Re: [Qemu-devel] [PATCH v1] kvm/x86: Hyper-V tsc page setup

2016-01-06 Thread Andrey Smetanin



On 01/06/2016 12:48 AM, Peter Hornyack wrote:

On Thu, Dec 24, 2015 at 1:33 AM, Andrey Smetanin
 wrote:

Recently the tsc page was implemented but filled with empty
values. This patch sets up the tsc page scale and offset based
on the vcpu tsc, tsc_khz and the HV_X64_MSR_TIME_REF_COUNT value.

The valid tsc page drops HV_X64_MSR_TIME_REF_COUNT msr
reads count to zero which potentially improves performance.

The patch applies on top of
'kvm: Make vcpu->requests as 64 bit bitmap'
previously sent.

Signed-off-by: Andrey Smetanin 
CC: Paolo Bonzini 
CC: Gleb Natapov 
CC: Roman Kagan 
CC: Denis V. Lunev 
CC: qemu-devel@nongnu.org

Reviewed-by: Peter Hornyack 



---
  arch/x86/kvm/hyperv.c| 117 +--
  arch/x86/kvm/hyperv.h|   2 +
  arch/x86/kvm/x86.c   |  12 +
  include/linux/kvm_host.h |   1 +
  4 files changed, 117 insertions(+), 15 deletions(-)

diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index d50675a..504fdc7 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -753,6 +753,105 @@ static int kvm_hv_msr_set_crash_data(struct kvm_vcpu 
*vcpu,
 return 0;
  }

+static u64 calc_tsc_page_scale(u32 tsc_khz)
+{
+   /*
+* reftime (in 100ns) = tsc * tsc_scale / 2^64 + tsc_offset
+* so reftime_delta = (tsc_delta * tsc_scale) / 2^64
+* so tsc_scale = (2^64 * reftime_delta)/tsc_delta
+* so tsc_scale = (2^64 * 10 * 10^6) / tsc_hz = (2^64 * 1) / tsc_khz
+* so tsc_scale = (2^63 * 2 * 1) / tsc_khz
+*/
+   return mul_u64_u32_div(1ULL << 63, 2 * 1, tsc_khz);
+}
+
+static int write_tsc_page(struct kvm *kvm, u64 gfn,
+ PHV_REFERENCE_TSC_PAGE tsc_ref)
+{
+   if (kvm_write_guest(kvm, gfn_to_gpa(gfn),
+   tsc_ref, sizeof(*tsc_ref)))
+   return 1;
+   mark_page_dirty(kvm, gfn);
+   return 0;
+}
+
+static int read_tsc_page(struct kvm *kvm, u64 gfn,
+PHV_REFERENCE_TSC_PAGE tsc_ref)
+{
+   if (kvm_read_guest(kvm, gfn_to_gpa(gfn),
+  tsc_ref, sizeof(*tsc_ref)))
+   return 1;
+   return 0;
+}
+
+static u64 calc_tsc_page_time(struct kvm_vcpu *vcpu,
+ PHV_REFERENCE_TSC_PAGE tsc_ref)
+{
+
+   u64 tsc = kvm_read_l1_tsc(vcpu, rdtsc());
+
+   return mul_u64_u64_shr(tsc, tsc_ref->tsc_scale, 64)
+   + tsc_ref->tsc_offset;
+}
+
+static int setup_blank_tsc_page(struct kvm_vcpu *vcpu, u64 gfn)
+{
+   HV_REFERENCE_TSC_PAGE tsc_ref;
+
+   memset(_ref, 0, sizeof(tsc_ref));
+   return write_tsc_page(vcpu->kvm, gfn, _ref);
+}
+
+int kvm_hv_setup_tsc_page(struct kvm_vcpu *vcpu)
+{
+   struct kvm *kvm = vcpu->kvm;
+   struct kvm_hv *hv = >arch.hyperv;
+   HV_REFERENCE_TSC_PAGE tsc_ref;
+   u32 tsc_khz;
+   int r;
+   u64 gfn, ref_time, tsc_scale, tsc_offset, tsc;
+
+   if (WARN_ON_ONCE(!(hv->hv_tsc_page & HV_X64_MSR_TSC_REFERENCE_ENABLE)))
+   return -EINVAL;
+
+   gfn = hv->hv_tsc_page >> HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT;
+   vcpu_debug(vcpu, "tsc page gfn 0x%llx\n", gfn);
+
+   tsc_khz = vcpu->arch.virtual_tsc_khz;
+   if (!tsc_khz) {
+   vcpu_unimpl(vcpu, "no tsc khz\n");
+   return setup_blank_tsc_page(vcpu, gfn);
+   }
+
+   r = read_tsc_page(kvm, gfn, _ref);
+   if (r) {
+   vcpu_err(vcpu, "can't access tsc page gfn 0x%llx\n", gfn);
+   return r;
+   }
+
+   tsc_scale = calc_tsc_page_scale(tsc_khz);
+   ref_time = get_time_ref_counter(kvm);
+   tsc = kvm_read_l1_tsc(vcpu, rdtsc());
+
+   /* tsc_offset = reftime - tsc * tsc_scale / 2^64 */
+   tsc_offset = ref_time - mul_u64_u64_shr(tsc, tsc_scale, 64);
+   vcpu_debug(vcpu, "tsc khz %u tsc %llu scale %llu offset %llu\n",
+  tsc_khz, tsc, tsc_scale, tsc_offset);
+
+   tsc_ref.tsc_sequence++;
+   if (tsc_ref.tsc_sequence == 0)


Also avoid tsc_sequence == 0x here. In the Hyper-V TLFS 4.0
(Win2012 R2) 0x is the special sequence number to disable the
reference TSC page.


we already discussed with Microsoft
that documentation contains wrong sequence number
- 0x (instead of 0). please take a look into details here:
https://lkml.org/lkml/2015/11/2/655

+   tsc_ref.tsc_sequence = 1;
+
+   tsc_ref.tsc_scale = tsc_scale;
+   tsc_ref.tsc_offset = tsc_offset;
+
+   vcpu_debug(vcpu, "tsc page calibration time %llu vs. reftime %llu\n",
+  calc_tsc_page_time(vcpu, _ref),
+  get_time_ref_counter(kvm));
+
+   return write_tsc_page(kvm, gfn, _ref);
+}
+
  static int kvm_hv_set_msr_pw(struct kvm_vcpu *vcpu, u32 msr, u64 data,
  bool host)
  {
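Review bot: calc_tsc_page_scale() has no lower bound on tsc_khz: by the formula in its own comment, tsc_scale = 2^64 * 10^7 / tsc_hz, so any tsc_khz at or below 10000 gives a quotient that does not fit the u64 return value. kvm_hv_setup_tsc_page() only rejects `!tsc_khz` before calling it, and the result is then written to the guest-visible page as the scale used to derive reference time. If vcpu->arch.virtual_tsc_khz can be set that low (its source is not visible in this hunk), the low-frequency case should take the same blank-page path as zero, e.g. `if (tsc_khz <= 10000) {` in place of `if (!tsc_khz) {`, with a comment giving the reason.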
@@ 

Re: [Qemu-devel] [PATCH 2/8] ipmi: add get and set SENSOR_TYPE commands

2016-01-06 Thread Greg Kurz
On Tue,  5 Jan 2016 18:29:56 +0100
Cédric Le Goater  wrote:

> Signed-off-by: Cédric Le Goater 
> ---

Acked-by: Greg Kurz 

Just some minor comments on the form below.


>  hw/ipmi/ipmi_bmc_sim.c | 51 
> --
>  1 file changed, 49 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/ipmi/ipmi_bmc_sim.c b/hw/ipmi/ipmi_bmc_sim.c
> index 559e1398d669..061db8437479 100644
> --- a/hw/ipmi/ipmi_bmc_sim.c
> +++ b/hw/ipmi/ipmi_bmc_sim.c
> @@ -37,13 +37,15 @@
>  #define IPMI_CMD_CHASSIS_CONTROL  0x02
> 
>  #define IPMI_NETFN_SENSOR_EVENT   0x04
> -#define IPMI_NETFN_SENSOR_EVENT_MAXCMD0x2e
> +#define IPMI_NETFN_SENSOR_EVENT_MAXCMD0x30
> 

Maybe IPMI_NETFN_SENSOR_EVENT_MAXCMD should be defined...

>  #define IPMI_CMD_SET_SENSOR_EVT_ENABLE0x28
>  #define IPMI_CMD_GET_SENSOR_EVT_ENABLE0x29
>  #define IPMI_CMD_REARM_SENSOR_EVTS0x2a
>  #define IPMI_CMD_GET_SENSOR_EVT_STATUS0x2b
>  #define IPMI_CMD_GET_SENSOR_READING   0x2d
> +#define IPMI_CMD_SET_SENSOR_TYPE  0x2e
> +#define IPMI_CMD_GET_SENSOR_TYPE  0x2f
> 

... here ?

>  /* #define IPMI_NETFN_APP 0x06 In ipmi.h */
>  #define IPMI_NETFN_APP_MAXCMD 0x36
> @@ -1576,6 +1578,49 @@ static void get_sensor_reading(IPMIBmcSim *ibs,
>  return;
>  }
> 
> +static void set_sensor_type(IPMIBmcSim *ibs,
> +   uint8_t *cmd, unsigned int cmd_len,
> +   uint8_t *rsp, unsigned int *rsp_len,
> +   unsigned int max_rsp_len)
> +{
> +IPMISensor *sens;
> +
> +
> +IPMI_CHECK_CMD_LEN(5);
> +if ((cmd[2] > MAX_SENSORS) ||

Parenthesis not needed here since > has precedence over ||

> +!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {

Indentation ?

> +rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
> +goto out;
> +}
> +sens = ibs->sensors + cmd[2];
> +sens->sensor_type = cmd[3];
> +sens->evt_reading_type_code = cmd[4] & 0x7f;

So evt_reading_type_code is 7bit ? Maybe worth to
introduce a IPMI_SENSOR_TYPE_MASK define.

> +
> + out:
> +return;
> +}
> +
> +static void get_sensor_type(IPMIBmcSim *ibs,
> +   uint8_t *cmd, unsigned int cmd_len,
> +   uint8_t *rsp, unsigned int *rsp_len,
> +   unsigned int max_rsp_len)
> +{
> +IPMISensor *sens;
> +
> +
> +IPMI_CHECK_CMD_LEN(3);
> +if ((cmd[2] > MAX_SENSORS) ||
> +!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {

Parenthesis and indentation ?

> +rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
> +goto out;
> +}
> +sens = ibs->sensors + cmd[2];
> +IPMI_ADD_RSP_DATA(sens->sensor_type);
> +IPMI_ADD_RSP_DATA(sens->evt_reading_type_code);
> + out:
> +return;
> +}
> +
>  static const IPMICmdHandler chassis_cmds[IPMI_NETFN_CHASSIS_MAXCMD] = {
>  [IPMI_CMD_GET_CHASSIS_CAPABILITIES] = chassis_capabilities,
>  [IPMI_CMD_GET_CHASSIS_STATUS] = chassis_status,
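Review bot: The bounds test `cmd[2] > MAX_SENSORS` in both set_sensor_type() and get_sensor_type() lets an index equal to MAX_SENSORS through to `ibs->sensors + cmd[2]`. If the sensors array is declared with MAX_SENSORS elements (the declaration is outside this hunk), that is one element past the end, and cmd[2] comes straight from the request bytes; set_sensor_type() then stores sensor_type and evt_reading_type_code there. The test should read `if (cmd[2] >= MAX_SENSORS ||` in both handlers.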
> @@ -1592,7 +1637,9 @@ sensor_event_cmds[IPMI_NETFN_SENSOR_EVENT_MAXCMD] = {
>  [IPMI_CMD_GET_SENSOR_EVT_ENABLE] = get_sensor_evt_enable,
>  [IPMI_CMD_REARM_SENSOR_EVTS] = rearm_sensor_evts,
>  [IPMI_CMD_GET_SENSOR_EVT_STATUS] = get_sensor_evt_status,
> -[IPMI_CMD_GET_SENSOR_READING] = get_sensor_reading
> +[IPMI_CMD_GET_SENSOR_READING] = get_sensor_reading,
> +[IPMI_CMD_SET_SENSOR_TYPE] = set_sensor_type,
> +[IPMI_CMD_GET_SENSOR_TYPE] = get_sensor_type,
>  };
>  static const IPMINetfn sensor_event_netfn = {
>  .cmd_nums = IPMI_NETFN_SENSOR_EVENT_MAXCMD,




[Qemu-devel] [PATCH] virtio-blk: Allow startup of empty cdroms

2016-01-06 Thread Michal Privoznik
If you have an empty IDE cdrom we will start just fine:

-drive if=none,id=drive-ide0-0-0,readonly=on
-device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0

However, that's not the case with virtio disk:

-drive if=none,media=cdrom,id=drive-virtio-disk1,readonly=on
-device 
virtio-blk-pci,scsi=off,bus=pci.2,addr=0x2,drive=drive-virtio-disk1,id=virtio-disk1

One will get the following error:

qemu-system-x86_64: -device 
virtio-blk-pci,scsi=off,bus=pci.2,addr=0x2,drive=drive-virtio-disk1,id=virtio-disk1:
 Device needs media, but drive is empty

The error comes from virtio_blk_device_realize(), where we check
whether the virtio block device has media inserted. This should
not, however, be required for cdroms.

Signed-off-by: Michal Privoznik 
---
 hw/block/virtio-blk.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 51f867b..2f687d2 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -893,6 +893,7 @@ static void virtio_blk_device_realize(DeviceState *dev, 
Error **errp)
 VirtIODevice *vdev = VIRTIO_DEVICE(dev);
 VirtIOBlock *s = VIRTIO_BLK(dev);
 VirtIOBlkConf *conf = >conf;
+DriveInfo *dinfo;
 Error *err = NULL;
 static int virtio_blk_id;
 
@@ -900,7 +901,10 @@ static void virtio_blk_device_realize(DeviceState *dev, 
Error **errp)
 error_setg(errp, "drive property not set");
 return;
 }
-if (!blk_is_inserted(conf->conf.blk)) {
+
+dinfo = blk_legacy_dinfo(conf->conf.blk);
+if (!((dinfo && dinfo->media_cd) ||
+  blk_is_inserted(conf->conf.blk))) {
 error_setg(errp, "Device needs media, but drive is empty");
 return;
 }
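Review bot: The new condition has no comment saying why a CD-ROM drive may be realized without a medium, and the double negation `!((dinfo && dinfo->media_cd) || blk_is_inserted(...))` hides that intent. A short comment above it, `/* An empty drive is only acceptable for CD-ROM media */`, would do. The exemption keys on the legacy DriveInfo, so a backend with no DriveInfo (dinfo == NULL) still has to have media inserted; if that is intended, say so in the same comment. The rest of virtio_blk_device_realize() lies outside the hunk, so whether the code after this check copes with an empty backend cannot be confirmed from here.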
-- 
2.4.10




Re: [Qemu-devel] [PATCH v2 0/3] virtio: cross-endian helpers fixes

2016-01-06 Thread Michael S. Tsirkin
On Tue, Jan 05, 2016 at 08:19:22PM +0100, Greg Kurz wrote:
> On Wed, 23 Dec 2015 17:28:23 +0100
> Greg Kurz  wrote:
> 
> > On Wed, 23 Dec 2015 15:47:00 +0200
> > "Michael S. Tsirkin"  wrote:
> > 
> > > On Thu, Dec 17, 2015 at 09:52:46AM +0100, Greg Kurz wrote:
> > > > This series tries to rework cross-endian helpers for better clarity.
> > > > It does not change behaviour, except perhaps patch 3/3 even if I could 
> > > > not
> > > > measure any performance gain.
> > > 
> > > Breaks build:
> > > 
> > >   CCmips64-softmmu/hw/mips/mips_malta.o
> > > /home/mst/scm/qemu/hw/net/vhost_net.c: In function
> > > ‘vhost_net_set_vnet_endian’:
> > > /home/mst/scm/qemu/hw/net/vhost_net.c:208:10: error: implicit
> > > declaration of function ‘virtio_legacy_is_cross_endian’
> > > [-Werror=implicit-function-declaration]
> > >  (virtio_legacy_is_cross_endian(dev) &&
> > > !virtio_is_big_endian(dev))) {
> > >   ^
> > > /home/mst/scm/qemu/hw/net/vhost_net.c:208:9: error: nested extern
> > > declaration of ‘virtio_legacy_is_cross_endian’ [-Werror=nested-externs]
> > >  (virtio_legacy_is_cross_endian(dev) &&
> > > !virtio_is_big_endian(dev))) {
> > >  ^
> > > cc1: all warnings being treated as errors
> > > /home/mst/scm/qemu/rules.mak:57: recipe for target 'hw/net/vhost_net.o'
> > > failed
> > > make[1]: *** [hw/net/vhost_net.o] Error 1
> > > Makefile:186: recipe for target 'subdir-i386-softmmu' failed
> > > make: *** [subdir-i386-softmmu] Error 2
> > > 
> > > 
> > > please always build all architectures.
> > > 
> > 
> > Ok. I'll do so from now on.
> > 
> 
> The break isn't architecture related actually. It is because this series
> depends on the "virtio-net/vhost-net: share cross-endian enablement" series
> I had posted before... my bad. Since most of these series is cleanup of the
> cross-endian code,



Oh. And I thought it's the reverse order somehow.

> I'll repost a single series with all the patches.

That's probably best.

> > > > ---
> > > > 
> > > > Greg Kurz (3):
> > > >   virtio: move cross-endian helper to vhost
> > > >   vhost: move virtio 1.0 check to cross-endian helper
> > > >   virtio: optimize virtio_access_is_big_endian() for little-endian 
> > > > targets
> > > > 
> > > > 
> > > >  hw/virtio/vhost.c |   22 ++
> > > >  include/hw/virtio/virtio-access.h |   16 +++-
> > > >  2 files changed, 21 insertions(+), 17 deletions(-)
> > > 
> > 
> > 



Re: [Qemu-devel] [PATCH] SCSI device: fix to incomplete QOMify

2016-01-06 Thread Michael S. Tsirkin
On Wed, Jan 06, 2016 at 05:37:46PM +0800, Cao jin wrote:
> Signed-off-by: Cao jin 

Acked-by: Michael S. Tsirkin 

> ---
>  hw/scsi/megasas.c | 12 ++--
>  hw/scsi/scsi-bus.c|  4 ++--
>  hw/scsi/virtio-scsi.c |  2 +-
>  3 files changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
> index d7dc667..78239bf 100644
> --- a/hw/scsi/megasas.c
> +++ b/hw/scsi/megasas.c
> @@ -744,7 +744,7 @@ static int megasas_ctrl_get_info(MegasasState *s, 
> MegasasCmd *cmd)
>  info.device.type = MFI_INFO_DEV_SAS3G;
>  info.device.port_count = 8;
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  uint16_t pd_id;
>  
>  if (num_pd_disks < 8) {
> @@ -960,7 +960,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, 
> MegasasCmd *cmd)
>  max_pd_disks = MFI_MAX_SYS_PDS;
>  }
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  uint16_t pd_id;
>  
>  if (num_pd_disks >= max_pd_disks)
> @@ -1136,7 +1136,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, 
> MegasasCmd *cmd)
>  max_ld_disks = MFI_MAX_LD;
>  }
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  
>  if (num_ld_disks >= max_ld_disks) {
>  break;
> @@ -1187,7 +1187,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, 
> MegasasCmd *cmd)
>  max_ld_disks = MFI_MAX_LD;
>  }
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  
>  if (num_ld_disks >= max_ld_disks) {
>  break;
> @@ -1327,7 +1327,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, 
> MegasasCmd *cmd)
>  ld_offset = array_offset + sizeof(struct mfi_array) * num_pd_disks;
>  
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (sdev->lun & 0xFF);
>  struct mfi_array *array;
>  struct mfi_ld_config *ld;
> @@ -2237,7 +2237,7 @@ static void megasas_soft_reset(MegasasState *s)
>   * after the initial reset.
>   */
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> -SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
> +SCSIDevice *sdev = SCSI_DEVICE(kid->child);
>  
>  sdev->unit_attention = SENSE_CODE(NO_SENSE);
>  scsi_device_unit_attention_reported(sdev);
> diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
> index 00bddc9..fea0257 100644
> --- a/hw/scsi/scsi-bus.c
> +++ b/hw/scsi/scsi-bus.c
> @@ -1850,7 +1850,7 @@ void scsi_device_purge_requests(SCSIDevice *sdev, 
> SCSISense sense)
>  
>  static char *scsibus_get_dev_path(DeviceState *dev)
>  {
> -SCSIDevice *d = DO_UPCAST(SCSIDevice, qdev, dev);
> +SCSIDevice *d = SCSI_DEVICE(dev);
>  DeviceState *hba = dev->parent_bus->parent;
>  char *id;
>  char *path;
> @@ -2023,7 +2023,7 @@ static void scsi_device_class_init(ObjectClass *klass, 
> void *data)
>  static void scsi_dev_instance_init(Object *obj)
>  {
>  DeviceState *dev = DEVICE(obj);
> -SCSIDevice *s = DO_UPCAST(SCSIDevice, qdev, dev);
> +SCSIDevice *s = SCSI_DEVICE(dev);
>  
>  device_add_bootindex_property(obj, >conf.bootindex,
>"bootindex", NULL,
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 3a4f520..607593c 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -352,7 +352,7 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, 
> VirtIOSCSIReq *req)
>  target = req->req.tmf.lun[1];
>  s->resetting++;
>  QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
> - d = DO_UPCAST(SCSIDevice, qdev, kid->child);
> + d = SCSI_DEVICE(kid->child);
>   if (d->channel == 0 && d->id == target) {
>  qdev_reset_all(>qdev);
>   }
> -- 
> 2.1.0
> 
> 



[Qemu-devel] [PATCH v2 0/2] qga: guest-set-user-password - added ability to create new user

2016-01-06 Thread Denis V. Lunev
These patches add optional 'create' flag to guest-set-user-password command.
When it is specified, a new user will be created if it does not
exist yet.

Since v1:
- fixed english language mistakes in comments
- json description now mentions 'create' as default to false
- capture stdout/stderr from useradd/chpasswd and send it back with the
  error message to the caller
- split to two patches

Signed-off-by: Yuri Pudgorodskiy 
Signed-off-by: Denis V. Lunev 
CC: Eric Blake 
CC: Michael Roth 

Yuriy Pudgorodskiy (2):
  create ga_run_program() helper for guest-set-user-password
  guest-set-user-password - added ability to create new user

 qga/commands-posix.c | 215 +--
 qga/commands-win32.c |  25 +-
 qga/qapi-schema.json |   5 +-
 3 files changed, 186 insertions(+), 59 deletions(-)

-- 
2.1.4




[Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread Stefano Stabellini
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.

Signed-off-by: Stefano Stabellini 

diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 4e2a27a..f963cf2 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -789,10 +789,11 @@ static void xenfb_handle_events(struct XenFB *xenfb)
 
 prod = page->out_prod;
 out_cons = page->out_cons;
-if (prod == out_cons)
-   return;
+if (prod <= out_cons) {
+return;
+}
 xen_rmb(); /* ensure we see ring contents up to prod */
-for (cons = out_cons; cons != prod; cons++) {
+for (cons = out_cons; cons < prod; cons++) {
union xenfb_out_event *event = _OUT_RING_REF(page, cons);
 uint8_t type = event->type;
int x, y, w, h;
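Review bot: The new `prod <= out_cons` guard does not bound the loop: both indices are read from the page shared with the frontend, and a prod far above out_cons still makes `for (cons = out_cons; cons < prod; cons++)` run for up to about 2^32 iterations. The ordered comparison also stops event handling for good once the free-running producer index wraps below out_cons. Assuming prod and out_cons are unsigned 32-bit counters (their declarations are above the hunk), bound the distance instead, `if (prod == out_cons || prod - out_cons > XENFB_OUT_RING_LEN) {`, and keep `cons != prod` as the loop condition. xenfb_handle_events() continues past the end of the hunk.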



Re: [Qemu-devel] [PATCH] virtio serial port: fix to incomplete QOMify

2016-01-06 Thread Greg Kurz
On Wed, 6 Jan 2016 16:22:55 +0800
Cao jin  wrote:

> Signed-off-by: Cao jin 
> ---

Reviewed-by: Greg Kurz 

>  hw/char/virtio-serial-bus.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
> index 497b0af..2d2a659 100644
> --- a/hw/char/virtio-serial-bus.c
> +++ b/hw/char/virtio-serial-bus.c
> @@ -798,7 +798,7 @@ static const TypeInfo virtser_bus_info = {
> 
>  static void virtser_bus_dev_print(Monitor *mon, DeviceState *qdev, int 
> indent)
>  {
> -VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, qdev);
> +VirtIOSerialPort *port = VIRTIO_SERIAL_PORT(qdev);
> 
>  monitor_printf(mon, "%*sport %d, guest %s, host %s, throttle %s\n",
> indent, "", port->id,




[Qemu-devel] [Bug 1531352] [NEW] QEMU_LD_PREFIX PATH not work on loading library

2016-01-06 Thread bananaapple
Public bug reported:

run qemu with QEMU_LD_PREFIX argument will not load the library in the PATH.
Ex: I use debootstrap to download the library of i386 architecture
And use -L point to the path.
But not load the library from that directory.

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
https://bugs.launchpad.net/bugs/1531352

Title:
  QEMU_LD_PREFIX PATH not work on loading library

Status in QEMU:
  New

Bug description:
  run qemu with QEMU_LD_PREFIX argument will not load the library in the PATH.
  Ex: I use debootstrap to download the library of i386 architecture
  And use -L point to the path.
  But not load the library from that directory.




[Qemu-devel] [Bug 1531352] Re: QEMU_LD_PREFIX not load correct library order in the PATH

2016-01-06 Thread bananaapple
** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
+ Because the order of dynamic linker search the shared library is wrong.
+ When your system has /lib32 directory, its priority is higher than the 
QEMU_LD_PREFIX.
+ If the system not loaded correspond with the dynamic linker, it will crash.
+ Code flow:
+ linux-user/main.c: 
+   call loader_exec
+ linuxload.c: 
+   call load_elf_binary
+ elfload.c: 
+   in load_elf_binary function
+   dynamic loader will be elf_interpreter
+ I think the problem should be here.

-- 
https://bugs.launchpad.net/bugs/1531352

Title:
  QEMU_LD_PREFIX not load correct library order in the PATH

Status in QEMU:
  New

Bug description:
  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
  Because the order of dynamic linker search the shared library is wrong.
  When your system has /lib32 directory, its priority is higher than the 
QEMU_LD_PREFIX.
  If the system not loaded correspond with the dynamic linker, it will crash.
  Code flow:
  linux-user/main.c: 
call loader_exec
  linuxload.c: 
call load_elf_binary
  elfload.c: 
in load_elf_binary function
dynamic loader will be elf_interpreter
  I think the problem should be here.




Re: [Qemu-devel] [PATCH 03/22] 9pfs: rename virtio-9p-handle.c to 9p-handle.c

2016-01-06 Thread Stefano Stabellini
Wrong subject line: you are renaming virtio-9p-local.c

On Tue, 5 Jan 2016, Wei Liu wrote:
> This file is not virtio specific. Rename it to use generic name.
> 
> Fix comment and remove unneeded inclusion of virtio.h.
> 
> Signed-off-by: Wei Liu 
> ---
>  hw/9pfs/{virtio-9p-local.c => 9p-local.c} | 3 +--
>  hw/9pfs/Makefile.objs | 2 +-
>  2 files changed, 2 insertions(+), 3 deletions(-)
>  rename hw/9pfs/{virtio-9p-local.c => 9p-local.c} (99%)
> 
> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/9p-local.c
> similarity index 99%
> rename from hw/9pfs/virtio-9p-local.c
> rename to hw/9pfs/9p-local.c
> index f1f2e25..877ad86 100644
> --- a/hw/9pfs/virtio-9p-local.c
> +++ b/hw/9pfs/9p-local.c
> @@ -1,5 +1,5 @@
>  /*
> - * Virtio 9p Posix callback
> + * 9p Posix callback
>   *
>   * Copyright IBM, Corp. 2010
>   *
> @@ -11,7 +11,6 @@
>   *
>   */
>  
> -#include "hw/virtio/virtio.h"
>  #include "virtio-9p.h"
>  #include "virtio-9p-xattr.h"
>  #include "fsdev/qemu-fsdev.h"   /* local_ops */
> diff --git a/hw/9pfs/Makefile.objs b/hw/9pfs/Makefile.objs
> index 9fdd8a4..5059681 100644
> --- a/hw/9pfs/Makefile.objs
> +++ b/hw/9pfs/Makefile.objs
> @@ -1,5 +1,5 @@
>  common-obj-y  = virtio-9p.o
> -common-obj-y += virtio-9p-local.o virtio-9p-xattr.o
> +common-obj-y += 9p-local.o virtio-9p-xattr.o
>  common-obj-y += virtio-9p-xattr-user.o virtio-9p-posix-acl.o
>  common-obj-y += coth.o cofs.o codir.o cofile.o
>  common-obj-y += coxattr.o virtio-9p-synth.o
> -- 
> 2.1.4
> 
> 



[Qemu-devel] [Bug 1531352] Re: QEMU_LD_PREFIX not load correct library order in the PATH

2016-01-06 Thread bananaapple
** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
- ./fetchlibs.sh
+ bash fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
  Because the order of dynamic linker search the shared library is wrong.
  When your system has /lib32 directory, its priority is higher than the 
QEMU_LD_PREFIX.
  If the system not loaded correspond with the dynamic linker, it will crash.
  Code flow:
  linux-user/main.c:
    call loader_exec
  linuxload.c:
    call load_elf_binary
  elfload.c:
    in load_elf_binary function
    dynamic loader will be elf_interpreter
  I think the problem should be here.

-- 
https://bugs.launchpad.net/bugs/1531352

Title:
  QEMU_LD_PREFIX not load correct library order in the PATH

Status in QEMU:
  New

Bug description:
  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  bash fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
  Because the order of dynamic linker search the shared library is wrong.
  When your system has /lib32 directory, its priority is higher than the 
QEMU_LD_PREFIX.
  If the system not loaded correspond with the dynamic linker, it will crash.
  Code flow:
  linux-user/main.c:
    call loader_exec
  linuxload.c:
    call load_elf_binary
  elfload.c:
    in load_elf_binary function
    dynamic loader will be elf_interpreter
  I think the problem should be here.




Re: [Qemu-devel] What's the advantages of POSTCOPY over CPU-THROTTLE?

2016-01-06 Thread Dr. David Alan Gilbert
* Zhangbo (Oscar) (oscar.zhan...@huawei.com) wrote:
> Hi all:
>   Postcopy is suitable for migrating guests which have large page change 
> rates. It 
> 1 makes the guest run at the destination ASAP.
> 2 makes the downtime of the guest small enough.
> If we don't take the 1st advantage into account, then, its benefit seems 
> similar with CPU-THROTTLE: both of them make the guest's downtime small 
> during migration.
>  
> CPU-THROTTLE would make the guest's dirtypage rate *smaller than the 
> network bandwidth*, in order to make the to_send_page_number in each 
> iteration convergent and achieve the small-enough downtime during the last 
> iteration.
> If we adopt POST-COPY here, the guest's dirtypage rate would *become 
> equal to the bandwidth*, because we have to fetch its memory from the source 
> side, via the network.
> Both of them would introduce performance degradations of the guest, which 
> may in turn cause downtime larger.
> 
> So, here comes the question: If we just compare POSTCOPY with 
> CPU-THROTTLE for their advantages in decreasing downtime, POSTCOPY seems has 
> no pos over CPU-THROTTLE, is that right?
> 
> Meanwhile, Are there any other benifits of POSTCOPY besides the 2 
> mentioned above?

It's a good question and they do both try and help solve the same problem.
One problem with cpu-throttle is whether you can throttle the CPU enough to
get the dirty-rate below the rate of the network, and the answer to that is
very workload dependent.  On a large, many-core VM, even a little bit of CPU
can dirty a lot of memory.  Postcopy is guaranteed to finish migration,
irrespective of the workload.

Postcopy is pretty fine-grained, in that only threads that are accessing
pages that are still on the source are blocked, since it allows the use
of async page faults, that means it's even finer grained than the vCPU level,
so many threads come back up to full performance pretty quickly
even if there are a few pages left.

Dave

> 
> Oscar
> 
> 
> 
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK



Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

2016-01-06 Thread 朱东海(启路)
Hi, will you assign a CVE to this vulnerability? This issue could lead to
remote code execution, and many IaaS providers use QEMU versions prior to 2.4.
Donghai.
--
From: P J P
Send Time: 2016年1月6日(星期三) 02:08
To: Qemu devel
Cc: Stefan Weil, Peter Maydell, 朱东海(启路)
Subject: Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

+-- On Tue, 5 Jan 2016, P J P wrote --+
| An OOB r/w access issue was reported by Mr Donghai Zdh, CC'd here.

Mr Donghai CC'd now.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Re: [Qemu-devel] [PATCH 03/22] 9pfs: rename virtio-9p-handle.c to 9p-handle.c

2016-01-06 Thread Wei Liu
On Wed, Jan 06, 2016 at 11:22:51AM +, Stefano Stabellini wrote:
> Wrong subject line: you are renaming virtio-9p-local.c
> 

Oops, yes.

I will fix this.

Wei.



[Qemu-devel] [PATCH 2/2] guest-set-user-password - added ability to create new user

2016-01-06 Thread Denis V. Lunev
From: Yuriy Pudgorodskiy 

Added optional 'create' flag to guest-set-user-password command.
When it is specified, a new user will be created if it does not
exist yet.

The option is added to the existing command because the password for the newly
created user should be set as specified.

This code is made specifically for Linux/Windows and is inside proper
ifdef braces.

Signed-off-by: Yuri Pudgorodskiy 
Signed-off-by: Denis V. Lunev 
CC: Eric Blake 
CC: Michael Roth 
---
 qga/commands-posix.c | 20 
 qga/commands-win32.c | 25 -
 qga/qapi-schema.json |  5 -
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 53e8d3b..2cd10df 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -2089,6 +2089,8 @@ out:
 void qmp_guest_set_user_password(const char *username,
  const char *password,
  bool crypted,
+ bool has_create,
+ bool create,
  Error **errp)
 {
 char *passwd_path = NULL;
@@ -2125,6 +2127,24 @@ void qmp_guest_set_user_password(const char *username,
 
 chpasswd_argv[0] = passwd_path;
 
+/* create new user if requested */
+if (has_create && create) {
+char *str = g_shell_quote(username);
+char *cmd = g_strdup_printf(
+/* we want output only from useradd command */
+"id -u %s >/dev/null 2>&1 || useradd -m %s",
+str, str);
+const char *argv[] = {
+"/bin/sh", "-c", cmd, NULL
+};
+ga_run_program(argv, NULL, "add new user", errp);
+g_free(str);
+g_free(cmd);
+if (*errp) {
+goto out;
+}
+}
+
 /* set password for existed user */
 if (!crypted) {
 /* wipe -e option */
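Review bot: The shell-quoted username still reaches `id` and `useradd` as a bare operand in the `/bin/sh -c` string, so a name beginning with `-` is parsed as an option by those tools; g_shell_quote() only neutralises shell metacharacters. End option parsing explicitly, `"id -u -- %s >/dev/null 2>&1 || useradd -m -- %s"`, or drop the shell and pass `useradd`, `-m`, `--` and the username as separate argv entries to ga_run_program() after a getpwnam() lookup. Separately, `if (*errp)` dereferences errp directly; a local Error propagated afterwards would not rely on the caller passing a non-NULL pointer. qmp_guest_set_user_password() starts and ends outside this hunk.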
diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index 61ffbdf..83fbf17 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -1285,6 +1285,8 @@ get_net_error_message(gint error)
 void qmp_guest_set_user_password(const char *username,
  const char *password,
  bool crypted,
+ bool has_create,
+ bool create,
  Error **errp)
 {
 NET_API_STATUS nas;
@@ -1308,6 +1310,27 @@ void qmp_guest_set_user_password(const char *username,
 user = g_utf8_to_utf16(username, -1, NULL, NULL, NULL);
 wpass = g_utf8_to_utf16(rawpasswddata, -1, NULL, NULL, NULL);
 
+if (has_create && create) {
+USER_INFO_1 ui = { 0 };
+
+ui.usri1_name = user;
+ui.usri1_password = wpass;
+ui.usri1_priv = USER_PRIV_USER;
+ui.usri1_flags = UF_SCRIPT|UF_DONT_EXPIRE_PASSWD;
+nas = NetUserAdd(NULL, 1, (LPBYTE), NULL);
+
+if (nas == NERR_Success) {
+goto out;
+}
+
+if (nas != NERR_UserExists) {
+gchar *msg = get_net_error_message(nas);
+error_setg(errp, "failed to add user: %s", msg);
+g_free(msg);
+goto out;
+}
+}
+
 pi1003.usri1003_password = wpass;
 nas = NetUserSetInfo(NULL, user,
  1003, (LPBYTE),
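Review bot: The new account is created with `UF_DONT_EXPIRE_PASSWD` hard-coded in `ui.usri1_flags`, so its password never expires even though the caller did not ask for that. I would either drop the flag, `ui.usri1_flags = UF_SCRIPT;`, or document the choice in a comment above the assignment and in the `@create` description in qapi-schema.json. The POSIX side of this patch runs plain `useradd -m`, so the two platforms also end up with different account defaults. The function continues outside this hunk.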
@@ -1318,7 +1341,7 @@ void qmp_guest_set_user_password(const char *username,
 error_setg(errp, "failed to set password: %s", msg);
 g_free(msg);
 }
-
+out:
 g_free(user);
 g_free(wpass);
 g_free(rawpasswddata);
diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index 01c9ee4..53a9f6a 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -787,6 +787,8 @@
 # @username: the user account whose password to change
 # @password: the new password entry string, base64 encoded
 # @crypted: true if password is already crypt()d, false if raw
+# @create: #optinal user will be created if it does not exist yet (since 2.6).
+#  The default value is false.
 #
 # If the @crypted flag is true, it is the caller's responsibility
 # to ensure the correct crypt() encryption scheme is used. This
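Review bot: The tag on the new `@create` line is misspelled as `#optinal`; the schema's convention is `#optional`, so the line should read `# @create: #optional user will be created if it does not exist yet (since 2.6).`. The description would also be clearer if it said what state the guest is left in when the user is created but setting the password then fails.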
@@ -806,7 +808,8 @@
 # Since 2.3
 ##
 { 'command': 'guest-set-user-password',
-  'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool' } }
+  'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool',
+  '*create': 'bool' } }
 
 # @GuestMemoryBlock:
 #
-- 
2.1.4




[Qemu-devel] [PATCH 1/2] create ga_run_program() helper for guest-set-user-password

2016-01-06 Thread Denis V. Lunev
From: Yuriy Pudgorodskiy 

This helper properly starts chpasswd and collects stdout/stderr of this
program to report it as error to the caller.

The code will be reused later to run useradd in addition to chpasswd.

This code is made specifically for Linux and is inside ifdef Linux braces.

Signed-off-by: Yuri Pudgorodskiy 
Signed-off-by: Denis V. Lunev 
CC: Eric Blake 
CC: Michael Roth 
---
 qga/commands-posix.c | 201 ---
 1 file changed, 141 insertions(+), 60 deletions(-)

diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 8fe708f..53e8d3b 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -75,6 +75,28 @@ static void ga_wait_child(pid_t pid, int *status, Error 
**errp)
 g_assert(rpid == pid);
 }
 
+static void ga_pipe_read_str(int fd[2], char **str, size_t *len)
+{
+ssize_t n;
+char buf[1024];
+close(fd[1]);
+fd[1] = -1;
+while ((n = read(fd[0], buf, sizeof(buf))) != 0) {
+if (n < 0) {
+if (errno == EINTR) {
+continue;
+} else {
+break;
+}
+}
+*str = g_realloc(*str, *len + n);
+memcpy(*str + *len, buf, n);
+*len += n;
+}
+close(fd[0]);
+fd[0] = -1;
+}
+
 void qmp_guest_shutdown(bool has_mode, const char *mode, Error **errp)
 {
 const char *shutdown_flag;
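Review bot: `ga_pipe_read_str()` never NUL-terminates the buffer it builds: each pass reallocates to exactly `*len + n` bytes and copies `n` bytes, yet `ga_run_program()` later in this patch formats the result with `%s` in `error_setg()`, which reads past the end of the allocation. Reserving one extra byte and terminating after every append fixes it: `*str = g_realloc(*str, *len + n + 1);` and, after `*len += n;`, `(*str)[*len] = '\0';`. A read error other than EINTR is also dropped silently by the `break`, so the caller cannot tell truncated output from complete output. There is no cap on how much child output is accumulated, which is worth a bound or a comment.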
@@ -1952,20 +1974,128 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorList 
*vcpus, Error **errp)
 return processed;
 }
 
+/* Helper to run command with input/output redirection,
+ * sending string to stdin and taking error message from
+ * stdout/err
+ */
+static void ga_run_program(const char *argv[],
+   const char *in_str,
+   const char *action, Error **errp)
+{
+pid_t pid;
+int status;
+int infd[2] = { -1, -1 };
+int outfd[2] = { -1, -1 };
+char *str = NULL;
+size_t len = 0;
+
+if (in_str) {
+if (pipe(infd) < 0) {
+error_setg(errp, "cannot create pipe FDs");
+goto out;
+}
+}
+
+if (pipe(outfd) < 0) {
+error_setg(errp, "cannot create pipe FDs");
+goto out;
+}
+
+pid = fork();
+if (pid == 0) {
+/* child */
+setsid();
+if (in_str) {
+/* redirect stdin to infd */
+close(infd[1]);
+dup2(infd[0], 0);
+close(infd[0]);
+} else {
+reopen_fd_to_null(0);
+}
+
+/* redirect stdout/stderr to outfd */
+close(outfd[0]);
+dup2(outfd[1], 1);
+dup2(outfd[1], 2);
+close(outfd[1]);
+
+execve(argv[0], (char *const *)argv, environ);
+_exit(EXIT_FAILURE);
+} else if (pid < 0) {
+error_setg_errno(errp, errno, "failed to create child process");
+goto out;
+}
+
+if (in_str) {
+close(infd[0]);
+infd[0] = -1;
+if (qemu_write_full(infd[1],
+in_str, strlen(in_str)) != strlen(in_str)) {
+error_setg_errno(errp, errno,
+"%s: cannot write to stdin pipe", action);
+goto out;
+}
+close(infd[1]);
+infd[1] = -1;
+}
+
+
+ga_pipe_read_str(outfd, , );
+
+ga_wait_child(pid, , errp);
+if (*errp) {
+goto out;
+}
+
+if (!WIFEXITED(status)) {
+if (len) {
+error_setg(errp, "child process has terminated abnormally: "
+"%s", str);
+} else {
+error_setg(errp, "child process has terminated abnormally");
+}
+goto out;
+}
+
+if (WEXITSTATUS(status)) {
+if (len) {
+error_setg(errp, "child process has failed to %s: %s",
+action, str);
+} else {
+error_setg(errp, "child process has failed to %s: exit status %d",
+action, WEXITSTATUS(status));
+}
+goto out;
+}
+
+out:
+g_free(str);
+
+if (infd[0] != -1) {
+close(infd[0]);
+}
+if (infd[1] != -1) {
+close(infd[1]);
+}
+if (outfd[0] != -1) {
+close(outfd[0]);
+}
+if (outfd[1] != -1) {
+close(outfd[1]);
+}
+}
+
 void qmp_guest_set_user_password(const char *username,
  const char *password,
  bool crypted,
  Error **errp)
 {
-Error *local_err = NULL;
 char *passwd_path = NULL;
-pid_t pid;
-int status;
-int datafd[2] = { -1, -1 };
 char *rawpasswddata = NULL;
 size_t rawpasswdlen;
 char *chpasswddata = NULL;
-size_t chpasswdlen;
+const char *chpasswd_argv[] = { NULL /*path*/, "chpasswd", "-e", NULL };
 
 rawpasswddata = (char *)qbase64_decode(password, -1, , errp);
 if 

[Qemu-devel] [Bug 1531352] Re: QEMU_LD_PREFIX PATH loading library is not in the correct order

2016-01-06 Thread bananaapple
** Summary changed:

- QEMU_LD_PREFIX PATH not work on loading library
+ QEMU_LD_PREFIX PATH loading library is not in the correct order

** Description changed:

- run qemu with QEMU_LD_PREFIX argument will not load the library in the PATH.
+ run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  Example: I use debootstrap to download the library of i386 architecture
  And use -L point to the path.
  But not load the library from that directory.

** Summary changed:

- QEMU_LD_PREFIX PATH loading library is not in the correct order
+ QEMU_LD_PREFIX not load correct library order in the PATH

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
- Example: I use debootstrap to download the library of i386 architecture
- And use -L point to the path.
- But not load the library from that directory.
+ How to reproduce this bug:
+ ```
+ wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
+ ./fetchlibs.sh
+ sudo apt-get install qemu
+ wget http://train.cs.nctu.edu.tw/files/magic
+ chmod +x ./magic
+ qemu-i386 -L /home/apple/libs/i386 /home/apple/magic 
+ ```

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
- ```
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  sudo apt-get install qemu
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
- qemu-i386 -L /home/apple/libs/i386 /home/apple/magic 
- ```
+ qemu-i386 -L /home/apple/libs/i386 /home/apple/magic

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
+ These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  sudo apt-get install qemu
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
- sudo apt-get install qemu
+ This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
+ This is work fine. 
+ But after you install gcc-multilib, it failed.
+ sudo apt-get install gcc-multilib

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
- This is work fine. 
+ This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
+ qemu-i386 -L /home/apple/libs/i386 /home/apple/magic

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
+ /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926

** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L 

[Qemu-devel] [Bug 1531352] Re: QEMU_LD_PREFIX not load correct library order in the PATH

2016-01-06 Thread bananaapple
** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
  Because the order of dynamic linker search the shared library is wrong.
  When your system has /lib32 directory, its priority is higher than the 
QEMU_LD_PREFIX.
  If the system not loaded correspond with the dynamic linker, it will crash.
  Code flow:
- linux-user/main.c: 
-   call loader_exec
- linuxload.c: 
-   call load_elf_binary
- elfload.c: 
-   in load_elf_binary function
-   dynamic loader will be elf_interpreter
+ linux-user/main.c:
+   call loader_exec
+ linuxload.c:
+   call load_elf_binary
+ elfload.c:
+   in load_elf_binary function
+   dynamic loader will be elf_interpreter
  I think the problem should be here.

** Also affects: gcc-defaults (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: gcc-defaults (Ubuntu)

-- 
https://bugs.launchpad.net/bugs/1531352

Title:
  QEMU_LD_PREFIX not load correct library order in the PATH

Status in QEMU:
  New

Bug description:
  run qemu with QEMU_LD_PREFIX argument will not load correct library order in 
the PATH.
  How to reproduce this bug:
  These command will download the library of other architectures
  wget 
https://raw.githubusercontent.com/BinaryAnalysisPlatform/qira/master/fetchlibs.sh
  ./fetchlibs.sh
  This is 32bit binary file,
  wget http://train.cs.nctu.edu.tw/files/magic
  chmod +x ./magic
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  This is work fine.
  But after you install gcc-multilib, it failed.
  sudo apt-get install gcc-multilib
  qemu-i386 -L /home/apple/libs/i386 /home/apple/magic
  The following is the error message
  /home/apple/magic: 0���: ̀Í�: D$(�$: Error 18446744073549536926
  This happens because the dynamic linker searches for the shared libraries in the wrong order.
  When your system has a /lib32 directory, its priority is higher than that of
QEMU_LD_PREFIX.
  If the library loaded from the system does not correspond with the dynamic linker, it will crash.
  Code flow:
  linux-user/main.c:
    call loader_exec
  linuxload.c:
    call load_elf_binary
  elfload.c:
    in load_elf_binary function
    dynamic loader will be elf_interpreter
  I think the problem should be here.




[Qemu-devel] [Bug 1531352] Re: QEMU_LD_PREFIX PATH not work on loading library

2016-01-06 Thread bananaapple
** Description changed:

  run qemu with QEMU_LD_PREFIX argument will not load the library in the PATH.
- Ex: I use debootstrap to download the library of i386 architecture
+ Example: I use debootstrap to download the library of i386 architecture
  And use -L point to the path.
  But not load the library from that directory.

-- 
https://bugs.launchpad.net/bugs/1531352

Title:
  QEMU_LD_PREFIX PATH not work on loading library

Status in QEMU:
  New

Bug description:
  run qemu with QEMU_LD_PREFIX argument will not load the library in the PATH.
  Example: I use debootstrap to download the library of i386 architecture
  And use -L point to the path.
  But not load the library from that directory.




Re: [Qemu-devel] [PATCH v2] trace-events: fix broken format strings

2016-01-06 Thread Alex Bennée

Andrew Jones  writes:

> Fixes compiling with --enable-trace-backends
>
> Signed-off-by: Andrew Jones 
> ---
> v2: also remove trailing null strings [Laurent]


Reviewed-by: Alex Bennée 
Tested-by: Alex Bennée 

>
>
>  trace-events | 10 +-
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/trace-events b/trace-events
> index 6f036384a84f8..98ec748270a39 100644
> --- a/trace-events
> +++ b/trace-events
> @@ -1799,15 +1799,15 @@ qcrypto_tls_session_new(void *session, void *creds, 
> const char *hostname, const
>  vhost_user_event(const char *chr, int event) "chr: %s got event: %d"
>
>  # linux-user/signal.c
> -user_setup_frame(void *env, uint64_t frame_addr) "env=%p frame_addr="PRIx64""
> -user_setup_rt_frame(void *env, uint64_t frame_addr) "env=%p 
> frame_addr="PRIx64""
> -user_do_rt_sigreturn(void *env, uint64_t frame_addr) "env=%p 
> frame_addr="PRIx64""
> -user_do_sigreturn(void *env, uint64_t frame_addr) "env=%p 
> frame_addr="PRIx64""
> +user_setup_frame(void *env, uint64_t frame_addr) "env=%p 
> frame_addr=0x%"PRIx64
> +user_setup_rt_frame(void *env, uint64_t frame_addr) "env=%p 
> frame_addr=0x%"PRIx64
> +user_do_rt_sigreturn(void *env, uint64_t frame_addr) "env=%p 
> frame_addr=0x%"PRIx64
> +user_do_sigreturn(void *env, uint64_t frame_addr) "env=%p 
> frame_addr=0x%"PRIx64
>  user_force_sig(void *env, int target_sig, int host_sig) "env=%p signal %d 
> (host %d)"
>  user_handle_signal(void *env, int target_sig) "env=%p signal %d"
>  user_host_signal(void *env, int host_sig, int target_sig) "env=%p signal %d 
> (target %d("
>  user_queue_signal(void *env, int target_sig) "env=%p signal %d"
> -user_s390x_restore_sigregs(void *env, uint64_t sc_psw_addr, uint64_t 
> env_psw_addr) "env=%p frame psw.addr "PRIx64 " current psw.addr "PRIx64""
> +user_s390x_restore_sigregs(void *env, uint64_t sc_psw_addr, uint64_t 
> env_psw_addr) "env=%p frame psw.addr 0x%"PRIx64 " current psw.addr 0x%"PRIx64
>
>  # io/task.c
>  qio_task_new(void *task, void *source, void *func, void *opaque) "Task new 
> task=%p source=%p func=%p opaque=%p"
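Review bot: The context line for `user_host_signal` in this hunk still ends its format with `(target %d(`, an unbalanced parenthesis that looks like a typo for `(target %d)`. Since the patch is already correcting the format strings in this block, it could fix that one too, giving `"env=%p signal %d (target %d)"`.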


--
Alex Bennée



Re: [Qemu-devel] [RFC PATCH v2 00/10] Add colo-proxy based on netfilter

2016-01-06 Thread Dr. David Alan Gilbert
* Jason Wang (jasow...@redhat.com) wrote:
> 
> 
> On 01/05/2016 12:52 AM, Dr. David Alan Gilbert wrote:
> > * Jason Wang (jasow...@redhat.com) wrote:
> >>
> >> On 01/04/2016 04:16 PM, Zhang Chen wrote:
> >>>
> >>> On 01/04/2016 01:37 PM, Jason Wang wrote:
>  On 12/31/2015 04:40 PM, Zhang Chen wrote:
> > On 12/31/2015 10:36 AM, Jason Wang wrote:
> >> On 12/22/2015 06:42 PM, Zhang Chen wrote:
> >>> From: zhangchen 
> >>>
> >>> Hi,all
> >>>
> >>> This patch add an colo-proxy object, COLO-Proxy is a part of COLO,
> >>> based on qemu netfilter and it's a plugin for qemu netfilter. the
> >>> function
> >>> keep Secondary VM connect normal to Primary VM and compare packets
> >>> sent by PVM to sent by SVM.if the packet difference,notify COLO do
> >>> checkpoint and send all primary packet has queued.
> >> Thanks for the work. I don't object this method but still not
> >> convinced
> >> that qemu is the best place for this.
> >>
> >> As been raised in the past discussion, it's almost impossible to
> >> cooperate with vhost backends. If we want this to be used in
> >> production
> >> environment, need to think of a solution for vhost. There's no such
> >> worry if we decouple this from qemu.
> >>
> >>> You can also get the series from:
> >>>
> >>> https://github.com/zhangckid/qemu/tree/colo-v2.2-periodic-mode-with-colo-proxyV2
> >>>
> >>>
> >>>
> >>> Usage:
> >>>
> >>> primary:
> >>> -netdev tap,id=bn0 -device e1000,netdev=bn0
> >>> -object
> >>> colo-proxy,id=f0,netdev=bn0,queue=all,mode=primary,addr=host:port
> >>>
> >>> secondary:
> >>> -netdev tap,id=bn0 -device e1000,netdev=bn0
> >>> -object
> >>> colo-proxy,id=f0,netdev=bn0,queue=all,mode=secondary,addr=host:port
> >> Have a quick glance at how secondary mode work. What it does is just
> >> forwarding packets between a nic and a socket, qemu socket backend did
> >> exact the same job. You could even use socket in primary node and let
> >> packet compare module talk to both primary and secondary node.
> > If we use qemu socket backend , the same netdev will used by qemu
> > socket and
> > qemu netfilter. this will against qemu net design. and then, when colo
> > do failover,
> > secondary do not have backend to use. that's the real problem.
>  Then, maybe it's time to implement changing the netdev of a nic. The
>  point here is that what secondary mode did is in fact a netdev backend
>  instead of a filter ...
> >>> Currently, you are right. in colo-proxy V2 code, I just compare IP
> >>> packet to
> >>> decide whether to do checkpoint.
> >>> But, in colo-proxy V3 I will compare tcp,icmp,udp packet to decide it.
> >>> because that can reduce frequency of checkpoint and improve
> >>> performance. To keep tcp connection well, colo secondary need to record
> >>> primary guest's init seq and adjust secondary guest's ack. if colo do
> >>> failover,
> >>> secondary also need do this to old tcp connection. qemu socket
> >>> can't do this job.
> >> So a question here: is it a must to do things (e.g TCP analysis stuffs)
> >> at secondary? Looks like we could do this at primary node. And I saw
> >> you're doing packet comparing in primary node, any advantages of doing
> >> this in primary instead of secondary?
> > It needs to do this on the secondary; the trick is that things like TCP 
> > sequence
> > numbers are likely to be different on the primary and secondary; the kernel 
> > colo-proxy
> > implementation solved this problem by rewriting the sequence numbers on
> > the secondary to match the primary, after a failover, the secondary has
> > to keep doing that rewrite to ensure existing connections are OK.
> > Thus it's holding some state about the current connections.
> 
> I see.
> 
> > I think also, to be able to do a 2nd failover (i.e. recover from the 1st 
> > failure
> > and then sometime later have another) you'd have to sync this
> > state over to a new host, so again that says the state needs to be part of
> > qemu or at least easily available to it.
> >
> > Dave
> 
> Right, if it does thing like tcp seq rewrite (which is missed in current
> version), it works much more like a netfilter. Wonder if the function is
> generic enough for users other than colo.

I can imagine the sequence number rework might be, but I doubt the packet
comparison is.

Dave

> Thanks
> 
> >
> >>> and another problem is do failover, if we use qemu socket
> >>> to be backend in secondary, when colo do failover, I don't know how to
> >>> change
> >>> secondary be a normal qemu, if you know, please tell me.
> >> Current qemu couldn't do this, but I mean we implement something like
> >> nic_change_backend which can change nic's peer(s). With this, in
> >> secondary, we can replace the socket backend with whatever you want (e.g
> >> tap or other).
> >>

Re: [Qemu-devel] [PATCH 3/6] device_tree: introduce qemu_fdt_node_path

2016-01-06 Thread Eric Auger
On 01/05/2016 06:55 PM, Peter Maydell wrote:
> On 5 January 2016 at 16:20, Eric Auger  wrote:
>> Hi Peter,
>> On 12/18/2015 03:23 PM, Peter Maydell wrote:
>>> On 17 December 2015 at 12:29, Eric Auger  wrote:
 This new helper routine returns the node path of a device
 referred to by its node name and compat string.

 Signed-off-by: Eric Auger 
> 
 +
 +*node_path = NULL;
 +offset = fdt_node_offset_by_compatible(fdt, -1, compat);
 +while (offset != -FDT_ERR_NOTFOUND) {
 +if (offset < 0) {
 +continue;
>>>
>>> I don't understand this continue -- if the fdt function returned any
>>> error other than -FDT_ERR_NOTFOUND then this will cause us to go
>>> into an infinite loop around this while(). Did you mean 'break' ?
>>> (Though if you just want to break then fixing the while condition
>>> would be better.)
>> My first understanding of the API was fdt_node_offset_by_compatible
>> would increment the offset even if an error occurred; so I envisioned to
>> continue parsing the tree, looking for another node with same features.
> 
> Your code doesn't call fdt_node_offset_by_compatible again
> in the case where it's trying to continue, though...

I'll be damned, got it now!

Thanks

Eric
> 
> thanks
> -- PMM
> 




[Qemu-devel] [PATCH] SCSI device: fix to incomplete QOMify

2016-01-06 Thread Cao jin
Signed-off-by: Cao jin 
---
 hw/scsi/megasas.c | 12 ++--
 hw/scsi/scsi-bus.c|  4 ++--
 hw/scsi/virtio-scsi.c |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index d7dc667..78239bf 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -744,7 +744,7 @@ static int megasas_ctrl_get_info(MegasasState *s, 
MegasasCmd *cmd)
 info.device.type = MFI_INFO_DEV_SAS3G;
 info.device.port_count = 8;
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 uint16_t pd_id;
 
 if (num_pd_disks < 8) {
@@ -960,7 +960,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, 
MegasasCmd *cmd)
 max_pd_disks = MFI_MAX_SYS_PDS;
 }
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 uint16_t pd_id;
 
 if (num_pd_disks >= max_pd_disks)
@@ -1136,7 +1136,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, 
MegasasCmd *cmd)
 max_ld_disks = MFI_MAX_LD;
 }
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 
 if (num_ld_disks >= max_ld_disks) {
 break;
@@ -1187,7 +1187,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, 
MegasasCmd *cmd)
 max_ld_disks = MFI_MAX_LD;
 }
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 
 if (num_ld_disks >= max_ld_disks) {
 break;
@@ -1327,7 +1327,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, 
MegasasCmd *cmd)
 ld_offset = array_offset + sizeof(struct mfi_array) * num_pd_disks;
 
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (sdev->lun & 0xFF);
 struct mfi_array *array;
 struct mfi_ld_config *ld;
@@ -2237,7 +2237,7 @@ static void megasas_soft_reset(MegasasState *s)
  * after the initial reset.
  */
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
-SCSIDevice *sdev = DO_UPCAST(SCSIDevice, qdev, kid->child);
+SCSIDevice *sdev = SCSI_DEVICE(kid->child);
 
 sdev->unit_attention = SENSE_CODE(NO_SENSE);
 scsi_device_unit_attention_reported(sdev);
diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index 00bddc9..fea0257 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -1850,7 +1850,7 @@ void scsi_device_purge_requests(SCSIDevice *sdev, 
SCSISense sense)
 
 static char *scsibus_get_dev_path(DeviceState *dev)
 {
-SCSIDevice *d = DO_UPCAST(SCSIDevice, qdev, dev);
+SCSIDevice *d = SCSI_DEVICE(dev);
 DeviceState *hba = dev->parent_bus->parent;
 char *id;
 char *path;
@@ -2023,7 +2023,7 @@ static void scsi_device_class_init(ObjectClass *klass, 
void *data)
 static void scsi_dev_instance_init(Object *obj)
 {
 DeviceState *dev = DEVICE(obj);
-SCSIDevice *s = DO_UPCAST(SCSIDevice, qdev, dev);
+SCSIDevice *s = SCSI_DEVICE(dev);
 
 device_add_bootindex_property(obj, >conf.bootindex,
   "bootindex", NULL,
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 3a4f520..607593c 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -352,7 +352,7 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq 
*req)
 target = req->req.tmf.lun[1];
 s->resetting++;
 QTAILQ_FOREACH(kid, >bus.qbus.children, sibling) {
- d = DO_UPCAST(SCSIDevice, qdev, kid->child);
+ d = SCSI_DEVICE(kid->child);
  if (d->channel == 0 && d->id == target) {
 qdev_reset_all(>qdev);
  }
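Review bot: The conversion in `virtio_scsi_do_tmf()` stops halfway: `d` is now obtained with the checked `SCSI_DEVICE()` cast, but the `qdev_reset_all()` call two lines below still reaches into the embedded `qdev` field (the argument is garbled on this page, so this is inferred). `qdev_reset_all(DEVICE(d));` would keep the code independent of the struct layout, which is the purpose of the QOM casts. The same applies to `scsi_dev_instance_init()` in scsi-bus.c, where `SCSI_DEVICE(obj)` could be used directly instead of casting through `dev`. The commit message is empty; one line saying that `DO_UPCAST` is replaced by the type-checked QOM macro would help. The function continues outside the hunk.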
-- 
2.1.0






Re: [Qemu-devel] [PATCH v3 0/4] Convert to realize()

2016-01-06 Thread Stefano Stabellini
On Wed, 6 Jan 2016, Cao jin wrote:
> v3 changelog:
> 1. use following style when we want to check the returned error
> 
>  Error *err = NULL;
>  foo(arg, );
>  if (err) {
>  handle the error...
>  error_propagate(errp, err);
>  }
> 
> Cao jin (4):
>   Add Error **errp for xen_host_pci_device_get()
>   Add Error **errp for xen_pt_setup_vga()
>   Add Error **errp for xen_pt_config_init()
>   Xen PCI passthru: convert to realize()
> 
>  hw/xen/xen-host-pci-device.c | 106 
> +--
>  hw/xen/xen-host-pci-device.h |   5 +-
>  hw/xen/xen_pt.c  |  73 -
>  hw/xen/xen_pt.h  |   5 +-
>  hw/xen/xen_pt_config_init.c  |  51 +++--
>  hw/xen/xen_pt_graphics.c |  11 +++--
>  6 files changed, 141 insertions(+), 110 deletions(-)

Thanks Cao, I applied the whole series to my next branch.



Re: [Qemu-devel] [Xen-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread David Vrabel
On 06/01/16 12:08, Stefano Stabellini wrote:
> If the frontend sets out_cons to a value higher than out_prod, it will
> cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
> better checks at the beginning of the function.

You can't use less than to compare prod and cons because they wrap.

You need to compare (prod - cons) against ring size (or similar) to
check for overflow.  See RING_REQUEST_PROD_OVERFLOW() etc.

David



Re: [Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread Paul Durrant
> -Original Message-
> From: qemu-devel-bounces+paul.durrant=citrix@nongnu.org
> [mailto:qemu-devel-bounces+paul.durrant=citrix@nongnu.org] On
> Behalf Of Stefano Stabellini
> Sent: 06 January 2016 12:08
> To: qemu-devel@nongnu.org
> Cc: liuling...@360.cn; xen-de...@lists.xensource.com; Stefano Stabellini
> Subject: [Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod
> <= out_cons
> 
> If the frontend sets out_cons to a value higher than out_prod, it will
> cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
> better checks at the beginning of the function.
> 

What happens when out_prod wraps?

  Paul

> Signed-off-by: Stefano Stabellini 
> 
> diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
> index 4e2a27a..f963cf2 100644
> --- a/hw/display/xenfb.c
> +++ b/hw/display/xenfb.c
> @@ -789,10 +789,11 @@ static void xenfb_handle_events(struct XenFB
> *xenfb)
> 
>  prod = page->out_prod;
>  out_cons = page->out_cons;
> -if (prod == out_cons)
> - return;
> +if (prod <= out_cons) {
> +return;
> +}
>  xen_rmb();   /* ensure we see ring contents up to prod */
> -for (cons = out_cons; cons != prod; cons++) {
> +for (cons = out_cons; cons < prod; cons++) {
>   union xenfb_out_event *event = _OUT_RING_REF(page,
> cons);
>  uint8_t type = event->type;
>   int x, y, w, h;




Re: [Qemu-devel] [PATCH] hw/dma/xilinx_axidma: debug printf fixups

2016-01-06 Thread Andrew Jones
On Tue, Jan 05, 2016 at 05:45:57PM -0800, Alistair Francis wrote:
> On Tue, Jan 5, 2016 at 7:32 AM, Andrew Jones  wrote:
> > On Tue, Jan 05, 2016 at 07:07:22AM -0700, Eric Blake wrote:
> >> On 01/05/2016 06:22 AM, Andrew Jones wrote:
> >> > (Found by grepping for broken PRI users.)
> >> >
> >> > Signed-off-by: Andrew Jones 
> >> > ---
> >> >  hw/dma/xilinx_axidma.c | 8 
> >> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >> >
> >> > diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
> >> > index b1cfa11356a26..2ab0772cd19ae 100644
> >> > --- a/hw/dma/xilinx_axidma.c
> >> > +++ b/hw/dma/xilinx_axidma.c
> >> > @@ -180,10 +180,10 @@ static inline int streamid_from_addr(hwaddr addr)
> >> >  #ifdef DEBUG_ENET
> >> >  static void stream_desc_show(struct SDesc *d)
> >> >  {
> >> > -qemu_log("buffer_addr  = " PRIx64 "\n", d->buffer_address);
> >> > -qemu_log("nxtdesc  = " PRIx64 "\n", d->nxtdesc);
> >> > -qemu_log("control  = %x\n", d->control);
> >> > -qemu_log("status   = %x\n", d->status);
> >> > +qemu_log("buffer_addr  = 0x%" PRIx64 "\n", d->buffer_address);
> >> > +qemu_log("nxtdesc  = 0x%" PRIx64 "\n", d->nxtdesc);
> >> > +qemu_log("control  = 0x%x\n", d->control);
> >> > +qemu_log("status   = 0x%x\n", d->status);
> >>
> >> This is dead code.  Nothing uses stream_desc_show() even when DEBUG_ENET
> >> is defined.  I'd just delete the function and #ifdef altogether, instead.
> >
> > Sounds good, but I guess I'll leave the keep+fix vs. throw decision to the
> > maintainers, rather than to submit a v2 ripping it out.
> 
> I don't see any reason to keep dead code around. I think it should be removed.

The reason I see is that this function could be useful to temporarily add in
different places while debugging. I.e. this is no different than a collection
of temporary printf's, but saves the time of rewriting those printf's
whenever/wherever they're necessary. I suspect that's why this function is
here in the first place.

That said, I don't debug this file, so I don't really have any say on
whether or not it's of any use now. Anyway, based on the fact this function
has PRI bugs in it that would break compilation, I guess nobody debugs this
file with DEBUG_ENET turned on.

> 
> If you send a V2 removing it (or a new patch altogether) I'll review it.

OK, sending a new patch that kills it.

Thanks,
drew



Re: [Qemu-devel] [PATCH v8 1/4] hw/ptimer: Fix issues caused by the adjusted timer limit value

2016-01-06 Thread Dmitry Osipenko

06.01.2016 15:15, Peter Crosthwaite пишет:

diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
index edf077c..035af97 100644
--- a/hw/core/ptimer.c
+++ b/hw/core/ptimer.c
@@ -34,20 +34,39 @@ static void ptimer_trigger(ptimer_state *s)

  static void ptimer_reload(ptimer_state *s)
  {
-if (s->delta == 0) {
+uint32_t period_frac = s->period_frac;
+uint64_t period = s->period;
+uint64_t delta = s->delta;
+uint64_t limit = s->limit;
+


Localising these variables is out of scope of the change. I think you can
just use s->foo and if you want to cleanup, it should be a separate
patch.



Okay


+if (delta == 0) {
  ptimer_trigger(s);
-s->delta = s->limit;
+delta = limit;
  }
-if (s->delta == 0 || s->period == 0) {
+if (delta == 0 || period == 0) {
  fprintf(stderr, "Timer with period zero, disabling\n");
  s->enabled = 0;
  return;
  }

+/*
+ * Artificially limit timeout rate to something
+ * achievable under QEMU.  Otherwise, QEMU spends all
+ * its time generating timer interrupts, and there
+ * is no forward progress.
+ * About ten microseconds is the fastest that really works
+ * on the current generation of host machines.
+ */
+
+if ((s->enabled == 1) && (limit * period < 1)) {
+period = 1 / limit;
+period_frac = 0;
+}
+


I think it should be ok to just update s->period and s->period_frac ...



No, then the original period would be irreversibly lost. What if someone later
decides to change the limit to some large value?



  s->last_event = s->next_event;
-s->next_event = s->last_event + s->delta * s->period;
-if (s->period_frac) {
-s->next_event += ((int64_t)s->period_frac * s->delta) >> 32;
+s->next_event = s->last_event + delta * period;
+if (period_frac) {
+s->next_event += ((int64_t)period_frac * delta) >> 32;
  }
  timer_mod(s->timer, s->next_event);
  }
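Review bot: The new rate-limit block in ptimer_reload divides by `limit` without checking it for zero. The earlier guard rejects `delta == 0` and `period == 0`, but `delta` is only reloaded from `limit` when it is already zero, so a non-zero `delta` with `limit == 0` makes `limit * period < 1` true and reaches `period = 1 / limit`. The same unguarded divide by `s->limit` is added in the ptimer_get_count hunk at `@@ -93,8 +114,13 @@`. Whether a device model can reach that state from guest register writes is not visible here, but if it can, this is a divide-by-zero in the emulator process. Adding a zero test to both conditions, e.g. `if ((s->enabled == 1) && limit != 0 && (limit * period < 1)) {`, closes it.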
@@ -82,6 +101,8 @@ uint64_t ptimer_get_count(ptimer_state *s)
  uint64_t div;
  int clz1, clz2;
  int shift;
+uint32_t period_frac = s->period_frac;
+uint64_t period = s->period;

  /* We need to divide time by period, where time is stored in
 rem (64-bit integer) and period is stored in period/period_frac
@@ -93,8 +114,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
 backwards.
  */

+if ((s->enabled == 1) && (s->limit * period < 1)) {
+period = 1 / s->limit;
+period_frac = 0;
+}
+


... and then this (and the local variables) become obsolete. Can get_count()
blindly use the period and period_frac as used by ptimer_reload?


  rem = s->next_event - now;
-div = s->period;
+div = period;

  clz1 = clz64(rem);
  clz2 = clz64(div);
@@ -103,13 +129,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
  rem <<= shift;
  div <<= shift;
  if (shift >= 32) {
-div |= ((uint64_t)s->period_frac << (shift - 32));
+div |= ((uint64_t)period_frac << (shift - 32));
  } else {
  if (shift != 0)
-div |= (s->period_frac >> (32 - shift));
+div |= (period_frac >> (32 - shift));
  /* Look at remaining bits of period_frac and round div up if
 necessary.  */
-if ((uint32_t)(s->period_frac << shift))
+if ((uint32_t)(period_frac << shift))
  div += 1;
  }
  counter = rem / div;
@@ -181,19 +207,6 @@ void ptimer_set_freq(ptimer_state *s, uint32_t freq)
 count = limit.  */
  void ptimer_set_limit(ptimer_state *s, uint64_t limit, int reload)
  {
-/*
- * Artificially limit timeout rate to something
- * achievable under QEMU.  Otherwise, QEMU spends all
- * its time generating timer interrupts, and there
- * is no forward progress.
- * About ten microseconds is the fastest that really works
- * on the current generation of host machines.
- */
-
-if (!use_icount && limit * s->period < 1 && s->period) {


This original rate limiting code is gated on icount, so I think then
new way should be the same.



Shoot :) That's second time I'm missing it. Good catch!


Regards,
Peter


-limit = 1 / s->period;
-}
-
  s->limit = limit;
  if (reload)
  s->delta = limit;
--
2.6.4




--
Dmitry



Re: [Qemu-devel] arm64 qemu tests failing in linux-next since 'arm64: kernel: enforce pmuserenr_el0 initialization and restore'

2016-01-06 Thread Lorenzo Pieralisi
Hi Guenter,

On Wed, Dec 23, 2015 at 04:52:51PM -0800, Guenter Roeck wrote:
> Hi all,
> 
> since commit 60792ad349f3 ("arm64: kernel: enforce pmuserenr_el0 
> initialization
> and restore"), my arm64 qemu tests of linux-next are failing. After this 
> commit,
> qemu does not display any output.
> 
> Qemu version is 2.5.0. Linux kernel configuration is arm64:defconfig.
> 
> qemu command line is as follows:
> 
>   qemu-system-aarch64 -machine virt -cpu cortex-a57 -machine type=virt 
> -nographic -smp 1 \
>   -m 512 -kernel arch/arm64/boot/Image -initrd rootfs.arm64.cpio 
> -no-reboot \
>   -append "console=ttyAMA0"
> 
> Any idea what might cause this problem and how to fix it (presumably in qemu) 
> ?

We took notice of this and we are going to look into it shortly, thanks for
the heads-up.

Lorenzo

> 
> Bisect log is attached below. Reverting commit 60792ad349f3 on top of 
> linux-next
> fixes the problem.
> 
> Thanks,
> Guenter
> 
> ---
> # bad: [80c75a0f1d81922bf322c0634d1e1a15825a89e6] Add linux-next specific 
> files for 20151223
> # good: [4ef7675344d687a0ef5b0d7c0cee12da005870c0] Linux 4.4-rc6
> git bisect start 'HEAD' 'v4.4-rc6'
> # bad: [52c8be920db8e42d195ca7fe93fe31aa9958100e] Merge remote-tracking 
> branch 'drm/drm-next'
> git bisect bad 52c8be920db8e42d195ca7fe93fe31aa9958100e
> # bad: [ef1ebde6af4d839a07d787440e35f0ae3b02e567] Merge remote-tracking 
> branch 'v4l-dvb/master'
> git bisect bad ef1ebde6af4d839a07d787440e35f0ae3b02e567
> # bad: [1e4012d4f91fd118167f14c4172bf779a7884d26] Merge remote-tracking 
> branch 'tegra/for-next'
> git bisect bad 1e4012d4f91fd118167f14c4172bf779a7884d26
> # good: [392fd3291c93094ca65853cca5e168016c4e08b1] Merge branch 'next/dt64' 
> into for-next
> git bisect good 392fd3291c93094ca65853cca5e168016c4e08b1
> # bad: [49fc6d2449b0cebd9738694a9c9ee794c3686797] Merge remote-tracking 
> branch 'omap/for-next'
> git bisect bad 49fc6d2449b0cebd9738694a9c9ee794c3686797
> # bad: [f5a47ef34509cbce244c18bef02b175d0e48dc4f] Merge remote-tracking 
> branch 'at91/at91-next'
> git bisect bad f5a47ef34509cbce244c18bef02b175d0e48dc4f
> # good: [59f8d523983105e8490603ae1c0798207e9781e6] Merge remote-tracking 
> branch 'arc/for-next'
> git bisect good 59f8d523983105e8490603ae1c0798207e9781e6
> # good: [40499303a6c59c96da587a91fca617017106e908] Merge branch 
> 'next/defconfig' into for-next
> git bisect good 40499303a6c59c96da587a91fca617017106e908
> # good: [ea07b401d16052b43782c6389c9c2115aa3077ff] Merge branches 'component' 
> and 'misc' into for-next
> git bisect good ea07b401d16052b43782c6389c9c2115aa3077ff
> # bad: [5d7ee87708d4d86fcc32afc9552d05f7625d303d] arm64: perf: add support 
> for Cortex-A72
> git bisect bad 5d7ee87708d4d86fcc32afc9552d05f7625d303d
> # good: [9e9caa6a496174e53d7753baa4779717771da4a7] arm64: perf: Add event 
> descriptions
> git bisect good 9e9caa6a496174e53d7753baa4779717771da4a7
> # bad: [60792ad349f3c6dc5735aafefe5dc9121c79e320] arm64: kernel: enforce 
> pmuserenr_el0 initialization and restore
> git bisect bad 60792ad349f3c6dc5735aafefe5dc9121c79e320
> # good: [aae881ad73460e1b2aea01f079a0541bd5a9136c] arm64: perf: Correct 
> Cortex-A53/A57 compatible values
> git bisect good aae881ad73460e1b2aea01f079a0541bd5a9136c
> # first bad commit: [60792ad349f3c6dc5735aafefe5dc9121c79e320] arm64: kernel: 
> enforce pmuserenr_el0 initialization and restore
> 



Re: [Qemu-devel] [PATCH v8 2/4] hw/ptimer: Perform tick and counter wrap around if timer already expired

2016-01-06 Thread Peter Crosthwaite
On Tue, Jan 05, 2016 at 05:33:27AM +0300, Dmitry Osipenko wrote:
> ptimer_get_count() might be called while QEMU timer already been expired.
> In that case ptimer would return counter = 0, which might be undesirable
> in case of polled timer. Do counter wrap around for periodic timer to keep
> it distributed.
> 
> In addition, there is no reason to keep expired timer tick deferred, so
> just perform the tick from ptimer_get_count().
> 
> Signed-off-by: Dmitry Osipenko 
> ---
>  hw/core/ptimer.c | 35 +--
>  1 file changed, 29 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
> index 035af97..96a6c7a 100644
> --- a/hw/core/ptimer.c
> +++ b/hw/core/ptimer.c
> @@ -85,15 +85,21 @@ static void ptimer_tick(void *opaque)
>  
>  uint64_t ptimer_get_count(ptimer_state *s)
>  {
> +int enabled = s->enabled;

Variable localisation not needed.

>  int64_t now;
> +int64_t next;
>  uint64_t counter;
> +int expired;
> +int oneshot;

Variable defs can be localised to the if (enabled) (even though now
in original code doesn't do that).

>  
> -if (s->enabled) {
> +if (enabled) {
>  now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
> +next = s->next_event;
> +expired = (now - next >= 0);
> +oneshot = (enabled == 2);
>  /* Figure out the current counter value.  */

This comment is now out of place.

> -if (now - s->next_event > 0
> -|| s->period == 0) {
> -/* Prevent timer underflowing if it should already have
> +if (s->period == 0 || (expired && oneshot)) {
> +/* Prevent one-shot timer underflowing if it should already have
> triggered.  */
>  counter = 0;
>  } else {
> @@ -114,12 +120,12 @@ uint64_t ptimer_get_count(ptimer_state *s)
> backwards.
>  */
>  
> -if ((s->enabled == 1) && (s->limit * period < 1)) {
> +if (!oneshot && (s->limit * period < 1)) {
>  period = 1 / s->limit;
>  period_frac = 0;
>  }
>  
> -rem = s->next_event - now;
> +rem = expired ? now - next : next - now;
>  div = period;
>  
>  clz1 = clz64(rem);
> @@ -139,6 +145,23 @@ uint64_t ptimer_get_count(ptimer_state *s)
>  div += 1;
>  }
>  counter = rem / div;
> +
> +if (expired) {
> +/* Wrap around periodic counter.  */
> +counter = s->delta = s->limit - counter % s->limit;

Why do you update the delta here?

Also can you just get ptimer_reload to do the modulo math for you? If the
timer is !oneshot and expired, then you call ptimer_reload anyway,
which will update next_event. When the expired test returns false
you can just reliably use the original logic involving now and next.

> +}
> +}
> +
> +if (expired) {
> +if (oneshot) {

This if-else has a lot of common structure with the one above. I think
they could be merged.

Regards,
Peter

> +ptimer_tick(s);
> +} else {
> +/* Don't use ptimer_tick() for the periodic timer since it
> + * would reset the delta value.
> + */
> +ptimer_trigger(s);
> +ptimer_reload(s);
> +}
>  }
>  } else {
>  counter = s->delta;
> -- 
> 2.6.4
> 



[Qemu-devel] [PATCH] SCSI bus: fix to incomplete QOMify

2016-01-06 Thread Cao jin
Signed-off-by: Cao jin 
---
 hw/scsi/scsi-bus.c | 16 
 include/hw/scsi/scsi.h |  5 -
 2 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
index fea0257..1667e01 100644
--- a/hw/scsi/scsi-bus.c
+++ b/hw/scsi/scsi-bus.c
@@ -54,7 +54,7 @@ static void scsi_device_realize(SCSIDevice *s, Error **errp)
 int scsi_bus_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf,
void *hba_private)
 {
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(dev->qdev.parent_bus);
 int rc;
 
 assert(cmd->len == 0);
@@ -145,7 +145,7 @@ static void scsi_dma_restart_cb(void *opaque, int running, 
RunState state)
 static void scsi_qdev_realize(DeviceState *qdev, Error **errp)
 {
 SCSIDevice *dev = SCSI_DEVICE(qdev);
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(dev->qdev.parent_bus);
 SCSIDevice *d;
 Error *local_err = NULL;
 
@@ -553,7 +553,7 @@ SCSIRequest *scsi_req_alloc(const SCSIReqOps *reqops, 
SCSIDevice *d,
 uint32_t tag, uint32_t lun, void *hba_private)
 {
 SCSIRequest *req;
-SCSIBus *bus = scsi_bus_from_device(d);
+SCSIBus *bus = SCSI_BUS(d->qdev.parent_bus);
 BusState *qbus = BUS(bus);
 const int memset_off = offsetof(SCSIRequest, sense)
+ sizeof(req->sense);
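Review bot: Dropping `scsi_bus_from_device()` and open-coding `SCSI_BUS(d->qdev.parent_bus)` here repeats the same expression across the eight call sites this patch touches. Keeping the helper in include/hw/scsi/scsi.h and changing only its body to `return SCSI_BUS(d->qdev.parent_bus);` would keep the lookup in one place and leave any callers outside hw/scsi/scsi-bus.c building. The commit message is also empty apart from the sign-off; one sentence saying that `SCSI_BUS()` is the QOM cast, which can verify the object's type at run time, whereas `DO_UPCAST` is an unchecked container cast, would explain why the swap is wanted. scsi_req_alloc's body continues outside the hunk.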
@@ -578,7 +578,7 @@ SCSIRequest *scsi_req_alloc(const SCSIReqOps *reqops, 
SCSIDevice *d,
 SCSIRequest *scsi_req_new(SCSIDevice *d, uint32_t tag, uint32_t lun,
   uint8_t *buf, void *hba_private)
 {
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, d->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(d->qdev.parent_bus);
 const SCSIReqOps *ops;
 SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(d);
 SCSIRequest *req;
@@ -1272,7 +1272,7 @@ int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, 
uint8_t *buf)
 
 void scsi_device_report_change(SCSIDevice *dev, SCSISense sense)
 {
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(dev->qdev.parent_bus);
 
 scsi_device_set_ua(dev, sense);
 if (bus->info->change) {
@@ -1612,7 +1612,7 @@ void scsi_req_unref(SCSIRequest *req)
 assert(req->refcount > 0);
 if (--req->refcount == 0) {
 BusState *qbus = req->dev->qdev.parent_bus;
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, qbus);
+SCSIBus *bus = SCSI_BUS(qbus);
 
 if (bus->info->free_request && req->hba_private) {
 bus->info->free_request(bus, req->hba_private);
@@ -1896,7 +1896,7 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, 
int id, int lun)
 static void put_scsi_requests(QEMUFile *f, void *pv, size_t size)
 {
 SCSIDevice *s = pv;
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, s->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(s->qdev.parent_bus);
 SCSIRequest *req;
 
 QTAILQ_FOREACH(req, >requests, next) {
@@ -1921,7 +1921,7 @@ static void put_scsi_requests(QEMUFile *f, void *pv, 
size_t size)
 static int get_scsi_requests(QEMUFile *f, void *pv, size_t size)
 {
 SCSIDevice *s = pv;
-SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, s->qdev.parent_bus);
+SCSIBus *bus = SCSI_BUS(s->qdev.parent_bus);
 int8_t sbyte;
 
 while ((sbyte = qemu_get_sbyte(f)) > 0) {
diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
index 1915a73..2ca1d7b 100644
--- a/include/hw/scsi/scsi.h
+++ b/include/hw/scsi/scsi.h
@@ -167,11 +167,6 @@ struct SCSIBus {
 void scsi_bus_new(SCSIBus *bus, size_t bus_size, DeviceState *host,
   const SCSIBusInfo *info, const char *bus_name);
 
-static inline SCSIBus *scsi_bus_from_device(SCSIDevice *d)
-{
-return DO_UPCAST(SCSIBus, qbus, d->qdev.parent_bus);
-}
-
 SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockBackend *blk,
   int unit, bool removable, int bootindex,
   const char *serial, Error **errp);
-- 
2.1.0






Re: [Qemu-devel] [PATCH v5 0/6] i386: expose floppy-related objects in SSDT

2016-01-06 Thread Igor Mammedov
On Wed, 30 Dec 2015 23:11:50 +0300
Roman Kagan  wrote:

> Windows on UEFI systems is only capable of detecting the presence and
> the type of floppy drives via corresponding ACPI objects.
> 
> Those objects are added in patch 5; the preceding ones pave the way to
> it, by making the necessary data public and by moving the whole
> floppy drive controller description into runtime-generated SSDT.
> 
> Note that the series conflicts with Igor's patchset for dynamic DSDT, in
> particular, with "[PATCH v2 27/51] pc: acpi: move FDC0 device from DSDT
> to SSDT"; I haven't managed to avoid that while trying to meet
> maintainer's comments.

Tested with XPsp3 WS2008R2 WS2012R2, no regressions so far it boots fine and 
can read floppy.

So for whole series:
Reviewed-by: Igor Mammedov 


> Roman Kagan (6):
>   i386/pc: expose identifying the floppy controller
>   i386/acpi: make floppy controller object dynamic
>   tests/acpi: update test data
>   expose floppy drive geometry and CMOS type
>   i386: populate floppy drive information in SSDT
>   tests/acpi: update test data
> 
> Signed-off-by: Roman Kagan 
> Cc: "Michael S. Tsirkin" 
> Cc: Eduardo Habkost 
> Cc: Igor Mammedov 
> Cc: John Snow 
> Cc: Kevin Wolf 
> Cc: Paolo Bonzini 
> Cc: Richard Henderson 
> Cc: qemu-bl...@nongnu.org
> Cc: qemu-sta...@nongnu.org
> ---
> changes since v4:
>  - re-split out code changes from test data updates
> 
> changes since v3:
>  - make FDC object fully dynamic in a separate patch
>  - split out support patches
>  - include test data updates with the respective patches to maintain
>bisectability
> 
> changes since v2:
>  - explicit endianness for buffer data
>  - reorder code to reduce conflicts with dynamic DSDT patchset
>  - update test data
> 
>  hw/block/fdc.c  |  11 +
>  hw/i386/acpi-build.c|  92 
> 
>  hw/i386/acpi-dsdt-isa.dsl   |  18 ---
>  hw/i386/acpi-dsdt.dsl   |   1 -
>  hw/i386/pc.c|  46 ++
>  hw/i386/q35-acpi-dsdt.dsl   |   7 +--
>  include/hw/block/fdc.h  |   2 +
>  include/hw/i386/pc.h|   3 ++
>  tests/acpi-test-data/pc/DSDT| Bin 3028 -> 2946 bytes
>  tests/acpi-test-data/pc/SSDT| Bin 2486 -> 2635 bytes
>  tests/acpi-test-data/pc/SSDT.bridge | Bin 4345 -> 4494 bytes
>  tests/acpi-test-data/q35/DSDT   | Bin 7666 -> 7578 bytes
>  12 files changed, 137 insertions(+), 43 deletions(-)
> 




Re: [Qemu-devel] [Xen-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread Stefano Stabellini
On Wed, 6 Jan 2016, David Vrabel wrote:
> On 06/01/16 12:08, Stefano Stabellini wrote:
> > If the frontend sets out_cons to a value higher than out_prod, it will
> > cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
> > better checks at the beginning of the function.
> 
> You can't use less than to compare prod and cons because they wrap.
> 
> You need to compare (prod - cons) against ring size (or similar) to
> check for overflow.  See RING_REQUEST_PROD_OVERFLOW() etc.

Yes, you are right. I think that the right fix should be:


diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 4e2a27a..594baff 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -789,8 +789,9 @@ static void xenfb_handle_events(struct XenFB *xenfb)
 
 prod = page->out_prod;
 out_cons = page->out_cons;
-if (prod == out_cons)
-   return;
+if (prod - out_cons >= XENFB_OUT_RING_LEL) {
+return;
+}
 xen_rmb(); /* ensure we see ring contents up to prod */
 for (cons = out_cons; cons != prod; cons++) {
union xenfb_out_event *event = _OUT_RING_REF(page, cons);
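Review bot: The new guard compares against `XENFB_OUT_RING_LEL`, which looks like a typo for `XENFB_OUT_RING_LEN` and would presumably not compile as written. The comparison should also be `>` rather than `>=`: a difference equal to the ring length is a legitimately full ring, and returning early there leaves those events unconsumed, so I would write `if (prod - out_cons > XENFB_OUT_RING_LEN) {`. Because `out_prod` and `out_cons` are read from a page the frontend can write, a short comment above the check, such as `/* indices come from the guest: bound the unsigned distance, not the ordering */`, would record why the test is on `prod - out_cons`. The body of xenfb_handle_events starts and ends outside this hunk.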



[Qemu-devel] [PATCH] hw/dma/xilinx_axidma: remove dead code

2016-01-06 Thread Andrew Jones
stream_desc_show() (and DEBUG_ENET) appear to be unused, as the
function isn't compilable (there are broken PRI format strings).

Signed-off-by: Andrew Jones 
---
 hw/dma/xilinx_axidma.c | 10 --
 1 file changed, 10 deletions(-)

diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
index b1cfa11356a26..f5ebc1f0e0734 100644
--- a/hw/dma/xilinx_axidma.c
+++ b/hw/dma/xilinx_axidma.c
@@ -177,16 +177,6 @@ static inline int streamid_from_addr(hwaddr addr)
 return sid;
 }
 
-#ifdef DEBUG_ENET
-static void stream_desc_show(struct SDesc *d)
-{
-qemu_log("buffer_addr  = " PRIx64 "\n", d->buffer_address);
-qemu_log("nxtdesc  = " PRIx64 "\n", d->nxtdesc);
-qemu_log("control  = %x\n", d->control);
-qemu_log("status   = %x\n", d->status);
-}
-#endif
-
 static void stream_desc_load(struct Stream *s, hwaddr addr)
 {
 struct SDesc *d = >desc;
-- 
2.4.3




Re: [Qemu-devel] [PATCH v8 1/4] hw/ptimer: Fix issues caused by the adjusted timer limit value

2016-01-06 Thread Peter Crosthwaite
On Tue, Jan 05, 2016 at 05:33:26AM +0300, Dmitry Osipenko wrote:
> Multiple issues here related to the timer with a adjusted .limit value:
> 
> 1) ptimer_get_count() returns incorrect counter value for the disabled
> timer after loading the counter with a small value, because adjusted limit
> value is used instead of the original.
> 
> For instance:
> 1) ptimer_stop(t)
> 2) ptimer_set_period(t, 1)
> 3) ptimer_set_limit(t, 0, 1)
> 4) ptimer_get_count(t) <-- would return 1 instead of 0
> 
> 2) ptimer_get_count() might return incorrect value for the timer running
> with a adjusted limit value.
> 
> For instance:
> 1) ptimer_stop(t)
> 2) ptimer_set_period(t, 1)
> 3) ptimer_set_limit(t, 10, 1)
> 4) ptimer_run(t)
> 5) ptimer_get_count(t) <-- might return value > 10
> 
> 3) Neither ptimer_set_period() nor ptimer_set_freq() are adjusting the
> limit value, so it is still possible to make timer timeout value
> arbitrary small.
> 
> For instance:
> 1) ptimer_set_period(t, 1)
> 2) ptimer_set_limit(t, 1, 0)
> 3) ptimer_set_period(t, 1) <-- bypass limit correction
> 
> Fix all of the above issues by adjusting timer period instead of the limit.
> Do the adjust for periodic timer only.
> 
> Signed-off-by: Dmitry Osipenko 
> ---
>  hw/core/ptimer.c | 59 
> ++--
>  1 file changed, 36 insertions(+), 23 deletions(-)
> 
> diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
> index edf077c..035af97 100644
> --- a/hw/core/ptimer.c
> +++ b/hw/core/ptimer.c
> @@ -34,20 +34,39 @@ static void ptimer_trigger(ptimer_state *s)
>  
>  static void ptimer_reload(ptimer_state *s)
>  {
> -if (s->delta == 0) {
> +uint32_t period_frac = s->period_frac;
> +uint64_t period = s->period;
> +uint64_t delta = s->delta;
> +uint64_t limit = s->limit;
> +

Localising these variables is out of scope of the change. I think you can
just use s->foo and if you want to cleanup, it should be a separate
patch.

> +if (delta == 0) {
>  ptimer_trigger(s);
> -s->delta = s->limit;
> +delta = limit;
>  }
> -if (s->delta == 0 || s->period == 0) {
> +if (delta == 0 || period == 0) {
>  fprintf(stderr, "Timer with period zero, disabling\n");
>  s->enabled = 0;
>  return;
>  }
>  
> +/*
> + * Artificially limit timeout rate to something
> + * achievable under QEMU.  Otherwise, QEMU spends all
> + * its time generating timer interrupts, and there
> + * is no forward progress.
> + * About ten microseconds is the fastest that really works
> + * on the current generation of host machines.
> + */
> +
> +if ((s->enabled == 1) && (limit * period < 1)) {
> +period = 1 / limit;
> +period_frac = 0;
> +}
> +

I think it should be ok to just update s->period and s->period_frac ...

>  s->last_event = s->next_event;
> -s->next_event = s->last_event + s->delta * s->period;
> -if (s->period_frac) {
> -s->next_event += ((int64_t)s->period_frac * s->delta) >> 32;
> +s->next_event = s->last_event + delta * period;
> +if (period_frac) {
> +s->next_event += ((int64_t)period_frac * delta) >> 32;
>  }
>  timer_mod(s->timer, s->next_event);
>  }
> @@ -82,6 +101,8 @@ uint64_t ptimer_get_count(ptimer_state *s)
>  uint64_t div;
>  int clz1, clz2;
>  int shift;
> +uint32_t period_frac = s->period_frac;
> +uint64_t period = s->period;
>  
>  /* We need to divide time by period, where time is stored in
> rem (64-bit integer) and period is stored in 
> period/period_frac
> @@ -93,8 +114,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
> backwards.
>  */
>  
> +if ((s->enabled == 1) && (s->limit * period < 1)) {
> +period = 1 / s->limit;
> +period_frac = 0;
> +}
> +

... and then this (and the local variables) become obsolete. Can get_count()
blindly use the period and period_frac as used by ptimer_reload?

>  rem = s->next_event - now;
> -div = s->period;
> +div = period;
>  
>  clz1 = clz64(rem);
>  clz2 = clz64(div);
> @@ -103,13 +129,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
>  rem <<= shift;
>  div <<= shift;
>  if (shift >= 32) {
> -div |= ((uint64_t)s->period_frac << (shift - 32));
> +div |= ((uint64_t)period_frac << (shift - 32));
>  } else {
>  if (shift != 0)
> -div |= (s->period_frac >> (32 - shift));
> +div |= (period_frac >> (32 - shift));
>  /* Look at remaining bits of period_frac and round div up if 
> necessary.  */
> -if 

Re: [Qemu-devel] [Xen-devel] [PATCH v3 02/11] pc: remove has_igd_gfx_passthru global

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann 

Reviewed-by: Stefano Stabellini 


>  hw/xen/xen_pt.h |  5 +++--
>  vl.c| 10 --
>  2 files changed, 3 insertions(+), 12 deletions(-)
> 
> diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h
> index 3749711..cdd73ff 100644
> --- a/hw/xen/xen_pt.h
> +++ b/hw/xen/xen_pt.h
> @@ -4,6 +4,7 @@
>  #include "qemu-common.h"
>  #include "hw/xen/xen_common.h"
>  #include "hw/pci/pci.h"
> +#include "hw/boards.h"
>  #include "xen-host-pci-device.h"
>  
>  void xen_pt_log(const PCIDevice *d, const char *f, ...) GCC_FMT_ATTR(2, 3);
> @@ -322,10 +323,10 @@ extern void *pci_assign_dev_load_option_rom(PCIDevice 
> *dev,
>  unsigned int domain,
>  unsigned int bus, unsigned int 
> slot,
>  unsigned int function);
> -extern bool has_igd_gfx_passthru;
>  static inline bool is_igd_vga_passthrough(XenHostPCIDevice *dev)
>  {
> -return (has_igd_gfx_passthru
> +MachineState *machine = MACHINE(qdev_get_machine());
> +return (machine->igd_gfx_passthru
>  && ((dev->class_code >> 0x8) == PCI_CLASS_DISPLAY_VGA));
>  }
>  int xen_pt_register_vga_regions(XenHostPCIDevice *dev);
> diff --git a/vl.c b/vl.c
> index 5aaea77..d4e51ec 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -1365,13 +1365,6 @@ static inline void semihosting_arg_fallback(const char 
> *file, const char *cmd)
>  }
>  }
>  
> -/* Now we still need this for compatibility with XEN. */
> -bool has_igd_gfx_passthru;
> -static void igd_gfx_passthru(void)
> -{
> -has_igd_gfx_passthru = current_machine->igd_gfx_passthru;
> -}
> -
>  /***/
>  /* USB devices */
>  
> @@ -4550,9 +4543,6 @@ int main(int argc, char **argv, char **envp)
>  exit(1);
>  }
>  
> -/* Check if IGD GFX passthrough. */
> -igd_gfx_passthru();
> -
>  /* init generic devices */
>  if (qemu_opts_foreach(qemu_find_opts("device"),
>device_init_func, NULL, NULL)) {
> -- 
> 1.8.3.1
> 
> 
> 



Re: [Qemu-devel] [PATCH v3 04/11] igd: switch TYPE_IGD_PASSTHROUGH_I440FX_PCI_DEVICE to realize

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann 

Reviewed-by: Stefano Stabellini 


>  hw/pci-host/igd.c | 9 -
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/hw/pci-host/igd.c b/hw/pci-host/igd.c
> index ef0273b..d1eeafb 100644
> --- a/hw/pci-host/igd.c
> +++ b/hw/pci-host/igd.c
> @@ -53,7 +53,7 @@ out:
>  return ret;
>  }
>  
> -static int igd_pt_i440fx_initfn(struct PCIDevice *pci_dev)
> +static void igd_pt_i440fx_realize(PCIDevice *pci_dev, Error **errp)
>  {
>  uint32_t val = 0;
>  int rc, i, num;
> @@ -65,12 +65,11 @@ static int igd_pt_i440fx_initfn(struct PCIDevice *pci_dev)
>  len = igd_host_bridge_infos[i].len;
>  rc = host_pci_config_read(pos, len, val);
>  if (rc) {
> -return -ENODEV;
> +error_setg(errp, "failed to read host config");
> +return;
>  }
>  pci_default_write_config(pci_dev, pos, val, len);
>  }
> -
> -return 0;
>  }
>  
>  static void igd_passthrough_i440fx_class_init(ObjectClass *klass, void *data)
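Review bot: In the loop this hunk keeps, `val` is passed to `host_pci_config_read(pos, len, val)` by value. Unless that helper is a macro, the local stays at its initial 0 and `pci_default_write_config(pci_dev, pos, val, len)` writes zero instead of the host bridge's value; the helper's definition is outside the hunk, so this needs checking against its signature. Separately, the new `error_setg(errp, "failed to read host config")` drops both the failing offset and `rc`. Including them, e.g. `error_setg(errp, "failed to read host config at offset %d: rc=%d", pos, rc);` with specifiers matched to the declared type of `pos`, would make a failed passthrough setup diagnosable. The start of igd_pt_i440fx_realize is in the previous hunk.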
> @@ -78,7 +77,7 @@ static void igd_passthrough_i440fx_class_init(ObjectClass 
> *klass, void *data)
>  DeviceClass *dc = DEVICE_CLASS(klass);
>  PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
>  
> -k->init = igd_pt_i440fx_initfn;
> +k->realize = igd_pt_i440fx_realize;
>  dc->desc = "IGD Passthrough Host bridge";
>  }
>  
> -- 
> 1.8.3.1
> 



Re: [Qemu-devel] [PATCH v8 3/4] hw/ptimer: Update .delta on period/freq change

2016-01-06 Thread Peter Crosthwaite
On Tue, Jan 05, 2016 at 05:33:28AM +0300, Dmitry Osipenko wrote:
> Delta value must be updated on period/freq change, otherwise running timer
> would be restarted (counter reloaded with old delta). Only m68k/mcf520x
> and arm/arm_timer devices are currently doing freq change correctly, i.e.
> stopping the timer. Perform delta update to fix affected devices and
> eliminate potential further mistakes.
> 
> Signed-off-by: Dmitry Osipenko 

Reviewed-by: Peter Crosthwaite 

> ---
>  hw/core/ptimer.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
> index 96a6c7a..8c2dd9f 100644
> --- a/hw/core/ptimer.c
> +++ b/hw/core/ptimer.c
> @@ -207,6 +207,7 @@ void ptimer_stop(ptimer_state *s)
>  /* Set counter increment interval in nanoseconds.  */
>  void ptimer_set_period(ptimer_state *s, int64_t period)
>  {
> +s->delta = ptimer_get_count(s);
>  s->period = period;
>  s->period_frac = 0;
>  if (s->enabled) {
> @@ -218,6 +219,7 @@ void ptimer_set_period(ptimer_state *s, int64_t period)
>  /* Set counter frequency in Hz.  */
>  void ptimer_set_freq(ptimer_state *s, uint32_t freq)
>  {
> +s->delta = ptimer_get_count(s);
>  s->period = 10ll / freq;
>  s->period_frac = (10ll << 32) / freq;
>  if (s->enabled) {
> -- 
> 2.6.4
> 



Re: [Qemu-devel] [PATCH v8 2/4] hw/ptimer: Perform tick and counter wrap around if timer already expired

2016-01-06 Thread Dmitry Osipenko

06.01.2016 15:17, Peter Crosthwaite пишет:

On Tue, Jan 05, 2016 at 05:33:27AM +0300, Dmitry Osipenko wrote:

ptimer_get_count() might be called while QEMU timer already been expired.
In that case ptimer would return counter = 0, which might be undesirable
in case of polled timer. Do counter wrap around for periodic timer to keep
it distributed.

In addition, there is no reason to keep expired timer tick deferred, so
just perform the tick from ptimer_get_count().

Signed-off-by: Dmitry Osipenko 
---
  hw/core/ptimer.c | 35 +--
  1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
index 035af97..96a6c7a 100644
--- a/hw/core/ptimer.c
+++ b/hw/core/ptimer.c
@@ -85,15 +85,21 @@ static void ptimer_tick(void *opaque)

  uint64_t ptimer_get_count(ptimer_state *s)
  {
+int enabled = s->enabled;


Variable localisation not needed.


  int64_t now;
+int64_t next;
  uint64_t counter;
+int expired;
+int oneshot;


Variable defs can be localised to the if (enabled) (even though now
in original code doesn't do that).



Yeah, I just tried to keep original style here.



-if (s->enabled) {
+if (enabled) {
  now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+next = s->next_event;
+expired = (now - next >= 0);
+oneshot = (enabled == 2);
  /* Figure out the current counter value.  */


This comment is now out of place.



Okay, will fix it.


-if (now - s->next_event > 0
-|| s->period == 0) {
-/* Prevent timer underflowing if it should already have
+if (s->period == 0 || (expired && oneshot)) {
+/* Prevent one-shot timer underflowing if it should already have
 triggered.  */
  counter = 0;
  } else {
@@ -114,12 +120,12 @@ uint64_t ptimer_get_count(ptimer_state *s)
 backwards.
  */

-if ((s->enabled == 1) && (s->limit * period < 1)) {
+if (!oneshot && (s->limit * period < 1)) {
  period = 1 / s->limit;
  period_frac = 0;
  }

-rem = s->next_event - now;
+rem = expired ? now - next : next - now;
  div = period;

  clz1 = clz64(rem);
@@ -139,6 +145,23 @@ uint64_t ptimer_get_count(ptimer_state *s)
  div += 1;
  }
  counter = rem / div;
+
+if (expired) {
+/* Wrap around periodic counter.  */
+counter = s->delta = s->limit - counter % s->limit;


Why do you update the delta here?



Because we would want to schedule next tick based on current wrapped around 
counter value and not some arbitrary delta.



Also can you just get ptimer_reload to do the modulo math for you? If the
timer is !oneshot and expired, then you call ptimer_reload anyway,
which will update next_event. When the expired test returns false
you can just reliably use the original logic involving now and next.



Yes, that's what I changed in V9. Have you received it?

https://lists.nongnu.org/archive/html/qemu-devel/2016-01/msg00272.html


+}
+}
+
+if (expired) {
+if (oneshot) {


This if-else has a lot of common structure with the one above. I think
they could be merged.



That's a good suggestion, will do it in V10. Thanks.


Regards,
Peter


+ptimer_tick(s);
+} else {
+/* Don't use ptimer_tick() for the periodic timer since it
+ * would reset the delta value.
+ */
+ptimer_trigger(s);
+ptimer_reload(s);
+}
  }
  } else {
  counter = s->delta;
--
2.6.4




--
Dmitry



Re: [Qemu-devel] [PATCH v3 4/7] bcm2835_peripherals: add rollup device for bcm2835 peripherals

2016-01-06 Thread Peter Crosthwaite
On Tue, Jan 5, 2016 at 10:07 PM, Andrew Baumann
 wrote:
>> From: Alistair Francis [mailto:alistai...@gmail.com]
>> Sent: Tuesday, 5 January 2016 18:14
>> On Thu, Dec 31, 2015 at 4:31 PM, Andrew Baumann
>>  wrote:
>> > This device maintains all the non-CPU peripherals on bcm2835 (Pi1)
>> > which are also present on bcm2836 (Pi2). It also implements the
>> > private address spaces used for DMA and mailboxes.
> [...]
>> > +obj = object_property_get_link(OBJECT(dev), "ram", );
>> > +if (obj == NULL) {
>> > +error_setg(errp, "%s: required ram link not found: %s",
>> > +   __func__, error_get_pretty(err));
>> > +return;
>> > +}
>>
>> I only had a quick read of this patch, but this RAM linking looks fine
>> to me. Out of curiosity is there a reason you use
>> object_property_get_link() instead of object_property_add_link() in
>> the init?
>

The const link system removes the need for the object to have storage
for the link pointer in state. This means you don't need the state
field or add_link(), but the only way to get the pointer for your own
use is to get_link() on yourself. This is slightly simpler but has the
disadvantage that you cannot unlink and then relink something else (I
think?).

I don't have an opinion over which way is more correct so both are
fine for me but if the QOM people have a preferred style we should
probably make the two patches consistent.

Regards,
Peter

> I'm not sure I understand your question... it wouldn't work the other way. I 
> allocate the ram and add the link using object_property_add_const_link() in 
> hw/arm/raspi.c. This file needs to consume the ram to setup alias mappings, 
> so it is using get_link(). (Note there's also level of indirection; raspi 
> creates bcm2836, which does nothing but get the link set by its parent and 
> add it to its bcm2835_peripherals child.)
>
> I suppose I could do it the other way around (allocate and set link in 
> bcm2835_peripherals, based on a size passed from the board), but it seemed 
> more logical to treat the RAM as created/owned of the board rather than the 
> SoC.
>
> Cheers,
> Andrew



Re: [Qemu-devel] [PATCH v8 1/4] hw/ptimer: Fix issues caused by the adjusted timer limit value

2016-01-06 Thread Peter Crosthwaite
On Wed, Jan 6, 2016 at 5:25 AM, Dmitry Osipenko  wrote:
> 06.01.2016 15:15, Peter Crosthwaite пишет:
>>>
>>> diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
>>> index edf077c..035af97 100644
>>> --- a/hw/core/ptimer.c
>>> +++ b/hw/core/ptimer.c
>>> @@ -34,20 +34,39 @@ static void ptimer_trigger(ptimer_state *s)
>>>
>>>   static void ptimer_reload(ptimer_state *s)
>>>   {
>>> -if (s->delta == 0) {
>>> +uint32_t period_frac = s->period_frac;
>>> +uint64_t period = s->period;
>>> +uint64_t delta = s->delta;
>>> +uint64_t limit = s->limit;
>>> +
>>
>>
>> Localising these variables is out of scope of the change. I think you can
>> just use s->foo and if you want to cleanup, it should be a separate
>> patch.
>>
>
> Okay
>
>>> +if (delta == 0) {
>>>   ptimer_trigger(s);
>>> -s->delta = s->limit;
>>> +delta = limit;
>>>   }
>>> -if (s->delta == 0 || s->period == 0) {
>>> +if (delta == 0 || period == 0) {
>>>   fprintf(stderr, "Timer with period zero, disabling\n");
>>>   s->enabled = 0;
>>>   return;
>>>   }
>>>
>>> +/*
>>> + * Artificially limit timeout rate to something
>>> + * achievable under QEMU.  Otherwise, QEMU spends all
>>> + * its time generating timer interrupts, and there
>>> + * is no forward progress.
>>> + * About ten microseconds is the fastest that really works
>>> + * on the current generation of host machines.
>>> + */
>>> +
>>> +if ((s->enabled == 1) && (limit * period < 1)) {
>>> +period = 1 / limit;
>>> +period_frac = 0;
>>> +}
>>> +
>>
>>
>> I think it should be ok to just update s->period and s->period_frac ...
>>
>
> No, then it would be irreversibly lost. What if'd decide to change the limit
> to some large value?
>

Ok makes sense.

>
>>>   s->last_event = s->next_event;
>>> -s->next_event = s->last_event + s->delta * s->period;
>>> -if (s->period_frac) {
>>> -s->next_event += ((int64_t)s->period_frac * s->delta) >> 32;
>>> +s->next_event = s->last_event + delta * period;
>>> +if (period_frac) {
>>> +s->next_event += ((int64_t)period_frac * delta) >> 32;
>>>   }
>>>   timer_mod(s->timer, s->next_event);
>>>   }
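Review bot: `period = 1 / limit;` in the new rate-limit block of ptimer_reload() divides by `limit` without checking it, while the guard above only rejects `delta == 0` and `period == 0`. If a caller can leave `s->limit` at zero while `s->delta` is non-zero (the setters are outside this hunk, so this needs confirming), `limit * period` is 0, the condition holds and the division is by zero. The same block is repeated with `s->limit` in the ptimer_get_count() hunk further down. Adding `limit != 0 &&` to the condition, or basing the clamp on `delta`, which is known to be non-zero at this point, avoids it; the numeric threshold looks truncated on this page, so it is not assessed here.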
>>> @@ -82,6 +101,8 @@ uint64_t ptimer_get_count(ptimer_state *s)
>>>   uint64_t div;
>>>   int clz1, clz2;
>>>   int shift;
>>> +uint32_t period_frac = s->period_frac;
>>> +uint64_t period = s->period;
>>>
>>>   /* We need to divide time by period, where time is stored
>>> in
>>>  rem (64-bit integer) and period is stored in
>>> period/period_frac
>>> @@ -93,8 +114,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
>>>  backwards.
>>>   */
>>>
>>> +if ((s->enabled == 1) && (s->limit * period < 1)) {
>>> +period = 1 / s->limit;
>>> +period_frac = 0;
>>> +}
>>> +

As this now needs to be kept, another note I had is it should probably
go before the block comment as the comment relates specifically to the
math below.

Regards,
Peter

>>
>>
>> ... and then this (and the local variables) become obsolete. Can
>> get_count()
>> blindly use the period and period_frac as used by ptimer_reload?
>>
>>>   rem = s->next_event - now;
>>> -div = s->period;
>>> +div = period;
>>>
>>>   clz1 = clz64(rem);
>>>   clz2 = clz64(div);
>>> @@ -103,13 +129,13 @@ uint64_t ptimer_get_count(ptimer_state *s)
>>>   rem <<= shift;
>>>   div <<= shift;
>>>   if (shift >= 32) {
>>> -div |= ((uint64_t)s->period_frac << (shift - 32));
>>> +div |= ((uint64_t)period_frac << (shift - 32));
>>>   } else {
>>>   if (shift != 0)
>>> -div |= (s->period_frac >> (32 - shift));
>>> +div |= (period_frac >> (32 - shift));
>>>   /* Look at remaining bits of period_frac and round div
>>> up if
>>>  necessary.  */
>>> -if ((uint32_t)(s->period_frac << shift))
>>> +if ((uint32_t)(period_frac << shift))
>>>   div += 1;
>>>   }
>>>   counter = rem / div;
>>> @@ -181,19 +207,6 @@ void ptimer_set_freq(ptimer_state *s, uint32_t freq)
>>>  count = limit.  */
>>>   void ptimer_set_limit(ptimer_state *s, uint64_t limit, int reload)
>>>   {
>>> -/*
>>> - * Artificially limit timeout rate to something
>>> - * achievable under QEMU.  Otherwise, QEMU spends all
>>> - * its time generating timer interrupts, and there
>>> - * is no forward progress.
>>> - * About ten microseconds is the fastest that really works
>>> - * on the current generation of host machines.
>>> - */
>>> -
>>> -if (!use_icount && limit * 

[Qemu-devel] [PATCH] SPARC ebus: QOMify

2016-01-06 Thread Cao jin
Signed-off-by: Cao jin 
---
 hw/sparc64/sun4u.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/sparc64/sun4u.c b/hw/sparc64/sun4u.c
index d6b929c..07f74fe 100644
--- a/hw/sparc64/sun4u.c
+++ b/hw/sparc64/sun4u.c
@@ -98,6 +98,10 @@ typedef struct EbusState {
 MemoryRegion bar1;
 } EbusState;
 
+#define TYPE_EBUS_BRIDGE "ebus"
+#define EBUS_PCI_BRIDGE(obj) \
+OBJECT_CHECK(EbusState, (obj), TYPE_EBUS_BRIDGE)
+
 int DMA_get_channel_mode (int nchan)
 {
 return 0;
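Review bot: `EBUS_PCI_BRIDGE()` is added here but nothing in this patch uses it: the diffstat's six insertions are the four macro lines plus the two `TYPE_EBUS_BRIDGE` substitutions in the later hunks. Either convert whatever casts to `EbusState` the file still performs (not visible in these hunks) in the same patch, or leave the macro out until it has a user. The cast macro's name also does not follow the type macro; `TYPE_EBUS_BRIDGE` would normally be paired with `EBUS_BRIDGE(obj)`. A short commit message body saying what "QOMify" covers here would help reviewers.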
@@ -586,7 +590,7 @@ pci_ebus_init(PCIBus *bus, int devfn, qemu_irq *irqs)
 PCIDevice *pci_dev;
 ISABus *isa_bus;
 
-pci_dev = pci_create_simple(bus, devfn, "ebus");
+pci_dev = pci_create_simple(bus, devfn, TYPE_EBUS_BRIDGE);
 isa_bus = ISA_BUS(qdev_get_child_bus(DEVICE(pci_dev), "isa.0"));
 isa_irq = qemu_allocate_irqs(isa_irq_handler, irqs, 16);
 isa_bus_irqs(isa_bus, isa_irq);
@@ -629,7 +633,7 @@ static void ebus_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo ebus_info = {
-.name  = "ebus",
+.name  = TYPE_EBUS_BRIDGE,
 .parent= TYPE_PCI_DEVICE,
 .instance_size = sizeof(EbusState),
 .class_init= ebus_class_init,
-- 
2.1.0






Re: [Qemu-devel] [PATCH v8 2/4] hw/ptimer: Perform tick and counter wrap around if timer already expired

2016-01-06 Thread Peter Crosthwaite
On Wed, Jan 6, 2016 at 5:12 AM, Dmitry Osipenko  wrote:
> 06.01.2016 15:17, Peter Crosthwaite пишет:
>
>> On Tue, Jan 05, 2016 at 05:33:27AM +0300, Dmitry Osipenko wrote:
>>>
>>> ptimer_get_count() might be called while QEMU timer already been expired.
>>> In that case ptimer would return counter = 0, which might be undesirable
>>> in case of polled timer. Do counter wrap around for periodic timer to
>>> keep
>>> it distributed.
>>>
>>> In addition, there is no reason to keep expired timer tick deferred, so
>>> just perform the tick from ptimer_get_count().
>>>
>>> Signed-off-by: Dmitry Osipenko 
>>> ---
>>>   hw/core/ptimer.c | 35 +--
>>>   1 file changed, 29 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/hw/core/ptimer.c b/hw/core/ptimer.c
>>> index 035af97..96a6c7a 100644
>>> --- a/hw/core/ptimer.c
>>> +++ b/hw/core/ptimer.c
>>> @@ -85,15 +85,21 @@ static void ptimer_tick(void *opaque)
>>>
>>>   uint64_t ptimer_get_count(ptimer_state *s)
>>>   {
>>> +int enabled = s->enabled;
>>
>>
>> Variable localisation not needed.
>>
>>>   int64_t now;
>>> +int64_t next;
>>>   uint64_t counter;
>>> +int expired;
>>> +int oneshot;
>>
>>
>> Variable defs can be localised to the if (enabled) (even though now
>> in original code doesn't do that).
>>
>
> Yeah, I just tried to keep original style here.
>
>>>
>>> -if (s->enabled) {
>>> +if (enabled) {
>>>   now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
>>> +next = s->next_event;
>>> +expired = (now - next >= 0);
>>> +oneshot = (enabled == 2);
>>>   /* Figure out the current counter value.  */
>>
>>
>> This comment is now out of place.
>>
>
> Okay, will fix it.
>
>
>>> -if (now - s->next_event > 0
>>> -|| s->period == 0) {
>>> -/* Prevent timer underflowing if it should already have
>>> +if (s->period == 0 || (expired && oneshot)) {
>>> +/* Prevent one-shot timer underflowing if it should already
>>> have
>>>  triggered.  */
>>>   counter = 0;
>>>   } else {
>>> @@ -114,12 +120,12 @@ uint64_t ptimer_get_count(ptimer_state *s)
>>>  backwards.
>>>   */
>>>
>>> -if ((s->enabled == 1) && (s->limit * period < 1)) {
>>> +if (!oneshot && (s->limit * period < 1)) {
>>>   period = 1 / s->limit;
>>>   period_frac = 0;
>>>   }
>>>
>>> -rem = s->next_event - now;
>>> +rem = expired ? now - next : next - now;
>>>   div = period;
>>>
>>>   clz1 = clz64(rem);
>>> @@ -139,6 +145,23 @@ uint64_t ptimer_get_count(ptimer_state *s)
>>>   div += 1;
>>>   }
>>>   counter = rem / div;
>>> +
>>> +if (expired) {
>>> +/* Wrap around periodic counter.  */
>>> +counter = s->delta = s->limit - counter % s->limit;
>>
>>
>> Why do you update the delta here?
>>
>
> Because we would want to schedule next tick based on current wrapped around
> counter value and not some arbitrary delta.
>

So looking at ptimer_reload(), the new schedule is done relative to
the VM clock of the when the tick was expected to hit, not the current
time. But this new delta is going to be relative to the now time and
then used to update the next tick which will happen relative to
next_event. Unless you stop or scale the timer, I don't think you need
to do delta manipulation?

>> Also can you just get ptimer_reload to do the modulo math for you? If the
>> timer is !oneshot and expired, then you call ptimer_reload anyway,
>> which will update next_event. When the expired test returns false
>> you can just reliably use the original logic involving now and next.
>>
>
> Yes, that's what I changed in V9. Have you received it?
>
> https://lists.nongnu.org/archive/html/qemu-devel/2016-01/msg00272.html
>

Just had a look.

V9 still has the modulo I think?:

+if (expired && (counter != 0)) {
+/* Wrap around periodic counter.  */
+counter = s->delta = s->limit - counter % s->limit;
+}

Regards,
Peter

>>> +}
>>> +}
>>> +
>>> +if (expired) {
>>> +if (oneshot) {
>>
>>
>> This if-else has a lot of common structure with the one above. I think
>> they could be merged.
>>
>
> That's a good suggestion, will do it in V10. Thanks.
>
>
>> Regards,
>> Peter
>>
>>> +ptimer_tick(s);
>>> +} else {
>>> +/* Don't use ptimer_tick() for the periodic timer since
>>> it
>>> + * would reset the delta value.
>>> + */
>>> +ptimer_trigger(s);
>>> +ptimer_reload(s);
>>> +}
>>>   }
>>>   } else {
>>>   counter = s->delta;
>>> --
>>> 2.6.4
>>>
>
>
> --
> Dmitry



Re: [Qemu-devel] [Xen-devel] [PATCH v4] igd-passthrough-i440FX: convert to realize()

2016-01-06 Thread Lars Kurth
Hi folks,
let me introduce you to Xudong from Intel, who is willing to help out.
Best Regards
Lars

> On 4 Jan 2016, at 15:41, Stefano Stabellini 
>  wrote:
> 
> On Mon, 4 Jan 2016, Lars Kurth wrote:
>> On 04/01/2016 14:47, "Stefano Stabellini"
>>  wrote:
>> 
>>> Unfortunately I don't have a setup to test this either. Maybe Lars can
>>> find out who should be involved on the Intel side on this.
>> 
>> I can certainly help to this and get back to you. What exactly are we
>> asking Intel to do?
>> It is not clear to me from this email thread
> 
> Tiejun Chen, the author of the Intel graphic card passthrough patches
> for QEMU, seems to have left the company. It would be nice if somebody
> else tested this patch with an intel graphic card assigned to a guest
> VM.
> 
> ___
> Xen-devel mailing list
> xen-de...@lists.xen.org
> http://lists.xen.org/xen-devel




[Qemu-devel] What's the advantages of POSTCOPY over CPU-THROTTLE?

2016-01-06 Thread Zhangbo (Oscar)
Hi all:
  Postcopy is suitable for migrating guests which have large page change rates. 
It 
1 makes the guest run at the destination ASAP.
2 makes the downtime of the guest small enough.
If we don't take the 1st advantage into account, then, its benefit seems 
similar with CPU-THROTTLE: both of them make the guest's downtime small during 
migration.
 
CPU-THROTTLE would make the guest's dirtypage rate *smaller than the 
network bandwidth*, in order to make the to_send_page_number in each iteration 
convergent and achieve the small-enough downtime during the last iteration.
If we adopt POST-COPY here, the guest's dirtypage rate would *become equal 
to the bandwidth*, because we have to fetch its memory from the source side, 
via the network.
Both of them would introduce performance degradations of the guest, which 
may in turn cause downtime larger.

So, here comes the question: If we just compare POSTCOPY with CPU-THROTTLE 
for their advantages in decreasing downtime, POSTCOPY seems to have no pros over 
CPU-THROTTLE, is that right?

Meanwhile, are there any other benefits of POSTCOPY besides the 2 mentioned 
above?

Oscar





Re: [Qemu-devel] [Xen-devel] [PATCH v4] igd-passthrough-i440FX: convert to realize()

2016-01-06 Thread Stefano Stabellini
Hello Xudong,

please test this patch:

http://marc.info/?l=qemu-devel=145137863501079

with an intel graphic card assigned to a Xen guest. If everything still
works as expected, please reply with your Tested-by.

Thanks,

Stefano

On Wed, 6 Jan 2016, Lars Kurth wrote:
> Hi folks,
> let me introduce you to Xudong from Intel, who is willing to help out.
> Best Regards
> Lars
> 
> > On 4 Jan 2016, at 15:41, Stefano Stabellini 
> >  wrote:
> > 
> > On Mon, 4 Jan 2016, Lars Kurth wrote:
> >> On 04/01/2016 14:47, "Stefano Stabellini"
> >>  wrote:
> >> 
> >>> Unfortunately I don't have a setup to test this either. Maybe Lars can
> >>> find out who should be involved on the Intel side on this.
> >> 
> >> I can certainly help to this and get back to you. What exactly are we
> >> asking Intel to do?
> >> It is not clear to me from this email thread
> > 
> > Tiejun Chen, the author of the Intel graphic card passthrough patches
> > for QEMU, seems to have left the company. It would be nice if somebody
> > else tested this patch with an intel graphic card assigned to a guest
> > VM.
> > 
> > ___
> > Xen-devel mailing list
> > xen-de...@lists.xen.org
> > http://lists.xen.org/xen-devel
> 



Re: [Qemu-devel] [PATCH v8 4/4] arm_mptimer: Convert to use ptimer

2016-01-06 Thread Peter Crosthwaite
On Tue, Jan 05, 2016 at 05:33:29AM +0300, Dmitry Osipenko wrote:
> Current ARM MPTimer implementation uses QEMUTimer for the actual timer,
> this implementation isn't complete and mostly tries to duplicate of what
> generic ptimer is already doing fine.
> 
> Conversion to ptimer brings the following benefits and fixes:
>   - Simple timer pausing implementation
>   - Fixes counter value preservation after stopping the timer
>   - Code simplification and reduction
> 
> Bump VMSD to version 3, since VMState is changed and is not compatible
> with the previous implementation.
> 
> Signed-off-by: Dmitry Osipenko 
> ---
>  hw/timer/arm_mptimer.c | 110 
> ++---
>  include/hw/timer/arm_mptimer.h |   4 +-
>  2 files changed, 49 insertions(+), 65 deletions(-)
> 
> diff --git a/hw/timer/arm_mptimer.c b/hw/timer/arm_mptimer.c
> index 3e59c2a..c06da5e 100644
> --- a/hw/timer/arm_mptimer.c
> +++ b/hw/timer/arm_mptimer.c
> @@ -19,8 +19,9 @@
>   * with this program; if not, see .
>   */
>  
> +#include "hw/ptimer.h"
>  #include "hw/timer/arm_mptimer.h"
> -#include "qemu/timer.h"
> +#include "qemu/main-loop.h"
>  #include "qom/cpu.h"
>  
>  /* This device implements the per-cpu private timer and watchdog block
> @@ -47,28 +48,10 @@ static inline uint32_t timerblock_scale(TimerBlock *tb)
>  return (((tb->control >> 8) & 0xff) + 1) * 10;
>  }
>  
> -static void timerblock_reload(TimerBlock *tb, int restart)
> -{
> -if (tb->count == 0) {
> -return;
> -}
> -if (restart) {
> -tb->tick = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
> -}
> -tb->tick += (int64_t)tb->count * timerblock_scale(tb);
> -timer_mod(tb->timer, tb->tick);
> -}
> -
>  static void timerblock_tick(void *opaque)
>  {
>  TimerBlock *tb = (TimerBlock *)opaque;
>  tb->status = 1;
> -if (tb->control & 2) {
> -tb->count = tb->load;
> -timerblock_reload(tb, 0);
> -} else {
> -tb->count = 0;
> -}
>  timerblock_update_irq(tb);
>  }
>  
> @@ -76,21 +59,11 @@ static uint64_t timerblock_read(void *opaque, hwaddr addr,
>  unsigned size)
>  {
>  TimerBlock *tb = (TimerBlock *)opaque;
> -int64_t val;
>  switch (addr) {
>  case 0: /* Load */
>  return tb->load;
>  case 4: /* Counter.  */
> -if (((tb->control & 1) == 0) || (tb->count == 0)) {
> -return 0;
> -}
> -/* Slow and ugly, but hopefully won't happen too often.  */
> -val = tb->tick - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
> -val /= timerblock_scale(tb);
> -if (val < 0) {
> -val = 0;
> -}
> -return val;
> +return ptimer_get_count(tb->timer);
>  case 8: /* Control.  */
>  return tb->control;
>  case 12: /* Interrupt status.  */
> @@ -100,6 +73,19 @@ static uint64_t timerblock_read(void *opaque, hwaddr addr,
>  }
>  }
>  
> +static void timerblock_run(TimerBlock *tb, uint64_t count, int set_count)
> +{
> +if (set_count) {
> +if (((tb->control & 3) == 3) && (count == 0)) {

Parentheses around == expressions should not be needed.

> +count = tb->load;
> +}
> +ptimer_set_count(tb->timer, count);
> +}
> +if ((tb->control & 1) && (count != 0)) {

This can check against tb->load instead of count to avoid dummy
pass of tb->load to this fn ...

> +ptimer_run(tb->timer, !(tb->control & 2));
> +}
> +}
> +
>  static void timerblock_write(void *opaque, hwaddr addr,
>   uint64_t value, unsigned size)
>  {
> @@ -108,32 +94,34 @@ static void timerblock_write(void *opaque, hwaddr addr,
>  switch (addr) {
>  case 0: /* Load */
>  tb->load = value;
> -/* Fall through.  */
> -case 4: /* Counter.  */
> -if ((tb->control & 1) && tb->count) {
> -/* Cancel the previous timer.  */
> -timer_del(tb->timer);
> +/* Setting load to 0 stops the timer.  */
> +if (tb->load == 0) {
> +ptimer_stop(tb->timer);
>  }
> -tb->count = value;
> -if (tb->control & 1) {
> -timerblock_reload(tb, 1);
> +ptimer_set_limit(tb->timer, tb->load, 1);
> +timerblock_run(tb, tb->load, 0);
> +break;
> +case 4: /* Counter.  */
> +/* Setting counter to 0 stops the one-shot timer.  */
> +if (!(tb->control & 2) && (value == 0)) {
> +ptimer_stop(tb->timer);
>  }
> +timerblock_run(tb, value, 1);

... then this would just need to be elsed.

>  break;
>  case 8: /* Control.  */
>  old = tb->control;
>  tb->control = value;
> -if (value & 1) {
> -if ((old & 1) && (tb->count != 0)) {
> -/* Do nothing if timer is ticking right now.  */
> -break;
> -}
> -

Re: [Qemu-devel] [PATCH 1/2] create ga_run_program() helper for guest-set-user-password

2016-01-06 Thread Denis V. Lunev

On 01/06/2016 03:01 PM, Denis V. Lunev wrote:

From: Yuriy Pudgorodskiy 

This helper properly starts chpasswd and collects stdout/stderr of this
program to report it as error to the caller.

The code will be reused later to run useradd in addition to chpasswd.

This code is made specifically for Linux and is inside ifdef Linux braces.

Signed-off-by: Yuri Pudgorodskiy 
Signed-off-by: Denis V. Lunev 
CC: Eric Blake 
CC: Michael Roth 
---
  qga/commands-posix.c | 201 ---
  1 file changed, 141 insertions(+), 60 deletions(-)

diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index 8fe708f..53e8d3b 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -75,6 +75,28 @@ static void ga_wait_child(pid_t pid, int *status, Error 
**errp)
  g_assert(rpid == pid);
  }
  
+static void ga_pipe_read_str(int fd[2], char **str, size_t *len)

+{
+ssize_t n;
+char buf[1024];
+close(fd[1]);
+fd[1] = -1;
+while ((n = read(fd[0], buf, sizeof(buf))) != 0) {
+if (n < 0) {
+if (errno == EINTR) {
+continue;
+} else {
+break;
+}
+}
+*str = g_realloc(*str, *len + n);
+memcpy(*str + *len, buf, n);
+*len += n;
+}
+close(fd[0]);
+fd[0] = -1;
+}
+
  void qmp_guest_shutdown(bool has_mode, const char *mode, Error **errp)
  {
  const char *shutdown_flag;
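Review bot: ga_pipe_read_str() never NUL-terminates the buffer it builds: each chunk is appended with `memcpy(*str + *len, buf, n)` into an allocation of exactly `*len + n` bytes. ga_run_program() in the next hunk passes that buffer to `error_setg()` under a `%s` conversion, so the formatter reads past the end of the heap block and adjacent heap contents can end up in the error text returned to the QMP client. Allocate one extra byte and terminate after every append: `*str = g_realloc(*str, *len + n + 1);` and, after `*len += n;`, `(*str)[*len] = '\0';`. The loop also keeps growing the buffer for as long as the child writes, so a cap on `*len` is worth adding, and a read error other than EINTR is currently dropped without being reported.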
@@ -1952,20 +1974,128 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorList 
*vcpus, Error **errp)
  return processed;
  }
  
+/* Helper to run command with input/output redirection,

+ * sending string to stdin and taking error message from
+ * stdout/err
+ */
+static void ga_run_program(const char *argv[],
+   const char *in_str,
+   const char *action, Error **errp)
+{
+pid_t pid;
+int status;
+int infd[2] = { -1, -1 };
+int outfd[2] = { -1, -1 };
+char *str = NULL;
+size_t len = 0;
+
+if (in_str) {
+if (pipe(infd) < 0) {
+error_setg(errp, "cannot create pipe FDs");
+goto out;
+}
+}
+
+if (pipe(outfd) < 0) {
+error_setg(errp, "cannot create pipe FDs");
+goto out;
+}
+
+pid = fork();
+if (pid == 0) {
+/* child */
+setsid();
+if (in_str) {
+/* redirect stdin to infd */
+close(infd[1]);
+dup2(infd[0], 0);
+close(infd[0]);
+} else {
+reopen_fd_to_null(0);
+}
+
+/* redirect stdout/stderr to outfd */
+close(outfd[0]);
+dup2(outfd[1], 1);
+dup2(outfd[1], 2);
+close(outfd[1]);
+
+execve(argv[0], (char *const *)argv, environ);
+_exit(EXIT_FAILURE);
+} else if (pid < 0) {
+error_setg_errno(errp, errno, "failed to create child process");
+goto out;
+}
+
+if (in_str) {
+close(infd[0]);
+infd[0] = -1;
+if (qemu_write_full(infd[1],
+in_str, strlen(in_str)) != strlen(in_str)) {
+error_setg_errno(errp, errno,
+"%s: cannot write to stdin pipe", action);
+goto out;
+}
+close(infd[1]);
+infd[1] = -1;
+}
+
+
+ga_pipe_read_str(outfd, , );
+
+ga_wait_child(pid, , errp);
+if (*errp) {
+goto out;
+}
+
+if (!WIFEXITED(status)) {
+if (len) {
+error_setg(errp, "child process has terminated abnormally: "
+"%s", str);
+} else {
+error_setg(errp, "child process has terminated abnormally");
+}
+goto out;
+}
+
+if (WEXITSTATUS(status)) {
+if (len) {
+error_setg(errp, "child process has failed to %s: %s",
+action, str);
+} else {
+error_setg(errp, "child process has failed to %s: exit status %d",
+action, WEXITSTATUS(status));
+}
+goto out;
+}
+
+out:
+g_free(str);
+
+if (infd[0] != -1) {
+close(infd[0]);
+}
+if (infd[1] != -1) {
+close(infd[1]);
+}
+if (outfd[0] != -1) {
+close(outfd[0]);
+}
+if (outfd[1] != -1) {
+close(outfd[1]);
+}
+}
+
  void qmp_guest_set_user_password(const char *username,
   const char *password,
   bool crypted,
   Error **errp)
  {
-Error *local_err = NULL;
  char *passwd_path = NULL;
-pid_t pid;
-int status;
-int datafd[2] = { -1, -1 };
  char *rawpasswddata = NULL;
  size_t rawpasswdlen;
  char *chpasswddata = NULL;
-size_t chpasswdlen;
+const char *chpasswd_argv[] = { NULL /*path*/, "chpasswd", "-e", NULL };
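Review bot: When `qemu_write_full()` fails in ga_run_program(), the `goto out` skips `ga_wait_child()`, so the forked child is never reaped and stays behind as a zombie of the guest agent; the `out:` label only frees `str` and closes descriptors. Close `infd[1]` and wait for the child on that path before leaving. Separately, `if (*errp)` dereferences the caller's pointer, which breaks if any caller passes NULL; the `Error *local_err` that this hunk removes from qmp_guest_set_user_password(), followed by `error_propagate(errp, local_err)`, is the pattern to keep. Writing all of `in_str` before the first read from `outfd` can also stall if the child fills its output pipe first, which matters once inputs larger than a single chpasswd line go through this helper. The hunk is cut off on this page after the `chpasswd_argv` declaration, so the rewritten caller is not reviewed.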
  
  

[Qemu-devel] [PATCH 2/2] migration/virtio: Remove simple .get/.put use

2016-01-06 Thread Dr. David Alan Gilbert (git)
From: "Dr. David Alan Gilbert" 

The 'virtqueue_state' and 'ringsize' can be saved using VMSTATE
macros rather than hand coded .get/.put

Signed-off-by: Dr. David Alan Gilbert 
---
 hw/virtio/virtio.c | 87 --
 1 file changed, 19 insertions(+), 68 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 1edef59..28300cd 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1126,33 +1126,15 @@ static bool virtio_extra_state_needed(void *opaque)
 k->has_extra_state(qbus->parent);
 }
 
-static void put_virtqueue_state(QEMUFile *f, void *pv, size_t size)
-{
-VirtIODevice *vdev = pv;
-int i;
-
-for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-qemu_put_be64(f, vdev->vq[i].vring.avail);
-qemu_put_be64(f, vdev->vq[i].vring.used);
-}
-}
-
-static int get_virtqueue_state(QEMUFile *f, void *pv, size_t size)
-{
-VirtIODevice *vdev = pv;
-int i;
-
-for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-vdev->vq[i].vring.avail = qemu_get_be64(f);
-vdev->vq[i].vring.used = qemu_get_be64(f);
-}
-return 0;
-}
-
-static VMStateInfo vmstate_info_virtqueue = {
+static const VMStateDescription vmstate_virtqueue = {
 .name = "virtqueue_state",
-.get = get_virtqueue_state,
-.put = put_virtqueue_state,
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(vring.avail, struct VirtQueue),
+VMSTATE_UINT64(vring.used, struct VirtQueue),
+VMSTATE_END_OF_LIST()
+}
 };
 
 static const VMStateDescription vmstate_virtio_virtqueues = {
@@ -1161,44 +1143,20 @@ static const VMStateDescription 
vmstate_virtio_virtqueues = {
 .minimum_version_id = 1,
 .needed = _virtqueue_needed,
 .fields = (VMStateField[]) {
-{
-.name = "virtqueues",
-.version_id   = 0,
-.field_exists = NULL,
-.size = 0,
-.info = _info_virtqueue,
-.flags= VMS_SINGLE,
-.offset   = 0,
-},
+VMSTATE_STRUCT_VARRAY_KNOWN(vq, struct VirtIODevice, VIRTIO_QUEUE_MAX,
+  0, vmstate_virtqueue, VirtQueue),
 VMSTATE_END_OF_LIST()
 }
 };
 
-static void put_ringsize_state(QEMUFile *f, void *pv, size_t size)
-{
-VirtIODevice *vdev = pv;
-int i;
-
-for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-qemu_put_be32(f, vdev->vq[i].vring.num_default);
-}
-}
-
-static int get_ringsize_state(QEMUFile *f, void *pv, size_t size)
-{
-VirtIODevice *vdev = pv;
-int i;
-
-for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
-vdev->vq[i].vring.num_default = qemu_get_be32(f);
-}
-return 0;
-}
-
-static VMStateInfo vmstate_info_ringsize = {
+static const VMStateDescription vmstate_ringsize = {
 .name = "ringsize_state",
-.get = get_ringsize_state,
-.put = put_ringsize_state,
+.version_id = 1,
+.minimum_version_id = 1,
+.fields = (VMStateField[]) {
+VMSTATE_UINT32(vring.num_default, struct VirtQueue),
+VMSTATE_END_OF_LIST()
+}
 };
 
 static const VMStateDescription vmstate_virtio_ringsize = {
@@ -1207,15 +1165,8 @@ static const VMStateDescription vmstate_virtio_ringsize 
= {
 .minimum_version_id = 1,
 .needed = _ringsize_needed,
 .fields = (VMStateField[]) {
-{
-.name = "ringsize",
-.version_id   = 0,
-.field_exists = NULL,
-.size = 0,
-.info = _info_ringsize,
-.flags= VMS_SINGLE,
-.offset   = 0,
-},
+VMSTATE_STRUCT_VARRAY_KNOWN(vq, struct VirtIODevice, VIRTIO_QUEUE_MAX,
+  0, vmstate_ringsize, VirtQueue),
 VMSTATE_END_OF_LIST()
 }
 };
-- 
2.5.0




[Qemu-devel] [PATCH 1/2] Add VMSTATE_STRUCT_VARRAY_KNOWN

2016-01-06 Thread Dr. David Alan Gilbert (git)
From: "Dr. David Alan Gilbert" 

At the moment we have VMSTATE_STRUCT_ARRAY that requires
the field is declared as an array of fixed size.
We also have VMSTATE_STRUCT_VARRAY_UINT* that allows
a field declared as a pointer, but requires that the length
is a field member in the structure being loaded/saved.

VMSTATE_STRUCT_VARRAY_KNOWN is for arrays defined as pointers
yet we somehow know the length of.

Signed-off-by: Dr. David Alan Gilbert 
---
 include/migration/vmstate.h | 13 +
 1 file changed, 13 insertions(+)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 7267e38..97d44d3 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -374,6 +374,19 @@ extern const VMStateInfo vmstate_info_bitmap;
 .offset   = vmstate_offset_array(_state, _field, _type, _num),\
 }
 
+/* a variable length array (i.e. _type *_field) but we know the
+ * length
+ */
+#define VMSTATE_STRUCT_VARRAY_KNOWN(_field, _state, _num, _version, _vmsd, 
_type) { \
+.name   = (stringify(_field)),   \
+.num  = (_num),  \
+.version_id = (_version),\
+.vmsd   = &(_vmsd),  \
+.size   = sizeof(_type), \
+.flags  = VMS_STRUCT|VMS_ARRAY,  \
+.offset = offsetof(_state, _field),  \
+}
+
 #define VMSTATE_STRUCT_VARRAY_UINT8(_field, _state, _field_num, _version, 
_vmsd, _type) { \
 .name   = (stringify(_field)),   \
 .num_offset = vmstate_offset_value(_state, _field_num, uint8_t), \
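Review bot: `VMSTATE_STRUCT_VARRAY_KNOWN` is documented for a `_type *_field` member but sets `.flags = VMS_STRUCT|VMS_ARRAY` without `VMS_POINTER`. As far as I can tell the vmstate load/save code only dereferences the member when `VMS_POINTER` is set; without it the array is taken to start at `offsetof(_state, _field)` itself, so `_num * sizeof(_type)` bytes would be read from and written over the containing structure instead of the pointed-to array. That matters for the two users in hw/virtio/virtio.c (`vq` in `struct VirtIODevice`, `VIRTIO_QUEUE_MAX` elements), where the bytes come from an incoming migration stream. I would use `.flags = VMS_STRUCT|VMS_POINTER|VMS_ARRAY,` and compute the offset with `vmstate_offset_pointer(_state, _field, _type)` so that a non-pointer field fails at compile time.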
-- 
2.5.0




Re: [Qemu-devel] How to reserve guest physical region for ACPI

2016-01-06 Thread Igor Mammedov
On Tue, 5 Jan 2016 18:22:33 +0100
Laszlo Ersek  wrote:

> On 01/05/16 18:08, Igor Mammedov wrote:
> > On Mon, 4 Jan 2016 21:17:31 +0100
> > Laszlo Ersek  wrote:
> >   
> >> Michael CC'd me on the grandparent of the email below. I'll try to add
> >> my thoughts in a single go, with regard to OVMF.
> >>
> >> On 12/30/15 20:52, Michael S. Tsirkin wrote:  
> >>> On Wed, Dec 30, 2015 at 04:55:54PM +0100, Igor Mammedov wrote:
>  On Mon, 28 Dec 2015 14:50:15 +0200
>  "Michael S. Tsirkin"  wrote:
> 
> > On Mon, Dec 28, 2015 at 10:39:04AM +0800, Xiao Guangrong wrote:
> >>
> >> Hi Michael, Paolo,
> >>
> >> Now it is the time to return to the challenge that how to reserve guest
> >> physical region internally used by ACPI.
> >>
> >> Igor suggested that:
> >> | An alternative place to allocate reserve from could be high memory.
> >> | For pc we have "reserved-memory-end" which currently makes sure
> >> | that hotpluggable memory range isn't used by firmware
> >> (https://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg00926.html)
> >> 
> >>
> >> OVMF has no support for the "reserved-memory-end" fw_cfg file. The
> >> reason is that nobody wrote that patch, nor asked for the patch to be
> >> written. (Not implying that just requesting the patch would be
> >> sufficient for the patch to be written.)
> >>  
> > I don't want to tie things to reserved-memory-end because this
> > does not scale: next time we need to reserve memory,
> > we'll need to find yet another way to figure out what is where.
>  Could you elaborate a bit more on a problem you're seeing?
> 
>  To me it looks like it scales rather well.
>  For example lets imagine that we adding a device
>  that has some on device memory that should be mapped into GPA
>  code to do so would look like:
> 
>    pc_machine_device_plug_cb(dev)
>    {
> ...
> if (dev == OUR_NEW_DEVICE_TYPE) {
> memory_region_add_subregion(as, current_reserved_end, >mr);
> set_new_reserved_end(current_reserved_end + 
>  memory_region_size(>mr));
> }
>    }
> 
>  we can practically add any number of new devices that way.
> >>>
> >>> Yes but we'll have to build a host side allocator for these, and that's
> >>> nasty. We'll also have to maintain these addresses indefinitely (at
> >>> least per machine version) as they are guest visible.
> >>> Not only that, there's no way for guest to know if we move things
> >>> around, so basically we'll never be able to change addresses.
> >>>
> >>> 
>   
> > I would like ./hw/acpi/bios-linker-loader.c interface to be extended to
> > support 64 bit RAM instead
> >>
> >> This looks quite doable in OVMF, as long as the blob to allocate from
> >> high memory contains *zero* ACPI tables.
> >>
> >> (
> >> Namely, each ACPI table is installed from the containing fw_cfg blob
> >> with EFI_ACPI_TABLE_PROTOCOL.InstallAcpiTable(), and the latter has its
> >> own allocation policy for the *copies* of ACPI tables it installs.
> >>
> >> This allocation policy is left unspecified in the section of the UEFI
> >> spec that governs EFI_ACPI_TABLE_PROTOCOL.
> >>
> >> The current policy in edk2 (= the reference implementation) seems to be
> >> "allocate from under 4GB". It is currently being changed to "try to
> >> allocate from under 4GB, and if that fails, retry from high memory". (It
> >> is motivated by Aarch64 machines that may have no DRAM at all under 4GB.)
> >> )
> >>  
> > (and maybe a way to allocate and
> > zero-initialize buffer without loading it through fwcfg),
> >>
> >> Sounds reasonable.
> >>  
> > this way bios
> > does the allocation, and addresses can be patched into acpi.
>  and then guest side needs to parse/execute some AML that would
>  initialize QEMU side so it would know where to write data.
> >>>
> >>> Well not really - we can put it in a data table, by itself
> >>> so it's easy to find.
> >>
> >> Do you mean acpi_tb_find_table(), acpi_get_table_by_index() /
> >> acpi_get_table_with_size()?
> >>  
> >>>
> >>> AML is only needed if access from ACPI is desired.
> >>>
> >>> 
>  bios-linker-loader is a great interface for initializing some
>  guest owned data and linking it together but I think it adds
>  unnecessary complexity and is misused if it's used to handle
>  device owned data/on device memory in this and VMGID cases.
> >>>
> >>> I want a generic interface for guest to enumerate these things.  linker
> >>> seems quite reasonable but if you see a reason why it won't do, or want
> >>> to propose a better interface, fine.
> >>
> >> * The guest could do the following:
> >> - while processing the ALLOCATE commands, it would make a note where in
> >> GPA space each fw_cfg blob gets allocated
> >> - at the 

Re: [Qemu-devel] [Qemu-block] [PATCH v5 4/6] expose floppy drive geometry and CMOS type

2016-01-06 Thread Denis V. Lunev

On 01/04/2016 11:44 PM, John Snow wrote:


On 12/30/2015 03:11 PM, Roman Kagan wrote:

Make it possible to query the geometry and the CMOS type of a floppy
drive outside of the respective source files.

It will be useful, in particular, when dynamically building ACPI tables,
and will allow to properly populate the corresponding ACPI objects and
thus enable BIOS-less systems to access the floppy drives.

Signed-off-by: Roman Kagan 
Cc: "Michael S. Tsirkin" 
Cc: Eduardo Habkost 
Cc: Igor Mammedov 
Cc: John Snow 
Cc: Kevin Wolf 
Cc: Paolo Bonzini 
Cc: Richard Henderson 
Cc: qemu-bl...@nongnu.org
Cc: qemu-sta...@nongnu.org
---
no changes since v4

changes since v3:
  - split out into a separate patch to faciliate review

  hw/block/fdc.c | 11 +++
  hw/i386/pc.c   |  2 +-
  include/hw/block/fdc.h |  2 ++
  include/hw/i386/pc.h   |  1 +
  4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 4292ece..c858c5f 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -2408,6 +2408,17 @@ FDriveType isa_fdc_get_drive_type(ISADevice *fdc, int i)
  return isa->state.drives[i].drive;
  }
  
+void isa_fdc_get_drive_geometry(ISADevice *fdc, int i, uint8_t *cylinders,

+uint8_t *heads, uint8_t *sectors)
+{
+FDCtrlISABus *isa = ISA_FDC(fdc);
+FDrive *drv = >state.drives[i];
+
+*cylinders = drv->max_track;
+*heads = (drv->flags & FDISK_DBL_SIDES) ? 2 : 1;
+*sectors = drv->last_sect;
+}
+
  static const VMStateDescription vmstate_isa_fdc ={
  .name = "fdc",
  .version_id = 2,
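Review bot: `isa_fdc_get_drive_geometry` indexes `state.drives[i]` with a caller-supplied `int i` and no range check, and the patch exports it through `include/hw/block/fdc.h`, so an out-of-range index from a new caller would read past the array. A guard at the top of the body such as `assert(i >= 0 && i < MAX_FD);` would catch that, assuming the array is sized by `MAX_FD` as elsewhere in the floppy code. The context line above the addition shows `isa_fdc_get_drive_type` uses the same unchecked index. A short comment stating that all three output pointers are written unconditionally and must be non-NULL would also help callers.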
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index c36b8cf..99fab83 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -199,7 +199,7 @@ static void pic_irq_request(void *opaque, int irq, int 
level)
  
  #define REG_EQUIPMENT_BYTE  0x14
  
-static int cmos_get_fd_drive_type(FDriveType fd0)

+int cmos_get_fd_drive_type(FDriveType fd0)
  {
  int val;
  
diff --git a/include/hw/block/fdc.h b/include/hw/block/fdc.h

index d48b2f8..adaf3dc 100644
--- a/include/hw/block/fdc.h
+++ b/include/hw/block/fdc.h
@@ -22,5 +22,7 @@ void sun4m_fdctrl_init(qemu_irq irq, hwaddr io_base,
 DriveInfo **fds, qemu_irq *fdc_tc);
  
  FDriveType isa_fdc_get_drive_type(ISADevice *fdc, int i);

+void isa_fdc_get_drive_geometry(ISADevice *fdc, int i, uint8_t *cylinders,
+uint8_t *heads, uint8_t *sectors);
  
  #endif

diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 819..d044a9a 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -268,6 +268,7 @@ typedef void (*cpu_set_smm_t)(int smm, void *arg);
  void ioapic_init_gsi(GSIState *gsi_state, const char *parent_name);
  
  ISADevice *pc_find_fdc0(void);

+int cmos_get_fd_drive_type(FDriveType fd0);
  
  /* acpi_piix.c */
  


Patches 1,4:

Reviewed-by: John Snow 

Aside: Why did they have you split out the test changes to be separate
from the code? Doesn't that introduce commits where the tests now fail?

--js


This would make the merge process to downstream simpler.

Den



Re: [Qemu-devel] [PATCH v3 05/11] igd: TYPE_IGD_PASSTHROUGH_I440FX_PCI_DEVICE: call parent realize

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann 
> ---
>  hw/pci-host/igd.c | 9 +
>  1 file changed, 9 insertions(+)
> 
> diff --git a/hw/pci-host/igd.c b/hw/pci-host/igd.c
> index d1eeafb..6f52ab1 100644
> --- a/hw/pci-host/igd.c
> +++ b/hw/pci-host/igd.c
> @@ -53,12 +53,20 @@ out:
>  return ret;
>  }
>  
> +static void (*i440fx_realize)(PCIDevice *pci_dev, Error **errp);
>  static void igd_pt_i440fx_realize(PCIDevice *pci_dev, Error **errp)
>  {
> +Error *err = NULL;
>  uint32_t val = 0;
>  int rc, i, num;
>  int pos, len;

Can't we get the parent PCIDeviceClass realize function from pci_dev? So
that we don't have to introduce i440fx_realize?


> +i440fx_realize(pci_dev, );
> +if (err != NULL) {
> +error_propagate(errp, err);
> +return;
> +}
> +
>  num = ARRAY_SIZE(igd_host_bridge_infos);
>  for (i = 0; i < num; i++) {
>  pos = igd_host_bridge_infos[i].offset;
> @@ -77,6 +85,7 @@ static void igd_passthrough_i440fx_class_init(ObjectClass 
> *klass, void *data)
>  DeviceClass *dc = DEVICE_CLASS(klass);
>  PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
>  
> +i440fx_realize = k->realize;
>  k->realize = igd_pt_i440fx_realize;
>  dc->desc = "IGD Passthrough Host bridge";
>  }
> -- 
> 1.8.3.1
> 



Re: [Qemu-devel] [PATCH 3/8] ipmi: add GET_SYS_RESTART_CAUSE chassis command

2016-01-06 Thread Greg Kurz
On Tue,  5 Jan 2016 18:29:57 +0100
Cédric Le Goater  wrote:

> This is a simulator. Just return an unknown cause (0).
> 
> Signed-off-by: Cédric Le Goater 
> ---

Acked-by: Greg Kurz 

>  hw/ipmi/ipmi_bmc_sim.c | 20 ++--
>  1 file changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/ipmi/ipmi_bmc_sim.c b/hw/ipmi/ipmi_bmc_sim.c
> index 061db8437479..5db94491b130 100644
> --- a/hw/ipmi/ipmi_bmc_sim.c
> +++ b/hw/ipmi/ipmi_bmc_sim.c
> @@ -30,11 +30,12 @@
>  #include "qemu/error-report.h"
> 
>  #define IPMI_NETFN_CHASSIS0x00
> -#define IPMI_NETFN_CHASSIS_MAXCMD 0x03
> +#define IPMI_NETFN_CHASSIS_MAXCMD 0x0a
> 

No big deal again but I guess the define would better fit...

>  #define IPMI_CMD_GET_CHASSIS_CAPABILITIES 0x00
>  #define IPMI_CMD_GET_CHASSIS_STATUS   0x01
>  #define IPMI_CMD_CHASSIS_CONTROL  0x02
> +#define IPMI_CMD_GET_SYS_RESTART_CAUSE0x09
> 

... here.

>  #define IPMI_NETFN_SENSOR_EVENT   0x04
>  #define IPMI_NETFN_SENSOR_EVENT_MAXCMD0x30
> @@ -201,6 +202,8 @@ struct IPMIBmcSim {
>  uint8_t mfg_id[3];
>  uint8_t product_id[2];
> 
> +uint8_t restart_cause;
> +
>  IPMISel sel;
>  IPMISdr sdr;
>  IPMISensor sensors[MAX_SENSORS];
> @@ -754,6 +757,17 @@ static void chassis_control(IPMIBmcSim *ibs,
>  return;
>  }
> 
> +static void chassis_get_sys_restart_cause(IPMIBmcSim *ibs,
> +   uint8_t *cmd, unsigned int cmd_len,
> +   uint8_t *rsp, unsigned int *rsp_len,
> +   unsigned int max_rsp_len)
> +{
> +IPMI_ADD_RSP_DATA(ibs->restart_cause & 0xf); /* Restart Cause */

Define a mask ?

> +IPMI_ADD_RSP_DATA(0);  /* Channel 0 */
> + out:
> +return;
> +}
> +
>  static void get_device_id(IPMIBmcSim *ibs,
>uint8_t *cmd, unsigned int cmd_len,
>uint8_t *rsp, unsigned int *rsp_len,
> @@ -1624,7 +1638,8 @@ static void get_sensor_type(IPMIBmcSim *ibs,
>  static const IPMICmdHandler chassis_cmds[IPMI_NETFN_CHASSIS_MAXCMD] = {
>  [IPMI_CMD_GET_CHASSIS_CAPABILITIES] = chassis_capabilities,
>  [IPMI_CMD_GET_CHASSIS_STATUS] = chassis_status,
> -[IPMI_CMD_CHASSIS_CONTROL] = chassis_control
> +[IPMI_CMD_CHASSIS_CONTROL] = chassis_control,
> +[IPMI_CMD_GET_SYS_RESTART_CAUSE] = chassis_get_sys_restart_cause
>  };
>  static const IPMINetfn chassis_netfn = {
>  .cmd_nums = IPMI_NETFN_CHASSIS_MAXCMD,
> @@ -1746,6 +1761,7 @@ static void ipmi_sim_init(Object *obj)
>  ibs->bmc_global_enables = (1 << IPMI_BMC_EVENT_LOG_BIT);
>  ibs->device_id = 0x20;
>  ibs->ipmi_version = 0x02; /* IPMI 2.0 */
> +ibs->restart_cause = 0;
>  for (i = 0; i < 4; i++) {
>  ibs->sel.last_addition[i] = 0xff;
>  ibs->sel.last_clear[i] = 0xff;




Re: [Qemu-devel] [PATCH v3 07/11] igd: revamp host config read

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> Move all work to the host_pci_config_copy helper function,
> which we can easily reuse when adding q35 support.
> Open sysfs file only once for all values.  Use pread.
> Proper error handling.  Fix bugs:
> 
>  * Don't throw away results (like old host_pci_config_read
>did because val was passed by value not reference).
>  * Update config space directly (writing via
>pci_default_write_config only works for registers
>whitelisted in wmask).
> 
> Hmm, this code can hardly ever worked before,
> /me wonders what test coverage it had.
> 
> With this patch in place igd-passthru=on actually
> works, although it still requires root privileges
> because linux refuses to allow non-root users to access
> pci config space above offset 0x50.
> 
> Signed-off-by: Gerd Hoffmann 
> ---
>  hw/pci-host/igd.c | 65 
> +++
>  1 file changed, 27 insertions(+), 38 deletions(-)
> 
> diff --git a/hw/pci-host/igd.c b/hw/pci-host/igd.c
> index 0784128..ec48875 100644
> --- a/hw/pci-host/igd.c
> +++ b/hw/pci-host/igd.c
> @@ -19,47 +19,39 @@ static const IGDHostInfo igd_host_bridge_infos[] = {
>  {0xa8, 4},  /* SNB: base of GTT stolen memory */
>  };
>  
> -static int host_pci_config_read(int pos, int len, uint32_t val)
> +static void host_pci_config_copy(PCIDevice *guest, const char *host,
> + const IGDHostInfo *list, int len, Error 
> **errp)
>  {
> -char path[PATH_MAX];
> -int config_fd;
> -ssize_t size = sizeof(path);
> -/* Access real host bridge. */
> -int rc = snprintf(path, size, 
> "/sys/bus/pci/devices/%04x:%02x:%02x.%d/%s",
> -  0, 0, 0, 0, "config");
> -int ret = 0;
> +char *path;
> +int config_fd, rc, i;
>  
> -if (rc >= size || rc < 0) {
> -return -ENODEV;
> -}
> -
> -config_fd = open(path, O_RDWR);
> +path = g_strdup_printf("/sys/bus/pci/devices/%s/config", host);
> +config_fd = open(path, O_RDONLY);
>  if (config_fd < 0) {
> -return -ENODEV;
> +error_setg_file_open(errp, errno, path);
> +goto out_free;
>  }
>  
> -if (lseek(config_fd, pos, SEEK_SET) != pos) {
> -ret = -errno;
> -goto out;
> +for (i = 0; i < len; i++) {
> +rc = pread(config_fd, guest->config + list[i].offset,
> +   list[i].len, list[i].offset);
> +if (rc != list[i].len) {

pread is allowed to return early, returning the number of bytes read.



> +error_setg_errno(errp, errno, "read %s, offset 0x%x",
> + path, list[i].offset);
> +goto out_close;
> +}
>  }
> -do {
> -rc = read(config_fd, (uint8_t *), len);
> -} while (rc < 0 && (errno == EINTR || errno == EAGAIN));
> -if (rc != len) {
> -ret = -errno;
> -}
> -out:
> +
> +out_close:
>  close(config_fd);
> -return ret;
> +out_free:
> +g_free(path);
>  }
>  
>  static void (*i440fx_realize)(PCIDevice *pci_dev, Error **errp);
>  static void igd_pt_i440fx_realize(PCIDevice *pci_dev, Error **errp)
>  {
>  Error *err = NULL;
> -uint32_t val = 0;
> -int rc, i, num;
> -int pos, len;
>  
>  i440fx_realize(pci_dev, );
>  if (err != NULL) {
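Review bot: The failure branch after `pread` in `host_pci_config_copy` builds its message with `errno`, but `errno` is only meaningful when `pread` returned -1. When the call returns a non-negative count that differs from `list[i].len`, the message carries whatever value an earlier call left behind. Splitting the two cases keeps the diagnostic accurate: keep `error_setg_errno(...)` for `rc < 0` and use a plain `error_setg(errp, "short read %s, offset 0x%x", path, list[i].offset);` otherwise. The removed code also retried on `EINTR`, which the new loop no longer does.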
> @@ -67,16 +59,13 @@ static void igd_pt_i440fx_realize(PCIDevice *pci_dev, 
> Error **errp)
>  return;
>  }
>  
> -num = ARRAY_SIZE(igd_host_bridge_infos);
> -for (i = 0; i < num; i++) {
> -pos = igd_host_bridge_infos[i].offset;
> -len = igd_host_bridge_infos[i].len;
> -rc = host_pci_config_read(pos, len, val);
> -if (rc) {
> -error_setg(errp, "failed to read host config");
> -return;
> -}
> -pci_default_write_config(pci_dev, pos, val, len);
> +host_pci_config_copy(pci_dev, ":00:00.0",
> + igd_host_bridge_infos,
> + ARRAY_SIZE(igd_host_bridge_infos),
> + );
> +if (err != NULL) {
> +error_propagate(errp, err);
> +return;
>  }
>  }
>  
> -- 
> 1.8.3.1
> 



[Qemu-devel] [PATCH v2 4/7] device_tree: qemu_fdt_getprop converted to use the error API

2016-01-06 Thread Eric Auger
Current qemu_fdt_getprop exits if the property is not found. It is
sometimes needed to read an optional property, in which case we do
not wish to exit but simply return a null value.

This patch converts qemu_fdt_getprop to accept an Error **, and existing
users are converted to pass &error_fatal. This preserves the existing
behaviour. Then, to use the API with the optional semantics, a null
parameter can be passed.

Signed-off-by: Eric Auger 

---

v1 -> v2:
- add a doc comment in the header file

RFC -> v1:
- get rid of qemu_fdt_getprop_optional and implement Peter's suggestion
  that consists in using the error API

Signed-off-by: Eric Auger 
---
 device_tree.c| 11 ++-
 include/sysemu/device_tree.h | 15 ++-
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/device_tree.c b/device_tree.c
index 8441e01..6ecc9da 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -321,18 +321,18 @@ int qemu_fdt_setprop_string(void *fdt, const char 
*node_path,
 }
 
 const void *qemu_fdt_getprop(void *fdt, const char *node_path,
- const char *property, int *lenp)
+ const char *property, int *lenp, Error **errp)
 {
 int len;
 const void *r;
+
 if (!lenp) {
 lenp = 
 }
 r = fdt_getprop(fdt, findnode_nofail(fdt, node_path), property, lenp);
 if (!r) {
-error_report("%s: Couldn't get %s/%s: %s", __func__,
- node_path, property, fdt_strerror(*lenp));
-exit(1);
+error_setg(errp, "%s: Couldn't get %s/%s: %s", __func__,
+  node_path, property, fdt_strerror(*lenp));
 }
 return r;
 }
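Review bot: The conversion to `Error **` only covers a failing `fdt_getprop`; the node lookup in the same statement still goes through `findnode_nofail`, which by its name presumably terminates QEMU when `node_path` does not exist. A caller that passes a non-fatal `errp` to probe an optional property therefore still cannot probe a node that may be absent. Either say so in the doc comment, e.g. ` * @node_path: node path, must exist`, or look the node up with a call that can fail and report that failure through `errp` as well.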
@@ -341,7 +341,8 @@ uint32_t qemu_fdt_getprop_cell(void *fdt, const char 
*node_path,
const char *property)
 {
 int len;
-const uint32_t *p = qemu_fdt_getprop(fdt, node_path, property, );
+const uint32_t *p = qemu_fdt_getprop(fdt, node_path, property, ,
+ _fatal);
 if (len != 4) {
 error_report("%s: %s/%s not 4 bytes long (not a cell?)",
  __func__, node_path, property);
diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
index 269cb1c..4d7cbb9 100644
--- a/include/sysemu/device_tree.h
+++ b/include/sysemu/device_tree.h
@@ -45,8 +45,21 @@ int qemu_fdt_setprop_string(void *fdt, const char *node_path,
 int qemu_fdt_setprop_phandle(void *fdt, const char *node_path,
  const char *property,
  const char *target_node_path);
+/**
+ * qemu_fdt_getprop: retrieve the value of a given property
+ * @fdt: pointer to the device tree blob
+ * @node_path: node path
+ * @property: name of the property to find
+ * @lenp: fdt error if any or length of the property on success
+ * @errp: handle to an error object
+ *
+ * returns a pointer to the property on success and NULL on failure
+ * in case errp is set to _fatal, the function auto-asserts
+ * on error (legacy behavior)
+ */
 const void *qemu_fdt_getprop(void *fdt, const char *node_path,
- const char *property, int *lenp);
+ const char *property, int *lenp,
+ Error **errp);
 uint32_t qemu_fdt_getprop_cell(void *fdt, const char *node_path,
const char *property);
 uint32_t qemu_fdt_get_phandle(void *fdt, const char *path);
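Review bot: The new doc comment says the function "auto-asserts" when `errp` is the fatal handle, but the code being replaced called `error_report` followed by `exit(1)` and the commit message says that behaviour is preserved, so "reports the error and exits" is the accurate wording. The comment should also state what a NULL `errp` means, since that is the optional-property case the patch is written for: ` * if @errp is NULL the failure is not reported and only NULL is returned`. `@lenp` may be NULL too (the implementation substitutes a local), which deserves one line.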
-- 
1.9.1




[Qemu-devel] [PATCH v2 2/7] device_tree: introduce load_device_tree_from_sysfs

2016-01-06 Thread Eric Auger
This function returns the host device tree blob from sysfs
(/proc/device-tree). It uses a recursive function inspired
from dtc read_fstree.

Signed-off-by: Eric Auger 

---
v1 -> v2:
- do not implement/expose read_fstree and load_device_tree_from_sysfs
  if CONFIG_LINUX is not defined (lstat is not implemented in mingw)
- correct indentation in read_fstree
- use /proc/device-tree symlink instead of /sys/firmware/devicetree/base
  path (kernel.org/doc/Documentation/ABI/testing/sysfs-firmware-ofw)
- use g_file_get_contents in read_fstree
- introduce SYSFS_DT_BASEDIR macro and use strlen
- exit on error in load_device_tree_from_sysfs
- user error_setg

RFC -> v1:
- remove runtime dependency on dtc binary and introduce read_fstree
---
 device_tree.c| 100 +++
 include/sysemu/device_tree.h |   3 ++
 2 files changed, 103 insertions(+)

diff --git a/device_tree.c b/device_tree.c
index a9f5f8e..b262c2d 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -17,6 +17,9 @@
 #include 
 #include 
 #include 
+#ifdef CONFIG_LINUX
+#include 
+#endif
 
 #include "qemu-common.h"
 #include "qemu/error-report.h"
@@ -117,6 +120,103 @@ fail:
 return NULL;
 }
 
+#ifdef CONFIG_LINUX
+
+#define SYSFS_DT_BASEDIR "/proc/device-tree"
+
+/**
+ * read_fstree: this function is inspired from dtc read_fstree
+ * @fdt: preallocated fdt blob buffer, to be populated
+ * @dirname: directory to scan under SYSFS_DT_BASEDIR
+ * the search is recursive and the tree is searched down to the
+ * leafs (property files).
+ *
+ * the function self-asserts in case of error
+ */
+static void read_fstree(void *fdt, const char *dirname)
+{
+DIR *d;
+struct dirent *de;
+struct stat st;
+const char *root_dir = SYSFS_DT_BASEDIR;
+char *parent_node;
+
+if (strstr(dirname, root_dir) != dirname) {
+error_report("%s: %s must be searched within %s",
+ __func__, dirname, root_dir);
+exit(1);
+}
+parent_node = (char *)[strlen(SYSFS_DT_BASEDIR)];
+
+d = opendir(dirname);
+if (!d) {
+error_setg(_fatal, "%s cannot open %s", __func__, dirname);
+}
+
+while ((de = readdir(d)) != NULL) {
+char *tmpnam;
+
+if (!g_strcmp0(de->d_name, ".")
+|| !g_strcmp0(de->d_name, "..")) {
+continue;
+}
+
+tmpnam = g_strjoin("/", dirname, de->d_name, NULL);
+
+if (lstat(tmpnam, ) < 0) {
+error_setg(_fatal, "%s cannot lstat %s", __func__, tmpnam);
+}
+
+if (S_ISREG(st.st_mode)) {
+gchar *val;
+gsize len;
+
+if (!g_file_get_contents(tmpnam, , , NULL)) {
+error_setg(_fatal, "%s not able to extract info from %s",
+   __func__, tmpnam);
+}
+
+if (strlen(parent_node) > 0) {
+qemu_fdt_setprop(fdt, parent_node,
+ de->d_name, val, len);
+} else {
+qemu_fdt_setprop(fdt, "/", de->d_name, val, len);
+}
+g_free(val);
+} else if (S_ISDIR(st.st_mode)) {
+char *node_name;
+
+node_name = g_strdup_printf("%s/%s",
+parent_node, de->d_name);
+qemu_fdt_add_subnode(fdt, node_name);
+g_free(node_name);
+read_fstree(fdt, tmpnam);
+}
+
+g_free(tmpnam);
+}
+
+closedir(d);
+}
+
+/* load_device_tree_from_sysfs: extract the dt blob from host sysfs */
+void *load_device_tree_from_sysfs(void)
+{
+void *host_fdt;
+int host_fdt_size;
+
+host_fdt = create_device_tree(_fdt_size);
+read_fstree(host_fdt, SYSFS_DT_BASEDIR);
+if (fdt_check_header(host_fdt)) {
+error_setg(_fatal,
+   "%s host device tree extracted into memory is invalid",
+   __func__);
+}
+return host_fdt;
+}
+
+#endif /* CONFIG_LINUX */
+
 static int findnode_nofail(void *fdt, const char *node_path)
 {
 int offset;
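Review bot: In `read_fstree` the loop `while ((de = readdir(d)) != NULL)` treats every NULL as end of directory, so a read error part-way through yields a silently truncated tree. That tree is then passed to `fdt_check_header`, which checks the blob header rather than its contents. Clearing `errno` before each `readdir` call and testing it once the loop exits would make this case fatal like the other failures in the function, e.g. `if (errno) { error_setg_errno(&error_fatal, errno, "%s cannot read %s", __func__, dirname); }`. Separately, the local `tmpnam` shadows the libc function of the same name; `entry_path` would avoid `-Wshadow` noise.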
diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
index 359e143..fdf25a4 100644
--- a/include/sysemu/device_tree.h
+++ b/include/sysemu/device_tree.h
@@ -16,6 +16,9 @@
 
 void *create_device_tree(int *sizep);
 void *load_device_tree(const char *filename_path, int *sizep);
+#ifdef CONFIG_LINUX
+void *load_device_tree_from_sysfs(void);
+#endif
 
 int qemu_fdt_setprop(void *fdt, const char *node_path,
  const char *property, const void *val, int size);
-- 
1.9.1




Re: [Qemu-devel] [PATCH v3 05/11] igd: TYPE_IGD_PASSTHROUGH_I440FX_PCI_DEVICE: call parent realize

2016-01-06 Thread Gerd Hoffmann
> >  
> > +static void (*i440fx_realize)(PCIDevice *pci_dev, Error **errp);
> >  static void igd_pt_i440fx_realize(PCIDevice *pci_dev, Error **errp)
> >  {
> > +Error *err = NULL;
> >  uint32_t val = 0;
> >  int rc, i, num;
> >  int pos, len;
> 
> Can't we get the parent PCIDeviceClass realize function from pci_dev? So
> that we don't have to introduce i440fx_realize?

I don't think so ...

> >  
> > +i440fx_realize = k->realize;
> >  k->realize = igd_pt_i440fx_realize;

... because we are overriding it right here.

cheers,
  Gerd




[Qemu-devel] [PATCH v2 3/7] device_tree: introduce qemu_fdt_node_path

2016-01-06 Thread Eric Auger
This new helper routine returns the node path of a device
referred to by its node name and compat string.

Signed-off-by: Eric Auger 

---

v1 -> v2:
- move doc comment in header file
- do not use a fixed size buffer
- break on errors in while loop
- use strcmp instead of strncmp

RFC -> v1:
- improve error handling according to Alex' comments
---
 device_tree.c| 37 +
 include/sysemu/device_tree.h | 14 ++
 2 files changed, 51 insertions(+)

diff --git a/device_tree.c b/device_tree.c
index b262c2d..8441e01 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -231,6 +231,43 @@ static int findnode_nofail(void *fdt, const char 
*node_path)
 return offset;
 }
 
+int qemu_fdt_node_path(void *fdt, const char *name, char *compat,
+   char **node_path)
+{
+int offset, len, ret;
+const char *iter_name;
+unsigned int path_len = 16;
+char *path;
+
+*node_path = NULL;
+offset = fdt_node_offset_by_compatible(fdt, -1, compat);
+
+while (offset >= 0) {
+iter_name = fdt_get_name(fdt, offset, );
+if (!iter_name) {
+offset = len;
+break;
+}
+if (!strcmp(iter_name, name)) {
+goto found;
+}
+offset = fdt_node_offset_by_compatible(fdt, offset, compat);
+}
+return offset;
+
+found:
+path = g_malloc(path_len);
+while ((ret = fdt_get_path(fdt, offset, path, path_len))
+== -FDT_ERR_NOSPACE) {
+path_len += 16;
+path = g_realloc(path, path_len);
+}
+if (!ret) {
+*node_path = path;
+}
+return ret;
+}
+
 int qemu_fdt_setprop(void *fdt, const char *node_path,
  const char *property, const void *val, int size)
 {
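Review bot: In the `found:` path of `qemu_fdt_node_path`, `path` is handed to the caller only when `fdt_get_path` returns 0; on any other error the buffer obtained from `g_malloc`/`g_realloc` is never released. Adding `else { g_free(path); }` after the `if (!ret)` block closes the leak. `compat` is only forwarded to `fdt_node_offset_by_compatible`, so the parameter could be `const char *compat`, which lets callers pass string literals without a cast.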
diff --git a/include/sysemu/device_tree.h b/include/sysemu/device_tree.h
index fdf25a4..269cb1c 100644
--- a/include/sysemu/device_tree.h
+++ b/include/sysemu/device_tree.h
@@ -20,6 +20,20 @@ void *load_device_tree(const char *filename_path, int 
*sizep);
 void *load_device_tree_from_sysfs(void);
 #endif
 
+/**
+ * qemu_fdt_node_path: return the node path of a device, given its
+ * node name and its compat string
+ * @fdt: pointer to the dt blob
+ * @name: device node name
+ * @compat: compatibility string of the device
+ * @node_path: returned node path
+ *
+ * upon success, the path is output at node_path address
+ * returns 0 on success, < 0 on failure
+ */
+int qemu_fdt_node_path(void *fdt, const char *name, char *compat,
+   char **node_path);
+
 int qemu_fdt_setprop(void *fdt, const char *node_path,
  const char *property, const void *val, int size);
 int qemu_fdt_setprop_cell(void *fdt, const char *node_path,
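Review bot: The doc comment for `qemu_fdt_node_path` does not say who owns the string stored in `*node_path`. The implementation in this patch allocates it with `g_malloc`, so the contract should say the caller releases it, e.g. ` * @node_path: returned node path, to be freed with g_free() by the caller`. It is also worth stating that `*node_path` is set to NULL on failure, since the implementation does that before searching.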
-- 
1.9.1




[Qemu-devel] [PATCH v2 0/7] AMD XGBE KVM platform passthrough

2016-01-06 Thread Eric Auger
This series allows to set up AMD XGBE passthrough. This was tested on AMD
Seattle.

The first upstreamed device supporting KVM platform passthrough was the
Calxeda Midway XGMAC. Compared to this latter, the XGBE XGMAC exposes a
much more complex device tree node.

- First, there are 2 device tree node formats:
one where XGBE and PHY are described in separate nodes and another one
that combines both descriptions in a single node (only supported by 4.2
onwards kernels). Only the combined description is supported for passthrough,
meaning the host must be >= 4.2 and must feature a device tree with a combined
description. The guest will also be exposed with a combined description,
meaning only >= 4.2 guests are supported. It is not planned to support
separate node representation since assignment of the PHY is less
straightforward.

- the XGMAC/PHY node depends on 2 clock nodes (DMA and PTP).
The code checks those clocks are fixed to make sure they cannot be
switched off at some point after the native driver gets unbound.

- there are many property values to populate on guest side. Most of them
cannot be hardcoded. That series implements host device tree blob extraction
from the host /proc/device-tree (inspired from dtc implementation)
and retrieve host property values to populate guest dtb.

- the case where the host uses ACPI is not yet covered since there is
  no usable ACPI description for this HW yet.

The patches can be found at
https://git.linaro.org/people/eric.auger/qemu.git/shortlog/refs/heads/v2.5.0-xgbe-v2

Previous version can be found at
https://git.linaro.org/people/eric.auger/qemu.git/shortlog/refs/heads/v2.5.0-xgbe-v1

HISTORY:
v1 -> v2:
- take into account Peter's comments:
  - add CONFIG_LINUX protection
  - improve error handling and messages
  - no fixed size buffer anymore
  - fix read_fstree error handling
- use /proc/device-tree symlink instead of /sys/firmware/devicetree/base
- added hw/arm/sysbus-fdt: remove qemu_fdt_setprop returned value check
- see individual commits for full details

RFC -> v1:
- no dependency anymore on dtc binary: load_device_tree_from_sysfs is
  self-contained and implements something similar to dtc read_fstree.
- take into account Alex' comments
- remove qemu_fdt_getprop_optional and use error API instead

Best Regards

Eric


Eric Auger (7):
  hw/vfio/platform: amd-xgbe device
  device_tree: introduce load_device_tree_from_sysfs
  device_tree: introduce qemu_fdt_node_path
  device_tree: qemu_fdt_getprop converted to use the error API
  hw/arm/sysbus-fdt: helpers for clock node generation
  hw/arm/sysbus-fdt: enable amd-xgbe dynamic instantiation
  hw/arm/sysbus-fdt: remove qemu_fdt_setprop returned value check

 device_tree.c   | 148 ++-
 hw/arm/sysbus-fdt.c | 306 ++--
 hw/vfio/Makefile.objs   |   1 +
 hw/vfio/amd-xgbe.c  |  55 
 include/hw/vfio/vfio-amd-xgbe.h |  51 +++
 include/sysemu/device_tree.h|  32 -
 6 files changed, 577 insertions(+), 16 deletions(-)
 create mode 100644 hw/vfio/amd-xgbe.c
 create mode 100644 include/hw/vfio/vfio-amd-xgbe.h

-- 
1.9.1




[Qemu-devel] [PATCH v2 1/7] hw/vfio/platform: amd-xgbe device

2016-01-06 Thread Eric Auger
This patch introduces the amd-xgbe VFIO platform device. It
allows the guest to do passthrough on a device exposing an
"amd,xgbe-seattle-v1a" compat string.

Signed-off-by: Eric Auger 
Reviewed-by: Alex Benné

---
RFC -> v1:
- add Alex' R-b
---
 hw/vfio/Makefile.objs   |  1 +
 hw/vfio/amd-xgbe.c  | 55 +
 include/hw/vfio/vfio-amd-xgbe.h | 51 ++
 3 files changed, 107 insertions(+)
 create mode 100644 hw/vfio/amd-xgbe.c
 create mode 100644 include/hw/vfio/vfio-amd-xgbe.h

diff --git a/hw/vfio/Makefile.objs b/hw/vfio/Makefile.objs
index d324863..ceddbb8 100644
--- a/hw/vfio/Makefile.objs
+++ b/hw/vfio/Makefile.objs
@@ -3,4 +3,5 @@ obj-$(CONFIG_SOFTMMU) += common.o
 obj-$(CONFIG_PCI) += pci.o pci-quirks.o
 obj-$(CONFIG_SOFTMMU) += platform.o
 obj-$(CONFIG_SOFTMMU) += calxeda-xgmac.o
+obj-$(CONFIG_SOFTMMU) += amd-xgbe.o
 endif
diff --git a/hw/vfio/amd-xgbe.c b/hw/vfio/amd-xgbe.c
new file mode 100644
index 000..53451eb
--- /dev/null
+++ b/hw/vfio/amd-xgbe.c
@@ -0,0 +1,55 @@
+/*
+ * AMD XGBE VFIO device
+ *
+ * Copyright Linaro Limited, 2015
+ *
+ * Authors:
+ *  Eric Auger 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include "hw/vfio/vfio-amd-xgbe.h"
+
+static void amd_xgbe_realize(DeviceState *dev, Error **errp)
+{
+VFIOPlatformDevice *vdev = VFIO_PLATFORM_DEVICE(dev);
+VFIOAmdXgbeDeviceClass *k = VFIO_AMD_XGBE_DEVICE_GET_CLASS(dev);
+
+vdev->compat = g_strdup("amd,xgbe-seattle-v1a");
+
+k->parent_realize(dev, errp);
+}
+
+static const VMStateDescription vfio_platform_amd_xgbe_vmstate = {
+.name = TYPE_VFIO_AMD_XGBE,
+.unmigratable = 1,
+};
+
+static void vfio_amd_xgbe_class_init(ObjectClass *klass, void *data)
+{
+DeviceClass *dc = DEVICE_CLASS(klass);
+VFIOAmdXgbeDeviceClass *vcxc =
+VFIO_AMD_XGBE_DEVICE_CLASS(klass);
+vcxc->parent_realize = dc->realize;
+dc->realize = amd_xgbe_realize;
+dc->desc = "VFIO AMD XGBE";
+dc->vmsd = _platform_amd_xgbe_vmstate;
+}
+
+static const TypeInfo vfio_amd_xgbe_dev_info = {
+.name = TYPE_VFIO_AMD_XGBE,
+.parent = TYPE_VFIO_PLATFORM,
+.instance_size = sizeof(VFIOAmdXgbeDevice),
+.class_init = vfio_amd_xgbe_class_init,
+.class_size = sizeof(VFIOAmdXgbeDeviceClass),
+};
+
+static void register_amd_xgbe_dev_type(void)
+{
+type_register_static(_amd_xgbe_dev_info);
+}
+
+type_init(register_amd_xgbe_dev_type)
diff --git a/include/hw/vfio/vfio-amd-xgbe.h b/include/hw/vfio/vfio-amd-xgbe.h
new file mode 100644
index 000..9fff65e
--- /dev/null
+++ b/include/hw/vfio/vfio-amd-xgbe.h
@@ -0,0 +1,51 @@
+/*
+ * VFIO AMD XGBE device
+ *
+ * Copyright Linaro Limited, 2015
+ *
+ * Authors:
+ *  Eric Auger 
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef HW_VFIO_VFIO_AMD_XGBE_H
+#define HW_VFIO_VFIO_AMD_XGBE_H
+
+#include "hw/vfio/vfio-platform.h"
+
+#define TYPE_VFIO_AMD_XGBE "vfio-amd-xgbe"
+
+/**
+ * This device exposes:
+ * - 5 MMIO regions: MAC, PCS, SerDes Rx/Tx regs,
+ SerDes Integration Registers 1/2 & 2/2
+ * - 2 level sensitive IRQs and optional DMA channel IRQs
+ */
+struct VFIOAmdXgbeDevice {
+VFIOPlatformDevice vdev;
+};
+
+typedef struct VFIOAmdXgbeDevice VFIOAmdXgbeDevice;
+
+struct VFIOAmdXgbeDeviceClass {
+/*< private >*/
+VFIOPlatformDeviceClass parent_class;
+/*< public >*/
+DeviceRealize parent_realize;
+};
+
+typedef struct VFIOAmdXgbeDeviceClass VFIOAmdXgbeDeviceClass;
+
+#define VFIO_AMD_XGBE_DEVICE(obj) \
+ OBJECT_CHECK(VFIOAmdXgbeDevice, (obj), TYPE_VFIO_AMD_XGBE)
+#define VFIO_AMD_XGBE_DEVICE_CLASS(klass) \
+ OBJECT_CLASS_CHECK(VFIOAmdXgbeDeviceClass, (klass), \
+TYPE_VFIO_AMD_XGBE)
+#define VFIO_AMD_XGBE_DEVICE_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(VFIOAmdXgbeDeviceClass, (obj), \
+  TYPE_VFIO_AMD_XGBE)
+
+#endif
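Review bot: The `/** ... */` block above `struct VFIOAmdXgbeDevice` has a continuation line (`SerDes Integration Registers 1/2 & 2/2`) without the leading ` * `, which breaks the comment layout and will confuse doc tooling. Listing the five MMIO regions one per line, each prefixed with ` *   - `, would fix the formatting and show how the names map to region indexes.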
-- 
1.9.1




Re: [Qemu-devel] [PATCH v3 10/11] igd: handle igd-passthrough-isa-bridge setup in realize()

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> That way a simple '-device igd-passthrough-isa-bridge,addr=1f' will
> do the setup.

Is this going to change the QEMU command line arguments to use it?


> Also instead of looking up reasonable PCI IDs based on the graphic
> device id simply copy over the ids from the host, thereby reusing the
> infrastructure we have in place for the igd host bridges.  Less code,
> and should be more robust as we don't have to maintain the id table
> to keep things going.
> 
> Signed-off-by: Gerd Hoffmann 
> ---
>  hw/pci-host/igd.c| 115 
> +--
>  hw/xen/xen_pt.c  |   2 +-
>  include/hw/i386/pc.h |   2 +-
>  3 files changed, 30 insertions(+), 89 deletions(-)
> 
> diff --git a/hw/pci-host/igd.c b/hw/pci-host/igd.c
> index 96b679d..8f32c39 100644
> --- a/hw/pci-host/igd.c
> +++ b/hw/pci-host/igd.c
> @@ -123,111 +123,52 @@ static const TypeInfo igd_passthrough_q35_info = {
>  .class_init= igd_passthrough_q35_class_init,
>  };
>  
> -typedef struct {
> -uint16_t gpu_device_id;
> -uint16_t pch_device_id;
> -uint8_t pch_revision_id;
> -} IGDDeviceIDInfo;
> -
> -/* In real world different GPU should have different PCH. But actually
> - * the different PCH DIDs likely map to different PCH SKUs. We do the
> - * same thing for the GPU. For PCH, the different SKUs are going to be
> - * all the same silicon design and implementation, just different
> - * features turn on and off with fuses. The SW interfaces should be
> - * consistent across all SKUs in a given family (eg LPT). But just same
> - * features may not be supported.
> - *
> - * Most of these different PCH features probably don't matter to the
> - * Gfx driver, but obviously any difference in display port connections
> - * will so it should be fine with any PCH in case of passthrough.
> - *
> - * So currently use one PCH version, 0x8c4e, to cover all HSW(Haswell)
> - * scenarios, 0x9cc3 for BDW(Broadwell).
> - */
> -static const IGDDeviceIDInfo igd_combo_id_infos[] = {
> -/* HSW Classic */
> -{0x0402, 0x8c4e, 0x04}, /* HSWGT1D, HSWD_w7 */
> -{0x0406, 0x8c4e, 0x04}, /* HSWGT1M, HSWM_w7 */
> -{0x0412, 0x8c4e, 0x04}, /* HSWGT2D, HSWD_w7 */
> -{0x0416, 0x8c4e, 0x04}, /* HSWGT2M, HSWM_w7 */
> -{0x041E, 0x8c4e, 0x04}, /* HSWGT15D, HSWD_w7 */
> -/* HSW ULT */
> -{0x0A06, 0x8c4e, 0x04}, /* HSWGT1UT, HSWM_w7 */
> -{0x0A16, 0x8c4e, 0x04}, /* HSWGT2UT, HSWM_w7 */
> -{0x0A26, 0x8c4e, 0x06}, /* HSWGT3UT, HSWM_w7 */
> -{0x0A2E, 0x8c4e, 0x04}, /* HSWGT3UT28W, HSWM_w7 */
> -{0x0A1E, 0x8c4e, 0x04}, /* HSWGT2UX, HSWM_w7 */
> -{0x0A0E, 0x8c4e, 0x04}, /* HSWGT1ULX, HSWM_w7 */
> -/* HSW CRW */
> -{0x0D26, 0x8c4e, 0x04}, /* HSWGT3CW, HSWM_w7 */
> -{0x0D22, 0x8c4e, 0x04}, /* HSWGT3CWDT, HSWD_w7 */
> -/* HSW Server */
> -{0x041A, 0x8c4e, 0x04}, /* HSWSVGT2, HSWD_w7 */
> -/* HSW SRVR */
> -{0x040A, 0x8c4e, 0x04}, /* HSWSVGT1, HSWD_w7 */
> -/* BSW */
> -{0x1606, 0x9cc3, 0x03}, /* BDWULTGT1, BDWM_w7 */
> -{0x1616, 0x9cc3, 0x03}, /* BDWULTGT2, BDWM_w7 */
> -{0x1626, 0x9cc3, 0x03}, /* BDWULTGT3, BDWM_w7 */
> -{0x160E, 0x9cc3, 0x03}, /* BDWULXGT1, BDWM_w7 */
> -{0x161E, 0x9cc3, 0x03}, /* BDWULXGT2, BDWM_w7 */
> -{0x1602, 0x9cc3, 0x03}, /* BDWHALOGT1, BDWM_w7 */
> -{0x1612, 0x9cc3, 0x03}, /* BDWHALOGT2, BDWM_w7 */
> -{0x1622, 0x9cc3, 0x03}, /* BDWHALOGT3, BDWM_w7 */
> -{0x162B, 0x9cc3, 0x03}, /* BDWHALO28W, BDWM_w7 */
> -{0x162A, 0x9cc3, 0x03}, /* BDWGT3WRKS, BDWM_w7 */
> -{0x162D, 0x9cc3, 0x03}, /* BDWGT3SRVR, BDWM_w7 */
> +static const IGDHostInfo igd_isa_bridge_infos[] = {
> +{PCI_VENDOR_ID,   2},
> +{PCI_DEVICE_ID,   2},
> +{PCI_REVISION_ID, 2},
> +{PCI_SUBSYSTEM_VENDOR_ID, 2},
> +{PCI_SUBSYSTEM_ID,2},
>  };
>  
> +static void igd_pt_isa_bridge_realize(PCIDevice *pci_dev, Error **errp)
> +{
> +Error *err = NULL;
> +
> +if (pci_dev->devfn != PCI_DEVFN(0x1f, 0)) {
> +error_setg(errp, "igd isa bridge must have address 1f.0");
> +return;
> +}
> +
> +host_pci_config_copy(pci_dev, ":00:1f.0",
> + igd_isa_bridge_infos,
> + ARRAY_SIZE(igd_isa_bridge_infos),
> + );
> +if (err != NULL) {
> +error_propagate(errp, err);
> +return;
> +}
> +}
> +
>  static void isa_bridge_class_init(ObjectClass *klass, void *data)
>  {
>  DeviceClass *dc = DEVICE_CLASS(klass);
>  PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
>  
>  dc->desc= "ISA bridge faked to support IGD PT";
> -k->vendor_id= PCI_VENDOR_ID_INTEL;
> +k->realize  = igd_pt_isa_bridge_realize;
>  k->class_id = PCI_CLASS_BRIDGE_ISA;
>  };
>  
>  static TypeInfo igd_passthrough_isa_bridge_info = {
>  .name  = "igd-passthrough-isa-bridge",
>  .parent= 

Re: [Qemu-devel] [PATCH v3 10/11] igd: handle igd-passthrough-isa-bridge setup in realize()

2016-01-06 Thread Gerd Hoffmann
On Mi, 2016-01-06 at 15:29 +, Stefano Stabellini wrote:
> On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> > That way a simple '-device igd-passthrough-isa-bridge,addr=1f' will
> > do the setup.
> 
> Is this going to change the QEMU command line arguments to use it?

See patch 11 ;)

cheers,
  Gerd




Re: [Qemu-devel] [PATCH v3 2/4] Add Error **errp for xen_pt_setup_vga()

2016-01-06 Thread Eric Blake
On 01/05/2016 07:39 PM, Cao jin wrote:
> To catch the error msg. Also modify the caller
> 
> Signed-off-by: Cao jin 
> Reviewed-by: Stefano Stabellini 
> ---
>  hw/xen/xen_pt.c  |  5 -
>  hw/xen/xen_pt.h  |  3 ++-
>  hw/xen/xen_pt_graphics.c | 11 ++-
>  3 files changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
> index 1bd4109..fbce55c 100644
> --- a/hw/xen/xen_pt.c
> +++ b/hw/xen/xen_pt.c
> @@ -807,7 +807,10 @@ static int xen_pt_initfn(PCIDevice *d)
>  return -1;
>  }
>  
> -if (xen_pt_setup_vga(s, >real_device) < 0) {
> +xen_pt_setup_vga(s, >real_device, _err);
> +if (local_err) {
> +error_append_hint(_err, "Setup VGA BIOS of passthrough"
> +" GFX failed!");

Please no '!' in error messages.  We aren't shouting at the user.

>  XEN_PT_ERR(d, "Setup VGA BIOS of passthrough GFX failed!\n");

Do we still need the XEN_PT_ERR() alongside setting the local error?

>  xen_host_pci_device_put(>real_device);
>  return -1;

This leaks local_err.


> @@ -172,13 +173,14 @@ int xen_pt_setup_vga(XenPCIPassthroughState *s, 
> XenHostPCIDevice *dev)
>  struct pci_data *pd = NULL;
>  
>  if (!is_igd_vga_passthrough(dev)) {
> -return -1;
> +error_setg(errp, "Need to enable igd-passthrough");
> +return;
>  }
>  
>  bios = get_vgabios(s, _size, dev);
>  if (!bios) {
> -XEN_PT_ERR(>dev, "VGA: Can't getting VBIOS!\n");
> -return -1;
> +error_setg(errp, "VGA: Can't getting VBIOS!");
> +return;

Please drop the trailing '!' while touching this

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH v2 6/7] hw/arm/sysbus-fdt: enable amd-xgbe dynamic instantiation

2016-01-06 Thread Eric Auger
This patch allows the instantiation of the vfio-amd-xgbe device
from the QEMU command line (-device vfio-amd-xgbe,host="").

The guest is exposed with a device tree node that combines the description
of both XGBE and PHY (representation supported from 4.2 onwards kernel):
Documentation/devicetree/bindings/net/amd-xgbe.txt.

There are 5 register regions, 6 interrupts including 4 optional
edge-sensitive per-channel interrupts.

Some property values are inherited from host device tree. Host device tree
must feature a combined XGBE/PHY representation (>= 4.2 host kernel).

2 clock nodes (dma and ptp) are also created. It is checked that those clocks
are fixed on the host side.

AMD XGBE node creation function has a dependency on vfio Linux header and
more generally node creation function for VFIO platform devices only make
sense with CONFIG_LINUX so let's protect this code with #ifdef CONFIG_LINUX.

Signed-off-by: Eric Auger 

---
v1 -> v2:
- add CONFIG_LINUX protection
- improves robustness in sysfs_to_dt_name
- output messages to end-user on misc failures and self-exits:
  error management becomes more violent than before assuming if
  the end-user wants passthrough we must exit if the device cannot
  be instantiated
- fix misc style issues
- remove qemu_fdt_setprop returned value check since it self-asserts

RFC -> v1:
- use qemu_fdt_getprop with Error **
- free substrings in sysfs_to_dt_name
- add some comments related to endianess in add_amd_xgbe_fdt_node
- reword commit message (dtc binary dependency has disappeared)
- check the host device has 5 regions meaning this is a combined
  XGBE/PHY device
---
 hw/arm/sysbus-fdt.c | 187 ++--
 1 file changed, 181 insertions(+), 6 deletions(-)

diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c
index a1cf57b..66fa766 100644
--- a/hw/arm/sysbus-fdt.c
+++ b/hw/arm/sysbus-fdt.c
@@ -22,6 +22,10 @@
  */
 
 #include 
+#include "qemu-common.h"
+#ifdef CONFIG_LINUX
+#include 
+#endif
 #include "hw/arm/sysbus-fdt.h"
 #include "qemu/error-report.h"
 #include "sysemu/device_tree.h"
@@ -29,6 +33,7 @@
 #include "sysemu/sysemu.h"
 #include "hw/vfio/vfio-platform.h"
 #include "hw/vfio/vfio-calxeda-xgmac.h"
+#include "hw/vfio/vfio-amd-xgbe.h"
 #include "hw/arm/fdt.h"
 
 /*
@@ -64,6 +69,8 @@ typedef struct HostProperty {
 bool optional;
 } HostProperty;
 
+#ifdef CONFIG_LINUX
+
 /**
  * inherit_properties
  *
@@ -126,12 +133,9 @@ static HostProperty clock_inherited_properties[] = {
  * @host_phandle: phandle of the clock in host device tree
  * @guest_phandle: phandle to assign to the guest node
  */
-void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
- uint32_t host_phandle,
- uint32_t guest_phandle);
-void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
- uint32_t host_phandle,
- uint32_t guest_phandle)
+static void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
+uint32_t host_phandle,
+uint32_t guest_phandle)
 {
 char *node_path = NULL;
 char *nodename;
@@ -176,6 +180,28 @@ void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
 g_free(node_path);
 }
 
+/**
+ * sysfs_to_dt_name: convert the name found in sysfs into the node name
+ * for instance e090.xgmac is converted into xgmac@e090
+ * @sysfs_name: directory name in sysfs
+ *
+ * returns the device tree name upon success or NULL in case the sysfs name
+ * does not match the expected format
+ */
+static char *sysfs_to_dt_name(const char *sysfs_name)
+{
+gchar **substrings =  g_strsplit(sysfs_name, ".", 2);
+char *dt_name = NULL;
+
+if (!substrings || !substrings[1] || !substrings[0]) {
+goto out;
+}
+dt_name = g_strdup_printf("%s@%s", substrings[1], substrings[0]);
+out:
+g_strfreev(substrings);
+return dt_name;
+}
+
 /* Device Specific Code */
 
 /**
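Review bot: In `sysfs_to_dt_name` the guard reads `substrings[1]` before `substrings[0]`; g_strsplit() returns a vector holding only the NULL terminator when given an empty string, so for an empty sysfs name `substrings[1]` is read one slot past the end of the array. Test the elements in order: `if (!substrings || !substrings[0] || !substrings[1]) {`. A name with an empty half (nothing before or nothing after the dot) still passes and produces a node name with an empty component, so if the format is meant to be validated, also reject `!*substrings[0]` and `!*substrings[1]`. The doc comment should also say that the returned string is allocated and must be released by the caller with g_free().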
@@ -243,9 +269,158 @@ fail_reg:
 return ret;
 }
 
+
+/* AMD xgbe properties whose values are copied/pasted from host */
+static HostProperty amd_xgbe_inherited_properties[] = {
+{"compatible", false},
+{"dma-coherent", true},
+{"amd,per-channel-interrupt", true},
+{"phy-mode", false},
+{"mac-address", true},
+{"amd,speed-set", false},
+{"amd,serdes-blwc", true},
+{"amd,serdes-cdr-rate", true},
+{"amd,serdes-pq-skew", true},
+{"amd,serdes-tx-amp", true},
+{"amd,serdes-dfe-tap-config", true},
+{"amd,serdes-dfe-tap-enable", true},
+{"clock-names", false},
+};
+
+/**
+ * add_amd_xgbe_fdt_node
+ *
+ * Generates the combined xgbe/phy node following kernel >=4.2
+ * binding documentation:
+ * Documentation/devicetree/bindings/net/amd-xgbe.txt:
+ * Also 2 clock nodes are created (dma and ptp)
+ */
+static int add_amd_xgbe_fdt_node(SysBusDevice *sbdev, void *opaque)
+{
+PlatformBusFDTData *data = opaque;
+

[Qemu-devel] [PATCH v2 7/7] hw/arm/sysbus-fdt: remove qemu_fdt_setprop returned value check

2016-01-06 Thread Eric Auger
qemu_fdt_setprop self-exits in case of error, hence there is no need to
check the returned value.

Signed-off-by: Eric Auger 
---
 hw/arm/sysbus-fdt.c | 15 +++
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c
index 66fa766..68d7e53 100644
--- a/hw/arm/sysbus-fdt.c
+++ b/hw/arm/sysbus-fdt.c
@@ -241,12 +241,8 @@ static int add_calxeda_midway_xgmac_fdt_node(SysBusDevice 
*sbdev, void *opaque)
 reg_attr[2 * i + 1] = cpu_to_be32(
 memory_region_size(>regions[i]->mem));
 }
-ret = qemu_fdt_setprop(fdt, nodename, "reg", reg_attr,
-   vbasedev->num_regions * 2 * sizeof(uint32_t));
-if (ret) {
-error_report("could not set reg property of node %s", nodename);
-goto fail_reg;
-}
+qemu_fdt_setprop(fdt, nodename, "reg", reg_attr,
+ vbasedev->num_regions * 2 * sizeof(uint32_t));
 
 irq_attr = g_new(uint32_t, vbasedev->num_irqs * 3);
 for (i = 0; i < vbasedev->num_irqs; i++) {
@@ -256,14 +252,9 @@ static int add_calxeda_midway_xgmac_fdt_node(SysBusDevice 
*sbdev, void *opaque)
 irq_attr[3 * i + 1] = cpu_to_be32(irq_number);
 irq_attr[3 * i + 2] = cpu_to_be32(GIC_FDT_IRQ_FLAGS_LEVEL_HI);
 }
-ret = qemu_fdt_setprop(fdt, nodename, "interrupts",
+qemu_fdt_setprop(fdt, nodename, "interrupts",
  irq_attr, vbasedev->num_irqs * 3 * sizeof(uint32_t));
-if (ret) {
-error_report("could not set interrupts property of node %s",
- nodename);
-}
 g_free(irq_attr);
-fail_reg:
 g_free(reg_attr);
 g_free(nodename);
 return ret;
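Review bot: `return ret;` at the end of this hunk is left as the only visible use of `ret`, and neither hunk assigns it any more, so the function now returns whatever the declaration outside these hunks initialised it to. If that initialiser is an error value every call reports failure, and if there is none the result is indeterminate. Since both failure paths are gone, end the function with `return 0;` and drop `ret` unless something earlier in the body, which starts outside the hunks, still sets it.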
-- 
1.9.1




Re: [Qemu-devel] could i using qemu-img covert && rebase -u to do qcow2 rollback?

2016-01-06 Thread Max Reitz
On 05.01.2016 04:52, Huan Zhang wrote:
> Hi Max,
> "rollback" means revert user data to snap1 state, and for some reason,
> we want to
> keep snap2 and  'rollbacked' qocw2 file in a single backing file chain.
> After rollback, looks like:
> snap0.qcow2 -> snap1.qcow2 ->snap2.qcow2 -> rollbacked-snap1.qcow2
>  
> In my immature opinion,
> 'qemu-img convert -O qcow2 snap1.qcow2 rollback.qcow2' get snap1 sate data,
> 'qemu-img rebase -u -b snap2.qcow2 rollback.qcow2' just changes
> rollback.qcow2 backing file to snap2.qcow2,
> will NOT change the data from user perspective(data reading from backing
> file (snap2.qcow2 e.g.) which not in rollback.qcow2 is meaningless to user].
> Is that right?

OK. The problem with this is that qemu-img convert will not write
unallocated clusters. For instance, assume we have the following
configuration:

# An empty snap0.qcow2
$ qemu-img create -f qcow2 snap0.qcow2 64M

# snap1.qcow2 contains some 64k data block at offset 0
$ qemu-img create -f qcow2 -b snap0.qcow2 -F qcow2 snap1.qcow2
$ qemu-io -c 'write -P 1 0 64k' snap1.qcow2

# snap2.qcow2 contains some other 64k data block at offset 64k
$ qemu-img create -f qcow2 -b snap1.qcow2 -F qcow2 snap2.qcow2
$ qemu-io -c 'write -P 2 64k 64k' snap2.qcow2

# Now you want to rollback to snap1
$ qemu-img convert -O qcow2 snap1.qcow2 rollback.qcow2
$ qemu-img rebase -u -b snap2.qcow2 rollback.qcow2

# Now let's compare snap1.qcow2 and rollback.qcow2
$ qemu-img compare snap1.qcow2 rollback.qcow2
Content mismatch at offset 65536!

So what went wrong? qemu-img convert does not write unallocated sectors
to the output; therefore, the block starting from offset 64k is
unallocated in rollback.qcow2 (just as it is in snap1.qcow2), however,
in rollback.qcow2, this will not return 0, but whatever is in
snap2.qcow2 (which snap1.qcow2 does not have as a backing file).
Therefore, when read from snap1.qcow2, that range is 0; but from
rollback.qcow2, it returns 2s (what we wrote to snap2.qcow2).

How to fix it? Drop the -u for rebase. However, qemu-img will not let us
do this because without -u it wants the image to have a backing file
already.

So let's make rollback.qcow2's backing file snap0.qcow2 (the backing
file snap1.qcow2 has):

$ qemu-img convert -O qcow2 \
-o backing_file=snap0.qcow2,backing_fmt=qcow2 \
snap1.qcow2 rollback.qcow2

(So in the general case, the backing_file option should be set to
whatever backing file snap1.qcow2 has.)

Alternatively, since you will actually be doing a rebase after this, you
can also simply do:

$ cp snap1.qcow2 rollback.qcow2

Whatever you choose (the second may actually be the better choice), the
rebase can be done using:

$ qemu-img rebase -b snap2.qcow2 -F qcow2 rollback.qcow2

Now let's check:

$ qemu-img compare snap1.qcow2 rollback.qcow2
Images are identical.

That looks better!


So, conclusion, the following will probably generally do:

$ cp snap1.qcow2 rollback.qcow2
$ qemu-img rebase -b snap2.qcow2 -F qcow2 rollback.qcow2

Where snap1.qcow2 is the state you want to roll back to, and snap2.qcow2
is the last image you want to be in the backing chain under rollback.qcow2.


Hope that helps (and that I'm actually correct),

Max





Re: [Qemu-devel] [PATCH] hw/dma/xilinx_axidma: remove dead code

2016-01-06 Thread Eric Blake
On 01/06/2016 05:53 AM, Andrew Jones wrote:
> stream_desc_show() (and DEBUG_ENET) appear to be unused, as the
> function isn't compilable (there are broken PRI format strings).
> 
> Signed-off-by: Andrew Jones 
> ---
>  hw/dma/xilinx_axidma.c | 10 --
>  1 file changed, 10 deletions(-)

Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v3 4/4] Xen PCI passthru: convert to realize()

2016-01-06 Thread Eric Blake
On 01/05/2016 07:39 PM, Cao jin wrote:
> Signed-off-by: Cao jin 
> Reviewed-by: Stefano Stabellini 
> ---
>  hw/xen/xen_pt.c | 53 -
>  1 file changed, 28 insertions(+), 25 deletions(-)
> 

> @@ -801,19 +801,19 @@ static int xen_pt_initfn(PCIDevice *d)
>  if ((s->real_device.domain == 0) && (s->real_device.bus == 0) &&
>  (s->real_device.dev == 2) && (s->real_device.func == 0)) {
>  if (!is_igd_vga_passthrough(>real_device)) {
> -XEN_PT_ERR(d, "Need to enable igd-passthru if you're trying"
> -   " to passthrough IGD GFX.\n");
> +error_setg(errp, "Need to enable igd-passthru if you're trying"
> +" to passthrough IGD GFX.");

No trailing '.' in error_setg() messages.


> @@ -827,27 +827,26 @@ static int xen_pt_initfn(PCIDevice *d)
>  xen_pt_config_init(s, _err);
>  if (local_err) {
>  error_append_hint(_err, "PCI Config space initialisation 
> failed");
> -rc = -1;
> +error_propagate(errp, local_err);
>  goto err_out;
>  }

Looks like this fixes a memory leak in an earlier patch; maybe you need
to shuffle hunks around?

>  
>  /* Bind interrupt */
>  rc = xen_host_pci_get_byte(>real_device, PCI_INTERRUPT_PIN, );
>  if (rc) {
> -XEN_PT_ERR(d, "Failed to read PCI_INTERRUPT_PIN! (rc:%d)\n", rc);
> +error_setg_errno(errp, errno, "Failed to read PCI_INTERRUPT_PIN!");
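Review bot: `error_setg_errno(errp, errno, ...)` reports `errno`, whereas the line it replaces printed `rc`, the value returned by xen_host_pci_get_byte(). Unless that helper is guaranteed to leave errno set on failure, which these hunks do not show, the message can carry a stale or zero code. If `rc` is a negative errno value, pass `-rc` as the second argument instead. The same applies to the PCI_COMMAND read in the `@@ -891,14 +890,14 @@` hunk; the function body continues outside both hunks.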

No trailing '!'


> @@ -891,14 +890,14 @@ out:
>  
>  rc = xen_host_pci_get_word(>real_device, PCI_COMMAND, );
>  if (rc) {
> -XEN_PT_ERR(d, "Failed to read PCI_COMMAND! (rc: %d)\n", rc);
> +error_setg_errno(errp, errno, "Failed to read PCI_COMMAND!");

and again


> @@ -911,12 +910,16 @@ out:
> "Real physical device %02x:%02x.%d registered 
> successfully!\n",
> s->hostaddr.bus, s->hostaddr.slot, s->hostaddr.function);
>  
> -return 0;
> +return;
>  
>  err_out:
> +for (i = 0; i < PCI_ROM_SLOT; i++) {
> +object_unparent(OBJECT(>bar[i]));
> +}
> +object_unparent(OBJECT(>rom));
> +
>  xen_pt_destroy(d);
>  assert(rc);
> -return rc;

Is the assertion still needed?

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v3 06/11] igd: use defines for standard pci config space offsets

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann 

Reviewed-by: Stefano Stabellini 


>  hw/pci-host/igd.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/pci-host/igd.c b/hw/pci-host/igd.c
> index 6f52ab1..0784128 100644
> --- a/hw/pci-host/igd.c
> +++ b/hw/pci-host/igd.c
> @@ -10,9 +10,9 @@ typedef struct {
>  
>  /* Here we just expose minimal host bridge offset subset. */
>  static const IGDHostInfo igd_host_bridge_infos[] = {
> -{0x08, 2},  /* revision id */
> -{0x2c, 2},  /* sybsystem vendor id */
> -{0x2e, 2},  /* sybsystem id */
> +{PCI_REVISION_ID, 2},
> +{PCI_SUBSYSTEM_VENDOR_ID, 2},
> +{PCI_SUBSYSTEM_ID,2},
>  {0x50, 2},  /* SNB: processor graphics control register */
>  {0x52, 2},  /* processor graphics control register */
>  {0xa4, 4},  /* SNB: graphics base of stolen memory */
> -- 
> 1.8.3.1
> 



[Qemu-devel] [PATCH] i2c-tiny-usb: add new usb to i2c bridge

2016-01-06 Thread Tim Sander
Version 4 with improvements suggested by Gerd Hoffmann:

Signed-off-by: Tim Sander 

i2c-tiny-usb is a small usb to i2c bridge:
 http://www.harbaum.org/till/i2c_tiny_usb/index.shtml

It is pretty simple and has no usb endpoints just a control.
Reasons for adding this device:
* Linux device driver available
* adding an additional i2c bus via command line e.g.
  -device usb-i2c-tiny,id=i2c-0 -device tmp105,bus=i2c,address=0x50
---
 default-configs/usb.mak |   1 +
 hw/usb/Makefile.objs|   1 +
 hw/usb/dev-i2c-tiny.c   | 320 
 trace-events|  11 ++
 4 files changed, 333 insertions(+)
 create mode 100644 hw/usb/dev-i2c-tiny.c

diff --git a/default-configs/usb.mak b/default-configs/usb.mak
index f4b8568..01d2c9f 100644
--- a/default-configs/usb.mak
+++ b/default-configs/usb.mak
@@ -8,3 +8,4 @@ CONFIG_USB_AUDIO=y
 CONFIG_USB_SERIAL=y
 CONFIG_USB_NETWORK=y
 CONFIG_USB_BLUETOOTH=y
+CONFIG_USB_I2C_TINY=y
diff --git a/hw/usb/Makefile.objs b/hw/usb/Makefile.objs
index 8f00fbd..3a4c337 100644
--- a/hw/usb/Makefile.objs
+++ b/hw/usb/Makefile.objs
@@ -20,6 +20,7 @@ common-obj-$(CONFIG_USB_AUDIO)+= dev-audio.o
 common-obj-$(CONFIG_USB_SERIAL)   += dev-serial.o
 common-obj-$(CONFIG_USB_NETWORK)  += dev-network.o
 common-obj-$(CONFIG_USB_BLUETOOTH)+= dev-bluetooth.o
+common-obj-$(CONFIG_USB_I2C_TINY) += dev-i2c-tiny.o
 
 ifeq ($(CONFIG_USB_SMARTCARD),y)
 common-obj-y  += dev-smartcard-reader.o
diff --git a/hw/usb/dev-i2c-tiny.c b/hw/usb/dev-i2c-tiny.c
new file mode 100644
index 000..c28d7a5
--- /dev/null
+++ b/hw/usb/dev-i2c-tiny.c
@@ -0,0 +1,320 @@
+/*
+ * I2C tiny usb device emulation
+ *
+ * i2c-tiny-usb is a small usb to i2c bridge:
+ *
+ * http://www.harbaum.org/till/i2c_tiny_usb/index.shtml
+ *
+ * The simulated device is pretty simple and has no usb endpoints.
+ * There is a Linux device driver available named i2c-tiny-usb.
+ *
+ * Below is an example how to use this device from command line:
+ *  -device usb-i2c-tiny,id=i2c-0 -device tmp105,bus=i2c,address=0x50
+ *
+ * Copyright (c) 2015 Tim Sander 
+ *
+ * Loosly based on usb dev-serial.c:
+ * Copyright (c) 2006 CodeSourcery.
+ * Copyright (c) 2008 Samuel Thibault 
+ * Written by Paul Brook, reused for FTDI by Samuel Thibault
+ *
+ * This code is licensed under the LGPL.
+ *
+ */
+
+#include "trace.h"
+#include "qemu-common.h"
+#include "qemu/error-report.h"
+#include "hw/usb.h"
+#include "hw/usb/desc.h"
+#include "hw/i2c/i2c.h"
+#include "hw/i2c/smbus.h"
+#include "sysemu/char.h"
+#include "endian.h"
+
+/* commands from USB, must e.g. match command ids in kernel driver */
+#define CMD_ECHO   0
+#define CMD_GET_FUNC   1
+#define CMD_SET_DELAY  2
+#define CMD_GET_STATUS 3
+
+/* To determine what functionality is present */
+#define I2C_FUNC_I2C0x0001
+#define I2C_FUNC_10BIT_ADDR 0x0002
+#define I2C_FUNC_PROTOCOL_MANGLING  0x0004
+#define I2C_FUNC_SMBUS_HWPEC_CALC   0x0008 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_READ_WORD_DATA_PEC   0x0800 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_WRITE_WORD_DATA_PEC  0x1000 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_PROC_CALL_PEC0x2000 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_BLOCK_PROC_CALL_PEC  0x4000 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_BLOCK_PROC_CALL  0x8000 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_QUICK0x0001
+#define I2C_FUNC_SMBUS_READ_BYTE0x0002
+#define I2C_FUNC_SMBUS_WRITE_BYTE   0x0004
+#define I2C_FUNC_SMBUS_READ_BYTE_DATA   0x0008
+#define I2C_FUNC_SMBUS_WRITE_BYTE_DATA  0x0010
+#define I2C_FUNC_SMBUS_READ_WORD_DATA   0x0020
+#define I2C_FUNC_SMBUS_WRITE_WORD_DATA  0x0040
+#define I2C_FUNC_SMBUS_PROC_CALL0x0080
+#define I2C_FUNC_SMBUS_READ_BLOCK_DATA  0x0100
+#define I2C_FUNC_SMBUS_WRITE_BLOCK_DATA 0x0200
+#define I2C_FUNC_SMBUS_READ_I2C_BLOCK   0x0400 /*I2C-like blk-xfr 
*/
+#define I2C_FUNC_SMBUS_WRITE_I2C_BLOCK  0x0800 /*1-byte reg. 
addr.*/
+#define I2C_FUNC_SMBUS_READ_I2C_BLOCK_2 0x1000 /*I2C-like 
blk-xfer*/
+#define I2C_FUNC_SMBUS_WRITE_I2C_BLOCK_20x2000 /* w/ 2-byte 
regadr*/
+#define I2C_FUNC_SMBUS_READ_BLOCK_DATA_PEC  0x4000 /* SMBus 2.0 */
+#define I2C_FUNC_SMBUS_WRITE_BLOCK_DATA_PEC 0x8000 /* SMBus 2.0 */
+
+#define I2C_FUNC_SMBUS_BYTE (I2C_FUNC_SMBUS_READ_BYTE | \
+I2C_FUNC_SMBUS_WRITE_BYTE)
+#define I2C_FUNC_SMBUS_BYTE_DATA (I2C_FUNC_SMBUS_READ_BYTE_DATA | \
+I2C_FUNC_SMBUS_WRITE_BYTE_DATA)
+#define I2C_FUNC_SMBUS_WORD_DATA (I2C_FUNC_SMBUS_READ_WORD_DATA | \
+I2C_FUNC_SMBUS_WRITE_WORD_DATA)
+#define I2C_FUNC_SMBUS_BLOCK_DATA (I2C_FUNC_SMBUS_READ_BLOCK_DATA | 

[Qemu-devel] [RFC] util: Fix QEMU_LD_PREFIX endless loop

2016-01-06 Thread Wei-Bo, Chen
Detailed bug report at the following URL:
https://bugs.launchpad.net/qemu/+bug/1245703

Remove is_dir_maybe macro condition DT_LNK in util/path.c

Signed-off-by: Wei-Bo, Chen 
---
 util/path.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/path.c b/util/path.c
index 4e4877e..b99e436 100644
--- a/util/path.c
+++ b/util/path.c
@@ -58,7 +58,7 @@ static struct pathelem *new_entry(const char *root,
 #if defined(DT_DIR) && defined(DT_UNKNOWN) && defined(DT_LNK)
 # define dirent_type(dirent) ((dirent)->d_type)
 # define is_dir_maybe(type) \
-((type) == DT_DIR || (type) == DT_UNKNOWN || (type) == DT_LNK)
+((type) == DT_DIR || (type) == DT_UNKNOWN)
 #else
 # define dirent_type(dirent) (1)
 # define is_dir_maybe(type)  (type)
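Review bot: Dropping `DT_LNK` from `is_dir_maybe` makes every symlink count as a non-directory, not only a cyclic one, so a directory reached through a symlink under the prefix would presumably no longer be scanned; whether callers rely on that is not visible in this hunk. If the intent is only to stop symlink loops, record it above the macro, e.g. `/* symlinks are not followed: a link pointing back into the tree made the scan recurse without end */`, or bound the recursion depth instead. The `#if` guard still requires `defined(DT_LNK)` although the macro no longer uses it; `#if defined(DT_DIR) && defined(DT_UNKNOWN)` would match the new body.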
-- 
2.5.0




[Qemu-devel] [PATCH] hw/arm/virt: Initialize NICs configured in PCI bus

2016-01-06 Thread Ashok Kumar
virtio model is used for default case.

Signed-off-by: Ashok Kumar 
---
 hw/arm/virt.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index acc1fcb..fd52b76 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -808,6 +808,7 @@ static void create_pcie(const VirtBoardInfo *vbi, qemu_irq 
*pic,
 DeviceState *dev;
 char *nodename;
 int i;
+PCIHostState *pci;
 
 dev = qdev_create(NULL, TYPE_GPEX_HOST);
 qdev_init_nofail(dev);
@@ -847,6 +848,19 @@ static void create_pcie(const VirtBoardInfo *vbi, qemu_irq 
*pic,
 sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
 }
 
+pci = PCI_HOST_BRIDGE(dev);
+if (pci->bus) {
+for (i = 0; i < nb_nics; i++) {
+NICInfo *nd = _table[i];
+
+if (!nd->model) {
+nd->model = g_strdup("virtio");
+}
+
+pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
+}
+}
+
 nodename = g_strdup_printf("/pcie@%" PRIx64, base);
 qemu_fdt_add_subnode(vbi->fdt, nodename);
 qemu_fdt_setprop_string(vbi->fdt, nodename,
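Review bot: The block `if (!nd->model) { nd->model = g_strdup("virtio"); }` writes into the global NIC table only to supply a default, and the call then passes `nd->model` in the position where pci_nic_init_nofail() takes its default model. If that helper already falls back to its default-model argument when `nd->model` is unset, as I believe it does, the explicit assignment is redundant and the loop body reduces to `pci_nic_init_nofail(nd, pci->bus, "virtio", NULL);`. A one-line comment saying why virtio is the default for this board would also help; the commit message is the only place that says so. create_pcie() starts and ends outside this hunk.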
-- 
2.1.0




Re: [Qemu-devel] qcow2 snapshot + resize

2016-01-06 Thread Eric Blake
On 01/05/2016 07:50 PM, lihuiba wrote:
> At 2016-01-05 21:55:56, "Eric Blake"  wrote:
>> On 01/05/2016 05:10 AM, lihuiba wrote:
>>
> In our production environment, we need to extend a qcow2 image with
> snapshots in it.
>>
 The thing is that one would need to update all the inactive L1 tables. I
 don't think it should be too difficult, it's just that apparently so far
 nobody ever had the need for this feature.
>>
>> Is resizing a snapshot really what you want?  Ideally, a snapshot tracks
>> the data from a point in time, including the metadata of the size being
>> tracked at that time.  Extending the snapshots then reverting to that
>> snapshot means your guest would see a larger disk on revert than it did
>> at the time the snapshot was created, which guests might not handle very
>> well.
> I want to make resizing (extending only) and snapshot independent to each 
> other,otherwise going back and forth in snapshots may cause the disk shrinked 
> and extended. That would introduce some technical trouble, and possibly 
> confuse user as well.

If I take a snapshot while the guest sees a 1G disk, then resize the
disk to 2G, then roll back to the point in time of the snapshot, I'd
expect the disk to roll back to 1G in size.  Anything else is likely to
confuse the guest.  And that's what current resize support already does
(it only resizes the active image, not the snapshots).

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH 3/6] nvdimm acpi: introduce patched dsm memory

2016-01-06 Thread Igor Mammedov
On Tue,  5 Jan 2016 02:52:05 +0800
Xiao Guangrong  wrote:

> The dsm memory is used to save the input parameters and store
> the dsm result which is filled by QEMU.
> 
> The address of dsm memory is decided by bios and patched into
> int64 object returned by "MEMA" method
> 
> Signed-off-by: Xiao Guangrong 
> ---
>  hw/acpi/aml-build.c | 12 
>  hw/acpi/nvdimm.c| 24 ++--
>  include/hw/acpi/aml-build.h |  1 +
>  3 files changed, 35 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
> index 78e1290..83eadb3 100644
> --- a/hw/acpi/aml-build.c
> +++ b/hw/acpi/aml-build.c
> @@ -394,6 +394,18 @@ Aml *aml_int(const uint64_t val)
>  }
>  
>  /*
> + * ACPI 1.0b: 16.2.3 Data Objects Encoding:
> + * encode: QWordConst
> + */
> +Aml *aml_int64(const uint64_t val)
> +{
> +Aml *var = aml_alloc();
> +build_append_byte(var->buf, 0x0E); /* QWordPrefix */
> +build_append_int_noprefix(var->buf, val, 8);
> +return var;
> +}
> +
> +/*
>   * helper to construct NameString, which returns Aml object
>   * for using with aml_append or other aml_* terms
>   */
> diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
> index bc7cd8f..a72104c 100644
> --- a/hw/acpi/nvdimm.c
> +++ b/hw/acpi/nvdimm.c
> @@ -28,6 +28,7 @@
>  
>  #include "hw/acpi/acpi.h"
>  #include "hw/acpi/aml-build.h"
> +#include "hw/acpi/bios-linker-loader.h"
>  #include "hw/nvram/fw_cfg.h"
>  #include "hw/mem/nvdimm.h"
>  
> @@ -402,7 +403,8 @@ void nvdimm_init_acpi_state(AcpiNVDIMMState *state, 
> MemoryRegion *io,
>  state->dsm_mem->len);
>  }
>  
> -#define NVDIMM_COMMON_DSM  "NCAL"
> +#define NVDIMM_GET_DSM_MEM  "MEMA"
> +#define NVDIMM_COMMON_DSM   "NCAL"
>  
>  static void nvdimm_build_common_dsm(Aml *dev)
>  {
> @@ -468,7 +470,8 @@ static void nvdimm_build_ssdt(GSList *device_list, GArray 
> *table_offsets,
>GArray *table_data, GArray *linker,
>uint8_t revision)
>  {
> -Aml *ssdt, *sb_scope, *dev;
> +Aml *ssdt, *sb_scope, *dev, *method;
> +int offset;
>  
>  acpi_add_table(table_offsets, table_data);
>  
> @@ -499,9 +502,26 @@ static void nvdimm_build_ssdt(GSList *device_list, 
> GArray *table_offsets,
>  
>  aml_append(sb_scope, dev);
>  
> +/*
> + * leave it at the end of ssdt so that we can conveniently get the
> + * offset of int64 object returned by the function which will be
> + * patched with the real address of the dsm memory by BIOS.
> + */
> +method = aml_method(NVDIMM_GET_DSM_MEM, 0, AML_NOTSERIALIZED);
> +aml_append(method, aml_return(aml_int64(0x0)));
there is no need in dedicated aml_int64(), you can use aml_int(0x64) 
trick

> +aml_append(sb_scope, method);
>  aml_append(ssdt, sb_scope);
>  /* copy AML table into ACPI tables blob and patch header there */
>  g_array_append_vals(table_data, ssdt->buf->data, ssdt->buf->len);
> +
> +offset = table_data->len - 8;
> +
> +bios_linker_loader_alloc(linker, NVDIMM_DSM_MEM_FILE, TARGET_PAGE_SIZE,
> + false /* high memory */);
> +bios_linker_loader_add_pointer(linker, ACPI_BUILD_TABLE_FILE,
> +   NVDIMM_DSM_MEM_FILE, table_data,
> +   table_data->data + offset,
> +   sizeof(uint64_t));
this offset magic will break badly as soon as someone add something
to the end of SSDT.


>  build_header(linker, table_data,
>  (void *)(table_data->data + table_data->len - ssdt->buf->len),
>  "SSDT", ssdt->buf->len, revision, "NVDIMM");
> diff --git a/include/hw/acpi/aml-build.h b/include/hw/acpi/aml-build.h
> index ef44d02..b4726a4 100644
> --- a/include/hw/acpi/aml-build.h
> +++ b/include/hw/acpi/aml-build.h
> @@ -246,6 +246,7 @@ Aml *aml_name(const char *name_format, ...) 
> GCC_FMT_ATTR(1, 2);
>  Aml *aml_name_decl(const char *name, Aml *val);
>  Aml *aml_return(Aml *val);
>  Aml *aml_int(const uint64_t val);
> +Aml *aml_int64(const uint64_t val);
>  Aml *aml_arg(int pos);
>  Aml *aml_to_integer(Aml *arg);
>  Aml *aml_to_hexstring(Aml *src, Aml *dst);




Re: [Qemu-devel] [PATCH 3/6] nvdimm acpi: introduce patched dsm memory

2016-01-06 Thread Xiao Guangrong



On 01/06/2016 11:23 PM, Igor Mammedov wrote:

On Tue,  5 Jan 2016 02:52:05 +0800
Xiao Guangrong  wrote:


The dsm memory is used to save the input parameters and store
the dsm result which is filled by QEMU.

The address of dsm memory is decided by bios and patched into
int64 object returned by "MEMA" method

Signed-off-by: Xiao Guangrong 
---
  hw/acpi/aml-build.c | 12 
  hw/acpi/nvdimm.c| 24 ++--
  include/hw/acpi/aml-build.h |  1 +
  3 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index 78e1290..83eadb3 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -394,6 +394,18 @@ Aml *aml_int(const uint64_t val)
  }

  /*
+ * ACPI 1.0b: 16.2.3 Data Objects Encoding:
+ * encode: QWordConst
+ */
+Aml *aml_int64(const uint64_t val)
+{
+Aml *var = aml_alloc();
+build_append_byte(var->buf, 0x0E); /* QWordPrefix */
+build_append_int_noprefix(var->buf, val, 8);
+return var;
+}
+
+/*
   * helper to construct NameString, which returns Aml object
   * for using with aml_append or other aml_* terms
   */
diff --git a/hw/acpi/nvdimm.c b/hw/acpi/nvdimm.c
index bc7cd8f..a72104c 100644
--- a/hw/acpi/nvdimm.c
+++ b/hw/acpi/nvdimm.c
@@ -28,6 +28,7 @@

  #include "hw/acpi/acpi.h"
  #include "hw/acpi/aml-build.h"
+#include "hw/acpi/bios-linker-loader.h"
  #include "hw/nvram/fw_cfg.h"
  #include "hw/mem/nvdimm.h"

@@ -402,7 +403,8 @@ void nvdimm_init_acpi_state(AcpiNVDIMMState *state, 
MemoryRegion *io,
  state->dsm_mem->len);
  }

-#define NVDIMM_COMMON_DSM  "NCAL"
+#define NVDIMM_GET_DSM_MEM  "MEMA"
+#define NVDIMM_COMMON_DSM   "NCAL"

  static void nvdimm_build_common_dsm(Aml *dev)
  {
@@ -468,7 +470,8 @@ static void nvdimm_build_ssdt(GSList *device_list, GArray 
*table_offsets,
GArray *table_data, GArray *linker,
uint8_t revision)
  {
-Aml *ssdt, *sb_scope, *dev;
+Aml *ssdt, *sb_scope, *dev, *method;
+int offset;

  acpi_add_table(table_offsets, table_data);

@@ -499,9 +502,26 @@ static void nvdimm_build_ssdt(GSList *device_list, GArray 
*table_offsets,

  aml_append(sb_scope, dev);

+/*
+ * leave it at the end of ssdt so that we can conveniently get the
+ * offset of int64 object returned by the function which will be
+ * patched with the real address of the dsm memory by BIOS.
+ */
+method = aml_method(NVDIMM_GET_DSM_MEM, 0, AML_NOTSERIALIZED);
+aml_append(method, aml_return(aml_int64(0x0)));

there is no need in dedicated aml_int64(), you can use aml_int(0x64) 
trick


We can not do this due to the trick in  bios_linker_loader_add_pointer() which 
will
issue a COMMAND_ADD_POINTER to BIOS, however, this request does:
/*
 * COMMAND_ADD_POINTER - patch the table (originating from
 * @dest_file) at @pointer.offset, by adding a pointer to the table
 * originating from @src_file. 1,2,4 or 8 byte unsigned
 * addition is used depending on @pointer.size.
 */

that means the new-offset = old-offset + the address of the new table allocated 
by BIOS.

So we expect 0 offset here.




+aml_append(sb_scope, method);
  aml_append(ssdt, sb_scope);
  /* copy AML table into ACPI tables blob and patch header there */
  g_array_append_vals(table_data, ssdt->buf->data, ssdt->buf->len);
+
+offset = table_data->len - 8;
+
+bios_linker_loader_alloc(linker, NVDIMM_DSM_MEM_FILE, TARGET_PAGE_SIZE,
+ false /* high memory */);
+bios_linker_loader_add_pointer(linker, ACPI_BUILD_TABLE_FILE,
+   NVDIMM_DSM_MEM_FILE, table_data,
+   table_data->data + offset,
+   sizeof(uint64_t));
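Review bot: `offset = table_data->len - 8;` hard-codes the width that the `bios_linker_loader_add_pointer()` call just below spells as `sizeof(uint64_t)`, and it stores an unsigned array length in an `int`. Since firmware writes an address at exactly that location, the patched position and the patch size should come from one expression so they cannot drift apart: `unsigned offset = table_data->len - sizeof(uint64_t);`, with the `int offset;` declaration in the earlier hunk changed to match. nvdimm_build_ssdt() starts and ends outside this hunk.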

this offset magic will break badly as soon as someone add something
to the end of SSDT.



Yes, it is, so don't do that, :) and this is why we made the comment here:
 +/*
 + * leave it at the end of ssdt so that we can conveniently get the
 + * offset of int64 object returned by the function which will be
 + * patched with the real address of the dsm memory by BIOS.
 + */





Re: [Qemu-devel] [PATCH v3 0/4] Convert to realize()

2016-01-06 Thread Stefano Stabellini
On Wed, 6 Jan 2016, Eric Blake wrote:
> On 01/06/2016 04:08 AM, Stefano Stabellini wrote:
> > On Wed, 6 Jan 2016, Cao jin wrote:
> >> v3 changelog:
> >> 1. use following style when we want to check the returned error
> >>
> >>  Error *err = NULL;
> >>  foo(arg, &err);
> >>  if (err) {
> >>  handle the error...
> >>  error_propagate(errp, err);
> >>  }
> >>
> >> Cao jin (4):
> >>   Add Error **errp for xen_host_pci_device_get()
> >>   Add Error **errp for xen_pt_setup_vga()
> >>   Add Error **errp for xen_pt_config_init()
> >>   Xen PCI passthru: convert to realize()
> >>
> >>  hw/xen/xen-host-pci-device.c | 106 
> >> +--
> >>  hw/xen/xen-host-pci-device.h |   5 +-
> >>  hw/xen/xen_pt.c  |  73 -
> >>  hw/xen/xen_pt.h  |   5 +-
> >>  hw/xen/xen_pt_config_init.c  |  51 +++--
> >>  hw/xen/xen_pt_graphics.c |  11 +++--
> >>  6 files changed, 141 insertions(+), 110 deletions(-)
> > 
> > Thanks Cao, I applied the whole series to my next branch.
> 
> I found some issues while reviewing; maybe you want to wait for a v4.

Sure, thanks for reviewing.



[Qemu-devel] [Bug 1357226] Re: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

2016-01-06 Thread Scott Moser
This may or may not be relevant here, but the mysterious "uncaught
target signal 11" error was fixed for maas images (lp:maas-images) build
process by increasing the memory to the VMs that were doing the build.
We had been doing the cross/qemu-static building in ~512M vms and that
was resulting in somewhat transient failures during 'apt-get update'.
Upping the memory of the vm to 2G made those go away.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1357226

Title:
  qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Status in QEMU:
  New

Bug description:
  steps to reproduce:
  pbuilder-dist utopic armhf create
  pbuilder-dist utopic armhf login
  apt-get install imagemagick
  convert foo.xpm foo.png
  qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  Segmentation fault

  (doesn't matter if images are actually there or not)




Re: [Qemu-devel] How to reserve guest physical region for ACPI

2016-01-06 Thread Laszlo Ersek
On 01/06/16 14:39, Igor Mammedov wrote:
> On Tue, 5 Jan 2016 18:22:33 +0100
> Laszlo Ersek  wrote:
> 
>> On 01/05/16 18:08, Igor Mammedov wrote:
>>> On Mon, 4 Jan 2016 21:17:31 +0100
>>> Laszlo Ersek  wrote:
>>>   
 Michael CC'd me on the grandparent of the email below. I'll try to add
 my thoughts in a single go, with regard to OVMF.

 On 12/30/15 20:52, Michael S. Tsirkin wrote:  
> On Wed, Dec 30, 2015 at 04:55:54PM +0100, Igor Mammedov wrote:
>> On Mon, 28 Dec 2015 14:50:15 +0200
>> "Michael S. Tsirkin"  wrote:
>>
>>> On Mon, Dec 28, 2015 at 10:39:04AM +0800, Xiao Guangrong wrote:

 Hi Michael, Paolo,

 Now it is the time to return to the challenge that how to reserve guest
 physical region internally used by ACPI.

 Igor suggested that:
 | An alternative place to allocate reserve from could be high memory.
 | For pc we have "reserved-memory-end" which currently makes sure
 | that hotpluggable memory range isn't used by firmware
 (https://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg00926.html)
 

 OVMF has no support for the "reserved-memory-end" fw_cfg file. The
 reason is that nobody wrote that patch, nor asked for the patch to be
 written. (Not implying that just requesting the patch would be
 sufficient for the patch to be written.)
  
>>> I don't want to tie things to reserved-memory-end because this
>>> does not scale: next time we need to reserve memory,
>>> we'll need to find yet another way to figure out what is where.
>> Could you elaborate a bit more on a problem you're seeing?
>>
>> To me it looks like it scales rather well.
>> For example lets imagine that we adding a device
>> that has some on device memory that should be mapped into GPA
>> code to do so would look like:
>>
>>   pc_machine_device_plug_cb(dev)
>>   {
>>...
>>if (dev == OUR_NEW_DEVICE_TYPE) {
>>memory_region_add_subregion(as, current_reserved_end, >mr);
>>set_new_reserved_end(current_reserved_end + 
>> memory_region_size(>mr));
>>}
>>   }
>>
>> we can practically add any number of new devices that way.
>
> Yes but we'll have to build a host side allocator for these, and that's
> nasty. We'll also have to maintain these addresses indefinitely (at
> least per machine version) as they are guest visible.
> Not only that, there's no way for guest to know if we move things
> around, so basically we'll never be able to change addresses.
>
> 
>>  
>>> I would like ./hw/acpi/bios-linker-loader.c interface to be extended to
>>> support 64 bit RAM instead

 This looks quite doable in OVMF, as long as the blob to allocate from
 high memory contains *zero* ACPI tables.

 (
 Namely, each ACPI table is installed from the containing fw_cfg blob
 with EFI_ACPI_TABLE_PROTOCOL.InstallAcpiTable(), and the latter has its
 own allocation policy for the *copies* of ACPI tables it installs.

 This allocation policy is left unspecified in the section of the UEFI
 spec that governs EFI_ACPI_TABLE_PROTOCOL.

 The current policy in edk2 (= the reference implementation) seems to be
 "allocate from under 4GB". It is currently being changed to "try to
 allocate from under 4GB, and if that fails, retry from high memory". (It
 is motivated by Aarch64 machines that may have no DRAM at all under 4GB.)
 )
  
>>> (and maybe a way to allocate and
>>> zero-initialize buffer without loading it through fwcfg),

 Sounds reasonable.
  
>>> this way bios
>>> does the allocation, and addresses can be patched into acpi.
>> and then guest side needs to parse/execute some AML that would
>> initialize QEMU side so it would know where to write data.
>
> Well not really - we can put it in a data table, by itself
> so it's easy to find.

 Do you mean acpi_tb_find_table(), acpi_get_table_by_index() /
 acpi_get_table_with_size()?
  
>
> AML is only needed if access from ACPI is desired.
>
> 
>> bios-linker-loader is a great interface for initializing some
>> guest owned data and linking it together but I think it adds
>> unnecessary complexity and is misused if it's used to handle
>> device owned data/on device memory in this and VMGID cases.
>
> I want a generic interface for guest to enumerate these things.  linker
> seems quite reasonable but if you see a reason why it won't do, or want
> to propose a better interface, fine.

 * The guest could do the following:
 - while processing the ALLOCATE commands, it would make a note where in
 GPA space 

Re: [Qemu-devel] [RFC v6 04/14] softmmu: Add helpers for a new slowpath

2016-01-06 Thread Alex Bennée

Alvise Rigo  writes:

> The new helpers rely on the legacy ones to perform the actual read/write.
>
> The LoadLink helper (helper_ldlink_name) prepares the way for the
> following SC operation. It sets the linked address and the size of the
> access.

nit: extra line or continue paragraph

> These helper also update the TLB entry of the page involved in the
> LL/SC for those vCPUs that have the bit set (dirty), so that the
> following accesses made by all the vCPUs will follow the slow path.
>
> The StoreConditional helper (helper_stcond_name) returns 1 if the
> store has to fail due to a concurrent access to the same page by
> another vCPU. A 'concurrent access' can be a store made by *any* vCPU
> (although, some implementations allow stores made by the CPU that issued
> the LoadLink).
>
> Suggested-by: Jani Kokkonen 
> Suggested-by: Claudio Fontana 
> Signed-off-by: Alvise Rigo 
> ---
>  cputlb.c|   3 ++
>  softmmu_llsc_template.h | 134 
> 
>  softmmu_template.h  |  12 +
>  tcg/tcg.h   |  31 +++
>  4 files changed, 180 insertions(+)
>  create mode 100644 softmmu_llsc_template.h
>
> diff --git a/cputlb.c b/cputlb.c
> index 7ee0c89..70b6404 100644
> --- a/cputlb.c
> +++ b/cputlb.c
> @@ -509,6 +509,8 @@ static inline void lookup_and_reset_cpus_ll_addr(hwaddr 
> addr, hwaddr size)
>
>  #define MMUSUFFIX _mmu
>
> +/* Generates LoadLink/StoreConditional helpers in softmmu_template.h */
> +#define GEN_EXCLUSIVE_HELPERS
>  #define SHIFT 0
>  #include "softmmu_template.h"
>
> @@ -521,6 +523,7 @@ static inline void lookup_and_reset_cpus_ll_addr(hwaddr 
> addr, hwaddr size)
>  #define SHIFT 3
>  #include "softmmu_template.h"
>  #undef MMUSUFFIX
> +#undef GEN_EXCLUSIVE_HELPERS
>
>  #define MMUSUFFIX _cmmu
>  #undef GETPC_ADJ
> diff --git a/softmmu_llsc_template.h b/softmmu_llsc_template.h
> new file mode 100644
> index 000..586bb2e
> --- /dev/null
> +++ b/softmmu_llsc_template.h
> @@ -0,0 +1,134 @@
> +/*
> + *  Software MMU support (esclusive load/store operations)
> + *
> + * Generate helpers used by TCG for qemu_ldlink/stcond ops.
> + *
> + * Included from softmmu_template.h only.
> + *
> + * Copyright (c) 2015 Virtual Open Systems
> + *
> + * Authors:
> + *  Alvise Rigo 
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see 
> .
> + */
> +
> +/* This template does not generate together the le and be version, but only 
> one
> + * of the two depending on whether BIGENDIAN_EXCLUSIVE_HELPERS has been set.
> + * The same nomenclature as softmmu_template.h is used for the exclusive
> + * helpers.  */
> +
> +#ifdef BIGENDIAN_EXCLUSIVE_HELPERS
> +
> +#define helper_ldlink_name  glue(glue(helper_be_ldlink, USUFFIX), MMUSUFFIX)
> +#define helper_stcond_name  glue(glue(helper_be_stcond, SUFFIX), MMUSUFFIX)
> +#define helper_ld glue(glue(helper_be_ld, USUFFIX), MMUSUFFIX)
> +#define helper_st glue(glue(helper_be_st, SUFFIX), MMUSUFFIX)
> +
> +#else /* LE helpers + 8bit helpers (generated only once for both LE end BE) 
> */
> +
> +#if DATA_SIZE > 1
> +#define helper_ldlink_name  glue(glue(helper_le_ldlink, USUFFIX), MMUSUFFIX)
> +#define helper_stcond_name  glue(glue(helper_le_stcond, SUFFIX), MMUSUFFIX)
> +#define helper_ld glue(glue(helper_le_ld, USUFFIX), MMUSUFFIX)
> +#define helper_st glue(glue(helper_le_st, SUFFIX), MMUSUFFIX)
> +#else /* DATA_SIZE <= 1 */
> +#define helper_ldlink_name  glue(glue(helper_ret_ldlink, USUFFIX), MMUSUFFIX)
> +#define helper_stcond_name  glue(glue(helper_ret_stcond, SUFFIX), MMUSUFFIX)
> +#define helper_ld glue(glue(helper_ret_ld, USUFFIX), MMUSUFFIX)
> +#define helper_st glue(glue(helper_ret_st, SUFFIX), MMUSUFFIX)
> +#endif
> +
> +#endif
> +
> +WORD_TYPE helper_ldlink_name(CPUArchState *env, target_ulong addr,
> +TCGMemOpIdx oi, uintptr_t retaddr)
> +{
> +WORD_TYPE ret;
> +int index;
> +CPUState *cpu, *this = ENV_GET_CPU(env);
> +CPUClass *cc = CPU_GET_CLASS(this);
> +hwaddr hw_addr;
> +unsigned mmu_idx = get_mmuidx(oi);
> +
> +/* Use the proper load helper from cpu_ldst.h */
> +ret = helper_ld(env, addr, mmu_idx, retaddr);
> +
> +index = 

[Qemu-devel] [PATCH v2 5/7] hw/arm/sysbus-fdt: helpers for clock node generation

2016-01-06 Thread Eric Auger
Some passthrough'ed devices depend on clock nodes. Those need to be
generated in the guest device tree. This patch introduces some helpers
to build a clock node from information retrieved in the host device tree.

- inherit_properties copies properties from a host device tree node to
  a guest device tree node
- fdt_build_clock_node builds a guest clock node and checks that the
  corresponding host clock is a fixed one.

fdt_build_clock_node will become static as soon as it gets used. A
dummy pre-declaration is needed for compilation of this patch.

Signed-off-by: Eric Auger 

---

v1 -> v2:
- inherit properties now outputs an error message in case
  qemu_fdt_getprop fails for an existing optional property
- no hardcoded fixed buffer length
- fdt_build_clock_node becomes void and auto-asserts on error
- use boolean values when defining the clock properties

RFC -> v1:
- use the new proto of qemu_fdt_getprop
- remove newline in error_report
- fix some style issues
---
 hw/arm/sysbus-fdt.c | 120 
 1 file changed, 120 insertions(+)

diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c
index 9d28797..a1cf57b 100644
--- a/hw/arm/sysbus-fdt.c
+++ b/hw/arm/sysbus-fdt.c
@@ -21,6 +21,7 @@
  *
  */
 
+#include 
 #include "hw/arm/sysbus-fdt.h"
 #include "qemu/error-report.h"
 #include "sysemu/device_tree.h"
@@ -56,6 +57,125 @@ typedef struct NodeCreationPair {
 int (*add_fdt_node_fn)(SysBusDevice *sbdev, void *opaque);
 } NodeCreationPair;
 
+/* helpers */
+
+typedef struct HostProperty {
+const char *name;
+bool optional;
+} HostProperty;
+
+/**
+ * inherit_properties
+ *
+ * copies properties listed in an array from host device tree to
+ * guest device tree. If a non optional property is not found, the
+ * function self-asserts. An optional property is ignored if not found
+ * in the host device tree.
+ * @props: array of HostProperty to copy
+ * @nb_props: number of properties in the array
+ * @host_dt: host device tree blob
+ * @guest_dt: guest device tree blob
+ * @node_path: host dt node path where the property is supposed to be
+  found
+ * @nodename: guest node name the properties should be added to
+ */
+static void inherit_properties(HostProperty *props, int nb_props,
+   void *host_fdt, void *guest_fdt,
+   char *node_path, char *nodename)
+{
+int i, prop_len;
+const void *r;
+Error *err = NULL;
+
+for (i = 0; i < nb_props; i++) {
+r = qemu_fdt_getprop(host_fdt, node_path,
+ props[i].name,
+ _len,
+ props[i].optional ?  : _fatal);
+if (r) {
+qemu_fdt_setprop(guest_fdt, nodename,
+ props[i].name, r, prop_len);
+} else {
+if (prop_len != -FDT_ERR_NOTFOUND) {
+/* optional property not returned although property exists */
+error_report_err(err);
+} else {
+error_free(err);
+}
+}
+}
+}
+
+/* clock properties whose values are copied/pasted from host */
+static HostProperty clock_inherited_properties[] = {
+{"compatible", false},
+{"#clock-cells", false},
+{"clock-frequency", true},
+{"clock-output-names", true},
+};
+
+/**
+ * fdt_build_clock_node
+ *
+ * Build a guest clock node, used as a dependency from a passthrough'ed
+ * device. Most information are retrieved from the host clock node.
+ * Also check the host clock is a fixed one.
+ *
+ * @host_fdt: host device tree blob from which info are retrieved
+ * @guest_fdt: guest device tree blob where the clock node is added
+ * @host_phandle: phandle of the clock in host device tree
+ * @guest_phandle: phandle to assign to the guest node
+ */
+void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
+ uint32_t host_phandle,
+ uint32_t guest_phandle);
+void fdt_build_clock_node(void *host_fdt, void *guest_fdt,
+ uint32_t host_phandle,
+ uint32_t guest_phandle)
+{
+char *node_path = NULL;
+char *nodename;
+const void *r;
+int ret, node_offset, prop_len, path_len = 16;
+
+node_offset = fdt_node_offset_by_phandle(host_fdt, host_phandle);
+if (node_offset <= 0) {
+error_setg(_fatal,
+   "not able to locate clock handle %d in host device tree",
+   host_phandle);
+}
+node_path = g_malloc(path_len);
+while ((ret = fdt_get_path(host_fdt, node_offset, node_path, path_len))
+== -FDT_ERR_NOSPACE) {
+path_len += 16;
+node_path = g_realloc(node_path, path_len);
+}
+if (ret < 0) {
+error_setg(_fatal,
+   "not able to retrieve node path for clock handle %d",
+   host_phandle);
+}
+
+r = 

Re: [Qemu-devel] [PATCH v3 11/11] igd: move igd-passthrough-isa-bridge creation to machine init

2016-01-06 Thread Stefano Stabellini
On Tue, 5 Jan 2016, Gerd Hoffmann wrote:
> This patch moves igd-passthrough-isa-bridge creation out of the xen
> passthrough code into machine init.  It is triggered by the
> igd-passthru=on machine option.  Advantages:
> 
>  * This works for on both xen and kvm.
>  * It is activated for the pc machine type only, q35 has a real
>isa bridge on 1f.0 and must be handled differently.  The q35
>plan is https://lkml.org/lkml/2015/11/26/183 (should land in
>the next merge window, i.e. linux 4.5).
>  * If we don't need it any more some day (intel is busy removing
>chipset dependencies from the guest driver) we have a single
>machine switch to just turn off all igd passthru chipset
>tweaks.
> 
> Signed-off-by: Gerd Hoffmann 
> ---
>  hw/i386/pc_piix.c |  6 ++
>  hw/xen/xen_pt.c   | 14 --
>  2 files changed, 6 insertions(+), 14 deletions(-)
> 
> diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
> index f36222e..2afbbd3 100644
> --- a/hw/i386/pc_piix.c
> +++ b/hw/i386/pc_piix.c
> @@ -281,6 +281,12 @@ static void pc_init1(MachineState *machine,
>  if (pcmc->pci_enabled) {
>  pc_pci_device_init(pci_bus);
>  }
> +
> +#ifdef CONFIG_LINUX
> +if (machine->igd_gfx_passthru) {
> +igd_passthrough_isa_bridge_create(pci_bus);
> +}
> +#endif

One thing I don't like about this is that it is going to skip the checks
done in xen_pt_initfn. For example it is going to create the isa bridge,
even if there is going to be an error loading the vga bios or if the
device specified is not even an Intel graphic card.


>  }
>  
>  /* Looking for a pc_compat_2_4() function? It doesn't exist.
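Review bot: The new block is compiled only under `#ifdef CONFIG_LINUX`, so on any other host a machine started with `igd-passthru=on` would, as far as this hunk shows, silently get no ISA bridge. If the option can be set on such builds, an `#else` branch that calls `error_report()` when `machine->igd_gfx_passthru` is set would make the unsupported configuration visible at start-up rather than leaving it to surface as guest driver misbehaviour. pc_init1() starts and ends outside this hunk.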
> diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
> index 18a7f72..5f626c9 100644
> --- a/hw/xen/xen_pt.c
> +++ b/hw/xen/xen_pt.c
> @@ -685,17 +685,6 @@ static const MemoryListener xen_pt_io_listener = {
>  .priority = 10,
>  };
>  
> -static void
> -xen_igd_passthrough_isa_bridge_create(XenPCIPassthroughState *s,
> -  XenHostPCIDevice *dev)
> -{
> -uint16_t gpu_dev_id;
> -PCIDevice *d = >dev;
> -
> -gpu_dev_id = dev->device_id;
> -igd_passthrough_isa_bridge_create(d->bus);
> -}
> -
>  /* destroy. */
>  static void xen_pt_destroy(PCIDevice *d) {
>  
> @@ -810,9 +799,6 @@ static int xen_pt_initfn(PCIDevice *d)
>  xen_host_pci_device_put(>real_device);
>  return -1;
>  }
> -
> -/* Register ISA bridge for passthrough GFX. */
> -xen_igd_passthrough_isa_bridge_create(s, >real_device);
>  }
>  
>  /* Handle real device's MMIO/PIO BARs */
> -- 
> 1.8.3.1
> 



Re: [Qemu-devel] [PATCH v3 0/4] Convert to realize()

2016-01-06 Thread Eric Blake
On 01/06/2016 04:08 AM, Stefano Stabellini wrote:
> On Wed, 6 Jan 2016, Cao jin wrote:
>> v3 changelog:
>> 1. use following style when we want to check the returned error
>>
>>  Error *err = NULL;
>>  foo(arg, &err);
>>  if (err) {
>>  handle the error...
>>  error_propagate(errp, err);
>>  }
>>
>> Cao jin (4):
>>   Add Error **errp for xen_host_pci_device_get()
>>   Add Error **errp for xen_pt_setup_vga()
>>   Add Error **errp for xen_pt_config_init()
>>   Xen PCI passthru: convert to realize()
>>
>>  hw/xen/xen-host-pci-device.c | 106 
>> +--
>>  hw/xen/xen-host-pci-device.h |   5 +-
>>  hw/xen/xen_pt.c  |  73 -
>>  hw/xen/xen_pt.h  |   5 +-
>>  hw/xen/xen_pt_config_init.c  |  51 +++--
>>  hw/xen/xen_pt_graphics.c |  11 +++--
>>  6 files changed, 141 insertions(+), 110 deletions(-)
> 
> Thanks Cao, I applied the whole series to my next branch.

I found some issues while reviewing; maybe you want to wait for a v4.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v3 07/11] igd: revamp host config read

2016-01-06 Thread Gerd Hoffmann
> > +for (i = 0; i < len; i++) {
> > +rc = pread(config_fd, guest->config + list[i].offset,
> > +   list[i].len, list[i].offset);
> > +if (rc != list[i].len) {
> 
> pread is allowed to return early, returning the number of bytes read.
> 

This is a sysfs file though, not a socket or pipe where a partial read
makes sense and will actually happen.  If we can't read something
that'll be because the kernel denies access.

So IMHO it should be fine to treat anything which doesn't give us the
amount of bytes we asked for as an error condition.

cheers,
  Gerd




Re: [Qemu-devel] [PATCH v3 1/4] Add Error **errp for xen_host_pci_device_get()

2016-01-06 Thread Eric Blake
On 01/05/2016 07:39 PM, Cao jin wrote:
> To catch the error msg. Also modify the caller
> 
> Signed-off-by: Cao jin 
> ---
>  hw/xen/xen-host-pci-device.c | 106 
> +--
>  hw/xen/xen-host-pci-device.h |   5 +-
>  hw/xen/xen_pt.c  |  12 +++--
>  3 files changed, 71 insertions(+), 52 deletions(-)
> 
> diff --git a/hw/xen/xen-host-pci-device.c b/hw/xen/xen-host-pci-device.c
> index 7d8a023..952cae0 100644
> --- a/hw/xen/xen-host-pci-device.c
> +++ b/hw/xen/xen-host-pci-device.c
> @@ -49,7 +49,7 @@ static int xen_host_pci_sysfs_path(const XenHostPCIDevice 
> *d,
>  
>  /* This size should be enough to read the first 7 lines of a resource file */
>  #define XEN_HOST_PCI_RESOURCE_BUFFER_SIZE 400
> -static int xen_host_pci_get_resource(XenHostPCIDevice *d)
> +static void xen_host_pci_get_resource(XenHostPCIDevice *d, Error **errp)
>  {
>  int i, rc, fd;
>  char path[PATH_MAX];
> @@ -60,23 +60,24 @@ static int xen_host_pci_get_resource(XenHostPCIDevice *d)
>  
>  rc = xen_host_pci_sysfs_path(d, "resource", path, sizeof (path));
>  if (rc) {
> -return rc;
> +error_setg_errno(errp, errno, "snprintf err");

Are you sure that errno is relevant?  And "snprintf err" doesn't seem to
be the correct message, as there is no snprintf in the line above.

> +return;
>  }
> +
>  fd = open(path, O_RDONLY);
>  if (fd == -1) {
> -XEN_HOST_PCI_LOG("Error: Can't open %s: %s\n", path, 
> strerror(errno));
> -return -errno;
> +error_setg_errno(errp, errno, "open %s err", path);

Please use error_setg_file_open() for reporting open() failures.

> @@ -129,20 +130,20 @@ static int xen_host_pci_get_resource(XenHostPCIDevice 
> *d)
>  d->rom.bus_flags = flags & IORESOURCE_BITS;
>  }
>  }
> +
>  if (i != PCI_NUM_REGIONS) {
>  /* Invalid format or input to short */
> -rc = -ENODEV;
> +error_setg(errp, "Invalid format or input to short: %s", buf);

s/to/too/ (and might as well fix the same typo in the comment while at it)


> @@ -152,47 +153,52 @@ static int xen_host_pci_get_value(XenHostPCIDevice *d, 
> const char *name,
>  
>  rc = xen_host_pci_sysfs_path(d, name, path, sizeof (path));
>  if (rc) {
> -return rc;
> +error_setg_errno(errp, errno, "snprintf err");
> +return;
>  }
> +
>  fd = open(path, O_RDONLY);
>  if (fd == -1) {
> -XEN_HOST_PCI_LOG("Error: Can't open %s: %s\n", path, 
> strerror(errno));
> -return -errno;
> +error_setg_errno(errp, errno, "open %s err", path);

Same comments as above.

> +return;
>  }
> +
>  do {
>  rc = read(fd, , sizeof (buf) - 1);
>  if (rc < 0 && errno != EINTR) {
> -rc = -errno;
> +error_setg_errno(errp, errno, "read err");
>  goto out;
>  }
>  } while (rc < 0);
> +
>  buf[rc] = 0;
>  value = strtol(buf, , base);
>  if (endptr == buf || *endptr != '\n') {
> -rc = -1;
> +error_setg(errp, "format invalid: %s", buf);
>  } else if ((value == LONG_MIN || value == LONG_MAX) && errno == ERANGE) {
> -rc = -errno;
> +error_setg_errno(errp, errno, "strtol err");

This is pre-existing invalid use of strtol (the value of errno is not
guaranteed to be ERANGE on overflow; and the only correct way to safely
check errno after strtol() is to first prime it to 0 prior to calling
strtol).  Better would be to use qemu_strtol() (preferably as a separate
patch), so that you don't even have to worry about using strtol()
incorrectly.

> +static void xen_host_pci_config_open(XenHostPCIDevice *d, Error **errp)
>  {
>  char path[PATH_MAX];
>  int rc;
>  
>  rc = xen_host_pci_sysfs_path(d, "config", path, sizeof (path));

May want to delete the space before ( while touching the code in this
vicinity.

>  if (rc) {
> -return rc;
> +error_setg_errno(errp, errno, "snprintf err");

Another suspect message.


> +void xen_host_pci_device_get(XenHostPCIDevice *d, uint16_t domain,
> +uint8_t bus, uint8_t dev, uint8_t func,
> +Error **errp)
>  {
>  unsigned int v;
> -int rc = 0;
> +Error *local_err = NULL;

These days, naming the local variable 'err' is more common than 'local_err'.

> @@ -774,11 +775,12 @@ static int xen_pt_initfn(PCIDevice *d)
> s->hostaddr.bus, s->hostaddr.slot, s->hostaddr.function,
> s->dev.devfn);
>  
> -rc = xen_host_pci_device_get(>real_device,
> - s->hostaddr.domain, s->hostaddr.bus,
> - s->hostaddr.slot, s->hostaddr.function);
> -if (rc) {
> -XEN_PT_ERR(d, "Failed to \"open\" the real pci device. rc: %i\n", 
> rc);
> +xen_host_pci_device_get(>real_device,
> +s->hostaddr.domain, 

Re: [Qemu-devel] [PATCH v3 3/4] Add Error **errp for xen_pt_config_init()

2016-01-06 Thread Eric Blake
On 01/05/2016 07:39 PM, Cao jin wrote:
> To catch the error msg. Also modify the caller
> 
> Signed-off-by: Cao jin 
> ---
>  hw/xen/xen_pt.c |  7 ---
>  hw/xen/xen_pt.h |  2 +-
>  hw/xen/xen_pt_config_init.c | 51 
> -
>  3 files changed, 32 insertions(+), 28 deletions(-)
> 

> +++ b/hw/xen/xen_pt_config_init.c
> @@ -1899,8 +1899,9 @@ static uint8_t find_cap_offset(XenPCIPassthroughState 
> *s, uint8_t cap)
>  return 0;
>  }
>  
> -static int xen_pt_config_reg_init(XenPCIPassthroughState *s,
> -  XenPTRegGroup *reg_grp, XenPTRegInfo *reg)
> +static void xen_pt_config_reg_init(XenPCIPassthroughState *s,
> +  XenPTRegGroup *reg_grp, XenPTRegInfo *reg,
> +  Error **errp)

Indentation is now off.


> @@ -1967,10 +1970,10 @@ static int 
> xen_pt_config_reg_init(XenPCIPassthroughState *s,
>  val = data;
>  
>  if (val & ~size_mask) {
> -XEN_PT_ERR(>dev,"Offset 0x%04x:0x%04x expands past register 
> size(%d)!\n",
> -   offset, val, reg->size);
> +error_setg(errp, "Offset 0x%04x:0x%04x expands past"
> +" register size(%d)!", offset, val, reg->size);

Drop the trailing !.  Also, while touching this, it's better to have a
space before ( in English.


> +void xen_pt_config_init(XenPCIPassthroughState *s, Error **errp)
>  {
>  int i, rc;
> +Error *local_err = NULL;

Same comments as earlier in the series about using the shorter 'err'
instead of 'local_err'.

>  
>  QLIST_INIT(>reg_grps);
>  
> @@ -2039,11 +2041,12 @@ int xen_pt_config_init(XenPCIPassthroughState *s)
>reg_grp_offset,
>_grp_entry->size);
>  if (rc < 0) {
> -XEN_PT_LOG(>dev, "Failed to initialize %d/%ld, type=0x%x, 
> rc:%d\n",
> -   i, ARRAY_SIZE(xen_pt_emu_reg_grps),
> +error_setg(_err, "Failed to initialize %d/%ld, 
> type=0x%x,"
> +   " rc:%d", i, ARRAY_SIZE(xen_pt_emu_reg_grps),

This maps ARRAY_SIZE() (which is size_t) to %ld, which can fail to
compile on 32-bit platforms (where size_t is not necessarily long).  Fix
it to %zd while touching it.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [Qemu-block] [PATCH] send readcapacity10 when readcapacity16 failed

2016-01-06 Thread John Snow


On 01/05/2016 02:57 PM, ronnie sahlberg wrote:
> MMC devices:
> READ CAPACITY 10 support is mandatory.
> No support for READ CAPACITY 16
> 
> SBC devices:
> READ CAPACITY 10 is mandatory
> READ CAPACITY 16 support is only required when you have thin
> provisioning or protection information (or if the device is >2^32 blocks)
> Almost all, but apparently not all, SBC devices support both.
> 
> 
> For SBC devices you probably want to start with RC16 and only fallback
> to RC10 if you get INVALID_OPCODE.
> You start with RC16 since this is the way to discover if you have thin
> provisioning or special protection information.
> 
> For MMC devices you could try the "try RC16 first and fallback to RC10"
> but as probably almost no MMC devices support RC16 it makes little sense
> to do so.
> 
> 

Ronnie: Thanks for the explanation!

Zhu: In light of this, can the patch be reworked slightly to explicitly
check *why* READCAPACITY16 failed and only attempt the READCAPACITY10 as
a fallback if it receives INVALID_OPCODE?

If it fails for any other reason it's probably best to report the error
and let QEMU decide what to do about it.

I suppose caching a flag that lets us know to go straight to
READ_CAPACITY10 is not worthwhile because this command is not likely to
be issued very often.

Thanks,
--js

> 
> On Tue, Jan 5, 2016 at 11:42 AM, John Snow  > wrote:
> 
> 
> 
> On 12/28/2015 10:32 PM, Zhu Lingshan wrote:
> > When play with Dell MD3000 target, for sure it
> > is a TYPE_DISK, but readcapacity16 would fail.
> > Then we find that readcapacity10 succeeded. It
> > looks like the target just support readcapacity10
> > even through it is a TYPE_DISK or have some
> > TYPE_ROM characteristics.
> >
> > This patch can give a chance to send
> > readcapacity16 when readcapacity10 failed.
> > This patch is not harmful to original pathes
> >
> > Signed-off-by: Zhu Lingshan >
> > ---
> >  block/iscsi.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/iscsi.c b/block/iscsi.c
> > index bd1f1bf..c8d167f 100644
> > --- a/block/iscsi.c
> > +++ b/block/iscsi.c
> > @@ -1243,8 +1243,9 @@ static void iscsi_readcapacity_sync(IscsiLun
> *iscsilun, Error **errp)
> >  iscsilun->lbprz = !!rc16->lbprz;
> >  iscsilun->use_16_for_rw = (rc16->returned_lba
> > 0x);
> >  }
> > +break;
> >  }
> > -break;
> > +//fall through to try readcapacity10 instead
> >  case TYPE_ROM:
> >  task = iscsi_readcapacity10_sync(iscsilun->iscsi,
> iscsilun->lun, 0, 0);
> >  if (task != NULL && task->status == SCSI_STATUS_GOOD) {
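Review bot: On the new fall-through path, `task = iscsi_readcapacity10_sync(...)` in the `TYPE_ROM` case overwrites `task` while it may still hold the failed READ CAPACITY(16) task. This assumes the `TYPE_DISK` branch stores its result in the same variable; that assignment is outside the hunk. If so, the earlier task should be released before falling through, `if (task) { scsi_free_scsi_task(task); task = NULL; }`, otherwise every failed probe leaks one task. The marker comment would also be better written in block-comment form as `/* fall through */`, which static checkers recognise. The enclosing switch starts and ends outside the hunk.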
> >
> 
> For the uninitiated, why does readcapacity16 fail?
> 
> My gut feeling is that this is a hack, because:
> 
> - Either readcapacity16 should work, or
> - We shouldn't be choosing 10/16 based on the target type to begin with
> 
> but I don't know much about iSCSI, so maybe You, Paolo or Peter could
> fill me in.
> 
> --js
> 
> 



Re: [Qemu-devel] [PATCH v8 19/35] qmp: Fix reference-counting of qnull on empty output visit

2016-01-06 Thread Eric Blake
On 01/05/2016 07:05 AM, Marc-André Lureau wrote:
> Hi
> 
> On Mon, Dec 21, 2015 at 6:08 PM, Eric Blake  wrote:
>> Commit 6c2f9a15 ensured that we would not return NULL when the
>> caller used an output visitor but had nothing to visit. But
>> in doing so, it added a FIXME about a reference count leak
>> that could abort qemu in the (unlikely) case of SIZE_MAX such
>> visits (more plausible on 32-bit).  (Although that commit
>> suggested we might fix it in time for 2.5, we ran out of time;
>> fortunately, it is unlikely enough to bite that it was not
>> worth worrying about during the 2.5 release.)
>>
>> This fixes things by documenting the internal contracts, and
>> explaining why the internal function can return NULL and only
>> the public facing interface needs to worry about qnull(),
>> thus avoiding over-referencing the qnull_ global object.
>>
>> It does not, however, fix the stupidity of the stack mixing
>> up two separate pieces of information; add a FIXME to explain
>> that issue.
>>
>> Signed-off-by: Eric Blake 
>> Cc: qemu-sta...@nongnu.org
>>

>> +++ b/qapi/qmp-output-visitor.c
>> @@ -29,6 +29,15 @@ typedef QTAILQ_HEAD(QStack, QStackEntry) QStack;
>>  struct QmpOutputVisitor
>>  {
>>  Visitor visitor;
>> +/* FIXME: we are abusing stack to hold two separate pieces of
>> + * information: the current root object in slot 0, and the stack
>> + * of N objects still being built in slots 1 through N (for N+1
>> + * slots in use).  Worse, our behavior is inconsistent:
>> + * qmp_output_add_obj() visiting two top-level scalars in a row
>> + * discards the first in favor of the second, but visiting two
>> + * top-level objects in a row tries to append the second object
>> + * into the first (since the first object was placed in the stack
>> + * in both slot 0 and 1, but only popped from slot 1).  */
> 
> I skipped checking thoroughly this comment, since it's a bit
> off-topic, although it looks ok.
> 
> Later, oh well, it's fixed in next commit. Imho it's not strictly
> necessary in this commit.

I added the comment based on Markus' request that I document how the
stack is used; but yes, it does feel like a bit of churn since it
changes in the next commit.

If there's a reason to respin, I might change it to:

Visitor visitor;
/* Stack holds two pieces of information: the current root object in
 * slot 0, then a stack of N objects still being built in slots 1
 * through N (for N+1 slots in use).
 * FIXME: The root object should be stored separately from the
 * stack, particularly since qmp_output_add_obj() behaves
 * differently when visiting two top-level scalars in a row than
 * it does for two objects (the second object is appended to the
 * first, since the first is placed in both slots 0 and 1 but only
 * popped from slot 1).   */

> 
> Reviewed-by: Marc-André Lureau 
> 
> 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v9 1/2] mirror: Rewrite mirror_iteration

2016-01-06 Thread Max Reitz
On 05.01.2016 09:46, Fam Zheng wrote:
> The "pnum < nb_sectors" condition in deciding whether to actually copy
> data is unnecessarily strict, and the qiov initialization is
> unnecessarily for bdrv_aio_write_zeroes and bdrv_aio_discard.
> 
> Rewrite mirror_iteration to fix both flaws.
> 
> Signed-off-by: Fam Zheng 
> ---
>  block/mirror.c | 347 
> +++--
>  trace-events   |   1 -
>  2 files changed, 216 insertions(+), 132 deletions(-)
> 
> diff --git a/block/mirror.c b/block/mirror.c
> index f201f2b..e3e9fad 100644
> --- a/block/mirror.c
> +++ b/block/mirror.c
> @@ -46,7 +46,6 @@ typedef struct MirrorBlockJob {
>  BlockdevOnError on_source_error, on_target_error;
>  bool synced;
>  bool should_complete;
> -int64_t sector_num;
>  int64_t granularity;
>  size_t buf_size;
>  int64_t bdev_length;
> @@ -63,6 +62,8 @@ typedef struct MirrorBlockJob {
>  int ret;
>  bool unmap;
>  bool waiting_for_io;
> +int target_cluster_sectors;
> +int max_iov;
>  } MirrorBlockJob;
>  
>  typedef struct MirrorOp {
> @@ -158,115 +159,93 @@ static void mirror_read_complete(void *opaque, int ret)
>  mirror_write_complete, op);
>  }
>  
> -static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s)
> +/* Round sector_num and/or nb_sectors to target cluster if COW is needed, and
> + * return the offset of the adjusted tail sector against original. */
> +static int mirror_cow_align(MirrorBlockJob *s,
> +int64_t *sector_num,
> +int *nb_sectors)
> +{
> +bool head_need_cow, tail_need_cow;
> +int diff = 0;
> +int chunk_sectors = s->granularity >> BDRV_SECTOR_BITS;
> +
> +head_need_cow = !test_bit(*sector_num / chunk_sectors, s->cow_bitmap);
> +tail_need_cow = !test_bit((*sector_num + *nb_sectors - 1) / 
> chunk_sectors,
> +  s->cow_bitmap);
> +if (head_need_cow || tail_need_cow) {
> +int64_t align_sector_num;
> +int align_nb_sectors;
> +bdrv_round_to_clusters(s->target, *sector_num, *nb_sectors,
> +   _sector_num, _nb_sectors);
> +if (tail_need_cow) {
> +diff = align_sector_num + align_nb_sectors
> +   - (*sector_num + *nb_sectors);
> +assert(diff >= 0);
> +*nb_sectors += diff;
> +}
> +if (head_need_cow) {
> +int d = *sector_num - align_sector_num;
> +assert(d >= 0);
> +*sector_num = align_sector_num;
> +*nb_sectors += d;
> +}
> +}
> +
> +/* If the resulting chunks are more than max_iov, we have to shrink it
> + * under the alignment restriction. */
> +if (*nb_sectors > chunk_sectors * s->max_iov) {
> +int shrink = *nb_sectors - chunk_sectors * s->max_iov;
> +if (tail_need_cow) {
> +/* In this case, tail must be aligned already, so we just make 
> sure
> + * the shrink is also aligned. */
> +shrink -= shrink % s->target_cluster_sectors;
> +}
> +assert(shrink);
> +diff -= shrink;
> +*nb_sectors -= shrink;
> +}

Hm, looking at this closer... If we get here with tail_need_cow not
being set, we may end up with an unaligned tail, which then may need COW
(because it points to somewhere else than before).

On the other hand, if we get here with tail_need_cow being set, shrink
will be decreased so that it will only remove an aligned number of
sectors from *nb_sectors; however, because shrink is increased, that
means that *nb_sectors may then still be too large. Also, because of the
shrink, the tail may in fact not need COW any more.

Should we do this check before we test whether we need COW and do the
correction in a way that ensures that the cluster adjustment can never
increase *nb_sectors beyond chunk_sectors * s->max_iov?

Max





Re: [Qemu-devel] [RFC v6 00/14] Slow-path for atomic instruction translation

2016-01-06 Thread Andrew Baumann
Hi,

> From: qemu-devel-bounces+andrew.baumann=microsoft@nongnu.org
> [mailto:qemu-devel-
> bounces+andrew.baumann=microsoft@nongnu.org] On Behalf Of
> Alvise Rigo
> Sent: Monday, 14 December 2015 00:41
> 
> This is the sixth iteration of the patch series which applies to the
> upstream branch of QEMU (v2.5.0-rc3).
> 
> Changes versus previous versions are at the bottom of this cover letter.
> 
> The code is also available at following repository:
> https://git.virtualopensystems.com/dev/qemu-mt.git
> branch:
> slowpath-for-atomic-v6-no-mttcg
> 
> This patch series provides an infrastructure for atomic instruction
> implementation in QEMU, thus offering a 'legacy' solution for
> translating guest atomic instructions. Moreover, it can be considered as
> a first step toward a multi-thread TCG.
> 
> The underlying idea is to provide new TCG helpers (sort of softmmu
> helpers) that guarantee atomicity to some memory accesses or in general
> a way to define memory transactions.
> 
> More specifically, the new softmmu helpers behave as LoadLink and
> StoreConditional instructions, and are called from TCG code by means of
> target specific helpers. This work includes the implementation for all
> the ARM atomic instructions, see target-arm/op_helper.c.

As a heads up, we just added support for alignment checks in LDREX:
https://github.com/qemu/qemu/commit/30901475b91ef1f46304404ab4bfe89097f61b96

Hopefully it is an easy change to ensure that the same check happens for the 
relevant loads when CONFIG_TCG_USE_LDST_EXCL is enabled?

Thanks,
Andrew


Re: [Qemu-devel] [PATCH v4 0/5] qmp: Add blockdev-mirror

2016-01-06 Thread Max Reitz
On 24.12.2015 05:45, Fam Zheng wrote:
> v4: 02: Add Max's rev-by.
> 04: buf_size -> buf-size.
> Add Markus' Ack-by.
> 05: 'node1' -> qmp_target.
> Fix double quotes.
> Add Max's Rev-by.
> 
> v3: Rebase to master.
> 
> v2: 01: Move bdrv_op_block_all down. [Max]
> 02, 04: Add Max's rev-by.
> 03: Check has_mode and fix "return;". [Max]
> 05: Check target->blk.
> Drop superfluous whitespace. [Max]
> 06: Drop superfluous whitespace hunk and add Max's rev-by. [Max]
> 
> This is the counterpart of blockdev-backup. The biggest value of this command
> is to allow full flexibility on target image open options, via blockdev-add.
> For example this could help solve the target provisioning issue in:
> 
> http://lists.gnu.org/archive/html/qemu-devel/2015-06/msg02139.html
> 
> Fam Zheng (5):
>   block: Rename BLOCK_OP_TYPE_MIRROR to BLOCK_OP_TYPE_MIRROR_SOURCE
>   block: Extract blockdev part of qmp_drive_mirror
>   block: Add check on mirror target
>   qmp: Add blockdev-mirror command
>   iotests: Add test cases for blockdev-mirror
> 
>  blockdev.c  | 179 
> ++--
>  hw/block/dataplane/virtio-blk.c |   2 +-
>  include/block/block.h   |   3 +-
>  qapi/block-core.json|  48 +++
>  qmp-commands.hx |  50 ++-
>  tests/qemu-iotests/041  | 100 --
>  tests/qemu-iotests/041.out  |   4 +-
>  7 files changed, 316 insertions(+), 70 deletions(-)

Thanks, applied to my block tree:

https://github.com/XanClic/qemu/commits/block

Max





Re: [Qemu-devel] [PATCH v9 1/2] mirror: Rewrite mirror_iteration

2016-01-06 Thread Max Reitz
On 05.01.2016 09:46, Fam Zheng wrote:
> The "pnum < nb_sectors" condition in deciding whether to actually copy
> data is unnecessarily strict, and the qiov initialization is
> unnecessarily for bdrv_aio_write_zeroes and bdrv_aio_discard.
> 
> Rewrite mirror_iteration to fix both flaws.
> 
> Signed-off-by: Fam Zheng 
> ---
>  block/mirror.c | 347 
> +++--
>  trace-events   |   1 -
>  2 files changed, 216 insertions(+), 132 deletions(-)

Side note: This breaks the output of iotest 109, probably due to
different alignment of the mirroring operations (doesn't look serious,
though).

Max





Re: [Qemu-devel] [PATCH] hw/arm/virt: Initialize NICs configured in PCI bus

2016-01-06 Thread Peter Maydell
On 6 January 2016 at 14:47, Ashok Kumar  wrote:
> virtio model is used for default case.
>
> Signed-off-by: Ashok Kumar 

Could you explain why you think this needs to be done?
Virtio networking works OK for me...

I guess from the patch that this is adding support for
the legacy '-net' way of configuring networking, but do
we need that if we never supported it in the first place?
(If virt is the only PCI machine which doesn't support
-net syntax that would probably be a strong argument for
supporting it.)

thanks
-- PMM



Re: [Qemu-devel] [PATCH 2/8] ipmi: add get and set SENSOR_TYPE commands

2016-01-06 Thread Cédric Le Goater
On 01/06/2016 10:55 AM, Greg Kurz wrote:
> On Tue,  5 Jan 2016 18:29:56 +0100
> Cédric Le Goater  wrote:
> 
>> Signed-off-by: Cédric Le Goater 
>> ---
> 
> Acked-by: Greg Kurz 
> 
> Just some minor comments on the form below.
> 
> 
>>  hw/ipmi/ipmi_bmc_sim.c | 51 
>> --
>>  1 file changed, 49 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/ipmi/ipmi_bmc_sim.c b/hw/ipmi/ipmi_bmc_sim.c
>> index 559e1398d669..061db8437479 100644
>> --- a/hw/ipmi/ipmi_bmc_sim.c
>> +++ b/hw/ipmi/ipmi_bmc_sim.c
>> @@ -37,13 +37,15 @@
>>  #define IPMI_CMD_CHASSIS_CONTROL  0x02
>>
>>  #define IPMI_NETFN_SENSOR_EVENT   0x04
>> -#define IPMI_NETFN_SENSOR_EVENT_MAXCMD0x2e
>> +#define IPMI_NETFN_SENSOR_EVENT_MAXCMD0x30
>>
> 
> Maybe IPMI_NETFN_SENSOR_EVENT_MAXCMD should be defined...

These are maximums for each IPMI family of commands (netfn). See
the arrays at the end of the file :

static const IPMICmdHandler *_cmds[*_MAXCMD] 

You'll get the idea.
 
>>  #define IPMI_CMD_SET_SENSOR_EVT_ENABLE0x28
>>  #define IPMI_CMD_GET_SENSOR_EVT_ENABLE0x29
>>  #define IPMI_CMD_REARM_SENSOR_EVTS0x2a
>>  #define IPMI_CMD_GET_SENSOR_EVT_STATUS0x2b
>>  #define IPMI_CMD_GET_SENSOR_READING   0x2d
>> +#define IPMI_CMD_SET_SENSOR_TYPE  0x2e
>> +#define IPMI_CMD_GET_SENSOR_TYPE  0x2f
>>
> 
> ... here ?
> 
>>  /* #define IPMI_NETFN_APP 0x06 In ipmi.h */
>>  #define IPMI_NETFN_APP_MAXCMD 0x36
>> @@ -1576,6 +1578,49 @@ static void get_sensor_reading(IPMIBmcSim *ibs,
>>  return;
>>  }
>>
>> +static void set_sensor_type(IPMIBmcSim *ibs,
>> +   uint8_t *cmd, unsigned int cmd_len,
>> +   uint8_t *rsp, unsigned int *rsp_len,
>> +   unsigned int max_rsp_len)
>> +{
>> +IPMISensor *sens;
>> +
>> +
>> +IPMI_CHECK_CMD_LEN(5);
>> +if ((cmd[2] > MAX_SENSORS) ||
> 
> Parenthesis not needed here since > has precedence over ||
> 
>> +!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
> 
> Indentation ?

OK. I will fix that.

>> +rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
>> +goto out;
>> +}
>> +sens = ibs->sensors + cmd[2];
>> +sens->sensor_type = cmd[3];
>> +sens->evt_reading_type_code = cmd[4] & 0x7f;
> 
> So evt_reading_type_code is 7bit ? Maybe worth to
> introduce a IPMI_SENSOR_TYPE_MASK define.

Yes. there are a few of these in the code.

>> +
>> + out:
>> +return;
>> +}
>> +
>> +static void get_sensor_type(IPMIBmcSim *ibs,
>> +   uint8_t *cmd, unsigned int cmd_len,
>> +   uint8_t *rsp, unsigned int *rsp_len,
>> +   unsigned int max_rsp_len)
>> +{
>> +IPMISensor *sens;
>> +
>> +
>> +IPMI_CHECK_CMD_LEN(3);
>> +if ((cmd[2] > MAX_SENSORS) ||
>> +!IPMI_SENSOR_GET_PRESENT(ibs->sensors + cmd[2])) {
> 
> Parenthesis and indentation ?

yep. copy & paste :)

Thanks,

C.

>> +rsp[2] = IPMI_CC_REQ_ENTRY_NOT_PRESENT;
>> +goto out;
>> +}
>> +sens = ibs->sensors + cmd[2];
>> +IPMI_ADD_RSP_DATA(sens->sensor_type);
>> +IPMI_ADD_RSP_DATA(sens->evt_reading_type_code);
>> + out:
>> +return;
>> +}
>> +
>>  static const IPMICmdHandler chassis_cmds[IPMI_NETFN_CHASSIS_MAXCMD] = {
>>  [IPMI_CMD_GET_CHASSIS_CAPABILITIES] = chassis_capabilities,
>>  [IPMI_CMD_GET_CHASSIS_STATUS] = chassis_status,
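Review bot: The bound check `cmd[2] > MAX_SENSORS` in `set_sensor_type`, repeated in `get_sensor_type`, accepts `cmd[2] == MAX_SENSORS`, and that value is then used as the index in `ibs->sensors + cmd[2]`. If `sensors` is declared with `MAX_SENSORS` elements (the declaration is not visible in this hunk), that is one element past the array: it is read by `IPMI_SENSOR_GET_PRESENT` and, in the set path, may be written through `sens->sensor_type = cmd[3]`. Because `cmd` is the request buffer, the index should be rejected with `if (cmd[2] >= MAX_SENSORS ||`. The thread notes that the condition was copied from existing handlers, so those should be checked for the same comparison.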
>> @@ -1592,7 +1637,9 @@ sensor_event_cmds[IPMI_NETFN_SENSOR_EVENT_MAXCMD] = {
>>  [IPMI_CMD_GET_SENSOR_EVT_ENABLE] = get_sensor_evt_enable,
>>  [IPMI_CMD_REARM_SENSOR_EVTS] = rearm_sensor_evts,
>>  [IPMI_CMD_GET_SENSOR_EVT_STATUS] = get_sensor_evt_status,
>> -[IPMI_CMD_GET_SENSOR_READING] = get_sensor_reading
>> +[IPMI_CMD_GET_SENSOR_READING] = get_sensor_reading,
>> +[IPMI_CMD_SET_SENSOR_TYPE] = set_sensor_type,
>> +[IPMI_CMD_GET_SENSOR_TYPE] = get_sensor_type,
>>  };
>>  static const IPMINetfn sensor_event_netfn = {
>>  .cmd_nums = IPMI_NETFN_SENSOR_EVENT_MAXCMD,
> 




[Qemu-devel] [PATCH 2/4] target-ppc: use cpu_write_xer() helper in cpu_post_load

2016-01-06 Thread Mark Cave-Ayland
Otherwise some internal xer variables fail to get set post-migration.

Signed-off-by: Mark Cave-Ayland 
---
 target-ppc/machine.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/machine.c b/target-ppc/machine.c
index 98fc63a..322ce84 100644
--- a/target-ppc/machine.c
+++ b/target-ppc/machine.c
@@ -168,7 +168,7 @@ static int cpu_post_load(void *opaque, int version_id)
 env->spr[SPR_PVR] = env->spr_cb[SPR_PVR].default_value;
 env->lr = env->spr[SPR_LR];
 env->ctr = env->spr[SPR_CTR];
-env->xer = env->spr[SPR_XER];
+cpu_write_xer(env, env->spr[SPR_XER]);
 #if defined(TARGET_PPC64)
 env->cfar = env->spr[SPR_CFAR];
 #endif
-- 
1.7.10.4




[Qemu-devel] [PATCH 0/4] target-ppc: migration fixups (TCG related)

2016-01-06 Thread Mark Cave-Ayland
This patchset came out of my work to fix migration for Mac machines under
QEMU running TCG.

Patch 1 was posted to the list a few months ago, but is now part of this larger
patchset instead.

Patches 2 and 3 were discovered through a combination of dumping out CPU
structures pre- and post- migration and general code review.

Patch 4 solves the problem that caused random errors when migrating Darwin
images, but seems to duplicate some work that has already been started for
migrating timebase information (see vmstate_ppc_timebase).

I don't have access to any KVM PPC hardware so this has all been tested running
TCG and constantly running savevm/loadvm cycles during a complete Darwin
installation, which in combination with a subsequent macio/DBDMA patchset is
enough to produce a working, bootable image.

Signed-off-by: Mark Cave-Ayland 

Mark Cave-Ayland (4):
  target-ppc: add CPU IRQ state to PPC VMStateDescription
  target-ppc: use cpu_write_xer() helper in cpu_post_load
  target-ppc: add CPU access_type into the migration stream
  target-ppc: ensure we include the decrementer value during migration

 target-ppc/machine.c |   57 --
 1 file changed, 55 insertions(+), 2 deletions(-)

-- 
1.7.10.4




[Qemu-devel] [PATCH 1/4] target-ppc: add CPU IRQ state to PPC VMStateDescription

2016-01-06 Thread Mark Cave-Ayland
Commit a90db15 "target-ppc: Convert ppc cpu savevm to VMStateDescription"
appears to drop the internal CPU IRQ state from the migration stream. Whilst
testing migration on g3beige/mac99 machines, test images would randomly fail to
resume unless a key was pressed on the VGA console.

Further investigation suggests that internal CPU IRQ state isn't being
preserved and so interrupts asserted at the time of migration are lost. Adding
the pending_interrupts and irq_input_state fields back into the migration
stream appears to fix the problem here during local tests.

Signed-off-by: Mark Cave-Ayland 
---
 target-ppc/machine.c |4 
 1 file changed, 4 insertions(+)

diff --git a/target-ppc/machine.c b/target-ppc/machine.c
index f4ac761..98fc63a 100644
--- a/target-ppc/machine.c
+++ b/target-ppc/machine.c
@@ -532,6 +532,10 @@ const VMStateDescription vmstate_ppc_cpu = {
 VMSTATE_UINTTL(env.hflags_nmsr, PowerPCCPU),
 /* FIXME: access_type? */
 
+/* Interrupt state */
+VMSTATE_UINT32(env.pending_interrupts, PowerPCCPU),
+VMSTATE_UINT32(env.irq_input_state, PowerPCCPU),
+
 /* Sanity checking */
 VMSTATE_UINTTL_EQUAL(env.msr_mask, PowerPCCPU),
 VMSTATE_UINT64_EQUAL(env.insns_flags, PowerPCCPU),
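Review bot: The two `VMSTATE_UINT32` fields are added unconditionally to the main field list of `vmstate_ppc_cpu`, and nothing in this hunk bumps the description's version; the context lines of patch 4/4 in this series still show `.version_id = 5`. A stream written before this change would then be parsed with every following field shifted by eight bytes, so the load either trips the `_EQUAL` sanity checks below or restores wrong CPU state. Gating the fields on a new version, e.g. `VMSTATE_UINT32_V(env.pending_interrupts, PowerPCCPU, 6)` together with `.version_id = 6`, or moving them into a subsection, keeps older streams loadable. The same applies to `VMSTATE_INT32(env.access_type, PowerPCCPU)` in patch 3/4. The initialiser begins and ends outside this hunk, so the version fields themselves are not visible here.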
-- 
1.7.10.4




[Qemu-devel] [PATCH 3/4] target-ppc: add CPU access_type into the migration stream

2016-01-06 Thread Mark Cave-Ayland
This is referenced in cpu_ppc_handle_mmu_fault() and so should be included
in the migration stream.

Signed-off-by: Mark Cave-Ayland 
---
 target-ppc/machine.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-ppc/machine.c b/target-ppc/machine.c
index 322ce84..cb56423 100644
--- a/target-ppc/machine.c
+++ b/target-ppc/machine.c
@@ -530,7 +530,7 @@ const VMStateDescription vmstate_ppc_cpu = {
 
 /* Internal state */
 VMSTATE_UINTTL(env.hflags_nmsr, PowerPCCPU),
-/* FIXME: access_type? */
+VMSTATE_INT32(env.access_type, PowerPCCPU),
 
 /* Interrupt state */
 VMSTATE_UINT32(env.pending_interrupts, PowerPCCPU),
-- 
1.7.10.4




[Qemu-devel] [PATCH 4/4] target-ppc: ensure we include the decrementer value during migration

2016-01-06 Thread Mark Cave-Ayland
During local testing with TCG, intermittent errors were found when trying to
migrate Darwin OS images.

The underlying cause was that Darwin resets the decrementer value to fairly
small values on each interrupt. cpu_ppc_set_tb_clk() sets the default value
of the decrementer to 0x during initialisation which typically
corresponds to several seconds. Hence when restoring the image, the guest
would effectively "lose" decrementer interrupts during this time causing
confusion in the guest.

NOTE: there does seem to be some overlap here with the vmstate_ppc_timebase
code, however it doesn't seem to handle multiple CPUs which is why I've gone
for an independent implementation.

Signed-off-by: Mark Cave-Ayland 
---
 target-ppc/machine.c |   49 +
 1 file changed, 49 insertions(+)

diff --git a/target-ppc/machine.c b/target-ppc/machine.c
index cb56423..5ee6269 100644
--- a/target-ppc/machine.c
+++ b/target-ppc/machine.c
@@ -499,6 +499,54 @@ static const VMStateDescription vmstate_tlbmas = {
 }
 };
 
+static bool decr_needed(void *opaque)
+{
+return true;
+}
+
+static int get_decr_state(QEMUFile *f, void *opaque, size_t size)
+{
+PowerPCCPU *cpu = opaque;
+CPUPPCState *env = >env;
+
+cpu_ppc_store_decr(env, qemu_get_be32(f));
+
+return 0;
+}
+
+static void put_decr_state(QEMUFile *f, void *opaque, size_t size)
+{
+PowerPCCPU *cpu = opaque;
+CPUPPCState *env = >env;
+
+qemu_put_be32(f, cpu_ppc_load_decr(env));
+}
+
+static const VMStateInfo vmstate_info_decr = {
+.name = "decr_state",
+.get = get_decr_state,
+.put = put_decr_state
+};
+
+static const VMStateDescription vmstate_decr = {
+.name = "cpu/decr",
+.version_id = 0,
+.minimum_version_id = 0,
+.needed = decr_needed,
+.fields = (VMStateField[]) {
+{
+.name = "cpu/decr",
+.version_id   = 0,
+.field_exists = NULL,
+.size = 0,
+.info = _info_decr,
+.flags= VMS_SINGLE,
+.offset   = 0,
+},
+VMSTATE_END_OF_LIST()
+}
+};
+
 const VMStateDescription vmstate_ppc_cpu = {
 .name = "cpu",
 .version_id = 5,
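Review bot: `get_decr_state` passes the result of `qemu_get_be32(f)` straight to `cpu_ppc_store_decr` and returns 0 unconditionally, so a truncated or failed stream still programs the decrementer with whatever the read yielded. Reading into a local and returning the result of `qemu_file_get_error(f)` when it is non-zero, before the store, would make the load fail cleanly instead. Two comments would also help the next reader. The cast `PowerPCCPU *cpu = opaque;` only holds because the hand-built field uses `.offset = 0`, which deserves `/* offset 0: get/put receive the PowerPCCPU itself */`. `decr_needed` returning `true` should say that the subsection is intentionally always sent.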
@@ -555,6 +603,7 @@ const VMStateDescription vmstate_ppc_cpu = {
 _tlb6xx,
 _tlbemb,
 _tlbmas,
+_decr,
 NULL
 }
 };
-- 
1.7.10.4



