > -device virtio-scsi-pci,id=scsi0
> > > >
> > > > 2, device_del scsi0 via hmp using tab key(first input device_del, then
> > > press
> > > > "Tab" key).
> > > > (qemu) device_del
> > > >
> > > > After step2, qemu will abort.
> > > > (qemu) device_del 
> > > > hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
> > > > Object 0x563a2460 is not an instance of type device
> > > >
> > > > Signed-off-by: Jun Li 
> > > > Reviewed-by: Paolo Bonzini 
> > > > ---
> > > > v2:
> > > >   This version just do a little changes for the commit message.
> > > > As following show:
> > > > In v1,
> > > > 1, boot qemu using cli:
> > > > virtio-scsi-pci,id=scsi0 -enable-kvm
> > > >
> > > > In v2,
> > > > 1, boot qemu using cli:
> > > > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > > > -device virtio-scsi-pci,id=scsi0
> > > > ---
> > > >  hw/core/qdev.c | 13 +
> > > >  1 file changed, 9 insertions(+), 4 deletions(-)
> > >
> > > Thanks, I've queued this patch, but we should give it a more meaningful
> > > subject - maybe "qdev: Avoid type assertion in qdev_build_...()"?
> > >
> > > Also, we could avoid reindentation by returning early:
> > > if (dev == NULL) {
> > > return 0;
> > > }
> > >
> > > What do you think?
> > >
> > > Regards,
> > > Andreas
> > >
> > > --
> > > SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
> > > GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 21284 AG Nürnberg
> > >

[Qemu-devel] [PATCH v3] smbios: need to change some of 'ram_addr_t' variable to 'uint64_t'

[SeokYeon Hwang]

Some of variables handling 64bit address must be changed from 'ram_addr_t' to 
'uint64_t'.

Signed-off-by: SeokYeon Hwang 
---
 hw/i386/smbios.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/i386/smbios.c b/hw/i386/smbios.c
index 8a7ad48..024e594 100644
--- a/hw/i386/smbios.c
+++ b/hw/i386/smbios.c
@@ -645,7 +645,7 @@ static void smbios_build_type_4_table(unsigned instance)
 
 static void smbios_build_type_16_table(unsigned dimm_cnt)
 {
-ram_addr_t size_kb;
+uint64_t size_kb;
 
 SMBIOS_BUILD_TABLE_PRE(16, 0x1000, true); /* required */
 
@@ -669,10 +669,10 @@ static void smbios_build_type_16_table(unsigned dimm_cnt)
 #define MAX_T17_STD_SZ 0x7FFF /* (32G - 1M), in Megabytes */
 #define MAX_T17_EXT_SZ 0x8000 /* 2P, in Megabytes */
 
-static void smbios_build_type_17_table(unsigned instance, ram_addr_t size)
+static void smbios_build_type_17_table(unsigned instance, uint64_t size)
 {
 char loc_str[128];
-ram_addr_t size_mb;
+uint64_t size_mb;
 
 SMBIOS_BUILD_TABLE_PRE(17, 0x1100 + instance, true); /* required */
 
@@ -711,9 +711,9 @@ static void smbios_build_type_17_table(unsigned instance, 
ram_addr_t size)
 }
 
 static void smbios_build_type_19_table(unsigned instance,
-   ram_addr_t start, ram_addr_t size)
+   uint64_t start, uint64_t size)
 {
-ram_addr_t end, start_kb, end_kb;
+uint64_t end, start_kb, end_kb;
 
 SMBIOS_BUILD_TABLE_PRE(19, 0x1300 + instance, true); /* required */
 
-- 
2.1.0

Re: [Qemu-devel] [PATCH v2] smbios: changed for "smbios_build_type_17_table()" to take 'uint64_t'

[SeokYeon Hwang]

> -Original Message-
> From: Paolo Bonzini [mailto:paolo.bonz...@gmail.com] On Behalf Of Paolo
> Bonzini
> Sent: Tuesday, November 04, 2014 5:42 PM
> To: SeokYeon Hwang; qemu-devel@nongnu.org
> Cc: paolo.bonz...@gmail.com; arm...@redhat.com; alex.william...@hp.com
> Subject: Re: [PATCH v2] smbios: changed for "smbios_build_type_17_table()"
> to take 'uint64_t'
> 
> 
> 
> On 04/11/2014 08:12, SeokYeon Hwang wrote:
> > "smbios_build_type_17_table()" should take 'uint64_t' instead of
> 'ram_addr_t' because it should be able to handle (16ll * GiB).
> > Otherwise, clang (>= 3.4) produces compilation warning in
> "smbios_get_tables()".
> >
> > Signed-off-by: SeokYeon Hwang 
> > ---
> >  hw/i386/smbios.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/hw/i386/smbios.c b/hw/i386/smbios.c index
> > 8a7ad48..4ad42ae 100644
> > --- a/hw/i386/smbios.c
> > +++ b/hw/i386/smbios.c
> > @@ -669,7 +669,7 @@ static void smbios_build_type_16_table(unsigned
> > dimm_cnt)  #define MAX_T17_STD_SZ 0x7FFF /* (32G - 1M), in Megabytes
> > */  #define MAX_T17_EXT_SZ 0x8000 /* 2P, in Megabytes */
> >
> > -static void smbios_build_type_17_table(unsigned instance, ram_addr_t
> > size)
> > +static void smbios_build_type_17_table(unsigned instance, uint64_t
> > +size)
> >  {
> >  char loc_str[128];
> >  ram_addr_t size_mb;
> >
> 
> Can you make a patch that replaces _all_ occurrences in hw/i386/smbios.c
> instead?
> 
> Thanks,
> 
> Paolo


I just posted patch v3 that is applied your suggestion.
Thank you for your advice.

Re: [Qemu-devel] [RESEND PATCH v4 09/10] acpi: Add hardware implementation for memory hot unplug.

[Hu Tao]

On Wed, Nov 05, 2014 at 01:49:54PM +0800, Tang Chen wrote:

<...>

> -  2-7: reserved, OSPM must clear them before writing to register
> +  2: set by hardware after it has emitted devive eject event for

s/devive/device/

Regards,
Hu

[Qemu-devel] [PATCH 2/2] spapr: Fix stale HTAB during live migration (TCG)

[Samuel Mendoza-Jonas]

If a TCG guest reboots during a running migration HTAB entries are not
marked dirty, and the destination boots with an invalid HTAB.

When a reboot occurs reset the state of HTAB migration, and explicitly
inform the destination of invalid entries.

Signed-off-by: Samuel Mendoza-Jonas 
---
 hw/ppc/spapr.c | 59 +++---
 include/hw/ppc/spapr.h |  1 +
 2 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 1610c28..9f419e8 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -829,26 +829,30 @@ static void spapr_reset_htab(sPAPREnvironment *spapr)
 
 shift = kvmppc_reset_htab(spapr->htab_shift);
 
+pthread_mutex_lock(&spapr->htab_mutex);
 if (shift > 0) {
 /* Kernel handles htab, we don't need to allocate one */
 spapr->htab_shift = shift;
 kvmppc_kern_htab = true;
 
 /* Tell readers to update their file descriptor */
-pthread_mutex_lock(&spapr->htab_mutex);
 if (spapr->htab_fd > 0) {
 spapr->htab_fd_stale = true;
 }
-pthread_mutex_unlock(&spapr->htab_mutex);
 } else {
 if (!spapr->htab) {
 /* Allocate an htab if we don't yet have one */
 spapr->htab = qemu_memalign(HTAB_SIZE(spapr), HTAB_SIZE(spapr));
+} else {
+spapr->htab_mig_full = true;
+spapr->htab_first_pass = true;
+spapr->htab_save_index = 0;
 }
 
 /* And clear it */
 memset(spapr->htab, 0, HTAB_SIZE(spapr));
 }
+pthread_mutex_unlock(&spapr->htab_mutex);
 
 /* Update the RMA size if necessary */
 if (spapr->vrma_adjust) {
@@ -1019,6 +1023,7 @@ static int htab_save_setup(QEMUFile *f, void *opaque)
 pthread_mutex_lock(&spapr->htab_mutex);
 spapr->htab_fd = kvmppc_get_htab_fd(false);
 spapr->htab_fd_stale = false;
+spapr->htab_mig_full = false;
 pthread_mutex_unlock(&spapr->htab_mutex);
 if (spapr->htab_fd < 0) {
 fprintf(stderr, "Unable to open fd for reading hash table from 
KVM: %s\n",
@@ -1034,6 +1039,7 @@ static int htab_save_setup(QEMUFile *f, void *opaque)
 static void htab_save_first_pass(QEMUFile *f, sPAPREnvironment *spapr,
  int64_t max_ns)
 {
+bool final = max_ns < 0;
 int htabslots = HTAB_SIZE(spapr) / HASH_PTE_SIZE_64;
 int index = spapr->htab_save_index;
 int64_t starttime = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
@@ -1041,33 +1047,40 @@ static void htab_save_first_pass(QEMUFile *f, 
sPAPREnvironment *spapr,
 assert(spapr->htab_first_pass);
 
 do {
-int chunkstart;
+int chunkstart, invalidstart;
 
-/* Consume invalid HPTEs */
-while ((index < htabslots)
-   && !HPTE_VALID(HPTE(spapr->htab, index))) {
+chunkstart = index;
+/* Consume valid HPTEs */
+while ((index < htabslots && (index - chunkstart < USHRT_MAX))
+   && HPTE_VALID(HPTE(spapr->htab, index))) {
 index++;
 CLEAN_HPTE(HPTE(spapr->htab, index));
 }
 
-/* Consume valid HPTEs */
-chunkstart = index;
-while ((index < htabslots)
-   && HPTE_VALID(HPTE(spapr->htab, index))) {
+invalidstart = index;
+/* Consume invalid HPTEs */
+while ((index < htabslots && (index - invalidstart < USHRT_MAX))
+   && !HPTE_VALID(HPTE(spapr->htab, index))) {
 index++;
 CLEAN_HPTE(HPTE(spapr->htab, index));
 }
 
-if (index > chunkstart) {
-int n_valid = index - chunkstart;
+/* Avoid writing an end marker (0,0,0) */
+if (index > chunkstart
+   && !(chunkstart == invalidstart && !spapr->htab_mig_full)) {
+int n_valid = invalidstart - chunkstart;
+/* If a reset has occured we must explicitly overwrite the HTAB
+ * of the destination */
+int n_invalid = spapr->htab_mig_full ? index - invalidstart : 0;
 
 qemu_put_be32(f, chunkstart);
 qemu_put_be16(f, n_valid);
-qemu_put_be16(f, 0);
+qemu_put_be16(f, n_invalid);
 qemu_put_buffer(f, HPTE(spapr->htab, chunkstart),
 HASH_PTE_SIZE_64 * n_valid);
 
-if ((qemu_clock_get_ns(QEMU_CLOCK_REALTIME) - starttime) > max_ns) 
{
+if ((qemu_clock_get_ns(QEMU_CLOCK_REALTIME) - starttime) > max_ns
+   && !final) {
 break;
 }
 }
@@ -1182,10 +1195,14 @@ static int htab_save_iterate(QEMUFile *f, void *opaque)
 if (rc < 0) {
 return rc;
 }
-} else  if (spapr->htab_first_pass) {
-htab_save_first_pass(f, spapr, MAX_ITERATION_NS);
 } else {
-rc = htab_save_later_pass(f, spapr, MAX_ITERATION_NS);
+pthread_mutex_lock(&spapr->htab_mutex);
+if

[Qemu-devel] [PATCH 1/2] spapr: Fix stale HTAB during live migration (KVM)

[Samuel Mendoza-Jonas]

If a guest reboots during a running migration, changes to the
hash page table are not necessarily updated on the destination.
Opening a new file descriptor to the HTAB forces the migration
handler to resend the entire table.

Signed-off-by: Samuel Mendoza-Jonas 
---
 hw/ppc/spapr.c | 47 +++
 include/hw/ppc/spapr.h |  2 ++
 2 files changed, 49 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 0a2bfe6..1610c28 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -833,6 +833,13 @@ static void spapr_reset_htab(sPAPREnvironment *spapr)
 /* Kernel handles htab, we don't need to allocate one */
 spapr->htab_shift = shift;
 kvmppc_kern_htab = true;
+
+/* Tell readers to update their file descriptor */
+pthread_mutex_lock(&spapr->htab_mutex);
+if (spapr->htab_fd > 0) {
+spapr->htab_fd_stale = true;
+}
+pthread_mutex_unlock(&spapr->htab_mutex);
 } else {
 if (!spapr->htab) {
 /* Allocate an htab if we don't yet have one */
@@ -850,6 +857,31 @@ static void spapr_reset_htab(sPAPREnvironment *spapr)
 }
 }
 
+/* A guest reset will cause spapr->htab_fd to become stale if being used.
+ * Reopen the file descriptor to make sure the whole HTAB is properly read.
+ */
+static int spapr_check_htab_fd(sPAPREnvironment *spapr)
+{
+int rc = 0;
+
+pthread_mutex_lock(&spapr->htab_mutex);
+
+if (spapr->htab_fd_stale) {
+close(spapr->htab_fd);
+spapr->htab_fd = kvmppc_get_htab_fd(false);
+if (spapr->htab_fd < 0) {
+error_report("Unable to open fd for reading hash table from KVM: "
+"%s", strerror(errno));
+rc = -1;
+}
+spapr->htab_fd_stale = false;
+}
+
+pthread_mutex_unlock(&spapr->htab_mutex);
+return rc;
+}
+
+
 static void ppc_spapr_reset(void)
 {
 PowerPCCPU *first_ppc_cpu;
@@ -984,7 +1016,10 @@ static int htab_save_setup(QEMUFile *f, void *opaque)
 } else {
 assert(kvm_enabled());
 
+pthread_mutex_lock(&spapr->htab_mutex);
 spapr->htab_fd = kvmppc_get_htab_fd(false);
+spapr->htab_fd_stale = false;
+pthread_mutex_unlock(&spapr->htab_mutex);
 if (spapr->htab_fd < 0) {
 fprintf(stderr, "Unable to open fd for reading hash table from 
KVM: %s\n",
 strerror(errno));
@@ -1137,6 +1172,11 @@ static int htab_save_iterate(QEMUFile *f, void *opaque)
 if (!spapr->htab) {
 assert(kvm_enabled());
 
+rc = spapr_check_htab_fd(spapr);
+if (rc < 0) {
+return rc;
+}
+
 rc = kvmppc_save_htab(f, spapr->htab_fd,
   MAX_KVM_BUF_SIZE, MAX_ITERATION_NS);
 if (rc < 0) {
@@ -1168,6 +1208,11 @@ static int htab_save_complete(QEMUFile *f, void *opaque)
 
 assert(kvm_enabled());
 
+rc = spapr_check_htab_fd(spapr);
+if (rc < 0) {
+return rc;
+}
+
 rc = kvmppc_save_htab(f, spapr->htab_fd, MAX_KVM_BUF_SIZE, -1);
 if (rc < 0) {
 return rc;
@@ -1355,6 +1400,8 @@ static void ppc_spapr_init(MachineState *machine)
 spapr->htab_shift++;
 }
 
+pthread_mutex_init(&spapr->htab_mutex, NULL);
+
 /* Set up Interrupt Controller before we create the VCPUs */
 spapr->icp = xics_system_init(smp_cpus * kvmppc_smt_threads() / 
smp_threads,
   XICS_IRQS);
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 749daf4..5e29bec 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -37,6 +37,8 @@ typedef struct sPAPREnvironment {
 int htab_save_index;
 bool htab_first_pass;
 int htab_fd;
+bool htab_fd_stale;
+pthread_mutex_t htab_mutex;
 } sPAPREnvironment;
 
 #define H_SUCCESS 0
-- 
1.9.3

[Qemu-devel] [PATCH 0/2] spapr: Fix stale HTAB during live migration

[Samuel Mendoza-Jonas]

If a spapr guest reboots during a live migration, the guest HTAB on the
destination is not updated properly, usually resulting in a kernel panic.

This is a (delayed!) follow up to my previous patch including a fix
for TCG guests as well as KVM.

Samuel Mendoza-Jonas (2):
  spapr: Fix stale HTAB during live migration (KVM)
  spapr: Fix stale HTAB during live migration (TCG)

 hw/ppc/spapr.c | 102 +
 include/hw/ppc/spapr.h |   3 ++
 2 files changed, 89 insertions(+), 16 deletions(-)

-- 
1.9.3

Re: [Qemu-devel] [PATCH 3/5] pci: move initialization of pci's conf_addr and conf_data to common place

[Hu Tao]

On Tue, Nov 04, 2014 at 04:21:41PM +0200, Marcel Apfelbaum wrote:
> On Tue, 2014-11-04 at 17:12 +0800, Hu Tao wrote:
> > So that standard pci host device can share them.
> > 
> > Signed-off-by: Hu Tao 
> > ---
> >  hw/pci-host/piix.c | 20 
> >  hw/pci-host/q35.c  |  7 ---
> >  hw/pci/pci_host.c  | 32 
> >  3 files changed, 32 insertions(+), 27 deletions(-)
> > 
> > diff --git a/hw/pci-host/piix.c b/hw/pci-host/piix.c
> > index eb92bde..683465c 100644
> > --- a/hw/pci-host/piix.c
> > +++ b/hw/pci-host/piix.c
> > @@ -256,14 +256,8 @@ static void i440fx_pcihost_get_pci_hole64_end(Object 
> > *obj, Visitor *v,
> >  
> >  static void i440fx_pcihost_initfn(Object *obj)
> >  {
> > -PCIHostState *s = PCI_HOST_BRIDGE(obj);
> >  I440FXState *d = I440FX_PCI_HOST_BRIDGE(obj);
> >  
> > -memory_region_init_io(&s->conf_mem, obj, &pci_host_conf_le_ops, s,
> > -  "pci-conf-idx", 4);
> > -memory_region_init_io(&s->data_mem, obj, &pci_host_data_le_ops, s,
> > -  "pci-conf-data", 4);
> > -
> >  object_property_add(obj, PCI_HOST_PROP_PCI_HOLE_START, "int",
> >  i440fx_pcihost_get_pci_hole_start,
> >  NULL, NULL, NULL, NULL);
> > @@ -283,18 +277,6 @@ static void i440fx_pcihost_initfn(Object *obj)
> >  d->pci_info.w32.end = IO_APIC_DEFAULT_ADDRESS;
> >  }
> >  
> > -static void i440fx_pcihost_realize(DeviceState *dev, Error **errp)
> > -{
> > -PCIHostState *s = PCI_HOST_BRIDGE(dev);
> > -SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
> > -
> > -sysbus_add_io(sbd, PC_PCI_CONFIG_ADDR, &s->conf_mem);
> > -sysbus_init_ioports(sbd, PC_PCI_CONFIG_ADDR, 4);
> > -
> > -sysbus_add_io(sbd, PC_PCI_CONFIG_DATA, &s->data_mem);
> > -sysbus_init_ioports(sbd, PC_PCI_CONFIG_DATA, 4);
> > -}
> > -
> >  static int i440fx_initfn(PCIDevice *dev)
> >  {
> >  PCII440FXState *d = I440FX_PCI_DEVICE(dev);
> > @@ -755,8 +737,6 @@ static void i440fx_pcihost_class_init(ObjectClass 
> > *klass, void *data)
> >  PCIHostBridgeClass *hc = PCI_HOST_BRIDGE_CLASS(klass);
> >  
> >  hc->root_bus_path = i440fx_pcihost_root_bus_path;
> > -dc->realize = i440fx_pcihost_realize;
> > -dc->fw_name = "pci";
> >  dc->props = i440fx_props;
> >  }
> >  
> > diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
> > index 9e66835..81eddd7 100644
> > --- a/hw/pci-host/q35.c
> > +++ b/hw/pci-host/q35.c
> > @@ -138,18 +138,11 @@ static void q35_host_class_init(ObjectClass *klass, 
> > void *data)
> >  dc->realize = q35_host_realize;
> >  dc->props = mch_props;
> >  set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
> > -dc->fw_name = "pci";
> >  }
> >  
> >  static void q35_host_initfn(Object *obj)
> >  {
> >  Q35PCIHost *s = Q35_HOST_DEVICE(obj);
> > -PCIHostState *phb = PCI_HOST_BRIDGE(obj);
> > -
> > -memory_region_init_io(&phb->conf_mem, obj, &pci_host_conf_le_ops, phb,
> > -  "pci-conf-idx", 4);
> > -memory_region_init_io(&phb->data_mem, obj, &pci_host_data_le_ops, phb,
> > -  "pci-conf-data", 4);
> >  
> >  object_initialize(&s->mch, sizeof(s->mch), TYPE_MCH_PCI_DEVICE);
> >  object_property_add_child(OBJECT(s), "mch", OBJECT(&s->mch), NULL);
> > diff --git a/hw/pci/pci_host.c b/hw/pci/pci_host.c
> > index f2a69ea..406c747 100644
> > --- a/hw/pci/pci_host.c
> > +++ b/hw/pci/pci_host.c
> > @@ -176,12 +176,44 @@ const MemoryRegionOps pci_host_data_be_ops = {
> >  .endianness = DEVICE_BIG_ENDIAN,
> >  };
> >  
> > +static void pci_host_initfn(Object *obj)
> > +{
> > +PCIHostState *phb = PCI_HOST_BRIDGE(obj);
> > +
> > +memory_region_init_io(&phb->conf_mem, obj, &pci_host_conf_le_ops, phb,
> > +  "pci-conf-idx", 4);
> > +memory_region_init_io(&phb->data_mem, obj, &pci_host_data_le_ops, phb,
> > +  "pci-conf-data", 4);
> > +}
> > +
> > +static void pci_host_realize(DeviceState *dev, Error **errp)
> > +{
> > +PCIHostState *s = PCI_HOST_BRIDGE(dev);
> > +SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
> > +
> > +sysbus_add_io(sbd, PC_PCI_CONFIG_ADDR, &s->conf_mem);
> > +sysbus_init_ioports(sbd, PC_PCI_CONFIG_ADDR, 4);
> > +
> > +sysbus_add_io(sbd, PC_PCI_CONFIG_DATA, &s->data_mem);
> > +sysbus_init_ioports(sbd, PC_PCI_CONFIG_DATA, 4);
> Hi,
> 
> If I got this right, now we have this pci_host_realize run
> for each object of classes deriving from TYPE_PCI_HOST_BRIDGE.
> Please correct me if I am wrong.

You're absolutely right unless the subclass overides the realize
function.

> The machines PC and Q35 share the same code, however
> we have other host bridges deriving that I think they behave different:
> 
> hw/mips/gt64xxx_pci.c:1207:.parent= TYPE_PCI_HOST_BRIDGE,
> hw/pci-bridge/dec.c:150:.parent= TYPE_PCI_HOST_BRIDGE,
> hw/pci-host/apb.c:839:.parent= TYPE_PCI_HOST_BRI

[Qemu-devel] [RESEND PATCH v4 09/10] acpi: Add hardware implementation for memory hot unplug.

[Tang Chen]

This patch adds a new bit to memory hotplug IO port indicating that
memory device is be removed. And set MemStatus->is_removing to false
when the bit is written.

NOTE: MemStatus->is_removing is set to true in acpi_memory_unplug_cb()
when doing memory hot-remove with device_del command.

Signed-off-by: Hu Tao 
Signed-off-by: Tang Chen 
---
 docs/specs/acpi_mem_hotplug.txt |  8 ++--
 hw/acpi/memory_hotplug.c| 14 +++---
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/docs/specs/acpi_mem_hotplug.txt b/docs/specs/acpi_mem_hotplug.txt
index 1290994..5524c30 100644
--- a/docs/specs/acpi_mem_hotplug.txt
+++ b/docs/specs/acpi_mem_hotplug.txt
@@ -19,7 +19,9 @@ Memory hot-plug interface (IO port 0xa00-0xa17, 1-4 byte 
access):
   1: Device insert event, used to distinguish device for which
  no device check event to OSPM was issued.
  It's valid only when bit 1 is set.
-  2-7: reserved and should be ignored by OSPM
+  2: Device remove event, used to indicate that device is being
+removed.
+  3-7: reserved and should be ignored by OSPM
   [0x15-0x17] reserved
 
   write access:
@@ -35,7 +37,9 @@ Memory hot-plug interface (IO port 0xa00-0xa17, 1-4 byte 
access):
   1: if set to 1 clears device insert event, set by OSPM
  after it has emitted device check event for the
  selected memory device
-  2-7: reserved, OSPM must clear them before writing to register
+  2: set by hardware after it has emitted devive eject event for
+selected memory device
+  3-7: reserved, OSPM must clear them before writing to register
 
 Selecting memory device slot beyond present range has no effect on platform:
- write accesses to memory hot-plug registers not documented above are
diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index 01dea6c..a745bb0 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -75,6 +75,7 @@ static uint64_t acpi_memory_hotplug_read(void *opaque, hwaddr 
addr,
 case 0x14: /* pack and return is_* fields */
 val |= mdev->is_enabled   ? 1 : 0;
 val |= mdev->is_inserting ? 2 : 0;
+val |= mdev->is_removing  ? 4 : 0;
 trace_mhp_acpi_read_flags(mem_st->selector, val);
 break;
 default:
@@ -121,21 +122,28 @@ static void acpi_memory_hotplug_write(void *opaque, 
hwaddr addr, uint64_t data,
 mdev = &mem_st->devs[mem_st->selector];
 mdev->ost_status = data;
 trace_mhp_acpi_write_ost_status(mem_st->selector, mdev->ost_status);
-/* TODO: implement memory removal on guest signal */
 
 info = acpi_memory_device_status(mem_st->selector, mdev);
 qapi_event_send_acpi_device_ost(info, &error_abort);
 qapi_free_ACPIOSTInfo(info);
 break;
-case 0x14:
+case 0x14: /* set is_* fields */
 mdev = &mem_st->devs[mem_st->selector];
+
 if (data & 2) { /* clear insert event */
 mdev->is_inserting  = false;
 trace_mhp_acpi_clear_insert_evt(mem_st->selector);
+} else if (data & 4) { /* request removal of device */
+mdev->is_enabled = false;
+mdev->is_removing = false;
+object_unparent(OBJECT(mdev->dimm));
+mdev->dimm = NULL;
 }
+
+break;
+default:
 break;
 }
-
 }
 static const MemoryRegionOps acpi_memory_hotplug_ops = {
 .read = acpi_memory_hotplug_read,
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 08/10] pc-dimm: Add pc_dimm_unrealize() for memory hot unplug support.

[Tang Chen]

From: Hu Tao 

Implement unrealize function for pc-dimm device. It remove subregion from
hotplug region, and delete ram address range from guest ram list.

Signed-off-by: Hu Tao 
Signed-off-by: Tang Chen 
---
 hw/mem/pc-dimm.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/hw/mem/pc-dimm.c b/hw/mem/pc-dimm.c
index ee802bb..b105871 100644
--- a/hw/mem/pc-dimm.c
+++ b/hw/mem/pc-dimm.c
@@ -270,12 +270,22 @@ static MemoryRegion 
*pc_dimm_get_memory_region(PCDIMMDevice *dimm)
 return host_memory_backend_get_memory(dimm->hostmem, &error_abort);
 }
 
+static void pc_dimm_unrealize(DeviceState *dev, Error **errp)
+{
+PCDIMMDevice *dimm = PC_DIMM(dev);
+MemoryRegion *mr = pc_dimm_get_memory_region(dimm);
+
+memory_region_del_subregion(mr->container, mr);
+vmstate_unregister_ram(mr, dev);
+}
+
 static void pc_dimm_class_init(ObjectClass *oc, void *data)
 {
 DeviceClass *dc = DEVICE_CLASS(oc);
 PCDIMMDeviceClass *ddc = PC_DIMM_CLASS(oc);
 
 dc->realize = pc_dimm_realize;
+dc->unrealize = pc_dimm_unrealize;
 dc->props = pc_dimm_properties;
 
 ddc->get_memory_region = pc_dimm_get_memory_region;
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 00/10] QEmu memory hot unplug support.

[Tang Chen]

This patch-set implements memory hot-remove for QEmu. 

Rebased on Igor's asynchronize hotplug framework (qemu v2.1.2, the latest).

Approach: QEmu sets GPE status bit, then triggers SCI to notify guest os.
Guest os checks device status, and free memory resource if possible,
then generate OST.

NOTE: In this version, memory hot-remove is independent from _OST, 
  following Igor's comments. Will implement _OST for memory hot-remove
  soon if this part is OK.

Change log v3 -> v4 (RESEND):
1. Add new patch 1 ~ 4, fix some small problems in coding.
2. In patch 9, make memory hot-remove independent from _OST.
3. In patch 9, add comment for is_removing flag to document.
4. In patch 10, use macro instead of number.
5. Remove original patch 8 and 12 to coincident with asynchronize
   hotplug framework.

Hu Tao (4):
  acpi, piix4: Add memory hot unplug support for piix4.
  pc: Add memory hot unplug support for pc machine.
  pc-dimm: Add pc_dimm_unrealize() for memory hot unplug support.
  pc, acpi bios: Add memory hot unplug interface.

Tang Chen (6):
  acpi, mem-hotplug: Use PC_DIMM_SLOT_PROP in acpi_memory_plug_cb().
  acpi, mem-hotplug: Add acpi_memory_get_slot_status_descriptor() to get
MemStatus.
  acpi, mem-hotplug: Add acpi_memory_hotplug_sci() to rise sci for
memory hotplug.
  acpi, mem-hotplug: Add acpi_memory_unplug_cb() to implement memory
unplug.
  acpi, ich9: Add memory hot unplug support for ich9.
  acpi: Add hardware implementation for memory hot unplug.

 docs/specs/acpi_mem_hotplug.txt  |  8 +++--
 hw/acpi/ich9.c   | 12 +++
 hw/acpi/memory_hotplug.c | 71 +++-
 hw/acpi/piix4.c  |  6 +++-
 hw/i386/pc.c | 31 ++
 hw/i386/ssdt-mem.dsl |  5 +++
 hw/i386/ssdt-misc.dsl| 13 +++-
 hw/isa/lpc_ich9.c|  5 +--
 hw/mem/pc-dimm.c | 10 ++
 include/hw/acpi/ich9.h   |  2 ++
 include/hw/acpi/memory_hotplug.h |  3 ++
 include/hw/acpi/pc-hotplug.h |  2 ++
 12 files changed, 146 insertions(+), 22 deletions(-)

-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 10/10] pc, acpi bios: Add memory hot unplug interface.

[Tang Chen]

From: Hu Tao 

This patch implements MEMORY_SLOT_EJECT_METHOD according to ACPI spec.

Signed-off-by: Hu Tao 
Signed-off-by: Tang Chen 
---
 hw/i386/ssdt-mem.dsl |  5 +
 hw/i386/ssdt-misc.dsl| 13 -
 include/hw/acpi/pc-hotplug.h |  2 ++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/hw/i386/ssdt-mem.dsl b/hw/i386/ssdt-mem.dsl
index 22ff5dd..1416639 100644
--- a/hw/i386/ssdt-mem.dsl
+++ b/hw/i386/ssdt-mem.dsl
@@ -43,6 +43,7 @@ DefinitionBlock ("ssdt-mem.aml", "SSDT", 0x02, "BXPC", 
"CSSDT", 0x1)
 External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_STATUS_METHOD, 
MethodObj)
 External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_OST_METHOD, MethodObj)
 External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_PROXIMITY_METHOD, 
MethodObj)
+External(\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_EJECT_METHOD, 
MethodObj)
 
 Scope(\_SB) {
 /*  v-- DO NOT EDIT --v */
@@ -72,6 +73,10 @@ DefinitionBlock ("ssdt-mem.aml", "SSDT", 0x02, "BXPC", 
"CSSDT", 0x1)
 Method(_OST, 3) {
 \_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_OST_METHOD(_UID, 
Arg0, Arg1, Arg2)
 }
+
+Method(_EJ0, 1) {
+\_SB.PCI0.MEMORY_HOTPLUG_DEVICE.MEMORY_SLOT_EJECT_METHOD(_UID, 
Arg0)
+}
 }
 }
 }
diff --git a/hw/i386/ssdt-misc.dsl b/hw/i386/ssdt-misc.dsl
index 0fd4480..7b29539 100644
--- a/hw/i386/ssdt-misc.dsl
+++ b/hw/i386/ssdt-misc.dsl
@@ -156,6 +156,7 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", 
"BXSSDTSUSP", 0x1)
 Offset(20),
 MEMORY_SLOT_ENABLED,  1, // 1 if enabled, read only
 MEMORY_SLOT_INSERT_EVENT, 1, // (read) 1 if has a insert 
event. (write) 1 to clear event
+MEMORY_SLOT_REMOVE_EVENT, 1, // 1 if DIMM has a remove 
request, read only
 }
 
 Mutex (MEMORY_SLOT_LOCK, 0)
@@ -174,11 +175,14 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", 
"BXSSDTSUSP", 0x1)
 Acquire(MEMORY_SLOT_LOCK, 0x)
 while (LLess(Local0, MEMORY_SLOTS_NUMBER)) {
 Store(Local0, MEMORY_SLOT_SLECTOR) // select Local0 DIMM
+
 If (LEqual(MEMORY_SLOT_INSERT_EVENT, One)) { // Memory 
device needs check
 MEMORY_SLOT_NOTIFY_METHOD(Local0, 1)
 Store(1, MEMORY_SLOT_INSERT_EVENT)
+} Elseif (LEqual(MEMORY_SLOT_REMOVE_EVENT, One)) { // 
Ejection request
+MEMORY_SLOT_NOTIFY_METHOD(Local0, 3)
 }
-// TODO: handle memory eject request
+
 Add(Local0, One, Local0) // goto next DIMM
 }
 Release(MEMORY_SLOT_LOCK)
@@ -278,6 +282,13 @@ DefinitionBlock ("ssdt-misc.aml", "SSDT", 0x01, "BXPC", 
"BXSSDTSUSP", 0x1)
 Store(Arg2, MEMORY_SLOT_OST_STATUS)
 Release(MEMORY_SLOT_LOCK)
 }
+
+Method(MEMORY_SLOT_EJECT_METHOD, 2) {
+Acquire(MEMORY_SLOT_LOCK, 0x)
+Store(ToInteger(Arg0), MEMORY_SLOT_SLECTOR) // select DIMM
+Store(One, MEMORY_SLOT_REMOVE_EVENT)
+Release(MEMORY_SLOT_LOCK)
+}
 } // Device()
 } // Scope()
 }
diff --git a/include/hw/acpi/pc-hotplug.h b/include/hw/acpi/pc-hotplug.h
index b9db295..b61b6ea 100644
--- a/include/hw/acpi/pc-hotplug.h
+++ b/include/hw/acpi/pc-hotplug.h
@@ -42,6 +42,7 @@
 #define MEMORY_SLOT_PROXIMITYMPX
 #define MEMORY_SLOT_ENABLED  MES
 #define MEMORY_SLOT_INSERT_EVENT MINS
+#define MEMORY_SLOT_REMOVE_EVENT MRMV
 #define MEMORY_SLOT_SLECTOR  MSEL
 #define MEMORY_SLOT_OST_EVENTMOEV
 #define MEMORY_SLOT_OST_STATUS   MOSC
@@ -50,6 +51,7 @@
 #define MEMORY_SLOT_CRS_METHOD   MCRS
 #define MEMORY_SLOT_OST_METHOD   MOST
 #define MEMORY_SLOT_PROXIMITY_METHOD MPXM
+#define MEMORY_SLOT_EJECT_METHOD MEJ0
 #define MEMORY_SLOT_NOTIFY_METHODMTFY
 #define MEMORY_SLOT_SCAN_METHOD  MSCN
 
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 07/10] pc: Add memory hot unplug support for pc machine.

[Tang Chen]

From: Hu Tao 

Implement device unplug callback for PCMachine. And it now only support
pc-dimm hot-remove. The callback will call piix4 or ich9 callbacks introduced
in previous patches.

Signed-off-by: Hu Tao 
Signed-off-by: Tang Chen 
---
 hw/i386/pc.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 1205db8..2c26749 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -61,6 +61,8 @@
 #include "hw/mem/pc-dimm.h"
 #include "trace.h"
 #include "qapi/visitor.h"
+#include "hw/acpi/piix4.h"
+#include "hw/i386/ich9.h"
 
 /* debug PC/ISA interrupts */
 //#define DEBUG_IRQ
@@ -1637,6 +1639,26 @@ out:
 error_propagate(errp, local_err);
 }
 
+static void pc_dimm_unplug(HotplugHandler *hotplug_dev,
+   DeviceState *dev, Error **errp)
+{
+HotplugHandlerClass *hhc;
+Error *local_err = NULL;
+PCMachineState *pcms = PC_MACHINE(hotplug_dev);
+
+if (!pcms->acpi_dev) {
+error_setg(&local_err,
+   "memory hotplug is not enabled: missing acpi device");
+   goto out;
+}
+
+hhc = HOTPLUG_HANDLER_GET_CLASS(pcms->acpi_dev);
+hhc->unplug_request(HOTPLUG_HANDLER(pcms->acpi_dev), dev, &local_err);
+
+out:
+error_propagate(errp, local_err);
+}
+
 static void pc_machine_device_plug_cb(HotplugHandler *hotplug_dev,
   DeviceState *dev, Error **errp)
 {
@@ -1647,6 +1669,14 @@ static void pc_machine_device_plug_cb(HotplugHandler 
*hotplug_dev,
 }
 }
 
+static void pc_machine_device_unplug_cb(HotplugHandler *hotplug_dev,
+DeviceState *dev, Error **errp)
+{
+if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+pc_dimm_unplug(hotplug_dev, dev, errp);
+}
+}
+
 static HotplugHandler *pc_get_hotpug_handler(MachineState *machine,
  DeviceState *dev)
 {
@@ -1753,6 +1783,7 @@ static void pc_machine_class_init(ObjectClass *oc, void 
*data)
 pcmc->get_hotplug_handler = mc->get_hotplug_handler;
 mc->get_hotplug_handler = pc_get_hotpug_handler;
 hc->plug = pc_machine_device_plug_cb;
+hc->unplug = pc_machine_device_unplug_cb;
 }
 
 static const TypeInfo pc_machine_info = {
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 03/10] acpi, mem-hotplug: Add acpi_memory_hotplug_sci() to rise sci for memory hotplug.

[Tang Chen]

Add a new API named acpi_memory_hotplug_sci() to send memory hotplug SCI.
Doing this is because this procedure will be used by other functions in the
next coming patches.

Signed-off-by: Tang Chen 
---
 hw/acpi/memory_hotplug.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index ef56bf6..9839963 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -188,6 +188,12 @@ acpi_memory_get_slot_status_descriptor(MemHotplugState 
*mem_st,
 return &mem_st->devs[slot];
 }
 
+static void acpi_memory_hotplug_sci(ACPIREGS *ar, qemu_irq irq)
+{
+ar->gpe.sts[0] |= ACPI_MEMORY_HOTPLUG_STATUS;
+acpi_update_sci(ar, irq);
+}
+
 void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
  DeviceState *dev, Error **errp)
 {
@@ -201,10 +207,8 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 mdev->is_enabled = true;
 mdev->is_inserting = true;
 
-/* do ACPI magic */
-ar->gpe.sts[0] |= ACPI_MEMORY_HOTPLUG_STATUS;
-acpi_update_sci(ar, irq);
-return;
+/* Do ACPI magic */
+acpi_memory_hotplug_sci(ar, irq);
 }
 
 static const VMStateDescription vmstate_memhp_sts = {
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 06/10] acpi, ich9: Add memory hot unplug support for ich9.

[Tang Chen]

Implement ich9_pm_device_unplug_cb() to support memory hot-remove,
calling acpi_memory_unplug_cb(). And itself will be called in
ich9_device_unplug_cb().

Signed-off-by: Tang Chen 
---
 hw/acpi/ich9.c | 12 
 hw/isa/lpc_ich9.c  |  5 +++--
 include/hw/acpi/ich9.h |  2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/ich9.c b/hw/acpi/ich9.c
index ea991a3..68cc169 100644
--- a/hw/acpi/ich9.c
+++ b/hw/acpi/ich9.c
@@ -301,6 +301,18 @@ void ich9_pm_device_plug_cb(ICH9LPCPMRegs *pm, DeviceState 
*dev, Error **errp)
 }
 }
 
+void ich9_pm_device_unplug_cb(ICH9LPCPMRegs *pm, DeviceState *dev, Error 
**errp)
+{
+if (pm->acpi_memory_hotplug.is_enabled &&
+object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_cb(&pm->acpi_regs, pm->irq, 
&pm->acpi_memory_hotplug,
+  dev, errp);
+} else {
+error_setg(errp, "acpi: device unplug request for not supported device"
+   " type: %s", object_get_typename(OBJECT(dev)));
+}
+}
+
 void ich9_pm_ospm_status(AcpiDeviceIf *adev, ACPIOSTInfoList ***list)
 {
 ICH9LPCState *s = ICH9_LPC_DEVICE(adev);
diff --git a/hw/isa/lpc_ich9.c b/hw/isa/lpc_ich9.c
index 530b074..75f28d1 100644
--- a/hw/isa/lpc_ich9.c
+++ b/hw/isa/lpc_ich9.c
@@ -610,8 +610,9 @@ static void ich9_device_plug_cb(HotplugHandler *hotplug_dev,
 static void ich9_device_unplug_request_cb(HotplugHandler *hotplug_dev,
   DeviceState *dev, Error **errp)
 {
-error_setg(errp, "acpi: device unplug request for not supported device"
-   " type: %s", object_get_typename(OBJECT(dev)));
+ICH9LPCState *lpc = ICH9_LPC_DEVICE(hotplug_dev);
+
+ich9_pm_device_unplug_cb(&lpc->pm, dev, errp);
 }
 
 static bool ich9_rst_cnt_needed(void *opaque)
diff --git a/include/hw/acpi/ich9.h b/include/hw/acpi/ich9.h
index fe975e6..92f19de 100644
--- a/include/hw/acpi/ich9.h
+++ b/include/hw/acpi/ich9.h
@@ -59,6 +59,8 @@ extern const VMStateDescription vmstate_ich9_pm;
 void ich9_pm_add_properties(Object *obj, ICH9LPCPMRegs *pm, Error **errp);
 
 void ich9_pm_device_plug_cb(ICH9LPCPMRegs *pm, DeviceState *dev, Error **errp);
+void ich9_pm_device_unplug_cb(ICH9LPCPMRegs *pm, DeviceState *dev,
+  Error **errp);
 
 void ich9_pm_ospm_status(AcpiDeviceIf *adev, ACPIOSTInfoList ***list);
 #endif /* HW_ACPI_ICH9_H */
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 05/10] acpi, piix4: Add memory hot unplug support for piix4.

[Tang Chen]

From: Hu Tao 

Implement acpi_memory_unplug_cb(), sending an sci to guest to trigger
memory hot-remove, and call it in piix4_device_unplug_cb().

Signed-off-by: Hu Tao 
Signed-off-by: Tang Chen 
---
 hw/acpi/piix4.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 78c0a6d..92b29b7 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -360,7 +360,11 @@ static void piix4_device_unplug_request_cb(HotplugHandler 
*hotplug_dev,
 {
 PIIX4PMState *s = PIIX4_PM(hotplug_dev);
 
-if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) {
+if (s->acpi_memory_hotplug.is_enabled &&
+object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
+acpi_memory_unplug_cb(&s->ar, s->irq, &s->acpi_memory_hotplug, dev,
+  errp);
+} else if (object_dynamic_cast(OBJECT(dev), TYPE_PCI_DEVICE)) {
 acpi_pcihp_device_unplug_cb(&s->ar, s->irq, &s->acpi_pci_hotplug, dev,
 errp);
 } else {
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 04/10] acpi, mem-hotplug: Add acpi_memory_unplug_cb() to implement memory unplug.

[Tang Chen]

Add a new bool member named is_removing to MemStatus indicating that
the memory solt is being removed. Set it to true in acpi_memory_unplug_cb(),
and send SCI to guest.

Signed-off-by: Tang Chen 
---
 hw/acpi/memory_hotplug.c | 15 +++
 include/hw/acpi/memory_hotplug.h |  3 +++
 2 files changed, 18 insertions(+)

diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index 9839963..01dea6c 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -211,6 +211,21 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 acpi_memory_hotplug_sci(ar, irq);
 }
 
+void acpi_memory_unplug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp)
+{
+MemStatus *mdev;
+
+mdev = acpi_memory_get_slot_status_descriptor(mem_st, dev, errp);
+if (!mdev)
+return;
+
+mdev->is_removing = true;
+
+/* Do ACPI magic */
+acpi_memory_hotplug_sci(ar, irq);
+}
+
 static const VMStateDescription vmstate_memhp_sts = {
 .name = "memory hotplug device state",
 .version_id = 1,
diff --git a/include/hw/acpi/memory_hotplug.h b/include/hw/acpi/memory_hotplug.h
index 7bbf8a0..fe41268 100644
--- a/include/hw/acpi/memory_hotplug.h
+++ b/include/hw/acpi/memory_hotplug.h
@@ -11,6 +11,7 @@ typedef struct MemStatus {
 DeviceState *dimm;
 bool is_enabled;
 bool is_inserting;
+bool is_removing;
 uint32_t ost_event;
 uint32_t ost_status;
 } MemStatus;
@@ -28,6 +29,8 @@ void acpi_memory_hotplug_init(MemoryRegion *as, Object *owner,
 
 void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
  DeviceState *dev, Error **errp);
+void acpi_memory_unplug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp);
 
 extern const VMStateDescription vmstate_memory_hotplug;
 #define VMSTATE_MEMORY_HOTPLUG(memhp, state) \
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 01/10] acpi, mem-hotplug: Use PC_DIMM_SLOT_PROP in acpi_memory_plug_cb().

[Tang Chen]

Replace string "slot" in acpi_memory_plug_cb() with MACRO PC_DIMM_SLOT_PROP.

Signed-off-by: Tang Chen 
---
 hw/acpi/memory_hotplug.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index ed39241..c6580da 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -168,7 +168,8 @@ void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, 
MemHotplugState *mem_st,
 {
 MemStatus *mdev;
 Error *local_err = NULL;
-int slot = object_property_get_int(OBJECT(dev), "slot", &local_err);
+int slot = object_property_get_int(OBJECT(dev), PC_DIMM_SLOT_PROP,
+   &local_err);
 
 if (local_err) {
 error_propagate(errp, local_err);
-- 
1.8.4.2

[Qemu-devel] [RESEND PATCH v4 02/10] acpi, mem-hotplug: Add acpi_memory_get_slot_status_descriptor() to get MemStatus.

[Tang Chen]

Add a new API named acpi_memory_get_slot_status_descriptor() to obtain
a single memory slot status. Doing this is because this procedure will
be used by other functions in the next coming patches.

Signed-off-by: Tang Chen 
---
 hw/acpi/memory_hotplug.c | 27 +++
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/hw/acpi/memory_hotplug.c b/hw/acpi/memory_hotplug.c
index c6580da..ef56bf6 100644
--- a/hw/acpi/memory_hotplug.c
+++ b/hw/acpi/memory_hotplug.c
@@ -163,29 +163,40 @@ void acpi_memory_hotplug_init(MemoryRegion *as, Object 
*owner,
 memory_region_add_subregion(as, ACPI_MEMORY_HOTPLUG_BASE, &state->io);
 }
 
-void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
- DeviceState *dev, Error **errp)
+static MemStatus *
+acpi_memory_get_slot_status_descriptor(MemHotplugState *mem_st,
+   DeviceState *dev, Error **errp)
 {
-MemStatus *mdev;
 Error *local_err = NULL;
 int slot = object_property_get_int(OBJECT(dev), PC_DIMM_SLOT_PROP,
&local_err);
 
 if (local_err) {
 error_propagate(errp, local_err);
-return;
+return NULL;
 }
 
 if (slot >= mem_st->dev_count) {
 char *dev_path = object_get_canonical_path(OBJECT(dev));
-error_setg(errp, "acpi_memory_plug_cb: "
+error_setg(errp, "acpi_memory_get_slot_status_descriptor: "
"device [%s] returned invalid memory slot[%d]",
-dev_path, slot);
+   dev_path, slot);
 g_free(dev_path);
-return;
+return NULL;
 }
 
-mdev = &mem_st->devs[slot];
+return &mem_st->devs[slot];
+}
+
+void acpi_memory_plug_cb(ACPIREGS *ar, qemu_irq irq, MemHotplugState *mem_st,
+ DeviceState *dev, Error **errp)
+{
+MemStatus *mdev;
+
+mdev = acpi_memory_get_slot_status_descriptor(mem_st, dev, errp);
+if (!mdev)
+return;
+
 mdev->dimm = dev;
 mdev->is_enabled = true;
 mdev->is_inserting = true;
-- 
1.8.4.2

[Qemu-devel] [PATCH v3 3/3] qemu-iotests: Test blockdev-backup in 055

[Fam Zheng]

This applies cases on drive-backup on blockdev-backup, except cases with
target format and mode.

Also add a case to check source == target.

Signed-off-by: Fam Zheng 
---
 tests/qemu-iotests/055 | 211 +
 tests/qemu-iotests/055.out |   4 +-
 2 files changed, 176 insertions(+), 39 deletions(-)

diff --git a/tests/qemu-iotests/055 b/tests/qemu-iotests/055
index 451b67d..d04dad5 100755
--- a/tests/qemu-iotests/055
+++ b/tests/qemu-iotests/055
@@ -1,8 +1,8 @@
 #!/usr/bin/env python
 #
-# Tests for drive-backup
+# Tests for drive-backup and blockdev-backup
 #
-# Copyright (C) 2013 Red Hat, Inc.
+# Copyright (C) 2013, 2014 Red Hat, Inc.
 #
 # Based on 041.
 #
@@ -27,6 +27,7 @@ from iotests import qemu_img, qemu_io
 
 test_img = os.path.join(iotests.test_dir, 'test.img')
 target_img = os.path.join(iotests.test_dir, 'target.img')
+blockdev_target_img = os.path.join(iotests.test_dir, 'blockdev-target.img')
 
 class TestSingleDrive(iotests.QMPTestCase):
 image_len = 64 * 1024 * 1024 # MB
@@ -38,34 +39,41 @@ class TestSingleDrive(iotests.QMPTestCase):
 qemu_io('-c', 'write -P0xd5 1M 32k', test_img)
 qemu_io('-c', 'write -P0xdc 32M 124k', test_img)
 qemu_io('-c', 'write -P0xdc 67043328 64k', test_img)
+qemu_img('create', '-f', iotests.imgfmt, blockdev_target_img, 
str(TestSingleDrive.image_len))
 
-self.vm = iotests.VM().add_drive(test_img)
+self.vm = 
iotests.VM().add_drive(test_img).add_drive(blockdev_target_img)
 self.vm.launch()
 
 def tearDown(self):
 self.vm.shutdown()
 os.remove(test_img)
+os.remove(blockdev_target_img)
 try:
 os.remove(target_img)
 except OSError:
 pass
 
-def test_cancel(self):
+def do_test_cancel(self, cmd, target):
 self.assert_no_active_block_jobs()
 
-result = self.vm.qmp('drive-backup', device='drive0',
- target=target_img, sync='full')
+result = self.vm.qmp(cmd, device='drive0', target=target, sync='full')
 self.assert_qmp(result, 'return', {})
 
 event = self.cancel_and_wait()
 self.assert_qmp(event, 'data/type', 'backup')
 
-def test_pause(self):
+def test_cancel_drive_backup(self):
+self.do_test_cancel('drive-backup', target_img)
+
+def test_cancel_blockdev_backup(self):
+self.do_test_cancel('blockdev-backup', 'drive1')
+
+def do_test_pause(self, cmd, target, image):
 self.assert_no_active_block_jobs()
 
 self.vm.pause_drive('drive0')
-result = self.vm.qmp('drive-backup', device='drive0',
- target=target_img, sync='full')
+result = self.vm.qmp(cmd, device='drive0',
+ target=target, sync='full')
 self.assert_qmp(result, 'return', {})
 
 result = self.vm.qmp('block-job-pause', device='drive0')
@@ -86,14 +94,25 @@ class TestSingleDrive(iotests.QMPTestCase):
 self.wait_until_completed()
 
 self.vm.shutdown()
-self.assertTrue(iotests.compare_images(test_img, target_img),
+self.assertTrue(iotests.compare_images(test_img, image),
 'target image does not match source after backup')
 
+def test_pause_drive_backup(self):
+self.do_test_pause('drive-backup', target_img, target_img)
+
+def test_pause_blockdev_backup(self):
+self.do_test_pause('blockdev-backup', 'drive1', blockdev_target_img)
+
 def test_medium_not_found(self):
 result = self.vm.qmp('drive-backup', device='ide1-cd0',
  target=target_img, sync='full')
 self.assert_qmp(result, 'error/class', 'GenericError')
 
+def test_medium_not_found_blockdev_backup(self):
+result = self.vm.qmp('blockdev-backup', device='ide1-cd0',
+ target='drive1', sync='full')
+self.assert_qmp(result, 'error/class', 'GenericError')
+
 def test_image_not_found(self):
 result = self.vm.qmp('drive-backup', device='drive0',
  target=target_img, sync='full', mode='existing')
@@ -105,31 +124,53 @@ class TestSingleDrive(iotests.QMPTestCase):
  format='spaghetti-noodles')
 self.assert_qmp(result, 'error/class', 'GenericError')
 
-def test_device_not_found(self):
-result = self.vm.qmp('drive-backup', device='nonexistent',
- target=target_img, sync='full')
+def do_test_device_not_found(self, cmd, **args):
+result = self.vm.qmp(cmd, **args)
 self.assert_qmp(result, 'error/class', 'DeviceNotFound')
 
+def test_device_not_found(self):
+self.do_test_device_not_found('drive-backup', device='nonexistent',
+  target=target_img, sync='full')
+
+self.do_test_device_not_found('blockdev-backup', device='nonexistent',
+  

[Qemu-devel] [PATCH v3 2/3] block: Add blockdev-backup to transaction

[Fam Zheng]

BTW add version info for other transaction types.

Signed-off-by: Fam Zheng 
---
 blockdev.c   | 48 
 qapi-schema.json |  7 +++
 2 files changed, 55 insertions(+)

diff --git a/blockdev.c b/blockdev.c
index 2e5068c..6401850 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -1495,6 +1495,49 @@ static void drive_backup_abort(BlkTransactionState 
*common)
 }
 }
 
+typedef struct BlockdevBackupState {
+BlkTransactionState common;
+BlockDriverState *bs;
+BlockJob *job;
+} BlockdevBackupState;
+
+static void blockdev_backup_prepare(BlkTransactionState *common, Error **errp)
+{
+BlockdevBackupState *state = DO_UPCAST(BlockdevBackupState, common, 
common);
+BlockdevBackup *backup;
+Error *local_err = NULL;
+
+assert(common->action->kind == TRANSACTION_ACTION_KIND_BLOCKDEV_BACKUP);
+backup = common->action->blockdev_backup;
+
+qmp_blockdev_backup(backup->device, backup->target,
+backup->sync,
+backup->has_speed, backup->speed,
+backup->has_on_source_error, backup->on_source_error,
+backup->has_on_target_error, backup->on_target_error,
+&local_err);
+if (local_err) {
+error_propagate(errp, local_err);
+state->bs = NULL;
+state->job = NULL;
+return;
+}
+
+state->bs = bdrv_find(backup->device);
+state->job = state->bs->job;
+}
+
+static void blockdev_backup_abort(BlkTransactionState *common)
+{
+BlockdevBackupState *state = DO_UPCAST(BlockdevBackupState, common, 
common);
+BlockDriverState *bs = state->bs;
+
+/* Only cancel if it's the job we started */
+if (bs && bs->job && bs->job == state->job) {
+block_job_cancel_sync(bs->job);
+}
+}
+
 static void abort_prepare(BlkTransactionState *common, Error **errp)
 {
 error_setg(errp, "Transaction aborted using Abort action");
@@ -1517,6 +1560,11 @@ static const BdrvActionOps actions[] = {
 .prepare = drive_backup_prepare,
 .abort = drive_backup_abort,
 },
+[TRANSACTION_ACTION_KIND_BLOCKDEV_BACKUP] = {
+.instance_size = sizeof(BlockdevBackupState),
+.prepare = blockdev_backup_prepare,
+.abort = blockdev_backup_abort,
+},
 [TRANSACTION_ACTION_KIND_ABORT] = {
 .instance_size = sizeof(BlkTransactionState),
 .prepare = abort_prepare,
diff --git a/qapi-schema.json b/qapi-schema.json
index 24379ab..5fc6892 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -1254,11 +1254,18 @@
 #
 # A discriminated record of operations that can be performed with
 # @transaction.
+#
+# Since 1.1
+# drive-backup since 1.6
+# abort since 1.6
+# blockdev-snapshot-internal-sync since 1.7
+# blockdev-backup since 2.3
 ##
 { 'union': 'TransactionAction',
   'data': {
'blockdev-snapshot-sync': 'BlockdevSnapshot',
'drive-backup': 'DriveBackup',
+   'blockdev-backup': 'BlockdevBackup',
'abort': 'Abort',
'blockdev-snapshot-internal-sync': 'BlockdevSnapshotInternal'
} }
-- 
1.9.3

[Qemu-devel] [PATCH v3 1/3] qmp: Add command 'blockdev-backup'

[Fam Zheng]

Similar to drive-backup, but this command uses a device id as target
instead of creating/opening an image file.

Also add blocker on target bs, since the target is also a named device
now.

Add check and report error for bs == target which became possible but is
an illegal case with introduction of blockdev-backup.

Signed-off-by: Fam Zheng 
---
 block/backup.c   | 28 +++
 blockdev.c   | 47 +
 qapi/block-core.json | 54 
 qmp-commands.hx  | 44 ++
 4 files changed, 173 insertions(+)

diff --git a/block/backup.c b/block/backup.c
index 792e655..b944dd4 100644
--- a/block/backup.c
+++ b/block/backup.c
@@ -360,6 +360,7 @@ static void coroutine_fn backup_run(void *opaque)
 hbitmap_free(job->bitmap);
 
 bdrv_iostatus_disable(target);
+bdrv_op_unblock_all(target, job->common.blocker);
 
 data = g_malloc(sizeof(*data));
 data->ret = ret;
@@ -379,6 +380,11 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 assert(target);
 assert(cb);
 
+if (bs == target) {
+error_setg(errp, "Source and target cannot be the same");
+return;
+}
+
 if ((on_source_error == BLOCKDEV_ON_ERROR_STOP ||
  on_source_error == BLOCKDEV_ON_ERROR_ENOSPC) &&
 !bdrv_iostatus_is_enabled(bs)) {
@@ -386,6 +392,26 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 return;
 }
 
+if (!bdrv_is_inserted(bs)) {
+error_setg(errp, "Devie is not inserted: %s",
+   bdrv_get_device_name(bs));
+return;
+}
+
+if (!bdrv_is_inserted(target)) {
+error_setg(errp, "Devie is not inserted: %s",
+   bdrv_get_device_name(target));
+return;
+}
+
+if (bdrv_op_is_blocked(bs, BLOCK_OP_TYPE_BACKUP_SOURCE, errp)) {
+return;
+}
+
+if (bdrv_op_is_blocked(target, BLOCK_OP_TYPE_BACKUP_TARGET, errp)) {
+return;
+}
+
 len = bdrv_getlength(bs);
 if (len < 0) {
 error_setg_errno(errp, -len, "unable to get length for '%s'",
@@ -399,6 +425,8 @@ void backup_start(BlockDriverState *bs, BlockDriverState 
*target,
 return;
 }
 
+bdrv_op_block_all(target, job->common.blocker);
+
 job->on_source_error = on_source_error;
 job->on_target_error = on_target_error;
 job->target = target;
diff --git a/blockdev.c b/blockdev.c
index 57910b8..2e5068c 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -2156,6 +2156,8 @@ void qmp_drive_backup(const char *device, const char 
*target,
 aio_context = bdrv_get_aio_context(bs);
 aio_context_acquire(aio_context);
 
+/* Although backup_run has this check too, we need to use bs->drv below, so
+ * do an early check redundantly. */
 if (!bdrv_is_inserted(bs)) {
 error_set(errp, QERR_DEVICE_HAS_NO_MEDIUM, device);
 goto out;
@@ -2172,6 +2174,7 @@ void qmp_drive_backup(const char *device, const char 
*target,
 }
 }
 
+/* Early check to avoid creating target */
 if (bdrv_op_is_blocked(bs, BLOCK_OP_TYPE_BACKUP_SOURCE, errp)) {
 goto out;
 }
@@ -2239,6 +2242,50 @@ BlockDeviceInfoList *qmp_query_named_block_nodes(Error 
**errp)
 return bdrv_named_nodes_list();
 }
 
+void qmp_blockdev_backup(const char *device, const char *target,
+ enum MirrorSyncMode sync,
+ bool has_speed, int64_t speed,
+ bool has_on_source_error,
+ BlockdevOnError on_source_error,
+ bool has_on_target_error,
+ BlockdevOnError on_target_error,
+ Error **errp)
+{
+BlockDriverState *bs;
+BlockDriverState *target_bs;
+Error *local_err = NULL;
+
+if (!has_speed) {
+speed = 0;
+}
+if (!has_on_source_error) {
+on_source_error = BLOCKDEV_ON_ERROR_REPORT;
+}
+if (!has_on_target_error) {
+on_target_error = BLOCKDEV_ON_ERROR_REPORT;
+}
+
+bs = bdrv_find(device);
+if (!bs) {
+error_set(errp, QERR_DEVICE_NOT_FOUND, device);
+return;
+}
+
+target_bs = bdrv_find(target);
+if (!target_bs) {
+error_set(errp, QERR_DEVICE_NOT_FOUND, target);
+return;
+}
+
+bdrv_ref(target_bs);
+backup_start(bs, target_bs, speed, sync, on_source_error, on_target_error,
+ block_job_cb, bs, &local_err);
+if (local_err != NULL) {
+bdrv_unref(target_bs);
+error_propagate(errp, local_err);
+}
+}
+
 #define DEFAULT_MIRROR_BUF_SIZE   (10 << 20)
 
 void qmp_drive_mirror(const char *device, const char *target,
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 77a0cfb..bc02bd7 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -676,6 +676,41 @@
 '*on-target-error': 'Blockd

[Qemu-devel] [PATCH v3 0/3] qmp: Add "blockdev-backup"

[Fam Zheng]

v3: Address Eric's comments on documentation.
Squashed 3/4 into 2/4.

v2: Address Markus' and Eric's comments:
Fix qapi schema documentation.
Fix versioning of transactions.
Improve test case code by dropping inelegnet bool.

The existing drive-backup command accepts a target file path, but that
interface provides little flexibility on the properties of target block device,
compared to what is possible with "blockdev-add", "drive_add" or "-drive".

This is also a building block to allow image fleecing (creating a point in time
snapshot and export with nbd-server-add).

(For symmetry, blockdev-mirror will be added in a separate series.)

Fam

Fam Zheng (3):
  qmp: Add command 'blockdev-backup'
  block: Add blockdev-backup to transaction
  qemu-iotests: Test blockdev-backup in 055

 block/backup.c |  28 ++
 blockdev.c |  95 
 qapi-schema.json   |   7 ++
 qapi/block-core.json   |  54 
 qmp-commands.hx|  44 ++
 tests/qemu-iotests/055 | 211 +
 tests/qemu-iotests/055.out |   4 +-
 7 files changed, 404 insertions(+), 39 deletions(-)

-- 
1.9.3

Re: [Qemu-devel] [PATCH 6/6] parallels: change copyright information in the image header

[Jeff Cody]

On Wed, Oct 29, 2014 at 04:38:11PM +0300, Denis V. Lunev wrote:
> Signed-off-by: Denis V. Lunev 
> Acked-by: Roman Kagan 
> CC: Jeff Cody 
> CC: Kevin Wolf 
> CC: Stefan Hajnoczi 
> ---
>  block/parallels.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/block/parallels.c b/block/parallels.c
> index d07e4f7..1491211 100644
> --- a/block/parallels.c
> +++ b/block/parallels.c
> @@ -2,8 +2,10 @@
>   * Block driver for Parallels disk image format
>   *
>   * Copyright (c) 2007 Alex Beregszaszi
> + * Copyright (c) 2014 Denis V. Lunev 
>   *
> - * This code is based on comparing different disk images created by 
> Parallels.
> + * This code was originally based on comparing different disk images created
> + * by Parallels.
>   *
>   * Permission is hereby granted, free of charge, to any person obtaining a 
> copy
>   * of this software and associated documentation files (the "Software"), to 
> deal
> -- 
> 1.9.1
>

Reviewed-by: Jeff Cody 

Re: [Qemu-devel] [PATCH 5/6] iotests: padded parallels image test

[Jeff Cody]

On Wed, Oct 29, 2014 at 04:38:10PM +0300, Denis V. Lunev wrote:
> Unfortunately, old guest OSes do not align partitions to page size by
> default. This is true for Windows 2003 and Windows XP.
> 
> "Padding" is a value which should be added to guest LBA to obtain
> sector number inside the image. This results in a shifted images.
>0123offset inside image (in 512 byte sectors)
>   +---
>   +.012guest data (512 byte sectors)
>   +---
> The information about this is available in DiskDescriptor.xml ONLY. There
> is no such data in the image header.
> 
> This patch contains very simple image with padding and corresponding
> XML disk descriptor created in authentic way.
> 
> Signed-off-by: Denis V. Lunev 
> Acked-by: Roman Kagan 
> CC: Jeff Cody 
> CC: Kevin Wolf 
> CC: Stefan Hajnoczi 
> ---
>  tests/qemu-iotests/076|   6 ++
>  tests/qemu-iotests/076.out|   4 
>  tests/qemu-iotests/sample_images/parallels-padded.xml.bz2 | Bin 0 -> 377 
> bytes
>  tests/qemu-iotests/sample_images/parallels-v2-padded.bz2  | Bin 0 -> 139 
> bytes
>  4 files changed, 10 insertions(+)
>  create mode 100644 tests/qemu-iotests/sample_images/parallels-padded.xml.bz2
>  create mode 100644 tests/qemu-iotests/sample_images/parallels-v2-padded.bz2
> 
> diff --git a/tests/qemu-iotests/076 b/tests/qemu-iotests/076
> index 242d0c3..c83b953 100755
> --- a/tests/qemu-iotests/076
> +++ b/tests/qemu-iotests/076
> @@ -81,6 +81,12 @@ _use_sample_img parallels-v2.bz2
>  _use_sample_img parallels-simple.xml.bz2
>  { $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir
>  
> +echo
> +echo "== Read from a valid v2 image opened through xml with padding =="
> +_use_sample_img parallels-v2-padded.bz2
> +_use_sample_img parallels-padded.xml.bz2
> +{ $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir
> +

Same comment as before on $TEST_IMG needing quoting, and as before,
can wait until we clean up the other instances in this same file.


Reviewed-by: Jeff Cody 


>  # success, all done
>  echo "*** done"
>  rm -f $seq.full
> diff --git a/tests/qemu-iotests/076.out b/tests/qemu-iotests/076.out
> index 628d9bf..46680d8 100644
> --- a/tests/qemu-iotests/076.out
> +++ b/tests/qemu-iotests/076.out
> @@ -23,4 +23,8 @@ read 65536/65536 bytes at offset 0
>  == Read from a valid v2 image opened through xml ==
>  read 65536/65536 bytes at offset 0
>  64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
> +
> +== Read from a valid v2 image opened through xml with padding ==
> +read 65536/65536 bytes at offset 0
> +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
>  *** done
> diff --git a/tests/qemu-iotests/sample_images/parallels-padded.xml.bz2 
> b/tests/qemu-iotests/sample_images/parallels-padded.xml.bz2
> new file mode 100644
> index 
> ..90e481b88e1f4d65256d0511a8509114c6358052
> GIT binary patch
> literal 377
> zcmV-<0fzoUT4*^jL0KkKS+JP`&Hw z0kr@C000`P{z){AUpa9SS5-9{U$c>4nhyVtdfq>MRN`P%Vs7e5mydg1cvP<`s
> zYo%7Ss&>_C5i%-bDqP)#HmEBiP+TU)8WyoiurHMw!l_ZF1>8_3m3N^^QwEd8=8hkN
> zLO3;VtVoT0C3B518KN#oIV4@)7DfOSbkchYBQVO$9`K;#(G?m(FfikRxR&q(!eB`z
> zPfQaAWzYbTAj%3PZH#S=y0Cm|7Ih97TD6vNg%Klm)F8;i7;OxS)eka
> zB8A?w-Lb zUDR|Oi30I4$}VPcTnCQ(CKJjW0g+;mFwDaQlohzp(E|mg47s2j;G&NR^b?hm3@s%x
> XY}H|5IAssg=l(9_ig2MJVKN1r8+(|=
> 
> literal 0
> HcmV?d1
> 
> diff --git a/tests/qemu-iotests/sample_images/parallels-v2-padded.bz2 
> b/tests/qemu-iotests/sample_images/parallels-v2-padded.bz2
> new file mode 100644
> index 
> ..80948ce689e2c5c2335d6e6b36965fe0b2305613
> GIT binary patch
> literal 139
> zcmV;60CfLCT4*^jL0KkKSt&WeumB1p|H%DFU;t162mk{B2!JYJ)<8f2AOHXuAOMPl
> zQl^8-X^;SIHmDUv6HN?Ehp1#2<6B`Us=32n6t4O~g)zWI0C`4`x5NN3Kna)uT+{)Q
> t08GFDLI4D2paA;UwRX=_?uTcBnnP&Yyj78F)siB
> 
> literal 0
> HcmV?d1
> 
> -- 
> 1.9.1
> 

Re: [Qemu-devel] [PATCH 4/6] block/parallels: support padded Parallels images

[Jeff Cody]

On Wed, Oct 29, 2014 at 04:38:09PM +0300, Denis V. Lunev wrote:
> Unfortunately, old guest OSes do not align partitions to page size by
> default. This is true for Windows 2003 and Windows XP.
> 
> For the time being Parallels was created an optimization for such OSes
> in its desktop product. Desktop users are not qualified enough to create
> properly aligned installations. Thus Parallels makes a blind guess
> on a customer behalf and creates so-called "padded" images if guest
> OS type is specified as WinXP, Win2k and Win2k3.
> 
> "Padding" is a value which should be added to guest LBA to obtain
> sector number inside the image. This results in a shifted images.
>0123offset inside image (in 512 byte sectors)
>   +---
>   +.012guest data (512 byte sectors)
>   +---
> The information about this is available in DiskDescriptor.xml ONLY. There
> is no such data in the image header.
> 
> There share of such images could be evaluated as 6-8% according to the
> statistics in my hands.
> 
> This patch obtains proper value from XML and applies it on reading.
> 
> Signed-off-by: Denis V. Lunev 
> Acked-by: Roman Kagan 
> CC: Jeff Cody 
> CC: Kevin Wolf 
> CC: Stefan Hajnoczi 
> ---
>  block/parallels.c | 19 +++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/block/parallels.c b/block/parallels.c
> index 201c0f1..d07e4f7 100644
> --- a/block/parallels.c
> +++ b/block/parallels.c
> @@ -66,6 +66,7 @@ typedef struct BDRVParallelsState {
>  unsigned int tracks;
>  
>  unsigned int off_multiplier;
> +unsigned int padding;
>  } BDRVParallelsState;
>  
>  static int parallels_open_image(BlockDriverState *bs, Error **errp);
> @@ -144,6 +145,7 @@ static int parallels_open_xml(BlockDriverState *bs, int 
> flags, Error **errp)
>  const char *data;
>  char image_path[PATH_MAX];
>  Error *local_err = NULL;
> +BDRVParallelsState *s = bs->opaque;
>  
>  ret = size = bdrv_getlength(bs->file);
>  if (ret < 0) {
> @@ -173,6 +175,19 @@ static int parallels_open_xml(BlockDriverState *bs, int 
> flags, Error **errp)
>  if (root == NULL) {
>  goto fail;
>  }
> +
> +data = xml_get_text(root, "/Disk_Parameters/Padding");
> +if (data != NULL) {
> +char *endptr;
> +unsigned long pad;
> +
> +pad = strtoul(data, &endptr, 0);
> +if ((endptr != NULL && *endptr != '\0') || pad > UINT_MAX) {
> +goto fail;
> +}
> +s->padding = (uint32_t)pad;
> +}
> +
>  image = xml_seek(root, "/StorageData/Storage/Image");
>  data = ""; /* make gcc happy */
>  for (size = 0; image != NULL; image = image->next) {
> @@ -385,6 +400,10 @@ static int64_t seek_to_sector(BlockDriverState *bs, 
> int64_t sector_num)
>  static int parallels_read(BlockDriverState *bs, int64_t sector_num,
>  uint8_t *buf, int nb_sectors)
>  {
> +BDRVParallelsState *s = bs->opaque;
> +
> +sector_num += s->padding;
> +
>  while (nb_sectors > 0) {
>  int64_t position = seek_to_sector(bs, sector_num);
>  if (position >= 0) {
> -- 
> 1.9.1
> 

Reviewed-by: Jeff Cody 

Re: [Qemu-devel] [PATCH 3/6] iotests: simple parallels XML disk descriptor file test added

[Jeff Cody]

On Wed, Oct 29, 2014 at 04:38:08PM +0300, Denis V. Lunev wrote:
> Signed-off-by: Denis V. Lunev 
> Acked-by: Roman Kagan 
> CC: Jeff Cody 
> CC: Kevin Wolf 
> CC: Stefan Hajnoczi 
> ---
>  tests/qemu-iotests/076|   6 ++
>  tests/qemu-iotests/076.out|   4 
>  tests/qemu-iotests/sample_images/parallels-simple.xml.bz2 | Bin 0 -> 374 
> bytes
>  3 files changed, 10 insertions(+)
>  create mode 100644 tests/qemu-iotests/sample_images/parallels-simple.xml.bz2
> 
> diff --git a/tests/qemu-iotests/076 b/tests/qemu-iotests/076
> index ed2be35..242d0c3 100755
> --- a/tests/qemu-iotests/076
> +++ b/tests/qemu-iotests/076
> @@ -75,6 +75,12 @@ echo "== Read from a valid v2 image =="
>  _use_sample_img parallels-v2.bz2
>  { $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir
>  
> +echo
> +echo "== Read from a valid v2 image opened through xml =="
> +_use_sample_img parallels-v2.bz2
> +_use_sample_img parallels-simple.xml.bz2
> +{ $QEMU_IO -c "read -P 0x11 0 64k" $TEST_IMG; } 2>&1 | _filter_qemu_io | 
> _filter_testdir
> +

$TEST_IMG should be quoted, to be path-safe ("$TEST_IMG") - although,
looks like 076 has some other instances of unquoted $TEST_IMG, as
well (not your fault).  I don't care if you fix it here or not, we can
fix them all up in a later patch.

>  # success, all done
>  echo "*** done"
>  rm -f $seq.full
> diff --git a/tests/qemu-iotests/076.out b/tests/qemu-iotests/076.out
> index 32ade08..628d9bf 100644
> --- a/tests/qemu-iotests/076.out
> +++ b/tests/qemu-iotests/076.out
> @@ -19,4 +19,8 @@ no file open, try 'help open'
>  == Read from a valid v2 image ==
>  read 65536/65536 bytes at offset 0
>  64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
> +
> +== Read from a valid v2 image opened through xml ==
> +read 65536/65536 bytes at offset 0
> +64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
>  *** done
> diff --git a/tests/qemu-iotests/sample_images/parallels-simple.xml.bz2 
> b/tests/qemu-iotests/sample_images/parallels-simple.xml.bz2
> new file mode 100644
> index 
> ..13760bc9f30246ba01f43cdca3d3d90780430f61
> GIT binary patch
> literal 374
> zcmV-+0g3)XT4*^jL0KkKSx`RPoB#ls-+)w5Py_$xpWsdazwh08Faddp1^@s613&-(
> z00UFVg-_KD8fY4NVup`X5ukcZBTOVwCXAT_OhRY?0}wJ9sXCPa+IAr*0!sLV#k$+r
> zFRIp6TJ>A%(u7Qkn2MJtX_(TWtce9REA{g&qLoa&l#2??q)aKM7Qx|d6glC9JSZw~
> z-{Dy+9yLxWKg_2Xm02klNIFQqySl|-EJ?WkLWzOBm`Xui7_);kgut`D zCYzWh49n~Qks#g*ByEgsjlH07DHv)~9ZRui7r}`9{%wsd23x|ItiZh!U&QMH5t zN>^IdcIOOiAVM)WoC{=C8L4k%Ybsug63k@+f`frkh@_Ij10W;xr->@K!oLkGw3Lv$
> zS&-sh3*_e*@-+(JnDfSD#7GS;nh3VYlxtRDgM UX+T&T%b)nWk}1N3f`Rtj;5{a#bN~PV
> 
> literal 0
> HcmV?d1
> 
> -- 
> 1.9.1
>

Reviewed-by: Jeff Cody 

Re: [Qemu-devel] [PATCH 2/6] block/parallels: allow to specify DiskDescriptor.xml instead of image file

[Jeff Cody]

On Wed, Oct 29, 2014 at 04:38:07PM +0300, Denis V. Lunev wrote:
> Typically Parallels disk bundle consists of several images which are
> glued by XML disk descriptor. Also XML hides inside several important
> parameters which are not available in the image header.
> 
> This patch allows to specify this XML file as a filename for an image
> to open. It is allowed only to open Compressed images with the only
> snapshot inside. No additional options are parsed at the moment.
> 
> The code itself is dumb enough for a while. If XML file is specified,
> the file is parsed and the image is reopened as bs->file to keep the
> rest of the driver untouched. This would be changed later with more
> features added.
> 
> Signed-off-by: Denis V. Lunev 
> Acked-by: Roman Kagan 
> CC: Jeff Cody 
> CC: Kevin Wolf 
> CC: Stefan Hajnoczi 
> ---
>  block/parallels.c | 231 
> --
>  1 file changed, 226 insertions(+), 5 deletions(-)
> 
> diff --git a/block/parallels.c b/block/parallels.c
> index 4f9cd8d..201c0f1 100644
> --- a/block/parallels.c
> +++ b/block/parallels.c
> @@ -27,6 +27,11 @@
>  #include "block/block_int.h"
>  #include "qemu/module.h"
>  
> +#if CONFIG_LIBXML2
> +#include 
> +#include 
> +#endif
> +
>  /**/
>  
>  #define HEADER_MAGIC "WithoutFreeSpace"
> @@ -34,6 +39,10 @@
>  #define HEADER_VERSION 2
>  #define HEADER_SIZE 64
>  
> +#define PARALLELS_XML   100
> +#define PARALLELS_IMAGE 101
> +
> +
>  // always little-endian
>  struct parallels_header {
>  char magic[16]; // "WithoutFreeSpace"
> @@ -59,6 +68,194 @@ typedef struct BDRVParallelsState {
>  unsigned int off_multiplier;
>  } BDRVParallelsState;
>  
> +static int parallels_open_image(BlockDriverState *bs, Error **errp);

You shouldn't need this forward declaration, if you put your new
function parallels_open_xml() after parallels_open_image().

> +
> +#if CONFIG_LIBXML2
> +static xmlNodePtr xml_find(xmlNode *node, const char *elem)
> +{
> +xmlNode *child;
> +
> +for (child = node->xmlChildrenNode; child != NULL; child = child->next) {
> +if (!xmlStrcmp(child->name, (const xmlChar *)elem) &&
> +child->type == XML_ELEMENT_NODE) {
> +return child;
> +}
> +}
> +return NULL;
> +}
> +
> +static xmlNodePtr xml_seek(xmlNode *root, const char *elem)
> +{
> +xmlNode *child = root;
> +const char *path;
> +char nodename[128];
> +int last = 0;
> +
> +path = elem;
> +if (path[0] == '/') {
> +path++;
> +}
> +if (path[0] == 0) {
> +return NULL;
> +}
> +while (!last) {
> +const char *p = strchr(path, '/');
> +int length;
> +if (p == NULL) {
> +length = strlen(path);
> +last = 1;
> +} else {
> +length = p - path;
> +}
> +memcpy(nodename, path, length);
> +nodename[length] = 0;

It looks like "elem" is always controlled by us, and not passed by the
user - will this always be the case?

If not, this doesn't seem safe, with nodename being a local array of
128 bytes.  How about using g_strdup() or g_strndup() here?

> +child = xml_find(child, nodename);
> +if (child == NULL) {
> +return NULL;
> +}
> +path = ++p;
> +}
> +return child;
> +}
> +
> +static const char *xml_get_text(xmlNode *node, const char *name)
> +{
> +xmlNode *child;
> +
> +node = xml_seek(node, name);
> +if (node == NULL) {
> +return NULL;
> +}
> +
> +for (child = node->xmlChildrenNode; child; child = child->next) {
> +if (child->type == XML_TEXT_NODE) {
> +return (const char *)child->content;
> +}
> +}
> +return NULL;
> +}
> +
> +static int parallels_open_xml(BlockDriverState *bs, int flags, Error **errp)
> +{
> +int size, ret;
> +xmlDoc *doc = NULL;
> +xmlNode *root, *image;
> +char *xml = NULL;
> +const char *data;
> +char image_path[PATH_MAX];
> +Error *local_err = NULL;
> +
> +ret = size = bdrv_getlength(bs->file);
> +if (ret < 0) {
> +goto fail;
> +}
> +/* XML file size should be resonable */

s/resonable/reasonable

> +ret = -EFBIG;
> +if (size > 65536) {
> +goto fail;
> +}
> +
> +xml = g_malloc(size + 1);
> +
> +ret = bdrv_pread(bs->file, 0, xml, size);
> +if (ret != size) {
> +goto fail;
> +}
> +xml[size] = 0;
> +
> +ret = -EINVAL;
> +doc = xmlReadMemory(xml, size, NULL, NULL,
> +XML_PARSE_NOERROR | XML_PARSE_NOWARNING);
> +if (doc == NULL) {
> +goto fail;
> +}
> +root = xmlDocGetRootElement(doc);
> +if (root == NULL) {
> +goto fail;
> +}
> +image = xml_seek(root, "/StorageData/Storage/Image");
> +data = ""; /* make gcc happy */

What gcc warning are you trying to suppress here?

> + 

Re: [Qemu-devel] [PATCH v2] qdev: modify func qdev_build_hotpluggable_device_list

[Fam Zheng]

On Wed, 11/05 08:53, jun muzi wrote:
> Yes, in my original thought i just want to do as you said. But it will have
> two "return 0" in one function. So i think it's not so smart. If you still
> think two "return 0" is better, i will submit a new version. Thanks.
> 
> BTW, for subject, i agree with you.

Please use inline reply for mailing list discussions.

Fam

> 
> Jun Li
> 2014-11-5 上午2:39于 "Andreas Färber" 写道：
> 
> > Hi,
> >
> > Am 04.11.2014 um 07:55 schrieb Jun Li:
> > > Currently when *obj is not a TYPE_DEVICE, qemu will abort. This patch
> > just
> > > fixed it. When *obj is not a TYPE_DEVICE, just do not add it to
> > hotpluggable
> > > device list.
> > >
> > > This patch also fixed the following issue:
> > > 1, boot qemu using cli:
> > > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > > -device virtio-scsi-pci,id=scsi0
> > >
> > > 2, device_del scsi0 via hmp using tab key(first input device_del, then
> > press
> > > "Tab" key).
> > > (qemu) device_del
> > >
> > > After step2, qemu will abort.
> > > (qemu) device_del hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
> > > Object 0x563a2460 is not an instance of type device
> > >
> > > Signed-off-by: Jun Li 
> > > Reviewed-by: Paolo Bonzini 
> > > ---
> > > v2:
> > >   This version just do a little changes for the commit message.
> > > As following show:
> > > In v1,
> > > 1, boot qemu using cli:
> > > virtio-scsi-pci,id=scsi0 -enable-kvm
> > >
> > > In v2,
> > > 1, boot qemu using cli:
> > > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > > -device virtio-scsi-pci,id=scsi0
> > > ---
> > >  hw/core/qdev.c | 13 +
> > >  1 file changed, 9 insertions(+), 4 deletions(-)
> >
> > Thanks, I've queued this patch, but we should give it a more meaningful
> > subject - maybe "qdev: Avoid type assertion in qdev_build_...()"?
> >
> > Also, we could avoid reindentation by returning early:
> > if (dev == NULL) {
> > return 0;
> > }
> >
> > What do you think?
> >
> > Regards,
> > Andreas
> >
> > --
> > SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
> > GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 21284 AG Nürnberg
> >

[Qemu-devel] [PATCH RESEND] vhost-user-test: Fix 'make check' broken on glib < 2.26

[arei.gonglei]

From: Gonglei 

After commit 89b516d8, some logics is turbid and
breaks 'make check' as below errors:
tests/vhost-user-test.c: In function '_cond_wait_until':
tests/vhost-user-test.c:154: error: 'G_TIME_SPAN_SECOND' undeclared (first use 
in this function)
tests/vhost-user-test.c:154: error: (Each undeclared identifier is reported 
only once
tests/vhost-user-test.c:154: error: for each function it appears in.)
tests/vhost-user-test.c: In function 'read_guest_mem':
tests/vhost-user-test.c:192: warning: implicit declaration of function 
'g_get_monotonic_time'
tests/vhost-user-test.c:192: warning: nested extern declaration of 
'g_get_monotonic_time'
tests/vhost-user-test.c:192: error: 'G_TIME_SPAN_SECOND' undeclared (first use 
in this function)
make: *** [tests/vhost-user-test.o] Error 1

First, vhost-usr-test.c rely on glib-compat.h because
of using G_TIME_SPAN_SECOND [glib < 2.26] and g_get_monotonic_time(),
but vhost-usr-test.c defined QEMU_GLIB_COMPAT_H, which make
glib-compat.h will not be included.
Second, if we remove QEMU_GLIB_COMPAT_H definability in
vhost-usr-test.c, then we will get below warnings:

tests/vhost-user-test.c: In function 'read_guest_mem':
tests/vhost-user-test.c:190: warning: passing argument 1 of 'g_mutex_lock' from 
incompatible pointer type
tests/vhost-user-test.c:234: warning: passing argument 1 of 'g_mutex_unlock' 
from incompatible pointer type

That's because glib-compat.h redefine the g_mutex_lock/unlock
function. Those functions' arguments is CompatGMutex/CompatGCond,
but vhost-user-test.c is using GMutex/GCond, which cause the type
is not consistent.

We can rerealize those functions of vhost-user-test.c,
which need a lots of patches. Let's simply address it, and
leave this file alone.

Signed-off-by: Gonglei 
---
 tests/vhost-user-test.c | 23 ++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index fdf91e7..75fedf0 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -21,6 +21,15 @@
 #include 
 #include 
 
+/* GLIB version compatibility flags */
+#if !GLIB_CHECK_VERSION(2, 26, 0)
+#define G_TIME_SPAN_SECOND  (G_GINT64_CONSTANT(100))
+#endif
+
+#if GLIB_CHECK_VERSION(2, 28, 0)
+#define HAVE_MONOTONIC_TIME
+#endif
+
 #if GLIB_CHECK_VERSION(2, 32, 0)
 #define HAVE_MUTEX_INIT
 #define HAVE_COND_INIT
@@ -107,6 +116,18 @@ static VhostUserMemory memory;
 static GMutex *data_mutex;
 static GCond *data_cond;
 
+static gint64 _get_time(void)
+{
+#ifdef HAVE_MONOTONIC_TIME
+return g_get_monotonic_time();
+#else
+GTimeVal time;
+g_get_current_time(&time);
+
+return time.tv_sec * G_TIME_SPAN_SECOND + time.tv_usec;
+#endif
+}
+
 static GMutex *_mutex_new(void)
 {
 GMutex *mutex;
@@ -189,7 +210,7 @@ static void read_guest_mem(void)
 
 g_mutex_lock(data_mutex);
 
-end_time = g_get_monotonic_time() + 5 * G_TIME_SPAN_SECOND;
+end_time = _get_time() + 5 * G_TIME_SPAN_SECOND;
 while (!fds_num) {
 if (!_cond_wait_until(data_cond, data_mutex, end_time)) {
 /* timeout has passed */
-- 
1.7.12.4

Re: [Qemu-devel] [PATCH v2] qdev: modify func qdev_build_hotpluggable_device_list

[jun muzi]

Yes, in my original thought i just want to do as you said. But it will have
two "return 0" in one function. So i think it's not so smart. If you still
think two "return 0" is better, i will submit a new version. Thanks.

BTW, for subject, i agree with you.

Jun Li
2014-11-5 上午2:39于 "Andreas Färber" 写道：

> Hi,
>
> Am 04.11.2014 um 07:55 schrieb Jun Li:
> > Currently when *obj is not a TYPE_DEVICE, qemu will abort. This patch
> just
> > fixed it. When *obj is not a TYPE_DEVICE, just do not add it to
> hotpluggable
> > device list.
> >
> > This patch also fixed the following issue:
> > 1, boot qemu using cli:
> > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > -device virtio-scsi-pci,id=scsi0
> >
> > 2, device_del scsi0 via hmp using tab key(first input device_del, then
> press
> > "Tab" key).
> > (qemu) device_del
> >
> > After step2, qemu will abort.
> > (qemu) device_del hw/core/qdev.c:930:qdev_build_hotpluggable_device_list:
> > Object 0x563a2460 is not an instance of type device
> >
> > Signed-off-by: Jun Li 
> > Reviewed-by: Paolo Bonzini 
> > ---
> > v2:
> >   This version just do a little changes for the commit message.
> > As following show:
> > In v1,
> > 1, boot qemu using cli:
> > virtio-scsi-pci,id=scsi0 -enable-kvm
> >
> > In v2,
> > 1, boot qemu using cli:
> > $ /opt/qemu-git-arm/bin/qemu-system-x86_64 -monitor stdio -enable-kvm \
> > -device virtio-scsi-pci,id=scsi0
> > ---
> >  hw/core/qdev.c | 13 +
> >  1 file changed, 9 insertions(+), 4 deletions(-)
>
> Thanks, I've queued this patch, but we should give it a more meaningful
> subject - maybe "qdev: Avoid type assertion in qdev_build_...()"?
>
> Also, we could avoid reindentation by returning early:
> if (dev == NULL) {
> return 0;
> }
>
> What do you think?
>
> Regards,
> Andreas
>
> --
> SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
> GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 21284 AG Nürnberg
>

Re: [Qemu-devel] [PATCH] qemu-doc.texi: fix typos for x509 examples

[Gonglei]

On 2014/11/4 21:32, Eric Blake wrote:

> On 11/03/2014 01:48 PM, arei.gong...@huawei.com wrote:
>> From: Gonglei 
>>
>> Fix typos made people confuesd:
> 
> Spelling:
> s/confuesd/confused/
> 
> Grammar: would read better as:
> 
> Fix typos that caused confusion for some people:
> 

Thanks.
Mybe /mjt would correct me directly?

Best regards,
-Gonglei

Re: [Qemu-devel] [PATCH] MAINTAINERS: add myself as bootdevice.c maintainer

[Gonglei]

On 2014/11/3 21:34, Markus Armbruster wrote:

> I still intend to post a pull request for all the recent MAINTAINERS
> patches that don't go in via some other tree.  I'm tracking yours.  Give
> me a few more days.

Cool, thanks ;)

Best regards,
-Gonglei

Re: [Qemu-devel] [PATCH v8 18/27] target-arm: make c2_mask and c2_base_mask banked

[Peter Maydell]

On 4 November 2014 22:46, Greg Bellows  wrote:
>
>
> On 31 October 2014 10:26, Peter Maydell  wrote:
>>
>> On 30 October 2014 21:28, Greg Bellows  wrote:
>> >  static void vmsa_ttbcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
>> >  {
>> > -env->cp15.c2_base_mask = 0xc000u;
>> > +/* Rest both the TTBCR as well as the masks corresponding to the
>> > bank of
>> > + * the TTBCR being reset.
>> > + */
>> > +A32_BANKED_REG_SET(env, c2_base_mask,
>> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S),
>> > +   0xc000u);
>> > +A32_BANKED_REG_SET(env, c2_mask,
>> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S), 0);
>> >  raw_write(env, ri, 0);
>> > -env->cp15.c2_mask = 0;
>>
>> Similarly this will be much cleaner.
>
>
> Changed in v9.  Question on reset.  We call raw_write() which also sets the
> masks, but we set the masks separately here too, but different values.  It
> seems we should only need to set them in raw_write() is this true?

No, raw_write() won't set the masks -- it just writes 32 or 64 bits
to the field pointed to by fieldoffset. Which makes it a pretty
obfuscated way of saying env->cp15.c2_control = 0; and I don't
know why we do it this way currently. If we go to having a TTBCR
struct we should just set all the fields directly here I think.

-- PMM

Re: [Qemu-devel] slirp-smb broken with Samba 4.1

[Peter Wu]

On Monday 03 November 2014 13:22:19 Peter Wu wrote:
> On Friday 24 October 2014 18:55:07 Jan Kiszka wrote:
> > writing to you as you provided a fix for the last related issue:
> > 
> > I just noticed that the samba-based share is broken again with smbd
> > version 4.1.11. Tried to look briefly at it, realized that it is a
> > permission thing (different error when qemu runs as root) but also some
> > more nasty problem with configuring r/w guest access to a share. If you
> > have experience in that area, maybe you have an idea.
> 
> It appears that the issue is solved in Samba 4.2 (tested with
> samba-4.2.0rc1-388-ga3b333a). Using that samba version fixes the
> problem, I'll try to do a bisect to see where it got fixed in Samba.

Unfortunately I was wrong. I have tested it by forwarding a smbd daemon
which listens on a port, not one that runs in inetd mode. The referenced
version was still broken. The earliest version I tested in the Samba 4
series is samba-4.0.0alpha17 and that is still broken.

I have reported the issue here, it turns out to affect instances running
as non-root user:
https://bugzilla.samba.org/show_bug.cgi?id=10919
-- 
Kind regards,
Peter
https://lekensteyn.nl

Re: [Qemu-devel] [PATCH v8 18/27] target-arm: make c2_mask and c2_base_mask banked

[Greg Bellows]

On 31 October 2014 10:26, Peter Maydell  wrote:

> On 30 October 2014 21:28, Greg Bellows  wrote:
> > From: Fabian Aggeler 
> >
> > Since TTBCR is banked we will bank c2_mask and c2_base_mask too. This
> > avoids recalculating them on switches from secure to non-secure world.
>
> These fields are part of our TTBCR internal representation; we
> should bank the whole TTBCR in one patch, not split over two.
>

Squashed the TTBCR and C2 mask patches in v9.


>
> > Signed-off-by: Fabian Aggeler 
> > Signed-off-by: Greg Bellows 
> >
> > ---
> >
> > v5 -> v6
> > - Switch to use distinct CPREG secure flags
> >
> > v4 -> v5
> > - Changed c2_mask updates to use the TTBCR cpreg bank flag for selcting
> the
> >   secure bank instead of the A32_BANKED_CURRENT macro.  This more
> accurately
> >   chooses the correct bank matching that of the TTBCR being accessed.
> > ---
> >  target-arm/cpu.h| 10 --
> >  target-arm/helper.c | 24 ++--
> >  2 files changed, 26 insertions(+), 8 deletions(-)
> >
> > diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> > index f125bdd..6e9f1c3 100644
> > --- a/target-arm/cpu.h
> > +++ b/target-arm/cpu.h
> > @@ -226,8 +226,14 @@ typedef struct CPUARMState {
> >  };
> >  uint64_t tcr_el[4];
> >  };
> > -uint32_t c2_mask; /* MMU translation table base selection
> mask.  */
> > -uint32_t c2_base_mask; /* MMU translation table base 0 mask. */
> > +struct { /* MMU translation table base selection mask. */
> > +uint32_t c2_mask_ns;
> > +uint32_t c2_mask_s;
> > +};
> > +struct { /* MMU translation table base 0 mask. */
> > +uint32_t c2_base_mask_ns;
> > +uint32_t c2_base_mask_s;
> > +};
>
> I think we should actually have:
> typedef struct {
> uint64_t raw_ttbcr;
> uint32_t mask;
> uint32_t base_mask;
> } TTBCR;
>
> and then have TTBCR ttbcr[2];
>
> and not use the BANKED_REG_SET/GET macros here...
>

I like the cleanliness of this approach but it does not take into
consideration the tcr_el[] fields.  I have instead changed the naming to
TCR/tcr_el and have added 4 entries instead of 2.  This is more consistent
with the other changes in the patch set.


>
> >  uint32_t c2_data; /* MPU data cachable bits.  */
> >  uint32_t c2_insn; /* MPU instruction cachable bits.  */
> >  uint32_t c3; /* MMU domain access control register
> > diff --git a/target-arm/helper.c b/target-arm/helper.c
> > index 896b40d..27eaf9c 100644
> > --- a/target-arm/helper.c
> > +++ b/target-arm/helper.c
> > @@ -1584,8 +1584,14 @@ static void vmsa_ttbcr_raw_write(CPUARMState
> *env, const ARMCPRegInfo *ri,
> >   * and the c2_mask and c2_base_mask values are meaningless.
> >   */
> >  raw_write(env, ri, value);
> > -env->cp15.c2_mask = ~(((uint32_t)0xu) >> maskshift);
> > -env->cp15.c2_base_mask = ~((uint32_t)0x3fffu >> maskshift);
> > +
> > +/* Update the masks corresponding to the the TTBCR bank being
> written */
> > +A32_BANKED_REG_SET(env, c2_mask,
> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S),
> > +   ~(((uint32_t)0xu) >> maskshift));
> > +A32_BANKED_REG_SET(env, c2_base_mask,
> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S),
> > +   ~((uint32_t)0x3fffu >> maskshift));
>
> ... so this turns into:
>
> TTBCR t = env->cp15.ttbcr[ri->secure];
>
> t->raw_ttbcr = value;
> t->mask = ~(((uint32_t)0xu) >> maskshift);
> t->base_mask = ~((uint32_t)0x3fffu >> maskshift);
>
> (XXX did we make ri->secure be a 0/1 or is it 1/2 ? anyway you get the
> idea.)
>
>
Changed in v9.  ri->secure is 1/2 as both bitsor neither may be set at
definition time.


> >  }
> >
> >  static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
> > @@ -1604,9 +1610,15 @@ static void vmsa_ttbcr_write(CPUARMState *env,
> const ARMCPRegInfo *ri,
> >
> >  static void vmsa_ttbcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
> >  {
> > -env->cp15.c2_base_mask = 0xc000u;
> > +/* Rest both the TTBCR as well as the masks corresponding to the
> bank of
> > + * the TTBCR being reset.
> > + */
> > +A32_BANKED_REG_SET(env, c2_base_mask,
> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S),
> > +   0xc000u);
> > +A32_BANKED_REG_SET(env, c2_mask,
> > +   ARM_CP_SECSTATE_TEST(ri, ARM_CP_SECSTATE_S), 0);
> >  raw_write(env, ri, 0);
> > -env->cp15.c2_mask = 0;
>
> Similarly this will be much cleaner.
>

Changed in v9.  Question on reset.  We call raw_write() which also sets the
masks, but we set the masks separately here too, but different values.  It
seems we should only need to set them in raw_write() is this true?


>
> >  }
> >
> >  static void vmsa_tcr_el1_write(CPUARMState *env, const ARMCPRe

Re: [Qemu-devel] [PATCH v8 17/27] target-arm: add TCR_EL3 and make TTBCR banked

[Greg Bellows]

Changes made in v9, but as with TTBR0_EL3 I have left the definition for
TCR_EL3 in.

On 31 October 2014 10:07, Peter Maydell  wrote:

> On 30 October 2014 21:28, Greg Bellows  wrote:
> > From: Fabian Aggeler 
> >
> > Adds TCR_EL3 system register and makes existing TTBCR banked. Adjust
> > translation functions to use TCR/TTBCR instance depending on CPU state.
> >
> > Signed-off-by: Fabian Aggeler 
> > Signed-off-by: Greg Bellows 
> >
> > ---
> >
> > v5 -> v6
> > - Changed _el field variants to be array based
> >
> > v4 -> v5
> > - Changed c2_mask updates to use the TTBCR cpreg bank flag for selcting
> the
> >   secure bank instead of the A32_BANKED_CURRENT macro.  This more
> accurately
> >   chooses the correct bank matching that of the TTBCR being accessed.
> > ---
> >  target-arm/cpu.h   | 10 +-
> >  target-arm/helper.c| 48
> +++-
> >  target-arm/internals.h |  2 +-
> >  3 files changed, 45 insertions(+), 15 deletions(-)
> >
> > diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> > index fe96869..f125bdd 100644
> > --- a/target-arm/cpu.h
> > +++ b/target-arm/cpu.h
> > @@ -217,7 +217,15 @@ typedef struct CPUARMState {
> >  };
> >  uint64_t ttbr1_el[4];
> >  };
> > -uint64_t c2_control; /* MMU translation table base control.  */
> > +union { /* MMU translation table base control. */
> > +struct {
> > +uint64_t _unused_ttbcr_0;
> > +uint64_t ttbcr_ns;
> > +uint64_t _unused_ttbcr_1;
> > +uint64_t ttbcr_s;
> > +};
> > +uint64_t tcr_el[4];
> > +};
> >  uint32_t c2_mask; /* MMU translation table base selection
> mask.  */
> >  uint32_t c2_base_mask; /* MMU translation table base 0 mask. */
> >  uint32_t c2_data; /* MPU data cachable bits.  */
> > diff --git a/target-arm/helper.c b/target-arm/helper.c
> > index 598f0d1..896b40d 100644
> > --- a/target-arm/helper.c
> > +++ b/target-arm/helper.c
> > @@ -1659,11 +1659,12 @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
> >.opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
> >.access = PL1_RW, .writefn = vmsa_tcr_el1_write,
> >.resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
> > -  .fieldoffset = offsetof(CPUARMState, cp15.c2_control) },
> > +  .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) },
> >  { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 =
> 2,
> >.access = PL1_RW, .type = ARM_CP_NO_MIGRATE, .writefn =
> vmsa_ttbcr_write,
> >.resetfn = arm_cp_reset_ignore, .raw_writefn =
> vmsa_ttbcr_raw_write,
> > -  .fieldoffset = offsetoflow32(CPUARMState, cp15.c2_control) },
> > +  .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ttbcr_s),
> > + offsetoflow32(CPUARMState, cp15.ttbcr_ns)
> } },
> >  /* 64-bit FAR; this entry also gives us the AArch32 DFAR */
> >  { .name = "FAR_EL1", .state = ARM_CP_STATE_BOTH,
> >.opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
> > @@ -2349,6 +2350,11 @@ static const ARMCPRegInfo v8_el3_cp_reginfo[] = {
> >.opc0 = 3, .crn = 2, .crm = 0, .opc1 = 6, .opc2 = 0,
> >.access = PL3_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
> >.fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[3]) },
> > +{ .name = "TCR_EL3", .state = ARM_CP_STATE_AA64,
> > +  .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 6, .opc2 = 2,
> > +  .access = PL3_RW, .writefn = vmsa_tcr_el1_write,
> > +  .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
> > +  .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[3]) },
> >  { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64,
> >.type = ARM_CP_NO_MIGRATE,
> >.opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1,
> > @@ -4435,13 +4441,13 @@ static bool get_level1_table_address(CPUARMState
> *env, uint32_t *table,
> >   * table registers.
> >   */
> >  if (address & env->cp15.c2_mask) {
> > -if ((env->cp15.c2_control & TTBCR_PD1)) {
> > +if (A32_BANKED_CURRENT_REG_GET(env, ttbcr) & TTBCR_PD1) {
> >  /* Translation table walk disabled for TTBR1 */
> >  return false;
> >  }
> >  *table = A32_BANKED_CURRENT_REG_GET(env, ttbr1) & 0xc000;
> >  } else {
> > -if ((env->cp15.c2_control & TTBCR_PD0)) {
> > +if (A32_BANKED_CURRENT_REG_GET(env, ttbcr) & TTBCR_PD0) {
> >  /* Translation table walk disabled for TTBR0 */
> >  return false;
> >  }
> > @@ -4701,13 +4707,29 @@ static int get_phys_addr_lpae(CPUARMState *env,
> target_ulong address,
> >  int32_t va_size = 32;
> >  int32_t tbi = 0;
> >  uint32_t cur_el = arm_current_el(env);
> > +uint64_t tcr;
> >
> > -if (arm_el_is_aa64(env, 1)) {
> > +if (arm_el_is_aa64(env, 3)) {
> > +switch (cur_el) {
> > +

Re: [Qemu-devel] [PATCH v8 16/27] target-arm: add TTBR0_EL3 and make TTBR0/1 banked

[Greg Bellows]

On 31 October 2014 10:04, Peter Maydell  wrote:

> On 30 October 2014 21:28, Greg Bellows  wrote:
> > From: Fabian Aggeler 
> >
> > Add TTBR0 and maps secure/non-secure instance of ttbr0 and ttbr1
>
> Is "maps" a typo for something, or have we lost a word here?
>
>
It is just not clear.  It should say something similar to the title.  I'll
update the comment in v9.


> > accordingly (translation table base register).
> >
> > Signed-off-by: Fabian Aggeler 
> > Signed-off-by: Greg Bellows 
> >
> > ---
> >
> > v5 -> v6
> > - Changed _el field variants to be array based
> > - Merged TTBR# and TTBR#_EL1 reginfo entries
> > - Globally replace Aarch# with AArch#
> > ---
> >  hw/arm/pxa2xx.c |  4 ++--
> >  target-arm/cpu.h| 20 ++--
> >  target-arm/helper.c | 54
> +++--
> >  3 files changed, 60 insertions(+), 18 deletions(-)
> >
> > diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
> > index 11d51af..641b148 100644
> > --- a/hw/arm/pxa2xx.c
> > +++ b/hw/arm/pxa2xx.c
> > @@ -275,7 +275,7 @@ static void pxa2xx_pwrmode_write(CPUARMState *env,
> const ARMCPRegInfo *ri,
> >  s->cpu->env.daif = PSTATE_A | PSTATE_F | PSTATE_I;
> >  s->cpu->env.cp15.sctlr_ns = 0;
> >  s->cpu->env.cp15.c1_coproc = 0;
> > -s->cpu->env.cp15.ttbr0_el1 = 0;
> > +s->cpu->env.cp15.ttbr0_el[1] = 0;
> >  s->cpu->env.cp15.c3 = 0;
> >  s->pm_regs[PSSR >> 2] |= 0x8; /* Set STS */
> >  s->pm_regs[RCSR >> 2] |= 0x8; /* Set GPR */
> > @@ -2047,7 +2047,7 @@ PXA2xxState *pxa270_init(MemoryRegion
> *address_space,
> >  }
> >  if (!revision)
> >  revision = "pxa270";
> > -
> > +
>
> Stray whitespace change.
>
>
Fixed in v9


> >  s->cpu = cpu_arm_init(revision);
> >  if (s->cpu == NULL) {
> >  fprintf(stderr, "Unable to find CPU definition\n");
> > diff --git a/target-arm/cpu.h b/target-arm/cpu.h
> > index 3b776a1..fe96869 100644
> > --- a/target-arm/cpu.h
> > +++ b/target-arm/cpu.h
> > @@ -199,8 +199,24 @@ typedef struct CPUARMState {
> >  uint32_t c1_xscaleauxcr; /* XScale auxiliary control register.
> */
> >  uint64_t sder; /* Secure debug enable register. */
> >  uint32_t nsacr; /* Non-secure access control register. */
> > -uint64_t ttbr0_el1; /* MMU translation table base 0. */
> > -uint64_t ttbr1_el1; /* MMU translation table base 1. */
> > +union { /* MMU translation table base 0. */
> > +struct {
> > +uint64_t _unused_ttbr0_0;
> > +uint64_t ttbr0_ns;
> > +uint64_t _unused_ttbr0_1;
> > +uint64_t ttbr0_s;
> > +};
> > +uint64_t ttbr0_el[4];
> > +};
> > +union { /* MMU translation table base 1. */
> > +struct {
> > +uint64_t _unused_ttbr1_0;
> > +uint64_t ttbr1_ns;
> > +uint64_t _unused_ttbr1_1;
> > +uint64_t ttbr1_s;
> > +};
> > +uint64_t ttbr1_el[4];
> > +};
> >  uint64_t c2_control; /* MMU translation table base control.  */
> >  uint32_t c2_mask; /* MMU translation table base selection
> mask.  */
> >  uint32_t c2_base_mask; /* MMU translation table base 0 mask. */
> > diff --git a/target-arm/helper.c b/target-arm/helper.c
> > index f6a9b66..598f0d1 100644
> > --- a/target-arm/helper.c
> > +++ b/target-arm/helper.c
> > @@ -1645,14 +1645,16 @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
> >.opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0,
> >.access = PL1_RW,
> >.fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue
> = 0, },
> > -{ .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH,
> > -  .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
> > -  .access = PL1_RW, .fieldoffset = offsetof(CPUARMState,
> cp15.ttbr0_el1),
> > -  .writefn = vmsa_ttbr_write, .resetvalue = 0 },
> > -{ .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,
> > -  .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1,
> > -  .access = PL1_RW, .fieldoffset = offsetof(CPUARMState,
> cp15.ttbr1_el1),
> > -  .writefn = vmsa_ttbr_write, .resetvalue = 0 },
> > +{ .name = "TTBR0", .state = ARM_CP_STATE_BOTH,
> > +  .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
>
> You seem to have lost the .opc0 setting; surely this breaks AArch64?
> Also you don't need to specify .cp = 15 explicitly for a STATE_BOTH
> register. This whole hunk should just be changing the .fieldoffset
> spec to .bank_fieldoffsets, really.
>

You are correct, this would break AArch64.  Fixed in v9.


>
> > +  .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
> > +  .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
> > + offsetof(CPUARMState, cp15.ttbr0_ns) } },
> > +{ .name = "TTBR1", .state = ARM_CP_STATE_BOTH,
> > +  .

[Qemu-devel] [PATCH] spapr: Allow dynamic creation of PHB

[Alexander Graf]

Now that we finally check for presence of dangling sysbus devices, make check
started complaining that the sPAPR PHB is one such device.

However, it really isn't. The spapr PHB is not really a traditional sysbus
device, but much more a special spapr pv device which is already able to get
created dynamically.

Move spapr to its own dynamic sysbus check handling and allow PHB devices to
get allocated dynamically.

Signed-off-by: Alexander Graf 
---
 hw/ppc/spapr.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 2a78075..30de25d 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -850,11 +850,31 @@ static void spapr_reset_htab(sPAPREnvironment *spapr)
 }
 }
 
+static int find_unknown_sysbus_device(SysBusDevice *sbdev, void *opaque)
+{
+bool matched = false;
+
+if (object_dynamic_cast(OBJECT(sbdev), TYPE_SPAPR_PCI_HOST_BRIDGE)) {
+matched = true;
+}
+
+if (!matched) {
+error_report("Device %s is not supported by this machine yet.",
+ qdev_fw_name(DEVICE(sbdev)));
+exit(1);
+}
+
+return 0;
+}
+
 static void ppc_spapr_reset(void)
 {
 PowerPCCPU *first_ppc_cpu;
 uint32_t rtas_limit;
 
+/* Check for unknown sysbus devices */
+foreach_dynamic_sysbus_device(find_unknown_sysbus_device, NULL);
+
 /* Reset the hash table & recalc the RMA */
 spapr_reset_htab(spapr);
 
@@ -1667,6 +1687,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 mc->no_parallel = 1;
 mc->default_boot_order = NULL;
 mc->kvm_type = spapr_kvm_type;
+mc->has_dynamic_sysbus = true;
 
 fwc->get_dev_path = spapr_get_fw_dev_path;
 nc->nmi_monitor_handler = spapr_nmi;
-- 
1.8.1.4

Re: [Qemu-devel] [PATCH v3 2/2] vfio: use kvm_resamplefds_enabled()

[Alex Williamson]

On Fri, 2014-10-31 at 13:38 +, Eric Auger wrote:
> Use the kvm_resamplefds_enabled function
> 
> Signed-off-by: Eric Auger 
> ---

If someone wants to pick this up:

Acked-by: Alex Williamson 

Alternatively, provide an ack on patch 1 and I can bring it in through
my tree after 2.2.  Thanks,

Alex

>  hw/misc/vfio.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
> index b5e7981..75bfa1c 100644
> --- a/hw/misc/vfio.c
> +++ b/hw/misc/vfio.c
> @@ -406,7 +406,7 @@ static void vfio_enable_intx_kvm(VFIODevice *vdev)
>  
>  if (!VFIO_ALLOW_KVM_INTX || !kvm_irqfds_enabled() ||
>  vdev->intx.route.mode != PCI_INTX_ENABLED ||
> -!kvm_check_extension(kvm_state, KVM_CAP_IRQFD_RESAMPLE)) {
> +!kvm_resamplefds_enabled()) {
>  return;
>  }
>  
> @@ -568,8 +568,7 @@ static int vfio_enable_intx(VFIODevice *vdev)
>   * Only conditional to avoid generating error messages on platforms
>   * where we won't actually use the result anyway.
>   */
> -if (kvm_irqfds_enabled() &&
> -kvm_check_extension(kvm_state, KVM_CAP_IRQFD_RESAMPLE)) {
> +if (kvm_irqfds_enabled() && kvm_resamplefds_enabled()) {
>  vdev->intx.route = pci_device_route_intx_to_irq(&vdev->pdev,
>  vdev->intx.pin);
>  }

Re: [Qemu-devel] [PATCH v8 07/27] target-arm: insert AArch32 cpregs twice into hashtable

[Greg Bellows]

I have fixed the code to properly handle the CONTEXTIDR/FCSEIDR registers.
This is done in two parts:
1) I broke the FCSEIDR and CONTEXTIDR into separate secure/non-secure
definitions.
2) I updated the check that filters the secure duplicate instance caused by
registering unbanked register twice.










On 31 October 2014 14:01, Greg Bellows  wrote:

>
>
> On 31 October 2014 07:44, Peter Maydell  wrote:
>
>> On 30 October 2014 21:28, Greg Bellows  wrote:
>> > From: Fabian Aggeler 
>> >
>> > Prepare for cp register banking by inserting every cp register twice,
>> > once for secure world and once for non-secure world.
>> >
>> > Signed-off-by: Fabian Aggeler 
>> > Signed-off-by: Greg Bellows 
>> >
>> > ---
>> >
>> > v7 -> v8
>> > - Updated define registers asserts to allow either a non-zero
>> fieldoffset or
>> >   non-zero bank_fieldoffsets.
>> > - Updated CP register hashing to always set the register fieldoffset
>> when
>> >   banked register offsets are specified.
>> >
>> > v5 -> v6
>> > - Fixed NS-bit number in the CPREG hash lookup from 27 to 29.
>> > - Switched to dedicated CPREG secure flags.
>> > - Fixed disablement of reset and migration of common 32/64-bit
>> registers.
>> > - Globally replace Aarch# with AArch#
>> >
>> > v4 -> v5
>> > - Added use of ARM CP secure/non-secure bank flags during register
>> processing
>> >   in define_one_arm_cp_reg_with_opaque().  We now only register the
>> specified
>> >   bank if only one flag is specified, otherwise we register both a
>> secure and
>> >   non-secure instance.
>> > ---
>> >  target-arm/helper.c | 98
>> -
>> >  1 file changed, 82 insertions(+), 16 deletions(-)
>> >
>> > diff --git a/target-arm/helper.c b/target-arm/helper.c
>> > index 959a46e..c1c6303 100644
>> > --- a/target-arm/helper.c
>> > +++ b/target-arm/helper.c
>> > @@ -3296,22 +3296,62 @@ static void add_cpreg_to_hashtable(ARMCPU *cpu,
>> const ARMCPRegInfo *r,
>> >  uint32_t *key = g_new(uint32_t, 1);
>> >  ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
>> >  int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
>> > -if (r->state == ARM_CP_STATE_BOTH && state == ARM_CP_STATE_AA32) {
>> > -/* The AArch32 view of a shared register sees the lower 32 bits
>> > - * of a 64 bit backing field. It is not migratable as the
>> AArch64
>> > - * view handles that. AArch64 also handles reset.
>> > - * We assume it is a cp15 register if the .cp field is left
>> unset.
>> > +
>> > +if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
>> > +/* Register is banked (using both entries in array).
>> > + * Overwriting fieldoffset as the array is only used to define
>> > + * banked registers but later only fieldoffset is used.
>> >   */
>> > -if (r2->cp == 0) {
>> > -r2->cp = 15;
>> > +r2->fieldoffset = r->bank_fieldoffsets[nsbit];
>> > +}
>> > +
>> > +if (state == ARM_CP_STATE_AA32) {
>> > +/* Clear the secure state flags and set based on incoming
>> nsbit */
>> > +r2->secure &= ~(ARM_CP_SECSTATE_S | ARM_CP_SECSTATE_NS);
>> > +r2->secure |= ARM_CP_SECSTATE_S << nsbit;
>>
>> This bitmanipulation looks like leftover from when these were in 'state';
>>r2->secure = secstate;
>> should be sufficient (and you might as well put this down below the
>> 'r2->state = state' assignment, since it's harmless to do it for all
>> regdefs including 64 bit ones).
>>
>>
> It was in the previous code, but it is still necessary for marking whether
> the given register is secure or not.
>
>
>> > +
>> > +if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
>> > +/* If the register is banked and V8 is enabled then we
>> don't need
>> > + * to migrate or reset the AArch32 version of the banked
>> > + * registers as this will be handled through the AArch64
>> view.
>> > + * If v7 then we don't need to migrate or reset the AArch32
>> > + * non-secure bank as this will be handled through the
>> AArch64
>> > + * view.  In this case the secure bank is not mirrored, so
>> we must
>> > + * preserve it's reset criteria and allow it to be
>> migrated.
>> > + *
>> > + * The exception to the above is cpregs with a crn of 13
>> > + * (specifically FCSEIDR and CONTEXTIDR) in which case
>> there may
>> > + * not be an AArch64 equivalent for one or either bank so
>> migration
>> > + * and reset must be preserved.
>> > + */
>>
>> I'm not sure what this paragraph is trying to say. The AArch64 equivalent
>> of CONTEXTIDR(NS) is CONTEXTIDR_EL1. In v8 FCSEIDR is a constant RAZ/WI
>> register, so migration and reset aren't relevant anyway.
>>
>> In any case, if we only have a couple of special case registers where
>> this bank handling doesn't work, I suggest that we should handle them

Re: [Qemu-devel] [PATCH] s390x: Implement SAM{24,31,64}

[Bastian Koppelmann]

On 11/04/2014 08:19 PM, Alexander Graf wrote:

The SAM instructions simply change 2 bits in PSW.MASK to advertise
the current memory mode. While we can't fully guarantee that 31 bit
mode (or even remotely 24 bit mode) actually work correctly, we don't
check whether lpswe modifies these bits, so we shouldn't keep the
guest from executing SAM instructions either.

This patch implements all SAM instrutions with their actual PSW changing
semantics, making more recent Linux kernels boot properly which do issue
a SAM31 call during early boot.

Signed-off-by: Alexander Graf 
---
  target-s390x/insn-data.def |  6 +++---
  target-s390x/translate.c   | 12 
  2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/target-s390x/insn-data.def b/target-s390x/insn-data.def
index b42ebb6..4d2feb6 100644
--- a/target-s390x/insn-data.def
+++ b/target-s390x/insn-data.def
@@ -744,9 +744,9 @@
  /* SERVICE CALL LOGICAL PROCESSOR (PV hypercall) */
  C(0xb220, SERVC,   RRE,   Z,   r1_o, r2_o, 0, 0, servc, 0)
  /* SET ADDRESSING MODE */
-/* We only do 64-bit, so accept this as a no-op.
-   Let SAM24 and SAM31 signal illegal instruction.  */
-C(0x010e, SAM64,   E, Z,   0, 0, 0, 0, 0, 0)
+D(0x010c, SAM24,   E, Z,   0, 0, 0, 0, sam, 0, 0)
+D(0x010d, SAM31,   E, Z,   0, 0, 0, 0, sam, 0, 1)
+D(0x010e, SAM64,   E, Z,   0, 0, 0, 0, sam, 0, 3)
  /* SET ADDRESS SPACE CONTROL FAST */
  C(0xb279, SACF,S, Z,   0, a2, 0, 0, sacf, 0)
  /* SET CLOCK */
diff --git a/target-s390x/translate.c b/target-s390x/translate.c
index 0cb036f..827cda4 100644
--- a/target-s390x/translate.c
+++ b/target-s390x/translate.c
@@ -2927,6 +2927,18 @@ static ExitStatus op_sacf(DisasContext *s, DisasOps *o)
  }
  #endif
  
+static ExitStatus op_sam(DisasContext *s, DisasOps *o)

+{
+int sam = s->insn->data;
+TCGv_i64 tsam = tcg_const_i64(sam);
+
+/* Overwrite PSW_MASK_64 and PSW_MASK_32 */
+tcg_gen_deposit_i64(psw_mask, psw_mask, tsam, 31, 2);
+
+tcg_temp_free_i64(tsam);
+return EXIT_PC_STALE;
+}
+
  static ExitStatus op_sar(DisasContext *s, DisasOps *o)
  {
  int r1 = get_field(s->fields, r1);

Reviewed-by: Bastian Koppelmann 

Re: [Qemu-devel] [PULL 2.2 00/33] ppc patch queue 2014-11-04 for 2.2

[Peter Maydell]

On 4 November 2014 19:26, Alexander Graf  wrote:
> Hi Peter,
>
> This is my current patch queue for ppc.  Please pull.
>
> Alex
>
>
> The following changes since commit d5b4dc3b50175f0c34f3cf4b053e123fb37f5aed:
>
>   Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' 
> into staging (2014-11-04 17:33:34 +)
>
> are available in the git repository at:
>
>
>   git://github.com/agraf/qemu.git tags/signed-ppc-for-upstream
>
> for you to fetch changes up to 875d0edd7ce262d61a62c391b49edc2602c06150:
>
>   target-ppc: Fix Altivec Round Opcodes (2014-11-04 20:22:08 +0100)
>
> 
> Patch queue for ppc - 2014-11-04
>
> Fun things for 2.2:
>
>   - e500 virt machine: power off support (needs 3.19 guests)
>   - e500 virt machine: -device eTSEC support
>   - new framework to allow dynamic spawning of sysbus devices
>   - spapr: enable migration of nvram
>   - new 440x5wDFPU cpu type
>   - Altivec and other random fixes
>
> 

Hi. I'm afraid this fails "make check" for me (x86-64 host):

TEST: tests/spapr-phb-test... (pid=21685)
qemu-system-ppc64: Option '-device spapr-pci-host-bridge' cannot be
handled by this machine
Broken pipe
FAIL: tests/spapr-phb-test

thanks
-- PMM

Re: [Qemu-devel] [PATCH] s390x: Implement SAM{24,31,64}

[Alexander Graf]

On 04.11.14 23:02, Bastian Koppelmann wrote:
> 
> On 11/04/2014 08:19 PM, Alexander Graf wrote:
>> +static ExitStatus op_sam(DisasContext *s, DisasOps *o)
>> +{
>> +int sam = s->insn->data;
>> +TCGv_i64 tsam = tcg_const_i64(sam);
>> +
>> +/* Overwrite PSW_MASK_64 and PSW_MASK_32 */
>> +tcg_gen_deposit_i64(psw_mask, psw_mask, tsam, 31, 2);
>> +
>> +tcg_temp_free_i64(tsam);
>> +return EXIT_PC_STALE;
>> +}
>> +
> You forgot to zero out bits 64-103 of psw, in case of sam24 and bits
> 64-96 in case of sam31.

These are the address bits. PSW contains an "addr" and a "mask" field.
"addr" is PC, "mask" is similar to MSR on PPC or EFER on x86.

Other bits of the code will take care of masking out unused address bits
for 31 bit mode (check out fix_address() in mem_helper.c for example).

We don't really implent 24bit addressing mode - and I doubt we will in
the near future. Today our only target is Linux - and there simply is no
24bit Linux out there ;).

> Also you forgot to add 2 (the instruction length) to bits 64-127 of psw

This happens automatically. Each instruction carries its length in the
first 2 bits, so the instruction walker can automatically increment PC.

> or if this is a target of EXECUTE/EXECUTE RELATIVE LONG add 4/6.

EXECUTE is tricky. Basically EXECUTE is an instruction that behaves like
the instruction that a memory reference points to, but at the location
the EXECUTE is actually in. Today, we treat EXECUTE as a very special
instruction with only a small number of subinstructions that it handles
(namely the ones gcc emits).

But thanks a lot for the thorough review :)


Alex

[Qemu-devel] [Bug 1307225] Re: Running a virtual machine on a Haswell system produces machine check events

[Andrew Sabot]

mce=ignore_ce indeed "fixes" the messages. However, it will mask real
(important) errors as well.

Since Intel can't or won't correct the bug with a microcode update, how
about filtering it in the kernel?

http://svnweb.freebsd.org/base/head/sys/x86/x86/mca.c?r1=269052&r2=269051&pathrev=269052

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1307225

Title:
  Running a virtual machine on a Haswell system produces machine check
  events

Status in QEMU:
  New

Bug description:
  I'm running a virtual Windows SBS 2003 installation on a Xeon E3
  Haswell system running Gentoo Linux. First, I used Qemu 1.5.3 (the
  latest stable version on Gentoo). I got a lot of machine check events
  ("mce: [Hardware Error]: Machine check events logged") in dmesg that
  always looked like (using mcelog):

  Hardware event. This is not a software error.
  MCE 0
  CPU 3 BANK 0
  TIME 1397455091 Mon Apr 14 07:58:11 2014
  MCG status:
  MCi status:
  Corrected error
  Error enabled
  MCA: Internal parity error
  STATUS 904f0005 MCGSTATUS 0
  MCGCAP c09 APICID 6 SOCKETID 0
  CPUID Vendor Intel Family 6 Model 60

  I found this discussion on the vmware community:
  https://communities.vmware.com/thread/452344

  It seems that this is (at least partly) caused by the Qemu machine. I
  switched to Qemu 1.7.0, the first version to use "pc-i440fx-1.7". With
  this version, the errors almost disappeared, but from time to time, I
  still get machine check events. Anyways, they so not seem to affect
  neither the vm, nor the host.

  The Haswell machine has been set up and running for several days
  without a single error message. They only appear when the VM is
  running. so I think this is actually some problem with the Haswell
  architecture (and not a real hardware error).

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1307225/+subscriptions

Re: [Qemu-devel] [PATCH] s390x: Implement SAM{24,31,64}

[Bastian Koppelmann]

On 11/04/2014 08:19 PM, Alexander Graf wrote:

+static ExitStatus op_sam(DisasContext *s, DisasOps *o)
+{
+int sam = s->insn->data;
+TCGv_i64 tsam = tcg_const_i64(sam);
+
+/* Overwrite PSW_MASK_64 and PSW_MASK_32 */
+tcg_gen_deposit_i64(psw_mask, psw_mask, tsam, 31, 2);
+
+tcg_temp_free_i64(tsam);
+return EXIT_PC_STALE;
+}
+
You forgot to zero out bits 64-103 of psw, in case of sam24 and bits 
64-96 in case of sam31.
Also you forgot to add 2 (the instruction length) to bits 64-127 of psw 
or if this is a target of EXECUTE/EXECUTE RELATIVE LONG add 4/6.

  static ExitStatus op_sar(DisasContext *s, DisasOps *o)
  {
  int r1 = get_field(s->fields, r1);

Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it

[Jeff Cody]

On Tue, Nov 04, 2014 at 07:45:38PM +0100, Markus Armbruster wrote:
> I'll try to explain all solutions fairly.  Isn't easy when you're as
> biased towards one of them as I am.  Please bear with me.
> 
> 
> = The trust boundary between image contents and meta-data =
> 
> A disk image consists of image contents and meta-data.
> 
> Example: all of a raw image's contents is image contents.  Leaves just
> file name and attributes for meta-data.
> 
> Example: QCOW2 meta-data includes header, header extensions, L1 table,
> L2 tables, ...  The meta-data defines where in the image the actual
> contents is stored.
> 
> A guest can access the image contents, not the meta-data.
> 
> Image contents you've let an untrusted guest write is untrusted.
> 
> Therefore, there's a trust boundary between image contents and
> meta-data.  QEMU has to trust image meta-data, but shouldn't trust image
> contents.  The exact location of the trust boundary depends on the image
> format.
> 
> 
> = How we instruct QEMU what to trust =
> 
> By configuring QEMU to use an image, the user instructs QEMU to trust
> the image's meta-data.
> 
> When the user's configuration specifies the image format explicitly, the
> trust boundary is clear.
> 
> Else, the trust boundary is ambigous when more than one format is
> possible.
> 
> QEMU resolves this ambiguity by picking the first format with the
> highest "score".  Raw format is always possible, and always has the
> lowest score.
> 
> 
> = How this lets the guest escape isolation =
> 
> Unfortunately, this lets the guest shift the trust boundary and escape
> isolation, as follows:
> 
> * Expose a raw image to the guest (whether you specify the format=raw or
>   let QEMU guess it doesn't matter).  The complete contents becomes
>   untrusted.
> 
> * Reuse the image *without* specifying the raw format.  QEMU guesses the
>   format based on untrusted image contents.  Now QEMU guesses a format
>   chosen by the guest, with meta-data chosen by the guest.  By
>   controlling image meta-data, the malicious guest can access arbitrary
>   files as QEMU, enlarge its storage, and more.  A non-malicious guest
>   can accidentally DoS itself, by writing a pattern probing recognizes.
> 
> This is CVE-2008-2004.
> 
> 
> = Aside: other trust boundaries =
> 
> Of course, this is not the only trust boundary that matters.  For
> instance, there's normally one between your host and somebody else's
> computers.  Telling QEMU to trust meta-data of some image you got "from
> the internet" violates it.  There's nothing QEMU can do about that.
> 
> 
> = Insecure usage is easy, secure usage is hard =
> 
> The oldest stratum of user interfaces doesn't let you specify the image
> format.  Use of raw images with these is insecure by design.  These
> interfaces are still recommended for human users.
> 
> Example of insecure usage: -hda foo.img, where foo.img is raw.
> 
> With the next generation of interfaces, specifying the image format is
> optional.  Use of raw images with these is insecure by default.
> 
> Example of insecure usage: -drive file=foo.img,index=0,media=cdrom,
> where foo.img is raw.  The -hda above is actually sugar for this.
> 
> Equivalent secure usage: add format=raw.
> 
> Note that specifying just the top image's format is not enough, you also
> have to specify any backing images' formats.  QCOW2 can optionally store
> the backing image format in the image.  The other COW formats can't.
> 
> Example of insecure usage: -hda bar.vmdk, where bar.vmdk is a VMDK image
> with a raw backing file.
> 
> Equivalent secure usage: Beats me.  Maybe there's a funky -drive
> backing.whatever to specify the backing image's format.
> 
> With the latest interface blockdev-add, specifying the format is
> mandatory.  Secure, but not really suitable for humans.
> 
> Example of secure usage:
> 
> { "execute": "blockdev-add",
>   "arguments": {'options': {
>   'driver': 'raw', 'id':'foo',
>   'file': { 'driver': 'file', 'filename': 'foo.img' } } } }
> 
> Insecure usage is easy, secure usage is *hard*.  Even for sophisticated
> users like libvirt developers.  Evidence: libvirt CVE-2010-2237,
> CVE-2010-2238, CVE-2010-2239, and more that didn't get a CVE, like the
> recent accidental probing in drive-mirror.
> 
> 
> = How can we better guard the trust boundary in QEMU? =
> 
> The guest can violate the trust boundary only because
> 
> (a) QEMU supports both raw images and image formats, and
> 
> (b) QEMU guesses image format from raw image contents, and
> 
> (c) given a raw image, guests can change its contents and control a
> future QEMU's format guess.
> 
> We can attack one ore more of these three conditions:
> 
> (a) Outlaw raw images
> 
> (b) Don't guess format from untrusted image contents
> 
> (c) Prevent "bad" guest writes
> 
> Nobody is seriously suggesting we do (a).  It's clearly too late for
> that.  Let's explore the other two in more detail.
> 
> == Don't guess format from untrusted image con

[Qemu-devel] [PATCH] s390x: Implement SAM{24,31,64}

[Alexander Graf]

The SAM instructions simply change 2 bits in PSW.MASK to advertise
the current memory mode. While we can't fully guarantee that 31 bit
mode (or even remotely 24 bit mode) actually work correctly, we don't
check whether lpswe modifies these bits, so we shouldn't keep the
guest from executing SAM instructions either.

This patch implements all SAM instrutions with their actual PSW changing
semantics, making more recent Linux kernels boot properly which do issue
a SAM31 call during early boot.

Signed-off-by: Alexander Graf 
---
 target-s390x/insn-data.def |  6 +++---
 target-s390x/translate.c   | 12 
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/target-s390x/insn-data.def b/target-s390x/insn-data.def
index b42ebb6..4d2feb6 100644
--- a/target-s390x/insn-data.def
+++ b/target-s390x/insn-data.def
@@ -744,9 +744,9 @@
 /* SERVICE CALL LOGICAL PROCESSOR (PV hypercall) */
 C(0xb220, SERVC,   RRE,   Z,   r1_o, r2_o, 0, 0, servc, 0)
 /* SET ADDRESSING MODE */
-/* We only do 64-bit, so accept this as a no-op.
-   Let SAM24 and SAM31 signal illegal instruction.  */
-C(0x010e, SAM64,   E, Z,   0, 0, 0, 0, 0, 0)
+D(0x010c, SAM24,   E, Z,   0, 0, 0, 0, sam, 0, 0)
+D(0x010d, SAM31,   E, Z,   0, 0, 0, 0, sam, 0, 1)
+D(0x010e, SAM64,   E, Z,   0, 0, 0, 0, sam, 0, 3)
 /* SET ADDRESS SPACE CONTROL FAST */
 C(0xb279, SACF,S, Z,   0, a2, 0, 0, sacf, 0)
 /* SET CLOCK */
diff --git a/target-s390x/translate.c b/target-s390x/translate.c
index 0cb036f..827cda4 100644
--- a/target-s390x/translate.c
+++ b/target-s390x/translate.c
@@ -2927,6 +2927,18 @@ static ExitStatus op_sacf(DisasContext *s, DisasOps *o)
 }
 #endif
 
+static ExitStatus op_sam(DisasContext *s, DisasOps *o)
+{
+int sam = s->insn->data;
+TCGv_i64 tsam = tcg_const_i64(sam);
+
+/* Overwrite PSW_MASK_64 and PSW_MASK_32 */
+tcg_gen_deposit_i64(psw_mask, psw_mask, tsam, 31, 2);
+
+tcg_temp_free_i64(tsam);
+return EXIT_PC_STALE;
+}
+
 static ExitStatus op_sar(DisasContext *s, DisasOps *o)
 {
 int r1 = get_field(s->fields, r1);
-- 
1.7.12.4

Re: [Qemu-devel] [PATCH v4 14/47] Return path: Control commands

[Dr. David Alan Gilbert]

* Paolo Bonzini (pbonz...@redhat.com) wrote:

> > the only oddity I get from that is from the 'SEND_ACK' you suggested;
> > since all my functions to send commands are send_  I currently have
> >  'qemu_savevm_send_send_ack'  which while consistent looks a bit odd.
> 
> Perhaps ping/pong?

Done (although I'm sure I'll find 'ack' in the comments somewhere).

Dave

--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK

Re: [Qemu-devel] [PATCH] Add bootloader name to multiboot implementation

[Drew DeVault]

Ping: http://patchwork.ozlabs.org/patch/404885/

Does anyone know someone I can cc on this? This part of the code doesn't 
have a dedicated maintainer.


On 10/29/2014 11:52 PM, Drew DeVault wrote:

The name is set to "qemu".

Signed-off-by: Drew DeVault 
---
For the future, it may be useful to add a command line flag for setting this to
some user-specified value. I also considered naming it "qemu-system-i386" or
"qemu-system-x86_64" (as appropriate), but couldn't find an easy way to get
those strings and decided it didn't matter.

  hw/i386/multiboot.c | 32 +++-
  1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index 985ca1e..f86d351 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -54,6 +54,7 @@ enum {
  MBI_MODS_COUNT  = 20,
  MBI_MODS_ADDR   = 24,
  MBI_MMAP_ADDR   = 48,
+MBI_BOOTLOADER  = 64,

  MBI_SIZE= 88,

@@ -74,6 +75,7 @@ enum {
  MULTIBOOT_FLAGS_CMDLINE = 1 << 2,
  MULTIBOOT_FLAGS_MODULES = 1 << 3,
  MULTIBOOT_FLAGS_MMAP= 1 << 6,
+MULTIBOOT_FLAGS_BOOTLOADER  = 1 << 9,
  };

  typedef struct {
@@ -87,6 +89,8 @@ typedef struct {
  hwaddr offset_mbinfo;
  /* offset in buffer for cmdlines in bytes */
  hwaddr offset_cmdlines;
+/* offset in buffer for bootloader name in bytes */
+hwaddr offset_bootloader;
  /* offset of modules in bytes */
  hwaddr offset_mods;
  /* available slots for mb modules infos */
@@ -95,6 +99,8 @@ typedef struct {
  int mb_mods_count;
  } MultibootState;

+const char *bootloader_name = "qemu";
+
  static uint32_t mb_add_cmdline(MultibootState *s, const char *cmdline)
  {
  hwaddr p = s->offset_cmdlines;
@@ -105,6 +111,16 @@ static uint32_t mb_add_cmdline(MultibootState *s, const 
char *cmdline)
  return s->mb_buf_phys + p;
  }

+static uint32_t mb_add_bootloader(MultibootState *s, const char *bootloader)
+{
+hwaddr p = s->offset_bootloader;
+char *b = (char *)s->mb_buf + p;
+
+memcpy(b, bootloader, strlen(bootloader) + 1);
+s->offset_bootloader += strlen(b) + 1;
+return s->mb_buf_phys + p;
+}
+
  static void mb_add_mod(MultibootState *s,
 hwaddr start, hwaddr end,
 hwaddr cmdline_phys)
@@ -241,9 +257,10 @@ int load_multiboot(FWCfgState *fw_cfg,
  mbs.mb_buf_size = TARGET_PAGE_ALIGN(mb_kernel_size);
  mbs.offset_mbinfo = mbs.mb_buf_size;

-/* Calculate space for cmdlines and mb_mods */
+/* Calculate space for cmdlines, bootloader name, and mb_mods */
  mbs.mb_buf_size += strlen(kernel_filename) + 1;
  mbs.mb_buf_size += strlen(kernel_cmdline) + 1;
+mbs.mb_buf_size += strlen(bootloader_name) + 1;
  if (initrd_filename) {
  const char *r = initrd_filename;
  mbs.mb_buf_size += strlen(r) + 1;
@@ -257,9 +274,11 @@ int load_multiboot(FWCfgState *fw_cfg,

  mbs.mb_buf_size = TARGET_PAGE_ALIGN(mbs.mb_buf_size);

-/* enlarge mb_buf to hold cmdlines and mb-info structs */
-mbs.mb_buf  = g_realloc(mbs.mb_buf, mbs.mb_buf_size);
-mbs.offset_cmdlines = mbs.offset_mbinfo + mbs.mb_mods_avail * MB_MOD_SIZE;
+/* enlarge mb_buf to hold cmdlines, bootloader, mb-info structs */
+mbs.mb_buf= g_realloc(mbs.mb_buf, mbs.mb_buf_size);
+mbs.offset_cmdlines   = mbs.offset_mbinfo + mbs.mb_mods_avail * 
MB_MOD_SIZE;
+mbs.offset_bootloader = mbs.offset_cmdlines + strlen(kernel_filename) + 1
++ strlen(kernel_cmdline) + 1;

  if (initrd_filename) {
  char *next_initrd, not_last;
@@ -306,6 +325,8 @@ int load_multiboot(FWCfgState *fw_cfg,
   kernel_filename, kernel_cmdline);
  stl_p(bootinfo + MBI_CMDLINE, mb_add_cmdline(&mbs, kcmdline));

+stl_p(bootinfo + MBI_BOOTLOADER, mb_add_bootloader(&mbs, bootloader_name));
+
  stl_p(bootinfo + MBI_MODS_ADDR,  mbs.mb_buf_phys + mbs.offset_mbinfo);
  stl_p(bootinfo + MBI_MODS_COUNT, mbs.mb_mods_count); /* mods_count */

@@ -314,7 +335,8 @@ int load_multiboot(FWCfgState *fw_cfg,
  | MULTIBOOT_FLAGS_BOOT_DEVICE
  | MULTIBOOT_FLAGS_CMDLINE
  | MULTIBOOT_FLAGS_MODULES
-| MULTIBOOT_FLAGS_MMAP);
+| MULTIBOOT_FLAGS_MMAP
+| MULTIBOOT_FLAGS_BOOTLOADER);
  stl_p(bootinfo + MBI_BOOT_DEVICE, 0x8000); /* XXX: use the -boot 
switch? */
  stl_p(bootinfo + MBI_MMAP_ADDR,   ADDR_E820_MAP);

[Qemu-devel] [PULL 29/33] e500: Add support for eTSEC in device tree

[Alexander Graf]

This patch adds support to expose eTSEC devices in the dynamically created
guest facing device tree. This allows us to expose eTSEC devices into guests
without changes in the machine file.

Because we can now tell the guest about eTSEC devices this patch allows the
user to specify eTSEC devices via -device at all.

Signed-off-by: Alexander Graf 
---
 hw/ppc/e500.c | 43 +++
 1 file changed, 43 insertions(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 123379d..2832fc0 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -38,6 +38,7 @@
 #include "hw/pci-host/ppce500.h"
 #include "qemu/error-report.h"
 #include "hw/platform-bus.h"
+#include "hw/net/fsl_etsec/etsec.h"
 
 #define EPAPR_MAGIC(0x45504150)
 #define BINARY_DEVICE_TREE_FILE"mpc8544ds.dtb"
@@ -162,11 +163,53 @@ typedef struct PlatformDevtreeData {
 PlatformBusDevice *pbus;
 } PlatformDevtreeData;
 
+static int create_devtree_etsec(SysBusDevice *sbdev, PlatformDevtreeData *data)
+{
+eTSEC *etsec = ETSEC_COMMON(sbdev);
+PlatformBusDevice *pbus = data->pbus;
+hwaddr mmio0 = platform_bus_get_mmio_addr(pbus, sbdev, 0);
+int irq0 = platform_bus_get_irqn(pbus, sbdev, 0);
+int irq1 = platform_bus_get_irqn(pbus, sbdev, 1);
+int irq2 = platform_bus_get_irqn(pbus, sbdev, 2);
+gchar *node = g_strdup_printf("/platform/ethernet@%"PRIx64, mmio0);
+gchar *group = g_strdup_printf("%s/queue-group", node);
+void *fdt = data->fdt;
+
+assert((int64_t)mmio0 >= 0);
+assert(irq0 >= 0);
+assert(irq1 >= 0);
+assert(irq2 >= 0);
+
+qemu_fdt_add_subnode(fdt, node);
+qemu_fdt_setprop_string(fdt, node, "device_type", "network");
+qemu_fdt_setprop_string(fdt, node, "compatible", "fsl,etsec2");
+qemu_fdt_setprop_string(fdt, node, "model", "eTSEC");
+qemu_fdt_setprop(fdt, node, "local-mac-address", etsec->conf.macaddr.a, 6);
+qemu_fdt_setprop_cells(fdt, node, "fixed-link", 0, 1, 1000, 0, 0);
+
+qemu_fdt_add_subnode(fdt, group);
+qemu_fdt_setprop_cells(fdt, group, "reg", mmio0, 0x1000);
+qemu_fdt_setprop_cells(fdt, group, "interrupts",
+data->irq_start + irq0, 0x2,
+data->irq_start + irq1, 0x2,
+data->irq_start + irq2, 0x2);
+
+g_free(node);
+g_free(group);
+
+return 0;
+}
+
 static int sysbus_device_create_devtree(SysBusDevice *sbdev, void *opaque)
 {
 PlatformDevtreeData *data = opaque;
 bool matched = false;
 
+if (object_dynamic_cast(OBJECT(sbdev), TYPE_ETSEC_COMMON)) {
+create_devtree_etsec(sbdev, data);
+matched = true;
+}
+
 if (!matched) {
 error_report("Device %s is not supported by this machine yet.",
  qdev_fw_name(DEVICE(sbdev)));
-- 
1.8.1.4

[Qemu-devel] [PULL 32/33] target-ppc: Fix vcmpbfp. Unordered Case

[Alexander Graf]

From: Tom Musta 

Fix the implementation of Vector Compare Bounds Single Precision.
Specifically, fix the case where the operands are unordered -- since
the result is non-zero, the CR[6] field should be set to zero.

Signed-off-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/int_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
index 12c9ab0..4c2b71c 100644
--- a/target-ppc/int_helper.c
+++ b/target-ppc/int_helper.c
@@ -708,7 +708,7 @@ static inline void vcmpbfp_internal(CPUPPCState *env, 
ppc_avr_t *r,
 int le_rel = float32_compare_quiet(a->f[i], b->f[i], &env->vec_status);
 if (le_rel == float_relation_unordered) {
 r->u32[i] = 0xc000;
-/* ALL_IN does not need to be updated here.  */
+all_in = 1;
 } else {
 float32 bneg = float32_chs(b->f[i]);
 int ge_rel = float32_compare_quiet(a->f[i], bneg, 
&env->vec_status);
-- 
1.8.1.4

[Qemu-devel] [PULL 21/33] ppc: do not look at the MMU index to detect PR/HV mode

[Alexander Graf]

From: Paolo Bonzini 

The MMU index is an internal detail that should not be needed by the
translator (except to generate loads and stores).  Look at the MSR
directly.

Signed-off-by: Paolo Bonzini 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate.c | 165 +++--
 1 file changed, 77 insertions(+), 88 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 2b1fcbb..f0567f7 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -189,6 +189,7 @@ typedef struct DisasContext {
 uint32_t opcode;
 uint32_t exception;
 /* Routine used to access memory */
+bool pr, hv;
 int mem_idx;
 int access_type;
 /* Translation flags */
@@ -643,20 +644,6 @@ static opc_handler_t invalid_handler = {
 .handler = gen_invalid,
 };
 
-#if defined(TARGET_PPC64)
-/* NOTE: as this time, the only use of is_user_mode() is in 64 bit code.  And 
*/
-/*   so the function is wrapped in the standard 64-bit ifdef in order to  
*/
-/*   avoid compiler warnings in 32-bit implementations.   
*/
-static bool is_user_mode(DisasContext *ctx)
-{
-#if defined(CONFIG_USER_ONLY)
-return true;
-#else
-return ctx->mem_idx == 0;
-#endif
-}
-#endif
-
 /***   Integer comparison  ***/
 
 static inline void gen_op_cmp(TCGv arg0, TCGv arg1, int s, int crf)
@@ -1456,25 +1443,25 @@ static void gen_or(DisasContext *ctx)
 break;
 #if !defined(CONFIG_USER_ONLY)
 case 31:
-if (ctx->mem_idx > 0) {
+if (!ctx->pr) {
 /* Set process priority to very low */
 prio = 1;
 }
 break;
 case 5:
-if (ctx->mem_idx > 0) {
+if (!ctx->pr) {
 /* Set process priority to medium-hight */
 prio = 5;
 }
 break;
 case 3:
-if (ctx->mem_idx > 0) {
+if (!ctx->pr) {
 /* Set process priority to high */
 prio = 6;
 }
 break;
 case 7:
-if (ctx->mem_idx > 1) {
+if (ctx->hv) {
 /* Set process priority to very high */
 prio = 7;
 }
@@ -2901,7 +2888,7 @@ static void gen_lq(DisasContext *ctx)
 bool legal_in_user_mode = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
 bool le_is_supported = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
 
-if (!legal_in_user_mode && is_user_mode(ctx)) {
+if (!legal_in_user_mode && ctx->pr) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 return;
 }
@@ -3024,7 +3011,7 @@ static void gen_std(DisasContext *ctx)
 bool legal_in_user_mode = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
 bool le_is_supported = (ctx->insns_flags2 & PPC2_LSQ_ISA207) != 0;
 
-if (!legal_in_user_mode && is_user_mode(ctx)) {
+if (!legal_in_user_mode && ctx->pr) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 return;
 }
@@ -4002,14 +3989,14 @@ static void gen_mcrf(DisasContext *ctx)
 
 /***   System linkage  ***/
 
-/* rfi (mem_idx only) */
+/* rfi (supervisor only) */
 static void gen_rfi(DisasContext *ctx)
 {
 #if defined(CONFIG_USER_ONLY)
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 #else
 /* Restore CPU state */
-if (unlikely(!ctx->mem_idx)) {
+if (unlikely(ctx->pr)) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 return;
 }
@@ -4026,7 +4013,7 @@ static void gen_rfid(DisasContext *ctx)
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 #else
 /* Restore CPU state */
-if (unlikely(!ctx->mem_idx)) {
+if (unlikely(ctx->pr)) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 return;
 }
@@ -4042,7 +4029,7 @@ static void gen_hrfid(DisasContext *ctx)
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 #else
 /* Restore CPU state */
-if (unlikely(ctx->mem_idx <= 1)) {
+if (unlikely(!ctx->hv)) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_OPC);
 return;
 }
@@ -4211,7 +4198,7 @@ static void gen_mfmsr(DisasContext *ctx)
 #if defined(CONFIG_USER_ONLY)
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
 #else
-if (unlikely(!ctx->mem_idx)) {
+if (unlikely(ctx->pr)) {
 gen_inval_exception(ctx, POWERPC_EXCP_PRIV_REG);
 return;
 }
@@ -4235,9 +4222,9 @@ static inline void gen_op_mfspr(DisasContext *ctx)
 uint32_t sprn = SPR(ctx->opcode);
 
 #if !defined(CONFIG_USER_ONLY)
-if (ctx->mem_idx == 2)
+if (ctx->hv)
 read_cb = ctx->spr_cb[sprn].hea_read;
-else if (ctx->mem_idx)
+else if (!ctx->pr)
 read_cb = ctx->spr_cb[sprn].oea_read;
 else
 #endif
@@ -4315,7 +4302,7 @@ static void gen_mtmsrd(DisasContext *ctx)
 #if defined(CONFIG_USER_ONLY)

[Qemu-devel] [PULL 20/33] target-ppc: kvm: Fix memory overflow issue about strncat()

[Alexander Graf]

From: Chen Gang 

strncat() will append additional '\0' to destination buffer, so need
additional 1 byte for it, or may cause memory overflow, just like other
area within QEMU have done.

And can use g_strdup_printf() instead of strncat(), which may be more
easier understanding.

Signed-off-by: Chen Gang 
Signed-off-by: Alexander Graf 
---
 target-ppc/kvm.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 9c23c6b..6843fa0 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -1782,7 +1782,7 @@ static int kvmppc_find_cpu_dt(char *buf, int buf_len)
  * format) */
 static uint64_t kvmppc_read_int_cpu_dt(const char *propname)
 {
-char buf[PATH_MAX];
+char buf[PATH_MAX], *tmp;
 union {
 uint32_t v32;
 uint64_t v64;
@@ -1794,10 +1794,10 @@ static uint64_t kvmppc_read_int_cpu_dt(const char 
*propname)
 return -1;
 }
 
-strncat(buf, "/", sizeof(buf) - strlen(buf));
-strncat(buf, propname, sizeof(buf) - strlen(buf));
+tmp = g_strdup_printf("%s/%s", buf, propname);
 
-f = fopen(buf, "rb");
+f = fopen(tmp, "rb");
+g_free(tmp);
 if (!f) {
 return -1;
 }
-- 
1.8.1.4

[Qemu-devel] [PULL 25/33] sysbus: Expose IRQ enumeration helpers

[Alexander Graf]

Sysbus devices can get their IRQ lines connected to other devices. It is
possible to figure out which IRQ line a connection is on and whether a sysbus
device even provides an IRQ connector at a specific offset.

This patch exposes helpers to make this information publicly accessible. We
will need it for the platform bus dynamic sysbus enumeration.

Signed-off-by: Alexander Graf 
---
 hw/core/qdev.c | 11 +++
 hw/core/sysbus.c   | 21 +
 include/hw/qdev-core.h |  1 +
 include/hw/sysbus.h|  3 +++
 4 files changed, 36 insertions(+)

diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index b3d5196..413b413 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -453,6 +453,17 @@ void qdev_connect_gpio_out_named(DeviceState *dev, const 
char *name, int n,
 g_free(propname);
 }
 
+qemu_irq qdev_get_gpio_out_connector(DeviceState *dev, const char *name, int n)
+{
+char *propname = g_strdup_printf("%s[%d]",
+ name ? name : "unnamed-gpio-out", n);
+
+qemu_irq ret = (qemu_irq)object_property_get_link(OBJECT(dev), propname,
+  NULL);
+
+return ret;
+}
+
 /* disconnect a GPIO ouput, returning the disconnected input (if any) */
 
 static qemu_irq qdev_disconnect_gpio_out_named(DeviceState *dev,
diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index 7bfe381..945dec5 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -84,6 +84,27 @@ static const TypeInfo system_bus_info = {
 .class_init = system_bus_class_init,
 };
 
+/* Check whether an IRQ source exists */
+bool sysbus_has_irq(SysBusDevice *dev, int n)
+{
+char *prop = g_strdup_printf("%s[%d]", SYSBUS_DEVICE_GPIO_IRQ, n);
+ObjectProperty *r;
+
+r = object_property_find(OBJECT(dev), prop, NULL);
+return (r != NULL);
+}
+
+bool sysbus_is_irq_connected(SysBusDevice *dev, int n)
+{
+return !!sysbus_get_connected_irq(dev, n);
+}
+
+qemu_irq sysbus_get_connected_irq(SysBusDevice *dev, int n)
+{
+DeviceState *d = DEVICE(dev);
+return qdev_get_gpio_out_connector(d, SYSBUS_DEVICE_GPIO_IRQ, n);
+}
+
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq)
 {
 qdev_connect_gpio_out_named(DEVICE(dev), SYSBUS_DEVICE_GPIO_IRQ, n, irq);
diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index 00a15a3..d3a2940 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -272,6 +272,7 @@ qemu_irq qdev_get_gpio_in_named(DeviceState *dev, const 
char *name, int n);
 void qdev_connect_gpio_out(DeviceState *dev, int n, qemu_irq pin);
 void qdev_connect_gpio_out_named(DeviceState *dev, const char *name, int n,
  qemu_irq pin);
+qemu_irq qdev_get_gpio_out_connector(DeviceState *dev, const char *name, int 
n);
 qemu_irq qdev_intercept_gpio_out(DeviceState *dev, qemu_irq icpt,
  const char *name, int n);
 
diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
index 80529ff..2a3cfa7 100644
--- a/include/hw/sysbus.h
+++ b/include/hw/sysbus.h
@@ -66,7 +66,10 @@ void sysbus_pass_irq(SysBusDevice *dev, SysBusDevice 
*target);
 void sysbus_init_ioports(SysBusDevice *dev, pio_addr_t ioport, pio_addr_t 
size);
 
 
+bool sysbus_has_irq(SysBusDevice *dev, int n);
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq);
+bool sysbus_is_irq_connected(SysBusDevice *dev, int n);
+qemu_irq sysbus_get_connected_irq(SysBusDevice *dev, int n);
 void sysbus_mmio_map(SysBusDevice *dev, int n, hwaddr addr);
 void sysbus_mmio_map_overlap(SysBusDevice *dev, int n, hwaddr addr,
  int priority);
-- 
1.8.1.4

[Qemu-devel] [PULL 26/33] sysbus: Expose MMIO enumeration helper

[Alexander Graf]

Sysbus devices have a range of MMIO regions they expose. The exact number
of regions is device specific and internal information to the device model.

Expose whether a region exists via a public interface. That way our platform
bus enumeration code can dynamically determine how many regions exist.

Signed-off-by: Alexander Graf 
---
 hw/core/sysbus.c| 6 ++
 include/hw/sysbus.h | 1 +
 2 files changed, 7 insertions(+)

diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index 945dec5..84af593 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -110,6 +110,12 @@ void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq 
irq)
 qdev_connect_gpio_out_named(DEVICE(dev), SYSBUS_DEVICE_GPIO_IRQ, n, irq);
 }
 
+/* Check whether an MMIO region exists */
+bool sysbus_has_mmio(SysBusDevice *dev, unsigned int n)
+{
+return (n < dev->num_mmio);
+}
+
 static void sysbus_mmio_map_common(SysBusDevice *dev, int n, hwaddr addr,
bool may_overlap, int priority)
 {
diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
index 2a3cfa7..6175bf9 100644
--- a/include/hw/sysbus.h
+++ b/include/hw/sysbus.h
@@ -67,6 +67,7 @@ void sysbus_init_ioports(SysBusDevice *dev, pio_addr_t 
ioport, pio_addr_t size);
 
 
 bool sysbus_has_irq(SysBusDevice *dev, int n);
+bool sysbus_has_mmio(SysBusDevice *dev, unsigned int n);
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq);
 bool sysbus_is_irq_connected(SysBusDevice *dev, int n);
 qemu_irq sysbus_get_connected_irq(SysBusDevice *dev, int n);
-- 
1.8.1.4

[Qemu-devel] [PULL 23/33] sysbus: Add dynamic sysbus device search

[Alexander Graf]

Sysbus devices can be spawned by C code or dynamically via the command line.
In the latter case, we need to be able to find the dynamically created devices
to do things with them.

This patch adds a search helper that makes it easy to look for dynamically
spawned sysbus devices.

Signed-off-by: Alexander Graf 
---
 hw/core/sysbus.c| 45 +
 include/hw/sysbus.h |  5 +
 2 files changed, 50 insertions(+)

diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index e55c3c1..19437e6 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -24,6 +24,51 @@
 static void sysbus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 static char *sysbus_get_fw_dev_path(DeviceState *dev);
 
+typedef struct SysBusFind {
+void *opaque;
+FindSysbusDeviceFunc *func;
+} SysBusFind;
+
+/* Run func() for every sysbus device, traverse the tree for everything else */
+static int find_sysbus_device(Object *obj, void *opaque)
+{
+SysBusFind *find = opaque;
+Object *dev;
+SysBusDevice *sbdev;
+
+dev = object_dynamic_cast(obj, TYPE_SYS_BUS_DEVICE);
+sbdev = (SysBusDevice *)dev;
+
+if (!sbdev) {
+/* Container, traverse it for children */
+return object_child_foreach(obj, find_sysbus_device, opaque);
+}
+
+find->func(sbdev, find->opaque);
+
+return 0;
+}
+
+/*
+ * Loop through all dynamically created sysbus devices and call
+ * func() for each instance.
+ */
+void foreach_dynamic_sysbus_device(FindSysbusDeviceFunc *func, void *opaque)
+{
+Object *container;
+SysBusFind find = {
+.func = func,
+.opaque = opaque,
+};
+
+/* Loop through all sysbus devices that were spawened outside the machine 
*/
+container = container_get(qdev_get_machine(), "/peripheral");
+find_sysbus_device(container, &find);
+container = container_get(qdev_get_machine(), "/peripheral-anon");
+find_sysbus_device(container, &find);
+}
+
+
 static void system_bus_class_init(ObjectClass *klass, void *data)
 {
 BusClass *k = BUS_CLASS(klass);
diff --git a/include/hw/sysbus.h b/include/hw/sysbus.h
index 9fb1782..80529ff 100644
--- a/include/hw/sysbus.h
+++ b/include/hw/sysbus.h
@@ -57,6 +57,8 @@ struct SysBusDevice {
 pio_addr_t pio[QDEV_MAX_PIO];
 };
 
+typedef int FindSysbusDeviceFunc(SysBusDevice *sbdev, void *opaque);
+
 void sysbus_init_mmio(SysBusDevice *dev, MemoryRegion *memory);
 MemoryRegion *sysbus_mmio_get_region(SysBusDevice *dev, int n);
 void sysbus_init_irq(SysBusDevice *dev, qemu_irq *p);
@@ -72,6 +74,9 @@ void sysbus_add_io(SysBusDevice *dev, hwaddr addr,
MemoryRegion *mem);
 MemoryRegion *sysbus_address_space(SysBusDevice *dev);
 
+/* Call func for every dynamically created sysbus device in the system */
+void foreach_dynamic_sysbus_device(FindSysbusDeviceFunc *func, void *opaque);
+
 /* Legacy helper function for creating devices.  */
 DeviceState *sysbus_create_varargs(const char *name,
  hwaddr addr, ...);
-- 
1.8.1.4

[Qemu-devel] [PULL 31/33] target-ppc: Fix Altivec Shifts

[Alexander Graf]

From: Tom Musta 

Fix the implementation of the Altivec shift left and shift right
instructions (vsl, vsr) which erroneously inverts shift direction
on big endian hosts.

Signed-off-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/int_helper.c | 13 ++---
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
index 1c7e0f1..12c9ab0 100644
--- a/target-ppc/int_helper.c
+++ b/target-ppc/int_helper.c
@@ -1552,13 +1552,6 @@ void helper_vlogefp(CPUPPCState *env, ppc_avr_t *r, 
ppc_avr_t *b)
 }
 }
 
-#if defined(HOST_WORDS_BIGENDIAN)
-#define LEFT 0
-#define RIGHT 1
-#else
-#define LEFT 1
-#define RIGHT 0
-#endif
 /* The specification says that the results are undefined if all of the
  * shift counts are not identical.  We check to make sure that they are
  * to conform to what real hardware appears to do.  */
@@ -1588,11 +1581,9 @@ void helper_vlogefp(CPUPPCState *env, ppc_avr_t *r, 
ppc_avr_t *b)
 }   \
 }   \
 }
-VSHIFT(l, LEFT)
-VSHIFT(r, RIGHT)
+VSHIFT(l, 1)
+VSHIFT(r, 0)
 #undef VSHIFT
-#undef LEFT
-#undef RIGHT
 
 #define VSL(suffix, element, mask)  \
 void helper_vsl##suffix(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)   \
-- 
1.8.1.4

[Qemu-devel] [PULL 14/33] target-ppc: Use macros in opcodes table handling code

[Alexander Graf]

From: Bharata B Rao 

Define and use macros instead of direct numbers wherever
possible in ppc opcodes table handling code.

This doesn't change any code functionality.

Signed-off-by: Bharata B Rao 
Signed-off-by: Alexander Graf 
---
 target-ppc/cpu.h|  3 ++-
 target-ppc/translate_init.c | 24 ++--
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index f367344..068fcb2 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -924,7 +924,8 @@ struct ppc_segment_page_sizes {
 /* The whole PowerPC CPU context */
 #define NB_MMU_MODES 3
 
-#define PPC_CPU_OPCODES_LEN 0x40
+#define PPC_CPU_OPCODES_LEN  0x40
+#define PPC_CPU_INDIRECT_OPCODES_LEN 0x20
 
 struct CPUPPCState {
 /* First are the most commonly used resources
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 8bfd55d..3ff68ae 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -8473,14 +8473,16 @@ enum {
 PPC_INDIRECT = 1, /* Indirect opcode table */
 };
 
+#define PPC_OPCODE_MASK 0x3
+
 static inline int is_indirect_opcode (void *handler)
 {
-return ((uintptr_t)handler & 0x03) == PPC_INDIRECT;
+return ((uintptr_t)handler & PPC_OPCODE_MASK) == PPC_INDIRECT;
 }
 
 static inline opc_handler_t **ind_table(void *handler)
 {
-return (opc_handler_t **)((uintptr_t)handler & ~3);
+return (opc_handler_t **)((uintptr_t)handler & ~PPC_OPCODE_MASK);
 }
 
 /* Instruction table creation */
@@ -8497,8 +8499,8 @@ static int create_new_table (opc_handler_t **table, 
unsigned char idx)
 {
 opc_handler_t **tmp;
 
-tmp = g_new(opc_handler_t *, 0x20);
-fill_new_table(tmp, 0x20);
+tmp = g_new(opc_handler_t *, PPC_CPU_INDIRECT_OPCODES_LEN);
+fill_new_table(tmp, PPC_CPU_INDIRECT_OPCODES_LEN);
 table[idx] = (opc_handler_t *)((uintptr_t)tmp | PPC_INDIRECT);
 
 return 0;
@@ -8625,7 +8627,8 @@ static int test_opcode_table (opc_handler_t **table, int 
len)
 table[i] = &invalid_handler;
 if (table[i] != &invalid_handler) {
 if (is_indirect_opcode(table[i])) {
-tmp = test_opcode_table(ind_table(table[i]), 0x20);
+tmp = test_opcode_table(ind_table(table[i]),
+PPC_CPU_INDIRECT_OPCODES_LEN);
 if (tmp == 0) {
 free(table[i]);
 table[i] = &invalid_handler;
@@ -8643,7 +8646,7 @@ static int test_opcode_table (opc_handler_t **table, int 
len)
 
 static void fix_opcode_tables (opc_handler_t **ppc_opcodes)
 {
-if (test_opcode_table(ppc_opcodes, 0x40) == 0)
+if (test_opcode_table(ppc_opcodes, PPC_CPU_OPCODES_LEN) == 0)
 printf("*** WARNING: no opcode defined !\n");
 }
 
@@ -8654,7 +8657,7 @@ static void create_ppc_opcodes(PowerPCCPU *cpu, Error 
**errp)
 CPUPPCState *env = &cpu->env;
 opcode_t *opc;
 
-fill_new_table(env->opcodes, 0x40);
+fill_new_table(env->opcodes, PPC_CPU_OPCODES_LEN);
 for (opc = opcodes; opc < &opcodes[ARRAY_SIZE(opcodes)]; opc++) {
 if (((opc->handler.type & pcc->insns_flags) != 0) ||
 ((opc->handler.type2 & pcc->insns_flags2) != 0)) {
@@ -8680,12 +8683,12 @@ static void dump_ppc_insns (CPUPPCState *env)
 
 printf("Instructions set:\n");
 /* opc1 is 6 bits long */
-for (opc1 = 0x00; opc1 < 0x40; opc1++) {
+for (opc1 = 0x00; opc1 < PPC_CPU_OPCODES_LEN; opc1++) {
 table = env->opcodes;
 handler = table[opc1];
 if (is_indirect_opcode(handler)) {
 /* opc2 is 5 bits long */
-for (opc2 = 0; opc2 < 0x20; opc2++) {
+for (opc2 = 0; opc2 < PPC_CPU_INDIRECT_OPCODES_LEN; opc2++) {
 table = env->opcodes;
 handler = env->opcodes[opc1];
 table = ind_table(handler);
@@ -8693,7 +8696,8 @@ static void dump_ppc_insns (CPUPPCState *env)
 if (is_indirect_opcode(handler)) {
 table = ind_table(handler);
 /* opc3 is 5 bits long */
-for (opc3 = 0; opc3 < 0x20; opc3++) {
+for (opc3 = 0; opc3 < PPC_CPU_INDIRECT_OPCODES_LEN;
+opc3++) {
 handler = table[opc3];
 if (handler->handler != &gen_invalid) {
 /* Special hack to properly dump SPE insns */
-- 
1.8.1.4

[Qemu-devel] [PULL 28/33] PPC: e500: Support dynamically spawned sysbus devices

[Alexander Graf]

For e500 our approach to supporting dynamically spawned sysbus devices is to
create a simple bus from the guest's point of view within which we map those
devices dynamically.

We allocate memory regions always within the "platform" hole in address
space and map IRQs to predetermined IRQ lines that are reserved for platform
device usage.

This maps really nicely into device tree logic, so we can just tell the
guest about our virtual simple bus in device tree as well.

Signed-off-by: Alexander Graf 
---
 hw/ppc/e500.c | 100 ++
 hw/ppc/e500.h |   5 +++
 hw/ppc/e500plat.c |   6 
 3 files changed, 111 insertions(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index cfc46c4..123379d 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -36,6 +36,8 @@
 #include "exec/address-spaces.h"
 #include "qemu/host-utils.h"
 #include "hw/pci-host/ppce500.h"
+#include "qemu/error-report.h"
+#include "hw/platform-bus.h"
 
 #define EPAPR_MAGIC(0x45504150)
 #define BINARY_DEVICE_TREE_FILE"mpc8544ds.dtb"
@@ -152,6 +154,72 @@ static void create_dt_mpc8xxx_gpio(void *fdt, const char 
*soc, const char *mpic)
 g_free(poweroff);
 }
 
+typedef struct PlatformDevtreeData {
+void *fdt;
+const char *mpic;
+int irq_start;
+const char *node;
+PlatformBusDevice *pbus;
+} PlatformDevtreeData;
+
+static int sysbus_device_create_devtree(SysBusDevice *sbdev, void *opaque)
+{
+PlatformDevtreeData *data = opaque;
+bool matched = false;
+
+if (!matched) {
+error_report("Device %s is not supported by this machine yet.",
+ qdev_fw_name(DEVICE(sbdev)));
+exit(1);
+}
+
+return 0;
+}
+
+static void platform_bus_create_devtree(PPCE500Params *params, void *fdt,
+const char *mpic)
+{
+gchar *node = g_strdup_printf("/platform@%"PRIx64, 
params->platform_bus_base);
+const char platcomp[] = "qemu,platform\0simple-bus";
+uint64_t addr = params->platform_bus_base;
+uint64_t size = params->platform_bus_size;
+int irq_start = params->platform_bus_first_irq;
+PlatformBusDevice *pbus;
+DeviceState *dev;
+
+/* Create a /platform node that we can put all devices into */
+
+qemu_fdt_add_subnode(fdt, node);
+qemu_fdt_setprop(fdt, node, "compatible", platcomp, sizeof(platcomp));
+
+/* Our platform bus region is less than 32bit big, so 1 cell is enough for
+   address and size */
+qemu_fdt_setprop_cells(fdt, node, "#size-cells", 1);
+qemu_fdt_setprop_cells(fdt, node, "#address-cells", 1);
+qemu_fdt_setprop_cells(fdt, node, "ranges", 0, addr >> 32, addr, size);
+
+qemu_fdt_setprop_phandle(fdt, node, "interrupt-parent", mpic);
+
+dev = qdev_find_recursive(sysbus_get_default(), TYPE_PLATFORM_BUS_DEVICE);
+pbus = PLATFORM_BUS_DEVICE(dev);
+
+/* We can only create dt nodes for dynamic devices when they're ready */
+if (pbus->done_gathering) {
+PlatformDevtreeData data = {
+.fdt = fdt,
+.mpic = mpic,
+.irq_start = irq_start,
+.node = node,
+.pbus = pbus,
+};
+
+/* Loop through all dynamic sysbus devices and create nodes for them */
+foreach_dynamic_sysbus_device(sysbus_device_create_devtree, &data);
+}
+
+g_free(node);
+}
+
 static int ppce500_load_device_tree(MachineState *machine,
 PPCE500Params *params,
 hwaddr addr,
@@ -413,6 +481,10 @@ static int ppce500_load_device_tree(MachineState *machine,
 create_dt_mpc8xxx_gpio(fdt, soc, mpic);
 }
 
+if (params->has_platform_bus) {
+platform_bus_create_devtree(params, fdt, mpic);
+}
+
 params->fixup_devtree(params, fdt);
 
 if (toplevel_compat) {
@@ -441,6 +513,7 @@ typedef struct DeviceTreeParams {
 hwaddr initrd_size;
 hwaddr kernel_base;
 hwaddr kernel_size;
+Notifier notifier;
 } DeviceTreeParams;
 
 static void ppce500_reset_device_tree(void *opaque)
@@ -451,6 +524,12 @@ static void ppce500_reset_device_tree(void *opaque)
  false);
 }
 
+static void ppce500_init_notify(Notifier *notifier, void *data)
+{
+DeviceTreeParams *p = container_of(notifier, DeviceTreeParams, notifier);
+ppce500_reset_device_tree(p);
+}
+
 static int ppce500_prep_device_tree(MachineState *machine,
 PPCE500Params *params,
 hwaddr addr,
@@ -469,6 +548,8 @@ static int ppce500_prep_device_tree(MachineState *machine,
 p->kernel_size = kernel_size;
 
 qemu_register_reset(ppce500_reset_device_tree, p);
+p->notifier.notify = ppce500_init_notify;
+qemu_add_machine_init_done_notifier(&p->notifier);
 
 /* Issue the device tree loader once, so that we get the size of the blob 
*/
 return ppce500_load_device_tree(machine, params, addr, initrd

[Qemu-devel] [PULL 22/33] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*)

[Alexander Graf]

From: Peter Maydell 

The g_hash_table_iter_* functions for iterating through a hash table
are not present in glib 2.12, which is our current minimum requirement.
Rewrite the code to use g_hash_table_foreach() instead.

Signed-off-by: Peter Maydell 
Signed-off-by: Alexander Graf 
---
 hw/ppc/spapr_pci.c | 28 +---
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index ad0da7f..21b95b3 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -704,28 +704,34 @@ static const VMStateDescription vmstate_spapr_pci_msi = {
 },
 };
 
+static void spapr_pci_fill_msi_devs(gpointer key, gpointer value,
+gpointer opaque)
+{
+sPAPRPHBState *sphb = opaque;
+
+sphb->msi_devs[sphb->msi_devs_num].key = *(uint32_t *)key;
+sphb->msi_devs[sphb->msi_devs_num].value = *(spapr_pci_msi *)value;
+sphb->msi_devs_num++;
+}
+
 static void spapr_pci_pre_save(void *opaque)
 {
 sPAPRPHBState *sphb = opaque;
-GHashTableIter iter;
-gpointer key, value;
-int i;
+int msi_devs_num;
 
 if (sphb->msi_devs) {
 g_free(sphb->msi_devs);
 sphb->msi_devs = NULL;
 }
-sphb->msi_devs_num = g_hash_table_size(sphb->msi);
-if (!sphb->msi_devs_num) {
+sphb->msi_devs_num = 0;
+msi_devs_num = g_hash_table_size(sphb->msi);
+if (!msi_devs_num) {
 return;
 }
-sphb->msi_devs = g_malloc(sphb->msi_devs_num * sizeof(spapr_pci_msi_mig));
+sphb->msi_devs = g_malloc(msi_devs_num * sizeof(spapr_pci_msi_mig));
 
-g_hash_table_iter_init(&iter, sphb->msi);
-for (i = 0; g_hash_table_iter_next(&iter, &key, &value); ++i) {
-sphb->msi_devs[i].key = *(uint32_t *) key;
-sphb->msi_devs[i].value = *(spapr_pci_msi *) value;
-}
+g_hash_table_foreach(sphb->msi, spapr_pci_fill_msi_devs, sphb);
+assert(sphb->msi_devs_num == msi_devs_num);
 }
 
 static int spapr_pci_post_load(void *opaque, int version_id)
-- 
1.8.1.4

[Qemu-devel] [PULL 33/33] target-ppc: Fix Altivec Round Opcodes

[Alexander Graf]

From: Tom Musta 

Correct the opcodes for the vrfim, vrfin and vrfiz instructions.

Signed-off-by: Tom Musta 
Reviewed-by: Thomas Huth 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index f0567f7..910ce56 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -7238,10 +7238,10 @@ GEN_VXFORM_NOA_ENV(vrefp, 5, 4);
 GEN_VXFORM_NOA_ENV(vrsqrtefp, 5, 5);
 GEN_VXFORM_NOA_ENV(vexptefp, 5, 6);
 GEN_VXFORM_NOA_ENV(vlogefp, 5, 7);
-GEN_VXFORM_NOA_ENV(vrfim, 5, 8);
-GEN_VXFORM_NOA_ENV(vrfin, 5, 9);
+GEN_VXFORM_NOA_ENV(vrfim, 5, 11);
+GEN_VXFORM_NOA_ENV(vrfin, 5, 8);
 GEN_VXFORM_NOA_ENV(vrfip, 5, 10);
-GEN_VXFORM_NOA_ENV(vrfiz, 5, 11);
+GEN_VXFORM_NOA_ENV(vrfiz, 5, 9);
 
 #define GEN_VXFORM_SIMM(name, opc2, opc3)   \
 static void glue(gen_, name)(DisasContext *ctx)
 \
@@ -10474,10 +10474,10 @@ GEN_VXFORM_NOA(vrefp, 5, 4),
 GEN_VXFORM_NOA(vrsqrtefp, 5, 5),
 GEN_VXFORM_NOA(vexptefp, 5, 6),
 GEN_VXFORM_NOA(vlogefp, 5, 7),
-GEN_VXFORM_NOA(vrfim, 5, 8),
-GEN_VXFORM_NOA(vrfin, 5, 9),
+GEN_VXFORM_NOA(vrfim, 5, 11),
+GEN_VXFORM_NOA(vrfin, 5, 8),
 GEN_VXFORM_NOA(vrfip, 5, 10),
-GEN_VXFORM_NOA(vrfiz, 5, 11),
+GEN_VXFORM_NOA(vrfiz, 5, 9),
 
 #undef GEN_VXFORM_UIMM
 #define GEN_VXFORM_UIMM(name, opc2, opc3)   \
-- 
1.8.1.4

[Qemu-devel] [PULL 04/33] ppc: rename gen_set_cr6_from_fpscr

[Alexander Graf]

From: Paolo Bonzini 

It sets CR1, not CR6 (and the spec agrees).

Signed-off-by: Paolo Bonzini 
Reviewed-by: Tom Musta 
Tested-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index d03daea..d1deba7 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -8221,7 +8221,7 @@ static inline TCGv_ptr gen_fprp_ptr(int reg)
 }
 
 #if defined(TARGET_PPC64)
-static void gen_set_cr6_from_fpscr(DisasContext *ctx)
+static void gen_set_cr1_from_fpscr(DisasContext *ctx)
 {
 TCGv_i32 tmp = tcg_temp_new_i32();
 tcg_gen_trunc_tl_i32(tmp, cpu_fpscr);
@@ -8229,7 +8229,7 @@ static void gen_set_cr6_from_fpscr(DisasContext *ctx)
 tcg_temp_free_i32(tmp);
 }
 #else
-static void gen_set_cr6_from_fpscr(DisasContext *ctx)
+static void gen_set_cr1_from_fpscr(DisasContext *ctx)
 {
 tcg_gen_shri_tl(cpu_crf[1], cpu_fpscr, 28);
 }
@@ -8249,7 +8249,7 @@ static void gen_##name(DisasContext *ctx)\
 rb = gen_fprp_ptr(rB(ctx->opcode));  \
 gen_helper_##name(cpu_env, rd, ra, rb);  \
 if (unlikely(Rc(ctx->opcode) != 0)) {\
-gen_set_cr6_from_fpscr(ctx); \
+gen_set_cr1_from_fpscr(ctx); \
 }\
 tcg_temp_free_ptr(rd);   \
 tcg_temp_free_ptr(ra);   \
@@ -8307,7 +8307,7 @@ static void gen_##name(DisasContext *ctx) \
 u32_2 = tcg_const_i32(u32f2(ctx->opcode));\
 gen_helper_##name(cpu_env, rt, rb, u32_1, u32_2); \
 if (unlikely(Rc(ctx->opcode) != 0)) { \
-gen_set_cr6_from_fpscr(ctx);  \
+gen_set_cr1_from_fpscr(ctx);  \
 } \
 tcg_temp_free_ptr(rt);\
 tcg_temp_free_ptr(rb);\
@@ -8331,7 +8331,7 @@ static void gen_##name(DisasContext *ctx)\
 i32 = tcg_const_i32(i32fld(ctx->opcode));\
 gen_helper_##name(cpu_env, rt, ra, rb, i32); \
 if (unlikely(Rc(ctx->opcode) != 0)) {\
-gen_set_cr6_from_fpscr(ctx); \
+gen_set_cr1_from_fpscr(ctx); \
 }\
 tcg_temp_free_ptr(rt);   \
 tcg_temp_free_ptr(rb);   \
@@ -8352,7 +8352,7 @@ static void gen_##name(DisasContext *ctx)\
 rb = gen_fprp_ptr(rB(ctx->opcode));  \
 gen_helper_##name(cpu_env, rt, rb);  \
 if (unlikely(Rc(ctx->opcode) != 0)) {\
-gen_set_cr6_from_fpscr(ctx); \
+gen_set_cr1_from_fpscr(ctx); \
 }\
 tcg_temp_free_ptr(rt);   \
 tcg_temp_free_ptr(rb);   \
@@ -8373,7 +8373,7 @@ static void gen_##name(DisasContext *ctx)  \
 i32 = tcg_const_i32(i32fld(ctx->opcode));  \
 gen_helper_##name(cpu_env, rt, rs, i32);   \
 if (unlikely(Rc(ctx->opcode) != 0)) {  \
-gen_set_cr6_from_fpscr(ctx);   \
+gen_set_cr1_from_fpscr(ctx);   \
 }  \
 tcg_temp_free_ptr(rt); \
 tcg_temp_free_ptr(rs); \
-- 
1.8.1.4

[Qemu-devel] [PULL 30/33] target-ppc: simplify AES emulation

[Alexander Graf]

From: Aurelien Jarno 

This patch simplifies the AES code, by directly accessing the newly added
S-Box, InvS-Box tables instead of recreating them by using the AES_Te and
AES_Td tables.

Cc: Alexander Graf 
Cc: Paolo Bonzini 
Signed-off-by: Aurelien Jarno 
Reviewed-by: Paolo Bonzini 
Tested-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/int_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
index 83c1ad0..1c7e0f1 100644
--- a/target-ppc/int_helper.c
+++ b/target-ppc/int_helper.c
@@ -2352,7 +2352,7 @@ void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, 
ppc_avr_t *b)
 int i;
 
 VECTOR_FOR_INORDER_I(i, u8) {
-r->AVRB(i) = b->AVRB(i) ^ (AES_Te4[a->AVRB(AES_shifts[i])] & 0xFF);
+r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
 }
 }
 
@@ -2381,7 +2381,7 @@ void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, 
ppc_avr_t *b)
 int i;
 
 VECTOR_FOR_INORDER_I(i, u8) {
-r->AVRB(i) = b->AVRB(i) ^ (AES_Td4[a->AVRB(AES_ishifts[i])] & 0xFF);
+r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
 }
 }
 
-- 
1.8.1.4

[Qemu-devel] [PULL 17/33] PPC: E500: Instantiate MPC8XXX gpio controller on virt machine

[Alexander Graf]

With the e500 virt machine, we don't have to adhere to the exact hardware
layout of an mpc8544ds board. So there we can just add a qoriq compatible
GPIO controller into the system that we can add a power off hook to.

Signed-off-by: Alexander Graf 
---
 hw/ppc/e500.c | 32 
 hw/ppc/e500.h |  1 +
 hw/ppc/e500plat.c |  1 +
 3 files changed, 34 insertions(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 2157d87..304c124 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -61,6 +61,8 @@
 #define MPC8544_PCI_IO 0xE100ULL
 #define MPC8544_UTIL_OFFSET0xeULL
 #define MPC8544_SPIN_BASE  0xEF00ULL
+#define MPC8XXX_GPIO_OFFSET0x000FF000ULL
+#define MPC8XXX_GPIO_IRQ   43
 
 struct boot_info
 {
@@ -122,6 +124,23 @@ static void dt_serial_create(void *fdt, unsigned long long 
offset,
 }
 }
 
+static void create_dt_mpc8xxx_gpio(void *fdt, const char *soc, const char 
*mpic)
+{
+hwaddr mmio0 = MPC8XXX_GPIO_OFFSET;
+int irq0 = MPC8XXX_GPIO_IRQ;
+gchar *node = g_strdup_printf("%s/gpio@%"PRIx64, soc, mmio0);
+
+qemu_fdt_add_subnode(fdt, node);
+qemu_fdt_setprop_string(fdt, node, "compatible", "fsl,qoriq-gpio");
+qemu_fdt_setprop_cells(fdt, node, "reg", mmio0, 0x1000);
+qemu_fdt_setprop_cells(fdt, node, "interrupts", irq0, 0x2);
+qemu_fdt_setprop_phandle(fdt, node, "interrupt-parent", mpic);
+qemu_fdt_setprop_cells(fdt, node, "#gpio-cells", 2);
+qemu_fdt_setprop(fdt, node, "gpio-controller", NULL, 0);
+
+g_free(node);
+}
+
 static int ppce500_load_device_tree(MachineState *machine,
 PPCE500Params *params,
 hwaddr addr,
@@ -379,6 +398,10 @@ static int ppce500_load_device_tree(MachineState *machine,
 qemu_fdt_setprop_cell(fdt, pci, "#address-cells", 3);
 qemu_fdt_setprop_string(fdt, "/aliases", "pci0", pci);
 
+if (params->has_mpc8xxx_gpio) {
+create_dt_mpc8xxx_gpio(fdt, soc, mpic);
+}
+
 params->fixup_devtree(params, fdt);
 
 if (toplevel_compat) {
@@ -769,6 +792,15 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 cur_base = (32 * 1024 * 1024);
 }
 
+if (params->has_mpc8xxx_gpio) {
+dev = qdev_create(NULL, "mpc8xxx_gpio");
+s = SYS_BUS_DEVICE(dev);
+qdev_init_nofail(dev);
+sysbus_connect_irq(s, 0, mpic[MPC8XXX_GPIO_IRQ]);
+memory_region_add_subregion(ccsr_addr_space, MPC8XXX_GPIO_OFFSET,
+sysbus_mmio_get_region(s, 0));
+}
+
 /* Load kernel. */
 if (machine->kernel_filename) {
 kernel_base = cur_base;
diff --git a/hw/ppc/e500.h b/hw/ppc/e500.h
index 08b25fa..83c5b8b 100644
--- a/hw/ppc/e500.h
+++ b/hw/ppc/e500.h
@@ -11,6 +11,7 @@ typedef struct PPCE500Params {
 void (*fixup_devtree)(struct PPCE500Params *params, void *fdt);
 
 int mpic_version;
+bool has_mpc8xxx_gpio;
 } PPCE500Params;
 
 void ppce500_init(MachineState *machine, PPCE500Params *params);
diff --git a/hw/ppc/e500plat.c b/hw/ppc/e500plat.c
index 27df31d..bafb56d 100644
--- a/hw/ppc/e500plat.c
+++ b/hw/ppc/e500plat.c
@@ -35,6 +35,7 @@ static void e500plat_init(MachineState *machine)
 .pci_nr_slots = PCI_SLOT_MAX - 1,
 .fixup_devtree = e500plat_fixup_devtree,
 .mpic_version = OPENPIC_MODEL_FSL_MPIC_42,
+.has_mpc8xxx_gpio = true,
 };
 
 /* Older KVM versions don't support EPR which breaks guests when we 
announce
-- 
1.8.1.4

[Qemu-devel] [PULL 09/33] spapr: Cleanup machine naming conventions, and prepare for 2.2 release

[Alexander Graf]

From: David Gibson 

As of qemu-2.1, spapr/pseries, has a set of versioned machine classes to
represent the machine type as it appeared to the guest in different qemu
versions.  This allows for safe migration of guests between current and
future qemu versions.

However, these are organized a bit differently from those for PC: on PC,
the default plain "pc" machine type is just an alias for the most recent
versioned machine type.  In sPAPR, it names the base machine class from
which the versioned types are derived.

The PC approach is preferable; it makes it clearer which explicit version
is the current one.  Additionally updating the "current" machine as the
base class makes it even more likely than otherwise to incorrectly alter
the versioned machines' behaviour when updating the current machine.

Therefore this patch changes sPAPR to the PC approach - the base class
becomes abstract, and plain "pseries" becomes an alias for the most
recent versioned machine class.  Since qemu-2.1 is now released, we also
create a new pseries-2.2 machine type, to incorporate changes during this
development cycle (for now it is identical to pseries-2.1).

Signed-off-by: David Gibson 
Signed-off-by: Alexander Graf 
---
 hw/ppc/spapr.c | 22 ++
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 0a2bfe6..2a78075 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1660,9 +1660,6 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 FWPathProviderClass *fwc = FW_PATH_PROVIDER_CLASS(oc);
 NMIClass *nc = NMI_CLASS(oc);
 
-mc->name = "pseries";
-mc->desc = "pSeries Logical Partition (PAPR compliant)";
-mc->is_default = 1;
 mc->init = ppc_spapr_init;
 mc->reset = ppc_spapr_reset;
 mc->block_default_type = IF_SCSI;
@@ -1678,6 +1675,7 @@ static void spapr_machine_class_init(ObjectClass *oc, 
void *data)
 static const TypeInfo spapr_machine_info = {
 .name  = TYPE_SPAPR_MACHINE,
 .parent= TYPE_MACHINE,
+.abstract  = true,
 .instance_size = sizeof(sPAPRMachineState),
 .instance_init = spapr_machine_initfn,
 .class_init= spapr_machine_class_init,
@@ -1698,7 +1696,6 @@ static void spapr_machine_2_1_class_init(ObjectClass *oc, 
void *data)
 
 mc->name = "pseries-2.1";
 mc->desc = "pSeries Logical Partition (PAPR compliant) v2.1";
-mc->is_default = 0;
 mc->compat_props = compat_props;
 }
 
@@ -1708,10 +1705,27 @@ static const TypeInfo spapr_machine_2_1_info = {
 .class_init= spapr_machine_2_1_class_init,
 };
 
+static void spapr_machine_2_2_class_init(ObjectClass *oc, void *data)
+{
+MachineClass *mc = MACHINE_CLASS(oc);
+
+mc->name = "pseries-2.2";
+mc->desc = "pSeries Logical Partition (PAPR compliant) v2.2";
+mc->alias = "pseries";
+mc->is_default = 1;
+}
+
+static const TypeInfo spapr_machine_2_2_info = {
+.name  = TYPE_SPAPR_MACHINE "2.2",
+.parent= TYPE_SPAPR_MACHINE,
+.class_init= spapr_machine_2_2_class_init,
+};
+
 static void spapr_machine_register_types(void)
 {
 type_register_static(&spapr_machine_info);
 type_register_static(&spapr_machine_2_1_info);
+type_register_static(&spapr_machine_2_2_info);
 }
 
 type_init(spapr_machine_register_types)
-- 
1.8.1.4

[Qemu-devel] [PULL 15/33] target-ppc: Fix an invalid free in opcode table handling code.

[Alexander Graf]

From: Bharata B Rao 

Opcode table has direct, indirect and double indirect handlers, but
ppc_cpu_unrealizefn() frees direct handlers which are never allocated
and never frees double indirect handlers.

Signed-off-by: Bharata B Rao 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate_init.c | 19 ---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 3ff68ae..20d58c0 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -9132,11 +9132,24 @@ static void ppc_cpu_unrealizefn(DeviceState *dev, Error 
**errp)
 {
 PowerPCCPU *cpu = POWERPC_CPU(dev);
 CPUPPCState *env = &cpu->env;
-int i;
+opc_handler_t **table;
+int i, j;
 
 for (i = 0; i < PPC_CPU_OPCODES_LEN; i++) {
-if (env->opcodes[i] != &invalid_handler) {
-g_free(env->opcodes[i]);
+if (env->opcodes[i] == &invalid_handler) {
+continue;
+}
+if (is_indirect_opcode(env->opcodes[i])) {
+table = ind_table(env->opcodes[i]);
+for (j = 0; j < PPC_CPU_INDIRECT_OPCODES_LEN; j++) {
+if (table[j] != &invalid_handler &&
+is_indirect_opcode(table[j])) {
+g_free((opc_handler_t *)((uintptr_t)table[j] &
+~PPC_INDIRECT));
+}
+}
+g_free((opc_handler_t *)((uintptr_t)env->opcodes[i] &
+~PPC_INDIRECT));
 }
 }
 }
-- 
1.8.1.4

[Qemu-devel] [PULL 13/33] hw/pci/ppc4xx_pci.c: Remove unused pci4xx_cfgaddr_read/write/ops

[Alexander Graf]

From: Peter Maydell 

The MemoryRegionOps struct pci4xx_cfgaddr_ops and the read and
write functions it references are all unused; remove them.

Signed-off-by: Peter Maydell 
Signed-off-by: Alexander Graf 
---
 hw/ppc/ppc4xx_pci.c | 24 
 1 file changed, 24 deletions(-)

diff --git a/hw/ppc/ppc4xx_pci.c b/hw/ppc/ppc4xx_pci.c
index 55a3cab..0bb3cdb 100644
--- a/hw/ppc/ppc4xx_pci.c
+++ b/hw/ppc/ppc4xx_pci.c
@@ -92,30 +92,6 @@ typedef struct PPC4xxPCIState PPC4xxPCIState;
 
 #define PCI_ALL_SIZE(PCI_REG_BASE + PCI_REG_SIZE)
 
-static uint64_t pci4xx_cfgaddr_read(void *opaque, hwaddr addr,
-unsigned size)
-{
-PPC4xxPCIState *ppc4xx_pci = opaque;
-PCIHostState *phb = PCI_HOST_BRIDGE(ppc4xx_pci);
-
-return phb->config_reg;
-}
-
-static void pci4xx_cfgaddr_write(void *opaque, hwaddr addr,
-  uint64_t value, unsigned size)
-{
-PPC4xxPCIState *ppc4xx_pci = opaque;
-PCIHostState *phb = PCI_HOST_BRIDGE(ppc4xx_pci);
-
-phb->config_reg = value & ~0x3;
-}
-
-static const MemoryRegionOps pci4xx_cfgaddr_ops = {
-.read = pci4xx_cfgaddr_read,
-.write = pci4xx_cfgaddr_write,
-.endianness = DEVICE_LITTLE_ENDIAN,
-};
-
 static void ppc4xx_pci_reg_write4(void *opaque, hwaddr offset,
   uint64_t value, unsigned size)
 {
-- 
1.8.1.4

[Qemu-devel] [PULL 08/33] target-ppc: virtex-ml507 machine type should depend on CONFIG_XILINX

[Alexander Graf]

From: David Gibson 

The virtex-ml507 is a Xilinx CPU based system, and requires several sub
devices which are only included with CONFIG_XILINX.  Therefore, it should
only be compiled if CONFIG_XILINX is set.

Signed-off-by: David Gibson 
Reviewed-by: Peter Crosthwaite 
Signed-off-by: Alexander Graf 
---
 hw/ppc/Makefile.objs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
index edd44d0..19d9920 100644
--- a/hw/ppc/Makefile.objs
+++ b/hw/ppc/Makefile.objs
@@ -20,4 +20,4 @@ obj-$(CONFIG_MAC) += mac_newworld.o
 obj-$(CONFIG_E500) += e500.o mpc8544ds.o e500plat.o
 obj-$(CONFIG_E500) += mpc8544_guts.o ppce500_spin.o
 # PowerPC 440 Xilinx ML507 reference board.
-obj-y += virtex_ml507.o
+obj-$(CONFIG_XILINX) += virtex_ml507.o
-- 
1.8.1.4

[Qemu-devel] [PULL 27/33] sysbus: Add new platform bus helper device

[Alexander Graf]

We need to support spawning of sysbus devices dynamically via the command line.
The easiest way to represent these dynamically spawned devices in the guest's
memory and IRQ layout is by preallocating some space for dynamic sysbus devices.

This is what the "platform bus" device does. It is a sysbus device that exports
a configurably sized MMIO region and a configurable number of IRQ lines. When
this device encounters sysbus devices that have been dynamically created and not
manually wired up, it dynamically connects them to its own pool of resources.

The machine model can then loop through all of these devices and create a guest
configuration (device tree) to make them visible to the guest.

Signed-off-by: Alexander Graf 
---
 hw/core/Makefile.objs |   1 +
 hw/core/platform-bus.c| 253 ++
 include/hw/platform-bus.h |  57 +++
 3 files changed, 311 insertions(+)
 create mode 100644 hw/core/platform-bus.c
 create mode 100644 include/hw/platform-bus.h

diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs
index 17845df..9dce1bc 100644
--- a/hw/core/Makefile.objs
+++ b/hw/core/Makefile.objs
@@ -14,3 +14,4 @@ common-obj-$(CONFIG_SOFTMMU) += machine.o
 common-obj-$(CONFIG_SOFTMMU) += null-machine.o
 common-obj-$(CONFIG_SOFTMMU) += loader.o
 common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o
+common-obj-$(CONFIG_SOFTMMU) += platform-bus.o
diff --git a/hw/core/platform-bus.c b/hw/core/platform-bus.c
new file mode 100644
index 000..0f052b3
--- /dev/null
+++ b/hw/core/platform-bus.c
@@ -0,0 +1,253 @@
+/*
+ *  Platform Bus device to support dynamic Sysbus devices
+ *
+ * Copyright (C) 2014 Freescale Semiconductor, Inc. All rights reserved.
+ *
+ * Author: Alexander Graf, 
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "hw/platform-bus.h"
+#include "monitor/monitor.h"
+#include "exec/address-spaces.h"
+#include "sysemu/sysemu.h"
+
+
+/*
+ * Returns the PlatformBus IRQ number for a SysBusDevice irq number or -1 if
+ * the IRQ is not mapped on this Platform bus.
+ */
+int platform_bus_get_irqn(PlatformBusDevice *pbus, SysBusDevice *sbdev,
+  int n)
+{
+qemu_irq sbirq = sysbus_get_connected_irq(sbdev, n);
+int i;
+
+for (i = 0; i < pbus->num_irqs; i++) {
+if (pbus->irqs[i] == sbirq) {
+return i;
+}
+}
+
+/* IRQ not mapped on platform bus */
+return -1;
+}
+
+/*
+ * Returns the PlatformBus MMIO region offset for Region n of a SysBusDevice or
+ * -1 if the region is not mapped on this Platform bus.
+ */
+hwaddr platform_bus_get_mmio_addr(PlatformBusDevice *pbus, SysBusDevice *sbdev,
+  int n)
+{
+MemoryRegion *pbus_mr = &pbus->mmio;
+MemoryRegion *sbdev_mr = sysbus_mmio_get_region(sbdev, n);
+Object *pbus_mr_obj = OBJECT(pbus_mr);
+Object *parent_mr;
+
+if (!memory_region_is_mapped(sbdev_mr)) {
+/* Region is not mapped? */
+return -1;
+}
+
+parent_mr = object_property_get_link(OBJECT(sbdev_mr), "container", NULL);
+
+assert(parent_mr);
+if (parent_mr != pbus_mr_obj) {
+/* MMIO region is not mapped on platform bus */
+return -1;
+}
+
+return object_property_get_int(OBJECT(sbdev_mr), "addr", NULL);
+}
+
+static int platform_bus_count_irqs(SysBusDevice *sbdev, void *opaque)
+{
+PlatformBusDevice *pbus = opaque;
+qemu_irq sbirq;
+int n, i;
+
+for (n = 0; ; n++) {
+if (!sysbus_has_irq(sbdev, n)) {
+break;
+}
+
+sbirq = sysbus_get_connected_irq(sbdev, n);
+for (i = 0; i < pbus->num_irqs; i++) {
+if (pbus->irqs[i] == sbirq) {
+bitmap_set(pbus->used_irqs, i, 1);
+break;
+}
+}
+}
+
+return 0;
+}
+
+/*
+ * Loop through all sysbus devices and look for unassigned IRQ lines as well as
+ * unassociated MMIO regions. Connect them to the platform bus if available.
+ */
+static void plaform_bus_refresh_irqs(PlatformBusDevice *pbus)
+{
+bitmap_zero(pbus->used_irqs, pbus->num_irqs);
+foreach_dynamic_sysbus_device(platform_bus_count_irqs, pbus);
+pbus->done_gathering = true;
+}
+
+static int platform_bus_map_irq(PlatformBusDevice *pbus, SysBusDevice *sbdev,
+int n)
+{
+int 

[Qemu-devel] [PULL 24/33] sysbus: Make devices spawnable via -device

[Alexander Graf]

Now that we can properly map sysbus devices that haven't been connected to
something forcefully by C code, we can allow the -device command line option
to spawn them.

For machines that don't implement dynamic sysbus assignment in their board
files we add a new bool "has_dynamic_sysbus" to the machine class.
When that property is false (default), we bail out when we see dynamically
spawned sysbus devices, like we did before.

Signed-off-by: Alexander Graf 
---
 hw/core/machine.c   | 34 ++
 hw/core/sysbus.c|  7 ---
 include/hw/boards.h |  8 ++--
 vl.c|  1 +
 4 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index 7f3418c..19d3e3a 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -12,6 +12,9 @@
 
 #include "hw/boards.h"
 #include "qapi/visitor.h"
+#include "hw/sysbus.h"
+#include "sysemu/sysemu.h"
+#include "qemu/error-report.h"
 
 static char *machine_get_accel(Object *obj, Error **errp)
 {
@@ -257,8 +260,35 @@ static void machine_set_iommu(Object *obj, bool value, 
Error **errp)
 ms->iommu = value;
 }
 
+static int error_on_sysbus_device(SysBusDevice *sbdev, void *opaque)
+{
+error_report("Option '-device %s' cannot be handled by this machine",
+ object_class_get_name(object_get_class(OBJECT(sbdev;
+exit(1);
+}
+
+static void machine_init_notify(Notifier *notifier, void *data)
+{
+Object *machine = qdev_get_machine();
+ObjectClass *oc = object_get_class(machine);
+MachineClass *mc = MACHINE_CLASS(oc);
+
+if (mc->has_dynamic_sysbus) {
+/* Our machine can handle dynamic sysbus devices, we're all good */
+return;
+}
+
+/*
+ * Loop through all dynamically created devices and check whether there
+ * are sysbus devices among them. If there are, error out.
+ */
+foreach_dynamic_sysbus_device(error_on_sysbus_device, NULL);
+}
+
 static void machine_initfn(Object *obj)
 {
+MachineState *ms = MACHINE(obj);
+
 object_property_add_str(obj, "accel",
 machine_get_accel, machine_set_accel, NULL);
 object_property_add_bool(obj, "kernel-irqchip",
@@ -303,6 +333,10 @@ static void machine_initfn(Object *obj)
 object_property_add_bool(obj, "iommu",
  machine_get_iommu,
  machine_set_iommu, NULL);
+
+/* Register notifier when init is done for sysbus sanity checks */
+ms->sysbus_notifier.notify = machine_init_notify;
+qemu_add_machine_init_done_notifier(&ms->sysbus_notifier);
 }
 
 static void machine_finalize(Object *obj)
diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
index 19437e6..7bfe381 100644
--- a/hw/core/sysbus.c
+++ b/hw/core/sysbus.c
@@ -283,13 +283,6 @@ static void sysbus_device_class_init(ObjectClass *klass, 
void *data)
 DeviceClass *k = DEVICE_CLASS(klass);
 k->init = sysbus_device_init;
 k->bus_type = TYPE_SYSTEM_BUS;
-/*
- * device_add plugs devices into suitable bus.  For "real" buses,
- * that actually connects the device.  For sysbus, the connections
- * need to be made separately, and device_add can't do that.  The
- * device would be left unconnected, and could not possibly work.
- */
-k->cannot_instantiate_with_device_add_yet = true;
 }
 
 static const TypeInfo sysbus_device_type_info = {
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 99a172d..e0a6790 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -36,7 +36,8 @@ struct QEMUMachine {
 use_sclp:1,
 no_floppy:1,
 no_cdrom:1,
-no_sdcard:1;
+no_sdcard:1,
+has_dynamic_sysbus:1;
 int is_default;
 const char *default_machine_opts;
 const char *default_boot_order;
@@ -97,7 +98,8 @@ struct MachineClass {
 use_sclp:1,
 no_floppy:1,
 no_cdrom:1,
-no_sdcard:1;
+no_sdcard:1,
+has_dynamic_sysbus:1;
 int is_default;
 const char *default_machine_opts;
 const char *default_boot_order;
@@ -115,6 +117,8 @@ struct MachineClass {
 struct MachineState {
 /*< private >*/
 Object parent_obj;
+Notifier sysbus_notifier;
+
 /*< public >*/
 
 char *accel;
diff --git a/vl.c b/vl.c
index 8999f36..f4a6e5e 100644
--- a/vl.c
+++ b/vl.c
@@ -1441,6 +1441,7 @@ static void machine_class_init(ObjectClass *oc, void 
*data)
 mc->no_floppy = qm->no_floppy;
 mc->no_cdrom = qm->no_cdrom;
 mc->no_sdcard = qm->no_sdcard;
+mc->has_dynamic_sysbus = qm->has_dynamic_sysbus;
 mc->is_default = qm->is_default;
 mc->default_machine_opts = qm->default_machine_opts;
 mc->default_boot_order = qm->default_boot_order;
-- 
1.8.1.4

[Qemu-devel] [PULL 11/33] target-ppc : Allow fc[tf]id[*] mnemonics for non TARGET_PPC64

[Alexander Graf]

From: Pierre Mallard 

This patch remove limitation for fc[tf]id[*] on 32 bits targets and
add a new insn flag for signed integer 64 conversion PPC2_FP_CVT_S64

Signed-off-by: Pierre Mallard 
Signed-off-by: Alexander Graf 
---
 target-ppc/cpu.h|  5 -
 target-ppc/fpu_helper.c |  6 --
 target-ppc/helper.h |  2 --
 target-ppc/translate.c  | 16 ++--
 target-ppc/translate_init.c |  9 ++---
 5 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 8724561..f367344 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -2007,13 +2007,16 @@ enum {
 PPC2_ALTIVEC_207   = 0x4000ULL,
 /* PowerISA 2.07 Book3s specification*/
 PPC2_ISA207S   = 0x8000ULL,
+/* Double precision floating point conversion for signed integer 64  */
+PPC2_FP_CVT_S64= 0x0001ULL,
 
 #define PPC_TCG_INSNS2 (PPC2_BOOKE206 | PPC2_VSX | PPC2_PRCNTL | PPC2_DBRX | \
 PPC2_ISA205 | PPC2_VSX207 | PPC2_PERM_ISA206 | \
 PPC2_DIVE_ISA206 | PPC2_ATOMIC_ISA206 | \
 PPC2_FP_CVT_ISA206 | PPC2_FP_TST_ISA206 | \
 PPC2_BCTAR_ISA207 | PPC2_LSQ_ISA207 | \
-PPC2_ALTIVEC_207 | PPC2_ISA207S | PPC2_DFP)
+PPC2_ALTIVEC_207 | PPC2_ISA207S | PPC2_DFP | \
+PPC2_FP_CVT_S64)
 };
 
 /*/
diff --git a/target-ppc/fpu_helper.c b/target-ppc/fpu_helper.c
index da93d12..7f74466 100644
--- a/target-ppc/fpu_helper.c
+++ b/target-ppc/fpu_helper.c
@@ -649,14 +649,10 @@ FPU_FCTI(fctiw, int32, 0x8000U)
 FPU_FCTI(fctiwz, int32_round_to_zero, 0x8000U)
 FPU_FCTI(fctiwu, uint32, 0xU)
 FPU_FCTI(fctiwuz, uint32_round_to_zero, 0xU)
-#if defined(TARGET_PPC64)
 FPU_FCTI(fctid, int64, 0x8000ULL)
 FPU_FCTI(fctidz, int64_round_to_zero, 0x8000ULL)
 FPU_FCTI(fctidu, uint64, 0xULL)
 FPU_FCTI(fctiduz, uint64_round_to_zero, 0xULL)
-#endif
-
-#if defined(TARGET_PPC64)
 
 #define FPU_FCFI(op, cvtr, is_single)  \
 uint64_t helper_##op(CPUPPCState *env, uint64_t arg)   \
@@ -678,8 +674,6 @@ FPU_FCFI(fcfids, int64_to_float32, 1)
 FPU_FCFI(fcfidu, uint64_to_float64, 0)
 FPU_FCFI(fcfidus, uint64_to_float32, 1)
 
-#endif
-
 static inline uint64_t do_fri(CPUPPCState *env, uint64_t arg,
   int rounding_mode)
 {
diff --git a/target-ppc/helper.h b/target-ppc/helper.h
index 0cfdc8a..210fd97 100644
--- a/target-ppc/helper.h
+++ b/target-ppc/helper.h
@@ -66,7 +66,6 @@ DEF_HELPER_2(fctiw, i64, env, i64)
 DEF_HELPER_2(fctiwu, i64, env, i64)
 DEF_HELPER_2(fctiwz, i64, env, i64)
 DEF_HELPER_2(fctiwuz, i64, env, i64)
-#if defined(TARGET_PPC64)
 DEF_HELPER_2(fcfid, i64, env, i64)
 DEF_HELPER_2(fcfidu, i64, env, i64)
 DEF_HELPER_2(fcfids, i64, env, i64)
@@ -75,7 +74,6 @@ DEF_HELPER_2(fctid, i64, env, i64)
 DEF_HELPER_2(fctidu, i64, env, i64)
 DEF_HELPER_2(fctidz, i64, env, i64)
 DEF_HELPER_2(fctiduz, i64, env, i64)
-#endif
 DEF_HELPER_2(frsp, i64, env, i64)
 DEF_HELPER_2(frin, i64, env, i64)
 DEF_HELPER_2(friz, i64, env, i64)
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index ff0dc13..2b1fcbb 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -2287,9 +2287,8 @@ GEN_FLOAT_B(ctiwz, 0x0F, 0x00, 0, PPC_FLOAT);
 GEN_FLOAT_B(ctiwuz, 0x0F, 0x04, 0, PPC2_FP_CVT_ISA206);
 /* frsp */
 GEN_FLOAT_B(rsp, 0x0C, 0x00, 1, PPC_FLOAT);
-#if defined(TARGET_PPC64)
 /* fcfid */
-GEN_FLOAT_B(cfid, 0x0E, 0x1A, 1, PPC_64B);
+GEN_FLOAT_B(cfid, 0x0E, 0x1A, 1, PPC2_FP_CVT_S64);
 /* fcfids */
 GEN_FLOAT_B(cfids, 0x0E, 0x1A, 0, PPC2_FP_CVT_ISA206);
 /* fcfidu */
@@ -2297,14 +2296,13 @@ GEN_FLOAT_B(cfidu, 0x0E, 0x1E, 0, PPC2_FP_CVT_ISA206);
 /* fcfidus */
 GEN_FLOAT_B(cfidus, 0x0E, 0x1E, 0, PPC2_FP_CVT_ISA206);
 /* fctid */
-GEN_FLOAT_B(ctid, 0x0E, 0x19, 0, PPC_64B);
+GEN_FLOAT_B(ctid, 0x0E, 0x19, 0, PPC2_FP_CVT_S64);
 /* fctidu */
 GEN_FLOAT_B(ctidu, 0x0E, 0x1D, 0, PPC2_FP_CVT_ISA206);
 /* fctidz */
-GEN_FLOAT_B(ctidz, 0x0F, 0x19, 0, PPC_64B);
+GEN_FLOAT_B(ctidz, 0x0F, 0x19, 0, PPC2_FP_CVT_S64);
 /* fctidu */
 GEN_FLOAT_B(ctiduz, 0x0F, 0x1D, 0, PPC2_FP_CVT_ISA206);
-#endif
 
 /* frin */
 GEN_FLOAT_B(rin, 0x08, 0x0C, 1, PPC_FLOAT_EXT);
@@ -10091,16 +10089,14 @@ GEN_HANDLER_E(fctiwu, 0x3F, 0x0E, 0x04, 0, PPC_NONE, 
PPC2_FP_CVT_ISA206),
 GEN_FLOAT_B(ctiwz, 0x0F, 0x00, 0, PPC_FLOAT),
 GEN_HANDLER_E(fctiwuz, 0x3F, 0x0F, 0x04, 0, PPC_NONE, PPC2_FP_CVT_ISA206),
 GEN_FLOAT_B(rsp, 0x0C, 0x00, 1, PPC_FLOAT),
-#if defined(TARGET_PPC64)
-GEN_FLOAT_B(cfid, 0x0E, 0x1A, 1, PPC_64B),
+GEN_HANDLER_E(fcfid, 0x3F, 0x0E, 0x1A, 0x001F, PPC_NONE, PPC2_FP_CVT_S64),
 GEN_HANDLER_E(fcfids, 0x3B, 0x0E, 0x1A, 0, PPC_NONE, PPC2_FP_CVT_ISA206),
 GEN_HANDLER_E(fcfidu, 0x3F, 0x0

[Qemu-devel] [PULL 05/33] ppc: compute mask from BI using right shift

[Alexander Graf]

From: Paolo Bonzini 

This will match the code we use in fpu_helper.c when we flip
CRF_* bit-endianness.

Signed-off-by: Paolo Bonzini 
Reviewed-by: Tom Musta 
Tested-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index d1deba7..ff0dc13 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -784,7 +784,7 @@ static void gen_isel(DisasContext *ctx)
 l1 = gen_new_label();
 l2 = gen_new_label();
 
-mask = 1 << (3 - (bi & 0x03));
+mask = 0x08 >> (bi & 0x03);
 t0 = tcg_temp_new_i32();
 tcg_gen_andi_i32(t0, cpu_crf[bi >> 2], mask);
 tcg_gen_brcondi_i32(TCG_COND_EQ, t0, 0, l1);
@@ -3889,7 +3889,7 @@ static inline void gen_bcond(DisasContext *ctx, int type)
 if ((bo & 0x10) == 0) {
 /* Test CR */
 uint32_t bi = BI(ctx->opcode);
-uint32_t mask = 1 << (3 - (bi & 0x03));
+uint32_t mask = 0x08 >> (bi & 0x03);
 TCGv_i32 temp = tcg_temp_new_i32();
 
 if (bo & 0x8) {
@@ -3971,7 +3971,7 @@ static void glue(gen_, name)(DisasContext *ctx)
 else  \
 tcg_gen_mov_i32(t1, cpu_crf[crbB(ctx->opcode) >> 2]); \
 tcg_op(t0, t0, t1);   \
-bitmask = 1 << (3 - (crbD(ctx->opcode) & 0x03));  \
+bitmask = 0x08 >> (crbD(ctx->opcode) & 0x03); \
 tcg_gen_andi_i32(t0, t0, bitmask);\
 tcg_gen_andi_i32(t1, cpu_crf[crbD(ctx->opcode) >> 2], ~bitmask);  \
 tcg_gen_or_i32(cpu_crf[crbD(ctx->opcode) >> 2], t0, t1);  \
-- 
1.8.1.4

[Qemu-devel] [PULL 18/33] PPC: E500: Hook up power off GPIO to GPIO controller

[Alexander Graf]

Now that we have a working GPIO controller on the virt machine, we can use
one pin to notify QEMU that the guests wants to power off the system.

Signed-off-by: Alexander Graf 
---
 hw/ppc/e500.c | 24 
 1 file changed, 24 insertions(+)

diff --git a/hw/ppc/e500.c b/hw/ppc/e500.c
index 304c124..cfc46c4 100644
--- a/hw/ppc/e500.c
+++ b/hw/ppc/e500.c
@@ -129,6 +129,8 @@ static void create_dt_mpc8xxx_gpio(void *fdt, const char 
*soc, const char *mpic)
 hwaddr mmio0 = MPC8XXX_GPIO_OFFSET;
 int irq0 = MPC8XXX_GPIO_IRQ;
 gchar *node = g_strdup_printf("%s/gpio@%"PRIx64, soc, mmio0);
+gchar *poweroff = g_strdup_printf("%s/power-off", soc);
+int gpio_ph;
 
 qemu_fdt_add_subnode(fdt, node);
 qemu_fdt_setprop_string(fdt, node, "compatible", "fsl,qoriq-gpio");
@@ -137,8 +139,17 @@ static void create_dt_mpc8xxx_gpio(void *fdt, const char 
*soc, const char *mpic)
 qemu_fdt_setprop_phandle(fdt, node, "interrupt-parent", mpic);
 qemu_fdt_setprop_cells(fdt, node, "#gpio-cells", 2);
 qemu_fdt_setprop(fdt, node, "gpio-controller", NULL, 0);
+gpio_ph = qemu_fdt_alloc_phandle(fdt);
+qemu_fdt_setprop_cell(fdt, node, "phandle", gpio_ph);
+qemu_fdt_setprop_cell(fdt, node, "linux,phandle", gpio_ph);
+
+/* Power Off Pin */
+qemu_fdt_add_subnode(fdt, poweroff);
+qemu_fdt_setprop_string(fdt, poweroff, "compatible", "gpio-poweroff");
+qemu_fdt_setprop_cells(fdt, poweroff, "gpios", gpio_ph, 0, 0);
 
 g_free(node);
+g_free(poweroff);
 }
 
 static int ppce500_load_device_tree(MachineState *machine,
@@ -641,6 +652,13 @@ static qemu_irq *ppce500_init_mpic(PPCE500Params *params, 
MemoryRegion *ccsr,
 return mpic;
 }
 
+static void ppce500_power_off(void *opaque, int line, int on)
+{
+if (on) {
+qemu_system_shutdown_request();
+}
+}
+
 void ppce500_init(MachineState *machine, PPCE500Params *params)
 {
 MemoryRegion *address_space_mem = get_system_memory();
@@ -793,12 +811,18 @@ void ppce500_init(MachineState *machine, PPCE500Params 
*params)
 }
 
 if (params->has_mpc8xxx_gpio) {
+qemu_irq poweroff_irq;
+
 dev = qdev_create(NULL, "mpc8xxx_gpio");
 s = SYS_BUS_DEVICE(dev);
 qdev_init_nofail(dev);
 sysbus_connect_irq(s, 0, mpic[MPC8XXX_GPIO_IRQ]);
 memory_region_add_subregion(ccsr_addr_space, MPC8XXX_GPIO_OFFSET,
 sysbus_mmio_get_region(s, 0));
+
+/* Power Off GPIO at Pin 0 */
+poweroff_irq = qemu_allocate_irq(ppce500_power_off, NULL, 0);
+qdev_connect_gpio_out(dev, 0, poweroff_irq);
 }
 
 /* Load kernel. */
-- 
1.8.1.4

[Qemu-devel] [PULL 07/33] target-ppc: Implement IVOR[59] By Default for Book E

[Alexander Graf]

From: Tom Musta 

Adjust the IVOR mask for generic Book E implementation to support bit 59.
This is consistent with the Power ISA.

Signed-off-by: Tom Musta 
Reported-by: Pierre Mallard 
Signed-off-by: Alexander Graf 
---
 target-ppc/translate_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 0530b0b..9a2e788 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -2786,7 +2786,7 @@ static void init_excp_BookE (CPUPPCState *env)
 env->excp_vectors[POWERPC_EXCP_DTLB] = 0x;
 env->excp_vectors[POWERPC_EXCP_ITLB] = 0x;
 env->excp_vectors[POWERPC_EXCP_DEBUG]= 0x;
-env->ivor_mask = 0xFFE0UL;
+env->ivor_mask = 0xFFF0UL;
 env->ivpr_mask = 0xUL;
 /* Hardware reset vector */
 env->hreset_vector = 0xFFFCUL;
-- 
1.8.1.4

[Qemu-devel] [PULL 02/33] ppc: use CRF_* in int_helper.c

[Alexander Graf]

From: Paolo Bonzini 

Signed-off-by: Paolo Bonzini 
Reviewed-by: Tom Musta 
Tested-by: Tom Musta 
Signed-off-by: Alexander Graf 
---
 target-ppc/int_helper.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
index 713d777..29ff4f6 100644
--- a/target-ppc/int_helper.c
+++ b/target-ppc/int_helper.c
@@ -2286,25 +2286,25 @@ uint32_t helper_bcdadd(ppc_avr_t *r,  ppc_avr_t *a, 
ppc_avr_t *b, uint32_t ps)
 if (sgna == sgnb) {
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
 zero = bcd_add_mag(&result, a, b, &invalid, &overflow);
-cr = (sgna > 0) ? 4 : 8;
+cr = (sgna > 0) ? 1 << CRF_GT : 1 << CRF_LT;
 } else if (bcd_cmp_mag(a, b) > 0) {
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgna, ps);
 zero = bcd_sub_mag(&result, a, b, &invalid, &overflow);
-cr = (sgna > 0) ? 4 : 8;
+cr = (sgna > 0) ? 1 << CRF_GT : 1 << CRF_LT;
 } else {
 result.u8[BCD_DIG_BYTE(0)] = bcd_preferred_sgn(sgnb, ps);
 zero = bcd_sub_mag(&result, b, a, &invalid, &overflow);
-cr = (sgnb > 0) ? 4 : 8;
+cr = (sgnb > 0) ? 1 << CRF_GT : 1 << CRF_LT;
 }
 }
 
 if (unlikely(invalid)) {
 result.u64[HI_IDX] = result.u64[LO_IDX] = -1;
-cr = 1;
+cr = 1 << CRF_SO;
 } else if (overflow) {
-cr |= 1;
+cr |= 1 << CRF_SO;
 } else if (zero) {
-cr = 2;
+cr = 1 << CRF_EQ;
 }
 
 *r = result;
-- 
1.8.1.4

[Qemu-devel] [PULL 2.2 00/33] ppc patch queue 2014-11-04 for 2.2

[Alexander Graf]

Hi Peter,

This is my current patch queue for ppc.  Please pull.

Alex


The following changes since commit d5b4dc3b50175f0c34f3cf4b053e123fb37f5aed:

  Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' 
into staging (2014-11-04 17:33:34 +)

are available in the git repository at:


  git://github.com/agraf/qemu.git tags/signed-ppc-for-upstream

for you to fetch changes up to 875d0edd7ce262d61a62c391b49edc2602c06150:

  target-ppc: Fix Altivec Round Opcodes (2014-11-04 20:22:08 +0100)


Patch queue for ppc - 2014-11-04

Fun things for 2.2:

  - e500 virt machine: power off support (needs 3.19 guests)
  - e500 virt machine: -device eTSEC support
  - new framework to allow dynamic spawning of sysbus devices
  - spapr: enable migration of nvram
  - new 440x5wDFPU cpu type
  - Altivec and other random fixes


Alexander Graf (11):
  PPC: openpic_kvm: Only map first occurence in address space
  PPC: Add MPC8XXX gpio controller
  PPC: E500: Instantiate MPC8XXX gpio controller on virt machine
  PPC: E500: Hook up power off GPIO to GPIO controller
  sysbus: Add dynamic sysbus device search
  sysbus: Make devices spawnable via -device
  sysbus: Expose IRQ enumeration helpers
  sysbus: Expose MMIO enumeration helper
  sysbus: Add new platform bus helper device
  PPC: e500: Support dynamically spawned sysbus devices
  e500: Add support for eTSEC in device tree

Alexey Kardashevskiy (2):
  target-ppc: Fix kvmppc_set_compat to use negotiated cpu-version
  spapr_nvram: Enable migration

Aurelien Jarno (1):
  target-ppc: simplify AES emulation

Bharata B Rao (2):
  target-ppc: Use macros in opcodes table handling code
  target-ppc: Fix an invalid free in opcode table handling code.

Chen Gang (1):
  target-ppc: kvm: Fix memory overflow issue about strncat()

David Gibson (2):
  target-ppc: virtex-ml507 machine type should depend on CONFIG_XILINX
  spapr: Cleanup machine naming conventions, and prepare for 2.2 release

Paolo Bonzini (6):
  ppc: fix monitor access to CR
  ppc: use CRF_* in int_helper.c
  ppc: fix result of DLMZB when no zero bytes are found
  ppc: rename gen_set_cr6_from_fpscr
  ppc: compute mask from BI using right shift
  ppc: do not look at the MMU index to detect PR/HV mode

Peter Maydell (2):
  hw/pci/ppc4xx_pci.c: Remove unused pci4xx_cfgaddr_read/write/ops
  hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*)

Pierre Mallard (2):
  target-ppc : Allow fc[tf]id[*] mnemonics for non TARGET_PPC64
  target-ppc : Add new processor type 440x5wDFPU

Tom Musta (4):
  target-ppc: Implement IVOR[59] By Default for Book E
  target-ppc: Fix Altivec Shifts
  target-ppc: Fix vcmpbfp. Unordered Case
  target-ppc: Fix Altivec Round Opcodes

 hw/core/Makefile.objs   |   1 +
 hw/core/machine.c   |  34 ++
 hw/core/platform-bus.c  | 253 
 hw/core/qdev.c  |  11 ++
 hw/core/sysbus.c|  79 --
 hw/gpio/Makefile.objs   |   1 +
 hw/gpio/mpc8xxx.c   | 217 +
 hw/intc/openpic_kvm.c   |  19 
 hw/nvram/spapr_nvram.c  |  81 +++---
 hw/ppc/Makefile.objs|   2 +-
 hw/ppc/e500.c   | 199 ++
 hw/ppc/e500.h   |   6 ++
 hw/ppc/e500plat.c   |   7 ++
 hw/ppc/ppc4xx_pci.c |  24 -
 hw/ppc/spapr.c  |  22 +++-
 hw/ppc/spapr_pci.c  |  28 +++--
 include/hw/boards.h |   8 +-
 include/hw/platform-bus.h   |  57 ++
 include/hw/qdev-core.h  |   1 +
 include/hw/sysbus.h |   9 ++
 monitor.c   |   2 +-
 target-ppc/cpu-models.c |   3 +
 target-ppc/cpu.h|   8 +-
 target-ppc/fpu_helper.c |   6 --
 target-ppc/helper.h |   2 -
 target-ppc/int_helper.c |  32 +++---
 target-ppc/kvm.c|   8 +-
 target-ppc/translate.c  | 213 +
 target-ppc/translate_init.c |  94 
 vl.c|   1 +
 30 files changed, 1195 insertions(+), 233 deletions(-)
 create mode 100644 hw/core/platform-bus.c
 create mode 100644 hw/gpio/mpc8xxx.c
 create mode 100644 include/hw/platform-bus.h